1 /* $Cambridge: exim/src/src/log.c,v 1.15 2010/06/06 00:27:52 pdp Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2009 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Functions for writing log files. The code for maintaining datestamped
11 log files was originally contributed by Tony Sheen. */
16 #define LOG_NAME_SIZE 256
17 #define MAX_SYSLOG_LEN 870
19 #define LOG_MODE_FILE 1
20 #define LOG_MODE_SYSLOG 2
22 enum { lt_main, lt_reject, lt_panic, lt_debug };
24 static uschar *log_names[] = { US"main", US"reject", US"panic", US"debug" };
28 /*************************************************
29 * Local static variables *
30 *************************************************/
32 static uschar mainlog_name[LOG_NAME_SIZE];
33 static uschar rejectlog_name[LOG_NAME_SIZE];
34 static uschar debuglog_name[LOG_NAME_SIZE];
36 static uschar *mainlog_datestamp = NULL;
37 static uschar *rejectlog_datestamp = NULL;
39 static int mainlogfd = -1;
40 static int rejectlogfd = -1;
41 static ino_t mainlog_inode = 0;
42 static ino_t rejectlog_inode = 0;
44 static uschar *panic_save_buffer = NULL;
45 static BOOL panic_recurseflag = FALSE;
47 static BOOL syslog_open = FALSE;
48 static BOOL path_inspected = FALSE;
49 static int logging_mode = LOG_MODE_FILE;
50 static uschar *file_path = US"";
55 /*************************************************
57 *************************************************/
59 /* The given string is split into sections according to length, or at embedded
60 newlines, and syslogged as a numbered sequence if it is overlong or if there is
61 more than one line. However, if we are running in the test harness, do not do
62 anything. (The test harness doesn't use syslog - for obvious reasons - but we
63 can get here if there is a failure to open the panic log.)
66 priority syslog priority
67 s the string to be written
73 write_syslog(int priority, uschar *s)
78 if (running_in_test_harness) return;
80 if (!syslog_timestamp) s += log_timezone? 26 : 20;
88 openlog(CS syslog_processname, LOG_PID|LOG_CONS, syslog_facility);
90 openlog(CS syslog_processname, LOG_CONS, syslog_facility);
96 /* First do a scan through the message in order to determine how many lines
97 it is going to end up as. Then rescan to output it. */
99 for (pass = 0; pass < 2; pass++)
104 for (i = 1, tlen = len; tlen > 0; i++)
107 uschar *nlptr = Ustrchr(ss, '\n');
108 if (nlptr != NULL) plen = nlptr - ss;
109 #ifndef SYSLOG_LONG_LINES
110 if (plen > MAX_SYSLOG_LEN) plen = MAX_SYSLOG_LEN;
113 if (ss[plen] == '\n') tlen--; /* chars left */
115 if (pass == 0) linecount++; else
118 syslog(priority, "%.*s", plen, ss);
120 syslog(priority, "[%d%c%d] %.*s", i,
121 (ss[plen] == '\n' && tlen != 0)? '\\' : '/',
122 linecount, plen, ss);
125 if (*ss == '\n') ss++;
132 /*************************************************
134 *************************************************/
136 /* This is called when Exim is dying as a result of something going wrong in
137 the logging, or after a log call with LOG_PANIC_DIE set. Optionally write a
138 message to debug_file or a stderr file, if they exist. Then, if in the middle
139 of accepting a message, throw it away tidily by calling receive_bomb_out();
140 this will attempt to send an SMTP response if appropriate. Passing NULL as the
141 first argument stops it trying to run the NOTQUIT ACL (which might try further
142 logging and thus cause problems). Otherwise, try to close down an outstanding
146 s1 Error message to write to debug_file and/or stderr and syslog
147 s2 Error message for any SMTP call that is in progress
148 Returns: The function does not return
152 die(uschar *s1, uschar *s2)
156 write_syslog(LOG_CRIT, s1);
157 if (debug_file != NULL) debug_printf("%s\n", s1);
158 if (log_stderr != NULL && log_stderr != debug_file)
159 fprintf(log_stderr, "%s\n", s1);
161 if (receive_call_bombout) receive_bomb_out(NULL, s2); /* does not return */
162 if (smtp_input) smtp_closedown(s2);
163 exim_exit(EXIT_FAILURE);
168 /*************************************************
169 * Create a log file *
170 *************************************************/
172 /* This function is called to create and open a log file. It may be called in a
173 subprocess when the original process is root.
178 The file name has been build in a working buffer, so it is permissible to
179 overwrite it temporarily if it is necessary to create the directory.
181 Returns: a file descriptor, or < 0 on failure (errno set)
185 log_create(uschar *name)
187 int fd = Uopen(name, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
189 /* If creation failed, attempt to build a log directory in case that is the
192 if (fd < 0 && errno == ENOENT)
195 uschar *lastslash = Ustrrchr(name, '/');
197 created = directory_make(NULL, name, LOG_DIRECTORY_MODE, FALSE);
198 DEBUG(D_any) debug_printf("%s log directory %s\n",
199 created? "created" : "failed to create", name);
201 if (created) fd = Uopen(name, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
209 /*************************************************
210 * Create a log file as the exim user *
211 *************************************************/
213 /* This function is called when we are root to spawn an exim:exim subprocess
214 in which we can create a log file. It must be signal-safe since it is called
215 by the usr1_handler().
220 Returns: a file descriptor, or < 0 on failure (errno set)
224 log_create_as_exim(uschar *name)
230 /* In the subprocess, change uid/gid and do the creation. Return 0 from the
231 subprocess on success. If we don't check for setuid failures, then the file
232 can be created as root, so vulnerabilities which cause setuid to fail mean
233 that the Exim user can use symlinks to cause a file to be opened/created as
234 root. We always open for append, so can't nuke existing content but it would
235 still be Rather Bad. */
239 if (setgid(exim_gid) < 0)
240 die(US"exim: setgid for log-file creation failed, aborting",
241 US"Unexpected log failure, please try later");
242 if (setuid(exim_uid) < 0)
243 die(US"exim: setuid for log-file creation failed, aborting",
244 US"Unexpected log failure, please try later");
245 _exit((log_create(name) < 0)? 1 : 0);
248 /* If we created a subprocess, wait for it. If it succeeded, try the open. */
250 while (pid > 0 && waitpid(pid, &status, 0) != pid);
251 if (status == 0) fd = Uopen(name, O_APPEND|O_WRONLY, LOG_MODE);
253 /* If we failed to create a subprocess, we are in a bad way. We return
254 with fd still < 0, and errno set, letting the caller handle the error. */
262 /*************************************************
264 *************************************************/
266 /* This function opens one of a number of logs, creating the log directory if
267 it does not exist. This may be called recursively on failure, in order to open
270 The directory is in the static variable file_path. This is static so that it
271 the work of sorting out the path is done just once per Exim process.
273 Exim is normally configured to avoid running as root wherever possible, the log
274 files must be owned by the non-privileged exim user. To ensure this, first try
275 an open without O_CREAT - most of the time this will succeed. If it fails, try
276 to create the file; if running as root, this must be done in a subprocess to
280 fd where to return the resulting file descriptor
281 type lt_main, lt_reject, lt_panic, or lt_debug
282 tag optional tag to include in the name (only hooked up for debug)
288 open_log(int *fd, int type, uschar *tag)
292 uschar buffer[LOG_NAME_SIZE];
294 /* The names of the log files are controlled by file_path. The panic log is
295 written to the same directory as the main and reject logs, but its name does
296 not have a datestamp. The use of datestamps is indicated by %D/%M in file_path.
297 When opening the panic log, if %D or %M is present, we remove the datestamp
298 from the generated name; if it is at the start, remove a following
299 non-alphanumeric character as well; otherwise, remove a preceding
300 non-alphanumeric character. This is definitely kludgy, but it sort of does what
301 people want, I hope. */
303 ok = string_format(buffer, sizeof(buffer), CS file_path, log_names[type]);
305 /* Save the name of the mainlog for rollover processing. Without a datestamp,
306 it gets statted to see if it has been cycled. With a datestamp, the datestamp
307 will be compared. The static slot for saving it is the same size as buffer,
308 and the text has been checked above to fit, so this use of strcpy() is OK. */
312 Ustrcpy(mainlog_name, buffer);
313 mainlog_datestamp = mainlog_name + string_datestamp_offset;
316 /* Ditto for the reject log */
318 else if (type == lt_reject)
320 Ustrcpy(rejectlog_name, buffer);
321 rejectlog_datestamp = rejectlog_name + string_datestamp_offset;
324 /* and deal with the debug log (which keeps the datestamp, but does not
327 else if (type == lt_debug)
329 Ustrcpy(debuglog_name, buffer);
332 /* this won't change the offset of the datestamp */
333 ok2 = string_format(buffer, sizeof(buffer), "%s%s",
336 Ustrcpy(debuglog_name, buffer);
340 /* Remove any datestamp if this is the panic log. This is rare, so there's no
341 need to optimize getting the datestamp length. We remove one non-alphanumeric
342 char afterwards if at the start, otherwise one before. */
344 else if (string_datestamp_offset >= 0)
346 uschar *from = buffer + string_datestamp_offset;
347 uschar *to = from + string_datestamp_length;
348 if (from == buffer || from[-1] == '/')
350 if (!isalnum(*to)) to++;
354 if (!isalnum(from[-1])) from--;
357 /* This strcpy is ok, because we know that to is a substring of from. */
362 /* If the file name is too long, it is an unrecoverable disaster */
366 die(US"exim: log file path too long: aborting",
367 US"Logging failure; please try later");
370 /* We now have the file name. Try to open an existing file. After a successful
371 open, arrange for automatic closure on exec(), and then return. */
373 *fd = Uopen(buffer, O_APPEND|O_WRONLY, LOG_MODE);
377 (void)fcntl(*fd, F_SETFD, fcntl(*fd, F_GETFD) | FD_CLOEXEC);
381 /* Open was not successful: try creating the file. If this is a root process,
382 we must do the creating in a subprocess set to exim:exim in order to ensure
383 that the file is created with the right ownership. Otherwise, there can be a
384 race if another Exim process is trying to write to the log at the same time.
385 The use of SIGUSR1 by the exiwhat utility can provoke a lot of simultaneous
390 /* If we are already running as the Exim user (even if that user is root),
391 we can go ahead and create in the current process. */
393 if (euid == exim_uid) *fd = log_create(buffer);
395 /* Otherwise, if we are root, do the creation in an exim:exim subprocess. If we
396 are neither exim nor root, creation is not attempted. */
398 else if (euid == root_uid) *fd = log_create_as_exim(buffer);
400 /* If we now have an open file, set the close-on-exec flag and return. */
404 (void)fcntl(*fd, F_SETFD, fcntl(*fd, F_GETFD) | FD_CLOEXEC);
408 /* Creation failed. There are some circumstances in which we get here when
409 the effective uid is not root or exim, which is the problem. (For example, a
410 non-setuid binary with log_arguments set, called in certain ways.) Rather than
411 just bombing out, force the log to stderr and carry on if stderr is available.
414 if (euid != root_uid && euid != exim_uid && log_stderr != NULL)
416 *fd = fileno(log_stderr);
420 /* Otherwise this is a disaster. This call is deliberately ONLY to the panic
421 log. If possible, save a copy of the original line that was being logged. If we
422 are recursing (can't open the panic log either), the pointer will already be
425 if (panic_save_buffer == NULL)
427 panic_save_buffer = (uschar *)malloc(LOG_BUFFER_SIZE);
428 if (panic_save_buffer != NULL)
429 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
432 log_write(0, LOG_PANIC_DIE, "Cannot open %s log file \"%s\": %s: "
433 "euid=%d egid=%d", log_names[type], buffer, strerror(errno), euid, getegid());
439 /*************************************************
440 * Add configuration file info to log line *
441 *************************************************/
443 /* This is put in a function because it's needed twice (once for debugging,
447 ptr pointer to the end of the line we are building
450 Returns: updated pointer
454 log_config_info(uschar *ptr, int flags)
456 Ustrcpy(ptr, "Exim configuration error");
459 if ((flags & (LOG_CONFIG_FOR & ~LOG_CONFIG)) != 0)
461 Ustrcpy(ptr, " for ");
465 if ((flags & (LOG_CONFIG_IN & ~LOG_CONFIG)) != 0)
467 sprintf(CS ptr, " in line %d of %s", config_lineno, config_filename);
471 Ustrcpy(ptr, ":\n ");
476 /*************************************************
477 * A write() operation failed *
478 *************************************************/
480 /* This function is called when write() fails on anything other than the panic
481 log, which can happen if a disk gets full or a file gets too large or whatever.
482 We try to save the relevant message in the panic_save buffer before crashing
486 name the name of the log being written
487 length the string length being written
488 rc the return value from write()
490 Returns: does not return
494 log_write_failed(uschar *name, int length, int rc)
496 int save_errno = errno;
498 if (panic_save_buffer == NULL)
500 panic_save_buffer = (uschar *)malloc(LOG_BUFFER_SIZE);
501 if (panic_save_buffer != NULL)
502 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
505 log_write(0, LOG_PANIC_DIE, "failed to write to %s: length=%d result=%d "
506 "errno=%d (%s)", name, length, rc, save_errno,
507 (save_errno == 0)? "write incomplete" : strerror(save_errno));
513 /*************************************************
514 * Write message to log file *
515 *************************************************/
517 /* Exim can be configured to log to local files, or use syslog, or both. This
518 is controlled by the setting of log_file_path. The following cases are
521 log_file_path = "" write files in the spool/log directory
522 log_file_path = "xxx" write files in the xxx directory
523 log_file_path = "syslog" write to syslog
524 log_file_path = "syslog : xxx" write to syslog and to files (any order)
526 The message always gets '\n' added on the end of it, since more than one
527 process may be writing to the log at once and we don't want intermingling to
528 happen in the middle of lines. To be absolutely sure of this we write the data
529 into a private buffer and then put it out in a single write() call.
531 The flags determine which log(s) the message is written to, or for syslogging,
532 which priority to use, and in the case of the panic log, whether the process
533 should die afterwards.
535 The variable really_exim is TRUE only when exim is running in privileged state
536 (i.e. not with a changed configuration or with testing options such as -brw).
537 If it is not, don't try to write to the log because permission will probably be
540 Avoid actually writing to the logs when exim is called with -bv or -bt to
541 test an address, but take other actions, such as panicing.
543 In Exim proper, the buffer for building the message is got at start-up, so that
544 nothing gets done if it can't be got. However, some functions that are also
545 used in utilities occasionally obey log_write calls in error situations, and it
546 is simplest to put a single malloc() here rather than put one in each utility.
547 Malloc is used directly because the store functions may call log_write().
549 If a message_id exists, we include it after the timestamp.
552 selector write to main log or LOG_INFO only if this value is zero, or if
553 its bit is set in log_write_selector
554 flags each bit indicates some independent action:
555 LOG_SENDER add raw sender to the message
556 LOG_RECIPIENTS add raw recipients list to message
557 LOG_CONFIG add "Exim configuration error"
558 LOG_CONFIG_FOR add " for " instead of ":\n "
559 LOG_CONFIG_IN add " in line x[ of file y]"
560 LOG_MAIN write to main log or syslog LOG_INFO
561 LOG_REJECT write to reject log or syslog LOG_NOTICE
562 LOG_PANIC write to panic log or syslog LOG_ALERT
563 LOG_PANIC_DIE write to panic log or LOG_ALERT and then crash
564 format a printf() format
565 ... arguments for format
571 log_write(unsigned int selector, int flags, const char *format, ...)
578 /* If panic_recurseflag is set, we have failed to open the panic log. This is
579 the ultimate disaster. First try to write the message to a debug file and/or
580 stderr and also to syslog. If panic_save_buffer is not NULL, it contains the
581 original log line that caused the problem. Afterwards, expire. */
583 if (panic_recurseflag)
585 uschar *extra = (panic_save_buffer == NULL)? US"" : panic_save_buffer;
586 if (debug_file != NULL) debug_printf("%s%s", extra, log_buffer);
587 if (log_stderr != NULL && log_stderr != debug_file)
588 fprintf(log_stderr, "%s%s", extra, log_buffer);
589 if (*extra != 0) write_syslog(LOG_CRIT, extra);
590 write_syslog(LOG_CRIT, log_buffer);
591 die(US"exim: could not open panic log - aborting: see message(s) above",
592 US"Unexpected log failure, please try later");
595 /* Ensure we have a buffer (see comment above); this should never be obeyed
596 when running Exim proper, only when running utilities. */
598 if (log_buffer == NULL)
600 log_buffer = (uschar *)malloc(LOG_BUFFER_SIZE);
601 if (log_buffer == NULL)
603 fprintf(stderr, "exim: failed to get store for log buffer\n");
604 exim_exit(EXIT_FAILURE);
608 /* If we haven't already done so, inspect the setting of log_file_path to
609 determine whether to log to files and/or to syslog. Bits in logging_mode
610 control this, and for file logging, the path must end up in file_path. This
611 variable must be in permanent store because it may be required again later in
616 BOOL multiple = FALSE;
617 int old_pool = store_pool;
619 store_pool = POOL_PERM;
621 /* If nothing has been set, don't waste effort... the default values for the
622 statics are file_path="" and logging_mode = LOG_MODE_FILE. */
624 if (log_file_path[0] != 0)
626 int sep = ':'; /* Fixed separator - outside use */
628 uschar *ss = log_file_path;
630 while ((s = string_nextinlist(&ss,&sep,log_buffer,LOG_BUFFER_SIZE)) != NULL)
632 if (Ustrcmp(s, "syslog") == 0)
633 logging_mode |= LOG_MODE_SYSLOG;
634 else if ((logging_mode & LOG_MODE_FILE) != 0) multiple = TRUE;
637 logging_mode |= LOG_MODE_FILE;
639 /* If a non-empty path is given, use it */
643 file_path = string_copy(s);
646 /* If the path is empty, we want to use the first non-empty, non-
647 syslog item in LOG_FILE_PATH, if there is one, since the value of
648 log_file_path may have been set at runtime. If there is no such item,
649 use the ultimate default in the spool directory. */
654 uschar *tt = US LOG_FILE_PATH;
655 while ((t = string_nextinlist(&tt,&sep,log_buffer,LOG_BUFFER_SIZE))
658 if (Ustrcmp(t, "syslog") == 0 || t[0] == 0) continue;
659 file_path = string_copy(t);
662 } /* Empty item in log_file_path */
663 } /* First non-syslog item in log_file_path */
664 } /* Scan of log_file_path */
667 /* If no modes have been selected, it is a major disaster */
669 if (logging_mode == 0)
670 die(US"Neither syslog nor file logging set in log_file_path",
671 US"Unexpected logging failure");
673 /* Set up the ultimate default if necessary. Then revert to the old store
674 pool, and record that we've sorted out the path. */
676 if ((logging_mode & LOG_MODE_FILE) != 0 && file_path[0] == 0)
677 file_path = string_sprintf("%s/log/%%slog", spool_directory);
678 store_pool = old_pool;
679 path_inspected = TRUE;
681 /* If more than one file path was given, log a complaint. This recursive call
682 should work since we have now set up the routing. */
686 log_write(0, LOG_MAIN|LOG_PANIC,
687 "More than one path given in log_file_path: using %s", file_path);
691 /* If debugging, show all log entries, but don't show headers. Do it all
692 in one go so that it doesn't get split when multi-processing. */
699 Ustrcpy(ptr, "LOG:");
702 /* Show the options that were passed into the call. These are those whose
703 flag values do not have the 0x80000000 bit in them. Note that this
704 automatically exclude the "all" setting. */
706 for (i = 0; i < log_options_count; i++)
708 unsigned int bit = log_options[i].bit;
709 if ((bit & 0x80000000) != 0) continue;
710 if ((selector & bit) != 0)
713 Ustrcpy(ptr, log_options[i].name);
718 sprintf(CS ptr, "%s%s%s%s%s\n ",
719 ((flags & LOG_MAIN) != 0)? " MAIN" : "",
720 ((flags & LOG_PANIC) != 0)? " PANIC" : "",
721 ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE)? " DIE" : "",
722 ((flags & LOG_REJECT) != 0)? " REJECT" : "");
725 if ((flags & LOG_CONFIG) != 0) ptr = log_config_info(ptr, flags);
727 va_start(ap, format);
728 if (!string_vformat(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer)-1, format, ap))
729 Ustrcpy(ptr, "**** log string overflowed log buffer ****");
734 debug_printf("%s", log_buffer);
737 /* If no log file is specified, we are in a mess. */
739 if ((flags & (LOG_MAIN|LOG_PANIC|LOG_REJECT)) == 0)
740 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_write called with no log "
743 /* There are some weird circumstances in which logging is disabled. */
747 DEBUG(D_any) debug_printf("log writing disabled\n");
751 /* Handle disabled reject log */
753 if (!write_rejectlog) flags &= ~LOG_REJECT;
755 /* Create the main message in the log buffer. Do not include the message id
756 when called by a utility. */
759 sprintf(CS ptr, "%s ", tod_stamp(tod_log));
762 if ((log_extra_selector & LX_pid) != 0)
764 sprintf(CS ptr, "[%d] ", (int)getpid());
768 if (really_exim && message_id[0] != 0)
770 sprintf(CS ptr, "%s ", message_id);
774 if ((flags & LOG_CONFIG) != 0) ptr = log_config_info(ptr, flags);
776 va_start(ap, format);
777 if (!string_vformat(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer)-1, format, ap))
778 Ustrcpy(ptr, "**** log string overflowed log buffer ****\n");
782 /* Add the raw, unrewritten, sender to the message if required. This is done
783 this way because it kind of fits with LOG_RECIPIENTS. */
785 if ((flags & LOG_SENDER) != 0 &&
786 ptr < log_buffer + LOG_BUFFER_SIZE - 10 - Ustrlen(raw_sender))
788 sprintf(CS ptr, " from <%s>", raw_sender);
792 /* Add list of recipients to the message if required; the raw list,
793 before rewriting, was saved in raw_recipients. There may be none, if an ACL
794 discarded them all. */
796 if ((flags & LOG_RECIPIENTS) != 0 && ptr < log_buffer + LOG_BUFFER_SIZE - 6 &&
797 raw_recipients_count > 0)
800 sprintf(CS ptr, " for");
802 for (i = 0; i < raw_recipients_count; i++)
804 uschar *s = raw_recipients[i];
805 if (log_buffer + LOG_BUFFER_SIZE - ptr < Ustrlen(s) + 3) break;
806 sprintf(CS ptr, " %s", s);
811 sprintf(CS ptr, "\n");
813 length = ptr - log_buffer;
815 /* Handle loggable errors when running a utility, or when address testing.
816 Write to log_stderr unless debugging (when it will already have been written),
817 or unless there is no log_stderr (expn called from daemon, for example). */
819 if (!really_exim || log_testing_mode)
821 if (debug_selector == 0 && log_stderr != NULL &&
822 (selector == 0 || (selector & log_write_selector) != 0))
825 fprintf(log_stderr, "LOG: %s", CS(log_buffer + 20)); /* no timestamp */
827 fprintf(log_stderr, "%s", CS log_buffer);
829 if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE);
833 /* Handle the main log. We know that either syslog or file logging (or both) is
834 set up. A real file gets left open during reception or delivery once it has
835 been opened, but we don't want to keep on writing to it for too long after it
836 has been renamed. Therefore, do a stat() and see if the inode has changed, and
839 if ((flags & LOG_MAIN) != 0 &&
840 (selector == 0 || (selector & log_write_selector) != 0))
842 if ((logging_mode & LOG_MODE_SYSLOG) != 0 &&
843 (syslog_duplication || (flags & (LOG_REJECT|LOG_PANIC)) == 0))
844 write_syslog(LOG_INFO, log_buffer);
846 if ((logging_mode & LOG_MODE_FILE) != 0)
850 /* Check for a change to the mainlog file name when datestamping is in
851 operation. This happens at midnight, at which point we want to roll over
852 the file. Closing it has the desired effect. */
854 if (mainlog_datestamp != NULL)
856 uschar *nowstamp = tod_stamp(string_datestamp_type);
857 if (Ustrncmp (mainlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
859 (void)close(mainlogfd); /* Close the file */
860 mainlogfd = -1; /* Clear the file descriptor */
861 mainlog_inode = 0; /* Unset the inode */
862 mainlog_datestamp = NULL; /* Clear the datestamp */
866 /* Otherwise, we want to check whether the file has been renamed by a
867 cycling script. This could be "if else", but for safety's sake, leave it as
868 "if" so that renaming the log starts a new file even when datestamping is
873 if (Ustat(mainlog_name, &statbuf) < 0 || statbuf.st_ino != mainlog_inode)
875 (void)close(mainlogfd);
881 /* If the log is closed, open it. Then write the line. */
885 open_log(&mainlogfd, lt_main, NULL); /* No return on error */
886 if (fstat(mainlogfd, &statbuf) >= 0) mainlog_inode = statbuf.st_ino;
889 /* Failing to write to the log is disastrous */
891 if ((rc = write(mainlogfd, log_buffer, length)) != length)
893 log_write_failed(US"main log", length, rc);
894 /* That function does not return */
899 /* Handle the log for rejected messages. This can be globally disabled, in
900 which case the flags are altered above. If there are any header lines (i.e. if
901 the rejection is happening after the DATA phase), log the recipients and the
904 if ((flags & LOG_REJECT) != 0)
908 if (header_list != NULL && (log_extra_selector & LX_rejected_header) != 0)
910 if (recipients_count > 0)
914 /* List the sender */
916 string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
917 "Envelope-from: <%s>\n", sender_address);
920 /* List up to 5 recipients */
922 string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
923 "Envelope-to: <%s>\n", recipients_list[0].address);
926 for (i = 1; i < recipients_count && i < 5; i++)
928 string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer), " <%s>\n",
929 recipients_list[i].address);
933 if (i < recipients_count)
935 (void)string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
941 /* A header with a NULL text is an unfilled in Received: header */
943 for (h = header_list; h != NULL; h = h->next)
946 if (h->text == NULL) continue;
947 fitted = string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
948 "%c %s", h->type, h->text);
950 if (!fitted) /* Buffer is full; truncate */
952 ptr -= 100; /* For message and separator */
953 if (ptr[-1] == '\n') ptr--;
954 Ustrcpy(ptr, "\n*** truncated ***\n");
960 length = ptr - log_buffer;
963 /* Write to syslog or to a log file */
965 if ((logging_mode & LOG_MODE_SYSLOG) != 0 &&
966 (syslog_duplication || (flags & LOG_PANIC) == 0))
967 write_syslog(LOG_NOTICE, log_buffer);
969 /* Check for a change to the rejectlog file name when datestamping is in
970 operation. This happens at midnight, at which point we want to roll over
971 the file. Closing it has the desired effect. */
973 if ((logging_mode & LOG_MODE_FILE) != 0)
977 if (rejectlog_datestamp != NULL)
979 uschar *nowstamp = tod_stamp(string_datestamp_type);
980 if (Ustrncmp (rejectlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
982 (void)close(rejectlogfd); /* Close the file */
983 rejectlogfd = -1; /* Clear the file descriptor */
984 rejectlog_inode = 0; /* Unset the inode */
985 rejectlog_datestamp = NULL; /* Clear the datestamp */
989 /* Otherwise, we want to check whether the file has been renamed by a
990 cycling script. This could be "if else", but for safety's sake, leave it as
991 "if" so that renaming the log starts a new file even when datestamping is
994 if (rejectlogfd >= 0)
996 if (Ustat(rejectlog_name, &statbuf) < 0 ||
997 statbuf.st_ino != rejectlog_inode)
999 (void)close(rejectlogfd);
1001 rejectlog_inode = 0;
1005 /* Open the file if necessary, and write the data */
1007 if (rejectlogfd < 0)
1009 open_log(&rejectlogfd, lt_reject, NULL); /* No return on error */
1010 if (fstat(rejectlogfd, &statbuf) >= 0) rejectlog_inode = statbuf.st_ino;
1013 if ((rc = write(rejectlogfd, log_buffer, length)) != length)
1015 log_write_failed(US"reject log", length, rc);
1016 /* That function does not return */
1022 /* Handle the panic log, which is not kept open like the others. If it fails to
1023 open, there will be a recursive call to log_write(). We detect this above and
1024 attempt to write to the system log as a last-ditch try at telling somebody. In
1025 all cases except mua_wrapper, try to write to log_stderr. */
1027 if ((flags & LOG_PANIC) != 0)
1029 if (log_stderr != NULL && log_stderr != debug_file && !mua_wrapper)
1030 fprintf(log_stderr, "%s", CS log_buffer);
1032 if ((logging_mode & LOG_MODE_SYSLOG) != 0)
1034 write_syslog(LOG_ALERT, log_buffer);
1037 /* If this panic logging was caused by a failure to open the main log,
1038 the original log line is in panic_save_buffer. Make an attempt to write it. */
1040 if ((logging_mode & LOG_MODE_FILE) != 0)
1042 panic_recurseflag = TRUE;
1043 open_log(&paniclogfd, lt_panic, NULL); /* Won't return on failure */
1044 panic_recurseflag = FALSE;
1046 if (panic_save_buffer != NULL)
1047 (void) write(paniclogfd, panic_save_buffer, Ustrlen(panic_save_buffer));
1049 if ((rc = write(paniclogfd, log_buffer, length)) != length)
1051 int save_errno = errno;
1052 write_syslog(LOG_CRIT, log_buffer);
1053 sprintf(CS log_buffer, "write failed on panic log: length=%d result=%d "
1054 "errno=%d (%s)", length, rc, save_errno, strerror(save_errno));
1055 write_syslog(LOG_CRIT, log_buffer);
1056 flags |= LOG_PANIC_DIE;
1059 (void)close(paniclogfd);
1062 /* Give up if the DIE flag is set */
1064 if ((flags & LOG_PANIC_DIE) != LOG_PANIC)
1065 die(NULL, US"Unexpected failure, please try later");
1071 /*************************************************
1072 * Close any open log files *
1073 *************************************************/
1079 { (void)close(mainlogfd); mainlogfd = -1; }
1080 if (rejectlogfd >= 0)
1081 { (void)close(rejectlogfd); rejectlogfd = -1; }
1083 syslog_open = FALSE;
1088 /*************************************************
1089 * Decode bit settings for log/debug *
1090 *************************************************/
1092 /* This function decodes a string containing bit settings in the form of +name
1093 and/or -name sequences, and sets/unsets bits in a bit string accordingly. It
1094 also recognizes a numeric setting of the form =<number>, but this is not
1095 intended for user use. It's an easy way for Exim to pass the debug settings
1096 when it is re-exec'ed.
1098 The log options are held in two unsigned ints (because there became too many
1099 for one). The top bit in the table means "put in 2nd selector". This does not
1100 yet apply to debug options, so the "=" facility sets only the first selector.
1102 The "all" selector, which must be equal to 0xffffffff, is recognized specially.
1103 It sets all the bits in both selectors. However, there is a facility for then
1104 unsetting certain bits, because we want to turn off "memory" in the debug case.
1106 The action taken for bad values varies depending upon why we're here.
1107 For log messages, or if the debugging is triggered from config, then we write
1108 to the log on the way out. For debug setting triggered from the command-line,
1109 we treat it as an unknown option: error message to stderr and die.
1112 selector1 address of the first bit string
1113 selector2 address of the second bit string, or NULL
1114 notall1 bits to exclude from "all" for selector1
1115 notall2 bits to exclude from "all" for selector2
1116 string the configured string
1117 options the table of option names
1119 which "log" or "debug"
1120 flags DEBUG_FROM_CONFIG
1122 Returns: nothing on success - bomb out on failure
1126 decode_bits(unsigned int *selector1, unsigned int *selector2, int notall1,
1127 int notall2, uschar *string, bit_table *options, int count, uschar *which,
1131 if (string == NULL) return;
1135 char *end; /* Not uschar */
1136 *selector1 = strtoul(CS string+1, &end, 0);
1137 if (*end == 0) return;
1138 errmsg = string_sprintf("malformed numeric %s_selector setting: %s", which,
1143 /* Handle symbolic setting */
1150 bit_table *start, *end;
1152 while (isspace(*string)) string++;
1153 if (*string == 0) return;
1155 if (*string != '+' && *string != '-')
1157 errmsg = string_sprintf("malformed %s_selector setting: "
1158 "+ or - expected but found \"%s\"", which, string);
1162 adding = *string++ == '+';
1164 while (isalnum(*string) || *string == '_') string++;
1168 end = options + count;
1172 bit_table *middle = start + (end - start)/2;
1173 int c = Ustrncmp(s, middle->name, len);
1176 if (middle->name[len] != 0) c = -1; else
1178 unsigned int bit = middle->bit;
1179 unsigned int *selector;
1181 /* The value with all bits set means "force all bits in both selectors"
1182 in the case where two are being handled. However, the top bit in the
1183 second selector is never set. When setting, some bits can be excluded.
1186 if (bit == 0xffffffff)
1190 *selector1 = 0xffffffff ^ notall1;
1191 if (selector2 != NULL) *selector2 = 0x7fffffff ^ notall2;
1196 if (selector2 != NULL) *selector2 = 0;
1200 /* Otherwise, the 0x80000000 bit means "this value, without the top
1201 bit, belongs in the second selector". */
1205 if ((bit & 0x80000000) != 0)
1207 selector = selector2;
1210 else selector = selector1;
1211 if (adding) *selector |= bit; else *selector &= ~bit;
1213 break; /* Out of loop to match selector name */
1216 if (c < 0) end = middle; else start = middle + 1;
1217 } /* Loop to match selector name */
1221 errmsg = string_sprintf("unknown %s_selector setting: %c%.*s", which,
1222 adding? '+' : '-', len, s);
1225 } /* Loop for selector names */
1227 /* Handle disasters */
1230 if (Ustrcmp(which, "debug") == 0)
1232 if (flags & DEBUG_FROM_CONFIG)
1234 log_write(0, LOG_CONFIG|LOG_PANIC, "%s", errmsg);
1237 fprintf(stderr, "exim: %s\n", errmsg);
1240 else log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "%s", errmsg);
1245 /*************************************************
1246 * Activate a debug logfile (late) *
1247 *************************************************/
1249 /* Normally, debugging is activated from the command-line; it may be useful
1250 within the configuration to activate debugging later, based on certain
1251 conditions. If debugging is already in progress, we return early, no action
1252 taken (besides debug-logging that we wanted debug-logging).
1254 Failures in options are not fatal but will result in paniclog entries for the
1257 The first use of this is in ACL logic, "control = debug/tag=foo/opts=+expand"
1258 which can be combined with conditions, etc, to activate extra logging only
1259 for certain sources. */
1262 debug_logging_activate(uschar *tag_name, uschar *opts)
1268 debug_printf("DEBUGGING ACTIVATED FROM WITHIN CONFIG.\n"
1269 "DEBUG: Tag=\"%s\" Opts=\"%s\"\n", tag_name, opts);
1273 if (tag_name != NULL && (Ustrchr(tag_name, '/') != NULL))
1275 log_write(0, LOG_MAIN|LOG_PANIC, "debug tag may not contain a '/' in: %s",
1280 debug_selector = D_default;
1283 decode_bits(&debug_selector, NULL, D_memory, 0, opts,
1284 debug_options, debug_options_count, US"debug", DEBUG_FROM_CONFIG);
1287 open_log(&fd, lt_debug, tag_name);
1290 debug_file = fdopen(fd, "w");
1292 log_write(0, LOG_MAIN|LOG_PANIC, "unable to open debug log");