X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/6d95688d6a272297a6a47f2fd2695cc8e5b8b730..8c2a478b1f6f8c3fb43317c1e6729b23a3b972b7:/src/src/readconf.c diff --git a/src/src/readconf.c b/src/src/readconf.c index a5482f72d..3644ab53e 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c @@ -117,9 +117,12 @@ static optionlist optionlist_config[] = { #endif { "disable_ipv6", opt_bool, &disable_ipv6 }, #ifndef DISABLE_DKIM + { "dkim_verify_hashes", opt_stringptr, &dkim_verify_hashes }, + { "dkim_verify_keytypes", opt_stringptr, &dkim_verify_keytypes }, + { "dkim_verify_minimal", opt_bool, &dkim_verify_minimal }, { "dkim_verify_signers", opt_stringptr, &dkim_verify_signers }, #endif -#ifdef EXPERIMENTAL_DMARC +#ifdef SUPPORT_DMARC { "dmarc_forensic_sender", opt_stringptr, &dmarc_forensic_sender }, { "dmarc_history_file", opt_stringptr, &dmarc_history_file }, { "dmarc_tld_file", opt_stringptr, &dmarc_tld_file }, @@ -241,7 +244,7 @@ static optionlist optionlist_config[] = { #endif { "pid_file_path", opt_stringptr, &pid_file_path }, { "pipelining_advertise_hosts", opt_stringptr, &pipelining_advertise_hosts }, -#ifdef SUPPORT_PIPE_CONNECT +#ifndef DISABLE_PIPE_CONNECT { "pipelining_connect_advertise_hosts", opt_stringptr, &pipe_connect_advertise_hosts }, #endif @@ -414,6 +417,8 @@ for (struct auth_info * ai = auths_available; ai->driver_name[0]; ai++) spf(buf, sizeof(buf), US"_DRIVER_AUTHENTICATOR_%T", ai->driver_name); builtin_macro_create(buf); options_from_list(ai->options, (unsigned)*ai->options_count, US"AUTHENTICATOR", ai->driver_name); + + if (ai->macros_create) (ai->macros_create)(); } } @@ -2748,12 +2753,13 @@ if (!type) for (int i = 0; i < 4; i++) if ((t = tree_search(*(anchors[i]), name+1))) { + namedlist_block * nb = t->data.ptr; + const uschar * s = nb->hide ? hidden : nb->string; found = TRUE; if (no_labels) - printf("%s\n", ((namedlist_block *)(t->data.ptr))->string); + printf("%s\n", s); else - printf("%slist %s = %s\n", types[i], name+1, - ((namedlist_block *)(t->data.ptr))->string); + printf("%slist %s = %s\n", types[i], name+1, s); } if (!found) @@ -2974,18 +2980,19 @@ Arguments: s the text of the option line, starting immediately after the name of the list type tname the name of the list type, for messages + hide do not output value on "-bP" Returns: nothing */ static void read_named_list(tree_node **anchorp, int *numberp, int max, uschar *s, - uschar *tname) + uschar *tname, BOOL hide) { BOOL forcecache = FALSE; uschar *ss; tree_node *t; -namedlist_block *nb = store_get(sizeof(namedlist_block), FALSE); +namedlist_block * nb = store_get(sizeof(namedlist_block), FALSE); if (Ustrncmp(s, "_cache", 6) == 0) { @@ -3015,6 +3022,7 @@ if (!tree_insertnode(anchorp, t)) t->data.ptr = nb; nb->number = *numberp; *numberp += 1; +nb->hide = hide; if (*s++ != '=') log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "missing '=' after \"%s\"", t->name); @@ -3071,80 +3079,6 @@ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "malformed ratelimit data: %s", s); -/************************************************* -* Drop privs for checking TLS config * -*************************************************/ - -/* We want to validate TLS options during readconf, but do not want to be -root when we call into the TLS library, in case of library linkage errors -which cause segfaults; before this check, those were always done as the Exim -runtime user and it makes sense to continue with that. - -Assumes: tls_require_ciphers has been set, if it will be - exim_user has been set, if it will be - exim_group has been set, if it will be - -Returns: bool for "okay"; false will cause caller to immediately exit. -*/ - -#ifndef DISABLE_TLS -static BOOL -tls_dropprivs_validate_require_cipher(BOOL nowarn) -{ -const uschar *errmsg; -pid_t pid; -int rc, status; -void (*oldsignal)(int); - -/* If TLS will never be used, no point checking ciphers */ - -if ( !tls_advertise_hosts - || !*tls_advertise_hosts - || Ustrcmp(tls_advertise_hosts, ":") == 0 - ) - return TRUE; -else if (!nowarn && !tls_certificate) - log_write(0, LOG_MAIN, - "Warning: No server certificate defined; will use a selfsigned one.\n" - " Suggested action: either install a certificate or change tls_advertise_hosts option"); - -oldsignal = signal(SIGCHLD, SIG_DFL); - -fflush(NULL); -if ((pid = fork()) < 0) - log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for TLS check"); - -if (pid == 0) - { - /* in some modes, will have dropped privilege already */ - if (!geteuid()) - exim_setugid(exim_uid, exim_gid, FALSE, - US"calling tls_validate_require_cipher"); - - if ((errmsg = tls_validate_require_cipher())) - log_write(0, LOG_PANIC_DIE|LOG_CONFIG, - "tls_require_ciphers invalid: %s", errmsg); - fflush(NULL); - exim_underbar_exit(0); - } - -do { - rc = waitpid(pid, &status, 0); -} while (rc < 0 && errno == EINTR); - -DEBUG(D_tls) - debug_printf("tls_validate_require_cipher child %d ended: status=0x%x\n", - (int)pid, status); - -signal(SIGCHLD, oldsignal); - -return status == 0; -} -#endif /*DISABLE_TLS*/ - - - - /************************************************* * Read main configuration options * *************************************************/ @@ -3341,47 +3275,42 @@ if (f.trusted_config && Ustrcmp(filename, US"/dev/null")) } } -/* Do a dummy store-allocation of a size related to the (toplevel) file size. -This assumes we will need this much storage to handle all the allocations -during startup; it won't help when .include is being used. When it does, it -will cut down on the number of store blocks (and malloc calls, and sbrk -syscalls). It also assume we're on the relevant pool. */ - -if (statbuf.st_size > 8192) - { - rmark r = store_mark(); - void * dummy = store_get((int)statbuf.st_size, FALSE); - store_reset(r); - } - /* Process the main configuration settings. They all begin with a lower case letter. If we see something starting with an upper case letter, it is taken as a macro definition. */ while ((s = get_config_line())) { + BOOL hide; + uschar * t; + if (config_lineno == 1 && Ustrstr(s, "\xef\xbb\xbf") == s) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "found unexpected BOM (Byte Order Mark)"); - if (isupper(s[0])) - { if (!macro_read_assignment(s)) exim_exit(EXIT_FAILURE, US""); } + if (isupper(*s)) + { + if (!macro_read_assignment(s)) exim_exit(EXIT_FAILURE, US""); + continue; + } + + t = (hide = Ustrncmp(s, "hide", 4) == 0 && isspace(s[4])) ? s + 5 : s; - else if (Ustrncmp(s, "domainlist", 10) == 0) + if (Ustrncmp(t, "domainlist", 10) == 0) read_named_list(&domainlist_anchor, &domainlist_count, - MAX_NAMED_LIST, s+10, US"domain list"); + MAX_NAMED_LIST, t+10, US"domain list", hide); - else if (Ustrncmp(s, "hostlist", 8) == 0) + else if (Ustrncmp(t, "hostlist", 8) == 0) read_named_list(&hostlist_anchor, &hostlist_count, - MAX_NAMED_LIST, s+8, US"host list"); + MAX_NAMED_LIST, t+8, US"host list", hide); - else if (Ustrncmp(s, US"addresslist", 11) == 0) + else if (Ustrncmp(t, US"addresslist", 11) == 0) read_named_list(&addresslist_anchor, &addresslist_count, - MAX_NAMED_LIST, s+11, US"address list"); + MAX_NAMED_LIST, t+11, US"address list", hide); - else if (Ustrncmp(s, US"localpartlist", 13) == 0) + else if (Ustrncmp(t, US"localpartlist", 13) == 0) read_named_list(&localpartlist_anchor, &localpartlist_count, - MAX_NAMED_LIST, s+13, US"local part list"); + MAX_NAMED_LIST, t+13, US"local part list", hide); else (void) readconf_handle_option(s, optionlist_config, optionlist_config_size, @@ -3476,15 +3405,14 @@ smtp_active_hostname = primary_hostname; got set above. Of course, writing to the log may not work if log_file_path is not set, but it will at least get to syslog or somewhere, with any luck. */ -if (*spool_directory == 0) +if (!*spool_directory) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "spool_directory undefined: cannot " "proceed"); /* Expand the spool directory name; it may, for example, contain the primary host name. Same comment about failure. */ -s = expand_string(spool_directory); -if (s == NULL) +if (!(s = expand_string(spool_directory))) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand spool_directory " "\"%s\": %s", spool_directory, expand_string_message); spool_directory = s; @@ -3493,32 +3421,27 @@ spool_directory = s; the null string or "syslog". It is also allowed to contain one instance of %D or %M. However, it must NOT contain % followed by anything else. */ -if (*log_file_path != 0) +if (*log_file_path) { const uschar *ss, *sss; int sep = ':'; /* Fixed for log file path */ - s = expand_string(log_file_path); - if (s == NULL) + if (!(s = expand_string(log_file_path))) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand log_file_path " "\"%s\": %s", log_file_path, expand_string_message); ss = s; - while ((sss = string_nextinlist(&ss,&sep,big_buffer,big_buffer_size)) != NULL) + while ((sss = string_nextinlist(&ss, &sep, big_buffer, big_buffer_size))) { uschar *t; if (sss[0] == 0 || Ustrcmp(sss, "syslog") == 0) continue; - t = Ustrstr(sss, "%s"); - if (t == NULL) + if (!(t = Ustrstr(sss, "%s"))) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_file_path \"%s\" does not " "contain \"%%s\"", sss); *t = 'X'; - t = Ustrchr(sss, '%'); - if (t != NULL) - { + if ((t = Ustrchr(sss, '%'))) if ((t[1] != 'D' && t[1] != 'M') || Ustrchr(t+2, '%') != NULL) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_file_path \"%s\" contains " "unexpected \"%%\" character", s); - } } log_file_path = s; @@ -3661,11 +3584,6 @@ if ((tls_verify_hosts || tls_try_verify_hosts) && !tls_verify_certificates) "tls_%sverify_hosts is set, but tls_verify_certificates is not set", tls_verify_hosts ? "" : "try_"); -/* This also checks that the library linkage is working and we can call -routines in it, so call even if tls_require_ciphers is unset */ -if (!tls_dropprivs_validate_require_cipher(nowarn)) - exit(1); - /* Magic number: at time of writing, 1024 has been the long-standing value used by so many clients, and what Exim used to use always, that it makes sense to just min-clamp this max-clamp at that. */ @@ -3783,7 +3701,7 @@ driver_instance **p = anchor; driver_instance *d = NULL; uschar *buffer; -while ((buffer = get_config_line()) != NULL) +while ((buffer = get_config_line())) { uschar name[64]; uschar *s; @@ -3804,6 +3722,7 @@ while ((buffer = get_config_line()) != NULL) if (!d->driver_name) log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "no driver defined for %s \"%s\"", class, d->name); + /* s is using big_buffer, so this call had better not */ (d->info->init)(d); d = NULL; } @@ -4238,7 +4157,7 @@ Returns: nothing static void auths_init(void) { -#ifdef SUPPORT_PIPE_CONNECT +#ifndef DISABLE_PIPE_CONNECT int nauths = 0; #endif @@ -4264,11 +4183,11 @@ for (auth_instance * au = auths; au; au = au->next) "(%s and %s) have the same public name (%s)", au->client ? US"client" : US"server", au->name, bu->name, au->public_name); -#ifdef SUPPORT_PIPE_CONNECT +#ifndef DISABLE_PIPE_CONNECT nauths++; #endif } -#ifdef SUPPORT_PIPE_CONNECT +#ifndef DISABLE_PIPE_CONNECT f.smtp_in_early_pipe_no_auth = nauths > 16; #endif } @@ -4367,10 +4286,8 @@ log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "local_scan() options not supported: " uschar *p; while ((p = get_config_line())) - { (void) readconf_handle_option(p, local_scan_options, local_scan_options_count, NULL, US"local_scan option \"%s\" unknown"); - } #endif }