1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2016 */
6 /* See the file NOTICE for conditions of use and distribution. */
10 #include "appendfile.h"
12 #ifdef SUPPORT_MAILDIR
13 #include "tf_maildir.h"
17 /* Encodings for mailbox formats, and their names. MBX format is actually
18 supported only if SUPPORT_MBX is set. */
20 enum { mbf_unix, mbf_mbx, mbf_smail, mbf_maildir, mbf_mailstore };
22 static const char *mailbox_formats[] = {
23 "unix", "mbx", "smail", "maildir", "mailstore" };
26 /* Check warn threshold only if quota size set or not a percentage threshold
27 percentage check should only be done if quota > 0 */
29 #define THRESHOLD_CHECK (ob->quota_warn_threshold_value > 0 && \
30 (!ob->quota_warn_threshold_is_percent || ob->quota_value > 0))
33 /* Options specific to the appendfile transport. They must be in alphabetic
34 order (note that "_" comes before the lower case letters). Some of them are
35 stored in the publicly visible instance block - these are flagged with the
38 optionlist appendfile_transport_options[] = {
39 #ifdef SUPPORT_MAILDIR
40 { "*expand_maildir_use_size_file", opt_stringptr,
41 (void *)offsetof(appendfile_transport_options_block, expand_maildir_use_size_file) },
43 { "*set_use_fcntl_lock",opt_bool | opt_hidden,
44 (void *)offsetof(appendfile_transport_options_block, set_use_fcntl) },
45 { "*set_use_flock_lock",opt_bool | opt_hidden,
46 (void *)offsetof(appendfile_transport_options_block, set_use_flock) },
47 { "*set_use_lockfile", opt_bool | opt_hidden,
48 (void *)offsetof(appendfile_transport_options_block, set_use_lockfile) },
50 { "*set_use_mbx_lock", opt_bool | opt_hidden,
51 (void *)offsetof(appendfile_transport_options_block, set_use_mbx_lock) },
53 { "allow_fifo", opt_bool,
54 (void *)offsetof(appendfile_transport_options_block, allow_fifo) },
55 { "allow_symlink", opt_bool,
56 (void *)offsetof(appendfile_transport_options_block, allow_symlink) },
57 { "batch_id", opt_stringptr | opt_public,
58 (void *)offsetof(transport_instance, batch_id) },
59 { "batch_max", opt_int | opt_public,
60 (void *)offsetof(transport_instance, batch_max) },
61 { "check_group", opt_bool,
62 (void *)offsetof(appendfile_transport_options_block, check_group) },
63 { "check_owner", opt_bool,
64 (void *)offsetof(appendfile_transport_options_block, check_owner) },
65 { "check_string", opt_stringptr,
66 (void *)offsetof(appendfile_transport_options_block, check_string) },
67 { "create_directory", opt_bool,
68 (void *)offsetof(appendfile_transport_options_block, create_directory) },
69 { "create_file", opt_stringptr,
70 (void *)offsetof(appendfile_transport_options_block, create_file_string) },
71 { "directory", opt_stringptr,
72 (void *)offsetof(appendfile_transport_options_block, dirname) },
73 { "directory_file", opt_stringptr,
74 (void *)offsetof(appendfile_transport_options_block, dirfilename) },
75 { "directory_mode", opt_octint,
76 (void *)offsetof(appendfile_transport_options_block, dirmode) },
77 { "escape_string", opt_stringptr,
78 (void *)offsetof(appendfile_transport_options_block, escape_string) },
79 { "file", opt_stringptr,
80 (void *)offsetof(appendfile_transport_options_block, filename) },
81 { "file_format", opt_stringptr,
82 (void *)offsetof(appendfile_transport_options_block, file_format) },
83 { "file_must_exist", opt_bool,
84 (void *)offsetof(appendfile_transport_options_block, file_must_exist) },
85 { "lock_fcntl_timeout", opt_time,
86 (void *)offsetof(appendfile_transport_options_block, lock_fcntl_timeout) },
87 { "lock_flock_timeout", opt_time,
88 (void *)offsetof(appendfile_transport_options_block, lock_flock_timeout) },
89 { "lock_interval", opt_time,
90 (void *)offsetof(appendfile_transport_options_block, lock_interval) },
91 { "lock_retries", opt_int,
92 (void *)offsetof(appendfile_transport_options_block, lock_retries) },
93 { "lockfile_mode", opt_octint,
94 (void *)offsetof(appendfile_transport_options_block, lockfile_mode) },
95 { "lockfile_timeout", opt_time,
96 (void *)offsetof(appendfile_transport_options_block, lockfile_timeout) },
97 { "mailbox_filecount", opt_stringptr,
98 (void *)offsetof(appendfile_transport_options_block, mailbox_filecount_string) },
99 { "mailbox_size", opt_stringptr,
100 (void *)offsetof(appendfile_transport_options_block, mailbox_size_string) },
101 #ifdef SUPPORT_MAILDIR
102 { "maildir_format", opt_bool,
103 (void *)offsetof(appendfile_transport_options_block, maildir_format ) } ,
104 { "maildir_quota_directory_regex", opt_stringptr,
105 (void *)offsetof(appendfile_transport_options_block, maildir_dir_regex) },
106 { "maildir_retries", opt_int,
107 (void *)offsetof(appendfile_transport_options_block, maildir_retries) },
108 { "maildir_tag", opt_stringptr,
109 (void *)offsetof(appendfile_transport_options_block, maildir_tag) },
110 { "maildir_use_size_file", opt_expand_bool,
111 (void *)offsetof(appendfile_transport_options_block, maildir_use_size_file ) } ,
112 { "maildirfolder_create_regex", opt_stringptr,
113 (void *)offsetof(appendfile_transport_options_block, maildirfolder_create_regex ) },
114 #endif /* SUPPORT_MAILDIR */
115 #ifdef SUPPORT_MAILSTORE
116 { "mailstore_format", opt_bool,
117 (void *)offsetof(appendfile_transport_options_block, mailstore_format ) },
118 { "mailstore_prefix", opt_stringptr,
119 (void *)offsetof(appendfile_transport_options_block, mailstore_prefix ) },
120 { "mailstore_suffix", opt_stringptr,
121 (void *)offsetof(appendfile_transport_options_block, mailstore_suffix ) },
122 #endif /* SUPPORT_MAILSTORE */
124 { "mbx_format", opt_bool,
125 (void *)offsetof(appendfile_transport_options_block, mbx_format ) } ,
126 #endif /* SUPPORT_MBX */
127 { "message_prefix", opt_stringptr,
128 (void *)offsetof(appendfile_transport_options_block, message_prefix) },
129 { "message_suffix", opt_stringptr,
130 (void *)offsetof(appendfile_transport_options_block, message_suffix) },
131 { "mode", opt_octint,
132 (void *)offsetof(appendfile_transport_options_block, mode) },
133 { "mode_fail_narrower",opt_bool,
134 (void *)offsetof(appendfile_transport_options_block, mode_fail_narrower) },
135 { "notify_comsat", opt_bool,
136 (void *)offsetof(appendfile_transport_options_block, notify_comsat) },
137 { "quota", opt_stringptr,
138 (void *)offsetof(appendfile_transport_options_block, quota) },
139 { "quota_directory", opt_stringptr,
140 (void *)offsetof(appendfile_transport_options_block, quota_directory) },
141 { "quota_filecount", opt_stringptr,
142 (void *)offsetof(appendfile_transport_options_block, quota_filecount) },
143 { "quota_is_inclusive", opt_bool,
144 (void *)offsetof(appendfile_transport_options_block, quota_is_inclusive) },
145 { "quota_size_regex", opt_stringptr,
146 (void *)offsetof(appendfile_transport_options_block, quota_size_regex) },
147 { "quota_warn_message", opt_stringptr | opt_public,
148 (void *)offsetof(transport_instance, warn_message) },
149 { "quota_warn_threshold", opt_stringptr,
150 (void *)offsetof(appendfile_transport_options_block, quota_warn_threshold) },
151 { "use_bsmtp", opt_bool,
152 (void *)offsetof(appendfile_transport_options_block, use_bsmtp) },
153 { "use_crlf", opt_bool,
154 (void *)offsetof(appendfile_transport_options_block, use_crlf) },
155 { "use_fcntl_lock", opt_bool_set,
156 (void *)offsetof(appendfile_transport_options_block, use_fcntl) },
157 { "use_flock_lock", opt_bool_set,
158 (void *)offsetof(appendfile_transport_options_block, use_flock) },
159 { "use_lockfile", opt_bool_set,
160 (void *)offsetof(appendfile_transport_options_block, use_lockfile) },
162 { "use_mbx_lock", opt_bool_set,
163 (void *)offsetof(appendfile_transport_options_block, use_mbx_lock) },
164 #endif /* SUPPORT_MBX */
167 /* Size of the options list. An extern variable has to be used so that its
168 address can appear in the tables drtables.c. */
170 int appendfile_transport_options_count =
171 sizeof(appendfile_transport_options)/sizeof(optionlist);
173 /* Default private options block for the appendfile transport. */
175 appendfile_transport_options_block appendfile_transport_option_defaults = {
178 US"q${base62:$tod_epoch}-$inode", /* dirfilename */
179 NULL, /* message_prefix (default reset in init if not bsmtp) */
180 NULL, /* message_suffix (ditto) */
181 US"anywhere", /* create_file_string (string value for create_file) */
183 NULL, /* quota_directory */
184 NULL, /* quota_filecount */
185 NULL, /* quota_size_regex */
186 NULL, /* quota_warn_threshold */
187 NULL, /* mailbox_size_string */
188 NULL, /* mailbox_filecount_string */
189 NULL, /* expand_maildir_use_size_file */
190 US"^(?:cur|new|\\..*)$", /* maildir_dir_regex */
191 NULL, /* maildir_tag */
192 NULL, /* maildirfolder_create_regex */
193 NULL, /* mailstore_prefix */
194 NULL, /* mailstore_suffix */
195 NULL, /* check_string (default changed for non-bsmtp file)*/
196 NULL, /* escape_string (ditto) */
197 NULL, /* file_format */
199 0, /* quota_warn_threshold_value */
200 -1, /* mailbox_size_value */
201 -1, /* mailbox_filecount_value */
202 0, /* quota_filecount_value */
203 APPENDFILE_MODE, /* mode */
204 APPENDFILE_DIRECTORY_MODE, /* dirmode */
205 APPENDFILE_LOCKFILE_MODE, /* lockfile_mode */
206 30*60, /* lockfile_timeout */
207 0, /* lock_fcntl_timeout */
208 0, /* lock_flock_timeout */
209 10, /* lock_retries */
210 3, /* lock_interval */
211 10, /* maildir_retries */
212 create_anywhere,/* create_file */
214 FALSE, /* allow_fifo */
215 FALSE, /* allow_symlink */
216 FALSE, /* check_group */
217 TRUE, /* check_owner */
218 TRUE, /* create_directory */
219 FALSE, /* notify_comsat */
220 TRUE, /* use_lockfile */
221 FALSE, /* set_use_lockfile */
222 TRUE, /* use_fcntl */
223 FALSE, /* set_use_fcntl */
224 FALSE, /* use_flock */
225 FALSE, /* set_use_flock */
226 FALSE, /* use_mbx_lock */
227 FALSE, /* set_use_mbx_lock */
228 FALSE, /* use_bsmtp */
229 FALSE, /* use_crlf */
230 FALSE, /* file_must_exist */
231 TRUE, /* mode_fail_narrower */
232 FALSE, /* maildir_format */
233 FALSE, /* maildir_use_size_file */
234 FALSE, /* mailstore_format */
235 FALSE, /* mbx_format */
236 FALSE, /* quota_warn_threshold_is_percent */
237 TRUE, /* quota_is_inclusive */
238 FALSE, /* quota_no_check */
239 FALSE /* quota_filecount_no_check */
244 /*************************************************
245 * Setup entry point *
246 *************************************************/
248 /* Called for each delivery in the privileged state, just before the uid/gid
249 are changed and the main entry point is called. We use this function to
250 expand any quota settings, so that it can access files that may not be readable
251 by the user. It is also used to pick up external mailbox size information, if
255 tblock points to the transport instance
256 addrlist addresses about to be delivered (not used)
257 dummy not used (doesn't pass back data)
258 uid the uid that will be set (not used)
259 gid the gid that will be set (not used)
260 errmsg where to put an error message
262 Returns: OK, FAIL, or DEFER
266 appendfile_transport_setup(transport_instance *tblock, address_item *addrlist,
267 transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg)
269 appendfile_transport_options_block *ob =
270 (appendfile_transport_options_block *)(tblock->options_block);
271 uschar *q = ob->quota;
272 double default_value = 0.0;
275 addrlist = addrlist; /* Keep picky compilers happy */
280 if (ob->expand_maildir_use_size_file)
281 ob->maildir_use_size_file = expand_check_condition(ob->expand_maildir_use_size_file,
282 US"`maildir_use_size_file` in transport", tblock->name);
284 /* Loop for quota, quota_filecount, quota_warn_threshold, mailbox_size,
287 for (i = 0; i < 5; i++)
291 uschar *which = NULL;
293 if (q == NULL) d = default_value;
297 uschar *s = expand_string(q);
301 *errmsg = string_sprintf("Expansion of \"%s\" in %s transport failed: "
302 "%s", q, tblock->name, expand_string_message);
303 return search_find_defer? DEFER : FAIL;
306 d = Ustrtod(s, &rest);
308 /* Handle following characters K, M, G, %, the latter being permitted
309 for quota_warn_threshold only. A threshold with no quota setting is
312 if (tolower(*rest) == 'k') { d *= 1024.0; rest++; }
313 else if (tolower(*rest) == 'm') { d *= 1024.0*1024.0; rest++; }
314 else if (tolower(*rest) == 'g') { d *= 1024.0*1024.0*1024.0; rest++; }
315 else if (*rest == '%' && i == 2)
317 if (ob->quota_value <= 0 && !ob->maildir_use_size_file) d = 0;
318 else if ((int)d < 0 || (int)d > 100)
320 *errmsg = string_sprintf("Invalid quota_warn_threshold percentage (%d)"
321 " for %s transport", (int)d, tblock->name);
324 ob->quota_warn_threshold_is_percent = TRUE;
329 /* For quota and quota_filecount there may be options
330 appended. Currently only "no_check", so we can be lazy parsing it */
331 if (i < 2 && Ustrstr(rest, "/no_check") == rest)
334 rest += sizeof("/no_check") - 1;
337 while (isspace(*rest)) rest++;
341 *errmsg = string_sprintf("Malformed value \"%s\" (expansion of \"%s\") "
342 "in %s transport", s, q, tblock->name);
347 /* Set each value, checking for possible overflow. */
352 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4) which = US"quota";
353 ob->quota_value = (off_t)d;
354 ob->quota_no_check = no_check;
355 q = ob->quota_filecount;
359 if (d >= 2.0*1024.0*1024.0*1024.0) which = US"quota_filecount";
360 ob->quota_filecount_value = (int)d;
361 ob->quota_filecount_no_check = no_check;
362 q = ob->quota_warn_threshold;
366 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
367 which = US"quota_warn_threshold";
368 ob->quota_warn_threshold_value = (off_t)d;
369 q = ob->mailbox_size_string;
370 default_value = -1.0;
374 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
375 which = US"mailbox_size";;
376 ob->mailbox_size_value = (off_t)d;
377 q = ob->mailbox_filecount_string;
381 if (d >= 2.0*1024.0*1024.0*1024.0) which = US"mailbox_filecount";
382 ob->mailbox_filecount_value = (int)d;
388 *errmsg = string_sprintf("%s value %.10g is too large (overflow) in "
389 "%s transport", which, d, tblock->name);
399 /*************************************************
400 * Initialization entry point *
401 *************************************************/
403 /* Called for each instance, after its options have been read, to
404 enable consistency checks to be done, or anything else that needs
408 appendfile_transport_init(transport_instance *tblock)
410 appendfile_transport_options_block *ob =
411 (appendfile_transport_options_block *)(tblock->options_block);
413 /* Set up the setup entry point, to be called in the privileged state */
415 tblock->setup = appendfile_transport_setup;
417 /* Lock_retries must be greater than zero */
419 if (ob->lock_retries == 0) ob->lock_retries = 1;
421 /* Only one of a file name or directory name must be given. */
423 if (ob->filename != NULL && ob->dirname != NULL)
424 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
425 "only one of \"file\" or \"directory\" can be specified", tblock->name);
427 /* If a file name was specified, neither quota_filecount nor quota_directory
430 if (ob->filename != NULL)
432 if (ob->quota_filecount != NULL)
433 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
434 "quota_filecount must not be set without \"directory\"", tblock->name);
435 if (ob->quota_directory != NULL)
436 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
437 "quota_directory must not be set without \"directory\"", tblock->name);
440 /* The default locking depends on whether MBX is set or not. Change the
441 built-in default if none of the lock options has been explicitly set. At least
442 one form of locking is required in all cases, but mbx locking changes the
443 meaning of fcntl and flock locking. */
445 /* Not all operating systems provide flock(). For those that do, if flock is
446 requested, the default for fcntl is FALSE. */
451 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
452 "flock() support was not available in the operating system when this "
453 "binary was built", tblock->name);
454 #endif /* NO_FLOCK */
455 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
461 if (!ob->set_use_lockfile && !ob->set_use_fcntl && !ob->set_use_flock &&
462 !ob->set_use_mbx_lock)
464 ob->use_lockfile = ob->use_flock = FALSE;
465 ob->use_mbx_lock = ob->use_fcntl = TRUE;
467 else if (ob->use_mbx_lock)
469 if (!ob->set_use_lockfile) ob->use_lockfile = FALSE;
470 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
471 if (!ob->set_use_flock) ob->use_flock = FALSE;
472 if (!ob->use_fcntl && !ob->use_flock) ob->use_fcntl = TRUE;
475 #endif /* SUPPORT_MBX */
477 if (!ob->use_fcntl && !ob->use_flock && !ob->use_lockfile && !ob->use_mbx_lock)
478 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
479 "no locking configured", tblock->name);
481 /* Unset timeouts for non-used locking types */
483 if (!ob->use_fcntl) ob->lock_fcntl_timeout = 0;
484 if (!ob->use_flock) ob->lock_flock_timeout = 0;
486 /* If a directory name was specified, only one of maildir or mailstore may be
487 specified, and if quota_filecount or quota_directory is given, quota must
490 if (ob->dirname != NULL)
492 if (ob->maildir_format && ob->mailstore_format)
493 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
494 "only one of maildir and mailstore may be specified", tblock->name);
495 if (ob->quota_filecount != NULL && ob->quota == NULL)
496 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
497 "quota must be set if quota_filecount is set", tblock->name);
498 if (ob->quota_directory != NULL && ob->quota == NULL)
499 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
500 "quota must be set if quota_directory is set", tblock->name);
503 /* If a fixed uid field is set, then a gid field must also be set. */
505 if (tblock->uid_set && !tblock->gid_set && tblock->expand_gid == NULL)
506 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
507 "user set without group for the %s transport", tblock->name);
509 /* If "create_file" is set, check that a valid option is given, and set the
512 if (ob->create_file_string != NULL)
515 if (Ustrcmp(ob->create_file_string, "anywhere") == 0) value = create_anywhere;
516 else if (Ustrcmp(ob->create_file_string, "belowhome") == 0) value =
518 else if (Ustrcmp(ob->create_file_string, "inhome") == 0)
519 value = create_inhome;
521 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
522 "invalid value given for \"file_create\" for the %s transport: %s",
523 tblock->name, ob->create_file_string);
524 ob->create_file = value;
527 /* If quota_warn_threshold is set, set up default for warn_message. It may
528 not be used if the actual threshold for a given delivery ends up as zero,
529 of if it's given as a percentage and there's no quota setting. */
531 if (ob->quota_warn_threshold != NULL)
533 if (tblock->warn_message == NULL) tblock->warn_message = US
534 "To: $local_part@$domain\n"
535 "Subject: Your mailbox\n\n"
536 "This message is automatically created by mail delivery software (Exim).\n\n"
537 "The size of your mailbox has exceeded a warning threshold that is\n"
538 "set by the system administrator.\n";
541 /* If batch SMTP is set, force the check and escape strings, and arrange that
542 headers are also escaped. */
546 ob->check_string = US".";
547 ob->escape_string = US"..";
548 ob->options |= topt_escape_headers;
551 /* If not batch SMTP, not maildir, not mailstore, and directory is not set,
552 insert default values for for the affixes and the check/escape strings. */
554 else if (ob->dirname == NULL && !ob->maildir_format && !ob->mailstore_format)
556 if (ob->message_prefix == NULL) ob->message_prefix =
557 US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n";
558 if (ob->message_suffix == NULL) ob->message_suffix = US"\n";
559 if (ob->check_string == NULL) ob->check_string = US"From ";
560 if (ob->escape_string == NULL) ob->escape_string = US">From ";
564 /* Set up the bitwise options for transport_write_message from the various
565 driver options. Only one of body_only and headers_only can be set. */
568 (tblock->body_only? topt_no_headers : 0) |
569 (tblock->headers_only? topt_no_body : 0) |
570 (tblock->return_path_add? topt_add_return_path : 0) |
571 (tblock->delivery_date_add? topt_add_delivery_date : 0) |
572 (tblock->envelope_to_add? topt_add_envelope_to : 0) |
573 ((ob->use_crlf || ob->mbx_format)? topt_use_crlf : 0);
578 /*************************************************
580 *************************************************/
582 /* The comsat daemon is the thing that provides asynchronous notification of
583 the arrival of local messages, if requested by the user by "biff y". It is a
584 BSD thing that uses a TCP/IP protocol for communication. A message consisting
585 of the text "user@offset" must be sent, where offset is the place in the
586 mailbox where new mail starts. There is no scope for telling it which file to
587 look at, which makes it a less than useful if mail is being delivered into a
588 non-standard place such as the user's home directory. In fact, it doesn't seem
589 to pay much attention to the offset.
593 offset offset in mailbox
599 notify_comsat(uschar *user, off_t offset)
606 DEBUG(D_transport) debug_printf("notify_comsat called\n");
608 sprintf(CS buffer, "%.200s@" OFF_T_FMT "\n", user, offset);
610 if ((sp = getservbyname("biff", "udp")) == NULL)
612 DEBUG(D_transport) debug_printf("biff/udp is an unknown service");
616 host.name = US"localhost";
620 /* This code is all set up to look up "localhost" and use all its addresses
621 until one succeeds. However, it appears that at least on some systems, comsat
622 doesn't listen on the ::1 address. So for the moment, just force the address to
623 be 127.0.0.1. At some future stage, when IPv6 really is superseding IPv4, this
624 can be changed. (But actually, comsat is probably dying out anyway.) */
627 if (host_find_byname(&host, NULL, 0, NULL, FALSE) == HOST_FIND_FAILED)
629 DEBUG(D_transport) debug_printf("\"localhost\" unknown\n");
634 host.address = US"127.0.0.1";
637 for (h = &host; h; h = h->next)
640 int host_af = Ustrchr(h->address, ':') != NULL ? AF_INET6 : AF_INET;
642 DEBUG(D_transport) debug_printf("calling comsat on %s\n", h->address);
644 if ((sock = ip_socket(SOCK_DGRAM, host_af)) < 0) continue;
646 /* Connect never fails for a UDP socket, so don't set a timeout. */
648 (void)ip_connect(sock, host_af, h->address, ntohs(sp->s_port), 0, FALSE);
649 rc = send(sock, buffer, Ustrlen(buffer) + 1, 0);
654 debug_printf("send to comsat failed for %s: %s\n", strerror(errno),
661 /*************************************************
662 * Check the format of a file *
663 *************************************************/
665 /* This function is called when file_format is set, to check that an existing
666 file has the right format. The format string contains text/transport pairs. The
667 string matching is literal. we just read big_buffer_size bytes, because this is
668 all about the first few bytes of a file.
672 tblock the transport block
673 addr the address block - for inserting error data
675 Returns: pointer to the required transport, or NULL
679 check_file_format(int cfd, transport_instance *tblock, address_item *addr)
681 const uschar *format =
682 ((appendfile_transport_options_block *)(tblock->options_block))->file_format;
684 int len = read(cfd, data, sizeof(data));
688 DEBUG(D_transport) debug_printf("checking file format\n");
690 /* An empty file matches the current transport */
692 if (len == 0) return tblock;
694 /* Search the formats for a match */
696 while ((s = string_nextinlist(&format,&sep,big_buffer,big_buffer_size)))
698 int slen = Ustrlen(s);
699 BOOL match = len >= slen && Ustrncmp(data, s, slen) == 0;
700 uschar *tp = string_nextinlist(&format, &sep, big_buffer, big_buffer_size);
704 transport_instance *tt;
705 for (tt = transports; tt; tt = tt->next)
706 if (Ustrcmp(tp, tt->name) == 0)
709 debug_printf("file format -> %s transport\n", tt->name);
712 addr->basic_errno = ERRNO_BADTRANSPORT;
713 addr->message = string_sprintf("%s transport (for %.*s format) not found",
719 /* Failed to find a match */
721 addr->basic_errno = ERRNO_FORMATUNKNOWN;
722 addr->message = US"mailbox file format unrecognized";
729 /*************************************************
730 * Check directory's files for quota *
731 *************************************************/
733 /* This function is called if quota is set for one of the delivery modes that
734 delivers into a specific directory. It scans the directory and stats all the
735 files in order to get a total size and count. This is an expensive thing to do,
736 but some people are prepared to bear the cost. Alternatively, if size_regex is
737 set, it is used as a regex to try to extract the size from the file name, a
738 strategy that some people use on maildir files on systems where the users have
741 The function is global, because it is also called from tf_maildir.c for maildir
742 folders (which should contain only regular files).
744 Note: Any problems can be written to debugging output, but cannot be written to
745 the log, because we are running as an unprivileged user here.
748 dirname the name of the directory
749 countptr where to add the file count (because this function recurses)
750 regex a compiled regex to get the size from a name
752 Returns: the sum of the sizes of the stattable files
753 zero if the directory cannot be opened
757 check_dir_size(uschar *dirname, int *countptr, const pcre *regex)
761 int count = *countptr;
765 dir = opendir(CS dirname);
766 if (dir == NULL) return 0;
768 while ((ent = readdir(dir)) != NULL)
770 uschar *name = US ent->d_name;
773 if (Ustrcmp(name, ".") == 0 || Ustrcmp(name, "..") == 0) continue;
777 /* If there's a regex, try to find the size using it */
782 if (pcre_exec(regex, NULL, CS name, Ustrlen(name), 0, 0, ovector,6) >= 2)
785 off_t size = (off_t)Ustrtod(name + ovector[2], &endptr);
786 if (endptr == name + ovector[3])
790 debug_printf("check_dir_size: size from %s is " OFF_T_FMT "\n", name,
796 debug_printf("check_dir_size: regex did not match %s\n", name);
799 /* No regex or no match for the regex, or captured non-digits */
801 if (!string_format(buffer, sizeof(buffer), "%s/%s", dirname, name))
804 debug_printf("check_dir_size: name too long: dir=%s name=%s\n", dirname,
809 if (Ustat(buffer, &statbuf) < 0)
812 debug_printf("check_dir_size: stat error %d for %s: %s\n", errno, buffer,
817 if ((statbuf.st_mode & S_IFMT) == S_IFREG)
818 sum += statbuf.st_size;
819 else if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
820 sum += check_dir_size(buffer, &count, regex);
825 debug_printf("check_dir_size: dir=%s sum=" OFF_T_FMT " count=%d\n", dirname,
835 /*************************************************
836 * Apply a lock to a file descriptor *
837 *************************************************/
839 /* This function applies a lock to a file descriptor, using a blocking or
840 non-blocking lock, depending on the timeout value. It can apply either or
841 both of a fcntl() and a flock() lock. However, not all OS support flock();
842 for those that don't, the use_flock option cannot be set.
845 fd the file descriptor
846 fcntltype type of lock, specified as F_WRLCK or F_RDLCK (that is, in
847 fcntl() format); the flock() type is deduced if needed
848 dofcntl do fcntl() locking
849 fcntltime non-zero to use blocking fcntl()
850 doflock do flock() locking
851 flocktime non-zero to use blocking flock()
853 Returns: yield of the fcntl() or flock() call, with errno preserved;
854 sigalrm_seen set if there has been a timeout
858 apply_lock(int fd, int fcntltype, BOOL dofcntl, int fcntltime, BOOL doflock,
863 struct flock lock_data;
864 lock_data.l_type = fcntltype;
865 lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
867 sigalrm_seen = FALSE;
874 yield = fcntl(fd, F_SETLKW, &lock_data);
879 else yield = fcntl(fd, F_SETLK, &lock_data);
883 if (doflock && (yield >= 0))
885 int flocktype = (fcntltype == F_WRLCK)? LOCK_EX : LOCK_SH;
889 yield = flock(fd, flocktype);
894 else yield = flock(fd, flocktype | LOCK_NB);
896 #endif /* NO_FLOCK */
905 /*************************************************
906 * Copy message into MBX mailbox *
907 *************************************************/
909 /* This function is called when a message intended for a MBX mailbox has been
910 written to a temporary file. We can now get the size of the message and then
911 copy it in MBX format to the mailbox.
914 to_fd fd to write to (the real mailbox)
915 from_fd fd to read from (the temporary file)
916 saved_size current size of mailbox
918 Returns: OK if all went well, DEFER otherwise, with errno preserved
919 the number of bytes written are added to transport_count
920 by virtue of calling transport_write_block()
923 /* Values taken from c-client */
925 #define MBX_HDRSIZE 2048
926 #define MBX_NUSERFLAGS 30
929 copy_mbx_message(int to_fd, int from_fd, off_t saved_size)
934 transport_ctx tctx = {0};
938 /* If the current mailbox size is zero, write a header block */
944 memset (deliver_out_buffer, '\0', MBX_HDRSIZE);
945 sprintf(CS(s = deliver_out_buffer), "*mbx*\015\012%08lx00000000\015\012",
946 (long int)time(NULL));
947 for (i = 0; i < MBX_NUSERFLAGS; i++)
948 sprintf (CS(s += Ustrlen(s)), "\015\012");
949 if (!transport_write_block (&tctx, deliver_out_buffer, MBX_HDRSIZE, FALSE))
953 DEBUG(D_transport) debug_printf("copying MBX message from temporary file\n");
955 /* Now construct the message's header from the time and the RFC822 file
956 size, including CRLFs, which is the size of the input (temporary) file. */
958 if (fstat(from_fd, &statbuf) < 0) return DEFER;
959 size = statbuf.st_size;
961 sprintf (CS deliver_out_buffer, "%s," OFF_T_FMT ";%08lx%04x-%08x\015\012",
962 tod_stamp(tod_mbx), size, 0L, 0, 0);
963 used = Ustrlen(deliver_out_buffer);
965 /* Rewind the temporary file, and copy it over in chunks. */
967 if (lseek(from_fd, 0 , SEEK_SET) < 0) return DEFER;
971 int len = read(from_fd, deliver_out_buffer + used,
972 DELIVER_OUT_BUFFER_SIZE - used);
975 if (len == 0) errno = ERRNO_MBXLENGTH;
978 if (!transport_write_block(&tctx, deliver_out_buffer, used + len, FALSE))
986 #endif /* SUPPORT_MBX */
990 /*************************************************
991 * Check creation is permitted *
992 *************************************************/
994 /* This function checks whether a given file name is permitted to be created,
995 as controlled by the create_file option. If no home directory is set, however,
996 we can't do any tests.
999 filename the file name
1000 create_file the ob->create_file option
1002 Returns: TRUE if creation is permitted
1006 check_creation(uschar *filename, int create_file)
1010 if (deliver_home != NULL && create_file != create_anywhere)
1012 int len = Ustrlen(deliver_home);
1013 uschar *file = filename;
1015 while (file[0] == '/' && file[1] == '/') file++;
1016 if (Ustrncmp(file, deliver_home, len) != 0 || file[len] != '/' ||
1017 ( Ustrchr(file+len+2, '/') != NULL &&
1019 create_file != create_belowhome ||
1020 Ustrstr(file+len, "/../") != NULL
1025 /* If yield is TRUE, the file name starts with the home directory, and does
1026 not contain any instances of "/../" in the "belowhome" case. However, it may
1027 still contain symbolic links. We can check for this by making use of
1028 realpath(), which most Unixes seem to have (but make it possible to cut this
1029 out). We can't just use realpath() on the whole file name, because we know
1030 the file itself doesn't exist, and intermediate directories may also not
1031 exist. What we want to know is the real path of the longest existing part of
1032 the path. That must match the home directory's beginning, whichever is the
1036 if (yield && create_file == create_belowhome)
1038 uschar *slash, *next;
1040 for (slash = Ustrrchr(file, '/'); /* There is known to be one */
1041 rp == NULL && slash > file; /* Stop if reached beginning */
1045 rp = US realpath(CS file, CS big_buffer);
1046 next = Ustrrchr(file, '/');
1050 /* If rp == NULL it means that none of the relevant directories exist.
1051 This is not a problem here - it means that no symbolic links can exist,
1052 which is all we are worried about. Otherwise, we must compare it
1053 against the start of the home directory. However, that may itself
1054 contain symbolic links, so we have to "realpath" it as well, if
1059 uschar hdbuffer[PATH_MAX+1];
1060 uschar *rph = deliver_home;
1061 int rlen = Ustrlen(big_buffer);
1063 rp = US realpath(CS deliver_home, CS hdbuffer);
1070 if (rlen > len) rlen = len;
1071 if (Ustrncmp(rph, big_buffer, rlen) != 0)
1074 DEBUG(D_transport) debug_printf("Real path \"%s\" does not match \"%s\"\n",
1075 big_buffer, deliver_home);
1079 #endif /* NO_REALPATH */
1087 /*************************************************
1088 * Main entry point *
1089 *************************************************/
1091 /* See local README for general interface details. This transport always
1092 returns FALSE, indicating that the status which has been placed in the first
1093 address should be copied to any other addresses in a batch.
1095 Appendfile delivery is tricky and has led to various security problems in other
1096 mailers. The logic used here is therefore laid out in some detail. When this
1097 function is called, we are running in a subprocess which has had its gid and
1098 uid set to the appropriate values. Therefore, we cannot write directly to the
1099 exim logs. Any errors must be handled by setting appropriate return codes.
1100 Note that the default setting for addr->transport_return is DEFER, so it need
1101 not be set unless some other value is required.
1103 The code below calls geteuid() rather than getuid() to get the current uid
1104 because in weird configurations not running setuid root there may be a
1105 difference. In the standard configuration, where setuid() has been used in the
1106 delivery process, there will be no difference between the uid and the euid.
1108 (1) If the af_file flag is set, this is a delivery to a file after .forward or
1109 alias expansion. Otherwise, there must be a configured file name or
1112 The following items apply in the case when a file name (as opposed to a
1113 directory name) is given, that is, when appending to a single file:
1115 (2f) Expand the file name.
1117 (3f) If the file name is /dev/null, return success (optimization).
1119 (4f) If the file_format options is set, open the file for reading, and check
1120 that the bytes at the start of the file match one of the given strings.
1121 If the check indicates a transport other than the current one should be
1122 used, pass control to that other transport. Otherwise continue. An empty
1123 or non-existent file matches the current transport. The file is closed
1126 (5f) If a lock file is required, create it (see extensive separate comments
1127 below about the algorithm for doing this). It is important to do this
1128 before opening the mailbox if NFS is in use.
1130 (6f) Stat the file, using lstat() rather than stat(), in order to pick up
1131 details of any symbolic link.
1133 (7f) If the file already exists:
1135 Check the owner and group if necessary, and defer if they are wrong.
1137 If it is a symbolic link AND the allow_symlink option is set (NOT the
1138 default), go back to (6f) but this time use stat() instead of lstat().
1140 If it's not a regular file (or FIFO when permitted), defer delivery.
1142 Check permissions. If the required permissions are *less* than the
1143 existing ones, or supplied by the address (often by the user via filter),
1144 chmod() the file. Otherwise, defer.
1146 Save the inode number.
1148 Open with O_RDRW + O_APPEND, thus failing if the file has vanished.
1150 If open fails because the file does not exist, go to (6f); on any other
1153 Check the inode number hasn't changed - I realize this isn't perfect (an
1154 inode can be reused) but it's cheap and will catch some of the races.
1156 Check it's still a regular file (or FIFO if permitted).
1158 Check that the owner and permissions haven't changed.
1160 If file_format is set, check that the file still matches the format for
1161 the current transport. If not, defer delivery.
1163 (8f) If file does not exist initially:
1165 Open with O_WRONLY + O_EXCL + O_CREAT with configured mode, unless we know
1166 this is via a symbolic link (only possible if allow_symlinks is set), in
1167 which case don't use O_EXCL, as it doesn't work.
1169 If open fails because the file already exists, go to (6f). To avoid
1170 looping for ever in a situation where the file is continuously being
1171 created and deleted, all of this happens inside a loop that operates
1172 lock_retries times and includes the fcntl and flock locking. If the
1173 loop completes without the file getting opened, defer and request
1174 freezing, because something really weird is happening.
1176 If open fails for any other reason, defer for subsequent delivery except
1177 when this is a file delivery resulting from an alias or forward expansion
1178 and the error is EPERM or ENOENT or EACCES, in which case FAIL as this is
1179 most likely a user rather than a configuration error.
1181 (9f) We now have the file checked and open for writing. If so configured, lock
1182 it using fcntl, flock, or MBX locking rules. If this fails, close the file
1183 and goto (6f), up to lock_retries times, after sleeping for a while. If it
1184 still fails, give up and defer delivery.
1186 (10f)Save the access time (for subsequent restoration) and the size of the
1187 file, for comsat and for re-setting if delivery fails in the middle -
1188 e.g. for quota exceeded.
1190 The following items apply in the case when a directory name is given:
1192 (2d) Create a new file in the directory using a temporary name, by opening for
1193 writing and with O_CREAT. If maildir format is being used, the file
1194 is created in a temporary subdirectory with a prescribed name. If
1195 mailstore format is being used, the envelope file is first created with a
1196 temporary name, then the data file.
1198 The following items apply in all cases:
1200 (11) We now have the file open for writing, and locked if it was given as a
1201 file name. Write the message and flush the file, unless there is a setting
1202 of the local quota option, in which case we can check for its excession
1203 without doing any writing.
1205 In the case of MBX format mailboxes, the message is first written to a
1206 temporary file, in order to get its correct length. This is then copied to
1207 the real file, preceded by an MBX header.
1209 If there is a quota error on writing, defer the address. Timeout logic
1210 will determine for how long retries are attempted. We restore the mailbox
1211 to its original length if it's a single file. There doesn't seem to be a
1212 uniform error code for quota excession (it even differs between SunOS4
1213 and some versions of SunOS5) so a system-dependent macro called
1214 ERRNO_QUOTA is used for it, and the value gets put into errno_quota at
1217 For any other error (most commonly disk full), do the same.
1219 The following applies after appending to a file:
1221 (12f)Restore the atime; notify_comsat if required; close the file (which
1222 unlocks it if it was locked). Delete the lock file if it exists.
1224 The following applies after writing a unique file in a directory:
1226 (12d)For maildir format, rename the file into the new directory. For mailstore
1227 format, rename the envelope file to its correct name. Otherwise, generate
1228 a unique name from the directory_file option, and rename to that, possibly
1229 trying a few times if the file exists and re-expanding the name gives a
1232 This transport yields FAIL only when a file name is generated by an alias or
1233 forwarding operation and attempting to open it gives EPERM, ENOENT, or EACCES.
1234 All other failures return DEFER (in addr->transport_return). */
1238 appendfile_transport_entry(
1239 transport_instance *tblock, /* data for this instantiation */
1240 address_item *addr) /* address we are working on */
1242 appendfile_transport_options_block *ob =
1243 (appendfile_transport_options_block *)(tblock->options_block);
1244 struct stat statbuf;
1245 uschar *fdname = NULL;
1246 uschar *filename = NULL;
1247 uschar *hitchname = NULL;
1248 uschar *dataname = NULL;
1249 uschar *lockname = NULL;
1250 uschar *newname = NULL;
1251 uschar *nametag = NULL;
1253 uschar *filecount_msg = US"";
1255 struct utimbuf times;
1256 struct timeval msg_tv;
1257 BOOL disable_quota = FALSE;
1258 BOOL isdirectory = FALSE;
1259 BOOL isfifo = FALSE;
1260 BOOL wait_for_tick = FALSE;
1261 uid_t uid = geteuid(); /* See note above */
1262 gid_t gid = getegid();
1264 int mode = (addr->mode > 0)? addr->mode : ob->mode;
1265 off_t saved_size = -1;
1266 off_t mailbox_size = ob->mailbox_size_value;
1267 int mailbox_filecount = ob->mailbox_filecount_value;
1275 int mbx_lockfd = -1;
1276 uschar mbx_lockname[40];
1277 FILE *temp_file = NULL;
1278 #endif /* SUPPORT_MBX */
1280 #ifdef SUPPORT_MAILDIR
1281 int maildirsize_fd = -1; /* fd for maildirsize file */
1282 int maildir_save_errno;
1286 DEBUG(D_transport) debug_printf("appendfile transport entered\n");
1288 /* An "address_file" or "address_directory" transport is used to deliver to
1289 files specified via .forward or an alias file. Prior to release 4.20, the
1290 "file" and "directory" options were ignored in this case. This has been changed
1291 to allow the redirection data to specify what is in effect a folder, whose
1292 location is determined by the options on the transport.
1294 Compatibility with the case when neither option is set is retained by forcing a
1295 value for the file or directory name. A directory delivery is assumed if the
1296 last character of the path from the router is '/'.
1298 The file path is in the local part of the address, but not in the $local_part
1299 variable (that holds the parent local part). It is, however, in the
1300 $address_file variable. Below, we update the local part in the address if it
1301 changes by expansion, so that the final path ends up in the log. */
1303 if (testflag(addr, af_file) &&
1304 ob->filename == NULL &&
1305 ob->dirname == NULL)
1307 fdname = US"$address_file";
1308 if (address_file[Ustrlen(address_file)-1] == '/' ||
1309 ob->maildir_format ||
1310 ob->mailstore_format)
1314 /* Handle (a) an "address file" delivery where "file" or "directory" is
1315 explicitly set and (b) a non-address_file delivery, where one of "file" or
1316 "directory" must be set; initialization ensures that they are not both set. */
1320 fdname = ob->filename;
1323 fdname = ob->dirname;
1328 addr->transport_return = PANIC;
1329 addr->message = string_sprintf("Mandatory file or directory option "
1330 "missing from %s transport", tblock->name);
1335 /* Maildir and mailstore require a directory */
1337 if ((ob->maildir_format || ob->mailstore_format) && !isdirectory)
1339 addr->transport_return = PANIC;
1340 addr->message = string_sprintf("mail%s_format requires \"directory\" "
1341 "to be specified for the %s transport",
1342 ob->maildir_format? "dir" : "store", tblock->name);
1346 path = expand_string(fdname);
1350 addr->transport_return = PANIC;
1351 addr->message = string_sprintf("Expansion of \"%s\" (file or directory "
1352 "name for %s transport) failed: %s", fdname, tblock->name,
1353 expand_string_message);
1359 addr->message = string_sprintf("appendfile: file or directory name "
1360 "\"%s\" is not absolute", path);
1361 addr->basic_errno = ERRNO_NOTABSOLUTE;
1365 /* For a file delivery, make sure the local part in the address(es) is updated
1366 to the true local part. */
1368 if (testflag(addr, af_file))
1370 address_item *addr2;
1371 for (addr2 = addr; addr2 != NULL; addr2 = addr2->next)
1372 addr2->local_part = string_copy(path);
1375 /* The available mailbox formats depend on whether it is a directory or a file
1381 #ifdef SUPPORT_MAILDIR
1382 (ob->maildir_format)? mbf_maildir :
1384 #ifdef SUPPORT_MAILSTORE
1385 (ob->mailstore_format)? mbf_mailstore :
1393 (ob->mbx_format)? mbf_mbx :
1400 debug_printf("appendfile: mode=%o notify_comsat=%d quota=" OFF_T_FMT
1402 " warning=" OFF_T_FMT "%s\n"
1403 " %s=%s format=%s\n message_prefix=%s\n message_suffix=%s\n "
1404 "maildir_use_size_file=%s\n",
1405 mode, ob->notify_comsat, ob->quota_value,
1406 ob->quota_no_check? " (no_check)" : "",
1407 ob->quota_filecount_no_check? " (no_check_filecount)" : "",
1408 ob->quota_warn_threshold_value,
1409 ob->quota_warn_threshold_is_percent? "%" : "",
1410 isdirectory? "directory" : "file",
1411 path, mailbox_formats[mbformat],
1412 (ob->message_prefix == NULL)? US"null" : string_printing(ob->message_prefix),
1413 (ob->message_suffix == NULL)? US"null" : string_printing(ob->message_suffix),
1414 (ob->maildir_use_size_file)? "yes" : "no");
1416 if (!isdirectory) debug_printf(" locking by %s%s%s%s%s\n",
1417 ob->use_lockfile? "lockfile " : "",
1418 ob->use_mbx_lock? "mbx locking (" : "",
1419 ob->use_fcntl? "fcntl " : "",
1420 ob->use_flock? "flock" : "",
1421 ob->use_mbx_lock? ")" : "");
1424 /* If the -N option is set, can't do any more. */
1429 debug_printf("*** delivery by %s transport bypassed by -N option\n",
1431 addr->transport_return = OK;
1435 /* Handle the case of a file name. If the file name is /dev/null, we can save
1436 ourselves some effort and just give a success return right away. */
1440 BOOL use_lstat = TRUE;
1441 BOOL file_opened = FALSE;
1442 BOOL allow_creation_here = TRUE;
1444 if (Ustrcmp(path, "/dev/null") == 0)
1446 addr->transport_return = OK;
1450 /* Set the name of the file to be opened, and the file to which the data
1451 is written, and find out if we are permitted to create a non-existent file. */
1453 dataname = filename = path;
1454 allow_creation_here = check_creation(filename, ob->create_file);
1456 /* If ob->create_directory is set, attempt to create the directories in
1457 which this mailbox lives, but only if we are permitted to create the file
1458 itself. We know we are dealing with an absolute path, because this was
1461 if (ob->create_directory && allow_creation_here)
1463 uschar *p = Ustrrchr(path, '/');
1465 if (!directory_make(NULL, path, ob->dirmode, FALSE))
1467 addr->basic_errno = errno;
1469 string_sprintf("failed to create directories for %s: %s", path,
1471 DEBUG(D_transport) debug_printf("%s transport: %s\n", tblock->name, path);
1477 /* If file_format is set we must check that any existing file matches one of
1478 the configured formats by checking the bytes it starts with. A match then
1479 indicates a specific transport - if it is not this one, pass control to it.
1480 Otherwise carry on here. An empty or non-existent file matches the current
1481 transport. We don't need to distinguish between non-existence and other open
1482 failures because if an existing file fails to open here, it will also fail
1483 again later when O_RDWR is used. */
1485 if (ob->file_format != NULL)
1487 int cfd = Uopen(path, O_RDONLY, 0);
1490 transport_instance *tt = check_file_format(cfd, tblock, addr);
1493 /* If another transport is indicated, call it and return; if no transport
1494 was found, just return - the error data will have been set up.*/
1500 set_process_info("delivering %s to %s using %s", message_id,
1501 addr->local_part, tt->name);
1502 debug_print_string(tt->debug_string);
1503 addr->transport = tt;
1504 (tt->info->code)(tt, addr);
1511 /* The locking of mailbox files is worse than the naming of cats, which is
1512 known to be "a difficult matter" (T.S. Eliot) and just as cats must have
1513 three different names, so several different styles of locking are used.
1515 Research in other programs that lock mailboxes shows that there is no
1516 universally standard method. Having mailboxes NFS-mounted on the system that
1517 is delivering mail is not the best thing, but people do run like this,
1518 and so the code must do its best to cope.
1520 Three different locking mechanisms are supported. The initialization function
1521 checks that at least one is configured.
1525 Unless no_use_lockfile is set, we attempt to build a lock file in a way that
1526 will work over NFS. Only after that is done do we actually open the mailbox
1527 and apply locks to it (if configured).
1529 Originally, Exim got the file opened before doing anything about locking.
1530 However, a very occasional problem was observed on Solaris 2 when delivering
1531 over NFS. It is seems that when a file is opened with O_APPEND, the file size
1532 gets remembered at open time. If another process on another host (that's
1533 important) has the file open and locked and writes to it and then releases
1534 the lock while the first process is waiting to get the lock, the first
1535 process may fail to write at the new end point of the file - despite the very
1536 definite statement about O_APPEND in the man page for write(). Experiments
1537 have reproduced this problem, but I do not know any way of forcing a host to
1538 update its attribute cache for an open NFS file. It would be nice if it did
1539 so when a lock was taken out, but this does not seem to happen. Anyway, to
1540 reduce the risk of this problem happening, we now create the lock file
1541 (if configured) *before* opening the mailbox. That will prevent two different
1542 Exims opening the file simultaneously. It may not prevent clashes with MUAs,
1543 however, but Pine at least seems to operate in the same way.
1545 Lockfiles should normally be used when NFS is involved, because of the above
1548 The logic for creating the lock file is:
1550 . The name of the lock file is <mailbox-name>.lock
1552 . First, create a "hitching post" name by adding the primary host name,
1553 current time and pid to the lock file name. This should be unique.
1555 . Create the hitching post file using WRONLY + CREAT + EXCL.
1557 . If that fails EACCES, we assume it means that the user is unable to create
1558 files in the mail spool directory. Some installations might operate in this
1559 manner, so there is a configuration option to allow this state not to be an
1560 error - we proceed to lock using fcntl only, after the file is open.
1562 . Otherwise, an error causes a deferment of the address.
1564 . Hard link the hitching post to the lock file name.
1566 . If the link succeeds, we have successfully created the lock file. Simply
1567 close and unlink the hitching post file.
1569 . If the link does not succeed, proceed as follows:
1571 o Fstat the hitching post file, and then close and unlink it.
1573 o Now examine the stat data. If the number of links to the file is exactly
1574 2, the linking succeeded but for some reason, e.g. an NFS server crash,
1575 the return never made it back, so the link() function gave a failure
1578 . This method allows for the lock file to be created by some other process
1579 right up to the moment of the attempt to hard link it, and is also robust
1580 against NFS server crash-reboots, which would probably result in timeouts
1581 in the middle of link().
1583 . System crashes may cause lock files to get left lying around, and some means
1584 of flushing them is required. The approach of writing a pid (used by smail
1585 and by elm) into the file isn't useful when NFS may be in use. Pine uses a
1586 timeout, which seems a better approach. Since any program that writes to a
1587 mailbox using a lock file should complete its task very quickly, Pine
1588 removes lock files that are older than 5 minutes. We allow the value to be
1589 configurable on the transport.
1593 If use_fcntl_lock is set, then Exim gets an exclusive fcntl() lock on the
1594 mailbox once it is open. This is done by default with a non-blocking lock.
1595 Failures to lock cause retries after a sleep, but only for a certain number
1596 of tries. A blocking lock is deliberately not used so that we don't hold the
1597 mailbox open. This minimizes the possibility of the NFS problem described
1598 under LOCK FILES above, if for some reason NFS deliveries are happening
1599 without lock files. However, the use of a non-blocking lock and sleep, though
1600 the safest approach, does not give the best performance on very busy systems.
1601 A blocking lock plus timeout does better. Therefore Exim has an option to
1602 allow it to work this way. If lock_fcntl_timeout is set greater than zero, it
1603 enables the use of blocking fcntl() calls.
1607 If use_flock_lock is set, then Exim gets an exclusive flock() lock in the
1608 same manner as for fcntl locking above. No-blocking/timeout is also set as
1609 above in lock_flock_timeout. Not all operating systems provide or support
1610 flock(). For those that don't (as determined by the definition of LOCK_SH in
1611 /usr/include/sys/file.h), use_flock_lock may not be set. For some OS, flock()
1612 is implemented (not precisely) on top of fcntl(), which means there's no
1613 point in actually using it.
1617 If use_mbx_lock is set (this is supported only if SUPPORT_MBX is defined)
1618 then the rules used for locking in c-client are used. Exim takes out a shared
1619 lock on the mailbox file, and an exclusive lock on the file whose name is
1620 /tmp/.<device-number>.<inode-number>. The shared lock on the mailbox stops
1621 any other MBX client from getting an exclusive lock on it and expunging it.
1622 It also stops any other MBX client from unlinking the /tmp lock when it has
1625 The exclusive lock on the /tmp file prevents any other MBX client from
1626 updating the mailbox in any way. When writing is finished, if an exclusive
1627 lock on the mailbox can be obtained, indicating there are no current sharers,
1628 the /tmp file is unlinked.
1630 MBX locking can use either fcntl() or flock() locking. If neither
1631 use_fcntl_lock or use_flock_lock is set, it defaults to using fcntl() only.
1632 The calls for getting these locks are by default non-blocking, as for non-mbx
1633 locking, but can be made blocking by setting lock_fcntl_timeout and/or
1634 lock_flock_timeout as appropriate. As MBX delivery doesn't work over NFS, it
1635 probably makes sense to set timeouts for any MBX deliveries. */
1638 /* Build a lock file if configured to do so - the existence of a lock
1639 file is subsequently checked by looking for a non-negative value of the
1640 file descriptor hd - even though the file is no longer open. */
1642 if (ob->use_lockfile)
1644 /* cf. exim_lock.c */
1645 lockname = string_sprintf("%s.lock", filename);
1646 hitchname = string_sprintf( "%s.%s.%08x.%08x", lockname, primary_hostname,
1647 (unsigned int)(time(NULL)), (unsigned int)getpid());
1649 DEBUG(D_transport) debug_printf("lock name: %s\nhitch name: %s\n", lockname,
1652 /* Lock file creation retry loop */
1654 for (i = 0; i < ob->lock_retries; sleep(ob->lock_interval), i++)
1657 hd = Uopen(hitchname, O_WRONLY | O_CREAT | O_EXCL, ob->lockfile_mode);
1661 addr->basic_errno = errno;
1663 string_sprintf("creating lock file hitching post %s "
1664 "(euid=%ld egid=%ld)", hitchname, (long int)geteuid(),
1665 (long int)getegid());
1669 /* Attempt to hitch the hitching post to the lock file. If link()
1670 succeeds (the common case, we hope) all is well. Otherwise, fstat the
1671 file, and get rid of the hitching post. If the number of links was 2,
1672 the link was created, despite the failure of link(). If the hitch was
1673 not successful, try again, having unlinked the lock file if it is too
1676 There's a version of Linux (2.0.27) which doesn't update its local cache
1677 of the inode after link() by default - which many think is a bug - but
1678 if the link succeeds, this code will be OK. It just won't work in the
1679 case when link() fails after having actually created the link. The Linux
1680 NFS person is fixing this; a temporary patch is available if anyone is
1681 sufficiently worried. */
1683 if ((rc = Ulink(hitchname, lockname)) != 0) fstat(hd, &statbuf);
1686 if (rc != 0 && statbuf.st_nlink != 2)
1688 if (ob->lockfile_timeout > 0 && Ustat(lockname, &statbuf) == 0 &&
1689 time(NULL) - statbuf.st_ctime > ob->lockfile_timeout)
1691 DEBUG(D_transport) debug_printf("unlinking timed-out lock file\n");
1694 DEBUG(D_transport) debug_printf("link of hitching post failed - retrying\n");
1698 DEBUG(D_transport) debug_printf("lock file created\n");
1702 /* Check for too many tries at creating the lock file */
1704 if (i >= ob->lock_retries)
1706 addr->basic_errno = ERRNO_LOCKFAILED;
1707 addr->message = string_sprintf("failed to lock mailbox %s (lock file)",
1714 /* We now have to get the file open. First, stat() it and act on existence or
1715 non-existence. This is in a loop to handle the case of a file's being created
1716 or deleted as we watch, and also to handle retries when the locking fails.
1717 Rather than holding the file open while waiting for the fcntl() and/or
1718 flock() lock, we close and do the whole thing again. This should be safer,
1719 especially for NFS files, which might get altered from other hosts, making
1720 their cached sizes incorrect.
1722 With the default settings, no symlinks are permitted, but there is an option
1723 to permit symlinks for those sysadmins that know what they are doing.
1724 Shudder. However, insist that the initial symlink is owned by the right user.
1725 Thus lstat() is used initially; if a symlink is discovered, the loop is
1726 repeated such that stat() is used, to look at the end file. */
1728 for (i = 0; i < ob->lock_retries; i++)
1730 int sleep_before_retry = TRUE;
1731 file_opened = FALSE;
1733 if((use_lstat? Ulstat(filename, &statbuf) : Ustat(filename, &statbuf)) != 0)
1735 /* Let's hope that failure to stat (other than non-existence) is a
1738 if (errno != ENOENT)
1740 addr->basic_errno = errno;
1741 addr->message = string_sprintf("attempting to stat mailbox %s",
1746 /* File does not exist. If it is required to pre-exist this state is an
1749 if (ob->file_must_exist)
1751 addr->basic_errno = errno;
1752 addr->message = string_sprintf("mailbox %s does not exist, "
1753 "but file_must_exist is set", filename);
1757 /* If not permitted to create this file because it isn't in or below
1758 the home directory, generate an error. */
1760 if (!allow_creation_here)
1762 addr->basic_errno = ERRNO_BADCREATE;
1763 addr->message = string_sprintf("mailbox %s does not exist, "
1764 "but creation outside the home directory is not permitted",
1769 /* Attempt to create and open the file. If open fails because of
1770 pre-existence, go round the loop again. For any other error, defer the
1771 address, except for an alias or forward generated file name with EPERM,
1772 ENOENT, or EACCES, as those are most likely to be user errors rather
1773 than Exim config errors. When a symbolic link is permitted and points
1774 to a non-existent file, we get here with use_lstat = FALSE. In this case
1775 we mustn't use O_EXCL, since it doesn't work. The file is opened RDRW for
1776 consistency and because MBX locking requires it in order to be able to
1777 get a shared lock. */
1779 fd = Uopen(filename, O_RDWR | O_APPEND | O_CREAT |
1780 (use_lstat? O_EXCL : 0), mode);
1783 if (errno == EEXIST) continue;
1784 addr->basic_errno = errno;
1785 addr->message = string_sprintf("while creating mailbox %s",
1787 if (testflag(addr, af_file) &&
1788 (errno == EPERM || errno == ENOENT || errno == EACCES))
1789 addr->transport_return = FAIL;
1793 /* We have successfully created and opened the file. Ensure that the group
1794 and the mode are correct. */
1796 if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
1798 addr->basic_errno = errno;
1799 addr->message = string_sprintf("while setting perms on mailbox %s",
1801 addr->transport_return = FAIL;
1807 /* The file already exists. Test its type, ownership, and permissions, and
1808 save the inode for checking later. If symlinks are permitted (not the
1809 default or recommended state) it may be a symlink that already exists.
1810 Check its ownership and then look for the file at the end of the link(s).
1811 This at least prevents one user creating a symlink for another user in
1812 a sticky directory. */
1816 int oldmode = (int)statbuf.st_mode;
1817 ino_t inode = statbuf.st_ino;
1818 BOOL islink = (oldmode & S_IFMT) == S_IFLNK;
1820 isfifo = FALSE; /* In case things are changing */
1822 /* Check owner if required - the default. */
1824 if (ob->check_owner && statbuf.st_uid != uid)
1826 addr->basic_errno = ERRNO_BADUGID;
1827 addr->message = string_sprintf("mailbox %s%s has wrong uid "
1828 "(%ld != %ld)", filename,
1829 islink? " (symlink)" : "",
1830 (long int)(statbuf.st_uid), (long int)uid);
1834 /* Group is checked only if check_group is set. */
1836 if (ob->check_group && statbuf.st_gid != gid)
1838 addr->basic_errno = ERRNO_BADUGID;
1839 addr->message = string_sprintf("mailbox %s%s has wrong gid (%d != %d)",
1840 filename, islink? " (symlink)" : "", statbuf.st_gid, gid);
1844 /* Just in case this is a sticky-bit mail directory, we don't want
1845 users to be able to create hard links to other users' files. */
1847 if (statbuf.st_nlink != 1)
1849 addr->basic_errno = ERRNO_NOTREGULAR;
1850 addr->message = string_sprintf("mailbox %s%s has too many links (%d)",
1851 filename, islink? " (symlink)" : "", statbuf.st_nlink);
1856 /* If symlinks are permitted (not recommended), the lstat() above will
1857 have found the symlink. Its ownership has just been checked; go round
1858 the loop again, using stat() instead of lstat(). That will never yield a
1861 if (islink && ob->allow_symlink)
1864 i--; /* Don't count this time round */
1868 /* An actual file exists. Check that it is a regular file, or FIFO
1871 if (ob->allow_fifo && (oldmode & S_IFMT) == S_IFIFO) isfifo = TRUE;
1873 else if ((oldmode & S_IFMT) != S_IFREG)
1875 addr->basic_errno = ERRNO_NOTREGULAR;
1876 addr->message = string_sprintf("mailbox %s is not a regular file%s",
1877 filename, ob->allow_fifo? " or named pipe" : "");
1881 /* If the mode is not what it would be for a newly created file, change
1882 the permissions if the mode is supplied for the address. Otherwise,
1883 reduce but do not extend the permissions. If the newly created
1884 permissions are greater than the existing permissions, don't change
1885 things when the mode is not from the address. */
1887 if ((oldmode = (oldmode & 07777)) != mode)
1889 int diffs = oldmode ^ mode;
1890 if (addr->mode > 0 || (diffs & oldmode) == diffs)
1892 DEBUG(D_transport) debug_printf("chmod %o %s\n", mode, filename);
1893 if (Uchmod(filename, mode) < 0)
1895 addr->basic_errno = errno;
1896 addr->message = string_sprintf("attempting to chmod mailbox %s",
1903 /* Mode not from address, and newly-created permissions are greater
1904 than existing permissions. Default is to complain, but it can be
1905 configured to go ahead and try to deliver anyway if that's what
1906 the administration wants. */
1908 else if (ob->mode_fail_narrower)
1910 addr->basic_errno = ERRNO_BADMODE;
1911 addr->message = string_sprintf("mailbox %s has the wrong mode %o "
1912 "(%o expected)", filename, oldmode, mode);
1917 /* We are happy with the existing file. Open it, and then do further
1918 tests to ensure that it is the same file that we were just looking at.
1919 If the file does not now exist, restart this loop, going back to using
1920 lstat again. For an NFS error, just defer; other opening errors are
1921 more serious. The file is opened RDWR so that its format can be checked,
1922 and also MBX locking requires the use of a shared (read) lock. However,
1923 a FIFO is opened WRONLY + NDELAY so that it fails if there is no process
1924 reading the pipe. */
1926 fd = Uopen(filename, isfifo? (O_WRONLY|O_NDELAY) : (O_RDWR|O_APPEND),
1930 if (errno == ENOENT)
1935 addr->basic_errno = errno;
1938 addr->message = string_sprintf("while opening named pipe %s "
1939 "(could mean no process is reading it)", filename);
1941 else if (errno != EWOULDBLOCK)
1943 addr->message = string_sprintf("while opening mailbox %s", filename);
1948 /* This fstat really shouldn't fail, as we have an open file! There's a
1949 dilemma here. We use fstat in order to be sure we are peering at the file
1950 we have got open. However, that won't tell us if the file was reached
1951 via a symbolic link. We checked this above, but there is a race exposure
1952 if the link was created between the previous lstat and the open. However,
1953 it would have to be created with the same inode in order to pass the
1954 check below. If ob->allow_symlink is set, causing the use of stat rather
1955 than lstat above, symbolic links may be there anyway, and the checking is
1958 if (fstat(fd, &statbuf) < 0)
1960 addr->basic_errno = errno;
1961 addr->message = string_sprintf("attempting to stat open mailbox %s",
1966 /* Check the inode; this is isn't a perfect check, but gives some
1969 if (inode != statbuf.st_ino)
1971 addr->basic_errno = ERRNO_INODECHANGED;
1972 addr->message = string_sprintf("opened mailbox %s inode number changed "
1973 "from %d to %ld", filename, inode, statbuf.st_ino);
1974 addr->special_action = SPECIAL_FREEZE;
1978 /* Check it's still a regular file or FIFO, and the uid, gid, and
1979 permissions have not changed. */
1981 if ((!isfifo && (statbuf.st_mode & S_IFMT) != S_IFREG) ||
1982 (isfifo && (statbuf.st_mode & S_IFMT) != S_IFIFO))
1984 addr->basic_errno = ERRNO_NOTREGULAR;
1986 string_sprintf("opened mailbox %s is no longer a %s", filename,
1987 isfifo? "named pipe" : "regular file");
1988 addr->special_action = SPECIAL_FREEZE;
1992 if ((ob->check_owner && statbuf.st_uid != uid) ||
1993 (ob->check_group && statbuf.st_gid != gid))
1995 addr->basic_errno = ERRNO_BADUGID;
1997 string_sprintf("opened mailbox %s has wrong uid or gid", filename);
1998 addr->special_action = SPECIAL_FREEZE;
2002 if ((statbuf.st_mode & 07777) != oldmode)
2004 addr->basic_errno = ERRNO_BADMODE;
2005 addr->message = string_sprintf("opened mailbox %s has wrong mode %o "
2006 "(%o expected)", filename, statbuf.st_mode & 07777, mode);
2007 addr->special_action = SPECIAL_FREEZE;
2011 /* If file_format is set, check that the format of the file has not
2012 changed. Error data is set by the testing function. */
2014 if (ob->file_format != NULL &&
2015 check_file_format(fd, tblock, addr) != tblock)
2017 addr->message = US"open mailbox has changed format";
2021 /* The file is OK. Carry on to do the locking. */
2024 /* We now have an open file, and must lock it using fcntl(), flock() or MBX
2025 locking rules if configured to do so. If a lock file is also required, it
2026 was created above and hd was left >= 0. At least one form of locking is
2027 required by the initialization function. If locking fails here, close the
2028 file and go round the loop all over again, after waiting for a bit, unless
2029 blocking locking was used. */
2032 if ((ob->lock_fcntl_timeout > 0) || (ob->lock_flock_timeout > 0))
2033 sleep_before_retry = FALSE;
2035 /* Simple fcntl() and/or flock() locking */
2037 if (!ob->use_mbx_lock && (ob->use_fcntl || ob->use_flock))
2039 if (apply_lock(fd, F_WRLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
2040 ob->use_flock, ob->lock_flock_timeout) >= 0) break;
2043 /* MBX locking rules */
2046 else if (ob->use_mbx_lock)
2049 struct stat lstatbuf, statbuf2;
2050 if (apply_lock(fd, F_RDLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
2051 ob->use_flock, ob->lock_flock_timeout) >= 0 &&
2052 fstat(fd, &statbuf) >= 0)
2054 sprintf(CS mbx_lockname, "/tmp/.%lx.%lx", (long)statbuf.st_dev,
2055 (long)statbuf.st_ino);
2058 * 2010-05-29: SECURITY
2059 * Dan Rosenberg reported the presence of a race-condition in the
2060 * original code here. Beware that many systems still allow symlinks
2061 * to be followed in /tmp so an attacker can create a symlink pointing
2062 * elsewhere between a stat and an open, which we should avoid
2065 * It's unfortunate that we can't just use all the heavily debugged
2066 * locking from above.
2068 * Also: remember to mirror changes into exim_lock.c */
2070 /* first leave the old pre-check in place, it provides better
2071 * diagnostics for common cases */
2072 if (Ulstat(mbx_lockname, &statbuf) >= 0)
2074 if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
2076 addr->basic_errno = ERRNO_LOCKFAILED;
2077 addr->message = string_sprintf("symbolic link on MBX lock file %s",
2081 if (statbuf.st_nlink > 1)
2083 addr->basic_errno = ERRNO_LOCKFAILED;
2084 addr->message = string_sprintf("hard link to MBX lock file %s",
2090 /* If we could just declare "we must be the ones who create this
2091 * file" then a hitching post in a subdir would work, since a
2092 * subdir directly in /tmp/ which we create wouldn't follow links
2093 * but this isn't our locking logic, so we can't safely change the
2094 * file existence rules. */
2096 /* On systems which support O_NOFOLLOW, it's the easiest and most
2097 * obviously correct security fix */
2098 mbx_tmp_oflags = O_RDWR | O_CREAT;
2100 mbx_tmp_oflags |= O_NOFOLLOW;
2102 mbx_lockfd = Uopen(mbx_lockname, mbx_tmp_oflags, ob->lockfile_mode);
2105 addr->basic_errno = ERRNO_LOCKFAILED;
2106 addr->message = string_sprintf("failed to open MBX lock file %s :%s",
2107 mbx_lockname, strerror(errno));
2111 if (Ulstat(mbx_lockname, &lstatbuf) < 0)
2113 addr->basic_errno = ERRNO_LOCKFAILED;
2114 addr->message = string_sprintf("attempting to lstat open MBX "
2115 "lock file %s: %s", mbx_lockname, strerror(errno));
2118 if (fstat(mbx_lockfd, &statbuf2) < 0)
2120 addr->basic_errno = ERRNO_LOCKFAILED;
2121 addr->message = string_sprintf("attempting to stat fd of open MBX "
2122 "lock file %s: %s", mbx_lockname, strerror(errno));
2128 * statbuf: if exists, is file which existed prior to opening the
2129 * lockfile, might have been replaced since then
2130 * statbuf2: result of stat'ing the open fd, is what was actually
2132 * lstatbuf: result of lstat'ing the filename immediately after
2133 * the open but there's a race condition again between
2134 * those two steps: before open, symlink to foo, after
2135 * open but before lstat have one of:
2136 * * was no symlink, so is the opened file
2137 * (we created it, no messing possible after that point)
2139 * * symlink elsewhere
2140 * * hardlink elsewhere
2142 * Don't want to compare to device of /tmp because some modern systems
2143 * have regressed to having /tmp be the safe actual filesystem as
2144 * valuable data, so is mostly worthless, unless we assume that *only*
2145 * Linux systems do this and that all Linux has O_NOFOLLOW. Something
2146 * for further consideration.
2147 * No point in doing a readlink on the lockfile as that will always be
2148 * at a different point in time from when we open it, so tells us
2149 * nothing; attempts to clean up and delete after ourselves would risk
2150 * deleting a *third* filename.
2152 if ((statbuf2.st_nlink > 1) ||
2153 (lstatbuf.st_nlink > 1) ||
2154 (!S_ISREG(lstatbuf.st_mode)) ||
2155 (lstatbuf.st_dev != statbuf2.st_dev) ||
2156 (lstatbuf.st_ino != statbuf2.st_ino))
2158 addr->basic_errno = ERRNO_LOCKFAILED;
2159 addr->message = string_sprintf("RACE CONDITION detected: "
2160 "mismatch post-initial-checks between \"%s\" and opened "
2161 "fd lead us to abort!", mbx_lockname);
2165 (void)Uchmod(mbx_lockname, ob->lockfile_mode);
2167 if (apply_lock(mbx_lockfd, F_WRLCK, ob->use_fcntl,
2168 ob->lock_fcntl_timeout, ob->use_flock, ob->lock_flock_timeout) >= 0)
2170 struct stat ostatbuf;
2172 /* This tests for a specific race condition. Ensure that we still
2173 have the same file. */
2175 if (Ulstat(mbx_lockname, &statbuf) == 0 &&
2176 fstat(mbx_lockfd, &ostatbuf) == 0 &&
2177 statbuf.st_dev == ostatbuf.st_dev &&
2178 statbuf.st_ino == ostatbuf.st_ino)
2180 DEBUG(D_transport) debug_printf("MBX lockfile %s changed "
2181 "between creation and locking\n", mbx_lockname);
2184 DEBUG(D_transport) debug_printf("failed to lock %s: %s\n", mbx_lockname,
2186 (void)close(mbx_lockfd);
2191 DEBUG(D_transport) debug_printf("failed to fstat or get read lock on %s: %s\n",
2192 filename, strerror(errno));
2195 #endif /* SUPPORT_MBX */
2197 else break; /* No on-file locking required; break the open/lock loop */
2200 debug_printf("fcntl(), flock(), or MBX locking failed - retrying\n");
2204 use_lstat = TRUE; /* Reset to use lstat first */
2207 /* If a blocking call timed out, break the retry loop if the total time
2208 so far is not less than than retries * interval. Use the larger of the
2209 flock() and fcntl() timeouts. */
2212 (i+1) * ((ob->lock_fcntl_timeout > ob->lock_flock_timeout)?
2213 ob->lock_fcntl_timeout : ob->lock_flock_timeout) >=
2214 ob->lock_retries * ob->lock_interval)
2215 i = ob->lock_retries;
2217 /* Wait a bit before retrying, except when it was a blocked fcntl() or
2218 flock() that caused the problem. */
2220 if (i < ob->lock_retries && sleep_before_retry) sleep(ob->lock_interval);
2223 /* Test for exceeding the maximum number of tries. Either the file remains
2224 locked, or, if we haven't got it open, something is terribly wrong... */
2226 if (i >= ob->lock_retries)
2230 addr->basic_errno = ERRNO_EXISTRACE;
2231 addr->message = string_sprintf("mailbox %s: existence unclear", filename);
2232 addr->special_action = SPECIAL_FREEZE;
2236 addr->basic_errno = ERRNO_LOCKFAILED;
2237 addr->message = string_sprintf("failed to lock mailbox %s (fcntl/flock)",
2243 DEBUG(D_transport) debug_printf("mailbox %s is locked\n", filename);
2245 /* Save access time (for subsequent restoration), modification time (for
2246 restoration if updating fails), size of file (for comsat and for re-setting if
2247 delivery fails in the middle - e.g. for quota exceeded). */
2249 if (fstat(fd, &statbuf) < 0)
2251 addr->basic_errno = errno;
2252 addr->message = string_sprintf("while fstatting opened mailbox %s",
2257 times.actime = statbuf.st_atime;
2258 times.modtime = statbuf.st_mtime;
2259 saved_size = statbuf.st_size;
2260 if (mailbox_size < 0) mailbox_size = saved_size;
2261 mailbox_filecount = 0; /* Not actually relevant for single-file mailbox */
2264 /* Prepare for writing to a new file (as opposed to appending to an old one).
2265 There are several different formats, but there is preliminary stuff concerned
2266 with quotas that applies to all of them. Finding the current size by directory
2267 scanning is expensive; for maildirs some fudges have been invented:
2269 (1) A regex can be used to extract a file size from its name;
2270 (2) If maildir_use_size is set, a maildirsize file is used to cache the
2276 uschar *check_path = path; /* Default quota check path */
2277 const pcre *regex = NULL; /* Regex for file size from file name */
2279 if (!check_creation(string_sprintf("%s/any", path), ob->create_file))
2281 addr->basic_errno = ERRNO_BADCREATE;
2282 addr->message = string_sprintf("tried to create file in %s, but "
2283 "file creation outside the home directory is not permitted", path);
2287 #ifdef SUPPORT_MAILDIR
2288 /* For a maildir delivery, ensure that all the relevant directories exist,
2289 and a maildirfolder file if necessary. */
2291 if (mbformat == mbf_maildir && !maildir_ensure_directories(path, addr,
2292 ob->create_directory, ob->dirmode, ob->maildirfolder_create_regex))
2294 #endif /* SUPPORT_MAILDIR */
2296 /* If we are going to do a quota check, of if maildir_use_size_file is set
2297 for a maildir delivery, compile the regular expression if there is one. We
2298 may also need to adjust the path that is used. We need to do this for
2299 maildir_use_size_file even if the quota is unset, because we still want to
2300 create the file. When maildir support is not compiled,
2301 ob->maildir_use_size_file is always FALSE. */
2303 if (ob->quota_value > 0 || THRESHOLD_CHECK || ob->maildir_use_size_file)
2305 const uschar *error;
2308 /* Compile the regex if there is one. */
2310 if (ob->quota_size_regex != NULL)
2312 regex = pcre_compile(CS ob->quota_size_regex, PCRE_COPT,
2313 (const char **)&error, &offset, NULL);
2316 addr->message = string_sprintf("appendfile: regular expression "
2317 "error: %s at offset %d while compiling %s", error, offset,
2318 ob->quota_size_regex);
2321 DEBUG(D_transport) debug_printf("using regex for file sizes: %s\n",
2322 ob->quota_size_regex);
2325 /* Use an explicitly configured directory if set */
2327 if (ob->quota_directory != NULL)
2329 check_path = expand_string(ob->quota_directory);
2330 if (check_path == NULL)
2332 addr->transport_return = PANIC;
2333 addr->message = string_sprintf("Expansion of \"%s\" (quota_directory "
2334 "name for %s transport) failed: %s", ob->quota_directory,
2335 tblock->name, expand_string_message);
2339 if (check_path[0] != '/')
2341 addr->message = string_sprintf("appendfile: quota_directory name "
2342 "\"%s\" is not absolute", check_path);
2343 addr->basic_errno = ERRNO_NOTABSOLUTE;
2348 #ifdef SUPPORT_MAILDIR
2349 /* Otherwise, if we are handling a maildir delivery, and the directory
2350 contains a file called maildirfolder, this is a maildir++ feature telling
2351 us that this is a sub-directory of the real inbox. We should therefore do
2352 the quota check on the parent directory. Beware of the special case when
2353 the directory name itself ends in a slash. */
2355 else if (mbformat == mbf_maildir)
2357 struct stat statbuf;
2358 if (Ustat(string_sprintf("%s/maildirfolder", path), &statbuf) >= 0)
2360 uschar *new_check_path = string_copy(check_path);
2361 uschar *slash = Ustrrchr(new_check_path, '/');
2367 slash = Ustrrchr(new_check_path, '/');
2372 check_path = new_check_path;
2373 DEBUG(D_transport) debug_printf("maildirfolder file exists: "
2374 "quota check directory changed to %s\n", check_path);
2379 #endif /* SUPPORT_MAILDIR */
2382 /* If we are using maildirsize files, we need to ensure that such a file
2383 exists and, if necessary, recalculate its contents. As a byproduct of this,
2384 we obtain the current size of the maildir. If no quota is to be enforced
2385 (ob->quota_value == 0), we still need the size if a threshold check will
2388 Another regular expression is used to determine which directories inside the
2389 maildir are going to be counted. */
2391 #ifdef SUPPORT_MAILDIR
2392 if (ob->maildir_use_size_file)
2394 const pcre *dir_regex = NULL;
2395 const uschar *error;
2398 if (ob->maildir_dir_regex != NULL)
2400 int check_path_len = Ustrlen(check_path);
2402 dir_regex = pcre_compile(CS ob->maildir_dir_regex, PCRE_COPT,
2403 (const char **)&error, &offset, NULL);
2404 if (dir_regex == NULL)
2406 addr->message = string_sprintf("appendfile: regular expression "
2407 "error: %s at offset %d while compiling %s", error, offset,
2408 ob->maildir_dir_regex);
2413 debug_printf("using regex for maildir directory selection: %s\n",
2414 ob->maildir_dir_regex);
2416 /* Check to see if we are delivering into an ignored directory, that is,
2417 if the delivery path starts with the quota check path, and the rest
2418 of the deliver path matches the regex; if so, set a flag to disable quota
2419 checking and maildirsize updating. */
2421 if (Ustrncmp(path, check_path, check_path_len) == 0)
2423 uschar *s = path + check_path_len;
2424 while (*s == '/') s++;
2425 s = (*s == 0)? US "new" : string_sprintf("%s/new", s);
2426 if (pcre_exec(dir_regex, NULL, CS s, Ustrlen(s), 0, 0, NULL, 0) < 0)
2428 disable_quota = TRUE;
2429 DEBUG(D_transport) debug_printf("delivery directory does not match "
2430 "maildir_quota_directory_regex: disabling quota\n");
2435 /* Quota enforcement; create and check the file. There is some discussion
2436 about whether this should happen if the quota is unset. At present, Exim
2437 always creates the file. If we ever want to change this, uncomment
2438 appropriate lines below, possibly doing a check on some option. */
2440 /* if (???? || ob->quota_value > 0) */
2447 maildirsize_fd = maildir_ensure_sizefile(check_path, ob, regex, dir_regex,
2450 if (maildirsize_fd == -1)
2452 addr->basic_errno = errno;
2453 addr->message = string_sprintf("while opening or reading "
2454 "%s/maildirsize", check_path);
2457 /* can also return -2, which means that the file was removed because of
2458 raciness; but in this case, the size & filecount will still have been
2461 if (mailbox_size < 0) mailbox_size = size;
2462 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2465 /* No quota enforcement; ensure file does *not* exist; calculate size if
2470 * time_t old_latest;
2471 * (void)unlink(CS string_sprintf("%s/maildirsize", check_path));
2472 * if (THRESHOLD_CHECK)
2473 * mailbox_size = maildir_compute_size(check_path, &mailbox_filecount, &old_latest,
2474 * regex, dir_regex, FALSE);
2479 #endif /* SUPPORT_MAILDIR */
2481 /* Otherwise if we are going to do a quota check later on, and the mailbox
2482 size is not set, find the current size of the mailbox. Ditto for the file
2483 count. Note that ob->quota_filecount_value cannot be set without
2484 ob->quota_value being set. */
2486 if (!disable_quota &&
2487 (ob->quota_value > 0 || THRESHOLD_CHECK) &&
2488 (mailbox_size < 0 ||
2489 (mailbox_filecount < 0 && ob->quota_filecount_value > 0)))
2494 debug_printf("quota checks on directory %s\n", check_path);
2495 size = check_dir_size(check_path, &filecount, regex);
2496 if (mailbox_size < 0) mailbox_size = size;
2497 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2500 /* Handle the case of creating a unique file in a given directory (not in
2501 maildir or mailstore format - this is how smail did it). A temporary name is
2502 used to create the file. Later, when it is written, the name is changed to a
2503 unique one. There is no need to lock the file. An attempt is made to create
2504 the directory if it does not exist. */
2506 if (mbformat == mbf_smail)
2509 debug_printf("delivering to new file in %s\n", path);
2510 filename = dataname =
2511 string_sprintf("%s/temp.%d.%s", path, (int)getpid(), primary_hostname);
2512 fd = Uopen(filename, O_WRONLY|O_CREAT, mode);
2513 if (fd < 0 && /* failed to open, and */
2514 (errno != ENOENT || /* either not non-exist */
2515 !ob->create_directory || /* or not allowed to make */
2516 !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */
2517 (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */
2519 addr->basic_errno = errno;
2520 addr->message = string_sprintf("while creating file %s", filename);
2525 #ifdef SUPPORT_MAILDIR
2527 /* Handle the case of a unique file in maildir format. The file is written to
2528 the tmp subdirectory, with a prescribed form of name. */
2530 else if (mbformat == mbf_maildir)
2533 debug_printf("delivering in maildir format in %s\n", path);
2535 nametag = ob->maildir_tag;
2537 /* Check that nametag expands successfully; a hard failure causes a panic
2538 return. The actual expansion for use happens again later, when
2539 $message_size is accurately known. */
2541 if (nametag != NULL && expand_string(nametag) == NULL &&
2542 !expand_string_forcedfail)
2544 addr->transport_return = PANIC;
2545 addr->message = string_sprintf("Expansion of \"%s\" (maildir_tag "
2546 "for %s transport) failed: %s", nametag, tblock->name,
2547 expand_string_message);
2551 /* We ensured the existence of all the relevant directories above. Attempt
2552 to open the temporary file a limited number of times. I think this rather
2553 scary-looking for statement is actually OK. If open succeeds, the loop is
2554 broken; if not, there is a test on the value of i. Get the time again
2555 afresh each time round the loop. Its value goes into a variable that is
2556 checked at the end, to make sure we don't release this process until the
2557 clock has ticked. */
2563 (void)gettimeofday(&msg_tv, NULL);
2564 basename = string_sprintf(TIME_T_FMT ".H%luP%lu.%s",
2565 msg_tv.tv_sec, msg_tv.tv_usec, getpid(), primary_hostname);
2567 filename = dataname = string_sprintf("tmp/%s", basename);
2568 newname = string_sprintf("new/%s", basename);
2570 if (Ustat(filename, &statbuf) == 0)
2572 else if (errno == ENOENT)
2574 fd = Uopen(filename, O_WRONLY | O_CREAT | O_EXCL, mode);
2576 DEBUG (D_transport) debug_printf ("open failed for %s: %s\n",
2577 filename, strerror(errno));
2580 /* Too many retries - give up */
2582 if (i >= ob->maildir_retries)
2584 addr->message = string_sprintf ("failed to open %s (%d tr%s)",
2585 filename, i, (i == 1)? "y" : "ies");
2586 addr->basic_errno = errno;
2587 if (errno == errno_quota || errno == ENOSPC)
2588 addr->user_message = US"mailbox is full";
2592 /* Open or stat failed but we haven't tried too many times yet. */
2597 /* Note that we have to ensure the clock has ticked before leaving */
2599 wait_for_tick = TRUE;
2601 /* Why are these here? Put in because they are present in the non-maildir
2602 directory case above. */
2604 if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
2606 addr->basic_errno = errno;
2607 addr->message = string_sprintf("while setting perms on maildir %s",
2613 #endif /* SUPPORT_MAILDIR */
2615 #ifdef SUPPORT_MAILSTORE
2617 /* Handle the case of a unique file in mailstore format. First write the
2618 envelope to a temporary file, then open the main file. The unique base name
2619 for the files consists of the message id plus the pid of this delivery
2625 address_item *taddr;
2626 mailstore_basename = string_sprintf("%s/%s-%s", path, message_id,
2627 string_base62((long int)getpid()));
2630 debug_printf("delivering in mailstore format in %s\n", path);
2632 filename = string_sprintf("%s.tmp", mailstore_basename);
2633 newname = string_sprintf("%s.env", mailstore_basename);
2634 dataname = string_sprintf("%s.msg", mailstore_basename);
2636 fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
2637 if (fd < 0 && /* failed to open, and */
2638 (errno != ENOENT || /* either not non-exist */
2639 !ob->create_directory || /* or not allowed to make */
2640 !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */
2641 (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */
2643 addr->basic_errno = errno;
2644 addr->message = string_sprintf("while creating file %s", filename);
2648 /* Why are these here? Put in because they are present in the non-maildir
2649 directory case above. */
2651 if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
2653 addr->basic_errno = errno;
2654 addr->message = string_sprintf("while setting perms on file %s",
2659 /* Built a C stream from the open file descriptor. */
2661 if ((env_file = fdopen(fd, "wb")) == NULL)
2663 addr->basic_errno = errno;
2664 addr->transport_return = PANIC;
2665 addr->message = string_sprintf("fdopen of %s ("
2666 "for %s transport) failed", filename, tblock->name);
2672 /* Write the envelope file, then close it. */
2674 if (ob->mailstore_prefix != NULL)
2676 uschar *s = expand_string(ob->mailstore_prefix);
2679 if (!expand_string_forcedfail)
2681 addr->transport_return = PANIC;
2682 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2683 "prefix for %s transport) failed: %s", ob->mailstore_prefix,
2684 tblock->name, expand_string_message);
2685 (void)fclose(env_file);
2693 fprintf(env_file, "%s", CS s);
2694 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2698 fprintf(env_file, "%s\n", sender_address);
2700 for (taddr = addr; taddr!= NULL; taddr = taddr->next)
2701 fprintf(env_file, "%s@%s\n", taddr->local_part, taddr->domain);
2703 if (ob->mailstore_suffix != NULL)
2705 uschar *s = expand_string(ob->mailstore_suffix);
2708 if (!expand_string_forcedfail)
2710 addr->transport_return = PANIC;
2711 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2712 "suffix for %s transport) failed: %s", ob->mailstore_suffix,
2713 tblock->name, expand_string_message);
2714 (void)fclose(env_file);
2722 fprintf(env_file, "%s", CS s);
2723 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2727 if (fclose(env_file) != 0)
2729 addr->basic_errno = errno;
2730 addr->message = string_sprintf("while closing %s", filename);
2735 DEBUG(D_transport) debug_printf("Envelope file %s written\n", filename);
2737 /* Now open the data file, and ensure that it has the correct ownership and
2740 fd = Uopen(dataname, O_WRONLY|O_CREAT|O_EXCL, mode);
2743 addr->basic_errno = errno;
2744 addr->message = string_sprintf("while creating file %s", dataname);
2748 if(Uchown(dataname, uid, gid) || Uchmod(dataname, mode))
2750 addr->basic_errno = errno;
2751 addr->message = string_sprintf("while setting perms on file %s",
2757 #endif /* SUPPORT_MAILSTORE */
2760 /* In all cases of writing to a new file, ensure that the file which is
2761 going to be renamed has the correct ownership and mode. */
2763 if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
2765 addr->basic_errno = errno;
2766 addr->message = string_sprintf("while setting perms on file %s",
2773 /* At last we can write the message to the file, preceded by any configured
2774 prefix line, and followed by any configured suffix line. If there are any
2775 writing errors, we must defer. */
2777 DEBUG(D_transport) debug_printf("writing to file %s\n", dataname);
2782 /* If there is a local quota setting, check that we are not going to exceed it
2783 with this message if quota_is_inclusive is set; if it is not set, the check
2784 is for the mailbox already being over quota (i.e. the current message is not
2785 included in the check). */
2787 if (!disable_quota && ob->quota_value > 0)
2791 debug_printf("Exim quota = " OFF_T_FMT " old size = " OFF_T_FMT
2792 " this message = %d (%sincluded)\n",
2793 ob->quota_value, mailbox_size, message_size,
2794 ob->quota_is_inclusive? "" : "not ");
2795 debug_printf(" file count quota = %d count = %d\n",
2796 ob->quota_filecount_value, mailbox_filecount);
2799 if (mailbox_size + (ob->quota_is_inclusive? message_size:0) > ob->quota_value)
2802 if (!ob->quota_no_check)
2804 DEBUG(D_transport) debug_printf("mailbox quota exceeded\n");
2806 errno = ERRNO_EXIMQUOTA;
2808 else DEBUG(D_transport) debug_printf("mailbox quota exceeded but ignored\n");
2812 if (ob->quota_filecount_value > 0
2813 && mailbox_filecount + (ob->quota_is_inclusive ? 1:0) >
2814 ob->quota_filecount_value)
2815 if(!ob->quota_filecount_no_check)
2817 DEBUG(D_transport) debug_printf("mailbox file count quota exceeded\n");
2819 errno = ERRNO_EXIMQUOTA;
2820 filecount_msg = US" filecount";
2822 else DEBUG(D_transport) if (ob->quota_filecount_no_check)
2823 debug_printf("mailbox file count quota exceeded but ignored\n");
2827 /* If we are writing in MBX format, what we actually do is to write the message
2828 to a temporary file, and then copy it to the real file once we know its size.
2829 This is the most straightforward way of getting the correct length in the
2830 separator line. So, what we do here is to save the real file descriptor, and
2831 replace it with one for a temporary file. The temporary file gets unlinked once
2832 opened, so that it goes away on closure. */
2835 if (yield == OK && ob->mbx_format)
2837 temp_file = tmpfile();
2838 if (temp_file == NULL)
2840 addr->basic_errno = errno;
2841 addr->message = US"while setting up temporary file";
2846 fd = fileno(temp_file);
2847 DEBUG(D_transport) debug_printf("writing to temporary file\n");
2849 #endif /* SUPPORT_MBX */
2851 /* Zero the count of bytes written. It is incremented by the transport_xxx()
2854 transport_count = 0;
2855 transport_newlines = 0;
2857 /* Write any configured prefix text first */
2859 if (yield == OK && ob->message_prefix != NULL && ob->message_prefix[0] != 0)
2861 uschar *prefix = expand_string(ob->message_prefix);
2864 errno = ERRNO_EXPANDFAIL;
2865 addr->transport_return = PANIC;
2866 addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s "
2867 "transport) failed", ob->message_prefix, tblock->name);
2870 else if (!transport_write_string(fd, "%s", prefix)) yield = DEFER;
2873 /* If the use_bsmtp option is on, we need to write SMTP prefix information. The
2874 various different values for batching are handled outside; if there is more
2875 than one address available here, all must be included. If any address is a
2876 file, use its parent in the RCPT TO. */
2878 if (yield == OK && ob->use_bsmtp)
2880 transport_count = 0;
2881 transport_newlines = 0;
2882 if (ob->use_crlf) cr = US"\r";
2883 if (!transport_write_string(fd, "MAIL FROM:<%s>%s\n", return_path, cr))
2888 transport_newlines++;
2889 for (a = addr; a != NULL; a = a->next)
2891 address_item *b = testflag(a, af_pfr)? a->parent: a;
2892 if (!transport_write_string(fd, "RCPT TO:<%s>%s\n",
2893 transport_rcpt_address(b, tblock->rcpt_include_affixes), cr))
2894 { yield = DEFER; break; }
2895 transport_newlines++;
2897 if (yield == OK && !transport_write_string(fd, "DATA%s\n", cr))
2900 transport_newlines++;
2904 /* Now the message itself. The options for transport_write_message were set up
2905 at initialization time. */
2909 transport_ctx tctx = {
2917 if (!transport_write_message(&tctx, 0))
2921 /* Now a configured suffix. */
2923 if (yield == OK && ob->message_suffix != NULL && ob->message_suffix[0] != 0)
2925 uschar *suffix = expand_string(ob->message_suffix);
2928 errno = ERRNO_EXPANDFAIL;
2929 addr->transport_return = PANIC;
2930 addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s "
2931 "transport) failed", ob->message_suffix, tblock->name);
2934 else if (!transport_write_string(fd, "%s", suffix)) yield = DEFER;
2937 /* If batch smtp, write the terminating dot. */
2939 if (yield == OK && ob->use_bsmtp ) {
2940 if(!transport_write_string(fd, ".%s\n", cr)) yield = DEFER;
2941 else transport_newlines++;
2944 /* If MBX format is being used, all that writing was to the temporary file.
2945 However, if there was an earlier failure (Exim quota exceeded, for example),
2946 the temporary file won't have got opened - and no writing will have been done.
2947 If writing was OK, we restore the fd, and call a function that copies the
2948 message in MBX format into the real file. Otherwise use the temporary name in
2952 if (temp_file != NULL && ob->mbx_format)
2959 transport_count = 0; /* Reset transport count for actual write */
2960 /* No need to reset transport_newlines as we're just using a block copy
2961 * routine so the number won't be affected */
2962 yield = copy_mbx_message(fd, fileno(temp_file), saved_size);
2964 else if (errno >= 0) dataname = US"temporary file";
2966 /* Preserve errno while closing the temporary file. */
2968 mbx_save_errno = errno;
2969 (void)fclose(temp_file);
2970 errno = mbx_save_errno;
2972 #endif /* SUPPORT_MBX */
2974 /* Force out the remaining data to check for any errors; some OS don't allow
2975 fsync() to be called for a FIFO. */
2977 if (yield == OK && !isfifo && EXIMfsync(fd) < 0) yield = DEFER;
2979 /* Update message_size and message_linecount to the accurate count of bytes
2980 written, including added headers. Note; we subtract 1 from message_linecount as
2981 this variable doesn't count the new line between the header and the body of the
2984 message_size = transport_count;
2985 message_linecount = transport_newlines - 1;
2987 /* If using a maildir++ quota file, add this message's size to it, and
2988 close the file descriptor, except when the quota has been disabled because we
2989 are delivering into an uncounted folder. */
2991 #ifdef SUPPORT_MAILDIR
2994 if (yield == OK && maildirsize_fd >= 0)
2995 maildir_record_length(maildirsize_fd, message_size);
2996 maildir_save_errno = errno; /* Preserve errno while closing the file */
2997 if (maildirsize_fd >= 0)
2998 (void)close(maildirsize_fd);
2999 errno = maildir_save_errno;
3001 #endif /* SUPPORT_MAILDIR */
3003 /* If there is a quota warning threshold and we are have crossed it with this
3004 message, set the SPECIAL_WARN flag in the address, to cause a warning message
3007 if (!disable_quota && THRESHOLD_CHECK)
3009 off_t threshold = ob->quota_warn_threshold_value;
3010 if (ob->quota_warn_threshold_is_percent)
3011 threshold = (off_t)(((double)ob->quota_value * threshold) / 100);
3013 debug_printf("quota = " OFF_T_FMT
3014 " threshold = " OFF_T_FMT
3015 " old size = " OFF_T_FMT
3016 " message size = %d\n",
3017 ob->quota_value, threshold, mailbox_size,
3019 if (mailbox_size <= threshold && mailbox_size + message_size > threshold)
3020 addr->special_action = SPECIAL_WARN;
3022 /******* You might think that the test ought to be this:
3024 * if (ob->quota_value > 0 && threshold > 0 && mailbox_size > 0 &&
3025 * mailbox_size <= threshold && mailbox_size + message_size > threshold)
3027 * (indeed, I was sent a patch with that in). However, it is possible to
3028 * have a warning threshold without actually imposing a quota, and I have
3029 * therefore kept Exim backwards compatible.
3034 /* Handle error while writing the file. Control should come here directly after
3035 the error, with the reason in errno. In the case of expansion failure in prefix
3036 or suffix, it will be ERRNO_EXPANDFAIL. */
3040 addr->special_action = SPECIAL_NONE; /* Cancel any quota warning */
3042 /* Save the error number. If positive, it will ultimately cause a strerror()
3043 call to generate some text. */
3045 addr->basic_errno = errno;
3047 /* For system or Exim quota excession, or disk full, set more_errno to the
3048 time since the file was last read. If delivery was into a directory, the
3049 time since last read logic is not relevant, in general. However, for maildir
3050 deliveries we can approximate it by looking at the last modified time of the
3051 "new" subdirectory. Since Exim won't be adding new messages, a change to the
3052 "new" subdirectory implies that an MUA has moved a message from there to the
3055 if (errno == errno_quota || errno == ERRNO_EXIMQUOTA || errno == ENOSPC)
3057 addr->more_errno = 0;
3058 if (!isdirectory) addr->more_errno = (int)(time(NULL) - times.actime);
3060 #ifdef SUPPORT_MAILDIR
3061 else if (mbformat == mbf_maildir)
3063 struct stat statbuf;
3064 if (Ustat("new", &statbuf) < 0)
3066 DEBUG(D_transport) debug_printf("maildir quota exceeded: "
3067 "stat error %d for \"new\": %s\n", errno, strerror(errno));
3069 else /* Want a repeatable time when in test harness */
3071 addr->more_errno = running_in_test_harness? 10 :
3072 (int)time(NULL) - statbuf.st_mtime;
3075 debug_printf("maildir: time since \"new\" directory modified = %s\n",
3076 readconf_printtime(addr->more_errno));
3078 #endif /* SUPPORT_MAILDIR */
3081 /* Handle system quota excession. Add an explanatory phrase for the error
3082 message, since some systems don't have special quota-excession errors,
3083 and on those that do, "quota" doesn't always mean anything to the user. */
3085 if (errno == errno_quota)
3088 addr->message = string_sprintf("mailbox is full "
3089 "(quota exceeded while writing to file %s)", filename);
3091 addr->message = string_sprintf("mailbox is full");
3093 addr->user_message = US"mailbox is full";
3094 DEBUG(D_transport) debug_printf("System quota exceeded for %s%s%s\n",
3096 isdirectory? US"" : US": time since file read = ",
3097 isdirectory? US"" : readconf_printtime(addr->more_errno));
3100 /* Handle Exim's own quota-imposition */
3102 else if (errno == ERRNO_EXIMQUOTA)
3104 addr->message = string_sprintf("mailbox is full "
3105 "(MTA-imposed%s quota exceeded while writing to %s)", filecount_msg,
3107 addr->user_message = US"mailbox is full";
3108 DEBUG(D_transport) debug_printf("Exim%s quota exceeded for %s%s%s\n",
3109 filecount_msg, dataname,
3110 isdirectory? US"" : US": time since file read = ",
3111 isdirectory? US"" : readconf_printtime(addr->more_errno));
3114 /* Handle a process failure while writing via a filter; the return
3115 from child_close() is in more_errno. */
3117 else if (errno == ERRNO_FILTER_FAIL)
3120 addr->message = string_sprintf("transport filter process failed (%d) "
3121 "while writing to %s%s", addr->more_errno, dataname,
3122 (addr->more_errno == EX_EXECFAILED)? ": unable to execute command" : "");
3125 /* Handle failure to expand header changes */
3127 else if (errno == ERRNO_CHHEADER_FAIL)
3131 string_sprintf("failed to expand headers_add or headers_remove while "
3132 "writing to %s: %s", dataname, expand_string_message);
3135 /* Handle failure to complete writing of a data block */
3137 else if (errno == ERRNO_WRITEINCOMPLETE)
3139 addr->message = string_sprintf("failed to write data block while "
3140 "writing to %s", dataname);
3143 /* Handle length mismatch on MBX copying */
3146 else if (errno == ERRNO_MBXLENGTH)
3148 addr->message = string_sprintf("length mismatch while copying MBX "
3149 "temporary file to %s", dataname);
3151 #endif /* SUPPORT_MBX */
3153 /* For other errors, a general-purpose explanation, if the message is
3156 else if (addr->message == NULL)
3157 addr->message = string_sprintf("error while writing to %s", dataname);
3159 /* For a file, reset the file size to what it was before we started, leaving
3160 the last modification time unchanged, so it will get reset also. All systems
3161 investigated so far have ftruncate(), whereas not all have the F_FREESP
3162 fcntl() call (BSDI & FreeBSD do not). */
3164 if (!isdirectory && ftruncate(fd, saved_size))
3165 DEBUG(D_transport) debug_printf("Error resetting file size\n");
3168 /* Handle successful writing - we want the modification time to be now for
3169 appended files. Remove the default backstop error number. For a directory, now
3170 is the time to rename the file with a unique name. As soon as such a name
3171 appears it may get used by another process, so we close the file first and
3172 check that all is well. */
3176 times.modtime = time(NULL);
3177 addr->basic_errno = 0;
3179 /* Handle the case of writing to a new file in a directory. This applies
3180 to all single-file formats - maildir, mailstore, and "smail format". */
3184 if (fstat(fd, &statbuf) < 0)
3186 addr->basic_errno = errno;
3187 addr->message = string_sprintf("while fstatting opened message file %s",
3192 else if (close(fd) < 0)
3194 addr->basic_errno = errno;
3195 addr->message = string_sprintf("close() error for %s",
3196 (ob->mailstore_format)? dataname : filename);
3200 /* File is successfully written and closed. Arrange to rename it. For the
3201 different kinds of single-file delivery, some games can be played with the
3202 name. The message size is by this time set to the accurate value so that
3203 its value can be used in expansions. */
3207 uschar *renamename = newname;
3210 DEBUG(D_transport) debug_printf("renaming temporary file\n");
3212 /* If there is no rename name set, we are in a non-maildir, non-mailstore
3213 situation. The name is built by expanding the directory_file option, and
3214 we make the inode number available for use in this. The expansion was
3215 checked for syntactic validity above, before we wrote the file.
3217 We have to be careful here, in case the file name exists. (In the other
3218 cases, the names used are constructed to be unique.) The rename()
3219 function just replaces an existing file - we don't want that! So instead
3220 of calling rename(), we must use link() and unlink().
3222 In this case, if the link fails because of an existing file, we wait
3223 for one second and try the expansion again, to see if it produces a
3224 different value. Do this up to 5 times unless the name stops changing.
3225 This makes it possible to build values that are based on the time, and
3226 still cope with races from multiple simultaneous deliveries. */
3228 if (newname == NULL)
3232 uschar *old_renameleaf = US"";
3234 for (i = 0; ; sleep(1), i++)
3236 deliver_inode = statbuf.st_ino;
3237 renameleaf = expand_string(ob->dirfilename);
3240 if (renameleaf == NULL)
3242 addr->transport_return = PANIC;
3243 addr->message = string_sprintf("Expansion of \"%s\" "
3244 "(directory_file for %s transport) failed: %s",
3245 ob->dirfilename, tblock->name, expand_string_message);
3249 renamename = string_sprintf("%s/%s", path, renameleaf);
3250 if (Ulink(filename, renamename) < 0)
3252 DEBUG(D_transport) debug_printf("link failed: %s\n",
3254 if (errno != EEXIST || i >= 4 ||
3255 Ustrcmp(renameleaf, old_renameleaf) == 0)
3257 addr->basic_errno = errno;
3258 addr->message = string_sprintf("while renaming %s as %s",
3259 filename, renamename);
3263 old_renameleaf = renameleaf;
3264 DEBUG(D_transport) debug_printf("%s exists - trying again\n",
3273 } /* re-expand loop */
3274 } /* not mailstore or maildir */
3276 /* For maildir and mailstore formats, the new name was created earlier,
3277 except that for maildir, there is the possibility of adding a "tag" on
3278 the end of the name by expanding the value of nametag. This usually
3279 includes a reference to the message size. The expansion of nametag was
3280 checked above, before the file was opened. It either succeeded, or
3281 provoked a soft failure. So any failure here can be treated as soft.
3282 Ignore non-printing characters and / and put a colon at the start if the
3283 first character is alphanumeric. */
3287 if (nametag != NULL)
3289 uschar *iptr = expand_string(nametag);
3292 uschar *etag = store_get(Ustrlen(iptr) + 2);
3293 uschar *optr = etag;
3296 if (mac_isgraph(*iptr) && *iptr != '/')
3298 if (optr == etag && isalnum(*iptr)) *optr++ = ':';
3304 renamename = string_sprintf("%s%s", newname, etag);
3308 /* Do the rename. If the name is too long and a tag exists, try again
3311 if (Urename(filename, renamename) < 0 &&
3312 (nametag == NULL || errno != ENAMETOOLONG ||
3313 (renamename = newname, Urename(filename, renamename) < 0)))
3315 addr->basic_errno = errno;
3316 addr->message = string_sprintf("while renaming %s as %s",
3317 filename, renamename);
3321 /* Rename succeeded */
3325 DEBUG(D_transport) debug_printf("renamed %s as %s\n", filename,
3327 filename = dataname = NULL; /* Prevents attempt to unlink at end */
3329 } /* maildir or mailstore */
3330 } /* successful write + close */
3332 } /* write success */
3335 /* For a file, restore the last access time (atime), and set the modification
3336 time as required - changed if write succeeded, unchanged if not. */
3338 if (!isdirectory) utime(CS filename, ×);
3340 /* Notify comsat if configured to do so. It only makes sense if the configured
3341 file is the one that the comsat daemon knows about. */
3343 if (ob->notify_comsat && yield == OK && deliver_localpart != NULL)
3344 notify_comsat(deliver_localpart, saved_size);
3346 /* Pass back the final return code in the address structure */
3349 debug_printf("appendfile yields %d with errno=%d more_errno=%d\n",
3350 yield, addr->basic_errno, addr->more_errno);
3352 addr->transport_return = yield;
3354 /* Close the file, which will release the fcntl lock. For a directory write it
3355 is closed above, except in cases of error which goto RETURN, when we also need
3356 to remove the original file(s). For MBX locking, if all has gone well, before
3357 closing the file, see if we can get an exclusive lock on it, in which case we
3358 can unlink the /tmp lock file before closing it. This is always a non-blocking
3359 lock; there's no need to wait if we can't get it. If everything has gone right
3360 but close fails, defer the message. Then unlink the lock file, if present. This
3361 point in the code is jumped to from a number of places when errors are
3362 detected, in order to get the file closed and the lock file tidied away. */
3367 if (mbx_lockfd >= 0)
3369 if (yield == OK && apply_lock(fd, F_WRLCK, ob->use_fcntl, 0,
3370 ob->use_flock, 0) >= 0)
3373 debug_printf("unlinking MBX lock file %s\n", mbx_lockname);
3374 Uunlink(mbx_lockname);
3376 (void)close(mbx_lockfd);
3378 #endif /* SUPPORT_MBX */
3380 if (fd >= 0 && close(fd) < 0 && yield == OK)
3382 addr->basic_errno = errno;
3383 addr->message = string_sprintf("while closing %s", filename);
3384 addr->transport_return = DEFER;
3387 if (hd >= 0) Uunlink(lockname);
3389 /* We get here with isdirectory and filename set only in error situations. */
3391 if (isdirectory && filename != NULL)
3394 if (dataname != filename) Uunlink(dataname);
3397 /* If wait_for_tick is TRUE, we have done a delivery where the uniqueness of a
3398 file name relies on time + pid. We must not allow the process to finish until
3399 the clock has move on by at least one microsecond. Usually we expect this
3400 already to be the case, but machines keep getting faster... */
3402 if (wait_for_tick) exim_wait_tick(&msg_tv, 1);
3404 /* A return of FALSE means that if there was an error, a common error was
3405 put in the first address of a batch. */
3410 /* End of transport/appendfile.c */
git://git.exim.org / users / jgh / exim.git / blob