X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/d342446f29e81eddd4845cbf23e9454b9fc406e2..87359fb001c9fb4d450a35a0b5f6642c16c78c34:/src/src/receive.c diff --git a/src/src/receive.c b/src/src/receive.c index cba53c20d..76b4d378d 100644 --- a/src/src/receive.c +++ b/src/src/receive.c @@ -3,30 +3,37 @@ *************************************************/ /* Copyright (c) University of Cambridge 1995 - 2018 */ +/* Copyright (c) The Exim Maintainers 2020 */ /* See the file NOTICE for conditions of use and distribution. */ /* Code for receiving a message and setting up spool files. */ #include "exim.h" +#include #ifdef EXPERIMENTAL_DCC extern int dcc_ok; #endif -#ifdef EXPERIMENTAL_DMARC +#ifdef SUPPORT_DMARC # include "dmarc.h" -#endif /* EXPERIMENTAL_DMARC */ +#endif /************************************************* * Local static variables * *************************************************/ -static FILE *data_file = NULL; static int data_fd = -1; static uschar *spool_name = US""; enum CH_STATE {LF_SEEN, MID_LINE, CR_SEEN}; +#ifdef HAVE_LOCAL_SCAN +jmp_buf local_scan_env; /* error-handling context for local_scan */ +unsigned had_local_scan_crash; +unsigned had_local_scan_timeout; +#endif + /************************************************* * Non-SMTP character reading functions * @@ -40,7 +47,27 @@ changing the pointer variables.) */ int stdin_getc(unsigned lim) { -return getc(stdin); +int c = getc(stdin); + +if (had_data_timeout) + { + fprintf(stderr, "exim: timed out while reading - message abandoned\n"); + log_write(L_lost_incoming_connection, + LOG_MAIN, "timed out while reading local message"); + receive_bomb_out(US"data-timeout", NULL); /* Does not return */ + } +if (had_data_sigint) + { + if (filter_test == FTEST_NONE) + { + fprintf(stderr, "\nexim: %s received - message abandoned\n", + had_data_sigint == SIGTERM ? "SIGTERM" : "SIGINT"); + log_write(0, LOG_MAIN, "%s received while reading local message", + had_data_sigint == SIGTERM ? "SIGTERM" : "SIGINT"); + } + receive_bomb_out(US"signal-exit", NULL); /* Does not return */ + } +return c; } int @@ -83,7 +110,7 @@ BOOL receive_check_set_sender(uschar *newsender) { uschar *qnewsender; -if (trusted_caller) return TRUE; +if (f.trusted_caller) return TRUE; if (!newsender || !untrusted_set_sender) return FALSE; qnewsender = Ustrchr(newsender, '@') ? newsender : string_sprintf("%s@%s", newsender, qualify_domain_sender); @@ -118,7 +145,7 @@ Returns: available on-root space, in kilobytes All values are -1 if the STATFS functions are not available. */ -int +int_eximarith_t receive_statvfs(BOOL isspool, int *inodeptr) { #ifdef HAVE_STATFS @@ -190,14 +217,14 @@ if (STATVFS(CS path, &statbuf) != 0) log_write(0, LOG_MAIN|LOG_PANIC, "cannot accept message: failed to stat " "%s directory %s: %s", name, path, strerror(errno)); smtp_closedown(US"spool or log directory problem"); - exim_exit(EXIT_FAILURE, NULL); + exim_exit(EXIT_FAILURE); } *inodeptr = (statbuf.F_FILES > 0)? statbuf.F_FAVAIL : -1; /* Disks are getting huge. Take care with computing the size in kilobytes. */ -return (int)(((double)statbuf.F_BAVAIL * (double)statbuf.F_FRSIZE)/1024.0); +return (int_eximarith_t)(((double)statbuf.F_BAVAIL * (double)statbuf.F_FRSIZE)/1024.0); #else /* Unable to find partition sizes in this environment. */ @@ -232,22 +259,23 @@ Returns: FALSE if there isn't enough space, or if the information cannot BOOL receive_check_fs(int msg_size) { -int space, inodes; +int_eximarith_t space; +int inodes; if (check_spool_space > 0 || msg_size > 0 || check_spool_inodes > 0) { space = receive_statvfs(TRUE, &inodes); DEBUG(D_receive) - debug_printf("spool directory space = %dK inodes = %d " - "check_space = %dK inodes = %d msg_size = %d\n", + debug_printf("spool directory space = " PR_EXIM_ARITH "K inodes = %d " + "check_space = " PR_EXIM_ARITH "K inodes = %d msg_size = %d\n", space, inodes, check_spool_space, check_spool_inodes, msg_size); - if ((space >= 0 && space < check_spool_space) || - (inodes >= 0 && inodes < check_spool_inodes)) + if ( space >= 0 && space + msg_size / 1024 < check_spool_space + || inodes >= 0 && inodes < check_spool_inodes) { - log_write(0, LOG_MAIN, "spool directory space check failed: space=%d " - "inodes=%d", space, inodes); + log_write(0, LOG_MAIN, "spool directory space check failed: space=" + PR_EXIM_ARITH " inodes=%d", space, inodes); return FALSE; } } @@ -257,15 +285,15 @@ if (check_log_space > 0 || check_log_inodes > 0) space = receive_statvfs(FALSE, &inodes); DEBUG(D_receive) - debug_printf("log directory space = %dK inodes = %d " - "check_space = %dK inodes = %d\n", + debug_printf("log directory space = " PR_EXIM_ARITH "K inodes = %d " + "check_space = " PR_EXIM_ARITH "K inodes = %d\n", space, inodes, check_log_space, check_log_inodes); - if ((space >= 0 && space < check_log_space) || - (inodes >= 0 && inodes < check_log_inodes)) + if ( space >= 0 && space < check_log_space + || inodes >= 0 && inodes < check_log_inodes) { - log_write(0, LOG_MAIN, "log directory space check failed: space=%d " - "inodes=%d", space, inodes); + log_write(0, LOG_MAIN, "log directory space check failed: space=" PR_EXIM_ARITH + " inodes=%d", space, inodes); return FALSE; } } @@ -316,11 +344,13 @@ if (spool_name[0] != '\0') /* Now close the file if it is open, either as a fd or a stream. */ -if (data_file != NULL) +if (spool_data_file) + { + (void)fclose(spool_data_file); + spool_data_file = NULL; + } +else if (data_fd >= 0) { - (void)fclose(data_file); - data_file = NULL; -} else if (data_fd >= 0) { (void)close(data_fd); data_fd = -1; } @@ -343,7 +373,7 @@ if (!already_bombing_out) /* Exit from the program (non-BSMTP cases) */ -exim_exit(EXIT_FAILURE, NULL); +exim_exit(EXIT_FAILURE); } @@ -361,37 +391,29 @@ Returns: nothing static void data_timeout_handler(int sig) { -uschar *msg = NULL; - -sig = sig; /* Keep picky compilers happy */ - -if (smtp_input) - { - msg = US"SMTP incoming data timeout"; - log_write(L_lost_incoming_connection, - LOG_MAIN, "SMTP data timeout (message abandoned) on connection " - "from %s F=<%s>", - (sender_fullhost != NULL)? sender_fullhost : US"local process", - sender_address); - } -else - { - fprintf(stderr, "exim: timed out while reading - message abandoned\n"); - log_write(L_lost_incoming_connection, - LOG_MAIN, "timed out while reading local message"); - } - -receive_bomb_out(US"data-timeout", msg); /* Does not return */ +had_data_timeout = sig; } +#ifdef HAVE_LOCAL_SCAN /************************************************* * local_scan() timeout * *************************************************/ /* Handler function for timeouts that occur while running a local_scan() -function. +function. Posix recommends against calling longjmp() from a signal-handler, +but the GCC manual says you can so we will, and trust that it's better than +calling probably non-signal-safe funxtions during logging from within the +handler, even with other compilers. + +See also https://cwe.mitre.org/data/definitions/745.html which also lists +it as unsafe. + +This is all because we have no control over what might be written for a +local-scan function, so cannot sprinkle had-signal checks after each +call-site. At least with the default "do-nothing" function we won't +ever get here. Argument: the signal number Returns: nothing @@ -400,11 +422,8 @@ Returns: nothing static void local_scan_timeout_handler(int sig) { -sig = sig; /* Keep picky compilers happy */ -log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function timed out - " - "message temporarily rejected (size %d)", message_size); -/* Does not return */ -receive_bomb_out(US"local-scan-timeout", US"local verification problem"); +had_local_scan_timeout = sig; +siglongjmp(local_scan_env, 1); } @@ -423,12 +442,12 @@ Returns: nothing static void local_scan_crash_handler(int sig) { -log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function crashed with " - "signal %d - message temporarily rejected (size %d)", sig, message_size); -/* Does not return */ -receive_bomb_out(US"local-scan-error", US"local verification problem"); +had_local_scan_crash = sig; +siglongjmp(local_scan_env, 1); } +#endif /*HAVE_LOCAL_SCAN*/ + /************************************************* * SIGTERM or SIGINT received * @@ -444,26 +463,7 @@ Returns: nothing static void data_sigterm_sigint_handler(int sig) { -uschar *msg = NULL; - -if (smtp_input) - { - msg = US"Service not available - SIGTERM or SIGINT received"; - log_write(0, LOG_MAIN, "%s closed after %s", smtp_get_connection_info(), - (sig == SIGTERM)? "SIGTERM" : "SIGINT"); - } -else - { - if (filter_test == FTEST_NONE) - { - fprintf(stderr, "\nexim: %s received - message abandoned\n", - (sig == SIGTERM)? "SIGTERM" : "SIGINT"); - log_write(0, LOG_MAIN, "%s received while reading local message", - (sig == SIGTERM)? "SIGTERM" : "SIGINT"); - } - } - -receive_bomb_out(US"signal-exit", msg); /* Does not return */ +had_data_sigint = sig; } @@ -489,8 +489,8 @@ if (recipients_count >= recipients_list_max) { recipient_item *oldlist = recipients_list; int oldmax = recipients_list_max; - recipients_list_max = recipients_list_max? 2*recipients_list_max : 50; - recipients_list = store_get(recipients_list_max * sizeof(recipient_item)); + recipients_list_max = recipients_list_max ? 2*recipients_list_max : 50; + recipients_list = store_get(recipients_list_max * sizeof(recipient_item), FALSE); if (oldlist != NULL) memcpy(recipients_list, oldlist, oldmax * sizeof(recipient_item)); } @@ -555,11 +555,9 @@ Returns: TRUE if it did remove something; FALSE otherwise BOOL receive_remove_recipient(uschar *recipient) { -int count; DEBUG(D_receive) debug_printf("receive_remove_recipient(\"%s\") called\n", recipient); -for (count = 0; count < recipients_count; count++) - { +for (int count = 0; count < recipients_count; count++) if (Ustrcmp(recipients_list[count].address, recipient) == 0) { if ((--recipients_count - count) > 0) @@ -567,7 +565,6 @@ for (count = 0; count < recipients_count; count++) (recipients_count - count)*sizeof(recipient_item)); return TRUE; } - } return FALSE; } @@ -575,6 +572,30 @@ return FALSE; +/* Pause for a while waiting for input. If none received in that time, +close the logfile, if we had one open; then if we wait for a long-running +datasource (months, in one use-case) log rotation will not leave us holding +the file copy. */ + +static void +log_close_chk(void) +{ +if (!receive_timeout) + { + struct timeval t; + timesince(&t, &received_time); + if (t.tv_sec > 30*60) + mainlog_close(); + else + { + fd_set r; + FD_ZERO(&r); FD_SET(0, &r); + t.tv_sec = 30*60 - t.tv_sec; t.tv_usec = 0; + if (select(1, &r, NULL, NULL, &t) == 0) mainlog_close(); + } + } +} + /************************************************* * Read data portion of a non-SMTP message * *************************************************/ @@ -621,11 +642,18 @@ register int linelength = 0; /* Handle the case when only EOF terminates the message */ -if (!dot_ends) +if (!f.dot_ends) { - register int last_ch = '\n'; + int last_ch = '\n'; + +/*XXX we do a gettimeofday before checking for every received char, +which is hardly clever. The function-indirection doesn't help, but +an additional function to check for nonempty read buffer would help. +See stdin_getc() / smtp_getc() / tls_getc() / bdat_getc(). */ - for (; (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF; last_ch = ch) + for ( ; + log_close_chk(), (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF; + last_ch = ch) { if (ch == 0) body_zerocount++; if (last_ch == '\r' && ch != '\n') @@ -667,7 +695,7 @@ if (!dot_ends) ch_state = 1; -while ((ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF) +while (log_close_chk(), (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF) { if (ch == 0) body_zerocount++; switch (ch_state) @@ -1025,7 +1053,7 @@ int ch; DEBUG(D_receive) debug_printf("CHUNKING: %s\n", fout ? "writing spoolfile in wire format" : "flushing input"); -spool_file_wireformat = TRUE; +f.spool_file_wireformat = TRUE; for (;;) { @@ -1145,7 +1173,7 @@ if (error_handling == ERRORS_SENDER) else fprintf(stderr, "exim: %s%s\n", text2, text1); /* Sic */ (void)fclose(f); -exim_exit(error_rc, US""); +exim_exit(error_rc); } @@ -1175,7 +1203,6 @@ Returns: nothing static void add_acl_headers(int where, uschar *acl_name) { -header_line *h, *next; header_line *last_received = NULL; switch(where) @@ -1183,7 +1210,7 @@ switch(where) case ACL_WHERE_DKIM: case ACL_WHERE_MIME: case ACL_WHERE_DATA: - if ( cutthrough.fd >= 0 && cutthrough.delivery + if ( cutthrough.cctx.sock >= 0 && cutthrough.delivery && (acl_removed_headers || acl_added_headers)) { log_write(0, LOG_MAIN|LOG_PANIC, "Header modification in data ACLs" @@ -1196,7 +1223,7 @@ if (acl_removed_headers) { DEBUG(D_receive|D_acl) debug_printf_indent(">>Headers removed by %s ACL:\n", acl_name); - for (h = header_list; h; h = h->next) if (h->type != htype_old) + for (header_line * h = header_list; h; h = h->next) if (h->type != htype_old) { const uschar * list = acl_removed_headers; int sep = ':'; /* This is specified as a colon-separated list */ @@ -1217,7 +1244,7 @@ if (acl_removed_headers) if (!acl_added_headers) return; DEBUG(D_receive|D_acl) debug_printf_indent(">>Headers added by %s ACL:\n", acl_name); -for (h = acl_added_headers; h; h = next) +for (header_line * h = acl_added_headers, * next; h; h = next) { next = h->next; @@ -1307,21 +1334,30 @@ if (sender_fullhost) if (LOGGING(dnssec) && sender_host_dnssec) /*XXX sender_helo_dnssec? */ g = string_catn(g, US" DS", 3); g = string_append(g, 2, US" H=", sender_fullhost); - if (LOGGING(incoming_interface) && interface_address != NULL) - { - g = string_cat(g, - string_sprintf(" I=[%s]:%d", interface_address, interface_port)); - } + if (LOGGING(incoming_interface) && interface_address) + g = string_fmt_append(g, " I=[%s]:%d", interface_address, interface_port); } -if (tcp_in_fastopen && !tcp_in_fastopen_logged) +if (f.tcp_in_fastopen && !f.tcp_in_fastopen_logged) { - g = string_catn(g, US" TFO", 4); - tcp_in_fastopen_logged = TRUE; + g = string_catn(g, US" TFO*", f.tcp_in_fastopen_data ? 5 : 4); + f.tcp_in_fastopen_logged = TRUE; } if (sender_ident) g = string_append(g, 2, US" U=", sender_ident); if (received_protocol) g = string_append(g, 2, US" P=", received_protocol); +if (LOGGING(pipelining) && f.smtp_in_pipelining_advertised) + { + g = string_catn(g, US" L", 2); +#ifndef DISABLE_PIPE_CONNECT + if (f.smtp_in_early_pipe_used) + g = string_catn(g, US"*", 1); + else if (f.smtp_in_early_pipe_advertised) + g = string_catn(g, US".", 1); +#endif + if (!f.smtp_in_pipelining_used) + g = string_catn(g, US"-", 1); + } return g; } @@ -1352,7 +1388,6 @@ run_mime_acl(uschar *acl, BOOL *smtp_yield_ptr, uschar **smtp_reply_ptr, FILE *mbox_file; uschar * rfc822_file_path = NULL; unsigned long mbox_size; -header_line *my_headerlist; uschar *user_msg, *log_msg; int mime_part_count_buffer = -1; uschar * mbox_filename; @@ -1360,7 +1395,8 @@ int rc = OK; /* check if it is a MIME message */ -for (my_headerlist = header_list; my_headerlist; my_headerlist = my_headerlist->next) +for (header_line * my_headerlist = header_list; my_headerlist; + my_headerlist = my_headerlist->next) if ( my_headerlist->type != '*' /* skip deleted headers */ && strncmpic(my_headerlist->text, US"Content-Type:", 13) == 0 ) @@ -1418,7 +1454,7 @@ if (rc == OK) struct dirent * entry; DIR * tempdir; - for (tempdir = opendir(CS scandir); entry = readdir(tempdir); ) + for (tempdir = exim_opendir(scandir); entry = readdir(tempdir); ) if (strncmpic(US entry->d_name, US"__rfc822_", 9) == 0) { rfc822_file_path = string_sprintf("%s/%s", scandir, entry->d_name); @@ -1450,10 +1486,12 @@ if (rc == DISCARD) { recipients_count = 0; *blackholed_by_ptr = US"MIME ACL"; + cancel_cutthrough_connection(TRUE, US"mime acl discard"); } else if (rc != OK) { Uunlink(spool_name); + cancel_cutthrough_connection(TRUE, US"mime acl not ok"); unspool_mbox(); #ifdef EXPERIMENTAL_DCC dcc_ok = 0; @@ -1613,7 +1651,6 @@ not. */ BOOL receive_msg(BOOL extract_recip) { -int i; int rc = FAIL; int msg_size = 0; int process_info_len = Ustrlen(process_info); @@ -1621,11 +1658,11 @@ int error_rc = error_handling == ERRORS_SENDER ? errors_sender_rc : EXIT_FAILURE; int header_size = 256; int start, end, domain; -int id_resolution; +int id_resolution = 0; int had_zero = 0; int prevlines_length = 0; -register int ptr = 0; +int ptr = 0; BOOL contains_resent_headers = FALSE; BOOL extracted_ignored = FALSE; @@ -1646,6 +1683,7 @@ uschar *frozen_by = NULL; uschar *queued_by = NULL; uschar *errmsg; +rmark rcvd_log_reset_point; gstring * g; struct stat statbuf; @@ -1656,7 +1694,8 @@ uschar *user_msg, *log_msg; /* Working header pointers */ -header_line *h, *next; +rmark reset_point; +header_line *next; /* Flags for noting the existence of certain headers (only one left) */ @@ -1668,16 +1707,14 @@ header_line *from_header = NULL; header_line *subject_header = NULL; header_line *msgid_header = NULL; header_line *received_header; - -#ifdef EXPERIMENTAL_DMARC -int dmarc_up = 0; -#endif /* EXPERIMENTAL_DMARC */ +BOOL msgid_header_newly_created = FALSE; /* Variables for use when building the Received: header. */ uschar *timestamp; int tslen; + /* Release any open files that might have been cached while preparing to accept the message - e.g. by verifying addresses - because reading a message might take a fair bit of real time. */ @@ -1694,7 +1731,7 @@ if (extract_recip || !smtp_input) header. Temporarily mark it as "old", i.e. not to be used. We keep header_last pointing to the end of the chain to make adding headers simple. */ -received_header = header_list = header_last = store_get(sizeof(header_line)); +received_header = header_list = header_last = store_get(sizeof(header_line), FALSE); header_list->next = NULL; header_list->type = htype_old; header_list->text = NULL; @@ -1702,15 +1739,16 @@ header_list->slen = 0; /* Control block for the next header to be read. */ -next = store_get(sizeof(header_line)); -next->text = store_get(header_size); +reset_point = store_mark(); +next = store_get(sizeof(header_line), FALSE); /* not tainted */ +next->text = store_get(header_size, TRUE); /* tainted */ /* Initialize message id to be null (indicating no message read), and the header names list to be the normal list. Indicate there is no data file open yet, initialize the size and warning count, and deal with no size limit. */ message_id[0] = 0; -data_file = NULL; +spool_data_file = NULL; data_fd = -1; spool_name = US""; message_size = 0; @@ -1724,23 +1762,29 @@ if (thismessage_size_limit <= 0) thismessage_size_limit = INT_MAX; message_linecount = body_linecount = body_zerocount = max_received_linelength = 0; +#ifdef WITH_CONTENT_SCAN +/* reset non-per-part mime variables */ +mime_is_coverletter = 0; +mime_is_rfc822 = 0; +mime_part_count = -1; +#endif + #ifndef DISABLE_DKIM /* Call into DKIM to set up the context. In CHUNKING mode we clear the dot-stuffing flag */ -if (smtp_input && !smtp_batched_input && !dkim_disable_verify) +if (smtp_input && !smtp_batched_input && !f.dkim_disable_verify) dkim_exim_verify_init(chunking_state <= CHUNKING_OFFERED); #endif -#ifdef EXPERIMENTAL_DMARC -/* initialize libopendmarc */ -dmarc_up = dmarc_init(); +#ifdef SUPPORT_DMARC +if (sender_host_address) dmarc_init(); /* initialize libopendmarc */ #endif /* Remember the time of reception. Exim uses time+pid for uniqueness of message ids, and fractions of a second are required. See the comments that precede the message id creation below. */ -(void)gettimeofday(&message_id_tv, NULL); +exim_gettime(&message_id_tv); /* For other uses of the received time we can operate with granularity of one second, and for that we use the global variable received_time. This is for @@ -1751,7 +1795,9 @@ received_time = message_id_tv; /* If SMTP input, set the special handler for timeouts. The alarm() calls happen in the smtp_getc() function when it refills its buffer. */ -if (smtp_input) os_non_restarting_signal(SIGALRM, data_timeout_handler); +had_data_timeout = 0; +if (smtp_input) + os_non_restarting_signal(SIGALRM, data_timeout_handler); /* If not SMTP input, timeout happens only if configured, and we just set a single timeout for the whole message. */ @@ -1759,11 +1805,12 @@ single timeout for the whole message. */ else if (receive_timeout > 0) { os_non_restarting_signal(SIGALRM, data_timeout_handler); - alarm(receive_timeout); + ALARM(receive_timeout); } /* SIGTERM and SIGINT are caught always. */ +had_data_sigint = 0; signal(SIGTERM, data_sigterm_sigint_handler); signal(SIGINT, data_sigterm_sigint_handler); @@ -1813,10 +1860,15 @@ for (;;) if (ptr >= header_size - 4) { int oldsize = header_size; - /* header_size += 256; */ + + if (header_size >= INT_MAX/2) + goto OVERSIZE; header_size *= 2; - if (!store_extend(next->text, oldsize, header_size)) - next->text = store_newblock(next->text, header_size, ptr); + + /* The data came from the message, so is tainted. */ + + if (!store_extend(next->text, TRUE, oldsize, header_size)) + next->text = store_newblock(next->text, TRUE, header_size, ptr); } /* Cope with receiving a binary zero. There is dispute about whether @@ -1856,7 +1908,7 @@ for (;;) prevent further reading), and break out of the loop, having freed the empty header, and set next = NULL to indicate no data line. */ - if (ptr == 0 && ch == '.' && dot_ends) + if (ptr == 0 && ch == '.' && f.dot_ends) { ch = (receive_getc)(GETC_BUFFER_UNLIMITED); if (ch == '\r') @@ -1871,7 +1923,7 @@ for (;;) if (ch == '\n') { message_ended = END_DOT; - store_reset(next); + reset_point = store_reset(reset_point); next = NULL; break; /* End character-reading loop */ } @@ -1920,6 +1972,7 @@ for (;;) if (message_size >= header_maxsize) { +OVERSIZE: next->text[ptr] = 0; next->slen = ptr; next->type = htype_other; @@ -1929,7 +1982,7 @@ for (;;) log_write(0, LOG_MAIN, "ridiculously long message header received from " "%s (more than %d characters): message abandoned", - sender_host_unknown? sender_ident : sender_fullhost, header_maxsize); + f.sender_host_unknown ? sender_ident : sender_fullhost, header_maxsize); if (smtp_input) { @@ -1976,7 +2029,7 @@ for (;;) if (ptr == 1) { - store_reset(next); + reset_point = store_reset(reset_point); next = NULL; break; } @@ -1991,7 +2044,8 @@ for (;;) if (nextch == ' ' || nextch == '\t') { next->text[ptr++] = nextch; - message_size++; + if (++message_size >= header_maxsize) + goto OVERSIZE; continue; /* Iterate the loop */ } else if (nextch != EOF) (receive_ungetc)(nextch); /* For next time */ @@ -2004,7 +2058,7 @@ for (;;) next->text[ptr] = 0; next->slen = ptr; - store_reset(next->text + ptr + 1); + store_release_above(next->text + ptr + 1); /* Check the running total size against the overall message size limit. We don't expect to fail here, but if the overall limit is set less than MESSAGE_ @@ -2053,7 +2107,7 @@ for (;;) && regex_match_and_setup(regex_From, next->text, 0, -1) ) { - if (!sender_address_forced) + if (!f.sender_address_forced) { uschar *uucp_sender = expand_string(uucp_from_sender); if (!uucp_sender) @@ -2075,11 +2129,11 @@ for (;;) { sender_address = newsender; - if (trusted_caller || filter_test != FTEST_NONE) + if (f.trusted_caller || filter_test != FTEST_NONE) { authenticated_sender = NULL; originator_name = US""; - sender_local = FALSE; + f.sender_local = FALSE; } if (filter_test != FTEST_NONE) @@ -2114,7 +2168,8 @@ for (;;) the line, stomp on them here. */ if (had_zero > 0) - for (p = next->text; p < next->text + ptr; p++) if (*p == 0) *p = '?'; + for (uschar * p = next->text; p < next->text + ptr; p++) if (*p == 0) + *p = '?'; /* It is perfectly legal to have an empty continuation line at the end of a header, but it is confusing to humans @@ -2150,7 +2205,7 @@ for (;;) { log_write(0, LOG_MAIN, "overlong message header line received from " "%s (more than %d characters): message abandoned", - sender_host_unknown? sender_ident : sender_fullhost, + f.sender_host_unknown ? sender_ident : sender_fullhost, header_line_maxsize); if (smtp_input) @@ -2199,9 +2254,10 @@ for (;;) /* Set up for the next header */ + reset_point = store_mark(); header_size = 256; - next = store_get(sizeof(header_line)); - next->text = store_get(header_size); + next = store_get(sizeof(header_line), FALSE); + next->text = store_get(header_size, TRUE); ptr = 0; had_zero = 0; prevlines_length = 0; @@ -2216,7 +2272,7 @@ normal case). */ DEBUG(D_receive) { debug_printf(">>Headers received:\n"); - for (h = header_list->next; h; h = h->next) + for (header_line * h = header_list->next; h; h = h->next) debug_printf("%s", h->text); debug_printf("\n"); } @@ -2243,7 +2299,7 @@ if (filter_test != FTEST_NONE && header_list->next == NULL) /* Scan the headers to identify them. Some are merely marked for later processing; some are dealt with here. */ -for (h = header_list->next; h; h = h->next) +for (header_line * h = header_list->next; h; h = h->next) { BOOL is_resent = strncmpic(h->text, US"resent-", 7) == 0; if (is_resent) contains_resent_headers = TRUE; @@ -2377,9 +2433,9 @@ for (h = header_list->next; h; h = h->next) set.) */ case htype_sender: - h->type = !active_local_sender_retain - && ( sender_local && !trusted_caller && !suppress_local_fixups - || submission_mode + h->type = !f.active_local_sender_retain + && ( f.sender_local && !f.trusted_caller && !f.suppress_local_fixups + || f.submission_mode ) && (!resents_exist || is_resent) ? htype_old : htype_sender; @@ -2457,7 +2513,7 @@ if (extract_recip) /* Now scan the headers */ - for (h = header_list->next; h; h = h->next) + for (header_line * h = header_list->next; h; h = h->next) { if ((h->type == htype_to || h->type == htype_cc || h->type == htype_bcc) && (!contains_resent_headers || strncmpic(h->text, US"resent-", 7) == 0)) @@ -2465,30 +2521,28 @@ if (extract_recip) uschar *s = Ustrchr(h->text, ':') + 1; while (isspace(*s)) s++; - parse_allow_group = TRUE; /* Allow address group syntax */ + f.parse_allow_group = TRUE; /* Allow address group syntax */ while (*s != 0) { uschar *ss = parse_find_address_end(s, FALSE); - uschar *recipient, *errmess, *p, *pp; + uschar *recipient, *errmess, *pp; int start, end, domain; /* Check on maximum */ if (recipients_max > 0 && ++rcount > recipients_max) - { give_local_error(ERRMESS_TOOMANYRECIP, US"too many recipients", US"message rejected: ", error_rc, stdin, NULL); /* Does not return */ - } /* Make a copy of the address, and remove any internal newlines. These may be present as a result of continuations of the header line. The white space that follows the newline must not be removed - it is part of the header. */ - pp = recipient = store_get(ss - s + 1); - for (p = s; p < ss; p++) if (*p != '\n') *pp++ = *p; + pp = recipient = store_get(ss - s + 1, is_tainted(s)); + for (uschar * p = s; p < ss; p++) if (*p != '\n') *pp++ = *p; *pp = 0; #ifdef SUPPORT_I18N @@ -2515,10 +2569,10 @@ if (extract_recip) If there are no recipients at all, an error will occur later. */ - if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0) + if (!recipient && Ustrcmp(errmess, "empty address") != 0) { int len = Ustrlen(s); - error_block *b = store_get(sizeof(error_block)); + error_block *b = store_get(sizeof(error_block), FALSE); while (len > 0 && isspace(s[len-1])) len--; b->next = NULL; b->text1 = string_printing(string_copyn(s, len)); @@ -2547,8 +2601,8 @@ if (extract_recip) while (isspace(*s)) s++; } /* Next address */ - parse_allow_group = FALSE; /* Reset group syntax flags */ - parse_found_group = FALSE; + f.parse_allow_group = FALSE; /* Reset group syntax flags */ + f.parse_found_group = FALSE; /* If this was the bcc: header, mark it "old", which means it will be kept on the spool, but not transmitted as part of the @@ -2621,7 +2675,7 @@ the message, if necessary (we hope it won't be). */ if (host_number_string) { - id_resolution = (BASE_62 == 62)? 5000 : 10000; + id_resolution = BASE_62 == 62 ? 5000 : 10000; sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s", string_base62((long int)( host_number * (1000000/id_resolution) + @@ -2633,7 +2687,7 @@ appropriate resolution. */ else { - id_resolution = (BASE_62 == 62)? 500 : 1000; + id_resolution = BASE_62 == 62 ? 500 : 1000; sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s", string_base62((long int)(message_id_tv.tv_usec/id_resolution)) + 4); } @@ -2648,7 +2702,7 @@ it will fit. */ to be the least significant base-62 digit of the time of arrival. Otherwise ensure that it is an empty string. */ -message_subdir[0] = split_spool_directory ? message_id[5] : 0; +set_subdir_str(message_subdir, message_id, 0); /* Now that we have the message-id, if there is no message-id: header, generate one, but only for local (without suppress_local_fixups) or submission mode @@ -2656,11 +2710,11 @@ messages. This can be user-configured if required, but we had better flatten any illegal characters therein. */ if ( !msgid_header - && ((!sender_host_address && !suppress_local_fixups) || submission_mode)) + && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode)) { - uschar *p; uschar *id_text = US""; uschar *id_domain = primary_hostname; + header_line * h; /* Permit only letters, digits, dots, and hyphens in the domain */ @@ -2669,7 +2723,7 @@ if ( !msgid_header uschar *new_id_domain = expand_string(message_id_domain); if (!new_id_domain) { - if (!expand_string_forcedfail) + if (!f.expand_string_forcedfail) log_write(0, LOG_MAIN|LOG_PANIC, "expansion of \"%s\" (message_id_header_domain) " "failed: %s", message_id_domain, expand_string_message); @@ -2677,7 +2731,7 @@ if ( !msgid_header else if (*new_id_domain) { id_domain = new_id_domain; - for (p = id_domain; *p; p++) + for (uschar * p = id_domain; *p; p++) if (!isalnum(*p) && *p != '.') *p = '-'; /* No need to test '-' ! */ } } @@ -2690,7 +2744,7 @@ if ( !msgid_header uschar *new_id_text = expand_string(message_id_text); if (!new_id_text) { - if (!expand_string_forcedfail) + if (!f.expand_string_forcedfail) log_write(0, LOG_MAIN|LOG_PANIC, "expansion of \"%s\" (message_id_header_text) " "failed: %s", message_id_text, expand_string_message); @@ -2698,17 +2752,25 @@ if ( !msgid_header else if (*new_id_text) { id_text = new_id_text; - for (p = id_text; *p; p++) if (mac_iscntrl_or_special(*p)) *p = '-'; + for (uschar * p = id_text; *p; p++) if (mac_iscntrl_or_special(*p)) *p = '-'; } } - /* Add the header line - * Resent-* headers are prepended, per RFC 5322 3.6.6. Non-Resent-* are - * appended, to preserve classical expectations of header ordering. */ + /* Add the header line. + Resent-* headers are prepended, per RFC 5322 3.6.6. Non-Resent-* are + appended, to preserve classical expectations of header ordering. */ - header_add_at_position(!resents_exist, NULL, FALSE, htype_id, + h = header_add_at_position_internal(!resents_exist, NULL, FALSE, htype_id, "%sMessage-Id: <%s%s%s@%s>\n", resent_prefix, message_id_external, - (*id_text == 0)? "" : ".", id_text, id_domain); + *id_text == 0 ? "" : ".", id_text, id_domain); + + /* Arrange for newly-created Message-Id to be logged */ + + if (!resents_exist) + { + msgid_header_newly_created = TRUE; + msgid_header = h; + } } /* If we are to log recipients, keep a copy of the raw ones before any possible @@ -2717,8 +2779,8 @@ function may mess with the real recipients. */ if (LOGGING(received_recipients)) { - raw_recipients = store_get(recipients_count * sizeof(uschar *)); - for (i = 0; i < recipients_count; i++) + raw_recipients = store_get(recipients_count * sizeof(uschar *), FALSE); + for (int i = 0; i < recipients_count; i++) raw_recipients[i] = string_copy(recipients_list[i].address); raw_recipients_count = recipients_count; } @@ -2727,7 +2789,7 @@ if (LOGGING(received_recipients)) recipients will get here only if the conditions were right (allow_unqualified_ recipient is TRUE). */ -for (i = 0; i < recipients_count; i++) +for (int i = 0; i < recipients_count; i++) recipients_list[i].address = rewrite_address(recipients_list[i].address, TRUE, TRUE, global_rewrite_rules, rewrite_existflags); @@ -2742,7 +2804,7 @@ untrusted user to set anything in the envelope (which might then get info From:) but we still want to ensure a valid Sender: if it is required. */ if ( !from_header - && ((!sender_host_address && !suppress_local_fixups) || submission_mode)) + && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode)) { uschar *oname = US""; @@ -2753,8 +2815,8 @@ if ( !from_header if (!sender_host_address) { - if (!trusted_caller || sender_name_forced || - (!smtp_input && !sender_address_forced)) + if (!f.trusted_caller || f.sender_name_forced || + (!smtp_input && !f.sender_address_forced)) oname = originator_name; } @@ -2773,12 +2835,12 @@ if ( !from_header resent_prefix, oname, *oname ? " <" : ""); fromend = *oname ? US">" : US""; - if (sender_local || local_error_message) + if (f.sender_local || f.local_error_message) header_add(htype_from, "%s%s@%s%s\n", fromstart, local_part_quote(originator_login), qualify_domain_sender, fromend); - else if (submission_mode && authenticated_id) + else if (f.submission_mode && authenticated_id) { if (!submission_domain) header_add(htype_from, "%s%s@%s%s\n", fromstart, @@ -2825,9 +2887,9 @@ here. If the From: header contains more than one address, then the call to parse_extract_address fails, and a Sender: header is inserted, as required. */ if ( from_header - && ( active_local_from_check - && ( sender_local && !trusted_caller && !suppress_local_fixups - || submission_mode && authenticated_id + && ( f.active_local_from_check + && ( f.sender_local && !f.trusted_caller && !f.suppress_local_fixups + || f.submission_mode && authenticated_id ) ) ) { BOOL make_sender = TRUE; @@ -2838,7 +2900,7 @@ if ( from_header &start, &end, &domain, FALSE); uschar *generated_sender_address; - generated_sender_address = submission_mode + generated_sender_address = f.submission_mode ? !submission_domain ? string_sprintf("%s@%s", local_part_quote(authenticated_id), qualify_domain_sender) @@ -2858,9 +2920,8 @@ if ( from_header uschar *at = domain ? from_address + domain - 1 : NULL; if (at) *at = 0; - from_address += route_check_prefix(from_address, local_from_prefix); - slen = route_check_suffix(from_address, local_from_suffix); - if (slen > 0) + from_address += route_check_prefix(from_address, local_from_prefix, NULL); + if ((slen = route_check_suffix(from_address, local_from_suffix, NULL)) > 0) { memmove(from_address+slen, from_address, Ustrlen(from_address)-slen); from_address += slen; @@ -2876,19 +2937,19 @@ if ( from_header appropriate rewriting rules. */ if (make_sender) - if (submission_mode && !submission_name) + if (f.submission_mode && !submission_name) header_add(htype_sender, "%sSender: %s\n", resent_prefix, generated_sender_address); else header_add(htype_sender, "%sSender: %s <%s>\n", resent_prefix, - submission_mode? submission_name : originator_name, + f.submission_mode ? submission_name : originator_name, generated_sender_address); /* Ensure that a non-null envelope sender address corresponds to the submission mode sender address. */ - if (submission_mode && *sender_address) + if (f.submission_mode && *sender_address) { if (!sender_address_unrewritten) sender_address_unrewritten = sender_address; @@ -2926,7 +2987,7 @@ We start at the second header, skipping our own Received:. This rewriting is documented as happening *after* recipient addresses are taken from the headers by the -t command line option. An added Sender: gets rewritten here. */ -for (h = header_list->next; h; h = h->next) +for (header_line * h = header_list->next; h; h = h->next) { header_line *newh = rewrite_header(h, NULL, NULL, global_rewrite_rules, rewrite_existflags, TRUE); @@ -2953,7 +3014,7 @@ As per Message-Id, we prepend if resending, else append. */ if ( !date_header_exists - && ((!sender_host_address && !suppress_local_fixups) || submission_mode)) + && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode)) header_add_at_position(!resents_exist, NULL, FALSE, htype_other, "%sDate: %s\n", resent_prefix, tod_stamp(tod_full)); @@ -2965,7 +3026,7 @@ new Received:) has not yet been set. */ DEBUG(D_receive) { debug_printf(">>Headers after rewriting and local additions:\n"); - for (h = header_list->next; h; h = h->next) + for (header_line * h = header_list->next; h; h = h->next) debug_printf("%c %s", h->type, h->text); debug_printf("\n"); } @@ -2993,7 +3054,7 @@ We have to create the Received header now rather than at the end of reception, so the timestamp behaviour is a change to the normal case. Having created it, send the headers to the destination. */ -if (cutthrough.fd >= 0 && cutthrough.delivery) +if (cutthrough.cctx.sock >= 0 && cutthrough.delivery) { if (received_count > received_headers_max) { @@ -3038,7 +3099,7 @@ if ((data_fd = Uopen(spool_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE)) < 0) /* Make sure the file's group is the Exim gid, and double-check the mode because the group setting doesn't always get set automatically. */ -if (fchown(data_fd, exim_uid, exim_gid)) +if (0 != exim_fchown(data_fd, exim_uid, exim_gid, spool_name)) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed setting ownership on spool file %s: %s", spool_name, strerror(errno)); @@ -3049,7 +3110,7 @@ the first line of the file (containing the message ID) because otherwise there are problems when Exim is run under Cygwin (I'm told). See comments in spool_in.c, where the same locking is done. */ -data_file = fdopen(data_fd, "w+"); +spool_data_file = fdopen(data_fd, "w+"); lock_data.l_type = F_WRLCK; lock_data.l_whence = SEEK_SET; lock_data.l_start = 0; @@ -3066,31 +3127,32 @@ data line (which was read as a header but then turned out not to have the right format); write it (remembering that it might contain binary zeros). The result of fwrite() isn't inspected; instead we call ferror() below. */ -fprintf(data_file, "%s-D\n", message_id); +fprintf(spool_data_file, "%s-D\n", message_id); if (next) { uschar *s = next->text; int len = next->slen; - len = fwrite(s, 1, len, data_file); len = len; /* compiler quietening */ - body_linecount++; /* Assumes only 1 line */ + if (fwrite(s, 1, len, spool_data_file) == len) /* "if" for compiler quietening */ + body_linecount++; /* Assumes only 1 line */ } /* Note that we might already be at end of file, or the logical end of file (indicated by '.'), or might have encountered an error while writing the message id or "next" line. */ -if (!ferror(data_file) && !(receive_feof)() && message_ended != END_DOT) +if (!ferror(spool_data_file) && !(receive_feof)() && message_ended != END_DOT) { if (smtp_input) { message_ended = chunking_state <= CHUNKING_OFFERED - ? read_message_data_smtp(data_file) + ? read_message_data_smtp(spool_data_file) : spool_wireformat - ? read_message_bdat_smtp_wire(data_file) - : read_message_bdat_smtp(data_file); + ? read_message_bdat_smtp_wire(spool_data_file) + : read_message_bdat_smtp(spool_data_file); receive_linecount++; /* The terminating "." line */ } - else message_ended = read_message_data(data_file); + else + message_ended = read_message_data(spool_data_file); receive_linecount += body_linecount; /* For BSMTP errors mainly */ message_linecount += body_linecount; @@ -3137,10 +3199,10 @@ if (!ferror(data_file) && !(receive_feof)() && message_ended != END_DOT) } else { - fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); + fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); give_local_error(ERRMESS_TOOBIG, string_sprintf("message too big (max=%d)", thismessage_size_limit), - US"message rejected: ", error_rc, data_file, header_list); + US"message rejected: ", error_rc, spool_data_file, header_list); /* Does not return */ } break; @@ -3170,8 +3232,8 @@ we can then give up. Note that for SMTP input we must swallow the remainder of the input in cases of output errors, since the far end doesn't expect to see anything until the terminating dot line is sent. */ -if (fflush(data_file) == EOF || ferror(data_file) || - EXIMfsync(fileno(data_file)) < 0 || (receive_ferror)()) +if (fflush(spool_data_file) == EOF || ferror(spool_data_file) || + EXIMfsync(fileno(spool_data_file)) < 0 || (receive_ferror)()) { uschar *msg_errno = US strerror(errno); BOOL input_error = (receive_ferror)() != 0; @@ -3199,8 +3261,8 @@ if (fflush(data_file) == EOF || ferror(data_file) || else { - fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); - give_local_error(ERRMESS_IOERR, msg, US"", error_rc, data_file, + fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); + give_local_error(ERRMESS_IOERR, msg, US"", error_rc, spool_data_file, header_list); /* Does not return */ } @@ -3231,17 +3293,16 @@ if (extract_recip && (bad_addresses || recipients_count == 0)) if (recipients_count == 0) debug_printf("*** No recipients\n"); if (bad_addresses) { - error_block *eblock = bad_addresses; debug_printf("*** Bad address(es)\n"); - while (eblock != NULL) - { + for (error_block * eblock = bad_addresses; eblock; eblock = eblock->next) debug_printf(" %s: %s\n", eblock->text1, eblock->text2); - eblock = eblock->next; - } } } - fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); + log_write(0, LOG_MAIN|LOG_PANIC, "%s %s found in headers", + message_id, bad_addresses ? "bad addresses" : "no recipients"); + + fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); /* If configured to send errors to the sender, but this fails, force a failure error code. We use a special one for no recipients so that it @@ -3252,39 +3313,35 @@ if (extract_recip && (bad_addresses || recipients_count == 0)) if (error_handling == ERRORS_SENDER) { if (!moan_to_sender( - (bad_addresses == NULL)? - (extracted_ignored? ERRMESS_IGADDRESS : ERRMESS_NOADDRESS) : - (recipients_list == NULL)? ERRMESS_BADNOADDRESS : ERRMESS_BADADDRESS, - bad_addresses, header_list, data_file, FALSE)) - error_rc = (bad_addresses == NULL)? EXIT_NORECIPIENTS : EXIT_FAILURE; + bad_addresses + ? recipients_list ? ERRMESS_BADADDRESS : ERRMESS_BADNOADDRESS + : extracted_ignored ? ERRMESS_IGADDRESS : ERRMESS_NOADDRESS, + bad_addresses, header_list, spool_data_file, FALSE + ) ) + error_rc = bad_addresses ? EXIT_FAILURE : EXIT_NORECIPIENTS; } else { if (!bad_addresses) - { if (extracted_ignored) fprintf(stderr, "exim: all -t recipients overridden by command line\n"); else fprintf(stderr, "exim: no recipients in message\n"); - } else { fprintf(stderr, "exim: invalid address%s", - (bad_addresses->next == NULL)? ":" : "es:\n"); - while (bad_addresses != NULL) - { + bad_addresses->next ? "es:\n" : ":"); + for ( ; bad_addresses; bad_addresses = bad_addresses->next) fprintf(stderr, " %s: %s\n", bad_addresses->text1, bad_addresses->text2); - bad_addresses = bad_addresses->next; - } } } if (recipients_count == 0 || error_handling == ERRORS_STDERR) { Uunlink(spool_name); - (void)fclose(data_file); - exim_exit(error_rc, US"receiving"); + (void)fclose(spool_data_file); + exim_exit(error_rc); } } @@ -3333,10 +3390,10 @@ $message_body_end can be extracted if needed. Allow $recipients in expansions. deliver_datafile = data_fd; user_msg = NULL; -enable_dollar_recipients = TRUE; +f.enable_dollar_recipients = TRUE; if (recipients_count == 0) - blackholed_by = recipients_discarded ? US"MAIL ACL" : US"RCPT ACL"; + blackholed_by = f.recipients_discarded ? US"MAIL ACL" : US"RCPT ACL"; else { @@ -3346,7 +3403,7 @@ else { #ifndef DISABLE_DKIM - if (!dkim_disable_verify) + if (!f.dkim_disable_verify) { /* Finish verification */ dkim_exim_verify_finish(); @@ -3449,20 +3506,19 @@ else goto TIDYUP; #endif /* WITH_CONTENT_SCAN */ -#ifdef EXPERIMENTAL_DMARC - dmarc_up = dmarc_store_data(from_header); -#endif /* EXPERIMENTAL_DMARC */ +#ifdef SUPPORT_DMARC + dmarc_store_data(from_header); +#endif #ifndef DISABLE_PRDR if (prdr_requested && recipients_count > 1 && acl_smtp_data_prdr) { - unsigned int c; int all_pass = OK; int all_fail = FAIL; smtp_printf("353 PRDR content analysis beginning\r\n", TRUE); /* Loop through recipients, responses must be in same order received */ - for (c = 0; recipients_count > c; c++) + for (unsigned int c = 0; recipients_count > c; c++) { uschar * addr= recipients_list[c].address; uschar * msg= US"PRDR R=<%s> %s"; @@ -3575,7 +3631,7 @@ else if (acl_not_smtp) { uschar *user_msg, *log_msg; - authentication_local = TRUE; + f.authentication_local = TRUE; rc = acl_check(ACL_WHERE_NOTSMTP, NULL, acl_not_smtp, &user_msg, &log_msg); if (rc == DISCARD) { @@ -3602,15 +3658,13 @@ else if (!user_msg) user_msg = US"local configuration problem"; if (smtp_batched_input) - { moan_smtp_batch(NULL, "%d %s", 550, user_msg); /* Does not return */ - } else { - fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); + fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); give_local_error(ERRMESS_LOCAL_ACL, user_msg, - US"message rejected by non-SMTP ACL: ", error_rc, data_file, + US"message rejected by non-SMTP ACL: ", error_rc, spool_data_file, header_list); /* Does not return */ } @@ -3621,8 +3675,8 @@ else /* The applicable ACLs have been run */ - if (deliver_freeze) frozen_by = US"ACL"; /* for later logging */ - if (queue_only_policy) queued_by = US"ACL"; + if (f.deliver_freeze) frozen_by = US"ACL"; /* for later logging */ + if (f.queue_only_policy) queued_by = US"ACL"; } #ifdef WITH_CONTENT_SCAN @@ -3634,47 +3688,70 @@ dcc_ok = 0; #endif +#ifdef HAVE_LOCAL_SCAN /* The final check on the message is to run the scan_local() function. The version supplied with Exim always accepts, but this is a hook for sysadmins to supply their own checking code. The local_scan() function is run even when all the recipients have been discarded. */ -/*XXS could we avoid this for the standard case, given that few people will use it? */ lseek(data_fd, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); /* Arrange to catch crashes in local_scan(), so that the -D file gets deleted, and the incident gets logged. */ -os_non_restarting_signal(SIGSEGV, local_scan_crash_handler); -os_non_restarting_signal(SIGFPE, local_scan_crash_handler); -os_non_restarting_signal(SIGILL, local_scan_crash_handler); -os_non_restarting_signal(SIGBUS, local_scan_crash_handler); - -DEBUG(D_receive) debug_printf("calling local_scan(); timeout=%d\n", - local_scan_timeout); -local_scan_data = NULL; - -os_non_restarting_signal(SIGALRM, local_scan_timeout_handler); -if (local_scan_timeout > 0) alarm(local_scan_timeout); -rc = local_scan(data_fd, &local_scan_data); -alarm(0); -os_non_restarting_signal(SIGALRM, sigalrm_handler); - -enable_dollar_recipients = FALSE; - -store_pool = POOL_MAIN; /* In case changed */ -DEBUG(D_receive) debug_printf("local_scan() returned %d %s\n", rc, - local_scan_data); - -os_non_restarting_signal(SIGSEGV, SIG_DFL); -os_non_restarting_signal(SIGFPE, SIG_DFL); -os_non_restarting_signal(SIGILL, SIG_DFL); -os_non_restarting_signal(SIGBUS, SIG_DFL); +if (sigsetjmp(local_scan_env, 1) == 0) + { + had_local_scan_crash = 0; + os_non_restarting_signal(SIGSEGV, local_scan_crash_handler); + os_non_restarting_signal(SIGFPE, local_scan_crash_handler); + os_non_restarting_signal(SIGILL, local_scan_crash_handler); + os_non_restarting_signal(SIGBUS, local_scan_crash_handler); + + DEBUG(D_receive) debug_printf("calling local_scan(); timeout=%d\n", + local_scan_timeout); + local_scan_data = NULL; + + had_local_scan_timeout = 0; + os_non_restarting_signal(SIGALRM, local_scan_timeout_handler); + if (local_scan_timeout > 0) ALARM(local_scan_timeout); + rc = local_scan(data_fd, &local_scan_data); + ALARM_CLR(0); + os_non_restarting_signal(SIGALRM, sigalrm_handler); + + f.enable_dollar_recipients = FALSE; + + store_pool = POOL_MAIN; /* In case changed */ + DEBUG(D_receive) debug_printf("local_scan() returned %d %s\n", rc, + local_scan_data); + + os_non_restarting_signal(SIGSEGV, SIG_DFL); + os_non_restarting_signal(SIGFPE, SIG_DFL); + os_non_restarting_signal(SIGILL, SIG_DFL); + os_non_restarting_signal(SIGBUS, SIG_DFL); + } +else + { + if (had_local_scan_crash) + { + log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function crashed with " + "signal %d - message temporarily rejected (size %d)", + had_local_scan_crash, message_size); + receive_bomb_out(US"local-scan-error", US"local verification problem"); + /* Does not return */ + } + if (had_local_scan_timeout) + { + log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function timed out - " + "message temporarily rejected (size %d)", message_size); + receive_bomb_out(US"local-scan-timeout", US"local verification problem"); + /* Does not return */ + } + } /* The length check is paranoia against some runaway code, and also because (for a success return) lines in the spool file are read into big_buffer. */ -if (local_scan_data != NULL) +if (local_scan_data) { int len = Ustrlen(local_scan_data); if (len > LOCAL_SCAN_MAX_RETURN) len = LOCAL_SCAN_MAX_RETURN; @@ -3683,9 +3760,9 @@ if (local_scan_data != NULL) if (rc == LOCAL_SCAN_ACCEPT_FREEZE) { - if (!deliver_freeze) /* ACL might have already frozen */ + if (!f.deliver_freeze) /* ACL might have already frozen */ { - deliver_freeze = TRUE; + f.deliver_freeze = TRUE; deliver_frozen_at = time(NULL); frozen_by = US"local_scan()"; } @@ -3693,9 +3770,9 @@ if (rc == LOCAL_SCAN_ACCEPT_FREEZE) } else if (rc == LOCAL_SCAN_ACCEPT_QUEUE) { - if (!queue_only_policy) /* ACL might have already queued */ + if (!f.queue_only_policy) /* ACL might have already queued */ { - queue_only_policy = TRUE; + f.queue_only_policy = TRUE; queued_by = US"local_scan()"; } rc = LOCAL_SCAN_ACCEPT; @@ -3706,19 +3783,16 @@ the spool file gets corrupted. Ensure that all recipients are qualified. */ if (rc == LOCAL_SCAN_ACCEPT) { - if (local_scan_data != NULL) - { - uschar *s; - for (s = local_scan_data; *s != 0; s++) if (*s == '\n') *s = ' '; - } - for (i = 0; i < recipients_count; i++) + if (local_scan_data) + for (uschar * s = local_scan_data; *s != 0; s++) if (*s == '\n') *s = ' '; + for (int i = 0; i < recipients_count; i++) { recipient_item *r = recipients_list + i; r->address = rewrite_address_qualify(r->address, TRUE); - if (r->errors_to != NULL) + if (r->errors_to) r->errors_to = rewrite_address_qualify(r->errors_to, TRUE); } - if (recipients_count == 0 && blackholed_by == NULL) + if (recipients_count == 0 && !blackholed_by) blackholed_by = US"local_scan"; } @@ -3770,7 +3844,6 @@ else string_from_gstring(g), istemp, string_printing(errmsg)); if (smtp_input) - { if (!smtp_batched_input) { smtp_respond(smtp_code, 3, TRUE, errmsg); @@ -3779,16 +3852,13 @@ else goto TIDYUP; /* Skip to end of function */ } else - { moan_smtp_batch(NULL, "%s %s", smtp_code, errmsg); /* Does not return */ - } - } else { - fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); + fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); give_local_error(ERRMESS_LOCAL_SCAN, errmsg, - US"message rejected by local scan code: ", error_rc, data_file, + US"message rejected by local scan code: ", error_rc, spool_data_file, header_list); /* Does not return */ } @@ -3799,11 +3869,12 @@ the message to be abandoned. */ signal(SIGTERM, SIG_IGN); signal(SIGINT, SIG_IGN); +#endif /* HAVE_LOCAL_SCAN */ /* Ensure the first time flag is set in the newly-received message. */ -deliver_firsttime = TRUE; +f.deliver_firsttime = TRUE; #ifdef EXPERIMENTAL_BRIGHTMAIL if (bmi_run == 1) @@ -3827,8 +3898,8 @@ memcpy(received_header->text + received_header->slen - tslen - 1, if (mua_wrapper) { - deliver_freeze = FALSE; - queue_only_policy = FALSE; + f.deliver_freeze = FALSE; + f.queue_only_policy = FALSE; } /* Keep the data file open until we have written the header file, in order to @@ -3836,12 +3907,11 @@ hold onto the lock. In a -bh run, or if the message is to be blackholed, we don't write the header file, and we unlink the data file. If writing the header file fails, we have failed to accept this message. */ -if (host_checking || blackholed_by != NULL) +if (host_checking || blackholed_by) { - header_line *h; Uunlink(spool_name); msg_size = 0; /* Compute size for log line */ - for (h = header_list; h != NULL; h = h->next) + for (header_line * h = header_list; h; h = h->next) if (h->type != '*') msg_size += h->slen; } @@ -3861,8 +3931,8 @@ else } else { - fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); - give_local_error(ERRMESS_IOERR, errmsg, US"", error_rc, data_file, + fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); + give_local_error(ERRMESS_IOERR, errmsg, US"", error_rc, spool_data_file, header_list); /* Does not return */ } @@ -3873,34 +3943,43 @@ else receive_messagecount++; -/* In SMTP sessions we may receive several in one connection. After each one, -we wait for the clock to tick at the level of message-id granularity. This is -so that the combination of time+pid is unique, even on systems where the pid -can be re-used within our time interval. We can't shorten the interval without -re-designing the message-id. See comments above where the message id is -created. This is Something For The Future. */ - -message_id_tv.tv_usec = (message_id_tv.tv_usec/id_resolution) * id_resolution; -exim_wait_tick(&message_id_tv, id_resolution); - /* Add data size to written header size. We do not count the initial file name that is in the file, but we do add one extra for the notional blank line that precedes the data. This total differs from message_size in that it include the added Received: header and any other headers that got created locally. */ -fflush(data_file); +if (fflush(spool_data_file)) + { + errmsg = string_sprintf("Spool write error: %s", strerror(errno)); + log_write(0, LOG_MAIN, "%s\n", errmsg); + Uunlink(spool_name); /* Lose the data file */ + + if (smtp_input) + { + smtp_reply = US"451 Error in writing spool file"; + message_id[0] = 0; /* Indicate no message accepted */ + goto TIDYUP; + } + else + { + fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET); + give_local_error(ERRMESS_IOERR, errmsg, US"", error_rc, spool_data_file, + header_list); + /* Does not return */ + } + } fstat(data_fd, &statbuf); msg_size += statbuf.st_size - SPOOL_DATA_START_OFFSET + 1; /* Generate a "message received" log entry. We do this by building up a dynamic -string as required. Since we commonly want to add two items at a time, use a -macro to simplify the coding. We log the arrival of a new message while the +string as required. We log the arrival of a new message while the file is still locked, just in case the machine is *really* fast, and delivers it first! Include any message id that is in the message - since the syntax of a message id is actually an addr-spec, we can use the parse routine to canonicalize it. */ +rcvd_log_reset_point = store_mark(); g = string_get(256); g = string_append(g, 2, @@ -3911,9 +3990,15 @@ if (message_reference) g = add_host_info_for_log(g); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (LOGGING(tls_cipher) && tls_in.cipher) + { g = string_append(g, 2, US" X=", tls_in.cipher); +# ifndef DISABLE_TLS_RESUME + if (LOGGING(tls_resumption) && tls_in.resumption & RESUME_USED) + g = string_catn(g, US"*", 1); +# endif + } if (LOGGING(tls_certificate_verified) && tls_in.cipher) g = string_append(g, 2, US" CV=", tls_in.certificate_verified ? "yes":"no"); if (LOGGING(tls_peerdn) && tls_in.peerdn) @@ -3946,18 +4031,14 @@ if (proxy_session && LOGGING(proxy)) if (chunking_state > CHUNKING_OFFERED) g = string_catn(g, US" K", 2); -sprintf(CS big_buffer, "%d", msg_size); -g = string_append(g, 2, US" S=", big_buffer); +g = string_fmt_append(g, " S=%d", msg_size); /* log 8BITMIME mode announced in MAIL_FROM 0 ... no BODY= used 7 ... 7BIT 8 ... 8BITMIME */ if (LOGGING(8bitmime)) - { - sprintf(CS big_buffer, "%d", body_8bitmime); - g = string_append(g, 2, US" M8S=", big_buffer); - } + g = string_fmt_append(g, " M8S=%d", body_8bitmime); #ifndef DISABLE_DKIM if (LOGGING(dkim) && dkim_verify_overall) @@ -3979,16 +4060,20 @@ any characters except " \ and CR and so in particular it can contain NL! Therefore, make sure we use a printing-characters only version for the log. Also, allow for domain literals in the message id. */ -if (msgid_header) +if ( LOGGING(msg_id) && msgid_header + && (LOGGING(msg_id_created) || !msgid_header_newly_created) + ) { - uschar *old_id; + uschar * old_id; BOOL save_allow_domain_literals = allow_domain_literals; allow_domain_literals = TRUE; old_id = parse_extract_address(Ustrchr(msgid_header->text, ':') + 1, &errmsg, &start, &end, &domain, FALSE); allow_domain_literals = save_allow_domain_literals; - if (old_id != NULL) - g = string_append(g, 2, US" id=", string_printing(old_id)); + if (old_id) + g = string_append(g, 2, + msgid_header_newly_created ? US" id*=" : US" id=", + string_printing(old_id)); } /* If subject logging is turned on, create suitable printing-character @@ -3996,7 +4081,6 @@ text. By expanding $h_subject: we make use of the MIME decoding. */ if (LOGGING(subject) && subject_header) { - int i; uschar *p = big_buffer; uschar *ss = expand_string(US"$h_subject:"); @@ -4004,7 +4088,7 @@ if (LOGGING(subject) && subject_header) a C-like string, and turn any non-printers into escape sequences. */ *p++ = '\"'; - if (*ss != 0) for (i = 0; i < 100 && ss[i] != 0; i++) + if (*ss != 0) for (int i = 0; i < 100 && ss[i] != 0; i++) { if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\'; *p++ = ss[i]; @@ -4027,38 +4111,37 @@ people. */ if (message_logs && !blackholed_by) { int fd; + uschar * m_name = spool_fname(US"msglog", message_subdir, message_id, US""); - spool_name = spool_fname(US"msglog", message_subdir, message_id, US""); - - if ( (fd = Uopen(spool_name, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE)) < 0 + if ( (fd = Uopen(m_name, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE)) < 0 && errno == ENOENT ) { (void)directory_make(spool_directory, spool_sname(US"msglog", message_subdir), MSGLOG_DIRECTORY_MODE, TRUE); - fd = Uopen(spool_name, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE); + fd = Uopen(m_name, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE); } if (fd < 0) log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't open message log %s: %s", - spool_name, strerror(errno)); + m_name, strerror(errno)); else { FILE *message_log = fdopen(fd, "a"); - if (message_log == NULL) + if (!message_log) { log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't fdopen message log %s: %s", - spool_name, strerror(errno)); + m_name, strerror(errno)); (void)close(fd); } else { uschar *now = tod_stamp(tod_log); fprintf(message_log, "%s Received from %s\n", now, g->s+3); - if (deliver_freeze) fprintf(message_log, "%s frozen by %s\n", now, + if (f.deliver_freeze) fprintf(message_log, "%s frozen by %s\n", now, frozen_by); - if (queue_only_policy) fprintf(message_log, + if (f.queue_only_policy) fprintf(message_log, "%s no immediate delivery: queued%s%s by %s\n", now, *queue_name ? " in " : "", *queue_name ? CS queue_name : "", queued_by); @@ -4071,7 +4154,7 @@ if (message_logs && !blackholed_by) arrival, and outputting an SMTP response. While writing to the log, set a flag to cause a call to receive_bomb_out() if the log cannot be opened. */ -receive_call_bombout = TRUE; +f.receive_call_bombout = TRUE; /* Before sending an SMTP response in a TCP/IP session, we check to see if the connection has gone away. This can only be done if there is no unconsumed input @@ -4091,7 +4174,7 @@ Of course, since TCP/IP is asynchronous, there is always a chance that the connection will vanish between the time of this test and the sending of the response, but the chance of this happening should be small. */ -if (smtp_input && sender_host_address != NULL && !sender_host_notsocket && +if (smtp_input && sender_host_address && !f.sender_host_notsocket && !receive_smtp_buffered()) { struct timeval tv; @@ -4119,7 +4202,7 @@ if (smtp_input && sender_host_address != NULL && !sender_host_notsocket && /* Delete the files for this aborted message. */ - Uunlink(spool_fname(US"input", message_subdir, message_id, US"-D")); + Uunlink(spool_name); Uunlink(spool_fname(US"input", message_subdir, message_id, US"-H")); Uunlink(spool_fname(US"msglog", message_subdir, message_id, US"")); @@ -4144,7 +4227,7 @@ for this message. */ XXX We do not handle queue-only, freezing, or blackholes. */ -if(cutthrough.fd >= 0 && cutthrough.delivery) +if(cutthrough.cctx.sock >= 0 && cutthrough.delivery) { uschar * msg = cutthrough_finaldot(); /* Ask the target system to accept the message */ /* Logging was done in finaldot() */ @@ -4156,7 +4239,7 @@ if(cutthrough.fd >= 0 && cutthrough.delivery) case '4': /* Temp-reject. Keep spoolfiles and accept, unless defer-pass mode. ... for which, pass back the exact error */ - if (cutthrough.defer_pass) smtp_reply = string_copy_malloc(msg); + if (cutthrough.defer_pass) smtp_reply = string_copy_perm(msg, TRUE); cutthrough_done = TMP_REJ; /* Avoid the usual immediate delivery attempt */ break; /* message_id needed for SMTP accept below */ @@ -4166,7 +4249,7 @@ if(cutthrough.fd >= 0 && cutthrough.delivery) break; /* message_id needed for SMTP accept below */ case '5': /* Perm-reject. Do the same to the source. Dump any spoolfiles */ - smtp_reply = string_copy_malloc(msg); /* Pass on the exact error */ + smtp_reply = string_copy_perm(msg, TRUE); /* Pass on the exact error */ cutthrough_done = PERM_REJ; break; } @@ -4179,50 +4262,77 @@ if(!smtp_reply) #endif { log_write(0, LOG_MAIN | - (LOGGING(received_recipients)? LOG_RECIPIENTS : 0) | - (LOGGING(received_sender)? LOG_SENDER : 0), + (LOGGING(received_recipients) ? LOG_RECIPIENTS : 0) | + (LOGGING(received_sender) ? LOG_SENDER : 0), "%s", g->s); /* Log any control actions taken by an ACL or local_scan(). */ - if (deliver_freeze) log_write(0, LOG_MAIN, "frozen by %s", frozen_by); - if (queue_only_policy) log_write(L_delay_delivery, LOG_MAIN, + if (f.deliver_freeze) log_write(0, LOG_MAIN, "frozen by %s", frozen_by); + if (f.queue_only_policy) log_write(L_delay_delivery, LOG_MAIN, "no immediate delivery: queued%s%s by %s", - *queue_name ? " in " : "", *queue_name ? CS queue_name : "", + *queue_name ? " in " : "", *queue_name ? CS queue_name : "", queued_by); } -receive_call_bombout = FALSE; +f.receive_call_bombout = FALSE; -store_reset(g); /* The store for the main log message can be reused */ +/* The store for the main log message can be reused */ +rcvd_log_reset_point = store_reset(rcvd_log_reset_point); /* If the message is frozen, and freeze_tell is set, do the telling. */ -if (deliver_freeze && freeze_tell != NULL && freeze_tell[0] != 0) - { +if (f.deliver_freeze && freeze_tell && freeze_tell[0]) moan_tell_someone(freeze_tell, NULL, US"Message frozen on arrival", "Message %s was frozen on arrival by %s.\nThe sender is <%s>.\n", message_id, frozen_by, sender_address); - } /* Either a message has been successfully received and written to the two spool files, or an error in writing the spool has occurred for an SMTP message, or -an SMTP message has been rejected for policy reasons. (For a non-SMTP message -we will have already given up because there's no point in carrying on!) In -either event, we must now close (and thereby unlock) the data file. In the -successful case, this leaves the message on the spool, ready for delivery. In -the error case, the spool file will be deleted. Then tidy up store, interact -with an SMTP call if necessary, and return. +an SMTP message has been rejected for policy reasons, or a message was passed on +by cutthrough delivery. (For a non-SMTP message we will have already given up +because there's no point in carrying on!) For non-cutthrough we must now close +(and thereby unlock) the data file. In the successful case, this leaves the +message on the spool, ready for delivery. In the error case, the spool file will +be deleted. Then tidy up store, interact with an SMTP call if necessary, and +return. + +For cutthrough we hold the data file locked until we have deleted it, otherwise +a queue-runner could grab it in the window. A fflush() was done earlier in the expectation that any write errors on the data file will be flushed(!) out thereby. Nevertheless, it is theoretically possible for fclose() to fail - but what to do? What has happened to the lock -if this happens? */ +if this happens? We can at least log it; if it is observed on some platform +then we can think about properly declaring the message not-received. */ TIDYUP: -process_info[process_info_len] = 0; /* Remove message id */ -if (data_file != NULL) (void)fclose(data_file); /* Frees the lock */ +/* In SMTP sessions we may receive several messages in one connection. After +each one, we wait for the clock to tick at the level of message-id granularity. +This is so that the combination of time+pid is unique, even on systems where the +pid can be re-used within our time interval. We can't shorten the interval +without re-designing the message-id. See comments above where the message id is +created. This is Something For The Future. +Do this wait any time we have created a message-id, even if we rejected the +message. This gives unique IDs for logging done by ACLs. */ + +if (id_resolution != 0) + { + message_id_tv.tv_usec = (message_id_tv.tv_usec/id_resolution) * id_resolution; + exim_wait_tick(&message_id_tv, id_resolution); + id_resolution = 0; + } + + +process_info[process_info_len] = 0; /* Remove message id */ +if (spool_data_file && cutthrough_done == NOT_TRIED) + { + if (fclose(spool_data_file)) /* Frees the lock */ + log_write(0, LOG_MAIN|LOG_PANIC, + "spoolfile error on close: %s", strerror(errno)); + spool_data_file = NULL; + } /* Now reset signal handlers to their defaults */ @@ -4280,8 +4390,8 @@ if (smtp_input) /* smtp_reply is set non-empty */ else if (smtp_reply[0] != 0) - if (fake_response != OK && (smtp_reply[0] == '2')) - smtp_respond((fake_response == DEFER)? US"450" : US"550", 3, TRUE, + if (fake_response != OK && smtp_reply[0] == '2') + smtp_respond(fake_response == DEFER ? US"450" : US"550", 3, TRUE, fake_response_text); else smtp_printf("%.1024s\r\n", FALSE, smtp_reply); @@ -4292,7 +4402,7 @@ if (smtp_input) log_write(0, LOG_MAIN, "Completed");/* Delivery was done */ case PERM_REJ: /* Delete spool files */ - Uunlink(spool_fname(US"input", message_subdir, message_id, US"-D")); + Uunlink(spool_name); Uunlink(spool_fname(US"input", message_subdir, message_id, US"-H")); Uunlink(spool_fname(US"msglog", message_subdir, message_id, US"")); break; @@ -4300,7 +4410,7 @@ if (smtp_input) case TMP_REJ: if (cutthrough.defer_pass) { - Uunlink(spool_fname(US"input", message_subdir, message_id, US"-D")); + Uunlink(spool_name); Uunlink(spool_fname(US"input", message_subdir, message_id, US"-H")); Uunlink(spool_fname(US"msglog", message_subdir, message_id, US"")); } @@ -4309,6 +4419,11 @@ if (smtp_input) } if (cutthrough_done != NOT_TRIED) { + if (spool_data_file) + { + (void) fclose(spool_data_file); /* Frees the lock; do not care if error */ + spool_data_file = NULL; + } message_id[0] = 0; /* Prevent a delivery from starting */ cutthrough.delivery = cutthrough.callout_hold_only = FALSE; cutthrough.defer_pass = FALSE; @@ -4331,9 +4446,11 @@ starting. */ if (blackholed_by) { - const uschar *detail = local_scan_data - ? string_printing(local_scan_data) - : string_sprintf("(%s discarded recipients)", blackholed_by); + const uschar *detail = +#ifdef HAVE_LOCAL_SCAN + local_scan_data ? string_printing(local_scan_data) : +#endif + string_sprintf("(%s discarded recipients)", blackholed_by); log_write(0, LOG_MAIN, "=> blackhole %s%s", detail, blackhole_log_msg); log_write(0, LOG_MAIN, "Completed"); message_id[0] = 0;