summaryrefslogtreecommitdiffstats
path: root/src/spool_out.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/spool_out.c')
-rw-r--r--src/spool_out.c563
1 files changed, 563 insertions, 0 deletions
diff --git a/src/spool_out.c b/src/spool_out.c
new file mode 100644
index 0000000..a0c6995
--- /dev/null
+++ b/src/spool_out.c
@@ -0,0 +1,563 @@
+/*************************************************
+* Exim - an Internet mail transport agent *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions for writing spool files, and moving them about. */
+
+
+#include "exim.h"
+
+
+
+/*************************************************
+* Deal with header writing errors *
+*************************************************/
+
+/* This function is called immediately after errors in writing the spool, with
+errno still set. It creates an error message, depending on the circumstances.
+If errmsg is NULL, it logs the message and panic-dies. Otherwise errmsg is set
+to point to the message, and -1 is returned. This function makes the code of
+spool_write_header() a bit neater.
+
+Arguments:
+ where SW_RECEIVING, SW_DELIVERING, or SW_MODIFYING
+ errmsg where to put the message; NULL => panic-die
+ s text to add to log string
+ temp_name name of temp file to unlink
+ f FILE to close, if not NULL
+
+Returns: -1 if errmsg is not NULL; otherwise doesn't return
+*/
+
+static int
+spool_write_error(int where, uschar **errmsg, uschar *s, uschar *temp_name,
+ FILE *f)
+{
+uschar *msg = where == SW_RECEIVING
+ ? string_sprintf("spool file %s error while receiving from %s: %s", s,
+ sender_fullhost ? sender_fullhost : sender_ident,
+ strerror(errno))
+ : string_sprintf("spool file %s error while %s: %s", s,
+ where == SW_DELIVERING ? "delivering" : "modifying",
+ strerror(errno));
+
+if (temp_name) Uunlink(temp_name);
+if (f) (void)fclose(f);
+
+if (errmsg)
+ *errmsg = msg;
+else
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", msg);
+
+return -1;
+}
+
+
+
+/*************************************************
+* Open file under temporary name *
+*************************************************/
+
+/* This is used for opening spool files under a temporary name,
+with a single attempt at deleting if they already exist.
+
+Argument: temporary name for spool header file
+Returns: file descriptor of open file, or < 0 on failure, with errno unchanged
+*/
+
+int
+spool_open_temp(uschar *temp_name)
+{
+int fd = Uopen(temp_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE);
+
+/* If the file already exists, something has gone wrong. This process may well
+have previously created the file if it is delivering more than one address, but
+it should have renamed it almost immediately. A file could, however, be left
+around as a result of a system crash, and by coincidence this process might
+have the same pid. We therefore have one go at unlinking it before giving up.
+*/
+
+if (fd < 0 && errno == EEXIST)
+ {
+ DEBUG(D_any) debug_printf("%s exists: unlinking\n", temp_name);
+ Uunlink(temp_name);
+ fd = Uopen(temp_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE);
+ }
+
+/* If the file has been opened, make sure the file's group is the Exim gid, and
+double-check the mode because the group setting doesn't always get set
+automatically. */
+
+if (fd >= 0)
+ if (exim_fchown(fd, exim_uid, exim_gid, temp_name) || fchmod(fd, SPOOL_MODE))
+ {
+ DEBUG(D_any) debug_printf("failed setting perms on %s\n", temp_name);
+ (void) close(fd); fd = -1;
+ Uunlink(temp_name);
+ }
+
+return fd;
+}
+
+
+
+static const uschar *
+zap_newlines(const uschar *s)
+{
+uschar *z, *p;
+
+if (Ustrchr(s, '\n') == NULL) return s;
+
+p = z = string_copy(s);
+while ((p = Ustrchr(p, '\n')) != NULL) *p++ = ' ';
+return z;
+}
+
+static void
+spool_var_write(FILE * fp, const uschar * name, const uschar * val)
+{
+if (is_tainted(val)) putc('-', fp);
+fprintf(fp, "-%s %s\n", name, val);
+}
+
+/*************************************************
+* Write the header spool file *
+*************************************************/
+
+/* Returns the size of the file for success; zero for failure. The file is
+written under a temporary name, and then renamed. It's done this way so that it
+works with re-writing the file on message deferral as well as for the initial
+write. Whenever this function is called, the data file for the message should
+be open and locked, thus preventing any other exim process from working on this
+message.
+
+Argument:
+ id the message id
+ where SW_RECEIVING, SW_DELIVERING, or SW_MODIFYING
+ errmsg where to put an error message; if NULL, panic-die on error
+
+Returns: the size of the header texts on success;
+ negative on writing failure, unless errmsg == NULL
+*/
+
+int
+spool_write_header(uschar *id, int where, uschar **errmsg)
+{
+int fd;
+int size_correction;
+FILE * fp;
+struct stat statbuf;
+uschar * tname;
+uschar * fname;
+
+tname = spool_fname(US"input", message_subdir, US"hdr.", message_id);
+
+if ((fd = spool_open_temp(tname)) < 0)
+ return spool_write_error(where, errmsg, US"open", NULL, NULL);
+fp = fdopen(fd, "wb");
+DEBUG(D_receive|D_deliver) debug_printf("Writing spool header file: %s\n", tname);
+
+/* We now have an open file to which the header data is to be written. Start
+with the file's leaf name, to make the file self-identifying. Continue with the
+identity of the submitting user, followed by the sender's address. The sender's
+address is enclosed in <> because it might be the null address. Then write the
+received time and the number of warning messages that have been sent. */
+
+fprintf(fp, "%s-H\n", message_id);
+fprintf(fp, "%.63s %ld %ld\n", originator_login, (long int)originator_uid,
+ (long int)originator_gid);
+fprintf(fp, "<%s>\n", sender_address);
+fprintf(fp, "%d %d\n", (int)received_time.tv_sec, warning_count);
+
+fprintf(fp, "-received_time_usec .%06d\n", (int)received_time.tv_usec);
+
+/* If there is information about a sending host, remember it. The HELO
+data can be set for local SMTP as well as remote. */
+
+if (sender_helo_name) spool_var_write(fp, US"helo_name", sender_helo_name);
+
+if (sender_host_address)
+ {
+ if (is_tainted(sender_host_address)) putc('-', fp);
+ fprintf(fp, "-host_address %s.%d\n", sender_host_address, sender_host_port);
+ if (sender_host_name)
+ spool_var_write(fp, US"host_name", sender_host_name);
+ }
+if (sender_host_authenticated)
+ spool_var_write(fp, US"host_auth", sender_host_authenticated);
+if (sender_host_auth_pubname)
+ spool_var_write(fp, US"host_auth_pubname", sender_host_auth_pubname);
+
+/* Also about the interface a message came in on */
+
+if (interface_address)
+ {
+ if (is_tainted(interface_address)) putc('-', fp);
+ fprintf(fp, "-interface_address %s.%d\n", interface_address, interface_port);
+ }
+
+if (smtp_active_hostname != primary_hostname)
+ spool_var_write(fp, US"active_hostname", smtp_active_hostname);
+
+/* Likewise for any ident information; for local messages this is
+likely to be the same as originator_login, but will be different if
+the originator was root, forcing a different ident. */
+
+if (sender_ident)
+ spool_var_write(fp, US"ident", sender_ident);
+
+/* Ditto for the received protocol */
+
+if (received_protocol)
+ spool_var_write(fp, US"received_protocol", received_protocol);
+
+/* Preserve any ACL variables that are set. */
+
+tree_walk(acl_var_c, &acl_var_write, fp);
+tree_walk(acl_var_m, &acl_var_write, fp);
+
+/* Now any other data that needs to be remembered. */
+
+if (f.spool_file_wireformat)
+ fprintf(fp, "-spool_file_wireformat\n");
+else
+ fprintf(fp, "-body_linecount %d\n", body_linecount);
+fprintf(fp, "-max_received_linelength %d\n", max_received_linelength);
+
+if (body_zerocount > 0) fprintf(fp, "-body_zerocount %d\n", body_zerocount);
+
+if (authenticated_id)
+ spool_var_write(fp, US"auth_id", authenticated_id);
+if (authenticated_sender)
+ spool_var_write(fp, US"auth_sender", zap_newlines(authenticated_sender));
+
+if (f.allow_unqualified_recipient) fprintf(fp, "-allow_unqualified_recipient\n");
+if (f.allow_unqualified_sender) fprintf(fp, "-allow_unqualified_sender\n");
+if (f.deliver_firsttime) fprintf(fp, "-deliver_firsttime\n");
+if (f.deliver_freeze) fprintf(fp, "-frozen " TIME_T_FMT "\n", deliver_frozen_at);
+if (f.dont_deliver) fprintf(fp, "-N\n");
+if (host_lookup_deferred) fprintf(fp, "-host_lookup_deferred\n");
+if (host_lookup_failed) fprintf(fp, "-host_lookup_failed\n");
+if (f.sender_local) fprintf(fp, "-local\n");
+if (f.local_error_message) fprintf(fp, "-localerror\n");
+#ifdef HAVE_LOCAL_SCAN
+if (local_scan_data) spool_var_write(fp, US"local_scan", local_scan_data);
+#endif
+#ifdef WITH_CONTENT_SCAN
+if (spam_bar) spool_var_write(fp, US"spam_bar", spam_bar);
+if (spam_score) spool_var_write(fp, US"spam_score", spam_score);
+if (spam_score_int) spool_var_write(fp, US"spam_score_int", spam_score_int);
+#endif
+if (f.deliver_manual_thaw) fprintf(fp, "-manual_thaw\n");
+if (f.sender_set_untrusted) fprintf(fp, "-sender_set_untrusted\n");
+
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+if (bmi_verdicts) spool_var_write(fp, US"bmi_verdicts", bmi_verdicts);
+#endif
+
+#ifndef DISABLE_TLS
+if (tls_in.certificate_verified) fprintf(fp, "-tls_certificate_verified\n");
+if (tls_in.cipher) spool_var_write(fp, US"tls_cipher", tls_in.cipher);
+if (tls_in.peercert)
+ {
+ if (tls_export_cert(big_buffer, big_buffer_size, tls_in.peercert))
+ fprintf(fp, "--tls_peercert %s\n", CS big_buffer);
+ }
+if (tls_in.peerdn) spool_var_write(fp, US"tls_peerdn", string_printing(tls_in.peerdn));
+if (tls_in.sni) spool_var_write(fp, US"tls_sni", string_printing(tls_in.sni));
+if (tls_in.ourcert)
+ {
+ if (tls_export_cert(big_buffer, big_buffer_size, tls_in.ourcert))
+ fprintf(fp, "-tls_ourcert %s\n", CS big_buffer);
+ }
+if (tls_in.ocsp) fprintf(fp, "-tls_ocsp %d\n", tls_in.ocsp);
+# ifdef EXPERIMENTAL_TLS_RESUME
+fprintf(fp, "-tls_resumption %c\n", 'A' + tls_in.resumption);
+# endif
+if (tls_in.ver) spool_var_write(fp, US"tls_ver", tls_in.ver);
+#endif
+
+#ifdef SUPPORT_I18N
+if (message_smtputf8)
+ {
+ fprintf(fp, "-smtputf8\n");
+ if (message_utf8_downconvert)
+ fprintf(fp, "-utf8_%sdowncvt\n", message_utf8_downconvert < 0 ? "opt" : "");
+ }
+#endif
+
+/* Write the dsn flags to the spool header file */
+/* DEBUG(D_deliver) debug_printf("DSN: Write SPOOL: -dsn_envid %s\n", dsn_envid); */
+if (dsn_envid) fprintf(fp, "-dsn_envid %s\n", dsn_envid);
+/* DEBUG(D_deliver) debug_printf("DSN: Write SPOOL: -dsn_ret %d\n", dsn_ret); */
+if (dsn_ret) fprintf(fp, "-dsn_ret %d\n", dsn_ret);
+
+/* To complete the envelope, write out the tree of non-recipients, followed by
+the list of recipients. These won't be disjoint the first time, when no
+checking has been done. If a recipient is a "one-time" alias, it is followed by
+a space and its parent address number (pno). */
+
+tree_write(tree_nonrecipients, fp);
+fprintf(fp, "%d\n", recipients_count);
+for (int i = 0; i < recipients_count; i++)
+ {
+ recipient_item *r = recipients_list + i;
+ const uschar *address = zap_newlines(r->address);
+
+ /* DEBUG(D_deliver) debug_printf("DSN: Flags: 0x%x\n", r->dsn_flags); */
+
+ if (r->pno < 0 && !r->errors_to && r->dsn_flags == 0)
+ fprintf(fp, "%s\n", address);
+ else
+ {
+ const uschar *errors_to = r->errors_to ? zap_newlines(r->errors_to) : CUS"";
+ /* for DSN SUPPORT extend exim 4 spool in a compatible way by
+ adding new values upfront and add flag 0x02 */
+ const uschar *orcpt = r->orcpt ? zap_newlines(r->orcpt) : CUS"";
+
+ fprintf(fp, "%s %s %d,%d %s %d,%d#3\n", address, orcpt, Ustrlen(orcpt),
+ r->dsn_flags, errors_to, Ustrlen(errors_to), r->pno);
+ }
+
+ DEBUG(D_deliver) debug_printf("DSN: **** SPOOL_OUT - "
+ "address: <%s> errorsto: <%s> orcpt: <%s> dsn_flags: 0x%x\n",
+ r->address, r->errors_to, r->orcpt, r->dsn_flags);
+ }
+
+/* Put a blank line before the headers */
+
+fprintf(fp, "\n");
+
+/* Save the size of the file so far so we can subtract it from the final length
+to get the actual size of the headers. */
+
+fflush(fp);
+if (fstat(fd, &statbuf))
+ return spool_write_error(where, errmsg, US"fstat", tname, fp);
+size_correction = statbuf.st_size;
+
+/* Finally, write out the message's headers. To make it easier to read them
+in again, precede each one with the count of its length. Make the count fixed
+length to aid human eyes when debugging and arrange for it not be included in
+the size. It is followed by a space for normal headers, a flagging letter for
+various other headers, or an asterisk for old headers that have been rewritten.
+These are saved as a record for debugging. Don't included them in the message's
+size. */
+
+for (header_line * h = header_list; h; h = h->next)
+ {
+ fprintf(fp, "%03d%c %s", h->slen, h->type, h->text);
+ size_correction += 5;
+ if (h->type == '*') size_correction += h->slen;
+ }
+
+/* Flush and check for any errors while writing */
+
+if (fflush(fp) != 0 || ferror(fp))
+ return spool_write_error(where, errmsg, US"write", tname, fp);
+
+/* Force the file's contents to be written to disk. Note that fflush()
+just pushes it out of C, and fclose() doesn't guarantee to do the write
+either. That's just the way Unix works... */
+
+if (EXIMfsync(fileno(fp)) < 0)
+ return spool_write_error(where, errmsg, US"sync", tname, fp);
+
+/* Get the size of the file, and close it. */
+
+if (fstat(fd, &statbuf) != 0)
+ return spool_write_error(where, errmsg, US"fstat", tname, NULL);
+if (fclose(fp) != 0)
+ return spool_write_error(where, errmsg, US"close", tname, NULL);
+
+/* Rename the file to its correct name, thereby replacing any previous
+incarnation. */
+
+fname = spool_fname(US"input", message_subdir, id, US"-H");
+DEBUG(D_receive|D_deliver) debug_printf("Renaming spool header file: %s\n", fname);
+
+if (Urename(tname, fname) < 0)
+ return spool_write_error(where, errmsg, US"rename", tname, NULL);
+
+/* Linux (and maybe other OS?) does not automatically sync a directory after
+an operation like rename. We therefore have to do it forcibly ourselves in
+these cases, to make sure the file is actually accessible on disk, as opposed
+to just the data being accessible from a file in lost+found. Linux also has
+O_DIRECTORY, for opening a directory.
+
+However, it turns out that some file systems (some versions of NFS?) do not
+support directory syncing. It seems safe enough to ignore EINVAL to cope with
+these cases. One hack on top of another... but that's life. */
+
+#ifdef NEED_SYNC_DIRECTORY
+
+tname = spool_fname(US"input", message_subdir, US".", US"");
+
+# ifndef O_DIRECTORY
+# define O_DIRECTORY 0
+# endif
+
+if ((fd = Uopen(tname, O_RDONLY|O_DIRECTORY, 0)) < 0)
+ return spool_write_error(where, errmsg, US"directory open", fname, NULL);
+
+if (EXIMfsync(fd) < 0 && errno != EINVAL)
+ return spool_write_error(where, errmsg, US"directory sync", fname, NULL);
+
+if (close(fd) < 0)
+ return spool_write_error(where, errmsg, US"directory close", fname, NULL);
+
+#endif /* NEED_SYNC_DIRECTORY */
+
+/* Return the number of characters in the headers, which is the file size, less
+the preliminary stuff, less the additional count fields on the headers. */
+
+DEBUG(D_receive) debug_printf("Size of headers = %d\n",
+ (int)(statbuf.st_size - size_correction));
+
+return statbuf.st_size - size_correction;
+}
+
+
+/************************************************
+* Make a hard link *
+************************************************/
+
+/* Used by spool_move_message() below. Note re the use of sprintf(): the value
+of spool_directory is checked to ensure that it is less than 200 characters at
+start-up time.
+
+Arguments:
+ dir base directory name
+ dq destiinationqueue name
+ subdir subdirectory name
+ id message id
+ suffix suffix to add to id
+ from source directory prefix
+ to destination directory prefix
+ noentok if TRUE, absence of file is not an error
+
+Returns: TRUE if all went well
+ FALSE, having panic logged if not
+*/
+
+static BOOL
+make_link(uschar *dir, uschar * dq, uschar *subdir, uschar *id, uschar *suffix,
+ uschar *from, uschar *to, BOOL noentok)
+{
+uschar * fname = spool_fname(string_sprintf("%s%s", from, dir), subdir, id, suffix);
+uschar * tname = spool_q_fname(string_sprintf("%s%s", to, dir), dq, subdir, id, suffix);
+if (Ulink(fname, tname) < 0 && (!noentok || errno != ENOENT))
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC, "link(\"%s\", \"%s\") failed while moving "
+ "message: %s", fname, tname, strerror(errno));
+ return FALSE;
+ }
+return TRUE;
+}
+
+
+
+/************************************************
+* Break a link *
+************************************************/
+
+/* Used by spool_move_message() below. Note re the use of sprintf(): the value
+of spool_directory is checked to ensure that it is less than 200 characters at
+start-up time.
+
+Arguments:
+ dir base directory name
+ subdir subdirectory name
+ id message id
+ suffix suffix to add to id
+ from source directory prefix
+ noentok if TRUE, absence of file is not an error
+
+Returns: TRUE if all went well
+ FALSE, having panic logged if not
+*/
+
+static BOOL
+break_link(uschar *dir, uschar *subdir, uschar *id, uschar *suffix, uschar *from,
+ BOOL noentok)
+{
+uschar * fname = spool_fname(string_sprintf("%s%s", from, dir), subdir, id, suffix);
+if (Uunlink(fname) < 0 && (!noentok || errno != ENOENT))
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC, "unlink(\"%s\") failed while moving "
+ "message: %s", fname, strerror(errno));
+ return FALSE;
+ }
+return TRUE;
+}
+
+
+
+/************************************************
+* Move message files *
+************************************************/
+
+/* Move the files for a message (-H, -D, and msglog) from one directory (or
+hierarchy) to another. It is assume that there is no -J file in existence when
+this is done.
+
+Arguments:
+ id the id of the message to be delivered
+ subdir the subdirectory name, or an empty string
+ from a prefix for "input" or "msglog" for where the message is now
+ to a prefix for "input" or "msglog" for where the message is to go
+
+Returns: TRUE if all is well
+ FALSE if not, with error logged in panic and main logs
+*/
+
+BOOL
+spool_move_message(uschar *id, uschar *subdir, uschar *from, uschar *to)
+{
+uschar * dest_qname = queue_name_dest ? queue_name_dest : queue_name;
+
+/* Create any output directories that do not exist. */
+
+(void) directory_make(spool_directory,
+ spool_q_sname(string_sprintf("%sinput", to), dest_qname, subdir),
+ INPUT_DIRECTORY_MODE, TRUE);
+(void) directory_make(spool_directory,
+ spool_q_sname(string_sprintf("%smsglog", to), dest_qname, subdir),
+ INPUT_DIRECTORY_MODE, TRUE);
+
+/* Move the message by first creating new hard links for all the files, and
+then removing the old links. When moving messages onto the main spool, the -H
+file should be set up last, because that's the one that tells Exim there is a
+message to be delivered, so we create its new link last and remove its old link
+first. Programs that look at the alternate directories should follow the same
+rule of waiting for a -H file before doing anything. When moving messages off
+the mail spool, the -D file should be open and locked at the time, thus keeping
+Exim's hands off. */
+
+if (!make_link(US"msglog", dest_qname, subdir, id, US"", from, to, TRUE) ||
+ !make_link(US"input", dest_qname, subdir, id, US"-D", from, to, FALSE) ||
+ !make_link(US"input", dest_qname, subdir, id, US"-H", from, to, FALSE))
+ return FALSE;
+
+if (!break_link(US"input", subdir, id, US"-H", from, FALSE) ||
+ !break_link(US"input", subdir, id, US"-D", from, FALSE) ||
+ !break_link(US"msglog", subdir, id, US"", from, TRUE))
+ return FALSE;
+
+log_write(0, LOG_MAIN, "moved from %s%s%s%sinput, %smsglog to %s%s%s%sinput, %smsglog",
+ *queue_name?"(":"", *queue_name?queue_name:US"", *queue_name?") ":"",
+ from, from,
+ *dest_qname?"(":"", *dest_qname?dest_qname:US"", *dest_qname?") ":"",
+ to, to);
+
+return TRUE;
+}
+
+
+/* End of spool_out.c */
+/* vi: aw ai sw=2
+*/