Correction on string comparison
[exim.git] / src / src / sieve.c
index 36353b7c80fc9eb3e23874055835b5f21b336344..c7adfe169cc715943a3b6e91119dfa022b70475f 100644 (file)
@@ -1,11 +1,11 @@
-/* $Cambridge: exim/src/src/sieve.c,v 1.30 2007/09/24 11:52:16 michael Exp $ */
-
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
-/* Copyright (c) Michael Haardt 2003-2007 */
-/* See the file NOTICE for conditions of use and distribution. */
+/* Copyright (c) Michael Haardt 2003 - 2015
+ * Copyright (c) The Exim Maintainers 2016 - 2018
+ * See the file NOTICE for conditions of use and distribution.
+ */
 
 /* This code was contributed by Michael Haardt. */
 
@@ -71,6 +71,7 @@ struct Sieve
   int require_enotify;
   struct Notification *notified;
 #endif
+  uschar *enotify_mailto_owner;
 #ifdef SUBADDRESS
   int require_subaddress;
 #endif
@@ -108,6 +109,38 @@ struct Notification
   struct Notification *next;
   };
 
+/* This should be a complete list of supported extensions, so that an external
+ManageSieve (RFC 5804) program can interrogate the current Exim binary for the
+list of extensions and provide correct information to a client.
+
+We'll emit the list in the order given here; keep it alphabetically sorted, so
+that callers don't get surprised.
+
+List *MUST* end with a NULL.  Which at least makes ifdef-vs-comma easier. */
+
+const uschar *exim_sieve_extension_list[] = {
+  CUS"comparator-i;ascii-numeric",
+  CUS"copy",
+#ifdef ENCODED_CHARACTER
+  CUS"encoded-character",
+#endif
+#ifdef ENOTIFY
+  CUS"enotify",
+#endif
+  CUS"envelope",
+#ifdef ENVELOPE_AUTH
+  CUS"envelope-auth",
+#endif
+  CUS"fileinto",
+#ifdef SUBADDRESS
+  CUS"subaddress",
+#endif
+#ifdef VACATION
+  CUS"vacation",
+#endif
+  NULL
+};
+
 static int eq_asciicase(const struct String *needle, const struct String *haystack, int match_prefix);
 static int parse_test(struct Sieve *filter, int *cond, int exec);
 static int parse_commands(struct Sieve *filter, int exec, address_item **generated);
@@ -147,6 +180,8 @@ static uschar str_online_c[]="online";
 static const struct String str_online={ str_online_c, 6 };
 static uschar str_maybe_c[]="maybe";
 static const struct String str_maybe={ str_maybe_c, 5 };
+static uschar str_auto_submitted_c[]="Auto-Submitted";
+static const struct String str_auto_submitted={ str_auto_submitted_c, 14 };
 #endif
 #ifdef SUBADDRESS
 static uschar str_subaddress_c[]="subaddress";
@@ -199,6 +234,9 @@ uschar *new = NULL;
 uschar ch;
 size_t line;
 
+/* Two passes: one to count output allocation size, second
+to do the encoding */
+
 for (pass=0; pass<=1; ++pass)
   {
   line=0;
@@ -212,55 +250,47 @@ for (pass=0; pass<=1; ++pass)
   for (start=src->character,end=start+src->length; start<end; ++start)
     {
     ch=*start;
-    if (line>=73)
+    if (line>=73)      /* line length limit */
       {
       if (pass==0)
         dst->length+=2;
       else
         {
-        *new++='=';
+        *new++='=';    /* line split */
         *new++='\n';
         }
       line=0;
       }
-    if
-      (
-      (ch>=33 && ch<=60)
-      || (ch>=62 && ch<=126)
-      ||
-        (
-        (ch==9 || ch==32)
-        && start+2<end
-        && (*(start+1)!='\r' || *(start+2)!='\n')
-        )
-      )
+    if (  (ch>='!' && ch<='<')
+       || (ch>='>' && ch<='~')
+       || (  (ch=='\t' || ch==' ')
+          && start+2<end
+          && (*(start+1)!='\r' || *(start+2)!='\n')    /* CRLF */
+          )
+       )
       {
       if (pass==0)
         ++dst->length;
       else
-        *new++=*start;
+        *new++=*start; /* copy char */
       ++line;
       }
-    else if (ch=='\r' && start+1<end && *(start+1)=='\n')
+    else if (ch=='\r' && start+1<end && *(start+1)=='\n') /* CRLF */
       {
       if (pass==0)
-        {
         ++dst->length;
-        line=0;
-        }
       else
-        *new++='\n';
-        line=0;
-      ++start;
+        *new++='\n';                                   /* NL */
+      line=0;
+      ++start; /* consume extra input char */
       }
     else
       {
       if (pass==0)
         dst->length+=3;
       else
-        {
-        sprintf(CS new,"=%02X",ch);
-        new+=3;
+        {              /* encoded char */
+        new += sprintf(CS new,"=%02X",ch);
         }
       line+=3;
       }
@@ -379,11 +409,14 @@ Returns
  -1           syntax error
 */
 
-static int parse_mailto_uri(struct Sieve *filter, const uschar *uri, string_item **recipient, struct String *header, struct String *subject, struct String *body)
+static int
+parse_mailto_uri(struct Sieve *filter, const uschar *uri,
+  string_item **recipient, struct String *header, struct String *subject,
+  struct String *body)
 {
 const uschar *start;
-struct String to,hname,hvalue;
-int capacity;
+struct String to, hname;
+struct String hvalue = {.character = NULL, .length = 0};
 string_item *new;
 
 if (Ustrncmp(uri,"mailto:",7))
@@ -391,6 +424,7 @@ if (Ustrncmp(uri,"mailto:",7))
   filter->errmsg=US "Unknown URI scheme";
   return 0;
   }
+
 uri+=7;
 if (*uri && *uri!='?')
   for (;;)
@@ -399,22 +433,21 @@ if (*uri && *uri!='?')
     for (start=uri; *uri && *uri!='?' && (*uri!='%' || *(uri+1)!='2' || tolower(*(uri+2))!='c'); ++uri);
     if (uri>start)
       {
-      capacity=0;
-      to.character=(uschar*)0;
-      to.length=0;
-      to.character=string_cat(to.character,&capacity,&to.length,start,uri-start);
-      to.character[to.length]='\0';
+      gstring * g = string_catn(NULL, start, uri-start);
+
+      to.character = string_from_gstring(g);
+      to.length = g->ptr;
       if (uri_decode(&to)==-1)
         {
         filter->errmsg=US"Invalid URI encoding";
         return -1;
         }
-        new=store_get(sizeof(string_item));
-        new->text=store_get(to.length+1);
-        if (to.length) memcpy(new->text,to.character,to.length);
-        new->text[to.length]='\0';
-        new->next=*recipient;
-        *recipient=new;
+      new=store_get(sizeof(string_item));
+      new->text=store_get(to.length+1);
+      if (to.length) memcpy(new->text,to.character,to.length);
+      new->text[to.length]='\0';
+      new->next=*recipient;
+      *recipient=new;
       }
     else
       {
@@ -433,11 +466,10 @@ if (*uri=='?')
     for (start=uri; *uri && (isalnum(*uri) || strchr("$-_.+!*'(),%",*uri)); ++uri);
     if (uri>start)
       {
-      capacity=0;
-      hname.character=(uschar*)0;
-      hname.length=0;
-      hname.character=string_cat(hname.character,&capacity,&hname.length,start,uri-start);
-      hname.character[hname.length]='\0';
+      gstring * g = string_catn(NULL, start, uri-start);
+
+      hname.character = string_from_gstring(g);
+      hname.length = g->ptr;
       if (uri_decode(&hname)==-1)
         {
         filter->errmsg=US"Invalid URI encoding";
@@ -456,11 +488,10 @@ if (*uri=='?')
     for (start=uri; *uri && (isalnum(*uri) || strchr("$-_.+!*'(),%",*uri)); ++uri);
     if (uri>start)
       {
-      capacity=0;
-      hvalue.character=(uschar*)0;
-      hvalue.length=0;
-      hvalue.character=string_cat(hvalue.character,&capacity,&hvalue.length,start,uri-start);
-      hvalue.character[hvalue.length]='\0';
+      gstring * g = string_catn(NULL, start, uri-start);
+
+      hname.character = string_from_gstring(g);
+      hname.length = g->ptr;
       if (uri_decode(&hvalue)==-1)
         {
         filter->errmsg=US"Invalid URI encoding";
@@ -487,7 +518,8 @@ if (*uri=='?')
         {US"date",4},
         {US"from",4},
         {US"message-id",10},
-        {US"received",8}
+        {US"received",8},
+        {US"auto-submitted",14}
         };
       static struct String *end=ignore+sizeof(ignore)/sizeof(ignore[0]);
       struct String *i;
@@ -495,13 +527,18 @@ if (*uri=='?')
       for (i=ignore; i<end && !eq_asciicase(&hname,i,0); ++i);
       if (i==end)
         {
-        if (header->length==-1) header->length=0;
-        capacity=header->length;
-        header->character=string_cat(header->character,&capacity,&header->length,hname.character,hname.length);
-        header->character=string_cat(header->character,&capacity,&header->length,CUS ": ",2);
-        header->character=string_cat(header->character,&capacity,&header->length,hvalue.character,hvalue.length);
-        header->character=string_cat(header->character,&capacity,&header->length,CUS "\n",1);
-        header->character[header->length]='\0';
+       gstring * g;
+
+        if (header->length==-1) header->length = 0;
+
+       g = string_catn(NULL, header->character, header->length);
+        g = string_catn(g, hname.character, hname.length);
+        g = string_catn(g, CUS ": ", 2);
+        g = string_catn(g, hvalue.character, hvalue.length);
+        g = string_catn(g, CUS "\n", 1);
+
+       header->character = string_from_gstring(g);
+       header->length = g->ptr;
         }
       }
     if (*uri=='&') ++uri;
@@ -608,8 +645,10 @@ return (match_prefix ? nl==0 : nl==0 && hl==0);
 
 /*
 Arguments:
-  needle      pattern to search ...
-  haystack    ... inside the haystack
+  needle          pattern to search ...
+  haystack        ... inside the haystack
+  ascii_caseless  ignore ASCII case
+  match_octet     match octets, not UTF-8 multi-octet characters
 
 Returns:      0               needle not found in haystack
               1               needle found
@@ -957,10 +996,10 @@ Arguments:
 Returns:      quoted string
 */
 
-static const uschar *quote(const struct String *header)
+static const uschar *
+quote(const struct String *header)
 {
-uschar *quoted=NULL;
-int size=0,ptr=0;
+gstring * quoted = NULL;
 size_t l;
 const uschar *h;
 
@@ -971,26 +1010,20 @@ while (l)
   switch (*h)
     {
     case '\0':
-      {
-      quoted=string_cat(quoted,&size,&ptr,CUS "\\0",2);
+      quoted = string_catn(quoted, CUS "\\0", 2);
       break;
-      }
     case '$':
     case '{':
     case '}':
-      {
-      quoted=string_cat(quoted,&size,&ptr,CUS "\\",1);
-      }
+      quoted = string_catn(quoted, CUS "\\", 1);
     default:
-      {
-      quoted=string_cat(quoted,&size,&ptr,h,1);
-      }
+      quoted = string_catn(quoted, h, 1);
     }
   ++h;
   --l;
   }
-quoted=string_cat(quoted,&size,&ptr,CUS "",1);
-return quoted;
+quoted = string_catn(quoted, CUS "", 1);
+return string_from_gstring(quoted);
 }
 
 
@@ -999,7 +1032,7 @@ return quoted;
 *************************************************/
 
 /*
-According to RFC 3028, duplicate delivery to the same address must
+According to RFC 5228, duplicate delivery to the same address must
 not happen, so the list is first searched for the address.
 
 Arguments:
@@ -1010,33 +1043,36 @@ Arguments:
 Returns:      nothing
 */
 
-static void add_addr(address_item **generated, uschar *addr, int file, int maxage, int maxmessages, int maxstorage)
+static void
+add_addr(address_item **generated, uschar *addr, int file, int maxage, int maxmessages, int maxstorage)
 {
 address_item *new_addr;
 
 for (new_addr=*generated; new_addr; new_addr=new_addr->next)
-  {
-  if (Ustrcmp(new_addr->address,addr)==0 && (file ? testflag(new_addr, af_pfr|af_file) : 1))
+  if (  Ustrcmp(new_addr->address,addr) == 0
+     && (  !file
+       || testflag(new_addr, af_pfr)
+       || testflag(new_addr, af_file)
+       )
+     )
     {
     if ((filter_test != FTEST_NONE && debug_selector != 0) || (debug_selector & D_filter) != 0)
-      {
       debug_printf("Repeated %s `%s' ignored.\n",file ? "fileinto" : "redirect", addr);
-      }
+
     return;
     }
-  }
 
 if ((filter_test != FTEST_NONE && debug_selector != 0) || (debug_selector & D_filter) != 0)
-  {
   debug_printf("%s `%s'\n",file ? "fileinto" : "redirect", addr);
-  }
-new_addr=deliver_make_addr(addr,TRUE);
+
+new_addr = deliver_make_addr(addr,TRUE);
 if (file)
   {
-  setflag(new_addr, af_pfr|af_file);
+  setflag(new_addr, af_pfr);
+  setflag(new_addr, af_file);
   new_addr->mode = 0;
   }
-new_addr->p.errors_address = NULL;
+new_addr->prop.errors_address = NULL;
 new_addr->next = *generated;
 *generated = new_addr;
 }
@@ -1436,12 +1472,14 @@ Returns:      1                success
               0                identifier not matched
 */
 
-static int parse_string(struct Sieve *filter, struct String *data)
+static int
+parse_string(struct Sieve *filter, struct String *data)
 {
-int dataCapacity=0;
+gstring * g = NULL;
+
+data->length = 0;
+data->character = NULL;
 
-data->length=0;
-data->character=(uschar*)0;
 if (*filter->pc=='"') /* quoted string */
   {
   ++filter->pc;
@@ -1449,11 +1487,17 @@ if (*filter->pc=='"') /* quoted string */
     {
     if (*filter->pc=='"') /* end of string */
       {
-      int foo=data->length;
-
       ++filter->pc;
+
+      if (g)
+       {
+       data->character = string_from_gstring(g);
+       data->length = g->ptr;
+       }
+      else
+       data->character = US"\0";
       /* that way, there will be at least one character allocated */
-      data->character=string_cat(data->character,&dataCapacity,&foo,CUS "",1);
+
 #ifdef ENCODED_CHARACTER
       if (filter->require_encoded_character
           && string_decode(filter,data)==-1)
@@ -1463,7 +1507,7 @@ if (*filter->pc=='"') /* quoted string */
       }
     else if (*filter->pc=='\\' && *(filter->pc+1)) /* quoted character */
       {
-      data->character=string_cat(data->character,&dataCapacity,&data->length,filter->pc+1,1);
+      g = string_catn(g, filter->pc+1, 1);
       filter->pc+=2;
       }
     else /* regular character */
@@ -1473,11 +1517,11 @@ if (*filter->pc=='"') /* quoted string */
 #else
       if (*filter->pc=='\n')
         {
-        data->character=string_cat(data->character,&dataCapacity,&data->length,US"\r",1);
+        g = string_catn(g, US"\r", 1);
         ++filter->line;
         }
 #endif
-      data->character=string_cat(data->character,&dataCapacity,&data->length,filter->pc,1);
+      g = string_catn(g, filter->pc, 1);
       filter->pc++;
       }
     }
@@ -1519,7 +1563,7 @@ else if (Ustrncmp(filter->pc,CUS "text:",5)==0) /* multiline string */
     if (*filter->pc=='\n') /* end of line */
 #endif
       {
-      data->character=string_cat(data->character,&dataCapacity,&data->length,CUS "\r\n",2);
+      g = string_catn(g, CUS "\r\n", 2);
 #ifdef RFC_EOL
       filter->pc+=2;
 #else
@@ -1532,10 +1576,15 @@ else if (Ustrncmp(filter->pc,CUS "text:",5)==0) /* multiline string */
       if (*filter->pc=='.' && *(filter->pc+1)=='\n') /* end of string */
 #endif
         {
-        int foo=data->length;
+       if (g)
+         {
+         data->character = string_from_gstring(g);
+         data->length = g->ptr;
+         }
+       else
+         data->character = US"\0";
+       /* that way, there will be at least one character allocated */
 
-        /* that way, there will be at least one character allocated */
-        data->character=string_cat(data->character,&dataCapacity,&foo,CUS "",1);
 #ifdef RFC_EOL
         filter->pc+=3;
 #else
@@ -1551,13 +1600,13 @@ else if (Ustrncmp(filter->pc,CUS "text:",5)==0) /* multiline string */
         }
       else if (*filter->pc=='.' && *(filter->pc+1)=='.') /* remove dot stuffing */
         {
-        data->character=string_cat(data->character,&dataCapacity,&data->length,CUS ".",1);
+        g = string_catn(g, CUS ".", 1);
         filter->pc+=2;
         }
       }
     else /* regular character */
       {
-      data->character=string_cat(data->character,&dataCapacity,&data->length,filter->pc,1);
+      g = string_catn(g, filter->pc, 1);
       filter->pc++;
       }
     }
@@ -1670,12 +1719,13 @@ Returns:      1                success
               -1               no string list found
 */
 
-static int parse_stringlist(struct Sieve *filter, struct String **data)
+static int
+parse_stringlist(struct Sieve *filter, struct String **data)
 {
 const uschar *orig=filter->pc;
-int dataCapacity=0;
-int dataLength=0;
-struct String *d=(struct String*)0;
+int dataCapacity = 0;
+int dataLength = 0;
+struct String *d = NULL;
 int m;
 
 if (*filter->pc=='[') /* string list */
@@ -1684,20 +1734,17 @@ if (*filter->pc=='[') /* string list */
   for (;;)
     {
     if (parse_white(filter)==-1) goto error;
-    if ((dataLength+1)>=dataCapacity) /* increase buffer */
+    if (dataLength+1 >= dataCapacity) /* increase buffer */
       {
       struct String *new;
-      int newCapacity;          /* Don't amalgamate with next line; some compilers grumble */
-      newCapacity=dataCapacity?(dataCapacity*=2):(dataCapacity=4);
-      if ((new=(struct String*)store_get(sizeof(struct String)*newCapacity))==(struct String*)0)
-        {
-        filter->errmsg=CUstrerror(errno);
-        goto error;
-        }
+
+      dataCapacity = dataCapacity ? dataCapacity * 2 : 4;
+      new = store_get(sizeof(struct String) * dataCapacity);
+
       if (d) memcpy(new,d,sizeof(struct String)*dataLength);
-      d=new;
-      dataCapacity=newCapacity;
+      d = new;
       }
+
     m=parse_string(filter,&d[dataLength]);
     if (m==0)
       {
@@ -1934,7 +1981,7 @@ Grammar:
 Arguments:
   filter      points to the Sieve filter including its state
   n           total number of tests
-  true        number of passed tests
+  num_true    number of passed tests
   exec        Execute parsed statements
 
 Returns:      1                success
@@ -1942,14 +1989,14 @@ Returns:      1                success
               -1               syntax or execution error
 */
 
-static int parse_testlist(struct Sieve *filter, int *n, int *true, int exec)
+static int parse_testlist(struct Sieve *filter, int *n, int *num_true, int exec)
 {
 if (parse_white(filter)==-1) return -1;
 if (*filter->pc=='(')
   {
   ++filter->pc;
   *n=0;
-   *true=0;
+   *num_true=0;
   for (;;)
     {
     int cond;
@@ -1958,7 +2005,7 @@ if (*filter->pc=='(')
       {
       case -1: return -1;
       case 0: filter->errmsg=CUS "missing test"; return -1;
-      default: ++*n; if (cond) ++*true; break;
+      default: ++*n; if (cond) ++*num_true; break;
       }
     if (parse_white(filter)==-1) return -1;
     if (*filter->pc==',') ++filter->pc;
@@ -2146,13 +2193,13 @@ else if (parse_identifier(filter,CUS "allof"))
   allof-test   = "allof" <tests: test-list>
   */
 
-  int n,true;
+  int n,num_true;
 
-  switch (parse_testlist(filter,&n,&true,exec))
+  switch (parse_testlist(filter,&n,&num_true,exec))
     {
     case -1: return -1;
     case 0: filter->errmsg=CUS "missing test list"; return -1;
-    default: *cond=(n==true); return 1;
+    default: *cond=(n==num_true); return 1;
     }
   }
 else if (parse_identifier(filter,CUS "anyof"))
@@ -2161,13 +2208,13 @@ else if (parse_identifier(filter,CUS "anyof"))
   anyof-test   = "anyof" <tests: test-list>
   */
 
-  int n,true;
+  int n,num_true;
 
-  switch (parse_testlist(filter,&n,&true,exec))
+  switch (parse_testlist(filter,&n,&num_true,exec))
     {
     case -1: return -1;
     case 0: filter->errmsg=CUS "missing test list"; return -1;
-    default: *cond=(true>0); return 1;
+    default: *cond=(num_true>0); return 1;
     }
   }
 else if (parse_identifier(filter,CUS "exists"))
@@ -2701,8 +2748,8 @@ Returns:      2                success by stop
               1                other success
               -1               syntax or execution error
 */
-static int parse_commands(struct Sieve *filter, int exec,
-  address_item **generated)
+static int
+parse_commands(struct Sieve *filter, int exec, address_item **generated)
 {
 while (*filter->pc)
   {
@@ -2934,7 +2981,6 @@ while (*filter->pc)
     int m;
     struct String from;
     struct String importance;
-    struct String *options;
     struct String message;
     struct String method;
     struct Notification *already;
@@ -2942,7 +2988,9 @@ while (*filter->pc)
     struct String header;
     struct String subject;
     struct String body;
-    uschar *envelope_from,*envelope_to;
+    uschar *envelope_from;
+    struct String auto_submitted_value;
+    uschar *auto_submitted_def;
 
     if (!filter->require_enotify)
       {
@@ -2953,7 +3001,6 @@ while (*filter->pc)
     from.length=-1;
     importance.character=(uschar*)0;
     importance.length=-1;
-    options=(struct String*)0;
     message.character=(uschar*)0;
     message.length=-1;
     recipient=NULL;
@@ -2963,8 +3010,7 @@ while (*filter->pc)
     subject.character=(uschar*)0;
     body.length=-1;
     body.character=(uschar*)0;
-    envelope_from=expand_string("$sender_address");
-    envelope_to=expand_string("$local_part_prefix$local_part$local_part_suffix@$domain");
+    envelope_from=(sender_address && sender_address[0]) ? expand_string(US"$local_part_prefix$local_part$local_part_suffix@$domain") : US "";
     for (;;)
       {
       if (parse_white(filter)==-1) return -1;
@@ -3015,75 +3061,92 @@ while (*filter->pc)
     if (parse_semicolon(filter)==-1) return -1;
     if (parse_mailto_uri(filter,method.character,&recipient,&header,&subject,&body)!=1)
       return -1;
-    if (message.length==-1) message=subject;
-    if (message.length==-1) expand_header(&message,&str_subject);
-
-    for (already=filter->notified; already; already=already->next)
-      {
-      if (already->method.length==method.length
-          && (method.length==-1 || strcmp(already->method.character,method.character)==0)
-          && already->importance.length==importance.length
-          && (importance.length==-1 || strcmp(already->importance.character,importance.character)==0)
-          && already->message.length==message.length
-          && (message.length==-1 || strcmp(already->message.character,message.character)==0))
-        break;
-      }
-    if (already==(struct Notification*)0)
-      /* New notification, process it */
+    if (exec)
       {
-      struct Notification *sent;
-      sent=store_get(sizeof(struct Notification));
-      sent->method=method;
-      sent->importance=importance;
-      sent->message=message;
-      sent->next=filter->notified;
-      filter->notified=sent;
-      if ((filter_test != FTEST_NONE && debug_selector != 0) || (debug_selector & D_filter) != 0)
+      if (message.length==-1) message=subject;
+      if (message.length==-1) expand_header(&message,&str_subject);
+      expand_header(&auto_submitted_value,&str_auto_submitted);
+      auto_submitted_def=expand_string(string_sprintf("${if def:header_auto-submitted {true}{false}}"));
+      if (auto_submitted_value.character == NULL || auto_submitted_def == NULL)
         {
-        debug_printf("Notification to `%s': '%s'.\n",method.character,message.length!=-1 ? message.character : CUS "");
+        filter->errmsg=CUS "header string expansion failed";
+        return -1;
         }
-#ifndef COMPILE_SYNTAX_CHECKER
-      if (exec && filter_test == FTEST_NONE)
+        if (Ustrcmp(auto_submitted_def,"true")!=0 || Ustrcmp(auto_submitted_value.character,"no")==0)
         {
-        string_item *p;
-        header_line *h;
-        int pid,fd;
+        for (already=filter->notified; already; already=already->next)
+          {
+          if (already->method.length==method.length
+              && (method.length==-1 || Ustrcmp(already->method.character,method.character)==0)
+              && already->importance.length==importance.length
+              && (importance.length==-1 || Ustrcmp(already->importance.character,importance.character)==0)
+              && already->message.length==message.length
+              && (message.length==-1 || Ustrcmp(already->message.character,message.character)==0))
+            break;
+          }
+        if (already==(struct Notification*)0)
+          /* New notification, process it */
+          {
+          struct Notification *sent;
+          sent=store_get(sizeof(struct Notification));
+          sent->method=method;
+          sent->importance=importance;
+          sent->message=message;
+          sent->next=filter->notified;
+          filter->notified=sent;
+  #ifndef COMPILE_SYNTAX_CHECKER
+          if (filter_test == FTEST_NONE)
+            {
+            string_item *p;
+            int pid,fd;
 
-        if ((pid = child_open_exim2(&fd,envelope_to,envelope_to))>=1)
+            if ((pid = child_open_exim2(&fd,envelope_from,envelope_from))>=1)
+              {
+              FILE *f;
+              uschar *buffer;
+              int buffer_capacity;
+
+              f = fdopen(fd, "wb");
+              fprintf(f,"From: %s\n",from.length==-1 ? expand_string(US"$local_part_prefix$local_part$local_part_suffix@$domain") : from.character);
+              for (p=recipient; p; p=p->next) fprintf(f,"To: %s\n",p->text);
+              fprintf(f,"Auto-Submitted: auto-notified; %s\n",filter->enotify_mailto_owner);
+              if (header.length>0) fprintf(f,"%s",header.character);
+              if (message.length==-1)
+                {
+                message.character=US"Notification";
+                message.length=Ustrlen(message.character);
+                }
+              /* Allocation is larger than necessary, but enough even for split MIME words */
+              buffer_capacity=32+4*message.length;
+              buffer=store_get(buffer_capacity);
+              if (message.length!=-1) fprintf(f,"Subject: %s\n",parse_quote_2047(message.character, message.length, US"utf-8", buffer, buffer_capacity, TRUE));
+              fprintf(f,"\n");
+              if (body.length>0) fprintf(f,"%s\n",body.character);
+              fflush(f);
+              (void)fclose(f);
+              (void)child_close(pid, 0);
+              }
+            }
+          if ((filter_test != FTEST_NONE && debug_selector != 0) || (debug_selector & D_filter) != 0)
+            {
+            debug_printf("Notification to `%s': '%s'.\n",method.character,message.length!=-1 ? message.character : CUS "");
+            }
+#endif
+          }
+        else
           {
-          FILE *f;
-          uschar *buffer;
-          int buffer_capacity;
-
-          f = fdopen(fd, "wb");
-          for (h = header_list; h != NULL; h = h->next)
-            if (h->type == htype_received) fprintf(f,"%s",h->text);
-          fprintf(f,"From: %s\n",from.length==-1 ? envelope_to : from.character);
-          for (p=recipient; p; p=p->next) fprintf(f,"To: %s\n",p->text);
-          if (header.length>0) fprintf(f,"%s",header.character);
-          if (message.length==-1)
+          if ((filter_test != FTEST_NONE && debug_selector != 0) || (debug_selector & D_filter) != 0)
             {
-            message.character=US"Notification";
-            message.length=Ustrlen(message.character);
+            debug_printf("Repeated notification to `%s' ignored.\n",method.character);
             }
-          /* Allocation is larger than neccessary, but enough even for split MIME words */
-          buffer_capacity=32+4*message.length;
-          buffer=store_get(buffer_capacity);
-          if (message.length!=-1) fprintf(f,"Subject: %s\n",parse_quote_2047(message.character, message.length, US"utf-8", buffer, buffer_capacity, TRUE));
-          fprintf(f,"\n");
-          if (body.length>0) fprintf(f,"%s\n",body.character);
-          fflush(f);
-          (void)fclose(f);
-          (void)child_close(pid, 0);
           }
         }
-#endif
-      }
-    else
-      {
-      if ((filter_test != FTEST_NONE && debug_selector != 0) || (debug_selector & D_filter) != 0)
+      else
         {
-        debug_printf("Repeated notification to `%s' ignored.\n",method.character);
+        if ((filter_test != FTEST_NONE && debug_selector != 0) || (debug_selector & D_filter) != 0)
+          {
+          debug_printf("Ignoring notification, triggering message contains Auto-submitted: field.\n");
+          }
         }
       }
     }
@@ -3222,15 +3285,13 @@ while (*filter->pc)
     if (exec)
       {
       address_item *addr;
-      int capacity,start;
       uschar *buffer;
       int buffer_capacity;
-      struct String key;
       md5 base;
       uschar digest[16];
       uschar hexdigest[33];
       int i;
-      uschar *once;
+      gstring * once;
 
       if (filter_personal(aliases,TRUE))
         {
@@ -3242,32 +3303,30 @@ while (*filter->pc)
           }
         /* build oncelog filename */
 
-        key.character=(uschar*)0;
-        key.length=0;
-        capacity=0;
+        md5_start(&base);
+
         if (handle.length==-1)
           {
-          if (subject.length!=-1) key.character=string_cat(key.character,&capacity,&key.length,subject.character,subject.length);
-          if (from.length!=-1) key.character=string_cat(key.character,&capacity,&key.length,from.character,from.length);
-          key.character=string_cat(key.character,&capacity,&key.length,reason_is_mime?US"1":US"0",1);
-          key.character=string_cat(key.character,&capacity,&key.length,reason.character,reason.length);
+         gstring * key = NULL;
+          if (subject.length!=-1) key =string_catn(key, subject.character, subject.length);
+          if (from.length!=-1) key = string_catn(key, from.character, from.length);
+          key = string_catn(key, reason_is_mime?US"1":US"0", 1);
+          key = string_catn(key, reason.character, reason.length);
+         md5_end(&base, key->s, key->ptr, digest);
           }
         else
-          key=handle;
-        md5_start(&base);
-        md5_end(&base, key.character, key.length, digest);
+         md5_end(&base, handle.character, handle.length, digest);
+
         for (i = 0; i < 16; i++) sprintf(CS (hexdigest+2*i), "%02X", digest[i]);
+
         if ((filter_test != FTEST_NONE && debug_selector != 0) || (debug_selector & D_filter) != 0)
-          {
           debug_printf("Sieve: mail was personal, vacation file basename: %s\n", hexdigest);
-          }
+
         if (filter_test == FTEST_NONE)
           {
-          capacity=Ustrlen(filter->vacation_directory);
-          start=capacity;
-          once=string_cat(filter->vacation_directory,&capacity,&start,US"/",1);
-          once=string_cat(once,&capacity,&start,hexdigest,33);
-          once[start] = '\0';
+          once = string_cat (NULL, filter->vacation_directory);
+          once = string_catn(once, US"/", 1);
+          once = string_catn(once, hexdigest, 33);
 
           /* process subject */
 
@@ -3278,11 +3337,12 @@ while (*filter->pc)
             subject_def=expand_string(US"${if def:header_subject {true}{false}}");
             if (Ustrcmp(subject_def,"true")==0)
               {
+             gstring * g = string_catn(NULL, US"Auto: ", 6);
+
               expand_header(&subject,&str_subject);
-              capacity=6;
-              start=6;
-              subject.character=string_cat(US"Auto: ",&capacity,&start,subject.character,subject.length);
-              subject.length=start;
+              g = string_catn(g, subject.character, subject.length);
+             subject.character = string_from_gstring(g);
+              subject.length = g->ptr;
               }
             else
               {
@@ -3295,7 +3355,7 @@ while (*filter->pc)
 
           addr = deliver_make_addr(string_sprintf(">%.256s", sender_address), FALSE);
           setflag(addr, af_pfr);
-          setflag(addr, af_ignore_error);
+          addr->prop.ignore_error = TRUE;
           addr->next = *generated;
           *generated = addr;
           addr->reply = store_get(sizeof(reply_item));
@@ -3305,11 +3365,12 @@ while (*filter->pc)
             addr->reply->from = expand_string(US"$local_part@$domain");
           else
             addr->reply->from = from.character;
-          /* Allocation is larger than neccessary, but enough even for split MIME words */
+          /* Allocation is larger than necessary, but enough even for split MIME words */
           buffer_capacity=32+4*subject.length;
           buffer=store_get(buffer_capacity);
-          addr->reply->subject=parse_quote_2047(subject.character, subject.length, US"utf-8", buffer, buffer_capacity, TRUE);
-          addr->reply->oncelog=once;
+         /* deconst cast safe as we pass in a non-const item */
+          addr->reply->subject = US parse_quote_2047(subject.character, subject.length, US"utf-8", buffer, buffer_capacity, TRUE);
+          addr->reply->oncelog = string_from_gstring(once);
           addr->reply->once_repeat=days*86400;
 
           /* build body and MIME headers */
@@ -3318,30 +3379,25 @@ while (*filter->pc)
             {
             uschar *mime_body,*reason_end;
             static const uschar nlnl[]="\r\n\r\n";
+           gstring * g;
 
             for
               (
-              mime_body=reason.character,reason_end=reason.character+reason.length;
-              mime_body<(reason_end-(sizeof(nlnl)-1)) && memcmp(mime_body,nlnl,(sizeof(nlnl)-1));
+              mime_body = reason.character, reason_end = reason.character + reason.length;
+              mime_body < (reason_end-(sizeof(nlnl)-1)) && memcmp(mime_body, nlnl, (sizeof(nlnl)-1));
               ++mime_body
               );
-            capacity = 0;
-            start = 0;
-            addr->reply->headers = string_cat(NULL,&capacity,&start,reason.character,mime_body-reason.character);
-            addr->reply->headers[start] = '\0';
-            capacity = 0;
-            start = 0;
+
+            addr->reply->headers = string_copyn(reason.character, mime_body-reason.character);
+
             if (mime_body+(sizeof(nlnl)-1)<reason_end) mime_body+=(sizeof(nlnl)-1);
             else mime_body=reason_end-1;
-            addr->reply->text = string_cat(NULL,&capacity,&start,mime_body,reason_end-mime_body);
-            addr->reply->text[start] = '\0';
+            addr->reply->text = string_copyn(mime_body, reason_end-mime_body);
             }
           else
             {
-            struct String qp = { NULL, 0 };  /* Keep compiler happy (PH) */
+            struct String qp = { .character = NULL, .length = 0 };  /* Keep compiler happy (PH) */
 
-            capacity = 0;
-            start = reason.length;
             addr->reply->headers = US"MIME-Version: 1.0\n"
                                    "Content-Type: text/plain;\n"
                                    "\tcharset=\"utf-8\"\n"
@@ -3351,9 +3407,7 @@ while (*filter->pc)
           }
         }
         else if ((filter_test != FTEST_NONE && debug_selector != 0) || (debug_selector & D_filter) != 0)
-          {
           debug_printf("Sieve: mail was not personal, vacation would ignore it\n");
-          }
       }
     }
     else break;
@@ -3377,8 +3431,8 @@ Returns:      1                success
               -1               syntax or execution error
 */
 
-static int parse_start(struct Sieve *filter, int exec,
-  address_item **generated)
+static int
+parse_start(struct Sieve *filter, int exec, address_item **generated)
 {
 filter->pc=filter->filter;
 filter->line=1;
@@ -3467,7 +3521,15 @@ while (parse_identifier(filter,CUS "require"))
     else if (eq_octet(check,&str_envelope_auth,0)) filter->require_envelope_auth=1;
 #endif
 #ifdef ENOTIFY
-    else if (eq_octet(check,&str_enotify,0)) filter->require_enotify=1;
+    else if (eq_octet(check,&str_enotify,0))
+      {
+      if (filter->enotify_mailto_owner == NULL)
+        {
+        filter->errmsg=CUS "enotify disabled";
+        return -1;
+        }
+        filter->require_enotify=1;
+      }
 #endif
 #ifdef SUBADDRESS
     else if (eq_octet(check,&str_subaddress,0)) filter->require_subaddress=1;
@@ -3515,7 +3577,8 @@ Arguments:
   filter      points to the entire file, read into store as a single string
   options     controls whether various special things are allowed, and requests
               special actions (not currently used)
-  sieve_vacation_directory  where to store vacation "once" files
+  vacation_directory    where to store vacation "once" files
+  enotify_mailto_owner  owner of mailto notifications
   useraddress string expression for :user part of address
   subaddress  string expression for :subaddress part of address
   generated   where to hang newly-generated addresses
@@ -3531,7 +3594,8 @@ Returns:      FF_DELIVERED     success, a significant action was taken
 
 int
 sieve_interpret(uschar *filter, int options, uschar *vacation_directory,
-  uschar *useraddress, uschar *subaddress, address_item **generated, uschar **error)
+  uschar *enotify_mailto_owner, uschar *useraddress, uschar *subaddress,
+  address_item **generated, uschar **error)
 {
 struct Sieve sieve;
 int r;
@@ -3557,6 +3621,20 @@ else
     }
   }
 
+if (enotify_mailto_owner == NULL)
+  sieve.enotify_mailto_owner = NULL;
+else
+  {
+  sieve.enotify_mailto_owner=expand_string(enotify_mailto_owner);
+  if (sieve.enotify_mailto_owner == NULL)
+    {
+    *error = string_sprintf("failed to expand \"%s\" "
+      "(sieve_enotify_mailto_owner): %s", enotify_mailto_owner,
+      expand_string_message);
+    return FF_ERROR;
+    }
+  }
+
 sieve.useraddress = useraddress == NULL ? CUS "$local_part_prefix$local_part$local_part_suffix" : useraddress;
 sieve.subaddress = subaddress;