author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 09:44:07 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 09:44:07 +0000 |
commit | 39ce00b8d520cbecbd6af87257e8fb11df0ec273 (patch) | |
tree | 4c21a2674c19e5c44be3b3550b476b9e63d8ae3d /src/deliver.c | |
parent | Initial commit. (diff) | |
download | exim4-upstream/4.94.2.tar.xz exim4-upstream/4.94.2.zip |
Adding upstream version 4.94.2.upstream/4.94.2upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/deliver.c')
-rw-r--r-- | src/deliver.c | 8678 |
1 files changed, 8678 insertions, 0 deletions
diff --git a/src/deliver.c b/src/deliver.c
new file mode 100644
index 0000000..f5f065e
--- /dev/null
+++ b/src/deliver.c
@@ -0,0 +1,8678 @@
+/*************************************************
+* Exim - an Internet mail transport agent *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* The main code for delivering a message. */
+
+
+#include "exim.h"
+#include "transports/smtp.h"
+#include <sys/uio.h>
+#include <assert.h>
+
+
+/* Data block for keeping track of subprocesses for parallel remote
+delivery. */
+
+typedef struct pardata {
+ address_item *addrlist; /* chain of addresses */
+ address_item *addr; /* next address data expected for */
+ pid_t pid; /* subprocess pid */
+ int fd; /* pipe fd for getting result from subprocess */
+ int transport_count; /* returned transport count value */
+ BOOL done; /* no more data needed */
+ uschar *msg; /* error message */
+ uschar *return_path; /* return_path for these addresses */
+} pardata;
+
+/* Values for the process_recipients variable */
+
+enum { RECIP_ACCEPT, RECIP_IGNORE, RECIP_DEFER,
+ RECIP_FAIL, RECIP_FAIL_FILTER, RECIP_FAIL_TIMEOUT,
+ RECIP_FAIL_LOOP};
+
+/* Mutually recursive functions for marking addresses done. */
+
+static void child_done(address_item *, uschar *);
+static void address_done(address_item *, uschar *);
+
+/* Table for turning base-62 numbers into binary */
+
+static uschar tab62[] =
+ {0,1,2,3,4,5,6,7,8,9,0,0,0,0,0,0, /* 0-9 */
+ 0,10,11,12,13,14,15,16,17,18,19,20, /* A-K */
+ 21,22,23,24,25,26,27,28,29,30,31,32, /* L-W */
+ 33,34,35, 0, 0, 0, 0, 0, /* X-Z */
+ 0,36,37,38,39,40,41,42,43,44,45,46, /* a-k */
+ 47,48,49,50,51,52,53,54,55,56,57,58, /* l-w */
+ 59,60,61}; /* x-z */
+
+
+/*************************************************
+* Local static variables *
+*************************************************/
+
+/* addr_duplicate is global because it needs to be seen from the Envelope-To
+writing code. */
+
+static address_item *addr_defer = NULL;
+static address_item *addr_failed = NULL;
+static address_item *addr_fallback = NULL;
+static address_item *addr_local = NULL;
+static address_item *addr_new = NULL;
+static address_item *addr_remote = NULL;
+static address_item *addr_route = NULL;
+static address_item *addr_succeed = NULL;
+static address_item *addr_senddsn = NULL;
+
+static FILE *message_log = NULL;
+static BOOL update_spool;
+static BOOL remove_journal;
+static int parcount = 0;
+static pardata *parlist = NULL;
+static int return_count;
+static uschar *frozen_info = US"";
+static uschar *used_return_path = NULL;
+
+
+
+/*************************************************
+* read as much as requested *
+*************************************************/
+
+/* The syscall read(2) doesn't always returns as much as we want. For
+several reasons it might get less. (Not talking about signals, as syscalls
+are restartable). When reading from a network or pipe connection the sender
+might send in smaller chunks, with delays between these chunks. The read(2)
+may return such a chunk.
+
+The more the writer writes and the smaller the pipe between write and read is,
+the more we get the chance of reading leass than requested. (See bug 2130)
+
+This function read(2)s until we got all the data we *requested*.
+
+Note: This function may block. Use it only if you're sure about the
+amount of data you will get.
+
+Argument:
+ fd the file descriptor to read from
+ buffer pointer to a buffer of size len
+ len the requested(!)
amount of bytes + +Returns: the amount of bytes read +*/ +static ssize_t +readn(int fd, void * buffer, size_t len) +{ +uschar * next = buffer; +uschar * end = next + len; + +while (next < end) + { + ssize_t got = read(fd, next, end - next); + + /* I'm not sure if there are signals that can interrupt us, + for now I assume the worst */ + if (got == -1 && errno == EINTR) continue; + if (got <= 0) return next - US buffer; + next += got; + } + +return len; +} + + +/************************************************* +* Make a new address item * +*************************************************/ + +/* This function gets the store and initializes with default values. The +transport_return value defaults to DEFER, so that any unexpected failure to +deliver does not wipe out the message. The default unique string is set to a +copy of the address, so that its domain can be lowercased. + +Argument: + address the RFC822 address string + copy force a copy of the address + +Returns: a pointer to an initialized address_item +*/ + +address_item * +deliver_make_addr(uschar *address, BOOL copy) +{ +address_item *addr = store_get(sizeof(address_item), FALSE); +*addr = address_defaults; +if (copy) address = string_copy(address); +addr->address = address; +addr->unique = string_copy(address); +return addr; +} + + + + +/************************************************* +* Set expansion values for an address * +*************************************************/ + +/* Certain expansion variables are valid only when handling an address or +address list. This function sets them up or clears the values, according to its +argument. + +Arguments: + addr the address in question, or NULL to clear values +Returns: nothing +*/ + +void +deliver_set_expansions(address_item *addr) +{ +if (!addr) + { + const uschar ***p = address_expansions; + while (*p) **p++ = NULL; + return; + } + +/* Exactly what gets set depends on whether there is one or more addresses, and +what they contain. 
These first ones are always set, taking their values from +the first address. */ + +if (!addr->host_list) + { + deliver_host = deliver_host_address = US""; + deliver_host_port = 0; + } +else + { + deliver_host = addr->host_list->name; + deliver_host_address = addr->host_list->address; + deliver_host_port = addr->host_list->port; + } + +deliver_recipients = addr; +deliver_address_data = addr->prop.address_data; +deliver_domain_data = addr->prop.domain_data; +deliver_localpart_data = addr->prop.localpart_data; +router_var = addr->prop.variables; + +/* These may be unset for multiple addresses */ + +deliver_domain = addr->domain; +self_hostname = addr->self_hostname; + +#ifdef EXPERIMENTAL_BRIGHTMAIL +bmi_deliver = 1; /* deliver by default */ +bmi_alt_location = NULL; +bmi_base64_verdict = NULL; +bmi_base64_tracker_verdict = NULL; +#endif + +/* If there's only one address we can set everything. */ + +if (!addr->next) + { + address_item *addr_orig; + + deliver_localpart = addr->local_part; + deliver_localpart_prefix = addr->prefix; + deliver_localpart_prefix_v = addr->prefix_v; + deliver_localpart_suffix = addr->suffix; + deliver_localpart_suffix_v = addr->suffix_v; + + for (addr_orig = addr; addr_orig->parent; addr_orig = addr_orig->parent) ; + deliver_domain_orig = addr_orig->domain; + + /* Re-instate any prefix and suffix in the original local part. In all + normal cases, the address will have a router associated with it, and we can + choose the caseful or caseless version accordingly. However, when a system + filter sets up a pipe, file, or autoreply delivery, no router is involved. + In this case, though, there won't be any prefix or suffix to worry about. */ + + deliver_localpart_orig = !addr_orig->router + ? addr_orig->local_part + : addr_orig->router->caseful_local_part + ? 
addr_orig->cc_local_part + : addr_orig->lc_local_part; + + /* If there's a parent, make its domain and local part available, and if + delivering to a pipe or file, or sending an autoreply, get the local + part from the parent. For pipes and files, put the pipe or file string + into address_pipe and address_file. */ + + if (addr->parent) + { + deliver_domain_parent = addr->parent->domain; + deliver_localpart_parent = !addr->parent->router + ? addr->parent->local_part + : addr->parent->router->caseful_local_part + ? addr->parent->cc_local_part + : addr->parent->lc_local_part; + + /* File deliveries have their own flag because they need to be picked out + as special more often. */ + + if (testflag(addr, af_pfr)) + { + if (testflag(addr, af_file)) address_file = addr->local_part; + else if (deliver_localpart[0] == '|') address_pipe = addr->local_part; + deliver_localpart = addr->parent->local_part; + deliver_localpart_prefix = addr->parent->prefix; + deliver_localpart_prefix_v = addr->parent->prefix_v; + deliver_localpart_suffix = addr->parent->suffix; + deliver_localpart_suffix_v = addr->parent->suffix_v; + } + } + +#ifdef EXPERIMENTAL_BRIGHTMAIL + /* Set expansion variables related to Brightmail AntiSpam */ + bmi_base64_verdict = bmi_get_base64_verdict(deliver_localpart_orig, deliver_domain_orig); + bmi_base64_tracker_verdict = bmi_get_base64_tracker_verdict(bmi_base64_verdict); + /* get message delivery status (0 - don't deliver | 1 - deliver) */ + bmi_deliver = bmi_get_delivery_status(bmi_base64_verdict); + /* if message is to be delivered, get eventual alternate location */ + if (bmi_deliver == 1) + bmi_alt_location = bmi_get_alt_location(bmi_base64_verdict); +#endif + + } + +/* For multiple addresses, don't set local part, and leave the domain and +self_hostname set only if it is the same for all of them. It is possible to +have multiple pipe and file addresses, but only when all addresses have routed +to the same pipe or file. 
*/ + +else + { + if (testflag(addr, af_pfr)) + { + if (testflag(addr, af_file)) address_file = addr->local_part; + else if (addr->local_part[0] == '|') address_pipe = addr->local_part; + } + for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next) + { + if (deliver_domain && Ustrcmp(deliver_domain, addr2->domain) != 0) + deliver_domain = NULL; + if ( self_hostname + && ( !addr2->self_hostname + || Ustrcmp(self_hostname, addr2->self_hostname) != 0 + ) ) + self_hostname = NULL; + if (!deliver_domain && !self_hostname) break; + } + } +} + + + + +/************************************************* +* Open a msglog file * +*************************************************/ + +/* This function is used both for normal message logs, and for files in the +msglog directory that are used to catch output from pipes. Try to create the +directory if it does not exist. From release 4.21, normal message logs should +be created when the message is received. + +Called from deliver_message(), can be operating as root. + +Argument: + filename the file name + mode the mode required + error used for saying what failed + +Returns: a file descriptor, or -1 (with errno set) +*/ + +static int +open_msglog_file(uschar *filename, int mode, uschar **error) +{ +if (Ustrstr(filename, US"/../")) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "Attempt to open msglog file path with upward-traversal: '%s'\n", filename); + +for (int i = 2; i > 0; i--) + { + int fd = Uopen(filename, +#ifdef O_CLOEXEC + O_CLOEXEC | +#endif +#ifdef O_NOFOLLOW + O_NOFOLLOW | +#endif + O_WRONLY|O_APPEND|O_CREAT, mode); + if (fd >= 0) + { + /* Set the close-on-exec flag and change the owner to the exim uid/gid (this + function is called as root). Double check the mode, because the group setting + doesn't always get set automatically. 
*/ + +#ifndef O_CLOEXEC + (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC); +#endif + if (exim_fchown(fd, exim_uid, exim_gid, filename) < 0) + { + *error = US"chown"; + return -1; + } + if (fchmod(fd, mode) < 0) + { + *error = US"chmod"; + return -1; + } + return fd; + } + if (errno != ENOENT) + break; + + (void)directory_make(spool_directory, + spool_sname(US"msglog", message_subdir), + MSGLOG_DIRECTORY_MODE, TRUE); + } + +*error = US"create or open"; +return -1; +} + + + + +/************************************************* +* Write to msglog if required * +*************************************************/ + +/* Write to the message log, if configured. This function may also be called +from transports. + +Arguments: + format a string format + +Returns: nothing +*/ + +void +deliver_msglog(const char *format, ...) +{ +va_list ap; +if (!message_logs) return; +va_start(ap, format); +vfprintf(message_log, format, ap); +fflush(message_log); +va_end(ap); +} + + + + +/************************************************* +* Replicate status for batch * +*************************************************/ + +/* When a transport handles a batch of addresses, it may treat them +individually, or it may just put the status in the first one, and return FALSE, +requesting that the status be copied to all the others externally. This is the +replication function. As well as the status, it copies the transport pointer, +which may have changed if appendfile passed the addresses on to a different +transport. 
+ +Argument: pointer to the first address in a chain +Returns: nothing +*/ + +static void +replicate_status(address_item *addr) +{ +for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next) + { + addr2->transport = addr->transport; + addr2->transport_return = addr->transport_return; + addr2->basic_errno = addr->basic_errno; + addr2->more_errno = addr->more_errno; + addr2->delivery_time = addr->delivery_time; + addr2->special_action = addr->special_action; + addr2->message = addr->message; + addr2->user_message = addr->user_message; + } +} + + + +/************************************************* +* Compare lists of hosts * +*************************************************/ + +/* This function is given two pointers to chains of host items, and it yields +TRUE if the lists refer to the same hosts in the same order, except that + +(1) Multiple hosts with the same non-negative MX values are permitted to appear + in different orders. Round-robinning nameservers can cause this to happen. + +(2) Multiple hosts with the same negative MX values less than MX_NONE are also + permitted to appear in different orders. This is caused by randomizing + hosts lists. + +This enables Exim to use a single SMTP transaction for sending to two entirely +different domains that happen to end up pointing at the same hosts. + +We do not try to batch up different A-record host names that refer to the +same IP. 
+ +Arguments: + one points to the first host list + two points to the second host list + +Returns: TRUE if the lists refer to the same host set +*/ + +static BOOL +same_hosts(host_item *one, host_item *two) +{ +while (one && two) + { + if (Ustrcmp(one->name, two->name) != 0) + { + int mx = one->mx; + host_item *end_one = one; + host_item *end_two = two; + + /* Batch up only if there was no MX and the list was not randomized */ + + if (mx == MX_NONE) return FALSE; + + /* Find the ends of the shortest sequence of identical MX values */ + + while ( end_one->next && end_one->next->mx == mx + && end_two->next && end_two->next->mx == mx) + { + end_one = end_one->next; + end_two = end_two->next; + } + + /* If there aren't any duplicates, there's no match. */ + + if (end_one == one) return FALSE; + + /* For each host in the 'one' sequence, check that it appears in the 'two' + sequence, returning FALSE if not. */ + + for (;;) + { + host_item *hi; + for (hi = two; hi != end_two->next; hi = hi->next) + if (Ustrcmp(one->name, hi->name) == 0) break; + if (hi == end_two->next) return FALSE; + if (one == end_one) break; + one = one->next; + } + + /* All the hosts in the 'one' sequence were found in the 'two' sequence. + Ensure both are pointing at the last host, and carry on as for equality. */ + + two = end_two; + } + + /* if the names matched but ports do not, mismatch */ + else if (one->port != two->port) + return FALSE; + + /* Hosts matched */ + + one = one->next; + two = two->next; + } + +/* True if both are NULL */ + +return (one == two); +} + + + +/************************************************* +* Compare header lines * +*************************************************/ + +/* This function is given two pointers to chains of header items, and it yields +TRUE if they are the same header texts in the same order. 
+ +Arguments: + one points to the first header list + two points to the second header list + +Returns: TRUE if the lists refer to the same header set +*/ + +static BOOL +same_headers(header_line *one, header_line *two) +{ +for (;; one = one->next, two = two->next) + { + if (one == two) return TRUE; /* Includes the case where both NULL */ + if (!one || !two) return FALSE; + if (Ustrcmp(one->text, two->text) != 0) return FALSE; + } +} + + + +/************************************************* +* Compare string settings * +*************************************************/ + +/* This function is given two pointers to strings, and it returns +TRUE if they are the same pointer, or if the two strings are the same. + +Arguments: + one points to the first string + two points to the second string + +Returns: TRUE or FALSE +*/ + +static BOOL +same_strings(uschar *one, uschar *two) +{ +if (one == two) return TRUE; /* Includes the case where both NULL */ +if (!one || !two) return FALSE; +return (Ustrcmp(one, two) == 0); +} + + + +/************************************************* +* Compare uid/gid for addresses * +*************************************************/ + +/* This function is given a transport and two addresses. It yields TRUE if the +uid/gid/initgroups settings for the two addresses are going to be the same when +they are delivered. 
+ +Arguments: + tp the transort + addr1 the first address + addr2 the second address + +Returns: TRUE or FALSE +*/ + +static BOOL +same_ugid(transport_instance *tp, address_item *addr1, address_item *addr2) +{ +if ( !tp->uid_set && !tp->expand_uid + && !tp->deliver_as_creator + && ( testflag(addr1, af_uid_set) != testflag(addr2, af_gid_set) + || ( testflag(addr1, af_uid_set) + && ( addr1->uid != addr2->uid + || testflag(addr1, af_initgroups) != testflag(addr2, af_initgroups) + ) ) ) ) + return FALSE; + +if ( !tp->gid_set && !tp->expand_gid + && ( testflag(addr1, af_gid_set) != testflag(addr2, af_gid_set) + || ( testflag(addr1, af_gid_set) + && addr1->gid != addr2->gid + ) ) ) + return FALSE; + +return TRUE; +} + + + + +/************************************************* +* Record that an address is complete * +*************************************************/ + +/* This function records that an address is complete. This is straightforward +for most addresses, where the unique address is just the full address with the +domain lower cased. For homonyms (addresses that are the same as one of their +ancestors) their are complications. Their unique addresses have \x\ prepended +(where x = 0, 1, 2...), so that de-duplication works correctly for siblings and +cousins. + +Exim used to record the unique addresses of homonyms as "complete". This, +however, fails when the pattern of redirection varies over time (e.g. if taking +unseen copies at only some times of day) because the prepended numbers may vary +from one delivery run to the next. This problem is solved by never recording +prepended unique addresses as complete. Instead, when a homonymic address has +actually been delivered via a transport, we record its basic unique address +followed by the name of the transport. This is checked in subsequent delivery +runs whenever an address is routed to a transport. 
+ +If the completed address is a top-level one (has no parent, which means it +cannot be homonymic) we also add the original address to the non-recipients +tree, so that it gets recorded in the spool file and therefore appears as +"done" in any spool listings. The original address may differ from the unique +address in the case of the domain. + +Finally, this function scans the list of duplicates, marks as done any that +match this address, and calls child_done() for their ancestors. + +Arguments: + addr address item that has been completed + now current time as a string + +Returns: nothing +*/ + +static void +address_done(address_item *addr, uschar *now) +{ +update_spool = TRUE; /* Ensure spool gets updated */ + +/* Top-level address */ + +if (!addr->parent) + { + tree_add_nonrecipient(addr->unique); + tree_add_nonrecipient(addr->address); + } + +/* Homonymous child address */ + +else if (testflag(addr, af_homonym)) + { + if (addr->transport) + tree_add_nonrecipient( + string_sprintf("%s/%s", addr->unique + 3, addr->transport->name)); + } + +/* Non-homonymous child address */ + +else tree_add_nonrecipient(addr->unique); + +/* Check the list of duplicate addresses and ensure they are now marked +done as well. */ + +for (address_item * dup = addr_duplicate; dup; dup = dup->next) + if (Ustrcmp(addr->unique, dup->unique) == 0) + { + tree_add_nonrecipient(dup->unique); + child_done(dup, now); + } +} + + + + +/************************************************* +* Decrease counts in parents and mark done * +*************************************************/ + +/* This function is called when an address is complete. If there is a parent +address, its count of children is decremented. If there are still other +children outstanding, the function exits. Otherwise, if the count has become +zero, address_done() is called to mark the parent and its duplicates complete. +Then loop for any earlier ancestors. 
+ +Arguments: + addr points to the completed address item + now the current time as a string, for writing to the message log + +Returns: nothing +*/ + +static void +child_done(address_item *addr, uschar *now) +{ +while (addr->parent) + { + address_item *aa; + + addr = addr->parent; + if (--addr->child_count > 0) return; /* Incomplete parent */ + address_done(addr, now); + + /* Log the completion of all descendents only when there is no ancestor with + the same original address. */ + + for (aa = addr->parent; aa; aa = aa->parent) + if (Ustrcmp(aa->address, addr->address) == 0) break; + if (aa) continue; + + deliver_msglog("%s %s: children all complete\n", now, addr->address); + DEBUG(D_deliver) debug_printf("%s: children all complete\n", addr->address); + } +} + + + +/************************************************* +* Delivery logging support functions * +*************************************************/ + +/* The LOGGING() checks in d_log_interface() are complicated for backwards +compatibility. When outgoing interface logging was originally added, it was +conditional on just incoming_interface (which is off by default). The +outgoing_interface option is on by default to preserve this behaviour, but +you can enable incoming_interface and disable outgoing_interface to get I= +fields on incoming lines only. 
+ +Arguments: + g The log line + addr The address to be logged + +Returns: New value for s +*/ + +static gstring * +d_log_interface(gstring * g) +{ +if (LOGGING(incoming_interface) && LOGGING(outgoing_interface) + && sending_ip_address) + { + g = string_fmt_append(g, " I=[%s]", sending_ip_address); + if (LOGGING(outgoing_port)) + g = string_fmt_append(g, ":%d", sending_port); + } +return g; +} + + + +static gstring * +d_hostlog(gstring * g, address_item * addr) +{ +host_item * h = addr->host_used; + +g = string_append(g, 2, US" H=", h->name); + +if (LOGGING(dnssec) && h->dnssec == DS_YES) + g = string_catn(g, US" DS", 3); + +g = string_append(g, 3, US" [", h->address, US"]"); + +if (LOGGING(outgoing_port)) + g = string_fmt_append(g, ":%d", h->port); + +#ifdef SUPPORT_SOCKS +if (LOGGING(proxy) && proxy_local_address) + { + g = string_append(g, 3, US" PRX=[", proxy_local_address, US"]"); + if (LOGGING(outgoing_port)) + g = string_fmt_append(g, ":%d", proxy_local_port); + } +#endif + +g = d_log_interface(g); + +if (testflag(addr, af_tcp_fastopen)) + g = string_catn(g, US" TFO*", testflag(addr, af_tcp_fastopen_data) ? 5 : 4); + +return g; +} + + + + + +#ifndef DISABLE_TLS +static gstring * +d_tlslog(gstring * g, address_item * addr) +{ +if (LOGGING(tls_cipher) && addr->cipher) + { + g = string_append(g, 2, US" X=", addr->cipher); +#ifdef EXPERIMENTAL_TLS_RESUME + if (LOGGING(tls_resumption) && testflag(addr, af_tls_resume)) + g = string_catn(g, US"*", 1); +#endif + } +if (LOGGING(tls_certificate_verified) && addr->cipher) + g = string_append(g, 2, US" CV=", + testflag(addr, af_cert_verified) + ? +#ifdef SUPPORT_DANE + testflag(addr, af_dane_verified) + ? 
"dane" + : +#endif + "yes" + : "no"); +if (LOGGING(tls_peerdn) && addr->peerdn) + g = string_append(g, 3, US" DN=\"", string_printing(addr->peerdn), US"\""); +return g; +} +#endif + + + + +#ifndef DISABLE_EVENT +uschar * +event_raise(uschar * action, const uschar * event, uschar * ev_data) +{ +uschar * s; +if (action) + { + DEBUG(D_deliver) + debug_printf("Event(%s): event_action=|%s| delivery_IP=%s\n", + event, + action, deliver_host_address); + + event_name = event; + event_data = ev_data; + + if (!(s = expand_string(action)) && *expand_string_message) + log_write(0, LOG_MAIN|LOG_PANIC, + "failed to expand event_action %s in %s: %s\n", + event, transport_name ? transport_name : US"main", expand_string_message); + + event_name = event_data = NULL; + + /* If the expansion returns anything but an empty string, flag for + the caller to modify his normal processing + */ + if (s && *s) + { + DEBUG(D_deliver) + debug_printf("Event(%s): event_action returned \"%s\"\n", event, s); + errno = ERRNO_EVENT; + return s; + } + } +return NULL; +} + +void +msg_event_raise(const uschar * event, const address_item * addr) +{ +const uschar * save_domain = deliver_domain; +uschar * save_local = deliver_localpart; +const uschar * save_host = deliver_host; +const uschar * save_address = deliver_host_address; +const int save_port = deliver_host_port; + +router_name = addr->router ? addr->router->name : NULL; +deliver_domain = addr->domain; +deliver_localpart = addr->local_part; +deliver_host = addr->host_used ? addr->host_used->name : NULL; + +if (!addr->transport) + { + if (Ustrcmp(event, "msg:fail:delivery") == 0) + { + /* An address failed with no transport involved. This happens when + a filter was used which triggered a fail command (in such a case + a transport isn't needed). Convert it to an internal fail event. 
*/ + + (void) event_raise(event_action, US"msg:fail:internal", addr->message); + } + } +else + { + transport_name = addr->transport->name; + + (void) event_raise(addr->transport->event_action, event, + addr->host_used + || Ustrcmp(addr->transport->driver_name, "smtp") == 0 + || Ustrcmp(addr->transport->driver_name, "lmtp") == 0 + || Ustrcmp(addr->transport->driver_name, "autoreply") == 0 + ? addr->message : NULL); + } + +deliver_host_port = save_port; +deliver_host_address = save_address; +deliver_host = save_host; +deliver_localpart = save_local; +deliver_domain = save_domain; +router_name = transport_name = NULL; +} +#endif /*DISABLE_EVENT*/ + + + +/******************************************************************************/ + + +/************************************************* +* Generate local prt for logging * +*************************************************/ + +/* This function is a subroutine for use in string_log_address() below. + +Arguments: + addr the address being logged + yield the current dynamic buffer pointer + +Returns: the new value of the buffer pointer +*/ + +static gstring * +string_get_localpart(address_item * addr, gstring * yield) +{ +uschar * s; + +s = addr->prefix; +if (testflag(addr, af_include_affixes) && s) + { +#ifdef SUPPORT_I18N + if (testflag(addr, af_utf8_downcvt)) + s = string_localpart_utf8_to_alabel(s, NULL); +#endif + yield = string_cat(yield, s); + } + +s = addr->local_part; +#ifdef SUPPORT_I18N +if (testflag(addr, af_utf8_downcvt)) + s = string_localpart_utf8_to_alabel(s, NULL); +#endif +yield = string_cat(yield, s); + +s = addr->suffix; +if (testflag(addr, af_include_affixes) && s) + { +#ifdef SUPPORT_I18N + if (testflag(addr, af_utf8_downcvt)) + s = string_localpart_utf8_to_alabel(s, NULL); +#endif + yield = string_cat(yield, s); + } + +return yield; +} + + +/************************************************* +* Generate log address list * +*************************************************/ + +/* This function 
generates a list consisting of an address and its parents, for +use in logging lines. For saved onetime aliased addresses, the onetime parent +field is used. If the address was delivered by a transport with rcpt_include_ +affixes set, the af_include_affixes bit will be set in the address. In that +case, we include the affixes here too. + +Arguments: + g points to growing-string struct + addr bottom (ultimate) address + all_parents if TRUE, include all parents + success TRUE for successful delivery + +Returns: a growable string in dynamic store +*/ + +static gstring * +string_log_address(gstring * g, + address_item *addr, BOOL all_parents, BOOL success) +{ +BOOL add_topaddr = TRUE; +address_item *topaddr; + +/* Find the ultimate parent */ + +for (topaddr = addr; topaddr->parent; topaddr = topaddr->parent) ; + +/* We start with just the local part for pipe, file, and reply deliveries, and +for successful local deliveries from routers that have the log_as_local flag +set. File deliveries from filters can be specified as non-absolute paths in +cases where the transport is going to complete the path. If there is an error +before this happens (expansion failure) the local part will not be updated, and +so won't necessarily look like a path. Add extra text for this case. */ + +if ( testflag(addr, af_pfr) + || ( success + && addr->router && addr->router->log_as_local + && addr->transport && addr->transport->info->local + ) ) + { + if (testflag(addr, af_file) && addr->local_part[0] != '/') + g = string_catn(g, CUS"save ", 5); + g = string_get_localpart(addr, g); + } + +/* Other deliveries start with the full address. It we have split it into local +part and domain, use those fields. Some early failures can happen before the +splitting is done; in those cases use the original field. 
*/ + +else + { + uschar * cmp; + int off = g->ptr; /* start of the "full address" */ + + if (addr->local_part) + { + const uschar * s; + g = string_get_localpart(addr, g); + g = string_catn(g, US"@", 1); + s = addr->domain; +#ifdef SUPPORT_I18N + if (testflag(addr, af_utf8_downcvt)) + s = string_localpart_utf8_to_alabel(s, NULL); +#endif + g = string_cat(g, s); + } + else + g = string_cat(g, addr->address); + + /* If the address we are going to print is the same as the top address, + and all parents are not being included, don't add on the top address. First + of all, do a caseless comparison; if this succeeds, do a caseful comparison + on the local parts. */ + + cmp = g->s + off; /* only now, as rebuffer likely done */ + string_from_gstring(g); /* ensure nul-terminated */ + if ( strcmpic(cmp, topaddr->address) == 0 + && Ustrncmp(cmp, topaddr->address, Ustrchr(cmp, '@') - cmp) == 0 + && !addr->onetime_parent + && (!all_parents || !addr->parent || addr->parent == topaddr) + ) + add_topaddr = FALSE; + } + +/* If all parents are requested, or this is a local pipe/file/reply, and +there is at least one intermediate parent, show it in brackets, and continue +with all of them if all are wanted. */ + +if ( (all_parents || testflag(addr, af_pfr)) + && addr->parent + && addr->parent != topaddr) + { + uschar *s = US" ("; + for (address_item * addr2 = addr->parent; addr2 != topaddr; addr2 = addr2->parent) + { + g = string_catn(g, s, 2); + g = string_cat (g, addr2->address); + if (!all_parents) break; + s = US", "; + } + g = string_catn(g, US")", 1); + } + +/* Add the top address if it is required */ + +if (add_topaddr) + g = string_append(g, 3, + US" <", + addr->onetime_parent ? addr->onetime_parent : topaddr->address, + US">"); + +return g; +} + + + +/******************************************************************************/ + + + +/* If msg is NULL this is a delivery log and logchar is used. 
Otherwise +this is a nonstandard call; no two-character delivery flag is written +but sender-host and sender are prefixed and "msg" is inserted in the log line. + +Arguments: + flags passed to log_write() +*/ +void +delivery_log(int flags, address_item * addr, int logchar, uschar * msg) +{ +gstring * g; /* Used for a temporary, expanding buffer, for building log lines */ +rmark reset_point; + +/* Log the delivery on the main log. We use an extensible string to build up +the log line, and reset the store afterwards. Remote deliveries should always +have a pointer to the host item that succeeded; local deliveries can have a +pointer to a single host item in their host list, for use by the transport. */ + +#ifndef DISABLE_EVENT + /* presume no successful remote delivery */ + lookup_dnssec_authenticated = NULL; +#endif + +reset_point = store_mark(); +g = string_get_tainted(256, TRUE); /* addrs will be tainted, so avoid copy */ + +if (msg) + g = string_append(g, 2, host_and_ident(TRUE), US" "); +else + { + g->s[0] = logchar; g->ptr = 1; + g = string_catn(g, US"> ", 2); + } +g = string_log_address(g, addr, LOGGING(all_parents), TRUE); + +if (LOGGING(sender_on_delivery) || msg) + g = string_append(g, 3, US" F=<", +#ifdef SUPPORT_I18N + testflag(addr, af_utf8_downcvt) + ? string_address_utf8_to_alabel(sender_address, NULL) + : +#endif + sender_address, + US">"); + +if (*queue_name) + g = string_append(g, 2, US" Q=", queue_name); + +#ifdef EXPERIMENTAL_SRS +if(addr->prop.srs_sender) + g = string_append(g, 3, US" SRS=<", addr->prop.srs_sender, US">"); +#endif + +/* You might think that the return path must always be set for a successful +delivery; indeed, I did for some time, until this statement crashed. The case +when it is not set is for a delivery to /dev/null which is optimised by not +being run at all. 
*/ + +if (used_return_path && LOGGING(return_path_on_delivery)) + g = string_append(g, 3, US" P=<", used_return_path, US">"); + +if (msg) + g = string_append(g, 2, US" ", msg); + +/* For a delivery from a system filter, there may not be a router */ +if (addr->router) + g = string_append(g, 2, US" R=", addr->router->name); + +g = string_append(g, 2, US" T=", addr->transport->name); + +if (LOGGING(delivery_size)) + g = string_fmt_append(g, " S=%d", transport_count); + +/* Local delivery */ + +if (addr->transport->info->local) + { + if (addr->host_list) + g = string_append(g, 2, US" H=", addr->host_list->name); + g = d_log_interface(g); + if (addr->shadow_message) + g = string_cat(g, addr->shadow_message); + } + +/* Remote delivery */ + +else + { + if (addr->host_used) + { + g = d_hostlog(g, addr); + if (continue_sequence > 1) /*XXX this is wrong for a dropped proxyconn. Would have to pass back from transport */ + g = string_catn(g, US"*", 1); + +#ifndef DISABLE_EVENT + deliver_host_address = addr->host_used->address; + deliver_host_port = addr->host_used->port; + deliver_host = addr->host_used->name; + + /* DNS lookup status */ + lookup_dnssec_authenticated = addr->host_used->dnssec==DS_YES ? US"yes" + : addr->host_used->dnssec==DS_NO ? 
US"no" + : NULL; +#endif + } + +#ifndef DISABLE_TLS + g = d_tlslog(g, addr); +#endif + + if (addr->authenticator) + { + g = string_append(g, 2, US" A=", addr->authenticator); + if (addr->auth_id) + { + g = string_append(g, 2, US":", addr->auth_id); + if (LOGGING(smtp_mailauth) && addr->auth_sndr) + g = string_append(g, 2, US":", addr->auth_sndr); + } + } + + if (LOGGING(pipelining)) + { + if (testflag(addr, af_pipelining)) + g = string_catn(g, US" L", 2); +#ifndef DISABLE_PIPE_CONNECT + if (testflag(addr, af_early_pipe)) + g = string_catn(g, US"*", 1); +#endif + } + +#ifndef DISABLE_PRDR + if (testflag(addr, af_prdr_used)) + g = string_catn(g, US" PRDR", 5); +#endif + + if (testflag(addr, af_chunking_used)) + g = string_catn(g, US" K", 2); + } + +/* confirmation message (SMTP (host_used) and LMTP (driver_name)) */ + +if ( LOGGING(smtp_confirmation) + && addr->message + && (addr->host_used || Ustrcmp(addr->transport->driver_name, "lmtp") == 0) + ) + { + unsigned lim = big_buffer_size < 1024 ? big_buffer_size : 1024; + uschar *p = big_buffer; + uschar *ss = addr->message; + *p++ = '\"'; + for (int i = 0; i < lim && ss[i] != 0; i++) /* limit logged amount */ + { + if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\'; /* quote \ and " */ + *p++ = ss[i]; + } + *p++ = '\"'; + *p = 0; + g = string_append(g, 2, US" C=", big_buffer); + } + +/* Time on queue and actual time taken to deliver */ + +if (LOGGING(queue_time)) + g = string_append(g, 2, US" QT=", + string_timesince(&received_time)); + +if (LOGGING(deliver_time)) + g = string_append(g, 2, US" DT=", string_timediff(&addr->delivery_time)); + +/* string_cat() always leaves room for the terminator. Release the +store we used to build the line after writing it. 
*/ + +log_write(0, flags, "%s", string_from_gstring(g)); + +#ifndef DISABLE_EVENT +if (!msg) msg_event_raise(US"msg:delivery", addr); +#endif + +store_reset(reset_point); +return; +} + + + +static void +deferral_log(address_item * addr, uschar * now, + int logflags, uschar * driver_name, uschar * driver_kind) +{ +rmark reset_point = store_mark(); +gstring * g = string_get(256); + +/* Build up the line that is used for both the message log and the main +log. */ + +/* Create the address string for logging. Must not do this earlier, because +an OK result may be changed to FAIL when a pipe returns text. */ + +g = string_log_address(g, addr, LOGGING(all_parents), FALSE); + +if (*queue_name) + g = string_append(g, 2, US" Q=", queue_name); + +/* Either driver_name contains something and driver_kind contains +" router" or " transport" (note the leading space), or driver_name is +a null string and driver_kind contains "routing" without the leading +space, if all routing has been deferred. When a domain has been held, +so nothing has been done at all, both variables contain null strings. */ + +if (driver_name) + { + if (driver_kind[1] == 't' && addr->router) + g = string_append(g, 2, US" R=", addr->router->name); + g = string_fmt_append(g, " %c=%s", toupper(driver_kind[1]), driver_name); + } +else if (driver_kind) + g = string_append(g, 2, US" ", driver_kind); + +g = string_fmt_append(g, " defer (%d)", addr->basic_errno); + +if (addr->basic_errno > 0) + g = string_append(g, 2, US": ", + US strerror(addr->basic_errno)); + +if (addr->host_used) + { + g = string_append(g, 5, + US" H=", addr->host_used->name, + US" [", addr->host_used->address, US"]"); + if (LOGGING(outgoing_port)) + { + int port = addr->host_used->port; + g = string_fmt_append(g, ":%d", port == PORT_NONE ? 
25 : port); + } + } + +if (LOGGING(deliver_time)) + g = string_append(g, 2, US" DT=", string_timediff(&addr->delivery_time)); + +if (addr->message) + g = string_append(g, 2, US": ", addr->message); + +(void) string_from_gstring(g); + +/* Log the deferment in the message log, but don't clutter it +up with retry-time defers after the first delivery attempt. */ + +if (f.deliver_firsttime || addr->basic_errno > ERRNO_RETRY_BASE) + deliver_msglog("%s %s\n", now, g->s); + +/* Write the main log and reset the store. +For errors of the type "retry time not reached" (also remotes skipped +on queue run), logging is controlled by L_retry_defer. Note that this kind +of error number is negative, and all the retry ones are less than any +others. */ + + +log_write(addr->basic_errno <= ERRNO_RETRY_BASE ? L_retry_defer : 0, logflags, + "== %s", g->s); + +store_reset(reset_point); +return; +} + + + +static void +failure_log(address_item * addr, uschar * driver_kind, uschar * now) +{ +rmark reset_point = store_mark(); +gstring * g = string_get(256); + +#ifndef DISABLE_EVENT +/* Message failures for which we will send a DSN get their event raised +later so avoid doing it here. */ + +if ( !addr->prop.ignore_error + && !(addr->dsn_flags & (rf_dsnflags & ~rf_notify_failure)) + ) + msg_event_raise(US"msg:fail:delivery", addr); +#endif + +/* Build up the log line for the message and main logs */ + +/* Create the address string for logging. Must not do this earlier, because +an OK result may be changed to FAIL when a pipe returns text. 
*/ + +g = string_log_address(g, addr, LOGGING(all_parents), FALSE); + +if (LOGGING(sender_on_delivery)) + g = string_append(g, 3, US" F=<", sender_address, US">"); + +if (*queue_name) + g = string_append(g, 2, US" Q=", queue_name); + +/* Return path may not be set if no delivery actually happened */ + +if (used_return_path && LOGGING(return_path_on_delivery)) + g = string_append(g, 3, US" P=<", used_return_path, US">"); + +if (addr->router) + g = string_append(g, 2, US" R=", addr->router->name); +if (addr->transport) + g = string_append(g, 2, US" T=", addr->transport->name); + +if (addr->host_used) + g = d_hostlog(g, addr); + +#ifndef DISABLE_TLS +g = d_tlslog(g, addr); +#endif + +if (addr->basic_errno > 0) + g = string_append(g, 2, US": ", US strerror(addr->basic_errno)); + +if (addr->message) + g = string_append(g, 2, US": ", addr->message); + +if (LOGGING(deliver_time)) + g = string_append(g, 2, US" DT=", string_timediff(&addr->delivery_time)); + +(void) string_from_gstring(g); + +/* Do the logging. For the message log, "routing failed" for those cases, +just to make it clearer. */ + +if (driver_kind) + deliver_msglog("%s %s failed for %s\n", now, driver_kind, g->s); +else + deliver_msglog("%s %s\n", now, g->s); + +log_write(0, LOG_MAIN, "** %s", g->s); + +store_reset(reset_point); +return; +} + + + +/************************************************* +* Actions at the end of handling an address * +*************************************************/ + +/* This is a function for processing a single address when all that can be done +with it has been done. 
+ +Arguments: + addr points to the address block + result the result of the delivery attempt + logflags flags for log_write() (LOG_MAIN and/or LOG_PANIC) + driver_type indicates which type of driver (transport, or router) was last + to process the address + logchar '=' or '-' for use when logging deliveries with => or -> + +Returns: nothing +*/ + +static void +post_process_one(address_item *addr, int result, int logflags, int driver_type, + int logchar) +{ +uschar *now = tod_stamp(tod_log); +uschar *driver_kind = NULL; +uschar *driver_name = NULL; + +DEBUG(D_deliver) debug_printf("post-process %s (%d)\n", addr->address, result); + +/* Set up driver kind and name for logging. Disable logging if the router or +transport has disabled it. */ + +if (driver_type == EXIM_DTYPE_TRANSPORT) + { + if (addr->transport) + { + driver_name = addr->transport->name; + driver_kind = US" transport"; + f.disable_logging = addr->transport->disable_logging; + } + else driver_kind = US"transporting"; + } +else if (driver_type == EXIM_DTYPE_ROUTER) + { + if (addr->router) + { + driver_name = addr->router->name; + driver_kind = US" router"; + f.disable_logging = addr->router->disable_logging; + } + else driver_kind = US"routing"; + } + +/* If there's an error message set, ensure that it contains only printing +characters - it should, but occasionally things slip in and this at least +stops the log format from getting wrecked. We also scan the message for an LDAP +expansion item that has a password setting, and flatten the password. This is a +fudge, but I don't know a cleaner way of doing this. (If the item is badly +malformed, it won't ever have gone near LDAP.) 
*/ + +if (addr->message) + { + const uschar * s = string_printing(addr->message); + + /* deconst cast ok as string_printing known to have alloc'n'copied */ + addr->message = expand_hide_passwords(US s); + } + +/* If we used a transport that has one of the "return_output" options set, and +if it did in fact generate some output, then for return_output we treat the +message as failed if it was not already set that way, so that the output gets +returned to the sender, provided there is a sender to send it to. For +return_fail_output, do this only if the delivery failed. Otherwise we just +unlink the file, and remove the name so that if the delivery failed, we don't +try to send back an empty or unwanted file. The log_output options operate only +on a non-empty file. + +In any case, we close the message file, because we cannot afford to leave a +file-descriptor for one address while processing (maybe very many) others. */ + +if (addr->return_file >= 0 && addr->return_filename) + { + BOOL return_output = FALSE; + struct stat statbuf; + (void)EXIMfsync(addr->return_file); + + /* If there is no output, do nothing. 
*/ + + if (fstat(addr->return_file, &statbuf) == 0 && statbuf.st_size > 0) + { + transport_instance *tb = addr->transport; + + /* Handle logging options */ + + if ( tb->log_output + || result == FAIL && tb->log_fail_output + || result == DEFER && tb->log_defer_output + ) + { + uschar *s; + FILE *f = Ufopen(addr->return_filename, "rb"); + if (!f) + log_write(0, LOG_MAIN|LOG_PANIC, "failed to open %s to log output " + "from %s transport: %s", addr->return_filename, tb->name, + strerror(errno)); + else + if ((s = US Ufgets(big_buffer, big_buffer_size, f))) + { + uschar *p = big_buffer + Ustrlen(big_buffer); + const uschar * sp; + while (p > big_buffer && isspace(p[-1])) p--; + *p = 0; + sp = string_printing(big_buffer); + log_write(0, LOG_MAIN, "<%s>: %s transport output: %s", + addr->address, tb->name, sp); + } + (void)fclose(f); + } + + /* Handle returning options, but only if there is an address to return + the text to. */ + + if (sender_address[0] != 0 || addr->prop.errors_address) + if (tb->return_output) + { + addr->transport_return = result = FAIL; + if (addr->basic_errno == 0 && !addr->message) + addr->message = US"return message generated"; + return_output = TRUE; + } + else + if (tb->return_fail_output && result == FAIL) return_output = TRUE; + } + + /* Get rid of the file unless it might be returned, but close it in + all cases. */ + + if (!return_output) + { + Uunlink(addr->return_filename); + addr->return_filename = NULL; + addr->return_file = -1; + } + + (void)close(addr->return_file); + } + +/* The success case happens only after delivery by a transport. */ + +if (result == OK) + { + addr->next = addr_succeed; + addr_succeed = addr; + + /* Call address_done() to ensure that we don't deliver to this address again, + and write appropriate things to the message log. If it is a child address, we + call child_done() to scan the ancestors and mark them complete if this is the + last child to complete. 
*/ + + address_done(addr, now); + DEBUG(D_deliver) debug_printf("%s delivered\n", addr->address); + + if (!addr->parent) + deliver_msglog("%s %s: %s%s succeeded\n", now, addr->address, + driver_name, driver_kind); + else + { + deliver_msglog("%s %s <%s>: %s%s succeeded\n", now, addr->address, + addr->parent->address, driver_name, driver_kind); + child_done(addr, now); + } + + /* Certificates for logging (via events) */ +#ifndef DISABLE_TLS + tls_out.ourcert = addr->ourcert; + addr->ourcert = NULL; + tls_out.peercert = addr->peercert; + addr->peercert = NULL; + + tls_out.ver = addr->tlsver; + tls_out.cipher = addr->cipher; + tls_out.peerdn = addr->peerdn; + tls_out.ocsp = addr->ocsp; +# ifdef SUPPORT_DANE + tls_out.dane_verified = testflag(addr, af_dane_verified); +# endif +#endif + + delivery_log(LOG_MAIN, addr, logchar, NULL); + +#ifndef DISABLE_TLS + tls_free_cert(&tls_out.ourcert); + tls_free_cert(&tls_out.peercert); + tls_out.ver = NULL; + tls_out.cipher = NULL; + tls_out.peerdn = NULL; + tls_out.ocsp = OCSP_NOT_REQ; +# ifdef SUPPORT_DANE + tls_out.dane_verified = FALSE; +# endif +#endif + } + + +/* Soft failure, or local delivery process failed; freezing may be +requested. */ + +else if (result == DEFER || result == PANIC) + { + if (result == PANIC) logflags |= LOG_PANIC; + + /* This puts them on the chain in reverse order. Do not change this, because + the code for handling retries assumes that the one with the retry + information is last. */ + + addr->next = addr_defer; + addr_defer = addr; + + /* The only currently implemented special action is to freeze the + message. Logging of this is done later, just before the -H file is + updated. */ + + if (addr->special_action == SPECIAL_FREEZE) + { + f.deliver_freeze = TRUE; + deliver_frozen_at = time(NULL); + update_spool = TRUE; + } + + /* If doing a 2-stage queue run, we skip writing to either the message + log or the main log for SMTP defers. 
*/ + + if (!f.queue_2stage || addr->basic_errno != 0) + deferral_log(addr, now, logflags, driver_name, driver_kind); + } + + +/* Hard failure. If there is an address to which an error message can be sent, +put this address on the failed list. If not, put it on the deferred list and +freeze the mail message for human attention. The latter action can also be +explicitly requested by a router or transport. */ + +else + { + /* If this is a delivery error, or a message for which no replies are + wanted, and the message's age is greater than ignore_bounce_errors_after, + force the af_ignore_error flag. This will cause the address to be discarded + later (with a log entry). */ + + if (!*sender_address && message_age >= ignore_bounce_errors_after) + addr->prop.ignore_error = TRUE; + + /* Freeze the message if requested, or if this is a bounce message (or other + message with null sender) and this address does not have its own errors + address. However, don't freeze if errors are being ignored. The actual code + to ignore occurs later, instead of sending a message. Logging of freezing + occurs later, just before writing the -H file. */ + + if ( !addr->prop.ignore_error + && ( addr->special_action == SPECIAL_FREEZE + || (sender_address[0] == 0 && !addr->prop.errors_address) + ) ) + { + frozen_info = addr->special_action == SPECIAL_FREEZE + ? US"" + : f.sender_local && !f.local_error_message + ? US" (message created with -f <>)" + : US" (delivery error message)"; + f.deliver_freeze = TRUE; + deliver_frozen_at = time(NULL); + update_spool = TRUE; + + /* The address is put on the defer rather than the failed queue, because + the message is being retained. */ + + addr->next = addr_defer; + addr_defer = addr; + } + + /* Don't put the address on the nonrecipients tree yet; wait until an + error message has been successfully sent. */ + + else + { + addr->next = addr_failed; + addr_failed = addr; + } + + failure_log(addr, driver_name ? 
NULL : driver_kind, now); + } + +/* Ensure logging is turned on again in all cases */ + +f.disable_logging = FALSE; +} + + + + +/************************************************* +* Address-independent error * +*************************************************/ + +/* This function is called when there's an error that is not dependent on a +particular address, such as an expansion string failure. It puts the error into +all the addresses in a batch, logs the incident on the main and panic logs, and +clears the expansions. It is mostly called from local_deliver(), but can be +called for a remote delivery via findugid(). + +Arguments: + logit TRUE if (MAIN+PANIC) logging required + addr the first of the chain of addresses + code the error code + format format string for error message, or NULL if already set in addr + ... arguments for the format + +Returns: nothing +*/ + +static void +common_error(BOOL logit, address_item *addr, int code, uschar *format, ...) +{ +addr->basic_errno = code; + +if (format) + { + va_list ap; + gstring * g; + + va_start(ap, format); + g = string_vformat(NULL, SVFMT_EXTEND|SVFMT_REBUFFER, CS format, ap); + va_end(ap); + addr->message = string_from_gstring(g); + } + +for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next) + { + addr2->basic_errno = code; + addr2->message = addr->message; + } + +if (logit) log_write(0, LOG_MAIN|LOG_PANIC, "%s", addr->message); +deliver_set_expansions(NULL); +} + + + + +/************************************************* +* Check a "never users" list * +*************************************************/ + +/* This function is called to check whether a uid is on one of the two "never +users" lists. 
+ +Arguments: + uid the uid to be checked + nusers the list to be scanned; the first item in the list is the count + +Returns: TRUE if the uid is on the list +*/ + +static BOOL +check_never_users(uid_t uid, uid_t *nusers) +{ +if (!nusers) return FALSE; +for (int i = 1; i <= (int)(nusers[0]); i++) if (nusers[i] == uid) return TRUE; +return FALSE; +} + + + +/************************************************* +* Find uid and gid for a transport * +*************************************************/ + +/* This function is called for both local and remote deliveries, to find the +uid/gid under which to run the delivery. The values are taken preferentially +from the transport (either explicit or deliver_as_creator), then from the +address (i.e. the router), and if nothing is set, the exim uid/gid are used. If +the resulting uid is on the "never_users" or the "fixed_never_users" list, a +panic error is logged, and the function fails (which normally leads to delivery +deferral). + +Arguments: + addr the address (possibly a chain) + tp the transport + uidp pointer to uid field + gidp pointer to gid field + igfp pointer to the use_initgroups field + +Returns: FALSE if failed - error has been set in address(es) +*/ + +static BOOL +findugid(address_item *addr, transport_instance *tp, uid_t *uidp, gid_t *gidp, + BOOL *igfp) +{ +uschar *nuname; +BOOL gid_set = FALSE; + +/* Default initgroups flag comes from the transport */ + +*igfp = tp->initgroups; + +/* First see if there's a gid on the transport, either fixed or expandable. +The expanding function always logs failure itself. */ + +if (tp->gid_set) + { + *gidp = tp->gid; + gid_set = TRUE; + } +else if (tp->expand_gid) + { + if (!route_find_expanded_group(tp->expand_gid, tp->name, US"transport", gidp, + &(addr->message))) + { + common_error(FALSE, addr, ERRNO_GIDFAIL, NULL); + return FALSE; + } + gid_set = TRUE; + } + +/* If the transport did not set a group, see if the router did. 
*/ + +if (!gid_set && testflag(addr, af_gid_set)) + { + *gidp = addr->gid; + gid_set = TRUE; + } + +/* Pick up a uid from the transport if one is set. */ + +if (tp->uid_set) *uidp = tp->uid; + +/* Otherwise, try for an expandable uid field. If it ends up as a numeric id, +it does not provide a passwd value from which a gid can be taken. */ + +else if (tp->expand_uid) + { + struct passwd *pw; + if (!route_find_expanded_user(tp->expand_uid, tp->name, US"transport", &pw, + uidp, &(addr->message))) + { + common_error(FALSE, addr, ERRNO_UIDFAIL, NULL); + return FALSE; + } + if (!gid_set && pw) + { + *gidp = pw->pw_gid; + gid_set = TRUE; + } + } + +/* If the transport doesn't set the uid, test the deliver_as_creator flag. */ + +else if (tp->deliver_as_creator) + { + *uidp = originator_uid; + if (!gid_set) + { + *gidp = originator_gid; + gid_set = TRUE; + } + } + +/* Otherwise see if the address specifies the uid and if so, take it and its +initgroups flag. */ + +else if (testflag(addr, af_uid_set)) + { + *uidp = addr->uid; + *igfp = testflag(addr, af_initgroups); + } + +/* Nothing has specified the uid - default to the Exim user, and group if the +gid is not set. */ + +else + { + *uidp = exim_uid; + if (!gid_set) + { + *gidp = exim_gid; + gid_set = TRUE; + } + } + +/* If no gid is set, it is a disaster. We default to the Exim gid only if +defaulting to the Exim uid. In other words, if the configuration has specified +a uid, it must also provide a gid. */ + +if (!gid_set) + { + common_error(TRUE, addr, ERRNO_GIDFAIL, US"User set without group for " + "%s transport", tp->name); + return FALSE; + } + +/* Check that the uid is not on the lists of banned uids that may not be used +for delivery processes. */ + +nuname = check_never_users(*uidp, never_users) + ? US"never_users" + : check_never_users(*uidp, fixed_never_users) + ? 
US"fixed_never_users" + : NULL; +if (nuname) + { + common_error(TRUE, addr, ERRNO_UIDFAIL, US"User %ld set for %s transport " + "is on the %s list", (long int)(*uidp), tp->name, nuname); + return FALSE; + } + +/* All is well */ + +return TRUE; +} + + + + +/************************************************* +* Check the size of a message for a transport * +*************************************************/ + +/* Checks that the message isn't too big for the selected transport. +This is called only when it is known that the limit is set. + +Arguments: + tp the transport + addr the (first) address being delivered + +Returns: OK + DEFER expansion failed or did not yield an integer + FAIL message too big +*/ + +int +check_message_size(transport_instance *tp, address_item *addr) +{ +int rc = OK; +int size_limit; + +deliver_set_expansions(addr); +size_limit = expand_string_integer(tp->message_size_limit, TRUE); +deliver_set_expansions(NULL); + +if (expand_string_message) + { + rc = DEFER; + addr->message = size_limit == -1 + ? string_sprintf("failed to expand message_size_limit " + "in %s transport: %s", tp->name, expand_string_message) + : string_sprintf("invalid message_size_limit " + "in %s transport: %s", tp->name, expand_string_message); + } +else if (size_limit > 0 && message_size > size_limit) + { + rc = FAIL; + addr->message = + string_sprintf("message is too big (transport limit = %d)", + size_limit); + } + +return rc; +} + + + +/************************************************* +* Transport-time check for a previous delivery * +*************************************************/ + +/* Check that this base address hasn't previously been delivered to its routed +transport. If it has been delivered, mark it done. The check is necessary at +delivery time in order to handle homonymic addresses correctly in cases where +the pattern of redirection changes between delivery attempts (so the unique +fields change). 
Non-homonymic previous delivery is detected earlier, at routing +time (which saves unnecessary routing). + +Arguments: + addr the address item + testing TRUE if testing wanted only, without side effects + +Returns: TRUE if previously delivered by the transport +*/ + +static BOOL +previously_transported(address_item *addr, BOOL testing) +{ +uschar * s = string_sprintf("%s/%s", + addr->unique + (testflag(addr, af_homonym)? 3:0), addr->transport->name); + +if (tree_search(tree_nonrecipients, s) != 0) + { + DEBUG(D_deliver|D_route|D_transport) + debug_printf("%s was previously delivered (%s transport): discarded\n", + addr->address, addr->transport->name); + if (!testing) child_done(addr, tod_stamp(tod_log)); + return TRUE; + } + +return FALSE; +} + + + +/****************************************************** +* Check for a given header in a header string * +******************************************************/ + +/* This function is used when generating quota warnings. The configuration may +specify any header lines it likes in quota_warn_message. If certain of them are +missing, defaults are inserted, so we need to be able to test for the presence +of a given header. + +Arguments: + hdr the required header name + hstring the header string + +Returns: TRUE the header is in the string + FALSE the header is not in the string +*/ + +static BOOL +contains_header(uschar *hdr, uschar *hstring) +{ +int len = Ustrlen(hdr); +uschar *p = hstring; +while (*p != 0) + { + if (strncmpic(p, hdr, len) == 0) + { + p += len; + while (*p == ' ' || *p == '\t') p++; + if (*p == ':') return TRUE; + } + while (*p != 0 && *p != '\n') p++; + if (*p == '\n') p++; + } +return FALSE; +} + + + + +/************************************************* +* Perform a local delivery * +*************************************************/ + +/* Each local delivery is performed in a separate process which sets its +uid and gid as specified. 
This is a safer way than simply changing and +restoring using seteuid(); there is a body of opinion that seteuid() +cannot be used safely. From release 4, Exim no longer makes any use of +it for delivery. Besides, not all systems have seteuid(). + +If the uid/gid are specified in the transport_instance, they are used; the +transport initialization must ensure that either both or neither are set. +Otherwise, the values associated with the address are used. If neither are set, +it is a configuration error. + +The transport or the address may specify a home directory (transport over- +rides), and if they do, this is set as $home. If neither have set a working +directory, this value is used for that as well. Otherwise $home is left unset +and the cwd is set to "/" - a directory that should be accessible to all users. + +Using a separate process makes it more complicated to get error information +back. We use a pipe to pass the return code and also an error code and error +text string back to the parent process. + +Arguments: + addr points to an address block for this delivery; for "normal" local + deliveries this is the only address to be delivered, but for + pseudo-remote deliveries (e.g. by batch SMTP to a file or pipe) + a number of addresses can be handled simultaneously, and in this + case addr will point to a chain of addresses with the same + characteristics. + + shadowing TRUE if running a shadow transport; this causes output from pipes + to be ignored. + +Returns: nothing +*/ + +static void +deliver_local(address_item *addr, BOOL shadowing) +{ +BOOL use_initgroups; +uid_t uid; +gid_t gid; +int status, len, rc; +int pfd[2]; +pid_t pid; +uschar *working_directory; +address_item *addr2; +transport_instance *tp = addr->transport; + +/* Set up the return path from the errors or sender address. If the transport +has its own return path setting, expand it and replace the existing value. 
*/ + +if(addr->prop.errors_address) + return_path = addr->prop.errors_address; +#ifdef EXPERIMENTAL_SRS +else if (addr->prop.srs_sender) + return_path = addr->prop.srs_sender; +#endif +else + return_path = sender_address; + +if (tp->return_path) + { + uschar *new_return_path = expand_string(tp->return_path); + if (!new_return_path) + { + if (!f.expand_string_forcedfail) + { + common_error(TRUE, addr, ERRNO_EXPANDFAIL, + US"Failed to expand return path \"%s\" in %s transport: %s", + tp->return_path, tp->name, expand_string_message); + return; + } + } + else return_path = new_return_path; + } + +/* For local deliveries, one at a time, the value used for logging can just be +set directly, once and for all. */ + +used_return_path = return_path; + +/* Sort out the uid, gid, and initgroups flag. If an error occurs, the message +gets put into the address(es), and the expansions are unset, so we can just +return. */ + +if (!findugid(addr, tp, &uid, &gid, &use_initgroups)) return; + +/* See if either the transport or the address specifies a home directory. A +home directory set in the address may already be expanded; a flag is set to +indicate that. In other cases we must expand it. 
*/ + +if ( (deliver_home = tp->home_dir) /* Set in transport, or */ + || ( (deliver_home = addr->home_dir) /* Set in address and */ + && !testflag(addr, af_home_expanded) /* not expanded */ + ) ) + { + uschar *rawhome = deliver_home; + deliver_home = NULL; /* in case it contains $home */ + if (!(deliver_home = expand_string(rawhome))) + { + common_error(TRUE, addr, ERRNO_EXPANDFAIL, US"home directory \"%s\" failed " + "to expand for %s transport: %s", rawhome, tp->name, + expand_string_message); + return; + } + if (*deliver_home != '/') + { + common_error(TRUE, addr, ERRNO_NOTABSOLUTE, US"home directory path \"%s\" " + "is not absolute for %s transport", deliver_home, tp->name); + return; + } + } + +/* See if either the transport or the address specifies a current directory, +and if so, expand it. If nothing is set, use the home directory, unless it is +also unset in which case use "/", which is assumed to be a directory to which +all users have access. It is necessary to be in a visible directory for some +operating systems when running pipes, as some commands (e.g. "rm" under Solaris +2.5) require this. */ + +working_directory = tp->current_dir ? tp->current_dir : addr->current_dir; +if (working_directory) + { + uschar *raw = working_directory; + if (!(working_directory = expand_string(raw))) + { + common_error(TRUE, addr, ERRNO_EXPANDFAIL, US"current directory \"%s\" " + "failed to expand for %s transport: %s", raw, tp->name, + expand_string_message); + return; + } + if (*working_directory != '/') + { + common_error(TRUE, addr, ERRNO_NOTABSOLUTE, US"current directory path " + "\"%s\" is not absolute for %s transport", working_directory, tp->name); + return; + } + } +else working_directory = deliver_home ? deliver_home : US"/"; + +/* If one of the return_output flags is set on the transport, create and open a +file in the message log directory for the transport to write its output onto. +This is mainly used by pipe transports. 
The file needs to be unique to the +address. This feature is not available for shadow transports. */ + +if ( !shadowing + && ( tp->return_output || tp->return_fail_output + || tp->log_output || tp->log_fail_output || tp->log_defer_output + ) ) + { + uschar * error; + + addr->return_filename = + spool_fname(US"msglog", message_subdir, message_id, + string_sprintf("-%d-%d", getpid(), return_count++)); + + if ((addr->return_file = open_msglog_file(addr->return_filename, 0400, &error)) < 0) + { + common_error(TRUE, addr, errno, US"Unable to %s file for %s transport " + "to return message: %s", error, tp->name, strerror(errno)); + return; + } + } + +/* Create the pipe for inter-process communication. */ + +if (pipe(pfd) != 0) + { + common_error(TRUE, addr, ERRNO_PIPEFAIL, US"Creation of pipe failed: %s", + strerror(errno)); + return; + } + +/* Now fork the process to do the real work in the subprocess, but first +ensure that all cached resources are freed so that the subprocess starts with +a clean slate and doesn't interfere with the parent process. */ + +search_tidyup(); + +if ((pid = exim_fork(US"delivery-local")) == 0) + { + BOOL replicate = TRUE; + + /* Prevent core dumps, as we don't want them in users' home directories. + HP-UX doesn't have RLIMIT_CORE; I don't know how to do this in that + system. Some experimental/developing systems (e.g. GNU/Hurd) may define + RLIMIT_CORE but not support it in setrlimit(). For such systems, do not + complain if the error is "not supported". + + There are two scenarios where changing the max limit has an effect. In one, + the user is using a .forward and invoking a command of their choice via pipe; + for these, we do need the max limit to be 0 unless the admin chooses to + permit an increased limit. In the other, the command is invoked directly by + the transport and is under administrator control, thus being able to raise + the limit aids in debugging. So there's no general always-right answer. 
+ + Thus we inhibit core-dumps completely but let individual transports, while + still root, re-raise the limits back up to aid debugging. We make the + default be no core-dumps -- few enough people can use core dumps in + diagnosis that it's reasonable to make them something that has to be explicitly requested. + */ + +#ifdef RLIMIT_CORE + struct rlimit rl; + rl.rlim_cur = 0; + rl.rlim_max = 0; + if (setrlimit(RLIMIT_CORE, &rl) < 0) + { +# ifdef SETRLIMIT_NOT_SUPPORTED + if (errno != ENOSYS && errno != ENOTSUP) +# endif + log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_CORE) failed: %s", + strerror(errno)); + } +#endif + + /* Reset the random number generator, so different processes don't all + have the same sequence. */ + + random_seed = 0; + + /* If the transport has a setup entry, call this first, while still + privileged. (Appendfile uses this to expand quota, for example, while + able to read private files.) */ + + if (addr->transport->setup) + switch((addr->transport->setup)(addr->transport, addr, NULL, uid, gid, + &(addr->message))) + { + case DEFER: + addr->transport_return = DEFER; + goto PASS_BACK; + + case FAIL: + addr->transport_return = PANIC; + goto PASS_BACK; + } + + /* Ignore SIGINT and SIGTERM during delivery. Also ignore SIGUSR1, as + when the process becomes unprivileged, it won't be able to write to the + process log. SIGHUP is ignored throughout exim, except when it is being + run as a daemon. */ + + signal(SIGINT, SIG_IGN); + signal(SIGTERM, SIG_IGN); + signal(SIGUSR1, SIG_IGN); + + /* Close the unwanted half of the pipe, and set close-on-exec for the other + half - for transports that exec things (e.g. pipe). Then set the required + gid/uid. 
*/ + + (void)close(pfd[pipe_read]); + (void)fcntl(pfd[pipe_write], F_SETFD, fcntl(pfd[pipe_write], F_GETFD) | + FD_CLOEXEC); + exim_setugid(uid, gid, use_initgroups, + string_sprintf("local delivery to %s <%s> transport=%s", addr->local_part, + addr->address, addr->transport->name)); + + DEBUG(D_deliver) + { + debug_printf(" home=%s current=%s\n", deliver_home, working_directory); + for (address_item * batched = addr->next; batched; batched = batched->next) + debug_printf("additional batched address: %s\n", batched->address); + } + + /* Set an appropriate working directory. */ + + if (Uchdir(working_directory) < 0) + { + addr->transport_return = DEFER; + addr->basic_errno = errno; + addr->message = string_sprintf("failed to chdir to %s", working_directory); + } + + /* If successful, call the transport */ + + else + { + BOOL ok = TRUE; + set_process_info("delivering %s to %s using %s", message_id, + addr->local_part, addr->transport->name); + + /* Setting this global in the subprocess means we need never clear it */ + transport_name = addr->transport->name; + + /* If a transport filter has been specified, set up its argument list. + Any errors will get put into the address, and FALSE yielded. */ + + if (addr->transport->filter_command) + { + ok = transport_set_up_command(&transport_filter_argv, + addr->transport->filter_command, + TRUE, PANIC, addr, US"transport filter", NULL); + transport_filter_timeout = addr->transport->filter_timeout; + } + else transport_filter_argv = NULL; + + if (ok) + { + debug_print_string(addr->transport->debug_string); + replicate = !(addr->transport->info->code)(addr->transport, addr); + } + } + + /* Pass the results back down the pipe. If necessary, first replicate the + status in the top address to the others in the batch. The label is the + subject of a goto when a call to the transport's setup function fails. We + pass the pointer to the transport back in case it got changed as a result of + file_format in appendfile. 
*/ + + PASS_BACK: + + if (replicate) replicate_status(addr); + for (addr2 = addr; addr2; addr2 = addr2->next) + { + int i; + int local_part_length = Ustrlen(addr2->local_part); + uschar *s; + int ret; + + if( (ret = write(pfd[pipe_write], &addr2->transport_return, sizeof(int))) != sizeof(int) + || (ret = write(pfd[pipe_write], &transport_count, sizeof(transport_count))) != sizeof(transport_count) + || (ret = write(pfd[pipe_write], &addr2->flags, sizeof(addr2->flags))) != sizeof(addr2->flags) + || (ret = write(pfd[pipe_write], &addr2->basic_errno, sizeof(int))) != sizeof(int) + || (ret = write(pfd[pipe_write], &addr2->more_errno, sizeof(int))) != sizeof(int) + || (ret = write(pfd[pipe_write], &addr2->delivery_time, sizeof(struct timeval))) != sizeof(struct timeval) + || (ret = write(pfd[pipe_write], &addr2->special_action, sizeof(int))) != sizeof(int) + || (ret = write(pfd[pipe_write], &addr2->transport, + sizeof(transport_instance *))) != sizeof(transport_instance *) + + /* For a file delivery, pass back the local part, in case the original + was only part of the final delivery path. This gives more complete + logging. */ + + || (testflag(addr2, af_file) + && ( (ret = write(pfd[pipe_write], &local_part_length, sizeof(int))) != sizeof(int) + || (ret = write(pfd[pipe_write], addr2->local_part, local_part_length)) != local_part_length + ) + ) + ) + log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s", + ret == -1 ? strerror(errno) : "short write"); + + /* Now any messages */ + + for (i = 0, s = addr2->message; i < 2; i++, s = addr2->user_message) + { + int message_length = s ? Ustrlen(s) + 1 : 0; + if( (ret = write(pfd[pipe_write], &message_length, sizeof(int))) != sizeof(int) + || message_length > 0 && (ret = write(pfd[pipe_write], s, message_length)) != message_length + ) + log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s", + ret == -1 ? 
strerror(errno) : "short write"); + } + } + + /* OK, this process is now done. Free any cached resources that it opened, + and close the pipe we were writing down before exiting. */ + + (void)close(pfd[pipe_write]); + search_tidyup(); + exit(EXIT_SUCCESS); + } + +/* Back in the main process: panic if the fork did not succeed. This seems +better than returning an error - if forking is failing it is probably best +not to try other deliveries for this message. */ + +if (pid < 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Fork failed for local delivery to %s", + addr->address); + +/* Read the pipe to get the delivery status codes and error messages. Our copy +of the writing end must be closed first, as otherwise read() won't return zero +on an empty pipe. We check that a status exists for each address before +overwriting the address structure. If data is missing, the default DEFER status +will remain. Afterwards, close the reading end. */ + +(void)close(pfd[pipe_write]); + +for (addr2 = addr; addr2; addr2 = addr2->next) + { + if ((len = read(pfd[pipe_read], &status, sizeof(int))) > 0) + { + int i; + uschar **sptr; + + addr2->transport_return = status; + len = read(pfd[pipe_read], &transport_count, + sizeof(transport_count)); + len = read(pfd[pipe_read], &addr2->flags, sizeof(addr2->flags)); + len = read(pfd[pipe_read], &addr2->basic_errno, sizeof(int)); + len = read(pfd[pipe_read], &addr2->more_errno, sizeof(int)); + len = read(pfd[pipe_read], &addr2->delivery_time, sizeof(struct timeval)); + len = read(pfd[pipe_read], &addr2->special_action, sizeof(int)); + len = read(pfd[pipe_read], &addr2->transport, + sizeof(transport_instance *)); + + if (testflag(addr2, af_file)) + { + int llen; + if ( read(pfd[pipe_read], &llen, sizeof(int)) != sizeof(int) + || llen > 64*4 /* limit from rfc 5821, times I18N factor */ + ) + { + log_write(0, LOG_MAIN|LOG_PANIC, "bad local_part length read" + " from delivery subprocess"); + break; + } + /* sanity-checked llen so disable the Coverity 
error */ + /* coverity[tainted_data] */ + if (read(pfd[pipe_read], big_buffer, llen) != llen) + { + log_write(0, LOG_MAIN|LOG_PANIC, "bad local_part read" + " from delivery subprocess"); + break; + } + big_buffer[llen] = 0; + addr2->local_part = string_copy(big_buffer); + } + + for (i = 0, sptr = &addr2->message; i < 2; i++, sptr = &addr2->user_message) + { + int message_length; + len = read(pfd[pipe_read], &message_length, sizeof(int)); + if (message_length > 0) + { + len = read(pfd[pipe_read], big_buffer, message_length); + big_buffer[big_buffer_size-1] = '\0'; /* guard byte */ + if (len > 0) *sptr = string_copy(big_buffer); + } + } + } + + else + { + log_write(0, LOG_MAIN|LOG_PANIC, "failed to read delivery status for %s " + "from delivery subprocess", addr2->unique); + break; + } + } + +(void)close(pfd[pipe_read]); + +/* Unless shadowing, write all successful addresses immediately to the journal +file, to ensure they are recorded asap. For homonymic addresses, use the base +address plus the transport name. Failure to write the journal is panic-worthy, +but don't stop, as it may prove possible subsequently to update the spool file +in order to record the delivery. */ + +if (!shadowing) + { + for (addr2 = addr; addr2; addr2 = addr2->next) + if (addr2->transport_return == OK) + { + if (testflag(addr2, af_homonym)) + sprintf(CS big_buffer, "%.500s/%s\n", addr2->unique + 3, tp->name); + else + sprintf(CS big_buffer, "%.500s\n", addr2->unique); + + /* In the test harness, wait just a bit to let the subprocess finish off + any debug output etc first. */ + + testharness_pause_ms(300); + + DEBUG(D_deliver) debug_printf("journalling %s", big_buffer); + len = Ustrlen(big_buffer); + if (write(journal_fd, big_buffer, len) != len) + log_write(0, LOG_MAIN|LOG_PANIC, "failed to update journal for %s: %s", + big_buffer, strerror(errno)); + } + + /* Ensure the journal file is pushed out to disk. 
*/ + + if (EXIMfsync(journal_fd) < 0) + log_write(0, LOG_MAIN|LOG_PANIC, "failed to fsync journal: %s", + strerror(errno)); + } + +/* Wait for the process to finish. If it terminates with a non-zero code, +freeze the message (except for SIGTERM, SIGKILL and SIGQUIT), but leave the +status values of all the addresses as they are. Take care to handle the case +when the subprocess doesn't seem to exist. This has been seen on one system +when Exim was called from an MUA that set SIGCHLD to SIG_IGN. When that +happens, wait() doesn't recognize the termination of child processes. Exim now +resets SIGCHLD to SIG_DFL, but this code should still be robust. */ + +while ((rc = wait(&status)) != pid) + if (rc < 0 && errno == ECHILD) /* Process has vanished */ + { + log_write(0, LOG_MAIN, "%s transport process vanished unexpectedly", + addr->transport->driver_name); + status = 0; + break; + } + +if ((status & 0xffff) != 0) + { + int msb = (status >> 8) & 255; + int lsb = status & 255; + int code = (msb == 0)? (lsb & 0x7f) : msb; + if (msb != 0 || (code != SIGTERM && code != SIGKILL && code != SIGQUIT)) + addr->special_action = SPECIAL_FREEZE; + log_write(0, LOG_MAIN|LOG_PANIC, "%s transport process returned non-zero " + "status 0x%04x: %s %d", + addr->transport->driver_name, + status, + msb == 0 ? "terminated by signal" : "exit code", + code); + } + +/* If SPECIAL_WARN is set in the top address, send a warning message. 
*/ + +if (addr->special_action == SPECIAL_WARN && addr->transport->warn_message) + { + int fd; + uschar *warn_message; + pid_t pid; + + DEBUG(D_deliver) debug_printf("Warning message requested by transport\n"); + + if (!(warn_message = expand_string(addr->transport->warn_message))) + log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand \"%s\" (warning " + "message for %s transport): %s", addr->transport->warn_message, + addr->transport->name, expand_string_message); + + else if ((pid = child_open_exim(&fd, US"tpt-warning-message")) > 0) + { + FILE *f = fdopen(fd, "wb"); + if (errors_reply_to && !contains_header(US"Reply-To", warn_message)) + fprintf(f, "Reply-To: %s\n", errors_reply_to); + fprintf(f, "Auto-Submitted: auto-replied\n"); + if (!contains_header(US"From", warn_message)) + moan_write_from(f); + fprintf(f, "%s", CS warn_message); + + /* Close and wait for child process to complete, without a timeout. */ + + (void)fclose(f); + (void)child_close(pid, 0); + } + + addr->special_action = SPECIAL_NONE; + } +} + + + + +/* Check transport for the given concurrency limit. Return TRUE if over +the limit (or an expansion failure), else FALSE and if there was a limit, +the key for the hints database used for the concurrency count. 
*/ + +static BOOL +tpt_parallel_check(transport_instance * tp, address_item * addr, uschar ** key) +{ +unsigned max_parallel; + +if (!tp->max_parallel) return FALSE; + +max_parallel = (unsigned) expand_string_integer(tp->max_parallel, TRUE); +if (expand_string_message) + { + log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand max_parallel option " + "in %s transport (%s): %s", tp->name, addr->address, + expand_string_message); + return TRUE; + } + +if (max_parallel > 0) + { + uschar * serialize_key = string_sprintf("tpt-serialize-%s", tp->name); + if (!enq_start(serialize_key, max_parallel)) + { + address_item * next; + DEBUG(D_transport) + debug_printf("skipping tpt %s because concurrency limit %u reached\n", + tp->name, max_parallel); + do + { + next = addr->next; + addr->message = US"concurrency limit reached for transport"; + addr->basic_errno = ERRNO_TRETRY; + post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_TRANSPORT, 0); + } while ((addr = next)); + return TRUE; + } + *key = serialize_key; + } +return FALSE; +} + + + +/************************************************* +* Do local deliveries * +*************************************************/ + +/* This function processes the list of addresses in addr_local. True local +deliveries are always done one address at a time. However, local deliveries can +be batched up in some cases. Typically this is when writing batched SMTP output +files for use by some external transport mechanism, or when running local +deliveries over LMTP. + +Arguments: None +Returns: Nothing +*/ + +static void +do_local_deliveries(void) +{ +open_db dbblock; +open_db *dbm_file = NULL; +time_t now = time(NULL); + +/* Loop until we have exhausted the supply of local deliveries */ + +while (addr_local) + { + struct timeval delivery_start; + struct timeval deliver_time; + address_item *addr2, *addr3, *nextaddr; + int logflags = LOG_MAIN; + int logchar = f.dont_deliver? 
'*' : '='; + transport_instance *tp; + uschar * serialize_key = NULL; + + /* Pick the first undelivered address off the chain */ + + address_item *addr = addr_local; + addr_local = addr->next; + addr->next = NULL; + + DEBUG(D_deliver|D_transport) + debug_printf("--------> %s <--------\n", addr->address); + + /* An internal disaster if there is no transport. Should not occur! */ + + if (!(tp = addr->transport)) + { + logflags |= LOG_PANIC; + f.disable_logging = FALSE; /* Jic */ + addr->message = addr->router + ? string_sprintf("No transport set by %s router", addr->router->name) + : US"No transport set by system filter"; + post_process_one(addr, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0); + continue; + } + + /* Check that this base address hasn't previously been delivered to this + transport. The check is necessary at this point to handle homonymic addresses + correctly in cases where the pattern of redirection changes between delivery + attempts. Non-homonymic previous delivery is detected earlier, at routing + time. */ + + if (previously_transported(addr, FALSE)) continue; + + /* There are weird cases where logging is disabled */ + + f.disable_logging = tp->disable_logging; + + /* Check for batched addresses and possible amalgamation. Skip all the work + if either batch_max <= 1 or there aren't any other addresses for local + delivery. */ + + if (tp->batch_max > 1 && addr_local) + { + int batch_count = 1; + BOOL uses_dom = readconf_depends((driver_instance *)tp, US"domain"); + BOOL uses_lp = ( testflag(addr, af_pfr) + && (testflag(addr, af_file) || addr->local_part[0] == '|') + ) + || readconf_depends((driver_instance *)tp, US"local_part"); + uschar *batch_id = NULL; + address_item **anchor = &addr_local; + address_item *last = addr; + address_item *next; + + /* Expand the batch_id string for comparison with other addresses. + Expansion failure suppresses batching. 
*/ + + if (tp->batch_id) + { + deliver_set_expansions(addr); + batch_id = expand_string(tp->batch_id); + deliver_set_expansions(NULL); + if (!batch_id) + { + log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand batch_id option " + "in %s transport (%s): %s", tp->name, addr->address, + expand_string_message); + batch_count = tp->batch_max; + } + } + + /* Until we reach the batch_max limit, pick off addresses which have the + same characteristics. These are: + + same transport + not previously delivered (see comment about 50 lines above) + same local part if the transport's configuration contains $local_part + or if this is a file or pipe delivery from a redirection + same domain if the transport's configuration contains $domain + same errors address + same additional headers + same headers to be removed + same uid/gid for running the transport + same first host if a host list is set + */ + + while ((next = *anchor) && batch_count < tp->batch_max) + { + BOOL ok = + tp == next->transport + && !previously_transported(next, TRUE) + && testflag(addr, af_pfr) == testflag(next, af_pfr) + && testflag(addr, af_file) == testflag(next, af_file) + && (!uses_lp || Ustrcmp(next->local_part, addr->local_part) == 0) + && (!uses_dom || Ustrcmp(next->domain, addr->domain) == 0) + && same_strings(next->prop.errors_address, addr->prop.errors_address) + && same_headers(next->prop.extra_headers, addr->prop.extra_headers) + && same_strings(next->prop.remove_headers, addr->prop.remove_headers) + && same_ugid(tp, addr, next) + && ( !addr->host_list && !next->host_list + || addr->host_list + && next->host_list + && Ustrcmp(addr->host_list->name, next->host_list->name) == 0 + ); + + /* If the transport has a batch_id setting, batch_id will be non-NULL + from the expansion outside the loop. Expand for this address and compare. + Expansion failure makes this address ineligible for batching. 
*/ + + if (ok && batch_id) + { + uschar *bid; + address_item *save_nextnext = next->next; + next->next = NULL; /* Expansion for a single address */ + deliver_set_expansions(next); + next->next = save_nextnext; + bid = expand_string(tp->batch_id); + deliver_set_expansions(NULL); + if (!bid) + { + log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand batch_id option " + "in %s transport (%s): %s", tp->name, next->address, + expand_string_message); + ok = FALSE; + } + else ok = (Ustrcmp(batch_id, bid) == 0); + } + + /* Take address into batch if OK. */ + + if (ok) + { + *anchor = next->next; /* Include the address */ + next->next = NULL; + last->next = next; + last = next; + batch_count++; + } + else anchor = &next->next; /* Skip the address */ + } + } + + /* We now have one or more addresses that can be delivered in a batch. Check + whether the transport is prepared to accept a message of this size. If not, + fail them all forthwith. If the expansion fails, or does not yield an + integer, defer delivery. */ + + if (tp->message_size_limit) + { + int rc = check_message_size(tp, addr); + if (rc != OK) + { + replicate_status(addr); + while (addr) + { + addr2 = addr->next; + post_process_one(addr, rc, logflags, EXIM_DTYPE_TRANSPORT, 0); + addr = addr2; + } + continue; /* With next batch of addresses */ + } + } + + /* If we are not running the queue, or if forcing, all deliveries will be + attempted. Otherwise, we must respect the retry times for each address. Even + when not doing this, we need to set up the retry key string, and determine + whether a retry record exists, because after a successful delivery, a delete + retry item must be set up. Keep the retry database open only for the duration + of these checks, rather than for all local deliveries, because some local + deliveries (e.g. to pipes) can take a substantial time. 
*/ + + if (!(dbm_file = dbfn_open(US"retry", O_RDONLY, &dbblock, FALSE, TRUE))) + { + DEBUG(D_deliver|D_retry|D_hints_lookup) + debug_printf("no retry data available\n"); + } + + addr2 = addr; + addr3 = NULL; + while (addr2) + { + BOOL ok = TRUE; /* to deliver this address */ + uschar *retry_key; + + /* Set up the retry key to include the domain or not, and change its + leading character from "R" to "T". Must make a copy before doing this, + because the old key may be pointed to from a "delete" retry item after + a routing delay. */ + + retry_key = string_copy( + tp->retry_use_local_part ? addr2->address_retry_key : + addr2->domain_retry_key); + *retry_key = 'T'; + + /* Inspect the retry data. If there is no hints file, delivery happens. */ + + if (dbm_file) + { + dbdata_retry *retry_record = dbfn_read(dbm_file, retry_key); + + /* If there is no retry record, delivery happens. If there is, + remember it exists so it can be deleted after a successful delivery. */ + + if (retry_record) + { + setflag(addr2, af_lt_retry_exists); + + /* A retry record exists for this address. If queue running and not + forcing, inspect its contents. If the record is too old, or if its + retry time has come, or if it has passed its cutoff time, delivery + will go ahead. */ + + DEBUG(D_retry) + { + debug_printf("retry record exists: age=%s ", + readconf_printtime(now - retry_record->time_stamp)); + debug_printf("(max %s)\n", readconf_printtime(retry_data_expire)); + debug_printf(" time to retry = %s expired = %d\n", + readconf_printtime(retry_record->next_try - now), + retry_record->expired); + } + + if (f.queue_running && !f.deliver_force) + { + ok = (now - retry_record->time_stamp > retry_data_expire) + || (now >= retry_record->next_try) + || retry_record->expired; + + /* If we haven't reached the retry time, there is one more check + to do, which is for the ultimate address timeout. 
*/ + + if (!ok) + ok = retry_ultimate_address_timeout(retry_key, addr2->domain, + retry_record, now); + } + } + else DEBUG(D_retry) debug_printf("no retry record exists\n"); + } + + /* This address is to be delivered. Leave it on the chain. */ + + if (ok) + { + addr3 = addr2; + addr2 = addr2->next; + } + + /* This address is to be deferred. Take it out of the chain, and + post-process it as complete. Must take it out of the chain first, + because post processing puts it on another chain. */ + + else + { + address_item *this = addr2; + this->message = US"Retry time not yet reached"; + this->basic_errno = ERRNO_LRETRY; + addr2 = addr3 ? (addr3->next = addr2->next) + : (addr = addr2->next); + post_process_one(this, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0); + } + } + + if (dbm_file) dbfn_close(dbm_file); + + /* If there are no addresses left on the chain, they all deferred. Loop + for the next set of addresses. */ + + if (!addr) continue; + + /* If the transport is limited for parallellism, enforce that here. + We use a hints DB entry, incremented here and decremented after + the transport (and any shadow transport) completes. */ + + if (tpt_parallel_check(tp, addr, &serialize_key)) + { + if (expand_string_message) + { + logflags |= LOG_PANIC; + do + { + addr = addr->next; + post_process_one(addr, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0); + } while ((addr = addr2)); + } + continue; /* Loop for the next set of addresses. */ + } + + + /* So, finally, we do have some addresses that can be passed to the + transport. Before doing so, set up variables that are relevant to a + single delivery. */ + + deliver_set_expansions(addr); + + gettimeofday(&delivery_start, NULL); + deliver_local(addr, FALSE); + timesince(&deliver_time, &delivery_start); + + /* If a shadow transport (which must perforce be another local transport), is + defined, and its condition is met, we must pass the message to the shadow + too, but only those addresses that succeeded. 
We do this by making a new + chain of addresses - also to keep the original chain uncontaminated. We must + use a chain rather than doing it one by one, because the shadow transport may + batch. + + NOTE: if the condition fails because of a lookup defer, there is nothing we + can do! */ + + if ( tp->shadow + && ( !tp->shadow_condition + || expand_check_condition(tp->shadow_condition, tp->name, US"transport") + ) ) + { + transport_instance *stp; + address_item *shadow_addr = NULL; + address_item **last = &shadow_addr; + + for (stp = transports; stp; stp = stp->next) + if (Ustrcmp(stp->name, tp->shadow) == 0) break; + + if (!stp) + log_write(0, LOG_MAIN|LOG_PANIC, "shadow transport \"%s\" not found ", + tp->shadow); + + /* Pick off the addresses that have succeeded, and make clones. Put into + the shadow_message field a pointer to the shadow_message field of the real + address. */ + + else for (addr2 = addr; addr2; addr2 = addr2->next) + if (addr2->transport_return == OK) + { + addr3 = store_get(sizeof(address_item), FALSE); + *addr3 = *addr2; + addr3->next = NULL; + addr3->shadow_message = US &addr2->shadow_message; + addr3->transport = stp; + addr3->transport_return = DEFER; + addr3->return_filename = NULL; + addr3->return_file = -1; + *last = addr3; + last = &addr3->next; + } + + /* If we found any addresses to shadow, run the delivery, and stick any + message back into the shadow_message field in the original. */ + + if (shadow_addr) + { + int save_count = transport_count; + + DEBUG(D_deliver|D_transport) + debug_printf(">>>>>>>>>>>>>>>> Shadow delivery >>>>>>>>>>>>>>>>\n"); + deliver_local(shadow_addr, TRUE); + + for(; shadow_addr; shadow_addr = shadow_addr->next) + { + int sresult = shadow_addr->transport_return; + *(uschar **)shadow_addr->shadow_message = + sresult == OK + ? string_sprintf(" ST=%s", stp->name) + : string_sprintf(" ST=%s (%s%s%s)", stp->name, + shadow_addr->basic_errno <= 0 + ? 
US"" + : US strerror(shadow_addr->basic_errno), + shadow_addr->basic_errno <= 0 || !shadow_addr->message + ? US"" + : US": ", + shadow_addr->message + ? shadow_addr->message + : shadow_addr->basic_errno <= 0 + ? US"unknown error" + : US""); + + DEBUG(D_deliver|D_transport) + debug_printf("%s shadow transport returned %s for %s\n", + stp->name, rc_to_string(sresult), shadow_addr->address); + } + + DEBUG(D_deliver|D_transport) + debug_printf(">>>>>>>>>>>>>>>> End shadow delivery >>>>>>>>>>>>>>>>\n"); + + transport_count = save_count; /* Restore original transport count */ + } + } + + /* Cancel the expansions that were set up for the delivery. */ + + deliver_set_expansions(NULL); + + /* If the transport was parallelism-limited, decrement the hints DB record. */ + + if (serialize_key) enq_end(serialize_key); + + /* Now we can process the results of the real transport. We must take each + address off the chain first, because post_process_one() puts it on another + chain. */ + + for (addr2 = addr; addr2; addr2 = nextaddr) + { + int result = addr2->transport_return; + nextaddr = addr2->next; + + DEBUG(D_deliver|D_transport) + debug_printf("%s transport returned %s for %s\n", + tp->name, rc_to_string(result), addr2->address); + + /* If there is a retry_record, or if delivery is deferred, build a retry + item for setting a new retry time or deleting the old retry record from + the database. These items are handled all together after all addresses + have been handled (so the database is open just for a short time for + updating). */ + + if (result == DEFER || testflag(addr2, af_lt_retry_exists)) + { + int flags = result == DEFER ? 0 : rf_delete; + uschar *retry_key = string_copy(tp->retry_use_local_part + ? 
addr2->address_retry_key : addr2->domain_retry_key); + *retry_key = 'T'; + retry_add_item(addr2, retry_key, flags); + } + + /* Done with this address */ + + addr2->delivery_time = deliver_time; + post_process_one(addr2, result, logflags, EXIM_DTYPE_TRANSPORT, logchar); + + /* If a pipe delivery generated text to be sent back, the result may be + changed to FAIL, and we must copy this for subsequent addresses in the + batch. */ + + if (addr2->transport_return != result) + { + for (addr3 = nextaddr; addr3; addr3 = addr3->next) + { + addr3->transport_return = addr2->transport_return; + addr3->basic_errno = addr2->basic_errno; + addr3->message = addr2->message; + } + result = addr2->transport_return; + } + + /* Whether or not the result was changed to FAIL, we need to copy the + return_file value from the first address into all the addresses of the + batch, so they are all listed in the error message. */ + + addr2->return_file = addr->return_file; + + /* Change log character for recording successful deliveries. */ + + if (result == OK) logchar = '-'; + } + } /* Loop back for next batch of addresses */ +} + + + + +/************************************************* +* Sort remote deliveries * +*************************************************/ + +/* This function is called if remote_sort_domains is set. It arranges that the +chain of addresses for remote deliveries is ordered according to the strings +specified. Try to make this shuffling reasonably efficient by handling +sequences of addresses rather than just single ones. 
+ +Arguments: None +Returns: Nothing +*/ + +static void +sort_remote_deliveries(void) +{ +int sep = 0; +address_item **aptr = &addr_remote; +const uschar *listptr = remote_sort_domains; +uschar *pattern; +uschar patbuf[256]; + +while ( *aptr + && (pattern = string_nextinlist(&listptr, &sep, patbuf, sizeof(patbuf))) + ) + { + address_item *moved = NULL; + address_item **bptr = &moved; + + while (*aptr) + { + address_item **next; + deliver_domain = (*aptr)->domain; /* set $domain */ + if (match_isinlist(deliver_domain, (const uschar **)&pattern, UCHAR_MAX+1, + &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK) + { + aptr = &(*aptr)->next; + continue; + } + + next = &(*aptr)->next; + while ( *next + && (deliver_domain = (*next)->domain, /* Set $domain */ + match_isinlist(deliver_domain, (const uschar **)&pattern, UCHAR_MAX+1, + &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL)) != OK + ) + next = &(*next)->next; + + /* If the batch of non-matchers is at the end, add on any that were + extracted further up the chain, and end this iteration. Otherwise, + extract them from the chain and hang on the moved chain. */ + + if (!*next) + { + *next = moved; + break; + } + + *bptr = *aptr; + *aptr = *next; + *next = NULL; + bptr = next; + aptr = &(*aptr)->next; + } + + /* If the loop ended because the final address matched, *aptr will + be NULL. Add on to the end any extracted non-matching addresses. If + *aptr is not NULL, the loop ended via "break" when *next is null, that + is, there was a string of non-matching addresses at the end. In this + case the extracted addresses have already been added on the end. 
*/
+
+ if (!*aptr) *aptr = moved;
+ }
+
+DEBUG(D_deliver)
+ {
+ debug_printf("remote addresses after sorting:\n");
+ for (address_item * addr = addr_remote; addr; addr = addr->next)
+ debug_printf(" %s\n", addr->address);
+ }
+}
+
+
+
+/*************************************************
+* Read from pipe for remote delivery subprocess *
+*************************************************/
+
+/* This function is called when the subprocess is complete, but can also be
+called before it is complete, in order to empty a pipe that is full (to prevent
+deadlock). It must therefore keep track of its progress in the parlist data
+block.
+
+We read the pipe to get the delivery status codes and a possible error message
+for each address, optionally preceded by unusability data for the hosts and
+also by optional retry data.
+
+Read in large chunks into the big buffer and then scan through, interpreting
+the data therein. In most cases, only a single read will be necessary. No
+individual item will ever be anywhere near 2500 bytes in length, so by ensuring
+that we read the next chunk when there is less than 2500 bytes left in the
+non-final chunk, we can assume each item is complete in the buffer before
+handling it. Each item is written using a single write(), which is atomic for
+small items (less than PIPE_BUF, which seems to be at least 512 in any Unix and
+often bigger) so even if we are reading while the subprocess is still going, we
+should never have only a partial item in the buffer.
+
+hs12: This assumption is not true anymore, since we get quite large items (certificate
+information and such).
+
+Argument:
+ poffset the offset of the parlist item
+ eop TRUE if the process has completed
+
+Returns: TRUE if the terminating 'Z' item has been read,
+ or there has been a disaster (i.e.
no more data needed);
+ FALSE otherwise
+*/
+
+static BOOL
+par_read_pipe(int poffset, BOOL eop)
+{
+host_item *h;
+pardata *p = parlist + poffset;
+address_item *addrlist = p->addrlist;
+address_item *addr = p->addr;
+pid_t pid = p->pid;
+int fd = p->fd;
+
+uschar *msg = p->msg;
+BOOL done = p->done;
+
+/* Loop through all items, reading from the pipe when necessary. The pipe
+used to be non-blocking. But I do not see a reason for using non-blocking I/O
+here, as the preceding select() tells us, if data is available for reading.
+
+A read() on a "selected" handle should never block, but(!) it may return
+less data then we expected. (The buffer size we pass to read() shouldn't be
+understood as a "request", but as a "limit".)
+
+Each separate item is written to the pipe in a timely manner. But, especially for
+larger items, the read(2) may already return partial data from the write(2).
+
+The write is atomic mostly (depending on the amount written), but atomic does
+not imply "all or noting", it just is "not intermixed" with other writes on the
+same channel (pipe).
+
+*/
+
+DEBUG(D_deliver) debug_printf("reading pipe for subprocess %d (%s)\n",
+ (int)p->pid, eop? "ended" : "not ended yet");
+
+while (!done)
+ {
+ retry_item *r, **rp;
+ uschar pipeheader[PIPE_HEADER_SIZE+1];
+ uschar *id = &pipeheader[0];
+ uschar *subid = &pipeheader[1];
+ uschar *ptr = big_buffer;
+ size_t required = PIPE_HEADER_SIZE; /* first the pipehaeder, later the data */
+ ssize_t got;
+
+ DEBUG(D_deliver) debug_printf(
+ "expect %lu bytes (pipeheader) from tpt process %d\n", (u_long)required, pid);
+
+ /* We require(!) all the PIPE_HEADER_SIZE bytes here, as we know,
+ they're written in a timely manner, so waiting for the write shouldn't hurt a lot.
+ If we get less, we can assume the subprocess do be done and do not expect any further
+ information from it.
*/
+
+ if ((got = readn(fd, pipeheader, required)) != required)
+ {
+ msg = string_sprintf("got " SSIZE_T_FMT " of %d bytes (pipeheader) "
+ "from transport process %d for transport %s",
+ got, PIPE_HEADER_SIZE, pid, addr->transport->driver_name);
+ done = TRUE;
+ break;
+ }
+
+ pipeheader[PIPE_HEADER_SIZE] = '\0';
+ DEBUG(D_deliver)
+ debug_printf("got %ld bytes (pipeheader) from transport process %d\n",
+ (long) got, pid);
+
+ {
+ /* If we can't decode the pipeheader, the subprocess seems to have a
+ problem, we do not expect any furher information from it. */
+ char *endc;
+ required = Ustrtol(pipeheader+2, &endc, 10);
+ if (*endc)
+ {
+ msg = string_sprintf("failed to read pipe "
+ "from transport process %d for transport %s: error decoding size from header",
+ pid, addr->transport->driver_name);
+ done = TRUE;
+ break;
+ }
+ }
+
+ DEBUG(D_deliver)
+ debug_printf("expect %lu bytes (pipedata) from transport process %d\n",
+ (u_long)required, pid);
+
+ /* Same as above, the transport process will write the bytes announced
+ in a timely manner, so we can just wait for the bytes, getting less than expected
+ is considered a problem of the subprocess, we do not expect anything else from it. */
+ if ((got = readn(fd, big_buffer, required)) != required)
+ {
+ msg = string_sprintf("got only " SSIZE_T_FMT " of " SIZE_T_FMT
+ " bytes (pipedata) from transport process %d for transport %s",
+ got, required, pid, addr->transport->driver_name);
+ done = TRUE;
+ break;
+ }
+
+ /* Handle each possible type of item, assuming the complete item is
+ available in store. */
+
+ switch (*id)
+ {
+ /* Host items exist only if any hosts were marked unusable. Match
+ up by checking the IP address. */
+
+ case 'H':
+ for (h = addrlist->host_list; h; h = h->next)
+ {
+ if (!h->address || Ustrcmp(h->address, ptr+2) != 0) continue;
+ h->status = ptr[0];
+ h->why = ptr[1];
+ }
+ ptr += 2;
+ while (*ptr++);
+ break;
+
+ /* Retry items are sent in a preceding R item for each address.
This is
+ kept separate to keep each message short enough to guarantee it won't
+ be split in the pipe. Hopefully, in the majority of cases, there won't in
+ fact be any retry items at all.
+
+ The complete set of retry items might include an item to delete a
+ routing retry if there was a previous routing delay. However, routing
+ retries are also used when a remote transport identifies an address error.
+ In that case, there may also be an "add" item for the same key. Arrange
+ that a "delete" item is dropped in favour of an "add" item. */
+
+ case 'R':
+ if (!addr) goto ADDR_MISMATCH;
+
+ DEBUG(D_deliver|D_retry)
+ debug_printf("reading retry information for %s from subprocess\n",
+ ptr+1);
+
+ /* Cut out any "delete" items on the list. */
+
+ for (rp = &addr->retries; (r = *rp); rp = &r->next)
+ if (Ustrcmp(r->key, ptr+1) == 0) /* Found item with same key */
+ {
+ if (!(r->flags & rf_delete)) break; /* It was not "delete" */
+ *rp = r->next; /* Excise a delete item */
+ DEBUG(D_deliver|D_retry)
+ debug_printf(" existing delete item dropped\n");
+ }
+
+ /* We want to add a delete item only if there is no non-delete item;
+ however we still have to step ptr through the data. */
+
+ if (!r || !(*ptr & rf_delete))
+ {
+ r = store_get(sizeof(retry_item), FALSE);
+ r->next = addr->retries;
+ addr->retries = r;
+ r->flags = *ptr++;
+ r->key = string_copy(ptr);
+ while (*ptr++);
+ memcpy(&r->basic_errno, ptr, sizeof(r->basic_errno));
+ ptr += sizeof(r->basic_errno);
+ memcpy(&r->more_errno, ptr, sizeof(r->more_errno));
+ ptr += sizeof(r->more_errno);
+ r->message = *ptr ? string_copy(ptr) : NULL;
+ DEBUG(D_deliver|D_retry) debug_printf(" added %s item\n",
+ r->flags & rf_delete ?
"delete" : "retry"); + } + + else + { + DEBUG(D_deliver|D_retry) + debug_printf(" delete item not added: non-delete item exists\n"); + ptr++; + while(*ptr++); + ptr += sizeof(r->basic_errno) + sizeof(r->more_errno); + } + + while(*ptr++); + break; + + /* Put the amount of data written into the parlist block */ + + case 'S': + memcpy(&(p->transport_count), ptr, sizeof(transport_count)); + ptr += sizeof(transport_count); + break; + + /* Address items are in the order of items on the address chain. We + remember the current address value in case this function is called + several times to empty the pipe in stages. Information about delivery + over TLS is sent in a preceding X item for each address. We don't put + it in with the other info, in order to keep each message short enough to + guarantee it won't be split in the pipe. */ + +#ifndef DISABLE_TLS + case 'X': + if (!addr) goto ADDR_MISMATCH; /* Below, in 'A' handler */ + switch (*subid) + { + case '1': + addr->tlsver = addr->cipher = addr->peerdn = NULL; + + if (*ptr) + { + addr->cipher = string_copy(ptr); + addr->tlsver = string_copyn(ptr, Ustrchr(ptr, ':') - ptr); + } + while (*ptr++); + if (*ptr) + addr->peerdn = string_copy(ptr); + break; + + case '2': + if (*ptr) + (void) tls_import_cert(ptr, &addr->peercert); + else + addr->peercert = NULL; + break; + + case '3': + if (*ptr) + (void) tls_import_cert(ptr, &addr->ourcert); + else + addr->ourcert = NULL; + break; + +# ifndef DISABLE_OCSP + case '4': + addr->ocsp = *ptr ? *ptr - '0' : OCSP_NOT_REQ; + break; +# endif + } + while (*ptr++); + break; +#endif /*DISABLE_TLS*/ + + case 'C': /* client authenticator information */ + switch (*subid) + { + case '1': addr->authenticator = *ptr ? string_copy(ptr) : NULL; break; + case '2': addr->auth_id = *ptr ? string_copy(ptr) : NULL; break; + case '3': addr->auth_sndr = *ptr ? 
string_copy(ptr) : NULL; break;
+ }
+ while (*ptr++);
+ break;
+
+#ifndef DISABLE_PRDR
+ case 'P':
+ setflag(addr, af_prdr_used);
+ break;
+#endif
+
+ case 'L':
+ switch (*subid)
+ {
+#ifndef DISABLE_PIPE_CONNECT
+ case 2: setflag(addr, af_early_pipe); /*FALLTHROUGH*/
+#endif
+ case 1: setflag(addr, af_pipelining); break;
+ }
+ break;
+
+ case 'K':
+ setflag(addr, af_chunking_used);
+ break;
+
+ case 'T':
+ setflag(addr, af_tcp_fastopen_conn);
+ if (*subid > '0') setflag(addr, af_tcp_fastopen);
+ if (*subid > '1') setflag(addr, af_tcp_fastopen_data);
+ break;
+
+ case 'D':
+ if (!addr) goto ADDR_MISMATCH;
+ memcpy(&(addr->dsn_aware), ptr, sizeof(addr->dsn_aware));
+ ptr += sizeof(addr->dsn_aware);
+ DEBUG(D_deliver) debug_printf("DSN read: addr->dsn_aware = %d\n", addr->dsn_aware);
+ break;
+
+ case 'A':
+ if (!addr)
+ {
+ ADDR_MISMATCH:
+ msg = string_sprintf("address count mismatch for data read from pipe "
+ "for transport process %d for transport %s", pid,
+ addrlist->transport->driver_name);
+ done = TRUE;
+ break;
+ }
+
+ switch (*subid)
+ {
+ #ifdef SUPPORT_SOCKS
+ case '2': /* proxy information; must arrive before A0 and applies to that addr XXX oops*/
+ proxy_session = TRUE; /*XXX should this be cleared somewhere?
*/
+ if (*ptr == 0)
+ ptr++;
+ else
+ {
+ proxy_local_address = string_copy(ptr);
+ while(*ptr++);
+ memcpy(&proxy_local_port, ptr, sizeof(proxy_local_port));
+ ptr += sizeof(proxy_local_port);
+ }
+ break;
+ #endif
+
+ #ifdef EXPERIMENTAL_DSN_INFO
+ case '1': /* must arrive before A0, and applies to that addr */
+ /* Two strings: smtp_greeting and helo_response */
+ addr->smtp_greeting = string_copy(ptr);
+ while(*ptr++);
+ addr->helo_response = string_copy(ptr);
+ while(*ptr++);
+ break;
+ #endif
+
+ case '0':
+ DEBUG(D_deliver) debug_printf("A0 %s tret %d\n", addr->address, *ptr);
+ addr->transport_return = *ptr++;
+ addr->special_action = *ptr++;
+ memcpy(&addr->basic_errno, ptr, sizeof(addr->basic_errno));
+ ptr += sizeof(addr->basic_errno);
+ memcpy(&addr->more_errno, ptr, sizeof(addr->more_errno));
+ ptr += sizeof(addr->more_errno);
+ memcpy(&addr->delivery_time, ptr, sizeof(addr->delivery_time));
+ ptr += sizeof(addr->delivery_time);
+ memcpy(&addr->flags, ptr, sizeof(addr->flags));
+ ptr += sizeof(addr->flags);
+ addr->message = *ptr ? string_copy(ptr) : NULL;
+ while(*ptr++);
+ addr->user_message = *ptr ? string_copy(ptr) : NULL;
+ while(*ptr++);
+
+ /* Always two strings for host information, followed by the port number and DNSSEC mark */
+
+ if (*ptr)
+ {
+ h = store_get(sizeof(host_item), FALSE);
+ h->name = string_copy(ptr);
+ while (*ptr++);
+ h->address = string_copy(ptr);
+ while(*ptr++);
+ memcpy(&h->port, ptr, sizeof(h->port));
+ ptr += sizeof(h->port);
+ h->dnssec = *ptr == '2' ? DS_YES
+ : *ptr == '1' ? DS_NO
+ : DS_UNK;
+ ptr++;
+ addr->host_used = h;
+ }
+ else ptr++;
+
+ /* Finished with this address */
+
+ addr = addr->next;
+ break;
+ }
+ break;
+
+ /* Local interface address/port */
+ case 'I':
+ if (*ptr) sending_ip_address = string_copy(ptr);
+ while (*ptr++) ;
+ if (*ptr) sending_port = atoi(CS ptr);
+ while (*ptr++) ;
+ break;
+
+ /* Z marks the logical end of the data.
It is followed by '0' if
+ continue_transport was NULL at the end of transporting, otherwise '1'.
+ We need to know when it becomes NULL during a delivery down a passed SMTP
+ channel so that we don't try to pass anything more down it. Of course, for
+ most normal messages it will remain NULL all the time. */
+
+ case 'Z':
+ if (*ptr == '0')
+ {
+ continue_transport = NULL;
+ continue_hostname = NULL;
+ }
+ done = TRUE;
+ DEBUG(D_deliver) debug_printf("Z0%c item read\n", *ptr);
+ break;
+
+ /* Anything else is a disaster. */
+
+ default:
+ msg = string_sprintf("malformed data (%d) read from pipe for transport "
+ "process %d for transport %s", ptr[-1], pid,
+ addr->transport->driver_name);
+ done = TRUE;
+ break;
+ }
+ }
+
+/* The done flag is inspected externally, to determine whether or not to
+call the function again when the process finishes. */
+
+p->done = done;
+
+/* If the process hadn't finished, and we haven't seen the end of the data
+or if we suffered a disaster, update the rest of the state, and return FALSE to
+indicate "not finished". */
+
+if (!eop && !done)
+ {
+ p->addr = addr;
+ p->msg = msg;
+ return FALSE;
+ }
+
+/* Close our end of the pipe, to prevent deadlock if the far end is still
+pushing stuff into it. */
+
+(void)close(fd);
+p->fd = -1;
+
+/* If we have finished without error, but haven't had data for every address,
+something is wrong. */
+
+if (!msg && addr)
+ msg = string_sprintf("insufficient address data read from pipe "
+ "for transport process %d for transport %s", pid,
+ addr->transport->driver_name);
+
+/* If an error message is set, something has gone wrong in getting back
+the delivery data. Put the message into each address and freeze it.
*/
+
+if (msg)
+ for (addr = addrlist; addr; addr = addr->next)
+ {
+ addr->transport_return = DEFER;
+ addr->special_action = SPECIAL_FREEZE;
+ addr->message = msg;
+ log_write(0, LOG_MAIN|LOG_PANIC, "Delivery status for %s: %s\n", addr->address, addr->message);
+ }
+
+/* Return TRUE to indicate we have got all we need from this process, even
+if it hasn't actually finished yet. */
+
+return TRUE;
+}
+
+
+
+/*************************************************
+* Post-process a set of remote addresses *
+*************************************************/
+
+/* Do what has to be done immediately after a remote delivery for each set of
+addresses, then re-write the spool if necessary. Note that post_process_one
+puts the address on an appropriate queue; hence we must fish off the next
+one first. This function is also called if there is a problem with setting
+up a subprocess to do a remote delivery in parallel. In this case, the final
+argument contains a message, and the action must be forced to DEFER.
+
+Argument:
+ addr pointer to chain of address items
+ logflags flags for logging
+ msg NULL for normal cases; -> error message for unexpected problems
+ fallback TRUE if processing fallback hosts
+
+Returns: nothing
+*/
+
+static void
+remote_post_process(address_item *addr, int logflags, uschar *msg,
+ BOOL fallback)
+{
+/* If any host addresses were found to be unusable, add them to the unusable
+tree so that subsequent deliveries don't try them. */
+
+for (host_item * h = addr->host_list; h; h = h->next)
+ if (h->address)
+ if (h->status >= hstatus_unusable) tree_add_unusable(h);
+
+/* Now handle each address on the chain. The transport has placed '=' or '-'
+into the special_action field for each successful delivery.
*/
+
+while (addr)
+ {
+ address_item *next = addr->next;
+
+ /* If msg == NULL (normal processing) and the result is DEFER and we are
+ processing the main hosts and there are fallback hosts available, put the
+ address on the list for fallback delivery. */
+
+ if ( addr->transport_return == DEFER
+ && addr->fallback_hosts
+ && !fallback
+ && !msg
+ )
+ {
+ addr->host_list = addr->fallback_hosts;
+ addr->next = addr_fallback;
+ addr_fallback = addr;
+ DEBUG(D_deliver) debug_printf("%s queued for fallback host(s)\n", addr->address);
+ }
+
+ /* If msg is set (=> unexpected problem), set it in the address before
+ doing the ordinary post processing. */
+
+ else
+ {
+ if (msg)
+ {
+ addr->message = msg;
+ addr->transport_return = DEFER;
+ }
+ (void)post_process_one(addr, addr->transport_return, logflags,
+ EXIM_DTYPE_TRANSPORT, addr->special_action);
+ }
+
+ /* Next address */
+
+ addr = next;
+ }
+
+/* If we have just delivered down a passed SMTP channel, and that was
+the last address, the channel will have been closed down. Now that
+we have logged that delivery, set continue_sequence to 1 so that
+any subsequent deliveries don't get "*" incorrectly logged. */
+
+if (!continue_transport) continue_sequence = 1;
+}
+
+
+
+/*************************************************
+* Wait for one remote delivery subprocess *
+*************************************************/
+
+/* This function is called while doing remote deliveries when either the
+maximum number of processes exist and we need one to complete so that another
+can be created, or when waiting for the last ones to complete. It must wait for
+the completion of one subprocess, empty the control block slot, and return a
+pointer to the address chain.
+
+Arguments: none
+Returns: pointer to the chain of addresses handled by the process;
+ NULL if no subprocess found - this is an unexpected error
+*/
+
+static address_item *
+par_wait(void)
+{
+int poffset, status;
+address_item *addr, *addrlist;
+pid_t pid;
+
+set_process_info("delivering %s: waiting for a remote delivery subprocess "
+ "to finish", message_id);
+
+/* Loop until either a subprocess completes, or there are no subprocesses in
+existence - in which case give an error return. We cannot proceed just by
+waiting for a completion, because a subprocess may have filled up its pipe, and
+be waiting for it to be emptied. Therefore, if no processes have finished, we
+wait for one of the pipes to acquire some data by calling select(), with a
+timeout just in case.
+
+The simple approach is just to iterate after reading data from a ready pipe.
+This leads to non-ideal behaviour when the subprocess has written its final Z
+item, closed the pipe, and is in the process of exiting (the common case). A
+call to waitpid() yields nothing completed, but select() shows the pipe ready -
+reading it yields EOF, so you end up with busy-waiting until the subprocess has
+actually finished.
+
+To avoid this, if all the data that is needed has been read from a subprocess
+after select(), an explicit wait() for it is done. We know that all it is doing
+is writing to the pipe and then exiting, so the wait should not be long.
+
+The non-blocking waitpid() is to some extent just insurance; if we could
+reliably detect end-of-file on the pipe, we could always know when to do a
+blocking wait() for a completed process. However, because some systems use
+NDELAY, which doesn't distinguish between EOF and pipe empty, it is easier to
+use code that functions without the need to recognize EOF.
+
+There's a double loop here just in case we end up with a process that is not in
+the list of remote delivery processes. Something has obviously gone wrong if
+this is the case.
(For example, a process that is incorrectly left over from
+routing or local deliveries might be found.) The damage can be minimized by
+looping back and looking for another process. If there aren't any, the error
+return will happen. */
+
+for (;;) /* Normally we do not repeat this loop */
+ {
+ while ((pid = waitpid(-1, &status, WNOHANG)) <= 0)
+ {
+ struct timeval tv;
+ fd_set select_pipes;
+ int maxpipe, readycount;
+
+ /* A return value of -1 can mean several things. If errno != ECHILD, it
+ either means invalid options (which we discount), or that this process was
+ interrupted by a signal. Just loop to try the waitpid() again.
+
+ If errno == ECHILD, waitpid() is telling us that there are no subprocesses
+ in existence. This should never happen, and is an unexpected error.
+ However, there is a nasty complication when running under Linux. If "strace
+ -f" is being used under Linux to trace this process and its children,
+ subprocesses are "stolen" from their parents and become the children of the
+ tracing process. A general wait such as the one we've just obeyed returns
+ as if there are no children while subprocesses are running. Once a
+ subprocess completes, it is restored to the parent, and waitpid(-1) finds
+ it. Thanks to Joachim Wieland for finding all this out and suggesting a
+ palliative.
+
+ This does not happen using "truss" on Solaris, nor (I think) with other
+ tracing facilities on other OS. It seems to be specific to Linux.
+
+ What we do to get round this is to use kill() to see if any of our
+ subprocesses are still in existence. If kill() gives an OK return, we know
+ it must be for one of our processes - it can't be for a re-use of the pid,
+ because if our process had finished, waitpid() would have found it. If any
+ of our subprocesses are in existence, we proceed to use select() as if
+ waitpid() had returned zero. I think this is safe.
*/
+
+ if (pid < 0)
+ {
+ if (errno != ECHILD) continue; /* Repeats the waitpid() */
+
+ DEBUG(D_deliver)
+ debug_printf("waitpid() returned -1/ECHILD: checking explicitly "
+ "for process existence\n");
+
+ for (poffset = 0; poffset < remote_max_parallel; poffset++)
+ {
+ if ((pid = parlist[poffset].pid) != 0 && kill(pid, 0) == 0)
+ {
+ DEBUG(D_deliver) debug_printf("process %d still exists: assume "
+ "stolen by strace\n", (int)pid);
+ break; /* With poffset set */
+ }
+ }
+
+ if (poffset >= remote_max_parallel)
+ {
+ DEBUG(D_deliver) debug_printf("*** no delivery children found\n");
+ return NULL; /* This is the error return */
+ }
+ }
+
+ /* A pid value greater than 0 breaks the "while" loop. A negative value has
+ been handled above. A return value of zero means that there is at least one
+ subprocess, but there are no completed subprocesses. See if any pipes are
+ ready with any data for reading. */
+
+ DEBUG(D_deliver) debug_printf("selecting on subprocess pipes\n");
+
+ maxpipe = 0;
+ FD_ZERO(&select_pipes);
+ for (poffset = 0; poffset < remote_max_parallel; poffset++)
+ if (parlist[poffset].pid != 0)
+ {
+ int fd = parlist[poffset].fd;
+ FD_SET(fd, &select_pipes);
+ if (fd > maxpipe) maxpipe = fd;
+ }
+
+ /* Stick in a 60-second timeout, just in case. */
+
+ tv.tv_sec = 60;
+ tv.tv_usec = 0;
+
+ readycount = select(maxpipe + 1, (SELECT_ARG2_TYPE *)&select_pipes,
+ NULL, NULL, &tv);
+
+ /* Scan through the pipes and read any that are ready; use the count
+ returned by select() to stop when there are no more. Select() can return
+ with no processes (e.g. if interrupted). This shouldn't matter.
+
+ If par_read_pipe() returns TRUE, it means that either the terminating Z was
+ read, or there was a disaster. In either case, we are finished with this
+ process. Do an explicit wait() for the process and break the main loop if
+ it succeeds.
+
+ It turns out that we have to deal with the case of an interrupted system
+ call, which can happen on some operating systems if the signal handling is
+ set up to do that by default. */
+
+ for (poffset = 0;
+ readycount > 0 && poffset < remote_max_parallel;
+ poffset++)
+ {
+ if ( (pid = parlist[poffset].pid) != 0
+ && FD_ISSET(parlist[poffset].fd, &select_pipes)
+ )
+ {
+ readycount--;
+ if (par_read_pipe(poffset, FALSE)) /* Finished with this pipe */
+ for (;;) /* Loop for signals */
+ {
+ pid_t endedpid = waitpid(pid, &status, 0);
+ if (endedpid == pid) goto PROCESS_DONE;
+ if (endedpid != (pid_t)(-1) || errno != EINTR)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Unexpected error return "
+ "%d (errno = %d) from waitpid() for process %d",
+ (int)endedpid, errno, (int)pid);
+ }
+ }
+ }
+
+ /* Now go back and look for a completed subprocess again. */
+ }
+
+ /* A completed process was detected by the non-blocking waitpid(). Find the
+ data block that corresponds to this subprocess. */
+
+ for (poffset = 0; poffset < remote_max_parallel; poffset++)
+ if (pid == parlist[poffset].pid) break;
+
+ /* Found the data block; this is a known remote delivery process. We don't
+ need to repeat the outer loop. This should be what normally happens. */
+
+ if (poffset < remote_max_parallel) break;
+
+ /* This situation is an error, but it's probably better to carry on looking
+ for another process than to give up (as we used to do). */
+
+ log_write(0, LOG_MAIN|LOG_PANIC, "Process %d finished: not found in remote "
+ "transport process list", pid);
+ } /* End of the "for" loop */
+
+/* Come here when all the data was completely read after a select(), and
+the process in pid has been wait()ed for.
*/
+
+PROCESS_DONE:
+
+DEBUG(D_deliver)
+ {
+ if (status == 0)
+ debug_printf("remote delivery process %d ended\n", (int)pid);
+ else
+ debug_printf("remote delivery process %d ended: status=%04x\n", (int)pid,
+ status);
+ }
+
+set_process_info("delivering %s", message_id);
+
+/* Get the chain of processed addresses */
+
+addrlist = parlist[poffset].addrlist;
+
+/* If the process did not finish cleanly, record an error and freeze (except
+for SIGTERM, SIGKILL and SIGQUIT), and also ensure the journal is not removed,
+in case the delivery did actually happen. */
+
+if ((status & 0xffff) != 0)
+ {
+ uschar *msg;
+ int msb = (status >> 8) & 255;
+ int lsb = status & 255;
+ int code = (msb == 0)? (lsb & 0x7f) : msb;
+
+ msg = string_sprintf("%s transport process returned non-zero status 0x%04x: "
+ "%s %d",
+ addrlist->transport->driver_name,
+ status,
+ (msb == 0)? "terminated by signal" : "exit code",
+ code);
+
+ if (msb != 0 || (code != SIGTERM && code != SIGKILL && code != SIGQUIT))
+ addrlist->special_action = SPECIAL_FREEZE;
+
+ for (addr = addrlist; addr; addr = addr->next)
+ {
+ addr->transport_return = DEFER;
+ addr->message = msg;
+ }
+
+ remove_journal = FALSE;
+ }
+
+/* Else complete reading the pipe to get the result of the delivery, if all
+the data has not yet been obtained. */
+
+else if (!parlist[poffset].done) (void)par_read_pipe(poffset, TRUE);
+
+/* Put the data count and return path into globals, mark the data slot unused,
+decrement the count of subprocesses, and return the address chain. */
+
+transport_count = parlist[poffset].transport_count;
+used_return_path = parlist[poffset].return_path;
+parlist[poffset].pid = 0;
+parcount--;
+return addrlist;
+}
+
+
+
+/*************************************************
+* Wait for subprocesses and post-process *
+*************************************************/
+
+/* This function waits for subprocesses until the number that are still running
+is below a given threshold.
For each complete subprocess, the addresses are
+post-processed. If we can't find a running process, there is some shambles.
+Better not bomb out, as that might lead to multiple copies of the message. Just
+log and proceed as if all done.
+
+Arguments:
+ max maximum number of subprocesses to leave running
+ fallback TRUE if processing fallback hosts
+
+Returns: nothing
+*/
+
+static void
+par_reduce(int max, BOOL fallback)
+{
+while (parcount > max)
+ {
+ address_item *doneaddr = par_wait();
+ if (!doneaddr)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "remote delivery process count got out of step");
+ parcount = 0;
+ }
+ else
+ {
+ transport_instance * tp = doneaddr->transport;
+ if (tp->max_parallel)
+ enq_end(string_sprintf("tpt-serialize-%s", tp->name));
+
+ remote_post_process(doneaddr, LOG_MAIN, NULL, fallback);
+ }
+ }
+}
+
+static void
+rmt_dlv_checked_write(int fd, char id, char subid, void * buf, ssize_t size)
+{
+uschar pipe_header[PIPE_HEADER_SIZE+1];
+size_t total_len = PIPE_HEADER_SIZE + size;
+
+struct iovec iov[2] = {
+ { pipe_header, PIPE_HEADER_SIZE }, /* indication about the data to expect */
+ { buf, size } /* *the* data */
+};
+
+ssize_t ret;
+
+/* we assume that size can't get larger then BIG_BUFFER_SIZE which currently is set to 16k */
+/* complain to log if someone tries with buffer sizes we can't handle*/
+
+if (size > BIG_BUFFER_SIZE-1)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "Failed writing transport result to pipe: can't handle buffers > %d bytes. truncating!\n",
+ BIG_BUFFER_SIZE-1);
+ size = BIG_BUFFER_SIZE;
+ }
+
+/* Should we check that we do not write more than PIPE_BUF? What would
+that help?
*/
+
+/* convert size to human readable string prepended by id and subid */
+if (PIPE_HEADER_SIZE != snprintf(CS pipe_header, PIPE_HEADER_SIZE+1, "%c%c%05ld",
+ id, subid, (long)size))
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "header snprintf failed\n");
+
+DEBUG(D_deliver) debug_printf("header write id:%c,subid:%c,size:%ld,final:%s\n",
+ id, subid, (long)size, pipe_header);
+
+if ((ret = writev(fd, iov, 2)) != total_len)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "Failed writing transport result to pipe (%ld of %ld bytes): %s",
+ (long)ret, (long)total_len, ret == -1 ? strerror(errno) : "short write");
+}
+
+/*************************************************
+* Do remote deliveries *
+*************************************************/
+
+/* This function is called to process the addresses in addr_remote. We must
+pick off the queue all addresses that have the same transport, remote
+destination, and errors address, and hand them to the transport in one go,
+subject to some configured limitations. If this is a run to continue delivering
+to an existing delivery channel, skip all but those addresses that can go to
+that channel. The skipped addresses just get deferred.
+
+If mua_wrapper is set, all addresses must be able to be sent in a single
+transaction. If not, this function yields FALSE.
+
+In Exim 4, remote deliveries are always done in separate processes, even
+if remote_max_parallel = 1 or if there's only one delivery to do. The reason
+is so that the base process can retain privilege. This makes the
+implementation of fallback transports feasible (though not initially done.)
+
+We create up to the configured number of subprocesses, each of which passes
+back the delivery state via a pipe. (However, when sending down an existing
+connection, remote_max_parallel is forced to 1.)
+
+Arguments:
+ fallback TRUE if processing fallback hosts
+
+Returns: TRUE normally
+ FALSE if mua_wrapper is set and the addresses cannot all be sent
+ in one transaction
+*/
+
+static BOOL
+do_remote_deliveries(BOOL fallback)
+{
+int parmax;
+int poffset;
+
+parcount = 0; /* Number of executing subprocesses */
+
+/* When sending down an existing channel, only do one delivery at a time.
+We use a local variable (parmax) to hold the maximum number of processes;
+this gets reduced from remote_max_parallel if we can't create enough pipes. */
+
+if (continue_transport) remote_max_parallel = 1;
+parmax = remote_max_parallel;
+
+/* If the data for keeping a list of processes hasn't yet been
+set up, do so. */
+
+if (!parlist)
+ {
+ parlist = store_get(remote_max_parallel * sizeof(pardata), FALSE);
+ for (poffset = 0; poffset < remote_max_parallel; poffset++)
+ parlist[poffset].pid = 0;
+ }
+
+/* Now loop for each remote delivery */
+
+for (int delivery_count = 0; addr_remote; delivery_count++)
+ {
+ pid_t pid;
+ uid_t uid;
+ gid_t gid;
+ int pfd[2];
+ int address_count = 1;
+ int address_count_max;
+ BOOL multi_domain;
+ BOOL use_initgroups;
+ BOOL pipe_done = FALSE;
+ transport_instance *tp;
+ address_item **anchor = &addr_remote;
+ address_item *addr = addr_remote;
+ address_item *last = addr;
+ address_item *next;
+ uschar * panicmsg;
+ uschar * serialize_key = NULL;
+
+ /* Pull the first address right off the list. */
+
+ addr_remote = addr->next;
+ addr->next = NULL;
+
+ DEBUG(D_deliver|D_transport)
+ debug_printf("--------> %s <--------\n", addr->address);
+
+ /* If no transport has been set, there has been a big screw-up somewhere. */
+
+ if (!(tp = addr->transport))
+ {
+ f.disable_logging = FALSE; /* Jic */
+ panicmsg = US"No transport set by router";
+ goto panic_continue;
+ }
+
+ /* Check that this base address hasn't previously been delivered to this
+ transport.
The check is necessary at this point to handle homonymic addresses + correctly in cases where the pattern of redirection changes between delivery + attempts. Non-homonymic previous delivery is detected earlier, at routing + time. */ + + if (previously_transported(addr, FALSE)) continue; + + /* Force failure if the message is too big. */ + + if (tp->message_size_limit) + { + int rc = check_message_size(tp, addr); + if (rc != OK) + { + addr->transport_return = rc; + remote_post_process(addr, LOG_MAIN, NULL, fallback); + continue; + } + } + +/*XXX need to defeat this when DANE is used - but we don't know that yet. +So look out for the place it gets used. +*/ + + /* Get the flag which specifies whether the transport can handle different + domains that nevertheless resolve to the same set of hosts. If it needs + expanding, get variables set: $address_data, $domain_data, $localpart_data, + $host, $host_address, $host_port. */ + if (tp->expand_multi_domain) + deliver_set_expansions(addr); + + if (exp_bool(addr, US"transport", tp->name, D_transport, + US"multi_domain", tp->multi_domain, tp->expand_multi_domain, + &multi_domain) != OK) + { + deliver_set_expansions(NULL); + panicmsg = addr->message; + goto panic_continue; + } + + /* Get the maximum it can handle in one envelope, with zero meaning + unlimited, which is forced for the MUA wrapper case. */ + + address_count_max = tp->max_addresses; + if (address_count_max == 0 || mua_wrapper) address_count_max = 999999; + + + /************************************************************************/ + /***** This is slightly experimental code, but should be safe. *****/ + + /* The address_count_max value is the maximum number of addresses that the + transport can send in one envelope. However, the transport must be capable of + dealing with any number of addresses. If the number it gets exceeds its + envelope limitation, it must send multiple copies of the message. 
This can be + done over a single connection for SMTP, so uses less resources than making + multiple connections. On the other hand, if remote_max_parallel is greater + than one, it is perhaps a good idea to use parallel processing to move the + message faster, even if that results in multiple simultaneous connections to + the same host. + + How can we come to some compromise between these two ideals? What we do is to + limit the number of addresses passed to a single instance of a transport to + the greater of (a) its address limit (rcpt_max for SMTP) and (b) the total + number of addresses routed to remote transports divided by + remote_max_parallel. For example, if the message has 100 remote recipients, + remote max parallel is 2, and rcpt_max is 10, we'd never send more than 50 at + once. But if rcpt_max is 100, we could send up to 100. + + Of course, not all the remotely addresses in a message are going to go to the + same set of hosts (except in smarthost configurations), so this is just a + heuristic way of dividing up the work. + + Furthermore (1), because this may not be wanted in some cases, and also to + cope with really pathological cases, there is also a limit to the number of + messages that are sent over one connection. This is the same limit that is + used when sending several different messages over the same connection. + Continue_sequence is set when in this situation, to the number sent so + far, including this message. + + Furthermore (2), when somebody explicitly sets the maximum value to 1, it + is probably because they are using VERP, in which case they want to pass only + one address at a time to the transport, in order to be able to use + $local_part and $domain in constructing a new return path. We could test for + the use of these variables, but as it is so likely they will be used when the + maximum is 1, we don't bother. Just leave the value alone. 
*/ + + if ( address_count_max != 1 + && address_count_max < remote_delivery_count/remote_max_parallel + ) + { + int new_max = remote_delivery_count/remote_max_parallel; + int message_max = tp->connection_max_messages; + if (connection_max_messages >= 0) message_max = connection_max_messages; + message_max -= continue_sequence - 1; + if (message_max > 0 && new_max > address_count_max * message_max) + new_max = address_count_max * message_max; + address_count_max = new_max; + } + + /************************************************************************/ + + +/*XXX don't know yet if DANE will be used. So tpt will have to +check at the point if gets next addr from list, and skip/defer any +nonmatch domains +*/ + + /* Pick off all addresses which have the same transport, errors address, + destination, and extra headers. In some cases they point to the same host + list, but we also need to check for identical host lists generated from + entirely different domains. The host list pointers can be NULL in the case + where the hosts are defined in the transport. There is also a configured + maximum limit of addresses that can be handled at once (see comments above + for how it is computed). + If the transport does not handle multiple domains, enforce that also, + and if it might need a per-address check for this, re-evaluate it. 
+ */ + + while ((next = *anchor) && address_count < address_count_max) + { + BOOL md; + if ( (multi_domain || Ustrcmp(next->domain, addr->domain) == 0) + && tp == next->transport + && same_hosts(next->host_list, addr->host_list) + && same_strings(next->prop.errors_address, addr->prop.errors_address) + && same_headers(next->prop.extra_headers, addr->prop.extra_headers) + && same_ugid(tp, next, addr) + && ( next->prop.remove_headers == addr->prop.remove_headers + || ( next->prop.remove_headers + && addr->prop.remove_headers + && Ustrcmp(next->prop.remove_headers, addr->prop.remove_headers) == 0 + ) ) + && ( !multi_domain + || ( ( + (void)(!tp->expand_multi_domain || ((void)deliver_set_expansions(next), 1)), + exp_bool(addr, + US"transport", next->transport->name, D_transport, + US"multi_domain", next->transport->multi_domain, + next->transport->expand_multi_domain, &md) == OK + ) + && md + ) ) ) + { + *anchor = next->next; + next->next = NULL; + next->first = addr; /* remember top one (for retry processing) */ + last->next = next; + last = next; + address_count++; + } + else anchor = &(next->next); + deliver_set_expansions(NULL); + } + + /* If we are acting as an MUA wrapper, all addresses must go in a single + transaction. If not, put them back on the chain and yield FALSE. */ + + if (mua_wrapper && addr_remote) + { + last->next = addr_remote; + addr_remote = addr; + return FALSE; + } + + /* If the transport is limited for parallellism, enforce that here. + The hints DB entry is decremented in par_reduce(), when we reap the + transport process. */ + + if (tpt_parallel_check(tp, addr, &serialize_key)) + if ((panicmsg = expand_string_message)) + goto panic_continue; + else + continue; /* Loop for the next set of addresses. 
*/ + + /* Set up the expansion variables for this set of addresses */ + + deliver_set_expansions(addr); + + /* Ensure any transport-set auth info is fresh */ + addr->authenticator = addr->auth_id = addr->auth_sndr = NULL; + + /* Compute the return path, expanding a new one if required. The old one + must be set first, as it might be referred to in the expansion. */ + + if(addr->prop.errors_address) + return_path = addr->prop.errors_address; +#ifdef EXPERIMENTAL_SRS + else if(addr->prop.srs_sender) + return_path = addr->prop.srs_sender; +#endif + else + return_path = sender_address; + + if (tp->return_path) + { + uschar *new_return_path = expand_string(tp->return_path); + if (new_return_path) + return_path = new_return_path; + else if (!f.expand_string_forcedfail) + { + panicmsg = string_sprintf("Failed to expand return path \"%s\": %s", + tp->return_path, expand_string_message); + goto enq_continue; + } + } + + /* Find the uid, gid, and use_initgroups setting for this transport. Failure + logs and sets up error messages, so we just post-process and continue with + the next address. */ + + if (!findugid(addr, tp, &uid, &gid, &use_initgroups)) + { + panicmsg = NULL; + goto enq_continue; + } + + /* If this transport has a setup function, call it now so that it gets + run in this process and not in any subprocess. That way, the results of + any setup that are retained by the transport can be reusable. One of the + things the setup does is to set the fallback host lists in the addresses. + That is why it is called at this point, before the continue delivery + processing, because that might use the fallback hosts. */ + + if (tp->setup) + (void)((tp->setup)(addr->transport, addr, NULL, uid, gid, NULL)); + + /* If we have a connection still open from a verify stage (lazy-close) + treat it as if it is a continued connection (apart from the counter used + for the log line mark). 
*/ + + if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only) + { + DEBUG(D_deliver) + debug_printf("lazy-callout-close: have conn still open from verification\n"); + continue_transport = cutthrough.transport; + continue_hostname = string_copy(cutthrough.host.name); + continue_host_address = string_copy(cutthrough.host.address); + continue_sequence = 1; + sending_ip_address = cutthrough.snd_ip; + sending_port = cutthrough.snd_port; + smtp_peer_options = cutthrough.peer_options; + } + + /* If this is a run to continue delivery down an already-established + channel, check that this set of addresses matches the transport and + the channel. If it does not, defer the addresses. If a host list exists, + we must check that the continue host is on the list. Otherwise, the + host is set in the transport. */ + + f.continue_more = FALSE; /* In case got set for the last lot */ + if (continue_transport) + { + BOOL ok = Ustrcmp(continue_transport, tp->name) == 0; +/*XXX do we need to check for a DANEd conn vs. a change of domain? */ + + /* If the transport is about to override the host list do not check + it here but take the cost of running the transport process to discover + if the continued_hostname connection is suitable. This is a layering + violation which is unfortunate as it requires we haul in the smtp + include file. */ + + if (ok) + { + smtp_transport_options_block * ob; + + if ( !( Ustrcmp(tp->info->driver_name, "smtp") == 0 + && (ob = (smtp_transport_options_block *)tp->options_block) + && ob->hosts_override && ob->hosts + ) + && addr->host_list + ) + { + ok = FALSE; + for (host_item * h = addr->host_list; h; h = h->next) + if (Ustrcmp(h->name, continue_hostname) == 0) + /*XXX should also check port here */ + { ok = TRUE; break; } + } + } + + /* Addresses not suitable; defer or queue for fallback hosts (which + might be the continue host) and skip to next address. 
*/ + + if (!ok) + { + DEBUG(D_deliver) debug_printf("not suitable for continue_transport (%s)\n", + Ustrcmp(continue_transport, tp->name) != 0 + ? string_sprintf("tpt %s vs %s", continue_transport, tp->name) + : string_sprintf("no host matching %s", continue_hostname)); + if (serialize_key) enq_end(serialize_key); + + if (addr->fallback_hosts && !fallback) + { + for (next = addr; ; next = next->next) + { + next->host_list = next->fallback_hosts; + DEBUG(D_deliver) debug_printf("%s queued for fallback host(s)\n", next->address); + if (!next->next) break; + } + next->next = addr_fallback; + addr_fallback = addr; + } + + else + { + for (next = addr; ; next = next->next) + { + DEBUG(D_deliver) debug_printf(" %s to def list\n", next->address); + if (!next->next) break; + } + next->next = addr_defer; + addr_defer = addr; + } + + continue; + } + + /* Set a flag indicating whether there are further addresses that list + the continued host. This tells the transport to leave the channel open, + but not to pass it to another delivery process. We'd like to do that + for non-continue_transport cases too but the knowlege of which host is + connected to is too hard to manage. Perhaps we need a finer-grain + interface to the transport. */ + + for (next = addr_remote; next && !f.continue_more; next = next->next) + for (host_item * h = next->host_list; h; h = h->next) + if (Ustrcmp(h->name, continue_hostname) == 0) + { f.continue_more = TRUE; break; } + } + + /* The transports set up the process info themselves as they may connect + to more than one remote machine. They also have to set up the filter + arguments, if required, so that the host name and address are available + for expansion. */ + + transport_filter_argv = NULL; + + /* Create the pipe for inter-process communication. If pipe creation + fails, it is probably because the value of remote_max_parallel is so + large that too many file descriptors for pipes have been created. 
Arrange + to wait for a process to finish, and then try again. If we still can't + create a pipe when all processes have finished, break the retry loop. */ + + while (!pipe_done) + { + if (pipe(pfd) == 0) pipe_done = TRUE; + else if (parcount > 0) parmax = parcount; + else break; + + /* We need to make the reading end of the pipe non-blocking. There are + two different options for this. Exim is cunningly (I hope!) coded so + that it can use either of them, though it prefers O_NONBLOCK, which + distinguishes between EOF and no-more-data. */ + +/* The data appears in a timely manner and we already did a select on +all pipes, so I do not see a reason to use non-blocking IO here + +#ifdef O_NONBLOCK + (void)fcntl(pfd[pipe_read], F_SETFL, O_NONBLOCK); +#else + (void)fcntl(pfd[pipe_read], F_SETFL, O_NDELAY); +#endif +*/ + + /* If the maximum number of subprocesses already exist, wait for a process + to finish. If we ran out of file descriptors, parmax will have been reduced + from its initial value of remote_max_parallel. */ + + par_reduce(parmax - 1, fallback); + } + + /* If we failed to create a pipe and there were no processes to wait + for, we have to give up on this one. Do this outside the above loop + so that we can continue the main loop. */ + + if (!pipe_done) + { + panicmsg = string_sprintf("unable to create pipe: %s", strerror(errno)); + goto enq_continue; + } + + /* Find a free slot in the pardata list. Must do this after the possible + waiting for processes to finish, because a terminating process will free + up a slot. */ + + for (poffset = 0; poffset < remote_max_parallel; poffset++) + if (parlist[poffset].pid == 0) + break; + + /* If there isn't one, there has been a horrible disaster. 
*/ + + if (poffset >= remote_max_parallel) + { + (void)close(pfd[pipe_write]); + (void)close(pfd[pipe_read]); + panicmsg = US"Unexpectedly no free subprocess slot"; + goto enq_continue; + } + + /* Now fork a subprocess to do the remote delivery, but before doing so, + ensure that any cached resources are released so as not to interfere with + what happens in the subprocess. */ + + search_tidyup(); + + if ((pid = exim_fork(US"transport")) == 0) + { + int fd = pfd[pipe_write]; + host_item *h; + + /* Setting this global in the subprocess means we need never clear it */ + transport_name = tp->name; + + /* There are weird circumstances in which logging is disabled */ + f.disable_logging = tp->disable_logging; + + /* Show pids on debug output if parallelism possible */ + + if (parmax > 1 && (parcount > 0 || addr_remote)) + DEBUG(D_any|D_v) debug_selector |= D_pid; + + /* Reset the random number generator, so different processes don't all + have the same sequence. In the test harness we want different, but + predictable settings for each delivery process, so do something explicit + here rather they rely on the fixed reset in the random number function. */ + + random_seed = f.running_in_test_harness ? 42 + 2*delivery_count : 0; + + /* Set close-on-exec on the pipe so that it doesn't get passed on to + a new process that may be forked to do another delivery down the same + SMTP connection. */ + + (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC); + + /* Close open file descriptors for the pipes of other processes + that are running in parallel. */ + + for (poffset = 0; poffset < remote_max_parallel; poffset++) + if (parlist[poffset].pid != 0) (void)close(parlist[poffset].fd); + + /* This process has inherited a copy of the file descriptor + for the data file, but its file pointer is shared with all the + other processes running in parallel. Therefore, we have to re-open + the file in order to get a new file descriptor with its own + file pointer. 
We don't need to lock it, as the lock is held by + the parent process. There doesn't seem to be any way of doing + a dup-with-new-file-pointer. */ + + (void)close(deliver_datafile); + { + uschar * fname = spool_fname(US"input", message_subdir, message_id, US"-D"); + + if ((deliver_datafile = Uopen(fname, +#ifdef O_CLOEXEC + O_CLOEXEC | +#endif + O_RDWR | O_APPEND, 0)) < 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to reopen %s for remote " + "parallel delivery: %s", fname, strerror(errno)); + } + + /* Set the close-on-exec flag */ +#ifndef O_CLOEXEC + (void)fcntl(deliver_datafile, F_SETFD, fcntl(deliver_datafile, F_GETFD) | + FD_CLOEXEC); +#endif + + /* Set the uid/gid of this process; bombs out on failure. */ + + exim_setugid(uid, gid, use_initgroups, + string_sprintf("remote delivery to %s with transport=%s", + addr->address, tp->name)); + + /* Close the unwanted half of this process' pipe, set the process state, + and run the transport. Afterwards, transport_count will contain the number + of bytes written. */ + + (void)close(pfd[pipe_read]); + set_process_info("delivering %s using %s", message_id, tp->name); + debug_print_string(tp->debug_string); + if (!(tp->info->code)(addr->transport, addr)) replicate_status(addr); + + set_process_info("delivering %s (just run %s for %s%s in subprocess)", + message_id, tp->name, addr->address, addr->next ? ", ..." : ""); + + /* Ensure any cached resources that we used are now released */ + + search_tidyup(); + + /* Pass the result back down the pipe. This is a lot more information + than is needed for a local delivery. We have to send back the error + status for each address, the usability status for each host that is + flagged as unusable, and all the retry items. When TLS is in use, we + send also the cipher and peerdn information. Each type of information + is flagged by an identifying byte, and is then in a fixed format (with + strings terminated by zeros), and there is a final terminator at the + end. 
The host information and retry information is all attached to + the first address, so that gets sent at the start. */ + + /* Host unusability information: for most success cases this will + be null. */ + + for (h = addr->host_list; h; h = h->next) + { + if (!h->address || h->status < hstatus_unusable) continue; + sprintf(CS big_buffer, "%c%c%s", h->status, h->why, h->address); + rmt_dlv_checked_write(fd, 'H', '0', big_buffer, Ustrlen(big_buffer+2) + 3); + } + + /* The number of bytes written. This is the same for each address. Even + if we sent several copies of the message down the same connection, the + size of each one is the same, and it's that value we have got because + transport_count gets reset before calling transport_write_message(). */ + + memcpy(big_buffer, &transport_count, sizeof(transport_count)); + rmt_dlv_checked_write(fd, 'S', '0', big_buffer, sizeof(transport_count)); + + /* Information about what happened to each address. Four item types are + used: an optional 'X' item first, for TLS information, then an optional "C" + item for any client-auth info followed by 'R' items for any retry settings, + and finally an 'A' item for the remaining data. 
*/ + + for(; addr; addr = addr->next) + { + uschar *ptr; + + /* The certificate verification status goes into the flags */ + if (tls_out.certificate_verified) setflag(addr, af_cert_verified); +#ifdef SUPPORT_DANE + if (tls_out.dane_verified) setflag(addr, af_dane_verified); +#endif +# ifdef EXPERIMENTAL_TLS_RESUME + if (tls_out.resumption & RESUME_USED) setflag(addr, af_tls_resume); +# endif + + /* Use an X item only if there's something to send */ +#ifndef DISABLE_TLS + if (addr->cipher) + { + ptr = big_buffer + sprintf(CS big_buffer, "%.128s", addr->cipher) + 1; + if (!addr->peerdn) + *ptr++ = 0; + else + ptr += sprintf(CS ptr, "%.512s", addr->peerdn) + 1; + + rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer); + } + else if (continue_proxy_cipher) + { + ptr = big_buffer + sprintf(CS big_buffer, "%.128s", continue_proxy_cipher) + 1; + *ptr++ = 0; + rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer); + } + + if (addr->peercert) + { + ptr = big_buffer; + if (tls_export_cert(ptr, big_buffer_size-2, addr->peercert)) + while(*ptr++); + else + *ptr++ = 0; + rmt_dlv_checked_write(fd, 'X', '2', big_buffer, ptr - big_buffer); + } + if (addr->ourcert) + { + ptr = big_buffer; + if (tls_export_cert(ptr, big_buffer_size-2, addr->ourcert)) + while(*ptr++); + else + *ptr++ = 0; + rmt_dlv_checked_write(fd, 'X', '3', big_buffer, ptr - big_buffer); + } +# ifndef DISABLE_OCSP + if (addr->ocsp > OCSP_NOT_REQ) + { + ptr = big_buffer + sprintf(CS big_buffer, "%c", addr->ocsp + '0') + 1; + rmt_dlv_checked_write(fd, 'X', '4', big_buffer, ptr - big_buffer); + } +# endif +#endif /*DISABLE_TLS*/ + + if (client_authenticator) + { + ptr = big_buffer + sprintf(CS big_buffer, "%.64s", client_authenticator) + 1; + rmt_dlv_checked_write(fd, 'C', '1', big_buffer, ptr - big_buffer); + } + if (client_authenticated_id) + { + ptr = big_buffer + sprintf(CS big_buffer, "%.64s", client_authenticated_id) + 1; + rmt_dlv_checked_write(fd, 'C', '2', big_buffer, ptr - 
big_buffer); + } + if (client_authenticated_sender) + { + ptr = big_buffer + sprintf(CS big_buffer, "%.64s", client_authenticated_sender) + 1; + rmt_dlv_checked_write(fd, 'C', '3', big_buffer, ptr - big_buffer); + } + +#ifndef DISABLE_PRDR + if (testflag(addr, af_prdr_used)) + rmt_dlv_checked_write(fd, 'P', '0', NULL, 0); +#endif + + if (testflag(addr, af_pipelining)) +#ifndef DISABLE_PIPE_CONNECT + if (testflag(addr, af_early_pipe)) + rmt_dlv_checked_write(fd, 'L', '2', NULL, 0); + else +#endif + rmt_dlv_checked_write(fd, 'L', '1', NULL, 0); + + if (testflag(addr, af_chunking_used)) + rmt_dlv_checked_write(fd, 'K', '0', NULL, 0); + + if (testflag(addr, af_tcp_fastopen_conn)) + rmt_dlv_checked_write(fd, 'T', + testflag(addr, af_tcp_fastopen) ? testflag(addr, af_tcp_fastopen_data) + ? '2' : '1' : '0', + NULL, 0); + + memcpy(big_buffer, &addr->dsn_aware, sizeof(addr->dsn_aware)); + rmt_dlv_checked_write(fd, 'D', '0', big_buffer, sizeof(addr->dsn_aware)); + + /* Retry information: for most success cases this will be null. 
*/ + + for (retry_item * r = addr->retries; r; r = r->next) + { + sprintf(CS big_buffer, "%c%.500s", r->flags, r->key); + ptr = big_buffer + Ustrlen(big_buffer+2) + 3; + memcpy(ptr, &r->basic_errno, sizeof(r->basic_errno)); + ptr += sizeof(r->basic_errno); + memcpy(ptr, &r->more_errno, sizeof(r->more_errno)); + ptr += sizeof(r->more_errno); + if (!r->message) *ptr++ = 0; else + { + sprintf(CS ptr, "%.512s", r->message); + while(*ptr++); + } + rmt_dlv_checked_write(fd, 'R', '0', big_buffer, ptr - big_buffer); + } + +#ifdef SUPPORT_SOCKS + if (LOGGING(proxy) && proxy_session) + { + ptr = big_buffer; + if (proxy_local_address) + { + DEBUG(D_deliver) debug_printf("proxy_local_address '%s'\n", proxy_local_address); + ptr = big_buffer + sprintf(CS ptr, "%.128s", proxy_local_address) + 1; + DEBUG(D_deliver) debug_printf("proxy_local_port %d\n", proxy_local_port); + memcpy(ptr, &proxy_local_port, sizeof(proxy_local_port)); + ptr += sizeof(proxy_local_port); + } + else + *ptr++ = '\0'; + rmt_dlv_checked_write(fd, 'A', '2', big_buffer, ptr - big_buffer); + } +#endif + +#ifdef EXPERIMENTAL_DSN_INFO +/*um, are they really per-addr? Other per-conn stuff is not (auth, tls). But host_used is! */ + if (addr->smtp_greeting) + { + DEBUG(D_deliver) debug_printf("smtp_greeting '%s'\n", addr->smtp_greeting); + ptr = big_buffer + sprintf(CS big_buffer, "%.128s", addr->smtp_greeting) + 1; + if (addr->helo_response) + { + DEBUG(D_deliver) debug_printf("helo_response '%s'\n", addr->helo_response); + ptr += sprintf(CS ptr, "%.128s", addr->helo_response) + 1; + } + else + *ptr++ = '\0'; + rmt_dlv_checked_write(fd, 'A', '1', big_buffer, ptr - big_buffer); + } +#endif + + /* The rest of the information goes in an 'A0' item. 
*/ + + sprintf(CS big_buffer, "%c%c", addr->transport_return, addr->special_action); + ptr = big_buffer + 2; + memcpy(ptr, &addr->basic_errno, sizeof(addr->basic_errno)); + ptr += sizeof(addr->basic_errno); + memcpy(ptr, &addr->more_errno, sizeof(addr->more_errno)); + ptr += sizeof(addr->more_errno); + memcpy(ptr, &addr->delivery_time, sizeof(addr->delivery_time)); + ptr += sizeof(addr->delivery_time); + memcpy(ptr, &addr->flags, sizeof(addr->flags)); + ptr += sizeof(addr->flags); + + if (!addr->message) *ptr++ = 0; else + ptr += sprintf(CS ptr, "%.1024s", addr->message) + 1; + + if (!addr->user_message) *ptr++ = 0; else + ptr += sprintf(CS ptr, "%.1024s", addr->user_message) + 1; + + if (!addr->host_used) *ptr++ = 0; else + { + ptr += sprintf(CS ptr, "%.256s", addr->host_used->name) + 1; + ptr += sprintf(CS ptr, "%.64s", addr->host_used->address) + 1; + memcpy(ptr, &addr->host_used->port, sizeof(addr->host_used->port)); + ptr += sizeof(addr->host_used->port); + + /* DNS lookup status */ + *ptr++ = addr->host_used->dnssec==DS_YES ? '2' + : addr->host_used->dnssec==DS_NO ? '1' : '0'; + + } + rmt_dlv_checked_write(fd, 'A', '0', big_buffer, ptr - big_buffer); + } + + /* Local interface address/port */ +#ifdef EXPERIMENTAL_DSN_INFO + if (sending_ip_address) +#else + if (LOGGING(incoming_interface) && sending_ip_address) +#endif + { + uschar * ptr; + ptr = big_buffer + sprintf(CS big_buffer, "%.128s", sending_ip_address) + 1; + ptr += sprintf(CS ptr, "%d", sending_port) + 1; + rmt_dlv_checked_write(fd, 'I', '0', big_buffer, ptr - big_buffer); + } + + /* Add termination flag, close the pipe, and that's it. The character + after 'Z' indicates whether continue_transport is now NULL or not. + A change from non-NULL to NULL indicates a problem with a continuing + connection. */ + + big_buffer[0] = continue_transport ? 
'1' : '0'; + rmt_dlv_checked_write(fd, 'Z', '0', big_buffer, 1); + (void)close(fd); + exit(EXIT_SUCCESS); + } + + /* Back in the mainline: close the unwanted half of the pipe. */ + + (void)close(pfd[pipe_write]); + + /* If we have a connection still open from a verify stage (lazy-close) + release its TLS library context (if any) as responsibility was passed to + the delivery child process. */ + + if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only) + { +#ifndef DISABLE_TLS + if (cutthrough.is_tls) + tls_close(cutthrough.cctx.tls_ctx, TLS_NO_SHUTDOWN); +#endif + (void) close(cutthrough.cctx.sock); + release_cutthrough_connection(US"passed to transport proc"); + } + + /* Fork failed; defer with error message */ + + if (pid == -1) + { + (void)close(pfd[pipe_read]); + panicmsg = string_sprintf("fork failed for remote delivery to %s: %s", + addr->domain, strerror(errno)); + goto enq_continue; + } + + /* Fork succeeded; increment the count, and remember relevant data for + when the process finishes. */ + + parcount++; + parlist[poffset].addrlist = parlist[poffset].addr = addr; + parlist[poffset].pid = pid; + parlist[poffset].fd = pfd[pipe_read]; + parlist[poffset].done = FALSE; + parlist[poffset].msg = NULL; + parlist[poffset].return_path = return_path; + + /* If the process we've just started is sending a message down an existing + channel, wait for it now. This ensures that only one such process runs at + once, whatever the value of remote_max parallel. Otherwise, we might try to + send two or more messages simultaneously down the same channel. This could + happen if there are different domains that include the same host in otherwise + different host lists. + + Also, if the transport closes down the channel, this information gets back + (continue_transport gets set to NULL) before we consider any other addresses + in this message. 
*/ + + if (continue_transport) par_reduce(0, fallback); + + /* Otherwise, if we are running in the test harness, wait a bit, to let the + newly created process get going before we create another process. This should + ensure repeatability in the tests. Wait long enough for most cases to complete + the transport. */ + + else testharness_pause_ms(600); + + continue; + +enq_continue: + if (serialize_key) enq_end(serialize_key); +panic_continue: + remote_post_process(addr, LOG_MAIN|LOG_PANIC, panicmsg, fallback); + continue; + } + +/* Reached the end of the list of addresses. Wait for all the subprocesses that +are still running and post-process their addresses. */ + +par_reduce(0, fallback); +return TRUE; +} + + + + +/************************************************* +* Split an address into local part and domain * +*************************************************/ + +/* This function initializes an address for routing by splitting it up into a +local part and a domain. The local part is set up twice - once in its original +casing, and once in lower case, and it is dequoted. We also do the "percent +hack" for configured domains. This may lead to a DEFER result if a lookup +defers. When a percent-hacking takes place, we insert a copy of the original +address as a new parent of this address, as if we have had a redirection. + +Argument: + addr points to an addr_item block containing the address + +Returns: OK + DEFER - could not determine if domain is %-hackable +*/ + +int +deliver_split_address(address_item * addr) +{ +uschar * address = addr->address; +uschar * domain; +uschar * t; +int len; + +if (!(domain = Ustrrchr(address, '@'))) + return DEFER; /* should always have a domain, but just in case... 
*/ + +len = domain - address; +addr->domain = string_copylc(domain+1); /* Domains are always caseless */ + +/* The implication in the RFCs (though I can't say I've seen it spelled out +explicitly) is that quoting should be removed from local parts at the point +where they are locally interpreted. [The new draft "821" is more explicit on +this, Jan 1999.] We know the syntax is valid, so this can be done by simply +removing quoting backslashes and any unquoted doublequotes. */ + +t = addr->cc_local_part = store_get(len+1, is_tainted(address)); +while(len-- > 0) + { + int c = *address++; + if (c == '\"') continue; + if (c == '\\') + { + *t++ = *address++; + len--; + } + else *t++ = c; + } +*t = 0; + +/* We do the percent hack only for those domains that are listed in +percent_hack_domains. A loop is required, to copy with multiple %-hacks. */ + +if (percent_hack_domains) + { + int rc; + uschar *new_address = NULL; + uschar *local_part = addr->cc_local_part; + + deliver_domain = addr->domain; /* set $domain */ + + while ( (rc = match_isinlist(deliver_domain, (const uschar **)&percent_hack_domains, 0, + &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE, NULL)) + == OK + && (t = Ustrrchr(local_part, '%')) != NULL + ) + { + new_address = string_copy(local_part); + new_address[t - local_part] = '@'; + deliver_domain = string_copylc(t+1); + local_part = string_copyn(local_part, t - local_part); + } + + if (rc == DEFER) return DEFER; /* lookup deferred */ + + /* If hackery happened, set up new parent and alter the current address. 
*/ + + if (new_address) + { + address_item *new_parent = store_get(sizeof(address_item), FALSE); + *new_parent = *addr; + addr->parent = new_parent; + new_parent->child_count = 1; + addr->address = new_address; + addr->unique = string_copy(new_address); + addr->domain = deliver_domain; + addr->cc_local_part = local_part; + DEBUG(D_deliver) debug_printf("%%-hack changed address to: %s\n", + addr->address); + } + } + +/* Create the lowercased version of the final local part, and make that the +default one to be used. */ + +addr->local_part = addr->lc_local_part = string_copylc(addr->cc_local_part); +return OK; +} + + + + +/************************************************* +* Get next error message text * +*************************************************/ + +/* If f is not NULL, read the next "paragraph", from a customized error message +text file, terminated by a line containing ****, and expand it. + +Arguments: + f NULL or a file to read from + which string indicating which string (for errors) + +Returns: NULL or an expanded string +*/ + +static uschar * +next_emf(FILE *f, uschar *which) +{ +uschar *yield; +gstring * para; +uschar buffer[256]; + +if (!f) return NULL; + +if (!Ufgets(buffer, sizeof(buffer), f) || Ustrcmp(buffer, "****\n") == 0) + return NULL; + +para = string_get(256); +for (;;) + { + para = string_cat(para, buffer); + if (!Ufgets(buffer, sizeof(buffer), f) || Ustrcmp(buffer, "****\n") == 0) + break; + } +if ((yield = expand_string(string_from_gstring(para)))) + return yield; + +log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand string from " + "bounce_message_file or warn_message_file (%s): %s", which, + expand_string_message); +return NULL; +} + + + + +/************************************************* +* Close down a passed transport channel * +*************************************************/ + +/* This function is called when a passed transport channel cannot be used. +It attempts to close it down tidily. 
The yield is always DELIVER_NOT_ATTEMPTED
+so that the function call can be the argument of a "return" statement.
+
+Arguments: None
+Returns: DELIVER_NOT_ATTEMPTED
+*/
+
+static int
+continue_closedown(void)
+{
+if (continue_transport)
+ for (transport_instance * t = transports; t; t = t->next)
+ if (Ustrcmp(t->name, continue_transport) == 0)
+ {
+ if (t->info->closedown) (t->info->closedown)(t);
+ break;
+ }
+return DELIVER_NOT_ATTEMPTED;
+}
+
+
+
+
+/*************************************************
+* Print address information *
+*************************************************/
+
+/* This function is called to output an address, or information about an
+address, for bounce or defer messages. If the hide_child flag is set, all we
+output is the original ancestor address.
+
+Arguments:
+ addr points to the address
+ f the FILE to print to
+ si an initial string
+ sc a continuation string for before "generated"
+ se an end string
+
+Returns: TRUE if the address is not hidden
+*/
+
+static BOOL
+print_address_information(address_item *addr, FILE *f, uschar *si, uschar *sc,
+ uschar *se)
+{
+BOOL yield = TRUE;
+uschar *printed = US"";
+address_item *ancestor = addr;
+while (ancestor->parent) ancestor = ancestor->parent;
+
+fprintf(f, "%s", CS si);
+
+if (addr->parent && testflag(addr, af_hide_child))
+ {
+ printed = US"an undisclosed address";
+ yield = FALSE;
+ }
+else if (!testflag(addr, af_pfr) || !addr->parent)
+ printed = addr->address;
+
+else
+ {
+ uschar *s = addr->address;
+ uschar *ss;
+
+ if (addr->address[0] == '>') { ss = US"mail"; s++; }
+ else if (addr->address[0] == '|') ss = US"pipe";
+ else ss = US"save";
+
+ fprintf(f, "%s to %s%sgenerated by ", ss, s, sc);
+ printed = addr->parent->address;
+ }
+
+fprintf(f, "%s", CS string_printing(printed));
+
+if (ancestor != addr)
+ {
+ uschar *original = ancestor->onetime_parent;
+ if (!original) original= ancestor->address;
+ if (strcmpic(original, printed) != 0)
+ fprintf(f, "%s(%sgenerated from %s)",
sc,
+ ancestor != addr->parent ? "ultimately " : "",
+ string_printing(original));
+ }
+
+if (addr->host_used)
+ fprintf(f, "\n host %s [%s]",
+ addr->host_used->name, addr->host_used->address);
+
+fprintf(f, "%s", CS se);
+return yield;
+}
+
+
+
+
+
+/*************************************************
+* Print error for an address *
+*************************************************/
+
+/* This function is called to print the error information out of an address for
+a bounce or a warning message. It tries to format the message reasonably by
+introducing newlines. All lines are indented by 4; the initial printing
+position must be set before calling.
+
+This function used always to print the error. Nowadays we want to restrict it
+to cases such as LMTP/SMTP errors from a remote host, and errors from :fail:
+and filter "fail". We no longer pass other information willy-nilly in bounce
+and warning messages. Text in user_message is always output; text in message
+only if the af_pass_message flag is set.
+
+Arguments:
+ addr the address
+ f the FILE to print on
+ t some leading text
+
+Returns: nothing
+*/
+
+static void
+print_address_error(address_item *addr, FILE *f, uschar *t)
+{
+int count = Ustrlen(t);
+uschar *s = testflag(addr, af_pass_message) ? addr->message : NULL;
+
+if (!s && !(s = addr->user_message))
+ return;
+
+fprintf(f, "\n %s", t);
+
+while (*s)
+ if (*s == '\\' && s[1] == 'n')
+ {
+ fprintf(f, "\n ");
+ s += 2;
+ count = 0;
+ }
+ else
+ {
+ fputc(*s, f);
+ count++;
+ if (*s++ == ':' && isspace(*s) && count > 45)
+ {
+ fprintf(f, "\n "); /* sic (because space follows) */
+ count = 0;
+ }
+ }
+}
+
+
+/***********************************************************
+* Print Diagnostic-Code for an address *
+************************************************************/
+
+/* This function is called to print the error information out of an address for
+a bounce or a warning message.
It tries to format the message reasonably as
+required by RFC 3461 by adding a space after each newline
+
+it uses the same logic as print_address_error() above. if af_pass_message is true
+and addr->message is set it uses the remote host answer. if not addr->user_message
+is used instead if available.
+
+Arguments:
+ addr the address
+ f the FILE to print on
+
+Returns: nothing
+*/
+
+static void
+print_dsn_diagnostic_code(const address_item *addr, FILE *f)
+{
+uschar * s = testflag(addr, af_pass_message) ? addr->message : NULL;
+unsigned cnt;
+
+/* af_pass_message and addr->message set ? print remote host answer */
+if (s)
+ {
+ DEBUG(D_deliver)
+ debug_printf("DSN Diagnostic-Code: addr->message = %s\n", addr->message);
+
+ /* search first ": ". we assume to find the remote-MTA answer there */
+ if (!(s = Ustrstr(addr->message, ": ")))
+ return; /* not found, bail out */
+ s += 2; /* skip ": " */
+ cnt = fprintf(f, "Diagnostic-Code: smtp; ");
+ }
+/* no message available. do nothing */
+else return;
+
+while (*s)
+ {
+ if (cnt > 950) /* RFC line length limit: 998 */
+ {
+ DEBUG(D_deliver) debug_printf("print_dsn_diagnostic_code() truncated line\n");
+ fputs("[truncated]", f);
+ break;
+ }
+
+ if (*s == '\\' && s[1] == 'n')
+ {
+ fputs("\n ", f); /* as defined in RFC 3461 */
+ s += 2;
+ cnt += 2;
+ }
+ else
+ {
+ fputc(*s++, f);
+ cnt++;
+ }
+ }
+
+fputc('\n', f);
+}
+
+
+/*************************************************
+* Check list of addresses for duplication *
+*************************************************/
+
+/* This function was introduced when the test for duplicate addresses that are
+not pipes, files, or autoreplies was moved from the middle of routing to when
+routing was complete. That was to fix obscure cases when the routing history
+affects the subsequent routing of identical addresses. This function is called
+after routing, to check that the final routed addresses are not duplicates.
+
+If we detect a duplicate, we remember what it is a duplicate of. Note that
+pipe, file, and autoreply de-duplication is handled during routing, so we must
+leave such "addresses" alone here, as otherwise they will incorrectly be
+discarded.
+
+Argument: address of list anchor
+Returns: nothing
+*/
+
+static void
+do_duplicate_check(address_item **anchor)
+{
+address_item *addr;
+while ((addr = *anchor))
+ {
+ tree_node *tnode;
+ if (testflag(addr, af_pfr))
+ {
+ anchor = &(addr->next);
+ }
+ else if ((tnode = tree_search(tree_duplicates, addr->unique)))
+ {
+ DEBUG(D_deliver|D_route)
+ debug_printf("%s is a duplicate address: discarded\n", addr->unique);
+ *anchor = addr->next;
+ addr->dupof = tnode->data.ptr;
+ addr->next = addr_duplicate;
+ addr_duplicate = addr;
+ }
+ else
+ {
+ tree_add_duplicate(addr->unique, addr);
+ anchor = &(addr->next);
+ }
+ }
+}
+
+
+
+
+/************************************************/
+
+static void
+print_dsn_addr_action(FILE * f, address_item * addr,
+ uschar * action, uschar * status)
+{
+address_item * pa;
+
+if (addr->dsn_orcpt)
+ fprintf(f,"Original-Recipient: %s\n", addr->dsn_orcpt);
+
+for (pa = addr; pa->parent; ) pa = pa->parent;
+fprintf(f, "Action: %s\n"
+ "Final-Recipient: rfc822;%s\n"
+ "Status: %s\n",
+ action, pa->address, status);
+}
+
+
+
+/* When running in the test harness, there's an option that allows us to
+fudge this time so as to get repeatability of the tests. Take the first
+time off the list. In queue runs, the list pointer gets updated in the
+calling process.
 */
+
+int
+test_harness_fudged_queue_time(int actual_time)
+{
+int qt;
+if ( f.running_in_test_harness && *fudged_queue_times
+ && (qt = readconf_readtime(fudged_queue_times, '/', FALSE)) >= 0)
+ {
+ DEBUG(D_deliver) debug_printf("fudged queue_times = %s\n",
+ fudged_queue_times);
+ return qt;
+ }
+return actual_time;
+}
+
+/************************************************/
+
+static FILE *
+expand_open(const uschar * filename,
+ const uschar * varname, const uschar * reason)
+{
+const uschar * s = expand_cstring(filename);
+FILE * fp = NULL;
+
+if (!s || !*s)
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "Failed to expand %s: '%s'\n", varname, filename);
+else if (*s != '/' || is_tainted(s))
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "%s is not %s after expansion: '%s'\n",
+ varname, *s == '/' ? "untainted" : "absolute", s);
+else if (!(fp = Ufopen(s, "rb")))
+ log_write(0, LOG_MAIN|LOG_PANIC, "Failed to open %s for %s "
+ "message texts: %s", s, reason, strerror(errno));
+return fp;
+}
+
+/*************************************************
+* Deliver one message *
+*************************************************/
+
+/* This is the function which is called when a message is to be delivered. It
+is passed the id of the message. It is possible that the message no longer
+exists, if some other process has delivered it, and it is also possible that
+the message is being worked on by another process, in which case the data file
+will be locked.
+
+If no delivery is attempted for any of the above reasons, the function returns
+DELIVER_NOT_ATTEMPTED.
+
+If the give_up flag is set true, do not attempt any deliveries, but instead
+fail all outstanding addresses and return the message to the sender (or
+whoever).
+
+A delivery operation has a process all to itself; we never deliver more than
+one message in the same process. Therefore we needn't worry too much about
+store leakage.
+
+Liable to be called as root.
+
+Arguments:
+ id the id of the message to be delivered
+ forced TRUE if delivery was forced by an administrator; this overrides
+ retry delays and causes a delivery to be tried regardless
+ give_up TRUE if an administrator has requested that delivery attempts
+ be abandoned
+
+Returns: When the global variable mua_wrapper is FALSE:
+ DELIVER_ATTEMPTED_NORMAL if a delivery attempt was made
+ DELIVER_NOT_ATTEMPTED otherwise (see comment above)
+ When the global variable mua_wrapper is TRUE:
+ DELIVER_MUA_SUCCEEDED if delivery succeeded
+ DELIVER_MUA_FAILED if delivery failed
+ DELIVER_NOT_ATTEMPTED if not attempted (should not occur)
+*/
+
+int
+deliver_message(uschar *id, BOOL forced, BOOL give_up)
+{
+int i, rc;
+int final_yield = DELIVER_ATTEMPTED_NORMAL;
+time_t now = time(NULL);
+address_item *addr_last = NULL;
+uschar *filter_message = NULL;
+int process_recipients = RECIP_ACCEPT;
+open_db dbblock;
+open_db *dbm_file;
+extern int acl_where;
+uschar *info;
+
+#ifdef MEASURE_TIMING
+report_time_since(×tamp_startup, US"delivery start"); /* testcase 0022, 2100 */
+#endif
+
+info = queue_run_pid == (pid_t)0
+ ? string_sprintf("delivering %s", id)
+ : string_sprintf("delivering %s (queue run pid %d)", id, queue_run_pid);
+
+/* If the D_process_info bit is on, set_process_info() will output debugging
+information. If not, we want to show this initial information if D_deliver or
+D_queue_run is set or in verbose mode. */
+
+set_process_info("%s", info);
+
+if ( !(debug_selector & D_process_info)
+ && (debug_selector & (D_deliver|D_queue_run|D_v))
+ )
+ debug_printf("%s\n", info);
+
+/* Ensure that we catch any subprocesses that are created. Although Exim
+sets SIG_DFL as its initial default, some routes through the code end up
+here with it set to SIG_IGN - cases where a non-synchronous delivery process
+has been forked, but no re-exec has been done.
We use sigaction rather than
+plain signal() on those OS where SA_NOCLDWAIT exists, because we want to be
+sure it is turned off. (There was a problem on AIX with this.) */
+
+#ifdef SA_NOCLDWAIT
+ {
+ struct sigaction act;
+ act.sa_handler = SIG_DFL;
+ sigemptyset(&(act.sa_mask));
+ act.sa_flags = 0;
+ sigaction(SIGCHLD, &act, NULL);
+ }
+#else
+signal(SIGCHLD, SIG_DFL);
+#endif
+
+/* Make the forcing flag available for routers and transports, set up the
+global message id field, and initialize the count for returned files and the
+message size. This use of strcpy() is OK because the length id is checked when
+it is obtained from a command line (the -M or -q options), and otherwise it is
+known to be a valid message id. */
+
+if (id != message_id)
+ Ustrcpy(message_id, id);
+f.deliver_force = forced;
+return_count = 0;
+message_size = 0;
+
+/* Initialize some flags */
+
+update_spool = FALSE;
+remove_journal = TRUE;
+
+/* Set a known context for any ACLs we call via expansions */
+acl_where = ACL_WHERE_DELIVERY;
+
+/* Reset the random number generator, so that if several delivery processes are
+started from a queue runner that has already used random numbers (for sorting),
+they don't all get the same sequence. */
+
+random_seed = 0;
+
+/* Open and lock the message's data file. Exim locks on this one because the
+header file may get replaced as it is re-written during the delivery process.
+Any failures cause messages to be written to the log, except for missing files
+while queue running - another process probably completed delivery. As part of
+opening the data file, message_subdir gets set. */
+
+if ((deliver_datafile = spool_open_datafile(id)) < 0)
+ return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
+
+/* The value of message_size at this point has been set to the data length,
+plus one for the blank line that notionally precedes the data.
 */
+
+/* Now read the contents of the header file, which will set up the headers in
+store, and also the list of recipients and the tree of non-recipients and
+assorted flags. It updates message_size. If there is a reading or format error,
+give up; if the message has been around for sufficiently long, remove it. */
+
+ {
+ uschar * spoolname = string_sprintf("%s-H", id);
+ if ((rc = spool_read_header(spoolname, TRUE, TRUE)) != spool_read_OK)
+ {
+ if (errno == ERRNO_SPOOLFORMAT)
+ {
+ struct stat statbuf;
+ if (Ustat(spool_fname(US"input", message_subdir, spoolname, US""),
+ &statbuf) == 0)
+ log_write(0, LOG_MAIN, "Format error in spool file %s: "
+ "size=" OFF_T_FMT, spoolname, statbuf.st_size);
+ else
+ log_write(0, LOG_MAIN, "Format error in spool file %s", spoolname);
+ }
+ else
+ log_write(0, LOG_MAIN, "Error reading spool file %s: %s", spoolname,
+ strerror(errno));
+
+ /* If we managed to read the envelope data, received_time contains the
+ time the message was received. Otherwise, we can calculate it from the
+ message id. */
+
+ if (rc != spool_read_hdrerror)
+ {
+ received_time.tv_sec = received_time.tv_usec = 0;
+ /*XXX subsec precision?*/
+ for (i = 0; i < 6; i++)
+ received_time.tv_sec = received_time.tv_sec * BASE_62 + tab62[id[i] - '0'];
+ }
+
+ /* If we've had this malformed message too long, sling it. */
+
+ if (now - received_time.tv_sec > keep_malformed)
+ {
+ Uunlink(spool_fname(US"msglog", message_subdir, id, US""));
+ Uunlink(spool_fname(US"input", message_subdir, id, US"-D"));
+ Uunlink(spool_fname(US"input", message_subdir, id, US"-H"));
+ Uunlink(spool_fname(US"input", message_subdir, id, US"-J"));
+ log_write(0, LOG_MAIN, "Message removed because older than %s",
+ readconf_printtime(keep_malformed));
+ }
+
+ (void)close(deliver_datafile);
+ deliver_datafile = -1;
+ return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
+ }
+ }
+
+/* The spool header file has been read.
Look to see if there is an existing
+journal file for this message. If there is, it means that a previous delivery
+attempt crashed (program or host) before it could update the spool header file.
+Read the list of delivered addresses from the journal and add them to the
+nonrecipients tree. Then update the spool file. We can leave the journal in
+existence, as it will get further successful deliveries added to it in this
+run, and it will be deleted if this function gets to its end successfully.
+Otherwise it might be needed again. */
+
+ {
+ uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");
+ FILE * jread;
+
+ if ( (journal_fd = Uopen(fname, O_RDWR|O_APPEND
+#ifdef O_CLOEXEC
+ | O_CLOEXEC
+#endif
+#ifdef O_NOFOLLOW
+ | O_NOFOLLOW
+#endif
+ , SPOOL_MODE)) >= 0
+ && lseek(journal_fd, 0, SEEK_SET) == 0
+ && (jread = fdopen(journal_fd, "rb"))
+ )
+ {
+ while (Ufgets(big_buffer, big_buffer_size, jread))
+ {
+ int n = Ustrlen(big_buffer);
+ big_buffer[n-1] = 0;
+ tree_add_nonrecipient(big_buffer);
+ DEBUG(D_deliver) debug_printf("Previously delivered address %s taken from "
+ "journal file\n", big_buffer);
+ }
+ rewind(jread);
+ if ((journal_fd = dup(fileno(jread))) < 0)
+ journal_fd = fileno(jread);
+ else
+ (void) fclose(jread); /* Try to not leak the FILE resource */
+
+ /* Panic-dies on error */
+ (void)spool_write_header(message_id, SW_DELIVERING, NULL);
+ }
+ else if (errno != ENOENT)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC, "attempt to open journal for reading gave: "
+ "%s", strerror(errno));
+ return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
+ }
+
+ /* A null recipients list indicates some kind of disaster. */
+
+ if (!recipients_list)
+ {
+ (void)close(deliver_datafile);
+ deliver_datafile = -1;
+ log_write(0, LOG_MAIN, "Spool error: no recipients for %s", fname);
+ return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
+ }
+ }
+
+
+/* Handle a message that is frozen.
There are a number of different things that
+can happen, but in the default situation, unless forced, no delivery is
+attempted. */
+
+if (f.deliver_freeze)
+ {
+#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
+ /* Moving to another directory removes the message from Exim's view. Other
+ tools must be used to deal with it. Logging of this action happens in
+ spool_move_message() and its subfunctions. */
+
+ if ( move_frozen_messages
+ && spool_move_message(id, message_subdir, US"", US"F")
+ )
+ return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
+#endif
+
+ /* For all frozen messages (bounces or not), timeout_frozen_after sets the
+ maximum time to keep messages that are frozen. Thaw if we reach it, with a
+ flag causing all recipients to be failed. The time is the age of the
+ message, not the time since freezing. */
+
+ if (timeout_frozen_after > 0 && message_age >= timeout_frozen_after)
+ {
+ log_write(0, LOG_MAIN, "cancelled by timeout_frozen_after");
+ process_recipients = RECIP_FAIL_TIMEOUT;
+ }
+
+ /* For bounce messages (and others with no sender), thaw if the error message
+ ignore timer is exceeded. The message will be discarded if this delivery
+ fails. */
+
+ else if (!*sender_address && message_age >= ignore_bounce_errors_after)
+ log_write(0, LOG_MAIN, "Unfrozen by errmsg timer");
+
+ /* If this is a bounce message, or there's no auto thaw, or we haven't
+ reached the auto thaw time yet, and this delivery is not forced by an admin
+ user, do not attempt delivery of this message. Note that forced is set for
+ continuing messages down the same channel, in order to skip load checking and
+ ignore hold domains, but we don't want unfreezing in that case.
 */
+
+ else
+ {
+ if ( ( sender_address[0] == 0
+ || auto_thaw <= 0
+ || now <= deliver_frozen_at + auto_thaw
+ )
+ && ( !forced || !f.deliver_force_thaw
+ || !f.admin_user || continue_hostname
+ ) )
+ {
+ (void)close(deliver_datafile);
+ deliver_datafile = -1;
+ log_write(L_skip_delivery, LOG_MAIN, "Message is frozen");
+ return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
+ }
+
+ /* If delivery was forced (by an admin user), assume a manual thaw.
+ Otherwise it's an auto thaw. */
+
+ if (forced)
+ {
+ f.deliver_manual_thaw = TRUE;
+ log_write(0, LOG_MAIN, "Unfrozen by forced delivery");
+ }
+ else log_write(0, LOG_MAIN, "Unfrozen by auto-thaw");
+ }
+
+ /* We get here if any of the rules for unfreezing have triggered. */
+
+ f.deliver_freeze = FALSE;
+ update_spool = TRUE;
+ }
+
+
+/* Open the message log file if we are using them. This records details of
+deliveries, deferments, and failures for the benefit of the mail administrator.
+The log is not used by exim itself to track the progress of a message; that is
+done by rewriting the header spool file. */
+
+if (message_logs)
+ {
+ uschar * fname = spool_fname(US"msglog", message_subdir, id, US"");
+ uschar * error;
+ int fd;
+
+ if ((fd = open_msglog_file(fname, SPOOL_MODE, &error)) < 0)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't %s message log %s: %s", error,
+ fname, strerror(errno));
+ return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
+ }
+
+ /* Make a C stream out of it. */
+
+ if (!(message_log = fdopen(fd, "a")))
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't fdopen message log %s: %s",
+ fname, strerror(errno));
+ return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
+ }
+ }
+
+
+/* If asked to give up on a message, log who did it, and set the action for all
+the addresses. */
+
+if (give_up)
+ {
+ struct passwd *pw = getpwuid(real_uid);
+ log_write(0, LOG_MAIN, "cancelled by %s",
+ pw ?
US pw->pw_name : string_sprintf("uid %ld", (long int)real_uid));
+ process_recipients = RECIP_FAIL;
+ }
+
+/* Otherwise, if there are too many Received: headers, fail all recipients. */
+
+else if (received_count > received_headers_max)
+ process_recipients = RECIP_FAIL_LOOP;
+
+/* Otherwise, if a system-wide, address-independent message filter is
+specified, run it now, except in the case when we are failing all recipients as
+a result of timeout_frozen_after. If the system filter yields "delivered", then
+ignore the true recipients of the message. Failure of the filter file is
+logged, and the delivery attempt fails. */
+
+else if (system_filter && process_recipients != RECIP_FAIL_TIMEOUT)
+ {
+ int rc;
+ int filtertype;
+ ugid_block ugid;
+ redirect_block redirect;
+
+ if (system_filter_uid_set)
+ {
+ ugid.uid = system_filter_uid;
+ ugid.gid = system_filter_gid;
+ ugid.uid_set = ugid.gid_set = TRUE;
+ }
+ else
+ ugid.uid_set = ugid.gid_set = FALSE;
+
+ return_path = sender_address;
+ f.enable_dollar_recipients = TRUE; /* Permit $recipients in system filter */
+ f.system_filtering = TRUE;
+
+ /* Any error in the filter file causes a delivery to be abandoned. */
+
+ redirect.string = system_filter;
+ redirect.isfile = TRUE;
+ redirect.check_owner = redirect.check_group = FALSE;
+ redirect.owners = NULL;
+ redirect.owngroups = NULL;
+ redirect.pw = NULL;
+ redirect.modemask = 0;
+
+ DEBUG(D_deliver|D_filter) debug_printf("running system filter\n");
+
+ rc = rda_interpret(
+ &redirect, /* Where the data is */
+ RDO_DEFER | /* Turn on all the enabling options */
+ RDO_FAIL | /* Leave off all the disabling options */
+ RDO_FILTER |
+ RDO_FREEZE |
+ RDO_REALLOG |
+ RDO_REWRITE,
+ NULL, /* No :include: restriction (not used in filter) */
+ NULL, /* No sieve vacation directory (not sieve!) */
+ NULL, /* No sieve enotify mailto owner (not sieve!) */
+ NULL, /* No sieve user address (not sieve!) */
+ NULL, /* No sieve subaddress (not sieve!)
 */
+ &ugid, /* uid/gid data */
+ &addr_new, /* Where to hang generated addresses */
+ &filter_message, /* Where to put error message */
+ NULL, /* Don't skip syntax errors */
+ &filtertype, /* Will always be set to FILTER_EXIM for this call */
+ US"system filter"); /* For error messages */
+
+ DEBUG(D_deliver|D_filter) debug_printf("system filter returned %d\n", rc);
+
+ if (rc == FF_ERROR || rc == FF_NONEXIST)
+ {
+ (void)close(deliver_datafile);
+ deliver_datafile = -1;
+ log_write(0, LOG_MAIN|LOG_PANIC, "Error in system filter: %s",
+ string_printing(filter_message));
+ return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
+ }
+
+ /* Reset things. If the filter message is an empty string, which can happen
+ for a filter "fail" or "freeze" command with no text, reset it to NULL. */
+
+ f.system_filtering = FALSE;
+ f.enable_dollar_recipients = FALSE;
+ if (filter_message && filter_message[0] == 0) filter_message = NULL;
+
+ /* Save the values of the system filter variables so that user filters
+ can use them. */
+
+ memcpy(filter_sn, filter_n, sizeof(filter_sn));
+
+ /* The filter can request that delivery of the original addresses be
+ deferred. */
+
+ if (rc == FF_DEFER)
+ {
+ process_recipients = RECIP_DEFER;
+ deliver_msglog("Delivery deferred by system filter\n");
+ log_write(0, LOG_MAIN, "Delivery deferred by system filter");
+ }
+
+ /* The filter can request that a message be frozen, but this does not
+ take place if the message has been manually thawed. In that case, we must
+ unset "delivered", which is forced by the "freeze" command to make -bF
+ work properly. */
+
+ else if (rc == FF_FREEZE && !f.deliver_manual_thaw)
+ {
+ f.deliver_freeze = TRUE;
+ deliver_frozen_at = time(NULL);
+ process_recipients = RECIP_DEFER;
+ frozen_info = string_sprintf(" by the system filter%s%s",
+ filter_message ? US": " : US"",
+ filter_message ? filter_message : US"");
+ }
+
+ /* The filter can request that a message be failed.
The error message may be
+ quite long - it is sent back to the sender in the bounce - but we don't want
+ to fill up the log with repetitions of it. If it starts with << then the text
+ between << and >> is written to the log, with the rest left for the bounce
+ message. */
+
+ else if (rc == FF_FAIL)
+ {
+ uschar *colon = US"";
+ uschar *logmsg = US"";
+ int loglen = 0;
+
+ process_recipients = RECIP_FAIL_FILTER;
+
+ if (filter_message)
+ {
+ uschar *logend;
+ colon = US": ";
+ if ( filter_message[0] == '<'
+ && filter_message[1] == '<'
+ && (logend = Ustrstr(filter_message, ">>"))
+ )
+ {
+ logmsg = filter_message + 2;
+ loglen = logend - logmsg;
+ filter_message = logend + 2;
+ if (filter_message[0] == 0) filter_message = NULL;
+ }
+ else
+ {
+ logmsg = filter_message;
+ loglen = Ustrlen(filter_message);
+ }
+ }
+
+ log_write(0, LOG_MAIN, "cancelled by system filter%s%.*s", colon, loglen,
+ logmsg);
+ }
+
+ /* Delivery can be restricted only to those recipients (if any) that the
+ filter specified. */
+
+ else if (rc == FF_DELIVERED)
+ {
+ process_recipients = RECIP_IGNORE;
+ if (addr_new)
+ log_write(0, LOG_MAIN, "original recipients ignored (system filter)");
+ else
+ log_write(0, LOG_MAIN, "=> discarded (system filter)");
+ }
+
+ /* If any new addresses were created by the filter, fake up a "parent"
+ for them. This is necessary for pipes, etc., which are expected to have
+ parents, and it also gives some sensible logging for others. Allow
+ pipes, files, and autoreplies, and run them as the filter uid if set,
+ otherwise as the current uid. */
+
+ if (addr_new)
+ {
+ int uid = system_filter_uid_set ? system_filter_uid : geteuid();
+ int gid = system_filter_gid_set ? system_filter_gid : getegid();
+
+ /* The text "system-filter" is tested in transport_set_up_command() and in
+ set_up_shell_command() in the pipe transport, to enable them to permit
+ $recipients, so don't change it here without also changing it there.
 */
+
+ address_item *p = addr_new;
+ address_item *parent = deliver_make_addr(US"system-filter", FALSE);
+
+ parent->domain = string_copylc(qualify_domain_recipient);
+ parent->local_part = US"system-filter";
+
+ /* As part of this loop, we arrange for addr_last to end up pointing
+ at the final address. This is used if we go on to add addresses for the
+ original recipients. */
+
+ while (p)
+ {
+ if (parent->child_count == USHRT_MAX)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "system filter generated more "
+ "than %d delivery addresses", USHRT_MAX);
+ parent->child_count++;
+ p->parent = parent;
+
+ if (testflag(p, af_pfr))
+ {
+ uschar *tpname;
+ uschar *type;
+ p->uid = uid;
+ p->gid = gid;
+ setflag(p, af_uid_set);
+ setflag(p, af_gid_set);
+ setflag(p, af_allow_file);
+ setflag(p, af_allow_pipe);
+ setflag(p, af_allow_reply);
+
+ /* Find the name of the system filter's appropriate pfr transport */
+
+ if (p->address[0] == '|')
+ {
+ type = US"pipe";
+ tpname = system_filter_pipe_transport;
+ address_pipe = p->address;
+ }
+ else if (p->address[0] == '>')
+ {
+ type = US"reply";
+ tpname = system_filter_reply_transport;
+ }
+ else
+ {
+ if (p->address[Ustrlen(p->address)-1] == '/')
+ {
+ type = US"directory";
+ tpname = system_filter_directory_transport;
+ }
+ else
+ {
+ type = US"file";
+ tpname = system_filter_file_transport;
+ }
+ address_file = p->address;
+ }
+
+ /* Now find the actual transport, first expanding the name. We have
+ set address_file or address_pipe above.
 */
+
+ if (tpname)
+ {
+ uschar *tmp = expand_string(tpname);
+ address_file = address_pipe = NULL;
+ if (!tmp)
+ p->message = string_sprintf("failed to expand \"%s\" as a "
+ "system filter transport name", tpname);
+ if (is_tainted(tmp))
+ p->message = string_sprintf("attempt to used tainted value '%s' for"
+ "transport '%s' as a system filter", tmp, tpname);
+ tpname = tmp;
+ }
+ else
+ p->message = string_sprintf("system_filter_%s_transport is unset",
+ type);
+
+ if (tpname)
+ {
+ transport_instance *tp;
+ for (tp = transports; tp; tp = tp->next)
+ if (Ustrcmp(tp->name, tpname) == 0)
+ {
+ p->transport = tp;
+ break;
+ }
+ if (!tp)
+ p->message = string_sprintf("failed to find \"%s\" transport "
+ "for system filter delivery", tpname);
+ }
+
+ /* If we couldn't set up a transport, defer the delivery, putting the
+ error on the panic log as well as the main log. */
+
+ if (!p->transport)
+ {
+ address_item *badp = p;
+ p = p->next;
+ if (!addr_last) addr_new = p; else addr_last->next = p;
+ badp->local_part = badp->address; /* Needed for log line */
+ post_process_one(badp, DEFER, LOG_MAIN|LOG_PANIC, EXIM_DTYPE_ROUTER, 0);
+ continue;
+ }
+ } /* End of pfr handling */
+
+ /* Either a non-pfr delivery, or we found a transport */
+
+ DEBUG(D_deliver|D_filter)
+ debug_printf("system filter added %s\n", p->address);
+
+ addr_last = p;
+ p = p->next;
+ } /* Loop through all addr_new addresses */
+ }
+ }
+
+
+/* Scan the recipients list, and for every one that is not in the non-
+recipients tree, add an addr item to the chain of new addresses. If the pno
+value is non-negative, we must set the onetime parent from it. This which
+points to the relevant entry in the recipients list.
+
+This processing can be altered by the setting of the process_recipients
+variable, which is changed if recipients are to be ignored, failed, or
+deferred. This can happen as a result of system filter activity, or if the -Mg
+option is used to fail all of them.
+
+Duplicate addresses are handled later by a different tree structure; we can't
+just extend the non-recipients tree, because that will be re-written to the
+spool if the message is deferred, and in any case there are casing
+complications for local addresses. */
+
+if (process_recipients != RECIP_IGNORE)
+ for (i = 0; i < recipients_count; i++)
+ if (!tree_search(tree_nonrecipients, recipients_list[i].address))
+ {
+ recipient_item *r = recipients_list + i;
+ address_item *new = deliver_make_addr(r->address, FALSE);
+ new->prop.errors_address = r->errors_to;
+#ifdef SUPPORT_I18N
+ if ((new->prop.utf8_msg = message_smtputf8))
+ {
+ new->prop.utf8_downcvt = message_utf8_downconvert == 1;
+ new->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
+ DEBUG(D_deliver) debug_printf("utf8, downconvert %s\n",
+ new->prop.utf8_downcvt ? "yes"
+ : new->prop.utf8_downcvt_maybe ? "ifneeded"
+ : "no");
+ }
+#endif
+
+ if (r->pno >= 0)
+ new->onetime_parent = recipients_list[r->pno].address;
+
+ /* If DSN support is enabled, set the dsn flags and the original receipt
+ to be passed on to other DSN enabled MTAs */
+
+ new->dsn_flags = r->dsn_flags & rf_dsnflags;
+ new->dsn_orcpt = r->orcpt;
+ DEBUG(D_deliver) debug_printf("DSN: set orcpt: %s flags: 0x%x\n",
+ new->dsn_orcpt ? new->dsn_orcpt : US"", new->dsn_flags);
+
+ switch (process_recipients)
+ {
+ /* RECIP_DEFER is set when a system filter freezes a message. */
+
+ case RECIP_DEFER:
+ new->next = addr_defer;
+ addr_defer = new;
+ break;
+
+
+ /* RECIP_FAIL_FILTER is set when a system filter has obeyed a "fail"
+ command. */
+
+ case RECIP_FAIL_FILTER:
+ new->message =
+ filter_message ? filter_message : US"delivery cancelled";
+ setflag(new, af_pass_message);
+ goto RECIP_QUEUE_FAILED; /* below */
+
+
+ /* RECIP_FAIL_TIMEOUT is set when a message is frozen, but is older
+ than the value in timeout_frozen_after.
Treat non-bounce messages
+ similarly to -Mg; for bounce messages we just want to discard, so
+ don't put the address on the failed list. The timeout has already
+ been logged. */
+
+ case RECIP_FAIL_TIMEOUT:
+ new->message = US"delivery cancelled; message timed out";
+ goto RECIP_QUEUE_FAILED; /* below */
+
+
+ /* RECIP_FAIL is set when -Mg has been used. */
+
+ case RECIP_FAIL:
+ new->message = US"delivery cancelled by administrator";
+ /* Fall through */
+
+ /* Common code for the failure cases above. If this is not a bounce
+ message, put the address on the failed list so that it is used to
+ create a bounce. Otherwise do nothing - this just discards the address.
+ The incident has already been logged. */
+
+ RECIP_QUEUE_FAILED:
+ if (sender_address[0])
+ {
+ new->next = addr_failed;
+ addr_failed = new;
+ }
+ break;
+
+
+ /* RECIP_FAIL_LOOP is set when there are too many Received: headers
+ in the message. Process each address as a routing failure; if this
+ is a bounce message, it will get frozen. */
+
+ case RECIP_FAIL_LOOP:
+ new->message = US"Too many \"Received\" headers - suspected mail loop";
+ post_process_one(new, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+ break;
+
+
+ /* Value should be RECIP_ACCEPT; take this as the safe default. */
+
+ default:
+ if (!addr_new) addr_new = new; else addr_last->next = new;
+ addr_last = new;
+ break;
+ }
+
+#ifndef DISABLE_EVENT
+ if (process_recipients != RECIP_ACCEPT && event_action)
+ {
+ uschar * save_local = deliver_localpart;
+ const uschar * save_domain = deliver_domain;
+ uschar * addr = new->address, * errmsg = NULL;
+ int start, end, dom;
+
+ if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE))
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "failed to parse address '%.100s': %s\n", addr, errmsg);
+ else
+ {
+ deliver_localpart =
+ string_copyn(addr+start, dom ? (dom-1) - start : end - start);
+ deliver_domain = dom ?
CUS string_copyn(addr+dom, end - dom) : CUS"";
+
+ event_raise(event_action, US"msg:fail:internal", new->message);
+
+ deliver_localpart = save_local;
+ deliver_domain = save_domain;
+ }
+ }
+#endif
+ }
+
+DEBUG(D_deliver)
+ {
+ debug_printf("Delivery address list:\n");
+ for (address_item * p = addr_new; p; p = p->next)
+ debug_printf(" %s %s\n", p->address,
+ p->onetime_parent ? p->onetime_parent : US"");
+ }
+
+/* Set up the buffers used for copying over the file when delivering. */
+
+deliver_in_buffer = store_malloc(DELIVER_IN_BUFFER_SIZE);
+deliver_out_buffer = store_malloc(DELIVER_OUT_BUFFER_SIZE);
+
+
+
+/* Until there are no more new addresses, handle each one as follows:
+
+ . If this is a generated address (indicated by the presence of a parent
+ pointer) then check to see whether it is a pipe, file, or autoreply, and
+ if so, handle it directly here. The router that produced the address will
+ have set the allow flags into the address, and also set the uid/gid required.
+ Having the routers generate new addresses and then checking them here at
+ the outer level is tidier than making each router do the checking, and
+ means that routers don't need access to the failed address queue.
+
+ . Break up the address into local part and domain, and make lowercased
+ versions of these strings. We also make unquoted versions of the local part.
+
+ . Handle the percent hack for those domains for which it is valid.
+
+ . For child addresses, determine if any of the parents have the same address.
+ If so, generate a different string for previous delivery checking. Without
+ this code, if the address spqr generates spqr via a forward or alias file,
+ delivery of the generated spqr stops further attempts at the top level spqr,
+ which is not what is wanted - it may have generated other addresses.
+
+ . Check on the retry database to see if routing was previously deferred, but
+ only if in a queue run. Addresses that are to be routed are put on the
+ addr_route chain.
Addresses that are to be deferred are put on the
+ addr_defer chain. We do all the checking first, so as not to keep the
+ retry database open any longer than necessary.
+
+ . Now we run the addresses through the routers. A router may put the address
+ on either the addr_local or the addr_remote chain for local or remote
+ delivery, respectively, or put it on the addr_failed chain if it is
+ undeliveable, or it may generate child addresses and put them on the
+ addr_new chain, or it may defer an address. All the chain anchors are
+ passed as arguments so that the routers can be called for verification
+ purposes as well.
+
+ . If new addresses have been generated by the routers, da capo.
+*/
+
+f.header_rewritten = FALSE; /* No headers rewritten yet */
+while (addr_new) /* Loop until all addresses dealt with */
+ {
+ address_item *addr, *parent;
+
+ /* Failure to open the retry database is treated the same as if it does
+ not exist. In both cases, dbm_file is NULL. */
+
+ if (!(dbm_file = dbfn_open(US"retry", O_RDONLY, &dbblock, FALSE, TRUE)))
+ DEBUG(D_deliver|D_retry|D_route|D_hints_lookup)
+ debug_printf("no retry data available\n");
+
+ /* Scan the current batch of new addresses, to handle pipes, files and
+ autoreplies, and determine which others are ready for routing. */
+
+ while (addr_new)
+ {
+ int rc;
+ uschar *p;
+ tree_node *tnode;
+ dbdata_retry *domain_retry_record;
+ dbdata_retry *address_retry_record;
+
+ addr = addr_new;
+ addr_new = addr->next;
+
+ DEBUG(D_deliver|D_retry|D_route)
+ {
+ debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+ debug_printf("Considering: %s\n", addr->address);
+ }
+
+ /* Handle generated address that is a pipe or a file or an autoreply. */
+
+ if (testflag(addr, af_pfr))
+ {
+ /* If an autoreply in a filter could not generate a syntactically valid
+ address, give up forthwith. Set af_ignore_error so that we don't try to
+ generate a bounce.
*/
+
+ if (testflag(addr, af_bad_reply))
+ {
+ addr->basic_errno = ERRNO_BADADDRESS2;
+ addr->local_part = addr->address;
+ addr->message =
+ US"filter autoreply generated syntactically invalid recipient";
+ addr->prop.ignore_error = TRUE;
+ (void) post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+ continue; /* with the next new address */
+ }
+
+ /* If two different users specify delivery to the same pipe or file or
+ autoreply, there should be two different deliveries, so build a unique
+ string that incorporates the original address, and use this for
+ duplicate testing and recording delivery, and also for retrying. */
+
+ addr->unique =
+ string_sprintf("%s:%s", addr->address, addr->parent->unique +
+ (testflag(addr->parent, af_homonym)? 3:0));
+
+ addr->address_retry_key = addr->domain_retry_key =
+ string_sprintf("T:%s", addr->unique);
+
+ /* If a filter file specifies two deliveries to the same pipe or file,
+ we want to de-duplicate, but this is probably not wanted for two mail
+ commands to the same address, where probably both should be delivered.
+ So, we have to invent a different unique string in that case. Just
+ keep piling '>' characters on the front.
*/
+
+ if (addr->address[0] == '>')
+ while (tree_search(tree_duplicates, addr->unique))
+ addr->unique = string_sprintf(">%s", addr->unique);
+
+ else if ((tnode = tree_search(tree_duplicates, addr->unique)))
+ {
+ DEBUG(D_deliver|D_route)
+ debug_printf("%s is a duplicate address: discarded\n", addr->address);
+ addr->dupof = tnode->data.ptr;
+ addr->next = addr_duplicate;
+ addr_duplicate = addr;
+ continue;
+ }
+
+ DEBUG(D_deliver|D_route) debug_printf("unique = %s\n", addr->unique);
+
+ /* Check for previous delivery */
+
+ if (tree_search(tree_nonrecipients, addr->unique))
+ {
+ DEBUG(D_deliver|D_route)
+ debug_printf("%s was previously delivered: discarded\n", addr->address);
+ child_done(addr, tod_stamp(tod_log));
+ continue;
+ }
+
+ /* Save for checking future duplicates */
+
+ tree_add_duplicate(addr->unique, addr);
+
+ /* Set local part and domain */
+
+ addr->local_part = addr->address;
+ addr->domain = addr->parent->domain;
+
+ /* Ensure that the delivery is permitted. */
+
+ if (testflag(addr, af_file))
+ {
+ if (!testflag(addr, af_allow_file))
+ {
+ addr->basic_errno = ERRNO_FORBIDFILE;
+ addr->message = US"delivery to file forbidden";
+ (void)post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+ continue; /* with the next new address */
+ }
+ }
+ else if (addr->address[0] == '|')
+ {
+ if (!testflag(addr, af_allow_pipe))
+ {
+ addr->basic_errno = ERRNO_FORBIDPIPE;
+ addr->message = US"delivery to pipe forbidden";
+ (void)post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+ continue; /* with the next new address */
+ }
+ }
+ else if (!testflag(addr, af_allow_reply))
+ {
+ addr->basic_errno = ERRNO_FORBIDREPLY;
+ addr->message = US"autoreply forbidden";
+ (void)post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+ continue; /* with the next new address */
+ }
+
+ /* If the errno field is already set to BADTRANSPORT, it indicates
+ failure to expand a transport string, or find the associated transport,
+ or an unset
transport when one is required. Leave this test till now so
+ that the forbid errors are given in preference. */
+
+ if (addr->basic_errno == ERRNO_BADTRANSPORT)
+ {
+ (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+ continue;
+ }
+
+ /* Treat /dev/null as a special case and abandon the delivery. This
+ avoids having to specify a uid on the transport just for this case.
+ Arrange for the transport name to be logged as "**bypassed**". */
+
+ if (Ustrcmp(addr->address, "/dev/null") == 0)
+ {
+ uschar *save = addr->transport->name;
+ addr->transport->name = US"**bypassed**";
+ (void)post_process_one(addr, OK, LOG_MAIN, EXIM_DTYPE_TRANSPORT, '=');
+ addr->transport->name = save;
+ continue; /* with the next new address */
+ }
+
+ /* Pipe, file, or autoreply delivery is to go ahead as a normal local
+ delivery. */
+
+ DEBUG(D_deliver|D_route)
+ debug_printf("queued for %s transport\n", addr->transport->name);
+ addr->next = addr_local;
+ addr_local = addr;
+ continue; /* with the next new address */
+ }
+
+ /* Handle normal addresses. First, split up into local part and domain,
+ handling the %-hack if necessary. There is the possibility of a defer from
+ a lookup in percent_hack_domains. */
+
+ if ((rc = deliver_split_address(addr)) == DEFER)
+ {
+ addr->message = US"cannot check percent_hack_domains";
+ addr->basic_errno = ERRNO_LISTDEFER;
+ (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_NONE, 0);
+ continue;
+ }
+
+ /* Check to see if the domain is held. If so, proceed only if the
+ delivery was forced by hand.
*/
+
+ deliver_domain = addr->domain; /* set $domain */
+ if ( !forced && hold_domains
+ && (rc = match_isinlist(addr->domain, (const uschar **)&hold_domains, 0,
+ &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE,
+ NULL)) != FAIL
+ )
+ {
+ if (rc == DEFER)
+ {
+ addr->message = US"hold_domains lookup deferred";
+ addr->basic_errno = ERRNO_LISTDEFER;
+ }
+ else
+ {
+ addr->message = US"domain is held";
+ addr->basic_errno = ERRNO_HELD;
+ }
+ (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_NONE, 0);
+ continue;
+ }
+
+ /* Now we can check for duplicates and previously delivered addresses. In
+ order to do this, we have to generate a "unique" value for each address,
+ because there may be identical actual addresses in a line of descendents.
+ The "unique" field is initialized to the same value as the "address" field,
+ but gets changed here to cope with identically-named descendents. */
+
+ for (parent = addr->parent; parent; parent = parent->parent)
+ if (strcmpic(addr->address, parent->address) == 0) break;
+
+ /* If there's an ancestor with the same name, set the homonym flag. This
+ influences how deliveries are recorded. Then add a prefix on the front of
+ the unique address. We use \n\ where n starts at 0 and increases each time.
+ It is unlikely to pass 9, but if it does, it may look odd but will still
+ work. This means that siblings or cousins with the same names are treated
+ as duplicates, which is what we want. */
+
+ if (parent)
+ {
+ setflag(addr, af_homonym);
+ if (parent->unique[0] != '\\')
+ addr->unique = string_sprintf("\\0\\%s", addr->address);
+ else
+ addr->unique = string_sprintf("\\%c\\%s", parent->unique[1] + 1,
+ addr->address);
+ }
+
+ /* Ensure that the domain in the unique field is lower cased, because
+ domains are always handled caselessly.
*/
+
+ p = Ustrrchr(addr->unique, '@');
+ while (*p != 0) { *p = tolower(*p); p++; }
+
+ DEBUG(D_deliver|D_route) debug_printf("unique = %s\n", addr->unique);
+
+ if (tree_search(tree_nonrecipients, addr->unique))
+ {
+ DEBUG(D_deliver|D_route)
+ debug_printf("%s was previously delivered: discarded\n", addr->unique);
+ child_done(addr, tod_stamp(tod_log));
+ continue;
+ }
+
+ /* Get the routing retry status, saving the two retry keys (with and
+ without the local part) for subsequent use. If there is no retry record for
+ the standard address routing retry key, we look for the same key with the
+ sender attached, because this form is used by the smtp transport after a
+ 4xx response to RCPT when address_retry_include_sender is true. */
+
+ addr->domain_retry_key = string_sprintf("R:%s", addr->domain);
+ addr->address_retry_key = string_sprintf("R:%s@%s", addr->local_part,
+ addr->domain);
+
+ if (dbm_file)
+ {
+ domain_retry_record = dbfn_read(dbm_file, addr->domain_retry_key);
+ if ( domain_retry_record
+ && now - domain_retry_record->time_stamp > retry_data_expire
+ )
+ {
+ DEBUG(D_deliver|D_retry)
+ debug_printf("domain retry record present but expired\n");
+ domain_retry_record = NULL; /* Ignore if too old */
+ }
+
+ address_retry_record = dbfn_read(dbm_file, addr->address_retry_key);
+ if ( address_retry_record
+ && now - address_retry_record->time_stamp > retry_data_expire
+ )
+ {
+ DEBUG(D_deliver|D_retry)
+ debug_printf("address retry record present but expired\n");
+ address_retry_record = NULL; /* Ignore if too old */
+ }
+
+ if (!address_retry_record)
+ {
+ uschar *altkey = string_sprintf("%s:<%s>", addr->address_retry_key,
+ sender_address);
+ address_retry_record = dbfn_read(dbm_file, altkey);
+ if ( address_retry_record
+ && now - address_retry_record->time_stamp > retry_data_expire)
+ {
+ DEBUG(D_deliver|D_retry)
+ debug_printf("address<sender> retry record present but expired\n");
+ address_retry_record = NULL; /* Ignore if too old */
+ }
+ }
+ }
+ 
else
+ domain_retry_record = address_retry_record = NULL;
+
+ DEBUG(D_deliver|D_retry)
+ {
+ if (!domain_retry_record)
+ debug_printf("no domain retry record\n");
+ else
+ debug_printf("have domain retry record; next_try = now%+d\n",
+ f.running_in_test_harness ? 0 :
+ (int)(domain_retry_record->next_try - now));
+
+ if (!address_retry_record)
+ debug_printf("no address retry record\n");
+ else
+ debug_printf("have address retry record; next_try = now%+d\n",
+ f.running_in_test_harness ? 0 :
+ (int)(address_retry_record->next_try - now));
+ }
+
+ /* If we are sending a message down an existing SMTP connection, we must
+ assume that the message which created the connection managed to route
+ an address to that connection. We do not want to run the risk of taking
+ a long time over routing here, because if we do, the server at the other
+ end of the connection may time it out. This is especially true for messages
+ with lots of addresses. For this kind of delivery, queue_running is not
+ set, so we would normally route all addresses. We take a pragmatic approach
+ and defer routing any addresses that have any kind of domain retry record.
+ That is, we don't even look at their retry times. It doesn't matter if this
+ doesn't work occasionally. This is all just an optimization, after all.
+
+ The reason for not doing the same for address retries is that they normally
+ arise from 4xx responses, not DNS timeouts. */
+
+ if (continue_hostname && domain_retry_record)
+ {
+ addr->message = US"reusing SMTP connection skips previous routing defer";
+ addr->basic_errno = ERRNO_RRETRY;
+ (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+
+ addr->message = domain_retry_record->text;
+ setflag(addr, af_pass_message);
+ }
+
+ /* If we are in a queue run, defer routing unless there is no retry data or
+ we've passed the next retry time, or this message is forced. In other
+ words, ignore retry data when not in a queue run.
+
+ However, if the domain retry time has expired, always allow the routing
+ attempt. If it fails again, the address will be failed. This ensures that
+ each address is routed at least once, even after long-term routing
+ failures.
+
+ If there is an address retry, check that too; just wait for the next
+ retry time. This helps with the case when the temporary error on the
+ address was really message-specific rather than address specific, since
+ it allows other messages through.
+
+ We also wait for the next retry time if this is a message sent down an
+ existing SMTP connection (even though that will be forced). Otherwise there
+ will be far too many attempts for an address that gets a 4xx error. In
+ fact, after such an error, we should not get here because, the host should
+ not be remembered as one this message needs. However, there was a bug that
+ used to cause this to happen, so it is best to be on the safe side.
+
+ Even if we haven't reached the retry time in the hints, there is one more
+ check to do, which is for the ultimate address timeout. We only do this
+ check if there is an address retry record and there is not a domain retry
+ record; this implies that previous attempts to handle the address had the
+ retry_use_local_parts option turned on. We use this as an approximation
+ for the destination being like a local delivery, for example delivery over
+ LMTP to an IMAP message store. In this situation users are liable to bump
+ into their quota and thereby have intermittently successful deliveries,
+ which keep the retry record fresh, which can lead to us perpetually
+ deferring messages.
*/
+
+ else if ( ( f.queue_running && !f.deliver_force
+ || continue_hostname
+ )
+ && ( ( domain_retry_record
+ && now < domain_retry_record->next_try
+ && !domain_retry_record->expired
+ )
+ || ( address_retry_record
+ && now < address_retry_record->next_try
+ ) )
+ && ( domain_retry_record
+ || !address_retry_record
+ || !retry_ultimate_address_timeout(addr->address_retry_key,
+ addr->domain, address_retry_record, now)
+ ) )
+ {
+ addr->message = US"retry time not reached";
+ addr->basic_errno = ERRNO_RRETRY;
+ (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+
+ /* For remote-retry errors (here and just above) that we've not yet
+ hit the retry time, use the error recorded in the retry database
+ as info in the warning message. This lets us send a message even
+ when we're not failing on a fresh attempt. We assume that this
+ info is not sensitive. */
+
+ addr->message = domain_retry_record
+ ? domain_retry_record->text : address_retry_record->text;
+ setflag(addr, af_pass_message);
+ }
+
+ /* The domain is OK for routing. Remember if retry data exists so it
+ can be cleaned up after a successful delivery. */
+
+ else
+ {
+ if (domain_retry_record || address_retry_record)
+ setflag(addr, af_dr_retry_exists);
+ addr->next = addr_route;
+ addr_route = addr;
+ DEBUG(D_deliver|D_route)
+ debug_printf("%s: queued for routing\n", addr->address);
+ }
+ }
+
+ /* The database is closed while routing is actually happening. Requests to
+ update it are put on a chain and all processed together at the end. */
+
+ if (dbm_file) dbfn_close(dbm_file);
+
+ /* If queue_domains is set, we don't even want to try routing addresses in
+ those domains. During queue runs, queue_domains is forced to be unset.
+ Optimize by skipping this pass through the addresses if nothing is set.
*/
+
+ if (!f.deliver_force && queue_domains)
+ {
+ address_item *okaddr = NULL;
+ while (addr_route)
+ {
+ address_item *addr = addr_route;
+ addr_route = addr->next;
+
+ deliver_domain = addr->domain; /* set $domain */
+ if ((rc = match_isinlist(addr->domain, (const uschar **)&queue_domains, 0,
+ &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE, NULL))
+ != OK)
+ if (rc == DEFER)
+ {
+ addr->basic_errno = ERRNO_LISTDEFER;
+ addr->message = US"queue_domains lookup deferred";
+ (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+ }
+ else
+ {
+ addr->next = okaddr;
+ okaddr = addr;
+ }
+ else
+ {
+ addr->basic_errno = ERRNO_QUEUE_DOMAIN;
+ addr->message = US"domain is in queue_domains";
+ (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+ }
+ }
+
+ addr_route = okaddr;
+ }
+
+ /* Now route those addresses that are not deferred. */
+
+ while (addr_route)
+ {
+ int rc;
+ address_item *addr = addr_route;
+ const uschar *old_domain = addr->domain;
+ uschar *old_unique = addr->unique;
+ addr_route = addr->next;
+ addr->next = NULL;
+
+ /* Just in case some router parameter refers to it. */
+
+ if (!(return_path = addr->prop.errors_address))
+ return_path = sender_address;
+
+ /* If a router defers an address, add a retry item. Whether or not to
+ use the local part in the key is a property of the router. */
+
+ if ((rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
+ &addr_succeed, v_none)) == DEFER)
+ retry_add_item(addr,
+ addr->router->retry_use_local_part
+ ? string_sprintf("R:%s@%s", addr->local_part, addr->domain)
+ : string_sprintf("R:%s", addr->domain),
+ 0);
+
+ /* Otherwise, if there is an existing retry record in the database, add
+ retry items to delete both forms. We must also allow for the possibility
+ of a routing retry that includes the sender address.
Since the domain might
+ have been rewritten (expanded to fully qualified) as a result of routing,
+ ensure that the rewritten form is also deleted. */
+
+ else if (testflag(addr, af_dr_retry_exists))
+ {
+ uschar *altkey = string_sprintf("%s:<%s>", addr->address_retry_key,
+ sender_address);
+ retry_add_item(addr, altkey, rf_delete);
+ retry_add_item(addr, addr->address_retry_key, rf_delete);
+ retry_add_item(addr, addr->domain_retry_key, rf_delete);
+ if (Ustrcmp(addr->domain, old_domain) != 0)
+ retry_add_item(addr, string_sprintf("R:%s", old_domain), rf_delete);
+ }
+
+ /* DISCARD is given for :blackhole: and "seen finish". The event has been
+ logged, but we need to ensure the address (and maybe parents) is marked
+ done. */
+
+ if (rc == DISCARD)
+ {
+ address_done(addr, tod_stamp(tod_log));
+ continue; /* route next address */
+ }
+
+ /* The address is finished with (failed or deferred). */
+
+ if (rc != OK)
+ {
+ (void)post_process_one(addr, rc, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+ continue; /* route next address */
+ }
+
+ /* The address has been routed. If the router changed the domain, it will
+ also have changed the unique address. We have to test whether this address
+ has already been delivered, because it's the unique address that finally
+ gets recorded. */
+
+ if ( addr->unique != old_unique
+ && tree_search(tree_nonrecipients, addr->unique) != 0
+ )
+ {
+ DEBUG(D_deliver|D_route) debug_printf("%s was previously delivered: "
+ "discarded\n", addr->address);
+ if (addr_remote == addr) addr_remote = addr->next;
+ else if (addr_local == addr) addr_local = addr->next;
+ }
+
+ /* If the router has same_domain_copy_routing set, we are permitted to copy
+ the routing for any other addresses with the same domain. This is an
+ optimisation to save repeated DNS lookups for "standard" remote domain
+ routing. The option is settable only on routers that generate host lists.
+ We play it very safe, and do the optimization only if the address is routed
+ to a remote transport, there are no header changes, and the domain was not
+ modified by the router. */
+
+ if ( addr_remote == addr
+ && addr->router->same_domain_copy_routing
+ && !addr->prop.extra_headers
+ && !addr->prop.remove_headers
+ && old_domain == addr->domain
+ )
+ {
+ address_item **chain = &addr_route;
+ while (*chain)
+ {
+ address_item *addr2 = *chain;
+ if (Ustrcmp(addr2->domain, addr->domain) != 0)
+ {
+ chain = &(addr2->next);
+ continue;
+ }
+
+ /* Found a suitable address; take it off the routing list and add it to
+ the remote delivery list. */
+
+ *chain = addr2->next;
+ addr2->next = addr_remote;
+ addr_remote = addr2;
+
+ /* Copy the routing data */
+
+ addr2->domain = addr->domain;
+ addr2->router = addr->router;
+ addr2->transport = addr->transport;
+ addr2->host_list = addr->host_list;
+ addr2->fallback_hosts = addr->fallback_hosts;
+ addr2->prop.errors_address = addr->prop.errors_address;
+ copyflag(addr2, addr, af_hide_child);
+ copyflag(addr2, addr, af_local_host_removed);
+
+ DEBUG(D_deliver|D_route)
+ debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
+ "routing %s\n"
+ "Routing for %s copied from %s\n",
+ addr2->address, addr2->address, addr->address);
+ }
+ }
+ } /* Continue with routing the next address. */
+ } /* Loop to process any child addresses that the routers created, and
+ any rerouted addresses that got put back on the new chain.
*/
+
+
+/* Debugging: show the results of the routing */
+
+DEBUG(D_deliver|D_retry|D_route)
+ {
+ debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+ debug_printf("After routing:\n Local deliveries:\n");
+ for (address_item * p = addr_local; p; p = p->next)
+ debug_printf(" %s\n", p->address);
+
+ debug_printf(" Remote deliveries:\n");
+ for (address_item * p = addr_remote; p; p = p->next)
+ debug_printf(" %s\n", p->address);
+
+ debug_printf(" Failed addresses:\n");
+ for (address_item * p = addr_failed; p; p = p->next)
+ debug_printf(" %s\n", p->address);
+
+ debug_printf(" Deferred addresses:\n");
+ for (address_item * p = addr_defer; p; p = p->next)
+ debug_printf(" %s\n", p->address);
+ }
+
+/* Free any resources that were cached during routing. */
+
+search_tidyup();
+route_tidyup();
+
+/* These two variables are set only during routing, after check_local_user.
+Ensure they are not set in transports. */
+
+local_user_gid = (gid_t)(-1);
+local_user_uid = (uid_t)(-1);
+
+/* Check for any duplicate addresses. This check is delayed until after
+routing, because the flexibility of the routing configuration means that
+identical addresses with different parentage may end up being redirected to
+different addresses. Checking for duplicates too early (as we previously used
+to) makes this kind of thing not work. */
+
+do_duplicate_check(&addr_local);
+do_duplicate_check(&addr_remote);
+
+/* When acting as an MUA wrapper, we proceed only if all addresses route to a
+remote transport. The check that they all end up in one transaction happens in
+the do_remote_deliveries() function.
*/
+
+if ( mua_wrapper
+ && (addr_local || addr_failed || addr_defer)
+ )
+ {
+ address_item *addr;
+ uschar *which, *colon, *msg;
+
+ if (addr_local)
+ {
+ addr = addr_local;
+ which = US"local";
+ }
+ else if (addr_defer)
+ {
+ addr = addr_defer;
+ which = US"deferred";
+ }
+ else
+ {
+ addr = addr_failed;
+ which = US"failed";
+ }
+
+ while (addr->parent) addr = addr->parent;
+
+ if (addr->message)
+ {
+ colon = US": ";
+ msg = addr->message;
+ }
+ else colon = msg = US"";
+
+ /* We don't need to log here for a forced failure as it will already
+ have been logged. Defer will also have been logged, but as a defer, so we do
+ need to do the failure logging. */
+
+ if (addr != addr_failed)
+ log_write(0, LOG_MAIN, "** %s routing yielded a %s delivery",
+ addr->address, which);
+
+ /* Always write an error to the caller */
+
+ fprintf(stderr, "routing %s yielded a %s delivery%s%s\n", addr->address,
+ which, colon, msg);
+
+ final_yield = DELIVER_MUA_FAILED;
+ addr_failed = addr_defer = NULL; /* So that we remove the message */
+ goto DELIVERY_TIDYUP;
+ }
+
+
+/* If this is a run to continue deliveries to an external channel that is
+already set up, defer any local deliveries.
+
+jgh 2020/12/20: I don't see why; locals should be quick.
+The defer goes back to version 1.62 in 1997. A local being still deliverable
+during a continued run might result from something like a defer during the
+original delivery, eg. in a DB lookup. Unlikely but possible.
+
+To avoid delaying a local when combined with a callout-hold for a remote
+delivery, test continue_sequence rather than continue_transport.
*/
+
+if (continue_sequence > 1 && addr_local)
+ {
+ DEBUG(D_deliver|D_retry|D_route)
+ debug_printf("deferring local deliveries due to continued-transport\n");
+ if (addr_defer)
+ {
+ address_item *addr = addr_defer;
+ while (addr->next) addr = addr->next;
+ addr->next = addr_local;
+ }
+ else
+ addr_defer = addr_local;
+ addr_local = NULL;
+ }
+
+
+/* Because address rewriting can happen in the routers, we should not really do
+ANY deliveries until all addresses have been routed, so that all recipients of
+the message get the same headers. However, this is in practice not always
+possible, since sometimes remote addresses give DNS timeouts for days on end.
+The pragmatic approach is to deliver what we can now, saving any rewritten
+headers so that at least the next lot of recipients benefit from the rewriting
+that has already been done.
+
+If any headers have been rewritten during routing, update the spool file to
+remember them for all subsequent deliveries. This can be delayed till later if
+there is only address to be delivered - if it succeeds the spool write need not
+happen. */
+
+if ( f.header_rewritten
+ && ( addr_local && (addr_local->next || addr_remote)
+ || addr_remote && addr_remote->next
+ ) )
+ {
+ /* Panic-dies on error */
+ (void)spool_write_header(message_id, SW_DELIVERING, NULL);
+ f.header_rewritten = FALSE;
+ }
+
+
+/* If there are any deliveries to do and we do not already have the journal
+file, create it. This is used to record successful deliveries as soon as
+possible after each delivery is known to be complete. A file opened with
+O_APPEND is used so that several processes can run simultaneously.
+
+The journal is just insurance against crashes. When the spool file is
+ultimately updated at the end of processing, the journal is deleted. If a
+journal is found to exist at the start of delivery, the addresses listed
+therein are added to the non-recipients.
*/
+
+if (addr_local || addr_remote)
+ {
+ if (journal_fd < 0)
+ {
+ uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");
+
+ if ((journal_fd = Uopen(fname,
+#ifdef O_CLOEXEC
+ O_CLOEXEC |
+#endif
+ O_WRONLY|O_APPEND|O_CREAT|O_EXCL, SPOOL_MODE)) < 0)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't open journal file %s: %s",
+ fname, strerror(errno));
+ return DELIVER_NOT_ATTEMPTED;
+ }
+
+ /* Set the close-on-exec flag, make the file owned by Exim, and ensure
+ that the mode is correct - the group setting doesn't always seem to get
+ set automatically. */
+
+ if( exim_fchown(journal_fd, exim_uid, exim_gid, fname)
+ || fchmod(journal_fd, SPOOL_MODE)
+#ifndef O_CLOEXEC
+ || fcntl(journal_fd, F_SETFD, fcntl(journal_fd, F_GETFD) | FD_CLOEXEC)
+#endif
+ )
+ {
+ int ret = Uunlink(fname);
+ log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't set perms on journal file %s: %s",
+ fname, strerror(errno));
+ if(ret && errno != ENOENT)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
+ fname, strerror(errno));
+ return DELIVER_NOT_ATTEMPTED;
+ }
+ }
+ }
+else if (journal_fd >= 0)
+ {
+ close(journal_fd);
+ journal_fd = -1;
+ }
+
+
+
+/* Now we can get down to the business of actually doing deliveries. Local
+deliveries are done first, then remote ones. If ever the problems of how to
+handle fallback transports are figured out, this section can be put into a loop
+for handling fallbacks, though the uid switching will have to be revised. */
+
+/* Precompile a regex that is used to recognize a parameter in response
+to an LHLO command, if is isn't already compiled. This may be used on both
+local and remote LMTP deliveries.
*/
+
+if (!regex_IGNOREQUOTA)
+ regex_IGNOREQUOTA =
+ regex_must_compile(US"\\n250[\\s\\-]IGNOREQUOTA(\\s|\\n|$)", FALSE, TRUE);
+
+/* Handle local deliveries */
+
+if (addr_local)
+ {
+ DEBUG(D_deliver|D_transport)
+ debug_printf(">>>>>>>>>>>>>>>> Local deliveries >>>>>>>>>>>>>>>>\n");
+ do_local_deliveries();
+ f.disable_logging = FALSE;
+ }
+
+/* If queue_run_local is set, we do not want to attempt any remote deliveries,
+so just queue them all. */
+
+if (f.queue_run_local)
+ while (addr_remote)
+ {
+ address_item *addr = addr_remote;
+ addr_remote = addr->next;
+ addr->next = NULL;
+ addr->basic_errno = ERRNO_LOCAL_ONLY;
+ addr->message = US"remote deliveries suppressed";
+ (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_TRANSPORT, 0);
+ }
+
+/* Handle remote deliveries */
+
+if (addr_remote)
+ {
+ DEBUG(D_deliver|D_transport)
+ debug_printf(">>>>>>>>>>>>>>>> Remote deliveries >>>>>>>>>>>>>>>>\n");
+
+ /* Precompile some regex that are used to recognize parameters in response
+ to an EHLO command, if they aren't already compiled. */
+
+ smtp_deliver_init();
+
+ /* Now sort the addresses if required, and do the deliveries. The yield of
+ do_remote_deliveries is FALSE when mua_wrapper is set and all addresses
+ cannot be delivered in one transaction. */
+
+ if (remote_sort_domains) sort_remote_deliveries();
+ if (!do_remote_deliveries(FALSE))
+ {
+ log_write(0, LOG_MAIN, "** mua_wrapper is set but recipients cannot all "
+ "be delivered in one transaction");
+ fprintf(stderr, "delivery to smarthost failed (configuration problem)\n");
+
+ final_yield = DELIVER_MUA_FAILED;
+ addr_failed = addr_defer = NULL; /* So that we remove the message */
+ goto DELIVERY_TIDYUP;
+ }
+
+ /* See if any of the addresses that failed got put on the queue for delivery
+ to their fallback hosts. We do it this way because often the same fallback
+ host is used for many domains, so all can be sent in a single transaction
+ (if appropriately configured).
*/
+
+ if (addr_fallback && !mua_wrapper)
+ {
+ DEBUG(D_deliver) debug_printf("Delivering to fallback hosts\n");
+ addr_remote = addr_fallback;
+ addr_fallback = NULL;
+ if (remote_sort_domains) sort_remote_deliveries();
+ do_remote_deliveries(TRUE);
+ }
+ f.disable_logging = FALSE;
+ }
+
+
+/* All deliveries are now complete. Ignore SIGTERM during this tidying up
+phase, to minimize cases of half-done things. */
+
+DEBUG(D_deliver)
+ debug_printf(">>>>>>>>>>>>>>>> deliveries are done >>>>>>>>>>>>>>>>\n");
+cancel_cutthrough_connection(TRUE, US"deliveries are done");
+
+/* Root privilege is no longer needed */
+
+exim_setugid(exim_uid, exim_gid, FALSE, US"post-delivery tidying");
+
+set_process_info("tidying up after delivering %s", message_id);
+signal(SIGTERM, SIG_IGN);
+
+/* When we are acting as an MUA wrapper, the smtp transport will either have
+succeeded for all addresses, or failed them all in normal cases. However, there
+are some setup situations (e.g. when a named port does not exist) that cause an
+immediate exit with deferral of all addresses. Convert those into failures. We
+do not ever want to retry, nor do we want to send a bounce message. */
+
+if (mua_wrapper)
+ {
+ if (addr_defer)
+ {
+ address_item * nextaddr;
+ for (address_item * addr = addr_defer; addr; addr = nextaddr)
+ {
+ log_write(0, LOG_MAIN, "** %s mua_wrapper forced failure for deferred "
+ "delivery", addr->address);
+ nextaddr = addr->next;
+ addr->next = addr_failed;
+ addr_failed = addr;
+ }
+ addr_defer = NULL;
+ }
+
+ /* Now all should either have succeeded or failed.
*/ + + if (!addr_failed) + final_yield = DELIVER_MUA_SUCCEEDED; + else + { + host_item * host; + uschar *s = addr_failed->user_message; + + if (!s) s = addr_failed->message; + + fprintf(stderr, "Delivery failed: "); + if (addr_failed->basic_errno > 0) + { + fprintf(stderr, "%s", strerror(addr_failed->basic_errno)); + if (s) fprintf(stderr, ": "); + } + if ((host = addr_failed->host_used)) + fprintf(stderr, "H=%s [%s]: ", host->name, host->address); + if (s) + fprintf(stderr, "%s", CS s); + else if (addr_failed->basic_errno <= 0) + fprintf(stderr, "unknown error"); + fprintf(stderr, "\n"); + + final_yield = DELIVER_MUA_FAILED; + addr_failed = NULL; + } + } + +/* In a normal configuration, we now update the retry database. This is done in +one fell swoop at the end in order not to keep opening and closing (and +locking) the database. The code for handling retries is hived off into a +separate module for convenience. We pass it the addresses of the various +chains, because deferred addresses can get moved onto the failed chain if the +retry cutoff time has expired for all alternative destinations. Bypass the +updating of the database if the -N flag is set, which is a debugging thing that +prevents actual delivery. */ + +else if (!f.dont_deliver) + retry_update(&addr_defer, &addr_failed, &addr_succeed); + +/* Send DSN for successful messages if requested */ +addr_senddsn = NULL; + +for (address_item * a = addr_succeed; a; a = a->next) + { + /* af_ignore_error not honored here. it's not an error */ + DEBUG(D_deliver) debug_printf("DSN: processing router : %s\n" + "DSN: processing successful delivery address: %s\n" + "DSN: Sender_address: %s\n" + "DSN: orcpt: %s flags: 0x%x\n" + "DSN: envid: %s ret: %d\n" + "DSN: Final recipient: %s\n" + "DSN: Remote SMTP server supports DSN: %d\n", + a->router ? a->router->name : US"(unknown)", + a->address, + sender_address, + a->dsn_orcpt ? a->dsn_orcpt : US"NULL", + a->dsn_flags, + dsn_envid ? 
dsn_envid : US"NULL", dsn_ret, + a->address, + a->dsn_aware + ); + + /* send report if next hop not DSN aware or a router flagged "last DSN hop" + and a report was requested */ + + if ( (a->dsn_aware != dsn_support_yes || a->dsn_flags & rf_dsnlasthop) + && a->dsn_flags & rf_notify_success + ) + { + /* copy and relink address_item and send report with all of them at once later */ + address_item * addr_next = addr_senddsn; + addr_senddsn = store_get(sizeof(address_item), FALSE); + *addr_senddsn = *a; + addr_senddsn->next = addr_next; + } + else + DEBUG(D_deliver) debug_printf("DSN: not sending DSN success message\n"); + } + +if (addr_senddsn) + { + pid_t pid; + int fd; + + /* create exim process to send message */ + pid = child_open_exim(&fd, US"DSN"); + + DEBUG(D_deliver) debug_printf("DSN: child_open_exim returns: %d\n", pid); + + if (pid < 0) /* Creation of child failed */ + { + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Process %d (parent %d) failed to " + "create child process to send success-dsn message: %s", getpid(), + getppid(), strerror(errno)); + + DEBUG(D_deliver) debug_printf("DSN: child_open_exim failed\n"); + } + else /* Creation of child succeeded */ + { + FILE * f = fdopen(fd, "wb"); + /* header only as required by RFC. 
only failure DSN needs to honor RET=FULL */ + uschar * bound; + transport_ctx tctx = {{0}}; + + DEBUG(D_deliver) + debug_printf("sending success-dsn to: %s\n", sender_address); + + /* build unique id for MIME boundary */ + bound = string_sprintf(TIME_T_FMT "-eximdsn-%d", time(NULL), rand()); + DEBUG(D_deliver) debug_printf("DSN: MIME boundary: %s\n", bound); + + if (errors_reply_to) + fprintf(f, "Reply-To: %s\n", errors_reply_to); + + moan_write_from(f); + fprintf(f, "Auto-Submitted: auto-generated\n" + "To: %s\n" + "Subject: Delivery Status Notification\n", + sender_address); + moan_write_references(f, NULL); + fprintf(f, "Content-Type: multipart/report;" + " report-type=delivery-status; boundary=%s\n" + "MIME-Version: 1.0\n\n" + + "--%s\n" + "Content-type: text/plain; charset=us-ascii\n\n" + + "This message was created automatically by mail delivery software.\n" + " ----- The following addresses had successful delivery notifications -----\n", + bound, bound); + + for (address_item * a = addr_senddsn; a; a = a->next) + fprintf(f, "<%s> (relayed %s)\n\n", + a->address, + a->dsn_flags & rf_dsnlasthop ? "via non DSN router" + : a->dsn_aware == dsn_support_no ? 
"to non-DSN-aware mailer" + : "via non \"Remote SMTP\" router" + ); + + fprintf(f, "--%s\n" + "Content-type: message/delivery-status\n\n" + "Reporting-MTA: dns; %s\n", + bound, smtp_active_hostname); + + if (dsn_envid) + { /* must be decoded from xtext: see RFC 3461:6.3a */ + uschar *xdec_envid; + if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0) + fprintf(f, "Original-Envelope-ID: %s\n", dsn_envid); + else + fprintf(f, "X-Original-Envelope-ID: error decoding xtext formatted ENVID\n"); + } + fputc('\n', f); + + for (address_item * a = addr_senddsn; a; a = a->next) + { + host_item * hu; + + print_dsn_addr_action(f, a, US"delivered", US"2.0.0"); + + if ((hu = a->host_used) && hu->name) + fprintf(f, "Remote-MTA: dns; %s\nDiagnostic-Code: smtp; 250 Ok\n\n", + hu->name); + else + fprintf(f, "Diagnostic-Code: X-Exim; relayed via non %s router\n\n", + a->dsn_flags & rf_dsnlasthop ? "DSN" : "SMTP"); + } + + fprintf(f, "--%s\nContent-type: text/rfc822-headers\n\n", bound); + + fflush(f); + transport_filter_argv = NULL; /* Just in case */ + return_path = sender_address; /* In case not previously set */ + + /* Write the original email out */ + + tctx.u.fd = fd; + tctx.options = topt_add_return_path | topt_no_body; + /*XXX hmm, FALSE(fail) retval ignored. + Could error for any number of reasons, and they are not handled. */ + transport_write_message(&tctx, 0); + fflush(f); + + fprintf(f,"\n--%s--\n", bound); + + fflush(f); + fclose(f); + rc = child_close(pid, 0); /* Waits for child to close, no timeout */ + } + } + +/* If any addresses failed, we must send a message to somebody, unless +af_ignore_error is set, in which case no action is taken. It is possible for +several messages to get sent if there are addresses with different +requirements. 
*/ + +while (addr_failed) + { + pid_t pid; + int fd; + uschar *logtod = tod_stamp(tod_log); + address_item *addr; + address_item *handled_addr = NULL; + address_item **paddr; + address_item *msgchain = NULL; + address_item **pmsgchain = &msgchain; + + /* There are weird cases when logging is disabled in the transport. However, + there may not be a transport (address failed by a router). */ + + f.disable_logging = FALSE; + if (addr_failed->transport) + f.disable_logging = addr_failed->transport->disable_logging; + + DEBUG(D_deliver) + debug_printf("processing failed address %s\n", addr_failed->address); + + /* There are only two ways an address in a bounce message can get here: + + (1) When delivery was initially deferred, but has now timed out (in the call + to retry_update() above). We can detect this by testing for + af_retry_timedout. If the address does not have its own errors address, + we arrange to ignore the error. + + (2) If delivery failures for bounce messages are being ignored. We can detect + this by testing for af_ignore_error. This will also be set if a bounce + message has been autothawed and the ignore_bounce_errors_after time has + passed. It might also be set if a router was explicitly configured to + ignore errors (errors_to = ""). + + If neither of these cases obtains, something has gone wrong. Log the + incident, but then ignore the error. */ + + if (sender_address[0] == 0 && !addr_failed->prop.errors_address) + { + if ( !testflag(addr_failed, af_retry_timedout) + && !addr_failed->prop.ignore_error) + log_write(0, LOG_MAIN|LOG_PANIC, "internal error: bounce message " + "failure is neither frozen nor ignored (it's been ignored)"); + + addr_failed->prop.ignore_error = TRUE; + } + + /* If the first address on the list has af_ignore_error set, just remove + it from the list, throw away any saved message file, log it, and + mark the recipient done. 
*/ + + if ( addr_failed->prop.ignore_error + || addr_failed->dsn_flags & rf_dsnflags + && !(addr_failed->dsn_flags & rf_notify_failure) + ) + { + addr = addr_failed; + addr_failed = addr->next; + if (addr->return_filename) Uunlink(addr->return_filename); + +#ifndef DISABLE_EVENT + msg_event_raise(US"msg:fail:delivery", addr); +#endif + log_write(0, LOG_MAIN, "%s%s%s%s: error ignored%s", + addr->address, + !addr->parent ? US"" : US" <", + !addr->parent ? US"" : addr->parent->address, + !addr->parent ? US"" : US">", + addr->prop.ignore_error + ? US"" : US": RFC 3461 DSN, failure notify not requested"); + + address_done(addr, logtod); + child_done(addr, logtod); + /* Panic-dies on error */ + (void)spool_write_header(message_id, SW_DELIVERING, NULL); + } + + /* Otherwise, handle the sending of a message. Find the error address for + the first address, then send a message that includes all failed addresses + that have the same error address. Note the bounce_recipient is a global so + that it can be accessed by $bounce_recipient while creating a customized + error message. 
*/ + + else + { + if (!(bounce_recipient = addr_failed->prop.errors_address)) + bounce_recipient = sender_address; + + /* Make a subprocess to send a message */ + + if ((pid = child_open_exim(&fd, US"bounce-message")) < 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Process %d (parent %d) failed to " + "create child process to send failure message: %s", getpid(), + getppid(), strerror(errno)); + + /* Creation of child succeeded */ + + else + { + int ch, rc; + int filecount = 0; + int rcount = 0; + uschar *bcc, *emf_text; + FILE * fp = fdopen(fd, "wb"); + FILE * emf = NULL; + BOOL to_sender = strcmpic(sender_address, bounce_recipient) == 0; + int max = (bounce_return_size_limit/DELIVER_IN_BUFFER_SIZE + 1) * + DELIVER_IN_BUFFER_SIZE; + uschar * bound; + uschar *dsnlimitmsg; + uschar *dsnnotifyhdr; + int topt; + + DEBUG(D_deliver) + debug_printf("sending error message to: %s\n", bounce_recipient); + + /* Scan the addresses for all that have the same errors address, removing + them from the addr_failed chain, and putting them on msgchain. */ + + paddr = &addr_failed; + for (addr = addr_failed; addr; addr = *paddr) + if (Ustrcmp(bounce_recipient, addr->prop.errors_address + ? addr->prop.errors_address : sender_address) == 0) + { /* The same - dechain */ + *paddr = addr->next; + *pmsgchain = addr; + addr->next = NULL; + pmsgchain = &(addr->next); + } + else + paddr = &addr->next; /* Not the same; skip */ + + /* Include X-Failed-Recipients: for automatic interpretation, but do + not let any one header line get too long. We do this by starting a + new header every 50 recipients. Omit any addresses for which the + "hide_child" flag is set. */ + + for (addr = msgchain; addr; addr = addr->next) + { + if (testflag(addr, af_hide_child)) continue; + if (rcount >= 50) + { + fprintf(fp, "\n"); + rcount = 0; + } + fprintf(fp, "%s%s", + rcount++ == 0 + ? "X-Failed-Recipients: " + : ",\n ", + testflag(addr, af_pfr) && addr->parent + ? 
string_printing(addr->parent->address) + : string_printing(addr->address)); + } + if (rcount > 0) fprintf(fp, "\n"); + + /* Output the standard headers */ + + if (errors_reply_to) + fprintf(fp, "Reply-To: %s\n", errors_reply_to); + fprintf(fp, "Auto-Submitted: auto-replied\n"); + moan_write_from(fp); + fprintf(fp, "To: %s\n", bounce_recipient); + moan_write_references(fp, NULL); + + /* generate boundary string and output MIME-Headers */ + bound = string_sprintf(TIME_T_FMT "-eximdsn-%d", time(NULL), rand()); + + fprintf(fp, "Content-Type: multipart/report;" + " report-type=delivery-status; boundary=%s\n" + "MIME-Version: 1.0\n", + bound); + + /* Open a template file if one is provided. Log failure to open, but + carry on - default texts will be used. */ + + if (bounce_message_file) + emf = expand_open(bounce_message_file, + US"bounce_message_file", US"error"); + + /* Quietly copy to configured additional addresses if required. */ + + if ((bcc = moan_check_errorcopy(bounce_recipient))) + fprintf(fp, "Bcc: %s\n", bcc); + + /* The texts for the message can be read from a template file; if there + isn't one, or if it is too short, built-in texts are used. The first + emf text is a Subject: and any other headers. */ + + if ((emf_text = next_emf(emf, US"header"))) + fprintf(fp, "%s\n", emf_text); + else + fprintf(fp, "Subject: Mail delivery failed%s\n\n", + to_sender? ": returning message to sender" : ""); + + /* output human readable part as text/plain section */ + fprintf(fp, "--%s\n" + "Content-type: text/plain; charset=us-ascii\n\n", + bound); + + if ((emf_text = next_emf(emf, US"intro"))) + fprintf(fp, "%s", CS emf_text); + else + { + fprintf(fp, +/* This message has been reworded several times. It seems to be confusing to +somebody, however it is worded. I have retreated to the original, simple +wording. 
*/ +"This message was created automatically by mail delivery software.\n"); + + if (bounce_message_text) + fprintf(fp, "%s", CS bounce_message_text); + if (to_sender) + fprintf(fp, +"\nA message that you sent could not be delivered to one or more of its\n" +"recipients. This is a permanent error. The following address(es) failed:\n"); + else + fprintf(fp, +"\nA message sent by\n\n <%s>\n\n" +"could not be delivered to one or more of its recipients. The following\n" +"address(es) failed:\n", sender_address); + } + fputc('\n', fp); + + /* Process the addresses, leaving them on the msgchain if they have a + file name for a return message. (There has already been a check in + post_process_one() for the existence of data in the message file.) A TRUE + return from print_address_information() means that the address is not + hidden. */ + + paddr = &msgchain; + for (addr = msgchain; addr; addr = *paddr) + { + if (print_address_information(addr, fp, US" ", US"\n ", US"")) + print_address_error(addr, fp, US""); + + /* End the final line for the address */ + + fputc('\n', fp); + + /* Leave on msgchain if there's a return file. */ + + if (addr->return_file >= 0) + { + paddr = &(addr->next); + filecount++; + } + + /* Else save so that we can tick off the recipient when the + message is sent. */ + + else + { + *paddr = addr->next; + addr->next = handled_addr; + handled_addr = addr; + } + } + + fputc('\n', fp); + + /* Get the next text, whether we need it or not, so as to be + positioned for the one after. */ + + emf_text = next_emf(emf, US"generated text"); + + /* If there were any file messages passed by the local transports, + include them in the message. Then put the address on the handled chain. + In the case of a batch of addresses that were all sent to the same + transport, the return_file field in all of them will contain the same + fd, and the return_filename field in the *last* one will be set (to the + name of the file). 
*/ + + if (msgchain) + { + address_item *nextaddr; + + if (emf_text) + fprintf(fp, "%s", CS emf_text); + else + fprintf(fp, + "The following text was generated during the delivery " + "attempt%s:\n", (filecount > 1)? "s" : ""); + + for (addr = msgchain; addr; addr = nextaddr) + { + FILE *fm; + address_item *topaddr = addr; + + /* List all the addresses that relate to this file */ + + fputc('\n', fp); + while(addr) /* Insurance */ + { + print_address_information(addr, fp, US"------ ", US"\n ", + US" ------\n"); + if (addr->return_filename) break; + addr = addr->next; + } + fputc('\n', fp); + + /* Now copy the file */ + + if (!(fm = Ufopen(addr->return_filename, "rb"))) + fprintf(fp, " +++ Exim error... failed to open text file: %s\n", + strerror(errno)); + else + { + while ((ch = fgetc(fm)) != EOF) fputc(ch, fp); + (void)fclose(fm); + } + Uunlink(addr->return_filename); + + /* Can now add to handled chain, first fishing off the next + address on the msgchain. */ + + nextaddr = addr->next; + addr->next = handled_addr; + handled_addr = topaddr; + } + fputc('\n', fp); + } + + /* output machine readable part */ +#ifdef SUPPORT_I18N + if (message_smtputf8) + fprintf(fp, "--%s\n" + "Content-type: message/global-delivery-status\n\n" + "Reporting-MTA: dns; %s\n", + bound, smtp_active_hostname); + else +#endif + fprintf(fp, "--%s\n" + "Content-type: message/delivery-status\n\n" + "Reporting-MTA: dns; %s\n", + bound, smtp_active_hostname); + + if (dsn_envid) + { + /* must be decoded from xtext: see RFC 3461:6.3a */ + uschar *xdec_envid; + if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0) + fprintf(fp, "Original-Envelope-ID: %s\n", dsn_envid); + else + fprintf(fp, "X-Original-Envelope-ID: error decoding xtext formatted ENVID\n"); + } + fputc('\n', fp); + + for (addr = handled_addr; addr; addr = addr->next) + { + host_item * hu; + + print_dsn_addr_action(fp, addr, US"failed", US"5.0.0"); + + if ((hu = addr->host_used) && hu->name) + { + fprintf(fp, "Remote-MTA: dns; %s\n", 
hu->name); +#ifdef EXPERIMENTAL_DSN_INFO + { + const uschar * s; + if (hu->address) + { + uschar * p = hu->port == 25 + ? US"" : string_sprintf(":%d", hu->port); + fprintf(fp, "Remote-MTA: X-ip; [%s]%s\n", hu->address, p); + } + if ((s = addr->smtp_greeting) && *s) + fprintf(fp, "X-Remote-MTA-smtp-greeting: X-str; %.900s\n", s); + if ((s = addr->helo_response) && *s) + fprintf(fp, "X-Remote-MTA-helo-response: X-str; %.900s\n", s); + if ((s = addr->message) && *s) + fprintf(fp, "X-Exim-Diagnostic: X-str; %.900s\n", s); + } +#endif + print_dsn_diagnostic_code(addr, fp); + } + fputc('\n', fp); + } + + /* Now copy the message, trying to give an intelligible comment if + it is too long for it all to be copied. The limit isn't strictly + applied because of the buffering. There is, however, an option + to suppress copying altogether. */ + + emf_text = next_emf(emf, US"copy"); + + /* add message body + we ignore the intro text from template and add + the text for bounce_return_size_limit at the end. + + bounce_return_message is ignored + in case RET= is defined we honor these values + otherwise bounce_return_body is honored. + + bounce_return_size_limit is always honored. + */ + + fprintf(fp, "--%s\n", bound); + + dsnlimitmsg = US"X-Exim-DSN-Information: Due to administrative limits only headers are returned"; + dsnnotifyhdr = NULL; + topt = topt_add_return_path; + + /* RET=HDRS? top priority */ + if (dsn_ret == dsn_ret_hdrs) + topt |= topt_no_body; + else + { + struct stat statbuf; + + /* no full body return at all? */ + if (!bounce_return_body) + { + topt |= topt_no_body; + /* add header if we overrule RET=FULL */ + if (dsn_ret == dsn_ret_full) + dsnnotifyhdr = dsnlimitmsg; + } + /* line length limited... return headers only if oversize */ + /* size limited ... 
return headers only if limit reached */ + else if ( max_received_linelength > bounce_return_linesize_limit + || ( bounce_return_size_limit > 0 + && fstat(deliver_datafile, &statbuf) == 0 + && statbuf.st_size > max + ) ) + { + topt |= topt_no_body; + dsnnotifyhdr = dsnlimitmsg; + } + } + +#ifdef SUPPORT_I18N + if (message_smtputf8) + fputs(topt & topt_no_body ? "Content-type: message/global-headers\n\n" + : "Content-type: message/global\n\n", + fp); + else +#endif + fputs(topt & topt_no_body ? "Content-type: text/rfc822-headers\n\n" + : "Content-type: message/rfc822\n\n", + fp); + + fflush(fp); + transport_filter_argv = NULL; /* Just in case */ + return_path = sender_address; /* In case not previously set */ + { /* Dummy transport for headers add */ + transport_ctx tctx = {{0}}; + transport_instance tb = {0}; + + tctx.u.fd = fileno(fp); + tctx.tblock = &tb; + tctx.options = topt; + tb.add_headers = dsnnotifyhdr; + + /*XXX no checking for failure! buggy! */ + transport_write_message(&tctx, 0); + } + fflush(fp); + + /* we never add the final text. close the file */ + if (emf) + (void)fclose(emf); + + fprintf(fp, "\n--%s--\n", bound); + + /* Close the file, which should send an EOF to the child process + that is receiving the message. Wait for it to finish. */ + + (void)fclose(fp); + rc = child_close(pid, 0); /* Waits for child to close, no timeout */ + + /* If the process failed, there was some disaster in setting up the + error message. Unless the message is very old, ensure that addr_defer + is non-null, which will have the effect of leaving the message on the + spool. The failed addresses will get tried again next time. However, we + don't really want this to happen too often, so freeze the message unless + there are some genuine deferred addresses to try. To do this we have + to call spool_write_header() here, because with no genuine deferred + addresses the normal code below doesn't get run. 
*/ + + if (rc != 0) + { + uschar *s = US""; + if (now - received_time.tv_sec < retry_maximum_timeout && !addr_defer) + { + addr_defer = (address_item *)(+1); + f.deliver_freeze = TRUE; + deliver_frozen_at = time(NULL); + /* Panic-dies on error */ + (void)spool_write_header(message_id, SW_DELIVERING, NULL); + s = US" (frozen)"; + } + deliver_msglog("Process failed (%d) when writing error message " + "to %s%s", rc, bounce_recipient, s); + log_write(0, LOG_MAIN, "Process failed (%d) when writing error message " + "to %s%s", rc, bounce_recipient, s); + } + + /* The message succeeded. Ensure that the recipients that failed are + now marked finished with on the spool and their parents updated. */ + + else + { + for (addr = handled_addr; addr; addr = addr->next) + { + address_done(addr, logtod); + child_done(addr, logtod); + } + /* Panic-dies on error */ + (void)spool_write_header(message_id, SW_DELIVERING, NULL); + } + } + } + } + +f.disable_logging = FALSE; /* In case left set */ + +/* Come here from the mua_wrapper case if routing goes wrong */ + +DELIVERY_TIDYUP: + +/* If there are now no deferred addresses, we are done. Preserve the +message log if so configured, and we are using them. Otherwise, sling it. +Then delete the message itself. */ + +if (!addr_defer) + { + uschar * fname; + + if (message_logs) + { + fname = spool_fname(US"msglog", message_subdir, id, US""); + if (preserve_message_logs) + { + int rc; + uschar * moname = spool_fname(US"msglog.OLD", US"", id, US""); + + if ((rc = Urename(fname, moname)) < 0) + { + (void)directory_make(spool_directory, + spool_sname(US"msglog.OLD", US""), + MSGLOG_DIRECTORY_MODE, TRUE); + rc = Urename(fname, moname); + } + if (rc < 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to move %s to the " + "msglog.OLD directory", fname); + } + else + if (Uunlink(fname) < 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s", + fname, strerror(errno)); + } + + /* Remove the two message files. 
*/ + + fname = spool_fname(US"input", message_subdir, id, US"-D"); + if (Uunlink(fname) < 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s", + fname, strerror(errno)); + fname = spool_fname(US"input", message_subdir, id, US"-H"); + if (Uunlink(fname) < 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s", + fname, strerror(errno)); + + /* Log the end of this message, with queue time if requested. */ + + if (LOGGING(queue_time_overall)) + log_write(0, LOG_MAIN, "Completed QT=%s", string_timesince(&received_time)); + else + log_write(0, LOG_MAIN, "Completed"); + + /* Unset deliver_freeze so that we won't try to move the spool files further down */ + f.deliver_freeze = FALSE; + +#ifndef DISABLE_EVENT + (void) event_raise(event_action, US"msg:complete", NULL); +#endif + } + +/* If there are deferred addresses, we are keeping this message because it is +not yet completed. Lose any temporary files that were catching output from +pipes for any of the deferred addresses, handle one-time aliases, and see if +the message has been on the queue for so long that it is time to send a warning +message to the sender, unless it is a mailer-daemon. If all deferred addresses +have the same domain, we can set deliver_domain for the expansion of +delay_warning_ condition - if any of them are pipes, files, or autoreplies, use +the parent's domain. + +If all the deferred addresses have an error number that indicates "retry time +not reached", skip sending the warning message, because it won't contain the +reason for the delay. It will get sent at the next real delivery attempt. + Exception: for retries caused by a remote peer we use the error message + store in the retry DB as the reason. +However, if at least one address has tried, we'd better include all of them in +the message. + +If we can't make a process to send the message, don't worry. + +For mailing list expansions we want to send the warning message to the +mailing list manager. 
We can't do a perfect job here, as some addresses may +have different errors addresses, but if we take the errors address from +each deferred address it will probably be right in most cases. + +If addr_defer == +1, it means there was a problem sending an error message +for failed addresses, and there were no "real" deferred addresses. The value +was set just to keep the message on the spool, so there is nothing to do here. +*/ + +else if (addr_defer != (address_item *)(+1)) + { + uschar *recipients = US""; + BOOL want_warning_msg = FALSE; + + deliver_domain = testflag(addr_defer, af_pfr) + ? addr_defer->parent->domain : addr_defer->domain; + + for (address_item * addr = addr_defer; addr; addr = addr->next) + { + address_item *otaddr; + + if (addr->basic_errno > ERRNO_WARN_BASE) want_warning_msg = TRUE; + + if (deliver_domain) + { + const uschar *d = testflag(addr, af_pfr) + ? addr->parent->domain : addr->domain; + + /* The domain may be unset for an address that has never been routed + because the system filter froze the message. */ + + if (!d || Ustrcmp(d, deliver_domain) != 0) + deliver_domain = NULL; + } + + if (addr->return_filename) Uunlink(addr->return_filename); + + /* Handle the case of one-time aliases. If any address in the ancestry + of this one is flagged, ensure it is in the recipients list, suitably + flagged, and that its parent is marked delivered. */ + + for (otaddr = addr; otaddr; otaddr = otaddr->parent) + if (otaddr->onetime_parent) break; + + if (otaddr) + { + int i; + int t = recipients_count; + + for (i = 0; i < recipients_count; i++) + { + uschar *r = recipients_list[i].address; + if (Ustrcmp(otaddr->onetime_parent, r) == 0) t = i; + if (Ustrcmp(otaddr->address, r) == 0) break; + } + + /* Didn't find the address already in the list, and did find the + ultimate parent's address in the list, and they really are different + (i.e. not from an identity-redirect). After adding the recipient, + update the errors address in the recipients list. 
*/ + + if ( i >= recipients_count && t < recipients_count + && Ustrcmp(otaddr->address, otaddr->parent->address) != 0) + { + DEBUG(D_deliver) debug_printf("one_time: adding %s in place of %s\n", + otaddr->address, otaddr->parent->address); + receive_add_recipient(otaddr->address, t); + recipients_list[recipients_count-1].errors_to = otaddr->prop.errors_address; + tree_add_nonrecipient(otaddr->parent->address); + update_spool = TRUE; + } + } + + /* Except for error messages, ensure that either the errors address for + this deferred address or, if there is none, the sender address, is on the + list of recipients for a warning message. */ + + if (sender_address[0]) + { + uschar * s = addr->prop.errors_address; + if (!s) s = sender_address; + if (Ustrstr(recipients, s) == NULL) + recipients = string_sprintf("%s%s%s", recipients, + recipients[0] ? "," : "", s); + } + } + + /* Send a warning message if the conditions are right. If the condition check + fails because of a lookup defer, there is nothing we can do. The warning + is not sent. Another attempt will be made at the next delivery attempt (if + it also defers). 
*/ + + if ( !f.queue_2stage + && want_warning_msg + && ( !(addr_defer->dsn_flags & rf_dsnflags) + || addr_defer->dsn_flags & rf_notify_delay + ) + && delay_warning[1] > 0 + && sender_address[0] != 0 + && ( !delay_warning_condition + || expand_check_condition(delay_warning_condition, + US"delay_warning", US"option") + ) + ) + { + int count; + int show_time; + int queue_time = time(NULL) - received_time.tv_sec; + + queue_time = test_harness_fudged_queue_time(queue_time); + + /* See how many warnings we should have sent by now */ + + for (count = 0; count < delay_warning[1]; count++) + if (queue_time < delay_warning[count+2]) break; + + show_time = delay_warning[count+1]; + + if (count >= delay_warning[1]) + { + int extra; + int last_gap = show_time; + if (count > 1) last_gap -= delay_warning[count]; + extra = (queue_time - delay_warning[count+1])/last_gap; + show_time += last_gap * extra; + count += extra; + } + + DEBUG(D_deliver) + { + debug_printf("time on queue = %s id %s addr %s\n", + readconf_printtime(queue_time), message_id, addr_defer->address); + debug_printf("warning counts: required %d done %d\n", count, + warning_count); + } + + /* We have computed the number of warnings there should have been by now. + If there haven't been enough, send one, and up the count to what it should + have been. */ + + if (warning_count < count) + { + header_line *h; + int fd; + pid_t pid = child_open_exim(&fd, US"delay-warning-message"); + + if (pid > 0) + { + uschar * wmf_text; + FILE * wmf = NULL; + FILE * f = fdopen(fd, "wb"); + uschar * bound; + transport_ctx tctx = {{0}}; + + if (warn_message_file) + wmf = expand_open(warn_message_file, + US"warn_message_file", US"warning"); + + warnmsg_recipients = recipients; + warnmsg_delay = queue_time < 120*60 + ? 
string_sprintf("%d minutes", show_time/60)
+ : string_sprintf("%d hours", show_time/3600);
+
+ if (errors_reply_to)
+ fprintf(f, "Reply-To: %s\n", errors_reply_to);
+ fprintf(f, "Auto-Submitted: auto-replied\n");
+ moan_write_from(f);
+ fprintf(f, "To: %s\n", recipients);
+ moan_write_references(f, NULL);
+
+ /* generated boundary string and output MIME-Headers */
+ bound = string_sprintf(TIME_T_FMT "-eximdsn-%d", time(NULL), rand());
+
+ fprintf(f, "Content-Type: multipart/report;"
+ " report-type=delivery-status; boundary=%s\n"
+ "MIME-Version: 1.0\n",
+ bound);
+
+ if ((wmf_text = next_emf(wmf, US"header")))
+ fprintf(f, "%s\n", wmf_text);
+ else
+ fprintf(f, "Subject: Warning: message %s delayed %s\n\n",
+ message_id, warnmsg_delay);
+
+ /* output human readable part as text/plain section */
+ fprintf(f, "--%s\n"
+ "Content-type: text/plain; charset=us-ascii\n\n",
+ bound);
+
+ if ((wmf_text = next_emf(wmf, US"intro")))
+ fprintf(f, "%s", CS wmf_text);
+ else
+ {
+ fprintf(f,
+"This message was created automatically by mail delivery software.\n");
+
+ if (Ustrcmp(recipients, sender_address) == 0)
+ fprintf(f,
+"A message that you sent has not yet been delivered to one or more of its\n"
+"recipients after more than ");
+
+ else
+ fprintf(f,
+"A message sent by\n\n <%s>\n\n"
+"has not yet been delivered to one or more of its recipients after more than \n",
+ sender_address);
+
+ fprintf(f, "%s on the queue on %s.\n\n"
+ "The message identifier is: %s\n",
+ warnmsg_delay, primary_hostname, message_id);
+
+ for (h = header_list; h; h = h->next)
+ if (strncmpic(h->text, US"Subject:", 8) == 0)
+ fprintf(f, "The subject of the message is: %s", h->text + 9);
+ else if (strncmpic(h->text, US"Date:", 5) == 0)
+ fprintf(f, "The date of the message is: %s", h->text + 6);
+ fputc('\n', f);
+
+ fprintf(f, "The address%s to which the message has not yet been "
+ "delivered %s:\n",
+ !addr_defer->next ? "" : "es",
+ !addr_defer->next ? "is": "are");
+ }
+
+ /* List the addresses, with error information if allowed */
+
+ fputc('\n', f);
+ for (address_item * addr = addr_defer; addr; addr = addr->next)
+ {
+ if (print_address_information(addr, f, US" ", US"\n ", US""))
+ print_address_error(addr, f, US"Delay reason: ");
+ fputc('\n', f);
+ }
+ fputc('\n', f);
+
+ /* Final text */
+
+ if (wmf)
+ {
+ if ((wmf_text = next_emf(wmf, US"final")))
+ fprintf(f, "%s", CS wmf_text);
+ (void)fclose(wmf);
+ }
+ else
+ {
+ fprintf(f,
+"No action is required on your part. Delivery attempts will continue for\n"
+"some time, and this warning may be repeated at intervals if the message\n"
+"remains undelivered. Eventually the mail delivery software will give up,\n"
+"and when that happens, the message will be returned to you.\n");
+ }
+
+ /* output machine readable part */
+ fprintf(f, "\n--%s\n"
+ "Content-type: message/delivery-status\n\n"
+ "Reporting-MTA: dns; %s\n",
+ bound,
+ smtp_active_hostname);
+
+
+ if (dsn_envid)
+ {
+ /* must be decoded from xtext: see RFC 3461:6.3a */
+ uschar *xdec_envid;
+ if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0)
+ fprintf(f,"Original-Envelope-ID: %s\n", dsn_envid);
+ else
+ fprintf(f,"X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
+ }
+ fputc('\n', f);
+
+ for (address_item * addr = addr_defer; addr; addr = addr->next)
+ {
+ host_item * hu;
+
+ print_dsn_addr_action(f, addr, US"delayed", US"4.0.0");
+
+ if ((hu = addr->host_used) && hu->name)
+ {
+ fprintf(f, "Remote-MTA: dns; %s\n", hu->name);
+ print_dsn_diagnostic_code(addr, f);
+ }
+ fputc('\n', f);
+ }
+
+ fprintf(f, "--%s\n"
+ "Content-type: text/rfc822-headers\n\n",
+ bound);
+
+ fflush(f);
+ /* header only as required by RFC. only failure DSN needs to honor RET=FULL */
+ tctx.u.fd = fileno(f);
+ tctx.options = topt_add_return_path | topt_no_body;
+ transport_filter_argv = NULL; /* Just in case */
+ return_path = sender_address; /* In case not previously set */
+
+ /* Write the original email out */
+ /*XXX no checking for failure! buggy! */
+ transport_write_message(&tctx, 0);
+ fflush(f);
+
+ fprintf(f,"\n--%s--\n", bound);
+
+ fflush(f);
+
+ /* Close and wait for child process to complete, without a timeout.
+ If there's an error, don't update the count. */
+
+ (void)fclose(f);
+ if (child_close(pid, 0) == 0)
+ {
+ warning_count = count;
+ update_spool = TRUE; /* Ensure spool rewritten */
+ }
+ }
+ }
+ }
+
+ /* Clear deliver_domain */
+
+ deliver_domain = NULL;
+
+ /* If this was a first delivery attempt, unset the first time flag, and
+ ensure that the spool gets updated. */
+
+ if (f.deliver_firsttime)
+ {
+ f.deliver_firsttime = FALSE;
+ update_spool = TRUE;
+ }
+
+ /* If delivery was frozen and freeze_tell is set, generate an appropriate
+ message, unless the message is a local error message (to avoid loops). Then
+ log the freezing. If the text in "frozen_info" came from a system filter,
+ it has been escaped into printing characters so as not to mess up log lines.
+ For the "tell" message, we turn \n back into newline. Also, insert a newline
+ near the start instead of the ": " string. */
+
+ if (f.deliver_freeze)
+ {
+ if (freeze_tell && freeze_tell[0] != 0 && !f.local_error_message)
+ {
+ uschar *s = string_copy(frozen_info);
+ uschar *ss = Ustrstr(s, " by the system filter: ");
+
+ if (ss != NULL)
+ {
+ ss[21] = '.';
+ ss[22] = '\n';
+ }
+
+ ss = s;
+ while (*ss != 0)
+ {
+ if (*ss == '\\' && ss[1] == 'n')
+ {
+ *ss++ = ' ';
+ *ss++ = '\n';
+ }
+ else ss++;
+ }
+ moan_tell_someone(freeze_tell, addr_defer, US"Message frozen",
+ "Message %s has been frozen%s.\nThe sender is <%s>.\n", message_id,
+ s, sender_address);
+ }
+
+ /* Log freezing just before we update the -H file, to minimize the chance
+ of a race problem. */
+
+ deliver_msglog("*** Frozen%s\n", frozen_info);
+ log_write(0, LOG_MAIN, "Frozen%s", frozen_info);
+ }
+
+ /* If there have been any updates to the non-recipients list, or other things
+ that get written to the spool, we must now update the spool header file so
+ that it has the right information for the next delivery attempt. If there
+ was more than one address being delivered, the header_change update is done
+ earlier, in case one succeeds and then something crashes. */
+
+ DEBUG(D_deliver)
+ debug_printf("delivery deferred: update_spool=%d header_rewritten=%d\n",
+ update_spool, f.header_rewritten);
+
+ if (update_spool || f.header_rewritten)
+ /* Panic-dies on error */
+ (void)spool_write_header(message_id, SW_DELIVERING, NULL);
+ }
+
+/* Finished with the message log. If the message is complete, it will have
+been unlinked or renamed above. */
+
+if (message_logs) (void)fclose(message_log);
+
+/* Now we can close and remove the journal file. Its only purpose is to record
+successfully completed deliveries asap so that this information doesn't get
+lost if Exim (or the machine) crashes. Forgetting about a failed delivery is
+not serious, as trying it again is not harmful. The journal might not be open
+if all addresses were deferred at routing or directing. Nevertheless, we must
+remove it if it exists (may have been lying around from a crash during the
+previous delivery attempt). We don't remove the journal if a delivery
+subprocess failed to pass back delivery information; this is controlled by
+the remove_journal flag. When the journal is left, we also don't move the
+message off the main spool if frozen and the option is set. It should get moved
+at the next attempt, after the journal has been inspected. */
+
+if (journal_fd >= 0) (void)close(journal_fd);
+
+if (remove_journal)
+ {
+ uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");
+
+ if (Uunlink(fname) < 0 && errno != ENOENT)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s", fname,
+ strerror(errno));
+
+ /* Move the message off the spool if requested */
+
+#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
+ if (f.deliver_freeze && move_frozen_messages)
+ (void)spool_move_message(id, message_subdir, US"", US"F");
+#endif
+ }
+
+/* Closing the data file frees the lock; if the file has been unlinked it
+will go away. Otherwise the message becomes available for another process
+to try delivery. */
+
+(void)close(deliver_datafile);
+deliver_datafile = -1;
+DEBUG(D_deliver) debug_printf("end delivery of %s\n", id);
+#ifdef MEASURE_TIMING
+report_time_since(×tamp_startup, US"delivery end"); /* testcase 0005 */
+#endif
+
+/* It is unlikely that there will be any cached resources, since they are
+released after routing, and in the delivery subprocesses. However, it's
+possible for an expansion for something afterwards (for example,
+expand_check_condition) to do a lookup. We must therefore be sure everything is
+released. */
+
+search_tidyup();
+acl_where = ACL_WHERE_UNKNOWN;
+return final_yield;
+}
+
+
+
+void
+tcp_init(void)
+{
+#ifdef EXIM_TFO_PROBE
+tfo_probe();
+#else
+f.tcp_fastopen_ok = TRUE;
+#endif
+}
+
+
+uschar *
+deliver_get_sender_address (uschar * id)
+{
+int rc;
+uschar * new_sender_address,
+ * save_sender_address;
+BOOL save_qr = f.queue_running;
+uschar * spoolname;
+
+/* make spool_open_datafile non-noisy on fail */
+
+f.queue_running = TRUE;
+
+/* Side effect: message_subdir is set for the (possibly split) spool directory */
+
+deliver_datafile = spool_open_datafile(id);
+f.queue_running = save_qr;
+if (deliver_datafile < 0)
+ return NULL;
+
+/* Save and restore the global sender_address. I'm not sure if we should
+not save/restore all the other global variables too, because
+spool_read_header() may change all of them. But OTOH, when this
+deliver_get_sender_address() gets called, the current message is done
+already and nobody needs the globals anymore. (HS12, 2015-08-21) */
+
+spoolname = string_sprintf("%s-H", id);
+save_sender_address = sender_address;
+
+rc = spool_read_header(spoolname, TRUE, TRUE);
+
+new_sender_address = sender_address;
+sender_address = save_sender_address;
+
+if (rc != spool_read_OK)
+ return NULL;
+
+assert(new_sender_address);
+
+(void)close(deliver_datafile);
+deliver_datafile = -1;
+
+return new_sender_address;
+}
+
+
+
+void
+delivery_re_exec(int exec_type)
+{
+uschar * where;
+
+if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
+ {
+ int channel_fd = cutthrough.cctx.sock;
+
+ smtp_peer_options = cutthrough.peer_options;
+ continue_sequence = 0;
+
+#ifndef DISABLE_TLS
+ if (cutthrough.is_tls)
+ {
+ int pfd[2], pid;
+
+ smtp_peer_options |= OPTION_TLS;
+ sending_ip_address = cutthrough.snd_ip;
+ sending_port = cutthrough.snd_port;
+
+ where = US"socketpair";
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, pfd) != 0)
+ goto fail;
+
+ where = US"fork";
+ testharness_pause_ms(150);
+ if ((pid = exim_fork(US"tls-proxy-interproc")) < 0)
+ goto fail;
+
+ if (pid == 0) /* child: will fork again to totally disconnect */
+ {
+ smtp_proxy_tls(cutthrough.cctx.tls_ctx, big_buffer, big_buffer_size,
+ pfd, 5*60);
+ /* does not return */
+ }
+
+ close(pfd[0]);
+ waitpid(pid, NULL, 0);
+ (void) close(channel_fd); /* release the client socket */
+ channel_fd = pfd[1];
+ }
+#endif
+
+ transport_do_pass_socket(cutthrough.transport, cutthrough.host.name,
+ cutthrough.host.address, message_id, channel_fd);
+ }
+else
+ {
+ cancel_cutthrough_connection(TRUE, US"non-continued delivery");
+ (void) child_exec_exim(exec_type, FALSE, NULL, FALSE, 2, US"-Mc", message_id);
+ }
+return; /* compiler quietening; control does not reach here. */
+
+#ifndef DISABLE_TLS
+fail:
+ log_write(0,
+ LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE),
+ "delivery re-exec %s failed: %s", where, strerror(errno));
+
+ /* Get here if exec_type == CEE_EXEC_EXIT.
+ Note: this must be _exit(), not exit(). */
+
+ _exit(EX_EXECFAILED);
+#endif
+}
+
+/* vi: aw ai sw=2
+*/
+/* End of deliver.c */ |