X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/8768d5483a5894400ae1f70cda1beb44ed9b087c..ef77ddc9239a2a96442b7708c825235823d6c9ce:/src/src/receive.c diff --git a/src/src/receive.c b/src/src/receive.c index f7124a61f..2223d4645 100644 --- a/src/src/receive.c +++ b/src/src/receive.c @@ -3,6 +3,7 @@ *************************************************/ /* Copyright (c) University of Cambridge 1995 - 2018 */ +/* Copyright (c) The Exim Maintainers 2020 */ /* See the file NOTICE for conditions of use and distribution. */ /* Code for receiving a message and setting up spool files. */ @@ -14,9 +15,9 @@ extern int dcc_ok; #endif -#ifdef EXPERIMENTAL_DMARC +#ifdef SUPPORT_DMARC # include "dmarc.h" -#endif /* EXPERIMENTAL_DMARC */ +#endif /************************************************* * Local static variables * @@ -144,7 +145,7 @@ Returns: available on-root space, in kilobytes All values are -1 if the STATFS functions are not available. */ -int +int_eximarith_t receive_statvfs(BOOL isspool, int *inodeptr) { #ifdef HAVE_STATFS @@ -175,6 +176,7 @@ else empty item in a list. */ if (*p == 0) p = US":"; + /* should never be a tainted list */ while ((path = string_nextinlist(&p, &sep, buffer, sizeof(buffer)))) if (Ustrcmp(path, "syslog") != 0) break; @@ -216,14 +218,14 @@ if (STATVFS(CS path, &statbuf) != 0) log_write(0, LOG_MAIN|LOG_PANIC, "cannot accept message: failed to stat " "%s directory %s: %s", name, path, strerror(errno)); smtp_closedown(US"spool or log directory problem"); - exim_exit(EXIT_FAILURE, NULL); + exim_exit(EXIT_FAILURE); } *inodeptr = (statbuf.F_FILES > 0)? statbuf.F_FAVAIL : -1; /* Disks are getting huge. Take care with computing the size in kilobytes. */ -return (int)(((double)statbuf.F_BAVAIL * (double)statbuf.F_FRSIZE)/1024.0); +return (int_eximarith_t)(((double)statbuf.F_BAVAIL * (double)statbuf.F_FRSIZE)/1024.0); #else /* Unable to find partition sizes in this environment. */ @@ -258,22 +260,23 @@ Returns: FALSE if there isn't enough space, or if the information cannot BOOL receive_check_fs(int msg_size) { -int space, inodes; +int_eximarith_t space; +int inodes; if (check_spool_space > 0 || msg_size > 0 || check_spool_inodes > 0) { space = receive_statvfs(TRUE, &inodes); DEBUG(D_receive) - debug_printf("spool directory space = %dK inodes = %d " - "check_space = %dK inodes = %d msg_size = %d\n", + debug_printf("spool directory space = " PR_EXIM_ARITH "K inodes = %d " + "check_space = " PR_EXIM_ARITH "K inodes = %d msg_size = %d\n", space, inodes, check_spool_space, check_spool_inodes, msg_size); - if ((space >= 0 && space < check_spool_space) || - (inodes >= 0 && inodes < check_spool_inodes)) + if ( space >= 0 && space + msg_size / 1024 < check_spool_space + || inodes >= 0 && inodes < check_spool_inodes) { - log_write(0, LOG_MAIN, "spool directory space check failed: space=%d " - "inodes=%d", space, inodes); + log_write(0, LOG_MAIN, "spool directory space check failed: space=" + PR_EXIM_ARITH " inodes=%d", space, inodes); return FALSE; } } @@ -283,15 +286,15 @@ if (check_log_space > 0 || check_log_inodes > 0) space = receive_statvfs(FALSE, &inodes); DEBUG(D_receive) - debug_printf("log directory space = %dK inodes = %d " - "check_space = %dK inodes = %d\n", + debug_printf("log directory space = " PR_EXIM_ARITH "K inodes = %d " + "check_space = " PR_EXIM_ARITH "K inodes = %d\n", space, inodes, check_log_space, check_log_inodes); - if ((space >= 0 && space < check_log_space) || - (inodes >= 0 && inodes < check_log_inodes)) + if ( space >= 0 && space < check_log_space + || inodes >= 0 && inodes < check_log_inodes) { - log_write(0, LOG_MAIN, "log directory space check failed: space=%d " - "inodes=%d", space, inodes); + log_write(0, LOG_MAIN, "log directory space check failed: space=" PR_EXIM_ARITH + " inodes=%d", space, inodes); return FALSE; } } @@ -371,7 +374,7 @@ if (!already_bombing_out) /* Exit from the program (non-BSMTP cases) */ -exim_exit(EXIT_FAILURE, NULL); +exim_exit(EXIT_FAILURE); } @@ -487,9 +490,16 @@ if (recipients_count >= recipients_list_max) { recipient_item *oldlist = recipients_list; int oldmax = recipients_list_max; - recipients_list_max = recipients_list_max? 2*recipients_list_max : 50; - recipients_list = store_get(recipients_list_max * sizeof(recipient_item)); - if (oldlist != NULL) + + const int safe_recipients_limit = INT_MAX / 2 / sizeof(recipient_item); + if (recipients_list_max < 0 || recipients_list_max >= safe_recipients_limit) + { + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Too many recipients: %d", recipients_list_max); + } + + recipients_list_max = recipients_list_max ? 2*recipients_list_max : 50; + recipients_list = store_get(recipients_list_max * sizeof(recipient_item), FALSE); + if (oldlist) memcpy(recipients_list, oldlist, oldmax * sizeof(recipient_item)); } @@ -553,11 +563,9 @@ Returns: TRUE if it did remove something; FALSE otherwise BOOL receive_remove_recipient(uschar *recipient) { -int count; DEBUG(D_receive) debug_printf("receive_remove_recipient(\"%s\") called\n", recipient); -for (count = 0; count < recipients_count; count++) - { +for (int count = 0; count < recipients_count; count++) if (Ustrcmp(recipients_list[count].address, recipient) == 0) { if ((--recipients_count - count) > 0) @@ -565,7 +573,6 @@ for (count = 0; count < recipients_count; count++) (recipients_count - count)*sizeof(recipient_item)); return TRUE; } - } return FALSE; } @@ -573,6 +580,30 @@ return FALSE; +/* Pause for a while waiting for input. If none received in that time, +close the logfile, if we had one open; then if we wait for a long-running +datasource (months, in one use-case) log rotation will not leave us holding +the file copy. */ + +static void +log_close_chk(void) +{ +if (!receive_timeout) + { + struct timeval t; + timesince(&t, &received_time); + if (t.tv_sec > 30*60) + mainlog_close(); + else + { + fd_set r; + FD_ZERO(&r); FD_SET(0, &r); + t.tv_sec = 30*60 - t.tv_sec; t.tv_usec = 0; + if (select(1, &r, NULL, NULL, &t) == 0) mainlog_close(); + } + } +} + /************************************************* * Read data portion of a non-SMTP message * *************************************************/ @@ -621,9 +652,16 @@ register int linelength = 0; if (!f.dot_ends) { - register int last_ch = '\n'; + int last_ch = '\n'; + +/*XXX we do a gettimeofday before checking for every received char, +which is hardly clever. The function-indirection doesn't help, but +an additional function to check for nonempty read buffer would help. +See stdin_getc() / smtp_getc() / tls_getc() / bdat_getc(). */ - for (; (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF; last_ch = ch) + for ( ; + log_close_chk(), (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF; + last_ch = ch) { if (ch == 0) body_zerocount++; if (last_ch == '\r' && ch != '\n') @@ -665,7 +703,7 @@ if (!f.dot_ends) ch_state = 1; -while ((ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF) +while (log_close_chk(), (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF) { if (ch == 0) body_zerocount++; switch (ch_state) @@ -1143,7 +1181,7 @@ if (error_handling == ERRORS_SENDER) else fprintf(stderr, "exim: %s%s\n", text2, text1); /* Sic */ (void)fclose(f); -exim_exit(error_rc, US""); +exim_exit(error_rc); } @@ -1173,7 +1211,6 @@ Returns: nothing static void add_acl_headers(int where, uschar *acl_name) { -header_line *h, *next; header_line *last_received = NULL; switch(where) @@ -1194,14 +1231,13 @@ if (acl_removed_headers) { DEBUG(D_receive|D_acl) debug_printf_indent(">>Headers removed by %s ACL:\n", acl_name); - for (h = header_list; h; h = h->next) if (h->type != htype_old) + for (header_line * h = header_list; h; h = h->next) if (h->type != htype_old) { const uschar * list = acl_removed_headers; int sep = ':'; /* This is specified as a colon-separated list */ uschar *s; - uschar buffer[128]; - while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer)))) + while ((s = string_nextinlist(&list, &sep, NULL, 0))) if (header_testname(h, s, Ustrlen(s), FALSE)) { h->type = htype_old; @@ -1215,7 +1251,7 @@ if (acl_removed_headers) if (!acl_added_headers) return; DEBUG(D_receive|D_acl) debug_printf_indent(">>Headers added by %s ACL:\n", acl_name); -for (h = acl_added_headers; h; h = next) +for (header_line * h = acl_added_headers, * next; h; h = next) { next = h->next; @@ -1305,15 +1341,12 @@ if (sender_fullhost) if (LOGGING(dnssec) && sender_host_dnssec) /*XXX sender_helo_dnssec? */ g = string_catn(g, US" DS", 3); g = string_append(g, 2, US" H=", sender_fullhost); - if (LOGGING(incoming_interface) && interface_address != NULL) - { - g = string_cat(g, - string_sprintf(" I=[%s]:%d", interface_address, interface_port)); - } + if (LOGGING(incoming_interface) && interface_address) + g = string_fmt_append(g, " I=[%s]:%d", interface_address, interface_port); } if (f.tcp_in_fastopen && !f.tcp_in_fastopen_logged) { - g = string_catn(g, US" TFO", 4); + g = string_catn(g, US" TFO*", f.tcp_in_fastopen_data ? 5 : 4); f.tcp_in_fastopen_logged = TRUE; } if (sender_ident) @@ -1321,7 +1354,17 @@ if (sender_ident) if (received_protocol) g = string_append(g, 2, US" P=", received_protocol); if (LOGGING(pipelining) && f.smtp_in_pipelining_advertised) - g = string_catn(g, US" L-", f.smtp_in_pipelining_used ? 2 : 3); + { + g = string_catn(g, US" L", 2); +#ifndef DISABLE_PIPE_CONNECT + if (f.smtp_in_early_pipe_used) + g = string_catn(g, US"*", 1); + else if (f.smtp_in_early_pipe_advertised) + g = string_catn(g, US".", 1); +#endif + if (!f.smtp_in_pipelining_used) + g = string_catn(g, US"-", 1); + } return g; } @@ -1352,7 +1395,6 @@ run_mime_acl(uschar *acl, BOOL *smtp_yield_ptr, uschar **smtp_reply_ptr, FILE *mbox_file; uschar * rfc822_file_path = NULL; unsigned long mbox_size; -header_line *my_headerlist; uschar *user_msg, *log_msg; int mime_part_count_buffer = -1; uschar * mbox_filename; @@ -1360,7 +1402,8 @@ int rc = OK; /* check if it is a MIME message */ -for (my_headerlist = header_list; my_headerlist; my_headerlist = my_headerlist->next) +for (header_line * my_headerlist = header_list; my_headerlist; + my_headerlist = my_headerlist->next) if ( my_headerlist->type != '*' /* skip deleted headers */ && strncmpic(my_headerlist->text, US"Content-Type:", 13) == 0 ) @@ -1418,7 +1461,7 @@ if (rc == OK) struct dirent * entry; DIR * tempdir; - for (tempdir = opendir(CS scandir); entry = readdir(tempdir); ) + for (tempdir = exim_opendir(scandir); entry = readdir(tempdir); ) if (strncmpic(US entry->d_name, US"__rfc822_", 9) == 0) { rfc822_file_path = string_sprintf("%s/%s", scandir, entry->d_name); @@ -1480,11 +1523,10 @@ return TRUE; void received_header_gen(void) { -uschar *received; -uschar *timestamp; -header_line *received_header= header_list; +uschar * received; +uschar * timestamp = expand_string(US"${tod_full}"); +header_line * received_header= header_list; -timestamp = expand_string(US"${tod_full}"); if (recipients_count == 1) received_for = recipients_list[0].address; received = expand_string(received_header_text); received_for = NULL; @@ -1503,14 +1545,14 @@ so all we have to do is fill in the text pointer, and set the type. However, if the result of the expansion is an empty string, we leave the header marked as "old" so as to refrain from adding a Received header. */ -if (received[0] == 0) +if (!received[0]) { received_header->text = string_sprintf("Received: ; %s\n", timestamp); received_header->type = htype_old; } else { - received_header->text = string_sprintf("%s; %s\n", received, timestamp); + received_header->text = string_sprintf("%s;\n\t%s\n", received, timestamp); received_header->type = htype_received; } @@ -1615,7 +1657,6 @@ not. */ BOOL receive_msg(BOOL extract_recip) { -int i; int rc = FAIL; int msg_size = 0; int process_info_len = Ustrlen(process_info); @@ -1623,7 +1664,7 @@ int error_rc = error_handling == ERRORS_SENDER ? errors_sender_rc : EXIT_FAILURE; int header_size = 256; int start, end, domain; -int id_resolution; +int id_resolution = 0; int had_zero = 0; int prevlines_length = 0; @@ -1648,6 +1689,7 @@ uschar *frozen_by = NULL; uschar *queued_by = NULL; uschar *errmsg; +rmark rcvd_log_reset_point; gstring * g; struct stat statbuf; @@ -1658,7 +1700,8 @@ uschar *user_msg, *log_msg; /* Working header pointers */ -header_line *h, *next; +rmark reset_point; +header_line *next; /* Flags for noting the existence of certain headers (only one left) */ @@ -1670,10 +1713,7 @@ header_line *from_header = NULL; header_line *subject_header = NULL; header_line *msgid_header = NULL; header_line *received_header; - -#ifdef EXPERIMENTAL_DMARC -int dmarc_up = 0; -#endif /* EXPERIMENTAL_DMARC */ +BOOL msgid_header_newly_created = FALSE; /* Variables for use when building the Received: header. */ @@ -1697,7 +1737,7 @@ if (extract_recip || !smtp_input) header. Temporarily mark it as "old", i.e. not to be used. We keep header_last pointing to the end of the chain to make adding headers simple. */ -received_header = header_list = header_last = store_get(sizeof(header_line)); +received_header = header_list = header_last = store_get(sizeof(header_line), FALSE); header_list->next = NULL; header_list->type = htype_old; header_list->text = NULL; @@ -1705,8 +1745,9 @@ header_list->slen = 0; /* Control block for the next header to be read. */ -next = store_get(sizeof(header_line)); -next->text = store_get(header_size); +reset_point = store_mark(); +next = store_get(sizeof(header_line), FALSE); /* not tainted */ +next->text = store_get(header_size, TRUE); /* tainted */ /* Initialize message id to be null (indicating no message read), and the header names list to be the normal list. Indicate there is no data file open @@ -1727,6 +1768,13 @@ if (thismessage_size_limit <= 0) thismessage_size_limit = INT_MAX; message_linecount = body_linecount = body_zerocount = max_received_linelength = 0; +#ifdef WITH_CONTENT_SCAN +/* reset non-per-part mime variables */ +mime_is_coverletter = 0; +mime_is_rfc822 = 0; +mime_part_count = -1; +#endif + #ifndef DISABLE_DKIM /* Call into DKIM to set up the context. In CHUNKING mode we clear the dot-stuffing flag */ @@ -1734,16 +1782,15 @@ if (smtp_input && !smtp_batched_input && !f.dkim_disable_verify) dkim_exim_verify_init(chunking_state <= CHUNKING_OFFERED); #endif -#ifdef EXPERIMENTAL_DMARC -/* initialize libopendmarc */ -dmarc_up = dmarc_init(); +#ifdef SUPPORT_DMARC +if (sender_host_address) dmarc_init(); /* initialize libopendmarc */ #endif /* Remember the time of reception. Exim uses time+pid for uniqueness of message ids, and fractions of a second are required. See the comments that precede the message id creation below. */ -(void)gettimeofday(&message_id_tv, NULL); +exim_gettime(&message_id_tv); /* For other uses of the received time we can operate with granularity of one second, and for that we use the global variable received_time. This is for @@ -1764,7 +1811,7 @@ single timeout for the whole message. */ else if (receive_timeout > 0) { os_non_restarting_signal(SIGALRM, data_timeout_handler); - alarm(receive_timeout); + ALARM(receive_timeout); } /* SIGTERM and SIGINT are caught always. */ @@ -1819,10 +1866,15 @@ for (;;) if (ptr >= header_size - 4) { int oldsize = header_size; - /* header_size += 256; */ + + if (header_size >= INT_MAX/2) + goto OVERSIZE; header_size *= 2; - if (!store_extend(next->text, oldsize, header_size)) - next->text = store_newblock(next->text, header_size, ptr); + + /* The data came from the message, so is tainted. */ + + if (!store_extend(next->text, TRUE, oldsize, header_size)) + next->text = store_newblock(next->text, TRUE, header_size, ptr); } /* Cope with receiving a binary zero. There is dispute about whether @@ -1877,7 +1929,7 @@ for (;;) if (ch == '\n') { message_ended = END_DOT; - store_reset(next); + reset_point = store_reset(reset_point); next = NULL; break; /* End character-reading loop */ } @@ -1926,6 +1978,7 @@ for (;;) if (message_size >= header_maxsize) { +OVERSIZE: next->text[ptr] = 0; next->slen = ptr; next->type = htype_other; @@ -1982,7 +2035,7 @@ for (;;) if (ptr == 1) { - store_reset(next); + reset_point = store_reset(reset_point); next = NULL; break; } @@ -1997,7 +2050,8 @@ for (;;) if (nextch == ' ' || nextch == '\t') { next->text[ptr++] = nextch; - message_size++; + if (++message_size >= header_maxsize) + goto OVERSIZE; continue; /* Iterate the loop */ } else if (nextch != EOF) (receive_ungetc)(nextch); /* For next time */ @@ -2010,7 +2064,7 @@ for (;;) next->text[ptr] = 0; next->slen = ptr; - store_reset(next->text + ptr + 1); + store_release_above(next->text + ptr + 1); /* Check the running total size against the overall message size limit. We don't expect to fail here, but if the overall limit is set less than MESSAGE_ @@ -2075,7 +2129,8 @@ for (;;) if (newsender) { if (domain == 0 && newsender[0] != 0) - newsender = rewrite_address_qualify(newsender, FALSE); + /* deconst ok as newsender was not const */ + newsender = US rewrite_address_qualify(newsender, FALSE); if (filter_test != FTEST_NONE || receive_check_set_sender(newsender)) { @@ -2120,7 +2175,8 @@ for (;;) the line, stomp on them here. */ if (had_zero > 0) - for (p = next->text; p < next->text + ptr; p++) if (*p == 0) *p = '?'; + for (uschar * p = next->text; p < next->text + ptr; p++) if (*p == 0) + *p = '?'; /* It is perfectly legal to have an empty continuation line at the end of a header, but it is confusing to humans @@ -2205,9 +2261,10 @@ for (;;) /* Set up for the next header */ + reset_point = store_mark(); header_size = 256; - next = store_get(sizeof(header_line)); - next->text = store_get(header_size); + next = store_get(sizeof(header_line), FALSE); + next->text = store_get(header_size, TRUE); ptr = 0; had_zero = 0; prevlines_length = 0; @@ -2222,7 +2279,7 @@ normal case). */ DEBUG(D_receive) { debug_printf(">>Headers received:\n"); - for (h = header_list->next; h; h = h->next) + for (header_line * h = header_list->next; h; h = h->next) debug_printf("%s", h->text); debug_printf("\n"); } @@ -2249,7 +2306,7 @@ if (filter_test != FTEST_NONE && header_list->next == NULL) /* Scan the headers to identify them. Some are merely marked for later processing; some are dealt with here. */ -for (h = header_list->next; h; h = h->next) +for (header_line * h = header_list->next; h; h = h->next) { BOOL is_resent = strncmpic(h->text, US"resent-", 7) == 0; if (is_resent) contains_resent_headers = TRUE; @@ -2453,7 +2510,7 @@ if (extract_recip) { while (recipients_count-- > 0) { - uschar *s = rewrite_address(recipients_list[recipients_count].address, + const uschar * s = rewrite_address(recipients_list[recipients_count].address, TRUE, TRUE, global_rewrite_rules, rewrite_existflags); tree_add_nonrecipient(s); } @@ -2463,7 +2520,7 @@ if (extract_recip) /* Now scan the headers */ - for (h = header_list->next; h; h = h->next) + for (header_line * h = header_list->next; h; h = h->next) { if ((h->type == htype_to || h->type == htype_cc || h->type == htype_bcc) && (!contains_resent_headers || strncmpic(h->text, US"resent-", 7) == 0)) @@ -2476,7 +2533,7 @@ if (extract_recip) while (*s != 0) { uschar *ss = parse_find_address_end(s, FALSE); - uschar *recipient, *errmess, *p, *pp; + uschar *recipient, *errmess, *pp; int start, end, domain; /* Check on maximum */ @@ -2491,8 +2548,8 @@ if (extract_recip) white space that follows the newline must not be removed - it is part of the header. */ - pp = recipient = store_get(ss - s + 1); - for (p = s; p < ss; p++) if (*p != '\n') *pp++ = *p; + pp = recipient = store_get(ss - s + 1, is_tainted(s)); + for (uschar * p = s; p < ss; p++) if (*p != '\n') *pp++ = *p; *pp = 0; #ifdef SUPPORT_I18N @@ -2504,11 +2561,12 @@ if (extract_recip) &domain, FALSE); #ifdef SUPPORT_I18N - if (string_is_utf8(recipient)) - message_smtputf8 = TRUE; - else - allow_utf8_domains = b; + if (recipient) + if (string_is_utf8(recipient)) message_smtputf8 = TRUE; + else allow_utf8_domains = b; } +#else + ; #endif /* Keep a list of all the bad addresses so we can send a single @@ -2519,10 +2577,10 @@ if (extract_recip) If there are no recipients at all, an error will occur later. */ - if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0) + if (!recipient && Ustrcmp(errmess, "empty address") != 0) { int len = Ustrlen(s); - error_block *b = store_get(sizeof(error_block)); + error_block *b = store_get(sizeof(error_block), FALSE); while (len > 0 && isspace(s[len-1])) len--; b->next = NULL; b->text1 = string_printing(string_copyn(s, len)); @@ -2625,7 +2683,7 @@ the message, if necessary (we hope it won't be). */ if (host_number_string) { - id_resolution = (BASE_62 == 62)? 5000 : 10000; + id_resolution = BASE_62 == 62 ? 5000 : 10000; sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s", string_base62((long int)( host_number * (1000000/id_resolution) + @@ -2637,7 +2695,7 @@ appropriate resolution. */ else { - id_resolution = (BASE_62 == 62)? 500 : 1000; + id_resolution = BASE_62 == 62 ? 500 : 1000; sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s", string_base62((long int)(message_id_tv.tv_usec/id_resolution)) + 4); } @@ -2652,7 +2710,7 @@ it will fit. */ to be the least significant base-62 digit of the time of arrival. Otherwise ensure that it is an empty string. */ -message_subdir[0] = split_spool_directory ? message_id[5] : 0; +set_subdir_str(message_subdir, message_id, 0); /* Now that we have the message-id, if there is no message-id: header, generate one, but only for local (without suppress_local_fixups) or submission mode @@ -2662,9 +2720,9 @@ any illegal characters therein. */ if ( !msgid_header && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode)) { - uschar *p; uschar *id_text = US""; uschar *id_domain = primary_hostname; + header_line * h; /* Permit only letters, digits, dots, and hyphens in the domain */ @@ -2681,7 +2739,7 @@ if ( !msgid_header else if (*new_id_domain) { id_domain = new_id_domain; - for (p = id_domain; *p; p++) + for (uschar * p = id_domain; *p; p++) if (!isalnum(*p) && *p != '.') *p = '-'; /* No need to test '-' ! */ } } @@ -2702,17 +2760,25 @@ if ( !msgid_header else if (*new_id_text) { id_text = new_id_text; - for (p = id_text; *p; p++) if (mac_iscntrl_or_special(*p)) *p = '-'; + for (uschar * p = id_text; *p; p++) if (mac_iscntrl_or_special(*p)) *p = '-'; } } - /* Add the header line - * Resent-* headers are prepended, per RFC 5322 3.6.6. Non-Resent-* are - * appended, to preserve classical expectations of header ordering. */ + /* Add the header line. + Resent-* headers are prepended, per RFC 5322 3.6.6. Non-Resent-* are + appended, to preserve classical expectations of header ordering. */ - header_add_at_position(!resents_exist, NULL, FALSE, htype_id, + h = header_add_at_position_internal(!resents_exist, NULL, FALSE, htype_id, "%sMessage-Id: <%s%s%s@%s>\n", resent_prefix, message_id_external, - (*id_text == 0)? "" : ".", id_text, id_domain); + *id_text == 0 ? "" : ".", id_text, id_domain); + + /* Arrange for newly-created Message-Id to be logged */ + + if (!resents_exist) + { + msgid_header_newly_created = TRUE; + msgid_header = h; + } } /* If we are to log recipients, keep a copy of the raw ones before any possible @@ -2721,8 +2787,8 @@ function may mess with the real recipients. */ if (LOGGING(received_recipients)) { - raw_recipients = store_get(recipients_count * sizeof(uschar *)); - for (i = 0; i < recipients_count; i++) + raw_recipients = store_get(recipients_count * sizeof(uschar *), FALSE); + for (int i = 0; i < recipients_count; i++) raw_recipients[i] = string_copy(recipients_list[i].address); raw_recipients_count = recipients_count; } @@ -2731,9 +2797,9 @@ if (LOGGING(received_recipients)) recipients will get here only if the conditions were right (allow_unqualified_ recipient is TRUE). */ -for (i = 0; i < recipients_count; i++) - recipients_list[i].address = - rewrite_address(recipients_list[i].address, TRUE, TRUE, +for (int i = 0; i < recipients_count; i++) + recipients_list[i].address = /* deconst ok as src was not cont */ + US rewrite_address(recipients_list[i].address, TRUE, TRUE, global_rewrite_rules, rewrite_existflags); /* If there is no From: header, generate one for local (without @@ -2748,7 +2814,7 @@ From:) but we still want to ensure a valid Sender: if it is required. */ if ( !from_header && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode)) { - uschar *oname = US""; + const uschar * oname = US""; /* Use the originator_name if this is a locally submitted message and the caller is not trusted. For trusted callers, use it only if -F was used to @@ -2862,9 +2928,8 @@ if ( from_header uschar *at = domain ? from_address + domain - 1 : NULL; if (at) *at = 0; - from_address += route_check_prefix(from_address, local_from_prefix); - slen = route_check_suffix(from_address, local_from_suffix); - if (slen > 0) + from_address += route_check_prefix(from_address, local_from_prefix, NULL); + if ((slen = route_check_suffix(from_address, local_from_suffix, NULL)) > 0) { memmove(from_address+slen, from_address, Ustrlen(from_address)-slen); from_address += slen; @@ -2909,7 +2974,8 @@ it has already been rewritten as part of verification for SMTP input. */ if (global_rewrite_rules && !sender_address_unrewritten && *sender_address) { - sender_address = rewrite_address(sender_address, FALSE, TRUE, + /* deconst ok as src was not const */ + sender_address = US rewrite_address(sender_address, FALSE, TRUE, global_rewrite_rules, rewrite_existflags); DEBUG(D_receive|D_rewrite) debug_printf("rewritten sender = %s\n", sender_address); @@ -2930,7 +2996,7 @@ We start at the second header, skipping our own Received:. This rewriting is documented as happening *after* recipient addresses are taken from the headers by the -t command line option. An added Sender: gets rewritten here. */ -for (h = header_list->next; h; h = h->next) +for (header_line * h = header_list->next; h; h = h->next) { header_line *newh = rewrite_header(h, NULL, NULL, global_rewrite_rules, rewrite_existflags, TRUE); @@ -2969,7 +3035,7 @@ new Received:) has not yet been set. */ DEBUG(D_receive) { debug_printf(">>Headers after rewriting and local additions:\n"); - for (h = header_list->next; h; h = h->next) + for (header_line * h = header_list->next; h; h = h->next) debug_printf("%c %s", h->type, h->text); debug_printf("\n"); } @@ -3042,7 +3108,7 @@ if ((data_fd = Uopen(spool_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE)) < 0) /* Make sure the file's group is the Exim gid, and double-check the mode because the group setting doesn't always get set automatically. */ -if (fchown(data_fd, exim_uid, exim_gid)) +if (0 != exim_fchown(data_fd, exim_uid, exim_gid, spool_name)) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed setting ownership on spool file %s: %s", spool_name, strerror(errno)); @@ -3215,7 +3281,7 @@ if (fflush(spool_data_file) == EOF || ferror(spool_data_file) || /* No I/O errors were encountered while writing the data file. */ DEBUG(D_receive) debug_printf("Data file written for message %s\n", message_id); -if (LOGGING(receive_time)) timesince(&received_time_taken, &received_time); +gettimeofday(&received_time_complete, NULL); /* If there were any bad addresses extracted by -t, or there were no recipients @@ -3236,16 +3302,15 @@ if (extract_recip && (bad_addresses || recipients_count == 0)) if (recipients_count == 0) debug_printf("*** No recipients\n"); if (bad_addresses) { - error_block *eblock = bad_addresses; debug_printf("*** Bad address(es)\n"); - while (eblock != NULL) - { + for (error_block * eblock = bad_addresses; eblock; eblock = eblock->next) debug_printf(" %s: %s\n", eblock->text1, eblock->text2); - eblock = eblock->next; - } } } + log_write(0, LOG_MAIN|LOG_PANIC, "%s %s found in headers", + message_id, bad_addresses ? "bad addresses" : "no recipients"); + fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); /* If configured to send errors to the sender, but this fails, force @@ -3257,11 +3322,12 @@ if (extract_recip && (bad_addresses || recipients_count == 0)) if (error_handling == ERRORS_SENDER) { if (!moan_to_sender( - (bad_addresses == NULL)? - (extracted_ignored? ERRMESS_IGADDRESS : ERRMESS_NOADDRESS) : - (recipients_list == NULL)? ERRMESS_BADNOADDRESS : ERRMESS_BADADDRESS, - bad_addresses, header_list, spool_data_file, FALSE)) - error_rc = (bad_addresses == NULL)? EXIT_NORECIPIENTS : EXIT_FAILURE; + bad_addresses + ? recipients_list ? ERRMESS_BADADDRESS : ERRMESS_BADNOADDRESS + : extracted_ignored ? ERRMESS_IGADDRESS : ERRMESS_NOADDRESS, + bad_addresses, header_list, spool_data_file, FALSE + ) ) + error_rc = bad_addresses ? EXIT_FAILURE : EXIT_NORECIPIENTS; } else { @@ -3284,7 +3350,7 @@ if (extract_recip && (bad_addresses || recipients_count == 0)) { Uunlink(spool_name); (void)fclose(spool_data_file); - exim_exit(error_rc, US"receiving"); + exim_exit(error_rc); } } @@ -3449,20 +3515,19 @@ else goto TIDYUP; #endif /* WITH_CONTENT_SCAN */ -#ifdef EXPERIMENTAL_DMARC - dmarc_up = dmarc_store_data(from_header); -#endif /* EXPERIMENTAL_DMARC */ +#ifdef SUPPORT_DMARC + dmarc_store_data(from_header); +#endif #ifndef DISABLE_PRDR if (prdr_requested && recipients_count > 1 && acl_smtp_data_prdr) { - unsigned int c; int all_pass = OK; int all_fail = FAIL; smtp_printf("353 PRDR content analysis beginning\r\n", TRUE); /* Loop through recipients, responses must be in same order received */ - for (c = 0; recipients_count > c; c++) + for (unsigned int c = 0; recipients_count > c; c++) { uschar * addr= recipients_list[c].address; uschar * msg= US"PRDR R=<%s> %s"; @@ -3657,9 +3722,9 @@ if (sigsetjmp(local_scan_env, 1) == 0) had_local_scan_timeout = 0; os_non_restarting_signal(SIGALRM, local_scan_timeout_handler); - if (local_scan_timeout > 0) alarm(local_scan_timeout); + if (local_scan_timeout > 0) ALARM(local_scan_timeout); rc = local_scan(data_fd, &local_scan_data); - alarm(0); + ALARM_CLR(0); os_non_restarting_signal(SIGALRM, sigalrm_handler); f.enable_dollar_recipients = FALSE; @@ -3728,18 +3793,15 @@ the spool file gets corrupted. Ensure that all recipients are qualified. */ if (rc == LOCAL_SCAN_ACCEPT) { if (local_scan_data) - { - uschar *s; - for (s = local_scan_data; *s != 0; s++) if (*s == '\n') *s = ' '; - } - for (i = 0; i < recipients_count; i++) + for (uschar * s = local_scan_data; *s != 0; s++) if (*s == '\n') *s = ' '; + for (int i = 0; i < recipients_count; i++) { recipient_item *r = recipients_list + i; r->address = rewrite_address_qualify(r->address, TRUE); - if (r->errors_to != NULL) + if (r->errors_to) r->errors_to = rewrite_address_qualify(r->errors_to, TRUE); } - if (recipients_count == 0 && blackholed_by == NULL) + if (recipients_count == 0 && !blackholed_by) blackholed_by = US"local_scan"; } @@ -3791,7 +3853,6 @@ else string_from_gstring(g), istemp, string_printing(errmsg)); if (smtp_input) - { if (!smtp_batched_input) { smtp_respond(smtp_code, 3, TRUE, errmsg); @@ -3802,7 +3863,6 @@ else else moan_smtp_batch(NULL, "%s %s", smtp_code, errmsg); /* Does not return */ - } else { fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); @@ -3858,10 +3918,9 @@ file fails, we have failed to accept this message. */ if (host_checking || blackholed_by) { - header_line *h; Uunlink(spool_name); msg_size = 0; /* Compute size for log line */ - for (h = header_list; h; h = h->next) + for (header_line * h = header_list; h; h = h->next) if (h->type != '*') msg_size += h->slen; } @@ -3893,16 +3952,6 @@ else receive_messagecount++; -/* In SMTP sessions we may receive several in one connection. After each one, -we wait for the clock to tick at the level of message-id granularity. This is -so that the combination of time+pid is unique, even on systems where the pid -can be re-used within our time interval. We can't shorten the interval without -re-designing the message-id. See comments above where the message id is -created. This is Something For The Future. */ - -message_id_tv.tv_usec = (message_id_tv.tv_usec/id_resolution) * id_resolution; -exim_wait_tick(&message_id_tv, id_resolution); - /* Add data size to written header size. We do not count the initial file name that is in the file, but we do add one extra for the notional blank line that precedes the data. This total differs from message_size in that it include the @@ -3939,6 +3988,7 @@ it first! Include any message id that is in the message - since the syntax of a message id is actually an addr-spec, we can use the parse routine to canonicalize it. */ +rcvd_log_reset_point = store_mark(); g = string_get(256); g = string_append(g, 2, @@ -3949,15 +3999,21 @@ if (message_reference) g = add_host_info_for_log(g); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (LOGGING(tls_cipher) && tls_in.cipher) + { g = string_append(g, 2, US" X=", tls_in.cipher); +# ifndef DISABLE_TLS_RESUME + if (LOGGING(tls_resumption) && tls_in.resumption & RESUME_USED) + g = string_catn(g, US"*", 1); +# endif + } if (LOGGING(tls_certificate_verified) && tls_in.cipher) g = string_append(g, 2, US" CV=", tls_in.certificate_verified ? "yes":"no"); if (LOGGING(tls_peerdn) && tls_in.peerdn) g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\""); if (LOGGING(tls_sni) && tls_in.sni) - g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\""); + g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE)); #endif if (sender_host_authenticated) @@ -3984,18 +4040,14 @@ if (proxy_session && LOGGING(proxy)) if (chunking_state > CHUNKING_OFFERED) g = string_catn(g, US" K", 2); -sprintf(CS big_buffer, "%d", msg_size); -g = string_append(g, 2, US" S=", big_buffer); +g = string_fmt_append(g, " S=%d", msg_size); /* log 8BITMIME mode announced in MAIL_FROM 0 ... no BODY= used 7 ... 7BIT 8 ... 8BITMIME */ if (LOGGING(8bitmime)) - { - sprintf(CS big_buffer, "%d", body_8bitmime); - g = string_append(g, 2, US" M8S=", big_buffer); - } + g = string_fmt_append(g, " M8S=%d", body_8bitmime); #ifndef DISABLE_DKIM if (LOGGING(dkim) && dkim_verify_overall) @@ -4007,7 +4059,11 @@ if (LOGGING(dkim) && arc_state && Ustrcmp(arc_state, "pass") == 0) #endif if (LOGGING(receive_time)) - g = string_append(g, 2, US" RT=", string_timediff(&received_time_taken)); + { + struct timeval diff = received_time_complete; + timediff(&diff, &received_time); + g = string_append(g, 2, US" RT=", string_timediff(&diff)); + } if (*queue_name) g = string_append(g, 2, US" Q=", queue_name); @@ -4017,16 +4073,20 @@ any characters except " \ and CR and so in particular it can contain NL! Therefore, make sure we use a printing-characters only version for the log. Also, allow for domain literals in the message id. */ -if (msgid_header) +if ( LOGGING(msg_id) && msgid_header + && (LOGGING(msg_id_created) || !msgid_header_newly_created) + ) { - uschar *old_id; + uschar * old_id; BOOL save_allow_domain_literals = allow_domain_literals; allow_domain_literals = TRUE; old_id = parse_extract_address(Ustrchr(msgid_header->text, ':') + 1, &errmsg, &start, &end, &domain, FALSE); allow_domain_literals = save_allow_domain_literals; - if (old_id != NULL) - g = string_append(g, 2, US" id=", string_printing(old_id)); + if (old_id) + g = string_append(g, 2, + msgid_header_newly_created ? US" id*=" : US" id=", + string_printing(old_id)); } /* If subject logging is turned on, create suitable printing-character @@ -4034,7 +4094,6 @@ text. By expanding $h_subject: we make use of the MIME decoding. */ if (LOGGING(subject) && subject_header) { - int i; uschar *p = big_buffer; uschar *ss = expand_string(US"$h_subject:"); @@ -4042,7 +4101,7 @@ if (LOGGING(subject) && subject_header) a C-like string, and turn any non-printers into escape sequences. */ *p++ = '\"'; - if (*ss != 0) for (i = 0; i < 100 && ss[i] != 0; i++) + if (*ss != 0) for (int i = 0; i < 100 && ss[i] != 0; i++) { if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\'; *p++ = ss[i]; @@ -4066,7 +4125,7 @@ if (message_logs && !blackholed_by) { int fd; uschar * m_name = spool_fname(US"msglog", message_subdir, message_id, US""); - + if ( (fd = Uopen(m_name, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE)) < 0 && errno == ENOENT ) @@ -4131,12 +4190,10 @@ response, but the chance of this happening should be small. */ if (smtp_input && sender_host_address && !f.sender_host_notsocket && !receive_smtp_buffered()) { - struct timeval tv; + struct timeval tv = {.tv_sec = 0, .tv_usec = 0}; fd_set select_check; FD_ZERO(&select_check); FD_SET(fileno(smtp_in), &select_check); - tv.tv_sec = 0; - tv.tv_usec = 0; if (select(fileno(smtp_in) + 1, &select_check, NULL, NULL, &tv) != 0) { @@ -4193,7 +4250,7 @@ if(cutthrough.cctx.sock >= 0 && cutthrough.delivery) case '4': /* Temp-reject. Keep spoolfiles and accept, unless defer-pass mode. ... for which, pass back the exact error */ - if (cutthrough.defer_pass) smtp_reply = string_copy_malloc(msg); + if (cutthrough.defer_pass) smtp_reply = string_copy_perm(msg, TRUE); cutthrough_done = TMP_REJ; /* Avoid the usual immediate delivery attempt */ break; /* message_id needed for SMTP accept below */ @@ -4203,7 +4260,7 @@ if(cutthrough.cctx.sock >= 0 && cutthrough.delivery) break; /* message_id needed for SMTP accept below */ case '5': /* Perm-reject. Do the same to the source. Dump any spoolfiles */ - smtp_reply = string_copy_malloc(msg); /* Pass on the exact error */ + smtp_reply = string_copy_perm(msg, TRUE); /* Pass on the exact error */ cutthrough_done = PERM_REJ; break; } @@ -4225,12 +4282,13 @@ if(!smtp_reply) if (f.deliver_freeze) log_write(0, LOG_MAIN, "frozen by %s", frozen_by); if (f.queue_only_policy) log_write(L_delay_delivery, LOG_MAIN, "no immediate delivery: queued%s%s by %s", - *queue_name ? " in " : "", *queue_name ? CS queue_name : "", + *queue_name ? " in " : "", *queue_name ? CS queue_name : "", queued_by); } f.receive_call_bombout = FALSE; -store_reset(g); /* The store for the main log message can be reused */ +/* The store for the main log message can be reused */ +rcvd_log_reset_point = store_reset(rcvd_log_reset_point); /* If the message is frozen, and freeze_tell is set, do the telling. */ @@ -4261,6 +4319,23 @@ then we can think about properly declaring the message not-received. */ TIDYUP: +/* In SMTP sessions we may receive several messages in one connection. After +each one, we wait for the clock to tick at the level of message-id granularity. +This is so that the combination of time+pid is unique, even on systems where the +pid can be re-used within our time interval. We can't shorten the interval +without re-designing the message-id. See comments above where the message id is +created. This is Something For The Future. +Do this wait any time we have created a message-id, even if we rejected the +message. This gives unique IDs for logging done by ACLs. */ + +if (id_resolution != 0) + { + message_id_tv.tv_usec = (message_id_tv.tv_usec/id_resolution) * id_resolution; + exim_wait_tick(&message_id_tv, id_resolution); + id_resolution = 0; + } + + process_info[process_info_len] = 0; /* Remove message id */ if (spool_data_file && cutthrough_done == NOT_TRIED) { @@ -4311,12 +4386,17 @@ if (smtp_input) else if (chunking_state > CHUNKING_OFFERED) { - smtp_printf("250- %u byte chunk, total %d\r\n250 OK id=%s\r\n", FALSE, + /* If there is more input waiting, no need to flush (probably the client + pipelined QUIT after data). We check only the in-process buffer, not + the socket. */ + + smtp_printf("250- %u byte chunk, total %d\r\n250 OK id=%s\r\n", + receive_smtp_buffered(), chunking_datasize, message_size+message_linecount, message_id); chunking_state = CHUNKING_OFFERED; } else - smtp_printf("250 OK id=%s\r\n", FALSE, message_id); + smtp_printf("250 OK id=%s\r\n", receive_smtp_buffered(), message_id); if (host_checking) fprintf(stdout,