Adding upstream version 4.96.upstream/4.96upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

244 files changed, 187237 insertions, 0 deletions

diff --git a/src/EDITME b/src/EDITME
new file mode 100644
index 0000000..53022e5
--- /dev/null
+++ b/src/EDITME
@@ -0,0 +1,1497 @@
+##################################################
+#          The Exim mail transport agent         #
+##################################################
+
+# This is the template for Exim's main build-time configuration file. It
+# contains settings that are independent of any operating system. These are
+# things that are mostly sysadmin choices. The items below are divided into
+# those you must specify, those you probably want to specify, those you might
+# often want to specify, and those that you almost never need to mention.
+
+# Edit this file and save the result to a file called Local/Makefile within the
+# Exim distribution directory before running the "make" command.
+
+# Things that depend on the operating system have default settings in
+# OS/Makefile-Default, but these are overridden for some OS by files
+# called OS/Makefile-<osname>. You can further override these settings by
+# creating files Local/Makefile-<osname>, and Local/Makefile-<build>.
+# The suffix "<osname>" stands for the name of your operating system - look
+# at the names in the OS directory to see which names are recognized,
+# and "<build>" is the content of the environment variable "build".
+
+# However, if you are building Exim for a single OS only, you don't need to
+# worry about setting up Local/Makefile-<osname>. Any build-time configuration
+# settings you require can in fact be placed in the one file called
+# Local/Makefile. It is only if you are building for several OS from the same
+# source files that you need to worry about splitting off your own OS-dependent
+# settings into separate files. (There's more explanation about how this all
+# works in the toplevel README file, under "Modifying the building process", as
+# well as in the Exim specification.)
+
+# One OS-specific thing that may need to be changed is the command for running
+# the C compiler; the overall default is gcc, but some OS Makefiles specify cc.
+# You can override anything that is set by putting CC=whatever in your
+# Local/Makefile.
+
+# NOTE: You should never need to edit any of the distributed Makefiles; all
+# overriding can be done in your Local/Makefile(s). This will make it easier
+# for you when the next release comes along.
+
+# The location of the X11 libraries is something else that is quite variable
+# even between different versions of the same operating system (and indeed
+# there are different versions of X11 as well, of course). The four settings
+# concerned here are X11, XINCLUDE, XLFLAGS (linking flags) and X11_LD_LIB
+# (dynamic run-time library). You need not worry about X11 unless you want to
+# compile the Exim monitor utility. Exim itself does not use X11.
+
+# Another area of variability between systems is the type and location of the
+# DBM library package. Exim has support for ndbm, gdbm, tdb, and Berkeley DB.
+# By default the code assumes ndbm; this often works with gdbm or DB, provided
+# they are correctly installed, via their compatibility interfaces. However,
+# Exim can also be configured to use the native calls for Berkeley DB (obsolete
+# versions 1.85, 2.x, 3.x, or the current 4.x version) and also for gdbm.
+
+# For some operating systems, a default DBM library (other than ndbm) is
+# selected by a setting in the OS-specific Makefile. Most modern OS now have
+# a DBM library installed as standard, and in many cases this will be selected
+# for you by the OS-specific configuration. If Exim compiles without any
+# problems, you probably do not have to worry about the DBM library. If you
+# do want or need to change it, you should first read the discussion in the
+# file doc/dbm.discuss.txt, which also contains instructions for testing Exim's
+# interface to the DBM library.
+
+# In Local/Makefiles blank lines and lines starting with # are ignored. It is
+# also permitted to use the # character to add a comment to a setting, for
+# example
+#
+# EXIM_GID=42   # the "mail" group
+#
+# However, with some versions of "make" this works only if there is no white
+# space between the end of the setting and the #, so perhaps it is best
+# avoided. A consequence of this facility is that it is not possible to have
+# the # character present in any setting, but I can't think of any cases where
+# this would be wanted.
+###############################################################################
+
+
+
+###############################################################################
+#                    THESE ARE THINGS YOU MUST SPECIFY                        #
+###############################################################################
+
+# Exim will not build unless you specify BIN_DIRECTORY, CONFIGURE_FILE, and
+# EXIM_USER. You also need EXIM_GROUP if EXIM_USER specifies a uid by number.
+
+# If you don't specify SPOOL_DIRECTORY, Exim won't fail to build. However, it
+# really is a very good idea to specify it here rather than at run time. This
+# is particularly true if you let the logs go to their default location in the
+# spool directory, because it means that the location of the logs is known
+# before Exim has read the run time configuration file.
+
+#------------------------------------------------------------------------------
+# BIN_DIRECTORY defines where the exim binary will be installed by "make
+# install". The path is also used internally by Exim when it needs to re-invoke
+# itself, either to send an error message, or to recover root privilege. Exim's
+# utility binaries and scripts are also installed in this directory. There is
+# no "standard" place for the binary directory. Some people like to keep all
+# the Exim files under one directory such as /usr/exim; others just let the
+# Exim binaries go into an existing directory such as /usr/sbin or
+# /usr/local/sbin. The installation script will try to create this directory,
+# and any superior directories, if they do not exist.
+
+BIN_DIRECTORY=/usr/exim/bin
+
+
+#------------------------------------------------------------------------------
+# CONFIGURE_FILE defines where Exim's run time configuration file is to be
+# found. It is the complete pathname for the file, not just a directory. The
+# location of all other run time files and directories can be changed in the
+# run time configuration file. There is a lot of variety in the choice of
+# location in different OS, and in the preferences of different sysadmins. Some
+# common locations are in /etc or /etc/mail or /usr/local/etc or
+# /usr/local/etc/mail. Another possibility is to keep all the Exim files under
+# a single directory such as /usr/exim. Whatever you choose, the installation
+# script will try to make the directory and any superior directories if they
+# don't exist. It will also install a default runtime configuration if this
+# file does not exist.
+
+CONFIGURE_FILE=/usr/exim/configure
+
+# It is possible to specify a colon-separated list of files for CONFIGURE_FILE.
+# In this case, Exim will use the first of them that exists when it is run.
+# However, if a list is specified, the installation script no longer tries to
+# make superior directories or to install a default runtime configuration.
+
+
+#------------------------------------------------------------------------------
+# The Exim binary must normally be setuid root, so that it starts executing as
+# root, but (depending on the options with which it is called) it does not
+# always need to retain the root privilege. These settings define the user and
+# group that is used for Exim processes when they no longer need to be root. In
+# particular, this applies when receiving messages and when doing remote
+# deliveries. (Local deliveries run as various non-root users, typically as the
+# owner of a local mailbox.) Specifying these values as root is not supported.
+
+EXIM_USER=
+
+# If you specify EXIM_USER as a name, this is looked up at build time, and the
+# uid number is built into the binary. However, you can specify that this
+# lookup is deferred until runtime. In this case, it is the name that is built
+# into the binary. You can do this by a setting of the form:
+
+# EXIM_USER=ref:exim
+
+# In other words, put "ref:" in front of the user name. If you set EXIM_USER
+# like this, any value specified for EXIM_GROUP is also passed "by reference".
+# Although this costs a bit of resource at runtime, it is convenient to use
+# this feature when building binaries that are to be run on multiple systems
+# where the name may refer to different uids. It also allows you to build Exim
+# on a system where there is no Exim user defined.
+
+# If the setting of EXIM_USER is numeric (e.g. EXIM_USER=42), there must
+# also be a setting of EXIM_GROUP. If, on the other hand, you use a name
+# for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless
+# you want to use a group other than the default group for the given user.
+
+# EXIM_GROUP=
+
+# Many sites define a user called "exim", with an appropriate default group,
+# and use
+#
+# EXIM_USER=exim
+#
+# while leaving EXIM_GROUP unspecified (commented out).
+
+
+#------------------------------------------------------------------------------
+# SPOOL_DIRECTORY defines the directory where all the data for messages in
+# transit is kept. It is strongly recommended that you define it here, though
+# it is possible to leave this till the run time configuration.
+
+# Exim creates the spool directory if it does not exist. The owner and group
+# will be those defined by EXIM_USER and EXIM_GROUP, and this also applies to
+# all the files and directories that are created in the spool directory.
+
+# Almost all installations choose this:
+
+SPOOL_DIRECTORY=/var/spool/exim
+
+
+
+###############################################################################
+#                            TLS                                              #
+###############################################################################
+# Exim is built by default to support the SMTP STARTTLS command, which implements
+# Transport Layer Security using SSL (Secure Sockets Layer). This requires you
+# must install the OpenSSL library package or the GnuTLS library. Exim contains
+# no cryptographic code of its own.
+
+# If you are running Exim as a (TLS) server, just building it with TLS support
+# is all you need to do, as tls_advertise_hosts is set to '*' by
+# default. But you are advised to create a suiteable certificate, and tell
+# Exim about it by means of the tls_certificate and tls_privatekey run
+# time options, otherwise Exim will create a self signed certificate on
+# the fly.  If you are running Exim only as a (TLS) client, building it with
+# TLS support is all you need to do.
+#
+# If you are using pkg-config then you should not need to worry where
+# the libraries and headers are installed, as the pkg-config .pc
+# specification should include all -L/-I information necessary.
+# Enabling the USE_*_PC options should be sufficient. If not using
+# pkg-config, then you have to specify the libraries, and you might
+# need to specify the locations too.
+
+# Uncomment the following lines if you want
+# to build Exim without any TLS support (either OpenSSL or GnuTLS):
+# DISABLE_TLS=yes
+# Unless you do this, you must define one of USE_OPENSSL or USE_GNUTLS
+# below.
+
+# If you are building with TLS, the library configuration must be done:
+
+# Uncomment this if you are using OpenSSL
+# USE_OPENSSL=yes
+# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
+# and an optional location.
+# USE_OPENSSL_PC=openssl
+# TLS_LIBS=-lssl -lcrypto
+# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
+
+# Uncomment this if you are using GnuTLS
+# USE_GNUTLS=yes
+# Uncomment one of these settings if you are using GnuTLS; pkg-config vs not
+# and an optional location. If you disable SUPPORT_DANE below, you
+# can remove the gnutls-dane references here.  Earlier versions of GnuTLS
+# required libtasn1 and libgrypt also; add if needed.
+# USE_GNUTLS_PC=gnutls gnutls-dane
+# TLS_LIBS=-lgnutls -lgnutls-dane
+# TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
+
+# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
+# build process will require libgcrypt-config to exist in your $PATH.  A
+# version that old is likely to become unsupported by Exim in 2017.
+
+# The security fix we provide with the gnutls_allow_auto_pkcs11 option
+# (4.82 PP/09) introduces a compatibility regression.  The symbol is
+# not available if GnuTLS is build without p11-kit (--without-p11-kit
+# configure option).  In this case use AVOID_GNUTLS_PKCS11=yes when
+# building Exim.
+# AVOID_GNUTLS_PKCS11=yes
+
+# If you are running Exim as a server, note that just building it with TLS
+# support is not all you need to do. You also need to set up a suitable
+# certificate, and tell Exim about it by means of the tls_certificate
+# and tls_privatekey run time options. You also need to set tls_advertise_hosts
+# to specify the hosts to which Exim advertises TLS support. On the other hand,
+# if you are running Exim only as a client, building it with TLS support
+# is all you need to do.
+
+# If you are using pkg-config then you should not need to worry where the
+# libraries and headers are installed, as the pkg-config .pc specification
+# should include all -L/-I information necessary.  If not using pkg-config
+# then you might need to specify the locations too.
+
+# Additional libraries and include files are required for both OpenSSL and
+# GnuTLS. The TLS_LIBS settings above assume that the libraries are installed
+# with all your other libraries. If they are in a special directory, you may
+# need something like
+
+# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
+
+# or
+
+# TLS_LIBS=-L/opt/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
+# If not using DANE under GnuTLS we can lose one library
+# TLS_LIBS=-L/opt/gnu/lib -lgnutls -ltasn1 -lgcrypt
+
+# TLS_LIBS is included only on the command for linking Exim itself, not on any
+# auxiliary programs. If the include files are not in a standard place, you can
+# set TLS_INCLUDE to specify where they are, for example:
+
+# TLS_INCLUDE=-I/usr/local/openssl/include/
+# or
+# TLS_INCLUDE=-I/opt/gnu/include
+
+# You don't need to set TLS_INCLUDE if the relevant directories are already
+# specified in INCLUDE.
+
+
+# Uncomment the following line to remove support for TLS Resumption
+# DISABLE_TLS_RESUME=yes
+
+
+###############################################################################
+#           THESE ARE THINGS YOU PROBABLY WANT TO SPECIFY                     #
+###############################################################################
+
+# If you need extra header file search paths on all compiles, put the -I
+# options in INCLUDE.  If you want the extra searches only for certain
+# parts of the build, see more specific xxx_INCLUDE variables below.
+
+# INCLUDE=-I/example/include
+
+# You need to specify some routers and transports if you want the Exim that you
+# are building to be capable of delivering mail. You almost certainly need at
+# least one type of lookup. You should consider whether you want to build
+# the Exim monitor or not.
+
+# If you need to override how pkg-config finds configuration files for
+# installed software, then you can set that here; wildcards will be expanded.
+
+# PKG_CONFIG_PATH=/usr/local/opt/openssl/lib/pkgconfig : /opt/*/lib/pkgconfig
+
+
+#------------------------------------------------------------------------------
+# These settings determine which individual router drivers are included in the
+# Exim binary. There are no defaults in the code; those routers that are wanted
+# must be defined here by setting the appropriate variables to the value "yes".
+# Including a router in the binary does not cause it to be used automatically.
+# It has also to be configured in the run time configuration file. By
+# commenting out those you know you don't want to use, you can make the binary
+# a bit smaller. If you are unsure, leave all of these included for now.
+
+ROUTER_ACCEPT=yes
+ROUTER_DNSLOOKUP=yes
+ROUTER_IPLITERAL=yes
+ROUTER_MANUALROUTE=yes
+ROUTER_QUERYPROGRAM=yes
+ROUTER_REDIRECT=yes
+
+# This one is very special-purpose, so is not included by default.
+
+# ROUTER_IPLOOKUP=yes
+
+
+#------------------------------------------------------------------------------
+# These settings determine which individual transport drivers are included in
+# the Exim binary. There are no defaults; those transports that are wanted must
+# be defined here by setting the appropriate variables to the value "yes".
+# Including a transport in the binary does not cause it to be used
+# automatically. It has also to be configured in the run time configuration
+# file. By commenting out those you know you don't want to use, you can make
+# the binary a bit smaller. If you are unsure, leave all of these included for
+# now.
+
+TRANSPORT_APPENDFILE=yes
+TRANSPORT_AUTOREPLY=yes
+TRANSPORT_PIPE=yes
+TRANSPORT_SMTP=yes
+
+# This one is special-purpose, and commonly not required, so it is not
+# included by default.
+
+# TRANSPORT_LMTP=yes
+
+
+#------------------------------------------------------------------------------
+# The appendfile transport can write messages to local mailboxes in a number
+# of formats. The code for three specialist formats, maildir, mailstore, and
+# MBX, is included only when requested. If you do not know what this is about,
+# leave these settings commented out.
+
+# SUPPORT_MAILDIR=yes
+# SUPPORT_MAILSTORE=yes
+# SUPPORT_MBX=yes
+
+
+#------------------------------------------------------------------------------
+# See below for dynamic lookup modules.
+#
+# If not using package management but using this anyway, then think about how
+# you perform upgrades and revert them. You should consider the benefit of
+# embedding the Exim version number into LOOKUP_MODULE_DIR, so that you can
+# maintain two concurrent sets of modules.
+#
+# *BEWARE*: ability to modify the files in LOOKUP_MODULE_DIR is equivalent to
+# the ability to modify the Exim binary, which is often setuid root!  The Exim
+# developers only intend this functionality be used by OS software packagers
+# and we suggest that such packagings' integrity checks should be paranoid
+# about the permissions of the directory and the files within.
+
+# LOOKUP_MODULE_DIR=/usr/lib/exim/lookups/
+
+# To build a module dynamically, you'll need to define CFLAGS_DYNAMIC for
+# your platform.  Eg:
+# CFLAGS_DYNAMIC=-shared -rdynamic
+# CFLAGS_DYNAMIC=-shared -rdynamic -fPIC
+
+#------------------------------------------------------------------------------
+# These settings determine which file and database lookup methods are included
+# in the binary. See the manual chapter entitled "File and database lookups"
+# for discussion. DBM and lsearch (linear search) are included by default. If
+# you are unsure about the others, leave them commented out for now.
+# LOOKUP_DNSDB does *not* refer to general mail routing using the DNS. It is
+# for the specialist case of using the DNS as a general database facility (not
+# common).
+# If set to "2" instead of "yes" then the corresponding lookup will be
+# built as a module and must be installed into LOOKUP_MODULE_DIR. You need to
+# add -export-dynamic -rdynamic to EXTRALIBS. You may also need to add -ldl to
+# EXTRALIBS so that dlopen() is available to Exim. You need to define
+# LOOKUP_MODULE_DIR above so the exim binary actually loads dynamic lookup
+# modules.
+# Also, instead of adding all the libraries/includes to LOOKUP_INCLUDE and
+# LOOKUP_LIBS, add them to the respective LOOKUP_*_INCLUDE and LOOKUP_*_LIBS
+# (where * is the name as given here in this list). That ensures that only
+# the dynamic library and not the exim binary will be linked against the
+# library.
+# NOTE: LDAP cannot be built as a module!
+#
+# For Redis you need to have hiredis installed on your system
+# (https://github.com/redis/hiredis).
+# Depending on where it is installed you may have to edit the CFLAGS
+# (often += -I/usr/local/include) and LDFLAGS (-lhiredis) lines.
+
+# If your system has pkg-config then the _INCLUDE/_LIBS setting can be
+# handled for you automatically by also defining the _PC variable to reference
+# the name of the pkg-config package, if such is available.
+
+LOOKUP_DBM=yes
+LOOKUP_LSEARCH=yes
+LOOKUP_DNSDB=yes
+
+# LOOKUP_CDB=yes
+# LOOKUP_DSEARCH=yes
+# LOOKUP_IBASE=yes
+# LOOKUP_JSON=yes
+# LOOKUP_LDAP=yes
+# LOOKUP_LMDB=yes
+
+# LOOKUP_MYSQL=yes
+# LOOKUP_MYSQL_PC=mariadb
+# LOOKUP_NIS=yes
+# LOOKUP_NISPLUS=yes
+# LOOKUP_ORACLE=yes
+# LOOKUP_PASSWD=yes
+# LOOKUP_PGSQL=yes
+# LOOKUP_REDIS=yes
+# LOOKUP_SQLITE=yes
+# LOOKUP_SQLITE_PC=sqlite3
+# LOOKUP_WHOSON=yes
+
+# These two settings are obsolete; all three lookups are compiled when
+# LOOKUP_LSEARCH is enabled. However, we retain these for backward
+# compatibility. Setting one forces LOOKUP_LSEARCH if it is not set.
+
+# LOOKUP_WILDLSEARCH=yes
+# LOOKUP_NWILDLSEARCH=yes
+
+
+# Some platforms may need this for LOOKUP_NIS:
+# LIBS += -lnsl
+
+#------------------------------------------------------------------------------
+# If you have set LOOKUP_LDAP=yes, you should set LDAP_LIB_TYPE to indicate
+# which LDAP library you have. Unfortunately, though most of their functions
+# are the same, there are minor differences. Currently Exim knows about four
+# LDAP libraries: the one from the University of Michigan (also known as
+# OpenLDAP 1), OpenLDAP 2, the Netscape SDK library, and the library that comes
+# with Solaris 7 onwards. Uncomment whichever of these you are using.
+
+# LDAP_LIB_TYPE=OPENLDAP1
+# LDAP_LIB_TYPE=OPENLDAP2
+# LDAP_LIB_TYPE=NETSCAPE
+# LDAP_LIB_TYPE=SOLARIS
+
+# If you don't set any of these, Exim assumes the original University of
+# Michigan (OpenLDAP 1) library.
+
+
+#------------------------------------------------------------------------------
+# The PCRE2 library is required for Exim.  There is no longer an embedded
+# version of the PCRE library included with the source code, instead you
+# must use a system library or build your own copy of PCRE2.
+# In either case you must specify the library link info here.  If the
+# PCRE2 header files are not in the standard search path you must also
+# modify the INCLUDE path (above)
+#
+# Use PCRE_CONFIG to query the pcre-config command (first found in $PATH)
+# to find the include files and libraries, else use PCRE_LIBS and set INCLUDE
+# too if needed.
+
+PCRE2_CONFIG=yes
+# PCRE_LIBS=-lpcre2
+
+
+#------------------------------------------------------------------------------
+# Comment out the following line to remove DANE support
+# Note: Enabling this unconditionally overrides DISABLE_DNSSEC
+# forces you to have SUPPORT_TLS enabled (the default).  For DANE under
+# GnuTLS we need an additional library.  See TLS_LIBS or USE_GNUTLS_PC
+# below.
+SUPPORT_DANE=yes
+
+#------------------------------------------------------------------------------
+# Additional libraries and include directories may be required for some
+# lookup styles (e.g. LDAP, MYSQL or PGSQL). LOOKUP_LIBS is included only on
+# the command for linking Exim itself, not on any auxiliary programs. You
+# don't need to set LOOKUP_INCLUDE if the relevant directories are already
+# specified in INCLUDE. The settings below are just examples; -lpq is for
+# PostgreSQL, -lgds is for Interbase, -lsqlite3 is for SQLite, -lhiredis
+# is for Redis, -ljansson for JSON.
+#
+# You do not need to use this for any lookup information added via pkg-config.
+
+# LOOKUP_INCLUDE=-I /usr/local/ldap/include -I /usr/local/mysql/include -I /usr/local/pgsql/include
+# LOOKUP_INCLUDE +=-I /usr/local/include
+# LOOKUP_LIBS=-L/usr/local/lib -lldap -llber -lmysqlclient -lpq -lgds -lsqlite3 -llmdb
+
+#------------------------------------------------------------------------------
+# If you included LOOKUP_LMDB above you will need the library. Depending
+# on where installed you may also need an include directory
+#
+# LOOKUP_INCLUDE += -I/usr/local/include
+# LOOKUP_LIBS += -llmdb
+
+
+#------------------------------------------------------------------------------
+# Compiling the Exim monitor: If you want to compile the Exim monitor, a
+# program that requires an X11 display, then EXIM_MONITOR should be set to the
+# value "eximon.bin". De-comment this setting to enable compilation of the
+# monitor. The locations of various X11 directories for libraries and include
+# files are defaulted in the OS/Makefile-Default file, but can be overridden in
+# local OS-specific make files.
+
+# EXIM_MONITOR=eximon.bin
+
+
+#------------------------------------------------------------------------------
+# Compiling Exim with content scanning support: If you want to compile Exim
+# with support for message body content scanning, set WITH_CONTENT_SCAN to
+# the value "yes". This will give you malware and spam scanning in the DATA ACL,
+# and the MIME ACL. Please read the documentation to learn more about these
+# features.
+
+# WITH_CONTENT_SCAN=yes
+
+# If you have content scanning you may wish to only include some of the scanner
+# interfaces.  Uncomment any of these lines to remove that code.
+
+# DISABLE_MAL_FFROTD=yes
+# DISABLE_MAL_FFROT6D=yes
+# DISABLE_MAL_DRWEB=yes
+# DISABLE_MAL_FSECURE=yes
+# DISABLE_MAL_SOPHIE=yes
+# DISABLE_MAL_CLAM=yes
+# DISABLE_MAL_AVAST=yes
+# DISABLE_MAL_SOCK=yes
+# DISABLE_MAL_CMDLINE=yes
+
+# These scanners are claimed to be no longer existent.
+
+DISABLE_MAL_AVE=yes
+DISABLE_MAL_KAV=yes
+DISABLE_MAL_MKS=yes
+
+
+#------------------------------------------------------------------------------
+# If built with TLS, Exim includes code to support DKIM (DomainKeys Identified
+# Mail, RFC4871) signing and verification.  Verification of signatures is
+# turned on by default.  See the spec for information on conditionally
+# disabling it.  To disable the inclusion of the entire feature, set
+# DISABLE_DKIM to "yes"
+
+# DISABLE_DKIM=yes
+
+#------------------------------------------------------------------------------
+# Uncomment the following line to remove Per-Recipient-Data-Response support.
+
+# DISABLE_PRDR=yes
+
+#------------------------------------------------------------------------------
+# Uncomment the following line to remove OCSP stapling support in TLS,
+# from Exim.  Note it can only be supported when built with
+# GnuTLS 3.1.3 or later, or OpenSSL
+
+# DISABLE_OCSP=yes
+
+#------------------------------------------------------------------------------
+# By default, Exim has support for checking the AD bit in a DNS response, to
+# determine if DNSSEC validation was successful.  If your system libraries
+# do not support that bit, then set DISABLE_DNSSEC to "yes"
+# Note: Enabling SUPPORT_DANE unconditionally overrides this setting.
+
+# DISABLE_DNSSEC=yes
+
+# To disable support for Events set DISABLE_EVENT to "yes"
+# DISABLE_EVENT=yes
+
+
+# Uncomment this line to remove support for early pipelining, per
+# https://datatracker.ietf.org/doc/draft-harris-early-pipe/
+# DISABLE_PIPE_CONNECT=yes
+
+
+# Uncomment the following to remove the fast-ramp two-phase-queue-run support
+# DISABLE_QUEUE_RAMP=yes
+
+# Uncomment the following lines to add SRS (Sender Rewriting Scheme) support
+# using only native facilities.
+# SUPPORT_SRS=yes
+
+
+#------------------------------------------------------------------------------
+# Compiling Exim with experimental features. These are documented in
+# experimental-spec.txt. "Experimental" means that the way these features are
+# implemented may still change. Backward compatibility is not guaranteed.
+
+# Uncomment the following line to add support for talking to dccifd.  This
+# defaults the socket path to /usr/local/dcc/var/dccifd.
+# Doing so will also explicitly turn on the WITH_CONTENT_SCAN option.
+
+# EXPERIMENTAL_DCC=yes
+
+# Uncomment the following line to add DMARC checking capability, implemented
+# using libopendmarc libraries. You must have SPF and DKIM support enabled also.
+# Library version libopendmarc-1.4.1-1.fc33.x86_64  (on Fedora 33) is known broken;
+# 1.3.2-3 works.  I seems that the OpenDMARC project broke their API.
+# SUPPORT_DMARC=yes
+# CFLAGS += -I/usr/local/include
+# LDFLAGS += -lopendmarc
+# Uncomment the following if you need to change the default. You can
+# override it at runtime (main config option dmarc_tld_file)
+# DMARC_TLD_FILE=/etc/exim/opendmarc.tlds
+
+# Uncomment the following line to add ARC (Authenticated Received Chain)
+# support.  You must have SPF and DKIM support enabled also.
+# EXPERIMENTAL_ARC=yes
+
+# Uncomment the following lines to add Brightmail AntiSpam support. You need
+# to have the Brightmail client SDK installed. Please check the experimental
+# documentation for implementation details. You need to edit the CFLAGS and
+# LDFLAGS lines.
+
+# EXPERIMENTAL_BRIGHTMAIL=yes
+# CFLAGS  += -I/opt/brightmail/bsdk-6.0/include
+# LDFLAGS += -lxml2_single -lbmiclient_single -L/opt/brightmail/bsdk-6.0/lib
+
+# Uncomment the following to include extra information in fail DSN message (bounces)
+# EXPERIMENTAL_DSN_INFO=yes
+
+# Uncomment the following line to add queuefile transport support
+# EXPERIMENTAL_QUEUEFILE=yes
+
+###############################################################################
+#                 THESE ARE THINGS YOU MIGHT WANT TO SPECIFY                  #
+###############################################################################
+
+# The items in this section are those that are commonly changed according to
+# the sysadmin's preferences, but whose defaults are often acceptable. The
+# first five are concerned with security issues, where differing levels of
+# paranoia are appropriate in different environments. Sysadmins also vary in
+# their views on appropriate levels of defence in these areas. If you do not
+# understand these issues, go with the defaults, which are used by many sites.
+
+
+#------------------------------------------------------------------------------
+# Although Exim is normally a setuid program, owned by root, it refuses to run
+# local deliveries as root by default. There is a runtime option called
+# "never_users" which lists the users that must never be used for local
+# deliveries. There is also the setting below, which provides a list that
+# cannot be overridden at runtime. This guards against problems caused by
+# unauthorized changes to the runtime configuration. You are advised not to
+# remove "root" from this option, but you can add other users if you want. The
+# list is colon-separated. It must NOT contain any spaces.
+
+# FIXED_NEVER_USERS=root:bin:daemon
+FIXED_NEVER_USERS=root
+
+
+#------------------------------------------------------------------------------
+# By default, Exim insists that its configuration file be owned by root. You
+# can specify one additional permitted owner here.
+
+# CONFIGURE_OWNER=
+
+# If the configuration file is group-writeable, Exim insists by default that it
+# is owned by root. You can specify one additional permitted group owner here.
+
+# CONFIGURE_GROUP=
+
+# If you specify CONFIGURE_OWNER or CONFIGURE_GROUP as a name, this is looked
+# up at build time, and the uid or gid number is built into the binary.
+# However, you can specify that the lookup is deferred until runtime. In this
+# case, it is the name that is built into the binary. You can do this by a
+# setting of the form:
+
+# CONFIGURE_OWNER=ref:mail
+# CONFIGURE_GROUP=ref:sysadmin
+
+# In other words, put "ref:" in front of the user or group name. Although this
+# costs a bit of resource at runtime, it is convenient to use this feature when
+# building binaries that are to be run on multiple systems where the names may
+# refer to different uids or gids. It also allows you to build Exim on a system
+# where the relevant user or group is not defined.
+
+
+#------------------------------------------------------------------------------
+# The -C option allows Exim to be run with an alternate runtime configuration
+# file. When this is used by root, root privilege is retained by the binary
+# (for any other caller including the Exim user, it is dropped). You can
+# restrict the location of alternate configurations by defining a prefix below.
+# Any file used with -C must then start with this prefix (except that /dev/null
+# is also permitted if the caller is root, because that is used in the install
+# script). If the prefix specifies a directory that is owned by root, a
+# compromise of the Exim account does not permit arbitrary alternate
+# configurations to be used. The prefix can be more restrictive than just a
+# directory (the second example).
+
+# ALT_CONFIG_PREFIX=/some/directory/
+# ALT_CONFIG_PREFIX=/some/directory/exim.conf-
+
+
+#------------------------------------------------------------------------------
+# When a user other than root uses the -C option to override the configuration
+# file (including the Exim user when re-executing Exim to regain root
+# privileges for local message delivery), this will normally cause Exim to
+# drop root privileges. The TRUSTED_CONFIG_LIST option, specifies a file which
+# contains a list of trusted configuration filenames, one per line. If the -C
+# option is used by the Exim user or by the user specified in the
+# CONFIGURE_OWNER setting, to specify a configuration file which is listed in
+# the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
+
+# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs
+
+
+#------------------------------------------------------------------------------
+# Uncommenting this option disables the use of the -D command line option,
+# which changes the values of macros in the runtime configuration file.
+# This is another protection against somebody breaking into the Exim account.
+
+# DISABLE_D_OPTION=yes
+
+
+#------------------------------------------------------------------------------
+# By contrast, you might be maintaining a system which relies upon the ability
+# to override values with -D and assumes that these will be passed through to
+# the delivery processes.  As of Exim 4.73, this is no longer the case by
+# default.  Going forward, we strongly recommend that you use a shim Exim
+# configuration file owned by root stored under TRUSTED_CONFIG_LIST.
+# That shim can set macros before .include'ing your main configuration file.
+#
+# As a strictly transient measure to ease migration to 4.73, the
+# WHITELIST_D_MACROS value defines a colon-separated list of macro-names
+# which are permitted to be overridden from the command-line which will be
+# honoured by the Exim user.  So these are macros that can persist to delivery
+# time.
+# Examples might be -DTLS or -DSPOOL=/some/dir.  The values on the
+# command-line are filtered to only permit: [A-Za-z0-9_/.-]*
+#
+# This option is highly likely to be removed in a future release.  It exists
+# only to make 4.73 as easy as possible to migrate to.  If you use it, we
+# encourage you to schedule time to rework your configuration to not depend
+# upon it.  Most people should not need to use this.
+#
+# By default, no macros are whitelisted for -D usage.
+
+# WHITELIST_D_MACROS=TLS:SPOOL
+
+#------------------------------------------------------------------------------
+# Exim has support for the AUTH (authentication) extension of the SMTP
+# protocol, as defined by RFC 2554. If you don't know what SMTP authentication
+# is, you probably won't want to include this code, so you should leave these
+# settings commented out. If you do want to make use of SMTP authentication,
+# you must uncomment at least one of the following, so that appropriate code is
+# included in the Exim binary. You will then need to set up the run time
+# configuration to make use of the mechanism(s) selected.
+
+# AUTH_CRAM_MD5=yes
+# AUTH_CYRUS_SASL=yes
+# AUTH_DOVECOT=yes
+# AUTH_EXTERNAL=yes
+# AUTH_GSASL=yes
+# AUTH_GSASL_PC=libgsasl
+# AUTH_HEIMDAL_GSSAPI=yes
+# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
+# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5
+# AUTH_PLAINTEXT=yes
+# AUTH_SPA=yes
+# AUTH_TLS=yes
+
+# Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1
+# requires multiple pkg-config files to work with Exim, so the second example
+# above is needed.
+
+#------------------------------------------------------------------------------
+# If you specified AUTH_CYRUS_SASL above, you should ensure that you have the
+# Cyrus SASL library installed before trying to build Exim, and you probably
+# want to uncomment the first line below.
+# Similarly for GNU SASL, unless pkg-config is used via AUTH_GSASL_PC.
+# Ditto for AUTH_HEIMDAL_GSSAPI(_PC).
+
+# AUTH_LIBS=-lsasl2
+# AUTH_LIBS=-lgsasl
+# AUTH_LIBS=-lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lhcrypto -lasn1 -lwind -lroken -lcrypt
+
+# If using AUTH_GSASL with SCRAM methods, you should also be defining
+# SUPPORT_I18N to get standards-conformant support of utf8 normalization.
+
+
+#------------------------------------------------------------------------------
+# When Exim is decoding MIME "words" in header lines, most commonly for use
+# in the $header_xxx expansion, it converts any foreign character sets to the
+# one that is set in the headers_charset option. The default setting is
+# defined by this setting:
+
+HEADERS_CHARSET="ISO-8859-1"
+
+# If you are going to make use of $header_xxx expansions in your configuration
+# file, or if your users are going to use them in filter files, and the normal
+# character set on your host is something other than ISO-8859-1, you might
+# like to specify a different default here. This value can be overridden in
+# the runtime configuration, and it can also be overridden in individual filter
+# files.
+#
+# IMPORTANT NOTE: The iconv() function is needed for character code
+# conversions. Please see the next item...
+
+
+#------------------------------------------------------------------------------
+# Character code conversions are possible only if the iconv() function is
+# installed on your operating system. There are two places in Exim where this
+# is relevant: (a) The $header_xxx expansion (see the previous item), and (b)
+# the Sieve filter support. For those OS where iconv() is known to be installed
+# as standard, the file in OS/Makefile-xxxx contains
+#
+# HAVE_ICONV=yes
+#
+# If you are not using one of those systems, but have installed iconv(), you
+# need to uncomment that line above. In some cases, you may find that iconv()
+# and its header file are not in the default places. You might need to use
+# something like this:
+#
+# HAVE_ICONV=yes
+# CFLAGS=-O -I/usr/local/include
+# EXTRALIBS_EXIM=-L/usr/local/lib -liconv
+#
+# but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
+# as well.
+#
+# nb: FreeBSD as of 4.89 defines LIBICONV_PLUG to pick up the system iconv
+# more reliably.  If you explicitly want the libiconv Port then as well
+# as adding -liconv you'll want to unset LIBICONV_PLUG.  If you actually need
+# this, let us know, but for now the Exim Maintainers are assuming that this
+# is uncommon and so you'll need to edit OS/os.h-FreeBSD yourself to remove
+# the define.
+
+
+#------------------------------------------------------------------------------
+# The passwords for user accounts are normally encrypted with the crypt()
+# function. Comparisons with encrypted passwords can be done using Exim's
+# "crypteq" expansion operator. (This is commonly used as part of the
+# configuration of an authenticator for use with SMTP AUTH.) At least one
+# operating system has an extended function called crypt16(), which uses up to
+# 16 characters of a password (the normal crypt() uses only the first 8). Exim
+# supports the use of crypt16() as well as crypt() but note the warning below.
+
+# You can always indicate a crypt16-encrypted password by preceding it with
+# "{crypt16}". If you want the default handling (without any preceding
+# indicator) to use crypt16(), uncomment the following line:
+
+# DEFAULT_CRYPT=crypt16
+
+# If you do that, you can still access the basic crypt() function by preceding
+# an encrypted password with "{crypt}". For more details, see the description
+# of the "crypteq" condition in the manual chapter on string expansions.
+
+# Some operating systems do not include a crypt16() function, so Exim has one
+# of its own, which it uses unless HAVE_CRYPT16 is defined. Normally, that will
+# be set in an OS-specific Makefile for the OS that have such a function, so
+# you should not need to bother with it.
+
+# *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***
+# It turns out that the above is not entirely accurate. As well as crypt16()
+# there is a function called bigcrypt() that some operating systems have. This
+# may or may not use the same algorithm, and both of them may be different to
+# Exim's built-in crypt16() that is used unless HAVE_CRYPT16 is defined.
+#
+# However, since there is now a move away from the traditional crypt()
+# functions towards using SHA1 and other algorithms, tidying up this area of
+# Exim is seen as very low priority. In practice, if you need to, you can
+# define DEFAULT_CRYPT to the name of any function that has the same interface
+# as the traditional crypt() function.
+# *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***
+
+
+#------------------------------------------------------------------------------
+# The default distribution of Exim contains only the plain text form of the
+# documentation. Other forms are available separately. If you want to install
+# the documentation in "info" format, first fetch the Texinfo documentation
+# sources from the ftp directory and unpack them, which should create files
+# with the extension "texinfo" in the doc directory. You may find that the
+# version number of the texinfo files is different to your Exim version number,
+# because the main documentation isn't updated as often as the code. For
+# example, if you have Exim version 4.43, the source tarball unpacks into a
+# directory called exim-4.43, but the texinfo tarball unpacks into exim-4.40.
+# In this case, move the contents of exim-4.40/doc into exim-4.43/doc after you
+# have unpacked them. Then set INFO_DIRECTORY to the location of your info
+# directory. This varies from system to system, but is often /usr/share/info.
+# Once you have done this, "make install" will build the info files and
+# install them in the directory you have defined.
+
+# INFO_DIRECTORY=/usr/share/info
+
+
+#------------------------------------------------------------------------------
+# Exim log directory and files: Exim creates several log files inside a
+# single log directory. You can define the directory and the form of the
+# log file name here. If you do not set anything, Exim creates a directory
+# called "log" inside its spool directory (see SPOOL_DIRECTORY above) and uses
+# the filenames "mainlog", "paniclog", and "rejectlog". If you want to change
+# this, you can set LOG_FILE_PATH to a path name containing one occurrence of
+# %s. This will be replaced by one of the strings "main", "panic", or "reject"
+# to form the final file names. Some installations may want something like this:
+
+# LOG_FILE_PATH=/var/log/exim_%slog
+
+# which results in files with names /var/log/exim_mainlog, etc. The directory
+# in which the log files are placed must exist; Exim does not try to create
+# it for itself. It is also your responsibility to ensure that Exim is capable
+# of writing files using this path name. The Exim user (see EXIM_USER above)
+# must be able to create and update files in the directory you have specified.
+
+# You can also configure Exim to use syslog, instead of or as well as log
+# files, by settings such as these
+
+# LOG_FILE_PATH=syslog
+# LOG_FILE_PATH=syslog:/var/log/exim_%slog
+
+# The first of these uses only syslog; the second uses syslog and also writes
+# to log files. Do not include white space in such a setting as it messes up
+# the building process.
+
+
+#------------------------------------------------------------------------------
+# When logging to syslog, the following option caters for syslog replacements
+# that are able to accept log entries longer than the 1024 characters allowed
+# by RFC 3164. It is up to you to make sure your syslog daemon can handle this.
+# Non-printable characters are usually unacceptable regardless, so log entries
+# are still split on newline characters.
+
+# SYSLOG_LONG_LINES=yes
+
+# If you are not interested in the process identifier (pid) of the Exim that is
+# making the call to syslog, then comment out the following line.
+
+SYSLOG_LOG_PID=yes
+
+
+#------------------------------------------------------------------------------
+# Cycling log files: this variable specifies the maximum number of old
+# log files that are kept by the exicyclog log-cycling script. You don't have
+# to use exicyclog. If your operating system has other ways of cycling log
+# files, you can use them instead. The exicyclog script isn't run by default;
+# you have to set up a cron job for it if you want it.
+
+EXICYCLOG_MAX=10
+
+
+#------------------------------------------------------------------------------
+# The compress command is used by the exicyclog script to compress old log
+# files. Both the name of the command and the suffix that it adds to files
+# need to be defined here. See also the EXICYCLOG_MAX configuration.
+
+COMPRESS_COMMAND=/usr/bin/gzip
+COMPRESS_SUFFIX=gz
+
+
+#------------------------------------------------------------------------------
+# If the exigrep utility is fed compressed log files, it tries to uncompress
+# them using this command.
+
+# Leave it empty to enforce autodetection at runtime:
+# ZCAT_COMMAND=
+#
+# Omit the path if you want to use your system's PATH:
+# ZCAT_COMMAND=zcat
+#
+# Or specify the full pathname:
+ZCAT_COMMAND=/usr/bin/zcat
+
+#------------------------------------------------------------------------------
+# Compiling in support for embedded Perl: If you want to be able to
+# use Perl code in Exim's string manipulation language and you have Perl
+# (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded
+# Perl costs quite a lot of resources. Only do this if you really need it.
+
+# EXIM_PERL=perl.o
+
+
+#------------------------------------------------------------------------------
+# Support for dynamically-loaded string expansion functions via ${dlfunc. If
+# you are using gcc the dynamically-loaded object must be compiled with the
+# -shared option, and you will need to add -export-dynamic to EXTRALIBS so
+# that the local_scan API is made available by the linker. You may also need
+# to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
+
+# EXPAND_DLFUNC=yes
+
+
+#------------------------------------------------------------------------------
+# Exim has support for PAM (Pluggable Authentication Modules), a facility
+# which is available in the latest releases of Solaris and in some GNU/Linux
+# distributions (see http://ftp.kernel.org/pub/linux/libs/pam/). The Exim
+# support, which is intended for use in conjunction with the SMTP AUTH
+# facilities, is included only when requested by the following setting:
+
+# SUPPORT_PAM=yes
+
+# You probably need to add -lpam to EXTRALIBS, and in some releases of
+# GNU/Linux -ldl is also needed.
+
+
+#------------------------------------------------------------------------------
+# Proxying.
+#
+# If you may want to use outbound (client-side) proxying, using Socks5,
+# uncomment the line below.
+
+# SUPPORT_SOCKS=yes
+
+# If you may want to use inbound (server-side) proxying, using Proxy Protocol,
+# uncomment the line below.
+
+# SUPPORT_PROXY=yes
+
+
+#------------------------------------------------------------------------------
+# Internationalisation.
+#
+# Uncomment the following to include Internationalisation features.  This is the
+# SMTPUTF8 ESMTP extension, and associated facilities for handling UTF8 domain
+# and localparts, per RFC 3490 (IDNA2003).
+# You need to have the IDN library installed.
+# If you want IDNA2008 mappings per RFCs 5890, 6530 and 6533, you additionally
+# need libidn2 and SUPPORT_I18N_2008.
+
+# SUPPORT_I18N=yes
+# LDFLAGS += -lidn
+# SUPPORT_I18N_2008=yes
+# LDFLAGS += -lidn -lidn2
+
+
+#------------------------------------------------------------------------------
+# Uncomment the following lines to add SPF support. You need to have libspf2
+# installed on your system (www.libspf2.org). Depending on where it is installed
+# you may have to edit the CFLAGS and LDFLAGS lines.
+
+# SUPPORT_SPF=yes
+# CFLAGS  += -I/usr/local/include
+# LDFLAGS += -lspf2
+
+
+#------------------------------------------------------------------------------
+# Support for authentication via Radius is also available. The Exim support,
+# which is intended for use in conjunction with the SMTP AUTH facilities,
+# is included only when requested by setting the following parameter to the
+# location of your Radius configuration file:
+
+# RADIUS_CONFIG_FILE=/etc/radiusclient/radiusclient.conf
+# RADIUS_CONFIG_FILE=/etc/radius.conf
+
+# If you have set RADIUS_CONFIG_FILE, you should also set one of these to
+# indicate which RADIUS library is used:
+
+# RADIUS_LIB_TYPE=RADIUSCLIENT
+# RADIUS_LIB_TYPE=RADIUSCLIENTNEW
+# RADIUS_LIB_TYPE=RADLIB
+
+# RADIUSCLIENT is the radiusclient library; you probably need to add
+#   -lradiusclient to EXTRALIBS.
+#
+# The API for the radiusclient library was changed at release 0.4.0.
+# Unfortunately, the header file does not define a version number that clients
+# can use to support both the old and new APIs. If you are using version 0.4.0
+# or later of the radiusclient library, you should use RADIUSCLIENTNEW.
+#
+# RADLIB is the Radius library that comes with FreeBSD (the header file is
+#   called radlib.h); you probably need to add -lradius to EXTRALIBS.
+#
+# If you do not set RADIUS_LIB_TYPE, Exim assumes the radiusclient library,
+# using the original API.
+
+
+#------------------------------------------------------------------------------
+# Support for authentication via the Cyrus SASL pwcheck daemon is available.
+# Note, however, that pwcheck is now deprecated in favour of saslauthd (see
+# next item). The Exim support for pwcheck, which is intented for use in
+# conjunction with the SMTP AUTH facilities, is included only when requested by
+# setting the following parameter to the location of the pwcheck daemon's
+# socket.
+#
+# There is no need to install all of SASL on your system. You just need to run
+# ./configure --with-pwcheck, cd to the pwcheck directory within the sources,
+# make and make install. You must create the socket directory (default
+# /var/pwcheck) and chown it to Exim's user and group. Once you have installed
+# pwcheck, you should arrange for it to be started by root at boot time.
+
+# CYRUS_PWCHECK_SOCKET=/var/pwcheck/pwcheck
+
+
+#------------------------------------------------------------------------------
+# Support for authentication via the Cyrus SASL saslauthd daemon is available.
+# The Exim support, which is intended for use in conjunction with the SMTP AUTH
+# facilities, is included only when requested by setting the following
+# parameter to the location of the saslauthd daemon's socket.
+#
+# There is no need to install all of SASL on your system. You just need to run
+# ./configure --with-saslauthd (and any other options you need, for example, to
+# select or deselect authentication mechanisms), cd to the saslauthd directory
+# within the sources, make and make install. You must create the socket
+# directory (default /var/state/saslauthd) and chown it to Exim's user and
+# group. Once you have installed saslauthd, you should arrange for it to be
+# started by root at boot time.
+
+# CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux
+
+
+#------------------------------------------------------------------------------
+# TCP wrappers: If you want to use tcpwrappers from within Exim, uncomment
+# this setting. See the manual section entitled "Use of tcpwrappers" in the
+# chapter on building and installing Exim.
+#
+# USE_TCP_WRAPPERS=yes
+#
+# You may well also have to specify a local "include" file and an additional
+# library for TCP wrappers, so you probably need something like this:
+#
+# USE_TCP_WRAPPERS=yes
+# CFLAGS=-O -I/usr/local/include
+# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap
+#
+# but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
+# as well.
+#
+# To use a name other than exim in the tcpwrappers config file,
+# e.g. if you're running multiple daemons with different access lists,
+# or multiple MTAs with the same access list, define
+# TCP_WRAPPERS_DAEMON_NAME accordingly
+#
+# TCP_WRAPPERS_DAEMON_NAME="exim"
+
+
+#------------------------------------------------------------------------------
+# The default action of the exim_install script (which is run by "make
+# install") is to install the Exim binary with a unique name such as
+# exim-4.43-1, and then set up a symbolic link called "exim" to reference it,
+# moving the symbolic link from any previous version. If you define NO_SYMLINK
+# (the value doesn't matter), the symbolic link is not created or moved. You
+# will then have to "turn Exim on" by setting up the link manually.
+
+# NO_SYMLINK=yes
+
+
+#------------------------------------------------------------------------------
+# Another default action of the install script is to install a default runtime
+# configuration file if one does not exist. This configuration has a router for
+# expanding system aliases. The default assumes that these aliases are kept
+# in the traditional file called /etc/aliases. If such a file does not exist,
+# the installation script creates one that contains just comments (no actual
+# aliases). The following setting can be changed to specify a different
+# location for the system alias file.
+
+SYSTEM_ALIASES_FILE=/etc/aliases
+
+
+#------------------------------------------------------------------------------
+# There are some testing options (-be, -bt, -bv) that read data from the
+# standard input when no arguments are supplied. By default, the input lines
+# are read using the standard fgets() function. This does not support line
+# editing during interactive input (though the terminal's "erase" character
+# works as normal). If your operating system has the readline() function, and
+# in addition supports dynamic loading of library functions, you can cause
+# Exim to use readline() for the -be testing option (only) by uncommenting the
+# following setting. Dynamic loading is used so that the library is loaded only
+# when the -be testing option is given; by the time the loading occurs,
+# Exim has given up its root privilege and is running as the calling user. This
+# is the reason why readline() is NOT supported for -bt and -bv, because Exim
+# runs as root or as exim, respectively, for those options. When USE_READLINE
+# is "yes", as well as supporting line editing, a history of input lines in the
+# current run is maintained.
+
+# USE_READLINE=yes
+
+# You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
+# Note that this option adds to the size of the Exim binary, because the
+# dynamic loading library is not otherwise included.
+
+# If libreadline is not in the normal library paths, then because Exim is
+# setuid you'll need to ensure that the correct directory is stamped into
+# the binary so that dlopen will find it.
+# Eg, on macOS/Darwin with a third-party install of libreadline, perhaps:
+
+# EXTRALIBS_EXIM+=-Wl,-rpath,/usr/local/opt/readline/lib
+
+
+#------------------------------------------------------------------------------
+# Uncomment this setting to include IPv6 support.
+
+# HAVE_IPV6=yes
+
+###############################################################################
+#              THINGS YOU ALMOST NEVER NEED TO MENTION                        #
+###############################################################################
+
+# The settings in this section are available for use in special circumstances.
+# In the vast majority of installations you need not change anything below.
+
+
+#------------------------------------------------------------------------------
+# The following commands live in different places in some OS. Either the
+# ultimate default settings, or the OS-specific files should already point to
+# the right place, but they can be overridden here if necessary. These settings
+# are used when building various scripts to ensure that the correct paths are
+# used when the scripts are run. They are not used in the Makefile itself. Perl
+# is not necessary for running Exim unless you set EXIM_PERL (see above) to get
+# it embedded, but there are some utilities that are Perl scripts. If you
+# haven't got Perl, Exim will still build and run; you just won't be able to
+# use those utilities.
+
+# CHOWN_COMMAND=/usr/bin/chown
+# CHGRP_COMMAND=/usr/bin/chgrp
+# CHMOD_COMMAND=/usr/bin/chmod
+# MV_COMMAND=/bin/mv
+# RM_COMMAND=/bin/rm
+# TOUCH_COMMAND=/usr/bin/touch
+# PERL_COMMAND=/usr/bin/perl
+
+
+#------------------------------------------------------------------------------
+# The following macro can be used to change the command for building a library
+# of functions. By default the "ar" command is used, with options "cq".
+# Only in rare circumstances should you need to change this.
+
+# AR=ar cq
+
+
+#------------------------------------------------------------------------------
+# In some operating systems, the value of the TMPDIR environment variable
+# controls where temporary files are created. Exim does not make use of
+# temporary files, except when delivering to MBX mailboxes. However, if Exim
+# calls any external libraries (e.g. DBM libraries), they may use temporary
+# files, and thus be influenced by the value of TMPDIR. For this reason, when
+# Exim starts, it checks the environment for TMPDIR, and if it finds it is set,
+# it replaces the value with what is defined here. Commenting this setting
+# suppresses the check altogether. Older installations call this macro
+# just TMPDIR, but this has side effects at build time. At runtime
+# TMPDIR is checked as before.
+
+EXIM_TMPDIR="/tmp"
+
+
+#------------------------------------------------------------------------------
+# The following macros can be used to change the default modes that are used
+# by the appendfile transport. In most installations the defaults are just
+# fine, and in any case, you can change particular instances of the transport
+# at run time if you want.
+
+# APPENDFILE_MODE=0600
+# APPENDFILE_DIRECTORY_MODE=0700
+# APPENDFILE_LOCKFILE_MODE=0600
+
+
+#------------------------------------------------------------------------------
+# In some installations there may be multiple machines sharing file systems,
+# where a different configuration file is required for Exim on the different
+# machines. If CONFIGURE_FILE_USE_NODE is defined, then Exim will first look
+# for a configuration file whose name is that defined by CONFIGURE_FILE,
+# with the node name obtained by uname() tacked on the end, separated by a
+# period (for example, /usr/exim/configure.host.in.some.domain). If this file
+# does not exist, then the bare configuration file name is tried.
+
+# CONFIGURE_FILE_USE_NODE=yes
+
+
+#------------------------------------------------------------------------------
+# In some esoteric configurations two different versions of Exim are run,
+# with different setuid values, and different configuration files are required
+# to handle the different cases. If CONFIGURE_FILE_USE_EUID is defined, then
+# Exim will first look for a configuration file whose name is that defined
+# by CONFIGURE_FILE, with the effective uid tacked on the end, separated by
+# a period (for example, /usr/exim/configure.0). If this file does not exist,
+# then the bare configuration file name is tried. In the case when both
+# CONFIGURE_FILE_USE_EUID and CONFIGURE_FILE_USE_NODE are set, four files
+# are tried: <name>.<euid>.<node>, <name>.<node>, <name>.<euid>, and <name>.
+
+# CONFIGURE_FILE_USE_EUID=yes
+
+
+#------------------------------------------------------------------------------
+# The size of the delivery buffers: These specify the sizes (in bytes) of
+# the buffers that are used when copying a message from the spool to a
+# destination. There is rarely any need to change these values.
+
+# DELIVER_IN_BUFFER_SIZE=8192
+# DELIVER_OUT_BUFFER_SIZE=8192
+
+
+#------------------------------------------------------------------------------
+# The mode of the database directory: Exim creates a directory called "db"
+# in its spool directory, to hold its databases of hints. This variable
+# determines the mode of the created directory. The default value in the
+# source is 0750.
+
+# EXIMDB_DIRECTORY_MODE=0750
+
+
+#------------------------------------------------------------------------------
+# Database file mode: The mode of files created in the "db" directory defaults
+# to 0640 in the source, and can be changed here.
+
+# EXIMDB_MODE=0640
+
+
+#------------------------------------------------------------------------------
+# Database lock file mode: The mode of zero-length files created in the "db"
+# directory to use for locking purposes defaults to 0640 in the source, and
+# can be changed here.
+
+# EXIMDB_LOCKFILE_MODE=0640
+
+
+#------------------------------------------------------------------------------
+# This parameter sets the maximum length of the header portion of a message
+# that Exim is prepared to process. The default setting is one megabyte. The
+# limit exists in order to catch rogue mailers that might connect to your SMTP
+# port, start off a header line, and then just pump junk at it for ever. The
+# message_size_limit option would also catch this, but it may not be set.
+# The value set here is the default; it can be changed at runtime.
+
+# HEADER_MAXSIZE="(1024*1024)"
+
+
+#------------------------------------------------------------------------------
+# The mode of the input directory: The input directory is where messages are
+# kept while awaiting delivery. Exim creates it if necessary, using a mode
+# which can be defined here (default 0750).
+
+# INPUT_DIRECTORY_MODE=0750
+
+
+#------------------------------------------------------------------------------
+# The mode of Exim's log directory, when it is created by Exim inside the spool
+# directory, defaults to 0750 but can be changed here.
+
+# LOG_DIRECTORY_MODE=0750
+
+
+#------------------------------------------------------------------------------
+# The log files themselves are created as required, with a mode that defaults
+# to 0640, but which can be changed here.
+
+# LOG_MODE=0640
+
+
+#------------------------------------------------------------------------------
+# The TESTDB lookup is for performing tests on the handling of lookup results,
+# and is not useful for general running. It should be included only when
+# debugging the code of Exim.
+
+# LOOKUP_TESTDB=yes
+
+
+#------------------------------------------------------------------------------
+# /bin/sh is used by default as the shell in which to run commands that are
+# defined in the makefiles. This can be changed if necessary, by uncommenting
+# this line and specifying another shell, but note that a Bourne-compatible
+# shell is expected.
+
+# MAKE_SHELL=/bin/sh
+
+
+#------------------------------------------------------------------------------
+# The maximum number of named lists of each type (address, domain, host, and
+# local part) can be increased by changing this value. It should be set to
+# a multiple of 16.
+
+# MAX_NAMED_LIST=16
+
+
+#------------------------------------------------------------------------------
+# Network interfaces: Unless you set the local_interfaces option in the runtime
+# configuration file to restrict Exim to certain interfaces only, it will run
+# code to find all the interfaces there are on your host. Unfortunately,
+# the call to the OS that does this requires a buffer large enough to hold
+# data for all the interfaces - it was designed in the days when a host rarely
+# had more than three or four interfaces. Nowadays hosts can have very many
+# virtual interfaces running on the same hardware. If you have more than 250
+# virtual interfaces, you will need to uncomment this setting and increase the
+# value.
+
+# MAXINTERFACES=250
+
+
+#------------------------------------------------------------------------------
+# Per-message logs: While a message is in the process of being delivered,
+# comments on its progress are written to a message log, for the benefit of
+# human administrators. These logs are held in a directory called "msglog"
+# in the spool directory. Its mode defaults to 0750, but can be changed here.
+# The message log directory is also used for storing files that are used by
+# transports for returning data to a message's sender (see the "return_output"
+# option for transports).
+
+# MSGLOG_DIRECTORY_MODE=0750
+
+
+#------------------------------------------------------------------------------
+# There are three options which are used when compiling the Perl interface and
+# when linking with Perl. The default values for these are placed automatically
+# at the head of the Makefile by the script which builds it. However, if you
+# want to override them, you can do so here.
+
+# PERL_CC=
+# PERL_CCOPTS=
+# PERL_LIBS=
+
+
+#------------------------------------------------------------------------------
+# If you wish to disable valgrind in the binary, define NVALGRIND=1.
+# This should not be needed.
+
+# NVALGRIND=1
+
+#------------------------------------------------------------------------------
+# Identifying the daemon: When an Exim daemon starts up, it writes its pid
+# (process id) to a file so that it can easily be identified. The path of the
+# file can be specified here. Some installations may want something like this:
+
+# PID_FILE_PATH=/var/lock/exim.pid
+
+# If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
+# using the name "exim-daemon.pid".
+
+# If you start up a daemon without the -bd option (for example, with just
+# the -q15m option), a pid file is not written. Also, if you override the
+# configuration file with the -oX option, no pid file is written. In other
+# words, the pid file is written only for a "standard" daemon.
+
+
+#------------------------------------------------------------------------------
+# If Exim creates the spool directory, it is given this mode, defaulting in the
+# source to 0750.
+
+# SPOOL_DIRECTORY_MODE=0750
+
+
+#------------------------------------------------------------------------------
+# The mode of files on the input spool which hold the contents of messages can
+# be changed here. The default is 0640 so that information from the spool is
+# available to anyone who is a member of the Exim group.
+
+# SPOOL_MODE=0640
+
+
+#------------------------------------------------------------------------------
+# Moving frozen messages: If the following is uncommented, Exim is compiled
+# with support for automatically moving frozen messages out of the main spool
+# directory, a facility that is found useful by some large installations. A
+# run time option is required to cause the moving actually to occur. Such
+# messages become "invisible" to the normal management tools.
+
+# SUPPORT_MOVE_FROZEN_MESSAGES=yes
+
+
+#------------------------------------------------------------------------------
+# Expanding match_* second parameters: BE CAREFUL IF ENABLING THIS!
+# It has proven too easy in practice for administrators to configure security
+# problems into their Exim install, by treating match_domain{}{} and friends
+# as a form of string comparison, where the second string comes from untrusted
+# data. Because these options take lists, which can include lookup;LOOKUPDATA
+# style elements, a foe can then cause Exim to, eg, execute an arbitrary MySQL
+# query, dropping tables.
+# From Exim 4.77 onwards, the second parameter is not expanded; it can still
+# be a list literal, or a macro, or a named list reference.  There is also
+# the new expansion condition "inlisti" which does expand the second parameter,
+# but treats it as a list of strings; also, there's "eqi" which is probably
+# what is normally wanted.
+#
+# If you really need to have the old behaviour, know what you are doing and
+# will not complain if your system is compromised as a result of doing so, then
+# uncomment this option to get the old behaviour back.
+
+# EXPAND_LISTMATCH_RHS=yes
+
+#------------------------------------------------------------------------------
+# Disabling the use of fsync(): DO NOT UNCOMMENT THE FOLLOWING LINE unless you
+# really, really, really know what you are doing. And even then, think again.
+# You should never uncomment this when compiling a binary for distribution.
+# Use it only when compiling Exim for your own use.
+#
+# Uncommenting this line enables the use of a runtime option called
+# disable_fsync, which can be used to stop Exim using fsync() to ensure that
+# files are written to disc before proceeding. When this is disabled, crashes
+# and hardware problems such as power outages can cause data to be lost. This
+# feature should only be used in very exceptional circumstances. YOU HAVE BEEN
+# WARNED.
+
+# ENABLE_DISABLE_FSYNC=yes
+
+#------------------------------------------------------------------------------
+# For development, add this to include code to time various stages and report.
+# CFLAGS += -DMEASURE_TIMING
+
+# For a very slightly smaller build, for constrained systems, uncomment this.
+# The feature involved is purely for debugging.
+
+# DISABLE_CLIENT_CMD_LOG=yes
+
+# End of EDITME for Exim 4.
diff --git a/src/acl.c b/src/acl.c
new file mode 100644
index 0000000..fb78a7b
--- /dev/null
+++ b/src/acl.c
@@ -0,0 +1,4896 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Code for handling Access Control Lists (ACLs) */
+
+#include "exim.h"
+
+#ifndef MACRO_PREDEF
+
+/* Default callout timeout */
+
+#define CALLOUT_TIMEOUT_DEFAULT 30
+
+/* Default quota cache TTLs */
+
+#define QUOTA_POS_DEFAULT (5*60)
+#define QUOTA_NEG_DEFAULT (60*60)
+
+
+/* ACL verb codes - keep in step with the table of verbs that follows */
+
+enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
+       ACL_WARN };
+
+/* ACL verbs */
+
+static uschar *verbs[] = {
+    [ACL_ACCEPT] =	US"accept",
+    [ACL_DEFER] =	US"defer",
+    [ACL_DENY] =	US"deny",
+    [ACL_DISCARD] =	US"discard",
+    [ACL_DROP] =	US"drop",
+    [ACL_REQUIRE] =	US"require",
+    [ACL_WARN] =	US"warn"
+};
+
+/* For each verb, the conditions for which "message" or "log_message" are used
+are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
+"accept", the FAIL case is used only after "endpass", but that is selected in
+the code. */
+
+static int msgcond[] = {
+  [ACL_ACCEPT] =	BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
+  [ACL_DEFER] =		BIT(OK),
+  [ACL_DENY] =		BIT(OK),
+  [ACL_DISCARD] =	BIT(OK) | BIT(FAIL) | BIT(FAIL_DROP),
+  [ACL_DROP] =		BIT(OK),
+  [ACL_REQUIRE] =	BIT(FAIL) | BIT(FAIL_DROP),
+  [ACL_WARN] =		BIT(OK)
+  };
+
+#endif
+
+/* ACL condition and modifier codes - keep in step with the table that
+follows.
+down. */
+
+enum { ACLC_ACL,
+       ACLC_ADD_HEADER,
+       ACLC_AUTHENTICATED,
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+       ACLC_BMI_OPTIN,
+#endif
+       ACLC_CONDITION,
+       ACLC_CONTINUE,
+       ACLC_CONTROL,
+#ifdef EXPERIMENTAL_DCC
+       ACLC_DCC,
+#endif
+#ifdef WITH_CONTENT_SCAN
+       ACLC_DECODE,
+#endif
+       ACLC_DELAY,
+#ifndef DISABLE_DKIM
+       ACLC_DKIM_SIGNER,
+       ACLC_DKIM_STATUS,
+#endif
+#ifdef SUPPORT_DMARC
+       ACLC_DMARC_STATUS,
+#endif
+       ACLC_DNSLISTS,
+       ACLC_DOMAINS,
+       ACLC_ENCRYPTED,
+       ACLC_ENDPASS,
+       ACLC_HOSTS,
+       ACLC_LOCAL_PARTS,
+       ACLC_LOG_MESSAGE,
+       ACLC_LOG_REJECT_TARGET,
+       ACLC_LOGWRITE,
+#ifdef WITH_CONTENT_SCAN
+       ACLC_MALWARE,
+#endif
+       ACLC_MESSAGE,
+#ifdef WITH_CONTENT_SCAN
+       ACLC_MIME_REGEX,
+#endif
+       ACLC_QUEUE,
+       ACLC_RATELIMIT,
+       ACLC_RECIPIENTS,
+#ifdef WITH_CONTENT_SCAN
+       ACLC_REGEX,
+#endif
+       ACLC_REMOVE_HEADER,
+       ACLC_SEEN,
+       ACLC_SENDER_DOMAINS,
+       ACLC_SENDERS,
+       ACLC_SET,
+#ifdef WITH_CONTENT_SCAN
+       ACLC_SPAM,
+#endif
+#ifdef SUPPORT_SPF
+       ACLC_SPF,
+       ACLC_SPF_GUESS,
+#endif
+       ACLC_UDPSEND,
+       ACLC_VERIFY };
+
+/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
+"message", "log_message", "log_reject_target", "logwrite", "queue" and "set" are
+modifiers that look like conditions but always return TRUE. They are used for
+their side effects.  Do not invent new modifier names that result in one name
+being the prefix of another; the binary-search in the list will go wrong. */
+
+typedef struct condition_def {
+  uschar	*name;
+
+/* Flag to indicate the condition/modifier has a string expansion done
+at the outer level. In the other cases, expansion already occurs in the
+checking functions. */
+  BOOL		expand_at_top:1;
+
+  BOOL		is_modifier:1;
+
+/* Bit map vector of which conditions and modifiers are not allowed at certain
+times. For each condition and modifier, there's a bitmap of dis-allowed times.
+For some, it is easier to specify the negation of a small number of allowed
+times. */
+  unsigned	forbids;
+
+} condition_def;
+
+static condition_def conditions[] = {
+  [ACLC_ACL] =			{ US"acl",		FALSE, FALSE,	0 },
+
+  [ACLC_ADD_HEADER] =		{ US"add_header",	TRUE, TRUE,
+				  (unsigned int)
+				  ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
+				    ACL_BIT_PREDATA | ACL_BIT_DATA |
+#ifndef DISABLE_PRDR
+				    ACL_BIT_PRDR |
+#endif
+				    ACL_BIT_MIME | ACL_BIT_NOTSMTP |
+				    ACL_BIT_DKIM |
+				    ACL_BIT_NOTSMTP_START),
+  },
+
+  [ACLC_AUTHENTICATED] =	{ US"authenticated",	FALSE, FALSE,
+				  ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START |
+				    ACL_BIT_CONNECT | ACL_BIT_HELO,
+  },
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+  [ACLC_BMI_OPTIN] =		{ US"bmi_optin",	TRUE, TRUE,
+				  ACL_BIT_AUTH |
+				    ACL_BIT_CONNECT | ACL_BIT_HELO |
+				    ACL_BIT_DATA | ACL_BIT_MIME |
+# ifndef DISABLE_PRDR
+				    ACL_BIT_PRDR |
+# endif
+				    ACL_BIT_ETRN | ACL_BIT_EXPN |
+				    ACL_BIT_MAILAUTH |
+				    ACL_BIT_MAIL | ACL_BIT_STARTTLS |
+				    ACL_BIT_VRFY | ACL_BIT_PREDATA |
+				    ACL_BIT_NOTSMTP_START,
+  },
+#endif
+  [ACLC_CONDITION] =		{ US"condition",	TRUE, FALSE,	0 },
+  [ACLC_CONTINUE] =		{ US"continue",	TRUE, TRUE,	0 },
+
+  /* Certain types of control are always allowed, so we let it through
+  always and check in the control processing itself. */
+  [ACLC_CONTROL] =		{ US"control",	TRUE, TRUE,	0 },
+
+#ifdef EXPERIMENTAL_DCC
+  [ACLC_DCC] =			{ US"dcc",		TRUE, FALSE,
+				  (unsigned int)
+				  ~(ACL_BIT_DATA |
+# ifndef DISABLE_PRDR
+				  ACL_BIT_PRDR |
+# endif
+				  ACL_BIT_NOTSMTP),
+  },
+#endif
+#ifdef WITH_CONTENT_SCAN
+  [ACLC_DECODE] =		{ US"decode",		TRUE, FALSE, (unsigned int) ~ACL_BIT_MIME },
+
+#endif
+  [ACLC_DELAY] =		{ US"delay",		TRUE, TRUE, ACL_BIT_NOTQUIT },
+#ifndef DISABLE_DKIM
+  [ACLC_DKIM_SIGNER] =		{ US"dkim_signers",	TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM },
+  [ACLC_DKIM_STATUS] =		{ US"dkim_status",	TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM },
+#endif
+#ifdef SUPPORT_DMARC
+  [ACLC_DMARC_STATUS] =		{ US"dmarc_status",	TRUE, FALSE, (unsigned int) ~ACL_BIT_DATA },
+#endif
+
+  /* Explicit key lookups can be made in non-smtp ACLs so pass
+  always and check in the verify processing itself. */
+  [ACLC_DNSLISTS] =		{ US"dnslists",	TRUE, FALSE,	0 },
+
+  [ACLC_DOMAINS] =		{ US"domains",	FALSE, FALSE,
+				  (unsigned int)
+				  ~(ACL_BIT_RCPT | ACL_BIT_VRFY
+#ifndef DISABLE_PRDR
+				  |ACL_BIT_PRDR
+#endif
+      ),
+  },
+  [ACLC_ENCRYPTED] =		{ US"encrypted",	FALSE, FALSE,
+				  ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START |
+				    ACL_BIT_HELO,
+  },
+
+  [ACLC_ENDPASS] =		{ US"endpass",	TRUE, TRUE,	0 },
+
+  [ACLC_HOSTS] =		{ US"hosts",		FALSE, FALSE,
+				  ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
+  },
+  [ACLC_LOCAL_PARTS] =		{ US"local_parts",	FALSE, FALSE,
+				  (unsigned int)
+				  ~(ACL_BIT_RCPT | ACL_BIT_VRFY
+#ifndef DISABLE_PRDR
+				  | ACL_BIT_PRDR
+#endif
+      ),
+  },
+
+  [ACLC_LOG_MESSAGE] =		{ US"log_message",	TRUE, TRUE,	0 },
+  [ACLC_LOG_REJECT_TARGET] =	{ US"log_reject_target", TRUE, TRUE,	0 },
+  [ACLC_LOGWRITE] =		{ US"logwrite",	TRUE, TRUE,	0 },
+
+#ifdef WITH_CONTENT_SCAN
+  [ACLC_MALWARE] =		{ US"malware",	TRUE, FALSE,
+				  (unsigned int)
+				    ~(ACL_BIT_DATA |
+# ifndef DISABLE_PRDR
+				    ACL_BIT_PRDR |
+# endif
+				    ACL_BIT_NOTSMTP),
+  },
+#endif
+
+  [ACLC_MESSAGE] =		{ US"message",	TRUE, TRUE,	0 },
+#ifdef WITH_CONTENT_SCAN
+  [ACLC_MIME_REGEX] =		{ US"mime_regex",	TRUE, FALSE, (unsigned int) ~ACL_BIT_MIME },
+#endif
+
+  [ACLC_QUEUE] =		{ US"queue",		TRUE, TRUE,
+				  ACL_BIT_NOTSMTP |
+#ifndef DISABLE_PRDR
+				  ACL_BIT_PRDR |
+#endif
+				  ACL_BIT_DATA,
+  },
+
+  [ACLC_RATELIMIT] =		{ US"ratelimit",	TRUE, FALSE,	0 },
+  [ACLC_RECIPIENTS] =		{ US"recipients",	FALSE, FALSE, (unsigned int) ~ACL_BIT_RCPT },
+
+#ifdef WITH_CONTENT_SCAN
+  [ACLC_REGEX] =		{ US"regex",		TRUE, FALSE,
+				  (unsigned int)
+				  ~(ACL_BIT_DATA |
+# ifndef DISABLE_PRDR
+				    ACL_BIT_PRDR |
+# endif
+				    ACL_BIT_NOTSMTP |
+				    ACL_BIT_MIME),
+  },
+
+#endif
+  [ACLC_REMOVE_HEADER] =	{ US"remove_header",	TRUE, TRUE,
+				  (unsigned int)
+				  ~(ACL_BIT_MAIL|ACL_BIT_RCPT |
+				    ACL_BIT_PREDATA | ACL_BIT_DATA |
+#ifndef DISABLE_PRDR
+				    ACL_BIT_PRDR |
+#endif
+				    ACL_BIT_MIME | ACL_BIT_NOTSMTP |
+				    ACL_BIT_NOTSMTP_START),
+  },
+  [ACLC_SEEN] =			{ US"seen",		TRUE, FALSE,	0 },
+  [ACLC_SENDER_DOMAINS] =	{ US"sender_domains",	FALSE, FALSE,
+				  ACL_BIT_AUTH | ACL_BIT_CONNECT |
+				    ACL_BIT_HELO |
+				    ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
+				    ACL_BIT_ETRN | ACL_BIT_EXPN |
+				    ACL_BIT_STARTTLS | ACL_BIT_VRFY,
+  },
+  [ACLC_SENDERS] =		{ US"senders",	FALSE, FALSE,
+				  ACL_BIT_AUTH | ACL_BIT_CONNECT |
+				    ACL_BIT_HELO |
+				    ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
+				    ACL_BIT_ETRN | ACL_BIT_EXPN |
+				    ACL_BIT_STARTTLS | ACL_BIT_VRFY,
+  },
+
+  [ACLC_SET] =			{ US"set",		TRUE, TRUE,	0 },
+
+#ifdef WITH_CONTENT_SCAN
+  [ACLC_SPAM] =			{ US"spam",		TRUE, FALSE,
+				  (unsigned int) ~(ACL_BIT_DATA |
+# ifndef DISABLE_PRDR
+				  ACL_BIT_PRDR |
+# endif
+				  ACL_BIT_NOTSMTP),
+  },
+#endif
+#ifdef SUPPORT_SPF
+  [ACLC_SPF] =			{ US"spf",		TRUE, FALSE,
+				  ACL_BIT_AUTH | ACL_BIT_CONNECT |
+				    ACL_BIT_HELO | ACL_BIT_MAILAUTH |
+				    ACL_BIT_ETRN | ACL_BIT_EXPN |
+				    ACL_BIT_STARTTLS | ACL_BIT_VRFY |
+				    ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
+  },
+  [ACLC_SPF_GUESS] =		{ US"spf_guess",	TRUE, FALSE,
+				  ACL_BIT_AUTH | ACL_BIT_CONNECT |
+				    ACL_BIT_HELO | ACL_BIT_MAILAUTH |
+				    ACL_BIT_ETRN | ACL_BIT_EXPN |
+				    ACL_BIT_STARTTLS | ACL_BIT_VRFY |
+				    ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
+  },
+#endif
+  [ACLC_UDPSEND] =		{ US"udpsend",		TRUE, TRUE,	0 },
+
+  /* Certain types of verify are always allowed, so we let it through
+  always and check in the verify function itself */
+  [ACLC_VERIFY] =		{ US"verify",		TRUE, FALSE, 0 },
+};
+
+
+#ifdef MACRO_PREDEF
+# include "macro_predef.h"
+void
+features_acl(void)
+{
+for (condition_def * c = conditions; c < conditions + nelem(conditions); c++)
+  {
+  uschar buf[64], * p, * s;
+  int n = sprintf(CS buf, "_ACL_%s_", c->is_modifier ? "MOD" : "COND");
+  for (p = buf + n, s = c->name; *s; s++) *p++ = toupper(*s);
+  *p = '\0';
+  builtin_macro_create(buf);
+  }
+}
+#endif
+
+
+#ifndef MACRO_PREDEF
+
+/* Return values from decode_control(); used as index so keep in step
+with the controls_list table that follows! */
+
+enum {
+  CONTROL_AUTH_UNADVERTISED,
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+  CONTROL_BMI_RUN,
+#endif
+  CONTROL_CASEFUL_LOCAL_PART,
+  CONTROL_CASELOWER_LOCAL_PART,
+  CONTROL_CUTTHROUGH_DELIVERY,
+  CONTROL_DEBUG,
+#ifndef DISABLE_DKIM
+  CONTROL_DKIM_VERIFY,
+#endif
+#ifdef SUPPORT_DMARC
+  CONTROL_DMARC_VERIFY,
+  CONTROL_DMARC_FORENSIC,
+#endif
+  CONTROL_DSCP,
+  CONTROL_ENFORCE_SYNC,
+  CONTROL_ERROR,		/* pseudo-value for decode errors */
+  CONTROL_FAKEDEFER,
+  CONTROL_FAKEREJECT,
+  CONTROL_FREEZE,
+
+  CONTROL_NO_CALLOUT_FLUSH,
+  CONTROL_NO_DELAY_FLUSH,
+  CONTROL_NO_ENFORCE_SYNC,
+#ifdef WITH_CONTENT_SCAN
+  CONTROL_NO_MBOX_UNSPOOL,
+#endif
+  CONTROL_NO_MULTILINE,
+  CONTROL_NO_PIPELINING,
+
+  CONTROL_QUEUE,
+  CONTROL_SUBMISSION,
+  CONTROL_SUPPRESS_LOCAL_FIXUPS,
+#ifdef SUPPORT_I18N
+  CONTROL_UTF8_DOWNCONVERT,
+#endif
+};
+
+
+
+/* Structure listing various control arguments, with their characteristics.
+For each control, there's a bitmap of dis-allowed times. For some, it is easier
+to specify the negation of a small number of allowed times. */
+
+typedef struct control_def {
+  uschar	*name;
+  BOOL		has_option;     /* Has /option(s) following */
+  unsigned	forbids;	/* bitmap of dis-allowed times */
+} control_def;
+
+static control_def controls_list[] = {
+  /*	name			has_option	forbids */
+[CONTROL_AUTH_UNADVERTISED] =
+  { US"allow_auth_unadvertised", FALSE,
+				  (unsigned)
+				  ~(ACL_BIT_CONNECT | ACL_BIT_HELO)
+  },
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+[CONTROL_BMI_RUN] =
+  { US"bmi_run",                 FALSE,		0 },
+#endif
+[CONTROL_CASEFUL_LOCAL_PART] =
+  { US"caseful_local_part",      FALSE, (unsigned) ~ACL_BIT_RCPT },
+[CONTROL_CASELOWER_LOCAL_PART] =
+  { US"caselower_local_part",    FALSE, (unsigned) ~ACL_BIT_RCPT },
+[CONTROL_CUTTHROUGH_DELIVERY] =
+  { US"cutthrough_delivery",     TRUE,		0 },
+[CONTROL_DEBUG] =
+  { US"debug",                   TRUE,		0 },
+
+#ifndef DISABLE_DKIM
+[CONTROL_DKIM_VERIFY] =
+  { US"dkim_disable_verify",     FALSE,
+				  ACL_BIT_DATA | ACL_BIT_NOTSMTP |
+# ifndef DISABLE_PRDR
+				  ACL_BIT_PRDR |
+# endif
+				  ACL_BIT_NOTSMTP_START
+  },
+#endif
+
+#ifdef SUPPORT_DMARC
+[CONTROL_DMARC_VERIFY] =
+  { US"dmarc_disable_verify",    FALSE,
+	  ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
+  },
+[CONTROL_DMARC_FORENSIC] =
+  { US"dmarc_enable_forensic",   FALSE,
+	  ACL_BIT_DATA | ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
+  },
+#endif
+
+[CONTROL_DSCP] =
+  { US"dscp",                    TRUE,
+	  ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START | ACL_BIT_NOTQUIT
+  },
+[CONTROL_ENFORCE_SYNC] =
+  { US"enforce_sync",            FALSE,
+	  ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
+  },
+
+  /* Pseudo-value for decode errors */
+[CONTROL_ERROR] =
+  { US"error",                   FALSE, 0 },
+
+[CONTROL_FAKEDEFER] =
+  { US"fakedefer",               TRUE,
+	  (unsigned)
+	  ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
+	    ACL_BIT_PREDATA | ACL_BIT_DATA |
+#ifndef DISABLE_PRDR
+	    ACL_BIT_PRDR |
+#endif
+	    ACL_BIT_MIME)
+  },
+[CONTROL_FAKEREJECT] =
+  { US"fakereject",              TRUE,
+	  (unsigned)
+	  ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
+	    ACL_BIT_PREDATA | ACL_BIT_DATA |
+#ifndef DISABLE_PRDR
+	  ACL_BIT_PRDR |
+#endif
+	  ACL_BIT_MIME)
+  },
+[CONTROL_FREEZE] =
+  { US"freeze",                  TRUE,
+	  (unsigned)
+	  ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
+	    ACL_BIT_PREDATA | ACL_BIT_DATA |
+	    // ACL_BIT_PRDR|    /* Not allow one user to freeze for all */
+	    ACL_BIT_NOTSMTP | ACL_BIT_MIME)
+  },
+
+[CONTROL_NO_CALLOUT_FLUSH] =
+  { US"no_callout_flush",        FALSE,
+	  ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
+  },
+[CONTROL_NO_DELAY_FLUSH] =
+  { US"no_delay_flush",          FALSE,
+	  ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
+  },
+
+[CONTROL_NO_ENFORCE_SYNC] =
+  { US"no_enforce_sync",         FALSE,
+	  ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
+  },
+#ifdef WITH_CONTENT_SCAN
+[CONTROL_NO_MBOX_UNSPOOL] =
+  { US"no_mbox_unspool",         FALSE,
+	(unsigned)
+	~(ACL_BIT_MAIL | ACL_BIT_RCPT |
+	  ACL_BIT_PREDATA | ACL_BIT_DATA |
+	  // ACL_BIT_PRDR|    /* Not allow one user to freeze for all */
+	  ACL_BIT_MIME)
+  },
+#endif
+[CONTROL_NO_MULTILINE] =
+  { US"no_multiline_responses",  FALSE,
+	  ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
+  },
+[CONTROL_NO_PIPELINING] =
+  { US"no_pipelining",           FALSE,
+	  ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START
+  },
+
+[CONTROL_QUEUE] =
+  { US"queue",			TRUE,
+	  (unsigned)
+	  ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
+	    ACL_BIT_PREDATA | ACL_BIT_DATA |
+	    // ACL_BIT_PRDR|    /* Not allow one user to freeze for all */
+	    ACL_BIT_NOTSMTP | ACL_BIT_MIME)
+  },
+
+[CONTROL_SUBMISSION] =
+  { US"submission",              TRUE,
+	  (unsigned)
+	  ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA)
+  },
+[CONTROL_SUPPRESS_LOCAL_FIXUPS] =
+  { US"suppress_local_fixups",   FALSE,
+    (unsigned)
+    ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA |
+      ACL_BIT_NOTSMTP_START)
+  },
+#ifdef SUPPORT_I18N
+[CONTROL_UTF8_DOWNCONVERT] =
+  { US"utf8_downconvert",        TRUE, (unsigned) ~(ACL_BIT_RCPT | ACL_BIT_VRFY)
+  }
+#endif
+};
+
+/* Support data structures for Client SMTP Authorization. acl_verify_csa()
+caches its result in a tree to avoid repeated DNS queries. The result is an
+integer code which is used as an index into the following tables of
+explanatory strings and verification return codes. */
+
+static tree_node *csa_cache = NULL;
+
+enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
+ CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
+
+/* The acl_verify_csa() return code is translated into an acl_verify() return
+code using the following table. It is OK unless the client is definitely not
+authorized. This is because CSA is supposed to be optional for sending sites,
+so recipients should not be too strict about checking it - especially because
+DNS problems are quite likely to occur. It's possible to use $csa_status in
+further ACL conditions to distinguish ok, unknown, and defer if required, but
+the aim is to make the usual configuration simple. */
+
+static int csa_return_code[] = {
+  [CSA_UNKNOWN] =	OK,
+  [CSA_OK] =		OK,
+  [CSA_DEFER_SRV] =	OK,
+  [CSA_DEFER_ADDR] =	OK,
+  [CSA_FAIL_EXPLICIT] =	FAIL,
+  [CSA_FAIL_DOMAIN] =	FAIL,
+  [CSA_FAIL_NOADDR] =	FAIL,
+  [CSA_FAIL_MISMATCH] =	FAIL
+};
+
+static uschar *csa_status_string[] = {
+  [CSA_UNKNOWN] =	US"unknown",
+  [CSA_OK] =		US"ok",
+  [CSA_DEFER_SRV] =	US"defer",
+  [CSA_DEFER_ADDR] =	US"defer",
+  [CSA_FAIL_EXPLICIT] =	US"fail",
+  [CSA_FAIL_DOMAIN] =	US"fail",
+  [CSA_FAIL_NOADDR] =	US"fail",
+  [CSA_FAIL_MISMATCH] =	US"fail"
+};
+
+static uschar *csa_reason_string[] = {
+  [CSA_UNKNOWN] =	US"unknown",
+  [CSA_OK] =		US"ok",
+  [CSA_DEFER_SRV] =	US"deferred (SRV lookup failed)",
+  [CSA_DEFER_ADDR] =	US"deferred (target address lookup failed)",
+  [CSA_FAIL_EXPLICIT] =	US"failed (explicit authorization required)",
+  [CSA_FAIL_DOMAIN] =	US"failed (host name not authorized)",
+  [CSA_FAIL_NOADDR] =	US"failed (no authorized addresses)",
+  [CSA_FAIL_MISMATCH] =	US"failed (client address mismatch)"
+};
+
+/* Options for the ratelimit condition. Note that there are two variants of
+the per_rcpt option, depending on the ACL that is used to measure the rate.
+However any ACL must be able to look up per_rcpt rates in /noupdate mode,
+so the two variants must have the same internal representation as well as
+the same configuration string. */
+
+enum {
+  RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
+  RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
+};
+
+#define RATE_SET(var,new) \
+  (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
+
+static uschar *ratelimit_option_string[] = {
+  [RATE_PER_WHAT] =	US"?",
+  [RATE_PER_CLASH] =	US"!",
+  [RATE_PER_ADDR] =	US"per_addr",
+  [RATE_PER_BYTE] =	US"per_byte",
+  [RATE_PER_CMD] =	US"per_cmd",
+  [RATE_PER_CONN] =	US"per_conn",
+  [RATE_PER_MAIL] =	US"per_mail",
+  [RATE_PER_RCPT] =	US"per_rcpt",
+  [RATE_PER_ALLRCPTS] =	US"per_rcpt"
+};
+
+/* Enable recursion between acl_check_internal() and acl_check_condition() */
+
+static int acl_check_wargs(int, address_item *, const uschar *, uschar **,
+    uschar **);
+
+static acl_block * acl_current = NULL;
+
+
+/*************************************************
+*            Find control in list                *
+*************************************************/
+
+/* The lists are always in order, so binary chop can be used.
+
+Arguments:
+  name      the control name to search for
+  ol        the first entry in the control list
+  last      one more than the offset of the last entry in the control list
+
+Returns:    index of a control entry, or -1 if not found
+*/
+
+static int
+find_control(const uschar * name, control_def * ol, int last)
+{
+for (int first = 0; last > first; )
+  {
+  int middle = (first + last)/2;
+  uschar * s =  ol[middle].name;
+  int c = Ustrncmp(name, s, Ustrlen(s));
+  if (c == 0) return middle;
+  else if (c > 0) first = middle + 1;
+  else last = middle;
+  }
+return -1;
+}
+
+
+
+/*************************************************
+*         Pick out condition from list           *
+*************************************************/
+
+/* Use a binary chop method
+
+Arguments:
+  name        name to find
+  list        list of conditions
+  end         size of list
+
+Returns:      offset in list, or -1 if not found
+*/
+
+static int
+acl_checkcondition(uschar * name, condition_def * list, int end)
+{
+for (int start = 0; start < end; )
+  {
+  int mid = (start + end)/2;
+  int c = Ustrcmp(name, list[mid].name);
+  if (c == 0) return mid;
+  if (c < 0) end = mid;
+  else start = mid + 1;
+  }
+return -1;
+}
+
+
+/*************************************************
+*         Pick out name from list                *
+*************************************************/
+
+/* Use a binary chop method
+
+Arguments:
+  name        name to find
+  list        list of names
+  end         size of list
+
+Returns:      offset in list, or -1 if not found
+*/
+
+static int
+acl_checkname(uschar *name, uschar **list, int end)
+{
+for (int start = 0; start < end; )
+  {
+  int mid = (start + end)/2;
+  int c = Ustrcmp(name, list[mid]);
+  if (c == 0) return mid;
+  if (c < 0) end = mid; else start = mid + 1;
+  }
+
+return -1;
+}
+
+
+/*************************************************
+*            Read and parse one ACL              *
+*************************************************/
+
+/* This function is called both from readconf in order to parse the ACLs in the
+configuration file, and also when an ACL is encountered dynamically (e.g. as
+the result of an expansion). It is given a function to call in order to
+retrieve the lines of the ACL. This function handles skipping comments and
+blank lines (where relevant).
+
+Arguments:
+  func        function to get next line of ACL
+  error       where to put an error message
+
+Returns:      pointer to ACL, or NULL
+              NULL can be legal (empty ACL); in this case error will be NULL
+*/
+
+acl_block *
+acl_read(uschar *(*func)(void), uschar **error)
+{
+acl_block *yield = NULL;
+acl_block **lastp = &yield;
+acl_block *this = NULL;
+acl_condition_block *cond;
+acl_condition_block **condp = NULL;
+uschar * s;
+
+*error = NULL;
+
+while ((s = (*func)()))
+  {
+  int v, c;
+  BOOL negated = FALSE;
+  uschar *saveline = s;
+  uschar name[EXIM_DRIVERNAME_MAX];
+
+  /* Conditions (but not verbs) are allowed to be negated by an initial
+  exclamation mark. */
+
+  if (Uskip_whitespace(&s) == '!')
+    {
+    negated = TRUE;
+    s++;
+    }
+
+  /* Read the name of a verb or a condition, or the start of a new ACL, which
+  can be started by a name, or by a macro definition. */
+
+  s = readconf_readname(name, sizeof(name), s);
+  if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
+
+  /* If a verb is unrecognized, it may be another condition or modifier that
+  continues the previous verb. */
+
+  if ((v = acl_checkname(name, verbs, nelem(verbs))) < 0)
+    {
+    if (!this)
+      {
+      *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
+        saveline);
+      return NULL;
+      }
+    }
+
+  /* New verb */
+
+  else
+    {
+    if (negated)
+      {
+      *error = string_sprintf("malformed ACL line \"%s\"", saveline);
+      return NULL;
+      }
+    this = store_get(sizeof(acl_block), GET_UNTAINTED);
+    *lastp = this;
+    lastp = &(this->next);
+    this->next = NULL;
+    this->condition = NULL;
+    this->verb = v;
+    this->srcline = config_lineno;	/* for debug output */
+    this->srcfile = config_filename;	/**/
+    condp = &(this->condition);
+    if (*s == 0) continue;               /* No condition on this line */
+    if (*s == '!')
+      {
+      negated = TRUE;
+      s++;
+      }
+    s = readconf_readname(name, sizeof(name), s);  /* Condition name */
+    }
+
+  /* Handle a condition or modifier. */
+
+  if ((c = acl_checkcondition(name, conditions, nelem(conditions))) < 0)
+    {
+    *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
+      saveline);
+    return NULL;
+    }
+
+  /* The modifiers may not be negated */
+
+  if (negated && conditions[c].is_modifier)
+    {
+    *error = string_sprintf("ACL error: negation is not allowed with "
+      "\"%s\"", conditions[c].name);
+    return NULL;
+    }
+
+  /* ENDPASS may occur only with ACCEPT or DISCARD. */
+
+  if (c == ACLC_ENDPASS &&
+      this->verb != ACL_ACCEPT &&
+      this->verb != ACL_DISCARD)
+    {
+    *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
+      conditions[c].name, verbs[this->verb]);
+    return NULL;
+    }
+
+  cond = store_get(sizeof(acl_condition_block), GET_UNTAINTED);
+  cond->next = NULL;
+  cond->type = c;
+  cond->u.negated = negated;
+
+  *condp = cond;
+  condp = &(cond->next);
+
+  /* The "set" modifier is different in that its argument is "name=value"
+  rather than just a value, and we can check the validity of the name, which
+  gives us a variable name to insert into the data block. The original ACL
+  variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
+  extended to 20 of each type, but after that people successfully argued for
+  arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
+  After that, we allow alphanumerics and underscores, but the first character
+  after c or m must be a digit or an underscore. This retains backwards
+  compatibility. */
+
+  if (c == ACLC_SET)
+#ifndef DISABLE_DKIM
+    if (  Ustrncmp(s, "dkim_verify_status", 18) == 0
+       || Ustrncmp(s, "dkim_verify_reason", 18) == 0)
+      {
+      uschar * endptr = s+18;
+
+      if (isalnum(*endptr))
+	{
+	*error = string_sprintf("invalid variable name after \"set\" in ACL "
+	  "modifier \"set %s\" "
+	  "(only \"dkim_verify_status\" or \"dkim_verify_reason\" permitted)",
+	  s);
+	return NULL;
+	}
+      cond->u.varname = string_copyn(s, 18);
+      s = endptr;
+      Uskip_whitespace(&s);
+      }
+    else
+#endif
+    {
+    uschar *endptr;
+
+    if (Ustrncmp(s, "acl_c", 5) != 0 && Ustrncmp(s, "acl_m", 5) != 0)
+      {
+      *error = string_sprintf("invalid variable name after \"set\" in ACL "
+	"modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
+      return NULL;
+      }
+
+    endptr = s + 5;
+    if (!isdigit(*endptr) && *endptr != '_')
+      {
+      *error = string_sprintf("invalid variable name after \"set\" in ACL "
+	"modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
+	s);
+      return NULL;
+      }
+
+    while (*endptr && *endptr != '=' && !isspace(*endptr))
+      {
+      if (!isalnum(*endptr) && *endptr != '_')
+	{
+	*error = string_sprintf("invalid character \"%c\" in variable name "
+	  "in ACL modifier \"set %s\"", *endptr, s);
+	return NULL;
+	}
+      endptr++;
+      }
+
+    cond->u.varname = string_copyn(s + 4, endptr - s - 4);
+    s = endptr;
+    Uskip_whitespace(&s);
+    }
+
+  /* For "set", we are now positioned for the data. For the others, only
+  "endpass" has no data */
+
+  if (c != ACLC_ENDPASS)
+    {
+    if (*s++ != '=')
+      {
+      *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
+        conditions[c].is_modifier ? US"modifier" : US"condition");
+      return NULL;
+      }
+    Uskip_whitespace(&s);
+    cond->arg = string_copy(s);
+    }
+  }
+
+return yield;
+}
+
+
+
+/*************************************************
+*         Set up added header line(s)            *
+*************************************************/
+
+/* This function is called by the add_header modifier, and also from acl_warn()
+to implement the now-deprecated way of adding header lines using "message" on a
+"warn" verb. The argument is treated as a sequence of header lines which are
+added to a chain, provided there isn't an identical one already there.
+
+Argument:   string of header lines
+Returns:    nothing
+*/
+
+static void
+setup_header(const uschar *hstring)
+{
+const uschar *p, *q;
+int hlen = Ustrlen(hstring);
+
+/* Ignore any leading newlines */
+while (*hstring == '\n') hstring++, hlen--;
+
+/* An empty string does nothing; ensure exactly one final newline. */
+if (hlen <= 0) return;
+if (hstring[--hlen] != '\n')		/* no newline */
+  q = string_sprintf("%s\n", hstring);
+else if (hstring[hlen-1] == '\n')	/* double newline */
+  {
+  uschar * s = string_copy(hstring);
+  while(s[--hlen] == '\n')
+    s[hlen+1] = '\0';
+  q = s;
+  }
+else
+  q = hstring;
+
+/* Loop for multiple header lines, taking care about continuations */
+
+for (p = q; *p; p = q)
+  {
+  const uschar *s;
+  uschar * hdr;
+  int newtype = htype_add_bot;
+  header_line **hptr = &acl_added_headers;
+
+  /* Find next header line within the string */
+
+  for (;;)
+    {
+    q = Ustrchr(q, '\n');		/* we know there was a newline */
+    if (*++q != ' ' && *q != '\t') break;
+    }
+
+  /* If the line starts with a colon, interpret the instruction for where to
+  add it. This temporarily sets up a new type. */
+
+  if (*p == ':')
+    {
+    if (strncmpic(p, US":after_received:", 16) == 0)
+      {
+      newtype = htype_add_rec;
+      p += 16;
+      }
+    else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
+      {
+      newtype = htype_add_rfc;
+      p += 14;
+      }
+    else if (strncmpic(p, US":at_start:", 10) == 0)
+      {
+      newtype = htype_add_top;
+      p += 10;
+      }
+    else if (strncmpic(p, US":at_end:", 8) == 0)
+      {
+      newtype = htype_add_bot;
+      p += 8;
+      }
+    while (*p == ' ' || *p == '\t') p++;
+    }
+
+  /* See if this line starts with a header name, and if not, add X-ACL-Warn:
+  to the front of it. */
+
+  for (s = p; s < q - 1; s++)
+    if (*s == ':' || !isgraph(*s)) break;
+
+  hdr = string_sprintf("%s%.*s", *s == ':' ? "" : "X-ACL-Warn: ", (int) (q - p), p);
+  hlen = Ustrlen(hdr);
+
+  /* See if this line has already been added */
+
+  while (*hptr)
+    {
+    if (Ustrncmp((*hptr)->text, hdr, hlen) == 0) break;
+    hptr = &(*hptr)->next;
+    }
+
+  /* Add if not previously present */
+
+  if (!*hptr)
+    {
+    /* The header_line struct itself is not tainted, though it points to
+    possibly tainted data. */
+    header_line * h = store_get(sizeof(header_line), GET_UNTAINTED);
+    h->text = hdr;
+    h->next = NULL;
+    h->type = newtype;
+    h->slen = hlen;
+    *hptr = h;
+    hptr = &h->next;
+    }
+  }
+}
+
+
+
+/*************************************************
+*        List the added header lines		 *
+*************************************************/
+uschar *
+fn_hdrs_added(void)
+{
+gstring * g = NULL;
+
+for (header_line * h = acl_added_headers; h; h = h->next)
+  {
+  int i = h->slen;
+  if (h->text[i-1] == '\n') i--;
+  g = string_append_listele_n(g, '\n', h->text, i);
+  }
+
+return g ? g->s : NULL;
+}
+
+
+/*************************************************
+*        Set up removed header line(s)           *
+*************************************************/
+
+/* This function is called by the remove_header modifier.  The argument is
+treated as a sequence of header names which are added to a colon separated
+list, provided there isn't an identical one already there.
+
+Argument:   string of header names
+Returns:    nothing
+*/
+
+static void
+setup_remove_header(const uschar *hnames)
+{
+if (*hnames)
+  acl_removed_headers = acl_removed_headers
+    ? string_sprintf("%s : %s", acl_removed_headers, hnames)
+    : string_copy(hnames);
+}
+
+
+
+/*************************************************
+*               Handle warnings                  *
+*************************************************/
+
+/* This function is called when a WARN verb's conditions are true. It adds to
+the message's headers, and/or writes information to the log. In each case, this
+only happens once (per message for headers, per connection for log).
+
+** NOTE: The header adding action using the "message" setting is historic, and
+its use is now deprecated. The new add_header modifier should be used instead.
+
+Arguments:
+  where          ACL_WHERE_xxxx indicating which ACL this is
+  user_message   message for adding to headers
+  log_message    message for logging, if different
+
+Returns:         nothing
+*/
+
+static void
+acl_warn(int where, uschar *user_message, uschar *log_message)
+{
+if (log_message != NULL && log_message != user_message)
+  {
+  uschar *text;
+  string_item *logged;
+
+  text = string_sprintf("%s Warning: %s",  host_and_ident(TRUE),
+    string_printing(log_message));
+
+  /* If a sender verification has failed, and the log message is "sender verify
+  failed", add the failure message. */
+
+  if (sender_verified_failed != NULL &&
+      sender_verified_failed->message != NULL &&
+      strcmpic(log_message, US"sender verify failed") == 0)
+    text = string_sprintf("%s: %s", text, sender_verified_failed->message);
+
+  /* Search previously logged warnings. They are kept in malloc
+  store so they can be freed at the start of a new message. */
+
+  for (logged = acl_warn_logged; logged; logged = logged->next)
+    if (Ustrcmp(logged->text, text) == 0) break;
+
+  if (!logged)
+    {
+    int length = Ustrlen(text) + 1;
+    log_write(0, LOG_MAIN, "%s", text);
+    logged = store_malloc(sizeof(string_item) + length);
+    logged->text = US logged + sizeof(string_item);
+    memcpy(logged->text, text, length);
+    logged->next = acl_warn_logged;
+    acl_warn_logged = logged;
+    }
+  }
+
+/* If there's no user message, we are done. */
+
+if (!user_message) return;
+
+/* If this isn't a message ACL, we can't do anything with a user message.
+Log an error. */
+
+if (where > ACL_WHERE_NOTSMTP)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
+    "found in a non-message (%s) ACL: cannot specify header lines here: "
+    "message ignored", acl_wherenames[where]);
+  return;
+  }
+
+/* The code for setting up header lines is now abstracted into a separate
+function so that it can be used for the add_header modifier as well. */
+
+setup_header(user_message);
+}
+
+
+
+/*************************************************
+*         Verify and check reverse DNS           *
+*************************************************/
+
+/* Called from acl_verify() below. We look up the host name(s) of the client IP
+address if this has not yet been done. The host_name_lookup() function checks
+that one of these names resolves to an address list that contains the client IP
+address, so we don't actually have to do the check here.
+
+Arguments:
+  user_msgptr  pointer for user message
+  log_msgptr   pointer for log message
+
+Returns:       OK        verification condition succeeded
+               FAIL      verification failed
+               DEFER     there was a problem verifying
+*/
+
+static int
+acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
+{
+int rc;
+
+/* Previous success */
+
+if (sender_host_name) return OK;
+
+/* Previous failure */
+
+if (host_lookup_failed)
+  {
+  *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
+  return FAIL;
+  }
+
+/* Need to do a lookup */
+
+HDEBUG(D_acl)
+  debug_printf_indent("looking up host name to force name/address consistency check\n");
+
+if ((rc = host_name_lookup()) != OK)
+  {
+  *log_msgptr = rc == DEFER
+    ? US"host lookup deferred for reverse lookup check"
+    : string_sprintf("host lookup failed for reverse lookup check%s",
+	host_lookup_msg);
+  return rc;    /* DEFER or FAIL */
+  }
+
+host_build_sender_fullhost();
+return OK;
+}
+
+
+
+/*************************************************
+*   Check client IP address matches CSA target   *
+*************************************************/
+
+/* Called from acl_verify_csa() below. This routine scans a section of a DNS
+response for address records belonging to the CSA target hostname. The section
+is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
+If one of the addresses matches the client's IP address, then the client is
+authorized by CSA. If there are target IP addresses but none of them match
+then the client is using an unauthorized IP address. If there are no target IP
+addresses then the client cannot be using an authorized IP address. (This is
+an odd configuration - why didn't the SRV record have a weight of 1 instead?)
+
+Arguments:
+  dnsa       the DNS answer block
+  dnss       a DNS scan block for us to use
+  reset      option specifying what portion to scan, as described above
+  target     the target hostname to use for matching RR names
+
+Returns:     CSA_OK             successfully authorized
+             CSA_FAIL_MISMATCH  addresses found but none matched
+             CSA_FAIL_NOADDR    no target addresses found
+*/
+
+static int
+acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
+                       uschar *target)
+{
+int rc = CSA_FAIL_NOADDR;
+
+for (dns_record * rr = dns_next_rr(dnsa, dnss, reset);
+     rr;
+     rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
+  {
+  /* Check this is an address RR for the target hostname. */
+
+  if (rr->type != T_A
+    #if HAVE_IPV6
+      && rr->type != T_AAAA
+    #endif
+  ) continue;
+
+  if (strcmpic(target, rr->name) != 0) continue;
+
+  rc = CSA_FAIL_MISMATCH;
+
+  /* Turn the target address RR into a list of textual IP addresses and scan
+  the list. There may be more than one if it is an A6 RR. */
+
+  for (dns_address * da = dns_address_from_rr(dnsa, rr); da; da = da->next)
+    {
+    /* If the client IP address matches the target IP address, it's good! */
+
+    DEBUG(D_acl) debug_printf_indent("CSA target address is %s\n", da->address);
+
+    if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
+    }
+  }
+
+/* If we found some target addresses but none of them matched, the client is
+using an unauthorized IP address, otherwise the target has no authorized IP
+addresses. */
+
+return rc;
+}
+
+
+
+/*************************************************
+*       Verify Client SMTP Authorization         *
+*************************************************/
+
+/* Called from acl_verify() below. This routine calls dns_lookup_special()
+to find the CSA SRV record corresponding to the domain argument, or
+$sender_helo_name if no argument is provided. It then checks that the
+client is authorized, and that its IP address corresponds to the SRV
+target's address by calling acl_verify_csa_address() above. The address
+should have been returned in the DNS response's ADDITIONAL section, but if
+not we perform another DNS lookup to get it.
+
+Arguments:
+  domain    pointer to optional parameter following verify = csa
+
+Returns:    CSA_UNKNOWN    no valid CSA record found
+            CSA_OK         successfully authorized
+            CSA_FAIL_*     client is definitely not authorized
+            CSA_DEFER_*    there was a DNS problem
+*/
+
+static int
+acl_verify_csa(const uschar *domain)
+{
+tree_node *t;
+const uschar *found;
+int priority, weight, port;
+dns_answer * dnsa;
+dns_scan dnss;
+dns_record *rr;
+int rc, type, yield;
+#define TARGET_SIZE 256
+uschar * target = store_get(TARGET_SIZE, GET_TAINTED);
+
+/* Work out the domain we are using for the CSA lookup. The default is the
+client's HELO domain. If the client has not said HELO, use its IP address
+instead. If it's a local client (exim -bs), CSA isn't applicable. */
+
+while (isspace(*domain) && *domain != '\0') ++domain;
+if (*domain == '\0') domain = sender_helo_name;
+if (!domain) domain = sender_host_address;
+if (!sender_host_address) return CSA_UNKNOWN;
+
+/* If we have an address literal, strip off the framing ready for turning it
+into a domain. The framing consists of matched square brackets possibly
+containing a keyword and a colon before the actual IP address. */
+
+if (domain[0] == '[')
+  {
+  const uschar *start = Ustrchr(domain, ':');
+  if (start == NULL) start = domain;
+  domain = string_copyn(start + 1, Ustrlen(start) - 2);
+  }
+
+/* Turn domains that look like bare IP addresses into domains in the reverse
+DNS. This code also deals with address literals and $sender_host_address. It's
+not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
+address literals, but it's probably the most friendly thing to do. This is an
+extension to CSA, so we allow it to be turned off for proper conformance. */
+
+if (string_is_ip_address(domain, NULL) != 0)
+  {
+  if (!dns_csa_use_reverse) return CSA_UNKNOWN;
+  domain = dns_build_reverse(domain);
+  }
+
+/* Find out if we've already done the CSA check for this domain. If we have,
+return the same result again. Otherwise build a new cached result structure
+for this domain. The name is filled in now, and the value is filled in when
+we return from this function. */
+
+if ((t = tree_search(csa_cache, domain)))
+  return t->data.val;
+
+t = store_get_perm(sizeof(tree_node) + Ustrlen(domain), domain);
+Ustrcpy(t->name, domain);
+(void)tree_insertnode(&csa_cache, t);
+
+/* Now we are ready to do the actual DNS lookup(s). */
+
+found = domain;
+dnsa = store_get_dns_answer();
+switch (dns_special_lookup(dnsa, domain, T_CSA, &found))
+  {
+  /* If something bad happened (most commonly DNS_AGAIN), defer. */
+
+  default:
+    yield = CSA_DEFER_SRV;
+    goto out;
+
+  /* If we found nothing, the client's authorization is unknown. */
+
+  case DNS_NOMATCH:
+  case DNS_NODATA:
+    yield = CSA_UNKNOWN;
+    goto out;
+
+  /* We got something! Go on to look at the reply in more detail. */
+
+  case DNS_SUCCEED:
+    break;
+  }
+
+/* Scan the reply for well-formed CSA SRV records. */
+
+for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
+     rr;
+     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_SRV)
+  {
+  const uschar * p = rr->data;
+
+  /* Extract the numerical SRV fields (p is incremented) */
+
+  GETSHORT(priority, p);
+  GETSHORT(weight, p);
+  GETSHORT(port, p);
+
+  DEBUG(D_acl)
+    debug_printf_indent("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
+
+  /* Check the CSA version number */
+
+  if (priority != 1) continue;
+
+  /* If the domain does not have a CSA SRV record of its own (i.e. the domain
+  found by dns_special_lookup() is a parent of the one we asked for), we check
+  the subdomain assertions in the port field. At the moment there's only one
+  assertion: legitimate SMTP clients are all explicitly authorized with CSA
+  SRV records of their own. */
+
+  if (Ustrcmp(found, domain) != 0)
+    {
+    yield = port & 1 ? CSA_FAIL_EXPLICIT : CSA_UNKNOWN;
+    goto out;
+    }
+
+  /* This CSA SRV record refers directly to our domain, so we check the value
+  in the weight field to work out the domain's authorization. 0 and 1 are
+  unauthorized; 3 means the client is authorized but we can't check the IP
+  address in order to authenticate it, so we treat it as unknown; values
+  greater than 3 are undefined. */
+
+  if (weight < 2)
+    {
+    yield = CSA_FAIL_DOMAIN;
+    goto out;
+    }
+
+  if (weight > 2) continue;
+
+  /* Weight == 2, which means the domain is authorized. We must check that the
+  client's IP address is listed as one of the SRV target addresses. Save the
+  target hostname then break to scan the additional data for its addresses. */
+
+  (void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
+    (DN_EXPAND_ARG4_TYPE)target, TARGET_SIZE);
+
+  DEBUG(D_acl) debug_printf_indent("CSA target is %s\n", target);
+
+  break;
+  }
+
+/* If we didn't break the loop then no appropriate records were found. */
+
+if (!rr)
+  {
+  yield = CSA_UNKNOWN;
+  goto out;
+  }
+
+/* Do not check addresses if the target is ".", in accordance with RFC 2782.
+A target of "." indicates there are no valid addresses, so the client cannot
+be authorized. (This is an odd configuration because weight=2 target=. is
+equivalent to weight=1, but we check for it in order to keep load off the
+root name servers.) Note that dn_expand() turns "." into "". */
+
+if (Ustrcmp(target, "") == 0)
+  {
+  yield = CSA_FAIL_NOADDR;
+  goto out;
+  }
+
+/* Scan the additional section of the CSA SRV reply for addresses belonging
+to the target. If the name server didn't return any additional data (e.g.
+because it does not fully support SRV records), we need to do another lookup
+to obtain the target addresses; otherwise we have a definitive result. */
+
+rc = acl_verify_csa_address(dnsa, &dnss, RESET_ADDITIONAL, target);
+if (rc != CSA_FAIL_NOADDR)
+  {
+  yield = rc;
+  goto out;
+  }
+
+/* The DNS lookup type corresponds to the IP version used by the client. */
+
+#if HAVE_IPV6
+if (Ustrchr(sender_host_address, ':') != NULL)
+  type = T_AAAA;
+else
+#endif /* HAVE_IPV6 */
+  type = T_A;
+
+
+lookup_dnssec_authenticated = NULL;
+switch (dns_lookup(dnsa, target, type, NULL))
+  {
+  /* If something bad happened (most commonly DNS_AGAIN), defer. */
+
+  default:
+    yield = CSA_DEFER_ADDR;
+    break;
+
+  /* If the query succeeded, scan the addresses and return the result. */
+
+  case DNS_SUCCEED:
+    rc = acl_verify_csa_address(dnsa, &dnss, RESET_ANSWERS, target);
+    if (rc != CSA_FAIL_NOADDR)
+      {
+      yield = rc;
+      break;
+      }
+    /* else fall through */
+
+  /* If the target has no IP addresses, the client cannot have an authorized
+  IP address. However, if the target site uses A6 records (not AAAA records)
+  we have to do yet another lookup in order to check them. */
+
+  case DNS_NOMATCH:
+  case DNS_NODATA:
+    yield = CSA_FAIL_NOADDR;
+    break;
+  }
+
+out:
+
+store_free_dns_answer(dnsa);
+return t->data.val = yield;
+}
+
+
+
+/*************************************************
+*     Handle verification (address & other)      *
+*************************************************/
+
+enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
+       VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT,
+       VERIFY_HDR_NAMES_ASCII, VERIFY_ARC
+  };
+typedef struct {
+  uschar * name;
+  int	   value;
+  unsigned where_allowed;	/* bitmap */
+  BOOL	   no_options;		/* Never has /option(s) following */
+  unsigned alt_opt_sep;		/* >0 Non-/ option separator (custom parser) */
+  } verify_type_t;
+static verify_type_t verify_type_list[] = {
+    /*	name			value			where	        no-opt opt-sep */
+    { US"reverse_host_lookup",	VERIFY_REV_HOST_LKUP,	(unsigned)~0,	FALSE, 0 },
+    { US"certificate",	  	VERIFY_CERT,	 	(unsigned)~0,	TRUE,  0 },
+    { US"helo",	  		VERIFY_HELO,	 	(unsigned)~0,	TRUE,  0 },
+    { US"csa",	  		VERIFY_CSA,	 	(unsigned)~0,	FALSE, 0 },
+    { US"header_syntax",	VERIFY_HDR_SYNTAX,	ACL_BITS_HAVEDATA, TRUE, 0 },
+    { US"not_blind",	  	VERIFY_NOT_BLIND,	ACL_BITS_HAVEDATA, FALSE, 0 },
+    { US"header_sender",	VERIFY_HDR_SNDR,	ACL_BITS_HAVEDATA, FALSE, 0 },
+    { US"sender",	  	VERIFY_SNDR,		ACL_BIT_MAIL | ACL_BIT_RCPT
+			| ACL_BIT_PREDATA | ACL_BIT_DATA | ACL_BIT_NOTSMTP,
+										FALSE, 6 },
+    { US"recipient",	  	VERIFY_RCPT,	 	ACL_BIT_RCPT,	FALSE, 0 },
+    { US"header_names_ascii",	VERIFY_HDR_NAMES_ASCII, ACL_BITS_HAVEDATA, TRUE, 0 },
+#ifdef EXPERIMENTAL_ARC
+    { US"arc",			VERIFY_ARC,	 	ACL_BIT_DATA,	FALSE , 0 },
+#endif
+  };
+
+
+enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
+  CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
+  CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
+  CALLOUT_HOLD, CALLOUT_TIME	/* TIME must be last */
+  };
+typedef struct {
+  uschar * name;
+  int      value;
+  int	   flag;
+  BOOL     has_option;	/* Has =option(s) following */
+  BOOL     timeval;	/* Has a time value */
+  } callout_opt_t;
+static callout_opt_t callout_opt_list[] = {
+    /*	name			value			flag		has-opt		has-time */
+    { US"defer_ok",   	  CALLOUT_DEFER_OK,	 0,				FALSE, FALSE },
+    { US"no_cache",   	  CALLOUT_NOCACHE,	 vopt_callout_no_cache,		FALSE, FALSE },
+    { US"random",	  CALLOUT_RANDOM,	 vopt_callout_random,		FALSE, FALSE },
+    { US"use_sender",     CALLOUT_USE_SENDER,	 vopt_callout_recipsender,	FALSE, FALSE },
+    { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster,	FALSE, FALSE },
+    { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0,			TRUE,  FALSE },
+    { US"postmaster",	  CALLOUT_POSTMASTER,	 0,				FALSE, FALSE },
+    { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm,		FALSE, FALSE },
+    { US"mailfrom",	  CALLOUT_MAILFROM,	 0,				TRUE,  FALSE },
+    { US"maxwait",	  CALLOUT_MAXWAIT,	 0,				TRUE,  TRUE },
+    { US"connect",	  CALLOUT_CONNECT,	 0,				TRUE,  TRUE },
+    { US"hold",		  CALLOUT_HOLD,		 vopt_callout_hold,		FALSE, FALSE },
+    { NULL,		  CALLOUT_TIME,		 0,				FALSE, TRUE }
+  };
+
+
+
+static int
+v_period(const uschar * s, const uschar * arg, uschar ** log_msgptr)
+{
+int period;
+if ((period = readconf_readtime(s, 0, FALSE)) < 0)
+  {
+  *log_msgptr = string_sprintf("bad time value in ACL condition "
+    "\"verify %s\"", arg);
+  }
+return period;
+}
+
+
+
+/* This function implements the "verify" condition. It is called when
+encountered in any ACL, because some tests are almost always permitted. Some
+just don't make sense, and always fail (for example, an attempt to test a host
+lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
+
+Arguments:
+  where        where called from
+  addr         the recipient address that the ACL is handling, or NULL
+  arg          the argument of "verify"
+  user_msgptr  pointer for user message
+  log_msgptr   pointer for log message
+  basic_errno  where to put verify errno
+
+Returns:       OK        verification condition succeeded
+               FAIL      verification failed
+               DEFER     there was a problem verifying
+               ERROR     syntax error
+*/
+
+static int
+acl_verify(int where, address_item *addr, const uschar *arg,
+  uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
+{
+int sep = '/';
+int callout = -1;
+int callout_overall = -1;
+int callout_connect = -1;
+int verify_options = 0;
+int rc;
+BOOL verify_header_sender = FALSE;
+BOOL defer_ok = FALSE;
+BOOL callout_defer_ok = FALSE;
+BOOL no_details = FALSE;
+BOOL success_on_redirect = FALSE;
+BOOL quota = FALSE;
+int quota_pos_cache = QUOTA_POS_DEFAULT, quota_neg_cache = QUOTA_NEG_DEFAULT;
+address_item *sender_vaddr = NULL;
+uschar *verify_sender_address = NULL;
+uschar *pm_mailfrom = NULL;
+uschar *se_mailfrom = NULL;
+
+/* Some of the verify items have slash-separated options; some do not. Diagnose
+an error if options are given for items that don't expect them.
+*/
+
+uschar *slash = Ustrchr(arg, '/');
+const uschar *list = arg;
+uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
+verify_type_t * vp;
+
+if (!ss) goto BAD_VERIFY;
+
+/* Handle name/address consistency verification in a separate function. */
+
+for (vp = verify_type_list;
+     CS vp < CS verify_type_list + sizeof(verify_type_list);
+     vp++
+    )
+  if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
+                      : strcmpic (ss, vp->name) == 0)
+   break;
+if (CS vp >= CS verify_type_list + sizeof(verify_type_list))
+  goto BAD_VERIFY;
+
+if (vp->no_options && slash)
+  {
+  *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
+    "(this verify item has no options)", arg);
+  return ERROR;
+  }
+if (!(vp->where_allowed & BIT(where)))
+  {
+  *log_msgptr = string_sprintf("cannot verify %s in ACL for %s",
+		  vp->name, acl_wherenames[where]);
+  return ERROR;
+  }
+switch(vp->value)
+  {
+  case VERIFY_REV_HOST_LKUP:
+    if (!sender_host_address) return OK;
+    if ((rc = acl_verify_reverse(user_msgptr, log_msgptr)) == DEFER)
+      while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
+	if (strcmpic(ss, US"defer_ok") == 0)
+	  return OK;
+    return rc;
+
+  case VERIFY_CERT:
+    /* TLS certificate verification is done at STARTTLS time; here we just
+    test whether it was successful or not. (This is for optional verification; for
+    mandatory verification, the connection doesn't last this long.) */
+
+    if (tls_in.certificate_verified) return OK;
+    *user_msgptr = US"no verified certificate";
+    return FAIL;
+
+  case VERIFY_HELO:
+    /* We can test the result of optional HELO verification that might have
+    occurred earlier. If not, we can attempt the verification now. */
+
+    if (!f.helo_verified && !f.helo_verify_failed) smtp_verify_helo();
+    return f.helo_verified ? OK : FAIL;
+
+  case VERIFY_CSA:
+    /* Do Client SMTP Authorization checks in a separate function, and turn the
+    result code into user-friendly strings. */
+
+    rc = acl_verify_csa(list);
+    *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
+                                              csa_reason_string[rc]);
+    csa_status = csa_status_string[rc];
+    DEBUG(D_acl) debug_printf_indent("CSA result %s\n", csa_status);
+    return csa_return_code[rc];
+
+#ifdef EXPERIMENTAL_ARC
+  case VERIFY_ARC:
+    {	/* Do Authenticated Received Chain checks in a separate function. */
+    const uschar * condlist = CUS string_nextinlist(&list, &sep, NULL, 0);
+    int csep = 0;
+    uschar * cond;
+
+    if (!(arc_state = acl_verify_arc())) return DEFER;
+    DEBUG(D_acl) debug_printf_indent("ARC verify result %s %s%s%s\n", arc_state,
+      arc_state_reason ? "(":"", arc_state_reason, arc_state_reason ? ")":"");
+
+    if (!condlist) condlist = US"none:pass";
+    while ((cond = string_nextinlist(&condlist, &csep, NULL, 0)))
+      if (Ustrcmp(arc_state, cond) == 0) return OK;
+    return FAIL;
+    }
+#endif
+
+  case VERIFY_HDR_SYNTAX:
+    /* Check that all relevant header lines have the correct 5322-syntax. If there is
+    a syntax error, we return details of the error to the sender if configured to
+    send out full details. (But a "message" setting on the ACL can override, as
+    always). */
+
+    rc = verify_check_headers(log_msgptr);
+    if (rc != OK && *log_msgptr)
+      if (smtp_return_error_details)
+	*user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
+      else
+	acl_verify_message = *log_msgptr;
+    return rc;
+
+  case VERIFY_HDR_NAMES_ASCII:
+    /* Check that all header names are true 7 bit strings
+    See RFC 5322, 2.2. and RFC 6532, 3. */
+
+    rc = verify_check_header_names_ascii(log_msgptr);
+    if (rc != OK && smtp_return_error_details && *log_msgptr)
+      *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
+    return rc;
+
+  case VERIFY_NOT_BLIND:
+    /* Check that no recipient of this message is "blind", that is, every envelope
+    recipient must be mentioned in either To: or Cc:. */
+    {
+    BOOL case_sensitive = TRUE;
+
+    while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
+      if (strcmpic(ss, US"case_insensitive") == 0)
+        case_sensitive = FALSE;
+      else
+        {
+        *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
+           "condition \"verify %s\"", ss, arg);
+        return ERROR;
+        }
+
+    if ((rc = verify_check_notblind(case_sensitive)) != OK)
+      {
+      *log_msgptr = US"bcc recipient detected";
+      if (smtp_return_error_details)
+        *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
+      }
+    return rc;
+    }
+
+  /* The remaining verification tests check recipient and sender addresses,
+  either from the envelope or from the header. There are a number of
+  slash-separated options that are common to all of them. */
+
+  case VERIFY_HDR_SNDR:
+    verify_header_sender = TRUE;
+    break;
+
+  case VERIFY_SNDR:
+    /* In the case of a sender, this can optionally be followed by an address to use
+    in place of the actual sender (rare special-case requirement). */
+    {
+    uschar *s = ss + 6;
+    if (!*s)
+      verify_sender_address = sender_address;
+    else
+      {
+      while (isspace(*s)) s++;
+      if (*s++ != '=') goto BAD_VERIFY;
+      while (isspace(*s)) s++;
+      verify_sender_address = string_copy(s);
+      }
+    }
+    break;
+
+  case VERIFY_RCPT:
+    break;
+  }
+
+
+
+/* Remaining items are optional; they apply to sender and recipient
+verification, including "header sender" verification. */
+
+while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
+  {
+  if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
+  else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
+  else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
+
+  /* These two old options are left for backwards compatibility */
+
+  else if (strcmpic(ss, US"callout_defer_ok") == 0)
+    {
+    callout_defer_ok = TRUE;
+    if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
+    }
+
+  else if (strcmpic(ss, US"check_postmaster") == 0)
+     {
+     pm_mailfrom = US"";
+     if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
+     }
+
+  /* The callout option has a number of sub-options, comma separated */
+
+  else if (strncmpic(ss, US"callout", 7) == 0)
+    {
+    callout = CALLOUT_TIMEOUT_DEFAULT;
+    if (*(ss += 7))
+      {
+      while (isspace(*ss)) ss++;
+      if (*ss++ == '=')
+        {
+	const uschar * sublist = ss;
+        int optsep = ',';
+
+        while (isspace(*sublist)) sublist++;
+        for (uschar * opt; opt = string_nextinlist(&sublist, &optsep, NULL, 0); )
+          {
+	  callout_opt_t * op;
+	  double period = 1.0F;
+
+	  for (op= callout_opt_list; op->name; op++)
+	    if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
+	      break;
+
+	  verify_options |= op->flag;
+	  if (op->has_option)
+	    {
+	    opt += Ustrlen(op->name);
+            while (isspace(*opt)) opt++;
+            if (*opt++ != '=')
+              {
+              *log_msgptr = string_sprintf("'=' expected after "
+                "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
+              return ERROR;
+              }
+            while (isspace(*opt)) opt++;
+	    }
+	  if (op->timeval && (period = v_period(opt, arg, log_msgptr)) < 0)
+	    return ERROR;
+
+	  switch(op->value)
+	    {
+            case CALLOUT_DEFER_OK:		callout_defer_ok = TRUE; break;
+            case CALLOUT_POSTMASTER:		pm_mailfrom = US"";	break;
+            case CALLOUT_FULLPOSTMASTER:	pm_mailfrom = US"";	break;
+            case CALLOUT_MAILFROM:
+              if (!verify_header_sender)
+                {
+                *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
+                  "callout option only for verify=header_sender (detected in ACL "
+                  "condition \"%s\")", arg);
+                return ERROR;
+                }
+              se_mailfrom = string_copy(opt);
+  	      break;
+            case CALLOUT_POSTMASTER_MAILFROM:	pm_mailfrom = string_copy(opt); break;
+            case CALLOUT_MAXWAIT:		callout_overall = period;	break;
+            case CALLOUT_CONNECT:		callout_connect = period;	break;
+            case CALLOUT_TIME:			callout = period;		break;
+	    }
+          }
+        }
+      else
+        {
+        *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
+          "ACL condition \"%s\"", arg);
+        return ERROR;
+        }
+      }
+    }
+
+  /* The quota option has sub-options, comma-separated */
+
+  else if (strncmpic(ss, US"quota", 5) == 0)
+    {
+    quota = TRUE;
+    if (*(ss += 5))
+      {
+      while (isspace(*ss)) ss++;
+      if (*ss++ == '=')
+        {
+	const uschar * sublist = ss;
+        int optsep = ',';
+	int period;
+
+        while (isspace(*sublist)) sublist++;
+        for (uschar * opt; opt = string_nextinlist(&sublist, &optsep, NULL, 0); )
+	  if (Ustrncmp(opt, "cachepos=", 9) == 0)
+	    if ((period = v_period(opt += 9, arg, log_msgptr)) < 0)
+	      return ERROR;
+	    else
+	      quota_pos_cache = period;
+	  else if (Ustrncmp(opt, "cacheneg=", 9) == 0)
+	    if ((period = v_period(opt += 9, arg, log_msgptr)) < 0)
+	      return ERROR;
+	    else
+	      quota_neg_cache = period;
+	  else if (Ustrcmp(opt, "no_cache") == 0)
+	    quota_pos_cache = quota_neg_cache = 0;
+	}
+      }
+    }
+
+  /* Option not recognized */
+
+  else
+    {
+    *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
+      "condition \"verify %s\"", ss, arg);
+    return ERROR;
+    }
+  }
+
+if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
+      (vopt_callout_recipsender|vopt_callout_recippmaster))
+  {
+  *log_msgptr = US"only one of use_sender and use_postmaster can be set "
+    "for a recipient callout";
+  return ERROR;
+  }
+
+/* Handle quota verification */
+if (quota)
+  {
+  if (vp->value != VERIFY_RCPT)
+    {
+    *log_msgptr = US"can only verify quota of recipient";
+    return ERROR;
+    }
+
+  if ((rc = verify_quota_call(addr->address,
+	      quota_pos_cache, quota_neg_cache, log_msgptr)) != OK)
+    {
+    *basic_errno = errno;
+    if (smtp_return_error_details)
+      {
+      if (!*user_msgptr && *log_msgptr)
+        *user_msgptr = string_sprintf("Rejected after %s: %s",
+	    smtp_names[smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)]],
+	    *log_msgptr);
+      if (rc == DEFER) f.acl_temp_details = TRUE;
+      }
+    }
+
+  return rc;
+  }
+
+/* Handle sender-in-header verification. Default the user message to the log
+message if giving out verification details. */
+
+if (verify_header_sender)
+  {
+  int verrno;
+
+  if ((rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
+    callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
+    &verrno)) != OK)
+    {
+    *basic_errno = verrno;
+    if (smtp_return_error_details)
+      {
+      if (!*user_msgptr && *log_msgptr)
+        *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
+      if (rc == DEFER) f.acl_temp_details = TRUE;
+      }
+    }
+  }
+
+/* Handle a sender address. The default is to verify *the* sender address, but
+optionally a different address can be given, for special requirements. If the
+address is empty, we are dealing with a bounce message that has no sender, so
+we cannot do any checking. If the real sender address gets rewritten during
+verification (e.g. DNS widening), set the flag to stop it being rewritten again
+during message reception.
+
+A list of verified "sender" addresses is kept to try to avoid doing to much
+work repetitively when there are multiple recipients in a message and they all
+require sender verification. However, when callouts are involved, it gets too
+complicated because different recipients may require different callout options.
+Therefore, we always do a full sender verify when any kind of callout is
+specified. Caching elsewhere, for instance in the DNS resolver and in the
+callout handling, should ensure that this is not terribly inefficient. */
+
+else if (verify_sender_address)
+  {
+  if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)))
+    {
+    *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
+      "sender verify callout";
+    return ERROR;
+    }
+
+  sender_vaddr = verify_checked_sender(verify_sender_address);
+  if (   sender_vaddr				/* Previously checked */
+      && callout <= 0)				/* No callout needed this time */
+    {
+    /* If the "routed" flag is set, it means that routing worked before, so
+    this check can give OK (the saved return code value, if set, belongs to a
+    callout that was done previously). If the "routed" flag is not set, routing
+    must have failed, so we use the saved return code. */
+
+    if (testflag(sender_vaddr, af_verify_routed))
+      rc = OK;
+    else
+      {
+      rc = sender_vaddr->special_action;
+      *basic_errno = sender_vaddr->basic_errno;
+      }
+    HDEBUG(D_acl) debug_printf_indent("using cached sender verify result\n");
+    }
+
+  /* Do a new verification, and cache the result. The cache is used to avoid
+  verifying the sender multiple times for multiple RCPTs when callouts are not
+  specified (see comments above).
+
+  The cache is also used on failure to give details in response to the first
+  RCPT that gets bounced for this reason. However, this can be suppressed by
+  the no_details option, which sets the flag that says "this detail has already
+  been sent". The cache normally contains just one address, but there may be
+  more in esoteric circumstances. */
+
+  else
+    {
+    BOOL routed = TRUE;
+    uschar *save_address_data = deliver_address_data;
+
+    sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
+#ifdef SUPPORT_I18N
+    if ((sender_vaddr->prop.utf8_msg = message_smtputf8))
+      {
+      sender_vaddr->prop.utf8_downcvt =       message_utf8_downconvert == 1;
+      sender_vaddr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
+      }
+#endif
+    if (no_details) setflag(sender_vaddr, af_sverify_told);
+    if (verify_sender_address[0] != 0)
+      {
+      /* If this is the real sender address, save the unrewritten version
+      for use later in receive. Otherwise, set a flag so that rewriting the
+      sender in verify_address() does not update sender_address. */
+
+      if (verify_sender_address == sender_address)
+        sender_address_unrewritten = sender_address;
+      else
+        verify_options |= vopt_fake_sender;
+
+      if (success_on_redirect)
+        verify_options |= vopt_success_on_redirect;
+
+      /* The recipient, qualify, and expn options are never set in
+      verify_options. */
+
+      rc = verify_address(sender_vaddr, NULL, verify_options, callout,
+        callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
+
+      HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
+
+      if (rc != OK)
+        *basic_errno = sender_vaddr->basic_errno;
+      else
+	DEBUG(D_acl)
+	  if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
+	    debug_printf_indent("sender %s verified ok as %s\n",
+	      verify_sender_address, sender_vaddr->address);
+	  else
+	    debug_printf_indent("sender %s verified ok\n",
+	      verify_sender_address);
+      }
+    else
+      rc = OK;  /* Null sender */
+
+    /* Cache the result code */
+
+    if (routed) setflag(sender_vaddr, af_verify_routed);
+    if (callout > 0) setflag(sender_vaddr, af_verify_callout);
+    sender_vaddr->special_action = rc;
+    sender_vaddr->next = sender_verified_list;
+    sender_verified_list = sender_vaddr;
+
+    /* Restore the recipient address data, which might have been clobbered by
+    the sender verification. */
+
+    deliver_address_data = save_address_data;
+    }
+
+  /* Put the sender address_data value into $sender_address_data */
+
+  sender_address_data = sender_vaddr->prop.address_data;
+  }
+
+/* A recipient address just gets a straightforward verify; again we must handle
+the DEFER overrides. */
+
+else
+  {
+  address_item addr2;
+
+  if (success_on_redirect)
+    verify_options |= vopt_success_on_redirect;
+
+  /* We must use a copy of the address for verification, because it might
+  get rewritten. */
+
+  addr2 = *addr;
+  rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
+    callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
+  HDEBUG(D_acl) debug_printf_indent("----------- end verify ------------\n");
+
+  *basic_errno = addr2.basic_errno;
+  *log_msgptr = addr2.message;
+  *user_msgptr = addr2.user_message ? addr2.user_message : addr2.message;
+
+  /* Allow details for temporary error if the address is so flagged. */
+  if (testflag((&addr2), af_pass_message)) f.acl_temp_details = TRUE;
+
+  /* Make $address_data visible */
+  deliver_address_data = addr2.prop.address_data;
+  }
+
+/* We have a result from the relevant test. Handle defer overrides first. */
+
+if (  rc == DEFER
+   && (  defer_ok
+      || callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER
+   )  )
+  {
+  HDEBUG(D_acl) debug_printf_indent("verify defer overridden by %s\n",
+    defer_ok? "defer_ok" : "callout_defer_ok");
+  rc = OK;
+  }
+
+/* If we've failed a sender, set up a recipient message, and point
+sender_verified_failed to the address item that actually failed. */
+
+if (rc != OK && verify_sender_address)
+  {
+  if (rc != DEFER)
+    *log_msgptr = *user_msgptr = US"Sender verify failed";
+  else if (*basic_errno != ERRNO_CALLOUTDEFER)
+    *log_msgptr = *user_msgptr = US"Could not complete sender verify";
+  else
+    {
+    *log_msgptr = US"Could not complete sender verify callout";
+    *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
+      *log_msgptr;
+    }
+
+  sender_verified_failed = sender_vaddr;
+  }
+
+/* Verifying an address messes up the values of $domain and $local_part,
+so reset them before returning if this is a RCPT ACL. */
+
+if (addr)
+  {
+  deliver_domain = addr->domain;
+  deliver_localpart = addr->local_part;
+  }
+return rc;
+
+/* Syntax errors in the verify argument come here. */
+
+BAD_VERIFY:
+*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
+  "\"helo\", \"header_syntax\", \"header_sender\", \"header_names_ascii\" "
+  "or \"reverse_host_lookup\" at start of ACL condition "
+  "\"verify %s\"", arg);
+return ERROR;
+}
+
+
+
+
+/*************************************************
+*        Check argument for control= modifier    *
+*************************************************/
+
+/* Called from acl_check_condition() below.
+To handle the case "queue_only" we accept an _ in the
+initial / option-switch position.
+
+Arguments:
+  arg         the argument string for control=
+  pptr        set to point to the terminating character
+  where       which ACL we are in
+  log_msgptr  for error messages
+
+Returns:      CONTROL_xxx value
+*/
+
+static int
+decode_control(const uschar *arg, const uschar **pptr, int where, uschar **log_msgptr)
+{
+int idx, len;
+control_def * d;
+uschar c;
+
+if (  (idx = find_control(arg, controls_list, nelem(controls_list))) < 0
+   || (  (c = arg[len = Ustrlen((d = controls_list+idx)->name)]) != 0
+      && (!d->has_option || c != '/' && c != '_')
+   )  )
+  {
+  *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
+  return CONTROL_ERROR;
+  }
+
+*pptr = arg + len;
+return idx;
+}
+
+
+
+
+/*************************************************
+*        Return a ratelimit error                *
+*************************************************/
+
+/* Called from acl_ratelimit() below
+
+Arguments:
+  log_msgptr  for error messages
+  format      format string
+  ...         supplementary arguments
+
+Returns:      ERROR
+*/
+
+static int
+ratelimit_error(uschar **log_msgptr, const char *format, ...)
+{
+va_list ap;
+gstring * g =
+  string_cat(NULL, US"error in arguments to \"ratelimit\" condition: ");
+
+va_start(ap, format);
+g = string_vformat(g, SVFMT_EXTEND|SVFMT_REBUFFER, format, ap);
+va_end(ap);
+
+gstring_release_unused(g);
+*log_msgptr = string_from_gstring(g);
+return ERROR;
+}
+
+
+
+
+/*************************************************
+*            Handle rate limiting                *
+*************************************************/
+
+/* Called by acl_check_condition() below to calculate the result
+of the ACL ratelimit condition.
+
+Note that the return value might be slightly unexpected: if the
+sender's rate is above the limit then the result is OK. This is
+similar to the dnslists condition, and is so that you can write
+ACL clauses like: defer ratelimit = 15 / 1h
+
+Arguments:
+  arg         the option string for ratelimit=
+  where       ACL_WHERE_xxxx indicating which ACL this is
+  log_msgptr  for error messages
+
+Returns:       OK        - Sender's rate is above limit
+               FAIL      - Sender's rate is below limit
+               DEFER     - Problem opening ratelimit database
+               ERROR     - Syntax error in options.
+*/
+
+static int
+acl_ratelimit(const uschar *arg, int where, uschar **log_msgptr)
+{
+double limit, period, count;
+uschar *ss;
+uschar *key = NULL;
+uschar *unique = NULL;
+int sep = '/';
+BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
+BOOL noupdate = FALSE, badacl = FALSE;
+int mode = RATE_PER_WHAT;
+int old_pool, rc;
+tree_node **anchor, *t;
+open_db dbblock, *dbm;
+int dbdb_size;
+dbdata_ratelimit *dbd;
+dbdata_ratelimit_unique *dbdb;
+struct timeval tv;
+
+/* Parse the first two options and record their values in expansion
+variables. These variables allow the configuration to have informative
+error messages based on rate limits obtained from a table lookup. */
+
+/* First is the maximum number of messages per period / maximum burst
+size, which must be greater than or equal to zero. Zero is useful for
+rate measurement as opposed to rate limiting. */
+
+if (!(sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0)))
+  return ratelimit_error(log_msgptr, "sender rate limit not set");
+
+limit = Ustrtod(sender_rate_limit, &ss);
+if      (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
+else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
+else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
+
+if (limit < 0.0 || *ss != '\0')
+  return ratelimit_error(log_msgptr,
+    "\"%s\" is not a positive number", sender_rate_limit);
+
+/* Second is the rate measurement period / exponential smoothing time
+constant. This must be strictly greater than zero, because zero leads to
+run-time division errors. */
+
+period = !(sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0))
+  ? -1.0 : readconf_readtime(sender_rate_period, 0, FALSE);
+if (period <= 0.0)
+  return ratelimit_error(log_msgptr,
+    "\"%s\" is not a time value", sender_rate_period);
+
+/* By default we are counting one of something, but the per_rcpt,
+per_byte, and count options can change this. */
+
+count = 1.0;
+
+/* Parse the other options. */
+
+while ((ss = string_nextinlist(&arg, &sep, NULL, 0)))
+  {
+  if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
+  else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
+  else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
+  else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
+  else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
+  else if (strcmpic(ss, US"per_conn") == 0)
+    {
+    RATE_SET(mode, PER_CONN);
+    if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
+      badacl = TRUE;
+    }
+  else if (strcmpic(ss, US"per_mail") == 0)
+    {
+    RATE_SET(mode, PER_MAIL);
+    if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
+    }
+  else if (strcmpic(ss, US"per_rcpt") == 0)
+    {
+    /* If we are running in the RCPT ACL, then we'll count the recipients
+    one by one, but if we are running when we have accumulated the whole
+    list then we'll add them all in one batch. */
+    if (where == ACL_WHERE_RCPT)
+      RATE_SET(mode, PER_RCPT);
+    else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
+      RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
+    else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
+      RATE_SET(mode, PER_RCPT), badacl = TRUE;
+    }
+  else if (strcmpic(ss, US"per_byte") == 0)
+    {
+    /* If we have not yet received the message data and there was no SIZE
+    declaration on the MAIL command, then it's safe to just use a value of
+    zero and let the recorded rate decay as if nothing happened. */
+    RATE_SET(mode, PER_MAIL);
+    if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
+    else count = message_size < 0 ? 0.0 : (double)message_size;
+    }
+  else if (strcmpic(ss, US"per_addr") == 0)
+    {
+    RATE_SET(mode, PER_RCPT);
+    if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
+    else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
+    }
+  else if (strncmpic(ss, US"count=", 6) == 0)
+    {
+    uschar *e;
+    count = Ustrtod(ss+6, &e);
+    if (count < 0.0 || *e != '\0')
+      return ratelimit_error(log_msgptr, "\"%s\" is not a positive number", ss);
+    }
+  else if (strncmpic(ss, US"unique=", 7) == 0)
+    unique = string_copy(ss + 7);
+  else if (!key)
+    key = string_copy(ss);
+  else
+    key = string_sprintf("%s/%s", key, ss);
+  }
+
+/* Sanity check. When the badacl flag is set the update mode must either
+be readonly (which is the default if it is omitted) or, for backwards
+compatibility, a combination of noupdate and strict or leaky. */
+
+if (mode == RATE_PER_CLASH)
+  return ratelimit_error(log_msgptr, "conflicting per_* options");
+if (leaky + strict + readonly > 1)
+  return ratelimit_error(log_msgptr, "conflicting update modes");
+if (badacl && (leaky || strict) && !noupdate)
+  return ratelimit_error(log_msgptr,
+    "\"%s\" must not have /leaky or /strict option, or cannot be used in %s ACL",
+    ratelimit_option_string[mode], acl_wherenames[where]);
+
+/* Set the default values of any unset options. In readonly mode we
+perform the rate computation without any increment so that its value
+decays to eventually allow over-limit senders through. */
+
+if (noupdate) readonly = TRUE, leaky = strict = FALSE;
+if (badacl) readonly = TRUE;
+if (readonly) count = 0.0;
+if (!strict && !readonly) leaky = TRUE;
+if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
+
+/* Create the lookup key. If there is no explicit key, use sender_host_address.
+If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
+omit it. The smoothing constant (sender_rate_period) and the per_xxx options
+are added to the key because they alter the meaning of the stored data. */
+
+if (!key)
+  key = !sender_host_address ? US"" : sender_host_address;
+
+key = string_sprintf("%s/%s/%s%s",
+  sender_rate_period,
+  ratelimit_option_string[mode],
+  unique == NULL ? "" : "unique/",
+  key);
+
+HDEBUG(D_acl)
+  debug_printf_indent("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
+
+/* See if we have already computed the rate by looking in the relevant tree.
+For per-connection rate limiting, store tree nodes and dbdata in the permanent
+pool so that they survive across resets. In readonly mode we only remember the
+result for the rest of this command in case a later command changes it. After
+this bit of logic the code is independent of the per_* mode. */
+
+old_pool = store_pool;
+
+if (readonly)
+  anchor = &ratelimiters_cmd;
+else switch(mode)
+  {
+  case RATE_PER_CONN:
+    anchor = &ratelimiters_conn;
+    store_pool = POOL_PERM;
+    break;
+  case RATE_PER_BYTE:
+  case RATE_PER_MAIL:
+  case RATE_PER_ALLRCPTS:
+    anchor = &ratelimiters_mail;
+    break;
+  case RATE_PER_ADDR:
+  case RATE_PER_CMD:
+  case RATE_PER_RCPT:
+    anchor = &ratelimiters_cmd;
+    break;
+  default:
+    anchor = NULL; /* silence an "unused" complaint */
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "internal ACL error: unknown ratelimit mode %d", mode);
+    break;
+  }
+
+if ((t = tree_search(*anchor, key)))
+  {
+  dbd = t->data.ptr;
+  /* The following few lines duplicate some of the code below. */
+  rc = (dbd->rate < limit)? FAIL : OK;
+  store_pool = old_pool;
+  sender_rate = string_sprintf("%.1f", dbd->rate);
+  HDEBUG(D_acl)
+    debug_printf_indent("ratelimit found pre-computed rate %s\n", sender_rate);
+  return rc;
+  }
+
+/* We aren't using a pre-computed rate, so get a previously recorded rate
+from the database, which will be updated and written back if required. */
+
+if (!(dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE, TRUE)))
+  {
+  store_pool = old_pool;
+  sender_rate = NULL;
+  HDEBUG(D_acl) debug_printf_indent("ratelimit database not available\n");
+  *log_msgptr = US"ratelimit database not available";
+  return DEFER;
+  }
+dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
+dbd = NULL;
+
+gettimeofday(&tv, NULL);
+
+if (dbdb)
+  {
+  /* Locate the basic ratelimit block inside the DB data. */
+  HDEBUG(D_acl) debug_printf_indent("ratelimit found key in database\n");
+  dbd = &dbdb->dbd;
+
+  /* Forget the old Bloom filter if it is too old, so that we count each
+  repeating event once per period. We don't simply clear and re-use the old
+  filter because we want its size to change if the limit changes. Note that
+  we keep the dbd pointer for copying the rate into the new data block. */
+
+  if(unique && tv.tv_sec > dbdb->bloom_epoch + period)
+    {
+    HDEBUG(D_acl) debug_printf_indent("ratelimit discarding old Bloom filter\n");
+    dbdb = NULL;
+    }
+
+  /* Sanity check. */
+
+  if(unique && dbdb_size < sizeof(*dbdb))
+    {
+    HDEBUG(D_acl) debug_printf_indent("ratelimit discarding undersize Bloom filter\n");
+    dbdb = NULL;
+    }
+  }
+
+/* Allocate a new data block if the database lookup failed
+or the Bloom filter passed its age limit. */
+
+if (!dbdb)
+  {
+  if (!unique)
+    {
+    /* No Bloom filter. This basic ratelimit block is initialized below. */
+    HDEBUG(D_acl) debug_printf_indent("ratelimit creating new rate data block\n");
+    dbdb_size = sizeof(*dbd);
+    dbdb = store_get(dbdb_size, GET_UNTAINTED);
+    }
+  else
+    {
+    int extra;
+    HDEBUG(D_acl) debug_printf_indent("ratelimit creating new Bloom filter\n");
+
+    /* See the long comment below for an explanation of the magic number 2.
+    The filter has a minimum size in case the rate limit is very small;
+    this is determined by the definition of dbdata_ratelimit_unique. */
+
+    extra = (int)limit * 2 - sizeof(dbdb->bloom);
+    if (extra < 0) extra = 0;
+    dbdb_size = sizeof(*dbdb) + extra;
+    dbdb = store_get(dbdb_size, GET_UNTAINTED);
+    dbdb->bloom_epoch = tv.tv_sec;
+    dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
+    memset(dbdb->bloom, 0, dbdb->bloom_size);
+
+    /* Preserve any basic ratelimit data (which is our longer-term memory)
+    by copying it from the discarded block. */
+
+    if (dbd)
+      {
+      dbdb->dbd = *dbd;
+      dbd = &dbdb->dbd;
+      }
+    }
+  }
+
+/* If we are counting unique events, find out if this event is new or not.
+If the client repeats the event during the current period then it should be
+counted. We skip this code in readonly mode for efficiency, because any
+changes to the filter will be discarded and because count is already set to
+zero. */
+
+if (unique && !readonly)
+  {
+  /* We identify unique events using a Bloom filter. (You can find my
+  notes on Bloom filters at http://fanf.livejournal.com/81696.html)
+  With the per_addr option, an "event" is a recipient address, though the
+  user can use the unique option to define their own events. We only count
+  an event if we have not seen it before.
+
+  We size the filter according to the rate limit, which (in leaky mode)
+  is the limit on the population of the filter. We allow 16 bits of space
+  per entry (see the construction code above) and we set (up to) 8 of them
+  when inserting an element (see the loop below). The probability of a false
+  positive (an event we have not seen before but which we fail to count) is
+
+    size    = limit * 16
+    numhash = 8
+    allzero = exp(-numhash * pop / size)
+            = exp(-0.5 * pop / limit)
+    fpr     = pow(1 - allzero, numhash)
+
+  For senders at the limit the fpr is      0.06%    or  1 in 1700
+  and for senders at half the limit it is  0.0006%  or  1 in 170000
+
+  In strict mode the Bloom filter can fill up beyond the normal limit, in
+  which case the false positive rate will rise. This means that the
+  measured rate for very fast senders can bogusly drop off after a while.
+
+  At twice the limit, the fpr is  2.5%  or  1 in 40
+  At four times the limit, it is  31%   or  1 in 3.2
+
+  It takes ln(pop/limit) periods for an over-limit burst of pop events to
+  decay below the limit, and if this is more than one then the Bloom filter
+  will be discarded before the decay gets that far. The false positive rate
+  at this threshold is 9.3% or 1 in 10.7. */
+
+  BOOL seen;
+  unsigned n, hash, hinc;
+  uschar md5sum[16];
+  md5 md5info;
+
+  /* Instead of using eight independent hash values, we combine two values
+  using the formula h1 + n * h2. This does not harm the Bloom filter's
+  performance, and means the amount of hash we need is independent of the
+  number of bits we set in the filter. */
+
+  md5_start(&md5info);
+  md5_end(&md5info, unique, Ustrlen(unique), md5sum);
+  hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
+  hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
+
+  /* Scan the bits corresponding to this event. A zero bit means we have
+  not seen it before. Ensure all bits are set to record this event. */
+
+  HDEBUG(D_acl) debug_printf_indent("ratelimit checking uniqueness of %s\n", unique);
+
+  seen = TRUE;
+  for (n = 0; n < 8; n++, hash += hinc)
+    {
+    int bit = 1 << (hash % 8);
+    int byte = (hash / 8) % dbdb->bloom_size;
+    if ((dbdb->bloom[byte] & bit) == 0)
+      {
+      dbdb->bloom[byte] |= bit;
+      seen = FALSE;
+      }
+    }
+
+  /* If this event has occurred before, do not count it. */
+
+  if (seen)
+    {
+    HDEBUG(D_acl) debug_printf_indent("ratelimit event found in Bloom filter\n");
+    count = 0.0;
+    }
+  else
+    HDEBUG(D_acl) debug_printf_indent("ratelimit event added to Bloom filter\n");
+  }
+
+/* If there was no previous ratelimit data block for this key, initialize
+the new one, otherwise update the block from the database. The initial rate
+is what would be computed by the code below for an infinite interval. */
+
+if (!dbd)
+  {
+  HDEBUG(D_acl) debug_printf_indent("ratelimit initializing new key's rate data\n");
+  dbd = &dbdb->dbd;
+  dbd->time_stamp = tv.tv_sec;
+  dbd->time_usec = tv.tv_usec;
+  dbd->rate = count;
+  }
+else
+  {
+  /* The smoothed rate is computed using an exponentially weighted moving
+  average adjusted for variable sampling intervals. The standard EWMA for
+  a fixed sampling interval is:  f'(t) = (1 - a) * f(t) + a * f'(t - 1)
+  where f() is the measured value and f'() is the smoothed value.
+
+  Old data decays out of the smoothed value exponentially, such that data n
+  samples old is multiplied by a^n. The exponential decay time constant p
+  is defined such that data p samples old is multiplied by 1/e, which means
+  that a = exp(-1/p). We can maintain the same time constant for a variable
+  sampling interval i by using a = exp(-i/p).
+
+  The rate we are measuring is messages per period, suitable for directly
+  comparing with the limit. The average rate between now and the previous
+  message is period / interval, which we feed into the EWMA as the sample.
+
+  It turns out that the number of messages required for the smoothed rate
+  to reach the limit when they are sent in a burst is equal to the limit.
+  This can be seen by analysing the value of the smoothed rate after N
+  messages sent at even intervals. Let k = (1 - a) * p/i
+
+    rate_1 = (1 - a) * p/i + a * rate_0
+           = k + a * rate_0
+    rate_2 = k + a * rate_1
+           = k + a * k + a^2 * rate_0
+    rate_3 = k + a * k + a^2 * k + a^3 * rate_0
+    rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
+           = rate_0 * a^N + k * (1 - a^N) / (1 - a)
+           = rate_0 * a^N + p/i * (1 - a^N)
+
+  When N is large, a^N -> 0 so rate_N -> p/i as desired.
+
+    rate_N = p/i + (rate_0 - p/i) * a^N
+    a^N = (rate_N - p/i) / (rate_0 - p/i)
+    N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
+    N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
+
+  Numerical analysis of the above equation, setting the computed rate to
+  increase from rate_0 = 0 to rate_N = limit, shows that for large sending
+  rates, p/i, the number of messages N = limit. So limit serves as both the
+  maximum rate measured in messages per period, and the maximum number of
+  messages that can be sent in a fast burst. */
+
+  double this_time = (double)tv.tv_sec
+                   + (double)tv.tv_usec / 1000000.0;
+  double prev_time = (double)dbd->time_stamp
+                   + (double)dbd->time_usec / 1000000.0;
+
+  /* We must avoid division by zero, and deal gracefully with the clock going
+  backwards. If we blunder ahead when time is in reverse then the computed
+  rate will be bogus. To be safe we clamp interval to a very small number. */
+
+  double interval = this_time - prev_time <= 0.0 ? 1e-9
+                  : this_time - prev_time;
+
+  double i_over_p = interval / period;
+  double a = exp(-i_over_p);
+
+  /* Combine the instantaneous rate (period / interval) with the previous rate
+  using the smoothing factor a. In order to measure sized events, multiply the
+  instantaneous rate by the count of bytes or recipients etc. */
+
+  dbd->time_stamp = tv.tv_sec;
+  dbd->time_usec = tv.tv_usec;
+  dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
+
+  /* When events are very widely spaced the computed rate tends towards zero.
+  Although this is accurate it turns out not to be useful for our purposes,
+  especially when the first event after a long silence is the start of a spam
+  run. A more useful model is that the rate for an isolated event should be the
+  size of the event per the period size, ignoring the lack of events outside
+  the current period and regardless of where the event falls in the period. So,
+  if the interval was so long that the calculated rate is unhelpfully small, we
+  re-initialize the rate. In the absence of higher-rate bursts, the condition
+  below is true if the interval is greater than the period. */
+
+  if (dbd->rate < count) dbd->rate = count;
+  }
+
+/* Clients sending at the limit are considered to be over the limit.
+This matters for edge cases such as a limit of zero, when the client
+should be completely blocked. */
+
+rc = dbd->rate < limit ? FAIL : OK;
+
+/* Update the state if the rate is low or if we are being strict. If we
+are in leaky mode and the sender's rate is too high, we do not update
+the recorded rate in order to avoid an over-aggressive sender's retry
+rate preventing them from getting any email through. If readonly is set,
+neither leaky nor strict are set, so we do not do any updates. */
+
+if ((rc == FAIL && leaky) || strict)
+  {
+  dbfn_write(dbm, key, dbdb, dbdb_size);
+  HDEBUG(D_acl) debug_printf_indent("ratelimit db updated\n");
+  }
+else
+  {
+  HDEBUG(D_acl) debug_printf_indent("ratelimit db not updated: %s\n",
+    readonly? "readonly mode" : "over the limit, but leaky");
+  }
+
+dbfn_close(dbm);
+
+/* Store the result in the tree for future reference.  Take the taint status
+from the key for consistency even though it's unlikely we'll ever expand this. */
+
+t = store_get(sizeof(tree_node) + Ustrlen(key), key);
+t->data.ptr = dbd;
+Ustrcpy(t->name, key);
+(void)tree_insertnode(anchor, t);
+
+/* We create the formatted version of the sender's rate very late in
+order to ensure that it is done using the correct storage pool. */
+
+store_pool = old_pool;
+sender_rate = string_sprintf("%.1f", dbd->rate);
+
+HDEBUG(D_acl)
+  debug_printf_indent("ratelimit computed rate %s\n", sender_rate);
+
+return rc;
+}
+
+
+
+/*************************************************
+*      Handle a check for previously-seen        *
+*************************************************/
+
+/*
+ACL clauses like:   seen = -5m / key=$foo / readonly
+
+Return is true for condition-true - but the semantics
+depend heavily on the actual use-case.
+
+Negative times test for seen-before, positive for seen-more-recently-than
+(the given interval before current time).
+
+All are subject to history not having been cleaned from the DB.
+
+Default for seen-before is to create if not present, and to
+update if older than 10d (with the seen-test time).
+Default for seen-since is to always create or update.
+
+Options:
+  key=value.  Default key is $sender_host_address
+  readonly
+  write
+  refresh=<interval>:  update an existing DB entry older than given
+			amount.  Default refresh lacking this option is 10d.
+			The update sets the record timestamp to the seen-test time.
+
+XXX do we need separate nocreate, noupdate controls?
+
+Arguments:
+  arg         the option string for seen=
+  where       ACL_WHERE_xxxx indicating which ACL this is
+  log_msgptr  for error messages
+
+Returns:       OK        - Condition is true
+               FAIL      - Condition is false
+               DEFER     - Problem opening history database
+               ERROR     - Syntax error in options
+*/
+
+static int
+acl_seen(const uschar * arg, int where, uschar ** log_msgptr)
+{
+enum { SEEN_DEFAULT, SEEN_READONLY, SEEN_WRITE };
+
+const uschar * list = arg;
+int slash = '/', interval, mode = SEEN_DEFAULT, yield = FAIL;
+BOOL before;
+int refresh = 10 * 24 * 60 * 60;	/* 10 days */
+const uschar * ele, * key = sender_host_address;
+open_db dbblock, * dbm;
+dbdata_seen * dbd;
+time_t now;
+
+/* Parse the first element, the time-relation. */
+
+if (!(ele = string_nextinlist(&list, &slash, NULL, 0)))
+  goto badparse;
+if ((before = *ele == '-'))
+  ele++;
+if ((interval = readconf_readtime(ele, 0, FALSE)) < 0)
+  goto badparse;
+
+/* Remaining elements are options */
+
+while ((ele = string_nextinlist(&list, &slash, NULL, 0)))
+  if (Ustrncmp(ele, "key=", 4) == 0)
+    key = ele + 4;
+  else if (Ustrcmp(ele, "readonly") == 0)
+    mode = SEEN_READONLY;
+  else if (Ustrcmp(ele, "write") == 0)
+    mode = SEEN_WRITE;
+  else if (Ustrncmp(ele, "refresh=", 8) == 0)
+    {
+    if ((refresh = readconf_readtime(ele + 8, 0, FALSE)) < 0)
+      goto badparse;
+    }
+  else
+    goto badopt;
+
+if (!(dbm = dbfn_open(US"seen", O_RDWR, &dbblock, TRUE, TRUE)))
+  {
+  HDEBUG(D_acl) debug_printf_indent("database for 'seen' not available\n");
+  *log_msgptr = US"database for 'seen' not available";
+  return DEFER;
+  }
+
+dbd = dbfn_read_with_length(dbm, key, NULL);
+now = time(NULL);
+if (dbd)		/* an existing record */
+  {
+  time_t diff = now - dbd->time_stamp;	/* time since the record was written */
+
+  if (before ? diff >= interval : diff < interval)
+    yield = OK;
+
+  if (mode == SEEN_READONLY)
+    { HDEBUG(D_acl) debug_printf_indent("seen db not written (readonly)\n"); }
+  else if (mode == SEEN_WRITE || !before)
+    {
+    dbd->time_stamp = now;
+    dbfn_write(dbm, key, dbd, sizeof(*dbd));
+    HDEBUG(D_acl) debug_printf_indent("seen db written (update)\n");
+    }
+  else if (diff >= refresh)
+    {
+    dbd->time_stamp = now - interval;
+    dbfn_write(dbm, key, dbd, sizeof(*dbd));
+    HDEBUG(D_acl) debug_printf_indent("seen db written (refresh)\n");
+    }
+  }
+else
+  {			/* No record found, yield always FAIL */
+  if (mode != SEEN_READONLY)
+    {
+    dbdata_seen d = {.time_stamp = now};
+    dbfn_write(dbm, key, &d, sizeof(*dbd));
+    HDEBUG(D_acl) debug_printf_indent("seen db written (create)\n");
+    }
+  else
+    HDEBUG(D_acl) debug_printf_indent("seen db not written (readonly)\n");
+  }
+
+dbfn_close(dbm);
+return yield;
+
+
+badparse:
+  *log_msgptr = string_sprintf("failed to parse '%s'", arg);
+  return ERROR;
+badopt:
+  *log_msgptr = string_sprintf("unrecognised option '%s' in '%s'", ele, arg);
+  return ERROR;
+}
+
+
+
+/*************************************************
+*            The udpsend ACL modifier            *
+*************************************************/
+
+/* Called by acl_check_condition() below.
+
+Arguments:
+  arg          the option string for udpsend=
+  log_msgptr   for error messages
+
+Returns:       OK        - Completed.
+               DEFER     - Problem with DNS lookup.
+               ERROR     - Syntax error in options.
+*/
+
+static int
+acl_udpsend(const uschar *arg, uschar **log_msgptr)
+{
+int sep = 0;
+uschar *hostname;
+uschar *portstr;
+uschar *portend;
+host_item *h;
+int portnum;
+int len;
+int r, s;
+uschar * errstr;
+
+hostname = string_nextinlist(&arg, &sep, NULL, 0);
+portstr = string_nextinlist(&arg, &sep, NULL, 0);
+
+if (!hostname)
+  {
+  *log_msgptr = US"missing destination host in \"udpsend\" modifier";
+  return ERROR;
+  }
+if (!portstr)
+  {
+  *log_msgptr = US"missing destination port in \"udpsend\" modifier";
+  return ERROR;
+  }
+if (!arg)
+  {
+  *log_msgptr = US"missing datagram payload in \"udpsend\" modifier";
+  return ERROR;
+  }
+portnum = Ustrtol(portstr, &portend, 10);
+if (*portend != '\0')
+  {
+  *log_msgptr = US"bad destination port in \"udpsend\" modifier";
+  return ERROR;
+  }
+
+/* Make a single-item host list. */
+h = store_get(sizeof(host_item), GET_UNTAINTED);
+memset(h, 0, sizeof(host_item));
+h->name = hostname;
+h->port = portnum;
+h->mx = MX_NONE;
+
+if (string_is_ip_address(hostname, NULL))
+  h->address = hostname, r = HOST_FOUND;
+else
+  r = host_find_byname(h, NULL, 0, NULL, FALSE);
+if (r == HOST_FIND_FAILED || r == HOST_FIND_AGAIN)
+  {
+  *log_msgptr = US"DNS lookup failed in \"udpsend\" modifier";
+  return DEFER;
+  }
+
+HDEBUG(D_acl)
+  debug_printf_indent("udpsend [%s]:%d %s\n", h->address, portnum, arg);
+
+/*XXX this could better use sendto */
+r = s = ip_connectedsocket(SOCK_DGRAM, h->address, portnum, portnum,
+		1, NULL, &errstr, NULL);
+if (r < 0) goto defer;
+len = Ustrlen(arg);
+r = send(s, arg, len, 0);
+if (r < 0)
+  {
+  errstr = US strerror(errno);
+  close(s);
+  goto defer;
+  }
+close(s);
+if (r < len)
+  {
+  *log_msgptr =
+    string_sprintf("\"udpsend\" truncated from %d to %d octets", len, r);
+  return DEFER;
+  }
+
+HDEBUG(D_acl)
+  debug_printf_indent("udpsend %d bytes\n", r);
+
+return OK;
+
+defer:
+*log_msgptr = string_sprintf("\"udpsend\" failed: %s", errstr);
+return DEFER;
+}
+
+
+
+/*************************************************
+*   Handle conditions/modifiers on an ACL item   *
+*************************************************/
+
+/* Called from acl_check() below.
+
+Arguments:
+  verb         ACL verb
+  cb           ACL condition block - if NULL, result is OK
+  where        where called from
+  addr         the address being checked for RCPT, or NULL
+  level        the nesting level
+  epp          pointer to pass back TRUE if "endpass" encountered
+                 (applies only to "accept" and "discard")
+  user_msgptr  user message pointer
+  log_msgptr   log message pointer
+  basic_errno  pointer to where to put verify error
+
+Returns:       OK        - all conditions are met
+               DISCARD   - an "acl" condition returned DISCARD - only allowed
+                             for "accept" or "discard" verbs
+               FAIL      - at least one condition fails
+               FAIL_DROP - an "acl" condition returned FAIL_DROP
+               DEFER     - can't tell at the moment (typically, lookup defer,
+                             but can be temporary callout problem)
+               ERROR     - ERROR from nested ACL or expansion failure or other
+                             error
+*/
+
+static int
+acl_check_condition(int verb, acl_condition_block *cb, int where,
+  address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
+  uschar **log_msgptr, int *basic_errno)
+{
+uschar *user_message = NULL;
+uschar *log_message = NULL;
+int rc = OK;
+#ifdef WITH_CONTENT_SCAN
+int sep = -'/';
+#endif
+
+for (; cb; cb = cb->next)
+  {
+  const uschar *arg;
+  int control_type;
+
+  /* The message and log_message items set up messages to be used in
+  case of rejection. They are expanded later. */
+
+  if (cb->type == ACLC_MESSAGE)
+    {
+    HDEBUG(D_acl) debug_printf_indent("  message: %s\n", cb->arg);
+    user_message = cb->arg;
+    continue;
+    }
+
+  if (cb->type == ACLC_LOG_MESSAGE)
+    {
+    HDEBUG(D_acl) debug_printf_indent("l_message: %s\n", cb->arg);
+    log_message = cb->arg;
+    continue;
+    }
+
+  /* The endpass "condition" just sets a flag to show it occurred. This is
+  checked at compile time to be on an "accept" or "discard" item. */
+
+  if (cb->type == ACLC_ENDPASS)
+    {
+    *epp = TRUE;
+    continue;
+    }
+
+  /* For other conditions and modifiers, the argument is expanded now for some
+  of them, but not for all, because expansion happens down in some lower level
+  checking functions in some cases. */
+
+  if (!conditions[cb->type].expand_at_top)
+    arg = cb->arg;
+  else if (!(arg = expand_string(cb->arg)))
+    {
+    if (f.expand_string_forcedfail) continue;
+    *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
+      cb->arg, expand_string_message);
+    return f.search_find_defer ? DEFER : ERROR;
+    }
+
+  /* Show condition, and expanded condition if it's different */
+
+  HDEBUG(D_acl)
+    {
+    int lhswidth = 0;
+    debug_printf_indent("check %s%s %n",
+      (!conditions[cb->type].is_modifier && cb->u.negated)? "!":"",
+      conditions[cb->type].name, &lhswidth);
+
+    if (cb->type == ACLC_SET)
+      {
+#ifndef DISABLE_DKIM
+      if (  Ustrcmp(cb->u.varname, "dkim_verify_status") == 0
+	 || Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
+	{
+	debug_printf("%s ", cb->u.varname);
+	lhswidth += 19;
+	}
+      else
+#endif
+	{
+	debug_printf("acl_%s ", cb->u.varname);
+	lhswidth += 5 + Ustrlen(cb->u.varname);
+	}
+      }
+
+    debug_printf("= %s\n", cb->arg);
+
+    if (arg != cb->arg)
+      debug_printf("%.*s= %s\n", lhswidth,
+      US"                             ", CS arg);
+    }
+
+  /* Check that this condition makes sense at this time */
+
+  if ((conditions[cb->type].forbids & (1 << where)) != 0)
+    {
+    *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
+      conditions[cb->type].is_modifier ? "use" : "test",
+      conditions[cb->type].name, acl_wherenames[where]);
+    return ERROR;
+    }
+
+  /* Run the appropriate test for each condition, or take the appropriate
+  action for the remaining modifiers. */
+
+  switch(cb->type)
+    {
+    case ACLC_ADD_HEADER:
+    setup_header(arg);
+    break;
+
+    /* A nested ACL that returns "discard" makes sense only for an "accept" or
+    "discard" verb. */
+
+    case ACLC_ACL:
+      rc = acl_check_wargs(where, addr, arg, user_msgptr, log_msgptr);
+      if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
+        {
+        *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
+          "\"%s\" command (only allowed with \"accept\" or \"discard\")",
+          verbs[verb]);
+        return ERROR;
+        }
+    break;
+
+    case ACLC_AUTHENTICATED:
+      rc = sender_host_authenticated ? match_isinlist(sender_host_authenticated,
+	      &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL) : FAIL;
+    break;
+
+    #ifdef EXPERIMENTAL_BRIGHTMAIL
+    case ACLC_BMI_OPTIN:
+      {
+      int old_pool = store_pool;
+      store_pool = POOL_PERM;
+      bmi_current_optin = string_copy(arg);
+      store_pool = old_pool;
+      }
+    break;
+    #endif
+
+    case ACLC_CONDITION:
+    /* The true/false parsing here should be kept in sync with that used in
+    expand.c when dealing with ECOND_BOOL so that we don't have too many
+    different definitions of what can be a boolean. */
+    if (*arg == '-'
+	? Ustrspn(arg+1, "0123456789") == Ustrlen(arg+1)    /* Negative number */
+	: Ustrspn(arg,   "0123456789") == Ustrlen(arg))     /* Digits, or empty */
+      rc = (Uatoi(arg) == 0)? FAIL : OK;
+    else
+      rc = (strcmpic(arg, US"no") == 0 ||
+            strcmpic(arg, US"false") == 0)? FAIL :
+           (strcmpic(arg, US"yes") == 0 ||
+            strcmpic(arg, US"true") == 0)? OK : DEFER;
+    if (rc == DEFER)
+      *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
+    break;
+
+    case ACLC_CONTINUE:    /* Always succeeds */
+    break;
+
+    case ACLC_CONTROL:
+      {
+      const uschar *p = NULL;
+      control_type = decode_control(arg, &p, where, log_msgptr);
+
+      /* Check if this control makes sense at this time */
+
+      if (controls_list[control_type].forbids & (1 << where))
+	{
+	*log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
+	  controls_list[control_type].name, acl_wherenames[where]);
+	return ERROR;
+	}
+
+      switch(control_type)
+	{
+	case CONTROL_AUTH_UNADVERTISED:
+	  f.allow_auth_unadvertised = TRUE;
+	  break;
+
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+	case CONTROL_BMI_RUN:
+	  bmi_run = 1;
+	  break;
+#endif
+
+#ifndef DISABLE_DKIM
+	case CONTROL_DKIM_VERIFY:
+	  f.dkim_disable_verify = TRUE;
+# ifdef SUPPORT_DMARC
+	  /* Since DKIM was blocked, skip DMARC too */
+	  f.dmarc_disable_verify = TRUE;
+	  f.dmarc_enable_forensic = FALSE;
+# endif
+	break;
+#endif
+
+#ifdef SUPPORT_DMARC
+	case CONTROL_DMARC_VERIFY:
+	  f.dmarc_disable_verify = TRUE;
+	  break;
+
+	case CONTROL_DMARC_FORENSIC:
+	  f.dmarc_enable_forensic = TRUE;
+	  break;
+#endif
+
+	case CONTROL_DSCP:
+	  if (*p == '/')
+	    {
+	    int fd, af, level, optname, value;
+	    /* If we are acting on stdin, the setsockopt may fail if stdin is not
+	    a socket; we can accept that, we'll just debug-log failures anyway. */
+	    fd = fileno(smtp_in);
+	    if ((af = ip_get_address_family(fd)) < 0)
+	      {
+	      HDEBUG(D_acl)
+		debug_printf_indent("smtp input is probably not a socket [%s], not setting DSCP\n",
+		    strerror(errno));
+	      break;
+	      }
+	    if (dscp_lookup(p+1, af, &level, &optname, &value))
+	      if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
+		{
+		HDEBUG(D_acl) debug_printf_indent("failed to set input DSCP[%s]: %s\n",
+		    p+1, strerror(errno));
+		}
+	      else
+		{
+		HDEBUG(D_acl) debug_printf_indent("set input DSCP to \"%s\"\n", p+1);
+		}
+	    else
+	      {
+	      *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
+	      return ERROR;
+	      }
+	    }
+	  else
+	    {
+	    *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
+	    return ERROR;
+	    }
+	  break;
+
+	case CONTROL_ERROR:
+	  return ERROR;
+
+	case CONTROL_CASEFUL_LOCAL_PART:
+	  deliver_localpart = addr->cc_local_part;
+	  break;
+
+	case CONTROL_CASELOWER_LOCAL_PART:
+	  deliver_localpart = addr->lc_local_part;
+	  break;
+
+	case CONTROL_ENFORCE_SYNC:
+	  smtp_enforce_sync = TRUE;
+	  break;
+
+	case CONTROL_NO_ENFORCE_SYNC:
+	  smtp_enforce_sync = FALSE;
+	  break;
+
+#ifdef WITH_CONTENT_SCAN
+	case CONTROL_NO_MBOX_UNSPOOL:
+	  f.no_mbox_unspool = TRUE;
+	  break;
+#endif
+
+	case CONTROL_NO_MULTILINE:
+	  f.no_multiline_responses = TRUE;
+	  break;
+
+	case CONTROL_NO_PIPELINING:
+	  f.pipelining_enable = FALSE;
+	  break;
+
+	case CONTROL_NO_DELAY_FLUSH:
+	  f.disable_delay_flush = TRUE;
+	  break;
+
+	case CONTROL_NO_CALLOUT_FLUSH:
+	  f.disable_callout_flush = TRUE;
+	  break;
+
+	case CONTROL_FAKEREJECT:
+	  cancel_cutthrough_connection(TRUE, US"fakereject");
+	case CONTROL_FAKEDEFER:
+	  fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
+	  if (*p == '/')
+	    {
+	    const uschar *pp = p + 1;
+	    while (*pp) pp++;
+	    /* The entire control= line was expanded at top so no need to expand
+	    the part after the / */
+	    fake_response_text = string_copyn(p+1, pp-p-1);
+	    p = pp;
+	    }
+	   else /* Explicitly reset to default string */
+	    fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
+	  break;
+
+	case CONTROL_FREEZE:
+	  f.deliver_freeze = TRUE;
+	  deliver_frozen_at = time(NULL);
+	  freeze_tell = freeze_tell_config;       /* Reset to configured value */
+	  if (Ustrncmp(p, "/no_tell", 8) == 0)
+	    {
+	    p += 8;
+	    freeze_tell = NULL;
+	    }
+	  if (*p)
+	    {
+	    *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
+	    return ERROR;
+	    }
+	  cancel_cutthrough_connection(TRUE, US"item frozen");
+	  break;
+
+	case CONTROL_QUEUE:
+	  f.queue_only_policy = TRUE;
+	  if (Ustrcmp(p, "_only") == 0)
+	    p += 5;
+	  else while (*p == '/')
+	    if (Ustrncmp(p, "/only", 5) == 0)
+	      { p += 5; f.queue_smtp = FALSE; }
+	    else if (Ustrncmp(p, "/first_pass_route", 17) == 0)
+	      { p += 17; f.queue_smtp = TRUE; }
+	    else
+	      break;
+	  cancel_cutthrough_connection(TRUE, US"queueing forced");
+	  break;
+
+	case CONTROL_SUBMISSION:
+	  originator_name = US"";
+	  f.submission_mode = TRUE;
+	  while (*p == '/')
+	    {
+	    if (Ustrncmp(p, "/sender_retain", 14) == 0)
+	      {
+	      p += 14;
+	      f.active_local_sender_retain = TRUE;
+	      f.active_local_from_check = FALSE;
+	      }
+	    else if (Ustrncmp(p, "/domain=", 8) == 0)
+	      {
+	      const uschar *pp = p + 8;
+	      while (*pp && *pp != '/') pp++;
+	      submission_domain = string_copyn(p+8, pp-p-8);
+	      p = pp;
+	      }
+	    /* The name= option must be last, because it swallows the rest of
+	    the string. */
+	    else if (Ustrncmp(p, "/name=", 6) == 0)
+	      {
+	      const uschar *pp = p + 6;
+	      while (*pp) pp++;
+	      submission_name = parse_fix_phrase(p+6, pp-p-6);
+	      p = pp;
+	      }
+	    else break;
+	    }
+	  if (*p)
+	    {
+	    *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
+	    return ERROR;
+	    }
+	  break;
+
+	case CONTROL_DEBUG:
+	  {
+	  uschar * debug_tag = NULL, * debug_opts = NULL;
+	  BOOL kill = FALSE, stop = FALSE;
+
+	  while (*p == '/')
+	    {
+	    const uschar * pp = p+1;
+	    if (Ustrncmp(pp, "tag=", 4) == 0)
+	      {
+	      for (pp += 4; *pp && *pp != '/';) pp++;
+	      debug_tag = string_copyn(p+5, pp-p-5);
+	      }
+	    else if (Ustrncmp(pp, "opts=", 5) == 0)
+	      {
+	      for (pp += 5; *pp && *pp != '/';) pp++;
+	      debug_opts = string_copyn(p+6, pp-p-6);
+	      }
+	    else if (Ustrncmp(pp, "kill", 4) == 0)
+	      {
+	      pp += 4;
+	      kill = TRUE;
+	      }
+	    else if (Ustrncmp(pp, "stop", 4) == 0)
+	      {
+	      pp += 4;
+	      stop = TRUE;
+	      }
+	    else if (Ustrncmp(pp, "pretrigger=", 11) == 0)
+		debug_pretrigger_setup(pp+11);
+	    else if (Ustrncmp(pp, "trigger=", 8) == 0)
+	      {
+	      if (Ustrncmp(pp += 8, "now", 3) == 0)
+		{
+		pp += 3;
+		debug_trigger_fire();
+		}
+	      else if (Ustrncmp(pp, "paniclog", 8) == 0)
+		{
+		pp += 8;
+		dtrigger_selector |= BIT(DTi_panictrigger);
+		}
+	      }
+	    while (*pp && *pp != '/') pp++;
+	    p = pp;
+	    }
+
+	  if (kill)
+	    debug_logging_stop(TRUE);
+	  else if (stop)
+	    debug_logging_stop(FALSE);
+	  else if (debug_tag || debug_opts)
+	    debug_logging_activate(debug_tag, debug_opts);
+	  break;
+	  }
+
+	case CONTROL_SUPPRESS_LOCAL_FIXUPS:
+	  f.suppress_local_fixups = TRUE;
+	  break;
+
+	case CONTROL_CUTTHROUGH_DELIVERY:
+	  {
+	  uschar * ignored = NULL;
+#ifndef DISABLE_PRDR
+	  if (prdr_requested)
+#else
+	  if (0)
+#endif
+	    /* Too hard to think about for now.  We might in future cutthrough
+	    the case where both sides handle prdr and this-node prdr acl
+	    is "accept" */
+	    ignored = US"PRDR active";
+	  else if (f.deliver_freeze)
+	    ignored = US"frozen";
+	  else if (f.queue_only_policy)
+	    ignored = US"queue-only";
+	  else if (fake_response == FAIL)
+	    ignored = US"fakereject";
+	  else if (rcpt_count != 1)
+	    ignored = US"nonfirst rcpt";
+	  else if (cutthrough.delivery)
+	    ignored = US"repeated";
+	  else if (cutthrough.callout_hold_only)
+	    {
+	    DEBUG(D_acl)
+	      debug_printf_indent(" cutthrough request upgrades callout hold\n");
+	    cutthrough.callout_hold_only = FALSE;
+	    cutthrough.delivery = TRUE;	/* control accepted */
+	    }
+	  else
+	    {
+	    cutthrough.delivery = TRUE;	/* control accepted */
+	    while (*p == '/')
+	      {
+	      const uschar * pp = p+1;
+	      if (Ustrncmp(pp, "defer=", 6) == 0)
+		{
+		pp += 6;
+		if (Ustrncmp(pp, "pass", 4) == 0) cutthrough.defer_pass = TRUE;
+		/* else if (Ustrncmp(pp, "spool") == 0) ;	default */
+		}
+	      else
+		while (*pp && *pp != '/') pp++;
+	      p = pp;
+	      }
+	    }
+
+	  DEBUG(D_acl) if (ignored)
+	    debug_printf(" cutthrough request ignored on %s item\n", ignored);
+	  }
+	break;
+
+#ifdef SUPPORT_I18N
+	case CONTROL_UTF8_DOWNCONVERT:
+	  if (*p == '/')
+	    {
+	    if (p[1] == '1')
+	      {
+	      message_utf8_downconvert = 1;
+	      addr->prop.utf8_downcvt = TRUE;
+	      addr->prop.utf8_downcvt_maybe = FALSE;
+	      p += 2;
+	      break;
+	      }
+	    if (p[1] == '0')
+	      {
+	      message_utf8_downconvert = 0;
+	      addr->prop.utf8_downcvt = FALSE;
+	      addr->prop.utf8_downcvt_maybe = FALSE;
+	      p += 2;
+	      break;
+	      }
+	    if (p[1] == '-' && p[2] == '1')
+	      {
+	      message_utf8_downconvert = -1;
+	      addr->prop.utf8_downcvt = FALSE;
+	      addr->prop.utf8_downcvt_maybe = TRUE;
+	      p += 3;
+	      break;
+	      }
+	    *log_msgptr = US"bad option value for control=utf8_downconvert";
+	    }
+	  else
+	    {
+	    message_utf8_downconvert = 1;
+	    addr->prop.utf8_downcvt = TRUE;
+	    addr->prop.utf8_downcvt_maybe = FALSE;
+	    break;
+	    }
+	  return ERROR;
+#endif
+
+	}
+      break;
+      }
+
+    #ifdef EXPERIMENTAL_DCC
+    case ACLC_DCC:
+      {
+      /* Separate the regular expression and any optional parameters. */
+      const uschar * list = arg;
+      uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
+      /* Run the dcc backend. */
+      rc = dcc_process(&ss);
+      /* Modify return code based upon the existence of options. */
+      while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
+        if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
+          rc = FAIL;   /* FAIL so that the message is passed to the next ACL */
+      }
+    break;
+    #endif
+
+    #ifdef WITH_CONTENT_SCAN
+    case ACLC_DECODE:
+    rc = mime_decode(&arg);
+    break;
+    #endif
+
+    case ACLC_DELAY:
+      {
+      int delay = readconf_readtime(arg, 0, FALSE);
+      if (delay < 0)
+        {
+        *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
+          "modifier: \"%s\" is not a time value", arg);
+        return ERROR;
+        }
+      else
+        {
+        HDEBUG(D_acl) debug_printf_indent("delay modifier requests %d-second delay\n",
+          delay);
+        if (host_checking)
+          {
+          HDEBUG(D_acl)
+            debug_printf_indent("delay skipped in -bh checking mode\n");
+          }
+
+	/* NOTE 1: Remember that we may be
+        dealing with stdin/stdout here, in addition to TCP/IP connections.
+        Also, delays may be specified for non-SMTP input, where smtp_out and
+        smtp_in will be NULL. Whatever is done must work in all cases.
+
+        NOTE 2: The added feature of flushing the output before a delay must
+        apply only to SMTP input. Hence the test for smtp_out being non-NULL.
+        */
+
+        else
+          {
+          if (smtp_out && !f.disable_delay_flush)
+	    mac_smtp_fflush();
+
+#if !defined(NO_POLL_H) && defined (POLLRDHUP)
+	    {
+	    struct pollfd p;
+	    nfds_t n = 0;
+	    if (smtp_out)
+	      {
+	      p.fd = fileno(smtp_out);
+	      p.events = POLLRDHUP;
+	      n = 1;
+	      }
+	    if (poll(&p, n, delay*1000) > 0)
+	      HDEBUG(D_acl) debug_printf_indent("delay cancelled by peer close\n");
+	    }
+#else
+	  /* Lacking POLLRDHUP it appears to be impossible to detect that a
+	  TCP/IP connection has gone away without reading from it. This means
+	  that we cannot shorten the delay below if the client goes away,
+	  because we cannot discover that the client has closed its end of the
+	  connection. (The connection is actually in a half-closed state,
+	  waiting for the server to close its end.) It would be nice to be able
+	  to detect this state, so that the Exim process is not held up
+	  unnecessarily. However, it seems that we can't. The poll() function
+	  does not do the right thing, and in any case it is not always
+	  available.  */
+
+          while (delay > 0) delay = sleep(delay);
+#endif
+          }
+        }
+      }
+    break;
+
+#ifndef DISABLE_DKIM
+    case ACLC_DKIM_SIGNER:
+    if (dkim_cur_signer)
+      rc = match_isinlist(dkim_cur_signer,
+                          &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
+    else
+      rc = FAIL;
+    break;
+
+    case ACLC_DKIM_STATUS:
+    rc = match_isinlist(dkim_verify_status,
+                        &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
+    break;
+#endif
+
+#ifdef SUPPORT_DMARC
+    case ACLC_DMARC_STATUS:
+    if (!f.dmarc_has_been_checked)
+      dmarc_process();
+    f.dmarc_has_been_checked = TRUE;
+    /* used long way of dmarc_exim_expand_query() in case we need more
+     * view into the process in the future. */
+    rc = match_isinlist(dmarc_exim_expand_query(DMARC_VERIFY_STATUS),
+                        &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
+    break;
+#endif
+
+    case ACLC_DNSLISTS:
+    rc = verify_check_dnsbl(where, &arg, log_msgptr);
+    break;
+
+    case ACLC_DOMAINS:
+    rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
+      addr->domain_cache, MCL_DOMAIN, TRUE, CUSS &deliver_domain_data);
+    break;
+
+    /* The value in tls_cipher is the full cipher name, for example,
+    TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
+    cipher names such as DES-CBC3-SHA. But program defensively. We don't know
+    what may in practice come out of the SSL library - which at the time of
+    writing is poorly documented. */
+
+    case ACLC_ENCRYPTED:
+    if (tls_in.cipher == NULL) rc = FAIL; else
+      {
+      uschar *endcipher = NULL;
+      uschar *cipher = Ustrchr(tls_in.cipher, ':');
+      if (!cipher) cipher = tls_in.cipher; else
+        {
+        endcipher = Ustrchr(++cipher, ':');
+        if (endcipher) *endcipher = 0;
+        }
+      rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
+      if (endcipher) *endcipher = ':';
+      }
+    break;
+
+    /* Use verify_check_this_host() instead of verify_check_host() so that
+    we can pass over &host_data to catch any looked up data. Once it has been
+    set, it retains its value so that it's still there if another ACL verb
+    comes through here and uses the cache. However, we must put it into
+    permanent store in case it is also expected to be used in a subsequent
+    message in the same SMTP connection. */
+
+    case ACLC_HOSTS:
+    rc = verify_check_this_host(&arg, sender_host_cache, NULL,
+      sender_host_address ? sender_host_address : US"", CUSS &host_data);
+    if (rc == DEFER) *log_msgptr = search_error_message;
+    if (host_data) host_data = string_copy_perm(host_data, TRUE);
+    break;
+
+    case ACLC_LOCAL_PARTS:
+    rc = match_isinlist(addr->cc_local_part, &arg, 0,
+      &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
+      CUSS &deliver_localpart_data);
+    break;
+
+    case ACLC_LOG_REJECT_TARGET:
+      {
+      int logbits = 0;
+      int sep = 0;
+      const uschar *s = arg;
+      uschar * ss;
+      while ((ss = string_nextinlist(&s, &sep, NULL, 0)))
+        {
+        if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
+        else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
+        else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
+        else
+          {
+          logbits |= LOG_MAIN|LOG_REJECT;
+          log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
+            "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
+          }
+        }
+      log_reject_target = logbits;
+      }
+    break;
+
+    case ACLC_LOGWRITE:
+      {
+      int logbits = 0;
+      const uschar *s = arg;
+      if (*s == ':')
+        {
+        s++;
+        while (*s != ':')
+          {
+          if (Ustrncmp(s, "main", 4) == 0)
+            { logbits |= LOG_MAIN; s += 4; }
+          else if (Ustrncmp(s, "panic", 5) == 0)
+            { logbits |= LOG_PANIC; s += 5; }
+          else if (Ustrncmp(s, "reject", 6) == 0)
+            { logbits |= LOG_REJECT; s += 6; }
+          else
+            {
+            logbits = LOG_MAIN|LOG_PANIC;
+            s = string_sprintf(":unknown log name in \"%s\" in "
+              "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
+            }
+          if (*s == ',') s++;
+          }
+        s++;
+        }
+      while (isspace(*s)) s++;
+
+      if (logbits == 0) logbits = LOG_MAIN;
+      log_write(0, logbits, "%s", string_printing(s));
+      }
+    break;
+
+    #ifdef WITH_CONTENT_SCAN
+    case ACLC_MALWARE:			/* Run the malware backend. */
+      {
+      /* Separate the regular expression and any optional parameters. */
+      const uschar * list = arg;
+      uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
+      uschar * opt;
+      BOOL defer_ok = FALSE;
+      int timeout = 0;
+
+      while ((opt = string_nextinlist(&list, &sep, NULL, 0)))
+        if (strcmpic(opt, US"defer_ok") == 0)
+	  defer_ok = TRUE;
+	else if (  strncmpic(opt, US"tmo=", 4) == 0
+		&& (timeout = readconf_readtime(opt+4, '\0', FALSE)) < 0
+		)
+	  {
+	  *log_msgptr = string_sprintf("bad timeout value in '%s'", opt);
+	  return ERROR;
+	  }
+
+      rc = malware(ss, timeout);
+      if (rc == DEFER && defer_ok)
+	rc = FAIL;	/* FAIL so that the message is passed to the next ACL */
+      }
+    break;
+
+    case ACLC_MIME_REGEX:
+    rc = mime_regex(&arg);
+    break;
+    #endif
+
+    case ACLC_QUEUE:
+    if (is_tainted(arg))
+      {
+      *log_msgptr = string_sprintf("Tainted name '%s' for queue not permitted",
+				    arg);
+      return ERROR;
+      }
+    if (Ustrchr(arg, '/'))
+      {
+      *log_msgptr = string_sprintf(
+	      "Directory separator not permitted in queue name: '%s'", arg);
+      return ERROR;
+      }
+    queue_name = string_copy_perm(arg, FALSE);
+    break;
+
+    case ACLC_RATELIMIT:
+    rc = acl_ratelimit(arg, where, log_msgptr);
+    break;
+
+    case ACLC_RECIPIENTS:
+    rc = match_address_list(CUS addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
+      CUSS &recipient_data);
+    break;
+
+    #ifdef WITH_CONTENT_SCAN
+    case ACLC_REGEX:
+    rc = regex(&arg);
+    break;
+    #endif
+
+    case ACLC_REMOVE_HEADER:
+    setup_remove_header(arg);
+    break;
+
+    case ACLC_SEEN:
+    rc = acl_seen(arg, where, log_msgptr);
+    break;
+
+    case ACLC_SENDER_DOMAINS:
+      {
+      uschar *sdomain;
+      sdomain = Ustrrchr(sender_address, '@');
+      sdomain = sdomain ? sdomain + 1 : US"";
+      rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
+        sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
+      }
+    break;
+
+    case ACLC_SENDERS:
+    rc = match_address_list(CUS sender_address, TRUE, TRUE, &arg,
+      sender_address_cache, -1, 0, CUSS &sender_data);
+    break;
+
+    /* Connection variables must persist forever; message variables not */
+
+    case ACLC_SET:
+      {
+      int old_pool = store_pool;
+      if (  cb->u.varname[0] != 'm'
+#ifndef DISABLE_EVENT
+	 || event_name		/* An event is being delivered */
+#endif
+	 )
+        store_pool = POOL_PERM;
+#ifndef DISABLE_DKIM	/* Overwriteable dkim result variables */
+      if (Ustrcmp(cb->u.varname, "dkim_verify_status") == 0)
+	dkim_verify_status = string_copy(arg);
+      else if (Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
+	dkim_verify_reason = string_copy(arg);
+      else
+#endif
+	acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
+      store_pool = old_pool;
+      }
+    break;
+
+#ifdef WITH_CONTENT_SCAN
+    case ACLC_SPAM:
+      {
+      /* Separate the regular expression and any optional parameters. */
+      const uschar * list = arg;
+      uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
+
+      rc = spam(CUSS &ss);
+      /* Modify return code based upon the existence of options. */
+      while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
+        if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
+          rc = FAIL;	/* FAIL so that the message is passed to the next ACL */
+      }
+    break;
+#endif
+
+#ifdef SUPPORT_SPF
+    case ACLC_SPF:
+      rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
+    break;
+    case ACLC_SPF_GUESS:
+      rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
+    break;
+#endif
+
+    case ACLC_UDPSEND:
+    rc = acl_udpsend(arg, log_msgptr);
+    break;
+
+    /* If the verb is WARN, discard any user message from verification, because
+    such messages are SMTP responses, not header additions. The latter come
+    only from explicit "message" modifiers. However, put the user message into
+    $acl_verify_message so it can be used in subsequent conditions or modifiers
+    (until something changes it). */
+
+    case ACLC_VERIFY:
+    rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
+    if (*user_msgptr)
+      acl_verify_message = *user_msgptr;
+    if (verb == ACL_WARN) *user_msgptr = NULL;
+    break;
+
+    default:
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
+      "condition %d", cb->type);
+    break;
+    }
+
+  /* If a condition was negated, invert OK/FAIL. */
+
+  if (!conditions[cb->type].is_modifier && cb->u.negated)
+    if (rc == OK) rc = FAIL;
+    else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
+
+  if (rc != OK) break;   /* Conditions loop */
+  }
+
+
+/* If the result is the one for which "message" and/or "log_message" are used,
+handle the values of these modifiers. If there isn't a log message set, we make
+it the same as the user message.
+
+"message" is a user message that will be included in an SMTP response. Unless
+it is empty, it overrides any previously set user message.
+
+"log_message" is a non-user message, and it adds to any existing non-user
+message that is already set.
+
+Most verbs have but a single return for which the messages are relevant, but
+for "discard", it's useful to have the log message both when it succeeds and
+when it fails. For "accept", the message is used in the OK case if there is no
+"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
+present. */
+
+if (*epp && rc == OK) user_message = NULL;
+
+if ((BIT(rc) & msgcond[verb]) != 0)
+  {
+  uschar *expmessage;
+  uschar *old_user_msgptr = *user_msgptr;
+  uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
+
+  /* If the verb is "warn", messages generated by conditions (verification or
+  nested ACLs) are always discarded. This also happens for acceptance verbs
+  when they actually do accept. Only messages specified at this level are used.
+  However, the value of an existing message is available in $acl_verify_message
+  during expansions. */
+
+  if (verb == ACL_WARN ||
+      (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
+    *log_msgptr = *user_msgptr = NULL;
+
+  if (user_message)
+    {
+    acl_verify_message = old_user_msgptr;
+    expmessage = expand_string(user_message);
+    if (!expmessage)
+      {
+      if (!f.expand_string_forcedfail)
+        log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
+          user_message, expand_string_message);
+      }
+    else if (expmessage[0] != 0) *user_msgptr = expmessage;
+    }
+
+  if (log_message)
+    {
+    acl_verify_message = old_log_msgptr;
+    expmessage = expand_string(log_message);
+    if (!expmessage)
+      {
+      if (!f.expand_string_forcedfail)
+        log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
+          log_message, expand_string_message);
+      }
+    else if (expmessage[0] != 0)
+      {
+      *log_msgptr = (*log_msgptr == NULL)? expmessage :
+        string_sprintf("%s: %s", expmessage, *log_msgptr);
+      }
+    }
+
+  /* If no log message, default it to the user message */
+
+  if (!*log_msgptr) *log_msgptr = *user_msgptr;
+  }
+
+acl_verify_message = NULL;
+return rc;
+}
+
+
+
+
+
+/*************************************************
+*        Get line from a literal ACL             *
+*************************************************/
+
+/* This function is passed to acl_read() in order to extract individual lines
+of a literal ACL, which we access via static pointers. We can destroy the
+contents because this is called only once (the compiled ACL is remembered).
+
+This code is intended to treat the data in the same way as lines in the main
+Exim configuration file. That is:
+
+  . Leading spaces are ignored.
+
+  . A \ at the end of a line is a continuation - trailing spaces after the \
+    are permitted (this is because I don't believe in making invisible things
+    significant). Leading spaces on the continued part of a line are ignored.
+
+  . Physical lines starting (significantly) with # are totally ignored, and
+    may appear within a sequence of backslash-continued lines.
+
+  . Blank lines are ignored, but will end a sequence of continuations.
+
+Arguments: none
+Returns:   a pointer to the next line
+*/
+
+
+static uschar *acl_text;          /* Current pointer in the text */
+static uschar *acl_text_end;      /* Points one past the terminating '0' */
+
+
+static uschar *
+acl_getline(void)
+{
+uschar *yield;
+
+/* This loop handles leading blank lines and comments. */
+
+for(;;)
+  {
+  Uskip_whitespace(&acl_text);   	/* Leading spaces/empty lines */
+  if (!*acl_text) return NULL;		/* No more data */
+  yield = acl_text;			/* Potential data line */
+
+  while (*acl_text && *acl_text != '\n') acl_text++;
+
+  /* If we hit the end before a newline, we have the whole logical line. If
+  it's a comment, there's no more data to be given. Otherwise, yield it. */
+
+  if (!*acl_text) return *yield == '#' ? NULL : yield;
+
+  /* After reaching a newline, end this loop if the physical line does not
+  start with '#'. If it does, it's a comment, and the loop continues. */
+
+  if (*yield != '#') break;
+  }
+
+/* This loop handles continuations. We know we have some real data, ending in
+newline. See if there is a continuation marker at the end (ignoring trailing
+white space). We know that *yield is not white space, so no need to test for
+cont > yield in the backwards scanning loop. */
+
+for(;;)
+  {
+  uschar *cont;
+  for (cont = acl_text - 1; isspace(*cont); cont--);
+
+  /* If no continuation follows, we are done. Mark the end of the line and
+  return it. */
+
+  if (*cont != '\\')
+    {
+    *acl_text++ = 0;
+    return yield;
+    }
+
+  /* We have encountered a continuation. Skip over whitespace at the start of
+  the next line, and indeed the whole of the next line or lines if they are
+  comment lines. */
+
+  for (;;)
+    {
+    while (*(++acl_text) == ' ' || *acl_text == '\t');
+    if (*acl_text != '#') break;
+    while (*(++acl_text) != 0 && *acl_text != '\n');
+    }
+
+  /* We have the start of a continuation line. Move all the rest of the data
+  to join onto the previous line, and then find its end. If the end is not a
+  newline, we are done. Otherwise loop to look for another continuation. */
+
+  memmove(cont, acl_text, acl_text_end - acl_text);
+  acl_text_end -= acl_text - cont;
+  acl_text = cont;
+  while (*acl_text != 0 && *acl_text != '\n') acl_text++;
+  if (*acl_text == 0) return yield;
+  }
+
+/* Control does not reach here */
+}
+
+
+
+
+
+/************************************************/
+/* For error messages, a string describing the config location
+associated with current processing. NULL if not in an ACL. */
+
+uschar *
+acl_current_verb(void)
+{
+if (acl_current) return string_sprintf(" (ACL %s, %s %d)",
+    verbs[acl_current->verb], acl_current->srcfile, acl_current->srcline);
+return NULL;
+}
+
+/*************************************************
+*        Check access using an ACL               *
+*************************************************/
+
+/* This function is called from address_check. It may recurse via
+acl_check_condition() - hence the use of a level to stop looping. The ACL is
+passed as a string which is expanded. A forced failure implies no access check
+is required. If the result is a single word, it is taken as the name of an ACL
+which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
+text, complete with newlines, and parsed as such. In both cases, the ACL check
+is then run. This function uses an auxiliary function for acl_read() to call
+for reading individual lines of a literal ACL. This is acl_getline(), which
+appears immediately above.
+
+Arguments:
+  where        where called from
+  addr         address item when called from RCPT; otherwise NULL
+  s            the input string; NULL is the same as an empty ACL => DENY
+  user_msgptr  where to put a user error (for SMTP response)
+  log_msgptr   where to put a logging message (not for SMTP response)
+
+Returns:       OK         access is granted
+               DISCARD    access is apparently granted...
+               FAIL       access is denied
+               FAIL_DROP  access is denied; drop the connection
+               DEFER      can't tell at the moment
+               ERROR      disaster
+*/
+
+static int
+acl_check_internal(int where, address_item *addr, uschar *s,
+  uschar **user_msgptr, uschar **log_msgptr)
+{
+int fd = -1;
+acl_block *acl = NULL;
+uschar *acl_name = US"inline ACL";
+uschar *ss;
+
+/* Catch configuration loops */
+
+if (acl_level > 20)
+  {
+  *log_msgptr = US"ACL nested too deep: possible loop";
+  return ERROR;
+  }
+
+if (!s)
+  {
+  HDEBUG(D_acl) debug_printf_indent("ACL is NULL: implicit DENY\n");
+  return FAIL;
+  }
+
+/* At top level, we expand the incoming string. At lower levels, it has already
+been expanded as part of condition processing. */
+
+if (acl_level == 0)
+  {
+  if (!(ss = expand_string(s)))
+    {
+    if (f.expand_string_forcedfail) return OK;
+    *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
+      expand_string_message);
+    return ERROR;
+    }
+  }
+else ss = s;
+
+while (isspace(*ss)) ss++;
+
+/* If we can't find a named ACL, the default is to parse it as an inline one.
+(Unless it begins with a slash; non-existent files give rise to an error.) */
+
+acl_text = ss;
+
+if (is_tainted(acl_text) && !f.running_in_test_harness)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "attempt to use tainted ACL text \"%s\"", acl_text);
+  /* Avoid leaking info to an attacker */
+  *log_msgptr = US"internal configuration error";
+  return ERROR;
+  }
+
+/* Handle the case of a string that does not contain any spaces. Look for a
+named ACL among those read from the configuration, or a previously read file.
+It is possible that the pointer to the ACL is NULL if the configuration
+contains a name with no data. If not found, and the text begins with '/',
+read an ACL from a file, and save it so it can be re-used. */
+
+if (Ustrchr(ss, ' ') == NULL)
+  {
+  tree_node * t = tree_search(acl_anchor, ss);
+  if (t)
+    {
+    if (!(acl = (acl_block *)(t->data.ptr)))
+      {
+      HDEBUG(D_acl) debug_printf_indent("ACL \"%s\" is empty: implicit DENY\n", ss);
+      return FAIL;
+      }
+    acl_name = string_sprintf("ACL \"%s\"", ss);
+    HDEBUG(D_acl) debug_printf_indent("using ACL \"%s\"\n", ss);
+    }
+
+  else if (*ss == '/')
+    {
+    struct stat statbuf;
+    if ((fd = Uopen(ss, O_RDONLY, 0)) < 0)
+      {
+      *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
+        strerror(errno));
+      return ERROR;
+      }
+    if (fstat(fd, &statbuf) != 0)
+      {
+      *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
+        strerror(errno));
+      return ERROR;
+      }
+
+    /* If the string being used as a filename is tainted, so is the file content */
+    acl_text = store_get(statbuf.st_size + 1, ss);
+    acl_text_end = acl_text + statbuf.st_size + 1;
+
+    if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
+      {
+      *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
+        ss, strerror(errno));
+      return ERROR;
+      }
+    acl_text[statbuf.st_size] = 0;
+    (void)close(fd);
+
+    acl_name = string_sprintf("ACL \"%s\"", ss);
+    HDEBUG(D_acl) debug_printf_indent("read ACL from file %s\n", ss);
+    }
+  }
+
+/* Parse an ACL that is still in text form. If it came from a file, remember it
+in the ACL tree, having read it into the POOL_PERM store pool so that it
+persists between multiple messages. */
+
+if (!acl)
+  {
+  int old_pool = store_pool;
+  if (fd >= 0) store_pool = POOL_PERM;
+  acl = acl_read(acl_getline, log_msgptr);
+  store_pool = old_pool;
+  if (!acl && *log_msgptr) return ERROR;
+  if (fd >= 0)
+    {
+    tree_node * t = store_get_perm(sizeof(tree_node) + Ustrlen(ss), ss);
+    Ustrcpy(t->name, ss);
+    t->data.ptr = acl;
+    (void)tree_insertnode(&acl_anchor, t);
+    }
+  }
+
+/* Now we have an ACL to use. It's possible it may be NULL. */
+
+while ((acl_current = acl))
+  {
+  int cond;
+  int basic_errno = 0;
+  BOOL endpass_seen = FALSE;
+  BOOL acl_quit_check = acl_level == 0
+    && (where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT);
+
+  *log_msgptr = *user_msgptr = NULL;
+  f.acl_temp_details = FALSE;
+
+  HDEBUG(D_acl) debug_printf_indent("processing \"%s\" (%s %d)\n",
+    verbs[acl->verb], acl->srcfile, acl->srcline);
+
+  /* Clear out any search error message from a previous check before testing
+  this condition. */
+
+  search_error_message = NULL;
+  cond = acl_check_condition(acl->verb, acl->condition, where, addr, acl_level,
+    &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
+
+  /* Handle special returns: DEFER causes a return except on a WARN verb;
+  ERROR always causes a return. */
+
+  switch (cond)
+    {
+    case DEFER:
+      HDEBUG(D_acl) debug_printf_indent("%s: condition test deferred in %s\n",
+	verbs[acl->verb], acl_name);
+      if (basic_errno != ERRNO_CALLOUTDEFER)
+	{
+	if (search_error_message != NULL && *search_error_message != 0)
+	  *log_msgptr = search_error_message;
+	if (smtp_return_error_details) f.acl_temp_details = TRUE;
+	}
+      else
+	f.acl_temp_details = TRUE;
+      if (acl->verb != ACL_WARN) return DEFER;
+      break;
+
+    default:      /* Paranoia */
+    case ERROR:
+      HDEBUG(D_acl) debug_printf_indent("%s: condition test error in %s\n",
+	verbs[acl->verb], acl_name);
+      return ERROR;
+
+    case OK:
+      HDEBUG(D_acl) debug_printf_indent("%s: condition test succeeded in %s\n",
+	verbs[acl->verb], acl_name);
+      break;
+
+    case FAIL:
+      HDEBUG(D_acl) debug_printf_indent("%s: condition test failed in %s\n",
+	verbs[acl->verb], acl_name);
+      break;
+
+    /* DISCARD and DROP can happen only from a nested ACL condition, and
+    DISCARD can happen only for an "accept" or "discard" verb. */
+
+    case DISCARD:
+      HDEBUG(D_acl) debug_printf_indent("%s: condition test yielded \"discard\" in %s\n",
+	verbs[acl->verb], acl_name);
+      break;
+
+    case FAIL_DROP:
+      HDEBUG(D_acl) debug_printf_indent("%s: condition test yielded \"drop\" in %s\n",
+	verbs[acl->verb], acl_name);
+      break;
+    }
+
+  /* At this point, cond for most verbs is either OK or FAIL or (as a result of
+  a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
+  for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
+
+  switch(acl->verb)
+    {
+    case ACL_ACCEPT:
+      if (cond == OK || cond == DISCARD)
+	{
+	HDEBUG(D_acl) debug_printf_indent("end of %s: ACCEPT\n", acl_name);
+	return cond;
+	}
+      if (endpass_seen)
+	{
+	HDEBUG(D_acl) debug_printf_indent("accept: endpass encountered - denying access\n");
+	return cond;
+	}
+      break;
+
+    case ACL_DEFER:
+      if (cond == OK)
+	{
+	HDEBUG(D_acl) debug_printf_indent("end of %s: DEFER\n", acl_name);
+	if (acl_quit_check) goto badquit;
+	f.acl_temp_details = TRUE;
+	return DEFER;
+	}
+      break;
+
+    case ACL_DENY:
+      if (cond == OK)
+	{
+	HDEBUG(D_acl) debug_printf_indent("end of %s: DENY\n", acl_name);
+	if (acl_quit_check) goto badquit;
+	return FAIL;
+	}
+      break;
+
+    case ACL_DISCARD:
+      if (cond == OK || cond == DISCARD)
+	{
+	HDEBUG(D_acl) debug_printf_indent("end of %s: DISCARD\n", acl_name);
+	if (acl_quit_check) goto badquit;
+	return DISCARD;
+	}
+      if (endpass_seen)
+	{
+	HDEBUG(D_acl)
+	  debug_printf_indent("discard: endpass encountered - denying access\n");
+	return cond;
+	}
+      break;
+
+    case ACL_DROP:
+      if (cond == OK)
+	{
+	HDEBUG(D_acl) debug_printf_indent("end of %s: DROP\n", acl_name);
+	if (acl_quit_check) goto badquit;
+	return FAIL_DROP;
+	}
+      break;
+
+    case ACL_REQUIRE:
+      if (cond != OK)
+	{
+	HDEBUG(D_acl) debug_printf_indent("end of %s: not OK\n", acl_name);
+	if (acl_quit_check) goto badquit;
+	return cond;
+	}
+      break;
+
+    case ACL_WARN:
+      if (cond == OK)
+	acl_warn(where, *user_msgptr, *log_msgptr);
+      else if (cond == DEFER && LOGGING(acl_warn_skipped))
+	log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
+	  "condition test deferred%s%s", host_and_ident(TRUE),
+	  *log_msgptr ? US": " : US"",
+	  *log_msgptr ? *log_msgptr : US"");
+      *log_msgptr = *user_msgptr = NULL;  /* In case implicit DENY follows */
+      break;
+
+    default:
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
+	acl->verb);
+      break;
+    }
+
+  /* Pass to the next ACL item */
+
+  acl = acl->next;
+  }
+
+/* We have reached the end of the ACL. This is an implicit DENY. */
+
+HDEBUG(D_acl) debug_printf_indent("end of %s: implicit DENY\n", acl_name);
+return FAIL;
+
+badquit:
+  *log_msgptr = string_sprintf("QUIT or not-QUIT toplevel ACL may not fail "
+    "('%s' verb used incorrectly)", verbs[acl->verb]);
+  return ERROR;
+}
+
+
+
+
+/* Same args as acl_check_internal() above, but the string s is
+the name of an ACL followed optionally by up to 9 space-separated arguments.
+The name and args are separately expanded.  Args go into $acl_arg globals. */
+static int
+acl_check_wargs(int where, address_item *addr, const uschar *s,
+  uschar **user_msgptr, uschar **log_msgptr)
+{
+uschar * tmp;
+uschar * tmp_arg[9];	/* must match acl_arg[] */
+uschar * sav_arg[9];	/* must match acl_arg[] */
+int sav_narg;
+uschar * name;
+int i;
+int ret;
+
+if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
+  goto bad;
+
+for (i = 0; i < 9; i++)
+  {
+  while (*s && isspace(*s)) s++;
+  if (!*s) break;
+  if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
+    {
+    tmp = name;
+    goto bad;
+    }
+  }
+
+sav_narg = acl_narg;
+acl_narg = i;
+for (i = 0; i < acl_narg; i++)
+  {
+  sav_arg[i] = acl_arg[i];
+  acl_arg[i] = tmp_arg[i];
+  }
+while (i < 9)
+  {
+  sav_arg[i] = acl_arg[i];
+  acl_arg[i++] = NULL;
+  }
+
+acl_level++;
+ret = acl_check_internal(where, addr, name, user_msgptr, log_msgptr);
+acl_level--;
+
+acl_narg = sav_narg;
+for (i = 0; i < 9; i++) acl_arg[i] = sav_arg[i];
+return ret;
+
+bad:
+if (f.expand_string_forcedfail) return ERROR;
+*log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
+  tmp, expand_string_message);
+return f.search_find_defer ? DEFER : ERROR;
+}
+
+
+
+/*************************************************
+*        Check access using an ACL               *
+*************************************************/
+
+/* Alternate interface for ACL, used by expansions */
+int
+acl_eval(int where, uschar *s, uschar **user_msgptr, uschar **log_msgptr)
+{
+address_item adb;
+address_item *addr = NULL;
+int rc;
+
+*user_msgptr = *log_msgptr = NULL;
+sender_verified_failed = NULL;
+ratelimiters_cmd = NULL;
+log_reject_target = LOG_MAIN|LOG_REJECT;
+
+if (where == ACL_WHERE_RCPT)
+  {
+  adb = address_defaults;
+  addr = &adb;
+  addr->address = expand_string(US"$local_part@$domain");
+  addr->domain = deliver_domain;
+  addr->local_part = deliver_localpart;
+  addr->cc_local_part = deliver_localpart;
+  addr->lc_local_part = deliver_localpart;
+  }
+
+acl_level++;
+rc = acl_check_internal(where, addr, s, user_msgptr, log_msgptr);
+acl_level--;
+return rc;
+}
+
+
+
+/* This is the external interface for ACL checks. It sets up an address and the
+expansions for $domain and $local_part when called after RCPT, then calls
+acl_check_internal() to do the actual work.
+
+Arguments:
+  where        ACL_WHERE_xxxx indicating where called from
+  recipient    RCPT address for RCPT check, else NULL
+  s            the input string; NULL is the same as an empty ACL => DENY
+  user_msgptr  where to put a user error (for SMTP response)
+  log_msgptr   where to put a logging message (not for SMTP response)
+
+Returns:       OK         access is granted by an ACCEPT verb
+               DISCARD    access is granted by a DISCARD verb
+               FAIL       access is denied
+               FAIL_DROP  access is denied; drop the connection
+               DEFER      can't tell at the moment
+               ERROR      disaster
+*/
+int acl_where = ACL_WHERE_UNKNOWN;
+
+int
+acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
+  uschar **log_msgptr)
+{
+int rc;
+address_item adb;
+address_item *addr = NULL;
+
+*user_msgptr = *log_msgptr = NULL;
+sender_verified_failed = NULL;
+ratelimiters_cmd = NULL;
+log_reject_target = LOG_MAIN|LOG_REJECT;
+
+#ifndef DISABLE_PRDR
+if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY || where==ACL_WHERE_PRDR)
+#else
+if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY)
+#endif
+  {
+  adb = address_defaults;
+  addr = &adb;
+  addr->address = recipient;
+  if (deliver_split_address(addr) == DEFER)
+    {
+    *log_msgptr = US"defer in percent_hack_domains check";
+    return DEFER;
+    }
+#ifdef SUPPORT_I18N
+  if ((addr->prop.utf8_msg = message_smtputf8))
+    {
+    addr->prop.utf8_downcvt =       message_utf8_downconvert == 1;
+    addr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
+    }
+#endif
+  deliver_domain = addr->domain;
+  deliver_localpart = addr->local_part;
+  }
+
+acl_where = where;
+acl_level = 0;
+rc = acl_check_internal(where, addr, s, user_msgptr, log_msgptr);
+acl_level = 0;
+acl_where = ACL_WHERE_UNKNOWN;
+
+/* Cutthrough - if requested,
+and WHERE_RCPT and not yet opened conn as result of recipient-verify,
+and rcpt acl returned accept,
+and first recipient (cancel on any subsequents)
+open one now and run it up to RCPT acceptance.
+A failed verify should cancel cutthrough request,
+and will pass the fail to the originator.
+Initial implementation:  dual-write to spool.
+Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
+
+Cease cutthrough copy on rxd final dot; do not send one.
+
+On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
+
+On data acl accept, terminate the dataphase on an open cutthrough conn.  If accepted or
+perm-rejected, reflect that to the original sender - and dump the spooled copy.
+If temp-reject, close the conn (and keep the spooled copy).
+If conn-failure, no action (and keep the spooled copy).
+*/
+switch (where)
+  {
+  case ACL_WHERE_RCPT:
+#ifndef DISABLE_PRDR
+  case ACL_WHERE_PRDR:
+#endif
+
+    if (f.host_checking_callout)	/* -bhc mode */
+      cancel_cutthrough_connection(TRUE, US"host-checking mode");
+
+    else if (  rc == OK
+	    && cutthrough.delivery
+	    && rcpt_count > cutthrough.nrcpt
+	    )
+      {
+      if ((rc = open_cutthrough_connection(addr)) == DEFER)
+	if (cutthrough.defer_pass)
+	  {
+	  uschar * s = addr->message;
+	  /* Horrid kludge to recover target's SMTP message */
+	  while (*s) s++;
+	  do --s; while (!isdigit(*s));
+	  if (*--s && isdigit(*s) && *--s && isdigit(*s)) *user_msgptr = s;
+	  f.acl_temp_details = TRUE;
+	  }
+	else
+	  {
+	  HDEBUG(D_acl) debug_printf_indent("cutthrough defer; will spool\n");
+	  rc = OK;
+	  }
+      }
+    else HDEBUG(D_acl) if (cutthrough.delivery)
+      if (rcpt_count <= cutthrough.nrcpt)
+	debug_printf_indent("ignore cutthrough request; nonfirst message\n");
+      else if (rc != OK)
+	debug_printf_indent("ignore cutthrough request; ACL did not accept\n");
+    break;
+
+  case ACL_WHERE_PREDATA:
+    if (rc == OK)
+      cutthrough_predata();
+    else
+      cancel_cutthrough_connection(TRUE, US"predata acl not ok");
+    break;
+
+  case ACL_WHERE_QUIT:
+  case ACL_WHERE_NOTQUIT:
+    /* Drop cutthrough conns, and drop heldopen verify conns if
+    the previous was not DATA */
+    {
+    uschar prev =
+      smtp_connection_had[SMTP_HBUFF_PREV(SMTP_HBUFF_PREV(smtp_ch_index))];
+    BOOL dropverify = !(prev == SCH_DATA || prev == SCH_BDAT);
+
+    cancel_cutthrough_connection(dropverify, US"quit or conndrop");
+    break;
+    }
+
+  default:
+    break;
+  }
+
+deliver_domain = deliver_localpart = deliver_address_data =
+  deliver_domain_data = sender_address_data = NULL;
+
+/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
+ACL, which is really in the middle of an SMTP command. */
+
+if (rc == DISCARD)
+  {
+  if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
+      "ACL", acl_wherenames[where]);
+    return ERROR;
+    }
+  return DISCARD;
+  }
+
+/* A DROP response is not permitted from MAILAUTH */
+
+if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
+    "ACL", acl_wherenames[where]);
+  return ERROR;
+  }
+
+/* Before giving a response, take a look at the length of any user message, and
+split it up into multiple lines if possible. */
+
+*user_msgptr = string_split_message(*user_msgptr);
+if (fake_response != OK)
+  fake_response_text = string_split_message(fake_response_text);
+
+return rc;
+}
+
+
+/*************************************************
+*             Create ACL variable                *
+*************************************************/
+
+/* Create an ACL variable or reuse an existing one. ACL variables are in a
+binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
+
+Argument:
+  name    pointer to the variable's name, starting with c or m
+
+Returns   the pointer to variable's tree node
+*/
+
+tree_node *
+acl_var_create(uschar * name)
+{
+tree_node * node, ** root = name[0] == 'c' ? &acl_var_c : &acl_var_m;
+if (!(node = tree_search(*root, name)))
+  {
+  node = store_get(sizeof(tree_node) + Ustrlen(name), name);
+  Ustrcpy(node->name, name);
+  (void)tree_insertnode(root, node);
+  }
+node->data.ptr = NULL;
+return node;
+}
+
+
+
+/*************************************************
+*       Write an ACL variable in spool format    *
+*************************************************/
+
+/* This function is used as a callback for tree_walk when writing variables to
+the spool file. To retain spool file compatibility, what is written is -aclc or
+-aclm followed by the rest of the name and the data length, space separated,
+then the value itself, starting on a new line, and terminated by an additional
+newline. When we had only numbered ACL variables, the first line might look
+like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
+acl_cfoo.
+
+Arguments:
+  name    of the variable
+  value   of the variable
+  ctx     FILE pointer (as a void pointer)
+
+Returns:  nothing
+*/
+
+void
+acl_var_write(uschar * name, uschar * value, void * ctx)
+{
+FILE * f = (FILE *)ctx;
+putc('-', f);
+if (is_tainted(value))
+  {
+  int q = quoter_for_address(value);
+  putc('-', f);
+  if (is_real_quoter(q)) fprintf(f, "(%s)", lookup_list[q]->name);
+  }
+fprintf(f, "acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
+}
+
+#endif	/* !MACRO_PREDEF */
+/* vi: aw ai sw=2
+*/
+/* End of acl.c */
diff --git a/src/aliases.default b/src/aliases.default
new file mode 100644
index 0000000..725d172
--- /dev/null
+++ b/src/aliases.default
@@ -0,0 +1,40 @@
+# Default aliases file, installed by Exim. This file contains no real aliases.
+# You should edit it to taste.
+
+
+# The following alias is required by the mail RFCs 2821 and 2822.
+# Set it to the address of a HUMAN who deals with this system's mail problems.
+
+# postmaster: someone@your.domain
+
+# It is also common to set the following alias so that if anybody replies to a
+# bounce message from this host, the reply goes to the postmaster.
+
+# mailer-daemon: postmaster
+
+
+# You should also set up an alias for messages to root, because it is not
+# usually a good idea to deliver mail as root.
+
+# root: postmaster
+
+# It is a good idea to redirect any messages sent to system accounts so that
+# they don't just get ignored. Here are some common examples:
+
+# bin: root
+# daemon: root
+# ftp: root
+# nobody: root
+# operator: root
+# uucp: root
+
+# You should check your /etc/passwd for any others.
+
+
+# Other commonly enountered aliases are:
+#
+# abuse:       the person dealing with network and mail abuse
+# hostmaster:  the person dealing with DNS problems
+# webmaster:   the person dealing with your website
+
+####
diff --git a/src/arc.c b/src/arc.c
new file mode 100644
index 0000000..86688f6
--- /dev/null
+++ b/src/arc.c
@@ -0,0 +1,1903 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+/* Experimental ARC support for Exim
+   Copyright (c) Jeremy Harris 2018 - 2020
+   Copyright (c) The Exim Maintainers 2021 - 2022
+   License: GPL
+*/
+
+#include "exim.h"
+#if defined EXPERIMENTAL_ARC
+# if defined DISABLE_DKIM
+#  error DKIM must also be enabled for ARC
+# else
+
+#  include "functions.h"
+#  include "pdkim/pdkim.h"
+#  include "pdkim/signing.h"
+
+extern pdkim_ctx * dkim_verify_ctx;
+extern pdkim_ctx dkim_sign_ctx;
+
+#define ARC_SIGN_OPT_TSTAMP	BIT(0)
+#define ARC_SIGN_OPT_EXPIRE	BIT(1)
+
+#define ARC_SIGN_DEFAULT_EXPIRE_DELTA (60 * 60 * 24 * 30)	/* one month */
+
+/******************************************************************************/
+
+typedef struct hdr_rlist {
+  struct hdr_rlist *	prev;
+  BOOL			used;
+  header_line *		h;
+} hdr_rlist;
+
+typedef struct arc_line {
+  header_line *	complete;	/* including the header name; nul-term */
+  uschar *	relaxed;
+
+  /* identified tag contents */
+  /*XXX t= for AS? */
+  blob		i;
+  blob		cv;
+  blob		a;
+  blob		b;
+  blob		bh;
+  blob		d;
+  blob		h;
+  blob		s;
+  blob		c;
+  blob		l;
+
+  /* tag content sub-portions */
+  blob		a_algo;
+  blob		a_hash;
+
+  blob		c_head;
+  blob		c_body;
+
+  /* modified copy of b= field in line */
+  blob		rawsig_no_b_val;
+} arc_line;
+
+typedef struct arc_set {
+  struct arc_set *	next;
+  struct arc_set *	prev;
+
+  unsigned		instance;
+  arc_line *		hdr_aar;
+  arc_line *		hdr_ams;
+  arc_line *		hdr_as;
+
+  const uschar *	ams_verify_done;
+  BOOL			ams_verify_passed;
+} arc_set;
+
+typedef struct arc_ctx {
+  arc_set *	arcset_chain;
+  arc_set *	arcset_chain_last;
+} arc_ctx;
+
+#define ARC_HDR_AAR	US"ARC-Authentication-Results:"
+#define ARC_HDRLEN_AAR	27
+#define ARC_HDR_AMS	US"ARC-Message-Signature:"
+#define ARC_HDRLEN_AMS	22
+#define ARC_HDR_AS	US"ARC-Seal:"
+#define ARC_HDRLEN_AS	9
+#define HDR_AR		US"Authentication-Results:"
+#define HDRLEN_AR	23
+
+static time_t now;
+static time_t expire;
+static hdr_rlist * headers_rlist;
+static arc_ctx arc_sign_ctx = { NULL };
+static arc_ctx arc_verify_ctx = { NULL };
+
+
+/******************************************************************************/
+
+
+/* Get the instance number from the header.
+Return 0 on error */
+static unsigned
+arc_instance_from_hdr(const arc_line * al)
+{
+const uschar * s = al->i.data;
+if (!s || !al->i.len) return 0;
+return (unsigned) atoi(CCS s);
+}
+
+
+static uschar *
+skip_fws(uschar * s)
+{
+uschar c = *s;
+while (c && (c == ' ' || c == '\t' || c == '\n' || c == '\r')) c = *++s;
+return s;
+}
+
+
+/* Locate instance struct on chain, inserting a new one if
+needed.  The chain is in increasing-instance-number order
+by the "next" link, and we have a "prev" link also.
+*/
+
+static arc_set *
+arc_find_set(arc_ctx * ctx, unsigned i)
+{
+arc_set ** pas, * as, * next, * prev;
+
+for (pas = &ctx->arcset_chain, prev = NULL, next = ctx->arcset_chain;
+     as = *pas; pas = &as->next)
+  {
+  if (as->instance > i) break;
+  if (as->instance == i)
+    {
+    DEBUG(D_acl) debug_printf("ARC: existing instance %u\n", i);
+    return as;
+    }
+  next = as->next;
+  prev = as;
+  }
+
+DEBUG(D_acl) debug_printf("ARC: new instance %u\n", i);
+*pas = as = store_get(sizeof(arc_set), GET_UNTAINTED);
+memset(as, 0, sizeof(arc_set));
+as->next = next;
+as->prev = prev;
+as->instance = i;
+if (next)
+  next->prev = as;
+else
+  ctx->arcset_chain_last = as;
+return as;
+}
+
+
+
+/* Insert a tag content into the line structure.
+Note this is a reference to existing data, not a copy.
+Check for already-seen tag.
+The string-pointer is on the '=' for entry.  Update it past the
+content (to the ;) on return;
+*/
+
+static uschar *
+arc_insert_tagvalue(arc_line * al, unsigned loff, uschar ** ss)
+{
+uschar * s = *ss;
+uschar c = *++s;
+blob * b = (blob *)(US al + loff);
+size_t len = 0;
+
+/* [FWS] tag-value [FWS] */
+
+if (b->data) return US"fail";
+s = skip_fws(s);						/* FWS */
+
+b->data = s;
+while ((c = *s) && c != ';') { len++; s++; }
+*ss = s;
+while (len && ((c = s[-1]) == ' ' || c == '\t' || c == '\n' || c == '\r'))
+  { s--; len--; }						/* FWS */
+b->len = len;
+return NULL;
+}
+
+
+/* Inspect a header line, noting known tag fields.
+Check for duplicates. */
+
+static uschar *
+arc_parse_line(arc_line * al, header_line * h, unsigned off, BOOL instance_only)
+{
+uschar * s = h->text + off;
+uschar * r = NULL;	/* compiler-quietening */
+uschar c;
+
+al->complete = h;
+
+if (!instance_only)
+  {
+  al->rawsig_no_b_val.data = store_get(h->slen + 1, GET_TAINTED);
+  memcpy(al->rawsig_no_b_val.data, h->text, off);	/* copy the header name blind */
+  r = al->rawsig_no_b_val.data + off;
+  al->rawsig_no_b_val.len = off;
+  }
+
+/* tag-list  =  tag-spec *( ";" tag-spec ) [ ";" ] */
+
+while ((c = *s))
+  {
+  char tagchar;
+  uschar * t;
+  unsigned i = 0;
+  uschar * fieldstart = s;
+  uschar * bstart = NULL, * bend;
+
+  /* tag-spec  =  [FWS] tag-name [FWS] "=" [FWS] tag-value [FWS] */
+
+  s = skip_fws(s);						/* FWS */
+  if (!*s) break;
+/* debug_printf("%s: consider '%s'\n", __FUNCTION__, s); */
+  tagchar = *s++;
+  s = skip_fws(s);						/* FWS */
+  if (!*s) break;
+
+  if (!instance_only || tagchar == 'i') switch (tagchar)
+    {
+    case 'a':				/* a= AMS algorithm */
+      {
+      if (*s != '=') return US"no 'a' value";
+      if (arc_insert_tagvalue(al, offsetof(arc_line, a), &s)) return US"a tag dup";
+
+      /* substructure: algo-hash   (eg. rsa-sha256) */
+
+      t = al->a_algo.data = al->a.data;
+      while (*t != '-')
+	if (!*t++ || ++i > al->a.len) return US"no '-' in 'a' value";
+      al->a_algo.len = i;
+      if (*t++ != '-') return US"no '-' in 'a' value";
+      al->a_hash.data = t;
+      al->a_hash.len = al->a.len - i - 1;
+      }
+      break;
+    case 'b':
+      {
+      gstring * g = NULL;
+
+      switch (*s)
+	{
+	case '=':			/* b= AMS signature */
+	  if (al->b.data) return US"already b data";
+	  bstart = s+1;
+
+	  /* The signature can have FWS inserted in the content;
+	  make a stripped copy */
+
+	  while ((c = *++s) && c != ';')
+	    if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
+	      g = string_catn(g, s, 1);
+	  if (!g) return US"no b= value";
+	  al->b.data = string_from_gstring(g);
+	  al->b.len = g->ptr;
+	  gstring_release_unused(g);
+	  bend = s;
+	  break;
+	case 'h':			/* bh= AMS body hash */
+	  s = skip_fws(++s);					/* FWS */
+	  if (*s != '=') return US"no bh value";
+	  if (al->bh.data) return US"already bh data";
+
+	  /* The bodyhash can have FWS inserted in the content;
+	  make a stripped copy */
+
+	  while ((c = *++s) && c != ';')
+	    if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
+	      g = string_catn(g, s, 1);
+	  if (!g) return US"no bh= value";
+	  al->bh.data = string_from_gstring(g);
+	  al->bh.len = g->ptr;
+	  gstring_release_unused(g);
+	  break;
+	default:
+	  return US"b? tag";
+	}
+      }
+      break;
+    case 'c':
+      switch (*s)
+	{
+	case '=':			/* c= AMS canonicalisation */
+	  if (arc_insert_tagvalue(al, offsetof(arc_line, c), &s)) return US"c tag dup";
+
+	  /* substructure: head/body   (eg. relaxed/simple)) */
+
+	  t = al->c_head.data = al->c.data;
+	  while (isalpha(*t))
+	    if (!*t++ || ++i > al->a.len) break;
+	  al->c_head.len = i;
+	  if (*t++ == '/')		/* /body is optional */
+	    {
+	    al->c_body.data = t;
+	    al->c_body.len = al->c.len - i - 1;
+	    }
+	  else
+	    {
+	    al->c_body.data = US"simple";
+	    al->c_body.len = 6;
+	    }
+	  break;
+	case 'v':			/* cv= AS validity */
+	  if (*++s != '=') return US"cv tag val";
+	  if (arc_insert_tagvalue(al, offsetof(arc_line, cv), &s)) return US"cv tag dup";
+	  break;
+	default:
+	  return US"c? tag";
+	}
+      break;
+    case 'd':				/* d= AMS domain */
+      if (*s != '=') return US"d tag val";
+      if (arc_insert_tagvalue(al, offsetof(arc_line, d), &s)) return US"d tag dup";
+      break;
+    case 'h':				/* h= AMS headers */
+      if (*s != '=') return US"h tag val";
+      if (arc_insert_tagvalue(al, offsetof(arc_line, h), &s)) return US"h tag dup";
+      break;
+    case 'i':				/* i= ARC set instance */
+      if (*s != '=') return US"i tag val";
+      if (arc_insert_tagvalue(al, offsetof(arc_line, i), &s)) return US"i tag dup";
+      if (instance_only) goto done;
+      break;
+    case 'l':				/* l= bodylength */
+      if (*s != '=') return US"l tag val";
+      if (arc_insert_tagvalue(al, offsetof(arc_line, l), &s)) return US"l tag dup";
+      break;
+    case 's':				/* s= AMS selector */
+      if (*s != '=') return US"s tag val";
+      if (arc_insert_tagvalue(al, offsetof(arc_line, s), &s)) return US"s tag dup";
+      break;
+    }
+
+  while ((c = *s) && c != ';') s++;
+  if (c) s++;				/* ; after tag-spec */
+
+  /* for all but the b= tag, copy the field including FWS.  For the b=,
+  drop the tag content. */
+
+  if (!instance_only)
+    if (bstart)
+      {
+      size_t n = bstart - fieldstart;
+      memcpy(r, fieldstart, n);		/* FWS "b=" */
+      r += n;
+      al->rawsig_no_b_val.len += n;
+      n = s - bend;
+      memcpy(r, bend, n);		/* FWS ";" */
+      r += n;
+      al->rawsig_no_b_val.len += n;
+      }
+    else
+      {
+      size_t n = s - fieldstart;
+      memcpy(r, fieldstart, n);
+      r += n;
+      al->rawsig_no_b_val.len += n;
+      }
+  }
+
+if (!instance_only)
+  *r = '\0';
+
+done:
+/* debug_printf("%s: finshed\n", __FUNCTION__); */
+return NULL;
+}
+
+
+/* Insert one header line in the correct set of the chain,
+adding instances as needed and checking for duplicate lines.
+*/
+
+static uschar *
+arc_insert_hdr(arc_ctx * ctx, header_line * h, unsigned off, unsigned hoff,
+  BOOL instance_only, arc_line ** alp_ret)
+{
+unsigned i;
+arc_set * as;
+arc_line * al = store_get(sizeof(arc_line), GET_UNTAINTED), ** alp;
+uschar * e;
+
+memset(al, 0, sizeof(arc_line));
+
+if ((e = arc_parse_line(al, h, off, instance_only)))
+  {
+  DEBUG(D_acl) if (e) debug_printf("ARC: %s\n", e);
+  return US"line parse";
+  }
+if (!(i = arc_instance_from_hdr(al)))	return US"instance find";
+if (i > 50)				return US"overlarge instance number";
+if (!(as = arc_find_set(ctx, i)))	return US"set find";
+if (*(alp = (arc_line **)(US as + hoff))) return US"dup hdr";
+
+*alp = al;
+if (alp_ret) *alp_ret = al;
+return NULL;
+}
+
+
+
+
+static const uschar *
+arc_try_header(arc_ctx * ctx, header_line * h, BOOL instance_only)
+{
+const uschar * e;
+
+/*debug_printf("consider hdr '%s'\n", h->text);*/
+if (strncmpic(ARC_HDR_AAR, h->text, ARC_HDRLEN_AAR) == 0)
+  {
+  DEBUG(D_acl)
+    {
+    int len = h->slen;
+    uschar * s;
+    for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
+      s--, len--;
+    debug_printf("ARC: found AAR: %.*s\n", len, h->text);
+    }
+  if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AAR, offsetof(arc_set, hdr_aar),
+			  TRUE, NULL)))
+    {
+    DEBUG(D_acl) debug_printf("inserting AAR: %s\n", e);
+    return US"inserting AAR";
+    }
+  }
+else if (strncmpic(ARC_HDR_AMS, h->text, ARC_HDRLEN_AMS) == 0)
+  {
+  arc_line * ams;
+
+  DEBUG(D_acl)
+    {
+    int len = h->slen;
+    uschar * s;
+    for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
+      s--, len--;
+    debug_printf("ARC: found AMS: %.*s\n", len, h->text);
+    }
+  if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AMS, offsetof(arc_set, hdr_ams),
+			  instance_only, &ams)))
+    {
+    DEBUG(D_acl) debug_printf("inserting AMS: %s\n", e);
+    return US"inserting AMS";
+    }
+
+  /* defaults */
+  if (!ams->c.data)
+    {
+    ams->c_head.data = US"simple"; ams->c_head.len = 6;
+    ams->c_body = ams->c_head;
+    }
+  }
+else if (strncmpic(ARC_HDR_AS, h->text, ARC_HDRLEN_AS) == 0)
+  {
+  DEBUG(D_acl)
+    {
+    int len = h->slen;
+    uschar * s;
+    for (s = h->text + h->slen; s[-1] == '\r' || s[-1] == '\n'; )
+      s--, len--;
+    debug_printf("ARC: found AS: %.*s\n", len, h->text);
+    }
+  if ((e = arc_insert_hdr(ctx, h, ARC_HDRLEN_AS, offsetof(arc_set, hdr_as),
+			  instance_only, NULL)))
+    {
+    DEBUG(D_acl) debug_printf("inserting AS: %s\n", e);
+    return US"inserting AS";
+    }
+  }
+return NULL;
+}
+
+
+
+/* Gather the chain of arc sets from the headers.
+Check for duplicates while that is done.  Also build the
+reverse-order headers list;
+
+Return: ARC state if determined, eg. by lack of any ARC chain.
+*/
+
+static const uschar *
+arc_vfy_collect_hdrs(arc_ctx * ctx)
+{
+header_line * h;
+hdr_rlist * r = NULL, * rprev = NULL;
+const uschar * e;
+
+DEBUG(D_acl) debug_printf("ARC: collecting arc sets\n");
+for (h = header_list; h; h = h->next)
+  {
+  r = store_get(sizeof(hdr_rlist), GET_UNTAINTED);
+  r->prev = rprev;
+  r->used = FALSE;
+  r->h = h;
+  rprev = r;
+
+  if ((e = arc_try_header(ctx, h, FALSE)))
+    {
+    arc_state_reason = string_sprintf("collecting headers: %s", e);
+    return US"fail";
+    }
+  }
+headers_rlist = r;
+
+if (!ctx->arcset_chain) return US"none";
+return NULL;
+}
+
+
+static BOOL
+arc_cv_match(arc_line * al, const uschar * s)
+{
+return Ustrncmp(s, al->cv.data, al->cv.len) == 0;
+}
+
+/******************************************************************************/
+
+/* Return the hash of headers from the message that the AMS claims it
+signed.
+*/
+
+static void
+arc_get_verify_hhash(arc_ctx * ctx, arc_line * ams, blob * hhash)
+{
+const uschar * headernames = string_copyn(ams->h.data, ams->h.len);
+const uschar * hn;
+int sep = ':';
+hdr_rlist * r;
+BOOL relaxed = Ustrncmp(US"relaxed", ams->c_head.data, ams->c_head.len) == 0;
+int hashtype = pdkim_hashname_to_hashtype(
+		    ams->a_hash.data, ams->a_hash.len);
+hctx hhash_ctx;
+const uschar * s;
+int len;
+
+if (  hashtype == -1
+   || !exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
+  {
+  DEBUG(D_acl)
+      debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
+  return;
+  }
+
+/* For each headername in the list from the AMS (walking in order)
+walk the message headers in reverse order, adding to the hash any
+found for the first time. For that last point, maintain used-marks
+on the list of message headers. */
+
+DEBUG(D_acl) debug_printf("ARC: AMS header data for verification:\n");
+
+for (r = headers_rlist; r; r = r->prev)
+  r->used = FALSE;
+while ((hn = string_nextinlist(&headernames, &sep, NULL, 0)))
+  for (r = headers_rlist; r; r = r->prev)
+    if (  !r->used
+       && strncasecmp(CCS (s = r->h->text), CCS hn, Ustrlen(hn)) == 0
+       )
+      {
+      if (relaxed) s = pdkim_relax_header_n(s, r->h->slen, TRUE);
+
+      len = Ustrlen(s);
+      DEBUG(D_acl) pdkim_quoteprint(s, len);
+      exim_sha_update_string(&hhash_ctx, s);
+      r->used = TRUE;
+      break;
+      }
+
+/* Finally add in the signature header (with the b= tag stripped); no CRLF */
+
+s = ams->rawsig_no_b_val.data, len = ams->rawsig_no_b_val.len;
+if (relaxed)
+  len = Ustrlen(s = pdkim_relax_header_n(s, len, FALSE));
+DEBUG(D_acl) pdkim_quoteprint(s, len);
+exim_sha_update(&hhash_ctx, s, len);
+
+exim_sha_finish(&hhash_ctx, hhash);
+DEBUG(D_acl)
+  { debug_printf("ARC: header hash: "); pdkim_hexprint(hhash->data, hhash->len); }
+return;
+}
+
+
+
+
+static pdkim_pubkey *
+arc_line_to_pubkey(arc_line * al)
+{
+uschar * dns_txt;
+pdkim_pubkey * p;
+
+if (!(dns_txt = dkim_exim_query_dns_txt(string_sprintf("%.*s._domainkey.%.*s",
+	  (int)al->s.len, al->s.data, (int)al->d.len, al->d.data))))
+  {
+  DEBUG(D_acl) debug_printf("pubkey dns lookup fail\n");
+  return NULL;
+  }
+
+if (  !(p = pdkim_parse_pubkey_record(dns_txt))
+   || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
+   )
+  {
+  DEBUG(D_acl) debug_printf("pubkey dns lookup format error\n");
+  return NULL;
+  }
+
+/* If the pubkey limits use to specified hashes, reject unusable
+signatures. XXX should we have looked for multiple dns records? */
+
+if (p->hashes)
+  {
+  const uschar * list = p->hashes, * ele;
+  int sep = ':';
+
+  while ((ele = string_nextinlist(&list, &sep, NULL, 0)))
+    if (Ustrncmp(ele, al->a_hash.data, al->a_hash.len) == 0) break;
+  if (!ele)
+    {
+    DEBUG(D_acl) debug_printf("pubkey h=%s vs sig a=%.*s\n",
+			      p->hashes, (int)al->a.len, al->a.data);
+    return NULL;
+    }
+  }
+return p;
+}
+
+
+
+
+static pdkim_bodyhash *
+arc_ams_setup_vfy_bodyhash(arc_line * ams)
+{
+int canon_head = -1, canon_body = -1;
+long bodylen;
+
+if (!ams->c.data) ams->c.data = US"simple";	/* RFC 6376 (DKIM) default */
+pdkim_cstring_to_canons(ams->c.data, ams->c.len, &canon_head, &canon_body);
+bodylen = ams->l.data
+	? strtol(CS string_copyn(ams->l.data, ams->l.len), NULL, 10) : -1;
+
+return pdkim_set_bodyhash(dkim_verify_ctx,
+	pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len),
+	canon_body,
+	bodylen);
+}
+
+
+
+/* Verify an AMS. This is a DKIM-sig header, but with an ARC i= tag
+and without a DKIM v= tag.
+*/
+
+static const uschar *
+arc_ams_verify(arc_ctx * ctx, arc_set * as)
+{
+arc_line * ams = as->hdr_ams;
+pdkim_bodyhash * b;
+pdkim_pubkey * p;
+blob sighash;
+blob hhash;
+ev_ctx vctx;
+int hashtype;
+const uschar * errstr;
+
+as->ams_verify_done = US"in-progress";
+
+/* Check the AMS has all the required tags:
+   "a="  algorithm
+   "b="  signature
+   "bh=" body hash
+   "d="  domain (for key lookup)
+   "h="  headers (included in signature)
+   "s="  key-selector (for key lookup)
+*/
+if (  !ams->a.data || !ams->b.data || !ams->bh.data || !ams->d.data
+   || !ams->h.data || !ams->s.data)
+  {
+  as->ams_verify_done = arc_state_reason = US"required tag missing";
+  return US"fail";
+  }
+
+
+/* The bodyhash should have been created earlier, and the dkim code should
+have managed calculating it during message input.  Find the reference to it. */
+
+if (!(b = arc_ams_setup_vfy_bodyhash(ams)))
+  {
+  as->ams_verify_done = arc_state_reason = US"internal hash setup error";
+  return US"fail";
+  }
+
+DEBUG(D_acl)
+  {
+  debug_printf("ARC i=%d AMS   Body bytes hashed: %lu\n"
+	       "              Body %.*s computed: ",
+	       as->instance, b->signed_body_bytes,
+	       (int)ams->a_hash.len, ams->a_hash.data);
+  pdkim_hexprint(CUS b->bh.data, b->bh.len);
+  }
+
+/* We know the bh-tag blob is of a nul-term string, so safe as a string */
+
+if (  !ams->bh.data
+   || (pdkim_decode_base64(ams->bh.data, &sighash), sighash.len != b->bh.len)
+   || memcmp(sighash.data, b->bh.data, b->bh.len) != 0
+   )
+  {
+  DEBUG(D_acl)
+    {
+    debug_printf("ARC i=%d AMS Body hash from headers: ", as->instance);
+    pdkim_hexprint(sighash.data, sighash.len);
+    debug_printf("ARC i=%d AMS Body hash did NOT match\n", as->instance);
+    }
+  return as->ams_verify_done = arc_state_reason = US"AMS body hash miscompare";
+  }
+
+DEBUG(D_acl) debug_printf("ARC i=%d AMS Body hash compared OK\n", as->instance);
+
+/* Get the public key from DNS */
+
+if (!(p = arc_line_to_pubkey(ams)))
+  return as->ams_verify_done = arc_state_reason = US"pubkey problem";
+
+/* We know the b-tag blob is of a nul-term string, so safe as a string */
+pdkim_decode_base64(ams->b.data, &sighash);
+
+arc_get_verify_hhash(ctx, ams, &hhash);
+
+/* Setup the interface to the signing library */
+
+if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx, NULL)))
+  {
+  DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
+  as->ams_verify_done = arc_state_reason = US"internal sigverify init error";
+  return US"fail";
+  }
+
+hashtype = pdkim_hashname_to_hashtype(ams->a_hash.data, ams->a_hash.len);
+if (hashtype == -1)
+  {
+  DEBUG(D_acl) debug_printf("ARC i=%d AMS verify bad a_hash\n", as->instance);
+  return as->ams_verify_done = arc_state_reason = US"AMS sig nonverify";
+  }
+
+if ((errstr = exim_dkim_verify(&vctx,
+	  pdkim_hashes[hashtype].exim_hashmethod, &hhash, &sighash)))
+  {
+  DEBUG(D_acl) debug_printf("ARC i=%d AMS verify %s\n", as->instance, errstr);
+  return as->ams_verify_done = arc_state_reason = US"AMS sig nonverify";
+  }
+
+DEBUG(D_acl) debug_printf("ARC i=%d AMS verify pass\n", as->instance);
+as->ams_verify_passed = TRUE;
+return NULL;
+}
+
+
+
+/* Check the sets are instance-continuous and that all
+members are present.  Check that no arc_seals are "fail".
+Set the highest instance number global.
+Verify the latest AMS.
+*/
+static uschar *
+arc_headers_check(arc_ctx * ctx)
+{
+arc_set * as;
+int inst;
+BOOL ams_fail_found = FALSE;
+
+if (!(as = ctx->arcset_chain_last))
+  return US"none";
+
+for(inst = as->instance; as; as = as->prev, inst--)
+  {
+  if (as->instance != inst)
+    arc_state_reason = string_sprintf("i=%d (sequence; expected %d)",
+      as->instance, inst);
+  else if (!as->hdr_aar || !as->hdr_ams || !as->hdr_as)
+    arc_state_reason = string_sprintf("i=%d (missing header)", as->instance);
+  else if (arc_cv_match(as->hdr_as, US"fail"))
+    arc_state_reason = string_sprintf("i=%d (cv)", as->instance);
+  else
+    goto good;
+
+  DEBUG(D_acl) debug_printf("ARC chain fail at %s\n", arc_state_reason);
+  return US"fail";
+
+  good:
+  /* Evaluate the oldest-pass AMS validation while we're here.
+  It does not affect the AS chain validation but is reported as
+  auxilary info. */
+
+  if (!ams_fail_found)
+    if (arc_ams_verify(ctx, as))
+      ams_fail_found = TRUE;
+    else
+      arc_oldest_pass = inst;
+  arc_state_reason = NULL;
+  }
+if (inst != 0)
+  {
+  arc_state_reason = string_sprintf("(sequence; expected i=%d)", inst);
+  DEBUG(D_acl) debug_printf("ARC chain fail %s\n", arc_state_reason);
+  return US"fail";
+  }
+
+arc_received = ctx->arcset_chain_last;
+arc_received_instance = arc_received->instance;
+
+/* We can skip the latest-AMS validation, if we already did it. */
+
+as = ctx->arcset_chain_last;
+if (!as->ams_verify_passed)
+  {
+  if (as->ams_verify_done)
+    {
+    arc_state_reason = as->ams_verify_done;
+    return US"fail";
+    }
+  if (!!arc_ams_verify(ctx, as))
+    return US"fail";
+  }
+return NULL;
+}
+
+
+/******************************************************************************/
+static const uschar *
+arc_seal_verify(arc_ctx * ctx, arc_set * as)
+{
+arc_line * hdr_as = as->hdr_as;
+arc_set * as2;
+int hashtype;
+hctx hhash_ctx;
+blob hhash_computed;
+blob sighash;
+ev_ctx vctx;
+pdkim_pubkey * p;
+const uschar * errstr;
+
+DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d\n", as->instance);
+/*
+       1.  If the value of the "cv" tag on that seal is "fail", the
+           chain state is "fail" and the algorithm stops here.  (This
+           step SHOULD be skipped if the earlier step (2.1) was
+           performed) [it was]
+
+       2.  In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
+           == "none" && i != 1)) then the chain state is "fail" and the
+           algorithm stops here (note that the ordering of the logic is
+           structured for short-circuit evaluation).
+*/
+
+if (  as->instance == 1 && !arc_cv_match(hdr_as, US"none")
+   || arc_cv_match(hdr_as, US"none") && as->instance != 1
+   )
+  {
+  arc_state_reason = US"seal cv state";
+  return US"fail";
+  }
+
+/*
+       3.  Initialize a hash function corresponding to the "a" tag of
+           the ARC-Seal.
+*/
+
+hashtype = pdkim_hashname_to_hashtype(hdr_as->a_hash.data, hdr_as->a_hash.len);
+
+if (  hashtype == -1
+   || !exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod))
+  {
+  DEBUG(D_acl)
+      debug_printf("ARC: hash setup error, possibly nonhandled hashtype\n");
+  arc_state_reason = US"seal hash setup error";
+  return US"fail";
+  }
+
+/*
+       4.  Compute the canonicalized form of the ARC header fields, in
+           the order described in Section 5.4.2, using the "relaxed"
+           header canonicalization defined in Section 3.4.2 of
+           [RFC6376].  Pass the canonicalized result to the hash
+           function.
+
+Headers are CRLF-separated, but the last one is not crlf-terminated.
+*/
+
+DEBUG(D_acl) debug_printf("ARC: AS header data for verification:\n");
+for (as2 = ctx->arcset_chain;
+     as2 && as2->instance <= as->instance;
+     as2 = as2->next)
+  {
+  arc_line * al;
+  uschar * s;
+  int len;
+
+  al = as2->hdr_aar;
+  if (!(s = al->relaxed))
+    al->relaxed = s = pdkim_relax_header_n(al->complete->text,
+					    al->complete->slen, TRUE);
+  len = Ustrlen(s);
+  DEBUG(D_acl) pdkim_quoteprint(s, len);
+  exim_sha_update(&hhash_ctx, s, len);
+
+  al = as2->hdr_ams;
+  if (!(s = al->relaxed))
+    al->relaxed = s = pdkim_relax_header_n(al->complete->text,
+					    al->complete->slen, TRUE);
+  len = Ustrlen(s);
+  DEBUG(D_acl) pdkim_quoteprint(s, len);
+  exim_sha_update(&hhash_ctx, s, len);
+
+  al = as2->hdr_as;
+  if (as2->instance == as->instance)
+    s = pdkim_relax_header_n(al->rawsig_no_b_val.data,
+					al->rawsig_no_b_val.len, FALSE);
+  else if (!(s = al->relaxed))
+    al->relaxed = s = pdkim_relax_header_n(al->complete->text,
+					    al->complete->slen, TRUE);
+  len = Ustrlen(s);
+  DEBUG(D_acl) pdkim_quoteprint(s, len);
+  exim_sha_update(&hhash_ctx, s, len);
+  }
+
+/*
+       5.  Retrieve the final digest from the hash function.
+*/
+
+exim_sha_finish(&hhash_ctx, &hhash_computed);
+DEBUG(D_acl)
+  {
+  debug_printf("ARC i=%d AS Header %.*s computed: ",
+    as->instance, (int)hdr_as->a_hash.len, hdr_as->a_hash.data);
+  pdkim_hexprint(hhash_computed.data, hhash_computed.len);
+  }
+
+
+/*
+       6.  Retrieve the public key identified by the "s" and "d" tags in
+           the ARC-Seal, as described in Section 4.1.6.
+*/
+
+if (!(p = arc_line_to_pubkey(hdr_as)))
+  return US"pubkey problem";
+
+/*
+       7.  Determine whether the signature portion ("b" tag) of the ARC-
+           Seal and the digest computed above are valid according to the
+           public key.  (See also Section Section 8.4 for failure case
+           handling)
+
+       8.  If the signature is not valid, the chain state is "fail" and
+           the algorithm stops here.
+*/
+
+/* We know the b-tag blob is of a nul-term string, so safe as a string */
+pdkim_decode_base64(hdr_as->b.data, &sighash);
+
+if ((errstr = exim_dkim_verify_init(&p->key, KEYFMT_DER, &vctx, NULL)))
+  {
+  DEBUG(D_acl) debug_printf("ARC verify init: %s\n", errstr);
+  return US"fail";
+  }
+
+if ((errstr = exim_dkim_verify(&vctx,
+	      pdkim_hashes[hashtype].exim_hashmethod,
+	      &hhash_computed, &sighash)))
+  {
+  DEBUG(D_acl)
+    debug_printf("ARC i=%d AS headers verify: %s\n", as->instance, errstr);
+  arc_state_reason = US"seal sigverify error";
+  return US"fail";
+  }
+
+DEBUG(D_acl) debug_printf("ARC: AS vfy i=%d pass\n", as->instance);
+return NULL;
+}
+
+
+static const uschar *
+arc_verify_seals(arc_ctx * ctx)
+{
+arc_set * as = ctx->arcset_chain_last;
+
+if (!as)
+  return US"none";
+
+for ( ; as; as = as->prev) if (arc_seal_verify(ctx, as)) return US"fail";
+
+DEBUG(D_acl) debug_printf("ARC: AS vfy overall pass\n");
+return NULL;
+}
+/******************************************************************************/
+
+/* Do ARC verification.  Called from DATA ACL, on a verify = arc
+condition.  No arguments; we are checking globals.
+
+Return:  The ARC state, or NULL on error.
+*/
+
+const uschar *
+acl_verify_arc(void)
+{
+const uschar * res;
+
+memset(&arc_verify_ctx, 0, sizeof(arc_verify_ctx));
+
+if (!dkim_verify_ctx)
+  {
+  DEBUG(D_acl) debug_printf("ARC: no DKIM verify context\n");
+  return NULL;
+  }
+
+/* AS evaluation, per
+https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-6
+*/
+/* 1.  Collect all ARC sets currently on the message.  If there were
+       none, the ARC state is "none" and the algorithm stops here.
+*/
+
+if ((res = arc_vfy_collect_hdrs(&arc_verify_ctx)))
+  goto out;
+
+/* 2.  If the form of any ARC set is invalid (e.g., does not contain
+       exactly one of each of the three ARC-specific header fields),
+       then the chain state is "fail" and the algorithm stops here.
+
+       1.  To avoid the overhead of unnecessary computation and delay
+           from crypto and DNS operations, the cv value for all ARC-
+           Seal(s) MAY be checked at this point.  If any of the values
+           are "fail", then the overall state of the chain is "fail" and
+           the algorithm stops here.
+
+   3.  Conduct verification of the ARC-Message-Signature header field
+       bearing the highest instance number.  If this verification fails,
+       then the chain state is "fail" and the algorithm stops here.
+*/
+
+if ((res = arc_headers_check(&arc_verify_ctx)))
+  goto out;
+
+/* 4.  For each ARC-Seal from the "N"th instance to the first, apply the
+       following logic:
+
+       1.  If the value of the "cv" tag on that seal is "fail", the
+           chain state is "fail" and the algorithm stops here.  (This
+           step SHOULD be skipped if the earlier step (2.1) was
+           performed)
+
+       2.  In Boolean nomenclature: if ((i == 1 && cv != "none") or (cv
+           == "none" && i != 1)) then the chain state is "fail" and the
+           algorithm stops here (note that the ordering of the logic is
+           structured for short-circuit evaluation).
+
+       3.  Initialize a hash function corresponding to the "a" tag of
+           the ARC-Seal.
+
+       4.  Compute the canonicalized form of the ARC header fields, in
+           the order described in Section 5.4.2, using the "relaxed"
+           header canonicalization defined in Section 3.4.2 of
+           [RFC6376].  Pass the canonicalized result to the hash
+           function.
+
+       5.  Retrieve the final digest from the hash function.
+
+       6.  Retrieve the public key identified by the "s" and "d" tags in
+           the ARC-Seal, as described in Section 4.1.6.
+
+       7.  Determine whether the signature portion ("b" tag) of the ARC-
+           Seal and the digest computed above are valid according to the
+           public key.  (See also Section Section 8.4 for failure case
+           handling)
+
+       8.  If the signature is not valid, the chain state is "fail" and
+           the algorithm stops here.
+
+   5.  If all seals pass validation, then the chain state is "pass", and
+       the algorithm is complete.
+*/
+
+if ((res = arc_verify_seals(&arc_verify_ctx)))
+  goto out;
+
+res = US"pass";
+
+out:
+  return res;
+}
+
+/******************************************************************************/
+
+/* Prepend the header to the rlist */
+
+static hdr_rlist *
+arc_rlist_entry(hdr_rlist * list, const uschar * s, int len)
+{
+hdr_rlist * r = store_get(sizeof(hdr_rlist) + sizeof(header_line), GET_UNTAINTED);
+header_line * h = r->h = (header_line *)(r+1);
+
+r->prev = list;
+r->used = FALSE;
+h->next = NULL;
+h->type = 0;
+h->slen = len;
+h->text = US s;
+
+return r;
+}
+
+
+/* Walk the given headers strings identifying each header, and construct
+a reverse-order list.
+*/
+
+static hdr_rlist *
+arc_sign_scan_headers(arc_ctx * ctx, gstring * sigheaders)
+{
+const uschar * s;
+hdr_rlist * rheaders = NULL;
+
+s = sigheaders ? sigheaders->s : NULL;
+if (s) while (*s)
+  {
+  const uschar * s2 = s;
+
+  /* This works for either NL or CRLF lines; also nul-termination */
+  while (*++s2)
+    if (*s2 == '\n' && s2[1] != '\t' && s2[1] != ' ') break;
+  s2++;		/* move past end of line */
+
+  rheaders = arc_rlist_entry(rheaders, s, s2 - s);
+  s = s2;
+  }
+return rheaders;
+}
+
+
+
+/* Return the A-R content, without identity, with line-ending and
+NUL termination. */
+
+static BOOL
+arc_sign_find_ar(header_line * headers, const uschar * identity, blob * ret)
+{
+header_line * h;
+int ilen = Ustrlen(identity);
+
+ret->data = NULL;
+for(h = headers; h; h = h->next)
+  {
+  uschar * s = h->text, c;
+  int len = h->slen;
+
+  if (Ustrncmp(s, HDR_AR, HDRLEN_AR) != 0) continue;
+  s += HDRLEN_AR, len -= HDRLEN_AR;		/* header name */
+  while (  len > 0
+	&& (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
+    s++, len--;					/* FWS */
+  if (Ustrncmp(s, identity, ilen) != 0) continue;
+  s += ilen; len -= ilen;			/* identity */
+  if (len <= 0) continue;
+  if ((c = *s) && c == ';') s++, len--;		/* identity terminator */
+  while (  len > 0
+	&& (c = *s) && (c == ' ' || c == '\t' || c == '\r' || c == '\n'))
+    s++, len--;					/* FWS */
+  if (len <= 0) continue;
+  ret->data = s;
+  ret->len = len;
+  return TRUE;
+  }
+return FALSE;
+}
+
+
+
+/* Append a constructed AAR including CRLF.  Add it to the arc_ctx too.  */
+
+static gstring *
+arc_sign_append_aar(gstring * g, arc_ctx * ctx,
+  const uschar * identity, int instance, blob * ar)
+{
+int aar_off = gstring_length(g);
+arc_set * as =
+  store_get(sizeof(arc_set) + sizeof(arc_line) + sizeof(header_line), GET_UNTAINTED);
+arc_line * al = (arc_line *)(as+1);
+header_line * h = (header_line *)(al+1);
+
+g = string_catn(g, ARC_HDR_AAR, ARC_HDRLEN_AAR);
+g = string_fmt_append(g, " i=%d; %s;\r\n\t", instance, identity);
+g = string_catn(g, US ar->data, ar->len);
+
+h->slen = g->ptr - aar_off;
+h->text = g->s + aar_off;
+al->complete = h;
+as->next = NULL;
+as->prev = ctx->arcset_chain_last;
+as->instance = instance;
+as->hdr_aar = al;
+if (instance == 1)
+  ctx->arcset_chain = as;
+else
+  ctx->arcset_chain_last->next = as;
+ctx->arcset_chain_last = as;
+
+DEBUG(D_transport) debug_printf("ARC: AAR '%.*s'\n", h->slen - 2, h->text);
+return g;
+}
+
+
+
+static BOOL
+arc_sig_from_pseudoheader(gstring * hdata, int hashtype, const uschar * privkey,
+  blob * sig, const uschar * why)
+{
+hashmethod hm = /*sig->keytype == KEYTYPE_ED25519*/ FALSE
+  ? HASH_SHA2_512 : pdkim_hashes[hashtype].exim_hashmethod;
+blob hhash;
+es_ctx sctx;
+const uschar * errstr;
+
+DEBUG(D_transport)
+  {
+  hctx hhash_ctx;
+  debug_printf("ARC: %s header data for signing:\n", why);
+  pdkim_quoteprint(hdata->s, hdata->ptr);
+
+  (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
+  exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
+  exim_sha_finish(&hhash_ctx, &hhash);
+  debug_printf("ARC: header hash: "); pdkim_hexprint(hhash.data, hhash.len);
+  }
+
+if (FALSE /*need hash for Ed25519 or GCrypt signing*/ )
+  {
+  hctx hhash_ctx;
+  (void) exim_sha_init(&hhash_ctx, pdkim_hashes[hashtype].exim_hashmethod);
+  exim_sha_update(&hhash_ctx, hdata->s, hdata->ptr);
+  exim_sha_finish(&hhash_ctx, &hhash);
+  }
+else
+  {
+  hhash.data = hdata->s;
+  hhash.len = hdata->ptr;
+  }
+
+if (  (errstr = exim_dkim_signing_init(privkey, &sctx))
+   || (errstr = exim_dkim_sign(&sctx, hm, &hhash, sig)))
+  {
+  log_write(0, LOG_MAIN, "ARC: %s signing: %s\n", why, errstr);
+  DEBUG(D_transport)
+    debug_printf("private key, or private-key file content, was: '%s'\n",
+      privkey);
+  return FALSE;
+  }
+return TRUE;
+}
+
+
+
+static gstring *
+arc_sign_append_sig(gstring * g, blob * sig)
+{
+/*debug_printf("%s: raw sig ", __FUNCTION__); pdkim_hexprint(sig->data, sig->len);*/
+sig->data = pdkim_encode_base64(sig);
+sig->len = Ustrlen(sig->data);
+for (;;)
+  {
+  int len = MIN(sig->len, 74);
+  g = string_catn(g, sig->data, len);
+  if ((sig->len -= len) == 0) break;
+  sig->data += len;
+  g = string_catn(g, US"\r\n\t  ", 5);
+  }
+g = string_catn(g, US";\r\n", 3);
+gstring_release_unused(g);
+string_from_gstring(g);
+return g;
+}
+
+
+/* Append a constructed AMS including CRLF.  Add it to the arc_ctx too. */
+
+static gstring *
+arc_sign_append_ams(gstring * g, arc_ctx * ctx, int instance,
+  const uschar * identity, const uschar * selector, blob * bodyhash,
+  hdr_rlist * rheaders, const uschar * privkey, unsigned options)
+{
+uschar * s;
+gstring * hdata = NULL;
+int col;
+int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6);	/*XXX hardwired */
+blob sig;
+int ams_off;
+arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line), GET_UNTAINTED);
+header_line * h = (header_line *)(al+1);
+
+/* debug_printf("%s\n", __FUNCTION__); */
+
+/* Construct the to-be-signed AMS pseudo-header: everything but the sig. */
+
+ams_off = g->ptr;
+g = string_fmt_append(g, "%s i=%d; a=rsa-sha256; c=relaxed; d=%s; s=%s",
+      ARC_HDR_AMS, instance, identity, selector);	/*XXX hardwired a= */
+if (options & ARC_SIGN_OPT_TSTAMP)
+  g = string_fmt_append(g, "; t=%lu", (u_long)now);
+if (options & ARC_SIGN_OPT_EXPIRE)
+  g = string_fmt_append(g, "; x=%lu", (u_long)expire);
+g = string_fmt_append(g, ";\r\n\tbh=%s;\r\n\th=",
+      pdkim_encode_base64(bodyhash));
+
+for(col = 3; rheaders; rheaders = rheaders->prev)
+  {
+  const uschar * hnames = US"DKIM-Signature:" PDKIM_DEFAULT_SIGN_HEADERS;
+  uschar * name, * htext = rheaders->h->text;
+  int sep = ':';
+
+  /* Spot headers of interest */
+
+  while ((name = string_nextinlist(&hnames, &sep, NULL, 0)))
+    {
+    int len = Ustrlen(name);
+    if (strncasecmp(CCS htext, CCS name, len) == 0)
+      {
+      /* If too long, fold line in h= field */
+
+      if (col + len > 78) g = string_catn(g, US"\r\n\t  ", 5), col = 3;
+
+      /* Add name to h= list */
+
+      g = string_catn(g, name, len);
+      g = string_catn(g, US":", 1);
+      col += len + 1;
+
+      /* Accumulate header for hashing/signing */
+
+      hdata = string_cat(hdata,
+		pdkim_relax_header_n(htext, rheaders->h->slen, TRUE));	/*XXX hardwired */
+      break;
+      }
+    }
+  }
+
+/* Lose the last colon from the h= list */
+
+if (g->s[g->ptr - 1] == ':') g->ptr--;
+
+g = string_catn(g, US";\r\n\tb=;", 7);
+
+/* Include the pseudo-header in the accumulation */
+
+s = pdkim_relax_header_n(g->s + ams_off, g->ptr - ams_off, FALSE);
+hdata = string_cat(hdata, s);
+
+/* Calculate the signature from the accumulation */
+/*XXX does that need further relaxation? there are spaces embedded in the b= strings! */
+
+if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AMS"))
+  return NULL;
+
+/* Lose the trailing semicolon from the psuedo-header, and append the signature
+(folded over lines) and termination to complete it. */
+
+g->ptr--;
+g = arc_sign_append_sig(g, &sig);
+
+h->slen = g->ptr - ams_off;
+h->text = g->s + ams_off;
+al->complete = h;
+ctx->arcset_chain_last->hdr_ams = al;
+
+DEBUG(D_transport) debug_printf("ARC: AMS '%.*s'\n", h->slen - 2, h->text);
+return g;
+}
+
+
+
+/* Look for an arc= result in an A-R header blob.  We know that its data
+happens to be a NUL-term string. */
+
+static uschar *
+arc_ar_cv_status(blob * ar)
+{
+const uschar * resinfo = ar->data;
+int sep = ';';
+uschar * methodspec, * s;
+
+while ((methodspec = string_nextinlist(&resinfo, &sep, NULL, 0)))
+  if (Ustrncmp(methodspec, US"arc=", 4) == 0)
+    {
+    uschar c;
+    for (s = methodspec += 4;
+         (c = *s) && c != ';' && c != ' ' && c != '\r' && c != '\n'; ) s++;
+    return string_copyn(methodspec, s - methodspec);
+    }
+return US"none";
+}
+
+
+
+/* Build the AS header and prepend it */
+
+static gstring *
+arc_sign_prepend_as(gstring * arcset_interim, arc_ctx * ctx,
+  int instance, const uschar * identity, const uschar * selector, blob * ar,
+  const uschar * privkey, unsigned options)
+{
+gstring * arcset;
+uschar * status = arc_ar_cv_status(ar);
+arc_line * al = store_get(sizeof(header_line) + sizeof(arc_line), GET_UNTAINTED);
+header_line * h = (header_line *)(al+1);
+uschar * badline_str;
+
+gstring * hdata = NULL;
+int hashtype = pdkim_hashname_to_hashtype(US"sha256", 6);	/*XXX hardwired */
+blob sig;
+
+/*
+- Generate AS
+  - no body coverage
+  - no h= tag; implicit coverage
+  - arc status from A-R
+    - if fail:
+      - coverage is just the new ARC set
+        including self (but with an empty b= in self)
+    - if non-fail:
+      - all ARC set headers, set-number order, aar then ams then as,
+        including self (but with an empty b= in self)
+*/
+DEBUG(D_transport) debug_printf("ARC: building AS for status '%s'\n", status);
+
+/* Construct the AS except for the signature */
+
+arcset = string_append(NULL, 9,
+	  ARC_HDR_AS,
+	  US" i=", string_sprintf("%d", instance),
+	  US"; cv=", status,
+	  US"; a=rsa-sha256; d=", identity,			/*XXX hardwired */
+	  US"; s=", selector);					/*XXX same as AMS */
+if (options & ARC_SIGN_OPT_TSTAMP)
+  arcset = string_append(arcset, 2,
+      US"; t=", string_sprintf("%lu", (u_long)now));
+arcset = string_cat(arcset,
+	  US";\r\n\t b=;");
+
+h->slen = arcset->ptr;
+h->text = arcset->s;
+al->complete = h;
+ctx->arcset_chain_last->hdr_as = al;
+
+/* For any but "fail" chain-verify status, walk the entire chain in order by
+instance.  For fail, only the new arc-set.  Accumulate the elements walked. */
+
+for (arc_set * as = Ustrcmp(status, US"fail") == 0
+	? ctx->arcset_chain_last : ctx->arcset_chain;
+     as; as = as->next)
+  {
+  arc_line * l;
+  /* Accumulate AAR then AMS then AS.  Relaxed canonicalisation
+  is required per standard. */
+
+  badline_str = US"aar";
+  if (!(l = as->hdr_aar)) goto badline;
+  h = l->complete;
+  hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
+  badline_str = US"ams";
+  if (!(l = as->hdr_ams)) goto badline;
+  h = l->complete;
+  hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, TRUE));
+  badline_str = US"as";
+  if (!(l = as->hdr_as)) goto badline;
+  h = l->complete;
+  hdata = string_cat(hdata, pdkim_relax_header_n(h->text, h->slen, !!as->next));
+  }
+
+/* Calculate the signature from the accumulation */
+
+if (!arc_sig_from_pseudoheader(hdata, hashtype, privkey, &sig, US"AS"))
+  return NULL;
+
+/* Lose the trailing semicolon */
+arcset->ptr--;
+arcset = arc_sign_append_sig(arcset, &sig);
+DEBUG(D_transport) debug_printf("ARC: AS  '%.*s'\n", arcset->ptr - 2, arcset->s);
+
+/* Finally, append the AMS and AAR to the new AS */
+
+return string_catn(arcset, arcset_interim->s, arcset_interim->ptr);
+
+badline:
+  DEBUG(D_transport)
+    debug_printf("ARC: while building AS, missing %s in chain\n", badline_str);
+  return NULL;
+}
+
+
+/**************************************/
+
+/* Return pointer to pdkim_bodyhash for given hash method, creating new
+method if needed.
+*/
+
+void *
+arc_ams_setup_sign_bodyhash(void)
+{
+int canon_head, canon_body;
+
+DEBUG(D_transport) debug_printf("ARC: requesting bodyhash\n");
+pdkim_cstring_to_canons(US"relaxed", 7, &canon_head, &canon_body);	/*XXX hardwired */
+return pdkim_set_bodyhash(&dkim_sign_ctx,
+	pdkim_hashname_to_hashtype(US"sha256", 6),			/*XXX hardwired */
+	canon_body,
+	-1);
+}
+
+
+
+void
+arc_sign_init(void)
+{
+memset(&arc_sign_ctx, 0, sizeof(arc_sign_ctx));
+headers_rlist = NULL;
+}
+
+
+
+/* A "normal" header line, identified by DKIM processing.  These arrive before
+the call to arc_sign(), which carries any newly-created DKIM headers - and
+those go textually before the normal ones in the message.
+
+We have to take the feed from DKIM as, in the transport-filter case, the
+headers are not in memory at the time of the call to arc_sign().
+
+Take a copy of the header and construct a reverse-order list.
+Also parse ARC-chain headers and build the chain struct, retaining pointers
+into the copies.
+*/
+
+static const uschar *
+arc_header_sign_feed(gstring * g)
+{
+uschar * s = string_copyn(g->s, g->ptr);
+headers_rlist = arc_rlist_entry(headers_rlist, s, g->ptr);
+return arc_try_header(&arc_sign_ctx, headers_rlist->h, TRUE);
+}
+
+
+
+/* Per RFCs 6376, 7489 the only allowed chars in either an ADMD id
+or a selector are ALPHA/DIGGIT/'-'/'.'
+
+Check, to help catch misconfigurations such as a missing selector
+element in the arc_sign list.
+*/
+
+static BOOL
+arc_valid_id(const uschar * s)
+{
+for (uschar c; c = *s++; )
+  if (!isalnum(c) && c != '-' && c != '.') return FALSE;
+return TRUE;
+}
+
+
+
+/* ARC signing.  Called from the smtp transport, if the arc_sign option is set.
+The dkim_exim_sign() function has already been called, so will have hashed the
+message body for us so long as we requested a hash previously.
+
+Arguments:
+  signspec	Three-element colon-sep list: identity, selector, privkey.
+		Optional fourth element: comma-sep list of options.
+		Already expanded
+  sigheaders	Any signature headers already generated, eg. by DKIM, or NULL
+  errstr	Error string
+
+Return value
+  Set of headers to prepend to the message, including the supplied sigheaders
+  but not the plainheaders.
+*/
+
+gstring *
+arc_sign(const uschar * signspec, gstring * sigheaders, uschar ** errstr)
+{
+const uschar * identity, * selector, * privkey, * opts, * s;
+unsigned options = 0;
+int sep = 0;
+header_line * headers;
+hdr_rlist * rheaders;
+blob ar;
+int instance;
+gstring * g = NULL;
+pdkim_bodyhash * b;
+
+expire = now = 0;
+
+/* Parse the signing specification */
+
+if (!(identity = string_nextinlist(&signspec, &sep, NULL, 0)) || !*identity)
+  { s = US"identity"; goto bad_arg_ret; }
+if (!(selector = string_nextinlist(&signspec, &sep, NULL, 0)) || !*selector)
+  { s = US"selector"; goto bad_arg_ret; }
+if (!(privkey = string_nextinlist(&signspec, &sep, NULL, 0))  || !*privkey)
+  { s = US"privkey"; goto bad_arg_ret; }
+if (!arc_valid_id(identity))
+  { s = US"identity"; goto bad_arg_ret; }
+if (!arc_valid_id(selector))
+  { s = US"selector"; goto bad_arg_ret; }
+if (*privkey == '/' && !(privkey = expand_file_big_buffer(privkey)))
+  goto ret_sigheaders;
+
+if ((opts = string_nextinlist(&signspec, &sep, NULL, 0)))
+  {
+  int osep = ',';
+  while ((s = string_nextinlist(&opts, &osep, NULL, 0)))
+    if (Ustrcmp(s, "timestamps") == 0)
+      {
+      options |= ARC_SIGN_OPT_TSTAMP;
+      if (!now) now = time(NULL);
+      }
+    else if (Ustrncmp(s, "expire", 6) == 0)
+      {
+      options |= ARC_SIGN_OPT_EXPIRE;
+      if (*(s += 6) == '=')
+	if (*++s == '+')
+	  {
+	  if (!(expire = (time_t)atoi(CS ++s)))
+	    expire = ARC_SIGN_DEFAULT_EXPIRE_DELTA;
+	  if (!now) now = time(NULL);
+	  expire += now;
+	  }
+	else
+	  expire = (time_t)atol(CS s);
+      else
+	{
+	if (!now) now = time(NULL);
+	expire = now + ARC_SIGN_DEFAULT_EXPIRE_DELTA;
+	}
+      }
+  }
+
+DEBUG(D_transport) debug_printf("ARC: sign for %s\n", identity);
+
+/* Make an rlist of any new DKIM headers, then add the "normals" rlist to it.
+Then scan the list for an A-R header. */
+
+string_from_gstring(sigheaders);
+if ((rheaders = arc_sign_scan_headers(&arc_sign_ctx, sigheaders)))
+  {
+  hdr_rlist ** rp;
+  for (rp = &headers_rlist; *rp; ) rp = &(*rp)->prev;
+  *rp = rheaders;
+  }
+
+/* Finally, build a normal-order headers list */
+/*XXX only needed for hunt-the-AR? */
+/*XXX also, we really should be accepting any number of ADMD-matching ARs */
+  {
+  header_line * hnext = NULL;
+  for (rheaders = headers_rlist; rheaders;
+       hnext = rheaders->h, rheaders = rheaders->prev)
+    rheaders->h->next = hnext;
+  headers = hnext;
+  }
+
+if (!(arc_sign_find_ar(headers, identity, &ar)))
+  {
+  log_write(0, LOG_MAIN, "ARC: no Authentication-Results header for signing");
+  goto ret_sigheaders;
+  }
+
+/* We previously built the data-struct for the existing ARC chain, if any, using a headers
+feed from the DKIM module.  Use that to give the instance number for the ARC set we are
+about to build. */
+
+DEBUG(D_transport)
+  if (arc_sign_ctx.arcset_chain_last)
+    debug_printf("ARC: existing chain highest instance: %d\n",
+      arc_sign_ctx.arcset_chain_last->instance);
+  else
+    debug_printf("ARC: no existing chain\n");
+
+instance = arc_sign_ctx.arcset_chain_last ? arc_sign_ctx.arcset_chain_last->instance + 1 : 1;
+
+/*
+- Generate AAR
+  - copy the A-R; prepend i= & identity
+*/
+
+g = arc_sign_append_aar(g, &arc_sign_ctx, identity, instance, &ar);
+
+/*
+- Generate AMS
+  - Looks fairly like a DKIM sig
+  - Cover all DKIM sig headers as well as the usuals
+    - ? oversigning?
+  - Covers the data
+  - we must have requested a suitable bodyhash previously
+*/
+
+b = arc_ams_setup_sign_bodyhash();
+g = arc_sign_append_ams(g, &arc_sign_ctx, instance, identity, selector,
+      &b->bh, headers_rlist, privkey, options);
+
+/*
+- Generate AS
+  - no body coverage
+  - no h= tag; implicit coverage
+  - arc status from A-R
+    - if fail:
+      - coverage is just the new ARC set
+        including self (but with an empty b= in self)
+    - if non-fail:
+      - all ARC set headers, set-number order, aar then ams then as,
+        including self (but with an empty b= in self)
+*/
+
+if (g)
+  g = arc_sign_prepend_as(g, &arc_sign_ctx, instance, identity, selector, &ar,
+      privkey, options);
+
+/* Finally, append the dkim headers and return the lot. */
+
+if (sigheaders) g = string_catn(g, sigheaders->s, sigheaders->ptr);
+
+out:
+  if (!g) return string_get(1);
+  (void) string_from_gstring(g);
+  gstring_release_unused(g);
+  return g;
+
+
+bad_arg_ret:
+  log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)", s);
+ret_sigheaders:
+  g = sigheaders;
+  goto out;
+}
+
+
+/******************************************************************************/
+
+/* Check to see if the line is an AMS and if so, set up to validate it.
+Called from the DKIM input processing.  This must be done now as the message
+body data is hashed during input.
+
+We call the DKIM code to request a body-hash; it has the facility already
+and the hash parameters might be common with other requests.
+*/
+
+static const uschar *
+arc_header_vfy_feed(gstring * g)
+{
+header_line h;
+arc_line al;
+pdkim_bodyhash * b;
+uschar * errstr;
+
+if (!dkim_verify_ctx) return US"no dkim context";
+
+if (strncmpic(ARC_HDR_AMS, g->s, ARC_HDRLEN_AMS) != 0) return US"not AMS";
+
+DEBUG(D_receive) debug_printf("ARC: spotted AMS header\n");
+/* Parse the AMS header */
+
+h.next = NULL;
+h.slen = g->size;
+h.text = g->s;
+memset(&al, 0, sizeof(arc_line));
+if ((errstr = arc_parse_line(&al, &h, ARC_HDRLEN_AMS, FALSE)))
+  {
+  DEBUG(D_acl) if (errstr) debug_printf("ARC: %s\n", errstr);
+  goto badline;
+  }
+
+if (!al.a_hash.data)
+  {
+  DEBUG(D_acl) debug_printf("ARC: no a_hash from '%.*s'\n", h.slen, h.text);
+  goto badline;
+  }
+
+/* defaults */
+if (!al.c.data)
+  {
+  al.c_body.data = US"simple"; al.c_body.len = 6;
+  al.c_head = al.c_body;
+  }
+
+/* Ask the dkim code to calc a bodyhash with those specs */
+
+if (!(b = arc_ams_setup_vfy_bodyhash(&al)))
+  return US"dkim hash setup fail";
+
+/* Discard the reference; search again at verify time, knowing that one
+should have been created here. */
+
+return NULL;
+
+badline:
+  return US"line parsing error";
+}
+
+
+
+/* A header line has been identified by DKIM processing.
+
+Arguments:
+  g		Header line
+  is_vfy	TRUE for verify mode or FALSE for signing mode
+
+Return:
+  NULL for success, or an error string (probably unused)
+*/
+
+const uschar *
+arc_header_feed(gstring * g, BOOL is_vfy)
+{
+return is_vfy ? arc_header_vfy_feed(g) : arc_header_sign_feed(g);
+}
+
+
+
+/******************************************************************************/
+
+/* Construct the list of domains from the ARC chain after validation */
+
+uschar *
+fn_arc_domains(void)
+{
+arc_set * as;
+unsigned inst;
+gstring * g = NULL;
+
+for (as = arc_verify_ctx.arcset_chain, inst = 1; as; as = as->next, inst++)
+  {
+  arc_line * hdr_as = as->hdr_as;
+  if (hdr_as)
+    {
+    blob * d = &hdr_as->d;
+
+    for (; inst < as->instance; inst++)
+      g = string_catn(g, US":", 1);
+
+    g = d->data && d->len
+      ? string_append_listele_n(g, ':', d->data, d->len)
+      : string_catn(g, US":", 1);
+    }
+  else
+    g = string_catn(g, US":", 1);
+  }
+return g ? g->s : US"";
+}
+
+
+/* Construct an Authentication-Results header portion, for the ARC module */
+
+gstring *
+authres_arc(gstring * g)
+{
+if (arc_state)
+  {
+  arc_line * highest_ams;
+  int start = 0;		/* Compiler quietening */
+  DEBUG(D_acl) start = g->ptr;
+
+  g = string_append(g, 2, US";\n\tarc=", arc_state);
+  if (arc_received_instance > 0)
+    {
+    g = string_fmt_append(g, " (i=%d)", arc_received_instance);
+    if (arc_state_reason)
+      g = string_append(g, 3, US"(", arc_state_reason, US")");
+    g = string_catn(g, US" header.s=", 10);
+    highest_ams = arc_received->hdr_ams;
+    g = string_catn(g, highest_ams->s.data, highest_ams->s.len);
+
+    g = string_fmt_append(g, " arc.oldest-pass=%d", arc_oldest_pass);
+
+    if (sender_host_address)
+      g = string_append(g, 2, US" smtp.remote-ip=", sender_host_address);
+    }
+  else if (arc_state_reason)
+    g = string_append(g, 3, US" (", arc_state_reason, US")");
+  DEBUG(D_acl) debug_printf("ARC:  authres '%.*s'\n",
+		  g->ptr - start - 3, g->s + start + 3);
+  }
+else
+  DEBUG(D_acl) debug_printf("ARC:  no authres\n");
+return g;
+}
+
+
+# endif /* DISABLE_DKIM */
+#endif /* EXPERIMENTAL_ARC */
+/* vi: aw ai sw=2
+ */
diff --git a/src/auths/Makefile b/src/auths/Makefile
new file mode 100644
index 0000000..e85b22a
--- /dev/null
+++ b/src/auths/Makefile
@@ -0,0 +1,45 @@
+# Make file for building a library containing all the available authorization
+# methods, and calling it auths.a. In addition, there are functions that are
+# of general use in several methods; these are in separate modules so they are
+# linked in only when needed. This Makefile is called from the main make file,
+# after cd'ing to the auths subdirectory. When the relevant AUTH_ macros are
+# defined, the equivalent modules herein is not included in the final binary.
+
+OBJ = auth-spa.o call_pam.o call_pwcheck.o \
+      call_radius.o check_serv_cond.o cram_md5.o cyrus_sasl.o dovecot.o \
+      external.o get_data.o get_no64_data.o gsasl_exim.o heimdal_gssapi.o \
+      plaintext.o pwcheck.o \
+      spa.o tls.o xtextdecode.o xtextencode.o
+
+auths.a:         $(OBJ)
+		 @$(RM_COMMAND) -f auths.a
+		 @echo "$(AR) auths.a"
+		 $(FE)$(AR) auths.a $(OBJ)
+		 $(RANLIB) $@
+
+.SUFFIXES:       .o .c
+.c.o:;           @echo "$(CC) $*.c"
+		 $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
+
+auth-spa.o:         $(HDRS) auth-spa.c
+call_pam.o:         $(HDRS) call_pam.c
+call_pwcheck.o:     $(HDRS) call_pwcheck.c pwcheck.h
+call_radius.o:      $(HDRS) call_radius.c
+check_serv_cond.o:  $(HDRS) check_serv_cond.c
+get_data.o:         $(HDRS) get_data.c
+get_no64_data.o:    $(HDRS) get_no64_data.c
+pwcheck.o:          $(HDRS) pwcheck.c pwcheck.h
+xtextdecode.o:      $(HDRS) xtextdecode.c
+xtextencode.o:      $(HDRS) xtextencode.c
+
+cram_md5.o:         $(HDRS) cram_md5.c cram_md5.h
+cyrus_sasl.o:       $(HDRS) cyrus_sasl.c cyrus_sasl.h
+dovecot.o:          $(HDRS) dovecot.c dovecot.h
+external.o:         $(HDRS) external.c external.h
+gsasl_exim.o:       $(HDRS) gsasl_exim.c gsasl_exim.h
+heimdal_gssapi.o:   $(HDRS) heimdal_gssapi.c heimdal_gssapi.h
+plaintext.o:        $(HDRS) plaintext.c plaintext.h
+spa.o:              $(HDRS) spa.c spa.h
+tls.o:              $(HDRS) tls.c tls.h
+
+# End
diff --git a/src/auths/README b/src/auths/README
new file mode 100644
index 0000000..66bdcdc
--- /dev/null
+++ b/src/auths/README
@@ -0,0 +1,98 @@
+AUTHS
+
+The modules in this directory are in support of various authentication
+functions. Some of them, such as the base64 encoding/decoding and MD5
+computation, are just functions that might be used by several authentication
+mechanisms. Others are the SMTP AUTH mechanisms themselves, included in the
+final binary if the relevant AUTH_XXX value is set in Local/Makefile. The
+general functions are in separate modules so that they get included in the
+final binary only if they are actually called from somewhere.
+
+GENERAL FUNCTIONS
+
+The API for each of these functions is documented with the function's code.
+
+  auth_b64encode       encode in base 64
+  auth_b64decode       decode from base 64
+  auth_call_pam        do PAM authentication (if build with SUPPORT_PAM)
+  auth_get_data        issue SMTP AUTH challenge and read response
+  auth_xtextencode     encode as xtext
+  auth_xtextdecode     decode from xtext
+
+INTERFACE TO SMTP AUTHENTICATION MECHANISMS
+
+These are general SASL mechanisms, adapted for use with SMTP. Each
+authentication mechanism has three functions, for initialization, server
+authentication, and client authentication.
+
+INITIALIZATION
+
+The initialization function is called when the configuration is read, and can
+check for incomplete or illegal settings. It has one argument, a pointer to the
+instance block for this configured mechanism. It must set the flags called
+"server" and "client" in the generic auth_instance block to indicate whether
+the server and/or client functions are available for this authenticator.
+Typically this depends on whether server or client configuration options have
+been set, but it is also possible to have an authenticator that has only one of
+the server or client functions.  The function may not touch big_buffer.
+
+SERVER AUTHENTICATION
+
+The second function performs authentication as a server. It receives a pointer
+to the instance block, and its second argument is the remainder of the data
+from the AUTH command. The numeric variable maximum setting (expand_nmax) is
+set to zero, with $0 initialized as unset. The authenticator may set up numeric
+variables according to its (old) specification and $auth<n> variables the
+preferred ones nowadays; it should leave them set at the end so that they can
+be used for the expansion of the generic server_set_id option, which happens
+centrally.
+
+This function has access to the SMTP input and output so that it can write
+intermediate responses and read more data if necessary. There is a packaged
+function in auth_get_data() which outputs a challenge and reads a response.
+
+The yield of a server authentication check must be one of:
+
+  OK          success
+  DEFER       couldn't complete the check
+  FAIL        authentication failed
+  CANCELLED   authentication forced to fail by "*" response to challenge,
+                or by certain forced string expansion failures
+  BAD64       bad base64 data received
+  UNEXPECTED  unexpected data received
+
+In the case of DEFER, auth_defer_msg should point to an error message.
+
+CLIENT AUTHENTICATION
+
+The third function performs authentication as a client. It receives a pointer
+to the instance block, and four further arguments:
+
+  The smtp_context item for the connection to the remote host.
+
+  The normal command-reading timeout value.
+
+  A pointer to a buffer, to be used for receiving responses. It is done this
+    way so that the buffer is available for logging etc. in the calling
+    function in cases of error.
+
+  The size of the buffer.
+
+The yield of a client authentication check must be one of:
+
+  OK          success
+  FAIL_SEND   error after writing a command; errno is set
+  FAIL        failed after reading a response;
+              either errno is set (for timeouts, I/O failures) or
+              the buffer contains the SMTP response line
+  CANCELLED   the client cancelled authentication (often "fail" in expansion)
+              the buffer may contain a message; if not, *buffer = 0
+  ERROR       local problem (typically expansion error); message in buffer
+
+To communicate with the remote host the client should call
+smtp_write_command(). If this yields FALSE, the authenticator should return
+FAIL. After a successful write, the response is received by a call to
+smtp_read_response(), which should use the buffer handed to the client function
+as an argument.
+
+****
diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c
new file mode 100644
index 0000000..8d886b6
--- /dev/null
+++ b/src/auths/auth-spa.c
@@ -0,0 +1,1524 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/*
+ * This file provides the necessary methods for authenticating with
+ * Microsoft's Secure Password Authentication.
+
+ * All the original code used here was torn by Marc Prud'hommeaux out of the
+ * Samba project (by Andrew Tridgell, Jeremy Allison, and others).
+ *
+ * Copyright (c) The Exim Maintainers 2021
+
+ * Tom Kistner provided additional code, adding spa_build_auth_challenge() to
+ * support server authentication mode.
+
+ * Mark Lyda provided a patch to solve this problem:
+
+ - Exim is indicating in its Authentication Request message (Type 1) that it
+   can transmit text in either Unicode or OEM format.
+
+ - Microsoft's SMTP server (smtp.email.msn.com) is responding in its
+   Challenge message (Type 2) that it will be expecting the OEM format.
+
+ - Exim does not pay attention to the text format requested by Microsoft's
+   SMTP server and, instead, defaults to using the Unicode format.
+
+ * References:
+ * http://www.innovation.ch/java/ntlm.html
+ * http://www.kuro5hin.org/story/2002/4/28/1436/66154
+
+ * It seems that some systems have existing but different definitions of some
+ * of the following types. I received a complaint about "int16" causing
+ * compilation problems. So I (PH) have renamed them all, to be on the safe
+ * side, by adding 'x' on the end.
+
+ * typedef signed short int16;
+ * typedef unsigned short uint16;
+ * typedef unsigned uint32;
+ * typedef unsigned char  uint8;
+
+ * The API is extremely simple:
+ * 1. Form a SPA authentication request based on the username
+ *    and (optional) domain
+ * 2. Send the request to the server and get an SPA challenge
+ * 3. Build the challenge response and send it back.
+ *
+ * Example usage is as
+ * follows:
+ *
+int main (int argc, char ** argv)
+{
+       SPAAuthRequest   request;
+       SPAAuthChallenge challenge;
+       SPAAuthResponse  response;
+       char msgbuf[2048];
+       char buffer[512];
+       char *username, *password, *domain, *challenge_str;
+
+       if (argc < 3)
+       {
+               printf ("Usage: %s <username> <password> [SPA Challenge]\n",
+                       argv [0]);
+               exit (1);
+       }
+
+       username = argv [1];
+       password = argv [2];
+       domain = 0;
+
+       spa_build_auth_request (&request, username, domain);
+
+       spa_bits_to_base64 (msgbuf, US &request,
+               spa_request_length(&request));
+
+       printf ("SPA Login request for username=%s:\n   %s\n",
+               argv [1], msgbuf);
+
+       if (argc < 4)
+       {
+               printf ("Run: %s <username> <password> [NTLM Challenge] " \
+                       "to complete authenitcation\n", argv [0]);
+               exit (0);
+       }
+
+       challenge_str = argv [3];
+
+       if (spa_base64_to_bits (CS &challenge, sizeof(challenge),
+                CCS (challenge_str))<0)
+       {
+                printf("bad base64 data in challenge: %s\n", challenge_str);
+                exit (1);
+       }
+
+       spa_build_auth_response (&challenge, &response, username, password);
+       spa_bits_to_base64 (msgbuf, US &response,
+               spa_request_length(&response));
+
+       printf ("SPA Response to challenge:\n   %s\n for " \
+               "username=%s, password=%s:\n   %s\n",
+               argv[3], argv [1], argv [2], msgbuf);
+       return 0;
+}
+ *
+ *
+ * All the client code used here was torn by Marc Prud'hommeaux out of the
+ * Samba project (by Andrew Tridgell, Jeremy Allison, and others).
+ * Previous comments are below:
+ */
+
+/*
+   Unix SMB/Netbios implementation.
+   Version 1.9.
+
+   a partial implementation of DES designed for use in the
+   SMB authentication protocol
+
+   Copyright (C) Andrew Tridgell 1998
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+
+/* NOTES:
+
+   This code makes no attempt to be fast! In fact, it is a very
+   slow implementation
+
+   This code is NOT a complete DES implementation. It implements only
+   the minimum necessary for SMB authentication, as used by all SMB
+   products (including every copy of Microsoft Windows95 ever sold)
+
+   In particular, it can only do a unchained forward DES pass. This
+   means it is not possible to use this code for encryption/decryption
+   of data, instead it is only useful as a "hash" algorithm.
+
+   There is no entry point into this code that allows normal DES operation.
+
+   I believe this means that this code does not come under ITAR
+   regulations but this is NOT a legal opinion. If you are concerned
+   about the applicability of ITAR regulations to this code then you
+   should confirm it for yourself (and maybe let me know if you come
+   up with a different answer to the one above)
+*/
+
+#define DEBUG_X(a,b) ;
+
+extern int DEBUGLEVEL;
+
+#include "../exim.h"
+#include "auth-spa.h"
+#include <assert.h>
+
+
+#ifndef _BYTEORDER_H
+# define _BYTEORDER_H
+
+# define RW_PCVAL(read,inbuf,outbuf,len) \
+       { if (read) { PCVAL (inbuf,0,outbuf,len); } \
+       else      { PSCVAL(inbuf,0,outbuf,len); } }
+
+# define RW_PIVAL(read,big_endian,inbuf,outbuf,len) \
+       { if (read) { if (big_endian) { RPIVAL(inbuf,0,outbuf,len); } else { PIVAL(inbuf,0,outbuf,len); } } \
+       else      { if (big_endian) { RPSIVAL(inbuf,0,outbuf,len); } else { PSIVAL(inbuf,0,outbuf,len); } } }
+
+# define RW_PSVAL(read,big_endian,inbuf,outbuf,len) \
+       { if (read) { if (big_endian) { RPSVAL(inbuf,0,outbuf,len); } else { PSVAL(inbuf,0,outbuf,len); } } \
+       else      { if (big_endian) { RPSSVAL(inbuf,0,outbuf,len); } else { PSSVAL(inbuf,0,outbuf,len); } } }
+
+# define RW_CVAL(read, inbuf, outbuf, offset) \
+       { if (read) { (outbuf) = CVAL (inbuf,offset); } \
+       else      { SCVAL(inbuf,offset,outbuf); } }
+
+# define RW_IVAL(read, big_endian, inbuf, outbuf, offset) \
+       { if (read) { (outbuf) = ((big_endian) ? RIVAL(inbuf,offset) : IVAL (inbuf,offset)); } \
+       else      { if (big_endian) { RSIVAL(inbuf,offset,outbuf); } else { SIVAL(inbuf,offset,outbuf); } } }
+
+# define RW_SVAL(read, big_endian, inbuf, outbuf, offset) \
+       { if (read) { (outbuf) = ((big_endian) ? RSVAL(inbuf,offset) : SVAL (inbuf,offset)); } \
+       else      { if (big_endian) { RSSVAL(inbuf,offset,outbuf); } else { SSVAL(inbuf,offset,outbuf); } } }
+
+# undef CAREFUL_ALIGNMENT
+
+/* we know that the 386 can handle misalignment and has the "right"
+   byteorder */
+# ifdef __i386__
+#  define CAREFUL_ALIGNMENT 0
+# endif
+
+# ifndef CAREFUL_ALIGNMENT
+#  define CAREFUL_ALIGNMENT 1
+# endif
+
+# define CVAL(buf,pos) ((US (buf))[pos])
+# define PVAL(buf,pos) ((unsigned)CVAL(buf,pos))
+# define SCVAL(buf,pos,val) (CVAL(buf,pos) = (val))
+
+
+# if CAREFUL_ALIGNMENT
+
+#  define SVAL(buf,pos) (PVAL(buf,pos)|PVAL(buf,(pos)+1)<<8)
+#  define IVAL(buf,pos) (SVAL(buf,pos)|SVAL(buf,(pos)+2)<<16)
+#  define SSVALX(buf,pos,val) (CVAL(buf,pos)=(val)&0xFF,CVAL(buf,pos+1)=(val)>>8)
+#  define SIVALX(buf,pos,val) (SSVALX(buf,pos,val&0xFFFF),SSVALX(buf,pos+2,val>>16))
+#  define SVALS(buf,pos) ((int16x)SVAL(buf,pos))
+#  define IVALS(buf,pos) ((int32x)IVAL(buf,pos))
+#  define SSVAL(buf,pos,val) SSVALX((buf),(pos),((uint16x)(val)))
+#  define SIVAL(buf,pos,val) SIVALX((buf),(pos),((uint32x)(val)))
+#  define SSVALS(buf,pos,val) SSVALX((buf),(pos),((int16x)(val)))
+#  define SIVALS(buf,pos,val) SIVALX((buf),(pos),((int32x)(val)))
+
+# else /* CAREFUL_ALIGNMENT */
+
+/* this handles things for architectures like the 386 that can handle
+   alignment errors */
+/*
+   WARNING: This section is dependent on the length of int16x and int32x
+   being correct
+*/
+
+/* get single value from an SMB buffer */
+#  define SVAL(buf,pos) (*(uint16x *)(CS (buf) + (pos)))
+#  define IVAL(buf,pos) (*(uint32x *)(CS (buf) + (pos)))
+#  define SVALS(buf,pos) (*(int16x *)(CS (buf) + (pos)))
+#  define IVALS(buf,pos) (*(int32x *)(CS (buf) + (pos)))
+
+/* store single value in an SMB buffer */
+#  define SSVAL(buf,pos,val) SVAL(buf,pos)=((uint16x)(val))
+#  define SIVAL(buf,pos,val) IVAL(buf,pos)=((uint32x)(val))
+#  define SSVALS(buf,pos,val) SVALS(buf,pos)=((int16x)(val))
+#  define SIVALS(buf,pos,val) IVALS(buf,pos)=((int32x)(val))
+
+# endif /* CAREFUL_ALIGNMENT */
+
+/* macros for reading / writing arrays */
+
+# define SMBMACRO(macro,buf,pos,val,len,size) \
+{ for (int l = 0; l < (len); l++) (val)[l] = macro((buf), (pos) + (size)*l); }
+
+# define SSMBMACRO(macro,buf,pos,val,len,size) \
+{ for (int l = 0; l < (len); l++) macro((buf), (pos) + (size)*l, (val)[l]); }
+
+/* reads multiple data from an SMB buffer */
+# define PCVAL(buf,pos,val,len) SMBMACRO(CVAL,buf,pos,val,len,1)
+# define PSVAL(buf,pos,val,len) SMBMACRO(SVAL,buf,pos,val,len,2)
+# define PIVAL(buf,pos,val,len) SMBMACRO(IVAL,buf,pos,val,len,4)
+# define PCVALS(buf,pos,val,len) SMBMACRO(CVALS,buf,pos,val,len,1)
+# define PSVALS(buf,pos,val,len) SMBMACRO(SVALS,buf,pos,val,len,2)
+# define PIVALS(buf,pos,val,len) SMBMACRO(IVALS,buf,pos,val,len,4)
+
+/* stores multiple data in an SMB buffer */
+# define PSCVAL(buf,pos,val,len) SSMBMACRO(SCVAL,buf,pos,val,len,1)
+# define PSSVAL(buf,pos,val,len) SSMBMACRO(SSVAL,buf,pos,val,len,2)
+# define PSIVAL(buf,pos,val,len) SSMBMACRO(SIVAL,buf,pos,val,len,4)
+# define PSCVALS(buf,pos,val,len) SSMBMACRO(SCVALS,buf,pos,val,len,1)
+# define PSSVALS(buf,pos,val,len) SSMBMACRO(SSVALS,buf,pos,val,len,2)
+# define PSIVALS(buf,pos,val,len) SSMBMACRO(SIVALS,buf,pos,val,len,4)
+
+
+/* now the reverse routines - these are used in nmb packets (mostly) */
+# define SREV(x) ((((x)&0xFF)<<8) | (((x)>>8)&0xFF))
+# define IREV(x) ((SREV(x)<<16) | (SREV((x)>>16)))
+
+# define RSVAL(buf,pos) SREV(SVAL(buf,pos))
+# define RSVALS(buf,pos) SREV(SVALS(buf,pos))
+# define RIVAL(buf,pos) IREV(IVAL(buf,pos))
+# define RIVALS(buf,pos) IREV(IVALS(buf,pos))
+# define RSSVAL(buf,pos,val) SSVAL(buf,pos,SREV(val))
+# define RSSVALS(buf,pos,val) SSVALS(buf,pos,SREV(val))
+# define RSIVAL(buf,pos,val) SIVAL(buf,pos,IREV(val))
+# define RSIVALS(buf,pos,val) SIVALS(buf,pos,IREV(val))
+
+/* reads multiple data from an SMB buffer (big-endian) */
+# define RPSVAL(buf,pos,val,len) SMBMACRO(RSVAL,buf,pos,val,len,2)
+# define RPIVAL(buf,pos,val,len) SMBMACRO(RIVAL,buf,pos,val,len,4)
+# define RPSVALS(buf,pos,val,len) SMBMACRO(RSVALS,buf,pos,val,len,2)
+# define RPIVALS(buf,pos,val,len) SMBMACRO(RIVALS,buf,pos,val,len,4)
+
+/* stores multiple data in an SMB buffer (big-endian) */
+# define RPSSVAL(buf,pos,val,len) SSMBMACRO(RSSVAL,buf,pos,val,len,2)
+# define RPSIVAL(buf,pos,val,len) SSMBMACRO(RSIVAL,buf,pos,val,len,4)
+# define RPSSVALS(buf,pos,val,len) SSMBMACRO(RSSVALS,buf,pos,val,len,2)
+# define RPSIVALS(buf,pos,val,len) SSMBMACRO(RSIVALS,buf,pos,val,len,4)
+
+# define DBG_RW_PCVAL(charmode,string,depth,base,read,inbuf,outbuf,len) \
+       { RW_PCVAL(read,inbuf,outbuf,len) \
+       DEBUG_X(5,("%s%04x %s: ", \
+             tab_depth(depth), base,string)); \
+    if (charmode) print_asc(5, US (outbuf), (len)); else \
+       for (int idx = 0; idx < len; idx++) { DEBUG_X(5,("%02x ", (outbuf)[idx])); } \
+       DEBUG_X(5,("\n")); }
+
+# define DBG_RW_PSVAL(charmode,string,depth,base,read,big_endian,inbuf,outbuf,len) \
+       { RW_PSVAL(read,big_endian,inbuf,outbuf,len) \
+       DEBUG_X(5,("%s%04x %s: ", \
+             tab_depth(depth), base,string)); \
+    if (charmode) print_asc(5, US (outbuf), 2*(len)); else \
+       for (int idx = 0; idx < len; idx++) { DEBUG_X(5,("%04x ", (outbuf)[idx])); } \
+       DEBUG_X(5,("\n")); }
+
+# define DBG_RW_PIVAL(charmode,string,depth,base,read,big_endian,inbuf,outbuf,len) \
+       { RW_PIVAL(read,big_endian,inbuf,outbuf,len) \
+       DEBUG_X(5,("%s%04x %s: ", \
+             tab_depth(depth), base,string)); \
+    if (charmode) print_asc(5, US (outbuf), 4*(len)); else \
+       for (int idx = 0; idx < len; idx++) { DEBUG_X(5,("%08x ", (outbuf)[idx])); } \
+       DEBUG_X(5,("\n")); }
+
+# define DBG_RW_CVAL(string,depth,base,read,inbuf,outbuf) \
+       { RW_CVAL(read,inbuf,outbuf,0) \
+       DEBUG_X(5,("%s%04x %s: %02x\n", \
+             tab_depth(depth), base, string, outbuf)); }
+
+# define DBG_RW_SVAL(string,depth,base,read,big_endian,inbuf,outbuf) \
+       { RW_SVAL(read,big_endian,inbuf,outbuf,0) \
+       DEBUG_X(5,("%s%04x %s: %04x\n", \
+             tab_depth(depth), base, string, outbuf)); }
+
+# define DBG_RW_IVAL(string,depth,base,read,big_endian,inbuf,outbuf) \
+       { RW_IVAL(read,big_endian,inbuf,outbuf,0) \
+       DEBUG_X(5,("%s%04x %s: %08x\n", \
+             tab_depth(depth), base, string, outbuf)); }
+
+#endif /* _BYTEORDER_H */
+
+void E_P16 (uschar *p14, uschar *p16);
+void E_P24 (uschar *p21, uschar *c8, uschar *p24);
+void D_P16 (uschar *p14, uschar *in, uschar *out);
+void SMBOWFencrypt (uschar passwd[16], uschar * c8, uschar p24[24]);
+
+void mdfour (uschar *out, uschar *in, int n);
+
+
+/*
+ * base64.c -- base-64 conversion routines.
+ *
+ * For license terms, see the file COPYING in this directory.
+ *
+ * This base 64 encoding is defined in RFC2045 section 6.8,
+ * "Base64 Content-Transfer-Encoding", but lines must not be broken in the
+ * scheme used here.
+ */
+
+static const char base64digits[] =
+  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+#define BAD    (char) -1
+static const char base64val[] = {
+  BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD,
+    BAD,
+  BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD,
+    BAD,
+  BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, 62, BAD, BAD, BAD,
+    63,
+  52, 53, 54, 55, 56, 57, 58, 59, 60, 61, BAD, BAD, BAD, BAD, BAD, BAD,
+  BAD, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
+  15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, BAD, BAD, BAD, BAD, BAD,
+  BAD, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
+  41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, BAD, BAD, BAD, BAD, BAD
+};
+#define DECODE64(c)  (isascii(c) ? base64val[c] : BAD)
+
+void
+spa_bits_to_base64 (uschar *out, const uschar *in, int inlen)
+/* raw bytes in quasi-big-endian order to base 64 string (NUL-terminated) */
+{
+for (; inlen >= 3; inlen -= 3)
+  {
+  *out++ = base64digits[in[0] >> 2];
+  *out++ = base64digits[((in[0] << 4) & 0x30) | (in[1] >> 4)];
+  *out++ = base64digits[((in[1] << 2) & 0x3c) | (in[2] >> 6)];
+  *out++ = base64digits[in[2] & 0x3f];
+  in += 3;
+  }
+if (inlen > 0)
+  {
+  uschar fragment;
+
+  *out++ = base64digits[in[0] >> 2];
+  fragment = (in[0] << 4) & 0x30;
+  if (inlen > 1)
+     fragment |= in[1] >> 4;
+  *out++ = base64digits[fragment];
+  *out++ = (inlen < 2) ? '=' : base64digits[(in[1] << 2) & 0x3c];
+  *out++ = '=';
+  }
+*out = '\0';
+}
+
+
+/* The outlength parameter was added by PH, December 2004 */
+
+int
+spa_base64_to_bits (char *out, int outlength, const char *in)
+/* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
+{
+int len = 0;
+uschar digit1, digit2, digit3, digit4;
+
+if (in[0] == '+' && in[1] == ' ')
+  in += 2;
+if (*in == '\r')
+  return (0);
+
+do
+  {
+  if (len >= outlength)                   /* Added by PH */
+    return -1;                          /* Added by PH */
+  digit1 = in[0];
+  if (DECODE64 (digit1) == BAD)
+    return -1;
+  digit2 = in[1];
+  if (DECODE64 (digit2) == BAD)
+    return -1;
+  digit3 = in[2];
+  if (digit3 != '=' && DECODE64 (digit3) == BAD)
+    return -1;
+  digit4 = in[3];
+  if (digit4 != '=' && DECODE64 (digit4) == BAD)
+    return -1;
+  in += 4;
+  *out++ = (DECODE64 (digit1) << 2) | (DECODE64 (digit2) >> 4);
+  ++len;
+  if (digit3 != '=')
+    {
+    if (len >= outlength)                   /* Added by PH */
+      return -1;                          /* Added by PH */
+    *out++ =
+      ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2);
+    ++len;
+    if (digit4 != '=')
+      {
+      if (len >= outlength)                   /* Added by PH */
+	return -1;                          /* Added by PH */
+      *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4);
+      ++len;
+      }
+    }
+  }
+while (*in && *in != '\r' && digit4 != '=');
+
+return len;
+}
+
+
+static uschar perm1[56] = { 57, 49, 41, 33, 25, 17, 9,
+  1, 58, 50, 42, 34, 26, 18,
+  10, 2, 59, 51, 43, 35, 27,
+  19, 11, 3, 60, 52, 44, 36,
+  63, 55, 47, 39, 31, 23, 15,
+  7, 62, 54, 46, 38, 30, 22,
+  14, 6, 61, 53, 45, 37, 29,
+  21, 13, 5, 28, 20, 12, 4
+};
+
+static uschar perm2[48] = { 14, 17, 11, 24, 1, 5,
+  3, 28, 15, 6, 21, 10,
+  23, 19, 12, 4, 26, 8,
+  16, 7, 27, 20, 13, 2,
+  41, 52, 31, 37, 47, 55,
+  30, 40, 51, 45, 33, 48,
+  44, 49, 39, 56, 34, 53,
+  46, 42, 50, 36, 29, 32
+};
+
+static uschar perm3[64] = { 58, 50, 42, 34, 26, 18, 10, 2,
+  60, 52, 44, 36, 28, 20, 12, 4,
+  62, 54, 46, 38, 30, 22, 14, 6,
+  64, 56, 48, 40, 32, 24, 16, 8,
+  57, 49, 41, 33, 25, 17, 9, 1,
+  59, 51, 43, 35, 27, 19, 11, 3,
+  61, 53, 45, 37, 29, 21, 13, 5,
+  63, 55, 47, 39, 31, 23, 15, 7
+};
+
+static uschar perm4[48] = { 32, 1, 2, 3, 4, 5,
+  4, 5, 6, 7, 8, 9,
+  8, 9, 10, 11, 12, 13,
+  12, 13, 14, 15, 16, 17,
+  16, 17, 18, 19, 20, 21,
+  20, 21, 22, 23, 24, 25,
+  24, 25, 26, 27, 28, 29,
+  28, 29, 30, 31, 32, 1
+};
+
+static uschar perm5[32] = { 16, 7, 20, 21,
+  29, 12, 28, 17,
+  1, 15, 23, 26,
+  5, 18, 31, 10,
+  2, 8, 24, 14,
+  32, 27, 3, 9,
+  19, 13, 30, 6,
+  22, 11, 4, 25
+};
+
+
+static uschar perm6[64] = { 40, 8, 48, 16, 56, 24, 64, 32,
+  39, 7, 47, 15, 55, 23, 63, 31,
+  38, 6, 46, 14, 54, 22, 62, 30,
+  37, 5, 45, 13, 53, 21, 61, 29,
+  36, 4, 44, 12, 52, 20, 60, 28,
+  35, 3, 43, 11, 51, 19, 59, 27,
+  34, 2, 42, 10, 50, 18, 58, 26,
+  33, 1, 41, 9, 49, 17, 57, 25
+};
+
+
+static uschar sc[16] = { 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 };
+
+static uschar sbox[8][4][16] = {
+  {{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7},
+   {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8},
+   {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0},
+   {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}},
+
+  {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10},
+   {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5},
+   {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15},
+   {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}},
+
+  {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8},
+   {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1},
+   {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7},
+   {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}},
+
+  {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15},
+   {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9},
+   {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4},
+   {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}},
+
+  {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9},
+   {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6},
+   {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14},
+   {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}},
+
+  {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11},
+   {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8},
+   {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6},
+   {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}},
+
+  {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1},
+   {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6},
+   {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2},
+   {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}},
+
+  {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7},
+   {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2},
+   {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8},
+   {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}
+};
+
+static void
+permute (char *out, char *in, uschar * p, int n)
+{
+for (int i = 0; i < n; i++)
+  out[i] = in[p[i] - 1];
+}
+
+static void
+lshift (char *d, int count, int n)
+{
+char out[64];
+for (int i = 0; i < n; i++)
+  out[i] = d[(i + count) % n];
+for (int i = 0; i < n; i++)
+  d[i] = out[i];
+}
+
+static void
+concat (char *out, char *in1, char *in2, int l1, int l2)
+{
+while (l1--)
+  *out++ = *in1++;
+while (l2--)
+  *out++ = *in2++;
+}
+
+static void
+xor (char *out, char *in1, char *in2, int n)
+{
+for (int i = 0; i < n; i++)
+  out[i] = in1[i] ^ in2[i];
+}
+
+static void
+dohash (char *out, char *in, char *key, int forw)
+{
+int i, j, k;
+char pk1[56];
+char c[28];
+char d[28];
+char cd[56];
+char ki[16][48];
+char pd1[64];
+char l[32], r[32];
+char rl[64];
+
+permute (pk1, key, perm1, 56);
+
+for (i = 0; i < 28; i++)
+  c[i] = pk1[i];
+for (i = 0; i < 28; i++)
+  d[i] = pk1[i + 28];
+
+for (i = 0; i < 16; i++)
+  {
+  lshift (c, sc[i], 28);
+  lshift (d, sc[i], 28);
+
+  concat (cd, c, d, 28, 28);
+  permute (ki[i], cd, perm2, 48);
+  }
+
+permute (pd1, in, perm3, 64);
+
+for (j = 0; j < 32; j++)
+  {
+  l[j] = pd1[j];
+  r[j] = pd1[j + 32];
+  }
+
+for (i = 0; i < 16; i++)
+  {
+  char er[48];
+  char erk[48];
+  char b[8][6];
+  char cb[32];
+  char pcb[32];
+  char r2[32];
+
+  permute (er, r, perm4, 48);
+
+  xor (erk, er, ki[forw ? i : 15 - i], 48);
+
+  for (j = 0; j < 8; j++)
+   for (k = 0; k < 6; k++)
+     b[j][k] = erk[j * 6 + k];
+
+  for (j = 0; j < 8; j++)
+   {
+   int m, n;
+   m = (b[j][0] << 1) | b[j][5];
+
+   n = (b[j][1] << 3) | (b[j][2] << 2) | (b[j][3] << 1) | b[j][4];
+
+   for (k = 0; k < 4; k++)
+     b[j][k] = (sbox[j][m][n] & (1 << (3 - k))) ? 1 : 0;
+   }
+
+  for (j = 0; j < 8; j++)
+   for (k = 0; k < 4; k++)
+     cb[j * 4 + k] = b[j][k];
+  permute (pcb, cb, perm5, 32);
+
+  xor (r2, l, pcb, 32);
+
+  for (j = 0; j < 32; j++)
+   l[j] = r[j];
+
+  for (j = 0; j < 32; j++)
+   r[j] = r2[j];
+  }
+
+concat (rl, r, l, 32, 32);
+
+permute (out, rl, perm6, 64);
+}
+
+static void
+str_to_key (uschar *str, uschar *key)
+{
+int i;
+
+key[0] = str[0] >> 1;
+key[1] = ((str[0] & 0x01) << 6) | (str[1] >> 2);
+key[2] = ((str[1] & 0x03) << 5) | (str[2] >> 3);
+key[3] = ((str[2] & 0x07) << 4) | (str[3] >> 4);
+key[4] = ((str[3] & 0x0F) << 3) | (str[4] >> 5);
+key[5] = ((str[4] & 0x1F) << 2) | (str[5] >> 6);
+key[6] = ((str[5] & 0x3F) << 1) | (str[6] >> 7);
+key[7] = str[6] & 0x7F;
+for (i = 0; i < 8; i++)
+    key[i] = (key[i] << 1);
+}
+
+
+static void
+smbhash (uschar *out, uschar *in, uschar *key, int forw)
+{
+int i;
+char outb[64];
+char inb[64];
+char keyb[64];
+uschar key2[8];
+
+str_to_key (key, key2);
+
+for (i = 0; i < 64; i++)
+  {
+  inb[i] = (in[i / 8] & (1 << (7 - (i % 8)))) ? 1 : 0;
+  keyb[i] = (key2[i / 8] & (1 << (7 - (i % 8)))) ? 1 : 0;
+  outb[i] = 0;
+  }
+
+dohash (outb, inb, keyb, forw);
+
+for (i = 0; i < 8; i++)
+  out[i] = 0;
+
+for (i = 0; i < 64; i++)
+  if (outb[i])
+   out[i / 8] |= (1 << (7 - (i % 8)));
+}
+
+void
+E_P16 (uschar *p14, uschar *p16)
+{
+uschar sp8[8] = { 0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 };
+smbhash (p16, sp8, p14, 1);
+smbhash (p16 + 8, sp8, p14 + 7, 1);
+}
+
+void
+E_P24 (uschar *p21, uschar *c8, uschar *p24)
+{
+smbhash (p24, c8, p21, 1);
+smbhash (p24 + 8, c8, p21 + 7, 1);
+smbhash (p24 + 16, c8, p21 + 14, 1);
+}
+
+void
+D_P16 (uschar *p14, uschar *in, uschar *out)
+{
+smbhash (out, in, p14, 0);
+smbhash (out + 8, in + 8, p14 + 7, 0);
+}
+
+/****************************************************************************
+ Like strncpy but always null terminates. Make sure there is room!
+ The variable n should always be one less than the available size.
+****************************************************************************/
+
+char *
+StrnCpy (char *dest, const char *src, size_t n)
+{
+char *d = dest;
+if (!dest)
+  return (NULL);
+if (!src)
+  {
+  *dest = 0;
+  return (dest);
+  }
+while (n-- && (*d++ = *src++));
+*d = 0;
+return (dest);
+}
+
+size_t
+skip_multibyte_char (char c)
+{
+/* bogus if to get rid of unused compiler warning */
+if (c)
+  return 0;
+else
+  return 0;
+}
+
+
+/*******************************************************************
+safe string copy into a known length string. maxlength does not
+include the terminating zero.
+********************************************************************/
+
+char *
+safe_strcpy (char *dest, const char *src, size_t maxlength)
+{
+size_t len;
+
+if (!dest)
+  {
+  DEBUG_X (0, ("ERROR: NULL dest in safe_strcpy\n"));
+  return NULL;
+  }
+
+if (!src)
+  {
+  *dest = 0;
+  return dest;
+  }
+
+len = strlen (src);
+
+if (len > maxlength)
+  {
+  DEBUG_X (0, ("ERROR: string overflow by %d in safe_strcpy [%.50s]\n",
+	    (int) (len - maxlength), src));
+  len = maxlength;
+  }
+
+memcpy (dest, src, len);
+dest[len] = 0;
+return dest;
+}
+
+
+void
+strupper (char *s)
+{
+while (*s)
+  {
+   size_t skip = skip_multibyte_char (*s);
+   if (skip != 0)
+     s += skip;
+   else
+     {
+       if (islower ((uschar)(*s)))
+	 *s = toupper (*s);
+       s++;
+     }
+  }
+}
+
+
+/*
+ This implements the X/Open SMB password encryption
+ It takes a password, a 8 byte "crypt key" and puts 24 bytes of
+ encrypted password into p24
+ */
+
+void
+spa_smb_encrypt (uschar * passwd, uschar * c8, uschar * p24)
+{
+uschar p14[15], p21[21];
+
+memset (p21, '\0', 21);
+memset (p14, '\0', 14);
+StrnCpy (CS  p14, CS  passwd, 14);
+
+strupper (CS  p14);
+E_P16 (p14, p21);
+
+SMBOWFencrypt (p21, c8, p24);
+
+#ifdef DEBUG_PASSWORD
+DEBUG_X (100, ("spa_smb_encrypt: lm#, challenge, response\n"));
+dump_data (100, CS  p21, 16);
+dump_data (100, CS  c8, 8);
+dump_data (100, CS  p24, 24);
+#endif
+}
+
+/* Routines for Windows NT MD4 Hash functions. */
+static int
+_my_wcslen (int16x * str)
+{
+int len = 0;
+while (*str++ != 0)
+  len++;
+return len;
+}
+
+/*
+ * Convert a string into an NT UNICODE string.
+ * Note that regardless of processor type
+ * this must be in intel (little-endian)
+ * format.
+ */
+
+static int
+_my_mbstowcs (int16x * dst, uschar * src, int len)
+{
+int i;
+int16x val;
+
+for (i = 0; i < len; i++)
+  {
+  val = *src;
+  SSVAL (dst, 0, val);
+  dst++;
+  src++;
+  if (val == 0)
+   break;
+  }
+return i;
+}
+
+/*
+ * Creates the MD4 Hash of the users password in NT UNICODE.
+ */
+
+void
+E_md4hash (uschar * passwd, uschar * p16)
+{
+int len;
+int16x wpwd[129];
+
+/* Password cannot be longer than 128 characters */
+len = strlen (CS  passwd);
+if (len > 128)
+  len = 128;
+/* Password must be converted to NT unicode */
+_my_mbstowcs (wpwd, passwd, len);
+wpwd[len] = 0;               /* Ensure string is null terminated */
+/* Calculate length in bytes */
+len = _my_wcslen (wpwd) * sizeof (int16x);
+
+mdfour (p16, US wpwd, len);
+}
+
+/* Does both the NT and LM owfs of a user's password */
+void
+nt_lm_owf_gen (char *pwd, uschar nt_p16[16], uschar p16[16])
+{
+char passwd[130];
+
+memset (passwd, '\0', 130);
+safe_strcpy (passwd, pwd, sizeof (passwd) - 1);
+
+/* Calculate the MD4 hash (NT compatible) of the password */
+memset (nt_p16, '\0', 16);
+E_md4hash (US passwd, nt_p16);
+
+#ifdef DEBUG_PASSWORD
+DEBUG_X (100, ("nt_lm_owf_gen: pwd, nt#\n"));
+dump_data (120, passwd, strlen (passwd));
+dump_data (100, CS  nt_p16, 16);
+#endif
+
+/* Mangle the passwords into Lanman format */
+passwd[14] = '\0';
+strupper (passwd);
+
+/* Calculate the SMB (lanman) hash functions of the password */
+
+memset (p16, '\0', 16);
+E_P16 (US passwd, US p16);
+
+#ifdef DEBUG_PASSWORD
+DEBUG_X (100, ("nt_lm_owf_gen: pwd, lm#\n"));
+dump_data (120, passwd, strlen (passwd));
+dump_data (100, CS  p16, 16);
+#endif
+/* clear out local copy of user's password (just being paranoid). */
+memset (passwd, '\0', sizeof (passwd));
+}
+
+/* Does the des encryption from the NT or LM MD4 hash. */
+void
+SMBOWFencrypt (uschar passwd[16], uschar * c8, uschar p24[24])
+{
+uschar p21[21];
+
+memset (p21, '\0', 21);
+
+memcpy (p21, passwd, 16);
+E_P24 (p21, c8, p24);
+}
+
+/* Does the des encryption from the FIRST 8 BYTES of the NT or LM MD4 hash. */
+void
+NTLMSSPOWFencrypt (uschar passwd[8], uschar * ntlmchalresp, uschar p24[24])
+{
+uschar p21[21];
+
+memset (p21, '\0', 21);
+memcpy (p21, passwd, 8);
+memset (p21 + 8, 0xbd, 8);
+
+E_P24 (p21, ntlmchalresp, p24);
+#ifdef DEBUG_PASSWORD
+DEBUG_X (100, ("NTLMSSPOWFencrypt: p21, c8, p24\n"));
+dump_data (100, CS  p21, 21);
+dump_data (100, CS  ntlmchalresp, 8);
+dump_data (100, CS  p24, 24);
+#endif
+}
+
+
+/* Does the NT MD4 hash then des encryption. */
+
+void
+spa_smb_nt_encrypt (uschar * passwd, uschar * c8, uschar * p24)
+{
+uschar p21[21];
+
+memset (p21, '\0', 21);
+
+E_md4hash (passwd, p21);
+SMBOWFencrypt (p21, c8, p24);
+
+#ifdef DEBUG_PASSWORD
+DEBUG_X (100, ("spa_smb_nt_encrypt: nt#, challenge, response\n"));
+dump_data (100, CS  p21, 16);
+dump_data (100, CS  c8, 8);
+dump_data (100, CS  p24, 24);
+#endif
+}
+
+static uint32x A, B, C, D;
+
+static uint32x
+F (uint32x X, uint32x Y, uint32x Z)
+{
+return (X & Y) | ((~X) & Z);
+}
+
+static uint32x
+G (uint32x X, uint32x Y, uint32x Z)
+{
+return (X & Y) | (X & Z) | (Y & Z);
+}
+
+static uint32x
+H (uint32x X, uint32x Y, uint32x Z)
+{
+return X ^ Y ^ Z;
+}
+
+static uint32x
+lshift_a (uint32x x, int s)
+{
+x &= 0xFFFFFFFF;
+return ((x << s) & 0xFFFFFFFF) | (x >> (32 - s));
+}
+
+#define ROUND1(a,b,c,d,k,s) a = lshift_a(a + F(b,c,d) + X[k], s)
+#define ROUND2(a,b,c,d,k,s) a = lshift_a(a + G(b,c,d) + X[k] + (uint32x)0x5A827999,s)
+#define ROUND3(a,b,c,d,k,s) a = lshift_a(a + H(b,c,d) + X[k] + (uint32x)0x6ED9EBA1,s)
+
+/* this applies md4 to 64 byte chunks */
+static void
+spa_mdfour64 (uint32x * M)
+{
+int j;
+uint32x AA, BB, CC, DD;
+uint32x X[16];
+
+for (j = 0; j < 16; j++)
+  X[j] = M[j];
+
+AA = A;
+BB = B;
+CC = C;
+DD = D;
+
+ROUND1 (A, B, C, D, 0, 3);
+ROUND1 (D, A, B, C, 1, 7);
+ROUND1 (C, D, A, B, 2, 11);
+ROUND1 (B, C, D, A, 3, 19);
+ROUND1 (A, B, C, D, 4, 3);
+ROUND1 (D, A, B, C, 5, 7);
+ROUND1 (C, D, A, B, 6, 11);
+ROUND1 (B, C, D, A, 7, 19);
+ROUND1 (A, B, C, D, 8, 3);
+ROUND1 (D, A, B, C, 9, 7);
+ROUND1 (C, D, A, B, 10, 11);
+ROUND1 (B, C, D, A, 11, 19);
+ROUND1 (A, B, C, D, 12, 3);
+ROUND1 (D, A, B, C, 13, 7);
+ROUND1 (C, D, A, B, 14, 11);
+ROUND1 (B, C, D, A, 15, 19);
+
+ROUND2 (A, B, C, D, 0, 3);
+ROUND2 (D, A, B, C, 4, 5);
+ROUND2 (C, D, A, B, 8, 9);
+ROUND2 (B, C, D, A, 12, 13);
+ROUND2 (A, B, C, D, 1, 3);
+ROUND2 (D, A, B, C, 5, 5);
+ROUND2 (C, D, A, B, 9, 9);
+ROUND2 (B, C, D, A, 13, 13);
+ROUND2 (A, B, C, D, 2, 3);
+ROUND2 (D, A, B, C, 6, 5);
+ROUND2 (C, D, A, B, 10, 9);
+ROUND2 (B, C, D, A, 14, 13);
+ROUND2 (A, B, C, D, 3, 3);
+ROUND2 (D, A, B, C, 7, 5);
+ROUND2 (C, D, A, B, 11, 9);
+ROUND2 (B, C, D, A, 15, 13);
+
+ROUND3 (A, B, C, D, 0, 3);
+ROUND3 (D, A, B, C, 8, 9);
+ROUND3 (C, D, A, B, 4, 11);
+ROUND3 (B, C, D, A, 12, 15);
+ROUND3 (A, B, C, D, 2, 3);
+ROUND3 (D, A, B, C, 10, 9);
+ROUND3 (C, D, A, B, 6, 11);
+ROUND3 (B, C, D, A, 14, 15);
+ROUND3 (A, B, C, D, 1, 3);
+ROUND3 (D, A, B, C, 9, 9);
+ROUND3 (C, D, A, B, 5, 11);
+ROUND3 (B, C, D, A, 13, 15);
+ROUND3 (A, B, C, D, 3, 3);
+ROUND3 (D, A, B, C, 11, 9);
+ROUND3 (C, D, A, B, 7, 11);
+ROUND3 (B, C, D, A, 15, 15);
+
+A += AA;
+B += BB;
+C += CC;
+D += DD;
+
+A &= 0xFFFFFFFF;
+B &= 0xFFFFFFFF;
+C &= 0xFFFFFFFF;
+D &= 0xFFFFFFFF;
+
+for (j = 0; j < 16; j++)
+  X[j] = 0;
+}
+
+static void
+copy64 (uint32x * M, uschar *in)
+{
+int i;
+
+for (i = 0; i < 16; i++)
+  M[i] = (in[i * 4 + 3] << 24) | (in[i * 4 + 2] << 16) |
+    (in[i * 4 + 1] << 8) | (in[i * 4 + 0] << 0);
+}
+
+static void
+copy4 (uschar *out, uint32x x)
+{
+out[0] = x & 0xFF;
+out[1] = (x >> 8) & 0xFF;
+out[2] = (x >> 16) & 0xFF;
+out[3] = (x >> 24) & 0xFF;
+}
+
+/* produce a md4 message digest from data of length n bytes */
+void
+mdfour (uschar *out, uschar *in, int n)
+{
+uschar buf[128];
+uint32x M[16];
+uint32x b = n * 8;
+int i;
+
+A = 0x67452301;
+B = 0xefcdab89;
+C = 0x98badcfe;
+D = 0x10325476;
+
+while (n > 64)
+  {
+  copy64 (M, in);
+  spa_mdfour64 (M);
+  in += 64;
+  n -= 64;
+  }
+
+for (i = 0; i < 128; i++)
+  buf[i] = 0;
+memcpy (buf, in, n);
+buf[n] = 0x80;
+
+if (n <= 55)
+  {
+  copy4 (buf + 56, b);
+  copy64 (M, buf);
+  spa_mdfour64 (M);
+  }
+else
+  {
+  copy4 (buf + 120, b);
+  copy64 (M, buf);
+  spa_mdfour64 (M);
+  copy64 (M, buf + 64);
+  spa_mdfour64 (M);
+  }
+
+for (i = 0; i < 128; i++)
+  buf[i] = 0;
+copy64 (M, buf);
+
+copy4 (out, A);
+copy4 (out + 4, B);
+copy4 (out + 8, C);
+copy4 (out + 12, D);
+
+A = B = C = D = 0;
+}
+
+char versionString[] = "libntlm version 0.21";
+
+/* Utility routines that handle NTLM auth structures. */
+
+/* The [IS]VAL macros are to take care of byte order for non-Intel
+ * Machines -- I think this file is OK, but it hasn't been tested.
+ * The other files (the ones stolen from Samba) should be OK.
+ */
+
+
+/* I am not crazy about these macros -- they seem to have gotten
+ * a bit complex.  A new scheme for handling string/buffer fields
+ * in the structures probably needs to be designed
+ */
+
+#define spa_bytes_add(ptr, header, buf, count) \
+{ \
+if (buf && (count) != 0) /* we hate -Wint-in-bool-contex */ \
+  { \
+  SSVAL(&ptr->header.len,0,count); \
+  SSVAL(&ptr->header.maxlen,0,count); \
+  SIVAL(&ptr->header.offset,0,((ptr->buffer - ((uint8x*)ptr)) + ptr->bufIndex)); \
+  memcpy(ptr->buffer+ptr->bufIndex, buf, count); \
+  ptr->bufIndex += count; \
+  } \
+else \
+  { \
+  ptr->header.len = \
+  ptr->header.maxlen = 0; \
+  SIVAL(&ptr->header.offset,0,((ptr->buffer - ((uint8x*)ptr)) + ptr->bufIndex)); \
+  } \
+}
+
+#define spa_string_add(ptr, header, string) \
+{ \
+char *p = string; \
+int len = 0; \
+if (p) len = strlen(p); \
+spa_bytes_add(ptr, header, (US p), len); \
+}
+
+#define spa_unicode_add_string(ptr, header, string) \
+{ \
+char *p = string; \
+uschar *b = NULL; \
+int len = 0; \
+if (p) \
+  { \
+  len = strlen(p); \
+  b = strToUnicode(p); \
+  } \
+spa_bytes_add(ptr, header, b, len*2); \
+}
+
+
+#define GetUnicodeString(structPtr, header) \
+unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
+#define GetString(structPtr, header) \
+toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
+
+#ifdef notdef
+
+#define DumpBuffer(fp, structPtr, header) \
+dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
+
+
+static void
+dumpRaw (FILE * fp, uschar *buf, size_t len)
+{
+int i;
+
+for (i = 0; i < len; ++i)
+  fprintf (fp, "%02x ", buf[i]);
+
+fprintf (fp, "\n");
+}
+
+#endif
+
+char *
+unicodeToString (char *p, size_t len)
+{
+int i;
+static char buf[1024];
+
+assert (len + 1 < sizeof buf);
+
+for (i = 0; i < len; ++i)
+  {
+  buf[i] = *p & 0x7f;
+  p += 2;
+  }
+
+buf[i] = '\0';
+return buf;
+}
+
+static uschar *
+strToUnicode (char *p)
+{
+static uschar buf[1024];
+size_t l = strlen (p);
+int i = 0;
+
+assert (l * 2 < sizeof buf);
+
+while (l--)
+  {
+  buf[i++] = *p++;
+  buf[i++] = 0;
+  }
+
+return buf;
+}
+
+static uschar *
+toString (char *p, size_t len)
+{
+static uschar buf[1024];
+
+assert (len + 1 < sizeof buf);
+
+memcpy (buf, p, len);
+buf[len] = 0;
+return buf;
+}
+
+#ifdef notdef
+
+void
+dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request)
+{
+fprintf (fp, "NTLM Request:\n");
+fprintf (fp, "      Ident = %s\n", request->ident);
+fprintf (fp, "      mType = %d\n", IVAL (&request->msgType, 0));
+fprintf (fp, "      Flags = %08x\n", IVAL (&request->flags, 0));
+fprintf (fp, "       User = %s\n", GetString (request, user));
+fprintf (fp, "     Domain = %s\n", GetString (request, domain));
+}
+
+void
+dumpSmbNtlmAuthChallenge (FILE * fp, SPAAuthChallenge * challenge)
+{
+fprintf (fp, "NTLM Challenge:\n");
+fprintf (fp, "      Ident = %s\n", challenge->ident);
+fprintf (fp, "      mType = %d\n", IVAL (&challenge->msgType, 0));
+fprintf (fp, "     Domain = %s\n", GetUnicodeString (challenge, uDomain));
+fprintf (fp, "      Flags = %08x\n", IVAL (&challenge->flags, 0));
+fprintf (fp, "  Challenge = ");
+dumpRaw (fp, challenge->challengeData, 8);
+}
+
+void
+dumpSmbNtlmAuthResponse (FILE * fp, SPAAuthResponse * response)
+{
+fprintf (fp, "NTLM Response:\n");
+fprintf (fp, "      Ident = %s\n", response->ident);
+fprintf (fp, "      mType = %d\n", IVAL (&response->msgType, 0));
+fprintf (fp, "     LmResp = ");
+DumpBuffer (fp, response, lmResponse);
+fprintf (fp, "     NTResp = ");
+DumpBuffer (fp, response, ntResponse);
+fprintf (fp, "     Domain = %s\n", GetUnicodeString (response, uDomain));
+fprintf (fp, "       User = %s\n", GetUnicodeString (response, uUser));
+fprintf (fp, "        Wks = %s\n", GetUnicodeString (response, uWks));
+fprintf (fp, "       sKey = ");
+DumpBuffer (fp, response, sessionKey);
+fprintf (fp, "      Flags = %08x\n", IVAL (&response->flags, 0));
+}
+#endif
+
+void
+spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain)
+{
+char *u = strdup (user);
+char *p = strchr (u, '@');
+
+if (p)
+  {
+  if (!domain)
+   domain = p + 1;
+  *p = '\0';
+  }
+
+request->bufIndex = 0;
+memcpy (request->ident, "NTLMSSP\0\0\0", 8);
+SIVAL (&request->msgType, 0, 1);
+SIVAL (&request->flags, 0, 0x0000b207);      /* have to figure out what these mean */
+spa_string_add (request, user, u);
+spa_string_add (request, domain, domain);
+free (u);
+}
+
+
+
+void
+spa_build_auth_challenge (SPAAuthRequest * request, SPAAuthChallenge * challenge)
+{
+char chalstr[8];
+int i;
+int p = (int)getpid();
+int random_seed = (int)time(NULL) ^ ((p << 16) | p);
+
+/* Ensure challenge data is cleared, in case it isn't all used. This
+patch added by PH on suggestion of Russell King */
+
+memset(challenge, 0, sizeof(SPAAuthChallenge));
+
+challenge->bufIndex = 0;
+memcpy (challenge->ident, "NTLMSSP\0", 8);
+SIVAL (&challenge->msgType, 0, 2);
+SIVAL (&challenge->flags, 0, 0x00008201);
+SIVAL (&challenge->uDomain.len, 0, 0x0000);
+SIVAL (&challenge->uDomain.maxlen, 0, 0x0000);
+SIVAL (&challenge->uDomain.offset, 0, 0x00002800);
+
+/* generate eight pseudo random bytes (method ripped from host.c) */
+
+for(i=0;i<8;i++)
+  {
+  chalstr[i] = (uschar)(random_seed >> 16) % 256;
+  random_seed = (1103515245 - (chalstr[i])) * random_seed + 12345;
+  }
+
+memcpy(challenge->challengeData,chalstr,8);
+}
+
+
+
+
+/* This is the original source of this function, preserved here for reference.
+The new version below was re-organized by PH following a patch and some further
+suggestions from Mark Lyda to fix the problem that is described at the head of
+this module. At the same time, I removed the untidiness in the code below that
+involves the "d" and "domain" variables. */
+
+#ifdef NEVER
+void
+spa_build_auth_response (SPAAuthChallenge * challenge,
+                        SPAAuthResponse * response, char *user,
+                        char *password)
+{
+uint8x lmRespData[24];
+uint8x ntRespData[24];
+char *d = strdup (GetUnicodeString (challenge, uDomain));
+char *domain = d;
+char *u = strdup (user);
+char *p = strchr (u, '@');
+
+if (p)
+  {
+  domain = p + 1;
+  *p = '\0';
+  }
+
+spa_smb_encrypt (US password, challenge->challengeData, lmRespData);
+spa_smb_nt_encrypt (US password, challenge->challengeData, ntRespData);
+
+response->bufIndex = 0;
+memcpy (response->ident, "NTLMSSP\0\0\0", 8);
+SIVAL (&response->msgType, 0, 3);
+
+spa_bytes_add (response, lmResponse, lmRespData, 24);
+spa_bytes_add (response, ntResponse, ntRespData, 24);
+spa_unicode_add_string (response, uDomain, domain);
+spa_unicode_add_string (response, uUser, u);
+spa_unicode_add_string (response, uWks, u);
+spa_string_add (response, sessionKey, NULL);
+
+response->flags = challenge->flags;
+
+free (d);
+free (u);
+}
+#endif
+
+
+/* This is the re-organized version (see comments above) */
+
+void
+spa_build_auth_response (SPAAuthChallenge * challenge,
+                        SPAAuthResponse * response, char *user,
+                        char *password)
+{
+uint8x lmRespData[24];
+uint8x ntRespData[24];
+uint32x cf = IVAL(&challenge->flags, 0);
+char *u = strdup (user);
+char *p = strchr (u, '@');
+char *d = NULL;
+char *domain;
+
+if (p)
+  {
+  domain = p + 1;
+  *p = '\0';
+  }
+
+else domain = d = strdup((cf & 0x1)?
+  CCS GetUnicodeString(challenge, uDomain) :
+  CCS GetString(challenge, uDomain));
+
+spa_smb_encrypt (US password, challenge->challengeData, lmRespData);
+spa_smb_nt_encrypt (US password, challenge->challengeData, ntRespData);
+
+response->bufIndex = 0;
+memcpy (response->ident, "NTLMSSP\0\0\0", 8);
+SIVAL (&response->msgType, 0, 3);
+
+spa_bytes_add (response, lmResponse, lmRespData, (cf & 0x200) ? 24 : 0);
+spa_bytes_add (response, ntResponse, ntRespData, (cf & 0x8000) ? 24 : 0);
+
+if (cf & 0x1) {      /* Unicode Text */
+     spa_unicode_add_string (response, uDomain, domain);
+     spa_unicode_add_string (response, uUser, u);
+     spa_unicode_add_string (response, uWks, u);
+} else {             /* OEM Text */
+     spa_string_add (response, uDomain, domain);
+     spa_string_add (response, uUser, u);
+     spa_string_add (response, uWks, u);
+}
+
+spa_string_add (response, sessionKey, NULL);
+response->flags = challenge->flags;
+
+if (d != NULL) free (d);
+free (u);
+}
diff --git a/src/auths/auth-spa.h b/src/auths/auth-spa.h
new file mode 100644
index 0000000..cfe1b08
--- /dev/null
+++ b/src/auths/auth-spa.h
@@ -0,0 +1,92 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/*
+ * This file provides the necessary methods for authenticating with
+ * Microsoft's Secure Password Authentication.
+
+ * All the code used here was torn by Marc Prud'hommeaux out of the
+ * Samba project (by Andrew Tridgell, Jeremy Allison, and others).
+ */
+
+/* December 2004: The spa_base64_to_bits() function has no length checking in
+it. I have added a check. PH */
+
+/* It seems that some systems have existing but different definitions of some
+of the following types. I received a complaint about "int16" causing
+compilation problems. So I (PH) have renamed them all, to be on the safe side.
+
+typedef signed short int16;
+typedef unsigned short uint16;
+typedef unsigned uint32;
+typedef unsigned char  uint8;
+*/
+
+typedef signed short int16x;
+typedef unsigned short uint16x;
+typedef unsigned uint32x;
+typedef unsigned char  uint8x;
+
+typedef struct
+{
+       uint16x         len;
+       uint16x         maxlen;
+       uint32x         offset;
+} SPAStrHeader;
+
+typedef struct
+{
+       char         ident[8];
+       uint32x         msgType;
+       SPAStrHeader    uDomain;
+       uint32x         flags;
+       uint8x         challengeData[8];
+       uint8x         reserved[8];
+       SPAStrHeader    emptyString;
+       uint8x         buffer[1024];
+       uint32x         bufIndex;
+} SPAAuthChallenge;
+
+
+typedef struct
+{
+       char         ident[8];
+       uint32x         msgType;
+       uint32x         flags;
+       SPAStrHeader    user;
+       SPAStrHeader    domain;
+       uint8x         buffer[1024];
+       uint32x         bufIndex;
+} SPAAuthRequest;
+
+typedef struct
+{
+       char         ident[8];
+       uint32x         msgType;
+       SPAStrHeader    lmResponse;
+       SPAStrHeader    ntResponse;
+       SPAStrHeader    uDomain;
+       SPAStrHeader    uUser;
+       SPAStrHeader    uWks;
+       SPAStrHeader    sessionKey;
+       uint32x         flags;
+       uint8x         buffer[1024];
+       uint32x         bufIndex;
+} SPAAuthResponse;
+
+#define spa_request_length(ptr) (((ptr)->buffer - (uint8x*)(ptr)) + (ptr)->bufIndex)
+
+void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
+int spa_base64_to_bits(char *, int, const char *);
+void spa_build_auth_response (SPAAuthChallenge *challenge,
+       SPAAuthResponse *response, char *user, char *password);
+void spa_build_auth_request (SPAAuthRequest *request, char *user,
+       char *domain);
+extern void spa_smb_encrypt (unsigned char * passwd, unsigned char * c8,
+                             unsigned char * p24);
+extern void spa_smb_nt_encrypt (unsigned char * passwd, unsigned char * c8,
+                                unsigned char * p24);
+extern char *unicodeToString(char *p, size_t len);
+extern void spa_build_auth_challenge(SPAAuthRequest *, SPAAuthChallenge *);
+
diff --git a/src/auths/call_pam.c b/src/auths/call_pam.c
new file mode 100644
index 0000000..80f80f1
--- /dev/null
+++ b/src/auths/call_pam.c
@@ -0,0 +1,204 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 - 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+
+/* This module contains functions that call the PAM authentication mechanism
+defined by Sun for Solaris and also available for Linux and other OS.
+
+We can't just compile this code and allow the library mechanism to omit the
+functions if they are not wanted, because we need to have the PAM headers
+available for compiling. Therefore, compile these functions only if SUPPORT_PAM
+is defined. However, some compilers don't like compiling empty modules, so keep
+them happy with a dummy when skipping the rest. Make it reference itself to
+stop picky compilers complaining that it is unused, and put in a dummy argument
+to stop even pickier compilers complaining about infinite loops.
+Then use a mutually-recursive pair as gcc is just getting stupid. */
+
+#ifndef SUPPORT_PAM
+static void dummy(int x);
+static void dummy2(int x) { dummy(x-1); }
+static void dummy(int x) { dummy2(x-1); }
+#else  /* SUPPORT_PAM */
+
+#ifdef PAM_H_IN_PAM
+#include <pam/pam_appl.h>
+#else
+#include <security/pam_appl.h>
+#endif
+
+/* According to the specification, it should be possible to have an application
+data pointer passed to the conversation function. However, I was unable to get
+this to work on Solaris 2.6, so static variables are used instead. */
+
+static int pam_conv_had_error;
+static const uschar *pam_args;
+static BOOL pam_arg_ended;
+
+
+
+/*************************************************
+*           PAM conversation function            *
+*************************************************/
+
+/* This function is passed to the PAM authentication function, and it calls it
+back when it wants data from the client. The string list is in pam_args. When
+we reach the end, we pass back an empty string once. If this function is called
+again, it will give an error response. This is protection against something
+crazy happening.
+
+Arguments:
+  num_msg        number of messages associated with the call
+  msg            points to an array of length num_msg of pam_message structures
+  resp           set to point to the response block, which has to be got by
+                   this function
+  appdata_ptr    the application data pointer - not used because in Solaris
+                   2.6 it always arrived in pam_converse() as NULL
+
+Returns:         a PAM return code
+*/
+
+static int
+pam_converse (int num_msg, PAM_CONVERSE_ARG2_TYPE **msg,
+  struct pam_response **resp, void *appdata_ptr)
+{
+int sep = 0;
+struct pam_response *reply;
+
+/* It seems that PAM frees reply[] */
+
+if (  pam_arg_ended
+   || !(reply = malloc(sizeof(struct pam_response) * num_msg)))
+  return PAM_CONV_ERR;
+
+for (int i = 0; i < num_msg; i++)
+  {
+  uschar *arg;
+  switch (msg[i]->msg_style)
+    {
+    case PAM_PROMPT_ECHO_ON:
+    case PAM_PROMPT_ECHO_OFF:
+      if (!(arg = string_nextinlist(&pam_args, &sep, NULL, 0)))
+	{
+	arg = US"";
+	pam_arg_ended = TRUE;
+	}
+      reply[i].resp = strdup(CCS arg); /* Use libc malloc, PAM frees resp directly*/
+      reply[i].resp_retcode = PAM_SUCCESS;
+      break;
+
+    case PAM_TEXT_INFO:    /* Just acknowledge messages */
+    case PAM_ERROR_MSG:
+      reply[i].resp_retcode = PAM_SUCCESS;
+      reply[i].resp = NULL;
+      break;
+
+    default:  /* Must be an error of some sort... */
+      free(reply);
+      pam_conv_had_error = TRUE;
+      return PAM_CONV_ERR;
+    }
+  }
+
+*resp = reply;
+return PAM_SUCCESS;
+}
+
+
+
+/*************************************************
+*              Perform PAM authentication        *
+*************************************************/
+
+/* This function calls the PAM authentication mechanism, passing over one or
+more data strings.
+
+Arguments:
+  s        a colon-separated list of strings
+  errptr   where to point an error message
+
+Returns:   OK if authentication succeeded
+           FAIL if authentication failed
+           ERROR some other error condition
+*/
+
+int
+auth_call_pam(const uschar *s, uschar **errptr)
+{
+pam_handle_t *pamh = NULL;
+struct pam_conv pamc;
+int pam_error;
+int sep = 0;
+uschar *user;
+
+/* Set up the input data structure: the address of the conversation function,
+and a pointer to application data, which we don't use because I couldn't get it
+to work under Solaris 2.6 - it always arrived in pam_converse() as NULL. */
+
+pamc.conv = pam_converse;
+pamc.appdata_ptr = NULL;
+
+/* Initialize the static data - the current input data, the error flag, and the
+flag for data end. */
+
+pam_args = s;
+pam_conv_had_error = FALSE;
+pam_arg_ended = FALSE;
+
+/* The first string in the list is the user. If this is an empty string, we
+fail. PAM doesn't support authentication with an empty user (it prompts for it,
+causing a potential mis-interpretation). */
+
+user = string_nextinlist(&pam_args, &sep, NULL, 0);
+if (user == NULL || user[0] == 0) return FAIL;
+
+/* Start off PAM interaction */
+
+DEBUG(D_auth)
+  debug_printf("Running PAM authentication for user \"%s\"\n", user);
+
+pam_error = pam_start ("exim", CS user, &pamc, &pamh);
+
+/* Do the authentication - the pam_authenticate() will call pam_converse() to
+get the data it wants. After successful authentication we call pam_acct_mgmt()
+to apply any other restrictions (e.g. only some times of day). */
+
+if (pam_error == PAM_SUCCESS)
+  {
+  pam_error = pam_authenticate (pamh, PAM_SILENT);
+  if (pam_error == PAM_SUCCESS && !pam_conv_had_error)
+    pam_error = pam_acct_mgmt (pamh, PAM_SILENT);
+  }
+
+/* Finish the PAM interaction - this causes it to clean up store etc. Unclear
+what should be passed as the second argument. */
+
+pam_end(pamh, PAM_SUCCESS);
+
+/* Sort out the return code. If not success, set the error message. */
+
+if (pam_error == PAM_SUCCESS)
+  {
+  DEBUG(D_auth) debug_printf("PAM success\n");
+  return OK;
+  }
+
+*errptr = US pam_strerror(pamh, pam_error);
+DEBUG(D_auth) debug_printf("PAM error: %s\n", *errptr);
+
+if (pam_error == PAM_USER_UNKNOWN ||
+    pam_error == PAM_AUTH_ERR ||
+    pam_error == PAM_ACCT_EXPIRED)
+  return FAIL;
+
+return ERROR;
+}
+
+#endif  /* SUPPORT_PAM */
+
+/* End of call_pam.c */
diff --git a/src/auths/call_pwcheck.c b/src/auths/call_pwcheck.c
new file mode 100644
index 0000000..0adde44
--- /dev/null
+++ b/src/auths/call_pwcheck.c
@@ -0,0 +1,121 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* Copyright (c) The Exim Maintainers 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This module contains interface functions to the two Cyrus authentication
+daemons. The original one was "pwcheck", which gives its name to the source
+file. This is now deprecated in favour of "saslauthd". */
+
+
+#include "../exim.h"
+#include "pwcheck.h"
+
+
+/*************************************************
+*      External entry point for pwcheck          *
+*************************************************/
+
+/* This function calls the now-deprecated "pwcheck" Cyrus-SASL authentication
+daemon, passing over a colon-separated user name and password. As this is
+called from the string expander, the string will always be in dynamic store and
+can be overwritten.
+
+Arguments:
+  s        a colon-separated username:password string
+  errptr   where to point an error message
+
+Returns:   OK if authentication succeeded
+           FAIL if authentication failed
+           ERROR some other error condition
+*/
+
+int
+auth_call_pwcheck(uschar *s, uschar **errptr)
+{
+uschar *reply = NULL;
+uschar *pw = Ustrrchr(s, ':');
+
+if (pw == NULL)
+  {
+  *errptr = US"pwcheck: malformed input - missing colon";
+  return ERROR;
+  }
+
+*pw++ = 0;   /* Separate user and password */
+
+DEBUG(D_auth)
+  debug_printf("Running pwcheck authentication for user \"%s\"\n", s);
+
+switch (pwcheck_verify_password(CS s, CS pw, CCSS &reply))
+  {
+  case PWCHECK_OK:
+  DEBUG(D_auth) debug_printf("pwcheck: success (%s)\n", reply);
+  return OK;
+
+  case PWCHECK_NO:
+  DEBUG(D_auth) debug_printf("pwcheck: access denied (%s)\n", reply);
+  return FAIL;
+
+  default:
+  DEBUG(D_auth) debug_printf("pwcheck: query failed (%s)\n", reply);
+  *errptr = reply;
+  return ERROR;
+  }
+}
+
+
+/*************************************************
+*       External entry point for pwauthd         *
+*************************************************/
+
+/* This function calls the "saslauthd" Cyrus-SASL authentication daemon,
+saslauthd, As this is called from the string expander, all the strings will
+always be in dynamic store and can be overwritten.
+
+Arguments:
+  username        username
+  password        password
+  service         optional service
+  realm           optional realm
+  errptr          where to point an error message
+
+Returns:   OK if authentication succeeded
+           FAIL if authentication failed
+           ERROR some other error condition
+*/
+
+int
+auth_call_saslauthd(const uschar *username, const uschar *password,
+  const uschar *service, const uschar *realm, uschar **errptr)
+{
+uschar *reply = NULL;
+
+if (service == NULL) service = US"";
+if (realm == NULL) realm = US"";
+
+DEBUG(D_auth)
+  debug_printf("Running saslauthd authentication for user \"%s\" \n", username);
+
+switch (saslauthd_verify_password(username, password, service,
+        realm, (const uschar **)(&reply)))
+  {
+  case PWCHECK_OK:
+  DEBUG(D_auth) debug_printf("saslauthd: success (%s)\n", reply);
+  return OK;
+
+  case PWCHECK_NO:
+  DEBUG(D_auth) debug_printf("saslauthd: access denied (%s)\n", reply);
+  return FAIL;
+
+  default:
+  DEBUG(D_auth) debug_printf("saslauthd: query failed (%s)\n", reply);
+  *errptr = reply;
+  return ERROR;
+  }
+}
+
+/* End of call_pwcheck.c */
diff --git a/src/auths/call_radius.c b/src/auths/call_radius.c
new file mode 100644
index 0000000..e7f9f52
--- /dev/null
+++ b/src/auths/call_radius.c
@@ -0,0 +1,223 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2016 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This file was originally supplied by Ian Kirk. The libradius support came
+from Alex Kiernan. */
+
+#include "../exim.h"
+
+/* This module contains functions that call the Radius authentication
+mechanism.
+
+We can't just compile this code and allow the library mechanism to omit the
+functions if they are not wanted, because we need to have the Radius headers
+available for compiling. Therefore, compile these functions only if
+RADIUS_CONFIG_FILE is defined. However, some compilers don't like compiling
+empty modules, so keep them happy with a dummy when skipping the rest. Make it
+reference itself to stop picky compilers complaining that it is unused, and put
+in a dummy argument to stop even pickier compilers complaining about infinite
+loops. Then use a mutually-recursive pair as gcc is just getting stupid. */
+
+#ifndef RADIUS_CONFIG_FILE
+static void dummy(int x);
+static void dummy2(int x) { dummy(x-1); }
+static void dummy(int x) { dummy2(x-1); }
+#else  /* RADIUS_CONFIG_FILE */
+
+
+/* Two different Radius libraries are supported. The default is radiusclient,
+using its original API. At release 0.4.0 the API changed. */
+
+#ifdef RADIUS_LIB_RADLIB
+# include <radlib.h>
+#else
+# if !defined(RADIUS_LIB_RADIUSCLIENT) && !defined(RADIUS_LIB_RADIUSCLIENTNEW)
+#  define RADIUS_LIB_RADIUSCLIENT
+# endif
+
+# ifdef RADIUS_LIB_RADIUSCLIENTNEW
+#  define ENV FREERADIUSCLIENT_ENV	/* Avoid clash with Berkeley DB */
+#  include <freeradius-client.h>
+# else
+#  include <radiusclient.h>
+# endif
+#endif
+
+
+
+/*************************************************
+*              Perform RADIUS authentication     *
+*************************************************/
+
+/* This function calls the Radius authentication mechanism, passing over one or
+more data strings.
+
+Arguments:
+  s        a colon-separated list of strings
+  errptr   where to point an error message
+
+Returns:   OK if authentication succeeded
+           FAIL if authentication failed
+           ERROR some other error condition
+*/
+
+int
+auth_call_radius(const uschar *s, uschar **errptr)
+{
+uschar *user;
+const uschar *radius_args = s;
+int result;
+int sep = 0;
+
+#ifdef RADIUS_LIB_RADLIB
+  struct rad_handle *h;
+#else
+  #ifdef RADIUS_LIB_RADIUSCLIENTNEW
+    rc_handle *h;
+  #endif
+  VALUE_PAIR *send = NULL;
+  VALUE_PAIR *received;
+  unsigned int service = PW_AUTHENTICATE_ONLY;
+  char msg[4096];
+#endif
+
+
+if (!(user = string_nextinlist(&radius_args, &sep, NULL, 0))) user = US"";
+
+DEBUG(D_auth) debug_printf("Running RADIUS authentication for user \"%s\" "
+               "and \"%s\"\n", user, radius_args);
+
+*errptr = NULL;
+
+
+/* Authenticate using the radiusclient library */
+
+#ifndef RADIUS_LIB_RADLIB
+
+rc_openlog("exim");
+
+#ifdef RADIUS_LIB_RADIUSCLIENT
+if (rc_read_config(RADIUS_CONFIG_FILE) != 0)
+  *errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE);
+
+else if (rc_read_dictionary(rc_conf_str("dictionary")) != 0)
+  *errptr = US"RADIUS: can't read dictionary";
+
+else if (!rc_avpair_add(&send, PW_USER_NAME, user, 0))
+  *errptr = US"RADIUS: add user name failed";
+
+else if (!rc_avpair_add(&send, PW_USER_PASSWORD, CS radius_args, 0))
+  *errptr = US"RADIUS: add password failed");
+
+else if (!rc_avpair_add(&send, PW_SERVICE_TYPE, &service, 0))
+  *errptr = US"RADIUS: add service type failed";
+
+#else  /* RADIUS_LIB_RADIUSCLIENT unset => RADIUS_LIB_RADIUSCLIENT2 */
+
+if (!(h = rc_read_config(RADIUS_CONFIG_FILE)))
+  *errptr = string_sprintf("RADIUS: can't open %s", RADIUS_CONFIG_FILE);
+
+else if (rc_read_dictionary(h, rc_conf_str(h, "dictionary")) != 0)
+  *errptr = US"RADIUS: can't read dictionary";
+
+else if (!rc_avpair_add(h, &send, PW_USER_NAME, user, Ustrlen(user), 0))
+  *errptr = US"RADIUS: add user name failed";
+
+else if (!rc_avpair_add(h, &send, PW_USER_PASSWORD, CS radius_args,
+    Ustrlen(radius_args), 0))
+  *errptr = US"RADIUS: add password failed";
+
+else if (!rc_avpair_add(h, &send, PW_SERVICE_TYPE, &service, 0, 0))
+  *errptr = US"RADIUS: add service type failed";
+
+#endif  /* RADIUS_LIB_RADIUSCLIENT */
+
+if (*errptr)
+  {
+  DEBUG(D_auth) debug_printf("%s\n", *errptr);
+  return ERROR;
+  }
+
+#ifdef RADIUS_LIB_RADIUSCLIENT
+result = rc_auth(0, send, &received, msg);
+#else
+result = rc_auth(h, 0, send, &received, msg);
+#endif
+
+DEBUG(D_auth) debug_printf("RADIUS code returned %d\n", result);
+
+switch (result)
+  {
+  case OK_RC:
+    return OK;
+
+  case REJECT_RC:
+  case ERROR_RC:
+    return FAIL;
+
+  case TIMEOUT_RC:
+    *errptr = US"RADIUS: timed out";
+    return ERROR;
+
+  case BADRESP_RC:
+  default:
+    *errptr = string_sprintf("RADIUS: unexpected response (%d)", result);
+    return ERROR;
+  }
+
+#else  /* RADIUS_LIB_RADLIB is set */
+
+/* Authenticate using the libradius library */
+
+if (!(h = rad_auth_open()))
+  {
+  *errptr = string_sprintf("RADIUS: can't initialise libradius");
+  return ERROR;
+  }
+if (rad_config(h, RADIUS_CONFIG_FILE) != 0 ||
+    rad_create_request(h, RAD_ACCESS_REQUEST) != 0 ||
+    rad_put_string(h, RAD_USER_NAME, CS user) != 0 ||
+    rad_put_string(h, RAD_USER_PASSWORD, CS radius_args) != 0 ||
+    rad_put_int(h, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) != 0 ||
+    rad_put_string(h, RAD_NAS_IDENTIFIER, CS primary_hostname) != 0)
+  {
+  *errptr = string_sprintf("RADIUS: %s", rad_strerror(h));
+  result = ERROR;
+  }
+else
+  switch (result = rad_send_request(h))
+    {
+    case RAD_ACCESS_ACCEPT:
+      result = OK;
+      break;
+
+    case RAD_ACCESS_REJECT:
+      result = FAIL;
+      break;
+
+    case -1:
+      *errptr = string_sprintf("RADIUS: %s", rad_strerror(h));
+      result = ERROR;
+      break;
+
+    default:
+      *errptr = string_sprintf("RADIUS: unexpected response (%d)", result);
+      result= ERROR;
+      break;
+    }
+
+if (*errptr) DEBUG(D_auth) debug_printf("%s\n", *errptr);
+rad_close(h);
+return result;
+
+#endif  /* RADIUS_LIB_RADLIB */
+}
+
+#endif  /* RADIUS_CONFIG_FILE */
+
+/* End of call_radius.c */
diff --git a/src/auths/check_serv_cond.c b/src/auths/check_serv_cond.c
new file mode 100644
index 0000000..457a715
--- /dev/null
+++ b/src/auths/check_serv_cond.c
@@ -0,0 +1,124 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+
+/* This module contains the function server_condition(), which is used
+by all authenticators. */
+
+
+/*************************************************
+*              Check server_condition            *
+*************************************************/
+
+/* This function is called from the server code of all authenticators. For
+plaintext and gsasl, it is always called: the argument cannot be empty, because
+for those, setting server_condition is what enables it as a server
+authenticator. For all the other authenticators, this function is called after
+they have authenticated, to enable additional authorization to be done.
+
+Argument:     the authenticator's instance block
+
+Returns:
+  OK          NULL argument, or success
+  DEFER       couldn't complete the check
+  FAIL        authentication failed
+*/
+
+int
+auth_check_serv_cond(auth_instance *ablock)
+{
+  return auth_check_some_cond(ablock,
+      US"server_condition", ablock->server_condition, OK);
+}
+
+
+/*************************************************
+*         Check some server condition            *
+*************************************************/
+
+/* This underlies server_condition, but is also used for some more generic
+ checks.
+
+Arguments:
+  ablock     the authenticator's instance block
+  label      debugging label naming the string checked
+  condition  the condition string to be expanded and checked
+  unset      value to return on NULL condition
+
+Returns:
+  OK          success (or unset=OK)
+  DEFER       couldn't complete the check
+  FAIL        authentication failed
+*/
+
+int
+auth_check_some_cond(auth_instance *ablock,
+    uschar *label, uschar *condition, int unset)
+{
+uschar *cond;
+
+HDEBUG(D_auth)
+  {
+  debug_printf("%s authenticator %s:\n", ablock->name, label);
+  for (int i = 0; i < AUTH_VARS; i++) if (auth_vars[i])
+    debug_printf("  $auth%d = %s\n", i + 1, auth_vars[i]);
+  for (int i = 1; i <= expand_nmax; i++)
+    debug_printf("  $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
+  debug_print_string(ablock->server_debug_string);    /* customized debug */
+  }
+
+/* For the plaintext authenticator, server_condition is never NULL. For the
+rest, an unset condition lets everything through. */
+
+/* For server_condition, an unset condition lets everything through.
+For plaintext/gsasl authenticators, it will have been pre-checked to prevent
+this.  We return the unset scenario value given to us, which for
+server_condition will be OK and otherwise will typically be FAIL. */
+
+if (!condition) return unset;
+cond = expand_string(condition);
+
+HDEBUG(D_auth)
+  if (!cond)
+    debug_printf("expansion failed: %s\n", expand_string_message);
+  else
+    debug_printf("expanded string: %s\n", cond);
+
+/* A forced expansion failure causes authentication to fail. Other expansion
+failures yield DEFER, which will cause a temporary error code to be returned to
+the AUTH command. The problem is at the server end, so the client should try
+again later. */
+
+if (!cond)
+  {
+  if (f.expand_string_forcedfail) return FAIL;
+  auth_defer_msg = expand_string_message;
+  return DEFER;
+  }
+
+/* Return FAIL for empty string, "0", "no", and "false"; return OK for
+"1", "yes", and "true"; return DEFER for anything else, with the string
+available as an error text for the user. */
+
+if (*cond == 0 ||
+    Ustrcmp(cond, "0") == 0 ||
+    strcmpic(cond, US"no") == 0 ||
+    strcmpic(cond, US"false") == 0)
+  return FAIL;
+
+if (Ustrcmp(cond, "1") == 0 ||
+    strcmpic(cond, US"yes") == 0 ||
+    strcmpic(cond, US"true") == 0)
+  return OK;
+
+auth_defer_msg = cond;
+auth_defer_user_msg = string_sprintf(": %s", cond);
+return DEFER;
+}
+
+/* End of check_serv_cond.c */
diff --git a/src/auths/cram_md5.c b/src/auths/cram_md5.c
new file mode 100644
index 0000000..2c0616c
--- /dev/null
+++ b/src/auths/cram_md5.c
@@ -0,0 +1,360 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* The stand-alone version just tests the algorithm. We have to drag
+in the MD5 computation functions, without their own stand-alone main
+program. */
+
+#ifdef STAND_ALONE
+#define CRAM_STAND_ALONE
+#include "md5.c"
+
+
+/* This is the normal, non-stand-alone case */
+
+#else
+#include "../exim.h"
+#include "cram_md5.h"
+
+/* Options specific to the cram_md5 authentication mechanism. */
+
+optionlist auth_cram_md5_options[] = {
+  { "client_name",        opt_stringptr,
+      OPT_OFF(auth_cram_md5_options_block, client_name) },
+  { "client_secret",      opt_stringptr,
+      OPT_OFF(auth_cram_md5_options_block, client_secret) },
+  { "server_secret",      opt_stringptr,
+      OPT_OFF(auth_cram_md5_options_block, server_secret) }
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int auth_cram_md5_options_count =
+  sizeof(auth_cram_md5_options)/sizeof(optionlist);
+
+/* Default private options block for the condition authentication method. */
+
+auth_cram_md5_options_block auth_cram_md5_option_defaults = {
+  NULL,             /* server_secret */
+  NULL,             /* client_secret */
+  NULL              /* client_name */
+};
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+void auth_cram_md5_init(auth_instance *ablock) {}
+int auth_cram_md5_server(auth_instance *ablock, uschar *data) {return 0;}
+int auth_cram_md5_client(auth_instance *ablock, void *sx, int timeout,
+    uschar *buffer, int buffsize) {return 0;}
+
+#else	/*!MACRO_PREDEF*/
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up. */
+
+void
+auth_cram_md5_init(auth_instance *ablock)
+{
+auth_cram_md5_options_block *ob =
+  (auth_cram_md5_options_block *)(ablock->options_block);
+if (ob->server_secret != NULL) ablock->server = TRUE;
+if (ob->client_secret != NULL)
+  {
+  ablock->client = TRUE;
+  if (ob->client_name == NULL) ob->client_name = primary_hostname;
+  }
+}
+
+#endif	/*!MACRO_PREDEF*/
+#endif  /* STAND_ALONE */
+
+
+
+#ifndef MACRO_PREDEF
+/*************************************************
+*      Perform the CRAM-MD5 algorithm            *
+*************************************************/
+
+/* The CRAM-MD5 algorithm is described in RFC 2195. It computes
+
+  MD5((secret XOR opad), MD5((secret XOR ipad), challenge))
+
+where secret is padded out to 64 characters (after being reduced to an MD5
+digest if longer than 64) and ipad and opad are 64-byte strings of 0x36 and
+0x5c respectively, and comma means concatenation.
+
+Arguments:
+  secret         the shared secret
+  challenge      the challenge text
+  digest         16-byte slot to put the answer in
+
+Returns:         nothing
+*/
+
+static void
+compute_cram_md5(uschar *secret, uschar *challenge, uschar *digestptr)
+{
+md5 base;
+int len = Ustrlen(secret);
+uschar isecret[64];
+uschar osecret[64];
+uschar md5secret[16];
+
+/* If the secret is longer than 64 characters, we compute its MD5 digest
+and use that. */
+
+if (len > 64)
+  {
+  md5_start(&base);
+  md5_end(&base, US secret, len, md5secret);
+  secret = US md5secret;
+  len = 16;
+  }
+
+/* The key length is now known to be <= 64. Set up the padded and xor'ed
+versions. */
+
+memcpy(isecret, secret, len);
+memset(isecret+len, 0, 64-len);
+memcpy(osecret, isecret, 64);
+
+for (int i = 0; i < 64; i++)
+  {
+  isecret[i] ^= 0x36;
+  osecret[i] ^= 0x5c;
+  }
+
+/* Compute the inner MD5 digest */
+
+md5_start(&base);
+md5_mid(&base, isecret);
+md5_end(&base, US challenge, Ustrlen(challenge), md5secret);
+
+/* Compute the outer MD5 digest */
+
+md5_start(&base);
+md5_mid(&base, osecret);
+md5_end(&base, md5secret, 16, digestptr);
+}
+
+
+#ifndef STAND_ALONE
+
+/*************************************************
+*             Server entry point                 *
+*************************************************/
+
+/* For interface, see auths/README */
+
+int
+auth_cram_md5_server(auth_instance *ablock, uschar *data)
+{
+auth_cram_md5_options_block *ob =
+  (auth_cram_md5_options_block *)(ablock->options_block);
+uschar *challenge = string_sprintf("<%d.%ld@%s>", getpid(),
+    (long int) time(NULL), primary_hostname);
+uschar *clear, *secret;
+uschar digest[16];
+int i, rc, len;
+
+/* If we are running in the test harness, always send the same challenge,
+an example string taken from the RFC. */
+
+if (f.running_in_test_harness)
+  challenge = US"<1896.697170952@postoffice.reston.mci.net>";
+
+/* No data should have been sent with the AUTH command */
+
+if (*data) return UNEXPECTED;
+
+/* Send the challenge, read the return */
+
+if ((rc = auth_get_data(&data, challenge, Ustrlen(challenge))) != OK) return rc;
+if ((len = b64decode(data, &clear)) < 0) return BAD64;
+
+/* The return consists of a user name, space-separated from the CRAM-MD5
+digest, expressed in hex. Extract the user name and put it in $auth1 and $1.
+The former is now the preferred variable; the latter is the original one. Then
+check that the remaining length is 32. */
+
+auth_vars[0] = expand_nstring[1] = clear;
+while (*clear && !isspace(*clear)) clear++;
+if (!isspace(*clear)) return FAIL;
+*clear++ = 0;
+
+expand_nlength[1] = clear - expand_nstring[1] - 1;
+if (len - expand_nlength[1] - 1 != 32) return FAIL;
+expand_nmax = 1;
+
+/* Expand the server_secret string so that it can compute a value dependent on
+the user name if necessary. */
+
+debug_print_string(ablock->server_debug_string);    /* customized debugging */
+secret = expand_string(ob->server_secret);
+
+/* A forced fail implies failure of authentication - i.e. we have no secret for
+the given name. */
+
+if (secret == NULL)
+  {
+  if (f.expand_string_forcedfail) return FAIL;
+  auth_defer_msg = expand_string_message;
+  return DEFER;
+  }
+
+/* Compute the CRAM-MD5 digest that we should have received from the client. */
+
+compute_cram_md5(secret, challenge, digest);
+
+HDEBUG(D_auth)
+  {
+  uschar buff[64];
+  debug_printf("CRAM-MD5: user name = %s\n", auth_vars[0]);
+  debug_printf("          challenge = %s\n", challenge);
+  debug_printf("          received  = %s\n", clear);
+  Ustrcpy(buff, US"          digest    = ");
+  for (i = 0; i < 16; i++) sprintf(CS buff+22+2*i, "%02x", digest[i]);
+  debug_printf("%.54s\n", buff);
+  }
+
+/* We now have to compare the digest, which is 16 bytes in binary, with the
+data received, which is expressed in lower case hex. We checked above that
+there were 32 characters of data left. */
+
+for (i = 0; i < 16; i++)
+  {
+  int a = *clear++;
+  int b = *clear++;
+  if (((((a >= 'a')? a - 'a' + 10 : a - '0') << 4) +
+        ((b >= 'a')? b - 'a' + 10 : b - '0')) != digest[i]) return FAIL;
+  }
+
+/* Expand server_condition as an authorization check */
+return auth_check_serv_cond(ablock);
+}
+
+
+
+/*************************************************
+*              Client entry point                *
+*************************************************/
+
+/* For interface, see auths/README */
+
+int
+auth_cram_md5_client(
+  auth_instance *ablock,                 /* authenticator block */
+  void * sx,				 /* smtp connextion */
+  int timeout,                           /* command timeout */
+  uschar *buffer,                        /* for reading response */
+  int buffsize)                          /* size of buffer */
+{
+auth_cram_md5_options_block *ob =
+  (auth_cram_md5_options_block *)(ablock->options_block);
+uschar *secret = expand_string(ob->client_secret);
+uschar *name = expand_string(ob->client_name);
+uschar *challenge, *p;
+int i;
+uschar digest[16];
+
+/* If expansion of either the secret or the user name failed, return CANCELLED
+or ERROR, as appropriate. */
+
+if (!secret || !name)
+  {
+  if (f.expand_string_forcedfail)
+    {
+    *buffer = 0;           /* No message */
+    return CANCELLED;
+    }
+  string_format(buffer, buffsize, "expansion of \"%s\" failed in "
+    "%s authenticator: %s",
+    !secret ? ob->client_secret : ob->client_name,
+    ablock->name, expand_string_message);
+  return ERROR;
+  }
+
+/* Initiate the authentication exchange and read the challenge, which arrives
+in base 64. */
+
+if (smtp_write_command(sx, SCMD_FLUSH, "AUTH %s\r\n", ablock->public_name) < 0)
+  return FAIL_SEND;
+if (!smtp_read_response(sx, buffer, buffsize, '3', timeout))
+  return FAIL;
+
+if (b64decode(buffer + 4, &challenge) < 0)
+  {
+  string_format(buffer, buffsize, "bad base 64 string in challenge: %s",
+    big_buffer + 4);
+  return ERROR;
+  }
+
+/* Run the CRAM-MD5 algorithm on the secret and the challenge */
+
+compute_cram_md5(secret, challenge, digest);
+
+/* Create the response from the user name plus the CRAM-MD5 digest */
+
+string_format(big_buffer, big_buffer_size - 36, "%s", name);
+for (p = big_buffer; *p; ) p++;
+*p++ = ' ';
+
+for (i = 0; i < 16; i++)
+  p += sprintf(CS p, "%02x", digest[i]);
+
+/* Send the response, in base 64, and check the result. The response is
+in big_buffer, but b64encode() returns its result in working store,
+so calling smtp_write_command(), which uses big_buffer, is OK. */
+
+buffer[0] = 0;
+if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", b64encode(CUS big_buffer,
+  p - big_buffer)) < 0) return FAIL_SEND;
+
+return smtp_read_response(sx, US buffer, buffsize, '2', timeout)
+  ? OK : FAIL;
+}
+#endif  /* STAND_ALONE */
+
+
+/*************************************************
+**************************************************
+*             Stand-alone test program           *
+**************************************************
+*************************************************/
+
+#ifdef STAND_ALONE
+
+int main(int argc, char **argv)
+{
+int i;
+uschar *secret = US argv[1];
+uschar *challenge = US argv[2];
+uschar digest[16];
+
+compute_cram_md5(secret, challenge, digest);
+
+for (i = 0; i < 16; i++) printf("%02x", digest[i]);
+printf("\n");
+
+return 0;
+}
+
+#endif
+
+#endif	/*!MACRO_PREDEF*/
+/* End of cram_md5.c */
diff --git a/src/auths/cram_md5.h b/src/auths/cram_md5.h
new file mode 100644
index 0000000..95644db
--- /dev/null
+++ b/src/auths/cram_md5.h
@@ -0,0 +1,31 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Private structure for the private options. */
+
+typedef struct {
+  uschar *server_secret;
+  uschar *client_secret;
+  uschar *client_name;
+} auth_cram_md5_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist auth_cram_md5_options[];
+extern int auth_cram_md5_options_count;
+
+/* Block containing default values. */
+
+extern auth_cram_md5_options_block auth_cram_md5_option_defaults;
+
+/* The entry points for the mechanism */
+
+extern void auth_cram_md5_init(auth_instance *);
+extern int auth_cram_md5_server(auth_instance *, uschar *);
+extern int auth_cram_md5_client(auth_instance *, void *, int, uschar *, int);
+
+/* End of cram_md5.h */
diff --git a/src/auths/cyrus_sasl.c b/src/auths/cyrus_sasl.c
new file mode 100644
index 0000000..c8e2da5
--- /dev/null
+++ b/src/auths/cyrus_sasl.c
@@ -0,0 +1,513 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This code was originally contributed by Matthew Byng-Maddick */
+
+/* Copyright (c) A L Digital 2004 */
+
+/* A generic (mechanism independent) Cyrus SASL authenticator. */
+
+
+#include "../exim.h"
+
+
+/* We can't just compile this code and allow the library mechanism to omit the
+functions if they are not wanted, because we need to have the Cyrus SASL header
+available for compiling. Therefore, compile these functions only if
+AUTH_CYRUS_SASL is defined. However, some compilers don't like compiling empty
+modules, so keep them happy with a dummy when skipping the rest. Make it
+reference itself to stop picky compilers complaining that it is unused, and put
+in a dummy argument to stop even pickier compilers complaining about infinite
+loops. */
+
+#ifndef AUTH_CYRUS_SASL
+static void dummy(int x);
+static void dummy2(int x) { dummy(x-1); }
+static void dummy(int x) { dummy2(x-1); }
+#else
+
+
+#include <sasl/sasl.h>
+#include "cyrus_sasl.h"
+
+/* Options specific to the cyrus_sasl authentication mechanism. */
+
+optionlist auth_cyrus_sasl_options[] = {
+  { "server_hostname",      opt_stringptr,
+      OPT_OFF(auth_cyrus_sasl_options_block, server_hostname) },
+  { "server_mech",          opt_stringptr,
+      OPT_OFF(auth_cyrus_sasl_options_block, server_mech) },
+  { "server_realm",         opt_stringptr,
+      OPT_OFF(auth_cyrus_sasl_options_block, server_realm) },
+  { "server_service",       opt_stringptr,
+      OPT_OFF(auth_cyrus_sasl_options_block, server_service) }
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int auth_cyrus_sasl_options_count =
+  sizeof(auth_cyrus_sasl_options)/sizeof(optionlist);
+
+/* Default private options block for the cyrus_sasl authentication method. */
+
+auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults = {
+  US"smtp",         /* server_service */
+  US"$primary_hostname", /* server_hostname */
+  NULL,             /* server_realm */
+  NULL              /* server_mech */
+};
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+void auth_cyrus_sasl_init(auth_instance *ablock) {}
+int auth_cyrus_sasl_server(auth_instance *ablock, uschar *data) {return 0;}
+int auth_cyrus_sasl_client(auth_instance *ablock, void * sx,
+  int timeout, uschar *buffer, int buffsize) {return 0;}
+gstring * auth_cyrus_sasl_version_report(gstring * g) {return NULL;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up. */
+
+
+/* Auxiliary function, passed in data to sasl_server_init(). */
+
+static int
+mysasl_config(void *context, const char *plugin_name, const char *option,
+      const char **result, unsigned int *len)
+{
+if (context && !strcmp(option, "mech_list"))
+  {
+  *result = context;
+  if (len) *len = strlen(*result);
+  return SASL_OK;
+  }
+return SASL_FAIL;
+}
+
+/* Here's the real function */
+
+void
+auth_cyrus_sasl_init(auth_instance *ablock)
+{
+auth_cyrus_sasl_options_block *ob =
+  (auth_cyrus_sasl_options_block *)(ablock->options_block);
+const uschar *list, *listptr, *buffer;
+int rc, i;
+unsigned int len;
+rmark rs_point;
+uschar *expanded_hostname;
+char *realm_expanded;
+
+sasl_conn_t *conn;
+sasl_callback_t cbs[] = {
+  {SASL_CB_GETOPT, NULL, NULL },
+  {SASL_CB_LIST_END, NULL, NULL}};
+
+/* default the mechanism to our "public name" */
+
+if (!ob->server_mech) ob->server_mech = string_copy(ablock->public_name);
+
+if (!(expanded_hostname = expand_string(ob->server_hostname)))
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
+      "couldn't expand server_hostname [%s]: %s",
+      ablock->name, ob->server_hostname, expand_string_message);
+
+realm_expanded = NULL;
+if (  ob->server_realm
+   && !(realm_expanded = CS expand_string(ob->server_realm)))
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
+      "couldn't expand server_realm [%s]: %s",
+      ablock->name, ob->server_realm, expand_string_message);
+
+/* we're going to initialise the library to check that there is an
+authenticator of type whatever mechanism we're using */
+
+cbs[0].proc = (int(*)(void)) &mysasl_config;
+cbs[0].context = ob->server_mech;
+
+if ((rc = sasl_server_init(cbs, "exim")) != SASL_OK)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
+      "couldn't initialise Cyrus SASL library.", ablock->name);
+
+if ((rc = sasl_server_new(CS ob->server_service, CS expanded_hostname,
+                   realm_expanded, NULL, NULL, NULL, 0, &conn)) != SASL_OK)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
+      "couldn't initialise Cyrus SASL server connection.", ablock->name);
+
+if ((rc = sasl_listmech(conn, NULL, "", ":", "", CCSS &list, &len, &i)) != SASL_OK)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
+      "couldn't get Cyrus SASL mechanism list.", ablock->name);
+
+i = ':';
+listptr = list;
+
+HDEBUG(D_auth)
+  {
+  debug_printf("Initialised Cyrus SASL service=\"%s\" fqdn=\"%s\" realm=\"%s\"\n",
+      ob->server_service, expanded_hostname, realm_expanded);
+  debug_printf("Cyrus SASL knows mechanisms: %s\n", list);
+  }
+
+/* the store_get / store_reset mechanism is hierarchical
+ the hierarchy is stored for us behind our back. This point
+ creates a hierarchy point for this function.  */
+
+rs_point = store_mark();
+
+/* loop until either we get to the end of the list, or we match the
+public name of this authenticator */
+
+while (  (buffer = string_nextinlist(&listptr, &i, NULL, 0))
+      && strcmpic(buffer,ob->server_mech) );
+
+if (!buffer)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
+      "Cyrus SASL doesn't know about mechanism %s.", ablock->name, ob->server_mech);
+
+store_reset(rs_point);
+
+HDEBUG(D_auth) debug_printf("Cyrus SASL driver %s: %s initialised\n", ablock->name, ablock->public_name);
+
+/* make sure that if we get here then we're allowed to advertise. */
+ablock->server = TRUE;
+
+sasl_dispose(&conn);
+sasl_done();
+}
+
+/*************************************************
+*             Server entry point                 *
+*************************************************/
+
+/* For interface, see auths/README */
+
+/* note, we don't care too much about memory allocation in this, because this is entirely
+within a shortlived child */
+
+int
+auth_cyrus_sasl_server(auth_instance *ablock, uschar *data)
+{
+auth_cyrus_sasl_options_block *ob =
+  (auth_cyrus_sasl_options_block *)(ablock->options_block);
+uschar *output, *out2, *input, *clear, *hname;
+uschar *debug = NULL;   /* Stops compiler complaining */
+sasl_callback_t cbs[] = {{SASL_CB_LIST_END, NULL, NULL}};
+sasl_conn_t *conn;
+char * realm_expanded = NULL;
+int rc, firsttime = 1, clen, *negotiated_ssf_ptr = NULL, negotiated_ssf;
+unsigned int inlen, outlen;
+
+input = data;
+inlen = Ustrlen(data);
+
+HDEBUG(D_auth) debug = string_copy(data);
+
+hname = expand_string(ob->server_hostname);
+if (hname && ob->server_realm)
+  realm_expanded = CS expand_string(ob->server_realm);
+if (!hname  ||  !realm_expanded  && ob->server_realm)
+  {
+  auth_defer_msg = expand_string_message;
+  return DEFER;
+  }
+
+if (inlen)
+  {
+  if ((clen = b64decode(input, &clear)) < 0)
+    return BAD64;
+  input = clear;
+  inlen = clen;
+  }
+
+if ((rc = sasl_server_init(cbs, "exim")) != SASL_OK)
+  {
+  auth_defer_msg = US"couldn't initialise Cyrus SASL library";
+  return DEFER;
+  }
+
+rc = sasl_server_new(CS ob->server_service, CS hname, realm_expanded, NULL,
+  NULL, NULL, 0, &conn);
+
+HDEBUG(D_auth)
+  debug_printf("Initialised Cyrus SASL server connection; service=\"%s\" fqdn=\"%s\" realm=\"%s\"\n",
+      ob->server_service, hname, realm_expanded);
+
+if (rc != SASL_OK )
+  {
+  auth_defer_msg = US"couldn't initialise Cyrus SASL connection";
+  sasl_done();
+  return DEFER;
+  }
+
+if (tls_in.cipher)
+  {
+  if ((rc = sasl_setprop(conn, SASL_SSF_EXTERNAL, (sasl_ssf_t *) &tls_in.bits)) != SASL_OK)
+    {
+    HDEBUG(D_auth) debug_printf("Cyrus SASL EXTERNAL SSF set %d failed: %s\n",
+        tls_in.bits, sasl_errstring(rc, NULL, NULL));
+    auth_defer_msg = US"couldn't set Cyrus SASL EXTERNAL SSF";
+    sasl_done();
+    return DEFER;
+    }
+  else
+    HDEBUG(D_auth) debug_printf("Cyrus SASL set EXTERNAL SSF to %d\n", tls_in.bits);
+
+  /*XXX Set channel-binding here with sasl_channel_binding_t / SASL_CHANNEL_BINDING
+  Unclear what the "name" element does though, ditto the "critical" flag. */
+  }
+else
+  HDEBUG(D_auth) debug_printf("Cyrus SASL: no TLS, no EXTERNAL SSF set\n");
+
+/* So sasl_setprop() documents non-shorted IPv6 addresses which is incredibly
+annoying; looking at cyrus-imapd-2.3.x source, the IP address is constructed
+with their iptostring() function, which just wraps
+getnameinfo(..., NI_NUMERICHOST|NI_NUMERICSERV), which is equivalent to the
+inet_ntop which we wrap in our host_ntoa() function.
+
+So the docs are too strict and we shouldn't worry about :: contractions. */
+
+/* Set properties for remote and local host-ip;port */
+for (int i = 0; i < 2; ++i)
+  {
+  int propnum;
+  const uschar * label;
+  uschar * address_port;
+  const char *s_err;
+
+  if (i)
+    {
+    propnum = SASL_IPREMOTEPORT;
+    label = CUS"peer";
+    address_port = string_sprintf("%s;%d",
+				  sender_host_address, sender_host_port);
+    }
+  else
+    {
+    propnum = SASL_IPLOCALPORT;
+    label = CUS"local";
+    address_port = string_sprintf("%s;%d", interface_address, interface_port);
+    }
+
+  if ((rc = sasl_setprop(conn, propnum, address_port)) != SASL_OK)
+    {
+    HDEBUG(D_auth)
+      {
+      s_err = sasl_errdetail(conn);
+      debug_printf("Failed to set %s SASL property: [%d] %s\n",
+          label, rc, s_err ? s_err : "<unknown reason>");
+      }
+    break;
+    }
+  HDEBUG(D_auth) debug_printf("Cyrus SASL set %s hostport to: %s\n",
+      label, address_port);
+  }
+
+for (rc = SASL_CONTINUE; rc == SASL_CONTINUE; )
+  {
+  if (firsttime)
+    {
+    firsttime = 0;
+    HDEBUG(D_auth) debug_printf("Calling sasl_server_start(%s,\"%s\")\n", ob->server_mech, debug);
+    rc = sasl_server_start(conn, CS ob->server_mech, inlen ? CS input : NULL, inlen,
+           CCSS &output, &outlen);
+    }
+  else
+    {
+    /* auth_get_data() takes a length-specfied block of binary
+    which can include zeroes; no terminating NUL is needed */
+
+    if ((rc = auth_get_data(&input, output, outlen)) != OK)
+      {
+      /* we couldn't get the data, so free up the library before
+      returning whatever error we get */
+      sasl_dispose(&conn);
+      sasl_done();
+      return rc;
+      }
+    inlen = Ustrlen(input);
+
+    HDEBUG(D_auth) debug = string_copy(input);
+    if (inlen)
+      {
+      if ((clen = b64decode(input, &clear)) < 0)
+       {
+       sasl_dispose(&conn);
+       sasl_done();
+       return BAD64;
+       }
+      input = clear;
+      inlen = clen;
+      }
+
+    HDEBUG(D_auth) debug_printf("Calling sasl_server_step(\"%s\")\n", debug);
+    rc = sasl_server_step(conn, CS input, inlen, CCSS &output, &outlen);
+    }
+
+  if (rc == SASL_BADPROT)
+    {
+    sasl_dispose(&conn);
+    sasl_done();
+    return UNEXPECTED;
+    }
+  if (rc == SASL_CONTINUE)
+    continue;
+
+  /* Get the username and copy it into $auth1 and $1. The former is now the
+  preferred variable; the latter is the original variable. */
+
+  if ((sasl_getprop(conn, SASL_USERNAME, (const void **)&out2)) != SASL_OK)
+    {
+    HDEBUG(D_auth)
+      debug_printf("Cyrus SASL library will not tell us the username: %s\n",
+	  sasl_errstring(rc, NULL, NULL));
+    log_write(0, LOG_REJECT, "%s authenticator (%s): "
+       "Cyrus SASL username fetch problem: %s", ablock->name, ob->server_mech,
+       sasl_errstring(rc, NULL, NULL));
+    sasl_dispose(&conn);
+    sasl_done();
+    return FAIL;
+    }
+  auth_vars[0] = expand_nstring[1] = string_copy(out2);
+  expand_nlength[1] = Ustrlen(out2);
+  expand_nmax = 1;
+
+  switch (rc)
+    {
+    case SASL_FAIL: case SASL_BUFOVER: case SASL_BADMAC: case SASL_BADAUTH:
+    case SASL_NOAUTHZ: case SASL_ENCRYPT: case SASL_EXPIRED:
+    case SASL_DISABLED: case SASL_NOUSER:
+      /* these are considered permanent failure codes */
+      HDEBUG(D_auth)
+	debug_printf("Cyrus SASL permanent failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
+      log_write(0, LOG_REJECT, "%s authenticator (%s): "
+	 "Cyrus SASL permanent failure: %s", ablock->name, ob->server_mech,
+	 sasl_errstring(rc, NULL, NULL));
+      sasl_dispose(&conn);
+      sasl_done();
+      return FAIL;
+
+    case SASL_NOMECH:
+      /* this is a temporary failure, because the mechanism is not
+      available for this user. If it wasn't available at all, we
+      shouldn't have got here in the first place...  */
+
+      HDEBUG(D_auth)
+	debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
+      auth_defer_msg =
+	  string_sprintf("Cyrus SASL: mechanism %s not available", ob->server_mech);
+      sasl_dispose(&conn);
+      sasl_done();
+      return DEFER;
+
+    case SASL_OK:
+      HDEBUG(D_auth)
+	debug_printf("Cyrus SASL %s authentication succeeded for %s\n",
+	    ob->server_mech, auth_vars[0]);
+
+      if ((rc = sasl_getprop(conn, SASL_SSF, (const void **)(&negotiated_ssf_ptr)))!= SASL_OK)
+	{
+	HDEBUG(D_auth)
+	  debug_printf("Cyrus SASL library will not tell us the SSF: %s\n",
+	      sasl_errstring(rc, NULL, NULL));
+	log_write(0, LOG_REJECT, "%s authenticator (%s): "
+	    "Cyrus SASL SSF value not available: %s", ablock->name, ob->server_mech,
+	    sasl_errstring(rc, NULL, NULL));
+	sasl_dispose(&conn);
+	sasl_done();
+	return FAIL;
+	}
+      negotiated_ssf = *negotiated_ssf_ptr;
+      HDEBUG(D_auth)
+	debug_printf("Cyrus SASL %s negotiated SSF: %d\n", ob->server_mech, negotiated_ssf);
+      if (negotiated_ssf > 0)
+	{
+	HDEBUG(D_auth)
+	  debug_printf("Exim does not implement SASL wrapping (needed for SSF %d).\n", negotiated_ssf);
+	log_write(0, LOG_REJECT, "%s authenticator (%s): "
+	    "Cyrus SASL SSF %d not supported by Exim", ablock->name, ob->server_mech, negotiated_ssf);
+	sasl_dispose(&conn);
+	sasl_done();
+	return FAIL;
+	}
+
+      /* close down the connection, freeing up library's memory */
+      sasl_dispose(&conn);
+      sasl_done();
+
+      /* Expand server_condition as an authorization check */
+      return auth_check_serv_cond(ablock);
+
+    default:
+      /* Anything else is a temporary failure, and we'll let SASL print out
+       * the error string for us
+       */
+      HDEBUG(D_auth)
+	debug_printf("Cyrus SASL temporary failure %d (%s)\n", rc, sasl_errstring(rc, NULL, NULL));
+      auth_defer_msg =
+	  string_sprintf("Cyrus SASL: %s", sasl_errstring(rc, NULL, NULL));
+      sasl_dispose(&conn);
+      sasl_done();
+      return DEFER;
+    }
+  }
+/* NOTREACHED */
+return 0;  /* Stop compiler complaints */
+}
+
+/*************************************************
+*                Diagnostic API                  *
+*************************************************/
+
+gstring *
+auth_cyrus_sasl_version_report(gstring * g)
+{
+const char * implementation, * version;
+sasl_version_info(&implementation, &version, NULL, NULL, NULL, NULL);
+g = string_fmt_append(g,
+	"Library version: Cyrus SASL: Compile: %d.%d.%d\n"
+	"                             Runtime: %s [%s]\n",
+	SASL_VERSION_MAJOR, SASL_VERSION_MINOR, SASL_VERSION_STEP,
+	version, implementation);
+return g;
+}
+
+/*************************************************
+*              Client entry point                *
+*************************************************/
+
+/* For interface, see auths/README */
+
+int
+auth_cyrus_sasl_client(
+  auth_instance *ablock,                 /* authenticator block */
+  void * sx,			 	 /* connexction */
+  int timeout,                           /* command timeout */
+  uschar *buffer,                        /* for reading response */
+  int buffsize)                          /* size of buffer */
+{
+/* We don't support clients (yet) in this implementation of cyrus_sasl */
+return FAIL;
+}
+
+#endif   /*!MACRO_PREDEF*/
+#endif  /* AUTH_CYRUS_SASL */
+
+/* End of cyrus_sasl.c */
diff --git a/src/auths/cyrus_sasl.h b/src/auths/cyrus_sasl.h
new file mode 100644
index 0000000..6cf8834
--- /dev/null
+++ b/src/auths/cyrus_sasl.h
@@ -0,0 +1,36 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Copyright (c) A L Digital Ltd 2004 */
+
+/* Private structure for the private options. */
+
+typedef struct {
+  uschar *server_service;
+  uschar *server_hostname;
+  uschar *server_realm;
+  uschar *server_mech;
+} auth_cyrus_sasl_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist auth_cyrus_sasl_options[];
+extern int auth_cyrus_sasl_options_count;
+
+/* Block containing default values. */
+
+extern auth_cyrus_sasl_options_block auth_cyrus_sasl_option_defaults;
+
+/* The entry points for the mechanism */
+
+extern void auth_cyrus_sasl_init(auth_instance *);
+extern int auth_cyrus_sasl_server(auth_instance *, uschar *);
+extern int auth_cyrus_sasl_client(auth_instance *, void *, int, uschar *, int);
+extern gstring * auth_cyrus_sasl_version_report(gstring *);
+
+/* End of cyrus_sasl.h */
diff --git a/src/auths/dovecot.c b/src/auths/dovecot.c
new file mode 100644
index 0000000..5d77133
--- /dev/null
+++ b/src/auths/dovecot.c
@@ -0,0 +1,530 @@
+/*
+ * Copyright (c) The Exim Maintainers 2006 - 2022
+ * Copyright (c) 2004 Andrey Panin <pazke@donpac.ru>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published
+ * by the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+/* A number of modifications have been made to the original code. Originally I
+commented them specially, but now they are getting quite extensive, so I have
+ceased doing that. The biggest change is to use unbuffered I/O on the socket
+because using C buffered I/O gives problems on some operating systems. PH */
+
+/* Protocol specifications:
+ * Dovecot 1, protocol version 1.1
+ *   http://wiki.dovecot.org/Authentication%20Protocol
+ *
+ * Dovecot 2, protocol version 1.1
+ *   http://wiki2.dovecot.org/Design/AuthProtocol
+ */
+
+#include "../exim.h"
+#include "dovecot.h"
+
+#define VERSION_MAJOR  1
+#define VERSION_MINOR  0
+
+/* http://wiki.dovecot.org/Authentication%20Protocol
+"The maximum line length isn't defined,
+ but it's currently expected to fit into 8192 bytes"
+*/
+#define DOVECOT_AUTH_MAXLINELEN 8192
+
+/* This was hard-coded as 8.
+AUTH req C->S sends {"AUTH", id, mechanism, service } + params, 5 defined for
+Dovecot 1; Dovecot 2 (same protocol version) defines 9.
+
+Master->Server sends {"USER", id, userid} + params, 6 defined.
+Server->Client only gives {"OK", id} + params, unspecified, only 1 guaranteed.
+
+We only define here to accept S->C; max seen is 3+<unspecified>, plus the two
+for the command and id, where unspecified might include _at least_ user=...
+
+So: allow for more fields than we ever expect to see, while aware that count
+can go up without changing protocol version.
+The cost is the length of an array of pointers on the stack.
+*/
+#define DOVECOT_AUTH_MAXFIELDCOUNT 16
+
+/* Options specific to the authentication mechanism. */
+optionlist auth_dovecot_options[] = {
+  { "server_socket", opt_stringptr, OPT_OFF(auth_dovecot_options_block, server_socket) },
+/*{ "server_tls", opt_bool, OPT_OFF(auth_dovecot_options_block, server_tls) },*/
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int auth_dovecot_options_count = nelem(auth_dovecot_options);
+
+/* Default private options block for the authentication method. */
+
+auth_dovecot_options_block auth_dovecot_option_defaults = {
+	.server_socket = NULL,
+/*	.server_tls =	FALSE,*/
+};
+
+
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+void auth_dovecot_init(auth_instance *ablock) {}
+int auth_dovecot_server(auth_instance *ablock, uschar *data) {return 0;}
+int auth_dovecot_client(auth_instance *ablock, void * sx,
+  int timeout, uschar *buffer, int buffsize) {return 0;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+/* Static variables for reading from the socket */
+
+static uschar sbuffer[256];
+static int socket_buffer_left;
+
+
+
+/*************************************************
+ *          Initialization entry point           *
+ *************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up. */
+
+void auth_dovecot_init(auth_instance *ablock)
+{
+auth_dovecot_options_block *ob =
+       (auth_dovecot_options_block *)(ablock->options_block);
+
+if (!ablock->public_name) ablock->public_name = ablock->name;
+if (ob->server_socket) ablock->server = TRUE;
+ablock->client = FALSE;
+}
+
+/*************************************************
+ *    "strcut" to split apart server lines       *
+ *************************************************/
+
+/* Dovecot auth protocol uses TAB \t as delimiter; a line consists
+of a command-name, TAB, and then any parameters, each separated by a TAB.
+A parameter can be param=value or a bool, just param.
+
+This function modifies the original str in-place, inserting NUL characters.
+It initialises ptrs entries, setting all to NULL and only setting
+non-NULL N entries, where N is the return value, the number of fields seen
+(one more than the number of tabs).
+
+Note that the return value will always be at least 1, is the count of
+actual fields (so last valid offset into ptrs is one less).
+*/
+
+static int
+strcut(uschar *str, uschar **ptrs, int nptrs)
+{
+uschar *last_sub_start = str;
+int n;
+
+for (n = 0; n < nptrs; n++)
+  ptrs[n] = NULL;
+n = 1;
+
+while (*str)
+  if (*str++ == '\t')
+    if (n++ <= nptrs)
+      {
+      *ptrs++ = last_sub_start;
+      last_sub_start = str;
+      str[-1] = '\0';
+      }
+
+/* It's acceptable for the string to end with a tab character.  We see
+this in AUTH PLAIN without an initial response from the client, which
+causing us to send "334 " and get the data from the client. */
+if (n <= nptrs)
+  *ptrs = last_sub_start;
+else
+  {
+  HDEBUG(D_auth)
+    debug_printf("dovecot: warning: too many results from tab-splitting;"
+		  " saw %d fields, room for %d\n", n, nptrs);
+  n = nptrs;
+  }
+
+return n <= nptrs ? n : nptrs;
+}
+
+static void debug_strcut(uschar **ptrs, int nlen, int alen) ARG_UNUSED;
+static void
+debug_strcut(uschar **ptrs, int nlen, int alen)
+{
+int i;
+debug_printf("%d read but unreturned bytes; strcut() gave %d results: ",
+		socket_buffer_left, nlen);
+for (i = 0; i < nlen; i++)
+  debug_printf(" {%s}", ptrs[i]);
+if (nlen < alen)
+  debug_printf(" last is %s\n", ptrs[i] ? ptrs[i] : US"<null>");
+else
+  debug_printf(" (max for capacity)\n");
+}
+
+#define CHECK_COMMAND(str, arg_min, arg_max) do { \
+       if (strcmpic(US(str), args[0]) != 0) \
+               goto out; \
+       if (nargs - 1 < (arg_min)) \
+               goto out; \
+       if ( (arg_max != -1) && (nargs - 1 > (arg_max)) ) \
+               goto out; \
+} while (0)
+
+#define OUT(msg) do { \
+       auth_defer_msg = (US msg); \
+       goto out; \
+} while(0)
+
+
+
+/*************************************************
+*      "fgets" to read directly from socket      *
+*************************************************/
+
+/* Added by PH after a suggestion by Steve Usher because the previous use of
+C-style buffered I/O gave trouble. */
+
+static uschar *
+dc_gets(uschar *s, int n, client_conn_ctx * cctx)
+{
+int p = 0;
+int count = 0;
+
+for (;;)
+  {
+  if (socket_buffer_left == 0)
+    {
+    if ((socket_buffer_left =
+#ifndef DISABLE_TLS
+	cctx->tls_ctx ? tls_read(cctx->tls_ctx, sbuffer, sizeof(sbuffer)) :
+#endif
+	read(cctx->sock, sbuffer, sizeof(sbuffer))) <= 0)
+      if (count == 0)
+	return NULL;
+      else
+	break;
+    p = 0;
+    }
+
+  while (p < socket_buffer_left)
+    {
+    if (count >= n - 1) break;
+    s[count++] = sbuffer[p];
+    if (sbuffer[p++] == '\n') break;
+    }
+
+  memmove(sbuffer, sbuffer + p, socket_buffer_left - p);
+  socket_buffer_left -= p;
+
+  if (s[count-1] == '\n' || count >= n - 1) break;
+  }
+
+s[count] = '\0';
+return s;
+}
+
+
+
+
+/*************************************************
+*              Server entry point                *
+*************************************************/
+
+int
+auth_dovecot_server(auth_instance * ablock, uschar * data)
+{
+auth_dovecot_options_block *ob =
+       (auth_dovecot_options_block *) ablock->options_block;
+uschar buffer[DOVECOT_AUTH_MAXLINELEN];
+uschar *args[DOVECOT_AUTH_MAXFIELDCOUNT];
+uschar *auth_command;
+uschar *auth_extra_data = US"";
+uschar *p;
+int nargs, tmp;
+int crequid = 1, ret = DEFER;
+host_item host;
+client_conn_ctx cctx = {.sock = -1, .tls_ctx = NULL};
+BOOL found = FALSE, have_mech_line = FALSE;
+
+HDEBUG(D_auth) debug_printf("dovecot authentication\n");
+
+if (!data)
+  {
+  ret = FAIL;
+  goto out;
+  }
+
+/*XXX timeout? */
+cctx.sock = ip_streamsocket(ob->server_socket, &auth_defer_msg, 5, &host);
+if (cctx.sock < 0)
+ goto out;
+
+#ifdef notdef
+# ifndef DISABLE_TLS
+if (ob->server_tls)
+  {
+  union sockaddr_46 interface_sock;
+  EXIM_SOCKLEN_T size = sizeof(interface_sock);
+  smtp_connect_args conn_args = { .host = &host };
+  tls_support tls_dummy = { .sni = NULL };
+  uschar * errstr;
+
+  if (getsockname(cctx->sock, (struct sockaddr *) &interface_sock, &size) == 0)
+    conn_args.sending_ip_address = host_ntoa(-1, &interface_sock, NULL, NULL);
+  else
+    {
+    *errmsg = string_sprintf("getsockname failed: %s", strerror(errno));
+    goto bad;
+    }
+
+  if (!tls_client_start(&cctx, &conn_args, NULL, &tls_dummy, &errstr))
+    {
+    auth_defer_msg = string_sprintf("TLS connect failed: %s", errstr);
+    goto out;
+    }
+  }
+# endif
+#endif
+
+auth_defer_msg = US"authentication socket protocol error";
+
+socket_buffer_left = 0;  /* Global, used to read more than a line but return by line */
+for (;;)
+  {
+debug_printf("%s %d\n", __FUNCTION__, __LINE__);
+  if (!dc_gets(buffer, sizeof(buffer), &cctx))
+    OUT("authentication socket read error or premature eof");
+debug_printf("%s %d\n", __FUNCTION__, __LINE__);
+  p = buffer + Ustrlen(buffer) - 1;
+  if (*p != '\n')
+    OUT("authentication socket protocol line too long");
+
+  *p = '\0';
+  HDEBUG(D_auth) debug_printf("received: '%s'\n", buffer);
+
+  nargs = strcut(buffer, args, nelem(args));
+
+  HDEBUG(D_auth) debug_strcut(args, nargs, nelem(args));
+
+  /* Code below rewritten by Kirill Miazine (km@krot.org). Only check commands that
+    Exim will need. Original code also failed if Dovecot server sent unknown
+    command. E.g. COOKIE in version 1.1 of the protocol would cause troubles. */
+  /* pdp: note that CUID is a per-connection identifier sent by the server,
+    which increments at server discretion.
+    By contrast, the "id" field of the protocol is a connection-specific request
+    identifier, which needs to be unique per request from the client and is not
+    connected to the CUID value, so we ignore CUID from server.  It's purely for
+    diagnostics. */
+
+  if (Ustrcmp(args[0], US"VERSION") == 0)
+    {
+    CHECK_COMMAND("VERSION", 2, 2);
+    if (Uatoi(args[1]) != VERSION_MAJOR)
+      OUT("authentication socket protocol version mismatch");
+    }
+  else if (Ustrcmp(args[0], US"MECH") == 0)
+    {
+    CHECK_COMMAND("MECH", 1, INT_MAX);
+    have_mech_line = TRUE;
+    if (strcmpic(US args[1], ablock->public_name) == 0)
+      found = TRUE;
+    }
+  else if (Ustrcmp(args[0], US"SPID") == 0)
+    {
+    /* Unfortunately the auth protocol handshake wasn't designed well
+    to differentiate between auth-client/userdb/master. auth-userdb
+    and auth-master send VERSION + SPID lines only and nothing
+    afterwards, while auth-client sends VERSION + MECH + SPID +
+    CUID + more. The simplest way that we can determine if we've
+    connected to the correct socket is to see if MECH line exists or
+    not (alternatively we'd have to have a small timeout after SPID
+    to see if CUID is sent or not). */
+
+    if (!have_mech_line)
+      OUT("authentication socket type mismatch"
+	" (connected to auth-master instead of auth-client)");
+    }
+  else if (Ustrcmp(args[0], US"DONE") == 0)
+    {
+    CHECK_COMMAND("DONE", 0, 0);
+    break;
+    }
+  }
+
+if (!found)
+  {
+  auth_defer_msg = string_sprintf(
+    "Dovecot did not advertise mechanism \"%s\" to us", ablock->public_name);
+  goto out;
+  }
+
+/* Added by PH: data must not contain tab (as it is
+b64 it shouldn't, but check for safety). */
+
+if (Ustrchr(data, '\t') != NULL)
+  {
+  ret = FAIL;
+  goto out;
+  }
+
+/* Added by PH: extra fields when TLS is in use or if the TCP/IP
+connection is local. */
+
+if (tls_in.cipher)
+  auth_extra_data = string_sprintf("secured\t%s%s",
+     tls_in.certificate_verified ? "valid-client-cert" : "",
+     tls_in.certificate_verified ? "\t" : "");
+
+else if (  interface_address
+        && Ustrcmp(sender_host_address, interface_address) == 0)
+  auth_extra_data = US"secured\t";
+
+
+/****************************************************************************
+The code below was the original code here. It didn't work. A reading of the
+file auth-protocol.txt.gz that came with Dovecot 1.0_beta8 indicated that
+this was not right. Maybe something changed. I changed it to move the
+service indication into the AUTH command, and it seems to be better. PH
+
+fprintf(f, "VERSION\t%d\t%d\r\nSERVICE\tSMTP\r\nCPID\t%d\r\n"
+       "AUTH\t%d\t%s\trip=%s\tlip=%s\tresp=%s\r\n",
+       VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
+       ablock->public_name, sender_host_address, interface_address,
+       data ? CS  data : "");
+
+Subsequently, the command was modified to add "secured" and "valid-client-
+cert" when relevant.
+****************************************************************************/
+
+auth_command = string_sprintf("VERSION\t%d\t%d\nCPID\t%d\n"
+       "AUTH\t%d\t%s\tservice=smtp\t%srip=%s\tlip=%s\tnologin\tresp=%s\n",
+       VERSION_MAJOR, VERSION_MINOR, getpid(), crequid,
+       ablock->public_name, auth_extra_data, sender_host_address,
+       interface_address, data);
+
+if ((
+#ifndef DISABLE_TLS
+    cctx.tls_ctx ? tls_write(cctx.tls_ctx, auth_command, Ustrlen(auth_command), FALSE) :
+#endif
+    write(cctx.sock, auth_command, Ustrlen(auth_command))) < 0)
+  HDEBUG(D_auth) debug_printf("error sending auth_command: %s\n",
+    strerror(errno));
+
+HDEBUG(D_auth) debug_printf("sent: '%s'\n", auth_command);
+
+while (1)
+  {
+  uschar *temp;
+  uschar *auth_id_pre = NULL;
+
+  if (!dc_gets(buffer, sizeof(buffer), &cctx))
+    {
+    auth_defer_msg = US"authentication socket read error or premature eof";
+    goto out;
+    }
+
+  buffer[Ustrlen(buffer) - 1] = 0;
+  HDEBUG(D_auth) debug_printf("received: '%s'\n", buffer);
+  nargs = strcut(buffer, args, nelem(args));
+  HDEBUG(D_auth) debug_strcut(args, nargs, nelem(args));
+
+  if (Uatoi(args[1]) != crequid)
+    OUT("authentication socket connection id mismatch");
+
+  switch (toupper(*args[0]))
+    {
+    case 'C':
+      CHECK_COMMAND("CONT", 1, 2);
+
+      if ((tmp = auth_get_no64_data(&data, US args[2])) != OK)
+	{
+	ret = tmp;
+	goto out;
+	}
+
+      /* Added by PH: data must not contain tab (as it is
+      b64 it shouldn't, but check for safety). */
+
+      if (Ustrchr(data, '\t') != NULL)
+        {
+	ret = FAIL;
+	goto out;
+	}
+
+      temp = string_sprintf("CONT\t%d\t%s\n", crequid, data);
+      if ((
+#ifndef DISABLE_TLS
+	  cctx.tls_ctx ? tls_write(cctx.tls_ctx, temp, Ustrlen(temp), FALSE) :
+#endif
+	  write(cctx.sock, temp, Ustrlen(temp))) < 0)
+	OUT("authentication socket write error");
+      break;
+
+    case 'F':
+      CHECK_COMMAND("FAIL", 1, -1);
+
+      for (int i = 2; i < nargs && !auth_id_pre; i++)
+	if (Ustrncmp(args[i], US"user=", 5) == 0)
+	  {
+	  auth_id_pre = args[i] + 5;
+	  expand_nstring[1] = auth_vars[0] = string_copy(auth_id_pre); /* PH */
+	  expand_nlength[1] = Ustrlen(auth_id_pre);
+	  expand_nmax = 1;
+	  }
+      ret = FAIL;
+      goto out;
+
+    case 'O':
+      CHECK_COMMAND("OK", 2, -1);
+
+      /* Search for the "user=$USER" string in the args array
+      and return the proper value.  */
+
+      for (int i = 2; i < nargs && !auth_id_pre; i++)
+	if (Ustrncmp(args[i], US"user=", 5) == 0)
+	  {
+	  auth_id_pre = args[i] + 5;
+	  expand_nstring[1] = auth_vars[0] = string_copy(auth_id_pre); /* PH */
+	  expand_nlength[1] = Ustrlen(auth_id_pre);
+	  expand_nmax = 1;
+	  }
+
+      if (!auth_id_pre)
+        OUT("authentication socket protocol error, username missing");
+
+      auth_defer_msg = NULL;
+      ret = OK;
+      /* fallthrough */
+
+    default:
+      goto out;
+    }
+  }
+
+out:
+/* close the socket used by dovecot */
+#ifndef DISABLE_TLS
+if (cctx.tls_ctx)
+  tls_close(cctx.tls_ctx, TRUE);
+#endif
+if (cctx.sock >= 0)
+  close(cctx.sock);
+
+/* Expand server_condition as an authorization check */
+return ret == OK ? auth_check_serv_cond(ablock) : ret;
+}
+
+
+#endif   /*!MACRO_PREDEF*/
diff --git a/src/auths/dovecot.h b/src/auths/dovecot.h
new file mode 100644
index 0000000..bfe1f07
--- /dev/null
+++ b/src/auths/dovecot.h
@@ -0,0 +1,30 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) The Exim Maintainters 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Private structure for the private options. */
+
+typedef struct {
+  uschar *	server_socket;
+  BOOL		server_tls;
+} auth_dovecot_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist auth_dovecot_options[];
+extern int auth_dovecot_options_count;
+
+/* Block containing default values. */
+
+extern auth_dovecot_options_block auth_dovecot_option_defaults;
+
+/* The entry points for the mechanism */
+
+extern void auth_dovecot_init(auth_instance *);
+extern int auth_dovecot_server(auth_instance *, uschar *);
+
+/* End of dovecot.h */
diff --git a/src/auths/external.c b/src/auths/external.c
new file mode 100644
index 0000000..7e7fca8
--- /dev/null
+++ b/src/auths/external.c
@@ -0,0 +1,155 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Jeremy Harris 2019-2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This file provides an Exim authenticator driver for
+a server to verify a client SSL certificate, using the EXTERNAL
+method defined in RFC 4422 Appendix A.
+*/
+
+
+#include "../exim.h"
+#include "external.h"
+
+/* Options specific to the external authentication mechanism. */
+
+optionlist auth_external_options[] = {
+  { "client_send",	opt_stringptr, OPT_OFF(auth_external_options_block, client_send) },
+  { "server_param2",	opt_stringptr, OPT_OFF(auth_external_options_block, server_param2) },
+  { "server_param3",	opt_stringptr, OPT_OFF(auth_external_options_block, server_param3) },
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int auth_external_options_count = nelem(auth_external_options);
+
+/* Default private options block for the authentication method. */
+
+auth_external_options_block auth_external_option_defaults = {
+    .server_param2 = NULL,
+    .server_param3 = NULL,
+
+    .client_send = NULL,
+};
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+void auth_external_init(auth_instance *ablock) {}
+int auth_external_server(auth_instance *ablock, uschar *data) {return 0;}
+int auth_external_client(auth_instance *ablock, void * sx,
+  int timeout, uschar *buffer, int buffsize) {return 0;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up. */
+
+void
+auth_external_init(auth_instance *ablock)
+{
+auth_external_options_block * ob = (auth_external_options_block *)ablock->options_block;
+if (!ablock->public_name) ablock->public_name = ablock->name;
+if (ablock->server_condition) ablock->server = TRUE;
+if (ob->client_send) ablock->client = TRUE;
+}
+
+
+
+/*************************************************
+*             Server entry point                 *
+*************************************************/
+
+/* For interface, see auths/README */
+
+int
+auth_external_server(auth_instance * ablock, uschar * data)
+{
+auth_external_options_block * ob = (auth_external_options_block *)ablock->options_block;
+int rc;
+
+/* If data was supplied on the AUTH command, decode it, and split it up into
+multiple items at binary zeros. The strings are put into $auth1, $auth2, etc,
+up to a maximum. To retain backwards compatibility, they are also put int $1,
+$2, etc. If the data consists of the string "=" it indicates a single, empty
+string. */
+
+if (*data)
+  if ((rc = auth_read_input(data)) != OK)
+    return rc;
+
+/* Now go through the list of prompt strings. Skip over any whose data has
+already been provided as part of the AUTH command. For the rest, send them
+out as prompts, and get a data item back. If the data item is "*", abandon the
+authentication attempt. Otherwise, split it into items as above. */
+
+if (expand_nmax == 0) 	/* skip if rxd data */
+  if ((rc = auth_prompt(CUS"")) != OK)
+    return rc;
+
+if (ob->server_param2)
+  {
+  uschar * s = expand_string(ob->server_param2);
+  auth_vars[expand_nmax] = s;
+  expand_nstring[++expand_nmax] = s;
+  expand_nlength[expand_nmax] = Ustrlen(s);
+  if (ob->server_param3)
+    {
+    s = expand_string(ob->server_param3);
+    auth_vars[expand_nmax] = s;
+    expand_nstring[++expand_nmax] = s;
+    expand_nlength[expand_nmax] = Ustrlen(s);
+    }
+  }
+
+return auth_check_serv_cond(ablock);
+}
+
+
+
+/*************************************************
+*              Client entry point                *
+*************************************************/
+
+/* For interface, see auths/README */
+
+int
+auth_external_client(
+  auth_instance *ablock,                 /* authenticator block */
+  void * sx,				 /* smtp connextion */
+  int timeout,                           /* command timeout */
+  uschar *buffer,                        /* buffer for reading response */
+  int buffsize)                          /* size of buffer */
+{
+auth_external_options_block *ob =
+  (auth_external_options_block *)(ablock->options_block);
+const uschar * text = ob->client_send;
+int rc;
+
+/* We output an AUTH command with one expanded argument, the client_send option */
+
+if ((rc = auth_client_item(sx, ablock, &text, AUTH_ITEM_FIRST | AUTH_ITEM_LAST,
+      timeout, buffer, buffsize)) != OK)
+  return rc == DEFER ? FAIL : rc;
+
+if (text) auth_vars[0] = string_copy(text);
+return OK;
+}
+
+
+
+#endif   /*!MACRO_PREDEF*/
+/* End of external.c */
diff --git a/src/auths/external.h b/src/auths/external.h
new file mode 100644
index 0000000..7d43650
--- /dev/null
+++ b/src/auths/external.h
@@ -0,0 +1,32 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Jeremy Harris 2019 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Private structure for the private options. */
+
+typedef struct {
+  uschar * server_param2;
+  uschar * server_param3;
+
+  uschar * client_send;
+} auth_external_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist auth_external_options[];
+extern int auth_external_options_count;
+
+/* Block containing default values. */
+
+extern auth_external_options_block auth_external_option_defaults;
+
+/* The entry points for the mechanism */
+
+extern void auth_external_init(auth_instance *);
+extern int auth_external_server(auth_instance *, uschar *);
+extern int auth_external_client(auth_instance *, void *, int, uschar *, int);
+
+/* End of external.h */
diff --git a/src/auths/get_data.c b/src/auths/get_data.c
new file mode 100644
index 0000000..e0d79db
--- /dev/null
+++ b/src/auths/get_data.c
@@ -0,0 +1,259 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 - 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+
+
+/****************************************************************
+*	Decode and split the argument of an AUTH command	*
+****************************************************************/
+
+/* If data was supplied on the AUTH command, decode it, and split it up into
+multiple items at binary zeros. The strings are put into $auth1, $auth2, etc,
+up to a maximum. To retain backwards compatibility, they are also put int $1,
+$2, etc. If the data consists of the string "=" it indicates a single, empty
+string. */
+
+int
+auth_read_input(const uschar * data)
+{
+if (Ustrcmp(data, "=") == 0)
+  {
+  auth_vars[0] = expand_nstring[++expand_nmax] = US"";
+  expand_nlength[expand_nmax] = 0;
+  }
+else
+  {
+  uschar * clear, * end;
+  int len;
+
+  if ((len = b64decode(data, &clear)) < 0) return BAD64;
+  DEBUG(D_auth) debug_printf("auth input decode:");
+  for (end = clear + len; clear < end && expand_nmax < EXPAND_MAXN; )
+    {
+    DEBUG(D_auth) debug_printf(" '%s'", clear);
+    if (expand_nmax < AUTH_VARS) auth_vars[expand_nmax] = clear;
+    expand_nstring[++expand_nmax] = clear;
+    while (*clear != 0) clear++;
+    expand_nlength[expand_nmax] = clear++ - expand_nstring[expand_nmax];
+    }
+  DEBUG(D_auth) debug_printf("\n");
+  }
+return OK;
+}
+
+
+
+
+/*************************************************
+*      Issue a challenge and get a response      *
+*************************************************/
+
+/* This function is used by authentication drivers to b64-encode and
+output a challenge to the SMTP client, and read the response line.
+
+Arguments:
+   aptr       set to point to the response (which is in big_buffer)
+   challenge  the challenge data (unencoded, may be binary)
+   challen    the length of the challenge data, in bytes
+
+Returns:      OK on success
+              BAD64 if response too large for buffer
+              CANCELLED if response is "*"
+*/
+
+int
+auth_get_data(uschar ** aptr, const uschar * challenge, int challen)
+{
+int c;
+int p = 0;
+smtp_printf("334 %s\r\n", FALSE, b64encode(challenge, challen));
+while ((c = receive_getc(GETC_BUFFER_UNLIMITED)) != '\n' && c != EOF)
+  {
+  if (p >= big_buffer_size - 1) return BAD64;
+  big_buffer[p++] = c;
+  }
+if (p > 0 && big_buffer[p-1] == '\r') p--;
+big_buffer[p] = 0;
+DEBUG(D_receive) debug_printf("SMTP<< %s\n", big_buffer);
+if (Ustrcmp(big_buffer, "*") == 0) return CANCELLED;
+*aptr = big_buffer;
+return OK;
+}
+
+
+
+int
+auth_prompt(const uschar * challenge)
+{
+int rc, len;
+uschar * resp, * clear, * end;
+
+if ((rc = auth_get_data(&resp, challenge, Ustrlen(challenge))) != OK)
+  return rc;
+if ((len = b64decode(resp, &clear)) < 0)
+  return BAD64;
+end = clear + len;
+
+/* This loop must run at least once, in case the length is zero */
+do
+  {
+  if (expand_nmax < AUTH_VARS) auth_vars[expand_nmax] = clear;
+  expand_nstring[++expand_nmax] = clear;
+  while (*clear != 0) clear++;
+  expand_nlength[expand_nmax] = clear++ - expand_nstring[expand_nmax];
+  }
+while (clear < end && expand_nmax < EXPAND_MAXN);
+return OK;
+}
+
+
+/***********************************************
+*	Send an AUTH-negotiation item		*
+************************************************/
+
+/* Expand and send one client auth item and read the response.
+Include the AUTH command and method if tagged as "first".  Use the given buffer
+for receiving the b6-encoded reply; decode it it return it in the string arg.
+
+Return:
+  OK          success
+  FAIL_SEND   error after writing a command; errno is set
+  FAIL        failed after reading a response;
+              either errno is set (for timeouts, I/O failures) or
+              the buffer contains the SMTP response line
+  CANCELLED   the client cancelled authentication (often "fail" in expansion)
+              the buffer may contain a message; if not, *buffer = 0
+  ERROR       local problem (typically expansion error); message in buffer
+  DEFER       more items expected
+*/
+
+int
+auth_client_item(void * sx, auth_instance * ablock, const uschar ** inout,
+  unsigned flags, int timeout, uschar * buffer, int buffsize)
+{
+int len, clear_len;
+uschar * ss, * clear;
+
+ss = US expand_cstring(*inout);
+if (ss == *inout) ss = string_copy(ss);
+
+/* Forced expansion failure is not an error; authentication is abandoned. On
+all but the first string, we have to abandon the authentication attempt by
+sending a line containing "*". Save the failed expansion string, because it
+is in big_buffer, and that gets used by the sending function. */
+
+if (!ss)
+  {
+  if (!(flags & AUTH_ITEM_FIRST))
+    {
+    if (smtp_write_command(sx, SCMD_FLUSH, "*\r\n") >= 0)
+      (void) smtp_read_response(sx, US buffer, buffsize, '2', timeout);
+    }
+  if (f.expand_string_forcedfail)
+    {
+    *buffer = 0;       /* No message */
+    return CANCELLED;
+    }
+  string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+    "authenticator: %s", *inout, ablock->name, expand_string_message);
+  return ERROR;
+  }
+
+len = Ustrlen(ss);
+
+/* The character ^ is used as an escape for a binary zero character, which is
+needed for the PLAIN mechanism. It must be doubled if really needed.
+
+The parsing ambiguity of ^^^ is taken as ^^ -> ^ ; ^ -> NUL - and there is
+no way to get a leading ^ after a NUL.  We would need to intro new syntax to
+support that (probably preferring to take a more-standard exim list as a source
+and concat the elements with intervening NULs.  Either a magic marker on the
+source string for client_send, or a new option). */
+
+for (int i = 0; i < len; i++)
+  if (ss[i] == '^')
+    if (ss[i+1] != '^')
+      ss[i] = 0;
+    else
+      if (--len > i+1) memmove(ss + i + 1, ss + i + 2, len - i);
+
+/* The first string is attached to the AUTH command; others are sent
+unembellished. */
+
+if (flags & AUTH_ITEM_FIRST)
+  {
+  if (smtp_write_command(sx, SCMD_FLUSH, "AUTH %s%s%s\r\n",
+       ablock->public_name, len == 0 ? "" : " ", b64encode(CUS ss, len)) < 0)
+    return FAIL_SEND;
+  }
+else
+  if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", b64encode(CUS ss, len)) < 0)
+    return FAIL_SEND;
+
+/* If we receive a success response from the server, authentication
+has succeeded. There may be more data to send, but is there any point
+in provoking an error here? */
+
+if (smtp_read_response(sx, buffer, buffsize, '2', timeout))
+  {
+  *inout = NULL;
+  return OK;
+  }
+
+/* Not a success response. If errno != 0 there is some kind of transmission
+error. Otherwise, check the response code in the buffer. If it starts with
+'3', more data is expected. */
+
+if (errno != 0 || buffer[0] != '3') return FAIL;
+
+/* If there is no more data to send, we have to cancel the authentication
+exchange and return ERROR. */
+
+if (flags & AUTH_ITEM_LAST)
+  {
+  if (smtp_write_command(sx, SCMD_FLUSH, "*\r\n") >= 0)
+    (void)smtp_read_response(sx, US buffer, buffsize, '2', timeout);
+  string_format(buffer, buffsize, "Too few items in client_send in %s "
+    "authenticator", ablock->name);
+  return ERROR;
+  }
+
+/* Now that we know we'll continue, we put the received data into $auth<n>,
+if possible. First, decode it: buffer+4 skips over the SMTP status code. */
+
+clear_len = b64decode(buffer+4, &clear);
+
+/* If decoding failed, the default is to terminate the authentication, and
+return FAIL, with the SMTP response still in the buffer. However, if client_
+ignore_invalid_base64 is set, we ignore the error, and put an empty string
+into $auth<n>. */
+
+if (clear_len < 0)
+  {
+  uschar *save_bad = string_copy(buffer);
+  if (!(flags & AUTH_ITEM_IGN64))
+    {
+    if (smtp_write_command(sx, SCMD_FLUSH, "*\r\n") >= 0)
+      (void)smtp_read_response(sx, US buffer, buffsize, '2', timeout);
+    string_format(buffer, buffsize, "Invalid base64 string in server "
+      "response \"%s\"", save_bad);
+    return CANCELLED;
+    }
+  DEBUG(D_auth) debug_printf("bad b64 decode for '%s';"
+       " ignoring due to client_ignore_invalid_base64\n", save_bad);
+  clear = string_copy(US"");
+  clear_len = 0;
+  }
+
+*inout = clear;
+return DEFER;
+}
+  
+  
+/* End of get_data.c */
diff --git a/src/auths/get_no64_data.c b/src/auths/get_no64_data.c
new file mode 100644
index 0000000..a019756
--- /dev/null
+++ b/src/auths/get_no64_data.c
@@ -0,0 +1,47 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+
+
+/*************************************************
+*  Issue a non-b64 challenge and get a response  *
+*************************************************/
+
+/* This function is used by authentication drivers to output a challenge
+to the SMTP client and read the response line. This version does not use base
+64 encoding for the text on the 334 line. It is used by the SPA, dovecot
+and gsasl authenticators.
+
+Arguments:
+   aptr       set to point to the response (which is in big_buffer)
+   challenge  the challenge text (unencoded)
+
+Returns:      OK on success
+              BAD64 if response too large for buffer
+              CANCELLED if response is "*"
+*/
+
+int
+auth_get_no64_data(uschar **aptr, uschar *challenge)
+{
+int c;
+int p = 0;
+smtp_printf("334 %s\r\n", FALSE, challenge);
+while ((c = receive_getc(GETC_BUFFER_UNLIMITED)) != '\n' && c != EOF)
+  {
+  if (p >= big_buffer_size - 1) return BAD64;
+  big_buffer[p++] = c;
+  }
+if (p > 0 && big_buffer[p-1] == '\r') p--;
+big_buffer[p] = 0;
+if (Ustrcmp(big_buffer, "*") == 0) return CANCELLED;
+*aptr = big_buffer;
+return OK;
+}
+
+/* End of get_no64_data.c */
diff --git a/src/auths/gsasl_exim.c b/src/auths/gsasl_exim.c
new file mode 100644
index 0000000..bae5f08
--- /dev/null
+++ b/src/auths/gsasl_exim.c
@@ -0,0 +1,1024 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2019 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Copyright (c) Twitter Inc 2012
+   Author: Phil Pennock <pdp@exim.org> */
+/* Copyright (c) Phil Pennock 2012 */
+
+/* Interface to GNU SASL library for generic authentication. */
+
+/* Trade-offs:
+
+GNU SASL does not provide authentication data itself, so we have to expose
+that decision to configuration.  For some mechanisms, we need to act much
+like plaintext.  For others, we only need to be able to provide some
+evaluated data on demand.  There's no abstracted way (ie, without hardcoding
+knowledge of authenticators here) to know which need what properties; we
+can't query a session or the library for "we will need these for mechanism X".
+
+So: we always require server_condition, even if sometimes it will just be
+set as "yes".  We do provide a number of other hooks, which might not make
+sense in all contexts.  For some, we can do checks at init time.
+*/
+
+#include "../exim.h"
+
+#ifndef AUTH_GSASL
+/* dummy function to satisfy compilers when we link in an "empty" file. */
+static void dummy(int x);
+static void dummy2(int x) { dummy(x-1); }
+static void dummy(int x) { dummy2(x-1); }
+#else
+
+#include <gsasl.h>
+#include "gsasl_exim.h"
+
+
+#if GSASL_VERSION_MINOR >= 10
+# define EXIM_GSASL_HAVE_SCRAM_SHA_256
+# define EXIM_GSASL_SCRAM_S_KEY
+
+#elif GSASL_VERSION_MINOR == 9
+# define EXIM_GSASL_HAVE_SCRAM_SHA_256
+
+# if GSASL_VERSION_PATCH >= 1
+#  define EXIM_GSASL_SCRAM_S_KEY
+# endif
+# if GSASL_VERSION_PATCH < 2
+#  define CHANNELBIND_HACK
+# endif
+
+#else
+# define CHANNELBIND_HACK
+#endif
+
+/* Convenience for testing strings */
+
+#define STREQIC(Foo, Bar) (strcmpic((Foo), (Bar)) == 0)
+
+
+/* Authenticator-specific options. */
+/* I did have server_*_condition options for various mechanisms, but since
+we only ever handle one mechanism at a time, I didn't see the point in keeping
+that.  In case someone sees a point, I've left the condition_check() API
+alone. */
+#define LOFF(field) OPT_OFF(auth_gsasl_options_block, field)
+
+optionlist auth_gsasl_options[] = {
+  { "client_authz",		opt_stringptr,	LOFF(client_authz) },
+  { "client_channelbinding",	opt_bool,	LOFF(client_channelbinding) },
+  { "client_password",		opt_stringptr,	LOFF(client_password) },
+  { "client_spassword",		opt_stringptr,	LOFF(client_spassword) },
+  { "client_username",		opt_stringptr,	LOFF(client_username) },
+
+  { "server_channelbinding",	opt_bool,	LOFF(server_channelbinding) },
+  { "server_hostname",		opt_stringptr,	LOFF(server_hostname) },
+#ifdef EXIM_GSASL_SCRAM_S_KEY
+  { "server_key",		opt_stringptr,	LOFF(server_key) },
+#endif
+  { "server_mech",		opt_stringptr,	LOFF(server_mech) },
+  { "server_password",		opt_stringptr,	LOFF(server_password) },
+  { "server_realm",		opt_stringptr,	LOFF(server_realm) },
+  { "server_scram_iter",	opt_stringptr,	LOFF(server_scram_iter) },
+  { "server_scram_salt",	opt_stringptr,	LOFF(server_scram_salt) },
+#ifdef EXIM_GSASL_SCRAM_S_KEY
+  { "server_skey",		opt_stringptr,	LOFF(server_s_key) },
+#endif
+  { "server_service",		opt_stringptr,	LOFF(server_service) }
+};
+
+int auth_gsasl_options_count =
+  sizeof(auth_gsasl_options)/sizeof(optionlist);
+
+/* Defaults for the authenticator-specific options. */
+auth_gsasl_options_block auth_gsasl_option_defaults = {
+  .server_service = US"smtp",
+  .server_hostname = US"$primary_hostname",
+  .server_scram_iter = US"4096",
+  /* all others zero/null */
+};
+
+
+#ifdef MACRO_PREDEF
+# include "../macro_predef.h"
+
+/* Dummy values */
+void auth_gsasl_init(auth_instance *ablock) {}
+int auth_gsasl_server(auth_instance *ablock, uschar *data) {return 0;}
+int auth_gsasl_client(auth_instance *ablock, void * sx,
+  int timeout, uschar *buffer, int buffsize) {return 0;}
+gstring * auth_gsasl_version_report(gstring * g) {return NULL;}
+
+void
+auth_gsasl_macros(void)
+{
+# ifdef EXIM_GSASL_HAVE_SCRAM_SHA_256
+  builtin_macro_create(US"_HAVE_AUTH_GSASL_SCRAM_SHA_256");
+# endif
+# ifdef EXIM_GSASL_SCRAM_S_KEY
+  builtin_macro_create(US"_HAVE_AUTH_GSASL_SCRAM_S_KEY");
+# endif
+}
+
+#else   /*!MACRO_PREDEF*/
+
+
+
+/* "Globals" for managing the gsasl interface. */
+
+static Gsasl *gsasl_ctx = NULL;
+static int
+  main_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop);
+static int
+  server_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop, auth_instance *ablock);
+static int
+  client_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop, auth_instance *ablock);
+
+static BOOL sasl_error_should_defer = FALSE;
+static Gsasl_property callback_loop = 0;
+static BOOL checked_server_condition = FALSE;
+
+enum { CURRENTLY_SERVER = 1, CURRENTLY_CLIENT = 2 };
+
+struct callback_exim_state {
+  auth_instance *ablock;
+  int currently;
+};
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up. */
+
+void
+auth_gsasl_init(auth_instance *ablock)
+{
+static char * once = NULL;
+int rc;
+auth_gsasl_options_block *ob =
+  (auth_gsasl_options_block *)(ablock->options_block);
+
+/* As per existing Cyrus glue, use the authenticator's public name as
+the default for the mechanism name; we don't handle multiple mechanisms
+in one authenticator, but the same driver can be used multiple times. */
+
+if (!ob->server_mech)
+  ob->server_mech = string_copy(ablock->public_name);
+
+/* Can get multiple session contexts from one library context, so just
+initialise the once. */
+
+if (!gsasl_ctx)
+  {
+  if ((rc = gsasl_init(&gsasl_ctx)) != GSASL_OK)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
+	      "couldn't initialise GNU SASL library: %s (%s)",
+	      ablock->name, gsasl_strerror_name(rc), gsasl_strerror(rc));
+
+  gsasl_callback_set(gsasl_ctx, main_callback);
+  }
+
+/* We don't need this except to log it for debugging. */
+
+HDEBUG(D_auth) if (!once)
+  {
+  if ((rc = gsasl_server_mechlist(gsasl_ctx, &once)) != GSASL_OK)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
+	      "failed to retrieve list of mechanisms: %s (%s)",
+	      ablock->name,  gsasl_strerror_name(rc), gsasl_strerror(rc));
+
+  debug_printf("GNU SASL supports: %s\n", once);
+  }
+
+if (!gsasl_client_support_p(gsasl_ctx, CCS ob->server_mech))
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
+	    "GNU SASL does not support mechanism \"%s\"",
+	    ablock->name, ob->server_mech);
+
+if (ablock->server_condition)
+  ablock->server = TRUE;
+else if(  ob->server_mech
+       && !STREQIC(ob->server_mech, US"EXTERNAL")
+       && !STREQIC(ob->server_mech, US"ANONYMOUS")
+       && !STREQIC(ob->server_mech, US"PLAIN")
+       && !STREQIC(ob->server_mech, US"LOGIN")
+       )
+  {
+  /* At present, for mechanisms we don't panic on absence of server_condition;
+  need to figure out the most generically correct approach to deciding when
+  it's critical and when it isn't.  Eg, for simple validation (PLAIN mechanism,
+  etc) it clearly is critical.
+  */
+
+  ablock->server = FALSE;
+  HDEBUG(D_auth) debug_printf("%s authenticator:  "
+	    "Need server_condition for %s mechanism\n",
+	    ablock->name, ob->server_mech);
+  }
+
+/* This does *not* scale to new SASL mechanisms.  Need a better way to ask
+which properties will be needed. */
+
+if (  !ob->server_realm
+   && STREQIC(ob->server_mech, US"DIGEST-MD5"))
+  {
+  ablock->server = FALSE;
+  HDEBUG(D_auth) debug_printf("%s authenticator:  "
+	    "Need server_realm for %s mechanism\n",
+	    ablock->name, ob->server_mech);
+  }
+
+ablock->client = ob->client_username && ob->client_password;
+}
+
+
+/* GNU SASL uses one top-level callback, registered at library level.
+We dispatch to client and server functions instead. */
+
+static int
+main_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop)
+{
+int rc = 0;
+struct callback_exim_state *cb_state =
+  (struct callback_exim_state *)gsasl_session_hook_get(sctx);
+
+if (!cb_state)
+  {
+  HDEBUG(D_auth) debug_printf("gsasl callback (%d) not from our server/client processing\n", prop);
+#ifdef CHANNELBIND_HACK
+  if (prop == GSASL_CB_TLS_UNIQUE)
+    {
+    uschar * s;
+    if ((s = gsasl_callback_hook_get(ctx)))
+      {
+      HDEBUG(D_auth) debug_printf("GSASL_CB_TLS_UNIQUE from ctx hook\n");
+      gsasl_property_set(sctx, GSASL_CB_TLS_UNIQUE, CS s);
+      }
+    else
+      {
+      HDEBUG(D_auth) debug_printf("GSASL_CB_TLS_UNIQUE!  dummy for now\n");
+      gsasl_property_set(sctx, GSASL_CB_TLS_UNIQUE, "");
+      }
+    return GSASL_OK;
+    }
+#endif
+  return GSASL_NO_CALLBACK;
+  }
+
+HDEBUG(D_auth)
+  debug_printf("GNU SASL Callback entered, prop=%d (loop prop=%d)\n",
+      prop, callback_loop);
+
+if (callback_loop > 0)
+  {
+  /* Most likely is that we were asked for property FOO, and to
+  expand the string we asked for property BAR to put into an auth
+  variable, but property BAR is not supplied for this mechanism. */
+  HDEBUG(D_auth)
+    debug_printf("Loop, asked for property %d while handling property %d\n",
+	prop, callback_loop);
+  return GSASL_NO_CALLBACK;
+  }
+callback_loop = prop;
+
+if (cb_state->currently == CURRENTLY_CLIENT)
+  rc = client_callback(ctx, sctx, prop, cb_state->ablock);
+else if (cb_state->currently == CURRENTLY_SERVER)
+  rc = server_callback(ctx, sctx, prop, cb_state->ablock);
+else
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
+      "unhandled callback state, bug in Exim", cb_state->ablock->name);
+  /* NOTREACHED */
+
+callback_loop = 0;
+return rc;
+}
+
+
+/*************************************************
+*             Debug service function             *
+*************************************************/
+static const uschar * 
+gsasl_prop_code_to_name(Gsasl_property prop)
+{
+switch (prop)
+  {
+  case GSASL_AUTHID:			return US"AUTHID";
+  case GSASL_AUTHZID:			return US"AUTHZID";
+  case GSASL_PASSWORD:			return US"PASSWORD";
+  case GSASL_ANONYMOUS_TOKEN:		return US"ANONYMOUS_TOKEN";
+  case GSASL_SERVICE:			return US"SERVICE";
+  case GSASL_HOSTNAME:			return US"HOSTNAME";
+  case GSASL_GSSAPI_DISPLAY_NAME:	return US"GSSAPI_DISPLAY_NAME";
+  case GSASL_PASSCODE:			return US"PASSCODE";
+  case GSASL_SUGGESTED_PIN:		return US"SUGGESTED_PIN";
+  case GSASL_PIN:			return US"PIN";
+  case GSASL_REALM:			return US"REALM";
+  case GSASL_DIGEST_MD5_HASHED_PASSWORD:	return US"DIGEST_MD5_HASHED_PASSWORD";
+  case GSASL_QOPS:			return US"QOPS";
+  case GSASL_QOP:			return US"QOP";
+  case GSASL_SCRAM_ITER:		return US"SCRAM_ITER";
+  case GSASL_SCRAM_SALT:		return US"SCRAM_SALT";
+  case GSASL_SCRAM_SALTED_PASSWORD:	return US"SCRAM_SALTED_PASSWORD";
+#ifdef EXIM_GSASL_SCRAM_S_KEY
+  case GSASL_SCRAM_STOREDKEY:		return US"SCRAM_STOREDKEY";
+  case GSASL_SCRAM_SERVERKEY:		return US"SCRAM_SERVERKEY";
+#endif
+  case GSASL_CB_TLS_UNIQUE:		return US"CB_TLS_UNIQUE";
+  case GSASL_SAML20_IDP_IDENTIFIER:	return US"SAML20_IDP_IDENTIFIER";
+  case GSASL_SAML20_REDIRECT_URL:	return US"SAML20_REDIRECT_URL";
+  case GSASL_OPENID20_REDIRECT_URL:	return US"OPENID20_REDIRECT_URL";
+  case GSASL_OPENID20_OUTCOME_DATA:	return US"OPENID20_OUTCOME_DATA";
+  case GSASL_SAML20_AUTHENTICATE_IN_BROWSER:	return US"SAML20_AUTHENTICATE_IN_BROWSER";
+  case GSASL_OPENID20_AUTHENTICATE_IN_BROWSER:	return US"OPENID20_AUTHENTICATE_IN_BROWSER";
+  case GSASL_VALIDATE_SIMPLE:		return US"VALIDATE_SIMPLE";
+  case GSASL_VALIDATE_EXTERNAL:		return US"VALIDATE_EXTERNAL";
+  case GSASL_VALIDATE_ANONYMOUS:	return US"VALIDATE_ANONYMOUS";
+  case GSASL_VALIDATE_GSSAPI:		return US"VALIDATE_GSSAPI";
+  case GSASL_VALIDATE_SECURID:		return US"VALIDATE_SECURID";
+  case GSASL_VALIDATE_SAML20:		return US"VALIDATE_SAML20";
+  case GSASL_VALIDATE_OPENID20:		return US"VALIDATE_OPENID20";
+  }
+return CUS string_sprintf("(unknown prop: %d)", (int)prop);
+}
+
+/*************************************************
+*             Server entry point                 *
+*************************************************/
+
+/* For interface, see auths/README */
+
+int
+auth_gsasl_server(auth_instance *ablock, uschar *initial_data)
+{
+char *tmps;
+char *to_send, *received;
+Gsasl_session *sctx = NULL;
+auth_gsasl_options_block *ob =
+  (auth_gsasl_options_block *)(ablock->options_block);
+struct callback_exim_state cb_state;
+int rc, auth_result, exim_error, exim_error_override;
+
+HDEBUG(D_auth)
+  debug_printf("GNU SASL: initialising session for %s, mechanism %s\n",
+      ablock->name, ob->server_mech);
+
+#ifndef DISABLE_TLS
+if (tls_in.channelbinding && ob->server_channelbinding)
+  {
+# ifndef DISABLE_TLS_RESUME
+  if (!tls_in.ext_master_secret && tls_in.resumption == RESUME_USED)
+    {		/* per RFC 7677 section 4 */
+    HDEBUG(D_auth) debug_printf(
+      "channel binding not usable on resumed TLS without extended-master-secret");
+    return FAIL;
+    }
+# endif
+# ifdef CHANNELBIND_HACK
+/* This is a gross hack to get around the library before 1.9.2
+a) requiring that c-b was already set, at the _start() call, and
+b) caching a b64'd version of the binding then which it never updates. */
+
+  gsasl_callback_hook_set(gsasl_ctx, tls_in.channelbinding);
+# endif
+  }
+#endif
+
+if ((rc = gsasl_server_start(gsasl_ctx, CCS ob->server_mech, &sctx)) != GSASL_OK)
+  {
+  auth_defer_msg = string_sprintf("GNU SASL: session start failure: %s (%s)",
+      gsasl_strerror_name(rc), gsasl_strerror(rc));
+  HDEBUG(D_auth) debug_printf("%s\n", auth_defer_msg);
+  return DEFER;
+  }
+/* Hereafter: gsasl_finish(sctx) please */
+
+cb_state.ablock = ablock;
+cb_state.currently = CURRENTLY_SERVER;
+gsasl_session_hook_set(sctx, &cb_state);
+
+tmps = CS expand_string(ob->server_service);
+gsasl_property_set(sctx, GSASL_SERVICE, tmps);
+tmps = CS expand_string(ob->server_hostname);
+gsasl_property_set(sctx, GSASL_HOSTNAME, tmps);
+if (ob->server_realm)
+  {
+  tmps = CS expand_string(ob->server_realm);
+  if (tmps && *tmps)
+    gsasl_property_set(sctx, GSASL_REALM, tmps);
+  }
+/* We don't support protection layers. */
+gsasl_property_set(sctx, GSASL_QOPS, "qop-auth");
+
+#ifndef DISABLE_TLS
+if (tls_in.channelbinding)
+  {
+  /* Some auth mechanisms can ensure that both sides are talking withing the
+  same security context; for TLS, this means that even if a bad certificate
+  has been accepted, they remain MitM-proof because both sides must be within
+  the same negotiated session; if someone is terminating one session and
+  proxying data on within a second, authentication will fail.
+
+  We might not have this available, depending upon TLS implementation,
+  ciphersuite, phase of moon ...
+
+  If we do, it results in extra SASL mechanisms being available; here,
+  Exim's one-mechanism-per-authenticator potentially causes problems.
+  It depends upon how GNU SASL will implement the PLUS variants of GS2
+  and whether it automatically mandates a switch to the bound PLUS
+  if the data is available.  Since default-on, despite being more secure,
+  would then result in mechanism name changes on a library update, we
+  have little choice but to default it off and let the admin choose to
+  enable it.  *sigh*
+
+  Earlier library versions need this set early, during the _start() call,
+  so we had to misuse gsasl_callback_hook_set/get() as a data transfer
+  mech for the callback done at that time to get the bind-data.  More recently
+  the callback is done (if needed) during the first gsasl_stop().  We know
+  the bind-data here so can set it (and should not get a callback).
+  */
+  if (ob->server_channelbinding)
+    {
+    HDEBUG(D_auth) debug_printf("Auth %s: Enabling channel-binding\n",
+	ablock->name);
+# ifndef CHANNELBIND_HACK
+    gsasl_property_set(sctx, GSASL_CB_TLS_UNIQUE, CCS tls_in.channelbinding);
+# endif
+    }
+  else
+    HDEBUG(D_auth)
+      debug_printf("Auth %s: Not enabling channel-binding (data available)\n",
+	  ablock->name);
+  }
+else
+  HDEBUG(D_auth)
+    debug_printf("Auth %s: no channel-binding data available\n",
+	ablock->name);
+#endif
+
+checked_server_condition = FALSE;
+
+received = CS initial_data;
+to_send = NULL;
+exim_error = exim_error_override = OK;
+
+do {
+  switch (rc = gsasl_step64(sctx, received, &to_send))
+    {
+    case GSASL_OK:
+      if (!to_send)
+	goto STOP_INTERACTION;
+      break;
+
+    case GSASL_NEEDS_MORE:
+      break;
+
+    case GSASL_AUTHENTICATION_ERROR:
+    case GSASL_INTEGRITY_ERROR:
+    case GSASL_NO_AUTHID:
+    case GSASL_NO_ANONYMOUS_TOKEN:
+    case GSASL_NO_AUTHZID:
+    case GSASL_NO_PASSWORD:
+    case GSASL_NO_PASSCODE:
+    case GSASL_NO_PIN:
+    case GSASL_BASE64_ERROR:
+      HDEBUG(D_auth) debug_printf("GNU SASL permanent error: %s (%s)\n",
+	  gsasl_strerror_name(rc), gsasl_strerror(rc));
+      log_write(0, LOG_REJECT, "%s authenticator (%s):\n  "
+	  "GNU SASL permanent failure: %s (%s)",
+	  ablock->name, ob->server_mech,
+	  gsasl_strerror_name(rc), gsasl_strerror(rc));
+      if (rc == GSASL_BASE64_ERROR)
+	exim_error_override = BAD64;
+      goto STOP_INTERACTION;
+
+    default:
+      auth_defer_msg = string_sprintf("GNU SASL temporary error: %s (%s)",
+	  gsasl_strerror_name(rc), gsasl_strerror(rc));
+      HDEBUG(D_auth) debug_printf("%s\n", auth_defer_msg);
+      exim_error_override = DEFER;
+      goto STOP_INTERACTION;
+    }
+
+  /*XXX having our caller send the final smtp "235" is unfortunate; wastes a roundtrip */
+  if ((rc == GSASL_NEEDS_MORE) || (to_send && *to_send))
+    exim_error = auth_get_no64_data(USS &received, US to_send);
+
+  if (to_send)
+    {
+    free(to_send);
+    to_send = NULL;
+    }
+
+  if (exim_error)
+    break; /* handles * cancelled check */
+
+  } while (rc == GSASL_NEEDS_MORE);
+
+STOP_INTERACTION:
+auth_result = rc;
+
+HDEBUG(D_auth)
+  {
+  const uschar * s;
+  if ((s = CUS gsasl_property_fast(sctx, GSASL_SCRAM_ITER)))
+    debug_printf(" - itercnt:   '%s'\n", s);
+  if ((s = CUS gsasl_property_fast(sctx, GSASL_SCRAM_SALT)))
+    debug_printf(" - salt:      '%s'\n", s);
+#ifdef EXIM_GSASL_SCRAM_S_KEY
+  if ((s = CUS gsasl_property_fast(sctx, GSASL_SCRAM_SERVERKEY)))
+    debug_printf(" - ServerKey: '%s'\n", s);
+  if ((s = CUS gsasl_property_fast(sctx, GSASL_SCRAM_STOREDKEY)))
+    debug_printf(" - StoredKey: '%s'\n", s);
+#endif
+  }
+
+gsasl_finish(sctx);
+
+/* Can return: OK DEFER FAIL CANCELLED BAD64 UNEXPECTED */
+
+if (exim_error != OK)
+  return exim_error;
+
+if (auth_result != GSASL_OK)
+  {
+  HDEBUG(D_auth) debug_printf("authentication returned %s (%s)\n",
+      gsasl_strerror_name(auth_result), gsasl_strerror(auth_result));
+  if (exim_error_override != OK)
+    return exim_error_override; /* might be DEFER */
+  if (sasl_error_should_defer) /* overriding auth failure SASL error */
+    return DEFER;
+  return FAIL;
+  }
+
+/* Auth succeeded, check server_condition unless already done in callback */
+return checked_server_condition ? OK : auth_check_serv_cond(ablock);
+}
+
+
+/* returns the GSASL status of expanding the Exim string given */
+static int
+condition_check(auth_instance *ablock, uschar *label, uschar *condition_string)
+{
+int exim_rc = auth_check_some_cond(ablock, label, condition_string, FAIL);
+switch (exim_rc)
+  {
+  case OK:	return GSASL_OK;
+  case DEFER:	sasl_error_should_defer = TRUE;
+		return GSASL_AUTHENTICATION_ERROR;
+  case FAIL:	return GSASL_AUTHENTICATION_ERROR;
+  default:	log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:  "
+		  "Unhandled return from checking %s: %d",
+		  ablock->name, label, exim_rc);
+  }
+
+/* NOTREACHED */
+return GSASL_AUTHENTICATION_ERROR;
+}
+
+
+/* Set the "next" $auth[n] and increment expand_nmax */
+
+static void
+set_exim_authvar_from_prop(Gsasl_session * sctx, Gsasl_property prop)
+{
+uschar * propval = US gsasl_property_fast(sctx, prop);
+int i = expand_nmax, j = i + 1;
+propval = propval ? string_copy(propval) : US"";
+HDEBUG(D_auth) debug_printf("auth[%d] <=  %s'%s'\n",
+			    j, gsasl_prop_code_to_name(prop), propval);
+expand_nstring[j] = propval;
+expand_nlength[j] = Ustrlen(propval);
+if (i < AUTH_VARS) auth_vars[i] = propval;
+expand_nmax = j;
+}
+
+static void
+set_exim_authvars_from_a_az_r_props(Gsasl_session * sctx)
+{
+if (expand_nmax > 0 ) return;
+
+/* Asking for GSASL_AUTHZID calls back into us if we use
+gsasl_property_get(), thus the use of gsasl_property_fast().
+Do we really want to hardcode limits per mechanism?  What happens when
+a new mechanism is added to the library.  It *shouldn't* result in us
+needing to add more glue, since avoiding that is a large part of the
+point of SASL. */
+
+set_exim_authvar_from_prop(sctx, GSASL_AUTHID);
+set_exim_authvar_from_prop(sctx, GSASL_AUTHZID);
+set_exim_authvar_from_prop(sctx, GSASL_REALM);
+}
+
+
+static int
+prop_from_option(Gsasl_session * sctx, Gsasl_property prop,
+  const uschar * option)
+{
+HDEBUG(D_auth) debug_printf(" %s\n", gsasl_prop_code_to_name(prop));
+if (option)
+  {
+  set_exim_authvars_from_a_az_r_props(sctx);
+  option = expand_cstring(option);
+  HDEBUG(D_auth) debug_printf("  '%s'\n", option);
+  if (*option)
+    gsasl_property_set(sctx, prop, CCS option);
+  return GSASL_OK;
+  }
+HDEBUG(D_auth) debug_printf("  option not set\n");
+return GSASL_NO_CALLBACK;
+}
+
+static int
+server_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop,
+  auth_instance *ablock)
+{
+char * tmps;
+uschar * s;
+int cbrc = GSASL_NO_CALLBACK;
+auth_gsasl_options_block * ob =
+  (auth_gsasl_options_block *)(ablock->options_block);
+
+HDEBUG(D_auth) debug_printf("GNU SASL callback %s for %s/%s as server\n",
+	    gsasl_prop_code_to_name(prop), ablock->name, ablock->public_name);
+
+for (int i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
+expand_nmax = 0;
+
+switch (prop)
+  {
+  case GSASL_VALIDATE_SIMPLE:
+    /* GSASL_AUTHID, GSASL_AUTHZID, and GSASL_PASSWORD */
+    set_exim_authvar_from_prop(sctx, GSASL_AUTHID);
+    set_exim_authvar_from_prop(sctx, GSASL_AUTHZID);
+    set_exim_authvar_from_prop(sctx, GSASL_PASSWORD);
+
+    cbrc = condition_check(ablock, US"server_condition", ablock->server_condition);
+    checked_server_condition = TRUE;
+    break;
+
+  case GSASL_VALIDATE_EXTERNAL:
+    if (!ablock->server_condition)
+      {
+      HDEBUG(D_auth) debug_printf("No server_condition supplied, to validate EXTERNAL\n");
+      cbrc = GSASL_AUTHENTICATION_ERROR;
+      break;
+      }
+    set_exim_authvar_from_prop(sctx, GSASL_AUTHZID);
+
+    cbrc = condition_check(ablock,
+	US"server_condition (EXTERNAL)", ablock->server_condition);
+    checked_server_condition = TRUE;
+    break;
+
+  case GSASL_VALIDATE_ANONYMOUS:
+    if (!ablock->server_condition)
+      {
+      HDEBUG(D_auth) debug_printf("No server_condition supplied, to validate ANONYMOUS\n");
+      cbrc = GSASL_AUTHENTICATION_ERROR;
+      break;
+      }
+    set_exim_authvar_from_prop(sctx, GSASL_ANONYMOUS_TOKEN);
+
+    cbrc = condition_check(ablock,
+	US"server_condition (ANONYMOUS)", ablock->server_condition);
+    checked_server_condition = TRUE;
+    break;
+
+  case GSASL_VALIDATE_GSSAPI:
+    /* GSASL_AUTHZID and GSASL_GSSAPI_DISPLAY_NAME
+    The display-name is authenticated as part of GSS, the authzid is claimed
+    by the SASL integration after authentication; protected against tampering
+    (if the SASL mechanism supports that, which Kerberos does) but is
+    unverified, same as normal for other mechanisms.
+     First coding, we had these values swapped, but for consistency and prior
+    to the first release of Exim with this authenticator, they've been
+    switched to match the ordering of GSASL_VALIDATE_SIMPLE. */
+
+    set_exim_authvar_from_prop(sctx, GSASL_GSSAPI_DISPLAY_NAME);
+    set_exim_authvar_from_prop(sctx, GSASL_AUTHZID);
+
+    /* In this one case, it perhaps makes sense to default back open?
+    But for consistency, let's just mandate server_condition here too. */
+
+    cbrc = condition_check(ablock,
+	US"server_condition (GSSAPI family)", ablock->server_condition);
+    checked_server_condition = TRUE;
+    break;
+
+  case GSASL_SCRAM_ITER:
+    cbrc = prop_from_option(sctx, prop, ob->server_scram_iter);
+    break;
+
+  case GSASL_SCRAM_SALT:
+    cbrc = prop_from_option(sctx, prop, ob->server_scram_salt);
+    break;
+
+#ifdef EXIM_GSASL_SCRAM_S_KEY
+  case GSASL_SCRAM_STOREDKEY:
+    cbrc = prop_from_option(sctx, prop, ob->server_s_key);
+    break;
+
+  case GSASL_SCRAM_SERVERKEY:
+    cbrc = prop_from_option(sctx, prop, ob->server_key);
+    break;
+#endif
+
+  case GSASL_PASSWORD:
+    /* SCRAM-*: GSASL_AUTHID, GSASL_AUTHZID and GSASL_REALM
+       DIGEST-MD5: GSASL_AUTHID, GSASL_AUTHZID and GSASL_REALM
+       CRAM-MD5: GSASL_AUTHID
+       PLAIN: GSASL_AUTHID and GSASL_AUTHZID
+       LOGIN: GSASL_AUTHID
+     */
+    set_exim_authvars_from_a_az_r_props(sctx);
+
+    if (!(s = ob->server_password))
+      {
+      HDEBUG(D_auth) debug_printf("option not set\n");
+      break;
+      }
+    if (!(tmps = CS expand_string(s)))
+      {
+      sasl_error_should_defer = !f.expand_string_forcedfail;
+      HDEBUG(D_auth) debug_printf("server_password expansion failed, so "
+	  "can't tell GNU SASL library the password for %s\n", auth_vars[0]);
+      return GSASL_AUTHENTICATION_ERROR;
+      }
+    HDEBUG(D_auth) debug_printf("  set\n");
+    gsasl_property_set(sctx, GSASL_PASSWORD, tmps);
+
+    /* This is inadequate; don't think Exim's store stacks are geared
+    for memory wiping, so expanding strings will leave stuff laying around.
+    But no need to compound the problem, so get rid of the one we can. */
+
+    if (US tmps != s) memset(tmps, '\0', strlen(tmps));
+    cbrc = GSASL_OK;
+    break;
+
+  default:
+    HDEBUG(D_auth) debug_printf(" Unrecognised callback: %d\n", prop);
+    cbrc = GSASL_NO_CALLBACK;
+  }
+
+HDEBUG(D_auth) debug_printf("Returning %s (%s)\n",
+    gsasl_strerror_name(cbrc), gsasl_strerror(cbrc));
+
+return cbrc;
+}
+
+
+/******************************************************************************/
+
+#define PROP_OPTIONAL	BIT(0)
+
+static BOOL
+set_client_prop(Gsasl_session * sctx, Gsasl_property prop, uschar * val,
+  unsigned flags, uschar * buffer, int buffsize)
+{
+uschar * s;
+
+if (!val) return !!(flags & PROP_OPTIONAL);
+if (!(s = expand_string(val)) || !(flags & PROP_OPTIONAL) && !*s)
+  {
+  string_format(buffer, buffsize, "%s", expand_string_message);
+  return FALSE;
+  }
+if (*s)
+  {
+  HDEBUG(D_auth) debug_printf("%s: set %s = '%s'\n", __FUNCTION__,
+    gsasl_prop_code_to_name(prop), s);
+  gsasl_property_set(sctx, prop, CS s);
+  }
+
+return TRUE;
+}
+
+/*************************************************
+*              Client entry point                *
+*************************************************/
+
+/* For interface, see auths/README */
+
+int
+auth_gsasl_client(
+  auth_instance *ablock,		/* authenticator block */
+  void * sx,				/* connection */
+  int timeout,				/* command timeout */
+  uschar *buffer,			/* buffer for reading response */
+  int buffsize)				/* size of buffer */
+{
+auth_gsasl_options_block *ob =
+  (auth_gsasl_options_block *)(ablock->options_block);
+Gsasl_session * sctx = NULL;
+struct callback_exim_state cb_state;
+uschar * s;
+BOOL initial = TRUE;
+int rc, yield = FAIL;
+
+HDEBUG(D_auth)
+  debug_printf("GNU SASL: initialising session for %s, mechanism %s\n",
+      ablock->name, ob->server_mech);
+
+*buffer = 0;
+
+#ifndef DISABLE_TLS
+if (tls_out.channelbinding && ob->client_channelbinding)
+  {
+# ifndef DISABLE_TLS_RESUME
+  if (!tls_out.ext_master_secret && tls_out.resumption == RESUME_USED)
+    {	/* Per RFC 7677 section 4.  See also RFC 7627, "Triple Handshake"
+	vulnerability, and https://www.mitls.org/pages/attacks/3SHAKE */
+    string_format(buffer, buffsize, "%s",
+      "channel binding not usable on resumed TLS without extended-master-secret");
+    return FAIL;
+    }
+# endif
+# ifdef CHANNELBIND_HACK
+  /* This is a gross hack to get around the library before 1.9.2
+  a) requiring that c-b was already set, at the _start() call, and
+  b) caching a b64'd version of the binding then which it never updates. */
+
+  gsasl_callback_hook_set(gsasl_ctx, tls_out.channelbinding);
+# endif
+  }
+#endif
+
+if ((rc = gsasl_client_start(gsasl_ctx, CCS ob->server_mech, &sctx)) != GSASL_OK)
+  {
+  string_format(buffer, buffsize, "GNU SASL: session start failure: %s (%s)",
+      gsasl_strerror_name(rc), gsasl_strerror(rc));
+  HDEBUG(D_auth) debug_printf("%s\n", buffer);
+  return ERROR;
+  }
+
+cb_state.ablock = ablock;
+cb_state.currently = CURRENTLY_CLIENT;
+gsasl_session_hook_set(sctx, &cb_state);
+
+/* Set properties */
+
+if (  !set_client_prop(sctx, GSASL_PASSWORD, ob->client_password,
+		  0, buffer, buffsize)
+   || !set_client_prop(sctx, GSASL_AUTHID, ob->client_username,
+		  0, buffer, buffsize)
+   || !set_client_prop(sctx, GSASL_AUTHZID, ob->client_authz,
+		  PROP_OPTIONAL, buffer, buffsize)
+   )
+  return ERROR;
+
+#ifndef DISABLE_TLS
+if (tls_out.channelbinding)
+  if (ob->client_channelbinding)
+    {
+    HDEBUG(D_auth) debug_printf("Auth %s: Enabling channel-binding\n",
+	ablock->name);
+# ifndef CHANNELBIND_HACK
+    gsasl_property_set(sctx, GSASL_CB_TLS_UNIQUE, CCS tls_out.channelbinding);
+# endif
+    }
+  else
+    HDEBUG(D_auth)
+      debug_printf("Auth %s: Not enabling channel-binding (data available)\n",
+	  ablock->name);
+#endif
+
+/* Run the SASL conversation with the server */
+
+for(s = NULL; ;)
+  {
+  uschar * outstr;
+  BOOL fail = TRUE;
+
+  rc = gsasl_step64(sctx, CS s, CSS &outstr);
+
+  if (rc == GSASL_NEEDS_MORE || rc == GSASL_OK)
+    {
+    fail = initial
+      ? smtp_write_command(sx, SCMD_FLUSH,
+			  outstr ? "AUTH %s %s\r\n" : "AUTH %s\r\n",
+			  ablock->public_name, outstr) <= 0
+      : outstr
+      ? smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", outstr) <= 0
+      : FALSE;
+    free(outstr);
+    if (fail)
+      {
+      yield = FAIL_SEND;
+      goto done;
+      }
+    initial = FALSE;
+    }
+
+  if (rc != GSASL_NEEDS_MORE)
+    {
+    if (rc != GSASL_OK)
+      {
+      string_format(buffer, buffsize, "gsasl: %s", gsasl_strerror(rc));
+      break;
+      }
+
+    /* expecting a final 2xx from the server, accepting the AUTH */
+
+    if (smtp_read_response(sx, buffer, buffsize, '2', timeout))
+      yield = OK;
+    break;	/* from SASL sequence loop */
+    }
+
+  /* 2xx or 3xx response is acceptable.  If 2xx, no further input */
+
+  if (!smtp_read_response(sx, buffer, buffsize, '3', timeout))
+    if (errno == 0 && buffer[0] == '2')
+      buffer[4] = '\0';
+    else
+      {
+      yield = FAIL;
+      goto done;
+      }
+  s = buffer + 4;
+  }
+
+done:
+if (yield == OK)
+  {
+  expand_nmax = 0;
+  set_exim_authvar_from_prop(sctx, GSASL_AUTHID);
+  set_exim_authvar_from_prop(sctx, GSASL_SCRAM_ITER);
+  set_exim_authvar_from_prop(sctx, GSASL_SCRAM_SALT);
+  set_exim_authvar_from_prop(sctx, GSASL_SCRAM_SALTED_PASSWORD);
+  }
+
+gsasl_finish(sctx);
+return yield;
+}
+
+static int
+client_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop, auth_instance *ablock)
+{
+HDEBUG(D_auth) debug_printf("GNU SASL callback %s for %s/%s as client\n",
+	    gsasl_prop_code_to_name(prop), ablock->name, ablock->public_name);
+switch (prop)
+  {
+  case GSASL_CB_TLS_UNIQUE:	/*XXX should never get called for this */
+    HDEBUG(D_auth)
+      debug_printf(" filling in\n");
+    gsasl_property_set(sctx, GSASL_CB_TLS_UNIQUE, CCS tls_out.channelbinding);
+    return GSASL_OK;
+  case GSASL_SCRAM_SALTED_PASSWORD:
+    {
+    uschar * client_spassword =
+      ((auth_gsasl_options_block *) ablock->options_block)->client_spassword;
+    uschar dummy[4];
+    HDEBUG(D_auth) if (!client_spassword)
+      debug_printf(" client_spassword option unset\n");
+    if (client_spassword)
+      {
+      expand_nmax = 0;
+      set_exim_authvar_from_prop(sctx, GSASL_AUTHID);
+      set_exim_authvar_from_prop(sctx, GSASL_SCRAM_ITER);
+      set_exim_authvar_from_prop(sctx, GSASL_SCRAM_SALT);
+      set_client_prop(sctx, GSASL_SCRAM_SALTED_PASSWORD, client_spassword,
+		  0, dummy, sizeof(dummy));
+      for (int i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
+      expand_nmax = 0;
+      }
+    break;
+    }
+  default:
+    HDEBUG(D_auth)
+      debug_printf(" not providing one\n");
+    break;
+  }
+return GSASL_NO_CALLBACK;
+}
+
+/*************************************************
+*                Diagnostic API                  *
+*************************************************/
+
+gstring *
+auth_gsasl_version_report(gstring * g)
+{
+return string_fmt_append(g, "Library version: GNU SASL: Compile: %s\n"
+			    "                           Runtime: %s\n",
+	GSASL_VERSION, gsasl_check_version(NULL));
+}
+
+
+
+/* Dummy */
+void auth_gsasl_macros(void) {}
+
+#endif   /*!MACRO_PREDEF*/
+#endif  /* AUTH_GSASL */
+
+/* End of gsasl_exim.c */
diff --git a/src/auths/gsasl_exim.h b/src/auths/gsasl_exim.h
new file mode 100644
index 0000000..19c9036
--- /dev/null
+++ b/src/auths/gsasl_exim.h
@@ -0,0 +1,53 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2019 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Copyright (c) Twitter Inc 2012 */
+
+/* Interface to GNU SASL library for generic authentication. */
+
+/* Authenticator-specific options. */
+
+typedef struct {
+  uschar *server_service;
+  uschar *server_hostname;
+  uschar *server_realm;
+  uschar *server_mech;
+  uschar *server_password;
+  uschar *server_key;
+  uschar *server_s_key;
+  uschar *server_scram_iter;
+  uschar *server_scram_salt;
+
+  uschar *client_username;
+  uschar *client_password;
+  uschar *client_authz;
+  uschar *client_spassword;
+
+  BOOL    server_channelbinding;
+  BOOL	  client_channelbinding;
+} auth_gsasl_options_block;
+
+/* Data for reading the authenticator-specific options. */
+
+extern optionlist auth_gsasl_options[];
+extern int auth_gsasl_options_count;
+
+/* Defaults for the authenticator-specific options. */
+
+extern auth_gsasl_options_block auth_gsasl_option_defaults;
+
+/* The entry points for the mechanism */
+
+extern void auth_gsasl_init(auth_instance *);
+extern int auth_gsasl_server(auth_instance *, uschar *);
+extern int auth_gsasl_client(auth_instance *, void *,
+				int, uschar *, int);
+extern gstring * auth_gsasl_version_report(gstring *);
+extern void auth_gsasl_macros(void);
+
+/* End of gsasl_exim.h */
diff --git a/src/auths/heimdal_gssapi.c b/src/auths/heimdal_gssapi.c
new file mode 100644
index 0000000..3817632
--- /dev/null
+++ b/src/auths/heimdal_gssapi.c
@@ -0,0 +1,618 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Copyright (c) Twitter Inc 2012
+   Author: Phil Pennock <pdp@exim.org> */
+/* Copyright (c) Phil Pennock 2012 */
+
+/* Interface to Heimdal library for GSSAPI authentication. */
+
+/* Naming and rationale
+
+Sensibly, this integration would be deferred to a SASL library, but none
+of them appear to offer keytab file selection interfaces in their APIs.  It
+might be that this driver only requires minor modification to work with MIT
+Kerberos.
+
+Heimdal provides a number of interfaces for various forms of authentication.
+As GS2 does not appear to provide keytab control interfaces either, we may
+end up supporting that too.  It's possible that we could trivially expand to
+support NTLM support via Heimdal, etc.  Rather than try to be too generic
+immediately, this driver is directly only supporting GSSAPI.
+
+Without rename, we could add an option for GS2 support in the future.
+*/
+
+/* Sources
+
+* mailcheck-imap (Perl, client-side, written by me years ago)
+* gsasl driver (GPL, server-side)
+* heimdal sources and man-pages, plus http://www.h5l.org/manual/
+* FreeBSD man-pages (very informative!)
+* http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
+  semantics, that found by browsing Heimdal source to find how to set the keytab; however,
+  after multiple attempts I failed to get that to work and instead switched to
+  gsskrb5_register_acceptor_identity().
+*/
+
+#include "../exim.h"
+
+#ifndef AUTH_HEIMDAL_GSSAPI
+/* dummy function to satisfy compilers when we link in an "empty" file. */
+static void dummy(int x);
+static void dummy2(int x) { dummy(x-1); }
+static void dummy(int x) { dummy2(x-1); }
+#else
+
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
+
+/* for the _init debugging */
+#include <krb5.h>
+
+#include "heimdal_gssapi.h"
+
+/* Authenticator-specific options. */
+optionlist auth_heimdal_gssapi_options[] = {
+  { "server_hostname",      opt_stringptr,
+      OPT_OFF(auth_heimdal_gssapi_options_block, server_hostname) },
+  { "server_keytab",        opt_stringptr,
+      OPT_OFF(auth_heimdal_gssapi_options_block, server_keytab) },
+  { "server_service",       opt_stringptr,
+      OPT_OFF(auth_heimdal_gssapi_options_block, server_service) }
+};
+
+int auth_heimdal_gssapi_options_count =
+  sizeof(auth_heimdal_gssapi_options)/sizeof(optionlist);
+
+/* Defaults for the authenticator-specific options. */
+auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
+  US"$primary_hostname",    /* server_hostname */
+  NULL,                     /* server_keytab */
+  US"smtp",                 /* server_service */
+};
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+void auth_heimdal_gssapi_init(auth_instance *ablock) {}
+int auth_heimdal_gssapi_server(auth_instance *ablock, uschar *data) {return 0;}
+int auth_heimdal_gssapi_client(auth_instance *ablock, void * sx,
+  int timeout, uschar *buffer, int buffsize) {return 0;}
+gstring * auth_heimdal_gssapi_version_report(gstring * g) {}
+
+#else   /*!MACRO_PREDEF*/
+
+
+
+/* "Globals" for managing the heimdal_gssapi interface. */
+
+/* Utility functions */
+static void
+  exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
+static int
+  exim_gssapi_error_defer(rmark, OM_uint32, OM_uint32, const char *, ...)
+    PRINTF_FUNCTION(4, 5);
+
+#define EmptyBuf(buf) do { buf.value = NULL; buf.length = 0; } while (0)
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up. */
+
+/* Heimdal provides a GSSAPI extension method for setting the keytab;
+in the init, we mostly just use raw krb5 methods so that we can report
+the keytab contents, for -D+auth debugging. */
+
+void
+auth_heimdal_gssapi_init(auth_instance *ablock)
+{
+krb5_context context;
+krb5_keytab keytab;
+krb5_kt_cursor cursor;
+krb5_keytab_entry entry;
+krb5_error_code krc;
+char *principal, *enctype_s;
+const char *k_keytab_typed_name = NULL;
+auth_heimdal_gssapi_options_block *ob =
+  (auth_heimdal_gssapi_options_block *)(ablock->options_block);
+
+ablock->server = FALSE;
+ablock->client = FALSE;
+
+if (!ob->server_service || !*ob->server_service)
+  {
+  HDEBUG(D_auth) debug_printf("heimdal: missing server_service\n");
+  return;
+  }
+
+if ((krc = krb5_init_context(&context)))
+  {
+  int kerr = errno;
+  HDEBUG(D_auth) debug_printf("heimdal: failed to initialise krb5 context: %s\n",
+      strerror(kerr));
+  return;
+  }
+
+if (ob->server_keytab)
+  {
+  k_keytab_typed_name = CCS string_sprintf("file:%s", expand_string(ob->server_keytab));
+  HDEBUG(D_auth) debug_printf("heimdal: using keytab %s\n", k_keytab_typed_name);
+  if ((krc = krb5_kt_resolve(context, k_keytab_typed_name, &keytab)))
+    {
+    HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_resolve", context, krc);
+    return;
+    }
+  }
+else
+ {
+  HDEBUG(D_auth) debug_printf("heimdal: using system default keytab\n");
+  if ((krc = krb5_kt_default(context, &keytab)))
+    {
+    HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_default", context, krc);
+    return;
+    }
+  }
+
+HDEBUG(D_auth)
+  {
+  /* http://www.h5l.org/manual/HEAD/krb5/krb5_keytab_intro.html */
+  if ((krc = krb5_kt_start_seq_get(context, keytab, &cursor)))
+    exim_heimdal_error_debug("krb5_kt_start_seq_get", context, krc);
+  else
+    {
+    while (!(krc = krb5_kt_next_entry(context, keytab, &entry, &cursor)))
+      {
+      principal = enctype_s = NULL;
+      krb5_unparse_name(context, entry.principal, &principal);
+      krb5_enctype_to_string(context, entry.keyblock.keytype, &enctype_s);
+      debug_printf("heimdal: keytab principal: %s  vno=%d  type=%s\n",
+	  principal ? principal : "??",
+	  entry.vno,
+	  enctype_s ? enctype_s : "??");
+      free(principal);
+      free(enctype_s);
+      krb5_kt_free_entry(context, &entry);
+      }
+    if ((krc = krb5_kt_end_seq_get(context, keytab, &cursor)))
+      exim_heimdal_error_debug("krb5_kt_end_seq_get", context, krc);
+    }
+  }
+
+if ((krc = krb5_kt_close(context, keytab)))
+  HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_close", context, krc);
+
+krb5_free_context(context);
+
+ablock->server = TRUE;
+}
+
+
+static void
+exim_heimdal_error_debug(const char *label,
+    krb5_context context, krb5_error_code err)
+{
+const char *kerrsc;
+kerrsc = krb5_get_error_message(context, err);
+debug_printf("heimdal %s: %s\n", label, kerrsc ? kerrsc : "unknown error");
+krb5_free_error_message(context, kerrsc);
+}
+
+/*************************************************
+*             Server entry point                 *
+*************************************************/
+
+/* For interface, see auths/README */
+
+/* GSSAPI notes:
+OM_uint32: portable type for unsigned int32
+gss_buffer_desc / *gss_buffer_t: hold/point-to size_t .length & void *value
+  -- all strings/etc passed in should go through one of these
+  -- when allocated by gssapi, release with gss_release_buffer()
+*/
+
+int
+auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
+{
+gss_name_t gclient = GSS_C_NO_NAME;
+gss_name_t gserver = GSS_C_NO_NAME;
+gss_cred_id_t gcred = GSS_C_NO_CREDENTIAL;
+gss_ctx_id_t gcontext = GSS_C_NO_CONTEXT;
+uschar *ex_server_str;
+gss_buffer_desc gbufdesc = GSS_C_EMPTY_BUFFER;
+gss_buffer_desc gbufdesc_in = GSS_C_EMPTY_BUFFER;
+gss_buffer_desc gbufdesc_out = GSS_C_EMPTY_BUFFER;
+gss_OID mech_type;
+OM_uint32 maj_stat, min_stat;
+int step, error_out;
+uschar *tmp1, *tmp2, *from_client;
+auth_heimdal_gssapi_options_block *ob =
+  (auth_heimdal_gssapi_options_block *)(ablock->options_block);
+BOOL handled_empty_ir;
+rmark store_reset_point;
+uschar *keytab;
+uschar sasl_config[4];
+uschar requested_qop;
+
+store_reset_point = store_mark();
+
+HDEBUG(D_auth)
+  debug_printf("heimdal: initialising auth context for %s\n", ablock->name);
+
+/* Construct our gss_name_t gserver describing ourselves */
+tmp1 = expand_string(ob->server_service);
+tmp2 = expand_string(ob->server_hostname);
+ex_server_str = string_sprintf("%s@%s", tmp1, tmp2);
+gbufdesc.value = (void *) ex_server_str;
+gbufdesc.length = Ustrlen(ex_server_str);
+maj_stat = gss_import_name(&min_stat,
+    &gbufdesc, GSS_C_NT_HOSTBASED_SERVICE, &gserver);
+if (GSS_ERROR(maj_stat))
+  return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
+      "gss_import_name(%s)", CS gbufdesc.value);
+
+/* Use a specific keytab, if specified */
+if (ob->server_keytab) 
+  {
+  keytab = expand_string(ob->server_keytab);
+  maj_stat = gsskrb5_register_acceptor_identity(CCS keytab);
+  if (GSS_ERROR(maj_stat))
+    return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
+	"registering keytab \"%s\"", keytab);
+  HDEBUG(D_auth)
+    debug_printf("heimdal: using keytab \"%s\"\n", keytab);
+  }
+
+/* Acquire our credentials */
+maj_stat = gss_acquire_cred(&min_stat,
+    gserver,             /* desired name */
+    0,                   /* time */
+    GSS_C_NULL_OID_SET,  /* desired mechs */
+    GSS_C_ACCEPT,        /* cred usage */
+    &gcred,              /* handle */
+    NULL                 /* actual mechs */,
+    NULL                 /* time rec */);
+if (GSS_ERROR(maj_stat))
+  return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
+      "gss_acquire_cred(%s)", ex_server_str);
+
+maj_stat = gss_release_name(&min_stat, &gserver);
+
+HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n");
+
+/* Loop talking to client */
+step = 0;
+from_client = initial_data;
+handled_empty_ir = FALSE;
+error_out = OK;
+
+/* buffer sizes: auth_get_data() uses big_buffer, which we grow per
+GSSAPI RFC in _init, if needed, to meet the SHOULD size of 64KB.
+(big_buffer starts life at the MUST size of 16KB). */
+
+/* step values
+0: getting initial data from client to feed into GSSAPI
+1: iterating for as long as GSS_S_CONTINUE_NEEDED
+2: GSS_S_COMPLETE, SASL wrapping for authz and qop to send to client
+3: unpick final auth message from client
+4: break/finish (non-step)
+*/
+while (step < 4)
+  switch (step)
+    {
+    case 0:
+      if (!from_client || !*from_client)
+        {
+	if (handled_empty_ir)
+	  {
+	  HDEBUG(D_auth) debug_printf("gssapi: repeated empty input, grr.\n");
+	  error_out = BAD64;
+	  goto ERROR_OUT;
+	  }
+
+	HDEBUG(D_auth) debug_printf("gssapi: missing initial response, nudging.\n");
+	if ((error_out = auth_get_data(&from_client, US"", 0)) != OK)
+	  goto ERROR_OUT;
+	handled_empty_ir = TRUE;
+	continue;
+	}
+      /* We should now have the opening data from the client, base64-encoded. */
+      step += 1;
+      HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n");
+      break;
+
+    case 1:
+      gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
+      if (gclient)
+        {
+	maj_stat = gss_release_name(&min_stat, &gclient);
+	gclient = GSS_C_NO_NAME;
+	}
+      maj_stat = gss_accept_sec_context(&min_stat,
+	  &gcontext,          /* context handle */
+	  gcred,              /* acceptor cred handle */
+	  &gbufdesc_in,       /* input from client */
+	  GSS_C_NO_CHANNEL_BINDINGS,  /* XXX fixme: use the channel bindings from GnuTLS */
+	  &gclient,           /* client identifier */
+	  &mech_type,         /* mechanism in use */
+	  &gbufdesc_out,      /* output to send to client */
+	  NULL,               /* return flags */
+	  NULL,               /* time rec */
+	  NULL                /* delegated cred_handle */
+	  );
+      if (GSS_ERROR(maj_stat))
+        {
+	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
+	    "gss_accept_sec_context()");
+	error_out = FAIL;
+	goto ERROR_OUT;
+	}
+      if (gbufdesc_out.length != 0)
+        {
+	error_out = auth_get_data(&from_client,
+	    gbufdesc_out.value, gbufdesc_out.length);
+	if (error_out != OK)
+	  goto ERROR_OUT;
+
+	gss_release_buffer(&min_stat, &gbufdesc_out);
+	EmptyBuf(gbufdesc_out);
+	}
+      if (maj_stat == GSS_S_COMPLETE)
+        {
+	step += 1;
+	HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n");
+	}
+      else
+	HDEBUG(D_auth) debug_printf("heimdal: need more data\n");
+      break;
+
+    case 2:
+      memset(sasl_config, 0xFF, 4);
+      /* draft-ietf-sasl-gssapi-06.txt defines bitmasks for first octet
+      0x01 No security layer
+      0x02 Integrity protection
+      0x04 Confidentiality protection
+
+      The remaining three octets are the maximum buffer size for wrapped
+      content. */
+      sasl_config[0] = 0x01;  /* Exim does not wrap/unwrap SASL layers after auth */
+      gbufdesc.value = (void *) sasl_config;
+      gbufdesc.length = 4;
+      maj_stat = gss_wrap(&min_stat,
+	  gcontext,
+	  0,                    /* conf_req_flag: integrity only */
+	  GSS_C_QOP_DEFAULT,    /* qop requested */
+	  &gbufdesc,            /* message to protect */
+	  NULL,                 /* conf_state: no confidentiality applied */
+	  &gbufdesc_out         /* output buffer */
+	  );
+      if (GSS_ERROR(maj_stat))
+        {
+	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
+	    "gss_wrap(SASL state after auth)");
+	error_out = FAIL;
+	goto ERROR_OUT;
+	}
+
+      HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n");
+
+      error_out = auth_get_data(&from_client,
+	  gbufdesc_out.value, gbufdesc_out.length);
+      if (error_out != OK)
+	goto ERROR_OUT;
+
+      gss_release_buffer(&min_stat, &gbufdesc_out);
+      EmptyBuf(gbufdesc_out);
+      step += 1;
+      break;
+
+    case 3:
+      gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
+      maj_stat = gss_unwrap(&min_stat,
+	  gcontext,
+	  &gbufdesc_in,       /* data from client */
+	  &gbufdesc_out,      /* results */
+	  NULL,               /* conf state */
+	  NULL                /* qop state */
+	  );
+      if (GSS_ERROR(maj_stat))
+        {
+	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
+	    "gss_unwrap(final SASL message from client)");
+	error_out = FAIL;
+	goto ERROR_OUT;
+	}
+      if (gbufdesc_out.length < 4)
+        {
+	HDEBUG(D_auth)
+	  debug_printf("gssapi: final message too short; "
+	      "need flags, buf sizes and optional authzid\n");
+	error_out = FAIL;
+	goto ERROR_OUT;
+	}
+
+      requested_qop = (CS gbufdesc_out.value)[0];
+      if (!(requested_qop & 0x01))
+        {
+	HDEBUG(D_auth)
+	  debug_printf("gssapi: client requested security layers (%x)\n",
+	      (unsigned int) requested_qop);
+	error_out = FAIL;
+	goto ERROR_OUT;
+	}
+
+      for (int i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
+      expand_nmax = 0;
+
+      /* Identifiers:
+      The SASL provided identifier is an unverified authzid.
+      GSSAPI provides us with a verified identifier, but it might be empty
+      for some clients.
+      */
+
+      /* $auth2 is authzid requested at SASL layer */
+      if (gbufdesc_out.length > 4)
+        {
+	expand_nlength[2] = gbufdesc_out.length - 4;
+	auth_vars[1] = expand_nstring[2] =
+	  string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
+	expand_nmax = 2;
+	}
+
+      gss_release_buffer(&min_stat, &gbufdesc_out);
+      EmptyBuf(gbufdesc_out);
+
+      /* $auth1 is GSSAPI display name */
+      maj_stat = gss_display_name(&min_stat,
+	  gclient, &gbufdesc_out, &mech_type);
+      if (GSS_ERROR(maj_stat))
+        {
+	auth_vars[1] = expand_nstring[2] = NULL;
+	expand_nmax = 0;
+	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
+	    "gss_display_name(client identifier)");
+	error_out = FAIL;
+	goto ERROR_OUT;
+	}
+
+      expand_nlength[1] = gbufdesc_out.length;
+      auth_vars[0] = expand_nstring[1] =
+	string_copyn(gbufdesc_out.value, gbufdesc_out.length);
+
+      if (expand_nmax == 0)	/* should be: authzid was empty */
+	{
+	expand_nmax = 2;
+	expand_nlength[2] = expand_nlength[1];
+	auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
+	HDEBUG(D_auth)
+	  debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
+	}
+
+      HDEBUG(D_auth)
+	debug_printf("heimdal SASL: happy with client request\n"
+	   "  auth1 (verified GSSAPI display-name): \"%s\"\n"
+	   "  auth2 (unverified SASL requested authzid): \"%s\"\n",
+	   auth_vars[0], auth_vars[1]);
+
+      step += 1;
+      break;
+
+    } /* switch */
+  /* while step */
+
+
+ERROR_OUT:
+maj_stat = gss_release_cred(&min_stat, &gcred);
+if (gclient)
+  {
+  gss_release_name(&min_stat, &gclient);
+  gclient = GSS_C_NO_NAME;
+  }
+if (gbufdesc_out.length)
+  {
+  gss_release_buffer(&min_stat, &gbufdesc_out);
+  EmptyBuf(gbufdesc_out);
+  }
+if (gcontext != GSS_C_NO_CONTEXT)
+  gss_delete_sec_context(&min_stat, &gcontext, GSS_C_NO_BUFFER);
+
+store_reset(store_reset_point);
+
+if (error_out != OK)
+  return error_out;
+
+/* Auth succeeded, check server_condition */
+return auth_check_serv_cond(ablock);
+}
+
+
+static int
+exim_gssapi_error_defer(rmark store_reset_point,
+    OM_uint32 major, OM_uint32 minor,
+    const char *format, ...)
+{
+va_list ap;
+OM_uint32 maj_stat, min_stat;
+OM_uint32 msgcontext = 0;
+gss_buffer_desc status_string;
+gstring * g;
+
+HDEBUG(D_auth)
+  {
+  va_start(ap, format);
+  g = string_vformat(NULL, SVFMT_EXTEND|SVFMT_REBUFFER, format, ap);
+  va_end(ap);
+  }
+
+auth_defer_msg = NULL;
+
+do {
+  maj_stat = gss_display_status(&min_stat,
+      major, GSS_C_GSS_CODE, GSS_C_NO_OID, &msgcontext, &status_string);
+
+  if (!auth_defer_msg)
+    auth_defer_msg = string_copy(US status_string.value);
+
+  HDEBUG(D_auth) debug_printf("heimdal %s: %.*s\n",
+      string_from_gstring(g), (int)status_string.length,
+      CS status_string.value);
+  gss_release_buffer(&min_stat, &status_string);
+
+  } while (msgcontext != 0);
+
+if (store_reset_point)
+  store_reset(store_reset_point);
+return DEFER;
+}
+
+
+/*************************************************
+*              Client entry point                *
+*************************************************/
+
+/* For interface, see auths/README */
+
+int
+auth_heimdal_gssapi_client(
+  auth_instance *ablock,                 /* authenticator block */
+  void * sx,				 /* connection */
+  int timeout,                           /* command timeout */
+  uschar *buffer,                        /* buffer for reading response */
+  int buffsize)                          /* size of buffer */
+{
+HDEBUG(D_auth)
+  debug_printf("Client side NOT IMPLEMENTED: you should not see this!\n");
+/* NOT IMPLEMENTED */
+return FAIL;
+}
+
+/*************************************************
+*                Diagnostic API                  *
+*************************************************/
+
+gstring *
+auth_heimdal_gssapi_version_report(gstring * g)
+{
+/* No build-time constants available unless we link against libraries at
+build-time and export the result as a string into a header ourselves. */
+
+return string_fmt_append(g, "Library version: Heimdal: Runtime: %s\n"
+			    " Build Info: %s\n",
+	heimdal_version, heimdal_long_version));
+}
+
+#endif   /*!MACRO_PREDEF*/
+#endif  /* AUTH_HEIMDAL_GSSAPI */
+
+/* End of heimdal_gssapi.c */
diff --git a/src/auths/heimdal_gssapi.h b/src/auths/heimdal_gssapi.h
new file mode 100644
index 0000000..49775af
--- /dev/null
+++ b/src/auths/heimdal_gssapi.h
@@ -0,0 +1,39 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Copyright (c) Twitter Inc 2012
+   Author: Phil Pennock <pdp@exim.org> */
+/* Copyright (c) Phil Pennock 2012 */
+
+/* Interface to Heimdal library for GSSAPI authentication. */
+
+/* Authenticator-specific options. */
+
+typedef struct {
+  uschar *server_hostname;
+  uschar *server_keytab;
+  uschar *server_service;
+} auth_heimdal_gssapi_options_block;
+
+/* Data for reading the authenticator-specific options. */
+
+extern optionlist auth_heimdal_gssapi_options[];
+extern int auth_heimdal_gssapi_options_count;
+
+/* Defaults for the authenticator-specific options. */
+
+extern auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults;
+
+/* The entry points for the mechanism */
+
+extern void auth_heimdal_gssapi_init(auth_instance *);
+extern int auth_heimdal_gssapi_server(auth_instance *, uschar *);
+extern int auth_heimdal_gssapi_client(auth_instance *, void *, int, uschar *, int);
+extern void auth_heimdal_gssapi_version_report(BOOL);
+
+/* End of heimdal_gssapi.h */
diff --git a/src/auths/plaintext.c b/src/auths/plaintext.c
new file mode 100644
index 0000000..58d1783
--- /dev/null
+++ b/src/auths/plaintext.c
@@ -0,0 +1,179 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 - 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "plaintext.h"
+
+
+/* Options specific to the plaintext authentication mechanism. */
+
+optionlist auth_plaintext_options[] = {
+  { "client_ignore_invalid_base64", opt_bool,
+      OPT_OFF(auth_plaintext_options_block, client_ignore_invalid_base64) },
+  { "client_send",        opt_stringptr,
+      OPT_OFF(auth_plaintext_options_block, client_send) },
+  { "server_prompts",     opt_stringptr,
+      OPT_OFF(auth_plaintext_options_block, server_prompts) }
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int auth_plaintext_options_count =
+  sizeof(auth_plaintext_options)/sizeof(optionlist);
+
+/* Default private options block for the plaintext authentication method. */
+
+auth_plaintext_options_block auth_plaintext_option_defaults = {
+  NULL,              /* server_prompts */
+  NULL,              /* client_send */
+  FALSE              /* client_ignore_invalid_base64 */
+};
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+void auth_plaintext_init(auth_instance *ablock) {}
+int auth_plaintext_server(auth_instance *ablock, uschar *data) {return 0;}
+int auth_plaintext_client(auth_instance *ablock, void * sx, int timeout,
+    uschar *buffer, int buffsize) {return 0;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up. */
+
+void
+auth_plaintext_init(auth_instance *ablock)
+{
+auth_plaintext_options_block *ob =
+  (auth_plaintext_options_block *)(ablock->options_block);
+if (ablock->public_name == NULL) ablock->public_name = ablock->name;
+if (ablock->server_condition != NULL) ablock->server = TRUE;
+if (ob->client_send != NULL) ablock->client = TRUE;
+}
+
+
+
+/*************************************************
+*             Server entry point                 *
+*************************************************/
+
+/* For interface, see auths/README */
+
+int
+auth_plaintext_server(auth_instance * ablock, uschar * data)
+{
+auth_plaintext_options_block * ob =
+  (auth_plaintext_options_block *)(ablock->options_block);
+const uschar * prompts = ob->server_prompts;
+uschar * s;
+int number = 1;
+int rc;
+int sep = 0;
+
+/* Expand a non-empty list of prompt strings */
+
+if (prompts)
+  if (!(prompts = expand_cstring(prompts)))
+    {
+    auth_defer_msg = expand_string_message;
+    return DEFER;
+    }
+
+/* If data was supplied on the AUTH command, decode it, and split it up into
+multiple items at binary zeros. The strings are put into $auth1, $auth2, etc,
+up to a maximum. To retain backwards compatibility, they are also put int $1,
+$2, etc. If the data consists of the string "=" it indicates a single, empty
+string. */
+
+if (*data)
+  if ((rc = auth_read_input(data)) != OK)
+    return rc;
+
+/* Now go through the list of prompt strings. Skip over any whose data has
+already been provided as part of the AUTH command. For the rest, send them
+out as prompts, and get a data item back. If the data item is "*", abandon the
+authentication attempt. Otherwise, split it into items as above. */
+
+while (  (s = string_nextinlist(&prompts, &sep, NULL, 0))
+      && expand_nmax < EXPAND_MAXN)
+  if (number++ > expand_nmax)
+    if ((rc = auth_prompt(CUS s)) != OK)
+      return rc;
+
+/* We now have a number of items of data in $auth1, $auth2, etc (and also, for
+compatibility, in $1, $2, etc). Authentication and authorization are handled
+together for this authenticator by expanding the server_condition option. Note
+that ablock->server_condition is always non-NULL because that's what configures
+this authenticator as a server. */
+
+return auth_check_serv_cond(ablock);
+}
+
+
+
+/*************************************************
+*              Client entry point                *
+*************************************************/
+
+/* For interface, see auths/README */
+
+int
+auth_plaintext_client(
+  auth_instance *ablock,                 /* authenticator block */
+  void * sx,				 /* smtp connextion */
+  int timeout,                           /* command timeout */
+  uschar *buffer,                        /* buffer for reading response */
+  int buffsize)                          /* size of buffer */
+{
+auth_plaintext_options_block *ob =
+  (auth_plaintext_options_block *)(ablock->options_block);
+const uschar * text = ob->client_send;
+const uschar * s;
+int sep = 0;
+int auth_var_idx = 0, rc;
+int flags = AUTH_ITEM_FIRST;
+
+if (ob->client_ignore_invalid_base64)
+  flags |= AUTH_ITEM_IGN64;
+
+/* The text is broken up into a number of different data items, which are
+sent one by one. The first one is sent with the AUTH command; the remainder are
+sent in response to subsequent prompts. Each is expanded before being sent. */
+
+while ((s = string_nextinlist(&text, &sep, NULL, 0)))
+  {
+  if (!text)
+    flags |= AUTH_ITEM_LAST;
+
+  if ((rc = auth_client_item(sx, ablock, &s, flags, timeout, buffer, buffsize))
+       != DEFER)
+    return rc;
+
+  flags &= ~AUTH_ITEM_FIRST;
+
+  if (auth_var_idx < AUTH_VARS)
+    auth_vars[auth_var_idx++] = string_copy(s);
+  }
+
+/* Control should never actually get here. */
+
+return FAIL;
+}
+
+#endif   /*!MACRO_PREDEF*/
+/* End of plaintext.c */
diff --git a/src/auths/plaintext.h b/src/auths/plaintext.h
new file mode 100644
index 0000000..4c6d011
--- /dev/null
+++ b/src/auths/plaintext.h
@@ -0,0 +1,31 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Private structure for the private options. */
+
+typedef struct {
+  uschar *server_prompts;
+  uschar *client_send;
+  BOOL    client_ignore_invalid_base64;
+} auth_plaintext_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist auth_plaintext_options[];
+extern int auth_plaintext_options_count;
+
+/* Block containing default values. */
+
+extern auth_plaintext_options_block auth_plaintext_option_defaults;
+
+/* The entry points for the mechanism */
+
+extern void auth_plaintext_init(auth_instance *);
+extern int auth_plaintext_server(auth_instance *, uschar *);
+extern int auth_plaintext_client(auth_instance *, void *, int, uschar *, int);
+
+/* End of plaintext.h */
diff --git a/src/auths/pwcheck.c b/src/auths/pwcheck.c
new file mode 100644
index 0000000..7dd529f
--- /dev/null
+++ b/src/auths/pwcheck.c
@@ -0,0 +1,449 @@
+/* SASL server API implementation
+ * Rob Siemborski
+ * Tim Martin
+ * $Id: checkpw.c,v 1.49 2002/03/07 19:14:04 ken3 Exp $
+ */
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/*
+ * Copyright (c) 2001 Carnegie Mellon University.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. The name "Carnegie Mellon University" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For permission or any other legal
+ *    details, please contact
+ *      Office of Technology Transfer
+ *      Carnegie Mellon University
+ *      5000 Forbes Avenue
+ *      Pittsburgh, PA  15213-3890
+ *      (412) 268-4387, fax: (412) 268-7395
+ *      tech-transfer@andrew.cmu.edu
+ *
+ * 4. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by Computing Services
+ *     at Carnegie Mellon University (http://www.cmu.edu/computing/)."
+ *
+ * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
+ * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Taken from Cyrus-SASL library and adapted by Alexander S. Sabourenkov
+ * Oct 2001 - Apr 2002: Slightly modified by Philip Hazel.
+ * Aug 2003: new code for saslauthd from Alexander S. Sabourenkov incorporated
+ *           by Philip Hazel (minor mods to avoid compiler warnings)
+ * Oct 2006: (PH) removed redundant tests on "reply" being NULL - some were
+ *           missing, and confused someone who was using this code for some
+ *           other purpose. Here in Exim, "reply" is never NULL.
+ *
+ * screwdriver@lxnt.info
+ *
+ */
+
+/* Originally this module supported only the pwcheck daemon, which is where its
+name comes from. Nowadays it supports saslauthd as well; pwcheck is in fact
+deprecated. The definitions of CYRUS_PWCHECK_SOCKET and CYRUS_SASLAUTHD_SOCKET
+determine whether the facilities are actually supported or not. */
+
+
+#include "../exim.h"
+#include "pwcheck.h"
+
+
+#if defined(CYRUS_PWCHECK_SOCKET) || defined(CYRUS_SASLAUTHD_SOCKET)
+
+#include <sys/uio.h>
+
+static int retry_read(int, void *, unsigned );
+static int retry_writev(int, struct iovec *, int );
+static int read_string(int, uschar **);
+static int write_string(int, const uschar *, int);
+
+#endif
+
+
+/* A dummy function that always fails if pwcheck support is not
+wanted. */
+
+#ifndef CYRUS_PWCHECK_SOCKET
+int pwcheck_verify_password(const char *userid,
+                            const char *passwd,
+                            const char **reply)
+{
+*reply = "pwcheck support is not included in this Exim binary";
+return PWCHECK_FAIL;
+}
+
+
+/* This is the real function */
+
+#else
+
+ /* taken from cyrus-sasl file checkpw.c */
+ /* pwcheck daemon-authenticated login */
+ int pwcheck_verify_password(const char *userid,
+                                  const char *passwd,
+                                  const char **reply)
+ {
+     int s, start, r, n;
+     struct sockaddr_un srvaddr;
+     struct iovec iov[2];
+     static char response[1024];
+
+     *reply = NULL;
+
+     s = socket(AF_UNIX, SOCK_STREAM, 0);
+     if (s == -1) { return PWCHECK_FAIL; }
+
+     memset(CS &srvaddr, 0, sizeof(srvaddr));
+     srvaddr.sun_family = AF_UNIX;
+     strncpy(srvaddr.sun_path, CYRUS_PWCHECK_SOCKET, sizeof(srvaddr.sun_path));
+     r = connect(s, (struct sockaddr *)&srvaddr, sizeof(srvaddr));
+     if (r == -1) {
+        DEBUG(D_auth)
+            debug_printf("Cannot connect to pwcheck daemon (at '%s')\n",CYRUS_PWCHECK_SOCKET);
+       *reply = "cannot connect to pwcheck daemon";
+       return PWCHECK_FAIL;
+     }
+
+     iov[0].iov_base = CS userid;
+     iov[0].iov_len = strlen(userid)+1;
+     iov[1].iov_base = CS passwd;
+     iov[1].iov_len = strlen(passwd)+1;
+
+     retry_writev(s, iov, 2);
+
+     start = 0;
+     while (start < sizeof(response) - 1) {
+       n = read(s, response+start, sizeof(response) - 1 - start);
+       if (n < 1) break;
+       start += n;
+     }
+
+     (void)close(s);
+
+     if (start > 1 && !strncmp(response, "OK", 2)) {
+       return PWCHECK_OK;
+     }
+
+     response[start] = '\0';
+     *reply = response;
+     return PWCHECK_NO;
+ }
+
+#endif
+
+
+
+ /* A dummy function that always fails if saslauthd support is not
+wanted. */
+
+#ifndef CYRUS_SASLAUTHD_SOCKET
+int saslauthd_verify_password(const uschar *userid,
+                const uschar *passwd,
+                const uschar *service,
+                const uschar *realm,
+                const uschar **reply)
+{
+*reply = US"saslauthd support is not included in this Exim binary";
+return PWCHECK_FAIL;
+}
+
+
+/* This is the real function */
+
+#else
+ /* written from scratch  */
+ /* saslauthd daemon-authenticated login */
+
+int saslauthd_verify_password(const uschar *userid,
+                const uschar *password,
+                const uschar *service,
+                const uschar *realm,
+                const uschar **reply)
+{
+    uschar *daemon_reply = NULL;
+    int s, r;
+    struct sockaddr_un srvaddr;
+
+    DEBUG(D_auth)
+       debug_printf("saslauthd userid='%s' servicename='%s'"
+                    " realm='%s'\n", userid, service, realm );
+
+    *reply = NULL;
+
+    s = socket(AF_UNIX, SOCK_STREAM, 0);
+    if (s == -1) {
+       *reply = CUstrerror(errno);
+       return PWCHECK_FAIL;
+    }
+
+    memset(CS &srvaddr, 0, sizeof(srvaddr));
+    srvaddr.sun_family = AF_UNIX;
+    strncpy(srvaddr.sun_path, CYRUS_SASLAUTHD_SOCKET,
+            sizeof(srvaddr.sun_path));
+    r = connect(s, (struct sockaddr *)&srvaddr, sizeof(srvaddr));
+    if (r == -1) {
+       DEBUG(D_auth)
+            debug_printf("Cannot connect to saslauthd daemon (at '%s'): %s\n",
+                         CYRUS_SASLAUTHD_SOCKET, strerror(errno));
+       *reply = string_sprintf("cannot connect to saslauthd daemon at "
+                               "%s: %s", CYRUS_SASLAUTHD_SOCKET,
+                               strerror(errno));
+       return PWCHECK_FAIL;
+    }
+
+    if ( write_string(s, userid, Ustrlen(userid)) < 0) {
+        DEBUG(D_auth)
+            debug_printf("Failed to send userid to saslauthd daemon \n");
+        (void)close(s);
+        return PWCHECK_FAIL;
+    }
+
+    if ( write_string(s, password, Ustrlen(password)) < 0) {
+        DEBUG(D_auth)
+            debug_printf("Failed to send password to saslauthd daemon \n");
+        (void)close(s);
+        return PWCHECK_FAIL;
+    }
+
+    memset((void *)password, 0, Ustrlen(password));
+
+    if ( write_string(s, service, Ustrlen(service)) < 0) {
+        DEBUG(D_auth)
+            debug_printf("Failed to send service name to saslauthd daemon \n");
+        (void)close(s);
+        return PWCHECK_FAIL;
+    }
+
+    if ( write_string(s, realm, Ustrlen(realm)) < 0) {
+        DEBUG(D_auth)
+            debug_printf("Failed to send realm to saslauthd daemon \n");
+        (void)close(s);
+        return PWCHECK_FAIL;
+    }
+
+    if ( read_string(s, &daemon_reply ) < 2) {
+        DEBUG(D_auth)
+            debug_printf("Corrupted answer '%s' received. \n", daemon_reply);
+        (void)close(s);
+        return PWCHECK_FAIL;
+    }
+
+    (void)close(s);
+
+    DEBUG(D_auth)
+        debug_printf("Answer '%s' received. \n", daemon_reply);
+
+    *reply = daemon_reply;
+
+    if ( (daemon_reply[0] == 'O') && (daemon_reply[1] == 'K') )
+        return PWCHECK_OK;
+
+    if ( (daemon_reply[0] == 'N') && (daemon_reply[1] == 'O') )
+        return PWCHECK_NO;
+
+    return PWCHECK_FAIL;
+}
+
+#endif
+
+
+/* helper functions */
+#if defined(CYRUS_PWCHECK_SOCKET) || defined(CYRUS_SASLAUTHD_SOCKET)
+
+#define MAX_REQ_LEN 1024
+
+/* written from scratch */
+
+/* FUNCTION: read_string */
+
+/* SYNOPSIS
+ * read a sasld-style counted string into
+ * store-allocated buffer, set pointer to the buffer,
+ * return number of bytes read or -1 on failure.
+ * END SYNOPSIS */
+
+static int read_string(int fd, uschar **retval) {
+    unsigned short count;
+    int rc;
+
+    rc = (retry_read(fd, &count, sizeof(count)) < (int) sizeof(count));
+    if (!rc) {
+        count = ntohs(count);
+        if (count > MAX_REQ_LEN) {
+            return -1;
+        } else {
+	    /* Assume the file is trusted, so no tainting */
+            *retval = store_get(count + 1, GET_UNTAINTED);
+            rc = (retry_read(fd, *retval, count) < (int) count);
+            (*retval)[count] = '\0';
+            return count;
+        }
+    }
+    return -1;
+}
+
+
+/* FUNCTION: write_string */
+
+/* SYNOPSIS
+ * write a sasld-style counted string into given fd
+ * written bytes on success, -1 on failure.
+ * END SYNOPSIS */
+
+static int write_string(int fd, const uschar *string, int len) {
+    unsigned short count;
+    int rc;
+    struct iovec iov[2];
+
+    count = htons(len);
+
+    iov[0].iov_base = (void *) &count;
+    iov[0].iov_len = sizeof(count);
+    iov[1].iov_base = (void *) string;
+    iov[1].iov_len = len;
+
+    rc = retry_writev(fd, iov, 2);
+
+    return rc;
+}
+
+
+/* taken from cyrus-sasl file saslauthd/saslauthd-unix.c  */
+
+/* FUNCTION: retry_read */
+
+/* SYNOPSIS
+ * Keep calling the read() system call with 'fd', 'buf', and 'nbyte'
+ * until all the data is read in or an error occurs.
+ * END SYNOPSIS */
+static int retry_read(int fd, void *inbuf, unsigned nbyte)
+{
+    int n;
+    int nread = 0;
+    char *buf = CS inbuf;
+
+    if (nbyte == 0) return 0;
+
+    for (;;) {
+       n = read(fd, buf, nbyte);
+       if (n == 0) {
+           /* end of file */
+           return -1;
+       }
+       if (n == -1) {
+           if (errno == EINTR) continue;
+           return -1;
+       }
+
+       nread += n;
+
+       if (n >= (int) nbyte) return nread;
+
+       buf += n;
+       nbyte -= n;
+    }
+}
+
+/* END FUNCTION: retry_read */
+
+/* FUNCTION: retry_writev */
+
+/* SYNOPSIS
+ * Keep calling the writev() system call with 'fd', 'iov', and 'iovcnt'
+ * until all the data is written out or an error occurs.
+ * END SYNOPSIS */
+
+static int     /* R: bytes written, or -1 on error */
+retry_writev (
+  /* PARAMETERS */
+  int fd,                              /* I: fd to write on */
+  struct iovec *iov,                   /* U: iovec array base
+                                        *    modified as data written */
+  int iovcnt                           /* I: number of iovec entries */
+  /* END PARAMETERS */
+  )
+{
+    /* VARIABLES */
+    int n;                             /* return value from writev() */
+    int i;                             /* loop counter */
+    int written;                       /* bytes written so far */
+    static int iov_max;                        /* max number of iovec entries */
+    /* END VARIABLES */
+
+    /* initialization */
+#ifdef MAXIOV
+    iov_max = MAXIOV;
+#else /* ! MAXIOV */
+# ifdef IOV_MAX
+    iov_max = IOV_MAX;
+# else /* ! IOV_MAX */
+    iov_max = 8192;
+# endif /* ! IOV_MAX */
+#endif /* ! MAXIOV */
+    written = 0;
+
+    for (;;) {
+
+       while (iovcnt && iov[0].iov_len == 0) {
+           iov++;
+           iovcnt--;
+       }
+
+       if (!iovcnt) {
+           return written;
+       }
+
+       n = writev(fd, iov, iovcnt > iov_max ? iov_max : iovcnt);
+       if (n == -1) {
+           if (errno == EINVAL && iov_max > 10) {
+               iov_max /= 2;
+               continue;
+           }
+           if (errno == EINTR) {
+               continue;
+           }
+           return -1;
+       } else {
+           written += n;
+       }
+
+       for (i = 0; i < iovcnt; i++) {
+           if (iov[i].iov_len > (unsigned) n) {
+               iov[i].iov_base = CS iov[i].iov_base + n;
+               iov[i].iov_len -= n;
+               break;
+           }
+           n -= iov[i].iov_len;
+           iov[i].iov_len = 0;
+       }
+
+       if (i == iovcnt) {
+           return written;
+       }
+    }
+    /* NOTREACHED */
+}
+
+/* END FUNCTION: retry_writev */
+#endif
+
+/* End of auths/pwcheck.c */
diff --git a/src/auths/pwcheck.h b/src/auths/pwcheck.h
new file mode 100644
index 0000000..1287ea2
--- /dev/null
+++ b/src/auths/pwcheck.h
@@ -0,0 +1,27 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This file provides support for authentication via the Cyrus SASL pwcheck
+daemon (whence its name) and the newer saslauthd daemon. */
+
+/* Error codes used internally within the authentication functions */
+
+/* PWCHECK_OK   - auth successful
+   PWCHECK_NO   - access denied
+   PWCHECK_FAIL - [temporary] failure */
+
+#define PWCHECK_OK   0
+#define PWCHECK_NO   1
+#define PWCHECK_FAIL 2
+
+/* Cyrus functions for doing the business. */
+
+extern int pwcheck_verify_password(const char *, const char *, const char **);
+extern int saslauthd_verify_password(const uschar *, const uschar *,
+           const uschar *, const uschar *, const uschar **);
+
+/* End of pwcheck.h */
diff --git a/src/auths/spa.c b/src/auths/spa.c
new file mode 100644
index 0000000..ff90d33
--- /dev/null
+++ b/src/auths/spa.c
@@ -0,0 +1,376 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This file, which provides support for Microsoft's Secure Password
+Authentication, was contributed by Marc Prud'hommeaux. Tom Kistner added SPA
+server support. I (PH) have only modified it in very trivial ways.
+
+References:
+  http://www.innovation.ch/java/ntlm.html
+  http://www.kuro5hin.org/story/2002/4/28/1436/66154
+  http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5bMS-SMTP%5d.pdf
+
+ * It seems that some systems have existing but different definitions of some
+ * of the following types. I received a complaint about "int16" causing
+ * compilation problems. So I (PH) have renamed them all, to be on the safe
+ * side, by adding 'x' on the end. See auths/auth-spa.h.
+
+ * typedef signed short int16;
+ * typedef unsigned short uint16;
+ * typedef unsigned uint32;
+ * typedef unsigned char  uint8;
+
+07-August-2003:  PH: Patched up the code to avoid assert bombouts for stupid
+                     input data. Find appropriate comment by grepping for "PH".
+16-October-2006: PH: Added a call to auth_check_serv_cond() at the end
+05-June-2010:    PP: handle SASL initial response
+*/
+
+
+#include "../exim.h"
+#include "spa.h"
+
+/* #define DEBUG_SPA */
+
+#ifdef DEBUG_SPA
+#define DSPA(x,y,z)   debug_printf(x,y,z)
+#else
+#define DSPA(x,y,z)
+#endif
+
+/* Options specific to the spa authentication mechanism. */
+
+optionlist auth_spa_options[] = {
+  { "client_domain",             opt_stringptr,
+      OPT_OFF(auth_spa_options_block, spa_domain) },
+  { "client_password",           opt_stringptr,
+      OPT_OFF(auth_spa_options_block, spa_password) },
+  { "client_username",           opt_stringptr,
+      OPT_OFF(auth_spa_options_block, spa_username) },
+  { "server_password",           opt_stringptr,
+      OPT_OFF(auth_spa_options_block, spa_serverpassword) }
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int auth_spa_options_count =
+  sizeof(auth_spa_options)/sizeof(optionlist);
+
+/* Default private options block for the condition authentication method. */
+
+auth_spa_options_block auth_spa_option_defaults = {
+  NULL,              /* spa_password */
+  NULL,              /* spa_username */
+  NULL,              /* spa_domain */
+  NULL               /* spa_serverpassword (for server side use) */
+};
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+void auth_spa_init(auth_instance *ablock) {}
+int auth_spa_server(auth_instance *ablock, uschar *data) {return 0;}
+int auth_spa_client(auth_instance *ablock, void * sx, int timeout,
+    uschar *buffer, int buffsize) {return 0;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up. */
+
+void
+auth_spa_init(auth_instance *ablock)
+{
+auth_spa_options_block *ob =
+  (auth_spa_options_block *)(ablock->options_block);
+
+/* The public name defaults to the authenticator name */
+
+if (ablock->public_name == NULL) ablock->public_name = ablock->name;
+
+/* Both username and password must be set for a client */
+
+if ((ob->spa_username == NULL) != (ob->spa_password == NULL))
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:\n  "
+      "one of client_username and client_password cannot be set without "
+      "the other", ablock->name);
+ablock->client = ob->spa_username != NULL;
+
+/* For a server we have just one option */
+
+ablock->server = ob->spa_serverpassword != NULL;
+}
+
+
+
+/*************************************************
+*             Server entry point                 *
+*************************************************/
+
+/* For interface, see auths/README */
+
+#define CVAL(buf,pos) ((US (buf))[pos])
+#define PVAL(buf,pos) ((unsigned)CVAL(buf,pos))
+#define SVAL(buf,pos) (PVAL(buf,pos)|PVAL(buf,(pos)+1)<<8)
+#define IVAL(buf,pos) (SVAL(buf,pos)|SVAL(buf,(pos)+2)<<16)
+
+int
+auth_spa_server(auth_instance *ablock, uschar *data)
+{
+auth_spa_options_block *ob = (auth_spa_options_block *)(ablock->options_block);
+uint8x lmRespData[24];
+uint8x ntRespData[24];
+SPAAuthRequest request;
+SPAAuthChallenge challenge;
+SPAAuthResponse  response;
+SPAAuthResponse  *responseptr = &response;
+uschar msgbuf[2048];
+uschar *clearpass, *s;
+unsigned off;
+
+/* send a 334, MS Exchange style, and grab the client's request,
+unless we already have it via an initial response. */
+
+if (!*data && auth_get_no64_data(&data, US"NTLM supported") != OK)
+  return FAIL;
+
+if (spa_base64_to_bits(CS &request, sizeof(request), CCS data) < 0)
+  {
+  DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
+    "request: %s\n", data);
+  return FAIL;
+  }
+
+/* create a challenge and send it back */
+
+spa_build_auth_challenge(&request, &challenge);
+spa_bits_to_base64(msgbuf, US &challenge, spa_request_length(&challenge));
+
+if (auth_get_no64_data(&data, msgbuf) != OK)
+  return FAIL;
+
+/* dump client response */
+if (spa_base64_to_bits(CS &response, sizeof(response), CCS data) < 0)
+  {
+  DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
+    "response: %s\n", data);
+  return FAIL;
+  }
+
+/***************************************************************
+PH 07-Aug-2003: The original code here was this:
+
+Ustrcpy(msgbuf, unicodeToString(((char*)responseptr) +
+  IVAL(&responseptr->uUser.offset,0),
+  SVAL(&responseptr->uUser.len,0)/2) );
+
+However, if the response data is too long, unicodeToString bombs out on
+an assertion failure. It uses a 1024 fixed buffer. Bombing out is not a good
+idea. It's too messy to try to rework that function to return an error because
+it is called from a number of other places in the auth-spa.c module. Instead,
+since it is a very small function, I reproduce its code here, with a size check
+that causes failure if the size of msgbuf is exceeded. ****/
+
+  {
+  int i;
+  char * p;
+  int len = SVAL(&responseptr->uUser.len,0)/2;
+
+  if (  (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
+     || len >= sizeof(responseptr->buffer)/2
+     || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
+     )
+    {
+    DEBUG(D_auth)
+      debug_printf("auth_spa_server(): bad uUser spec in response\n");
+    return FAIL;
+    }
+
+  if (len + 1 >= sizeof(msgbuf)) return FAIL;
+  for (i = 0; i < len; ++i)
+    {
+    msgbuf[i] = *p & 0x7f;
+    p += 2;
+    }
+  msgbuf[i] = 0;
+  }
+
+/***************************************************************/
+
+/* Put the username in $auth1 and $1. The former is now the preferred variable;
+the latter is the original variable. These have to be out of stack memory, and
+need to be available once known even if not authenticated, for error messages
+(server_set_id, which only makes it to authenticated_id if we return OK) */
+
+auth_vars[0] = expand_nstring[1] = string_copy(msgbuf);
+expand_nlength[1] = Ustrlen(msgbuf);
+expand_nmax = 1;
+
+debug_print_string(ablock->server_debug_string);    /* customized debug */
+
+/* look up password */
+
+if (!(clearpass = expand_string(ob->spa_serverpassword)))
+  if (f.expand_string_forcedfail)
+    {
+    DEBUG(D_auth) debug_printf("auth_spa_server(): forced failure while "
+      "expanding spa_serverpassword\n");
+    return FAIL;
+    }
+  else
+    {
+    DEBUG(D_auth) debug_printf("auth_spa_server(): error while expanding "
+      "spa_serverpassword: %s\n", expand_string_message);
+    return DEFER;
+    }
+
+/* create local hash copy */
+
+spa_smb_encrypt(clearpass, challenge.challengeData, lmRespData);
+spa_smb_nt_encrypt(clearpass, challenge.challengeData, ntRespData);
+
+/* compare NT hash (LM may not be available) */
+
+off = IVAL(&responseptr->ntResponse.offset,0);
+if (off >= sizeof(SPAAuthResponse) - 24)
+  {
+  DEBUG(D_auth)
+    debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
+  return FAIL;
+  }
+s = (US responseptr) + off;
+
+if (memcmp(ntRespData, s, 24) == 0)
+  return auth_check_serv_cond(ablock);	/* success. we have a winner. */
+
+  /* Expand server_condition as an authorization check (PH) */
+
+return FAIL;
+}
+
+
+/*************************************************
+*              Client entry point                *
+*************************************************/
+
+/* For interface, see auths/README */
+
+int
+auth_spa_client(
+  auth_instance *ablock,                 /* authenticator block */
+  void * sx,				 /* connection */
+  int timeout,                           /* command timeout */
+  uschar *buffer,                        /* buffer for reading response */
+  int buffsize)                          /* size of buffer */
+{
+auth_spa_options_block *ob =
+       (auth_spa_options_block *)(ablock->options_block);
+SPAAuthRequest   request;
+SPAAuthChallenge challenge;
+SPAAuthResponse  response;
+char msgbuf[2048];
+char *domain = NULL;
+char *username, *password;
+
+/* Code added by PH to expand the options */
+
+*buffer = 0;    /* Default no message when cancelled */
+
+if (!(username = CS expand_string(ob->spa_username)))
+  {
+  if (f.expand_string_forcedfail) return CANCELLED;
+  string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+   "authenticator: %s", ob->spa_username, ablock->name,
+   expand_string_message);
+  return ERROR;
+  }
+
+if (!(password = CS expand_string(ob->spa_password)))
+  {
+  if (f.expand_string_forcedfail) return CANCELLED;
+  string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+   "authenticator: %s", ob->spa_password, ablock->name,
+   expand_string_message);
+  return ERROR;
+  }
+
+if (ob->spa_domain)
+  if (!(domain = CS expand_string(ob->spa_domain)))
+    {
+    if (f.expand_string_forcedfail) return CANCELLED;
+    string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+		  "authenticator: %s", ob->spa_domain, ablock->name,
+		  expand_string_message);
+    return ERROR;
+    }
+
+/* Original code */
+
+if (smtp_write_command(sx, SCMD_FLUSH, "AUTH %s\r\n", ablock->public_name) < 0)
+  return FAIL_SEND;
+
+/* wait for the 3XX OK message */
+if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
+  return FAIL;
+
+DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain);
+
+spa_build_auth_request(&request, CS username, domain);
+spa_bits_to_base64(US msgbuf, US &request, spa_request_length(&request));
+
+DSPA("\n\n%s authenticator: sending request (%s)\n\n", ablock->name, msgbuf);
+
+/* send the encrypted password */
+if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", msgbuf) < 0)
+  return FAIL_SEND;
+
+/* wait for the auth challenge */
+if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
+  return FAIL;
+
+/* convert the challenge into the challenge struct */
+DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4);
+spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4));
+
+spa_build_auth_response(&challenge, &response, CS username, CS password);
+spa_bits_to_base64(US msgbuf, US &response, spa_request_length(&response));
+DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf);
+
+/* send the challenge response */
+if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", msgbuf) < 0)
+       return FAIL_SEND;
+
+/* If we receive a success response from the server, authentication
+has succeeded. There may be more data to send, but is there any point
+in provoking an error here? */
+
+if (smtp_read_response(sx, US buffer, buffsize, '2', timeout))
+  return OK;
+
+/* Not a success response. If errno != 0 there is some kind of transmission
+error. Otherwise, check the response code in the buffer. If it starts with
+'3', more data is expected. */
+
+if (errno != 0 || buffer[0] != '3')
+  return FAIL;
+
+return FAIL;
+}
+
+#endif   /*!MACRO_PREDEF*/
+/* End of spa.c */
diff --git a/src/auths/spa.h b/src/auths/spa.h
new file mode 100644
index 0000000..ca93469
--- /dev/null
+++ b/src/auths/spa.h
@@ -0,0 +1,38 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This file, which provides support for Microsoft's Secure Password
+Authentication, was contributed by Marc Prud'hommeaux. */
+
+
+#include "auth-spa.h"
+
+/* Private structure for the private options. */
+
+typedef struct {
+  uschar *spa_username;
+  uschar *spa_password;
+  uschar *spa_domain;
+  uschar *spa_serverpassword;
+} auth_spa_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist auth_spa_options[];
+extern int auth_spa_options_count;
+
+/* Block containing default values. */
+
+extern auth_spa_options_block auth_spa_option_defaults;
+
+/* The entry points for the mechanism */
+
+extern void auth_spa_init(auth_instance *);
+extern int auth_spa_server(auth_instance *, uschar *);
+extern int auth_spa_client(auth_instance *, void *, int, uschar *, int);
+
+/* End of spa.h */
diff --git a/src/auths/tls.c b/src/auths/tls.c
new file mode 100644
index 0000000..325e7b4
--- /dev/null
+++ b/src/auths/tls.c
@@ -0,0 +1,94 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Jeremy Harris 1995 - 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This file provides an Exim authenticator driver for
+a server to verify a client SSL certificate
+*/
+
+
+#include "../exim.h"
+#include "tls.h"
+
+/* Options specific to the tls authentication mechanism. */
+
+optionlist auth_tls_options[] = {
+  { "server_param",     opt_stringptr,
+      OPT_OFF(auth_tls_options_block, server_param1) },
+  { "server_param1",    opt_stringptr,
+      OPT_OFF(auth_tls_options_block, server_param1) },
+  { "server_param2",    opt_stringptr,
+      OPT_OFF(auth_tls_options_block, server_param2) },
+  { "server_param3",    opt_stringptr,
+      OPT_OFF(auth_tls_options_block, server_param3) },
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int auth_tls_options_count = nelem(auth_tls_options);
+
+/* Default private options block for the authentication method. */
+
+auth_tls_options_block auth_tls_option_defaults = {
+    NULL,	/* server_param1 */
+    NULL,	/* server_param2 */
+    NULL,	/* server_param3 */
+};
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+void auth_tls_init(auth_instance *ablock) {}
+int auth_tls_server(auth_instance *ablock, uschar *data) {return 0;}
+int auth_tls_client(auth_instance *ablock, void * sx,
+  int timeout, uschar *buffer, int buffsize) {return 0;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up. */
+
+void
+auth_tls_init(auth_instance *ablock)
+{
+ablock->public_name = ablock->name;	/* needed for core code */
+}
+
+
+
+/*************************************************
+*             Server entry point                 *
+*************************************************/
+
+/* For interface, see auths/README */
+
+int
+auth_tls_server(auth_instance *ablock, uschar *data)
+{
+auth_tls_options_block * ob = (auth_tls_options_block *)ablock->options_block;
+
+if (ob->server_param1)
+  auth_vars[expand_nmax++] = expand_string(ob->server_param1);
+if (ob->server_param2)
+  auth_vars[expand_nmax++] = expand_string(ob->server_param2);
+if (ob->server_param3)
+  auth_vars[expand_nmax++] = expand_string(ob->server_param3);
+return auth_check_serv_cond(ablock);
+}
+
+
+#endif   /*!MACRO_PREDEF*/
+/* End of tls.c */
diff --git a/src/auths/tls.h b/src/auths/tls.h
new file mode 100644
index 0000000..7aa95b6
--- /dev/null
+++ b/src/auths/tls.h
@@ -0,0 +1,30 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Jeremy Harris 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Private structure for the private options. */
+
+typedef struct {
+  uschar * server_param1;
+  uschar * server_param2;
+  uschar * server_param3;
+} auth_tls_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist auth_tls_options[];
+extern int auth_tls_options_count;
+
+/* Block containing default values. */
+
+extern auth_tls_options_block auth_tls_option_defaults;
+
+/* The entry points for the mechanism */
+
+extern void auth_tls_init(auth_instance *);
+extern int auth_tls_server(auth_instance *, uschar *);
+
+/* End of tls.h */
diff --git a/src/auths/xtextdecode.c b/src/auths/xtextdecode.c
new file mode 100644
index 0000000..746dfbd
--- /dev/null
+++ b/src/auths/xtextdecode.c
@@ -0,0 +1,58 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+
+
+/*************************************************
+*          Decode byte-string in xtext           *
+*************************************************/
+
+/* This function decodes a string in xtextformat as defined in RFC 1891 and
+required by the SMTP AUTH extension (RFC 2554). We put the result in a piece of
+store of equal length - it cannot be longer than this. Although in general the
+result of decoding an xtext may be binary, in the context in which it is used
+by Exim (for decoding the value of AUTH on a MAIL command), the result is
+expected to be an addr-spec. We therefore add on a terminating zero, for
+convenience.
+
+Arguments:
+  code        points to the coded string, zero-terminated
+  ptr         where to put the pointer to the result, which is in
+              dynamic store
+
+Returns:      the number of bytes in the result, excluding the final zero;
+              -1 if the input is malformed
+*/
+
+int
+auth_xtextdecode(uschar *code, uschar **ptr)
+{
+register int x;
+uschar * result = store_get(Ustrlen(code) + 1, code);
+*ptr = result;
+
+while ((x = (*code++)) != 0)
+  {
+  if (x < 33 || x > 127 || x == '=') return -1;
+  if (x == '+')
+    {
+    register int y;
+    if (!isxdigit((x = (*code++)))) return -1;
+    y = ((isdigit(x))? x - '0' : (tolower(x) - 'a' + 10)) << 4;
+    if (!isxdigit((x = (*code++)))) return -1;
+    *result++ = y | ((isdigit(x))? x - '0' : (tolower(x) - 'a' + 10));
+    }
+  else *result++ = x;
+  }
+
+*result = 0;
+return result - *ptr;
+}
+
+/* End of xtextdecode.c */
diff --git a/src/auths/xtextencode.c b/src/auths/xtextencode.c
new file mode 100644
index 0000000..fc571c7
--- /dev/null
+++ b/src/auths/xtextencode.c
@@ -0,0 +1,58 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+
+
+/*************************************************
+*          Encode byte-string in xtext           *
+*************************************************/
+
+/* This function encodes a string of bytes, containing any values whatsoever,
+as "xtext", as defined in RFC 1891 and required by the SMTP AUTH extension (RFC
+2554).
+
+Arguments:
+  clear       points to the clear text bytes
+  len         the number of bytes to encode
+
+Returns:      a pointer to the zero-terminated xtext string, which
+              is in working store
+*/
+
+uschar *
+auth_xtextencode(uschar *clear, int len)
+{
+uschar *code;
+uschar *p = US clear;
+uschar *pp;
+int c = len;
+int count = 1;
+register int x;
+
+/* We have to do a prepass to find out how many specials there are,
+in order to get the right amount of store. */
+
+while (c -- > 0)
+  count += ((x = *p++) < 33 || x > 127 || x == '+' || x == '=')? 3 : 1;
+
+pp = code = store_get(count, clear);
+
+p = US clear;
+c = len;
+while (c-- > 0)
+  if ((x = *p++) < 33 || x > 127 || x == '+' || x == '=')
+    pp += sprintf(CS pp, "+%.02x", x);   /* There's always room */
+  else
+    *pp++ = x;
+
+*pp = 0;
+return code;
+}
+
+/* End of xtextencode.c */
diff --git a/src/base64.c b/src/base64.c
new file mode 100644
index 0000000..fa06a7a
--- /dev/null
+++ b/src/base64.c
@@ -0,0 +1,297 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004, 2015 */
+/* License: GPL */
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "exim.h"
+#ifdef WITH_CONTENT_SCAN	/* file-IO specific decode function */
+# include "mime.h"
+
+/* BASE64 decoder matrix */
+static unsigned char mime_b64[256]={
+/*   0 */  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,
+/*  16 */  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,
+/*  32 */  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,   62,  128,  128,  128,   63,
+/*  48 */   52,   53,   54,   55,   56,   57,   58,   59,   60,   61,  128,  128,  128,  255,  128,  128,
+/*  64 */  128,    0,    1,    2,    3,    4,    5,    6,    7,    8,    9,   10,   11,   12,   13,   14,
+/*  80 */   15,   16,   17,   18,   19,   20,   21,   22,   23,   24,   25,  128,  128,  128,  128,  128,
+/*  96 */  128,   26,   27,   28,   29,   30,   31,   32,   33,   34,   35,   36,   37,   38,   39,   40,
+/* 112 */   41,   42,   43,   44,   45,   46,   47,   48,   49,   50,   51,  128,  128,  128,  128,  128,
+/* 128 */  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,
+/* 144 */  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,
+/* 160 */  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,
+/* 176 */  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,
+/* 192 */  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,
+/* 208 */  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,
+/* 224 */  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,
+/* 240 */  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128,  128
+};
+
+/* decode base64 MIME part */
+ssize_t
+mime_decode_base64(FILE * in, FILE * out, uschar * boundary)
+{
+uschar ibuf[MIME_MAX_LINE_LENGTH], obuf[MIME_MAX_LINE_LENGTH];
+uschar *opos;
+ssize_t len, size = 0;
+int bytestate = 0;
+
+opos = obuf;
+
+while (Ufgets(ibuf, MIME_MAX_LINE_LENGTH, in) != NULL)
+  {
+  if (boundary != NULL
+     && Ustrncmp(ibuf, "--", 2) == 0
+     && Ustrncmp((ibuf+2), boundary, Ustrlen(boundary)) == 0
+     )
+    break;
+
+  for (uschar * ipos = ibuf ; *ipos != '\r' && *ipos != '\n' && *ipos; ++ipos)
+    if (*ipos == '=')			/* skip padding */
+      ++bytestate;
+
+    else if (mime_b64[*ipos] == 128)	/* skip bad characters */
+      mime_set_anomaly(MIME_ANOMALY_BROKEN_BASE64);
+
+    /* simple state-machine */
+    else switch((bytestate++) & 3)
+      {
+      case 0:
+	*opos = mime_b64[*ipos] << 2; break;
+      case 1:
+	*opos++ |= mime_b64[*ipos] >> 4;
+	*opos = mime_b64[*ipos] << 4; break;
+      case 2:
+	*opos++ |= mime_b64[*ipos] >> 2;
+	*opos = mime_b64[*ipos] << 6; break;
+      case 3:
+	*opos++ |= mime_b64[*ipos]; break;
+      }
+
+  /* something to write? */
+  len = opos - obuf;
+  if (len > 0)
+    {
+    if (fwrite(obuf, 1, len, out) != len) return -1; /* error */
+    size += len;
+    /* copy incomplete last byte to start of obuf, where we continue */
+    if ((bytestate & 3) != 0)
+      *obuf = *opos;
+    opos = obuf;
+    }
+  } /* while */
+
+/* write out last byte if it was incomplete */
+if (bytestate & 3)
+  {
+  if (fwrite(obuf, 1, 1, out) != 1) return -1;
+  ++size;
+  }
+
+return size;
+}
+
+#endif	/*WITH_CONTENT_SCAN*/
+
+/*************************************************
+ *************************************************
+ *************************************************
+ *************************************************
+ *************************************************
+ *************************************************
+ *************************************************
+ *************************************************
+ *************************************************
+ *************************************************
+ *************************************************
+ *************************************************
+ *************************************************
+ *************************************************
+ *************************************************
+ *************************************************/
+
+
+/*************************************************
+*          Decode byte-string in base 64         *
+*************************************************/
+
+/* This function decodes a string in base 64 format as defined in RFC 2045
+(MIME) and required by the SMTP AUTH extension (RFC 2554). The decoding
+algorithm is written out in a straightforward way. Turning it into some kind of
+compact loop is messy and would probably run more slowly.
+
+Arguments:
+  code        points to the coded string, zero-terminated
+  ptr         where to put the pointer to the result, which is in
+              allocated store, and zero-terminated
+
+Returns:      the number of bytes in the result,
+              or -1 if the input was malformed
+
+Whitespace in the input is ignored.
+A zero is added on to the end to make it easy in cases where the result is to
+be interpreted as text. This is not included in the count. */
+
+static uschar dec64table[] = {
+  255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255, /*  0-15 */
+  255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255, /* 16-31 */
+  255,255,255,255,255,255,255,255,255,255,255, 62,255,255,255, 63, /* 32-47 */
+   52, 53, 54, 55, 56, 57, 58, 59, 60, 61,255,255,255,255,255,255, /* 48-63 */
+  255,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, /* 64-79 */
+   15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25,255,255,255,255,255, /* 80-95 */
+  255, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, /* 96-111 */
+   41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51,255,255,255,255,255  /* 112-127*/
+};
+
+int
+b64decode(const uschar *code, uschar **ptr)
+{
+
+int x, y;
+uschar *result;
+
+ {
+  int l = Ustrlen(code);
+  *ptr = result = store_get(1 + l/4 * 3 + l%4, code);
+ }
+
+/* Each cycle of the loop handles a quantum of 4 input bytes. For the last
+quantum this may decode to 1, 2, or 3 output bytes. */
+
+while ((x = *code++) != 0)
+  {
+  if (isspace(x)) continue;
+  /* debug_printf("b64d: '%c'\n", x); */
+
+  if (x > 127 || (x = dec64table[x]) == 255) return -1;
+
+  while (isspace(y = *code++)) ;
+  /* debug_printf("b64d: '%c'\n", y); */
+  if (y > 127 || (y = dec64table[y]) == 255)
+    return -1;
+
+  *result++ = (x << 2) | (y >> 4);
+  /* debug_printf("b64d:      -> %02x\n", result[-1]); */
+
+  while (isspace(x = *code++)) ;
+  /* debug_printf("b64d: '%c'\n", x); */
+  if (x == '=')		/* endmarker, but there should be another */
+    {
+    while (isspace(x = *code++)) ;
+    /* debug_printf("b64d: '%c'\n", x); */
+    if (x != '=') return -1;
+    while (isspace(y = *code++)) ;
+    if (y != 0) return -1;
+    /* debug_printf("b64d: DONE\n"); */
+    break;
+    }
+  else
+    {
+    if (x > 127 || (x = dec64table[x]) == 255) return -1;
+    *result++ = (y << 4) | (x >> 2);
+    /* debug_printf("b64d:      -> %02x\n", result[-1]); */
+
+    while (isspace(y = *code++)) ;
+    /* debug_printf("b64d: '%c'\n", y); */
+    if (y == '=')
+      {
+      while (isspace(y = *code++)) ;
+      if (y != 0) return -1;
+      /* debug_printf("b64d: DONE\n"); */
+      break;
+      }
+    else
+      {
+      if (y > 127 || (y = dec64table[y]) == 255) return -1;
+      *result++ = (x << 6) | y;
+      /* debug_printf("b64d:      -> %02x\n", result[-1]); */
+      }
+    }
+  }
+
+*result = 0;
+return result - *ptr;
+}
+
+
+/*************************************************
+*          Encode byte-string in base 64         *
+*************************************************/
+
+/* This function encodes a string of bytes, containing any values whatsoever,
+in base 64 as defined in RFC 2045 (MIME) and required by the SMTP AUTH
+extension (RFC 2554). The encoding algorithm is written out in a
+straightforward way. Turning it into some kind of compact loop is messy and
+would probably run more slowly.
+
+Arguments:
+  clear       points to the clear text bytes
+  len         the number of bytes to encode
+  proto_mem   taint indicator
+
+Returns:      a pointer to the zero-terminated base 64 string, which
+              is in working store
+*/
+
+static uschar *enc64table =
+  US"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+uschar *
+b64encode_taint(const uschar * clear, int len, const void * proto_mem)
+{
+uschar * code = store_get(4*((len+2)/3) + 1, proto_mem);
+uschar * p = code;
+
+while (len-- >0)
+  {
+  int x, y;
+
+  x = *clear++;
+  *p++ = enc64table[(x >> 2) & 63];
+
+  if (len-- <= 0)
+    {
+    *p++ = enc64table[(x << 4) & 63];
+    *p++ = '=';
+    *p++ = '=';
+    break;
+    }
+
+  y = *clear++;
+  *p++ = enc64table[((x << 4) | ((y >> 4) & 15)) & 63];
+
+  if (len-- <= 0)
+    {
+    *p++ = enc64table[(y << 2) & 63];
+    *p++ = '=';
+    break;
+    }
+
+  x = *clear++;
+  *p++ = enc64table[((y << 2) | ((x >> 6) & 3)) & 63];
+
+  *p++ = enc64table[x & 63];
+  }
+
+*p = 0;
+
+return code;
+}
+
+uschar *
+b64encode(const uschar * clear, int len)
+{
+return b64encode_taint(clear, len, clear);
+}
+
+
+/* End of base64.c */
+/* vi: sw ai sw=2
+*/
diff --git a/src/blob.h b/src/blob.h
new file mode 100644
index 0000000..a3f1e24
--- /dev/null
+++ b/src/blob.h
@@ -0,0 +1,15 @@
+/*
+ *  Blob - a general pointer/size item for a memory chunk
+ *
+ *  Copyright (C) 2016  Exim maintainers
+ */
+
+#ifndef BLOB_H	/* entire file */
+#define BLOB_H
+
+typedef struct {
+  uschar * data;
+  size_t   len;
+} blob;
+
+#endif
diff --git a/src/bmi_spam.c b/src/bmi_spam.c
new file mode 100644
index 0000000..af4bc46
--- /dev/null
+++ b/src/bmi_spam.c
@@ -0,0 +1,476 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Code for calling Brightmail AntiSpam.
+   Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004
+   License: GPL */
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+
+#include "exim.h"
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+
+#include "bmi_spam.h"
+
+uschar *bmi_current_optin = NULL;
+
+uschar *bmi_process_message(header_line *header_list, int data_fd) {
+  BmiSystem *system = NULL;
+  BmiMessage *message = NULL;
+  BmiError err;
+  BmiErrorLocation err_loc;
+  BmiErrorType err_type;
+  const BmiVerdict *verdict = NULL;
+  FILE *data_file;
+  uschar data_buffer[4096];
+  uschar localhost[] = "127.0.0.1";
+  uschar *host_address;
+  uschar *verdicts = NULL;
+  int i,j;
+
+  err = bmiInitSystem(BMI_VERSION, CS bmi_config_file, &system);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    err_loc = bmiErrorGetLocation(err);
+    err_type = bmiErrorGetType(err);
+    log_write(0, LOG_PANIC,
+               "bmi error [loc %d type %d]: could not initialize Brightmail system.", (int)err_loc, (int)err_type);
+    return NULL;
+  }
+
+  err = bmiInitMessage(system, &message);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    err_loc = bmiErrorGetLocation(err);
+    err_type = bmiErrorGetType(err);
+    log_write(0, LOG_PANIC,
+               "bmi error [loc %d type %d]: could not initialize Brightmail message.", (int)err_loc, (int)err_type);
+    bmiFreeSystem(system);
+    return NULL;
+  }
+
+  /* Send IP address of sending host */
+  if (sender_host_address == NULL)
+    host_address = localhost;
+  else
+    host_address = sender_host_address;
+  err = bmiProcessConnection(CS host_address, message);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    err_loc = bmiErrorGetLocation(err);
+    err_type = bmiErrorGetType(err);
+    log_write(0, LOG_PANIC,
+               "bmi error [loc %d type %d]: bmiProcessConnection() failed (IP %s).", (int)err_loc, (int)err_type, CS host_address);
+    bmiFreeMessage(message);
+    bmiFreeSystem(system);
+    return NULL;
+  };
+
+  /* Send envelope sender address */
+  err = bmiProcessFROM(CS sender_address, message);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    err_loc = bmiErrorGetLocation(err);
+    err_type = bmiErrorGetType(err);
+    log_write(0, LOG_PANIC,
+               "bmi error [loc %d type %d]: bmiProcessFROM() failed (address %s).", (int)err_loc, (int)err_type, CS sender_address);
+    bmiFreeMessage(message);
+    bmiFreeSystem(system);
+    return NULL;
+  };
+
+  /* Send envelope recipients */
+  for(i=0;i<recipients_count;i++) {
+    recipient_item *r = recipients_list + i;
+    BmiOptin *optin = NULL;
+
+    /* create optin object if optin string is given */
+    if ((r->bmi_optin != NULL) && (Ustrlen(r->bmi_optin) > 1)) {
+      debug_printf("passing bmiOptin string: %s\n", r->bmi_optin);
+      bmiOptinInit(&optin);
+      err = bmiOptinMset(optin, r->bmi_optin, ':');
+      if (bmiErrorIsFatal(err) == BMI_TRUE) {
+        log_write(0, LOG_PANIC|LOG_MAIN,
+                   "bmi warning: [loc %d type %d]: bmiOptinMSet() failed (address '%s', string '%s').", (int)err_loc, (int)err_type, CS r->address, CS r->bmi_optin);
+        if (optin != NULL)
+          bmiOptinFree(optin);
+        optin = NULL;
+      };
+    };
+
+    err = bmiAccumulateTO(CS r->address, optin, message);
+
+    if (optin != NULL)
+      bmiOptinFree(optin);
+
+    if (bmiErrorIsFatal(err) == BMI_TRUE) {
+      err_loc = bmiErrorGetLocation(err);
+      err_type = bmiErrorGetType(err);
+      log_write(0, LOG_PANIC,
+                 "bmi error [loc %d type %d]: bmiAccumulateTO() failed (address %s).", (int)err_loc, (int)err_type, CS r->address);
+      bmiFreeMessage(message);
+      bmiFreeSystem(system);
+      return NULL;
+    };
+  };
+  err = bmiEndTO(message);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    err_loc = bmiErrorGetLocation(err);
+    err_type = bmiErrorGetType(err);
+    log_write(0, LOG_PANIC,
+               "bmi error [loc %d type %d]: bmiEndTO() failed.", (int)err_loc, (int)err_type);
+    bmiFreeMessage(message);
+    bmiFreeSystem(system);
+    return NULL;
+  };
+
+  /* Send message headers */
+  while (header_list != NULL) {
+    /* skip deleted headers */
+    if (header_list->type == '*') {
+      header_list = header_list->next;
+      continue;
+    };
+    err = bmiAccumulateHeaders(CCS header_list->text, header_list->slen, message);
+    if (bmiErrorIsFatal(err) == BMI_TRUE) {
+      err_loc = bmiErrorGetLocation(err);
+      err_type = bmiErrorGetType(err);
+      log_write(0, LOG_PANIC,
+                 "bmi error [loc %d type %d]: bmiAccumulateHeaders() failed.", (int)err_loc, (int)err_type);
+      bmiFreeMessage(message);
+      bmiFreeSystem(system);
+      return NULL;
+    };
+    header_list = header_list->next;
+  };
+  err = bmiEndHeaders(message);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    err_loc = bmiErrorGetLocation(err);
+    err_type = bmiErrorGetType(err);
+    log_write(0, LOG_PANIC,
+               "bmi error [loc %d type %d]: bmiEndHeaders() failed.", (int)err_loc, (int)err_type);
+    bmiFreeMessage(message);
+    bmiFreeSystem(system);
+    return NULL;
+  };
+
+  /* Send body */
+  data_file = fdopen(data_fd,"r");
+  do {
+    j = fread(data_buffer, 1, sizeof(data_buffer), data_file);
+    if (j > 0) {
+      err = bmiAccumulateBody(CCS data_buffer, j, message);
+      if (bmiErrorIsFatal(err) == BMI_TRUE) {
+        err_loc = bmiErrorGetLocation(err);
+        err_type = bmiErrorGetType(err);
+        log_write(0, LOG_PANIC,
+                   "bmi error [loc %d type %d]: bmiAccumulateBody() failed.", (int)err_loc, (int)err_type);
+        bmiFreeMessage(message);
+        bmiFreeSystem(system);
+        return NULL;
+      };
+    };
+  } while (j > 0);
+  err = bmiEndBody(message);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    err_loc = bmiErrorGetLocation(err);
+    err_type = bmiErrorGetType(err);
+    log_write(0, LOG_PANIC,
+               "bmi error [loc %d type %d]: bmiEndBody() failed.", (int)err_loc, (int)err_type);
+    bmiFreeMessage(message);
+    bmiFreeSystem(system);
+    return NULL;
+  };
+
+
+  /* End message */
+  err = bmiEndMessage(message);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    err_loc = bmiErrorGetLocation(err);
+    err_type = bmiErrorGetType(err);
+    log_write(0, LOG_PANIC,
+               "bmi error [loc %d type %d]: bmiEndMessage() failed.", (int)err_loc, (int)err_type);
+    bmiFreeMessage(message);
+    bmiFreeSystem(system);
+    return NULL;
+  };
+
+  /* Get store for the verdict string.  Since we are processing message data, assume that
+  the verdict is tainted.  XXX this should use a growable-string  */
+
+  verdicts = store_get(1, GET_TAINTED);
+  *verdicts = '\0';
+
+  for ( err = bmiAccessFirstVerdict(message, &verdict);
+        verdict;
+        err = bmiAccessNextVerdict(message, verdict, &verdict) ) {
+    char *verdict_str;
+
+    err = bmiCreateStrFromVerdict(verdict,&verdict_str);
+    if (!store_extend(verdicts,
+	  Ustrlen(verdicts)+1, Ustrlen(verdicts)+1+strlen(verdict_str)+1)) {
+      /* can't allocate more store */
+      return NULL;
+    };
+    if (*verdicts != '\0')
+      Ustrcat(verdicts, US ":");
+    Ustrcat(verdicts, US verdict_str);
+    bmiFreeStr(verdict_str);
+  };
+
+  DEBUG(D_receive) debug_printf("bmi verdicts: %s\n", verdicts);
+
+  if (Ustrlen(verdicts) == 0)
+    return NULL;
+  else
+    return verdicts;
+}
+
+
+int bmi_get_delivery_status(uschar *base64_verdict) {
+  BmiError err;
+  BmiErrorLocation err_loc;
+  BmiErrorType err_type;
+  BmiVerdict *verdict = NULL;
+  int rc = 1;   /* deliver by default */
+
+  /* always deliver when there is no verdict */
+  if (base64_verdict == NULL)
+    return 1;
+
+  /* create verdict from base64 string */
+  err = bmiCreateVerdictFromStr(CS base64_verdict, &verdict);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    err_loc = bmiErrorGetLocation(err);
+    err_type = bmiErrorGetType(err);
+    log_write(0, LOG_PANIC,
+               "bmi error [loc %d type %d]: bmiCreateVerdictFromStr() failed. [%s]", (int)err_loc, (int)err_type, base64_verdict);
+    return 1;
+  };
+
+  err = bmiVerdictError(verdict);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    /* deliver normally due to error */
+    rc = 1;
+  }
+  else if (bmiVerdictDestinationIsDefault(verdict) == BMI_TRUE) {
+    /* deliver normally */
+    rc = 1;
+  }
+  else if (bmiVerdictAccessDestination(verdict) == NULL) {
+    /* do not deliver */
+    rc = 0;
+  }
+  else {
+    /* deliver to alternate location */
+    rc = 1;
+  };
+
+  bmiFreeVerdict(verdict);
+  return rc;
+}
+
+
+uschar *bmi_get_alt_location(uschar *base64_verdict) {
+  BmiError err;
+  BmiErrorLocation err_loc;
+  BmiErrorType err_type;
+  BmiVerdict *verdict = NULL;
+  uschar *rc = NULL;
+
+  /* always deliver when there is no verdict */
+  if (base64_verdict == NULL)
+    return NULL;
+
+  /* create verdict from base64 string */
+  err = bmiCreateVerdictFromStr(CS base64_verdict, &verdict);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    err_loc = bmiErrorGetLocation(err);
+    err_type = bmiErrorGetType(err);
+    log_write(0, LOG_PANIC,
+               "bmi error [loc %d type %d]: bmiCreateVerdictFromStr() failed. [%s]", (int)err_loc, (int)err_type, base64_verdict);
+    return NULL;
+  };
+
+  err = bmiVerdictError(verdict);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    /* deliver normally due to error */
+    rc = NULL;
+  }
+  else if (bmiVerdictDestinationIsDefault(verdict) == BMI_TRUE) {
+    /* deliver normally */
+    rc = NULL;
+  }
+  else if (bmiVerdictAccessDestination(verdict) == NULL) {
+    /* do not deliver */
+    rc = NULL;
+  }
+  else {
+    /* deliver to alternate location */
+    rc = store_get(strlen(bmiVerdictAccessDestination(verdict))+1, GET_TAINTED);
+    Ustrcpy(rc, bmiVerdictAccessDestination(verdict));
+    rc[strlen(bmiVerdictAccessDestination(verdict))] = '\0';
+  };
+
+  bmiFreeVerdict(verdict);
+  return rc;
+}
+
+uschar *bmi_get_base64_verdict(uschar *bmi_local_part, uschar *bmi_domain) {
+  BmiError err;
+  BmiErrorLocation err_loc;
+  BmiErrorType err_type;
+  BmiVerdict *verdict = NULL;
+  const BmiRecipient *recipient = NULL;
+  const char *verdict_str = NULL;
+  uschar *verdict_ptr;
+  uschar *verdict_buffer = NULL;
+  int sep = 0;
+
+  /* return nothing if there are no verdicts available */
+  if (bmi_verdicts == NULL)
+    return NULL;
+
+  /* allocate room for the b64 verdict string */
+  verdict_buffer = store_get(Ustrlen(bmi_verdicts)+1, GET_TAINTED);
+
+  /* loop through verdicts */
+  verdict_ptr = bmi_verdicts;
+  while ((verdict_str = CCS string_nextinlist(&verdict_ptr, &sep,
+                                          verdict_buffer,
+                                          Ustrlen(bmi_verdicts)+1)) != NULL) {
+
+    /* create verdict from base64 string */
+    err = bmiCreateVerdictFromStr(verdict_str, &verdict);
+    if (bmiErrorIsFatal(err) == BMI_TRUE) {
+      err_loc = bmiErrorGetLocation(err);
+      err_type = bmiErrorGetType(err);
+      log_write(0, LOG_PANIC,
+                 "bmi error [loc %d type %d]: bmiCreateVerdictFromStr() failed. [%s]", (int)err_loc, (int)err_type, verdict_str);
+      return NULL;
+    };
+
+    /* loop through rcpts for this verdict */
+    for ( recipient = bmiVerdictAccessFirstRecipient(verdict);
+          recipient != NULL;
+          recipient = bmiVerdictAccessNextRecipient(verdict, recipient)) {
+      uschar *rcpt_local_part;
+      uschar *rcpt_domain;
+
+      /* compare address against our subject */
+      rcpt_local_part = US bmiRecipientAccessAddress(recipient);
+      rcpt_domain = Ustrchr(rcpt_local_part,'@');
+      if (rcpt_domain == NULL) {
+        rcpt_domain = US"";
+      }
+      else {
+        *rcpt_domain = '\0';
+        rcpt_domain++;
+      };
+
+      if ( (strcmpic(rcpt_local_part, bmi_local_part) == 0) &&
+           (strcmpic(rcpt_domain, bmi_domain) == 0) ) {
+        /* found verdict */
+        bmiFreeVerdict(verdict);
+        return US verdict_str;
+      };
+    };
+
+    bmiFreeVerdict(verdict);
+  };
+
+  return NULL;
+}
+
+
+uschar *bmi_get_base64_tracker_verdict(uschar *base64_verdict) {
+  BmiError err;
+  BmiErrorLocation err_loc;
+  BmiErrorType err_type;
+  BmiVerdict *verdict = NULL;
+  uschar *rc = NULL;
+
+  /* always deliver when there is no verdict */
+  if (base64_verdict == NULL)
+    return NULL;
+
+  /* create verdict from base64 string */
+  err = bmiCreateVerdictFromStr(CS base64_verdict, &verdict);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    err_loc = bmiErrorGetLocation(err);
+    err_type = bmiErrorGetType(err);
+    log_write(0, LOG_PANIC,
+               "bmi error [loc %d type %d]: bmiCreateVerdictFromStr() failed. [%s]", (int)err_loc, (int)err_type, base64_verdict);
+    return NULL;
+  };
+
+  /* create old tracker string from verdict */
+  err = bmiCreateOldStrFromVerdict(verdict, &rc);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    err_loc = bmiErrorGetLocation(err);
+    err_type = bmiErrorGetType(err);
+    log_write(0, LOG_PANIC,
+               "bmi error [loc %d type %d]: bmiCreateOldStrFromVerdict() failed. [%s]", (int)err_loc, (int)err_type, base64_verdict);
+    return NULL;
+  };
+
+  bmiFreeVerdict(verdict);
+  return rc;
+}
+
+
+int bmi_check_rule(uschar *base64_verdict, uschar *option_list) {
+  BmiError err;
+  BmiErrorLocation err_loc;
+  BmiErrorType err_type;
+  BmiVerdict *verdict = NULL;
+  int rc = 0;
+  uschar *rule_num;
+  uschar *rule_ptr;
+  uschar rule_buffer[32];
+  int sep = 0;
+
+
+  /* no verdict -> no rule fired */
+  if (base64_verdict == NULL)
+    return 0;
+
+  /* create verdict from base64 string */
+  err = bmiCreateVerdictFromStr(CS base64_verdict, &verdict);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    err_loc = bmiErrorGetLocation(err);
+    err_type = bmiErrorGetType(err);
+    log_write(0, LOG_PANIC,
+               "bmi error [loc %d type %d]: bmiCreateVerdictFromStr() failed. [%s]", (int)err_loc, (int)err_type, base64_verdict);
+    return 0;
+  };
+
+  err = bmiVerdictError(verdict);
+  if (bmiErrorIsFatal(err) == BMI_TRUE) {
+    /* error -> no rule fired */
+    bmiFreeVerdict(verdict);
+    return 0;
+  }
+
+  /* loop through numbers */
+  /* option_list doesn't seem to be expanded so cannot be tainted.  If it ever is we
+  will trap here */
+  rule_ptr = option_list;
+  while ((rule_num = string_nextinlist(&rule_ptr, &sep,
+                                       rule_buffer, sizeof(rule_buffer)))) {
+    int rule_int = -1;
+
+    /* try to translate to int */
+    (void)sscanf(rule_num, "%d", &rule_int);
+    if (rule_int > 0) {
+      debug_printf("checking rule #%d\n", rule_int);
+      /* check if rule fired on the message */
+      if (bmiVerdictRuleFired(verdict, rule_int) == BMI_TRUE) {
+        debug_printf("rule #%d fired\n", rule_int);
+        rc = 1;
+        break;
+      };
+    };
+  };
+
+  bmiFreeVerdict(verdict);
+  return rc;
+};
+
+#endif
diff --git a/src/bmi_spam.h b/src/bmi_spam.h
new file mode 100644
index 0000000..a9af778
--- /dev/null
+++ b/src/bmi_spam.h
@@ -0,0 +1,22 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Code for calling Brightmail AntiSpam.
+   Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004
+   License: GPL */
+
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+
+#include <bmi_api.h>
+
+extern uschar *bmi_process_message(header_line *, int);
+extern uschar *bmi_get_base64_verdict(uschar *, uschar *);
+extern uschar *bmi_get_base64_tracker_verdict(uschar *);
+extern int bmi_get_delivery_status(uschar *);
+extern uschar *bmi_get_alt_location(uschar *);
+extern int bmi_check_rule(uschar *,uschar *);
+
+extern uschar *bmi_current_optin;
+
+#endif
diff --git a/src/buildconfig.c b/src/buildconfig.c
new file mode 100644
index 0000000..f9a8feb
--- /dev/null
+++ b/src/buildconfig.c
@@ -0,0 +1,984 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/*************************************************
+*       Build configuration header for Exim      *
+*************************************************/
+
+/* This auxiliary program builds the file config.h by the following
+process:
+
+First, it determines the size of off_t and time_t variables, and generates
+macro code to define OFF_T_FMT and TIME_T_FMT as suitable formats, if they are
+not already defined in the system-specific header file.
+
+Then it reads Makefile, looking for certain OS-specific definitions which it
+uses to define some specific macros. Finally, it reads the defaults file
+config.h.defaults.
+
+The defaults file contains normal C #define statements for various macros; if
+the name of a macro is found in the environment, the environment value replaces
+the default. If the default #define does not contain any value, then that macro
+is not copied to the created file unless there is some value in the
+environment.
+
+This program is compiled and run as part of the Make process and is not
+normally called independently. */
+
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <poll.h>
+#include <pwd.h>
+#include <grp.h>
+
+typedef struct {
+  const char *name;
+  int *flag;
+} have_item;
+
+typedef struct {
+  const char *name;
+  char *data;
+} save_item;
+
+static const char *db_opts[] = { "", "USE_DB", "USE_GDBM", "USE_TDB", "USE_NDBM" };
+
+static int have_ipv6 = 0;
+static int have_iconv = 0;
+
+static char errno_quota[256];
+static char ostype[256];
+static char cc[256];
+
+/* If any entry is an initial substring of another, the longer one must
+appear first. */
+
+static have_item have_list[] = {
+  { "HAVE_IPV6",      &have_ipv6 },
+  { "HAVE_ICONV",     &have_iconv },
+  { NULL, NULL}
+};
+
+static save_item save_list[] = {
+  { "ERRNO_QUOTA",    errno_quota },
+  { "OSTYPE",         ostype },
+  { "CC",             cc },
+  { NULL, NULL}
+};
+
+
+/* Subroutine to check a string for precisely one instance of "%s". If not,
+bomb out. */
+
+void
+check_percent_ess(char *value, char *name)
+{
+int OK = 0;
+char *p = strstr(value, "%s");
+if (p != NULL) OK = strstr(p+2, "%s") == NULL;
+if (!OK)
+  {
+  printf("\n*** \"%s\" (%s) must contain precisely one occurrence of\n"
+    "*** \"%%s\". Please review your build-time configuration.\n\n/", value,
+    name);
+  exit(1);
+  }
+}
+
+
+/* Main program */
+
+int
+main(int argc, char **argv)
+{
+off_t test_off_t = 0;
+time_t test_time_t = 0;
+ino_t test_ino_t;
+#if ! (__STDC_VERSION__ >= 199901L)
+size_t test_size_t = 0;
+ssize_t test_ssize_t = 0;
+unsigned long test_ulong_t = 0L;
+unsigned int test_uint_t = 0;
+#endif
+long test_long_t = 0;
+long long test_longlong_t = 0;
+int test_int_t = 0;
+FILE *base;
+FILE *new;
+int last_initial = 'A';
+int linecount = 0;
+int have_auth = 0;
+int in_local_makefile = 0;
+int use_which_db = 0;
+int use_which_db_in_local_makefile = 0;
+int support_crypteq = 0;
+char buffer[1024];
+
+if (argc != 1)
+  {
+  printf("*** Buildconfig: called with incorrect arguments\n");
+  exit(1);
+  }
+
+new = fopen("config.h", "wb");
+if (new == NULL)
+  {
+  printf("*** Buildconfig: failed to open config.h for output\n");
+  exit(1);
+  }
+
+printf("Building configuration file config.h\n");
+
+fprintf(new, "/*************************************************\n");
+fprintf(new, "*           Configuration header for Exim        *\n");
+fprintf(new, "*************************************************/\n\n");
+
+fprintf(new, "/* This file was automatically generated from Makefile and "
+  "config.h.defaults,\n");
+fprintf(new, "using values specified in the configuration file Local/Makefile.\n");
+fprintf(new, "Do not edit it. Instead, edit Local/Makefile and "
+  "rerun make. */\n\n");
+
+/* First, deal with the printing format for off_t variables. We assume that if
+the size of off_t is greater than 4, "%lld" will be available as a format for
+printing long long variables, and there will be support for the long long type.
+This assumption is known to be OK for the common operating systems. */
+
+fprintf(new, "#ifndef OFF_T_FMT\n");
+if (sizeof(test_off_t) > sizeof(test_long_t))
+  fprintf(new, "# define OFF_T_FMT  \"%%lld\"\n");
+else
+  fprintf(new, "# define OFF_T_FMT  \"%%ld\"\n");
+fprintf(new, "#endif\n\n");
+
+fprintf(new, "#ifndef LONGLONG_T\n");
+if (sizeof(test_longlong_t) > sizeof(test_long_t))
+  fprintf(new, "# define LONGLONG_T long long int\n");
+else
+  fprintf(new, "# define LONGLONG_T long int\n");
+fprintf(new, "#endif\n\n");
+
+/* Now do the same thing for time_t variables. If the length is greater than
+4, we want to assume long long support (even if off_t was less than 4). If the
+length is 4 or less, we can leave LONGLONG_T to whatever was defined above for
+off_t. */
+
+fprintf(new, "#ifndef TIME_T_FMT\n");
+if (sizeof(test_time_t) > sizeof(test_long_t))
+  {
+  fprintf(new, "# define TIME_T_FMT  \"%%lld\"\n");
+  fprintf(new, "# undef  LONGLONG_T\n");
+  fprintf(new, "# define LONGLONG_T long long int\n");
+  }
+else
+  fprintf(new, "# define TIME_T_FMT  \"%%ld\"\n");
+fprintf(new, "#endif\n\n");
+
+fprintf(new, "#ifndef INO_T_FMT\n");
+if (sizeof(test_ino_t) > sizeof(test_long_t))
+  fprintf(new, "# define INO_T_FMT  \"%%llu\"\n");
+else
+  fprintf(new, "# define INO_T_FMT  \"%%lu\"\n");
+fprintf(new, "#endif\n\n");
+
+fprintf(new, "#ifndef PID_T_FMT\n");
+fprintf(new, "# define PID_T_FMT  \"%%lu\"\n");
+fprintf(new, "#endif\n\n");
+
+/* And for sizeof() results, size_t, which should with C99 be just %zu, deal
+with C99 not being ubiquitous yet.  Unfortunately.  Assume ssize_t is same
+size as size_t on C99; if someone comes up with a version where it's not, fix
+it then. */
+
+#if __STDC_VERSION__ >= 199901L
+fprintf(new, "#define SIZE_T_FMT  \"%%zu\"\n");
+fprintf(new, "#define SSIZE_T_FMT  \"%%zd\"\n");
+#else
+if (sizeof(test_size_t) > sizeof (test_ulong_t))
+  fprintf(new, "#define SIZE_T_FMT  \"%%llu\"\n");
+else if (sizeof(test_size_t) > sizeof (test_uint_t))
+  fprintf(new, "#define SIZE_T_FMT  \"%%lu\"\n");
+else
+  fprintf(new, "#define SIZE_T_FMT  \"%%u\"\n");
+
+if (sizeof(test_ssize_t) > sizeof(test_long_t))
+  fprintf(new, "#define SSIZE_T_FMT  \"%%lld\"\n");
+else if (sizeof(test_ssize_t) > sizeof(test_int_t))
+  fprintf(new, "#define SSIZE_T_FMT  \"%%ld\"\n");
+else
+  fprintf(new, "#define SSIZE_T_FMT  \"%%d\"\n");
+#endif
+
+/* Now search the makefile for certain settings */
+
+if (!(base = fopen("Makefile", "rb")))
+  {
+  printf("*** Buildconfig: failed to open Makefile\n");
+  (void)fclose(new);
+  exit(1);
+  }
+
+errno_quota[0] = 0;    /* no over-riding value set */
+ostype[0] = 0;         /* just in case */
+cc[0] = 0;
+
+while (fgets(buffer, sizeof(buffer), base) != NULL)
+  {
+  int i;
+  have_item *h;
+  save_item *s;
+  char *p = buffer + (int)strlen(buffer);
+  linecount++;
+  while (p > buffer && isspace((unsigned char)p[-1])) p--;
+  *p = 0;
+  p = buffer;
+  while (isspace((unsigned char)*p)) p++;
+
+  /* Notice when we hit the user's makefile */
+
+  if (strcmp(p, "# From Local/Makefile") == 0)
+    {
+    in_local_makefile = 1;
+    continue;
+    }
+
+  /* Remember the last DB option setting. If we hit two in the user's
+  Makefile, complain. */
+
+  for (i = 1; i < sizeof(db_opts)/sizeof(char *); i++)
+    {
+    int len = (int)strlen(db_opts[i]);
+    if (strncmp(p, db_opts[i], len) == 0 && (p[len] == ' ' || p[len] == '='))
+      {
+      if (in_local_makefile)
+        {
+        if (use_which_db_in_local_makefile)
+          {
+          printf("*** Only one of USE_DB, USE_GDBM, or USE_TDB should be "
+            "defined in Local/Makefile\n");
+          exit(1);
+          }
+        use_which_db_in_local_makefile = 1;
+        }
+      use_which_db = i;
+      break;
+      }
+    }
+  if (i < sizeof(db_opts)/sizeof(char *)) continue;
+
+  /* Items where we just save a boolean */
+
+  for (h = have_list; h->name != NULL; h++)
+    {
+    int len = (int)strlen(h->name);
+    if (strncmp(p, h->name, len) == 0)
+      {
+      p += len;
+      while (isspace((unsigned char)*p)) p++;
+      if (*p++ != '=')
+        {
+        printf("*** Buildconfig: syntax error in Makefile line %d\n", linecount);
+        exit(1);
+        }
+      while (isspace((unsigned char)*p)) p++;
+      if (strcmp(p, "YES") == 0 || strcmp(p, "yes") == 0) *(h->flag) = 1;
+        else *(h->flag) = 0;   /* Must reset in case multiple instances */
+      break;
+      }
+    }
+
+  if (h->name != NULL) continue;
+
+  /* Items where we save the complete string */
+
+  for (s = save_list; s->name != NULL; s++)
+    {
+    int len = (int)strlen(s->name);
+    if (strncmp(p, s->name, len) == 0)
+      {
+      p += len;
+      while (isspace((unsigned char)*p)) p++;
+      if (*p++ != '=')
+        {
+        printf("*** Buildconfig: syntax error in Makefile line %d\n", linecount);
+        exit(1);
+        }
+      while (isspace((unsigned char)*p)) p++;
+      strcpy(s->data, p);
+      }
+    }
+  }
+
+fprintf(new, "#define HAVE_IPV6             %s\n",
+  have_ipv6? "TRUE" : "FALSE");
+
+fprintf(new, "#define HAVE_ICONV            %s\n",
+  have_iconv? "TRUE" : "FALSE");
+
+if (errno_quota[0] != 0)
+  fprintf(new, "\n#define ERRNO_QUOTA           %s\n", errno_quota);
+
+if (strcmp(cc, "gcc") == 0 &&
+    (strstr(ostype, "IRIX") != NULL || strstr(ostype, "AIX") != NULL))
+  {
+  fprintf(new, "\n/* This switch includes the code to fix the inet_ntoa() */");
+  fprintf(new, "\n/* bug when using gcc on an IRIX or AIX system. */");
+  fprintf(new, "\n#define USE_INET_NTOA_FIX");
+  }
+
+fprintf(new, "\n");
+(void)fclose(base);
+
+
+/* Now handle the macros listed in the defaults */
+
+base = fopen("../src/config.h.defaults", "rb");
+if (base == NULL)
+  {
+  printf("*** Buildconfig: failed to open ../src/config.h.defaults\n");
+  (void)fclose(new);
+  exit(1);
+  }
+
+while (fgets(buffer, sizeof(buffer), base) != NULL)
+  {
+  int i;
+  char name[256];
+  char *value;
+  char *p = buffer;
+  char *q = name;
+
+  while (*p == ' ' || *p == '\t') p++;
+
+  if (strncmp(p, "#ifdef ", 7) == 0
+   || strncmp(p, "#ifndef ", 8) == 0
+   || strncmp(p, "#if ", 4) == 0
+   || strncmp(p, "#endif", 6) == 0
+     )
+    {
+    fputs(buffer, new);
+    continue;
+    }
+
+  if (strncmp(p, "#define ", 8) != 0) continue;
+
+  p += 8;
+  while (*p == ' ' || *p == '\t') p++;
+
+  if (*p < last_initial) fprintf(new, "\n");
+  last_initial = *p;
+
+  while (*p && (isalnum((unsigned char)*p) || *p == '_')) *q++ = *p++;
+  *q = 0;
+
+  /* USE_DB, USE_GDBM, and USE_TDB are special cases. We want to have only
+  one of them set. The scan of the Makefile has saved which was the last one
+  encountered. */
+
+  for (i = 1; i < sizeof(db_opts)/sizeof(char *); i++)
+    if (strcmp(name, db_opts[i]) == 0)
+      {
+      if (use_which_db == i)
+        fprintf(new, "#define %s %.*syes\n", db_opts[i],
+          21 - (int)strlen(db_opts[i]), "                         ");
+      else
+        fprintf(new, "/* %s not set */\n", name);
+      break;
+      }
+  if (i < sizeof(db_opts)/sizeof(char *)) continue;
+
+  /* EXIM_USER is a special case. We look in the environment for EXIM_USER or
+  EXIM_UID (the latter for backward compatibility with Exim 3). If the value is
+  not numeric, we look up the user, and default the GID if found. Otherwise,
+  EXIM_GROUP or EXIM_GID must be in the environment. */
+
+  if (strcmp(name, "EXIM_UID") == 0)
+    {
+    uid_t uid = 0;
+    gid_t gid = 0;
+    int gid_set = 0;
+    int uid_not_set = 0;
+    char *username = NULL;
+    char *groupname = NULL;
+    char *s;
+    char *user = getenv("EXIM_USER");
+    char *group = getenv("EXIM_GROUP");
+
+    if (user == NULL) user = getenv("EXIM_UID");
+    if (group == NULL) group = getenv("EXIM_GID");
+
+    if (user == NULL)
+      {
+      printf("\n*** EXIM_USER has not been defined in any of the Makefiles in "
+        "the\n    \"Local\" directory. Please review your build-time "
+        "configuration.\n\n");
+      return 1;
+      }
+
+    while (isspace((unsigned char)(*user))) user++;
+    if (*user == 0)
+      {
+      printf("\n*** EXIM_USER is defined as an empty string in one of the "
+        "files\n    in the \"Local\" directory. Please review your build-time"
+        "\n    configuration.\n\n");
+      return 1;
+      }
+
+    for (s = user; *s != 0; s++)
+      {
+      if (iscntrl((unsigned char)(*s)))
+        {
+        printf("\n*** EXIM_USER contains the control character 0x%02X in one "
+          "of the files\n    in the \"Local\" directory. Please review your "
+          "build-time\n    configuration.\n\n", *s);
+        return 1;
+        }
+      }
+
+    /* Numeric uid given */
+
+    if (user[strspn(user, "0123456789")] == 0)
+      {
+      uid = (uid_t)atoi(user);
+      }
+
+    /* User name given. Normally, we look up the uid right away. However,
+    people building binary distributions sometimes want to retain the name till
+    runtime. This is supported if the name begins "ref:". */
+
+    else if (strncmp(user, "ref:", 4) == 0)
+      {
+      user += 4;
+      while (isspace(*user)) user++;
+      username = user;
+      gid_set = 1;
+      uid_not_set = 1;
+      }
+
+    else
+      {
+      struct passwd *pw = getpwnam(user);
+      if (pw == NULL)
+        {
+        printf("\n*** User \"%s\" (specified in one of the Makefiles) does not "
+          "exist.\n    Please review your build-time configuration.\n\n",
+          user);
+        return 1;
+        }
+
+      uid = pw->pw_uid;
+      gid = pw->pw_gid;
+      gid_set = 1;
+      }
+
+    /* Use explicit group if set. */
+
+    if (group != NULL)
+      {
+      while (isspace((unsigned char)(*group))) group++;
+      if (*group == 0)
+        {
+        printf("\n*** EXIM_GROUP is defined as an empty string in one of "
+          "the files in the\n    \"Local\" directory. ");
+        if (gid_set)
+          {
+          printf("If you want the Exim group to be taken from the\n    "
+            "password data for the Exim user, just remove the EXIM_GROUP "
+            "setting.\n    Otherwise, p");
+          }
+        else printf("EXIM_USER is defined numerically, so there is no"
+          "\n    default for EXIM_GROUP and you must set it explicitly.\n    P");
+        printf("lease review your build-time configuration.\n\n");
+        return 1;
+        }
+
+      for (s = group; *s != 0; s++)
+        {
+        if (iscntrl((unsigned char)(*s)))
+          {
+          printf("\n*** EXIM_GROUP contains the control character 0x%02X in one "
+            "of the files\n    in the \"Local\" directory. Please review your "
+            "build-time\n    configuration.\n\n", *s);
+          return 1;
+          }
+        }
+
+      /* Group name given. This may be by reference or to be looked up now,
+      as for user. */
+
+      if (strncmp(group, "ref:", 4) == 0)
+        {
+        group += 4;
+        while (isspace(*group)) group++;
+        groupname = group;
+        }
+
+      else if (username != NULL)
+        {
+        groupname = group;
+        }
+
+      else if (group[strspn(group, "0123456789")] == 0)
+        {
+        gid = (gid_t)atoi(group);
+        }
+
+      else
+        {
+        struct group *gr = getgrnam(group);
+        if (gr == NULL)
+          {
+          printf("\n*** Group \"%s\" (specified in one of the Makefiles) does "
+            "not exist.\n   Please review your build-time configuration.\n\n",
+            group);
+          return 1;
+          }
+        gid = gr->gr_gid;
+        }
+      }
+
+    /* Else trouble unless found in passwd file with user */
+
+    else if (!gid_set)
+      {
+      printf("\n*** No group set for Exim. Please review your build-time "
+        "configuration.\n\n");
+      return 1;
+      }
+
+    /* security sanity checks
+    if ref: is being used, we can never be sure, but we can take reasonable
+    steps to filter out the most obvious ones.  */
+
+    if ((!uid_not_set && uid == 0) ||
+        ((username != NULL) && (
+          (strcmp(username, "root") == 0) ||
+          (strcmp(username, "toor") == 0) )))
+      {
+      printf("\n*** Exim's internal user must not be root.\n\n");
+      return 1;
+      }
+
+    /* Output user and group names or uid/gid. When names are set, uid/gid
+    are set to zero but will be replaced at runtime. */
+
+    if (username != NULL)
+      fprintf(new, "#define EXIM_USERNAME         \"%s\"\n", username);
+    if (groupname != NULL)
+      fprintf(new, "#define EXIM_GROUPNAME        \"%s\"\n", groupname);
+
+    fprintf(new, "#define EXIM_UID              %d\n", (int)uid);
+    fprintf(new, "#define EXIM_GID              %d\n", (int)gid);
+    continue;
+    }
+
+  /* CONFIGURE_OWNER and CONFIGURE_GROUP are special cases. We look in the
+  environment for first. If the value is not numeric, we look up the user or
+  group. A lot of this code is similar to that for EXIM_USER, but it's easier
+  to keep it separate. */
+
+  if (strcmp(name, "CONFIGURE_OWNER") == 0 ||
+      strcmp(name, "CONFIGURE_GROUP") == 0)
+    {
+    int isgroup = name[10] == 'G';
+    uid_t uid = 0;
+    gid_t gid = 0;
+    const char *s;
+    const char *username = NULL;
+    const char *user = getenv(name);
+
+    if (user == NULL) user = "";
+    while (isspace((unsigned char)(*user))) user++;
+    if (*user == 0)
+      {
+      fprintf(new, "/* %s not set */\n", name);
+      continue;
+      }
+
+    for (s = user; *s != 0; s++)
+      {
+      if (iscntrl((unsigned char)(*s)))
+        {
+        printf("\n*** %s contains the control character 0x%02X in "
+          "one of the files\n    in the \"Local\" directory. Please review "
+          "your build-time\n    configuration.\n\n", name, *s);
+        return 1;
+        }
+      }
+
+    /* Numeric uid given */
+
+    if (user[strspn(user, "0123456789")] == 0)
+      {
+      if (isgroup)
+        gid = (gid_t)atoi(user);
+      else
+        uid = (uid_t)atoi(user);
+      }
+
+    /* Name given. Normally, we look up the uid or gid right away. However,
+    people building binary distributions sometimes want to retain the name till
+    runtime. This is supported if the name begins "ref:". */
+
+    else if (strncmp(user, "ref:", 4) == 0)
+      {
+      user += 4;
+      while (isspace(*user)) user++;
+      username = user;
+      }
+else if (isgroup)
+      {
+      struct group *gr = getgrnam(user);
+      if (gr == NULL)
+        {
+        printf("\n*** Group \"%s\" (specified in one of the Makefiles) does not "
+          "exist.\n    Please review your build-time configuration.\n\n",
+          user);
+        return 1;
+        }
+      gid = gr->gr_gid;
+      }
+
+    else
+      {
+      struct passwd *pw = getpwnam(user);
+      if (pw == NULL)
+        {
+        printf("\n*** User \"%s\" (specified in one of the Makefiles) does not "
+          "exist.\n    Please review your build-time configuration.\n\n",
+          user);
+        return 1;
+        }
+      uid = pw->pw_uid;
+      }
+
+    /* Output user and group names or uid/gid. When names are set, uid/gid
+    are set to zero but will be replaced at runtime. */
+
+    if (username != NULL)
+      {
+      if (isgroup)
+        fprintf(new, "#define CONFIGURE_GROUPNAME         \"%s\"\n", username);
+      else
+        fprintf(new, "#define CONFIGURE_OWNERNAME         \"%s\"\n", username);
+      }
+
+    if (isgroup)
+      fprintf(new, "#define CONFIGURE_GROUP              %d\n", (int)gid);
+    else
+      fprintf(new, "#define CONFIGURE_OWNER              %d\n", (int)uid);
+    continue;
+    }
+
+  /* FIXED_NEVER_USERS is another special case. Look up the uid values and
+  create suitable initialization data for a vector. */
+
+  if (strcmp(name, "FIXED_NEVER_USERS") == 0)
+    {
+    char *list = getenv("FIXED_NEVER_USERS");
+    if (list == NULL)
+      {
+      fprintf(new, "#define FIXED_NEVER_USERS     0\n");
+      }
+    else
+      {
+      int count = 1;
+      int i, j;
+      uid_t *vector;
+      char *p = list;
+      while (*p != 0) if (*p++ == ':') count++;
+
+      vector = malloc((count+1) * sizeof(uid_t));
+      vector[0] = (uid_t)count;
+
+      for (i = 1, j = 0; i <= count; list++, i++)
+        {
+        char name[64];
+
+        p = list;
+        while (*list != 0 && *list != ':') list++;
+        strncpy(name, p, list-p);
+        name[list-p] = 0;
+
+        if (name[0] == 0)
+          {
+          continue;
+          }
+        else if (name[strspn(name, "0123456789")] == 0)
+          {
+          vector[j++] = (uid_t)atoi(name);
+          }
+        else
+          {
+          struct passwd *pw = getpwnam(name);
+          if (pw == NULL)
+            {
+            printf("\n*** User \"%s\" (specified for FIXED_NEVER_USERS in one of the Makefiles) does not "
+              "exist.\n    Please review your build-time configuration.\n\n",
+              name);
+            return 1;
+            }
+          vector[j++] = pw->pw_uid;
+          }
+        }
+      fprintf(new, "#define FIXED_NEVER_USERS     %d", j);
+      for (i = 0; i < j; i++) fprintf(new, ", %d", (unsigned int)vector[i]);
+      fprintf(new, "\n");
+      free(vector);
+      }
+    continue;
+    }
+
+  /* WITH_CONTENT_SCAN is another special case: it must be set if it or
+  EXPERIMENTAL_DCC is set. */
+
+  if (strcmp(name, "WITH_CONTENT_SCAN") == 0)
+    {
+    char *wcs = getenv("WITH_CONTENT_SCAN");
+    char *dcc = getenv("EXPERIMENTAL_DCC");
+    fprintf(new, wcs || dcc
+      ? "#define WITH_CONTENT_SCAN     yes\n"
+      : "/* WITH_CONTENT_SCAN not set */\n");
+    continue;
+    }
+
+  /* DISABLE_DKIM is special; must be forced if DISABLE_TLS */
+  if (strcmp(name, "DISABLE_DKIM") == 0)
+    {
+    char *d_dkim = getenv("DISABLE_DKIM");
+    char *notls = getenv("DISABLE_TLS");
+
+    if (d_dkim)
+      fprintf(new, "#define DISABLE_DKIM          yes\n");
+    else if (notls)
+      fprintf(new, "#define DISABLE_DKIM          yes /* forced by lack of TLS */\n");
+    else
+      fprintf(new, "/* DISABLE_DKIM not set */\n");
+    continue;
+    }
+
+  /* Otherwise, check whether a value exists in the environment. Remember if
+  it is an AUTH setting or SUPPORT_CRYPTEQ. */
+
+  if ((value = getenv(name)) != NULL)
+    {
+    int len;
+    len = 21 - (int)strlen(name);
+
+    if (strncmp(name, "AUTH_", 5) == 0) have_auth = 1;
+    if (strncmp(name, "SUPPORT_CRYPTEQ", 15) == 0) support_crypteq = 1;
+
+    /* The text value of LDAP_LIB_TYPE refers to a macro that gets set. */
+
+    if (strcmp(name, "LDAP_LIB_TYPE") == 0)
+      {
+      if (strcmp(value, "NETSCAPE") == 0 ||
+          strcmp(value, "UMICHIGAN") == 0 ||
+          strcmp(value, "OPENLDAP1") == 0 ||
+          strcmp(value, "OPENLDAP2") == 0 ||
+          strcmp(value, "SOLARIS") == 0 ||
+          strcmp(value, "SOLARIS7") == 0)              /* Compatibility */
+        {
+        fprintf(new, "#define LDAP_LIB_%s\n", value);
+        }
+      else
+        {
+        printf("\n*** LDAP_LIB_TYPE=%s is not a recognized LDAP library type."
+          "\n*** Please review your build-time configuration.\n\n", value);
+        return 1;
+        }
+      }
+
+    else if (strcmp(name, "RADIUS_LIB_TYPE") == 0)
+      {
+      if (strcmp(value, "RADIUSCLIENT") == 0 ||
+          strcmp(value, "RADIUSCLIENTNEW") == 0 ||
+          strcmp(value, "RADLIB") == 0)
+        {
+        fprintf(new, "#define RADIUS_LIB_%s\n", value);
+        }
+      else
+        {
+        printf("\n*** RADIUS_LIB_TYPE=%s is not a recognized RADIUS library type."
+          "\n*** Please review your build-time configuration.\n\n", value);
+        return 1;
+        }
+      }
+
+    /* Other macros get set to the environment value. */
+
+    else
+      {
+      fprintf(new, "#define %s ", name);
+      while(len-- > 0) fputc(' ', new);
+
+      /* LOG_FILE_PATH is now messy because it can be a path containing %s or
+      it can be "syslog" or ":syslog" or "syslog:path" or even "path:syslog". */
+
+      if (strcmp(name, "LOG_FILE_PATH") == 0)
+        {
+        char *ss = value;
+        for(;;)
+          {
+          char *pp;
+          char *sss = strchr(ss, ':');
+          if (sss != NULL)
+            {
+            strncpy(buffer, ss, sss-ss);
+            buffer[sss-ss] = 0;  /* For empty case */
+            }
+          else
+	    {
+       	    strncpy(buffer, ss, sizeof(buffer));
+	    buffer[sizeof(buffer)-1] = 0;
+	    }
+          pp = buffer + (int)strlen(buffer);
+          while (pp > buffer && isspace((unsigned char)pp[-1])) pp--;
+          *pp = 0;
+          if (buffer[0] != 0 && strcmp(buffer, "syslog") != 0)
+            check_percent_ess(buffer, name);
+          if (sss == NULL) break;
+          ss = sss + 1;
+          while (isspace((unsigned char)*ss)) ss++;
+          }
+        fprintf(new, "\"%s\"\n", value);
+        }
+
+      /* Timezone values HEADERS_CHARSET, TCP_WRAPPERS_DAEMON_NAME and
+      WHITELIST_D_MACROS get quoted */
+
+      else if (strcmp(name, "TIMEZONE_DEFAULT") == 0||
+               strcmp(name, "TCP_WRAPPERS_DAEMON_NAME") == 0||
+               strcmp(name, "HEADERS_CHARSET") == 0||
+               strcmp(name, "WHITELIST_D_MACROS") == 0)
+        fprintf(new, "\"%s\"\n", value);
+
+      /* GnuTLS constants; first is for debugging, others are tuning */
+
+      /* less than 0 is not-active; 0-9 are normal, API suggests higher
+      taken without problems */
+      else if (strcmp(name, "EXIM_GNUTLS_LIBRARY_LOG_LEVEL") == 0)
+        {
+        long nv;
+        char *end;
+        nv = strtol(value, &end, 10);
+        if (end != value && *end == '\0' && nv >= -1 && nv <= 100)
+          {
+          fprintf(new, "%s\n", value);
+          }
+        else
+          {
+          printf("Value of %s should be -1..9\n", name);
+          return 1;
+          }
+        }
+
+      /* how many bits Exim, as a client, demands must be in D-H */
+      /* 1024 is a historical figure; some sites actually use lower, so we
+      permit the value to be lowered "dangerously" low, but not "insanely"
+      low.  Though actually, 1024 is becoming "dangerous". */
+      else if ((strcmp(name, "EXIM_CLIENT_DH_MIN_MIN_BITS") == 0) ||
+               (strcmp(name, "EXIM_CLIENT_DH_DEFAULT_MIN_BITS") == 0) ||
+               (strcmp(name, "EXIM_SERVER_DH_BITS_PRE2_12") == 0))
+        {
+        long nv;
+        char *end;
+        nv = strtol(value, &end, 10);
+        if (end != value && *end == '\0' && nv >= 512 && nv < 500000)
+          {
+          fprintf(new, "%s\n", value);
+          }
+        else
+          {
+          printf("Unreasonable value (%s) of \"%s\".\n", value, name);
+          return 1;
+          }
+        }
+
+      /* For others, quote any paths and don't quote anything else */
+
+      else
+        {
+        if (value[0] == '/') fprintf(new, "\"%s\"\n", value);
+          else fprintf(new, "%s\n", value);
+        }
+      }
+    }
+
+  /* Value not defined in the environment; use the default */
+
+  else
+    {
+    char *t = p;
+    while (*p == ' ' || *p == '\t') p++;
+    if (*p != '\n') fputs(buffer, new); else
+      {
+      *t = 0;
+      if (strcmp(name, "BIN_DIRECTORY")   == 0 ||
+          strcmp(name, "CONFIGURE_FILE")  == 0)
+        {
+        printf("\n*** %s has not been defined in any of the Makefiles in the\n"
+          "    \"Local\" directory. "
+          "Please review your build-time configuration.\n\n", name);
+        return 1;
+        }
+
+      if (strcmp(name, "TIMEZONE_DEFAULT") == 0)
+        {
+        char *tz = getenv("TZ");
+        fprintf(new, "#define TIMEZONE_DEFAULT      ");
+        if (tz == NULL) fprintf(new, "NULL\n"); else
+          fprintf(new, "\"%s\"\n", tz);
+        }
+
+      else fprintf(new, "/* %s not set */\n", name);
+      }
+    }
+  }
+
+(void)fclose(base);
+
+/* If any AUTH macros were defined, ensure that SUPPORT_CRYPTEQ is also
+defined. */
+
+if (have_auth)
+  if (!support_crypteq) fprintf(new, "/* Force SUPPORT_CRYPTEQ for AUTH */\n"
+    "#define SUPPORT_CRYPTEQ\n");
+
+/* Check poll() for timer functionality.
+Some OS' have released with it broken. */
+
+  {
+  struct timeval before, after;
+  size_t us;
+
+  gettimeofday(&before, NULL);
+  (void) poll(NULL, 0, 500);
+  gettimeofday(&after, NULL);
+
+  us = (after.tv_sec - before.tv_sec) * 1000000 +
+    (after.tv_usec - before.tv_usec);
+
+  if (us < 400000)
+    fprintf(new, "#define NO_POLL_H\n");
+  }
+
+/* End off */
+
+fprintf(new, "\n/* End of config.h */\n");
+(void)fclose(new);
+return 0;
+}
+
+/* End of buildconfig.c */
diff --git a/src/child.c b/src/child.c
new file mode 100644
index 0000000..1f38b58
--- /dev/null
+++ b/src/child.c
@@ -0,0 +1,556 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "exim.h"
+
+static void (*oldsignal)(int);
+
+
+/*************************************************
+*          Ensure an fd has a given value        *
+*************************************************/
+
+/* This function is called when we want to ensure that a certain fd has a
+specific value (one of 0, 1, 2). If it hasn't got it already, close the value
+we want, duplicate the fd, then close the old one.
+
+Arguments:
+  oldfd        original fd
+  newfd        the fd we want
+
+Returns:       nothing
+*/
+
+void
+force_fd(int oldfd, int newfd)
+{
+if (oldfd == newfd) return;
+(void)close(newfd);
+(void)dup2(oldfd, newfd);
+(void)close(oldfd);
+}
+
+
+#ifndef STAND_ALONE
+/*************************************************
+*   Build argv list and optionally re-exec Exim  *
+*************************************************/
+
+/* This function is called when Exim wants to re-exec (overlay) itself in the
+current process. This is different to child_open_exim(), which runs another
+Exim process in parallel (but it then calls this function). The function's
+basic job is to build the argv list according to the values of current options
+settings. There is a basic list that all calls require, and an additional list
+that some do not require. Further additions can be given as additional
+arguments. An option specifies whether the exec() is actually to happen, and if
+so, what is to be done if it fails.
+
+Arguments:
+  exec_type      CEE_RETURN_ARGV => don't exec; return the argv list
+                 CEE_EXEC_EXIT   => just exit() on exec failure
+                 CEE_EXEC_PANIC  => panic-die on exec failure
+  kill_v         if TRUE, don't pass on the D_v flag
+  pcount         if not NULL, points to extra size of argv required, and if
+                   CEE_RETURN_ARGV is specified, it is updated to give the
+                   number of slots used
+  minimal        TRUE if only minimal argv is required
+  acount         number of additional arguments
+  ...            further values to add to argv
+
+Returns:         if CEE_RETURN_ARGV is given, returns a pointer to argv;
+                 otherwise, does not return
+*/
+
+uschar **
+child_exec_exim(int exec_type, BOOL kill_v, int *pcount, BOOL minimal,
+  int acount, ...)
+{
+int first_special = -1;
+int n = 0;
+int extra = pcount ? *pcount : 0;
+uschar **argv;
+
+argv = store_get((extra + acount + MAX_CLMACROS + 24) * sizeof(char *), GET_UNTAINTED);
+
+/* In all case, the list starts out with the path, any macros, and a changed
+config file. */
+
+argv[n++] = exim_path;		/* assume untainted */
+if (clmacro_count > 0)
+  {
+  memcpy(argv + n, clmacros, clmacro_count * sizeof(uschar *));
+  n += clmacro_count;
+  }
+if (f.config_changed)
+  { argv[n++] = US"-C"; argv[n++] = config_main_filename; }
+
+/* These values are added only for non-minimal cases. If debug_selector is
+precisely D_v, we have to assume this was started by a non-admin user, and
+we suppress the flag when requested. (This happens when passing on an SMTP
+connection, and after ETRN.) If there's more debugging going on, an admin user
+was involved, so we do pass it on. */
+
+if (!minimal)
+  {
+  if (debug_selector == D_v)
+    {
+    if (!kill_v) argv[n++] = US"-v";
+    }
+  else
+    {
+    if (debug_selector != 0)
+      {
+      argv[n++] = string_sprintf("-d=0x%x", debug_selector);
+      if (debug_fd > 2)
+	{
+	int flags = fcntl(debug_fd, F_GETFD);
+	if (flags != -1) (void)fcntl(debug_fd, F_SETFD, flags & ~FD_CLOEXEC);
+	close(2);
+	dup2(debug_fd, 2);
+	close(debug_fd);
+	}
+      }
+    }
+  if (debug_pretrigger_buf)
+    { argv[n++] = US"-dp"; argv[n++] = string_sprintf("0x%x", debug_pretrigger_bsize); }
+  if (dtrigger_selector != 0)
+    argv[n++] = string_sprintf("-dt=0x%x", dtrigger_selector);
+  DEBUG(D_any)
+    {
+    argv[n++] = US"-MCd";
+    argv[n++] = US process_purpose;
+    }
+  if (!f.testsuite_delays)	argv[n++] = US"-odd";
+  if (f.dont_deliver)		argv[n++] = US"-N";
+  if (f.queue_smtp)		argv[n++] = US"-odqs";
+  if (f.synchronous_delivery)	argv[n++] = US"-odi";
+  if (connection_max_messages >= 0)
+    argv[n++] = string_sprintf("-oB%d", connection_max_messages);
+  if (*queue_name)
+    { argv[n++] = US"-MCG"; argv[n++] = queue_name; }
+  }
+
+/* Now add in any others that are in the call. Remember which they were,
+for more helpful diagnosis on failure. */
+
+if (acount > 0)
+  {
+  va_list ap;
+  va_start(ap, acount);
+  first_special = n;
+  while (acount-- > 0)
+    argv[n++] = va_arg(ap, uschar *);
+  va_end(ap);
+  }
+
+/* Terminate the list, and return it, if that is what is wanted. */
+
+argv[n] = NULL;
+if (exec_type == CEE_RETURN_ARGV)
+  {
+  if (pcount) *pcount = n;
+  return argv;
+  }
+
+/* Otherwise, do the exec() here, and handle the consequences of an unexpected
+failure. We know that there will always be at least one extra option in the
+call when exec() is done here, so it can be used to add to the panic data. */
+
+DEBUG(D_exec) debug_print_argv(CUSS argv);
+exim_nullstd();                            /* Make sure std{in,out,err} exist */
+execv(CS argv[0], (char *const *)argv);
+
+log_write(0,
+  LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE),
+  "re-exec of exim (%s) with %s failed: %s", exim_path, argv[first_special],
+  strerror(errno));
+
+/* Get here if exec_type == CEE_EXEC_EXIT.
+Note: this must be _exit(), not exit(). */
+
+_exit(EX_EXECFAILED);
+
+return NULL;   /* To keep compilers happy */
+}
+
+
+
+
+/*************************************************
+*          Create a child Exim process           *
+*************************************************/
+
+/* This function is called when Exim wants to run a parallel instance of itself
+in order to inject a message via the standard input. The function creates a
+child process and runs Exim in it. It sets up a pipe to the standard input of
+the new process, and returns that to the caller via fdptr. The function returns
+the pid of the new process, or -1 if things go wrong. If debug_fd is
+non-negative, it is passed as stderr.
+
+This interface is now a just wrapper for the more complicated function
+child_open_exim2(), which has additional arguments. The wrapper must continue
+to exist, even if all calls from within Exim are changed, because it is
+documented for use from local_scan().
+
+Argument: fdptr   pointer to int for the stdin fd
+	  purpose of the child process, for debug
+Returns:          pid of the created process or -1 if anything has gone wrong
+*/
+
+pid_t
+child_open_exim_function(int * fdptr, const uschar * purpose)
+{
+return child_open_exim2_function(fdptr, US"<>", bounce_sender_authentication,
+  purpose);
+}
+
+
+/* This is a more complicated function for creating a child Exim process, with
+more arguments.
+
+Arguments:
+  fdptr                   pointer to int for the stdin fd
+  sender                  for a sender address (data for -f)
+  sender_authentication   authenticated sender address or NULL
+  purpose		  of the child process, for debug
+
+Returns:          pid of the created process or -1 if anything has gone wrong
+*/
+
+pid_t
+child_open_exim2_function(int * fdptr, uschar * sender,
+  uschar * sender_authentication, const uschar * purpose)
+{
+int pfd[2];
+int save_errno;
+pid_t pid;
+
+/* Create the pipe and fork the process. Ensure that SIGCHLD is set to
+SIG_DFL before forking, so that the child process can be waited for. We
+sometimes get here with it set otherwise. Save the old state for resetting
+on the wait. */
+
+if (pipe(pfd) != 0) return (pid_t)(-1);
+oldsignal = signal(SIGCHLD, SIG_DFL);
+pid = exim_fork(purpose);
+
+/* Child process: make the reading end of the pipe into the standard input and
+close the writing end. If debugging, pass debug_fd as stderr. Then re-exec
+Exim with appropriate options. In the test harness, use -odi unless queue_only
+is set, so that the bounce is fully delivered before returning. Failure is
+signalled with EX_EXECFAILED (specified by CEE_EXEC_EXIT), but this shouldn't
+occur. */
+
+if (pid == 0)
+  {
+  force_fd(pfd[pipe_read], 0);
+  (void)close(pfd[pipe_write]);
+  if (debug_fd > 0) force_fd(debug_fd, 2);
+  if (f.running_in_test_harness && !queue_only)
+    {
+    if (sender_authentication)
+      child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 9,
+        US "-odi", US"-t", US"-oem", US"-oi", US"-f", sender, US"-oMas",
+        sender_authentication, message_id_option);
+    else
+      child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 7,
+        US "-odi", US"-t", US"-oem", US"-oi", US"-f", sender,
+        message_id_option);
+    /* Control does not return here. */
+    }
+  else   /* Not test harness */
+    {
+    if (sender_authentication)
+      child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 8,
+        US"-t", US"-oem", US"-oi", US"-f", sender, US"-oMas",
+        sender_authentication, message_id_option);
+    else
+      child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 6,
+        US"-t", US"-oem", US"-oi", US"-f", sender, message_id_option);
+    /* Control does not return here. */
+    }
+  }
+
+testharness_pause_ms(100); /* let child work even longer, for exec */
+
+/* Parent process. Save fork() errno and close the reading end of the stdin
+pipe. */
+
+save_errno = errno;
+(void)close(pfd[pipe_read]);
+
+/* Fork succeeded */
+
+if (pid > 0)
+  {
+  *fdptr = pfd[pipe_write];   /* return writing end of stdin pipe */
+  return pid;                 /* and pid of new process */
+  }
+
+/* Fork failed */
+
+(void)close(pfd[pipe_write]);
+errno = save_errno;
+return (pid_t)(-1);
+}
+#endif   /* STAND_ALONE */
+
+
+
+/*************************************************
+*         Create a non-Exim child process        *
+*************************************************/
+
+/* This function creates a child process and runs the given command in it. It
+sets up pipes to the standard input and output of the new process, and returns
+them to the caller. The standard error is cloned to the output. If there are
+any file descriptors "in the way" in the new process, they are closed. A new
+umask is supplied for the process, and an optional new uid and gid are also
+available. These are used by the queryprogram router to set an unprivileged id.
+SIGUSR1 is always disabled in the new process, as it is not going to be running
+Exim (the function child_open_exim() is provided for that). This function
+returns the pid of the new process, or -1 if things go wrong.
+
+Arguments:
+  argv        the argv for exec in the new process
+  envp        the envp for exec in the new process
+  newumask    umask to set in the new process
+  newuid      point to uid for the new process or NULL for no change
+  newgid      point to gid for the new process or NULL for no change
+  infdptr     pointer to int into which the fd of the stdin of the new process
+                is placed
+  outfdptr    pointer to int into which the fd of the stdout/stderr of the new
+                process is placed
+  wd          if not NULL, a path to be handed to chdir() in the new process
+  make_leader if TRUE, make the new process a process group leader
+  purpose     for debug: reason for running the task
+
+Returns:      the pid of the created process or -1 if anything has gone wrong
+*/
+
+pid_t
+child_open_uid(const uschar **argv, const uschar **envp, int newumask,
+  uid_t *newuid, gid_t *newgid, int *infdptr, int *outfdptr, uschar *wd,
+  BOOL make_leader, const uschar * purpose)
+{
+int save_errno;
+int inpfd[2], outpfd[2];
+pid_t pid;
+
+if (is_tainted(argv[0]))
+  {
+  log_write(0, LOG_MAIN | LOG_PANIC, "Attempt to exec tainted path: '%s'", argv[0]);
+  errno = EPERM;
+  return (pid_t)(-1);
+  }
+
+/* Create the pipes. */
+
+if (pipe(inpfd) != 0) return (pid_t)(-1);
+if (pipe(outpfd) != 0)
+  {
+  (void)close(inpfd[pipe_read]);
+  (void)close(inpfd[pipe_write]);
+  return (pid_t)(-1);
+  }
+
+/* Fork the process. Ensure that SIGCHLD is set to SIG_DFL before forking, so
+that the child process can be waited for. We sometimes get here with it set
+otherwise. Save the old state for resetting on the wait. */
+
+oldsignal = signal(SIGCHLD, SIG_DFL);
+pid = exim_fork(purpose);
+
+/* Handle the child process. First, set the required environment. We must do
+this before messing with the pipes, in order to be able to write debugging
+output when things go wrong. */
+
+if (pid == 0)
+  {
+  signal(SIGUSR1, SIG_IGN);
+  signal(SIGPIPE, SIG_DFL);
+
+  if (newgid && setgid(*newgid) < 0)
+    {
+    DEBUG(D_any) debug_printf("failed to set gid=%ld in subprocess: %s\n",
+      (long int)(*newgid), strerror(errno));
+    goto CHILD_FAILED;
+    }
+
+  if (newuid && setuid(*newuid) < 0)
+    {
+    DEBUG(D_any) debug_printf("failed to set uid=%ld in subprocess: %s\n",
+      (long int)(*newuid), strerror(errno));
+    goto CHILD_FAILED;
+    }
+
+  (void)umask(newumask);
+
+  if (wd && Uchdir(wd) < 0)
+    {
+    DEBUG(D_any) debug_printf("failed to chdir to %s: %s\n", wd,
+      strerror(errno));
+    goto CHILD_FAILED;
+    }
+
+  /* Becomes a process group leader if requested, and then organize the pipes.
+  Any unexpected failure is signalled with EX_EXECFAILED; these are all "should
+  never occur" failures, except for exec failing because the command doesn't
+  exist. */
+
+  if (make_leader && setpgid(0,0) < 0)
+    {
+    DEBUG(D_any) debug_printf("failed to set group leader in subprocess: %s\n",
+      strerror(errno));
+    goto CHILD_FAILED;
+    }
+
+  (void)close(inpfd[pipe_write]);
+  force_fd(inpfd[pipe_read], 0);
+
+  (void)close(outpfd[pipe_read]);
+  force_fd(outpfd[pipe_write], 1);
+
+  (void)close(2);
+  (void)dup2(1, 2);
+
+  /* Now do the exec */
+
+  if (envp) execve(CS argv[0], (char *const *)argv, (char *const *)envp);
+  else execv(CS argv[0], (char *const *)argv);
+
+  /* Failed to execv. Signal this failure using EX_EXECFAILED. We are
+  losing the actual errno we got back, because there is no way to return
+  this information. */
+
+  CHILD_FAILED:
+  _exit(EX_EXECFAILED);      /* Note: must be _exit(), NOT exit() */
+  }
+
+/* Parent process. Save any fork failure code, and close the reading end of the
+stdin pipe, and the writing end of the stdout pipe. */
+
+save_errno = errno;
+(void)close(inpfd[pipe_read]);
+(void)close(outpfd[pipe_write]);
+
+/* Fork succeeded; return the input/output pipes and the pid */
+
+if (pid > 0)
+  {
+  *infdptr = inpfd[pipe_write];
+  *outfdptr = outpfd[pipe_read];
+  return pid;
+  }
+
+/* Fork failed; reset fork errno before returning */
+
+(void)close(inpfd[pipe_write]);
+(void)close(outpfd[pipe_read]);
+errno = save_errno;
+return (pid_t)(-1);
+}
+
+
+
+
+/*************************************************
+*    Create child process without uid change     *
+*************************************************/
+
+/* This function is a wrapper for child_open_uid() that doesn't have the uid,
+gid and working directory changing arguments. The function is provided so as to
+have a clean interface for use from local_scan(), but also saves writing NULL
+arguments several calls that would otherwise use child_open_uid().
+
+Arguments:
+  argv        the argv for exec in the new process
+  envp        the envp for exec in the new process
+  newumask    umask to set in the new process
+  infdptr     pointer to int into which the fd of the stdin of the new process
+                is placed
+  outfdptr    pointer to int into which the fd of the stdout/stderr of the new
+                process is placed
+  make_leader if TRUE, make the new process a process group leader
+  purpose     for debug: reason for running the task
+
+Returns:      the pid of the created process or -1 if anything has gone wrong
+*/
+
+pid_t
+child_open_function(uschar **argv, uschar **envp, int newumask, int *infdptr,
+  int *outfdptr, BOOL make_leader, const uschar * purpose)
+{
+return child_open_uid(CUSS argv, CUSS envp, newumask, NULL, NULL,
+  infdptr, outfdptr, NULL, make_leader, purpose);
+}
+
+
+
+
+/*************************************************
+*           Close down child process             *
+*************************************************/
+
+/* Wait for the given process to finish, with optional timeout.
+
+Arguments
+  pid:      the pid to wait for
+  timeout:  maximum time to wait; 0 means for as long as it takes
+
+Returns:    >= 0          process terminated by exiting; value is process
+                            ending status; if an execve() failed, the value
+                            is typically 127 (defined as EX_EXECFAILED)
+            < 0 & > -256  process was terminated by a signal; value is the
+                            negation of the signal number
+            -256          timed out
+            -257          other error in wait(); errno still set
+*/
+
+int
+child_close(pid_t pid, int timeout)
+{
+int yield;
+
+if (timeout > 0)
+  {
+  sigalrm_seen = FALSE;
+  ALARM(timeout);
+  }
+
+for(;;)
+  {
+  int status;
+  pid_t rc = waitpid(pid, &status, 0);
+  if (rc == pid)
+    {
+    int lowbyte = status & 255;
+    yield = lowbyte == 0 ? (status >> 8) & 255 : -lowbyte;
+    break;
+    }
+  if (rc < 0)
+    {
+    /* This "shouldn't happen" test does happen on MacOS: for some reason
+    I do not understand we seems to get an alarm signal despite not having
+    an active alarm set. There seems to be only one, so just go round again. */
+
+    if (errno == EINTR && sigalrm_seen && timeout <= 0) continue;
+
+    yield = (errno == EINTR && sigalrm_seen) ? -256 : -257;
+    break;
+    }
+  }
+
+if (timeout > 0) ALARM_CLR(0);
+
+signal(SIGCHLD, oldsignal);   /* restore */
+return yield;
+}
+
+/* End of child.c */
diff --git a/src/cnumber.h b/src/cnumber.h
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/src/cnumber.h
@@ -0,0 +1 @@
+1
diff --git a/src/config.h.defaults b/src/config.h.defaults
new file mode 100644
index 0000000..25ab755
--- /dev/null
+++ b/src/config.h.defaults
@@ -0,0 +1,235 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2018 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* The default settings for Exim configuration variables. A #define without
+any data just defines the existence of the variable; it won't get included
+in config.h unless some value is defined in Local/Makefile. If there is data,
+it's a default value.
+
+Do not put spaces between # and the 'define'.
+*/
+
+#define ALT_CONFIG_PREFIX
+#define TRUSTED_CONFIG_LIST
+
+#define APPENDFILE_MODE            0600
+#define APPENDFILE_DIRECTORY_MODE  0700
+#define APPENDFILE_LOCKFILE_MODE   0600
+
+#define AUTH_CRAM_MD5
+#define AUTH_CYRUS_SASL
+#define AUTH_DOVECOT
+#define AUTH_EXTERNAL
+#define AUTH_GSASL
+#define AUTH_HEIMDAL_GSSAPI
+#define AUTH_PLAINTEXT
+#define AUTH_SPA
+#define AUTH_TLS
+
+#define AUTH_VARS                     4
+
+#define BIN_DIRECTORY
+
+#define CONFIGURE_FILE
+#define CONFIGURE_FILE_USE_EUID
+#define CONFIGURE_FILE_USE_NODE
+#define CONFIGURE_GROUP
+#define CONFIGURE_OWNER
+#define CYRUS_PWCHECK_SOCKET
+#define CYRUS_SASLAUTHD_SOCKET
+
+#define DEFAULT_CRYPT              crypt
+#define DELIVER_IN_BUFFER_SIZE     8192
+#define DELIVER_OUT_BUFFER_SIZE    8192
+
+#define DISABLE_CLIENT_CMD_LOG
+#define DISABLE_D_OPTION
+#define DISABLE_DNSSEC
+#define DISABLE_DKIM
+#define DISABLE_EVENT
+#define DISABLE_OCSP
+#define DISABLE_PIPE_CONNECT
+#define DISABLE_PRDR
+#define DISABLE_QUEUE_RAMP
+#define DISABLE_TLS
+#define DISABLE_TLS_RESUME
+
+#define ENABLE_DISABLE_FSYNC
+
+#define EXIMDB_DIRECTORY_MODE      0750
+#define EXIMDB_LOCK_TIMEOUT          60
+#define EXIMDB_LOCKFILE_MODE       0640
+#define EXIMDB_MODE                0640
+#define EXIM_CLIENT_DH_MIN_MIN_BITS         512
+#define EXIM_CLIENT_DH_DEFAULT_MIN_BITS    1024
+#define EXIM_GNUTLS_LIBRARY_LOG_LEVEL
+#define EXIM_SERVER_DH_BITS_PRE2_12
+#define EXIM_PERL
+/* Both uid and gid are triggered by this */
+#define EXIM_UID
+#define EXPAND_DLFUNC
+#define EXPAND_LISTMATCH_RHS
+
+#define FIXED_NEVER_USERS         "root"
+
+#define HAVE_CRYPT16
+#define HAVE_LOCAL_SCAN
+#define HAVE_SA_LEN
+#define HEADERS_CHARSET           "ISO-8859-1"
+#define HEADER_ADD_BUFFER_SIZE    (8192 * 4)
+#define HEADER_MAXSIZE            (1024*1024)
+
+#define INPUT_DIRECTORY_MODE       0750
+#define IPV6_USE_INET_PTON
+
+#define LDAP_LIB_TYPE
+#define LOCAL_SCAN_HAS_OPTIONS
+
+#define LOG_DIRECTORY_MODE         0750
+#define LOG_FILE_PATH
+#define LOG_MODE                   0640
+
+#define LOOKUP_CDB
+#define LOOKUP_DBM
+#define LOOKUP_DNSDB
+#define LOOKUP_DSEARCH
+#define LOOKUP_IBASE
+#define LOOKUP_JSON
+#define LOOKUP_LDAP
+#define LOOKUP_LMDB
+#define LOOKUP_LSEARCH
+#define LOOKUP_MYSQL
+#define LOOKUP_NIS
+#define LOOKUP_NISPLUS
+#define LOOKUP_ORACLE
+#define LOOKUP_PASSWD
+#define LOOKUP_PGSQL
+#define LOOKUP_REDIS
+#define LOOKUP_SQLITE
+#define LOOKUP_TESTDB
+#define LOOKUP_WHOSON
+#define LOOKUP_WILDLSEARCH
+#define LOOKUP_NWILDLSEARCH
+
+#define LOOKUP_MODULE_DIR
+
+#define MAX_FILTER_SIZE           (1024*1024)
+#define MAX_LOCALHOST_NUMBER        256
+#define MAX_INCLUDE_SIZE          (1024*1024)
+#define MAX_INTERFACES              250
+#define MAX_NAMED_LIST               16
+#define MSGLOG_DIRECTORY_MODE      0750
+
+#define NVALGRIND
+
+#define PID_FILE_PATH
+
+#define RADIUS_CONFIG_FILE
+#define RADIUS_LIB_TYPE
+
+#define REGEX_VARS                 9
+
+#define ROUTER_ACCEPT
+#define ROUTER_DNSLOOKUP
+#define ROUTER_IPLITERAL
+#define ROUTER_IPLOOKUP
+#define ROUTER_MANUALROUTE
+#define ROUTER_QUERYPROGRAM
+#define ROUTER_REDIRECT
+
+#define SPOOL_DIRECTORY
+#define SPOOL_DIRECTORY_MODE       0750
+#define SPOOL_MODE                 0640
+#define STRING_SPRINTF_BUFFER_SIZE (8192 * 4)
+
+#define SUPPORT_CRYPTEQ
+#define SUPPORT_DANE
+#define SUPPORT_DMARC
+#define DMARC_TLD_FILE "/etc/exim/opendmarc.tlds"
+#define SUPPORT_I18N
+#define SUPPORT_I18N_2008
+#define SUPPORT_MAILDIR
+#define SUPPORT_MAILSTORE
+#define SUPPORT_MBX
+#define SUPPORT_MOVE_FROZEN_MESSAGES
+#define SUPPORT_PAM
+#define SUPPORT_PROXY
+#define SUPPORT_SOCKS
+#define SUPPORT_SPF
+#define SUPPORT_SRS
+#define SUPPORT_TRANSLATE_IP_ADDRESS
+
+#define SYSLOG_LOG_PID
+#define SYSLOG_LONG_LINES
+
+#define TCP_WRAPPERS_DAEMON_NAME "exim"
+#define TIMEZONE_DEFAULT
+#define EXIM_TMPDIR
+
+#define TRANSPORT_APPENDFILE
+#define TRANSPORT_AUTOREPLY
+#define TRANSPORT_LMTP
+#define TRANSPORT_PIPE
+#define TRANSPORT_SMTP
+
+#define USE_DB
+#define USE_GDBM
+#define USE_GNUTLS
+#define AVOID_GNUTLS_PKCS11
+#define USE_NDBM
+#define USE_OPENSSL
+#define USE_READLINE
+#define USE_TCP_WRAPPERS
+#define USE_TDB
+
+#define WHITELIST_D_MACROS
+
+#define WITH_CONTENT_SCAN
+#define DISABLE_MAL_FFROTD
+#define DISABLE_MAL_FFROT6D
+#define DISABLE_MAL_DRWEB
+#define DISABLE_MAL_AVE
+#define DISABLE_MAL_FSECURE
+#define DISABLE_MAL_KAV
+#define DISABLE_MAL_SOPHIE
+#define DISABLE_MAL_CLAM
+#define DISABLE_MAL_MKS
+#define DISABLE_MAL_AVAST
+#define DISABLE_MAL_SOCK
+#define DISABLE_MAL_CMDLINE
+
+/* EXPERIMENTAL features */
+#define EXPERIMENTAL_ARC
+#define EXPERIMENTAL_BRIGHTMAIL
+#define EXPERIMENTAL_DCC
+#define EXPERIMENTAL_DSN_INFO
+#define EXPERIMENTAL_ESMTP_LIMITS
+#define EXPERIMENTAL_QUEUEFILE
+
+
+/* For developers */
+#define WANT_DEEPER_PRINTF_CHECKS
+
+/* Things that are not routinely changed but are nevertheless configurable
+just in case. */
+
+#define DNS_MAXNAME                1024
+#define EXPAND_MAXN                  20
+#define ROOT_UID                      0
+#define ROOT_GID                      0
+
+/* Sizes for integer arithmetic.
+Go for 64bit; can be overridden in OS/Makefile-FOO
+If you make it a different number of bits, provide a definition
+for EXIM_ARITH_MAX and _MIN in OS/oh.h-FOO */
+#define int_eximarith_t int64_t
+#define PR_EXIM_ARITH "%" PRId64		/* C99 standard, printf %lld */
+#define SC_EXIM_ARITH "%" SCNi64		/* scanf incl. 0x prefix */
+#define SC_EXIM_DEC   "%" SCNd64		/* scanf decimal */
+
+/* End of config.h.defaults */
diff --git a/src/configure.default b/src/configure.default
new file mode 100644
index 0000000..3761daf
--- /dev/null
+++ b/src/configure.default
@@ -0,0 +1,1015 @@
+######################################################################
+#                  Runtime configuration file for Exim               #
+######################################################################
+
+
+# This is a default configuration file which will operate correctly in
+# uncomplicated installations. Please see the manual for a complete list
+# of all the runtime configuration options that can be included in a
+# configuration file. There are many more than are mentioned here. The
+# manual is in the file doc/spec.txt in the Exim distribution as a plain
+# ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available
+# from the Exim ftp sites. The manual is also online at the Exim website.
+
+
+# This file is divided into several parts, all but the first of which are
+# headed by a line starting with the word "begin". Only those parts that
+# are required need to be present. Blank lines, and lines starting with #
+# are ignored.
+
+
+########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########
+#                                                                          #
+# Whenever you change Exim's configuration file, you *must* remember to    #
+# HUP the Exim daemon, because it will not pick up the new configuration   #
+# until you do. However, any other Exim processes that are started, for    #
+# example, a process started by an MUA in order to send a message, will    #
+# see the new configuration as soon as it is in place.                     #
+#                                                                          #
+# You do not need to HUP the daemon for changes in auxiliary files that    #
+# are referenced from this file. They are read every time they are used.   #
+#                                                                          #
+# It is usually a good idea to test a new configuration for syntactic      #
+# correctness before installing it (for example, by running the command    #
+# "exim -C /config/file.new -bV").                                         #
+#                                                                          #
+########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########
+
+
+
+######################################################################
+#                               MACROS                               #
+######################################################################
+#
+
+# If you want to use a smarthost instead of sending directly to recipient
+# domains, uncomment this macro definition and set a real hostname.
+# An appropriately privileged user can then redirect email on the command-line
+# in emergencies, via -D.
+#
+# ROUTER_SMARTHOST=MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE
+
+######################################################################
+#                    MAIN CONFIGURATION SETTINGS                     #
+######################################################################
+#
+
+# Specify your host's canonical name here. This should normally be the fully
+# qualified "official" name of your host. If this option is not set, the
+# uname() function is called to obtain the name. In many cases this does
+# the right thing and you need not set anything explicitly.
+
+# primary_hostname =
+
+
+# The next three settings create two lists of domains and one list of hosts.
+# These lists are referred to later in this configuration using the syntax
+# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
+# are all colon-separated lists:
+
+domainlist local_domains = @
+domainlist relay_to_domains =
+hostlist   relay_from_hosts = localhost
+# (We rely upon hostname resolution working for localhost, because the default
+# uncommented configuration needs to work in IPv4-only environments.)
+
+# Most straightforward access control requirements can be obtained by
+# appropriate settings of the above options. In more complicated situations,
+# you may need to modify the Access Control Lists (ACLs) which appear later in
+# this file.
+
+# The first setting specifies your local domains, for example:
+#
+#   domainlist local_domains = my.first.domain : my.second.domain
+#
+# You can use "@" to mean "the name of the local host", as in the default
+# setting above. This is the name that is specified by primary_hostname,
+# as specified above (or defaulted). If you do not want to do any local
+# deliveries, remove the "@" from the setting above. If you want to accept mail
+# addressed to your host's literal IP address, for example, mail addressed to
+# "user@[192.168.23.44]", you can add "@[]" as an item in the local domains
+# list. You also need to uncomment "allow_domain_literals" below. This is not
+# recommended for today's Internet.
+
+# The second setting specifies domains for which your host is an incoming relay.
+# If you are not doing any relaying, you should leave the list empty. However,
+# if your host is an MX backup or gateway of some kind for some domains, you
+# must set relay_to_domains to match those domains. For example:
+#
+# domainlist relay_to_domains = *.myco.com : my.friend.org
+#
+# This will allow any host to relay through your host to those domains.
+# See the section of the manual entitled "Control of relaying" for more
+# information.
+
+# The third setting specifies hosts that can use your host as an outgoing relay
+# to any other host on the Internet. Such a setting commonly refers to a
+# complete local network as well as the localhost. For example:
+#
+# hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 192.168.0.0/16
+#
+# The "/16" is a bit mask (CIDR notation), not a number of hosts. Note that you
+# have to include 127.0.0.1 if you want to allow processes on your host to send
+# SMTP mail by using the loopback address. A number of MUAs use this method of
+# sending mail.  Often, connections are made to "localhost", which might be ::1
+# on IPv6-enabled hosts.  Do not forget CIDR for your IPv6 networks.
+
+# All three of these lists may contain many different kinds of item, including
+# wildcarded names, regular expressions, and file lookups. See the reference
+# manual for details. The lists above are used in the access control lists for
+# checking incoming messages. The names of these ACLs are defined here:
+
+acl_smtp_rcpt =         acl_check_rcpt
+.ifdef _HAVE_PRDR
+acl_smtp_data_prdr =    acl_check_prdr
+.endif
+acl_smtp_data =         acl_check_data
+
+# You should not change those settings until you understand how ACLs work.
+
+
+# If you are running a version of Exim that was compiled with the content-
+# scanning extension, you can cause incoming messages to be automatically
+# scanned for viruses. You have to modify the configuration in two places to
+# set this up. The first of them is here, where you define the interface to
+# your scanner. This example is typical for ClamAV; see the manual for details
+# of what to set for other virus scanners. The second modification is in the
+# acl_check_data access control list (see below).
+
+# av_scanner = clamd:/tmp/clamd
+
+
+# For spam scanning, there is a similar option that defines the interface to
+# SpamAssassin. You do not need to set this if you are using the default, which
+# is shown in this commented example. As for virus scanning, you must also
+# modify the acl_check_data access control list to enable spam scanning.
+
+# spamd_address = 127.0.0.1 783
+
+
+# If Exim is compiled with support for TLS, you may want to change the
+# following option so that Exim disallows certain clients from makeing encrypted
+# connections. The default is to allow all.
+# In the authenticators section below, there are template configurations for
+# plaintext username/password authentication. This kind of authentication is
+# only safe when used within a TLS connection, so the authenticators will only
+# work if TLS is allowed here.
+
+# This is equivalent to the default.
+
+# tls_advertise_hosts = *
+
+# Specify the location of the Exim server's TLS certificate and private key.
+# The private key must not be encrypted (password protected). You can put
+# the certificate and private key in the same file, in which case you only
+# need the first setting, or in separate files, in which case you need both
+# options.
+
+# tls_certificate = /etc/ssl/exim.crt
+# tls_privatekey = /etc/ssl/exim.pem
+
+# For OpenSSL, prefer EC- over RSA-authenticated ciphers
+.ifdef _HAVE_OPENSSL
+tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+.endif
+
+# Don't offer resumption to (most) MUAs, who we don't want to reuse
+# tickets.  Once the TLS extension for vended ticket numbers comes
+# though, re-examine since resumption on a single-use ticket is still a benefit.
+.ifdef _HAVE_TLS_RESUME
+tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}}
+.endif
+
+# In order to support roaming users who wish to send email from anywhere,
+# you may want to make Exim listen on other ports as well as port 25, in
+# case these users need to send email from a network that blocks port 25.
+# The standard port for this purpose is port 587, the "message submission"
+# port. See RFC 4409 for details. Microsoft MUAs cannot be configured to
+# talk the message submission protocol correctly, so if you need to support
+# them you should also allow TLS-on-connect on the traditional but
+# non-standard port 465.
+
+# daemon_smtp_ports = 25 : 465 : 587
+# tls_on_connect_ports = 465
+
+
+# Specify the domain you want to be added to all unqualified addresses
+# here. An unqualified address is one that does not contain an "@" character
+# followed by a domain. For example, "caesar@rome.example" is a fully qualified
+# address, but the string "caesar" (i.e. just a login name) is an unqualified
+# email address. Unqualified addresses are accepted only from local callers by
+# default. See the recipient_unqualified_hosts option if you want to permit
+# unqualified addresses from remote sources. If this option is not set, the
+# primary_hostname value is used for qualification.
+
+# qualify_domain =
+
+
+# If you want unqualified recipient addresses to be qualified with a different
+# domain to unqualified sender addresses, specify the recipient domain here.
+# If this option is not set, the qualify_domain value is used.
+
+# qualify_recipient =
+
+
+# The following line must be uncommented if you want Exim to recognize
+# addresses of the form "user@[10.11.12.13]" that is, with a "domain literal"
+# (an IP address) instead of a named domain. The RFCs still require this form,
+# but it makes little sense to permit mail to be sent to specific hosts by
+# their IP address in the modern Internet. This ancient format has been used
+# by those seeking to abuse hosts by using them for unwanted relaying. If you
+# really do want to support domain literals, uncomment the following line, and
+# see also the "domain_literal" router below.
+
+# allow_domain_literals
+
+
+# No deliveries will ever be run under the uids of users specified by
+# never_users (a colon-separated list). An attempt to do so causes a panic
+# error to be logged, and the delivery to be deferred. This is a paranoic
+# safety catch. There is an even stronger safety catch in the form of the
+# FIXED_NEVER_USERS setting in the configuration for building Exim. The list of
+# users that it specifies is built into the binary, and cannot be changed. The
+# option below just adds additional users to the list. The default for
+# FIXED_NEVER_USERS is "root", but just to be absolutely sure, the default here
+# is also "root".
+
+# Note that the default setting means you cannot deliver mail addressed to root
+# as if it were a normal user. This isn't usually a problem, as most sites have
+# an alias for root that redirects such mail to a human administrator.
+
+never_users = root
+
+
+# The setting below causes Exim to do a reverse DNS lookup on all incoming
+# IP calls, in order to get the true host name. If you feel this is too
+# expensive, you can specify the networks for which a lookup is done, or
+# remove the setting entirely.
+
+host_lookup = *
+
+
+# The setting below causes Exim to try to initialize the system resolver
+# library with DNSSEC support.  It has no effect if your library lacks
+# DNSSEC support.
+
+dns_dnssec_ok = 1
+
+
+# The settings below cause Exim to make RFC 1413 (ident) callbacks
+# for all incoming SMTP calls. You can limit the hosts to which these
+# calls are made, and/or change the timeout that is used. If you set
+# the timeout to zero, all RFC 1413 calls are disabled. RFC 1413 calls
+# are cheap and can provide useful information for tracing problem
+# messages, but some hosts and firewalls have problems with them.
+# This can result in a timeout instead of an immediate refused
+# connection, leading to delays on starting up SMTP sessions.
+# (The default was reduced from 30s to 5s for release 4.61. and to
+# disabled for release 4.86)
+#
+#rfc1413_hosts = *
+#rfc1413_query_timeout = 5s
+
+
+# Enable an efficiency feature.  We advertise the feature; clients
+# may request to use it.  For multi-recipient mails we then can
+# reject or accept per-user after the message is received.
+# This supports recipient-dependent content filtering; without it
+# you have to temp-reject any recipients after the first that have
+# incompatible filtering, and do the filtering in the data ACL.
+# Even with this enabled, you must support the old style for peers
+# not flagging support for PRDR (visible via $prdr_requested).
+#
+.ifdef _HAVE_PRDR
+prdr_enable = true
+.endif
+
+
+# By default, Exim expects all envelope addresses to be fully qualified, that
+# is, they must contain both a local part and a domain. If you want to accept
+# unqualified addresses (just a local part) from certain hosts, you can specify
+# these hosts by setting one or both of
+#
+# sender_unqualified_hosts =
+# recipient_unqualified_hosts =
+#
+# to control sender and recipient addresses, respectively. When this is done,
+# unqualified addresses are qualified using the settings of qualify_domain
+# and/or qualify_recipient (see above).
+
+
+# Unless you run a high-volume site you probably want more logging
+# detail than the default.  Adjust to suit.
+
+log_selector = +smtp_protocol_error +smtp_syntax_error \
+        +tls_certificate_verified
+
+
+# If you want Exim to support the "percent hack" for certain domains,
+# uncomment the following line and provide a list of domains. The "percent
+# hack" is the feature by which mail addressed to x%y@z (where z is one of
+# the domains listed) is locally rerouted to x@y and sent on. If z is not one
+# of the "percent hack" domains, x%y is treated as an ordinary local part. This
+# hack is rarely needed nowadays; you should not enable it unless you are sure
+# that you really need it.
+#
+# percent_hack_domains =
+#
+# As well as setting this option you will also need to remove the test
+# for local parts containing % in the ACL definition below.
+
+
+# When Exim can neither deliver a message nor return it to sender, it "freezes"
+# the delivery error message (aka "bounce message"). There are also other
+# circumstances in which messages get frozen. They will stay on the queue for
+# ever unless one of the following options is set.
+
+# This option unfreezes frozen bounce messages after two days, tries
+# once more to deliver them, and ignores any delivery failures.
+
+ignore_bounce_errors_after = 2d
+
+# This option cancels (removes) frozen messages that are older than a week.
+
+timeout_frozen_after = 7d
+
+
+# By default, messages that are waiting on Exim's queue are all held in a
+# single directory called "input" which is itself within Exim's spool
+# directory. (The default spool directory is specified when Exim is built, and
+# is often /var/spool/exim/.) Exim works best when its queue is kept short, but
+# there are circumstances where this is not always possible. If you uncomment
+# the setting below, messages on the queue are held in 62 subdirectories of
+# "input" instead of all in the same directory. The subdirectories are called
+# 0, 1, ... A, B, ... a, b, ... z. This has two benefits: (1) If your file
+# system degrades with many files in one directory, this is less likely to
+# happen; (2) Exim can process the queue one subdirectory at a time instead of
+# all at once, which can give better performance with large queues.
+
+# split_spool_directory = true
+
+
+# If you're in a part of the world where ASCII is not sufficient for most
+# text, then you're probably familiar with RFC2047 message header extensions.
+# By default, Exim adheres to the specification, including a limit of 76
+# characters to a line, with encoded words fitting within a line.
+# If you wish to use decoded headers in message filters in such a way
+# that successful decoding of malformed messages matters, you may wish to
+# configure Exim to be more lenient.
+#
+# check_rfc2047_length = false
+#
+# In particular, the Exim maintainers have had multiple reports of problems
+# from Russian administrators of issues until they disable this check,
+# because of some popular, yet buggy, mail composition software.
+
+
+# If you wish to be strictly RFC compliant, or if you know you'll be
+# exchanging email with systems that are not 8-bit clean, then you may
+# wish to disable advertising 8BITMIME.  Uncomment this option to do so.
+
+# accept_8bitmime = false
+
+
+# Exim does not make use of environment variables itself. However,
+# libraries that Exim uses (e.g. LDAP) depend on specific environment settings.
+# There are two lists: keep_environment for the variables we trust, and
+# add_environment for variables we want to set to a specific value.
+# Note that TZ is handled separately by the timezone runtime option
+# and TIMEZONE_DEFAULT buildtime option.
+
+# keep_environment = ^LDAP
+# add_environment = PATH=/usr/bin::/bin
+
+
+
+######################################################################
+#                       ACL CONFIGURATION                            #
+#         Specifies access control lists for incoming SMTP mail      #
+######################################################################
+
+begin acl
+
+# This access control list is used for every RCPT command in an incoming
+# SMTP message. The tests are run in order until the address is either
+# accepted or denied.
+
+acl_check_rcpt:
+
+  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
+  # testing for an empty sending host field.
+
+  accept  hosts = :
+          control = dkim_disable_verify
+
+  #############################################################################
+  # The following section of the ACL is concerned with local parts that contain
+  # @ or % or ! or / or | or dots in unusual places.
+  #
+  # The characters other than dots are rarely found in genuine local parts, but
+  # are often tried by people looking to circumvent relaying restrictions.
+  # Therefore, although they are valid in local parts, these rules lock them
+  # out, as a precaution.
+  #
+  # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
+  # allows them because they have been encountered. (Consider local parts
+  # constructed as "firstinitial.secondinitial.familyname" when applied to
+  # someone like me, who has no second initial.) However, a local part starting
+  # with a dot or containing /../ can cause trouble if it is used as part of a
+  # file name (e.g. for a mailing list). This is also true for local parts that
+  # contain slashes. A pipe symbol can also be troublesome if the local part is
+  # incorporated unthinkingly into a shell command line.
+  #
+  # Two different rules are used. The first one is stricter, and is applied to
+  # messages that are addressed to one of the local domains handled by this
+  # host. The line "domains = +local_domains" restricts it to domains that are
+  # defined by the "domainlist local_domains" setting above. The rule  blocks
+  # local parts that begin with a dot or contain @ % ! / or |. If you have
+  # local accounts that include these characters, you will have to modify this
+  # rule.
+
+  deny    message       = Restricted characters in address
+          domains       = +local_domains
+          local_parts   = ^[.] : ^.*[@%!/|]
+
+  # The second rule applies to all other domains, and is less strict. The line
+  # "domains = !+local_domains" restricts it to domains that are NOT defined by
+  # the "domainlist local_domains" setting above. The exclamation mark is a
+  # negating operator. This rule allows your own users to send outgoing
+  # messages to sites that use slashes and vertical bars in their local parts.
+  # It blocks local parts that begin with a dot, slash, or vertical bar, but
+  # allows these characters within the local part. However, the sequence /../
+  # is barred. The use of @ % and ! is blocked, as before. The motivation here
+  # is to prevent your users (or your users' viruses) from mounting certain
+  # kinds of attack on remote sites.
+
+  deny    message       = Restricted characters in address
+          domains       = !+local_domains
+          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+  #############################################################################
+
+  # Accept mail to postmaster in any local domain, regardless of the source,
+  # and without verifying the sender.
+
+  accept  local_parts   = postmaster
+          domains       = +local_domains
+
+  # Deny unless the sender address can be verified.
+
+  require verify        = sender
+
+  # Reject all RCPT commands after too many bad recipients
+  # This is partly a defense against spam abuse and partly attacker abuse.
+  # Real senders should manage, by the time they get to 10 RCPT directives,
+  # to have had at least half of them be real addresses.
+  #
+  # This is a lightweight check and can protect you against repeated
+  # invocations of more heavy-weight checks which would come after it.
+
+  deny    condition     = ${if and {\
+                        {>{$rcpt_count}{10}}\
+                        {<{$recipients_count}{${eval:$rcpt_count/2}}} }}
+          message       = Rejected for too many bad recipients
+          logwrite      = REJECT [$sender_host_address]: bad recipient count high [${eval:$rcpt_count-$recipients_count}]
+
+  # Accept if the message comes from one of the hosts for which we are an
+  # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
+  # so we set control=submission to make Exim treat the message as a
+  # submission. It will fix up various errors in the message, for example, the
+  # lack of a Date: header line. If you are actually relaying out out from
+  # MTAs, you may want to disable this. If you are handling both relaying from
+  # MTAs and submissions from MUAs you should probably split them into two
+  # lists, and handle them differently.
+
+  # Recipient verification is omitted here, because in many cases the clients
+  # are dumb MUAs that don't cope well with SMTP error responses. If you are
+  # actually relaying out from MTAs, you should probably add recipient
+  # verification here.
+
+  # Note that, by putting this test before any DNS black list checks, you will
+  # always accept from these hosts, even if they end up on a black list. The
+  # assumption is that they are your friends, and if they get onto a black
+  # list, it is a mistake.
+
+  accept  hosts         = +relay_from_hosts
+          control       = submission
+          control       = dkim_disable_verify
+
+  # Accept if the message arrived over an authenticated connection, from
+  # any host. Again, these messages are usually from MUAs, so recipient
+  # verification is omitted, and submission mode is set. And again, we do this
+  # check before any black list tests.
+
+  accept  authenticated = *
+          control       = submission
+          control       = dkim_disable_verify
+
+  # Insist that any other recipient address that we accept is either in one of
+  # our local domains, or is in a domain for which we explicitly allow
+  # relaying. Any other domain is rejected as being unacceptable for relaying.
+
+  require message = relay not permitted
+          domains = +local_domains : +relay_to_domains
+
+  # We also require all accepted addresses to be verifiable. This check will
+  # do local part verification for local domains, but only check the domain
+  # for remote domains. The only way to check local parts for the remote
+  # relay domains is to use a callout (add /callout), but please read the
+  # documentation about callouts before doing this.
+
+  require verify = recipient
+
+  #############################################################################
+  # There are no default checks on DNS black lists because the domains that
+  # contain these lists are changing all the time. However, here are two
+  # examples of how you can get Exim to perform a DNS black list lookup at this
+  # point. The first one denies, whereas the second just warns.
+  #
+  # deny    dnslists      = black.list.example
+  #         message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
+  #
+  # warn    dnslists      = black.list.example
+  #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
+  #         log_message   = found in $dnslist_domain
+  #############################################################################
+
+  #############################################################################
+  # This check is commented out because it is recognized that not every
+  # sysadmin will want to do it. If you enable it, the check performs
+  # Client SMTP Authorization (csa) checks on the sending host. These checks
+  # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
+  # an Internet draft. You can, of course, add additional conditions to this
+  # ACL statement to restrict the CSA checks to certain hosts only.
+  #
+  # require verify = csa
+  #############################################################################
+
+  #############################################################################
+  # If doing per-user content filtering then recipients with filters different
+  # to the first recipient must be deferred unless the sender talks PRDR.
+  #
+  # defer  !condition     = $prdr_requested
+  #        condition      = ${if > {0}{$recipients_count}}
+  #        condition      = ${if !eq {$acl_m_content_filter} \
+  #                                  {${lookup PER_RCPT_CONTENT_FILTER}}}
+  # warn   !condition     = $prdr_requested
+  #        condition      = ${if > {0}{$recipients_count}}
+  #        set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+  #############################################################################
+
+  # At this point, the address has passed all the checks that have been
+  # configured, so we accept it unconditionally.
+
+  accept
+
+
+# This ACL is used once per recipient, for multi-recipient messages, if
+# we advertised PRDR.  It can be used to perform receipient-dependent
+# header- and body- based filtering and rejections.
+# We set a variable to record that PRDR was active used, so that checking
+# in the data ACL can be skipped.
+
+.ifdef _HAVE_PRDR
+acl_check_prdr:
+  warn  set acl_m_did_prdr = y
+
+  #############################################################################
+  # do lookup on filtering, with $local_part@$domain, deny on filter match
+  #
+  # deny      set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+  #           condition    = ...
+  #############################################################################
+
+  accept
+.endif
+
+# This ACL is used after the contents of a message have been received. This
+# is the ACL in which you can test a message's headers or body, and in
+# particular, this is where you can invoke external virus or spam scanners.
+# Some suggested ways of configuring these tests are shown below, commented
+# out. Without any tests, this ACL accepts all messages. If you want to use
+# such tests, you must ensure that Exim is compiled with the content-scanning
+# extension (WITH_CONTENT_SCAN=yes in Local/Makefile).
+
+acl_check_data:
+
+  # Deny if the message contains an overlong line.  Per the standards
+  # we should never receive one such via SMTP.
+  #
+  deny    condition  = ${if > {$max_received_linelength}{998}}
+          message    = maximum allowed line length is 998 octets, \
+                       got $max_received_linelength
+
+  # Deny if the headers contain badly-formed addresses.
+  #
+  deny    !verify =     header_syntax
+          message =     header syntax
+          log_message = header syntax ($acl_verify_message)
+
+  # Deny if the message contains a virus. Before enabling this check, you
+  # must install a virus scanner and set the av_scanner option above.
+  #
+  # deny    malware    = *
+  #         message    = This message contains a virus ($malware_name).
+
+  # Add headers to a message if it is judged to be spam. Before enabling this,
+  # you must install SpamAssassin. You may also need to set the spamd_address
+  # option above.
+  #
+  # warn    spam       = nobody
+  #         add_header = X-Spam_score: $spam_score\n\
+  #                      X-Spam_score_int: $spam_score_int\n\
+  #                      X-Spam_bar: $spam_bar\n\
+  #                      X-Spam_report: $spam_report
+
+  #############################################################################
+  # No more tests if PRDR was actively used.
+  # accept   condition  = ${if def:acl_m_did_prdr}
+  #
+  # To get here, all message recipients must have identical per-user
+  # content filtering (enforced by RCPT ACL).  Do lookup for filter
+  # and deny on match.
+  #
+  # deny      set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+  #           condition    = ...
+  #############################################################################
+
+
+  # Accept the message.
+
+  accept
+
+
+
+######################################################################
+#                      ROUTERS CONFIGURATION                         #
+#               Specifies how addresses are handled                  #
+######################################################################
+#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
+# An address is passed to each router in turn until it is accepted.  #
+######################################################################
+
+begin routers
+
+# This router routes to remote hosts over SMTP by explicit IP address,
+# when an email address is given in "domain literal" form, for example,
+# <user@[192.168.35.64]>. The RFCs require this facility. However, it is
+# little-known these days, and has been exploited by evil people seeking
+# to abuse SMTP relays. Consequently it is commented out in the default
+# configuration. If you uncomment this router, you also need to uncomment
+# allow_domain_literals above, so that Exim can recognize the syntax of
+# domain literal addresses.
+
+# domain_literal:
+#   driver = ipliteral
+#   domains = ! +local_domains
+#   transport = remote_smtp
+
+
+# This router can be used when you want to send all mail to a
+# server which handles DNS lookups for you; an ISP will typically run such
+# a server for their customers.  The hostname in route_data comes from the
+# macro defined at the top of the file.  If not defined, then we'll use the
+# dnslookup router below instead.
+# Beware that the hostname is specified again in the Transport.
+
+.ifdef ROUTER_SMARTHOST
+
+smarthost:
+  driver = manualroute
+  domains = ! +local_domains
+  transport = smarthost_smtp
+  route_data = ROUTER_SMARTHOST
+  ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
+  no_more
+
+.else
+
+# This router routes addresses that are not in local domains by doing a DNS
+# lookup on the domain name. The exclamation mark that appears in "domains = !
+# +local_domains" is a negating operator, that is, it can be read as "not". The
+# recipient's domain must not be one of those defined by "domainlist
+# local_domains" above for this router to be used.
+#
+# If the router is used, any domain that resolves to 0.0.0.0 or to a loopback
+# interface address (127.0.0.0/8) is treated as if it had no DNS entry. Note
+# that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated as the
+# local host inside the network stack. It is not 0.0.0.0/0, the default route.
+# If the DNS lookup fails, no further routers are tried because of the no_more
+# setting, and consequently the address is unrouteable.
+
+dnslookup:
+  driver = dnslookup
+  domains = ! +local_domains
+  transport = remote_smtp
+  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
+# if ipv6-enabled then instead use:
+# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
+  no_more
+
+# This closes the ROUTER_SMARTHOST ifdef around the choice of routing for
+# off-site mail.
+.endif
+
+
+# The remaining routers handle addresses in the local domain(s), that is those
+# domains that are defined by "domainlist local_domains" above.
+
+
+# This router handles aliasing using a linearly searched alias file with the
+# name SYSTEM_ALIASES_FILE. When this configuration is installed automatically,
+# the name gets inserted into this file from whatever is set in Exim's
+# build-time configuration. The default path is the traditional /etc/aliases.
+# If you install this configuration by hand, you need to specify the correct
+# path in the "data" setting below.
+#
+##### NB  You must ensure that the alias file exists. It used to be the case
+##### NB  that every Unix had that file, because it was the Sendmail default.
+##### NB  These days, there are systems that don't have it. Your aliases
+##### NB  file should at least contain an alias for "postmaster".
+#
+# If any of your aliases expand to pipes or files, you will need to set
+# up a user and a group for these deliveries to run under. You can do
+# this by uncommenting the "user" option below (changing the user name
+# as appropriate) and adding a "group" option if necessary. Alternatively, you
+# can specify "user" on the transports that are used. Note that the transports
+# listed below are the same as are used for .forward files; you might want
+# to set up different ones for pipe and file deliveries from aliases.
+
+system_aliases:
+  driver = redirect
+  allow_fail
+  allow_defer
+  data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}}
+# user = exim
+  file_transport = address_file
+  pipe_transport = address_pipe
+
+
+# This router handles forwarding using traditional .forward files in users'
+# home directories. If you want it also to allow mail filtering when a forward
+# file starts with the string "# Exim filter" or "# Sieve filter", uncomment
+# the "allow_filter" option.
+
+# The no_verify setting means that this router is skipped when Exim is
+# verifying addresses. Similarly, no_expn means that this router is skipped if
+# Exim is processing an EXPN command.
+
+# If you want this router to treat local parts with suffixes introduced by "-"
+# or "+" characters as if the suffixes did not exist, uncomment the two local_
+# part_suffix options. Then, for example, xxxx-foo@your.domain will be treated
+# in the same way as xxxx@your.domain by this router. Because this router is
+# not used for verification, if you choose to uncomment those options, then you
+# will *need* to make the same change to the localuser router.  (There are
+# other approaches, if this is undesirable, but they add complexity).
+
+# The check_ancestor option means that if the forward file generates an
+# address that is an ancestor of the current one, the current one gets
+# passed on instead. This covers the case where A is aliased to B and B
+# has a .forward file pointing to A.
+
+# The three transports specified at the end are those that are used when
+# forwarding generates a direct delivery to a file, or to a pipe, or sets
+# up an auto-reply, respectively.
+
+userforward:
+  driver = redirect
+  check_local_user
+# local_part_suffix = +* : -*
+# local_part_suffix_optional
+  file = $home/.forward
+# allow_filter
+  no_verify
+  no_expn
+  check_ancestor
+  file_transport = address_file
+  pipe_transport = address_pipe
+  reply_transport = address_reply
+
+
+# This router matches local user mailboxes. If the router fails, the error
+# message is "Unknown user".
+
+# If you want this router to treat local parts with suffixes introduced by "-"
+# or "+" characters as if the suffixes did not exist, uncomment the two local_
+# part_suffix options. Then, for example, xxxx-foo@your.domain will be treated
+# in the same way as xxxx@your.domain by this router.
+
+localuser:
+  driver = accept
+  check_local_user
+# local_part_suffix = +* : -*
+# local_part_suffix_optional
+  transport = local_delivery
+  cannot_route_message = Unknown user
+
+
+
+######################################################################
+#                      TRANSPORTS CONFIGURATION                      #
+######################################################################
+#                       ORDER DOES NOT MATTER                        #
+#     Only one appropriate transport is called for each delivery.    #
+######################################################################
+
+# A transport is used only when referenced from a router that successfully
+# handles an address.
+
+begin transports
+
+
+# This transport is used for delivering messages over SMTP connections.
+
+remote_smtp:
+  driver = smtp
+.ifdef _HAVE_TLS_RESUME
+  tls_resumption_hosts = *
+.endif
+
+
+# This transport is used for delivering messages to a smarthost, if the
+# smarthost router is enabled.  This starts from the same basis as
+# "remote_smtp" but then turns on various security options, because
+# we assume that if you're told "use smarthost.example.org as the smarthost"
+# then there will be TLS available, with a verifiable certificate for that
+# hostname, using decent TLS.
+
+smarthost_smtp:
+  driver = smtp
+  multi_domain
+  #
+.ifdef _HAVE_TLS
+  # Comment out any of these which you have to, then file a Support
+  # request with your smarthost provider to get things fixed:
+  hosts_require_tls = *
+  tls_verify_hosts = *
+  # As long as tls_verify_hosts is enabled, this this will have no effect,
+  # but if you have to comment it out then this will at least log whether
+  # you succeed or not:
+  tls_try_verify_hosts = *
+  #
+  # The SNI name should match the name which we'll expect to verify;
+  # many mail systems don't use SNI and this doesn't matter, but if it does,
+  # we need to send a name which the remote site will recognize.
+  # This _should_ be the name which the smarthost operators specified as
+  # the hostname for sending your mail to.
+  tls_sni = ROUTER_SMARTHOST
+  #
+.ifdef _HAVE_OPENSSL
+  tls_require_ciphers = HIGH:!aNULL:@STRENGTH
+.endif
+.ifdef _HAVE_GNUTLS
+  tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
+.endif
+.ifdef _HAVE_TLS_RESUME
+  tls_resumption_hosts = *
+.endif
+.endif
+
+
+# This transport is used for local delivery to user mailboxes in traditional
+# BSD mailbox format. By default it will be run under the uid and gid of the
+# local user, and requires the sticky bit to be set on the /var/mail directory.
+# Some systems use the alternative approach of running mail deliveries under a
+# particular group instead of using the sticky bit. The commented options below
+# show how this can be done.
+
+local_delivery:
+  driver = appendfile
+  file = /var/mail/$local_part_data
+  delivery_date_add
+  envelope_to_add
+  return_path_add
+# group = mail
+# mode = 0660
+
+
+# This transport is used for handling pipe deliveries generated by alias or
+# .forward files. If the pipe generates any standard output, it is returned
+# to the sender of the message as a delivery error. Set return_fail_output
+# instead of return_output if you want this to happen only when the pipe fails
+# to complete normally. You can set different transports for aliases and
+# forwards if you want to - see the references to address_pipe in the routers
+# section above.
+
+address_pipe:
+  driver = pipe
+  return_output
+
+
+# This transport is used for handling deliveries directly to files that are
+# generated by aliasing or forwarding.
+
+address_file:
+  driver = appendfile
+  delivery_date_add
+  envelope_to_add
+  return_path_add
+
+
+# This transport is used for handling autoreplies generated by the filtering
+# option of the userforward router.
+
+address_reply:
+  driver = autoreply
+
+
+
+######################################################################
+#                      RETRY CONFIGURATION                           #
+######################################################################
+
+begin retry
+
+# This single retry rule applies to all domains and all errors. It specifies
+# retries every 15 minutes for 2 hours, then increasing retry intervals,
+# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
+# hours, then retries every 6 hours until 4 days have passed since the first
+# failed delivery.
+
+# WARNING: If you do not have any retry rules at all (this section of the
+# configuration is non-existent or empty), Exim will not do any retries of
+# messages that fail to get delivered at the first attempt. The effect will
+# be to treat temporary errors as permanent. Therefore, DO NOT remove this
+# retry rule unless you really don't want any retries.
+
+# Address or Domain    Error       Retries
+# -----------------    -----       -------
+
+*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
+
+
+
+######################################################################
+#                      REWRITE CONFIGURATION                         #
+######################################################################
+
+# There are no rewriting specifications in this default configuration file.
+
+begin rewrite
+
+
+
+######################################################################
+#                   AUTHENTICATION CONFIGURATION                     #
+######################################################################
+
+# The following authenticators support plaintext username/password
+# authentication using the standard PLAIN mechanism and the traditional
+# but non-standard LOGIN mechanism, with Exim acting as the server.
+# PLAIN and LOGIN are enough to support most MUA software.
+#
+# These authenticators are not complete: you need to change the
+# server_condition settings to specify how passwords are verified.
+# They are set up to offer authentication to the client only if the
+# connection is encrypted with TLS, so you also need to add support
+# for TLS. See the global configuration options section at the start
+# of this file for more about TLS.
+#
+# The default RCPT ACL checks for successful authentication, and will accept
+# messages from authenticated users from anywhere on the Internet.
+
+begin authenticators
+
+# PLAIN authentication has no server prompts. The client sends its
+# credentials in one lump, containing an authorization ID (which we do not
+# use), an authentication ID, and a password. The latter two appear as
+# $auth2 and $auth3 in the configuration and should be checked against a
+# valid username and password. In a real configuration you would typically
+# use $auth2 as a lookup key, and compare $auth3 against the result of the
+# lookup, perhaps using the crypteq{}{} condition.
+
+#PLAIN:
+#  driver                     = plaintext
+#  server_set_id              = $auth2
+#  server_prompts             = :
+#  server_condition           = Authentication is not yet configured
+#  server_advertise_condition = ${if def:tls_in_cipher }
+
+# LOGIN authentication has traditional prompts and responses. There is no
+# authorization ID in this mechanism, so unlike PLAIN the username and
+# password are $auth1 and $auth2. Apart from that you can use the same
+# server_condition setting for both authenticators.
+
+#LOGIN:
+#  driver                     = plaintext
+#  server_set_id              = $auth1
+#  server_prompts             = <| Username: | Password:
+#  server_condition           = Authentication is not yet configured
+#  server_advertise_condition = ${if def:tls_in_cipher }
+
+
+######################################################################
+#                   CONFIGURATION FOR local_scan()                   #
+######################################################################
+
+# If you have built Exim to include a local_scan() function that contains
+# tables for private options, you can define those options here. Remember to
+# uncomment the "begin" line. It is commented by default because it provokes
+# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS
+# set in the Local/Makefile.
+
+# begin local_scan
+
+
+# End of Exim configuration file
diff --git a/src/convert4r3.src b/src/convert4r3.src
new file mode 100755
index 0000000..d0b94d1
--- /dev/null
+++ b/src/convert4r3.src
@@ -0,0 +1,1382 @@
+#! PERL_COMMAND
+
+# This is a Perl script that reads an Exim run-time configuration file and
+# checks for settings that were valid prior to release 3.00 but which were
+# obsoleted by that release. It writes a new file with suggested changes to
+# the standard output, and commentary about what it has done to stderr.
+
+# It is assumed that the input is a valid Exim configuration file.
+
+use warnings;
+BEGIN { pop @INC if $INC[-1] eq '.' };
+
+use Getopt::Long;
+use File::Basename;
+
+GetOptions(
+    'version' => sub {
+        print basename($0) . ": $0\n",
+            "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+            "perl(runtime): $^V\n";
+            exit 0;
+    },
+);
+
+##################################################
+#             Analyse one line                   #
+##################################################
+
+# This is called for the main and the driver sections, not for retry
+# or rewrite sections (which are unmodified).
+
+sub checkline{
+my($line) = $_[0];
+
+return "comment" if $line =~ /^\s*(#|$)/;
+return "end"     if $line =~ /^\s*end\s*$/;
+
+# Macros are recognized only in the first section of the file.
+
+return "macro" if $prefix eq "" && $line =~ /^\s*[A-Z]/;
+
+# Pick out the name at the start and the rest of the line (into global
+# variables) and return whether the start of a driver or not.
+
+($i1,$name,$i2,$rest) = $line =~ /^(\s*)([a-z0-9_]+)(\s*)(.*?)\s*$/;
+return ($rest =~ /^:/)? "driver" : "option";
+}
+
+
+
+
+##################################################
+#       Add transport setting to a director      #
+##################################################
+
+# This function adds a transport setting to an aliasfile or forwardfile
+# director if a global setting exists and a local one does not. If neither
+# exist, it adds file/pipe/reply, but not the directory ones.
+
+sub add_transport{
+my($option) = @_;
+
+my($key) = "$prefix$driver.${option}_transport";
+if (!exists $o{$key})
+  {
+  if (exists $o{"address_${option}_transport"})
+    {
+    print STDOUT "# >> Option added by convert4r3\n";
+    printf STDOUT "${i1}${option}_transport = %s\n",
+      $o{"address_${option}_transport"};
+    printf STDERR
+      "\n%03d ${option}_transport added to $driver director.\n",
+      ++$count;
+    }
+  else
+    {
+    if ($option eq "pipe" || $option eq "file" || $option eq "reply")
+      {
+      print STDOUT "# >> Option added by convert4r3\n";
+      printf STDOUT "${i1}${option}_transport = address_${option}\n";
+      printf STDERR
+        "\n%03d ${option}_transport added to $driver director.\n",
+        ++$count;
+      }
+    }
+  }
+}
+
+
+
+
+##################################################
+#       Negate a list of things                  #
+##################################################
+
+sub negate {
+my($list) = $_[0];
+
+return $list if ! defined $list;
+
+($list) = $list =~ /^"?(.*?)"?\s*$/s;
+
+# Under Perl 5.005 we can split very nicely at colons, ignoring double
+# colons, like this:
+#
+# @split = split /\s*(?<!:):(?!:)\s*(?:\\\s*)?/s, $list;
+#
+# However, we'd better make this work under Perl 5.004, since there is
+# a lot of that about.
+
+$list =~ s/::/>%%%%</g;
+@split = split /\s*:\s*(?:\\\s*)?/s, $list;
+foreach $item (@split)
+  {
+  $item =~ s/>%%%%</::/g;
+  }
+
+$" = " : \\\n    ! ";
+return "! @split";
+}
+
+
+
+
+
+##################################################
+#          Skip blank lines                      #
+##################################################
+
+# This function is called after we have generated no output for an option;
+# it skips subsequent blank lines if the previous line was blank.
+
+sub skipblanks {
+my($i) = $_[0];
+if ($last_was_blank)
+  {
+  $i++ while $c[$i+1] =~ /^\s*$/;
+  }
+return $i;
+}
+
+
+
+
+
+##################################################
+#       Get base name of data key                #
+##################################################
+
+sub base {
+return "$_[0]" if $_[0] !~ /^(?:d|r|t)\.[^.]+\.(.*)/;
+return $1;
+}
+
+
+
+##################################################
+#     Amalgamate accept/reject/reject_except     #
+##################################################
+
+# This function amalgamates the three previous kinds of
+# option into a single list, using negation for the middle one if
+# the final argument is "+", or for the outer two if the final
+# argument is "-".
+
+sub amalgamate {
+my($accept,$reject,$reject_except,$name);
+my($last_was_negated) = 0;
+my($join) = "";
+
+$accept = $o{$_[0]};
+$reject = $o{$_[1]};
+$reject_except = $o{$_[2]};
+$name = $_[3];
+
+if ($_[4] eq "+")
+  {
+  ($accept) = $accept =~ /^"?(.*?)"?\s*$/s if defined $accept;
+  $reject = &negate($reject) if defined $reject;
+  ($reject_except) = $reject_except =~ /^"?(.*?)"?\s*$/s if defined $reject_except;
+  }
+else
+  {
+  $accept = &negate($accept) if defined $accept;
+  ($reject) = $reject =~ /^"?(.*?)"?\s*$/s if defined $reject;
+  $reject_except = &negate($reject_except) if defined $reject_except;
+  }
+
+print STDOUT "# >> Option rewritten by convert4r3\n";
+print STDOUT "${i1}$name = \"";
+
+if (defined $reject_except)
+  {
+  print STDOUT "$reject_except";
+  $join = " : \\\n    ";
+  $last_was_negated = ($_[4] ne "+");
+  }
+if (defined $reject)
+  {
+  print STDOUT "$join$reject";
+  $join = " : \\\n    ";
+  $last_was_negated = ($_[4] eq "+");
+  }
+if (defined $accept)
+  {
+  print STDOUT "$join$accept";
+  $last_was_negated = ($_[4] ne "+");
+  $join = " : \\\n    ";
+  }
+
+print STDOUT "$join*" if $last_was_negated;
+
+print STDOUT "\"\n";
+
+my($driver_name);
+my($driver_type) = "";
+
+if ($_[0] =~ /^(d|r|t)\.([^.]+)\./ ||
+    $_[1] =~ /^(d|r|t)\.([^.]+)\./ ||
+    $_[2] =~ /^(d|r|t)\.([^.]+)\./)
+  {
+  $driver_type = ($1 eq 'd')? "director" : ($1 eq 'r')? "router" : "transport";
+  $driver_name = $2;
+  }
+
+my($x) = ($driver_type ne "")? " in \"$driver_name\" $driver_type" : "";
+
+my($l0) = &base($_[0]);
+my($l1) = &base($_[1]);
+my($l2) = &base($_[2]);
+
+
+if ($l2 eq "")
+  {
+  if ($l0 eq "")
+    {
+    printf STDERR "\n%03d $l1 converted to $name$x.\n", ++$count;
+    }
+  else
+    {
+    printf STDERR "\n%03d $l0 and $l1\n    amalgamated into $name$x.\n",
+      ++$count;
+    }
+  }
+else
+  {
+  if ($l1 eq "")
+    {
+    printf STDERR "\n%03d $l0 and $l2\n    amalgamated into $name$x.\n",
+      ++$count;
+    }
+  else
+    {
+    printf STDERR "\n%03d $l0, $l1 and $l2\n    amalgamated into " .
+      "$name$x.\n", ++$count;
+    }
+  }
+}
+
+
+
+
+##################################################
+#         Join two lists, if they exist          #
+##################################################
+
+sub pair{
+my($l1) = $o{"$_[0]"};
+my($l2) = $o{"$_[1]"};
+
+return $l2 if (!defined $l1);
+return $l1 if (!defined $l2);
+
+($l1) = $l1 =~ /^"?(.*?)"?\s*$/s;
+($l2) = $l2 =~ /^"?(.*?)"?\s*$/s;
+
+return "$l1 : $l2";
+}
+
+
+
+
+##################################################
+#  Amalgamate accept/reject/reject_except pairs  #
+##################################################
+
+# This is like amalgamate, but it combines pairs of arguments, and
+# doesn't output commentary (easier to write a generic one for the few
+# cases).
+
+sub amalgamatepairs {
+my($accept) = &pair($_[0], $_[1]);
+my($reject) = &pair($_[2], $_[3]);
+my($reject_except) = &pair($_[4], $_[5]);
+my($last_was_negated) = 0;
+my($join) = "";
+
+if ($_[7] eq "+")
+  {
+  ($accept) = $accept =~ /^"?(.*?)"?\s*$/s if defined $accept;
+  $reject = &negate($reject) if defined $reject;
+  ($reject_except) = $reject_except =~ /^"?(.*?)"?\s*$/s if defined $reject_except;
+  }
+else
+  {
+  $accept = &negate($accept) if defined $accept;
+  ($reject) = $reject =~ /^"?(.*?)"?$/s if defined $reject;
+  $reject_except = &negate($reject_except) if defined $reject_except;
+  }
+
+print STDOUT "# >> Option rewritten by convert4r3\n";
+print STDOUT "${i1}$_[6] = \"";
+
+if (defined $reject_except)
+  {
+  print STDOUT "$reject_except";
+  $join = " : \\\n    ";
+  $last_was_negated = ($_[7] ne "+");
+  }
+if (defined $reject)
+  {
+  print STDOUT "$join$reject";
+  $join = " : \\\n    ";
+  $last_was_negated = ($_[7] eq "+");
+  }
+if (defined $accept)
+  {
+  print STDOUT "$join$accept";
+  $last_was_negated = ($_[7] ne "+");
+  $join = " : \\\n    ";
+  }
+
+print STDOUT "$join*" if $last_was_negated;
+print STDOUT "\"\n";
+}
+
+
+
+##################################################
+#      Amalgamate boolean and exception list(s)  #
+##################################################
+
+sub amalgboolandlist {
+my($name,$bool,$e1,$e2) = @_;
+
+print STDOUT "# >> Option rewritten by convert4r3\n";
+if ($bool eq "false")
+  {
+  printf STDOUT "$i1$name =\n";
+  }
+else
+  {
+  printf STDOUT "$i1$name = ";
+  my($n1) = &negate($o{$e1});
+  my($n2) = &negate($o{$e2});
+  if (!defined $n1 && !defined $n2)
+    {
+    print STDOUT "*\n";
+    }
+  elsif (!defined $n1)
+    {
+    print STDOUT "\"$n2 : \\\n    *\"\n";
+    }
+  elsif (!defined $n2)
+    {
+    print STDOUT "\"$n1 : \\\n    *\"\n";
+    }
+  else
+    {
+    print STDOUT "\"$n1 : \\\n    $n2 : \\\n    *\"\n";
+    }
+  }
+}
+
+
+
+##################################################
+#             Convert mask format                #
+##################################################
+
+# This function converts an address and mask in old-fashioned dotted-quad
+# format into an address plus a new format mask.
+
+@byte_list = (0, 128, 192, 224, 240, 248, 252, 254, 255);
+
+sub mask {
+my($address,$mask) = @_;
+my($length) = 0;
+my($i, $j);
+
+my(@bytes) = split /\./, $mask;
+
+for ($i = 0; $i < 4; $i++)
+  {
+  for ($j = 0; $j <= 8; $j++)
+    {
+    if ($bytes[$i] == $byte_list[$j])
+      {
+      $length += $j;
+      if ($j != 8)
+        {
+        for ($i++; $i < 4; $i++)
+          {
+          $j = 9 if ($bytes[$i] != 0);
+          }
+        }
+      last;
+      }
+    }
+
+  if ($j > 8)
+    {
+    print STDERR "*** IP mask $mask cannot be converted to /n format. ***\n";
+    return "$address/$mask";
+    }
+  }
+
+if (!defined $masks{$mask})
+  {
+  printf STDERR "\n%03d IP address mask $mask converted to /$length\n",
+    ++$count, $mask, $length;
+  $masks{$mask} = 1;
+  }
+
+return sprintf "$address/%d", $length;
+}
+
+
+
+
+
+##################################################
+#                  Main program                  #
+##################################################
+
+print STDERR "Exim pre-release 3.00 configuration file converter.\n";
+
+$count = 0;
+$seen_helo_accept_junk = 0;
+$seen_hold_domains = 0;
+$seen_receiver_unqualified = 0;
+$seen_receiver_verify_except = 0;
+$seen_receiver_verify_senders = 0;
+$seen_rfc1413_except = 0;
+$seen_sender_accept = 0;
+$seen_sender_accept_recipients = 0;
+$seen_sender_host_accept = 0;
+$seen_sender_host_accept_recipients = 0;
+$seen_sender_host_accept_relay = 0;
+$seen_sender_unqualified = 0;
+$seen_sender_verify_except_hosts = 0;
+$seen_smtp_etrn = 0;
+$seen_smtp_expn = 0;
+$seen_smtp_reserve = 0;
+$semicomma = 0;
+
+# Read the entire file into an array
+
+chomp(@c = <STDIN>);
+
+# First, go through the input and covert any net masks in the old dotted-quad
+# style into the new /n style.
+
+for ($i = 0; $i < scalar(@c); $i++)
+  {
+  $c[$i] =~
+    s"((?:\d{1,3}\.){3}\d{1,3})/((?:\d{1,3}\.){3}\d{1,3})"&mask($1,$2)"eg;
+  }
+
+# We now make two more passes over the input. In the first pass, we place all
+# the option values into an associative array. Main options are keyed by their
+# names; options for drivers are keyed by a driver type letter, the driver
+# name, and the option name, dot-separated. In the second pass we modify
+# the options if necessary, and write the output file.
+
+for ($pass = 1; $pass < 3; $pass++)
+  {
+  $prefix = "";
+  $driver = "";
+  $last_was_blank = 0;
+
+  for ($i = 0; $i < scalar(@c); $i++)
+    {
+    # Everything after the router section is just copied in pass 2 and
+    # ignored in pass 1.
+
+    if ($prefix eq "end")
+      {
+      print STDOUT "$c[$i]\n" if $pass == 2;
+      next;
+      }
+
+    # Analyze the line
+
+    $type = &checkline($c[$i]);
+
+    # Skip comments in pass 1; copy in pass 2
+
+    if ($type eq "comment")
+      {
+      $last_was_blank = ($c[$i] =~ /^\s*$/)? 1 : 0;
+      print STDOUT "$c[$i]\n" if $pass == 2;
+      next;
+      }
+
+    # Skip/copy macro definitions, but must handle continuations
+
+    if ($type eq "macro")
+      {
+      print STDOUT "$c[$i]\n" if $pass == 2;
+      while ($c[$i] =~ /\\\s*$/)
+        {
+        $i++;
+        print STDOUT "$c[$i]\n" if $pass == 2;
+        }
+      $last_was_blank = 0;
+      next;
+      }
+
+    # Handle end of section
+
+    if ($type eq "end")
+      {
+      $prefix = "end"if $prefix eq "r.";
+      $prefix = "r." if $prefix eq "d.";
+      $prefix = "d." if $prefix eq "t.";
+      $prefix = "t." if $prefix eq "";
+      print STDOUT "$c[$i]\n" if $pass == 2;
+      $last_was_blank = 0;
+      next;
+      }
+
+    # Handle start of a new driver
+
+    if ($type eq "driver")
+      {
+      $driver = $name;
+      print STDOUT "$c[$i]\n" if $pass == 2;
+      $last_was_blank = 0;
+      $seen_domains = 0;
+      $seen_local_parts = 0;
+      $seen_senders = 0;
+      $seen_mx_domains = 0;
+      $seen_serialize = 0;
+      next;
+      }
+
+    # Handle definition of an option
+
+    if ($type eq "option")
+      {
+      # Handle continued strings
+
+      if ($rest =~ /^=\s*".*\\$/)
+        {
+        for (;;)
+          {
+          $rest .= "\n$c[++$i]";
+          last unless $c[$i] =~ /(\\\s*$|^\s*#)/;
+          }
+        }
+
+      # Remove any terminating commas and semicolons in pass 2
+
+      if ($pass == 2 && $rest =~ /[;,]\s*$/)
+        {
+        $rest =~ s/\s*[;,]\s*$//;
+        if (!$semicomma)
+          {
+          printf STDERR
+            "\n%03d Terminating semicolons and commas removed from driver " .
+            "options.\n", ++$count;
+          $semicomma = 1;
+          }
+        }
+
+      # Convert all booleans to "x = true/false" format, but save the
+      # original so that it can be reproduced unchanged for options that
+      # are not of interest.
+
+      $origname = $name;
+      $origrest = $rest;
+
+      if ($name =~ /^not?_(.*)/)
+        {
+        $name = $1;
+        $rest = "= false";
+        }
+      elsif ($rest !~ /^=/)
+        {
+        $rest = "= true";
+        }
+
+      # Set up the associative array key, and get rid of the = on the data
+
+      $key = ($prefix eq "")? "$name" : "$prefix$driver.$name";
+      ($rest) = $rest =~ /^=\s*(.*)/s;
+
+      # Create the associative array of values in pass 1
+
+      if ($pass == 1)
+        {
+        $o{$key} = $rest;
+        }
+
+      # In pass 2, test for interesting options and do the necessary; copy
+      # all the rest.
+
+      else
+        {
+        ##########  Global configuration ##########
+
+        # These global options are abolished
+
+        if ($name eq "address_directory_transport" ||
+            $name eq "address_directory2_transport" ||
+            $name eq "address_file_transport" ||
+            $name eq "address_pipe_transport" ||
+            $name eq "address_reply_transport")
+          {
+          ($n2) = $name =~ /^address_(.*)/;
+          printf STDERR "\n%03d $name option deleted.\n", ++$count;
+          printf STDERR "    $n2 will be added to appropriate directors.\n";
+          $i = &skipblanks($i);
+          next;
+          }
+
+        # This debugging option is abolished
+
+        elsif ($name eq "sender_verify_log_details")
+          {
+          printf STDERR "\n%03d $name option deleted.\n", ++$count;
+          printf STDERR "    (Little used facility abolished.)\n";
+          }
+
+        # This option has been renamed
+
+        elsif ($name eq "check_dns_names")
+          {
+          $origname =~ s/check_dns/dns_check/;
+          print STDOUT "# >> Option rewritten by convert4r3\n";
+          print STDOUT "$i1$origname$i2$origrest\n";
+          printf STDERR "\n%03d check_dns_names renamed as dns_check_names.\n",
+            ++$count;
+          }
+
+        # helo_accept_junk_nets is abolished
+
+        elsif ($name eq "helo_accept_junk_nets" ||
+               $name eq "helo_accept_junk_hosts")
+          {
+          if (!$seen_helo_accept_junk)
+            {
+            &amalgamate("helo_accept_junk_nets", "",
+              "helo_accept_junk_hosts", "helo_accept_junk_hosts", "+");
+            $seen_helo_accept_junk = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+        # helo_verify_except_{hosts,nets} are abolished, and helo_verify
+        # is now a host list instead of a boolean.
+
+        elsif ($name eq "helo_verify")
+          {
+          &amalgboolandlist("helo_verify", $rest, "helo_verify_except_hosts",
+            "helo_verify_except_nets");
+          printf STDERR "\n%03d helo_verify converted to host list.\n",
+            ++$count;
+          }
+        elsif ($name eq "helo_verify_except_hosts" ||
+               $name eq "helo_verify_except_nets")
+          {
+          $i = &skipblanks($i);
+          next;
+          }
+
+        # helo_verify_nets was an old synonym for host_lookup_nets; only
+        # one of them will be encountered. Change to a new name.
+
+        elsif ($name eq "helo_verify_nets" ||
+               $name eq "host_lookup_nets")
+          {
+          print STDOUT "# >> Option rewritten by convert4r3\n";
+          print STDOUT "${i1}host_lookup$i2$origrest\n";
+          printf STDERR "\n%03d $name renamed as host_lookup.\n", ++$count;
+          }
+
+        # hold_domains_except is abolished; add as negated items to
+        # hold_domains.
+
+        elsif ($name eq "hold_domains_except" ||
+               $name eq "hold_domains")
+          {
+          if ($seen_hold_domains)         # If already done with these
+            {                             # omit, and following blanks.
+            $i = &skipblanks($i);
+            next;
+            }
+          $seen_hold_domains = 1;
+
+          if (exists $o{"hold_domains_except"})
+            {
+            &amalgamate("hold_domains", "hold_domains_except", "",
+              "hold_domains", "+");
+            }
+          else
+            {
+            print STDOUT "$i1$origname$i2$origrest\n";
+            }
+          }
+
+        # ignore_fromline_nets is renamed as ignore_fromline_hosts
+
+        elsif ($name eq "ignore_fromline_nets")
+          {
+          $origname =~ s/_nets/_hosts/;
+          print STDOUT "# >> Option rewritten by convert4r3\n";
+          print STDOUT "$i1$origname$i2$origrest\n";
+          printf STDERR
+            "\n%03d ignore_fromline_nets renamed as ignore_fromline_hosts.\n",
+            ++$count;
+          }
+
+        # Output a warning for message filters with no transports set
+
+        elsif ($name eq "message_filter")
+          {
+          print STDOUT "$i1$origname$i2$origrest\n";
+
+          if (!exists $o{"message_filter_directory_transport"} &&
+              !exists $o{"message_filter_directory2_transport"} &&
+              !exists $o{"message_filter_file_transport"} &&
+              !exists $o{"message_filter_pipe_transport"} &&
+              !exists $o{"message_filter_reply_transport"})
+            {
+            printf STDERR
+              "\n%03d message_filter is set, but no message_filter transports "
+              . "are defined.\n"
+              . "    If your filter generates file or pipe deliveries, or "
+              . "auto-replies,\n"
+              . "    you will need to define "
+              . "message_filter_{file,pipe,reply}_transport\n"
+              . "    options, as required.\n", ++$count;
+            }
+          }
+
+        # queue_remote_except is abolished, and queue_remote is replaced by
+        # queue_remote_domains, which is a host list.
+
+        elsif ($name eq "queue_remote")
+          {
+          &amalgboolandlist("queue_remote_domains", $rest,
+            "queue_remote_except", "");
+          printf STDERR
+            "\n%03d queue_remote converted to domain list queue_remote_domains.\n",
+            ++$count;
+          }
+        elsif ($name eq "queue_remote_except")
+          {
+          $i = &skipblanks($i);
+          next;
+          }
+
+        # queue_smtp_except is abolished, and queue_smtp is replaced by
+        # queue_smtp_domains, which is a host list.
+
+        elsif ($name eq "queue_smtp")
+          {
+          &amalgboolandlist("queue_smtp_domains", $rest,
+            "queue_smtp_except", "");
+          printf STDERR
+            "\n%03d queue_smtp converted to domain list queue_smtp_domains.\n",
+            ++$count;
+          }
+        elsif ($name eq "queue_smtp_except")
+          {
+          $i = &skipblanks($i);
+          next;
+          }
+
+        # rbl_except_nets is replaced by rbl_hosts
+
+        elsif ($name eq "rbl_except_nets")
+          {
+          &amalgamate("", "rbl_except_nets", "", "rbl_hosts", "+");
+          }
+
+        # receiver_unqualified_nets is abolished
+
+        elsif ($name eq "receiver_unqualified_nets" ||
+               $name eq "receiver_unqualified_hosts")
+          {
+          if (!$seen_receiver_unqualified)
+            {
+            &amalgamate("receiver_unqualified_nets", "",
+              "receiver_unqualified_hosts", "receiver_unqualified_hosts", "+");
+            $seen_receiver_unqualified = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+        # receiver_verify_except_{hosts,nets} are replaced by
+        # receiver_verify_hosts.
+
+        elsif ($name eq "receiver_verify_except_hosts" ||
+               $name eq "receiver_verify_except_nets")
+          {
+          if (!$seen_receiver_verify_except)
+            {
+            &amalgboolandlist("receiver_verify_hosts", "true",
+              "receiver_verify_except_hosts", "receiver_verify_except_nets");
+            printf STDERR
+              "\n%03d receiver_verify_except_{hosts,nets} converted to " .
+              "receiver_verify_hosts.\n",
+              ++$count;
+            $seen_receiver_verify_except = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+        # receiver_verify_senders_except is abolished
+
+        elsif ($name eq "receiver_verify_senders" ||
+               $name eq "receiver_verify_senders_except")
+          {
+          if (defined $o{"receiver_verify_senders_except"})
+            {
+            if (!$seen_receiver_verify_senders)
+              {
+              &amalgamate("receiver_verify_senders",
+                "receiver_verify_senders_except", "",
+                "receiver_verify_senders", "+");
+              $seen_receiver_verify_senders = 1;
+              }
+            else
+              {
+              $i = &skipblanks($i);
+              next;
+              }
+            }
+          else
+            {
+            print STDOUT "$i1$origname$i2$origrest\n";
+            }
+          }
+
+        # rfc1413_except_{hosts,nets} are replaced by rfc1413_hosts.
+
+        elsif ($name eq "rfc1413_except_hosts" ||
+               $name eq "rfc1413_except_nets")
+          {
+          if (!$seen_rfc1413_except)
+            {
+            &amalgboolandlist("rfc1413_hosts", "true",
+              "rfc1413_except_hosts", "rfc1413_except_nets");
+            printf STDERR
+              "\n%03d rfc1413_except_{hosts,nets} converted to rfc1413_hosts.\n",
+              ++$count;
+            $seen_rfc1413_except = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+        # sender_accept and sender_reject_except are abolished
+
+        elsif ($name eq "sender_accept" ||
+               $name eq "sender_reject")
+          {
+          if (!$seen_sender_accept)
+            {
+            &amalgamate("sender_accept", "sender_reject",
+              "sender_reject_except", "sender_reject", "-");
+            $seen_sender_accept = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+        # sender_accept_recipients is also abolished; sender_reject_except
+        # also used to apply to this, so we include it here as well.
+
+        elsif ($name eq "sender_accept_recipients" ||
+               $name eq "sender_reject_recipients")
+          {
+          if (!$seen_sender_accept_recipients)
+            {
+            &amalgamate("sender_accept_recipients", "sender_reject_recipients",
+              "sender_reject_except", "sender_reject_recipients", "-");
+            $seen_sender_accept_recipients = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+        # sender_reject_except must be removed
+
+        elsif ($name eq "sender_reject_except")
+          {
+          $i = &skipblanks($i);
+          next;
+          }
+
+        # sender_{host,net}_{accept,reject}[_except] all collapse into
+        # host_reject.
+
+        elsif ($name eq "sender_host_accept" ||
+               $name eq "sender_net_accept" ||
+               $name eq "sender_host_reject" ||
+               $name eq "sender_net_reject")
+          {
+          if (!$seen_sender_host_accept)
+            {
+            &amalgamatepairs("sender_host_accept", "sender_net_accept",
+              "sender_host_reject", "sender_net_reject",
+              "sender_host_reject_except", "sender_net_reject_except",
+              "host_reject", "-");
+            printf STDERR "\n%03d sender_{host,net}_{accept,reject} and " .
+              "sender_{host_net}_reject_except\n" .
+              "    amalgamated into host_reject.\n", ++$count;
+            $seen_sender_host_accept = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+        # sender_{host,net}_{accept,reject}_recipients all collapse into
+        # host_reject_recipients.
+
+        elsif ($name eq "sender_host_accept_recipients" ||
+               $name eq "sender_net_accept_recipients" ||
+               $name eq "sender_host_reject_recipients" ||
+               $name eq "sender_net_reject_recipients")
+          {
+          if (!$seen_sender_host_accept_recipients)
+            {
+            &amalgamatepairs("sender_host_accept_recipients",
+              "sender_net_accept_recipients",
+              "sender_host_reject_recipients",
+              "sender_net_reject_recipients",
+              "sender_host_reject_except", "sender_net_reject_except",
+              "host_reject_recipients", "-");
+            printf STDERR "\n%03d sender_{host,net}_{accept,reject}_recipients"
+              . "\n    and sender_{host_net}_reject_except"
+              . "\n    amalgamated into host_reject_recipients.\n", ++$count;
+            $seen_sender_host_accept_recipients = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+        # sender_{host,net}_reject_except must be removed
+
+        elsif ($name eq "sender_host_reject_except" ||
+               $name eq "sender_net_reject_except")
+          {
+          $i = &skipblanks($i);
+          next;
+          }
+
+        # sender_{host,net}_{accept,reject}_relay all collapse into
+        # host_accept_relay.
+
+        elsif ($name eq "sender_host_accept_relay" ||
+               $name eq "sender_net_accept_relay" ||
+               $name eq "sender_host_reject_relay" ||
+               $name eq "sender_net_reject_relay")
+          {
+          if (!$seen_sender_host_accept_relay)
+            {
+            &amalgamatepairs("sender_host_accept_relay",
+              "sender_net_accept_relay",
+              "sender_host_reject_relay",
+              "sender_net_reject_relay",
+              "sender_host_reject_relay_except",
+              "sender_net_reject_relay_except",
+              "host_accept_relay", "+");
+            printf STDERR "\n%03d sender_{host,net}_{accept,reject}_relay"
+              . "\n    and sender_{host_net}_reject_relay_except"
+              . "\n    amalgamated into host_accept_relay.\n", ++$count;
+            $seen_sender_host_accept_relay = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+        # sender_{host,net}_reject_relay_except must be removed
+
+        elsif ($name eq "sender_host_reject_relay_except" ||
+               $name eq "sender_net_reject_relay_except")
+          {
+          $i = &skipblanks($i);
+          next;
+          }
+
+
+        # sender_unqualified_nets is abolished
+
+        elsif ($name eq "sender_unqualified_nets" ||
+               $name eq "sender_unqualified_hosts")
+          {
+          if (!$seen_sender_unqualified)
+            {
+            &amalgamate("sender_unqualified_nets", "",
+              "sender_unqualified_hosts", "sender_unqualified_hosts", "+");
+            $seen_sender_unqualified = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+        # sender_verify_except_{hosts,nets} are replaced by sender_verify_hosts.
+
+        elsif ($name eq "sender_verify_except_hosts" ||
+               $name eq "sender_verify_except_nets")
+          {
+          if (!$seen_sender_verify_except_hosts)
+            {
+            &amalgboolandlist("sender_verify_hosts", "true",
+              "sender_verify_except_hosts", "sender_verify_except_nets");
+            printf STDERR
+              "\n%03d sender_verify_except_{hosts,nets} converted to " .
+              "sender_verify_hosts.\n",
+              ++$count;
+            $seen_sender_verify_except_hosts = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+        # smtp_etrn_nets is abolished
+
+        elsif ($name eq "smtp_etrn_nets" ||
+               $name eq "smtp_etrn_hosts")
+          {
+          if (!$seen_smtp_etrn)
+            {
+            &amalgamate("smtp_etrn_nets", "",
+              "smtp_etrn_hosts", "smtp_etrn_hosts", "+");
+            $seen_smtp_etrn = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+        # smtp_expn_nets is abolished
+
+        elsif ($name eq "smtp_expn_nets" ||
+               $name eq "smtp_expn_hosts")
+          {
+          if (!$seen_smtp_expn)
+            {
+            &amalgamate("smtp_expn_nets", "",
+              "smtp_expn_hosts", "smtp_expn_hosts", "+");
+            $seen_smtp_expn = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+        # This option has been renamed
+
+        elsif ($name eq "smtp_log_connections")
+          {
+          $origname =~ s/smtp_log/log_smtp/;
+          print STDOUT "# >> Option rewritten by convert4r3\n";
+          print STDOUT "$i1$origname$i2$origrest\n";
+          printf STDERR "\n%03d smtp_log_connections renamed as " .
+            "log_smtp_connections.\n",
+            ++$count;
+          }
+
+        # smtp_reserve_nets is abolished
+
+        elsif ($name eq "smtp_reserve_nets" ||
+               $name eq "smtp_reserve_hosts")
+          {
+          if (!$seen_smtp_reserve)
+            {
+            &amalgamate("smtp_reserve_nets", "",
+              "smtp_reserve_hosts", "smtp_reserve_hosts", "+");
+            $seen_smtp_reserve = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+        ###########  Driver configurations  ##########
+
+        # For aliasfile and forwardfile directors, add file, pipe, and
+        # reply transports - copying from the globals if they are set.
+
+        elsif ($name eq "driver")
+          {
+          $driver_type = $rest;
+          print STDOUT "$i1$origname$i2$origrest\n";
+          if ($rest eq "aliasfile" || $rest eq "forwardfile")
+            {
+            &add_transport("directory");
+            &add_transport("directory2");
+            &add_transport("file");
+            &add_transport("pipe");
+            &add_transport("reply") if $rest eq "forwardfile";
+            }
+          }
+
+        # except_domains is abolished; add as negated items to domains.
+
+        elsif ($name eq "except_domains" ||
+               $name eq "domains")
+          {
+          if ($seen_domains)              # If already done with these
+            {                             # omit, and following blanks.
+            $i = &skipblanks($i);
+            next;
+            }
+          $seen_domains = 1;
+
+          if (exists $o{"$prefix$driver.except_domains"})
+            {
+            &amalgamate("$prefix$driver.domains",
+                         "$prefix$driver.except_domains", "",
+              "domains", "+");
+            }
+          else
+            {
+            print STDOUT "$i1$origname$i2$origrest\n";
+            }
+          }
+
+        # except_local_parts is abolished; add as negated items to
+        # local_parts.
+
+        elsif ($name eq "except_local_parts" ||
+               $name eq "local_parts")
+          {
+          if ($seen_local_parts)              # If already done with these
+            {                             # omit, and following blanks.
+            $i = &skipblanks($i);
+            next;
+            }
+          $seen_local_parts = 1;
+
+          if (exists $o{"$prefix$driver.except_local_parts"})
+            {
+            &amalgamate("$prefix$driver.local_parts",
+                         "$prefix$driver.except_local_parts", "",
+              "local_parts", "+");
+            }
+          else
+            {
+            print STDOUT "$i1$origname$i2$origrest\n";
+            }
+          }
+
+        # except_senders is abolished; add as negated items to senders
+
+        elsif ($name eq "except_senders" ||
+               $name eq "senders")
+          {
+          if ($seen_senders)              # If already done with these
+            {                             # omit, and following blanks.
+            $i = &skipblanks($i);
+            next;
+            }
+          $seen_senders = 1;
+
+          if (exists $o{"$prefix$driver.except_senders"})
+            {
+            &amalgamate("$prefix$driver.senders",
+                         "$prefix$driver.except_senders", "",
+              "senders", "+");
+            }
+          else
+            {
+            print STDOUT "$i1$origname$i2$origrest\n";
+            }
+          }
+
+        # This option has been renamed
+
+        elsif ($name eq "directory" && $driver_type eq "aliasfile")
+          {
+          $origname =~ s/directory/home_directory/;
+          print STDOUT "# >> Option rewritten by convert4r3\n";
+          print STDOUT "$i1$origname$i2$origrest\n";
+          printf STDERR "\n%03d directory renamed as " .
+            "home_directory in \"$driver\" director.\n",
+            ++$count;
+          }
+
+        # This option has been renamed
+
+        elsif ($name eq "directory" && $driver_type eq "forwardfile")
+          {
+          $origname =~ s/directory/file_directory/;
+          print STDOUT "# >> Option rewritten by convert4r3\n";
+          print STDOUT "$i1$origname$i2$origrest\n";
+          printf STDERR "\n%03d directory renamed as " .
+            "file_directory in \"$driver\" director.\n",
+            ++$count;
+          }
+
+        # This option has been renamed
+
+        elsif ($name eq "forbid_filter_log" && $driver_type eq "forwardfile")
+          {
+          $origname =~ s/log/logwrite/;
+          print STDOUT "# >> Option rewritten by convert4r3\n";
+          print STDOUT "$i1$origname$i2$origrest\n";
+          printf STDERR "\n%03d forbid_filter_log renamed as " .
+            "forbid_filter_logwrite in \"$driver\" director.\n",
+            ++$count;
+          }
+
+        # This option has been renamed
+
+        elsif ($name eq "directory" && $driver_type eq "localuser")
+          {
+          $origname =~ s/directory/match_directory/;
+          print STDOUT "# >> Option rewritten by convert4r3\n";
+          print STDOUT "$i1$origname$i2$origrest\n";
+          printf STDERR "\n%03d directory renamed as " .
+            "match_directory in \"$driver\" director.\n",
+            ++$count;
+          }
+
+        # mx_domains_except (and old synonym non_mx_domains) are abolished
+        # (both lookuphost router and smtp transport)
+
+        elsif ($name eq "mx_domains" ||
+               $name eq "mx_domains_except" ||
+               $name eq "non_mx_domains")
+          {
+          if ($seen_mx_domains)              # If already done with these
+            {                             # omit, and following blanks.
+            $i = &skipblanks($i);
+            next;
+            }
+          $seen_mx_domains = 1;
+
+          if (exists $o{"$prefix$driver.mx_domains_except"} ||
+              exists $o{"$prefix$driver.non_mx_domains"})
+            {
+            $o{"$prefix$driver.mx_domains_except"} =
+              &pair("$prefix$driver.mx_domains_except",
+                    "$prefix$driver.non_mx_domains");
+
+            &amalgamate("$prefix$driver.mx_domains",
+                        "$prefix$driver.mx_domains_except", "",
+              "mx_domains", "+");
+            }
+          else
+            {
+            print STDOUT "$i1$origname$i2$origrest\n";
+            }
+          }
+
+        # This option has been renamed
+
+        elsif ($name eq "directory" && $driver_type eq "pipe")
+          {
+          $origname =~ s/directory/home_directory/;
+          print STDOUT "# >> Option rewritten by convert4r3\n";
+          print STDOUT "$i1$origname$i2$origrest\n";
+          printf STDERR "\n%03d directory renamed as " .
+            "home_directory in \"$driver\" director.\n",
+            ++$count;
+          }
+
+        # serialize_nets is abolished
+
+        elsif ($name eq "serialize_nets" ||
+               $name eq "serialize_hosts")
+          {
+          if (!$seen_serialize)
+            {
+            &amalgamate("$prefix$driver.serialize_nets", "",
+              "$prefix$driver.serialize_hosts", "serialize_hosts", "+");
+            $seen_serialize = 1;
+            }
+          else
+            {
+            $i = &skipblanks($i);
+            next;
+            }
+          }
+
+
+        # Option not of interest; reproduce verbatim
+
+        else
+          {
+          print STDOUT "$i1$origname$i2$origrest\n";
+          }
+
+
+        $last_was_blank = 0;
+        }
+      }
+    }
+
+  }
+
+# Debugging: show the associative array
+# foreach $key (sort keys %o) { print STDERR "$key = $o{$key}\n"; }
+
+print STDERR "\nEnd of configuration file conversion.\n";
+print STDERR "\n*******************************************************\n";
+print STDERR   "***** Please review the generated file carefully. *****\n";
+print STDERR   "*******************************************************\n\n";
+
+print STDERR "In particular:\n\n";
+
+print STDERR "(1) If you use regular expressions in any options that have\n";
+print STDERR "    been rewritten by this script, they might have been put\n";
+print STDERR "    inside quotes, when then were not previously quoted. This\n";
+print STDERR "    means that any backslashes in them must now be escaped.\n\n";
+
+print STDERR "(2) If your configuration refers to any external files that\n";
+print STDERR "    contain lists of network addresses, check that the masks\n";
+print STDERR "    are specified as single numbers, e.g. /24 and NOT as dotted\n";
+print STDERR "    quads (e.g. 255.255.255.0) because Exim release 3.00 does\n";
+print STDERR "    not recognize the dotted quad form.\n\n";
+
+print STDERR "(3) If your configuration uses macros for lists of domains or\n";
+print STDERR "    hosts or addresses, check to see if any of the references\n";
+print STDERR "    have been negated. If so, you will have to rework things,\n";
+print STDERR "    because the negation will apply only to the first item in\n";
+print STDERR "    the macro-generated list.\n\n";
+
+print STDERR "(4) If you do not generate deliveries to pipes, files, or\n";
+print STDERR "    auto-replies in your aliasfile and forwardfile directors,\n";
+print STDERR "    you can remove the added transport settings.\n\n";
+
+# End of convert4r3
diff --git a/src/convert4r4.src b/src/convert4r4.src
new file mode 100755
index 0000000..47987fc
--- /dev/null
+++ b/src/convert4r4.src
@@ -0,0 +1,2527 @@
+#! PERL_COMMAND
+
+# This is a Perl script that reads an Exim run-time configuration file for
+# Exim 3. It makes what changes it can for Exim 4, and also output commentary
+# on what it has done, and on things it cannot do.
+
+# It is assumed that the input is a valid Exim 3 configuration file.
+
+use warnings;
+BEGIN { pop @INC if $INC[-1] eq '.' };
+
+use Getopt::Long;
+use File::Basename;
+
+GetOptions(
+    'version' => sub {
+        print basename($0) . ": $0\n",
+            "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+            "perl(runtime): $^V\n";
+            exit 0;
+    },
+);
+
+# These are lists of main options which are abolished in Exim 4.
+# The first contains options that are used to construct new options.
+
+@skipped_options = (
+"auth_hosts",
+"auth_over_tls_hosts",
+"errors_address",
+"headers_check_syntax",
+"headers_checks_fail",
+"headers_sender_verify",
+"headers_sender_verify_errmsg",
+"host_accept_relay",
+"host_auth_accept_relay",
+"host_reject_recipients",
+"local_domains",
+"local_domains_include_host",
+"local_domains_include_host_literals",
+"log_all_parents",
+"log_arguments",
+"log_incoming_port",
+"log_interface",
+"log_level",
+"log_received_sender",
+"log_received_recipients",
+"log_rewrites",
+"log_sender_on_delivery",
+"log_smtp_confirmation",
+"log_smtp_connections",
+"log_smtp_syntax_errors",
+"log_subject",
+"log_queue_run_level",
+"rbl_domains",
+"rbl_hosts",
+"rbl_reject_recipients",
+"receiver_verify",
+"receiver_verify_addresses",
+"receiver_verify_hosts",
+"receiver_verify_senders",
+"recipients_reject_except",
+"recipients_reject_except_senders",
+"relay_domains",
+"relay_domains_include_local_mx",
+"sender_address_relay",
+"sender_address_relay_hosts",
+"sender_reject_recipients",
+"sender_verify",
+"sender_verify_hosts_callback",
+"sender_verify_callback_domains",
+"sender_verify_callback_timeout",
+"sender_verify_hosts",
+"smtp_etrn_hosts",
+"smtp_expn_hosts",
+"smtp_verify",
+"tls_host_accept_relay",
+"tls_hosts",
+"tls_log_cipher",
+"tls_log_peerdn",
+"tls_verify_ciphers"
+);
+
+# The second contains options that are completely abolished and have
+# no equivalent.
+
+@abolished_options = (
+"always_bcc",
+"debug_level",
+"helo_strict_syntax",
+"kill_ip_options",
+"log_ip_options",
+"log_refused_recipients",
+"message_size_limit_count_recipients",
+"rbl_log_headers",
+"rbl_log_rcpt_count",
+"receiver_try_verify",
+"refuse_ip_options",
+"relay_match_host_or_sender",
+"sender_try_verify",
+"sender_verify_batch",
+"sender_verify_fixup",
+"sender_verify_reject",
+"sender_verify_max_retry_rate",
+);
+
+# This is a list of options that are not otherwise handled, but which
+# contain domain or host lists that have to be processed so that any
+# regular expressions are marked "not for expansion".
+
+@list_options = (
+"dns_again_means_nonexist",
+"hold_domains",
+"hosts_treat_as_local",
+"percent_hack_domains",
+"queue_smtp_domains",
+"helo_accept_junk_hosts",
+"host_lookup",
+"ignore_fromline_hosts",
+"rfc1413_hosts",
+"sender_unqualified_hosts",
+"smtp_reserve_hosts",
+"tls_advertise_hosts",
+"tls_verify_hosts",
+);
+
+
+
+##################################################
+#          Output problem rubric once            #
+##################################################
+
+sub rubric {
+return if $rubric_output;
+$rubric_output = 1;
+print STDERR "\n" .
+"** The following comments describe problems that have been encountered\n" .
+"   while converting an Exim 3 runtime file for Exim 4. More detail can\n" .
+"   be found in the file doc/Exim4.upgrade.\n";
+}
+
+
+##################################################
+#             Analyse one line                   #
+##################################################
+
+sub checkline{
+my($line) = $_[0];
+
+return "comment" if $line =~ /^\s*(#|$)/;
+return "end"     if $line =~ /^\s*end\s*$/i;
+
+# Macros are recognized only in the first section of the file.
+
+return "macro" if $prefix eq "" && $line =~ /^\s*[A-Z]/;
+
+# In retry and rewrite sections, the type is always "other"
+
+return "other" if $prefix eq "=retry" || $prefix eq "=rewrite";
+
+# Pick out the name at the start and the rest of the line (into global
+# variables) and return whether the start of a driver or not.
+
+($hide,$name,$rest) = $line =~ /^\s*(hide\s+|)([a-z0-9_]+)\s*(.*?)\s*$/;
+
+# If $rest begins with a colon, this is a driver name
+
+return "driver" if $rest =~ /^:/;
+
+# If $rest begins with an = the value of the option is given explicitly;
+# remove the = from the start. Turn "yes"/"no" into "true"/"false".
+
+if ($rest =~ /^=/)
+  {
+  $rest =~ s/^=\s*//;
+  $rest = "true" if $rest eq "yes";
+  $rest = "false" if $rest eq "no";
+  }
+
+# Otherwise we have a boolean option. Set up a "true"/"false" value.
+
+else
+  {
+  if ($name =~ /^not?_/)     # Recognize "no_" or "not_"
+    {
+    $rest = "false";
+    $name =~ s/^not?_//;
+    }
+  else
+    {
+    $rest = "true";
+    }
+  }
+
+return "option";
+}
+
+
+
+##################################################
+#       Negate a list of things                  #
+##################################################
+
+# Can be tricky, because there may be comment lines in the list.
+# Also, lists may have different delimiters.
+
+sub negate {
+my($list) = $_[0];
+my($delim) = ":";
+my($leadin) = "";
+
+return $list if ! defined $list;
+
+($list) = $list =~ /^"?(.*?)"?\s*$/s;      # Remove surrounding quotes
+$list =~ s/\\\s*\n\s*//g;                  # Remove continuation markers
+
+if ($list =~ /^(\s*<(\S)\s*)(.*)/s)
+  {
+  $leadin = $1;
+  $delim = $2;
+  $list = $3;
+  }
+
+$list =~ s/^\s+//;
+$list =~ s/\Q$delim$delim/>%%%%</g;
+@split = split /\s*\Q$delim\E\s*/s, $list;
+
+foreach $item (@split)
+  {
+  $item =~ s/>%%%%</$delim$delim/g;
+
+  if ($item =~ /^\s*#/)
+    {
+    $item =~ s/((?:^\s*#[^\n]*\n)+\s*)/$1! /mg;
+    $item =~ s/!\s*!//sg;
+    }
+  else
+    {
+    if ($item =~ /^\s*!(.*)/)
+      { $item = $1; }
+    else
+      { $item = "! " . $item; }
+    }
+  }
+
+$" = " $delim \\\n    ";
+$leadin .= " " if $leadin !~ /(^|\s)$/;
+return "$leadin@split";
+}
+
+
+
+##################################################
+#   Prevent regex expansion in a list of things  #
+##################################################
+
+# Can be tricky, because there may be comment lines in the list.
+# Also, lists may have different delimiters.
+
+sub no_expand_regex {
+my($list) = $_[0];
+my($delim) = ":";
+my($leadin) = "";
+
+return $list if ! defined $list;
+
+$delim = $_[1] if (defined $_[1]);
+
+my($is_route_list) = $delim eq ";";
+
+($list) = $list =~ /^"?(.*?)"?\s*$/s;      # Remove surrounding quotes
+$list =~ s/\\\s*\n\s*//g;                  # Remove continuation markers
+
+if ($list =~ /^(\s*<(\S)\s*)(.*)/s)
+  {
+  $leadin = $1;
+  $delim = $2;
+  $list = $3;
+  }
+
+$list =~ s/^\s+//;
+$list =~ s/\Q$delim$delim/>%%%%</g;
+@split = split /\s*\Q$delim\E\s*/s, $list;
+
+my($changed) = 0;
+foreach $item (@split)
+  {
+  $item =~ s/>%%%%</$delim$delim/g;
+  if ($item =~ /^\^/)
+    {
+    # Fudge for route_list items
+
+    if ($is_route_list)
+      {
+      $item = "\\N$item";      # Only one item ...
+      }
+    else
+      {
+      $item = "\\N$item\\N";
+      }
+    $changed = 1;
+    }
+  }
+print STDOUT
+  "#!!# Regular expressions enclosed in \\N...\\N to avoid expansion\n"
+    if $changed;
+
+$" = " $delim \\\n    ";
+$leadin .= " " if $leadin !~ /(^|\s)$/;
+return "$leadin@split";
+}
+
+
+
+##################################################
+#      Sort out lookups in an address list       #
+##################################################
+
+# Can be tricky, because there may be comment lines in the list.
+# Also, lists may have different delimiters.
+
+sub sort_address_list {
+my($list) = $_[0];
+my($name) = $_[1];
+my($delim) = ":";
+my($leadin) = "";
+my($quoted) = 0;
+
+return $list if ! defined $list;
+
+if ($list =~ /^"(.*?)"\s*$/s)            # Remove surrounding quotes
+  {
+  $list = $1;
+  $quoted = 1;
+  }
+
+$list =~ s/\\\s*\n\s*//g;                  # Remove continuation markers
+
+if ($list =~ /^(\s*<(\S)\s*)(.*)/s)
+  {
+  $leadin = $1;
+  $delim = $2;
+  $list = $3;
+  }
+
+$list =~ s/^\s+//;
+$list =~ s/\Q$delim$delim/>%%%%</g;
+@split = split /\s*\Q$delim\E\s*/s, $list;
+
+foreach $item (@split)
+  {
+  $item =~ s/>%%%%</$delim$delim/g;
+  if ($item =~ /^\s*(?:partial-)?(\w+;.*)$/)
+    {
+    my($lookup) = $1;
+    if ($lookup =~ /^lsearch|^dbm|^cdb|^nis[^p]/)
+      {
+      &rubric();
+      print STDERR "\n" .
+"** The Exim 3 \"$name\" option specifies an address\n" .
+"   list that includes the item\n\n" .
+"     $item\n\n" .
+"   In Exim 4 address lists, single-key lookups without a local part just\n" .
+"   look up the complete address. They don't also try the domain, as\n" .
+"   happened in Exim 3. The item has been rewritten as two items to make\n" .
+"   it behave in the same way as Exim 3, but you should check to see if\n" .
+"   this is actually what you want.\n";
+
+      $item = "*\@$item $delim $lookup";
+      }
+    }
+  }
+
+$" = " $delim \\\n    ";
+$leadin .= " " if $leadin !~ /(^|\s)$/;
+
+return $quoted? "\"$leadin@split\"" : "$leadin@split";
+}
+
+
+
+##################################################
+#       Quote a string against expansion         #
+##################################################
+
+# Used for setting up new "domains" options
+
+sub expquote {
+my($s) = $_[0];
+$s =~ s/\$/\\\$/sg;
+$s =~ s/\\(?!\s*\n)/\\\\/sg;
+return $s;
+}
+
+
+
+##################################################
+#          Dequote an option string              #
+##################################################
+
+# If the original list is not quoted, do nothing.
+# If it is quoted, just get rid of the quotes.
+
+sub unquote {
+my($s) = $_[0];
+$s =~ s/^"(.*)"$/$1/s;
+return $s;
+}
+
+
+##################################################
+#      Quote/dequote an option string            #
+##################################################
+
+# If the original list is not quoted, quote it against expansion.
+# If it is quoted, just get rid of the quotes. Also, indent any
+# continuations.
+
+sub acl_quote {
+my($s) = $_[0];
+$s = ($s =~ /^"(.*)"$/s)? $1 : &expquote($s);
+$s =~ s/\n/\n  /g;
+$s =~ s/\n\s{11,}/\n           /g;
+return $s;
+}
+
+
+##################################################
+#       Handle abolished driver options          #
+##################################################
+
+sub abolished {
+my($hash) = shift @_;
+my($name) = shift @_;
+for $abolished (@_)
+  {
+  if (defined $$hash{$abolished})
+    {
+    &rubric();
+    print STDERR "\n" .
+"** $name used the \"$abolished\" option, which no\n".
+"   longer exists. The option has been removed.\n";
+    print STDOUT "#!!# $abolished option removed\n";
+    delete $$hash{$abolished};
+    }
+  }
+}
+
+
+
+##################################################
+#        Handle renamed driver options           #
+##################################################
+
+sub renamed {
+my($hash,$old,$new) = @_;
+if (defined $$hash{$old})
+  {
+  print STDOUT "#!!# $old renamed $new\n";
+  $$hash{$new} = $$hash{$old};
+  delete $$hash{$old};
+  }
+}
+
+
+
+##################################################
+#      Comment on user names in require_files    #
+##################################################
+
+sub check_require {
+my($string, $name) = @_;
+
+$string =~ s/::/[[[]]]/g;
+my(@list) = split /:/, $string;
+my($item);
+
+for $item (@list)
+  {
+  if ($item =~ /^\s*[\w,]+\s*$/)
+    {
+    &rubric();
+    $item =~ s/^\s*//;
+    $item =~ s/\s*$//;
+    print STDERR "\n" .
+"** A setting of require_files in the $name contains\n" .
+"   what appears to be a user name ('$item'). The ability to check files\n" .
+"   as a specific user is done differently in Exim 4. In fact, because the\n" .
+"   routers run as root, you may not need this at all.\n"
+    }
+  }
+}
+
+
+##################################################
+#        Handle current and home directory       #
+##################################################
+
+sub handle_current_and_home_directory {
+my($hash,$driver,$name) = @_;
+
+for ("current_directory", "home_directory")
+  {
+  if (defined $$hash{$_} && $$hash{$_} eq "check_local_user")
+    {
+    my($article) = (substr($driver, 0, 1) eq "a")? "an" : "a";
+    &rubric();
+    print STDERR "\n" .
+"** The Exim 3 configuration contains $article '$driver' director called\n" .
+"   '$name', which set '$_' to the special value\n" .
+"   'check_local_user'. This facility has been abolished in Exim 4 because\n" .
+"   it is no longer necessary. The setting has therefore been omitted. See\n" .
+"   note X.\n";
+    delete $$hash{$_};
+    }
+  else
+    {
+    &renamed($hash, $_, "transport_$_");
+    }
+  }
+}
+
+
+
+##################################################
+#    Handle batch/bsmtp for appendfile/pipe      #
+##################################################
+
+sub handle_batch_and_bsmtp{
+my($hash) = @_;
+
+if (defined $$hash{"bsmtp"})
+  {
+  if ($$hash{"bsmtp"} ne "none")
+    {
+    $$hash{"use_bsmtp"} = "true";
+    $$hash{"message_prefix"} = "\"HELO \$primary_host_name\\n\""
+      if defined $$hash{"bsmtp_helo"} && $$hash{"bsmtp_helo"} eq "true";
+    }
+
+  if ($$hash{"bsmtp"} eq "one")
+    {
+    delete $$hash{"batch"};
+    }
+  else
+    {
+    $$hash{"batch"} = $$hash{"bsmtp"};
+    }
+
+  delete $$hash{"bsmtp"};
+  delete $$hash{"bsmtp_helo"};
+  }
+
+if (defined $$hash{"batch"} && $$hash{"batch"} ne "none")
+  {
+  $$hash{"batch_max"} = "100" if !defined $$hash{"batch_max"};
+  $$hash{"batch_id"} = "\$domain" if $$hash{"batch"} eq "domain";
+  }
+else
+  {
+  $$hash{"batch_max"} = "1" if defined $$hash{"batch_max"};
+  }
+delete $$hash{"batch"};
+}
+
+
+
+##################################################
+#              Output one option                 #
+##################################################
+
+sub outopt {
+my($hash, $key, $no_expand) = @_;
+my($data) = $$hash{$key};
+
+print STDOUT "hide " if defined $$hash{"$key-hide"};
+
+# Output booleans in the form that doesn't use "="
+
+if ($data eq "true")
+  {
+  print STDOUT "$key\n";
+  }
+elsif ($data eq "false")
+  {
+  print STDOUT "no_$key\n";
+  }
+else
+  {
+  if ($no_expand)
+    {
+    printf STDOUT ("$key = %s\n", &no_expand_regex($data));
+    }
+  else
+    {
+    print STDOUT "$key = $data\n";
+    }
+  }
+}
+
+
+
+##################################################
+#       Output the options for one driver        #
+##################################################
+
+# Put the "driver" option first
+
+sub outdriver {
+my($hash) = $_[0];
+print STDOUT "  driver = $$hash{'driver'}\n";
+foreach $key (sort keys %$hash)
+  {
+  next if $key eq "driver" || $key =~ /-hide$/;
+  print STDOUT "  ";
+  &outopt($hash, $key, 0);
+  }
+}
+
+
+
+##################################################
+#      Output a rewrite or a retry line          #
+##################################################
+
+# These lines start with patterns which are now always expanded. If the
+# pattern is a regex, arrange for it not to expand.
+
+sub print_no_expand {
+my($s) = $_[0];
+if ($s =~ /^\^/)
+  {
+  if (!$escape_output)
+    {
+    &rubric();
+    print STDERR "\n" .
+"** You have a retry or rewrite pattern that is a regular expression. Because\n" .
+"   these patterns are now always expanded, you need to be sure that the\n" .
+"   special characters in the regex are not interpreted by the expander.\n" .
+"   \\N has been inserted at the start of the regex to prevent the rest of\n" .
+"   it from being expanded.\n";
+    $escape_output = 1;
+    }
+  print STDOUT "\\N";
+  }
+print STDOUT "$s\n";
+}
+
+
+
+##################################################
+#          Test a boolean main option            #
+##################################################
+
+# This just saves a lot of typing
+
+sub bool {
+return defined $main{$_[0]} && $main{$_[0]} eq "true";
+}
+
+
+
+##################################################
+#                  Main program                  #
+##################################################
+
+print STDERR "Runtime configuration file converter for Exim release 4.\n";
+
+$transport_start = $director_start = $router_start = $retry_start
+  = $rewrite_start = $auth_start = 999999;
+
+$macro_output = "";
+$rubric_output = 0;
+$errmsg_output = 0;
+$key_output = 0;
+$unk_output = 0;
+$escape_output = 0;
+$add_no_more = 0;
+$add_caseful_local_part = 0;
+$done_dns_check_names = 0;
+
+$queue_only_load_was_present = 0;
+$deliver_queue_load_max_was_present = 0;
+
+# Read the entire file into an array
+
+chomp(@c = <STDIN>);
+$clen = scalar @c;
+
+# Remove the standard comment that appears at the end of the default
+
+if ($clen > 0 && $c[$clen-1] =~ /^#\s*End of Exim configuration file\s*/i)
+  {
+  pop @c;
+  $clen--;
+  }
+
+# The first pass over the input fishes out all the options settings in the
+# main, transport, director, and router sections, and places their values in
+# associative arrays. It also notes the starting position of all the sections.
+
+$prefix = "";
+%main = ();
+$hash = \%main;
+
+for ($i = 0; $i < $clen; $i++)
+  {
+  # Change references to +allow_unknown and +warn_unknown into +include_unknown
+
+  if ($c[$i] =~ /\+(?:allow|warn)_unknown/)
+    {
+    if (!$unk_output)
+      {
+      &rubric();
+      print STDERR "\n" .
+"** You have used '+allow_unknown' or '+warn_unknown' in a configuration\n" .
+"   option. This has been converted to '+include_unknown', but the action\n" .
+"   is different in Exim 4, so you should review all the relevant options.\n";
+      $unk_output = 1;
+      }
+    $c[$i] =~ s/\+(?:allow|warn)_unknown/+include_unknown/g;
+    }
+
+  # Any reference to $errmsg_recipient is changed to $bounce_recipient
+
+  if ($c[$i] =~ /\$errmsg_recipient/)
+    {
+    if (!$errmsg_output)
+      {
+      &rubric();
+      print STDERR "\n" .
+"** References to \$errmsg_recipient have been changed to \$bounce_recipient\n";
+      $errmsg_output = 1;
+      }
+    $c[$i] =~ s/\$errmsg_recipient/\$bounce_recipient/g;
+    }
+
+
+  # Analyse the type of line
+
+  $type = &checkline($c[$i]);
+  next if $type eq "comment";
+
+  # Output a warning if $key is used
+
+  if ($c[$i] =~ /\$key/ && !$key_output)
+    {
+    &rubric();
+    print STDERR "\n" .
+"** You have used '\$key' in a configuration option. This variable does not\n" .
+"   exist in Exim 4. Instead, the value you need for your lookup will be\n" .
+"   in one of the other variables such as '\$domain' or '\$host'. You will\n" .
+"   need to edit the new configuration to sort this out.\n";
+    $key_output = 1;
+    }
+
+  # Save macro definitions so we can output them first; must handle
+  # continuations.
+
+  if ($type eq "macro")
+    {
+    $macro_output .= "$c[$i++]\n" while $c[$i] =~ /\\\s*$|^\s*#/;
+    $macro_output .= "$c[$i]\n";
+    }
+
+  # Handle end of section
+
+  elsif ($type eq "end")
+    {
+    if ($prefix eq "=rewrite")
+      {
+      $prefix = "a.";
+      $auth_start = $i + 1;
+      last;
+      }
+    elsif ($prefix eq "=retry")
+      {
+      $prefix = "=rewrite";
+      $rewrite_start = $i + 1;
+      }
+    elsif ($prefix eq "r.")
+      {
+      $prefix = "=retry";
+      $retry_start = $i + 1;
+      }
+    elsif ($prefix eq "d.")
+      {
+      $prefix = "r.";
+      $router_start = $i + 1;
+      }
+    elsif ($prefix eq "t.")
+      {
+      $prefix = "d.";
+      $director_start = $i + 1;
+      }
+    elsif ($prefix eq "")
+      {
+      $prefix = "t.";
+      $transport_start = $i + 1;
+      }
+    }
+
+  # Handle start of a new director, router or transport driver
+
+  elsif ($type eq "driver" && $prefix !~ /^=/)
+    {
+    $hash = {};
+    if (defined $driverlist{"$prefix$name"})
+      {
+      die "*** There are two drivers with the name \"$name\"\n";
+      }
+    $driverlist{"$prefix$name"} = $hash;
+    $first_director = $name if !defined $first_director && $prefix eq "d.";
+    }
+
+  # Handle definition of an option; we must pull in any continuation
+  # strings, and save the value in the current hash. Note if the option
+  # is hidden.
+
+  elsif ($type eq "option")
+    {
+    my($nextline) = "";
+
+    while ($i < $clen - 1 && ($rest =~ /\\\s*$/s || $nextline =~ /^\s*#/))
+      {
+      $nextline = $c[++$i];
+      $rest .= "\n$nextline";
+      }
+
+    $$hash{$name} = $rest;
+    $$hash{"$name-hide"} = 1 if $hide ne "";
+    }
+  }
+
+
+# Generate the new configuration. Start with a warning rubric.
+
+print STDOUT "#!!# This file is output from the convert4r4 script, which tries\n";
+print STDOUT "#!!# to convert Exim 3 configurations into Exim 4 configurations.\n";
+print STDOUT "#!!# However, it is not perfect, especially with non-simple\n";
+print STDOUT "#!!# configurations. You must check it before running it.\n";
+print STDOUT "\n\n";
+
+# Output the macro definitions
+
+if ($macro_output ne "")
+  {
+  print STDOUT "#!!# All macro definitions have been gathered here to ensure\n";
+  print STDOUT "#!!# they precede any references to them.\n\n";
+  print STDOUT "$macro_output\n";
+  }
+
+# Output some default pointers to ACLs for RCPT and DATA time. If no Exim 3
+# options that apply are set, non-restricting ACLs are generated.
+
+print STDOUT "#!!# These options specify the Access Control Lists (ACLs) that\n";
+print STDOUT "#!!# are used for incoming SMTP messages - after the RCPT and DATA\n";
+print STDOUT "#!!# commands, respectively.\n\n";
+
+print STDOUT "acl_smtp_rcpt = check_recipient\n";
+print STDOUT "acl_smtp_data = check_message\n\n";
+
+if (defined $main{"auth_over_tls_hosts"})
+  {
+  print STDOUT "#!!# This option specifies the Access Control List (ACL) that\n";
+  print STDOUT "#!!# is used after an AUTH command.\n\n";
+  print STDOUT "acl_smtp_auth = check_auth\n\n";
+  }
+
+if (&bool("smtp_verify") ||
+    defined $main{"smtp_etrn_hosts"} ||
+    defined $main{"smtp_expn_hosts"})
+  {
+  print STDOUT "#!!# These options specify the Access Control Lists (ACLs) that\n";
+  print STDOUT "#!!# are used to control the ETRN, EXPN, and VRFY commands.\n";
+  print STDOUT "#!!# Where no ACL is defined, the command is locked out.\n\n";
+
+  print STDOUT "acl_smtp_etrn = check_etrn\n" if defined $main{"smtp_etrn_hosts"};
+  print STDOUT "acl_smtp_expn = check_expn\n" if defined $main{"smtp_expn_hosts"};
+  print STDOUT "acl_smtp_vrfy = check_vrfy\n" if &bool("smtp_verify");
+  print STDOUT "\n";
+  }
+
+# If local_domains was set, get its value; otherwise set to "@". Add into it
+# appropriate magic for local_domains_include_host[_literals].
+
+$local_domains = (defined $main{"local_domains"})? $main{"local_domains"} : "@";
+
+$ldsep = ":";
+if ($local_domains =~ /^\s*<(.)\s*(.*)/s)
+  {
+  $ldsep = $1;
+  $local_domains = $2;
+  }
+
+$local_domains = "\@[] $ldsep " . $local_domains
+  if defined $main{"local_domains_include_host_literals"} &&
+     $main{"local_domains_include_host_literals"} eq "true";
+
+$local_domains = "\@ $ldsep " . $local_domains
+  if defined $main{"local_domains_include_host"} &&
+     $main{"local_domains_include_host"} eq "true";
+
+$local_domains = "<$ldsep " . $local_domains if $ldsep ne ":";
+
+# Output a domain list setting for these domains, provided something is defined
+
+if ($local_domains !~ /^\s*$/)
+  {
+  print STDOUT "#!!# This setting defines a named domain list called\n";
+  print STDOUT "#!!# local_domains, created from the old options that\n";
+  print STDOUT "#!!# referred to local domains. It will be referenced\n";
+  print STDOUT "#!!# later on by the syntax \"+local_domains\".\n";
+  print STDOUT "#!!# Other domain and host lists may follow.\n\n";
+
+  printf STDOUT ("domainlist local_domains = %s\n\n",
+    &no_expand_regex($local_domains));
+  }
+
+$relay_domains = (defined $main{"relay_domains"})? $main{"relay_domains"} : "";
+
+$ldsep = ":";
+if ($relay_domains =~ /^\s*<(.)\s*(.*)/s)
+  {
+  $ldsep = $1;
+  }
+
+if (defined $main{"relay_domains_include_local_mx"})
+  {
+  $relay_domains .= ($relay_domains =~ /^\s*$/)? "\@mx_any" :
+    " $ldsep \@mx_any";
+  }
+
+printf STDOUT ("domainlist relay_domains = %s\n",
+  &no_expand_regex($relay_domains))
+    if $relay_domains !~ /^\s*$/;
+
+
+# If ignore_errmsg_errors is set, we are going to force 0s as the value
+# for ignore_errmsg_errors_after, so arrange to skip any other value.
+
+push @skipped_options, "ignore_errmsg_errors_after"
+   if &bool("ignore_errmsg_errors");
+
+
+# If rbl_domains is set, split it up and generate six lists:
+#   rbl_warn_domains, rbl_warn_domains_skiprelay
+#   rbl_reject_domains, rbl_reject_domains_skiprelay
+#   rbl_accept_domains, rbl_accept_domains_skiprelay
+
+if (defined $main{"rbl_domains"})
+  {
+  my($s) = &unquote($main{"rbl_domains"});
+  $s =~ s/\s*\\\s*\n\s*/ /g;
+  my(@list) = split /\s*:\s*/, $s;
+
+  foreach $d (@list)
+    {
+    my(@sublist) = split /\//, $d;
+    my($name) = shift @sublist;
+    my($warn) = 0;
+    if (defined $main{"rbl_reject_recipients"})
+      {
+      $warn = $main{"rbl_reject_recipients"} ne "true";
+      }
+
+    foreach $o (@sublist)
+      {
+      $warn = 1 if $o eq "warn";
+      $warn = 0 if $o eq "reject";
+      $warn = 2 if $o eq "accept";
+      $skiprelay = 1 if $o eq "skiprelay";
+      }
+
+    if ($skiprelay)
+      {
+      if ($warn == 0)
+        {
+        $rbl_reject_skiprelay .= ((defined $rbl_reject_skiprelay)? ":":"").$name;
+        }
+      elsif ($warn == 1)
+        {
+        $rbl_warn_skiprelay .= ((defined $rbl_warn_skiprelay)? ":":"").$name;
+        }
+      elsif ($warn == 2)
+        {
+        $rbl_accept_skiprelay .= ((defined $rbl_accept_skiprelay)? ":":"").$name;
+        }
+      }
+    else
+      {
+      if ($warn == 0)
+        {
+        $rbl_reject_domains .= ((defined $rbl_reject_domains)? ":":"").$name;
+        }
+      elsif ($warn == 1)
+        {
+        $rbl_warn_domains .= ((defined $rbl_warn_domains)? ":":"").$name;
+        }
+      elsif ($warn == 2)
+        {
+        $rbl_accept_domains .= ((defined $rbl_accept_domains)? ":":"").$name;
+        }
+      }
+    }
+  }
+
+
+# Output host list settings
+
+printf STDOUT ("hostlist auth_hosts = %s\n",
+  &no_expand_regex($main{"auth_hosts"}))
+    if defined $main{"auth_hosts"};
+printf STDOUT ("hostlist rbl_hosts = %s\n",
+  &no_expand_regex($main{"rbl_hosts"}))
+    if defined $main{"rbl_hosts"};
+printf STDOUT ("hostlist relay_hosts = %s\n",
+  &no_expand_regex($main{"host_accept_relay"}))
+    if defined $main{"host_accept_relay"};
+printf STDOUT ("hostlist auth_relay_hosts = %s\n",
+  &no_expand_regex($main{"host_auth_accept_relay"}))
+    if defined $main{"host_auth_accept_relay"};
+
+printf STDOUT ("hostlist auth_over_tls_hosts = %s\n",
+  &no_expand_regex($main{"auth_over_tls_hosts"}))
+    if defined $main{"auth_over_tls_hosts"};
+printf STDOUT ("hostlist tls_hosts = %s\n",
+  &no_expand_regex($main{"tls_hosts"}))
+    if defined $main{"tls_hosts"};
+printf STDOUT ("hostlist tls_relay_hosts = %s\n",
+  &no_expand_regex($main{"tls_host_accept_relay"}))
+    if defined $main{"tls_host_accept_relay"};
+
+print STDOUT "\n";
+
+
+# Convert various logging options
+
+$log_selector = "";
+$sep = " \\\n             ";
+
+if (defined $main{"log_level"})
+  {
+  my($level) = $main{"log_level"};
+  $log_selector .= "$sep -retry_defer$sep -skip_delivery" if $level < 5;
+  $log_selector .= "$sep -lost_incoming_connection$sep -smtp_syntax_error" .
+                   "$sep -delay_delivery" if $level < 4;
+  $log_selector .= "$sep -size_reject" if $level < 2;
+  }
+
+$log_selector .= "$sep -queue_run"
+  if defined $main{"log_queue_run_level"} &&
+     defined $main{"log_level"} &&
+     $main{"log_queue_run_level"} > $main{"log_level"};
+
+$log_selector .= "$sep +address_rewrite"       if &bool("log_rewrites");
+$log_selector .= "$sep +all_parents"           if &bool("log_all_parents");
+$log_selector .= "$sep +arguments"             if &bool("log_arguments");
+$log_selector .= "$sep +incoming_port"         if &bool("log_incoming_port");
+$log_selector .= "$sep +incoming_interface"    if &bool("log_interface");
+$log_selector .= "$sep +received_sender"       if &bool("log_received_sender");
+$log_selector .= "$sep +received_recipients"   if &bool("log_received_recipients");
+$log_selector .= "$sep +sender_on_delivery"    if &bool("log_sender_on_delivery");
+$log_selector .= "$sep +smtp_confirmation"     if &bool("log_smtp_confirmation");
+$log_selector .= "$sep +smtp_connection"       if &bool("log_smtp_connections");
+$log_selector .= "$sep +smtp_syntax_error"     if &bool("log_smtp_syntax_errors");
+$log_selector .= "$sep +subject"               if &bool("log_subject");
+$log_selector .= "$sep +tls_cipher"            if &bool("tls_log_cipher");
+$log_selector .= "$sep +tls_peerdn"            if &bool("tls_log_peerdn");
+
+
+if ($log_selector ne "")
+  {
+  print STDOUT "#!!# All previous logging options are combined into a single\n"
+             . "#!!# option in Exim 4. This setting is an approximation to\n"
+             . "#!!# the previous state - some logging has changed.\n\n";
+  print STDOUT "log_selector = $log_selector\n\n";
+  }
+
+# If deliver_load_max is set, replace it with queue_only_load (taking the
+# lower value if both set) and also set deliver_queue_load_max if it is
+# not already set. When scanning for output, deliver_load_max is skipped.
+
+if (defined $main{"deliver_load_max"})
+  {
+  &rubric();
+  print STDERR "\n" .
+"** deliver_load_max is abolished in Exim 4.\n";
+
+  if (defined $main{"queue_only_load"})
+    {
+    $queue_only_load_was_present = 1;
+    if ($main{"queue_only_load"} < $main{"deliver_load_max"})
+      {
+      print STDERR
+"   As queue_only_load was set lower, deliver_load_max is just removed.\n";
+      }
+    else
+      {
+      print STDERR
+"   As queue_only_load was set higher, it's value has been replaced by\n" .
+"   the value of deliver_load_max.\n";
+      $main{"queue_only_load"} = $main{"deliver_load_max"};
+      }
+    }
+  else
+    {
+    print STDERR
+"   queue_only_load has been set to the load value.\n";
+    $main{"queue_only_load"} = $main{"deliver_load_max"};
+    }
+
+  if (!defined $main{"deliver_queue_load_max"})
+    {
+    print STDERR
+"   deliver_queue_load_max has been set to the value of queue_only_load.\n";
+    $main{"deliver_queue_load_max"} = $main{"queue_only_load"};
+    }
+  else
+    {
+    $deliver_queue_load_max_was_present = 1;
+    }
+  }
+
+
+# Now we scan through the various parts of the file again, making changes
+# as necessary.
+
+# -------- The main configuration --------
+
+$prefix = "";
+MainLine: for ($i = 0; $i < $clen; $i++)
+  {
+  my($nextline) = "";
+  $type = &checkline($c[$i]);
+  last if $type eq "end";
+
+  if ($type eq "macro")
+    {
+    $i++ while $c[$i] =~ /\\\s*$|^\s*#/;
+    next;
+    }
+
+  if ($type eq "comment") { print STDOUT "$c[$i]\n"; next; }
+
+  # Collect any continuation lines for an option setting
+
+  while ($rest =~ /\\\s*$/s || $nextline =~ /^\s*#/)
+    {
+    $nextline = $c[++$i];
+    $rest .= "\n$nextline";
+    }
+
+  $rest =~ s/^=\s*//;
+
+  # Deal with main options that are skipped (they are used in other
+  # options in other places).
+
+  for $skipped (@skipped_options)
+    {
+    next MainLine if $name eq $skipped;
+    }
+
+  # Deal with main options that are totally abolished
+
+  for $abolished (@abolished_options)
+    {
+    if ($name eq $abolished)
+      {
+      &rubric();
+      print STDERR "\n" .
+"** The $name option no longer exists, and has no equivalent\n" .
+"   in Exim 4.\n";
+      next MainLine;
+      }
+    }
+
+  # There is a special case for rbl_warn_header
+
+  if ($name eq "rbl_warn_header")
+    {
+    &rubric();
+    print STDERR "\n" .
+"** The $name option no longer exists. In Exim 4 you can achieve the\n" .
+"   effect by adding a suitable \"message\" statement in the ACL.\n";
+    }
+
+  # There is a special case for sender_reject and host_reject
+
+  elsif ($name eq "sender_reject" || $name eq "host_reject")
+    {
+    &rubric();
+    print STDERR "\n" .
+"** The $name option no longer exists. Its data has been used in\n" .
+"   an Access Control List as if it were in ${name}_recipients.\n";
+    }
+
+  # And a special message for prohibition_message
+
+  elsif ($name eq "prohibition_message")
+    {
+    &rubric();
+    print STDERR "\n" .
+"** The prohibition_message option no longer exists. The facility is\n" .
+"   provided in a different way in Exim 4, via the \"message\" keyword\n" .
+"   in Access Control Lists. It isn't possible to do an automatic conversion,\n" .
+"   so the value of prohibition_message has been ignored. You will have to\n" .
+"   modify the ACLs if you want to reinstate the feature.\n";
+    }
+
+  # auth_always_advertise gets converted to auth_advertise_hosts
+
+  elsif ($name eq "auth_always_advertise")
+    {
+    print STDOUT "#!!# auth_always_advertise converted to auth_advertise_hosts\n";
+    if (&bool("auth_always_advertise"))
+      {
+      print STDOUT "auth_advertise_hosts = *\n";
+      }
+    else
+      {
+      $sep = "";
+      print STDOUT "auth_advertise_hosts =";
+      if (defined $main{"auth_hosts"})
+        {
+        print STDOUT "$sep +auth_hosts";
+        $sep = " :";
+        }
+      if (defined $main{"host_accept_relay"})
+        {
+        print STDOUT "$sep !+relay_hosts";
+        $sep = " :";
+        }
+      if (defined $main{"host_auth_accept_relay"})
+        {
+        print STDOUT "$sep +auth_relay_hosts";
+        }
+      print STDOUT "\n";
+      }
+    }
+
+  # Deal with main options that have to be rewritten
+
+  elsif ($name eq "accept_timeout")
+    {
+    print STDOUT "#!!# accept_timeout renamed receive_timeout\n";
+    print STDOUT "receive_timeout = $rest\n";
+    }
+
+  elsif ($name eq "collapse_source_routes")
+    {
+    print STDOUT "#!!# collapse_source_routes removed\n";
+    print STDOUT "#!!# It has been a no-op since 3.10.\n";
+    }
+
+  elsif ($name eq "daemon_smtp_service")
+    {
+    print STDOUT "#!!# daemon_smtp_service renamed daemon_smtp_port\n";
+    print STDOUT "daemon_smtp_port = $rest\n";
+    }
+
+  elsif ($name eq "dns_check_names" || $name eq "dns_check_names_pattern")
+    {
+    if (!$done_dns_check_names)
+      {
+      if (&bool("dns_check_names"))
+        {
+        if (defined $main{"dns_check_names_pattern"})
+          {
+          &outopt(\%main, "dns_check_names_pattern", 0);
+          }
+        }
+
+      else
+        {
+        print STDOUT "#!!# dns_check_names has been abolished\n";
+        print STDOUT "#!!# setting dns_check_pattern empty to turn off check\n";
+        print STDOUT "dns_check_names_pattern =\n";
+        }
+
+      $done_dns_check_names = 1;
+      }
+    }
+
+  elsif ($name eq "deliver_load_max")
+    {
+    print STDOUT "deliver_queue_load_max = $main{'deliver_queue_load_max'}\n"
+      if !$deliver_queue_load_max_was_present;
+    print STDOUT "queue_only_load = $main{'queue_only_load'}\n"
+      if !$queue_only_load_was_present;
+    }
+
+  elsif ($name eq "errmsg_file")
+    {
+    print STDOUT "#!!# errmsg_file renamed bounce_message_file\n";
+    print STDOUT "bounce_message_file = $rest\n";
+    }
+
+  elsif ($name eq "errmsg_text")
+    {
+    print STDOUT "#!!# errmsg_text renamed bounce_message_text\n";
+    print STDOUT "bounce_message_text = $rest\n";
+    }
+
+  elsif ($name eq "forbid_domain_literals")
+    {
+    print STDOUT "#!!# forbid_domain_literals replaced by allow_domain_literals\n";
+    print STDOUT "allow_domain_literals = ",
+          &bool("forbid_domain_literals")? "false" : "true", "\n";
+    }
+
+  elsif ($name eq "freeze_tell_mailmaster")
+    {
+    print STDOUT "#!!# freeze_tell_mailmaster replaced by freeze_tell\n";
+    if (&bool("freeze_tell_mailmaster"))
+      {
+      print STDOUT "freeze_tell = ",
+        ((defined $main{"errors_address"})?
+          $main{"errors_address"} : "postmaster"), "\n";
+      }
+    else
+      {
+      print STDOUT "#!!# freeze_tell is unset by default\n";
+      }
+    }
+
+  elsif ($name eq "helo_verify")
+    {
+    print STDOUT "#!!# helo_verify renamed helo_verify_hosts\n";
+    printf STDOUT ("helo_verify_hosts = %s\n", &no_expand_regex($rest));
+    }
+
+  elsif ($name eq "ignore_errmsg_errors")
+    {
+    print STDOUT "ignore_bounce_errors_after = 0s\n";
+    }
+
+  elsif ($name eq "ignore_errmsg_errors_after")
+    {
+    print STDOUT "#!!# ignore_errmsg_errors_after renamed ignore_bounce_errors_after\n";
+    print STDOUT "ignore_bounce_errors_after = $rest\n";
+    }
+
+  elsif ($name eq "ipv4_address_lookup" || $name eq "dns_ipv4_lookup")
+    {
+    print STDOUT "#!!# $name changed to dns_ipv4_lookup\n"
+      if $name eq "ipv4_address_lookup";
+    print STDOUT "#!!# dns_ipv4_lookup is now a domain list\n";
+    if (&bool($name))
+      {
+      print STDOUT "dns_ipv4_lookup = *\n";
+      }
+    else
+      {
+      print STDOUT "#!!# default for dns_ipv4_lookup is unset\n";
+      }
+    }
+
+  elsif ($name eq "locally_caseless")
+    {
+    print STDOUT "#!!# locally_caseless removed\n";
+    print STDOUT "#!!# caseful_local_part will be added to ex-directors\n";
+    $add_caseful_local_part = 1;
+    }
+
+  elsif ($name eq "message_filter_directory2_transport")
+    {
+    print STDOUT "#!!# message_filter_directory2_transport removed\n";
+    }
+
+  elsif ($name =~ /^message_filter(.*)/)
+    {
+    print STDOUT "#!!# $name renamed system_filter$1\n";
+    print STDOUT "system_filter$1 = $rest\n";
+    }
+
+  elsif ($name eq "queue_remote_domains")
+    {
+    print STDOUT "#!!# queue_remote_domains renamed queue_domains\n";
+    printf STDOUT ("queue_domains = %s\n", &no_expand_regex($rest));
+    }
+
+  elsif ($name eq "receiver_unqualified_hosts")
+    {
+    print STDOUT "#!!# receiver_unqualified_hosts renamed recipient_unqualified_hosts\n";
+    printf STDOUT ("recipient_unqualified_hosts = %s\n",
+      &no_expand_regex($rest));
+    }
+
+  elsif ($name eq "remote_sort")
+    {
+    print STDOUT "#!!# remote_sort renamed remote_sort_domains\n";
+    printf STDOUT ("remote_sort_domains = %s\n", &no_expand_regex($rest));
+    }
+
+  elsif ($name eq "security")
+    {
+    if ($rest eq "unprivileged")
+      {
+      print STDOUT "#!!# security=unprivileged changed to deliver_drop_privilege\n";
+      print STDOUT "deliver_drop_privilege\n";
+      }
+    else
+      {
+      &rubric();
+      print STDERR "\n" .
+"** The 'security' option no longer exists.\n";
+      }
+    }
+
+  elsif ($name eq "timestamps_utc")
+    {
+    print STDOUT "#!!# timestamps_utc changed to use timezone\n";
+    print STDOUT "timezone = utc\n";
+    }
+
+  elsif ($name eq "untrusted_set_sender")
+    {
+    print STDOUT "#!!# untrusted_set_sender is now a list of what can be set\n";
+    print STDOUT "#!!# The default is an empty list.\n";
+    if (&bool("untrusted_set_sender"))
+      {
+      print STDOUT "untrusted_set_sender = *\n";
+      }
+    }
+
+  elsif ($name eq "warnmsg_file")
+    {
+    print STDOUT "#!!# warnmsg_file renamed warn_message_file\n";
+    print STDOUT "warn_message_file = $rest\n";
+    }
+
+  # Remaining options just get copied unless they are one of those that's
+  # a list where any regular expressions have to be escaped.
+
+  else
+    {
+    my($no_expand) = 0;
+    foreach $o (@list_options)
+      {
+      if ($name eq $o)
+        {
+        $no_expand = 1;
+        last;
+        }
+      }
+    &outopt(\%main, $name, $no_expand);
+    }
+  }
+
+
+# -------- The ACL configuration --------
+
+print STDOUT "\n";
+print STDOUT "#!!#######################################################!!#\n";
+print STDOUT "#!!# This new section of the configuration contains ACLs #!!#\n";
+print STDOUT "#!!# (Access Control Lists) derived from the Exim 3      #!!#\n";
+print STDOUT "#!!# policy control options.                             #!!#\n";
+print STDOUT "#!!#######################################################!!#\n";
+
+print STDOUT "\n";
+print STDOUT "#!!# These ACLs are crudely constructed from Exim 3 options.\n";
+print STDOUT "#!!# They are almost certainly not optimal. You should study\n";
+print STDOUT "#!!# them and rewrite as necessary.\n";
+
+print STDOUT "\nbegin acl\n\n";
+
+
+# Output an ACL for use after the RCPT command. This combines all the previous
+# policy checking options.
+
+print STDOUT "#!!# ACL that is used after the RCPT command\n";
+print STDOUT "check_recipient:\n";
+
+print STDOUT "  # Exim 3 had no checking on -bs messages, so for compatibility\n";
+print STDOUT "  # we accept if the source is local SMTP (i.e. not over TCP/IP).\n";
+print STDOUT "  # We do this by testing for an empty sending host field.\n";
+print STDOUT "  accept  hosts = :\n";
+
+if (defined $main{"tls_verify_ciphers"})
+  {
+  print STDOUT "  deny    ";
+  print STDOUT "hosts = $main{'tls_verify_hosts'}\n         "
+    if defined $main{"tls_verify_hosts"};
+  print STDOUT " encrypted = *\n         ";
+  print STDOUT "!encrypted = $main{'tls_verify_ciphers'}\n";
+  }
+
+print STDOUT "  deny    hosts = +auth_hosts\n" .
+             "          message = authentication required\n" .
+             "         !authenticated = *\n"
+  if defined $main{"auth_hosts"};
+
+print STDOUT "  deny    hosts = +tls_hosts\n" .
+             "          message = encryption required\n" .
+             "         !encrypted = *\n"
+  if defined $main{"tls_hosts"};
+
+printf STDOUT ("  accept  recipients = %s\n",
+  &acl_quote(&sort_address_list($main{"recipients_reject_except"},
+    "recipients_reject_except")))
+      if defined $main{"recipients_reject_except"};
+
+printf STDOUT ("  accept  senders = %s\n",
+  &acl_quote(&sort_address_list($main{"recipients_reject_except_senders"},
+    "recipients_reject_except_senders")))
+      if defined $main{"recipients_reject_except_senders"};
+
+printf STDOUT ("  deny    hosts = %s\n", &acl_quote($main{"host_reject"}))
+  if defined $main{"host_reject"};
+
+printf STDOUT ("  deny    hosts = %s\n",
+  &acl_quote($main{"host_reject_recipients"}))
+    if defined $main{"host_reject_recipients"};
+
+if (defined $main{"rbl_domains"})
+  {
+  my($msg) = "message = host is listed in \$dnslist_domain\n          ";
+  my($hlist) = (defined $main{"rbl_hosts"})?
+    "hosts = +rbl_hosts\n          " : "";
+
+  print STDOUT "  accept  ${hlist}dnslists = $rbl_accept_domains\n"
+    if defined $rbl_accept_domains;
+  print STDOUT "  deny    ${hlist}${msg}dnslists = $rbl_reject_domains\n"
+    if defined $rbl_reject_domains;
+  print STDOUT "  warn    ${hlist}" .
+    "message = X-Warning: \$sender_host_address is listed at \$dnslist_domain\n" .
+    "          dnslists = $rbl_warn_domains\n"
+      if defined $rbl_warn_domains;
+
+  if (defined $main{"host_accept_relay"})
+    {
+    $hlist .= "hosts = !+relay_hosts\n          ";
+    print STDOUT "  accept  ${hlist}dnslists = $rbl_accept_skiprelay\n"
+      if defined $rbl_accept_skiprelay;
+    print STDOUT "  deny    ${hlist}${msg}dnslists = $rbl_reject_skiprelay\n"
+      if defined $rbl_reject_skiprelay;
+    print STDOUT "  warn    ${hlist}" .
+      "message = X-Warning: \$sender_host_address is listed at \$dnslist_domain\n" .
+      "          dnslists = $rbl_warn_skiprelay\n"
+        if defined $rbl_warn_skiprelay;
+    }
+  }
+
+printf STDOUT ("  deny    senders = %s\n",
+  &acl_quote(&sort_address_list($main{"sender_reject"}, "sender_reject")))
+    if defined $main{"sender_reject"};
+
+printf STDOUT ("  deny    senders = %s\n",
+  &acl_quote(&sort_address_list($main{"sender_reject_recipients"},
+    "sender_reject_recipients")))
+      if defined $main{"sender_reject_recipients"};
+
+if (&bool("sender_verify"))
+  {
+  if (defined $main{"sender_verify_hosts_callback"} &&
+      defined $main{"sender_verify_callback_domains"})
+    {
+    printf STDOUT ("  deny    hosts = %s\n",
+      &acl_quote($main{"sender_verify_hosts_callback"}));
+    printf STDOUT ("          sender_domains = %s\n",
+      &acl_quote($main{"sender_verify_callback_domains"}));
+    print  STDOUT  "         !verify = sender/callout";
+    print  STDOUT  "=$main{\"sender_verify_callback_timeout\"}"
+      if defined $main{"sender_verify_callback_timeout"};
+    print  STDOUT  "\n";
+    }
+
+  if (defined $main{"sender_verify_hosts"})
+    {
+    printf STDOUT ("  deny    hosts = %s\n",
+      &acl_quote($main{"sender_verify_hosts"}));
+    print  STDOUT  "         !verify = sender\n";
+    }
+  else
+    {
+    print STDOUT "  require verify = sender\n";
+    }
+  }
+
+if (&bool("receiver_verify"))
+  {
+  print  STDOUT  "  deny    message = unrouteable address\n";
+  printf STDOUT ("          recipients = %s\n",
+    &acl_quote(&sort_address_list($main{"receiver_verify_addresses"},
+      "receiver_verify_addresses")))
+        if defined $main{"receiver_verify_addresses"};
+  printf STDOUT ("          hosts = %s\n",
+    &acl_quote($main{"receiver_verify_hosts"}))
+      if defined $main{"receiver_verify_hosts"};
+  printf STDOUT ("          senders = %s\n",
+    &acl_quote(&sort_address_list($main{"receiver_verify_senders"},
+      "receiver_verify_senders")))
+        if defined $main{"receiver_verify_senders"};
+  print  STDOUT  "         !verify = recipient\n";
+  }
+
+print STDOUT "  accept  domains = +local_domains\n"
+  if $local_domains !~ /^\s*$/;
+
+print STDOUT "  accept  domains = +relay_domains\n"
+  if $relay_domains !~ /^\s*$/;
+
+if (defined $main{"host_accept_relay"})
+  {
+  if (defined $main{"sender_address_relay"})
+    {
+    if (defined $main{"sender_address_relay_hosts"})
+      {
+      printf STDOUT ("  accept  hosts = %s\n",
+        &acl_quote($main{"sender_address_relay_hosts"}));
+      print  STDOUT  "          endpass\n";
+      print  STDOUT  "          message = invalid sender\n";
+      printf STDOUT ("          senders = %s\n",
+        &acl_quote(&sort_address_list($main{"sender_address_relay"},
+          "sender_address_relay")));
+      print  STDOUT  "  accept  hosts = +relay_hosts\n";
+      }
+    else
+      {
+      print  STDOUT  "  accept  hosts = +relay_hosts\n";
+      print  STDOUT  "          endpass\n";
+      print  STDOUT  "          message = invalid sender\n";
+      printf STDOUT ("          senders = %s\n",
+        &acl_quote(&sort_address_list($main{"sender_address_relay"},
+          "sender_address_relay")));
+      }
+    }
+  else
+    {
+    print STDOUT "  accept  hosts = +relay_hosts\n";
+    }
+  }
+
+print STDOUT "  accept  hosts = +auth_relay_hosts\n" .
+             "          endpass\n" .
+             "          message = authentication required\n" .
+             "          authenticated = *\n"
+  if defined $main{"host_auth_accept_relay"};
+
+print STDOUT "  accept  hosts = +tls_relay_hosts\n" .
+             "          endpass\n" .
+             "          message = encryption required\n" .
+             "          encrypted = *\n"
+  if defined $main{"tls_host_accept_relay"};
+
+print STDOUT "  deny    message = relay not permitted\n\n";
+
+
+# Output an ACL for use after the DATA command. This is concerned with
+# header checking.
+
+print STDOUT "#!!# ACL that is used after the DATA command\n";
+print STDOUT "check_message:\n";
+
+# Default for headers_checks_fail is true
+
+if (!defined $main{"headers_checks_fail"} ||
+    $main{"headers_checks_fail"} eq "true")
+  {
+  print STDOUT "  require verify = header_syntax\n"
+    if &bool("headers_check_syntax");
+  print STDOUT "  require verify = header_sender\n"
+    if &bool("headers_sender_verify");
+  print STDOUT "  accept  senders = !:\n  require verify = header_sender\n"
+    if &bool("headers_sender_verify_errmsg");
+  }
+else
+  {
+  print STDOUT "  warn    !verify = header_syntax\n"
+    if &bool("headers_check_syntax");
+  print STDOUT "  warn    !verify = header_sender\n"
+    if &bool("headers_sender_verify");
+  print STDOUT "  accept  senders = !:\n  warn    !verify = header_sender\n"
+    if &bool("headers_sender_verify_errmsg");
+  }
+
+print STDOUT "  accept\n\n";
+
+
+# Output an ACL for AUTH if required
+
+if (defined $main{"auth_over_tls_hosts"})
+  {
+  print STDOUT "#!!# ACL that is used after the AUTH command\n" .
+               "check_auth:\n" .
+               "  accept  hosts = +auth_over_tls_hosts\n" .
+               "          endpass\n" .
+               "          message = STARTTLS required before AUTH\n" .
+               "          encrypted = *\n" .
+               "  accept\n";
+  }
+
+
+# Output ACLs for ETRN, EXPN, and VRFY if required
+
+if (defined $main{"smtp_etrn_hosts"})
+  {
+  print STDOUT "#!!# ACL that is used after the ETRN command\n" .
+               "check_etrn:\n";
+  print STDOUT "  deny    hosts = +auth_hosts\n" .
+               "          message = authentication required\n" .
+               "         !authenticated = *\n"
+    if defined $main{"auth_hosts"};
+  print STDOUT "  accept  hosts = $main{\"smtp_etrn_hosts\"}\n\n";
+  }
+
+if (defined $main{"smtp_expn_hosts"})
+  {
+  print STDOUT "#!!# ACL that is used after the EXPN command\n" .
+               "check_expn:\n";
+  print STDOUT "  deny    hosts = +auth_hosts\n" .
+               "          message = authentication required\n" .
+               "         !authenticated = *\n"
+    if defined $main{"auth_hosts"};
+  print STDOUT "  accept  hosts = $main{\"smtp_expn_hosts\"}\n\n";
+  }
+
+if (&bool("smtp_verify"))
+  {
+  print STDOUT "#!!# ACL that is used after the VRFY command\n" .
+               "check_vrfy:\n";
+  print STDOUT "  deny    hosts = +auth_hosts\n" .
+               "          message = authentication required\n" .
+               "         !authenticated = *\n"
+    if defined $main{"auth_hosts"};
+  print STDOUT "  accept\n\n";
+  }
+
+# -------- The authenticators --------
+
+$started = 0;
+for ($i = $auth_start; $i < $clen; $i++)
+  {
+  if (!$started)
+    {
+    if ($c[$i] !~ /^\s*(#|$)/)
+      {
+      print STDOUT "\nbegin authenticators\n\n";
+      $started = 1;
+      }
+    }
+  print STDOUT "$c[$i]\n";
+  }
+
+
+# -------- Rewrite section --------
+
+$started = 0;
+for ($i = $rewrite_start; $i < $clen && $i < $auth_start - 1; $i++)
+  {
+  if (!$started)
+    {
+    if ($c[$i] !~ /^\s*(#|$)/)
+      {
+      print STDOUT "\nbegin rewrite\n\n";
+      $started = 1;
+      }
+    }
+  &print_no_expand($c[$i]);
+  }
+
+
+# -------- The routers configuration --------
+
+# The new routers configuration is created out of the old directors and routers
+# configuration. We put the old routers first, adding a "domains" option to
+# any that don't have one, to make them select the domains that do not match
+# the original local_domains. The routers get modified as necessary, and the
+# final one has "no_more" set, unless it has conditions. In that case we have
+# to add an extra router to be sure of failing all non-local addresses that
+# fall through. We do this also if there are no routers at all. The old
+# directors follow, modified as required.
+
+$prefix = "r.";
+undef @comments;
+
+print STDOUT "\n";
+print STDOUT "#!!#######################################################!!#\n";
+print STDOUT "#!!# Here follow routers created from the old routers,   #!!#\n";
+print STDOUT "#!!# for handling non-local domains.                     #!!#\n";
+print STDOUT "#!!#######################################################!!#\n";
+
+print STDOUT "\nbegin routers\n\n";
+
+for ($i = $router_start; $i < $clen; $i++)
+  {
+  $type = &checkline($c[$i]);
+  last if $type eq "end";
+
+  if ($type eq "comment") { push(@comments, "$c[$i]\n"); next; }
+
+  # When we hit the start of a driver, modify its options as necessary,
+  # and then output it from the stored option settings, having first output
+  # and previous comments.
+
+  if ($type eq "driver")
+    {
+    print STDOUT shift @comments while scalar(@comments) > 0;
+
+    $hash = $driverlist{"$prefix$name"};
+    $driver = $$hash{"driver"};
+    print STDOUT "$name:\n";
+
+    $add_no_more =
+      ! defined $$hash{"domains"} &&
+      ! defined $$hash{"local_parts"} &&
+      ! defined $$hash{"senders"} &&
+      ! defined $$hash{"condition"} &&
+      ! defined $$hash{"require_files"} &&
+      (!defined $$hash{"verify_only"} || $$hash{"verify_only"} eq "false") &&
+      (!defined $$hash{"verify"} || $$hash{"verify"} eq "true");
+
+    # Create a "domains" setting if there isn't one, unless local domains
+    # was explicitly empty.
+
+    $$hash{"domains"} = "! +local_domains"
+      if !defined $$hash{"domains"} && $local_domains !~ /^\s*$/;
+
+    # If the router had a local_parts setting, add caseful_local_part
+
+    $$hash{"caseful_local_part"} = "true" if defined $$hash{"local_parts"};
+
+    # If the router has "self=local" set, change it to "self=pass", and
+    # set pass_router to the router that was the first director. Change the
+    # obsolete self settings of "fail_hard" and "fail_soft" to "fail" and
+    # "pass".
+
+    if (defined $$hash{"self"})
+      {
+      if ($$hash{"self"} eq "local")
+        {
+        $$hash{"self"} = "pass";
+        $$hash{"pass_router"} = $first_director;
+        }
+      elsif ($$hash{"self"} eq "fail_hard")
+        {
+        $$hash{"self"} = "fail";
+        }
+      elsif ($$hash{"self"} eq "fail_soft")
+        {
+        $$hash{"self"} = "pass";
+        }
+      }
+
+    # If the router had a require_files setting, check it for user names
+    # and colons that are part of expansion items
+
+    if (defined $$hash{"require_files"})
+      {
+      &check_require($$hash{"require_files"}, "'$name' router");
+      if (($$hash{"require_files"} =~ s/(\$\{\w+):/$1::/g) > 0 ||
+          ($$hash{"require_files"} =~ s/ldap:/ldap::/g) > 0)
+        {
+        &rubric();
+        print STDERR "\n" .
+"*** A setting of require_files in the $name router contains\n" .
+"    a colon in what appears to be an expansion item. In Exim 3, the\n" .
+"    whole string was expanded before splitting the list, but in Exim 4\n" .
+"    each item is expanded separately, so colons that are not list\n" .
+"    item separators have to be doubled. One or more such colons in this\n" .
+"    list have been doubled as a precaution. Please check the result.\n";
+        }
+      }
+
+    # If the router had a "senders" setting, munge the address list
+
+    $$hash{"senders"} = &sort_address_list($$hash{"senders"}, "senders")
+      if defined $$hash{"senders"};
+
+    # ---- Changes to domainlist router ----
+
+    if ($driver eq "domainlist")
+      {
+      &abolished($hash, "A domainlist router",
+        "modemask", "owners", "owngroups",
+        "qualify_single", "search_parents");
+
+      # The name has changed
+
+      $$hash{"driver"} = "manualroute";
+
+      # Turn "route_file", "route_query" and "route_queries" into lookups for
+      # route_data.
+
+      if (defined $$hash{"route_file"})
+        {
+        $$hash{"route_data"} = "\${lookup\{\$domain\}$$hash{'search_type'}" .
+                         "\{$$hash{'route_file'}\}\}";
+        }
+      elsif (defined $$hash{"route_query"})
+        {
+        $$hash{"route_data"} = "\${lookup $$hash{'search_type'}" .
+                               "\{" . &unquote($$hash{'route_query'}) . "\}\}";
+        }
+      elsif (defined $$hash{"route_queries"})
+        {
+        $endkets = 0;
+        $$hash{"route_data"} = "";
+        $route_queries = $$hash{'route_queries'};
+        $route_queries =~ s/^"(.*)"$/$1/s;
+        $route_queries =~ s/::/++colons++/g;
+        @qq = split(/:/, $route_queries);
+
+        foreach $q (@qq)
+          {
+          $q =~ s/\+\+colons\+\+/:/g;
+          $q =~ s/^\s+//;
+          $q =~ s/\s+$//;
+          if ($endkets > 0)
+            {
+            $$hash{"route_data"} .= "\\\n    {";
+            $endkets++;
+            }
+          $$hash{"route_data"} .= "\${lookup $$hash{'search_type'} \{$q\}\{\$value\}";
+          $endkets++;
+          }
+
+        $$hash{"route_data"} .= "}" x $endkets;
+        }
+
+      delete $$hash{"route_file"};
+      delete $$hash{"route_query"};
+      delete $$hash{"route_queries"};
+      delete $$hash{"search_type"};
+
+      # But we can't allow both route_data and route_list
+
+      if (defined $$hash{"route_data"} && defined $$hash{"route_list"})
+        {
+        &rubric();
+        print STDERR "\n" .
+"** An Exim 3 'domainlist' router called '$name' contained a 'route_list'\n" .
+"   option as well as a setting of 'route_file', 'route_query', or\n" .
+"   'route_queries'. The latter has been turned into a 'route_data' setting,\n".
+"   but in Exim 4 you can't have both 'route_data' and 'route_list'. You'll\n" .
+"   have to rewrite this router; in the meantime, 'route_list' has been\n" .
+"   omitted.\n";
+        print STDOUT "#!!# route_list option removed\n";
+        delete $$hash{"route_list"};
+        }
+
+      # Change bydns_a into bydns in a route_list; also bydns_mx, but that
+      # works differently.
+
+      if (defined $$hash{"route_list"})
+        {
+        $$hash{"route_list"} =~ s/bydns_a/bydns/g;
+        if ($$hash{"route_list"} =~ /bydns_mx/)
+          {
+          $$hash{"route_list"} =~ s/bydns_mx/bydns/g;
+          &rubric();
+          print STDERR "\n" .
+"*** An Exim 3 'domainlist' router called '$name' contained a 'route_list'\n" .
+"    option which used 'bydns_mx'. This feature no longer exists in Exim 4.\n" .
+"    It has been changed to 'bydns', but it won't have the same effect,\n" .
+"    because it will look for A rather than MX records. Use the 'dnslookup'\n" .
+"    router to do MX lookups - if you want to override the hosts found from\n" .
+"    MX records, you should route to a special 'smtp' transport which has\n" .
+"    both 'hosts' and 'hosts_override' set.\n";
+          }
+        }
+
+      # Arrange to not expand regex
+
+      $$hash{"route_list"} = &no_expand_regex($$hash{"route_list"}, ";")
+        if (defined $$hash{"route_list"})
+      }
+
+
+    # ---- Changes to iplookup router ----
+
+    elsif ($driver eq "iplookup")
+      {
+      &renamed($hash, "service", "port");
+      }
+
+
+    # ---- Changes to lookuphost router ----
+
+    elsif ($driver eq "lookuphost")
+      {
+      $$hash{"driver"} = "dnslookup";
+
+      if (defined $$hash{"gethostbyname"})
+        {
+        &rubric();
+        print STDERR "\n" .
+"** An Exim 3 'lookuphost' router called '$name' used the 'gethostbyname'\n" .
+"   option, which no longer exists. You will have to rewrite it.\n";
+        print STDOUT "#!!# gethostbyname option removed\n";
+        delete $$hash{"gethostbyname"};
+        }
+
+      $$hash{"mx_domains"} = &no_expand_regex($$hash{"mx_domains"})
+        if defined $$hash{"mx_domains"};
+      }
+
+
+    # ---- Changes to the queryprogram router ----
+
+    elsif ($driver eq "queryprogram")
+      {
+      &rubric();
+      print STDERR "\n" .
+"** The configuration contains a 'queryprogram' router. Please note that\n" .
+"   the specification for the text that is returned by the program run\n" .
+"   by this router has changed in Exim 4. You will need to modify your\n" .
+"   program.\n";
+
+      if (!defined $$hash{'command_user'})
+        {
+        &rubric();
+        print STDERR "\n" .
+"** The 'queryprogram' router called '$name' does not have a setting for\n" .
+"   the 'command_user' option. This is mandatory in Exim 4. A setting of\n" .
+"   'nobody' has been created.\n";
+        $$hash{"command_user"} = "nobody";
+        }
+      }
+
+
+    # -------------------------------------
+
+    # Output the router's option settings
+
+    &outdriver($hash);
+    next;
+    }
+
+  # Skip past any continuation lines for an option setting
+  while ($c[$i] =~ /\\\s*$/s && $i < $clen - 1)
+    {
+    $i++;
+    $i++ while ($c[$i] =~ /^\s*#/);
+    }
+  }
+
+# Add "no_more" to the final driver from the old routers, provided it had no
+# conditions. Otherwise, or if there were no routers, make up one to fail all
+# non-local domains.
+
+if ($add_no_more)
+  {
+  print STDOUT "  no_more\n";
+  print STDOUT shift @comments while scalar(@comments) > 0;
+  }
+else
+  {
+  print STDOUT shift @comments while scalar(@comments) > 0;
+  print STDOUT "\n#!!# This new router is put here to fail all domains that\n";
+  print STDOUT "#!!# were not in local_domains in the Exim 3 configuration.\n\n";
+  print STDOUT "fail_remote_domains:\n";
+  print STDOUT "  driver = redirect\n";
+  print STDOUT "  domains = ! +local_domains\n";
+  print STDOUT "  allow_fail\n";
+  print STDOUT "  data = :fail: unrouteable mail domain \"\$domain\"\n\n";
+  }
+
+# Now copy the directors, making appropriate changes
+
+print STDOUT "\n";
+print STDOUT "#!!#######################################################!!#\n";
+print STDOUT "#!!# Here follow routers created from the old directors, #!!#\n";
+print STDOUT "#!!# for handling local domains.                         #!!#\n";
+print STDOUT "#!!#######################################################!!#\n";
+
+$prefix = "d.";
+for ($i = $director_start; $i < $clen; $i++)
+  {
+  $type = &checkline($c[$i]);
+  last if $type eq "end";
+
+  if ($type eq "comment") { print STDOUT "$c[$i]\n"; next; }
+
+  undef $second_router;
+
+  if ($type eq "driver")
+    {
+    $hash = $driverlist{"$prefix$name"};
+    $driver = $$hash{"driver"};
+    print STDOUT "$name:\n";
+
+    $$hash{"caseful_local_part"} = "true" if $add_caseful_local_part;
+
+    if (defined $$hash{"local_parts"} &&
+        (defined $$hash{"prefix"} || defined $hash{"suffix"}))
+      {
+      &rubric();
+      print STDERR "\n" .
+"** The Exim 3 configuration contains a director called '$name' which has\n" .
+"   'local_parts' set, together with either or both of 'prefix' and 'suffix'\n".
+"   This combination has a different effect in Exim 4, where the affix\n" .
+"   is removed *before* 'local_parts' is tested. You will probably need\n" .
+"   to make changes to this driver.\n";
+      }
+
+    &renamed($hash, "prefix", "local_part_prefix");
+    &renamed($hash, "prefix_optional", "local_part_prefix_optional");
+    &renamed($hash, "suffix", "local_part_suffix");
+    &renamed($hash, "suffix_optional", "local_part_suffix_optional");
+    &renamed($hash, "new_director", "redirect_router");
+
+    &handle_current_and_home_directory($hash, $driver, $name);
+
+    # If the director had a require_files setting, check it for user names
+    # and colons that are part of expansion items
+
+    if (defined $$hash{"require_files"})
+      {
+      &check_require($$hash{"require_files"}, "'$name' director");
+      if (($$hash{"require_files"} =~ s/(\$\{\w+):/$1::/g) > 0 ||
+          ($$hash{"require_files"} =~ s/ldap:/ldap::/g) > 0)
+        {
+        &rubric();
+        print STDERR "\n" .
+"*** A setting of require_files in the $name director contains\n" .
+"    a colon in what appears to be an expansion item. In Exim 3, the\n" .
+"    whole string was expanded before splitting the list, but in Exim 4\n" .
+"    each item is expanded separately, so colons that are not list\n" .
+"    item separators have to be doubled. One or more such colons in this\n" .
+"    list have been doubled as a precaution. Please check the result.\n";
+        }
+      }
+
+    # If the director had a "senders" setting, munge the address list
+
+    $$hash{"senders"} = &sort_address_list($$hash{"senders"}, "senders")
+      if defined $$hash{"senders"};
+
+    # ---- Changes to aliasfile director ----
+
+    if ($driver eq "aliasfile")
+      {
+      &abolished($hash, "An aliasfile director",
+        "directory2_transport", "freeze_missing_include",
+        "modemask", "owners", "owngroups");
+
+      $$hash{"driver"} = "redirect";
+
+      $key = "\$local_part";
+      $key = "\$local_part\@\$domain"
+        if defined $$hash{"include_domain"} &&
+          $$hash{"include_domain"} eq "true";
+      delete $$hash{"include_domain"};
+
+      if (defined $$hash{"forbid_special"} && $$hash{"forbid_special"} eq "true")
+        {
+        $$hash{"forbid_blackhole"} = "true";
+        }
+      else
+        {
+        $$hash{"allow_defer"} = "true";
+        $$hash{"allow_fail"} = "true";
+        }
+      delete $$hash{"forbid_special"};
+
+      # Deal with "file", "query", or "queries"
+
+      if (defined $$hash{"file"})
+        {
+        $$hash{"data"} =
+          "\$\{lookup\{$key\}$$hash{'search_type'}\{$$hash{'file'}\}\}";
+        if (defined $$hash{"optional"} && $$hash{"optional"} eq "true")
+          {
+          $$hash{"data"} =
+            "\$\{if exists\{$$hash{'file'}\}\{$$hash{'data'}\}\}";
+          }
+        delete $$hash{"optional"};
+        }
+      elsif (defined $$hash{"query"})
+        {
+        &abolished($hash, "An aliasfile director", "optional");
+        $$hash{"data"} = "\${lookup $$hash{'search_type'} " .
+                         "\{" . &unquote($$hash{'query'}) . "\}\}";
+        }
+      else   # Must be queries
+        {
+        &abolished($hash, "An aliasfile director", "optional");
+        $endkets = 0;
+        $$hash{"data"} = "";
+        $queries = $$hash{'queries'};
+        $queries =~ s/^"(.*)"$/$1/s;
+        $queries =~ s/::/++colons++/g;
+        @qq = split(/:/, $queries);
+
+        foreach $q (@qq)
+          {
+          $q =~ s/\+\+colons\+\+/:/g;
+          $q =~ s/^\s+//;
+          $q =~ s/\s+$//;
+          if ($endkets > 0)
+            {
+            $$hash{"data"} .= "\\\n    {";
+            $endkets++;
+            }
+          $$hash{"data"} .= "\${lookup $$hash{'search_type'} \{$q\}\{\$value\}";
+          $endkets++;
+          }
+
+        $$hash{"data"} .= "}" x $endkets;
+        }
+
+      $$hash{"data"} = "\${expand:$$hash{'data'}\}"
+        if (defined $$hash{"expand"} && $$hash{"expand"} eq "true");
+
+      delete $$hash{"expand"};
+      delete $$hash{"file"};
+      delete $$hash{"query"};
+      delete $$hash{"queries"};
+      delete $$hash{"search_type"};
+
+      # Turn aliasfile + transport into accept + condition
+
+      if (defined $$hash{'transport'})
+        {
+        &rubric();
+        if (!defined $$hash{'condition'})
+          {
+          print STDERR "\n" .
+"** The Exim 3 configuration contains an aliasfile director called '$name',\n".
+"   which has 'transport' set. This has been turned into an 'accept' router\n".
+"   with a 'condition' setting, but should be carefully checked.\n";
+          $$hash{'driver'} = "accept";
+          $$hash{'condition'} =
+            "\$\{if eq \{\}\{$$hash{'data'}\}\{no\}\{yes\}\}";
+          delete $$hash{'data'};
+          delete $$hash{'allow_defer'};
+          delete $$hash{'allow_fail'};
+          }
+        else
+          {
+          print STDERR "\n" .
+"** The Exim 3 configuration contains an aliasfile director called '$name',\n".
+"   which has 'transport' set. This cannot be turned into an 'accept' router\n".
+"   with a 'condition' setting, because there is already a 'condition'\n" .
+"   setting. It has been left as 'redirect' with a transport, which is\n" .
+"   invalid - you must sort this one out.\n";
+          }
+        }
+      }
+
+
+    # ---- Changes to forwardfile director ----
+
+    elsif ($driver eq "forwardfile")
+      {
+      &abolished($hash, "A forwardfile director",
+        "check_group", "directory2_transport",
+        "freeze_missing_include", "match_directory",
+        "seteuid");
+
+      &renamed($hash, "filter", "allow_filter");
+
+      $$hash{"driver"} = "redirect";
+      $$hash{"check_local_user"} = "true"
+        if !defined $$hash{"check_local_user"};
+
+      if (defined $$hash{"forbid_pipe"} && $$hash{"forbid_pipe"} eq "true")
+        {
+        print STDOUT "#!!# forbid_filter_run added because forbid_pipe is set\n";
+        $$hash{"forbid_filter_run"} = "true";
+        }
+
+      if (defined $$hash{'allow_system_actions'} &&
+          $$hash{'allow_system_actions'} eq 'true')
+        {
+        $$hash{'allow_freeze'} = "true";
+        }
+      delete $$hash{'allow_system_actions'};
+
+      # If file_directory is defined, use it to qualify relative paths; if not,
+      # and check_local_user is defined, use $home. Remove file_directory from
+      # the output.
+
+      $dir = "";
+      if (defined $$hash{"file_directory"})
+        {
+        $dir = $$hash{"file_directory"} . "/";
+        delete $$hash{"file_directory"};
+        }
+      elsif ($$hash{"check_local_user"} eq "true")
+        {
+        $dir = "\$home/";
+        }
+
+      # If it begins with an upper case letter, guess that this is really
+      # a macro.
+
+      if (defined $$hash{"file"} && $$hash{"file"} !~ /^[\/A-Z]/)
+        {
+        $$hash{"file"} = $dir . $$hash{"file"};
+        }
+      }
+
+
+    # ---- Changes to localuser director ----
+
+    elsif ($driver eq "localuser")
+      {
+      &abolished($hash, "A localuser director", "match_directory");
+      $$hash{"driver"} = "accept";
+      $$hash{"check_local_user"} = "true";
+      }
+
+
+    # ---- Changes to smartuser director ----
+
+    elsif ($driver eq "smartuser")
+      {
+      &abolished($hash, "A smartuser director", "panic_expansion_fail");
+
+      $transport = $$hash{"transport"};
+      $new_address = $$hash{"new_address"};
+
+      if (defined $transport && defined $new_address)
+        {
+        &rubric();
+        print STDERR "\n" .
+"** The Exim 3 configuration contains a smartuser director called '$name',\n".
+"   which has both 'transport' and 'new_address' set. This has been turned\n".
+"   into two routers for Exim 4. However, if the new address contains a\n" .
+"   reference to \$local_part, this won't work correctly. In any case, you\n".
+"   may be able to make it tidier by rewriting.\n";
+        $$hash{"driver"} = "redirect";
+        $$hash{"data"} = $new_address;
+        $$hash{"redirect_router"} = "${name}_part2";
+
+        $second_router = "\n".
+          "#!!# This router is invented to go with the previous one because\n".
+          "#!!# in Exim 4 you can't have a change of address and a transport\n".
+          "#!!# setting in the same router as you could in Exim 3.\n\n" .
+          "${name}_part2:\n".
+          "  driver = accept\n".
+          "  condition = \$\{if eq\{\$local_part@\$domain\}" .
+          "\{$new_address\}\{yes\}\{no\}\}\n".
+          "  transport = $$hash{'transport'}\n";
+
+        delete $$hash{"new_address"};
+        delete $$hash{"transport"};
+        }
+      elsif (defined $new_address)
+        {
+        $$hash{"driver"} = "redirect";
+        $$hash{"data"} = $new_address;
+        $$hash{"allow_defer"} = "true";
+        $$hash{"allow_fail"} = "true";
+        delete $$hash{"new_address"};
+        }
+      else     # Includes the case of neither set (verify_only)
+        {
+        $$hash{"driver"} = "accept";
+        if (defined $$hash{"rewrite"})
+          {
+          &rubric();
+          print STDERR "\n" .
+"** The Exim 3 configuration contains a setting of the 'rewrite' option on\n".
+"   a smartuser director called '$name', but this director does not have\n".
+"   a setting of 'new_address', so 'rewrite' has no effect. The director\n".
+"   has been turned into an 'accept' router, and 'rewrite' has been discarded.";
+          delete $$hash{"rewrite"};
+          }
+        }
+      }
+
+
+    # -------------------------------------
+
+    # For ex-directors that don't have check_local_user set, add
+    # retry_use_local_part to imitate what Exim 3 would have done.
+
+    $$hash{"retry_use_local_part"} = "true"
+      if (!defined $$hash{"check_local_user"} ||
+          $$hash{"check_local_user"} eq "false") ;
+
+    # Output the router's option settings
+
+    &outdriver($hash);
+
+    # Output an auxiliary router if one is needed
+
+    print STDOUT $second_router if defined $second_router;
+
+    next;
+    }
+
+  # Skip past any continuation lines for an option setting
+  while ($c[$i] =~ /\\\s*$/s)
+    {
+    $i++;
+    $i++ while ($c[$i] =~ /^\s*#/);
+    }
+  }
+
+
+
+# -------- The transports configuration --------
+
+$started = 0;
+$prefix = "t.";
+for ($i = $transport_start; $i < $clen; $i++)
+  {
+  $type = &checkline($c[$i]);
+  last if $type eq "end";
+
+  if ($type eq "comment") { print STDOUT "$c[$i]\n"; next; }
+
+  if (!$started)
+    {
+    print STDOUT "begin transports\n\n";
+    $started = 1;
+    }
+
+  if ($type eq "driver")
+    {
+    $hash = $driverlist{"$prefix$name"};
+    $driver = $$hash{"driver"};
+    print STDOUT "$name:\n";
+
+    # ---- Changes to the appendfile transport ----
+
+    if ($driver eq "appendfile")
+      {
+      &renamed($hash, "prefix", "message_prefix");
+      &renamed($hash, "suffix", "message_suffix");
+      &abolished($hash, "An appendfile transport",
+        "require_lockfile");
+      &handle_batch_and_bsmtp($hash);
+      if (defined $$hash{"from_hack"} && $$hash{"from_hack"} eq "false")
+        {
+        print STDOUT "#!!# no_from_hack replaced by check_string\n";
+        $$hash{"check_string"} = "";
+        }
+      delete $$hash{"from_hack"};
+      }
+
+    # ---- Changes to the lmtp transport ----
+
+    elsif ($driver eq "lmtp")
+      {
+      if (defined $$hash{"batch"} && $$hash{"batch"} ne "none")
+        {
+        $$hash{"batch_max"} = "100" if !defined $$hash{"batch_max"};
+        $$hash{"batch_id"} = "\$domain" if $$hash{"batch"} eq "domain";
+        }
+      else
+        {
+        $$hash{"batch_max"} = "1" if defined $$hash{"batch_max"};
+        }
+      delete $$hash{"batch"};
+      }
+
+    # ---- Changes to the pipe transport ----
+
+    elsif ($driver eq "pipe")
+      {
+      &renamed($hash, "prefix", "message_prefix");
+      &renamed($hash, "suffix", "message_suffix");
+      &handle_batch_and_bsmtp($hash);
+      if (defined $$hash{"from_hack"} && $$hash{"from_hack"} eq "false")
+        {
+        print STDOUT "#!!# no_from_hack replaced by check_string\n";
+        $$hash{"check_string"} = "";
+        }
+      delete $$hash{"from_hack"};
+      }
+
+    # ---- Changes to the smtp transport ----
+
+    elsif ($driver eq "smtp")
+      {
+      &abolished($hash, "An smtp transport", "mx_domains");
+      &renamed($hash, "service", "port");
+      &renamed($hash, "tls_verify_ciphers", "tls_require_ciphers");
+      &renamed($hash, "authenticate_hosts", "hosts_try_auth");
+
+      if (defined $$hash{"batch_max"})
+        {
+        print STDOUT "#!!# batch_max renamed connection_max_messages\n";
+        $$hash{"connection_max_messages"} = $$hash{"batch_max"};
+        delete $$hash{"batch_max"};
+        }
+
+      foreach $o ("hosts_try_auth", "hosts_avoid_tls", "hosts_require_tls",
+                  "mx_domains", "serialize_hosts")
+        {
+        $$hash{$o} = &no_expand_regex($$hash{$o}) if defined $$hash{$o};
+        }
+      }
+
+    &outdriver($driverlist{"$prefix$name"});
+    next;
+    }
+
+  # Skip past any continuation lines for an option setting
+  while ($c[$i] =~ /\\\s*$/s)
+    {
+    $i++;
+    $i++ while ($c[$i] =~ /^\s*#/);
+    }
+  }
+
+
+# -------- The retry configuration --------
+
+$started = 0;
+for ($i = $retry_start; $i < $clen && $i < $rewrite_start - 1; $i++)
+  {
+  if (!$started)
+    {
+    if ($c[$i] !~ /^\s*(#|$)/)
+      {
+      print STDOUT "\nbegin retry\n\n";
+      $started = 1;
+      }
+    }
+  &print_no_expand($c[$i]);
+  }
+
+print STDOUT "\n# End of Exim 4 configuration\n";
+
+print STDERR "\n*******************************************************\n";
+print STDERR   "***** Please review the generated file carefully. *****\n";
+print STDERR   "*******************************************************\n\n";
+
+# End of convert4r4
+
diff --git a/src/crypt16.c b/src/crypt16.c
new file mode 100644
index 0000000..56353c3
--- /dev/null
+++ b/src/crypt16.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2000-2002
+ *   Chris Adams <cmadams@iruntheinter.net>
+ *   written for HiWAAY Internet Services
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307
+ * USA
+ */
+
+/*
+ * Adapted for Exim by Tamas TEVESZ <ice@extreme.hu>
+ * Further adapted by Philip Hazel to cut out this function for operating
+ *   systems that have a built-in version.
+ */
+
+/* The OS has a built-in crypt16(). Some compilers don't like compiling empty
+modules, so keep them happy with a dummy when skipping the rest. */
+
+#include "config.h"
+
+#ifdef HAVE_CRYPT16
+static void dummy(int x) { dummy(x-1); }
+#else
+
+/* The OS doesn't have a built-in crypt16(). Compile this one. */
+
+#include <unistd.h>
+#include <string.h>
+#include "os.h"
+
+#ifdef CRYPT_H
+#include <crypt.h>
+#endif
+
+char *
+crypt16(char *key, char *salt)
+{
+static char res[25];	/* Not threadsafe; like crypt() */
+static char s2[3];
+char *p;
+
+/* Clear the string of any previous data */
+memset (res, 0, sizeof (res));
+
+/* crypt the first part */
+if (!(p = crypt (key, salt))) return NULL;
+strncpy (res, p, 13);
+
+if (strlen (key) > 8)
+  {
+  /* crypt the rest
+   * the first two characters of the first block (not counting
+   * the salt) make up the new salt */
+
+  strncpy (s2, res+2, 2);
+  p = crypt (key+8, s2);
+  strncpy (res+13, p+2, 11);
+  memset (s2, 0, sizeof(s2));
+  }
+
+return (res);
+}
+#endif
+
+/* End of crypt16.c */
diff --git a/src/daemon.c b/src/daemon.c
new file mode 100644
index 0000000..8e8a515
--- /dev/null
+++ b/src/daemon.c
@@ -0,0 +1,2654 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions concerned with running Exim as a daemon */
+
+
+#include "exim.h"
+
+
+/* Structure for holding data for each SMTP connection */
+
+typedef struct smtp_slot {
+  pid_t pid;                       /* pid of the spawned reception process */
+  uschar *host_address;            /* address of the client host */
+} smtp_slot;
+
+/* An empty slot for initializing (Standard C does not allow constructor
+expressions in assignments except as initializers in declarations). */
+
+static smtp_slot empty_smtp_slot = { .pid = 0, .host_address = NULL };
+
+
+
+/*************************************************
+*               Local static variables           *
+*************************************************/
+
+static SIGNAL_BOOL sigchld_seen;
+static SIGNAL_BOOL sighup_seen;
+static SIGNAL_BOOL sigterm_seen;
+
+static int   accept_retry_count = 0;
+static int   accept_retry_errno;
+static BOOL  accept_retry_select_failed;
+
+static int   queue_run_count = 0;
+static pid_t *queue_pid_slots = NULL;
+static smtp_slot *smtp_slots = NULL;
+
+static BOOL  write_pid = TRUE;
+
+
+
+/*************************************************
+*             SIGHUP Handler                     *
+*************************************************/
+
+/* All this handler does is to set a flag and re-enable the signal.
+
+Argument: the signal number
+Returns:  nothing
+*/
+
+static void
+sighup_handler(int sig)
+{
+sighup_seen = TRUE;
+signal(SIGHUP, sighup_handler);
+}
+
+
+
+/*************************************************
+*     SIGCHLD handler for main daemon process    *
+*************************************************/
+
+/* Don't re-enable the handler here, since we aren't doing the
+waiting here. If the signal is re-enabled, there will just be an
+infinite sequence of calls to this handler. The SIGCHLD signal is
+used just as a means of waking up the daemon so that it notices
+terminated subprocesses as soon as possible.
+
+Argument: the signal number
+Returns:  nothing
+*/
+
+static void
+main_sigchld_handler(int sig)
+{
+os_non_restarting_signal(SIGCHLD, SIG_DFL);
+sigchld_seen = TRUE;
+}
+
+
+/* SIGTERM handler.  Try to get the daemon pid file removed
+before exiting. */
+
+static void
+main_sigterm_handler(int sig)
+{
+sigterm_seen = TRUE;
+}
+
+
+
+
+/*************************************************
+*          Unexpected errors in SMTP calls       *
+*************************************************/
+
+/* This function just saves a bit of repetitious coding.
+
+Arguments:
+  log_msg        Text of message to be logged
+  smtp_msg       Text of SMTP error message
+  was_errno      The failing errno
+
+Returns:         nothing
+*/
+
+static void
+never_error(uschar *log_msg, uschar *smtp_msg, int was_errno)
+{
+uschar *emsg = was_errno <= 0
+  ? US"" : string_sprintf(": %s", strerror(was_errno));
+log_write(0, LOG_MAIN|LOG_PANIC, "%s%s", log_msg, emsg);
+if (smtp_out) smtp_printf("421 %s\r\n", FALSE, smtp_msg);
+}
+
+
+
+
+/*************************************************
+*************************************************/
+
+#ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
+static void
+unlink_notifier_socket(void)
+{
+uschar * s = expand_string(notifier_socket);
+DEBUG(D_any) debug_printf("unlinking notifier socket %s\n", s);
+Uunlink(s);
+}
+#endif
+
+
+static void
+close_daemon_sockets(int daemon_notifier_fd,
+  struct pollfd * fd_polls, int listen_socket_count)
+{
+if (daemon_notifier_fd >= 0)
+  {
+  (void) close(daemon_notifier_fd);
+  daemon_notifier_fd = -1;
+#ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
+  unlink_notifier_socket();
+#endif
+  }
+
+for (int i = 0; i < listen_socket_count; i++) (void) close(fd_polls[i].fd);
+}
+
+
+/*************************************************
+*            Handle a connected SMTP call        *
+*************************************************/
+
+/* This function is called when an SMTP connection has been accepted.
+If there are too many, give an error message and close down. Otherwise
+spin off a sub-process to handle the call. The list of listening sockets
+is required so that they can be closed in the sub-process. Take care not to
+leak store in this process - reset the stacking pool at the end.
+
+Arguments:
+  fd_polls        sockets which are listening for incoming calls
+  listen_socket_count   count of listening sockets
+  accept_socket         socket of the current accepted call
+  accepted              socket information about the current call
+
+Returns:            nothing
+*/
+
+static void
+handle_smtp_call(struct pollfd *fd_polls, int listen_socket_count,
+  int accept_socket, struct sockaddr *accepted)
+{
+pid_t pid;
+union sockaddr_46 interface_sockaddr;
+EXIM_SOCKLEN_T ifsize = sizeof(interface_sockaddr);
+int dup_accept_socket = -1;
+int max_for_this_host = 0;
+int save_log_selector = *log_selector;
+gstring * whofrom;
+
+rmark reset_point = store_mark();
+
+/* Make the address available in ASCII representation, and also fish out
+the remote port. */
+
+sender_host_address = host_ntoa(-1, accepted, NULL, &sender_host_port);
+DEBUG(D_any) debug_printf("Connection request from %s port %d\n",
+  sender_host_address, sender_host_port);
+
+/* Set up the output stream, check the socket has duplicated, and set up the
+input stream. These operations fail only the exceptional circumstances. Note
+that never_error() won't use smtp_out if it is NULL. */
+
+if (!(smtp_out = fdopen(accept_socket, "wb")))
+  {
+  never_error(US"daemon: fdopen() for smtp_out failed", US"", errno);
+  goto ERROR_RETURN;
+  }
+
+if ((dup_accept_socket = dup(accept_socket)) < 0)
+  {
+  never_error(US"daemon: couldn't dup socket descriptor",
+    US"Connection setup failed", errno);
+  goto ERROR_RETURN;
+  }
+
+if (!(smtp_in = fdopen(dup_accept_socket, "rb")))
+  {
+  never_error(US"daemon: fdopen() for smtp_in failed",
+    US"Connection setup failed", errno);
+  goto ERROR_RETURN;
+  }
+
+/* Get the data for the local interface address. Panic for most errors, but
+"connection reset by peer" just means the connection went away. */
+
+if (getsockname(accept_socket, (struct sockaddr *)(&interface_sockaddr),
+     &ifsize) < 0)
+  {
+  log_write(0, LOG_MAIN | ((errno == ECONNRESET)? 0 : LOG_PANIC),
+    "getsockname() failed: %s", strerror(errno));
+  smtp_printf("421 Local problem: getsockname() failed; please try again later\r\n", FALSE);
+  goto ERROR_RETURN;
+  }
+
+interface_address = host_ntoa(-1, &interface_sockaddr, NULL, &interface_port);
+DEBUG(D_interface) debug_printf("interface address=%s port=%d\n",
+  interface_address, interface_port);
+
+/* Build a string identifying the remote host and, if requested, the port and
+the local interface data. This is for logging; at the end of this function the
+memory is reclaimed. */
+
+whofrom = string_append(NULL, 3, "[", sender_host_address, "]");
+
+if (LOGGING(incoming_port))
+  whofrom = string_fmt_append(whofrom, ":%d", sender_host_port);
+
+if (LOGGING(incoming_interface))
+  whofrom = string_fmt_append(whofrom, " I=[%s]:%d",
+    interface_address, interface_port);
+
+(void) string_from_gstring(whofrom);    /* Terminate the newly-built string */
+
+/* Check maximum number of connections. We do not check for reserved
+connections or unacceptable hosts here. That is done in the subprocess because
+it might take some time. */
+
+if (smtp_accept_max > 0 && smtp_accept_count >= smtp_accept_max)
+  {
+  DEBUG(D_any) debug_printf("rejecting SMTP connection: count=%d max=%d\n",
+    smtp_accept_count, smtp_accept_max);
+  smtp_printf("421 Too many concurrent SMTP connections; "
+    "please try again later.\r\n", FALSE);
+  log_write(L_connection_reject,
+            LOG_MAIN, "Connection from %s refused: too many connections",
+    whofrom->s);
+  goto ERROR_RETURN;
+  }
+
+/* If a load limit above which only reserved hosts are acceptable is defined,
+get the load average here, and if there are in fact no reserved hosts, do
+the test right away (saves a fork). If there are hosts, do the check in the
+subprocess because it might take time. */
+
+if (smtp_load_reserve >= 0)
+  {
+  load_average = OS_GETLOADAVG();
+  if (!smtp_reserve_hosts && load_average > smtp_load_reserve)
+    {
+    DEBUG(D_any) debug_printf("rejecting SMTP connection: load average = %.2f\n",
+      (double)load_average/1000.0);
+    smtp_printf("421 Too much load; please try again later.\r\n", FALSE);
+    log_write(L_connection_reject,
+              LOG_MAIN, "Connection from %s refused: load average = %.2f",
+      whofrom->s, (double)load_average/1000.0);
+    goto ERROR_RETURN;
+    }
+  }
+
+/* Check that one specific host (strictly, IP address) is not hogging
+resources. This is done here to prevent a denial of service attack by someone
+forcing you to fork lots of times before denying service. The value of
+smtp_accept_max_per_host is a string which is expanded. This makes it possible
+to provide host-specific limits according to $sender_host address, but because
+this is in the daemon mainline, only fast expansions (such as inline address
+checks) should be used. The documentation is full of warnings. */
+
+if (smtp_accept_max_per_host)
+  {
+  uschar *expanded = expand_string(smtp_accept_max_per_host);
+  if (!expanded)
+    {
+    if (!f.expand_string_forcedfail)
+      log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
+        "failed for %s: %s", whofrom->s, expand_string_message);
+    }
+  /* For speed, interpret a decimal number inline here */
+  else
+    {
+    uschar *s = expanded;
+    while (isdigit(*s))
+      max_for_this_host = max_for_this_host * 10 + *s++ - '0';
+    if (*s)
+      log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
+        "for %s contains non-digit: %s", whofrom->s, expanded);
+    }
+  }
+
+/* If we have fewer connections than max_for_this_host, we can skip the tedious
+per host_address checks. Note that at this stage smtp_accept_count contains the
+count of *other* connections, not including this one. */
+
+if (max_for_this_host > 0 && smtp_accept_count >= max_for_this_host)
+  {
+  int host_accept_count = 0;
+  int other_host_count = 0;    /* keep a count of non matches to optimise */
+
+  for (int i = 0; i < smtp_accept_max; ++i)
+    if (smtp_slots[i].host_address)
+      {
+      if (Ustrcmp(sender_host_address, smtp_slots[i].host_address) == 0)
+       host_accept_count++;
+      else
+       other_host_count++;
+
+      /* Testing all these strings is expensive - see if we can drop out
+      early, either by hitting the target, or finding there are not enough
+      connections left to make the target. */
+
+      if (  host_accept_count >= max_for_this_host
+         || smtp_accept_count - other_host_count < max_for_this_host)
+       break;
+      }
+
+  if (host_accept_count >= max_for_this_host)
+    {
+    DEBUG(D_any) debug_printf("rejecting SMTP connection: too many from this "
+      "IP address: count=%d max=%d\n",
+      host_accept_count, max_for_this_host);
+    smtp_printf("421 Too many concurrent SMTP connections "
+      "from this IP address; please try again later.\r\n", FALSE);
+    log_write(L_connection_reject,
+              LOG_MAIN, "Connection from %s refused: too many connections "
+      "from that IP address", whofrom->s);
+    search_tidyup();
+    goto ERROR_RETURN;
+    }
+  }
+
+/* OK, the connection count checks have been passed. Before we can fork the
+accepting process, we must first log the connection if requested. This logging
+used to happen in the subprocess, but doing that means that the value of
+smtp_accept_count can be out of step by the time it is logged. So we have to do
+the logging here and accept the performance cost. Note that smtp_accept_count
+hasn't yet been incremented to take account of this connection.
+
+In order to minimize the cost (because this is going to happen for every
+connection), do a preliminary selector test here. This saves ploughing through
+the generalized logging code each time when the selector is false. If the
+selector is set, check whether the host is on the list for logging. If not,
+arrange to unset the selector in the subprocess. */
+
+if (LOGGING(smtp_connection))
+  {
+  uschar *list = hosts_connection_nolog;
+  memset(sender_host_cache, 0, sizeof(sender_host_cache));
+  if (list && verify_check_host(&list) == OK)
+    save_log_selector &= ~L_smtp_connection;
+  else
+    log_write(L_smtp_connection, LOG_MAIN, "SMTP connection from %s "
+      "(TCP/IP connection count = %d)", whofrom->s, smtp_accept_count + 1);
+  }
+
+/* Now we can fork the accepting process; do a lookup tidy, just in case any
+expansion above did a lookup. */
+
+search_tidyup();
+pid = exim_fork(US"daemon-accept");
+
+/* Handle the child process */
+
+if (pid == 0)
+  {
+  int queue_only_reason = 0;
+  int old_pool = store_pool;
+  int save_debug_selector = debug_selector;
+  BOOL local_queue_only;
+  BOOL session_local_queue_only;
+#ifdef SA_NOCLDWAIT
+  struct sigaction act;
+#endif
+
+  smtp_accept_count++;    /* So that it includes this process */
+
+  /* If the listen backlog was over the monitoring level, log it. */
+
+  if (smtp_listen_backlog > smtp_backlog_monitor)
+    log_write(0, LOG_MAIN, "listen backlog %d I=[%s]:%d",
+		smtp_listen_backlog, interface_address, interface_port);
+
+  /* May have been modified for the subprocess */
+
+  *log_selector = save_log_selector;
+
+  /* Get the local interface address into permanent store */
+
+  store_pool = POOL_PERM;
+  interface_address = string_copy(interface_address);
+  store_pool = old_pool;
+
+  /* Check for a tls-on-connect port */
+
+  if (host_is_tls_on_connect_port(interface_port)) tls_in.on_connect = TRUE;
+
+  /* Expand smtp_active_hostname if required. We do not do this any earlier,
+  because it may depend on the local interface address (indeed, that is most
+  likely what it depends on.) */
+
+  smtp_active_hostname = primary_hostname;
+  if (raw_active_hostname)
+    {
+    uschar * nah = expand_string(raw_active_hostname);
+    if (!nah)
+      {
+      if (!f.expand_string_forcedfail)
+        {
+        log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" "
+          "(smtp_active_hostname): %s", raw_active_hostname,
+          expand_string_message);
+        smtp_printf("421 Local configuration error; "
+          "please try again later.\r\n", FALSE);
+        mac_smtp_fflush();
+        search_tidyup();
+        exim_underbar_exit(EXIT_FAILURE);
+        }
+      }
+    else if (*nah) smtp_active_hostname = nah;
+    }
+
+  /* Initialize the queueing flags */
+
+  queue_check_only();
+  session_local_queue_only = queue_only;
+
+  /* Close the listening sockets, and set the SIGCHLD handler to SIG_IGN.
+  We also attempt to set things up so that children are automatically reaped,
+  but just in case this isn't available, there's a paranoid waitpid() in the
+  loop too (except for systems where we are sure it isn't needed). See the more
+  extensive comment before the reception loop in exim.c for a fuller
+  explanation of this logic. */
+
+  close_daemon_sockets(daemon_notifier_fd, fd_polls, listen_socket_count);
+
+  /* Set FD_CLOEXEC on the SMTP socket. We don't want any rogue child processes
+  to be able to communicate with them, under any circumstances. */
+  (void)fcntl(accept_socket, F_SETFD,
+              fcntl(accept_socket, F_GETFD) | FD_CLOEXEC);
+  (void)fcntl(dup_accept_socket, F_SETFD,
+              fcntl(dup_accept_socket, F_GETFD) | FD_CLOEXEC);
+
+#ifdef SA_NOCLDWAIT
+  act.sa_handler = SIG_IGN;
+  sigemptyset(&(act.sa_mask));
+  act.sa_flags = SA_NOCLDWAIT;
+  sigaction(SIGCHLD, &act, NULL);
+#else
+  signal(SIGCHLD, SIG_IGN);
+#endif
+  signal(SIGTERM, SIG_DFL);
+  signal(SIGINT, SIG_DFL);
+
+  /* Attempt to get an id from the sending machine via the RFC 1413
+  protocol. We do this in the sub-process in order not to hold up the
+  main process if there is any delay. Then set up the fullhost information
+  in case there is no HELO/EHLO.
+
+  If debugging is enabled only for the daemon, we must turn if off while
+  finding the id, but turn it on again afterwards so that information about the
+  incoming connection is output. */
+
+  if (f.debug_daemon) debug_selector = 0;
+  verify_get_ident(IDENT_PORT);
+  host_build_sender_fullhost();
+  debug_selector = save_debug_selector;
+
+  DEBUG(D_any)
+    debug_printf("Process %d is handling incoming connection from %s\n",
+      (int)getpid(), sender_fullhost);
+
+  /* Now disable debugging permanently if it's required only for the daemon
+  process. */
+
+  if (f.debug_daemon) debug_selector = 0;
+
+  /* If there are too many child processes for immediate delivery,
+  set the session_local_queue_only flag, which is initialized from the
+  configured value and may therefore already be TRUE. Leave logging
+  till later so it will have a message id attached. Note that there is no
+  possibility of re-calculating this per-message, because the value of
+  smtp_accept_count does not change in this subprocess. */
+
+  if (smtp_accept_queue > 0 && smtp_accept_count > smtp_accept_queue)
+    {
+    session_local_queue_only = TRUE;
+    queue_only_reason = 1;
+    }
+
+  /* Handle the start of the SMTP session, then loop, accepting incoming
+  messages from the SMTP connection. The end will come at the QUIT command,
+  when smtp_setup_msg() returns 0. A break in the connection causes the
+  process to die (see accept.c).
+
+  NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
+  because a log line has already been written for all its failure exists
+  (usually "connection refused: <reason>") and writing another one is
+  unnecessary clutter. */
+
+  if (!smtp_start_session())
+    {
+    mac_smtp_fflush();
+    search_tidyup();
+    exim_underbar_exit(EXIT_SUCCESS);
+    }
+
+  for (;;)
+    {
+    int rc;
+    message_id[0] = 0;            /* Clear out any previous message_id */
+    reset_point = store_mark();   /* Save current store high water point */
+
+    DEBUG(D_any)
+      debug_printf("Process %d is ready for new message\n", (int)getpid());
+
+    /* Smtp_setup_msg() returns 0 on QUIT or if the call is from an
+    unacceptable host or if an ACL "drop" command was triggered, -1 on
+    connection lost, and +1 on validly reaching DATA. Receive_msg() almost
+    always returns TRUE when smtp_input is true; just retry if no message was
+    accepted (can happen for invalid message parameters). However, it can yield
+    FALSE if the connection was forcibly dropped by the DATA ACL. */
+
+    if ((rc = smtp_setup_msg()) > 0)
+      {
+      BOOL ok = receive_msg(FALSE);
+      search_tidyup();                    /* Close cached databases */
+      if (!ok)                            /* Connection was dropped */
+        {
+	cancel_cutthrough_connection(TRUE, US"receive dropped");
+        mac_smtp_fflush();
+        smtp_log_no_mail();               /* Log no mail if configured */
+        exim_underbar_exit(EXIT_SUCCESS);
+        }
+      if (message_id[0] == 0) continue;   /* No message was accepted */
+      }
+    else				/* bad smtp_setup_msg() */
+      {
+      if (smtp_out)
+	{
+	int fd = fileno(smtp_in);
+	uschar buf[128];
+
+	mac_smtp_fflush();
+	/* drain socket, for clean TCP FINs */
+	if (fcntl(fd, F_SETFL, O_NONBLOCK) == 0)
+	  for(int i = 16; read(fd, buf, sizeof(buf)) > 0 && i > 0; ) i--;
+	}
+      cancel_cutthrough_connection(TRUE, US"message setup dropped");
+      search_tidyup();
+      smtp_log_no_mail();                 /* Log no mail if configured */
+
+      /*XXX should we pause briefly, hoping that the client will be the
+      active TCP closer hence get the TCP_WAIT endpoint? */
+      DEBUG(D_receive) debug_printf("SMTP>>(close on process exit)\n");
+      exim_underbar_exit(rc ? EXIT_FAILURE : EXIT_SUCCESS);
+      }
+
+    /* Show the recipients when debugging */
+
+    DEBUG(D_receive)
+      {
+      if (sender_address)
+        debug_printf("Sender: %s\n", sender_address);
+      if (recipients_list)
+        {
+        debug_printf("Recipients:\n");
+        for (int i = 0; i < recipients_count; i++)
+          debug_printf("  %s\n", recipients_list[i].address);
+        }
+      }
+
+    /* A message has been accepted. Clean up any previous delivery processes
+    that have completed and are defunct, on systems where they don't go away
+    by themselves (see comments when setting SIG_IGN above). On such systems
+    (if any) these delivery processes hang around after termination until
+    the next message is received. */
+
+    #ifndef SIG_IGN_WORKS
+    while (waitpid(-1, NULL, WNOHANG) > 0);
+    #endif
+
+    /* Reclaim up the store used in accepting this message */
+
+      {
+      int r = receive_messagecount;
+      BOOL q = f.queue_only_policy;
+      smtp_reset(reset_point);
+      reset_point = NULL;
+      f.queue_only_policy = q;
+      receive_messagecount = r;
+      }
+
+    /* If queue_only is set or if there are too many incoming connections in
+    existence, session_local_queue_only will be TRUE. If it is not, check
+    whether we have received too many messages in this session for immediate
+    delivery. */
+
+    if (!session_local_queue_only &&
+        smtp_accept_queue_per_connection > 0 &&
+        receive_messagecount > smtp_accept_queue_per_connection)
+      {
+      session_local_queue_only = TRUE;
+      queue_only_reason = 2;
+      }
+
+    /* Initialize local_queue_only from session_local_queue_only. If it is not
+    true, and queue_only_load is set, check that the load average is below it.
+    If local_queue_only is set by this means, we also set if for the session if
+    queue_only_load_latch is true (the default). This means that, once set,
+    local_queue_only remains set for any subsequent messages on the same SMTP
+    connection. This is a deliberate choice; even though the load average may
+    fall, it doesn't seem right to deliver later messages on the same call when
+    not delivering earlier ones. However, the are special circumstances such as
+    very long-lived connections from scanning appliances where this is not the
+    best strategy. In such cases, queue_only_load_latch should be set false. */
+
+    if (  !(local_queue_only = session_local_queue_only)
+       && queue_only_load >= 0
+       && (local_queue_only = (load_average = OS_GETLOADAVG()) > queue_only_load)
+       )
+      {
+      queue_only_reason = 3;
+      if (queue_only_load_latch) session_local_queue_only = TRUE;
+      }
+
+    /* Log the queueing here, when it will get a message id attached, but
+    not if queue_only is set (case 0). */
+
+    if (local_queue_only) switch(queue_only_reason)
+      {
+      case 1: log_write(L_delay_delivery,
+                LOG_MAIN, "no immediate delivery: too many connections "
+                "(%d, max %d)", smtp_accept_count, smtp_accept_queue);
+	      break;
+
+      case 2: log_write(L_delay_delivery,
+                LOG_MAIN, "no immediate delivery: more than %d messages "
+                "received in one connection", smtp_accept_queue_per_connection);
+	      break;
+
+      case 3: log_write(L_delay_delivery,
+                LOG_MAIN, "no immediate delivery: load average %.2f",
+                (double)load_average/1000.0);
+	      break;
+      }
+
+    /* If a delivery attempt is required, spin off a new process to handle it.
+    If we are not root, we have to re-exec exim unless deliveries are being
+    done unprivileged. */
+
+    else if (  (!f.queue_only_policy || f.queue_smtp)
+            && !f.deliver_freeze)
+      {
+      pid_t dpid;
+
+      /* We used to flush smtp_out before forking so that buffered data was not
+      duplicated, but now we want to pipeline the responses for data and quit.
+      Instead, hard-close the fd underlying smtp_out right after fork to discard
+      the data buffer. */
+
+      if ((dpid = exim_fork(US"daemon-accept-delivery")) == 0)
+        {
+        (void)fclose(smtp_in);
+	(void)close(fileno(smtp_out));
+        (void)fclose(smtp_out);
+	smtp_in = smtp_out = NULL;
+
+        /* Don't ever molest the parent's SSL connection, but do clean up
+        the data structures if necessary. */
+
+#ifndef DISABLE_TLS
+        tls_close(NULL, TLS_NO_SHUTDOWN);
+#endif
+
+        /* Reset SIGHUP and SIGCHLD in the child in both cases. */
+
+        signal(SIGHUP,  SIG_DFL);
+        signal(SIGCHLD, SIG_DFL);
+        signal(SIGTERM, SIG_DFL);
+        signal(SIGINT, SIG_DFL);
+
+        if (geteuid() != root_uid && !deliver_drop_privilege)
+          {
+          signal(SIGALRM, SIG_DFL);
+	  delivery_re_exec(CEE_EXEC_PANIC);
+          /* Control does not return here. */
+          }
+
+        /* No need to re-exec; SIGALRM remains set to the default handler */
+
+        (void) deliver_message(message_id, FALSE, FALSE);
+        search_tidyup();
+        exim_underbar_exit(EXIT_SUCCESS);
+        }
+
+      if (dpid > 0)
+        {
+	release_cutthrough_connection(US"passed for delivery");
+        DEBUG(D_any) debug_printf("forked delivery process %d\n", (int)dpid);
+        }
+      else
+	{
+	cancel_cutthrough_connection(TRUE, US"delivery fork failed");
+        log_write(0, LOG_MAIN|LOG_PANIC, "daemon: delivery process fork "
+          "failed: %s", strerror(errno));
+	}
+      }
+    }
+  }
+
+
+/* Carrying on in the parent daemon process... Can't do much if the fork
+failed. Otherwise, keep count of the number of accepting processes and
+remember the pid for ticking off when the child completes. */
+
+if (pid < 0)
+  never_error(US"daemon: accept process fork failed", US"Fork failed", errno);
+else
+  {
+  for (int i = 0; i < smtp_accept_max; ++i)
+    if (smtp_slots[i].pid <= 0)
+      {
+      smtp_slots[i].pid = pid;
+      /* Connection closes come asyncronously, so we cannot stack this store */
+      if (smtp_accept_max_per_host)
+        smtp_slots[i].host_address = string_copy_malloc(sender_host_address);
+      smtp_accept_count++;
+      break;
+      }
+  DEBUG(D_any) debug_printf("%d SMTP accept process%s running\n",
+    smtp_accept_count, smtp_accept_count == 1 ? "" : "es");
+  }
+
+/* Get here via goto in error cases */
+
+ERROR_RETURN:
+
+/* Close the streams associated with the socket which will also close the
+socket fds in this process. We can't do anything if fclose() fails, but
+logging brings it to someone's attention. However, "connection reset by peer"
+isn't really a problem, so skip that one. On Solaris, a dropped connection can
+manifest itself as a broken pipe, so drop that one too. If the streams don't
+exist, something went wrong while setting things up. Make sure the socket
+descriptors are closed, in order to drop the connection. */
+
+if (smtp_out)
+  {
+  if (fclose(smtp_out) != 0 && errno != ECONNRESET && errno != EPIPE)
+    log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_out) failed: %s",
+      strerror(errno));
+  smtp_out = NULL;
+  }
+else (void)close(accept_socket);
+
+if (smtp_in)
+  {
+  if (fclose(smtp_in) != 0 && errno != ECONNRESET && errno != EPIPE)
+    log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_in) failed: %s",
+      strerror(errno));
+  smtp_in = NULL;
+  }
+else (void)close(dup_accept_socket);
+
+/* Release any store used in this process, including the store used for holding
+the incoming host address and an expanded active_hostname. */
+
+log_close_all();
+interface_address = sender_host_name = sender_host_address = NULL;
+store_reset(reset_point);
+}
+
+
+
+
+/*************************************************
+*       Check wildcard listen special cases      *
+*************************************************/
+
+/* This function is used when binding and listening on lists of addresses and
+ports. It tests for special cases of wildcard listening, when IPv4 and IPv6
+sockets may interact in different ways in different operating systems. It is
+passed an error number, the list of listening addresses, and the current
+address. Two checks are available: for a previous wildcard IPv6 address, or for
+a following wildcard IPv4 address, in both cases on the same port.
+
+In practice, pairs of wildcard addresses should be adjacent in the address list
+because they are sorted that way below.
+
+Arguments:
+  eno            the error number
+  addresses      the list of addresses
+  ipa            the current IP address
+  back           if TRUE, check for previous wildcard IPv6 address
+                 if FALSE, check for a following wildcard IPv4 address
+
+Returns:         TRUE or FALSE
+*/
+
+static BOOL
+check_special_case(int eno, ip_address_item *addresses, ip_address_item *ipa,
+  BOOL back)
+{
+ip_address_item *ipa2;
+
+/* For the "back" case, if the failure was "address in use" for a wildcard IPv4
+address, seek a previous IPv6 wildcard address on the same port. As it is
+previous, it must have been successfully bound and be listening. Flag it as a
+"6 including 4" listener. */
+
+if (back)
+  {
+  if (eno != EADDRINUSE || ipa->address[0] != 0) return FALSE;
+  for (ipa2 = addresses; ipa2 != ipa; ipa2 = ipa2->next)
+    {
+    if (ipa2->address[1] == 0 && ipa2->port == ipa->port)
+      {
+      ipa2->v6_include_v4 = TRUE;
+      return TRUE;
+      }
+    }
+  }
+
+/* For the "forward" case, if the current address is a wildcard IPv6 address,
+we seek a following wildcard IPv4 address on the same port. */
+
+else
+  {
+  if (ipa->address[0] != ':' || ipa->address[1] != 0) return FALSE;
+  for (ipa2 = ipa->next; ipa2 != NULL; ipa2 = ipa2->next)
+    if (ipa2->address[0] == 0 && ipa->port == ipa2->port) return TRUE;
+  }
+
+return FALSE;
+}
+
+
+
+
+/*************************************************
+*         Handle terminating subprocesses        *
+*************************************************/
+
+/* Handle the termination of child processes. Theoretically, this need be done
+only when sigchld_seen is TRUE, but rumour has it that some systems lose
+SIGCHLD signals at busy times, so to be on the safe side, this function is
+called each time round. It shouldn't be too expensive.
+
+Arguments:  none
+Returns:    nothing
+*/
+
+static void
+handle_ending_processes(void)
+{
+int status;
+pid_t pid;
+
+while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
+  {
+  DEBUG(D_any)
+    {
+    debug_printf("child %d ended: status=0x%x\n", (int)pid, status);
+#ifdef WCOREDUMP
+    if (WIFEXITED(status))
+      debug_printf("  normal exit, %d\n", WEXITSTATUS(status));
+    else if (WIFSIGNALED(status))
+      debug_printf("  signal exit, signal %d%s\n", WTERMSIG(status),
+          WCOREDUMP(status) ? " (core dumped)" : "");
+#endif
+    }
+
+  /* If it's a listening daemon for which we are keeping track of individual
+  subprocesses, deal with an accepting process that has terminated. */
+
+  if (smtp_slots)
+    {
+    int i;
+    for (i = 0; i < smtp_accept_max; i++)
+      if (smtp_slots[i].pid == pid)
+        {
+        if (smtp_slots[i].host_address)
+          store_free(smtp_slots[i].host_address);
+        smtp_slots[i] = empty_smtp_slot;
+        if (--smtp_accept_count < 0) smtp_accept_count = 0;
+        DEBUG(D_any) debug_printf("%d SMTP accept process%s now running\n",
+          smtp_accept_count, (smtp_accept_count == 1)? "" : "es");
+        break;
+        }
+    if (i < smtp_accept_max) continue;  /* Found an accepting process */
+    }
+
+  /* If it wasn't an accepting process, see if it was a queue-runner
+  process that we are tracking. */
+
+  if (queue_pid_slots)
+    {
+    int max = atoi(CS expand_string(queue_run_max));
+    for (int i = 0; i < max; i++)
+      if (queue_pid_slots[i] == pid)
+        {
+        queue_pid_slots[i] = 0;
+        if (--queue_run_count < 0) queue_run_count = 0;
+        DEBUG(D_any) debug_printf("%d queue-runner process%s now running\n",
+          queue_run_count, (queue_run_count == 1)? "" : "es");
+        break;
+        }
+    }
+  }
+}
+
+
+static void
+set_pid_file_path(void)
+{
+if (override_pid_file_path)
+  pid_file_path = override_pid_file_path;
+
+if (!*pid_file_path)
+  pid_file_path = string_sprintf("%s/exim-daemon.pid", spool_directory);
+
+if (pid_file_path[0] != '/')
+  log_write(0, LOG_PANIC_DIE, "pid file path %s must be absolute\n", pid_file_path);
+}
+
+
+enum pid_op { PID_WRITE, PID_CHECK, PID_DELETE };
+
+/* Do various pid file operations as safe as possible. Ideally we'd just
+drop the privileges for creation of the pid file and not care at all about removal of
+the file. FIXME.
+Returns: true on success, false + errno==EACCES otherwise
+*/
+
+static BOOL
+operate_on_pid_file(const enum pid_op operation, const pid_t pid)
+{
+char pid_line[sizeof(int) * 3 + 2];
+const int pid_len = snprintf(pid_line, sizeof(pid_line), "%d\n", (int)pid);
+BOOL lines_match = FALSE;
+uschar * path, * base, * dir;
+
+const int dir_flags = O_RDONLY | O_NONBLOCK;
+const int base_flags = O_NOFOLLOW | O_NONBLOCK;
+const mode_t base_mode = 0644;
+struct stat sb;
+int cwd_fd = -1, dir_fd = -1, base_fd = -1;
+BOOL success = FALSE;
+errno = EACCES;
+
+set_pid_file_path();
+if (!f.running_in_test_harness && real_uid != root_uid && real_uid != exim_uid) goto cleanup;
+if (pid_len < 2 || pid_len >= (int)sizeof(pid_line)) goto cleanup;
+
+path = string_copy(pid_file_path);
+if ((base = Ustrrchr(path, '/')) == NULL)	/* should not happen, but who knows */
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid file path \"%s\" does not contain a '/'", pid_file_path);
+
+dir = base != path ? path : US"/";
+*base++ = '\0';
+
+if (!dir || !*dir || *dir != '/') goto cleanup;
+if (!base || !*base || Ustrchr(base, '/') != NULL) goto cleanup;
+
+cwd_fd = open(".", dir_flags);
+if (cwd_fd < 0 || fstat(cwd_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
+dir_fd = open(CS dir, dir_flags);
+if (dir_fd < 0 || fstat(dir_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
+
+/* emulate openat */
+if (fchdir(dir_fd) != 0) goto cleanup;
+base_fd = open(CS base, O_RDONLY | base_flags);
+if (fchdir(cwd_fd) != 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
+
+if (base_fd >= 0)
+  {
+  char line[sizeof(pid_line)];
+  ssize_t len = -1;
+
+  if (fstat(base_fd, &sb) != 0 || !S_ISREG(sb.st_mode)) goto cleanup;
+  if ((sb.st_mode & 07777) != base_mode || sb.st_nlink != 1) goto cleanup;
+  if (sb.st_size < 2 || sb.st_size >= (off_t)sizeof(line)) goto cleanup;
+
+  len = read(base_fd, line, sizeof(line));
+  if (len != (ssize_t)sb.st_size) goto cleanup;
+  line[len] = '\0';
+
+  if (strspn(line, "0123456789") != (size_t)len-1) goto cleanup;
+  if (line[len-1] != '\n') goto cleanup;
+  lines_match = len == pid_len && strcmp(line, pid_line) == 0;
+  }
+
+if (operation == PID_WRITE)
+  {
+  if (!lines_match)
+    {
+    if (base_fd >= 0)
+      {
+      int error = -1;
+      /* emulate unlinkat */
+      if (fchdir(dir_fd) != 0) goto cleanup;
+      error = unlink(CS base);
+      if (fchdir(cwd_fd) != 0)
+        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
+      if (error) goto cleanup;
+      (void)close(base_fd);
+      base_fd = -1;
+     }
+    /* emulate openat */
+    if (fchdir(dir_fd) != 0) goto cleanup;
+    base_fd = open(CS base, O_WRONLY | O_CREAT | O_EXCL | base_flags, base_mode);
+    if (fchdir(cwd_fd) != 0)
+        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
+    if (base_fd < 0) goto cleanup;
+    if (fchmod(base_fd, base_mode) != 0) goto cleanup;
+    if (write(base_fd, pid_line, pid_len) != pid_len) goto cleanup;
+    DEBUG(D_any) debug_printf("pid written to %s\n", pid_file_path);
+    }
+  }
+else
+  {
+  if (!lines_match) goto cleanup;
+  if (operation == PID_DELETE)
+    {
+    int error = -1;
+    /* emulate unlinkat */
+    if (fchdir(dir_fd) != 0) goto cleanup;
+    error = unlink(CS base);
+    if (fchdir(cwd_fd) != 0)
+        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
+    if (error) goto cleanup;
+    }
+  }
+
+success = TRUE;
+errno = 0;
+
+cleanup:
+if (cwd_fd >= 0) (void)close(cwd_fd);
+if (dir_fd >= 0) (void)close(dir_fd);
+if (base_fd >= 0) (void)close(base_fd);
+return success;
+}
+
+
+/* Remove the daemon's pidfile.  Note: runs with root privilege,
+as a direct child of the daemon.  Does not return. */
+
+void
+delete_pid_file(void)
+{
+const BOOL success = operate_on_pid_file(PID_DELETE, getppid());
+
+DEBUG(D_any)
+  debug_printf("delete pid file %s %s: %s\n", pid_file_path,
+    success ? "success" : "failure", strerror(errno));
+
+exim_exit(EXIT_SUCCESS);
+}
+
+
+/* Called by the daemon; exec a child to get the pid file deleted
+since we may require privs for the containing directory */
+
+static void
+daemon_die(void)
+{
+int pid;
+
+DEBUG(D_any) debug_printf("SIGTERM/SIGINT seen\n");
+#if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
+tls_watch_invalidate();
+#endif
+
+if (daemon_notifier_fd >= 0)
+  {
+  close(daemon_notifier_fd);
+  daemon_notifier_fd = -1;
+#ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
+  unlink_notifier_socket();
+#endif
+  }
+
+if (f.running_in_test_harness || write_pid)
+  {
+  if ((pid = exim_fork(US"daemon-del-pidfile")) == 0)
+    {
+    if (override_pid_file_path)
+      (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 3,
+	"-oP", override_pid_file_path, "-oPX");
+    else
+      (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 1, "-oPX");
+
+    /* Control never returns here. */
+    }
+  if (pid > 0)
+    child_close(pid, 1);
+  }
+exim_exit(EXIT_SUCCESS);
+}
+
+
+/*************************************************
+*	Listener socket for local work prompts	 *
+*************************************************/
+
+static void
+daemon_notifier_socket(void)
+{
+int fd;
+const uschar * where;
+struct sockaddr_un sa_un = {.sun_family = AF_UNIX};
+int len;
+
+if (!notifier_socket || !*notifier_socket)
+  {
+  DEBUG(D_any) debug_printf("-oY used so not creating notifier socket\n");
+  return;
+  }
+if (override_local_interfaces && !override_pid_file_path)
+  {
+  DEBUG(D_any)
+    debug_printf("-oX used without -oP so not creating notifier socket\n");
+  return;
+  }
+
+DEBUG(D_any) debug_printf("creating notifier socket\n");
+
+#ifdef SOCK_CLOEXEC
+if ((fd = socket(PF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0)) < 0)
+  { where = US"socket"; goto bad; }
+#else
+if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) < 0)
+  { where = US"socket"; goto bad; }
+(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
+#endif
+
+#ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
+sa_un.sun_path[0] = 0;	/* Abstract local socket addr - Linux-specific? */
+len = offsetof(struct sockaddr_un, sun_path) + 1
+  + snprintf(sa_un.sun_path+1, sizeof(sa_un.sun_path)-1, "%s",
+	      expand_string(notifier_socket));
+DEBUG(D_any) debug_printf(" @%s\n", sa_un.sun_path+1);
+#else			/* filesystem-visible and persistent; will neeed removal */
+len = offsetof(struct sockaddr_un, sun_path)
+  + snprintf(sa_un.sun_path, sizeof(sa_un.sun_path), "%s",
+	      expand_string(notifier_socket));
+DEBUG(D_any) debug_printf(" %s\n", sa_un.sun_path);
+#endif
+
+if (bind(fd, (const struct sockaddr *)&sa_un, len) < 0)
+  { where = US"bind"; goto bad; }
+
+#ifdef SO_PASSCRED		/* Linux */
+if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) < 0)
+  { where = US"SO_PASSCRED"; goto bad2; }
+#elif defined(LOCAL_CREDS)	/* FreeBSD-ish */
+if (setsockopt(fd, 0, LOCAL_CREDS, &on, sizeof(on)) < 0)
+  { where = US"LOCAL_CREDS"; goto bad2; }
+#endif
+
+/* debug_printf("%s: fd %d\n", __FUNCTION__, fd); */
+daemon_notifier_fd = fd;
+return;
+
+bad2:
+#ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
+  Uunlink(sa_un.sun_path);
+#endif
+bad:
+  log_write(0, LOG_MAIN|LOG_PANIC, "%s %s: %s",
+    __FUNCTION__, where, strerror(errno));
+  close(fd);
+  return;
+}
+
+
+static uschar queuerun_msgid[MESSAGE_ID_LENGTH+1];
+
+/* Return TRUE if a sigalrm should be emulated */
+static BOOL
+daemon_notification(void)
+{
+uschar buf[256], cbuf[256];
+struct sockaddr_un sa_un;
+struct iovec iov = {.iov_base = buf, .iov_len = sizeof(buf)-1};
+struct msghdr msg = { .msg_name = &sa_un,
+		      .msg_namelen = sizeof(sa_un),
+		      .msg_iov = &iov,
+		      .msg_iovlen = 1,
+		      .msg_control = cbuf,
+		      .msg_controllen = sizeof(cbuf)
+		    };
+ssize_t sz;
+
+buf[sizeof(buf)-1] = 0;
+if ((sz = recvmsg(daemon_notifier_fd, &msg, 0)) <= 0) return FALSE;
+if (sz >= sizeof(buf)) return FALSE;
+
+#ifdef notdef
+debug_printf("addrlen %d\n", msg.msg_namelen);
+#endif
+DEBUG(D_queue_run) debug_printf("%s from addr '%s%.*s'\n", __FUNCTION__,
+  *sa_un.sun_path ? "" : "@",
+  (int)msg.msg_namelen - (*sa_un.sun_path ? 0 : 1),
+  sa_un.sun_path + (*sa_un.sun_path ? 0 : 1));
+
+/* Refuse to handle the item unless the peer has good credentials */
+#ifdef SCM_CREDENTIALS
+# define EXIM_SCM_CR_TYPE SCM_CREDENTIALS
+#elif defined(LOCAL_CREDS) && defined(SCM_CREDS)
+# define EXIM_SCM_CR_TYPE SCM_CREDS
+#else
+	/* The OS has no way to get the creds of the caller (for a unix/datagram socket.
+	Punt; don't try to check. */
+#endif
+
+#ifdef EXIM_SCM_CR_TYPE
+for (struct cmsghdr * cp = CMSG_FIRSTHDR(&msg);
+     cp;
+     cp = CMSG_NXTHDR(&msg, cp))
+  if (cp->cmsg_level == SOL_SOCKET && cp->cmsg_type == EXIM_SCM_CR_TYPE)
+  {
+# ifdef SCM_CREDENTIALS					/* Linux */
+  struct ucred * cr = (struct ucred *) CMSG_DATA(cp);
+  if (cr->uid && cr->uid != exim_uid)
+    {
+    DEBUG(D_queue_run) debug_printf("%s: sender creds pid %d uid %d gid %d\n",
+      __FUNCTION__, (int)cr->pid, (int)cr->uid, (int)cr->gid);
+    return FALSE;
+    }
+# elif defined(LOCAL_CREDS)				/* BSD-ish */
+  struct sockcred * cr = (struct sockcred *) CMSG_DATA(cp);
+  if (cr->sc_uid && cr->sc_uid != exim_uid)
+    {
+    DEBUG(D_queue_run) debug_printf("%s: sender creds pid ??? uid %d gid %d\n",
+      __FUNCTION__, (int)cr->sc_uid, (int)cr->sc_gid);
+    return FALSE;
+    }
+# endif
+  break;
+  }
+#endif
+
+buf[sz] = 0;
+switch (buf[0])
+  {
+#ifndef DISABLE_QUEUE_RAMP
+  case NOTIFY_MSG_QRUN:
+    /* this should be a message_id */
+    DEBUG(D_queue_run)
+      debug_printf("%s: qrunner trigger: %s\n", __FUNCTION__, buf+1);
+    memcpy(queuerun_msgid, buf+1, MESSAGE_ID_LENGTH+1);
+    return TRUE;
+#endif
+
+  case NOTIFY_QUEUE_SIZE_REQ:
+    {
+    uschar buf[16];
+    int len = snprintf(CS buf, sizeof(buf), "%u", queue_count_cached());
+
+    DEBUG(D_queue_run)
+      debug_printf("%s: queue size request: %s\n", __FUNCTION__, buf);
+
+    if (sendto(daemon_notifier_fd, buf, len, 0,
+		(const struct sockaddr *)&sa_un, msg.msg_namelen) < 0)
+      log_write(0, LOG_MAIN|LOG_PANIC,
+	"%s: sendto: %s\n", __FUNCTION__, strerror(errno));
+    return FALSE;
+    }
+  }
+return FALSE;
+}
+
+
+
+
+/*************************************************
+*              Exim Daemon Mainline              *
+*************************************************/
+
+/* The daemon can do two jobs, either of which is optional:
+
+(1) Listens for incoming SMTP calls and spawns off a sub-process to handle
+each one. This is requested by the -bd option, with -oX specifying the SMTP
+port on which to listen (for testing).
+
+(2) Spawns a queue-running process every so often. This is controlled by the
+-q option with a an interval time. (If no time is given, a single queue run
+is done from the main function, and control doesn't get here.)
+
+Root privilege is required in order to attach to port 25. Some systems require
+it when calling socket() rather than bind(). To cope with all cases, we run as
+root for both socket() and bind(). Some systems also require root in order to
+write to the pid file directory. This function must therefore be called as root
+if it is to work properly in all circumstances. Once the socket is bound and
+the pid file written, root privilege is given up if there is an exim uid.
+
+There are no arguments to this function, and it never returns. */
+
+void
+daemon_go(void)
+{
+struct passwd * pw;
+struct pollfd * fd_polls, * tls_watch_poll = NULL, * dnotify_poll = NULL;
+int listen_socket_count = 0, poll_fd_count;
+ip_address_item * addresses = NULL;
+time_t last_connection_time = (time_t)0;
+int local_queue_run_max = atoi(CS expand_string(queue_run_max));
+
+process_purpose = US"daemon";
+
+/* If any debugging options are set, turn on the D_pid bit so that all
+debugging lines get the pid added. */
+
+DEBUG(D_any|D_v) debug_selector |= D_pid;
+
+/* Allocate enough pollstructs for inetd mode plus the ancillary sockets;
+also used when there are no listen sockets. */
+
+fd_polls = store_get(sizeof(struct pollfd) * 3, GET_UNTAINTED);
+
+if (f.inetd_wait_mode)
+  {
+  listen_socket_count = 1;
+  (void) close(3);
+  if (dup2(0, 3) == -1)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+        "failed to dup inetd socket safely away: %s", strerror(errno));
+
+  fd_polls[0].fd = 3;
+  fd_polls[0].events = POLLIN;
+  (void) close(0);
+  (void) close(1);
+  (void) close(2);
+  exim_nullstd();
+
+  if (debug_file == stderr)
+    {
+    /* need a call to log_write before call to open debug_file, so that
+    log.c:file_path has been initialised.  This is unfortunate. */
+    log_write(0, LOG_MAIN, "debugging Exim in inetd wait mode starting");
+
+    fclose(debug_file);
+    debug_file = NULL;
+    exim_nullstd(); /* re-open fd2 after we just closed it again */
+    debug_logging_activate(US"-wait", NULL);
+    }
+
+  DEBUG(D_any) debug_printf("running in inetd wait mode\n");
+
+  /* As per below, when creating sockets ourselves, we handle tcp_nodelay for
+  our own buffering; we assume though that inetd set the socket REUSEADDR. */
+
+  if (tcp_nodelay)
+    if (setsockopt(3, IPPROTO_TCP, TCP_NODELAY, US &on, sizeof(on)))
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to set socket NODELAY: %s",
+	strerror(errno));
+  }
+
+
+if (f.inetd_wait_mode || f.daemon_listen)
+  {
+  /* If any option requiring a load average to be available during the
+  reception of a message is set, call os_getloadavg() while we are root
+  for those OS for which this is necessary the first time it is called (in
+  order to perform an "open" on the kernel memory file). */
+
+#ifdef LOAD_AVG_NEEDS_ROOT
+  if (queue_only_load >= 0 || smtp_load_reserve >= 0 ||
+       (deliver_queue_load_max >= 0 && deliver_drop_privilege))
+    (void)os_getloadavg();
+#endif
+  }
+
+
+/* Do the preparation for setting up a listener on one or more interfaces, and
+possible on various ports. This is controlled by the combination of
+local_interfaces (which can set IP addresses and ports) and daemon_smtp_port
+(which is a list of default ports to use for those items in local_interfaces
+that do not specify a port). The -oX command line option can be used to
+override one or both of these options.
+
+If local_interfaces is not set, the default is to listen on all interfaces.
+When it is set, it can include "all IPvx interfaces" as an item. This is useful
+when different ports are in use.
+
+It turns out that listening on all interfaces is messy in an IPv6 world,
+because several different implementation approaches have been taken. This code
+is now supposed to work with all of them. The point of difference is whether an
+IPv6 socket that is listening on all interfaces will receive incoming IPv4
+calls or not. We also have to cope with the case when IPv6 libraries exist, but
+there is no IPv6 support in the kernel.
+
+. On Solaris, an IPv6 socket will accept IPv4 calls, and give them as mapped
+  addresses. However, if an IPv4 socket is also listening on all interfaces,
+  calls are directed to the appropriate socket.
+
+. On (some versions of) Linux, an IPv6 socket will accept IPv4 calls, and
+  give them as mapped addresses, but an attempt also to listen on an IPv4
+  socket on all interfaces causes an error.
+
+. On OpenBSD, an IPv6 socket will not accept IPv4 calls. You have to set up
+  two sockets if you want to accept both kinds of call.
+
+. FreeBSD is like OpenBSD, but it has the IPV6_V6ONLY socket option, which
+  can be turned off, to make it behave like the versions of Linux described
+  above.
+
+. I heard a report that the USAGI IPv6 stack for Linux has implemented
+  IPV6_V6ONLY.
+
+So, what we do when IPv6 is supported is as follows:
+
+ (1) After it is set up, the list of interfaces is scanned for wildcard
+     addresses. If an IPv6 and an IPv4 wildcard are both found for the same
+     port, the list is re-arranged so that they are together, with the IPv6
+     wildcard first.
+
+ (2) If the creation of a wildcard IPv6 socket fails, we just log the error and
+     carry on if an IPv4 wildcard socket for the same port follows later in the
+     list. This allows Exim to carry on in the case when the kernel has no IPv6
+     support.
+
+ (3) Having created an IPv6 wildcard socket, we try to set IPV6_V6ONLY if that
+     option is defined. However, if setting fails, carry on regardless (but log
+     the incident).
+
+ (4) If binding or listening on an IPv6 wildcard socket fails, it is a serious
+     error.
+
+ (5) If binding or listening on an IPv4 wildcard socket fails with the error
+     EADDRINUSE, and a previous interface was an IPv6 wildcard for the same
+     port (which must have succeeded or we wouldn't have got this far), we
+     assume we are in the situation where just a single socket is permitted,
+     and ignore the error.
+
+Phew!
+
+The preparation code decodes options and sets up the relevant data. We do this
+first, so that we can return non-zero if there are any syntax errors, and also
+write to stderr. */
+
+if (f.daemon_listen && !f.inetd_wait_mode)
+  {
+  int *default_smtp_port;
+  int sep;
+  int pct = 0;
+  uschar *s;
+  const uschar * list;
+  uschar *local_iface_source = US"local_interfaces";
+  ip_address_item *ipa;
+  ip_address_item **pipa;
+
+  /* If -oX was used, disable the writing of a pid file unless -oP was
+  explicitly used to force it. Then scan the string given to -oX. Any items
+  that contain neither a dot nor a colon are used to override daemon_smtp_port.
+  Any other items are used to override local_interfaces. */
+
+  if (override_local_interfaces)
+    {
+    gstring * new_smtp_port = NULL;
+    gstring * new_local_interfaces = NULL;
+
+    if (!override_pid_file_path) write_pid = FALSE;
+
+    list = override_local_interfaces;
+    sep = 0;
+    while ((s = string_nextinlist(&list, &sep, NULL, 0)))
+      {
+      uschar joinstr[4];
+      gstring ** gp = Ustrpbrk(s, ".:") ? &new_local_interfaces : &new_smtp_port;
+
+      if (!*gp)
+        {
+        joinstr[0] = sep;
+        joinstr[1] = ' ';
+        *gp = string_catn(*gp, US"<", 1);
+        }
+
+      *gp = string_catn(*gp, joinstr, 2);
+      *gp = string_cat (*gp, s);
+      }
+
+    if (new_smtp_port)
+      {
+      daemon_smtp_port = string_from_gstring(new_smtp_port);
+      DEBUG(D_any) debug_printf("daemon_smtp_port overridden by -oX:\n  %s\n",
+        daemon_smtp_port);
+      }
+
+    if (new_local_interfaces)
+      {
+      local_interfaces = string_from_gstring(new_local_interfaces);
+      local_iface_source = US"-oX data";
+      DEBUG(D_any) debug_printf("local_interfaces overridden by -oX:\n  %s\n",
+        local_interfaces);
+      }
+    }
+
+  /* Create a list of default SMTP ports, to be used if local_interfaces
+  contains entries without explicit ports. First count the number of ports, then
+  build a translated list in a vector. */
+
+  list = daemon_smtp_port;
+  sep = 0;
+  while ((s = string_nextinlist(&list, &sep, NULL, 0)))
+    pct++;
+  default_smtp_port = store_get((pct+1) * sizeof(int), GET_UNTAINTED);
+  list = daemon_smtp_port;
+  sep = 0;
+  for (pct = 0;
+       (s = string_nextinlist(&list, &sep, NULL, 0));
+       pct++)
+    {
+    if (isdigit(*s))
+      {
+      uschar *end;
+      default_smtp_port[pct] = Ustrtol(s, &end, 0);
+      if (end != s + Ustrlen(s))
+        log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "invalid SMTP port: %s", s);
+      }
+    else
+      {
+      struct servent *smtp_service = getservbyname(CS s, "tcp");
+      if (!smtp_service)
+        log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
+      default_smtp_port[pct] = ntohs(smtp_service->s_port);
+      }
+    }
+  default_smtp_port[pct] = 0;
+
+  /* Check the list of TLS-on-connect ports and do name lookups if needed */
+
+  list = tls_in.on_connect_ports;
+  sep = 0;
+  /* the list isn't expanded so cannot be tainted.  If it ever is we will trap here */
+  while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
+    if (!isdigit(*s))
+      {
+      gstring * g = NULL;
+
+      list = tls_in.on_connect_ports;
+      tls_in.on_connect_ports = NULL;
+      sep = 0;
+      while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
+	{
+        if (!isdigit(*s))
+	  {
+	  struct servent * smtp_service = getservbyname(CS s, "tcp");
+	  if (!smtp_service)
+	    log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
+	  s = string_sprintf("%d", (int)ntohs(smtp_service->s_port));
+	  }
+	g = string_append_listele(g, ':', s);
+	}
+      if (g)
+	tls_in.on_connect_ports = g->s;
+      break;
+      }
+
+  /* Create the list of local interfaces, possibly with ports included. This
+  list may contain references to 0.0.0.0 and ::0 as wildcards. These special
+  values are converted below. */
+
+  addresses = host_build_ifacelist(local_interfaces, local_iface_source);
+
+  /* In the list of IP addresses, convert 0.0.0.0 into an empty string, and ::0
+  into the string ":". We use these to recognize wildcards in IPv4 and IPv6. In
+  fact, many IP stacks recognize 0.0.0.0 and ::0 and handle them as wildcards
+  anyway, but we need to know which are the wildcard addresses, and the shorter
+  strings are neater.
+
+  In the same scan, fill in missing port numbers from the default list. When
+  there is more than one item in the list, extra items are created. */
+
+  for (ipa = addresses; ipa; ipa = ipa->next)
+    {
+    if (Ustrcmp(ipa->address, "0.0.0.0") == 0)
+      ipa->address[0] = 0;
+    else if (Ustrcmp(ipa->address, "::0") == 0)
+      {
+      ipa->address[0] = ':';
+      ipa->address[1] = 0;
+      }
+
+    if (ipa->port > 0) continue;
+
+    if (daemon_smtp_port[0] <= 0)
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "no port specified for interface "
+        "%s and daemon_smtp_port is unset; cannot start daemon",
+        ipa->address[0] == 0 ? US"\"all IPv4\"" :
+        ipa->address[1] == 0 ? US"\"all IPv6\"" : ipa->address);
+
+    ipa->port = default_smtp_port[0];
+    for (int i = 1; default_smtp_port[i] > 0; i++)
+      {
+      ip_address_item * new = store_get(sizeof(ip_address_item), GET_UNTAINTED);
+
+      memcpy(new->address, ipa->address, Ustrlen(ipa->address) + 1);
+      new->port = default_smtp_port[i];
+      new->next = ipa->next;
+      ipa->next = new;
+      ipa = new;
+      }
+    }
+
+  /* Scan the list of addresses for wildcards. If we find an IPv4 and an IPv6
+  wildcard for the same port, ensure that (a) they are together and (b) the
+  IPv6 address comes first. This makes handling the messy features easier, and
+  also simplifies the construction of the "daemon started" log line. */
+
+  pipa = &addresses;
+  for (ipa = addresses; ipa; pipa = &ipa->next, ipa = ipa->next)
+    {
+    ip_address_item *ipa2;
+
+    /* Handle an IPv4 wildcard */
+
+    if (ipa->address[0] == 0)
+      for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
+        {
+        ip_address_item *ipa3 = ipa2->next;
+        if (ipa3->address[0] == ':' &&
+            ipa3->address[1] == 0 &&
+            ipa3->port == ipa->port)
+          {
+          ipa2->next = ipa3->next;
+          ipa3->next = ipa;
+          *pipa = ipa3;
+          break;
+          }
+        }
+
+    /* Handle an IPv6 wildcard. */
+
+    else if (ipa->address[0] == ':' && ipa->address[1] == 0)
+      for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
+        {
+        ip_address_item *ipa3 = ipa2->next;
+        if (ipa3->address[0] == 0 && ipa3->port == ipa->port)
+          {
+          ipa2->next = ipa3->next;
+          ipa3->next = ipa->next;
+          ipa->next = ipa3;
+          ipa = ipa3;
+          break;
+          }
+        }
+    }
+
+  /* Get a vector to remember all the sockets in.
+  Two extra elements for the ancillary sockets */
+
+  for (ipa = addresses; ipa; ipa = ipa->next)
+    listen_socket_count++;
+  fd_polls = store_get(sizeof(struct pollfd) * (listen_socket_count + 2),
+			    GET_UNTAINTED);
+  for (struct pollfd * p = fd_polls; p < fd_polls + listen_socket_count + 2;
+       p++)
+    { p->fd = -1; p->events = POLLIN; }
+
+  } /* daemon_listen but not inetd_wait_mode */
+
+if (f.daemon_listen)
+  {
+
+  /* Do a sanity check on the max connects value just to save us from getting
+  a huge amount of store. */
+
+  if (smtp_accept_max > 4095) smtp_accept_max = 4096;
+
+  /* There's no point setting smtp_accept_queue unless it is less than the max
+  connects limit. The configuration reader ensures that the max is set if the
+  queue-only option is set. */
+
+  if (smtp_accept_queue > smtp_accept_max) smtp_accept_queue = 0;
+
+  /* Get somewhere to keep the list of SMTP accepting pids if we are keeping
+  track of them for total number and queue/host limits. */
+
+  if (smtp_accept_max > 0)
+    {
+    smtp_slots = store_get(smtp_accept_max * sizeof(smtp_slot), GET_UNTAINTED);
+    for (int i = 0; i < smtp_accept_max; i++) smtp_slots[i] = empty_smtp_slot;
+    }
+  }
+
+/* The variable background_daemon is always false when debugging, but
+can also be forced false in order to keep a non-debugging daemon in the
+foreground. If background_daemon is true, close all open file descriptors that
+we know about, but then re-open stdin, stdout, and stderr to /dev/null.  Also
+do this for inetd_wait mode.
+
+This is protection against any called functions (in libraries, or in
+Perl, or whatever) that think they can write to stderr (or stdout). Before this
+was added, it was quite likely that an SMTP connection would use one of these
+file descriptors, in which case writing random stuff to it caused chaos.
+
+Then disconnect from the controlling terminal, Most modern Unixes seem to have
+setsid() for getting rid of the controlling terminal. For any OS that doesn't,
+setsid() can be #defined as a no-op, or as something else. */
+
+if (f.background_daemon || f.inetd_wait_mode)
+  {
+  log_close_all();    /* Just in case anything was logged earlier */
+  search_tidyup();    /* Just in case any were used in reading the config. */
+  (void)close(0);           /* Get rid of stdin/stdout/stderr */
+  (void)close(1);
+  (void)close(2);
+  exim_nullstd();     /* Connect stdin/stdout/stderr to /dev/null */
+  log_stderr = NULL;  /* So no attempt to copy paniclog output */
+  }
+
+if (f.background_daemon)
+  {
+  /* If the parent process of this one has pid == 1, we are re-initializing the
+  daemon as the result of a SIGHUP. In this case, there is no need to do
+  anything, because the controlling terminal has long gone. Otherwise, fork, in
+  case current process is a process group leader (see 'man setsid' for an
+  explanation) before calling setsid(). */
+
+  if (getppid() != 1)
+    {
+    pid_t pid = exim_fork(US"daemon");
+    if (pid < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "fork() failed when starting daemon: %s", strerror(errno));
+    if (pid > 0) exit(EXIT_SUCCESS);      /* in parent process, just exit */
+    (void)setsid();                       /* release controlling terminal */
+    }
+  }
+
+/* We are now in the disconnected, daemon process (unless debugging). Set up
+the listening sockets if required. */
+
+daemon_notifier_socket();
+
+if (f.daemon_listen && !f.inetd_wait_mode)
+  {
+  int sk;
+  ip_address_item *ipa;
+
+  /* For each IP address, create a socket, bind it to the appropriate port, and
+  start listening. See comments above about IPv6 sockets that may or may not
+  accept IPv4 calls when listening on all interfaces. We also have to cope with
+  the case of a system with IPv6 libraries, but no IPv6 support in the kernel.
+  listening, provided a wildcard IPv4 socket for the same port follows. */
+
+  for (ipa = addresses, sk = 0; sk < listen_socket_count; ipa = ipa->next, sk++)
+    {
+    BOOL wildcard;
+    ip_address_item * ipa2;
+    int fd, af;
+
+    if (Ustrchr(ipa->address, ':') != NULL)
+      {
+      af = AF_INET6;
+      wildcard = ipa->address[1] == 0;
+      }
+    else
+      {
+      af = AF_INET;
+      wildcard = ipa->address[0] == 0;
+      }
+
+    if ((fd_polls[sk].fd = fd = ip_socket(SOCK_STREAM, af)) < 0)
+      {
+      if (check_special_case(0, addresses, ipa, FALSE))
+        {
+        log_write(0, LOG_MAIN, "Failed to create IPv6 socket for wildcard "
+          "listening (%s): will use IPv4", strerror(errno));
+        goto SKIP_SOCKET;
+        }
+      log_write(0, LOG_PANIC_DIE, "IPv%c socket creation failed: %s",
+        af == AF_INET6 ? '6' : '4', strerror(errno));
+      }
+
+    /* If this is an IPv6 wildcard socket, set IPV6_V6ONLY if that option is
+    available. Just log failure (can get protocol not available, just like
+    socket creation can). */
+
+#ifdef IPV6_V6ONLY
+    if (af == AF_INET6 && wildcard &&
+        setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
+      log_write(0, LOG_MAIN, "Setting IPV6_V6ONLY on daemon's IPv6 wildcard "
+        "socket failed (%s): carrying on without it", strerror(errno));
+#endif  /* IPV6_V6ONLY */
+
+    /* Set SO_REUSEADDR so that the daemon can be restarted while a connection
+    is being handled.  Without this, a connection will prevent reuse of the
+    smtp port for listening. */
+
+    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0)
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "setting SO_REUSEADDR on socket "
+        "failed when starting daemon: %s", strerror(errno));
+
+    /* Set TCP_NODELAY; Exim does its own buffering. There is a switch to
+    disable this because it breaks some broken clients. */
+
+    if (tcp_nodelay) setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on));
+
+    /* Now bind the socket to the required port; if Exim is being restarted
+    it may not always be possible to bind immediately, even with SO_REUSEADDR
+    set, so try 10 times, waiting between each try. After 10 failures, we give
+    up. In an IPv6 environment, if bind () fails with the error EADDRINUSE and
+    we are doing wildcard IPv4 listening and there was a previous IPv6 wildcard
+    address for the same port, ignore the error on the grounds that we must be
+    in a system where the IPv6 socket accepts both kinds of call. This is
+    necessary for (some release of) USAGI Linux; other IP stacks fail at the
+    listen() stage instead. */
+
+#ifdef TCP_FASTOPEN
+    f.tcp_fastopen_ok = TRUE;
+#endif
+    for(;;)
+      {
+      uschar *msg, *addr;
+      if (ip_bind(fd, af, ipa->address, ipa->port) >= 0) break;
+      if (check_special_case(errno, addresses, ipa, TRUE))
+        {
+        DEBUG(D_any) debug_printf("wildcard IPv4 bind() failed after IPv6 "
+          "listen() success; EADDRINUSE ignored\n");
+        (void)close(fd);
+        goto SKIP_SOCKET;
+        }
+      msg = US strerror(errno);
+      addr = wildcard
+        ? af == AF_INET6
+	? US"(any IPv6)"
+	: US"(any IPv4)"
+	: ipa->address;
+      if (daemon_startup_retries <= 0)
+        log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+          "socket bind() to port %d for address %s failed: %s: "
+          "daemon abandoned", ipa->port, addr, msg);
+      log_write(0, LOG_MAIN, "socket bind() to port %d for address %s "
+        "failed: %s: waiting %s before trying again (%d more %s)",
+        ipa->port, addr, msg, readconf_printtime(daemon_startup_sleep),
+        daemon_startup_retries, (daemon_startup_retries > 1)? "tries" : "try");
+      daemon_startup_retries--;
+      sleep(daemon_startup_sleep);
+      }
+
+    DEBUG(D_any)
+      if (wildcard)
+        debug_printf("listening on all interfaces (IPv%c) port %d\n",
+          af == AF_INET6 ? '6' : '4', ipa->port);
+      else
+        debug_printf("listening on %s port %d\n", ipa->address, ipa->port);
+
+    /* Start listening on the bound socket, establishing the maximum backlog of
+    connections that is allowed. On success, add to the set of sockets for select
+    and continue to the next address. */
+
+#if defined(TCP_FASTOPEN) && !defined(__APPLE__)
+    if (  f.tcp_fastopen_ok
+       && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN,
+		    &smtp_connect_backlog, sizeof(smtp_connect_backlog)))
+      {
+      DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
+      f.tcp_fastopen_ok = FALSE;
+      }
+#endif
+    if (listen(fd, smtp_connect_backlog) >= 0)
+      {
+#if defined(TCP_FASTOPEN) && defined(__APPLE__)
+      if (  f.tcp_fastopen_ok
+	 && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &on, sizeof(on)))
+	{
+	DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
+	f.tcp_fastopen_ok = FALSE;
+	}
+#endif
+      fd_polls[sk].fd = fd;
+      continue;
+      }
+
+    /* Listening has failed. In an IPv6 environment, as for bind(), if listen()
+    fails with the error EADDRINUSE and we are doing IPv4 wildcard listening
+    and there was a previous successful IPv6 wildcard listen on the same port,
+    we want to ignore the error on the grounds that we must be in a system
+    where the IPv6 socket accepts both kinds of call. */
+
+    if (!check_special_case(errno, addresses, ipa, TRUE))
+      log_write(0, LOG_PANIC_DIE, "listen() failed on interface %s: %s",
+        wildcard
+	? af == AF_INET6 ? US"(any IPv6)" : US"(any IPv4)" : ipa->address,
+        strerror(errno));
+
+    DEBUG(D_any) debug_printf("wildcard IPv4 listen() failed after IPv6 "
+      "listen() success; EADDRINUSE ignored\n");
+    (void)close(fd);
+
+    /* Come here if there has been a problem with the socket which we
+    are going to ignore. We remove the address from the chain, and back up the
+    counts. */
+
+  SKIP_SOCKET:
+    sk--;                          /* Back up the count */
+    listen_socket_count--;         /* Reduce the total */
+    if (ipa == addresses) addresses = ipa->next; else
+      {
+      for (ipa2 = addresses; ipa2->next != ipa; ipa2 = ipa2->next);
+      ipa2->next = ipa->next;
+      ipa = ipa2;
+      }
+    }          /* End of bind/listen loop for each address */
+  }            /* End of setup for listening */
+
+
+/* If we are not listening, we want to write a pid file only if -oP was
+explicitly given. */
+
+else if (!override_pid_file_path)
+  write_pid = FALSE;
+
+/* Write the pid to a known file for assistance in identification, if required.
+We do this before giving up root privilege, because on some systems it is
+necessary to be root in order to write into the pid file directory. There's
+nothing to stop multiple daemons running, as long as no more than one listens
+on a given TCP/IP port on the same interface(s). However, in these
+circumstances it gets far too complicated to mess with pid file names
+automatically. Consequently, Exim 4 writes a pid file only
+
+  (a) When running in the test harness, or
+  (b) When -bd is used and -oX is not used, or
+  (c) When -oP is used to supply a path.
+
+The variable daemon_write_pid is used to control this. */
+
+if (f.running_in_test_harness || write_pid)
+  {
+  const enum pid_op operation = (f.running_in_test_harness
+     || real_uid == root_uid
+     || (real_uid == exim_uid && !override_pid_file_path)) ? PID_WRITE : PID_CHECK;
+  if (!operate_on_pid_file(operation, getpid()))
+    DEBUG(D_any) debug_printf("%s pid file %s: %s\n", (operation == PID_WRITE) ? "write" : "check", pid_file_path, strerror(errno));
+  }
+
+/* Set up the handler for SIGHUP, which causes a restart of the daemon. */
+
+sighup_seen = FALSE;
+signal(SIGHUP, sighup_handler);
+
+/* Give up root privilege at this point (assuming that exim_uid and exim_gid
+are not root). The third argument controls the running of initgroups().
+Normally we do this, in order to set up the groups for the Exim user. However,
+if we are not root at this time - some odd installations run that way - we
+cannot do this. */
+
+exim_setugid(exim_uid, exim_gid, geteuid()==root_uid, US"running as a daemon");
+
+/* Update the originator_xxx fields so that received messages as listed as
+coming from Exim, not whoever started the daemon. */
+
+originator_uid = exim_uid;
+originator_gid = exim_gid;
+originator_login = (pw = getpwuid(exim_uid))
+  ? string_copy_perm(US pw->pw_name, FALSE) : US"exim";
+
+/* Get somewhere to keep the list of queue-runner pids if we are keeping track
+of them (and also if we are doing queue runs). */
+
+if (queue_interval > 0 && local_queue_run_max > 0)
+  {
+  queue_pid_slots = store_get(local_queue_run_max * sizeof(pid_t), GET_UNTAINTED);
+  for (int i = 0; i < local_queue_run_max; i++) queue_pid_slots[i] = 0;
+  }
+
+/* Set up the handler for termination of child processes, and the one
+telling us to die. */
+
+sigchld_seen = FALSE;
+os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
+
+sigterm_seen = FALSE;
+os_non_restarting_signal(SIGTERM, main_sigterm_handler);
+os_non_restarting_signal(SIGINT, main_sigterm_handler);
+
+/* If we are to run the queue periodically, pretend the alarm has just gone
+off. This will cause the first queue-runner to get kicked off straight away. */
+
+sigalrm_seen = (queue_interval > 0);
+
+/* Log the start up of a daemon - at least one of listening or queue running
+must be set up. */
+
+if (f.inetd_wait_mode)
+  {
+  uschar *p = big_buffer;
+
+  if (inetd_wait_timeout >= 0)
+    sprintf(CS p, "terminating after %d seconds", inetd_wait_timeout);
+  else
+    sprintf(CS p, "with no wait timeout");
+
+  log_write(0, LOG_MAIN,
+    "exim %s daemon started: pid=%d, launched with listening socket, %s",
+    version_string, getpid(), big_buffer);
+  set_process_info("daemon(%s): pre-listening socket", version_string);
+
+  /* set up the timeout logic */
+  sigalrm_seen = TRUE;
+  }
+
+else if (f.daemon_listen)
+  {
+  int smtp_ports = 0;
+  int smtps_ports = 0;
+  ip_address_item * ipa;
+  uschar * p;
+  uschar * qinfo = queue_interval > 0
+    ? string_sprintf("-q%s%s",
+	f.queue_2stage ? "q" : "", readconf_printtime(queue_interval))
+    : US"no queue runs";
+
+  /* Build a list of listening addresses in big_buffer, but limit it to 10
+  items. The style is for backwards compatibility.
+
+  It is now possible to have some ports listening for SMTPS (the old,
+  deprecated protocol that starts TLS without using STARTTLS), and others
+  listening for standard SMTP. Keep their listings separate. */
+
+  for (int j = 0, i; j < 2; j++)
+    {
+    for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
+      {
+      /* First time round, look for SMTP ports; second time round, look for
+      SMTPS ports. Build IP+port strings. */
+
+      if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
+	{
+	if (j == 0)
+	  smtp_ports++;
+	else
+	  smtps_ports++;
+
+	/* Now the information about the port (and sometimes interface) */
+
+	if (ipa->address[0] == ':' && ipa->address[1] == 0)
+	  {						/* v6 wildcard */
+	  if (ipa->next && ipa->next->address[0] == 0 &&
+	      ipa->next->port == ipa->port)
+	    {
+	    ipa->log = string_sprintf(" port %d (IPv6 and IPv4)", ipa->port);
+	    (ipa = ipa->next)->log = NULL;
+	    }
+	  else if (ipa->v6_include_v4)
+	    ipa->log = string_sprintf(" port %d (IPv6 with IPv4)", ipa->port);
+	  else
+	    ipa->log = string_sprintf(" port %d (IPv6)", ipa->port);
+	  }
+	else if (ipa->address[0] == 0)			/* v4 wildcard */
+	  ipa->log = string_sprintf(" port %d (IPv4)", ipa->port);
+	else				/* check for previously-seen IP */
+	  {
+	  ip_address_item * i2;
+	  for (i2 = addresses; i2 != ipa; i2 = i2->next)
+	    if (  host_is_tls_on_connect_port(i2->port) == (j > 0)
+	       && Ustrcmp(ipa->address, i2->address) == 0
+	       )
+	      {				/* found; append port to list */
+	      for (p = i2->log; *p; ) p++;	/* end of existing string */
+	      if (*--p == '}') *p = '\0';	/* drop EOL */
+	      while (isdigit(*--p)) ;		/* char before port */
+
+	      i2->log = *p == ':'		/* no list yet? */
+		? string_sprintf("%.*s{%s,%d}",
+		  (int)(p - i2->log + 1), i2->log, p+1, ipa->port)
+		: string_sprintf("%s,%d}", i2->log, ipa->port);
+	      ipa->log = NULL;
+	      break;
+	      }
+	  if (i2 == ipa)		/* first-time IP */
+	    ipa->log = string_sprintf(" [%s]:%d", ipa->address, ipa->port);
+	  }
+	}
+      }
+    }
+
+  p = big_buffer;
+  for (int j = 0, i; j < 2; j++)
+    {
+    /* First time round, look for SMTP ports; second time round, look for
+    SMTPS ports. For the first one of each, insert leading text. */
+
+    if (j == 0)
+      {
+      if (smtp_ports > 0)
+	p += sprintf(CS p, "SMTP on");
+      }
+    else
+      if (smtps_ports > 0)
+	p += sprintf(CS p, "%sSMTPS on",
+	  smtp_ports == 0 ? "" : " and for ");
+
+    /* Now the information about the port (and sometimes interface) */
+
+    for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
+      if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
+	if (ipa->log)
+	  p += sprintf(CS p, "%s",  ipa->log);
+
+    if (ipa)
+      p += sprintf(CS p, " ...");
+    }
+
+  log_write(0, LOG_MAIN,
+    "exim %s daemon started: pid=%d, %s, listening for %s",
+    version_string, getpid(), qinfo, big_buffer);
+  set_process_info("daemon(%s): %s, listening for %s",
+    version_string, qinfo, big_buffer);
+  }
+
+else
+  {
+  uschar * s = *queue_name
+    ? string_sprintf("-qG%s/%s", queue_name, readconf_printtime(queue_interval))
+    : string_sprintf("-q%s", readconf_printtime(queue_interval));
+  log_write(0, LOG_MAIN,
+    "exim %s daemon started: pid=%d, %s, not listening for SMTP",
+    version_string, getpid(), s);
+  set_process_info("daemon(%s): %s, not listening", version_string, s);
+  }
+
+/* Do any work it might be useful to amortize over our children
+(eg: compile regex) */
+
+dns_pattern_init();
+smtp_deliver_init();	/* Used for callouts */
+
+#ifndef DISABLE_DKIM
+  {
+# ifdef MEASURE_TIMING
+  struct timeval t0;
+  gettimeofday(&t0, NULL);
+# endif
+  dkim_exim_init();
+# ifdef MEASURE_TIMING
+  report_time_since(&t0, US"dkim_exim_init (delta)");
+# endif
+  }
+#endif
+
+#ifdef WITH_CONTENT_SCAN
+malware_init();
+#endif
+#ifdef SUPPORT_SPF
+spf_init();
+#endif
+#ifndef DISABLE_TLS
+tls_daemon_init();
+#endif
+
+/* Add ancillary sockets to the set for select */
+
+poll_fd_count = listen_socket_count;
+#ifndef DISABLE_TLS
+if (tls_watch_fd >= 0)
+  {
+  tls_watch_poll = &fd_polls[poll_fd_count++];
+  tls_watch_poll->fd = tls_watch_fd;
+  tls_watch_poll->events = POLLIN;
+  }
+#endif
+if (daemon_notifier_fd >= 0)
+  {
+  dnotify_poll = &fd_polls[poll_fd_count++];
+  dnotify_poll->fd = daemon_notifier_fd;
+  dnotify_poll->events = POLLIN;
+  }
+
+/* Close the log so it can be renamed and moved. In the few cases below where
+this long-running process writes to the log (always exceptional conditions), it
+closes the log afterwards, for the same reason. */
+
+log_close_all();
+
+DEBUG(D_any) debug_print_ids(US"daemon running with");
+
+/* Any messages accepted via this route are going to be SMTP. */
+
+smtp_input = TRUE;
+
+#ifdef MEASURE_TIMING
+report_time_since(&timestamp_startup, US"daemon loop start");	/* testcase 0022 */
+#endif
+
+/* Enter the never-ending loop... */
+
+for (;;)
+  {
+  pid_t pid;
+
+  if (sigterm_seen)
+    daemon_die();	/* Does not return */
+
+  /* This code is placed first in the loop, so that it gets obeyed at the
+  start, before the first wait, for the queue-runner case, so that the first
+  one can be started immediately.
+
+  The other option is that we have an inetd wait timeout specified to -bw. */
+
+  if (sigalrm_seen)
+    {
+    if (inetd_wait_timeout > 0)
+      {
+      time_t resignal_interval = inetd_wait_timeout;
+
+      if (last_connection_time == (time_t)0)
+        {
+        DEBUG(D_any)
+          debug_printf("inetd wait timeout expired, but still not seen first message, ignoring\n");
+        }
+      else
+        {
+        time_t now = time(NULL);
+        if (now == (time_t)-1)
+          {
+          DEBUG(D_any) debug_printf("failed to get time: %s\n", strerror(errno));
+          }
+        else
+          {
+          if ((now - last_connection_time) >= inetd_wait_timeout)
+            {
+            DEBUG(D_any)
+              debug_printf("inetd wait timeout %d expired, ending daemon\n",
+                  inetd_wait_timeout);
+            log_write(0, LOG_MAIN, "exim %s daemon terminating, inetd wait timeout reached.\n",
+                version_string);
+            exit(EXIT_SUCCESS);
+            }
+          else
+            {
+            resignal_interval -= (now - last_connection_time);
+            }
+          }
+        }
+
+      sigalrm_seen = FALSE;
+      ALARM(resignal_interval);
+      }
+
+    else
+      {
+      DEBUG(D_any) debug_printf("%s received\n",
+#ifndef DISABLE_QUEUE_RAMP
+	*queuerun_msgid ? "qrun notification" :
+#endif
+	"SIGALRM");
+
+      /* Do a full queue run in a child process, if required, unless we already
+      have enough queue runners on the go. If we are not running as root, a
+      re-exec is required. */
+
+      if (  queue_interval > 0
+         && (local_queue_run_max <= 0 || queue_run_count < local_queue_run_max))
+        {
+        if ((pid = exim_fork(US"queue-runner")) == 0)
+          {
+          /* Disable debugging if it's required only for the daemon process. We
+          leave the above message, because it ties up with the "child ended"
+          debugging messages. */
+
+          if (f.debug_daemon) debug_selector = 0;
+
+          /* Close any open listening sockets in the child */
+
+	  close_daemon_sockets(daemon_notifier_fd,
+	    fd_polls, listen_socket_count);
+
+          /* Reset SIGHUP and SIGCHLD in the child in both cases. */
+
+          signal(SIGHUP,  SIG_DFL);
+          signal(SIGCHLD, SIG_DFL);
+          signal(SIGTERM, SIG_DFL);
+          signal(SIGINT, SIG_DFL);
+
+          /* Re-exec if privilege has been given up, unless deliver_drop_
+          privilege is set. Reset SIGALRM before exec(). */
+
+          if (geteuid() != root_uid && !deliver_drop_privilege)
+            {
+            uschar opt[8];
+            uschar *p = opt;
+            uschar *extra[7];
+            int extracount = 1;
+
+            signal(SIGALRM, SIG_DFL);
+            *p++ = '-';
+            *p++ = 'q';
+            if (  f.queue_2stage
+#ifndef DISABLE_QUEUE_RAMP
+	       && !*queuerun_msgid
+#endif
+	       ) *p++ = 'q';
+            if (f.queue_run_first_delivery) *p++ = 'i';
+            if (f.queue_run_force) *p++ = 'f';
+            if (f.deliver_force_thaw) *p++ = 'f';
+            if (f.queue_run_local) *p++ = 'l';
+            *p = 0;
+	    extra[0] = *queue_name
+	      ? string_sprintf("%sG%s", opt, queue_name) : opt;
+
+#ifndef DISABLE_QUEUE_RAMP
+	    if (*queuerun_msgid)
+	      {
+	      log_write(0, LOG_MAIN, "notify triggered queue run");
+	      extra[extracount++] = queuerun_msgid;	/* Trigger only the */
+	      extra[extracount++] = queuerun_msgid;	/* one message      */
+	      }
+#endif
+
+            /* If -R or -S were on the original command line, ensure they get
+            passed on. */
+
+            if (deliver_selectstring)
+              {
+              extra[extracount++] = f.deliver_selectstring_regex ? US"-Rr" : US"-R";
+              extra[extracount++] = deliver_selectstring;
+              }
+
+            if (deliver_selectstring_sender)
+              {
+              extra[extracount++] = f.deliver_selectstring_sender_regex
+	        ? US"-Sr" : US"-S";
+              extra[extracount++] = deliver_selectstring_sender;
+              }
+
+            /* Overlay this process with a new execution. */
+
+            (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, extracount,
+              extra[0], extra[1], extra[2], extra[3], extra[4], extra[5], extra[6]);
+
+            /* Control never returns here. */
+            }
+
+          /* No need to re-exec; SIGALRM remains set to the default handler */
+
+#ifndef DISABLE_QUEUE_RAMP
+	  if (*queuerun_msgid)
+	    {
+	    log_write(0, LOG_MAIN, "notify triggered queue run");
+	    f.queue_2stage = FALSE;
+	    queue_run(queuerun_msgid, queuerun_msgid, FALSE);
+	    }
+	  else
+#endif
+	    queue_run(NULL, NULL, FALSE);
+          exim_underbar_exit(EXIT_SUCCESS);
+          }
+
+        if (pid < 0)
+          {
+          log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fork of queue-runner "
+            "process failed: %s", strerror(errno));
+          log_close_all();
+          }
+        else
+          {
+          for (int i = 0; i < local_queue_run_max; ++i)
+            if (queue_pid_slots[i] <= 0)
+              {
+              queue_pid_slots[i] = pid;
+              queue_run_count++;
+              break;
+              }
+          DEBUG(D_any) debug_printf("%d queue-runner process%s running\n",
+            queue_run_count, queue_run_count == 1 ? "" : "es");
+          }
+        }
+
+      /* Reset the alarm clock */
+
+      sigalrm_seen = FALSE;
+#ifndef DISABLE_QUEUE_RAMP
+      if (*queuerun_msgid)
+	*queuerun_msgid = 0;
+      else
+#endif
+	ALARM(queue_interval);
+      }
+
+    } /* sigalrm_seen */
+
+
+  /* Sleep till a connection happens if listening, and handle the connection if
+  that is why we woke up. The FreeBSD operating system requires the use of
+  select() before accept() because the latter function is not interrupted by
+  a signal, and we want to wake up for SIGCHLD and SIGALRM signals. Some other
+  OS do notice signals in accept() but it does no harm to have the select()
+  in for all of them - and it won't then be a lurking problem for ports to
+  new OS. In fact, the later addition of listening on specific interfaces only
+  requires this way of working anyway. */
+
+  if (f.daemon_listen)
+    {
+    int lcount;
+    BOOL select_failed = FALSE;
+
+    DEBUG(D_any) debug_printf("Listening...\n");
+
+    /* In rare cases we may have had a SIGCHLD signal in the time between
+    setting the handler (below) and getting back here. If so, pretend that the
+    select() was interrupted so that we reap the child. This might still leave
+    a small window when a SIGCHLD could get lost. However, since we use SIGCHLD
+    only to do the reaping more quickly, it shouldn't result in anything other
+    than a delay until something else causes a wake-up. */
+
+    if (sigchld_seen)
+      {
+      lcount = -1;
+      errno = EINTR;
+      }
+    else
+      lcount = poll(fd_polls, poll_fd_count, -1);
+
+    if (lcount < 0)
+      {
+      select_failed = TRUE;
+      lcount = 1;
+      }
+
+    /* Clean up any subprocesses that may have terminated. We need to do this
+    here so that smtp_accept_max_per_host works when a connection to that host
+    has completed, and we are about to accept a new one. When this code was
+    later in the sequence, a new connection could be rejected, even though an
+    old one had just finished. Preserve the errno from any select() failure for
+    the use of the common select/accept error processing below. */
+
+      {
+      int select_errno = errno;
+      handle_ending_processes();
+
+#ifndef DISABLE_TLS
+      {
+      int old_tfd;
+      /* Create or rotate any required keys; handle (delayed) filewatch event */
+
+      if ((old_tfd = tls_daemon_tick()) >= 0)
+	for (struct pollfd * p = &fd_polls[listen_socket_count];
+	     p < fd_polls + poll_fd_count; p++)
+	  if (p->fd == old_tfd) { p->fd = tls_watch_fd ; break; }
+      }
+#endif
+      errno = select_errno;
+      }
+
+    /* Loop for all the sockets that are currently ready to go. If select
+    actually failed, we have set the count to 1 and select_failed=TRUE, so as
+    to use the common error code for select/accept below. */
+
+    while (lcount-- > 0)
+      {
+      int accept_socket = -1;
+#if HAVE_IPV6
+      struct sockaddr_in6 accepted;
+#else
+      struct sockaddr_in accepted;
+#endif
+
+      if (!select_failed)
+	{
+#if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
+	if (tls_watch_poll && tls_watch_poll->revents & POLLIN)
+	  {
+	  tls_watch_poll->revents = 0;
+          tls_watch_trigger_time = time(NULL);	/* Set up delayed event */
+	  tls_watch_discard_event(tls_watch_fd);
+	  break;	/* to top of daemon loop */
+	  }
+#endif
+	if (dnotify_poll && dnotify_poll->revents & POLLIN)
+	  {
+	  dnotify_poll->revents = 0;
+	  sigalrm_seen = daemon_notification();
+	  break;	/* to top of daemon loop */
+	  }
+	for (struct pollfd * p = fd_polls; p < fd_polls + listen_socket_count;
+	     p++)
+	  if (p->revents & POLLIN)
+            {
+	    EXIM_SOCKLEN_T alen = sizeof(accepted);
+#ifdef TCP_INFO
+	    struct tcp_info ti;
+	    socklen_t tlen = sizeof(ti);
+
+	    /* If monitoring the backlog is wanted, grab for later logging */
+
+	    smtp_listen_backlog = 0;
+	    if (  smtp_backlog_monitor > 0
+	       && getsockopt(p->fd, IPPROTO_TCP, TCP_INFO, &ti, &tlen) == 0)
+	      {
+# ifdef EXIM_HAVE_TCPI_UNACKED
+	      DEBUG(D_interface) debug_printf("listen fd %d queue max %u curr %u\n",
+		      p->fd, ti.tcpi_sacked, ti.tcpi_unacked);
+	      smtp_listen_backlog = ti.tcpi_unacked;
+# elif defined(__FreeBSD__)	/* This does not work. Investigate kernel sourcecode. */
+	      DEBUG(D_interface) debug_printf("listen fd %d queue max %u curr %u\n",
+		      p->fd, ti.__tcpi_sacked, ti.__tcpi_unacked);
+	      smtp_listen_backlog = ti.__tcpi_unacked;
+# endif
+	      }
+#endif
+	    p->revents = 0;
+            accept_socket = accept(p->fd, (struct sockaddr *)&accepted, &alen);
+            break;
+            }
+	}
+
+      /* If select or accept has failed and this was not caused by an
+      interruption, log the incident and try again. With asymmetric TCP/IP
+      routing errors such as "No route to network" have been seen here. Also
+      "connection reset by peer" has been seen. These cannot be classed as
+      disastrous errors, but they could fill up a lot of log. The code in smail
+      crashes the daemon after 10 successive failures of accept, on the grounds
+      that some OS fail continuously. Exim originally followed suit, but this
+      appears to have caused problems. Now it just keeps going, but instead of
+      logging each error, it batches them up when they are continuous. */
+
+      if (accept_socket < 0 && errno != EINTR)
+        {
+        if (accept_retry_count == 0)
+          {
+          accept_retry_errno = errno;
+          accept_retry_select_failed = select_failed;
+          }
+        else if (  errno != accept_retry_errno
+		|| select_failed != accept_retry_select_failed
+		|| accept_retry_count >= 50)
+	  {
+	  log_write(0, LOG_MAIN | (accept_retry_count >= 50 ? LOG_PANIC : 0),
+	    "%d %s() failure%s: %s",
+	    accept_retry_count,
+	    accept_retry_select_failed ? "select" : "accept",
+	    accept_retry_count == 1 ? "" : "s",
+	    strerror(accept_retry_errno));
+	  log_close_all();
+	  accept_retry_count = 0;
+	  accept_retry_errno = errno;
+	  accept_retry_select_failed = select_failed;
+	  }
+        accept_retry_count++;
+        }
+      else if (accept_retry_count > 0)
+	{
+	log_write(0, LOG_MAIN, "%d %s() failure%s: %s",
+	  accept_retry_count,
+	  accept_retry_select_failed ? "select" : "accept",
+	  accept_retry_count == 1 ? "" : "s",
+	  strerror(accept_retry_errno));
+	log_close_all();
+	accept_retry_count = 0;
+	}
+
+      /* If select/accept succeeded, deal with the connection. */
+
+      if (accept_socket >= 0)
+        {
+#ifdef TCP_QUICKACK /* Avoid pure-ACKs while in tls protocol pingpong phase */
+	/* Unfortunately we cannot be certain to do this before a TLS-on-connect
+	Client Hello arrives and is acked. We do it as early as possible. */
+	(void) setsockopt(accept_socket, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
+#endif
+        if (inetd_wait_timeout)
+          last_connection_time = time(NULL);
+        handle_smtp_call(fd_polls, listen_socket_count, accept_socket,
+          (struct sockaddr *)&accepted);
+        }
+      }
+    }
+
+  /* If not listening, then just sleep for the queue interval. If we woke
+  up early the last time for some other signal, it won't matter because
+  the alarm signal will wake at the right time. This code originally used
+  sleep() but it turns out that on the FreeBSD system, sleep() is not inter-
+  rupted by signals, so it wasn't waking up for SIGALRM or SIGCHLD. Luckily
+  select() can be used as an interruptible sleep() on all versions of Unix. */
+
+  else
+    {
+    struct pollfd p;
+    poll(&p, 0, queue_interval * 1000);
+    handle_ending_processes();
+    }
+
+  /* Re-enable the SIGCHLD handler if it has been run. It can't do it
+  for itself, because it isn't doing the waiting itself. */
+
+  if (sigchld_seen)
+    {
+    sigchld_seen = FALSE;
+    os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
+    }
+
+  /* Handle being woken by SIGHUP. We know at this point that the result
+  of accept() has been dealt with, so we can re-exec exim safely, first
+  closing the listening sockets so that they can be reused. Cancel any pending
+  alarm in case it is just about to go off, and set SIGHUP to be ignored so
+  that another HUP in quick succession doesn't clobber the new daemon before it
+  gets going. All log files get closed by the close-on-exec flag; however, if
+  the exec fails, we need to close the logs. */
+
+  if (sighup_seen)
+    {
+    log_write(0, LOG_MAIN, "pid %d: SIGHUP received: re-exec daemon",
+      getpid());
+    close_daemon_sockets(daemon_notifier_fd, fd_polls, listen_socket_count);
+    ALARM_CLR(0);
+    signal(SIGHUP, SIG_IGN);
+    sighup_argv[0] = exim_path;
+    exim_nullstd();
+    execv(CS exim_path, (char *const *)sighup_argv);
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid %d: exec of %s failed: %s",
+      getpid(), exim_path, strerror(errno));
+    log_close_all();
+    }
+
+  }   /* End of main loop */
+
+/* Control never reaches here */
+}
+
+/* vi: aw ai sw=2
+*/
+/* End of exim_daemon.c */
diff --git a/src/dane-openssl.c b/src/dane-openssl.c
new file mode 100644
index 0000000..6ed3529
--- /dev/null
+++ b/src/dane-openssl.c
@@ -0,0 +1,1719 @@
+/*
+ *  Author: Viktor Dukhovni
+ *  License: THIS CODE IS IN THE PUBLIC DOMAIN.
+ *
+ * Copyright (c) The Exim Maintainers 2014 - 2019
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <openssl/opensslv.h>
+#include <openssl/err.h>
+#include <openssl/crypto.h>
+#include <openssl/safestack.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+
+#if OPENSSL_VERSION_NUMBER < 0x1000000fL
+# error "OpenSSL 1.0.0 or higher required"
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+# define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
+#endif
+
+/* LibreSSL 2.9.0 and later - 2.9.0 has removed a number of macros ... */
+#ifdef LIBRESSL_VERSION_NUMBER
+# if LIBRESSL_VERSION_NUMBER >= 0x2090000fL
+#  define EXIM_HAVE_ASN1_MACROS
+# endif
+#endif
+/* OpenSSL */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+# define EXIM_HAVE_ASN1_MACROS
+# define EXIM_OPAQUE_X509
+/* Older OpenSSL and all LibreSSL */
+#else
+# define X509_STORE_CTX_get_verify(ctx)		(ctx)->verify
+# define X509_STORE_CTX_get_verify_cb(ctx)	(ctx)->verify_cb
+# define X509_STORE_CTX_get0_cert(ctx)		(ctx)->cert
+# define X509_STORE_CTX_get0_chain(ctx)		(ctx)->chain
+# define X509_STORE_CTX_get0_untrusted(ctx)	(ctx)->untrusted
+
+# define X509_STORE_CTX_set_verify(ctx, verify_chain)	(ctx)->verify = (verify_chain)
+# define X509_STORE_CTX_set0_verified_chain(ctx, sk)	(ctx)->chain = (sk)
+# define X509_STORE_CTX_set_error_depth(ctx, val)	(ctx)->error_depth = (val)
+# define X509_STORE_CTX_set_current_cert(ctx, cert)	(ctx)->current_cert = (cert)
+
+# define ASN1_STRING_get0_data	ASN1_STRING_data
+# define X509_getm_notBefore	X509_get_notBefore
+# define X509_getm_notAfter	X509_get_notAfter
+
+# define CRYPTO_ONCE_STATIC_INIT 0
+# define CRYPTO_THREAD_run_once	 run_once
+typedef int CRYPTO_ONCE;
+#endif
+
+
+#include "danessl.h"
+
+#define DANESSL_F_ADD_SKID		100
+#define DANESSL_F_ADD_TLSA		101
+#define DANESSL_F_CHECK_END_ENTITY	102
+#define DANESSL_F_CTX_INIT		103
+#define DANESSL_F_GROW_CHAIN		104
+#define DANESSL_F_INIT			105
+#define DANESSL_F_LIBRARY_INIT		106
+#define DANESSL_F_LIST_ALLOC		107
+#define DANESSL_F_MATCH			108
+#define DANESSL_F_PUSH_EXT		109
+#define DANESSL_F_SET_TRUST_ANCHOR	110
+#define DANESSL_F_VERIFY_CERT		111
+#define DANESSL_F_WRAP_CERT		112
+#define DANESSL_F_DANESSL_VERIFY_CHAIN	113
+
+#define DANESSL_R_BAD_CERT		100
+#define DANESSL_R_BAD_CERT_PKEY		101
+#define DANESSL_R_BAD_DATA_LENGTH	102
+#define DANESSL_R_BAD_DIGEST		103
+#define DANESSL_R_BAD_NULL_DATA		104
+#define DANESSL_R_BAD_PKEY		105
+#define DANESSL_R_BAD_SELECTOR		106
+#define DANESSL_R_BAD_USAGE		107
+#define DANESSL_R_INIT			108
+#define DANESSL_R_LIBRARY_INIT		109
+#define DANESSL_R_NOSIGN_KEY		110
+#define DANESSL_R_SCTX_INIT		111
+#define DANESSL_R_SUPPORT		112
+
+#ifndef OPENSSL_NO_ERR
+#define	DANESSL_F_PLACEHOLDER		0		/* FIRST! Value TBD */
+static ERR_STRING_DATA dane_str_functs[] = {
+    /*	error				string */
+    {DANESSL_F_PLACEHOLDER,		"DANE library"},	/* FIRST!!! */
+    {DANESSL_F_ADD_SKID,		"add_skid"},
+    {DANESSL_F_ADD_TLSA,		"DANESSL_add_tlsa"},
+    {DANESSL_F_CHECK_END_ENTITY,	"check_end_entity"},
+    {DANESSL_F_CTX_INIT,		"DANESSL_CTX_init"},
+    {DANESSL_F_GROW_CHAIN,		"grow_chain"},
+    {DANESSL_F_INIT,			"DANESSL_init"},
+    {DANESSL_F_LIBRARY_INIT,		"DANESSL_library_init"},
+    {DANESSL_F_LIST_ALLOC,		"list_alloc"},
+    {DANESSL_F_MATCH,			"match"},
+    {DANESSL_F_PUSH_EXT,		"push_ext"},
+    {DANESSL_F_SET_TRUST_ANCHOR,	"set_trust_anchor"},
+    {DANESSL_F_VERIFY_CERT,		"verify_cert"},
+    {DANESSL_F_WRAP_CERT,		"wrap_cert"},
+    {0,					NULL}
+};
+static ERR_STRING_DATA dane_str_reasons[] = {
+    /*	error				string */
+    {DANESSL_R_BAD_CERT,	"Bad TLSA record certificate"},
+    {DANESSL_R_BAD_CERT_PKEY,	"Bad TLSA record certificate public key"},
+    {DANESSL_R_BAD_DATA_LENGTH,	"Bad TLSA record digest length"},
+    {DANESSL_R_BAD_DIGEST,	"Bad TLSA record digest"},
+    {DANESSL_R_BAD_NULL_DATA,	"Bad TLSA record null data"},
+    {DANESSL_R_BAD_PKEY,	"Bad TLSA record public key"},
+    {DANESSL_R_BAD_SELECTOR,	"Bad TLSA record selector"},
+    {DANESSL_R_BAD_USAGE,	"Bad TLSA record usage"},
+    {DANESSL_R_INIT,		"DANESSL_init() required"},
+    {DANESSL_R_LIBRARY_INIT,	"DANESSL_library_init() required"},
+    {DANESSL_R_NOSIGN_KEY,	"Certificate usage 2 requires EC support"},
+    {DANESSL_R_SCTX_INIT,	"DANESSL_CTX_init() required"},
+    {DANESSL_R_SUPPORT,		"DANE library features not supported"},
+    {0,				NULL}
+};
+#endif
+
+#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FUNCTION__, __LINE__)
+
+static int err_lib_dane = -1;
+static int dane_idx = -1;
+
+#ifdef X509_V_FLAG_PARTIAL_CHAIN       /* OpenSSL >= 1.0.2 */
+static int wrap_to_root = 0;
+#else
+static int wrap_to_root = 1;
+#endif
+
+static void (*cert_free)(void *) = (void (*)(void *)) X509_free;
+static void (*pkey_free)(void *) = (void (*)(void *)) EVP_PKEY_free;
+
+typedef struct dane_list
+{
+    struct dane_list *next;
+    void *value;
+} *dane_list;
+
+#define LINSERT(h, e) do { (e)->next = (h); (h) = (e); } while (0)
+
+typedef struct dane_host_list
+{
+    struct dane_host_list *next;
+    char *value;
+} *dane_host_list;
+
+typedef struct dane_data
+{
+    size_t datalen;
+    unsigned char data[0];
+} *dane_data;
+
+typedef struct dane_data_list
+{
+    struct dane_data_list *next;
+    dane_data value;
+} *dane_data_list;
+
+typedef struct dane_mtype
+{
+    int mdlen;
+    const EVP_MD *md;
+    dane_data_list data;
+} *dane_mtype;
+
+typedef struct dane_mtype_list
+{
+    struct dane_mtype_list *next;
+    dane_mtype value;
+} *dane_mtype_list;
+
+typedef struct dane_selector
+{
+    uint8_t selector;
+    dane_mtype_list mtype;
+} *dane_selector;
+
+typedef struct dane_selector_list
+{
+    struct dane_selector_list *next;
+    dane_selector value;
+} *dane_selector_list;
+
+typedef struct dane_pkey_list
+{
+    struct dane_pkey_list *next;
+    EVP_PKEY *value;
+} *dane_pkey_list;
+
+typedef struct dane_cert_list
+{
+    struct dane_cert_list *next;
+    X509 *value;
+} *dane_cert_list;
+
+typedef struct ssl_dane
+{
+    int            (*verify)(X509_STORE_CTX *);
+    STACK_OF(X509) *roots;
+    STACK_OF(X509) *chain;
+    X509           *match;		/* Matched cert */
+    const char     *thost;		/* TLSA base domain */
+    char	   *mhost;		/* Matched peer name */
+    dane_pkey_list pkeys;
+    dane_cert_list certs;
+    dane_host_list hosts;
+    dane_selector_list selectors[DANESSL_USAGE_LAST + 1];
+    int            depth;
+    int		   mdpth;		/* Depth of matched cert */
+    int		   multi;		/* Multi-label wildcards? */
+    int		   count;		/* Number of TLSA records */
+} ssl_dane;
+
+#ifndef X509_V_ERR_HOSTNAME_MISMATCH
+# define X509_V_ERR_HOSTNAME_MISMATCH X509_V_ERR_APPLICATION_VERIFICATION
+#endif
+
+
+
+static int
+match(dane_selector_list slist, X509 *cert, int depth)
+{
+int matched;
+
+/*
+ * Note, set_trust_anchor() needs to know whether the match was for a
+ * pkey digest or a certificate digest.  We return MATCHED_PKEY or
+ * MATCHED_CERT accordingly.
+ */
+#define MATCHED_CERT (DANESSL_SELECTOR_CERT + 1)
+#define MATCHED_PKEY (DANESSL_SELECTOR_SPKI + 1)
+
+/*
+ * Loop over each selector, mtype, and associated data element looking
+ * for a match.
+ */
+for (matched = 0; !matched && slist; slist = slist->next)
+  {
+  unsigned char mdbuf[EVP_MAX_MD_SIZE];
+  unsigned char *buf = NULL;
+  unsigned char *buf2;
+  unsigned int len = 0;
+
+  /*
+   * Extract ASN.1 DER form of certificate or public key.
+   */
+  switch(slist->value->selector)
+    {
+    case DANESSL_SELECTOR_CERT:
+      len = i2d_X509(cert, NULL);
+      buf2 = buf = US  OPENSSL_malloc(len);
+      if(buf) i2d_X509(cert, &buf2);
+      break;
+    case DANESSL_SELECTOR_SPKI:
+      len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
+      buf2 = buf = US  OPENSSL_malloc(len);
+      if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
+      break;
+    }
+
+  if (!buf)
+    {
+    DANEerr(DANESSL_F_MATCH, ERR_R_MALLOC_FAILURE);
+    return 0;
+    }
+  OPENSSL_assert(buf2 - buf == len);
+
+  /*
+   * Loop over each mtype and data element
+   */
+  for (dane_mtype_list m = slist->value->mtype; !matched && m; m = m->next)
+    {
+    unsigned char *cmpbuf = buf;
+    unsigned int cmplen = len;
+
+    /*
+     * If it is a digest, compute the corresponding digest of the
+     * DER data for comparison, otherwise, use the full object.
+     */
+    if (m->value->md)
+      {
+      cmpbuf = mdbuf;
+      if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
+	  matched = -1;
+      }
+    for (dane_data_list d = m->value->data; !matched && d; d = d->next)
+	if (  cmplen == d->value->datalen
+	   && memcmp(cmpbuf, d->value->data, cmplen) == 0)
+	    matched = slist->value->selector + 1;
+    }
+
+  OPENSSL_free(buf);
+  }
+
+return matched;
+}
+
+static int
+push_ext(X509 *cert, X509_EXTENSION *ext)
+{
+if (ext)
+  {
+  if (X509_add_ext(cert, ext, -1))
+      return 1;
+  X509_EXTENSION_free(ext);
+  }
+DANEerr(DANESSL_F_PUSH_EXT, ERR_R_MALLOC_FAILURE);
+return 0;
+}
+
+static int
+add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
+{
+X509V3_CTX v3ctx;
+
+X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
+return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
+}
+
+static int
+set_serial(X509 *cert, AUTHORITY_KEYID *akid, X509 *subject)
+{
+int ret = 0;
+BIGNUM *bn;
+
+if (akid && akid->serial)
+  return (X509_set_serialNumber(cert, akid->serial));
+
+/*
+ * Add one to subject's serial to avoid collisions between TA serial and
+ * serial of signing root.
+ */
+if (  (bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(subject), 0)) != 0
+   && BN_add_word(bn, 1)
+   && BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(cert)))
+  ret = 1;
+
+if (bn)
+  BN_free(bn);
+return ret;
+}
+
+static int
+add_akid(X509 *cert, AUTHORITY_KEYID *akid)
+{
+int nid = NID_authority_key_identifier;
+ASN1_OCTET_STRING *id;
+unsigned char c = 0;
+int ret = 0;
+
+/*
+ * 0 will never be our subject keyid from a SHA-1 hash, but it could be
+ * our subject keyid if forced from child's akid.  If so, set our
+ * authority keyid to 1.  This way we are never self-signed, and thus
+ * exempt from any potential (off by default for now in OpenSSL)
+ * self-signature checks!
+ */
+id =  akid && akid->keyid ? akid->keyid : 0;
+if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_get0_data(id) == c)
+  c = 1;
+
+if (  (akid = AUTHORITY_KEYID_new()) != 0
+   && (akid->keyid = ASN1_OCTET_STRING_new()) != 0
+#ifdef EXIM_HAVE_ASN1_MACROS
+   && ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
+#else
+   && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
+#endif
+   && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_APPEND))
+  ret = 1;
+if (akid)
+  AUTHORITY_KEYID_free(akid);
+return ret;
+}
+
+static int
+add_skid(X509 *cert, AUTHORITY_KEYID *akid)
+{
+int nid = NID_subject_key_identifier;
+
+if (!akid || !akid->keyid)
+  return add_ext(0, cert, nid, "hash");
+return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_APPEND) > 0;
+}
+
+static X509_NAME *
+akid_issuer_name(AUTHORITY_KEYID *akid)
+{
+if (akid && akid->issuer)
+  {
+  GENERAL_NAMES *gens = akid->issuer;
+
+  for (int i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
+    {
+    GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
+
+    if (gn->type == GEN_DIRNAME)
+      return (gn->d.dirn);
+    }
+  }
+return 0;
+}
+
+static int
+set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid, X509_NAME *subj)
+{
+X509_NAME *name = akid_issuer_name(akid);
+
+/*
+ * If subject's akid specifies an authority key identifier issuer name, we
+ * must use that.
+ */
+return X509_set_issuer_name(cert,
+			    name ? name : subj);
+}
+
+static int
+grow_chain(ssl_dane *dane, int trusted, X509 *cert)
+{
+STACK_OF(X509) **xs = trusted ? &dane->roots : &dane->chain;
+static ASN1_OBJECT *serverAuth = 0;
+
+#define UNTRUSTED 0
+#define TRUSTED 1
+
+if (  trusted && !serverAuth
+   && !(serverAuth = OBJ_nid2obj(NID_server_auth)))
+  {
+  DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
+  return 0;
+  }
+if (!*xs && !(*xs = sk_X509_new_null()))
+  {
+  DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
+  return 0;
+  }
+
+if (cert)
+  {
+  if (trusted && !X509_add1_trust_object(cert, serverAuth))
+    return 0;
+#ifdef EXIM_OPAQUE_X509
+  X509_up_ref(cert);
+#else
+  CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+#endif
+  if (!sk_X509_push(*xs, cert))
+    {
+    X509_free(cert);
+    DANEerr(DANESSL_F_GROW_CHAIN, ERR_R_MALLOC_FAILURE);
+    return 0;
+    }
+  }
+return 1;
+}
+
+static int
+wrap_issuer(ssl_dane *dane, EVP_PKEY *key, X509 *subject, int depth, int top)
+{
+int ret = 1;
+X509 *cert = 0;
+AUTHORITY_KEYID *akid;
+X509_NAME *name = X509_get_issuer_name(subject);
+EVP_PKEY *newkey = key ? key : X509_get_pubkey(subject);
+
+#define WRAP_MID 0              /* Ensure intermediate. */
+#define WRAP_TOP 1              /* Ensure self-signed. */
+
+if (!name || !newkey || !(cert = X509_new()))
+  return 0;
+
+/*
+ * Record the depth of the trust-anchor certificate.
+ */
+if (dane->depth < 0)
+  dane->depth = depth + 1;
+
+/*
+ * XXX: Uncaught error condition:
+ *
+ * The return value is NULL both when the extension is missing, and when
+ * OpenSSL rans out of memory while parsing the extension.
+ */
+ERR_clear_error();
+akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
+/* XXX: Should we peek at the error stack here??? */
+
+/*
+ * If top is true generate a self-issued root CA, otherwise an
+ * intermediate CA and possibly its self-signed issuer.
+ *
+ * CA cert valid for +/- 30 days
+ */
+if (  !X509_set_version(cert, 2)
+   || !set_serial(cert, akid, subject)
+   || !set_issuer_name(cert, akid, name)
+   || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L)
+   || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L)
+   || !X509_set_subject_name(cert, name)
+   || !X509_set_pubkey(cert, newkey)
+   || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
+   || (!top && !add_akid(cert, akid))
+   || !add_skid(cert, akid)
+   || (  !top && wrap_to_root
+      && !wrap_issuer(dane, newkey, cert, depth, WRAP_TOP)))
+  ret = 0;
+
+if (akid)
+  AUTHORITY_KEYID_free(akid);
+if (!key)
+  EVP_PKEY_free(newkey);
+if (ret)
+  ret = grow_chain(dane, !top && wrap_to_root ? UNTRUSTED : TRUSTED, cert);
+if (cert)
+  X509_free(cert);
+return ret;
+}
+
+static int
+wrap_cert(ssl_dane *dane, X509 *tacert, int depth)
+{
+if (dane->depth < 0)
+  dane->depth = depth + 1;
+
+/*
+ * If the TA certificate is self-issued, or need not be, use it directly.
+ * Otherwise, synthesize requisite ancestors.
+ */
+if (  !wrap_to_root
+   || X509_check_issued(tacert, tacert) == X509_V_OK)
+  return grow_chain(dane, TRUSTED, tacert);
+
+if (wrap_issuer(dane, 0, tacert, depth, WRAP_MID))
+  return grow_chain(dane, UNTRUSTED, tacert);
+return 0;
+}
+
+static int
+ta_signed(ssl_dane *dane, X509 *cert, int depth)
+{
+EVP_PKEY *pk;
+int done = 0;
+
+/*
+ * First check whether issued and signed by a TA cert, this is cheaper
+ * than the bare-public key checks below, since we can determine whether
+ * the candidate TA certificate issued the certificate to be checked
+ * first (name comparisons), before we bother with signature checks
+ * (public key operations).
+ */
+for (dane_cert_list x = dane->certs; !done && x; x = x->next)
+  {
+  if (X509_check_issued(x->value, cert) == X509_V_OK)
+    {
+    if (!(pk = X509_get_pubkey(x->value)))
+      {
+      /*
+       * The cert originally contained a valid pkey, which does
+       * not just vanish, so this is most likely a memory error.
+       */
+      done = -1;
+      break;
+      }
+    /* Check signature, since some other TA may work if not this. */
+    if (X509_verify(cert, pk) > 0)
+      done = wrap_cert(dane, x->value, depth) ? 1 : -1;
+    EVP_PKEY_free(pk);
+    }
+  }
+
+/*
+ * With bare TA public keys, we can't check whether the trust chain is
+ * issued by the key, but we can determine whether it is signed by the
+ * key, so we go with that.
+ *
+ * Ideally, the corresponding certificate was presented in the chain, and we
+ * matched it by its public key digest one level up.  This code is here
+ * to handle adverse conditions imposed by sloppy administrators of
+ * receiving systems with poorly constructed chains.
+ *
+ * We'd like to optimize out keys that should not match when the cert's
+ * authority key id does not match the key id of this key computed via
+ * the RFC keyid algorithm (SHA-1 digest of public key bit-string sans
+ * ASN1 tag and length thus also excluding the unused bits field that is
+ * logically part of the length).  However, some CAs have a non-standard
+ * authority keyid, so we lose.  Too bad.
+ *
+ * This may push errors onto the stack when the certificate signature is
+ * not of the right type or length, throw these away,
+ */
+for (dane_pkey_list k = dane->pkeys; !done && k; k = k->next)
+  if (X509_verify(cert, k->value) > 0)
+    done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
+  else
+    ERR_clear_error();
+
+return done;
+}
+
+static int
+set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
+{
+int matched = 0;
+int depth = 0;
+EVP_PKEY *takey;
+X509 *ca;
+STACK_OF(X509) *in = X509_STORE_CTX_get0_untrusted(ctx);
+
+if (!grow_chain(dane, UNTRUSTED, 0))
+  return -1;
+
+/*
+ * Accept a degenerate case: depth 0 self-signed trust-anchor.
+ */
+if (X509_check_issued(cert, cert) == X509_V_OK)
+  {
+  dane->depth = 0;
+  matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], cert, 0);
+  if (matched > 0 && !grow_chain(dane, TRUSTED, cert))
+    matched = -1;
+  return matched;
+  }
+
+/* Make a shallow copy of the input untrusted chain. */
+if (!(in = sk_X509_dup(in)))
+  {
+  DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
+  return -1;
+  }
+
+/*
+ * At each iteration we consume the issuer of the current cert.  This
+ * reduces the length of the "in" chain by one.  If no issuer is found,
+ * we are done.  We also stop when a certificate matches a TA in the
+ * peer's TLSA RRset.
+ *
+ * Caller ensures that the initial certificate is not self-signed.
+ */
+for (int n = sk_X509_num(in); n > 0; --n, ++depth)
+  {
+  int i;
+  for (i = 0; i < n; ++i)
+    if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
+      break;
+
+  /*
+   * Final untrusted element with no issuer in the peer's chain, it may
+   * however be signed by a pkey or cert obtained via a TLSA RR.
+   */
+  if (i == n)
+    break;
+
+  /* Peer's chain contains an issuer ca. */
+  ca = sk_X509_delete(in, i);
+
+  /* If not a trust anchor, record untrusted ca and continue. */
+  if ((matched = match(dane->selectors[DANESSL_USAGE_DANE_TA], ca,
+		     depth + 1)) == 0)
+    {
+    if (grow_chain(dane, UNTRUSTED, ca))
+      {
+      if (X509_check_issued(ca, ca) != X509_V_OK)
+	{
+	/* Restart with issuer as subject */
+	cert = ca;
+	continue;
+	}
+      /* Final self-signed element, skip ta_signed() check. */
+      cert = 0;
+      }
+    else
+      matched = -1;
+    }
+  else if(matched == MATCHED_CERT)
+    {
+    if(!wrap_cert(dane, ca, depth))
+      matched = -1;
+    }
+  else if(matched == MATCHED_PKEY)
+    {
+    if (  !(takey = X509_get_pubkey(ca))
+       || !wrap_issuer(dane, takey, cert, depth, WRAP_MID))
+      {
+      if (takey)
+	EVP_PKEY_free(takey);
+      else
+	DANEerr(DANESSL_F_SET_TRUST_ANCHOR, ERR_R_MALLOC_FAILURE);
+      matched = -1;
+      }
+    }
+  break;
+  }
+
+/* Shallow free the duplicated input untrusted chain. */
+sk_X509_free(in);
+
+/*
+ * When the loop exits, if "cert" is set, it is not self-signed and has
+ * no issuer in the chain, we check for a possible signature via a DNS
+ * obtained TA cert or public key.
+ */
+if (matched == 0 && cert)
+  matched = ta_signed(dane, cert, depth);
+
+return matched;
+}
+
+static int
+check_end_entity(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
+{
+int matched;
+
+matched = match(dane->selectors[DANESSL_USAGE_DANE_EE], cert, 0);
+if (matched > 0)
+  {
+  dane->mdpth = 0;
+  dane->match = cert;
+  X509_up_ref(cert);
+  if(!X509_STORE_CTX_get0_chain(ctx))
+    {
+    STACK_OF(X509) * sk = sk_X509_new_null();
+    if (sk && sk_X509_push(sk, cert))
+      {
+      X509_up_ref(cert);
+      X509_STORE_CTX_set0_verified_chain(ctx, sk);
+      }
+    else
+      {
+      if (sk) sk_X509_free(sk);
+      DANEerr(DANESSL_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
+      return -1;
+      }
+    }
+  }
+return matched;
+}
+
+static int
+match_name(const char *certid, ssl_dane *dane)
+{
+int multi = dane->multi;
+
+for (dane_host_list hosts = dane->hosts; hosts; hosts = hosts->next)
+  {
+  int match_subdomain = 0;
+  const char *domain = hosts->value;
+  const char *parent;
+  int idlen;
+  int domlen;
+
+  if (*domain == '.' && domain[1] != '\0')
+    {
+    ++domain;
+    match_subdomain = 1;
+    }
+
+  /*
+   * Sub-domain match: certid is any sub-domain of hostname.
+   */
+  if(match_subdomain)
+    {
+    if (  (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
+       && certid[idlen - domlen - 1] == '.'
+       && !strcasecmp(certid + (idlen - domlen), domain))
+      return 1;
+    else
+      continue;
+    }
+
+  /*
+   * Exact match and initial "*" match. The initial "*" in a certid
+   * matches one (if multi is false) or more hostname components under
+   * the condition that the certid contains multiple hostname components.
+   */
+  if (  !strcasecmp(certid, domain)
+     || (  certid[0] == '*' && certid[1] == '.' && certid[2] != 0
+        && (parent = strchr(domain, '.')) != 0
+        && (idlen = strlen(certid + 1)) <= (domlen = strlen(parent))
+        && strcasecmp(multi ? parent + domlen - idlen : parent, certid+1) == 0))
+    return 1;
+  }
+return 0;
+}
+
+static const char *
+check_name(const char *name, int len)
+{
+const char *cp = name + len;
+
+while (len > 0 && !*--cp)
+  --len;                          /* Ignore trailing NULs */
+if (len <= 0)
+  return 0;
+for (cp = name; *cp; cp++)
+  {
+  char c = *cp;
+  if (!((c >= 'a' && c <= 'z') ||
+	(c >= '0' && c <= '9') ||
+	(c >= 'A' && c <= 'Z') ||
+	(c == '.' || c == '-') ||
+	(c == '*')))
+    return 0;                   /* Only LDH, '.' and '*' */
+  }
+if (cp - name != len)               /* Guard against internal NULs */
+  return 0;
+return name;
+}
+
+static const char *
+parse_dns_name(const GENERAL_NAME *gn)
+{
+if (gn->type != GEN_DNS)
+  return 0;
+if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
+  return 0;
+return check_name(CCS  ASN1_STRING_get0_data(gn->d.ia5),
+		  ASN1_STRING_length(gn->d.ia5));
+}
+
+static char *
+parse_subject_name(X509 *cert)
+{
+X509_NAME *name = X509_get_subject_name(cert);
+X509_NAME_ENTRY *entry;
+ASN1_STRING *entry_str;
+unsigned char *namebuf;
+int nid = NID_commonName;
+int len;
+int i;
+
+if (!name || (i = X509_NAME_get_index_by_NID(name, nid, -1)) < 0)
+  return 0;
+if (!(entry = X509_NAME_get_entry(name, i)))
+  return 0;
+if (!(entry_str = X509_NAME_ENTRY_get_data(entry)))
+  return 0;
+
+if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
+  return 0;
+if (len <= 0 || check_name(CS  namebuf, len) == 0)
+  {
+  OPENSSL_free(namebuf);
+  return 0;
+  }
+return CS  namebuf;
+}
+
+static int
+name_check(ssl_dane *dane, X509 *cert)
+{
+int matched = 0;
+BOOL got_altname = FALSE;
+GENERAL_NAMES *gens;
+
+gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
+if (gens)
+  {
+  int n = sk_GENERAL_NAME_num(gens);
+
+  for (int i = 0; i < n; ++i)
+    {
+    const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
+    const char *certid;
+
+    if (gn->type != GEN_DNS)
+	continue;
+    got_altname = TRUE;
+    certid = parse_dns_name(gn);
+    if (certid && *certid)
+      {
+      if ((matched = match_name(certid, dane)) == 0)
+	continue;
+      if (!(dane->mhost = OPENSSL_strdup(certid)))
+	matched = -1;
+      DEBUG(D_tls) debug_printf("Dane name_check: matched SAN %s\n", certid);
+      break;
+      }
+    }
+  GENERAL_NAMES_free(gens);
+  }
+
+/*
+ * XXX: Should the subjectName be skipped when *any* altnames are present,
+ * or only when DNS altnames are present?
+ */
+if (!got_altname)
+  {
+  char *certid = parse_subject_name(cert);
+  if (certid != 0 && *certid && (matched = match_name(certid, dane)) != 0)
+    {
+    DEBUG(D_tls) debug_printf("Dane name_check: matched SN %s\n", certid);
+    dane->mhost = OPENSSL_strdup(certid);
+    }
+  if (certid)
+    OPENSSL_free(certid);
+  }
+return matched;
+}
+
+static int
+verify_chain(X509_STORE_CTX *ctx)
+{
+int (*cb)(int, X509_STORE_CTX *) = X509_STORE_CTX_get_verify_cb(ctx);
+X509 *cert = X509_STORE_CTX_get0_cert(ctx);
+STACK_OF(X509) * chain = X509_STORE_CTX_get0_chain(ctx);
+int chain_length = sk_X509_num(chain);
+int ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
+SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
+ssl_dane *dane = SSL_get_ex_data(ssl, dane_idx);
+dane_selector_list issuer_rrs = dane->selectors[DANESSL_USAGE_PKIX_TA];
+dane_selector_list leaf_rrs = dane->selectors[DANESSL_USAGE_PKIX_EE];
+int matched = 0;
+
+DEBUG(D_tls) debug_printf("Dane verify_chain\n");
+
+/* Restore OpenSSL's internal_verify() as the signature check function */
+X509_STORE_CTX_set_verify(ctx, dane->verify);
+
+if ((matched = name_check(dane, cert)) < 0)
+  {
+  X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
+  return 0;
+  }
+
+if (!matched)
+  {
+  X509_STORE_CTX_set_error_depth(ctx, 0);
+  X509_STORE_CTX_set_current_cert(ctx, cert);
+  X509_STORE_CTX_set_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH);
+  if (!cb(0, ctx))
+    return 0;
+  }
+matched = 0;
+
+/*
+ * Satisfy at least one usage 0 or 1 constraint, unless we've already
+ * matched a usage 2 trust anchor.
+ *
+ * XXX: internal_verify() doesn't callback with top certs that are not
+ * self-issued.  This is fixed in OpenSSL 1.1.0.
+ */
+if (dane->roots && sk_X509_num(dane->roots))
+  {
+  X509 *top = sk_X509_value(chain, dane->depth);
+
+  dane->mdpth = dane->depth;
+  dane->match = top;
+  X509_up_ref(top);
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+  if (X509_check_issued(top, top) != X509_V_OK)
+    {
+    X509_STORE_CTX_set_error_depth(ctx, dane->depth);
+    X509_STORE_CTX_set_current_cert(ctx, top);
+    if (!cb(1, ctx))
+      return 0;
+    }
+#endif
+  /* Pop synthetic trust-anchor ancestors off the chain! */
+  while (--chain_length > dane->depth)
+      X509_free(sk_X509_pop(chain));
+  }
+else
+  {
+  int n = 0;
+  X509 *xn = cert;
+
+  /*
+   * Check for an EE match, then a CA match at depths > 0, and
+   * finally, if the EE cert is self-issued, for a depth 0 CA match.
+   */
+  if (leaf_rrs)
+    matched = match(leaf_rrs, xn, 0);
+  if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched EE\n");
+
+  if (!matched && issuer_rrs)
+    for (n = chain_length-1; !matched && n >= 0; --n)
+      {
+      xn = sk_X509_value(chain, n);
+      if (n > 0 || X509_check_issued(xn, xn) == X509_V_OK)
+	matched = match(issuer_rrs, xn, n);
+      }
+  if (matched) DEBUG(D_tls) debug_printf("Dane verify_chain: matched %s\n",
+    n>0 ? "CA" : "selfisssued EE");
+
+  if (!matched)
+    {
+    X509_STORE_CTX_set_error_depth(ctx, 0);
+    X509_STORE_CTX_set_current_cert(ctx, cert);
+    X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
+    if (!cb(0, ctx))
+      return 0;
+    }
+  else
+    {
+    dane->mdpth = n;
+    dane->match = xn;
+    X509_up_ref(xn);
+    }
+  }
+
+/* Tail recurse into OpenSSL's internal_verify */
+return dane->verify(ctx);
+}
+
+static void
+dane_reset(ssl_dane *dane)
+{
+dane->depth = -1;
+if (dane->mhost)
+  {
+  OPENSSL_free(dane->mhost);
+  dane->mhost = 0;
+  }
+if (dane->roots)
+  {
+  sk_X509_pop_free(dane->roots, X509_free);
+  dane->roots = 0;
+  }
+if (dane->chain)
+  {
+  sk_X509_pop_free(dane->chain, X509_free);
+  dane->chain = 0;
+  }
+if (dane->match)
+  {
+  X509_free(dane->match);
+  dane->match = 0;
+  }
+dane->mdpth = -1;
+}
+
+static int
+verify_cert(X509_STORE_CTX *ctx, void *unused_ctx)
+{
+static int ssl_idx = -1;
+SSL *ssl;
+ssl_dane *dane;
+int (*cb)(int, X509_STORE_CTX *) = X509_STORE_CTX_get_verify_cb(ctx);
+X509 *cert = X509_STORE_CTX_get0_cert(ctx);
+int matched;
+
+DEBUG(D_tls) debug_printf("Dane verify_cert\n");
+
+if (ssl_idx < 0)
+  ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
+if (dane_idx < 0)
+  {
+  DANEerr(DANESSL_F_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
+  return -1;
+  }
+
+ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_idx);
+if (!(dane = SSL_get_ex_data(ssl, dane_idx)) || !cert)
+  return X509_verify_cert(ctx);
+
+/* Reset for verification of a new chain, perhaps a renegotiation. */
+dane_reset(dane);
+
+if (dane->selectors[DANESSL_USAGE_DANE_EE])
+  {
+  if ((matched = check_end_entity(ctx, dane, cert)) > 0)
+    {
+    X509_STORE_CTX_set_error_depth(ctx, 0);
+    X509_STORE_CTX_set_current_cert(ctx, cert);
+    return cb(1, ctx);
+    }
+  if (matched < 0)
+    {
+    X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
+    return -1;
+    }
+  }
+
+if (dane->selectors[DANESSL_USAGE_DANE_TA])
+  {
+  if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
+    {
+    X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
+    return -1;
+    }
+  if (matched)
+    {
+    /*
+     * Check that setting the untrusted chain updates the expected
+     * structure member at the expected offset.
+     */
+    X509_STORE_CTX_trusted_stack(ctx, dane->roots);
+    X509_STORE_CTX_set_chain(ctx, dane->chain);
+    OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));
+    }
+  }
+
+/*
+ * Name checks and usage 0/1 constraint enforcement are delayed until
+ * X509_verify_cert() builds the full chain and calls our verify_chain()
+ * wrapper.
+ */
+dane->verify = X509_STORE_CTX_get_verify(ctx);
+X509_STORE_CTX_set_verify(ctx, verify_chain);
+
+if (X509_verify_cert(ctx))
+  return 1;
+
+/*
+ * If the chain is invalid, clear any matching cert or hostname, to
+ * protect callers that might erroneously rely on these alone without
+ * checking the validation status.
+ */
+if (dane->match)
+  {
+  X509_free(dane->match);
+  dane->match = 0;
+  }
+if (dane->mhost)
+  {
+  OPENSSL_free(dane->mhost);
+  dane->mhost = 0;
+  }
+ return 0;
+}
+
+static dane_list
+list_alloc(size_t vsize)
+{
+void *value = (void *) OPENSSL_malloc(vsize);
+dane_list l;
+
+if (!value)
+  {
+  DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
+  return 0;
+  }
+if (!(l = (dane_list) OPENSSL_malloc(sizeof(*l))))
+  {
+  OPENSSL_free(value);
+  DANEerr(DANESSL_F_LIST_ALLOC, ERR_R_MALLOC_FAILURE);
+  return 0;
+  }
+l->next = 0;
+l->value = value;
+return l;
+}
+
+static void
+list_free(void *list, void (*f)(void *))
+{
+dane_list next;
+
+for (dane_list head = (dane_list) list; head; head = next)
+  {
+  next = head->next;
+  if (f && head->value)
+      f(head->value);
+  OPENSSL_free(head);
+  }
+}
+
+static void
+ossl_free(void * p)
+{
+OPENSSL_free(p);
+}
+
+static void
+dane_mtype_free(void *p)
+{
+list_free(((dane_mtype) p)->data, ossl_free);
+OPENSSL_free(p);
+}
+
+static void
+dane_selector_free(void *p)
+{
+list_free(((dane_selector) p)->mtype, dane_mtype_free);
+OPENSSL_free(p);
+}
+
+
+
+/*
+
+Tidy up once the connection is finished with.
+
+Arguments
+  ssl		The ssl connection handle
+
+=> Before calling SSL_free()
+tls_close() and tls_getc() [the error path] are the obvious places.
+Could we do it earlier - right after verification?  In tls_client_start()
+right after SSL_connect() returns, in that case.
+
+*/
+
+void
+DANESSL_cleanup(SSL *ssl)
+{
+ssl_dane *dane;
+
+DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
+
+if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
+  return;
+(void) SSL_set_ex_data(ssl, dane_idx, 0);
+
+dane_reset(dane);
+if (dane->hosts)
+  list_free(dane->hosts, ossl_free);
+for (int u = 0; u <= DANESSL_USAGE_LAST; ++u)
+  if (dane->selectors[u])
+    list_free(dane->selectors[u], dane_selector_free);
+if (dane->pkeys)
+  list_free(dane->pkeys, pkey_free);
+if (dane->certs)
+  list_free(dane->certs, cert_free);
+OPENSSL_free(dane);
+}
+
+static dane_host_list
+host_list_init(const char **src)
+{
+dane_host_list head = NULL;
+
+while (*src)
+  {
+  dane_host_list elem = (dane_host_list) OPENSSL_malloc(sizeof(*elem));
+  if (elem == 0)
+    {
+    list_free(head, ossl_free);
+    return 0;
+    }
+  elem->value = OPENSSL_strdup(*src++);
+  LINSERT(head, elem);
+  }
+return head;
+}
+
+
+int
+DANESSL_get_match_cert(SSL *ssl, X509 **match, const char **mhost, int *depth)
+{
+ssl_dane *dane;
+
+if (dane_idx < 0 || (dane = SSL_get_ex_data(ssl, dane_idx)) == 0)
+  {
+  DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
+  return -1;
+  }
+
+if (dane->match)
+  {
+  if (match)
+    *match = dane->match;
+  if (mhost)
+    *mhost = dane->mhost;
+  if (depth)
+    *depth = dane->mdpth;
+  }
+
+  return (dane->match != 0);
+}
+
+
+#ifdef never_called
+int
+DANESSL_verify_chain(SSL *ssl, STACK_OF(X509) *chain)
+{
+int ret;
+X509 *cert;
+X509_STORE_CTX * store_ctx;
+SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl);
+X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
+int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
+
+cert = sk_X509_value(chain, 0);
+if (!(store_ctx = X509_STORE_CTX_new()))
+  {
+  DANEerr(DANESSL_F_DANESSL_VERIFY_CHAIN, ERR_R_MALLOC_FAILURE);
+  return 0;
+  }
+if (!X509_STORE_CTX_init(store_ctx, store, cert, chain))
+  {
+  X509_STORE_CTX_free(store_ctx);
+  return 0;
+  }
+X509_STORE_CTX_set_ex_data(store_ctx, store_ctx_idx, ssl);
+
+X509_STORE_CTX_set_default(store_ctx,
+            SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
+X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
+            SSL_get0_param(ssl));
+
+if (SSL_get_verify_callback(ssl))
+  X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
+
+ret = verify_cert(store_ctx, NULL);
+
+SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(store_ctx));
+X509_STORE_CTX_cleanup(store_ctx);
+
+return (ret);
+}
+#endif
+
+
+
+
+/*
+
+Call this for each TLSA record found for the target, after the
+DANE setup has been done on the ssl connection handle.
+
+Arguments:
+  ssl		Connection handle
+  usage		TLSA record field
+  selector	TLSA record field
+  mdname	??? message digest name?
+  data		??? TLSA record megalump?
+  dlen		length of data
+
+Return
+  -1 on error
+  0  action not taken
+  1  record accepted
+*/
+
+int
+DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
+        unsigned const char *data, size_t dlen)
+{
+ssl_dane *dane;
+dane_selector_list s = 0;
+dane_mtype_list m = 0;
+dane_data_list d = 0;
+dane_cert_list xlist = 0;
+dane_pkey_list klist = 0;
+const EVP_MD *md = 0;
+
+DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
+			  usage, selector, mdname);
+
+if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
+  {
+  DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_INIT);
+  return -1;
+  }
+
+if (usage > DANESSL_USAGE_LAST)
+  {
+  DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_USAGE);
+  return 0;
+  }
+if (selector > DANESSL_SELECTOR_LAST)
+  {
+  DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_SELECTOR);
+  return 0;
+  }
+
+/* Support built-in standard one-digit mtypes */
+if (mdname && *mdname && mdname[1] == '\0')
+  switch (*mdname - '0')
+  {
+  case DANESSL_MATCHING_FULL: mdname = 0;	   break;
+  case DANESSL_MATCHING_2256: mdname = "sha256"; break;
+  case DANESSL_MATCHING_2512: mdname = "sha512"; break;
+  }
+if (mdname && *mdname && !(md = EVP_get_digestbyname(mdname)))
+  {
+  DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
+  return 0;
+  }
+if (mdname && *mdname && dlen != EVP_MD_size(md))
+  {
+  DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
+  return 0;
+  }
+if (!data)
+  {
+  DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
+  return 0;
+  }
+
+/*
+ * Full Certificate or Public Key when NULL or empty digest name
+ */
+if (!mdname || !*mdname)
+  {
+  X509 *x = 0;
+  EVP_PKEY *k = 0;
+  const unsigned char *p = data;
+
+#define xklistinit(lvar, ltype, var, freeFunc) do { \
+	  (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
+	  if ((lvar) == 0) { \
+	      DANEerr(DANESSL_F_ADD_TLSA, ERR_R_MALLOC_FAILURE); \
+	      freeFunc((var)); \
+	      return 0; \
+	  } \
+	  (lvar)->next = 0; \
+	  lvar->value = var; \
+      } while (0)
+#define xkfreeret(ret) do { \
+	  if (xlist) list_free(xlist, cert_free); \
+	  if (klist) list_free(klist, pkey_free); \
+	  return (ret); \
+      } while (0)
+
+  switch (selector)
+    {
+    case DANESSL_SELECTOR_CERT:
+      if (!d2i_X509(&x, &p, dlen) || dlen != p - data)
+	{
+	if (x)
+	  X509_free(x);
+	DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT);
+	return 0;
+	}
+      k = X509_get_pubkey(x);
+      EVP_PKEY_free(k);
+      if (k == 0)
+	{
+	X509_free(x);
+	DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_CERT_PKEY);
+	return 0;
+	}
+      if (usage == DANESSL_USAGE_DANE_TA)
+	xklistinit(xlist, dane_cert_list, x, X509_free);
+      break;
+
+    case DANESSL_SELECTOR_SPKI:
+      if (!d2i_PUBKEY(&k, &p, dlen) || dlen != p - data)
+	{
+	if (k)
+	  EVP_PKEY_free(k);
+      DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_PKEY);
+      return 0;
+	}
+      if (usage == DANESSL_USAGE_DANE_TA)
+	xklistinit(klist, dane_pkey_list, k, EVP_PKEY_free);
+      break;
+    }
+  }
+
+/* Find insertion point and don't add duplicate elements. */
+for (s = dane->selectors[usage]; s; s = s->next)
+  if (s->value->selector == selector)
+    {
+    for (m = s->value->mtype; m; m = m->next)
+      if (m->value->md == md)
+	{
+	for (d = m->value->data; d; d = d->next)
+	  if (  d->value->datalen == dlen
+	     && memcmp(d->value->data, data, dlen) == 0)
+	    xkfreeret(1);
+	break;
+	}
+    break;
+    }
+
+if ((d = (dane_data_list) list_alloc(sizeof(*d->value) + dlen)) == 0)
+  xkfreeret(0);
+d->value->datalen = dlen;
+memcpy(d->value->data, data, dlen);
+if (!m)
+  {
+  if ((m = (dane_mtype_list) list_alloc(sizeof(*m->value))) == 0)
+    {
+    list_free(d, ossl_free);
+    xkfreeret(0);
+    }
+  m->value->data = 0;
+  if ((m->value->md = md) != 0)
+    m->value->mdlen = dlen;
+  if (!s)
+    {
+    if ((s = (dane_selector_list) list_alloc(sizeof(*s->value))) == 0)
+      {
+      list_free(m, dane_mtype_free);
+      xkfreeret(0);
+      }
+    s->value->mtype = 0;
+    s->value->selector = selector;
+    LINSERT(dane->selectors[usage], s);
+    }
+  LINSERT(s->value->mtype, m);
+  }
+LINSERT(m->value->data, d);
+
+if (xlist)
+  LINSERT(dane->certs, xlist);
+else if (klist)
+  LINSERT(dane->pkeys, klist);
+++dane->count;
+return 1;
+}
+
+
+
+
+/*
+Call this once we have an ssl connection handle but before
+making the TLS connection.
+
+=> In tls_client_start() after the call to SSL_new()
+and before the call to SSL_connect().  Exactly where
+probably does not matter.
+We probably want to keep our existing SNI handling;
+call this with NULL.
+
+Arguments:
+  ssl		Connection handle
+  sni_domain	Optional peer server name
+  hostnames	list of names to chack against peer cert
+
+Return
+  -1 on fatal error
+  0  nonfatal error
+  1  success
+*/
+
+int
+DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
+{
+ssl_dane *dane;
+
+DEBUG(D_tls) debug_printf("Dane ssl_init\n");
+if (dane_idx < 0)
+  {
+  DANEerr(DANESSL_F_INIT, DANESSL_R_LIBRARY_INIT);
+  return -1;
+  }
+
+if (sni_domain && !SSL_set_tlsext_host_name(ssl, sni_domain))
+  return 0;
+
+if ((dane = (ssl_dane *) OPENSSL_malloc(sizeof(ssl_dane))) == 0)
+  {
+  DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
+  return 0;
+  }
+if (!SSL_set_ex_data(ssl, dane_idx, dane))
+  {
+  DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
+  OPENSSL_free(dane);
+  return 0;
+  }
+
+dane->verify = 0;
+dane->hosts = 0;
+dane->thost = 0;
+dane->pkeys = 0;
+dane->certs = 0;
+dane->chain = 0;
+dane->match = 0;
+dane->roots = 0;
+dane->depth = -1;
+dane->mhost = 0;			/* Future SSL control interface */
+dane->mdpth = 0;			/* Future SSL control interface */
+dane->multi = 0;			/* Future SSL control interface */
+dane->count = 0;
+dane->hosts = 0;
+
+for (int i = 0; i <= DANESSL_USAGE_LAST; ++i)
+  dane->selectors[i] = 0;
+
+if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)
+  {
+  DANEerr(DANESSL_F_INIT, ERR_R_MALLOC_FAILURE);
+  DANESSL_cleanup(ssl);
+  return 0;
+  }
+
+return 1;
+}
+
+
+/*
+
+Call this once we have a context to work with, but
+before DANESSL_init()
+
+=> in tls_client_start(), after tls_init() call gives us the ctx,
+if we decide we want to (policy) and can (TLSA records available)
+replacing (? what about fallback) everything from testing tls_verify_hosts
+down to just before calling SSL_new() for the conn handle.
+
+Arguments
+  ctx		SSL context
+
+Return
+  -1	Error
+  1	Success
+*/
+
+int
+DANESSL_CTX_init(SSL_CTX *ctx)
+{
+DEBUG(D_tls) debug_printf("Dane ctx-init\n");
+if (dane_idx >= 0)
+  {
+  SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
+  return 1;
+  }
+DANEerr(DANESSL_F_CTX_INIT, DANESSL_R_LIBRARY_INIT);
+return -1;
+}
+
+static void
+dane_init(void)
+{
+/*
+ * Store library id in zeroth function slot, used to locate the library
+ * name.  This must be done before we load the error strings.
+ */
+err_lib_dane = ERR_get_next_error_library();
+
+#ifndef OPENSSL_NO_ERR
+if (err_lib_dane > 0)
+  {
+  dane_str_functs[0].error |= ERR_PACK(err_lib_dane, 0, 0);
+  ERR_load_strings(err_lib_dane, dane_str_functs);
+  ERR_load_strings(err_lib_dane, dane_str_reasons);
+  }
+#endif
+
+/*
+ * Register SHA-2 digests, if implemented and not already registered.
+ */
+#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+if (!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
+if (!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
+#endif
+#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+if (!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
+if (!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
+#endif
+
+/*
+ * Register an SSL index for the connection-specific ssl_dane structure.
+ * Using a separate index makes it possible to add DANE support to
+ * existing OpenSSL releases that don't have a suitable pointer in the
+ * SSL structure.
+ */
+dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
+}
+
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+static void
+run_once(volatile int * once, void (*init)(void))
+{
+int wlock = 0;
+
+CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
+if (!*once)
+  {
+  CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+  CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+  wlock = 1;
+  if (!*once)
+    {
+    *once = 1;
+    init();
+    }
+  }
+if (wlock)
+  CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+else
+  CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+}
+#endif
+
+
+
+/*
+
+Call this once.  Probably early in startup will do; may need
+to be after SSL library init.
+
+=> put after call to tls_init() for now
+
+Return
+  1	Success
+  0	Fail
+*/
+
+int
+DANESSL_library_init(void)
+{
+static CRYPTO_ONCE once = CRYPTO_ONCE_STATIC_INIT;
+
+DEBUG(D_tls) debug_printf("Dane lib-init\n");
+(void) CRYPTO_THREAD_run_once(&once, dane_init);
+
+#if defined(LN_sha256)
+/* No DANE without SHA256 support */
+if (dane_idx >= 0 && EVP_get_digestbyname(LN_sha256) != 0)
+  return 1;
+#endif
+DANEerr(DANESSL_F_LIBRARY_INIT, DANESSL_R_SUPPORT);
+return 0;
+}
+
+
+/* vi: aw ai sw=2
+*/
diff --git a/src/dane.c b/src/dane.c
new file mode 100644
index 0000000..5ba6196
--- /dev/null
+++ b/src/dane.c
@@ -0,0 +1,48 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2012, 2014 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This module provides DANE (RFC6659) support for Exim.  See also
+the draft RFC for DANE-over-SMTP, "SMTP security via opportunistic DANE TLS"
+(V. Dukhovni, W. Hardaker) - version 10, dated May 25, 2014.
+
+The code for DANE support with Openssl was provided by V.Dukhovni.
+
+No cryptographic code is included in Exim. All this module does is to call
+functions from the OpenSSL or GNU TLS libraries. */
+
+
+#include "exim.h"
+
+/* This module is compiled only when it is specifically requested in the
+build-time configuration. However, some compilers don't like compiling empty
+modules, so keep them happy with a dummy when skipping the rest. Make it
+reference itself to stop picky compilers complaining that it is unused, and put
+in a dummy argument to stop even pickier compilers complaining about infinite
+loops. */
+
+#ifndef SUPPORT_DANE
+static void dummy(int x) { dummy(x-1); }
+#else
+
+/* Enabling DANE without enabling TLS cannot work. Abort the compilation. */
+# ifdef DISABLE_TLS
+#  error DANE support requires that TLS support must be enabled. Abort build.
+# endif
+
+/* DNSSEC support is also required */
+# ifndef RES_USE_DNSSEC
+#  error DANE support requires that the DNS resolver library supports DNSSEC
+# endif
+
+# ifdef USE_OPENSSL
+#  include "dane-openssl.c"
+# endif
+
+
+#endif  /* SUPPORT_DANE */
+
+/* End of dane.c */
diff --git a/src/danessl.h b/src/danessl.h
new file mode 100644
index 0000000..1d6439e
--- /dev/null
+++ b/src/danessl.h
@@ -0,0 +1,47 @@
+/*
+ *  Author: Viktor Dukhovni
+ *  License: THIS CODE IS IN THE PUBLIC DOMAIN.
+ */
+#ifndef HEADER_DANESSL_H
+#define HEADER_DANESSL_H
+
+#include <stdint.h>
+#include <openssl/ssl.h>
+
+/*-
+ * Certificate usages:
+ * https://tools.ietf.org/html/rfc6698#section-2.1.1
+ */
+#define DANESSL_USAGE_PKIX_TA	0
+#define DANESSL_USAGE_PKIX_EE	1
+#define DANESSL_USAGE_DANE_TA	2
+#define DANESSL_USAGE_DANE_EE	3
+#define DANESSL_USAGE_LAST		DANESSL_USAGE_DANE_EE
+
+/*-
+ * Selectors:
+ * https://tools.ietf.org/html/rfc6698#section-2.1.2
+ */
+#define DANESSL_SELECTOR_CERT		0
+#define DANESSL_SELECTOR_SPKI		1
+#define DANESSL_SELECTOR_LAST		DANESSL_SELECTOR_SPKI
+
+/*-
+ * Matching types:
+ * https://tools.ietf.org/html/rfc6698#section-2.1.3
+ */
+#define DANESSL_MATCHING_FULL		0
+#define DANESSL_MATCHING_2256		1
+#define DANESSL_MATCHING_2512		2
+#define DANESSL_MATCHING_LAST		DANESSL_MATCHING_2512
+
+extern int DANESSL_library_init(void);
+extern int DANESSL_CTX_init(SSL_CTX *);
+extern int DANESSL_init(SSL *, const char *, const char **);
+extern void DANESSL_cleanup(SSL *);
+extern int DANESSL_add_tlsa(SSL *, uint8_t, uint8_t, const char *,
+			    unsigned const char *, size_t);
+extern int DANESSL_get_match_cert(SSL *, X509 **, const char **, int *);
+extern int DANESSL_verify_chain(SSL *, STACK_OF(X509) *);
+
+#endif
diff --git a/src/dbfn.c b/src/dbfn.c
new file mode 100644
index 0000000..ea94b7f
--- /dev/null
+++ b/src/dbfn.c
@@ -0,0 +1,681 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "exim.h"
+
+/* We have buffers holding path names for database files.
+PATH_MAX could be used here, but would be wasting memory, as we deal
+with database files like $spooldirectory/db/<name> */
+#define PATHLEN 256
+
+
+/* Functions for accessing Exim's hints database, which consists of a number of
+different DBM files. This module does not contain code for reading DBM files
+for (e.g.) alias expansion. That is all contained within the general search
+functions. As Exim now has support for several DBM interfaces, all the relevant
+functions are called as macros.
+
+All the data in Exim's database is in the nature of *hints*. Therefore it
+doesn't matter if it gets destroyed by accident. These functions are not
+supposed to implement a "safe" database.
+
+Keys are passed in as C strings, and the terminating zero *is* used when
+building the dbm files. This just makes life easier when scanning the files
+sequentially.
+
+Synchronization is required on the database files, and this is achieved by
+means of locking on independent lock files. (Earlier attempts to lock on the
+DBM files themselves were never completely successful.) Since callers may in
+general want to do more than one read or write while holding the lock, there
+are separate open and close functions. However, the calling modules should
+arrange to hold the locks for the bare minimum of time. */
+
+
+
+/*************************************************
+*          Open and lock a database file         *
+*************************************************/
+
+/* Used for accessing Exim's hints databases.
+
+Arguments:
+  name     The single-component name of one of Exim's database files.
+  flags    Either O_RDONLY or O_RDWR, indicating the type of open required;
+             O_RDWR implies "create if necessary"
+  dbblock  Points to an open_db block to be filled in.
+  lof      If TRUE, write to the log for actual open failures (locking failures
+           are always logged).
+  panic	   If TRUE, panic on failure to create the db directory
+
+Returns:   NULL if the open failed, or the locking failed. After locking
+           failures, errno is zero.
+
+           On success, dbblock is returned. This contains the dbm pointer and
+           the fd of the locked lock file.
+
+There are some calls that use O_RDWR|O_CREAT for the flags. Having discovered
+this in December 2005, I'm not sure if this is correct or not, but for the
+moment I haven't changed them.
+*/
+
+open_db *
+dbfn_open(uschar *name, int flags, open_db *dbblock, BOOL lof, BOOL panic)
+{
+int rc, save_errno;
+BOOL read_only = flags == O_RDONLY;
+flock_t lock_data;
+uschar dirname[PATHLEN], filename[PATHLEN];
+
+DEBUG(D_hints_lookup) acl_level++;
+
+/* The first thing to do is to open a separate file on which to lock. This
+ensures that Exim has exclusive use of the database before it even tries to
+open it. Early versions tried to lock on the open database itself, but that
+gave rise to mysterious problems from time to time - it was suspected that some
+DB libraries "do things" on their open() calls which break the interlocking.
+The lock file is never written to, but we open it for writing so we can get a
+write lock if required. If it does not exist, we create it. This is done
+separately so we know when we have done it, because when running as root we
+need to change the ownership - see the bottom of this function. We also try to
+make the directory as well, just in case. We won't be doing this many times
+unnecessarily, because usually the lock file will be there. If the directory
+exists, there is no error. */
+
+snprintf(CS dirname, sizeof(dirname), "%s/db", spool_directory);
+snprintf(CS filename, sizeof(filename), "%s/%s.lockfile", dirname, name);
+
+priv_drop_temp(exim_uid, exim_gid);
+if ((dbblock->lockfd = Uopen(filename, O_RDWR, EXIMDB_LOCKFILE_MODE)) < 0)
+  {
+  (void)directory_make(spool_directory, US"db", EXIMDB_DIRECTORY_MODE, panic);
+  dbblock->lockfd = Uopen(filename, O_RDWR|O_CREAT, EXIMDB_LOCKFILE_MODE);
+  }
+priv_restore();
+
+if (dbblock->lockfd < 0)
+  {
+  log_write(0, LOG_MAIN, "%s",
+    string_open_failed("database lock file %s", filename));
+  errno = 0;      /* Indicates locking failure */
+  DEBUG(D_hints_lookup) acl_level--;
+  return NULL;
+  }
+
+/* Now we must get a lock on the opened lock file; do this with a blocking
+lock that times out. */
+
+lock_data.l_type = read_only? F_RDLCK : F_WRLCK;
+lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
+
+DEBUG(D_hints_lookup|D_retry|D_route|D_deliver)
+  debug_printf_indent("locking %s\n", filename);
+
+sigalrm_seen = FALSE;
+ALARM(EXIMDB_LOCK_TIMEOUT);
+rc = fcntl(dbblock->lockfd, F_SETLKW, &lock_data);
+ALARM_CLR(0);
+
+if (sigalrm_seen) errno = ETIMEDOUT;
+if (rc < 0)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "Failed to get %s lock for %s: %s",
+    read_only ? "read" : "write", filename,
+    errno == ETIMEDOUT ? "timed out" : strerror(errno));
+  (void)close(dbblock->lockfd);
+  errno = 0;       /* Indicates locking failure */
+  DEBUG(D_hints_lookup) acl_level--;
+  return NULL;
+  }
+
+DEBUG(D_hints_lookup) debug_printf_indent("locked  %s\n", filename);
+
+/* At this point we have an opened and locked separate lock file, that is,
+exclusive access to the database, so we can go ahead and open it. If we are
+expected to create it, don't do so at first, again so that we can detect
+whether we need to change its ownership (see comments about the lock file
+above.) There have been regular reports of crashes while opening hints
+databases - often this is caused by non-matching db.h and the library. To make
+it easy to pin this down, there are now debug statements on either side of the
+open call. */
+
+snprintf(CS filename, sizeof(filename), "%s/%s", dirname, name);
+
+priv_drop_temp(exim_uid, exim_gid);
+dbblock->dbptr = exim_dbopen(filename, dirname, flags, EXIMDB_MODE);
+if (!dbblock->dbptr && errno == ENOENT && flags == O_RDWR)
+  {
+  DEBUG(D_hints_lookup)
+    debug_printf_indent("%s appears not to exist: trying to create\n", filename);
+  dbblock->dbptr = exim_dbopen(filename, dirname, flags|O_CREAT, EXIMDB_MODE);
+  }
+save_errno = errno;
+priv_restore();
+
+/* If the open has failed, return NULL, leaving errno set. If lof is TRUE,
+log the event - also for debugging - but debug only if the file just doesn't
+exist. */
+
+if (!dbblock->dbptr)
+  {
+  errno = save_errno;
+  if (lof && save_errno != ENOENT)
+    log_write(0, LOG_MAIN, "%s", string_open_failed("DB file %s",
+        filename));
+  else
+    DEBUG(D_hints_lookup)
+      debug_printf_indent("%s\n", CS string_open_failed("DB file %s",
+          filename));
+  (void)close(dbblock->lockfd);
+  errno = save_errno;
+  DEBUG(D_hints_lookup) acl_level--;
+  return NULL;
+  }
+
+DEBUG(D_hints_lookup)
+  debug_printf_indent("opened hints database %s: flags=%s\n", filename,
+    flags == O_RDONLY ? "O_RDONLY"
+    : flags == O_RDWR ? "O_RDWR"
+    : flags == (O_RDWR|O_CREAT) ? "O_RDWR|O_CREAT"
+    : "??");
+
+/* Pass back the block containing the opened database handle and the open fd
+for the lock. */
+
+return dbblock;
+}
+
+
+
+
+/*************************************************
+*         Unlock and close a database file       *
+*************************************************/
+
+/* Closing a file automatically unlocks it, so after closing the database, just
+close the lock file.
+
+Argument: a pointer to an open database block
+Returns:  nothing
+*/
+
+void
+dbfn_close(open_db *dbblock)
+{
+exim_dbclose(dbblock->dbptr);
+(void)close(dbblock->lockfd);
+DEBUG(D_hints_lookup)
+  { debug_printf_indent("closed hints database and lockfile\n"); acl_level--; }
+}
+
+
+
+
+/*************************************************
+*             Read from database file            *
+*************************************************/
+
+/* Passing back the pointer unchanged is useless, because there is
+no guarantee of alignment. Since all the records used by Exim need
+to be properly aligned to pick out the timestamps, etc., we might as
+well do the copying centrally here.
+
+Most calls don't need the length, so there is a macro called dbfn_read which
+has two arguments; it calls this function adding NULL as the third.
+
+Arguments:
+  dbblock   a pointer to an open database block
+  key       the key of the record to be read
+  length    a pointer to an int into which to return the length, if not NULL
+
+Returns: a pointer to the retrieved record, or
+         NULL if the record is not found
+*/
+
+void *
+dbfn_read_with_length(open_db *dbblock, const uschar *key, int *length)
+{
+void *yield;
+EXIM_DATUM key_datum, result_datum;
+int klen = Ustrlen(key) + 1;
+uschar * key_copy = store_get(klen, key);
+
+memcpy(key_copy, key, klen);
+
+DEBUG(D_hints_lookup) debug_printf_indent("dbfn_read: key=%s\n", key);
+
+exim_datum_init(&key_datum);         /* Some DBM libraries require the datum */
+exim_datum_init(&result_datum);      /* to be cleared before use. */
+exim_datum_data_set(&key_datum, key_copy);
+exim_datum_size_set(&key_datum, klen);
+
+if (!exim_dbget(dbblock->dbptr, &key_datum, &result_datum)) return NULL;
+
+/* Assume the data store could have been tainted.  Properly, we should
+store the taint status with the data. */
+
+yield = store_get(exim_datum_size_get(&result_datum), GET_TAINTED);
+memcpy(yield, exim_datum_data_get(&result_datum), exim_datum_size_get(&result_datum));
+if (length) *length = exim_datum_size_get(&result_datum);
+
+exim_datum_free(&result_datum);    /* Some DBM libs require freeing */
+return yield;
+}
+
+
+/* Read a record.  If the length is not as expected then delete it, write
+an error log line, delete the record and return NULL.
+Use this for fixed-size records (so not retry or wait records).
+
+Arguments:
+  dbblock   a pointer to an open database block
+  key       the key of the record to be read
+  length    the expected record length
+
+Returns: a pointer to the retrieved record, or
+         NULL if the record is not found/bad
+*/
+
+void *
+dbfn_read_enforce_length(open_db * dbblock, const uschar * key, size_t length)
+{
+int rlen;
+void * yield = dbfn_read_with_length(dbblock, key, &rlen);
+
+if (yield)
+  {
+  if (rlen == length) return yield;
+  log_write(0, LOG_MAIN|LOG_PANIC, "Bad db record size for '%s'", key);
+  dbfn_delete(dbblock, key);
+  }
+return NULL;
+}
+
+
+/*************************************************
+*             Write to database file             *
+*************************************************/
+
+/*
+Arguments:
+  dbblock   a pointer to an open database block
+  key       the key of the record to be written
+  ptr       a pointer to the record to be written
+  length    the length of the record to be written
+
+Returns:    the yield of the underlying dbm or db "write" function. If this
+            is dbm, the value is zero for OK.
+*/
+
+int
+dbfn_write(open_db *dbblock, const uschar *key, void *ptr, int length)
+{
+EXIM_DATUM key_datum, value_datum;
+dbdata_generic *gptr = (dbdata_generic *)ptr;
+int klen = Ustrlen(key) + 1;
+uschar * key_copy = store_get(klen, key);
+
+memcpy(key_copy, key, klen);
+gptr->time_stamp = time(NULL);
+
+DEBUG(D_hints_lookup) debug_printf_indent("dbfn_write: key=%s\n", key);
+
+exim_datum_init(&key_datum);         /* Some DBM libraries require the datum */
+exim_datum_init(&value_datum);       /* to be cleared before use. */
+exim_datum_data_set(&key_datum, key_copy);
+exim_datum_size_set(&key_datum, klen);
+exim_datum_data_set(&value_datum, ptr);
+exim_datum_size_set(&value_datum, length);
+return exim_dbput(dbblock->dbptr, &key_datum, &value_datum);
+}
+
+
+
+/*************************************************
+*           Delete record from database file     *
+*************************************************/
+
+/*
+Arguments:
+  dbblock    a pointer to an open database block
+  key        the key of the record to be deleted
+
+Returns: the yield of the underlying dbm or db "delete" function.
+*/
+
+int
+dbfn_delete(open_db *dbblock, const uschar *key)
+{
+int klen = Ustrlen(key) + 1;
+uschar * key_copy = store_get(klen, key);
+EXIM_DATUM key_datum;
+
+DEBUG(D_hints_lookup) debug_printf_indent("dbfn_delete: key=%s\n", key);
+
+memcpy(key_copy, key, klen);
+exim_datum_init(&key_datum);         /* Some DBM libraries require clearing */
+exim_datum_data_set(&key_datum, key_copy);
+exim_datum_size_set(&key_datum, klen);
+return exim_dbdel(dbblock->dbptr, &key_datum);
+}
+
+
+
+/*************************************************
+*         Scan the keys of a database file       *
+*************************************************/
+
+/*
+Arguments:
+  dbblock  a pointer to an open database block
+  start    TRUE if starting a new scan
+           FALSE if continuing with the current scan
+  cursor   a pointer to a pointer to a cursor anchor, for those dbm libraries
+           that use the notion of a cursor
+
+Returns:   the next record from the file, or
+           NULL if there are no more
+*/
+
+uschar *
+dbfn_scan(open_db *dbblock, BOOL start, EXIM_CURSOR **cursor)
+{
+EXIM_DATUM key_datum, value_datum;
+uschar *yield;
+
+DEBUG(D_hints_lookup) debug_printf_indent("dbfn_scan\n");
+
+/* Some dbm require an initialization */
+
+if (start) *cursor = exim_dbcreate_cursor(dbblock->dbptr);
+
+exim_datum_init(&key_datum);         /* Some DBM libraries require the datum */
+exim_datum_init(&value_datum);       /* to be cleared before use. */
+
+yield = exim_dbscan(dbblock->dbptr, &key_datum, &value_datum, start, *cursor)
+  ? US exim_datum_data_get(&key_datum) : NULL;
+
+/* Some dbm require a termination */
+
+if (!yield) exim_dbdelete_cursor(*cursor);
+return yield;
+}
+
+
+
+/*************************************************
+**************************************************
+*             Stand-alone test program           *
+**************************************************
+*************************************************/
+
+#ifdef STAND_ALONE
+
+int
+main(int argc, char **cargv)
+{
+open_db dbblock[8];
+int max_db = sizeof(dbblock)/sizeof(open_db);
+int current = -1;
+int showtime = 0;
+int i;
+dbdata_wait *dbwait = NULL;
+uschar **argv = USS cargv;
+uschar buffer[256];
+uschar structbuffer[1024];
+
+if (argc != 2)
+  {
+  printf("Usage: test_dbfn directory\n");
+  printf("The subdirectory called \"db\" in the given directory is used for\n");
+  printf("the files used in this test program.\n");
+  return 1;
+  }
+
+/* Initialize */
+
+spool_directory = argv[1];
+debug_selector = D_all - D_memory;
+debug_file = stderr;
+big_buffer = malloc(big_buffer_size);
+
+for (i = 0; i < max_db; i++) dbblock[i].dbptr = NULL;
+
+printf("\nExim's db functions tester: interface type is %s\n", EXIM_DBTYPE);
+printf("DBM library: ");
+
+#ifdef DB_VERSION_STRING
+printf("Berkeley DB: %s\n", DB_VERSION_STRING);
+#elif defined(BTREEVERSION) && defined(HASHVERSION)
+  #ifdef USE_DB
+  printf("probably Berkeley DB version 1.8x (native mode)\n");
+  #else
+  printf("probably Berkeley DB version 1.8x (compatibility mode)\n");
+  #endif
+#elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
+printf("probably ndbm\n");
+#elif defined(USE_TDB)
+printf("using tdb\n");
+#else
+  #ifdef USE_GDBM
+  printf("probably GDBM (native mode)\n");
+  #else
+  printf("probably GDBM (compatibility mode)\n");
+  #endif
+#endif
+
+/* Test the functions */
+
+printf("\nTest the functions\n> ");
+
+while (Ufgets(buffer, 256, stdin) != NULL)
+  {
+  int len = Ustrlen(buffer);
+  int count = 1;
+  clock_t start = 1;
+  clock_t stop = 0;
+  uschar *cmd = buffer;
+  while (len > 0 && isspace((uschar)buffer[len-1])) len--;
+  buffer[len] = 0;
+
+  if (isdigit((uschar)*cmd))
+    {
+    count = Uatoi(cmd);
+    while (isdigit((uschar)*cmd)) cmd++;
+    while (isspace((uschar)*cmd)) cmd++;
+    }
+
+  if (Ustrncmp(cmd, "open", 4) == 0)
+    {
+    int i;
+    open_db *odb;
+    uschar *s = cmd + 4;
+    while (isspace((uschar)*s)) s++;
+
+    for (i = 0; i < max_db; i++)
+      if (dbblock[i].dbptr == NULL) break;
+
+    if (i >= max_db)
+      {
+      printf("Too many open databases\n> ");
+      continue;
+      }
+
+    start = clock();
+    odb = dbfn_open(s, O_RDWR, dbblock + i, TRUE, TRUE);
+    stop = clock();
+
+    if (odb)
+      {
+      current = i;
+      printf("opened %d\n", current);
+      }
+    /* Other error cases will have written messages */
+    else if (errno == ENOENT)
+      {
+      printf("open failed: %s%s\n", strerror(errno),
+        #ifdef USE_DB
+        " (or other Berkeley DB error)"
+        #else
+        ""
+        #endif
+        );
+      }
+    }
+
+  else if (Ustrncmp(cmd, "write", 5) == 0)
+    {
+    int rc = 0;
+    uschar *key = cmd + 5;
+    uschar *data;
+
+    if (current < 0)
+      {
+      printf("No current database\n");
+      continue;
+      }
+
+    while (isspace((uschar)*key)) key++;
+    data = key;
+    while (*data != 0 && !isspace((uschar)*data)) data++;
+    *data++ = 0;
+    while (isspace((uschar)*data)) data++;
+
+    dbwait = (dbdata_wait *)(&structbuffer);
+    Ustrcpy(dbwait->text, data);
+
+    start = clock();
+    while (count-- > 0)
+      rc = dbfn_write(dbblock + current, key, dbwait,
+        Ustrlen(data) + sizeof(dbdata_wait));
+    stop = clock();
+    if (rc != 0) printf("Failed: %s\n", strerror(errno));
+    }
+
+  else if (Ustrncmp(cmd, "read", 4) == 0)
+    {
+    uschar *key = cmd + 4;
+    if (current < 0)
+      {
+      printf("No current database\n");
+      continue;
+      }
+    while (isspace((uschar)*key)) key++;
+    start = clock();
+    while (count-- > 0)
+      dbwait = (dbdata_wait *)dbfn_read_with_length(dbblock+ current, key, NULL);
+    stop = clock();
+    printf("%s\n", (dbwait == NULL)? "<not found>" : CS dbwait->text);
+    }
+
+  else if (Ustrncmp(cmd, "delete", 6) == 0)
+    {
+    uschar *key = cmd + 6;
+    if (current < 0)
+      {
+      printf("No current database\n");
+      continue;
+      }
+    while (isspace((uschar)*key)) key++;
+    dbfn_delete(dbblock + current, key);
+    }
+
+  else if (Ustrncmp(cmd, "scan", 4) == 0)
+    {
+    EXIM_CURSOR *cursor;
+    BOOL startflag = TRUE;
+    uschar *key;
+    uschar keybuffer[256];
+    if (current < 0)
+      {
+      printf("No current database\n");
+      continue;
+      }
+    start = clock();
+    while ((key = dbfn_scan(dbblock + current, startflag, &cursor)) != NULL)
+      {
+      startflag = FALSE;
+      Ustrcpy(keybuffer, key);
+      dbwait = (dbdata_wait *)dbfn_read_with_length(dbblock + current,
+        keybuffer, NULL);
+      printf("%s: %s\n", keybuffer, dbwait->text);
+      }
+    stop = clock();
+    printf("End of scan\n");
+    }
+
+  else if (Ustrncmp(cmd, "close", 5) == 0)
+    {
+    uschar *s = cmd + 5;
+    while (isspace((uschar)*s)) s++;
+    i = Uatoi(s);
+    if (i >= max_db || dbblock[i].dbptr == NULL) printf("Not open\n"); else
+      {
+      start = clock();
+      dbfn_close(dbblock + i);
+      stop = clock();
+      dbblock[i].dbptr = NULL;
+      if (i == current) current = -1;
+      }
+    }
+
+  else if (Ustrncmp(cmd, "file", 4) == 0)
+    {
+    uschar *s = cmd + 4;
+    while (isspace((uschar)*s)) s++;
+    i = Uatoi(s);
+    if (i >= max_db || dbblock[i].dbptr == NULL) printf("Not open\n");
+      else current = i;
+    }
+
+  else if (Ustrncmp(cmd, "time", 4) == 0)
+    {
+    showtime = ~showtime;
+    printf("Timing %s\n", showtime? "on" : "off");
+    }
+
+  else if (Ustrcmp(cmd, "q") == 0 || Ustrncmp(cmd, "quit", 4) == 0) break;
+
+  else if (Ustrncmp(cmd, "help", 4) == 0)
+    {
+    printf("close  [<number>]              close file [<number>]\n");
+    printf("delete <key>                   remove record from current file\n");
+    printf("file   <number>                make file <number> current\n");
+    printf("open   <name>                  open db file\n");
+    printf("q[uit]                         exit program\n");
+    printf("read   <key>                   read record from current file\n");
+    printf("scan                           scan current file\n");
+    printf("time                           time display on/off\n");
+    printf("write  <key> <rest-of-line>    write record to current file\n");
+    }
+
+  else printf("Eh?\n");
+
+  if (showtime && stop >= start)
+    printf("start=%d stop=%d difference=%d\n", (int)start, (int)stop,
+     (int)(stop - start));
+
+  printf("> ");
+  }
+
+for (i = 0; i < max_db; i++)
+  {
+  if (dbblock[i].dbptr != NULL)
+    {
+    printf("\nClosing %d", i);
+    dbfn_close(dbblock + i);
+    }
+  }
+
+printf("\n");
+return 0;
+}
+
+#endif
+
+/* End of dbfn.c */
diff --git a/src/dbfunctions.h b/src/dbfunctions.h
new file mode 100644
index 0000000..07d4a62
--- /dev/null
+++ b/src/dbfunctions.h
@@ -0,0 +1,38 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#ifndef DBFUNCTIONS_H
+#define DBFUNCTIONS_H
+
+/* Functions for reading/writing exim database files */
+
+void     dbfn_close(open_db *);
+int      dbfn_delete(open_db *, const uschar *);
+open_db *dbfn_open(uschar *, int, open_db *, BOOL, BOOL);
+void    *dbfn_read_with_length(open_db *, const uschar *, int *);
+void    *dbfn_read_enforce_length(open_db *, const uschar *, size_t);
+uschar  *dbfn_scan(open_db *, BOOL, EXIM_CURSOR **);
+int      dbfn_write(open_db *, const uschar *, void *, int);
+
+/* Macro for the common call to read without wanting to know the length. */
+
+#define  dbfn_read(a, b) dbfn_read_with_length(a, b, NULL)
+
+/* Berkeley DB uses a callback function to pass back error details. Its API
+changed at release 4.3. */
+
+#if defined(USE_DB) && defined(DB_VERSION_STRING)
+# if DB_VERSION_MAJOR > 4 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 3)
+void     dbfn_bdb_error_callback(const DB_ENV *, const char *, const char *);
+# else
+void     dbfn_bdb_error_callback(const char *, char *);
+# endif
+#endif
+
+#endif
+/* End of dbfunctions.h */
diff --git a/src/dcc.c b/src/dcc.c
new file mode 100644
index 0000000..a9124a0
--- /dev/null
+++ b/src/dcc.c
@@ -0,0 +1,490 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Wolfgang Breyha 2005 - 2019
+ * Vienna University Computer Center
+ * wbreyha@gmx.net
+ * See the file NOTICE for conditions of use and distribution.
+ *
+ * Copyright (c) The Exim Maintainers 2015 - 2021
+ */
+
+/* Code for calling dccifd. Called from acl.c. */
+
+#include "exim.h"
+#ifdef EXPERIMENTAL_DCC
+#include "dcc.h"
+#include "unistd.h"
+
+#define DCC_HEADER_LIMIT 120
+
+int dcc_ok = 0;
+int dcc_rc = 0;
+
+/* This function takes a file descriptor and a buffer as input and
+returns either 0 for success or errno in case of error. */
+
+static int flushbuffer
+(int socket, gstring *buffer)
+{
+int rsp;
+
+rsp = write(socket, buffer->s, buffer->ptr);
+DEBUG(D_acl)
+  debug_printf("DCC: flushbuffer(): Result of the write() = %d\n", rsp);
+if(rsp < 0)
+  {
+  DEBUG(D_acl)
+    debug_printf("DCC: flushbuffer(): Error writing buffer to socket: %s\n", strerror(errno));
+  return errno;
+  }
+DEBUG(D_acl)
+  debug_printf("DCC: flushbuffer(): Wrote buffer to socket:\n%.*s\n", buffer->ptr, buffer->s);
+return 0;
+}
+
+int
+dcc_process(uschar **listptr)
+{
+int sep = 0;
+const uschar *list = *listptr;
+FILE *data_file;
+uschar *dcc_default_ip_option = US"127.0.0.1";
+uschar *dcc_helo_option = US"localhost";
+uschar *xtra_hdrs = NULL;
+uschar *override_client_ip  = NULL;
+
+/* from local_scan */
+int dcc_resplen, retval, sockfd, resp;
+unsigned int portnr;
+struct sockaddr_un  serv_addr;
+struct sockaddr_in  serv_addr_in;
+struct hostent *ipaddress;
+uschar sockpath[128];
+uschar sockip[40], client_ip[40];
+gstring *dcc_headers;
+gstring *sendbuf;
+uschar *dcc_return_text = US"''";
+struct header_line *mail_headers;
+uschar *dcc_acl_options;
+gstring *dcc_xtra_hdrs;
+gstring *dcc_header_str;
+
+/* grep 1st option */
+if ((dcc_acl_options = string_nextinlist(&list, &sep, NULL, 0)))
+  {
+  /* parse 1st option */
+  if (  strcmpic(dcc_acl_options, US"false") == 0
+     || Ustrcmp(dcc_acl_options, "0") == 0)
+    return FAIL;	/* explicitly no matching */
+  }
+else
+  return FAIL;	/* empty means "don't match anything" */
+
+sep = 0;
+
+/* if we scanned this message last time, just return */
+if (dcc_ok)
+  return dcc_rc;
+
+/* open the spooled body */
+for (int i = 0; i < 2; i++)
+  {
+  uschar message_subdir[2];
+  set_subdir_str(message_subdir, message_id, i);
+  if ((data_file = Ufopen(
+	  spool_fname(US"input", message_subdir, message_id, US"-D"), "rb")))
+    break;
+  }
+
+if (!data_file)
+  {
+  /* error while spooling */
+  log_write(0, LOG_MAIN|LOG_PANIC,
+	 "DCC: error while opening spool file");
+  return DEFER;
+  }
+
+/* Initialize the variables */
+
+bzero(sockip,sizeof(sockip));
+if (dccifd_address)
+  {
+  if (dccifd_address[0] == '/')
+    Ustrncpy(sockpath, dccifd_address, sizeof(sockpath));
+  else
+    if( sscanf(CS dccifd_address, "%s %u", sockip, &portnr) != 2)
+      {
+      log_write(0, LOG_MAIN,
+	"DCC: warning - invalid dccifd address: '%s'", dccifd_address);
+      (void)fclose(data_file);
+      return DEFER;
+      }
+  }
+
+/* dcc_headers is what we send as dccifd options - see man dccifd */
+/* We don't support any other option than 'header' so just copy that */
+dcc_headers = string_cat(NULL, dccifd_options);
+/* if $acl_m_dcc_override_client_ip is set use it */
+if (((override_client_ip = expand_string(US"$acl_m_dcc_override_client_ip")) != NULL) &&
+     (override_client_ip[0] != '\0'))
+  {
+  Ustrncpy(client_ip, override_client_ip, sizeof(client_ip)-1);
+  DEBUG(D_acl)
+    debug_printf("DCC: Client IP (overridden): %s\n", client_ip);
+  }
+else if(sender_host_address)
+  {
+  /* else if $sender_host_address is available use that? */
+  Ustrncpy(client_ip, sender_host_address, sizeof(client_ip)-1);
+  DEBUG(D_acl)
+    debug_printf("DCC: Client IP (sender_host_address): %s\n", client_ip);
+  }
+else
+  {
+  /* sender_host_address is NULL which means it comes from localhost */
+  Ustrncpy(client_ip, dcc_default_ip_option, sizeof(client_ip)-1);
+  DEBUG(D_acl)
+    debug_printf("DCC: Client IP (default): %s\n", client_ip);
+  }
+/* build options block */
+dcc_headers = string_append(dcc_headers, 5, US"\n", client_ip, US"\nHELO ", dcc_helo_option, US"\n");
+
+/* initialize the other variables */
+mail_headers = header_list;
+/* we set the default return value to DEFER */
+retval = DEFER;
+
+/* send a null return path as "<>". */
+dcc_headers = string_cat (dcc_headers, *sender_address ? sender_address : US"<>");
+dcc_headers = string_catn(dcc_headers, US"\n", 1);
+
+/**************************************
+ * Now creating the socket connection *
+ **************************************/
+
+/* If sockip contains an ip, we use a tcp socket, otherwise a UNIX socket */
+if(Ustrcmp(sockip, ""))
+  {
+  ipaddress = gethostbyname(CS sockip);
+  bzero(CS  &serv_addr_in, sizeof(serv_addr_in));
+  serv_addr_in.sin_family = AF_INET;
+  bcopy(CS ipaddress->h_addr, CS &serv_addr_in.sin_addr.s_addr, ipaddress->h_length);
+  serv_addr_in.sin_port = htons(portnr);
+  if ((sockfd = socket(AF_INET, SOCK_STREAM,0)) < 0)
+    {
+    DEBUG(D_acl)
+      debug_printf("DCC: Creating TCP socket connection failed: %s\n", strerror(errno));
+    log_write(0,LOG_PANIC,"DCC: Creating TCP socket connection failed: %s\n", strerror(errno));
+    /* if we cannot create the socket, defer the mail */
+    (void)fclose(data_file);
+    return retval;
+    }
+  /* Now connecting the socket (INET) */
+  if (connect(sockfd, (struct sockaddr *)&serv_addr_in, sizeof(serv_addr_in)) < 0)
+    {
+    DEBUG(D_acl)
+      debug_printf("DCC: Connecting to TCP socket failed: %s\n", strerror(errno));
+    log_write(0,LOG_PANIC,"DCC: Connecting to TCP socket failed: %s\n", strerror(errno));
+    /* if we cannot contact the socket, defer the mail */
+    (void)fclose(data_file);
+    return retval;
+    }
+  }
+else
+  {
+  /* connecting to the dccifd UNIX socket */
+  bzero(&serv_addr, sizeof(serv_addr));
+  serv_addr.sun_family = AF_UNIX;
+  Ustrncpy(US serv_addr.sun_path, sockpath, sizeof(serv_addr.sun_path));
+  if ((sockfd = socket(AF_UNIX, SOCK_STREAM,0)) < 0)
+    {
+    DEBUG(D_acl)
+      debug_printf("DCC: Creating UNIX socket connection failed: %s\n", strerror(errno));
+    log_write(0,LOG_PANIC,"DCC: Creating UNIX socket connection failed: %s\n", strerror(errno));
+    /* if we cannot create the socket, defer the mail */
+    (void)fclose(data_file);
+    return retval;
+    }
+  /* Now connecting the socket (UNIX) */
+  if (connect(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0)
+    {
+    DEBUG(D_acl)
+      debug_printf("DCC: Connecting to UNIX socket failed: %s\n", strerror(errno));
+    log_write(0,LOG_PANIC,"DCC: Connecting to UNIX socket failed: %s\n", strerror(errno));
+    /* if we cannot contact the socket, defer the mail */
+    (void)fclose(data_file);
+    return retval;
+    }
+  }
+/* the socket is open, now send the options to dccifd*/
+DEBUG(D_acl)
+  debug_printf("DCC: -----------------------------------\nDCC: Socket opened; now sending input\n"
+	       "DCC: -----------------------------------\n");
+
+/* let's send each of the recipients to dccifd */
+for (int i = 0; i < recipients_count; i++)
+  {
+  DEBUG(D_acl)
+    debug_printf("DCC: recipient = %s\n",recipients_list[i].address);
+  dcc_headers = string_append(dcc_headers, 2, recipients_list[i].address, "\n");
+  }
+/* send a blank line between options and message */
+dcc_headers = string_catn(dcc_headers, US"\n", 1);
+/* Now we send the input buffer */
+(void) string_from_gstring(dcc_headers);
+DEBUG(D_acl)
+  debug_printf("DCC: ***********************************\nDCC: Sending options:\n%s"
+	       "DCC: ***********************************\n", dcc_headers->s);
+if (flushbuffer(sockfd, dcc_headers) != 0)
+  {
+  (void)fclose(data_file);
+  return retval;
+  }
+
+/* now send the message */
+/* First send the headers */
+DEBUG(D_acl)
+  debug_printf("DCC: ***********************************\nDCC: Sending headers:\n");
+sendbuf = string_get(8192);
+sendbuf = string_catn(sendbuf, mail_headers->text, mail_headers->slen);
+while((mail_headers=mail_headers->next))
+  sendbuf = string_catn(sendbuf, mail_headers->text, mail_headers->slen);
+
+/* a blank line separates header from body */
+sendbuf = string_catn(sendbuf, US"\r\n", 2);
+(void) string_from_gstring(sendbuf);
+gstring_release_unused(sendbuf);
+DEBUG(D_acl)
+  debug_printf("%sDCC: ***********************************\n", sendbuf->s);
+if (flushbuffer(sockfd, sendbuf) != 0)
+  {
+  (void)fclose(data_file);
+  return retval;
+  }
+
+/* now send the body */
+DEBUG(D_acl)
+  debug_printf("DCC: ***********************************\nDCC: Writing body:\n");
+(void)fseek(data_file, SPOOL_DATA_START_OFFSET, SEEK_SET);
+
+gstring filebuf = { .size = big_buffer_size, .ptr = 0, .s = big_buffer };
+
+while((filebuf.ptr = fread(filebuf.s, 1, filebuf.size, data_file)) > 0)
+  if (flushbuffer(sockfd, &filebuf) != 0)
+    {
+    (void)fclose(data_file);
+    return retval;
+    }
+DEBUG(D_acl)
+  debug_printf("DCC: ***********************************\n");
+
+/* shutdown() the socket */
+if(shutdown(sockfd, SHUT_WR) < 0)
+  {
+  DEBUG(D_acl)
+    debug_printf("DCC: Couldn't shutdown socket: %s\n", strerror(errno));
+  log_write(0,LOG_MAIN,"DCC: Couldn't shutdown socket: %s\n", strerror(errno));
+  /* If there is a problem with the shutdown()
+   * defer the mail. */
+  (void)fclose(data_file);
+  return retval;
+  }
+DEBUG(D_acl)
+  debug_printf("DCC: Input sent.\n"
+	       "DCC: +++++++++++++++++++++++++++++++++++\n"
+	       "DCC: Now receiving output from server\n"
+	       "DCC: -----------------------------------\n");
+
+/********************************
+ * receiving output from dccifd *
+ ********************************/
+
+/******************************************************************
+ * We should get 3 lines:                                         *
+ * 1/ First line is overall result: either 'A' for Accept,        *
+ *    'R' for Reject, 'S' for accept Some recipients or           *
+ *    'T' for a Temporary error.                                  *
+ * 2/ Second line contains the list of Accepted/Rejected          *
+ *    recipients in the form AARRA (A = accepted, R = rejected).  *
+ * 3/ Third line contains the X-DCC header.                       *
+ ******************************************************************/
+
+int line = 1;    /* we start at the first line of the output */
+int bufoffset;
+
+dcc_header_str = string_get(DCC_HEADER_LIMIT + 2);
+/* Let's read from the socket until there's nothing left to read */
+while((dcc_resplen = read(sockfd, big_buffer, big_buffer_size-1)) > 0)
+  {
+  /* fail on read error */
+  if(dcc_resplen < 0)
+    {
+    DEBUG(D_acl)
+      debug_printf("DCC: Error reading from socket: %s\n", strerror(errno));
+    (void)fclose(data_file);
+    return retval;
+    }
+  /* make the answer 0-terminated. only needed for debug_printf */
+  DEBUG(D_acl)
+    debug_printf("DCC: Length of the output buffer is: %d\nDCC: Output buffer is:\n"
+		 "DCC: -----------------------------------\n%.*s\n"
+		 "DCC: -----------------------------------\n", dcc_resplen, dcc_resplen, big_buffer);
+
+  /* Now let's read each character and see what we've got */
+  for(bufoffset = 0; bufoffset < dcc_resplen && line <= 2; bufoffset++)
+    {
+    /* First check if we reached the end of the line and
+    then increment the line counter */
+    if(big_buffer[bufoffset] == '\n')
+      line++;
+    else
+      {
+      /* The first character of the first line is the overall response. If
+      there's another character on that line it is not correct. */
+      if(line == 1)
+	{
+	if(bufoffset == 0)
+	  {
+	  /* Now get the value and set the return value accordingly */
+	  switch (big_buffer[bufoffset])
+	    {
+	    case 'A':
+	      DEBUG(D_acl)
+		debug_printf("DCC: Overall result = A\treturning OK\n");
+	      dcc_return_text = US"Mail accepted by DCC";
+	      dcc_result = US"A";
+	      retval = OK;
+	      break;
+	    case 'R':
+	      DEBUG(D_acl)
+		debug_printf("DCC: Overall result = R\treturning FAIL\n");
+	      dcc_return_text = US"Rejected by DCC";
+	      dcc_result = US"R";
+	      retval = FAIL;
+	      if(sender_host_name)
+		log_write(0, LOG_MAIN, "H=%s [%s] F=<%s>: rejected by DCC",
+			   sender_host_name, sender_host_address, sender_address);
+	      else
+		log_write(0, LOG_MAIN, "H=[%s] F=<%s>: rejected by DCC",
+			   sender_host_address, sender_address);
+	      break;
+	    case 'S':
+	      DEBUG(D_acl)
+		debug_printf("DCC: Overall result  = S\treturning OK\n");
+	      dcc_return_text = US"Not all recipients accepted by DCC";
+	      /* Since we're in an ACL we want a global result so we accept for all */
+	      dcc_result = US"A";
+	      retval = OK;
+	      break;
+	    case 'G':
+	      DEBUG(D_acl)
+		debug_printf("DCC: Overall result  = G\treturning FAIL\n");
+	      dcc_return_text = US"Greylisted by DCC";
+	      dcc_result = US"G";
+	      retval = FAIL;
+	      break;
+	    case 'T':
+	      DEBUG(D_acl)
+		debug_printf("DCC: Overall result = T\treturning DEFER\n");
+	      dcc_return_text = US"Temporary error with DCC";
+	      dcc_result = US"T";
+	      retval = DEFER;
+	      log_write(0,LOG_MAIN,"Temporary error with DCC: %s\n", big_buffer);
+	      break;
+	    default:
+	      DEBUG(D_acl)
+		debug_printf("DCC: Overall result = something else\treturning DEFER\n");
+	      dcc_return_text = US"Unknown DCC response";
+	      dcc_result = US"T";
+	      retval = DEFER;
+	      log_write(0,LOG_MAIN,"Unknown DCC response: %s\n", big_buffer);
+	      break;
+	    }
+	}
+	else
+	  {
+	  /* We're on the first line but not on the first character,
+	   * there must be something wrong. */
+	  DEBUG(D_acl) debug_printf("DCC: Line = %d but bufoffset = %d != 0"
+	      "  character is %c - This is wrong!\n", line, bufoffset, big_buffer[bufoffset]);
+	  log_write(0,LOG_MAIN,"Wrong header from DCC, output is %s\n", big_buffer);
+	  }
+	}
+      else if(line == 2)
+	{
+	/* On the second line we get a list of answers for each recipient. We
+	don't care about it because we're in an acl and take the global result. */
+	}
+      }
+    }
+  if(line > 2)
+    {
+    /* The third and following lines are the X-DCC header, so we store it in
+    dcc_header_str up to our limit. */
+    /* check if buffer contains the end of the header .."\n\n" and truncate it */
+    if ((big_buffer[dcc_resplen-1] == '\n') &&
+	(big_buffer[dcc_resplen-2] == '\n'))
+      dcc_resplen -= 2;
+    dcc_resplen -= bufoffset;
+    if (dcc_header_str->ptr + dcc_resplen > DCC_HEADER_LIMIT)
+      {
+      dcc_resplen = DCC_HEADER_LIMIT - dcc_header_str->ptr;
+      DEBUG(D_acl) debug_printf("DCC: We got more output than we can store"
+			 "in the X-DCC header. Truncating at 120 characters.\n");
+      }
+    dcc_header_str = string_catn(dcc_header_str, &big_buffer[bufoffset], dcc_resplen);
+    }
+  }
+/* We have read everything from the socket. make sure the header ends with "\n" */
+dcc_header_str = string_catn(dcc_header_str, US"\n", 1);
+
+(void) string_from_gstring(dcc_header_str);
+/* Now let's sum up what we've got. */
+DEBUG(D_acl)
+  debug_printf("\nDCC: --------------------------\nDCC: Overall result = %d\n"
+	       "DCC: X-DCC header: %sReturn message: %s\nDCC: dcc_result: %s\n",
+		 retval, dcc_header_str->s, dcc_return_text, dcc_result);
+
+/* We only add the X-DCC header if it starts with X-DCC */
+if(!(Ustrncmp(dcc_header_str->s, "X-DCC", 5)))
+  {
+  dcc_header = dcc_header_str->s;
+  if(dcc_direct_add_header)
+    {
+    header_add(' ' , "%s", dcc_header_str->s);
+/* since the MIME ACL already writes the .eml file to disk without DCC Header we've to erase it */
+    unspool_mbox();
+    }
+  }
+else
+  DEBUG(D_acl)
+    debug_printf("DCC: Wrong format of the X-DCC header: %.*s\n", dcc_header_str->ptr, dcc_header_str->s);
+
+/* check if we should add additional headers passed in acl_m_dcc_add_header */
+if (dcc_direct_add_header)
+  {
+  if (((xtra_hdrs = expand_string(US"$acl_m_dcc_add_header")) != NULL) && (xtra_hdrs[0] != '\0'))
+    {
+    dcc_xtra_hdrs = string_cat(NULL, xtra_hdrs);
+    if (dcc_xtra_hdrs->s[dcc_xtra_hdrs->ptr - 1] != '\n')
+      dcc_xtra_hdrs = string_catn(dcc_xtra_hdrs, US"\n", 1);
+    header_add(' ', "%s", string_from_gstring(dcc_xtra_hdrs));
+    DEBUG(D_acl)
+      debug_printf("DCC: adding additional headers in $acl_m_dcc_add_header: %.*s", dcc_xtra_hdrs->ptr, dcc_xtra_hdrs->s);
+    }
+  }
+
+dcc_ok = 1;
+/* Now return to exim main process */
+DEBUG(D_acl)
+  debug_printf("DCC: Before returning to exim main process:\nDCC: return_text = %s - retval = %d\n"
+	       "DCC: dcc_result = %s\n", dcc_return_text, retval, dcc_result);
+
+(void)fclose(data_file);
+dcc_rc = retval;
+return dcc_rc;
+}
+
+#endif
diff --git a/src/dcc.h b/src/dcc.h
new file mode 100644
index 0000000..9f394f0
--- /dev/null
+++ b/src/dcc.h
@@ -0,0 +1,16 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/*
+ * Copyright (c) Wolfgang Breyha 2005
+ * See the file NOTICE for conditions of use and distribution.
+ *
+ * original dccifd_localscan
+ * Copyright (c) Christopher Bodenstein 2003-2005
+ * <cb@physicman.net>
+*/
+
+#ifdef EXPERIMENTAL_DCC
+/* currently empty */
+#endif
diff --git a/src/debug.c b/src/debug.c
new file mode 100644
index 0000000..26d09ea
--- /dev/null
+++ b/src/debug.c
@@ -0,0 +1,498 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2015 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "exim.h"
+
+static uschar  debug_buffer[2048];
+static uschar *debug_ptr = debug_buffer;
+static int     debug_prefix_length = 0;
+
+static unsigned pretrigger_writeoff;
+static unsigned pretrigger_readoff;
+
+
+const uschar * rc_names[] = {		/* Mostly for debug output */
+  [OK] =		US"OK",
+  [DEFER] =		US"DEFER",
+  [FAIL] =		US"FAIL",
+  [ERROR] =		US"ERROR",
+  [FAIL_FORCED] =	US"FAIL_FORCED",
+  [DECLINE] =		US"DECLINE",
+  [PASS] =		US"PASS",
+  [DISCARD] =		US"DISCARD",
+  [SKIP] =		US"SKIP",
+  [REROUTED] =		US"REROUTED",
+  [PANIC] =		US"PANIC",
+  [BAD64] =		US"BAD64",
+  [UNEXPECTED] =	US"UNEXPECTED",
+  [CANCELLED] =		US"CANCELLED",
+  [FAIL_SEND] =		US"FAIL_SEND",
+  [FAIL_DROP] =		US"FAIL_DROP",
+  [DANE] =		US"DANE",
+};
+
+const uschar * dns_rc_names[] = {
+  [DNS_SUCCEED] =	US"DNS_SUCCEED",
+  [DNS_NOMATCH] =	US"DNS_NOMATCH",
+  [DNS_NODATA] =	US"DNS_NODATA",
+  [DNS_AGAIN] =		US"DNS_AGAIN",
+  [DNS_FAIL] =		US"DNS_FAIL",
+};
+
+
+/*************************************************
+*               Print tree                       *
+*************************************************/
+
+/* Recursive tree-printing subroutine. It uses a static vector of uschar to
+hold the line-drawing characters that need to be printed on every line as it
+moves down the page. This function is used only in debugging circumstances. The
+output is done via debug_printf(). */
+
+#define TREE_PRINTLINESIZE 132   /* line size for printing */
+static uschar tree_printline[TREE_PRINTLINESIZE];
+
+/* Internal recursive subroutine.
+
+Arguments:
+  p          tree node
+  pos        amount of indenting & vertical bars to print
+  barswitch  if TRUE print | at the pos value
+
+Returns:     nothing
+*/
+
+static void
+tree_printsub(tree_node * p, int pos, int barswitch)
+{
+if (p->right) tree_printsub(p->right, pos+2, 1);
+for (int i = 0; i <= pos-1; i++) debug_printf_indent(" %c", tree_printline[i]);
+debug_printf_indent(" -->%s [%d]\n", p->name, p->balance);
+tree_printline[pos] = barswitch ? '|' : ' ';
+if (p->left)
+  {
+  tree_printline[pos+2] = '|';
+  tree_printsub(p->left, pos+2, 0);
+  }
+}
+
+/* The external function, with just a tree node argument. */
+
+void
+debug_print_tree(const char * title, tree_node * p)
+{
+debug_printf_indent("%s:\n", title);
+for (int i = 0; i < TREE_PRINTLINESIZE; i++) tree_printline[i] = ' ';
+if (!p) debug_printf_indent(" Empty Tree\n"); else tree_printsub(p, 0, 0);
+debug_printf_indent("---- End of tree ----\n");
+}
+
+
+
+/*************************************************
+*          Print an argv vector                  *
+*************************************************/
+
+/* Called when about to obey execv().
+
+Argument:    the argv vector
+Returns:     nothing
+*/
+
+void
+debug_print_argv(const uschar ** argv)
+{
+debug_printf("exec");
+while (*argv) debug_printf(" %.256s", *argv++);
+debug_printf("\n");
+}
+
+
+
+/*************************************************
+*      Expand and print debugging string         *
+*************************************************/
+
+/* The string is expanded and written as debugging output. If
+expansion fails, a message is written instead.
+
+Argument:    the string
+Returns:     nothing
+*/
+
+void
+debug_print_string(uschar *debug_string)
+{
+if (!debug_string) return;
+HDEBUG(D_any|D_v)
+  {
+  uschar *s = expand_string(debug_string);
+  if (!s)
+    debug_printf("failed to expand debug_output \"%s\": %s\n", debug_string,
+      expand_string_message);
+  else if (s[0] != 0)
+    debug_printf("%s%s", s, (s[Ustrlen(s)-1] == '\n')? "" : "\n");
+  }
+}
+
+
+
+/*************************************************
+*      Print current uids and gids               *
+*************************************************/
+
+/*
+Argument:   an introductory string
+Returns:    nothing
+*/
+
+void
+debug_print_ids(uschar *s)
+{
+debug_printf("%s uid=%ld gid=%ld euid=%ld egid=%ld\n", s,
+  (long int)getuid(), (long int)getgid(), (long int)geteuid(),
+  (long int)getegid());
+}
+
+/************************************************/
+
+/* Give a string for a return-code */
+
+const uschar *
+rc_to_string(int rc)
+{
+return rc < 0 || rc >= nelem(rc_names) ? US"?" : rc_names[rc];
+}
+
+
+
+
+
+/*************************************************
+*           Print debugging message              *
+*************************************************/
+
+/* There are two entries, one for use when being called directly from a
+function with a variable argument list, one for prepending an indent.
+
+If debug_pid is nonzero, print the pid at the start of each line. This is for
+tidier output when running parallel remote deliveries with debugging turned on.
+Must do the whole thing with a single printf and flush, as otherwise output may
+get interleaved. Since some calls to debug_printf() don't end with newline,
+we save up the text until we do get the newline.
+Take care to not disturb errno. */
+
+
+/* Debug printf indented by ACL nest depth */
+void
+debug_printf_indent(const char * format, ...)
+{
+va_list ap;
+va_start(ap, format);
+debug_vprintf(acl_level + expand_level, format, ap);
+va_end(ap);
+}
+
+void
+debug_printf(const char *format, ...)
+{
+va_list ap;
+va_start(ap, format);
+debug_vprintf(0, format, ap);
+va_end(ap);
+}
+
+void
+debug_vprintf(int indent, const char *format, va_list ap)
+{
+int save_errno = errno;
+
+if (!debug_file) return;
+
+/* Various things can be inserted at the start of a line. Don't use the
+tod_stamp() function for the timestamp, because that will overwrite the
+timestamp buffer, which may contain something useful. (This was a bug fix: the
++memory debugging with +timestamp did cause a problem.) */
+
+if (debug_ptr == debug_buffer)
+  {
+  DEBUG(D_timestamp)
+    {
+    struct timeval now;
+    time_t tmp;
+    struct tm * t;
+
+    gettimeofday(&now, NULL);
+    tmp = now.tv_sec;
+    t = f.timestamps_utc ? gmtime(&tmp) : localtime(&tmp);
+    debug_ptr += sprintf(CS debug_ptr,
+      LOGGING(millisec) ? "%02d:%02d:%02d.%03d " : "%02d:%02d:%02d ",
+      t->tm_hour, t->tm_min, t->tm_sec, (int)(now.tv_usec/1000));
+    }
+
+  DEBUG(D_pid)
+    debug_ptr += sprintf(CS debug_ptr, "%5d ", (int)getpid());
+
+  /* Set up prefix if outputting for host checking and not debugging */
+
+  if (host_checking && debug_selector == 0)
+    {
+    Ustrcpy(debug_ptr, US">>> ");
+    debug_ptr += 4;
+    }
+
+  debug_prefix_length = debug_ptr - debug_buffer;
+  }
+
+if (indent > 0)
+  {
+  for (int i = indent >> 2; i > 0; i--)
+    DEBUG(D_noutf8)
+      {
+      Ustrcpy(debug_ptr, US"   !");
+      debug_ptr += 4;	/* 3 spaces + shriek */
+      debug_prefix_length += 4;
+      }
+    else
+      {
+      Ustrcpy(debug_ptr, US"   " UTF8_VERT_2DASH);
+      debug_ptr += 6;	/* 3 spaces + 3 UTF-8 octets */
+      debug_prefix_length += 6;
+      }
+
+  Ustrncpy(debug_ptr, US"   ", indent &= 3);
+  debug_ptr += indent;
+  debug_prefix_length += indent;
+  }
+
+/* Use the lengthchecked formatting routine to ensure that the buffer
+does not overflow. Ensure there's space for a newline at the end.
+However, use taint-unchecked routines for writing into the buffer
+so that we can write tainted info into the static debug_buffer -
+we trust that we will never expand the results. */
+
+  {
+  gstring gs = { .size = (int)sizeof(debug_buffer) - 1,
+		.ptr = debug_ptr - debug_buffer,
+		.s = debug_buffer };
+  if (!string_vformat(&gs, SVFMT_TAINT_NOCHK, format, ap))
+    {
+    uschar * s = US"**** debug string too long - truncated ****\n";
+    uschar * p = gs.s + gs.ptr;
+    int maxlen = gs.size - Ustrlen(s) - 2;
+    if (p > gs.s + maxlen) p = gs.s + maxlen;
+    if (p > gs.s && p[-1] != '\n') *p++ = '\n';
+    Ustrcpy(p, s);
+    while(*debug_ptr) debug_ptr++;
+    }
+  else
+    {
+    string_from_gstring(&gs);
+    debug_ptr = gs.s + gs.ptr;
+    }
+  }
+
+/* Output the line if it is complete. If we added any prefix data and there
+are internal newlines, make sure the prefix is on the continuation lines,
+as long as there is room in the buffer. We want to do just a single fprintf()
+so as to avoid interleaving. */
+
+if (debug_ptr[-1] == '\n')
+  {
+  if (debug_prefix_length > 0)
+    {
+    uschar *p = debug_buffer;
+    int left = sizeof(debug_buffer) - (debug_ptr - debug_buffer) - 1;
+    while ((p = Ustrchr(p, '\n') + 1) != debug_ptr &&
+           left >= debug_prefix_length)
+      {
+      int len = debug_ptr - p;
+      memmove(p + debug_prefix_length, p, len + 1);
+      memmove(p, debug_buffer, debug_prefix_length);
+      debug_ptr += debug_prefix_length;
+      left -= debug_prefix_length;
+      }
+    }
+
+  if (debug_pretrigger_buf)
+    {
+    int needed = Ustrlen(debug_buffer)+1, avail;
+    char c;
+
+    if (needed > debug_pretrigger_bsize)
+      needed = debug_pretrigger_bsize;
+    if ((avail = pretrigger_readoff - pretrigger_writeoff) <= 0)
+      avail += debug_pretrigger_bsize;
+
+    /* We have a pretrigger set up, trigger not yet hit. Copy the line(s) to the
+    pretrig buffer, dropping earlier lines if needed but truncating this line if
+    the pbuf is maxed out.  In the PTB the lines are NOT nul-terminated. */
+
+    while (avail < needed)
+      do
+	{
+	avail++;
+        c = debug_pretrigger_buf[pretrigger_readoff];
+	if (++pretrigger_readoff >= debug_pretrigger_bsize) pretrigger_readoff = 0;
+	}
+      while (c && c != '\n' && pretrigger_readoff != pretrigger_writeoff);
+
+    needed--;
+    for (int i = 0; needed; i++, needed--)
+      {
+      debug_pretrigger_buf[pretrigger_writeoff] = debug_buffer[i];
+      if (++pretrigger_writeoff >= debug_pretrigger_bsize) pretrigger_writeoff = 0;
+      }
+    }
+  else
+    {
+    fprintf(debug_file, "%s", CS debug_buffer);
+    fflush(debug_file);
+    }
+  debug_ptr = debug_buffer;
+  debug_prefix_length = 0;
+  }
+errno = save_errno;
+}
+
+
+
+/* Output the details of a socket */
+
+void
+debug_print_socket(int fd)
+{
+struct stat s;
+if (fstat(fd, &s) == 0 && (s.st_mode & S_IFMT) == S_IFSOCK)
+  {
+  gstring * g = NULL;
+  int val;
+  socklen_t vlen = sizeof(val);
+  struct sockaddr_storage a;
+  socklen_t alen = sizeof(a);
+  struct sockaddr_in * sinp = (struct sockaddr_in *)&a;
+  struct sockaddr_in6 * sin6p = (struct sockaddr_in6 *)&a;
+  struct sockaddr_un * sunp = (struct sockaddr_un *)&a;
+
+  if (getsockname(fd, (struct sockaddr*)&a, &alen) == 0)
+    switch (a.ss_family)
+      {
+      case AF_INET:
+	g = string_cat(g, US"domain AF_INET");
+	g = string_fmt_append(g, " lcl [%s]:%u",
+	  inet_ntoa(sinp->sin_addr), ntohs(sinp->sin_port));
+	alen = sizeof(*sinp);
+	if (getpeername(fd, (struct sockaddr *)sinp, &alen) == 0)
+	  g = string_fmt_append(g, " rmt [%s]:%u",
+	    inet_ntoa(sinp->sin_addr), ntohs(sinp->sin_port));
+	break;
+      case AF_INET6:
+	{
+	uschar buf[46];
+	g = string_cat(g, US"domain AF_INET6");
+	g = string_fmt_append(g, " lcl [%s]:%u",
+	  inet_ntop(AF_INET6, &sin6p->sin6_addr, CS buf, sizeof(buf)),
+	  ntohs(sin6p->sin6_port));
+	alen = sizeof(*sin6p);
+	if (getpeername(fd, (struct sockaddr *)sin6p, &alen) == 0)
+	  g = string_fmt_append(g, " rmt [%s]:%u",
+	    inet_ntop(AF_INET6, &sin6p->sin6_addr, CS buf, sizeof(buf)),
+	    ntohs(sin6p->sin6_port));
+	break;
+	}
+      case AF_UNIX:
+        g = string_cat(g, US"domain AF_UNIX");
+        if (alen > sizeof(sa_family_t)) /* not unix(7) "unnamed socket" */
+          g = string_fmt_append(g, " lcl %s%s",
+            sunp->sun_path[0] ? US"" : US"@",
+            sunp->sun_path[0] ? sunp->sun_path : sunp->sun_path+1);
+        alen = sizeof(*sunp);
+        if (getpeername(fd, (struct sockaddr *)sunp, &alen) == 0)
+          g = string_fmt_append(g, " rmt %s%s",
+            sunp->sun_path[0] ? US"" : US"@",
+            sunp->sun_path[0] ? sunp->sun_path : sunp->sun_path+1);
+        break;
+      default:
+	g = string_fmt_append(g, "domain %u", sinp->sin_family);
+	break;
+      }
+  if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &val, &vlen) == 0)
+    switch (val)
+      {
+      case SOCK_STREAM:	g = string_cat(g, US" type SOCK_STREAM"); break;
+      case SOCK_DGRAM:	g = string_cat(g, US" type SOCK_DGRAM"); break;
+      default:	g = string_fmt_append(g, " type %d", val); break;
+      }
+#ifdef SO_PROTOCOL
+  if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &val, &vlen) == 0)
+    {
+    struct protoent * p = getprotobynumber(val);
+    g = p
+      ? string_fmt_append(g, " proto %s", p->p_name)
+      : string_fmt_append(g, " proto %d", val);
+    }
+#endif
+  debug_printf_indent(" socket: %s\n", string_from_gstring(g));
+  }
+else
+  debug_printf_indent(" fd st_mode 0%o\n", s.st_mode);
+}
+
+
+/**************************************************************/
+/* Pretrigger handling for debug.  The debug_printf implementation
+diverts output to a circular buffer if the buffer is set up.
+The routines here set up the buffer, and unload it to file (and release it).
+What ends up in the buffer is subject to the usual debug_selector. */
+
+void
+debug_pretrigger_setup(const uschar * size_string)
+{
+long size = Ustrtol(size_string, NULL, 0);
+if (size > 0)
+  {
+  unsigned bufsize = MIN(size, 16384);
+
+  dtrigger_selector |= BIT(DTi_pretrigger);
+  if (debug_pretrigger_buf) store_free(debug_pretrigger_buf);
+  debug_pretrigger_buf = store_malloc((size_t)(debug_pretrigger_bsize = bufsize));
+  pretrigger_readoff = pretrigger_writeoff = 0;
+  }
+}
+
+void
+debug_trigger_fire(void)
+{
+int nbytes;
+
+if (!debug_pretrigger_buf) return;
+
+if (debug_file && (nbytes = pretrigger_writeoff - pretrigger_readoff) != 0)
+  if (nbytes > 0)
+    fwrite(debug_pretrigger_buf + pretrigger_readoff, 1, nbytes, debug_file);
+  else
+    {
+    fwrite(debug_pretrigger_buf + pretrigger_readoff, 1,
+      debug_pretrigger_bsize - pretrigger_readoff, debug_file);
+    fwrite(debug_pretrigger_buf, 1, pretrigger_writeoff, debug_file);
+    }
+
+debug_pretrigger_discard();
+}
+
+void
+debug_pretrigger_discard(void)
+{
+if (debug_pretrigger_buf) store_free(debug_pretrigger_buf);
+debug_pretrigger_buf = NULL;
+dtrigger_selector = 0;
+}
+
+
+/* End of debug.c */
diff --git a/src/deliver.c b/src/deliver.c
new file mode 100644
index 0000000..8a9a174
--- /dev/null
+++ b/src/deliver.c
@@ -0,0 +1,8642 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* The main code for delivering a message. */
+
+
+#include "exim.h"
+#include "transports/smtp.h"
+#include <sys/uio.h>
+#include <assert.h>
+
+
+/* Data block for keeping track of subprocesses for parallel remote
+delivery. */
+
+typedef struct pardata {
+  address_item *addrlist;      /* chain of addresses */
+  address_item *addr;          /* next address data expected for */
+  pid_t pid;                   /* subprocess pid */
+  int fd;                      /* pipe fd for getting result from subprocess */
+  int transport_count;         /* returned transport count value */
+  BOOL done;                   /* no more data needed */
+  uschar *msg;                 /* error message */
+  uschar *return_path;         /* return_path for these addresses */
+} pardata;
+
+/* Values for the process_recipients variable */
+
+enum { RECIP_ACCEPT, RECIP_IGNORE, RECIP_DEFER,
+       RECIP_FAIL, RECIP_FAIL_FILTER, RECIP_FAIL_TIMEOUT,
+       RECIP_FAIL_LOOP};
+
+/* Mutually recursive functions for marking addresses done. */
+
+static void child_done(address_item *, uschar *);
+static void address_done(address_item *, uschar *);
+
+/* Table for turning base-62 numbers into binary */
+
+static uschar tab62[] =
+          {0,1,2,3,4,5,6,7,8,9,0,0,0,0,0,0,     /* 0-9 */
+           0,10,11,12,13,14,15,16,17,18,19,20,  /* A-K */
+          21,22,23,24,25,26,27,28,29,30,31,32,  /* L-W */
+          33,34,35, 0, 0, 0, 0, 0,              /* X-Z */
+           0,36,37,38,39,40,41,42,43,44,45,46,  /* a-k */
+          47,48,49,50,51,52,53,54,55,56,57,58,  /* l-w */
+          59,60,61};                            /* x-z */
+
+
+/*************************************************
+*            Local static variables              *
+*************************************************/
+
+/* addr_duplicate is global because it needs to be seen from the Envelope-To
+writing code. */
+
+static address_item *addr_defer = NULL;
+static address_item *addr_failed = NULL;
+static address_item *addr_fallback = NULL;
+static address_item *addr_local = NULL;
+static address_item *addr_new = NULL;
+static address_item *addr_remote = NULL;
+static address_item *addr_route = NULL;
+static address_item *addr_succeed = NULL;
+static address_item *addr_senddsn = NULL;
+
+static FILE *message_log = NULL;
+static BOOL update_spool;
+static BOOL remove_journal;
+static int  parcount = 0;
+static pardata *parlist = NULL;
+static struct pollfd *parpoll;
+static int  return_count;
+static uschar *frozen_info = US"";
+static uschar *used_return_path = NULL;
+
+
+
+/*************************************************
+*          read as much as requested             *
+*************************************************/
+
+/* The syscall read(2) doesn't always returns as much as we want. For
+several reasons it might get less. (Not talking about signals, as syscalls
+are restartable). When reading from a network or pipe connection the sender
+might send in smaller chunks, with delays between these chunks. The read(2)
+may return such a chunk.
+
+The more the writer writes and the smaller the pipe between write and read is,
+the more we get the chance of reading leass than requested. (See bug 2130)
+
+This function read(2)s until we got all the data we *requested*.
+
+Note: This function may block. Use it only if you're sure about the
+amount of data you will get.
+
+Argument:
+  fd          the file descriptor to read from
+  buffer      pointer to a buffer of size len
+  len         the requested(!) amount of bytes
+
+Returns:      the amount of bytes read
+*/
+static ssize_t
+readn(int fd, void * buffer, size_t len)
+{
+uschar * next = buffer;
+uschar * end = next + len;
+
+while (next < end)
+  {
+  ssize_t got = read(fd, next, end - next);
+
+  /* I'm not sure if there are signals that can interrupt us,
+  for now I assume the worst */
+  if (got == -1 && errno == EINTR) continue;
+  if (got <= 0) return next - US buffer;
+  next += got;
+  }
+
+return len;
+}
+
+
+/*************************************************
+*             Make a new address item            *
+*************************************************/
+
+/* This function gets the store and initializes with default values. The
+transport_return value defaults to DEFER, so that any unexpected failure to
+deliver does not wipe out the message. The default unique string is set to a
+copy of the address, so that its domain can be lowercased.
+
+Argument:
+  address     the RFC822 address string
+  copy        force a copy of the address
+
+Returns:      a pointer to an initialized address_item
+*/
+
+address_item *
+deliver_make_addr(uschar *address, BOOL copy)
+{
+address_item * addr = store_get(sizeof(address_item), GET_UNTAINTED);
+*addr = address_defaults;
+if (copy) address = string_copy(address);
+addr->address = address;
+addr->unique = string_copy(address);
+return addr;
+}
+
+
+
+
+/*************************************************
+*     Set expansion values for an address        *
+*************************************************/
+
+/* Certain expansion variables are valid only when handling an address or
+address list. This function sets them up or clears the values, according to its
+argument.
+
+Arguments:
+  addr          the address in question, or NULL to clear values
+Returns:        nothing
+*/
+
+void
+deliver_set_expansions(address_item *addr)
+{
+if (!addr)
+  {
+  const uschar ***p = address_expansions;
+  while (*p) **p++ = NULL;
+  return;
+  }
+
+/* Exactly what gets set depends on whether there is one or more addresses, and
+what they contain. These first ones are always set, taking their values from
+the first address. */
+
+if (!addr->host_list)
+  {
+  deliver_host = deliver_host_address = US"";
+  deliver_host_port = 0;
+  }
+else
+  {
+  deliver_host = addr->host_list->name;
+  deliver_host_address = addr->host_list->address;
+  deliver_host_port = addr->host_list->port;
+  }
+
+deliver_recipients = addr;
+deliver_address_data = addr->prop.address_data;
+deliver_domain_data = addr->prop.domain_data;
+deliver_localpart_data = addr->prop.localpart_data;
+router_var = addr->prop.variables;
+
+/* These may be unset for multiple addresses */
+
+deliver_domain = addr->domain;
+self_hostname = addr->self_hostname;
+
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+bmi_deliver = 1;    /* deliver by default */
+bmi_alt_location = NULL;
+bmi_base64_verdict = NULL;
+bmi_base64_tracker_verdict = NULL;
+#endif
+
+/* If there's only one address we can set everything. */
+
+if (!addr->next)
+  {
+  address_item *addr_orig;
+
+  deliver_localpart = addr->local_part;
+  deliver_localpart_prefix = addr->prefix;
+  deliver_localpart_prefix_v = addr->prefix_v;
+  deliver_localpart_suffix = addr->suffix;
+  deliver_localpart_suffix_v = addr->suffix_v;
+
+  for (addr_orig = addr; addr_orig->parent; addr_orig = addr_orig->parent) ;
+  deliver_domain_orig = addr_orig->domain;
+
+  /* Re-instate any prefix and suffix in the original local part. In all
+  normal cases, the address will have a router associated with it, and we can
+  choose the caseful or caseless version accordingly. However, when a system
+  filter sets up a pipe, file, or autoreply delivery, no router is involved.
+  In this case, though, there won't be any prefix or suffix to worry about. */
+
+  deliver_localpart_orig = !addr_orig->router
+    ? addr_orig->local_part
+    : addr_orig->router->caseful_local_part
+    ? addr_orig->cc_local_part
+    : addr_orig->lc_local_part;
+
+  /* If there's a parent, make its domain and local part available, and if
+  delivering to a pipe or file, or sending an autoreply, get the local
+  part from the parent. For pipes and files, put the pipe or file string
+  into address_pipe and address_file. */
+
+  if (addr->parent)
+    {
+    deliver_domain_parent = addr->parent->domain;
+    deliver_localpart_parent = !addr->parent->router
+      ? addr->parent->local_part
+      : addr->parent->router->caseful_local_part
+      ? addr->parent->cc_local_part
+      : addr->parent->lc_local_part;
+
+    /* File deliveries have their own flag because they need to be picked out
+    as special more often. */
+
+    if (testflag(addr, af_pfr))
+      {
+      if (testflag(addr, af_file))	    address_file = addr->local_part;
+      else if (deliver_localpart[0] == '|') address_pipe = addr->local_part;
+      deliver_localpart = addr->parent->local_part;
+      deliver_localpart_prefix = addr->parent->prefix;
+      deliver_localpart_prefix_v = addr->parent->prefix_v;
+      deliver_localpart_suffix = addr->parent->suffix;
+      deliver_localpart_suffix_v = addr->parent->suffix_v;
+      }
+    }
+
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+    /* Set expansion variables related to Brightmail AntiSpam */
+    bmi_base64_verdict = bmi_get_base64_verdict(deliver_localpart_orig, deliver_domain_orig);
+    bmi_base64_tracker_verdict = bmi_get_base64_tracker_verdict(bmi_base64_verdict);
+    /* get message delivery status (0 - don't deliver | 1 - deliver) */
+    bmi_deliver = bmi_get_delivery_status(bmi_base64_verdict);
+    /* if message is to be delivered, get eventual alternate location */
+    if (bmi_deliver == 1)
+      bmi_alt_location = bmi_get_alt_location(bmi_base64_verdict);
+#endif
+
+  }
+
+/* For multiple addresses, don't set local part, and leave the domain and
+self_hostname set only if it is the same for all of them. It is possible to
+have multiple pipe and file addresses, but only when all addresses have routed
+to the same pipe or file. */
+
+else
+  {
+  if (testflag(addr, af_pfr))
+    {
+    if (testflag(addr, af_file))	 address_file = addr->local_part;
+    else if (addr->local_part[0] == '|') address_pipe = addr->local_part;
+    }
+  for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next)
+    {
+    if (deliver_domain && Ustrcmp(deliver_domain, addr2->domain) != 0)
+      deliver_domain = NULL;
+    if (  self_hostname
+       && (  !addr2->self_hostname
+          || Ustrcmp(self_hostname, addr2->self_hostname) != 0
+       )  )
+      self_hostname = NULL;
+    if (!deliver_domain && !self_hostname) break;
+    }
+  }
+}
+
+
+
+
+/*************************************************
+*                Open a msglog file              *
+*************************************************/
+
+/* This function is used both for normal message logs, and for files in the
+msglog directory that are used to catch output from pipes. Try to create the
+directory if it does not exist. From release 4.21, normal message logs should
+be created when the message is received.
+
+Called from deliver_message(), can be operating as root.
+
+Argument:
+  filename  the file name
+  mode      the mode required
+  error     used for saying what failed
+
+Returns:    a file descriptor, or -1 (with errno set)
+*/
+
+static int
+open_msglog_file(uschar *filename, int mode, uschar **error)
+{
+if (Ustrstr(filename, US"/../"))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
+
+for (int i = 2; i > 0; i--)
+  {
+  int fd = Uopen(filename,
+#ifdef O_CLOEXEC
+    O_CLOEXEC |
+#endif
+#ifdef O_NOFOLLOW
+    O_NOFOLLOW |
+#endif
+		O_WRONLY|O_APPEND|O_CREAT, mode);
+  if (fd >= 0)
+    {
+    /* Set the close-on-exec flag and change the owner to the exim uid/gid (this
+    function is called as root). Double check the mode, because the group setting
+    doesn't always get set automatically. */
+
+#ifndef O_CLOEXEC
+    (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
+#endif
+    if (exim_fchown(fd, exim_uid, exim_gid, filename) < 0)
+      {
+      *error = US"chown";
+      return -1;
+      }
+    if (fchmod(fd, mode) < 0)
+      {
+      *error = US"chmod";
+      return -1;
+      }
+    return fd;
+    }
+  if (errno != ENOENT)
+    break;
+
+  (void)directory_make(spool_directory,
+			spool_sname(US"msglog", message_subdir),
+			MSGLOG_DIRECTORY_MODE, TRUE);
+  }
+
+*error = US"create or open";
+return -1;
+}
+
+
+
+
+/*************************************************
+*           Write to msglog if required          *
+*************************************************/
+
+/* Write to the message log, if configured. This function may also be called
+from transports.
+
+Arguments:
+  format       a string format
+
+Returns:       nothing
+*/
+
+void
+deliver_msglog(const char *format, ...)
+{
+va_list ap;
+if (!message_logs) return;
+va_start(ap, format);
+vfprintf(message_log, format, ap);
+fflush(message_log);
+va_end(ap);
+}
+
+
+
+
+/*************************************************
+*            Replicate status for batch          *
+*************************************************/
+
+/* When a transport handles a batch of addresses, it may treat them
+individually, or it may just put the status in the first one, and return FALSE,
+requesting that the status be copied to all the others externally. This is the
+replication function. As well as the status, it copies the transport pointer,
+which may have changed if appendfile passed the addresses on to a different
+transport.
+
+Argument:    pointer to the first address in a chain
+Returns:     nothing
+*/
+
+static void
+replicate_status(address_item *addr)
+{
+for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next)
+  {
+  addr2->transport =	    addr->transport;
+  addr2->transport_return = addr->transport_return;
+  addr2->basic_errno =	    addr->basic_errno;
+  addr2->more_errno =	    addr->more_errno;
+  addr2->delivery_time =    addr->delivery_time;
+  addr2->special_action =   addr->special_action;
+  addr2->message =	    addr->message;
+  addr2->user_message =	    addr->user_message;
+  }
+}
+
+
+
+/*************************************************
+*              Compare lists of hosts            *
+*************************************************/
+
+/* This function is given two pointers to chains of host items, and it yields
+TRUE if the lists refer to the same hosts in the same order, except that
+
+(1) Multiple hosts with the same non-negative MX values are permitted to appear
+    in different orders. Round-robinning nameservers can cause this to happen.
+
+(2) Multiple hosts with the same negative MX values less than MX_NONE are also
+    permitted to appear in different orders. This is caused by randomizing
+    hosts lists.
+
+This enables Exim to use a single SMTP transaction for sending to two entirely
+different domains that happen to end up pointing at the same hosts.
+
+We do not try to batch up different A-record host names that refer to the
+same IP.
+
+Arguments:
+  one       points to the first host list
+  two       points to the second host list
+
+Returns:    TRUE if the lists refer to the same host set
+*/
+
+static BOOL
+same_hosts(host_item *one, host_item *two)
+{
+while (one && two)
+  {
+  if (Ustrcmp(one->name, two->name) != 0)
+    {
+    int mx = one->mx;
+    host_item *end_one = one;
+    host_item *end_two = two;
+
+    /* Batch up only if there was no MX and the list was not randomized */
+
+    if (mx == MX_NONE) return FALSE;
+
+    /* Find the ends of the shortest sequence of identical MX values */
+
+    while (  end_one->next && end_one->next->mx == mx
+          && end_two->next && end_two->next->mx == mx)
+      {
+      end_one = end_one->next;
+      end_two = end_two->next;
+      }
+
+    /* If there aren't any duplicates, there's no match. */
+
+    if (end_one == one) return FALSE;
+
+    /* For each host in the 'one' sequence, check that it appears in the 'two'
+    sequence, returning FALSE if not. */
+
+    for (;;)
+      {
+      host_item *hi;
+      for (hi = two; hi != end_two->next; hi = hi->next)
+        if (Ustrcmp(one->name, hi->name) == 0) break;
+      if (hi == end_two->next) return FALSE;
+      if (one == end_one) break;
+      one = one->next;
+      }
+
+    /* All the hosts in the 'one' sequence were found in the 'two' sequence.
+    Ensure both are pointing at the last host, and carry on as for equality. */
+
+    two = end_two;
+    }
+
+  /* if the names matched but ports do not, mismatch */
+  else if (one->port != two->port)
+    return FALSE;
+
+#ifdef SUPPORT_DANE
+  /* DNSSEC equality */
+  if (one->dnssec != two->dnssec) return FALSE;
+#endif
+
+  /* Hosts matched */
+  one = one->next;
+  two = two->next;
+  }
+
+/* True if both are NULL */
+
+return (one == two);
+}
+
+
+
+/*************************************************
+*              Compare header lines              *
+*************************************************/
+
+/* This function is given two pointers to chains of header items, and it yields
+TRUE if they are the same header texts in the same order.
+
+Arguments:
+  one       points to the first header list
+  two       points to the second header list
+
+Returns:    TRUE if the lists refer to the same header set
+*/
+
+static BOOL
+same_headers(header_line *one, header_line *two)
+{
+for (;; one = one->next, two = two->next)
+  {
+  if (one == two) return TRUE;   /* Includes the case where both NULL */
+  if (!one || !two) return FALSE;
+  if (Ustrcmp(one->text, two->text) != 0) return FALSE;
+  }
+}
+
+
+
+/*************************************************
+*            Compare string settings             *
+*************************************************/
+
+/* This function is given two pointers to strings, and it returns
+TRUE if they are the same pointer, or if the two strings are the same.
+
+Arguments:
+  one       points to the first string
+  two       points to the second string
+
+Returns:    TRUE or FALSE
+*/
+
+static BOOL
+same_strings(uschar *one, uschar *two)
+{
+if (one == two) return TRUE;   /* Includes the case where both NULL */
+if (!one || !two) return FALSE;
+return (Ustrcmp(one, two) == 0);
+}
+
+
+
+/*************************************************
+*        Compare uid/gid for addresses           *
+*************************************************/
+
+/* This function is given a transport and two addresses. It yields TRUE if the
+uid/gid/initgroups settings for the two addresses are going to be the same when
+they are delivered.
+
+Arguments:
+  tp            the transort
+  addr1         the first address
+  addr2         the second address
+
+Returns:        TRUE or FALSE
+*/
+
+static BOOL
+same_ugid(transport_instance *tp, address_item *addr1, address_item *addr2)
+{
+if (  !tp->uid_set && !tp->expand_uid
+   && !tp->deliver_as_creator
+   && (  testflag(addr1, af_uid_set) != testflag(addr2, af_gid_set)
+      || (  testflag(addr1, af_uid_set)
+         && (  addr1->uid != addr2->uid
+	    || testflag(addr1, af_initgroups) != testflag(addr2, af_initgroups)
+   )  )  )  )
+  return FALSE;
+
+if (  !tp->gid_set && !tp->expand_gid
+   && (  testflag(addr1, af_gid_set) != testflag(addr2, af_gid_set)
+      || (  testflag(addr1, af_gid_set)
+         && addr1->gid != addr2->gid
+   )  )  )
+  return FALSE;
+
+return TRUE;
+}
+
+
+
+
+/*************************************************
+*      Record that an address is complete        *
+*************************************************/
+
+/* This function records that an address is complete. This is straightforward
+for most addresses, where the unique address is just the full address with the
+domain lower cased. For homonyms (addresses that are the same as one of their
+ancestors) their are complications. Their unique addresses have \x\ prepended
+(where x = 0, 1, 2...), so that de-duplication works correctly for siblings and
+cousins.
+
+Exim used to record the unique addresses of homonyms as "complete". This,
+however, fails when the pattern of redirection varies over time (e.g. if taking
+unseen copies at only some times of day) because the prepended numbers may vary
+from one delivery run to the next. This problem is solved by never recording
+prepended unique addresses as complete. Instead, when a homonymic address has
+actually been delivered via a transport, we record its basic unique address
+followed by the name of the transport. This is checked in subsequent delivery
+runs whenever an address is routed to a transport.
+
+If the completed address is a top-level one (has no parent, which means it
+cannot be homonymic) we also add the original address to the non-recipients
+tree, so that it gets recorded in the spool file and therefore appears as
+"done" in any spool listings. The original address may differ from the unique
+address in the case of the domain.
+
+Finally, this function scans the list of duplicates, marks as done any that
+match this address, and calls child_done() for their ancestors.
+
+Arguments:
+  addr        address item that has been completed
+  now         current time as a string
+
+Returns:      nothing
+*/
+
+static void
+address_done(address_item *addr, uschar *now)
+{
+update_spool = TRUE;        /* Ensure spool gets updated */
+
+/* Top-level address */
+
+if (!addr->parent)
+  {
+  tree_add_nonrecipient(addr->unique);
+  tree_add_nonrecipient(addr->address);
+  }
+
+/* Homonymous child address */
+
+else if (testflag(addr, af_homonym))
+  {
+  if (addr->transport)
+    tree_add_nonrecipient(
+      string_sprintf("%s/%s", addr->unique + 3, addr->transport->name));
+  }
+
+/* Non-homonymous child address */
+
+else tree_add_nonrecipient(addr->unique);
+
+/* Check the list of duplicate addresses and ensure they are now marked
+done as well. */
+
+for (address_item * dup = addr_duplicate; dup; dup = dup->next)
+  if (Ustrcmp(addr->unique, dup->unique) == 0)
+    {
+    tree_add_nonrecipient(dup->unique);
+    child_done(dup, now);
+    }
+}
+
+
+
+
+/*************************************************
+*      Decrease counts in parents and mark done  *
+*************************************************/
+
+/* This function is called when an address is complete. If there is a parent
+address, its count of children is decremented. If there are still other
+children outstanding, the function exits. Otherwise, if the count has become
+zero, address_done() is called to mark the parent and its duplicates complete.
+Then loop for any earlier ancestors.
+
+Arguments:
+  addr      points to the completed address item
+  now       the current time as a string, for writing to the message log
+
+Returns:    nothing
+*/
+
+static void
+child_done(address_item *addr, uschar *now)
+{
+while (addr->parent)
+  {
+  address_item *aa;
+
+  addr = addr->parent;
+  if (--addr->child_count > 0) return;   /* Incomplete parent */
+  address_done(addr, now);
+
+  /* Log the completion of all descendents only when there is no ancestor with
+  the same original address. */
+
+  for (aa = addr->parent; aa; aa = aa->parent)
+    if (Ustrcmp(aa->address, addr->address) == 0) break;
+  if (aa) continue;
+
+  deliver_msglog("%s %s: children all complete\n", now, addr->address);
+  DEBUG(D_deliver) debug_printf("%s: children all complete\n", addr->address);
+  }
+}
+
+
+
+/*************************************************
+*      Delivery logging support functions        *
+*************************************************/
+
+/* The LOGGING() checks in d_log_interface() are complicated for backwards
+compatibility. When outgoing interface logging was originally added, it was
+conditional on just incoming_interface (which is off by default). The
+outgoing_interface option is on by default to preserve this behaviour, but
+you can enable incoming_interface and disable outgoing_interface to get I=
+fields on incoming lines only.
+
+Arguments:
+  g         The log line
+  addr      The address to be logged
+
+Returns:    New value for s
+*/
+
+static gstring *
+d_log_interface(gstring * g)
+{
+if (LOGGING(incoming_interface) && LOGGING(outgoing_interface)
+    && sending_ip_address)
+  {
+  g = string_fmt_append(g, " I=[%s]", sending_ip_address);
+  if (LOGGING(outgoing_port))
+    g = string_fmt_append(g, ":%d", sending_port);
+  }
+return g;
+}
+
+
+
+static gstring *
+d_hostlog(gstring * g, address_item * addr)
+{
+host_item * h = addr->host_used;
+
+g = string_append(g, 2, US" H=", h->name);
+
+if (LOGGING(dnssec) && h->dnssec == DS_YES)
+  g = string_catn(g, US" DS", 3);
+
+g = string_append(g, 3, US" [", h->address, US"]");
+
+if (LOGGING(outgoing_port))
+  g = string_fmt_append(g, ":%d", h->port);
+
+if (continue_sequence > 1)		/*XXX this is wrong for a dropped proxyconn.  Would have to pass back from transport */
+  g = string_catn(g, US"*", 1);
+
+#ifdef SUPPORT_SOCKS
+if (LOGGING(proxy) && proxy_local_address)
+  {
+  g = string_append(g, 3, US" PRX=[", proxy_local_address, US"]");
+  if (LOGGING(outgoing_port))
+    g = string_fmt_append(g, ":%d", proxy_local_port);
+  }
+#endif
+
+g = d_log_interface(g);
+
+if (testflag(addr, af_tcp_fastopen))
+  g = string_catn(g, US" TFO*", testflag(addr, af_tcp_fastopen_data) ? 5 : 4);
+
+return g;
+}
+
+
+
+
+
+#ifndef DISABLE_TLS
+static gstring *
+d_tlslog(gstring * g, address_item * addr)
+{
+if (LOGGING(tls_cipher) && addr->cipher)
+  {
+  g = string_append(g, 2, US" X=", addr->cipher);
+#ifndef DISABLE_TLS_RESUME
+  if (LOGGING(tls_resumption) && testflag(addr, af_tls_resume))
+    g = string_catn(g, US"*", 1);
+#endif
+  }
+if (LOGGING(tls_certificate_verified) && addr->cipher)
+  g = string_append(g, 2, US" CV=",
+    testflag(addr, af_cert_verified)
+    ?
+#ifdef SUPPORT_DANE
+      testflag(addr, af_dane_verified)
+    ? "dane"
+    :
+#endif
+      "yes"
+    : "no");
+if (LOGGING(tls_peerdn) && addr->peerdn)
+  g = string_append(g, 3, US" DN=\"", string_printing(addr->peerdn), US"\"");
+return g;
+}
+#endif
+
+
+
+
+#ifndef DISABLE_EVENT
+/* Distribute a named event to any listeners.
+
+Args:	action	config option specifying listener
+	event	name of the event
+	ev_data	associated data for the event
+	errnop	pointer to errno for modification, or null
+
+Return: string expansion from listener, or NULL
+*/
+
+uschar *
+event_raise(uschar * action, const uschar * event, uschar * ev_data, int * errnop)
+{
+uschar * s;
+if (action)
+  {
+  DEBUG(D_deliver)
+    debug_printf("Event(%s): event_action=|%s| delivery_IP=%s\n",
+      event,
+      action, deliver_host_address);
+
+  event_name = event;
+  event_data = ev_data;
+
+  if (!(s = expand_string(action)) && *expand_string_message)
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "failed to expand event_action %s in %s: %s\n",
+      event, transport_name ? transport_name : US"main", expand_string_message);
+
+  event_name = event_data = NULL;
+
+  /* If the expansion returns anything but an empty string, flag for
+  the caller to modify his normal processing
+  */
+  if (s && *s)
+    {
+    DEBUG(D_deliver)
+      debug_printf("Event(%s): event_action returned \"%s\"\n", event, s);
+    if (errnop)
+      *errnop = ERRNO_EVENT;
+    return s;
+    }
+  }
+return NULL;
+}
+
+void
+msg_event_raise(const uschar * event, const address_item * addr)
+{
+const uschar * save_domain = deliver_domain;
+uschar * save_local =  deliver_localpart;
+const uschar * save_host = deliver_host;
+const uschar * save_address = deliver_host_address;
+const int      save_port =   deliver_host_port;
+
+router_name =    addr->router ? addr->router->name : NULL;
+deliver_domain = addr->domain;
+deliver_localpart = addr->local_part;
+deliver_host =   addr->host_used ? addr->host_used->name : NULL;
+
+if (!addr->transport)
+  {
+  if (Ustrcmp(event, "msg:fail:delivery") == 0)
+    {
+     /* An address failed with no transport involved. This happens when
+     a filter was used which triggered a fail command (in such a case
+     a transport isn't needed).  Convert it to an internal fail event. */
+
+    (void) event_raise(event_action, US"msg:fail:internal", addr->message, NULL);
+    }
+  }
+else
+  {
+  transport_name = addr->transport->name;
+
+  (void) event_raise(addr->transport->event_action, event,
+	    addr->host_used
+	    || Ustrcmp(addr->transport->driver_name, "smtp") == 0
+	    || Ustrcmp(addr->transport->driver_name, "lmtp") == 0
+	    || Ustrcmp(addr->transport->driver_name, "autoreply") == 0
+	   ? addr->message : NULL,
+	   NULL);
+  }
+
+deliver_host_port =    save_port;
+deliver_host_address = save_address;
+deliver_host =      save_host;
+deliver_localpart = save_local;
+deliver_domain =    save_domain;
+router_name = transport_name = NULL;
+}
+#endif	/*DISABLE_EVENT*/
+
+
+
+/******************************************************************************/
+
+
+/*************************************************
+*        Generate local part for logging         *
+*************************************************/
+
+static uschar *
+string_get_lpart_sub(const address_item * addr, uschar * s)
+{
+#ifdef SUPPORT_I18N
+if (testflag(addr, af_utf8_downcvt))
+  {
+  uschar * t = string_localpart_utf8_to_alabel(s, NULL);
+  return t ? t : s;	/* t is NULL on a failed conversion */
+  }
+#endif
+return s;
+}
+
+/* This function is a subroutine for use in string_log_address() below.
+
+Arguments:
+  addr        the address being logged
+  yield       the current dynamic buffer pointer
+
+Returns:      the new value of the buffer pointer
+*/
+
+static gstring *
+string_get_localpart(address_item * addr, gstring * yield)
+{
+uschar * s;
+
+if (testflag(addr, af_include_affixes) && (s = addr->prefix))
+  yield = string_cat(yield, string_get_lpart_sub(addr, s));
+
+yield = string_cat(yield, string_get_lpart_sub(addr, addr->local_part));
+
+if (testflag(addr, af_include_affixes) && (s = addr->suffix))
+  yield = string_cat(yield, string_get_lpart_sub(addr, s));
+
+return yield;
+}
+
+
+/*************************************************
+*          Generate log address list             *
+*************************************************/
+
+/* This function generates a list consisting of an address and its parents, for
+use in logging lines. For saved onetime aliased addresses, the onetime parent
+field is used. If the address was delivered by a transport with rcpt_include_
+affixes set, the af_include_affixes bit will be set in the address. In that
+case, we include the affixes here too.
+
+Arguments:
+  g             points to growing-string struct
+  addr          bottom (ultimate) address
+  all_parents   if TRUE, include all parents
+  success       TRUE for successful delivery
+
+Returns:        a growable string in dynamic store
+*/
+
+static gstring *
+string_log_address(gstring * g,
+  address_item *addr, BOOL all_parents, BOOL success)
+{
+BOOL add_topaddr = TRUE;
+address_item *topaddr;
+
+/* Find the ultimate parent */
+
+for (topaddr = addr; topaddr->parent; topaddr = topaddr->parent) ;
+
+/* We start with just the local part for pipe, file, and reply deliveries, and
+for successful local deliveries from routers that have the log_as_local flag
+set. File deliveries from filters can be specified as non-absolute paths in
+cases where the transport is going to complete the path. If there is an error
+before this happens (expansion failure) the local part will not be updated, and
+so won't necessarily look like a path. Add extra text for this case. */
+
+if (  testflag(addr, af_pfr)
+   || (  success
+      && addr->router && addr->router->log_as_local
+      && addr->transport && addr->transport->info->local
+   )  )
+  {
+  if (testflag(addr, af_file) && addr->local_part[0] != '/')
+    g = string_catn(g, CUS"save ", 5);
+  g = string_get_localpart(addr, g);
+  }
+
+/* Other deliveries start with the full address. It we have split it into local
+part and domain, use those fields. Some early failures can happen before the
+splitting is done; in those cases use the original field. */
+
+else
+  {
+  uschar * cmp;
+  int off = g->ptr;	/* start of the "full address" */
+
+  if (addr->local_part)
+    {
+    const uschar * s;
+    g = string_get_localpart(addr, g);
+    g = string_catn(g, US"@", 1);
+    s = addr->domain;
+#ifdef SUPPORT_I18N
+    if (testflag(addr, af_utf8_downcvt))
+      s = string_localpart_utf8_to_alabel(s, NULL);
+#endif
+    g = string_cat(g, s);
+    }
+  else
+    g = string_cat(g, addr->address);
+
+  /* If the address we are going to print is the same as the top address,
+  and all parents are not being included, don't add on the top address. First
+  of all, do a caseless comparison; if this succeeds, do a caseful comparison
+  on the local parts. */
+
+  cmp = g->s + off;		/* only now, as rebuffer likely done */
+  string_from_gstring(g);	/* ensure nul-terminated */
+  if (  strcmpic(cmp, topaddr->address) == 0
+     && Ustrncmp(cmp, topaddr->address, Ustrchr(cmp, '@') - cmp) == 0
+     && !addr->onetime_parent
+     && (!all_parents || !addr->parent || addr->parent == topaddr)
+     )
+    add_topaddr = FALSE;
+  }
+
+/* If all parents are requested, or this is a local pipe/file/reply, and
+there is at least one intermediate parent, show it in brackets, and continue
+with all of them if all are wanted. */
+
+if (  (all_parents || testflag(addr, af_pfr))
+   && addr->parent
+   && addr->parent != topaddr)
+  {
+  uschar *s = US" (";
+  for (address_item * addr2 = addr->parent; addr2 != topaddr; addr2 = addr2->parent)
+    {
+    g = string_catn(g, s, 2);
+    g = string_cat (g, addr2->address);
+    if (!all_parents) break;
+    s = US", ";
+    }
+  g = string_catn(g, US")", 1);
+  }
+
+/* Add the top address if it is required */
+
+if (add_topaddr)
+  g = string_append(g, 3,
+    US" <",
+    addr->onetime_parent ? addr->onetime_parent : topaddr->address,
+    US">");
+
+return g;
+}
+
+
+
+/******************************************************************************/
+
+
+
+/* If msg is NULL this is a delivery log and logchar is used. Otherwise
+this is a nonstandard call; no two-character delivery flag is written
+but sender-host and sender are prefixed and "msg" is inserted in the log line.
+
+Arguments:
+  flags		passed to log_write()
+*/
+void
+delivery_log(int flags, address_item * addr, int logchar, uschar * msg)
+{
+gstring * g; /* Used for a temporary, expanding buffer, for building log lines  */
+rmark reset_point;
+
+/* Log the delivery on the main log. We use an extensible string to build up
+the log line, and reset the store afterwards. Remote deliveries should always
+have a pointer to the host item that succeeded; local deliveries can have a
+pointer to a single host item in their host list, for use by the transport. */
+
+#ifndef DISABLE_EVENT
+  /* presume no successful remote delivery */
+  lookup_dnssec_authenticated = NULL;
+#endif
+
+reset_point = store_mark();
+g = string_get_tainted(256, GET_TAINTED);	/* addrs will be tainted, so avoid copy */
+
+if (msg)
+  g = string_append(g, 2, host_and_ident(TRUE), US" ");
+else
+  {
+  g->s[0] = logchar; g->ptr = 1;
+  g = string_catn(g, US"> ", 2);
+  }
+g = string_log_address(g, addr, LOGGING(all_parents), TRUE);
+
+if (LOGGING(sender_on_delivery) || msg)
+  g = string_append(g, 3, US" F=<",
+#ifdef SUPPORT_I18N
+    testflag(addr, af_utf8_downcvt)
+    ? string_address_utf8_to_alabel(sender_address, NULL)
+    :
+#endif
+      sender_address,
+  US">");
+
+if (*queue_name)
+  g = string_append(g, 2, US" Q=", queue_name);
+
+/* You might think that the return path must always be set for a successful
+delivery; indeed, I did for some time, until this statement crashed. The case
+when it is not set is for a delivery to /dev/null which is optimised by not
+being run at all. */
+
+if (used_return_path && LOGGING(return_path_on_delivery))
+  g = string_append(g, 3, US" P=<", used_return_path, US">");
+
+if (msg)
+  g = string_append(g, 2, US" ", msg);
+
+/* For a delivery from a system filter, there may not be a router */
+if (addr->router)
+  g = string_append(g, 2, US" R=", addr->router->name);
+
+g = string_append(g, 2, US" T=", addr->transport->name);
+
+if (LOGGING(delivery_size))
+  g = string_fmt_append(g, " S=%d", transport_count);
+
+/* Local delivery */
+
+if (addr->transport->info->local)
+  {
+  if (addr->host_list)
+    g = string_append(g, 2, US" H=", addr->host_list->name);
+  g = d_log_interface(g);
+  if (addr->shadow_message)
+    g = string_cat(g, addr->shadow_message);
+  }
+
+/* Remote delivery */
+
+else
+  {
+  if (addr->host_used)
+    {
+    g = d_hostlog(g, addr);
+
+#ifndef DISABLE_EVENT
+    deliver_host_address = addr->host_used->address;
+    deliver_host_port =    addr->host_used->port;
+    deliver_host =         addr->host_used->name;
+
+    /* DNS lookup status */
+    lookup_dnssec_authenticated = addr->host_used->dnssec==DS_YES ? US"yes"
+			      : addr->host_used->dnssec==DS_NO ? US"no"
+			      : NULL;
+#endif
+    }
+
+#ifndef DISABLE_TLS
+  g = d_tlslog(g, addr);
+#endif
+
+  if (addr->authenticator)
+    {
+    g = string_append(g, 2, US" A=", addr->authenticator);
+    if (addr->auth_id)
+      {
+      g = string_append(g, 2, US":", addr->auth_id);
+      if (LOGGING(smtp_mailauth) && addr->auth_sndr)
+        g = string_append(g, 2, US":", addr->auth_sndr);
+      }
+    }
+
+  if (LOGGING(pipelining))
+    {
+    if (testflag(addr, af_pipelining))
+      g = string_catn(g, US" L", 2);
+#ifndef DISABLE_PIPE_CONNECT
+    if (testflag(addr, af_early_pipe))
+      g = string_catn(g, US"*", 1);
+#endif
+    }
+
+#ifndef DISABLE_PRDR
+  if (testflag(addr, af_prdr_used))
+    g = string_catn(g, US" PRDR", 5);
+#endif
+
+  if (testflag(addr, af_chunking_used))
+    g = string_catn(g, US" K", 2);
+  }
+
+/* confirmation message (SMTP (host_used) and LMTP (driver_name)) */
+
+if (  LOGGING(smtp_confirmation)
+   && addr->message
+   && (addr->host_used || Ustrcmp(addr->transport->driver_name, "lmtp") == 0)
+   )
+  {
+  unsigned lim = big_buffer_size < 1024 ? big_buffer_size : 1024;
+  uschar *p = big_buffer;
+  uschar *ss = addr->message;
+  *p++ = '\"';
+  for (int i = 0; i < lim && ss[i] != 0; i++)	/* limit logged amount */
+    {
+    if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\'; /* quote \ and " */
+    *p++ = ss[i];
+    }
+  *p++ = '\"';
+  *p = 0;
+  g = string_append(g, 2, US" C=", big_buffer);
+  }
+
+/* Time on queue and actual time taken to deliver */
+
+if (LOGGING(queue_time))
+  g = string_append(g, 2, US" QT=", string_timesince(
+    LOGGING(queue_time_exclusive) ? &received_time_complete : &received_time));
+
+if (LOGGING(deliver_time))
+  g = string_append(g, 2, US" DT=", string_timediff(&addr->delivery_time));
+
+/* string_cat() always leaves room for the terminator. Release the
+store we used to build the line after writing it. */
+
+log_write(0, flags, "%s", string_from_gstring(g));
+
+#ifndef DISABLE_EVENT
+if (!msg) msg_event_raise(US"msg:delivery", addr);
+#endif
+
+store_reset(reset_point);
+return;
+}
+
+
+
+static void
+deferral_log(address_item * addr, uschar * now,
+  int logflags, uschar * driver_name, uschar * driver_kind)
+{
+rmark reset_point = store_mark();
+gstring * g = string_get(256);
+
+/* Build up the line that is used for both the message log and the main
+log. */
+
+/* Create the address string for logging. Must not do this earlier, because
+an OK result may be changed to FAIL when a pipe returns text. */
+
+g = string_log_address(g, addr, LOGGING(all_parents), FALSE);
+
+if (*queue_name)
+  g = string_append(g, 2, US" Q=", queue_name);
+
+/* Either driver_name contains something and driver_kind contains
+" router" or " transport" (note the leading space), or driver_name is
+a null string and driver_kind contains "routing" without the leading
+space, if all routing has been deferred. When a domain has been held,
+so nothing has been done at all, both variables contain null strings. */
+
+if (driver_name)
+  {
+  if (driver_kind[1] == 't' && addr->router)
+    g = string_append(g, 2, US" R=", addr->router->name);
+  g = string_fmt_append(g, " %c=%s", toupper(driver_kind[1]), driver_name);
+  }
+else if (driver_kind)
+  g = string_append(g, 2, US" ", driver_kind);
+
+g = string_fmt_append(g, " defer (%d)", addr->basic_errno);
+
+if (addr->basic_errno > 0)
+  g = string_append(g, 2, US": ", US strerror(addr->basic_errno));
+
+if (addr->host_used)
+  g = d_hostlog(g, addr);
+
+if (LOGGING(deliver_time))
+  g = string_append(g, 2, US" DT=", string_timediff(&addr->delivery_time));
+
+if (addr->message)
+  g = string_append(g, 2, US": ", addr->message);
+
+(void) string_from_gstring(g);
+
+/* Log the deferment in the message log, but don't clutter it
+up with retry-time defers after the first delivery attempt. */
+
+if (f.deliver_firsttime || addr->basic_errno > ERRNO_RETRY_BASE)
+  deliver_msglog("%s %s\n", now, g->s);
+
+/* Write the main log and reset the store.
+For errors of the type "retry time not reached" (also remotes skipped
+on queue run), logging is controlled by L_retry_defer. Note that this kind
+of error number is negative, and all the retry ones are less than any
+others. */
+
+
+log_write(addr->basic_errno <= ERRNO_RETRY_BASE ? L_retry_defer : 0, logflags,
+  "== %s", g->s);
+
+store_reset(reset_point);
+return;
+}
+
+
+
+static void
+failure_log(address_item * addr, uschar * driver_kind, uschar * now)
+{
+rmark reset_point = store_mark();
+gstring * g = string_get(256);
+
+#ifndef DISABLE_EVENT
+/* Message failures for which we will send a DSN get their event raised
+later so avoid doing it here. */
+
+if (  !addr->prop.ignore_error
+   && !(addr->dsn_flags & (rf_dsnflags & ~rf_notify_failure))
+   )
+  msg_event_raise(US"msg:fail:delivery", addr);
+#endif
+
+/* Build up the log line for the message and main logs */
+
+/* Create the address string for logging. Must not do this earlier, because
+an OK result may be changed to FAIL when a pipe returns text. */
+
+g = string_log_address(g, addr, LOGGING(all_parents), FALSE);
+
+if (LOGGING(sender_on_delivery))
+  g = string_append(g, 3, US" F=<", sender_address, US">");
+
+if (*queue_name)
+  g = string_append(g, 2, US" Q=", queue_name);
+
+/* Return path may not be set if no delivery actually happened */
+
+if (used_return_path && LOGGING(return_path_on_delivery))
+  g = string_append(g, 3, US" P=<", used_return_path, US">");
+
+if (addr->router)
+  g = string_append(g, 2, US" R=", addr->router->name);
+if (addr->transport)
+  g = string_append(g, 2, US" T=", addr->transport->name);
+
+if (addr->host_used)
+  g = d_hostlog(g, addr);
+
+#ifndef DISABLE_TLS
+g = d_tlslog(g, addr);
+#endif
+
+if (addr->basic_errno > 0)
+  g = string_append(g, 2, US": ", US strerror(addr->basic_errno));
+
+if (addr->message)
+  g = string_append(g, 2, US": ", addr->message);
+
+if (LOGGING(deliver_time))
+  g = string_append(g, 2, US" DT=", string_timediff(&addr->delivery_time));
+
+(void) string_from_gstring(g);
+
+/* Do the logging. For the message log, "routing failed" for those cases,
+just to make it clearer. */
+
+if (driver_kind)
+  deliver_msglog("%s %s failed for %s\n", now, driver_kind, g->s);
+else
+  deliver_msglog("%s %s\n", now, g->s);
+
+log_write(0, LOG_MAIN, "** %s", g->s);
+
+store_reset(reset_point);
+return;
+}
+
+
+
+/*************************************************
+*    Actions at the end of handling an address   *
+*************************************************/
+
+/* This is a function for processing a single address when all that can be done
+with it has been done.
+
+Arguments:
+  addr         points to the address block
+  result       the result of the delivery attempt
+  logflags     flags for log_write() (LOG_MAIN and/or LOG_PANIC)
+  driver_type  indicates which type of driver (transport, or router) was last
+                 to process the address
+  logchar      '=' or '-' for use when logging deliveries with => or ->
+
+Returns:       nothing
+*/
+
+static void
+post_process_one(address_item *addr, int result, int logflags, int driver_type,
+  int logchar)
+{
+uschar *now = tod_stamp(tod_log);
+uschar *driver_kind = NULL;
+uschar *driver_name = NULL;
+
+DEBUG(D_deliver) debug_printf("post-process %s (%d)\n", addr->address, result);
+
+/* Set up driver kind and name for logging. Disable logging if the router or
+transport has disabled it. */
+
+if (driver_type == EXIM_DTYPE_TRANSPORT)
+  {
+  if (addr->transport)
+    {
+    driver_name = addr->transport->name;
+    driver_kind = US" transport";
+    f.disable_logging = addr->transport->disable_logging;
+    }
+  else driver_kind = US"transporting";
+  }
+else if (driver_type == EXIM_DTYPE_ROUTER)
+  {
+  if (addr->router)
+    {
+    driver_name = addr->router->name;
+    driver_kind = US" router";
+    f.disable_logging = addr->router->disable_logging;
+    }
+  else driver_kind = US"routing";
+  }
+
+/* If there's an error message set, ensure that it contains only printing
+characters - it should, but occasionally things slip in and this at least
+stops the log format from getting wrecked. We also scan the message for an LDAP
+expansion item that has a password setting, and flatten the password. This is a
+fudge, but I don't know a cleaner way of doing this. (If the item is badly
+malformed, it won't ever have gone near LDAP.) */
+
+if (addr->message)
+  {
+  const uschar * s = string_printing(addr->message);
+
+  /* deconst cast ok as string_printing known to have alloc'n'copied */
+  addr->message = expand_hide_passwords(US s);
+  }
+
+/* If we used a transport that has one of the "return_output" options set, and
+if it did in fact generate some output, then for return_output we treat the
+message as failed if it was not already set that way, so that the output gets
+returned to the sender, provided there is a sender to send it to. For
+return_fail_output, do this only if the delivery failed. Otherwise we just
+unlink the file, and remove the name so that if the delivery failed, we don't
+try to send back an empty or unwanted file. The log_output options operate only
+on a non-empty file.
+
+In any case, we close the message file, because we cannot afford to leave a
+file-descriptor for one address while processing (maybe very many) others. */
+
+if (addr->return_file >= 0 && addr->return_filename)
+  {
+  BOOL return_output = FALSE;
+  struct stat statbuf;
+  (void)EXIMfsync(addr->return_file);
+
+  /* If there is no output, do nothing. */
+
+  if (fstat(addr->return_file, &statbuf) == 0 && statbuf.st_size > 0)
+    {
+    transport_instance *tb = addr->transport;
+
+    /* Handle logging options */
+
+    if (  tb->log_output
+       || result == FAIL  && tb->log_fail_output
+       || result == DEFER && tb->log_defer_output
+       )
+      {
+      uschar *s;
+      FILE *f = Ufopen(addr->return_filename, "rb");
+      if (!f)
+        log_write(0, LOG_MAIN|LOG_PANIC, "failed to open %s to log output "
+          "from %s transport: %s", addr->return_filename, tb->name,
+          strerror(errno));
+      else
+        if ((s = US Ufgets(big_buffer, big_buffer_size, f)))
+          {
+          uschar *p = big_buffer + Ustrlen(big_buffer);
+	  const uschar * sp;
+          while (p > big_buffer && isspace(p[-1])) p--;
+          *p = 0;
+          sp = string_printing(big_buffer);
+          log_write(0, LOG_MAIN, "<%s>: %s transport output: %s",
+            addr->address, tb->name, sp);
+          }
+      (void)fclose(f);
+      }
+
+    /* Handle returning options, but only if there is an address to return
+    the text to. */
+
+    if (sender_address[0] != 0 || addr->prop.errors_address)
+      if (tb->return_output)
+        {
+        addr->transport_return = result = FAIL;
+        if (addr->basic_errno == 0 && !addr->message)
+          addr->message = US"return message generated";
+        return_output = TRUE;
+        }
+      else
+        if (tb->return_fail_output && result == FAIL) return_output = TRUE;
+    }
+
+  /* Get rid of the file unless it might be returned, but close it in
+  all cases. */
+
+  if (!return_output)
+    {
+    Uunlink(addr->return_filename);
+    addr->return_filename = NULL;
+    addr->return_file = -1;
+    }
+
+  (void)close(addr->return_file);
+  }
+
+/* Check if the transport notifed continue-conn status explicitly, and
+update our knowlege. */
+
+if (testflag(addr, af_new_conn))       continue_sequence = 1;
+else if (testflag(addr, af_cont_conn)) continue_sequence++;
+
+/* The success case happens only after delivery by a transport. */
+
+if (result == OK)
+  {
+  addr->next = addr_succeed;
+  addr_succeed = addr;
+
+  /* Call address_done() to ensure that we don't deliver to this address again,
+  and write appropriate things to the message log. If it is a child address, we
+  call child_done() to scan the ancestors and mark them complete if this is the
+  last child to complete. */
+
+  address_done(addr, now);
+  DEBUG(D_deliver) debug_printf("%s delivered\n", addr->address);
+
+  if (!addr->parent)
+    deliver_msglog("%s %s: %s%s succeeded\n", now, addr->address,
+      driver_name, driver_kind);
+  else
+    {
+    deliver_msglog("%s %s <%s>: %s%s succeeded\n", now, addr->address,
+      addr->parent->address, driver_name, driver_kind);
+    child_done(addr, now);
+    }
+
+  /* Certificates for logging (via events) */
+#ifndef DISABLE_TLS
+  tls_out.ourcert = addr->ourcert;
+  addr->ourcert = NULL;
+  tls_out.peercert = addr->peercert;
+  addr->peercert = NULL;
+
+  tls_out.ver = addr->tlsver;
+  tls_out.cipher = addr->cipher;
+  tls_out.peerdn = addr->peerdn;
+  tls_out.ocsp = addr->ocsp;
+# ifdef SUPPORT_DANE
+  tls_out.dane_verified = testflag(addr, af_dane_verified);
+# endif
+#endif
+
+  delivery_log(LOG_MAIN, addr, logchar, NULL);
+
+#ifndef DISABLE_TLS
+  tls_free_cert(&tls_out.ourcert);
+  tls_free_cert(&tls_out.peercert);
+  tls_out.ver = NULL;
+  tls_out.cipher = NULL;
+  tls_out.peerdn = NULL;
+  tls_out.ocsp = OCSP_NOT_REQ;
+# ifdef SUPPORT_DANE
+  tls_out.dane_verified = FALSE;
+# endif
+#endif
+  }
+
+
+/* Soft failure, or local delivery process failed; freezing may be
+requested. */
+
+else if (result == DEFER || result == PANIC)
+  {
+  if (result == PANIC) logflags |= LOG_PANIC;
+
+  /* This puts them on the chain in reverse order. Do not change this, because
+  the code for handling retries assumes that the one with the retry
+  information is last. */
+
+  addr->next = addr_defer;
+  addr_defer = addr;
+
+  /* The only currently implemented special action is to freeze the
+  message. Logging of this is done later, just before the -H file is
+  updated. */
+
+  if (addr->special_action == SPECIAL_FREEZE)
+    {
+    f.deliver_freeze = TRUE;
+    deliver_frozen_at = time(NULL);
+    update_spool = TRUE;
+    }
+
+  /* If doing a 2-stage queue run, we skip writing to either the message
+  log or the main log for SMTP defers. */
+
+  if (!f.queue_2stage || addr->basic_errno != 0)
+    deferral_log(addr, now, logflags, driver_name, driver_kind);
+  }
+
+
+/* Hard failure. If there is an address to which an error message can be sent,
+put this address on the failed list. If not, put it on the deferred list and
+freeze the mail message for human attention. The latter action can also be
+explicitly requested by a router or transport. */
+
+else
+  {
+  /* If this is a delivery error, or a message for which no replies are
+  wanted, and the message's age is greater than ignore_bounce_errors_after,
+  force the af_ignore_error flag. This will cause the address to be discarded
+  later (with a log entry). */
+
+  if (!*sender_address && message_age >= ignore_bounce_errors_after)
+    addr->prop.ignore_error = TRUE;
+
+  /* Freeze the message if requested, or if this is a bounce message (or other
+  message with null sender) and this address does not have its own errors
+  address. However, don't freeze if errors are being ignored. The actual code
+  to ignore occurs later, instead of sending a message. Logging of freezing
+  occurs later, just before writing the -H file. */
+
+  if (  !addr->prop.ignore_error
+     && (  addr->special_action == SPECIAL_FREEZE
+        || (sender_address[0] == 0 && !addr->prop.errors_address)
+     )  )
+    {
+    frozen_info = addr->special_action == SPECIAL_FREEZE
+      ? US""
+      : f.sender_local && !f.local_error_message
+      ? US" (message created with -f <>)"
+      : US" (delivery error message)";
+    f.deliver_freeze = TRUE;
+    deliver_frozen_at = time(NULL);
+    update_spool = TRUE;
+
+    /* The address is put on the defer rather than the failed queue, because
+    the message is being retained. */
+
+    addr->next = addr_defer;
+    addr_defer = addr;
+    }
+
+  /* Don't put the address on the nonrecipients tree yet; wait until an
+  error message has been successfully sent. */
+
+  else
+    {
+    addr->next = addr_failed;
+    addr_failed = addr;
+    }
+
+  failure_log(addr, driver_name ? NULL : driver_kind, now);
+  }
+
+/* Ensure logging is turned on again in all cases */
+
+f.disable_logging = FALSE;
+}
+
+
+
+
+/*************************************************
+*            Address-independent error           *
+*************************************************/
+
+/* This function is called when there's an error that is not dependent on a
+particular address, such as an expansion string failure. It puts the error into
+all the addresses in a batch, logs the incident on the main and panic logs, and
+clears the expansions. It is mostly called from local_deliver(), but can be
+called for a remote delivery via findugid().
+
+Arguments:
+  logit        TRUE if (MAIN+PANIC) logging required
+  addr         the first of the chain of addresses
+  code         the error code
+  format       format string for error message, or NULL if already set in addr
+  ...          arguments for the format
+
+Returns:       nothing
+*/
+
+static void
+common_error(BOOL logit, address_item *addr, int code, uschar *format, ...)
+{
+addr->basic_errno = code;
+
+if (format)
+  {
+  va_list ap;
+  gstring * g;
+
+  va_start(ap, format);
+  g = string_vformat(NULL, SVFMT_EXTEND|SVFMT_REBUFFER, CS format, ap);
+  va_end(ap);
+  addr->message = string_from_gstring(g);
+  }
+
+for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next)
+  {
+  addr2->basic_errno = code;
+  addr2->message = addr->message;
+  }
+
+if (logit) log_write(0, LOG_MAIN|LOG_PANIC, "%s", addr->message);
+deliver_set_expansions(NULL);
+}
+
+
+
+
+/*************************************************
+*         Check a "never users" list             *
+*************************************************/
+
+/* This function is called to check whether a uid is on one of the two "never
+users" lists.
+
+Arguments:
+  uid         the uid to be checked
+  nusers      the list to be scanned; the first item in the list is the count
+
+Returns:      TRUE if the uid is on the list
+*/
+
+static BOOL
+check_never_users(uid_t uid, uid_t *nusers)
+{
+if (!nusers) return FALSE;
+for (int i = 1; i <= (int)(nusers[0]); i++) if (nusers[i] == uid) return TRUE;
+return FALSE;
+}
+
+
+
+/*************************************************
+*          Find uid and gid for a transport      *
+*************************************************/
+
+/* This function is called for both local and remote deliveries, to find the
+uid/gid under which to run the delivery. The values are taken preferentially
+from the transport (either explicit or deliver_as_creator), then from the
+address (i.e. the router), and if nothing is set, the exim uid/gid are used. If
+the resulting uid is on the "never_users" or the "fixed_never_users" list, a
+panic error is logged, and the function fails (which normally leads to delivery
+deferral).
+
+Arguments:
+  addr         the address (possibly a chain)
+  tp           the transport
+  uidp         pointer to uid field
+  gidp         pointer to gid field
+  igfp         pointer to the use_initgroups field
+
+Returns:       FALSE if failed - error has been set in address(es)
+*/
+
+static BOOL
+findugid(address_item *addr, transport_instance *tp, uid_t *uidp, gid_t *gidp,
+  BOOL *igfp)
+{
+uschar *nuname;
+BOOL gid_set = FALSE;
+
+/* Default initgroups flag comes from the transport */
+
+*igfp = tp->initgroups;
+
+/* First see if there's a gid on the transport, either fixed or expandable.
+The expanding function always logs failure itself. */
+
+if (tp->gid_set)
+  {
+  *gidp = tp->gid;
+  gid_set = TRUE;
+  }
+else if (tp->expand_gid)
+  {
+  if (!route_find_expanded_group(tp->expand_gid, tp->name, US"transport", gidp,
+    &(addr->message)))
+    {
+    common_error(FALSE, addr, ERRNO_GIDFAIL, NULL);
+    return FALSE;
+    }
+  gid_set = TRUE;
+  }
+
+/* If the transport did not set a group, see if the router did. */
+
+if (!gid_set && testflag(addr, af_gid_set))
+  {
+  *gidp = addr->gid;
+  gid_set = TRUE;
+  }
+
+/* Pick up a uid from the transport if one is set. */
+
+if (tp->uid_set) *uidp = tp->uid;
+
+/* Otherwise, try for an expandable uid field. If it ends up as a numeric id,
+it does not provide a passwd value from which a gid can be taken. */
+
+else if (tp->expand_uid)
+  {
+  struct passwd *pw;
+  if (!route_find_expanded_user(tp->expand_uid, tp->name, US"transport", &pw,
+       uidp, &(addr->message)))
+    {
+    common_error(FALSE, addr, ERRNO_UIDFAIL, NULL);
+    return FALSE;
+    }
+  if (!gid_set && pw)
+    {
+    *gidp = pw->pw_gid;
+    gid_set = TRUE;
+    }
+  }
+
+/* If the transport doesn't set the uid, test the deliver_as_creator flag. */
+
+else if (tp->deliver_as_creator)
+  {
+  *uidp = originator_uid;
+  if (!gid_set)
+    {
+    *gidp = originator_gid;
+    gid_set = TRUE;
+    }
+  }
+
+/* Otherwise see if the address specifies the uid and if so, take it and its
+initgroups flag. */
+
+else if (testflag(addr, af_uid_set))
+  {
+  *uidp = addr->uid;
+  *igfp = testflag(addr, af_initgroups);
+  }
+
+/* Nothing has specified the uid - default to the Exim user, and group if the
+gid is not set. */
+
+else
+  {
+  *uidp = exim_uid;
+  if (!gid_set)
+    {
+    *gidp = exim_gid;
+    gid_set = TRUE;
+    }
+  }
+
+/* If no gid is set, it is a disaster. We default to the Exim gid only if
+defaulting to the Exim uid. In other words, if the configuration has specified
+a uid, it must also provide a gid. */
+
+if (!gid_set)
+  {
+  common_error(TRUE, addr, ERRNO_GIDFAIL, US"User set without group for "
+    "%s transport", tp->name);
+  return FALSE;
+  }
+
+/* Check that the uid is not on the lists of banned uids that may not be used
+for delivery processes. */
+
+nuname = check_never_users(*uidp, never_users)
+  ? US"never_users"
+  : check_never_users(*uidp, fixed_never_users)
+  ? US"fixed_never_users"
+  : NULL;
+if (nuname)
+  {
+  common_error(TRUE, addr, ERRNO_UIDFAIL, US"User %ld set for %s transport "
+    "is on the %s list", (long int)(*uidp), tp->name, nuname);
+  return FALSE;
+  }
+
+/* All is well */
+
+return TRUE;
+}
+
+
+
+
+/*************************************************
+*   Check the size of a message for a transport  *
+*************************************************/
+
+/* Checks that the message isn't too big for the selected transport.
+This is called only when it is known that the limit is set.
+
+Arguments:
+  tp          the transport
+  addr        the (first) address being delivered
+
+Returns:      OK
+              DEFER   expansion failed or did not yield an integer
+              FAIL    message too big
+*/
+
+int
+check_message_size(transport_instance *tp, address_item *addr)
+{
+int rc = OK;
+int size_limit;
+
+deliver_set_expansions(addr);
+size_limit = expand_string_integer(tp->message_size_limit, TRUE);
+deliver_set_expansions(NULL);
+
+if (expand_string_message)
+  {
+  rc = DEFER;
+  addr->message = size_limit == -1
+    ? string_sprintf("failed to expand message_size_limit "
+      "in %s transport: %s", tp->name, expand_string_message)
+    : string_sprintf("invalid message_size_limit "
+      "in %s transport: %s", tp->name, expand_string_message);
+  }
+else if (size_limit > 0 && message_size > size_limit)
+  {
+  rc = FAIL;
+  addr->message =
+    string_sprintf("message is too big (transport limit = %d)",
+      size_limit);
+  }
+
+return rc;
+}
+
+
+
+/*************************************************
+*  Transport-time check for a previous delivery  *
+*************************************************/
+
+/* Check that this base address hasn't previously been delivered to its routed
+transport. If it has been delivered, mark it done. The check is necessary at
+delivery time in order to handle homonymic addresses correctly in cases where
+the pattern of redirection changes between delivery attempts (so the unique
+fields change). Non-homonymic previous delivery is detected earlier, at routing
+time (which saves unnecessary routing).
+
+Arguments:
+  addr      the address item
+  testing   TRUE if testing wanted only, without side effects
+
+Returns:    TRUE if previously delivered by the transport
+*/
+
+static BOOL
+previously_transported(address_item *addr, BOOL testing)
+{
+uschar * s = string_sprintf("%s/%s",
+  addr->unique + (testflag(addr, af_homonym)? 3:0), addr->transport->name);
+
+if (tree_search(tree_nonrecipients, s) != 0)
+  {
+  DEBUG(D_deliver|D_route|D_transport)
+    debug_printf("%s was previously delivered (%s transport): discarded\n",
+    addr->address, addr->transport->name);
+  if (!testing) child_done(addr, tod_stamp(tod_log));
+  return TRUE;
+  }
+
+return FALSE;
+}
+
+
+
+/******************************************************
+*      Check for a given header in a header string    *
+******************************************************/
+
+/* This function is used when generating quota warnings. The configuration may
+specify any header lines it likes in quota_warn_message. If certain of them are
+missing, defaults are inserted, so we need to be able to test for the presence
+of a given header.
+
+Arguments:
+  hdr         the required header name
+  hstring     the header string
+
+Returns:      TRUE  the header is in the string
+              FALSE the header is not in the string
+*/
+
+static BOOL
+contains_header(uschar *hdr, uschar *hstring)
+{
+int len = Ustrlen(hdr);
+uschar *p = hstring;
+while (*p != 0)
+  {
+  if (strncmpic(p, hdr, len) == 0)
+    {
+    p += len;
+    while (*p == ' ' || *p == '\t') p++;
+    if (*p == ':') return TRUE;
+    }
+  while (*p != 0 && *p != '\n') p++;
+  if (*p == '\n') p++;
+  }
+return FALSE;
+}
+
+
+
+
+/*************************************************
+*           Perform a local delivery             *
+*************************************************/
+
+/* Each local delivery is performed in a separate process which sets its
+uid and gid as specified. This is a safer way than simply changing and
+restoring using seteuid(); there is a body of opinion that seteuid()
+cannot be used safely. From release 4, Exim no longer makes any use of
+it for delivery. Besides, not all systems have seteuid().
+
+If the uid/gid are specified in the transport_instance, they are used; the
+transport initialization must ensure that either both or neither are set.
+Otherwise, the values associated with the address are used. If neither are set,
+it is a configuration error.
+
+The transport or the address may specify a home directory (transport over-
+rides), and if they do, this is set as $home. If neither have set a working
+directory, this value is used for that as well. Otherwise $home is left unset
+and the cwd is set to "/" - a directory that should be accessible to all users.
+
+Using a separate process makes it more complicated to get error information
+back. We use a pipe to pass the return code and also an error code and error
+text string back to the parent process.
+
+Arguments:
+  addr       points to an address block for this delivery; for "normal" local
+             deliveries this is the only address to be delivered, but for
+             pseudo-remote deliveries (e.g. by batch SMTP to a file or pipe)
+             a number of addresses can be handled simultaneously, and in this
+             case addr will point to a chain of addresses with the same
+             characteristics.
+
+  shadowing  TRUE if running a shadow transport; this causes output from pipes
+             to be ignored.
+
+Returns:     nothing
+*/
+
+void
+deliver_local(address_item *addr, BOOL shadowing)
+{
+BOOL use_initgroups;
+uid_t uid;
+gid_t gid;
+int status, len, rc;
+int pfd[2];
+pid_t pid;
+uschar *working_directory;
+address_item *addr2;
+transport_instance *tp = addr->transport;
+
+/* Set up the return path from the errors or sender address. If the transport
+has its own return path setting, expand it and replace the existing value. */
+
+if(addr->prop.errors_address)
+  return_path = addr->prop.errors_address;
+else
+  return_path = sender_address;
+
+if (tp->return_path)
+  {
+  uschar * new_return_path = expand_string(tp->return_path);
+  if (new_return_path)
+    return_path = new_return_path;
+  else if (!f.expand_string_forcedfail)
+    {
+    common_error(TRUE, addr, ERRNO_EXPANDFAIL,
+      US"Failed to expand return path \"%s\" in %s transport: %s",
+      tp->return_path, tp->name, expand_string_message);
+    return;
+    }
+  }
+
+/* For local deliveries, one at a time, the value used for logging can just be
+set directly, once and for all. */
+
+used_return_path = return_path;
+
+/* Sort out the uid, gid, and initgroups flag. If an error occurs, the message
+gets put into the address(es), and the expansions are unset, so we can just
+return. */
+
+if (!findugid(addr, tp, &uid, &gid, &use_initgroups)) return;
+
+/* See if either the transport or the address specifies a home directory. A
+home directory set in the address may already be expanded; a flag is set to
+indicate that. In other cases we must expand it. */
+
+if (  (deliver_home = tp->home_dir)		/* Set in transport, or */
+   || (  (deliver_home = addr->home_dir)	/* Set in address and */
+      && !testflag(addr, af_home_expanded)	/*   not expanded */
+   )  )
+  {
+  uschar *rawhome = deliver_home;
+  deliver_home = NULL;                      /* in case it contains $home */
+  if (!(deliver_home = expand_string(rawhome)))
+    {
+    common_error(TRUE, addr, ERRNO_EXPANDFAIL, US"home directory \"%s\" failed "
+      "to expand for %s transport: %s", rawhome, tp->name,
+      expand_string_message);
+    return;
+    }
+  if (*deliver_home != '/')
+    {
+    common_error(TRUE, addr, ERRNO_NOTABSOLUTE, US"home directory path \"%s\" "
+      "is not absolute for %s transport", deliver_home, tp->name);
+    return;
+    }
+  }
+
+/* See if either the transport or the address specifies a current directory,
+and if so, expand it. If nothing is set, use the home directory, unless it is
+also unset in which case use "/", which is assumed to be a directory to which
+all users have access. It is necessary to be in a visible directory for some
+operating systems when running pipes, as some commands (e.g. "rm" under Solaris
+2.5) require this. */
+
+working_directory = tp->current_dir ? tp->current_dir : addr->current_dir;
+if (working_directory)
+  {
+  uschar *raw = working_directory;
+  if (!(working_directory = expand_string(raw)))
+    {
+    common_error(TRUE, addr, ERRNO_EXPANDFAIL, US"current directory \"%s\" "
+      "failed to expand for %s transport: %s", raw, tp->name,
+      expand_string_message);
+    return;
+    }
+  if (*working_directory != '/')
+    {
+    common_error(TRUE, addr, ERRNO_NOTABSOLUTE, US"current directory path "
+      "\"%s\" is not absolute for %s transport", working_directory, tp->name);
+    return;
+    }
+  }
+else working_directory = deliver_home ? deliver_home : US"/";
+
+/* If one of the return_output flags is set on the transport, create and open a
+file in the message log directory for the transport to write its output onto.
+This is mainly used by pipe transports. The file needs to be unique to the
+address. This feature is not available for shadow transports. */
+
+if (  !shadowing
+   && (  tp->return_output || tp->return_fail_output
+      || tp->log_output || tp->log_fail_output || tp->log_defer_output
+   )  )
+  {
+  uschar * error;
+
+  addr->return_filename =
+    spool_fname(US"msglog", message_subdir, message_id,
+      string_sprintf("-%d-%d", getpid(), return_count++));
+
+  if ((addr->return_file = open_msglog_file(addr->return_filename, 0400, &error)) < 0)
+    {
+    common_error(TRUE, addr, errno, US"Unable to %s file for %s transport "
+      "to return message: %s", error, tp->name, strerror(errno));
+    return;
+    }
+  }
+
+/* Create the pipe for inter-process communication. */
+
+if (pipe(pfd) != 0)
+  {
+  common_error(TRUE, addr, ERRNO_PIPEFAIL, US"Creation of pipe failed: %s",
+    strerror(errno));
+  return;
+  }
+
+/* Now fork the process to do the real work in the subprocess, but first
+ensure that all cached resources are freed so that the subprocess starts with
+a clean slate and doesn't interfere with the parent process. */
+
+search_tidyup();
+
+if ((pid = exim_fork(US"delivery-local")) == 0)
+  {
+  BOOL replicate = TRUE;
+
+  /* Prevent core dumps, as we don't want them in users' home directories.
+  HP-UX doesn't have RLIMIT_CORE; I don't know how to do this in that
+  system. Some experimental/developing systems (e.g. GNU/Hurd) may define
+  RLIMIT_CORE but not support it in setrlimit(). For such systems, do not
+  complain if the error is "not supported".
+
+  There are two scenarios where changing the max limit has an effect.  In one,
+  the user is using a .forward and invoking a command of their choice via pipe;
+  for these, we do need the max limit to be 0 unless the admin chooses to
+  permit an increased limit.  In the other, the command is invoked directly by
+  the transport and is under administrator control, thus being able to raise
+  the limit aids in debugging.  So there's no general always-right answer.
+
+  Thus we inhibit core-dumps completely but let individual transports, while
+  still root, re-raise the limits back up to aid debugging.  We make the
+  default be no core-dumps -- few enough people can use core dumps in
+  diagnosis that it's reasonable to make them something that has to be explicitly requested.
+  */
+
+#ifdef RLIMIT_CORE
+  struct rlimit rl;
+  rl.rlim_cur = 0;
+  rl.rlim_max = 0;
+  if (setrlimit(RLIMIT_CORE, &rl) < 0)
+    {
+# ifdef SETRLIMIT_NOT_SUPPORTED
+    if (errno != ENOSYS && errno != ENOTSUP)
+# endif
+      log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_CORE) failed: %s",
+        strerror(errno));
+    }
+#endif
+
+  /* Reset the random number generator, so different processes don't all
+  have the same sequence. */
+
+  random_seed = 0;
+
+  /* If the transport has a setup entry, call this first, while still
+  privileged. (Appendfile uses this to expand quota, for example, while
+  able to read private files.) */
+
+  if (addr->transport->setup)
+    switch((addr->transport->setup)(addr->transport, addr, NULL, uid, gid,
+           &(addr->message)))
+      {
+      case DEFER:
+	addr->transport_return = DEFER;
+	goto PASS_BACK;
+
+      case FAIL:
+	addr->transport_return = PANIC;
+	goto PASS_BACK;
+      }
+
+  /* Ignore SIGINT and SIGTERM during delivery. Also ignore SIGUSR1, as
+  when the process becomes unprivileged, it won't be able to write to the
+  process log. SIGHUP is ignored throughout exim, except when it is being
+  run as a daemon. */
+
+  signal(SIGINT, SIG_IGN);
+  signal(SIGTERM, SIG_IGN);
+  signal(SIGUSR1, SIG_IGN);
+
+  /* Close the unwanted half of the pipe, and set close-on-exec for the other
+  half - for transports that exec things (e.g. pipe). Then set the required
+  gid/uid. */
+
+  (void)close(pfd[pipe_read]);
+  (void)fcntl(pfd[pipe_write], F_SETFD, fcntl(pfd[pipe_write], F_GETFD) |
+    FD_CLOEXEC);
+  exim_setugid(uid, gid, use_initgroups,
+    string_sprintf("local delivery to %s <%s> transport=%s", addr->local_part,
+      addr->address, addr->transport->name));
+
+  DEBUG(D_deliver)
+    {
+    debug_printf("  home=%s current=%s\n", deliver_home, working_directory);
+    for (address_item * batched = addr->next; batched; batched = batched->next)
+      debug_printf("additional batched address: %s\n", batched->address);
+    }
+
+  /* Set an appropriate working directory. */
+
+  if (Uchdir(working_directory) < 0)
+    {
+    addr->transport_return = DEFER;
+    addr->basic_errno = errno;
+    addr->message = string_sprintf("failed to chdir to %s", working_directory);
+    }
+
+  /* If successful, call the transport */
+
+  else
+    {
+    BOOL ok = TRUE;
+    set_process_info("delivering %s to %s using %s", message_id,
+     addr->local_part, tp->name);
+
+    /* Setting these globals in the subprocess means we need never clear them */
+    transport_name = addr->transport->name;
+    driver_srcfile = tp->srcfile;
+    driver_srcline = tp->srcline;
+
+    /* If a transport filter has been specified, set up its argument list.
+    Any errors will get put into the address, and FALSE yielded. */
+
+    if (tp->filter_command)
+      {
+      ok = transport_set_up_command(&transport_filter_argv,
+        tp->filter_command,
+        TRUE, PANIC, addr, FALSE, US"transport filter", NULL);
+      transport_filter_timeout = tp->filter_timeout;
+      }
+    else transport_filter_argv = NULL;
+
+    if (ok)
+      {
+      debug_print_string(tp->debug_string);
+      replicate = !(tp->info->code)(addr->transport, addr);
+      }
+    }
+
+  /* Pass the results back down the pipe. If necessary, first replicate the
+  status in the top address to the others in the batch. The label is the
+  subject of a goto when a call to the transport's setup function fails. We
+  pass the pointer to the transport back in case it got changed as a result of
+  file_format in appendfile. */
+
+  PASS_BACK:
+
+  if (replicate) replicate_status(addr);
+  for (addr2 = addr; addr2; addr2 = addr2->next)
+    {
+    int i;
+    int local_part_length = Ustrlen(addr2->local_part);
+    uschar *s;
+    int ret;
+
+    if(  (i = addr2->transport_return, (ret = write(pfd[pipe_write], &i, sizeof(int))) != sizeof(int))
+      || (ret = write(pfd[pipe_write], &transport_count, sizeof(transport_count))) != sizeof(transport_count)
+      || (ret = write(pfd[pipe_write], &addr2->flags, sizeof(addr2->flags))) != sizeof(addr2->flags)
+      || (ret = write(pfd[pipe_write], &addr2->basic_errno,    sizeof(int))) != sizeof(int)
+      || (ret = write(pfd[pipe_write], &addr2->more_errno,     sizeof(int))) != sizeof(int)
+      || (ret = write(pfd[pipe_write], &addr2->delivery_time,  sizeof(struct timeval))) != sizeof(struct timeval)
+      || (i = addr2->special_action, (ret = write(pfd[pipe_write], &i, sizeof(int))) != sizeof(int))
+      || (ret = write(pfd[pipe_write], &addr2->transport,
+        sizeof(transport_instance *))) != sizeof(transport_instance *)
+
+    /* For a file delivery, pass back the local part, in case the original
+    was only part of the final delivery path. This gives more complete
+    logging. */
+
+      || (testflag(addr2, af_file)
+          && (  (ret = write(pfd[pipe_write], &local_part_length, sizeof(int))) != sizeof(int)
+             || (ret = write(pfd[pipe_write], addr2->local_part, local_part_length)) != local_part_length
+	     )
+	 )
+      )
+      log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s",
+	ret == -1 ? strerror(errno) : "short write");
+
+    /* Now any messages */
+
+    for (i = 0, s = addr2->message; i < 2; i++, s = addr2->user_message)
+      {
+      int message_length = s ? Ustrlen(s) + 1 : 0;
+      if(  (ret = write(pfd[pipe_write], &message_length, sizeof(int))) != sizeof(int)
+        || message_length > 0  && (ret = write(pfd[pipe_write], s, message_length)) != message_length
+	)
+        log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s",
+	  ret == -1 ? strerror(errno) : "short write");
+      }
+    }
+
+  /* OK, this process is now done. Free any cached resources that it opened,
+  and close the pipe we were writing down before exiting. */
+
+  (void)close(pfd[pipe_write]);
+  search_tidyup();
+  exit(EXIT_SUCCESS);
+  }
+
+/* Back in the main process: panic if the fork did not succeed. This seems
+better than returning an error - if forking is failing it is probably best
+not to try other deliveries for this message. */
+
+if (pid < 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Fork failed for local delivery to %s",
+    addr->address);
+
+/* Read the pipe to get the delivery status codes and error messages. Our copy
+of the writing end must be closed first, as otherwise read() won't return zero
+on an empty pipe. We check that a status exists for each address before
+overwriting the address structure. If data is missing, the default DEFER status
+will remain. Afterwards, close the reading end. */
+
+(void)close(pfd[pipe_write]);
+
+for (addr2 = addr; addr2; addr2 = addr2->next)
+  {
+  if ((len = read(pfd[pipe_read], &status, sizeof(int))) > 0)
+    {
+    int i;
+    uschar **sptr;
+
+    addr2->transport_return = status;
+    len = read(pfd[pipe_read], &transport_count,
+      sizeof(transport_count));
+    len = read(pfd[pipe_read], &addr2->flags, sizeof(addr2->flags));
+    len = read(pfd[pipe_read], &addr2->basic_errno,    sizeof(int));
+    len = read(pfd[pipe_read], &addr2->more_errno,     sizeof(int));
+    len = read(pfd[pipe_read], &addr2->delivery_time,  sizeof(struct timeval));
+    len = read(pfd[pipe_read], &i, sizeof(int)); addr2->special_action = i;
+    len = read(pfd[pipe_read], &addr2->transport,
+      sizeof(transport_instance *));
+
+    if (testflag(addr2, af_file))
+      {
+      int llen;
+      if (  read(pfd[pipe_read], &llen, sizeof(int)) != sizeof(int)
+	 || llen > 64*4	/* limit from rfc 5821, times I18N factor */
+         )
+	{
+	log_write(0, LOG_MAIN|LOG_PANIC, "bad local_part length read"
+	  " from delivery subprocess");
+	break;
+	}
+      /* sanity-checked llen so disable the Coverity error */
+      /* coverity[tainted_data] */
+      if (read(pfd[pipe_read], big_buffer, llen) != llen)
+	{
+	log_write(0, LOG_MAIN|LOG_PANIC, "bad local_part read"
+	  " from delivery subprocess");
+	break;
+	}
+      big_buffer[llen] = 0;
+      addr2->local_part = string_copy(big_buffer);
+      }
+
+    for (i = 0, sptr = &addr2->message; i < 2; i++, sptr = &addr2->user_message)
+      {
+      int message_length;
+      len = read(pfd[pipe_read], &message_length, sizeof(int));
+      if (message_length > 0)
+        {
+        len = read(pfd[pipe_read], big_buffer, message_length);
+	big_buffer[big_buffer_size-1] = '\0';		/* guard byte */
+        if (len > 0) *sptr = string_copy(big_buffer);
+        }
+      }
+    }
+
+  else
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "failed to read delivery status for %s "
+      "from delivery subprocess", addr2->unique);
+    break;
+    }
+  }
+
+(void)close(pfd[pipe_read]);
+
+/* Unless shadowing, write all successful addresses immediately to the journal
+file, to ensure they are recorded asap. For homonymic addresses, use the base
+address plus the transport name. Failure to write the journal is panic-worthy,
+but don't stop, as it may prove possible subsequently to update the spool file
+in order to record the delivery. */
+
+if (!shadowing)
+  {
+  for (addr2 = addr; addr2; addr2 = addr2->next)
+    if (addr2->transport_return == OK)
+      {
+      if (testflag(addr2, af_homonym))
+	sprintf(CS big_buffer, "%.500s/%s\n", addr2->unique + 3, tp->name);
+      else
+	sprintf(CS big_buffer, "%.500s\n", addr2->unique);
+
+      /* In the test harness, wait just a bit to let the subprocess finish off
+      any debug output etc first. */
+
+      testharness_pause_ms(300);
+
+      DEBUG(D_deliver) debug_printf("journalling %s", big_buffer);
+      len = Ustrlen(big_buffer);
+      if (write(journal_fd, big_buffer, len) != len)
+	log_write(0, LOG_MAIN|LOG_PANIC, "failed to update journal for %s: %s",
+	  big_buffer, strerror(errno));
+      }
+
+  /* Ensure the journal file is pushed out to disk. */
+
+  if (EXIMfsync(journal_fd) < 0)
+    log_write(0, LOG_MAIN|LOG_PANIC, "failed to fsync journal: %s",
+      strerror(errno));
+  }
+
+/* Wait for the process to finish. If it terminates with a non-zero code,
+freeze the message (except for SIGTERM, SIGKILL and SIGQUIT), but leave the
+status values of all the addresses as they are. Take care to handle the case
+when the subprocess doesn't seem to exist. This has been seen on one system
+when Exim was called from an MUA that set SIGCHLD to SIG_IGN. When that
+happens, wait() doesn't recognize the termination of child processes. Exim now
+resets SIGCHLD to SIG_DFL, but this code should still be robust. */
+
+while ((rc = wait(&status)) != pid)
+  if (rc < 0 && errno == ECHILD)      /* Process has vanished */
+    {
+    log_write(0, LOG_MAIN, "%s transport process vanished unexpectedly",
+      addr->transport->driver_name);
+    status = 0;
+    break;
+    }
+
+if ((status & 0xffff) != 0)
+  {
+  int msb = (status >> 8) & 255;
+  int lsb = status & 255;
+  int code = (msb == 0)? (lsb & 0x7f) : msb;
+  if (msb != 0 || (code != SIGTERM && code != SIGKILL && code != SIGQUIT))
+    addr->special_action = SPECIAL_FREEZE;
+  log_write(0, LOG_MAIN|LOG_PANIC, "%s transport process returned non-zero "
+    "status 0x%04x: %s %d",
+    addr->transport->driver_name,
+    status,
+    msb == 0 ? "terminated by signal" : "exit code",
+    code);
+  }
+
+/* If SPECIAL_WARN is set in the top address, send a warning message. */
+
+if (addr->special_action == SPECIAL_WARN && addr->transport->warn_message)
+  {
+  int fd;
+  uschar *warn_message;
+  pid_t pid;
+
+  DEBUG(D_deliver) debug_printf("Warning message requested by transport\n");
+
+  if (!(warn_message = expand_string(addr->transport->warn_message)))
+    log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand \"%s\" (warning "
+      "message for %s transport): %s", addr->transport->warn_message,
+      addr->transport->name, expand_string_message);
+
+  else if ((pid = child_open_exim(&fd, US"tpt-warning-message")) > 0)
+    {
+    FILE *f = fdopen(fd, "wb");
+    if (errors_reply_to && !contains_header(US"Reply-To", warn_message))
+      fprintf(f, "Reply-To: %s\n", errors_reply_to);
+    fprintf(f, "Auto-Submitted: auto-replied\n");
+    if (!contains_header(US"From", warn_message))
+      moan_write_from(f);
+    fprintf(f, "%s", CS warn_message);
+
+    /* Close and wait for child process to complete, without a timeout. */
+
+    (void)fclose(f);
+    (void)child_close(pid, 0);
+    }
+
+  addr->special_action = SPECIAL_NONE;
+  }
+}
+
+
+
+
+/* Check transport for the given concurrency limit.  Return TRUE if over
+the limit (or an expansion failure), else FALSE and if there was a limit,
+the key for the hints database used for the concurrency count. */
+
+static BOOL
+tpt_parallel_check(transport_instance * tp, address_item * addr, uschar ** key)
+{
+unsigned max_parallel;
+
+if (!tp->max_parallel) return FALSE;
+
+max_parallel = (unsigned) expand_string_integer(tp->max_parallel, TRUE);
+if (expand_string_message)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand max_parallel option "
+	"in %s transport (%s): %s", tp->name, addr->address,
+	expand_string_message);
+  return TRUE;
+  }
+
+if (max_parallel > 0)
+  {
+  uschar * serialize_key = string_sprintf("tpt-serialize-%s", tp->name);
+  if (!enq_start(serialize_key, max_parallel))
+    {
+    address_item * next;
+    DEBUG(D_transport)
+      debug_printf("skipping tpt %s because concurrency limit %u reached\n",
+		  tp->name, max_parallel);
+    do
+      {
+      next = addr->next;
+      addr->message = US"concurrency limit reached for transport";
+      addr->basic_errno = ERRNO_TRETRY;
+      post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_TRANSPORT, 0);
+      } while ((addr = next));
+    return TRUE;
+    }
+  *key = serialize_key;
+  }
+return FALSE;
+}
+
+
+
+/*************************************************
+*              Do local deliveries               *
+*************************************************/
+
+/* This function processes the list of addresses in addr_local. True local
+deliveries are always done one address at a time. However, local deliveries can
+be batched up in some cases. Typically this is when writing batched SMTP output
+files for use by some external transport mechanism, or when running local
+deliveries over LMTP.
+
+Arguments:   None
+Returns:     Nothing
+*/
+
+static void
+do_local_deliveries(void)
+{
+open_db dbblock;
+open_db *dbm_file = NULL;
+time_t now = time(NULL);
+
+/* Loop until we have exhausted the supply of local deliveries */
+
+while (addr_local)
+  {
+  struct timeval delivery_start;
+  struct timeval deliver_time;
+  address_item *addr2, *addr3, *nextaddr;
+  int logflags = LOG_MAIN;
+  int logchar = f.dont_deliver? '*' : '=';
+  transport_instance *tp;
+  uschar * serialize_key = NULL;
+
+  /* Pick the first undelivered address off the chain */
+
+  address_item *addr = addr_local;
+  addr_local = addr->next;
+  addr->next = NULL;
+
+  DEBUG(D_deliver|D_transport)
+    debug_printf("--------> %s <--------\n", addr->address);
+
+  /* An internal disaster if there is no transport. Should not occur! */
+
+  if (!(tp = addr->transport))
+    {
+    logflags |= LOG_PANIC;
+    f.disable_logging = FALSE;  /* Jic */
+    addr->message = addr->router
+      ? string_sprintf("No transport set by %s router", addr->router->name)
+      : US"No transport set by system filter";
+    post_process_one(addr, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
+    continue;
+    }
+
+  /* Check that this base address hasn't previously been delivered to this
+  transport. The check is necessary at this point to handle homonymic addresses
+  correctly in cases where the pattern of redirection changes between delivery
+  attempts. Non-homonymic previous delivery is detected earlier, at routing
+  time. */
+
+  if (previously_transported(addr, FALSE)) continue;
+
+  /* There are weird cases where logging is disabled */
+
+  f.disable_logging = tp->disable_logging;
+
+  /* Check for batched addresses and possible amalgamation. Skip all the work
+  if either batch_max <= 1 or there aren't any other addresses for local
+  delivery. */
+
+  if (tp->batch_max > 1 && addr_local)
+    {
+    int batch_count = 1;
+    BOOL uses_dom = readconf_depends((driver_instance *)tp, US"domain");
+    BOOL uses_lp = (  testflag(addr, af_pfr)
+		   && (testflag(addr, af_file) || addr->local_part[0] == '|')
+		   )
+		|| readconf_depends((driver_instance *)tp, US"local_part");
+    uschar *batch_id = NULL;
+    address_item **anchor = &addr_local;
+    address_item *last = addr;
+    address_item *next;
+
+    /* Expand the batch_id string for comparison with other addresses.
+    Expansion failure suppresses batching. */
+
+    if (tp->batch_id)
+      {
+      deliver_set_expansions(addr);
+      batch_id = expand_string(tp->batch_id);
+      deliver_set_expansions(NULL);
+      if (!batch_id)
+        {
+        log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand batch_id option "
+          "in %s transport (%s): %s", tp->name, addr->address,
+          expand_string_message);
+        batch_count = tp->batch_max;
+        }
+      }
+
+    /* Until we reach the batch_max limit, pick off addresses which have the
+    same characteristics. These are:
+
+      same transport
+      not previously delivered (see comment about 50 lines above)
+      same local part if the transport's configuration contains $local_part
+        or if this is a file or pipe delivery from a redirection
+      same domain if the transport's configuration contains $domain
+      same errors address
+      same additional headers
+      same headers to be removed
+      same uid/gid for running the transport
+      same first host if a host list is set
+    */
+
+    while ((next = *anchor) && batch_count < tp->batch_max)
+      {
+      BOOL ok =
+           tp == next->transport
+	&& !previously_transported(next, TRUE)
+	&& testflag(addr, af_pfr) == testflag(next, af_pfr)
+	&& testflag(addr, af_file) == testflag(next, af_file)
+	&& (!uses_lp  || Ustrcmp(next->local_part, addr->local_part) == 0)
+	&& (!uses_dom || Ustrcmp(next->domain, addr->domain) == 0)
+	&& same_strings(next->prop.errors_address, addr->prop.errors_address)
+	&& same_headers(next->prop.extra_headers, addr->prop.extra_headers)
+	&& same_strings(next->prop.remove_headers, addr->prop.remove_headers)
+	&& same_ugid(tp, addr, next)
+	&& (  !addr->host_list && !next->host_list
+	   ||    addr->host_list
+	      && next->host_list
+	      && Ustrcmp(addr->host_list->name, next->host_list->name) == 0
+	   );
+
+      /* If the transport has a batch_id setting, batch_id will be non-NULL
+      from the expansion outside the loop. Expand for this address and compare.
+      Expansion failure makes this address ineligible for batching. */
+
+      if (ok && batch_id)
+        {
+        uschar *bid;
+        address_item *save_nextnext = next->next;
+        next->next = NULL;            /* Expansion for a single address */
+        deliver_set_expansions(next);
+        next->next = save_nextnext;
+        bid = expand_string(tp->batch_id);
+        deliver_set_expansions(NULL);
+        if (!bid)
+          {
+          log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand batch_id option "
+            "in %s transport (%s): %s", tp->name, next->address,
+            expand_string_message);
+          ok = FALSE;
+          }
+        else ok = (Ustrcmp(batch_id, bid) == 0);
+        }
+
+      /* Take address into batch if OK. */
+
+      if (ok)
+        {
+        *anchor = next->next;           /* Include the address */
+        next->next = NULL;
+        last->next = next;
+        last = next;
+        batch_count++;
+        }
+      else anchor = &next->next;        /* Skip the address */
+      }
+    }
+
+  /* We now have one or more addresses that can be delivered in a batch. Check
+  whether the transport is prepared to accept a message of this size. If not,
+  fail them all forthwith. If the expansion fails, or does not yield an
+  integer, defer delivery. */
+
+  if (tp->message_size_limit)
+    {
+    int rc = check_message_size(tp, addr);
+    if (rc != OK)
+      {
+      replicate_status(addr);
+      while (addr)
+        {
+        addr2 = addr->next;
+        post_process_one(addr, rc, logflags, EXIM_DTYPE_TRANSPORT, 0);
+        addr = addr2;
+        }
+      continue;    /* With next batch of addresses */
+      }
+    }
+
+  /* If we are not running the queue, or if forcing, all deliveries will be
+  attempted. Otherwise, we must respect the retry times for each address. Even
+  when not doing this, we need to set up the retry key string, and determine
+  whether a retry record exists, because after a successful delivery, a delete
+  retry item must be set up. Keep the retry database open only for the duration
+  of these checks, rather than for all local deliveries, because some local
+  deliveries (e.g. to pipes) can take a substantial time. */
+
+  if (!(dbm_file = dbfn_open(US"retry", O_RDONLY, &dbblock, FALSE, TRUE)))
+    DEBUG(D_deliver|D_retry|D_hints_lookup)
+      debug_printf("no retry data available\n");
+
+  addr2 = addr;
+  addr3 = NULL;
+  while (addr2)
+    {
+    BOOL ok = TRUE;   /* to deliver this address */
+    uschar *retry_key;
+
+    /* Set up the retry key to include the domain or not, and change its
+    leading character from "R" to "T". Must make a copy before doing this,
+    because the old key may be pointed to from a "delete" retry item after
+    a routing delay. */
+
+    retry_key = string_copy(
+      tp->retry_use_local_part ? addr2->address_retry_key :
+        addr2->domain_retry_key);
+    *retry_key = 'T';
+
+    /* Inspect the retry data. If there is no hints file, delivery happens. */
+
+    if (dbm_file)
+      {
+      dbdata_retry *retry_record = dbfn_read(dbm_file, retry_key);
+
+      /* If there is no retry record, delivery happens. If there is,
+      remember it exists so it can be deleted after a successful delivery. */
+
+      if (retry_record)
+        {
+        setflag(addr2, af_lt_retry_exists);
+
+        /* A retry record exists for this address. If queue running and not
+        forcing, inspect its contents. If the record is too old, or if its
+        retry time has come, or if it has passed its cutoff time, delivery
+        will go ahead. */
+
+        DEBUG(D_retry)
+          {
+          debug_printf("retry record exists: age=%s ",
+            readconf_printtime(now - retry_record->time_stamp));
+          debug_printf("(max %s)\n", readconf_printtime(retry_data_expire));
+          debug_printf("  time to retry = %s expired = %d\n",
+            readconf_printtime(retry_record->next_try - now),
+            retry_record->expired);
+          }
+
+        if (f.queue_running && !f.deliver_force)
+          {
+          ok = (now - retry_record->time_stamp > retry_data_expire)
+	    || (now >= retry_record->next_try)
+	    || retry_record->expired;
+
+          /* If we haven't reached the retry time, there is one more check
+          to do, which is for the ultimate address timeout. */
+
+          if (!ok)
+            ok = retry_ultimate_address_timeout(retry_key, addr2->domain,
+                retry_record, now);
+          }
+        }
+      else DEBUG(D_retry) debug_printf("no retry record exists\n");
+      }
+
+    /* This address is to be delivered. Leave it on the chain. */
+
+    if (ok)
+      {
+      addr3 = addr2;
+      addr2 = addr2->next;
+      }
+
+    /* This address is to be deferred. Take it out of the chain, and
+    post-process it as complete. Must take it out of the chain first,
+    because post processing puts it on another chain. */
+
+    else
+      {
+      address_item *this = addr2;
+      this->message = US"Retry time not yet reached";
+      this->basic_errno = ERRNO_LRETRY;
+      addr2 = addr3 ? (addr3->next = addr2->next)
+		    : (addr = addr2->next);
+      post_process_one(this, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
+      }
+    }
+
+  if (dbm_file) dbfn_close(dbm_file);
+
+  /* If there are no addresses left on the chain, they all deferred. Loop
+  for the next set of addresses. */
+
+  if (!addr) continue;
+
+  /* If the transport is limited for parallellism, enforce that here.
+  We use a hints DB entry, incremented here and decremented after
+  the transport (and any shadow transport) completes. */
+
+  if (tpt_parallel_check(tp, addr, &serialize_key))
+    {
+    if (expand_string_message)
+      {
+      logflags |= LOG_PANIC;
+      do
+	{
+	addr = addr->next;
+	post_process_one(addr, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
+	} while ((addr = addr2));
+      }
+    continue;			/* Loop for the next set of addresses. */
+    }
+
+
+  /* So, finally, we do have some addresses that can be passed to the
+  transport. Before doing so, set up variables that are relevant to a
+  single delivery. */
+
+  deliver_set_expansions(addr);
+
+  gettimeofday(&delivery_start, NULL);
+  deliver_local(addr, FALSE);
+  timesince(&deliver_time, &delivery_start);
+
+  /* If a shadow transport (which must perforce be another local transport), is
+  defined, and its condition is met, we must pass the message to the shadow
+  too, but only those addresses that succeeded. We do this by making a new
+  chain of addresses - also to keep the original chain uncontaminated. We must
+  use a chain rather than doing it one by one, because the shadow transport may
+  batch.
+
+  NOTE: if the condition fails because of a lookup defer, there is nothing we
+  can do! */
+
+  if (  tp->shadow
+     && (  !tp->shadow_condition
+        || expand_check_condition(tp->shadow_condition, tp->name, US"transport")
+     )  )
+    {
+    transport_instance *stp;
+    address_item *shadow_addr = NULL;
+    address_item **last = &shadow_addr;
+
+    for (stp = transports; stp; stp = stp->next)
+      if (Ustrcmp(stp->name, tp->shadow) == 0) break;
+
+    if (!stp)
+      log_write(0, LOG_MAIN|LOG_PANIC, "shadow transport \"%s\" not found ",
+        tp->shadow);
+
+    /* Pick off the addresses that have succeeded, and make clones. Put into
+    the shadow_message field a pointer to the shadow_message field of the real
+    address. */
+
+    else for (addr2 = addr; addr2; addr2 = addr2->next)
+      if (addr2->transport_return == OK)
+	{
+	addr3 = store_get(sizeof(address_item), GET_UNTAINTED);
+	*addr3 = *addr2;
+	addr3->next = NULL;
+	addr3->shadow_message = US &addr2->shadow_message;
+	addr3->transport = stp;
+	addr3->transport_return = DEFER;
+	addr3->return_filename = NULL;
+	addr3->return_file = -1;
+	*last = addr3;
+	last = &addr3->next;
+	}
+
+    /* If we found any addresses to shadow, run the delivery, and stick any
+    message back into the shadow_message field in the original. */
+
+    if (shadow_addr)
+      {
+      int save_count = transport_count;
+
+      DEBUG(D_deliver|D_transport)
+        debug_printf(">>>>>>>>>>>>>>>> Shadow delivery >>>>>>>>>>>>>>>>\n");
+      deliver_local(shadow_addr, TRUE);
+
+      for(; shadow_addr; shadow_addr = shadow_addr->next)
+        {
+        int sresult = shadow_addr->transport_return;
+        *(uschar **)shadow_addr->shadow_message =
+	  sresult == OK
+	  ? string_sprintf(" ST=%s", stp->name)
+	  : string_sprintf(" ST=%s (%s%s%s)", stp->name,
+	      shadow_addr->basic_errno <= 0
+	      ? US""
+	      : US strerror(shadow_addr->basic_errno),
+	      shadow_addr->basic_errno <= 0 || !shadow_addr->message
+	      ? US""
+	      : US": ",
+	      shadow_addr->message
+	      ? shadow_addr->message
+	      : shadow_addr->basic_errno <= 0
+	      ? US"unknown error"
+	      : US"");
+
+        DEBUG(D_deliver|D_transport)
+          debug_printf("%s shadow transport returned %s for %s\n",
+            stp->name, rc_to_string(sresult), shadow_addr->address);
+        }
+
+      DEBUG(D_deliver|D_transport)
+        debug_printf(">>>>>>>>>>>>>>>> End shadow delivery >>>>>>>>>>>>>>>>\n");
+
+      transport_count = save_count;   /* Restore original transport count */
+      }
+    }
+
+  /* Cancel the expansions that were set up for the delivery. */
+
+  deliver_set_expansions(NULL);
+
+  /* If the transport was parallelism-limited, decrement the hints DB record. */
+
+  if (serialize_key) enq_end(serialize_key);
+
+  /* Now we can process the results of the real transport. We must take each
+  address off the chain first, because post_process_one() puts it on another
+  chain. */
+
+  for (addr2 = addr; addr2; addr2 = nextaddr)
+    {
+    int result = addr2->transport_return;
+    nextaddr = addr2->next;
+
+    DEBUG(D_deliver|D_transport)
+      debug_printf("%s transport returned %s for %s\n",
+        tp->name, rc_to_string(result), addr2->address);
+
+    /* If there is a retry_record, or if delivery is deferred, build a retry
+    item for setting a new retry time or deleting the old retry record from
+    the database. These items are handled all together after all addresses
+    have been handled (so the database is open just for a short time for
+    updating). */
+
+    if (result == DEFER || testflag(addr2, af_lt_retry_exists))
+      {
+      int flags = result == DEFER ? 0 : rf_delete;
+      uschar *retry_key = string_copy(tp->retry_use_local_part
+	? addr2->address_retry_key : addr2->domain_retry_key);
+      *retry_key = 'T';
+      retry_add_item(addr2, retry_key, flags);
+      }
+
+    /* Done with this address */
+
+    addr2->delivery_time = deliver_time;
+    post_process_one(addr2, result, logflags, EXIM_DTYPE_TRANSPORT, logchar);
+
+    /* If a pipe delivery generated text to be sent back, the result may be
+    changed to FAIL, and we must copy this for subsequent addresses in the
+    batch. */
+
+    if (addr2->transport_return != result)
+      {
+      for (addr3 = nextaddr; addr3; addr3 = addr3->next)
+        {
+        addr3->transport_return = addr2->transport_return;
+        addr3->basic_errno = addr2->basic_errno;
+        addr3->message = addr2->message;
+        }
+      result = addr2->transport_return;
+      }
+
+    /* Whether or not the result was changed to FAIL, we need to copy the
+    return_file value from the first address into all the addresses of the
+    batch, so they are all listed in the error message. */
+
+    addr2->return_file = addr->return_file;
+
+    /* Change log character for recording successful deliveries. */
+
+    if (result == OK) logchar = '-';
+    }
+  }        /* Loop back for next batch of addresses */
+}
+
+
+
+
+/*************************************************
+*           Sort remote deliveries               *
+*************************************************/
+
+/* This function is called if remote_sort_domains is set. It arranges that the
+chain of addresses for remote deliveries is ordered according to the strings
+specified. Try to make this shuffling reasonably efficient by handling
+sequences of addresses rather than just single ones.
+
+Arguments:  None
+Returns:    Nothing
+*/
+
+static void
+sort_remote_deliveries(void)
+{
+int sep = 0;
+address_item **aptr = &addr_remote;
+const uschar *listptr = remote_sort_domains;
+uschar *pattern;
+uschar patbuf[256];
+
+/*XXX The list is used before expansion. Not sure how that ties up with the docs */
+while (  *aptr
+      && (pattern = string_nextinlist(&listptr, &sep, patbuf, sizeof(patbuf)))
+      )
+  {
+  address_item *moved = NULL;
+  address_item **bptr = &moved;
+
+  while (*aptr)
+    {
+    address_item **next;
+    deliver_domain = (*aptr)->domain;   /* set $domain */
+    if (match_isinlist(deliver_domain, (const uschar **)&pattern, UCHAR_MAX+1,
+          &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK)
+      {
+      aptr = &(*aptr)->next;
+      continue;
+      }
+
+    next = &(*aptr)->next;
+    while (  *next
+	  && (deliver_domain = (*next)->domain,  /* Set $domain */
+            match_isinlist(deliver_domain, (const uschar **)&pattern, UCHAR_MAX+1,
+              &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL)) != OK
+	  )
+      next = &(*next)->next;
+
+    /* If the batch of non-matchers is at the end, add on any that were
+    extracted further up the chain, and end this iteration. Otherwise,
+    extract them from the chain and hang on the moved chain. */
+
+    if (!*next)
+      {
+      *next = moved;
+      break;
+      }
+
+    *bptr = *aptr;
+    *aptr = *next;
+    *next = NULL;
+    bptr = next;
+    aptr = &(*aptr)->next;
+    }
+
+  /* If the loop ended because the final address matched, *aptr will
+  be NULL. Add on to the end any extracted non-matching addresses. If
+  *aptr is not NULL, the loop ended via "break" when *next is null, that
+  is, there was a string of non-matching addresses at the end. In this
+  case the extracted addresses have already been added on the end. */
+
+  if (!*aptr) *aptr = moved;
+  }
+
+DEBUG(D_deliver)
+  {
+  debug_printf("remote addresses after sorting:\n");
+  for (address_item * addr = addr_remote; addr; addr = addr->next)
+    debug_printf("  %s\n", addr->address);
+  }
+}
+
+
+
+/*************************************************
+*  Read from pipe for remote delivery subprocess *
+*************************************************/
+
+/* This function is called when the subprocess is complete, but can also be
+called before it is complete, in order to empty a pipe that is full (to prevent
+deadlock). It must therefore keep track of its progress in the parlist data
+block.
+
+We read the pipe to get the delivery status codes and a possible error message
+for each address, optionally preceded by unusability data for the hosts and
+also by optional retry data.
+
+Read in large chunks into the big buffer and then scan through, interpreting
+the data therein. In most cases, only a single read will be necessary. No
+individual item will ever be anywhere near 2500 bytes in length, so by ensuring
+that we read the next chunk when there is less than 2500 bytes left in the
+non-final chunk, we can assume each item is complete in the buffer before
+handling it. Each item is written using a single write(), which is atomic for
+small items (less than PIPE_BUF, which seems to be at least 512 in any Unix and
+often bigger) so even if we are reading while the subprocess is still going, we
+should never have only a partial item in the buffer.
+
+hs12: This assumption is not true anymore, since we get quite large items (certificate
+information and such).
+
+Argument:
+  poffset     the offset of the parlist item
+  eop         TRUE if the process has completed
+
+Returns:      TRUE if the terminating 'Z' item has been read,
+              or there has been a disaster (i.e. no more data needed);
+              FALSE otherwise
+*/
+
+static BOOL
+par_read_pipe(int poffset, BOOL eop)
+{
+host_item *h;
+pardata *p = parlist + poffset;
+address_item *addrlist = p->addrlist;
+address_item *addr = p->addr;
+pid_t pid = p->pid;
+int fd = p->fd;
+
+uschar *msg = p->msg;
+BOOL done = p->done;
+
+/* Loop through all items, reading from the pipe when necessary. The pipe
+used to be non-blocking. But I do not see a reason for using non-blocking I/O
+here, as the preceding poll() tells us, if data is available for reading.
+
+A read() on a "selected" handle should never block, but(!) it may return
+less data then we expected. (The buffer size we pass to read() shouldn't be
+understood as a "request", but as a "limit".)
+
+Each separate item is written to the pipe in a timely manner. But, especially for
+larger items, the read(2) may already return partial data from the write(2).
+
+The write is atomic mostly (depending on the amount written), but atomic does
+not imply "all or noting", it just is "not intermixed" with other writes on the
+same channel (pipe).
+
+*/
+
+DEBUG(D_deliver) debug_printf("reading pipe for subprocess %d (%s)\n",
+  (int)p->pid, eop? "ended" : "not ended yet");
+
+while (!done)
+  {
+  retry_item *r, **rp;
+  uschar pipeheader[PIPE_HEADER_SIZE+1];
+  uschar *id = &pipeheader[0];
+  uschar *subid = &pipeheader[1];
+  uschar *ptr = big_buffer;
+  size_t required = PIPE_HEADER_SIZE; /* first the pipehaeder, later the data */
+  ssize_t got;
+
+  DEBUG(D_deliver) debug_printf(
+    "expect %lu bytes (pipeheader) from tpt process %d\n", (u_long)required, pid);
+
+  /* We require(!) all the PIPE_HEADER_SIZE bytes here, as we know,
+  they're written in a timely manner, so waiting for the write shouldn't hurt a lot.
+  If we get less, we can assume the subprocess do be done and do not expect any further
+  information from it. */
+
+  if ((got = readn(fd, pipeheader, required)) != required)
+    {
+    msg = string_sprintf("got " SSIZE_T_FMT " of %d bytes (pipeheader) "
+      "from transport process %d for transport %s",
+      got, PIPE_HEADER_SIZE, pid, addr->transport->driver_name);
+    done = TRUE;
+    break;
+    }
+
+  pipeheader[PIPE_HEADER_SIZE] = '\0';
+  DEBUG(D_deliver)
+    debug_printf("got %ld bytes (pipeheader) from transport process %d\n",
+      (long) got, pid);
+
+  {
+  /* If we can't decode the pipeheader, the subprocess seems to have a
+  problem, we do not expect any furher information from it. */
+  char *endc;
+  required = Ustrtol(pipeheader+2, &endc, 10);
+  if (*endc)
+    {
+    msg = string_sprintf("failed to read pipe "
+      "from transport process %d for transport %s: error decoding size from header",
+      pid, addr->transport->driver_name);
+    done = TRUE;
+    break;
+    }
+  }
+
+  DEBUG(D_deliver)
+    debug_printf("expect %lu bytes (pipedata) from transport process %d\n",
+      (u_long)required, pid);
+
+  /* Same as above, the transport process will write the bytes announced
+  in a timely manner, so we can just wait for the bytes, getting less than expected
+  is considered a problem of the subprocess, we do not expect anything else from it. */
+  if ((got = readn(fd, big_buffer, required)) != required)
+    {
+    msg = string_sprintf("got only " SSIZE_T_FMT " of " SIZE_T_FMT
+      " bytes (pipedata) from transport process %d for transport %s",
+      got, required, pid, addr->transport->driver_name);
+    done = TRUE;
+    break;
+    }
+
+  /* Handle each possible type of item, assuming the complete item is
+  available in store. */
+
+  switch (*id)
+    {
+    /* Host items exist only if any hosts were marked unusable. Match
+    up by checking the IP address. */
+
+    case 'H':
+      for (h = addrlist->host_list; h; h = h->next)
+	{
+	if (!h->address || Ustrcmp(h->address, ptr+2) != 0) continue;
+	h->status = ptr[0];
+	h->why = ptr[1];
+	}
+      ptr += 2;
+      while (*ptr++);
+      break;
+
+    /* Retry items are sent in a preceding R item for each address. This is
+    kept separate to keep each message short enough to guarantee it won't
+    be split in the pipe. Hopefully, in the majority of cases, there won't in
+    fact be any retry items at all.
+
+    The complete set of retry items might include an item to delete a
+    routing retry if there was a previous routing delay. However, routing
+    retries are also used when a remote transport identifies an address error.
+    In that case, there may also be an "add" item for the same key. Arrange
+    that a "delete" item is dropped in favour of an "add" item. */
+
+    case 'R':
+      if (!addr) goto ADDR_MISMATCH;
+
+      DEBUG(D_deliver|D_retry)
+	debug_printf("reading retry information for %s from subprocess\n",
+	  ptr+1);
+
+      /* Cut out any "delete" items on the list. */
+
+      for (rp = &addr->retries; (r = *rp); rp = &r->next)
+	if (Ustrcmp(r->key, ptr+1) == 0)           /* Found item with same key */
+	  {
+	  if (!(r->flags & rf_delete)) break;	   /* It was not "delete" */
+	  *rp = r->next;                           /* Excise a delete item */
+	  DEBUG(D_deliver|D_retry)
+	    debug_printf("  existing delete item dropped\n");
+	  }
+
+      /* We want to add a delete item only if there is no non-delete item;
+      however we still have to step ptr through the data. */
+
+      if (!r || !(*ptr & rf_delete))
+	{
+	r = store_get(sizeof(retry_item), GET_UNTAINTED);
+	r->next = addr->retries;
+	addr->retries = r;
+	r->flags = *ptr++;
+	r->key = string_copy(ptr);
+	while (*ptr++);
+	memcpy(&r->basic_errno, ptr, sizeof(r->basic_errno));
+	ptr += sizeof(r->basic_errno);
+	memcpy(&r->more_errno, ptr, sizeof(r->more_errno));
+	ptr += sizeof(r->more_errno);
+	r->message = *ptr ? string_copy(ptr) : NULL;
+	DEBUG(D_deliver|D_retry) debug_printf("  added %s item\n",
+	    r->flags & rf_delete ? "delete" : "retry");
+	}
+
+      else
+	{
+	DEBUG(D_deliver|D_retry)
+	  debug_printf("  delete item not added: non-delete item exists\n");
+	ptr++;
+	while(*ptr++);
+	ptr += sizeof(r->basic_errno) + sizeof(r->more_errno);
+	}
+
+      while(*ptr++);
+      break;
+
+    /* Put the amount of data written into the parlist block */
+
+    case 'S':
+      memcpy(&(p->transport_count), ptr, sizeof(transport_count));
+      ptr += sizeof(transport_count);
+      break;
+
+    /* Address items are in the order of items on the address chain. We
+    remember the current address value in case this function is called
+    several times to empty the pipe in stages. Information about delivery
+    over TLS is sent in a preceding X item for each address. We don't put
+    it in with the other info, in order to keep each message short enough to
+    guarantee it won't be split in the pipe. */
+
+#ifndef DISABLE_TLS
+    case 'X':
+      if (!addr) goto ADDR_MISMATCH;          /* Below, in 'A' handler */
+      switch (*subid)
+	{
+	case '1':
+	  addr->tlsver = addr->cipher = addr->peerdn = NULL;
+
+	  if (*ptr)
+	    {
+	    addr->cipher = string_copy(ptr);
+	    addr->tlsver = string_copyn(ptr, Ustrchr(ptr, ':') - ptr);
+	    }
+	  while (*ptr++);
+	  if (*ptr)
+	    addr->peerdn = string_copy(ptr);
+	  break;
+
+	case '2':
+	  if (*ptr)
+	    (void) tls_import_cert(ptr, &addr->peercert);
+	  else
+	    addr->peercert = NULL;
+	  break;
+
+	case '3':
+	  if (*ptr)
+	    (void) tls_import_cert(ptr, &addr->ourcert);
+	  else
+	    addr->ourcert = NULL;
+	  break;
+
+# ifndef DISABLE_OCSP
+	case '4':
+	  addr->ocsp = *ptr ? *ptr - '0' : OCSP_NOT_REQ;
+	  break;
+# endif
+	}
+      while (*ptr++);
+      break;
+#endif	/*DISABLE_TLS*/
+
+    case 'C':	/* client authenticator information */
+      switch (*subid)
+	{
+	case '1': addr->authenticator = *ptr ? string_copy(ptr) : NULL; break;
+	case '2': addr->auth_id = *ptr ? string_copy(ptr) : NULL;	break;
+	case '3': addr->auth_sndr = *ptr ? string_copy(ptr) : NULL;	break;
+	}
+      while (*ptr++);
+      break;
+
+#ifndef DISABLE_PRDR
+    case 'P':
+      setflag(addr, af_prdr_used);
+      break;
+#endif
+
+    case 'L':
+      switch (*subid)
+	{
+#ifndef DISABLE_PIPE_CONNECT
+	case 2: setflag(addr, af_early_pipe);	/*FALLTHROUGH*/
+#endif
+	case 1: setflag(addr, af_pipelining); break;
+	}
+      break;
+
+    case 'K':
+      setflag(addr, af_chunking_used);
+      break;
+
+    case 'T':
+      setflag(addr, af_tcp_fastopen_conn);
+      if (*subid > '0') setflag(addr, af_tcp_fastopen);
+      if (*subid > '1') setflag(addr, af_tcp_fastopen_data);
+      break;
+
+    case 'D':
+      if (!addr) goto ADDR_MISMATCH;
+      memcpy(&(addr->dsn_aware), ptr, sizeof(addr->dsn_aware));
+      ptr += sizeof(addr->dsn_aware);
+      DEBUG(D_deliver) debug_printf("DSN read: addr->dsn_aware = %d\n", addr->dsn_aware);
+      break;
+
+    case 'A':
+      if (!addr)
+	{
+	ADDR_MISMATCH:
+	msg = string_sprintf("address count mismatch for data read from pipe "
+	  "for transport process %d for transport %s", pid,
+	    addrlist->transport->driver_name);
+	done = TRUE;
+	break;
+	}
+
+      switch (*subid)
+	{
+	case 3:		/* explicit notification of continued-connection (non)use;
+			overrides caller's knowlege. */
+	  if (*ptr & BIT(1))      setflag(addr, af_new_conn);
+	  else if (*ptr & BIT(2)) setflag(addr, af_cont_conn);
+	  break;
+
+#ifdef SUPPORT_SOCKS
+	case '2':	/* proxy information; must arrive before A0 and applies to that addr XXX oops*/
+	  proxy_session = TRUE;	/*XXX should this be cleared somewhere? */
+	  if (*ptr == 0)
+	    ptr++;
+	  else
+	    {
+	    proxy_local_address = string_copy(ptr);
+	    while(*ptr++);
+	    memcpy(&proxy_local_port, ptr, sizeof(proxy_local_port));
+	    ptr += sizeof(proxy_local_port);
+	    }
+	  break;
+#endif
+
+#ifdef EXPERIMENTAL_DSN_INFO
+	case '1':	/* must arrive before A0, and applies to that addr */
+			/* Two strings: smtp_greeting and helo_response */
+	  addr->smtp_greeting = string_copy(ptr);
+	  while(*ptr++);
+	  addr->helo_response = string_copy(ptr);
+	  while(*ptr++);
+	  break;
+#endif
+
+	case '0':
+	  DEBUG(D_deliver) debug_printf("A0 %s tret %d\n", addr->address, *ptr);
+	  addr->transport_return = *ptr++;
+	  addr->special_action = *ptr++;
+	  memcpy(&addr->basic_errno, ptr, sizeof(addr->basic_errno));
+	  ptr += sizeof(addr->basic_errno);
+	  memcpy(&addr->more_errno, ptr, sizeof(addr->more_errno));
+	  ptr += sizeof(addr->more_errno);
+	  memcpy(&addr->delivery_time, ptr, sizeof(addr->delivery_time));
+	  ptr += sizeof(addr->delivery_time);
+	  memcpy(&addr->flags, ptr, sizeof(addr->flags));
+	  ptr += sizeof(addr->flags);
+	  addr->message = *ptr ? string_copy(ptr) : NULL;
+	  while(*ptr++);
+	  addr->user_message = *ptr ? string_copy(ptr) : NULL;
+	  while(*ptr++);
+
+	  /* Always two strings for host information, followed by the port number and DNSSEC mark */
+
+	  if (*ptr)
+	    {
+	    h = store_get(sizeof(host_item), GET_UNTAINTED);
+	    h->name = string_copy(ptr);
+	    while (*ptr++);
+	    h->address = string_copy(ptr);
+	    while(*ptr++);
+	    memcpy(&h->port, ptr, sizeof(h->port));
+	    ptr += sizeof(h->port);
+	    h->dnssec = *ptr == '2' ? DS_YES
+		      : *ptr == '1' ? DS_NO
+		      : DS_UNK;
+	    ptr++;
+	    addr->host_used = h;
+	    }
+	  else ptr++;
+
+	  /* Finished with this address */
+
+	  addr = addr->next;
+	  break;
+	}
+      break;
+
+    /* Local interface address/port */
+    case 'I':
+      if (*ptr) sending_ip_address = string_copy(ptr);
+      while (*ptr++) ;
+      if (*ptr) sending_port = atoi(CS ptr);
+      while (*ptr++) ;
+      break;
+
+    /* Z marks the logical end of the data. It is followed by '0' if
+    continue_transport was NULL at the end of transporting, otherwise '1'.
+    We need to know when it becomes NULL during a delivery down a passed SMTP
+    channel so that we don't try to pass anything more down it. Of course, for
+    most normal messages it will remain NULL all the time. */
+
+    case 'Z':
+      if (*ptr == '0')
+	{
+	continue_transport = NULL;
+	continue_hostname = NULL;
+	}
+      done = TRUE;
+      DEBUG(D_deliver) debug_printf("Z0%c item read\n", *ptr);
+      break;
+
+    /* Anything else is a disaster. */
+
+    default:
+      msg = string_sprintf("malformed data (%d) read from pipe for transport "
+	"process %d for transport %s", ptr[-1], pid,
+	  addr->transport->driver_name);
+      done = TRUE;
+      break;
+    }
+  }
+
+/* The done flag is inspected externally, to determine whether or not to
+call the function again when the process finishes. */
+
+p->done = done;
+
+/* If the process hadn't finished, and we haven't seen the end of the data
+or if we suffered a disaster, update the rest of the state, and return FALSE to
+indicate "not finished". */
+
+if (!eop && !done)
+  {
+  p->addr = addr;
+  p->msg = msg;
+  return FALSE;
+  }
+
+/* Close our end of the pipe, to prevent deadlock if the far end is still
+pushing stuff into it. */
+
+(void)close(fd);
+p->fd = -1;
+
+/* If we have finished without error, but haven't had data for every address,
+something is wrong. */
+
+if (!msg && addr)
+  msg = string_sprintf("insufficient address data read from pipe "
+    "for transport process %d for transport %s", pid,
+      addr->transport->driver_name);
+
+/* If an error message is set, something has gone wrong in getting back
+the delivery data. Put the message into each address and freeze it. */
+
+if (msg)
+  for (addr = addrlist; addr; addr = addr->next)
+    {
+    addr->transport_return = DEFER;
+    addr->special_action = SPECIAL_FREEZE;
+    addr->message = msg;
+    log_write(0, LOG_MAIN|LOG_PANIC, "Delivery status for %s: %s\n", addr->address, addr->message);
+    }
+
+/* Return TRUE to indicate we have got all we need from this process, even
+if it hasn't actually finished yet. */
+
+return TRUE;
+}
+
+
+
+/*************************************************
+*   Post-process a set of remote addresses       *
+*************************************************/
+
+/* Do what has to be done immediately after a remote delivery for each set of
+addresses, then re-write the spool if necessary. Note that post_process_one
+puts the address on an appropriate queue; hence we must fish off the next
+one first. This function is also called if there is a problem with setting
+up a subprocess to do a remote delivery in parallel. In this case, the final
+argument contains a message, and the action must be forced to DEFER.
+
+Argument:
+   addr      pointer to chain of address items
+   logflags  flags for logging
+   msg       NULL for normal cases; -> error message for unexpected problems
+   fallback  TRUE if processing fallback hosts
+
+Returns:     nothing
+*/
+
+static void
+remote_post_process(address_item *addr, int logflags, uschar *msg,
+  BOOL fallback)
+{
+/* If any host addresses were found to be unusable, add them to the unusable
+tree so that subsequent deliveries don't try them. */
+
+for (host_item * h = addr->host_list; h; h = h->next)
+  if (h->address)
+    if (h->status >= hstatus_unusable) tree_add_unusable(h);
+
+/* Now handle each address on the chain. The transport has placed '=' or '-'
+into the special_action field for each successful delivery. */
+
+while (addr)
+  {
+  address_item *next = addr->next;
+
+  /* If msg == NULL (normal processing) and the result is DEFER and we are
+  processing the main hosts and there are fallback hosts available, put the
+  address on the list for fallback delivery. */
+
+  if (  addr->transport_return == DEFER
+     && addr->fallback_hosts
+     && !fallback
+     && !msg
+     )
+    {
+    addr->host_list = addr->fallback_hosts;
+    addr->next = addr_fallback;
+    addr_fallback = addr;
+    DEBUG(D_deliver) debug_printf("%s queued for fallback host(s)\n", addr->address);
+    }
+
+  /* If msg is set (=> unexpected problem), set it in the address before
+  doing the ordinary post processing. */
+
+  else
+    {
+    if (msg)
+      {
+      addr->message = msg;
+      addr->transport_return = DEFER;
+      }
+    (void)post_process_one(addr, addr->transport_return, logflags,
+      EXIM_DTYPE_TRANSPORT, addr->special_action);
+    }
+
+  /* Next address */
+
+  addr = next;
+  }
+
+/* If we have just delivered down a passed SMTP channel, and that was
+the last address, the channel will have been closed down. Now that
+we have logged that delivery, set continue_sequence to 1 so that
+any subsequent deliveries don't get "*" incorrectly logged. */
+
+if (!continue_transport) continue_sequence = 1;
+}
+
+
+
+/*************************************************
+*     Wait for one remote delivery subprocess    *
+*************************************************/
+
+/* This function is called while doing remote deliveries when either the
+maximum number of processes exist and we need one to complete so that another
+can be created, or when waiting for the last ones to complete. It must wait for
+the completion of one subprocess, empty the control block slot, and return a
+pointer to the address chain.
+
+Arguments:    none
+Returns:      pointer to the chain of addresses handled by the process;
+              NULL if no subprocess found - this is an unexpected error
+*/
+
+static address_item *
+par_wait(void)
+{
+int poffset, status;
+address_item * addr, * addrlist;
+pid_t pid;
+
+set_process_info("delivering %s: waiting for a remote delivery subprocess "
+  "to finish", message_id);
+
+/* Loop until either a subprocess completes, or there are no subprocesses in
+existence - in which case give an error return. We cannot proceed just by
+waiting for a completion, because a subprocess may have filled up its pipe, and
+be waiting for it to be emptied. Therefore, if no processes have finished, we
+wait for one of the pipes to acquire some data by calling poll(), with a
+timeout just in case.
+
+The simple approach is just to iterate after reading data from a ready pipe.
+This leads to non-ideal behaviour when the subprocess has written its final Z
+item, closed the pipe, and is in the process of exiting (the common case). A
+call to waitpid() yields nothing completed, but poll() shows the pipe ready -
+reading it yields EOF, so you end up with busy-waiting until the subprocess has
+actually finished.
+
+To avoid this, if all the data that is needed has been read from a subprocess
+after poll(), an explicit wait() for it is done. We know that all it is doing
+is writing to the pipe and then exiting, so the wait should not be long.
+
+The non-blocking waitpid() is to some extent just insurance; if we could
+reliably detect end-of-file on the pipe, we could always know when to do a
+blocking wait() for a completed process. However, because some systems use
+NDELAY, which doesn't distinguish between EOF and pipe empty, it is easier to
+use code that functions without the need to recognize EOF.
+
+There's a double loop here just in case we end up with a process that is not in
+the list of remote delivery processes. Something has obviously gone wrong if
+this is the case. (For example, a process that is incorrectly left over from
+routing or local deliveries might be found.) The damage can be minimized by
+looping back and looking for another process. If there aren't any, the error
+return will happen. */
+
+for (;;)   /* Normally we do not repeat this loop */
+  {
+  while ((pid = waitpid(-1, &status, WNOHANG)) <= 0)
+    {
+    int readycount;
+
+    /* A return value of -1 can mean several things. If errno != ECHILD, it
+    either means invalid options (which we discount), or that this process was
+    interrupted by a signal. Just loop to try the waitpid() again.
+
+    If errno == ECHILD, waitpid() is telling us that there are no subprocesses
+    in existence. This should never happen, and is an unexpected error.
+    However, there is a nasty complication when running under Linux. If "strace
+    -f" is being used under Linux to trace this process and its children,
+    subprocesses are "stolen" from their parents and become the children of the
+    tracing process. A general wait such as the one we've just obeyed returns
+    as if there are no children while subprocesses are running. Once a
+    subprocess completes, it is restored to the parent, and waitpid(-1) finds
+    it. Thanks to Joachim Wieland for finding all this out and suggesting a
+    palliative.
+
+    This does not happen using "truss" on Solaris, nor (I think) with other
+    tracing facilities on other OS. It seems to be specific to Linux.
+
+    What we do to get round this is to use kill() to see if any of our
+    subprocesses are still in existence. If kill() gives an OK return, we know
+    it must be for one of our processes - it can't be for a re-use of the pid,
+    because if our process had finished, waitpid() would have found it. If any
+    of our subprocesses are in existence, we proceed to use poll() as if
+    waitpid() had returned zero. I think this is safe. */
+
+    if (pid < 0)
+      {
+      if (errno != ECHILD) continue;   /* Repeats the waitpid() */
+
+      DEBUG(D_deliver)
+        debug_printf("waitpid() returned -1/ECHILD: checking explicitly "
+          "for process existence\n");
+
+      for (poffset = 0; poffset < remote_max_parallel; poffset++)
+        {
+        if ((pid = parlist[poffset].pid) != 0 && kill(pid, 0) == 0)
+          {
+          DEBUG(D_deliver) debug_printf("process %d still exists: assume "
+            "stolen by strace\n", (int)pid);
+          break;   /* With poffset set */
+          }
+        }
+
+      if (poffset >= remote_max_parallel)
+        {
+        DEBUG(D_deliver) debug_printf("*** no delivery children found\n");
+	return NULL;	/* This is the error return */
+        }
+      }
+
+    /* A pid value greater than 0 breaks the "while" loop. A negative value has
+    been handled above. A return value of zero means that there is at least one
+    subprocess, but there are no completed subprocesses. See if any pipes are
+    ready with any data for reading. */
+
+    DEBUG(D_deliver) debug_printf("polling subprocess pipes\n");
+
+    for (poffset = 0; poffset < remote_max_parallel; poffset++)
+      if (parlist[poffset].pid != 0)
+	{
+	parpoll[poffset].fd = parlist[poffset].fd;
+	parpoll[poffset].events = POLLIN;
+	}
+      else
+	parpoll[poffset].fd = -1;
+
+    /* Stick in a 60-second timeout, just in case. */
+
+    readycount = poll(parpoll, remote_max_parallel, 60 * 1000);
+
+    /* Scan through the pipes and read any that are ready; use the count
+    returned by poll() to stop when there are no more. Select() can return
+    with no processes (e.g. if interrupted). This shouldn't matter.
+
+    If par_read_pipe() returns TRUE, it means that either the terminating Z was
+    read, or there was a disaster. In either case, we are finished with this
+    process. Do an explicit wait() for the process and break the main loop if
+    it succeeds.
+
+    It turns out that we have to deal with the case of an interrupted system
+    call, which can happen on some operating systems if the signal handling is
+    set up to do that by default. */
+
+    for (poffset = 0;
+         readycount > 0 && poffset < remote_max_parallel;
+         poffset++)
+      {
+      if (  (pid = parlist[poffset].pid) != 0
+	 && parpoll[poffset].revents
+	 )
+        {
+        readycount--;
+        if (par_read_pipe(poffset, FALSE))    /* Finished with this pipe */
+          for (;;)                            /* Loop for signals */
+            {
+            pid_t endedpid = waitpid(pid, &status, 0);
+            if (endedpid == pid) goto PROCESS_DONE;
+            if (endedpid != (pid_t)(-1) || errno != EINTR)
+              log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Unexpected error return "
+                "%d (errno = %d) from waitpid() for process %d",
+                (int)endedpid, errno, (int)pid);
+            }
+        }
+      }
+
+    /* Now go back and look for a completed subprocess again. */
+    }
+
+  /* A completed process was detected by the non-blocking waitpid(). Find the
+  data block that corresponds to this subprocess. */
+
+  for (poffset = 0; poffset < remote_max_parallel; poffset++)
+    if (pid == parlist[poffset].pid) break;
+
+  /* Found the data block; this is a known remote delivery process. We don't
+  need to repeat the outer loop. This should be what normally happens. */
+
+  if (poffset < remote_max_parallel) break;
+
+  /* This situation is an error, but it's probably better to carry on looking
+  for another process than to give up (as we used to do). */
+
+  log_write(0, LOG_MAIN|LOG_PANIC, "Process %d finished: not found in remote "
+    "transport process list", pid);
+  }  /* End of the "for" loop */
+
+/* Come here when all the data was completely read after a poll(), and
+the process in pid has been wait()ed for. */
+
+PROCESS_DONE:
+
+DEBUG(D_deliver)
+  {
+  if (status == 0)
+    debug_printf("remote delivery process %d ended\n", (int)pid);
+  else
+    debug_printf("remote delivery process %d ended: status=%04x\n", (int)pid,
+      status);
+  }
+
+set_process_info("delivering %s", message_id);
+
+/* Get the chain of processed addresses */
+
+addrlist = parlist[poffset].addrlist;
+
+/* If the process did not finish cleanly, record an error and freeze (except
+for SIGTERM, SIGKILL and SIGQUIT), and also ensure the journal is not removed,
+in case the delivery did actually happen. */
+
+if ((status & 0xffff) != 0)
+  {
+  uschar *msg;
+  int msb = (status >> 8) & 255;
+  int lsb = status & 255;
+  int code = (msb == 0)? (lsb & 0x7f) : msb;
+
+  msg = string_sprintf("%s transport process returned non-zero status 0x%04x: "
+    "%s %d",
+    addrlist->transport->driver_name,
+    status,
+    msb == 0 ? "terminated by signal" : "exit code",
+    code);
+
+  if (msb != 0 || (code != SIGTERM && code != SIGKILL && code != SIGQUIT))
+    addrlist->special_action = SPECIAL_FREEZE;
+
+  for (addr = addrlist; addr; addr = addr->next)
+    {
+    addr->transport_return = DEFER;
+    addr->message = msg;
+    }
+
+  remove_journal = FALSE;
+  }
+
+/* Else complete reading the pipe to get the result of the delivery, if all
+the data has not yet been obtained. */
+
+else if (!parlist[poffset].done)
+  (void) par_read_pipe(poffset, TRUE);
+
+/* Put the data count and return path into globals, mark the data slot unused,
+decrement the count of subprocesses, and return the address chain. */
+
+transport_count = parlist[poffset].transport_count;
+used_return_path = parlist[poffset].return_path;
+parlist[poffset].pid = 0;
+parcount--;
+return addrlist;
+}
+
+
+
+/*************************************************
+*      Wait for subprocesses and post-process    *
+*************************************************/
+
+/* This function waits for subprocesses until the number that are still running
+is below a given threshold. For each complete subprocess, the addresses are
+post-processed. If we can't find a running process, there is some shambles.
+Better not bomb out, as that might lead to multiple copies of the message. Just
+log and proceed as if all done.
+
+Arguments:
+  max         maximum number of subprocesses to leave running
+  fallback    TRUE if processing fallback hosts
+
+Returns:      nothing
+*/
+
+static void
+par_reduce(int max, BOOL fallback)
+{
+while (parcount > max)
+  {
+  address_item *doneaddr = par_wait();
+  if (!doneaddr)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "remote delivery process count got out of step");
+    parcount = 0;
+    }
+  else
+    {
+    transport_instance * tp = doneaddr->transport;
+    if (tp->max_parallel)
+      enq_end(string_sprintf("tpt-serialize-%s", tp->name));
+
+    remote_post_process(doneaddr, LOG_MAIN, NULL, fallback);
+    }
+  }
+}
+
+static void
+rmt_dlv_checked_write(int fd, char id, char subid, void * buf, ssize_t size)
+{
+uschar pipe_header[PIPE_HEADER_SIZE+1];
+size_t total_len = PIPE_HEADER_SIZE + size;
+
+struct iovec iov[2] = {
+  { pipe_header, PIPE_HEADER_SIZE },  /* indication about the data to expect */
+  { buf, size }                       /* *the* data */
+};
+
+ssize_t ret;
+
+/* we assume that size can't get larger then BIG_BUFFER_SIZE which currently is set to 16k */
+/* complain to log if someone tries with buffer sizes we can't handle*/
+
+if (size > BIG_BUFFER_SIZE-1)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "Failed writing transport result to pipe: can't handle buffers > %d bytes. truncating!\n",
+      BIG_BUFFER_SIZE-1);
+  size = BIG_BUFFER_SIZE;
+  }
+
+/* Should we check that we do not write more than PIPE_BUF? What would
+that help? */
+
+/* convert size to human readable string prepended by id and subid */
+if (PIPE_HEADER_SIZE != snprintf(CS pipe_header, PIPE_HEADER_SIZE+1, "%c%c%05ld",
+    id, subid, (long)size))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "header snprintf failed\n");
+
+DEBUG(D_deliver) debug_printf("header write id:%c,subid:%c,size:%ld,final:%s\n",
+                                 id, subid, (long)size, pipe_header);
+
+if ((ret = writev(fd, iov, 2)) != total_len)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "Failed writing transport result to pipe (%ld of %ld bytes): %s",
+    (long)ret, (long)total_len, ret == -1 ? strerror(errno) : "short write");
+}
+
+/*************************************************
+*           Do remote deliveries                 *
+*************************************************/
+
+/* This function is called to process the addresses in addr_remote. We must
+pick off the queue all addresses that have the same transport, remote
+destination, and errors address, and hand them to the transport in one go,
+subject to some configured limitations. If this is a run to continue delivering
+to an existing delivery channel, skip all but those addresses that can go to
+that channel. The skipped addresses just get deferred.
+
+If mua_wrapper is set, all addresses must be able to be sent in a single
+transaction. If not, this function yields FALSE.
+
+In Exim 4, remote deliveries are always done in separate processes, even
+if remote_max_parallel = 1 or if there's only one delivery to do. The reason
+is so that the base process can retain privilege. This makes the
+implementation of fallback transports feasible (though not initially done.)
+
+We create up to the configured number of subprocesses, each of which passes
+back the delivery state via a pipe. (However, when sending down an existing
+connection, remote_max_parallel is forced to 1.)
+
+Arguments:
+  fallback  TRUE if processing fallback hosts
+
+Returns:    TRUE normally
+            FALSE if mua_wrapper is set and the addresses cannot all be sent
+              in one transaction
+*/
+
+static BOOL
+do_remote_deliveries(BOOL fallback)
+{
+int parmax;
+int poffset;
+
+parcount = 0;    /* Number of executing subprocesses */
+
+/* When sending down an existing channel, only do one delivery at a time.
+We use a local variable (parmax) to hold the maximum number of processes;
+this gets reduced from remote_max_parallel if we can't create enough pipes. */
+
+if (continue_transport) remote_max_parallel = 1;
+parmax = remote_max_parallel;
+
+/* If the data for keeping a list of processes hasn't yet been
+set up, do so. */
+
+if (!parlist)
+  {
+  parlist = store_get(remote_max_parallel * sizeof(pardata), GET_UNTAINTED);
+  for (poffset = 0; poffset < remote_max_parallel; poffset++)
+    parlist[poffset].pid = 0;
+  parpoll = store_get(remote_max_parallel * sizeof(struct pollfd), GET_UNTAINTED);
+  }
+
+/* Now loop for each remote delivery */
+
+for (int delivery_count = 0; addr_remote; delivery_count++)
+  {
+  pid_t pid;
+  uid_t uid;
+  gid_t gid;
+  int pfd[2];
+  int address_count = 1;
+  int address_count_max;
+  BOOL multi_domain;
+  BOOL use_initgroups;
+  BOOL pipe_done = FALSE;
+  transport_instance *tp;
+  address_item **anchor = &addr_remote;
+  address_item *addr = addr_remote;
+  address_item *last = addr;
+  address_item *next;
+  uschar * panicmsg;
+  uschar * serialize_key = NULL;
+
+  /* Pull the first address right off the list. */
+
+  addr_remote = addr->next;
+  addr->next = NULL;
+
+  DEBUG(D_deliver|D_transport)
+    debug_printf("--------> %s <--------\n", addr->address);
+
+  /* If no transport has been set, there has been a big screw-up somewhere. */
+
+  if (!(tp = addr->transport))
+    {
+    f.disable_logging = FALSE;  /* Jic */
+    panicmsg = US"No transport set by router";
+    goto panic_continue;
+    }
+
+  /* Check that this base address hasn't previously been delivered to this
+  transport. The check is necessary at this point to handle homonymic addresses
+  correctly in cases where the pattern of redirection changes between delivery
+  attempts. Non-homonymic previous delivery is detected earlier, at routing
+  time. */
+
+  if (previously_transported(addr, FALSE)) continue;
+
+  /* Force failure if the message is too big. */
+
+  if (tp->message_size_limit)
+    {
+    int rc = check_message_size(tp, addr);
+    if (rc != OK)
+      {
+      addr->transport_return = rc;
+      remote_post_process(addr, LOG_MAIN, NULL, fallback);
+      continue;
+      }
+    }
+
+/*XXX need to defeat this when DANE is used - but we don't know that yet.
+So look out for the place it gets used.
+*/
+
+  /* Get the flag which specifies whether the transport can handle different
+  domains that nevertheless resolve to the same set of hosts. If it needs
+  expanding, get variables set: $address_data, $domain_data, $localpart_data,
+  $host, $host_address, $host_port. */
+  if (tp->expand_multi_domain)
+    deliver_set_expansions(addr);
+
+  if (exp_bool(addr, US"transport", tp->name, D_transport,
+		US"multi_domain", tp->multi_domain, tp->expand_multi_domain,
+		&multi_domain) != OK)
+    {
+    deliver_set_expansions(NULL);
+    panicmsg = addr->message;
+    goto panic_continue;
+    }
+
+  /* Get the maximum it can handle in one envelope, with zero meaning
+  unlimited, which is forced for the MUA wrapper case. */
+
+  address_count_max = tp->max_addresses;
+  if (address_count_max == 0 || mua_wrapper) address_count_max = 999999;
+
+
+  /************************************************************************/
+  /*****    This is slightly experimental code, but should be safe.   *****/
+
+  /* The address_count_max value is the maximum number of addresses that the
+  transport can send in one envelope. However, the transport must be capable of
+  dealing with any number of addresses. If the number it gets exceeds its
+  envelope limitation, it must send multiple copies of the message. This can be
+  done over a single connection for SMTP, so uses less resources than making
+  multiple connections. On the other hand, if remote_max_parallel is greater
+  than one, it is perhaps a good idea to use parallel processing to move the
+  message faster, even if that results in multiple simultaneous connections to
+  the same host.
+
+  How can we come to some compromise between these two ideals? What we do is to
+  limit the number of addresses passed to a single instance of a transport to
+  the greater of (a) its address limit (rcpt_max for SMTP) and (b) the total
+  number of addresses routed to remote transports divided by
+  remote_max_parallel. For example, if the message has 100 remote recipients,
+  remote max parallel is 2, and rcpt_max is 10, we'd never send more than 50 at
+  once. But if rcpt_max is 100, we could send up to 100.
+
+  Of course, not all the remotely addresses in a message are going to go to the
+  same set of hosts (except in smarthost configurations), so this is just a
+  heuristic way of dividing up the work.
+
+  Furthermore (1), because this may not be wanted in some cases, and also to
+  cope with really pathological cases, there is also a limit to the number of
+  messages that are sent over one connection. This is the same limit that is
+  used when sending several different messages over the same connection.
+  Continue_sequence is set when in this situation, to the number sent so
+  far, including this message.
+
+  Furthermore (2), when somebody explicitly sets the maximum value to 1, it
+  is probably because they are using VERP, in which case they want to pass only
+  one address at a time to the transport, in order to be able to use
+  $local_part and $domain in constructing a new return path. We could test for
+  the use of these variables, but as it is so likely they will be used when the
+  maximum is 1, we don't bother. Just leave the value alone. */
+
+  if (  address_count_max != 1
+     && address_count_max < remote_delivery_count/remote_max_parallel
+     )
+    {
+    int new_max = remote_delivery_count/remote_max_parallel;
+    int message_max = tp->connection_max_messages;
+    if (connection_max_messages >= 0) message_max = connection_max_messages;
+    message_max -= continue_sequence - 1;
+    if (message_max > 0 && new_max > address_count_max * message_max)
+      new_max = address_count_max * message_max;
+    address_count_max = new_max;
+    }
+
+  /************************************************************************/
+
+
+/*XXX don't know yet if DANE will be used.  So tpt will have to
+check at the point if gets next addr from list, and skip/defer any
+nonmatch domains
+*/
+
+  /* Pick off all addresses which have the same transport, errors address,
+  destination, and extra headers. In some cases they point to the same host
+  list, but we also need to check for identical host lists generated from
+  entirely different domains. The host list pointers can be NULL in the case
+  where the hosts are defined in the transport. There is also a configured
+  maximum limit of addresses that can be handled at once (see comments above
+  for how it is computed).
+  If the transport does not handle multiple domains, enforce that also,
+  and if it might need a per-address check for this, re-evaluate it.
+  */
+
+  while ((next = *anchor) && address_count < address_count_max)
+    {
+    BOOL md;
+    if (  (multi_domain || Ustrcmp(next->domain, addr->domain) == 0)
+       && tp == next->transport
+       && same_hosts(next->host_list, addr->host_list)
+       && same_strings(next->prop.errors_address, addr->prop.errors_address)
+       && same_headers(next->prop.extra_headers, addr->prop.extra_headers)
+       && same_ugid(tp, next, addr)
+       && (  next->prop.remove_headers == addr->prop.remove_headers
+	  || (  next->prop.remove_headers
+	     && addr->prop.remove_headers
+	     && Ustrcmp(next->prop.remove_headers, addr->prop.remove_headers) == 0
+	  )  )
+       && (  !multi_domain
+	  || (  (
+		(void)(!tp->expand_multi_domain || ((void)deliver_set_expansions(next), 1)),
+	        exp_bool(addr,
+		    US"transport", next->transport->name, D_transport,
+		    US"multi_domain", next->transport->multi_domain,
+		    next->transport->expand_multi_domain, &md) == OK
+	        )
+	     && md
+       )  )  )
+      {
+      *anchor = next->next;
+      next->next = NULL;
+      next->first = addr;  /* remember top one (for retry processing) */
+      last->next = next;
+      last = next;
+      address_count++;
+      }
+    else anchor = &(next->next);
+    deliver_set_expansions(NULL);
+    }
+
+  /* If we are acting as an MUA wrapper, all addresses must go in a single
+  transaction. If not, put them back on the chain and yield FALSE. */
+
+  if (mua_wrapper && addr_remote)
+    {
+    last->next = addr_remote;
+    addr_remote = addr;
+    return FALSE;
+    }
+
+  /* If the transport is limited for parallellism, enforce that here.
+  The hints DB entry is decremented in par_reduce(), when we reap the
+  transport process. */
+
+  if (tpt_parallel_check(tp, addr, &serialize_key))
+    if ((panicmsg = expand_string_message))
+      goto panic_continue;
+    else
+      continue;			/* Loop for the next set of addresses. */
+
+  /* Set up the expansion variables for this set of addresses */
+
+  deliver_set_expansions(addr);
+
+  /* Ensure any transport-set auth info is fresh */
+  addr->authenticator = addr->auth_id = addr->auth_sndr = NULL;
+
+  /* Compute the return path, expanding a new one if required. The old one
+  must be set first, as it might be referred to in the expansion. */
+
+  if(addr->prop.errors_address)
+    return_path = addr->prop.errors_address;
+  else
+    return_path = sender_address;
+
+  if (tp->return_path)
+    {
+    uschar *new_return_path = expand_string(tp->return_path);
+    if (new_return_path)
+      return_path = new_return_path;
+    else if (!f.expand_string_forcedfail)
+      {
+      panicmsg = string_sprintf("Failed to expand return path \"%s\": %s",
+	tp->return_path, expand_string_message);
+      goto enq_continue;
+      }
+    }
+
+  /* Find the uid, gid, and use_initgroups setting for this transport. Failure
+  logs and sets up error messages, so we just post-process and continue with
+  the next address. */
+
+  if (!findugid(addr, tp, &uid, &gid, &use_initgroups))
+    {
+    panicmsg = NULL;
+    goto enq_continue;
+    }
+
+  /* If this transport has a setup function, call it now so that it gets
+  run in this process and not in any subprocess. That way, the results of
+  any setup that are retained by the transport can be reusable. One of the
+  things the setup does is to set the fallback host lists in the addresses.
+  That is why it is called at this point, before the continue delivery
+  processing, because that might use the fallback hosts. */
+
+  if (tp->setup)
+    (void)((tp->setup)(addr->transport, addr, NULL, uid, gid, NULL));
+
+  /* If we have a connection still open from a verify stage (lazy-close)
+  treat it as if it is a continued connection (apart from the counter used
+  for the log line mark). */
+
+  if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
+    {
+    DEBUG(D_deliver)
+      debug_printf("lazy-callout-close: have conn still open from verification\n");
+    continue_transport = cutthrough.transport;
+    continue_hostname = string_copy(cutthrough.host.name);
+    continue_host_address = string_copy(cutthrough.host.address);
+    continue_sequence = 1;
+    sending_ip_address = cutthrough.snd_ip;
+    sending_port = cutthrough.snd_port;
+    smtp_peer_options = cutthrough.peer_options;
+    }
+
+  /* If this is a run to continue delivery down an already-established
+  channel, check that this set of addresses matches the transport and
+  the channel. If it does not, defer the addresses. If a host list exists,
+  we must check that the continue host is on the list. Otherwise, the
+  host is set in the transport. */
+
+  f.continue_more = FALSE;           /* In case got set for the last lot */
+  if (continue_transport)
+    {
+    BOOL ok = Ustrcmp(continue_transport, tp->name) == 0;
+/*XXX do we need to check for a DANEd conn vs. a change of domain? */
+
+    /* If the transport is about to override the host list do not check
+    it here but take the cost of running the transport process to discover
+    if the continued_hostname connection is suitable.  This is a layering
+    violation which is unfortunate as it requires we haul in the smtp
+    include file. */
+
+    if (ok)
+      {
+      smtp_transport_options_block * ob;
+
+      if (  !(  Ustrcmp(tp->info->driver_name, "smtp") == 0
+	     && (ob = (smtp_transport_options_block *)tp->options_block)
+	     && ob->hosts_override && ob->hosts
+	     )
+	 && addr->host_list
+	 )
+	{
+	ok = FALSE;
+	for (host_item * h = addr->host_list; h; h = h->next)
+	  if (Ustrcmp(h->name, continue_hostname) == 0)
+  /*XXX should also check port here */
+	    { ok = TRUE; break; }
+	}
+      }
+
+    /* Addresses not suitable; defer or queue for fallback hosts (which
+    might be the continue host) and skip to next address. */
+
+    if (!ok)
+      {
+      DEBUG(D_deliver) debug_printf("not suitable for continue_transport (%s)\n",
+	Ustrcmp(continue_transport, tp->name) != 0
+	? string_sprintf("tpt %s vs %s", continue_transport, tp->name)
+	: string_sprintf("no host matching %s", continue_hostname));
+      if (serialize_key) enq_end(serialize_key);
+
+      if (addr->fallback_hosts && !fallback)
+        {
+	for (next = addr; ; next = next->next)
+          {
+          next->host_list = next->fallback_hosts;
+          DEBUG(D_deliver) debug_printf("%s queued for fallback host(s)\n", next->address);
+          if (!next->next) break;
+          }
+        next->next = addr_fallback;
+        addr_fallback = addr;
+        }
+
+      else
+	{
+	for (next = addr; ; next = next->next)
+	  {
+	  DEBUG(D_deliver) debug_printf(" %s to def list\n", next->address);
+          if (!next->next) break;
+	  }
+	next->next = addr_defer;
+	addr_defer = addr;
+	}
+
+      continue;
+      }
+
+    /* Set a flag indicating whether there are further addresses that list
+    the continued host. This tells the transport to leave the channel open,
+    but not to pass it to another delivery process. We'd like to do that
+    for non-continue_transport cases too but the knowlege of which host is
+    connected to is too hard to manage.  Perhaps we need a finer-grain
+    interface to the transport. */
+
+    for (next = addr_remote; next && !f.continue_more; next = next->next)
+      for (host_item * h = next->host_list; h; h = h->next)
+        if (Ustrcmp(h->name, continue_hostname) == 0)
+          { f.continue_more = TRUE; break; }
+    }
+
+  /* The transports set up the process info themselves as they may connect
+  to more than one remote machine. They also have to set up the filter
+  arguments, if required, so that the host name and address are available
+  for expansion. */
+
+  transport_filter_argv = NULL;
+
+  /* Create the pipe for inter-process communication. If pipe creation
+  fails, it is probably because the value of remote_max_parallel is so
+  large that too many file descriptors for pipes have been created. Arrange
+  to wait for a process to finish, and then try again. If we still can't
+  create a pipe when all processes have finished, break the retry loop. */
+
+  while (!pipe_done)
+    {
+    if (pipe(pfd) == 0) pipe_done = TRUE;
+      else if (parcount > 0) parmax = parcount;
+        else break;
+
+    /* We need to make the reading end of the pipe non-blocking. There are
+    two different options for this. Exim is cunningly (I hope!) coded so
+    that it can use either of them, though it prefers O_NONBLOCK, which
+    distinguishes between EOF and no-more-data. */
+
+/* The data appears in a timely manner and we already did a poll on
+all pipes, so I do not see a reason to use non-blocking IO here
+
+#ifdef O_NONBLOCK
+    (void)fcntl(pfd[pipe_read], F_SETFL, O_NONBLOCK);
+#else
+    (void)fcntl(pfd[pipe_read], F_SETFL, O_NDELAY);
+#endif
+*/
+
+    /* If the maximum number of subprocesses already exist, wait for a process
+    to finish. If we ran out of file descriptors, parmax will have been reduced
+    from its initial value of remote_max_parallel. */
+
+    par_reduce(parmax - 1, fallback);
+    }
+
+  /* If we failed to create a pipe and there were no processes to wait
+  for, we have to give up on this one. Do this outside the above loop
+  so that we can continue the main loop. */
+
+  if (!pipe_done)
+    {
+    panicmsg = string_sprintf("unable to create pipe: %s", strerror(errno));
+    goto enq_continue;
+    }
+
+  /* Find a free slot in the pardata list. Must do this after the possible
+  waiting for processes to finish, because a terminating process will free
+  up a slot. */
+
+  for (poffset = 0; poffset < remote_max_parallel; poffset++)
+    if (parlist[poffset].pid == 0)
+      break;
+
+  /* If there isn't one, there has been a horrible disaster. */
+
+  if (poffset >= remote_max_parallel)
+    {
+    (void)close(pfd[pipe_write]);
+    (void)close(pfd[pipe_read]);
+    panicmsg = US"Unexpectedly no free subprocess slot";
+    goto enq_continue;
+    }
+
+  /* Now fork a subprocess to do the remote delivery, but before doing so,
+  ensure that any cached resources are released so as not to interfere with
+  what happens in the subprocess. */
+
+  search_tidyup();
+
+  if ((pid = exim_fork(US"transport")) == 0)
+    {
+    int fd = pfd[pipe_write];
+    host_item *h;
+
+    /* Setting these globals in the subprocess means we need never clear them */
+    transport_name = addr->transport->name;
+    driver_srcfile = tp->srcfile;
+    driver_srcline = tp->srcline;
+
+    /* There are weird circumstances in which logging is disabled */
+    f.disable_logging = tp->disable_logging;
+
+    /* Show pids on debug output if parallelism possible */
+
+    if (parmax > 1 && (parcount > 0 || addr_remote))
+      DEBUG(D_any|D_v) debug_selector |= D_pid;
+
+    /* Reset the random number generator, so different processes don't all
+    have the same sequence. In the test harness we want different, but
+    predictable settings for each delivery process, so do something explicit
+    here rather they rely on the fixed reset in the random number function. */
+
+    random_seed = f.running_in_test_harness ? 42 + 2*delivery_count : 0;
+
+    /* Set close-on-exec on the pipe so that it doesn't get passed on to
+    a new process that may be forked to do another delivery down the same
+    SMTP connection. */
+
+    (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
+
+    /* Close open file descriptors for the pipes of other processes
+    that are running in parallel. */
+
+    for (poffset = 0; poffset < remote_max_parallel; poffset++)
+      if (parlist[poffset].pid != 0) (void)close(parlist[poffset].fd);
+
+    /* This process has inherited a copy of the file descriptor
+    for the data file, but its file pointer is shared with all the
+    other processes running in parallel. Therefore, we have to re-open
+    the file in order to get a new file descriptor with its own
+    file pointer. We don't need to lock it, as the lock is held by
+    the parent process. There doesn't seem to be any way of doing
+    a dup-with-new-file-pointer. */
+
+    (void)close(deliver_datafile);
+    {
+    uschar * fname = spool_fname(US"input", message_subdir, message_id, US"-D");
+
+    if ((deliver_datafile = Uopen(fname,
+#ifdef O_CLOEXEC
+					O_CLOEXEC |
+#endif
+					O_RDWR | O_APPEND, 0)) < 0)
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to reopen %s for remote "
+        "parallel delivery: %s", fname, strerror(errno));
+    }
+
+    /* Set the close-on-exec flag */
+#ifndef O_CLOEXEC
+    (void)fcntl(deliver_datafile, F_SETFD, fcntl(deliver_datafile, F_GETFD) |
+      FD_CLOEXEC);
+#endif
+
+    /* Set the uid/gid of this process; bombs out on failure. */
+
+    exim_setugid(uid, gid, use_initgroups,
+      string_sprintf("remote delivery to %s with transport=%s",
+        addr->address, tp->name));
+
+    /* Close the unwanted half of this process' pipe, set the process state,
+    and run the transport. Afterwards, transport_count will contain the number
+    of bytes written. */
+
+    (void)close(pfd[pipe_read]);
+    set_process_info("delivering %s using %s", message_id, tp->name);
+    debug_print_string(tp->debug_string);
+    if (!(tp->info->code)(addr->transport, addr)) replicate_status(addr);
+
+    set_process_info("delivering %s (just run %s for %s%s in subprocess)",
+      message_id, tp->name, addr->address, addr->next ? ", ..." : "");
+
+    /* Ensure any cached resources that we used are now released */
+
+    search_tidyup();
+
+    /* Pass the result back down the pipe. This is a lot more information
+    than is needed for a local delivery. We have to send back the error
+    status for each address, the usability status for each host that is
+    flagged as unusable, and all the retry items. When TLS is in use, we
+    send also the cipher and peerdn information. Each type of information
+    is flagged by an identifying byte, and is then in a fixed format (with
+    strings terminated by zeros), and there is a final terminator at the
+    end. The host information and retry information is all attached to
+    the first address, so that gets sent at the start. */
+
+    /* Host unusability information: for most success cases this will
+    be null. */
+
+    for (h = addr->host_list; h; h = h->next)
+      {
+      if (!h->address || h->status < hstatus_unusable) continue;
+      sprintf(CS big_buffer, "%c%c%s", h->status, h->why, h->address);
+      rmt_dlv_checked_write(fd, 'H', '0', big_buffer, Ustrlen(big_buffer+2) + 3);
+      }
+
+    /* The number of bytes written. This is the same for each address. Even
+    if we sent several copies of the message down the same connection, the
+    size of each one is the same, and it's that value we have got because
+    transport_count gets reset before calling transport_write_message(). */
+
+    memcpy(big_buffer, &transport_count, sizeof(transport_count));
+    rmt_dlv_checked_write(fd, 'S', '0', big_buffer, sizeof(transport_count));
+
+    /* Information about what happened to each address. Four item types are
+    used: an optional 'X' item first, for TLS information, then an optional "C"
+    item for any client-auth info followed by 'R' items for any retry settings,
+    and finally an 'A' item for the remaining data. */
+
+    for(; addr; addr = addr->next)
+      {
+      uschar *ptr;
+
+      /* The certificate verification status goes into the flags */
+      if (tls_out.certificate_verified) setflag(addr, af_cert_verified);
+#ifdef SUPPORT_DANE
+      if (tls_out.dane_verified)        setflag(addr, af_dane_verified);
+#endif
+# ifndef DISABLE_TLS_RESUME
+      if (tls_out.resumption & RESUME_USED) setflag(addr, af_tls_resume);
+# endif
+
+      /* Use an X item only if there's something to send */
+#ifndef DISABLE_TLS
+      if (addr->cipher)
+        {
+        ptr = big_buffer + sprintf(CS big_buffer, "%.128s", addr->cipher) + 1;
+        if (!addr->peerdn)
+	  *ptr++ = 0;
+	else
+          ptr += sprintf(CS ptr, "%.512s", addr->peerdn) + 1;
+
+        rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer);
+        }
+      else if (continue_proxy_cipher)
+	{
+        ptr = big_buffer + sprintf(CS big_buffer, "%.128s", continue_proxy_cipher) + 1;
+	*ptr++ = 0;
+        rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer);
+	}
+
+      if (addr->peercert)
+	{
+        ptr = big_buffer;
+	if (tls_export_cert(ptr, big_buffer_size-2, addr->peercert))
+	  while(*ptr++);
+	else
+	  *ptr++ = 0;
+        rmt_dlv_checked_write(fd, 'X', '2', big_buffer, ptr - big_buffer);
+	}
+      if (addr->ourcert)
+	{
+        ptr = big_buffer;
+	if (tls_export_cert(ptr, big_buffer_size-2, addr->ourcert))
+	  while(*ptr++);
+	else
+	  *ptr++ = 0;
+        rmt_dlv_checked_write(fd, 'X', '3', big_buffer, ptr - big_buffer);
+	}
+# ifndef DISABLE_OCSP
+      if (addr->ocsp > OCSP_NOT_REQ)
+	{
+	ptr = big_buffer + sprintf(CS big_buffer, "%c", addr->ocsp + '0') + 1;
+        rmt_dlv_checked_write(fd, 'X', '4', big_buffer, ptr - big_buffer);
+	}
+# endif
+#endif	/*DISABLE_TLS*/
+
+      if (client_authenticator)
+        {
+	ptr = big_buffer + sprintf(CS big_buffer, "%.64s", client_authenticator) + 1;
+        rmt_dlv_checked_write(fd, 'C', '1', big_buffer, ptr - big_buffer);
+	}
+      if (client_authenticated_id)
+        {
+        ptr = big_buffer + sprintf(CS big_buffer, "%.64s", client_authenticated_id) + 1;
+        rmt_dlv_checked_write(fd, 'C', '2', big_buffer, ptr - big_buffer);
+	}
+      if (client_authenticated_sender)
+        {
+        ptr = big_buffer + sprintf(CS big_buffer, "%.64s", client_authenticated_sender) + 1;
+        rmt_dlv_checked_write(fd, 'C', '3', big_buffer, ptr - big_buffer);
+	}
+
+#ifndef DISABLE_PRDR
+      if (testflag(addr, af_prdr_used))
+	rmt_dlv_checked_write(fd, 'P', '0', NULL, 0);
+#endif
+
+      if (testflag(addr, af_pipelining))
+#ifndef DISABLE_PIPE_CONNECT
+	if (testflag(addr, af_early_pipe))
+	  rmt_dlv_checked_write(fd, 'L', '2', NULL, 0);
+	else
+#endif
+	  rmt_dlv_checked_write(fd, 'L', '1', NULL, 0);
+
+      if (testflag(addr, af_chunking_used))
+	rmt_dlv_checked_write(fd, 'K', '0', NULL, 0);
+
+      if (testflag(addr, af_tcp_fastopen_conn))
+	rmt_dlv_checked_write(fd, 'T',
+	  testflag(addr, af_tcp_fastopen) ? testflag(addr, af_tcp_fastopen_data)
+	  ? '2' : '1' : '0',
+	  NULL, 0);
+
+      memcpy(big_buffer, &addr->dsn_aware, sizeof(addr->dsn_aware));
+      rmt_dlv_checked_write(fd, 'D', '0', big_buffer, sizeof(addr->dsn_aware));
+
+      /* Retry information: for most success cases this will be null. */
+
+      for (retry_item * r = addr->retries; r; r = r->next)
+        {
+        sprintf(CS big_buffer, "%c%.500s", r->flags, r->key);
+        ptr = big_buffer + Ustrlen(big_buffer+2) + 3;
+        memcpy(ptr, &r->basic_errno, sizeof(r->basic_errno));
+        ptr += sizeof(r->basic_errno);
+        memcpy(ptr, &r->more_errno, sizeof(r->more_errno));
+        ptr += sizeof(r->more_errno);
+        if (!r->message) *ptr++ = 0; else
+          {
+          sprintf(CS ptr, "%.512s", r->message);
+          while(*ptr++);
+          }
+        rmt_dlv_checked_write(fd, 'R', '0', big_buffer, ptr - big_buffer);
+        }
+
+      if (testflag(addr, af_new_conn) || testflag(addr, af_cont_conn))
+	{
+	DEBUG(D_deliver) debug_printf("%scontinued-connection\n",
+	  testflag(addr, af_new_conn) ? "non-" : "");
+	big_buffer[0] = testflag(addr, af_new_conn) ? BIT(1) : BIT(2);
+        rmt_dlv_checked_write(fd, 'A', '3', big_buffer, 1);
+	}
+
+#ifdef SUPPORT_SOCKS
+      if (LOGGING(proxy) && proxy_session)
+	{
+	ptr = big_buffer;
+	if (proxy_local_address)
+	  {
+	  DEBUG(D_deliver) debug_printf("proxy_local_address '%s'\n", proxy_local_address);
+	  ptr = big_buffer + sprintf(CS ptr, "%.128s", proxy_local_address) + 1;
+	  DEBUG(D_deliver) debug_printf("proxy_local_port %d\n", proxy_local_port);
+	  memcpy(ptr, &proxy_local_port, sizeof(proxy_local_port));
+	  ptr += sizeof(proxy_local_port);
+	  }
+	else
+	  *ptr++ = '\0';
+	rmt_dlv_checked_write(fd, 'A', '2', big_buffer, ptr - big_buffer);
+	}
+#endif
+
+#ifdef EXPERIMENTAL_DSN_INFO
+/*um, are they really per-addr?  Other per-conn stuff is not (auth, tls).  But host_used is! */
+      if (addr->smtp_greeting)
+	{
+	DEBUG(D_deliver) debug_printf("smtp_greeting '%s'\n", addr->smtp_greeting);
+	ptr = big_buffer + sprintf(CS big_buffer, "%.128s", addr->smtp_greeting) + 1;
+	if (addr->helo_response)
+	  {
+	  DEBUG(D_deliver) debug_printf("helo_response '%s'\n", addr->helo_response);
+	  ptr += sprintf(CS ptr, "%.128s", addr->helo_response) + 1;
+	  }
+	else
+	  *ptr++ = '\0';
+        rmt_dlv_checked_write(fd, 'A', '1', big_buffer, ptr - big_buffer);
+	}
+#endif
+
+      /* The rest of the information goes in an 'A0' item. */
+
+      sprintf(CS big_buffer, "%c%c", addr->transport_return, addr->special_action);
+      ptr = big_buffer + 2;
+      memcpy(ptr, &addr->basic_errno, sizeof(addr->basic_errno));
+      ptr += sizeof(addr->basic_errno);
+      memcpy(ptr, &addr->more_errno, sizeof(addr->more_errno));
+      ptr += sizeof(addr->more_errno);
+      memcpy(ptr, &addr->delivery_time, sizeof(addr->delivery_time));
+      ptr += sizeof(addr->delivery_time);
+      memcpy(ptr, &addr->flags, sizeof(addr->flags));
+      ptr += sizeof(addr->flags);
+
+      if (!addr->message) *ptr++ = 0; else
+        ptr += sprintf(CS ptr, "%.1024s", addr->message) + 1;
+
+      if (!addr->user_message) *ptr++ = 0; else
+        ptr += sprintf(CS ptr, "%.1024s", addr->user_message) + 1;
+
+      if (!addr->host_used) *ptr++ = 0; else
+        {
+        ptr += sprintf(CS ptr, "%.256s", addr->host_used->name) + 1;
+        ptr += sprintf(CS ptr, "%.64s", addr->host_used->address) + 1;
+        memcpy(ptr, &addr->host_used->port, sizeof(addr->host_used->port));
+        ptr += sizeof(addr->host_used->port);
+
+        /* DNS lookup status */
+	*ptr++ = addr->host_used->dnssec==DS_YES ? '2'
+	       : addr->host_used->dnssec==DS_NO ? '1' : '0';
+
+        }
+      rmt_dlv_checked_write(fd, 'A', '0', big_buffer, ptr - big_buffer);
+      }
+
+    /* Local interface address/port */
+#ifdef EXPERIMENTAL_DSN_INFO
+    if (sending_ip_address)
+#else
+    if (LOGGING(incoming_interface) && sending_ip_address)
+#endif
+      {
+      uschar * ptr;
+      ptr = big_buffer + sprintf(CS big_buffer, "%.128s", sending_ip_address) + 1;
+      ptr += sprintf(CS ptr, "%d", sending_port) + 1;
+      rmt_dlv_checked_write(fd, 'I', '0', big_buffer, ptr - big_buffer);
+      }
+
+    /* Add termination flag, close the pipe, and that's it. The character
+    after 'Z' indicates whether continue_transport is now NULL or not.
+    A change from non-NULL to NULL indicates a problem with a continuing
+    connection. */
+
+    big_buffer[0] = continue_transport ? '1' : '0';
+    rmt_dlv_checked_write(fd, 'Z', '0', big_buffer, 1);
+    (void)close(fd);
+    exit(EXIT_SUCCESS);
+    }
+
+  /* Back in the mainline: close the unwanted half of the pipe. */
+
+  (void)close(pfd[pipe_write]);
+
+  /* If we have a connection still open from a verify stage (lazy-close)
+  release its TLS library context (if any) as responsibility was passed to
+  the delivery child process. */
+
+  if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
+    {
+#ifndef DISABLE_TLS
+    if (cutthrough.is_tls)
+      tls_close(cutthrough.cctx.tls_ctx, TLS_NO_SHUTDOWN);
+#endif
+    (void) close(cutthrough.cctx.sock);
+    release_cutthrough_connection(US"passed to transport proc");
+    }
+
+  /* Fork failed; defer with error message */
+
+  if (pid == -1)
+    {
+    (void)close(pfd[pipe_read]);
+    panicmsg = string_sprintf("fork failed for remote delivery to %s: %s",
+        addr->domain, strerror(errno));
+    goto enq_continue;
+    }
+
+  /* Fork succeeded; increment the count, and remember relevant data for
+  when the process finishes. */
+
+  parcount++;
+  parlist[poffset].addrlist = parlist[poffset].addr = addr;
+  parlist[poffset].pid = pid;
+  parlist[poffset].fd = pfd[pipe_read];
+  parlist[poffset].done = FALSE;
+  parlist[poffset].msg = NULL;
+  parlist[poffset].return_path = return_path;
+
+  /* If the process we've just started is sending a message down an existing
+  channel, wait for it now. This ensures that only one such process runs at
+  once, whatever the value of remote_max parallel. Otherwise, we might try to
+  send two or more messages simultaneously down the same channel. This could
+  happen if there are different domains that include the same host in otherwise
+  different host lists.
+
+  Also, if the transport closes down the channel, this information gets back
+  (continue_transport gets set to NULL) before we consider any other addresses
+  in this message. */
+
+  if (continue_transport) par_reduce(0, fallback);
+
+  /* Otherwise, if we are running in the test harness, wait a bit, to let the
+  newly created process get going before we create another process. This should
+  ensure repeatability in the tests. Wait long enough for most cases to complete
+  the transport. */
+
+  else testharness_pause_ms(600);
+
+  continue;
+
+enq_continue:
+  if (serialize_key) enq_end(serialize_key);
+panic_continue:
+  remote_post_process(addr, LOG_MAIN|LOG_PANIC, panicmsg, fallback);
+  continue;
+  }
+
+/* Reached the end of the list of addresses. Wait for all the subprocesses that
+are still running and post-process their addresses. */
+
+par_reduce(0, fallback);
+return TRUE;
+}
+
+
+
+
+/*************************************************
+*   Split an address into local part and domain  *
+*************************************************/
+
+/* This function initializes an address for routing by splitting it up into a
+local part and a domain. The local part is set up twice - once in its original
+casing, and once in lower case, and it is dequoted. We also do the "percent
+hack" for configured domains. This may lead to a DEFER result if a lookup
+defers. When a percent-hacking takes place, we insert a copy of the original
+address as a new parent of this address, as if we have had a redirection.
+
+Argument:
+  addr      points to an addr_item block containing the address
+
+Returns:    OK
+            DEFER   - could not determine if domain is %-hackable
+*/
+
+int
+deliver_split_address(address_item * addr)
+{
+uschar * address = addr->address;
+uschar * domain;
+uschar * t;
+int len;
+
+if (!(domain = Ustrrchr(address, '@')))
+  return DEFER;		/* should always have a domain, but just in case... */
+
+len = domain - address;
+addr->domain = string_copylc(domain+1);    /* Domains are always caseless */
+
+/* The implication in the RFCs (though I can't say I've seen it spelled out
+explicitly) is that quoting should be removed from local parts at the point
+where they are locally interpreted. [The new draft "821" is more explicit on
+this, Jan 1999.] We know the syntax is valid, so this can be done by simply
+removing quoting backslashes and any unquoted doublequotes. */
+
+t = addr->cc_local_part = store_get(len+1, address);
+while(len-- > 0)
+  {
+  int c = *address++;
+  if (c == '\"') continue;
+  if (c == '\\')
+    {
+    *t++ = *address++;
+    len--;
+    }
+  else *t++ = c;
+  }
+*t = 0;
+
+/* We do the percent hack only for those domains that are listed in
+percent_hack_domains. A loop is required, to copy with multiple %-hacks. */
+
+if (percent_hack_domains)
+  {
+  int rc;
+  uschar *new_address = NULL;
+  uschar *local_part = addr->cc_local_part;
+
+  deliver_domain = addr->domain;  /* set $domain */
+
+  while (  (rc = match_isinlist(deliver_domain, (const uschar **)&percent_hack_domains, 0,
+	       &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE, NULL))
+             == OK
+	&& (t = Ustrrchr(local_part, '%')) != NULL
+	)
+    {
+    new_address = string_copy(local_part);
+    new_address[t - local_part] = '@';
+    deliver_domain = string_copylc(t+1);
+    local_part = string_copyn(local_part, t - local_part);
+    }
+
+  if (rc == DEFER) return DEFER;   /* lookup deferred */
+
+  /* If hackery happened, set up new parent and alter the current address. */
+
+  if (new_address)
+    {
+    address_item * new_parent = store_get(sizeof(address_item), GET_UNTAINTED);
+    *new_parent = *addr;
+    addr->parent = new_parent;
+    new_parent->child_count = 1;
+    addr->address = new_address;
+    addr->unique = string_copy(new_address);
+    addr->domain = deliver_domain;
+    addr->cc_local_part = local_part;
+    DEBUG(D_deliver) debug_printf("%%-hack changed address to: %s\n",
+      addr->address);
+    }
+  }
+
+/* Create the lowercased version of the final local part, and make that the
+default one to be used. */
+
+addr->local_part = addr->lc_local_part = string_copylc(addr->cc_local_part);
+return OK;
+}
+
+
+
+
+/*************************************************
+*      Get next error message text               *
+*************************************************/
+
+/* If f is not NULL, read the next "paragraph", from a customized error message
+text file, terminated by a line containing ****, and expand it.
+
+Arguments:
+  f          NULL or a file to read from
+  which      string indicating which string (for errors)
+
+Returns:     NULL or an expanded string
+*/
+
+static uschar *
+next_emf(FILE *f, uschar *which)
+{
+uschar *yield;
+gstring * para;
+uschar buffer[256];
+
+if (!f) return NULL;
+
+if (!Ufgets(buffer, sizeof(buffer), f) || Ustrcmp(buffer, "****\n") == 0)
+  return NULL;
+
+para = string_get(256);
+for (;;)
+  {
+  para = string_cat(para, buffer);
+  if (!Ufgets(buffer, sizeof(buffer), f) || Ustrcmp(buffer, "****\n") == 0)
+    break;
+  }
+if ((yield = expand_string(string_from_gstring(para))))
+  return yield;
+
+log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand string from "
+  "bounce_message_file or warn_message_file (%s): %s", which,
+  expand_string_message);
+return NULL;
+}
+
+
+
+
+/*************************************************
+*      Close down a passed transport channel     *
+*************************************************/
+
+/* This function is called when a passed transport channel cannot be used.
+It attempts to close it down tidily. The yield is always DELIVER_NOT_ATTEMPTED
+so that the function call can be the argument of a "return" statement.
+
+Arguments:  None
+Returns:    DELIVER_NOT_ATTEMPTED
+*/
+
+static int
+continue_closedown(void)
+{
+if (continue_transport)
+  for (transport_instance * t = transports; t; t = t->next)
+    if (Ustrcmp(t->name, continue_transport) == 0)
+      {
+      if (t->info->closedown) (t->info->closedown)(t);
+      break;
+      }
+return DELIVER_NOT_ATTEMPTED;
+}
+
+
+
+
+/*************************************************
+*           Print address information            *
+*************************************************/
+
+/* This function is called to output an address, or information about an
+address, for bounce or defer messages. If the hide_child flag is set, all we
+output is the original ancestor address.
+
+Arguments:
+  addr         points to the address
+  f            the FILE to print to
+  si           an initial string
+  sc           a continuation string for before "generated"
+  se           an end string
+
+Returns:       TRUE if the address is not hidden
+*/
+
+static BOOL
+print_address_information(address_item *addr, FILE *f, uschar *si, uschar *sc,
+  uschar *se)
+{
+BOOL yield = TRUE;
+uschar *printed = US"";
+address_item *ancestor = addr;
+while (ancestor->parent) ancestor = ancestor->parent;
+
+fprintf(f, "%s", CS si);
+
+if (addr->parent && testflag(addr, af_hide_child))
+  {
+  printed = US"an undisclosed address";
+  yield = FALSE;
+  }
+else if (!testflag(addr, af_pfr) || !addr->parent)
+  printed = addr->address;
+
+else
+  {
+  uschar *s = addr->address;
+  uschar *ss;
+
+  if (addr->address[0] == '>') { ss = US"mail"; s++; }
+  else if (addr->address[0] == '|') ss = US"pipe";
+  else ss = US"save";
+
+  fprintf(f, "%s to %s%sgenerated by ", ss, s, sc);
+  printed = addr->parent->address;
+  }
+
+fprintf(f, "%s", CS string_printing(printed));
+
+if (ancestor != addr)
+  {
+  uschar *original = ancestor->onetime_parent;
+  if (!original) original= ancestor->address;
+  if (strcmpic(original, printed) != 0)
+    fprintf(f, "%s(%sgenerated from %s)", sc,
+      ancestor != addr->parent ? "ultimately " : "",
+      string_printing(original));
+  }
+
+if (addr->host_used)
+  fprintf(f, "\n    host %s [%s]",
+	  addr->host_used->name, addr->host_used->address);
+
+fprintf(f, "%s", CS se);
+return yield;
+}
+
+
+
+
+
+/*************************************************
+*         Print error for an address             *
+*************************************************/
+
+/* This function is called to print the error information out of an address for
+a bounce or a warning message. It tries to format the message reasonably by
+introducing newlines. All lines are indented by 4; the initial printing
+position must be set before calling.
+
+This function used always to print the error. Nowadays we want to restrict it
+to cases such as LMTP/SMTP errors from a remote host, and errors from :fail:
+and filter "fail". We no longer pass other information willy-nilly in bounce
+and warning messages. Text in user_message is always output; text in message
+only if the af_pass_message flag is set.
+
+Arguments:
+  addr         the address
+  f            the FILE to print on
+  t            some leading text
+
+Returns:       nothing
+*/
+
+static void
+print_address_error(address_item * addr, FILE * f, const uschar * t)
+{
+int count = Ustrlen(t);
+uschar * s = testflag(addr, af_pass_message) ? addr->message : NULL;
+
+if (!s && !(s = addr->user_message))
+  return;
+
+fprintf(f, "\n    %s", t);
+
+while (*s)
+  if (*s == '\\' && s[1] == 'n')
+    {
+    fprintf(f, "\n    ");
+    s += 2;
+    count = 0;
+    }
+  else
+    {
+    fputc(*s, f);
+    count++;
+    if (*s++ == ':' && isspace(*s) && count > 45)
+      {
+      fprintf(f, "\n   ");  /* sic (because space follows) */
+      count = 0;
+      }
+    }
+}
+
+
+/***********************************************************
+*         Print Diagnostic-Code for an address             *
+************************************************************/
+
+/* This function is called to print the error information out of an address for
+a bounce or a warning message. It tries to format the message reasonably as
+required by RFC 3461 by adding a space after each newline
+
+it uses the same logic as print_address_error() above. if af_pass_message is true
+and addr->message is set it uses the remote host answer. if not addr->user_message
+is used instead if available.
+
+Arguments:
+  addr         the address
+  f            the FILE to print on
+
+Returns:       nothing
+*/
+
+static void
+print_dsn_diagnostic_code(const address_item *addr, FILE *f)
+{
+uschar * s = testflag(addr, af_pass_message) ? addr->message : NULL;
+unsigned cnt;
+
+/* af_pass_message and addr->message set ? print remote host answer */
+if (s)
+  {
+  DEBUG(D_deliver)
+    debug_printf("DSN Diagnostic-Code: addr->message = %s\n", addr->message);
+
+  /* search first ": ". we assume to find the remote-MTA answer there */
+  if (!(s = Ustrstr(addr->message, ": ")))
+    return;				/* not found, bail out */
+  s += 2;  /* skip ": " */
+  cnt = fprintf(f, "Diagnostic-Code: smtp; ");
+  }
+/* no message available. do nothing */
+else return;
+
+while (*s)
+  {
+  if (cnt > 950)	/* RFC line length limit: 998 */
+    {
+    DEBUG(D_deliver) debug_printf("print_dsn_diagnostic_code() truncated line\n");
+    fputs("[truncated]", f);
+    break;
+    }
+
+  if (*s == '\\' && s[1] == 'n')
+    {
+    fputs("\n ", f);    /* as defined in RFC 3461 */
+    s += 2;
+    cnt += 2;
+    }
+  else
+    {
+    fputc(*s++, f);
+    cnt++;
+    }
+  }
+
+fputc('\n', f);
+}
+
+
+/*************************************************
+*     Check list of addresses for duplication    *
+*************************************************/
+
+/* This function was introduced when the test for duplicate addresses that are
+not pipes, files, or autoreplies was moved from the middle of routing to when
+routing was complete. That was to fix obscure cases when the routing history
+affects the subsequent routing of identical addresses. This function is called
+after routing, to check that the final routed addresses are not duplicates.
+
+If we detect a duplicate, we remember what it is a duplicate of. Note that
+pipe, file, and autoreply de-duplication is handled during routing, so we must
+leave such "addresses" alone here, as otherwise they will incorrectly be
+discarded.
+
+Argument:     address of list anchor
+Returns:      nothing
+*/
+
+static void
+do_duplicate_check(address_item **anchor)
+{
+address_item *addr;
+while ((addr = *anchor))
+  {
+  tree_node *tnode;
+  if (testflag(addr, af_pfr))
+    {
+    anchor = &(addr->next);
+    }
+  else if ((tnode = tree_search(tree_duplicates, addr->unique)))
+    {
+    DEBUG(D_deliver|D_route)
+      debug_printf("%s is a duplicate address: discarded\n", addr->unique);
+    *anchor = addr->next;
+    addr->dupof = tnode->data.ptr;
+    addr->next = addr_duplicate;
+    addr_duplicate = addr;
+    }
+  else
+    {
+    tree_add_duplicate(addr->unique, addr);
+    anchor = &(addr->next);
+    }
+  }
+}
+
+
+
+
+/************************************************/
+
+static void
+print_dsn_addr_action(FILE * f, address_item * addr,
+  uschar * action, uschar * status)
+{
+address_item * pa;
+
+if (addr->dsn_orcpt)
+  fprintf(f,"Original-Recipient: %s\n", addr->dsn_orcpt);
+
+for (pa = addr; pa->parent; ) pa = pa->parent;
+fprintf(f, "Action: %s\n"
+    "Final-Recipient: rfc822;%s\n"
+    "Status: %s\n",
+  action, pa->address, status);
+}
+
+
+
+/* When running in the test harness, there's an option that allows us to
+fudge this time so as to get repeatability of the tests. Take the first
+time off the list. In queue runs, the list pointer gets updated in the
+calling process. */
+
+int
+test_harness_fudged_queue_time(int actual_time)
+{
+int qt;
+if (  f.running_in_test_harness && *fudged_queue_times
+   && (qt = readconf_readtime(fudged_queue_times, '/', FALSE)) >= 0)
+  {
+  DEBUG(D_deliver) debug_printf("fudged queue_times = %s\n",
+    fudged_queue_times);
+  return qt;
+  }
+return actual_time;
+}
+
+/************************************************/
+
+static FILE *
+expand_open(const uschar * filename,
+  const uschar * varname, const uschar * reason)
+{
+const uschar * s = expand_cstring(filename);
+FILE * fp = NULL;
+
+if (!s || !*s)
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "Failed to expand %s: '%s'\n", varname, filename);
+else if (*s != '/' || is_tainted(s))
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "%s is not %s after expansion: '%s'\n",
+    varname, *s == '/' ? "untainted" : "absolute", s);
+else if (!(fp = Ufopen(s, "rb")))
+  log_write(0, LOG_MAIN|LOG_PANIC, "Failed to open %s for %s "
+    "message texts: %s", s, reason, strerror(errno));
+return fp;
+}
+
+/*************************************************
+*              Deliver one message               *
+*************************************************/
+
+/* This is the function which is called when a message is to be delivered. It
+is passed the id of the message. It is possible that the message no longer
+exists, if some other process has delivered it, and it is also possible that
+the message is being worked on by another process, in which case the data file
+will be locked.
+
+If no delivery is attempted for any of the above reasons, the function returns
+DELIVER_NOT_ATTEMPTED.
+
+If the give_up flag is set true, do not attempt any deliveries, but instead
+fail all outstanding addresses and return the message to the sender (or
+whoever).
+
+A delivery operation has a process all to itself; we never deliver more than
+one message in the same process. Therefore we needn't worry too much about
+store leakage.
+
+Liable to be called as root.
+
+Arguments:
+  id          the id of the message to be delivered
+  forced      TRUE if delivery was forced by an administrator; this overrides
+              retry delays and causes a delivery to be tried regardless
+  give_up     TRUE if an administrator has requested that delivery attempts
+              be abandoned
+
+Returns:      When the global variable mua_wrapper is FALSE:
+                DELIVER_ATTEMPTED_NORMAL   if a delivery attempt was made
+                DELIVER_NOT_ATTEMPTED      otherwise (see comment above)
+              When the global variable mua_wrapper is TRUE:
+                DELIVER_MUA_SUCCEEDED      if delivery succeeded
+                DELIVER_MUA_FAILED         if delivery failed
+                DELIVER_NOT_ATTEMPTED      if not attempted (should not occur)
+*/
+
+int
+deliver_message(uschar *id, BOOL forced, BOOL give_up)
+{
+int i, rc;
+int final_yield = DELIVER_ATTEMPTED_NORMAL;
+time_t now = time(NULL);
+address_item *addr_last = NULL;
+uschar *filter_message = NULL;
+int process_recipients = RECIP_ACCEPT;
+open_db dbblock;
+open_db *dbm_file;
+extern int acl_where;
+uschar *info;
+
+#ifdef MEASURE_TIMING
+report_time_since(&timestamp_startup, US"delivery start");	/* testcase 0022, 2100 */
+#endif
+
+info = queue_run_pid == (pid_t)0
+  ? string_sprintf("delivering %s", id)
+  : string_sprintf("delivering %s (queue run pid %d)", id, queue_run_pid);
+
+/* If the D_process_info bit is on, set_process_info() will output debugging
+information. If not, we want to show this initial information if D_deliver or
+D_queue_run is set or in verbose mode. */
+
+set_process_info("%s", info);
+
+if (  !(debug_selector & D_process_info)
+   && (debug_selector & (D_deliver|D_queue_run|D_v))
+   )
+  debug_printf("%s\n", info);
+
+/* Ensure that we catch any subprocesses that are created. Although Exim
+sets SIG_DFL as its initial default, some routes through the code end up
+here with it set to SIG_IGN - cases where a non-synchronous delivery process
+has been forked, but no re-exec has been done. We use sigaction rather than
+plain signal() on those OS where SA_NOCLDWAIT exists, because we want to be
+sure it is turned off. (There was a problem on AIX with this.) */
+
+#ifdef SA_NOCLDWAIT
+  {
+  struct sigaction act;
+  act.sa_handler = SIG_DFL;
+  sigemptyset(&(act.sa_mask));
+  act.sa_flags = 0;
+  sigaction(SIGCHLD, &act, NULL);
+  }
+#else
+signal(SIGCHLD, SIG_DFL);
+#endif
+
+/* Make the forcing flag available for routers and transports, set up the
+global message id field, and initialize the count for returned files and the
+message size. This use of strcpy() is OK because the length id is checked when
+it is obtained from a command line (the -M or -q options), and otherwise it is
+known to be a valid message id. */
+
+if (id != message_id)
+  Ustrcpy(message_id, id);
+f.deliver_force = forced;
+return_count = 0;
+message_size = 0;
+
+/* Initialize some flags */
+
+update_spool = FALSE;
+remove_journal = TRUE;
+
+/* Set a known context for any ACLs we call via expansions */
+acl_where = ACL_WHERE_DELIVERY;
+
+/* Reset the random number generator, so that if several delivery processes are
+started from a queue runner that has already used random numbers (for sorting),
+they don't all get the same sequence. */
+
+random_seed = 0;
+
+/* Open and lock the message's data file. Exim locks on this one because the
+header file may get replaced as it is re-written during the delivery process.
+Any failures cause messages to be written to the log, except for missing files
+while queue running - another process probably completed delivery. As part of
+opening the data file, message_subdir gets set. */
+
+if ((deliver_datafile = spool_open_datafile(id)) < 0)
+  return continue_closedown();  /* yields DELIVER_NOT_ATTEMPTED */
+
+/* The value of message_size at this point has been set to the data length,
+plus one for the blank line that notionally precedes the data. */
+
+/* Now read the contents of the header file, which will set up the headers in
+store, and also the list of recipients and the tree of non-recipients and
+assorted flags. It updates message_size. If there is a reading or format error,
+give up; if the message has been around for sufficiently long, remove it. */
+
+  {
+  uschar * spoolname = string_sprintf("%s-H", id);
+  if ((rc = spool_read_header(spoolname, TRUE, TRUE)) != spool_read_OK)
+    {
+    if (errno == ERRNO_SPOOLFORMAT)
+      {
+      struct stat statbuf;
+      if (Ustat(spool_fname(US"input", message_subdir, spoolname, US""),
+		&statbuf) == 0)
+	log_write(0, LOG_MAIN, "Format error in spool file %s: "
+	  "size=" OFF_T_FMT, spoolname, statbuf.st_size);
+      else
+	log_write(0, LOG_MAIN, "Format error in spool file %s", spoolname);
+      }
+    else
+      log_write(0, LOG_MAIN, "Error reading spool file %s: %s", spoolname,
+	strerror(errno));
+
+    /* If we managed to read the envelope data, received_time contains the
+    time the message was received. Otherwise, we can calculate it from the
+    message id. */
+
+    if (rc != spool_read_hdrerror)
+      {
+      received_time.tv_sec = received_time.tv_usec = 0;
+      /*XXX subsec precision?*/
+      for (i = 0; i < 6; i++)
+	received_time.tv_sec = received_time.tv_sec * BASE_62 + tab62[id[i] - '0'];
+      }
+
+    /* If we've had this malformed message too long, sling it. */
+
+    if (now - received_time.tv_sec > keep_malformed)
+      {
+      Uunlink(spool_fname(US"msglog", message_subdir, id, US""));
+      Uunlink(spool_fname(US"input", message_subdir, id, US"-D"));
+      Uunlink(spool_fname(US"input", message_subdir, id, US"-H"));
+      Uunlink(spool_fname(US"input", message_subdir, id, US"-J"));
+      log_write(0, LOG_MAIN, "Message removed because older than %s",
+	readconf_printtime(keep_malformed));
+      }
+
+    (void)close(deliver_datafile);
+    deliver_datafile = -1;
+    return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
+    }
+  }
+
+/* The spool header file has been read. Look to see if there is an existing
+journal file for this message. If there is, it means that a previous delivery
+attempt crashed (program or host) before it could update the spool header file.
+Read the list of delivered addresses from the journal and add them to the
+nonrecipients tree. Then update the spool file. We can leave the journal in
+existence, as it will get further successful deliveries added to it in this
+run, and it will be deleted if this function gets to its end successfully.
+Otherwise it might be needed again. */
+
+  {
+  uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");
+  FILE * jread;
+
+  if (  (journal_fd = Uopen(fname, O_RDWR|O_APPEND
+#ifdef O_CLOEXEC
+				    | O_CLOEXEC
+#endif
+#ifdef O_NOFOLLOW
+				    | O_NOFOLLOW
+#endif
+	, SPOOL_MODE)) >= 0
+     && lseek(journal_fd, 0, SEEK_SET) == 0
+     && (jread = fdopen(journal_fd, "rb"))
+     )
+    {
+    while (Ufgets(big_buffer, big_buffer_size, jread))
+      {
+      int n = Ustrlen(big_buffer);
+      big_buffer[n-1] = 0;
+      tree_add_nonrecipient(big_buffer);
+      DEBUG(D_deliver) debug_printf("Previously delivered address %s taken from "
+	"journal file\n", big_buffer);
+      }
+    rewind(jread);
+    if ((journal_fd = dup(fileno(jread))) < 0)
+      journal_fd = fileno(jread);
+    else
+      (void) fclose(jread);	/* Try to not leak the FILE resource */
+
+    /* Panic-dies on error */
+    (void)spool_write_header(message_id, SW_DELIVERING, NULL);
+    }
+  else if (errno != ENOENT)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "attempt to open journal for reading gave: "
+      "%s", strerror(errno));
+    return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
+    }
+
+  /* A null recipients list indicates some kind of disaster. */
+
+  if (!recipients_list)
+    {
+    (void)close(deliver_datafile);
+    deliver_datafile = -1;
+    log_write(0, LOG_MAIN, "Spool error: no recipients for %s", fname);
+    return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
+    }
+  }
+
+
+/* Handle a message that is frozen. There are a number of different things that
+can happen, but in the default situation, unless forced, no delivery is
+attempted. */
+
+if (f.deliver_freeze)
+  {
+#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
+  /* Moving to another directory removes the message from Exim's view. Other
+  tools must be used to deal with it. Logging of this action happens in
+  spool_move_message() and its subfunctions. */
+
+  if (  move_frozen_messages
+     && spool_move_message(id, message_subdir, US"", US"F")
+     )
+    return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
+#endif
+
+  /* For all frozen messages (bounces or not), timeout_frozen_after sets the
+  maximum time to keep messages that are frozen. Thaw if we reach it, with a
+  flag causing all recipients to be failed. The time is the age of the
+  message, not the time since freezing. */
+
+  if (timeout_frozen_after > 0 && message_age >= timeout_frozen_after)
+    {
+    log_write(0, LOG_MAIN, "cancelled by timeout_frozen_after");
+    process_recipients = RECIP_FAIL_TIMEOUT;
+    }
+
+  /* For bounce messages (and others with no sender), thaw if the error message
+  ignore timer is exceeded. The message will be discarded if this delivery
+  fails. */
+
+  else if (!*sender_address && message_age >= ignore_bounce_errors_after)
+    log_write(0, LOG_MAIN, "Unfrozen by errmsg timer");
+
+  /* If this is a bounce message, or there's no auto thaw, or we haven't
+  reached the auto thaw time yet, and this delivery is not forced by an admin
+  user, do not attempt delivery of this message. Note that forced is set for
+  continuing messages down the same channel, in order to skip load checking and
+  ignore hold domains, but we don't want unfreezing in that case. */
+
+  else
+    {
+    if (  (  sender_address[0] == 0
+	  || auto_thaw <= 0
+	  || now <= deliver_frozen_at + auto_thaw
+          )
+       && (  !forced || !f.deliver_force_thaw
+	  || !f.admin_user || continue_hostname
+       )  )
+      {
+      (void)close(deliver_datafile);
+      deliver_datafile = -1;
+      log_write(L_skip_delivery, LOG_MAIN, "Message is frozen");
+      return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
+      }
+
+    /* If delivery was forced (by an admin user), assume a manual thaw.
+    Otherwise it's an auto thaw. */
+
+    if (forced)
+      {
+      f.deliver_manual_thaw = TRUE;
+      log_write(0, LOG_MAIN, "Unfrozen by forced delivery");
+      }
+    else log_write(0, LOG_MAIN, "Unfrozen by auto-thaw");
+    }
+
+  /* We get here if any of the rules for unfreezing have triggered. */
+
+  f.deliver_freeze = FALSE;
+  update_spool = TRUE;
+  }
+
+
+/* Open the message log file if we are using them. This records details of
+deliveries, deferments, and failures for the benefit of the mail administrator.
+The log is not used by exim itself to track the progress of a message; that is
+done by rewriting the header spool file. */
+
+if (message_logs)
+  {
+  uschar * fname = spool_fname(US"msglog", message_subdir, id, US"");
+  uschar * error;
+  int fd;
+
+  if ((fd = open_msglog_file(fname, SPOOL_MODE, &error)) < 0)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't %s message log %s: %s", error,
+      fname, strerror(errno));
+    return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
+    }
+
+  /* Make a stdio stream out of it. */
+
+  if (!(message_log = fdopen(fd, "a")))
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't fdopen message log %s: %s",
+      fname, strerror(errno));
+    return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
+    }
+  }
+
+
+/* If asked to give up on a message, log who did it, and set the action for all
+the addresses. */
+
+if (give_up)
+  {
+  struct passwd *pw = getpwuid(real_uid);
+  log_write(0, LOG_MAIN, "cancelled by %s",
+      pw ? US pw->pw_name : string_sprintf("uid %ld", (long int)real_uid));
+  process_recipients = RECIP_FAIL;
+  }
+
+/* Otherwise, if there are too many Received: headers, fail all recipients. */
+
+else if (received_count > received_headers_max)
+  process_recipients = RECIP_FAIL_LOOP;
+
+/* Otherwise, if a system-wide, address-independent message filter is
+specified, run it now, except in the case when we are failing all recipients as
+a result of timeout_frozen_after. If the system filter yields "delivered", then
+ignore the true recipients of the message. Failure of the filter file is
+logged, and the delivery attempt fails. */
+
+else if (system_filter && process_recipients != RECIP_FAIL_TIMEOUT)
+  {
+  int rc;
+  int filtertype;
+  ugid_block ugid;
+  redirect_block redirect;
+
+  if (system_filter_uid_set)
+    {
+    ugid.uid = system_filter_uid;
+    ugid.gid = system_filter_gid;
+    ugid.uid_set = ugid.gid_set = TRUE;
+    }
+  else
+    ugid.uid_set = ugid.gid_set = FALSE;
+
+  return_path = sender_address;
+  f.enable_dollar_recipients = TRUE;   /* Permit $recipients in system filter */
+  f.system_filtering = TRUE;
+
+  /* Any error in the filter file causes a delivery to be abandoned. */
+
+  redirect.string = system_filter;
+  redirect.isfile = TRUE;
+  redirect.check_owner = redirect.check_group = FALSE;
+  redirect.owners = NULL;
+  redirect.owngroups = NULL;
+  redirect.pw = NULL;
+  redirect.modemask = 0;
+
+  DEBUG(D_deliver|D_filter) debug_printf("running system filter\n");
+
+  rc = rda_interpret(
+    &redirect,              /* Where the data is */
+    RDO_DEFER |             /* Turn on all the enabling options */
+      RDO_FAIL |            /* Leave off all the disabling options */
+      RDO_FILTER |
+      RDO_FREEZE |
+      RDO_REALLOG |
+      RDO_REWRITE,
+    NULL,                   /* No :include: restriction (not used in filter) */
+    NULL,                   /* No sieve vacation directory (not sieve!) */
+    NULL,                   /* No sieve enotify mailto owner (not sieve!) */
+    NULL,                   /* No sieve user address (not sieve!) */
+    NULL,                   /* No sieve subaddress (not sieve!) */
+    &ugid,                  /* uid/gid data */
+    &addr_new,              /* Where to hang generated addresses */
+    &filter_message,        /* Where to put error message */
+    NULL,                   /* Don't skip syntax errors */
+    &filtertype,            /* Will always be set to FILTER_EXIM for this call */
+    US"system filter");     /* For error messages */
+
+  DEBUG(D_deliver|D_filter) debug_printf("system filter returned %d\n", rc);
+
+  if (rc == FF_ERROR || rc == FF_NONEXIST)
+    {
+    (void)close(deliver_datafile);
+    deliver_datafile = -1;
+    log_write(0, LOG_MAIN|LOG_PANIC, "Error in system filter: %s",
+      string_printing(filter_message));
+    return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
+    }
+
+  /* Reset things. If the filter message is an empty string, which can happen
+  for a filter "fail" or "freeze" command with no text, reset it to NULL. */
+
+  f.system_filtering = FALSE;
+  f.enable_dollar_recipients = FALSE;
+  if (filter_message && filter_message[0] == 0) filter_message = NULL;
+
+  /* Save the values of the system filter variables so that user filters
+  can use them. */
+
+  memcpy(filter_sn, filter_n, sizeof(filter_sn));
+
+  /* The filter can request that delivery of the original addresses be
+  deferred. */
+
+  if (rc == FF_DEFER)
+    {
+    process_recipients = RECIP_DEFER;
+    deliver_msglog("Delivery deferred by system filter\n");
+    log_write(0, LOG_MAIN, "Delivery deferred by system filter");
+    }
+
+  /* The filter can request that a message be frozen, but this does not
+  take place if the message has been manually thawed. In that case, we must
+  unset "delivered", which is forced by the "freeze" command to make -bF
+  work properly. */
+
+  else if (rc == FF_FREEZE && !f.deliver_manual_thaw)
+    {
+    f.deliver_freeze = TRUE;
+    deliver_frozen_at = time(NULL);
+    process_recipients = RECIP_DEFER;
+    frozen_info = string_sprintf(" by the system filter%s%s",
+      filter_message ? US": " : US"",
+      filter_message ? filter_message : US"");
+    }
+
+  /* The filter can request that a message be failed. The error message may be
+  quite long - it is sent back to the sender in the bounce - but we don't want
+  to fill up the log with repetitions of it. If it starts with << then the text
+  between << and >> is written to the log, with the rest left for the bounce
+  message. */
+
+  else if (rc == FF_FAIL)
+    {
+    uschar *colon = US"";
+    uschar *logmsg = US"";
+    int loglen = 0;
+
+    process_recipients = RECIP_FAIL_FILTER;
+
+    if (filter_message)
+      {
+      uschar *logend;
+      colon = US": ";
+      if (  filter_message[0] == '<'
+         && filter_message[1] == '<'
+	 && (logend = Ustrstr(filter_message, ">>"))
+	 )
+        {
+        logmsg = filter_message + 2;
+        loglen = logend - logmsg;
+        filter_message = logend + 2;
+        if (filter_message[0] == 0) filter_message = NULL;
+        }
+      else
+        {
+        logmsg = filter_message;
+        loglen = Ustrlen(filter_message);
+        }
+      }
+
+    log_write(0, LOG_MAIN, "cancelled by system filter%s%.*s", colon, loglen,
+      logmsg);
+    }
+
+  /* Delivery can be restricted only to those recipients (if any) that the
+  filter specified. */
+
+  else if (rc == FF_DELIVERED)
+    {
+    process_recipients = RECIP_IGNORE;
+    if (addr_new)
+      log_write(0, LOG_MAIN, "original recipients ignored (system filter)");
+    else
+      log_write(0, LOG_MAIN, "=> discarded (system filter)");
+    }
+
+  /* If any new addresses were created by the filter, fake up a "parent"
+  for them. This is necessary for pipes, etc., which are expected to have
+  parents, and it also gives some sensible logging for others. Allow
+  pipes, files, and autoreplies, and run them as the filter uid if set,
+  otherwise as the current uid. */
+
+  if (addr_new)
+    {
+    int uid = system_filter_uid_set ? system_filter_uid : geteuid();
+    int gid = system_filter_gid_set ? system_filter_gid : getegid();
+
+    /* The text "system-filter" is tested in transport_set_up_command() and in
+    set_up_shell_command() in the pipe transport, to enable them to permit
+    $recipients, so don't change it here without also changing it there. */
+
+    address_item *p = addr_new;
+    address_item *parent = deliver_make_addr(US"system-filter", FALSE);
+
+    parent->domain = string_copylc(qualify_domain_recipient);
+    parent->local_part = US"system-filter";
+
+    /* As part of this loop, we arrange for addr_last to end up pointing
+    at the final address. This is used if we go on to add addresses for the
+    original recipients. */
+
+    while (p)
+      {
+      if (parent->child_count == USHRT_MAX)
+        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "system filter generated more "
+          "than %d delivery addresses", USHRT_MAX);
+      parent->child_count++;
+      p->parent = parent;
+
+      if (testflag(p, af_pfr))
+        {
+        uschar *tpname;
+        uschar *type;
+        p->uid = uid;
+        p->gid = gid;
+        setflag(p, af_uid_set);
+        setflag(p, af_gid_set);
+        setflag(p, af_allow_file);
+        setflag(p, af_allow_pipe);
+        setflag(p, af_allow_reply);
+
+        /* Find the name of the system filter's appropriate pfr transport */
+
+        if (p->address[0] == '|')
+          {
+          type = US"pipe";
+          tpname = system_filter_pipe_transport;
+          address_pipe = p->address;
+          }
+        else if (p->address[0] == '>')
+          {
+          type = US"reply";
+          tpname = system_filter_reply_transport;
+          }
+        else
+          {
+          if (p->address[Ustrlen(p->address)-1] == '/')
+            {
+            type = US"directory";
+            tpname = system_filter_directory_transport;
+            }
+          else
+            {
+            type = US"file";
+            tpname = system_filter_file_transport;
+            }
+          address_file = p->address;
+          }
+
+        /* Now find the actual transport, first expanding the name. We have
+        set address_file or address_pipe above. */
+
+        if (tpname)
+          {
+          uschar *tmp = expand_string(tpname);
+          address_file = address_pipe = NULL;
+          if (!tmp)
+            p->message = string_sprintf("failed to expand \"%s\" as a "
+              "system filter transport name", tpname);
+	  if (is_tainted(tmp))
+            p->message = string_sprintf("attempt to used tainted value '%s' for"
+	      "transport '%s' as a system filter", tmp, tpname);
+          tpname = tmp;
+          }
+        else
+          p->message = string_sprintf("system_filter_%s_transport is unset",
+            type);
+
+        if (tpname)
+          {
+          transport_instance *tp;
+          for (tp = transports; tp; tp = tp->next)
+            if (Ustrcmp(tp->name, tpname) == 0)
+              {
+              p->transport = tp;
+              break;
+              }
+          if (!tp)
+            p->message = string_sprintf("failed to find \"%s\" transport "
+              "for system filter delivery", tpname);
+          }
+
+        /* If we couldn't set up a transport, defer the delivery, putting the
+        error on the panic log as well as the main log. */
+
+        if (!p->transport)
+          {
+          address_item *badp = p;
+          p = p->next;
+          if (!addr_last) addr_new = p; else addr_last->next = p;
+          badp->local_part = badp->address;   /* Needed for log line */
+          post_process_one(badp, DEFER, LOG_MAIN|LOG_PANIC, EXIM_DTYPE_ROUTER, 0);
+          continue;
+          }
+        }    /* End of pfr handling */
+
+      /* Either a non-pfr delivery, or we found a transport */
+
+      DEBUG(D_deliver|D_filter)
+        debug_printf("system filter added %s\n", p->address);
+
+      addr_last = p;
+      p = p->next;
+      }    /* Loop through all addr_new addresses */
+    }
+  }
+
+
+/* Scan the recipients list, and for every one that is not in the non-
+recipients tree, add an addr item to the chain of new addresses. If the pno
+value is non-negative, we must set the onetime parent from it. This which
+points to the relevant entry in the recipients list.
+
+This processing can be altered by the setting of the process_recipients
+variable, which is changed if recipients are to be ignored, failed, or
+deferred. This can happen as a result of system filter activity, or if the -Mg
+option is used to fail all of them.
+
+Duplicate addresses are handled later by a different tree structure; we can't
+just extend the non-recipients tree, because that will be re-written to the
+spool if the message is deferred, and in any case there are casing
+complications for local addresses. */
+
+if (process_recipients != RECIP_IGNORE)
+  for (i = 0; i < recipients_count; i++)
+    if (!tree_search(tree_nonrecipients, recipients_list[i].address))
+      {
+      recipient_item *r = recipients_list + i;
+      address_item *new = deliver_make_addr(r->address, FALSE);
+      new->prop.errors_address = r->errors_to;
+#ifdef SUPPORT_I18N
+      if ((new->prop.utf8_msg = message_smtputf8))
+	{
+	new->prop.utf8_downcvt =       message_utf8_downconvert == 1;
+	new->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
+	DEBUG(D_deliver) debug_printf("utf8, downconvert %s\n",
+	  new->prop.utf8_downcvt ? "yes"
+	  : new->prop.utf8_downcvt_maybe ? "ifneeded"
+	  : "no");
+	}
+#endif
+
+      if (r->pno >= 0)
+        new->onetime_parent = recipients_list[r->pno].address;
+
+      /* If DSN support is enabled, set the dsn flags and the original receipt
+      to be passed on to other DSN enabled MTAs */
+
+      new->dsn_flags = r->dsn_flags & rf_dsnflags;
+      new->dsn_orcpt = r->orcpt;
+      DEBUG(D_deliver) debug_printf("DSN: set orcpt: %s  flags: 0x%x\n",
+	new->dsn_orcpt ? new->dsn_orcpt : US"", new->dsn_flags);
+
+      switch (process_recipients)
+        {
+        /* RECIP_DEFER is set when a system filter freezes a message. */
+
+        case RECIP_DEFER:
+	  new->next = addr_defer;
+	  addr_defer = new;
+	  break;
+
+
+        /* RECIP_FAIL_FILTER is set when a system filter has obeyed a "fail"
+        command. */
+
+        case RECIP_FAIL_FILTER:
+	  new->message =
+	    filter_message ? filter_message : US"delivery cancelled";
+	  setflag(new, af_pass_message);
+	  goto RECIP_QUEUE_FAILED;   /* below */
+
+
+        /* RECIP_FAIL_TIMEOUT is set when a message is frozen, but is older
+        than the value in timeout_frozen_after. Treat non-bounce messages
+        similarly to -Mg; for bounce messages we just want to discard, so
+        don't put the address on the failed list. The timeout has already
+        been logged. */
+
+        case RECIP_FAIL_TIMEOUT:
+	  new->message  = US"delivery cancelled; message timed out";
+	  goto RECIP_QUEUE_FAILED;   /* below */
+
+
+        /* RECIP_FAIL is set when -Mg has been used. */
+
+        case RECIP_FAIL:
+	  new->message  = US"delivery cancelled by administrator";
+	  /* Fall through */
+
+        /* Common code for the failure cases above. If this is not a bounce
+        message, put the address on the failed list so that it is used to
+        create a bounce. Otherwise do nothing - this just discards the address.
+        The incident has already been logged. */
+
+        RECIP_QUEUE_FAILED:
+	  if (sender_address[0])
+	    {
+	    new->next = addr_failed;
+	    addr_failed = new;
+	    }
+        break;
+
+
+        /* RECIP_FAIL_LOOP is set when there are too many Received: headers
+        in the message. Process each address as a routing failure; if this
+        is a bounce message, it will get frozen. */
+
+        case RECIP_FAIL_LOOP:
+	  new->message = US"Too many \"Received\" headers - suspected mail loop";
+	  post_process_one(new, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+	  break;
+
+
+        /* Value should be RECIP_ACCEPT; take this as the safe default. */
+
+        default:
+	  if (!addr_new) addr_new = new; else addr_last->next = new;
+	  addr_last = new;
+	  break;
+        }
+
+#ifndef DISABLE_EVENT
+      if (process_recipients != RECIP_ACCEPT && event_action)
+	{
+	uschar * save_local =  deliver_localpart;
+	const uschar * save_domain = deliver_domain;
+	uschar * addr = new->address, * errmsg = NULL;
+	int start, end, dom;
+
+	if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE))
+	  log_write(0, LOG_MAIN|LOG_PANIC,
+                "failed to parse address '%.100s': %s\n", addr, errmsg);
+	else
+	  {
+	  deliver_localpart =
+	    string_copyn(addr+start, dom ? (dom-1) - start : end - start);
+	  deliver_domain = dom ? CUS string_copyn(addr+dom, end - dom) : CUS"";
+
+	  (void) event_raise(event_action, US"msg:fail:internal", new->message, NULL);
+
+	  deliver_localpart = save_local;
+	  deliver_domain = save_domain;
+	  }
+	}
+#endif
+      }
+
+DEBUG(D_deliver)
+  {
+  debug_printf("Delivery address list:\n");
+  for (address_item * p = addr_new; p; p = p->next)
+    debug_printf("  %s %s\n", p->address,
+      p->onetime_parent ? p->onetime_parent : US"");
+  }
+
+/* Set up the buffers used for copying over the file when delivering. */
+
+deliver_in_buffer = store_malloc(DELIVER_IN_BUFFER_SIZE);
+deliver_out_buffer = store_malloc(DELIVER_OUT_BUFFER_SIZE);
+
+
+
+/* Until there are no more new addresses, handle each one as follows:
+
+ . If this is a generated address (indicated by the presence of a parent
+   pointer) then check to see whether it is a pipe, file, or autoreply, and
+   if so, handle it directly here. The router that produced the address will
+   have set the allow flags into the address, and also set the uid/gid required.
+   Having the routers generate new addresses and then checking them here at
+   the outer level is tidier than making each router do the checking, and
+   means that routers don't need access to the failed address queue.
+
+ . Break up the address into local part and domain, and make lowercased
+   versions of these strings. We also make unquoted versions of the local part.
+
+ . Handle the percent hack for those domains for which it is valid.
+
+ . For child addresses, determine if any of the parents have the same address.
+   If so, generate a different string for previous delivery checking. Without
+   this code, if the address spqr generates spqr via a forward or alias file,
+   delivery of the generated spqr stops further attempts at the top level spqr,
+   which is not what is wanted - it may have generated other addresses.
+
+ . Check on the retry database to see if routing was previously deferred, but
+   only if in a queue run. Addresses that are to be routed are put on the
+   addr_route chain. Addresses that are to be deferred are put on the
+   addr_defer chain. We do all the checking first, so as not to keep the
+   retry database open any longer than necessary.
+
+ . Now we run the addresses through the routers. A router may put the address
+   on either the addr_local or the addr_remote chain for local or remote
+   delivery, respectively, or put it on the addr_failed chain if it is
+   undeliveable, or it may generate child addresses and put them on the
+   addr_new chain, or it may defer an address. All the chain anchors are
+   passed as arguments so that the routers can be called for verification
+   purposes as well.
+
+ . If new addresses have been generated by the routers, da capo.
+*/
+
+f.header_rewritten = FALSE;          /* No headers rewritten yet */
+while (addr_new)           /* Loop until all addresses dealt with */
+  {
+  address_item *addr, *parent;
+
+  /* Failure to open the retry database is treated the same as if it does
+  not exist. In both cases, dbm_file is NULL. */
+
+  if (!(dbm_file = dbfn_open(US"retry", O_RDONLY, &dbblock, FALSE, TRUE)))
+    DEBUG(D_deliver|D_retry|D_route|D_hints_lookup)
+      debug_printf("no retry data available\n");
+
+  /* Scan the current batch of new addresses, to handle pipes, files and
+  autoreplies, and determine which others are ready for routing. */
+
+  while (addr_new)
+    {
+    int rc;
+    tree_node * tnode;
+    dbdata_retry * domain_retry_record, * address_retry_record;
+
+    addr = addr_new;
+    addr_new = addr->next;
+
+    DEBUG(D_deliver|D_retry|D_route)
+      {
+      debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+      debug_printf("Considering: %s\n", addr->address);
+      }
+
+    /* Handle generated address that is a pipe or a file or an autoreply. */
+
+    if (testflag(addr, af_pfr))
+      {
+      /* If an autoreply in a filter could not generate a syntactically valid
+      address, give up forthwith. Set af_ignore_error so that we don't try to
+      generate a bounce. */
+
+      if (testflag(addr, af_bad_reply))
+        {
+        addr->basic_errno = ERRNO_BADADDRESS2;
+        addr->local_part = addr->address;
+        addr->message =
+          US"filter autoreply generated syntactically invalid recipient";
+        addr->prop.ignore_error = TRUE;
+        (void) post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+        continue;   /* with the next new address */
+        }
+
+      /* If two different users specify delivery to the same pipe or file or
+      autoreply, there should be two different deliveries, so build a unique
+      string that incorporates the original address, and use this for
+      duplicate testing and recording delivery, and also for retrying. */
+
+      addr->unique =
+        string_sprintf("%s:%s", addr->address, addr->parent->unique +
+          (testflag(addr->parent, af_homonym)? 3:0));
+
+      addr->address_retry_key = addr->domain_retry_key =
+        string_sprintf("T:%s", addr->unique);
+
+      /* If a filter file specifies two deliveries to the same pipe or file,
+      we want to de-duplicate, but this is probably not wanted for two mail
+      commands to the same address, where probably both should be delivered.
+      So, we have to invent a different unique string in that case. Just
+      keep piling '>' characters on the front. */
+
+      if (addr->address[0] == '>')
+        while (tree_search(tree_duplicates, addr->unique))
+          addr->unique = string_sprintf(">%s", addr->unique);
+
+      else if ((tnode = tree_search(tree_duplicates, addr->unique)))
+        {
+        DEBUG(D_deliver|D_route)
+          debug_printf("%s is a duplicate address: discarded\n", addr->address);
+        addr->dupof = tnode->data.ptr;
+        addr->next = addr_duplicate;
+        addr_duplicate = addr;
+        continue;
+        }
+
+      DEBUG(D_deliver|D_route) debug_printf("unique = %s\n", addr->unique);
+
+      /* Check for previous delivery */
+
+      if (tree_search(tree_nonrecipients, addr->unique))
+        {
+        DEBUG(D_deliver|D_route)
+          debug_printf("%s was previously delivered: discarded\n", addr->address);
+        child_done(addr, tod_stamp(tod_log));
+        continue;
+        }
+
+      /* Save for checking future duplicates */
+
+      tree_add_duplicate(addr->unique, addr);
+
+      /* Set local part and domain */
+
+      addr->local_part = addr->address;
+      addr->domain = addr->parent->domain;
+
+      /* Ensure that the delivery is permitted. */
+
+      if (testflag(addr, af_file))
+        {
+        if (!testflag(addr, af_allow_file))
+          {
+          addr->basic_errno = ERRNO_FORBIDFILE;
+          addr->message = US"delivery to file forbidden";
+          (void)post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+          continue;   /* with the next new address */
+          }
+        }
+      else if (addr->address[0] == '|')
+        {
+        if (!testflag(addr, af_allow_pipe))
+          {
+          addr->basic_errno = ERRNO_FORBIDPIPE;
+          addr->message = US"delivery to pipe forbidden";
+          (void)post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+          continue;   /* with the next new address */
+          }
+        }
+      else if (!testflag(addr, af_allow_reply))
+        {
+        addr->basic_errno = ERRNO_FORBIDREPLY;
+        addr->message = US"autoreply forbidden";
+        (void)post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+        continue;     /* with the next new address */
+        }
+
+      /* If the errno field is already set to BADTRANSPORT, it indicates
+      failure to expand a transport string, or find the associated transport,
+      or an unset transport when one is required. Leave this test till now so
+      that the forbid errors are given in preference. */
+
+      if (addr->basic_errno == ERRNO_BADTRANSPORT)
+        {
+        (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+        continue;
+        }
+
+      /* Treat /dev/null as a special case and abandon the delivery. This
+      avoids having to specify a uid on the transport just for this case.
+      Arrange for the transport name to be logged as "**bypassed**".
+      Copy the transport for this fairly unusual case rather than having
+      to make all transports mutable. */
+
+      if (Ustrcmp(addr->address, "/dev/null") == 0)
+        {
+	transport_instance * save_t = addr->transport;
+	transport_instance * t = store_get(sizeof(*t), save_t);
+	*t = *save_t;
+	t->name = US"**bypassed**";
+	addr->transport = t;
+        (void)post_process_one(addr, OK, LOG_MAIN, EXIM_DTYPE_TRANSPORT, '=');
+        addr->transport= save_t;
+        continue;   /* with the next new address */
+        }
+
+      /* Pipe, file, or autoreply delivery is to go ahead as a normal local
+      delivery. */
+
+      DEBUG(D_deliver|D_route)
+        debug_printf("queued for %s transport\n", addr->transport->name);
+      addr->next = addr_local;
+      addr_local = addr;
+      continue;       /* with the next new address */
+      }
+
+    /* Handle normal addresses. First, split up into local part and domain,
+    handling the %-hack if necessary. There is the possibility of a defer from
+    a lookup in percent_hack_domains. */
+
+    if ((rc = deliver_split_address(addr)) == DEFER)
+      {
+      addr->message = US"cannot check percent_hack_domains";
+      addr->basic_errno = ERRNO_LISTDEFER;
+      (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_NONE, 0);
+      continue;
+      }
+
+    /* Check to see if the domain is held. If so, proceed only if the
+    delivery was forced by hand. */
+
+    deliver_domain = addr->domain;  /* set $domain */
+    if (  !forced && hold_domains
+       && (rc = match_isinlist(addr->domain, (const uschar **)&hold_domains, 0,
+           &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE,
+           NULL)) != FAIL
+       )
+      {
+      if (rc == DEFER)
+        {
+        addr->message = US"hold_domains lookup deferred";
+        addr->basic_errno = ERRNO_LISTDEFER;
+        }
+      else
+        {
+        addr->message = US"domain is held";
+        addr->basic_errno = ERRNO_HELD;
+        }
+      (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_NONE, 0);
+      continue;
+      }
+
+    /* Now we can check for duplicates and previously delivered addresses. In
+    order to do this, we have to generate a "unique" value for each address,
+    because there may be identical actual addresses in a line of descendents.
+    The "unique" field is initialized to the same value as the "address" field,
+    but gets changed here to cope with identically-named descendents. */
+
+    for (parent = addr->parent; parent; parent = parent->parent)
+      if (strcmpic(addr->address, parent->address) == 0) break;
+
+    /* If there's an ancestor with the same name, set the homonym flag. This
+    influences how deliveries are recorded. Then add a prefix on the front of
+    the unique address. We use \n\ where n starts at 0 and increases each time.
+    It is unlikely to pass 9, but if it does, it may look odd but will still
+    work. This means that siblings or cousins with the same names are treated
+    as duplicates, which is what we want. */
+
+    if (parent)
+      {
+      setflag(addr, af_homonym);
+      if (parent->unique[0] != '\\')
+        addr->unique = string_sprintf("\\0\\%s", addr->address);
+      else
+        addr->unique = string_sprintf("\\%c\\%s", parent->unique[1] + 1,
+          addr->address);
+      }
+
+    /* Ensure that the domain in the unique field is lower cased, because
+    domains are always handled caselessly. */
+
+    for (uschar * p = Ustrrchr(addr->unique, '@'); *p; p++) *p = tolower(*p);
+
+    DEBUG(D_deliver|D_route) debug_printf("unique = %s\n", addr->unique);
+
+    if (tree_search(tree_nonrecipients, addr->unique))
+      {
+      DEBUG(D_deliver|D_route)
+        debug_printf("%s was previously delivered: discarded\n", addr->unique);
+      child_done(addr, tod_stamp(tod_log));
+      continue;
+      }
+
+    /* Get the routing retry status, saving the two retry keys (with and
+    without the local part) for subsequent use. If there is no retry record for
+    the standard address routing retry key, we look for the same key with the
+    sender attached, because this form is used by the smtp transport after a
+    4xx response to RCPT when address_retry_include_sender is true. */
+
+    addr->domain_retry_key = string_sprintf("R:%s", addr->domain);
+    addr->address_retry_key = string_sprintf("R:%s@%s", addr->local_part,
+      addr->domain);
+
+    if (dbm_file)
+      {
+      domain_retry_record = dbfn_read(dbm_file, addr->domain_retry_key);
+      if (  domain_retry_record
+         && now - domain_retry_record->time_stamp > retry_data_expire
+	 )
+	{
+	DEBUG(D_deliver|D_retry)
+	  debug_printf("domain retry record present but expired\n");
+        domain_retry_record = NULL;    /* Ignore if too old */
+	}
+
+      address_retry_record = dbfn_read(dbm_file, addr->address_retry_key);
+      if (  address_retry_record
+         && now - address_retry_record->time_stamp > retry_data_expire
+	 )
+	{
+	DEBUG(D_deliver|D_retry)
+	  debug_printf("address retry record present but expired\n");
+        address_retry_record = NULL;   /* Ignore if too old */
+	}
+
+      if (!address_retry_record)
+        {
+        uschar *altkey = string_sprintf("%s:<%s>", addr->address_retry_key,
+          sender_address);
+        address_retry_record = dbfn_read(dbm_file, altkey);
+        if (  address_retry_record
+	   && now - address_retry_record->time_stamp > retry_data_expire)
+	  {
+	  DEBUG(D_deliver|D_retry)
+	    debug_printf("address<sender> retry record present but expired\n");
+          address_retry_record = NULL;   /* Ignore if too old */
+	  }
+        }
+      }
+    else
+      domain_retry_record = address_retry_record = NULL;
+
+    DEBUG(D_deliver|D_retry)
+      {
+      if (!domain_retry_record)
+	debug_printf("no   domain  retry record\n");
+      else
+	debug_printf("have domain  retry record; next_try = now%+d\n",
+		      f.running_in_test_harness ? 0 :
+		      (int)(domain_retry_record->next_try - now));
+
+      if (!address_retry_record)
+	debug_printf("no   address retry record\n");
+      else
+	debug_printf("have address retry record; next_try = now%+d\n",
+		      f.running_in_test_harness ? 0 :
+		      (int)(address_retry_record->next_try - now));
+      }
+
+    /* If we are sending a message down an existing SMTP connection, we must
+    assume that the message which created the connection managed to route
+    an address to that connection. We do not want to run the risk of taking
+    a long time over routing here, because if we do, the server at the other
+    end of the connection may time it out. This is especially true for messages
+    with lots of addresses. For this kind of delivery, queue_running is not
+    set, so we would normally route all addresses. We take a pragmatic approach
+    and defer routing any addresses that have any kind of domain retry record.
+    That is, we don't even look at their retry times. It doesn't matter if this
+    doesn't work occasionally. This is all just an optimization, after all.
+
+    The reason for not doing the same for address retries is that they normally
+    arise from 4xx responses, not DNS timeouts. */
+
+    if (continue_hostname && domain_retry_record)
+      {
+      addr->message = US"reusing SMTP connection skips previous routing defer";
+      addr->basic_errno = ERRNO_RRETRY;
+      (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+
+      addr->message = domain_retry_record->text;
+      setflag(addr, af_pass_message);
+      }
+
+    /* If we are in a queue run, defer routing unless there is no retry data or
+    we've passed the next retry time, or this message is forced. In other
+    words, ignore retry data when not in a queue run.
+
+    However, if the domain retry time has expired, always allow the routing
+    attempt. If it fails again, the address will be failed. This ensures that
+    each address is routed at least once, even after long-term routing
+    failures.
+
+    If there is an address retry, check that too; just wait for the next
+    retry time. This helps with the case when the temporary error on the
+    address was really message-specific rather than address specific, since
+    it allows other messages through.
+
+    We also wait for the next retry time if this is a message sent down an
+    existing SMTP connection (even though that will be forced). Otherwise there
+    will be far too many attempts for an address that gets a 4xx error. In
+    fact, after such an error, we should not get here because, the host should
+    not be remembered as one this message needs. However, there was a bug that
+    used to cause this to  happen, so it is best to be on the safe side.
+
+    Even if we haven't reached the retry time in the hints, there is one more
+    check to do, which is for the ultimate address timeout. We only do this
+    check if there is an address retry record and there is not a domain retry
+    record; this implies that previous attempts to handle the address had the
+    retry_use_local_parts option turned on. We use this as an approximation
+    for the destination being like a local delivery, for example delivery over
+    LMTP to an IMAP message store. In this situation users are liable to bump
+    into their quota and thereby have intermittently successful deliveries,
+    which keep the retry record fresh, which can lead to us perpetually
+    deferring messages. */
+
+    else if (  (  f.queue_running && !f.deliver_force
+	       || continue_hostname
+	       )
+            && (  (  domain_retry_record
+		  && now < domain_retry_record->next_try
+		  && !domain_retry_record->expired
+		  )
+	       || (  address_retry_record
+		  && now < address_retry_record->next_try
+	       )  )
+            && (  domain_retry_record
+	       || !address_retry_record
+	       || !retry_ultimate_address_timeout(addr->address_retry_key,
+				 addr->domain, address_retry_record, now)
+	    )  )
+      {
+      addr->message = US"retry time not reached";
+      addr->basic_errno = ERRNO_RRETRY;
+      (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+
+      /* For remote-retry errors (here and just above) that we've not yet
+      hit the retry time, use the error recorded in the retry database
+      as info in the warning message.  This lets us send a message even
+      when we're not failing on a fresh attempt.  We assume that this
+      info is not sensitive. */
+
+      addr->message = domain_retry_record
+	? domain_retry_record->text : address_retry_record->text;
+      setflag(addr, af_pass_message);
+      }
+
+    /* The domain is OK for routing. Remember if retry data exists so it
+    can be cleaned up after a successful delivery. */
+
+    else
+      {
+      if (domain_retry_record || address_retry_record)
+        setflag(addr, af_dr_retry_exists);
+      addr->next = addr_route;
+      addr_route = addr;
+      DEBUG(D_deliver|D_route)
+        debug_printf("%s: queued for routing\n", addr->address);
+      }
+    }
+
+  /* The database is closed while routing is actually happening. Requests to
+  update it are put on a chain and all processed together at the end. */
+
+  if (dbm_file) dbfn_close(dbm_file);
+
+  /* If queue_domains is set, we don't even want to try routing addresses in
+  those domains. During queue runs, queue_domains is forced to be unset.
+  Optimize by skipping this pass through the addresses if nothing is set. */
+
+  if (!f.deliver_force && queue_domains)
+    {
+    address_item *okaddr = NULL;
+    while (addr_route)
+      {
+      address_item *addr = addr_route;
+      addr_route = addr->next;
+
+      deliver_domain = addr->domain;  /* set $domain */
+      if ((rc = match_isinlist(addr->domain, CUSS &queue_domains, 0,
+            &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE, NULL))
+              != OK)
+        if (rc == DEFER)
+          {
+          addr->basic_errno = ERRNO_LISTDEFER;
+          addr->message = US"queue_domains lookup deferred";
+          (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+          }
+        else
+          {
+          addr->next = okaddr;
+          okaddr = addr;
+          }
+      else
+        {
+        addr->basic_errno = ERRNO_QUEUE_DOMAIN;
+        addr->message = US"domain is in queue_domains";
+        (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+        }
+      }
+
+    addr_route = okaddr;
+    }
+
+  /* Now route those addresses that are not deferred. */
+
+  while (addr_route)
+    {
+    int rc;
+    address_item *addr = addr_route;
+    const uschar *old_domain = addr->domain;
+    uschar *old_unique = addr->unique;
+    addr_route = addr->next;
+    addr->next = NULL;
+
+    /* Just in case some router parameter refers to it. */
+
+    if (!(return_path = addr->prop.errors_address))
+      return_path = sender_address;
+
+    /* If a router defers an address, add a retry item. Whether or not to
+    use the local part in the key is a property of the router. */
+
+    if ((rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
+         &addr_succeed, v_none)) == DEFER)
+      retry_add_item(addr,
+        addr->router->retry_use_local_part
+	  ? string_sprintf("R:%s@%s", addr->local_part, addr->domain)
+	  : string_sprintf("R:%s", addr->domain),
+	0);
+
+    /* Otherwise, if there is an existing retry record in the database, add
+    retry items to delete both forms. We must also allow for the possibility
+    of a routing retry that includes the sender address. Since the domain might
+    have been rewritten (expanded to fully qualified) as a result of routing,
+    ensure that the rewritten form is also deleted. */
+
+    else if (testflag(addr, af_dr_retry_exists))
+      {
+      uschar *altkey = string_sprintf("%s:<%s>", addr->address_retry_key,
+        sender_address);
+      retry_add_item(addr, altkey, rf_delete);
+      retry_add_item(addr, addr->address_retry_key, rf_delete);
+      retry_add_item(addr, addr->domain_retry_key, rf_delete);
+      if (Ustrcmp(addr->domain, old_domain) != 0)
+        retry_add_item(addr, string_sprintf("R:%s", old_domain), rf_delete);
+      }
+
+    /* DISCARD is given for :blackhole: and "seen finish". The event has been
+    logged, but we need to ensure the address (and maybe parents) is marked
+    done. */
+
+    if (rc == DISCARD)
+      {
+      address_done(addr, tod_stamp(tod_log));
+      continue;  /* route next address */
+      }
+
+    /* The address is finished with (failed or deferred). */
+
+    if (rc != OK)
+      {
+      (void)post_process_one(addr, rc, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
+      continue;  /* route next address */
+      }
+
+    /* The address has been routed. If the router changed the domain, it will
+    also have changed the unique address. We have to test whether this address
+    has already been delivered, because it's the unique address that finally
+    gets recorded. */
+
+    if (  addr->unique != old_unique
+       && tree_search(tree_nonrecipients, addr->unique) != 0
+       )
+      {
+      DEBUG(D_deliver|D_route) debug_printf("%s was previously delivered: "
+        "discarded\n", addr->address);
+      if (addr_remote == addr) addr_remote = addr->next;
+      else if (addr_local == addr) addr_local = addr->next;
+      }
+
+    /* If the router has same_domain_copy_routing set, we are permitted to copy
+    the routing for any other addresses with the same domain. This is an
+    optimisation to save repeated DNS lookups for "standard" remote domain
+    routing. The option is settable only on routers that generate host lists.
+    We play it very safe, and do the optimization only if the address is routed
+    to a remote transport, there are no header changes, and the domain was not
+    modified by the router. */
+
+    if (  addr_remote == addr
+       && addr->router->same_domain_copy_routing
+       && !addr->prop.extra_headers
+       && !addr->prop.remove_headers
+       && old_domain == addr->domain
+       )
+      {
+      address_item **chain = &addr_route;
+      while (*chain)
+        {
+        address_item *addr2 = *chain;
+        if (Ustrcmp(addr2->domain, addr->domain) != 0)
+          {
+          chain = &(addr2->next);
+          continue;
+          }
+
+        /* Found a suitable address; take it off the routing list and add it to
+        the remote delivery list. */
+
+        *chain = addr2->next;
+        addr2->next = addr_remote;
+        addr_remote = addr2;
+
+        /* Copy the routing data */
+
+        addr2->domain = addr->domain;
+        addr2->router = addr->router;
+        addr2->transport = addr->transport;
+        addr2->host_list = addr->host_list;
+        addr2->fallback_hosts = addr->fallback_hosts;
+        addr2->prop.errors_address = addr->prop.errors_address;
+        copyflag(addr2, addr, af_hide_child);
+        copyflag(addr2, addr, af_local_host_removed);
+
+        DEBUG(D_deliver|D_route)
+          debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
+                       "routing %s\n"
+                       "Routing for %s copied from %s\n",
+            addr2->address, addr2->address, addr->address);
+        }
+      }
+    }  /* Continue with routing the next address. */
+  }    /* Loop to process any child addresses that the routers created, and
+          any rerouted addresses that got put back on the new chain. */
+
+
+/* Debugging: show the results of the routing */
+
+DEBUG(D_deliver|D_retry|D_route)
+  {
+  debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+  debug_printf("After routing:\n  Local deliveries:\n");
+  for (address_item * p = addr_local; p; p = p->next)
+    debug_printf("    %s\n", p->address);
+
+  debug_printf("  Remote deliveries:\n");
+  for (address_item * p = addr_remote; p; p = p->next)
+    debug_printf("    %s\n", p->address);
+
+  debug_printf("  Failed addresses:\n");
+  for (address_item * p = addr_failed; p; p = p->next)
+    debug_printf("    %s\n", p->address);
+
+  debug_printf("  Deferred addresses:\n");
+  for (address_item * p = addr_defer; p; p = p->next)
+    debug_printf("    %s\n", p->address);
+  }
+
+/* Free any resources that were cached during routing. */
+
+search_tidyup();
+route_tidyup();
+
+/* These two variables are set only during routing, after check_local_user.
+Ensure they are not set in transports. */
+
+local_user_gid = (gid_t)(-1);
+local_user_uid = (uid_t)(-1);
+
+/* Check for any duplicate addresses. This check is delayed until after
+routing, because the flexibility of the routing configuration means that
+identical addresses with different parentage may end up being redirected to
+different addresses. Checking for duplicates too early (as we previously used
+to) makes this kind of thing not work. */
+
+do_duplicate_check(&addr_local);
+do_duplicate_check(&addr_remote);
+
+/* When acting as an MUA wrapper, we proceed only if all addresses route to a
+remote transport. The check that they all end up in one transaction happens in
+the do_remote_deliveries() function. */
+
+if (  mua_wrapper
+   && (addr_local || addr_failed || addr_defer)
+   )
+  {
+  address_item *addr;
+  uschar *which, *colon, *msg;
+
+  if (addr_local)
+    {
+    addr = addr_local;
+    which = US"local";
+    }
+  else if (addr_defer)
+    {
+    addr = addr_defer;
+    which = US"deferred";
+    }
+  else
+    {
+    addr = addr_failed;
+    which = US"failed";
+    }
+
+  while (addr->parent) addr = addr->parent;
+
+  if (addr->message)
+    {
+    colon = US": ";
+    msg = addr->message;
+    }
+  else colon = msg = US"";
+
+  /* We don't need to log here for a forced failure as it will already
+  have been logged. Defer will also have been logged, but as a defer, so we do
+  need to do the failure logging. */
+
+  if (addr != addr_failed)
+    log_write(0, LOG_MAIN, "** %s routing yielded a %s delivery",
+      addr->address, which);
+
+  /* Always write an error to the caller */
+
+  fprintf(stderr, "routing %s yielded a %s delivery%s%s\n", addr->address,
+    which, colon, msg);
+
+  final_yield = DELIVER_MUA_FAILED;
+  addr_failed = addr_defer = NULL;   /* So that we remove the message */
+  goto DELIVERY_TIDYUP;
+  }
+
+
+/* If this is a run to continue deliveries to an external channel that is
+already set up, defer any local deliveries.
+
+jgh 2020/12/20: I don't see why; locals should be quick.
+The defer goes back to version 1.62 in 1997.  A local being still deliverable
+during a continued run might result from something like a defer during the
+original delivery, eg. in a DB lookup.  Unlikely but possible.
+
+To avoid delaying a local when combined with a callout-hold for a remote
+delivery, test continue_sequence rather than continue_transport. */
+
+if (continue_sequence > 1 && addr_local)
+  {
+  DEBUG(D_deliver|D_retry|D_route)
+    debug_printf("deferring local deliveries due to continued-transport\n");
+  if (addr_defer)
+    {
+    address_item * addr = addr_defer;
+    while (addr->next) addr = addr->next;
+    addr->next = addr_local;
+    }
+  else
+    addr_defer = addr_local;
+  addr_local = NULL;
+  }
+
+
+/* Because address rewriting can happen in the routers, we should not really do
+ANY deliveries until all addresses have been routed, so that all recipients of
+the message get the same headers. However, this is in practice not always
+possible, since sometimes remote addresses give DNS timeouts for days on end.
+The pragmatic approach is to deliver what we can now, saving any rewritten
+headers so that at least the next lot of recipients benefit from the rewriting
+that has already been done.
+
+If any headers have been rewritten during routing, update the spool file to
+remember them for all subsequent deliveries. This can be delayed till later if
+there is only address to be delivered - if it succeeds the spool write need not
+happen. */
+
+if (  f.header_rewritten
+   && (  addr_local && (addr_local->next || addr_remote)
+      || addr_remote && addr_remote->next
+   )  )
+  {
+  /* Panic-dies on error */
+  (void)spool_write_header(message_id, SW_DELIVERING, NULL);
+  f.header_rewritten = FALSE;
+  }
+
+
+/* If there are any deliveries to do and we do not already have the journal
+file, create it. This is used to record successful deliveries as soon as
+possible after each delivery is known to be complete. A file opened with
+O_APPEND is used so that several processes can run simultaneously.
+
+The journal is just insurance against crashes. When the spool file is
+ultimately updated at the end of processing, the journal is deleted. If a
+journal is found to exist at the start of delivery, the addresses listed
+therein are added to the non-recipients. */
+
+if (addr_local || addr_remote)
+  {
+  if (journal_fd < 0)
+    {
+    uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");
+
+    if ((journal_fd = Uopen(fname,
+#ifdef O_CLOEXEC
+			O_CLOEXEC |
+#endif
+			O_WRONLY|O_APPEND|O_CREAT|O_EXCL, SPOOL_MODE)) < 0)
+      {
+      log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't open journal file %s: %s",
+	fname, strerror(errno));
+      return DELIVER_NOT_ATTEMPTED;
+      }
+
+    /* Set the close-on-exec flag, make the file owned by Exim, and ensure
+    that the mode is correct - the group setting doesn't always seem to get
+    set automatically. */
+
+    if(  exim_fchown(journal_fd, exim_uid, exim_gid, fname)
+      || fchmod(journal_fd, SPOOL_MODE)
+#ifndef O_CLOEXEC
+      || fcntl(journal_fd, F_SETFD, fcntl(journal_fd, F_GETFD) | FD_CLOEXEC)
+#endif
+      )
+      {
+      int ret = Uunlink(fname);
+      log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't set perms on journal file %s: %s",
+	fname, strerror(errno));
+      if(ret  &&  errno != ENOENT)
+	log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
+	  fname, strerror(errno));
+      return DELIVER_NOT_ATTEMPTED;
+      }
+    }
+  }
+else if (journal_fd >= 0)
+  {
+  close(journal_fd);
+  journal_fd = -1;
+  }
+
+
+
+/* Now we can get down to the business of actually doing deliveries. Local
+deliveries are done first, then remote ones. If ever the problems of how to
+handle fallback transports are figured out, this section can be put into a loop
+for handling fallbacks, though the uid switching will have to be revised. */
+
+/* Precompile a regex that is used to recognize a parameter in response
+to an LHLO command, if is isn't already compiled. This may be used on both
+local and remote LMTP deliveries. */
+
+if (!regex_IGNOREQUOTA)
+  regex_IGNOREQUOTA =
+    regex_must_compile(US"\\n250[\\s\\-]IGNOREQUOTA(\\s|\\n|$)", FALSE, TRUE);
+
+/* Handle local deliveries */
+
+if (addr_local)
+  {
+  DEBUG(D_deliver|D_transport)
+    debug_printf(">>>>>>>>>>>>>>>> Local deliveries >>>>>>>>>>>>>>>>\n");
+  do_local_deliveries();
+  f.disable_logging = FALSE;
+  }
+
+/* If queue_run_local is set, we do not want to attempt any remote deliveries,
+so just queue them all. */
+
+if (f.queue_run_local)
+  while (addr_remote)
+    {
+    address_item *addr = addr_remote;
+    addr_remote = addr->next;
+    addr->next = NULL;
+    addr->basic_errno = ERRNO_LOCAL_ONLY;
+    addr->message = US"remote deliveries suppressed";
+    (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_TRANSPORT, 0);
+    }
+
+/* Handle remote deliveries */
+
+if (addr_remote)
+  {
+  DEBUG(D_deliver|D_transport)
+    debug_printf(">>>>>>>>>>>>>>>> Remote deliveries >>>>>>>>>>>>>>>>\n");
+
+  /* Precompile some regex that are used to recognize parameters in response
+  to an EHLO command, if they aren't already compiled. */
+
+  smtp_deliver_init();
+
+  /* Now sort the addresses if required, and do the deliveries. The yield of
+  do_remote_deliveries is FALSE when mua_wrapper is set and all addresses
+  cannot be delivered in one transaction. */
+
+  if (remote_sort_domains) sort_remote_deliveries();
+  if (!do_remote_deliveries(FALSE))
+    {
+    log_write(0, LOG_MAIN, "** mua_wrapper is set but recipients cannot all "
+      "be delivered in one transaction");
+    fprintf(stderr, "delivery to smarthost failed (configuration problem)\n");
+
+    final_yield = DELIVER_MUA_FAILED;
+    addr_failed = addr_defer = NULL;   /* So that we remove the message */
+    goto DELIVERY_TIDYUP;
+    }
+
+  /* See if any of the addresses that failed got put on the queue for delivery
+  to their fallback hosts. We do it this way because often the same fallback
+  host is used for many domains, so all can be sent in a single transaction
+  (if appropriately configured). */
+
+  if (addr_fallback && !mua_wrapper)
+    {
+    DEBUG(D_deliver) debug_printf("Delivering to fallback hosts\n");
+    addr_remote = addr_fallback;
+    addr_fallback = NULL;
+    if (remote_sort_domains) sort_remote_deliveries();
+    do_remote_deliveries(TRUE);
+    }
+  f.disable_logging = FALSE;
+  }
+
+
+/* All deliveries are now complete. Ignore SIGTERM during this tidying up
+phase, to minimize cases of half-done things. */
+
+DEBUG(D_deliver)
+  debug_printf(">>>>>>>>>>>>>>>> deliveries are done >>>>>>>>>>>>>>>>\n");
+cancel_cutthrough_connection(TRUE, US"deliveries are done");
+
+/* Root privilege is no longer needed */
+
+exim_setugid(exim_uid, exim_gid, FALSE, US"post-delivery tidying");
+
+set_process_info("tidying up after delivering %s", message_id);
+signal(SIGTERM, SIG_IGN);
+
+/* When we are acting as an MUA wrapper, the smtp transport will either have
+succeeded for all addresses, or failed them all in normal cases. However, there
+are some setup situations (e.g. when a named port does not exist) that cause an
+immediate exit with deferral of all addresses. Convert those into failures. We
+do not ever want to retry, nor do we want to send a bounce message. */
+
+if (mua_wrapper)
+  {
+  if (addr_defer)
+    {
+    address_item * nextaddr;
+    for (address_item * addr = addr_defer; addr; addr = nextaddr)
+      {
+      log_write(0, LOG_MAIN, "** %s mua_wrapper forced failure for deferred "
+        "delivery", addr->address);
+      nextaddr = addr->next;
+      addr->next = addr_failed;
+      addr_failed = addr;
+      }
+    addr_defer = NULL;
+    }
+
+  /* Now all should either have succeeded or failed. */
+
+  if (!addr_failed)
+    final_yield = DELIVER_MUA_SUCCEEDED;
+  else
+    {
+    host_item * host;
+    uschar *s = addr_failed->user_message;
+
+    if (!s) s = addr_failed->message;
+
+    fprintf(stderr, "Delivery failed: ");
+    if (addr_failed->basic_errno > 0)
+      {
+      fprintf(stderr, "%s", strerror(addr_failed->basic_errno));
+      if (s) fprintf(stderr, ": ");
+      }
+    if ((host = addr_failed->host_used))
+      fprintf(stderr, "H=%s [%s]: ", host->name, host->address);
+    if (s)
+      fprintf(stderr, "%s", CS s);
+    else if (addr_failed->basic_errno <= 0)
+      fprintf(stderr, "unknown error");
+    fprintf(stderr, "\n");
+
+    final_yield = DELIVER_MUA_FAILED;
+    addr_failed = NULL;
+    }
+  }
+
+/* In a normal configuration, we now update the retry database. This is done in
+one fell swoop at the end in order not to keep opening and closing (and
+locking) the database. The code for handling retries is hived off into a
+separate module for convenience. We pass it the addresses of the various
+chains, because deferred addresses can get moved onto the failed chain if the
+retry cutoff time has expired for all alternative destinations. Bypass the
+updating of the database if the -N flag is set, which is a debugging thing that
+prevents actual delivery. */
+
+else if (!f.dont_deliver)
+  retry_update(&addr_defer, &addr_failed, &addr_succeed);
+
+/* Send DSN for successful messages if requested */
+addr_senddsn = NULL;
+
+for (address_item * a = addr_succeed; a; a = a->next)
+  {
+  /* af_ignore_error not honored here. it's not an error */
+  DEBUG(D_deliver) debug_printf("DSN: processing router : %s\n"
+      "DSN: processing successful delivery address: %s\n"
+      "DSN: Sender_address: %s\n"
+      "DSN: orcpt: %s  flags: 0x%x\n"
+      "DSN: envid: %s  ret: %d\n"
+      "DSN: Final recipient: %s\n"
+      "DSN: Remote SMTP server supports DSN: %d\n",
+      a->router ? a->router->name : US"(unknown)",
+      a->address,
+      sender_address,
+      a->dsn_orcpt ? a->dsn_orcpt : US"NULL",
+      a->dsn_flags,
+      dsn_envid ? dsn_envid : US"NULL", dsn_ret,
+      a->address,
+      a->dsn_aware
+      );
+
+  /* send report if next hop not DSN aware or a router flagged "last DSN hop"
+  and a report was requested */
+
+  if (  (a->dsn_aware != dsn_support_yes || a->dsn_flags & rf_dsnlasthop)
+     && a->dsn_flags & rf_notify_success
+     )
+    {
+    /* copy and relink address_item and send report with all of them at once later */
+    address_item * addr_next = addr_senddsn;
+    addr_senddsn = store_get(sizeof(address_item), GET_UNTAINTED);
+    *addr_senddsn = *a;
+    addr_senddsn->next = addr_next;
+    }
+  else
+    DEBUG(D_deliver) debug_printf("DSN: not sending DSN success message\n");
+  }
+
+if (addr_senddsn)
+  {
+  pid_t pid;
+  int fd;
+
+  /* create exim process to send message */
+  pid = child_open_exim(&fd, US"DSN");
+
+  DEBUG(D_deliver) debug_printf("DSN: child_open_exim returns: %d\n", pid);
+
+  if (pid < 0)  /* Creation of child failed */
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Process %d (parent %d) failed to "
+      "create child process to send success-dsn message: %s", getpid(),
+      getppid(), strerror(errno));
+
+    DEBUG(D_deliver) debug_printf("DSN: child_open_exim failed\n");
+    }
+  else  /* Creation of child succeeded */
+    {
+    FILE * f = fdopen(fd, "wb");
+    /* header only as required by RFC. only failure DSN needs to honor RET=FULL */
+    uschar * bound;
+    transport_ctx tctx = {{0}};
+
+    DEBUG(D_deliver)
+      debug_printf("sending success-dsn to: %s\n", sender_address);
+
+    /* build unique id for MIME boundary */
+    bound = string_sprintf(TIME_T_FMT "-eximdsn-%d", time(NULL), rand());
+    DEBUG(D_deliver) debug_printf("DSN: MIME boundary: %s\n", bound);
+
+    if (errors_reply_to)
+      fprintf(f, "Reply-To: %s\n", errors_reply_to);
+
+    moan_write_from(f);
+    fprintf(f, "Auto-Submitted: auto-generated\n"
+	"To: %s\n"
+	"Subject: Delivery Status Notification\n",
+      sender_address);
+    moan_write_references(f, NULL);
+    fprintf(f, "Content-Type: multipart/report;"
+    		" report-type=delivery-status; boundary=%s\n"
+	"MIME-Version: 1.0\n\n"
+
+	"--%s\n"
+	"Content-type: text/plain; charset=us-ascii\n\n"
+
+	"This message was created automatically by mail delivery software.\n"
+	" ----- The following addresses had successful delivery notifications -----\n",
+      bound, bound);
+
+    for (address_item * a = addr_senddsn; a; a = a->next)
+      fprintf(f, "<%s> (relayed %s)\n\n",
+	a->address,
+	a->dsn_flags & rf_dsnlasthop ? "via non DSN router"
+	: a->dsn_aware == dsn_support_no ? "to non-DSN-aware mailer"
+	: "via non \"Remote SMTP\" router"
+	);
+
+    fprintf(f, "--%s\n"
+	"Content-type: message/delivery-status\n\n"
+	"Reporting-MTA: dns; %s\n",
+      bound, smtp_active_hostname);
+
+    if (dsn_envid)
+      {			/* must be decoded from xtext: see RFC 3461:6.3a */
+      uschar *xdec_envid;
+      if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0)
+        fprintf(f, "Original-Envelope-ID: %s\n", dsn_envid);
+      else
+        fprintf(f, "X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
+      }
+    fputc('\n', f);
+
+    for (address_item * a = addr_senddsn; a; a = a->next)
+      {
+      host_item * hu;
+
+      print_dsn_addr_action(f, a, US"delivered", US"2.0.0");
+
+      if ((hu = a->host_used) && hu->name)
+        fprintf(f, "Remote-MTA: dns; %s\nDiagnostic-Code: smtp; 250 Ok\n\n",
+	  hu->name);
+      else
+	fprintf(f, "Diagnostic-Code: X-Exim; relayed via non %s router\n\n",
+	  a->dsn_flags & rf_dsnlasthop ? "DSN" : "SMTP");
+      }
+
+    fprintf(f, "--%s\nContent-type: text/rfc822-headers\n\n", bound);
+
+    fflush(f);
+    transport_filter_argv = NULL;   /* Just in case */
+    return_path = sender_address;   /* In case not previously set */
+
+    /* Write the original email out */
+
+    tctx.u.fd = fd;
+    tctx.options = topt_add_return_path | topt_no_body;
+    /*XXX hmm, FALSE(fail) retval ignored.
+    Could error for any number of reasons, and they are not handled. */
+    transport_write_message(&tctx, 0);
+    fflush(f);
+
+    fprintf(f,"\n--%s--\n", bound);
+
+    fflush(f);
+    fclose(f);
+    rc = child_close(pid, 0);     /* Waits for child to close, no timeout */
+    }
+  }
+
+/* If any addresses failed, we must send a message to somebody, unless
+af_ignore_error is set, in which case no action is taken. It is possible for
+several messages to get sent if there are addresses with different
+requirements. */
+
+while (addr_failed)
+  {
+  pid_t pid;
+  int fd;
+  uschar *logtod = tod_stamp(tod_log);
+  address_item *addr;
+  address_item *handled_addr = NULL;
+  address_item **paddr;
+  address_item *msgchain = NULL;
+  address_item **pmsgchain = &msgchain;
+
+  /* There are weird cases when logging is disabled in the transport. However,
+  there may not be a transport (address failed by a router). */
+
+  f.disable_logging = FALSE;
+  if (addr_failed->transport)
+    f.disable_logging = addr_failed->transport->disable_logging;
+
+  DEBUG(D_deliver)
+    debug_printf("processing failed address %s\n", addr_failed->address);
+
+  /* There are only two ways an address in a bounce message can get here:
+
+  (1) When delivery was initially deferred, but has now timed out (in the call
+      to retry_update() above). We can detect this by testing for
+      af_retry_timedout. If the address does not have its own errors address,
+      we arrange to ignore the error.
+
+  (2) If delivery failures for bounce messages are being ignored. We can detect
+      this by testing for af_ignore_error. This will also be set if a bounce
+      message has been autothawed and the ignore_bounce_errors_after time has
+      passed. It might also be set if a router was explicitly configured to
+      ignore errors (errors_to = "").
+
+  If neither of these cases obtains, something has gone wrong. Log the
+  incident, but then ignore the error. */
+
+  if (sender_address[0] == 0 && !addr_failed->prop.errors_address)
+    {
+    if (  !testflag(addr_failed, af_retry_timedout)
+       && !addr_failed->prop.ignore_error)
+      log_write(0, LOG_MAIN|LOG_PANIC, "internal error: bounce message "
+        "failure is neither frozen nor ignored (it's been ignored)");
+
+    addr_failed->prop.ignore_error = TRUE;
+    }
+
+  /* If the first address on the list has af_ignore_error set, just remove
+  it from the list, throw away any saved message file, log it, and
+  mark the recipient done. */
+
+  if (  addr_failed->prop.ignore_error
+     ||    addr_failed->dsn_flags & rf_dsnflags
+	&& !(addr_failed->dsn_flags & rf_notify_failure)
+     )
+    {
+    addr = addr_failed;
+    addr_failed = addr->next;
+    if (addr->return_filename) Uunlink(addr->return_filename);
+
+#ifndef DISABLE_EVENT
+    msg_event_raise(US"msg:fail:delivery", addr);
+#endif
+    log_write(0, LOG_MAIN, "%s%s%s%s: error ignored%s",
+      addr->address,
+      !addr->parent ? US"" : US" <",
+      !addr->parent ? US"" : addr->parent->address,
+      !addr->parent ? US"" : US">",
+      addr->prop.ignore_error
+      ? US"" : US": RFC 3461 DSN, failure notify not requested");
+
+    address_done(addr, logtod);
+    child_done(addr, logtod);
+    /* Panic-dies on error */
+    (void)spool_write_header(message_id, SW_DELIVERING, NULL);
+    }
+
+  /* Otherwise, handle the sending of a message. Find the error address for
+  the first address, then send a message that includes all failed addresses
+  that have the same error address. Note the bounce_recipient is a global so
+  that it can be accessed by $bounce_recipient while creating a customized
+  error message. */
+
+  else
+    {
+    if (!(bounce_recipient = addr_failed->prop.errors_address))
+      bounce_recipient = sender_address;
+
+    /* Make a subprocess to send a message */
+
+    if ((pid = child_open_exim(&fd, US"bounce-message")) < 0)
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Process %d (parent %d) failed to "
+        "create child process to send failure message: %s", getpid(),
+        getppid(), strerror(errno));
+
+    /* Creation of child succeeded */
+
+    else
+      {
+      int ch, rc;
+      int filecount = 0;
+      int rcount = 0;
+      uschar *bcc, *emf_text;
+      FILE * fp = fdopen(fd, "wb");
+      FILE * emf = NULL;
+      BOOL to_sender = strcmpic(sender_address, bounce_recipient) == 0;
+      int max = (bounce_return_size_limit/DELIVER_IN_BUFFER_SIZE + 1) *
+        DELIVER_IN_BUFFER_SIZE;
+      uschar * bound;
+      uschar *dsnlimitmsg;
+      uschar *dsnnotifyhdr;
+      int topt;
+
+      DEBUG(D_deliver)
+        debug_printf("sending error message to: %s\n", bounce_recipient);
+
+      /* Scan the addresses for all that have the same errors address, removing
+      them from the addr_failed chain, and putting them on msgchain. */
+
+      paddr = &addr_failed;
+      for (addr = addr_failed; addr; addr = *paddr)
+        if (Ustrcmp(bounce_recipient, addr->prop.errors_address
+	      ? addr->prop.errors_address : sender_address) == 0)
+          {                          /* The same - dechain */
+          *paddr = addr->next;
+          *pmsgchain = addr;
+          addr->next = NULL;
+          pmsgchain = &(addr->next);
+          }
+        else
+          paddr = &addr->next;        /* Not the same; skip */
+
+      /* Include X-Failed-Recipients: for automatic interpretation, but do
+      not let any one header line get too long. We do this by starting a
+      new header every 50 recipients. Omit any addresses for which the
+      "hide_child" flag is set. */
+
+      for (addr = msgchain; addr; addr = addr->next)
+        {
+        if (testflag(addr, af_hide_child)) continue;
+        if (rcount >= 50)
+          {
+          fprintf(fp, "\n");
+          rcount = 0;
+          }
+        fprintf(fp, "%s%s",
+          rcount++ == 0
+	  ? "X-Failed-Recipients: "
+	  : ",\n  ",
+          testflag(addr, af_pfr) && addr->parent
+	  ? string_printing(addr->parent->address)
+	  : string_printing(addr->address));
+        }
+      if (rcount > 0) fprintf(fp, "\n");
+
+      /* Output the standard headers */
+
+      if (errors_reply_to)
+        fprintf(fp, "Reply-To: %s\n", errors_reply_to);
+      fprintf(fp, "Auto-Submitted: auto-replied\n");
+      moan_write_from(fp);
+      fprintf(fp, "To: %s\n", bounce_recipient);
+      moan_write_references(fp, NULL);
+
+      /* generate boundary string and output MIME-Headers */
+      bound = string_sprintf(TIME_T_FMT "-eximdsn-%d", time(NULL), rand());
+
+      fprintf(fp, "Content-Type: multipart/report;"
+	    " report-type=delivery-status; boundary=%s\n"
+	  "MIME-Version: 1.0\n",
+	bound);
+
+      /* Open a template file if one is provided. Log failure to open, but
+      carry on - default texts will be used. */
+
+      if (bounce_message_file)
+	emf = expand_open(bounce_message_file,
+		US"bounce_message_file", US"error");
+
+      /* Quietly copy to configured additional addresses if required. */
+
+      if ((bcc = moan_check_errorcopy(bounce_recipient)))
+	fprintf(fp, "Bcc: %s\n", bcc);
+
+      /* The texts for the message can be read from a template file; if there
+      isn't one, or if it is too short, built-in texts are used. The first
+      emf text is a Subject: and any other headers. */
+
+      if ((emf_text = next_emf(emf, US"header")))
+	fprintf(fp, "%s\n", emf_text);
+      else
+        fprintf(fp, "Subject: Mail delivery failed%s\n\n",
+          to_sender? ": returning message to sender" : "");
+
+      /* output human readable part as text/plain section */
+      fprintf(fp, "--%s\n"
+	  "Content-type: text/plain; charset=us-ascii\n\n",
+	bound);
+
+      if ((emf_text = next_emf(emf, US"intro")))
+	fprintf(fp, "%s", CS emf_text);
+      else
+        {
+        fprintf(fp,
+/* This message has been reworded several times. It seems to be confusing to
+somebody, however it is worded. I have retreated to the original, simple
+wording. */
+"This message was created automatically by mail delivery software.\n");
+
+        if (bounce_message_text)
+	  fprintf(fp, "%s", CS bounce_message_text);
+        if (to_sender)
+          fprintf(fp,
+"\nA message that you sent could not be delivered to one or more of its\n"
+"recipients. This is a permanent error. The following address(es) failed:\n");
+        else
+          fprintf(fp,
+"\nA message sent by\n\n  <%s>\n\n"
+"could not be delivered to one or more of its recipients. The following\n"
+"address(es) failed:\n", sender_address);
+        }
+      fputc('\n', fp);
+
+      /* Process the addresses, leaving them on the msgchain if they have a
+      file name for a return message. (There has already been a check in
+      post_process_one() for the existence of data in the message file.) A TRUE
+      return from print_address_information() means that the address is not
+      hidden. */
+
+      paddr = &msgchain;
+      for (addr = msgchain; addr; addr = *paddr)
+        {
+        if (print_address_information(addr, fp, US"  ", US"\n    ", US""))
+          print_address_error(addr, fp, US"");
+
+        /* End the final line for the address */
+
+        fputc('\n', fp);
+
+        /* Leave on msgchain if there's a return file. */
+
+        if (addr->return_file >= 0)
+          {
+          paddr = &(addr->next);
+          filecount++;
+          }
+
+        /* Else save so that we can tick off the recipient when the
+        message is sent. */
+
+        else
+          {
+          *paddr = addr->next;
+          addr->next = handled_addr;
+          handled_addr = addr;
+          }
+        }
+
+      fputc('\n', fp);
+
+      /* Get the next text, whether we need it or not, so as to be
+      positioned for the one after. */
+
+      emf_text = next_emf(emf, US"generated text");
+
+      /* If there were any file messages passed by the local transports,
+      include them in the message. Then put the address on the handled chain.
+      In the case of a batch of addresses that were all sent to the same
+      transport, the return_file field in all of them will contain the same
+      fd, and the return_filename field in the *last* one will be set (to the
+      name of the file). */
+
+      if (msgchain)
+        {
+        address_item *nextaddr;
+
+        if (emf_text)
+	  fprintf(fp, "%s", CS emf_text);
+	else
+          fprintf(fp,
+            "The following text was generated during the delivery "
+            "attempt%s:\n", (filecount > 1)? "s" : "");
+
+        for (addr = msgchain; addr; addr = nextaddr)
+          {
+          FILE *fm;
+          address_item *topaddr = addr;
+
+          /* List all the addresses that relate to this file */
+
+	  fputc('\n', fp);
+          while(addr)                   /* Insurance */
+            {
+            print_address_information(addr, fp, US"------ ",  US"\n       ",
+              US" ------\n");
+            if (addr->return_filename) break;
+            addr = addr->next;
+            }
+	  fputc('\n', fp);
+
+          /* Now copy the file */
+
+          if (!(fm = Ufopen(addr->return_filename, "rb")))
+            fprintf(fp, "    +++ Exim error... failed to open text file: %s\n",
+              strerror(errno));
+          else
+            {
+            while ((ch = fgetc(fm)) != EOF) fputc(ch, fp);
+            (void)fclose(fm);
+            }
+          Uunlink(addr->return_filename);
+
+          /* Can now add to handled chain, first fishing off the next
+          address on the msgchain. */
+
+          nextaddr = addr->next;
+          addr->next = handled_addr;
+          handled_addr = topaddr;
+          }
+	fputc('\n', fp);
+        }
+
+      /* output machine readable part */
+#ifdef SUPPORT_I18N
+      if (message_smtputf8)
+	fprintf(fp, "--%s\n"
+	    "Content-type: message/global-delivery-status\n\n"
+	    "Reporting-MTA: dns; %s\n",
+	  bound, smtp_active_hostname);
+      else
+#endif
+	fprintf(fp, "--%s\n"
+	    "Content-type: message/delivery-status\n\n"
+	    "Reporting-MTA: dns; %s\n",
+	  bound, smtp_active_hostname);
+
+      if (dsn_envid)
+	{
+        /* must be decoded from xtext: see RFC 3461:6.3a */
+        uschar *xdec_envid;
+        if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0)
+          fprintf(fp, "Original-Envelope-ID: %s\n", dsn_envid);
+        else
+          fprintf(fp, "X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
+        }
+      fputc('\n', fp);
+
+      for (addr = handled_addr; addr; addr = addr->next)
+        {
+	host_item * hu;
+
+	print_dsn_addr_action(fp, addr, US"failed", US"5.0.0");
+
+        if ((hu = addr->host_used) && hu->name)
+	  {
+	  fprintf(fp, "Remote-MTA: dns; %s\n", hu->name);
+#ifdef EXPERIMENTAL_DSN_INFO
+	  {
+	  const uschar * s;
+	  if (hu->address)
+	    {
+	    uschar * p = hu->port == 25
+	      ? US"" : string_sprintf(":%d", hu->port);
+	    fprintf(fp, "Remote-MTA: X-ip; [%s]%s\n", hu->address, p);
+	    }
+	  if ((s = addr->smtp_greeting) && *s)
+	    fprintf(fp, "X-Remote-MTA-smtp-greeting: X-str; %.900s\n", s);
+	  if ((s = addr->helo_response) && *s)
+	    fprintf(fp, "X-Remote-MTA-helo-response: X-str; %.900s\n", s);
+	  if ((s = addr->message) && *s)
+	    fprintf(fp, "X-Exim-Diagnostic: X-str; %.900s\n", s);
+	  }
+#endif
+	  print_dsn_diagnostic_code(addr, fp);
+	  }
+	fputc('\n', fp);
+        }
+
+      /* Now copy the message, trying to give an intelligible comment if
+      it is too long for it all to be copied. The limit isn't strictly
+      applied because of the buffering. There is, however, an option
+      to suppress copying altogether. */
+
+      emf_text = next_emf(emf, US"copy");
+
+      /* add message body
+         we ignore the intro text from template and add
+         the text for bounce_return_size_limit at the end.
+
+         bounce_return_message is ignored
+         in case RET= is defined we honor these values
+         otherwise bounce_return_body is honored.
+
+         bounce_return_size_limit is always honored.
+      */
+
+      fprintf(fp, "--%s\n", bound);
+
+      dsnlimitmsg = US"X-Exim-DSN-Information: Due to administrative limits only headers are returned";
+      dsnnotifyhdr = NULL;
+      topt = topt_add_return_path;
+
+      /* RET=HDRS? top priority */
+      if (dsn_ret == dsn_ret_hdrs)
+        topt |= topt_no_body;
+      else
+	{
+	struct stat statbuf;
+
+        /* no full body return at all? */
+        if (!bounce_return_body)
+          {
+          topt |= topt_no_body;
+          /* add header if we overrule RET=FULL */
+          if (dsn_ret == dsn_ret_full)
+            dsnnotifyhdr = dsnlimitmsg;
+          }
+	/* line length limited... return headers only if oversize */
+        /* size limited ... return headers only if limit reached */
+	else if (  max_received_linelength > bounce_return_linesize_limit
+		|| (  bounce_return_size_limit > 0
+		   && fstat(deliver_datafile, &statbuf) == 0
+		   && statbuf.st_size > max
+		)  )
+	  {
+	  topt |= topt_no_body;
+	  dsnnotifyhdr = dsnlimitmsg;
+          }
+	}
+
+#ifdef SUPPORT_I18N
+      if (message_smtputf8)
+	fputs(topt & topt_no_body ? "Content-type: message/global-headers\n\n"
+				  : "Content-type: message/global\n\n",
+	      fp);
+      else
+#endif
+	fputs(topt & topt_no_body ? "Content-type: text/rfc822-headers\n\n"
+				  : "Content-type: message/rfc822\n\n",
+	      fp);
+
+      fflush(fp);
+      transport_filter_argv = NULL;   /* Just in case */
+      return_path = sender_address;   /* In case not previously set */
+	{			      /* Dummy transport for headers add */
+	transport_ctx tctx = {{0}};
+	transport_instance tb = {0};
+
+	tctx.u.fd = fileno(fp);
+	tctx.tblock = &tb;
+	tctx.options = topt;
+	tb.add_headers = dsnnotifyhdr;
+
+	/*XXX no checking for failure!  buggy! */
+	transport_write_message(&tctx, 0);
+	}
+      fflush(fp);
+
+      /* we never add the final text. close the file */
+      if (emf)
+        (void)fclose(emf);
+
+      fprintf(fp, "\n--%s--\n", bound);
+
+      /* Close the file, which should send an EOF to the child process
+      that is receiving the message. Wait for it to finish. */
+
+      (void)fclose(fp);
+      rc = child_close(pid, 0);     /* Waits for child to close, no timeout */
+
+      /* If the process failed, there was some disaster in setting up the
+      error message. Unless the message is very old, ensure that addr_defer
+      is non-null, which will have the effect of leaving the message on the
+      spool. The failed addresses will get tried again next time. However, we
+      don't really want this to happen too often, so freeze the message unless
+      there are some genuine deferred addresses to try. To do this we have
+      to call spool_write_header() here, because with no genuine deferred
+      addresses the normal code below doesn't get run. */
+
+      if (rc != 0)
+        {
+        uschar *s = US"";
+        if (now - received_time.tv_sec < retry_maximum_timeout && !addr_defer)
+          {
+          addr_defer = (address_item *)(+1);
+          f.deliver_freeze = TRUE;
+          deliver_frozen_at = time(NULL);
+          /* Panic-dies on error */
+          (void)spool_write_header(message_id, SW_DELIVERING, NULL);
+          s = US" (frozen)";
+          }
+        deliver_msglog("Process failed (%d) when writing error message "
+          "to %s%s", rc, bounce_recipient, s);
+        log_write(0, LOG_MAIN, "Process failed (%d) when writing error message "
+          "to %s%s", rc, bounce_recipient, s);
+        }
+
+      /* The message succeeded. Ensure that the recipients that failed are
+      now marked finished with on the spool and their parents updated. */
+
+      else
+        {
+        for (addr = handled_addr; addr; addr = addr->next)
+          {
+          address_done(addr, logtod);
+          child_done(addr, logtod);
+          }
+        /* Panic-dies on error */
+        (void)spool_write_header(message_id, SW_DELIVERING, NULL);
+        }
+      }
+    }
+  }
+
+f.disable_logging = FALSE;  /* In case left set */
+
+/* Come here from the mua_wrapper case if routing goes wrong */
+
+DELIVERY_TIDYUP:
+
+/* If there are now no deferred addresses, we are done. Preserve the
+message log if so configured, and we are using them. Otherwise, sling it.
+Then delete the message itself. */
+
+if (!addr_defer)
+  {
+  uschar * fname;
+
+  if (message_logs)
+    {
+    fname = spool_fname(US"msglog", message_subdir, id, US"");
+    if (preserve_message_logs)
+      {
+      int rc;
+      uschar * moname = spool_fname(US"msglog.OLD", US"", id, US"");
+
+      if ((rc = Urename(fname, moname)) < 0)
+        {
+        (void)directory_make(spool_directory,
+			      spool_sname(US"msglog.OLD", US""),
+			      MSGLOG_DIRECTORY_MODE, TRUE);
+        rc = Urename(fname, moname);
+        }
+      if (rc < 0)
+        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to move %s to the "
+          "msglog.OLD directory", fname);
+      }
+    else
+      if (Uunlink(fname) < 0)
+        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
+		  fname, strerror(errno));
+    }
+
+  /* Remove the two message files. */
+
+  fname = spool_fname(US"input", message_subdir, id, US"-D");
+  if (Uunlink(fname) < 0)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
+      fname, strerror(errno));
+  fname = spool_fname(US"input", message_subdir, id, US"-H");
+  if (Uunlink(fname) < 0)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
+      fname, strerror(errno));
+
+  /* Log the end of this message, with queue time if requested. */
+
+  if (LOGGING(queue_time_overall))
+    log_write(0, LOG_MAIN, "Completed QT=%s", string_timesince(&received_time));
+  else
+    log_write(0, LOG_MAIN, "Completed");
+
+  /* Unset deliver_freeze so that we won't try to move the spool files further down */
+  f.deliver_freeze = FALSE;
+
+#ifndef DISABLE_EVENT
+  (void) event_raise(event_action, US"msg:complete", NULL, NULL);
+#endif
+  }
+
+/* If there are deferred addresses, we are keeping this message because it is
+not yet completed. Lose any temporary files that were catching output from
+pipes for any of the deferred addresses, handle one-time aliases, and see if
+the message has been on the queue for so long that it is time to send a warning
+message to the sender, unless it is a mailer-daemon. If all deferred addresses
+have the same domain, we can set deliver_domain for the expansion of
+delay_warning_ condition - if any of them are pipes, files, or autoreplies, use
+the parent's domain.
+
+If all the deferred addresses have an error number that indicates "retry time
+not reached", skip sending the warning message, because it won't contain the
+reason for the delay. It will get sent at the next real delivery attempt.
+  Exception: for retries caused by a remote peer we use the error message
+  store in the retry DB as the reason.
+However, if at least one address has tried, we'd better include all of them in
+the message.
+
+If we can't make a process to send the message, don't worry.
+
+For mailing list expansions we want to send the warning message to the
+mailing list manager. We can't do a perfect job here, as some addresses may
+have different errors addresses, but if we take the errors address from
+each deferred address it will probably be right in most cases.
+
+If addr_defer == +1, it means there was a problem sending an error message
+for failed addresses, and there were no "real" deferred addresses. The value
+was set just to keep the message on the spool, so there is nothing to do here.
+*/
+
+else if (addr_defer != (address_item *)(+1))
+  {
+  uschar *recipients = US"";
+  BOOL want_warning_msg = FALSE;
+
+  deliver_domain = testflag(addr_defer, af_pfr)
+    ? addr_defer->parent->domain : addr_defer->domain;
+
+  for (address_item * addr = addr_defer; addr; addr = addr->next)
+    {
+    address_item *otaddr;
+
+    if (addr->basic_errno > ERRNO_WARN_BASE) want_warning_msg = TRUE;
+
+    if (deliver_domain)
+      {
+      const uschar *d = testflag(addr, af_pfr)
+	? addr->parent->domain : addr->domain;
+
+      /* The domain may be unset for an address that has never been routed
+      because the system filter froze the message. */
+
+      if (!d || Ustrcmp(d, deliver_domain) != 0)
+        deliver_domain = NULL;
+      }
+
+    if (addr->return_filename) Uunlink(addr->return_filename);
+
+    /* Handle the case of one-time aliases. If any address in the ancestry
+    of this one is flagged, ensure it is in the recipients list, suitably
+    flagged, and that its parent is marked delivered. */
+
+    for (otaddr = addr; otaddr; otaddr = otaddr->parent)
+      if (otaddr->onetime_parent) break;
+
+    if (otaddr)
+      {
+      int i;
+      int t = recipients_count;
+
+      for (i = 0; i < recipients_count; i++)
+        {
+        uschar *r = recipients_list[i].address;
+        if (Ustrcmp(otaddr->onetime_parent, r) == 0) t = i;
+        if (Ustrcmp(otaddr->address, r) == 0) break;
+        }
+
+      /* Didn't find the address already in the list, and did find the
+      ultimate parent's address in the list, and they really are different
+      (i.e. not from an identity-redirect). After adding the recipient,
+      update the errors address in the recipients list. */
+
+      if (  i >= recipients_count && t < recipients_count
+         && Ustrcmp(otaddr->address, otaddr->parent->address) != 0)
+        {
+        DEBUG(D_deliver) debug_printf("one_time: adding %s in place of %s\n",
+          otaddr->address, otaddr->parent->address);
+        receive_add_recipient(otaddr->address, t);
+        recipients_list[recipients_count-1].errors_to = otaddr->prop.errors_address;
+        tree_add_nonrecipient(otaddr->parent->address);
+        update_spool = TRUE;
+        }
+      }
+
+    /* Except for error messages, ensure that either the errors address for
+    this deferred address or, if there is none, the sender address, is on the
+    list of recipients for a warning message. */
+
+    if (sender_address[0])
+      {
+      uschar * s = addr->prop.errors_address;
+      if (!s) s = sender_address;
+      if (Ustrstr(recipients, s) == NULL)
+	recipients = string_sprintf("%s%s%s", recipients,
+	  recipients[0] ? "," : "", s);
+      }
+    }
+
+  /* Send a warning message if the conditions are right. If the condition check
+  fails because of a lookup defer, there is nothing we can do. The warning
+  is not sent. Another attempt will be made at the next delivery attempt (if
+  it also defers). */
+
+  if (  !f.queue_2stage
+     && want_warning_msg
+     && (  !(addr_defer->dsn_flags & rf_dsnflags)
+        || addr_defer->dsn_flags & rf_notify_delay
+	)
+     && delay_warning[1] > 0
+     && sender_address[0] != 0
+     && (  !delay_warning_condition
+        || expand_check_condition(delay_warning_condition,
+            US"delay_warning", US"option")
+	)
+     )
+    {
+    int count;
+    int show_time;
+    int queue_time = time(NULL) - received_time.tv_sec;
+
+    queue_time = test_harness_fudged_queue_time(queue_time);
+
+    /* See how many warnings we should have sent by now */
+
+    for (count = 0; count < delay_warning[1]; count++)
+      if (queue_time < delay_warning[count+2]) break;
+
+    show_time = delay_warning[count+1];
+
+    if (count >= delay_warning[1])
+      {
+      int extra;
+      int last_gap = show_time;
+      if (count > 1) last_gap -= delay_warning[count];
+      extra = (queue_time - delay_warning[count+1])/last_gap;
+      show_time += last_gap * extra;
+      count += extra;
+      }
+
+    DEBUG(D_deliver)
+      {
+      debug_printf("time on queue = %s  id %s  addr %s\n",
+	readconf_printtime(queue_time), message_id, addr_defer->address);
+      debug_printf("warning counts: required %d done %d\n", count,
+        warning_count);
+      }
+
+    /* We have computed the number of warnings there should have been by now.
+    If there haven't been enough, send one, and up the count to what it should
+    have been. */
+
+    if (warning_count < count)
+      {
+      header_line *h;
+      int fd;
+      pid_t pid = child_open_exim(&fd, US"delay-warning-message");
+
+      if (pid > 0)
+        {
+        uschar * wmf_text;
+        FILE * wmf = NULL;
+        FILE * f = fdopen(fd, "wb");
+	uschar * bound;
+	transport_ctx tctx = {{0}};
+
+        if (warn_message_file)
+	  wmf = expand_open(warn_message_file,
+		  US"warn_message_file", US"warning");
+
+        warnmsg_recipients = recipients;
+        warnmsg_delay = queue_time < 120*60
+	  ? string_sprintf("%d minutes", show_time/60)
+	  : string_sprintf("%d hours", show_time/3600);
+
+        if (errors_reply_to)
+          fprintf(f, "Reply-To: %s\n", errors_reply_to);
+        fprintf(f, "Auto-Submitted: auto-replied\n");
+        moan_write_from(f);
+        fprintf(f, "To: %s\n", recipients);
+	moan_write_references(f, NULL);
+
+        /* generated boundary string and output MIME-Headers */
+        bound = string_sprintf(TIME_T_FMT "-eximdsn-%d", time(NULL), rand());
+
+        fprintf(f, "Content-Type: multipart/report;"
+	    " report-type=delivery-status; boundary=%s\n"
+	    "MIME-Version: 1.0\n",
+	  bound);
+
+        if ((wmf_text = next_emf(wmf, US"header")))
+          fprintf(f, "%s\n", wmf_text);
+        else
+          fprintf(f, "Subject: Warning: message %s delayed %s\n\n",
+            message_id, warnmsg_delay);
+
+        /* output human readable part as text/plain section */
+        fprintf(f, "--%s\n"
+	    "Content-type: text/plain; charset=us-ascii\n\n",
+	  bound);
+
+        if ((wmf_text = next_emf(wmf, US"intro")))
+	  fprintf(f, "%s", CS wmf_text);
+	else
+          {
+          fprintf(f,
+"This message was created automatically by mail delivery software.\n");
+
+          if (Ustrcmp(recipients, sender_address) == 0)
+            fprintf(f,
+"A message that you sent has not yet been delivered to one or more of its\n"
+"recipients after more than ");
+
+          else
+	    fprintf(f,
+"A message sent by\n\n  <%s>\n\n"
+"has not yet been delivered to one or more of its recipients after more than \n",
+	      sender_address);
+
+          fprintf(f, "%s on the queue on %s.\n\n"
+	      "The message identifier is:     %s\n",
+	    warnmsg_delay, primary_hostname, message_id);
+
+          for (h = header_list; h; h = h->next)
+            if (strncmpic(h->text, US"Subject:", 8) == 0)
+              fprintf(f, "The subject of the message is: %s", h->text + 9);
+            else if (strncmpic(h->text, US"Date:", 5) == 0)
+              fprintf(f, "The date of the message is:    %s", h->text + 6);
+          fputc('\n', f);
+
+          fprintf(f, "The address%s to which the message has not yet been "
+            "delivered %s:\n",
+            !addr_defer->next ? "" : "es",
+            !addr_defer->next ? "is": "are");
+          }
+
+        /* List the addresses, with error information if allowed */
+
+        fputc('\n', f);
+	for (address_item * addr = addr_defer; addr; addr = addr->next)
+          {
+          if (print_address_information(addr, f, US"  ", US"\n    ", US""))
+            print_address_error(addr, f, US"Delay reason: ");
+          fputc('\n', f);
+          }
+        fputc('\n', f);
+
+        /* Final text */
+
+        if (wmf)
+          {
+          if ((wmf_text = next_emf(wmf, US"final")))
+	    fprintf(f, "%s", CS wmf_text);
+          (void)fclose(wmf);
+          }
+        else
+          {
+          fprintf(f,
+"No action is required on your part. Delivery attempts will continue for\n"
+"some time, and this warning may be repeated at intervals if the message\n"
+"remains undelivered. Eventually the mail delivery software will give up,\n"
+"and when that happens, the message will be returned to you.\n");
+          }
+
+        /* output machine readable part */
+        fprintf(f, "\n--%s\n"
+	    "Content-type: message/delivery-status\n\n"
+	    "Reporting-MTA: dns; %s\n",
+	  bound,
+	  smtp_active_hostname);
+
+
+        if (dsn_envid)
+	  {
+          /* must be decoded from xtext: see RFC 3461:6.3a */
+          uschar *xdec_envid;
+          if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0)
+            fprintf(f,"Original-Envelope-ID: %s\n", dsn_envid);
+          else
+            fprintf(f,"X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
+          }
+        fputc('\n', f);
+
+	for (address_item * addr = addr_defer; addr; addr = addr->next)
+          {
+	  host_item * hu;
+
+	  print_dsn_addr_action(f, addr, US"delayed", US"4.0.0");
+
+          if ((hu = addr->host_used) && hu->name)
+            {
+            fprintf(f, "Remote-MTA: dns; %s\n", hu->name);
+            print_dsn_diagnostic_code(addr, f);
+            }
+	  fputc('\n', f);
+          }
+
+        fprintf(f, "--%s\n"
+	    "Content-type: text/rfc822-headers\n\n",
+	  bound);
+
+        fflush(f);
+        /* header only as required by RFC. only failure DSN needs to honor RET=FULL */
+	tctx.u.fd = fileno(f);
+        tctx.options = topt_add_return_path | topt_no_body;
+        transport_filter_argv = NULL;   /* Just in case */
+        return_path = sender_address;   /* In case not previously set */
+
+        /* Write the original email out */
+	/*XXX no checking for failure!  buggy! */
+        transport_write_message(&tctx, 0);
+        fflush(f);
+
+        fprintf(f,"\n--%s--\n", bound);
+
+        fflush(f);
+
+        /* Close and wait for child process to complete, without a timeout.
+        If there's an error, don't update the count. */
+
+        (void)fclose(f);
+        if (child_close(pid, 0) == 0)
+          {
+          warning_count = count;
+          update_spool = TRUE;    /* Ensure spool rewritten */
+          }
+        }
+      }
+    }
+
+  /* Clear deliver_domain */
+
+  deliver_domain = NULL;
+
+  /* If this was a first delivery attempt, unset the first time flag, and
+  ensure that the spool gets updated. */
+
+  if (f.deliver_firsttime && !f.queue_2stage)
+    {
+    f.deliver_firsttime = FALSE;
+    update_spool = TRUE;
+    }
+
+  /* If delivery was frozen and freeze_tell is set, generate an appropriate
+  message, unless the message is a local error message (to avoid loops). Then
+  log the freezing. If the text in "frozen_info" came from a system filter,
+  it has been escaped into printing characters so as not to mess up log lines.
+  For the "tell" message, we turn \n back into newline. Also, insert a newline
+  near the start instead of the ": " string. */
+
+  if (f.deliver_freeze)
+    {
+    if (freeze_tell && freeze_tell[0] != 0 && !f.local_error_message)
+      {
+      uschar *s = string_copy(frozen_info);
+      uschar *ss = Ustrstr(s, " by the system filter: ");
+
+      if (ss != NULL)
+        {
+        ss[21] = '.';
+        ss[22] = '\n';
+        }
+
+      ss = s;
+      while (*ss != 0)
+        {
+        if (*ss == '\\' && ss[1] == 'n')
+          {
+          *ss++ = ' ';
+          *ss++ = '\n';
+          }
+        else ss++;
+        }
+      moan_tell_someone(freeze_tell, addr_defer, US"Message frozen",
+        "Message %s has been frozen%s.\nThe sender is <%s>.\n", message_id,
+        s, sender_address);
+      }
+
+    /* Log freezing just before we update the -H file, to minimize the chance
+    of a race problem. */
+
+    deliver_msglog("*** Frozen%s\n", frozen_info);
+    log_write(0, LOG_MAIN, "Frozen%s", frozen_info);
+    }
+
+  /* If there have been any updates to the non-recipients list, or other things
+  that get written to the spool, we must now update the spool header file so
+  that it has the right information for the next delivery attempt. If there
+  was more than one address being delivered, the header_change update is done
+  earlier, in case one succeeds and then something crashes. */
+
+  DEBUG(D_deliver)
+    debug_printf("delivery deferred: update_spool=%d header_rewritten=%d\n",
+      update_spool, f.header_rewritten);
+
+  if (update_spool || f.header_rewritten)
+    /* Panic-dies on error */
+    (void)spool_write_header(message_id, SW_DELIVERING, NULL);
+  }
+
+/* Finished with the message log. If the message is complete, it will have
+been unlinked or renamed above. */
+
+if (message_logs) (void)fclose(message_log);
+
+/* Now we can close and remove the journal file. Its only purpose is to record
+successfully completed deliveries asap so that this information doesn't get
+lost if Exim (or the machine) crashes. Forgetting about a failed delivery is
+not serious, as trying it again is not harmful. The journal might not be open
+if all addresses were deferred at routing or directing. Nevertheless, we must
+remove it if it exists (may have been lying around from a crash during the
+previous delivery attempt). We don't remove the journal if a delivery
+subprocess failed to pass back delivery information; this is controlled by
+the remove_journal flag. When the journal is left, we also don't move the
+message off the main spool if frozen and the option is set. It should get moved
+at the next attempt, after the journal has been inspected. */
+
+if (journal_fd >= 0) (void)close(journal_fd);
+
+if (remove_journal)
+  {
+  uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");
+
+  if (Uunlink(fname) < 0 && errno != ENOENT)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s", fname,
+      strerror(errno));
+
+  /* Move the message off the spool if requested */
+
+#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
+  if (f.deliver_freeze && move_frozen_messages)
+    (void)spool_move_message(id, message_subdir, US"", US"F");
+#endif
+  }
+
+/* Closing the data file frees the lock; if the file has been unlinked it
+will go away. Otherwise the message becomes available for another process
+to try delivery. */
+
+(void)close(deliver_datafile);
+deliver_datafile = -1;
+DEBUG(D_deliver) debug_printf("end delivery of %s\n", id);
+#ifdef MEASURE_TIMING
+report_time_since(&timestamp_startup, US"delivery end"); /* testcase 0005 */
+#endif
+
+/* It is unlikely that there will be any cached resources, since they are
+released after routing, and in the delivery subprocesses. However, it's
+possible for an expansion for something afterwards (for example,
+expand_check_condition) to do a lookup. We must therefore be sure everything is
+released. */
+
+search_tidyup();
+acl_where = ACL_WHERE_UNKNOWN;
+return final_yield;
+}
+
+
+
+void
+tcp_init(void)
+{
+#ifdef EXIM_TFO_PROBE
+tfo_probe();
+#else
+f.tcp_fastopen_ok = TRUE;
+#endif
+}
+
+
+
+/* Called from a commandline, or from the daemon, to do a delivery.
+We need to regain privs; do this by exec of the exim binary. */
+
+void
+delivery_re_exec(int exec_type)
+{
+uschar * where;
+
+if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
+  {
+  int channel_fd = cutthrough.cctx.sock;
+
+  smtp_peer_options = cutthrough.peer_options;
+  continue_sequence = 0;
+
+#ifndef DISABLE_TLS
+  if (cutthrough.is_tls)
+    {
+    int pfd[2], pid;
+
+    smtp_peer_options |= OPTION_TLS;
+    sending_ip_address = cutthrough.snd_ip;
+    sending_port = cutthrough.snd_port;
+
+    where = US"socketpair";
+    if (socketpair(AF_UNIX, SOCK_STREAM, 0, pfd) != 0)
+      goto fail;
+
+    where = US"fork";
+    testharness_pause_ms(150);
+    if ((pid = exim_fork(US"tls-proxy-interproc")) < 0)
+      goto fail;
+
+    if (pid == 0)	/* child: will fork again to totally disconnect */
+      {
+      smtp_proxy_tls(cutthrough.cctx.tls_ctx, big_buffer, big_buffer_size,
+		      pfd, 5*60, cutthrough.host.name);
+      /* does not return */
+      }
+
+    close(pfd[0]);
+    waitpid(pid, NULL, 0);
+    (void) close(channel_fd);	/* release the client socket */
+    channel_fd = pfd[1];
+    }
+#endif
+
+  transport_do_pass_socket(cutthrough.transport, cutthrough.host.name,
+    cutthrough.host.address, message_id, channel_fd);
+  }
+else
+  {
+  cancel_cutthrough_connection(TRUE, US"non-continued delivery");
+  (void) child_exec_exim(exec_type, FALSE, NULL, FALSE, 2, US"-Mc", message_id);
+  }
+return;		/* compiler quietening; control does not reach here. */
+
+#ifndef DISABLE_TLS
+fail:
+  log_write(0,
+    LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE),
+    "delivery re-exec %s failed: %s", where, strerror(errno));
+
+  /* Get here if exec_type == CEE_EXEC_EXIT.
+  Note: this must be _exit(), not exit(). */
+
+  _exit(EX_EXECFAILED);
+#endif
+}
+
+/* vi: aw ai sw=2
+*/
+/* End of deliver.c */
diff --git a/src/directory.c b/src/directory.c
new file mode 100644
index 0000000..1890208
--- /dev/null
+++ b/src/directory.c
@@ -0,0 +1,95 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2010 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "exim.h"
+
+
+/*************************************************
+*           Attempt to create a directory        *
+*************************************************/
+
+/* All the directories that Exim ever creates for itself are within the spool
+directory as defined by spool_directory. We are prepared to create as many as
+necessary from that directory downwards, inclusive. However, directory creation
+can also be required in appendfile and sieve filters. The making function
+therefore has a parent argument, below which the new directories are to go. It
+can be NULL if the name is absolute.
+
+If a non-root uid has been specified for exim, and we are currently running as
+root, ensure the directory is owned by the non-root id if the parent is the
+spool directory.
+
+Arguments:
+  parent    parent directory name; if NULL the name must be absolute
+  name      directory name within the parent that we want
+  mode      mode for the new directory
+  panic     if TRUE, panic on failure
+
+Returns:    panic on failure if panic is set; otherwise return FALSE;
+            TRUE on success.
+*/
+
+BOOL
+directory_make(const uschar *parent, const uschar *name,
+               int mode, BOOL panic)
+{
+BOOL use_chown = parent == spool_directory && geteuid() == root_uid;
+uschar * p;
+uschar c = 1;
+struct stat statbuf;
+uschar * path;
+
+if (is_tainted(name)) 
+  { p = US"create"; path = US name; errno = ERRNO_TAINT; goto bad; }
+
+if (parent)
+  {
+  path = string_sprintf("%s%s%s", parent, US"/", name);
+  p = path + Ustrlen(parent);
+  }
+else
+  {
+  path = string_copy(name);
+  p = path + 1;
+  }
+
+/* Walk the path creating any missing directories */
+
+while (c && *p)
+  {
+  while (*p && *p != '/') p++;
+  c = *p;
+  *p = '\0';
+  if (Ustat(path, &statbuf) != 0)
+    {
+    if (mkdir(CS path, mode) < 0 && errno != EEXIST)
+      { p = US"create"; goto bad; }
+
+    /* Set the ownership if necessary. */
+
+    if (use_chown && exim_chown(path, exim_uid, exim_gid))
+      { p = US"set owner on"; goto bad; }
+
+    /* It appears that any mode bits greater than 0777 are ignored by
+    mkdir(), at least on some operating systems. Therefore, if the mode
+    contains any such bits, do an explicit mode setting. */
+
+    if (mode & 0777000) (void) Uchmod(path, mode);
+    }
+  *p++ = c;
+  }
+
+return TRUE;
+
+bad:
+  if (panic) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "Failed to %s directory \"%s\": %s\n", p, path, exim_errstr(errno));
+  return FALSE;
+}
+
+/* End of directory.c */
diff --git a/src/dkim.c b/src/dkim.c
new file mode 100644
index 0000000..bb916d2
--- /dev/null
+++ b/src/dkim.c
@@ -0,0 +1,895 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge, 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Code for DKIM support. Other DKIM relevant code is in
+   receive.c, transport.c and transports/smtp.c */
+
+#include "exim.h"
+
+#ifndef DISABLE_DKIM
+
+# include "pdkim/pdkim.h"
+
+# ifdef MACRO_PREDEF
+#  include "macro_predef.h"
+
+void
+params_dkim(void)
+{
+builtin_macro_create_var(US"_DKIM_SIGN_HEADERS", US PDKIM_DEFAULT_SIGN_HEADERS);
+builtin_macro_create_var(US"_DKIM_OVERSIGN_HEADERS", US PDKIM_OVERSIGN_HEADERS);
+}
+# else	/*!MACRO_PREDEF*/
+
+
+
+pdkim_ctx dkim_sign_ctx;
+
+int dkim_verify_oldpool;
+pdkim_ctx *dkim_verify_ctx = NULL;
+pdkim_signature *dkim_cur_sig = NULL;
+static const uschar * dkim_collect_error = NULL;
+
+#define DKIM_MAX_SIGNATURES 20
+
+
+
+/* Look up the DKIM record in DNS for the given hostname.
+Will use the first found if there are multiple.
+The return string is tainted, having come from off-site.
+*/
+
+uschar *
+dkim_exim_query_dns_txt(const uschar * name)
+{
+dns_answer * dnsa = store_get_dns_answer();
+dns_scan dnss;
+rmark reset_point = store_mark();
+gstring * g = string_get_tainted(256, GET_TAINTED);
+
+lookup_dnssec_authenticated = NULL;
+if (dns_lookup(dnsa, name, T_TXT, NULL) != DNS_SUCCEED)
+  goto bad;
+
+/* Search for TXT record */
+
+for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
+     rr;
+     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
+  if (rr->type == T_TXT)
+    {			/* Copy record content to the answer buffer */
+    for (int rr_offset = 0; rr_offset < rr->size; )
+      {
+      uschar len = rr->data[rr_offset++];
+
+      g = string_catn(g, US(rr->data + rr_offset), len);
+      if (g->ptr >= PDKIM_DNS_TXT_MAX_RECLEN)
+	goto bad;
+
+      rr_offset += len;
+      }
+
+    /* Check if this looks like a DKIM record */
+    if (Ustrncmp(g->s, "v=", 2) != 0 || strncasecmp(CS g->s, "v=dkim", 6) == 0)
+      {
+      store_free_dns_answer(dnsa);
+      gstring_release_unused(g);
+      return string_from_gstring(g);
+      }
+
+    g->ptr = 0;		/* overwrite previous record */
+    }
+
+bad:
+store_reset(reset_point);
+store_free_dns_answer(dnsa);
+return NULL;	/*XXX better error detail?  logging? */
+}
+
+
+void
+dkim_exim_init(void)
+{
+if (f.dkim_init_done) return;
+f.dkim_init_done = TRUE;
+pdkim_init();
+}
+
+
+
+void
+dkim_exim_verify_init(BOOL dot_stuffing)
+{
+dkim_exim_init();
+
+/* There is a store-reset between header & body reception for the main pool
+(actually, after every header line) so cannot use that as we need the data we
+store per-header, during header processing, at the end of body reception
+for evaluating the signature.  Any allocs done for dkim verify
+memory-handling must use a different pool.  We use a separate one that we
+can reset per message. */
+
+dkim_verify_oldpool = store_pool;
+store_pool = POOL_MESSAGE;
+
+/* Free previous context if there is one */
+
+if (dkim_verify_ctx)
+  pdkim_free_ctx(dkim_verify_ctx);
+
+/* Create new context */
+
+dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing);
+dkim_collect_input = dkim_verify_ctx ? DKIM_MAX_SIGNATURES : 0;
+dkim_collect_error = NULL;
+
+/* Start feed up with any cached data, but limited to message data */
+receive_get_cache(chunking_state == CHUNKING_LAST
+		  ? chunking_data_left : GETC_BUFFER_UNLIMITED);
+
+store_pool = dkim_verify_oldpool;
+}
+
+
+/* Submit a chunk of data for verification input.
+Only use the data when the feed is activated. */
+void
+dkim_exim_verify_feed(uschar * data, int len)
+{
+int rc;
+
+store_pool = POOL_MESSAGE;
+if (  dkim_collect_input
+   && (rc = pdkim_feed(dkim_verify_ctx, data, len)) != PDKIM_OK)
+  {
+  dkim_collect_error = pdkim_errstr(rc);
+  log_write(0, LOG_MAIN,
+	     "DKIM: validation error: %.100s", dkim_collect_error);
+  dkim_collect_input = 0;
+  }
+store_pool = dkim_verify_oldpool;
+}
+
+
+/* Log the result for the given signature */
+static void
+dkim_exim_verify_log_sig(pdkim_signature * sig)
+{
+gstring * logmsg;
+uschar * s;
+
+if (!sig) return;
+
+/* Remember the domain for the first pass result */
+
+if (  !dkim_verify_overall
+   && dkim_verify_status
+      ? Ustrcmp(dkim_verify_status, US"pass") == 0
+      : sig->verify_status == PDKIM_VERIFY_PASS
+   )
+  dkim_verify_overall = string_copy(sig->domain);
+
+/* Rewrite the sig result if the ACL overrode it.  This is only
+needed because the DMARC code (sigh) peeks at the dkim sigs.
+Mark the sig for this having been done. */
+
+if (  dkim_verify_status
+   && (  dkim_verify_status != dkim_exim_expand_query(DKIM_VERIFY_STATUS)
+      || dkim_verify_reason != dkim_exim_expand_query(DKIM_VERIFY_REASON)
+   )  )
+  {			/* overridden by ACL */
+  sig->verify_ext_status = -1;
+  if (Ustrcmp(dkim_verify_status, US"fail") == 0)
+    sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_FAIL;
+  else if (Ustrcmp(dkim_verify_status, US"invalid") == 0)
+    sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_INVALID;
+  else if (Ustrcmp(dkim_verify_status, US"none") == 0)
+    sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_NONE;
+  else if (Ustrcmp(dkim_verify_status, US"pass") == 0)
+    sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_PASS;
+  else
+    sig->verify_status = -1;
+  }
+
+if (!LOGGING(dkim_verbose)) return;
+
+
+logmsg = string_catn(NULL, US"DKIM: ", 6);
+if (!(s = sig->domain)) s = US"<UNSET>";
+logmsg = string_append(logmsg, 2, "d=", s);
+if (!(s = sig->selector)) s = US"<UNSET>";
+logmsg = string_append(logmsg, 2, " s=", s);
+logmsg = string_fmt_append(logmsg, " c=%s/%s a=%s b=" SIZE_T_FMT,
+	  sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
+	  sig->canon_body    == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
+	  dkim_sig_to_a_tag(sig),
+	  (int)sig->sighash.len > -1 ? sig->sighash.len * 8 : (size_t)0);
+if ((s= sig->identity)) logmsg = string_append(logmsg, 2, " i=", s);
+if (sig->created > 0) logmsg = string_fmt_append(logmsg, " t=%lu",
+				    sig->created);
+if (sig->expires > 0) logmsg = string_fmt_append(logmsg, " x=%lu",
+				    sig->expires);
+if (sig->bodylength > -1) logmsg = string_fmt_append(logmsg, " l=%lu",
+				    sig->bodylength);
+
+if (sig->verify_status & PDKIM_VERIFY_POLICY)
+  logmsg = string_append(logmsg, 5,
+	    US" [", dkim_verify_status, US" - ", dkim_verify_reason, US"]");
+else
+  switch (sig->verify_status)
+    {
+    case PDKIM_VERIFY_NONE:
+      logmsg = string_cat(logmsg, US" [not verified]");
+      break;
+
+    case PDKIM_VERIFY_INVALID:
+      logmsg = string_cat(logmsg, US" [invalid - ");
+      switch (sig->verify_ext_status)
+	{
+	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
+	  logmsg = string_cat(logmsg,
+			US"public key record (currently?) unavailable]");
+	  break;
+
+	case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
+	  logmsg = string_cat(logmsg, US"overlong public key record]");
+	  break;
+
+	case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
+	case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
+	  logmsg = string_cat(logmsg, US"syntax error in public key record]");
+	  break;
+
+	case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
+	  logmsg = string_cat(logmsg, US"signature tag missing or invalid]");
+	  break;
+
+	case PDKIM_VERIFY_INVALID_DKIM_VERSION:
+	  logmsg = string_cat(logmsg, US"unsupported DKIM version]");
+	  break;
+
+	default:
+	  logmsg = string_cat(logmsg, US"unspecified problem]");
+	}
+      break;
+
+    case PDKIM_VERIFY_FAIL:
+      logmsg = string_cat(logmsg, US" [verification failed - ");
+      switch (sig->verify_ext_status)
+	{
+	case PDKIM_VERIFY_FAIL_BODY:
+	  logmsg = string_cat(logmsg,
+	       US"body hash mismatch (body probably modified in transit)]");
+	  break;
+
+	case PDKIM_VERIFY_FAIL_MESSAGE:
+	  logmsg = string_cat(logmsg,
+		US"signature did not verify "
+		"(headers probably modified in transit)]");
+	  break;
+
+	case PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE:
+	  logmsg = string_cat(logmsg,
+		US"signature invalid (key too short)]");
+	  break;
+
+	default:
+	  logmsg = string_cat(logmsg, US"unspecified reason]");
+	}
+      break;
+
+    case PDKIM_VERIFY_PASS:
+      logmsg = string_cat(logmsg, US" [verification succeeded]");
+      break;
+    }
+
+log_write(0, LOG_MAIN, "%s", string_from_gstring(logmsg));
+return;
+}
+
+
+/* Log a line for each signature */
+void
+dkim_exim_verify_log_all(void)
+{
+for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next)
+  dkim_exim_verify_log_sig(sig);
+}
+
+
+void
+dkim_exim_verify_finish(void)
+{
+int rc;
+gstring * g = NULL;
+const uschar * errstr = NULL;
+
+store_pool = POOL_MESSAGE;
+
+/* Delete eventual previous signature chain */
+
+dkim_signers = NULL;
+dkim_signatures = NULL;
+
+if (dkim_collect_error)
+  {
+  log_write(0, LOG_MAIN,
+      "DKIM: Error during validation, disabling signature verification: %.100s",
+      dkim_collect_error);
+  f.dkim_disable_verify = TRUE;
+  goto out;
+  }
+
+dkim_collect_input = 0;
+
+/* Finish DKIM operation and fetch link to signatures chain */
+
+rc = pdkim_feed_finish(dkim_verify_ctx, (pdkim_signature **)&dkim_signatures,
+			&errstr);
+if (rc != PDKIM_OK && errstr)
+  log_write(0, LOG_MAIN, "DKIM: validation error: %s", errstr);
+
+/* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
+
+for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next)
+  {
+  if (sig->domain)   g = string_append_listele(g, ':', sig->domain);
+  if (sig->identity) g = string_append_listele(g, ':', sig->identity);
+  }
+
+if (g) dkim_signers = g->s;
+
+out:
+store_pool = dkim_verify_oldpool;
+}
+
+
+
+/* Args as per dkim_exim_acl_run() below */
+static int
+dkim_acl_call(uschar * id, gstring ** res_ptr,
+  uschar ** user_msgptr, uschar ** log_msgptr)
+{
+int rc;
+DEBUG(D_receive)
+  debug_printf("calling acl_smtp_dkim for dkim_cur_signer='%s'\n", id);
+
+rc = acl_check(ACL_WHERE_DKIM, NULL, acl_smtp_dkim, user_msgptr, log_msgptr);
+dkim_exim_verify_log_sig(dkim_cur_sig);
+*res_ptr = string_append_listele(*res_ptr, ':', dkim_verify_status);
+return rc;
+}
+
+
+
+/* For the given identity, run the DKIM ACL once for each matching signature.
+
+Arguments
+ id		Identity to look for in dkim signatures
+ res_ptr	ptr to growable string-list of status results,
+		appended to per ACL run
+ user_msgptr	where to put a user error (for SMTP response)
+ log_msgptr	where to put a logging message (not for SMTP response)
+
+Returns:       OK         access is granted by an ACCEPT verb
+               DISCARD    access is granted by a DISCARD verb
+               FAIL       access is denied
+               FAIL_DROP  access is denied; drop the connection
+               DEFER      can't tell at the moment
+               ERROR      disaster
+*/
+
+int
+dkim_exim_acl_run(uschar * id, gstring ** res_ptr,
+  uschar ** user_msgptr, uschar ** log_msgptr)
+{
+uschar * cmp_val;
+int rc = -1;
+
+dkim_verify_status = US"none";
+dkim_verify_reason = US"";
+dkim_cur_signer = id;
+
+if (f.dkim_disable_verify || !id || !dkim_verify_ctx)
+  return OK;
+
+/* Find signatures to run ACL on */
+
+for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next)
+  if (  (cmp_val = Ustrchr(id, '@') != NULL ? US sig->identity : US sig->domain)
+     && strcmpic(cmp_val, id) == 0
+     )
+    {
+    /* The "dkim_domain" and "dkim_selector" expansion variables have
+    related globals, since they are used in the signing code too.
+    Instead of inventing separate names for verification, we set
+    them here. This is easy since a domain and selector is guaranteed
+    to be in a signature. The other dkim_* expansion items are
+    dynamically fetched from dkim_cur_sig at expansion time (see
+    dkim_exim_expand_query() below). */
+
+    dkim_cur_sig = sig;
+    dkim_signing_domain = US sig->domain;
+    dkim_signing_selector = US sig->selector;
+    dkim_key_length = sig->keybits;
+
+    /* These two return static strings, so we can compare the addr
+    later to see if the ACL overwrote them.  Check that when logging */
+
+    dkim_verify_status = dkim_exim_expand_query(DKIM_VERIFY_STATUS);
+    dkim_verify_reason = dkim_exim_expand_query(DKIM_VERIFY_REASON);
+
+    if ((rc = dkim_acl_call(id, res_ptr, user_msgptr, log_msgptr)) != OK)
+      return rc;
+    }
+
+if (rc != -1)
+  return rc;
+
+/* No matching sig found.  Call ACL once anyway. */
+
+dkim_cur_sig = NULL;
+return dkim_acl_call(id, res_ptr, user_msgptr, log_msgptr);
+}
+
+
+static uschar *
+dkim_exim_expand_defaults(int what)
+{
+switch (what)
+  {
+  case DKIM_ALGO:		return US"";
+  case DKIM_BODYLENGTH:		return US"9999999999999";
+  case DKIM_CANON_BODY:		return US"";
+  case DKIM_CANON_HEADERS:	return US"";
+  case DKIM_COPIEDHEADERS:	return US"";
+  case DKIM_CREATED:		return US"0";
+  case DKIM_EXPIRES:		return US"9999999999999";
+  case DKIM_HEADERNAMES:	return US"";
+  case DKIM_IDENTITY:		return US"";
+  case DKIM_KEY_GRANULARITY:	return US"*";
+  case DKIM_KEY_SRVTYPE:	return US"*";
+  case DKIM_KEY_NOTES:		return US"";
+  case DKIM_KEY_TESTING:	return US"0";
+  case DKIM_NOSUBDOMAINS:	return US"0";
+  case DKIM_VERIFY_STATUS:	return US"none";
+  case DKIM_VERIFY_REASON:	return US"";
+  default:			return US"";
+  }
+}
+
+
+uschar *
+dkim_exim_expand_query(int what)
+{
+if (!dkim_verify_ctx || f.dkim_disable_verify || !dkim_cur_sig)
+  return dkim_exim_expand_defaults(what);
+
+switch (what)
+  {
+  case DKIM_ALGO:
+    return dkim_sig_to_a_tag(dkim_cur_sig);
+
+  case DKIM_BODYLENGTH:
+    return dkim_cur_sig->bodylength >= 0
+      ? string_sprintf("%ld", dkim_cur_sig->bodylength)
+      : dkim_exim_expand_defaults(what);
+
+  case DKIM_CANON_BODY:
+    switch (dkim_cur_sig->canon_body)
+      {
+      case PDKIM_CANON_RELAXED:	return US"relaxed";
+      case PDKIM_CANON_SIMPLE:
+      default:			return US"simple";
+      }
+
+  case DKIM_CANON_HEADERS:
+    switch (dkim_cur_sig->canon_headers)
+      {
+      case PDKIM_CANON_RELAXED:	return US"relaxed";
+      case PDKIM_CANON_SIMPLE:
+      default:			return US"simple";
+      }
+
+  case DKIM_COPIEDHEADERS:
+    return dkim_cur_sig->copiedheaders
+      ? US dkim_cur_sig->copiedheaders : dkim_exim_expand_defaults(what);
+
+  case DKIM_CREATED:
+    return dkim_cur_sig->created > 0
+      ? string_sprintf("%lu", dkim_cur_sig->created)
+      : dkim_exim_expand_defaults(what);
+
+  case DKIM_EXPIRES:
+    return dkim_cur_sig->expires > 0
+      ? string_sprintf("%lu", dkim_cur_sig->expires)
+      : dkim_exim_expand_defaults(what);
+
+  case DKIM_HEADERNAMES:
+    return dkim_cur_sig->headernames
+      ? dkim_cur_sig->headernames : dkim_exim_expand_defaults(what);
+
+  case DKIM_IDENTITY:
+    return dkim_cur_sig->identity
+      ? US dkim_cur_sig->identity : dkim_exim_expand_defaults(what);
+
+  case DKIM_KEY_GRANULARITY:
+    return dkim_cur_sig->pubkey
+      ? dkim_cur_sig->pubkey->granularity
+      ? US dkim_cur_sig->pubkey->granularity
+      : dkim_exim_expand_defaults(what)
+      : dkim_exim_expand_defaults(what);
+
+  case DKIM_KEY_SRVTYPE:
+    return dkim_cur_sig->pubkey
+      ? dkim_cur_sig->pubkey->srvtype
+      ? US dkim_cur_sig->pubkey->srvtype
+      : dkim_exim_expand_defaults(what)
+      : dkim_exim_expand_defaults(what);
+
+  case DKIM_KEY_NOTES:
+    return dkim_cur_sig->pubkey
+      ? dkim_cur_sig->pubkey->notes
+      ? US dkim_cur_sig->pubkey->notes
+      : dkim_exim_expand_defaults(what)
+      : dkim_exim_expand_defaults(what);
+
+  case DKIM_KEY_TESTING:
+    return dkim_cur_sig->pubkey
+      ? dkim_cur_sig->pubkey->testing
+      ? US"1"
+      : dkim_exim_expand_defaults(what)
+      : dkim_exim_expand_defaults(what);
+
+  case DKIM_NOSUBDOMAINS:
+    return dkim_cur_sig->pubkey
+      ? dkim_cur_sig->pubkey->no_subdomaining
+      ? US"1"
+      : dkim_exim_expand_defaults(what)
+      : dkim_exim_expand_defaults(what);
+
+  case DKIM_VERIFY_STATUS:
+    switch (dkim_cur_sig->verify_status)
+      {
+      case PDKIM_VERIFY_INVALID:	return US"invalid";
+      case PDKIM_VERIFY_FAIL:		return US"fail";
+      case PDKIM_VERIFY_PASS:		return US"pass";
+      case PDKIM_VERIFY_NONE:
+      default:				return US"none";
+      }
+
+  case DKIM_VERIFY_REASON:
+    switch (dkim_cur_sig->verify_ext_status)
+      {
+      case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
+						return US"pubkey_unavailable";
+      case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:return US"pubkey_dns_syntax";
+      case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:	return US"pubkey_der_syntax";
+      case PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE:	return US"pubkey_too_short";
+      case PDKIM_VERIFY_FAIL_BODY:		return US"bodyhash_mismatch";
+      case PDKIM_VERIFY_FAIL_MESSAGE:		return US"signature_incorrect";
+      }
+
+  default:
+    return US"";
+  }
+}
+
+
+void
+dkim_exim_sign_init(void)
+{
+int old_pool = store_pool;
+
+dkim_exim_init();
+store_pool = POOL_MAIN;
+pdkim_init_context(&dkim_sign_ctx, FALSE, &dkim_exim_query_dns_txt);
+store_pool = old_pool;
+}
+
+
+/* Generate signatures for the given file.
+If a prefix is given, prepend it to the file for the calculations.
+
+Return:
+  NULL:		error; error string written
+  string: 	signature header(s), or a zero-length string (not an error)
+*/
+
+gstring *
+dkim_exim_sign(int fd, off_t off, uschar * prefix,
+  struct ob_dkim * dkim, const uschar ** errstr)
+{
+const uschar * dkim_domain = NULL;
+int sep = 0;
+gstring * seen_doms = NULL;
+pdkim_signature * sig;
+gstring * sigbuf;
+int pdkim_rc;
+int sread;
+uschar buf[4096];
+int save_errno = 0;
+int old_pool = store_pool;
+uschar * errwhen;
+const uschar * s;
+
+if (dkim->dot_stuffed)
+  dkim_sign_ctx.flags |= PDKIM_DOT_TERM;
+
+store_pool = POOL_MAIN;
+
+if ((s = dkim->dkim_domain) && !(dkim_domain = expand_cstring(s)))
+  /* expansion error, do not send message. */
+  { errwhen = US"dkim_domain"; goto expand_bad; }
+
+/* Set $dkim_domain expansion variable to each unique domain in list. */
+
+if (dkim_domain)
+  while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, NULL, 0)))
+  {
+  const uschar * dkim_sel;
+  int sel_sep = 0;
+
+  if (dkim_signing_domain[0] == '\0')
+    continue;
+
+  /* Only sign once for each domain, no matter how often it
+  appears in the expanded list. */
+
+  dkim_signing_domain = string_copylc(dkim_signing_domain);
+  if (match_isinlist(dkim_signing_domain, CUSS &seen_doms,
+      0, NULL, NULL, MCL_STRING, TRUE, NULL) == OK)
+    continue;
+
+  seen_doms = string_append_listele(seen_doms, ':', dkim_signing_domain);
+
+  /* Set $dkim_selector expansion variable to each selector in list,
+  for this domain. */
+
+  if (!(dkim_sel = expand_string(dkim->dkim_selector)))
+    { errwhen = US"dkim_selector"; goto expand_bad; }
+
+  while ((dkim_signing_selector = string_nextinlist(&dkim_sel, &sel_sep,
+	  NULL, 0)))
+    {
+    uschar * dkim_canon_expanded;
+    int pdkim_canon;
+    uschar * dkim_sign_headers_expanded = NULL;
+    uschar * dkim_private_key_expanded;
+    uschar * dkim_hash_expanded;
+    uschar * dkim_identity_expanded = NULL;
+    uschar * dkim_timestamps_expanded = NULL;
+    unsigned long tval = 0, xval = 0;
+
+    /* Get canonicalization to use */
+
+    dkim_canon_expanded = dkim->dkim_canon
+      ? expand_string(dkim->dkim_canon) : US"relaxed";
+    if (!dkim_canon_expanded)	/* expansion error, do not send message. */
+      { errwhen = US"dkim_canon"; goto expand_bad; }
+
+    if (Ustrcmp(dkim_canon_expanded, "relaxed") == 0)
+      pdkim_canon = PDKIM_CANON_RELAXED;
+    else if (Ustrcmp(dkim_canon_expanded, "simple") == 0)
+      pdkim_canon = PDKIM_CANON_SIMPLE;
+    else
+      {
+      log_write(0, LOG_MAIN,
+		 "DKIM: unknown canonicalization method '%s', defaulting to 'relaxed'.\n",
+		 dkim_canon_expanded);
+      pdkim_canon = PDKIM_CANON_RELAXED;
+      }
+
+    if (  dkim->dkim_sign_headers
+       && !(dkim_sign_headers_expanded = expand_string(dkim->dkim_sign_headers)))
+      { errwhen = US"dkim_sign_header"; goto expand_bad; }
+    /* else pass NULL, which means default header list */
+
+    /* Get private key to use. */
+
+    if (!(dkim_private_key_expanded = expand_string(dkim->dkim_private_key)))
+      { errwhen = US"dkim_private_key"; goto expand_bad; }
+
+    if (  Ustrlen(dkim_private_key_expanded) == 0
+       || Ustrcmp(dkim_private_key_expanded, "0") == 0
+       || Ustrcmp(dkim_private_key_expanded, "false") == 0
+       )
+      continue;		/* don't sign, but no error */
+
+    if (  dkim_private_key_expanded[0] == '/'
+       && !(dkim_private_key_expanded =
+	     expand_file_big_buffer(dkim_private_key_expanded)))
+      goto bad;
+
+    if (!(dkim_hash_expanded = expand_string(dkim->dkim_hash)))
+      { errwhen = US"dkim_hash"; goto expand_bad; }
+
+    if (dkim->dkim_identity)
+      if (!(dkim_identity_expanded = expand_string(dkim->dkim_identity)))
+	{ errwhen = US"dkim_identity"; goto expand_bad; }
+      else if (!*dkim_identity_expanded)
+	dkim_identity_expanded = NULL;
+
+    if (dkim->dkim_timestamps)
+      if (!(dkim_timestamps_expanded = expand_string(dkim->dkim_timestamps)))
+	{ errwhen = US"dkim_timestamps"; goto expand_bad; }
+      else
+	xval = (tval = (unsigned long) time(NULL))
+	      + strtoul(CCS dkim_timestamps_expanded, NULL, 10);
+
+    if (!(sig = pdkim_init_sign(&dkim_sign_ctx, dkim_signing_domain,
+			  dkim_signing_selector,
+			  dkim_private_key_expanded,
+			  dkim_hash_expanded,
+			  errstr
+			  )))
+      goto bad;
+    dkim_private_key_expanded[0] = '\0';
+
+    pdkim_set_optional(sig,
+			CS dkim_sign_headers_expanded,
+			CS dkim_identity_expanded,
+			pdkim_canon,
+			pdkim_canon, -1, tval, xval);
+
+    if (!pdkim_set_sig_bodyhash(&dkim_sign_ctx, sig))
+      goto bad;
+
+    if (!dkim_sign_ctx.sig)		/* link sig to context chain */
+      dkim_sign_ctx.sig = sig;
+    else
+      {
+      pdkim_signature * n = dkim_sign_ctx.sig;
+      while (n->next) n = n->next;
+      n->next = sig;
+      }
+    }
+  }
+
+/* We may need to carry on with the data-feed even if there are no DKIM sigs to
+produce, if some other package (eg. ARC) is signing. */
+
+if (!dkim_sign_ctx.sig && !dkim->force_bodyhash)
+  {
+  DEBUG(D_transport) debug_printf("DKIM: no viable signatures to use\n");
+  sigbuf = string_get(1);	/* return a zero-len string */
+  }
+else
+  {
+  if (prefix && (pdkim_rc = pdkim_feed(&dkim_sign_ctx, prefix, Ustrlen(prefix))) != PDKIM_OK)
+    goto pk_bad;
+
+  if (lseek(fd, off, SEEK_SET) < 0)
+    sread = -1;
+  else
+    while ((sread = read(fd, &buf, sizeof(buf))) > 0)
+      if ((pdkim_rc = pdkim_feed(&dkim_sign_ctx, buf, sread)) != PDKIM_OK)
+	goto pk_bad;
+
+  /* Handle failed read above. */
+  if (sread == -1)
+    {
+    debug_printf("DKIM: Error reading -K file.\n");
+    save_errno = errno;
+    goto bad;
+    }
+
+  /* Build string of headers, one per signature */
+
+  if ((pdkim_rc = pdkim_feed_finish(&dkim_sign_ctx, &sig, errstr)) != PDKIM_OK)
+    goto pk_bad;
+
+  if (!sig)
+    {
+    DEBUG(D_transport) debug_printf("DKIM: no signatures to use\n");
+    sigbuf = string_get(1);	/* return a zero-len string */
+    }
+  else for (sigbuf = NULL; sig; sig = sig->next)
+    sigbuf = string_append(sigbuf, 2, US sig->signature_header, US"\r\n");
+  }
+
+CLEANUP:
+  (void) string_from_gstring(sigbuf);
+  store_pool = old_pool;
+  errno = save_errno;
+  return sigbuf;
+
+pk_bad:
+  log_write(0, LOG_MAIN|LOG_PANIC,
+		"DKIM: signing failed: %.100s", pdkim_errstr(pdkim_rc));
+bad:
+  sigbuf = NULL;
+  goto CLEANUP;
+
+expand_bad:
+  *errstr = string_sprintf("failed to expand %s: %s",
+              errwhen, expand_string_message);
+  log_write(0, LOG_MAIN | LOG_PANIC, "%s", *errstr);
+  goto bad;
+}
+
+
+
+
+gstring *
+authres_dkim(gstring * g)
+{
+int start = 0;		/* compiler quietening */
+
+DEBUG(D_acl) start = g->ptr;
+
+for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next)
+  {
+  g = string_catn(g, US";\n\tdkim=", 8);
+
+  if (sig->verify_status & PDKIM_VERIFY_POLICY)
+    g = string_append(g, 5,
+      US"policy (", dkim_verify_status, US" - ", dkim_verify_reason, US")");
+  else switch(sig->verify_status)
+    {
+    case PDKIM_VERIFY_NONE:    g = string_cat(g, US"none"); break;
+    case PDKIM_VERIFY_INVALID:
+      switch (sig->verify_ext_status)
+	{
+	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
+          g = string_cat(g, US"tmperror (pubkey unavailable)\n\t\t"); break;
+        case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
+          g = string_cat(g, US"permerror (overlong public key record)\n\t\t"); break;
+        case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
+        case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
+          g = string_cat(g, US"neutral (public key record import problem)\n\t\t");
+          break;
+        case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
+          g = string_cat(g, US"neutral (signature tag missing or invalid)\n\t\t");
+          break;
+        case PDKIM_VERIFY_INVALID_DKIM_VERSION:
+          g = string_cat(g, US"neutral (unsupported DKIM version)\n\t\t");
+          break;
+        default:
+          g = string_cat(g, US"permerror (unspecified problem)\n\t\t"); break;
+	}
+      break;
+    case PDKIM_VERIFY_FAIL:
+      switch (sig->verify_ext_status)
+	{
+	case PDKIM_VERIFY_FAIL_BODY:
+          g = string_cat(g,
+	    US"fail (body hash mismatch; body probably modified in transit)\n\t\t");
+	  break;
+        case PDKIM_VERIFY_FAIL_MESSAGE:
+          g = string_cat(g,
+	    US"fail (signature did not verify; headers probably modified in transit)\n\t\t");
+	  break;
+        case PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE:	/* should this really be "polcy"? */
+          g = string_fmt_append(g, "fail (public key too short: %u bits)\n\t\t", sig->keybits);
+          break;
+        default:
+          g = string_cat(g, US"fail (unspecified reason)\n\t\t");
+	  break;
+	}
+      break;
+    case PDKIM_VERIFY_PASS:    g = string_cat(g, US"pass"); break;
+    default:                   g = string_cat(g, US"permerror"); break;
+    }
+  if (sig->domain)   g = string_append(g, 2, US" header.d=", sig->domain);
+  if (sig->identity) g = string_append(g, 2, US" header.i=", sig->identity);
+  if (sig->selector) g = string_append(g, 2, US" header.s=", sig->selector);
+  g = string_append(g, 2, US" header.a=", dkim_sig_to_a_tag(sig));
+  }
+
+DEBUG(D_acl)
+  if (g->ptr == start)
+    debug_printf("DKIM: no authres\n");
+  else
+    debug_printf("DKIM: authres '%.*s'\n", g->ptr - start - 3, g->s + start + 3);
+return g;
+}
+
+
+# endif	/*!MACRO_PREDEF*/
+#endif	/*!DISABLE_DKIM*/
diff --git a/src/dkim.h b/src/dkim.h
new file mode 100644
index 0000000..7b94f22
--- /dev/null
+++ b/src/dkim.h
@@ -0,0 +1,32 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge, 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+void    dkim_exim_init(void);
+gstring * dkim_exim_sign(int, off_t, uschar *, struct ob_dkim *, const uschar **);
+void    dkim_exim_verify_init(BOOL);
+void    dkim_exim_verify_feed(uschar *, int);
+void    dkim_exim_verify_finish(void);
+void    dkim_exim_verify_log_all(void);
+int     dkim_exim_acl_run(uschar *, gstring **, uschar **, uschar **);
+uschar *dkim_exim_expand_query(int);
+
+#define DKIM_ALGO               1
+#define DKIM_BODYLENGTH         2
+#define DKIM_CANON_BODY         3
+#define DKIM_CANON_HEADERS      4
+#define DKIM_COPIEDHEADERS      5
+#define DKIM_CREATED            6
+#define DKIM_EXPIRES            7
+#define DKIM_HEADERNAMES        8
+#define DKIM_IDENTITY           9
+#define DKIM_KEY_GRANULARITY   10
+#define DKIM_KEY_SRVTYPE       11
+#define DKIM_KEY_NOTES         12
+#define DKIM_KEY_TESTING       13
+#define DKIM_NOSUBDOMAINS      14
+#define DKIM_VERIFY_STATUS     15
+#define DKIM_VERIFY_REASON     16
diff --git a/src/dkim_transport.c b/src/dkim_transport.c
new file mode 100644
index 0000000..cfd4b90
--- /dev/null
+++ b/src/dkim_transport.c
@@ -0,0 +1,412 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Transport shim for dkim signing */
+
+
+#include "exim.h"
+
+#ifndef DISABLE_DKIM	/* rest of file */
+
+
+static BOOL
+dkt_sign_fail(struct ob_dkim * dkim, int * errp)
+{
+if (dkim->dkim_strict)
+  {
+  uschar * dkim_strict_result = expand_string(dkim->dkim_strict);
+
+  if (dkim_strict_result)
+    if (  strcmpic(dkim_strict_result, US"1") == 0
+       || strcmpic(dkim_strict_result, US"true") == 0)
+      {
+      /* Set errno to something halfway meaningful */
+      *errp = EACCES;
+      log_write(0, LOG_MAIN, "DKIM: message could not be signed,"
+	" and dkim_strict is set. Deferring message delivery.");
+      return FALSE;
+      }
+  }
+return TRUE;
+}
+
+/* Send the file at in_fd down the output fd */
+
+static BOOL
+dkt_send_file(int out_fd, int in_fd, off_t off
+#ifdef OS_SENDFILE
+  , size_t size
+#endif
+  )
+{
+#ifdef OS_SENDFILE
+DEBUG(D_transport) debug_printf("send file fd=%d size=%u\n", out_fd, (unsigned)(size - off));
+#else
+DEBUG(D_transport) debug_printf("send file fd=%d\n", out_fd);
+#endif
+
+/*XXX should implement timeout, like transport_write_block_fd() ? */
+
+#ifdef OS_SENDFILE
+/* We can use sendfile() to shove the file contents
+   to the socket. However only if we don't use TLS,
+   as then there's another layer of indirection
+   before the data finally hits the socket. */
+if (tls_out.active.sock != out_fd)
+  {
+  ssize_t copied = 0;
+
+  while(copied >= 0 && off < size)
+    copied = os_sendfile(out_fd, in_fd, &off, size - off);
+  if (copied < 0)
+    return FALSE;
+  }
+else
+
+#endif
+
+  {
+  int sread, wwritten;
+
+  /* Rewind file */
+  if (lseek(in_fd, off, SEEK_SET) < 0) return FALSE;
+
+  /* Send file down the original fd */
+  while((sread = read(in_fd, deliver_out_buffer, DELIVER_OUT_BUFFER_SIZE)) > 0)
+    {
+    uschar * p = deliver_out_buffer;
+    /* write the chunk */
+
+    while (sread)
+      {
+#ifndef DISABLE_TLS
+      wwritten = tls_out.active.sock == out_fd
+	? tls_write(tls_out.active.tls_ctx, p, sread, FALSE)
+	: write(out_fd, CS p, sread);
+#else
+      wwritten = write(out_fd, CS p, sread);
+#endif
+      if (wwritten == -1)
+	return FALSE;
+      p += wwritten;
+      sread -= wwritten;
+      }
+    }
+
+  if (sread == -1)
+    return FALSE;
+  }
+
+return TRUE;
+}
+
+
+
+
+/* This function is a wrapper around transport_write_message().
+   It is only called from the smtp transport if DKIM or Domainkeys support
+   is active and no transport filter is to be used.
+
+Arguments:
+  As for transport_write_message() in transort.c, with additional arguments
+  for DKIM.
+
+Returns:       TRUE on success; FALSE (with errno) for any failure
+*/
+
+static BOOL
+dkt_direct(transport_ctx * tctx, struct ob_dkim * dkim,
+  const uschar ** err)
+{
+int save_fd = tctx->u.fd;
+int save_options = tctx->options;
+BOOL save_wireformat = f.spool_file_wireformat;
+uschar * hdrs;
+gstring * dkim_signature;
+int hsize;
+const uschar * errstr;
+BOOL rc;
+
+DEBUG(D_transport) debug_printf("dkim signing direct-mode\n");
+
+/* Get headers in string for signing and transmission.  Do CRLF
+and dotstuffing (but no body nor dot-termination) */
+
+tctx->u.msg = NULL;
+tctx->options = tctx->options & ~(topt_end_dot | topt_use_bdat)
+  | topt_output_string | topt_no_body;
+
+rc = transport_write_message(tctx, 0);
+hdrs = string_from_gstring(tctx->u.msg);
+hsize = tctx->u.msg->ptr;
+
+tctx->u.fd = save_fd;
+tctx->options = save_options;
+if (!rc) return FALSE;
+
+/* Get signatures for headers plus spool data file */
+
+#ifdef EXPERIMENTAL_ARC
+arc_sign_init();
+#endif
+
+/* The dotstuffed status of the datafile depends on whether it was stored
+in wireformat. */
+
+dkim->dot_stuffed = f.spool_file_wireformat;
+if (!(dkim_signature = dkim_exim_sign(deliver_datafile, SPOOL_DATA_START_OFFSET,
+				    hdrs, dkim, &errstr)))
+  if (!(rc = dkt_sign_fail(dkim, &errno)))
+    {
+    *err = errstr;
+    return FALSE;
+    }
+
+#ifdef EXPERIMENTAL_ARC
+if (dkim->arc_signspec)			/* Prepend ARC headers */
+  {
+  uschar * e = NULL;
+  if (!(dkim_signature = arc_sign(dkim->arc_signspec, dkim_signature, &e)))
+    {
+    *err = e;
+    return FALSE;
+    }
+  }
+#endif
+
+/* Write the signature and headers into the deliver-out-buffer.  This should
+mean they go out in the same packet as the MAIL, RCPT and (first) BDAT commands
+(transport_write_message() sizes the BDAT for the buffered amount) - for short
+messages, the BDAT LAST command.  We want no dotstuffing expansion here, it
+having already been done - but we have to say we want CRLF output format, and
+temporarily set the marker for possible already-CRLF input. */
+
+tctx->options &= ~topt_escape_headers;
+f.spool_file_wireformat = TRUE;
+transport_write_reset(0);
+if (  (  dkim_signature
+      && dkim_signature->ptr > 0
+      && !write_chunk(tctx, dkim_signature->s, dkim_signature->ptr)
+      )
+   || !write_chunk(tctx, hdrs, hsize)
+   )
+  return FALSE;
+
+f.spool_file_wireformat = save_wireformat;
+tctx->options = save_options | topt_no_headers | topt_continuation;
+
+if (!(transport_write_message(tctx, 0)))
+  return FALSE;
+
+tctx->options = save_options;
+return TRUE;
+}
+
+
+/* This function is a wrapper around transport_write_message().
+   It is only called from the smtp transport if DKIM or Domainkeys support
+   is active and a transport filter is to be used.  The function sets up a
+   replacement fd into a -K file, then calls the normal function. This way, the
+   exact bits that exim would have put "on the wire" will end up in the file
+   (except for TLS encapsulation, which is the very very last thing). When we
+   are done signing the file, send the signed message down the original fd (or
+   TLS fd).
+
+Arguments:
+  As for transport_write_message() in transort.c, with additional arguments
+  for DKIM.
+
+Returns:       TRUE on success; FALSE (with errno) for any failure
+*/
+
+static BOOL
+dkt_via_kfile(transport_ctx * tctx, struct ob_dkim * dkim, const uschar ** err)
+{
+int dkim_fd;
+int save_errno = 0;
+BOOL rc;
+uschar * dkim_spool_name;
+gstring * dkim_signature;
+int options, dlen;
+off_t k_file_size;
+const uschar * errstr;
+
+dkim_spool_name = spool_fname(US"input", message_subdir, message_id,
+		    string_sprintf("-%d-K", (int)getpid()));
+
+DEBUG(D_transport) debug_printf("dkim signing via file %s\n", dkim_spool_name);
+
+if ((dkim_fd = Uopen(dkim_spool_name, O_RDWR|O_CREAT|O_TRUNC, SPOOL_MODE)) < 0)
+  {
+  /* Can't create spool file. Ugh. */
+  rc = FALSE;
+  save_errno = errno;
+  *err = string_sprintf("dkim spoolfile create: %s", strerror(errno));
+  goto CLEANUP;
+  }
+
+/* Call transport utility function to write the -K file; does the CRLF expansion
+(but, in the CHUNKING case, neither dot-stuffing nor dot-termination). */
+
+  {
+  int save_fd = tctx->u.fd;
+  tctx->u.fd = dkim_fd;
+  options = tctx->options;
+  tctx->options &= ~topt_use_bdat;
+
+  rc = transport_write_message(tctx, 0);
+
+  tctx->u.fd = save_fd;
+  tctx->options = options;
+  }
+
+/* Save error state. We must clean up before returning. */
+if (!rc)
+  {
+  save_errno = errno;
+  goto CLEANUP;
+  }
+
+#ifdef EXPERIMENTAL_ARC
+arc_sign_init();
+#endif
+
+/* Feed the file to the goats^W DKIM lib.  At this point the dotstuffed
+status of the file depends on the output of transport_write_message() just
+above, which should be the result of the end_dot flag in tctx->options. */
+
+dkim->dot_stuffed = !!(options & topt_end_dot);
+if (!(dkim_signature = dkim_exim_sign(dkim_fd, 0, NULL, dkim, &errstr)))
+  {
+  dlen = 0;
+  if (!(rc = dkt_sign_fail(dkim, &save_errno)))
+    {
+    *err = errstr;
+    goto CLEANUP;
+    }
+  }
+else
+  dlen = dkim_signature->ptr;
+
+#ifdef EXPERIMENTAL_ARC
+if (dkim->arc_signspec)				/* Prepend ARC headers */
+  {
+  if (!(dkim_signature = arc_sign(dkim->arc_signspec, dkim_signature, USS err)))
+    goto CLEANUP;
+  dlen = dkim_signature->ptr;
+  }
+#endif
+
+#ifndef OS_SENDFILE
+if (options & topt_use_bdat)
+#endif
+  if ((k_file_size = lseek(dkim_fd, 0, SEEK_END)) < 0)
+    {
+    *err = string_sprintf("dkim spoolfile seek: %s", strerror(errno));
+    goto CLEANUP;
+    }
+
+if (options & topt_use_bdat)
+  {
+  /* On big messages output a precursor chunk to get any pipelined
+  MAIL & RCPT commands flushed, then reap the responses so we can
+  error out on RCPT rejects before sending megabytes. */
+
+  if (  dlen + k_file_size > DELIVER_OUT_BUFFER_SIZE
+     && dlen > 0)
+    {
+    if (  tctx->chunk_cb(tctx, dlen, 0) != OK
+       || !transport_write_block(tctx,
+		    dkim_signature->s, dlen, FALSE)
+       || tctx->chunk_cb(tctx, 0, tc_reap_prev) != OK
+       )
+      goto err;
+    dlen = 0;
+    }
+
+  /* Send the BDAT command for the entire message, as a single LAST-marked
+  chunk. */
+
+  if (tctx->chunk_cb(tctx, dlen + k_file_size, tc_chunk_last) != OK)
+    goto err;
+  }
+
+if(dlen > 0 && !transport_write_block(tctx, dkim_signature->s, dlen, TRUE))
+  goto err;
+
+if (!dkt_send_file(tctx->u.fd, dkim_fd, 0
+#ifdef OS_SENDFILE
+  , k_file_size
+#endif
+  ))
+  {
+  save_errno = errno;
+  rc = FALSE;
+  }
+
+CLEANUP:
+  /* unlink -K file */
+  if (dkim_fd >= 0) (void)close(dkim_fd);
+  Uunlink(dkim_spool_name);
+  errno = save_errno;
+  return rc;
+
+err:
+  save_errno = errno;
+  rc = FALSE;
+  goto CLEANUP;
+}
+
+
+
+/***************************************************************************************************
+*    External interface to write the message, while signing it with DKIM and/or Domainkeys         *
+***************************************************************************************************/
+
+/* This function is a wrapper around transport_write_message().
+   It is only called from the smtp transport if DKIM or Domainkeys support
+   is compiled in.
+
+Arguments:
+  As for transport_write_message() in transort.c, with additional arguments
+  for DKIM.
+
+Returns:       TRUE on success; FALSE (with errno) for any failure
+*/
+
+BOOL
+dkim_transport_write_message(transport_ctx * tctx,
+  struct ob_dkim * dkim, const uschar ** err)
+{
+/* If we can't sign, just call the original function. */
+
+if (  !(dkim->dkim_private_key && dkim->dkim_domain && dkim->dkim_selector)
+   && !dkim->force_bodyhash)
+  return transport_write_message(tctx, 0);
+
+/* If there is no filter command set up, construct the message and calculate
+a dkim signature of it, send the signature and a reconstructed message. This
+avoids using a temprary file. */
+
+if (  !transport_filter_argv
+   || !*transport_filter_argv
+   || !**transport_filter_argv
+   )
+  return dkt_direct(tctx, dkim, err);
+
+/* Use the transport path to write a file, calculate a dkim signature,
+send the signature and then send the file. */
+
+return dkt_via_kfile(tctx, dkim, err);
+}
+
+#endif	/* whole file */
+
+/* vi: aw ai sw=2
+*/
+/* End of dkim_transport.c */
diff --git a/src/dmarc.c b/src/dmarc.c
new file mode 100644
index 0000000..17bba9d
--- /dev/null
+++ b/src/dmarc.c
@@ -0,0 +1,655 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+/* DMARC support.
+   Copyright (c) The Exim Maintainers 2019 - 2022
+   Copyright (c) Todd Lyons <tlyons@exim.org> 2012 - 2014
+   License: GPL */
+
+/* Portions Copyright (c) 2012, 2013, The Trusted Domain Project;
+   All rights reserved, licensed for use per LICENSE.opendmarc. */
+
+/* Code for calling dmarc checks via libopendmarc. Called from acl.c. */
+
+#include "exim.h"
+#ifdef SUPPORT_DMARC
+# if !defined SUPPORT_SPF
+#  error SPF must also be enabled for DMARC
+# elif defined DISABLE_DKIM
+#  error DKIM must also be enabled for DMARC
+# else
+
+#  include "functions.h"
+#  include "dmarc.h"
+#  include "pdkim/pdkim.h"
+
+OPENDMARC_LIB_T     dmarc_ctx;
+DMARC_POLICY_T     *dmarc_pctx = NULL;
+OPENDMARC_STATUS_T  libdm_status, action, dmarc_policy;
+OPENDMARC_STATUS_T  da, sa, action;
+BOOL dmarc_abort  = FALSE;
+uschar *dmarc_pass_fail = US"skipped";
+header_line *from_header   = NULL;
+extern SPF_response_t   *spf_response;
+int dmarc_spf_ares_result  = 0;
+uschar *spf_sender_domain  = NULL;
+uschar *spf_human_readable = NULL;
+u_char *header_from_sender = NULL;
+int history_file_status    = DMARC_HIST_OK;
+uschar *dkim_history_buffer= NULL;
+
+typedef struct dmarc_exim_p {
+  uschar *name;
+  int    value;
+} dmarc_exim_p;
+
+static dmarc_exim_p dmarc_policy_description[] = {
+  /* name		value */
+  { US"",           DMARC_RECORD_P_UNSPECIFIED },
+  { US"none",       DMARC_RECORD_P_NONE },
+  { US"quarantine", DMARC_RECORD_P_QUARANTINE },
+  { US"reject",     DMARC_RECORD_P_REJECT },
+  { NULL,           0 }
+};
+
+
+gstring *
+dmarc_version_report(gstring * g)
+{
+return string_fmt_append(g, "Library version: dmarc: Compile: %d.%d.%d.%d\n",
+    (OPENDMARC_LIB_VERSION & 0xff000000) >> 24, (OPENDMARC_LIB_VERSION & 0x00ff0000) >> 16,
+    (OPENDMARC_LIB_VERSION & 0x0000ff00) >> 8, OPENDMARC_LIB_VERSION & 0x000000ff);
+}
+
+
+/* Accept an error_block struct, initialize if empty, parse to the
+end, and append the two strings passed to it.  Used for adding
+variable amounts of value:pair data to the forensic emails. */
+
+static error_block *
+add_to_eblock(error_block *eblock, uschar *t1, uschar *t2)
+{
+error_block *eb = store_malloc(sizeof(error_block));
+if (!eblock)
+  eblock = eb;
+else
+  {
+  /* Find the end of the eblock struct and point it at eb */
+  error_block *tmp = eblock;
+  while(tmp->next)
+    tmp = tmp->next;
+  tmp->next = eb;
+  }
+eb->text1 = t1;
+eb->text2 = t2;
+eb->next  = NULL;
+return eblock;
+}
+
+/* dmarc_init sets up a context that can be re-used for several
+messages on the same SMTP connection (that come from the
+same host with the same HELO string) */
+
+int
+dmarc_init()
+{
+int *netmask   = NULL;   /* Ignored */
+int is_ipv6    = 0;
+
+/* Set some sane defaults.  Also clears previous results when
+ * multiple messages in one connection. */
+dmarc_pctx         = NULL;
+dmarc_status       = US"none";
+dmarc_abort        = FALSE;
+dmarc_pass_fail    = US"skipped";
+dmarc_used_domain  = US"";
+f.dmarc_has_been_checked = FALSE;
+header_from_sender = NULL;
+spf_sender_domain  = NULL;
+spf_human_readable = NULL;
+
+/* ACLs have "control=dmarc_disable_verify" */
+if (f.dmarc_disable_verify == TRUE)
+  return OK;
+
+(void) memset(&dmarc_ctx, '\0', sizeof dmarc_ctx);
+dmarc_ctx.nscount = 0;
+libdm_status = opendmarc_policy_library_init(&dmarc_ctx);
+if (libdm_status != DMARC_PARSE_OKAY)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "DMARC failure to init library: %s",
+		       opendmarc_policy_status_to_str(libdm_status));
+  dmarc_abort = TRUE;
+  }
+if (!dmarc_tld_file || !*dmarc_tld_file)
+  {
+  DEBUG(D_receive) debug_printf("DMARC: no dmarc_tld_file\n");
+  dmarc_abort = TRUE;
+  }
+else if (opendmarc_tld_read_file(CS dmarc_tld_file, NULL, NULL, NULL))
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "DMARC failure to load tld list '%s': %s",
+		       dmarc_tld_file, strerror(errno));
+  dmarc_abort = TRUE;
+  }
+if (!sender_host_address)
+  {
+  DEBUG(D_receive) debug_printf("DMARC: no sender_host_address\n");
+  dmarc_abort = TRUE;
+  }
+/* This catches locally originated email and startup errors above. */
+if (!dmarc_abort)
+  {
+  is_ipv6 = string_is_ip_address(sender_host_address, netmask) == 6;
+  if (!(dmarc_pctx = opendmarc_policy_connect_init(sender_host_address, is_ipv6)))
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "DMARC failure creating policy context: ip=%s", sender_host_address);
+    dmarc_abort = TRUE;
+    }
+  }
+
+return OK;
+}
+
+
+/* dmarc_store_data stores the header data so that subsequent
+dmarc_process can access the data */
+
+int
+dmarc_store_data(header_line *hdr)
+{
+/* No debug output because would change every test debug output */
+if (!f.dmarc_disable_verify)
+  from_header = hdr;
+return OK;
+}
+
+
+static void
+dmarc_send_forensic_report(u_char **ruf)
+{
+uschar *recipient, *save_sender;
+BOOL  send_status = FALSE;
+error_block *eblock = NULL;
+FILE *message_file = NULL;
+
+/* Earlier ACL does not have *required* control=dmarc_enable_forensic */
+if (!f.dmarc_enable_forensic)
+  return;
+
+if (  dmarc_policy == DMARC_POLICY_REJECT     && action == DMARC_RESULT_REJECT
+   || dmarc_policy == DMARC_POLICY_QUARANTINE && action == DMARC_RESULT_QUARANTINE
+   || dmarc_policy == DMARC_POLICY_NONE       && action == DMARC_RESULT_REJECT
+   || dmarc_policy == DMARC_POLICY_NONE       && action == DMARC_RESULT_QUARANTINE
+   )
+  if (ruf)
+    {
+    eblock = add_to_eblock(eblock, US"Sender Domain", dmarc_used_domain);
+    eblock = add_to_eblock(eblock, US"Sender IP Address", sender_host_address);
+    eblock = add_to_eblock(eblock, US"Received Date", tod_stamp(tod_full));
+    eblock = add_to_eblock(eblock, US"SPF Alignment",
+		     sa == DMARC_POLICY_SPF_ALIGNMENT_PASS ? US"yes" : US"no");
+    eblock = add_to_eblock(eblock, US"DKIM Alignment",
+		     da == DMARC_POLICY_DKIM_ALIGNMENT_PASS ? US"yes" : US"no");
+    eblock = add_to_eblock(eblock, US"DMARC Results", dmarc_status_text);
+
+    for (int c = 0; ruf[c]; c++)
+      {
+      recipient = string_copylc(ruf[c]);
+      if (Ustrncmp(recipient, "mailto:",7))
+	continue;
+      /* Move to first character past the colon */
+      recipient += 7;
+      DEBUG(D_receive)
+	debug_printf("DMARC forensic report to %s%s\n", recipient,
+	     (host_checking || f.running_in_test_harness) ? " (not really)" : "");
+      if (host_checking || f.running_in_test_harness)
+	continue;
+
+      if (!moan_send_message(recipient, ERRMESS_DMARC_FORENSIC, eblock,
+			    header_list, message_file, NULL))
+	log_write(0, LOG_MAIN|LOG_PANIC,
+	  "failure to send DMARC forensic report to %s", recipient);
+      }
+    }
+}
+
+
+/* Look up a DNS dmarc record for the given domain.  Return it or NULL */
+
+static uschar *
+dmarc_dns_lookup(uschar * dom)
+{
+dns_answer * dnsa = store_get_dns_answer();
+dns_scan dnss;
+int rc = dns_lookup(dnsa, string_sprintf("_dmarc.%s", dom), T_TXT, NULL);
+
+if (rc == DNS_SUCCEED)
+  for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+       rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
+    if (rr->type == T_TXT && rr->size > 3)
+      {
+      store_free_dns_answer(dnsa);
+      return string_copyn_taint(US rr->data, rr->size, GET_TAINTED);
+      }
+store_free_dns_answer(dnsa);
+return NULL;
+}
+
+
+static int
+dmarc_write_history_file()
+{
+int history_file_fd;
+ssize_t written_len;
+int tmp_ans;
+u_char **rua; /* aggregate report addressees */
+uschar *history_buffer = NULL;
+
+if (!dmarc_history_file)
+  {
+  DEBUG(D_receive) debug_printf("DMARC history file not set\n");
+  return DMARC_HIST_DISABLED;
+  }
+history_file_fd = log_open_as_exim(dmarc_history_file);
+
+if (history_file_fd < 0)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "failure to create DMARC history file: %s",
+			   dmarc_history_file);
+  return DMARC_HIST_FILE_ERR;
+  }
+
+/* Generate the contents of the history file */
+history_buffer = string_sprintf(
+  "job %s\nreporter %s\nreceived %ld\nipaddr %s\nfrom %s\nmfrom %s\n",
+  message_id, primary_hostname, time(NULL), sender_host_address,
+  header_from_sender, expand_string(US"$sender_address_domain"));
+
+if (spf_response)
+  history_buffer = string_sprintf("%sspf %d\n", history_buffer, dmarc_spf_ares_result);
+  /* history_buffer = string_sprintf("%sspf -1\n", history_buffer); */
+
+history_buffer = string_sprintf(
+  "%s%spdomain %s\npolicy %d\n",
+  history_buffer, dkim_history_buffer, dmarc_used_domain, dmarc_policy);
+
+if ((rua = opendmarc_policy_fetch_rua(dmarc_pctx, NULL, 0, 1)))
+  for (tmp_ans = 0; rua[tmp_ans]; tmp_ans++)
+    history_buffer = string_sprintf("%srua %s\n", history_buffer, rua[tmp_ans]);
+else
+  history_buffer = string_sprintf("%srua -\n", history_buffer);
+
+opendmarc_policy_fetch_pct(dmarc_pctx, &tmp_ans);
+history_buffer = string_sprintf("%spct %d\n", history_buffer, tmp_ans);
+
+opendmarc_policy_fetch_adkim(dmarc_pctx, &tmp_ans);
+history_buffer = string_sprintf("%sadkim %d\n", history_buffer, tmp_ans);
+
+opendmarc_policy_fetch_aspf(dmarc_pctx, &tmp_ans);
+history_buffer = string_sprintf("%saspf %d\n", history_buffer, tmp_ans);
+
+opendmarc_policy_fetch_p(dmarc_pctx, &tmp_ans);
+history_buffer = string_sprintf("%sp %d\n", history_buffer, tmp_ans);
+
+opendmarc_policy_fetch_sp(dmarc_pctx, &tmp_ans);
+history_buffer = string_sprintf("%ssp %d\n", history_buffer, tmp_ans);
+
+history_buffer = string_sprintf(
+  "%salign_dkim %d\nalign_spf %d\naction %d\n",
+  history_buffer, da, sa, action);
+
+/* Write the contents to the history file */
+DEBUG(D_receive)
+  debug_printf("DMARC logging history data for opendmarc reporting%s\n",
+	     (host_checking || f.running_in_test_harness) ? " (not really)" : "");
+if (host_checking || f.running_in_test_harness)
+  {
+  DEBUG(D_receive)
+    debug_printf("DMARC history data for debugging:\n%s", history_buffer);
+  }
+else
+  {
+  written_len = write_to_fd_buf(history_file_fd,
+				history_buffer,
+				Ustrlen(history_buffer));
+  if (written_len == 0)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "failure to write to DMARC history file: %s",
+			   dmarc_history_file);
+    return DMARC_HIST_WRITE_ERR;
+    }
+  (void)close(history_file_fd);
+  }
+return DMARC_HIST_OK;
+}
+
+
+/* dmarc_process adds the envelope sender address to the existing
+context (if any), retrieves the result, sets up expansion
+strings and evaluates the condition outcome. */
+
+int
+dmarc_process()
+{
+int sr, origin;             /* used in SPF section */
+int dmarc_spf_result  = 0;  /* stores spf into dmarc conn ctx */
+int tmp_ans, c;
+pdkim_signature * sig = dkim_signatures;
+uschar * rr;
+BOOL has_dmarc_record = TRUE;
+u_char **ruf; /* forensic report addressees, if called for */
+
+/* ACLs have "control=dmarc_disable_verify" */
+if (f.dmarc_disable_verify)
+  return OK;
+
+/* Store the header From: sender domain for this part of DMARC.
+ * If there is no from_header struct, then it's likely this message
+ * is locally generated and relying on fixups to add it.  Just skip
+ * the entire DMARC system if we can't find a From: header....or if
+ * there was a previous error.
+ */
+if (!from_header)
+  {
+  DEBUG(D_receive) debug_printf("DMARC: no From: header\n");
+  dmarc_abort = TRUE;
+  }
+else if (!dmarc_abort)
+  {
+  uschar * errormsg;
+  int dummy, domain;
+  uschar * p;
+  uschar saveend;
+
+  f.parse_allow_group = TRUE;
+  p = parse_find_address_end(from_header->text, FALSE);
+  saveend = *p; *p = '\0';
+  if ((header_from_sender = parse_extract_address(from_header->text, &errormsg,
+			      &dummy, &dummy, &domain, FALSE)))
+    header_from_sender += domain;
+  *p = saveend;
+
+  /* The opendmarc library extracts the domain from the email address, but
+   * only try to store it if it's not empty.  Otherwise, skip out of DMARC. */
+  if (!header_from_sender || (strcmp( CCS header_from_sender, "") == 0))
+    dmarc_abort = TRUE;
+  libdm_status = dmarc_abort
+    ? DMARC_PARSE_OKAY
+    : opendmarc_policy_store_from_domain(dmarc_pctx, header_from_sender);
+  if (libdm_status != DMARC_PARSE_OKAY)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC,
+	      "failure to store header From: in DMARC: %s, header was '%s'",
+	      opendmarc_policy_status_to_str(libdm_status), from_header->text);
+    dmarc_abort = TRUE;
+    }
+  }
+
+/* Skip DMARC if connection is SMTP Auth. Temporarily, admin should
+ * instead do this in the ACLs.  */
+if (!dmarc_abort && !sender_host_authenticated)
+  {
+  uschar * dmarc_domain;
+
+  /* Use the envelope sender domain for this part of DMARC */
+  spf_sender_domain = expand_string(US"$sender_address_domain");
+  if (!spf_response)
+    {
+    /* No spf data means null envelope sender so generate a domain name
+     * from the sender_helo_name  */
+    if (!spf_sender_domain)
+      {
+      spf_sender_domain = sender_helo_name;
+      log_write(0, LOG_MAIN, "DMARC using synthesized SPF sender domain = %s\n",
+			     spf_sender_domain);
+      DEBUG(D_receive)
+	debug_printf("DMARC using synthesized SPF sender domain = %s\n",
+	  spf_sender_domain);
+      }
+    dmarc_spf_result = DMARC_POLICY_SPF_OUTCOME_NONE;
+    dmarc_spf_ares_result = ARES_RESULT_UNKNOWN;
+    origin = DMARC_POLICY_SPF_ORIGIN_HELO;
+    spf_human_readable = US"";
+    }
+  else
+    {
+    sr = spf_response->result;
+    dmarc_spf_result = sr == SPF_RESULT_NEUTRAL  ? DMARC_POLICY_SPF_OUTCOME_NONE :
+		       sr == SPF_RESULT_PASS     ? DMARC_POLICY_SPF_OUTCOME_PASS :
+		       sr == SPF_RESULT_FAIL     ? DMARC_POLICY_SPF_OUTCOME_FAIL :
+		       sr == SPF_RESULT_SOFTFAIL ? DMARC_POLICY_SPF_OUTCOME_TMPFAIL :
+		       DMARC_POLICY_SPF_OUTCOME_NONE;
+    dmarc_spf_ares_result = sr == SPF_RESULT_NEUTRAL   ? ARES_RESULT_NEUTRAL :
+			    sr == SPF_RESULT_PASS      ? ARES_RESULT_PASS :
+			    sr == SPF_RESULT_FAIL      ? ARES_RESULT_FAIL :
+			    sr == SPF_RESULT_SOFTFAIL  ? ARES_RESULT_SOFTFAIL :
+			    sr == SPF_RESULT_NONE      ? ARES_RESULT_NONE :
+			    sr == SPF_RESULT_TEMPERROR ? ARES_RESULT_TEMPERROR :
+			    sr == SPF_RESULT_PERMERROR ? ARES_RESULT_PERMERROR :
+			    ARES_RESULT_UNKNOWN;
+    origin = DMARC_POLICY_SPF_ORIGIN_MAILFROM;
+    spf_human_readable = US spf_response->header_comment;
+    DEBUG(D_receive)
+      debug_printf("DMARC using SPF sender domain = %s\n", spf_sender_domain);
+    }
+  if (strcmp( CCS spf_sender_domain, "") == 0)
+    dmarc_abort = TRUE;
+  if (!dmarc_abort)
+    {
+    libdm_status = opendmarc_policy_store_spf(dmarc_pctx, spf_sender_domain,
+				dmarc_spf_result, origin, spf_human_readable);
+    if (libdm_status != DMARC_PARSE_OKAY)
+      log_write(0, LOG_MAIN|LOG_PANIC, "failure to store spf for DMARC: %s",
+			   opendmarc_policy_status_to_str(libdm_status));
+    }
+
+  /* Now we cycle through the dkim signature results and put into
+   * the opendmarc context, further building the DMARC reply.  */
+  dkim_history_buffer = US"";
+  while (sig)
+    {
+    int dkim_result, dkim_ares_result, vs, ves;
+
+    vs  = sig->verify_status & ~PDKIM_VERIFY_POLICY;
+    ves = sig->verify_ext_status;
+    dkim_result = vs == PDKIM_VERIFY_PASS ? DMARC_POLICY_DKIM_OUTCOME_PASS :
+		  vs == PDKIM_VERIFY_FAIL ? DMARC_POLICY_DKIM_OUTCOME_FAIL :
+		  vs == PDKIM_VERIFY_INVALID ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL :
+		  DMARC_POLICY_DKIM_OUTCOME_NONE;
+    libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, US sig->domain,
+					       dkim_result, US"");
+    DEBUG(D_receive)
+      debug_printf("DMARC adding DKIM sender domain = %s\n", sig->domain);
+    if (libdm_status != DMARC_PARSE_OKAY)
+      log_write(0, LOG_MAIN|LOG_PANIC,
+		"failure to store dkim (%s) for DMARC: %s",
+		sig->domain, opendmarc_policy_status_to_str(libdm_status));
+
+    dkim_ares_result =
+      vs == PDKIM_VERIFY_PASS    ? ARES_RESULT_PASS :
+      vs == PDKIM_VERIFY_FAIL    ? ARES_RESULT_FAIL :
+      vs == PDKIM_VERIFY_NONE    ? ARES_RESULT_NONE :
+      vs == PDKIM_VERIFY_INVALID ?
+       ves == PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE ? ARES_RESULT_PERMERROR :
+       ves == PDKIM_VERIFY_INVALID_BUFFER_SIZE        ? ARES_RESULT_PERMERROR :
+       ves == PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD   ? ARES_RESULT_PERMERROR :
+       ves == PDKIM_VERIFY_INVALID_PUBKEY_IMPORT      ? ARES_RESULT_PERMERROR :
+       ARES_RESULT_UNKNOWN :
+      ARES_RESULT_UNKNOWN;
+    dkim_history_buffer = string_sprintf("%sdkim %s %d\n", dkim_history_buffer,
+					 sig->domain, dkim_ares_result);
+    sig = sig->next;
+    }
+
+  /* Look up DMARC policy record in DNS.  We do this explicitly, rather than
+  letting the dmarc library do it with opendmarc_policy_query_dmarc(), so that
+  our dns access path is used for debug tracing and for the testsuite
+  diversion. */
+
+  libdm_status = (rr = dmarc_dns_lookup(header_from_sender))
+    ? opendmarc_policy_store_dmarc(dmarc_pctx, rr, header_from_sender, NULL)
+    : DMARC_DNS_ERROR_NO_RECORD;
+  switch (libdm_status)
+    {
+    case DMARC_DNS_ERROR_NXDOMAIN:
+    case DMARC_DNS_ERROR_NO_RECORD:
+      DEBUG(D_receive)
+	debug_printf("DMARC no record found for %s\n", header_from_sender);
+      has_dmarc_record = FALSE;
+      break;
+    case DMARC_PARSE_OKAY:
+      DEBUG(D_receive)
+	debug_printf("DMARC record found for %s\n", header_from_sender);
+      break;
+    case DMARC_PARSE_ERROR_BAD_VALUE:
+      DEBUG(D_receive)
+	debug_printf("DMARC record parse error for %s\n", header_from_sender);
+      has_dmarc_record = FALSE;
+      break;
+    default:
+      /* everything else, skip dmarc */
+      DEBUG(D_receive)
+	debug_printf("DMARC skipping (%d), unsure what to do with %s",
+		      libdm_status, from_header->text);
+      has_dmarc_record = FALSE;
+      break;
+    }
+
+/* Store the policy string in an expandable variable. */
+
+  libdm_status = opendmarc_policy_fetch_p(dmarc_pctx, &tmp_ans);
+  for (c = 0; dmarc_policy_description[c].name; c++)
+    if (tmp_ans == dmarc_policy_description[c].value)
+      {
+      dmarc_domain_policy = string_sprintf("%s",dmarc_policy_description[c].name);
+      break;
+      }
+
+  /* Can't use exim's string manipulation functions so allocate memory
+  for libopendmarc using its max hostname length definition. */
+
+  dmarc_domain = store_get(DMARC_MAXHOSTNAMELEN, GET_TAINTED);
+  libdm_status = opendmarc_policy_fetch_utilized_domain(dmarc_pctx,
+    dmarc_domain, DMARC_MAXHOSTNAMELEN-1);
+  store_release_above(dmarc_domain + Ustrlen(dmarc_domain)+1);
+  dmarc_used_domain = dmarc_domain;
+
+  if (libdm_status != DMARC_PARSE_OKAY)
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "failure to read domainname used for DMARC lookup: %s",
+      opendmarc_policy_status_to_str(libdm_status));
+
+  dmarc_policy = libdm_status = opendmarc_get_policy_to_enforce(dmarc_pctx);
+  switch(libdm_status)
+    {
+    case DMARC_POLICY_ABSENT:     /* No DMARC record found */
+      dmarc_status = US"norecord";
+      dmarc_pass_fail = US"none";
+      dmarc_status_text = US"No DMARC record";
+      action = DMARC_RESULT_ACCEPT;
+      break;
+    case DMARC_FROM_DOMAIN_ABSENT:    /* No From: domain */
+      dmarc_status = US"nofrom";
+      dmarc_pass_fail = US"temperror";
+      dmarc_status_text = US"No From: domain found";
+      action = DMARC_RESULT_ACCEPT;
+      break;
+    case DMARC_POLICY_NONE:       /* Accept and report */
+      dmarc_status = US"none";
+      dmarc_pass_fail = US"none";
+      dmarc_status_text = US"None, Accept";
+      action = DMARC_RESULT_ACCEPT;
+      break;
+    case DMARC_POLICY_PASS:       /* Explicit accept */
+      dmarc_status = US"accept";
+      dmarc_pass_fail = US"pass";
+      dmarc_status_text = US"Accept";
+      action = DMARC_RESULT_ACCEPT;
+      break;
+    case DMARC_POLICY_REJECT:       /* Explicit reject */
+      dmarc_status = US"reject";
+      dmarc_pass_fail = US"fail";
+      dmarc_status_text = US"Reject";
+      action = DMARC_RESULT_REJECT;
+      break;
+    case DMARC_POLICY_QUARANTINE:       /* Explicit quarantine */
+      dmarc_status = US"quarantine";
+      dmarc_pass_fail = US"fail";
+      dmarc_status_text = US"Quarantine";
+      action = DMARC_RESULT_QUARANTINE;
+      break;
+    default:
+      dmarc_status = US"temperror";
+      dmarc_pass_fail = US"temperror";
+      dmarc_status_text = US"Internal Policy Error";
+      action = DMARC_RESULT_TEMPFAIL;
+      break;
+    }
+
+  libdm_status = opendmarc_policy_fetch_alignment(dmarc_pctx, &da, &sa);
+  if (libdm_status != DMARC_PARSE_OKAY)
+    log_write(0, LOG_MAIN|LOG_PANIC, "failure to read DMARC alignment: %s",
+			     opendmarc_policy_status_to_str(libdm_status));
+
+  if (has_dmarc_record)
+    {
+    log_write(0, LOG_MAIN, "DMARC results: spf_domain=%s dmarc_domain=%s "
+			   "spf_align=%s dkim_align=%s enforcement='%s'",
+			   spf_sender_domain, dmarc_used_domain,
+			   sa==DMARC_POLICY_SPF_ALIGNMENT_PASS  ?"yes":"no",
+			   da==DMARC_POLICY_DKIM_ALIGNMENT_PASS ?"yes":"no",
+			   dmarc_status_text);
+    history_file_status = dmarc_write_history_file();
+    /* Now get the forensic reporting addresses, if any */
+    ruf = opendmarc_policy_fetch_ruf(dmarc_pctx, NULL, 0, 1);
+    dmarc_send_forensic_report(ruf);
+    }
+  }
+
+/* shut down libopendmarc */
+if (dmarc_pctx)
+  (void) opendmarc_policy_connect_shutdown(dmarc_pctx);
+if (!f.dmarc_disable_verify)
+  (void) opendmarc_policy_library_shutdown(&dmarc_ctx);
+
+return OK;
+}
+
+uschar *
+dmarc_exim_expand_query(int what)
+{
+if (f.dmarc_disable_verify || !dmarc_pctx)
+  return dmarc_exim_expand_defaults(what);
+
+if (what == DMARC_VERIFY_STATUS)
+  return dmarc_status;
+return US"";
+}
+
+uschar *
+dmarc_exim_expand_defaults(int what)
+{
+if (what == DMARC_VERIFY_STATUS)
+  return f.dmarc_disable_verify ?  US"off" : US"none";
+return US"";
+}
+
+
+gstring *
+authres_dmarc(gstring * g)
+{
+if (f.dmarc_has_been_checked)
+  {
+  g = string_append(g, 2, US";\n\tdmarc=", dmarc_pass_fail);
+  if (header_from_sender)
+    g = string_append(g, 2, US" header.from=", header_from_sender);
+  }
+return g;
+}
+
+# endif /* SUPPORT_SPF */
+#endif /* SUPPORT_DMARC */
+/* vi: aw ai sw=2
+ */
diff --git a/src/dmarc.h b/src/dmarc.h
new file mode 100644
index 0000000..899cd7e
--- /dev/null
+++ b/src/dmarc.h
@@ -0,0 +1,60 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Experimental DMARC support.
+   Copyright (c) The Exim Maintainers 2021 - 2022
+   Copyright (c) Todd Lyons <tlyons@exim.org> 2012 - 2014
+   License: GPL */
+
+/* Portions Copyright (c) 2012, 2013, The Trusted Domain Project;
+   All rights reserved, licensed for use per LICENSE.opendmarc. */
+
+#ifdef SUPPORT_DMARC
+
+# include "opendmarc/dmarc.h"
+# ifdef SUPPORT_SPF
+#  include "spf2/spf.h"
+# endif /* SUPPORT_SPF */
+
+/* prototypes */
+gstring * dmarc_version_report(gstring *);
+int dmarc_init();
+int dmarc_store_data(header_line *);
+int dmarc_process();
+uschar *dmarc_exim_expand_query(int);
+uschar *dmarc_exim_expand_defaults(int);
+
+#define DMARC_VERIFY_STATUS    1
+
+#define DMARC_HIST_OK          1
+#define DMARC_HIST_DISABLED    2
+#define DMARC_HIST_EMPTY       3
+#define DMARC_HIST_FILE_ERR    4
+#define DMARC_HIST_WRITE_ERR   5
+
+/* From opendmarc.c */
+#define DMARC_RESULT_REJECT     0
+#define DMARC_RESULT_DISCARD    1
+#define DMARC_RESULT_ACCEPT     2
+#define DMARC_RESULT_TEMPFAIL   3
+#define DMARC_RESULT_QUARANTINE 4
+
+/* From opendmarc-ar.h */
+/* ARES_RESULT_T -- type for specifying an authentication result */
+#define ARES_RESULT_UNDEFINED   (-1)
+#define ARES_RESULT_PASS    0
+#define ARES_RESULT_UNUSED  1
+#define ARES_RESULT_SOFTFAIL    2
+#define ARES_RESULT_NEUTRAL 3
+#define ARES_RESULT_TEMPERROR   4
+#define ARES_RESULT_PERMERROR   5
+#define ARES_RESULT_NONE    6
+#define ARES_RESULT_FAIL    7
+#define ARES_RESULT_POLICY  8
+#define ARES_RESULT_NXDOMAIN    9
+#define ARES_RESULT_SIGNED  10
+#define ARES_RESULT_UNKNOWN 11
+#define ARES_RESULT_DISCARD 12
+
+#endif /* SUPPORT_DMARC */
diff --git a/src/dns.c b/src/dns.c
new file mode 100644
index 0000000..7d7ee0c
--- /dev/null
+++ b/src/dns.c
@@ -0,0 +1,1332 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions for interfacing with the DNS. */
+
+#include "exim.h"
+
+
+/*************************************************
+*               Fake DNS resolver                *
+*************************************************/
+
+/* This function is called instead of res_search() when Exim is running in its
+test harness. It recognizes some special domain names, and uses them to force
+failure and retry responses (optionally with a delay). Otherwise, it calls an
+external utility that mocks-up a nameserver, if it can find the utility.
+If not, it passes its arguments on to res_search(). The fake nameserver may
+also return a code specifying that the name should be passed on.
+
+Background: the original test suite required a real nameserver to carry the
+test zones, whereas the new test suite has the fake server for portability. This
+code supports both.
+
+Arguments:
+  domain      the domain name
+  type        the DNS record type
+  answerptr   where to put the answer
+  size        size of the answer area
+
+Returns:      length of returned data, or -1 on error (h_errno set)
+*/
+
+static int
+fakens_search(const uschar *domain, int type, uschar *answerptr, int size)
+{
+int len = Ustrlen(domain);
+int asize = size;                  /* Locally modified */
+uschar * name;
+uschar utilname[256];
+uschar *aptr = answerptr;          /* Locally modified */
+struct stat statbuf;
+
+/* Remove terminating dot. */
+
+if (domain[len - 1] == '.') len--;
+name = string_copyn(domain, len);
+
+/* Look for the fakens utility, and if it exists, call it. */
+
+(void)string_format(utilname, sizeof(utilname), "%s/bin/fakens",
+  config_main_directory);
+
+if (stat(CS utilname, &statbuf) >= 0)
+  {
+  pid_t pid;
+  int infd, outfd, rc;
+  uschar *argv[5];
+
+  DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) using fakens\n",
+		name, dns_text_type(type));
+
+  argv[0] = utilname;
+  argv[1] = config_main_directory;
+  argv[2] = name;
+  argv[3] = dns_text_type(type);
+  argv[4] = NULL;
+
+  pid = child_open(argv, NULL, 0000, &infd, &outfd, FALSE, US"fakens-search");
+  if (pid < 0)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to run fakens: %s",
+      strerror(errno));
+
+  len = 0;
+  rc = -1;
+  while (asize > 0 && (rc = read(outfd, aptr, asize)) > 0)
+    {
+    len += rc;
+    aptr += rc;       /* Don't modify the actual arguments, because they */
+    asize -= rc;      /* may need to be passed on to res_search(). */
+    }
+
+  /* If we ran out of output buffer before exhausting the return,
+  carry on reading and counting it. */
+
+  if (asize == 0)
+    while ((rc = read(outfd, name, sizeof(name))) > 0)
+      len += rc;
+
+  if (rc < 0)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "read from fakens failed: %s",
+      strerror(errno));
+
+  switch(child_close(pid, 0))
+    {
+    case 0: return len;
+    case 1: h_errno = HOST_NOT_FOUND; return -1;
+    case 2: h_errno = TRY_AGAIN; return -1;
+    default:
+    case 3: h_errno = NO_RECOVERY; return -1;
+    case 4: h_errno = NO_DATA; return -1;
+    case 5: /* Pass on to res_search() */
+    DEBUG(D_dns) debug_printf("fakens returned PASS_ON\n");
+    }
+  }
+else
+  {
+  DEBUG(D_dns) debug_printf("fakens (%s) not found\n", utilname);
+  }
+
+/* fakens utility not found, or it returned "pass on" */
+
+DEBUG(D_dns) debug_printf("passing %s on to res_search()\n", domain);
+
+return res_search(CS domain, C_IN, type, answerptr, size);
+}
+
+
+
+/*************************************************
+*        Initialize and configure resolver       *
+*************************************************/
+
+/* Initialize the resolver and the storage for holding DNS answers if this is
+the first time we have been here, and set the resolver options.
+
+Arguments:
+  qualify_single    TRUE to set the RES_DEFNAMES option
+  search_parents    TRUE to set the RES_DNSRCH option
+  use_dnssec        TRUE to set the RES_USE_DNSSEC option
+
+Returns:            nothing
+*/
+
+void
+dns_init(BOOL qualify_single, BOOL search_parents, BOOL use_dnssec)
+{
+res_state resp = os_get_dns_resolver_res();
+
+if ((resp->options & RES_INIT) == 0)
+  {
+  DEBUG(D_resolver) resp->options |= RES_DEBUG;     /* For Cygwin */
+  os_put_dns_resolver_res(resp);
+  res_init();
+  DEBUG(D_resolver) resp->options |= RES_DEBUG;
+  os_put_dns_resolver_res(resp);
+  }
+
+resp->options &= ~(RES_DNSRCH | RES_DEFNAMES);
+resp->options |= (qualify_single? RES_DEFNAMES : 0) |
+                (search_parents? RES_DNSRCH : 0);
+if (dns_retrans > 0) resp->retrans = dns_retrans;
+if (dns_retry > 0) resp->retry = dns_retry;
+
+#ifdef RES_USE_EDNS0
+if (dns_use_edns0 >= 0)
+  {
+  if (dns_use_edns0)
+    resp->options |= RES_USE_EDNS0;
+  else
+    resp->options &= ~RES_USE_EDNS0;
+  DEBUG(D_resolver)
+    debug_printf("Coerced resolver EDNS0 support %s.\n",
+        dns_use_edns0 ? "on" : "off");
+  }
+#else
+if (dns_use_edns0 >= 0)
+  DEBUG(D_resolver)
+    debug_printf("Unable to %sset EDNS0 without resolver support.\n",
+        dns_use_edns0 ? "" : "un");
+#endif
+
+#ifndef DISABLE_DNSSEC
+# ifdef RES_USE_DNSSEC
+#  ifndef RES_USE_EDNS0
+#   error Have RES_USE_DNSSEC but not RES_USE_EDNS0?  Something hinky ...
+#  endif
+if (use_dnssec)
+  resp->options |= RES_USE_DNSSEC;
+if (dns_dnssec_ok >= 0)
+  {
+  if (dns_use_edns0 == 0 && dns_dnssec_ok != 0)
+    {
+    DEBUG(D_resolver)
+      debug_printf("CONFLICT: dns_use_edns0 forced false, dns_dnssec_ok forced true, ignoring latter!\n");
+    }
+  else
+    {
+    if (dns_dnssec_ok)
+      resp->options |= RES_USE_DNSSEC;
+    else
+      resp->options &= ~RES_USE_DNSSEC;
+    DEBUG(D_resolver) debug_printf("Coerced resolver DNSSEC support %s.\n",
+        dns_dnssec_ok ? "on" : "off");
+    }
+  }
+# else
+if (dns_dnssec_ok >= 0)
+  DEBUG(D_resolver)
+    debug_printf("Unable to %sset DNSSEC without resolver support.\n",
+        dns_dnssec_ok ? "" : "un");
+if (use_dnssec)
+  DEBUG(D_resolver)
+    debug_printf("Unable to set DNSSEC without resolver support.\n");
+# endif
+#endif /* DISABLE_DNSSEC */
+
+os_put_dns_resolver_res(resp);
+}
+
+
+
+/*************************************************
+*       Build key name for PTR records           *
+*************************************************/
+
+/* This function inverts an IP address and adds the relevant domain, to produce
+a name that can be used to look up PTR records.
+
+Arguments:
+  string     the IP address as a string
+
+Returns:     an allocated string
+*/
+
+uschar *
+dns_build_reverse(const uschar * string)
+{
+const uschar * p = string + Ustrlen(string);
+gstring * g = NULL;
+
+/* Handle IPv4 address */
+
+#if HAVE_IPV6
+if (Ustrchr(string, ':') == NULL)
+#endif
+  {
+  for (int i = 0; i < 4; i++)
+    {
+    const uschar * ppp = p;
+    while (ppp > string && ppp[-1] != '.') ppp--;
+    g = string_catn(g, ppp, p - ppp);
+    g = string_catn(g, US".", 1);
+    p = ppp - 1;
+    }
+  g = string_catn(g, US"in-addr.arpa", 12);
+  }
+
+/* Handle IPv6 address; convert to binary so as to fill out any
+abbreviation in the textual form. */
+
+#if HAVE_IPV6
+else
+  {
+  int v6[4];
+
+  g = string_get_tainted(32, string);
+  (void)host_aton(string, v6);
+
+  /* The original specification for IPv6 reverse lookup was to invert each
+  nibble, and look in the ip6.int domain. The domain was subsequently
+  changed to ip6.arpa. */
+
+  for (int i = 3; i >= 0; i--)
+    for (int j = 0; j < 32; j += 4)
+      g = string_fmt_append(g, "%x.", (v6[i] >> j) & 15);
+  g = string_catn(g, US"ip6.arpa.", 9);
+
+  /* Another way of doing IPv6 reverse lookups was proposed in conjunction
+  with A6 records. However, it fell out of favour when they did. The
+  alternative was to construct a binary key, and look in ip6.arpa. I tried
+  to make this code do that, but I could not make it work on Solaris 8. The
+  resolver seems to lose the initial backslash somehow. However, now that
+  this style of reverse lookup has been dropped, it doesn't matter. These
+  lines are left here purely for historical interest. */
+
+  /**************************************************
+  Ustrcpy(pp, "\\[x");
+  pp += 3;
+
+  for (int i = 0; i < 4; i++)
+    {
+    sprintf(pp, "%08X", v6[i]);
+    pp += 8;
+    }
+  Ustrcpy(pp, US"].ip6.arpa.");
+  **************************************************/
+
+  }
+#endif
+return string_from_gstring(g);
+}
+
+
+
+
+/* Increment the aptr in dnss, checking against dnsa length.
+Return: TRUE for a bad result
+*/
+static BOOL
+dnss_inc_aptr(const dns_answer * dnsa, dns_scan * dnss, unsigned delta)
+{
+return (dnss->aptr += delta) >= dnsa->answer + dnsa->answerlen;
+}
+
+/*************************************************
+*       Get next DNS record from answer block    *
+*************************************************/
+
+/* Call this with reset == RESET_ANSWERS to scan the answer block, reset ==
+RESET_AUTHORITY to scan the authority records, reset == RESET_ADDITIONAL to
+scan the additional records, and reset == RESET_NEXT to get the next record.
+The result is in static storage which must be copied if it is to be preserved.
+
+Arguments:
+  dnsa      pointer to dns answer block
+  dnss      pointer to dns scan block
+  reset     option specifying what portion to scan, as described above
+
+Returns:    next dns record, or NULL when no more
+*/
+
+dns_record *
+dns_next_rr(const dns_answer *dnsa, dns_scan *dnss, int reset)
+{
+const HEADER * h = (const HEADER *)dnsa->answer;
+int namelen;
+
+char * trace = NULL;
+#ifdef rr_trace
+# define TRACE DEBUG(D_dns)
+#else
+# define TRACE if (FALSE)
+#endif
+
+/* Reset the saved data when requested to, and skip to the first required RR */
+
+if (reset != RESET_NEXT)
+  {
+  dnss->rrcount = ntohs(h->qdcount);
+  TRACE debug_printf("%s: reset (Q rrcount %d)\n", __FUNCTION__, dnss->rrcount);
+  dnss->aptr = dnsa->answer + sizeof(HEADER);
+
+  /* Skip over questions; failure to expand the name just gives up */
+
+  while (dnss->rrcount-- > 0)
+    {
+    TRACE trace = "Q-namelen";
+    namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
+      dnss->aptr, (DN_EXPAND_ARG4_TYPE) &dnss->srr.name, DNS_MAXNAME);
+    if (namelen < 0) goto null_return;
+    /* skip name & type & class */
+    TRACE trace = "Q-skip";
+    if (dnss_inc_aptr(dnsa, dnss, namelen+4)) goto null_return;
+    }
+
+  /* Get the number of answer records. */
+
+  dnss->rrcount = ntohs(h->ancount);
+  TRACE debug_printf("%s: reset (A rrcount %d)\n", __FUNCTION__, dnss->rrcount);
+
+  /* Skip over answers if we want to look at the authority section. Also skip
+  the NS records (i.e. authority section) if wanting to look at the additional
+  records. */
+
+  if (reset == RESET_ADDITIONAL)
+    {
+    TRACE debug_printf("%s: additional\n", __FUNCTION__);
+    dnss->rrcount += ntohs(h->nscount);
+    TRACE debug_printf("%s: reset (NS rrcount %d)\n", __FUNCTION__, dnss->rrcount);
+    }
+
+  if (reset == RESET_AUTHORITY || reset == RESET_ADDITIONAL)
+    {
+    TRACE if (reset == RESET_AUTHORITY)
+      debug_printf("%s: authority\n", __FUNCTION__);
+    while (dnss->rrcount-- > 0)
+      {
+      TRACE trace = "A-namelen";
+      namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
+        dnss->aptr, (DN_EXPAND_ARG4_TYPE) &dnss->srr.name, DNS_MAXNAME);
+      if (namelen < 0) goto null_return;
+      /* skip name, type, class & TTL */
+      TRACE trace = "A-hdr";
+      if (dnss_inc_aptr(dnsa, dnss, namelen+8)) goto null_return;
+      GETSHORT(dnss->srr.size, dnss->aptr); /* size of data portion */
+      /* skip over it */
+      TRACE trace = "A-skip";
+      if (dnss_inc_aptr(dnsa, dnss, dnss->srr.size)) goto null_return;
+      }
+    dnss->rrcount = reset == RESET_AUTHORITY
+      ? ntohs(h->nscount) : ntohs(h->arcount);
+    TRACE debug_printf("%s: reset (%s rrcount %d)\n", __FUNCTION__,
+      reset == RESET_AUTHORITY ? "NS" : "AR", dnss->rrcount);
+    }
+  TRACE debug_printf("%s: %d RRs to read\n", __FUNCTION__, dnss->rrcount);
+  }
+else
+  TRACE debug_printf("%s: next (%d left)\n", __FUNCTION__, dnss->rrcount);
+
+/* The variable dnss->aptr is now pointing at the next RR, and dnss->rrcount
+contains the number of RR records left. */
+
+if (dnss->rrcount-- <= 0) return NULL;
+
+/* If expanding the RR domain name fails, behave as if no more records
+(something safe). */
+
+TRACE trace = "R-namelen";
+namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, dnss->aptr,
+  (DN_EXPAND_ARG4_TYPE) &dnss->srr.name, DNS_MAXNAME);
+if (namelen < 0) goto null_return;
+
+/* Move the pointer past the name and fill in the rest of the data structure
+from the following bytes. */
+
+TRACE trace = "R-name";
+if (dnss_inc_aptr(dnsa, dnss, namelen)) goto null_return;
+
+GETSHORT(dnss->srr.type, dnss->aptr);		/* Record type */
+TRACE trace = "R-class";
+if (dnss_inc_aptr(dnsa, dnss, 2)) goto null_return;	/* Don't want class */
+GETLONG(dnss->srr.ttl, dnss->aptr);		/* TTL */
+GETSHORT(dnss->srr.size, dnss->aptr);		/* Size of data portion */
+dnss->srr.data = dnss->aptr;			/* The record's data follows */
+
+/* Unchecked increment ok here since no further access on this iteration;
+will be checked on next at "R-name". */
+
+dnss->aptr += dnss->srr.size;			/* Advance to next RR */
+
+/* Return a pointer to the dns_record structure within the dns_answer. This is
+for convenience so that the scans can use nice-looking for loops. */
+
+TRACE debug_printf("%s: return %s\n", __FUNCTION__, dns_text_type(dnss->srr.type));
+return &dnss->srr;
+
+null_return:
+  TRACE debug_printf("%s: terminate (%d RRs left). Last op: %s; errno %d %s\n",
+    __FUNCTION__, dnss->rrcount, trace, errno, strerror(errno));
+  dnss->rrcount = 0;
+  return NULL;
+}
+
+
+/* Extract the AUTHORITY information from the answer. If the answer isn't
+authoritative (AA not set), we do not extract anything.
+
+The AUTHORITY section contains NS records if the name in question was found,
+it contains a SOA record otherwise. (This is just from experience and some
+tests, is there some spec?)
+
+Scan the whole AUTHORITY section, since it may contain other records
+(e.g. NSEC3) too.
+
+Return: name for the authority, in an allocated string, or NULL if none found */
+
+static const uschar *
+dns_extract_auth_name(const dns_answer * dnsa)	/* FIXME: const dns_answer */
+{
+dns_scan dnss;
+const HEADER * h = (const HEADER *) dnsa->answer;
+
+if (h->nscount && h->aa)
+  for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
+       rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
+    if (rr->type == (h->ancount ? T_NS : T_SOA))
+      return string_copy(rr->name);
+return NULL;
+}
+
+
+
+
+/*************************************************
+*    Return whether AD bit set in DNS result     *
+*************************************************/
+
+/* We do not perform DNSSEC work ourselves; if the administrator has installed
+a verifying resolver which sets AD as appropriate, though, we'll use that.
+(AD = Authentic Data, AA = Authoritative Answer)
+
+Argument:   pointer to dns answer block
+Returns:    bool indicating presence of AD bit
+*/
+
+BOOL
+dns_is_secure(const dns_answer * dnsa)
+{
+#ifdef DISABLE_DNSSEC
+DEBUG(D_dns)
+  debug_printf("DNSSEC support disabled at build-time; dns_is_secure() false\n");
+return FALSE;
+#else
+const HEADER * h = (const HEADER *) dnsa->answer;
+const uschar * auth_name;
+const uschar * trusted;
+
+if (dnsa->answerlen < 0) return FALSE;
+/* Beware that newer versions of glibc on Linux will filter out the ad bit
+unless their shiny new RES_TRUSTAD bit is set for the resolver.  */
+if (h->ad) return TRUE;
+
+/* If the resolver we ask is authoritative for the domain in question, it may
+not set the AD but the AA bit. If we explicitly trust the resolver for that
+domain (via a domainlist in dns_trust_aa), we return TRUE to indicate a secure
+answer.  */
+
+if (  !h->aa
+   || !dns_trust_aa
+   || !(trusted = expand_string(dns_trust_aa))
+   || !*trusted
+   || !(auth_name = dns_extract_auth_name(dnsa))
+   || OK != match_isinlist(auth_name, &trusted, 0, &domainlist_anchor, NULL,
+			    MCL_DOMAIN, TRUE, NULL)
+   )
+  return FALSE;
+
+DEBUG(D_dns) debug_printf("DNS faked the AD bit "
+  "(got AA and matched with dns_trust_aa (%s in %s))\n",
+  auth_name, dns_trust_aa);
+
+return TRUE;
+#endif
+}
+
+static void
+dns_set_insecure(dns_answer * dnsa)
+{
+#ifndef DISABLE_DNSSEC
+HEADER * h = (HEADER *)dnsa->answer;
+h->aa = h->ad = 0;
+#endif
+}
+
+/************************************************
+ *	Check whether the AA bit is set		*
+ *	We need this to warn if we requested AD *
+ *	from an authoritative server		*
+ ************************************************/
+
+BOOL
+dns_is_aa(const dns_answer * dnsa)
+{
+#ifdef DISABLE_DNSSEC
+return FALSE;
+#else
+return dnsa->answerlen >= 0 && ((const HEADER *)dnsa->answer)->aa;
+#endif
+}
+
+
+
+/*************************************************
+*            Turn DNS type into text             *
+*************************************************/
+
+/* Turn the coded record type into a string for printing. All those that Exim
+uses should be included here.
+
+Argument:   record type
+Returns:    pointer to string
+*/
+
+uschar *
+dns_text_type(int t)
+{
+switch(t)
+  {
+  case T_A:     return US"A";
+  case T_MX:    return US"MX";
+  case T_AAAA:  return US"AAAA";
+  case T_A6:    return US"A6";
+  case T_TXT:   return US"TXT";
+  case T_SPF:   return US"SPF";
+  case T_PTR:   return US"PTR";
+  case T_SOA:   return US"SOA";
+  case T_SRV:   return US"SRV";
+  case T_NS:    return US"NS";
+  case T_CNAME: return US"CNAME";
+  case T_TLSA:  return US"TLSA";
+  default:      return US"?";
+  }
+}
+
+
+
+/*************************************************
+*        Cache a failed DNS lookup result        *
+*************************************************/
+
+static void
+dns_fail_tag(uschar * buf, const uschar * name, int dns_type)
+{
+res_state resp = os_get_dns_resolver_res();
+
+/*XX buf needs to be 255 +1 + (max(typetext) == 5) +1 + max(chars_for_long-max) +1
+We truncate the name here for safety... could use a dynamic string. */
+
+sprintf(CS buf, "%.255s-%s-%lx", name, dns_text_type(dns_type),
+  (unsigned long) resp->options);
+}
+
+
+/* We cache failed lookup results so as not to experience timeouts many
+times for the same domain. We need to retain the resolver options because they
+may change. For successful lookups, we rely on resolver and/or name server
+caching.
+
+Arguments:
+  name       the domain name
+  type       the lookup type
+  expiry     time TTL expires, or zero for unlimited
+  rc         the return code
+
+Returns:     the return code
+*/
+
+/* we need:  255 +1 + (max(typetext) == 5) +1 + max(chars_for_long-max) +1 */
+#define DNS_FAILTAG_MAX 290
+#define DNS_FAILNODE_SIZE \
+  (sizeof(expiring_data) + sizeof(tree_node) + DNS_FAILTAG_MAX)
+
+static int
+dns_fail_return(const uschar * name, int type, time_t expiry, int rc)
+{
+uschar node_name[DNS_FAILTAG_MAX];
+tree_node * previous, * new;
+expiring_data * e;
+
+dns_fail_tag(node_name, name, type);
+if ((previous = tree_search(tree_dns_fails, node_name)))
+  e = previous->data.ptr;
+else
+  {
+  e = store_get_perm(DNS_FAILNODE_SIZE, name);
+  new = (void *)(e+1);
+  dns_fail_tag(new->name, name, type);
+  new->data.ptr = e;
+  (void)tree_insertnode(&tree_dns_fails, new);
+  }
+
+DEBUG(D_dns) debug_printf(" %s neg-cache entry for %s, ttl %d\n",
+  previous ? "update" : "writing",
+  node_name, expiry ? (int)(expiry - time(NULL)) : -1);
+e->expiry = expiry;
+e->data.val = rc;
+return rc;
+}
+
+
+/* Return the cached result of a known-bad lookup, or -1.
+*/
+static int
+dns_fail_cache_hit(const uschar * name, int type)
+{
+uschar node_name[DNS_FAILTAG_MAX];
+tree_node * previous;
+expiring_data * e;
+int val, rc;
+
+dns_fail_tag(node_name, name, type);
+if (!(previous = tree_search(tree_dns_fails, node_name)))
+  return -1;
+
+e = previous->data.ptr;
+val = e->data.val;
+rc = e->expiry && e->expiry <= time(NULL) ? -1 : val;
+
+DEBUG(D_dns) debug_printf("DNS lookup of %.255s (%s): %scached value %s%s\n",
+  name, dns_text_type(type),
+  rc == -1 ? "" : "using ",
+  dns_rc_names[val],
+  rc == -1 ? " past valid time" : "");
+
+return rc;
+}
+
+
+
+/* This is really gross. The successful return value from res_search() is
+the packet length, which is stored in dnsa->answerlen. If we get a
+negative DNS reply then res_search() returns -1, which causes the bounds
+checks for name decompression to fail when it is treated as a packet
+length, which in turn causes the authority search to fail. The correct
+packet length has been lost inside libresolv, so we have to guess a
+replacement value. (The only way to fix this properly would be to
+re-implement res_search() and res_query() so that they don't muddle their
+success and packet length return values.) For added safety we only reset
+the packet length if the packet header looks plausible.
+
+Return TRUE iff it seemed ok */
+
+static BOOL
+fake_dnsa_len_for_fail(dns_answer * dnsa, int type)
+{
+const HEADER * h = (const HEADER *)dnsa->answer;
+
+if (  h->qr == 1				/* a response */
+   && h->opcode == QUERY
+   && h->tc == 0				/* nmessage not truncated */
+   && (h->rcode == NOERROR || h->rcode == NXDOMAIN)
+   && (  ntohs(h->qdcount) == 1			/* one question record */
+      || f.running_in_test_harness)
+   && ntohs(h->ancount) == 0			/* no answer records */
+   && ntohs(h->nscount) >= 1)			/* authority records */
+  {
+  DEBUG(D_dns) debug_printf("faking res_search(%s) response length as %d\n",
+    dns_text_type(type), (int)sizeof(dnsa->answer));
+  dnsa->answerlen = sizeof(dnsa->answer);
+  return TRUE;
+  }
+DEBUG(D_dns) debug_printf("DNS: couldn't fake dnsa len\n");
+/* Maybe we should just do a second lookup for an SOA? */
+return FALSE;
+}
+
+
+/* Return the TTL suitable for an NXDOMAIN result, which is given
+in the SOA.  We hope that one was returned in the lookup, and do not
+bother doing a separate lookup; if not found return a forever TTL.
+*/
+
+time_t
+dns_expire_from_soa(dns_answer * dnsa, int type)
+{
+dns_scan dnss;
+
+if (fake_dnsa_len_for_fail(dnsa, type))
+  for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
+       rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
+      ) if (rr->type == T_SOA)
+    {
+    const uschar * p = rr->data;
+    uschar discard_buf[256];
+    int len;
+    unsigned long ttl;
+
+    /* Skip the mname & rname strings */
+
+    if ((len = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
+	p, (DN_EXPAND_ARG4_TYPE)discard_buf, 256)) < 0)
+      break;
+    p += len;
+    if ((len = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
+	p, (DN_EXPAND_ARG4_TYPE)discard_buf, 256)) < 0)
+      break;
+    p += len;
+
+    /* Skip the SOA serial, refresh, retry & expire.  Grab the TTL */
+
+    if (p > dnsa->answer + dnsa->answerlen - 5 * INT32SZ)
+      break;
+    p += 4 * INT32SZ;
+    GETLONG(ttl, p);
+
+    return time(NULL) + ttl;
+    }
+
+DEBUG(D_dns) debug_printf("DNS: no SOA record found for neg-TTL\n");
+return 0;
+}
+
+
+/*************************************************
+*              Do basic DNS lookup               *
+*************************************************/
+
+/* Call the resolver to look up the given domain name, using the given type,
+and check the result. The error code TRY_AGAIN is documented as meaning "non-
+Authoritative Host not found, or SERVERFAIL". Sometimes there are badly set
+up nameservers that produce this error continually, so there is the option of
+providing a list of domains for which this is treated as a non-existent
+host.
+
+The dns_answer structure is pretty big; enough to hold a max-sized DNS message
+- so best allocated from fast-release memory.  As of writing, all our callers
+use a stack-auto variable.
+
+Arguments:
+  dnsa      pointer to dns_answer structure
+  name      name to look up
+  type      type of DNS record required (T_A, T_MX, etc)
+
+Returns:    DNS_SUCCEED   successful lookup
+            DNS_NOMATCH   name not found (NXDOMAIN)
+                          or name contains illegal characters (if checking)
+                          or name is an IP address (for IP address lookup)
+            DNS_NODATA    domain exists, but no data for this type (NODATA)
+            DNS_AGAIN     soft failure, try again later
+            DNS_FAIL      DNS failure
+*/
+
+int
+dns_basic_lookup(dns_answer * dnsa, const uschar * name, int type)
+{
+int rc;
+#ifndef STAND_ALONE
+const uschar * save_domain;
+#endif
+
+/* DNS lookup failures of any kind are cached in a tree. This is mainly so that
+a timeout on one domain doesn't happen time and time again for messages that
+have many addresses in the same domain. We rely on the resolver and name server
+caching for successful lookups.
+*/
+
+if ((rc = dns_fail_cache_hit(name, type)) > 0)
+  {
+  dnsa->answerlen = -1;
+  return rc;
+  }
+
+#ifdef SUPPORT_I18N
+/* Convert all names to a-label form before doing lookup */
+  {
+  uschar * alabel;
+  uschar * errstr = NULL;
+  DEBUG(D_dns) if (string_is_utf8(name))
+    debug_printf("convert utf8 '%s' to alabel for for lookup\n", name);
+  if ((alabel = string_domain_utf8_to_alabel(name, &errstr)), errstr)
+    {
+    DEBUG(D_dns)
+      debug_printf("DNS name '%s' utf8 conversion to alabel failed: %s\n", name,
+        errstr);
+    f.host_find_failed_syntax = TRUE;
+    return DNS_NOMATCH;
+    }
+  name = alabel;
+  }
+#endif
+
+/* If configured, check the hygiene of the name passed to lookup. Otherwise,
+although DNS lookups may give REFUSED at the lower level, some resolvers
+turn this into TRY_AGAIN, which is silly. Give a NOMATCH return, since such
+domains cannot be in the DNS. The check is now done by a regular expression;
+give it space for substring storage to save it having to get its own if the
+regex has substrings that are used - the default uses a conditional.
+
+This test is omitted for PTR records. These occur only in calls from the dnsdb
+lookup, which constructs the names itself, so they should be OK. Besides,
+bitstring labels don't conform to normal name syntax. (But they aren't used any
+more.) */
+
+#ifndef STAND_ALONE   /* Omit this for stand-alone tests */
+
+if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
+  {
+  dns_pattern_init();
+  if (!regex_match(regex_check_dns_names, name, -1, NULL))
+    {
+    DEBUG(D_dns)
+      debug_printf("DNS name syntax check failed: %s (%s)\n", name,
+        dns_text_type(type));
+    f.host_find_failed_syntax = TRUE;
+    return DNS_NOMATCH;
+    }
+  }
+
+#endif /* STAND_ALONE */
+
+/* Call the resolver; for an overlong response, res_search() will return the
+number of bytes the message would need, so we need to check for this case. The
+effect is to truncate overlong data.
+
+On some systems, res_search() will recognize "A-for-A" queries and return
+the IP address instead of returning -1 with h_error=HOST_NOT_FOUND. Some
+nameservers are also believed to do this. It is, of course, contrary to the
+specification of the DNS, so we lock it out. */
+
+if ((type == T_A || type == T_AAAA) && string_is_ip_address(name, NULL) != 0)
+  return DNS_NOMATCH;
+
+/* If we are running in the test harness, instead of calling the normal resolver
+(res_search), we call fakens_search(), which recognizes certain special
+domains, and interfaces to a fake nameserver for certain special zones. */
+
+h_errno = 0;
+dnsa->answerlen = f.running_in_test_harness
+  ? fakens_search(name, type, dnsa->answer, sizeof(dnsa->answer))
+  : res_search(CCS name, C_IN, type, dnsa->answer, sizeof(dnsa->answer));
+
+if (dnsa->answerlen > (int) sizeof(dnsa->answer))
+  {
+  DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) resulted in overlong packet"
+    " (size %d), truncating to %u.\n",
+    name, dns_text_type(type), dnsa->answerlen, (unsigned int) sizeof(dnsa->answer));
+  dnsa->answerlen = sizeof(dnsa->answer);
+  }
+
+if (dnsa->answerlen < 0) switch (h_errno)
+  {
+  case HOST_NOT_FOUND:
+    DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave HOST_NOT_FOUND\n"
+      "returning DNS_NOMATCH\n", name, dns_text_type(type));
+    return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NOMATCH);
+
+  case TRY_AGAIN:
+    DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave TRY_AGAIN\n",
+      name, dns_text_type(type));
+
+    /* Cut this out for various test programs */
+#ifndef STAND_ALONE
+    save_domain = deliver_domain;
+    deliver_domain = string_copy(name);  /* set $domain */
+    rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
+      &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
+    deliver_domain = save_domain;
+    if (rc != OK)
+      {
+      DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n");
+      return dns_fail_return(name, type, 0, DNS_AGAIN);
+      }
+    DEBUG(D_dns) debug_printf("%s is in dns_again_means_nonexist: returning "
+      "DNS_NOMATCH\n", name);
+    return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NOMATCH);
+
+#else   /* For stand-alone tests */
+    return dns_fail_return(name, type, 0, DNS_AGAIN);
+#endif
+
+  case NO_RECOVERY:
+    DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_RECOVERY\n"
+      "returning DNS_FAIL\n", name, dns_text_type(type));
+    return dns_fail_return(name, type, 0, DNS_FAIL);
+
+  case NO_DATA:
+    DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_DATA\n"
+      "returning DNS_NODATA\n", name, dns_text_type(type));
+    return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NODATA);
+
+  default:
+    DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave unknown DNS error %d\n"
+      "returning DNS_FAIL\n", name, dns_text_type(type), h_errno);
+    return dns_fail_return(name, type, 0, DNS_FAIL);
+  }
+
+DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) succeeded\n",
+  name, dns_text_type(type));
+
+return DNS_SUCCEED;
+}
+
+
+
+
+/************************************************
+*        Do a DNS lookup and handle CNAMES      *
+************************************************/
+
+/* Look up the given domain name, using the given type. Follow CNAMEs if
+necessary, but only so many times. There aren't supposed to be CNAME chains in
+the DNS, but you are supposed to cope with them if you find them.
+By default, follow one CNAME since a resolver has been seen, faced with
+an MX request and a CNAME (to an A) but no MX present, returning the CNAME.
+
+The assumption is made that if the resolver gives back records of the
+requested type *and* a CNAME, we don't need to make another call to look up
+the CNAME. I can't see how it could return only some of the right records. If
+it's done a CNAME lookup in the past, it will have all of them; if not, it
+won't return any.
+
+If fully_qualified_name is not NULL, set it to point to the full name
+returned by the resolver, if this is different to what it is given, unless
+the returned name starts with "*" as some nameservers seem to be returning
+wildcards in this form.  In international mode "different" means "alabel
+forms are different".
+
+Arguments:
+  dnsa                  pointer to dns_answer structure
+  name                  domain name to look up
+  type                  DNS record type (T_A, T_MX, etc)
+  fully_qualified_name  if not NULL, return the returned name here if its
+                          contents are different (i.e. it must be preset)
+
+Returns:                DNS_SUCCEED   successful lookup
+                        DNS_NOMATCH   name not found
+                        DNS_NODATA    no data found
+                        DNS_AGAIN     soft failure, try again later
+                        DNS_FAIL      DNS failure
+*/
+
+int
+dns_lookup(dns_answer *dnsa, const uschar *name, int type,
+  const uschar **fully_qualified_name)
+{
+const uschar *orig_name = name;
+BOOL secure_so_far = TRUE;
+
+/* By default, assume the resolver follows CNAME chains (and returns NODATA for
+an unterminated one). If it also does that for a CNAME loop, fine; if it returns
+a CNAME (maybe the last?) whine about it.  However, retain the coding for dumb
+resolvers hiding behind a config variable. Loop to follow CNAME chains so far,
+but no further...  The testsuite tests the latter case, mostly assuming that the
+former will work. */
+
+for (int i = 0; i <= dns_cname_loops; i++)
+  {
+  uschar * data;
+  dns_record cname_rr, type_rr;
+  dns_scan dnss;
+  int rc;
+
+  /* DNS lookup failures get passed straight back. */
+
+  if ((rc = dns_basic_lookup(dnsa, name, type)) != DNS_SUCCEED)
+    return rc;
+
+  /* We should have either records of the required type, or a CNAME record,
+  or both. We need to know whether both exist for getting the fully qualified
+  name, but avoid scanning more than necessary. Note that we must copy the
+  contents of any rr blocks returned by dns_next_rr() as they use the same
+  area in the dnsa block. */
+
+  cname_rr.data = type_rr.data = NULL;
+  for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
+       rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
+    if (rr->type == type)
+      {
+      if (type_rr.data == NULL) type_rr = *rr;
+      if (cname_rr.data != NULL) break;
+      }
+    else if (rr->type == T_CNAME)
+      cname_rr = *rr;
+
+  /* For the first time round this loop, if a CNAME was found, take the fully
+  qualified name from it; otherwise from the first data record, if present. */
+
+  if (i == 0 && fully_qualified_name)
+    {
+    uschar * rr_name = cname_rr.data
+      ? cname_rr.name : type_rr.data ? type_rr.name : NULL;
+    if (  rr_name
+       && Ustrcmp(rr_name, *fully_qualified_name) != 0
+       && rr_name[0] != '*'
+#ifdef SUPPORT_I18N
+       && (  !string_is_utf8(*fully_qualified_name)
+	  || Ustrcmp(rr_name,
+	       string_domain_utf8_to_alabel(*fully_qualified_name, NULL)) != 0
+	  )
+#endif
+       )
+        *fully_qualified_name = string_copy_dnsdomain(rr_name);
+    }
+
+  /* If any data records of the correct type were found, we are done. */
+
+  if (type_rr.data)
+    {
+    if (!secure_so_far)	/* mark insecure if any element of CNAME chain was */
+      dns_set_insecure(dnsa);
+    return DNS_SUCCEED;
+    }
+
+  /* If there are no data records, we need to re-scan the DNS using the
+  domain given in the CNAME record, which should exist (otherwise we should
+  have had a failure from dns_lookup). However code against the possibility of
+  its not existing. */
+
+  if (!cname_rr.data)
+    return DNS_FAIL;
+
+  /* DNS data comes from the outside, hence tainted */
+  data = store_get(256, GET_TAINTED);
+  if (dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
+      cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, 256) < 0)
+    return DNS_FAIL;
+  name = data;
+
+  if (!dns_is_secure(dnsa))
+    secure_so_far = FALSE;
+
+  DEBUG(D_dns) debug_printf("CNAME found: change to %s\n", name);
+  }       /* Loop back to do another lookup */
+
+/*Control reaches here after 10 times round the CNAME loop. Something isn't
+right... */
+
+log_write(0, LOG_MAIN, "CNAME loop for %s encountered", orig_name);
+return DNS_FAIL;
+}
+
+
+
+
+
+
+/************************************************
+*    Do a DNS lookup and handle virtual types   *
+************************************************/
+
+/* This function handles some invented "lookup types" that synthesize features
+not available in the basic types. The special types all have negative values.
+Positive type values are passed straight on to dns_lookup().
+
+Arguments:
+  dnsa                  pointer to dns_answer structure
+  name                  domain name to look up
+  type                  DNS record type (T_A, T_MX, etc or a "special")
+  fully_qualified_name  if not NULL, return the returned name here if its
+                          contents are different (i.e. it must be preset)
+
+Returns:                DNS_SUCCEED   successful lookup
+                        DNS_NOMATCH   name not found
+                        DNS_NODATA    no data found
+                        DNS_AGAIN     soft failure, try again later
+                        DNS_FAIL      DNS failure
+*/
+
+int
+dns_special_lookup(dns_answer *dnsa, const uschar *name, int type,
+  const uschar **fully_qualified_name)
+{
+switch (type)
+  {
+  /* The "mx hosts only" type doesn't require any special action here */
+  case T_MXH:
+    return dns_lookup(dnsa, name, T_MX, fully_qualified_name);
+
+  /* Find nameservers for the domain or the nearest enclosing zone, excluding
+  the root servers. */
+  case T_ZNS:
+    type = T_NS;
+    /* FALLTHROUGH */
+  case T_SOA:
+    {
+    const uschar *d = name;
+    while (d != 0)
+      {
+      int rc = dns_lookup(dnsa, d, type, fully_qualified_name);
+      if (rc != DNS_NOMATCH && rc != DNS_NODATA) return rc;
+      while (*d != 0 && *d != '.') d++;
+      if (*d++ == 0) break;
+      }
+    return DNS_NOMATCH;
+    }
+
+  /* Try to look up the Client SMTP Authorization SRV record for the name. If
+  there isn't one, search from the top downwards for a CSA record in a parent
+  domain, which might be making assertions about subdomains. If we find a record
+  we set fully_qualified_name to whichever lookup succeeded, so that the caller
+  can tell whether to look at the explicit authorization field or the subdomain
+  assertion field. */
+  case T_CSA:
+    {
+    uschar *srvname, *namesuff, *tld;
+    int priority, dummy_weight, port;
+    int limit, rc, i;
+    BOOL ipv6;
+    dns_record *rr;
+    dns_scan dnss;
+
+    DEBUG(D_dns) debug_printf("CSA lookup of %s\n", name);
+
+    srvname = string_sprintf("_client._smtp.%s", name);
+    rc = dns_lookup(dnsa, srvname, T_SRV, NULL);
+    if (rc == DNS_SUCCEED || rc == DNS_AGAIN)
+      {
+      if (rc == DNS_SUCCEED) *fully_qualified_name = string_copy(name);
+      return rc;
+      }
+
+    /* Search for CSA subdomain assertion SRV records from the top downwards,
+    starting with the 2nd level domain. This order maximizes cache-friendliness.
+    We skip the top level domains to avoid loading their nameservers and because
+    we know they'll never have CSA SRV records. */
+
+    namesuff = Ustrrchr(name, '.');
+    if (namesuff == NULL) return DNS_NOMATCH;
+    tld = namesuff + 1;
+    ipv6 = FALSE;
+    limit = dns_csa_search_limit;
+
+    /* Use more appropriate search parameters if we are in the reverse DNS. */
+
+    if (strcmpic(namesuff, US".arpa") == 0)
+      if (namesuff - 8 > name && strcmpic(namesuff - 8, US".in-addr.arpa") == 0)
+	{
+	namesuff -= 8;
+	tld = namesuff + 1;
+	limit = 3;
+	}
+      else if (namesuff - 4 > name && strcmpic(namesuff - 4, US".ip6.arpa") == 0)
+	{
+	namesuff -= 4;
+	tld = namesuff + 1;
+	ipv6 = TRUE;
+	limit = 3;
+	}
+
+    DEBUG(D_dns) debug_printf("CSA TLD %s\n", tld);
+
+    /* Do not perform the search if the top level or 2nd level domains do not
+    exist. This is quite common, and when it occurs all the search queries would
+    go to the root or TLD name servers, which is not friendly. So we check the
+    AUTHORITY section; if it contains the root's SOA record or the TLD's SOA then
+    the TLD or the 2LD (respectively) doesn't exist and we can skip the search.
+    If the TLD and the 2LD exist but the explicit CSA record lookup failed, then
+    the AUTHORITY SOA will be the 2LD's or a subdomain thereof. */
+
+    if (rc == DNS_NOMATCH) return DNS_NOMATCH;
+
+    for (i = 0; i < limit; i++)
+      {
+      if (ipv6)
+	{
+	/* Scan through the IPv6 reverse DNS in chunks of 16 bits worth of IP
+	address, i.e. 4 hex chars and 4 dots, i.e. 8 chars. */
+	namesuff -= 8;
+	if (namesuff <= name) return DNS_NOMATCH;
+	}
+      else
+	/* Find the start of the preceding domain name label. */
+	do
+	  if (--namesuff <= name) return DNS_NOMATCH;
+	while (*namesuff != '.');
+
+      DEBUG(D_dns) debug_printf("CSA parent search at %s\n", namesuff + 1);
+
+      srvname = string_sprintf("_client._smtp.%s", namesuff + 1);
+      rc = dns_lookup(dnsa, srvname, T_SRV, NULL);
+      if (rc == DNS_AGAIN) return rc;
+      if (rc != DNS_SUCCEED) continue;
+
+      /* Check that the SRV record we have found is worth returning. We don't
+      just return the first one we find, because some lower level SRV record
+      might make stricter assertions than its parent domain. */
+
+      for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
+	   rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_SRV)
+	{
+	const uschar * p = rr->data;
+
+	/* Extract the numerical SRV fields (p is incremented) */
+	GETSHORT(priority, p);
+	GETSHORT(dummy_weight, p);
+	GETSHORT(port, p);
+
+	/* Check the CSA version number */
+	if (priority != 1) continue;
+
+	/* If it's making an interesting assertion, return this response. */
+	if (port & 1)
+	  {
+	  *fully_qualified_name = namesuff + 1;
+	  return DNS_SUCCEED;
+	  }
+	}
+      }
+    return DNS_NOMATCH;
+    }
+
+  default:
+    if (type >= 0)
+      return dns_lookup(dnsa, name, type, fully_qualified_name);
+  }
+
+/* Control should never reach here */
+
+return DNS_FAIL;
+}
+
+
+
+
+
+/*************************************************
+*          Get address(es) from DNS record       *
+*************************************************/
+
+/* The record type is either T_A for an IPv4 address or T_AAAA for an IPv6 address.
+
+Argument:
+  dnsa       the DNS answer block
+  rr         the RR
+
+Returns:     pointer to a chain of dns_address items; NULL when the dnsa was overrun
+*/
+
+dns_address *
+dns_address_from_rr(dns_answer *dnsa, dns_record *rr)
+{
+dns_address * yield = NULL;
+uschar * dnsa_lim = dnsa->answer + dnsa->answerlen;
+
+if (rr->type == T_A)
+  {
+  uschar *p = US rr->data;
+  if (p + 4 <= dnsa_lim)
+    {
+    /* the IP is not regarded as tainted */
+    yield = store_get(sizeof(dns_address) + 20, GET_UNTAINTED);
+    (void)sprintf(CS yield->address, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+    yield->next = NULL;
+    }
+  }
+
+#if HAVE_IPV6
+
+else
+  {
+  if (rr->data + 16 <= dnsa_lim)
+    {
+    struct in6_addr in6;
+    for (int i = 0; i < 16; i++) in6.s6_addr[i] = rr->data[i];
+    yield = store_get(sizeof(dns_address) + 50, GET_UNTAINTED);
+    inet_ntop(AF_INET6, &in6, CS yield->address, 50);
+    yield->next = NULL;
+    }
+  }
+#endif  /* HAVE_IPV6 */
+
+return yield;
+}
+
+
+
+void
+dns_pattern_init(void)
+{
+if (check_dns_names_pattern[0] != 0 && !regex_check_dns_names)
+  regex_check_dns_names =
+    regex_must_compile(check_dns_names_pattern, FALSE, TRUE);
+}
+
+/* vi: aw ai sw=2
+*/
+/* End of dns.c */
diff --git a/src/dnsbl.c b/src/dnsbl.c
new file mode 100644
index 0000000..db839af
--- /dev/null
+++ b/src/dnsbl.c
@@ -0,0 +1,651 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions concerned with dnsbls */
+
+
+#include "exim.h"
+
+/* Structure for caching DNSBL lookups */
+
+typedef struct dnsbl_cache_block {
+  time_t expiry;
+  dns_address *rhs;
+  uschar *text;
+  int rc;
+  BOOL text_set;
+} dnsbl_cache_block;
+
+
+/* Anchor for DNSBL cache */
+
+static tree_node *dnsbl_cache = NULL;
+
+
+/* Bits for match_type in one_check_dnsbl() */
+
+#define MT_NOT 1
+#define MT_ALL 2
+
+
+/*************************************************
+*          Perform a single dnsbl lookup         *
+*************************************************/
+
+/* This function is called from verify_check_dnsbl() below. It is also called
+recursively from within itself when domain and domain_txt are different
+pointers, in order to get the TXT record from the alternate domain.
+
+Arguments:
+  domain         the outer dnsbl domain
+  domain_txt     alternate domain to lookup TXT record on success; when the
+                   same domain is to be used, domain_txt == domain (that is,
+                   the pointers must be identical, not just the text)
+  keydomain      the current keydomain (for debug message)
+  prepend        subdomain to lookup (like keydomain, but
+                   reversed if IP address)
+  iplist         the list of matching IP addresses, or NULL for "any"
+  bitmask        true if bitmask matching is wanted
+  match_type     condition for 'succeed' result
+                   0 => Any RR in iplist     (=)
+                   1 => No RR in iplist      (!=)
+                   2 => All RRs in iplist    (==)
+                   3 => Some RRs not in iplist (!==)
+                   the two bits are defined as MT_NOT and MT_ALL
+  defer_return   what to return for a defer
+
+Returns:         OK if lookup succeeded
+                 FAIL if not
+*/
+
+static int
+one_check_dnsbl(uschar *domain, uschar *domain_txt, uschar *keydomain,
+  uschar *prepend, uschar *iplist, BOOL bitmask, int match_type,
+  int defer_return)
+{
+dns_answer * dnsa = store_get_dns_answer();
+dns_scan dnss;
+tree_node *t;
+dnsbl_cache_block *cb;
+int old_pool = store_pool;
+uschar * query;
+int qlen, yield;
+
+/* Construct the specific query domainname */
+
+query = string_sprintf("%s.%s", prepend, domain);
+if ((qlen = Ustrlen(query)) >= 256)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "dnslist query is too long "
+    "(ignored): %s...", query);
+  yield = FAIL;
+  goto out;
+  }
+
+/* Look for this query in the cache. */
+
+if (  (t = tree_search(dnsbl_cache, query))
+   && (cb = t->data.ptr)->expiry > time(NULL)
+   )
+
+/* Previous lookup was cached */
+
+  {
+  HDEBUG(D_dnsbl) debug_printf("dnslists: using result of previous lookup\n");
+  }
+
+/* If not cached from a previous lookup, we must do a DNS lookup, and
+cache the result in permanent memory. */
+
+else
+  {
+  uint ttl = 3600;	/* max TTL for positive cache entries */
+
+  store_pool = POOL_PERM;
+
+  if (t)
+    {
+    HDEBUG(D_dnsbl) debug_printf("cached data found but past valid time; ");
+    }
+
+  else
+    {	/* Set up a tree entry to cache the lookup */
+    t = store_get(sizeof(tree_node) + qlen + 1 + 1, query);
+    Ustrcpy(t->name, query);
+    t->data.ptr = cb = store_get(sizeof(dnsbl_cache_block), GET_UNTAINTED);
+    (void)tree_insertnode(&dnsbl_cache, t);
+    }
+
+  /* Do the DNS lookup . */
+
+  HDEBUG(D_dnsbl) debug_printf("new DNS lookup for %s\n", query);
+  cb->rc = dns_basic_lookup(dnsa, query, T_A);
+  cb->text_set = FALSE;
+  cb->text = NULL;
+  cb->rhs = NULL;
+
+  /* If the lookup succeeded, cache the RHS address. The code allows for
+  more than one address - this was for complete generality and the possible
+  use of A6 records. However, A6 records are no longer supported. Leave the code
+  here, just in case.
+
+  Quite apart from one A6 RR generating multiple addresses, there are DNS
+  lists that return more than one A record, so we must handle multiple
+  addresses generated in that way as well.
+
+  Mark the cache entry with the "now" plus the minimum of the address TTLs,
+  or the RFC 2308 negative-cache value from the SOA if none were found. */
+
+  switch (cb->rc)
+    {
+    case DNS_SUCCEED:
+      {
+      dns_address ** addrp = &cb->rhs;
+      dns_address * da;
+      for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+	   rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
+	if (rr->type == T_A && (da = dns_address_from_rr(dnsa, rr)))
+	  {
+	  *addrp = da;
+	  while (da->next) da = da->next;
+	  addrp = &da->next;
+	  if (ttl > rr->ttl) ttl = rr->ttl;
+	  }
+
+      if (cb->rhs)
+	{
+	cb->expiry = time(NULL) + ttl;
+	break;
+	}
+
+      /* If we didn't find any A records, change the return code. This can
+      happen when there is a CNAME record but there are no A records for what
+      it points to. */
+
+      cb->rc = DNS_NODATA;
+      }
+      /*FALLTHROUGH*/
+
+    case DNS_NOMATCH:
+    case DNS_NODATA:
+      {
+      /* Although there already is a neg-cache layer maintained by
+      dns_basic_lookup(), we have a dnslist cache entry allocated and
+      tree-inserted. So we may as well use it. */
+
+      time_t soa_negttl = dns_expire_from_soa(dnsa, T_A);
+      cb->expiry = soa_negttl ? soa_negttl : time(NULL) + ttl;
+      break;
+      }
+
+    default:
+      cb->expiry = time(NULL) + ttl;
+      break;
+    }
+
+  store_pool = old_pool;
+  HDEBUG(D_dnsbl) debug_printf("dnslists: wrote cache entry, ttl=%d\n",
+    (int)(cb->expiry - time(NULL)));
+  }
+
+/* We now have the result of the DNS lookup, either newly done, or cached
+from a previous call. If the lookup succeeded, check against the address
+list if there is one. This may be a positive equality list (introduced by
+"="), a negative equality list (introduced by "!="), a positive bitmask
+list (introduced by "&"), or a negative bitmask list (introduced by "!&").*/
+
+if (cb->rc == DNS_SUCCEED)
+  {
+  dns_address * da = NULL;
+  uschar *addlist = cb->rhs->address;
+
+  /* For A and AAAA records, there may be multiple addresses from multiple
+  records. For A6 records (currently not expected to be used) there may be
+  multiple addresses from a single record. */
+
+  for (da = cb->rhs->next; da; da = da->next)
+    addlist = string_sprintf("%s, %s", addlist, da->address);
+
+  HDEBUG(D_dnsbl) debug_printf("DNS lookup for %s succeeded (yielding %s)\n",
+    query, addlist);
+
+  /* Address list check; this can be either for equality, or via a bitmask.
+  In the latter case, all the bits must match. */
+
+  if (iplist)
+    {
+    for (da = cb->rhs; da; da = da->next)
+      {
+      int ipsep = ',';
+      const uschar *ptr = iplist;
+      uschar *res;
+
+      /* Handle exact matching */
+
+      if (!bitmask)
+	{
+        while ((res = string_nextinlist(&ptr, &ipsep, NULL, 0)))
+          if (Ustrcmp(CS da->address, res) == 0)
+	    break;
+	}
+
+      /* Handle bitmask matching */
+
+      else
+        {
+        int address[4];
+        int mask = 0;
+
+        /* At present, all known DNS blocking lists use A records, with
+        IPv4 addresses on the RHS encoding the information they return. I
+        wonder if this will linger on as the last vestige of IPv4 when IPv6
+        is ubiquitous? Anyway, for now we use paranoia code to completely
+        ignore IPv6 addresses. The default mask is 0, which always matches.
+        We change this only for IPv4 addresses in the list. */
+
+        if (host_aton(da->address, address) == 1)
+	  if ((address[0] & 0xff000000) != 0x7f000000)    /* 127.0.0.0/8 */
+	    log_write(0, LOG_MAIN,
+	      "DNS list lookup for %s at %s returned %s;"
+	      " not in 127.0/8 and discarded",
+	      keydomain, domain, da->address);
+
+	  else
+	    mask = address[0];
+
+        /* Scan the returned addresses, skipping any that are IPv6 */
+
+        while ((res = string_nextinlist(&ptr, &ipsep, NULL, 0)))
+          if (host_aton(res, address) == 1)
+	    if ((address[0] & mask) == address[0])
+	      break;
+        }
+
+      /* If either
+
+         (a) An IP address in an any ('=') list matched, or
+         (b) No IP address in an all ('==') list matched
+
+      then we're done searching. */
+
+      if (((match_type & MT_ALL) != 0) == (res == NULL)) break;
+      }
+
+    /* If da == NULL, either
+
+       (a) No IP address in an any ('=') list matched, or
+       (b) An IP address in an all ('==') list didn't match
+
+    so behave as if the DNSBL lookup had not succeeded, i.e. the host is not on
+    the list. */
+
+    if ((match_type == MT_NOT || match_type == MT_ALL) != (da == NULL))
+      {
+      HDEBUG(D_dnsbl)
+        {
+        uschar *res = NULL;
+        switch(match_type)
+          {
+          case 0:
+	    res = US"was no match"; break;
+          case MT_NOT:
+	    res = US"was an exclude match"; break;
+          case MT_ALL:
+	    res = US"was an IP address that did not match"; break;
+          case MT_NOT|MT_ALL:
+	    res = US"were no IP addresses that did not match"; break;
+          }
+        debug_printf("=> but we are not accepting this block class because\n");
+        debug_printf("=> there %s for %s%c%s\n",
+          res,
+          match_type & MT_ALL ? "=" : "",
+          bitmask ? '&' : '=', iplist);
+        }
+      yield = FAIL;
+      goto out;
+      }
+    }
+
+  /* No address list check; discard any illegal returns and give up if
+  none remain. */
+
+  else
+    {
+    BOOL ok = FALSE;
+    for (da = cb->rhs; da; da = da->next)
+      {
+      int address[4];
+
+      if (  host_aton(da->address, address) == 1		/* ipv4 */
+	 && (address[0] & 0xff000000) == 0x7f000000	/* 127.0.0.0/8 */
+	 )
+	ok = TRUE;
+      else
+	log_write(0, LOG_MAIN,
+	    "DNS list lookup for %s at %s returned %s;"
+	    " not in 127.0/8 and discarded",
+	    keydomain, domain, da->address);
+      }
+    if (!ok)
+      {
+      yield = FAIL;
+      goto out;
+      }
+    }
+
+  /* Either there was no IP list, or the record matched, implying that the
+  domain is on the list. We now want to find a corresponding TXT record. If an
+  alternate domain is specified for the TXT record, call this function
+  recursively to look that up; this has the side effect of re-checking that
+  there is indeed an A record at the alternate domain. */
+
+  if (domain_txt != domain)
+    {
+    yield = one_check_dnsbl(domain_txt, domain_txt, keydomain, prepend, NULL,
+      FALSE, match_type, defer_return);
+    goto out;
+    }
+
+  /* If there is no alternate domain, look up a TXT record in the main domain
+  if it has not previously been cached. */
+
+  if (!cb->text_set)
+    {
+    cb->text_set = TRUE;
+    if (dns_basic_lookup(dnsa, query, T_TXT) == DNS_SUCCEED)
+      for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+           rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
+        if (rr->type == T_TXT)
+	  {
+	  int len = (rr->data)[0];
+	  if (len > 511) len = 127;
+	  store_pool = POOL_PERM;
+	  cb->text = string_copyn_taint(CUS (rr->data+1), len, GET_TAINTED);
+	  store_pool = old_pool;
+	  break;
+	  }
+    }
+
+  dnslist_value = addlist;
+  dnslist_text = cb->text;
+  yield = OK;
+  goto out;
+  }
+
+/* There was a problem with the DNS lookup */
+
+if (cb->rc != DNS_NOMATCH && cb->rc != DNS_NODATA)
+  {
+  log_write(L_dnslist_defer, LOG_MAIN,
+    "DNS list lookup defer (probably timeout) for %s: %s", query,
+    defer_return == OK ?   US"assumed in list" :
+    defer_return == FAIL ? US"assumed not in list" :
+                            US"returned DEFER");
+  yield = defer_return;
+  goto out;
+  }
+
+/* No entry was found in the DNS; continue for next domain */
+
+HDEBUG(D_dnsbl)
+  {
+  debug_printf("DNS lookup for %s failed\n", query);
+  debug_printf("=> that means %s is not listed at %s\n",
+     keydomain, domain);
+  }
+
+yield = FAIL;
+
+out:
+
+store_free_dns_answer(dnsa);
+return yield;
+}
+
+
+
+
+/*************************************************
+*        Check host against DNS black lists      *
+*************************************************/
+
+/* This function runs checks against a list of DNS black lists, until one
+matches. Each item on the list can be of the form
+
+  domain=ip-address/key
+
+The domain is the right-most domain that is used for the query, for example,
+blackholes.mail-abuse.org. If the IP address is present, there is a match only
+if the DNS lookup returns a matching IP address. Several addresses may be
+given, comma-separated, for example: x.y.z=127.0.0.1,127.0.0.2.
+
+If no key is given, what is looked up in the domain is the inverted IP address
+of the current client host. If a key is given, it is used to construct the
+domain for the lookup. For example:
+
+  dsn.rfc-ignorant.org/$sender_address_domain
+
+After finding a match in the DNS, the domain is placed in $dnslist_domain, and
+then we check for a TXT record for an error message, and if found, save its
+value in $dnslist_text. We also cache everything in a tree, to optimize
+multiple lookups.
+
+The TXT record is normally looked up in the same domain as the A record, but
+when many lists are combined in a single DNS domain, this will not be a very
+specific message. It is possible to specify a different domain for looking up
+TXT records; this is given before the main domain, comma-separated. For
+example:
+
+  dnslists = http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \
+             socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3
+
+The caching ensures that only one lookup in dnsbl.sorbs.net is done.
+
+Note: an address for testing RBL is 192.203.178.39
+Note: an address for testing DUL is 192.203.178.4
+Note: a domain for testing RFCI is example.tld.dsn.rfc-ignorant.org
+
+Arguments:
+  where        the acl type
+  listptr      the domain/address/data list
+  log_msgptr   log message on error
+
+Returns:    OK      successful lookup (i.e. the address is on the list), or
+                      lookup deferred after +include_unknown
+            FAIL    name not found, or no data found for the given type, or
+                      lookup deferred after +exclude_unknown (default)
+            DEFER   lookup failure, if +defer_unknown was set
+*/
+
+int
+verify_check_dnsbl(int where, const uschar ** listptr, uschar ** log_msgptr)
+{
+int sep = 0;
+int defer_return = FAIL;
+const uschar *list = *listptr;
+uschar *domain;
+uschar revadd[128];        /* Long enough for IPv6 address */
+
+/* Indicate that the inverted IP address is not yet set up */
+
+revadd[0] = 0;
+
+/* In case this is the first time the DNS resolver is being used. */
+
+dns_init(FALSE, FALSE, FALSE);	/*XXX dnssec? */
+
+/* Loop through all the domains supplied, until something matches */
+
+while ((domain = string_nextinlist(&list, &sep, NULL, 0)))
+  {
+  int rc;
+  BOOL bitmask = FALSE;
+  int match_type = 0;
+  uschar *domain_txt;
+  uschar *comma;
+  uschar *iplist;
+  uschar *key;
+
+  HDEBUG(D_dnsbl) debug_printf("dnslists check: %s\n", domain);
+
+  /* Deal with special values that change the behaviour on defer */
+
+  if (domain[0] == '+')
+    {
+    if      (strcmpic(domain, US"+include_unknown") == 0) defer_return = OK;
+    else if (strcmpic(domain, US"+exclude_unknown") == 0) defer_return = FAIL;
+    else if (strcmpic(domain, US"+defer_unknown") == 0)   defer_return = DEFER;
+    else
+      log_write(0, LOG_MAIN|LOG_PANIC, "unknown item in dnslist (ignored): %s",
+        domain);
+    continue;
+    }
+
+  /* See if there's explicit data to be looked up */
+
+  if ((key = Ustrchr(domain, '/'))) *key++ = 0;
+
+  /* See if there's a list of addresses supplied after the domain name. This is
+  introduced by an = or a & character; if preceded by = we require all matches
+  and if preceded by ! we invert the result. */
+
+  if (!(iplist = Ustrchr(domain, '=')))
+    {
+    bitmask = TRUE;
+    iplist = Ustrchr(domain, '&');
+    }
+
+  if (iplist)				       /* Found either = or & */
+    {
+    if (iplist > domain && iplist[-1] == '!')  /* Handle preceding ! */
+      {
+      match_type |= MT_NOT;
+      iplist[-1] = 0;
+      }
+
+    *iplist++ = 0;                             /* Terminate domain, move on */
+
+    /* If we found = (bitmask == FALSE), check for == or =& */
+
+    if (!bitmask && (*iplist == '=' || *iplist == '&'))
+      {
+      bitmask = *iplist++ == '&';
+      match_type |= MT_ALL;
+      }
+    }
+
+
+  /* If there is a comma in the domain, it indicates that a second domain for
+  looking up TXT records is provided, before the main domain. Otherwise we must
+  set domain_txt == domain. */
+
+  domain_txt = domain;
+  if ((comma = Ustrchr(domain, ',')))
+    {
+    *comma++ = 0;
+    domain = comma;
+    }
+
+  /* Check that what we have left is a sensible domain name. There is no reason
+  why these domains should in fact use the same syntax as hosts and email
+  domains, but in practice they seem to. However, there is little point in
+  actually causing an error here, because that would no doubt hold up incoming
+  mail. Instead, I'll just log it. */
+
+  for (uschar * s = domain; *s; s++)
+    if (!isalnum(*s) && *s != '-' && *s != '.' && *s != '_')
+      {
+      log_write(0, LOG_MAIN, "dnslists domain \"%s\" contains "
+        "strange characters - is this right?", domain);
+      break;
+      }
+
+  /* Check the alternate domain if present */
+
+  if (domain_txt != domain) for (uschar * s = domain_txt; *s; s++)
+    if (!isalnum(*s) && *s != '-' && *s != '.' && *s != '_')
+      {
+      log_write(0, LOG_MAIN, "dnslists domain \"%s\" contains "
+        "strange characters - is this right?", domain_txt);
+      break;
+      }
+
+  /* If there is no key string, construct the query by adding the domain name
+  onto the inverted host address, and perform a single DNS lookup. */
+
+  if (!key)
+    {
+    if (where == ACL_WHERE_NOTSMTP_START || where == ACL_WHERE_NOTSMTP)
+      {
+      *log_msgptr = string_sprintf
+	("cannot test auto-keyed dnslists condition in %s ACL",
+	  acl_wherenames[where]);
+      return ERROR;
+      }
+    if (!sender_host_address) return FAIL;    /* can never match */
+    if (revadd[0] == 0) invert_address(revadd, sender_host_address);
+    rc = one_check_dnsbl(domain, domain_txt, sender_host_address, revadd,
+      iplist, bitmask, match_type, defer_return);
+    if (rc == OK)
+      {
+      dnslist_domain = string_copy(domain_txt);
+      dnslist_matched = string_copy(sender_host_address);
+      HDEBUG(D_dnsbl) debug_printf("=> that means %s is listed at %s\n",
+        sender_host_address, dnslist_domain);
+      }
+    if (rc != FAIL) return rc;     /* OK or DEFER */
+    }
+
+  /* If there is a key string, it can be a list of domains or IP addresses to
+  be concatenated with the main domain. */
+
+  else
+    {
+    int keysep = 0;
+    BOOL defer = FALSE;
+    uschar *keydomain;
+    uschar keyrevadd[128];
+
+    while ((keydomain = string_nextinlist(CUSS &key, &keysep, NULL, 0)))
+      {
+      uschar *prepend = keydomain;
+
+      if (string_is_ip_address(keydomain, NULL) != 0)
+        {
+        invert_address(keyrevadd, keydomain);
+        prepend = keyrevadd;
+        }
+
+      rc = one_check_dnsbl(domain, domain_txt, keydomain, prepend, iplist,
+        bitmask, match_type, defer_return);
+      if (rc == OK)
+        {
+        dnslist_domain = string_copy(domain_txt);
+        dnslist_matched = string_copy(keydomain);
+        HDEBUG(D_dnsbl) debug_printf("=> that means %s is listed at %s\n",
+          keydomain, dnslist_domain);
+        return OK;
+        }
+
+      /* If the lookup deferred, remember this fact. We keep trying the rest
+      of the list to see if we get a useful result, and if we don't, we return
+      DEFER at the end. */
+
+      if (rc == DEFER) defer = TRUE;
+      }    /* continue with next keystring domain/address */
+
+    if (defer) return DEFER;
+    }
+  }        /* continue with next dnsdb outer domain */
+
+return FAIL;
+}
+
+/* vi: aw ai sw=2
+*/
+/* End of dnsbl.c.c */
diff --git a/src/drtables.c b/src/drtables.c
new file mode 100644
index 0000000..513ef6c
--- /dev/null
+++ b/src/drtables.c
@@ -0,0 +1,818 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "exim.h"
+
+#include <string.h>
+
+/* This module contains tables that define the lookup methods and drivers
+that are actually included in the binary. Its contents are controlled by
+various macros in config.h that ultimately come from Local/Makefile. They are
+all described in src/EDITME. */
+
+
+lookup_info **lookup_list;
+int lookup_list_count = 0;
+
+/* Table of information about all possible authentication mechanisms. All
+entries are always present if any mechanism is declared, but the functions are
+set to NULL for those that are not compiled into the binary. */
+
+#ifdef AUTH_CRAM_MD5
+#include "auths/cram_md5.h"
+#endif
+
+#ifdef AUTH_CYRUS_SASL
+#include "auths/cyrus_sasl.h"
+#endif
+
+#ifdef AUTH_DOVECOT
+#include "auths/dovecot.h"
+#endif
+
+#ifdef AUTH_EXTERNAL
+#include "auths/external.h"
+#endif
+
+#ifdef AUTH_GSASL
+#include "auths/gsasl_exim.h"
+#endif
+
+#ifdef AUTH_HEIMDAL_GSSAPI
+#include "auths/heimdal_gssapi.h"
+#endif
+
+#ifdef AUTH_PLAINTEXT
+#include "auths/plaintext.h"
+#endif
+
+#ifdef AUTH_SPA
+#include "auths/spa.h"
+#endif
+
+#ifdef AUTH_TLS
+#include "auths/tls.h"
+#endif
+
+auth_info auths_available[] = {
+
+/* Checking by an expansion condition on plain text */
+
+#ifdef AUTH_CRAM_MD5
+  {
+  .driver_name =	US"cram_md5",                              /* lookup name */
+  .options =		auth_cram_md5_options,
+  .options_count =	&auth_cram_md5_options_count,
+  .options_block =	&auth_cram_md5_option_defaults,
+  .options_len =	sizeof(auth_cram_md5_options_block),
+  .init =		auth_cram_md5_init,
+  .servercode =		auth_cram_md5_server,
+  .clientcode =		auth_cram_md5_client,
+  .version_report =	NULL,
+  .macros_create =	NULL,
+  },
+#endif
+
+#ifdef AUTH_CYRUS_SASL
+  {
+  .driver_name =	US"cyrus_sasl",
+  .options =		auth_cyrus_sasl_options,
+  .options_count =	&auth_cyrus_sasl_options_count,
+  .options_block =	&auth_cyrus_sasl_option_defaults,
+  .options_len =	sizeof(auth_cyrus_sasl_options_block),
+  .init =		auth_cyrus_sasl_init,
+  .servercode =		auth_cyrus_sasl_server,
+  .clientcode =		NULL,
+  .version_report =	auth_cyrus_sasl_version_report,
+  .macros_create =	NULL,
+  },
+#endif
+
+#ifdef AUTH_DOVECOT
+  {
+  .driver_name =	US"dovecot",
+  .options =		auth_dovecot_options,
+  .options_count =	&auth_dovecot_options_count,
+  .options_block =	&auth_dovecot_option_defaults,
+  .options_len =	sizeof(auth_dovecot_options_block),
+  .init =		auth_dovecot_init,
+  .servercode =		auth_dovecot_server,
+  .clientcode =		NULL,
+  .version_report =	NULL,
+  .macros_create =	NULL,
+  },
+#endif
+
+#ifdef AUTH_EXTERNAL
+  {
+  .driver_name =	US"external",
+  .options =		auth_external_options,
+  .options_count =	&auth_external_options_count,
+  .options_block =	&auth_external_option_defaults,
+  .options_len =	sizeof(auth_external_options_block),
+  .init =		auth_external_init,
+  .servercode =		auth_external_server,
+  .clientcode =		auth_external_client,
+  .version_report =	NULL,
+  .macros_create =	NULL,
+  },
+#endif
+
+#ifdef AUTH_GSASL
+  {
+  .driver_name =	US"gsasl",
+  .options =		auth_gsasl_options,
+  .options_count =	&auth_gsasl_options_count,
+  .options_block =	&auth_gsasl_option_defaults,
+  .options_len =	sizeof(auth_gsasl_options_block),
+  .init =		auth_gsasl_init,
+  .servercode =		auth_gsasl_server,
+  .clientcode =		auth_gsasl_client,
+  .version_report =	auth_gsasl_version_report,
+  .macros_create =	auth_gsasl_macros,
+  },
+#endif
+
+#ifdef AUTH_HEIMDAL_GSSAPI
+  {
+  .driver_name =	US"heimdal_gssapi",
+  .options =		auth_heimdal_gssapi_options,
+  .options_count =	&auth_heimdal_gssapi_options_count,
+  .options_block =	&auth_heimdal_gssapi_option_defaults,
+  .options_len =	sizeof(auth_heimdal_gssapi_options_block),
+  .init =		auth_heimdal_gssapi_init,
+  .servercode =		auth_heimdal_gssapi_server,
+  .clientcode =		NULL,
+  .version_report =	auth_heimdal_gssapi_version_report,
+  .macros_create =	NULL,
+  },
+#endif
+
+#ifdef AUTH_PLAINTEXT
+  {
+  .driver_name =	US"plaintext",
+  .options =		auth_plaintext_options,
+  .options_count =	&auth_plaintext_options_count,
+  .options_block =	&auth_plaintext_option_defaults,
+  .options_len =	sizeof(auth_plaintext_options_block),
+  .init =		auth_plaintext_init,
+  .servercode =		auth_plaintext_server,
+  .clientcode =		auth_plaintext_client,
+  .version_report =	NULL,
+  .macros_create =	NULL,
+  },
+#endif
+
+#ifdef AUTH_SPA
+  {
+  .driver_name =	US"spa",
+  .options =		auth_spa_options,
+  .options_count =	&auth_spa_options_count,
+  .options_block =	&auth_spa_option_defaults,
+  .options_len =	sizeof(auth_spa_options_block),
+  .init =		auth_spa_init,
+  .servercode =		auth_spa_server,
+  .clientcode =		auth_spa_client,
+  .version_report =	NULL,
+  .macros_create =	NULL,
+  },
+#endif
+
+#ifdef AUTH_TLS
+  {
+  .driver_name =	US"tls",
+  .options =		auth_tls_options,
+  .options_count =	&auth_tls_options_count,
+  .options_block =	&auth_tls_option_defaults,
+  .options_len =	sizeof(auth_tls_options_block),
+  .init =		auth_tls_init,
+  .servercode =		auth_tls_server,
+  .clientcode =		NULL,
+  .version_report =	NULL,
+  .macros_create =	NULL,
+  },
+#endif
+
+  { .driver_name = US"" }		/* end marker */
+};
+
+
+/* Tables of information about which routers and transports are included in the
+exim binary. */
+
+/* Pull in the necessary header files */
+
+#include "routers/rf_functions.h"
+
+#ifdef ROUTER_ACCEPT
+#include "routers/accept.h"
+#endif
+
+#ifdef ROUTER_DNSLOOKUP
+#include "routers/dnslookup.h"
+#endif
+
+#ifdef ROUTER_MANUALROUTE
+#include "routers/manualroute.h"
+#endif
+
+#ifdef ROUTER_IPLITERAL
+#include "routers/ipliteral.h"
+#endif
+
+#ifdef ROUTER_IPLOOKUP
+#include "routers/iplookup.h"
+#endif
+
+#ifdef ROUTER_QUERYPROGRAM
+#include "routers/queryprogram.h"
+#endif
+
+#ifdef ROUTER_REDIRECT
+#include "routers/redirect.h"
+#endif
+
+#ifdef TRANSPORT_APPENDFILE
+#include "transports/appendfile.h"
+#endif
+
+#ifdef TRANSPORT_AUTOREPLY
+#include "transports/autoreply.h"
+#endif
+
+#ifdef TRANSPORT_LMTP
+#include "transports/lmtp.h"
+#endif
+
+#ifdef TRANSPORT_PIPE
+#include "transports/pipe.h"
+#endif
+
+#ifdef EXPERIMENTAL_QUEUEFILE
+#include "transports/queuefile.h"
+#endif
+
+#ifdef TRANSPORT_SMTP
+#include "transports/smtp.h"
+#endif
+
+
+/* Now set up the structures, terminated by an entry with a null name. */
+
+router_info routers_available[] = {
+#ifdef ROUTER_ACCEPT
+  {
+  .driver_name =	US"accept",
+  .options =		accept_router_options,
+  .options_count =	&accept_router_options_count,
+  .options_block =	&accept_router_option_defaults,
+  .options_len =	sizeof(accept_router_options_block),
+  .init =		accept_router_init,
+  .code =		accept_router_entry,
+  .tidyup =		NULL,     /* no tidyup entry */
+  .ri_flags =		ri_yestransport
+  },
+#endif
+#ifdef ROUTER_DNSLOOKUP
+  {
+  .driver_name =	US"dnslookup",
+  .options =		dnslookup_router_options,
+  .options_count =	&dnslookup_router_options_count,
+  .options_block =	&dnslookup_router_option_defaults,
+  .options_len =	sizeof(dnslookup_router_options_block),
+  .init =		dnslookup_router_init,
+  .code =		dnslookup_router_entry,
+  .tidyup =		NULL,     /* no tidyup entry */
+  .ri_flags =		ri_yestransport
+  },
+#endif
+#ifdef ROUTER_IPLITERAL
+  {
+  .driver_name =	US"ipliteral",
+  .options =		ipliteral_router_options,
+  .options_count =	&ipliteral_router_options_count,
+  .options_block =	&ipliteral_router_option_defaults,
+  .options_len =	sizeof(ipliteral_router_options_block),
+  .init =		ipliteral_router_init,
+  .code =		ipliteral_router_entry,
+  .tidyup =		NULL,     /* no tidyup entry */
+  .ri_flags =		ri_yestransport
+  },
+#endif
+#ifdef ROUTER_IPLOOKUP
+  {
+  .driver_name =	US"iplookup",
+  .options =		iplookup_router_options,
+  .options_count =	&iplookup_router_options_count,
+  .options_block =	&iplookup_router_option_defaults,
+  .options_len =	sizeof(iplookup_router_options_block),
+  .init =		iplookup_router_init,
+  .code =		iplookup_router_entry,
+  .tidyup =		NULL,     /* no tidyup entry */
+  .ri_flags =		ri_notransport
+  },
+#endif
+#ifdef ROUTER_MANUALROUTE
+  {
+  .driver_name =	US"manualroute",
+  .options =		manualroute_router_options,
+  .options_count =	&manualroute_router_options_count,
+  .options_block =	&manualroute_router_option_defaults,
+  .options_len =	sizeof(manualroute_router_options_block),
+  .init =		manualroute_router_init,
+  .code =		manualroute_router_entry,
+  .tidyup =		NULL,     /* no tidyup entry */
+  .ri_flags =		0
+  },
+#endif
+#ifdef ROUTER_QUERYPROGRAM
+  {
+  .driver_name =	US"queryprogram",
+  .options =		queryprogram_router_options,
+  .options_count =	&queryprogram_router_options_count,
+  .options_block =	&queryprogram_router_option_defaults,
+  .options_len =	sizeof(queryprogram_router_options_block),
+  .init =		queryprogram_router_init,
+  .code =		queryprogram_router_entry,
+  .tidyup =		NULL,     /* no tidyup entry */
+  .ri_flags =		0
+  },
+#endif
+#ifdef ROUTER_REDIRECT
+  {
+  .driver_name =	US"redirect",
+  .options =		redirect_router_options,
+  .options_count =	&redirect_router_options_count,
+  .options_block =	&redirect_router_option_defaults,
+  .options_len =	sizeof(redirect_router_options_block),
+  .init =		redirect_router_init,
+  .code =		redirect_router_entry,
+  .tidyup =		NULL,     /* no tidyup entry */
+  .ri_flags =		ri_notransport
+  },
+#endif
+  { US"" }
+};
+
+
+
+transport_info transports_available[] = {
+#ifdef TRANSPORT_APPENDFILE
+  {
+  .driver_name =	US"appendfile",
+  .options =		appendfile_transport_options,
+  .options_count =	&appendfile_transport_options_count,
+  .options_block =	&appendfile_transport_option_defaults,       /* private options defaults */
+  .options_len =	sizeof(appendfile_transport_options_block),
+  .init =		appendfile_transport_init,
+  .code =		appendfile_transport_entry,
+  .tidyup =		NULL,
+  .closedown =		NULL,
+  .local =		TRUE
+  },
+#endif
+#ifdef TRANSPORT_AUTOREPLY
+  {
+  .driver_name =	US"autoreply",
+  .options =		autoreply_transport_options,
+  .options_count =	&autoreply_transport_options_count,
+  .options_block =	&autoreply_transport_option_defaults,
+  .options_len =	sizeof(autoreply_transport_options_block),
+  .init =		autoreply_transport_init,
+  .code =		autoreply_transport_entry,
+  .tidyup =		NULL,
+  .closedown =		NULL,
+  .local =		TRUE
+  },
+#endif
+#ifdef TRANSPORT_LMTP
+  {
+  .driver_name =	US"lmtp",
+  .options =		lmtp_transport_options,
+  .options_count =	&lmtp_transport_options_count,
+  .options_block =	&lmtp_transport_option_defaults,
+  .options_len =	sizeof(lmtp_transport_options_block),
+  .init =		lmtp_transport_init,
+  .code =		lmtp_transport_entry,
+  .tidyup =		NULL,
+  .closedown =		NULL,
+  .local =		TRUE
+  },
+#endif
+#ifdef TRANSPORT_PIPE
+  {
+  .driver_name =	US"pipe",
+  .options =		pipe_transport_options,
+  .options_count =	&pipe_transport_options_count,
+  .options_block =	&pipe_transport_option_defaults,
+  .options_len =	sizeof(pipe_transport_options_block),
+  .init =		pipe_transport_init,
+  .code =		pipe_transport_entry,
+  .tidyup =		NULL,
+  .closedown =		NULL,
+  .local =		TRUE
+  },
+#endif
+#ifdef EXPERIMENTAL_QUEUEFILE
+  {
+  .driver_name =	US"queuefile",
+  .options =		queuefile_transport_options,
+  .options_count =	&queuefile_transport_options_count,
+  .options_block =	&queuefile_transport_option_defaults,
+  .options_len =	sizeof(queuefile_transport_options_block),
+  .init =		queuefile_transport_init,
+  .code =		queuefile_transport_entry,
+  .tidyup =		NULL,
+  .closedown =		NULL,
+  .local =		TRUE
+  },
+#endif
+#ifdef TRANSPORT_SMTP
+  {
+  .driver_name =	US"smtp",
+  .options =		smtp_transport_options,
+  .options_count =	&smtp_transport_options_count,
+  .options_block =	&smtp_transport_option_defaults,
+  .options_len =	sizeof(smtp_transport_options_block),
+  .init =		smtp_transport_init,
+  .code =		smtp_transport_entry,
+  .tidyup =		NULL,
+  .closedown =		smtp_transport_closedown,
+  .local =		FALSE
+  },
+#endif
+  { US"" }
+};
+
+#ifndef MACRO_PREDEF
+
+gstring *
+auth_show_supported(gstring * g)
+{
+g = string_cat(g, US"Authenticators:");
+for (auth_info * ai = auths_available; ai->driver_name[0]; ai++)
+       	g = string_fmt_append(g, " %s", ai->driver_name);
+return string_cat(g, US"\n");
+}
+
+gstring *
+route_show_supported(gstring * g)
+{
+g = string_cat(g, US"Routers:");
+for (router_info * rr = routers_available; rr->driver_name[0]; rr++)
+       	g = string_fmt_append(g, " %s", rr->driver_name);
+return string_cat(g, US"\n");
+}
+
+gstring *
+transport_show_supported(gstring * g)
+{
+g = string_cat(g, US"Transports:");
+#ifdef TRANSPORT_APPENDFILE
+  g = string_cat(g, US" appendfile");
+  #ifdef SUPPORT_MAILDIR
+    g = string_cat(g, US"/maildir");	/* damn these subclasses */
+  #endif
+  #ifdef SUPPORT_MAILSTORE
+    g = string_cat(g, US"/mailstore");
+  #endif
+  #ifdef SUPPORT_MBX
+    g = string_cat(g, US"/mbx");
+  #endif
+#endif
+#ifdef TRANSPORT_AUTOREPLY
+  g = string_cat(g, US" autoreply");
+#endif
+#ifdef TRANSPORT_LMTP
+  g = string_cat(g, US" lmtp");
+#endif
+#ifdef TRANSPORT_PIPE
+  g = string_cat(g, US" pipe");
+#endif
+#ifdef EXPERIMENTAL_QUEUEFILE
+  g = string_cat(g, US" queuefile");
+#endif
+#ifdef TRANSPORT_SMTP
+  g = string_cat(g, US" smtp");
+#endif
+return string_cat(g, US"\n");
+}
+
+
+
+struct lookupmodulestr
+{
+  void *dl;
+  struct lookup_module_info *info;
+  struct lookupmodulestr *next;
+};
+
+static struct lookupmodulestr *lookupmodules = NULL;
+
+static void
+addlookupmodule(void *dl, struct lookup_module_info *info)
+{
+struct lookupmodulestr *p = store_get(sizeof(struct lookupmodulestr), GET_UNTAINTED);
+
+p->dl = dl;
+p->info = info;
+p->next = lookupmodules;
+lookupmodules = p;
+lookup_list_count += info->lookupcount;
+}
+
+/* only valid after lookup_list and lookup_list_count are assigned */
+static void
+add_lookup_to_list(lookup_info *info)
+{
+/* need to add the lookup to lookup_list, sorted */
+int pos = 0;
+
+/* strategy is to go through the list until we find
+either an empty spot or a name that is higher.
+this can't fail because we have enough space. */
+
+while (lookup_list[pos] && (Ustrcmp(lookup_list[pos]->name, info->name) <= 0))
+  pos++;
+
+if (lookup_list[pos])
+  {
+  /* need to insert it, so move all the other items up
+  (last slot is still empty, of course) */
+
+  memmove(&lookup_list[pos+1], &lookup_list[pos],
+	  sizeof(lookup_info *) * (lookup_list_count-pos-1));
+  }
+lookup_list[pos] = info;
+}
+
+
+/* These need to be at file level for old versions of gcc (2.95.2 reported),
+ * which give parse errors on an extern in function scope.  Each entry needs
+ * to also be invoked in init_lookup_list() below  */
+
+#if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
+extern lookup_module_info cdb_lookup_module_info;
+#endif
+#if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
+extern lookup_module_info dbmdb_lookup_module_info;
+#endif
+#if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
+extern lookup_module_info dnsdb_lookup_module_info;
+#endif
+#if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
+extern lookup_module_info dsearch_lookup_module_info;
+#endif
+#if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
+extern lookup_module_info ibase_lookup_module_info;
+#endif
+#if defined(LOOKUP_JSON)
+extern lookup_module_info json_lookup_module_info;
+#endif
+#if defined(LOOKUP_LDAP)
+extern lookup_module_info ldap_lookup_module_info;
+#endif
+#if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
+extern lookup_module_info lsearch_lookup_module_info;
+#endif
+#if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
+extern lookup_module_info mysql_lookup_module_info;
+#endif
+#if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
+extern lookup_module_info nis_lookup_module_info;
+#endif
+#if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
+extern lookup_module_info nisplus_lookup_module_info;
+#endif
+#if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
+extern lookup_module_info oracle_lookup_module_info;
+#endif
+#if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
+extern lookup_module_info passwd_lookup_module_info;
+#endif
+#if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
+extern lookup_module_info pgsql_lookup_module_info;
+#endif
+#if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
+extern lookup_module_info redis_lookup_module_info;
+#endif
+#if defined(LOOKUP_LMDB)
+extern lookup_module_info lmdb_lookup_module_info;
+#endif
+#if defined(SUPPORT_SPF)
+extern lookup_module_info spf_lookup_module_info;
+#endif
+#if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
+extern lookup_module_info sqlite_lookup_module_info;
+#endif
+#if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
+extern lookup_module_info testdb_lookup_module_info;
+#endif
+#if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
+extern lookup_module_info whoson_lookup_module_info;
+#endif
+
+extern lookup_module_info readsock_lookup_module_info;
+
+
+void
+init_lookup_list(void)
+{
+#ifdef LOOKUP_MODULE_DIR
+DIR *dd;
+struct dirent *ent;
+int countmodules = 0;
+int moduleerrors = 0;
+#endif
+static BOOL lookup_list_init_done = FALSE;
+rmark reset_point;
+
+if (lookup_list_init_done)
+  return;
+reset_point = store_mark();
+lookup_list_init_done = TRUE;
+
+#if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
+addlookupmodule(NULL, &cdb_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
+addlookupmodule(NULL, &dbmdb_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
+addlookupmodule(NULL, &dnsdb_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
+addlookupmodule(NULL, &dsearch_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
+addlookupmodule(NULL, &ibase_lookup_module_info);
+#endif
+
+#ifdef LOOKUP_LDAP
+addlookupmodule(NULL, &ldap_lookup_module_info);
+#endif
+
+#ifdef LOOKUP_JSON
+addlookupmodule(NULL, &json_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
+addlookupmodule(NULL, &lsearch_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
+addlookupmodule(NULL, &mysql_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
+addlookupmodule(NULL, &nis_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
+addlookupmodule(NULL, &nisplus_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
+addlookupmodule(NULL, &oracle_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
+addlookupmodule(NULL, &passwd_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
+addlookupmodule(NULL, &pgsql_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
+addlookupmodule(NULL, &redis_lookup_module_info);
+#endif
+
+#ifdef LOOKUP_LMDB
+addlookupmodule(NULL, &lmdb_lookup_module_info);
+#endif
+
+#ifdef SUPPORT_SPF
+addlookupmodule(NULL, &spf_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
+addlookupmodule(NULL, &sqlite_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
+addlookupmodule(NULL, &testdb_lookup_module_info);
+#endif
+
+#if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
+addlookupmodule(NULL, &whoson_lookup_module_info);
+#endif
+
+addlookupmodule(NULL, &readsock_lookup_module_info);
+
+#ifdef LOOKUP_MODULE_DIR
+if (!(dd = exim_opendir(LOOKUP_MODULE_DIR)))
+  {
+  DEBUG(D_lookup) debug_printf("Couldn't open %s: not loading lookup modules\n", LOOKUP_MODULE_DIR);
+  log_write(0, LOG_MAIN, "Couldn't open %s: not loading lookup modules\n", LOOKUP_MODULE_DIR);
+  }
+else
+  {
+  const pcre2_code *regex_islookupmod = regex_must_compile(
+    US"\\." DYNLIB_FN_EXT "$", FALSE, TRUE);
+
+  DEBUG(D_lookup) debug_printf("Loading lookup modules from %s\n", LOOKUP_MODULE_DIR);
+  while ((ent = readdir(dd)))
+    {
+    char * name = ent->d_name;
+    int len = (int)strlen(name);
+    if (regex_match(regex_islookupmod, US name, len, NUL))
+      {
+      int pathnamelen = len + (int)strlen(LOOKUP_MODULE_DIR) + 2;
+      void *dl;
+      struct lookup_module_info *info;
+      const char *errormsg;
+
+      /* SRH: am I being paranoid here or what? */
+      if (pathnamelen > big_buffer_size)
+	{
+	fprintf(stderr, "Loading lookup modules: %s/%s: name too long\n", LOOKUP_MODULE_DIR, name);
+	log_write(0, LOG_MAIN|LOG_PANIC, "%s/%s: name too long\n", LOOKUP_MODULE_DIR, name);
+	continue;
+	}
+
+      /* SRH: snprintf here? */
+      sprintf(CS big_buffer, "%s/%s", LOOKUP_MODULE_DIR, name);
+
+      if (!(dl = dlopen(CS big_buffer, RTLD_NOW)))
+	{
+	errormsg = dlerror();
+	fprintf(stderr, "Error loading %s: %s\n", name, errormsg);
+	log_write(0, LOG_MAIN|LOG_PANIC, "Error loading lookup module %s: %s\n", name, errormsg);
+	moduleerrors++;
+	continue;
+	}
+
+      /* FreeBSD nsdispatch() can trigger dlerror() errors about
+      _nss_cache_cycle_prevention_function; we need to clear the dlerror()
+      state before calling dlsym(), so that any error afterwards only comes
+      from dlsym().  */
+
+      errormsg = dlerror();
+
+      info = (struct lookup_module_info*) dlsym(dl, "_lookup_module_info");
+      if ((errormsg = dlerror()))
+	{
+	fprintf(stderr, "%s does not appear to be a lookup module (%s)\n", name, errormsg);
+	log_write(0, LOG_MAIN|LOG_PANIC, "%s does not appear to be a lookup module (%s)\n", name, errormsg);
+	dlclose(dl);
+	moduleerrors++;
+	continue;
+	}
+      if (info->magic != LOOKUP_MODULE_INFO_MAGIC)
+	{
+	fprintf(stderr, "Lookup module %s is not compatible with this version of Exim\n", name);
+	log_write(0, LOG_MAIN|LOG_PANIC, "Lookup module %s is not compatible with this version of Exim\n", name);
+	dlclose(dl);
+	moduleerrors++;
+	continue;
+	}
+
+      addlookupmodule(dl, info);
+      DEBUG(D_lookup) debug_printf("Loaded \"%s\" (%d lookup types)\n", name, info->lookupcount);
+      countmodules++;
+      }
+    }
+  store_free((void*)regex_islookupmod);
+  closedir(dd);
+  }
+
+DEBUG(D_lookup) debug_printf("Loaded %d lookup modules\n", countmodules);
+#endif
+
+DEBUG(D_lookup) debug_printf("Total %d lookups\n", lookup_list_count);
+
+lookup_list = store_malloc(sizeof(lookup_info *) * lookup_list_count);
+memset(lookup_list, 0, sizeof(lookup_info *) * lookup_list_count);
+
+/* now add all lookups to the real list */
+for (struct lookupmodulestr * p = lookupmodules; p; p = p->next)
+  for (int j = 0; j < p->info->lookupcount; j++)
+    add_lookup_to_list(p->info->lookups[j]);
+store_reset(reset_point);
+/* just to be sure */
+lookupmodules = NULL;
+}
+
+#endif	/*!MACRO_PREDEF*/
+/* End of drtables.c */
diff --git a/src/dummies.c b/src/dummies.c
new file mode 100644
index 0000000..38b514b
--- /dev/null
+++ b/src/dummies.c
@@ -0,0 +1,139 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) The Exim Maintainers 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This file is not part of the main Exim code. There are little bits of test
+code for some of Exim's modules, and when they are used, the module they are
+testing may call other main Exim functions that are not available and/or
+should not be used in a test. The classic case is log_write(). This module
+contains dummy versions of such functions - well not really dummies, more like
+alternates. */
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+
+/* We don't have the full Exim headers dragged in, but this function
+is used for debugging output. */
+
+extern gstring * string_vformat(gstring *, unsigned, const char *, va_list);
+
+
+/*************************************************
+*         Handle calls to write the log          *
+*************************************************/
+
+/* The message gets written to stderr when log_write() is called from a
+utility. The message always gets '\n' added on the end of it.
+
+Arguments:
+  selector  not relevant when running a utility
+  flags     not relevant when running a utility
+  format    a printf() format
+  ...       arguments for format
+
+Returns:    nothing
+*/
+
+void
+log_write(unsigned int selector, int flags, char *format, ...)
+{
+va_list ap;
+va_start(ap, format);
+vfprintf(stderr, format, ap);
+fprintf(stderr, "\n");
+va_end(ap);
+}
+
+
+/*************************************************
+*      Handle calls to print debug output        *
+*************************************************/
+
+/* The message just gets written to stderr.
+We use tainted memory to format into just so that we can handle
+tainted arguments.
+
+Arguments:
+  format    a printf() format
+  ...       arguments for format
+
+Returns:    nothing
+*/
+
+void
+debug_printf(char *format, ...)
+{
+va_list ap;
+rmark reset_point = store_mark();
+gstring * g = string_get_tainted(1024, TRUE);
+
+va_start(ap, format);
+
+if (!string_vformat(g, 0, format, ap))
+  {
+  char * s = "**** debug string overflowed buffer ****\n";
+  char * p = CS g->s + g->ptr;
+  int maxlen = g->size - (int)strlen(s) - 3;
+  if (p > g->s + maxlen) p = g->s + maxlen;
+  if (p > g->s && p[-1] != '\n') *p++ = '\n';
+  strcpy(p, s);
+  }
+
+fprintf(stderr, "%s", string_from_gstring(g));
+fflush(stderr);
+store_reset(reset_point);
+va_end(ap);
+}
+
+
+
+/*************************************************
+*              SIGALRM handler                   *
+*************************************************/
+
+extern int sigalrm_seen;
+
+void
+sigalrm_handler(int sig)
+{
+sigalrm_seen = TRUE;
+}
+
+
+
+/*************************************************
+*              Complete Dummies                  *
+*************************************************/
+
+int
+header_checkname(void *h, char *name, int len)
+{
+return 0;
+}
+
+void
+directory_make(char *parent, char *name, int mode, int panic)
+{
+}
+
+void
+host_build_sender_fullhost(void) { }
+
+/* This one isn't needed for test_host */
+
+#ifndef TEST_HOST
+char *
+host_ntoa(int type, const void *arg, char *buffer, int *portptr)
+{
+return NULL;
+}
+#endif
+
+
+/* End of dummies.c */
diff --git a/src/enq.c b/src/enq.c
new file mode 100644
index 0000000..f7f8c9c
--- /dev/null
+++ b/src/enq.c
@@ -0,0 +1,123 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* Copyright (c) The Exim Maintainers 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions concerned with serialization. */
+
+
+#include "exim.h"
+
+
+
+
+/*************************************************
+*       Test for host or ETRN serialization      *
+*************************************************/
+
+/* This function is called when a host is listed for serialization of
+connections. It is also called when ETRN is listed for serialization. We open
+the misc database and look for a record, which implies an existing connection
+or ETRN run. If increasing the count would take us past the given limit
+value return FALSE.  If not, bump it and return TRUE.  If not found, create
+one with value 1 and return TRUE.
+
+Arguments:
+  key            string on which to serialize
+  lim            parallelism limit
+
+Returns:         TRUE if OK to proceed; FALSE otherwise
+*/
+
+
+BOOL
+enq_start(uschar *key, unsigned lim)
+{
+dbdata_serialize *serial_record;
+dbdata_serialize new_record;
+open_db dbblock;
+open_db *dbm_file;
+
+DEBUG(D_transport) debug_printf("check serialized: %s\n", key);
+
+/* Open and lock the waiting information database. The absence of O_CREAT is
+deliberate; the dbfn_open() function - which is an Exim function - always tries
+to create if it can't open a read/write file. It expects only O_RDWR or
+O_RDONLY as its argument. */
+
+if (!(dbm_file = dbfn_open(US"misc", O_RDWR, &dbblock, TRUE, TRUE)))
+  return FALSE;
+
+/* See if there is a record for this host or queue run; if there is, we cannot
+proceed with the connection unless the record is very old. */
+
+serial_record = dbfn_read_enforce_length(dbm_file, key, sizeof(dbdata_serialize));
+if (serial_record && time(NULL) - serial_record->time_stamp < 6*60*60)
+  {
+  if (serial_record->count >= lim)
+    {
+    dbfn_close(dbm_file);
+    DEBUG(D_transport) debug_printf("outstanding serialization record for %s\n",
+      key);
+    return FALSE;
+    }
+  new_record.count = serial_record->count + 1;
+  }
+else
+  new_record.count = 1;
+
+/* We can proceed - insert a new record or update the old one. */
+
+DEBUG(D_transport) debug_printf("write serialization record for %s val %d\n",
+      key, new_record.count);
+dbfn_write(dbm_file, key, &new_record, (int)sizeof(dbdata_serialize));
+dbfn_close(dbm_file);
+return TRUE;
+}
+
+
+
+/*************************************************
+*              Release serialization             *
+*************************************************/
+
+/* This function is called when a serialized host's connection or serialized
+ETRN queue run ends. We open the relevant database and delete its record.
+
+Arguments:
+  key          the serialization key
+
+Returns:       nothing
+*/
+
+void
+enq_end(uschar *key)
+{
+open_db dbblock;
+open_db *dbm_file;
+dbdata_serialize *serial_record;
+
+DEBUG(D_transport) debug_printf("end serialized: %s\n", key);
+
+if (  !(dbm_file = dbfn_open(US"misc", O_RDWR, &dbblock, TRUE, TRUE))
+   || !(serial_record = dbfn_read_enforce_length(dbm_file, key, sizeof(dbdata_serialize)))
+   )
+  return;
+if (--serial_record->count > 0)
+  {
+  DEBUG(D_transport) debug_printf("write serialization record for %s val %d\n",
+      key, serial_record->count);
+  dbfn_write(dbm_file, key, serial_record, (int)sizeof(dbdata_serialize));
+  }
+else
+  {
+  DEBUG(D_transport) debug_printf("remove serialization record for %s\n", key);
+  dbfn_delete(dbm_file, key);
+  }
+dbfn_close(dbm_file);
+}
+
+/* End of enq.c */
diff --git a/src/environment.c b/src/environment.c
new file mode 100644
index 0000000..9cb90c8
--- /dev/null
+++ b/src/environment.c
@@ -0,0 +1,83 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Heiko Schlittermann 2016
+ * hs@schlittermann.de
+ * See the file NOTICE for conditions of use and distribution.
+ */
+
+#include "exim.h"
+
+extern char **environ;
+
+/* The cleanup_environment() function is used during the startup phase
+of the Exim process, right after reading the configurations main
+part, before any expansions take place. It retains the environment
+variables we trust (via the keep_environment option) and allows to
+set additional variables (via add_environment).
+
+Returns:    TRUE if successful
+            FALSE otherwise
+*/
+
+BOOL
+cleanup_environment()
+{
+int old_pool = store_pool;
+store_pool = POOL_PERM;		/* Need perm memory for any created env vars */
+
+if (!keep_environment || *keep_environment == '\0')
+  {
+  /* From: https://github.com/dovecot/core/blob/master/src/lib/env-util.c#L55
+  Try to clear the environment.
+  a) environ = NULL crashes on OS X.
+  b) *environ = NULL doesn't work on FreeBSD 7.0.
+  c) environ = emptyenv doesn't work on Haiku OS
+  d) environ = calloc() should work everywhere */
+
+  if (environ) *environ = NULL;
+
+  }
+else if (Ustrcmp(keep_environment, "*") != 0)
+  {
+  rmark reset_point = store_mark();
+  if (environ) for (uschar ** p = USS environ; *p; /* see below */)
+    {
+    /* It's considered broken if we do not find the '=', according to
+    Florian Weimer. For now we ignore such strings. unsetenv() would complain,
+    getenv() would complain. */
+    uschar * eqp = Ustrchr(*p, '=');
+
+    if (eqp)
+      {
+      uschar * name = string_copyn(*p, eqp - *p);
+
+      if (OK != match_isinlist(name, CUSS &keep_environment,
+          0, NULL, NULL, MCL_NOEXPAND, FALSE, NULL))
+        if (os_unsetenv(name) < 0) return FALSE;
+        else p = USS environ; /* RESTART from the beginning */
+      else p++;
+      }
+    }
+  store_reset(reset_point);
+  }
+if (add_environment)
+  {
+  uschar * p;
+  int sep = 0;
+  const uschar * envlist = add_environment;
+
+  while ((p = string_nextinlist(&envlist, &sep, NULL, 0)))
+    {
+    DEBUG(D_expand) debug_printf("adding %s\n", p);
+    putenv(CS p);
+    }
+  }
+#ifndef DISABLE_TLS
+tls_clean_env();
+#endif
+
+store_pool = old_pool;
+return TRUE;
+}
diff --git a/src/exicyclog.src b/src/exicyclog.src
new file mode 100644
index 0000000..20bf9fc
--- /dev/null
+++ b/src/exicyclog.src
@@ -0,0 +1,350 @@
+#! /bin/sh
+
+# Copyright (c) University of Cambridge, 1995 - 2015
+# See the file NOTICE for conditions of use and distribution.
+
+# This script takes the following command line arguments:
+# -l dir	Log file directory
+# -k days	Number of days to keep the log files
+
+# Except when they appear in comments, the following placeholders in this
+# source are replaced when it is turned into a runnable script:
+#
+# CONFIGURE_FILE_USE_NODE
+# CONFIGURE_FILE_USE_EUID
+# CONFIGURE_FILE
+# BIN_DIRECTORY
+# EXICYCLOG_MAX
+# COMPRESS_COMMAND
+# COMPRESS_SUFFIX
+# CHOWN_COMMAND
+# CHGRP_COMMAND
+# CHMOD_COMMAND
+# TOUCH_COMMAND
+# MV_COMMAND
+# RM_COMMAND
+
+# PROCESSED_FLAG
+
+# This is a shell script for cycling exim main and reject log files. Each time
+# it is run, the files get "shuffled down" by one, the current one (e.g.
+# mainlog) becoming mainlog.01, the previous mainlog.01 becoming mainlog.02,
+# and so on, up to the limit configured here. When the number to keep is
+# greater than 99 (not common, but some people do it), three digits are used
+# (e.g. mainlog.001). The same shuffling happens to the reject logs. All
+# renamed files with numbers greater than 1 are compressed.
+
+# This script should be called regularly (e.g. daily) by a root crontab
+# entry of the form
+
+# 1 0 * * *   /opt/exim/bin/exicyclog
+
+# The following lines are generated from Exim's configuration file when
+# this source is built into a script, but you can subsequently edit them
+# without rebuilding things, as long are you are careful not to overwrite
+# the script in the next Exim rebuild/install. "Keep" is the number of old log
+# files that are required to be kept. Its value can be overridden by the -k
+# command line option. "Compress" and "suffix" define your chosen compression
+# method. The others are provided because the location of certain commands
+# varies from OS to OS. Sigh.
+
+keep=EXICYCLOG_MAX
+compress=COMPRESS_COMMAND
+suffix=COMPRESS_SUFFIX
+
+chgrp=CHGRP_COMMAND
+chmod=CHMOD_COMMAND
+chown=CHOWN_COMMAND
+mv=MV_COMMAND
+rm=RM_COMMAND
+touch=TOUCH_COMMAND
+
+# End of editable lines
+#########################################################################
+
+# Sort out command line options.
+
+while [ $# -gt 0 ] ; do
+  case "$1" in
+  -l) log_file_path=$2
+      shift
+      ;;
+  -k) keep=$2
+      shift
+      ;;
+   --version)
+      echo "`basename $0`: $0"
+      echo "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION"
+      exit 0
+      ;;
+   *) echo "** exicyclog: unknown option $1"
+      exit 1
+      ;;
+   esac
+   shift
+done
+
+# Some operating systems have different versions in which the commands live
+# in different places. We have a fudge that will search the usual suspects if
+# requested.
+
+for cmd in chgrp chmod chown mv rm touch; do
+  eval "oldcmd=\$$cmd"
+  if [ "$oldcmd" != "look_for_it" ] ; then continue ; fi
+  newcmd=$cmd
+  for dir in /bin /usr/bin /usr/sbin /usr/etc ; do
+    if [ -f $dir/$cmd ] ; then
+      newcmd=$dir/$cmd
+      break
+    fi
+  done
+  eval $cmd=$newcmd
+done
+
+# See if this installation is using the esoteric "USE_EUID" feature of Exim,
+# in which it uses the effective user id as a suffix for the configuration file
+# name. In order for this to work, exicyclog must be run under the appropriate
+# euid.
+
+if [ "CONFIGURE_FILE_USE_EUID" = "yes" ]; then
+  euid=.`id -u`
+fi
+
+# See if this installation is using the esoteric "USE_NODE" feature of Exim,
+# in which it uses the host's name as a suffix for the configuration file name.
+
+if [ "CONFIGURE_FILE_USE_NODE" = "yes" ]; then
+  hostsuffix=.`uname -n`
+fi
+
+# Now find the configuration file name. This has got complicated because the
+# CONFIGURE_FILE value may now be a list of files. The one that is used is the
+# first one that exists. Mimic the code in readconf.c by testing first for the
+# suffixed file in each case.
+
+set `awk -F: '{ for (i = 1; i <= NF; i++) print $i }' <<End
+CONFIGURE_FILE
+End
+`
+while [ "$config" = "" -a $# -gt 0 ] ; do
+  if [ -f "$1$euid$hostsuffix" ] ; then
+    config="$1$euid$hostsuffix"
+  elif [ -f "$1$euid" ] ; then
+    config="$1$euid"
+  elif [ -f "$1$hostsuffix" ] ; then
+    config="$1$hostsuffix"
+  elif [ -f "$1" ] ; then
+    config="$1"
+  fi
+  shift
+done
+
+# Determine if the log file path is set, and where the spool directory is.
+# Search for an exim_path setting in the configure file; otherwise use the bin
+# directory. Call that version of Exim to find the spool directory and log file
+# path, unless log_file_path was set above by a command line option. BEWARE: a
+# tab character is needed in the command below. It has had a nasty tendency to
+# get lost in the past. Use a variable to hold a space and a tab to keep the
+# tab in one place.
+
+st='	 '
+exim_path=`grep "^[$st]*exim_path" $config | sed "s/.*=[$st]*//"`
+if test "$exim_path" = ""; then exim_path=BIN_DIRECTORY/exim; fi
+
+spool_directory=`$exim_path -C $config -bP spool_directory | sed 's/.*=[  ]*//'`
+
+if [ "$log_file_path" = "" ] ; then
+  log_file_path=`$exim_path -C $config -bP log_file_path | sed 's/.*=[  ]*//'`
+fi
+
+# If log_file_path contains only "syslog" then no Exim log files are in use.
+# We can't cycle anything. Complain and give up.
+
+if [ "$log_file_path" = "syslog" ] ; then
+  echo "*** Exim is logging to syslog - no log files to cycle ***"
+  exit 1
+fi
+
+# Otherwise, remove ":syslog" or "syslog:" (some spaces allowed) and inspect
+# what remains. The simplistic regex originally used failed when a filename
+# contained "syslog", so we have to use three less general ones, because sed
+# doesn't have much power in its regexs.
+
+log_file_path=`echo "$log_file_path" | \
+  sed 's/^ *:\{0,1\} *syslog *:\{0,1\} *//;s/: *syslog *:/:/;s/: *syslog *$//'`
+
+# If log_file_path is empty, try and get the compiled in default by using
+# /dev/null as the configuration file.
+
+if [ "$log_file_path" = "" ]; then
+  log_file_path=`$exim_path -C /dev/null -bP log_file_path | sed 's/.*=[  ]*//'`
+  log_file_path=`echo "$log_file_path" | \
+    sed 's/^ *:\{0,1\} *syslog *:\{0,1\} *//;s/: *syslog *:/:/;s/: *syslog *$//'`
+fi
+
+# If log_file_path is still empty, the logs we are interested in are probably
+# called "mainlog" and "rejectlog" in the directory called "log" in the spool
+# directory. Otherwise we fish out the directory from the given path, and also
+# the names of the logs.
+
+if [ "$log_file_path" = "" ]; then
+  logdir=$spool_directory/log
+  mainlog=mainlog
+  rejectlog=rejectlog
+  paniclog=paniclog
+else
+  logdir=`echo $log_file_path | sed 's?/[^/]*$??'`
+  logbase=`echo $log_file_path | sed 's?^.*/??'`
+  mainlog=`echo $logbase | sed 's/%s/main/'`
+  rejectlog=`echo $logbase | sed 's/%s/reject/'`
+  paniclog=`echo $logbase | sed 's/%s/panic/'`
+fi
+
+# Get into the log directory to do the business.
+
+cd $logdir || exit 1
+
+# If there is no main log file, do nothing.
+
+if [ ! -f $mainlog ]; then exit; fi
+
+# Find out the owner and group of the main log file so that we can re-instate
+# this on moved and compressed files, since some operating systems may change
+# things. This is a tedious bit of code, but it should work both in operating
+# systems where the -l option of ls gives the user and group, and those in which
+# you need -lg. The condition is that, if the fifth field of the output from
+# ls consists entirely of digits, then the third and fourth fields are the user
+# and group.
+
+a=`ls -lg $mainlog`
+b=`ls -l  $mainlog`
+
+# These statements work fine in the Bourne or Korn shells, but not in Bash.
+# So for the benefit of systems whose /bin/sh is really Bash, they have been
+# changed to a messier form.
+
+# user=`echo "$a\n$b\n" | awk 'BEGIN { OFS=""} { if ($5 ~ /^[0-9]+$/) print $3; }'`
+# group=`echo "$a\n$b\n" | awk 'BEGIN { OFS=""} { if ($5 ~ /^[0-9]+$/) print $4; }'`
+
+user=`echo "$a
+$b
+" | awk 'BEGIN { OFS=""} { if ($5 ~ /^[0-9]+$/) { print $3; exit; } }'`
+
+group=`echo "$a
+$b
+" | awk 'BEGIN { OFS=""} { if ($5 ~ /^[0-9]+$/) { print $4; exit; } }'`
+
+# Now do the job. First remove the files that have "fallen off the bottom".
+# Look for both the compressed and uncompressed forms.
+
+if [ $keep -lt 10 ]; then rotation=0$keep; else rotation=$keep; fi;
+
+if [ -f $mainlog.$rotation ]; then $rm $mainlog.$rotation; fi;
+if [ -f $mainlog.$rotation.$suffix ]; then $rm $mainlog.$rotation.$suffix; fi;
+
+if [ -f $rejectlog.$rotation ]; then $rm $rejectlog.$rotation; fi;
+if [ -f $rejectlog.$rotation.$suffix ]; then $rm $rejectlog.$rotation.$suffix; fi;
+
+if [ -f $paniclog.$rotation ]; then $rm $paniclog.$rotation; fi;
+if [ -f $paniclog.$rotation.$suffix ]; then $rm $paniclog.$rotation.$suffix; fi;
+
+# Now rename all the previous old files by increasing their numbers by 1.
+# When the number is less than 10, insert a leading zero.
+
+count=$keep
+if [ $count -lt 10 ]; then countt=0$count; else countt=$count; fi
+
+while [ $count -gt 1 ]; do
+  old=`expr -- $count - 1`
+  if [ $keep -gt 99 ]; then
+    if   [ $old -lt 10 ]; then oldt=00$old
+    elif [ $old -lt 100 ]; then oldt=0$old
+    else oldt=$old
+    fi
+  else
+    if [ $old -lt 10 ]; then oldt=0$old; else oldt=$old; fi;
+  fi
+  if [ -f $mainlog.$oldt ]; then
+    $mv $mainlog.$oldt $mainlog.$countt
+  elif [ -f $mainlog.$oldt.$suffix ]; then
+    $mv $mainlog.$oldt.$suffix $mainlog.$countt.$suffix
+  fi
+  if [ -f $rejectlog.$oldt ]; then
+    $mv $rejectlog.$oldt $rejectlog.$countt
+  elif [ -f $rejectlog.$oldt.$suffix ]; then
+    $mv $rejectlog.$oldt.$suffix $rejectlog.$countt.$suffix
+  fi
+  if [ -f $paniclog.$oldt ]; then
+    $mv $paniclog.$oldt $paniclog.$countt
+  elif [ -f $paniclog.$oldt.$suffix ]; then
+    $mv $paniclog.$oldt.$suffix $paniclog.$countt.$suffix
+  fi
+  count=$old
+  countt=$oldt
+done
+
+# Now rename the current files as 01 or 001 if keeping more than 99
+
+if [ $keep -gt 99 ]; then first=001; else first=01; fi
+
+# Grab our pid ro avoid race in file creation
+ourpid=$$
+
+if [ -f $mainlog ]; then
+  $mv $mainlog $mainlog.$first
+  $chown $user:$group $mainlog.$first
+  $touch $mainlog.$ourpid
+  $chown $user:$group $mainlog.$ourpid
+  $chmod 640 $mainlog.$ourpid
+  $mv $mainlog.$ourpid $mainlog
+fi
+
+if [ -f $rejectlog ]; then
+  $mv $rejectlog $rejectlog.$first
+  $chown $user:$group $rejectlog.$first
+  $touch $rejectlog.$ourpid
+  $chown $user:$group $rejectlog.$ourpid
+  $chmod 640 $rejectlog.$ourpid
+  $mv $rejectlog.$ourpid $rejectlog
+fi
+
+if [ -f $paniclog ]; then
+  $mv $paniclog $paniclog.$first
+  $chown $user:$group $paniclog.$first
+  $touch $paniclog.$ourpid
+  $chown $user:$group $paniclog.$ourpid
+  $chmod 640 $paniclog.$ourpid
+  $mv $paniclog.$ourpid $paniclog
+fi
+
+# Now scan the (0)02 and later files, compressing where necessary, and
+# ensuring that their owners and groups are correct.
+
+count=2;
+
+while [ $count -le $keep ]; do
+  if [ $keep -gt 99 ]; then
+    if   [ $count -lt 10 ]; then countt=00$count
+    elif [ $count -lt 100 ]; then countt=0$count
+    else countt=$count
+    fi
+  else
+    if [ $count -lt 10 ]; then countt=0$count; else countt=$count; fi
+  fi
+  if [ -f $mainlog.$countt ]; then $compress $mainlog.$countt; fi
+  if [ -f $mainlog.$countt.$suffix ]; then
+    $chown $user:$group $mainlog.$countt.$suffix
+  fi
+  if [ -f $rejectlog.$countt ]; then $compress $rejectlog.$countt; fi
+  if [ -f $rejectlog.$countt.$suffix ]; then
+    $chown $user:$group $rejectlog.$countt.$suffix
+  fi
+  if [ -f $paniclog.$countt ]; then $compress $paniclog.$countt; fi
+  if [ -f $paniclog.$countt.$suffix ]; then
+    $chown $user:$group $paniclog.$countt.$suffix
+  fi
+
+  count=`expr -- $count + 1`
+done
+
+# End of exicyclog
diff --git a/src/exigrep.src b/src/exigrep.src
new file mode 100644
index 0000000..2c414fd
--- /dev/null
+++ b/src/exigrep.src
@@ -0,0 +1,380 @@
+#! PERL_COMMAND
+
+use warnings;
+use strict;
+BEGIN { pop @INC if $INC[-1] eq '.' };
+
+use Pod::Usage;
+use Getopt::Long qw(:config no_ignore_case);
+use File::Basename;
+
+# Copyright (c) 2007-2017 University of Cambridge.
+# Copyright (c) The Exim Maintainers 2020 - 2021
+# See the file NOTICE for conditions of use and distribution.
+
+# Except when they appear in comments, the following placeholders in this
+# source are replaced when it is turned into a runnable script:
+#
+# PERL_COMMAND
+# ZCAT_COMMAND
+# COMPRESS_SUFFIX
+
+# PROCESSED_FLAG
+
+# This is a perl script which extracts from an Exim log all entries
+# for all messages that have an entry that matches a given pattern.
+# If *any* entry for a particular message matches the pattern, *all*
+# entries for that message are displayed.
+
+# We buffer up information on a per-message basis. It is done this way rather
+# than reading the input twice so that the input can be a pipe.
+
+# There must be one argument, which is the pattern. Subsequent arguments
+# are the files to scan; if none, the standard input is read. If any file
+# appears to be compressed, it is passed through zcat. We can't just do this
+# for all files, because zcat chokes on non-compressed files.
+
+# Performance optimized in 02/02/2007 by Jori Hamalainen
+# Typical run time acceleration: 4 times
+
+
+use POSIX qw(mktime);
+
+
+# This subroutine converts a time/date string from an Exim log line into
+# the number of seconds since the epoch. It handles optional timezone
+# information.
+
+sub seconds
+  {
+  my($year,$month,$day,$hour,$min,$sec,$tzs,$tzh,$tzm) =
+    $_[0] =~ /^(\d{4})-(\d\d)-(\d\d)\s(\d\d):(\d\d):(\d\d)(?:.\d+)?(?>\s([+-])(\d\d)(\d\d))?/o;
+
+  my $seconds = mktime $sec, $min, $hour, $day, $month - 1, $year - 1900;
+
+  if (defined $tzs)
+    {
+    $seconds -= $tzh * 3600 + $tzm * 60 if $tzs eq "+";
+    $seconds += $tzh * 3600 + $tzm * 60 if $tzs eq "-";
+    }
+
+  return $seconds;
+  }
+
+
+# This subroutine processes a single line (in $_) from a log file. Program
+# defensively against short lines finding their way into the log.
+
+my (%saved, %id_list, $pattern);
+
+my $queue_time  = -1;
+my $insensitive = 1;
+my $invert      = 0;
+my $related     = 0;
+my $use_pager   = 1;
+my $literal     = 0;
+
+
+# If using "related" option, have to track extra message IDs
+my $related_re='';
+my @Mids = ();
+
+sub do_line
+  {
+
+  # Convert syslog lines to mainlog format, as in eximstats.
+
+  if (!/^\d{4}-/o) { $_ =~ s/^.*? exim\b.*?: //o; }
+
+  return unless
+    my($date,$id) = /^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d(?:\.\d+)? (?:[+-]\d{4} )?)(?:\[\d+\] )?(\w{6}\-\w{6}\-\w{2})?/o;
+
+  # Handle the case when the log line belongs to a specific message. We save
+  # lines for specific messages until the message is complete. Then either print
+  # or discard.
+
+  if (defined $id)
+    {
+    $saved{$id} = '' unless defined($saved{$id});
+
+    # Save up the data for this message in case it becomes interesting later.
+
+    $saved{$id} .= $_;
+
+    # Are we interested in this id ? Short circuit if we already were interested.
+
+    if ($invert)
+      {
+      $id_list{$id} = 1 if (!defined($id_list{$id}));
+      $id_list{$id} = 0 if (($insensitive && /$pattern/io) || /$pattern/o);
+      }
+    else
+      {
+      if (defined $id_list{$id} ||
+	($insensitive && /$pattern/io) || /$pattern/o)
+	{
+	$id_list{$id} = 1;
+	get_related_ids($id) if $related;
+	}
+      elsif ($related && $related_re)
+	{
+	grep_for_related($_, $id);
+	}
+      }
+
+    # See if this is a completion for some message. If it is interesting,
+    # print it, but in any event, throw away what was saved.
+
+    if (index($_, 'Completed') != -1 ||
+	index($_, 'SMTP data timeout') != -1 ||
+	  (index($_, 'rejected') != -1 &&
+	    /^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d(?:\.\d+)? (?:[+-]\d{4} )?)(?:\[\d+\] )?\w{6}\-\w{6}\-\w{2} rejected/o))
+      {
+      if ($queue_time != -1 &&
+	  $saved{$id} =~ /^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d ([+-]\d{4} )?)/o)
+	{
+	my $old_sec = &seconds($1);
+	my $sec = &seconds($date);
+	$id_list{$id} = 0 if $id_list{$id} && $sec - $old_sec <= $queue_time;
+	}
+
+      print "$saved{$id}\n" if ($id_list{$id});
+      delete $id_list{$id};
+      delete $saved{$id};
+      }
+    }
+
+  # Handle the case where the log line does not belong to a specific message.
+  # Print it if it is interesting.
+
+  elsif ( ($invert && (($insensitive && !/$pattern/io) || !/$pattern/o)) ||
+	 (!$invert && (($insensitive &&  /$pattern/io) ||  /$pattern/o)) )
+    { print "$_\n"; }
+  }
+
+# Rotated log files are frequently compressed and there are a variety of
+# formats it could be compressed with. Rather than use just one that is
+# detected and hardcoded at Exim compile time, detect and use what the
+# logfile is compressed with on the fly.
+#
+# List of known compression extensions and their associated commands:
+my $compressors = {
+  gz   => { cmd => 'zcat',  args => '' },
+  bz2  => { cmd => 'bzcat', args => '' },
+  xz   => { cmd => 'xzcat', args => '' },
+  lzma => { cmd => 'lzma',  args => '-dc' },
+  zst  => { cmd => 'zstdcat', args => '' },
+};
+my $csearch = 0;
+
+sub detect_compressor_bin
+  {
+  my $ext = shift();
+  my $c = $compressors->{$ext}->{cmd};
+  $compressors->{$ext}->{bin} = `which $c 2>/dev/null`;
+  chomp($compressors->{$ext}->{bin});
+  }
+
+sub detect_compressor_capable
+  {
+  my $filename = shift();
+  map { &detect_compressor_bin($_) } keys %$compressors
+    if (!$csearch);
+  $csearch = 1;
+  return undef
+    unless (grep {$filename =~ /\.(?:$_)$/} keys %$compressors);
+  # Loop through them, figure out which one it detected,
+  # and build the commandline.
+  my $cmdline = undef;
+  foreach my $ext (keys %$compressors)
+    {
+    if ($filename =~ /\.(?:$ext)$/)
+      {
+      # Just die if compressor not found; if this occurs in the middle of
+      # two valid files with a lot of matches, error could easily be missed.
+      die("Didn't find $ext decompressor for $filename\n")
+        if ($compressors->{$ext}->{bin} eq '');
+      $cmdline = $compressors->{$ext}->{bin} ." ".
+                   $compressors->{$ext}->{args};
+      last;
+      }
+    }
+  return $cmdline;
+  }
+
+sub grep_for_related
+  {
+  my ($line,$id) = @_;
+  $id_list{$id} = 1 if $line =~ m/$related_re/;
+  }
+
+sub get_related_ids
+  {
+  my ($id) = @_;
+  push @Mids, $id unless grep /\b$id\b/, @Mids;
+  my $re = join '|', @Mids;
+  $related_re = qr/$re/;
+  }
+
+# The main program. Extract the pattern and make sure any relevant characters
+# are quoted if the -l flag is given. The -t flag gives a time-on-queue value
+# which is an additional condition. The -M flag will also display "related"
+# loglines (msgid from matched lines is searched in following lines).
+
+GetOptions(
+    'I|sensitive' => sub { $insensitive = 0 },
+      'l|literal' => \$literal,
+      'M|related' => \$related,
+      't|queue-time=i' => \$queue_time,
+      'pager!'         => \$use_pager,
+      'v|invert'       => \$invert,
+      'h|help'         => sub { pod2usage(-exit => 0, -verbose => 1) },
+      'm|man'          => sub {
+        pod2usage(
+            -exit      => 0,
+            -verbose   => 2,
+            -noperldoc => system('perldoc -V 2>/dev/null >&2')
+        );
+      },
+      'version'        => sub {
+            print basename($0) . ": $0\n",
+                "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+                "perl(runtime): $]\n";
+            exit 0;
+      },
+) and @ARGV or pod2usage;
+
+$pattern = shift @ARGV;
+$pattern = quotemeta $pattern if $literal;
+
+# Start a pager if output goes to a terminal
+if (-t 1 and $use_pager)
+  {
+  # for perl >= v5.10.x: foreach ($ENV{PAGER}//(), 'less', 'more')
+  foreach (defined $ENV{PAGER} ? $ENV{PAGER} : (), 'less', 'more')
+    {
+    local $ENV{LESS} .= ' --no-init --quit-if-one-screen';
+    open(my $pager, '|-', $_) or next;
+    select $pager;
+    last;
+    }
+  }
+
+# If file arguments are given, open each one and process according as it is
+# is compressed or not.
+
+if (@ARGV)
+  {
+  foreach (@ARGV)
+    {
+    my $filename = $_;
+    if (-x 'ZCAT_COMMAND' && $filename =~ /\.(?:COMPRESS_SUFFIX)$/o)
+      {
+      open(LOG, "ZCAT_COMMAND $filename |") ||
+        die "Unable to zcat $filename: $!\n";
+      }
+    elsif (my $cmdline = &detect_compressor_capable($filename))
+      {
+      open(LOG, "$cmdline $filename |") ||
+        die "Unable to decompress $filename: $!\n";
+      }
+    else
+      {
+      open(LOG, "<$filename") || die "Unable to open $filename: $!\n";
+      }
+    do_line() while (<LOG>);
+    close(LOG);
+    }
+  }
+
+# If no files are named, process STDIN only
+
+else { do_line() while (<STDIN>); }
+
+# At the end of processing all the input, print any uncompleted messages.
+
+for (keys %id_list)
+  {
+  print "+++ $_ has not completed +++\n$saved{$_}\n";
+  }
+
+__END__
+
+=head1 NAME
+
+exigrep - search Exim's main log
+
+=head1 SYNOPSIS
+
+B<exigrep> [options] pattern [log] ...
+
+=head1 DESCRIPTION
+
+The B<exigrep> utility is a Perl script that searches one or more main log
+files for entries that match a given pattern.  When it finds  a  match,
+it  extracts  all  the  log  entries for the relevant message, not just
+those that match the pattern.  Thus, B<exigrep> can extract  complete  log
+entries  for  a  given  message, or all mail for a given user, or for a
+given host, for example.
+
+If no file names are given on the command line, the standard input is read.
+
+For known file extensions indicating compression (F<.gz>, F<.bz2>, F<.xz>,
+F<.lzma>, and F<.zst>) a suitable de-compressor is used, if available.
+
+The output is sent through a pager if a terminal is connected to STDOUT. As
+pager are considered: C<$ENV{PAGER}>, C<less>, C<more>.
+
+=head1 OPTIONS
+
+=over
+
+=item B<-l>|B<--literal>
+
+This means 'literal', that is, treat all characters in the
+pattern  as standing for themselves.  Otherwise the pattern must be a
+Perl regular expression.  The pattern match is case-insensitive.
+
+=item B<-t>|B<--queue-time> I<seconds>
+
+Limit the output to messages that spent at least I<seconds> in the
+queue.
+
+=item B<-I>|B<--sensitive>
+
+Do a case sensitive search.
+
+=item B<-v>|B<--invert>
+
+Invert the meaning of the search pattern. That is, print message log
+entries that are not related to that pattern.
+
+=item B<-M>|B<--related>
+
+Search for related messages too.
+
+=item B<--no-pager>
+
+Do not use a pager, even if STDOUT is connected to a terminal.
+
+=item B<-h>|B<--help>
+
+Print a short reference help. For more detailed help try L<exigrep(8)>,
+or C<exigrep --man>.
+
+=item B<-m>|B<--man>
+
+Print this manual page of B<exigrep>.
+
+=back
+
+=head1 SEE ALSO
+
+L<exim(8)>, L<perlre(1)>, L<Exim|http://exim.org/>
+
+=head1 AUTHOR
+
+This  manual  page  was stitched together from spec.txt by Andreas Metzler L<ametzler at downhill.at.eu.org>
+and updated by Heiko Schlittermann L<hs@schlittermann.de>.
+
+=cut
diff --git a/src/exim.c b/src/exim.c
new file mode 100644
index 0000000..fd01d13
--- /dev/null
+++ b/src/exim.c
@@ -0,0 +1,6097 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* The main function: entry point, initialization, and high-level control.
+Also a few functions that don't naturally fit elsewhere. */
+
+
+#include "exim.h"
+
+#if defined(__GLIBC__) && !defined(__UCLIBC__)
+# include <gnu/libc-version.h>
+#endif
+
+#ifdef USE_GNUTLS
+# include <gnutls/gnutls.h>
+# if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
+#  define DISABLE_OCSP
+# endif
+#endif
+
+#ifndef _TIME_H
+# include <time.h>
+#endif
+
+extern void init_lookup_list(void);
+
+
+
+/*************************************************
+*      Function interface to store functions     *
+*************************************************/
+
+/* We need some real functions to pass to the PCRE regular expression library
+for store allocation via Exim's store manager. The normal calls are actually
+macros that pass over location information to make tracing easier. These
+functions just interface to the standard macro calls. A good compiler will
+optimize out the tail recursion and so not make them too expensive. */
+
+static void *
+function_store_malloc(PCRE2_SIZE size, void * tag)
+{
+return store_malloc((int)size);
+}
+
+static void
+function_store_free(void * block, void * tag)
+{
+/* At least some version of pcre2 pass a null pointer */
+if (block) store_free(block);
+}
+
+
+
+
+/*************************************************
+*         Enums for cmdline interface            *
+*************************************************/
+
+enum commandline_info { CMDINFO_NONE=0,
+  CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
+
+
+
+
+/*************************************************
+*  Compile regular expression and panic on fail  *
+*************************************************/
+
+/* This function is called when failure to compile a regular expression leads
+to a panic exit. In other cases, pcre_compile() is called directly. In many
+cases where this function is used, the results of the compilation are to be
+placed in long-lived store, so we temporarily reset the store management
+functions that PCRE uses if the use_malloc flag is set.
+
+Argument:
+  pattern     the pattern to compile
+  caseless    TRUE if caseless matching is required
+  use_malloc  TRUE if compile into malloc store
+
+Returns:      pointer to the compiled pattern
+*/
+
+const pcre2_code *
+regex_must_compile(const uschar * pattern, BOOL caseless, BOOL use_malloc)
+{
+size_t offset;
+int options = caseless ? PCRE_COPT|PCRE2_CASELESS : PCRE_COPT;
+const pcre2_code * yield;
+int err;
+pcre2_general_context * gctx;
+pcre2_compile_context * cctx;
+
+if (use_malloc)
+  {
+  gctx = pcre2_general_context_create(function_store_malloc, function_store_free, NULL);
+  cctx = pcre2_compile_context_create(gctx);
+  }
+else
+  cctx = pcre_cmp_ctx;
+
+if (!(yield = pcre2_compile((PCRE2_SPTR)pattern, PCRE2_ZERO_TERMINATED, options,
+  &err, &offset, cctx)))
+  {
+  uschar errbuf[128];
+  pcre2_get_error_message(err, errbuf, sizeof(errbuf));
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
+    "%s at offset %ld while compiling %s", errbuf, (long)offset, pattern);
+  }
+
+if (use_malloc)
+  {
+  pcre2_compile_context_free(cctx);
+  pcre2_general_context_free(gctx);
+  }
+return yield;
+}
+
+
+static void
+pcre_init(void)
+{
+pcre_gen_ctx = pcre2_general_context_create(function_store_malloc, function_store_free, NULL);
+pcre_cmp_ctx = pcre2_compile_context_create(pcre_gen_ctx);
+pcre_mtc_ctx = pcre2_match_context_create(pcre_gen_ctx);
+}
+
+
+
+
+/*************************************************
+*   Execute regular expression and set strings   *
+*************************************************/
+
+/* This function runs a regular expression match, and sets up the pointers to
+the matched substrings.  The matched strings are copied so the lifetime of
+the subject is not a problem.
+
+Arguments:
+  re          the compiled expression
+  subject     the subject string
+  options     additional PCRE options
+  setup       if < 0 do full setup
+              if >= 0 setup from setup+1 onwards,
+                excluding the full matched string
+
+Returns:      TRUE if matched, or FALSE
+*/
+
+BOOL
+regex_match_and_setup(const pcre2_code * re, const uschar * subject, int options, int setup)
+{
+pcre2_match_data * md = pcre2_match_data_create_from_pattern(re, pcre_gen_ctx);
+int res = pcre2_match(re, (PCRE2_SPTR)subject, PCRE2_ZERO_TERMINATED, 0,
+			PCRE_EOPT | options, md, pcre_mtc_ctx);
+BOOL yield;
+
+if ((yield = (res >= 0)))
+  {
+  res = pcre2_get_ovector_count(md);
+  expand_nmax = setup < 0 ? 0 : setup + 1;
+  for (int matchnum = setup < 0 ? 0 : 1; matchnum < res; matchnum++)
+    {
+    PCRE2_SIZE len;
+    pcre2_substring_get_bynumber(md, matchnum,
+      (PCRE2_UCHAR **)&expand_nstring[expand_nmax], &len);
+    expand_nlength[expand_nmax++] = (int)len;
+    }
+  expand_nmax--;
+  }
+else if (res != PCRE2_ERROR_NOMATCH) DEBUG(D_any)
+  {
+  uschar errbuf[128];
+  pcre2_get_error_message(res, errbuf, sizeof(errbuf));
+  debug_printf_indent("pcre2: %s\n", errbuf);
+  }
+pcre2_match_data_free(md);
+return yield;
+}
+
+
+/* Check just for match with regex.  Uses the common memory-handling.
+
+Arguments:
+	re	compiled regex
+	subject	string to be checked
+	slen	length of subject; -1 for nul-terminated
+	rptr	pointer for matched string, copied, or NULL
+
+Return: TRUE for a match.
+*/
+
+BOOL
+regex_match(const pcre2_code * re, const uschar * subject, int slen, uschar ** rptr)
+{
+pcre2_match_data * md = pcre2_match_data_create(1, pcre_gen_ctx);
+int rc = pcre2_match(re, (PCRE2_SPTR)subject,
+		      slen >= 0 ? slen : PCRE2_ZERO_TERMINATED,
+		      0, PCRE_EOPT, md, pcre_mtc_ctx);
+PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md);
+if (rc < 0)
+  return FALSE;
+if (rptr)
+  *rptr = string_copyn(subject + ovec[0], ovec[1] - ovec[0]);
+return TRUE;
+}
+
+
+
+/*************************************************
+*            Set up processing details           *
+*************************************************/
+
+/* Save a text string for dumping when SIGUSR1 is received.
+Do checks for overruns.
+
+Arguments: format and arguments, as for printf()
+Returns:   nothing
+*/
+
+void
+set_process_info(const char *format, ...)
+{
+gstring gs = { .size = PROCESS_INFO_SIZE - 2, .ptr = 0, .s = process_info };
+gstring * g;
+int len;
+va_list ap;
+
+g = string_fmt_append(&gs, "%5d ", (int)getpid());
+len = g->ptr;
+va_start(ap, format);
+if (!string_vformat(g, 0, format, ap))
+  {
+  gs.ptr = len;
+  g = string_cat(&gs, US"**** string overflowed buffer ****");
+  }
+g = string_catn(g, US"\n", 1);
+string_from_gstring(g);
+process_info_len = g->ptr;
+DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
+va_end(ap);
+}
+
+/***********************************************
+*            Handler for SIGTERM               *
+***********************************************/
+
+static void
+term_handler(int sig)
+{
+exit(1);
+}
+
+
+/***********************************************
+*            Handler for SIGSEGV               *
+***********************************************/
+
+static void
+#ifdef SA_SIGINFO
+segv_handler(int sig, siginfo_t * info, void * uctx)
+{
+log_write(0, LOG_MAIN|LOG_PANIC, "SIGSEGV (fault address: %p)", info->si_addr);
+# if defined(SEGV_MAPERR) && defined(SEGV_ACCERR) && defined(SEGV_BNDERR) && defined(SEGV_PKUERR)
+switch (info->si_code)
+  {
+  case SEGV_MAPERR: log_write(0, LOG_MAIN|LOG_PANIC, "SEGV_MAPERR"); break;
+  case SEGV_ACCERR: log_write(0, LOG_MAIN|LOG_PANIC, "SEGV_ACCERR"); break;
+  case SEGV_BNDERR: log_write(0, LOG_MAIN|LOG_PANIC, "SEGV_BNDERR"); break;
+  case SEGV_PKUERR: log_write(0, LOG_MAIN|LOG_PANIC, "SEGV_PKUERR"); break;
+  }
+# endif
+if (US info->si_addr < US 4096)
+  log_write(0, LOG_MAIN|LOG_PANIC, "SIGSEGV (null pointer indirection)");
+else
+  log_write(0, LOG_MAIN|LOG_PANIC, "SIGSEGV (maybe attempt to write to immutable memory)");
+if (process_info_len > 0)
+  log_write(0, LOG_MAIN|LOG_PANIC, "SIGSEGV (%.*s)", process_info_len, process_info);
+signal(SIGSEGV, SIG_DFL);
+kill(getpid(), sig);
+}
+
+#else
+segv_handler(int sig)
+{
+log_write(0, LOG_MAIN|LOG_PANIC, "SIGSEGV (maybe attempt to write to immutable memory)");
+if (process_info_len > 0)
+  log_write(0, LOG_MAIN|LOG_PANIC, "SIGSEGV (%.*s)", process_info_len, process_info);
+signal(SIGSEGV, SIG_DFL);
+kill(getpid(), sig);
+}
+#endif
+
+
+/*************************************************
+*             Handler for SIGUSR1                *
+*************************************************/
+
+/* SIGUSR1 causes any exim process to write to the process log details of
+what it is currently doing. It will only be used if the OS is capable of
+setting up a handler that causes automatic restarting of any system call
+that is in progress at the time.
+
+This function takes care to be signal-safe.
+
+Argument: the signal number (SIGUSR1)
+Returns:  nothing
+*/
+
+static void
+usr1_handler(int sig)
+{
+int fd;
+
+os_restarting_signal(sig, usr1_handler);
+
+if (!process_log_path) return;
+fd = log_open_as_exim(process_log_path);
+
+/* If we are neither exim nor root, or if we failed to create the log file,
+give up. There is not much useful we can do with errors, since we don't want
+to disrupt whatever is going on outside the signal handler. */
+
+if (fd < 0) return;
+
+(void)write(fd, process_info, process_info_len);
+(void)close(fd);
+}
+
+
+
+/*************************************************
+*             Timeout handler                    *
+*************************************************/
+
+/* This handler is enabled most of the time that Exim is running. The handler
+doesn't actually get used unless alarm() has been called to set a timer, to
+place a time limit on a system call of some kind. When the handler is run, it
+re-enables itself.
+
+There are some other SIGALRM handlers that are used in special cases when more
+than just a flag setting is required; for example, when reading a message's
+input. These are normally set up in the code module that uses them, and the
+SIGALRM handler is reset to this one afterwards.
+
+Argument: the signal value (SIGALRM)
+Returns:  nothing
+*/
+
+void
+sigalrm_handler(int sig)
+{
+sigalrm_seen = TRUE;
+os_non_restarting_signal(SIGALRM, sigalrm_handler);
+}
+
+
+
+/*************************************************
+*      Sleep for a fractional time interval      *
+*************************************************/
+
+/* This function is called by millisleep() and exim_wait_tick() to wait for a
+period of time that may include a fraction of a second. The coding is somewhat
+tedious. We do not expect setitimer() ever to fail, but if it does, the process
+will wait for ever, so we panic in this instance. (There was a case of this
+when a bug in a function that calls milliwait() caused it to pass invalid data.
+That's when I added the check. :-)
+
+We assume it to be not worth sleeping for under 50us; this value will
+require revisiting as hardware advances.  This avoids the issue of
+a zero-valued timer setting meaning "never fire".
+
+Argument:  an itimerval structure containing the interval
+Returns:   nothing
+*/
+
+static void
+milliwait(struct itimerval *itval)
+{
+sigset_t sigmask;
+sigset_t old_sigmask;
+int save_errno = errno;
+
+if (itval->it_value.tv_usec < 50 && itval->it_value.tv_sec == 0)
+  return;
+(void)sigemptyset(&sigmask);                           /* Empty mask */
+(void)sigaddset(&sigmask, SIGALRM);                    /* Add SIGALRM */
+(void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask);  /* Block SIGALRM */
+if (setitimer(ITIMER_REAL, itval, NULL) < 0)           /* Start timer */
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "setitimer() failed: %s", strerror(errno));
+(void)sigfillset(&sigmask);                            /* All signals */
+(void)sigdelset(&sigmask, SIGALRM);                    /* Remove SIGALRM */
+(void)sigsuspend(&sigmask);                            /* Until SIGALRM */
+(void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL);    /* Restore mask */
+errno = save_errno;
+sigalrm_seen = FALSE;
+}
+
+
+
+
+/*************************************************
+*         Millisecond sleep function             *
+*************************************************/
+
+/* The basic sleep() function has a granularity of 1 second, which is too rough
+in some cases - for example, when using an increasing delay to slow down
+spammers.
+
+Argument:    number of millseconds
+Returns:     nothing
+*/
+
+void
+millisleep(int msec)
+{
+struct itimerval itval = {.it_interval = {.tv_sec = 0, .tv_usec = 0},
+			  .it_value = {.tv_sec = msec/1000,
+				       .tv_usec = (msec % 1000) * 1000}};
+milliwait(&itval);
+}
+
+
+
+/*************************************************
+*         Compare microsecond times              *
+*************************************************/
+
+/*
+Arguments:
+  tv1         the first time
+  tv2         the second time
+
+Returns:      -1, 0, or +1
+*/
+
+static int
+exim_tvcmp(struct timeval *t1, struct timeval *t2)
+{
+if (t1->tv_sec > t2->tv_sec) return +1;
+if (t1->tv_sec < t2->tv_sec) return -1;
+if (t1->tv_usec > t2->tv_usec) return +1;
+if (t1->tv_usec < t2->tv_usec) return -1;
+return 0;
+}
+
+
+
+
+/*************************************************
+*          Clock tick wait function              *
+*************************************************/
+
+#ifdef _POSIX_MONOTONIC_CLOCK
+# ifdef CLOCK_BOOTTIME
+#  define EXIM_CLOCKTYPE CLOCK_BOOTTIME
+# else
+#  define EXIM_CLOCKTYPE CLOCK_MONOTONIC
+# endif
+
+/* Amount EXIM_CLOCK is behind realtime, at startup. */
+static struct timespec offset_ts;
+
+static void
+exim_clock_init(void)
+{
+struct timeval tv;
+if (clock_gettime(EXIM_CLOCKTYPE, &offset_ts) != 0) return;
+(void)gettimeofday(&tv, NULL);
+offset_ts.tv_sec = tv.tv_sec - offset_ts.tv_sec;
+offset_ts.tv_nsec = tv.tv_usec * 1000 - offset_ts.tv_nsec;
+if (offset_ts.tv_nsec >= 0) return;
+offset_ts.tv_sec--;
+offset_ts.tv_nsec += 1000*1000*1000;
+}
+#endif
+
+
+void
+exim_gettime(struct timeval * tv)
+{
+#ifdef _POSIX_MONOTONIC_CLOCK
+struct timespec now_ts;
+
+if (clock_gettime(EXIM_CLOCKTYPE, &now_ts) == 0)
+  {
+  now_ts.tv_sec += offset_ts.tv_sec;
+  if ((now_ts.tv_nsec += offset_ts.tv_nsec) >= 1000*1000*1000)
+    {
+    now_ts.tv_sec++;
+    now_ts.tv_nsec -= 1000*1000*1000;
+    }
+  tv->tv_sec = now_ts.tv_sec;
+  tv->tv_usec = now_ts.tv_nsec / 1000;
+  }
+else
+#endif
+  (void)gettimeofday(tv, NULL);
+}
+
+
+/* Exim uses a time + a pid to generate a unique identifier in two places: its
+message IDs, and in file names for maildir deliveries. Because some OS now
+re-use pids within the same second, sub-second times are now being used.
+However, for absolute certainty, we must ensure the clock has ticked before
+allowing the relevant process to complete. At the time of implementation of
+this code (February 2003), the speed of processors is such that the clock will
+invariably have ticked already by the time a process has done its job. This
+function prepares for the time when things are faster - and it also copes with
+clocks that go backwards.
+
+Arguments:
+  prev_tv      A timeval which was used to create uniqueness; its usec field
+                 has been rounded down to the value of the resolution.
+                 We want to be sure the current time is greater than this.
+		 On return, updated to current (rounded down).
+  resolution   The resolution that was used to divide the microseconds
+                 (1 for maildir, larger for message ids)
+
+Returns:       nothing
+*/
+
+void
+exim_wait_tick(struct timeval * prev_tv, int resolution)
+{
+struct timeval now_tv;
+long int now_true_usec;
+
+exim_gettime(&now_tv);
+now_true_usec = now_tv.tv_usec;
+now_tv.tv_usec = (now_true_usec/resolution) * resolution;
+
+while (exim_tvcmp(&now_tv, prev_tv) <= 0)
+  {
+  struct itimerval itval;
+  itval.it_interval.tv_sec = 0;
+  itval.it_interval.tv_usec = 0;
+  itval.it_value.tv_sec = prev_tv->tv_sec - now_tv.tv_sec;
+  itval.it_value.tv_usec = prev_tv->tv_usec + resolution - now_true_usec;
+
+  /* We know that, overall, "now" is less than or equal to "then". Therefore, a
+  negative value for the microseconds is possible only in the case when "now"
+  is more than a second less than "tgt". That means that itval.it_value.tv_sec
+  is greater than zero. The following correction is therefore safe. */
+
+  if (itval.it_value.tv_usec < 0)
+    {
+    itval.it_value.tv_usec += 1000000;
+    itval.it_value.tv_sec -= 1;
+    }
+
+  DEBUG(D_transport|D_receive)
+    {
+    if (!f.running_in_test_harness)
+      {
+      debug_printf("tick check: " TIME_T_FMT ".%06lu " TIME_T_FMT ".%06lu\n",
+        prev_tv->tv_sec, (long) prev_tv->tv_usec,
+       	now_tv.tv_sec, (long) now_tv.tv_usec);
+      debug_printf("waiting " TIME_T_FMT ".%06lu sec\n",
+        itval.it_value.tv_sec, (long) itval.it_value.tv_usec);
+      }
+    }
+
+  milliwait(&itval);
+
+  /* Be prapared to go around if the kernel does not implement subtick
+  granularity (GNU Hurd) */
+
+  exim_gettime(&now_tv);
+  now_true_usec = now_tv.tv_usec;
+  now_tv.tv_usec = (now_true_usec/resolution) * resolution;
+  }
+*prev_tv = now_tv;
+}
+
+
+
+
+/*************************************************
+*   Call fopen() with umask 777 and adjust mode  *
+*************************************************/
+
+/* Exim runs with umask(0) so that files created with open() have the mode that
+is specified in the open() call. However, there are some files, typically in
+the spool directory, that are created with fopen(). They end up world-writeable
+if no precautions are taken. Although the spool directory is not accessible to
+the world, this is an untidiness. So this is a wrapper function for fopen()
+that sorts out the mode of the created file.
+
+Arguments:
+   filename       the file name
+   options        the fopen() options
+   mode           the required mode
+
+Returns:          the fopened FILE or NULL
+*/
+
+FILE *
+modefopen(const uschar *filename, const char *options, mode_t mode)
+{
+mode_t saved_umask = umask(0777);
+FILE *f = Ufopen(filename, options);
+(void)umask(saved_umask);
+if (f != NULL) (void)fchmod(fileno(f), mode);
+return f;
+}
+
+
+/*************************************************
+*   Ensure stdin, stdout, and stderr exist       *
+*************************************************/
+
+/* Some operating systems grumble if an exec() happens without a standard
+input, output, and error (fds 0, 1, 2) being defined. The worry is that some
+file will be opened and will use these fd values, and then some other bit of
+code will assume, for example, that it can write error messages to stderr.
+This function ensures that fds 0, 1, and 2 are open if they do not already
+exist, by connecting them to /dev/null.
+
+This function is also used to ensure that std{in,out,err} exist at all times,
+so that if any library that Exim calls tries to use them, it doesn't crash.
+
+Arguments:  None
+Returns:    Nothing
+*/
+
+void
+exim_nullstd(void)
+{
+int devnull = -1;
+struct stat statbuf;
+for (int i = 0; i <= 2; i++)
+  {
+  if (fstat(i, &statbuf) < 0 && errno == EBADF)
+    {
+    if (devnull < 0) devnull = open("/dev/null", O_RDWR);
+    if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
+      string_open_failed("/dev/null", NULL));
+    if (devnull != i) (void)dup2(devnull, i);
+    }
+  }
+if (devnull > 2) (void)close(devnull);
+}
+
+
+
+
+/*************************************************
+*   Close unwanted file descriptors for delivery *
+*************************************************/
+
+/* This function is called from a new process that has been forked to deliver
+an incoming message, either directly, or using exec.
+
+We want any smtp input streams to be closed in this new process. However, it
+has been observed that using fclose() here causes trouble. When reading in -bS
+input, duplicate copies of messages have been seen. The files will be sharing a
+file pointer with the parent process, and it seems that fclose() (at least on
+some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
+least sometimes. Hence we go for closing the underlying file descriptors.
+
+If TLS is active, we want to shut down the TLS library, but without molesting
+the parent's SSL connection.
+
+For delivery of a non-SMTP message, we want to close stdin and stdout (and
+stderr unless debugging) because the calling process might have set them up as
+pipes and be waiting for them to close before it waits for the submission
+process to terminate. If they aren't closed, they hold up the calling process
+until the initial delivery process finishes, which is not what we want.
+
+Exception: We do want it for synchronous delivery!
+
+And notwithstanding all the above, if D_resolver is set, implying resolver
+debugging, leave stdout open, because that's where the resolver writes its
+debugging output.
+
+When we close stderr (which implies we've also closed stdout), we also get rid
+of any controlling terminal.
+
+Arguments:   None
+Returns:     Nothing
+*/
+
+static void
+close_unwanted(void)
+{
+if (smtp_input)
+  {
+#ifndef DISABLE_TLS
+  tls_close(NULL, TLS_NO_SHUTDOWN);      /* Shut down the TLS library */
+#endif
+  (void)close(fileno(smtp_in));
+  (void)close(fileno(smtp_out));
+  smtp_in = NULL;
+  }
+else
+  {
+  (void)close(0);                                          /* stdin */
+  if ((debug_selector & D_resolver) == 0) (void)close(1);  /* stdout */
+  if (debug_selector == 0)                                 /* stderr */
+    {
+    if (!f.synchronous_delivery)
+      {
+      (void)close(2);
+      log_stderr = NULL;
+      }
+    (void)setsid();
+    }
+  }
+}
+
+
+
+
+/*************************************************
+*          Set uid and gid                       *
+*************************************************/
+
+/* This function sets a new uid and gid permanently, optionally calling
+initgroups() to set auxiliary groups. There are some special cases when running
+Exim in unprivileged modes. In these situations the effective uid will not be
+root; if we already have the right effective uid/gid, and don't need to
+initialize any groups, leave things as they are.
+
+Arguments:
+  uid        the uid
+  gid        the gid
+  igflag     TRUE if initgroups() wanted
+  msg        text to use in debugging output and failure log
+
+Returns:     nothing; bombs out on failure
+*/
+
+void
+exim_setugid(uid_t uid, gid_t gid, BOOL igflag, const uschar * msg)
+{
+uid_t euid = geteuid();
+gid_t egid = getegid();
+
+if (euid == root_uid || euid != uid || egid != gid || igflag)
+  {
+  /* At least one OS returns +1 for initgroups failure, so just check for
+  non-zero. */
+
+  if (igflag)
+    {
+    struct passwd *pw = getpwuid(uid);
+    if (!pw)
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
+	"no passwd entry for uid=%ld", (long int)uid);
+
+    if (initgroups(pw->pw_name, gid) != 0)
+      log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
+	(long int)uid, strerror(errno));
+    }
+
+  if (setgid(gid) < 0 || setuid(uid) < 0)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
+      "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
+  }
+
+/* Debugging output included uid/gid and all groups */
+
+DEBUG(D_uid)
+  {
+  int group_count, save_errno;
+  gid_t group_list[EXIM_GROUPLIST_SIZE];
+  debug_printf("changed uid/gid: %s\n  uid=%ld gid=%ld pid=%ld\n", msg,
+    (long int)geteuid(), (long int)getegid(), (long int)getpid());
+  group_count = getgroups(nelem(group_list), group_list);
+  save_errno = errno;
+  debug_printf("  auxiliary group list:");
+  if (group_count > 0)
+    for (int i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
+  else if (group_count < 0)
+    debug_printf(" <error: %s>", strerror(save_errno));
+  else debug_printf(" <none>");
+  debug_printf("\n");
+  }
+}
+
+
+
+
+/*************************************************
+*               Exit point                       *
+*************************************************/
+
+/* Exim exits via this function so that it always clears up any open
+databases.
+
+Arguments:
+  rc         return code
+
+Returns:     does not return
+*/
+
+void
+exim_exit(int rc)
+{
+search_tidyup();
+store_exit();
+DEBUG(D_any)
+  debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d (%s) terminating with rc=%d "
+    ">>>>>>>>>>>>>>>>\n",
+    (int)getpid(), process_purpose, rc);
+exit(rc);
+}
+
+
+void
+exim_underbar_exit(int rc)
+{
+store_exit();
+DEBUG(D_any)
+  debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d (%s) terminating with rc=%d "
+    ">>>>>>>>>>>>>>>>\n",
+    (int)getpid(), process_purpose, rc);
+_exit(rc);
+}
+
+
+
+/* Print error string, then die */
+static void
+exim_fail(const char * fmt, ...)
+{
+va_list ap;
+va_start(ap, fmt);
+vfprintf(stderr, fmt, ap);
+exit(EXIT_FAILURE);
+}
+
+/* fail if a length is too long */
+static inline void
+exim_len_fail_toolong(int itemlen, int maxlen, const char *description)
+{
+if (itemlen <= maxlen)
+  return;
+fprintf(stderr, "exim: length limit exceeded (%d > %d) for: %s\n",
+        itemlen, maxlen, description);
+exit(EXIT_FAILURE);
+}
+
+/* only pass through the string item back to the caller if it's short enough */
+static inline const uschar *
+exim_str_fail_toolong(const uschar *item, int maxlen, const char *description)
+{
+exim_len_fail_toolong(Ustrlen(item), maxlen, description);
+return item;
+}
+
+/* exim_chown_failure() called from exim_chown()/exim_fchown() on failure
+of chown()/fchown().  See src/functions.h for more explanation */
+int
+exim_chown_failure(int fd, const uschar *name, uid_t owner, gid_t group)
+{
+int saved_errno = errno;  /* from the preceeding chown call */
+#if 1
+log_write(0, LOG_MAIN|LOG_PANIC,
+  __FILE__ ":%d: chown(%s, %d:%d) failed (%s)."
+  " Please contact the authors and refer to https://bugs.exim.org/show_bug.cgi?id=2391",
+  __LINE__, name?name:US"<unknown>", owner, group, strerror(errno));
+#else
+/* I leave this here, commented, in case the "bug"(?) comes up again.
+   It is not an Exim bug, but we can provide a workaround.
+   See Bug 2391
+   HS 2019-04-18 */
+
+struct stat buf;
+
+if (0 == (fd < 0 ? stat(name, &buf) : fstat(fd, &buf)))
+{
+  if (buf.st_uid == owner && buf.st_gid == group) return 0;
+  log_write(0, LOG_MAIN|LOG_PANIC, "Wrong ownership on %s", name);
+}
+else log_write(0, LOG_MAIN|LOG_PANIC, "Stat failed on %s: %s", name, strerror(errno));
+
+#endif
+errno = saved_errno;
+return -1;
+}
+
+
+/*************************************************
+*         Extract port from host address         *
+*************************************************/
+
+/* Called to extract the port from the values given to -oMa and -oMi.
+It also checks the syntax of the address, and terminates it before the
+port data when a port is extracted.
+
+Argument:
+  address   the address, with possible port on the end
+
+Returns:    the port, or zero if there isn't one
+            bombs out on a syntax error
+*/
+
+static int
+check_port(uschar *address)
+{
+int port = host_address_extract_port(address);
+if (string_is_ip_address(address, NULL) == 0)
+  exim_fail("exim abandoned: \"%s\" is not an IP address\n", address);
+return port;
+}
+
+
+
+/*************************************************
+*              Test/verify an address            *
+*************************************************/
+
+/* This function is called by the -bv and -bt code. It extracts a working
+address from a full RFC 822 address. This isn't really necessary per se, but it
+has the effect of collapsing source routes.
+
+Arguments:
+  s            the address string
+  flags        flag bits for verify_address()
+  exit_value   to be set for failures
+
+Returns:       nothing
+*/
+
+static void
+test_address(uschar *s, int flags, int *exit_value)
+{
+int start, end, domain;
+uschar *parse_error = NULL;
+uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
+  FALSE);
+if (!address)
+  {
+  fprintf(stdout, "syntax error: %s\n", parse_error);
+  *exit_value = 2;
+  }
+else
+  {
+  int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
+    -1, -1, NULL, NULL, NULL);
+  if (rc == FAIL) *exit_value = 2;
+  else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
+  }
+}
+
+
+
+/*************************************************
+*          Show supported features               *
+*************************************************/
+
+static void
+show_string(BOOL is_stdout, gstring * g)
+{
+const uschar * s = string_from_gstring(g);
+if (s)
+  if (is_stdout) fputs(CCS s, stdout);
+  else debug_printf("%s", s);
+}
+
+
+static gstring *
+show_db_version(gstring * g)
+{
+#ifdef DB_VERSION_STRING
+DEBUG(D_any)
+  {
+  g = string_fmt_append(g, "Library version: BDB: Compile: %s\n", DB_VERSION_STRING);
+  g = string_fmt_append(g, "                      Runtime: %s\n",
+    db_version(NULL, NULL, NULL));
+  }
+else
+  g = string_fmt_append(g, "Berkeley DB: %s\n", DB_VERSION_STRING);
+
+#elif defined(BTREEVERSION) && defined(HASHVERSION)
+# ifdef USE_DB
+  g = string_cat(g, US"Probably Berkeley DB version 1.8x (native mode)\n");
+# else
+  g = string_cat(g, US"Probably Berkeley DB version 1.8x (compatibility mode)\n");
+# endif
+
+#elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
+g = string_cat(g, US"Probably ndbm\n");
+#elif defined(USE_TDB)
+g = string_cat(g, US"Using tdb\n");
+#else
+# ifdef USE_GDBM
+  g = string_cat(g, US"Probably GDBM (native mode)\n");
+# else
+  g = string_cat(g, US"Probably GDBM (compatibility mode)\n");
+# endif
+#endif
+return g;
+}
+
+
+/* This function is called for -bV/--version and for -d to output the optional
+features of the current Exim binary.
+
+Arguments:  BOOL, true for stdout else debug channel
+Returns:    nothing
+*/
+
+static void
+show_whats_supported(BOOL is_stdout)
+{
+rmark reset_point = store_mark();
+gstring * g = NULL;
+
+DEBUG(D_any) {} else g = show_db_version(g);
+
+g = string_cat(g, US"Support for:");
+#ifdef SUPPORT_CRYPTEQ
+  g = string_cat(g, US" crypteq");
+#endif
+#if HAVE_ICONV
+  g = string_cat(g, US" iconv()");
+#endif
+#if HAVE_IPV6
+  g = string_cat(g, US" IPv6");
+#endif
+#ifdef HAVE_SETCLASSRESOURCES
+  g = string_cat(g, US" use_setclassresources");
+#endif
+#ifdef SUPPORT_PAM
+  g = string_cat(g, US" PAM");
+#endif
+#ifdef EXIM_PERL
+  g = string_cat(g, US" Perl");
+#endif
+#ifdef EXPAND_DLFUNC
+  g = string_cat(g, US" Expand_dlfunc");
+#endif
+#ifdef USE_TCP_WRAPPERS
+  g = string_cat(g, US" TCPwrappers");
+#endif
+#ifdef USE_GNUTLS
+  g = string_cat(g, US" GnuTLS");
+#endif
+#ifdef USE_OPENSSL
+  g = string_cat(g, US" OpenSSL");
+#endif
+#ifndef DISABLE_TLS_RESUME
+  g = string_cat(g, US" TLS_resume");
+#endif
+#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
+  g = string_cat(g, US" translate_ip_address");
+#endif
+#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
+  g = string_cat(g, US" move_frozen_messages");
+#endif
+#ifdef WITH_CONTENT_SCAN
+  g = string_cat(g, US" Content_Scanning");
+#endif
+#ifdef SUPPORT_DANE
+  g = string_cat(g, US" DANE");
+#endif
+#ifndef DISABLE_DKIM
+  g = string_cat(g, US" DKIM");
+#endif
+#ifdef SUPPORT_DMARC
+  g = string_cat(g, US" DMARC");
+#endif
+#ifndef DISABLE_DNSSEC
+  g = string_cat(g, US" DNSSEC");
+#endif
+#ifndef DISABLE_EVENT
+  g = string_cat(g, US" Event");
+#endif
+#ifdef SUPPORT_I18N
+  g = string_cat(g, US" I18N");
+#endif
+#ifndef DISABLE_OCSP
+  g = string_cat(g, US" OCSP");
+#endif
+#ifndef DISABLE_PIPE_CONNECT
+  g = string_cat(g, US" PIPECONNECT");
+#endif
+#ifndef DISABLE_PRDR
+  g = string_cat(g, US" PRDR");
+#endif
+#ifdef SUPPORT_PROXY
+  g = string_cat(g, US" PROXY");
+#endif
+#ifndef DISABLE_QUEUE_RAMP
+  g = string_cat(g, US" Queue_Ramp");
+#endif
+#ifdef SUPPORT_SOCKS
+  g = string_cat(g, US" SOCKS");
+#endif
+#ifdef SUPPORT_SPF
+  g = string_cat(g, US" SPF");
+#endif
+#if defined(SUPPORT_SRS)
+  g = string_cat(g, US" SRS");
+#endif
+#ifdef TCP_FASTOPEN
+  tcp_init();
+  if (f.tcp_fastopen_ok) g = string_cat(g, US" TCP_Fast_Open");
+#endif
+#ifdef EXPERIMENTAL_ARC
+  g = string_cat(g, US" Experimental_ARC");
+#endif
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+  g = string_cat(g, US" Experimental_Brightmail");
+#endif
+#ifdef EXPERIMENTAL_DCC
+  g = string_cat(g, US" Experimental_DCC");
+#endif
+#ifdef EXPERIMENTAL_DSN_INFO
+  g = string_cat(g, US" Experimental_DSN_info");
+#endif
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+  g = string_cat(g, US" Experimental_ESMTP_Limits");
+#endif
+#ifdef EXPERIMENTAL_QUEUEFILE
+  g = string_cat(g, US" Experimental_QUEUEFILE");
+#endif
+g = string_cat(g, US"\n");
+
+g = string_cat(g, US"Lookups (built-in):");
+#if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
+  g = string_cat(g, US" lsearch wildlsearch nwildlsearch iplsearch");
+#endif
+#if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
+  g = string_cat(g, US" cdb");
+#endif
+#if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
+  g = string_cat(g, US" dbm dbmjz dbmnz");
+#endif
+#if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
+  g = string_cat(g, US" dnsdb");
+#endif
+#if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
+  g = string_cat(g, US" dsearch");
+#endif
+#if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
+  g = string_cat(g, US" ibase");
+#endif
+#if defined(LOOKUP_JSON) && LOOKUP_JSON!=2
+  g = string_cat(g, US" json");
+#endif
+#if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
+  g = string_cat(g, US" ldap ldapdn ldapm");
+#endif
+#ifdef LOOKUP_LMDB
+  g = string_cat(g, US" lmdb");
+#endif
+#if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
+  g = string_cat(g, US" mysql");
+#endif
+#if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
+  g = string_cat(g, US" nis nis0");
+#endif
+#if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
+  g = string_cat(g, US" nisplus");
+#endif
+#if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
+  g = string_cat(g, US" oracle");
+#endif
+#if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
+  g = string_cat(g, US" passwd");
+#endif
+#if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
+  g = string_cat(g, US" pgsql");
+#endif
+#if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
+  g = string_cat(g, US" redis");
+#endif
+#if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
+  g = string_cat(g, US" sqlite");
+#endif
+#if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
+  g = string_cat(g, US" testdb");
+#endif
+#if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
+  g = string_cat(g, US" whoson");
+#endif
+g = string_cat(g, US"\n");
+
+g = auth_show_supported(g);
+g = route_show_supported(g);
+g = transport_show_supported(g);
+
+#ifdef WITH_CONTENT_SCAN
+g = malware_show_supported(g);
+#endif
+show_string(is_stdout, g); g = NULL;
+
+if (fixed_never_users[0] > 0)
+  {
+  int i;
+  g = string_cat(g, US"Fixed never_users: ");
+  for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
+    string_fmt_append(g, "%u:", (unsigned)fixed_never_users[i]);
+  g = string_fmt_append(g, "%u\n", (unsigned)fixed_never_users[i]);
+  }
+
+g = string_fmt_append(g, "Configure owner: %d:%d\n", config_uid, config_gid);
+
+g = string_fmt_append(g, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
+
+/* Everything else is details which are only worth reporting when debugging.
+Perhaps the tls_version_report should move into this too. */
+DEBUG(D_any)
+  {
+
+/* clang defines __GNUC__ (at least, for me) so test for it first */
+#if defined(__clang__)
+  g = string_fmt_append(g, "Compiler: CLang [%s]\n", __clang_version__);
+#elif defined(__GNUC__)
+  g = string_fmt_append(g, "Compiler: GCC [%s]\n",
+# ifdef __VERSION__
+      __VERSION__
+# else
+      "? unknown version ?"
+# endif
+      );
+#else
+  g = string_cat(g, US"Compiler: <unknown>\n");
+#endif
+
+#if defined(__GLIBC__) && !defined(__UCLIBC__)
+  g = string_fmt_append(g, "Library version: Glibc: Compile: %d.%d\n",
+	       	__GLIBC__, __GLIBC_MINOR__);
+  if (__GLIBC_PREREQ(2, 1))
+    g = string_fmt_append(g, "                        Runtime: %s\n",
+	       	gnu_get_libc_version());
+#endif
+
+g = show_db_version(g);
+
+#ifndef DISABLE_TLS
+  g = tls_version_report(g);
+#endif
+#ifdef SUPPORT_I18N
+  g = utf8_version_report(g);
+#endif
+#ifdef SUPPORT_DMARC
+  g = dmarc_version_report(g);
+#endif
+#ifdef SUPPORT_SPF
+  g = spf_lib_version_report(g);
+#endif
+
+show_string(is_stdout, g);
+g = NULL;
+
+for (auth_info * authi = auths_available; *authi->driver_name != '\0'; ++authi)
+  if (authi->version_report)
+    g = (*authi->version_report)(g);
+
+  /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
+  characters; unless it's an ancient version of PCRE in which case it
+  is not defined. */
+#ifndef PCRE_PRERELEASE
+# define PCRE_PRERELEASE
+#endif
+#define QUOTE(X) #X
+#define EXPAND_AND_QUOTE(X) QUOTE(X)
+  {
+  uschar buf[24];
+  pcre2_config(PCRE2_CONFIG_VERSION, buf);
+  g = string_fmt_append(g, "Library version: PCRE2: Compile: %d.%d%s\n"
+              "                        Runtime: %s\n",
+          PCRE2_MAJOR, PCRE2_MINOR,
+          EXPAND_AND_QUOTE(PCRE2_PRERELEASE) "",
+          buf);
+  }
+#undef QUOTE
+#undef EXPAND_AND_QUOTE
+
+show_string(is_stdout, g);
+g = NULL;
+
+init_lookup_list();
+for (int i = 0; i < lookup_list_count; i++)
+  if (lookup_list[i]->version_report)
+    g = lookup_list[i]->version_report(g);
+show_string(is_stdout, g);
+g = NULL;
+
+#ifdef WHITELIST_D_MACROS
+  g = string_fmt_append(g, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
+#else
+  g = string_cat(g, US"WHITELIST_D_MACROS unset\n");
+#endif
+#ifdef TRUSTED_CONFIG_LIST
+  g = string_fmt_append(g, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
+#else
+  g = string_cat(g, US"TRUSTED_CONFIG_LIST unset\n");
+#endif
+  }
+
+show_string(is_stdout, g);
+store_reset(reset_point);
+}
+
+
+/*************************************************
+*     Show auxiliary information about Exim      *
+*************************************************/
+
+static void
+show_exim_information(enum commandline_info request, FILE *stream)
+{
+switch(request)
+  {
+  case CMDINFO_NONE:
+    fprintf(stream, "Oops, something went wrong.\n");
+    return;
+  case CMDINFO_HELP:
+    fprintf(stream,
+"The -bI: flag takes a string indicating which information to provide.\n"
+"If the string is not recognised, you'll get this help (on stderr).\n"
+"\n"
+"  exim -bI:help    this information\n"
+"  exim -bI:dscp    list of known dscp value keywords\n"
+"  exim -bI:sieve   list of supported sieve extensions\n"
+);
+    return;
+  case CMDINFO_SIEVE:
+    for (const uschar ** pp = exim_sieve_extension_list; *pp; ++pp)
+      fprintf(stream, "%s\n", *pp);
+    return;
+  case CMDINFO_DSCP:
+    dscp_list_to_stream(stream);
+    return;
+  }
+}
+
+
+/*************************************************
+*               Quote a local part               *
+*************************************************/
+
+/* This function is used when a sender address or a From: or Sender: header
+line is being created from the caller's login, or from an authenticated_id. It
+applies appropriate quoting rules for a local part.
+
+Argument:    the local part
+Returns:     the local part, quoted if necessary
+*/
+
+uschar *
+local_part_quote(uschar *lpart)
+{
+BOOL needs_quote = FALSE;
+gstring * g;
+
+for (uschar * t = lpart; !needs_quote && *t != 0; t++)
+  {
+  needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
+    (*t != '.' || t == lpart || t[1] == 0);
+  }
+
+if (!needs_quote) return lpart;
+
+g = string_catn(NULL, US"\"", 1);
+
+for (;;)
+  {
+  uschar *nq = US Ustrpbrk(lpart, "\\\"");
+  if (nq == NULL)
+    {
+    g = string_cat(g, lpart);
+    break;
+    }
+  g = string_catn(g, lpart, nq - lpart);
+  g = string_catn(g, US"\\", 1);
+  g = string_catn(g, nq, 1);
+  lpart = nq + 1;
+  }
+
+g = string_catn(g, US"\"", 1);
+return string_from_gstring(g);
+}
+
+
+
+#ifdef USE_READLINE
+/*************************************************
+*         Load readline() functions              *
+*************************************************/
+
+/* This function is called from testing executions that read data from stdin,
+but only when running as the calling user. Currently, only -be does this. The
+function loads the readline() function library and passes back the functions.
+On some systems, it needs the curses library, so load that too, but try without
+it if loading fails. All this functionality has to be requested at build time.
+
+Arguments:
+  fn_readline_ptr   pointer to where to put the readline pointer
+  fn_addhist_ptr    pointer to where to put the addhistory function
+
+Returns:            the dlopen handle or NULL on failure
+*/
+
+static void *
+set_readline(char * (**fn_readline_ptr)(const char *),
+             void   (**fn_addhist_ptr)(const char *))
+{
+void *dlhandle;
+void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
+
+dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
+if (dlhandle_curses) dlclose(dlhandle_curses);
+
+if (dlhandle)
+  {
+  /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
+   *   char * readline (const char *prompt);
+   *   void add_history (const char *string);
+   */
+  *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
+  *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
+  }
+else
+  DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
+
+return dlhandle;
+}
+#endif
+
+
+
+/*************************************************
+*    Get a line from stdin for testing things    *
+*************************************************/
+
+/* This function is called when running tests that can take a number of lines
+of input (for example, -be and -bt). It handles continuations and trailing
+spaces. And prompting and a blank line output on eof. If readline() is in use,
+the arguments are non-NULL and provide the relevant functions.
+
+Arguments:
+  fn_readline   readline function or NULL
+  fn_addhist    addhist function or NULL
+
+Returns:        pointer to dynamic memory, or NULL at end of file
+*/
+
+static uschar *
+get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
+{
+gstring * g = NULL;
+BOOL had_input = FALSE;
+
+if (!fn_readline) { printf("> "); fflush(stdout); }
+
+for (int i = 0;; i++)
+  {
+  uschar buffer[1024];
+  uschar * p, * ss;
+
+#ifdef USE_READLINE
+  char *readline_line = NULL;
+  if (fn_readline)
+    {
+    if (!(readline_line = fn_readline((i > 0)? "":"> "))) break;
+    if (*readline_line && fn_addhist) fn_addhist(readline_line);
+    p = US readline_line;
+    }
+  else
+#endif
+
+  /* readline() not in use */
+
+    {
+    if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;	/*EOF*/
+    p = buffer;
+    }
+
+  /* Handle the line */
+
+  had_input = TRUE;
+  ss = p + Ustrlen(p);
+  while (ss > p && isspace(ss[-1])) ss--; /* strip trailing newline (and spaces) */
+
+  if (i > 0)
+    while (p < ss && isspace(*p)) p++;   /* strip leading space after cont */
+
+  g = string_catn(g, p, ss - p);
+
+#ifdef USE_READLINE
+  if (fn_readline) free(readline_line);
+#endif
+
+  /* g can only be NULL if ss==p */
+  if (ss == p || g->s[g->ptr-1] != '\\') /* not continuation; done */
+    break;
+
+  --g->ptr;				/* drop the \ */
+  }
+
+if (had_input) return g ? string_from_gstring(g) : US"";
+printf("\n");
+return NULL;
+}
+
+
+
+/*************************************************
+*    Output usage information for the program    *
+*************************************************/
+
+/* This function is called when there are no recipients
+   or a specific --help argument was added.
+
+Arguments:
+  progname      information on what name we were called by
+
+Returns:        DOES NOT RETURN
+*/
+
+static void
+exim_usage(uschar *progname)
+{
+
+/* Handle specific program invocation variants */
+if (Ustrcmp(progname, US"-mailq") == 0)
+  exim_fail(
+    "mailq - list the contents of the mail queue\n\n"
+    "For a list of options, see the Exim documentation.\n");
+
+/* Generic usage - we output this whatever happens */
+exim_fail(
+  "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
+  "not directly from a shell command line. Options and/or arguments control\n"
+  "what it does when called. For a list of options, see the Exim documentation.\n");
+}
+
+
+
+/*************************************************
+*    Validate that the macros given are okay     *
+*************************************************/
+
+/* Typically, Exim will drop privileges if macros are supplied.  In some
+cases, we want to not do so.
+
+Arguments:    opt_D_used - true if the commandline had a "-D" option
+Returns:      true if trusted, false otherwise
+*/
+
+static BOOL
+macros_trusted(BOOL opt_D_used)
+{
+#ifdef WHITELIST_D_MACROS
+uschar *whitelisted, *end, *p, **whites;
+int white_count, i, n;
+size_t len;
+BOOL prev_char_item, found;
+#endif
+
+if (!opt_D_used)
+  return TRUE;
+#ifndef WHITELIST_D_MACROS
+return FALSE;
+#else
+
+/* We only trust -D overrides for some invoking users:
+root, the exim run-time user, the optional config owner user.
+I don't know why config-owner would be needed, but since they can own the
+config files anyway, there's no security risk to letting them override -D. */
+if ( ! ((real_uid == root_uid)
+     || (real_uid == exim_uid)
+#ifdef CONFIGURE_OWNER
+     || (real_uid == config_uid)
+#endif
+   ))
+  {
+  debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
+  return FALSE;
+  }
+
+/* Get a list of macros which are whitelisted */
+whitelisted = string_copy_perm(US WHITELIST_D_MACROS, FALSE);
+prev_char_item = FALSE;
+white_count = 0;
+for (p = whitelisted; *p != '\0'; ++p)
+  {
+  if (*p == ':' || isspace(*p))
+    {
+    *p = '\0';
+    if (prev_char_item)
+      ++white_count;
+    prev_char_item = FALSE;
+    continue;
+    }
+  if (!prev_char_item)
+    prev_char_item = TRUE;
+  }
+end = p;
+if (prev_char_item)
+  ++white_count;
+if (!white_count)
+  return FALSE;
+whites = store_malloc(sizeof(uschar *) * (white_count+1));
+for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
+  {
+  if (*p != '\0')
+    {
+    whites[i++] = p;
+    if (i == white_count)
+      break;
+    while (*p != '\0' && p < end)
+      ++p;
+    }
+  }
+whites[i] = NULL;
+
+/* The list of commandline macros should be very short.
+Accept the N*M complexity. */
+for (macro_item * m = macros_user; m; m = m->next) if (m->command_line)
+  {
+  found = FALSE;
+  for (uschar ** w = whites; *w; ++w)
+    if (Ustrcmp(*w, m->name) == 0)
+      {
+      found = TRUE;
+      break;
+      }
+  if (!found)
+    return FALSE;
+  if (!m->replacement)
+    continue;
+  if ((len = m->replen) == 0)
+    continue;
+  if (!regex_match(regex_whitelisted_macro, m->replacement, len, NULL))
+    return FALSE;
+  }
+DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
+return TRUE;
+#endif
+}
+
+
+/*************************************************
+*          Expansion testing			 *
+*************************************************/
+
+/* Expand and print one item, doing macro-processing.
+
+Arguments:
+  item		line for expansion
+*/
+
+static void
+expansion_test_line(const uschar * line)
+{
+int len;
+BOOL dummy_macexp;
+uschar * s;
+
+Ustrncpy(big_buffer, line, big_buffer_size);
+big_buffer[big_buffer_size-1] = '\0';
+len = Ustrlen(big_buffer);
+
+(void) macros_expand(0, &len, &dummy_macexp);
+
+if (isupper(big_buffer[0]))
+  {
+  if (macro_read_assignment(big_buffer))
+    printf("Defined macro '%s'\n", mlast->name);
+  }
+else
+  if ((s = expand_string(big_buffer))) printf("%s\n", CS s);
+  else printf("Failed: %s\n", expand_string_message);
+}
+
+
+
+/*************************************************
+*          Entry point and high-level code       *
+*************************************************/
+
+/* Entry point for the Exim mailer. Analyse the arguments and arrange to take
+the appropriate action. All the necessary functions are present in the one
+binary. I originally thought one should split it up, but it turns out that so
+much of the apparatus is needed in each chunk that one might as well just have
+it all available all the time, which then makes the coding easier as well.
+
+Arguments:
+  argc      count of entries in argv
+  argv      argument strings, with argv[0] being the program name
+
+Returns:    EXIT_SUCCESS if terminated successfully
+            EXIT_FAILURE otherwise, except when a message has been sent
+              to the sender, and -oee was given
+*/
+
+int
+main(int argc, char **cargv)
+{
+uschar **argv = USS cargv;
+int  arg_receive_timeout = -1;
+int  arg_smtp_receive_timeout = -1;
+int  arg_error_handling = error_handling;
+int  filter_sfd = -1;
+int  filter_ufd = -1;
+int  group_count;
+int  i, rv;
+int  list_queue_option = 0;
+int  msg_action = 0;
+int  msg_action_arg = -1;
+int  namelen = argv[0] ? Ustrlen(argv[0]) : 0;
+int  queue_only_reason = 0;
+#ifdef EXIM_PERL
+int  perl_start_option = 0;
+#endif
+int  recipients_arg = argc;
+int  sender_address_domain = 0;
+int  test_retry_arg = -1;
+int  test_rewrite_arg = -1;
+gid_t original_egid;
+BOOL arg_queue_only = FALSE;
+BOOL bi_option = FALSE;
+BOOL checking = FALSE;
+BOOL count_queue = FALSE;
+BOOL expansion_test = FALSE;
+BOOL extract_recipients = FALSE;
+BOOL flag_G = FALSE;
+BOOL flag_n = FALSE;
+BOOL forced_delivery = FALSE;
+BOOL f_end_dot = FALSE;
+BOOL deliver_give_up = FALSE;
+BOOL list_queue = FALSE;
+BOOL list_options = FALSE;
+BOOL list_config = FALSE;
+BOOL local_queue_only;
+BOOL one_msg_action = FALSE;
+BOOL opt_D_used = FALSE;
+BOOL queue_only_set = FALSE;
+BOOL receiving_message = TRUE;
+BOOL sender_ident_set = FALSE;
+BOOL session_local_queue_only;
+BOOL unprivileged;
+BOOL removed_privilege = FALSE;
+BOOL usage_wanted = FALSE;
+BOOL verify_address_mode = FALSE;
+BOOL verify_as_sender = FALSE;
+BOOL rcpt_verify_quota = FALSE;
+BOOL version_printed = FALSE;
+uschar *alias_arg = NULL;
+uschar *called_as = US"";
+uschar *cmdline_syslog_name = NULL;
+uschar *start_queue_run_id = NULL;
+uschar *stop_queue_run_id = NULL;
+uschar *expansion_test_message = NULL;
+const uschar *ftest_domain = NULL;
+const uschar *ftest_localpart = NULL;
+const uschar *ftest_prefix = NULL;
+const uschar *ftest_suffix = NULL;
+uschar *log_oneline = NULL;
+uschar *malware_test_file = NULL;
+uschar *real_sender_address;
+uschar *originator_home = US"/";
+size_t sz;
+
+struct passwd *pw;
+struct stat statbuf;
+pid_t passed_qr_pid = (pid_t)0;
+int passed_qr_pipe = -1;
+gid_t group_list[EXIM_GROUPLIST_SIZE];
+
+/* For the -bI: flag */
+enum commandline_info info_flag = CMDINFO_NONE;
+BOOL info_stdout = FALSE;
+
+/* Possible options for -R and -S */
+
+static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
+
+/* Need to define this in case we need to change the environment in order
+to get rid of a bogus time zone. We have to make it char rather than uschar
+because some OS define it in /usr/include/unistd.h. */
+
+extern char **environ;
+
+#ifdef MEASURE_TIMING
+(void)gettimeofday(&timestamp_startup, NULL);
+#endif
+
+store_init();	/* Initialise the memory allocation susbsystem */
+pcre_init();	/* Set up memory handling for pcre */
+
+/* If the Exim user and/or group and/or the configuration file owner/group were
+defined by ref:name at build time, we must now find the actual uid/gid values.
+This is a feature to make the lives of binary distributors easier. */
+
+#ifdef EXIM_USERNAME
+if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
+  {
+  if (exim_uid == 0)
+    exim_fail("exim: refusing to run with uid 0 for \"%s\"\n", EXIM_USERNAME);
+
+  /* If ref:name uses a number as the name, route_finduser() returns
+  TRUE with exim_uid set and pw coerced to NULL. */
+  if (pw)
+    exim_gid = pw->pw_gid;
+#ifndef EXIM_GROUPNAME
+  else
+    exim_fail(
+        "exim: ref:name should specify a usercode, not a group.\n"
+        "exim: can't let you get away with it unless you also specify a group.\n");
+#endif
+  }
+else
+  exim_fail("exim: failed to find uid for user name \"%s\"\n", EXIM_USERNAME);
+#endif
+
+#ifdef EXIM_GROUPNAME
+if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
+  exim_fail("exim: failed to find gid for group name \"%s\"\n", EXIM_GROUPNAME);
+#endif
+
+#ifdef CONFIGURE_OWNERNAME
+if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
+  exim_fail("exim: failed to find uid for user name \"%s\"\n",
+    CONFIGURE_OWNERNAME);
+#endif
+
+/* We default the system_filter_user to be the Exim run-time user, as a
+sane non-root value. */
+system_filter_uid = exim_uid;
+
+#ifdef CONFIGURE_GROUPNAME
+if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
+  exim_fail("exim: failed to find gid for group name \"%s\"\n",
+    CONFIGURE_GROUPNAME);
+#endif
+
+/* In the Cygwin environment, some initialization used to need doing.
+It was fudged in by means of this macro; now no longer but we'll leave
+it in case of others. */
+
+#ifdef OS_INIT
+OS_INIT
+#endif
+
+/* Check a field which is patched when we are running Exim within its
+testing harness; do a fast initial check, and then the whole thing. */
+
+f.running_in_test_harness =
+  *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
+if (f.running_in_test_harness)
+  debug_store = TRUE;
+
+/* Protect against abusive argv[0] */
+if (!argv[0] || !argc) exim_fail("exim: executable name required\n");
+exim_str_fail_toolong(argv[0], PATH_MAX, "argv[0]");
+
+/* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
+at the start of a program; however, it seems that some environments do not
+follow this. A "strange" locale can affect the formatting of timestamps, so we
+make quite sure. */
+
+setlocale(LC_ALL, "C");
+
+/* Get the offset between CLOCK_MONOTONIC/CLOCK_BOOTTIME and wallclock */
+
+#ifdef _POSIX_MONOTONIC_CLOCK
+exim_clock_init();
+#endif
+
+/* Set up the default handler for timing using alarm(). */
+
+os_non_restarting_signal(SIGALRM, sigalrm_handler);
+
+/* Ensure we have a buffer for constructing log entries. Use malloc directly,
+because store_malloc writes a log entry on failure. */
+
+if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
+  exim_fail("exim: failed to get store for log buffer\n");
+
+/* Initialize the default log options. */
+
+bits_set(log_selector, log_selector_size, log_default);
+
+/* Set log_stderr to stderr, provided that stderr exists. This gets reset to
+NULL when the daemon is run and the file is closed. We have to use this
+indirection, because some systems don't allow writing to the variable "stderr".
+*/
+
+if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
+
+/* Ensure there is a big buffer for temporary use in several places. It is put
+in malloc store so that it can be freed for enlargement if necessary. */
+
+big_buffer = store_malloc(big_buffer_size);
+
+/* Set up the handler for the data request signal, and set the initial
+descriptive text. */
+
+process_info = store_get(PROCESS_INFO_SIZE, GET_TAINTED);
+set_process_info("initializing");
+os_restarting_signal(SIGUSR1, usr1_handler);		/* exiwhat */
+#ifdef SA_SIGINFO
+  {
+  struct sigaction act = { .sa_sigaction = segv_handler, .sa_flags = SA_RESETHAND | SA_SIGINFO };
+  sigaction(SIGSEGV, &act, NULL);
+  }
+#else
+signal(SIGSEGV, segv_handler);				/* log faults */
+#endif
+
+/* If running in a dockerized environment, the TERM signal is only
+delegated to the PID 1 if we request it by setting an signal handler */
+if (getpid() == 1) signal(SIGTERM, term_handler);
+
+/* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
+in the daemon code. For the rest of Exim's uses, we ignore it. */
+
+signal(SIGHUP, SIG_IGN);
+
+/* We don't want to die on pipe errors as the code is written to handle
+the write error instead. */
+
+signal(SIGPIPE, SIG_IGN);
+
+/* Under some circumstance on some OS, Exim can get called with SIGCHLD
+set to SIG_IGN. This causes subprocesses that complete before the parent
+process waits for them not to hang around, so when Exim calls wait(), nothing
+is there. The wait() code has been made robust against this, but let's ensure
+that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
+ending status. We use sigaction rather than plain signal() on those OS where
+SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
+problem on AIX with this.) */
+
+#ifdef SA_NOCLDWAIT
+  {
+  struct sigaction act;
+  act.sa_handler = SIG_DFL;
+  sigemptyset(&(act.sa_mask));
+  act.sa_flags = 0;
+  sigaction(SIGCHLD, &act, NULL);
+  }
+#else
+signal(SIGCHLD, SIG_DFL);
+#endif
+
+/* Save the arguments for use if we re-exec exim as a daemon after receiving
+SIGHUP. */
+
+sighup_argv = argv;
+
+/* Set up the version number. Set up the leading 'E' for the external form of
+message ids, set the pointer to the internal form, and initialize it to
+indicate no message being processed. */
+
+version_init();
+message_id_option[0] = '-';
+message_id_external = message_id_option + 1;
+message_id_external[0] = 'E';
+message_id = message_id_external + 1;
+message_id[0] = 0;
+
+/* Set the umask to zero so that any files Exim creates using open() are
+created with the modes that it specifies. NOTE: Files created with fopen() have
+a problem, which was not recognized till rather late (February 2006). With this
+umask, such files will be world writeable. (They are all content scanning files
+in the spool directory, which isn't world-accessible, so this is not a
+disaster, but it's untidy.) I don't want to change this overall setting,
+however, because it will interact badly with the open() calls. Instead, there's
+now a function called modefopen() that fiddles with the umask while calling
+fopen(). */
+
+(void)umask(0);
+
+/* Precompile the regular expression for matching a message id. Keep this in
+step with the code that generates ids in the accept.c module. We need to do
+this here, because the -M options check their arguments for syntactic validity
+using mac_ismsgid, which uses this. */
+
+regex_ismsgid =
+  regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
+
+/* Precompile the regular expression that is used for matching an SMTP error
+code, possibly extended, at the start of an error message. Note that the
+terminating whitespace character is included. */
+
+regex_smtp_code =
+  regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
+    FALSE, TRUE);
+
+#ifdef WHITELIST_D_MACROS
+/* Precompile the regular expression used to filter the content of macros
+given to -D for permissibility. */
+
+regex_whitelisted_macro =
+  regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
+#endif
+
+for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
+
+/* If the program is called as "mailq" treat it as equivalent to "exim -bp";
+this seems to be a generally accepted convention, since one finds symbolic
+links called "mailq" in standard OS configurations. */
+
+if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
+    (namelen  > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
+  {
+  list_queue = TRUE;
+  receiving_message = FALSE;
+  called_as = US"-mailq";
+  }
+
+/* If the program is called as "rmail" treat it as equivalent to
+"exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
+i.e. preventing a single dot on a line from terminating the message, and
+returning with zero return code, even in cases of error (provided an error
+message has been sent). */
+
+if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
+    (namelen  > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
+  {
+  f.dot_ends = FALSE;
+  called_as = US"-rmail";
+  errors_sender_rc = EXIT_SUCCESS;
+  }
+
+/* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
+this is a smail convention. */
+
+if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
+    (namelen  > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
+  {
+  smtp_input = smtp_batched_input = TRUE;
+  called_as = US"-rsmtp";
+  }
+
+/* If the program is called as "runq" treat it as equivalent to "exim -q";
+this is a smail convention. */
+
+if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
+    (namelen  > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
+  {
+  queue_interval = 0;
+  receiving_message = FALSE;
+  called_as = US"-runq";
+  }
+
+/* If the program is called as "newaliases" treat it as equivalent to
+"exim -bi"; this is a sendmail convention. */
+
+if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
+    (namelen  > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
+  {
+  bi_option = TRUE;
+  receiving_message = FALSE;
+  called_as = US"-newaliases";
+  }
+
+/* Save the original effective uid for a couple of uses later. It should
+normally be root, but in some esoteric environments it may not be. */
+
+original_euid = geteuid();
+original_egid = getegid();
+
+/* Get the real uid and gid. If the caller is root, force the effective uid/gid
+to be the same as the real ones. This makes a difference only if Exim is setuid
+(or setgid) to something other than root, which could be the case in some
+special configurations. */
+
+real_uid = getuid();
+real_gid = getgid();
+
+if (real_uid == root_uid)
+  {
+  if ((rv = setgid(real_gid)))
+    exim_fail("exim: setgid(%ld) failed: %s\n",
+        (long int)real_gid, strerror(errno));
+  if ((rv = setuid(real_uid)))
+    exim_fail("exim: setuid(%ld) failed: %s\n",
+        (long int)real_uid, strerror(errno));
+  }
+
+/* If neither the original real uid nor the original euid was root, Exim is
+running in an unprivileged state. */
+
+unprivileged = (real_uid != root_uid && original_euid != root_uid);
+
+/* For most of the args-parsing we need to use permanent pool memory */
+ {
+ int old_pool = store_pool;
+ store_pool = POOL_PERM;
+
+/* Scan the program's arguments. Some can be dealt with right away; others are
+simply recorded for checking and handling afterwards. Do a high-level switch
+on the second character (the one after '-'), to save some effort. */
+
+ for (i = 1; i < argc; i++)
+  {
+  BOOL badarg = FALSE;
+  uschar * arg = argv[i];
+  uschar * argrest;
+  int switchchar;
+
+  /* An argument not starting with '-' is the start of a recipients list;
+  break out of the options-scanning loop. */
+
+  if (arg[0] != '-')
+    {
+    recipients_arg = i;
+    break;
+    }
+
+  /* An option consisting of -- terminates the options */
+
+  if (Ustrcmp(arg, "--") == 0)
+    {
+    recipients_arg = i + 1;
+    break;
+    }
+
+  /* Handle flagged options */
+
+  switchchar = arg[1];
+  argrest = arg+2;
+
+  /* Make all -ex options synonymous with -oex arguments, since that
+  is assumed by various callers. Also make -qR options synonymous with -R
+  options, as that seems to be required as well. Allow for -qqR too, and
+  the same for -S options. */
+
+  if (Ustrncmp(arg+1, "oe", 2) == 0 ||
+      Ustrncmp(arg+1, "qR", 2) == 0 ||
+      Ustrncmp(arg+1, "qS", 2) == 0)
+    {
+    switchchar = arg[2];
+    argrest++;
+    }
+  else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
+    {
+    switchchar = arg[3];
+    argrest += 2;
+    f.queue_2stage = TRUE;
+    }
+
+  /* Make -r synonymous with -f, since it is a documented alias */
+
+  else if (arg[1] == 'r') switchchar = 'f';
+
+  /* Make -ov synonymous with -v */
+
+  else if (Ustrcmp(arg, "-ov") == 0)
+    {
+    switchchar = 'v';
+    argrest++;
+    }
+
+  /* deal with --option_aliases */
+  else if (switchchar == '-')
+    {
+    if (Ustrcmp(argrest, "help") == 0)
+      {
+      usage_wanted = TRUE;
+      break;
+      }
+    else if (Ustrcmp(argrest, "version") == 0)
+      {
+      switchchar = 'b';
+      argrest = US"V";
+      }
+    }
+
+  /* High-level switch on active initial letter */
+
+  switch(switchchar)
+    {
+
+    /* sendmail uses -Ac and -Am to control which .cf file is used;
+    we ignore them. */
+    case 'A':
+    if (!*argrest) { badarg = TRUE; break; }
+    else
+      {
+      BOOL ignore = FALSE;
+      switch (*argrest)
+        {
+        case 'c':
+        case 'm':
+          if (*(argrest + 1) == '\0')
+            ignore = TRUE;
+          break;
+        }
+      if (!ignore) badarg = TRUE;
+      }
+    break;
+
+    /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
+    so has no need of it. */
+
+    case 'B':
+    if (!*argrest) i++;       /* Skip over the type */
+    break;
+
+
+    case 'b':
+      {
+      receiving_message = FALSE;    /* Reset TRUE for -bm, -bS, -bs below */
+
+      switch (*argrest++)
+	{
+	/* -bd:  Run in daemon mode, awaiting SMTP connections.
+	   -bdf: Ditto, but in the foreground.
+	*/
+	case 'd':
+	  f.daemon_listen = TRUE;
+	  if (*argrest == 'f') f.background_daemon = FALSE;
+	  else if (*argrest) badarg = TRUE;
+	  break;
+
+	/* -be:  Run in expansion test mode
+	   -bem: Ditto, but read a message from a file first
+	*/
+	case 'e':
+	  expansion_test = checking = TRUE;
+	  if (*argrest == 'm')
+	    {
+	    if (++i >= argc) { badarg = TRUE; break; }
+	    expansion_test_message = argv[i];
+	    argrest++;
+	    }
+	  if (*argrest) badarg = TRUE;
+	  break;
+
+	/* -bF:  Run system filter test */
+	case 'F':
+	  filter_test |= checking = FTEST_SYSTEM;
+	  if (*argrest) badarg = TRUE;
+	  else if (++i < argc) filter_test_sfile = argv[i];
+	  else exim_fail("exim: file name expected after %s\n", argv[i-1]);
+	  break;
+
+	/* -bf:  Run user filter test
+	   -bfd: Set domain for filter testing
+	   -bfl: Set local part for filter testing
+	   -bfp: Set prefix for filter testing
+	   -bfs: Set suffix for filter testing
+	*/
+	case 'f':
+	  if (!*argrest)
+	    {
+	    filter_test |= checking = FTEST_USER;
+	    if (++i < argc) filter_test_ufile = argv[i];
+	    else exim_fail("exim: file name expected after %s\n", argv[i-1]);
+	    }
+	  else
+	    {
+	    if (++i >= argc)
+	      exim_fail("exim: string expected after %s\n", arg);
+	    if (Ustrcmp(argrest, "d") == 0) ftest_domain = exim_str_fail_toolong(argv[i], EXIM_DOMAINNAME_MAX, "-bfd");
+	    else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = exim_str_fail_toolong(argv[i], EXIM_LOCALPART_MAX, "-bfl");
+	    else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = exim_str_fail_toolong(argv[i], EXIM_LOCALPART_MAX, "-bfp");
+	    else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = exim_str_fail_toolong(argv[i], EXIM_LOCALPART_MAX, "-bfs");
+	    else badarg = TRUE;
+	    }
+	  break;
+
+	/* -bh: Host checking - an IP address must follow. */
+	case 'h':
+	  if (!*argrest || Ustrcmp(argrest, "c") == 0)
+	    {
+	    if (++i >= argc) { badarg = TRUE; break; }
+	    sender_host_address = string_copy_taint(
+		  exim_str_fail_toolong(argv[i], EXIM_IPADDR_MAX, "-bh"),
+		  GET_TAINTED);
+	    host_checking = checking = f.log_testing_mode = TRUE;
+	    f.host_checking_callout = *argrest == 'c';
+	    message_logs = FALSE;
+	    }
+	  else badarg = TRUE;
+	  break;
+
+	/* -bi: This option is used by sendmail to initialize *the* alias file,
+	though it has the -oA option to specify a different file. Exim has no
+	concept of *the* alias file, but since Sun's YP make script calls
+	sendmail this way, some support must be provided. */
+	case 'i':
+	  if (!*argrest) bi_option = TRUE;
+	  else badarg = TRUE;
+	  break;
+
+	/* -bI: provide information, of the type to follow after a colon.
+	This is an Exim flag. */
+	case 'I':
+	  if (Ustrlen(argrest) >= 1 && *argrest == ':')
+	    {
+	    uschar *p = argrest+1;
+	    info_flag = CMDINFO_HELP;
+	    if (Ustrlen(p))
+	      if (strcmpic(p, CUS"sieve") == 0)
+		{
+		info_flag = CMDINFO_SIEVE;
+		info_stdout = TRUE;
+		}
+	      else if (strcmpic(p, CUS"dscp") == 0)
+		{
+		info_flag = CMDINFO_DSCP;
+		info_stdout = TRUE;
+		}
+	      else if (strcmpic(p, CUS"help") == 0)
+		info_stdout = TRUE;
+	    }
+	  else badarg = TRUE;
+	  break;
+
+	/* -bm: Accept and deliver message - the default option. Reinstate
+	receiving_message, which got turned off for all -b options.
+	   -bmalware: test the filename given for malware */
+	case 'm':
+	  if (!*argrest) receiving_message = TRUE;
+	  else if (Ustrcmp(argrest, "alware") == 0)
+	    {
+	    if (++i >= argc) { badarg = TRUE; break; }
+	    checking = TRUE;
+	    malware_test_file = argv[i];
+	    }
+	  else badarg = TRUE;
+	  break;
+
+	/* -bnq: For locally originating messages, do not qualify unqualified
+	addresses. In the envelope, this causes errors; in header lines they
+	just get left. */
+	case 'n':
+	  if (Ustrcmp(argrest, "q") == 0)
+	    {
+	    f.allow_unqualified_sender = FALSE;
+	    f.allow_unqualified_recipient = FALSE;
+	    }
+	  else badarg = TRUE;
+	  break;
+
+	/* -bpxx: List the contents of the mail queue, in various forms. If
+	the option is -bpc, just a queue count is needed. Otherwise, if the
+	first letter after p is r, then order is random. */
+	case 'p':
+	  if (*argrest == 'c')
+	    {
+	    count_queue = TRUE;
+	    if (*++argrest) badarg = TRUE;
+	    break;
+	    }
+
+	  if (*argrest == 'r')
+	    {
+	    list_queue_option = 8;
+	    argrest++;
+	    }
+	  else list_queue_option = 0;
+
+	  list_queue = TRUE;
+
+	  /* -bp: List the contents of the mail queue, top-level only */
+
+	  if (!*argrest) {}
+
+	  /* -bpu: List the contents of the mail queue, top-level undelivered */
+
+	  else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
+
+	  /* -bpa: List the contents of the mail queue, including all delivered */
+
+	  else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
+
+	  /* Unknown after -bp[r] */
+
+	  else badarg = TRUE;
+	  break;
+
+
+	/* -bP: List the configuration variables given as the address list.
+	Force -v, so configuration errors get displayed. */
+	case 'P':
+
+	  /* -bP config: we need to setup here, because later,
+	  when list_options is checked, the config is read already */
+	  if (*argrest)
+	    badarg = TRUE;
+	  else if (argv[i+1] && Ustrcmp(argv[i+1], "config") == 0)
+	    {
+	    list_config = TRUE;
+	    readconf_save_config(version_string);
+	    }
+	  else
+	    {
+	    list_options = TRUE;
+	    debug_selector |= D_v;
+	    debug_file = stderr;
+	    }
+	  break;
+
+	/* -brt: Test retry configuration lookup */
+	case 'r':
+	  if (Ustrcmp(argrest, "t") == 0)
+	    {
+	    checking = TRUE;
+	    test_retry_arg = i + 1;
+	    goto END_ARG;
+	    }
+
+	  /* -brw: Test rewrite configuration */
+
+	  else if (Ustrcmp(argrest, "w") == 0)
+	    {
+	    checking = TRUE;
+	    test_rewrite_arg = i + 1;
+	    goto END_ARG;
+	    }
+	  else badarg = TRUE;
+	  break;
+
+	/* -bS: Read SMTP commands on standard input, but produce no replies -
+	all errors are reported by sending messages. */
+	case 'S':
+	  if (!*argrest)
+	    smtp_input = smtp_batched_input = receiving_message = TRUE;
+	  else badarg = TRUE;
+	  break;
+
+	/* -bs: Read SMTP commands on standard input and produce SMTP replies
+	on standard output. */
+	case 's':
+	  if (!*argrest) smtp_input = receiving_message = TRUE;
+	  else badarg = TRUE;
+	  break;
+
+	/* -bt: address testing mode */
+	case 't':
+	  if (!*argrest)
+	    f.address_test_mode = checking = f.log_testing_mode = TRUE;
+	  else badarg = TRUE;
+	  break;
+
+	/* -bv: verify addresses */
+	case 'v':
+	  if (!*argrest)
+	    verify_address_mode = checking = f.log_testing_mode = TRUE;
+
+	/* -bvs: verify sender addresses */
+
+	  else if (Ustrcmp(argrest, "s") == 0)
+	    {
+	    verify_address_mode = checking = f.log_testing_mode = TRUE;
+	    verify_as_sender = TRUE;
+	    }
+	  else badarg = TRUE;
+	  break;
+
+	/* -bV: Print version string and support details */
+	case 'V':
+	  if (!*argrest)
+	    {
+	    printf("Exim version %s #%s built %s\n", version_string,
+	      version_cnumber, version_date);
+	    printf("%s\n", CS version_copyright);
+	    version_printed = TRUE;
+	    show_whats_supported(TRUE);
+	    f.log_testing_mode = TRUE;
+	    }
+	  else badarg = TRUE;
+	  break;
+
+	/* -bw: inetd wait mode, accept a listening socket as stdin */
+	case 'w':
+	  f.inetd_wait_mode = TRUE;
+	  f.background_daemon = FALSE;
+	  f.daemon_listen = TRUE;
+	  if (*argrest)
+	    if ((inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE)) <= 0)
+	      exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
+	  break;
+
+	default:
+	  badarg = TRUE;
+	  break;
+	}
+      break;
+      }
+
+
+    /* -C: change configuration file list; ignore if it isn't really
+    a change! Enforce a prefix check if required. */
+
+    case 'C':
+    if (!*argrest)
+      if (++i < argc) argrest = argv[i]; else { badarg = TRUE; break; }
+    if (Ustrcmp(config_main_filelist, argrest) != 0)
+      {
+      #ifdef ALT_CONFIG_PREFIX
+      int sep = 0;
+      int len = Ustrlen(ALT_CONFIG_PREFIX);
+      const uschar *list = argrest;
+      uschar *filename;
+      /* The argv is untainted, so big_buffer (also untainted) is ok to use */
+      while((filename = string_nextinlist(&list, &sep, big_buffer,
+             big_buffer_size)))
+        if (  (  Ustrlen(filename) < len
+	      || Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0
+	      || Ustrstr(filename, "/../") != NULL
+	      )
+	   && (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid)
+	   )
+          exim_fail("-C Permission denied\n");
+      #endif
+      if (real_uid != root_uid)
+        {
+        #ifdef TRUSTED_CONFIG_LIST
+
+        if (real_uid != exim_uid
+            #ifdef CONFIGURE_OWNER
+            && real_uid != config_uid
+            #endif
+            )
+          f.trusted_config = FALSE;
+        else
+          {
+          FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
+          if (trust_list)
+            {
+            struct stat statbuf;
+
+            if (fstat(fileno(trust_list), &statbuf) != 0 ||
+                (statbuf.st_uid != root_uid        /* owner not root */
+                 #ifdef CONFIGURE_OWNER
+                 && statbuf.st_uid != config_uid   /* owner not the special one */
+                 #endif
+                   ) ||                            /* or */
+                (statbuf.st_gid != root_gid        /* group not root */
+                 #ifdef CONFIGURE_GROUP
+                 && statbuf.st_gid != config_gid   /* group not the special one */
+                 #endif
+                 && (statbuf.st_mode & 020) != 0   /* group writeable */
+                   ) ||                            /* or */
+                (statbuf.st_mode & 2) != 0)        /* world writeable */
+              {
+              f.trusted_config = FALSE;
+              fclose(trust_list);
+              }
+	    else
+              {
+              /* Well, the trust list at least is up to scratch... */
+              rmark reset_point;
+              uschar *trusted_configs[32];
+              int nr_configs = 0;
+              int i = 0;
+	      int old_pool = store_pool;
+	      store_pool = POOL_MAIN;
+
+              reset_point = store_mark();
+              while (Ufgets(big_buffer, big_buffer_size, trust_list))
+                {
+                uschar *start = big_buffer, *nl;
+                while (*start && isspace(*start))
+                start++;
+                if (*start != '/')
+                  continue;
+                nl = Ustrchr(start, '\n');
+                if (nl)
+                  *nl = 0;
+                trusted_configs[nr_configs++] = string_copy(start);
+                if (nr_configs == nelem(trusted_configs))
+                  break;
+                }
+              fclose(trust_list);
+
+              if (nr_configs)
+                {
+                int sep = 0;
+                const uschar *list = argrest;
+                uschar *filename;
+                while (f.trusted_config && (filename = string_nextinlist(&list,
+                        &sep, big_buffer, big_buffer_size)))
+                  {
+                  for (i=0; i < nr_configs; i++)
+                    if (Ustrcmp(filename, trusted_configs[i]) == 0)
+                      break;
+                  if (i == nr_configs)
+                    {
+                    f.trusted_config = FALSE;
+                    break;
+                    }
+                  }
+                }
+              else	/* No valid prefixes found in trust_list file. */
+                f.trusted_config = FALSE;
+              store_reset(reset_point);
+	      store_pool = old_pool;
+              }
+	    }
+          else		/* Could not open trust_list file. */
+            f.trusted_config = FALSE;
+          }
+      #else
+        /* Not root; don't trust config */
+        f.trusted_config = FALSE;
+      #endif
+        }
+
+      config_main_filelist = argrest;
+      f.config_changed = TRUE;
+      }
+    break;
+
+
+    /* -D: set up a macro definition */
+
+    case 'D':
+#ifdef DISABLE_D_OPTION
+      exim_fail("exim: -D is not available in this Exim binary\n");
+#else
+      {
+      int ptr = 0;
+      macro_item *m;
+      uschar name[24];
+      uschar *s = argrest;
+
+      opt_D_used = TRUE;
+      while (isspace(*s)) s++;
+
+      if (*s < 'A' || *s > 'Z')
+        exim_fail("exim: macro name set by -D must start with "
+          "an upper case letter\n");
+
+      while (isalnum(*s) || *s == '_')
+        {
+        if (ptr < sizeof(name)-1) name[ptr++] = *s;
+        s++;
+        }
+      name[ptr] = 0;
+      if (ptr == 0) { badarg = TRUE; break; }
+      while (isspace(*s)) s++;
+      if (*s != 0)
+        {
+        if (*s++ != '=') { badarg = TRUE; break; }
+        while (isspace(*s)) s++;
+        }
+
+      for (m = macros_user; m; m = m->next)
+        if (Ustrcmp(m->name, name) == 0)
+          exim_fail("exim: duplicated -D in command line\n");
+
+      m = macro_create(name, s, TRUE);
+
+      if (clmacro_count >= MAX_CLMACROS)
+        exim_fail("exim: too many -D options on command line\n");
+      clmacros[clmacro_count++] =
+	string_sprintf("-D%s=%s", m->name, m->replacement);
+      }
+    #endif
+    break;
+
+    case 'd':
+
+    /* -dropcr: Set this option.  Now a no-op, retained for compatibility only. */
+
+    if (Ustrcmp(argrest, "ropcr") == 0)
+      {
+      /* drop_cr = TRUE; */
+      }
+
+    /* -dp: Set up a debug pretrigger buffer with given size. */
+
+    else if (Ustrcmp(argrest, "p") == 0)
+      if (++i >= argc)
+	badarg = TRUE;
+      else
+	debug_pretrigger_setup(argv[i]);
+
+    /* -dt: Set a debug trigger selector */
+
+    else if (Ustrncmp(argrest, "t=", 2) == 0)
+      dtrigger_selector = (unsigned int) Ustrtol(argrest + 2, NULL, 0);
+
+    /* -d: Set debug level (see also -v below).
+    If -dd is used, debugging subprocesses of the daemon is disabled. */
+
+    else
+      {
+      /* Use an intermediate variable so that we don't set debugging while
+      decoding the debugging bits. */
+
+      unsigned int selector = D_default;
+      debug_selector = 0;
+      debug_file = NULL;
+      if (*argrest == 'd')
+        {
+        f.debug_daemon = TRUE;
+        argrest++;
+        }
+      if (*argrest)
+        decode_bits(&selector, 1, debug_notall, argrest,
+          debug_options, debug_options_count, US"debug", 0);
+      debug_selector = selector;
+      }
+    break;
+
+
+    /* -E: This is a local error message. This option is not intended for
+    external use at all, but is not restricted to trusted callers because it
+    does no harm (just suppresses certain error messages) and if Exim is run
+    not setuid root it won't always be trusted when it generates error
+    messages using this option. If there is a message id following -E, point
+    message_reference at it, for logging. */
+
+    case 'E':
+    f.local_error_message = TRUE;
+    if (mac_ismsgid(argrest)) message_reference = argrest;
+    break;
+
+
+    /* -ex: The vacation program calls sendmail with the undocumented "-eq"
+    option, so it looks as if historically the -oex options are also callable
+    without the leading -o. So we have to accept them. Before the switch,
+    anything starting -oe has been converted to -e. Exim does not support all
+    of the sendmail error options. */
+
+    case 'e':
+    if (Ustrcmp(argrest, "e") == 0)
+      {
+      arg_error_handling = ERRORS_SENDER;
+      errors_sender_rc = EXIT_SUCCESS;
+      }
+    else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
+    else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
+    else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
+    else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
+    else badarg = TRUE;
+    break;
+
+
+    /* -F: Set sender's full name, used instead of the gecos entry from
+    the password file. Since users can usually alter their gecos entries,
+    there's no security involved in using this instead. The data can follow
+    the -F or be in the next argument. */
+
+    case 'F':
+    if (!*argrest)
+      if (++i < argc) argrest = argv[i]; else { badarg = TRUE; break; }
+    originator_name = string_copy_taint(
+		  exim_str_fail_toolong(argrest, EXIM_HUMANNAME_MAX, "-F"),
+		  GET_TAINTED);
+    f.sender_name_forced = TRUE;
+    break;
+
+
+    /* -f: Set sender's address - this value is only actually used if Exim is
+    run by a trusted user, or if untrusted_set_sender is set and matches the
+    address, except that the null address can always be set by any user. The
+    test for this happens later, when the value given here is ignored when not
+    permitted. For an untrusted user, the actual sender is still put in Sender:
+    if it doesn't match the From: header (unless no_local_from_check is set).
+    The data can follow the -f or be in the next argument. The -r switch is an
+    obsolete form of -f but since there appear to be programs out there that
+    use anything that sendmail has ever supported, better accept it - the
+    synonymizing is done before the switch above.
+
+    At this stage, we must allow domain literal addresses, because we don't
+    know what the setting of allow_domain_literals is yet. Ditto for trailing
+    dots and strip_trailing_dot. */
+
+    case 'f':
+      {
+      int dummy_start, dummy_end;
+      uschar *errmess;
+      if (!*argrest)
+        if (i+1 < argc) argrest = argv[++i]; else { badarg = TRUE; break; }
+      (void) exim_str_fail_toolong(argrest, EXIM_DISPLAYMAIL_MAX, "-f");
+      if (!*argrest)
+        *(sender_address = store_get(1, GET_UNTAINTED)) = '\0';  /* Ensure writeable memory */
+      else
+        {
+        uschar * temp = argrest + Ustrlen(argrest) - 1;
+        while (temp >= argrest && isspace(*temp)) temp--;
+        if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
+        allow_domain_literals = TRUE;
+        strip_trailing_dot = TRUE;
+#ifdef SUPPORT_I18N
+	allow_utf8_domains = TRUE;
+#endif
+        if (!(sender_address = parse_extract_address(argrest, &errmess,
+		  &dummy_start, &dummy_end, &sender_address_domain, TRUE)))
+          exim_fail("exim: bad -f address \"%s\": %s\n", argrest, errmess);
+
+	sender_address = string_copy_taint(sender_address, GET_TAINTED);
+#ifdef SUPPORT_I18N
+	message_smtputf8 =  string_is_utf8(sender_address);
+	allow_utf8_domains = FALSE;
+#endif
+        allow_domain_literals = FALSE;
+        strip_trailing_dot = FALSE;
+        }
+      f.sender_address_forced = TRUE;
+      }
+    break;
+
+    /* -G: sendmail invocation to specify that it's a gateway submission and
+    sendmail may complain about problems instead of fixing them.
+    We make it equivalent to an ACL "control = suppress_local_fixups" and do
+    not at this time complain about problems. */
+
+    case 'G':
+    flag_G = TRUE;
+    break;
+
+    /* -h: Set the hop count for an incoming message. Exim does not currently
+    support this; it always computes it by counting the Received: headers.
+    To put it in will require a change to the spool header file format. */
+
+    case 'h':
+    if (!*argrest)
+      if (++i < argc) argrest = argv[i]; else { badarg = TRUE; break; }
+    if (!isdigit(*argrest)) badarg = TRUE;
+    break;
+
+
+    /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
+    not to be documented for sendmail but mailx (at least) uses it) */
+
+    case 'i':
+    if (!*argrest) f.dot_ends = FALSE; else badarg = TRUE;
+    break;
+
+
+    /* -L: set the identifier used for syslog; equivalent to setting
+    syslog_processname in the config file, but needs to be an admin option. */
+
+    case 'L':
+    if (!*argrest)
+      if (++i < argc) argrest = argv[i]; else { badarg = TRUE; break; }
+    if ((sz = Ustrlen(argrest)) > 32)
+      exim_fail("exim: the -L syslog name is too long: \"%s\"\n", argrest);
+    if (sz < 1)
+      exim_fail("exim: the -L syslog name is too short\n");
+    cmdline_syslog_name = string_copy_taint(argrest, GET_TAINTED);
+    break;
+
+    case 'M':
+    receiving_message = FALSE;
+
+    /* -MC:  continue delivery of another message via an existing open
+    file descriptor. This option is used for an internal call by the
+    smtp transport when there is a pending message waiting to go to an
+    address to which it has got a connection. Five subsequent arguments are
+    required: transport name, host name, IP address, sequence number, and
+    message_id. Transports may decline to create new processes if the sequence
+    number gets too big. The channel is stdin. This (-MC) must be the last
+    argument. There's a subsequent check that the real-uid is privileged.
+
+    If we are running in the test harness. delay for a bit, to let the process
+    that set this one up complete. This makes for repeatability of the logging,
+    etc. output. */
+
+    if (Ustrcmp(argrest, "C") == 0)
+      {
+      union sockaddr_46 interface_sock;
+      EXIM_SOCKLEN_T size = sizeof(interface_sock);
+
+      if (argc != i + 6)
+        exim_fail("exim: too many or too few arguments after -MC\n");
+
+      if (msg_action_arg >= 0)
+        exim_fail("exim: incompatible arguments\n");
+
+      continue_transport = string_copy_taint(
+	exim_str_fail_toolong(argv[++i], EXIM_DRIVERNAME_MAX, "-C internal transport"),
+	GET_TAINTED);
+      continue_hostname = string_copy_taint(
+	exim_str_fail_toolong(argv[++i], EXIM_HOSTNAME_MAX, "-C internal hostname"),
+	GET_TAINTED);
+      continue_host_address = string_copy_taint(
+	exim_str_fail_toolong(argv[++i], EXIM_IPADDR_MAX, "-C internal hostaddr"),
+	GET_TAINTED);
+      continue_sequence = Uatoi(argv[++i]);
+      msg_action = MSG_DELIVER;
+      msg_action_arg = ++i;
+      forced_delivery = TRUE;
+      queue_run_pid = passed_qr_pid;
+      queue_run_pipe = passed_qr_pipe;
+
+      if (!mac_ismsgid(argv[i]))
+        exim_fail("exim: malformed message id %s after -MC option\n",
+          argv[i]);
+
+      /* Set up $sending_ip_address and $sending_port, unless proxied */
+
+      if (!continue_proxy_cipher)
+	if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
+	    &size) == 0)
+	  sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
+	    &sending_port);
+	else
+	  exim_fail("exim: getsockname() failed after -MC option: %s\n",
+	    strerror(errno));
+
+      testharness_pause_ms(500);
+      break;
+      }
+
+    else if (*argrest == 'C' && argrest[1] && !argrest[2])
+      {
+      switch(argrest[1])
+	{
+    /* -MCA: set the smtp_authenticated flag; this is useful only when it
+    precedes -MC (see above). The flag indicates that the host to which
+    Exim is connected has accepted an AUTH sequence. */
+
+	case 'A': f.smtp_authenticated = TRUE; break;
+
+    /* -MCD: set the smtp_use_dsn flag; this indicates that the host
+       that exim is connected to supports the esmtp extension DSN */
+
+	case 'D': smtp_peer_options |= OPTION_DSN; break;
+
+    /* -MCd: for debug, set a process-purpose string */
+
+	case 'd': if (++i < argc)
+		    process_purpose = string_copy_taint(
+		      exim_str_fail_toolong(argv[i], EXIM_DRIVERNAME_MAX, "-MCd"),
+		      GET_TAINTED);
+		  else badarg = TRUE;
+		  break;
+
+    /* -MCG: set the queue name, to a non-default value. Arguably, anything
+       from the commandline should be tainted - but we will need an untainted
+       value for the spoolfile when doing a -odi delivery process. */
+
+	case 'G': if (++i < argc) queue_name = string_copy_taint(
+		      exim_str_fail_toolong(argv[i], EXIM_DRIVERNAME_MAX, "-MCG"),
+		      GET_UNTAINTED);
+		  else badarg = TRUE;
+		  break;
+
+    /* -MCK: the peer offered CHUNKING.  Must precede -MC */
+
+	case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
+
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+    /* -MCL: peer used LIMITS RCPTMAX and/or RCPTDOMAINMAX */
+	case 'L': if (++i < argc) continue_limit_mail = Uatoi(argv[i]);
+		  else badarg = TRUE;
+		  if (++i < argc) continue_limit_rcpt = Uatoi(argv[i]);
+		  else badarg = TRUE;
+		  if (++i < argc) continue_limit_rcptdom = Uatoi(argv[i]);
+		  else badarg = TRUE;
+		  break;
+#endif
+
+    /* -MCP: set the smtp_use_pipelining flag; this is useful only when
+    it preceded -MC (see above) */
+
+	case 'P': smtp_peer_options |= OPTION_PIPE; break;
+
+#ifdef SUPPORT_SOCKS
+    /* -MCp: Socks proxy in use; nearside IP, port, external IP, port */
+	case 'p': proxy_session = TRUE;
+		  if (++i < argc)
+		    {
+		    proxy_local_address = string_copy_taint(argv[i], GET_TAINTED);
+		    if (++i < argc)
+		      {
+		      proxy_local_port = Uatoi(argv[i]);
+		      if (++i < argc)
+			{
+			proxy_external_address = string_copy_taint(argv[i], GET_TAINTED);
+			if (++i < argc)
+			  {
+			  proxy_external_port = Uatoi(argv[i]);
+			  break;
+		    } } } }
+		  badarg = TRUE;
+		  break;
+#endif
+    /* -MCQ: pass on the pid of the queue-running process that started
+    this chain of deliveries and the fd of its synchronizing pipe; this
+    is useful only when it precedes -MC (see above) */
+
+	case 'Q': if (++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
+		  else badarg = TRUE;
+		  if (++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
+		  else badarg = TRUE;
+		  break;
+
+    /* -MCq: do a quota check on the given recipient for the given size
+    of message.  Separate from -MC. */
+	case 'q': rcpt_verify_quota = TRUE;
+		  if (++i < argc) message_size = Uatoi(argv[i]);
+		  else badarg = TRUE;
+		  break;
+
+    /* -MCS: set the smtp_use_size flag; this is useful only when it
+    precedes -MC (see above) */
+
+	case 'S': smtp_peer_options |= OPTION_SIZE; break;
+
+#ifndef DISABLE_TLS
+    /* -MCs: used with -MCt; SNI was sent */
+    /* -MCr: ditto, DANE */
+
+	case 'r':
+	case 's': if (++i < argc)
+		    {
+		    continue_proxy_sni = string_copy_taint(
+		      exim_str_fail_toolong(argv[i], EXIM_HOSTNAME_MAX, "-MCr/-MCs"),
+		      GET_TAINTED);
+		    if (argrest[1] == 'r') continue_proxy_dane = TRUE;
+		    }
+		  else badarg = TRUE;
+		  break;
+
+    /* -MCt: similar to -MCT below but the connection is still open
+    via a proxy process which handles the TLS context and coding.
+    Require three arguments for the proxied local address and port,
+    and the TLS cipher. */
+
+	case 't': if (++i < argc)
+		    sending_ip_address = string_copy_taint(
+		      exim_str_fail_toolong(argv[i], EXIM_IPADDR_MAX, "-MCt IP"),
+		      GET_TAINTED);
+		  else badarg = TRUE;
+		  if (++i < argc)
+		    sending_port = (int)(Uatol(argv[i]));
+		  else badarg = TRUE;
+		  if (++i < argc)
+		    continue_proxy_cipher = string_copy_taint(
+		      exim_str_fail_toolong(argv[i], EXIM_CIPHERNAME_MAX, "-MCt cipher"),
+		      GET_TAINTED);
+		  else badarg = TRUE;
+		  /*FALLTHROUGH*/
+
+    /* -MCT: set the tls_offered flag; this is useful only when it
+    precedes -MC (see above). The flag indicates that the host to which
+    Exim is connected has offered TLS support. */
+
+	case 'T': smtp_peer_options |= OPTION_TLS; break;
+#endif
+
+	default:  badarg = TRUE; break;
+	}
+      break;
+      }
+
+    /* -M[x]: various operations on the following list of message ids:
+       -M    deliver the messages, ignoring next retry times and thawing
+       -Mc   deliver the messages, checking next retry times, no thawing
+       -Mf   freeze the messages
+       -Mg   give up on the messages
+       -Mt   thaw the messages
+       -Mrm  remove the messages
+    In the above cases, this must be the last option. There are also the
+    following options which are followed by a single message id, and which
+    act on that message. Some of them use the "recipient" addresses as well.
+       -Mar  add recipient(s)
+       -MG   move to a different queue
+       -Mmad mark all recipients delivered
+       -Mmd  mark recipients(s) delivered
+       -Mes  edit sender
+       -Mset load a message for use with -be
+       -Mvb  show body
+       -Mvc  show copy (of whole message, in RFC 2822 format)
+       -Mvh  show header
+       -Mvl  show log
+    */
+
+    else if (!*argrest)
+      {
+      msg_action = MSG_DELIVER;
+      forced_delivery = f.deliver_force_thaw = TRUE;
+      }
+    else if (Ustrcmp(argrest, "ar") == 0)
+      {
+      msg_action = MSG_ADD_RECIPIENT;
+      one_msg_action = TRUE;
+      }
+    else if (Ustrcmp(argrest, "c") == 0)  msg_action = MSG_DELIVER;
+    else if (Ustrcmp(argrest, "es") == 0)
+      {
+      msg_action = MSG_EDIT_SENDER;
+      one_msg_action = TRUE;
+      }
+    else if (Ustrcmp(argrest, "f") == 0)  msg_action = MSG_FREEZE;
+    else if (Ustrcmp(argrest, "g") == 0)
+      {
+      msg_action = MSG_DELIVER;
+      deliver_give_up = TRUE;
+      }
+   else if (Ustrcmp(argrest, "G") == 0)
+      {
+      msg_action = MSG_SETQUEUE;
+      queue_name_dest = string_copy_taint(
+	exim_str_fail_toolong(argv[++i], EXIM_DRIVERNAME_MAX, "-MG"),
+	GET_TAINTED);
+      }
+    else if (Ustrcmp(argrest, "mad") == 0) msg_action = MSG_MARK_ALL_DELIVERED;
+    else if (Ustrcmp(argrest, "md") == 0)
+      {
+      msg_action = MSG_MARK_DELIVERED;
+      one_msg_action = TRUE;
+      }
+    else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
+    else if (Ustrcmp(argrest, "set") == 0)
+      {
+      msg_action = MSG_LOAD;
+      one_msg_action = TRUE;
+      }
+    else if (Ustrcmp(argrest, "t") == 0)  msg_action = MSG_THAW;
+    else if (Ustrcmp(argrest, "vb") == 0)
+      {
+      msg_action = MSG_SHOW_BODY;
+      one_msg_action = TRUE;
+      }
+    else if (Ustrcmp(argrest, "vc") == 0)
+      {
+      msg_action = MSG_SHOW_COPY;
+      one_msg_action = TRUE;
+      }
+    else if (Ustrcmp(argrest, "vh") == 0)
+      {
+      msg_action = MSG_SHOW_HEADER;
+      one_msg_action = TRUE;
+      }
+    else if (Ustrcmp(argrest, "vl") == 0)
+      {
+      msg_action = MSG_SHOW_LOG;
+      one_msg_action = TRUE;
+      }
+    else { badarg = TRUE; break; }
+
+    /* All the -Mxx options require at least one message id. */
+
+    msg_action_arg = i + 1;
+    if (msg_action_arg >= argc)
+      exim_fail("exim: no message ids given after %s option\n", arg);
+
+    /* Some require only message ids to follow */
+
+    if (!one_msg_action)
+      {
+      for (int j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
+        exim_fail("exim: malformed message id %s after %s option\n",
+          argv[j], arg);
+      goto END_ARG;   /* Remaining args are ids */
+      }
+
+    /* Others require only one message id, possibly followed by addresses,
+    which will be handled as normal arguments. */
+
+    else
+      {
+      if (!mac_ismsgid(argv[msg_action_arg]))
+        exim_fail("exim: malformed message id %s after %s option\n",
+          argv[msg_action_arg], arg);
+      i++;
+      }
+    break;
+
+
+    /* Some programs seem to call the -om option without the leading o;
+    for sendmail it askes for "me too". Exim always does this. */
+
+    case 'm':
+    if (*argrest) badarg = TRUE;
+    break;
+
+
+    /* -N: don't do delivery - a debugging option that stops transports doing
+    their thing. It implies debugging at the D_v level. */
+
+    case 'N':
+    if (!*argrest)
+      {
+      f.dont_deliver = TRUE;
+      debug_selector |= D_v;
+      debug_file = stderr;
+      }
+    else badarg = TRUE;
+    break;
+
+
+    /* -n: This means "don't alias" in sendmail, apparently.
+    For normal invocations, it has no effect.
+    It may affect some other options. */
+
+    case 'n':
+    flag_n = TRUE;
+    break;
+
+    /* -O: Just ignore it. In sendmail, apparently -O option=value means set
+    option to the specified value. This form uses long names. We need to handle
+    -O option=value and -Ooption=value. */
+
+    case 'O':
+    if (!*argrest)
+      if (++i >= argc)
+        exim_fail("exim: string expected after -O\n");
+    break;
+
+    case 'o':
+    switch (*argrest++)
+      {
+      /* -oA: Set an argument for the bi command (sendmail's "alternate alias
+      file" option). */
+      case 'A':
+	if (!*(alias_arg = argrest))
+	  if (i+1 < argc) alias_arg = argv[++i];
+	  else exim_fail("exim: string expected after -oA\n");
+	break;
+
+      /* -oB: Set a connection message max value for remote deliveries */
+      case 'B':
+	{
+	uschar * p = argrest;
+	if (!*p)
+	  if (i+1 < argc && isdigit((argv[i+1][0])))
+	    p = argv[++i];
+	  else
+	    {
+	    connection_max_messages = 1;
+	    p = NULL;
+	    }
+
+	if (p)
+	  {
+	  if (!isdigit(*p))
+	    exim_fail("exim: number expected after -oB\n");
+	  connection_max_messages = Uatoi(p);
+	  }
+	}
+	break;
+
+      /* -odb: background delivery */
+
+      case 'd':
+	if (Ustrcmp(argrest, "b") == 0)
+	  {
+	  f.synchronous_delivery = FALSE;
+	  arg_queue_only = FALSE;
+	  queue_only_set = TRUE;
+	  }
+
+      /* -odd: testsuite-only: add no inter-process delays */
+
+	else if (Ustrcmp(argrest, "d") == 0)
+	  f.testsuite_delays = FALSE;
+
+      /* -odf: foreground delivery (smail-compatible option); same effect as
+	 -odi: interactive (synchronous) delivery (sendmail-compatible option)
+      */
+
+	else if (Ustrcmp(argrest, "f") == 0 || Ustrcmp(argrest, "i") == 0)
+	  {
+	  f.synchronous_delivery = TRUE;
+	  arg_queue_only = FALSE;
+	  queue_only_set = TRUE;
+	  }
+
+      /* -odq: queue only */
+
+	else if (Ustrcmp(argrest, "q") == 0)
+	  {
+	  f.synchronous_delivery = FALSE;
+	  arg_queue_only = TRUE;
+	  queue_only_set = TRUE;
+	  }
+
+      /* -odqs: queue SMTP only - do local deliveries and remote routing,
+      but no remote delivery */
+
+	else if (Ustrcmp(argrest, "qs") == 0)
+	  {
+	  f.queue_smtp = TRUE;
+	  arg_queue_only = FALSE;
+	  queue_only_set = TRUE;
+	  }
+	else badarg = TRUE;
+	break;
+
+      /* -oex: Sendmail error flags. As these are also accepted without the
+      leading -o prefix, for compatibility with vacation and other callers,
+      they are handled with -e above. */
+
+      /* -oi:     Set flag so dot doesn't end non-SMTP input (same as -i)
+	 -oitrue: Another sendmail syntax for the same */
+
+      case 'i':
+	if (!*argrest || Ustrcmp(argrest, "true") == 0)
+	  f.dot_ends = FALSE;
+	else badarg = TRUE;
+	break;
+
+    /* -oM*: Set various characteristics for an incoming message; actually
+    acted on for trusted callers only. */
+
+      case 'M':
+	{
+	if (i+1 >= argc)
+	  exim_fail("exim: data expected after -oM%s\n", argrest);
+
+	/* -oMa: Set sender host address */
+
+	if (Ustrcmp(argrest, "a") == 0)
+	  sender_host_address = string_copy_taint(
+	    exim_str_fail_toolong(argv[++i], EXIM_IPADDR_MAX, "-oMa"),
+	    GET_TAINTED);
+
+	/* -oMaa: Set authenticator name */
+
+	else if (Ustrcmp(argrest, "aa") == 0)
+	  sender_host_authenticated = string_copy_taint(
+	    exim_str_fail_toolong(argv[++i], EXIM_DRIVERNAME_MAX, "-oMaa"),
+	    GET_TAINTED);
+
+	/* -oMas: setting authenticated sender */
+
+	else if (Ustrcmp(argrest, "as") == 0)
+	  authenticated_sender = string_copy_taint(
+	    exim_str_fail_toolong(argv[++i], EXIM_EMAILADDR_MAX, "-oMas"),
+	    GET_TAINTED);
+
+	/* -oMai: setting authenticated id */
+
+	else if (Ustrcmp(argrest, "ai") == 0)
+	  authenticated_id = string_copy_taint(
+	    exim_str_fail_toolong(argv[++i], EXIM_EMAILADDR_MAX, "-oMas"),
+	    GET_TAINTED);
+
+	/* -oMi: Set incoming interface address */
+
+	else if (Ustrcmp(argrest, "i") == 0)
+	  interface_address = string_copy_taint(
+	    exim_str_fail_toolong(argv[++i], EXIM_IPADDR_MAX, "-oMi"),
+	    GET_TAINTED);
+
+	/* -oMm: Message reference */
+
+	else if (Ustrcmp(argrest, "m") == 0)
+	  {
+	  if (!mac_ismsgid(argv[i+1]))
+	      exim_fail("-oMm must be a valid message ID\n");
+	  if (!f.trusted_config)
+	      exim_fail("-oMm must be called by a trusted user/config\n");
+	    message_reference = argv[++i];
+	  }
+
+	/* -oMr: Received protocol */
+
+	else if (Ustrcmp(argrest, "r") == 0)
+
+	  if (received_protocol)
+	    exim_fail("received_protocol is set already\n");
+	  else
+	    received_protocol = string_copy_taint(
+	      exim_str_fail_toolong(argv[++i], EXIM_DRIVERNAME_MAX, "-oMr"),
+	      GET_TAINTED);
+
+	/* -oMs: Set sender host name */
+
+	else if (Ustrcmp(argrest, "s") == 0)
+	  sender_host_name = string_copy_taint(
+	    exim_str_fail_toolong(argv[++i], EXIM_HOSTNAME_MAX, "-oMs"),
+	    GET_TAINTED);
+
+	/* -oMt: Set sender ident */
+
+	else if (Ustrcmp(argrest, "t") == 0)
+	  {
+	  sender_ident_set = TRUE;
+	  sender_ident = string_copy_taint(
+	    exim_str_fail_toolong(argv[++i], EXIM_IDENTUSER_MAX, "-oMt"),
+	    GET_TAINTED);
+	  }
+
+	/* Else a bad argument */
+
+	else
+	  badarg = TRUE;
+	}
+	break;
+
+      /* -om: Me-too flag for aliases. Exim always does this. Some programs
+      seem to call this as -m (undocumented), so that is also accepted (see
+      above). */
+      /* -oo: An ancient flag for old-style addresses which still seems to
+      crop up in some calls (see in SCO). */
+
+      case 'm':
+      case 'o':
+	if (*argrest) badarg = TRUE;
+	break;
+
+      /* -oP <name>: set pid file path for daemon
+	 -oPX:       delete pid file of daemon */
+
+      case 'P':
+	if (!f.running_in_test_harness && real_uid != root_uid && real_uid != exim_uid)
+	  exim_fail("exim: only uid=%d or uid=%d can use -oP and -oPX "
+                    "(uid=%d euid=%d | %d)\n",
+                    root_uid, exim_uid, getuid(), geteuid(), real_uid);
+	if (!*argrest) override_pid_file_path = argv[++i];
+	else if (Ustrcmp(argrest, "X") == 0) delete_pid_file();
+	else badarg = TRUE;
+	break;
+
+
+      /* -or <n>: set timeout for non-SMTP acceptance
+	 -os <n>: set timeout for SMTP acceptance */
+
+      case 'r':
+      case 's':
+	{
+	int * tp = argrest[-1] == 'r'
+	  ? &arg_receive_timeout : &arg_smtp_receive_timeout;
+	if (*argrest)
+	  *tp = readconf_readtime(argrest, 0, FALSE);
+	else if (i+1 < argc)
+	  *tp = readconf_readtime(argv[++i], 0, FALSE);
+
+	if (*tp < 0)
+	  exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
+	}
+	break;
+
+      /* -oX <list>: Override local_interfaces and/or default daemon ports */
+      /* Limits: Is there a real limit we want here?  1024 is very arbitrary. */
+
+      case 'X':
+	if (*argrest) badarg = TRUE;
+	else override_local_interfaces = string_copy_taint(
+	  exim_str_fail_toolong(argv[++i], 1024, "-oX"),
+	  GET_TAINTED);
+	break;
+
+      /* -oY: Override creation of daemon notifier socket */
+
+      case 'Y':
+	if (*argrest) badarg = TRUE;
+	else notifier_socket = NULL;
+	break;
+
+      /* Unknown -o argument */
+
+      default:
+	badarg = TRUE;
+      }
+    break;
+
+
+    /* -ps: force Perl startup; -pd force delayed Perl startup */
+
+    case 'p':
+    #ifdef EXIM_PERL
+    if (*argrest == 's' && argrest[1] == 0)
+      {
+      perl_start_option = 1;
+      break;
+      }
+    if (*argrest == 'd' && argrest[1] == 0)
+      {
+      perl_start_option = -1;
+      break;
+      }
+    #endif
+
+    /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
+    which sets the host protocol and host name */
+
+    if (!*argrest)
+      if (i+1 < argc) argrest = argv[++i]; else { badarg = TRUE; break; }
+
+    if (*argrest)
+      {
+      uschar * hn = Ustrchr(argrest, ':');
+
+      if (received_protocol)
+        exim_fail("received_protocol is set already\n");
+
+      if (!hn)
+        received_protocol = string_copy_taint(
+	  exim_str_fail_toolong(argrest, EXIM_DRIVERNAME_MAX, "-p<protocol>"),
+	  GET_TAINTED);
+      else
+        {
+        (void) exim_str_fail_toolong(argrest, (EXIM_DRIVERNAME_MAX+1+EXIM_HOSTNAME_MAX), "-p<protocol>:<host>");
+        received_protocol = string_copyn_taint(argrest, hn - argrest, GET_TAINTED);
+        sender_host_name = string_copy_taint(hn + 1, GET_TAINTED);
+        }
+      }
+    break;
+
+
+    case 'q':
+    receiving_message = FALSE;
+    if (queue_interval >= 0)
+      exim_fail("exim: -q specified more than once\n");
+
+    /* -qq...: Do queue runs in a 2-stage manner */
+
+    if (*argrest == 'q')
+      {
+      f.queue_2stage = TRUE;
+      argrest++;
+      }
+
+    /* -qi...: Do only first (initial) deliveries */
+
+    if (*argrest == 'i')
+      {
+      f.queue_run_first_delivery = TRUE;
+      argrest++;
+      }
+
+    /* -qf...: Run the queue, forcing deliveries
+       -qff..: Ditto, forcing thawing as well */
+
+    if (*argrest == 'f')
+      {
+      f.queue_run_force = TRUE;
+      if (*++argrest == 'f')
+        {
+        f.deliver_force_thaw = TRUE;
+        argrest++;
+        }
+      }
+
+    /* -q[f][f]l...: Run the queue only on local deliveries */
+
+    if (*argrest == 'l')
+      {
+      f.queue_run_local = TRUE;
+      argrest++;
+      }
+
+    /* -q[f][f][l][G<name>]... Work on the named queue */
+
+    if (*argrest == 'G')
+      {
+      int i;
+      for (argrest++, i = 0; argrest[i] && argrest[i] != '/'; ) i++;
+      exim_len_fail_toolong(i, EXIM_DRIVERNAME_MAX, "-q*G<name>");
+      queue_name = string_copyn(argrest, i);
+      argrest += i;
+      if (*argrest == '/') argrest++;
+      }
+
+    /* -q[f][f][l][G<name>]: Run the queue, optionally forced, optionally local
+    only, optionally named, optionally starting from a given message id. */
+
+    if (!(list_queue || count_queue))
+      if (  !*argrest
+	 && (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
+	{
+	queue_interval = 0;
+	if (i+1 < argc && mac_ismsgid(argv[i+1]))
+	  start_queue_run_id = string_copy_taint(argv[++i], GET_TAINTED);
+	if (i+1 < argc && mac_ismsgid(argv[i+1]))
+	  stop_queue_run_id = string_copy_taint(argv[++i], GET_TAINTED);
+	}
+
+    /* -q[f][f][l][G<name>/]<n>: Run the queue at regular intervals, optionally
+    forced, optionally local only, optionally named. */
+
+      else if ((queue_interval = readconf_readtime(*argrest ? argrest : argv[++i],
+						  0, FALSE)) <= 0)
+	exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
+    break;
+
+
+    case 'R':   /* Synonymous with -qR... */
+      {
+      const uschar *tainted_selectstr;
+
+      receiving_message = FALSE;
+
+    /* -Rf:   As -R (below) but force all deliveries,
+       -Rff:  Ditto, but also thaw all frozen messages,
+       -Rr:   String is regex
+       -Rrf:  Regex and force
+       -Rrff: Regex and force and thaw
+
+    in all cases provided there are no further characters in this
+    argument. */
+
+      if (*argrest)
+	for (int i = 0; i < nelem(rsopts); i++)
+	  if (Ustrcmp(argrest, rsopts[i]) == 0)
+	    {
+	    if (i != 2) f.queue_run_force = TRUE;
+	    if (i >= 2) f.deliver_selectstring_regex = TRUE;
+	    if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
+	    argrest += Ustrlen(rsopts[i]);
+	    }
+
+    /* -R: Set string to match in addresses for forced queue run to
+    pick out particular messages. */
+
+      /* Avoid attacks from people providing very long strings, and do so before
+      we make copies. */
+      if (*argrest)
+	tainted_selectstr = argrest;
+      else if (i+1 < argc)
+	tainted_selectstr = argv[++i];
+      else
+	exim_fail("exim: string expected after -R\n");
+      deliver_selectstring = string_copy_taint(
+	exim_str_fail_toolong(tainted_selectstr, EXIM_EMAILADDR_MAX, "-R"),
+	GET_TAINTED);
+      }
+    break;
+
+    /* -r: an obsolete synonym for -f (see above) */
+
+
+    /* -S: Like -R but works on sender. */
+
+    case 'S':   /* Synonymous with -qS... */
+      {
+      const uschar *tainted_selectstr;
+
+      receiving_message = FALSE;
+
+    /* -Sf:   As -S (below) but force all deliveries,
+       -Sff:  Ditto, but also thaw all frozen messages,
+       -Sr:   String is regex
+       -Srf:  Regex and force
+       -Srff: Regex and force and thaw
+
+    in all cases provided there are no further characters in this
+    argument. */
+
+      if (*argrest)
+	for (int i = 0; i < nelem(rsopts); i++)
+	  if (Ustrcmp(argrest, rsopts[i]) == 0)
+	    {
+	    if (i != 2) f.queue_run_force = TRUE;
+	    if (i >= 2) f.deliver_selectstring_sender_regex = TRUE;
+	    if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
+	    argrest += Ustrlen(rsopts[i]);
+	    }
+
+    /* -S: Set string to match in addresses for forced queue run to
+    pick out particular messages. */
+
+      if (*argrest)
+	tainted_selectstr = argrest;
+      else if (i+1 < argc)
+	tainted_selectstr = argv[++i];
+      else
+	exim_fail("exim: string expected after -S\n");
+      deliver_selectstring_sender = string_copy_taint(
+	exim_str_fail_toolong(tainted_selectstr, EXIM_EMAILADDR_MAX, "-S"),
+	GET_TAINTED);
+      }
+    break;
+
+    /* -Tqt is an option that is exclusively for use by the testing suite.
+    It is not recognized in other circumstances. It allows for the setting up
+    of explicit "queue times" so that various warning/retry things can be
+    tested. Otherwise variability of clock ticks etc. cause problems. */
+
+    case 'T':
+    if (f.running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
+      fudged_queue_times = string_copy_taint(argv[++i], GET_TAINTED);
+    else badarg = TRUE;
+    break;
+
+
+    /* -t: Set flag to extract recipients from body of message. */
+
+    case 't':
+    if (!*argrest) extract_recipients = TRUE;
+
+    /* -ti: Set flag to extract recipients from body of message, and also
+    specify that dot does not end the message. */
+
+    else if (Ustrcmp(argrest, "i") == 0)
+      {
+      extract_recipients = TRUE;
+      f.dot_ends = FALSE;
+      }
+
+    /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
+
+    #ifndef DISABLE_TLS
+    else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
+    #endif
+
+    else badarg = TRUE;
+    break;
+
+
+    /* -U: This means "initial user submission" in sendmail, apparently. The
+    doc claims that in future sendmail may refuse syntactically invalid
+    messages instead of fixing them. For the moment, we just ignore it. */
+
+    case 'U':
+    break;
+
+
+    /* -v: verify things - this is a very low-level debugging */
+
+    case 'v':
+    if (!*argrest)
+      {
+      debug_selector |= D_v;
+      debug_file = stderr;
+      }
+    else badarg = TRUE;
+    break;
+
+
+    /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
+
+      The -x flag tells the sendmail command that mail from a local
+      mail program has National Language Support (NLS) extended characters
+      in the body of the mail item. The sendmail command can send mail with
+      extended NLS characters across networks that normally corrupts these
+      8-bit characters.
+
+    As Exim is 8-bit clean, it just ignores this flag. */
+
+    case 'x':
+    if (*argrest) badarg = TRUE;
+    break;
+
+    /* -X: in sendmail: takes one parameter, logfile, and sends debugging
+    logs to that file.  We swallow the parameter and otherwise ignore it. */
+
+    case 'X':
+    if (!*argrest)
+      if (++i >= argc)
+        exim_fail("exim: string expected after -X\n");
+    break;
+
+    /* -z: a line of text to log */
+
+    case 'z':
+    if (!*argrest)
+      if (++i < argc)
+	log_oneline = string_copy_taint(
+	  exim_str_fail_toolong(argv[i], 2048, "-z logtext"),
+	  GET_TAINTED);
+      else
+        exim_fail("exim: file name expected after %s\n", argv[i-1]);
+    break;
+
+    /* All other initial characters are errors */
+
+    default:
+    badarg = TRUE;
+    break;
+    }         /* End of high-level switch statement */
+
+  /* Failed to recognize the option, or syntax error */
+
+  if (badarg)
+    exim_fail("exim abandoned: unknown, malformed, or incomplete "
+      "option %s\n", arg);
+  }
+
+
+/* If -R or -S have been specified without -q, assume a single queue run. */
+
+ if (  (deliver_selectstring || deliver_selectstring_sender)
+    && queue_interval < 0)
+  queue_interval = 0;
+
+
+END_ARG:
+ store_pool = old_pool;
+ }
+
+/* If usage_wanted is set we call the usage function - which never returns */
+if (usage_wanted) exim_usage(called_as);
+
+/* Arguments have been processed. Check for incompatibilities. */
+if (  (  (smtp_input || extract_recipients || recipients_arg < argc)
+      && (  f.daemon_listen || queue_interval >= 0 || bi_option
+	 || test_retry_arg >= 0 || test_rewrite_arg >= 0
+	 || filter_test != FTEST_NONE
+	 || msg_action_arg > 0 && !one_msg_action
+      )  )
+   || (  msg_action_arg > 0
+      && (  f.daemon_listen || queue_interval > 0 || list_options
+	 || checking && msg_action != MSG_LOAD
+	 || bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0
+      )  )
+   || (  (f.daemon_listen || queue_interval > 0)
+      && (  sender_address || list_options || list_queue || checking
+	 || bi_option
+      )  )
+   || f.daemon_listen && queue_interval == 0
+   || f.inetd_wait_mode && queue_interval >= 0
+   || (  list_options
+      && (  checking || smtp_input || extract_recipients
+	 || filter_test != FTEST_NONE || bi_option
+      )  )
+   || (  verify_address_mode
+      && (  f.address_test_mode || smtp_input || extract_recipients
+	 || filter_test != FTEST_NONE || bi_option
+      )  )
+   || (  f.address_test_mode
+      && (  smtp_input || extract_recipients || filter_test != FTEST_NONE
+	 || bi_option
+      )  )
+   || (  smtp_input
+      && (sender_address || filter_test != FTEST_NONE || extract_recipients)
+      )
+   || deliver_selectstring && queue_interval < 0
+   || msg_action == MSG_LOAD && (!expansion_test || expansion_test_message)
+   )
+  exim_fail("exim: incompatible command-line options or arguments\n");
+
+/* If debugging is set up, set the file and the file descriptor to pass on to
+child processes. It should, of course, be 2 for stderr. Also, force the daemon
+to run in the foreground. */
+
+if (debug_selector != 0)
+  {
+  debug_file = stderr;
+  debug_fd = fileno(debug_file);
+  f.background_daemon = FALSE;
+  testharness_pause_ms(100);   /* lets caller finish */
+  if (debug_selector != D_v)    /* -v only doesn't show this */
+    {
+    debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
+      version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
+      debug_selector);
+    if (!version_printed)
+      show_whats_supported(FALSE);
+    }
+  }
+
+/* When started with root privilege, ensure that the limits on the number of
+open files and the number of processes (where that is accessible) are
+sufficiently large, or are unset, in case Exim has been called from an
+environment where the limits are screwed down. Not all OS have the ability to
+change some of these limits. */
+
+if (unprivileged)
+  {
+  DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
+  }
+else
+  {
+  struct rlimit rlp;
+
+#ifdef RLIMIT_NOFILE
+  if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
+      strerror(errno));
+    rlp.rlim_cur = rlp.rlim_max = 0;
+    }
+
+  /* I originally chose 1000 as a nice big number that was unlikely to
+  be exceeded. It turns out that some older OS have a fixed upper limit of
+  256. */
+
+  if (rlp.rlim_cur < 1000)
+    {
+    rlp.rlim_cur = rlp.rlim_max = 1000;
+    if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
+      {
+      rlp.rlim_cur = rlp.rlim_max = 256;
+      if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
+        log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
+          strerror(errno));
+      }
+    }
+#endif
+
+#ifdef RLIMIT_NPROC
+  if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
+      strerror(errno));
+    rlp.rlim_cur = rlp.rlim_max = 0;
+    }
+
+# ifdef RLIM_INFINITY
+  if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
+    {
+    rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
+# else
+  if (rlp.rlim_cur < 1000)
+    {
+    rlp.rlim_cur = rlp.rlim_max = 1000;
+# endif
+    if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
+      log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
+        strerror(errno));
+    }
+#endif
+  }
+
+/* Exim is normally entered as root (but some special configurations are
+possible that don't do this). However, it always spins off sub-processes that
+set their uid and gid as required for local delivery. We don't want to pass on
+any extra groups that root may belong to, so we want to get rid of them all at
+this point.
+
+We need to obey setgroups() at this stage, before possibly giving up root
+privilege for a changed configuration file, but later on we might need to
+check on the additional groups for the admin user privilege - can't do that
+till after reading the config, which might specify the exim gid. Therefore,
+save the group list here first. */
+
+if ((group_count = getgroups(nelem(group_list), group_list)) < 0)
+  exim_fail("exim: getgroups() failed: %s\n", strerror(errno));
+
+/* There is a fundamental difference in some BSD systems in the matter of
+groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
+known not to be different. On the "different" systems there is a single group
+list, and the first entry in it is the current group. On all other versions of
+Unix there is a supplementary group list, which is in *addition* to the current
+group. Consequently, to get rid of all extraneous groups on a "standard" system
+you pass over 0 groups to setgroups(), while on a "different" system you pass
+over a single group - the current group, which is always the first group in the
+list. Calling setgroups() with zero groups on a "different" system results in
+an error return. The following code should cope with both types of system.
+
+ Unfortunately, recent MacOS, which should be a FreeBSD, "helpfully" succeeds
+ the "setgroups() with zero groups" - and changes the egid.
+ Thanks to that we had to stash the original_egid above, for use below
+ in the call to exim_setugid().
+
+However, if this process isn't running as root, setgroups() can't be used
+since you have to be root to run it, even if throwing away groups.
+Except, sigh, for Hurd - where you can.
+Not being root here happens only in some unusual configurations. */
+
+if (  !unprivileged
+#ifndef OS_SETGROUPS_ZERO_DROPS_ALL
+   && setgroups(0, NULL) != 0
+#endif
+   && setgroups(1, group_list) != 0)
+  exim_fail("exim: setgroups() failed: %s\n", strerror(errno));
+
+/* If the configuration file name has been altered by an argument on the
+command line (either a new file name or a macro definition) and the caller is
+not root, or if this is a filter testing run, remove any setuid privilege the
+program has and run as the underlying user.
+
+The exim user is locked out of this, which severely restricts the use of -C
+for some purposes.
+
+Otherwise, set the real ids to the effective values (should be root unless run
+from inetd, which it can either be root or the exim uid, if one is configured).
+
+There is a private mechanism for bypassing some of this, in order to make it
+possible to test lots of configurations automatically, without having either to
+recompile each time, or to patch in an actual configuration file name and other
+values (such as the path name). If running in the test harness, pretend that
+configuration file changes and macro definitions haven't happened. */
+
+if ((                                            /* EITHER */
+    (!f.trusted_config ||                          /* Config changed, or */
+     !macros_trusted(opt_D_used)) &&		 /*  impermissible macros and */
+    real_uid != root_uid &&                      /* Not root, and */
+    !f.running_in_test_harness                     /* Not fudged */
+    ) ||                                         /*   OR   */
+    expansion_test                               /* expansion testing */
+    ||                                           /*   OR   */
+    filter_test != FTEST_NONE)                   /* Filter testing */
+  {
+  setgroups(group_count, group_list);
+  exim_setugid(real_uid, real_gid, FALSE,
+    US"-C, -D, -be or -bf forces real uid");
+  removed_privilege = TRUE;
+
+  /* In the normal case when Exim is called like this, stderr is available
+  and should be used for any logging information because attempts to write
+  to the log will usually fail. To arrange this, we unset really_exim. However,
+  if no stderr is available there is no point - we might as well have a go
+  at the log (if it fails, syslog will be written).
+
+  Note that if the invoker is Exim, the logs remain available. Messing with
+  this causes unlogged successful deliveries.  */
+
+  if (log_stderr && real_uid != exim_uid)
+    f.really_exim = FALSE;
+  }
+
+/* Privilege is to be retained for the moment. It may be dropped later,
+depending on the job that this Exim process has been asked to do. For now, set
+the real uid to the effective so that subsequent re-execs of Exim are done by a
+privileged user. */
+
+else
+  exim_setugid(geteuid(), original_egid, FALSE, US"forcing real = effective");
+
+/* If testing a filter, open the file(s) now, before wasting time doing other
+setups and reading the message. */
+
+if (filter_test & FTEST_SYSTEM)
+  if ((filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0)) < 0)
+    exim_fail("exim: failed to open %s: %s\n", filter_test_sfile,
+      strerror(errno));
+
+if (filter_test & FTEST_USER)
+  if ((filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0)) < 0)
+    exim_fail("exim: failed to open %s: %s\n", filter_test_ufile,
+      strerror(errno));
+
+/* Initialise lookup_list
+If debugging, already called above via version reporting.
+In either case, we initialise the list of available lookups while running
+as root.  All dynamically modules are loaded from a directory which is
+hard-coded into the binary and is code which, if not a module, would be
+part of Exim already.  Ability to modify the content of the directory
+is equivalent to the ability to modify a setuid binary!
+
+This needs to happen before we read the main configuration. */
+init_lookup_list();
+
+/*XXX this excrescence could move to the testsuite standard config setup file */
+#ifdef SUPPORT_I18N
+if (f.running_in_test_harness) smtputf8_advertise_hosts = NULL;
+#endif
+
+/* Read the main runtime configuration data; this gives up if there
+is a failure. It leaves the configuration file open so that the subsequent
+configuration data for delivery can be read if needed.
+
+NOTE: immediately after opening the configuration file we change the working
+directory to "/"! Later we change to $spool_directory. We do it there, because
+during readconf_main() some expansion takes place already. */
+
+/* Store the initial cwd before we change directories.  Can be NULL if the
+dir has already been unlinked. */
+initial_cwd = os_getcwd(NULL, 0);
+if (!initial_cwd && errno)
+  exim_fail("exim: getting initial cwd failed: %s\n", strerror(errno));
+
+if (initial_cwd && (strlen(CCS initial_cwd) >= BIG_BUFFER_SIZE))
+  exim_fail("exim: initial cwd is far too long (%d)\n", Ustrlen(CCS initial_cwd));
+
+/* checking:
+    -be[m] expansion test        -
+    -b[fF] filter test           new
+    -bh[c] host test             -
+    -bmalware malware_test_file  new
+    -brt   retry test            new
+    -brw   rewrite test          new
+    -bt    address test          -
+    -bv[s] address verify        -
+   list_options:
+    -bP <option> (except -bP config, which sets list_config)
+
+If any of these options is set, we suppress warnings about configuration
+issues (currently about tls_advertise_hosts and keep_environment not being
+defined) */
+
+  {
+  int old_pool = store_pool;
+#ifdef MEASURE_TIMING
+  struct timeval t0;
+  (void)gettimeofday(&t0, NULL);
+#endif
+
+  store_pool = POOL_CONFIG;
+  readconf_main(checking || list_options);
+  store_pool = old_pool;
+
+#ifdef MEASURE_TIMING
+  report_time_since(&t0, US"readconf_main (delta)");
+#endif
+  }
+
+/* Now in directory "/" */
+
+if (cleanup_environment() == FALSE)
+  log_write(0, LOG_PANIC_DIE, "Can't cleanup environment");
+
+
+/* If an action on specific messages is requested, or if a daemon or queue
+runner is being started, we need to know if Exim was called by an admin user.
+This is the case if the real user is root or exim, or if the real group is
+exim, or if one of the supplementary groups is exim or a group listed in
+admin_groups. We don't fail all message actions immediately if not admin_user,
+since some actions can be performed by non-admin users. Instead, set admin_user
+for later interrogation. */
+
+if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
+  f.admin_user = TRUE;
+else
+  for (int i = 0; i < group_count && !f.admin_user; i++)
+    if (group_list[i] == exim_gid)
+      f.admin_user = TRUE;
+    else if (admin_groups)
+      for (int j = 1; j <= (int)admin_groups[0] && !f.admin_user; j++)
+        if (admin_groups[j] == group_list[i])
+          f.admin_user = TRUE;
+
+/* Another group of privileged users are the trusted users. These are root,
+exim, and any caller matching trusted_users or trusted_groups. Trusted callers
+are permitted to specify sender_addresses with -f on the command line, and
+other message parameters as well. */
+
+if (real_uid == root_uid || real_uid == exim_uid)
+  f.trusted_caller = TRUE;
+else
+  {
+  if (trusted_users)
+    for (int i = 1; i <= (int)trusted_users[0] && !f.trusted_caller; i++)
+      if (trusted_users[i] == real_uid)
+        f.trusted_caller = TRUE;
+
+  if (trusted_groups)
+    for (int i = 1; i <= (int)trusted_groups[0] && !f.trusted_caller; i++)
+      if (trusted_groups[i] == real_gid)
+        f.trusted_caller = TRUE;
+      else for (int j = 0; j < group_count && !f.trusted_caller; j++)
+        if (trusted_groups[i] == group_list[j])
+          f.trusted_caller = TRUE;
+  }
+
+/* At this point, we know if the user is privileged and some command-line
+options become possibly impermissible, depending upon the configuration file. */
+
+if (checking && commandline_checks_require_admin && !f.admin_user)
+  exim_fail("exim: those command-line flags are set to require admin\n");
+
+/* Handle the decoding of logging options. */
+
+decode_bits(log_selector, log_selector_size, log_notall,
+  log_selector_string, log_options, log_options_count, US"log", 0);
+
+DEBUG(D_any)
+  {
+  debug_printf("configuration file is %s\n", config_main_filename);
+  debug_printf("log selectors =");
+  for (int i = 0; i < log_selector_size; i++)
+    debug_printf(" %08x", log_selector[i]);
+  debug_printf("\n");
+  }
+
+/* If domain literals are not allowed, check the sender address that was
+supplied with -f. Ditto for a stripped trailing dot. */
+
+if (sender_address)
+  {
+  if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
+    exim_fail("exim: bad -f address \"%s\": domain literals not "
+      "allowed\n", sender_address);
+  if (f_end_dot && !strip_trailing_dot)
+    exim_fail("exim: bad -f address \"%s.\": domain is malformed "
+      "(trailing dot not allowed)\n", sender_address);
+  }
+
+/* See if an admin user overrode our logging. */
+
+if (cmdline_syslog_name)
+  if (f.admin_user)
+    {
+    syslog_processname = cmdline_syslog_name;
+    log_file_path = string_copy(CUS"syslog");
+    }
+  else
+    /* not a panic, non-privileged users should not be able to spam paniclog */
+    exim_fail(
+        "exim: you lack sufficient privilege to specify syslog process name\n");
+
+/* Paranoia check of maximum lengths of certain strings. There is a check
+on the length of the log file path in log.c, which will come into effect
+if there are any calls to write the log earlier than this. However, if we
+get this far but the string is very long, it is better to stop now than to
+carry on and (e.g.) receive a message and then have to collapse. The call to
+log_write() from here will cause the ultimate panic collapse if the complete
+file name exceeds the buffer length. */
+
+if (Ustrlen(log_file_path) > 200)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "log_file_path is longer than 200 chars: aborting");
+
+if (Ustrlen(pid_file_path) > 200)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "pid_file_path is longer than 200 chars: aborting");
+
+if (Ustrlen(spool_directory) > 200)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "spool_directory is longer than 200 chars: aborting");
+
+/* Length check on the process name given to syslog for its TAG field,
+which is only permitted to be 32 characters or less. See RFC 3164. */
+
+if (Ustrlen(syslog_processname) > 32)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "syslog_processname is longer than 32 chars: aborting");
+
+if (log_oneline)
+  if (f.admin_user)
+    {
+    log_write(0, LOG_MAIN, "%s", log_oneline);
+    return EXIT_SUCCESS;
+    }
+  else
+    return EXIT_FAILURE;
+
+/* In some operating systems, the environment variable TMPDIR controls where
+temporary files are created; Exim doesn't use these (apart from when delivering
+to MBX mailboxes), but called libraries such as DBM libraries may require them.
+If TMPDIR is found in the environment, reset it to the value defined in the
+EXIM_TMPDIR macro, if this macro is defined.  For backward compatibility this
+macro may be called TMPDIR in old "Local/Makefile"s. It's converted to
+EXIM_TMPDIR by the build scripts.
+*/
+
+#ifdef EXIM_TMPDIR
+  if (environ) for (uschar ** p = USS environ; *p; p++)
+    if (Ustrncmp(*p, "TMPDIR=", 7) == 0 && Ustrcmp(*p+7, EXIM_TMPDIR) != 0)
+      {
+      uschar * newp = store_malloc(Ustrlen(EXIM_TMPDIR) + 8);
+      sprintf(CS newp, "TMPDIR=%s", EXIM_TMPDIR);
+      *p = newp;
+      DEBUG(D_any) debug_printf("reset TMPDIR=%s in environment\n", EXIM_TMPDIR);
+      }
+#endif
+
+/* Timezone handling. If timezone_string is "utc", set a flag to cause all
+timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise,
+we may need to get rid of a bogus timezone setting. This can arise when Exim is
+called by a user who has set the TZ variable. This then affects the timestamps
+in log files and in Received: headers, and any created Date: header lines. The
+required timezone is settable in the configuration file, so nothing can be done
+about this earlier - but hopefully nothing will normally be logged earlier than
+this. We have to make a new environment if TZ is wrong, but don't bother if
+timestamps_utc is set, because then all times are in UTC anyway. */
+
+if (timezone_string && strcmpic(timezone_string, US"UTC") == 0)
+  f.timestamps_utc = TRUE;
+else
+  {
+  uschar *envtz = US getenv("TZ");
+  if (envtz
+      ? !timezone_string || Ustrcmp(timezone_string, envtz) != 0
+      : timezone_string != NULL
+     )
+    {
+    uschar **p = USS environ;
+    uschar **new;
+    uschar **newp;
+    int count = 0;
+    if (environ) while (*p++) count++;
+    if (!envtz) count++;
+    newp = new = store_malloc(sizeof(uschar *) * (count + 1));
+    if (environ) for (p = USS environ; *p; p++)
+      if (Ustrncmp(*p, "TZ=", 3) != 0) *newp++ = *p;
+    if (timezone_string)
+      {
+      *newp = store_malloc(Ustrlen(timezone_string) + 4);
+      sprintf(CS *newp++, "TZ=%s", timezone_string);
+      }
+    *newp = NULL;
+    environ = CSS new;
+    tzset();
+    DEBUG(D_any) debug_printf("Reset TZ to %s: time is %s\n", timezone_string,
+      tod_stamp(tod_log));
+    }
+  }
+
+/* Handle the case when we have removed the setuid privilege because of -C or
+-D. This means that the caller of Exim was not root.
+
+There is a problem if we were running as the Exim user. The sysadmin may
+expect this case to retain privilege because "the binary was called by the
+Exim user", but it hasn't, because either the -D option set macros, or the
+-C option set a non-trusted configuration file. There are two possibilities:
+
+  (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
+      to do message deliveries. Thus, the fact that it is running as a
+      non-privileged user is plausible, and might be wanted in some special
+      configurations. However, really_exim will have been set false when
+      privilege was dropped, to stop Exim trying to write to its normal log
+      files. Therefore, re-enable normal log processing, assuming the sysadmin
+      has set up the log directory correctly.
+
+  (2) If deliver_drop_privilege is not set, the configuration won't work as
+      apparently intended, and so we log a panic message. In order to retain
+      root for -C or -D, the caller must either be root or be invoking a
+      trusted configuration file (when deliver_drop_privilege is false). */
+
+if (  removed_privilege
+   && (!f.trusted_config || opt_D_used)
+   && real_uid == exim_uid)
+  if (deliver_drop_privilege)
+    f.really_exim = TRUE; /* let logging work normally */
+  else
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "exim user lost privilege for using %s option",
+      f.trusted_config? "-D" : "-C");
+
+/* Start up Perl interpreter if Perl support is configured and there is a
+perl_startup option, and the configuration or the command line specifies
+initializing starting. Note that the global variables are actually called
+opt_perl_xxx to avoid clashing with perl's namespace (perl_*). */
+
+#ifdef EXIM_PERL
+if (perl_start_option != 0)
+  opt_perl_at_start = (perl_start_option > 0);
+if (opt_perl_at_start && opt_perl_startup != NULL)
+  {
+  uschar *errstr;
+  DEBUG(D_any) debug_printf("Starting Perl interpreter\n");
+  if ((errstr = init_perl(opt_perl_startup)))
+    exim_fail("exim: error in perl_startup code: %s\n", errstr);
+  opt_perl_started = TRUE;
+  }
+#endif /* EXIM_PERL */
+
+/* Log the arguments of the call if the configuration file said so. This is
+a debugging feature for finding out what arguments certain MUAs actually use.
+Don't attempt it if logging is disabled, or if listing variables or if
+verifying/testing addresses or expansions. */
+
+if (  (debug_selector & D_any  ||  LOGGING(arguments))
+   && f.really_exim && !list_options && !checking)
+  {
+  uschar *p = big_buffer;
+  Ustrcpy(p, US"cwd= (failed)");
+
+  if (!initial_cwd)
+    p += 13;
+  else
+    {
+    p += 4;
+    snprintf(CS p, big_buffer_size - (p - big_buffer), "%s", CCS initial_cwd);
+    p += Ustrlen(CCS p);
+    }
+
+  (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
+  while (*p) p++;
+  for (int i = 0; i < argc; i++)
+    {
+    int len = Ustrlen(argv[i]);
+    const uschar *printing;
+    uschar *quote;
+    if (p + len + 8 >= big_buffer + big_buffer_size)
+      {
+      Ustrcpy(p, US" ...");
+      log_write(0, LOG_MAIN, "%s", big_buffer);
+      Ustrcpy(big_buffer, US"...");
+      p = big_buffer + 3;
+      }
+    printing = string_printing(argv[i]);
+    if (!*printing) quote = US"\"";
+    else
+      {
+      const uschar *pp = printing;
+      quote = US"";
+      while (*pp) if (isspace(*pp++)) { quote = US"\""; break; }
+      }
+    p += sprintf(CS p, " %s%.*s%s", quote, (int)(big_buffer_size -
+      (p - big_buffer) - 4), printing, quote);
+    }
+
+  if (LOGGING(arguments))
+    log_write(0, LOG_MAIN, "%s", big_buffer);
+  else
+    debug_printf("%s\n", big_buffer);
+  }
+
+/* Set the working directory to be the top-level spool directory. We don't rely
+on this in the code, which always uses fully qualified names, but it's useful
+for core dumps etc. Don't complain if it fails - the spool directory might not
+be generally accessible and calls with the -C option (and others) have lost
+privilege by now. Before the chdir, we try to ensure that the directory exists.
+*/
+
+if (Uchdir(spool_directory) != 0)
+  {
+  (void) directory_make(spool_directory, US"", SPOOL_DIRECTORY_MODE, FALSE);
+  (void) Uchdir(spool_directory);
+  }
+
+/* Handle calls with the -bi option. This is a sendmail option to rebuild *the*
+alias file. Exim doesn't have such a concept, but this call is screwed into
+Sun's YP makefiles. Handle this by calling a configured script, as the real
+user who called Exim. The -oA option can be used to pass an argument to the
+script. */
+
+if (bi_option)
+  {
+  (void) fclose(config_file);
+  if (bi_command && *bi_command)
+    {
+    int i = 0;
+    uschar *argv[3];
+    argv[i++] = bi_command;	/* nonexpanded option so assume untainted */
+    if (alias_arg) argv[i++] = alias_arg;
+    argv[i++] = NULL;
+
+    setgroups(group_count, group_list);
+    exim_setugid(real_uid, real_gid, FALSE, US"running bi_command");
+
+    DEBUG(D_exec) debug_printf("exec '%.256s' %s%.256s%s\n", argv[0],
+      argv[1] ? "'" : "", argv[1] ? argv[1] : US"", argv[1] ? "'" : "");
+
+    execv(CS argv[0], (char *const *)argv);
+    exim_fail("exim: exec '%s' failed: %s\n", argv[0], strerror(errno));
+    }
+  else
+    {
+    DEBUG(D_any) debug_printf("-bi used but bi_command not set; exiting\n");
+    exit(EXIT_SUCCESS);
+    }
+  }
+
+/* We moved the admin/trusted check to be immediately after reading the
+configuration file.  We leave these prints here to ensure that syslog setup,
+logfile setup, and so on has already happened. */
+
+if (f.trusted_caller) DEBUG(D_any) debug_printf("trusted user\n");
+if (f.admin_user) DEBUG(D_any) debug_printf("admin user\n");
+
+/* Only an admin user may start the daemon or force a queue run in the default
+configuration, but the queue run restriction can be relaxed. Only an admin
+user may request that a message be returned to its sender forthwith. Only an
+admin user may specify a debug level greater than D_v (because it might show
+passwords, etc. in lookup queries). Only an admin user may request a queue
+count. Only an admin user can use the test interface to scan for email
+(because Exim will be in the spool dir and able to look at mails). */
+
+if (!f.admin_user)
+  {
+  BOOL debugset = (debug_selector & ~D_v) != 0;
+  if (  deliver_give_up || f.daemon_listen || malware_test_file
+     || count_queue && queue_list_requires_admin
+     || list_queue && queue_list_requires_admin
+     || queue_interval >= 0 && prod_requires_admin
+     || queue_name_dest && prod_requires_admin
+     || debugset && !f.running_in_test_harness
+     )
+    exim_fail("exim:%s permission denied\n", debugset ? " debugging" : "");
+  }
+
+/* If the real user is not root or the exim uid, the argument for passing
+in an open TCP/IP connection for another message is not permitted, nor is
+running with the -N option for any delivery action, unless this call to exim is
+one that supplied an input message, or we are using a patched exim for
+regression testing. */
+
+if (  real_uid != root_uid && real_uid != exim_uid
+   && (  continue_hostname
+      || (  f.dont_deliver
+	 && (queue_interval >= 0 || f.daemon_listen || msg_action_arg > 0)
+      )  )
+   && !f.running_in_test_harness
+   )
+  exim_fail("exim: Permission denied\n");
+
+/* If the caller is not trusted, certain arguments are ignored when running for
+real, but are permitted when checking things (-be, -bv, -bt, -bh, -bf, -bF).
+Note that authority for performing certain actions on messages is tested in the
+queue_action() function. */
+
+if (!f.trusted_caller && !checking)
+  {
+  sender_host_name = sender_host_address = interface_address =
+    sender_ident = received_protocol = NULL;
+  sender_host_port = interface_port = 0;
+  sender_host_authenticated = authenticated_sender = authenticated_id = NULL;
+  }
+
+/* If a sender host address is set, extract the optional port number off the
+end of it and check its syntax. Do the same thing for the interface address.
+Exim exits if the syntax is bad. */
+
+else
+  {
+  if (sender_host_address)
+    sender_host_port = check_port(sender_host_address);
+  if (interface_address)
+    interface_port = check_port(interface_address);
+  }
+
+/* If the caller is trusted, then they can use -G to suppress_local_fixups. */
+if (flag_G)
+  {
+  if (f.trusted_caller)
+    {
+    f.suppress_local_fixups = f.suppress_local_fixups_default = TRUE;
+    DEBUG(D_acl) debug_printf("suppress_local_fixups forced on by -G\n");
+    }
+  else
+    exim_fail("exim: permission denied (-G requires a trusted user)\n");
+  }
+
+/* If an SMTP message is being received check to see if the standard input is a
+TCP/IP socket. If it is, we assume that Exim was called from inetd if the
+caller is root or the Exim user, or if the port is a privileged one. Otherwise,
+barf. */
+
+if (smtp_input)
+  {
+  union sockaddr_46 inetd_sock;
+  EXIM_SOCKLEN_T size = sizeof(inetd_sock);
+  if (getpeername(0, (struct sockaddr *)(&inetd_sock), &size) == 0)
+    {
+    int family = ((struct sockaddr *)(&inetd_sock))->sa_family;
+    if (family == AF_INET || family == AF_INET6)
+      {
+      union sockaddr_46 interface_sock;
+      size = sizeof(interface_sock);
+
+      if (getsockname(0, (struct sockaddr *)(&interface_sock), &size) == 0)
+        interface_address = host_ntoa(-1, &interface_sock, NULL,
+          &interface_port);
+
+      if (host_is_tls_on_connect_port(interface_port)) tls_in.on_connect = TRUE;
+
+      if (real_uid == root_uid || real_uid == exim_uid || interface_port < 1024)
+        {
+        f.is_inetd = TRUE;
+        sender_host_address = host_ntoa(-1, (struct sockaddr *)(&inetd_sock),
+          NULL, &sender_host_port);
+        if (mua_wrapper) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Input from "
+          "inetd is not supported when mua_wrapper is set");
+        }
+      else
+        exim_fail(
+          "exim: Permission denied (unprivileged user, unprivileged port)\n");
+      }
+    }
+  }
+
+/* If the load average is going to be needed while receiving a message, get it
+now for those OS that require the first call to os_getloadavg() to be done as
+root. There will be further calls later for each message received. */
+
+#ifdef LOAD_AVG_NEEDS_ROOT
+if (  receiving_message
+   && (queue_only_load >= 0 || (f.is_inetd && smtp_load_reserve >= 0)))
+  load_average = OS_GETLOADAVG();
+#endif
+
+/* The queue_only configuration option can be overridden by -odx on the command
+line, except that if queue_only_override is false, queue_only cannot be unset
+from the command line. */
+
+if (queue_only_set && (queue_only_override || arg_queue_only))
+  queue_only = arg_queue_only;
+
+/* The receive_timeout and smtp_receive_timeout options can be overridden by
+-or and -os. */
+
+if (arg_receive_timeout >= 0) receive_timeout = arg_receive_timeout;
+if (arg_smtp_receive_timeout >= 0)
+  smtp_receive_timeout = arg_smtp_receive_timeout;
+
+/* If Exim was started with root privilege, unless we have already removed the
+root privilege above as a result of -C, -D, -be, -bf or -bF, remove it now
+except when starting the daemon or doing some kind of delivery or address
+testing (-bt). These are the only cases when root need to be retained. We run
+as exim for -bv and -bh. However, if deliver_drop_privilege is set, root is
+retained only for starting the daemon. We always do the initgroups() in this
+situation (controlled by the TRUE below), in order to be as close as possible
+to the state Exim usually runs in. */
+
+if (  !unprivileged				/* originally had root AND */
+   && !removed_privilege			/* still got root AND      */
+   && !f.daemon_listen				/* not starting the daemon */
+   && queue_interval <= 0			/* (either kind of daemon) */
+   && (						/*    AND EITHER           */
+         deliver_drop_privilege			/* requested unprivileged  */
+      || (					/*       OR                */
+            queue_interval < 0			/* not running the queue   */
+         && (  msg_action_arg < 0		/*       and               */
+            || msg_action != MSG_DELIVER	/* not delivering          */
+	    )					/*       and               */
+         && (!checking || !f.address_test_mode)	/* not address checking    */
+	 && !rcpt_verify_quota			/* and not quota checking  */
+   )  )  )
+  exim_setugid(exim_uid, exim_gid, TRUE, US"privilege not needed");
+
+/* When we are retaining a privileged uid, we still change to the exim gid. */
+
+else
+  {
+  int rv;
+  DEBUG(D_any) debug_printf("dropping to exim gid; retaining priv uid\n");
+  rv = setgid(exim_gid);
+  /* Impact of failure is that some stuff might end up with an incorrect group.
+  We track this for failures from root, since any attempt to change privilege
+  by root should succeed and failures should be examined.  For non-root,
+  there's no security risk.  For me, it's { exim -bV } on a just-built binary,
+  no need to complain then. */
+  if (rv == -1)
+    if (!(unprivileged || removed_privilege))
+      exim_fail("exim: changing group failed: %s\n", strerror(errno));
+    else
+      {
+      DEBUG(D_any) debug_printf("changing group to %ld failed: %s\n",
+          (long int)exim_gid, strerror(errno));
+      }
+  }
+
+/* Handle a request to scan a file for malware */
+if (malware_test_file)
+  {
+#ifdef WITH_CONTENT_SCAN
+  int result;
+  set_process_info("scanning file for malware");
+  if ((result = malware_in_file(malware_test_file)) == FAIL)
+    {
+    printf("No malware found.\n");
+    exit(EXIT_SUCCESS);
+    }
+  if (result != OK)
+    {
+    printf("Malware lookup returned non-okay/fail: %d\n", result);
+    exit(EXIT_FAILURE);
+    }
+  if (malware_name)
+    printf("Malware found: %s\n", malware_name);
+  else
+    printf("Malware scan detected malware of unknown name.\n");
+#else
+  printf("Malware scanning not enabled at compile time.\n");
+#endif
+  exit(EXIT_FAILURE);
+  }
+
+/* Handle a request to list the delivery queue */
+
+if (list_queue)
+  {
+  set_process_info("listing the queue");
+  queue_list(list_queue_option, argv + recipients_arg, argc - recipients_arg);
+  exit(EXIT_SUCCESS);
+  }
+
+/* Handle a request to count the delivery queue */
+
+if (count_queue)
+  {
+  set_process_info("counting the queue");
+  fprintf(stdout, "%u\n", queue_count());
+  exit(EXIT_SUCCESS);
+  }
+
+/* Handle actions on specific messages, except for the force delivery and
+message load actions, which are done below. Some actions take a whole list of
+message ids, which are known to continue up to the end of the arguments. Others
+take a single message id and then operate on the recipients list. */
+
+if (msg_action_arg > 0 && msg_action != MSG_DELIVER && msg_action != MSG_LOAD)
+  {
+  int yield = EXIT_SUCCESS;
+  set_process_info("acting on specified messages");
+
+  /* ACL definitions may be needed when removing a message (-Mrm) because
+  event_action gets expanded */
+
+  if (msg_action == MSG_REMOVE)
+    {
+    int old_pool = store_pool;
+    store_pool = POOL_CONFIG;
+    readconf_rest();
+    store_pool = old_pool;
+    store_writeprotect(POOL_CONFIG);
+    }
+
+  if (!one_msg_action)
+    {
+    for (i = msg_action_arg; i < argc; i++)
+      if (!queue_action(argv[i], msg_action, NULL, 0, 0))
+        yield = EXIT_FAILURE;
+    switch (msg_action)
+      {
+      case MSG_REMOVE: case MSG_FREEZE: case MSG_THAW: break;
+      default: printf("\n"); break;
+      }
+    }
+
+  else if (!queue_action(argv[msg_action_arg], msg_action, argv, argc,
+    recipients_arg)) yield = EXIT_FAILURE;
+  exit(yield);
+  }
+
+/* We used to set up here to skip reading the ACL section, on
+ (msg_action_arg > 0 || (queue_interval == 0 && !f.daemon_listen)
+Now, since the intro of the ${acl } expansion, ACL definitions may be
+needed in transports so we lost the optimisation. */
+
+  {
+  int old_pool = store_pool;
+#ifdef MEASURE_TIMING
+  struct timeval t0;
+  (void)gettimeofday(&t0, NULL);
+#endif
+
+  store_pool = POOL_CONFIG;
+  readconf_rest();
+  store_pool = old_pool;
+
+  /* -be can add macro definitions, needing to link to the macro structure
+  chain.  Otherwise, make the memory used for config data readonly. */
+
+  if (!expansion_test)
+    store_writeprotect(POOL_CONFIG);
+
+#ifdef MEASURE_TIMING
+  report_time_since(&t0, US"readconf_rest (delta)");
+#endif
+  }
+
+/* Handle a request to check quota */
+if (rcpt_verify_quota)
+  if (real_uid != root_uid && real_uid != exim_uid)
+    exim_fail("exim: Permission denied\n");
+  else if (recipients_arg >= argc)
+    exim_fail("exim: missing recipient for quota check\n");
+  else
+    {
+    verify_quota(argv[recipients_arg]);
+    exim_exit(EXIT_SUCCESS);
+    }
+
+/* Handle the -brt option. This is for checking out retry configurations.
+The next three arguments are a domain name or a complete address, and
+optionally two error numbers. All it does is to call the function that
+scans the retry configuration data. */
+
+if (test_retry_arg >= 0)
+  {
+  retry_config *yield;
+  int basic_errno = 0;
+  int more_errno = 0;
+  const uschar *s1, *s2;
+
+  if (test_retry_arg >= argc)
+    {
+    printf("-brt needs a domain or address argument\n");
+    exim_exit(EXIT_FAILURE);
+    }
+  s1 = exim_str_fail_toolong(argv[test_retry_arg++], EXIM_EMAILADDR_MAX, "-brt");
+  s2 = NULL;
+
+  /* If the first argument contains no @ and no . it might be a local user
+  or it might be a single-component name. Treat as a domain. */
+
+  if (Ustrchr(s1, '@') == NULL && Ustrchr(s1, '.') == NULL)
+    {
+    printf("Warning: \"%s\" contains no '@' and no '.' characters. It is "
+      "being \ntreated as a one-component domain, not as a local part.\n\n",
+      s1);
+    }
+
+  /* There may be an optional second domain arg. */
+
+  if (test_retry_arg < argc && Ustrchr(argv[test_retry_arg], '.') != NULL)
+    s2 = exim_str_fail_toolong(argv[test_retry_arg++], EXIM_DOMAINNAME_MAX, "-brt 2nd");
+
+  /* The final arg is an error name */
+
+  if (test_retry_arg < argc)
+    {
+    const uschar *ss = exim_str_fail_toolong(argv[test_retry_arg], EXIM_DRIVERNAME_MAX, "-brt 3rd");
+    uschar *error =
+      readconf_retry_error(ss, ss + Ustrlen(ss), &basic_errno, &more_errno);
+    if (error != NULL)
+      {
+      printf("%s\n", CS error);
+      return EXIT_FAILURE;
+      }
+
+    /* For the {MAIL,RCPT,DATA}_4xx errors, a value of 255 means "any", and a
+    code > 100 as an error is for matching codes to the decade. Turn them into
+    a real error code, off the decade. */
+
+    if (basic_errno == ERRNO_MAIL4XX ||
+        basic_errno == ERRNO_RCPT4XX ||
+        basic_errno == ERRNO_DATA4XX)
+      {
+      int code = (more_errno >> 8) & 255;
+      if (code == 255)
+        more_errno = (more_errno & 0xffff00ff) | (21 << 8);
+      else if (code > 100)
+        more_errno = (more_errno & 0xffff00ff) | ((code - 96) << 8);
+      }
+    }
+
+  if (!(yield = retry_find_config(s1, s2, basic_errno, more_errno)))
+    printf("No retry information found\n");
+  else
+    {
+    more_errno = yield->more_errno;
+    printf("Retry rule: %s  ", yield->pattern);
+
+    if (yield->basic_errno == ERRNO_EXIMQUOTA)
+      {
+      printf("quota%s%s  ",
+        (more_errno > 0)? "_" : "",
+        (more_errno > 0)? readconf_printtime(more_errno) : US"");
+      }
+    else if (yield->basic_errno == ECONNREFUSED)
+      {
+      printf("refused%s%s  ",
+        (more_errno > 0)? "_" : "",
+        (more_errno == 'M')? "MX" :
+        (more_errno == 'A')? "A" : "");
+      }
+    else if (yield->basic_errno == ETIMEDOUT)
+      {
+      printf("timeout");
+      if ((more_errno & RTEF_CTOUT) != 0) printf("_connect");
+      more_errno &= 255;
+      if (more_errno != 0) printf("_%s",
+        (more_errno == 'M')? "MX" : "A");
+      printf("  ");
+      }
+    else if (yield->basic_errno == ERRNO_AUTHFAIL)
+      printf("auth_failed  ");
+    else printf("*  ");
+
+    for (retry_rule * r = yield->rules; r; r = r->next)
+      {
+      printf("%c,%s", r->rule, readconf_printtime(r->timeout)); /* Do not */
+      printf(",%s", readconf_printtime(r->p1));                 /* amalgamate */
+      if (r->rule == 'G')
+        {
+        int x = r->p2;
+        int f = x % 1000;
+        int d = 100;
+        printf(",%d.", x/1000);
+        do
+          {
+          printf("%d", f/d);
+          f %= d;
+          d /= 10;
+          }
+        while (f != 0);
+        }
+      printf("; ");
+      }
+
+    printf("\n");
+    }
+  exim_exit(EXIT_SUCCESS);
+  }
+
+/* Handle a request to list one or more configuration options */
+/* If -n was set, we suppress some information */
+
+if (list_options)
+  {
+  BOOL fail = FALSE;
+  set_process_info("listing variables");
+  if (recipients_arg >= argc)
+    fail = !readconf_print(US"all", NULL, flag_n);
+  else for (i = recipients_arg; i < argc; i++)
+    {
+    if (i < argc - 1 &&
+	(Ustrcmp(argv[i], "router") == 0 ||
+	 Ustrcmp(argv[i], "transport") == 0 ||
+	 Ustrcmp(argv[i], "authenticator") == 0 ||
+	 Ustrcmp(argv[i], "macro") == 0 ||
+	 Ustrcmp(argv[i], "environment") == 0))
+      {
+      fail |= !readconf_print(exim_str_fail_toolong(argv[i+1], EXIM_DRIVERNAME_MAX, "-bP name"), argv[i], flag_n);
+      i++;
+      }
+    else
+      fail = !readconf_print(exim_str_fail_toolong(argv[i], EXIM_DRIVERNAME_MAX, "-bP item"), NULL, flag_n);
+    }
+  exim_exit(fail ? EXIT_FAILURE : EXIT_SUCCESS);
+  }
+
+if (list_config)
+  {
+  set_process_info("listing config");
+  exim_exit(readconf_print(US"config", NULL, flag_n)
+		? EXIT_SUCCESS : EXIT_FAILURE);
+  }
+
+
+/* Initialise subsystems as required. */
+
+tcp_init();
+
+/* Handle a request to deliver one or more messages that are already on the
+queue. Values of msg_action other than MSG_DELIVER and MSG_LOAD are dealt with
+above. MSG_LOAD is handled with -be (which is the only time it applies) below.
+
+Delivery of specific messages is typically used for a small number when
+prodding by hand (when the option forced_delivery will be set) or when
+re-execing to regain root privilege. Each message delivery must happen in a
+separate process, so we fork a process for each one, and run them sequentially
+so that debugging output doesn't get intertwined, and to avoid spawning too
+many processes if a long list is given. However, don't fork for the last one;
+this saves a process in the common case when Exim is called to deliver just one
+message. */
+
+if (msg_action_arg > 0 && msg_action != MSG_LOAD)
+  {
+  if (prod_requires_admin && !f.admin_user)
+    {
+    fprintf(stderr, "exim: Permission denied\n");
+    exim_exit(EXIT_FAILURE);
+    }
+  set_process_info("delivering specified messages");
+  if (deliver_give_up) forced_delivery = f.deliver_force_thaw = TRUE;
+  for (i = msg_action_arg; i < argc; i++)
+    {
+    int status;
+    pid_t pid;
+    /*XXX This use of argv[i] for msg_id should really be tainted, but doing
+    that runs into a later copy into the untainted global message_id[] */
+    /*XXX Do we need a length limit check here? */
+    if (i == argc - 1)
+      (void)deliver_message(argv[i], forced_delivery, deliver_give_up);
+    else if ((pid = exim_fork(US"cmdline-delivery")) == 0)
+      {
+      (void)deliver_message(argv[i], forced_delivery, deliver_give_up);
+      exim_underbar_exit(EXIT_SUCCESS);
+      }
+    else if (pid < 0)
+      {
+      fprintf(stderr, "failed to fork delivery process for %s: %s\n", argv[i],
+        strerror(errno));
+      exim_exit(EXIT_FAILURE);
+      }
+    else wait(&status);
+    }
+  exim_exit(EXIT_SUCCESS);
+  }
+
+
+/* If only a single queue run is requested, without SMTP listening, we can just
+turn into a queue runner, with an optional starting message id. */
+
+if (queue_interval == 0 && !f.daemon_listen)
+  {
+  DEBUG(D_queue_run) debug_printf("Single queue run%s%s%s%s\n",
+    start_queue_run_id ? US" starting at " : US"",
+    start_queue_run_id ? start_queue_run_id: US"",
+    stop_queue_run_id ?  US" stopping at " : US"",
+    stop_queue_run_id ?  stop_queue_run_id : US"");
+  if (*queue_name)
+    set_process_info("running the '%s' queue (single queue run)", queue_name);
+  else
+    set_process_info("running the queue (single queue run)");
+  queue_run(start_queue_run_id, stop_queue_run_id, FALSE);
+  exim_exit(EXIT_SUCCESS);
+  }
+
+
+/* Find the login name of the real user running this process. This is always
+needed when receiving a message, because it is written into the spool file. It
+may also be used to construct a from: or a sender: header, and in this case we
+need the user's full name as well, so save a copy of it, checked for RFC822
+syntax and munged if necessary, if it hasn't previously been set by the -F
+argument. We may try to get the passwd entry more than once, in case NIS or
+other delays are in evidence. Save the home directory for use in filter testing
+(only). */
+
+for (i = 0;;)
+  {
+  if ((pw = getpwuid(real_uid)) != NULL)
+    {
+    originator_login = string_copy(US pw->pw_name);
+    originator_home = string_copy(US pw->pw_dir);
+
+    /* If user name has not been set by -F, set it from the passwd entry
+    unless -f has been used to set the sender address by a trusted user. */
+
+    if (!originator_name)
+      {
+      if (!sender_address || (!f.trusted_caller && filter_test == FTEST_NONE))
+        {
+        uschar *name = US pw->pw_gecos;
+        uschar *amp = Ustrchr(name, '&');
+        uschar buffer[256];
+
+        /* Most Unix specify that a '&' character in the gecos field is
+        replaced by a copy of the login name, and some even specify that
+        the first character should be upper cased, so that's what we do. */
+
+        if (amp)
+          {
+          int loffset;
+          string_format(buffer, sizeof(buffer), "%.*s%n%s%s",
+            (int)(amp - name), name, &loffset, originator_login, amp + 1);
+          buffer[loffset] = toupper(buffer[loffset]);
+          name = buffer;
+          }
+
+        /* If a pattern for matching the gecos field was supplied, apply
+        it and then expand the name string. */
+
+        if (gecos_pattern && gecos_name)
+          {
+          const pcre2_code *re;
+          re = regex_must_compile(gecos_pattern, FALSE, TRUE); /* Use malloc */
+
+          if (regex_match_and_setup(re, name, 0, -1))
+            {
+            uschar *new_name = expand_string(gecos_name);
+            expand_nmax = -1;
+            if (new_name)
+              {
+              DEBUG(D_receive) debug_printf("user name \"%s\" extracted from "
+                "gecos field \"%s\"\n", new_name, name);
+              name = new_name;
+              }
+            else DEBUG(D_receive) debug_printf("failed to expand gecos_name string "
+              "\"%s\": %s\n", gecos_name, expand_string_message);
+            }
+          else DEBUG(D_receive) debug_printf("gecos_pattern \"%s\" did not match "
+            "gecos field \"%s\"\n", gecos_pattern, name);
+          store_free((void *)re);
+          }
+        originator_name = string_copy(name);
+        }
+
+      /* A trusted caller has used -f but not -F */
+
+      else originator_name = US"";
+      }
+
+    /* Break the retry loop */
+
+    break;
+    }
+
+  if (++i > finduser_retries) break;
+  sleep(1);
+  }
+
+/* If we cannot get a user login, log the incident and give up, unless the
+configuration specifies something to use. When running in the test harness,
+any setting of unknown_login overrides the actual name. */
+
+if (!originator_login || f.running_in_test_harness)
+  {
+  if (unknown_login)
+    {
+    originator_login = expand_string(unknown_login);
+    if (!originator_name && unknown_username)
+      originator_name = expand_string(unknown_username);
+    if (!originator_name) originator_name = US"";
+    }
+  if (!originator_login)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to get user name for uid %d",
+      (int)real_uid);
+  }
+
+/* Ensure that the user name is in a suitable form for use as a "phrase" in an
+RFC822 address.*/
+
+originator_name = US parse_fix_phrase(originator_name, Ustrlen(originator_name));
+
+/* If a message is created by this call of Exim, the uid/gid of its originator
+are those of the caller. These values are overridden if an existing message is
+read in from the spool. */
+
+originator_uid = real_uid;
+originator_gid = real_gid;
+
+DEBUG(D_receive) debug_printf("originator: uid=%d gid=%d login=%s name=%s\n",
+  (int)originator_uid, (int)originator_gid, originator_login, originator_name);
+
+/* Run in daemon and/or queue-running mode. The function daemon_go() never
+returns. We leave this till here so that the originator_ fields are available
+for incoming messages via the daemon. The daemon cannot be run in mua_wrapper
+mode. */
+
+if (f.daemon_listen || f.inetd_wait_mode || queue_interval > 0)
+  {
+  if (mua_wrapper)
+    {
+    fprintf(stderr, "Daemon cannot be run when mua_wrapper is set\n");
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Daemon cannot be run when "
+      "mua_wrapper is set");
+    }
+
+# ifndef DISABLE_TLS
+  /* This also checks that the library linkage is working and we can call
+  routines in it, so call even if tls_require_ciphers is unset */
+    {
+# ifdef MEASURE_TIMING
+    struct timeval t0;
+    (void)gettimeofday(&t0, NULL);
+# endif
+    if (!tls_dropprivs_validate_require_cipher(FALSE))
+      exit(1);
+# ifdef MEASURE_TIMING
+    report_time_since(&t0, US"validate_ciphers (delta)");
+# endif
+    }
+#endif
+
+  daemon_go();
+  }
+
+/* If the sender ident has not been set (by a trusted caller) set it to
+the caller. This will get overwritten below for an inetd call. If a trusted
+caller has set it empty, unset it. */
+
+if (!sender_ident) sender_ident = originator_login;
+else if (!*sender_ident) sender_ident = NULL;
+
+/* Handle the -brw option, which is for checking out rewriting rules. Cause log
+writes (on errors) to go to stderr instead. Can't do this earlier, as want the
+originator_* variables set. */
+
+if (test_rewrite_arg >= 0)
+  {
+  f.really_exim = FALSE;
+  if (test_rewrite_arg >= argc)
+    {
+    printf("-brw needs an address argument\n");
+    exim_exit(EXIT_FAILURE);
+    }
+  rewrite_test(exim_str_fail_toolong(argv[test_rewrite_arg], EXIM_EMAILADDR_MAX, "-brw"));
+  exim_exit(EXIT_SUCCESS);
+  }
+
+/* A locally-supplied message is considered to be coming from a local user
+unless a trusted caller supplies a sender address with -f, or is passing in the
+message via SMTP (inetd invocation or otherwise). */
+
+if (  !sender_address && !smtp_input
+   || !f.trusted_caller && filter_test == FTEST_NONE)
+  {
+  f.sender_local = TRUE;
+
+  /* A trusted caller can supply authenticated_sender and authenticated_id
+  via -oMas and -oMai and if so, they will already be set. Otherwise, force
+  defaults except when host checking. */
+
+  if (!authenticated_sender && !host_checking)
+    authenticated_sender = string_sprintf("%s@%s", originator_login,
+      qualify_domain_sender);
+  if (!authenticated_id && !host_checking)
+    authenticated_id = originator_login;
+  }
+
+/* Trusted callers are always permitted to specify the sender address.
+Untrusted callers may specify it if it matches untrusted_set_sender, or if what
+is specified is the empty address. However, if a trusted caller does not
+specify a sender address for SMTP input, we leave sender_address unset. This
+causes the MAIL commands to be honoured. */
+
+if (  !smtp_input && !sender_address
+   || !receive_check_set_sender(sender_address))
+  {
+  /* Either the caller is not permitted to set a general sender, or this is
+  non-SMTP input and the trusted caller has not set a sender. If there is no
+  sender, or if a sender other than <> is set, override with the originator's
+  login (which will get qualified below), except when checking things. */
+
+  if (  !sender_address                  /* No sender_address set */
+     ||                                  /*         OR            */
+       (sender_address[0] != 0 &&        /* Non-empty sender address, AND */
+       !checking))                       /* Not running tests, including filter tests */
+    {
+    sender_address = originator_login;
+    f.sender_address_forced = FALSE;
+    sender_address_domain = 0;
+    }
+  }
+
+/* Remember whether an untrusted caller set the sender address */
+
+f.sender_set_untrusted = sender_address != originator_login && !f.trusted_caller;
+
+/* Ensure that the sender address is fully qualified unless it is the empty
+address, which indicates an error message, or doesn't exist (root caller, smtp
+interface, no -f argument). */
+
+if (sender_address && *sender_address && sender_address_domain == 0)
+  sender_address = string_sprintf("%s@%s", local_part_quote(sender_address),
+    qualify_domain_sender);
+
+DEBUG(D_receive) debug_printf("sender address = %s\n", sender_address);
+
+/* Handle a request to verify a list of addresses, or test them for delivery.
+This must follow the setting of the sender address, since routers can be
+predicated upon the sender. If no arguments are given, read addresses from
+stdin. Set debug_level to at least D_v to get full output for address testing.
+*/
+
+if (verify_address_mode || f.address_test_mode)
+  {
+  int exit_value = 0;
+  int flags = vopt_qualify;
+
+  if (verify_address_mode)
+    {
+    if (!verify_as_sender) flags |= vopt_is_recipient;
+    DEBUG(D_verify) debug_print_ids(US"Verifying:");
+    }
+
+  else
+    {
+    flags |= vopt_is_recipient;
+    debug_selector |= D_v;
+    debug_file = stderr;
+    debug_fd = fileno(debug_file);
+    DEBUG(D_verify) debug_print_ids(US"Address testing:");
+    }
+
+  if (recipients_arg < argc)
+    while (recipients_arg < argc)
+      {
+      /* Supplied addresses are tainted since they come from a user */
+      uschar * s = string_copy_taint(
+	exim_str_fail_toolong(argv[recipients_arg++], EXIM_DISPLAYMAIL_MAX, "address verification"),
+	GET_TAINTED);
+      while (*s)
+        {
+        BOOL finished = FALSE;
+        uschar *ss = parse_find_address_end(s, FALSE);
+        if (*ss == ',') *ss = 0; else finished = TRUE;
+        test_address(s, flags, &exit_value);
+        s = ss;
+        if (!finished)
+          while (*++s == ',' || isspace(*s)) ;
+        }
+      }
+
+  else for (;;)
+    {
+    uschar * s = get_stdinput(NULL, NULL);
+    if (!s) break;
+    test_address(string_copy_taint(
+	exim_str_fail_toolong(s, EXIM_DISPLAYMAIL_MAX, "address verification (stdin)"),
+	GET_TAINTED),
+      flags, &exit_value);
+    }
+
+  route_tidyup();
+  exim_exit(exit_value);
+  }
+
+/* Handle expansion checking. Either expand items on the command line, or read
+from stdin if there aren't any. If -Mset was specified, load the message so
+that its variables can be used, but restrict this facility to admin users.
+Otherwise, if -bem was used, read a message from stdin. */
+
+if (expansion_test)
+  {
+  dns_init(FALSE, FALSE, FALSE);
+  if (msg_action_arg > 0 && msg_action == MSG_LOAD)
+    {
+    uschar * spoolname;
+    if (!f.admin_user)
+      exim_fail("exim: permission denied\n");
+    message_id = US exim_str_fail_toolong(argv[msg_action_arg], MESSAGE_ID_LENGTH, "message-id");
+    /* Checking the length of the ID is sufficient to validate it.
+    Get an untainted version so file opens can be done. */
+    message_id = string_copy_taint(message_id, GET_UNTAINTED);
+
+    spoolname = string_sprintf("%s-H", message_id);
+    if ((deliver_datafile = spool_open_datafile(message_id)) < 0)
+      printf ("Failed to load message datafile %s\n", message_id);
+    if (spool_read_header(spoolname, TRUE, FALSE) != spool_read_OK)
+      printf ("Failed to load message %s\n", message_id);
+    }
+
+  /* Read a test message from a file. We fudge it up to be on stdin, saving
+  stdin itself for later reading of expansion strings. */
+
+  else if (expansion_test_message)
+    {
+    int save_stdin = dup(0);
+    int fd = Uopen(expansion_test_message, O_RDONLY, 0);
+    if (fd < 0)
+      exim_fail("exim: failed to open %s: %s\n", expansion_test_message,
+        strerror(errno));
+    (void) dup2(fd, 0);
+    filter_test = FTEST_USER;      /* Fudge to make it look like filter test */
+    message_ended = END_NOTENDED;
+    read_message_body(receive_msg(extract_recipients));
+    message_linecount += body_linecount;
+    (void)dup2(save_stdin, 0);
+    (void)close(save_stdin);
+    clearerr(stdin);               /* Required by Darwin */
+    }
+
+  /* Only admin users may see config-file macros this way */
+
+  if (!f.admin_user) macros_user = macros = mlast = NULL;
+
+  /* Allow $recipients for this testing */
+
+  f.enable_dollar_recipients = TRUE;
+
+  /* Expand command line items */
+
+  if (recipients_arg < argc)
+    while (recipients_arg < argc)
+      expansion_test_line(exim_str_fail_toolong(argv[recipients_arg++], EXIM_EMAILADDR_MAX, "recipient"));
+
+  /* Read stdin */
+
+  else
+    {
+    char *(*fn_readline)(const char *) = NULL;
+    void (*fn_addhist)(const char *) = NULL;
+    uschar * s;
+
+#ifdef USE_READLINE
+    void *dlhandle = set_readline(&fn_readline, &fn_addhist);
+#endif
+
+    while (s = get_stdinput(fn_readline, fn_addhist))
+      expansion_test_line(s);
+
+#ifdef USE_READLINE
+    if (dlhandle) dlclose(dlhandle);
+#endif
+    }
+
+  /* The data file will be open after -Mset */
+
+  if (deliver_datafile >= 0)
+    {
+    (void)close(deliver_datafile);
+    deliver_datafile = -1;
+    }
+
+  exim_exit(EXIT_SUCCESS);
+  }
+
+
+/* The active host name is normally the primary host name, but it can be varied
+for hosts that want to play several parts at once. We need to ensure that it is
+set for host checking, and for receiving messages. */
+
+smtp_active_hostname = primary_hostname;
+if (raw_active_hostname != NULL)
+  {
+  uschar *nah = expand_string(raw_active_hostname);
+  if (nah == NULL)
+    {
+    if (!f.expand_string_forcedfail)
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand \"%s\" "
+        "(smtp_active_hostname): %s", raw_active_hostname,
+        expand_string_message);
+    }
+  else if (nah[0] != 0) smtp_active_hostname = nah;
+  }
+
+/* Handle host checking: this facility mocks up an incoming SMTP call from a
+given IP address so that the blocking and relay configuration can be tested.
+Unless a sender_ident was set by -oMt, we discard it (the default is the
+caller's login name). An RFC 1413 call is made only if we are running in the
+test harness and an incoming interface and both ports are specified, because
+there is no TCP/IP call to find the ident for. */
+
+if (host_checking)
+  {
+  int x[4];
+  int size;
+
+  if (!sender_ident_set)
+    {
+    sender_ident = NULL;
+    if (f.running_in_test_harness && sender_host_port
+       && interface_address && interface_port)
+      verify_get_ident(1223);		/* note hardwired port number */
+    }
+
+  /* In case the given address is a non-canonical IPv6 address, canonicalize
+  it. The code works for both IPv4 and IPv6, as it happens. */
+
+  size = host_aton(sender_host_address, x);
+  sender_host_address = store_get(48, GET_UNTAINTED);  /* large enough for full IPv6 */
+  (void)host_nmtoa(size, x, -1, sender_host_address, ':');
+
+  /* Now set up for testing */
+
+  host_build_sender_fullhost();
+  smtp_input = TRUE;
+  smtp_in = stdin;
+  smtp_out = stdout;
+  f.sender_local = FALSE;
+  f.sender_host_notsocket = TRUE;
+  debug_file = stderr;
+  debug_fd = fileno(debug_file);
+  fprintf(stdout, "\n**** SMTP testing session as if from host %s\n"
+    "**** but without any ident (RFC 1413) callback.\n"
+    "**** This is not for real!\n\n",
+      sender_host_address);
+
+  memset(sender_host_cache, 0, sizeof(sender_host_cache));
+  if (verify_check_host(&hosts_connection_nolog) == OK)
+    BIT_CLEAR(log_selector, log_selector_size, Li_smtp_connection);
+  log_write(L_smtp_connection, LOG_MAIN, "%s", smtp_get_connection_info());
+
+  /* NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
+  because a log line has already been written for all its failure exists
+  (usually "connection refused: <reason>") and writing another one is
+  unnecessary clutter. */
+
+  if (smtp_start_session())
+    {
+    rmark reset_point;
+    for (; (reset_point = store_mark()); store_reset(reset_point))
+      {
+      if (smtp_setup_msg() <= 0) break;
+      if (!receive_msg(FALSE)) break;
+
+      return_path = sender_address = NULL;
+      dnslist_domain = dnslist_matched = NULL;
+#ifndef DISABLE_DKIM
+      dkim_cur_signer = NULL;
+#endif
+      acl_var_m = NULL;
+      deliver_localpart_orig = NULL;
+      deliver_domain_orig = NULL;
+      callout_address = sending_ip_address = NULL;
+      deliver_localpart_data = deliver_domain_data =
+      recipient_data = sender_data = NULL;
+      sender_rate = sender_rate_limit = sender_rate_period = NULL;
+      }
+    smtp_log_no_mail();
+    }
+  exim_exit(EXIT_SUCCESS);
+  }
+
+
+/* Arrange for message reception if recipients or SMTP were specified;
+otherwise complain unless a version print (-bV) happened or this is a filter
+verification test or info dump.
+In the former case, show the configuration file name. */
+
+if (recipients_arg >= argc && !extract_recipients && !smtp_input)
+  {
+  if (version_printed)
+    {
+    if (Ustrchr(config_main_filelist, ':'))
+      printf("Configuration file search path is %s\n", config_main_filelist);
+    printf("Configuration file is %s\n", config_main_filename);
+    return EXIT_SUCCESS;
+    }
+
+  if (info_flag != CMDINFO_NONE)
+    {
+    show_exim_information(info_flag, info_stdout ? stdout : stderr);
+    return info_stdout ? EXIT_SUCCESS : EXIT_FAILURE;
+    }
+
+  if (filter_test == FTEST_NONE)
+    exim_usage(called_as);
+  }
+
+
+/* If mua_wrapper is set, Exim is being used to turn an MUA that submits on the
+standard input into an MUA that submits to a smarthost over TCP/IP. We know
+that we are not called from inetd, because that is rejected above. The
+following configuration settings are forced here:
+
+  (1) Synchronous delivery (-odi)
+  (2) Errors to stderr (-oep == -oeq)
+  (3) No parallel remote delivery
+  (4) Unprivileged delivery
+
+We don't force overall queueing options because there are several of them;
+instead, queueing is avoided below when mua_wrapper is set. However, we do need
+to override any SMTP queueing. */
+
+if (mua_wrapper)
+  {
+  f.synchronous_delivery = TRUE;
+  arg_error_handling = ERRORS_STDERR;
+  remote_max_parallel = 1;
+  deliver_drop_privilege = TRUE;
+  f.queue_smtp = FALSE;
+  queue_smtp_domains = NULL;
+#ifdef SUPPORT_I18N
+  message_utf8_downconvert = -1;	/* convert-if-needed */
+#endif
+  }
+
+
+/* Prepare to accept one or more new messages on the standard input. When a
+message has been read, its id is returned in message_id[]. If doing immediate
+delivery, we fork a delivery process for each received message, except for the
+last one, where we can save a process switch.
+
+It is only in non-smtp mode that error_handling is allowed to be changed from
+its default of ERRORS_SENDER by argument. (Idle thought: are any of the
+sendmail error modes other than -oem ever actually used? Later: yes.) */
+
+if (!smtp_input) error_handling = arg_error_handling;
+
+/* If this is an inetd call, ensure that stderr is closed to prevent panic
+logging being sent down the socket and make an identd call to get the
+sender_ident. */
+
+else if (f.is_inetd)
+  {
+  (void)fclose(stderr);
+  exim_nullstd();                       /* Re-open to /dev/null */
+  verify_get_ident(IDENT_PORT);
+  host_build_sender_fullhost();
+  set_process_info("handling incoming connection from %s via inetd",
+    sender_fullhost);
+  }
+
+/* If the sender host address has been set, build sender_fullhost if it hasn't
+already been done (which it will have been for inetd). This caters for the
+case when it is forced by -oMa. However, we must flag that it isn't a socket,
+so that the test for IP options is skipped for -bs input. */
+
+if (sender_host_address && !sender_fullhost)
+  {
+  host_build_sender_fullhost();
+  set_process_info("handling incoming connection from %s via -oMa",
+    sender_fullhost);
+  f.sender_host_notsocket = TRUE;
+  }
+
+/* Otherwise, set the sender host as unknown except for inetd calls. This
+prevents host checking in the case of -bs not from inetd and also for -bS. */
+
+else if (!f.is_inetd) f.sender_host_unknown = TRUE;
+
+/* If stdout does not exist, then dup stdin to stdout. This can happen
+if exim is started from inetd. In this case fd 0 will be set to the socket,
+but fd 1 will not be set. This also happens for passed SMTP channels. */
+
+if (fstat(1, &statbuf) < 0) (void)dup2(0, 1);
+
+/* Set up the incoming protocol name and the state of the program. Root is
+allowed to force received protocol via the -oMr option above. If we have come
+via inetd, the process info has already been set up. We don't set
+received_protocol here for smtp input, as it varies according to
+batch/HELO/EHLO/AUTH/TLS. */
+
+if (smtp_input)
+  {
+  if (!f.is_inetd) set_process_info("accepting a local %sSMTP message from <%s>",
+    smtp_batched_input? "batched " : "",
+    sender_address ? sender_address : originator_login);
+  }
+else
+  {
+  int old_pool = store_pool;
+  store_pool = POOL_PERM;
+  if (!received_protocol)
+    received_protocol = string_sprintf("local%s", called_as);
+  store_pool = old_pool;
+  set_process_info("accepting a local non-SMTP message from <%s>",
+    sender_address);
+  }
+
+/* Initialize the session_local_queue-only flag (this will be ignored if
+mua_wrapper is set) */
+
+queue_check_only();
+session_local_queue_only = queue_only;
+
+/* For non-SMTP and for batched SMTP input, check that there is enough space on
+the spool if so configured. On failure, we must not attempt to send an error
+message! (For interactive SMTP, the check happens at MAIL FROM and an SMTP
+error code is given.) */
+
+if ((!smtp_input || smtp_batched_input) && !receive_check_fs(0))
+  exim_fail("exim: insufficient disk space\n");
+
+/* If this is smtp input of any kind, real or batched, handle the start of the
+SMTP session.
+
+NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
+because a log line has already been written for all its failure exists
+(usually "connection refused: <reason>") and writing another one is
+unnecessary clutter. */
+
+if (smtp_input)
+  {
+  smtp_in = stdin;
+  smtp_out = stdout;
+  memset(sender_host_cache, 0, sizeof(sender_host_cache));
+  if (verify_check_host(&hosts_connection_nolog) == OK)
+    BIT_CLEAR(log_selector, log_selector_size, Li_smtp_connection);
+  log_write(L_smtp_connection, LOG_MAIN, "%s", smtp_get_connection_info());
+  if (!smtp_start_session())
+    {
+    mac_smtp_fflush();
+    exim_exit(EXIT_SUCCESS);
+    }
+  }
+
+/* Otherwise, set up the input size limit here and set no stdin stdio buffer
+(we handle buferring so as to have visibility of fill level). */
+
+else
+  {
+  thismessage_size_limit = expand_string_integer(message_size_limit, TRUE);
+  if (expand_string_message)
+    if (thismessage_size_limit == -1)
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand "
+        "message_size_limit: %s", expand_string_message);
+    else
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "invalid value for "
+        "message_size_limit: %s", expand_string_message);
+
+  setvbuf(stdin, NULL, _IONBF, 0);
+  }
+
+/* Loop for several messages when reading SMTP input. If we fork any child
+processes, we don't want to wait for them unless synchronous delivery is
+requested, so set SIGCHLD to SIG_IGN in that case. This is not necessarily the
+same as SIG_DFL, despite the fact that documentation often lists the default as
+"ignore". This is a confusing area. This is what I know:
+
+At least on some systems (e.g. Solaris), just setting SIG_IGN causes child
+processes that complete simply to go away without ever becoming defunct. You
+can't then wait for them - but we don't want to wait for them in the
+non-synchronous delivery case. However, this behaviour of SIG_IGN doesn't
+happen for all OS (e.g. *BSD is different).
+
+But that's not the end of the story. Some (many? all?) systems have the
+SA_NOCLDWAIT option for sigaction(). This requests the behaviour that Solaris
+has by default, so it seems that the difference is merely one of default
+(compare restarting vs non-restarting signals).
+
+To cover all cases, Exim sets SIG_IGN with SA_NOCLDWAIT here if it can. If not,
+it just sets SIG_IGN. To be on the safe side it also calls waitpid() at the end
+of the loop below. Paranoia rules.
+
+February 2003: That's *still* not the end of the story. There are now versions
+of Linux (where SIG_IGN does work) that are picky. If, having set SIG_IGN, a
+process then calls waitpid(), a grumble is written to the system log, because
+this is logically inconsistent. In other words, it doesn't like the paranoia.
+As a consequence of this, the waitpid() below is now excluded if we are sure
+that SIG_IGN works. */
+
+if (!f.synchronous_delivery)
+  {
+#ifdef SA_NOCLDWAIT
+  struct sigaction act;
+  act.sa_handler = SIG_IGN;
+  sigemptyset(&(act.sa_mask));
+  act.sa_flags = SA_NOCLDWAIT;
+  sigaction(SIGCHLD, &act, NULL);
+#else
+  signal(SIGCHLD, SIG_IGN);
+#endif
+  }
+
+/* Save the current store pool point, for resetting at the start of
+each message, and save the real sender address, if any. */
+
+real_sender_address = sender_address;
+
+/* Loop to receive messages; receive_msg() returns TRUE if there are more
+messages to be read (SMTP input), or FALSE otherwise (not SMTP, or SMTP channel
+collapsed). */
+
+for (BOOL more = TRUE; more; )
+  {
+  rmark reset_point = store_mark();
+  message_id[0] = 0;
+
+  /* Handle the SMTP case; call smtp_setup_mst() to deal with the initial SMTP
+  input and build the recipients list, before calling receive_msg() to read the
+  message proper. Whatever sender address is given in the SMTP transaction is
+  often ignored for local senders - we use the actual sender, which is normally
+  either the underlying user running this process or a -f argument provided by
+  a trusted caller. It is saved in real_sender_address. The test for whether to
+  accept the SMTP sender is encapsulated in receive_check_set_sender(). */
+
+  if (smtp_input)
+    {
+    int rc;
+    if ((rc = smtp_setup_msg()) > 0)
+      {
+      if (real_sender_address != NULL &&
+          !receive_check_set_sender(sender_address))
+        {
+        sender_address = raw_sender = real_sender_address;
+        sender_address_unrewritten = NULL;
+        }
+
+      /* For batched SMTP, we have to run the acl_not_smtp_start ACL, since it
+      isn't really SMTP, so no other ACL will run until the acl_not_smtp one at
+      the very end. The result of the ACL is ignored (as for other non-SMTP
+      messages). It is run for its potential side effects. */
+
+      if (smtp_batched_input && acl_not_smtp_start != NULL)
+        {
+        uschar *user_msg, *log_msg;
+        f.enable_dollar_recipients = TRUE;
+        (void)acl_check(ACL_WHERE_NOTSMTP_START, NULL, acl_not_smtp_start,
+          &user_msg, &log_msg);
+        f.enable_dollar_recipients = FALSE;
+        }
+
+      /* Now get the data for the message */
+
+      more = receive_msg(extract_recipients);
+      if (!message_id[0])
+        {
+	cancel_cutthrough_connection(TRUE, US"receive dropped");
+        if (more) goto MORELOOP;
+        smtp_log_no_mail();               /* Log no mail if configured */
+        exim_exit(EXIT_FAILURE);
+        }
+      }
+    else
+      {
+      cancel_cutthrough_connection(TRUE, US"message setup dropped");
+      smtp_log_no_mail();               /* Log no mail if configured */
+      exim_exit(rc ? EXIT_FAILURE : EXIT_SUCCESS);
+      }
+    }
+
+  /* In the non-SMTP case, we have all the information from the command
+  line, but must process it in case it is in the more general RFC822
+  format, and in any case, to detect syntax errors. Also, it appears that
+  the use of comma-separated lists as single arguments is common, so we
+  had better support them. */
+
+  else
+    {
+    int rcount = 0;
+    int count = argc - recipients_arg;
+    uschar **list = argv + recipients_arg;
+
+    /* These options cannot be changed dynamically for non-SMTP messages */
+
+    f.active_local_sender_retain = local_sender_retain;
+    f.active_local_from_check = local_from_check;
+
+    /* Save before any rewriting */
+
+    raw_sender = string_copy(sender_address);
+
+    /* Loop for each argument (supplied by user hence tainted) */
+
+    for (int i = 0; i < count; i++)
+      {
+      int start, end, domain;
+      uschar * errmess;
+      /* There can be multiple addresses, so EXIM_DISPLAYMAIL_MAX (tuned for 1) is too short.
+       * We'll still want to cap it to something, just in case. */
+      uschar * s = string_copy_taint(
+	exim_str_fail_toolong(list[i], BIG_BUFFER_SIZE, "address argument"),
+	GET_TAINTED);
+
+      /* Loop for each comma-separated address */
+
+      while (*s)
+        {
+        BOOL finished = FALSE;
+        uschar *recipient;
+        uschar *ss = parse_find_address_end(s, FALSE);
+
+        if (*ss == ',') *ss = 0; else finished = TRUE;
+
+        /* Check max recipients - if -t was used, these aren't recipients */
+
+        if (recipients_max > 0 && ++rcount > recipients_max &&
+            !extract_recipients)
+          if (error_handling == ERRORS_STDERR)
+            {
+            fprintf(stderr, "exim: too many recipients\n");
+            exim_exit(EXIT_FAILURE);
+            }
+          else
+            return
+              moan_to_sender(ERRMESS_TOOMANYRECIP, NULL, NULL, stdin, TRUE)?
+                errors_sender_rc : EXIT_FAILURE;
+
+#ifdef SUPPORT_I18N
+	{
+	BOOL b = allow_utf8_domains;
+	allow_utf8_domains = TRUE;
+#endif
+        recipient =
+          parse_extract_address(s, &errmess, &start, &end, &domain, FALSE);
+
+#ifdef SUPPORT_I18N
+        if (recipient)
+          if (string_is_utf8(recipient)) message_smtputf8 = TRUE;
+          else allow_utf8_domains = b;
+	}
+#else
+        ;
+#endif
+        if (domain == 0 && !f.allow_unqualified_recipient)
+          {
+          recipient = NULL;
+          errmess = US"unqualified recipient address not allowed";
+          }
+
+        if (!recipient)
+          if (error_handling == ERRORS_STDERR)
+            {
+            fprintf(stderr, "exim: bad recipient address \"%s\": %s\n",
+              string_printing(list[i]), errmess);
+            exim_exit(EXIT_FAILURE);
+            }
+          else
+            {
+            error_block eblock;
+            eblock.next = NULL;
+            eblock.text1 = string_printing(list[i]);
+            eblock.text2 = errmess;
+            return
+              moan_to_sender(ERRMESS_BADARGADDRESS, &eblock, NULL, stdin, TRUE)?
+                errors_sender_rc : EXIT_FAILURE;
+            }
+
+        receive_add_recipient(string_copy_taint(recipient, GET_TAINTED), -1);
+        s = ss;
+        if (!finished)
+          while (*(++s) != 0 && (*s == ',' || isspace(*s)));
+        }
+      }
+
+    /* Show the recipients when debugging */
+
+    DEBUG(D_receive)
+      {
+      if (sender_address) debug_printf("Sender: %s\n", sender_address);
+      if (recipients_list)
+        {
+        debug_printf("Recipients:\n");
+        for (int i = 0; i < recipients_count; i++)
+          debug_printf("  %s\n", recipients_list[i].address);
+        }
+      }
+
+    /* Run the acl_not_smtp_start ACL if required. The result of the ACL is
+    ignored; rejecting here would just add complication, and it can just as
+    well be done later. Allow $recipients to be visible in the ACL. */
+
+    if (acl_not_smtp_start)
+      {
+      uschar *user_msg, *log_msg;
+      f.enable_dollar_recipients = TRUE;
+      (void)acl_check(ACL_WHERE_NOTSMTP_START, NULL, acl_not_smtp_start,
+        &user_msg, &log_msg);
+      f.enable_dollar_recipients = FALSE;
+      }
+
+    /* Pause for a while waiting for input.  If none received in that time,
+    close the logfile, if we had one open; then if we wait for a long-running
+    datasource (months, in one use-case) log rotation will not leave us holding
+    the file copy. */
+
+    if (!receive_timeout)
+      if (poll_one_fd(0, POLLIN, 30*60*1000) == 0)	/* 30 minutes */
+	mainlog_close();
+
+    /* Read the data for the message. If filter_test is not FTEST_NONE, this
+    will just read the headers for the message, and not write anything onto the
+    spool. */
+
+    message_ended = END_NOTENDED;
+    more = receive_msg(extract_recipients);
+
+    /* more is always FALSE here (not SMTP message) when reading a message
+    for real; when reading the headers of a message for filter testing,
+    it is TRUE if the headers were terminated by '.' and FALSE otherwise. */
+
+    if (!message_id[0]) exim_exit(EXIT_FAILURE);
+    }  /* Non-SMTP message reception */
+
+  /* If this is a filter testing run, there are headers in store, but
+  no message on the spool. Run the filtering code in testing mode, setting
+  the domain to the qualify domain and the local part to the current user,
+  unless they have been set by options. The prefix and suffix are left unset
+  unless specified. The the return path is set to to the sender unless it has
+  already been set from a return-path header in the message. */
+
+  if (filter_test != FTEST_NONE)
+    {
+    deliver_domain = ftest_domain ? ftest_domain : qualify_domain_recipient;
+    deliver_domain_orig = deliver_domain;
+    deliver_localpart = ftest_localpart ? US ftest_localpart : originator_login;
+    deliver_localpart_orig = deliver_localpart;
+    deliver_localpart_prefix = US ftest_prefix;
+    deliver_localpart_suffix = US ftest_suffix;
+    deliver_home = originator_home;
+
+    if (!return_path)
+      {
+      printf("Return-path copied from sender\n");
+      return_path = string_copy(sender_address);
+      }
+    else
+      printf("Return-path = %s\n", (return_path[0] == 0)? US"<>" : return_path);
+    printf("Sender      = %s\n", (sender_address[0] == 0)? US"<>" : sender_address);
+
+    receive_add_recipient(
+      string_sprintf("%s%s%s@%s",
+        ftest_prefix ? ftest_prefix : US"",
+        deliver_localpart,
+        ftest_suffix ? ftest_suffix : US"",
+        deliver_domain), -1);
+
+    printf("Recipient   = %s\n", recipients_list[0].address);
+    if (ftest_prefix) printf("Prefix    = %s\n", ftest_prefix);
+    if (ftest_suffix) printf("Suffix    = %s\n", ftest_suffix);
+
+    if (chdir("/"))   /* Get away from wherever the user is running this from */
+      {
+      DEBUG(D_receive) debug_printf("chdir(\"/\") failed\n");
+      exim_exit(EXIT_FAILURE);
+      }
+
+    /* Now we run either a system filter test, or a user filter test, or both.
+    In the latter case, headers added by the system filter will persist and be
+    available to the user filter. We need to copy the filter variables
+    explicitly. */
+
+    if (filter_test & FTEST_SYSTEM)
+      if (!filter_runtest(filter_sfd, filter_test_sfile, TRUE, more))
+        exim_exit(EXIT_FAILURE);
+
+    memcpy(filter_sn, filter_n, sizeof(filter_sn));
+
+    if (filter_test & FTEST_USER)
+      if (!filter_runtest(filter_ufd, filter_test_ufile, FALSE, more))
+        exim_exit(EXIT_FAILURE);
+
+    exim_exit(EXIT_SUCCESS);
+    }
+
+  /* Else act on the result of message reception. We should not get here unless
+  message_id[0] is non-zero. If queue_only is set, session_local_queue_only
+  will be TRUE. If it is not, check on the number of messages received in this
+  connection. */
+
+  if (  !session_local_queue_only
+     && smtp_accept_queue_per_connection > 0
+     && receive_messagecount > smtp_accept_queue_per_connection)
+    {
+    session_local_queue_only = TRUE;
+    queue_only_reason = 2;
+    }
+
+  /* Initialize local_queue_only from session_local_queue_only. If it is false,
+  and queue_only_load is set, check that the load average is below it. If it is
+  not, set local_queue_only TRUE. If queue_only_load_latch is true (the
+  default), we put the whole session into queue_only mode. It then remains this
+  way for any subsequent messages on the same SMTP connection. This is a
+  deliberate choice; even though the load average may fall, it doesn't seem
+  right to deliver later messages on the same call when not delivering earlier
+  ones. However, there are odd cases where this is not wanted, so this can be
+  changed by setting queue_only_load_latch false. */
+
+  if (!(local_queue_only = session_local_queue_only) && queue_only_load >= 0)
+    if ((local_queue_only = (load_average = OS_GETLOADAVG()) > queue_only_load))
+      {
+      queue_only_reason = 3;
+      if (queue_only_load_latch) session_local_queue_only = TRUE;
+      }
+
+  /* If running as an MUA wrapper, all queueing options and freezing options
+  are ignored. */
+
+  if (mua_wrapper)
+    local_queue_only = f.queue_only_policy = f.deliver_freeze = FALSE;
+
+  /* Log the queueing here, when it will get a message id attached, but
+  not if queue_only is set (case 0). Case 1 doesn't happen here (too many
+  connections). */
+
+  if (local_queue_only)
+    {
+    cancel_cutthrough_connection(TRUE, US"no delivery; queueing");
+    switch(queue_only_reason)
+      {
+      case 2:
+	log_write(L_delay_delivery,
+		LOG_MAIN, "no immediate delivery: more than %d messages "
+	  "received in one connection", smtp_accept_queue_per_connection);
+	break;
+
+      case 3:
+	log_write(L_delay_delivery,
+		LOG_MAIN, "no immediate delivery: load average %.2f",
+		(double)load_average/1000.0);
+      break;
+      }
+    }
+
+  else if (f.queue_only_policy || f.deliver_freeze)
+    cancel_cutthrough_connection(TRUE, US"no delivery; queueing");
+
+  /* Else do the delivery unless the ACL or local_scan() called for queue only
+  or froze the message. Always deliver in a separate process. A fork failure is
+  not a disaster, as the delivery will eventually happen on a subsequent queue
+  run. The search cache must be tidied before the fork, as the parent will
+  do it before exiting. The child will trigger a lookup failure and
+  thereby defer the delivery if it tries to use (for example) a cached ldap
+  connection that the parent has called unbind on. */
+
+  else
+    {
+    pid_t pid;
+    search_tidyup();
+
+    if ((pid = exim_fork(US"local-accept-delivery")) == 0)
+      {
+      int rc;
+      close_unwanted();      /* Close unwanted file descriptors and TLS */
+      exim_nullstd();        /* Ensure std{in,out,err} exist */
+
+      /* Re-exec Exim if we need to regain privilege (note: in mua_wrapper
+      mode, deliver_drop_privilege is forced TRUE). */
+
+      if (geteuid() != root_uid && !deliver_drop_privilege && !unprivileged)
+        {
+	delivery_re_exec(CEE_EXEC_EXIT);
+        /* Control does not return here. */
+        }
+
+      /* No need to re-exec */
+
+      rc = deliver_message(message_id, FALSE, FALSE);
+      search_tidyup();
+      exim_underbar_exit(!mua_wrapper || rc == DELIVER_MUA_SUCCEEDED
+        ? EXIT_SUCCESS : EXIT_FAILURE);
+      }
+
+    if (pid < 0)
+      {
+      cancel_cutthrough_connection(TRUE, US"delivery fork failed");
+      log_write(0, LOG_MAIN|LOG_PANIC, "failed to fork automatic delivery "
+        "process: %s", strerror(errno));
+      }
+    else
+      {
+      release_cutthrough_connection(US"msg passed for delivery");
+
+      /* In the parent, wait if synchronous delivery is required. This will
+      always be the case in MUA wrapper mode. */
+
+      if (f.synchronous_delivery)
+	{
+	int status;
+	while (wait(&status) != pid);
+	if ((status & 0x00ff) != 0)
+	  log_write(0, LOG_MAIN|LOG_PANIC,
+	    "process %d crashed with signal %d while delivering %s",
+	    (int)pid, status & 0x00ff, message_id);
+	if (mua_wrapper && (status & 0xffff) != 0) exim_exit(EXIT_FAILURE);
+	}
+      }
+    }
+
+  /* The loop will repeat if more is TRUE. If we do not know know that the OS
+  automatically reaps children (see comments above the loop), clear away any
+  finished subprocesses here, in case there are lots of messages coming in
+  from the same source. */
+
+#ifndef SIG_IGN_WORKS
+  while (waitpid(-1, NULL, WNOHANG) > 0);
+#endif
+
+MORELOOP:
+  return_path = sender_address = NULL;
+  authenticated_sender = NULL;
+  deliver_localpart_orig = NULL;
+  deliver_domain_orig = NULL;
+  deliver_host = deliver_host_address = NULL;
+  dnslist_domain = dnslist_matched = NULL;
+#ifdef WITH_CONTENT_SCAN
+  malware_name = NULL;
+#endif
+  callout_address = NULL;
+  sending_ip_address = NULL;
+  deliver_localpart_data = deliver_domain_data =
+  recipient_data = sender_data = NULL;
+  acl_var_m = NULL;
+  for(int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
+
+  store_reset(reset_point);
+  }
+
+exim_exit(EXIT_SUCCESS);   /* Never returns */
+return 0;                  /* To stop compiler warning */
+}
+
+
+/* End of exim.c */
diff --git a/src/exim.h b/src/exim.h
new file mode 100644
index 0000000..61642b5
--- /dev/null
+++ b/src/exim.h
@@ -0,0 +1,671 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* Source files for exim all #include this header, which drags in everything
+that is needed. They don't all need everything, of course, but it's far too
+messy to have each one importing its own list, and anyway, most of them need
+most of these includes. */
+
+#ifndef EXIM_H
+#define EXIM_H
+
+/* Assume most systems have statfs() unless os.h undefines this macro */
+
+#define HAVE_STATFS
+
+/* Similarly, assume most systems have srandom() unless os.h undefines it.
+This call dates back at least as far as SUSv2. */
+
+#define HAVE_SRANDOM
+
+/* This is primarily for the Gnu C library; we define it before os.h so that
+os.h has a chance to hurriedly undef it, Just In Case.  We need C99 for some
+64-bit math support, and defining _ISOC99_SOURCE breaks <resolv.h> and friends.
+*/
+
+#define _GNU_SOURCE 1
+
+/* First of all include the os-specific header, which might set things that
+are needed by any of the other headers, including system headers. */
+
+#include "os.h"
+
+/* If it didn't define os_find_running_interfaces, use the common function. */
+
+#ifndef os_find_running_interfaces
+# define os_find_running_interfaces os_common_find_running_interfaces
+#endif
+
+/* If it didn't define the base for "base 62" numbers, we really do use 62.
+This is the case for all real Unix and Unix-like OS. It's only Cygwin and
+Darwin, with their case-insensitive file systems, that can't use base 62 for
+making unique names. */
+
+#ifndef BASE_62
+# define BASE_62 62
+#endif
+
+/* The maximum value of localhost_number depends on the base being used */
+
+#if BASE_62 == 62
+# define LOCALHOST_MAX  16
+#else
+# define LOCALHOST_MAX  10
+#endif
+
+/* If not overridden by os.h, dynamic libraries have filenames ending .so */
+#ifndef DYNLIB_FN_EXT
+# define DYNLIB_FN_EXT "so"
+#endif
+
+/* ANSI C standard includes */
+
+#include <ctype.h>
+#include <locale.h>
+#include <math.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+/* Unix includes */
+
+#include <errno.h>
+#if defined(__svr4__) && defined(__sparc) && ! defined(__EXTENSIONS__)
+# define __EXTENSIONS__  /* so that SunOS 5 gets NGROUPS_MAX */
+# include <limits.h>
+# undef  __EXTENSIONS__
+#else
+# include <limits.h>
+#endif
+
+#ifdef EXIM_HAVE_INOTIFY
+# include <sys/inotify.h>
+#endif
+#ifdef EXIM_HAVE_KEVENT
+# include <sys/event.h>
+#endif
+
+/* C99 integer types, figure out how to undo this if needed for older systems */
+
+#include <inttypes.h>
+
+/* Just in case some aged system doesn't define them... */
+
+#ifndef INT_MAX
+# define INT_MAX 2147483647
+#endif
+
+#ifndef INT_MIN
+# define INT_MIN (-INT_MAX - 1)
+#endif
+
+#ifndef SHRT_MAX
+# define SHRT_MAX 32767
+#endif
+
+#ifndef UCHAR_MAX
+# define UCHAR_MAX 255
+#endif
+
+
+/* To match int_eximarith_t.  Define in OS/os.h-<your-system> to override. */
+#ifndef EXIM_ARITH_MAX
+# define EXIM_ARITH_MAX ((int_eximarith_t)9223372036854775807LL)
+#endif
+#ifndef EXIM_ARITH_MIN
+# define EXIM_ARITH_MIN (-EXIM_ARITH_MAX - 1)
+#endif
+
+/* Some systems have PATH_MAX and some have MAX_PATH_LEN. */
+
+#ifndef PATH_MAX
+# ifdef MAX_PATH_LEN
+#  define PATH_MAX MAX_PATH_LEN
+# else
+#  define PATH_MAX 1024
+# endif
+#endif
+
+/* RFC 5321 specifies that the maximum length of a local-part is 64 octets
+and the maximum length of a domain is 255 octets, but then also defines
+the maximum length of a forward/reverse path as 256 not 64+1+255.
+For an IP address, the maximum is 45 without a scope and we don't work
+with scoped addresses, so go with that.  (IPv6 with mapped IPv4).
+
+A hostname maximum length is in practice the same as the domainname, for
+the same core reasons (maximum length of a DNS name), but the semantics
+are different and seeing "DOMAIN" in source is confusing when talking about
+hostnames; so we define a second macro.  We'll use RFC 2181 as the reference
+for this one.
+
+There is no known (to me) specification on the maximum length of a human name
+in email addresses and we should be careful about imposing such a limit on
+received email, but in terms of limiting what untrusted callers specify, or
+local generation, having a limit makes sense.  Err on the side of generosity.
+
+For a display mail address, we have a human name, an email in brackets,
+possibly some (Comments), so it needs to be at least 512+3 and some more to
+avoid extraneous errors.
+Since the sane SMTP line length limit is 998, constraining such parameters to
+be 1024 seems generous and unlikely to spuriously reject legitimate
+invocations.
+
+The driver name is a name of a router/transport/authenticator etc in the
+configuration file.  We also use this for some other short strings, such
+as queue names.
+Also TLS ciphersuite name (no real known limit since the protocols use
+integers, but max seen in reality is 45 octets).
+
+RFC 1413 gives us the 512 limit on IDENT protocol userids.
+*/
+
+#define EXIM_EMAILADDR_MAX     256
+#define EXIM_LOCALPART_MAX      64
+#define EXIM_DOMAINNAME_MAX    255
+#define EXIM_IPADDR_MAX         45
+#define EXIM_HOSTNAME_MAX      255
+#define EXIM_HUMANNAME_MAX     256
+#define EXIM_DISPLAYMAIL_MAX  1024
+#define EXIM_DRIVERNAME_MAX     64
+#define EXIM_CIPHERNAME_MAX     64
+#define EXIM_IDENTUSER_MAX     512
+
+
+#include <sys/types.h>
+#include <sys/file.h>
+#include <dirent.h>
+#include <netdb.h>
+#ifndef NO_POLL_H
+# include <poll.h>
+#endif
+#include <pwd.h>
+#include <grp.h>
+#include <syslog.h>
+
+/* Not all systems have flock() available. Those that do must define LOCK_SH
+in sys/file.h. */
+
+#ifndef LOCK_SH
+# define NO_FLOCK
+#endif
+
+#ifndef NO_SYSEXITS        /* some OS don't have this */
+# include <sysexits.h>
+#endif
+
+/* A few OS don't have socklen_t; their os.h files define EXIM_SOCKLEN_T to
+be size_t or whatever. We used to use SOCKLEN_T, but then it was discovered
+that this is used by the AIX include files. */
+
+#ifndef EXIM_SOCKLEN_T
+# define EXIM_SOCKLEN_T socklen_t
+#endif
+
+/* Ensure that the sysexits we reference are defined */
+
+#ifndef EX_UNAVAILABLE
+# define EX_UNAVAILABLE 69        /* service unavailable; used for execv fail */
+#endif
+#ifndef EX_CANTCREAT
+# define EX_CANTCREAT   73        /* can't create file: treat as temporary */
+#endif
+#ifndef EX_TEMPFAIL
+# define EX_TEMPFAIL    75        /* temp failure; user is invited to retry */
+#endif
+#ifndef EX_CONFIG
+# define EX_CONFIG      78        /* configuration error */
+#endif
+
+/* This one is not in any sysexits file that I've come across */
+
+#define EX_EXECFAILED 127        /* execve() failed */
+
+
+#include <sys/time.h>
+#include <sys/param.h>
+
+#ifndef NO_SYS_RESOURCE_H  /* QNX doesn't have this */
+# include <sys/resource.h>
+#endif
+
+#include <sys/socket.h>
+
+/* If we are on an IPv6 system, the macro AF_INET6 will have been defined in
+the sys/socket.h header. It is helpful to have this defined on an IPv4 system
+so that it can appear in the code, even if it is never actually used when
+the code is run. It saves some #ifdef occurrences. */
+
+#ifndef AF_INET6
+# define AF_INET6 24
+#endif
+
+#include <sys/ioctl.h>
+
+/* The new standard is statvfs; some OS have statfs. For statvfs the block
+counts must be multiplied by the "fragment size" f_frsize to get the actual
+size. In other cases the value seems to be f_bsize (which is sometimes the only
+block size), so we use a macro to get that instead.
+
+Also arrange to be able to cut it out altogether for way-out OS that don't have
+anything. I've indented a bit here to try to make the mess a bit more
+intelligible. Note that simply defining one name to be another when
+HAVE_SYS_STATVFS_H is not set will not work if the system has a statvfs macro
+or a macro with entries f_frsize and f_bsize. */
+
+#ifdef HAVE_STATFS
+  #ifdef HAVE_SYS_STATVFS_H
+    #include <sys/statvfs.h>
+    #define STATVFS statvfs
+    #define F_FRSIZE f_frsize
+  #else
+    #define STATVFS statfs
+    #define F_FRSIZE f_bsize
+    #ifdef HAVE_SYS_VFS_H
+      #include <sys/vfs.h>
+      #ifdef HAVE_SYS_STATFS_H
+      #include <sys/statfs.h>
+      #endif
+    #endif
+    #ifdef HAVE_SYS_MOUNT_H
+    #include <sys/mount.h>
+    #endif
+  #endif
+
+  /* Macros for the fields for the available space for non-superusers; define
+  these only if the OS header has not. Not all OS have f_favail; those that
+  are known to have it define F_FAVAIL as f_favail. The default is to use
+  f_free. */
+
+  #ifndef F_BAVAIL
+  # define F_BAVAIL f_bavail
+  #endif
+
+  #ifndef F_FAVAIL
+  # define F_FAVAIL f_ffree
+  #endif
+
+  /* All the systems I've been able to look at seem to have F_FILES */
+
+  #ifndef F_FILES
+  # define F_FILES  f_files
+  #endif
+
+#endif
+
+
+#ifndef  SIOCGIFCONF   /* HACK for SunOS 5 */
+# include <sys/sockio.h>
+#endif
+
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/utsname.h>
+#include <fcntl.h>
+
+/* There's a shambles in IRIX6 - it defines EX_OK in unistd.h which conflicts
+with the definition in sysexits.h. Exim does not actually use this macro, so we
+just undefine it. It would be nice to be able to re-instate the definition from
+sysexits.h if there is no definition in unistd.h, but I do not think there is a
+way to do this in C because macro definitions are not scanned for other macros
+at definition time. [The code here used to assume they were, until I was
+disabused of the notion. Luckily, since EX_OK is not used, it didn't matter.] */
+
+#ifdef EX_OK
+# undef EX_OK
+#endif
+
+#include <unistd.h>
+
+#include <utime.h>
+#ifndef NO_NET_IF_H
+# include <net/if.h>
+#endif
+#include <sys/un.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+
+/* While IPv6 is still young the definitions of T_AAAA and T_A6 may not be
+included in arpa/nameser.h. Fudge them here. */
+
+#ifndef T_AAAA
+#define T_AAAA 28
+#endif
+
+#ifndef T_A6
+#define T_A6 38
+#endif
+
+/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
+header files. I don't suppose they have T_SRV either. */
+
+#ifndef T_TXT
+# define T_TXT 16
+#endif
+
+#ifndef T_SRV
+# define T_SRV 33
+#endif
+
+/* Many systems do not have T_SPF. */
+
+#ifndef T_SPF
+# define T_SPF 99
+#endif
+
+/* New TLSA record for DANE */
+#ifndef T_TLSA
+# define T_TLSA 52
+#endif
+#define MAX_TLSA_EXPANDED_SIZE 8192
+
+/* It seems that some versions of arpa/nameser.h don't define *any* of the
+T_xxx macros, which seem to be non-standard nowadays. Just to be on the safe
+side, put in definitions for all the ones that Exim uses. */
+
+#ifndef T_A
+# define T_A 1
+#endif
+
+#ifndef T_CNAME
+# define T_CNAME 5
+#endif
+
+#ifndef T_SOA
+# define T_SOA 6
+#endif
+
+#ifndef T_MX
+# define T_MX 15
+#endif
+
+#ifndef T_NS
+# define T_NS 2
+#endif
+
+#ifndef T_PTR
+# define T_PTR 12
+#endif
+
+
+/* We define a few private types for special DNS lookups:
+
+ . T_ZNS gets the nameservers of the enclosing zone of a domain
+
+ . T_MXH gets the MX hostnames only (without their priorities)
+
+ . T_CSA gets the domain's Client SMTP Authorization SRV record
+
+ . T_ADDRESSES looks up both AAAA (or A6) and A records
+
+If any of these names appear in the RRtype list at:
+  <http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml>
+then we should rename Exim's private type away from the conflict.
+*/
+
+#define T_ZNS (-1)
+#define T_MXH (-2)
+#define T_CSA (-3)
+#define T_ADDRESSES (-4)
+
+/* The resolv.h header defines __P(x) on some Solaris 2.5.1 systems (without
+checking that it is already defined, in fact). This conflicts with other
+headers that behave likewise (see below), leading to compiler warnings. Arrange
+to undefine it if resolv.h defines it. */
+
+#if defined(__P)
+# define __P_WAS_DEFINED_BEFORE_RESOLV
+#endif
+
+#include <resolv.h>
+
+#if defined(__P) && ! defined (__P_WAS_DEFINED_BEFORE_RESOLV)
+# undef __P
+#endif
+
+/* If not defined by os.h, we do nothing special to push DNS resolver state
+back to be available by the classic resolver routines.  Also, provide
+prototype for our get routine, unless defined away. */
+
+#ifndef os_put_dns_resolver_res
+# define os_put_dns_resolver_res(R) do {/**/} while(0)
+#endif
+#ifndef os_get_dns_resolver_res
+res_state os_get_dns_resolver_res(void);
+#endif
+
+/* These three are to support the IP option logging code. Linux is
+different to everyone else and there are also other systems which don't
+have netinet/ip_var.h, so there's a general macro to control its inclusion. */
+
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+
+#ifndef NO_IP_VAR_H
+# include <netinet/ip_var.h>
+#endif
+
+/* Linux (and some others) uses a different type for the 2nd argument of
+iconv(). It's os.h file defines ICONV_ARG2_TYPE. For the rest, define a default
+here. */
+
+#ifndef ICONV_ARG2_TYPE
+# define ICONV_ARG2_TYPE char **
+#endif
+
+/* One OS uses a different type for the 5th argument of getsockopt */
+
+#ifndef GETSOCKOPT_ARG5_TYPE
+# define GETSOCKOPT_ARG5_TYPE socklen_t *
+#endif
+
+/* One operating system uses a different type for the 2nd argument of select().
+Its os.h file defines SELECT_ARG2_TYPE. For the rest, define a default here. */
+
+#ifndef SELECT_ARG2_TYPE
+# define SELECT_ARG2_TYPE fd_set
+#endif
+
+/* One operating system uses a different type for the 4th argument of
+dn_expand(). Its os.h file defines DN_EXPAND_ARG4_TYPE. For the rest, define a
+default here. */
+
+#ifndef DN_EXPAND_ARG4_TYPE
+# define DN_EXPAND_ARG4_TYPE char *
+#endif
+
+/* One operating system defines a different type for the yield of inet_addr().
+In Exim code, its value is always assigned to the s_addr members of address
+structures. Casting the yield to the type of s_addr should fix the problem,
+since the size of the data is correct. Just in case this ever has to be
+changed, use a macro for the type, and define it here so that it is possible to
+use different values for specific OS if ever necessary. */
+
+#ifndef S_ADDR_TYPE
+# define S_ADDR_TYPE u_long
+#endif
+
+/* (At least) one operating system (Solaris) defines a different type for the
+second argument of pam_converse() - the difference is the absence of "const".
+Its os.h file defines PAM_CONVERSE_ARG2_TYPE. For the rest, define a default
+here. */
+
+#ifndef PAM_CONVERSE_ARG2_TYPE
+# define PAM_CONVERSE_ARG2_TYPE const struct pam_message
+#endif
+
+/* One operating system (SunOS4) defines getc, ungetc, feof, and ferror as
+macros and not as functions. Exim needs them to be assignable functions. This
+flag gets set to cause this to be sorted out here. */
+
+#ifdef FUDGE_GETC_AND_FRIENDS
+# undef getc
+extern int getc(FILE *);
+# undef ungetc
+extern int ungetc(int, FILE *);
+# undef feof
+extern int feof(FILE *);
+# undef ferror
+extern int ferror(FILE *);
+#endif
+
+/* The header from the PCRE regex package */
+
+#define PCRE2_CODE_UNIT_WIDTH 8
+#include <pcre2.h>
+
+/* Exim includes are in several files. Note that local_scan.h #includes
+config.h, mytypes.h, and store.h, so we don't need to mention them explicitly.
+*/
+
+#include "local_scan.h"
+#include "macros.h"
+#include "hintsdb.h"
+#include "hintsdb_structs.h"
+#include "structs.h"
+#include "blob.h"
+#include "hash.h"
+#include "globals.h"
+#include "functions.h"
+#include "dbfunctions.h"
+#include "osfunctions.h"
+
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+# include "bmi_spam.h"
+#endif
+#ifdef SUPPORT_SPF
+# include "spf.h"
+#endif
+#ifndef DISABLE_DKIM
+# include "dkim.h"
+#endif
+#ifdef SUPPORT_DMARC
+# include "dmarc.h"
+# include <opendmarc/dmarc.h>
+#endif
+
+/* The following stuff must follow the inclusion of config.h because it
+requires various things that are set therein. */
+
+#if HAVE_ICONV             /* Not all OS have this */
+# include <iconv.h>
+#endif
+
+#if defined(USE_READLINE) || defined(EXPAND_DLFUNC) || defined (LOOKUP_MODULE_DIR)
+# include <dlfcn.h>
+#endif
+
+#ifdef ENABLE_DISABLE_FSYNC
+# define EXIMfsync(f) (disable_fsync? 0 : fsync(f))
+#else
+# define EXIMfsync(f) fsync(f)
+#endif
+
+/* Backward compatibility; LOOKUP_LSEARCH now includes all three */
+
+#if (!defined LOOKUP_LSEARCH) && (defined LOOKUP_WILDLSEARCH || defined LOOKUP_NWILDLSEARCH)
+# define LOOKUP_LSEARCH yes
+#endif
+
+/* Define a union to hold either an IPv4 or an IPv6 sockaddr structure; this
+simplifies some of the coding.  We include the sockaddr to reduce type-punning
+issues in C99. */
+
+union sockaddr_46 {
+  struct sockaddr_in v4;
+  #if HAVE_IPV6
+  struct sockaddr_in6 v6;
+  #endif
+  struct sockaddr v0;
+};
+
+/* If DISABLE_TLS is defined, ensure that USE_GNUTLS is not defined
+so that if USE_GNUTLS *is* set, we can assume DISABLE_TLS is not set.
+Ditto USE_OPENSSL.
+Likewise, OSCP, AUTH_TLS and CERTNAMES cannot be supported. */
+
+#ifdef DISABLE_TLS
+# undef USE_OPENSSL
+# undef USE_GNUTLS
+# ifndef DISABLE_OCSP
+#  define DISABLE_OCSP
+# endif
+# undef EXPERIMENTAL_CERTNAMES
+# undef AUTH_TLS
+#endif
+
+/* If SPOOL_DIRECTORY, LOG_FILE_PATH or PID_FILE_PATH have not been defined,
+set them to the null string. */
+
+#ifndef SPOOL_DIRECTORY
+  #define SPOOL_DIRECTORY ""
+#endif
+#ifndef LOG_FILE_PATH
+  #define LOG_FILE_PATH ""
+#endif
+#ifndef PID_FILE_PATH
+  #define PID_FILE_PATH ""
+#endif
+
+/* The EDQUOT error code isn't universally available, though it is widespread.
+There is a particular shambles in SunOS5, where it did not exist originally,
+but got installed with a particular patch for Solaris 2.4. There is a
+configuration variable for specifying what the system's "over quota" error is,
+which will end up in config.h if supplied in OS/Makefile-xxx. If it is not set,
+default to EDQUOT if it exists, otherwise ENOSPC. */
+
+#ifndef ERRNO_QUOTA
+# ifdef  EDQUOT
+#  define ERRNO_QUOTA EDQUOT
+# else
+#  define ERRNO_QUOTA ENOSPC
+# endif
+#endif
+
+/* DANE w/o DNSSEC is useless */
+#if defined(SUPPORT_DANE) && defined(DISABLE_DNSSEC)
+# error DANE support requires DNSSEC support
+#endif
+
+/* Some platforms (FreeBSD, OpenBSD, Solaris) do not seem to define this */
+
+#ifndef POLLRDHUP
+# define POLLRDHUP (POLLIN | POLLHUP)
+#endif
+
+/* Some platforms (Darwin) have to define a larger limit on groups membership */
+
+#ifndef EXIM_GROUPLIST_SIZE
+# define EXIM_GROUPLIST_SIZE NGROUPS_MAX
+#endif
+
+/* Linux has TCP_CORK, FreeBSD has TCP_NOPUSH; they do pretty much the same */
+
+#ifdef TCP_CORK
+# define EXIM_TCP_CORK TCP_CORK
+#elif defined(TCP_NOPUSH)
+# define EXIM_TCP_CORK TCP_NOPUSH
+#endif
+
+/* LibreSSL seems to not push out the SMTP response to QUIT with our usual
+handling which is trying to get the client to FIN first so that the server does
+not get the TIME_WAIT */
+
+#if !defined(DISABLE_TLS) && defined(USE_OPENSSL) && defined(LIBRESSL_VERSION_NUMBER)
+# define SERVERSIDE_CLOSE_NOWAIT
+#endif
+
+#endif
+/* End of exim.h */
diff --git a/src/exim_checkaccess.src b/src/exim_checkaccess.src
new file mode 100755
index 0000000..360f307
--- /dev/null
+++ b/src/exim_checkaccess.src
@@ -0,0 +1,181 @@
+#! /bin/sh
+
+# Copyright (c) University of Cambridge, 1995 - 2007
+# See the file NOTICE for conditions of use and distribution.
+
+# Except when they appear in comments, the following placeholders in this
+# source are replaced when it is turned into a runnable script:
+#
+# CONFIGURE_FILE_USE_NODE
+# CONFIGURE_FILE
+# BIN_DIRECTORY
+# PERL_COMMAND
+
+# PROCESSED_FLAG
+
+# A shell+perl wrapper script to run an automated -bh test to check out
+# ACLs for incoming addresses.
+
+# Save the shell arguments because we are going to need the shell variables
+# while sorting out the configuration file.
+
+args="$@"
+
+# See if this installation is using the esoteric "USE_NODE" feature of Exim,
+# in which it uses the host's name as a suffix for the configuration file name.
+
+if [ "CONFIGURE_FILE_USE_NODE" = "yes" ]; then
+  hostsuffix=.`uname -n`
+fi
+
+# Now find the configuration file name. This has got complicated because
+# CONFIGURE_FILE may now be a list of files. The one that is used is the first
+# one that exists. Mimic the code in readconf.c by testing first for the
+# suffixed file in each case.
+
+set `awk -F: '{ for (i = 1; i <= NF; i++) print $i }' <<End
+CONFIGURE_FILE
+End
+`
+while [ "$config" = "" -a $# -gt 0 ] ; do
+  if [ -f "$1$hostsuffix" ] ; then
+    config="$1$hostsuffix"
+  elif [ -f "$1" ] ; then
+    config="$1"
+  fi
+  shift
+done
+
+# Search for an exim_path setting in the configure file; otherwise use the bin
+# directory. BEWARE: a tab character is needed in the command below. It has had
+# a nasty tendency to get lost in the past. Use a variable to hold a space and
+# a tab to keep the tab in one place.
+
+exim_path=`perl -ne 'chop;if (/^\s*exim_path\s*=\s*(.*)/){print "$1\n";last;}' $config`
+if test "$exim_path" = ""; then exim_path=BIN_DIRECTORY/exim; fi
+
+
+#########################################################################
+
+
+# Now run the perl script, passing in the Exim path and the arguments given
+# to the overall script.
+
+PERL_COMMAND - $exim_path $args <<'End'
+
+BEGIN { pop @INC if $INC[-1] eq '.' };
+use FileHandle;
+use File::Basename;
+use IPC::Open2;
+
+if ($ARGV[0] eq '--version') {
+    print basename($0) . ": $0\n",
+          "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+          "perl(runtime): $]\n";
+          exit 0;
+}
+
+if (scalar(@ARGV) < 3)
+  {
+  print "Usage: exim_checkaccess <IP address> <email address> [exim options]\n";
+  exit(1);
+  }
+
+$exim_path = $ARGV[0];          # Set up by the calling shell script
+$host      = $ARGV[1];          # Mandatory original first argument
+$recipient = $ARGV[2];          # Mandatory original second argument
+
+$c4 = qr/2 (?:[0-4]\d | 5[0-5]) | 1\d\d | \d{1,2}/x;  # IPv4 component
+$a4 = qr/^$c4\.$c4\.$c4\.$c4$/;                       # IPv4 address
+
+$c6 = qr/[0-9a-f]{1,4}/i;                             # IPv6 component
+
+# Split the various formats of IPv6 addresses into several cases. I don't
+# think I can graft regex that matches all of them without using alternatives.
+
+# 1. Starts with :: followed by up to 7 components
+
+$a6_0 = qr/^::(?:$c6:){0,6}$c6$/x;
+
+# 2. 8 non-empty components
+
+$a6_1 = qr/^(?:$c6:){7}$c6$/x;
+
+# 3. This is the cunning one. Up to 7 components, one (and only one) of which
+# can be empty. We use 0 to cause a failure when we've already matched
+# an empty component and may be hitting other. This has to fail, because we
+# know we've just failed to match a component. We also do a final check to
+# ensure that there has been an empty component.
+
+$a6_2 = qr/^(?: (?: $c6 | (?(1)0 | () ) ) : ){1,7}$c6 $ (?(1)|.)/x;
+
+if ($host !~ /$a4 | $a6_0 | $a6_1 | $a6_2/x)
+  {
+  print "** Invalid IP address \"$host\"\n";
+  print "Usage: exim_checkaccess <IP address> <email address> [exim options]\n";
+  exit(1);
+  }
+
+# Build any remaining original arguments into a string for passing over
+# as Exim options.
+
+$opt = "";
+for ($i = 3; $i < scalar(@ARGV); $i++) { $opt .= "$ARGV[$i] "; }
+
+# If the string contains "-f xxxx", extract that as the sender. Otherwise
+# the sender is <>.
+
+$sender    = "";
+if ($opt =~ /(?:^|\s)-f\s+(\S+|"[^"]*")/)
+  {
+  $sender = $1;
+  $opt = $` . $';
+  }
+
+# Run a -bh test in Exim, passing the test data
+
+$pid = open2(*IN, *OUT, "$exim_path -bh $host $opt 2>/dev/null");
+print OUT "HELO [$host]\r\n";
+print OUT "MAIL FROM:<$sender>\r\n";
+print OUT "RCPT TO:<$recipient>\r\n";
+print OUT "QUIT\r\n";
+close OUT;
+
+# Read the output, ignoring anything but the SMTP response to the RCPT
+# command.
+
+$count = 0;
+$reply = "";
+
+while (<IN>)
+  {
+  next if !/^\d\d\d/;
+  $reply .= $_;
+  next if /^\d\d\d\-/;
+
+  if (++$count != 4)
+    {
+    $reply = "";
+    next;
+    }
+
+  # We have the response we want. Interpret it.
+
+  if ($reply =~ /^2\d\d/)
+    {
+    print "Accepted\n";
+    }
+  else
+    {
+    print "Rejected:\n";
+    $reply =~ s/\n(.)/\n  $1/g;
+    print "  $reply";
+    }
+  last;
+  }
+
+# Reap the child process
+
+waitpid $pid, 0;
+
+End
diff --git a/src/exim_dbmbuild.c b/src/exim_dbmbuild.c
new file mode 100644
index 0000000..5c04634
--- /dev/null
+++ b/src/exim_dbmbuild.c
@@ -0,0 +1,536 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* A small freestanding program to build dbm databases from serial input. For
+alias files, this program fulfils the function of the newaliases program used
+by other mailers, but it can be used for other dbm data files too. It operates
+by writing a new file or files, and then renaming; otherwise old entries can
+never get flushed out.
+
+This program is clever enough to cope with ndbm, which creates two files called
+<name>.dir and <name>.pag, or with db, which creates a single file called
+<name>.db. If native db is in use (USE_DB defined) or tdb is in use (USE_TDB
+defined) there is no extension to the output filename. This is also handled. If
+there are any other variants, the program won't cope.
+
+The first argument to the program is the name of the serial file; the second
+is the base name for the DBM file(s). When native db is in use, these must be
+different.
+
+Input lines beginning with # are ignored, as are blank lines. Entries begin
+with a key terminated by a colon or end of line or whitespace and continue with
+indented lines. Keys may be quoted if they contain colons or whitespace or #
+characters. */
+
+
+#include "exim.h"
+
+uschar * spool_directory = NULL;	/* dummy for hintsdb.h */
+
+/******************************************************************************/
+					/* dummies needed by Solaris build */
+void
+millisleep(int msec)
+{}
+uschar *
+readconf_printtime(int t)
+{ return NULL; }
+void *
+store_get_3(int size, const void * proto_mem, const char *filename, int linenumber)
+{ return NULL; }
+void **
+store_reset_3(void **ptr, const char *filename, int linenumber)
+{ return NULL; }
+void
+store_release_above_3(void *ptr, const char *func, int linenumber)
+{ }
+gstring *
+string_vformat_trc(gstring * g, const uschar * func, unsigned line,
+  unsigned size_limit, unsigned flags, const char *format, va_list ap)
+{ return NULL; }
+uschar *
+string_sprintf_trc(const char * a, const uschar * b, unsigned c, ...)
+{ return NULL; }
+BOOL
+string_format_trc(uschar * buf, int len, const uschar * func, unsigned line,
+  const char * fmt, ...)
+{ return FALSE; }
+void
+log_write(unsigned int selector, int flags, const char *format, ...)
+{ }
+
+
+struct global_flags	f;
+unsigned int		log_selector[1];
+uschar *		queue_name;
+BOOL			split_spool_directory;
+
+
+/* These introduced by the taintwarn handling */
+rmark
+store_mark_3(const char *func, int linenumber)
+{ return NULL; }
+#ifdef ALLOW_INSECURE_TAINTED_DATA
+BOOL    allow_insecure_tainted_data;
+#endif
+
+/******************************************************************************/
+
+
+#define max_insize   20000
+#define max_outsize 100000
+
+/* This is global because it's defined in the headers and compilers grumble
+if it is made static. */
+
+const uschar *hex_digits = CUS"0123456789abcdef";
+
+
+#ifdef STRERROR_FROM_ERRLIST
+/* Some old-fashioned systems still around (e.g. SunOS4) don't have strerror()
+in their libraries, but can provide the same facility by this simple
+alternative function. */
+
+char *
+strerror(int n)
+{
+if (n < 0 || n >= sys_nerr) return "unknown error number";
+return sys_errlist[n];
+}
+#endif /* STRERROR_FROM_ERRLIST */
+
+
+
+/*************************************************
+*          Interpret escape sequence             *
+*************************************************/
+
+/* This function is copied from the main Exim code.
+
+Arguments:
+  pp       points a pointer to the initiating "\" in the string;
+           the pointer gets updated to point to the final character
+Returns:   the value of the character escape
+*/
+
+int
+string_interpret_escape(const uschar **pp)
+{
+int ch;
+const uschar *p = *pp;
+ch = *(++p);
+if (ch == '\0') return **pp;
+if (isdigit(ch) && ch != '8' && ch != '9')
+  {
+  ch -= '0';
+  if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
+    {
+    ch = ch * 8 + *(++p) - '0';
+    if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
+      ch = ch * 8 + *(++p) - '0';
+    }
+  }
+else switch(ch)
+  {
+  case 'n':  ch = '\n'; break;
+  case 'r':  ch = '\r'; break;
+  case 't':  ch = '\t'; break;
+  case 'x':
+  ch = 0;
+  if (isxdigit(p[1]))
+    {
+    ch = ch * 16 +
+      Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
+    if (isxdigit(p[1])) ch = ch * 16 +
+      Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
+    }
+  break;
+  }
+*pp = p;
+return ch;
+}
+
+
+/*************************************************
+*               Main Program                     *
+*************************************************/
+
+int main(int argc, char **argv)
+{
+int started;
+int count = 0;
+int dupcount = 0;
+int yield = 0;
+int arg = 1;
+int add_zero = 1;
+BOOL lowercase = TRUE;
+BOOL warn = TRUE;
+BOOL duperr = TRUE;
+BOOL lastdup = FALSE;
+#if !defined (USE_DB) && !defined(USE_TDB) && !defined(USE_GDBM)
+int is_db = 0;
+struct stat statbuf;
+#endif
+FILE *f;
+EXIM_DB *d;
+EXIM_DATUM key, content;
+uschar *bptr;
+uschar  keybuffer[256];
+uschar  temp_dbmname[512];
+uschar  real_dbmname[512];
+uschar  dirname[512];
+uschar *buffer = malloc(max_outsize);
+uschar *line = malloc(max_insize);
+
+while (argc > 1)
+  {
+  if      (Ustrcmp(argv[arg], "-nolc") == 0)     lowercase = FALSE;
+  else if (Ustrcmp(argv[arg], "-nowarn") == 0)   warn = FALSE;
+  else if (Ustrcmp(argv[arg], "-lastdup") == 0)  lastdup = TRUE;
+  else if (Ustrcmp(argv[arg], "-noduperr") == 0) duperr = FALSE;
+  else if (Ustrcmp(argv[arg], "-nozero") == 0)   add_zero = 0;
+  else break;
+  arg++;
+  argc--;
+  }
+
+if (argc != 3)
+  {
+  printf("usage: exim_dbmbuild [-nolc] <source file> <dbm base name>\n");
+  exit(1);
+  }
+
+if (Ustrcmp(argv[arg], "-") == 0)
+  f = stdin;
+else if (!(f = fopen(argv[arg], "rb")))
+  {
+  printf("exim_dbmbuild: unable to open %s: %s\n", argv[arg], strerror(errno));
+  exit(1);
+  }
+
+/* By default Berkeley db does not put extensions on... which
+can be painful! */
+
+#if defined(USE_DB) || defined(USE_TDB) || defined(USE_GDBM)
+if (Ustrcmp(argv[arg], argv[arg+1]) == 0)
+  {
+  printf("exim_dbmbuild: input and output filenames are the same\n");
+  exit(1);
+  }
+#endif
+
+/* Check length of filename; allow for adding .dbmbuild_temp and .db or
+.dir/.pag later. */
+
+if (strlen(argv[arg+1]) > sizeof(temp_dbmname) - 20)
+  {
+  printf("exim_dbmbuild: output filename is ridiculously long\n");
+  exit(1);
+  }
+
+Ustrcpy(temp_dbmname, US argv[arg+1]);
+Ustrcat(temp_dbmname, US".dbmbuild_temp");
+
+Ustrcpy(dirname, temp_dbmname);
+if ((bptr = Ustrrchr(dirname, '/')))
+  *bptr = '\0';
+else
+  Ustrcpy(dirname, US".");
+
+/* It is apparently necessary to open with O_RDWR for this to work
+with gdbm-1.7.3, though no reading is actually going to be done. */
+
+if (!(d = exim_dbopen(temp_dbmname, dirname, O_RDWR|O_CREAT|O_EXCL, 0644)))
+  {
+  printf("exim_dbmbuild: unable to create %s: %s\n", temp_dbmname,
+    strerror(errno));
+  (void)fclose(f);
+  exit(1);
+  }
+
+/* Unless using native db calls, see if we have created <name>.db; if not,
+assume .dir & .pag */
+
+#if !defined(USE_DB) && !defined(USE_TDB) && !defined(USE_GDBM)
+sprintf(CS real_dbmname, "%s.db", temp_dbmname);
+is_db = Ustat(real_dbmname, &statbuf) == 0;
+#endif
+
+/* Now do the business */
+
+bptr = buffer;
+started = 0;
+
+while (Ufgets(line, max_insize, f) != NULL)
+  {
+  uschar *p;
+  int len = Ustrlen(line);
+
+  p = line + len;
+
+  if (len >= max_insize - 1 && p[-1] != '\n')
+    {
+    printf("Overlong line read: max permitted length is %d\n", max_insize - 1);
+    yield = 2;
+    goto TIDYUP;
+    }
+
+  if (line[0] == '#') continue;
+  while (p > line && isspace(p[-1])) p--;
+  *p = 0;
+  if (line[0] == 0) continue;
+
+  /* A continuation line is valid only if there was a previous first
+  line. */
+
+  if (isspace(line[0]))
+    {
+    uschar *s = line;
+    if (!started)
+      {
+      printf("Unexpected continuation line ignored\n%s\n\n", line);
+      continue;
+      }
+    while (isspace(*s)) s++;
+    *(--s) = ' ';
+
+    if (bptr - buffer + p - s >= max_outsize - 1)
+      {
+      printf("Continued set of lines is too long: max permitted length is %d\n",
+        max_outsize -1);
+      yield = 2;
+      goto TIDYUP;
+      }
+
+    Ustrcpy(bptr, s);
+    bptr += p - s;
+    }
+
+  /* A first line must have a name followed by a colon or whitespace or
+  end of line, but first finish with a previous line. The key is lower
+  cased by default - this is what the newaliases program for sendmail does.
+  However, there's an option not to do this. */
+
+  else
+    {
+    int i, rc;
+    uschar *s = line;
+    uschar *keystart;
+
+    if (started)
+      {
+      exim_datum_init(&content);
+      exim_datum_data_set(&content, buffer);
+      exim_datum_size_set(&content, bptr - buffer + add_zero);
+
+      switch(rc = exim_dbputb(d, &key, &content))
+        {
+        case EXIM_DBPUTB_OK:
+	  count++;
+	  break;
+
+        case EXIM_DBPUTB_DUP:
+	  if (warn) fprintf(stderr, "** Duplicate key \"%s\"\n", keybuffer);
+	  dupcount++;
+	  if(duperr) yield = 1;
+	  if (lastdup) exim_dbput(d, &key, &content);
+	  break;
+
+        default:
+	  fprintf(stderr, "Error %d while writing key %s: errno=%d\n", rc,
+	    keybuffer, errno);
+	  yield = 2;
+	  goto TIDYUP;
+        }
+
+      bptr = buffer;
+      }
+
+    exim_datum_init(&key);
+    exim_datum_data_set(&key, keybuffer);
+
+    /* Deal with quoted keys. Escape sequences always make one character
+    out of several, so we can re-build in place. */
+
+    if (*s == '\"')
+      {
+      uschar *t = s++;
+      keystart = t;
+      while (*s != 0 && *s != '\"')
+        {
+	*t++ = *s == '\\'
+	? string_interpret_escape((const uschar **)&s)
+	: *s;
+        s++;
+        }
+      if (*s != 0) s++;               /* Past terminating " */
+      exim_datum_size_set(&key, t - keystart + add_zero);
+      }
+    else
+      {
+      keystart = s;
+      while (*s != 0 && *s != ':' && !isspace(*s)) s++;
+      exim_datum_size_set(&key, s - keystart + add_zero);
+      }
+
+    if (exim_datum_size_get(&key) > 256)
+      {
+      printf("Keys longer than 255 characters cannot be handled\n");
+      started = 0;
+      yield = 2;
+      goto TIDYUP;
+      }
+
+    if (lowercase)
+      for (i = 0; i < exim_datum_size_get(&key) - add_zero; i++)
+        keybuffer[i] = tolower(keystart[i]);
+    else
+      for (i = 0; i < exim_datum_size_get(&key) - add_zero; i++)
+        keybuffer[i] = keystart[i];
+
+    keybuffer[i] = 0;
+    started = 1;
+
+    while (isspace(*s))s++;
+    if (*s == ':')
+      {
+      s++;
+      while (isspace(*s))s++;
+      }
+    if (*s != 0)
+      {
+      Ustrcpy(bptr, s);
+      bptr += p - s;
+      }
+    else buffer[0] = 0;
+    }
+  }
+
+if (started)
+  {
+  int rc;
+  exim_datum_init(&content);
+  exim_datum_data_set(&content, buffer);
+  exim_datum_size_set(&content, bptr - buffer + add_zero);
+
+  switch(rc = exim_dbputb(d, &key, &content))
+    {
+    case EXIM_DBPUTB_OK:
+    count++;
+    break;
+
+    case EXIM_DBPUTB_DUP:
+    if (warn) fprintf(stderr, "** Duplicate key \"%s\"\n", keybuffer);
+    dupcount++;
+    if (duperr) yield = 1;
+    if (lastdup) exim_dbput(d, &key, &content);
+    break;
+
+    default:
+    fprintf(stderr, "Error %d while writing key %s: errno=%d\n", rc,
+      keybuffer, errno);
+    yield = 2;
+    break;
+    }
+  }
+
+/* Close files, rename or abandon the temporary files, and exit */
+
+TIDYUP:
+
+exim_dbclose(d);
+(void)fclose(f);
+
+/* If successful, output the number of entries and rename the temporary
+files. */
+
+if (yield == 0 || yield == 1)
+  {
+  printf("%d entr%s written\n", count, (count == 1)? "y" : "ies");
+  if (dupcount > 0)
+    {
+    printf("%d duplicate key%s \n", dupcount, (dupcount > 1)? "s" : "");
+    }
+
+  #if defined(USE_DB) || defined(USE_TDB) || defined(USE_GDBM)
+  Ustrcpy(real_dbmname, temp_dbmname);
+  Ustrcpy(buffer, US argv[arg+1]);
+  if (Urename(real_dbmname, buffer) != 0)
+    {
+    printf("Unable to rename %s as %s\n", real_dbmname, buffer);
+    return 1;
+    }
+  #else
+
+  /* Rename a single .db file */
+
+  if (is_db)
+    {
+    sprintf(CS real_dbmname, "%s.db", temp_dbmname);
+    sprintf(CS buffer, "%s.db", argv[arg+1]);
+    if (Urename(real_dbmname, buffer) != 0)
+      {
+      printf("Unable to rename %s as %s\n", real_dbmname, buffer);
+      return 1;
+      }
+    }
+
+  /* Rename .dir and .pag files */
+
+  else
+    {
+    sprintf(CS real_dbmname, "%s.dir", temp_dbmname);
+    sprintf(CS buffer, "%s.dir", argv[arg+1]);
+    if (Urename(real_dbmname, buffer) != 0)
+      {
+      printf("Unable to rename %s as %s\n", real_dbmname, buffer);
+      return 1;
+      }
+
+    sprintf(CS real_dbmname, "%s.pag", temp_dbmname);
+    sprintf(CS buffer, "%s.pag", argv[arg+1]);
+    if (Urename(real_dbmname, buffer) != 0)
+      {
+      printf("Unable to rename %s as %s\n", real_dbmname, buffer);
+      return 1;
+      }
+    }
+
+  #endif /* USE_DB || USE_TDB || USE_GDBM */
+  }
+
+/* Otherwise unlink the temporary files. */
+
+else
+  {
+  printf("dbmbuild abandoned\n");
+#if defined(USE_DB) || defined(USE_TDB) || defined(USE_GDBM)
+  /* We created it, so safe to delete despite the name coming from outside */
+  /* coverity[tainted_string] */
+  Uunlink(temp_dbmname);
+#else
+  if (is_db)
+    {
+    sprintf(CS real_dbmname, "%s.db", temp_dbmname);
+    Uunlink(real_dbmname);
+    }
+  else
+    {
+    sprintf(CS real_dbmname, "%s.dir", temp_dbmname);
+    Uunlink(real_dbmname);
+    sprintf(CS real_dbmname, "%s.pag", temp_dbmname);
+    Uunlink(real_dbmname);
+    }
+#endif /* USE_DB || USE_TDB */
+  }
+
+return yield;
+}
+
+/* End of exim_dbmbuild.c */
diff --git a/src/exim_dbutil.c b/src/exim_dbutil.c
new file mode 100644
index 0000000..3824309
--- /dev/null
+++ b/src/exim_dbutil.c
@@ -0,0 +1,1423 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* This single source file is used to compile three utility programs for
+maintaining Exim hints databases.
+
+  exim_dumpdb     dumps out the contents
+  exim_fixdb      patches the database (really for Exim maintenance/testing)
+  exim_tidydb     removed obsolete data
+
+In all cases, the first argument is the name of the spool directory. The second
+argument is the name of the database file. The available names are:
+
+  callout:	callout verification cache
+  misc:		miscellaneous hints data
+  ratelimit:	record for ACL "ratelimit" condition
+  retry:	etry delivery information
+  seen:		imestamp records for ACL "seen" condition
+  tls:		TLS session resumption cache
+  wait-<t>:	message waiting information; <t> is a transport name
+
+There are a number of common subroutines, followed by three main programs,
+whose inclusion is controlled by -D on the compilation command. */
+
+
+#include "exim.h"
+
+
+/* Identifiers for the different database types. */
+
+#define type_retry     1
+#define type_wait      2
+#define type_misc      3
+#define type_callout   4
+#define type_ratelimit 5
+#define type_tls       6
+#define type_seen      7
+
+
+/* This is used by our cut-down dbfn_open(). */
+
+uschar *spool_directory;
+
+BOOL keyonly = FALSE;
+BOOL utc = FALSE;
+
+
+/******************************************************************************/
+      /* dummies needed by Solaris build */
+void
+millisleep(int msec)
+{}
+uschar *
+readconf_printtime(int t)
+{ return NULL; }
+gstring *
+string_vformat_trc(gstring * g, const uschar * func, unsigned line,
+  unsigned size_limit, unsigned flags, const char *format, va_list ap)
+{ return NULL; }
+uschar *
+string_sprintf_trc(const char * fmt, const uschar * func, unsigned line, ...)
+{ return NULL; }
+BOOL
+string_format_trc(uschar * buf, int len, const uschar * func, unsigned line,
+  const char * fmt, ...)
+{ return FALSE; }
+
+struct global_flags	f;
+unsigned int		log_selector[1];
+uschar *		queue_name;
+BOOL			split_spool_directory;
+
+
+/* These introduced by the taintwarn handling */
+#ifdef ALLOW_INSECURE_TAINTED_DATA
+BOOL    allow_insecure_tainted_data;
+#endif
+
+/******************************************************************************/
+
+
+/*************************************************
+*              SIGALRM handler                   *
+*************************************************/
+
+SIGNAL_BOOL sigalrm_seen;
+
+void
+sigalrm_handler(int sig)
+{
+sigalrm_seen = 1;
+}
+
+
+
+/*************************************************
+*        Output usage message and exit           *
+*************************************************/
+
+static void
+usage(uschar *name, uschar *options)
+{
+printf("Usage: exim_%s%s  <spool-directory> <database-name>\n", name, options);
+printf("  <database-name> = retry | misc | wait-<transport-name> | callout | ratelimit | tls | seen\n");
+exit(EXIT_FAILURE);
+}
+
+
+
+/*************************************************
+*           Sort out the command arguments       *
+*************************************************/
+
+/* This function checks that there are exactly 2 arguments, and checks the
+second of them to be sure it is a known database name. */
+
+static int
+check_args(int argc, uschar **argv, uschar *name, uschar *options)
+{
+uschar * aname = argv[optind + 1];
+if (argc - optind == 2)
+  {
+  if (Ustrcmp(aname, "retry") == 0)	return type_retry;
+  if (Ustrcmp(aname, "misc") == 0)	return type_misc;
+  if (Ustrncmp(aname, "wait-", 5) == 0)	return type_wait;
+  if (Ustrcmp(aname, "callout") == 0)	return type_callout;
+  if (Ustrcmp(aname, "ratelimit") == 0)	return type_ratelimit;
+  if (Ustrcmp(aname, "tls") == 0)	return type_tls;
+  if (Ustrcmp(aname, "seen") == 0)	return type_seen;
+  }
+usage(name, options);
+return -1;              /* Never obeyed */
+}
+
+
+FUNC_MAYBE_UNUSED
+static void
+options(int argc, uschar * argv[], uschar * name, const uschar * opts)
+{
+int opt;
+
+opterr = 0;
+while ((opt = getopt(argc, (char * const *)argv, CCS opts)) != -1)
+  switch (opt)
+  {
+  case 'k':	keyonly = TRUE; break;
+  case 'z':	utc = TRUE; break;
+  default:	usage(name, US" [-z] [-k]");
+  }
+}
+
+
+
+
+/*************************************************
+*         Handle attempts to write the log       *
+*************************************************/
+
+/* The message gets written to stderr when log_write() is called from a
+utility. The message always gets '\n' added on the end of it. These calls come
+from modules such as store.c when things go drastically wrong (e.g. malloc()
+failing). In normal use they won't get obeyed.
+
+Arguments:
+  selector  not relevant when running a utility
+  flags     not relevant when running a utility
+  format    a printf() format
+  ...       arguments for format
+
+Returns:    nothing
+*/
+
+void
+log_write(unsigned int selector, int flags, const char *format, ...)
+{
+va_list ap;
+va_start(ap, format);
+vfprintf(stderr, format, ap);
+fprintf(stderr, "\n");
+va_end(ap);
+}
+
+
+
+/*************************************************
+*        Format a time value for printing        *
+*************************************************/
+
+static uschar time_buffer[sizeof("09-xxx-1999 hh:mm:ss  ")];
+
+uschar *
+print_time(time_t t)
+{
+struct tm *tmstr = utc ? gmtime(&t) : localtime(&t);
+Ustrftime(time_buffer, sizeof(time_buffer), "%d-%b-%Y %H:%M:%S", tmstr);
+return time_buffer;
+}
+
+
+
+/*************************************************
+*        Format a cache value for printing       *
+*************************************************/
+
+uschar *
+print_cache(int value)
+{
+return value == ccache_accept ? US"accept" :
+       value == ccache_reject ? US"reject" :
+       US"unknown";
+}
+
+
+#ifdef EXIM_FIXDB
+/*************************************************
+*                Read time value                 *
+*************************************************/
+
+static time_t
+read_time(uschar *s)
+{
+int field = 0;
+int value;
+time_t now = time(NULL);
+struct tm *tm = localtime(&now);
+
+tm->tm_sec = 0;
+tm->tm_isdst = -1;
+
+for (uschar * t = s + Ustrlen(s) - 1; t >= s; t--)
+  {
+  if (*t == ':') continue;
+  if (!isdigit((uschar)*t)) return -1;
+
+  value = *t - '0';
+  if (--t >= s)
+    {
+    if (!isdigit((uschar)*t)) return -1;
+    value = value + (*t - '0')*10;
+    }
+
+  switch (field++)
+    {
+    case 0: tm->tm_min = value; break;
+    case 1: tm->tm_hour = value; break;
+    case 2: tm->tm_mday = value; break;
+    case 3: tm->tm_mon = value - 1; break;
+    case 4: tm->tm_year = (value < 90)? value + 100 : value; break;
+    default: return -1;
+    }
+  }
+
+return mktime(tm);
+}
+#endif  /* EXIM_FIXDB */
+
+
+
+/*************************************************
+*       Open and lock a database file            *
+*************************************************/
+
+/* This is a cut-down version from the function in dbfn.h that Exim itself
+uses. We assume the database exists, and therefore give up if we cannot open
+the lock file.
+
+Arguments:
+  name     The single-component name of one of Exim's database files.
+  flags    O_RDONLY or O_RDWR
+  dbblock  Points to an open_db block to be filled in.
+  lof      Unused.
+  panic	   Unused
+
+Returns:   NULL if the open failed, or the locking failed.
+           On success, dbblock is returned. This contains the dbm pointer and
+           the fd of the locked lock file.
+*/
+
+open_db *
+dbfn_open(uschar *name, int flags, open_db *dbblock, BOOL lof, BOOL panic)
+{
+int rc;
+struct flock lock_data;
+BOOL read_only = flags == O_RDONLY;
+uschar * dirname, * filename;
+
+/* The first thing to do is to open a separate file on which to lock. This
+ensures that Exim has exclusive use of the database before it even tries to
+open it. If there is a database, there should be a lock file in existence. */
+
+#ifdef COMPILE_UTILITY
+if (  asprintf(CSS &dirname, "%s/db", spool_directory) < 0
+   || asprintf(CSS &filename, "%s/%s.lockfile", dirname, name) < 0)
+  return NULL;
+#else
+dirname = string_sprintf("%s/db", spool_directory);
+filename = string_sprintf("%s/%s.lockfile", dirname, name);
+#endif
+
+dbblock->lockfd = Uopen(filename, flags, 0);
+if (dbblock->lockfd < 0)
+  {
+  printf("** Failed to open database lock file %s: %s\n", filename,
+    strerror(errno));
+  return NULL;
+  }
+
+/* Now we must get a lock on the opened lock file; do this with a blocking
+lock that times out. */
+
+lock_data.l_type = read_only ? F_RDLCK : F_WRLCK;
+lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
+
+sigalrm_seen = FALSE;
+os_non_restarting_signal(SIGALRM, sigalrm_handler);
+ALARM(EXIMDB_LOCK_TIMEOUT);
+rc = fcntl(dbblock->lockfd, F_SETLKW, &lock_data);
+ALARM_CLR(0);
+
+if (sigalrm_seen) errno = ETIMEDOUT;
+if (rc < 0)
+  {
+  printf("** Failed to get %s lock for %s: %s",
+    flags & O_WRONLY ? "write" : "read",
+    filename,
+    errno == ETIMEDOUT ? "timed out" : strerror(errno));
+  (void)close(dbblock->lockfd);
+  return NULL;
+  }
+
+/* At this point we have an opened and locked separate lock file, that is,
+exclusive access to the database, so we can go ahead and open it. */
+
+#ifdef COMPILE_UTILITY
+if (asprintf(CSS &filename, "%s/%s", dirname, name) < 0) return NULL;
+#else
+filename = string_sprintf("%s/%s", dirname, name);
+#endif
+dbblock->dbptr = exim_dbopen(filename, dirname, flags, 0);
+
+if (!dbblock->dbptr)
+  {
+  printf("** Failed to open DBM file %s for %s:\n   %s%s\n", filename,
+    read_only? "reading" : "writing", strerror(errno),
+    #ifdef USE_DB
+    " (or Berkeley DB error while opening)"
+    #else
+    ""
+    #endif
+    );
+  (void)close(dbblock->lockfd);
+  return NULL;
+  }
+
+return dbblock;
+}
+
+
+
+
+/*************************************************
+*         Unlock and close a database file       *
+*************************************************/
+
+/* Closing a file automatically unlocks it, so after closing the database, just
+close the lock file.
+
+Argument: a pointer to an open database block
+Returns:  nothing
+*/
+
+void
+dbfn_close(open_db *dbblock)
+{
+exim_dbclose(dbblock->dbptr);
+(void)close(dbblock->lockfd);
+}
+
+
+
+
+/*************************************************
+*             Read from database file            *
+*************************************************/
+
+/* Passing back the pointer unchanged is useless, because there is no guarantee
+of alignment. Since all the records used by Exim need to be properly aligned to
+pick out the timestamps, etc., do the copying centrally here.
+
+Arguments:
+  dbblock   a pointer to an open database block
+  key       the key of the record to be read
+  length    where to put the length (or NULL if length not wanted). Includes overhead.
+
+Returns: a pointer to the retrieved record, or
+         NULL if the record is not found
+*/
+
+void *
+dbfn_read_with_length(open_db *dbblock, const uschar *key, int *length)
+{
+void *yield;
+EXIM_DATUM key_datum, result_datum;
+int klen = Ustrlen(key) + 1;
+uschar * key_copy = store_get(klen, key);
+
+memcpy(key_copy, key, klen);
+
+exim_datum_init(&key_datum);         /* Some DBM libraries require the datum */
+exim_datum_init(&result_datum);      /* to be cleared before use. */
+exim_datum_data_set(&key_datum, key_copy);
+exim_datum_size_set(&key_datum, klen);
+
+if (!exim_dbget(dbblock->dbptr, &key_datum, &result_datum)) return NULL;
+
+/* Assume for now that anything stored could have been tainted. Properly
+we should store the taint status along with the data. */
+
+yield = store_get(exim_datum_size_get(&result_datum), GET_TAINTED);
+memcpy(yield, exim_datum_data_get(&result_datum), exim_datum_size_get(&result_datum));
+if (length) *length = exim_datum_size_get(&result_datum);
+
+exim_datum_free(&result_datum);    /* Some DBM libs require freeing */
+return yield;
+}
+
+
+
+#if defined(EXIM_TIDYDB) || defined(EXIM_FIXDB)
+
+/*************************************************
+*             Write to database file             *
+*************************************************/
+
+/*
+Arguments:
+  dbblock   a pointer to an open database block
+  key       the key of the record to be written
+  ptr       a pointer to the record to be written
+  length    the length of the record to be written
+
+Returns:    the yield of the underlying dbm or db "write" function. If this
+            is dbm, the value is zero for OK.
+*/
+
+int
+dbfn_write(open_db *dbblock, const uschar *key, void *ptr, int length)
+{
+EXIM_DATUM key_datum, value_datum;
+dbdata_generic *gptr = (dbdata_generic *)ptr;
+int klen = Ustrlen(key) + 1;
+uschar * key_copy = store_get(klen, key);
+
+memcpy(key_copy, key, klen);
+gptr->time_stamp = time(NULL);
+
+exim_datum_init(&key_datum);         /* Some DBM libraries require the datum */
+exim_datum_init(&value_datum);       /* to be cleared before use. */
+exim_datum_data_set(&key_datum, key_copy);
+exim_datum_size_set(&key_datum, klen);
+exim_datum_data_set(&value_datum, ptr);
+exim_datum_size_set(&value_datum, length);
+return exim_dbput(dbblock->dbptr, &key_datum, &value_datum);
+}
+
+
+
+/*************************************************
+*           Delete record from database file     *
+*************************************************/
+
+/*
+Arguments:
+  dbblock    a pointer to an open database block
+  key        the key of the record to be deleted
+
+Returns: the yield of the underlying dbm or db "delete" function.
+*/
+
+int
+dbfn_delete(open_db *dbblock, const uschar *key)
+{
+int klen = Ustrlen(key) + 1;
+uschar * key_copy = store_get(klen, key);
+EXIM_DATUM key_datum;
+
+memcpy(key_copy, key, klen);
+exim_datum_init(&key_datum);         /* Some DBM libraries require clearing */
+exim_datum_data_set(&key_datum, key_copy);
+exim_datum_size_set(&key_datum, klen);
+return exim_dbdel(dbblock->dbptr, &key_datum);
+}
+
+#endif  /* EXIM_TIDYDB || EXIM_FIXDB */
+
+
+
+#if defined(EXIM_DUMPDB) || defined(EXIM_TIDYDB)
+/*************************************************
+*         Scan the keys of a database file       *
+*************************************************/
+
+/*
+Arguments:
+  dbblock  a pointer to an open database block
+  start    TRUE if starting a new scan
+           FALSE if continuing with the current scan
+  cursor   a pointer to a pointer to a cursor anchor, for those dbm libraries
+           that use the notion of a cursor
+
+Returns:   the next record from the file, or
+           NULL if there are no more
+*/
+
+uschar *
+dbfn_scan(open_db *dbblock, BOOL start, EXIM_CURSOR **cursor)
+{
+EXIM_DATUM key_datum, value_datum;
+uschar *yield;
+
+/* Some dbm require an initialization */
+
+if (start) *cursor = exim_dbcreate_cursor(dbblock->dbptr);
+
+exim_datum_init(&key_datum);         /* Some DBM libraries require the datum */
+exim_datum_init(&value_datum);       /* to be cleared before use. */
+
+yield = exim_dbscan(dbblock->dbptr, &key_datum, &value_datum, start, *cursor)
+  ? US exim_datum_data_get(&key_datum) : NULL;
+
+/* Some dbm require a termination */
+
+if (!yield) exim_dbdelete_cursor(*cursor);
+return yield;
+}
+#endif  /* EXIM_DUMPDB || EXIM_TIDYDB */
+
+
+
+#ifdef EXIM_DUMPDB
+/*************************************************
+*           The exim_dumpdb main program         *
+*************************************************/
+
+int
+main(int argc, char **cargv)
+{
+int dbdata_type = 0;
+int yield = 0;
+open_db dbblock;
+open_db *dbm;
+EXIM_CURSOR *cursor;
+uschar **argv = USS cargv;
+uschar keybuffer[1024];
+
+store_init();
+options(argc, argv, US"dumpdb", US"kz");
+
+/* Check the arguments, and open the database */
+
+dbdata_type = check_args(argc, argv, US"dumpdb", US" [-z] [-k]");
+argc -= optind; argv += optind;
+spool_directory = argv[0];
+
+if (!(dbm = dbfn_open(argv[1], O_RDONLY, &dbblock, FALSE, TRUE)))
+  exit(1);
+
+/* Scan the file, formatting the information for each entry. Note
+that data is returned in a malloc'ed block, in order that it be
+correctly aligned. */
+
+for (uschar * key = dbfn_scan(dbm, TRUE, &cursor);
+     key;
+     key = dbfn_scan(dbm, FALSE, &cursor))
+  {
+  dbdata_retry *retry;
+  dbdata_wait *wait;
+  dbdata_callout_cache *callout;
+  dbdata_ratelimit *ratelimit;
+  dbdata_ratelimit_unique *rate_unique;
+  dbdata_tls_session *session;
+  dbdata_seen *seen;
+  int count_bad = 0;
+  int length;
+  uschar *t;
+  uschar name[MESSAGE_ID_LENGTH + 1];
+  void *value;
+  rmark reset_point = store_mark();
+
+  /* Keep a copy of the key separate, as in some DBM's the pointer is into data
+  which might change. */
+
+  if (Ustrlen(key) > sizeof(keybuffer) - 1)
+    {
+    printf("**** Overlong key encountered: %s\n", key);
+    return 1;
+    }
+  Ustrcpy(keybuffer, key);
+
+  if (keyonly)
+    printf("  %s\n", keybuffer);
+  else if (!(value = dbfn_read_with_length(dbm, keybuffer, &length)))
+    fprintf(stderr, "**** Entry \"%s\" was in the key scan, but the record "
+                    "was not found in the file - something is wrong!\n",
+      CS keybuffer);
+  else
+    /* Note: don't use print_time more than once in one statement, since
+    it uses a single buffer. */
+
+    switch(dbdata_type)
+      {
+      case type_retry:
+	retry = (dbdata_retry *)value;
+	printf("  %s %d %d %s\n%s  ", keybuffer, retry->basic_errno,
+	  retry->more_errno, retry->text,
+	  print_time(retry->first_failed));
+	printf("%s  ", print_time(retry->last_try));
+	printf("%s %s\n", print_time(retry->next_try),
+	  (retry->expired)? "*" : "");
+	break;
+
+      case type_wait:
+	wait = (dbdata_wait *)value;
+	printf("%s ", keybuffer);
+	t = wait->text;
+	name[MESSAGE_ID_LENGTH] = 0;
+
+    /* Leave corrupt records alone */
+	if (wait->count > WAIT_NAME_MAX)
+	  {
+	  fprintf(stderr,
+	    "**** Data for %s corrupted\n  count=%d=0x%x max=%d\n",
+	    CS keybuffer, wait->count, wait->count, WAIT_NAME_MAX);
+	  wait->count = WAIT_NAME_MAX;
+	  yield = count_bad = 1;
+	  }
+	for (int i = 1; i <= wait->count; i++)
+	  {
+	  Ustrncpy(name, t, MESSAGE_ID_LENGTH);
+	  if (count_bad && name[0] == 0) break;
+	  if (Ustrlen(name) != MESSAGE_ID_LENGTH ||
+	      Ustrspn(name, "0123456789"
+			    "abcdefghijklmnopqrstuvwxyz"
+			    "ABCDEFGHIJKLMNOPQRSTUVWXYZ-") != MESSAGE_ID_LENGTH)
+	    {
+	    fprintf(stderr,
+	      "**** Data for %s corrupted: bad character in message id\n",
+	      CS keybuffer);
+	    for (int j = 0; j < MESSAGE_ID_LENGTH; j++)
+	      fprintf(stderr, "%02x ", name[j]);
+	    fprintf(stderr, "\n");
+	    yield = 1;
+	    break;
+	    }
+	  printf("%s ", name);
+	  t += MESSAGE_ID_LENGTH;
+	  }
+	printf("\n");
+	break;
+
+      case type_misc:
+	printf("%s %s\n", print_time(((dbdata_generic *)value)->time_stamp),
+	  keybuffer);
+	break;
+
+      case type_callout:
+	callout = (dbdata_callout_cache *)value;
+
+	/* New-style address record */
+
+	if (length == sizeof(dbdata_callout_cache_address))
+	  {
+	  printf("%s %s callout=%s\n",
+	    print_time(((dbdata_generic *)value)->time_stamp),
+	    keybuffer,
+	    print_cache(callout->result));
+	  }
+
+	/* New-style domain record */
+
+	else if (length == sizeof(dbdata_callout_cache))
+	  {
+	  printf("%s %s callout=%s postmaster=%s",
+	    print_time(((dbdata_generic *)value)->time_stamp),
+	    keybuffer,
+	    print_cache(callout->result),
+	    print_cache(callout->postmaster_result));
+	  if (callout->postmaster_result != ccache_unknown)
+	    printf(" (%s)", print_time(callout->postmaster_stamp));
+	  printf(" random=%s", print_cache(callout->random_result));
+	  if (callout->random_result != ccache_unknown)
+	    printf(" (%s)", print_time(callout->random_stamp));
+	  printf("\n");
+	  }
+
+	break;
+
+      case type_ratelimit:
+	if (Ustrstr(key, "/unique/") != NULL && length >= sizeof(*rate_unique))
+	  {
+	  ratelimit = (dbdata_ratelimit *)value;
+	  rate_unique = (dbdata_ratelimit_unique *)value;
+	  printf("%s.%06d rate: %10.3f epoch: %s size: %u key: %s\n",
+	    print_time(ratelimit->time_stamp),
+	    ratelimit->time_usec, ratelimit->rate,
+	    print_time(rate_unique->bloom_epoch), rate_unique->bloom_size,
+	    keybuffer);
+	  }
+	else
+	  {
+	  ratelimit = (dbdata_ratelimit *)value;
+	  printf("%s.%06d rate: %10.3f key: %s\n",
+	    print_time(ratelimit->time_stamp),
+	    ratelimit->time_usec, ratelimit->rate,
+	    keybuffer);
+	  }
+	break;
+
+      case type_tls:
+	session = (dbdata_tls_session *)value;
+	printf("  %s %.*s\n", keybuffer, length, session->session);
+	break;
+
+      case type_seen:
+	seen = (dbdata_seen *)value;
+	printf("%s\t%s\n", keybuffer, print_time(seen->time_stamp));
+	break;
+      }
+  store_reset(reset_point);
+  }
+
+dbfn_close(dbm);
+return yield;
+}
+
+#endif  /* EXIM_DUMPDB */
+
+
+
+
+#ifdef EXIM_FIXDB
+/*************************************************
+*           The exim_fixdb main program          *
+*************************************************/
+
+/* In order not to hold the database lock any longer than is necessary, each
+operation on the database uses a separate open/close call. This is expensive,
+but then using this utility is not expected to be very common. Its main use is
+to provide a way of patching up hints databases in order to run tests.
+
+Syntax of commands:
+
+(1) <record name>
+    This causes the data from the given record to be displayed, or "not found"
+    to be output. Note that in the retry database, destination names are
+    preceded by R: or T: for router or transport retry info.
+
+(2) <record name> d
+    This causes the given record to be deleted or "not found" to be output.
+
+(3) <record name> <field number> <value>
+    This sets the given value into the given field, identified by a number
+    which is output by the display command. Not all types of record can
+    be changed.
+
+(4) q
+    This exits from exim_fixdb.
+
+If the record name is omitted from (2) or (3), the previously used record name
+is re-used. */
+
+
+int
+main(int argc, char **cargv)
+{
+int dbdata_type;
+uschar **argv = USS cargv;
+uschar buffer[256];
+uschar name[256];
+rmark reset_point;
+uschar * aname;
+
+store_init();
+options(argc, argv, US"fixdb", US"z");
+name[0] = 0;  /* No name set */
+
+/* Sort out the database type, verify what we are working on and then process
+user requests */
+
+dbdata_type = check_args(argc, argv, US"fixdb", US" [-z]");
+argc -= optind; argv += optind;
+spool_directory = argv[0];
+aname = argv[1];
+
+printf("Modifying Exim hints database %s/db/%s\n", spool_directory, aname);
+
+for(; (reset_point = store_mark()); store_reset(reset_point))
+  {
+  open_db dbblock;
+  open_db *dbm;
+  void *record;
+  dbdata_retry *retry;
+  dbdata_wait *wait;
+  dbdata_callout_cache *callout;
+  dbdata_ratelimit *ratelimit;
+  dbdata_ratelimit_unique *rate_unique;
+  dbdata_tls_session *session;
+  int oldlength;
+  uschar *t;
+  uschar field[256], value[256];
+
+  printf("> ");
+  if (Ufgets(buffer, 256, stdin) == NULL) break;
+
+  buffer[Ustrlen(buffer)-1] = 0;
+  field[0] = value[0] = 0;
+
+  /* If the buffer contains just one digit, or just consists of "d", use the
+  previous name for an update. */
+
+  if ((isdigit((uschar)buffer[0]) && (buffer[1] == ' ' || buffer[1] == '\0'))
+       || Ustrcmp(buffer, "d") == 0)
+    {
+    if (name[0] == 0)
+      {
+      printf("No previous record name is set\n");
+      continue;
+      }
+    (void)sscanf(CS buffer, "%s %s", field, value);
+    }
+  else
+    {
+    name[0] = 0;
+    (void)sscanf(CS buffer, "%s %s %s", name, field, value);
+    }
+
+  /* Handle an update request */
+
+  if (field[0] != 0)
+    {
+    int verify = 1;
+
+    if (!(dbm = dbfn_open(aname, O_RDWR, &dbblock, FALSE, TRUE)))
+      continue;
+
+    if (Ustrcmp(field, "d") == 0)
+      {
+      if (value[0] != 0) printf("unexpected value after \"d\"\n");
+        else printf("%s\n", (dbfn_delete(dbm, name) < 0)?
+          "not found" : "deleted");
+      dbfn_close(dbm);
+      continue;
+      }
+
+    else if (isdigit((uschar)field[0]))
+      {
+      int fieldno = Uatoi(field);
+      if (value[0] == 0)
+        {
+        printf("value missing\n");
+        dbfn_close(dbm);
+        continue;
+        }
+      else
+        {
+        record = dbfn_read_with_length(dbm, name, &oldlength);
+        if (record == NULL) printf("not found\n"); else
+          {
+          time_t tt;
+          /*int length = 0;      Stops compiler warning */
+
+          switch(dbdata_type)
+            {
+            case type_retry:
+	      retry = (dbdata_retry *)record;
+	      /* length = sizeof(dbdata_retry) + Ustrlen(retry->text); */
+
+	      switch(fieldno)
+		{
+		case 0: retry->basic_errno = Uatoi(value);
+			break;
+		case 1: retry->more_errno = Uatoi(value);
+			break;
+		case 2: if ((tt = read_time(value)) > 0) retry->first_failed = tt;
+			else printf("bad time value\n");
+			break;
+		case 3: if ((tt = read_time(value)) > 0) retry->last_try = tt;
+			else printf("bad time value\n");
+			break;
+		case 4: if ((tt = read_time(value)) > 0) retry->next_try = tt;
+			else printf("bad time value\n");
+			break;
+		case 5: if (Ustrcmp(value, "yes") == 0) retry->expired = TRUE;
+			else if (Ustrcmp(value, "no") == 0) retry->expired = FALSE;
+			else printf("\"yes\" or \"no\" expected=n");
+			break;
+		default: printf("unknown field number\n");
+			 verify = 0;
+			 break;
+		}
+	      break;
+
+            case type_wait:
+	      printf("Can't change contents of wait database record\n");
+	      break;
+
+            case type_misc:
+	      printf("Can't change contents of misc database record\n");
+	      break;
+
+            case type_callout:
+	      callout = (dbdata_callout_cache *)record;
+	      /* length = sizeof(dbdata_callout_cache); */
+	      switch(fieldno)
+		{
+		case 0: callout->result = Uatoi(value);
+			break;
+		case 1: callout->postmaster_result = Uatoi(value);
+			break;
+		case 2: callout->random_result = Uatoi(value);
+			break;
+		default: printf("unknown field number\n");
+			 verify = 0;
+			 break;
+		}
+		break;
+
+            case type_ratelimit:
+	      ratelimit = (dbdata_ratelimit *)record;
+	      switch(fieldno)
+		{
+		case 0: if ((tt = read_time(value)) > 0) ratelimit->time_stamp = tt;
+			else printf("bad time value\n");
+			break;
+		case 1: ratelimit->time_usec = Uatoi(value);
+			break;
+		case 2: ratelimit->rate = Ustrtod(value, NULL);
+			break;
+		case 3: if (Ustrstr(name, "/unique/") != NULL
+			    && oldlength >= sizeof(dbdata_ratelimit_unique))
+			  {
+			  rate_unique = (dbdata_ratelimit_unique *)record;
+			  if ((tt = read_time(value)) > 0) rate_unique->bloom_epoch = tt;
+			    else printf("bad time value\n");
+			  break;
+			  }
+			/* else fall through */
+		case 4:
+		case 5: if (Ustrstr(name, "/unique/") != NULL
+			    && oldlength >= sizeof(dbdata_ratelimit_unique))
+			  {
+			  /* see acl.c */
+			  BOOL seen;
+			  unsigned hash, hinc;
+			  uschar md5sum[16];
+			  md5 md5info;
+			  md5_start(&md5info);
+			  md5_end(&md5info, value, Ustrlen(value), md5sum);
+			  hash = md5sum[0] <<  0 | md5sum[1] <<  8
+			       | md5sum[2] << 16 | md5sum[3] << 24;
+			  hinc = md5sum[4] <<  0 | md5sum[5] <<  8
+			       | md5sum[6] << 16 | md5sum[7] << 24;
+			  rate_unique = (dbdata_ratelimit_unique *)record;
+			  seen = TRUE;
+			  for (unsigned n = 0; n < 8; n++, hash += hinc)
+			    {
+			    int bit = 1 << (hash % 8);
+			    int byte = (hash / 8) % rate_unique->bloom_size;
+			    if ((rate_unique->bloom[byte] & bit) == 0)
+			      {
+			      seen = FALSE;
+			      if (fieldno == 5) rate_unique->bloom[byte] |= bit;
+			      }
+			    }
+			  printf("%s %s\n",
+			    seen ? "seen" : fieldno == 5 ? "added" : "unseen", value);
+			  break;
+			  }
+			/* else fall through */
+		default: printf("unknown field number\n");
+			 verify = 0;
+			 break;
+		}
+	      break;
+
+            case type_tls:
+	      printf("Can't change contents of tls database record\n");
+	      break;
+            }
+
+          dbfn_write(dbm, name, record, oldlength);
+          }
+        }
+      }
+
+    else
+      {
+      printf("field number or d expected\n");
+      verify = 0;
+      }
+
+    dbfn_close(dbm);
+    if (!verify) continue;
+    }
+
+  /* The "name" q causes an exit */
+
+  else if (Ustrcmp(name, "q") == 0) return 0;
+
+  /* Handle a read request, or verify after an update. */
+
+  if (!(dbm = dbfn_open(aname, O_RDONLY, &dbblock, FALSE, TRUE)))
+    continue;
+
+  if (!(record = dbfn_read_with_length(dbm, name, &oldlength)))
+    {
+    printf("record %s not found\n", name);
+    name[0] = 0;
+    }
+  else
+    {
+    int count_bad = 0;
+    printf("%s\n", CS print_time(((dbdata_generic *)record)->time_stamp));
+    switch(dbdata_type)
+      {
+      case type_retry:
+	retry = (dbdata_retry *)record;
+	printf("0 error number: %d %s\n", retry->basic_errno, retry->text);
+	printf("1 extra data:   %d\n", retry->more_errno);
+	printf("2 first failed: %s\n", print_time(retry->first_failed));
+	printf("3 last try:     %s\n", print_time(retry->last_try));
+	printf("4 next try:     %s\n", print_time(retry->next_try));
+	printf("5 expired:      %s\n", (retry->expired)? "yes" : "no");
+	break;
+
+      case type_wait:
+	wait = (dbdata_wait *)record;
+	t = wait->text;
+	printf("Sequence: %d\n", wait->sequence);
+	if (wait->count > WAIT_NAME_MAX)
+	  {
+	  printf("**** Data corrupted: count=%d=0x%x max=%d ****\n", wait->count,
+	    wait->count, WAIT_NAME_MAX);
+	  wait->count = WAIT_NAME_MAX;
+	  count_bad = 1;
+	  }
+	for (int i = 1; i <= wait->count; i++)
+	  {
+	  Ustrncpy(value, t, MESSAGE_ID_LENGTH);
+	  value[MESSAGE_ID_LENGTH] = 0;
+	  if (count_bad && value[0] == 0) break;
+	  if (Ustrlen(value) != MESSAGE_ID_LENGTH ||
+	      Ustrspn(value, "0123456789"
+			    "abcdefghijklmnopqrstuvwxyz"
+			    "ABCDEFGHIJKLMNOPQRSTUVWXYZ-") != MESSAGE_ID_LENGTH)
+	    {
+	    printf("\n**** Data corrupted: bad character in message id ****\n");
+	    for (int j = 0; j < MESSAGE_ID_LENGTH; j++)
+	      printf("%02x ", value[j]);
+	    printf("\n");
+	    break;
+	    }
+	  printf("%s ", value);
+	  t += MESSAGE_ID_LENGTH;
+	  }
+	printf("\n");
+	break;
+
+      case type_misc:
+	break;
+
+      case type_callout:
+	callout = (dbdata_callout_cache *)record;
+	printf("0 callout:    %s (%d)\n", print_cache(callout->result),
+	    callout->result);
+	if (oldlength > sizeof(dbdata_callout_cache_address))
+	  {
+	  printf("1 postmaster: %s (%d)\n", print_cache(callout->postmaster_result),
+	      callout->postmaster_result);
+	  printf("2 random:     %s (%d)\n", print_cache(callout->random_result),
+	      callout->random_result);
+	  }
+	break;
+
+      case type_ratelimit:
+	ratelimit = (dbdata_ratelimit *)record;
+	printf("0 time stamp:  %s\n", print_time(ratelimit->time_stamp));
+	printf("1 fract. time: .%06d\n", ratelimit->time_usec);
+	printf("2 sender rate: % .3f\n", ratelimit->rate);
+	if (Ustrstr(name, "/unique/") != NULL
+	 && oldlength >= sizeof(dbdata_ratelimit_unique))
+	 {
+	 rate_unique = (dbdata_ratelimit_unique *)record;
+	 printf("3 filter epoch: %s\n", print_time(rate_unique->bloom_epoch));
+	 printf("4 test filter membership\n");
+	 printf("5 add element to filter\n");
+	 }
+	break;
+
+      case type_tls:
+	session = (dbdata_tls_session *)value;
+	printf("0 time stamp:  %s\n", print_time(session->time_stamp));
+	printf("1 session: .%s\n", session->session);
+	break;
+      }
+    }
+
+  /* The database is closed after each request */
+
+  dbfn_close(dbm);
+  }
+
+printf("\n");
+return 0;
+}
+
+#endif  /* EXIM_FIXDB */
+
+
+
+#ifdef EXIM_TIDYDB
+/*************************************************
+*           The exim_tidydb main program         *
+*************************************************/
+
+
+/* Utility program to tidy the contents of an exim database file. There is one
+option:
+
+   -t <time>  expiry time for old records - default 30 days
+
+For backwards compatibility, an -f option is recognized and ignored. (It used
+to request a "full" tidy. This version always does the whole job.) */
+
+
+typedef struct key_item {
+  struct key_item *next;
+  uschar key[1];
+} key_item;
+
+
+int
+main(int argc, char **cargv)
+{
+struct stat statbuf;
+int maxkeep = 30 * 24 * 60 * 60;
+int dbdata_type, i, oldest, path_len;
+key_item *keychain = NULL;
+rmark reset_point;
+open_db dbblock;
+open_db *dbm;
+EXIM_CURSOR *cursor;
+uschar **argv = USS cargv;
+uschar buffer[256];
+uschar *key;
+
+store_init();
+
+/* Scan the options */
+
+for (i = 1; i < argc; i++)
+  {
+  if (argv[i][0] != '-') break;
+  if (Ustrcmp(argv[i], "-f") == 0) continue;
+  if (Ustrcmp(argv[i], "-t") == 0)
+    {
+    uschar *s;
+    s = argv[++i];
+    maxkeep = 0;
+    while (*s != 0)
+      {
+      int value, count;
+      if (!isdigit(*s)) usage(US"tidydb", US" [-t <time>]");
+      (void)sscanf(CS s, "%d%n", &value, &count);
+      s += count;
+      switch (*s)
+        {
+        case 'w': value *= 7;
+        case 'd': value *= 24;
+        case 'h': value *= 60;
+        case 'm': value *= 60;
+        case 's': s++;
+        break;
+        default: usage(US"tidydb", US" [-t <time>]");
+        }
+      maxkeep += value;
+      }
+    }
+  else usage(US"tidydb", US" [-t <time>]");
+  }
+
+/* Adjust argument values and process arguments */
+
+argc -= --i;
+argv += i;
+
+dbdata_type = check_args(argc, argv, US"tidydb", US" [-t <time>]");
+
+/* Compute the oldest keep time, verify what we are doing, and open the
+database */
+
+oldest = time(NULL) - maxkeep;
+printf("Tidying Exim hints database %s/db/%s\n", argv[1], argv[2]);
+
+spool_directory = argv[1];
+if (!(dbm = dbfn_open(argv[2], O_RDWR, &dbblock, FALSE, TRUE)))
+  exit(1);
+
+/* Prepare for building file names */
+
+sprintf(CS buffer, "%s/input/", argv[1]);
+path_len = Ustrlen(buffer);
+
+
+/* It appears, by experiment, that it is a bad idea to make changes
+to the file while scanning it. Pity the man page doesn't warn you about that.
+Therefore, we scan and build a list of all the keys. Then we use that to
+read the records and possibly update them. */
+
+for (key = dbfn_scan(dbm, TRUE, &cursor);
+     key;
+     key = dbfn_scan(dbm, FALSE, &cursor))
+  {
+  key_item * k = store_get(sizeof(key_item) + Ustrlen(key), key);
+  k->next = keychain;
+  keychain = k;
+  Ustrcpy(k->key, key);
+  }
+
+/* Now scan the collected keys and operate on the records, resetting
+the store each time round. */
+
+for (; keychain && (reset_point = store_mark()); store_reset(reset_point))
+  {
+  dbdata_generic *value;
+
+  key = keychain->key;
+  keychain = keychain->next;
+  value = dbfn_read_with_length(dbm, key, NULL);
+
+  /* A continuation record may have been deleted or renamed already, so
+  non-existence is not serious. */
+
+  if (!value) continue;
+
+  /* Delete if too old */
+
+  if (value->time_stamp < oldest)
+    {
+    printf("deleted %s (too old)\n", key);
+    dbfn_delete(dbm, key);
+    continue;
+    }
+
+  /* Do database-specific tidying for wait databases, and message-
+  specific tidying for the retry database. */
+
+  if (dbdata_type == type_wait)
+    {
+    dbdata_wait *wait = (dbdata_wait *)value;
+    BOOL update = FALSE;
+
+    /* Leave corrupt records alone */
+
+    if (wait->time_stamp > time(NULL))
+      {
+      printf("**** Data for '%s' corrupted\n  time in future: %s\n",
+        key, print_time(((dbdata_generic *)value)->time_stamp));
+      continue;
+      }
+    if (wait->count > WAIT_NAME_MAX)
+      {
+      printf("**** Data for '%s' corrupted\n  count=%d=0x%x max=%d\n",
+        key, wait->count, wait->count, WAIT_NAME_MAX);
+      continue;
+      }
+    if (wait->sequence > WAIT_CONT_MAX)
+      {
+      printf("**** Data for '%s' corrupted\n  sequence=%d=0x%x max=%d\n",
+        key, wait->sequence, wait->sequence, WAIT_CONT_MAX);
+      continue;
+      }
+
+    /* Record over 1 year old; just remove it */
+
+    if (wait->time_stamp < time(NULL) - 365*24*60*60)
+      {
+      dbfn_delete(dbm, key);
+      printf("deleted %s (too old)\n", key);
+      continue;
+      }
+
+    /* Loop for renamed continuation records. For each message id,
+    check to see if the message exists, and if not, remove its entry
+    from the record. Because of the possibility of split input directories,
+    we must look in both possible places for a -D file. */
+
+    for (;;)
+      {
+      int length = wait->count * MESSAGE_ID_LENGTH;
+
+      for (int offset = length - MESSAGE_ID_LENGTH;
+           offset >= 0; offset -= MESSAGE_ID_LENGTH)
+        {
+        Ustrncpy(buffer+path_len, wait->text + offset, MESSAGE_ID_LENGTH);
+        sprintf(CS(buffer+path_len + MESSAGE_ID_LENGTH), "-D");
+
+        if (Ustat(buffer, &statbuf) != 0)
+          {
+          buffer[path_len] = wait->text[offset+5];
+          buffer[path_len+1] = '/';
+          Ustrncpy(buffer+path_len+2, wait->text + offset, MESSAGE_ID_LENGTH);
+          sprintf(CS(buffer+path_len+2 + MESSAGE_ID_LENGTH), "-D");
+
+          if (Ustat(buffer, &statbuf) != 0)
+            {
+            int left = length - offset - MESSAGE_ID_LENGTH;
+            if (left > 0) Ustrncpy(wait->text + offset,
+              wait->text + offset + MESSAGE_ID_LENGTH, left);
+            wait->count--;
+            length -= MESSAGE_ID_LENGTH;
+            update = TRUE;
+            }
+          }
+        }
+
+      /* If record is empty and the main record, either delete it or rename
+      the next continuation, repeating if that is also empty. */
+
+      if (wait->count == 0 && Ustrchr(key, ':') == NULL)
+        {
+        while (wait->count == 0 && wait->sequence > 0)
+          {
+          uschar newkey[256];
+          dbdata_generic *newvalue;
+          sprintf(CS newkey, "%s:%d", key, wait->sequence - 1);
+          newvalue = dbfn_read_with_length(dbm, newkey, NULL);
+          if (newvalue != NULL)
+            {
+            value = newvalue;
+            wait = (dbdata_wait *)newvalue;
+            dbfn_delete(dbm, newkey);
+            printf("renamed %s\n", newkey);
+            update = TRUE;
+            }
+          else wait->sequence--;
+          }
+
+        /* If we have ended up with an empty main record, delete it
+        and break the loop. Otherwise the new record will be scanned. */
+
+        if (wait->count == 0 && wait->sequence == 0)
+          {
+          dbfn_delete(dbm, key);
+          printf("deleted %s (empty)\n", key);
+          update = FALSE;
+          break;
+          }
+        }
+
+      /* If not an empty main record, break the loop */
+
+      else break;
+      }
+
+    /* Re-write the record if required */
+
+    if (update)
+      {
+      printf("updated %s\n", key);
+      dbfn_write(dbm, key, wait, sizeof(dbdata_wait) +
+        wait->count * MESSAGE_ID_LENGTH);
+      }
+    }
+
+  /* If a retry record's key ends with a message-id, check that that message
+  still exists; if not, remove this record. */
+
+  else if (dbdata_type == type_retry)
+    {
+    uschar *id;
+    int len = Ustrlen(key);
+
+    if (len < MESSAGE_ID_LENGTH + 1) continue;
+    id = key + len - MESSAGE_ID_LENGTH - 1;
+    if (*id++ != ':') continue;
+
+    for (i = 0; i < MESSAGE_ID_LENGTH; i++)
+      if (i == 6 || i == 13)
+        { if (id[i] != '-') break; }
+      else
+        { if (!isalnum(id[i])) break; }
+    if (i < MESSAGE_ID_LENGTH) continue;
+
+    Ustrncpy(buffer + path_len, id, MESSAGE_ID_LENGTH);
+    sprintf(CS(buffer + path_len + MESSAGE_ID_LENGTH), "-D");
+
+    if (Ustat(buffer, &statbuf) != 0)
+      {
+      sprintf(CS(buffer + path_len), "%c/%s-D", id[5], id);
+      if (Ustat(buffer, &statbuf) != 0)
+        {
+        dbfn_delete(dbm, key);
+        printf("deleted %s (no message)\n", key);
+        }
+      }
+    }
+  }
+
+dbfn_close(dbm);
+printf("Tidying complete\n");
+return 0;
+}
+
+#endif  /* EXIM_TIDYDB */
+
+/* End of exim_dbutil.c */
diff --git a/src/exim_lock.c b/src/exim_lock.c
new file mode 100644
index 0000000..427d22c
--- /dev/null
+++ b/src/exim_lock.c
@@ -0,0 +1,663 @@
+/* A program to lock a file exactly as Exim would, for investigation of
+interlocking problems.
+
+Options:  -fcntl    use fcntl() lock
+          -flock    use flock() lock
+          -lockfile use lock file
+          -mbx      use mbx locking rules, with either fcntl() or flock()
+
+Default is -fcntl -lockfile.
+
+Argument: the name of the lock file
+
+Copyright (c) The Exim Maintainers 2016 - 2021
+*/
+
+#include "os.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <errno.h>
+#include <time.h>
+#include <netdb.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <utime.h>
+#include <sys/utsname.h>
+#include <sys/stat.h>
+#include <sys/file.h>
+#include <pwd.h>
+
+/* Not all systems have flock() available. Those that do must define LOCK_SH
+in sys/file.h. */
+
+#ifndef LOCK_SH
+#define NO_FLOCK
+#endif
+
+
+typedef unsigned BOOL;
+#define FALSE 0
+#define TRUE  1
+
+
+/* Flag for timeout signal handler */
+
+static int sigalrm_seen = FALSE;
+
+
+/* We need to pull in strerror() and os_non_restarting_signal() from the
+os.c source, if they are required for this OS. However, we don't need any of
+the other stuff in os.c, so force the other macros to omit it. */
+
+#ifndef OS_RESTARTING_SIGNAL
+  #define OS_RESTARTING_SIGNAL
+#endif
+
+#ifndef OS_STRSIGNAL
+  #define OS_STRSIGNAL
+#endif
+
+#ifndef OS_STREXIT
+  #define OS_STREXIT
+#endif
+
+#ifndef OS_LOAD_AVERAGE
+  #define OS_LOAD_AVERAGE
+#endif
+
+#ifndef FIND_RUNNING_INTERFACES
+  #define FIND_RUNNING_INTERFACES
+#endif
+
+#ifndef OS_GET_DNS_RESOLVER_RES
+  #define OS_GET_DNS_RESOLVER_RES
+#endif
+
+#include "../src/os.c"
+
+
+
+/*************************************************
+*             Timeout handler                    *
+*************************************************/
+
+static void
+sigalrm_handler(int sig)
+{
+sigalrm_seen = TRUE;
+}
+
+
+
+/*************************************************
+*           Give usage and die                   *
+*************************************************/
+
+static void
+usage(void)
+{
+printf("usage: exim_lock [-v] [-q] [-lockfile] [-fcntl] [-flock] [-mbx]\n"
+       "       [-retries <n>] [-interval <n>] [-timeout <n>] [-restore-times]\n"
+       "       <file name> [command]\n");
+exit(1);
+}
+
+
+
+/*************************************************
+*         Apply a lock to a file descriptor      *
+*************************************************/
+
+static int
+apply_lock(int fd, int fcntltype, BOOL dofcntl, int fcntltime, BOOL doflock,
+    int flocktime)
+{
+int yield = 0;
+int save_errno;
+struct flock lock_data;
+lock_data.l_type = fcntltype;
+lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
+
+sigalrm_seen = FALSE;
+
+if (dofcntl)
+  {
+  if (fcntltime > 0)
+    {
+    os_non_restarting_signal(SIGALRM, sigalrm_handler);
+    alarm(fcntltime);
+    yield = fcntl(fd, F_SETLKW, &lock_data);
+    save_errno = errno;
+    alarm(0);
+    errno = save_errno;
+    }
+  else yield = fcntl(fd, F_SETLK, &lock_data);
+  if (yield < 0) printf("exim_lock: fcntl() failed: %s\n", strerror(errno));
+  }
+
+#ifndef NO_FLOCK
+if (doflock && (yield >= 0))
+  {
+  int flocktype = (fcntltype == F_WRLCK)? LOCK_EX : LOCK_SH;
+  if (flocktime > 0)
+    {
+    os_non_restarting_signal(SIGALRM, sigalrm_handler);
+    alarm(flocktime);
+    yield = flock(fd, flocktype);
+    save_errno = errno;
+    alarm(0);
+    errno = save_errno;
+    }
+  else yield = flock(fd, flocktype | LOCK_NB);
+  if (yield < 0) printf("exim_lock: flock() failed: %s\n", strerror(errno));
+  }
+#endif
+
+return yield;
+}
+
+
+
+/*************************************************
+*           The exim_lock program                *
+*************************************************/
+
+int main(int argc, char **argv)
+{
+int  lock_retries = 10;
+int  lock_interval = 3;
+int  lock_fcntl_timeout = 0;
+int  lock_flock_timeout = 0;
+int  i, j, len;
+int  fd = -1;
+int  hd = -1;
+int  md = -1;
+int  yield = 0;
+time_t now = time(NULL);
+BOOL use_lockfile = FALSE;
+BOOL use_fcntl = FALSE;
+BOOL use_flock = FALSE;
+BOOL use_mbx = FALSE;
+BOOL verbose = FALSE;
+BOOL quiet = FALSE;
+BOOL restore_times = FALSE;
+char *filename;
+char *lockname = NULL, *hitchname = NULL;
+char *primary_hostname;
+const char *command;
+struct utsname s;
+char buffer[256];
+char tempname[256];
+
+/* Decode options */
+
+for (i = 1; i < argc; i++)
+  {
+  char *arg = argv[i];
+  if (*arg != '-') break;
+  if (strcmp(arg, "-fcntl") == 0) use_fcntl = TRUE;
+  else if (strcmp(arg, "-flock") == 0) use_flock = TRUE;
+  else if (strcmp(arg, "-lockfile") == 0) use_lockfile = TRUE;
+  else if (strcmp(arg, "-mbx") == 0) use_mbx = TRUE;
+  else if (strcmp(arg, "-v") == 0) verbose = TRUE;
+  else if (strcmp(arg, "-q") == 0) quiet = TRUE;
+  else if (strcmp(arg, "-restore-times") == 0) restore_times = TRUE;
+  else if (++i < argc)
+    {
+    int value = atoi(argv[i]);
+    if (strcmp(arg, "-retries") == 0) lock_retries = value;
+    else if (strcmp(arg, "-interval") == 0) lock_interval = value;
+    else if (strcmp(arg, "-timeout") == 0)
+      lock_fcntl_timeout = lock_flock_timeout = value;
+    else usage();
+    }
+  else usage();
+  }
+
+if (quiet) verbose = FALSE;
+
+/* Can't use flock() if the OS doesn't provide it */
+
+#ifdef NO_FLOCK
+if (use_flock)
+  {
+  printf("exim_lock: can't use flock() because it was not available in the\n"
+         "           operating system when exim_lock was compiled\n");
+  exit(1);
+  }
+#endif
+
+/* Default is to use lockfiles and fcntl(). */
+
+if (!use_lockfile && !use_fcntl && !use_flock && !use_mbx)
+  use_lockfile = use_fcntl = TRUE;
+
+/* Default fcntl() for use with mbx */
+
+if (use_mbx && !use_fcntl && !use_flock) use_fcntl = TRUE;
+
+/* Unset unused timeouts */
+
+if (!use_fcntl) lock_fcntl_timeout = 0;
+if (!use_flock) lock_flock_timeout = 0;
+
+/* A file name is required */
+
+if (i >= argc) usage();
+
+filename = argv[i++];
+
+/* Expand file names starting with ~ */
+
+if (*filename == '~')
+  {
+  struct passwd *pw;
+
+  if (*(++filename) == '/')
+    pw = getpwuid(getuid());
+  else
+    {
+    char *s = buffer;
+    while (*filename != 0 && *filename != '/')
+      *s++ = *filename++;
+    *s = 0;
+    pw = getpwnam(buffer);
+    }
+
+  if (pw == NULL)
+    {
+    printf("exim_lock: unable to expand file name %s\n", argv[i-1]);
+    exit(1);
+    }
+
+  if ((int)strlen(pw->pw_dir) + (int)strlen(filename) + 1 > sizeof(buffer))
+    {
+    printf("exim_lock: expanded file name %s%s is too long", pw->pw_dir,
+      filename);
+    exit(1);
+    }
+
+  strcpy(buffer, pw->pw_dir);
+  strcat(buffer, filename);
+  filename = buffer;
+  }
+
+/* If using a lock file, prepare by creating the lock file name and
+the hitching post name. */
+
+if (use_lockfile)
+  {
+  if (uname(&s) < 0)
+    {
+    printf("exim_lock: failed to find host name using uname()\n");
+    exit(1);
+    }
+  primary_hostname = s.nodename;
+
+  len = (int)strlen(filename);
+  lockname = malloc(len + 8);
+  sprintf(lockname, "%s.lock", filename);
+  hitchname = malloc(len + 32 + (int)strlen(primary_hostname));
+
+  /* Presumably, this must match appendfile.c */
+  sprintf(hitchname, "%s.%s.%08x.%08x", lockname, primary_hostname,
+    (unsigned int)now, (unsigned int)getpid());
+
+  if (verbose)
+    printf("exim_lock: lockname =  %s\n           hitchname = %s\n", lockname,
+      hitchname);
+  }
+
+/* Locking retry loop */
+
+for (j = 0; j < lock_retries; j++)
+  {
+  int sleep_before_retry = TRUE;
+  struct stat statbuf, ostatbuf, lstatbuf, statbuf2;
+  int mbx_tmp_oflags;
+
+  /* Try to build a lock file if so configured */
+
+  if (use_lockfile)
+    {
+    int rc, rc2;
+    if (verbose) printf("exim_lock: creating lock file\n");
+    hd = open(hitchname, O_WRONLY | O_CREAT | O_EXCL, 0440);
+    if (hd < 0)
+      {
+      printf("exim_lock: failed to create hitching post %s: %s\n", hitchname,
+        strerror(errno));
+      exit(1);
+      }
+
+    /* Apply hitching post algorithm. */
+
+    if ((rc = link(hitchname, lockname)) != 0)
+     rc2 = fstat(hd, &statbuf);
+    (void)close(hd);
+    unlink(hitchname);
+
+    if (rc != 0 && (rc2 != 0 || statbuf.st_nlink != 2))
+      {
+      printf("exim_lock: failed to link hitching post to lock file\n");
+      hd = -1;
+      goto RETRY;
+      }
+
+    if (!quiet) printf("exim_lock: lock file successfully created\n");
+    }
+
+  /* We are done if no other locking required. */
+
+  if (!use_fcntl && !use_flock && !use_mbx) break;
+
+  /* Open the file for writing. */
+
+  if ((fd = open(filename, O_RDWR + O_APPEND)) < 0)
+    {
+    printf("exim_lock: failed to open %s for writing: %s\n", filename,
+      strerror(errno));
+    yield = 1;
+    goto CLEAN_UP;
+    }
+
+  /* If there is a timeout, implying blocked locking, we don't want to
+  sleep before any retries after this. */
+
+  if (lock_fcntl_timeout > 0 || lock_flock_timeout > 0)
+    sleep_before_retry = FALSE;
+
+  /* Lock using fcntl. There are pros and cons to using a blocking call vs
+  a non-blocking call and retries. Exim is non-blocking by default, but setting
+  a timeout changes it to blocking. */
+
+  if (!use_mbx && (use_fcntl || use_flock))
+    if (apply_lock(fd, F_WRLCK, use_fcntl, lock_fcntl_timeout, use_flock,
+        lock_flock_timeout) >= 0)
+      {
+      if (!quiet)
+        {
+        if (use_fcntl) printf("exim_lock: fcntl() lock successfully applied\n");
+        if (use_flock) printf("exim_lock: flock() lock successfully applied\n");
+        }
+      break;
+      }
+    else
+      goto RETRY;   /* Message already output */
+
+  /* Lock using MBX rules. This is complicated and is documented with the
+  source of the c-client library that goes with Pine and IMAP. What has to
+  be done to interwork correctly is to take out a shared lock on the mailbox,
+  and an exclusive lock on a /tmp file. */
+
+  else
+    {
+    if (apply_lock(fd, F_RDLCK, use_fcntl, lock_fcntl_timeout, use_flock,
+        lock_flock_timeout) >= 0)
+      {
+      if (!quiet)
+        {
+        if (use_fcntl)
+          printf("exim_lock: fcntl() read lock successfully applied\n");
+        if (use_flock)
+          printf("exim_lock: fcntl() read lock successfully applied\n");
+        }
+      }
+    else goto RETRY;   /* Message already output */
+
+    if (fstat(fd, &statbuf) < 0)
+      {
+      printf("exim_lock: fstat() of %s failed: %s\n", filename,
+        strerror(errno));
+      yield = 1;
+      goto CLEAN_UP;
+      }
+
+    /* Set up file in /tmp and check its state if already existing. */
+
+    sprintf(tempname, "/tmp/.%lx.%lx", (long)statbuf.st_dev,
+      (long)statbuf.st_ino);
+
+    if (lstat(tempname, &statbuf) >= 0)
+      {
+      if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
+        {
+        printf("exim_lock: symbolic link on lock name %s\n", tempname);
+        yield = 1;
+        goto CLEAN_UP;
+        }
+      if (statbuf.st_nlink > 1)
+        {
+        printf("exim_lock: hard link to lock name %s\n", tempname);
+        yield = 1;
+        goto CLEAN_UP;
+        }
+      }
+
+    mbx_tmp_oflags = O_RDWR | O_CREAT;
+#ifdef O_NOFOLLOW
+    mbx_tmp_oflags |= O_NOFOLLOW;
+#endif
+    md = open(tempname, mbx_tmp_oflags, 0600);
+    if (md < 0)
+      {
+      printf("exim_lock: failed to create mbx lock file %s: %s\n",
+        tempname, strerror(errno));
+      goto CLEAN_UP;
+      }
+
+    /* security fixes from 2010-05 */
+    if (lstat(tempname, &lstatbuf) < 0)
+      {
+      printf("exim_lock: failed to lstat(%s) after opening it: %s\n",
+          tempname, strerror(errno));
+      goto CLEAN_UP;
+      }
+    if (fstat(md, &statbuf2) < 0)
+      {
+      printf("exim_lock: failed to fstat() open fd of \"%s\": %s\n",
+          tempname, strerror(errno));
+      goto CLEAN_UP;
+      }
+    if ((statbuf2.st_nlink > 1) ||
+        (lstatbuf.st_nlink > 1) ||
+        (!S_ISREG(lstatbuf.st_mode)) ||
+        (lstatbuf.st_dev != statbuf2.st_dev) ||
+        (lstatbuf.st_ino != statbuf2.st_ino))
+      {
+      printf("exim_lock: race condition exploited against us when "
+          "locking \"%s\"\n", tempname);
+      goto CLEAN_UP;
+      }
+
+    (void)chmod(tempname, 0600);
+
+    if (apply_lock(md, F_WRLCK, use_fcntl, lock_fcntl_timeout, use_flock,
+        lock_flock_timeout) >= 0)
+      {
+      if (!quiet)
+        {
+        if (use_fcntl)
+          printf("exim_lock: fcntl() lock successfully applied to mbx "
+            "lock file %s\n", tempname);
+        if (use_flock)
+          printf("exim_lock: flock() lock successfully applied to mbx "
+            "lock file %s\n", tempname);
+        }
+
+      /* This test checks for a race condition */
+
+      if (lstat(tempname, &statbuf) != 0 ||
+          fstat(md, &ostatbuf) != 0 ||
+          statbuf.st_dev != ostatbuf.st_dev ||
+          statbuf.st_ino != ostatbuf.st_ino)
+       {
+       if (!quiet) printf("exim_lock: mbx lock file %s changed between "
+           "creation and locking\n", tempname);
+       goto RETRY;
+       }
+      else break;
+      }
+    else goto RETRY;   /* Message already output */
+    }
+
+  /* Clean up before retrying */
+
+  RETRY:
+
+  if (md >= 0)
+    {
+    if (close(md) < 0)
+      printf("exim_lock: close %s failed: %s\n", tempname, strerror(errno));
+    else
+      if (!quiet) printf("exim_lock: %s closed\n", tempname);
+    md = -1;
+    }
+
+  if (fd >= 0)
+    {
+    if (close(fd) < 0)
+      printf("exim_lock: close failed: %s\n", strerror(errno));
+    else
+      if (!quiet) printf("exim_lock: file closed\n");
+    fd = -1;
+    }
+
+  if (hd >= 0)
+    {
+    if (unlink(lockname) < 0)
+      printf("exim_lock: unlink of %s failed: %s\n", lockname, strerror(errno));
+    else
+      if (!quiet) printf("exim_lock: lock file removed\n");
+    hd = -1;
+    }
+
+  /* If a blocking call timed out, break the retry loop if the total time
+  so far is not less than than retries * interval. */
+
+  if (sigalrm_seen &&
+      (j + 1) * ((lock_fcntl_timeout > lock_flock_timeout)?
+        lock_fcntl_timeout : lock_flock_timeout) >=
+          lock_retries * lock_interval)
+    j = lock_retries;
+
+  /* Wait a bit before retrying, except when it was a blocked fcntl() that
+  caused the problem. */
+
+  if (j < lock_retries && sleep_before_retry)
+    {
+    printf(" ... waiting\n");
+    sleep(lock_interval);
+    }
+  }
+
+if (j >= lock_retries)
+  {
+  printf("exim_lock: locking failed too many times\n");
+  yield = 1;
+  goto CLEAN_UP;
+  }
+
+if (!quiet) printf("exim_lock: locking %s succeeded: ", filename);
+
+/* If there are no further arguments, run the user's shell; otherwise
+the next argument is a command to run. */
+
+if (i >= argc)
+  {
+  command = getenv("SHELL");
+  if (command == NULL || *command == 0) command = "/bin/sh";
+  if (!quiet) printf("running %s ...\n", command);
+  }
+else
+  {
+  command = argv[i];
+  if (!quiet) printf("running the command ...\n");
+  }
+
+/* Run the command, saving and restoring the times if required. */
+
+if (restore_times)
+  {
+  struct stat strestore;
+#ifdef EXIM_HAVE_FUTIMENS
+  int fd = open(filename, O_RDWR); /* use fd for both get & restore */
+  struct timespec tt[2];
+
+  if (fd < 0)
+    {
+    printf("open '%s': %s\n", filename, strerror(errno));
+    yield = 1;
+    goto CLEAN_UP;
+    }
+  if (fstat(fd, &strestore) != 0)
+    {
+    printf("fstat '%s': %s\n", filename, strerror(errno));
+    yield = 1;
+    close(fd);
+    goto CLEAN_UP;
+    }
+  i = system(command);
+  tt[0] = strestore.st_atim;
+  tt[1] = strestore.st_mtim;
+  (void) futimens(fd, tt);
+  (void) close(fd);
+#else
+  struct utimbuf ut;
+
+  stat(filename, &strestore);
+  i = system(command);
+  ut.actime = strestore.st_atime;
+  ut.modtime = strestore.st_mtime;
+  utime(filename, &ut);
+#endif
+  }
+else i = system(command);
+
+if(i && !quiet) printf("warning: nonzero status %d\n", i);
+
+/* Remove the locks and exit. Unlink the /tmp file if we can get an exclusive
+lock on the mailbox. This should be a non-blocking lock call, as there is no
+point in waiting. */
+
+CLEAN_UP:
+
+if (md >= 0)
+  {
+  if (apply_lock(fd, F_WRLCK, use_fcntl, 0, use_flock, 0) >= 0)
+    {
+    if (!quiet) printf("exim_lock: %s unlinked - no sharers\n", tempname);
+    unlink(tempname);
+    }
+  else if (!quiet)
+    printf("exim_lock: %s not unlinked - unable to get exclusive mailbox lock\n",
+      tempname);
+  if (close(md) < 0)
+    printf("exim_lock: close %s failed: %s\n", tempname, strerror(errno));
+  else
+    if (!quiet) printf("exim_lock: %s closed\n", tempname);
+  }
+
+if (fd >= 0)
+  {
+  if (close(fd) < 0)
+    printf("exim_lock: close %s failed: %s\n", filename, strerror(errno));
+  else
+    if (!quiet) printf("exim_lock: %s closed\n", filename);
+  }
+
+if (hd >= 0)
+  {
+  if (unlink(lockname) < 0)
+    printf("exim_lock: unlink %s failed: %s\n", lockname, strerror(errno));
+  else
+    if (!quiet) printf("exim_lock: lock file removed\n");
+  }
+
+return yield;
+}
+
+/* End */
diff --git a/src/eximon.src b/src/eximon.src
new file mode 100644
index 0000000..6293a7c
--- /dev/null
+++ b/src/eximon.src
@@ -0,0 +1,221 @@
+# Base source of start-up shell script for the Exim Monitor. Used to set the
+# required environment variables before running the program. Using script
+# rather than a configuration file means that computation can be done.
+# The build process concatenates on the front of this various settings from
+# os-specific files and from the user's configuration file.
+
+# Copyright (c) 2004 - 2015 University of Cambridge.
+# See the file NOTICE for conditions of use and distribution.
+
+# Except when they appear in comments, the following placeholders in this
+# source are replaced when it is turned into a runnable script:
+#
+# CONFIGURE_FILE_USE_NODE
+# CONFIGURE_FILE
+# BIN_DIRECTORY
+# BASENAME_COMMAND
+# HOSTNAME_COMMAND
+# X11_LD_LIBRARY
+
+# PROCESSED_FLAG
+#
+if test "x$1" = x--version
+then
+    echo "`basename $0`: $0"
+    echo "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION"
+    exit 0
+fi
+
+# See if caller wants to invoke gdb
+
+use_gdb=''
+
+case ${1:-foo} in
+  gdb*) use_gdb="$1"; shift ;;
+esac
+
+# Save arguments (can be the usual X parameters)
+
+cmd_args="$@"
+
+# See if this installation is using the esoteric "USE_NODE" feature of Exim,
+# in which it uses the host's name as a suffix for the configuration file name.
+
+if [ "CONFIGURE_FILE_USE_NODE" = "yes" ]; then
+  hostsuffix=.`uname -n`
+fi
+
+# Now find the configuration file name. This has got complicated because
+# CONFIGURE_FILE may now be a list of files. The one that is used is the first
+# one that exists. Mimic the code in readconf.c by testing first for the
+# suffixed file in each case.
+
+set `awk -F: '{ for (i = 1; i <= NF; i++) print $i }' <<End
+CONFIGURE_FILE
+End
+`
+while [ "$config" = "" -a $# -gt 0 ] ; do
+  if [ -f "$1$hostsuffix" ] ; then
+    config="$1$hostsuffix"
+  elif [ -f "$1" ] ; then
+    config="$1"
+  fi
+  shift
+done
+
+# Determine where the spool directory is and whether there is any setting of
+# log_file_path. Search for an exim_path setting in the configure file;
+# otherwise use the bin directory. Call that version of Exim to find the spool
+# directory and the setting of log_file_path.
+
+config=${EXIMON_EXIM_CONFIG-$config}
+
+# Add code here to redefine "config" if an alternative configuration file
+# should be used in some circumstances. If you do that, you should also arrange
+# for the value to be set in EXIMON_EXIM_CONFIG, and to export that variable
+# into the environment. BEWARE: a tab character is needed in the command below.
+# It has had a nasty tendency to get lost in the past. Use a variable to hold a
+# space and a tab to keep the tab in one place.
+
+st='	 '
+EXIM_PATH=`grep "^[$st]*exim_path" $config | sed "s/.*=[$st]*//"`
+if test "$EXIM_PATH" = ""; then EXIM_PATH=BIN_DIRECTORY/exim; fi
+
+SPOOL_DIRECTORY=`$EXIM_PATH -C $config -bP spool_directory | sed 's/.*=[  ]*//'`
+LOG_FILE_PATH=`$EXIM_PATH -C $config -bP log_file_path | sed 's/.*=[  ]*//'`
+
+# If log_file_path is "syslog" then logging is only to syslog, and the monitor
+# is unable to display a log tail unless EXIMON_LOG_FILE_PATH is set to tell
+# it where the log data is. If log_file_path is unset (i.e. empty) the default
+# is "mainlog" in the "log" directory in the spool directory. Otherwise,
+# remove any occurrences of "syslog:" or ":syslog" (spaces allowed in various
+# places) and look at the remainder of the entry. If it's null, check whether
+# LOG_FILE_NAME was set a compile time and contains a path. Otherwise fall
+# back to the default path.
+
+if [ "$EXIMON_LOG_FILE_PATH" != "" ] ; then
+  LOG_FILE_NAME="$EXIMON_LOG_FILE_PATH"
+elif [ "$LOG_FILE_PATH" = "syslog" ] ; then
+  LOG_FILE_NAME=""
+  echo \*\*\*
+  echo Exim is using the syslog interface for its log data. If you redirect all
+  echo MAIL.INFO syslog messages into a separate file, you can point eximon at
+  echo that file with the EXIMON_LOG_FILE_PATH environment variable.
+  echo \*\*\*
+elif [ "$LOG_FILE_PATH" = "" ] ; then
+    LOG_FILE_NAME=$SPOOL_DIRECTORY/log/mainlog
+else
+  LOG_FILE_NAME=`echo $LOG_FILE_PATH | \
+    sed -e 's/ *: *syslog *: */:/' \
+        -e 's/ *: *syslog *$//' \
+        -e 's/^ *syslog *: *//' \
+        -e 's/%s/main/'`
+  if [ "$LOG_FILE_NAME" = "" ] ; then
+    COMPILETIMEDEFAULT=`$EXIM_PATH -C /dev/null -bP log_file_path | \
+      sed -e 's/.*=[  ]*//' \
+        -e 's/ *: *syslog *: */:/' \
+        -e 's/ *: *syslog *$//' \
+        -e 's/^ *syslog *: *//' \
+        -e 's/%s/main/'`
+    if [ "$COMPILETIMEDEFAULT" != "" ] ; then
+      LOG_FILE_NAME="$COMPILETIMEDEFAULT"
+    else
+      LOG_FILE_NAME=$SPOOL_DIRECTORY/log/mainlog
+    fi
+  fi
+fi
+
+# The basename and hostname commands vary from system to system
+
+basename=BASENAME_COMMAND
+hostname=HOSTNAME_COMMAND
+
+# SunOS5 is a pain in that they may be in one of two places. So is Linux
+# in the case of basename. Set up a general mechanism for searching for
+# them in several places.
+
+if [ "${basename}" = "look_for_it" ] ; then
+  if [ -f /usr/bin/basename ] ; then
+    basename=/usr/bin/basename
+  else
+    if [ -f /bin/basename ] ; then
+      basename=/bin/basename
+    else
+      basename=/usr/ucb/basename
+    fi
+  fi
+fi
+
+if [ "${hostname}" = "look_for_it" ] ; then
+  if [ -f /usr/bin/hostname ] ; then
+    hostname=/usr/bin/hostname
+  else
+    if [ -f /bin/hostname ] ; then
+      hostname=/bin/hostname
+    else
+      hostname=/usr/ucb/hostname
+    fi
+  fi
+fi
+
+# Set hostname to the full hostname with the specified domain
+# stripped off its end. On Solaris 2, the default basename
+# command treats its suffix argument as a pattern. Consequently,
+# if fullhostname contains no dots but ends with what looks like
+# the domain, straightforward use of basename screws things up.
+# Use a general test for this case, just in case any other OS
+# do the same.
+
+fullhostname=`${hostname}`
+case `${basename} abc .c` in
+  a) hostname=`${basename} ${fullhostname} '\.'${DOMAIN}` ;;
+  *) hostname=`${basename} ${fullhostname} .${DOMAIN}` ;;
+esac
+
+
+# Arrange for the window title field to be substituted by the shell
+# so that it can contain either the full or the short host name. This
+# is a tedious little bit of magic, but I don't know how to do it
+# in a less tortuous way.
+
+WINDOW_TITLE=`fullhostname=${fullhostname} hostname=${hostname} /bin/sh <<xx
+echo ${WINDOW_TITLE}
+xx
+`
+
+# Add the X11 library to the library path, and then export the
+# environment variables used by eximon. The string X11-LD-LIBRARY
+# (with underscores, not hyphens) below is replaced by the configured
+# library name when the script is built. (Hyphens are used in the description
+# to stop it getting changed there too.)
+
+X11LIB=X11_LD_LIBRARY
+
+if [ "${LD_LIBRARY_PATH}" = "" ] ; then
+  LD_LIBRARY_PATH=${X11LIB}
+else
+  LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:${X11LIB}
+fi
+
+export EXIM_PATH LD_LIBRARY_PATH \
+  LOG_BUFFER LOG_DEPTH LOG_FILE_NAME LOG_FONT LOG_WIDTH \
+  ACTION_OUTPUT ACTION_QUEUE_UPDATE\
+  MENU_EVENT MIN_HEIGHT MIN_WIDTH \
+  QUALIFY_DOMAIN QUEUE_DEPTH QUEUE_FONT QUEUE_INTERVAL QUEUE_MAX_ADDRESSES \
+  QUEUE_STRIPCHART_NAME QUEUE_TOTAL QUEUE_WIDTH SPOOL_DIRECTORY \
+  START_DEPTH LOG_STRIPCHARTS SIZE_STRIPCHART SIZE_STRIPCHART_NAME \
+  START_SMALL STRIPCHART_INTERVAL \
+  TEXT_DEPTH WINDOW_TITLE
+
+# Exec to the program we really want to run, thereby continuing in
+# just the one process, and let it run in parallel with whatever
+# called this script (unless gdb was requested in original $1).
+
+if [ "${use_gdb:-}" = "" ] ; then
+  exec "${EXIMON_BINARY}" $cmd_args &
+else
+  exec "$use_gdb" "${EXIMON_BINARY}" $cmd_args
+  # not backgrounded
+fi
+
+# End
diff --git a/src/eximstats.src b/src/eximstats.src
new file mode 100644
index 0000000..5e1a084
--- /dev/null
+++ b/src/eximstats.src
@@ -0,0 +1,4246 @@
+#!PERL_COMMAND
+
+# Copyright (c) 2001-2017 University of Cambridge.
+# See the file NOTICE for conditions of use and distribution.
+
+# Perl script to generate statistics from one or more Exim log files.
+
+# Usage: eximstats [<options>] <log file> <log file> ...
+
+# 1996-05-21: Ignore lines not starting with valid date/time, just in case
+#               these get into a log file.
+# 1996-11-19: Add the -h option to control the size of the histogram,
+#               and optionally turn it off.
+#             Use some Perl 5 things; it should be everywhere by now.
+#             Add the Perl -w option and rewrite so no warnings are given.
+#             Add the -t option to control the length of the "top" listing.
+#             Add the -ne, -nt options to turn off errors and transport
+#               information.
+#             Add information about length of time on queue, and -q<list> to
+#               control the intervals and turn it off.
+#             Add count and percentage of delayed messages to the Received
+#               line.
+#             Show total number of errors.
+#             Add count and percentage of messages with errors to Received
+#               line.
+#             Add information about relaying and -nr to suppress it.
+# 1997-02-03  Merged in some of the things Nigel Metheringham had done:
+#               Re-worded headings
+#               Added received histogram as well as delivered
+#               Added local senders' league table
+#               Added local recipients' league table
+# 1997-03-10  Fixed typo "destinationss"
+#             Allow for intermediate address between final and original
+#               when testing for relaying
+#             Give better message when no input
+# 1997-04-24  Fixed bug in layout of error listing that was depending on
+#               text length (output line got repeated).
+# 1997-05-06  Bug in option decoding when only one option.
+#             Overflow bug when handling very large volumes.
+# 1997-10-28  Updated to handle revised log format that might show
+#               HELO name as well as host name before IP number
+# 1998-01-26  Bugs in the function for calculating the number of seconds
+#               since 1970 from a log date
+# 1998-02-02  Delivery to :blackhole: doesn't have a T= entry in the log
+#               line; cope with this, thereby avoiding undefined problems
+#             Very short log line gave substring error
+# 1998-02-03  A routed delivery to a local transport may not have <> in the
+#               log line; terminate the address at white space, not <
+# 1998-09-07  If first line of input was a => line, $thissize was undefined;
+#               ensure it is zero.
+# 1998-12-21  Adding of $thissize from => line should have been adding $size.
+#             Oops. Should have looked more closely when fixing the previous
+#               bug!
+# 1999-11-12  Increased the field widths for printed integers; numbers are
+#               bigger than originally envisaged.
+# 2001-03-21  Converted seconds() routine to use Time::Local, fixing a bug
+#               whereby seconds($timestamp) - id_seconds($id) gave an
+#               incorrect result.
+#             Added POD documentation.
+#             Moved usage instructions into help() subroutine.
+#             Added 'use strict' and declared all global variables.
+#             Added '-html' flag and resultant code.
+#             Added '-cache' flag and resultant code.
+#             Added add_volume() routine and converted all volume variables
+#               to use it, fixing the overflow problems for individual hosts
+#               on large sites.
+#             Converted all volume output to GB/MB/KB as appropriate.
+#             Don't store local user stats if -nfl is specified.
+#             Modifications done by: Steve Campbell (<steve@computurn.com>)
+# 2001-04-02  Added the -t_remote_users flag. Steve Campbell.
+# 2001-10-15  Added the -domain flag. Steve Campbell.
+# 2001-10-16  Accept files on STDIN or on the command line. Steve Campbell.
+# 2001-10-21  Removed -domain flag and added -bydomain, -byhost, and -byemail.
+#             We now generate our main parsing subroutine as an eval statement
+#             which improves performance dramatically when not all the results
+#             are required. We also cache the last timestamp to time conversion.
+#
+#             NOTE: 'Top 50 destinations by (message count|volume)' lines are
+#             now 'Top N (host|email|domain) destinations by (message count|volume)'
+#             where N is the topcount. Steve Campbell.
+#
+# 2001-10-30  V1.16 Joachim Wieland.
+#            Fixed minor bugs in add_volume() when taking over this version
+#               for use in Exim 4: -w gave uninitialized value warnings in
+#               two situations: for the first addition to a counter, and if
+#               there were never any gigabytes, thereby leaving the $gigs
+#               value unset.
+#             Initialized $last_timestamp to stop a -w uninitialized warning.
+#             Minor layout tweak for grand totals (nitpicking).
+#             Put the IP addresses for relaying stats in [] and separated by
+#               a space from the domain name.
+#             Removed the IPv4-specific address test when picking out addresses
+#               for relaying. Anything inside [] is OK.
+#
+# 2002-07-02  Philip Hazel
+#             Fixed "uninitialized variable" message that occurred for relay
+#               messages that arrived from H=[1.2.3.4] hosts (no name shown).
+#               This bug didn't affect the output.
+#
+# 2002-04-15  V1.17 Joachim Wieland.
+#             Added -charts, -chartdir. -chartrel options which use
+#             GD::Graph modules to create graphical charts of the statistics.
+#
+# 2002-04-15  V1.18 Steve Campbell.
+#             Added a check for $domain to to stop a -w uninitialized warning.
+#             Added -byemaildomain option.
+#             Only print HTML header links to included tables!
+#
+# 2002-08-02  V1.19 Steve Campbell.
+#             Changed the debug mode to dump the parser onto STDERR rather
+#             than STDOUT. Documented the -d flag into the help().
+#             Rejoined the divergent 2002-04-15 and 2002-07-02 releases.
+#
+# 2002-08-21  V1.20 Steve Campbell.
+#             Added the '-merge' option to allow merging of previous reports.
+#             Fixed a missing semicolon when doing -bydomain.
+#             Make volume charts plot the data gigs and bytes rather than just bytes.
+#             Only process log lines with $flag =~ /<=|=>|->|==|\*\*|Co/
+#             Converted Emaildomain to Edomain - the column header was too wide!
+#             This changes the text output slightly. You can revert to the old
+#             column widths by changing $COLUMN_WIDTHS to 7;
+#
+# 2002-09-04  V1.21 Andreas J Mueller
+#             Local deliveries domain now defaults to 'localdomain'.
+#             Don't match F=<From> when looking for the user.
+#
+# 2002-09-05  V1.22 Steve Campbell
+#             Fixed a perl 5.005 incompatibility problem ('our' variables).
+#
+# 2002-09-11  V1.23 Steve Campbell
+#             Stopped -charts option from throwing errors on null data.
+#             Don't print out 'Errors encountered' unless there are any.
+
+# 2002-10-21  V1.23a Philip Hazel - patch from Tony Finch put in until
+#               Steve's eximstats catches up.
+#             Handle log files that include the timezone after the timestamp.
+#             Switch to assuming that log timestamps are in local time, with
+#               an option for UTC timestamps, as in Exim itself.
+#
+# 2003-02-05  V1.24 Steve Campbell
+#             Added in Sergey Sholokh's code to convert '<' and '>' characters
+#             in HTML output. Also added code to convert them back with -merge.
+#             Fixed timestamp offsets to convert to seconds rather than minutes.
+#             Updated -merge to work with output files using timezones.
+#             Added caching to speed up the calculation of timezone offsets.
+#
+# 2003-02-07  V1.25 Steve Campbell
+#             Optimised the usage of mktime() in the seconds subroutine.
+#             Removed the now redundant '-cache' option.
+#             html2txt() now explicitly matches HTML tags.
+#             Implemented a new sorting algorithm - the top_n_sort() routine.
+#             Added Danny Carroll's '-nvr' flag and code.
+#
+# 2003-03-13  V1.26 Steve Campbell
+#             Implemented HTML compliance changes recommended by Bernard Massot.
+#             Bug fix to allow top_n_sort() to handle null keys.
+#             Convert all domains and edomains to lowercase.
+#             Remove preceding dots from domains.
+#
+# 2003-03-13  V1.27 Steve Campbell
+#             Replaced border attributes with 'border=1', as recommended by
+#             Bernard Massot.
+#
+# 2003-06-03  V1.28 John Newman
+#             Added in the ability to skip over the parsing and evaluation of
+#             specific transports as passed to eximstats via the new "-nt/.../"
+#             command line argument.  This new switch allows the viewing of
+#             not more accurate statistics but more applicable statistics when
+#             special transports are in use (ie; SpamAssassin).  We need to be
+#             able to ignore transports such as this otherwise the resulting
+#             local deliveries are significantly skewed (doubled)...
+#
+# 2003-11-06  V1.29 Steve Campbell
+#             Added the '-pattern "Description" "/pattern/"' option.
+#
+# 2004-02-17  V1.30 Steve Campbell
+#             Added warnings if required GD::Graph modules are not available or
+#             insufficient -chart* options are specified.
+#
+# 2004-02-20  V1.31 Andrea Balzi
+#             Only show the Local Sender/Destination links if the tables exist.
+#
+# 2004-07-05  V1.32 Steve Campbell
+#             Fix '-merge -h0' divide by zero error.
+#
+# 2004-07-15  V1.33 Steve Campbell
+#             Documentation update - I've converted the subroutine
+#             documentation from POD to comments.
+#
+# 2004-12-10  V1.34 Steve Campbell
+#             Eximstats can now parse syslog lines as well as mainlog lines.
+#
+# 2004-12-20  V1.35 Wouter Verhelst
+#             Pie charts by volume were actually generated by count. Fixed.
+#
+# 2005-02-07  V1.36 Gregor Herrmann / Steve Campbell
+#             Added average sizes to HTML Top tables.
+#
+# 2005-04-26  V1.37 Frank Heydlauf
+#             Added -xls and the ability to specify output files.
+#
+# 2005-04-29  V1.38 Steve Campbell
+#             Use FileHandles for outputting results.
+#             Allow any combination of xls, txt, and html output.
+#             Fixed display of large numbers with -nvr option
+#             Fixed merging of reports with empty tables.
+#
+# 2005-05-27  V1.39 Steve Campbell
+#             Added the -include_original_destination flag
+#             Removed tabs and trailing whitespace.
+#
+# 2005-06-03  V1.40 Steve Campbell
+#             Whilst parsing the mainlog(s), store information about
+#             the messages in a hash of arrays rather than using
+#             individual hashes. This is a bit cleaner and results in
+#             dramatic memory savings, albeit at a slight CPU cost.
+#
+# 2005-06-15  V1.41 Steve Campbell
+#             Added the -show_rt<list> flag.
+#             Added the -show_dt<list> flag.
+#
+# 2005-06-24  V1.42 Steve Campbell
+#             Added Histograms for user specified patterns.
+#
+# 2005-06-30  V1.43 Steve Campbell
+#             Bug fix for V1.42 with -h0 specified. Spotted by Chris Lear.
+#
+# 2005-07-26  V1.44 Steve Campbell
+#             Use a glob alias rather than an array ref in the generated
+#             parser. This improves both readability and performance.
+#
+# 2005-09-30  V1.45 Marco Gaiarin / Steve Campbell
+#             Collect SpamAssassin and rejection statistics.
+#             Don't display local sender or destination tables unless
+#             there is data to show.
+#             Added average volumes into the top table text output.
+#
+# 2006-02-07  V1.46 Steve Campbell
+#             Collect data on the number of addresses (recipients)
+#             as well as the number of messages.
+#
+# 2006-05-05  V1.47 Steve Campbell
+#             Added 'Message too big' to the list of mail rejection
+#             reasons (thanks to Marco Gaiarin).
+#
+# 2006-06-05  V1.48 Steve Campbell
+#             Mainlog lines which have GMT offsets and are too short to
+#             have a flag are now skipped.
+#
+# 2006-11-10  V1.49 Alain Williams
+#             Added the -emptyok flag.
+#
+# 2006-11-16  V1.50 Steve Campbell
+#             Fixes for obtaining the IP address from reject messages.
+#
+# 2006-11-27  V1.51 Steve Campbell
+#             Another update for obtaining the IP address from reject messages.
+#
+# 2006-11-27  V1.52 Steve Campbell
+#             Tally any reject message containing SpamAssassin.
+#
+# 2007-01-31  V1.53 Philip Hazel
+#             Allow for [pid] after date in log lines
+#
+# 2007-02-14  V1.54 Daniel Tiefnig
+#             Improved the '($parent) =' pattern match.
+#
+# 2007-03-19  V1.55 Steve Campbell
+#             Differentiate between permanent and temporary rejects.
+#
+# 2007-03-29  V1.56 Jez Hancock
+#             Fixed some broken HTML links and added missing column headers.
+#
+# 2007-03-30  V1.57 Steve Campbell
+#             Fixed Grand Total Summary Domains, Edomains, and Email columns
+#             for Rejects, Temp Rejects, Ham, and Spam rows.
+#
+# 2007-04-11  V1.58 Steve Campbell
+#             Fix to get <> and blackhole to show in edomain tables.
+#
+# 2007-09-20  V1.59 Steve Campbell
+#             Added the -bylocaldomain option
+#
+# 2007-09-20  V1.60 Heiko Schlittermann
+#             Fix for misinterpreted log lines
+#
+# 2013-01-14  V1.61 Steve Campbell
+#             Watch out for senders sending "HELO [IpAddr]"
+#
+#
+# For documentation on the logfile format, see
+# http://www.exim.org/exim-html-4.50/doc/html/spec_48.html#IX2793
+
+=head1 NAME
+
+eximstats - generates statistics from Exim mainlog or syslog files.
+
+=head1 SYNOPSIS
+
+ eximstats [Output] [Options] mainlog1 mainlog2 ...
+ eximstats -merge [Options] report.1.txt report.2.txt ... > weekly_report.txt
+
+=head2 Output:
+
+=over 4
+
+=item B<-txt>
+
+Output the results in plain text to STDOUT.
+
+=item B<-txt>=I<filename>
+
+Output the results in plain text. Filename '-' for STDOUT is accepted.
+
+=item B<-html>
+
+Output the results in HTML to STDOUT.
+
+=item B<-html>=I<filename>
+
+Output the results in HTML. Filename '-' for STDOUT is accepted.
+
+=item B<-xls>
+
+Output the results in Excel compatible Format to STDOUT.
+Requires the Spreadsheet::WriteExcel CPAN module.
+
+=item B<-xls>=I<filename>
+
+Output the results in Excel compatible format. Filename '-' for STDOUT is accepted.
+
+
+=back
+
+=head2 Options:
+
+=over 4
+
+=item B<-h>I<number>
+
+histogram divisions per hour. The default is 1, and
+0 suppresses histograms. Valid values are:
+
+0, 1, 2, 3, 5, 10, 15, 20, 30 or 60.
+
+=item B<-ne>
+
+Don't display error information.
+
+=item B<-nr>
+
+Don't display relaying information.
+
+=item B<-nr>I</pattern/>
+
+Don't display relaying information that matches.
+
+=item B<-nt>
+
+Don't display transport information.
+
+=item B<-nt>I</pattern/>
+
+Don't display transport information that matches
+
+=item B<-q>I<list>
+
+List of times for queuing information single 0 item suppresses.
+
+=item B<-t>I<number>
+
+Display top <number> sources/destinations
+default is 50, 0 suppresses top listing.
+
+=item B<-tnl>
+
+Omit local sources/destinations in top listing.
+
+=item B<-t_remote_users>
+
+Include remote users in the top source/destination listings.
+
+=item B<-include_original_destination>
+
+Include the original destination email addresses rather than just
+using the final ones.
+Useful for finding out which of your mailing lists are receiving mail.
+
+=item B<-show_dt>I<list>
+
+Show the delivery times (B<DT>)for all the messages.
+
+Exim must have been configured to use the +deliver_time logging option
+for this option to work.
+
+I<list> is an optional list of times. Eg -show_dt1,2,4,8 will show
+the number of messages with delivery times under 1 second, 2 seconds, 4 seconds,
+8 seconds, and over 8 seconds.
+
+=item B<-show_rt>I<list>
+
+Show the receipt times for all the messages. The receipt time is
+defined as the Completed hh:mm:ss - queue_time_overall - the Receipt hh:mm:ss.
+These figures will be skewed by pipelined messages so might not be that useful.
+
+Exim must have been configured to use the +queue_time_overall logging option
+for this option to work.
+
+I<list> is an optional list of times. Eg -show_rt1,2,4,8 will show
+the number of messages with receipt times under 1 second, 2 seconds, 4 seconds,
+8 seconds, and over 8 seconds.
+
+=item B<-byhost>
+
+Show results by sending host. This may be combined with
+B<-bydomain> and/or B<-byemail> and/or B<-byedomain>. If none of these options
+are specified, then B<-byhost> is assumed as a default.
+
+=item B<-bydomain>
+
+Show results by sending domain.
+May be combined with B<-byhost> and/or B<-byemail> and/or B<-byedomain>.
+
+=item B<-byemail>
+
+Show results by sender's email address.
+May be combined with B<-byhost> and/or B<-bydomain> and/or B<-byedomain>.
+
+=item B<-byemaildomain> or B<-byedomain>
+
+Show results by sender's email domain.
+May be combined with B<-byhost> and/or B<-bydomain> and/or B<-byemail>.
+
+=item B<-pattern> I<Description> I</Pattern/>
+
+Look for the specified pattern and count the number of lines in which it appears.
+This option can be specified multiple times. Eg:
+
+ -pattern 'Refused connections' '/refused connection/'
+
+
+=item B<-merge>
+
+This option allows eximstats to merge old eximstat reports together. Eg:
+
+ eximstats mainlog.sun > report.sun.txt
+ eximstats mainlog.mon > report.mon.txt
+ eximstats mainlog.tue > report.tue.txt
+ eximstats mainlog.wed > report.web.txt
+ eximstats mainlog.thu > report.thu.txt
+ eximstats mainlog.fri > report.fri.txt
+ eximstats mainlog.sat > report.sat.txt
+ eximstats -merge       report.*.txt > weekly_report.txt
+ eximstats -merge -html report.*.txt > weekly_report.html
+
+=over 4
+
+=item *
+
+You can merge text or html reports and output the results as text or html.
+
+=item *
+
+You can use all the normal eximstat output options, but only data
+included in the original reports can be shown!
+
+=item *
+
+When merging reports, some loss of accuracy may occur in the top I<n> lists.
+This will be towards the ends of the lists.
+
+=item *
+
+The order of items in the top I<n> lists may vary when the data volumes
+round to the same value.
+
+=back
+
+=item B<-charts>
+
+Create graphical charts to be displayed in HTML output.
+Only valid in combination with I<-html>.
+
+This requires the following modules which can be obtained
+from http://www.cpan.org/modules/01modules.index.html
+
+=over 4
+
+=item GD
+
+=item GDTextUtil
+
+=item GDGraph
+
+=back
+
+To install these, download and unpack them, then use the normal perl installation procedure:
+
+ perl Makefile.PL
+ make
+ make test
+ make install
+
+=item B<-chartdir>I <dir>
+
+Create the charts in the directory <dir>
+
+=item B<-chartrel>I <dir>
+
+Specify the relative directory for the "img src=" tags from where to include
+the charts
+
+=item B<-emptyok>
+
+Specify that it's OK to not find any valid log lines. Without this
+we will output an error message if we don't find any.
+
+=item B<-d>
+
+Debug flag. This outputs the eval()'d parser onto STDOUT which makes it
+easier to trap errors in the eval section. Remember to add 1 to the line numbers to allow for the
+title!
+
+=back
+
+=head1 DESCRIPTION
+
+Eximstats parses exim mainlog and syslog files to output a statistical
+analysis of the messages processed. By default, a text
+analysis is generated, but you can request other output formats
+using flags. See the help (B<-help>) to learn
+about how to create charts from the tables.
+
+=head1 AUTHOR
+
+There is a website at https://www.exim.org - this contains details of the
+mailing list exim-users@exim.org.
+
+=head1 TO DO
+
+This program does not perfectly handle messages whose received
+and delivered log lines are in different files, which can happen
+when you have multiple mail servers and a message cannot be
+immediately delivered. Fixing this could be tricky...
+
+Merging of xls files is not (yet) possible. Be free to implement :)
+
+=cut
+
+use warnings;
+use integer;
+BEGIN { pop @INC if $INC[-1] eq '.' };
+use strict;
+use IO::File;
+use File::Basename;
+
+# use Time::Local;  # PH/FANF
+use POSIX;
+
+if (@ARGV and $ARGV[0] eq '--version') {
+    print basename($0) . ": $0\n",
+        "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+        "perl(runtime): $]\n";
+        exit 0;
+}
+
+use vars qw($HAVE_GD_Graph_pie $HAVE_GD_Graph_linespoints $HAVE_Spreadsheet_WriteExcel);
+eval { require GD::Graph::pie; };
+$HAVE_GD_Graph_pie = $@ ? 0 : 1;
+eval { require GD::Graph::linespoints; };
+$HAVE_GD_Graph_linespoints = $@ ? 0 : 1;
+eval { require Spreadsheet::WriteExcel; };
+$HAVE_Spreadsheet_WriteExcel = $@ ? 0 : 1;
+
+
+##################################################
+#             Static data                        #
+##################################################
+# 'use vars' instead of 'our' as perl5.005 is still in use out there!
+use vars qw(@tab62 @days_per_month $gig);
+use vars qw($VERSION);
+use vars qw($COLUMN_WIDTHS);
+use vars qw($WEEK $DAY $HOUR $MINUTE);
+
+
+@tab62 =
+  (0,1,2,3,4,5,6,7,8,9,0,0,0,0,0,0,     # 0-9
+   0,10,11,12,13,14,15,16,17,18,19,20,  # A-K
+  21,22,23,24,25,26,27,28,29,30,31,32,  # L-W
+  33,34,35, 0, 0, 0, 0, 0,              # X-Z
+   0,36,37,38,39,40,41,42,43,44,45,46,  # a-k
+  47,48,49,50,51,52,53,54,55,56,57,58,  # l-w
+  59,60,61);                            # x-z
+
+@days_per_month = (0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334);
+$gig     = 1024 * 1024 * 1024;
+$VERSION = '1.61';
+
+# How much space do we allow for the Hosts/Domains/Emails/Edomains column headers?
+$COLUMN_WIDTHS = 8;
+
+$MINUTE = 60;
+$HOUR   = 60 * $MINUTE;
+$DAY    = 24 * $HOUR;
+$WEEK   =  7 * $DAY;
+
+# Declare global variables.
+use vars qw($total_received_data  $total_received_data_gigs  $total_received_count);
+use vars qw($total_delivered_data $total_delivered_data_gigs $total_delivered_messages $total_delivered_addresses);
+use vars qw(%timestamp2time);                   #Hash of timestamp => time.
+use vars qw($last_timestamp $last_time);        #The last time conversion done.
+use vars qw($last_date $date_seconds);          #The last date conversion done.
+use vars qw($last_offset $offset_seconds);      #The last time offset conversion done.
+use vars qw($localtime_offset);
+use vars qw($i);                                #General loop counter.
+use vars qw($debug);                            #Debug mode?
+use vars qw($ntopchart);                        #How many entries should make it into the chart?
+use vars qw($gddirectory);                      #Where to put files from GD::Graph
+
+# SpamAssassin variables
+use vars qw($spam_score $spam_score_gigs);
+use vars qw($ham_score  $ham_score_gigs);
+use vars qw(%ham_count_by_ip %spam_count_by_ip);
+use vars qw(%rejected_count_by_ip %rejected_count_by_reason);
+use vars qw(%temporarily_rejected_count_by_ip %temporarily_rejected_count_by_reason);
+
+#For use in Spreadsheet::WriteExcel
+use vars qw($workbook $ws_global $ws_relayed $ws_errors);
+use vars qw($row $col $row_hist $col_hist);
+use vars qw($run_hist);
+use vars qw($f_default $f_header1 $f_header2 $f_header2_m $f_headertab $f_percent); #Format Header
+
+# Output FileHandles
+use vars qw($txt_fh $htm_fh $xls_fh);
+
+$ntopchart = 5;
+
+# The following are parameters whose values are
+# set by command line switches:
+use vars qw($show_errors $show_relay $show_transport $transport_pattern);
+use vars qw($topcount $local_league_table $include_remote_users $do_local_domain);
+use vars qw($hist_opt $hist_interval $hist_number $volume_rounding $emptyOK);
+use vars qw($relay_pattern @queue_times @user_patterns @user_descriptions);
+use vars qw(@rcpt_times @delivery_times);
+use vars qw($include_original_destination);
+use vars qw($txt_fh $htm_fh $xls_fh);
+
+use vars qw(%do_sender);                #Do sender by Host, Domain, Email, and/or Edomain tables.
+use vars qw($charts $chartrel $chartdir $charts_option_specified);
+use vars qw($merge_reports);            #Merge old reports ?
+
+# The following are modified in the parse() routine, and
+# referred to in the print_*() routines.
+use vars qw($delayed_count $relayed_unshown $begin $end);
+use vars qw(%messages @message);
+use vars qw(%received_count       %received_data       %received_data_gigs);
+use vars qw(%delivered_messages      %delivered_data      %delivered_data_gigs %delivered_addresses);
+use vars qw(%received_count_user  %received_data_user  %received_data_gigs_user);
+use vars qw(%delivered_messages_user %delivered_addresses_user %delivered_data_user %delivered_data_gigs_user);
+use vars qw(%delivered_messages_local_domain %delivered_addresses_local_domain %delivered_data_local_domain %delivered_data_gigs_local_domain);
+use vars qw(%transported_count    %transported_data    %transported_data_gigs);
+use vars qw(%relayed %errors_count $message_errors);
+use vars qw(@qt_all_bin @qt_remote_bin);
+use vars qw($qt_all_overflow $qt_remote_overflow);
+use vars qw(@dt_all_bin @dt_remote_bin %rcpt_times_bin);
+use vars qw($dt_all_overflow $dt_remote_overflow %rcpt_times_overflow);
+use vars qw(@received_interval_count @delivered_interval_count);
+use vars qw(@user_pattern_totals @user_pattern_interval_count);
+
+use vars qw(%report_totals);
+
+# Enumerations
+use vars qw($SIZE $FROM_HOST $FROM_ADDRESS $ARRIVAL_TIME $REMOTE_DELIVERED $PROTOCOL);
+use vars qw($DELAYED $HAD_ERROR);
+$SIZE             = 0;
+$FROM_HOST        = 1;
+$FROM_ADDRESS     = 2;
+$ARRIVAL_TIME     = 3;
+$REMOTE_DELIVERED = 4;
+$DELAYED          = 5;
+$HAD_ERROR        = 6;
+$PROTOCOL         = 7;
+
+
+
+##################################################
+#                   Subroutines                  #
+##################################################
+
+#######################################################################
+# get_filehandle($file,\%output_files);
+# Return a filehandle writing to $file.
+#
+# If %output_files is defined, check that $output_files{$file}
+# doesn't exist and die if it does, or set it if it doesn't.
+#######################################################################
+sub get_filehandle {
+  my($file,$output_files_href) = @_;
+
+  $file = '-' if ($file eq '');
+
+  if (defined $output_files_href) {
+    die "You can only output to '$file' once! Use -h for help.\n" if exists $output_files_href->{$file};
+    $output_files_href->{$file} = 1;
+  }
+
+  if ($file eq '-') {
+    return \*STDOUT;
+  }
+
+  if (-e $file) {
+    unlink $file or die "Failed to rm $file: $!";
+  }
+
+  my $fh = new IO::File $file, O_WRONLY|O_CREAT|O_EXCL;
+  die "new IO::File $file failed: $!" unless (defined $fh);
+  return $fh;
+}
+
+
+#######################################################################
+# volume_rounded();
+#
+# $rounded_volume = volume_rounded($bytes,$gigabytes);
+#
+# Given a data size in bytes, round it to KB, MB, or GB
+# as appropriate.
+#
+# Eg 12000 => 12KB, 15000000 => 14GB, etc.
+#
+# Note: I've experimented with Math::BigInt and it results in a 33%
+# performance degredation as opposed to storing numbers split into
+# bytes and gigabytes.
+#######################################################################
+sub volume_rounded {
+  my($x,$g) = @_;
+  $x = 0 unless $x;
+  $g = 0 unless $g;
+  my($rounded);
+
+  while ($x > $gig) {
+    $g++;
+    $x -= $gig;
+  }
+
+  if ($volume_rounding) {
+    # Values < 1 GB
+    if ($g <= 0) {
+      if ($x < 10000) {
+        $rounded = sprintf("%6d", $x);
+      }
+      elsif ($x < 10000000) {
+        $rounded = sprintf("%4dKB", ($x + 512)/1024);
+      }
+      else {
+        $rounded = sprintf("%4dMB", ($x + 512*1024)/(1024*1024));
+      }
+    }
+    # Values between 1GB and 10GB are printed in MB
+    elsif ($g < 10) {
+      $rounded = sprintf("%4dMB", ($g * 1024) + ($x + 512*1024)/(1024*1024));
+    }
+    else {
+      # Handle values over 10GB
+      $rounded = sprintf("%4dGB", $g + ($x + $gig/2)/$gig);
+    }
+  }
+  else {
+    # We don't want any rounding to be done.
+    # and we don't need broken formatted output which on one hand avoids numbers from
+    # being interpreted as string by Spreadsheet Calculators, on the other hand
+    # breaks if more than 4 digits! -> flexible length instead of fixed length
+    # Format the return value at the output routine! -fh
+    #$rounded = sprintf("%d", ($g * $gig) + $x);
+    no integer;
+    $rounded = sprintf("%.0f", ($g * $gig) + $x);
+  }
+
+  return $rounded;
+}
+
+
+#######################################################################
+# un_round();
+#
+#  un_round($rounded_volume,\$bytes,\$gigabytes);
+#
+# Given a volume in KB, MB or GB, as generated by volume_rounded(),
+# do the reverse transformation and convert it back into Bytes and Gigabytes.
+# These are added to the $bytes and $gigabytes parameters.
+#
+# Given a data size in bytes, round it to KB, MB, or GB
+# as appropriate.
+#
+# EG: 500 => (500,0), 14GB => (0,14), etc.
+#######################################################################
+sub un_round {
+  my($rounded,$bytes_sref,$gigabytes_sref) = @_;
+
+  if ($rounded =~ /(\d+)GB/) {
+    $$gigabytes_sref += $1;
+  }
+  elsif ($rounded =~ /(\d+)MB/) {
+    $$gigabytes_sref +=   $1 / 1024;
+    $$bytes_sref     += (($1 % 1024 ) * 1024 * 1024);
+  }
+  elsif ($rounded =~ /(\d+)KB/) {
+    $$gigabytes_sref +=  $1 / (1024 * 1024);
+    $$bytes_sref     += ($1 % (1024 * 1024) * 1024);
+  }
+  elsif ($rounded =~ /(\d+)/) {
+    # We need to turn off integer in case we are merging an -nvr report.
+    no integer;
+    $$gigabytes_sref += int($1 / $gig);
+    $$bytes_sref     += $1 % $gig;
+  }
+
+  #Now reduce the bytes down to less than 1GB.
+  add_volume($bytes_sref,$gigabytes_sref,0) if ($$bytes_sref > $gig);
+}
+
+
+#######################################################################
+# add_volume();
+#
+#   add_volume(\$bytes,\$gigs,$size);
+#
+# Add $size to $bytes/$gigs where this is a number split into
+# bytes ($bytes) and gigabytes ($gigs). This is significantly
+# faster than using Math::BigInt.
+#######################################################################
+sub add_volume {
+  my($bytes_ref,$gigs_ref,$size) = @_;
+  $$bytes_ref = 0 if ! defined $$bytes_ref;
+  $$gigs_ref = 0 if ! defined $$gigs_ref;
+  $$bytes_ref += $size;
+  while ($$bytes_ref > $gig) {
+    $$gigs_ref++;
+    $$bytes_ref -= $gig;
+  }
+}
+
+
+#######################################################################
+# format_time();
+#
+#  $formatted_time = format_time($seconds);
+#
+# Given a time in seconds, break it down into
+# weeks, days, hours, minutes, and seconds.
+#
+# Eg 12005 => 3h20m5s
+#######################################################################
+sub format_time {
+my($t) = pop @_;
+my($s) = $t % 60;
+$t /= 60;
+my($m) = $t % 60;
+$t /= 60;
+my($h) = $t % 24;
+$t /= 24;
+my($d) = $t % 7;
+my($w) = $t/7;
+my($p) = "";
+$p .= "$w"."w" if $w > 0;
+$p .= "$d"."d" if $d > 0;
+$p .= "$h"."h" if $h > 0;
+$p .= "$m"."m" if $m > 0;
+$p .= "$s"."s" if $s > 0 || $p eq "";
+$p;
+}
+
+
+#######################################################################
+#  unformat_time();
+#
+#  $seconds = unformat_time($formatted_time);
+#
+# Given a time in weeks, days, hours, minutes, or seconds, convert it to seconds.
+#
+# Eg 3h20m5s => 12005
+#######################################################################
+sub unformat_time {
+  my($formatted_time) = pop @_;
+  my $time = 0;
+
+  while ($formatted_time =~ s/^(\d+)([wdhms]?)//) {
+    $time +=  $1 if ($2 eq '' || $2 eq 's');
+    $time +=  $1 * 60 if ($2 eq 'm');
+    $time +=  $1 * 60 * 60 if ($2 eq 'h');
+    $time +=  $1 * 60 * 60 * 24 if ($2 eq 'd');
+    $time +=  $1 * 60 * 60 * 24  * 7 if ($2 eq 'w');
+  }
+  $time;
+}
+
+
+#######################################################################
+# seconds();
+#
+#  $time = seconds($timestamp);
+#
+# Given a time-of-day timestamp, convert it into a time() value using
+# POSIX::mktime.  We expect the timestamp to be of the form
+# "$year-$mon-$day $hour:$min:$sec", with month going from 1 to 12,
+# and the year to be absolute (we do the necessary conversions). The
+# seconds value can be followed by decimals, which we ignore. The
+# timestamp may be followed with an offset from UTC like "+$hh$mm"; if the
+# offset is not present, and we have not been told that the log is in UTC
+# (with the -utc option), then we adjust the time by the current local
+# time offset so that it can be compared with the time recorded in message
+# IDs, which is UTC.
+#
+# To improve performance, we only use mktime on the date ($year-$mon-$day),
+# and only calculate it if the date is different to the previous time we
+# came here. We then add on seconds for the '$hour:$min:$sec'.
+#
+# We also store the results of the last conversion done, and only
+# recalculate if the date is different.
+#
+# We used to have the '-cache' flag which would store the results of the
+# mktime() call. However, the current way of just using mktime() on the
+# date obsoletes this.
+#######################################################################
+sub seconds {
+  my($timestamp) = @_;
+
+  # Is the timestamp the same as the last one?
+  return $last_time if ($last_timestamp eq $timestamp);
+
+  return 0 unless ($timestamp =~ /^((\d{4})\-(\d\d)-(\d\d))\s(\d\d):(\d\d):(\d\d)(?:\.\d+)?( ([+-])(\d\d)(\d\d))?/o);
+
+  unless ($last_date eq $1) {
+    $last_date = $1;
+    my(@timestamp) = (0,0,0,$4,$3,$2);
+    $timestamp[5] -= 1900;
+    $timestamp[4]--;
+    $date_seconds = mktime(@timestamp);
+  }
+  my $time = $date_seconds + ($5 * 3600) + ($6 * 60) + $7;
+
+  # SC. Use caching. Also note we want seconds not minutes.
+  #my($this_offset) = ($10 * 60 + $12) * ($9 . "1") if defined $8;
+  if (defined $8 && ($8 ne $last_offset)) {
+    $last_offset = $8;
+    $offset_seconds = ($10 * 60 + $11) * 60;
+    $offset_seconds = -$offset_seconds if ($9 eq '-');
+  }
+
+
+  if (defined $8) {
+    #$time -= $this_offset;
+    $time -= $offset_seconds;
+  } elsif (defined $localtime_offset) {
+    $time -= $localtime_offset;
+  }
+
+  # Store the last timestamp received.
+  $last_timestamp = $timestamp;
+  $last_time      = $time;
+
+  $time;
+}
+
+
+#######################################################################
+#  id_seconds();
+#
+#  $time = id_seconds($message_id);
+#
+# Given a message ID, convert it into a time() value.
+#######################################################################
+sub id_seconds {
+my($sub_id) = substr((pop @_), 0, 6);
+my($s) = 0;
+my(@c) = split(//, $sub_id);
+while($#c >= 0) { $s = $s * 62 + $tab62[ord(shift @c) - ord('0')] }
+$s;
+}
+
+#######################################################################
+#  wdhms_seconds();
+#
+#  $seconds = wdhms_seconds($string);
+#
+# Convert a string in a week/day/hour/minute/second format (eg 4h10s)
+# into seconds.
+#######################################################################
+sub wdhms_seconds {
+  if ($_[0] =~ /^(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?/) {
+    return((($1||0) * $WEEK) + (($2||0) * $DAY) + (($3||0) * $HOUR) + (($4||0) * $MINUTE) + ($5||0));
+  }
+  return undef;
+}
+
+#######################################################################
+#  queue_time();
+#
+#  $queued = queue_time($completed_tod, $arrival_time, $id);
+#
+# Given the completed time of day and either the arrival time
+# (preferred), or the message ID, calculate how long the message has
+# been on the queue.
+#
+#######################################################################
+sub queue_time {
+  my($completed_tod, $arrival_time, $id) = @_;
+
+  # Note: id_seconds() benchmarks as 42% slower than seconds()
+  # and computing the time accounts for a significant portion of
+  # the run time.
+  if (defined $arrival_time) {
+    return(seconds($completed_tod) - seconds($arrival_time));
+  }
+  else {
+    return(seconds($completed_tod) - id_seconds($id));
+  }
+}
+
+
+#######################################################################
+#  calculate_localtime_offset();
+#
+#  $localtime_offset = calculate_localtime_offset();
+#
+# Calculate the the localtime offset from gmtime in seconds.
+#
+#  $localtime = time() + $localtime_offset.
+#
+# These are the same semantics as ISO 8601 and RFC 2822 timezone offsets.
+# (West is negative, East is positive.)
+#######################################################################
+
+# $localtime = gmtime() + $localtime_offset.  OLD COMMENT
+# This subroutine commented out as it's not currently in use.
+
+#sub calculate_localtime_offset {
+#  # Pick an arbitrary date, convert it to localtime & gmtime, and return the difference.
+#  my (@sample_date) = (0,0,0,5,5,100);
+#  my $localtime = timelocal(@sample_date);
+#  my $gmtime    = timegm(@sample_date);
+#  my $offset = $localtime - $gmtime;
+#  return $offset;
+#}
+
+sub calculate_localtime_offset {
+  # Assume that the offset at the moment is valid across the whole
+  # period covered by the logs that we're analysing. This may not
+  # be true around the time the clocks change in spring or autumn.
+  my $utc = time;
+  # mktime works on local time and gmtime works in UTC
+  my $local = mktime(gmtime($utc));
+  return $local - $utc;
+}
+
+
+
+#######################################################################
+# print_duration_table();
+#
+#  print_duration_table($title, $message_type, \@times, \@values, $overflow);
+#
+# Print a table showing how long a particular step took for
+# the messages. The parameters are:
+#   $title         Eg "Time spent on the queue"
+#   $message_type  Eg "Remote"
+#   \@times        The maximum time a message took for it to increment
+#                  the corresponding @values counter.
+#   \@values       An array of message counters.
+#   $overflow      The number of messages which exceeded the maximum
+#                  time.
+#######################################################################
+sub print_duration_table {
+no integer;
+my($title, $message_type, $times_aref, $values_aref, $overflow) = @_;
+my(@chartdatanames);
+my(@chartdatavals);
+
+my $printed_one = 0;
+my $cumulative_percent = 0;
+
+my $queue_total = $overflow;
+map {$queue_total += $_} @$values_aref;
+
+my $temp = "$title: $message_type";
+
+
+my $txt_format = "%5s %4s   %6d %5.1f%%  %5.1f%%\n";
+my $htm_format = "<tr><td align=\"right\">%s %s</td><td align=\"right\">%d</td><td align=\"right\">%5.1f%%</td><td align=\"right\">%5.1f%%</td>\n";
+
+# write header
+printf $txt_fh ("%s\n%s\n\n", $temp, "-" x length($temp)) if $txt_fh;
+if ($htm_fh) {
+  print $htm_fh "<hr><a name=\"$title $message_type\"></a><h2>$temp</h2>\n";
+  print $htm_fh "<table border=0 width=\"100%\"><tr><td><table border=1>\n";
+  print $htm_fh "<tr><th>Time</th><th>Messages</th><th>Percentage</th><th>Cumulative Percentage</th>\n";
+}
+if ($xls_fh) {
+  $ws_global->write($row++, $col, "$title: ".$message_type, $f_header2);
+  my @content=("Time", "Messages", "Percentage", "Cumulative Percentage");
+  &set_worksheet_line($ws_global, $row++, 1, \@content, $f_headertab);
+}
+
+
+for ($i = 0; $i <= $#$times_aref; ++$i) {
+  if ($$values_aref[$i] > 0)
+    {
+    my $percent = ($values_aref->[$i] * 100)/$queue_total;
+    $cumulative_percent += $percent;
+
+    my @content=($printed_one? "     " : "Under",
+        format_time($times_aref->[$i]),
+        $values_aref->[$i], $percent, $cumulative_percent);
+
+    if ($htm_fh) {
+      printf $htm_fh ($htm_format, @content);
+      if (!defined($values_aref->[$i])) {
+        print $htm_fh "Not defined";
+      }
+    }
+    if ($txt_fh) {
+      printf $txt_fh ($txt_format, @content);
+      if (!defined($times_aref->[$i])) {
+        print $txt_fh "Not defined";
+      }
+    }
+    if ($xls_fh)
+    {
+      no integer;
+      &set_worksheet_line($ws_global, $row, 0, [@content[0,1,2]], $f_default);
+      &set_worksheet_line($ws_global, $row++, 3, [$content[3]/100,$content[4]/100], $f_percent);
+
+      if (!defined($times_aref->[$i])) {
+        $col=0;
+        $ws_global->write($row++, $col, "Not defined"  );
+      }
+    }
+
+    push(@chartdatanames,
+      ($printed_one? "" : "Under") . format_time($times_aref->[$i]));
+    push(@chartdatavals, $$values_aref[$i]);
+    $printed_one = 1;
+  }
+}
+
+if ($overflow && $overflow > 0) {
+  my $percent = ($overflow * 100)/$queue_total;
+  $cumulative_percent += $percent;
+
+    my @content = ("Over ", format_time($times_aref->[-1]),
+        $overflow, $percent, $cumulative_percent);
+
+    printf $txt_fh ($txt_format, @content) if $txt_fh;
+    printf $htm_fh ($htm_format, @content) if $htm_fh;
+    if ($xls_fh)
+    {
+      &set_worksheet_line($ws_global, $row, 0, [@content[0,1,2]], $f_default);
+      &set_worksheet_line($ws_global, $row++, 3, [$content[3]/100,$content[4]/100], $f_percent);
+    }
+
+}
+
+push(@chartdatanames, "Over " . format_time($times_aref->[-1]));
+push(@chartdatavals, $overflow);
+
+#printf("Unknown   %6d\n", $queue_unknown) if $queue_unknown > 0;
+if ($htm_fh) {
+  print $htm_fh "</table></td><td>";
+
+  if ($HAVE_GD_Graph_pie && $charts && ($#chartdatavals > 0)) {
+    my @data = (
+       \@chartdatanames,
+       \@chartdatavals
+    );
+    my $graph = GD::Graph::pie->new(200, 200);
+    my $pngname = "$title-$message_type.png";
+    $pngname =~ s/[^\w\-\.]/_/;
+
+    my $graph_title = "$title ($message_type)";
+    $graph->set(title => $graph_title) if (length($graph_title) < 21);
+
+    my $gd = $graph->plot(\@data) or warn($graph->error);
+    if ($gd) {
+      open(IMG, ">$chartdir/$pngname") or die "Could not write $chartdir/$pngname: $!\n";
+      binmode IMG;
+      print IMG $gd->png;
+      close IMG;
+      print $htm_fh "<img src=\"$chartrel/$pngname\">";
+    }
+  }
+  print $htm_fh "</td></tr></table>\n";
+}
+
+if ($xls_fh)
+{
+  $row++;
+}
+print $txt_fh "\n" if $txt_fh;
+print $htm_fh "\n" if $htm_fh;
+
+}
+
+
+#######################################################################
+# print_histogram();
+#
+#  print_histogram('Deliveries|Messages received|$pattern', $unit, @interval_count);
+#
+# Print a histogram of the messages delivered/received per time slot
+# (hour by default).
+#######################################################################
+sub print_histogram {
+my($text, $unit, @interval_count) = @_;
+my(@chartdatanames);
+my(@chartdatavals);
+my($maxd) = 0;
+
+# save first row of print_histogram for xls output
+if (!$run_hist) {
+  $row_hist = $row;
+}
+else {
+  $row = $row_hist;
+}
+
+for ($i = 0; $i < $hist_number; $i++)
+  { $maxd = $interval_count[$i] if $interval_count[$i] > $maxd; }
+
+my $scale = int(($maxd + 25)/50);
+$scale = 1 if $scale == 0;
+
+if ($scale != 1) {
+  if ($unit !~ s/y$/ies/) {
+    $unit .= 's';
+  }
+}
+
+# make and output title
+my $title = sprintf("$text per %s",
+    ($hist_interval == 60)? "hour" :
+    ($hist_interval == 1)?  "minute" : "$hist_interval minutes");
+
+my $txt_htm_title = $title . " (each dot is $scale $unit)";
+
+printf $txt_fh ("%s\n%s\n\n", $txt_htm_title, "-" x length($txt_htm_title)) if $txt_fh;
+
+if ($htm_fh) {
+  print $htm_fh "<hr><a name=\"$text\"></a><h2>$txt_htm_title</h2>\n";
+  print $htm_fh "<table border=0 width=\"100%\">\n";
+  print $htm_fh "<tr><td><pre>\n";
+}
+
+if ($xls_fh) {
+  $title =~ s/Messages/Msg/ ;
+  $row += 2;
+  $ws_global->write($row++, $col_hist+1, $title, $f_headertab);
+}
+
+
+my $hour = 0;
+my $minutes = 0;
+for ($i = 0; $i < $hist_number; $i++) {
+  my $c = $interval_count[$i];
+
+  # If the interval is an hour (the maximum) print the starting and
+  # ending hours as a label. Otherwise print the starting hour and
+  # minutes, which take up the same space.
+
+  my $temp;
+  if ($hist_opt == 1) {
+    $temp = sprintf("%02d-%02d", $hour, $hour + 1);
+
+    print $txt_fh $temp if $txt_fh;
+    print $htm_fh $temp if $htm_fh;
+
+    if ($xls_fh) {
+      if ($run_hist==0) {
+        # only on first run
+        $ws_global->write($row, 0, [$temp], $f_default);
+      }
+    }
+
+    push(@chartdatanames, $temp);
+    $hour++;
+  }
+  else {
+    if ($minutes == 0)
+      { $temp = sprintf("%02d:%02d", $hour, $minutes) }
+    else
+      { $temp = sprintf("  :%02d", $minutes) }
+
+    print $txt_fh $temp if $txt_fh;
+    print $htm_fh $temp if $htm_fh;
+    if (($xls_fh) and ($run_hist==0)) {
+      # only on first run
+      $temp = sprintf("%02d:%02d", $hour, $minutes);
+      $ws_global->write($row, 0, [$temp], $f_default);
+    }
+
+    push(@chartdatanames, $temp);
+    $minutes += $hist_interval;
+    if ($minutes >= 60) {
+      $minutes = 0;
+      $hour++;
+    }
+  }
+  push(@chartdatavals, $c);
+
+  printf $txt_fh (" %6d %s\n", $c, "." x ($c/$scale)) if $txt_fh;
+  printf $htm_fh (" %6d %s\n", $c, "." x ($c/$scale)) if $htm_fh;
+  $ws_global->write($row++, $col_hist+1, [$c], $f_default) if $xls_fh;
+
+} #end for
+
+printf $txt_fh "\n" if $txt_fh;
+printf $htm_fh "\n" if $htm_fh;
+
+if ($htm_fh)
+{
+  print $htm_fh "</pre>\n";
+  print $htm_fh "</td><td>\n";
+  if ($HAVE_GD_Graph_linespoints && $charts && ($#chartdatavals > 0)) {
+    # calculate the graph
+    my @data = (
+       \@chartdatanames,
+       \@chartdatavals
+    );
+    my $graph = GD::Graph::linespoints->new(300, 300);
+    $graph->set(
+        x_label           => 'Time',
+        y_label           => 'Amount',
+        title             => $text,
+        x_labels_vertical => 1
+    );
+    my $pngname = "histogram_$text.png";
+    $pngname =~ s/[^\w\._]/_/g;
+
+    my $gd = $graph->plot(\@data) or warn($graph->error);
+    if ($gd) {
+      open(IMG, ">$chartdir/$pngname") or die "Could not write $chartdir/$pngname: $!\n";
+      binmode IMG;
+      print IMG $gd->png;
+      close IMG;
+      print $htm_fh "<img src=\"$chartrel/$pngname\">";
+    }
+  }
+  print $htm_fh "</td></tr></table>\n";
+}
+
+$col_hist++; # where to continue next times
+
+$row+=2;     # leave some space after history block
+$run_hist=1; # we have done this once or more
+}
+
+
+
+#######################################################################
+# print_league_table();
+#
+#  print_league_table($league_table_type,\%message_count,\%address_count,\%message_data,\%message_data_gigs, $spreadsheet, $row_sref);
+#
+# Given hashes of message count, address count, and message data,
+# which are keyed by the table type (eg by the sending host), print a
+# league table showing the top $topcount (defaults to 50).
+#######################################################################
+sub print_league_table {
+  my($text,$m_count,$a_count,$m_data,$m_data_gigs,$spreadsheet, $row_sref) = @_;
+  my($name) = ($topcount == 1)? "$text" : "$topcount ${text}s";
+  my($title) = "Top $name by message count";
+  my(@chartdatanames) = ();
+  my(@chartdatavals) = ();
+  my $chartotherval = 0;
+  $text = ucfirst($text);
+
+  # Align non-local addresses to the right (so all the .com's line up).
+  # Local addresses are aligned on the left as they are userids.
+  my $align = ($text !~ /local/i) ? 'right' : 'left';
+
+
+  ################################################
+  # Generate the printf formats and table headers.
+  ################################################
+  my(@headers) = ('Messages');
+  #push(@headers,'Addresses') if defined $a_count;
+  push(@headers,'Addresses') if defined $a_count && %$a_count;
+  push(@headers,'Bytes','Average') if defined $m_data;
+
+  my $txt_format = "%10s " x @headers . "  %s\n";
+  my $txt_col_headers = sprintf $txt_format, @headers, $text;
+  my $htm_format = "<tr>" . '<td align="right">%s</td>'x@headers . "<td align=\"$align\" nowrap>%s</td></tr>\n";
+  my $htm_col_headers = sprintf $htm_format, @headers, $text;
+  $htm_col_headers =~ s/(<\/?)td/$1th/g;      #Convert <td>'s to <th>'s for the header.
+
+
+  ################################################
+  # Write the table headers
+  ################################################
+  printf $txt_fh ("%s\n%s\n%s", $title, "-" x length($title),$txt_col_headers) if $txt_fh;
+
+  if ($htm_fh) {
+    print $htm_fh <<EoText;
+<hr><a name="$text count"></a><h2>$title</h2>
+<table border=0 width="100%">
+<tr><td>
+<table border=1>
+EoText
+  print $htm_fh $htm_col_headers
+  }
+
+  if ($xls_fh) {
+    $spreadsheet->write(${$row_sref}++, 0, $title, $f_header2);
+    $spreadsheet->write(${$row_sref}++, 0, [@headers, $text], $f_headertab);
+  }
+
+
+  # write content
+  foreach my $key (top_n_sort($topcount,$m_count,$m_data_gigs,$m_data)) {
+
+    # When displaying the average figures, we calculate the average of
+    # the rounded data, as the user would calculate it. This reduces
+    # the accuracy slightly, but we have to do it this way otherwise
+    # when using -merge to convert results from text to HTML and
+    # vice-versa discrepencies would occur.
+    my $messages  = $$m_count{$key};
+    my @content = ($messages);
+    push(@content, $$a_count{$key}) if defined $a_count;
+    if (defined $m_data) {
+      my $rounded_volume = volume_rounded($$m_data{$key},$$m_data_gigs{$key});
+      my($data,$gigs) = (0,0);
+      un_round($rounded_volume,\$data,\$gigs);
+      my $rounded_average = volume_rounded($data/$messages,$gigs/$messages);
+      push(@content, $rounded_volume, $rounded_average);
+    }
+
+    # write content
+    printf $txt_fh ($txt_format, @content, $key) if $txt_fh;
+
+    if ($htm_fh) {
+      my $htmlkey = $key;
+      $htmlkey =~ s/>/\&gt\;/g;
+      $htmlkey =~ s/</\&lt\;/g;
+      printf $htm_fh ($htm_format, @content, $htmlkey);
+    }
+    $spreadsheet->write(${$row_sref}++, 0, [@content, $key], $f_default) if $xls_fh;
+
+    if (scalar @chartdatanames < $ntopchart) {
+      push(@chartdatanames, $key);
+      push(@chartdatavals, $$m_count{$key});
+    }
+    else {
+      $chartotherval += $$m_count{$key};
+    }
+  }
+
+  push(@chartdatanames, "Other");
+  push(@chartdatavals, $chartotherval);
+
+  print $txt_fh "\n" if $txt_fh;
+  if ($htm_fh) {
+    print $htm_fh "</table>\n";
+    print $htm_fh "</td><td>\n";
+    if ($HAVE_GD_Graph_pie && $charts && ($#chartdatavals > 0))
+      {
+      # calculate the graph
+      my @data = (
+         \@chartdatanames,
+         \@chartdatavals
+      );
+      my $graph = GD::Graph::pie->new(300, 300);
+      $graph->set(
+          x_label           => 'Name',
+          y_label           => 'Amount',
+          title             => 'By count',
+      );
+      my $gd = $graph->plot(\@data) or warn($graph->error);
+      if ($gd) {
+        my $temp = $text;
+        $temp =~ s/ /_/g;
+        open(IMG, ">$chartdir/${temp}_count.png") or die "Could not write $chartdir/${temp}_count.png: $!\n";
+        binmode IMG;
+        print IMG $gd->png;
+        close IMG;
+        print $htm_fh "<img src=\"$chartrel/${temp}_count.png\">";
+      }
+    }
+    print $htm_fh "</td><td>\n";
+    print $htm_fh "</td></tr></table>\n\n";
+  }
+  ++${$row_sref} if $xls_fh;
+
+
+  if (defined $m_data) {
+    # write header
+
+    $title = "Top $name by volume";
+
+    printf $txt_fh ("%s\n%s\n%s", $title, "-" x length($title),$txt_col_headers) if $txt_fh;
+
+    if ($htm_fh) {
+      print $htm_fh <<EoText;
+<hr><a name="$text volume"></a><h2>$title</h2>
+<table border=0 width="100%">
+<tr><td>
+<table border=1>
+EoText
+    print $htm_fh $htm_col_headers;
+    }
+    if ($xls_fh) {
+      $spreadsheet->write(${$row_sref}++, 0, $title, $f_header2);
+      $spreadsheet->write(${$row_sref}++, 0, [@headers, $text], $f_headertab);
+    }
+
+    @chartdatanames = ();
+    @chartdatavals = ();
+    $chartotherval = 0;
+    my $use_gig = 0;
+    foreach my $key (top_n_sort($topcount,$m_data_gigs,$m_data,$m_count)) {
+      # The largest volume will be the first (top of the list).
+      # If it has at least 1 gig, then just use gigabytes to avoid
+      # risking an integer overflow when generating the pie charts.
+      if ($$m_data_gigs{$key}) {
+        $use_gig = 1;
+      }
+
+      my $messages  = $$m_count{$key};
+      my @content = ($messages);
+      push(@content, $$a_count{$key}) if defined $a_count;
+      my $rounded_volume = volume_rounded($$m_data{$key},$$m_data_gigs{$key});
+      my($data ,$gigs) = (0,0);
+      un_round($rounded_volume,\$data,\$gigs);
+      my $rounded_average = volume_rounded($data/$messages,$gigs/$messages);
+      push(@content, $rounded_volume, $rounded_average );
+
+      # write content
+      printf $txt_fh ($txt_format, @content, $key) if $txt_fh;
+      if ($htm_fh) {
+        my $htmlkey = $key;
+        $htmlkey =~ s/>/\&gt\;/g;
+        $htmlkey =~ s/</\&lt\;/g;
+        printf $htm_fh ($htm_format, @content, $htmlkey);
+      }
+      $spreadsheet->write(${$row_sref}++, 0, [@content, $key], $f_default) if $xls_fh;
+
+
+      if (scalar @chartdatanames < $ntopchart) {
+        if ($use_gig) {
+          if ($$m_data_gigs{$key}) {
+            push(@chartdatanames, $key);
+            push(@chartdatavals, $$m_data_gigs{$key});
+          }
+        }
+        else {
+          push(@chartdatanames, $key);
+          push(@chartdatavals, $$m_data{$key});
+        }
+      }
+      else {
+        $chartotherval += ($use_gig) ? $$m_data_gigs{$key} : $$m_data{$key};
+      }
+    }
+    push(@chartdatanames, "Other");
+    push(@chartdatavals, $chartotherval);
+
+    print $txt_fh "\n" if $txt_fh;
+    if ($htm_fh) {
+      print $htm_fh "</table>\n";
+      print $htm_fh "</td><td>\n";
+      if ($HAVE_GD_Graph_pie && $charts && ($#chartdatavals > 0)) {
+        # calculate the graph
+        my @data = (
+           \@chartdatanames,
+           \@chartdatavals
+        );
+        my $graph = GD::Graph::pie->new(300, 300);
+        $graph->set(
+            x_label           => 'Name',
+            y_label           => 'Volume' ,
+            title             => 'By Volume',
+        );
+        my $gd = $graph->plot(\@data) or warn($graph->error);
+        if ($gd) {
+          my $temp = $text;
+          $temp =~ s/ /_/g;
+          open(IMG, ">$chartdir/${temp}_volume.png") or die "Could not write $chartdir/${temp}_volume.png: $!\n";
+          binmode IMG;
+          print IMG $gd->png;
+          close IMG;
+          print $htm_fh "<img src=\"$chartrel/${temp}_volume.png\">";
+        }
+      }
+      print $htm_fh "</td><td>\n";
+      print $htm_fh "</td></tr></table>\n\n";
+    }
+
+    ++${$row_sref} if $xls_fh;
+  }
+}
+
+
+#######################################################################
+# top_n_sort();
+#
+#   @sorted_keys = top_n_sort($n,$href1,$href2,$href3);
+#
+# Given a hash which has numerical values, return the sorted $n keys which
+# point to the top values. The second and third hashes are used as
+# tiebreakers. They all must have the same keys.
+#
+# The idea behind this routine is that when you only want to see the
+# top n members of a set, rather than sorting the entire set and then
+# plucking off the top n, sort through the stack as you go, discarding
+# any member which is lower than your current n'th highest member.
+#
+# This proves to be an order of magnitude faster for large hashes.
+# On 200,000 lines of mainlog it benchmarked 9 times faster.
+# On 700,000 lines of mainlog it benchmarked 13.8 times faster.
+#
+# We assume the values are > 0.
+#######################################################################
+sub top_n_sort {
+  my($n,$href1,$href2,$href3) = @_;
+
+  # PH's original sort was:
+  #
+  # foreach $key (sort
+  #               {
+  #               $$m_count{$b}     <=> $$m_count{$a} ||
+  #               $$m_data_gigs{$b} <=> $$m_data_gigs{$a}  ||
+  #               $$m_data{$b}      <=> $$m_data{$a}  ||
+  #               $a cmp $b
+  #               }
+  #             keys %{$m_count})
+  #
+
+  #We use a key of '_' to represent non-existant values, as null keys are valid.
+  #'_' is not a valid domain, edomain, host, or email.
+  my(@top_n_keys) = ('_') x $n;
+  my($minimum_value1,$minimum_value2,$minimum_value3) = (0,0,0);
+  my $top_n_key = '';
+  my $n_minus_1 = $n - 1;
+  my $n_minus_2 = $n - 2;
+
+  # Create a dummy hash incase the user has not provided us with
+  # tiebreaker hashes.
+  my(%dummy_hash);
+  $href2 = \%dummy_hash unless defined $href2;
+  $href3 = \%dummy_hash unless defined $href3;
+
+  # Pick out the top $n keys.
+  my($key,$value1,$value2,$value3,$i,$comparison,$insert_position);
+  while (($key,$value1) = each %$href1) {
+
+    #print STDERR "key $key ($value1,",$href2->{$key},",",$href3->{$key},") <=> ($minimum_value1,$minimum_value2,$minimum_value3)\n";
+
+    # Check to see that the new value is bigger than the lowest of the
+    # top n keys that we're keeping. We test the main key first, because
+    # for the majority of cases we can skip creating dummy hash values
+    # should the user have not provided real tie-breaking hashes.
+    next unless $value1 >= $minimum_value1;
+
+    # Create a dummy hash entry for the key if required.
+    # Note that setting the dummy_hash value sets it for both href2 &
+    # href3. Also note that currently we are guaranteed to have a real
+    # value for href3 if a real value for href2 exists so don't need to
+    # test for it as well.
+    $dummy_hash{$key} = 0 unless exists $href2->{$key};
+
+    $comparison = $value1        <=> $minimum_value1 ||
+                  $href2->{$key} <=> $minimum_value2 ||
+                  $href3->{$key} <=> $minimum_value3 ||
+                  $top_n_key cmp $key;
+    next unless ($comparison == 1);
+
+    # As we will be using these values a few times, extract them into scalars.
+    $value2 = $href2->{$key};
+    $value3 = $href3->{$key};
+
+    # This key is bigger than the bottom n key, so the lowest position we
+    # will insert it into is $n minus 1 (the bottom of the list).
+    $insert_position = $n_minus_1;
+
+    # Now go through the list, stopping when we find a key that we're
+    # bigger than, or we come to the penultimate position - we've
+    # already tested bigger than the last.
+    #
+    # Note: we go top down as the list starts off empty.
+    # Note: stepping through the list in this way benchmarks nearly
+    # three times faster than doing a sort() on the reduced list.
+    # I assume this is because the list is already in order, and
+    # we get a performance boost from not having to do hash lookups
+    # on the new key.
+    for ($i = 0; $i < $n_minus_1; $i++) {
+      $top_n_key = $top_n_keys[$i];
+      if ( ($top_n_key eq '_') ||
+           ( ($value1 <=> $href1->{$top_n_key} ||
+              $value2 <=> $href2->{$top_n_key} ||
+              $value3 <=> $href3->{$top_n_key} ||
+              $top_n_key cmp $key) == 1
+           )
+         ) {
+        $insert_position = $i;
+        last;
+      }
+    }
+
+    # Remove the last element, then insert the new one.
+    $#top_n_keys = $n_minus_2;
+    splice(@top_n_keys,$insert_position,0,$key);
+
+    # Extract our new minimum values.
+    $top_n_key = $top_n_keys[$n_minus_1];
+    if ($top_n_key ne '_') {
+      $minimum_value1 = $href1->{$top_n_key};
+      $minimum_value2 = $href2->{$top_n_key};
+      $minimum_value3 = $href3->{$top_n_key};
+    }
+  }
+
+  # Return the top n list, grepping out non-existant values, just in case
+  # we didn't have that many values.
+  return(grep(!/^_$/,@top_n_keys));
+}
+
+
+
+#######################################################################
+# html_header();
+#
+#  $header = html_header($title);
+#
+# Print our HTML header and start the <body> block.
+#######################################################################
+sub html_header {
+  my($title) = @_;
+  my $text = << "EoText";
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-15">
+<title>$title</title>
+</head>
+<body bgcolor="white">
+<h1>$title</h1>
+EoText
+  return $text;
+}
+
+
+
+#######################################################################
+# help();
+#
+#  help();
+#
+# Display usage instructions and exit.
+#######################################################################
+sub help {
+  print << "EoText";
+
+eximstats Version $VERSION
+
+Usage:
+  eximstats [Output] [Options] mainlog1 mainlog2 ...
+  eximstats -merge -html [Options] report.1.html ... > weekly_rep.html
+
+Examples:
+  eximstats -html=eximstats.html mainlog1 mainlog2 ...
+  eximstats mainlog1 mainlog2 ... > report.txt
+
+Parses exim mainlog or syslog files and generates a statistical analysis
+of the messages processed.
+
+Valid output types are:
+-txt[=<file>]   plain text (default unless no other type is specified)
+-html[=<file>]  HTML
+-xls[=<file>]   Excel
+With no type and file given, defaults to -txt and STDOUT.
+
+Valid options are:
+-h<number>      histogram divisions per hour. The default is 1, and
+                0 suppresses histograms. Other valid values are:
+                2, 3, 5, 10, 15, 20, 30 or 60.
+-ne             don't display error information
+-nr             don't display relaying information
+-nr/pattern/    don't display relaying information that matches
+-nt             don't display transport information
+-nt/pattern/    don't display transport information that matches
+-nvr            don't do volume rounding. Display in bytes, not KB/MB/GB.
+-t<number>      display top <number> sources/destinations
+                default is 50, 0 suppresses top listing
+-tnl            omit local sources/destinations in top listing
+-t_remote_users show top user sources/destinations from non-local domains
+-q<list>        list of times for queuing information. -q0 suppresses.
+-show_rt<list>  Show the receipt times for all the messages.
+-show_dt<list>  Show the delivery times for all the messages.
+                <list> is an optional list of times in seconds.
+                Eg -show_rt1,2,4,8.
+
+-include_original_destination   show both the final and original
+                destinations in the results rather than just the final ones.
+
+-byhost         show results by sending host (default unless bydomain or
+                byemail is specified)
+-bydomain       show results by sending domain.
+-byemail        show results by sender's email address
+-byedomain      show results by sender's email domain
+-bylocaldomain  show results by local domain
+
+-pattern "Description" /pattern/
+                Count lines matching specified patterns and show them in
+                the results. It can be specified multiple times. Eg:
+                -pattern 'Refused connections' '/refused connection/'
+
+-merge          merge previously generated reports into a new report
+
+-charts         Create charts (this requires the GD::Graph modules).
+                Only valid with -html.
+-chartdir <dir> Create the charts' png files in the directory <dir>
+-chartrel <dir> Specify the relative directory for the "img src=" tags
+                from where to include the charts in the html file
+                -chartdir and -chartrel default to '.'
+
+-emptyok        It is OK if there is no valid input, don't print an error.
+
+-d              Debug mode - dump the eval'ed parser onto STDERR.
+
+EoText
+
+  exit 1;
+}
+
+
+
+#######################################################################
+# generate_parser();
+#
+#  $parser = generate_parser();
+#
+# This subroutine generates the parsing routine which will be
+# used to parse the mainlog. We take the base operation, and remove bits not in use.
+# This improves performance depending on what bits you take out or add.
+#
+# I've tested using study(), but this does not improve performance.
+#
+# We store our parsing routing in a variable, and process it looking for #IFDEF (Expression)
+# or #IFNDEF (Expression) statements and corresponding #ENDIF (Expression) statements. If
+# the expression evaluates to true, then it is included/excluded accordingly.
+#######################################################################
+sub generate_parser {
+  my $parser = '
+  my($ip,$host,$email,$edomain,$domain,$thissize,$size,$old,$new);
+  my($tod,$m_hour,$m_min,$id,$flag,$extra,$length);
+  my($seconds,$queued,$rcpt_time,$local_domain);
+  my $rej_id = 0;
+  while (<$fh>) {
+
+    # Convert syslog lines to mainlog format.
+    if (! /^\\d{4}/) {
+      next unless s/^.*? exim\\b.*?: //;
+    }
+
+    $length = length($_);
+    next if ($length < 38);
+    next unless /^
+		(\\d{4}\\-\\d\\d-\\d\\d\\s	# 1: YYYYMMDD HHMMSS
+			(\\d\\d)		# 2: HH
+			:
+			(\\d\\d)		# 3: MM
+			:\\d\\d
+		)
+		(\\.\\d+)?			# 4: subseconds
+		(\s[-+]\\d\\d\\d\\d)?		# 5: tz-offset
+		(\s\\[\\d+\\])?			# 6: pid
+		/ox;
+
+    $tod = defined($5) ?  $1 . $5 : $1;
+    ($m_hour,$m_min) = ($2,$3);
+
+    # PH - watch for GMT offsets in the timestamp.
+    if (defined($5)) {
+      $extra = 6;
+      next if ($length < 44);
+    }
+    else {
+      $extra = 0;
+    }
+
+    # watch for subsecond precision
+    if (defined($4)) {
+      $extra += length($4);
+      next if ($length < 38 + $extra);
+    }
+
+    # PH - watch for PID added after the timestamp.
+    if (defined($6)) {
+      $extra += length($6);
+      next if ($length < 38 + $extra);
+    }
+
+    $id   = substr($_, 20 + $extra, 16);
+    $flag = substr($_, 37 + $extra, 2);
+
+    if ($flag !~ /^([<>=*-]+|SA)$/ && /rejected|refused|dropped/) {
+      $flag = "Re";
+      $extra -= 3;
+    }
+
+    # Rejects can have no MSGID...
+    if ($flag eq "Re" && $id !~ /^[-0-9a-zA-Z]+$/) {
+      $id   = "reject:" . ++$rej_id;
+      $extra -= 17;
+    }
+';
+
+  # Watch for user specified patterns.
+  my $user_pattern_index = 0;
+  foreach (@user_patterns) {
+    $user_pattern_totals[$user_pattern_index] = 0;
+    $parser .= "    if ($_) {\n";
+    $parser .= "      \$user_pattern_totals[$user_pattern_index]++;\n";
+    $parser .= "      \$user_pattern_interval_count[$user_pattern_index][(\$m_hour*60 + \$m_min)/$hist_interval]++;\n" if ($hist_opt > 0);
+    $parser .= "    }\n";
+    $user_pattern_index++;
+  }
+
+  $parser .= '
+    next unless ($flag =~ /<=|=>|->|==|\\*\\*|Co|SA|Re/);
+
+    #Strip away the timestamp, ID and flag to speed up later pattern matches.
+    #The flags include Co (Completed), Re (Rejected), and SA (SpamAssassin).
+    $_ = substr($_, 40 + $extra);  # PH
+
+    # Alias @message to the array of information about the message.
+    # This minimises the number of calls to hash functions.
+    $messages{$id} = [] unless exists $messages{$id};
+    *message = $messages{$id};
+
+
+    # JN - Skip over certain transports as specified via the "-nt/.../" command
+    # line switch (where ... is a perl style regular expression).  This is
+    # required so that transports that skew stats such as SpamAssassin can be
+    # ignored.
+    #IFDEF ($transport_pattern)
+    if (/\\sT=(\\S+)/) {
+       next if ($1 =~ /$transport_pattern/o) ;
+    }
+    #ENDIF ($transport_pattern)
+
+
+
+    # Do some pattern matches to get the host and IP address.
+    # We expect lines to be of the form "H=[IpAddr]" or "H=Host [IpAddr]" or
+    # "H=Host (UnverifiedHost) [IpAddr]" or "H=(UnverifiedHost) [IpAddr]".
+    # We do 2 separate matches to keep the matches simple and fast.
+    # Host is local unless otherwise specified.
+    # Watch out for "H=([IpAddr])" in case they send "[IpAddr]" as their HELO!
+    $ip = (/\\bH=(?:|.*? )(\\[[^]]+\\])/) ? $1
+     # 2008-03-31 06:25:22 Connection from [213.246.33.217]:39456 refused: too many connections from that IP address // .hs
+     : (/Connection from (\[\S+\])/) ? $1
+     # 2008-03-31 06:52:40 SMTP call from mail.cacoshrf.com (ccsd02.ccsd.local) [69.24.118.229]:4511 dropped: too many nonmail commands (last was "RSET") // .hs
+     : (/SMTP call from .*?(\[\S+\])/) ? $1
+     : "local";
+    $host = (/\\bH=(\\S+)/) ? $1 : "local";
+
+    $domain = "localdomain";  #Domain is localdomain unless otherwise specified.
+
+    #IFDEF ($do_sender{Domain})
+    if ($host =~ /^\\[/ || $host =~ /^[\\d\\.]+$/) {
+      # Host is just an IP address.
+      $domain = $host;
+    }
+    elsif ($host =~ /^(\\(?)[^\\.]+\\.([^\\.]+\\..*)/) {
+      # Remove the host portion from the DNS name. We ensure that we end up
+      # with at least xxx.yyy. $host can be "(x.y.z)" or  "x.y.z".
+      $domain = lc("$1.$2");
+      $domain =~ s/^\\.//;         #Remove preceding dot.
+    }
+    #ENDIF ($do_sender{Domain})
+
+    #IFDEF ($do_sender{Email})
+      #IFDEF ($include_original_destination)
+      # Catch both "a@b.com <c@d.com>" and "e@f.com"
+      #$email = (/^(\S+) (<(\S*?)>)?/) ? $3 || $1 : "";
+      $email = (/^(\S+ (<[^@>]+@?[^>]*>)?)/) ? $1 : "";
+      chomp($email);
+      #ENDIF ($include_original_destination)
+
+      #IFNDEF ($include_original_destination)
+      $email = (/^(\S+)/) ? $1 : "";
+      #ENDIF ($include_original_destination)
+    #ENDIF ($do_sender{Email})
+
+    #IFDEF ($do_sender{Edomain})
+      if (/^(<>|blackhole)/) {
+        $edomain = $1;
+      }
+      #IFDEF ($include_original_destination)
+        elsif (/^(\S+ (<\S*?\\@(\S+?)>)?)/) {
+          $edomain = $1;
+          chomp($edomain);
+          $edomain =~ s/@(\S+?)>/"@" . lc($1) . ">"/e;
+        }
+      #ENDIF ($include_original_destination)
+      #IFNDEF ($include_original_destination)
+        elsif (/^\S*?\\@(\S+)/) {
+          $edomain = lc($1);
+        }
+      #ENDIF ($include_original_destination)
+      else {
+        $edomain = "";
+      }
+
+    #ENDIF ($do_sender{Edomain})
+
+    if ($tod lt $begin) {
+      $begin = $tod;
+    }
+    elsif ($tod gt $end) {
+      $end   = $tod;
+    }
+
+
+    if ($flag eq "<=") {
+      $thissize = (/\\sS=(\\d+)( |$)/) ? $1 : 0;
+      $message[$SIZE] = $thissize;
+      $message[$PROTOCOL] = (/ P=(\S+)/) ? $1 : undef;
+
+      #IFDEF ($show_relay)
+      if ($host ne "local") {
+        # Save incoming information in case it becomes interesting
+        # later, when delivery lines are read.
+        my($from) = /^(\\S+)/;
+        $message[$FROM_HOST]    = "$host$ip";
+        $message[$FROM_ADDRESS] = $from;
+      }
+      #ENDIF ($show_relay)
+
+      #IFDEF ($local_league_table || $include_remote_users)
+        if (/\sU=(\\S+)/) {
+          my $user = $1;
+
+          #IFDEF ($local_league_table && $include_remote_users)
+          {                         #Store both local and remote users.
+          #ENDIF ($local_league_table && $include_remote_users)
+
+          #IFDEF ($local_league_table && ! $include_remote_users)
+          if ($host eq "local") {   #Store local users only.
+          #ENDIF ($local_league_table && ! $include_remote_users)
+
+          #IFDEF ($include_remote_users && ! $local_league_table)
+          if ($host ne "local") {   #Store remote users only.
+          #ENDIF ($include_remote_users && ! $local_league_table)
+
+            ++$received_count_user{$user};
+            add_volume(\\$received_data_user{$user},\\$received_data_gigs_user{$user},$thissize);
+          }
+        }
+      #ENDIF ($local_league_table || $include_remote_users)
+
+      #IFDEF ($do_sender{Host})
+        ++$received_count{Host}{$host};
+        add_volume(\\$received_data{Host}{$host},\\$received_data_gigs{Host}{$host},$thissize);
+      #ENDIF ($do_sender{Host})
+
+      #IFDEF ($do_sender{Domain})
+        if ($domain) {
+          ++$received_count{Domain}{$domain};
+          add_volume(\\$received_data{Domain}{$domain},\\$received_data_gigs{Domain}{$domain},$thissize);
+        }
+      #ENDIF ($do_sender{Domain})
+
+      #IFDEF ($do_sender{Email})
+        ++$received_count{Email}{$email};
+        add_volume(\\$received_data{Email}{$email},\\$received_data_gigs{Email}{$email},$thissize);
+      #ENDIF ($do_sender{Email})
+
+      #IFDEF ($do_sender{Edomain})
+        ++$received_count{Edomain}{$edomain};
+        add_volume(\\$received_data{Edomain}{$edomain},\\$received_data_gigs{Edomain}{$edomain},$thissize);
+      #ENDIF ($do_sender{Edomain})
+
+      ++$total_received_count;
+      add_volume(\\$total_received_data,\\$total_received_data_gigs,$thissize);
+
+      #IFDEF ($#queue_times >= 0 || $#rcpt_times >= 0)
+        $message[$ARRIVAL_TIME] = $tod;
+      #ENDIF ($#queue_times >= 0 || $#rcpt_times >= 0)
+
+      #IFDEF ($hist_opt > 0)
+        $received_interval_count[($m_hour*60 + $m_min)/$hist_interval]++;
+      #ENDIF ($hist_opt > 0)
+    }
+
+    elsif ($flag eq "=>") {
+      $size = $message[$SIZE] || 0;
+      if ($host ne "local") {
+        $message[$REMOTE_DELIVERED] = 1;
+
+
+        #IFDEF ($show_relay)
+        # Determine relaying address if either only one address listed,
+        # or two the same. If they are different, it implies a forwarding
+        # or aliasing, which is not relaying. Note that for multi-aliased
+        # addresses, there may be a further address between the first
+        # and last.
+
+        if (defined $message[$FROM_HOST]) {
+          if (/^(\\S+)(?:\\s+\\([^)]\\))?\\s+<([^>]+)>/) {
+            ($old,$new) = ($1,$2);
+          }
+          else {
+            $old = $new = "";
+          }
+
+          if ("\\L$new" eq "\\L$old") {
+            ($old) = /^(\\S+)/ if $old eq "";
+            my $key = "H=\\L$message[$FROM_HOST]\\E A=\\L$message[$FROM_ADDRESS]\\E => " .
+              "H=\\L$host\\E$ip A=\\L$old\\E";
+            if (!defined $relay_pattern || $key !~ /$relay_pattern/o) {
+              $relayed{$key} = 0 if !defined $relayed{$key};
+              ++$relayed{$key};
+            }
+            else {
+              ++$relayed_unshown;
+            }
+          }
+        }
+        #ENDIF ($show_relay)
+
+      }
+
+      #IFDEF ($local_league_table || $include_remote_users)
+        #IFDEF ($local_league_table && $include_remote_users)
+        {                         #Store both local and remote users.
+        #ENDIF ($local_league_table && $include_remote_users)
+
+        #IFDEF ($local_league_table && ! $include_remote_users)
+        if ($host eq "local") {   #Store local users only.
+        #ENDIF ($local_league_table && ! $include_remote_users)
+
+        #IFDEF ($include_remote_users && ! $local_league_table)
+        if ($host ne "local") {   #Store remote users only.
+        #ENDIF ($include_remote_users && ! $local_league_table)
+
+          if (my($user) = split((/\\s</)? " <" : " ", $_)) {
+            #IFDEF ($include_original_destination)
+            {
+            #ENDIF ($include_original_destination)
+            #IFNDEF ($include_original_destination)
+            if ($user =~ /^[\\/|]/) {
+            #ENDIF ($include_original_destination)
+              #my($parent) = $_ =~ /(<[^@]+@?[^>]*>)/;
+              my($parent) = $_ =~ / (<.+?>) /;              #DT 1.54
+              if (defined $parent) {
+                $user = "$user $parent";
+                #IFDEF ($do_local_domain)
+                if ($parent =~ /\\@(.+)>/) {
+                  $local_domain = lc($1);
+                  ++$delivered_messages_local_domain{$local_domain};
+                  ++$delivered_addresses_local_domain{$local_domain};
+                  add_volume(\\$delivered_data_local_domain{$local_domain},\\$delivered_data_gigs_local_domain{$local_domain},$size);
+                }
+                #ENDIF ($do_local_domain)
+              }
+            }
+            ++$delivered_messages_user{$user};
+            ++$delivered_addresses_user{$user};
+            add_volume(\\$delivered_data_user{$user},\\$delivered_data_gigs_user{$user},$size);
+          }
+        }
+      #ENDIF ($local_league_table || $include_remote_users)
+
+      #IFDEF ($do_sender{Host})
+        $delivered_messages{Host}{$host}++;
+        $delivered_addresses{Host}{$host}++;
+        add_volume(\\$delivered_data{Host}{$host},\\$delivered_data_gigs{Host}{$host},$size);
+      #ENDIF ($do_sender{Host})
+      #IFDEF ($do_sender{Domain})
+        if ($domain) {
+          ++$delivered_messages{Domain}{$domain};
+          ++$delivered_addresses{Domain}{$domain};
+          add_volume(\\$delivered_data{Domain}{$domain},\\$delivered_data_gigs{Domain}{$domain},$size);
+        }
+      #ENDIF ($do_sender{Domain})
+      #IFDEF ($do_sender{Email})
+        ++$delivered_messages{Email}{$email};
+        ++$delivered_addresses{Email}{$email};
+        add_volume(\\$delivered_data{Email}{$email},\\$delivered_data_gigs{Email}{$email},$size);
+      #ENDIF ($do_sender{Email})
+      #IFDEF ($do_sender{Edomain})
+        ++$delivered_messages{Edomain}{$edomain};
+        ++$delivered_addresses{Edomain}{$edomain};
+        add_volume(\\$delivered_data{Edomain}{$edomain},\\$delivered_data_gigs{Edomain}{$edomain},$size);
+      #ENDIF ($do_sender{Edomain})
+
+      ++$total_delivered_messages;
+      ++$total_delivered_addresses;
+      add_volume(\\$total_delivered_data,\\$total_delivered_data_gigs,$size);
+
+      #IFDEF ($show_transport)
+        my $transport = (/\\sT=(\\S+)/) ? $1 : ":blackhole:";
+        ++$transported_count{$transport};
+        add_volume(\\$transported_data{$transport},\\$transported_data_gigs{$transport},$size);
+      #ENDIF ($show_transport)
+
+      #IFDEF ($hist_opt > 0)
+        $delivered_interval_count[($m_hour*60 + $m_min)/$hist_interval]++;
+      #ENDIF ($hist_opt > 0)
+
+      #IFDEF ($#delivery_times > 0)
+        if (/ DT=(\S+)/) {
+          $seconds = wdhms_seconds($1);
+          for ($i = 0; $i <= $#delivery_times; $i++) {
+            if ($seconds < $delivery_times[$i]) {
+              ++$dt_all_bin[$i];
+              ++$dt_remote_bin[$i] if $message[$REMOTE_DELIVERED];
+              last;
+            }
+          }
+          if ($i > $#delivery_times) {
+            ++$dt_all_overflow;
+            ++$dt_remote_overflow if $message[$REMOTE_DELIVERED];
+          }
+        }
+      #ENDIF ($#delivery_times > 0)
+
+    }
+
+    elsif ($flag eq "->") {
+
+      #IFDEF ($local_league_table || $include_remote_users)
+        #IFDEF ($local_league_table && $include_remote_users)
+        {                         #Store both local and remote users.
+        #ENDIF ($local_league_table && $include_remote_users)
+
+        #IFDEF ($local_league_table && ! $include_remote_users)
+        if ($host eq "local") {   #Store local users only.
+        #ENDIF ($local_league_table && ! $include_remote_users)
+
+        #IFDEF ($include_remote_users && ! $local_league_table)
+        if ($host ne "local") {   #Store remote users only.
+        #ENDIF ($include_remote_users && ! $local_league_table)
+
+          if (my($user) = split((/\\s</)? " <" : " ", $_)) {
+            #IFDEF ($include_original_destination)
+            {
+            #ENDIF ($include_original_destination)
+            #IFNDEF ($include_original_destination)
+            if ($user =~ /^[\\/|]/) {
+            #ENDIF ($include_original_destination)
+              #my($parent) = $_ =~ /(<[^@]+@?[^>]*>)/;
+              my($parent) = $_ =~ / (<.+?>) /;              #DT 1.54
+              $user = "$user $parent" if defined $parent;
+            }
+            ++$delivered_addresses_user{$user};
+          }
+        }
+      #ENDIF ($local_league_table || $include_remote_users)
+
+      #IFDEF ($do_sender{Host})
+        $delivered_addresses{Host}{$host}++;
+      #ENDIF ($do_sender{Host})
+      #IFDEF ($do_sender{Domain})
+        if ($domain) {
+          ++$delivered_addresses{Domain}{$domain};
+        }
+      #ENDIF ($do_sender{Domain})
+      #IFDEF ($do_sender{Email})
+        ++$delivered_addresses{Email}{$email};
+      #ENDIF ($do_sender{Email})
+      #IFDEF ($do_sender{Edomain})
+        ++$delivered_addresses{Edomain}{$edomain};
+      #ENDIF ($do_sender{Edomain})
+
+      ++$total_delivered_addresses;
+    }
+
+    elsif ($flag eq "==" && defined($message[$SIZE]) && !defined($message[$DELAYED])) {
+      ++$delayed_count;
+      $message[$DELAYED] = 1;
+    }
+
+    elsif ($flag eq "**") {
+      if (defined ($message[$SIZE])) {
+        unless (defined $message[$HAD_ERROR]) {
+          ++$message_errors;
+          $message[$HAD_ERROR] = 1;
+        }
+      }
+
+      #IFDEF ($show_errors)
+        ++$errors_count{$_};
+      #ENDIF ($show_errors)
+
+    }
+
+    elsif ($flag eq "Co") {
+      #Completed?
+      #IFDEF ($#queue_times >= 0)
+        $queued = queue_time($tod, $message[$ARRIVAL_TIME], $id);
+
+        for ($i = 0; $i <= $#queue_times; $i++) {
+          if ($queued < $queue_times[$i]) {
+            ++$qt_all_bin[$i];
+            ++$qt_remote_bin[$i] if $message[$REMOTE_DELIVERED];
+            last;
+          }
+        }
+        if ($i > $#queue_times) {
+          ++$qt_all_overflow;
+          ++$qt_remote_overflow if $message[$REMOTE_DELIVERED];
+        }
+      #ENDIF ($#queue_times >= 0)
+
+      #IFDEF ($#rcpt_times >= 0)
+        if (/ QT=(\S+)/) {
+          $seconds = wdhms_seconds($1);
+          #Calculate $queued if not previously calculated above.
+          #IFNDEF ($#queue_times >= 0)
+            $queued = queue_time($tod, $message[$ARRIVAL_TIME], $id);
+          #ENDIF ($#queue_times >= 0)
+          $rcpt_time = $seconds - $queued;
+          my($protocol);
+
+          if (defined $message[$PROTOCOL]) {
+            $protocol = $message[$PROTOCOL];
+
+            # Create the bin if its not already defined.
+            unless (exists $rcpt_times_bin{$protocol}) {
+              initialise_rcpt_times($protocol);
+            }
+          }
+
+
+          for ($i = 0; $i <= $#rcpt_times; ++$i) {
+            if ($rcpt_time < $rcpt_times[$i]) {
+              ++$rcpt_times_bin{all}[$i];
+              ++$rcpt_times_bin{$protocol}[$i] if defined $protocol;
+              last;
+            }
+          }
+
+          if ($i > $#rcpt_times) {
+            ++$rcpt_times_overflow{all};
+            ++$rcpt_times_overflow{$protocol} if defined $protocol;
+          }
+        }
+      #ENDIF ($#rcpt_times >= 0)
+
+      delete($messages{$id});
+    }
+    elsif ($flag eq "SA") {
+      $ip = (/From.*?(\\[[^]]+\\])/ || /\\((local)\\)/) ? $1 : "";
+      #SpamAssassin message
+      if (/Action: ((permanently|temporarily) rejected message|flagged as Spam but accepted): score=(\d+\.\d)/) {
+        #add_volume(\\$spam_score,\\$spam_score_gigs,$3);
+        ++$spam_count_by_ip{$ip};
+      } elsif (/Action: scanned but message isn\'t spam: score=(-?\d+\.\d)/) {
+        #add_volume(\\$ham_score,\\$ham_score_gigs,$1);
+        ++$ham_count_by_ip{$ip};
+      } elsif (/(Not running SA because SAEximRunCond expanded to false|check skipped due to message size)/) {
+        ++$ham_count_by_ip{$ip};
+      }
+    }
+
+    # Look for Reject messages or blackholed messages (deliveries
+    # without a transport)
+    if ($flag eq "Re" || ($flag eq "=>" && ! /\\sT=\\S+/)) {
+      # Correct the IP address for rejects:
+      # rejected EHLO from my.test.net [10.0.0.5]: syntactically invalid argument(s):
+      # rejected EHLO from [10.0.0.6]: syntactically invalid argument(s):
+      $ip = $1 if ($ip eq "local" && /^rejected [HE][HE]LO from .*?(\[.+?\]):/);
+      if (/SpamAssassin/) {
+        ++$rejected_count_by_reason{"Rejected by SpamAssassin"};
+        ++$rejected_count_by_ip{$ip};
+      }
+      elsif (
+        /(temporarily rejected [A-Z]*) .*?(: .*?)(:|\s*$)/
+        ) {
+        ++$temporarily_rejected_count_by_reason{"\u$1$2"};
+        ++$temporarily_rejected_count_by_ip{$ip};
+      }
+      elsif (
+        /(temporarily refused connection)/
+        ) {
+        ++$temporarily_rejected_count_by_reason{"\u$1"};
+        ++$temporarily_rejected_count_by_ip{$ip};
+      }
+      elsif (
+        /(listed at [^ ]+)/ ||
+        /(Forged IP detected in HELO)/ ||
+        /(Invalid domain or IP given in HELO\/EHLO)/ ||
+        /(unqualified recipient rejected)/ ||
+        /(closed connection (after|in response) .*?)\s*$/ ||
+        /(sender rejected)/ ||
+        # 2005-09-23 15:07:49 1EInHJ-0007Ex-Au H=(a.b.c) [10.0.0.1] F=<> rejected after DATA: This message contains a virus: (Eicar-Test-Signature) please scan your system.
+        # 2005-10-06 10:50:07 1ENRS3-0000Nr-Kt => blackhole (DATA ACL discarded recipients): This message contains a virus: (Worm.SomeFool.P) please scan your system.
+        / rejected after DATA: (.*)/ ||
+        / (rejected DATA: .*)/ ||
+        /.DATA ACL discarded recipients.: (.*)/ ||
+        /rejected after DATA: (unqualified address not permitted)/ ||
+        /(VRFY rejected)/ ||
+#        /(sender verify (defer|fail))/i ||
+        /(too many recipients)/ ||
+        /(refused relay.*?) to/ ||
+        /(rejected by non-SMTP ACL: .*)/ ||
+        /(rejected by local_scan.*)/ ||
+        # SMTP call from %s dropped: too many syntax or protocol errors (last command was "%s"
+        # SMTP call from %s dropped: too many nonmail commands
+        /(dropped: too many ((nonmail|unrecognized) commands|syntax or protocol errors))/ ||
+
+        # local_scan() function crashed with signal %d - message temporarily rejected
+        # local_scan() function timed out - message temporarily rejected
+        /(local_scan.. function .* - message temporarily rejected)/ ||
+        # SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from %s
+        /(SMTP protocol .*?(error|violation))/ ||
+        /(message too big)/
+        ) {
+        ++$rejected_count_by_reason{"\u$1"};
+        ++$rejected_count_by_ip{$ip};
+      }
+      elsif (/rejected [HE][HE]LO from [^:]*: syntactically invalid argument/) {
+        ++$rejected_count_by_reason{"Rejected HELO/EHLO: syntactically invalid argument"};
+        ++$rejected_count_by_ip{$ip};
+      }
+      elsif (/response to "RCPT TO.*? was: (.*)/) {
+        ++$rejected_count_by_reason{"Response to RCPT TO was: $1"};
+        ++$rejected_count_by_ip{$ip};
+      }
+      elsif (
+        /(lookup of host )\S+ (failed)/ ||
+
+        # rejected from <%s>%s%s%s%s: message too big:
+        /(rejected [A-Z]*) .*?(: .*?)(:|\s*$)/ ||
+        # refused connection from %s (host_reject_connection)
+        # refused connection from %s (tcp wrappers)
+        /(refused connection )from.*? (\(.*)/ ||
+
+        # error from remote mailer after RCPT TO:<a@b.c>: host a.b.c [10.0.0.1]: 450 <a@b.c>: Recipient address rejected: Greylisted for 60 seconds
+        # error from remote mailer after MAIL FROM:<> SIZE=3468: host a.b.c [10.0.0.1]: 421 a.b.c has refused your connection because your server did not have a PTR record.
+        /(error from remote mailer after .*?:).*(: .*?)(:|\s*$)/ ||
+
+        # a.b.c F=<a@b.c> rejected after DATA: "@" or "." expected after "Undisclosed-Recipient": failing address in "To" header is: <Undisclosed-Recipient:;>
+        /rejected after DATA: ("." or "." expected).*?(: failing address in .*? header)/ ||
+
+        # connection from %s refused load average = %.2f
+        /(Connection )from.*? (refused: load average)/ ||
+        # connection from %s refused (IP options)
+        # Connection from %s refused: too many connections
+        # connection from %s refused
+        /([Cc]onnection )from.*? (refused.*)/ ||
+        # [10.0.0.1]: connection refused
+        /: (Connection refused)()/
+        ) {
+        ++$rejected_count_by_reason{"\u$1$2"};
+        ++$rejected_count_by_ip{$ip};
+      }
+      elsif (
+        # 2008-03-31 06:25:22 H=mail.densitron.com [216.70.140.224]:45386 temporarily rejected connection in "connect" ACL: too fast reconnects // .hs
+        # 2008-03-31 06:25:22 H=mail.densitron.com [216.70.140.224]:45386 temporarily rejected connection in "connect" ACL // .hs
+        /(temporarily rejected connection in .*?ACL:?.*)/
+        ) {
+        ++$temporarily_rejected_count_by_ip{$ip};
+        ++$temporarily_rejected_count_by_reason{"\u$1"};
+      }
+      else {
+        ++$rejected_count_by_reason{Unknown};
+        ++$rejected_count_by_ip{$ip};
+        print STDERR "Unknown rejection: $_" if $debug;
+      }
+    }
+  }';
+
+  # We now do a 'C preprocessor style operation on our parser
+  # to remove bits not in use.
+  my(%defines_in_operation,$removing_lines,$processed_parser);
+  foreach (split (/\n/,$parser)) {
+    if ((/^\s*#\s*IFDEF\s*\((.*?)\)/i  && ! eval $1) ||
+        (/^\s*#\s*IFNDEF\s*\((.*?)\)/i &&   eval $1)    ) {
+      $defines_in_operation{$1} = 1;
+      $removing_lines = 1;
+    }
+
+    # Convert constants.
+    while (/(\$[A-Z][A-Z_]*)\b/) {
+      my $constant = eval $1;
+      s/(\$[A-Z][A-Z_]*)\b/$constant/;
+    }
+
+    $processed_parser .= $_."\n" unless $removing_lines;
+
+    if (/^\s*#\s*ENDIF\s*\((.*?)\)/i) {
+      delete $defines_in_operation{$1};
+      unless (keys %defines_in_operation) {
+        $removing_lines = 0;
+      }
+    }
+  }
+  print STDERR "# START OF PARSER:$processed_parser\n# END OF PARSER\n\n" if $debug;
+
+  return $processed_parser;
+}
+
+
+
+#######################################################################
+# parse();
+#
+#  parse($parser,\*FILEHANDLE);
+#
+# This subroutine accepts a parser and a filehandle from main and parses each
+# line. We store the results into global variables.
+#######################################################################
+sub parse {
+  my($parser,$fh) = @_;
+
+  if ($merge_reports) {
+    parse_old_eximstat_reports($fh);
+  }
+  else {
+    eval $parser;
+    die ($@) if $@;
+  }
+
+}
+
+
+
+#######################################################################
+# print_header();
+#
+#  print_header();
+#
+# Print our headers and contents.
+#######################################################################
+sub print_header {
+
+
+  my $title = "Exim statistics from $begin to $end";
+
+  print $txt_fh "\n$title\n" if $txt_fh;
+  if ($htm_fh) {
+    print $htm_fh html_header($title);
+    print $htm_fh "<ul>\n";
+    print $htm_fh "<li><a href=\"#Grandtotal\">Grand total summary</a>\n";
+    print $htm_fh "<li><a href=\"#Patterns\">User Specified Patterns</a>\n" if @user_patterns;
+    print $htm_fh "<li><a href=\"#Transport\">Deliveries by Transport</a>\n" if $show_transport;
+    if ($hist_opt) {
+      print $htm_fh "<li><a href=\"#Messages received\">Messages received per hour</a>\n";
+      print $htm_fh "<li><a href=\"#Deliveries\">Deliveries per hour</a>\n";
+    }
+
+    if ($#queue_times >= 0) {
+      print $htm_fh "<li><a href=\"#Time spent on the queue all messages\">Time spent on the queue: all messages</a>\n";
+      print $htm_fh "<li><a href=\"#Time spent on the queue messages with at least one remote delivery\">Time spent on the queue: messages with at least one remote delivery</a>\n";
+    }
+
+    if ($#delivery_times >= 0) {
+      print $htm_fh "<li><a href=\"#Delivery times all messages\">Delivery times: all messages</a>\n";
+      print $htm_fh "<li><a href=\"#Delivery times messages with at least one remote delivery\">Delivery times: messages with at least one remote delivery</a>\n";
+    }
+
+    if ($#rcpt_times >= 0) {
+      print $htm_fh "<li><a href=\"#Receipt times all messages\">Receipt times</a>\n";
+    }
+
+    print $htm_fh "<li><a href=\"#Relayed messages\">Relayed messages</a>\n" if $show_relay;
+    if ($topcount) {
+      print $htm_fh "<li><a href=\"#Mail rejection reason count\">Top $topcount mail rejection reasons by message count</a>\n" if %rejected_count_by_reason;
+      foreach ('Host','Domain','Email','Edomain') {
+        next unless $do_sender{$_};
+        print $htm_fh "<li><a href=\"#Sending \l$_ count\">Top $topcount sending \l${_}s by message count</a>\n";
+        print $htm_fh "<li><a href=\"#Sending \l$_ volume\">Top $topcount sending \l${_}s by volume</a>\n";
+      }
+      if (($local_league_table || $include_remote_users) && %received_count_user) {
+        print $htm_fh "<li><a href=\"#Local sender count\">Top $topcount local senders by message count</a>\n";
+        print $htm_fh "<li><a href=\"#Local sender volume\">Top $topcount local senders by volume</a>\n";
+      }
+      foreach ('Host','Domain','Email','Edomain') {
+        next unless $do_sender{$_};
+        print $htm_fh "<li><a href=\"#$_ destination count\">Top $topcount \l$_ destinations by message count</a>\n";
+        print $htm_fh "<li><a href=\"#$_ destination volume\">Top $topcount \l$_ destinations by volume</a>\n";
+      }
+      if (($local_league_table || $include_remote_users) && %delivered_messages_user) {
+        print $htm_fh "<li><a href=\"#Local destination count\">Top $topcount local destinations by message count</a>\n";
+        print $htm_fh "<li><a href=\"#Local destination volume\">Top $topcount local destinations by volume</a>\n";
+      }
+      if (($local_league_table || $include_remote_users) && %delivered_messages_local_domain) {
+        print $htm_fh "<li><a href=\"#Local domain destination count\">Top $topcount local domain destinations by message count</a>\n";
+        print $htm_fh "<li><a href=\"#Local domain destination volume\">Top $topcount local domain destinations by volume</a>\n";
+      }
+
+      print $htm_fh "<li><a href=\"#Rejected ip count\">Top $topcount rejected ips by message count</a>\n" if %rejected_count_by_ip;
+      print $htm_fh "<li><a href=\"#Temporarily rejected ip count\">Top $topcount temporarily rejected ips by message count</a>\n" if %temporarily_rejected_count_by_ip;
+      print $htm_fh "<li><a href=\"#Non-rejected spamming ip count\">Top $topcount non-rejected spamming ips by message count</a>\n" if %spam_count_by_ip;
+
+    }
+    print $htm_fh "<li><a href=\"#errors\">List of errors</a>\n" if %errors_count;
+    print $htm_fh "</ul>\n<hr>\n";
+  }
+  if ($xls_fh)
+  {
+    $ws_global->write($row++, $col+0, "Exim Statistics",  $f_header1);
+    &set_worksheet_line($ws_global, $row, $col, ["from:",  $begin,  "to:", $end], $f_default);
+    $row+=2;
+  }
+}
+
+
+#######################################################################
+# print_grandtotals();
+#
+#  print_grandtotals();
+#
+# Print the grand totals.
+#######################################################################
+sub print_grandtotals {
+
+  # Get the sender by headings and results. This is complicated as we can have
+  # different numbers of columns.
+  my($sender_txt_header,$sender_txt_format,$sender_html_format);
+  my(@received_totals,@delivered_totals);
+  my($row_tablehead, $row_max);
+  my(@col_headers) = ('TOTAL', 'Volume', 'Messages', 'Addresses');
+
+  foreach ('Host','Domain','Email','Edomain') {
+    next unless $do_sender{$_};
+    if ($merge_reports) {
+      push(@received_totals, get_report_total($report_totals{Received},"${_}s"));
+      push(@delivered_totals,get_report_total($report_totals{Delivered},"${_}s"));
+    }
+    else {
+      push(@received_totals,scalar(keys %{$received_data{$_}}));
+      push(@delivered_totals,scalar(keys %{$delivered_data{$_}}));
+    }
+    $sender_txt_header  .= " " x ($COLUMN_WIDTHS - length($_)) . $_ . 's';
+    $sender_html_format .= "<td align=\"right\">%s</td>";
+    $sender_txt_format  .= " " x ($COLUMN_WIDTHS - 5) . "%6s";
+    push(@col_headers,"${_}s");
+  }
+
+  my $txt_format1 = "  %-16s %9s     %6d    %6s $sender_txt_format";
+  my $txt_format2 = "  %6d %4.1f%% %6d %4.1f%%",
+  my $htm_format1 = "<tr><td>%s</td><td align=\"right\">%s</td><td align=\"right\">%s</td><td align=\"right\">%s</td>$sender_html_format";
+  my $htm_format2 = "<td align=\"right\">%d</td><td align=\"right\">%4.1f%%</td><td align=\"right\">%d</td><td align=\"right\">%4.1f%%</td>";
+
+  if ($txt_fh) {
+    my $sender_spaces = " " x length($sender_txt_header);
+    print $txt_fh "\n";
+    print $txt_fh "Grand total summary\n";
+    print $txt_fh "-------------------\n";
+    print $txt_fh "                                              $sender_spaces           At least one address\n";
+    print $txt_fh "  TOTAL               Volume   Messages Addresses $sender_txt_header      Delayed       Failed\n";
+  }
+  if ($htm_fh) {
+    print $htm_fh "<a name=\"Grandtotal\"></a>\n";
+    print $htm_fh "<h2>Grand total summary</h2>\n";
+    print $htm_fh "<table border=1>\n";
+    print $htm_fh "<tr><th>" . join('</th><th>',@col_headers) . "</th><th colspan=2>At least one addr<br>Delayed</th><th colspan=2>At least one addr<br>Failed</th>\n";
+  }
+  if ($xls_fh) {
+    $ws_global->write($row++, 0, "Grand total summary", $f_header2);
+    $ws_global->write($row, 0, \@col_headers, $f_header2);
+    $ws_global->merge_range($row, scalar(@col_headers), $row, scalar(@col_headers)+1, "At least one addr Delayed", $f_header2_m);
+    $ws_global->merge_range($row, scalar(@col_headers)+2, $row, scalar(@col_headers)+3, "At least one addr Failed", $f_header2_m);
+    #$ws_global->write(++$row, scalar(@col_headers), ['Total','Percent','Total','Percent'], $f_header2);
+  }
+
+
+  my($volume,$failed_count);
+  if ($merge_reports) {
+    $volume = volume_rounded($report_totals{Received}{Volume}, $report_totals{Received}{'Volume-gigs'});
+    $total_received_count = get_report_total($report_totals{Received},'Messages');
+    $failed_count  = get_report_total($report_totals{Received},'Failed');
+    $delayed_count = get_report_total($report_totals{Received},'Delayed');
+  }
+  else {
+    $volume = volume_rounded($total_received_data, $total_received_data_gigs);
+    $failed_count = $message_errors;
+  }
+
+  {
+    no integer;
+
+    my @content=(
+        $volume,$total_received_count,'',
+        @received_totals,
+        $delayed_count,
+        ($total_received_count) ? ($delayed_count*100/$total_received_count) : 0,
+        $failed_count,
+        ($total_received_count) ? ($failed_count*100/$total_received_count) : 0
+    );
+
+    printf $txt_fh ("$txt_format1$txt_format2\n", 'Received', @content) if $txt_fh;
+    printf $htm_fh ("$htm_format1$htm_format2\n", 'Received', @content) if $htm_fh;
+    if ($xls_fh) {
+      $ws_global->write(++$row, 0, 'Received', $f_default);
+      for (my $i=0; $i < scalar(@content); $i++) {
+        if ($i == 4 || $i == 6) {
+          $ws_global->write($row, $i+1, $content[$i]/100, $f_percent);
+        }
+        else {
+          $ws_global->write($row, $i+1, $content[$i], $f_default);
+        }
+      }
+    }
+  }
+
+  if ($merge_reports) {
+    $volume = volume_rounded($report_totals{Delivered}{Volume}, $report_totals{Delivered}{'Volume-gigs'});
+    $total_delivered_messages = get_report_total($report_totals{Delivered},'Messages');
+    $total_delivered_addresses = get_report_total($report_totals{Delivered},'Addresses');
+  }
+  else {
+    $volume = volume_rounded($total_delivered_data, $total_delivered_data_gigs);
+  }
+
+  my @content=($volume, $total_delivered_messages, $total_delivered_addresses, @delivered_totals);
+  printf $txt_fh ("$txt_format1\n", 'Delivered', @content) if $txt_fh;
+  printf $htm_fh ("$htm_format1\n", 'Delivered', @content) if $htm_fh;
+
+  if ($xls_fh) {
+    $ws_global->write(++$row, 0, 'Delivered', $f_default);
+    for (my $i=0; $i < scalar(@content); $i++) {
+      $ws_global->write($row, $i+1, $content[$i], $f_default);
+    }
+  }
+
+  if ($merge_reports) {
+    foreach ('Rejects', 'Temp Rejects', 'Ham', 'Spam') {
+      my $messages = get_report_total($report_totals{$_},'Messages');
+      my $addresses = get_report_total($report_totals{$_},'Addresses');
+      if ($messages) {
+        @content = ($_, '', $messages, '');
+        push(@content,get_report_total($report_totals{$_},'Hosts')) if $do_sender{Host};
+        #These rows do not have entries for the following columns (if specified)
+        foreach ('Domain','Email','Edomain') {
+          push(@content,'') if $do_sender{$_};
+        }
+
+        printf $txt_fh ("$txt_format1\n", @content) if $txt_fh;
+        printf $htm_fh ("$htm_format1\n", @content) if $htm_fh;
+        $ws_global->write(++$row, 0, \@content) if $xls_fh;
+      }
+    }
+  }
+  else {
+    foreach my $total_aref (['Rejects',\%rejected_count_by_ip],
+                            ['Temp Rejects',\%temporarily_rejected_count_by_ip],
+                            ['Ham',\%ham_count_by_ip],
+                            ['Spam',\%spam_count_by_ip]) {
+      #Count the number of messages of this type.
+      my $messages = 0;
+      map {$messages += $_} values %{$total_aref->[1]};
+
+      if ($messages > 0) {
+        @content = ($total_aref->[0], '', $messages, '');
+
+        #Count the number of distinct IPs for the Hosts column.
+        push(@content,scalar(keys %{$total_aref->[1]})) if $do_sender{Host};
+
+        #These rows do not have entries for the following columns (if specified)
+        foreach ('Domain','Email','Edomain') {
+          push(@content,'') if $do_sender{$_};
+        }
+
+        printf $txt_fh ("$txt_format1\n", @content) if $txt_fh;
+        printf $htm_fh ("$htm_format1\n", @content) if $htm_fh;
+        $ws_global->write(++$row, 0, \@content) if $xls_fh;
+      }
+    }
+  }
+
+  printf $txt_fh "\n"         if $txt_fh;
+  printf $htm_fh "</table>\n" if $htm_fh;
+  ++$row;
+}
+
+
+#######################################################################
+# print_user_patterns()
+#
+#  print_user_patterns();
+#
+# Print the counts of user specified patterns.
+#######################################################################
+sub print_user_patterns {
+  my $txt_format1 = "  %-18s  %6d";
+  my $htm_format1 = "<tr><td>%s</td><td align=\"right\">%d</td>";
+
+  if ($txt_fh) {
+    print $txt_fh "User Specified Patterns\n";
+    print $txt_fh "-----------------------";
+    print $txt_fh "\n                       Total\n";
+  }
+  if ($htm_fh) {
+    print $htm_fh "<hr><a name=\"Patterns\"></a><h2>User Specified Patterns</h2>\n";
+    print $htm_fh "<table border=0 width=\"100%\">\n";
+    print $htm_fh "<tr><td>\n";
+    print $htm_fh "<table border=1>\n";
+    print $htm_fh "<tr><th>&nbsp;</th><th>Total</th>\n";
+  }
+  if ($xls_fh) {
+      $ws_global->write($row++, $col, "User Specified Patterns", $f_header2);
+      &set_worksheet_line($ws_global, $row++, 1, ["Total"], $f_headertab);
+  }
+
+
+  my($key);
+  if ($merge_reports) {
+    # We are getting our data from previous reports.
+    foreach $key (@user_descriptions) {
+      my $count = get_report_total($report_totals{patterns}{$key},'Total');
+      printf $txt_fh ("$txt_format1\n",$key,$count) if $txt_fh;
+      printf $htm_fh ("$htm_format1\n",$key,$count) if $htm_fh;
+      if ($xls_fh)
+      {
+        &set_worksheet_line($ws_global, $row++, 0, [$key,$count], $f_default);
+      }
+    }
+  }
+  else {
+    # We are getting our data from mainlog files.
+    my $user_pattern_index = 0;
+    foreach $key (@user_descriptions) {
+      printf $txt_fh ("$txt_format1\n",$key,$user_pattern_totals[$user_pattern_index]) if $txt_fh;
+      printf $htm_fh ("$htm_format1\n",$key,$user_pattern_totals[$user_pattern_index]) if $htm_fh;
+      $ws_global->write($row++, 0, [$key,$user_pattern_totals[$user_pattern_index]]) if $xls_fh;
+      $user_pattern_index++;
+    }
+  }
+  print $txt_fh "\n" if $txt_fh;
+  print $htm_fh "</table>\n\n" if $htm_fh;
+  if ($xls_fh)
+  {
+    ++$row;
+  }
+
+  if ($hist_opt > 0) {
+    my $user_pattern_index = 0;
+    foreach $key (@user_descriptions) {
+      print_histogram($key, 'occurence', @{$user_pattern_interval_count[$user_pattern_index]});
+      $user_pattern_index++;
+    }
+  }
+}
+
+#######################################################################
+# print_rejects()
+#
+#  print_rejects();
+#
+# Print statistics about rejected mail.
+#######################################################################
+sub print_rejects {
+  my($format1,$reason);
+
+  my $txt_format1 = "  %-40s  %6d";
+  my $htm_format1 = "<tr><td>%s</td><td align=\"right\">%d</td>";
+
+  if ($txt_fh) {
+    print $txt_fh "Rejected mail by reason\n";
+    print $txt_fh "-----------------------";
+    print $txt_fh "\n                                             Total\n";
+  }
+  if ($htm_fh) {
+    print $htm_fh "<hr><a name=\"patterns\"></a><h2>Rejected mail by reason</h2>\n";
+    print $htm_fh "<table border=0 width=\"100%\"><tr><td><table border=1>\n";
+    print $htm_fh "<tr><th>&nbsp;</th><th>Total</th>\n";
+  }
+  if ($xls_fh) {
+    $ws_global->write($row++, $col, "Rejected mail by reason", $f_header2);
+    &set_worksheet_line($ws_global, $row++, 1, ["Total"], $f_headertab);
+  }
+
+
+  my $href = ($merge_reports) ? $report_totals{rejected_mail_by_reason} : \%rejected_count_by_reason;
+  my(@chartdatanames, @chartdatavals_count);
+
+  foreach $reason (top_n_sort($topcount, $href, undef, undef)) {
+    printf $txt_fh ("$txt_format1\n",$reason,$href->{$reason}) if $txt_fh;
+    printf $htm_fh ("$htm_format1\n",$reason,$href->{$reason}) if $htm_fh;
+    set_worksheet_line($ws_global, $row++, 0, [$reason,$href->{$reason}], $f_default) if $xls_fh;
+    push(@chartdatanames, $reason);
+    push(@chartdatavals_count, $href->{$reason});
+  }
+
+  $row++ if $xls_fh;
+  print $txt_fh "\n" if $txt_fh;
+
+  if ($htm_fh) {
+    print $htm_fh "</tr></table></td><td>";
+    if ($HAVE_GD_Graph_pie && $charts && ($#chartdatavals_count > 0)) {
+      # calculate the graph
+      my @data = (
+         \@chartdatanames,
+         \@chartdatavals_count
+      );
+      my $graph = GD::Graph::pie->new(200, 200);
+      $graph->set(
+          x_label           => 'Rejection Reasons',
+          y_label           => 'Messages',
+          title             => 'By count',
+      );
+      my $gd = $graph->plot(\@data) or warn($graph->error);
+      if ($gd) {
+        open(IMG, ">$chartdir/rejections_count.png") or die "Could not write $chartdir/rejections_count.png: $!\n";
+        binmode IMG;
+        print IMG $gd->png;
+        close IMG;
+        print $htm_fh "<img src=\"$chartrel/rejections_count.png\">";
+      }
+    }
+    print $htm_fh "</td></tr></table>\n\n";
+  }
+}
+
+
+
+
+
+#######################################################################
+# print_transport();
+#
+#  print_transport();
+#
+# Print totals by transport.
+#######################################################################
+sub print_transport {
+  my(@chartdatanames);
+  my(@chartdatavals_count);
+  my(@chartdatavals_vol);
+  no integer;                 #Lose this for charting the data.
+
+  my $txt_format1 = "  %-18s  %6s      %6d";
+  my $htm_format1 = "<tr><td>%s</td><td align=\"right\">%s</td><td align=\"right\">%d</td>";
+
+  if ($txt_fh) {
+    print $txt_fh "Deliveries by transport\n";
+    print $txt_fh "-----------------------";
+    print $txt_fh "\n                      Volume    Messages\n";
+  }
+  if ($htm_fh) {
+    print $htm_fh "<hr><a name=\"Transport\"></a><h2>Deliveries by Transport</h2>\n";
+    print $htm_fh "<table border=0 width=\"100%\"><tr><td><table border=1>\n";
+    print $htm_fh "<tr><th>&nbsp;</th><th>Volume</th><th>Messages</th>\n";
+  }
+  if ($xls_fh) {
+    $ws_global->write(++$row, $col, "Deliveries by transport", $f_header2);
+    $ws_global->write(++$row, 1, ["Volume", "Messages"], $f_headertab);
+  }
+
+  my($key);
+  if ($merge_reports) {
+    # We are getting our data from previous reports.
+    foreach $key (sort keys %{$report_totals{transport}}) {
+      my $count = get_report_total($report_totals{transport}{$key},'Messages');
+      my @content=($key, volume_rounded($report_totals{transport}{$key}{Volume},
+        $report_totals{transport}{$key}{'Volume-gigs'}), $count);
+      push(@chartdatanames, $key);
+      push(@chartdatavals_count, $count);
+      push(@chartdatavals_vol, $report_totals{transport}{$key}{'Volume-gigs'}*$gig + $report_totals{transport}{$key}{Volume} );
+      printf $txt_fh ("$txt_format1\n", @content) if $txt_fh;
+      printf $htm_fh ("$htm_format1\n", @content) if $htm_fh;
+      $ws_global->write(++$row, 0, \@content) if $xls_fh;
+    }
+  }
+  else {
+    # We are getting our data from mainlog files.
+    foreach $key (sort keys %transported_data) {
+      my @content=($key, volume_rounded($transported_data{$key},$transported_data_gigs{$key}),
+        $transported_count{$key});
+      push(@chartdatanames, $key);
+      push(@chartdatavals_count, $transported_count{$key});
+      push(@chartdatavals_vol, $transported_data_gigs{$key}*$gig + $transported_data{$key});
+      printf $txt_fh ("$txt_format1\n", @content) if $txt_fh;
+      printf $htm_fh ("$htm_format1\n", @content) if $htm_fh;
+      $ws_global->write(++$row, 0, \@content) if $xls_fh;
+    }
+  }
+  print $txt_fh "\n" if $txt_fh;
+  if ($htm_fh) {
+    print $htm_fh "</tr></table></td><td>";
+
+    if ($HAVE_GD_Graph_pie && $charts && ($#chartdatavals_count > 0))
+      {
+      # calculate the graph
+      my @data = (
+         \@chartdatanames,
+         \@chartdatavals_count
+      );
+      my $graph = GD::Graph::pie->new(200, 200);
+      $graph->set(
+          x_label           => 'Transport',
+          y_label           => 'Messages',
+          title             => 'By count',
+      );
+      my $gd = $graph->plot(\@data) or warn($graph->error);
+      if ($gd) {
+        open(IMG, ">$chartdir/transports_count.png") or die "Could not write $chartdir/transports_count.png: $!\n";
+        binmode IMG;
+        print IMG $gd->png;
+        close IMG;
+        print $htm_fh "<img src=\"$chartrel/transports_count.png\">";
+      }
+    }
+    print $htm_fh "</td><td>";
+
+    if ($HAVE_GD_Graph_pie && $charts && ($#chartdatavals_vol > 0)) {
+      my @data = (
+         \@chartdatanames,
+         \@chartdatavals_vol
+      );
+      my $graph = GD::Graph::pie->new(200, 200);
+      $graph->set(
+          title             => 'By volume',
+      );
+      my $gd = $graph->plot(\@data) or warn($graph->error);
+      if ($gd) {
+        open(IMG, ">$chartdir/transports_vol.png") or die "Could not write $chartdir/transports_vol.png: $!\n";
+        binmode IMG;
+        print IMG $gd->png;
+        close IMG;
+        print $htm_fh "<img src=\"$chartrel/transports_vol.png\">";
+      }
+    }
+
+    print $htm_fh "</td></tr></table>\n\n";
+  }
+}
+
+
+
+#######################################################################
+# print_relay();
+#
+#  print_relay();
+#
+# Print our totals by relay.
+#######################################################################
+sub print_relay {
+  my $row_print_relay=1;
+  my $temp = "Relayed messages";
+  print $htm_fh "<hr><a name=\"$temp\"></a><h2>$temp</h2>\n" if $htm_fh;
+  if (scalar(keys %relayed) > 0 || $relayed_unshown > 0) {
+    my $shown = 0;
+    my $spacing = "";
+    my $txt_format = "%7d %s\n      => %s\n";
+    my $htm_format = "<tr><td align=\"right\">%d</td><td>%s</td><td>%s</td>\n";
+
+    printf $txt_fh ("%s\n%s\n\n", $temp, "-" x length($temp)) if $txt_fh;
+    if ($htm_fh) {
+      print $htm_fh "<table border=1>\n";
+      print $htm_fh "<tr><th>Count</th><th>From</th><th>To</th>\n";
+    }
+    if ($xls_fh) {
+      $ws_relayed->write($row_print_relay++, $col, $temp, $f_header2);
+      &set_worksheet_line($ws_relayed, $row_print_relay++, 0, ["Count", "From", "To"], $f_headertab);
+    }
+
+
+    my($key);
+    foreach $key (sort keys %relayed) {
+      my $count = $relayed{$key};
+      $shown += $count;
+      $key =~ s/[HA]=//g;
+      my($one,$two) = split(/=> /, $key);
+      my @content=($count, $one, $two);
+      printf $txt_fh ($txt_format, @content) if $txt_fh;
+      printf $htm_fh ($htm_format, @content) if $htm_fh;
+      if ($xls_fh)
+      {
+        &set_worksheet_line($ws_relayed, $row_print_relay++, 0, \@content);
+      }
+      $spacing = "\n";
+    }
+
+    print $htm_fh "</table>\n<p>\n" if $htm_fh;
+    print $txt_fh "${spacing}Total: $shown (plus $relayed_unshown unshown)\n\n" if $txt_fh;
+    print $htm_fh "${spacing}Total: $shown (plus $relayed_unshown unshown)\n\n" if $htm_fh;
+    if ($xls_fh)
+    {
+       &set_worksheet_line($ws_relayed, $row_print_relay++, 0, [$shown, "Sum of shown" ]);
+       &set_worksheet_line($ws_relayed, $row_print_relay++, 0, [$relayed_unshown, "unshown"]);
+       $row_print_relay++;
+    }
+  }
+  else {
+    print $txt_fh "No relayed messages\n-------------------\n\n" if $txt_fh;
+    print $htm_fh "No relayed messages\n\n" if $htm_fh;
+    if ($xls_fh)
+    {
+      $row_print_relay++;
+    }
+  }
+}
+
+
+
+#######################################################################
+# print_errors();
+#
+#  print_errors();
+#
+# Print our errors. In HTML, we display them as a list rather than a table -
+# Netscape doesn't like large tables!
+#######################################################################
+sub print_errors {
+  my $total_errors = 0;
+  $row=1;
+
+  if (scalar(keys %errors_count) != 0) {
+    my $temp = "List of errors";
+    my $htm_format = "<li>%d - %s\n";
+
+    printf $txt_fh ("%s\n%s\n\n", $temp, "-" x length($temp)) if $txt_fh;
+    if ($htm_fh) {
+      print $htm_fh "<hr><a name=\"errors\"></a><h2>$temp</h2>\n";
+      print $htm_fh "<ul><li><b>Count - Error</b>\n";
+    }
+    if ($xls_fh)
+    {
+      $ws_errors->write($row++, 0, $temp, $f_header2);
+      &set_worksheet_line($ws_errors, $row++, 0, ["Count", "Error"], $f_headertab);
+    }
+
+
+    my($key);
+    foreach $key (sort keys %errors_count) {
+      my $text = $key;
+      chomp($text);
+      $text =~ s/\s\s+/ /g;   #Convert multiple spaces to a single space.
+      $total_errors += $errors_count{$key};
+
+      if ($txt_fh) {
+        printf $txt_fh ("%5d ", $errors_count{$key});
+        my $text_remaining = $text;
+        while (length($text_remaining) > 65) {
+          my($first,$rest) = $text_remaining =~ /(.{50}\S*)\s+(.+)/;
+          last if !$first;
+          printf $txt_fh ("%s\n\t    ", $first);
+          $text_remaining = $rest;
+        }
+        printf $txt_fh ("%s\n\n", $text_remaining);
+      }
+
+      if ($htm_fh) {
+
+        #Translate HTML tag characters. Sergey Sholokh.
+        $text =~ s/\</\&lt\;/g;
+        $text =~ s/\>/\&gt\;/g;
+
+        printf $htm_fh ($htm_format,$errors_count{$key},$text);
+      }
+      if ($xls_fh)
+      {
+        &set_worksheet_line($ws_errors, $row++, 0, [$errors_count{$key},$text]);
+      }
+    }
+
+    $temp = "Errors encountered: $total_errors";
+
+    if ($txt_fh) {
+      print $txt_fh $temp, "\n";
+      print $txt_fh "-" x length($temp),"\n";
+    }
+    if ($htm_fh) {
+      print $htm_fh "</ul>\n<p>\n";
+      print $htm_fh $temp, "\n";
+    }
+    if ($xls_fh)
+    {
+        &set_worksheet_line($ws_errors, $row++, 0, [$total_errors, "Sum of Errors encountered"]);
+    }
+  }
+
+}
+
+
+#######################################################################
+# parse_old_eximstat_reports();
+#
+#  parse_old_eximstat_reports($fh);
+#
+# Parse old eximstat output so we can merge daily stats to weekly stats and weekly to monthly etc.
+#
+# To test that the merging still works after changes, do something like the following.
+# All the diffs should produce no output.
+#
+#  options='-bydomain -byemail -byhost -byedomain'
+#  options="$options -show_rt1,2,4 -show_dt 1,2,4"
+#  options="$options -pattern 'Completed Messages' /Completed/"
+#  options="$options -pattern 'Received Messages' /<=/"
+#
+#  ./eximstats $options mainlog > mainlog.txt
+#  ./eximstats $options -merge mainlog.txt > mainlog.2.txt
+#  diff mainlog.txt mainlog.2.txt
+#
+#  ./eximstats $options -html mainlog > mainlog.html
+#  ./eximstats $options -merge -html mainlog.txt  > mainlog.2.html
+#  diff mainlog.html mainlog.2.html
+#
+#  ./eximstats $options -merge mainlog.html > mainlog.3.txt
+#  diff mainlog.txt mainlog.3.txt
+#
+#  ./eximstats $options -merge -html mainlog.html > mainlog.3.html
+#  diff mainlog.html mainlog.3.html
+#
+#  ./eximstats $options -nvr   mainlog > mainlog.nvr.txt
+#  ./eximstats $options -merge mainlog.nvr.txt > mainlog.4.txt
+#  diff mainlog.txt mainlog.4.txt
+#
+#  # double_mainlog.txt should have twice the values that mainlog.txt has.
+#  ./eximstats $options mainlog mainlog > double_mainlog.txt
+#######################################################################
+sub parse_old_eximstat_reports {
+  my($fh) = @_;
+
+  my(%league_table_value_entered, %league_table_value_was_zero, %table_order);
+
+  my(%user_pattern_index);
+  my $user_pattern_index = 0;
+  map {$user_pattern_index{$_} = $user_pattern_index++} @user_descriptions;
+  my $user_pattern_keys = join('|', @user_descriptions);
+
+  while (<$fh>) {
+    PARSE_OLD_REPORT_LINE:
+    if (/Exim statistics from ([\d\-]+ [\d:]+(\s+[\+\-]\d+)?) to ([\d\-]+ [\d:]+(\s+[\+\-]\d+)?)/) {
+      $begin = $1 if ($1 lt $begin);
+      $end   = $3 if ($3 gt $end);
+    }
+    elsif (/Grand total summary/) {
+      # Fill in $report_totals{Received|Delivered}{Volume|Messages|Addresses|Hosts|Domains|...|Delayed|DelayedPercent|Failed|FailedPercent}
+      my(@fields, @delivered_fields);
+      my $doing_table = 0;
+      while (<$fh>) {
+        $_ = html2txt($_);       #Convert general HTML markup to text.
+        s/At least one addr//g;  #Another part of the HTML output we don't want.
+
+#  TOTAL               Volume    Messages Addresses   Hosts Domains      Delayed       Failed
+#  Received              26MB         237               177      23       8  3.4%     28 11.8%
+#  Delivered             13MB         233       250      99      88
+        if (/TOTAL\s+(.*?)\s*$/) {
+          $doing_table = 1;
+          @delivered_fields = split(/\s+/,$1);
+
+          #Delayed and Failed have two columns each, so add the extra field names in.
+          splice(@delivered_fields,-1,1,'DelayedPercent','Failed','FailedPercent');
+
+          # Addresses only figure in the Delivered row, so remove them from the
+          # normal fields.
+          @fields = grep !/Addresses/, @delivered_fields;
+        }
+        elsif (/(Received)\s+(.*?)\s*$/) {
+          print STDERR "Parsing $_" if $debug;
+          add_to_totals($report_totals{$1},\@fields,$2);
+        }
+        elsif (/(Delivered)\s+(.*?)\s*$/) {
+          print STDERR "Parsing $_" if $debug;
+          add_to_totals($report_totals{$1},\@delivered_fields,$2);
+          my $data = $2;
+          # If we're merging an old report which doesn't include addresses,
+          # then use the Messages field instead.
+          unless (grep(/Addresses/, @delivered_fields)) {
+            my %tmp;
+            line_to_hash(\%tmp,\@delivered_fields,$data);
+            add_to_totals($report_totals{Delivered},['Addresses'],$tmp{Messages});
+          }
+        }
+        elsif (/(Temp Rejects|Rejects|Ham|Spam)\s+(.*?)\s*$/) {
+          print STDERR "Parsing $_" if $debug;
+          add_to_totals($report_totals{$1},['Messages','Hosts'],$2);
+        }
+        else {
+          last if $doing_table;
+        }
+      }
+    }
+
+    elsif (/User Specified Patterns/i) {
+#User Specified Patterns
+#-----------------------
+#                       Total
+#  Description             85
+
+      while (<$fh>) { last if (/Total/); }  #Wait until we get the table headers.
+      while (<$fh>) {
+        print STDERR "Parsing $_" if $debug;
+        $_ = html2txt($_);              #Convert general HTML markup to text.
+        if (/^\s*(.*?)\s+(\d+)\s*$/) {
+          $report_totals{patterns}{$1} = {} unless (defined $report_totals{patterns}{$1});
+          add_to_totals($report_totals{patterns}{$1},['Total'],$2);
+        }
+        last if (/^\s*$/);              #Finished if we have a blank line.
+      }
+    }
+
+    elsif (/(^|<h2>)($user_pattern_keys) per /o) {
+      # Parse User defined pattern histograms if they exist.
+      parse_histogram($fh, $user_pattern_interval_count[$user_pattern_index{$2}] );
+    }
+
+
+    elsif (/Deliveries by transport/i) {
+#Deliveries by transport
+#-----------------------
+#                      Volume    Messages
+#  :blackhole:           70KB          51
+#  address_pipe         655KB           1
+#  smtp                  11MB         151
+
+      while (<$fh>) { last if (/Volume/); }  #Wait until we get the table headers.
+      while (<$fh>) {
+        print STDERR "Parsing $_" if $debug;
+        $_ = html2txt($_);              #Convert general HTML markup to text.
+        if (/(\S+)\s+(\d+\S*\s+\d+)/) {
+          $report_totals{transport}{$1} = {} unless (defined $report_totals{transport}{$1});
+          add_to_totals($report_totals{transport}{$1},['Volume','Messages'],$2);
+        }
+        last if (/^\s*$/);              #Finished if we have a blank line.
+      }
+    }
+    elsif (/Messages received per/) {
+      parse_histogram($fh, \@received_interval_count);
+    }
+    elsif (/Deliveries per/) {
+      parse_histogram($fh, \@delivered_interval_count);
+    }
+
+    #elsif (/Time spent on the queue: (all messages|messages with at least one remote delivery)/) {
+    elsif (/(Time spent on the queue|Delivery times|Receipt times): ((\S+) messages|messages with at least one remote delivery)((<[^>]*>)*\s*)$/) {
+#Time spent on the queue: all messages
+#-------------------------------------
+#
+#Under   1m      217  91.9%   91.9%
+#        5m        2   0.8%   92.8%
+#        3h        8   3.4%   96.2%
+#        6h        7   3.0%   99.2%
+#       12h        2   0.8%  100.0%
+
+      # Set a pointer to the queue bin so we can use the same code
+      # block for both all messages and remote deliveries.
+      #my $bin_aref = ($1 eq 'all messages') ? \@qt_all_bin : \@qt_remote_bin;
+      my($bin_aref, $times_aref, $overflow_sref);
+      if ($1 eq 'Time spent on the queue') {
+        $times_aref = \@queue_times;
+        if ($2 eq 'all messages') {
+          $bin_aref = \@qt_all_bin;
+          $overflow_sref = \$qt_all_overflow;
+        }
+        else {
+          $bin_aref = \@qt_remote_bin;
+          $overflow_sref = \$qt_remote_overflow;
+        }
+      }
+      elsif ($1 eq 'Delivery times') {
+        $times_aref = \@delivery_times;
+        if ($2 eq 'all messages') {
+          $bin_aref = \@dt_all_bin;
+          $overflow_sref = \$dt_all_overflow;
+        }
+        else {
+          $bin_aref = \@dt_remote_bin;
+          $overflow_sref = \$dt_remote_overflow;
+        }
+      }
+      else {
+        unless (exists $rcpt_times_bin{$3}) {
+          initialise_rcpt_times($3);
+        }
+        $bin_aref = $rcpt_times_bin{$3};
+        $times_aref = \@rcpt_times;
+        $overflow_sref = \$rcpt_times_overflow{$3};
+      }
+
+
+      my ($blank_lines, $reached_table) = (0,0);
+      while (<$fh>) {
+        $_ = html2txt($_);              #Convert general HTML markup to text.
+        # The table is preceded by one blank line, and has one blank line
+        # following it. As the table may be empty, the best way to determine
+        # that we've finished it is to look for the second blank line.
+        ++$blank_lines if /^\s*$/;
+        last if ($blank_lines >=2);     #Finished the table ?
+        $reached_table = 1 if (/\d/);
+        next unless $reached_table;
+        my $previous_seconds_on_queue = 0;
+        if (/^\s*(Under|Over|)\s+(\d+[smhdw])\s+(\d+)/) {
+          print STDERR "Parsing $_" if $debug;
+          my($modifier,$formatted_time,$count) = ($1,$2,$3);
+          my $seconds = unformat_time($formatted_time);
+          my $time_on_queue = ($seconds + $previous_seconds_on_queue) / 2;
+          $previous_seconds_on_queue = $seconds;
+          $time_on_queue = $seconds * 2 if ($modifier eq 'Over');
+          my($i);
+          for ($i = 0; $i <= $#$times_aref; $i++) {
+            if ($time_on_queue < $times_aref->[$i]) {
+              $$bin_aref[$i] += $count;
+              last;
+            }
+          }
+          $$overflow_sref += $count if ($i > $#$times_aref);
+
+        }
+      }
+    }
+
+    elsif (/Relayed messages/) {
+#Relayed messages
+#----------------
+#
+#      1 addr.domain.com [1.2.3.4] a.user@domain.com
+#      => addr2.domain2.com [5.6.7.8] a2.user2@domain2.com
+#
+#<tr><td align="right">1</td><td>addr.domain.com [1.2.3.4] a.user@domain.com </td><td>addr2.domain2.com [5.6.7.8] a2.user2@domain2.com</td>
+
+      my $reached_table = 0;
+      my($count,$sender);
+      while (<$fh>) {
+        unless ($reached_table) {
+          last if (/No relayed messages/);
+          $reached_table = 1 if (/^\s*\d/ || />\d+</);
+          next unless $reached_table;
+        }
+        if (/>(\d+)<.td><td>(.*?) ?<.td><td>(.*?)</) {
+          update_relayed($1,$2,$3);
+        }
+        elsif (/^\s*(\d+)\s+(.*?)\s*$/) {
+          ($count,$sender) = ($1,$2);
+        }
+        elsif (/=>\s+(.*?)\s*$/) {
+          update_relayed($count,$sender,$1);
+        }
+        else {
+          last;                           #Finished the table ?
+        }
+      }
+    }
+
+    elsif (/Top (.*?) by (message count|volume)/) {
+#Top 50 sending hosts by message count
+#-------------------------------------
+#
+#     48     1468KB   local
+# Could also have average values for HTML output.
+#     48     1468KB   30KB  local
+
+      my($category,$by_count_or_volume) = ($1,$2);
+
+      #As we show 2 views of each table (by count and by volume),
+      #most (but not all) entries will appear in both tables.
+      #Set up a hash to record which entries we have already seen
+      #and one to record which ones we are seeing for the first time.
+      if ($by_count_or_volume =~ /count/) {
+        undef %league_table_value_entered;
+        undef %league_table_value_was_zero;
+        undef %table_order;
+      }
+
+      #As this section processes multiple different table categories,
+      #set up pointers to the hashes to be updated.
+      my($messages_href,$addresses_href,$data_href,$data_gigs_href);
+      if ($category =~ /local sender/) {
+        $messages_href   = \%received_count_user;
+        $addresses_href  = undef;
+        $data_href       = \%received_data_user;
+        $data_gigs_href  = \%received_data_gigs_user;
+      }
+      elsif ($category =~ /sending (\S+?)s?\b/) {
+        #Top 50 sending (host|domain|email|edomain)s
+        #Top sending (host|domain|email|edomain)
+        $messages_href   = \%{$received_count{"\u$1"}};
+        $data_href       = \%{$received_data{"\u$1"}};
+        $data_gigs_href  = \%{$received_data_gigs{"\u$1"}};
+      }
+      elsif ($category =~ /local destination/) {
+        $messages_href   = \%delivered_messages_user;
+        $addresses_href  = \%delivered_addresses_user;
+        $data_href       = \%delivered_data_user;
+        $data_gigs_href  = \%delivered_data_gigs_user;
+      }
+      elsif ($category =~ /local domain destination/) {
+        $messages_href   = \%delivered_messages_local_domain;
+        $addresses_href  = \%delivered_addresses_local_domain;
+        $data_href       = \%delivered_data_local_domain;
+        $data_gigs_href  = \%delivered_data_gigs_local_domain;
+      }
+      elsif ($category =~ /(\S+) destination/) {
+        #Top 50 (host|domain|email|edomain) destinations
+        #Top (host|domain|email|edomain) destination
+        $messages_href   = \%{$delivered_messages{"\u$1"}};
+        $addresses_href  = \%{$delivered_addresses{"\u$1"}};
+        $data_href       = \%{$delivered_data{"\u$1"}};
+        $data_gigs_href  = \%{$delivered_data_gigs{"\u$1"}};
+      }
+      elsif ($category =~ /temporarily rejected ips/) {
+        $messages_href      = \%temporarily_rejected_count_by_ip;
+      }
+      elsif ($category =~ /rejected ips/) {
+        $messages_href      = \%rejected_count_by_ip;
+      }
+      elsif ($category =~ /non-rejected spamming ips/) {
+        $messages_href      = \%spam_count_by_ip;
+      }
+      elsif ($category =~ /mail temporary rejection reasons/) {
+        $messages_href      = \%temporarily_rejected_count_by_reason;
+      }
+      elsif ($category =~ /mail rejection reasons/) {
+        $messages_href      = \%rejected_count_by_reason;
+      }
+
+      my $reached_table = 0;
+      my $row_re;
+      while (<$fh>) {
+        # Watch out for empty tables.
+        goto PARSE_OLD_REPORT_LINE if (/<h2>/ or (/^\s*[a-zA-Z]/ && !/^\s*Messages/));
+
+        $_ = html2txt($_);              #Convert general HTML markup to text.
+
+        # Messages      Addresses  Bytes  Average
+        if (/^\s*Messages/) {
+          my $pattern = '^\s*(\d+)';
+          $pattern .= (/Addresses/) ? '\s+(\d+)' : '()';
+          $pattern .= (/Bytes/)     ? '\s+([\dKMGB]+)' : '()';
+          $pattern .= (/Average/)   ? '\s+[\dKMGB]+' : '';
+          $pattern .= '\s+(.*?)\s*$';
+          $row_re = qr/$pattern/;
+          $reached_table = 1;
+          next;
+        }
+        next unless $reached_table;
+
+        my($messages, $addresses, $rounded_volume, $entry);
+
+        if (/$row_re/) {
+          ($messages, $addresses, $rounded_volume, $entry) = ($1, $2, $3, $4);
+        }
+        else {
+          #Else we have finished the table and we may need to do some
+          #kludging to retain the order of the entries.
+
+          if ($by_count_or_volume =~ /volume/) {
+            #Add a few bytes to appropriate entries to preserve the order.
+            foreach $rounded_volume (keys %table_order) {
+              #For each rounded volume, we want to create a list which has things
+              #ordered from the volume table at the front, and additional things
+              #from the count table ordered at the back.
+              @{$table_order{$rounded_volume}{volume}} = () unless defined $table_order{$rounded_volume}{volume};
+              @{$table_order{$rounded_volume}{'message count'}} = () unless defined $table_order{$rounded_volume}{'message count'};
+              my(@order,%mark);
+              map {$mark{$_} = 1} @{$table_order{$rounded_volume}{volume}};
+              @order = @{$table_order{$rounded_volume}{volume}};
+              map {push(@order,$_)} grep(!$mark{$_},@{$table_order{$rounded_volume}{'message count'}});
+
+              my $bonus_bytes = $#order;
+              $bonus_bytes = 511 if ($bonus_bytes > 511);  #Don't go over the half-K boundary!
+              while (@order and ($bonus_bytes > 0)) {
+                my $entry = shift(@order);
+                if ($league_table_value_was_zero{$entry}) {
+                  $$data_href{$entry} += $bonus_bytes;
+                  print STDERR "$category by $by_count_or_volume: added $bonus_bytes bonus bytes to $entry\n" if $debug;
+                }
+                $bonus_bytes--;
+              }
+            }
+          }
+          last;
+        }
+
+        # Store a new table entry.
+
+        # Add the entry into the %table_order hash if it has a rounded
+        # volume (KB/MB/GB).
+        push(@{$table_order{$rounded_volume}{$by_count_or_volume}},$entry) if ($rounded_volume =~ /\D/);
+
+        unless ($league_table_value_entered{$entry}) {
+          $league_table_value_entered{$entry} = 1;
+          unless ($$messages_href{$entry}) {
+            $$messages_href{$entry}  = 0;
+            $$addresses_href{$entry} = 0;
+            $$data_href{$entry}      = 0;
+            $$data_gigs_href{$entry} = 0;
+            $league_table_value_was_zero{$entry} = 1;
+          }
+
+          $$messages_href{$entry} += $messages;
+
+          # When adding the addresses, be aware that we could be merging
+          # an old report which does not include addresses. In this case,
+          # we add the messages instead.
+          $$addresses_href{$entry} += ($addresses) ? $addresses : $messages;
+
+          #Add the rounded value to the data and data_gigs hashes.
+          un_round($rounded_volume,\$$data_href{$entry},\$$data_gigs_href{$entry}) if $rounded_volume;
+          print STDERR "$category by $by_count_or_volume: added $messages,$rounded_volume to $entry\n" if $debug;
+        }
+
+      }
+    }
+    elsif (/List of errors/) {
+#List of errors
+#--------------
+#
+#    1 07904931641@one2one.net R=external T=smtp: SMTP error
+#            from remote mailer after RCPT TO:<07904931641@one2one.net>:
+#            host mail.one2one.net [193.133.192.24]: 550 User unknown
+#
+#<li>1 - ally.dufc@dunbar.org.uk R=external T=smtp: SMTP error from remote mailer after RCPT TO:<ally.dufc@dunbar.org.uk>: host mail.dunbar.org.uk [216.167.89.88]: 550 Unknown local part ally.dufc in <ally.dufc@dunbar.org.uk>
+
+
+      my $reached_table = 0;
+      my($count,$error,$blanks);
+      while (<$fh>) {
+        $reached_table = 1 if (/^( *|<li>)(\d+)/);
+        next unless $reached_table;
+
+        s/^<li>(\d+) -/$1/;     #Convert an HTML line to a text line.
+        $_ = html2txt($_);      #Convert general HTML markup to text.
+
+        if (/\t\s*(.*)/) {
+          $error .= ' ' . $1;   #Join a multiline error.
+        }
+        elsif (/^\s*(\d+)\s+(.*)/) {
+          if ($error) {
+            #Finished with a previous multiline error so save it.
+            $errors_count{$error} = 0 unless $errors_count{$error};
+            $errors_count{$error} += $count;
+          }
+          ($count,$error) = ($1,$2);
+        }
+        elsif (/Errors encountered/) {
+          if ($error) {
+            #Finished the section, so save our stored last error.
+            $errors_count{$error} = 0 unless $errors_count{$error};
+            $errors_count{$error} += $count;
+          }
+          last;
+        }
+      }
+    }
+
+  }
+}
+
+#######################################################################
+# parse_histogram($fh, \@delivered_interval_count);
+# Parse a histogram into the provided array of counters.
+#######################################################################
+sub parse_histogram {
+  my($fh, $counters_aref) = @_;
+
+  #      Messages received per hour (each dot is 2 messages)
+  #---------------------------------------------------
+  #
+  #00-01    106 .....................................................
+  #01-02    103 ...................................................
+
+  my $reached_table = 0;
+  while (<$fh>) {
+    $reached_table = 1 if (/^00/);
+    next unless $reached_table;
+    print STDERR "Parsing $_" if $debug;
+    if (/^(\d+):(\d+)\s+(\d+)/) {           #hh:mm start time format ?
+      $$counters_aref[($1*60 + $2)/$hist_interval] += $3 if $hist_opt;
+    }
+    elsif (/^(\d+)-(\d+)\s+(\d+)/) {        #hh-hh start-end time format ?
+      $$counters_aref[($1*60)/$hist_interval] += $3 if $hist_opt;
+    }
+    else {                                  #Finished the table ?
+      last;
+    }
+  }
+}
+
+
+#######################################################################
+# update_relayed();
+#
+#  update_relayed($count,$sender,$recipient);
+#
+# Adds an entry into the %relayed hash. Currently only used when
+# merging reports.
+#######################################################################
+sub update_relayed {
+  my($count,$sender,$recipient) = @_;
+
+  #When generating the key, put in the 'H=' and 'A=' which can be used
+  #in searches.
+  my $key = "H=$sender => H=$recipient";
+  $key =~ s/ ([^=\s]+\@\S+|<>)/ A=$1/g;
+  if (!defined $relay_pattern || $key !~ /$relay_pattern/o) {
+    $relayed{$key} = 0 if !defined $relayed{$key};
+    $relayed{$key} += $count;
+  }
+  else {
+    $relayed_unshown += $count;
+  }
+}
+
+
+#######################################################################
+# add_to_totals();
+#
+#  add_to_totals(\%totals,\@keys,$values);
+#
+# Given a line of space separated values, add them into the provided hash using @keys
+# as the hash keys.
+#
+# If the value contains a '%', then the value is set rather than added. Otherwise, we
+# convert the value to bytes and gigs. The gigs get added to I<Key>-gigs.
+#######################################################################
+sub add_to_totals {
+  my($totals_href,$keys_aref,$values) = @_;
+  my(@values) = split(/\s+/,$values);
+
+  for(my $i = 0; $i < @values && $i < @$keys_aref; ++$i) {
+    my $key = $keys_aref->[$i];
+    if ($values[$i] =~ /%/) {
+      $$totals_href{$key} = $values[$i];
+    }
+    else {
+      $$totals_href{$key} = 0 unless ($$totals_href{$key});
+      $$totals_href{"$key-gigs"} = 0 unless ($$totals_href{"$key-gigs"});
+      un_round($values[$i], \$$totals_href{$key}, \$$totals_href{"$key-gigs"});
+      print STDERR "Added $values[$i] to $key - $$totals_href{$key} , " . $$totals_href{"$key-gigs"} . "GB.\n" if $debug;
+    }
+  }
+}
+
+
+#######################################################################
+# line_to_hash();
+#
+#  line_to_hash(\%hash,\@keys,$line);
+#
+# Given a line of space separated values, set them into the provided hash
+# using @keys as the hash keys.
+#######################################################################
+sub line_to_hash {
+  my($href,$keys_aref,$values) = @_;
+  my(@values) = split(/\s+/,$values);
+  for(my $i = 0; $i < @values && $i < @$keys_aref; ++$i) {
+    $$href{$keys_aref->[$i]} = $values[$i];
+  }
+}
+
+
+#######################################################################
+# get_report_total();
+#
+#  $total = get_report_total(\%hash,$key);
+#
+# If %hash contains values split into Units and Gigs, we calculate and return
+#
+#   $hash{$key} + 1024*1024*1024 * $hash{"${key}-gigs"}
+#######################################################################
+sub get_report_total {
+  no integer;
+  my($hash_ref,$key) = @_;
+  if ($$hash_ref{"${key}-gigs"}) {
+    return $$hash_ref{$key} + $gig * $$hash_ref{"${key}-gigs"};
+  }
+  return $$hash_ref{$key} || 0;
+}
+
+#######################################################################
+# html2txt();
+#
+#  $text_line = html2txt($html_line);
+#
+# Convert a line from html to text. Currently we just convert HTML tags to spaces
+# and convert &gt;, &lt;, and &nbsp; tags back.
+#######################################################################
+sub html2txt {
+  ($_) = @_;
+
+  # Convert HTML tags to spacing. Note that the reports may contain <Userid> and
+  # <Userid@Domain> words, so explicitly specify the HTML tags we will remove
+  # (the ones used by this program). If someone is careless enough to have their
+  # Userid the same as an HTML tag, there's not much we can do about it.
+  s/<\/?(html|head|title|body|h\d|ul|li|a\s+|table|tr|td|th|pre|hr|p|br)\b.*?>/ /g;
+
+  s/\&lt\;/\</og;             #Convert '&lt;' to '<'.
+  s/\&gt\;/\>/og;             #Convert '&gt;' to '>'.
+  s/\&nbsp\;/ /og;            #Convert '&nbsp;' to ' '.
+  return($_);
+}
+
+#######################################################################
+# get_next_arg();
+#
+#  $arg = get_next_arg();
+#
+# Because eximstats arguments are often passed as variables,
+# we can't rely on shell parsing to deal with quotes. This
+# subroutine returns $ARGV[1] and does a shift. If $ARGV[1]
+# starts with a quote (' or "), and doesn't end in one, then
+# we append the next argument to it and shift again. We repeat
+# until we've got all of the argument.
+#
+# This isn't perfect as all white space gets reduced to one space,
+# but it's as good as we can get! If it's essential that spacing
+# be preserved precisely, then you get that by not using shell
+# variables.
+#######################################################################
+sub get_next_arg {
+  my $arg = '';
+  my $matched_pattern = 0;
+  while ($ARGV[1]) {
+    $arg .= ' ' if $arg;
+    $arg .= $ARGV[1]; shift(@ARGV);
+    if ($arg !~ /^['"]/) {
+      $matched_pattern = 1;
+      last;
+    }
+    if ($arg =~ s/^(['"])(.*)\1$/$2/) {
+      $matched_pattern = 1;
+      last;
+    }
+  }
+  die "Mismatched argument quotes - <$arg>.\n" unless $matched_pattern;
+  return $arg;
+}
+
+#######################################################################
+# set_worksheet_line($ws_global, $startrow, $startcol, \@content, $format);
+#
+# set values to a sequence of cells in a row.
+#
+#######################################################################
+sub set_worksheet_line {
+  my ($worksheet, $row, $col, $content, $format) = @_;
+
+  foreach my $token (@$content)
+  {
+     $worksheet->write($row, $col++, $token, $format );
+  }
+
+}
+
+#######################################################################
+# @rcpt_times = parse_time_list($string);
+#
+# Parse a comma separated list of time values in seconds given by
+# the user and fill an array.
+#
+# Return a default list if $string is undefined.
+# Return () if $string eq '0'.
+#######################################################################
+sub parse_time_list {
+  my($string) = @_;
+  if (! defined $string) {
+    return(60, 5*60, 15*60, 30*60, 60*60, 3*60*60, 6*60*60, 12*60*60, 24*60*60);
+  }
+  my(@times) = split(/,/, $string);
+  foreach my $q (@times) { $q = eval($q) + 0 }
+  @times = sort { $a <=> $b } @times;
+  @times = () if ($#times == 0 && $times[0] == 0);
+  return(@times);
+}
+
+
+#######################################################################
+# initialise_rcpt_times($protocol);
+# Initialise an array of rcpt_times to 0 for the specified protocol.
+#######################################################################
+sub initialise_rcpt_times {
+  my($protocol) = @_;
+  for (my $i = 0; $i <= $#rcpt_times; ++$i) {
+    $rcpt_times_bin{$protocol}[$i] = 0;
+  }
+  $rcpt_times_overflow{$protocol} = 0;
+}
+
+
+##################################################
+#                 Main Program                   #
+##################################################
+
+
+$last_timestamp = '';
+$last_date = '';
+$show_errors = 1;
+$show_relay = 1;
+$show_transport = 1;
+$topcount = 50;
+$local_league_table = 1;
+$include_remote_users = 0;
+$include_original_destination = 0;
+$hist_opt = 1;
+$volume_rounding = 1;
+$localtime_offset = calculate_localtime_offset();    # PH/FANF
+
+$charts = 0;
+$charts_option_specified = 0;
+$chartrel = ".";
+$chartdir = ".";
+
+@queue_times = parse_time_list();
+@rcpt_times = ();
+@delivery_times = ();
+
+$last_offset = '';
+$offset_seconds = 0;
+
+$row=1;
+$col=0;
+$col_hist=0;
+$run_hist=0;
+my(%output_files);     # What output files have been specified?
+
+# Decode options
+
+while (@ARGV > 0 && substr($ARGV[0], 0, 1) eq '-') {
+  if    ($ARGV[0] =~ /^\-h(\d+)$/) { $hist_opt = $1 }
+  elsif ($ARGV[0] =~ /^\-ne$/)     { $show_errors = 0 }
+  elsif ($ARGV[0] =~ /^\-nr(.?)(.*)\1$/) {
+    if ($1 eq "") { $show_relay = 0 } else { $relay_pattern = $2 }
+  }
+  elsif ($ARGV[0] =~ /^\-q([,\d\+\-\*\/]+)$/) { @queue_times = parse_time_list($1) }
+  elsif ($ARGV[0] =~ /^-nt$/)       { $show_transport = 0 }
+  elsif ($ARGV[0] =~ /^\-nt(.?)(.*)\1$/)
+    {
+    if ($1 eq "") { $show_transport = 0 } else { $transport_pattern = $2 }
+    }
+  elsif ($ARGV[0] =~ /^-t(\d+)$/)   { $topcount = $1 }
+  elsif ($ARGV[0] =~ /^-tnl$/)      { $local_league_table = 0 }
+  elsif ($ARGV[0] =~ /^-txt=?(\S*)$/)  { $txt_fh = get_filehandle($1,\%output_files) }
+  elsif ($ARGV[0] =~ /^-html=?(\S*)$/) { $htm_fh = get_filehandle($1,\%output_files) }
+  elsif ($ARGV[0] =~ /^-xls=?(\S*)$/) {
+    if ($HAVE_Spreadsheet_WriteExcel) {
+      $xls_fh = get_filehandle($1,\%output_files);
+    }
+    else {
+      warn "WARNING: CPAN Module Spreadsheet::WriteExcel not installed. Obtain from www.cpan.org\n";
+    }
+  }
+  elsif ($ARGV[0] =~ /^-merge$/)    { $merge_reports = 1 }
+  elsif ($ARGV[0] =~ /^-charts$/)   {
+    $charts = 1;
+    warn "WARNING: CPAN Module GD::Graph::pie not installed. Obtain from www.cpan.org\n" unless $HAVE_GD_Graph_pie;
+    warn "WARNING: CPAN Module GD::Graph::linespoints not installed. Obtain from www.cpan.org\n" unless $HAVE_GD_Graph_linespoints;
+  }
+  elsif ($ARGV[0] =~ /^-chartdir$/) { $chartdir = $ARGV[1]; shift; $charts_option_specified = 1; }
+  elsif ($ARGV[0] =~ /^-chartrel$/) { $chartrel = $ARGV[1]; shift; $charts_option_specified = 1; }
+  elsif ($ARGV[0] =~ /^-include_original_destination$/)    { $include_original_destination = 1 }
+  elsif ($ARGV[0] =~ /^-cache$/)    { } #Not currently used.
+  elsif ($ARGV[0] =~ /^-byhost$/)   { $do_sender{Host} = 1 }
+  elsif ($ARGV[0] =~ /^-bydomain$/) { $do_sender{Domain} = 1 }
+  elsif ($ARGV[0] =~ /^-byemail$/)  { $do_sender{Email} = 1 }
+  elsif ($ARGV[0] =~ /^-byemaildomain$/)  { $do_sender{Edomain} = 1 }
+  elsif ($ARGV[0] =~ /^-byedomain$/)  { $do_sender{Edomain} = 1 }
+  elsif ($ARGV[0] =~ /^-bylocaldomain$/)  { $do_local_domain = 1 }
+  elsif ($ARGV[0] =~ /^-emptyok$/)  { $emptyOK = 1 }
+  elsif ($ARGV[0] =~ /^-nvr$/)      { $volume_rounding = 0 }
+  elsif ($ARGV[0] =~ /^-show_rt([,\d\+\-\*\/]+)?$/) { @rcpt_times = parse_time_list($1) }
+  elsif ($ARGV[0] =~ /^-show_dt([,\d\+\-\*\/]+)?$/) { @delivery_times = parse_time_list($1) }
+  elsif ($ARGV[0] =~ /^-d$/)        { $debug = 1 }
+  elsif ($ARGV[0] =~ /^--?h(elp)?$/){ help() }
+  elsif ($ARGV[0] =~ /^-t_remote_users$/) { $include_remote_users = 1 }
+  elsif ($ARGV[0] =~ /^-pattern$/)
+    {
+    push(@user_descriptions,get_next_arg());
+    push(@user_patterns,get_next_arg());
+    }
+  elsif ($ARGV[0] =~ /^-utc$/)
+    {
+    # We don't need this value if the log is in UTC.
+    $localtime_offset = undef;
+    }
+  else
+    {
+    print STDERR "Eximstats: Unknown or malformed option $ARGV[0]\n";
+    help();
+    }
+  shift;
+  }
+
+  # keep old default behaviour
+  if (! ($xls_fh or $htm_fh or $txt_fh)) {
+    $txt_fh = \*STDOUT;
+  }
+
+  # Check that all the charts options are specified.
+  warn "-charts option not specified. Use -help for help.\n" if ($charts_option_specified && ! $charts);
+
+  # Default to display tables by sending Host.
+  $do_sender{Host} = 1 unless ($do_sender{Domain} || $do_sender{Email} || $do_sender{Edomain});
+
+  # prepare xls Excel Workbook
+  if (defined $xls_fh) {
+
+    # Create a new Excel workbook
+    $workbook  = Spreadsheet::WriteExcel->new($xls_fh);
+
+    # Add worksheets
+    $ws_global = $workbook->addworksheet('Exim Statistik');
+    # show $ws_global as initial sheet
+    $ws_global->set_first_sheet();
+    $ws_global->activate();
+
+    if ($show_relay) {
+      $ws_relayed = $workbook->addworksheet('Relayed Messages');
+      $ws_relayed->set_column(1, 2,  80);
+    }
+    if ($show_errors) {
+      $ws_errors = $workbook->addworksheet('Errors');
+    }
+
+
+    # set column widths
+    $ws_global->set_column(0, 2,  20); # Columns B-D width set to 30
+    $ws_global->set_column(3, 3,  15); # Columns B-D width set to 30
+    $ws_global->set_column(4, 4,  25); # Columns B-D width set to 30
+
+    # Define Formats
+    $f_default = $workbook->add_format();
+
+    $f_header1 = $workbook->add_format();
+    $f_header1->set_bold();
+    #$f_header1->set_color('red');
+    $f_header1->set_size('15');
+    $f_header1->set_valign();
+    # $f_header1->set_align('center');
+    # $ws_global->write($row++, 2, "Testing Headers 1", $f_header1);
+
+    $f_header2 = $workbook->add_format();
+    $f_header2->set_bold();
+    $f_header2->set_size('12');
+    $f_header2->set_valign();
+    # $ws_global->write($row++, 2, "Testing Headers 2", $f_header2);
+
+    # Create another header2 for use in merged cells.
+    $f_header2_m = $workbook->add_format();
+    $f_header2_m->set_bold();
+    $f_header2_m->set_size('8');
+    $f_header2_m->set_valign();
+    $f_header2_m->set_align('center');
+
+    $f_percent = $workbook->add_format();
+    $f_percent->set_num_format('0.0%');
+
+    $f_headertab = $workbook->add_format();
+    $f_headertab->set_bold();
+    $f_headertab->set_valign();
+    # $ws_global->write($row++, 2, "Testing Headers tab", $f_headertab);
+
+  }
+
+
+# Initialise the queue/delivery/rcpt time counters.
+for (my $i = 0; $i <= $#queue_times; $i++) {
+  $qt_all_bin[$i] = 0;
+  $qt_remote_bin[$i] = 0;
+}
+for (my $i = 0; $i <= $#delivery_times; $i++) {
+  $dt_all_bin[$i] = 0;
+  $dt_remote_bin[$i] = 0;
+}
+initialise_rcpt_times('all');
+
+
+# Compute the number of slots for the histogram
+if ($hist_opt > 0)
+  {
+  if ($hist_opt > 60 || 60 % $hist_opt != 0)
+    {
+    print STDERR "Eximstats: -h must specify a factor of 60\n";
+    exit 1;
+    }
+  $hist_interval = 60/$hist_opt;                #Interval in minutes.
+  $hist_number = (24*60)/$hist_interval;        #Number of intervals per day.
+  @received_interval_count = (0) x $hist_number;
+  @delivered_interval_count = (0) x $hist_number;
+  my $user_pattern_index = 0;
+  for (my $user_pattern_index = 0; $user_pattern_index <= $#user_patterns; ++$user_pattern_index) {
+    @{$user_pattern_interval_count[$user_pattern_index]} = (0) x $hist_number;
+  }
+  @dt_all_bin = (0) x $hist_number;
+  @dt_remote_bin = (0) x $hist_number;
+}
+
+#$queue_unknown = 0;
+
+$total_received_data = 0;
+$total_received_data_gigs = 0;
+$total_received_count = 0;
+
+$total_delivered_data = 0;
+$total_delivered_data_gigs = 0;
+$total_delivered_messages = 0;
+$total_delivered_addresses = 0;
+
+$qt_all_overflow = 0;
+$qt_remote_overflow = 0;
+$dt_all_overflow = 0;
+$dt_remote_overflow = 0;
+$delayed_count = 0;
+$relayed_unshown = 0;
+$message_errors = 0;
+$begin = "9999-99-99 99:99:99";
+$end = "0000-00-00 00:00:00";
+my($section,$type);
+foreach $section ('Received','Delivered','Temp Rejects', 'Rejects','Ham','Spam') {
+  foreach $type ('Volume','Messages','Delayed','Failed','Hosts','Domains','Emails','Edomains') {
+    $report_totals{$section}{$type} = 0;
+  }
+}
+
+# Generate our parser.
+my $parser = generate_parser();
+
+
+
+if (@ARGV) {
+  # Scan the input files and collect the data
+  foreach my $file (@ARGV) {
+    if ($file =~ /\.gz/) {
+      unless (open(FILE,"gunzip -c $file |")) {
+        print STDERR "Failed to gunzip -c $file: $!";
+        next;
+      }
+    }
+    elsif ($file =~ /\.Z/) {
+      unless (open(FILE,"uncompress -c $file |")) {
+        print STDERR "Failed to uncompress -c $file: $!";
+        next;
+      }
+    }
+    else {
+      unless (open(FILE,$file)) {
+        print STDERR "Failed to read $file: $!";
+        next;
+      }
+    }
+    #Now parse the filehandle, updating the global variables.
+    parse($parser,\*FILE);
+    close FILE;
+  }
+}
+else {
+  #No files provided. Parse STDIN, updating the global variables.
+  parse($parser,\*STDIN);
+}
+
+
+if ($begin eq "9999-99-99 99:99:99" && ! $emptyOK) {
+  print STDERR "**** No valid log lines read\n";
+  exit 1;
+}
+
+# Output our results.
+print_header();
+print_grandtotals();
+
+# Print counts of user specified patterns if required.
+print_user_patterns() if @user_patterns;
+
+# Print rejection reasons.
+# print_rejects();
+
+# Print totals by transport if required.
+print_transport() if $show_transport;
+
+# Print the deliveries per interval as a histogram, unless configured not to.
+# First find the maximum in one interval and scale accordingly.
+if ($hist_opt > 0) {
+  print_histogram("Messages received", 'message', @received_interval_count);
+  print_histogram("Deliveries", 'delivery', @delivered_interval_count);
+}
+
+# Print times on queue if required.
+if ($#queue_times >= 0) {
+  print_duration_table("Time spent on the queue", "all messages", \@queue_times, \@qt_all_bin,$qt_all_overflow);
+  print_duration_table("Time spent on the queue", "messages with at least one remote delivery", \@queue_times, \@qt_remote_bin,$qt_remote_overflow);
+}
+
+# Print delivery times if required.
+if ($#delivery_times >= 0) {
+  print_duration_table("Delivery times", "all messages", \@delivery_times, \@dt_all_bin,$dt_all_overflow);
+  print_duration_table("Delivery times", "messages with at least one remote delivery", \@delivery_times, \@dt_remote_bin,$dt_remote_overflow);
+}
+
+# Print rcpt times if required.
+if ($#rcpt_times >= 0) {
+  foreach my $protocol ('all', grep(!/^all$/, sort keys %rcpt_times_bin)) {
+    print_duration_table("Receipt times", "$protocol messages", \@rcpt_times, $rcpt_times_bin{$protocol}, $rcpt_times_overflow{$protocol});
+  }
+}
+
+# Print relay information if required.
+print_relay() if $show_relay;
+
+# Print the league tables, if topcount isn't zero.
+if ($topcount > 0) {
+  my($ws_rej, $ws_top50, $ws_rej_row, $ws_top50_row, $ws_temp_rej, $ws_temp_rej_row);
+  $ws_rej_row = $ws_temp_rej_row = $ws_top50_row = 0;
+  if ($xls_fh) {
+    $ws_top50 = $workbook->addworksheet('Deliveries');
+    $ws_rej = $workbook->addworksheet('Rejections') if (%rejected_count_by_reason || %rejected_count_by_ip || %spam_count_by_ip);
+    $ws_temp_rej = $workbook->addworksheet('Temporary Rejections') if (%temporarily_rejected_count_by_reason || %temporarily_rejected_count_by_ip);
+  }
+
+  print_league_table("mail rejection reason", \%rejected_count_by_reason, undef, undef, undef, $ws_rej, \$ws_rej_row) if %rejected_count_by_reason;
+  print_league_table("mail temporary rejection reason", \%temporarily_rejected_count_by_reason, undef, undef, undef, $ws_temp_rej, \$ws_temp_rej_row) if %temporarily_rejected_count_by_reason;
+
+  foreach ('Host','Domain','Email','Edomain') {
+    next unless $do_sender{$_};
+    print_league_table("sending \l$_", $received_count{$_}, undef, $received_data{$_},$received_data_gigs{$_}, $ws_top50, \$ws_top50_row);
+  }
+
+  print_league_table("local sender", \%received_count_user, undef,
+    \%received_data_user,\%received_data_gigs_user, $ws_top50, \$ws_top50_row) if (($local_league_table || $include_remote_users) && %received_count_user);
+  foreach ('Host','Domain','Email','Edomain') {
+    next unless $do_sender{$_};
+    print_league_table("\l$_ destination", $delivered_messages{$_}, $delivered_addresses{$_}, $delivered_data{$_},$delivered_data_gigs{$_}, $ws_top50, \$ws_top50_row);
+  }
+  print_league_table("local destination", \%delivered_messages_user, \%delivered_addresses_user, \%delivered_data_user,\%delivered_data_gigs_user, $ws_top50, \$ws_top50_row) if (($local_league_table || $include_remote_users) && %delivered_messages_user);
+  print_league_table("local domain destination", \%delivered_messages_local_domain, \%delivered_addresses_local_domain, \%delivered_data_local_domain,\%delivered_data_gigs_local_domain, $ws_top50, \$ws_top50_row) if (($local_league_table || $include_remote_users) && %delivered_messages_local_domain);
+
+  print_league_table("rejected ip", \%rejected_count_by_ip, undef, undef, undef, $ws_rej, \$ws_rej_row) if %rejected_count_by_ip;
+  print_league_table("temporarily rejected ip", \%temporarily_rejected_count_by_ip, undef, undef, undef, $ws_rej, \$ws_rej_row) if %temporarily_rejected_count_by_ip;
+  print_league_table("non-rejected spamming ip", \%spam_count_by_ip, undef, undef, undef, $ws_rej, \$ws_rej_row) if %spam_count_by_ip;
+
+}
+
+# Print the error statistics if required.
+print_errors() if $show_errors;
+
+print $htm_fh "</body>\n</html>\n" if $htm_fh;
+
+
+$txt_fh->close if $txt_fh && ref $txt_fh;
+$htm_fh->close if $htm_fh;
+
+if ($xls_fh) {
+  # close Excel Workbook
+  $ws_global->set_first_sheet();
+  # FIXME: whyever - activate does not work :-/
+  $ws_global->activate();
+  $workbook->close();
+}
+
+
+# End of eximstats
diff --git a/src/exinext.src b/src/exinext.src
new file mode 100644
index 0000000..9138018
--- /dev/null
+++ b/src/exinext.src
@@ -0,0 +1,262 @@
+#! /bin/sh
+
+# Copyright (c) University of Cambridge, 1995 - 2007
+# See the file NOTICE for conditions of use and distribution.
+
+# Except when they appear in comments, the following placeholders in this
+# source are replaced when it is turned into a runnable script:
+#
+# CONFIGURE_FILE_USE_NODE
+# CONFIGURE_FILE
+# BIN_DIRECTORY
+
+# PROCESSED_FLAG
+
+# A shell+perl script to fish out the next retry time for a given domain;
+# it first calls exim to find out which hosts are set up for that domain and
+# then fishes out the retry data for each one.
+
+# For testing the selection and formatting logic, and perhaps for use in
+# special cases, the script can have an argument -C <filename> to specify
+# the use of an alternate Exim configuration file. It may also have any number
+# of -D options to set macros that are passed to exim.
+
+config=
+eximmacdef=
+exim_path=
+
+if test "x$1" = x--version
+then
+    echo "`basename $0`: $0"
+    echo "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION"
+    exit 0
+fi
+
+if expr -- $1 : '\-' >/dev/null ; then
+  while expr -- $1 : '\-' >/dev/null ; do
+    if [ "$1" = "-C" ]; then
+      config=$2
+      shift
+      shift
+    elif expr -- $1 : '\-D' >/dev/null ; then
+      eximmacdef="$eximmacdef $1"
+      if expr -- $1 : '\-DEXIM_PATH=' >/dev/null ; then
+        exim_path=`expr -- $1 : '\-DEXIM_PATH=\(.*\)'`
+      fi
+      shift
+    else
+      break
+    fi
+  done
+fi
+
+# We need to save the script's argument because in the absence of -C we need to
+# use shell arguments for sorting out the configuration file name.
+
+argone=$1
+
+# This is the normal case when no config file or macros are specified
+
+if [ "$config" = "" ]; then
+  # See if this installation is using the esoteric "USE_NODE" feature of Exim,
+  # in which it uses the host's name as a suffix for the configuration file name.
+
+  if [ "CONFIGURE_FILE_USE_NODE" = "yes" ]; then
+    hostsuffix=.`uname -n`
+  fi
+
+  # Now find the configuration file name. This has got complicated because
+  # CONFIGURE_FILE may now be a list of files. The one that is used is the first
+  # one that exists. Mimic the code in readconf.c by testing first for the
+  # suffixed file in each case.
+
+  set `awk -F: '{ for (i = 1; i <= NF; i++) print $i }' <<End
+CONFIGURE_FILE
+End
+`
+  while [ "$config" = "" -a $# -gt 0 ] ; do
+    if [ -f "$1$hostsuffix" ] ; then
+      config="$1$hostsuffix"
+    elif [ -f "$1" ] ; then
+      config="$1"
+    fi
+    shift
+  done
+fi
+
+# Determine where the spool directory is. Search for an exim_path setting
+# in the configure file; otherwise use the bin directory. Call that version of
+# Exim to find the spool directory and the qualify domain. BEWARE: a tab
+# character is needed in the command below. It has had a nasty tendency to get
+# lost in the past. Use a variable to hold a space and a tab to keep the tab in
+# one place.
+
+st='     '
+
+if [ "$exim_path" = "" ]; then
+  exim_path=`grep "^[$st]*exim_path" $config | sed "s/.*=[$st]*//"`
+fi
+
+if test "$exim_path" = ""; then exim_path=BIN_DIRECTORY/exim; fi
+spool_directory=`$exim_path $eximmacdef -C $config -bP spool_directory | sed 's/.*=[  ]*//'`
+qualify_domain=`$exim_path $eximmacdef -C $config -bP qualify_domain | sed 's/.*=[  ]*//'`
+
+# Now do the job. Perl uses $ so frequently that we don't want to have to
+# escape them all from the shell, so pass in shell variable values as
+# arguments.
+
+# 16-May-1996  Fixed it to do better if routing fails to complete.
+#              Improved the format of the output.
+# 10-Jun-1996  Complain if no argument given.
+# 02-Aug-1996  Lower case the domain.
+# 14-Jan-1999  Add subject to want list even if remote host found, so as to
+#              pick up routing delays after temporary recipient errors.
+#              Also add unqualified subject if it looks like a message id.
+# 01-Apr-2004  Add the -C feature for testing
+# 22-Dec-2005  Complete the -C feature (!)
+
+if [ "$argone" = "" ]; then
+  echo "Usage: exinext <address>|<domain>|<local-part>"
+  exit 1
+fi
+
+perl - $exim_path "$eximmacdef" $argone $spool_directory $qualify_domain $config <<'End'
+
+  # We don't import anything, but guard against future changes which do
+  BEGIN { pop @INC if $INC[-1] eq '.' };
+
+  # Name the arguments
+
+  $exim = $ARGV[0];
+  $eximmacdef = $ARGV[1];
+  $subject = $ARGV[2];
+  $spool = $ARGV[3];
+  $qualify = $ARGV[4];
+  $config = $ARGV[5];
+
+  # If the subject doesn't contain an @ then construct an address
+  # for the domain, and ensure that in both cases the domain is
+  # lower cased.
+
+  $address = ($subject =~ /^([^\@]*)\@([^\@]*)$/)?
+    "$1\@\L$2\E" : "User\@\L$subject\E";
+
+  # Run Exim to get a list of hosts for the given domain; for
+  # each one construct the appropriate retry key.
+
+  open(LIST, "$exim -C $config -v -bt $address |") ||
+    die "can't run exim to route $address";
+
+  while (<LIST>)
+    {
+    chop;
+    push(@list, $_) if s/\s*host (\S+)\s+\[(.+)\].*/$1:$2/;
+    print "$_\n" if /cannot be resolved/;
+    }
+  close(LIST);
+
+  # If there were no hosts, assume that what was given was a local
+  # username, unless it contains an @, and construct a suitable retry
+  # key for that. Also, if it looks like a message id, search for that
+  # as well, so as to pick up message-specific retry data.
+
+  if (scalar(@list) == 0)
+    {
+    push(@list, $subject) if $subject =~ /^\w{6}-\w{6}-\w{2}$/;
+
+    if ($subject !~ /\@/ && $subject !~ /\./)
+      {
+      push(@list, "$subject\@$qualify");
+      }
+    else
+      {
+      print "No remote hosts found for $subject\n";
+      }
+    }
+
+  # Always search for the full address, even if hosts are found, in case
+  # there is a routing delay caused by a temporary recipient error.
+
+  push(@list, $subject);
+
+  # Run exim_dumpdb to get out the retry data and pick off what we want
+
+  open(DATA, "${exim}_dumpdb $spool retry |") ||
+    die "can't run exim_dumpdb";
+
+  while (<DATA>)
+    {
+    for ($i = 0; $i <= $#list; $i++)
+      {
+      if (/$list[$i]/)
+        {
+        $printed = 1;
+        if (/^\s*T:[^:\s]*:/)
+          {
+          ($key,$error,$error2,$text) = /^\s*T:(\S+)\s+(\S+)\s+(\S+)\s*(.*)$/;
+
+          # Parsing the keys is a nightmare because of IPv6. The design of the
+          # format for the keys is a complete shambles. All my fault (PH). But
+          # I don't want to change it just for this purpose. If they key
+          # contains more than 3 colons, we have an IPv6 address, because
+          # an IPv6 address must contain at least two colons.
+
+          # Deal with IPv4 addresses (3 colons or fewer)
+
+          if ($key !~ /:([^:]*?:){3}/)
+            {
+            ($host,$ip,$port,$msgid) = $key =~
+              /^([^:]*):([^:]*)(?::([^:]*)(?::(\S*)|)|)/;
+            }
+
+          # Deal with IPv6 addresses; sorting out the colons is a complete
+          # mess. We should be able to find the host name and IP address from
+          # further in the message. That seems the easiest escape plan here. We
+          # can use those to match the rest of the key.
+
+          else
+            {
+            ($host,$ip) = $text =~ /host\s(\S+)\s\[([^]]+)\]/;
+            if (defined $host)
+              {
+              ($port,$msgid) = $key =~
+                /^$host:$ip(?::([^:]*)(?::(\S*)|)|)/;
+              }
+
+           # This will probably be wrong...
+
+           else
+             {
+             ($host,$ip) = $key =~ /([^:]*):(.*)/;
+             }
+            }
+
+          printf("Transport: %s [%s]", $host, $ip);
+          print ":$port" if defined $port;
+          print " $msgid" if defined $msgid;
+          print " error $error: $text\n";
+          }
+
+        else
+          {
+          ($type,$domain,$error,$error2,$text) =
+            /^\s*(\S):(\S+)\s+(\S+)\s+(\S+)\s*(.*)$/;
+          $type = ($type eq 'R')? "Route: " :
+                  ($type eq 'T')? "Transport: " : "";
+          print "$type$domain error $error: $text\n";
+          }
+        $_ = <DATA>;
+        ($first,$last,$next,$expired) =
+          /^(\S+\s+\S+)\s+(\S+\s+\S+)\s+(\S+\s+\S+)\s*(\*?)/;
+        print "  first failed: $first\n";
+        print "  last tried:   $last\n";
+        print "  next try at:  $next\n";
+        print "  past final cutoff time\n" if $expired eq "*";
+        }
+      }
+    }
+
+  close(DATA);
+  print "No retry data found for $subject\n" if !$printed;
+End
+
diff --git a/src/exipick.src b/src/exipick.src
new file mode 100644
index 0000000..a631333
--- /dev/null
+++ b/src/exipick.src
@@ -0,0 +1,1841 @@
+#!PERL_COMMAND
+# Copyright (c) 1995 - 2018 University of Cambridge.
+# See the file NOTICE for conditions of use and distribution.
+
+
+# This variables should be set by the building process
+my $spool = 'SPOOL_DIRECTORY';	# may be overridden later
+my $exim  = 'BIN_DIRECTORY/exim';
+
+# Need to set this dynamically during build, but it's not used right now anyway.
+my $charset = 'ISO-8859-1';
+
+# use 'exipick --help' to view documentation for this program.
+# Documentation also viewable online at
+#       http://www.exim.org/eximwiki/ToolExipickManPage
+
+use strict;
+BEGIN { pop @INC if $INC[-1] eq '.' };
+use Getopt::Long;
+use File::Basename;
+use Pod::Usage;
+
+my $p_name    = basename $0;
+my $p_version = "20100323.0";
+my $p_usage   = "Usage: $p_name [--help|--man|--version] (see --help for details)";
+my $p_cp      = <<EOM;
+        Copyright (c) 2003-2010 John Jetmore <jj33\@pobox.com>
+        Copyright (c) 2019 The Exim Maintainers
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
+EOM
+
+$| = 1; # unbuffer STDOUT
+
+Getopt::Long::Configure("bundling_override");
+GetOptions(
+  'spool=s'     => \$G::spool,      # exim spool dir
+  'C|Config=s'  => \$G::config,     # use alternative Exim configuration file
+  'input-dir=s' => \$G::input_dir,  # name of the "input" dir
+  'queue=s'     => \$G::queue,      # name of the queue
+  'finput'      => \$G::finput,     # same as "--input-dir Finput"
+  'bp'          => \$G::mailq_bp,   # List the queue (noop - default)
+  'bpa'         => \$G::mailq_bpa,  # ... with generated address as well
+  'bpc'         => \$G::mailq_bpc,  # ... but just show a count of messages
+  'bpr'         => \$G::mailq_bpr,  # ... do not sort
+  'bpra'        => \$G::mailq_bpra, # ... with generated addresses, unsorted
+  'bpru'        => \$G::mailq_bpru, # ... only undelivered addresses, unsorted
+  'bpu'         => \$G::mailq_bpu,  # ... only undelivered addresses
+  'and'         => \$G::and,        # 'and' the criteria (default)
+  'or'          => \$G::or,         # 'or' the criteria
+  'f=s'         => \$G::qgrep_f,    # from regexp
+  'r=s'         => \$G::qgrep_r,    # recipient regexp
+  's=s'         => \$G::qgrep_s,    # match against size field
+  'y=s'         => \$G::qgrep_y,    # message younger than (secs)
+  'o=s'         => \$G::qgrep_o,    # message older than (secs)
+  'z'           => \$G::qgrep_z,    # frozen only
+  'x'           => \$G::qgrep_x,    # non-frozen only
+  'c'           => \$G::qgrep_c,    # display match count
+  'l'           => \$G::qgrep_l,    # long format (default)
+  'i'           => \$G::qgrep_i,    # message ids only
+  'b'           => \$G::qgrep_b,    # brief format
+  'size'        => \$G::size_only,  # sum the size of the matching msgs
+  'not'         => \$G::negate,     # flip every test
+  'R|reverse'   => \$G::reverse,    # reverse output (-R is qgrep option)
+  'sort=s'      => \@G::sort,       # allow you to choose variables to sort by
+  'freeze=s'    => \$G::freeze,     # freeze data in this file
+  'thaw=s'      => \$G::thaw,       # thaw data from this file
+  'unsorted'    => \$G::unsorted,   # unsorted, regardless of output format
+  'random'      => \$G::random,     # (poorly) randomize evaluation order
+  'flatq'       => \$G::flatq,      # brief format
+  'caseful'     => \$G::caseful,    # in '=' criteria, respect case
+  'caseless'    => \$G::caseless,   #   ...ignore case (default)
+  'charset=s'   => \$charset,       # charset for $bh and $h variables
+  'show-vars=s' => \$G::show_vars,  # display the contents of these vars
+  'just-vars'   => \$G::just_vars,  # only display vars, no other info
+  'show-rules'  => \$G::show_rules, # display compiled match rules
+  'show-tests'  => \$G::show_tests, # display tests as applied to each message
+  'man'         => sub { pod2usage(-verbose => 2, -exit => 0, -noperldoc => system('perldoc -V >/dev/null 2>&1')) },
+  'help'        => sub { pod2usage(-verbose => 1, -exit => 0) },
+  'version'     => sub {
+        print "$p_name: $0\n",
+            "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+            "perl(runtime): $]\n";
+            exit 0;
+  },
+) or pod2usage;
+
+# if both freeze and thaw specified, only thaw as it is less destructive
+$G::freeze = undef               if ($G::freeze && $G::thaw);
+freeze_start()                   if ($G::freeze);
+thaw_start()                     if ($G::thaw);
+
+# massage sort options (make '$var,Var:' be 'var','var')
+for (my $i = scalar(@G::sort)-1; $i >= 0; $i--) {
+  $G::sort[$i] = lc($G::sort[$i]);
+  $G::sort[$i] =~ s/[\$:\s]//g;
+  if ((my @vars = split(/,/, $G::sort[$i])) > 1) {
+    $G::sort[$i] = $vars[0]; shift(@vars); # replace current slot w/ first var
+    splice(@G::sort, $i+1, 0, @vars);      # add other vars after current pos
+  }
+}
+push(@G::sort, "message_exim_id") if (@G::sort);
+die "empty value provided to --sort not allowed, exiting\n"
+    if (grep /^\s*$/, @G::sort);
+
+# massage the qgrep options into standard criteria
+push(@ARGV, "\$sender_address     =~ /$G::qgrep_f/") if ($G::qgrep_f);
+push(@ARGV, "\$recipients         =~ /$G::qgrep_r/") if ($G::qgrep_r);
+push(@ARGV, "\$shown_message_size eq $G::qgrep_s")   if ($G::qgrep_s);
+push(@ARGV, "\$message_age        <  $G::qgrep_y")   if ($G::qgrep_y);
+push(@ARGV, "\$message_age        >  $G::qgrep_o")   if ($G::qgrep_o);
+push(@ARGV, "\$deliver_freeze")                      if ($G::qgrep_z);
+push(@ARGV, "!\$deliver_freeze")                     if ($G::qgrep_x);
+
+$G::mailq_bp        = $G::mailq_bp;        # shut up -w
+$G::and             = $G::and;             # shut up -w
+$G::msg_ids         = {};                  # short circuit when crit is only MID
+$G::caseless        = $G::caseful ? 0 : 1; # nocase by default, case if both
+@G::recipients_crit = ();                  # holds per-recip criteria
+$spool              = defined $G::spool ? $G::spool
+		      : do { chomp($_ = `$exim @{[defined $G::config ? "-C $G::config" : '']} -n -bP spool_directory`)
+                             and $_ or $spool };
+my $input_dir       = (defined $G::queue ? "$G::queue/" : '')
+                    . (defined $G::input_dir || ($G::finput ? "Finput" : "input"));
+my $count_only      = 1 if ($G::mailq_bpc  || $G::qgrep_c);
+my $unsorted        = 1 if ($G::mailq_bpr  || $G::mailq_bpra ||
+                            $G::mailq_bpru || $G::unsorted);
+my $msg             = $G::thaw ? thaw_message_list()
+                               : get_all_msgs($spool, $input_dir, $unsorted,
+                                              $G::reverse, $G::random);
+die "Problem accessing thaw file\n" if ($G::thaw && !$msg);
+my $crit            = process_criteria(\@ARGV);
+my $e               = Exim::SpoolFile->new();
+my $tcount          = 0 if ($count_only);  # holds count of all messages
+my $mcount          = 0 if ($count_only);  # holds count of matching messages
+my $total_size      = 0 if ($G::size_only);
+$e->set_undelivered_only(1)      if ($G::mailq_bpru || $G::mailq_bpu);
+$e->set_show_generated(1)        if ($G::mailq_bpra || $G::mailq_bpa);
+$e->output_long()                if ($G::qgrep_l);
+$e->output_idonly()              if ($G::qgrep_i);
+$e->output_brief()               if ($G::qgrep_b);
+$e->output_flatq()               if ($G::flatq);
+$e->output_vars_only()           if ($G::just_vars && $G::show_vars);
+$e->set_show_vars($G::show_vars) if ($G::show_vars);
+$e->set_spool($spool, $input_dir);
+
+MSG:
+foreach my $m (@$msg) {
+  next if (scalar(keys(%$G::msg_ids)) && !$G::or
+                                      && !$G::msg_ids->{$m->{message}});
+  if ($G::thaw) {
+    my $data = thaw_data();
+    if (!$e->restore_state($data)) {
+      warn "Couldn't thaw $data->{_message}: ".$e->error()."\n";
+      next MSG;
+    }
+  } else {
+    if (!$e->parse_message($m->{message}, $m->{path})) {
+      warn "Couldn't parse $m->{message}: ".$e->error()."\n";
+      next MSG;
+    }
+  }
+  $tcount++;
+  my $match = 0;
+  my @local_crit = ();
+  foreach my $c (@G::recipients_crit) {              # handle each_recip* vars
+    foreach my $addr (split(/, /, $e->get_var($c->{var}))) {
+      my %t = ( 'cmp' => $c->{cmp}, 'var' => $c->{var} );
+      $t{cmp} =~ s/"?\$var"?/'$addr'/;
+      push(@local_crit, \%t);
+    }
+  }
+  if ($G::show_tests) { print $e->get_var('message_exim_id'), "\n"; }
+  CRITERIA:
+  foreach my $c (@$crit, @local_crit) {
+    my $var = $e->get_var($c->{var});
+    my $ret = eval($c->{cmp});
+    if ($G::show_tests) {
+      printf "  %25s =  '%s'\n  %25s => $ret\n",$c->{var},$var,$c->{cmp},$ret;
+    }
+    if ($@) {
+      print STDERR "Error in eval '$c->{cmp}': $@\n";
+      next MSG;
+    } elsif ($ret) {
+      $match = 1;
+      if ($G::or) { last CRITERIA; }
+      else        { next CRITERIA; }
+    } else { # no match
+      if ($G::or) { next CRITERIA; }
+      else        { next MSG;      }
+    }
+  }
+
+  # skip this message if any criteria were supplied and it didn't match
+  next MSG if ((scalar(@$crit) || scalar(@local_crit)) && !$match);
+
+  if ($count_only || $G::size_only) {
+    $mcount++;
+    $total_size += $e->get_var('message_size');
+  } else {
+    if (@G::sort) {
+      # if we are defining criteria to sort on, save the message here.  If
+      # we don't save here and do the sort later, we have a chicken/egg
+      # problem
+      push(@G::to_print, { vars => {}, output => "" });
+      foreach my $var (@G::sort) {
+        # save any values we want to sort on.  I don't like doing the internal
+        # struct access here, but calling get_var a bunch can be _slow_ =(
+        $G::sort_type{$var} ||= '<=>';
+        $G::to_print[-1]{vars}{$var} = $e->{_vars}{$var};
+        $G::sort_type{$var} = 'cmp' if ($G::to_print[-1]{vars}{$var} =~ /\D/);
+      }
+      $G::to_print[-1]{output} = $e->format_message();
+    } else {
+      print $e->format_message();
+    }
+  }
+
+  if ($G::freeze) {
+    freeze_data($e->get_state());
+    push(@G::frozen_msgs, $m);
+  }
+}
+
+if (@G::to_print) {
+  msg_sort(\@G::to_print, \@G::sort, $G::reverse);
+  foreach my $msg (@G::to_print) {
+    print $msg->{output};
+  }
+}
+
+if ($G::qgrep_c) {
+  print "$mcount matches out of $tcount messages" .
+        ($G::size_only ? " ($total_size)" : "") . "\n";
+} elsif ($G::mailq_bpc) {
+  print "$mcount" .  ($G::size_only ? " ($total_size)" : "") . "\n";
+} elsif ($G::size_only) {
+  print "$total_size\n";
+}
+
+if ($G::freeze) {
+  freeze_message_list(\@G::frozen_msgs);
+  freeze_end();
+} elsif ($G::thaw) {
+  thaw_end();
+}
+
+exit;
+
+# sender_address_domain,shown_message_size
+sub msg_sort {
+  my $msgs    = shift;
+  my $vars    = shift;
+  my $reverse = shift;
+
+  my @pieces = ();
+  foreach my $v (@G::sort) {
+    push(@pieces, "\$a->{vars}{\"$v\"} $G::sort_type{$v} \$b->{vars}{\"$v\"}");
+  }
+  my $sort_str = join(" || ", @pieces);
+
+  @$msgs = sort { eval $sort_str } (@$msgs);
+  @$msgs = reverse(@$msgs) if ($reverse);
+}
+
+sub try_load {
+  my $mod = shift;
+
+  eval("use $mod");
+  return $@ ? 0 : 1;
+}
+
+# FREEZE FILE FORMAT:
+# message_data_bytes
+# message_data
+# <...>
+# EOM
+# message_list
+# message_list_bytes <- 10 bytes, zero-packed, plus \n
+
+sub freeze_start {
+  eval("use Storable");
+  die "Storable module not found: $@\n" if ($@);
+  open(O, ">$G::freeze") || die "Can't open freeze file $G::freeze: $!\n";
+  $G::freeze_handle = \*O;
+}
+
+sub freeze_end {
+  close($G::freeze_handle);
+}
+
+sub thaw_start {
+  eval("use Storable");
+  die "Storable module not found: $@\n" if ($@);
+  open(I, "<$G::thaw") || die "Can't open freeze file $G::thaw: $!\n";
+  $G::freeze_handle = \*I;
+}
+
+sub thaw_end {
+  close($G::freeze_handle);
+}
+
+sub freeze_data {
+  my $h = Storable::freeze($_[0]);
+  print $G::freeze_handle length($h)+1, "\n$h\n";
+}
+
+sub freeze_message_list {
+  my $h = Storable::freeze($_[0]);
+  my $l = length($h) + 1;
+  printf $G::freeze_handle "EOM\n$l\n$h\n%010d\n", $l+11+length($l)+1;
+}
+
+sub thaw_message_list {
+  my $orig_pos = tell($G::freeze_handle);
+  seek($G::freeze_handle, -11, 2);
+  chomp(my $bytes = <$G::freeze_handle>);
+  seek($G::freeze_handle, $bytes * -1, 2);
+  my $obj = thaw_data();
+  seek($G::freeze_handle, 0, $orig_pos);
+  return($obj);
+}
+
+sub thaw_data {
+  my $obj;
+  chomp(my $bytes = <$G::freeze_handle>);
+  return(undef) if (!$bytes || $bytes eq 'EOM');
+  my $read = read(I, $obj, $bytes);
+  die "Format error in thaw file (expected $bytes bytes, got $read)\n"
+      if ($bytes != $read);
+  chomp($obj);
+  return(Storable::thaw($obj));
+}
+
+sub process_criteria {
+  my $a = shift;
+  my @c = ();
+  my $e = 0;
+
+  foreach (@$a) {
+    foreach my $t ('@') { s/$t/\\$t/g; }
+    if (/^(.*?)\s+(<=|>=|==|!=|<|>)\s+(.*)$/) {
+      #print STDERR "found as integer\n";
+      my $v = $1; my $o = $2; my $n = $3;
+      if    ($n =~ /^(-?[\d\.]+)M$/)  { $n = $1 * 1024 * 1024; }
+      elsif ($n =~ /^(-?[\d\.]+)K$/)  { $n = $1 * 1024; }
+      elsif ($n =~ /^(-?[\d\.]+)B?$/) { $n = $1; }
+      elsif ($n =~ /^(-?[\d\.]+)d$/)  { $n = $1 * 60 * 60 * 24; }
+      elsif ($n =~ /^(-?[\d\.]+)h$/)  { $n = $1 * 60 * 60; }
+      elsif ($n =~ /^(-?[\d\.]+)m$/)  { $n = $1 * 60; }
+      elsif ($n =~ /^(-?[\d\.]+)s?$/) { $n = $1; }
+      else {
+        print STDERR "Expression $_ did not parse: numeric comparison with ",
+                     "non-number\n";
+        $e = 1;
+        next;
+      }
+      push(@c, { var => lc($v), cmp => "(\$var $o $n)" });
+    } elsif (/^(.*?)\s+(=~|!~)\s+(.*)$/) {
+      #print STDERR "found as string regexp\n";
+      push(@c, { var => lc($1), cmp => "(\"\$var\" $2 $3)" });
+    } elsif (/^(.*?)\s+=\s+(.*)$/) {
+      #print STDERR "found as bare string regexp\n";
+      my $case = $G::caseful ? '' : 'i';
+      push(@c, { var => lc($1), cmp => "(\"\$var\" =~ /$2/$case)" });
+      # quote special characters in perl text string
+      #foreach my $t ('@') { $c[-1]{cmp} =~ s/$t/\\$t/g; }
+    } elsif (/^(.*?)\s+(eq|ne)\s+(.*)$/) {
+      #print STDERR "found as string cmp\n";
+      my $var = lc($1); my $op = $2; my $val = $3;
+      $val =~ s|^(['"])(.*)\1$|$2|;
+      push(@c, { var => $var, cmp => "(\"\$var\" $op \"$val\")" });
+      if (($var eq 'message_id' || $var eq 'message_exim_id') && $op eq "eq") {
+        #print STDERR "short circuit @c[-1]->{cmp} $val\n";
+        $G::msg_ids->{$val} = 1;
+      }
+      #foreach my $t ('@') { $c[-1]{cmp} =~ s/$t/\\$t/g; }
+    } elsif (/^(\S+)$/) {
+      #print STDERR "found as boolean\n";
+      push(@c, { var => lc($1), cmp => "(\$var)" });
+    } else {
+      print STDERR "Expression $_ did not parse\n";
+      $e = 1;
+      next;
+    }
+    # assign the results of the cmp test here (handle "!" negation)
+    # also handle global --not negation
+    if ($c[-1]{var} =~ s|^!||) {
+      $c[-1]{cmp} .= $G::negate ? " ? 1 : 0" : " ? 0 : 1";
+    } else {
+      $c[-1]{cmp} .= $G::negate ? " ? 0 : 1" : " ? 1 : 0";
+    }
+    # support the each_* pseudo variables.  Steal the criteria off of the
+    # queue for special processing later
+    if ($c[-1]{var} =~ /^each_(recipients(_(un)?del)?)$/) {
+      my $var = $1;
+      push(@G::recipients_crit,pop(@c));
+      $G::recipients_crit[-1]{var} = $var; # remove each_ from the variable
+    }
+  }
+
+  exit(1) if ($e);
+
+  if ($G::show_rules) { foreach (@c) { print "$_->{var}\t$_->{cmp}\n"; } }
+
+  return(\@c);
+}
+
+sub get_all_msgs {
+  my $d = shift();
+  my $i = shift();
+  my $u = shift; # don't sort
+  my $r = shift; # right before returning, reverse order
+  my $o = shift; # if true, randomize list order before returning
+  my @m = ();
+
+  if ($i =~ m|^/|) { $d = $i; } else { $d = $d . '/' . $i; }
+
+  opendir(D, "$d") || die "Couldn't opendir $d: $!\n";
+  foreach my $e (grep !/^\./, readdir(D)) {
+    if ($e =~ /^[a-zA-Z0-9]$/) {
+      opendir(DD, "$d/$e") || next;
+      foreach my $f (grep !/^\./, readdir(DD)) {
+        push(@m, { message => $1, path => "$d/$e" }) if ($f =~ /^(.{16})-H$/);
+      }
+      closedir(DD);
+    } elsif ($e =~ /^(.{16})-H$/) {
+      push(@m, { message => $1, path => $d });
+    }
+  }
+  closedir(D);
+
+  if ($o) {
+    my $c = scalar(@m);
+    # loop twice to pretend we're doing a good job of mixing things up
+    for (my $i = 0; $i < 2 * $c; $i++) {
+      my $rand = int(rand($c));
+      ($m[$i % $c],$m[$rand]) = ($m[$rand],$m[$i % $c]);
+    }
+  } elsif (!$u) {
+    @m = sort { $a->{message} cmp $b->{message} } @m;
+  }
+  @m = reverse(@m) if ($r);
+
+  return(\@m);
+}
+
+BEGIN {
+
+package Exim::SpoolFile;
+
+# versions 4.61 and higher will not need these variables anymore, but they
+# are left for handling legacy installs
+$Exim::SpoolFile::ACL_C_MAX_LEGACY = 10;
+#$Exim::SpoolFile::ACL_M_MAX _LEGACY= 10;
+
+sub new {
+  my $class = shift;
+  my $self  = {};
+  bless($self, $class);
+
+  $self->{_spool_dir}        = '';
+  $self->{_input_path}       = '';
+  $self->{_undelivered_only} = 0;
+  $self->{_show_generated}   = 0;
+  $self->{_output_long}      = 1;
+  $self->{_output_idonly}    = 0;
+  $self->{_output_brief}     = 0;
+  $self->{_output_flatq}     = 0;
+  $self->{_output_vars_only} = 0;
+  $self->{_show_vars}        = [];
+
+  $self->_reset();
+  return($self);
+}
+
+sub output_long {
+  my $self = shift;
+
+  $self->{_output_long}      = 1;
+  $self->{_output_idonly}    = 0;
+  $self->{_output_brief}     = 0;
+  $self->{_output_flatq}     = 0;
+  $self->{_output_vars_only} = 0;
+}
+
+sub output_idonly {
+  my $self = shift;
+
+  $self->{_output_long}      = 0;
+  $self->{_output_idonly}    = 1;
+  $self->{_output_brief}     = 0;
+  $self->{_output_flatq}     = 0;
+  $self->{_output_vars_only} = 0;
+}
+
+sub output_brief {
+  my $self = shift;
+
+  $self->{_output_long}      = 0;
+  $self->{_output_idonly}    = 0;
+  $self->{_output_brief}     = 1;
+  $self->{_output_flatq}     = 0;
+  $self->{_output_vars_only} = 0;
+}
+
+sub output_flatq {
+  my $self = shift;
+
+  $self->{_output_long}      = 0;
+  $self->{_output_idonly}    = 0;
+  $self->{_output_brief}     = 0;
+  $self->{_output_flatq}     = 1;
+  $self->{_output_vars_only} = 0;
+}
+
+sub output_vars_only {
+  my $self = shift;
+
+  $self->{_output_long}      = 0;
+  $self->{_output_idonly}    = 0;
+  $self->{_output_brief}     = 0;
+  $self->{_output_flatq}     = 0;
+  $self->{_output_vars_only} = 1;
+}
+
+sub set_show_vars {
+  my $self = shift;
+  my $s    = shift;
+
+  foreach my $v (split(/\s*,\s*/, $s)) {
+    push(@{$self->{_show_vars}}, $v);
+  }
+}
+
+sub set_show_generated {
+  my $self = shift;
+  $self->{_show_generated} = shift;
+}
+
+sub set_undelivered_only {
+  my $self = shift;
+  $self->{_undelivered_only} = shift;
+}
+
+sub error {
+  my $self = shift;
+  return $self->{_error};
+}
+
+sub _error {
+  my $self = shift;
+  $self->{_error} = shift;
+  return(undef);
+}
+
+sub _reset {
+  my $self = shift;
+
+  $self->{_error}       = '';
+  $self->{_delivered}   = 0;
+  $self->{_message}     = '';
+  $self->{_path}        = '';
+  $self->{_vars}        = {};
+  $self->{_vars_raw}    = {};
+
+  $self->{_numrecips}   = 0;
+  $self->{_udel_tree}   = {};
+  $self->{_del_tree}    = {};
+  $self->{_recips}      = {};
+
+  return($self);
+}
+
+sub parse_message {
+  my $self = shift;
+
+  $self->_reset();
+  $self->{_message} = shift || return(0);
+  $self->{_path}    = shift; # optional path to message
+  return(0) if (!$self->{_input_path});
+  if (!$self->{_path} && !$self->_find_path()) {
+    # assume the message was delivered from under us and ignore
+    $self->{_delivered} = 1;
+    return(1);
+  }
+  $self->_parse_header() || return(0);
+
+  return(1);
+}
+
+# take the output of get_state() and set up a message internally like
+# parse_message (except from a saved data struct, not by parsing the
+# files on disk).
+sub restore_state {
+  my $self = shift;
+  my $h    = shift;
+
+  return(1) if ($h->{_delivered});
+  $self->_reset();
+  $self->{_message} = $h->{_message} || return(0);
+  return(0) if (!$self->{_input_path});
+
+  $self->{_path}      = $h->{_path};
+  $self->{_vars}      = $h->{_vars};
+  $self->{_numrecips} = $h->{_numrecips};
+  $self->{_udel_tree} = $h->{_udel_tree};
+  $self->{_del_tree}  = $h->{_del_tree};
+  $self->{_recips}    = $h->{_recips};
+
+  $self->{_vars}{message_age} = time() - $self->{_vars}{received_time};
+  return(1);
+}
+
+# This returns the state data for a specific message in a format that can
+# be later frozen back in to regain state
+#
+# after calling this function, this specific state is not expect to be
+# reused.  That's because we're returning direct references to specific
+# internal structures.  We're also modifying the structure ourselves
+# by deleting certain internal message variables.
+sub get_state {
+  my $self = shift;
+  my $h    = {};    # this is the hash ref we'll be returning.
+
+  $h->{_delivered} = $self->{_delivered};
+  $h->{_message}   = $self->{_message};
+  $h->{_path}      = $self->{_path};
+  $h->{_vars}      = $self->{_vars};
+  $h->{_numrecips} = $self->{_numrecips};
+  $h->{_udel_tree} = $self->{_udel_tree};
+  $h->{_del_tree}  = $self->{_del_tree};
+  $h->{_recips}    = $self->{_recips};
+
+  # delete some internal variables that we will rebuild later if needed
+  delete($h->{_vars}{message_body});
+  delete($h->{_vars}{message_age});
+
+  return($h);
+}
+
+# keep this sub as a feature if we ever break this module out, but do away
+# with its use in exipick (pass it in from caller instead)
+sub _find_path {
+  my $self = shift;
+
+  return(0) if (!$self->{_message});
+  return(0) if (!$self->{_input_path});
+
+  # test split spool first on the theory that people concerned about
+  # performance will have split spool set =).
+  foreach my $f (substr($self->{_message}, 5, 1).'/', '') {
+    if (-f "$self->{_input_path}/$f$self->{_message}-H") {
+      $self->{_path} = "$self->{_input_path}}/$f";
+      return(1);
+    }
+  }
+  return(0);
+}
+
+sub set_spool {
+  my $self = shift;
+  $self->{_spool_dir} = shift;
+  $self->{_input_path} = shift;
+  if ($self->{_input_path} !~ m|^/|) {
+    $self->{_input_path} = $self->{_spool_dir} . '/' . $self->{_input_path};
+  }
+}
+
+sub get_matching_vars {
+  my $self = shift;
+  my $e    = shift;
+
+  if ($e =~ /^\^/) {
+    my @r = ();
+    foreach my $v (keys %{$self->{_vars}}) { push(@r, $v) if ($v =~ /$e/); }
+    return(@r);
+  } else {
+    return($e);
+  }
+}
+
+# accepts a variable with or without leading '$' or trailing ':'
+sub get_var {
+  my $self = shift;
+  my $var  = lc(shift); $var =~ s/^\$//; $var =~ s/:$//;
+
+  if ($var eq 'message_body' && !defined($self->{_vars}{message_body})) {
+    $self->_parse_body()
+  } elsif ($var =~ s|^([rb]?h)(eader)?_|${1}eader_| &&
+           exists($self->{_vars}{$var}) && !defined($self->{_vars}{$var}))
+  {
+    if ((my $type = $1) eq 'rh') {
+      $self->{_vars}{$var} = join('', @{$self->{_vars_raw}{$var}{vals}});
+    } else {
+      # both bh_ and h_ build their strings from rh_.  Do common work here
+      my $rh = $var; $rh =~ s|^b?|r|;
+      my $comma = 1 if ($self->{_vars_raw}{$rh}{type} =~ /^[BCFRST]$/);
+      foreach (@{$self->{_vars_raw}{$rh}{vals}}) {
+        my $x = $_; # editing $_ here would change the original, which is bad
+        $x =~ s|^\s+||;
+        $x =~ s|\s+$||;
+        if ($comma) { chomp($x); $self->{_vars}{$var} .= "$x,\n"; }
+        else        { $self->{_vars}{$var} .= $x; }
+      }
+      $self->{_vars}{$var} =~ s|[\s\n]*$||;
+      $self->{_vars}{$var} =~ s|,$|| if ($comma);
+      # ok, that's the preprocessing, not do specific processing for h type
+      if ($type eq 'bh') {
+        $self->{_vars}{$var} = $self->_decode_2047($self->{_vars}{$var});
+      } else {
+        $self->{_vars}{$var} =
+            $self->_decode_2047($self->{_vars}{$var}, $charset);
+      }
+    }
+  }
+  elsif ($var eq 'received_count' && !defined($self->{_vars}{received_count}))
+  {
+    $self->{_vars}{received_count} =
+        scalar(@{$self->{_vars_raw}{rheader_received}{vals}});
+  }
+  elsif ($var eq 'message_headers' && !defined($self->{_vars}{message_headers}))
+  {
+    $self->{_vars}{$var} =
+        $self->_decode_2047($self->{_vars}{message_headers_raw}, $charset);
+    chomp($self->{_vars}{$var});
+  }
+  elsif ($var eq 'reply_address' && !defined($self->{_vars}{reply_address}))
+  {
+    $self->{_vars}{reply_address} = exists($self->{_vars}{"header_reply-to"})
+        ? $self->get_var("header_reply-to") : $self->get_var("header_from");
+  }
+
+  #chomp($self->{_vars}{$var}); # I think this was only for headers, obsolete
+  return $self->{_vars}{$var};
+}
+
+sub _decode_2047 {
+  my $self = shift;
+  my $s    = shift; # string to decode
+  my $c    = shift; # target charset.  If empty, just decode, don't convert
+  my $t    = '';    # the translated string
+  my $e    = 0;     # set to true if we get an error in here anywhere
+
+  return($s) if ($s !~ /=\?/); # don't even bother to look if there's no sign
+
+  my @p = ();
+  foreach my $mw (split(/(=\?[^\?]{3,}\?[BQ]\?[^\?]{1,74}\?=)/i, $s)) {
+    next if ($mw eq '');
+    if ($mw =~ /=\?([^\?]{3,})\?([BQ])\?([^\?]{1,74})\?=/i) {
+      push(@p, { data => $3, encoding => uc($2), charset => uc($1),
+                 is_mime => 1 });
+      if ($p[-1]{encoding} eq 'Q') {
+        my @ow = split('', $p[-1]{data});
+        my @nw = ();
+        for (my $i = 0; $i < @ow; $i++) {
+          if ($ow[$i] eq '_') { push(@nw, ' '); }
+          elsif ($ow[$i] eq '=') {
+            if (scalar(@ow) - ($i+1) < 2) {  # ran out of characters
+              $e = 1; last;
+            } elsif ($ow[$i+1] !~ /[\dA-F]/i || $ow[$i+2] !~ /[\dA-F]/i) {
+              $e = 1; last;
+            } else {
+              #push(@nw, chr('0x'.$ow[$i+1].$ow[$i+2]));
+              push(@nw, pack("C", hex($ow[$i+1].$ow[$i+2])));
+              $i += 2;
+            }
+          }
+          elsif ($ow[$i] =~ /\s/) { # whitespace is illegal
+            $e = 1;
+            last;
+          }
+          else { push(@nw, $ow[$i]); }
+        }
+        $p[-1]{data} = join('', @nw);
+      } elsif ($p[-1]{encoding} eq 'B') {
+        my $x = $p[-1]{data};
+        $x    =~ tr#A-Za-z0-9+/##cd;
+        $x    =~ s|=+$||;
+        $x    =~ tr#A-Za-z0-9+/# -_#;
+        my $r = '';
+        while ($x =~ s/(.{1,60})//s) {
+          $r .= unpack("u", chr(32 + int(length($1)*3/4)) . $1);
+        }
+        $p[-1]{data} = $r;
+      }
+    } else {
+      push(@p, { data => $mw, is_mime => 0,
+                 is_ws => ($mw =~ m|^[\s\n]+|sm) ? 1 : 0 });
+    }
+  }
+
+  for (my $i = 0; $i < @p; $i++) {
+    # mark entities we want to skip (whitespace between consecutive mimewords)
+    if ($p[$i]{is_mime} && $p[$i+1]{is_ws} && $p[$i+2]{is_mime}) {
+      $p[$i+1]{skip} = 1;
+    }
+
+    # if word is a mimeword and we have access to Encode and charset was
+    # specified, try to convert text
+    # XXX _cannot_ get consistent conversion results in perl, can't get them
+    # to return same conversions that exim performs.  Until I can figure this
+    # out, don't attempt any conversions (header_ will return same value as
+    # bheader_).
+    #if ($c && $p[$i]{is_mime} && $self->_try_load('Encode')) {
+    #  # XXX not sure how to catch errors here
+    #  Encode::from_to($p[$i]{data}, $p[$i]{charset}, $c);
+    #}
+
+    # replace binary zeros w/ '?' in decoded text
+    if ($p[$i]{is_mime}) { $p[$i]{data} =~ s|\x00|?|g; }
+  }
+
+  if ($e) {
+    return($s);
+  } else {
+    return(join('', map { $_->{data} } grep { !$_->{skip} } @p));
+  }
+}
+
+# This isn't a class func but I'm tired
+sub _try_load {
+  my $self = shift;
+  my $mod  = shift;
+
+  eval("use $mod");
+  return $@ ? 0 : 1;
+}
+
+sub _parse_body {
+  my $self = shift;
+  my $f    = $self->{_path} . '/' . $self->{_message} . '-D';
+  $self->{_vars}{message_body} = ""; # define var so we only come here once
+
+  open(I, "<$f") || return($self->_error("Couldn't open $f: $!"));
+  chomp($_ = <I>);
+  return(0) if ($self->{_message}.'-D' ne $_);
+
+  $self->{_vars}{message_body} = join('', <I>);
+  close(I);
+  $self->{_vars}{message_body} =~ s/\n/ /g;
+  $self->{_vars}{message_body} =~ s/\000/ /g;
+  return(1);
+}
+
+sub _parse_header {
+  my $self = shift;
+  my $f    = $self->{_path} . '/' . $self->{_message} . '-H';
+  $self->{_vars}{header_path} = $f;
+  $self->{_vars}{data_path}   = $self->{_path} . '/' . $self->{_message} . '-D';
+
+  if (!open(I, "<$f")) {
+    # assume message went away and silently ignore
+    $self->{_delivered} = 1;
+    return(1);
+  }
+
+  # There are a few numeric variables that should explicitly be set to
+  # zero if they aren't found in the header.  Technically an empty value
+  # works just as well, but might as well be pedantic
+  $self->{_vars}{body_zerocount}           = 0;
+  $self->{_vars}{host_lookup_deferred}     = 0;
+  $self->{_vars}{host_lookup_failed}       = 0;
+  $self->{_vars}{tls_certificate_verified} = 0;
+
+  chomp($_ = <I>);
+  return(0) if ($self->{_message}.'-H' ne $_);
+  $self->{_vars}{message_id}       = $self->{_message};
+  $self->{_vars}{message_exim_id}  = $self->{_message};
+
+  # line 2
+  chomp($_ = <I>);
+  return(0) if (!/^(.+)\s(\-?\d+)\s(\-?\d+)$/);
+  $self->{_vars}{originator_login} = $1;
+  $self->{_vars}{originator_uid}   = $2;
+  $self->{_vars}{originator_gid}   = $3;
+
+  # line 3
+  chomp($_ = <I>);
+  return(0) if (!/^<(.*)>$/);
+  $self->{_vars}{sender_address}   = $1;
+  $self->{_vars}{sender_address_domain} = $1;
+  $self->{_vars}{sender_address_local_part} = $1;
+  $self->{_vars}{sender_address_domain} =~ s/^.*\@//;
+  $self->{_vars}{sender_address_local_part} =~ s/^(.*)\@.*$/$1/;
+
+  # line 4
+  chomp($_ = <I>);
+  return(0) if (!/^(\d+)\s(\d+)$/);
+  $self->{_vars}{received_time}    = $1;
+  $self->{_vars}{warning_count}    = $2;
+  $self->{_vars}{message_age}      = time() - $self->{_vars}{received_time};
+
+  TAGGED: while (<I>) {
+    my ($tag, $arg) = /^-?(-\S+)(?:\s+(.*))?$/ or last TAGGED;
+    chomp;
+
+    if ($tag eq '-acl') {
+      my $t;
+      return(0) if ($arg !~ /^(\d+)\s(\d+)$/);
+      if ($1 < $Exim::SpoolFile::ACL_C_MAX_LEGACY) {
+        $t = "acl_c$1";
+      } else {
+        $t = "acl_m" . ($1 - $Exim::SpoolFile::ACL_C_MAX_LEGACY);
+      }
+      read(I, $self->{_vars}{$t}, $2+1) || return(0);
+      chomp($self->{_vars}{$t});
+    } elsif ($tag eq '-aclc') {
+      #return(0) if ($arg !~ /^(\d+)\s(\d+)$/);
+      return(0) if ($arg !~ /^(\S+)\s(\d+)$/);
+      my $t = "acl_c$1";
+      read(I, $self->{_vars}{$t}, $2+1) || return(0);
+      chomp($self->{_vars}{$t});
+    } elsif ($tag eq '-aclm') {
+      #return(0) if ($arg !~ /^(\d+)\s(\d+)$/);
+      return(0) if ($arg !~ /^(\S+)\s(\d+)$/);
+      my $t = "acl_m$1";
+      read(I, $self->{_vars}{$t}, $2+1) || return(0);
+      chomp($self->{_vars}{$t});
+    } elsif ($tag eq '-local') {
+      $self->{_vars}{sender_local} = 1;
+    } elsif ($tag eq '-localerror') {
+      $self->{_vars}{local_error_message} = 1;
+    } elsif ($tag eq '-local_scan') {
+      $self->{_vars}{local_scan_data} = $arg;
+    } elsif ($tag eq '-spam_score_int') {
+      $self->{_vars}{spam_score_int} = $arg;
+      $self->{_vars}{spam_score}     = $arg / 10;
+    } elsif ($tag eq '-bmi_verdicts') {
+      $self->{_vars}{bmi_verdicts} = $arg;
+    } elsif ($tag eq '-host_lookup_deferred') {
+      $self->{_vars}{host_lookup_deferred} = 1;
+    } elsif ($tag eq '-host_lookup_failed') {
+      $self->{_vars}{host_lookup_failed} = 1;
+    } elsif ($tag eq '-body_linecount') {
+      $self->{_vars}{body_linecount} = $arg;
+    } elsif ($tag eq '-max_received_linelength') {
+      $self->{_vars}{max_received_linelength} = $arg;
+    } elsif ($tag eq '-body_zerocount') {
+      $self->{_vars}{body_zerocount} = $arg;
+    } elsif ($tag eq '-frozen') {
+      $self->{_vars}{deliver_freeze} = 1;
+      $self->{_vars}{deliver_frozen_at} = $arg;
+    } elsif ($tag eq '-allow_unqualified_recipient') {
+      $self->{_vars}{allow_unqualified_recipient} = 1;
+    } elsif ($tag eq '-allow_unqualified_sender') {
+      $self->{_vars}{allow_unqualified_sender} = 1;
+    } elsif ($tag eq '-deliver_firsttime') {
+      $self->{_vars}{deliver_firsttime} = 1;
+      $self->{_vars}{first_delivery} = 1;
+    } elsif ($tag eq '-manual_thaw') {
+      $self->{_vars}{deliver_manual_thaw} = 1;
+      $self->{_vars}{manually_thawed} = 1;
+    } elsif ($tag eq '-auth_id') {
+      $self->{_vars}{authenticated_id} = $arg;
+    } elsif ($tag eq '-auth_sender') {
+      $self->{_vars}{authenticated_sender} = $arg;
+    } elsif ($tag eq '-sender_set_untrusted') {
+      $self->{_vars}{sender_set_untrusted} = 1;
+    } elsif ($tag eq '-tls_certificate_verified') {
+      $self->{_vars}{tls_certificate_verified} = 1;
+    } elsif ($tag eq '-tls_cipher') {
+      $self->{_vars}{tls_cipher} = $arg;
+    } elsif ($tag eq '-tls_peerdn') {
+      $self->{_vars}{tls_peerdn} = $arg;
+    } elsif ($tag eq '-tls_sni') {
+      $self->{_vars}{tls_sni} = $arg;
+    } elsif ($tag eq '-host_address') {
+      $self->{_vars}{sender_host_port} = $self->_get_host_and_port(\$arg);
+      $self->{_vars}{sender_host_address} = $arg;
+    } elsif ($tag eq '-interface_address') {
+      $self->{_vars}{received_port} =
+          $self->{_vars}{interface_port} = $self->_get_host_and_port(\$arg);
+      $self->{_vars}{received_ip_address} =
+          $self->{_vars}{interface_address} = $arg;
+    } elsif ($tag eq '-active_hostname') {
+      $self->{_vars}{smtp_active_hostname} = $arg;
+    } elsif ($tag eq '-host_auth') {
+      $self->{_vars}{sender_host_authenticated} = $arg;
+    } elsif ($tag eq '-host_name') {
+      $self->{_vars}{sender_host_name} = $arg;
+    } elsif ($tag eq '-helo_name') {
+      $self->{_vars}{sender_helo_name} = $arg;
+    } elsif ($tag eq '-ident') {
+      $self->{_vars}{sender_ident} = $arg;
+    } elsif ($tag eq '-received_protocol') {
+      $self->{_vars}{received_protocol} = $arg;
+    } elsif ($tag eq '-N') {
+      $self->{_vars}{dont_deliver} = 1;
+    } else {
+      # unrecognized tag, save it for reference
+      $self->{$tag} = $arg;
+    }
+  }
+
+  # when we drop out of the while loop, we have the first line of the
+  # delivered tree in $_
+  do {
+    chomp;
+    if ($_ eq 'XX') {
+      ; # noop
+    } elsif ($_ =~ s/^[YN][YN]\s+//) {
+      $self->{_del_tree}{$_} = 1;
+    } else {
+      return(0);
+    }
+    $_ = <I>;
+  } while ($_ !~ /^\d+$/);
+
+  $self->{_numrecips} = $_;
+  $self->{_vars}{recipients_count} = $self->{_numrecips};
+  for (my $i = 0; $i < $self->{_numrecips}; $i++) {
+    chomp($_ = <I>);
+    return(0) if (/^$/);
+    my $addr = '';
+    if (/^(.*)\s\d+,(\d+),\d+$/) {
+      #print STDERR "exim3 type (untested): $_\n";
+      $self->{_recips}{$1} = { pno => $2 };
+      $addr = $1;
+    } elsif (/^(.*)\s(\d+)$/) {
+      #print STDERR "exim4 original type (untested): $_\n";
+      $self->{_recips}{$1} = { pno => $2 };
+      $addr = $1;
+    } elsif (/^(.*)\s(.*)\s(\d+),(\d+)#1$/) {
+      #print STDERR "exim4 new type #1 (untested): $_\n";
+      return($self->_error("incorrect format: $_")) if (length($2) != $3);
+      $self->{_recips}{$1} = { pno => $4, errors_to => $2 };
+      $addr = $1;
+    } elsif (/^(\S*)\s(\S*)\s(\d+),(\d+)\s(\S*)\s(\d+),(-?\d+)#3$/) {
+      #print STDERR "exim4 new type #3 DSN (untested): $_\n";
+      return($self->_error("incorrect format: $_"))
+        if ((length($2) != $3) || (length($5) != $6));
+      $self->{_recips}{$1} = { pno => $7, errors_to => $5 };
+      $addr = $1;
+    } elsif (/^.*#(\d+)$/) {
+      #print STDERR "exim4 #$1 style (unimplemented): $_\n";
+      $self->_error("exim4 #$1 style (unimplemented): $_");
+    } else {
+      #print STDERR "default type: $_\n";
+      $self->{_recips}{$_} = {};
+      $addr = $_;
+    }
+    $self->{_udel_tree}{$addr} = 1 if (!$self->{_del_tree}{$addr});
+  }
+  $self->{_vars}{recipients}         = join(', ', keys(%{$self->{_recips}}));
+  $self->{_vars}{recipients_del}     = join(', ', keys(%{$self->{_del_tree}}));
+  $self->{_vars}{recipients_undel}   = join(', ', keys(%{$self->{_udel_tree}}));
+  $self->{_vars}{recipients_undel_count} = scalar(keys(%{$self->{_udel_tree}}));
+  $self->{_vars}{recipients_del_count}   = 0;
+  foreach my $r (keys %{$self->{_del_tree}}) {
+    next if (!$self->{_recips}{$r});
+    $self->{_vars}{recipients_del_count}++;
+  }
+
+  # blank line
+  $_ = <I>;
+  return(0) if (!/^$/);
+
+  # start reading headers
+  while (read(I, $_, 3) == 3) {
+    my $t = getc(I);
+    return(0) if (!length($t));
+    while ($t =~ /^\d$/) {
+      $_ .= $t;
+      $t  = getc(I);
+    }
+    my $hdr_flag  = $t;
+    my $hdr_bytes = $_;
+    $t            = getc(I);              # strip the space out of the file
+    return(0) if (read(I, $_, $hdr_bytes) != $hdr_bytes);
+    if ($hdr_flag ne '*') {
+      $self->{_vars}{message_linecount} += (tr/\n//);
+      $self->{_vars}{message_size}      += $hdr_bytes;
+    }
+
+    # mark (rb)?header_ vars as existing and store raw value.  They'll be
+    # processed further in get_var() if needed
+    my($v,$d) = split(/:/, $_, 2);
+    $v = "header_" . lc($v);
+    $self->{_vars}{$v} = $self->{_vars}{"b$v"} = $self->{_vars}{"r$v"} = undef;
+    push(@{$self->{_vars_raw}{"r$v"}{vals}}, $d);
+    $self->{_vars_raw}{"r$v"}{type} = $hdr_flag;
+    $self->{_vars}{message_headers_raw} .= $_;
+  }
+  close(I);
+
+  $self->{_vars}{message_body_size} =
+      (stat($self->{_path}.'/'.$self->{_message}.'-D'))[7] - 19;
+  if ($self->{_vars}{message_body_size} < 0) {
+    $self->{_vars}{message_size} = 0;
+    $self->{_vars}{message_body_missing} = 1;
+  } else {
+    $self->{_vars}{message_size} += $self->{_vars}{message_body_size} + 1;
+  }
+
+  $self->{_vars}{message_linecount} += $self->{_vars}{body_linecount};
+
+  my $i = $self->{_vars}{message_size};
+  if ($i == 0)          { $i = ""; }
+  elsif ($i < 1024)     { $i = sprintf("%d",    $i);                    }
+  elsif ($i < 10240)    { $i = sprintf("%.1fK", $i / 1024);             }
+  elsif ($i < 1048576)  { $i = sprintf("%dK",   ($i+512)/1024);         }
+  elsif ($i < 10485760) { $i = sprintf("%.1fM", $i/1048576);            }
+  else                  { $i = sprintf("%dM",   ($i + 524288)/1048576); }
+  $self->{_vars}{shown_message_size} = $i;
+
+  return(1);
+}
+
+# mimic exim's host_extract_port function - receive a ref to a scalar,
+# strip it of port, return port
+sub _get_host_and_port {
+  my $self = shift;
+  my $host = shift; # scalar ref, be careful
+
+  if ($$host =~ /^\[([^\]]+)\](?:\:(\d+))?$/) {
+    $$host = $1;
+    return($2 || 0);
+  } elsif ($$host =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\.(\d+))?$/) {
+    $$host = $1;
+    return($2 || 0);
+  } elsif ($$host =~ /^([\d\:]+)(?:\.(\d+))?$/) {
+    $$host = $1;
+    return($2 || 0);
+  }
+  # implicit else
+  return(0);
+}
+
+# honoring all formatting preferences, return a scalar variable of the
+# information for the single message matching what exim -bp would show.
+# We can print later if we want.
+sub format_message {
+  my $self = shift;
+  my $o    = '';
+  return if ($self->{_delivered});
+
+  # define any vars we want to print out for this message.  The requests
+  # can be regexps, and the defined vars can change for each message, so we
+  # have to build this list for each message
+  my @vars = ();
+  if (@{$self->{_show_vars}}) {
+    my %t = ();
+    foreach my $e (@{$self->{_show_vars}}) {
+      foreach my $v ($self->get_matching_vars($e)) {
+        next if ($t{$v}); $t{$v}++; push(@vars, $v);
+      }
+    }
+  }
+
+  if ($self->{_output_idonly}) {
+    $o .= $self->{_message};
+    foreach my $v (@vars) { $o .= " $v='" . $self->get_var($v) . "'"; }
+    $o .= "\n";
+    return $o;
+  } elsif ($self->{_output_vars_only}) {
+    foreach my $v (@vars) { $o .= $self->get_var($v) . "\n"; }
+    return $o;
+  }
+
+  if ($self->{_output_long} || $self->{_output_flatq}) {
+    my $i = int($self->{_vars}{message_age} / 60);
+    if ($i > 90) {
+      $i = int(($i+30)/60);
+      if ($i > 72) { $o .= sprintf "%2dd ", int(($i+12)/24); }
+      else { $o .= sprintf "%2dh ", $i; }
+    } else { $o .= sprintf "%2dm ", $i; }
+
+    if ($self->{_output_flatq} && @vars) {
+        $o .= join(';', map { "$_='".$self->get_var($_)."'" } (@vars)
+                  );
+    } else {
+      $o .= sprintf "%5s", $self->{_vars}{shown_message_size};
+    }
+    $o .= " ";
+  }
+  $o .= "$self->{_message} ";
+  $o .= "From: " if ($self->{_output_brief});
+  $o .= "<$self->{_vars}{sender_address}>";
+
+  if ($self->{_output_long}) {
+    $o .= " ($self->{_vars}{originator_login})"
+        if ($self->{_vars}{sender_set_untrusted});
+
+    # XXX exim contains code here to print spool format errors
+    $o .= " *** frozen ***" if ($self->{_vars}{deliver_freeze});
+    $o .= "\n";
+
+    foreach my $v (@vars) {
+      $o .= sprintf "  %25s = '%s'\n", $v, $self->get_var($v);
+    }
+
+    foreach my $r (keys %{$self->{_recips}}) {
+      next if ($self->{_del_tree}{$r} && $self->{_undelivered_only});
+      $o .= sprintf "        %s %s\n", $self->{_del_tree}{$r} ? "D" : " ", $r;
+    }
+    if ($self->{_show_generated}) {
+      foreach my $r (keys %{$self->{_del_tree}}) {
+        next if ($self->{_recips}{$r});
+        $o .= sprintf "       +D %s\n", $r;
+      }
+    }
+  } elsif ($self->{_output_brief}) {
+    my @r = ();
+    foreach my $r (keys %{$self->{_recips}}) {
+      next if ($self->{_del_tree}{$r});
+      push(@r, $r);
+    }
+    $o .= " To: " . join(';', @r);
+    if (scalar(@vars)) {
+      $o .= " Vars: ".join(';',map { "$_='".$self->get_var($_)."'" } (@vars));
+    }
+  } elsif ($self->{_output_flatq}) {
+    $o .= " *** frozen ***" if ($self->{_vars}{deliver_freeze});
+    my @r = ();
+    foreach my $r (keys %{$self->{_recips}}) {
+      next if ($self->{_del_tree}{$r});
+      push(@r, $r);
+    }
+    $o .= " " . join(' ', @r);
+  }
+
+  $o .= "\n";
+  return($o);
+}
+
+sub print_message {
+  my $self = shift;
+  my $fh   = shift || \*STDOUT;
+  return if ($self->{_delivered});
+
+  print $fh $self->format_message();
+}
+
+sub dump {
+  my $self = shift;
+
+  foreach my $k (sort keys %$self) {
+    my $r = ref($self->{$k});
+    if ($r eq 'ARRAY') {
+      printf "%20s <<EOM\n", $k;
+      print @{$self->{$k}}, "EOM\n";
+    } elsif ($r eq 'HASH') {
+      printf "%20s <<EOM\n", $k;
+      foreach (sort keys %{$self->{$k}}) {
+        printf "%20s %s\n", $_, $self->{$k}{$_};
+      }
+      print "EOM\n";
+    } else {
+      printf "%20s %s\n", $k, $self->{$k};
+    }
+  }
+}
+
+} # BEGIN
+
+__END__
+
+=head1 NAME
+
+  exipick - selectively display messages from an Exim queue
+
+=head1 SYNOPSIS
+
+  exipick [<options>] [<criterion> [<criterion> ...]]
+  exipick --help|--man
+
+=head1 DESCRIPTION
+
+B<exipick> is a tool to display messages in an Exim queue.  It is very similar to exiqgrep and is, in fact, a drop in replacement for exiqgrep.  B<exipick> allows you to select messages to be displayed using any piece of data stored in an Exim spool file.  Matching messages can be displayed in a variety of formats.
+
+=head1 QUICK START
+
+Delete every frozen message from queue:
+
+    exipick -zi | xargs exim -Mrm
+
+Show only messages which have not yet been virus scanned:
+
+    exipick '$received_protocol ne virus-scanned'
+
+Run the queue in a semi-random order:
+
+    exipick -i --random | xargs exim -M
+
+Show the count and total size of all messages which either originated from localhost or have a received protocol of 'local':
+
+    exipick --or --size --bpc \
+            '$sender_host_address eq 127.0.0.1' \
+            '$received_protocol eq local'
+
+Display all messages received on the MSA port, ordered first by the sender's email domain and then by the size of the emails:
+
+    exipick --sort sender_address_domain,message_size \
+            '$received_port == 587'
+
+Display only messages whose every recipient is in the example.com domain, also listing the IP address of the sending host:
+
+    exipick --show-vars sender_host_address \
+            '$each_recipients = example.com'
+
+Same as above, but show values for all defined variables starting with sender_ and the number of recipients:
+
+    exipick --show-vars ^sender_,recipients_count \
+            '$each_recipients = example.com'
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<--and>
+
+Display messages matching all criteria (default)
+
+=item B<-b>
+
+Display messages in brief format (exiqgrep)
+
+=item B<-bp> | B<-l>
+
+Display messages in standard mailq format (default).
+(exiqgrep: C<-l>)
+
+=item B<-bpa>
+
+Same as C<-bp>, show generated addresses also (exim)
+
+=item B<-bpc>
+
+Show a count of matching messages (exim)
+
+=item B<-bpr>
+
+Same as C<-bp --unsorted> (exim)
+
+=item B<-bpra>
+
+Same as C<-bpa --unsorted> (exim)
+
+=item B<-bpru>
+
+Same as C<-bpu --unsorted> (exim)
+
+=item B<-bpu>
+
+Same as C<-bp>, but only show undelivered messages (exim)
+
+=item B<-C> | B<--config> I<config>
+
+Use I<config> to determine the proper spool directory. (See C<--spool>
+or C<--input> for alternative ways to specify the directories to operate on.)
+
+=item B<-c>
+
+Show a count of matching messages (exiqgrep)
+
+=item B<--caseful>
+
+Make operators involving C<=> honor case
+
+=item B<--charset>
+
+Override the default local character set for C<$header_> decoding
+
+=item B<-f> I<regexp>
+
+Same as C<< $sender_address =~ /<regexp>/ >> (exiqgrep).  Note that this preserves the default case sensitivity of exiqgrep's interface.
+
+=item B<--finput>
+
+Same as C<--input-dir Finput>.  F<Finput> is where exim copies frozen messages when compiled with SUPPORT_MOVE_FROZEN_MESSAGES.
+
+=item B<--flatq>
+
+Use a single-line output format
+
+=item B<--freeze> I<cache file>
+
+Save queue information in an quickly retrievable format
+
+=item B<--help>
+
+Display this output
+
+=item B<-i>
+
+Display only the message IDs (exiqgrep)
+
+=item B<--input-dir> I<inputname>
+
+Set the name of the directory under the spool directory.  By default this is F<input>.  If this starts with F</>,
+the value of C<--spool> is ignored.  See also C<--finput>.
+
+=item B<--not>
+
+Negate all tests.
+
+=item B<-o> I<seconds>
+
+Same as C<< $message_age > <seconds> >> (exiqgrep)
+
+=item B<--or>
+
+Display messages matching any criteria
+
+=item B<--queue> I<name>
+
+Name of the queue (default: ''). See "named queues" in the spec.
+
+=item B<-r> I<regexp>
+
+Same as C<< $recipients =~ /<regexp>/ >> (exiqgrep).  Note that this preserves the default case sensitivity of exiqgrep's interface.
+
+=item B<--random>
+
+Display messages in random order
+
+=item B<--reverse> | B<-R>
+
+Display messages in reverse order (exiqgrep: C<-R>)
+
+=item B<-s> I<string>
+
+Same as C<< $shown_message_size eq <string> >> (exiqgrep)
+
+=item B<--spool> I<path>
+
+Set the path to the exim spool to use.  This value will have the arguments to C<--queue>, and C<--input> or F<input> appended, or be ignored if C<--input> is a full path. If not specified, B<exipick> uses the value from C<exim [-C config] -n -bP spool_directory>, and if this call fails, the  F</opt/exim/spool> from build time (F<Local/Makefile>) is used. See also C<--config>.
+
+=item B<--show-rules>
+
+Show the internal representation of each criterion specified
+
+=item B<--show-tests>
+
+Show the result of each criterion on each message
+
+=item B<--show-vars> I<variable>[,I<variable>...]
+
+Show the value for I<variable> for each displayed message.  I<variable> will be a regular expression if it begins with a circumflex.
+
+=item B<--size>
+
+Show the total bytes used by each displayed message
+
+=item B<--thaw> I<cache file>
+
+Read queue information cached from a previous C<--freeze> run
+
+=item B<--sort> I<variable>[,I<variable>...]
+
+Display matching messages sorted according to I<variable>
+
+=item B<--unsorted>
+
+Do not apply any sorting to output
+
+=item B<--version>
+
+Display the version of this command
+
+=item B<-x>
+
+Same as C<!$deliver_freeze> (exiqgrep)
+
+=item B<-y>
+
+Same as C<< $message_age < <seconds> >> (exiqgrep)
+
+=item B<-z>
+
+Same as C<$deliver_freeze> (exiqgrep)
+
+=back
+
+=head1 CRITERIA
+
+B<Exipick> decides which messages to display by applying a test against each message.  The rules take the general form of "I<VARIABLE> I<OPERATOR> I<VALUE>".  For example, C<< $message_age > 60 >>.  When B<exipick> is deciding which messages to display, it checks the C<$message_age> variable for each message.  If a message's age is greater than 60, the message will be displayed.  If the message's age is 60 or less seconds, it will not be displayed.
+
+Multiple criteria can be used.  The order they are specified does not matter.  By default all criteria must evaluate to true for a message to be displayed.  If the C<--or> option is used, a message is displayed as long as any of the criteria evaluate to true.
+
+See the VARIABLES and OPERATORS sections below for more details
+
+=head1 OPERATORS
+
+=over 4
+
+=item BOOLEAN
+
+Boolean variables are checked simply by being true or false.  There is no real operator except negation.  Examples of valid boolean tests:
+
+  $deliver_freeze
+  !$deliver_freeze
+
+=item NUMERIC
+
+Valid comparisons are <, <=, >, >=, ==, and !=.  Numbers can be integers or floats.  Any number in a test suffixed with d, h, m, s, M, K, or B will be multiplied by 86400, 3600, 60, 1, 1048576, 1024, or 1 respectively.  Examples of valid numeric tests:
+
+  $message_age >= 3d
+  $local_interface == 587
+  $message_size < 30K
+
+=item STRING
+
+The string operators are =, eq, ne, =~, and !~.  With the exception of C<< = >>, the operators all match the functionality of the like-named perl operators.  eq and ne match a string exactly.  !~, =~, and = apply a perl regular expression to a string.  The C<< = >> operator behaves just like =~ but you are not required to place // around the regular expression.  Examples of valid string tests:
+
+  $received_protocol eq esmtp
+  $sender_address = example.com
+  $each_recipients =~ /^a[a-z]{2,3}@example.com$/
+
+=item NEGATION
+
+There are many ways to negate tests, each having a reason for existing.  Many tests can be negated using native operators.  For instance, >1 is the opposite of <=1 and eq and ne are opposites.  In addition, each individual test can be negated by adding a ! at the beginning of the test.  For instance, C<< !$acl_m1 =~ /^DENY$/ >> is the same as C<< $acl_m1 !~ /^DENY$/ >>.  Finally, every test can be specified by using the command line argument C<--not>.  This is functionally equivalent to adding a ! to the beginning of every test.
+
+=back
+
+=head1 VARIABLES
+
+With a few exceptions the available variables match Exim's internal expansion variables in both name and exact contents.  There are a few notable additions and format deviations which are noted below.  Although a brief explanation is offered below, Exim's spec.txt should be consulted for full details.  It is important to remember that not every variable will be defined for every message.  For example, $sender_host_port is not defined for messages not received from a remote host.
+
+Internally, all variables are represented as strings, meaning any operator will work on any variable.  This means that C<< $sender_host_name > 4 >> is a legal criterion, even if it does not produce meaningful results.  Variables in the list below are marked with a 'type' to help in choosing which types of operators make sense to use.
+
+  Identifiers
+    B - Boolean variables
+    S - String variables
+    N - Numeric variables
+    . - Standard variable matching Exim's content definition
+    # - Standard variable, contents differ from Exim's definition
+    + - Non-standard variable
+
+=over 4
+
+=item S . B<$acl_c0>-B<$acl_c9>, B<$acl_m0>-B<$acl_m9>
+
+User definable variables.
+
+=item B + B<$allow_unqualified_recipient>
+
+TRUE if unqualified recipient addresses are permitted in header lines.
+
+=item B + B<$allow_unqualified_sender>
+
+TRUE if unqualified sender addresses are permitted in header lines.
+
+=item S . B<$authenticated_id>
+
+Optional saved information from authenticators, or the login name of the calling process for locally submitted messages.
+
+=item S . B<$authenticated_sender>
+
+The value of AUTH= param for smtp messages, or a generated value from the calling processes login and qualify domain for locally submitted messages.
+
+=item S . B<$bheader_*>, B<$bh_*>
+
+Value of the header(s) with the same name with any RFC2047 words decoded if present.  See section 11.5 of Exim's spec.txt for full details.
+
+=item S + B<$bmi_verdicts>
+
+The verdict string provided by a Brightmail content scan
+
+=item N . B<$body_linecount>
+
+The number of lines in the message's body.
+
+=item N . B<$body_zerocount>
+
+The number of binary zero bytes in the message's body.
+
+=item S + B<$data_path>
+
+The path to the body file's location in the filesystem.
+
+=item B + B<$deliver_freeze>
+
+TRUE if the message is currently frozen.
+
+=item N + B<$deliver_frozen_at>
+
+The epoch time at which message was frozen.
+
+=item B + B<$dont_deliver>
+
+TRUE if, under normal circumstances, Exim will not try to deliver the message.
+
+=item S + B<$each_recipients>
+
+This is a pseudo variable which allows you to apply a test against each address in $recipients individually.  Whereas C<< $recipients =~ /@aol.com/ >> will match if any recipient address contains aol.com, C<< $each_recipients =~ /@aol.com$/ >> will only be true if every recipient matches that pattern.  Note that this obeys C<--and> or C<--or> being set.  Using it with C<--or> is very similar to just matching against $recipients, but with the added benefit of being able to use anchors at the beginning and end of each recipient address.
+
+=item S + B<$each_recipients_del>
+
+Like $each_recipients, but for $recipients_del
+
+=item S + B<$each_recipients_undel>
+
+Like $each_recipients, but for $recipients_undel
+
+=item B . B<$first_delivery>
+
+TRUE if the message has never been deferred.
+
+=item S . B<$header_*>, B<$h_*>
+
+This will always match the contents of the corresponding $bheader_* variable currently (the same behaviour Exim displays when iconv is not installed).
+
+=item S + B<$header_path>
+
+The path to the header file's location in the filesystem.
+
+=item B . B<$host_lookup_deferred>
+
+TRUE if there was an attempt to look up the host's name from its IP address, but an error occurred that during the attempt.
+
+=item B . B<$host_lookup_failed>
+
+TRUE if there was an attempt to look up the host's name from its IP address, but the attempt returned a negative result.
+
+=item B + B<$local_error_message>
+
+TRUE if the message is a locally-generated error message.
+
+=item S . B<$local_scan_data>
+
+The text returned by the local_scan() function when a message is received.
+
+=item B . B<$manually_thawed>
+
+TRUE when the message has been manually thawed.
+
+=item N . B<$max_received_linelength>
+
+The number of bytes in the longest line that was received as part of the message, not counting line termination characters.
+
+=item N . B<$message_age>
+
+The number of seconds since the message was received.
+
+=item S # B<$message_body>
+
+The message's body.  Unlike Exim's variable of the same name, this variable contains the entire message body.  Newlines and nulls are replaced by spaces.
+
+=item B + B<$message_body_missing>
+
+TRUE is a message's spool data file (-D file) is missing or unreadable.
+
+=item N . B<$message_body_size>
+
+The size of the body in bytes.
+
+=item S . B<$message_exim_id>, B<$message_id>
+
+The unique message id that is used by Exim to identify the message.  $message_id is deprecated as of Exim 4.53.
+
+=item S . B<$message_headers>
+
+A concatenation of all the header lines except for lines added by routers or transports.  RFC2047 decoding is performed
+
+=item S . B<$message_headers_raw>
+
+A concatenation of all the header lines except for lines added by routers or transports.  No decoding or translation is performed.
+
+=item N . B<$message_linecount>
+
+The number of lines in the entire message (body and headers).
+
+=item N . B<$message_size>
+
+The size of the message in bytes.
+
+=item N . B<$originator_gid>
+
+The group id under which the process that called Exim was running as when the message was received.
+
+=item S + B<$originator_login>
+
+The login of the process which called Exim.
+
+=item N . B<$originator_uid>
+
+The user id under which the process that called Exim was running as when the message was received.
+
+=item S . B<$received_ip_address>, B<$interface_address>
+
+The address of the local IP interface for network-originated messages.  $interface_address is deprecated as of Exim 4.64
+
+=item N . B<$received_port>, B<$interface_port>
+
+The local port number if network-originated messages.  $interface_port is deprecated as of Exim 4.64
+
+=item N . B<$received_count>
+
+The number of Received: header lines in the message.
+
+=item S . B<$received_protocol>
+
+The name of the protocol by which the message was received.
+
+=item N . B<$received_time>
+
+The epoch time at which the message was received.
+
+=item S # B<$recipients>
+
+The list of envelope recipients for a message.  Unlike Exim's version, this variable always contains every recipient of the message.  The recipients are separated by a comma and a space.  See also $each_recipients.
+
+=item N . B<$recipients_count>
+
+The number of envelope recipients for the message.
+
+=item S + B<$recipients_del>
+
+The list of delivered envelope recipients for a message.  This non-standard variable is in the same format as $recipients and contains the list of already-delivered recipients including any generated addresses.  See also $each_recipients_del.
+
+=item N + B<$recipients_del_count>
+
+The number of envelope recipients for the message which have already been delivered.  Note that this is the count of original recipients to which the message has been delivered.  It does not include generated addresses so it is possible that this number will be less than the number of addresses in the $recipients_del string.
+
+=item S + B<$recipients_undel>
+
+The list of undelivered envelope recipients for a message.  This non-standard variable is in the same format as $recipients and contains the list of undelivered recipients.  See also $each_recipients_undel.
+
+=item N + B<$recipients_undel_count>
+
+The number of envelope recipients for the message which have not yet been delivered.
+
+=item S . B<$reply_address>
+
+The contents of the Reply-To: header line if one exists and it is not empty, or otherwise the contents of the From: header line.
+
+=item S . B<$rheader_*>, B<$rh_*>
+
+The value of the message's header(s) with the same name.  See section 11.5 of Exim's spec.txt for full description.
+
+=item S . B<$sender_address>
+
+The sender's address that was received in the message's envelope.  For bounce messages, the value of this variable is the empty string.
+
+=item S . B<$sender_address_domain>
+
+The domain part of $sender_address.
+
+=item S . B<$sender_address_local_part>
+
+The local part of $sender_address.
+
+=item S . B<$sender_helo_name>
+
+The HELO or EHLO value supplied for smtp or bsmtp messages.
+
+=item S . B<$sender_host_address>
+
+The remote host's IP address.
+
+=item S . B<$sender_host_authenticated>
+
+The name of the authenticator driver which successfully authenticated the client from which the message was received.
+
+=item S . B<$sender_host_name>
+
+The remote host's name as obtained by looking up its IP address.
+
+=item N . B<$sender_host_port>
+
+The port number that was used on the remote host for network-originated messages.
+
+=item S . B<$sender_ident>
+
+The identification received in response to an RFC 1413 request for remote messages, the login name of the user that called Exim for locally generated messages.
+
+=item B + B<$sender_local>
+
+TRUE if the message was locally generated.
+
+=item B + B<$sender_set_untrusted>
+
+TRUE if the envelope sender of this message was set by an untrusted local caller.
+
+=item S + B<$shown_message_size>
+
+This non-standard variable contains the formatted size string.  That is, for a message whose $message_size is 66566 bytes, $shown_message_size is 65K.
+
+=item S . B<$smtp_active_hostname>
+
+The value of the active host name when the message was received, as specified by the "smtp_active_hostname" option.
+
+=item S . B<$spam_score>
+
+The spam score of the message, for example '3.4' or '30.5'.  (Requires exiscan or WITH_CONTENT_SCAN)
+
+=item S . B<$spam_score_int>
+
+The spam score of the message, multiplied by ten, as an integer value.  For instance '34' or '305'.  (Requires exiscan or WITH_CONTENT_SCAN)
+
+=item B . B<$tls_certificate_verified>
+
+TRUE if a TLS certificate was verified when the message was received.
+
+=item S . B<$tls_cipher>
+
+The cipher suite that was negotiated for encrypted SMTP connections.
+
+=item S . B<$tls_peerdn>
+
+The value of the Distinguished Name of the certificate if Exim is configured to request one
+
+=item S . B<$tls_sni>
+
+The value of the Server Name Indication TLS extension sent by a client, if one was sent.
+
+=item N + B<$warning_count>
+
+The number of delay warnings which have been sent for this message.
+
+=back
+
+=head1 CONTACT
+
+=over 4
+
+=item EMAIL: proj-exipick@jetmore.net
+
+=item HOME: L<https://jetmore.org/john/code/#exipick>
+
+This script was incorporated into the main Exim distribution some years ago.
+
+=back
+
+=cut
+
+# vim:ft=perl
diff --git a/src/exiqgrep.src b/src/exiqgrep.src
new file mode 100644
index 0000000..0661c57
--- /dev/null
+++ b/src/exiqgrep.src
@@ -0,0 +1,216 @@
+#!PERL_COMMAND
+
+# Utility for searching and displaying queue information.
+# Written by Matt Hubbard 15 August 2002
+#
+# Copyright (c) The Exim Maintainers 2021 - 2022
+
+# Except when they appear in comments, the following placeholders in this
+# source are replaced when it is turned into a runnable script:
+#
+# BIN_DIRECTORY
+# PERL_COMMAND
+
+# PROCESSED_FLAG
+
+
+# Routine for extracting the UTC timestamp from message ID
+# lifted from eximstat utility
+
+# Version 1.2
+
+use strict;
+BEGIN { pop @INC if $INC[-1] eq '.' };
+
+use Getopt::Std;
+use File::Basename;
+
+# Have this variable point to your exim binary.
+my $exim = 'BIN_DIRECTORY/exim';
+my $eargs = '-bpu';
+my %id;
+my %opt;
+my $count = 0;
+my $mcount = 0;
+my @tab62 =
+  (0,1,2,3,4,5,6,7,8,9,0,0,0,0,0,0,     # 0-9
+   0,10,11,12,13,14,15,16,17,18,19,20,  # A-K
+  21,22,23,24,25,26,27,28,29,30,31,32,  # L-W
+  33,34,35, 0, 0, 0, 0, 0,              # X-Z
+   0,36,37,38,39,40,41,42,43,44,45,46,  # a-k
+  47,48,49,50,51,52,53,54,55,56,57,58,  # l-w
+  59,60,61);                            # x-z
+
+my $base;
+if ($^O eq 'darwin') { # aka MacOS X
+  $base = 36;
+ } else {
+  $base = 62;
+};
+
+if ($ARGV[0] eq '--version') {
+    print basename($0) . ": $0\n",
+        "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+        "perl(runtime): $]\n";
+        exit 0;
+}
+
+if (!getopts('hf:r:y:o:s:C:zxlibRcaG:E:',\%opt)) { &help; exit; }
+if ($opt{h}) { &help; exit; }
+if ($ARGV[0] || !($opt{f} || $opt{r} || $opt{s} || $opt{y} || $opt{o} || $opt{z} || $opt{x} || $opt{c}))
+   { &help; exit(1); }
+if ($opt{a}) { $eargs = '-bp'; }
+if ($opt{C} && -e $opt{C} && -f $opt{C} && -R $opt{C}) { $eargs .= ' -C '.$opt{C}; }
+if ($opt{G}) { $eargs .= ' -qG'.$opt{G}; }
+if ($opt{E}) { $exim = $opt{E}; }
+
+# Read message queue output into hash
+&collect();
+# Identify which messages match selection criteria
+&selection();
+# Print matching data according to display option.
+&display();
+exit;
+
+
+sub help() {
+	print <<'EOF'
+Exim message queue display utility.
+
+	-h		This help message.
+	-C		Specify which exim.conf to use.
+	-E		Specify exim binary to use.
+
+Selection criteria:
+	-f <regexp>	Match sender address sender (field is "< >" wrapped)
+	-r <regexp>	Match recipient address
+	-s <regexp>	Match against the size field from long output
+	-y <seconds>	Message younger than
+	-o <seconds>	Message older than
+	-z		Frozen messages only (exclude non-frozen)
+	-x		Non-frozen messages only (exclude frozen)
+	-G <queuename>	Match in given queue only
+
+[ NB: for regexps, provided string sits in /<string>/ ]
+
+Display options:
+	-c		Display match count
+	-l		Long Format [Default]
+	-i		Message IDs only
+	-b		Brief Format
+	-R		Reverse order
+	-a		All recipients (including delivered)
+EOF
+}
+
+sub collect() {
+	open(QUEUE,"$exim $eargs |") or die("Error opening pipe: $!\n");
+	while(<QUEUE>) {
+		chomp();
+		my $line = $_;
+		#Should be 1st line of record, if not error.
+		if ($line =~ /^\s*(\w+)\s+((?:\d+(?:\.\d+)?[A-Z]?)?)\s*(\w{6}-\w{6}-\w{2})\s+(<.*?>)/) {
+			my $msg = $3;
+			$id{$msg}{age} = $1;
+			$id{$msg}{size} = $2;
+			$id{$msg}{from} = $4;
+			$id{$msg}{birth} = &msg_utc($msg);
+			$id{$msg}{ages} = time - $id{$msg}{birth};
+			if ($line =~ /\*\*\* frozen \*\*\*$/) {
+				$id{$msg}{frozen} = 1;
+			} else {
+				$id{$msg}{frozen} = 0;
+			}
+			while(<QUEUE> =~ /\s+(.*?\@.*)$/) {
+				push(@{$id{$msg}{rcpt}},$1);
+			}
+			# Increment message counter.
+			$count++;
+		} else {
+			print STDERR "Line mismatch: $line\n"; exit 1;
+		}
+	}
+	close(QUEUE) or die("Error closing pipe: $!\n");
+}
+
+sub selection() {
+	foreach my $msg (keys(%id)) {
+		if ($opt{f}) {
+			# Match sender address
+			next unless ($id{$msg}{from} =~ /$opt{f}/i);
+		}
+		if ($opt{r}) {
+			# Match any recipient address
+			my $match = 0;
+			foreach my $rcpt (@{$id{$msg}{rcpt}}) {
+				$match++ if ($rcpt =~ /$opt{r}/i);
+			}
+			next unless ($match);
+		}
+		if ($opt{s}) {
+			# Match against the size string.
+			next unless ($id{$msg}{size} =~ /$opt{s}/);
+		}
+		if ($opt{y}) {
+			# Match younger than
+			next unless ($id{$msg}{ages} < $opt{y});
+		}
+		if ($opt{o}) {
+			# Match older than
+			next unless ($id{$msg}{ages} > $opt{o});
+		}
+		if ($opt{z}) {
+			# Exclude non frozen
+			next unless ($id{$msg}{frozen});
+		}
+		if ($opt{x}) {
+			# Exclude frozen
+			next if ($id{$msg}{frozen});
+		}
+		# Here's what we do to select the record.
+		# Should only get this far if the message passed all of
+		# the active tests.
+		$id{$msg}{d} = 1;
+		# Increment match counter.
+		$mcount++;
+	}
+}
+
+sub display() {
+	if ($opt{c}) {
+		printf("%d matches out of %d messages\n",$mcount,$count);
+		exit;
+	}
+	foreach my $msg (sort { $opt{R} ? $id{$b}{birth} <=> $id{$a}{birth} : $id{$a}{birth} <=> $id{$b}{birth} } keys(%id) ) {
+		if (exists($id{$msg}{d})) {
+			if ($opt{i}) {
+				# Just the msg ID
+				print $msg, "\n";
+			} elsif ($opt{b}) {
+				# Brief format
+				printf("%s From: %s To: %s\n",$msg,$id{$msg}{from},join(';',@{$id{$msg}{rcpt}}))
+			} else {
+				# Otherwise Long format attempted duplication of original format.
+				printf("%3s %5s %s %s%s\n",$id{$msg}{age},$id{$msg}{size},$msg,$id{$msg}{from},$id{$msg}{frozen} ? " *** frozen ***" : "");
+				foreach my $rcpt (@{$id{$msg}{rcpt}}) {
+					printf("	  %s\n",$rcpt);
+				}
+				print "\n";
+			}
+		}
+	}
+}
+
+sub report() {
+	foreach my $msg (keys(%id)) {
+		print "$id{$msg}{birth} $msg\tAge: $id{$msg}{age}\tSize: $id{$msg}{size}\tFrom: $id{$msg}{from}\tTo: " . join(" ",@{$id{$msg}{rcpt}}). "\n";
+	}
+}
+
+sub msg_utc() {
+	my $id = substr((pop @_), 0, 6);
+	my $s = 0;
+	my @c = split(//, $id);
+	while($#c >= 0) { $s = $s * $base + $tab62[ord(shift @c) - ord('0')] }
+	return $s;
+}
diff --git a/src/exiqsumm.src b/src/exiqsumm.src
new file mode 100644
index 0000000..67772f5
--- /dev/null
+++ b/src/exiqsumm.src
@@ -0,0 +1,178 @@
+#! PERL_COMMAND
+
+# Mail Queue Summary
+# Christoph Lameter, 21 May 1997
+# Modified by Philip Hazel, June 1997
+# Bug fix: June 1998 by Philip Hazel
+#   Message sizes not listed by -bp with K or M
+#   suffixes were getting divided by 10.
+# Bug fix: October 1998 by Philip Hazel
+#   Sorting wasn't working right with Perl 5.005
+#   Fix provided by John Horne
+# Bug fix: November 1998 by Philip Hazel
+#   Failing to recognize domain literals in recipient addresses
+#   Fix provided by Malcolm Ray
+# Bug fix: July 2002 by Philip Hazel
+#   Not handling time periods of more than 100 days
+#   Fix provided by Randy Banks
+# Added summary line: September 2002 by Philip Hazel
+#   Code provided by Joachim Wieland
+# June 2003 by Philip Hazel
+#   Initialize $size, $age, $id to avoid warnings when bad
+#   data is provided
+# Bug fix: July 2003 by Philip Hazel
+#   Incorrectly skipping the first lines of messages whose
+#   message ID ends in 'D'! Before Exim 4.14 this didn't
+#   matter because they never did. Looks like an original
+#   typo. Fix provided by Chris Liddiard.
+# November 2006 by Jori Hamalainen
+#   Added feature to separate frozen and bounced messages from queue
+#   Added feature to list queue per source - destination pair
+#   Changed regexps to compile once to very minor speed optimization
+#   Short circuit for empty lines
+#
+# Usage: mailq | exiqsumm [-a] [-b] [-c] [-f] [-s]
+#   Default sorting is by domain name
+#   -a sorts by age of oldest message
+#   -b enables bounce message separation
+#   -c sorts by count of message
+#   -f enables frozen message separation
+#   -s enables source destination separation
+
+# Slightly modified sub from eximstats
+
+use warnings;
+BEGIN { pop @INC if $INC[-1] eq '.' };
+use File::Basename;
+
+if (@ARGV && $ARGV[0] eq '--version') {
+    print basename($0) . ": $0\n",
+        "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+        "perl(runtime): $]\n";
+        exit 0;
+}
+
+sub print_volume_rounded {
+my($x) = pop @_;
+if ($x < 10000)
+  {
+  return sprintf("%6d", $x);
+  }
+elsif ($x < 10000000)
+  {
+  return sprintf("%4dKB", ($x + 512)/1024);
+  }
+else
+  {
+  return sprintf("%4dMB", ($x + 512*1024)/(1024*1024));
+  }
+}
+
+sub s_conv {
+  my($x) = @_;
+  my($v,$s) = $x =~ /([\d\.]+)([A-Z]|)/o;
+  if ($s eq "K") { return $v * 1024 };
+  if ($s eq "M") { return $v * 1024 * 1024 };
+  return $v;
+}
+
+sub older {
+  my($x1,$x2) = @_;
+  my($v1,$s1) = $x1 =~ /(\d+)(\w)/o;
+  my($v2,$s2) = $x2 =~ /(\d+)(\w)/o;
+  return $v1 <=> $v2 if ($s1 eq $s2);
+  return (($s2 eq "m") ||
+          ($s2 eq "h" && $s1 eq "d") ||
+          ($s2 eq "d" && $s1 eq "w"))? 1 : -1;
+}
+
+#
+# Main Program
+#
+
+$sort_by_count = 0;
+$sort_by_age = 0;
+
+$size = "0";
+$age = "0d";
+$id = "";
+
+
+while (@ARGV > 0 && substr($ARGV[0], 0, 1) eq "-")
+  {
+  if ($ARGV[0] eq "-a") { $sort_by_age = 1; }
+  if ($ARGV[0] eq "-c") { $sort_by_count = 1; }
+  if ($ARGV[0] eq "-f") { $enable_frozen = 1; }
+  if ($ARGV[0] eq "-b") { $enable_bounces = 1; }
+  if ($ARGV[0] eq "-s") { $enable_source = 1; }
+  shift @ARGV;
+  }
+
+while (<>)
+{
+# Skip empty and already delivered lines
+
+if (/^$/o || /^\s*D\s\S+/o) { next; }
+
+# If it's the first line of a message, pick out the data. Note: it may
+# have text after the final > (e.g. frozen) so don't insist that it ends >.
+
+if (/^([\d\s]{2,3}\w)\s+(\S+)\s(\S+)\s\<(\S*)\>/o)
+  {
+  ($age,$size,$id,$src)=($1,$2,$3,$4);
+  $src =~ s/([^\@]*)\@(.*?)$/$2/o;
+  if (/\*\*\*\sfrozen\s\*\*\*/o) { $frozen=1; } else { $frozen=0; }
+  if ($src eq "") { $bounce=1; $src="<>"; } else { $bounce=0; }
+  }
+
+# Else check for a recipient line: to handle source-routed addresses, just
+# pick off the first domain.
+
+elsif (/^\s+[^@]*\@([\w\.\-]+|\[(\d+\.){3}\d+\])/o)
+  {
+  if ($enable_source) {
+      $domain = "\L$src > $1";
+  } else {
+      $domain = "\L$1";
+  }
+  $domain .= " (b)" if ($bounce && $enable_bounces);
+  $domain .= " (f)" if ($frozen && $enable_frozen);
+  $queue{$domain}++;
+  $q_oldest{$domain} = $age
+    if (!defined $q_oldest{$domain} || &older($age,$q_oldest{$domain}) > 0);
+  $q_recent{$domain} = $age
+    if (!defined $q_recent{$domain} || &older($q_recent{$domain},$age) > 0);
+  $q_size{$domain} = 0 if (!defined $q_size{$domain});
+  $q_size{$domain} += &s_conv($size);
+  }
+}
+
+print "\nCount  Volume  Oldest  Newest  Domain";
+print "\n-----  ------  ------  ------  ------\n\n";
+
+my ($count, $volume, $max_age, $min_age) = (0, 0, "0m", undef);
+
+foreach $id (sort
+            {
+            $sort_by_age? &older($q_oldest{$b}, $q_oldest{$a}) :
+            $sort_by_count? ($queue{$b} <=> $queue{$a}) :
+            $a cmp $b
+            }
+            keys %queue)
+  {
+  printf("%5d  %.6s  %6s  %6s  %.80s\n",
+    $queue{$id}, &print_volume_rounded($q_size{$id}), $q_oldest{$id},
+    $q_recent{$id}, $id);
+    $max_age = $q_oldest{$id} if &older($q_oldest{$id}, $max_age) > 0;
+    $min_age = $q_recent{$id}
+      if (!defined $min_age || &older($min_age, $q_recent{$id}) > 0);
+    $volume += $q_size{$id};
+    $count += $queue{$id};
+  }
+  $min_age ||= "0000d";
+printf("---------------------------------------------------------------\n");
+printf("%5d  %.6s  %6s  %6s  %.80s\n",
+  $count, &print_volume_rounded($volume), $max_age, $min_age, "TOTAL");
+print "\n";
+
+# End
diff --git a/src/exiwhat.src b/src/exiwhat.src
new file mode 100644
index 0000000..a1f748e
--- /dev/null
+++ b/src/exiwhat.src
@@ -0,0 +1,145 @@
+#! /bin/sh
+
+# Copyright (c) University of Cambridge, 1995 - 2007
+# See the file NOTICE for conditions of use and distribution.
+
+# Except when they appear in comments, the following placeholders in this
+# source are replaced when it is turned into a runnable script:
+#
+# CONFIGURE_FILE_USE_NODE
+# CONFIGURE_FILE
+# BIN_DIRECTORY
+# EXIWHAT_PS_CMD
+# EXIWHAT_PS_ARG
+# EXIWHAT_KILL_SIGNAL
+# EXIWHAT_EGREP_ARG
+# EXIWHAT_MULTIKILL_CMD
+# EXIWHAT_MULTIKILL_ARG
+# RM_COMMAND
+
+# PROCESSED_FLAG
+
+# Shell script for seeing what the exim processes are doing. It gets rid
+# of the old process log, then sends SIGUSR1 to all exim processes to get
+# them to write their state to the log. Then it displays the contents of
+# the log.
+
+# The following lines are generated from Exim's configuration file when
+# this source is built into a script, but you can subsequently edit them
+# without rebuilding things, as long are you are careful not to overwrite
+# the script in the next Exim rebuild/install. However, it's best to
+# arrange your build-time configuration file to get the correct values.
+
+rm=RM_COMMAND
+
+# Some operating systems have a command that finds processes that match
+# certain conditions (by default usually those running specific commands)
+# and sends them signals. If such a command is defined for your OS, the
+# following variables are set and used.
+
+multikill_cmd=EXIWHAT_MULTIKILL_CMD
+multikill_arg=EXIWHAT_MULTIKILL_ARG
+
+# In other operating systems, Exim has to use "ps" and "egrep" to find the
+# processes itself. In those cases, the next three variables are used:
+
+ps_cmd=EXIWHAT_PS_CMD
+ps_arg=EXIWHAT_PS_ARG
+egrep_arg=EXIWHAT_EGREP_ARG
+
+# In both cases, kill_arg is the argument for the (multi)kill command to send
+# SIGUSR1 (at least one OS requires a numeric value).
+
+signal=EXIWHAT_KILL_SIGNAL
+
+# See if this installation is using the esoteric "USE_NODE" feature of Exim,
+# in which it uses the host's name as a suffix for the configuration file name.
+
+if test "x$1" = x--version
+then
+    echo "`basename $0`: $0"
+    echo "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION"
+    exit 0
+fi
+
+if [ "CONFIGURE_FILE_USE_NODE" = "yes" ]; then
+  hostsuffix=.`uname -n`
+fi
+
+# Now find the configuration file name. This has got complicated because
+# CONFIGURE_FILE may now be a list of files. The one that is used is the first
+# one that exists. Mimic the code in readconf.c by testing first for the
+# suffixed file in each case.
+
+set `awk -F: '{ for (i = 1; i <= NF; i++) print $i }' <<End
+CONFIGURE_FILE
+End
+`
+while [ "$config" = "" -a $# -gt 0 ] ; do
+  if [ -f "$1$hostsuffix" ] ; then
+    config="$1$hostsuffix"
+  elif [ -f "$1" ] ; then
+    config="$1"
+  fi
+  shift
+done
+
+# check we have a config file
+if [ "$config" = "" -o ! -f "$config" ]; then
+  echo Config file not found.
+  exit 1
+fi
+
+# Determine where the spool directory is. Search for an exim_path setting
+# in the configure file; otherwise use the bin directory. Call that version of
+# Exim to find the spool directory. BEWARE: a tab character is needed in the
+# first command below. It has had a nasty tendency to get lost in the past. Use
+# a variable to hold a space and a tab. This is less likely to be touched.
+
+st='	 '
+exim_path=`grep "^[$st]*exim_path" $config | sed "s/.*=[$st]*//"`
+if test "$exim_path" = ""; then exim_path=BIN_DIRECTORY/exim; fi
+spool_directory=`$exim_path -C $config -bP spool_directory | sed "s/.*=[ ]*//"`
+process_log_path=`$exim_path -C $config -bP process_log_path | sed "s/.*=[ ]*//"`
+
+# The file that Exim writes when sent the SIGUSR1 signal is specified by
+# the process_log_path option. If that is not defined, Exim uses the file
+# called "exim-process.info" in the spool directory.
+
+log=$process_log_path
+if [ "$log" = "" ] ; then
+  log=$spool_directory/exim-process.info
+fi
+
+# Now do the job.
+
+$rm -f ${log}
+if [ -f ${log} ]; then
+  echo "** Failed to remove ${log}"
+  exit 1
+fi
+
+# If there is a multikill command, use it. On some OS this command is called
+# "killall" (Linux, FreeBSD). On Solaris it is called "pkill". Note that on
+# Solaris, "killall" kills ALL processes - this is the System V version of this
+# command, and not what we want!
+
+if [ "$multikill_cmd" != "" ] && type "$multikill_cmd" >/dev/null 2>&1; then
+  $multikill_cmd $signal "$multikill_arg"
+
+# No multikill command; do it the hard way
+
+else
+  $ps_cmd $ps_arg | \
+    egrep "$egrep_arg" | \
+    awk "{print \"kill $signal \"\$1}" | \
+    uniq | sh
+fi
+
+sleep 1
+
+if [ ! -s ${log} ] ; then echo "No exim process data" ;
+  else sort -nu ${log} ; fi
+
+
+# End of exiwhat
diff --git a/src/expand.c b/src/expand.c
new file mode 100644
index 0000000..36c9f42
--- /dev/null
+++ b/src/expand.c
@@ -0,0 +1,8837 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* Functions for handling string expansion. */
+
+
+#include "exim.h"
+
+/* Recursively called function */
+
+static uschar *expand_string_internal(const uschar *, BOOL, const uschar **, BOOL, BOOL, BOOL *);
+static int_eximarith_t expanded_string_integer(const uschar *, BOOL);
+
+#ifdef STAND_ALONE
+# ifndef SUPPORT_CRYPTEQ
+#  define SUPPORT_CRYPTEQ
+# endif
+#endif
+
+#ifdef LOOKUP_LDAP
+# include "lookups/ldap.h"
+#endif
+
+#ifdef SUPPORT_CRYPTEQ
+# ifdef CRYPT_H
+#  include <crypt.h>
+# endif
+# ifndef HAVE_CRYPT16
+extern char* crypt16(char*, char*);
+# endif
+#endif
+
+/* The handling of crypt16() is a mess. I will record below the analysis of the
+mess that was sent to me. We decided, however, to make changing this very low
+priority, because in practice people are moving away from the crypt()
+algorithms nowadays, so it doesn't seem worth it.
+
+<quote>
+There is an algorithm named "crypt16" in Ultrix and Tru64.  It crypts
+the first 8 characters of the password using a 20-round version of crypt
+(standard crypt does 25 rounds).  It then crypts the next 8 characters,
+or an empty block if the password is less than 9 characters, using a
+20-round version of crypt and the same salt as was used for the first
+block.  Characters after the first 16 are ignored.  It always generates
+a 16-byte hash, which is expressed together with the salt as a string
+of 24 base 64 digits.  Here are some links to peruse:
+
+        http://cvs.pld.org.pl/pam/pamcrypt/crypt16.c?rev=1.2
+        http://seclists.org/bugtraq/1999/Mar/0076.html
+
+There's a different algorithm named "bigcrypt" in HP-UX, Digital Unix,
+and OSF/1.  This is the same as the standard crypt if given a password
+of 8 characters or less.  If given more, it first does the same as crypt
+using the first 8 characters, then crypts the next 8 (the 9th to 16th)
+using as salt the first two base 64 digits from the first hash block.
+If the password is more than 16 characters then it crypts the 17th to 24th
+characters using as salt the first two base 64 digits from the second hash
+block.  And so on: I've seen references to it cutting off the password at
+40 characters (5 blocks), 80 (10 blocks), or 128 (16 blocks).  Some links:
+
+        http://cvs.pld.org.pl/pam/pamcrypt/bigcrypt.c?rev=1.2
+        http://seclists.org/bugtraq/1999/Mar/0109.html
+        http://h30097.www3.hp.com/docs/base_doc/DOCUMENTATION/HTML/AA-Q0R2D-
+             TET1_html/sec.c222.html#no_id_208
+
+Exim has something it calls "crypt16".  It will either use a native
+crypt16 or its own implementation.  A native crypt16 will presumably
+be the one that I called "crypt16" above.  The internal "crypt16"
+function, however, is a two-block-maximum implementation of what I called
+"bigcrypt".  The documentation matches the internal code.
+
+I suspect that whoever did the "crypt16" stuff for Exim didn't realise
+that crypt16 and bigcrypt were different things.
+
+Exim uses the LDAP-style scheme identifier "{crypt16}" to refer
+to whatever it is using under that name.  This unfortunately sets a
+precedent for using "{crypt16}" to identify two incompatible algorithms
+whose output can't be distinguished.  With "{crypt16}" thus rendered
+ambiguous, I suggest you deprecate it and invent two new identifiers
+for the two algorithms.
+
+Both crypt16 and bigcrypt are very poor algorithms, btw.  Hashing parts
+of the password separately means they can be cracked separately, so
+the double-length hash only doubles the cracking effort instead of
+squaring it.  I recommend salted SHA-1 ({SSHA}), or the Blowfish-based
+bcrypt ({CRYPT}$2a$).
+</quote>
+*/
+
+
+
+/*************************************************
+*            Local statics and tables            *
+*************************************************/
+
+/* Table of item names, and corresponding switch numbers. The names must be in
+alphabetical order. */
+
+static uschar *item_table[] = {
+  US"acl",
+  US"authresults",
+  US"certextract",
+  US"dlfunc",
+  US"env",
+  US"extract",
+  US"filter",
+  US"hash",
+  US"hmac",
+  US"if",
+#ifdef SUPPORT_I18N
+  US"imapfolder",
+#endif
+  US"length",
+  US"listextract",
+  US"listquote",
+  US"lookup",
+  US"map",
+  US"nhash",
+  US"perl",
+  US"prvs",
+  US"prvscheck",
+  US"readfile",
+  US"readsocket",
+  US"reduce",
+  US"run",
+  US"sg",
+  US"sort",
+#ifdef SUPPORT_SRS
+  US"srs_encode",
+#endif
+  US"substr",
+  US"tr" };
+
+enum {
+  EITEM_ACL,
+  EITEM_AUTHRESULTS,
+  EITEM_CERTEXTRACT,
+  EITEM_DLFUNC,
+  EITEM_ENV,
+  EITEM_EXTRACT,
+  EITEM_FILTER,
+  EITEM_HASH,
+  EITEM_HMAC,
+  EITEM_IF,
+#ifdef SUPPORT_I18N
+  EITEM_IMAPFOLDER,
+#endif
+  EITEM_LENGTH,
+  EITEM_LISTEXTRACT,
+  EITEM_LISTQUOTE,
+  EITEM_LOOKUP,
+  EITEM_MAP,
+  EITEM_NHASH,
+  EITEM_PERL,
+  EITEM_PRVS,
+  EITEM_PRVSCHECK,
+  EITEM_READFILE,
+  EITEM_READSOCK,
+  EITEM_REDUCE,
+  EITEM_RUN,
+  EITEM_SG,
+  EITEM_SORT,
+#ifdef SUPPORT_SRS
+  EITEM_SRS_ENCODE,
+#endif
+  EITEM_SUBSTR,
+  EITEM_TR };
+
+/* Tables of operator names, and corresponding switch numbers. The names must be
+in alphabetical order. There are two tables, because underscore is used in some
+cases to introduce arguments, whereas for other it is part of the name. This is
+an historical mis-design. */
+
+static uschar * op_table_underscore[] = {
+  US"from_utf8",
+  US"local_part",
+  US"quote_local_part",
+  US"reverse_ip",
+  US"time_eval",
+  US"time_interval"
+#ifdef SUPPORT_I18N
+ ,US"utf8_domain_from_alabel",
+  US"utf8_domain_to_alabel",
+  US"utf8_localpart_from_alabel",
+  US"utf8_localpart_to_alabel"
+#endif
+  };
+
+enum {
+  EOP_FROM_UTF8,
+  EOP_LOCAL_PART,
+  EOP_QUOTE_LOCAL_PART,
+  EOP_REVERSE_IP,
+  EOP_TIME_EVAL,
+  EOP_TIME_INTERVAL
+#ifdef SUPPORT_I18N
+ ,EOP_UTF8_DOMAIN_FROM_ALABEL,
+  EOP_UTF8_DOMAIN_TO_ALABEL,
+  EOP_UTF8_LOCALPART_FROM_ALABEL,
+  EOP_UTF8_LOCALPART_TO_ALABEL
+#endif
+  };
+
+static uschar *op_table_main[] = {
+  US"address",
+  US"addresses",
+  US"base32",
+  US"base32d",
+  US"base62",
+  US"base62d",
+  US"base64",
+  US"base64d",
+  US"domain",
+  US"escape",
+  US"escape8bit",
+  US"eval",
+  US"eval10",
+  US"expand",
+  US"h",
+  US"hash",
+  US"hex2b64",
+  US"hexquote",
+  US"ipv6denorm",
+  US"ipv6norm",
+  US"l",
+  US"lc",
+  US"length",
+  US"listcount",
+  US"listnamed",
+  US"mask",
+  US"md5",
+  US"nh",
+  US"nhash",
+  US"quote",
+  US"randint",
+  US"rfc2047",
+  US"rfc2047d",
+  US"rxquote",
+  US"s",
+  US"sha1",
+  US"sha2",
+  US"sha256",
+  US"sha3",
+  US"stat",
+  US"str2b64",
+  US"strlen",
+  US"substr",
+  US"uc",
+  US"utf8clean" };
+
+enum {
+  EOP_ADDRESS =  nelem(op_table_underscore),
+  EOP_ADDRESSES,
+  EOP_BASE32,
+  EOP_BASE32D,
+  EOP_BASE62,
+  EOP_BASE62D,
+  EOP_BASE64,
+  EOP_BASE64D,
+  EOP_DOMAIN,
+  EOP_ESCAPE,
+  EOP_ESCAPE8BIT,
+  EOP_EVAL,
+  EOP_EVAL10,
+  EOP_EXPAND,
+  EOP_H,
+  EOP_HASH,
+  EOP_HEX2B64,
+  EOP_HEXQUOTE,
+  EOP_IPV6DENORM,
+  EOP_IPV6NORM,
+  EOP_L,
+  EOP_LC,
+  EOP_LENGTH,
+  EOP_LISTCOUNT,
+  EOP_LISTNAMED,
+  EOP_MASK,
+  EOP_MD5,
+  EOP_NH,
+  EOP_NHASH,
+  EOP_QUOTE,
+  EOP_RANDINT,
+  EOP_RFC2047,
+  EOP_RFC2047D,
+  EOP_RXQUOTE,
+  EOP_S,
+  EOP_SHA1,
+  EOP_SHA2,
+  EOP_SHA256,
+  EOP_SHA3,
+  EOP_STAT,
+  EOP_STR2B64,
+  EOP_STRLEN,
+  EOP_SUBSTR,
+  EOP_UC,
+  EOP_UTF8CLEAN };
+
+
+/* Table of condition names, and corresponding switch numbers. The names must
+be in alphabetical order. */
+
+static uschar *cond_table[] = {
+  US"<",
+  US"<=",
+  US"=",
+  US"==",     /* Backward compatibility */
+  US">",
+  US">=",
+  US"acl",
+  US"and",
+  US"bool",
+  US"bool_lax",
+  US"crypteq",
+  US"def",
+  US"eq",
+  US"eqi",
+  US"exists",
+  US"first_delivery",
+  US"forall",
+  US"forall_json",
+  US"forall_jsons",
+  US"forany",
+  US"forany_json",
+  US"forany_jsons",
+  US"ge",
+  US"gei",
+  US"gt",
+  US"gti",
+#ifdef SUPPORT_SRS
+  US"inbound_srs",
+#endif
+  US"inlist",
+  US"inlisti",
+  US"isip",
+  US"isip4",
+  US"isip6",
+  US"ldapauth",
+  US"le",
+  US"lei",
+  US"lt",
+  US"lti",
+  US"match",
+  US"match_address",
+  US"match_domain",
+  US"match_ip",
+  US"match_local_part",
+  US"or",
+  US"pam",
+  US"pwcheck",
+  US"queue_running",
+  US"radius",
+  US"saslauthd"
+};
+
+enum {
+  ECOND_NUM_L,
+  ECOND_NUM_LE,
+  ECOND_NUM_E,
+  ECOND_NUM_EE,
+  ECOND_NUM_G,
+  ECOND_NUM_GE,
+  ECOND_ACL,
+  ECOND_AND,
+  ECOND_BOOL,
+  ECOND_BOOL_LAX,
+  ECOND_CRYPTEQ,
+  ECOND_DEF,
+  ECOND_STR_EQ,
+  ECOND_STR_EQI,
+  ECOND_EXISTS,
+  ECOND_FIRST_DELIVERY,
+  ECOND_FORALL,
+  ECOND_FORALL_JSON,
+  ECOND_FORALL_JSONS,
+  ECOND_FORANY,
+  ECOND_FORANY_JSON,
+  ECOND_FORANY_JSONS,
+  ECOND_STR_GE,
+  ECOND_STR_GEI,
+  ECOND_STR_GT,
+  ECOND_STR_GTI,
+#ifdef SUPPORT_SRS
+  ECOND_INBOUND_SRS,
+#endif
+  ECOND_INLIST,
+  ECOND_INLISTI,
+  ECOND_ISIP,
+  ECOND_ISIP4,
+  ECOND_ISIP6,
+  ECOND_LDAPAUTH,
+  ECOND_STR_LE,
+  ECOND_STR_LEI,
+  ECOND_STR_LT,
+  ECOND_STR_LTI,
+  ECOND_MATCH,
+  ECOND_MATCH_ADDRESS,
+  ECOND_MATCH_DOMAIN,
+  ECOND_MATCH_IP,
+  ECOND_MATCH_LOCAL_PART,
+  ECOND_OR,
+  ECOND_PAM,
+  ECOND_PWCHECK,
+  ECOND_QUEUE_RUNNING,
+  ECOND_RADIUS,
+  ECOND_SASLAUTHD
+};
+
+
+/* Types of table entry */
+
+enum vtypes {
+  vtype_int,            /* value is address of int */
+  vtype_filter_int,     /* ditto, but recognized only when filtering */
+  vtype_ino,            /* value is address of ino_t (not always an int) */
+  vtype_uid,            /* value is address of uid_t (not always an int) */
+  vtype_gid,            /* value is address of gid_t (not always an int) */
+  vtype_bool,           /* value is address of bool */
+  vtype_stringptr,      /* value is address of pointer to string */
+  vtype_msgbody,        /* as stringptr, but read when first required */
+  vtype_msgbody_end,    /* ditto, the end of the message */
+  vtype_msgheaders,     /* the message's headers, processed */
+  vtype_msgheaders_raw, /* the message's headers, unprocessed */
+  vtype_localpart,      /* extract local part from string */
+  vtype_domain,         /* extract domain from string */
+  vtype_string_func,	/* value is string returned by given function */
+  vtype_todbsdin,       /* value not used; generate BSD inbox tod */
+  vtype_tode,           /* value not used; generate tod in epoch format */
+  vtype_todel,          /* value not used; generate tod in epoch/usec format */
+  vtype_todf,           /* value not used; generate full tod */
+  vtype_todl,           /* value not used; generate log tod */
+  vtype_todlf,          /* value not used; generate log file datestamp tod */
+  vtype_todzone,        /* value not used; generate time zone only */
+  vtype_todzulu,        /* value not used; generate zulu tod */
+  vtype_reply,          /* value not used; get reply from headers */
+  vtype_pid,            /* value not used; result is pid */
+  vtype_host_lookup,    /* value not used; get host name */
+  vtype_load_avg,       /* value not used; result is int from os_getloadavg */
+  vtype_pspace,         /* partition space; value is T/F for spool/log */
+  vtype_pinodes,        /* partition inodes; value is T/F for spool/log */
+  vtype_cert		/* SSL certificate */
+#ifndef DISABLE_DKIM
+  ,vtype_dkim           /* Lookup of value in DKIM signature */
+#endif
+};
+
+/* Type for main variable table */
+
+typedef struct {
+  const char *name;
+  enum vtypes type;
+  void       *value;
+} var_entry;
+
+/* Type for entries pointing to address/length pairs. Not currently
+in use. */
+
+typedef struct {
+  uschar **address;
+  int  *length;
+} alblock;
+
+static uschar * fn_recipients(void);
+typedef uschar * stringptr_fn_t(void);
+static uschar * fn_queue_size(void);
+
+/* This table must be kept in alphabetical order. */
+
+static var_entry var_table[] = {
+  /* WARNING: Do not invent variables whose names start acl_c or acl_m because
+     they will be confused with user-creatable ACL variables. */
+  { "acl_arg1",            vtype_stringptr,   &acl_arg[0] },
+  { "acl_arg2",            vtype_stringptr,   &acl_arg[1] },
+  { "acl_arg3",            vtype_stringptr,   &acl_arg[2] },
+  { "acl_arg4",            vtype_stringptr,   &acl_arg[3] },
+  { "acl_arg5",            vtype_stringptr,   &acl_arg[4] },
+  { "acl_arg6",            vtype_stringptr,   &acl_arg[5] },
+  { "acl_arg7",            vtype_stringptr,   &acl_arg[6] },
+  { "acl_arg8",            vtype_stringptr,   &acl_arg[7] },
+  { "acl_arg9",            vtype_stringptr,   &acl_arg[8] },
+  { "acl_narg",            vtype_int,         &acl_narg },
+  { "acl_verify_message",  vtype_stringptr,   &acl_verify_message },
+  { "address_data",        vtype_stringptr,   &deliver_address_data },
+  { "address_file",        vtype_stringptr,   &address_file },
+  { "address_pipe",        vtype_stringptr,   &address_pipe },
+#ifdef EXPERIMENTAL_ARC
+  { "arc_domains",         vtype_string_func, (void *) &fn_arc_domains },
+  { "arc_oldest_pass",     vtype_int,         &arc_oldest_pass },
+  { "arc_state",           vtype_stringptr,   &arc_state },
+  { "arc_state_reason",    vtype_stringptr,   &arc_state_reason },
+#endif
+  { "authenticated_fail_id",vtype_stringptr,  &authenticated_fail_id },
+  { "authenticated_id",    vtype_stringptr,   &authenticated_id },
+  { "authenticated_sender",vtype_stringptr,   &authenticated_sender },
+  { "authentication_failed",vtype_int,        &authentication_failed },
+#ifdef WITH_CONTENT_SCAN
+  { "av_failed",           vtype_int,         &av_failed },
+#endif
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+  { "bmi_alt_location",    vtype_stringptr,   &bmi_alt_location },
+  { "bmi_base64_tracker_verdict", vtype_stringptr, &bmi_base64_tracker_verdict },
+  { "bmi_base64_verdict",  vtype_stringptr,   &bmi_base64_verdict },
+  { "bmi_deliver",         vtype_int,         &bmi_deliver },
+#endif
+  { "body_linecount",      vtype_int,         &body_linecount },
+  { "body_zerocount",      vtype_int,         &body_zerocount },
+  { "bounce_recipient",    vtype_stringptr,   &bounce_recipient },
+  { "bounce_return_size_limit", vtype_int,    &bounce_return_size_limit },
+  { "caller_gid",          vtype_gid,         &real_gid },
+  { "caller_uid",          vtype_uid,         &real_uid },
+  { "callout_address",     vtype_stringptr,   &callout_address },
+  { "compile_date",        vtype_stringptr,   &version_date },
+  { "compile_number",      vtype_stringptr,   &version_cnumber },
+  { "config_dir",          vtype_stringptr,   &config_main_directory },
+  { "config_file",         vtype_stringptr,   &config_main_filename },
+  { "csa_status",          vtype_stringptr,   &csa_status },
+#ifdef EXPERIMENTAL_DCC
+  { "dcc_header",          vtype_stringptr,   &dcc_header },
+  { "dcc_result",          vtype_stringptr,   &dcc_result },
+#endif
+#ifndef DISABLE_DKIM
+  { "dkim_algo",           vtype_dkim,        (void *)DKIM_ALGO },
+  { "dkim_bodylength",     vtype_dkim,        (void *)DKIM_BODYLENGTH },
+  { "dkim_canon_body",     vtype_dkim,        (void *)DKIM_CANON_BODY },
+  { "dkim_canon_headers",  vtype_dkim,        (void *)DKIM_CANON_HEADERS },
+  { "dkim_copiedheaders",  vtype_dkim,        (void *)DKIM_COPIEDHEADERS },
+  { "dkim_created",        vtype_dkim,        (void *)DKIM_CREATED },
+  { "dkim_cur_signer",     vtype_stringptr,   &dkim_cur_signer },
+  { "dkim_domain",         vtype_stringptr,   &dkim_signing_domain },
+  { "dkim_expires",        vtype_dkim,        (void *)DKIM_EXPIRES },
+  { "dkim_headernames",    vtype_dkim,        (void *)DKIM_HEADERNAMES },
+  { "dkim_identity",       vtype_dkim,        (void *)DKIM_IDENTITY },
+  { "dkim_key_granularity",vtype_dkim,        (void *)DKIM_KEY_GRANULARITY },
+  { "dkim_key_length",     vtype_int,         &dkim_key_length },
+  { "dkim_key_nosubdomains",vtype_dkim,       (void *)DKIM_NOSUBDOMAINS },
+  { "dkim_key_notes",      vtype_dkim,        (void *)DKIM_KEY_NOTES },
+  { "dkim_key_srvtype",    vtype_dkim,        (void *)DKIM_KEY_SRVTYPE },
+  { "dkim_key_testing",    vtype_dkim,        (void *)DKIM_KEY_TESTING },
+  { "dkim_selector",       vtype_stringptr,   &dkim_signing_selector },
+  { "dkim_signers",        vtype_stringptr,   &dkim_signers },
+  { "dkim_verify_reason",  vtype_stringptr,   &dkim_verify_reason },
+  { "dkim_verify_status",  vtype_stringptr,   &dkim_verify_status },
+#endif
+#ifdef SUPPORT_DMARC
+  { "dmarc_domain_policy", vtype_stringptr,   &dmarc_domain_policy },
+  { "dmarc_status",        vtype_stringptr,   &dmarc_status },
+  { "dmarc_status_text",   vtype_stringptr,   &dmarc_status_text },
+  { "dmarc_used_domain",   vtype_stringptr,   &dmarc_used_domain },
+#endif
+  { "dnslist_domain",      vtype_stringptr,   &dnslist_domain },
+  { "dnslist_matched",     vtype_stringptr,   &dnslist_matched },
+  { "dnslist_text",        vtype_stringptr,   &dnslist_text },
+  { "dnslist_value",       vtype_stringptr,   &dnslist_value },
+  { "domain",              vtype_stringptr,   &deliver_domain },
+  { "domain_data",         vtype_stringptr,   &deliver_domain_data },
+#ifndef DISABLE_EVENT
+  { "event_data",          vtype_stringptr,   &event_data },
+
+  /*XXX want to use generic vars for as many of these as possible*/
+  { "event_defer_errno",   vtype_int,         &event_defer_errno },
+
+  { "event_name",          vtype_stringptr,   &event_name },
+#endif
+  { "exim_gid",            vtype_gid,         &exim_gid },
+  { "exim_path",           vtype_stringptr,   &exim_path },
+  { "exim_uid",            vtype_uid,         &exim_uid },
+  { "exim_version",        vtype_stringptr,   &version_string },
+  { "headers_added",       vtype_string_func, (void *) &fn_hdrs_added },
+  { "home",                vtype_stringptr,   &deliver_home },
+  { "host",                vtype_stringptr,   &deliver_host },
+  { "host_address",        vtype_stringptr,   &deliver_host_address },
+  { "host_data",           vtype_stringptr,   &host_data },
+  { "host_lookup_deferred",vtype_int,         &host_lookup_deferred },
+  { "host_lookup_failed",  vtype_int,         &host_lookup_failed },
+  { "host_port",           vtype_int,         &deliver_host_port },
+  { "initial_cwd",         vtype_stringptr,   &initial_cwd },
+  { "inode",               vtype_ino,         &deliver_inode },
+  { "interface_address",   vtype_stringptr,   &interface_address },
+  { "interface_port",      vtype_int,         &interface_port },
+  { "item",                vtype_stringptr,   &iterate_item },
+#ifdef LOOKUP_LDAP
+  { "ldap_dn",             vtype_stringptr,   &eldap_dn },
+#endif
+  { "load_average",        vtype_load_avg,    NULL },
+  { "local_part",          vtype_stringptr,   &deliver_localpart },
+  { "local_part_data",     vtype_stringptr,   &deliver_localpart_data },
+  { "local_part_prefix",   vtype_stringptr,   &deliver_localpart_prefix },
+  { "local_part_prefix_v", vtype_stringptr,   &deliver_localpart_prefix_v },
+  { "local_part_suffix",   vtype_stringptr,   &deliver_localpart_suffix },
+  { "local_part_suffix_v", vtype_stringptr,   &deliver_localpart_suffix_v },
+#ifdef HAVE_LOCAL_SCAN
+  { "local_scan_data",     vtype_stringptr,   &local_scan_data },
+#endif
+  { "local_user_gid",      vtype_gid,         &local_user_gid },
+  { "local_user_uid",      vtype_uid,         &local_user_uid },
+  { "localhost_number",    vtype_int,         &host_number },
+  { "log_inodes",          vtype_pinodes,     (void *)FALSE },
+  { "log_space",           vtype_pspace,      (void *)FALSE },
+  { "lookup_dnssec_authenticated",vtype_stringptr,&lookup_dnssec_authenticated},
+  { "mailstore_basename",  vtype_stringptr,   &mailstore_basename },
+#ifdef WITH_CONTENT_SCAN
+  { "malware_name",        vtype_stringptr,   &malware_name },
+#endif
+  { "max_received_linelength", vtype_int,     &max_received_linelength },
+  { "message_age",         vtype_int,         &message_age },
+  { "message_body",        vtype_msgbody,     &message_body },
+  { "message_body_end",    vtype_msgbody_end, &message_body_end },
+  { "message_body_size",   vtype_int,         &message_body_size },
+  { "message_exim_id",     vtype_stringptr,   &message_id },
+  { "message_headers",     vtype_msgheaders,  NULL },
+  { "message_headers_raw", vtype_msgheaders_raw, NULL },
+  { "message_id",          vtype_stringptr,   &message_id },
+  { "message_linecount",   vtype_int,         &message_linecount },
+  { "message_size",        vtype_int,         &message_size },
+#ifdef SUPPORT_I18N
+  { "message_smtputf8",    vtype_bool,        &message_smtputf8 },
+#endif
+#ifdef WITH_CONTENT_SCAN
+  { "mime_anomaly_level",  vtype_int,         &mime_anomaly_level },
+  { "mime_anomaly_text",   vtype_stringptr,   &mime_anomaly_text },
+  { "mime_boundary",       vtype_stringptr,   &mime_boundary },
+  { "mime_charset",        vtype_stringptr,   &mime_charset },
+  { "mime_content_description", vtype_stringptr, &mime_content_description },
+  { "mime_content_disposition", vtype_stringptr, &mime_content_disposition },
+  { "mime_content_id",     vtype_stringptr,   &mime_content_id },
+  { "mime_content_size",   vtype_int,         &mime_content_size },
+  { "mime_content_transfer_encoding",vtype_stringptr, &mime_content_transfer_encoding },
+  { "mime_content_type",   vtype_stringptr,   &mime_content_type },
+  { "mime_decoded_filename", vtype_stringptr, &mime_decoded_filename },
+  { "mime_filename",       vtype_stringptr,   &mime_filename },
+  { "mime_is_coverletter", vtype_int,         &mime_is_coverletter },
+  { "mime_is_multipart",   vtype_int,         &mime_is_multipart },
+  { "mime_is_rfc822",      vtype_int,         &mime_is_rfc822 },
+  { "mime_part_count",     vtype_int,         &mime_part_count },
+#endif
+  { "n0",                  vtype_filter_int,  &filter_n[0] },
+  { "n1",                  vtype_filter_int,  &filter_n[1] },
+  { "n2",                  vtype_filter_int,  &filter_n[2] },
+  { "n3",                  vtype_filter_int,  &filter_n[3] },
+  { "n4",                  vtype_filter_int,  &filter_n[4] },
+  { "n5",                  vtype_filter_int,  &filter_n[5] },
+  { "n6",                  vtype_filter_int,  &filter_n[6] },
+  { "n7",                  vtype_filter_int,  &filter_n[7] },
+  { "n8",                  vtype_filter_int,  &filter_n[8] },
+  { "n9",                  vtype_filter_int,  &filter_n[9] },
+  { "original_domain",     vtype_stringptr,   &deliver_domain_orig },
+  { "original_local_part", vtype_stringptr,   &deliver_localpart_orig },
+  { "originator_gid",      vtype_gid,         &originator_gid },
+  { "originator_uid",      vtype_uid,         &originator_uid },
+  { "parent_domain",       vtype_stringptr,   &deliver_domain_parent },
+  { "parent_local_part",   vtype_stringptr,   &deliver_localpart_parent },
+  { "pid",                 vtype_pid,         NULL },
+#ifndef DISABLE_PRDR
+  { "prdr_requested",      vtype_bool,        &prdr_requested },
+#endif
+  { "primary_hostname",    vtype_stringptr,   &primary_hostname },
+#if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
+  { "proxy_external_address",vtype_stringptr, &proxy_external_address },
+  { "proxy_external_port", vtype_int,         &proxy_external_port },
+  { "proxy_local_address", vtype_stringptr,   &proxy_local_address },
+  { "proxy_local_port",    vtype_int,         &proxy_local_port },
+  { "proxy_session",       vtype_bool,        &proxy_session },
+#endif
+  { "prvscheck_address",   vtype_stringptr,   &prvscheck_address },
+  { "prvscheck_keynum",    vtype_stringptr,   &prvscheck_keynum },
+  { "prvscheck_result",    vtype_stringptr,   &prvscheck_result },
+  { "qualify_domain",      vtype_stringptr,   &qualify_domain_sender },
+  { "qualify_recipient",   vtype_stringptr,   &qualify_domain_recipient },
+  { "queue_name",          vtype_stringptr,   &queue_name },
+  { "queue_size",          vtype_string_func, &fn_queue_size },
+  { "rcpt_count",          vtype_int,         &rcpt_count },
+  { "rcpt_defer_count",    vtype_int,         &rcpt_defer_count },
+  { "rcpt_fail_count",     vtype_int,         &rcpt_fail_count },
+  { "received_count",      vtype_int,         &received_count },
+  { "received_for",        vtype_stringptr,   &received_for },
+  { "received_ip_address", vtype_stringptr,   &interface_address },
+  { "received_port",       vtype_int,         &interface_port },
+  { "received_protocol",   vtype_stringptr,   &received_protocol },
+  { "received_time",       vtype_int,         &received_time.tv_sec },
+  { "recipient_data",      vtype_stringptr,   &recipient_data },
+  { "recipient_verify_failure",vtype_stringptr,&recipient_verify_failure },
+  { "recipients",          vtype_string_func, (void *) &fn_recipients },
+  { "recipients_count",    vtype_int,         &recipients_count },
+#ifdef WITH_CONTENT_SCAN
+  { "regex_match_string",  vtype_stringptr,   &regex_match_string },
+#endif
+  { "reply_address",       vtype_reply,       NULL },
+  { "return_path",         vtype_stringptr,   &return_path },
+  { "return_size_limit",   vtype_int,         &bounce_return_size_limit },
+  { "router_name",         vtype_stringptr,   &router_name },
+  { "runrc",               vtype_int,         &runrc },
+  { "self_hostname",       vtype_stringptr,   &self_hostname },
+  { "sender_address",      vtype_stringptr,   &sender_address },
+  { "sender_address_data", vtype_stringptr,   &sender_address_data },
+  { "sender_address_domain", vtype_domain,    &sender_address },
+  { "sender_address_local_part", vtype_localpart, &sender_address },
+  { "sender_data",         vtype_stringptr,   &sender_data },
+  { "sender_fullhost",     vtype_stringptr,   &sender_fullhost },
+  { "sender_helo_dnssec",  vtype_bool,        &sender_helo_dnssec },
+  { "sender_helo_name",    vtype_stringptr,   &sender_helo_name },
+  { "sender_host_address", vtype_stringptr,   &sender_host_address },
+  { "sender_host_authenticated",vtype_stringptr, &sender_host_authenticated },
+  { "sender_host_dnssec",  vtype_bool,        &sender_host_dnssec },
+  { "sender_host_name",    vtype_host_lookup, NULL },
+  { "sender_host_port",    vtype_int,         &sender_host_port },
+  { "sender_ident",        vtype_stringptr,   &sender_ident },
+  { "sender_rate",         vtype_stringptr,   &sender_rate },
+  { "sender_rate_limit",   vtype_stringptr,   &sender_rate_limit },
+  { "sender_rate_period",  vtype_stringptr,   &sender_rate_period },
+  { "sender_rcvhost",      vtype_stringptr,   &sender_rcvhost },
+  { "sender_verify_failure",vtype_stringptr,  &sender_verify_failure },
+  { "sending_ip_address",  vtype_stringptr,   &sending_ip_address },
+  { "sending_port",        vtype_int,         &sending_port },
+  { "smtp_active_hostname", vtype_stringptr,  &smtp_active_hostname },
+  { "smtp_command",        vtype_stringptr,   &smtp_cmd_buffer },
+  { "smtp_command_argument", vtype_stringptr, &smtp_cmd_argument },
+  { "smtp_command_history", vtype_string_func, (void *) &smtp_cmd_hist },
+  { "smtp_count_at_connection_start", vtype_int, &smtp_accept_count },
+  { "smtp_notquit_reason", vtype_stringptr,   &smtp_notquit_reason },
+  { "sn0",                 vtype_filter_int,  &filter_sn[0] },
+  { "sn1",                 vtype_filter_int,  &filter_sn[1] },
+  { "sn2",                 vtype_filter_int,  &filter_sn[2] },
+  { "sn3",                 vtype_filter_int,  &filter_sn[3] },
+  { "sn4",                 vtype_filter_int,  &filter_sn[4] },
+  { "sn5",                 vtype_filter_int,  &filter_sn[5] },
+  { "sn6",                 vtype_filter_int,  &filter_sn[6] },
+  { "sn7",                 vtype_filter_int,  &filter_sn[7] },
+  { "sn8",                 vtype_filter_int,  &filter_sn[8] },
+  { "sn9",                 vtype_filter_int,  &filter_sn[9] },
+#ifdef WITH_CONTENT_SCAN
+  { "spam_action",         vtype_stringptr,   &spam_action },
+  { "spam_bar",            vtype_stringptr,   &spam_bar },
+  { "spam_report",         vtype_stringptr,   &spam_report },
+  { "spam_score",          vtype_stringptr,   &spam_score },
+  { "spam_score_int",      vtype_stringptr,   &spam_score_int },
+#endif
+#ifdef SUPPORT_SPF
+  { "spf_guess",           vtype_stringptr,   &spf_guess },
+  { "spf_header_comment",  vtype_stringptr,   &spf_header_comment },
+  { "spf_received",        vtype_stringptr,   &spf_received },
+  { "spf_result",          vtype_stringptr,   &spf_result },
+  { "spf_result_guessed",  vtype_bool,        &spf_result_guessed },
+  { "spf_smtp_comment",    vtype_stringptr,   &spf_smtp_comment },
+#endif
+  { "spool_directory",     vtype_stringptr,   &spool_directory },
+  { "spool_inodes",        vtype_pinodes,     (void *)TRUE },
+  { "spool_space",         vtype_pspace,      (void *)TRUE },
+#ifdef SUPPORT_SRS
+  { "srs_recipient",       vtype_stringptr,   &srs_recipient },
+#endif
+  { "thisaddress",         vtype_stringptr,   &filter_thisaddress },
+
+  /* The non-(in,out) variables are now deprecated */
+  { "tls_bits",            vtype_int,         &tls_in.bits },
+  { "tls_certificate_verified", vtype_int,    &tls_in.certificate_verified },
+  { "tls_cipher",          vtype_stringptr,   &tls_in.cipher },
+
+  { "tls_in_bits",         vtype_int,         &tls_in.bits },
+  { "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified },
+  { "tls_in_cipher",       vtype_stringptr,   &tls_in.cipher },
+  { "tls_in_cipher_std",   vtype_stringptr,   &tls_in.cipher_stdname },
+  { "tls_in_ocsp",         vtype_int,         &tls_in.ocsp },
+  { "tls_in_ourcert",      vtype_cert,        &tls_in.ourcert },
+  { "tls_in_peercert",     vtype_cert,        &tls_in.peercert },
+  { "tls_in_peerdn",       vtype_stringptr,   &tls_in.peerdn },
+#ifndef DISABLE_TLS_RESUME
+  { "tls_in_resumption",   vtype_int,         &tls_in.resumption },
+#endif
+#ifndef DISABLE_TLS
+  { "tls_in_sni",          vtype_stringptr,   &tls_in.sni },
+#endif
+  { "tls_in_ver",          vtype_stringptr,   &tls_in.ver },
+  { "tls_out_bits",        vtype_int,         &tls_out.bits },
+  { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
+  { "tls_out_cipher",      vtype_stringptr,   &tls_out.cipher },
+  { "tls_out_cipher_std",  vtype_stringptr,   &tls_out.cipher_stdname },
+#ifdef SUPPORT_DANE
+  { "tls_out_dane",        vtype_bool,        &tls_out.dane_verified },
+#endif
+  { "tls_out_ocsp",        vtype_int,         &tls_out.ocsp },
+  { "tls_out_ourcert",     vtype_cert,        &tls_out.ourcert },
+  { "tls_out_peercert",    vtype_cert,        &tls_out.peercert },
+  { "tls_out_peerdn",      vtype_stringptr,   &tls_out.peerdn },
+#ifndef DISABLE_TLS_RESUME
+  { "tls_out_resumption",  vtype_int,         &tls_out.resumption },
+#endif
+#ifndef DISABLE_TLS
+  { "tls_out_sni",         vtype_stringptr,   &tls_out.sni },
+#endif
+#ifdef SUPPORT_DANE
+  { "tls_out_tlsa_usage",  vtype_int,         &tls_out.tlsa_usage },
+#endif
+  { "tls_out_ver",         vtype_stringptr,   &tls_out.ver },
+
+  { "tls_peerdn",          vtype_stringptr,   &tls_in.peerdn },	/* mind the alphabetical order! */
+#ifndef DISABLE_TLS
+  { "tls_sni",             vtype_stringptr,   &tls_in.sni },	/* mind the alphabetical order! */
+#endif
+
+  { "tod_bsdinbox",        vtype_todbsdin,    NULL },
+  { "tod_epoch",           vtype_tode,        NULL },
+  { "tod_epoch_l",         vtype_todel,       NULL },
+  { "tod_full",            vtype_todf,        NULL },
+  { "tod_log",             vtype_todl,        NULL },
+  { "tod_logfile",         vtype_todlf,       NULL },
+  { "tod_zone",            vtype_todzone,     NULL },
+  { "tod_zulu",            vtype_todzulu,     NULL },
+  { "transport_name",      vtype_stringptr,   &transport_name },
+  { "value",               vtype_stringptr,   &lookup_value },
+  { "verify_mode",         vtype_stringptr,   &verify_mode },
+  { "version_number",      vtype_stringptr,   &version_string },
+  { "warn_message_delay",  vtype_stringptr,   &warnmsg_delay },
+  { "warn_message_recipient",vtype_stringptr, &warnmsg_recipients },
+  { "warn_message_recipients",vtype_stringptr,&warnmsg_recipients },
+  { "warnmsg_delay",       vtype_stringptr,   &warnmsg_delay },
+  { "warnmsg_recipient",   vtype_stringptr,   &warnmsg_recipients },
+  { "warnmsg_recipients",  vtype_stringptr,   &warnmsg_recipients }
+};
+
+static int var_table_size = nelem(var_table);
+static uschar var_buffer[256];
+static BOOL malformed_header;
+
+/* For textual hashes */
+
+static const char *hashcodes = "abcdefghijklmnopqrtsuvwxyz"
+                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+                               "0123456789";
+
+enum { HMAC_MD5, HMAC_SHA1 };
+
+/* For numeric hashes */
+
+static unsigned int prime[] = {
+  2,   3,   5,   7,  11,  13,  17,  19,  23,  29,
+ 31,  37,  41,  43,  47,  53,  59,  61,  67,  71,
+ 73,  79,  83,  89,  97, 101, 103, 107, 109, 113};
+
+/* For printing modes in symbolic form */
+
+static uschar *mtable_normal[] =
+  { US"---", US"--x", US"-w-", US"-wx", US"r--", US"r-x", US"rw-", US"rwx" };
+
+static uschar *mtable_setid[] =
+  { US"--S", US"--s", US"-wS", US"-ws", US"r-S", US"r-s", US"rwS", US"rws" };
+
+static uschar *mtable_sticky[] =
+  { US"--T", US"--t", US"-wT", US"-wt", US"r-T", US"r-t", US"rwT", US"rwt" };
+
+/* flags for find_header() */
+#define FH_EXISTS_ONLY	BIT(0)
+#define FH_WANT_RAW	BIT(1)
+#define FH_WANT_LIST	BIT(2)
+
+
+/*************************************************
+*           Tables for UTF-8 support             *
+*************************************************/
+
+/* Table of the number of extra characters, indexed by the first character
+masked with 0x3f. The highest number for a valid UTF-8 character is in fact
+0x3d. */
+
+static uschar utf8_table1[] = {
+  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
+  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
+  2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,
+  3,3,3,3,3,3,3,3,4,4,4,4,5,5,5,5 };
+
+/* These are the masks for the data bits in the first byte of a character,
+indexed by the number of additional bytes. */
+
+static int utf8_table2[] = { 0xff, 0x1f, 0x0f, 0x07, 0x03, 0x01};
+
+/* Get the next UTF-8 character, advancing the pointer. */
+
+#define GETUTF8INC(c, ptr) \
+  c = *ptr++; \
+  if ((c & 0xc0) == 0xc0) \
+    { \
+    int a = utf8_table1[c & 0x3f];  /* Number of additional bytes */ \
+    int s = 6*a; \
+    c = (c & utf8_table2[a]) << s; \
+    while (a-- > 0) \
+      { \
+      s -= 6; \
+      c |= (*ptr++ & 0x3f) << s; \
+      } \
+    }
+
+
+
+static uschar * base32_chars = US"abcdefghijklmnopqrstuvwxyz234567";
+
+/*************************************************
+*           Binary chop search on a table        *
+*************************************************/
+
+/* This is used for matching expansion items and operators.
+
+Arguments:
+  name        the name that is being sought
+  table       the table to search
+  table_size  the number of items in the table
+
+Returns:      the offset in the table, or -1
+*/
+
+static int
+chop_match(uschar *name, uschar **table, int table_size)
+{
+uschar **bot = table;
+uschar **top = table + table_size;
+
+while (top > bot)
+  {
+  uschar **mid = bot + (top - bot)/2;
+  int c = Ustrcmp(name, *mid);
+  if (c == 0) return mid - table;
+  if (c > 0) bot = mid + 1; else top = mid;
+  }
+
+return -1;
+}
+
+
+
+/*************************************************
+*          Check a condition string              *
+*************************************************/
+
+/* This function is called to expand a string, and test the result for a "true"
+or "false" value. Failure of the expansion yields FALSE; logged unless it was a
+forced fail or lookup defer.
+
+We used to release all store used, but this is not not safe due
+to ${dlfunc } and ${acl }.  In any case expand_string_internal()
+is reasonably careful to release what it can.
+
+The actual false-value tests should be replicated for ECOND_BOOL_LAX.
+
+Arguments:
+  condition     the condition string
+  m1            text to be incorporated in panic error
+  m2            ditto
+
+Returns:        TRUE if condition is met, FALSE if not
+*/
+
+BOOL
+expand_check_condition(uschar *condition, uschar *m1, uschar *m2)
+{
+uschar * ss = expand_string(condition);
+if (!ss)
+  {
+  if (!f.expand_string_forcedfail && !f.search_find_defer)
+    log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand condition \"%s\" "
+      "for %s %s: %s", condition, m1, m2, expand_string_message);
+  return FALSE;
+  }
+return *ss && Ustrcmp(ss, "0") != 0 && strcmpic(ss, US"no") != 0 &&
+  strcmpic(ss, US"false") != 0;
+}
+
+
+
+
+/*************************************************
+*        Pseudo-random number generation         *
+*************************************************/
+
+/* Pseudo-random number generation.  The result is not "expected" to be
+cryptographically strong but not so weak that someone will shoot themselves
+in the foot using it as a nonce in some email header scheme or whatever
+weirdness they'll twist this into.  The result should ideally handle fork().
+
+However, if we're stuck unable to provide this, then we'll fall back to
+appallingly bad randomness.
+
+If DISABLE_TLS is not defined then this will not be used except as an emergency
+fallback.
+
+Arguments:
+  max       range maximum
+Returns     a random number in range [0, max-1]
+*/
+
+#ifndef DISABLE_TLS
+# define vaguely_random_number vaguely_random_number_fallback
+#endif
+int
+vaguely_random_number(int max)
+{
+#ifndef DISABLE_TLS
+# undef vaguely_random_number
+#endif
+static pid_t pid = 0;
+pid_t p2;
+
+if ((p2 = getpid()) != pid)
+  {
+  if (pid != 0)
+    {
+
+#ifdef HAVE_ARC4RANDOM
+    /* cryptographically strong randomness, common on *BSD platforms, not
+    so much elsewhere.  Alas. */
+# ifndef NOT_HAVE_ARC4RANDOM_STIR
+    arc4random_stir();
+# endif
+#elif defined(HAVE_SRANDOM) || defined(HAVE_SRANDOMDEV)
+# ifdef HAVE_SRANDOMDEV
+    /* uses random(4) for seeding */
+    srandomdev();
+# else
+    {
+    struct timeval tv;
+    gettimeofday(&tv, NULL);
+    srandom(tv.tv_sec | tv.tv_usec | getpid());
+    }
+# endif
+#else
+    /* Poor randomness and no seeding here */
+#endif
+
+    }
+  pid = p2;
+  }
+
+#ifdef HAVE_ARC4RANDOM
+return arc4random() % max;
+#elif defined(HAVE_SRANDOM) || defined(HAVE_SRANDOMDEV)
+return random() % max;
+#else
+/* This one returns a 16-bit number, definitely not crypto-strong */
+return random_number(max);
+#endif
+}
+
+
+
+
+/*************************************************
+*             Pick out a name from a string      *
+*************************************************/
+
+/* If the name is too long, it is silently truncated.
+
+Arguments:
+  name      points to a buffer into which to put the name
+  max       is the length of the buffer
+  s         points to the first alphabetic character of the name
+  extras    chars other than alphanumerics to permit
+
+Returns:    pointer to the first character after the name
+
+Note: The test for *s != 0 in the while loop is necessary because
+Ustrchr() yields non-NULL if the character is zero (which is not something
+I expected). */
+
+static const uschar *
+read_name(uschar *name, int max, const uschar *s, uschar *extras)
+{
+int ptr = 0;
+while (*s && (isalnum(*s) || Ustrchr(extras, *s) != NULL))
+  {
+  if (ptr < max-1) name[ptr++] = *s;
+  s++;
+  }
+name[ptr] = 0;
+return s;
+}
+
+
+
+/*************************************************
+*     Pick out the rest of a header name         *
+*************************************************/
+
+/* A variable name starting $header_ (or just $h_ for those who like
+abbreviations) might not be the complete header name because headers can
+contain any printing characters in their names, except ':'. This function is
+called to read the rest of the name, chop h[eader]_ off the front, and put ':'
+on the end, if the name was terminated by white space.
+
+Arguments:
+  name      points to a buffer in which the name read so far exists
+  max       is the length of the buffer
+  s         points to the first character after the name so far, i.e. the
+            first non-alphameric character after $header_xxxxx
+
+Returns:    a pointer to the first character after the header name
+*/
+
+static const uschar *
+read_header_name(uschar *name, int max, const uschar *s)
+{
+int prelen = Ustrchr(name, '_') - name + 1;
+int ptr = Ustrlen(name) - prelen;
+if (ptr > 0) memmove(name, name+prelen, ptr);
+while (mac_isgraph(*s) && *s != ':')
+  {
+  if (ptr < max-1) name[ptr++] = *s;
+  s++;
+  }
+if (*s == ':') s++;
+name[ptr++] = ':';
+name[ptr] = 0;
+return s;
+}
+
+
+
+/*************************************************
+*           Pick out a number from a string      *
+*************************************************/
+
+/* Arguments:
+  n     points to an integer into which to put the number
+  s     points to the first digit of the number
+
+Returns:  a pointer to the character after the last digit
+*/
+/*XXX consider expanding to int_eximarith_t.  But the test for
+"overbig numbers" in 0002 still needs to overflow it. */
+
+static uschar *
+read_number(int *n, uschar *s)
+{
+*n = 0;
+while (isdigit(*s)) *n = *n * 10 + (*s++ - '0');
+return s;
+}
+
+static const uschar *
+read_cnumber(int *n, const uschar *s)
+{
+*n = 0;
+while (isdigit(*s)) *n = *n * 10 + (*s++ - '0');
+return s;
+}
+
+
+
+/*************************************************
+*        Extract keyed subfield from a string    *
+*************************************************/
+
+/* The yield is in dynamic store; NULL means that the key was not found.
+
+Arguments:
+  key       points to the name of the key
+  s         points to the string from which to extract the subfield
+
+Returns:    NULL if the subfield was not found, or
+            a pointer to the subfield's data
+*/
+
+uschar *
+expand_getkeyed(const uschar * key, const uschar * s)
+{
+int length = Ustrlen(key);
+Uskip_whitespace(&s);
+
+/* Loop to search for the key */
+
+while (*s)
+  {
+  int dkeylength;
+  uschar * data;
+  const uschar * dkey = s;
+
+  while (*s && *s != '=' && !isspace(*s)) s++;
+  dkeylength = s - dkey;
+  if (Uskip_whitespace(&s) == '=') while (isspace(*++s));
+
+  data = string_dequote(&s);
+  if (length == dkeylength && strncmpic(key, dkey, length) == 0)
+    return data;
+
+  Uskip_whitespace(&s);
+  }
+
+return NULL;
+}
+
+
+
+static var_entry *
+find_var_ent(uschar * name)
+{
+int first = 0;
+int last = var_table_size;
+
+while (last > first)
+  {
+  int middle = (first + last)/2;
+  int c = Ustrcmp(name, var_table[middle].name);
+
+  if (c > 0) { first = middle + 1; continue; }
+  if (c < 0) { last = middle; continue; }
+  return &var_table[middle];
+  }
+return NULL;
+}
+
+/*************************************************
+*   Extract numbered subfield from string        *
+*************************************************/
+
+/* Extracts a numbered field from a string that is divided by tokens - for
+example a line from /etc/passwd is divided by colon characters.  First field is
+numbered one.  Negative arguments count from the right. Zero returns the whole
+string. Returns NULL if there are insufficient tokens in the string
+
+***WARNING***
+Modifies final argument - this is a dynamically generated string, so that's OK.
+
+Arguments:
+  field       number of field to be extracted,
+                first field = 1, whole string = 0, last field = -1
+  separators  characters that are used to break string into tokens
+  s           points to the string from which to extract the subfield
+
+Returns:      NULL if the field was not found,
+              a pointer to the field's data inside s (modified to add 0)
+*/
+
+static uschar *
+expand_gettokened (int field, uschar *separators, uschar *s)
+{
+int sep = 1;
+int count;
+uschar *ss = s;
+uschar *fieldtext = NULL;
+
+if (field == 0) return s;
+
+/* Break the line up into fields in place; for field > 0 we stop when we have
+done the number of fields we want. For field < 0 we continue till the end of
+the string, counting the number of fields. */
+
+count = (field > 0)? field : INT_MAX;
+
+while (count-- > 0)
+  {
+  size_t len;
+
+  /* Previous field was the last one in the string. For a positive field
+  number, this means there are not enough fields. For a negative field number,
+  check that there are enough, and scan back to find the one that is wanted. */
+
+  if (sep == 0)
+    {
+    if (field > 0 || (-field) > (INT_MAX - count - 1)) return NULL;
+    if ((-field) == (INT_MAX - count - 1)) return s;
+    while (field++ < 0)
+      {
+      ss--;
+      while (ss[-1] != 0) ss--;
+      }
+    fieldtext = ss;
+    break;
+    }
+
+  /* Previous field was not last in the string; save its start and put a
+  zero at its end. */
+
+  fieldtext = ss;
+  len = Ustrcspn(ss, separators);
+  sep = ss[len];
+  ss[len] = 0;
+  ss += len + 1;
+  }
+
+return fieldtext;
+}
+
+
+static uschar *
+expand_getlistele(int field, const uschar * list)
+{
+const uschar * tlist = list;
+int sep = 0;
+/* Tainted mem for the throwaway element copies */
+uschar * dummy = store_get(2, GET_TAINTED);
+
+if (field < 0)
+  {
+  for (field++; string_nextinlist(&tlist, &sep, dummy, 1); ) field++;
+  sep = 0;
+  }
+if (field == 0) return NULL;
+while (--field > 0 && (string_nextinlist(&list, &sep, dummy, 1))) ;
+return string_nextinlist(&list, &sep, NULL, 0);
+}
+
+
+/* Certificate fields, by name.  Worry about by-OID later */
+/* Names are chosen to not have common prefixes */
+
+#ifndef DISABLE_TLS
+typedef struct
+{
+uschar * name;
+int      namelen;
+uschar * (*getfn)(void * cert, uschar * mod);
+} certfield;
+static certfield certfields[] =
+{			/* linear search; no special order */
+  { US"version",	 7,  &tls_cert_version },
+  { US"serial_number",	 13, &tls_cert_serial_number },
+  { US"subject",	 7,  &tls_cert_subject },
+  { US"notbefore",	 9,  &tls_cert_not_before },
+  { US"notafter",	 8,  &tls_cert_not_after },
+  { US"issuer",		 6,  &tls_cert_issuer },
+  { US"signature",	 9,  &tls_cert_signature },
+  { US"sig_algorithm",	 13, &tls_cert_signature_algorithm },
+  { US"subj_altname",    12, &tls_cert_subject_altname },
+  { US"ocsp_uri",	 8,  &tls_cert_ocsp_uri },
+  { US"crl_uri",	 7,  &tls_cert_crl_uri },
+};
+
+static uschar *
+expand_getcertele(uschar * field, uschar * certvar)
+{
+var_entry * vp;
+
+if (!(vp = find_var_ent(certvar)))
+  {
+  expand_string_message =
+    string_sprintf("no variable named \"%s\"", certvar);
+  return NULL;          /* Unknown variable name */
+  }
+/* NB this stops us passing certs around in variable.  Might
+want to do that in future */
+if (vp->type != vtype_cert)
+  {
+  expand_string_message =
+    string_sprintf("\"%s\" is not a certificate", certvar);
+  return NULL;          /* Unknown variable name */
+  }
+if (!*(void **)vp->value)
+  return NULL;
+
+if (*field >= '0' && *field <= '9')
+  return tls_cert_ext_by_oid(*(void **)vp->value, field, 0);
+
+for (certfield * cp = certfields;
+     cp < certfields + nelem(certfields);
+     cp++)
+  if (Ustrncmp(cp->name, field, cp->namelen) == 0)
+    {
+    uschar * modifier = *(field += cp->namelen) == ','
+      ? ++field : NULL;
+    return (*cp->getfn)( *(void **)vp->value, modifier );
+    }
+
+expand_string_message =
+  string_sprintf("bad field selector \"%s\" for certextract", field);
+return NULL;
+}
+#endif	/*DISABLE_TLS*/
+
+/*************************************************
+*        Extract a substring from a string       *
+*************************************************/
+
+/* Perform the ${substr or ${length expansion operations.
+
+Arguments:
+  subject     the input string
+  value1      the offset from the start of the input string to the start of
+                the output string; if negative, count from the right.
+  value2      the length of the output string, or negative (-1) for unset
+                if value1 is positive, unset means "all after"
+                if value1 is negative, unset means "all before"
+  len         set to the length of the returned string
+
+Returns:      pointer to the output string, or NULL if there is an error
+*/
+
+static uschar *
+extract_substr(uschar *subject, int value1, int value2, int *len)
+{
+int sublen = Ustrlen(subject);
+
+if (value1 < 0)    /* count from right */
+  {
+  value1 += sublen;
+
+  /* If the position is before the start, skip to the start, and adjust the
+  length. If the length ends up negative, the substring is null because nothing
+  can precede. This falls out naturally when the length is unset, meaning "all
+  to the left". */
+
+  if (value1 < 0)
+    {
+    value2 += value1;
+    if (value2 < 0) value2 = 0;
+    value1 = 0;
+    }
+
+  /* Otherwise an unset length => characters before value1 */
+
+  else if (value2 < 0)
+    {
+    value2 = value1;
+    value1 = 0;
+    }
+  }
+
+/* For a non-negative offset, if the starting position is past the end of the
+string, the result will be the null string. Otherwise, an unset length means
+"rest"; just set it to the maximum - it will be cut down below if necessary. */
+
+else
+  {
+  if (value1 > sublen)
+    {
+    value1 = sublen;
+    value2 = 0;
+    }
+  else if (value2 < 0) value2 = sublen;
+  }
+
+/* Cut the length down to the maximum possible for the offset value, and get
+the required characters. */
+
+if (value1 + value2 > sublen) value2 = sublen - value1;
+*len = value2;
+return subject + value1;
+}
+
+
+
+
+/*************************************************
+*            Old-style hash of a string          *
+*************************************************/
+
+/* Perform the ${hash expansion operation.
+
+Arguments:
+  subject     the input string (an expanded substring)
+  value1      the length of the output string; if greater or equal to the
+                length of the input string, the input string is returned
+  value2      the number of hash characters to use, or 26 if negative
+  len         set to the length of the returned string
+
+Returns:      pointer to the output string, or NULL if there is an error
+*/
+
+static uschar *
+compute_hash(uschar *subject, int value1, int value2, int *len)
+{
+int sublen = Ustrlen(subject);
+
+if (value2 < 0) value2 = 26;
+else if (value2 > Ustrlen(hashcodes))
+  {
+  expand_string_message =
+    string_sprintf("hash count \"%d\" too big", value2);
+  return NULL;
+  }
+
+/* Calculate the hash text. We know it is shorter than the original string, so
+can safely place it in subject[] (we know that subject is always itself an
+expanded substring). */
+
+if (value1 < sublen)
+  {
+  int c;
+  int i = 0;
+  int j = value1;
+  while ((c = (subject[j])) != 0)
+    {
+    int shift = (c + j++) & 7;
+    subject[i] ^= (c << shift) | (c >> (8-shift));
+    if (++i >= value1) i = 0;
+    }
+  for (i = 0; i < value1; i++)
+    subject[i] = hashcodes[(subject[i]) % value2];
+  }
+else value1 = sublen;
+
+*len = value1;
+return subject;
+}
+
+
+
+
+/*************************************************
+*             Numeric hash of a string           *
+*************************************************/
+
+/* Perform the ${nhash expansion operation. The first characters of the
+string are treated as most important, and get the highest prime numbers.
+
+Arguments:
+  subject     the input string
+  value1      the maximum value of the first part of the result
+  value2      the maximum value of the second part of the result,
+                or negative to produce only a one-part result
+  len         set to the length of the returned string
+
+Returns:  pointer to the output string, or NULL if there is an error.
+*/
+
+static uschar *
+compute_nhash (uschar *subject, int value1, int value2, int *len)
+{
+uschar *s = subject;
+int i = 0;
+unsigned long int total = 0; /* no overflow */
+
+while (*s != 0)
+  {
+  if (i == 0) i = nelem(prime) - 1;
+  total += prime[i--] * (unsigned int)(*s++);
+  }
+
+/* If value2 is unset, just compute one number */
+
+if (value2 < 0)
+  s = string_sprintf("%lu", total % value1);
+
+/* Otherwise do a div/mod hash */
+
+else
+  {
+  total = total % (value1 * value2);
+  s = string_sprintf("%lu/%lu", total/value2, total % value2);
+  }
+
+*len = Ustrlen(s);
+return s;
+}
+
+
+
+
+
+/*************************************************
+*     Find the value of a header or headers      *
+*************************************************/
+
+/* Multiple instances of the same header get concatenated, and this function
+can also return a concatenation of all the header lines. When concatenating
+specific headers that contain lists of addresses, a comma is inserted between
+them. Otherwise we use a straight concatenation. Because some messages can have
+pathologically large number of lines, there is a limit on the length that is
+returned.
+
+Arguments:
+  name          the name of the header, without the leading $header_ or $h_,
+                or NULL if a concatenation of all headers is required
+  newsize       return the size of memory block that was obtained; may be NULL
+                if exists_only is TRUE
+  flags		FH_EXISTS_ONLY
+		  set if called from a def: test; don't need to build a string;
+		  just return a string that is not "" and not "0" if the header
+		  exists
+		FH_WANT_RAW
+		  set if called for $rh_ or $rheader_ items; no processing,
+		  other than concatenating, will be done on the header. Also used
+		  for $message_headers_raw.
+		FH_WANT_LIST
+		  Double colon chars in the content, and replace newline with
+		  colon between each element when concatenating; returning a
+		  colon-sep list (elements might contain newlines)
+  charset       name of charset to translate MIME words to; used only if
+                want_raw is false; if NULL, no translation is done (this is
+                used for $bh_ and $bheader_)
+
+Returns:        NULL if the header does not exist, else a pointer to a new
+                store block
+*/
+
+static uschar *
+find_header(uschar *name, int *newsize, unsigned flags, const uschar *charset)
+{
+BOOL found = !name;
+int len = name ? Ustrlen(name) : 0;
+BOOL comma = FALSE;
+gstring * g = NULL;
+
+for (header_line * h = header_list; h; h = h->next)
+  if (h->type != htype_old && h->text)  /* NULL => Received: placeholder */
+    if (!name || (len <= h->slen && strncmpic(name, h->text, len) == 0))
+      {
+      uschar * s, * t;
+      size_t inc;
+
+      if (flags & FH_EXISTS_ONLY)
+	return US"1";  /* don't need actual string */
+
+      found = TRUE;
+      s = h->text + len;		/* text to insert */
+      if (!(flags & FH_WANT_RAW))	/* unless wanted raw, */
+	Uskip_whitespace(&s);		/* remove leading white space */
+      t = h->text + h->slen;		/* end-point */
+
+      /* Unless wanted raw, remove trailing whitespace, including the
+      newline. */
+
+      if (flags & FH_WANT_LIST)
+	while (t > s && t[-1] == '\n') t--;
+      else if (!(flags & FH_WANT_RAW))
+	{
+	while (t > s && isspace(t[-1])) t--;
+
+	/* Set comma if handling a single header and it's one of those
+	that contains an address list, except when asked for raw headers. Only
+	need to do this once. */
+
+	if (name && !comma && Ustrchr("BCFRST", h->type)) comma = TRUE;
+	}
+
+      /* Trim the header roughly if we're approaching limits */
+      inc = t - s;
+      if (gstring_length(g) + inc > header_insert_maxlen)
+	inc = header_insert_maxlen - gstring_length(g);
+
+      /* For raw just copy the data; for a list, add the data as a colon-sep
+      list-element; for comma-list add as an unchecked comma,newline sep
+      list-elemment; for other nonraw add as an unchecked newline-sep list (we
+      stripped trailing WS above including the newline). We ignore the potential
+      expansion due to colon-doubling, just leaving the loop if the limit is met
+      or exceeded. */
+
+      if (flags & FH_WANT_LIST)
+        g = string_append_listele_n(g, ':', s, (unsigned)inc);
+      else if (flags & FH_WANT_RAW)
+	g = string_catn(g, s, (unsigned)inc);
+      else if (inc > 0)
+	g = string_append2_listele_n(g, comma ? US",\n" : US"\n",
+	  s, (unsigned)inc);
+
+      if (gstring_length(g) >= header_insert_maxlen) break;
+      }
+
+if (!found) return NULL;	/* No header found */
+if (!g) return US"";
+
+/* That's all we do for raw header expansion. */
+
+*newsize = g->size;
+if (flags & FH_WANT_RAW)
+  return string_from_gstring(g);
+
+/* Otherwise do RFC 2047 decoding, translating the charset if requested.
+The rfc2047_decode2() function can return an error with decoded data if the
+charset translation fails. If decoding fails, it returns NULL. */
+
+else
+  {
+  uschar * error, * decoded = rfc2047_decode2(string_from_gstring(g),
+    check_rfc2047_length, charset, '?', NULL, newsize, &error);
+  if (error)
+    DEBUG(D_any) debug_printf("*** error in RFC 2047 decoding: %s\n"
+      "    input was: %s\n", error, g->s);
+  return decoded ? decoded : string_from_gstring(g);
+  }
+}
+
+
+
+
+/* Append a "local" element to an Authentication-Results: header
+if this was a non-smtp message.
+*/
+
+static gstring *
+authres_local(gstring * g, const uschar * sysname)
+{
+if (!f.authentication_local)
+  return g;
+g = string_append(g, 3, US";\n\tlocal=pass (non-smtp, ", sysname, US")");
+if (authenticated_id) g = string_append(g, 2, " u=", authenticated_id);
+return g;
+}
+
+
+/* Append an "iprev" element to an Authentication-Results: header
+if we have attempted to get the calling host's name.
+*/
+
+static gstring *
+authres_iprev(gstring * g)
+{
+if (sender_host_name)
+  g = string_append(g, 3, US";\n\tiprev=pass (", sender_host_name, US")");
+else if (host_lookup_deferred)
+  g = string_cat(g, US";\n\tiprev=temperror");
+else if (host_lookup_failed)
+  g = string_cat(g, US";\n\tiprev=fail");
+else
+  return g;
+
+if (sender_host_address)
+  g = string_append(g, 2, US" smtp.remote-ip=", sender_host_address);
+return g;
+}
+
+
+
+/*************************************************
+*               Return list of recipients        *
+*************************************************/
+/* A recipients list is available only during system message filtering,
+during ACL processing after DATA, and while expanding pipe commands
+generated from a system filter, but not elsewhere. */
+
+static uschar *
+fn_recipients(void)
+{
+uschar * s;
+gstring * g = NULL;
+
+if (!f.enable_dollar_recipients) return NULL;
+
+for (int i = 0; i < recipients_count; i++)
+  {
+  s = recipients_list[i].address;
+  g = string_append2_listele_n(g, US", ", s, Ustrlen(s));
+  }
+return g ? g->s : NULL;
+}
+
+
+/*************************************************
+*               Return size of queue             *
+*************************************************/
+/* Ask the daemon for the queue size */
+
+static uschar *
+fn_queue_size(void)
+{
+struct sockaddr_un sa_un = {.sun_family = AF_UNIX};
+uschar buf[16];
+int fd;
+ssize_t len;
+const uschar * where;
+#ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
+uschar * sname;
+#endif
+
+if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0)
+  {
+  DEBUG(D_expand) debug_printf(" socket: %s\n", strerror(errno));
+  return NULL;
+  }
+
+#ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
+sa_un.sun_path[0] = 0;	/* Abstract local socket addr - Linux-specific? */
+len = offsetof(struct sockaddr_un, sun_path) + 1
+  + snprintf(sa_un.sun_path+1, sizeof(sa_un.sun_path)-1, "exim_%d", getpid());
+#else
+sname = string_sprintf("%s/p_%d", spool_directory, getpid());
+len = offsetof(struct sockaddr_un, sun_path)
+  + snprintf(sa_un.sun_path, sizeof(sa_un.sun_path), "%s", sname);
+#endif
+
+if (bind(fd, (const struct sockaddr *)&sa_un, len) < 0)
+  { where = US"bind"; goto bad; }
+
+#ifdef notdef
+debug_printf("local addr '%s%s'\n",
+  *sa_un.sun_path ? "" : "@",
+  sa_un.sun_path + (*sa_un.sun_path ? 0 : 1));
+#endif
+
+#ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
+sa_un.sun_path[0] = 0;	/* Abstract local socket addr - Linux-specific? */
+len = offsetof(struct sockaddr_un, sun_path) + 1
+  + snprintf(sa_un.sun_path+1, sizeof(sa_un.sun_path)-1, "%s",
+	      expand_string(notifier_socket));
+#else
+len = offsetof(struct sockaddr_un, sun_path)
+  + snprintf(sa_un.sun_path, sizeof(sa_un.sun_path), "%s",
+	      expand_string(notifier_socket));
+#endif
+
+if (connect(fd, (const struct sockaddr *)&sa_un, len) < 0)
+  { where = US"connect"; goto bad2; }
+
+buf[0] = NOTIFY_QUEUE_SIZE_REQ;
+if (send(fd, buf, 1, 0) < 0) { where = US"send"; goto bad; }
+
+if (poll_one_fd(fd, POLLIN, 2 * 1000) != 1)
+  {
+  DEBUG(D_expand) debug_printf("no daemon response; using local evaluation\n");
+  len = snprintf(CS buf, sizeof(buf), "%u", queue_count_cached());
+  }
+else if ((len = recv(fd, buf, sizeof(buf), 0)) < 0)
+  { where = US"recv"; goto bad2; }
+
+close(fd);
+#ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
+Uunlink(sname);
+#endif
+return string_copyn(buf, len);
+
+bad2:
+#ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
+  Uunlink(sname);
+#endif
+bad:
+  close(fd);
+  DEBUG(D_expand) debug_printf(" %s: %s\n", where, strerror(errno));
+  return NULL;
+}
+
+
+/*************************************************
+*               Find value of a variable         *
+*************************************************/
+
+/* The table of variables is kept in alphabetic order, so we can search it
+using a binary chop. The "choplen" variable is nothing to do with the binary
+chop.
+
+Arguments:
+  name          the name of the variable being sought
+  exists_only   TRUE if this is a def: test; passed on to find_header()
+  skipping      TRUE => skip any processing evaluation; this is not the same as
+                  exists_only because def: may test for values that are first
+                  evaluated here
+  newsize       pointer to an int which is initially zero; if the answer is in
+                a new memory buffer, *newsize is set to its size
+
+Returns:        NULL if the variable does not exist, or
+                a pointer to the variable's contents, or
+                something non-NULL if exists_only is TRUE
+*/
+
+static const uschar *
+find_variable(uschar *name, BOOL exists_only, BOOL skipping, int *newsize)
+{
+var_entry * vp;
+uschar *s, *domain;
+uschar **ss;
+void * val;
+
+/* Handle ACL variables, whose names are of the form acl_cxxx or acl_mxxx.
+Originally, xxx had to be a number in the range 0-9 (later 0-19), but from
+release 4.64 onwards arbitrary names are permitted, as long as the first 5
+characters are acl_c or acl_m and the sixth is either a digit or an underscore
+(this gave backwards compatibility at the changeover). There may be built-in
+variables whose names start acl_ but they should never start in this way. This
+slightly messy specification is a consequence of the history, needless to say.
+
+If an ACL variable does not exist, treat it as empty, unless strict_acl_vars is
+set, in which case give an error. */
+
+if ((Ustrncmp(name, "acl_c", 5) == 0 || Ustrncmp(name, "acl_m", 5) == 0) &&
+     !isalpha(name[5]))
+  {
+  tree_node * node =
+    tree_search(name[4] == 'c' ? acl_var_c : acl_var_m, name + 4);
+  return node ? node->data.ptr : strict_acl_vars ? NULL : US"";
+  }
+else if (Ustrncmp(name, "r_", 2) == 0)
+  {
+  tree_node * node = tree_search(router_var, name + 2);
+  return node ? node->data.ptr : strict_acl_vars ? NULL : US"";
+  }
+
+/* Handle $auth<n> variables. */
+
+if (Ustrncmp(name, "auth", 4) == 0)
+  {
+  uschar *endptr;
+  int n = Ustrtoul(name + 4, &endptr, 10);
+  if (!*endptr && n != 0 && n <= AUTH_VARS)
+    return auth_vars[n-1] ? auth_vars[n-1] : US"";
+  }
+else if (Ustrncmp(name, "regex", 5) == 0)
+  {
+  uschar *endptr;
+  int n = Ustrtoul(name + 5, &endptr, 10);
+  if (!*endptr && n != 0 && n <= REGEX_VARS)
+    return regex_vars[n-1] ? regex_vars[n-1] : US"";
+  }
+
+/* For all other variables, search the table */
+
+if (!(vp = find_var_ent(name)))
+  return NULL;          /* Unknown variable name */
+
+/* Found an existing variable. If in skipping state, the value isn't needed,
+and we want to avoid processing (such as looking up the host name). */
+
+if (skipping)
+  return US"";
+
+val = vp->value;
+switch (vp->type)
+  {
+  case vtype_filter_int:
+    if (!f.filter_running) return NULL;
+    /* Fall through */
+    /* VVVVVVVVVVVV */
+  case vtype_int:
+    sprintf(CS var_buffer, "%d", *(int *)(val)); /* Integer */
+    return var_buffer;
+
+  case vtype_ino:
+    sprintf(CS var_buffer, "%ld", (long int)(*(ino_t *)(val))); /* Inode */
+    return var_buffer;
+
+  case vtype_gid:
+    sprintf(CS var_buffer, "%ld", (long int)(*(gid_t *)(val))); /* gid */
+    return var_buffer;
+
+  case vtype_uid:
+    sprintf(CS var_buffer, "%ld", (long int)(*(uid_t *)(val))); /* uid */
+    return var_buffer;
+
+  case vtype_bool:
+    sprintf(CS var_buffer, "%s", *(BOOL *)(val) ? "yes" : "no"); /* bool */
+    return var_buffer;
+
+  case vtype_stringptr:                      /* Pointer to string */
+    return (s = *((uschar **)(val))) ? s : US"";
+
+  case vtype_pid:
+    sprintf(CS var_buffer, "%d", (int)getpid()); /* pid */
+    return var_buffer;
+
+  case vtype_load_avg:
+    sprintf(CS var_buffer, "%d", OS_GETLOADAVG()); /* load_average */
+    return var_buffer;
+
+  case vtype_host_lookup:                    /* Lookup if not done so */
+    if (  !sender_host_name && sender_host_address
+       && !host_lookup_failed && host_name_lookup() == OK)
+      host_build_sender_fullhost();
+    return sender_host_name ? sender_host_name : US"";
+
+  case vtype_localpart:                      /* Get local part from address */
+    if (!(s = *((uschar **)(val)))) return US"";
+    if (!(domain = Ustrrchr(s, '@'))) return s;
+    if (domain - s > sizeof(var_buffer) - 1)
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "local part longer than " SIZE_T_FMT
+	  " in string expansion", sizeof(var_buffer));
+    return string_copyn(s, domain - s);
+
+  case vtype_domain:                         /* Get domain from address */
+    if (!(s = *((uschar **)(val)))) return US"";
+    domain = Ustrrchr(s, '@');
+    return domain ? domain + 1 : US"";
+
+  case vtype_msgheaders:
+    return find_header(NULL, newsize, exists_only ? FH_EXISTS_ONLY : 0, NULL);
+
+  case vtype_msgheaders_raw:
+    return find_header(NULL, newsize,
+		exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW, NULL);
+
+  case vtype_msgbody:                        /* Pointer to msgbody string */
+  case vtype_msgbody_end:                    /* Ditto, the end of the msg */
+    ss = (uschar **)(val);
+    if (!*ss && deliver_datafile >= 0)  /* Read body when needed */
+      {
+      uschar * body;
+      off_t start_offset = SPOOL_DATA_START_OFFSET;
+      int len = message_body_visible;
+
+      if (len > message_size) len = message_size;
+      *ss = body = store_get(len+1, GET_TAINTED);
+      body[0] = 0;
+      if (vp->type == vtype_msgbody_end)
+	{
+	struct stat statbuf;
+	if (fstat(deliver_datafile, &statbuf) == 0)
+	  {
+	  start_offset = statbuf.st_size - len;
+	  if (start_offset < SPOOL_DATA_START_OFFSET)
+	    start_offset = SPOOL_DATA_START_OFFSET;
+	  }
+	}
+      if (lseek(deliver_datafile, start_offset, SEEK_SET) < 0)
+	log_write(0, LOG_MAIN|LOG_PANIC_DIE, "deliver_datafile lseek: %s",
+	  strerror(errno));
+      if ((len = read(deliver_datafile, body, len)) > 0)
+	{
+	body[len] = 0;
+	if (message_body_newlines)   /* Separate loops for efficiency */
+	  while (len > 0)
+	    { if (body[--len] == 0) body[len] = ' '; }
+	else
+	  while (len > 0)
+	    { if (body[--len] == '\n' || body[len] == 0) body[len] = ' '; }
+	}
+      }
+    return *ss ? *ss : US"";
+
+  case vtype_todbsdin:                       /* BSD inbox time of day */
+    return tod_stamp(tod_bsdin);
+
+  case vtype_tode:                           /* Unix epoch time of day */
+    return tod_stamp(tod_epoch);
+
+  case vtype_todel:                          /* Unix epoch/usec time of day */
+    return tod_stamp(tod_epoch_l);
+
+  case vtype_todf:                           /* Full time of day */
+    return tod_stamp(tod_full);
+
+  case vtype_todl:                           /* Log format time of day */
+    return tod_stamp(tod_log_bare);            /* (without timezone) */
+
+  case vtype_todzone:                        /* Time zone offset only */
+    return tod_stamp(tod_zone);
+
+  case vtype_todzulu:                        /* Zulu time */
+    return tod_stamp(tod_zulu);
+
+  case vtype_todlf:                          /* Log file datestamp tod */
+    return tod_stamp(tod_log_datestamp_daily);
+
+  case vtype_reply:                          /* Get reply address */
+    s = find_header(US"reply-to:", newsize,
+		exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW,
+		headers_charset);
+    if (s) Uskip_whitespace(&s);
+    if (!s || !*s)
+      {
+      *newsize = 0;                            /* For the *s==0 case */
+      s = find_header(US"from:", newsize,
+		exists_only ? FH_EXISTS_ONLY|FH_WANT_RAW : FH_WANT_RAW,
+		headers_charset);
+      }
+    if (s)
+      {
+      uschar *t;
+      Uskip_whitespace(&s);
+      for (t = s; *t; t++) if (*t == '\n') *t = ' ';
+      while (t > s && isspace(t[-1])) t--;
+      *t = 0;
+      }
+    return s ? s : US"";
+
+  case vtype_string_func:
+    {
+    stringptr_fn_t * fn = (stringptr_fn_t *) val;
+    uschar* s = fn();
+    return s ? s : US"";
+    }
+
+  case vtype_pspace:
+    {
+    int inodes;
+    sprintf(CS var_buffer, PR_EXIM_ARITH,
+      receive_statvfs(val == (void *)TRUE, &inodes));
+    }
+  return var_buffer;
+
+  case vtype_pinodes:
+    {
+    int inodes;
+    (void) receive_statvfs(val == (void *)TRUE, &inodes);
+    sprintf(CS var_buffer, "%d", inodes);
+    }
+  return var_buffer;
+
+  case vtype_cert:
+    return *(void **)val ? US"<cert>" : US"";
+
+#ifndef DISABLE_DKIM
+  case vtype_dkim:
+    return dkim_exim_expand_query((int)(long)val);
+#endif
+
+  }
+
+return NULL;  /* Unknown variable. Silences static checkers. */
+}
+
+
+
+
+void
+modify_variable(uschar *name, void * value)
+{
+var_entry * vp;
+if ((vp = find_var_ent(name))) vp->value = value;
+return;          /* Unknown variable name, fail silently */
+}
+
+
+
+
+
+
+/*************************************************
+*           Read and expand substrings           *
+*************************************************/
+
+/* This function is called to read and expand argument substrings for various
+expansion items. Some have a minimum requirement that is less than the maximum;
+in these cases, the first non-present one is set to NULL.
+
+Arguments:
+  sub        points to vector of pointers to set
+  n          maximum number of substrings
+  m          minimum required
+  sptr       points to current string pointer
+  skipping   the skipping flag
+  check_end  if TRUE, check for final '}'
+  name       name of item, for error message
+  resetok    if not NULL, pointer to flag - write FALSE if unsafe to reset
+	     the store.
+
+Returns:     0 OK; string pointer updated
+             1 curly bracketing error (too few arguments)
+             2 too many arguments (only if check_end is set); message set
+             3 other error (expansion failure)
+*/
+
+static int
+read_subs(uschar **sub, int n, int m, const uschar **sptr, BOOL skipping,
+  BOOL check_end, uschar *name, BOOL *resetok)
+{
+const uschar *s = *sptr;
+
+Uskip_whitespace(&s);
+for (int i = 0; i < n; i++)
+  {
+  if (*s != '{')
+    {
+    if (i < m)
+      {
+      expand_string_message = string_sprintf("Not enough arguments for '%s' "
+	"(min is %d)", name, m);
+      return 1;
+      }
+    sub[i] = NULL;
+    break;
+    }
+  if (!(sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, resetok)))
+    return 3;
+  if (*s++ != '}') return 1;
+  Uskip_whitespace(&s);
+  }
+if (check_end && *s++ != '}')
+  {
+  if (s[-1] == '{')
+    {
+    expand_string_message = string_sprintf("Too many arguments for '%s' "
+      "(max is %d)", name, n);
+    return 2;
+    }
+  expand_string_message = string_sprintf("missing '}' after '%s'", name);
+  return 1;
+  }
+
+*sptr = s;
+return 0;
+}
+
+
+
+
+/*************************************************
+*     Elaborate message for bad variable         *
+*************************************************/
+
+/* For the "unknown variable" message, take a look at the variable's name, and
+give additional information about possible ACL variables. The extra information
+is added on to expand_string_message.
+
+Argument:   the name of the variable
+Returns:    nothing
+*/
+
+static void
+check_variable_error_message(uschar *name)
+{
+if (Ustrncmp(name, "acl_", 4) == 0)
+  expand_string_message = string_sprintf("%s (%s)", expand_string_message,
+    (name[4] == 'c' || name[4] == 'm')?
+      (isalpha(name[5])?
+        US"6th character of a user-defined ACL variable must be a digit or underscore" :
+        US"strict_acl_vars is set"    /* Syntax is OK, it has to be this */
+      ) :
+      US"user-defined ACL variables must start acl_c or acl_m");
+}
+
+
+
+/*
+Load args from sub array to globals, and call acl_check().
+Sub array will be corrupted on return.
+
+Returns:       OK         access is granted by an ACCEPT verb
+               DISCARD    access is (apparently) granted by a DISCARD verb
+	       FAIL       access is denied
+	       FAIL_DROP  access is denied; drop the connection
+	       DEFER      can't tell at the moment
+	       ERROR      disaster
+*/
+static int
+eval_acl(uschar ** sub, int nsub, uschar ** user_msgp)
+{
+int i;
+int sav_narg = acl_narg;
+int ret;
+uschar * dummy_logmsg;
+extern int acl_where;
+
+if(--nsub > nelem(acl_arg)) nsub = nelem(acl_arg);
+for (i = 0; i < nsub && sub[i+1]; i++)
+  {
+  uschar * tmp = acl_arg[i];
+  acl_arg[i] = sub[i+1];	/* place callers args in the globals */
+  sub[i+1] = tmp;		/* stash the old args using our caller's storage */
+  }
+acl_narg = i;
+while (i < nsub)
+  {
+  sub[i+1] = acl_arg[i];
+  acl_arg[i++] = NULL;
+  }
+
+DEBUG(D_expand)
+  debug_printf_indent("expanding: acl: %s  arg: %s%s\n",
+    sub[0],
+    acl_narg>0 ? acl_arg[0] : US"<none>",
+    acl_narg>1 ? " +more"   : "");
+
+ret = acl_eval(acl_where, sub[0], user_msgp, &dummy_logmsg);
+
+for (i = 0; i < nsub; i++)
+  acl_arg[i] = sub[i+1];	/* restore old args */
+acl_narg = sav_narg;
+
+return ret;
+}
+
+
+
+
+/* Return pointer to dewrapped string, with enclosing specified chars removed.
+The given string is modified on return.  Leading whitespace is skipped while
+looking for the opening wrap character, then the rest is scanned for the trailing
+(non-escaped) wrap character.  A backslash in the string will act as an escape.
+
+A nul is written over the trailing wrap, and a pointer to the char after the
+leading wrap is returned.
+
+Arguments:
+  s	String for de-wrapping
+  wrap  Two-char string, the first being the opener, second the closer wrapping
+        character
+Return:
+  Pointer to de-wrapped string, or NULL on error (with expand_string_message set).
+*/
+
+static uschar *
+dewrap(uschar * s, const uschar * wrap)
+{
+uschar * p = s;
+unsigned depth = 0;
+BOOL quotesmode = wrap[0] == wrap[1];
+
+if (Uskip_whitespace(&p) == *wrap)
+  {
+  s = ++p;
+  wrap++;
+  while (*p)
+    {
+    if (*p == '\\') p++;
+    else if (!quotesmode && *p == wrap[-1]) depth++;
+    else if (*p == *wrap)
+      if (depth == 0)
+	{
+	*p = '\0';
+	return s;
+	}
+      else
+	depth--;
+    p++;
+    }
+  }
+expand_string_message = string_sprintf("missing '%c'", *wrap);
+return NULL;
+}
+
+
+/* Pull off the leading array or object element, returning
+a copy in an allocated string.  Update the list pointer.
+
+The element may itself be an abject or array.
+Return NULL when the list is empty.
+*/
+
+static uschar *
+json_nextinlist(const uschar ** list)
+{
+unsigned array_depth = 0, object_depth = 0;
+const uschar * s = *list, * item;
+
+skip_whitespace(&s);
+
+for (item = s;
+     *s && (*s != ',' || array_depth != 0 || object_depth != 0);
+     s++)
+  switch (*s)
+    {
+    case '[': array_depth++; break;
+    case ']': array_depth--; break;
+    case '{': object_depth++; break;
+    case '}': object_depth--; break;
+    }
+*list = *s ? s+1 : s;
+if (item == s) return NULL;
+item = string_copyn(item, s - item);
+DEBUG(D_expand) debug_printf_indent("  json ele: '%s'\n", item);
+return US item;
+}
+
+
+
+/************************************************/
+/*  Return offset in ops table, or -1 if not found.
+Repoint to just after the operator in the string.
+
+Argument:
+ ss	string representation of operator
+ opname	split-out operator name
+*/
+
+static int
+identify_operator(const uschar ** ss, uschar ** opname)
+{
+const uschar * s = *ss;
+uschar name[256];
+
+/* Numeric comparisons are symbolic */
+
+if (*s == '=' || *s == '>' || *s == '<')
+  {
+  int p = 0;
+  name[p++] = *s++;
+  if (*s == '=')
+    {
+    name[p++] = '=';
+    s++;
+    }
+  name[p] = 0;
+  }
+
+/* All other conditions are named */
+
+else
+  s = read_name(name, sizeof(name), s, US"_");
+*ss = s;
+
+/* If we haven't read a name, it means some non-alpha character is first. */
+
+if (!name[0])
+  {
+  expand_string_message = string_sprintf("condition name expected, "
+    "but found \"%.16s\"", s);
+  return -1;
+  }
+if (opname)
+  *opname = string_copy(name);
+
+return chop_match(name, cond_table, nelem(cond_table));
+}
+
+
+/*************************************************
+*    Handle MD5 or SHA-1 computation for HMAC    *
+*************************************************/
+
+/* These are some wrapping functions that enable the HMAC code to be a bit
+cleaner. A good compiler will spot the tail recursion.
+
+Arguments:
+  type         HMAC_MD5 or HMAC_SHA1
+  remaining    are as for the cryptographic hash functions
+
+Returns:       nothing
+*/
+
+static void
+chash_start(int type, void * base)
+{
+if (type == HMAC_MD5)
+  md5_start((md5 *)base);
+else
+  sha1_start((hctx *)base);
+}
+
+static void
+chash_mid(int type, void * base, const uschar * string)
+{
+if (type == HMAC_MD5)
+  md5_mid((md5 *)base, string);
+else
+  sha1_mid((hctx *)base, string);
+}
+
+static void
+chash_end(int type, void * base, const uschar * string, int length,
+  uschar * digest)
+{
+if (type == HMAC_MD5)
+  md5_end((md5 *)base, string, length, digest);
+else
+  sha1_end((hctx *)base, string, length, digest);
+}
+
+
+
+
+#ifdef SUPPORT_SRS
+/* Do an hmac_md5.  The result is _not_ nul-terminated, and is sized as
+the smaller of a full hmac_md5 result (16 bytes) or the supplied output buffer.
+
+Arguments:
+	key	encoding key, nul-terminated
+	src	data to be hashed, nul-terminated
+	buf	output buffer
+	len	size of output buffer
+*/
+
+static void
+hmac_md5(const uschar * key, const uschar * src, uschar * buf, unsigned len)
+{
+md5 md5_base;
+const uschar * keyptr;
+uschar * p;
+unsigned int keylen;
+
+#define MD5_HASHLEN      16
+#define MD5_HASHBLOCKLEN 64
+
+uschar keyhash[MD5_HASHLEN];
+uschar innerhash[MD5_HASHLEN];
+uschar finalhash[MD5_HASHLEN];
+uschar innerkey[MD5_HASHBLOCKLEN];
+uschar outerkey[MD5_HASHBLOCKLEN];
+
+keyptr = key;
+keylen = Ustrlen(keyptr);
+
+/* If the key is longer than the hash block length, then hash the key
+first */
+
+if (keylen > MD5_HASHBLOCKLEN)
+  {
+  chash_start(HMAC_MD5, &md5_base);
+  chash_end(HMAC_MD5, &md5_base, keyptr, keylen, keyhash);
+  keyptr = keyhash;
+  keylen = MD5_HASHLEN;
+  }
+
+/* Now make the inner and outer key values */
+
+memset(innerkey, 0x36, MD5_HASHBLOCKLEN);
+memset(outerkey, 0x5c, MD5_HASHBLOCKLEN);
+
+for (int i = 0; i < keylen; i++)
+  {
+  innerkey[i] ^= keyptr[i];
+  outerkey[i] ^= keyptr[i];
+  }
+
+/* Now do the hashes */
+
+chash_start(HMAC_MD5, &md5_base);
+chash_mid(HMAC_MD5, &md5_base, innerkey);
+chash_end(HMAC_MD5, &md5_base, src, Ustrlen(src), innerhash);
+
+chash_start(HMAC_MD5, &md5_base);
+chash_mid(HMAC_MD5, &md5_base, outerkey);
+chash_end(HMAC_MD5, &md5_base, innerhash, MD5_HASHLEN, finalhash);
+
+/* Encode the final hash as a hex string, limited by output buffer size */
+
+p = buf;
+for (int i = 0, j = len; i < MD5_HASHLEN; i++)
+  {
+  if (j-- <= 0) break;
+  *p++ = hex_digits[(finalhash[i] & 0xf0) >> 4];
+  if (j-- <= 0) break;
+  *p++ = hex_digits[finalhash[i] & 0x0f];
+  }
+return;
+}
+#endif /*SUPPORT_SRS*/
+
+
+/*************************************************
+*        Read and evaluate a condition           *
+*************************************************/
+
+/*
+Arguments:
+  s        points to the start of the condition text
+  resetok  points to a BOOL which is written false if it is unsafe to
+	   free memory. Certain condition types (acl) may have side-effect
+	   allocation which must be preserved.
+  yield    points to a BOOL to hold the result of the condition test;
+           if NULL, we are just reading through a condition that is
+           part of an "or" combination to check syntax, or in a state
+           where the answer isn't required
+
+Returns:   a pointer to the first character after the condition, or
+           NULL after an error
+*/
+
+static const uschar *
+eval_condition(const uschar *s, BOOL *resetok, BOOL *yield)
+{
+BOOL testfor = TRUE;
+BOOL tempcond, combined_cond;
+BOOL *subcondptr;
+BOOL sub2_honour_dollar = TRUE;
+BOOL is_forany, is_json, is_jsons;
+int rc, cond_type;
+int_eximarith_t num[2];
+struct stat statbuf;
+uschar * opname;
+uschar name[256];
+const uschar *sub[10];
+
+for (;;)
+  if (Uskip_whitespace(&s) == '!') { testfor = !testfor; s++; } else break;
+
+switch(cond_type = identify_operator(&s, &opname))
+  {
+  /* def: tests for a non-empty variable, or for the existence of a header. If
+  yield == NULL we are in a skipping state, and don't care about the answer. */
+
+  case ECOND_DEF:
+    {
+    const uschar * t;
+
+    if (*s != ':')
+      {
+      expand_string_message = US"\":\" expected after \"def\"";
+      return NULL;
+      }
+
+    s = read_name(name, sizeof(name), s+1, US"_");
+
+    /* Test for a header's existence. If the name contains a closing brace
+    character, this may be a user error where the terminating colon has been
+    omitted. Set a flag to adjust a subsequent error message in this case. */
+
+    if (  ( *(t = name) == 'h'
+	  || (*t == 'r' || *t == 'l' || *t == 'b') && *++t == 'h'
+	  )
+       && (*++t == '_' || Ustrncmp(t, "eader_", 6) == 0)
+       )
+      {
+      s = read_header_name(name, sizeof(name), s);
+      /* {-for-text-editors */
+      if (Ustrchr(name, '}') != NULL) malformed_header = TRUE;
+      if (yield) *yield =
+	(find_header(name, NULL, FH_EXISTS_ONLY, NULL) != NULL) == testfor;
+      }
+
+    /* Test for a variable's having a non-empty value. A non-existent variable
+    causes an expansion failure. */
+
+    else
+      {
+      if (!(t = find_variable(name, TRUE, yield == NULL, NULL)))
+	{
+	expand_string_message = name[0]
+	  ? string_sprintf("unknown variable \"%s\" after \"def:\"", name)
+	  : US"variable name omitted after \"def:\"";
+	check_variable_error_message(name);
+	return NULL;
+	}
+      if (yield) *yield = (t[0] != 0) == testfor;
+      }
+
+    return s;
+    }
+
+
+  /* first_delivery tests for first delivery attempt */
+
+  case ECOND_FIRST_DELIVERY:
+  if (yield) *yield = f.deliver_firsttime == testfor;
+  return s;
+
+
+  /* queue_running tests for any process started by a queue runner */
+
+  case ECOND_QUEUE_RUNNING:
+  if (yield) *yield = (queue_run_pid != (pid_t)0) == testfor;
+  return s;
+
+
+  /* exists:  tests for file existence
+       isip:  tests for any IP address
+      isip4:  tests for an IPv4 address
+      isip6:  tests for an IPv6 address
+        pam:  does PAM authentication
+     radius:  does RADIUS authentication
+   ldapauth:  does LDAP authentication
+    pwcheck:  does Cyrus SASL pwcheck authentication
+  */
+
+  case ECOND_EXISTS:
+  case ECOND_ISIP:
+  case ECOND_ISIP4:
+  case ECOND_ISIP6:
+  case ECOND_PAM:
+  case ECOND_RADIUS:
+  case ECOND_LDAPAUTH:
+  case ECOND_PWCHECK:
+
+  if (Uskip_whitespace(&s) != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
+
+  sub[0] = expand_string_internal(s+1, TRUE, &s, yield == NULL, TRUE, resetok);
+  if (!sub[0]) return NULL;
+  /* {-for-text-editors */
+  if (*s++ != '}') goto COND_FAILED_CURLY_END;
+
+  if (!yield) return s;   /* No need to run the test if skipping */
+
+  switch(cond_type)
+    {
+    case ECOND_EXISTS:
+    if ((expand_forbid & RDO_EXISTS) != 0)
+      {
+      expand_string_message = US"File existence tests are not permitted";
+      return NULL;
+      }
+    *yield = (Ustat(sub[0], &statbuf) == 0) == testfor;
+    break;
+
+    case ECOND_ISIP:
+    case ECOND_ISIP4:
+    case ECOND_ISIP6:
+    rc = string_is_ip_address(sub[0], NULL);
+    *yield = ((cond_type == ECOND_ISIP)? (rc != 0) :
+             (cond_type == ECOND_ISIP4)? (rc == 4) : (rc == 6)) == testfor;
+    break;
+
+    /* Various authentication tests - all optionally compiled */
+
+    case ECOND_PAM:
+    #ifdef SUPPORT_PAM
+    rc = auth_call_pam(sub[0], &expand_string_message);
+    goto END_AUTH;
+    #else
+    goto COND_FAILED_NOT_COMPILED;
+    #endif  /* SUPPORT_PAM */
+
+    case ECOND_RADIUS:
+    #ifdef RADIUS_CONFIG_FILE
+    rc = auth_call_radius(sub[0], &expand_string_message);
+    goto END_AUTH;
+    #else
+    goto COND_FAILED_NOT_COMPILED;
+    #endif  /* RADIUS_CONFIG_FILE */
+
+    case ECOND_LDAPAUTH:
+    #ifdef LOOKUP_LDAP
+      {
+      /* Just to keep the interface the same */
+      BOOL do_cache;
+      int old_pool = store_pool;
+      store_pool = POOL_SEARCH;
+      rc = eldapauth_find((void *)(-1), NULL, sub[0], Ustrlen(sub[0]), NULL,
+        &expand_string_message, &do_cache);
+      store_pool = old_pool;
+      }
+    goto END_AUTH;
+    #else
+    goto COND_FAILED_NOT_COMPILED;
+    #endif  /* LOOKUP_LDAP */
+
+    case ECOND_PWCHECK:
+    #ifdef CYRUS_PWCHECK_SOCKET
+    rc = auth_call_pwcheck(sub[0], &expand_string_message);
+    goto END_AUTH;
+    #else
+    goto COND_FAILED_NOT_COMPILED;
+    #endif  /* CYRUS_PWCHECK_SOCKET */
+
+    #if defined(SUPPORT_PAM) || defined(RADIUS_CONFIG_FILE) || \
+        defined(LOOKUP_LDAP) || defined(CYRUS_PWCHECK_SOCKET)
+    END_AUTH:
+    if (rc == ERROR || rc == DEFER) return NULL;
+    *yield = (rc == OK) == testfor;
+    #endif
+    }
+  return s;
+
+
+  /* call ACL (in a conditional context).  Accept true, deny false.
+  Defer is a forced-fail.  Anything set by message= goes to $value.
+  Up to ten parameters are used; we use the braces round the name+args
+  like the saslauthd condition does, to permit a variable number of args.
+  See also the expansion-item version EITEM_ACL and the traditional
+  acl modifier ACLC_ACL.
+  Since the ACL may allocate new global variables, tell our caller to not
+  reclaim memory.
+  */
+
+  case ECOND_ACL:
+    /* ${if acl {{name}{arg1}{arg2}...}  {yes}{no}} */
+    {
+    uschar *sub[10];
+    uschar *user_msg;
+    BOOL cond = FALSE;
+
+    Uskip_whitespace(&s);
+    if (*s++ != '{') goto COND_FAILED_CURLY_START;	/*}*/
+
+    switch(read_subs(sub, nelem(sub), 1,
+      &s, yield == NULL, TRUE, name, resetok))
+      {
+      case 1: expand_string_message = US"too few arguments or bracketing "
+        "error for acl";
+      case 2:
+      case 3: return NULL;
+      }
+
+    if (yield)
+      {
+      int rc;
+      *resetok = FALSE;	/* eval_acl() might allocate; do not reclaim */
+      switch(rc = eval_acl(sub, nelem(sub), &user_msg))
+	{
+	case OK:
+	  cond = TRUE;
+	case FAIL:
+          lookup_value = NULL;
+	  if (user_msg)
+            lookup_value = string_copy(user_msg);
+	  *yield = cond == testfor;
+	  break;
+
+	case DEFER:
+          f.expand_string_forcedfail = TRUE;
+	  /*FALLTHROUGH*/
+	default:
+          expand_string_message = string_sprintf("%s from acl \"%s\"",
+	    rc_names[rc], sub[0]);
+	  return NULL;
+	}
+      }
+    return s;
+    }
+
+
+  /* saslauthd: does Cyrus saslauthd authentication. Four parameters are used:
+
+     ${if saslauthd {{username}{password}{service}{realm}}  {yes}{no}}
+
+  However, the last two are optional. That is why the whole set is enclosed
+  in their own set of braces. */
+
+  case ECOND_SASLAUTHD:
+#ifndef CYRUS_SASLAUTHD_SOCKET
+    goto COND_FAILED_NOT_COMPILED;
+#else
+    {
+    uschar *sub[4];
+    Uskip_whitespace(&s);
+    if (*s++ != '{') goto COND_FAILED_CURLY_START;	/* }-for-text-editors */
+    switch(read_subs(sub, nelem(sub), 2, &s, yield == NULL, TRUE, name,
+		    resetok))
+      {
+      case 1: expand_string_message = US"too few arguments or bracketing "
+	"error for saslauthd";
+      case 2:
+      case 3: return NULL;
+      }
+    if (!sub[2]) sub[3] = NULL;  /* realm if no service */
+    if (yield)
+      {
+      int rc = auth_call_saslauthd(sub[0], sub[1], sub[2], sub[3],
+	&expand_string_message);
+      if (rc == ERROR || rc == DEFER) return NULL;
+      *yield = (rc == OK) == testfor;
+      }
+    return s;
+    }
+#endif /* CYRUS_SASLAUTHD_SOCKET */
+
+
+  /* symbolic operators for numeric and string comparison, and a number of
+  other operators, all requiring two arguments.
+
+  crypteq:           encrypts plaintext and compares against an encrypted text,
+                       using crypt(), crypt16(), MD5 or SHA-1
+  inlist/inlisti:    checks if first argument is in the list of the second
+  match:             does a regular expression match and sets up the numerical
+                       variables if it succeeds
+  match_address:     matches in an address list
+  match_domain:      matches in a domain list
+  match_ip:          matches a host list that is restricted to IP addresses
+  match_local_part:  matches in a local part list
+  */
+
+  case ECOND_MATCH_ADDRESS:
+  case ECOND_MATCH_DOMAIN:
+  case ECOND_MATCH_IP:
+  case ECOND_MATCH_LOCAL_PART:
+#ifndef EXPAND_LISTMATCH_RHS
+    sub2_honour_dollar = FALSE;
+#endif
+    /* FALLTHROUGH */
+
+  case ECOND_CRYPTEQ:
+  case ECOND_INLIST:
+  case ECOND_INLISTI:
+  case ECOND_MATCH:
+
+  case ECOND_NUM_L:     /* Numerical comparisons */
+  case ECOND_NUM_LE:
+  case ECOND_NUM_E:
+  case ECOND_NUM_EE:
+  case ECOND_NUM_G:
+  case ECOND_NUM_GE:
+
+  case ECOND_STR_LT:    /* String comparisons */
+  case ECOND_STR_LTI:
+  case ECOND_STR_LE:
+  case ECOND_STR_LEI:
+  case ECOND_STR_EQ:
+  case ECOND_STR_EQI:
+  case ECOND_STR_GT:
+  case ECOND_STR_GTI:
+  case ECOND_STR_GE:
+  case ECOND_STR_GEI:
+
+  for (int i = 0; i < 2; i++)
+    {
+    /* Sometimes, we don't expand substrings; too many insecure configurations
+    created using match_address{}{} and friends, where the second param
+    includes information from untrustworthy sources. */
+    BOOL honour_dollar = TRUE;
+    if ((i > 0) && !sub2_honour_dollar)
+      honour_dollar = FALSE;
+
+    if (Uskip_whitespace(&s) != '{')
+      {
+      if (i == 0) goto COND_FAILED_CURLY_START;
+      expand_string_message = string_sprintf("missing 2nd string in {} "
+        "after \"%s\"", opname);
+      return NULL;
+      }
+    if (!(sub[i] = expand_string_internal(s+1, TRUE, &s, yield == NULL,
+        honour_dollar, resetok)))
+      return NULL;
+    DEBUG(D_expand) if (i == 1 && !sub2_honour_dollar && Ustrchr(sub[1], '$'))
+      debug_printf_indent("WARNING: the second arg is NOT expanded,"
+			" for security reasons\n");
+    if (*s++ != '}') goto COND_FAILED_CURLY_END;
+
+    /* Convert to numerical if required; we know that the names of all the
+    conditions that compare numbers do not start with a letter. This just saves
+    checking for them individually. */
+
+    if (!isalpha(opname[0]) && yield)
+      if (sub[i][0] == 0)
+        {
+        num[i] = 0;
+        DEBUG(D_expand)
+          debug_printf_indent("empty string cast to zero for numerical comparison\n");
+        }
+      else
+        {
+        num[i] = expanded_string_integer(sub[i], FALSE);
+        if (expand_string_message) return NULL;
+        }
+    }
+
+  /* Result not required */
+
+  if (!yield) return s;
+
+  /* Do an appropriate comparison */
+
+  switch(cond_type)
+    {
+    case ECOND_NUM_E:
+    case ECOND_NUM_EE:
+      tempcond = (num[0] == num[1]); break;
+
+    case ECOND_NUM_G:
+      tempcond = (num[0] > num[1]); break;
+
+    case ECOND_NUM_GE:
+      tempcond = (num[0] >= num[1]); break;
+
+    case ECOND_NUM_L:
+      tempcond = (num[0] < num[1]); break;
+
+    case ECOND_NUM_LE:
+      tempcond = (num[0] <= num[1]); break;
+
+    case ECOND_STR_LT:
+      tempcond = (Ustrcmp(sub[0], sub[1]) < 0); break;
+
+    case ECOND_STR_LTI:
+      tempcond = (strcmpic(sub[0], sub[1]) < 0); break;
+
+    case ECOND_STR_LE:
+      tempcond = (Ustrcmp(sub[0], sub[1]) <= 0); break;
+
+    case ECOND_STR_LEI:
+      tempcond = (strcmpic(sub[0], sub[1]) <= 0); break;
+
+    case ECOND_STR_EQ:
+      tempcond = (Ustrcmp(sub[0], sub[1]) == 0); break;
+
+    case ECOND_STR_EQI:
+      tempcond = (strcmpic(sub[0], sub[1]) == 0); break;
+
+    case ECOND_STR_GT:
+      tempcond = (Ustrcmp(sub[0], sub[1]) > 0); break;
+
+    case ECOND_STR_GTI:
+      tempcond = (strcmpic(sub[0], sub[1]) > 0); break;
+
+    case ECOND_STR_GE:
+      tempcond = (Ustrcmp(sub[0], sub[1]) >= 0); break;
+
+    case ECOND_STR_GEI:
+      tempcond = (strcmpic(sub[0], sub[1]) >= 0); break;
+
+    case ECOND_MATCH:   /* Regular expression match */
+      {
+      const pcre2_code * re;
+      PCRE2_SIZE offset;
+      int err;
+
+      if (!(re = pcre2_compile((PCRE2_SPTR)sub[1], PCRE2_ZERO_TERMINATED,
+				PCRE_COPT, &err, &offset, pcre_cmp_ctx)))
+	{
+	uschar errbuf[128];
+	pcre2_get_error_message(err, errbuf, sizeof(errbuf));
+	expand_string_message = string_sprintf("regular expression error in "
+	  "\"%s\": %s at offset %ld", sub[1], errbuf, (long)offset);
+	return NULL;
+	}
+
+      tempcond = regex_match_and_setup(re, sub[0], 0, -1);
+      break;
+      }
+
+    case ECOND_MATCH_ADDRESS:  /* Match in an address list */
+      rc = match_address_list(sub[0], TRUE, FALSE, &(sub[1]), NULL, -1, 0,
+			      CUSS &lookup_value);
+      goto MATCHED_SOMETHING;
+
+    case ECOND_MATCH_DOMAIN:   /* Match in a domain list */
+      rc = match_isinlist(sub[0], &(sub[1]), 0, &domainlist_anchor, NULL,
+	MCL_DOMAIN + MCL_NOEXPAND, TRUE, CUSS &lookup_value);
+      goto MATCHED_SOMETHING;
+
+    case ECOND_MATCH_IP:       /* Match IP address in a host list */
+      if (sub[0][0] != 0 && string_is_ip_address(sub[0], NULL) == 0)
+	{
+	expand_string_message = string_sprintf("\"%s\" is not an IP address",
+	  sub[0]);
+	return NULL;
+	}
+      else
+	{
+	unsigned int *nullcache = NULL;
+	check_host_block cb;
+
+	cb.host_name = US"";
+	cb.host_address = sub[0];
+
+	/* If the host address starts off ::ffff: it is an IPv6 address in
+	IPv4-compatible mode. Find the IPv4 part for checking against IPv4
+	addresses. */
+
+	cb.host_ipv4 = (Ustrncmp(cb.host_address, "::ffff:", 7) == 0)?
+	  cb.host_address + 7 : cb.host_address;
+
+	rc = match_check_list(
+	       &sub[1],                   /* the list */
+	       0,                         /* separator character */
+	       &hostlist_anchor,          /* anchor pointer */
+	       &nullcache,                /* cache pointer */
+	       check_host,                /* function for testing */
+	       &cb,                       /* argument for function */
+	       MCL_HOST,                  /* type of check */
+	       sub[0],                    /* text for debugging */
+	       CUSS &lookup_value);       /* where to pass back data */
+	}
+      goto MATCHED_SOMETHING;
+
+    case ECOND_MATCH_LOCAL_PART:
+      rc = match_isinlist(sub[0], &(sub[1]), 0, &localpartlist_anchor, NULL,
+	MCL_LOCALPART + MCL_NOEXPAND, TRUE, CUSS &lookup_value);
+      /* Fall through */
+      /* VVVVVVVVVVVV */
+      MATCHED_SOMETHING:
+      switch(rc)
+	{
+	case OK:   tempcond = TRUE;  break;
+	case FAIL: tempcond = FALSE; break;
+
+	case DEFER:
+	  expand_string_message = string_sprintf("unable to complete match "
+	    "against \"%s\": %s", sub[1], search_error_message);
+	  return NULL;
+	}
+
+      break;
+
+    /* Various "encrypted" comparisons. If the second string starts with
+    "{" then an encryption type is given. Default to crypt() or crypt16()
+    (build-time choice). */
+    /* }-for-text-editors */
+
+    case ECOND_CRYPTEQ:
+    #ifndef SUPPORT_CRYPTEQ
+      goto COND_FAILED_NOT_COMPILED;
+    #else
+      if (strncmpic(sub[1], US"{md5}", 5) == 0)
+	{
+	int sublen = Ustrlen(sub[1]+5);
+	md5 base;
+	uschar digest[16];
+
+	md5_start(&base);
+	md5_end(&base, sub[0], Ustrlen(sub[0]), digest);
+
+	/* If the length that we are comparing against is 24, the MD5 digest
+	is expressed as a base64 string. This is the way LDAP does it. However,
+	some other software uses a straightforward hex representation. We assume
+	this if the length is 32. Other lengths fail. */
+
+	if (sublen == 24)
+	  {
+	  uschar *coded = b64encode(CUS digest, 16);
+	  DEBUG(D_auth) debug_printf("crypteq: using MD5+B64 hashing\n"
+	    "  subject=%s\n  crypted=%s\n", coded, sub[1]+5);
+	  tempcond = (Ustrcmp(coded, sub[1]+5) == 0);
+	  }
+	else if (sublen == 32)
+	  {
+	  uschar coded[36];
+	  for (int i = 0; i < 16; i++) sprintf(CS (coded+2*i), "%02X", digest[i]);
+	  coded[32] = 0;
+	  DEBUG(D_auth) debug_printf("crypteq: using MD5+hex hashing\n"
+	    "  subject=%s\n  crypted=%s\n", coded, sub[1]+5);
+	  tempcond = (strcmpic(coded, sub[1]+5) == 0);
+	  }
+	else
+	  {
+	  DEBUG(D_auth) debug_printf("crypteq: length for MD5 not 24 or 32: "
+	    "fail\n  crypted=%s\n", sub[1]+5);
+	  tempcond = FALSE;
+	  }
+	}
+
+      else if (strncmpic(sub[1], US"{sha1}", 6) == 0)
+	{
+	int sublen = Ustrlen(sub[1]+6);
+	hctx h;
+	uschar digest[20];
+
+	sha1_start(&h);
+	sha1_end(&h, sub[0], Ustrlen(sub[0]), digest);
+
+	/* If the length that we are comparing against is 28, assume the SHA1
+	digest is expressed as a base64 string. If the length is 40, assume a
+	straightforward hex representation. Other lengths fail. */
+
+	if (sublen == 28)
+	  {
+	  uschar *coded = b64encode(CUS digest, 20);
+	  DEBUG(D_auth) debug_printf("crypteq: using SHA1+B64 hashing\n"
+	    "  subject=%s\n  crypted=%s\n", coded, sub[1]+6);
+	  tempcond = (Ustrcmp(coded, sub[1]+6) == 0);
+	  }
+	else if (sublen == 40)
+	  {
+	  uschar coded[44];
+	  for (int i = 0; i < 20; i++) sprintf(CS (coded+2*i), "%02X", digest[i]);
+	  coded[40] = 0;
+	  DEBUG(D_auth) debug_printf("crypteq: using SHA1+hex hashing\n"
+	    "  subject=%s\n  crypted=%s\n", coded, sub[1]+6);
+	  tempcond = (strcmpic(coded, sub[1]+6) == 0);
+	  }
+	else
+	  {
+	  DEBUG(D_auth) debug_printf("crypteq: length for SHA-1 not 28 or 40: "
+	    "fail\n  crypted=%s\n", sub[1]+6);
+	  tempcond = FALSE;
+	  }
+	}
+
+      else   /* {crypt} or {crypt16} and non-{ at start */
+	     /* }-for-text-editors */
+	{
+	int which = 0;
+	uschar *coded;
+
+	if (strncmpic(sub[1], US"{crypt}", 7) == 0)
+	  {
+	  sub[1] += 7;
+	  which = 1;
+	  }
+	else if (strncmpic(sub[1], US"{crypt16}", 9) == 0)
+	  {
+	  sub[1] += 9;
+	  which = 2;
+	  }
+	else if (sub[1][0] == '{')		/* }-for-text-editors */
+	  {
+	  expand_string_message = string_sprintf("unknown encryption mechanism "
+	    "in \"%s\"", sub[1]);
+	  return NULL;
+	  }
+
+	switch(which)
+	  {
+	  case 0:  coded = US DEFAULT_CRYPT(CS sub[0], CS sub[1]); break;
+	  case 1:  coded = US crypt(CS sub[0], CS sub[1]); break;
+	  default: coded = US crypt16(CS sub[0], CS sub[1]); break;
+	  }
+
+	#define STR(s) # s
+	#define XSTR(s) STR(s)
+	DEBUG(D_auth) debug_printf("crypteq: using %s()\n"
+	  "  subject=%s\n  crypted=%s\n",
+	  which == 0 ? XSTR(DEFAULT_CRYPT) : which == 1 ? "crypt" : "crypt16",
+	  coded, sub[1]);
+	#undef STR
+	#undef XSTR
+
+	/* If the encrypted string contains fewer than two characters (for the
+	salt), force failure. Otherwise we get false positives: with an empty
+	string the yield of crypt() is an empty string! */
+
+	if (coded)
+	  tempcond = Ustrlen(sub[1]) < 2 ? FALSE : Ustrcmp(coded, sub[1]) == 0;
+	else if (errno == EINVAL)
+	  tempcond = FALSE;
+	else
+	  {
+	  expand_string_message = string_sprintf("crypt error: %s\n",
+	    US strerror(errno));
+	  return NULL;
+	  }
+	}
+      break;
+    #endif  /* SUPPORT_CRYPTEQ */
+
+    case ECOND_INLIST:
+    case ECOND_INLISTI:
+      {
+      const uschar * list = sub[1];
+      int sep = 0;
+      uschar *save_iterate_item = iterate_item;
+      int (*compare)(const uschar *, const uschar *);
+
+      DEBUG(D_expand) debug_printf_indent("condition: %s  item: %s\n", opname, sub[0]);
+
+      tempcond = FALSE;
+      compare = cond_type == ECOND_INLISTI
+        ? strcmpic : (int (*)(const uschar *, const uschar *)) strcmp;
+
+      while ((iterate_item = string_nextinlist(&list, &sep, NULL, 0)))
+	{
+	DEBUG(D_expand) debug_printf_indent(" compare %s\n", iterate_item);
+        if (compare(sub[0], iterate_item) == 0)
+          {
+          tempcond = TRUE;
+	  lookup_value = iterate_item;
+          break;
+          }
+	}
+      iterate_item = save_iterate_item;
+      }
+
+    }   /* Switch for comparison conditions */
+
+  *yield = tempcond == testfor;
+  return s;    /* End of comparison conditions */
+
+
+  /* and/or: computes logical and/or of several conditions */
+
+  case ECOND_AND:
+  case ECOND_OR:
+  subcondptr = (yield == NULL) ? NULL : &tempcond;
+  combined_cond = (cond_type == ECOND_AND);
+
+  Uskip_whitespace(&s);
+  if (*s++ != '{') goto COND_FAILED_CURLY_START;	/* }-for-text-editors */
+
+  for (;;)
+    {
+    /* {-for-text-editors */
+    if (Uskip_whitespace(&s) == '}') break;
+    if (*s != '{')					/* }-for-text-editors */
+      {
+      expand_string_message = string_sprintf("each subcondition "
+        "inside an \"%s{...}\" condition must be in its own {}", opname);
+      return NULL;
+      }
+
+    if (!(s = eval_condition(s+1, resetok, subcondptr)))
+      {
+      expand_string_message = string_sprintf("%s inside \"%s{...}\" condition",
+        expand_string_message, opname);
+      return NULL;
+      }
+    Uskip_whitespace(&s);
+
+    /* {-for-text-editors */
+    if (*s++ != '}')
+      {
+      /* {-for-text-editors */
+      expand_string_message = string_sprintf("missing } at end of condition "
+        "inside \"%s\" group", opname);
+      return NULL;
+      }
+
+    if (yield)
+      if (cond_type == ECOND_AND)
+        {
+        combined_cond &= tempcond;
+        if (!combined_cond) subcondptr = NULL;  /* once false, don't */
+        }                                       /* evaluate any more */
+      else
+        {
+        combined_cond |= tempcond;
+        if (combined_cond) subcondptr = NULL;   /* once true, don't */
+        }                                       /* evaluate any more */
+    }
+
+  if (yield) *yield = (combined_cond == testfor);
+  return ++s;
+
+
+  /* forall/forany: iterates a condition with different values */
+
+  case ECOND_FORALL:	  is_forany = FALSE;  is_json = FALSE; is_jsons = FALSE; goto FORMANY;
+  case ECOND_FORANY:	  is_forany = TRUE;   is_json = FALSE; is_jsons = FALSE; goto FORMANY;
+  case ECOND_FORALL_JSON: is_forany = FALSE;  is_json = TRUE;  is_jsons = FALSE; goto FORMANY;
+  case ECOND_FORANY_JSON: is_forany = TRUE;   is_json = TRUE;  is_jsons = FALSE; goto FORMANY;
+  case ECOND_FORALL_JSONS: is_forany = FALSE; is_json = TRUE;  is_jsons = TRUE;  goto FORMANY;
+  case ECOND_FORANY_JSONS: is_forany = TRUE;  is_json = TRUE;  is_jsons = TRUE;  goto FORMANY;
+
+  FORMANY:
+    {
+    const uschar * list;
+    int sep = 0;
+    uschar *save_iterate_item = iterate_item;
+
+    DEBUG(D_expand) debug_printf_indent("condition: %s\n", opname);
+
+    Uskip_whitespace(&s);
+    if (*s++ != '{') goto COND_FAILED_CURLY_START;	/* }-for-text-editors */
+    if (!(sub[0] = expand_string_internal(s, TRUE, &s, yield == NULL, TRUE, resetok)))
+      return NULL;
+    /* {-for-text-editors */
+    if (*s++ != '}') goto COND_FAILED_CURLY_END;
+
+    Uskip_whitespace(&s);
+    if (*s++ != '{') goto COND_FAILED_CURLY_START;	/* }-for-text-editors */
+
+    sub[1] = s;
+
+    /* Call eval_condition once, with result discarded (as if scanning a
+    "false" part). This allows us to find the end of the condition, because if
+    the list it empty, we won't actually evaluate the condition for real. */
+
+    if (!(s = eval_condition(sub[1], resetok, NULL)))
+      {
+      expand_string_message = string_sprintf("%s inside \"%s\" condition",
+        expand_string_message, opname);
+      return NULL;
+      }
+    Uskip_whitespace(&s);
+
+    /* {-for-text-editors */
+    if (*s++ != '}')
+      {
+      /* {-for-text-editors */
+      expand_string_message = string_sprintf("missing } at end of condition "
+        "inside \"%s\"", opname);
+      return NULL;
+      }
+
+    if (yield) *yield = !testfor;
+    list = sub[0];
+    if (is_json) list = dewrap(string_copy(list), US"[]");
+    while ((iterate_item = is_json
+      ? json_nextinlist(&list) : string_nextinlist(&list, &sep, NULL, 0)))
+      {
+      if (is_jsons)
+	if (!(iterate_item = dewrap(iterate_item, US"\"\"")))
+	  {
+	  expand_string_message =
+	    string_sprintf("%s wrapping string result for extract jsons",
+	      expand_string_message);
+	  iterate_item = save_iterate_item;
+	  return NULL;
+	  }
+
+      DEBUG(D_expand) debug_printf_indent("%s: $item = \"%s\"\n", opname, iterate_item);
+      if (!eval_condition(sub[1], resetok, &tempcond))
+        {
+        expand_string_message = string_sprintf("%s inside \"%s\" condition",
+          expand_string_message, opname);
+        iterate_item = save_iterate_item;
+        return NULL;
+        }
+      DEBUG(D_expand) debug_printf_indent("%s: condition evaluated to %s\n", opname,
+        tempcond? "true":"false");
+
+      if (yield) *yield = (tempcond == testfor);
+      if (tempcond == is_forany) break;
+      }
+
+    iterate_item = save_iterate_item;
+    return s;
+    }
+
+
+  /* The bool{} expansion condition maps a string to boolean.
+  The values supported should match those supported by the ACL condition
+  (acl.c, ACLC_CONDITION) so that we keep to a minimum the different ideas
+  of true/false.  Note that Router "condition" rules have a different
+  interpretation, where general data can be used and only a few values
+  map to FALSE.
+  Note that readconf.c boolean matching, for boolean configuration options,
+  only matches true/yes/false/no.
+  The bool_lax{} condition matches the Router logic, which is much more
+  liberal. */
+  case ECOND_BOOL:
+  case ECOND_BOOL_LAX:
+    {
+    uschar *sub_arg[1];
+    uschar *t, *t2;
+    uschar *ourname;
+    size_t len;
+    BOOL boolvalue = FALSE;
+
+    if (Uskip_whitespace(&s) != '{') goto COND_FAILED_CURLY_START;	/* }-for-text-editors */
+    ourname = cond_type == ECOND_BOOL_LAX ? US"bool_lax" : US"bool";
+    switch(read_subs(sub_arg, 1, 1, &s, yield == NULL, FALSE, ourname, resetok))
+      {
+      case 1: expand_string_message = string_sprintf(
+                  "too few arguments or bracketing error for %s",
+                  ourname);
+      /*FALLTHROUGH*/
+      case 2:
+      case 3: return NULL;
+      }
+    t = sub_arg[0];
+    Uskip_whitespace(&t);
+    if ((len = Ustrlen(t)))
+      {
+      /* trailing whitespace: seems like a good idea to ignore it too */
+      t2 = t + len - 1;
+      while (isspace(*t2)) t2--;
+      if (t2 != (t + len))
+        {
+        *++t2 = '\0';
+        len = t2 - t;
+        }
+      }
+    DEBUG(D_expand)
+      debug_printf_indent("considering %s: %s\n", ourname, len ? t : US"<empty>");
+    /* logic for the lax case from expand_check_condition(), which also does
+    expands, and the logic is both short and stable enough that there should
+    be no maintenance burden from replicating it. */
+    if (len == 0)
+      boolvalue = FALSE;
+    else if (*t == '-'
+	     ? Ustrspn(t+1, "0123456789") == len-1
+	     : Ustrspn(t,   "0123456789") == len)
+      {
+      boolvalue = (Uatoi(t) == 0) ? FALSE : TRUE;
+      /* expand_check_condition only does a literal string "0" check */
+      if ((cond_type == ECOND_BOOL_LAX) && (len > 1))
+        boolvalue = TRUE;
+      }
+    else if (strcmpic(t, US"true") == 0 || strcmpic(t, US"yes") == 0)
+      boolvalue = TRUE;
+    else if (strcmpic(t, US"false") == 0 || strcmpic(t, US"no") == 0)
+      boolvalue = FALSE;
+    else if (cond_type == ECOND_BOOL_LAX)
+      boolvalue = TRUE;
+    else
+      {
+      expand_string_message = string_sprintf("unrecognised boolean "
+       "value \"%s\"", t);
+      return NULL;
+      }
+    DEBUG(D_expand) debug_printf_indent("%s: condition evaluated to %s\n", ourname,
+        boolvalue? "true":"false");
+    if (yield) *yield = (boolvalue == testfor);
+    return s;
+    }
+
+#ifdef SUPPORT_SRS
+  case ECOND_INBOUND_SRS:
+    /* ${if inbound_srs {local_part}{secret}  {yes}{no}} */
+    {
+    uschar * sub[2];
+    const pcre2_code * re;
+    pcre2_match_data * md;
+    PCRE2_SIZE * ovec;
+    int quoting = 0;
+    uschar cksum[4];
+    BOOL boolvalue = FALSE;
+
+    switch(read_subs(sub, 2, 2, CUSS &s, yield == NULL, FALSE, name, resetok))
+      {
+      case 1: expand_string_message = US"too few arguments or bracketing "
+	"error for inbound_srs";
+      case 2:
+      case 3: return NULL;
+      }
+
+    /* Match the given local_part against the SRS-encoded pattern */
+
+    re = regex_must_compile(US"^(?i)SRS0=([^=]+)=([A-Z2-7]+)=([^=]*)=(.*)$",
+			    TRUE, FALSE);
+    md = pcre2_match_data_create(4+1, pcre_gen_ctx);
+    if (pcre2_match(re, sub[0], PCRE2_ZERO_TERMINATED, 0, PCRE_EOPT,
+		    md, pcre_mtc_ctx) < 0)
+      {
+      DEBUG(D_expand) debug_printf("no match for SRS'd local-part pattern\n");
+      goto srs_result;
+      }
+    ovec = pcre2_get_ovector_pointer(md);
+
+    if (sub[0][0] == '"')
+      quoting = 1;
+    else for (uschar * s = sub[0]; *s; s++)
+      if (!isalnum(*s) && Ustrchr(".!#$%&'*+-/=?^_`{|}~", *s) == NULL)
+	{ quoting = 1; break; }
+    if (quoting)
+      DEBUG(D_expand) debug_printf_indent("auto-quoting local part\n");
+
+    /* Record the (quoted, if needed) decoded recipient as $srs_recipient */
+
+    srs_recipient = string_sprintf("%.*s%.*S%.*s@%.*S",   	/* lowercased */
+		      quoting, "\"",
+		      (int) (ovec[9]-ovec[8]), sub[0] + ovec[8],  /* substr 4 */
+		      quoting, "\"",
+		      (int) (ovec[7]-ovec[6]), sub[0] + ovec[6]); /* substr 3 */
+
+    /* If a zero-length secret was given, we're done.  Otherwise carry on
+    and validate the given SRS local_part againt our secret. */
+
+    if (!*sub[1])
+      {
+      boolvalue = TRUE;
+      goto srs_result;
+      }
+
+    /* check the timestamp */
+      {
+      struct timeval now;
+      uschar * ss = sub[0] + ovec[4];	/* substring 2, the timestamp */
+      long d;
+      int n;
+
+      gettimeofday(&now, NULL);
+      now.tv_sec /= 86400;		/* days since epoch */
+
+      /* Decode substring 2 from base32 to a number */
+
+      for (d = 0, n = ovec[5]-ovec[4]; n; n--)
+	{
+	uschar * t = Ustrchr(base32_chars, *ss++);
+	d = d * 32 + (t - base32_chars);
+	}
+
+      if (((now.tv_sec - d) & 0x3ff) > 10)	/* days since SRS generated */
+	{
+	DEBUG(D_expand) debug_printf("SRS too old\n");
+	goto srs_result;
+	}
+      }
+
+    /* check length of substring 1, the offered checksum */
+
+    if (ovec[3]-ovec[2] != 4)
+      {
+      DEBUG(D_expand) debug_printf("SRS checksum wrong size\n");
+      goto srs_result;
+      }
+
+    /* Hash the address with our secret, and compare that computed checksum
+    with the one extracted from the arg */
+
+    hmac_md5(sub[1], srs_recipient, cksum, sizeof(cksum));
+    if (Ustrncmp(cksum, sub[0] + ovec[2], 4) != 0)
+      {
+      DEBUG(D_expand) debug_printf("SRS checksum mismatch\n");
+      goto srs_result;
+      }
+    boolvalue = TRUE;
+
+srs_result:
+    if (yield) *yield = (boolvalue == testfor);
+    return s;
+    }
+#endif /*SUPPORT_SRS*/
+
+  /* Unknown condition */
+
+  default:
+    if (!expand_string_message || !*expand_string_message)
+      expand_string_message = string_sprintf("unknown condition \"%s\"", opname);
+    return NULL;
+  }   /* End switch on condition type */
+
+/* Missing braces at start and end of data */
+
+COND_FAILED_CURLY_START:
+expand_string_message = string_sprintf("missing { after \"%s\"", opname);
+return NULL;
+
+COND_FAILED_CURLY_END:
+expand_string_message = string_sprintf("missing } at end of \"%s\" condition",
+  opname);
+return NULL;
+
+/* A condition requires code that is not compiled */
+
+#if !defined(SUPPORT_PAM) || !defined(RADIUS_CONFIG_FILE) || \
+    !defined(LOOKUP_LDAP) || !defined(CYRUS_PWCHECK_SOCKET) || \
+    !defined(SUPPORT_CRYPTEQ) || !defined(CYRUS_SASLAUTHD_SOCKET)
+COND_FAILED_NOT_COMPILED:
+expand_string_message = string_sprintf("support for \"%s\" not compiled",
+  opname);
+return NULL;
+#endif
+}
+
+
+
+
+/*************************************************
+*          Save numerical variables              *
+*************************************************/
+
+/* This function is called from items such as "if" that want to preserve and
+restore the numbered variables.
+
+Arguments:
+  save_expand_string    points to an array of pointers to set
+  save_expand_nlength   points to an array of ints for the lengths
+
+Returns:                the value of expand max to save
+*/
+
+static int
+save_expand_strings(const uschar **save_expand_nstring, int *save_expand_nlength)
+{
+for (int i = 0; i <= expand_nmax; i++)
+  {
+  save_expand_nstring[i] = expand_nstring[i];
+  save_expand_nlength[i] = expand_nlength[i];
+  }
+return expand_nmax;
+}
+
+
+
+/*************************************************
+*           Restore numerical variables          *
+*************************************************/
+
+/* This function restored saved values of numerical strings.
+
+Arguments:
+  save_expand_nmax      the number of strings to restore
+  save_expand_string    points to an array of pointers
+  save_expand_nlength   points to an array of ints
+
+Returns:                nothing
+*/
+
+static void
+restore_expand_strings(int save_expand_nmax, const uschar **save_expand_nstring,
+  int *save_expand_nlength)
+{
+expand_nmax = save_expand_nmax;
+for (int i = 0; i <= expand_nmax; i++)
+  {
+  expand_nstring[i] = save_expand_nstring[i];
+  expand_nlength[i] = save_expand_nlength[i];
+  }
+}
+
+
+
+
+
+/*************************************************
+*            Handle yes/no substrings            *
+*************************************************/
+
+/* This function is used by ${if}, ${lookup} and ${extract} to handle the
+alternative substrings that depend on whether or not the condition was true,
+or the lookup or extraction succeeded. The substrings always have to be
+expanded, to check their syntax, but "skipping" is set when the result is not
+needed - this avoids unnecessary nested lookups.
+
+Arguments:
+  skipping       TRUE if we were skipping when this item was reached
+  yes            TRUE if the first string is to be used, else use the second
+  save_lookup    a value to put back into lookup_value before the 2nd expansion
+  sptr           points to the input string pointer
+  yieldptr       points to the output growable-string pointer
+  type           "lookup", "if", "extract", "run", "env", "listextract" or
+                 "certextract" for error message
+  resetok	 if not NULL, pointer to flag - write FALSE if unsafe to reset
+		the store.
+
+Returns:         0 OK; lookup_value has been reset to save_lookup
+                 1 expansion failed
+                 2 expansion failed because of bracketing error
+*/
+
+static int
+process_yesno(BOOL skipping, BOOL yes, uschar *save_lookup, const uschar **sptr,
+  gstring ** yieldptr, uschar *type, BOOL *resetok)
+{
+int rc = 0;
+const uschar *s = *sptr;    /* Local value */
+uschar *sub1, *sub2;
+const uschar * errwhere;
+
+/* If there are no following strings, we substitute the contents of $value for
+lookups and for extractions in the success case. For the ${if item, the string
+"true" is substituted. In the fail case, nothing is substituted for all three
+items. */
+
+if (skip_whitespace(&s) == '}')
+  {
+  if (type[0] == 'i')
+    {
+    if (yes && !skipping)
+      *yieldptr = string_catn(*yieldptr, US"true", 4);
+    }
+  else
+    {
+    if (yes && lookup_value && !skipping)
+      *yieldptr = string_cat(*yieldptr, lookup_value);
+    lookup_value = save_lookup;
+    }
+  s++;
+  goto RETURN;
+  }
+
+/* The first following string must be braced. */
+
+if (*s++ != '{')
+  {
+  errwhere = US"'yes' part did not start with '{'";
+  goto FAILED_CURLY;
+  }
+
+/* Expand the first substring. Forced failures are noticed only if we actually
+want this string. Set skipping in the call in the fail case (this will always
+be the case if we were already skipping). */
+
+sub1 = expand_string_internal(s, TRUE, &s, !yes, TRUE, resetok);
+if (sub1 == NULL && (yes || !f.expand_string_forcedfail)) goto FAILED;
+f.expand_string_forcedfail = FALSE;
+if (*s++ != '}')
+  {
+  errwhere = US"'yes' part did not end with '}'";
+  goto FAILED_CURLY;
+  }
+
+/* If we want the first string, add it to the output */
+
+if (yes)
+  *yieldptr = string_cat(*yieldptr, sub1);
+
+/* If this is called from a lookup/env or a (cert)extract, we want to restore
+$value to what it was at the start of the item, so that it has this value
+during the second string expansion. For the call from "if" or "run" to this
+function, save_lookup is set to lookup_value, so that this statement does
+nothing. */
+
+lookup_value = save_lookup;
+
+/* There now follows either another substring, or "fail", or nothing. This
+time, forced failures are noticed only if we want the second string. We must
+set skipping in the nested call if we don't want this string, or if we were
+already skipping. */
+
+if (skip_whitespace(&s) == '{')
+  {
+  sub2 = expand_string_internal(s+1, TRUE, &s, yes || skipping, TRUE, resetok);
+  if (sub2 == NULL && (!yes || !f.expand_string_forcedfail)) goto FAILED;
+  f.expand_string_forcedfail = FALSE;
+  if (*s++ != '}')
+    {
+    errwhere = US"'no' part did not start with '{'";
+    goto FAILED_CURLY;
+    }
+
+  /* If we want the second string, add it to the output */
+
+  if (!yes)
+    *yieldptr = string_cat(*yieldptr, sub2);
+  }
+
+/* If there is no second string, but the word "fail" is present when the use of
+the second string is wanted, set a flag indicating it was a forced failure
+rather than a syntactic error. Swallow the terminating } in case this is nested
+inside another lookup or if or extract. */
+
+else if (*s != '}')
+  {
+  uschar name[256];
+  /* deconst cast ok here as source is s anyway */
+  s = US read_name(name, sizeof(name), s, US"_");
+  if (Ustrcmp(name, "fail") == 0)
+    {
+    if (!yes && !skipping)
+      {
+      Uskip_whitespace(&s);
+      if (*s++ != '}')
+        {
+	errwhere = US"did not close with '}' after forcedfail";
+	goto FAILED_CURLY;
+	}
+      expand_string_message =
+        string_sprintf("\"%s\" failed and \"fail\" requested", type);
+      f.expand_string_forcedfail = TRUE;
+      goto FAILED;
+      }
+    }
+  else
+    {
+    expand_string_message =
+      string_sprintf("syntax error in \"%s\" item - \"fail\" expected", type);
+    goto FAILED;
+    }
+  }
+
+/* All we have to do now is to check on the final closing brace. */
+
+skip_whitespace(&s);
+if (*s++ != '}')
+  {
+  errwhere = US"did not close with '}'";
+  goto FAILED_CURLY;
+  }
+
+
+RETURN:
+/* Update the input pointer value before returning */
+*sptr = s;
+return rc;
+
+FAILED_CURLY:
+  /* Get here if there is a bracketing failure */
+  expand_string_message = string_sprintf(
+    "curly-bracket problem in conditional yes/no parsing: %s\n"
+    " remaining string is '%s'", errwhere, --s);
+  rc = 2;
+  goto RETURN;
+
+FAILED:
+  /* Get here for other failures */
+  rc = 1;
+  goto RETURN;
+}
+
+
+
+
+/********************************************************
+* prvs: Get last three digits of days since Jan 1, 1970 *
+********************************************************/
+
+/* This is needed to implement the "prvs" BATV reverse
+   path signing scheme
+
+Argument: integer "days" offset to add or substract to
+          or from the current number of days.
+
+Returns:  pointer to string containing the last three
+          digits of the number of days since Jan 1, 1970,
+          modified by the offset argument, NULL if there
+          was an error in the conversion.
+
+*/
+
+static uschar *
+prvs_daystamp(int day_offset)
+{
+uschar * days = store_get(32, GET_UNTAINTED);      /* Need at least 24 for cases */
+(void)string_format(days, 32, TIME_T_FMT, 	   /* where TIME_T_FMT is %lld */
+  (time(NULL) + day_offset*86400)/86400);
+return (Ustrlen(days) >= 3) ? &days[Ustrlen(days)-3] : US"100";
+}
+
+
+
+/********************************************************
+*   prvs: perform HMAC-SHA1 computation of prvs bits    *
+********************************************************/
+
+/* This is needed to implement the "prvs" BATV reverse
+   path signing scheme
+
+Arguments:
+  address RFC2821 Address to use
+      key The key to use (must be less than 64 characters
+          in size)
+  key_num Single-digit key number to use. Defaults to
+          '0' when NULL.
+
+Returns:  pointer to string containing the first three
+          bytes of the final hash in hex format, NULL if
+          there was an error in the process.
+*/
+
+static uschar *
+prvs_hmac_sha1(uschar *address, uschar *key, uschar *key_num, uschar *daystamp)
+{
+gstring * hash_source;
+uschar * p;
+hctx h;
+uschar innerhash[20];
+uschar finalhash[20];
+uschar innerkey[64];
+uschar outerkey[64];
+uschar *finalhash_hex;
+
+if (!key_num)
+  key_num = US"0";
+
+if (Ustrlen(key) > 64)
+  return NULL;
+
+hash_source = string_catn(NULL, key_num, 1);
+hash_source = string_catn(hash_source, daystamp, 3);
+hash_source = string_cat(hash_source, address);
+(void) string_from_gstring(hash_source);
+
+DEBUG(D_expand)
+  debug_printf_indent("prvs: hash source is '%s'\n", hash_source->s);
+
+memset(innerkey, 0x36, 64);
+memset(outerkey, 0x5c, 64);
+
+for (int i = 0; i < Ustrlen(key); i++)
+  {
+  innerkey[i] ^= key[i];
+  outerkey[i] ^= key[i];
+  }
+
+chash_start(HMAC_SHA1, &h);
+chash_mid(HMAC_SHA1, &h, innerkey);
+chash_end(HMAC_SHA1, &h, hash_source->s, hash_source->ptr, innerhash);
+
+chash_start(HMAC_SHA1, &h);
+chash_mid(HMAC_SHA1, &h, outerkey);
+chash_end(HMAC_SHA1, &h, innerhash, 20, finalhash);
+
+/* Hashing is deemed sufficient to de-taint any input data */
+
+p = finalhash_hex = store_get(40, GET_UNTAINTED);
+for (int i = 0; i < 3; i++)
+  {
+  *p++ = hex_digits[(finalhash[i] & 0xf0) >> 4];
+  *p++ = hex_digits[finalhash[i] & 0x0f];
+  }
+*p = '\0';
+
+return finalhash_hex;
+}
+
+
+
+
+/*************************************************
+*        Join a file onto the output string      *
+*************************************************/
+
+/* This is used for readfile/readsock and after a run expansion.
+It joins the contents of a file onto the output string, globally replacing
+newlines with a given string (optionally).
+
+Arguments:
+  f            the FILE
+  yield        pointer to the expandable string struct
+  eol          newline replacement string, or NULL
+
+Returns:       new pointer for expandable string, terminated if non-null
+*/
+
+gstring *
+cat_file(FILE * f, gstring * yield, uschar * eol)
+{
+uschar buffer[1024];
+
+while (Ufgets(buffer, sizeof(buffer), f))
+  {
+  int len = Ustrlen(buffer);
+  if (eol && buffer[len-1] == '\n') len--;
+  yield = string_catn(yield, buffer, len);
+  if (eol && buffer[len])
+    yield = string_cat(yield, eol);
+  }
+return yield;
+}
+
+
+#ifndef DISABLE_TLS
+gstring *
+cat_file_tls(void * tls_ctx, gstring * yield, uschar * eol)
+{
+int rc;
+uschar buffer[1024];
+
+/*XXX could we read direct into a pre-grown string? */
+
+while ((rc = tls_read(tls_ctx, buffer, sizeof(buffer))) > 0)
+  for (uschar * s = buffer; rc--; s++)
+    yield = eol && *s == '\n'
+      ? string_cat(yield, eol) : string_catn(yield, s, 1);
+
+/* We assume that all errors, and any returns of zero bytes,
+are actually EOF. */
+
+return yield;
+}
+#endif
+
+
+/*************************************************
+*          Evaluate numeric expression           *
+*************************************************/
+
+/* This is a set of mutually recursive functions that evaluate an arithmetic
+expression involving + - * / % & | ^ ~ << >> and parentheses. The only one of
+these functions that is called from elsewhere is eval_expr, whose interface is:
+
+Arguments:
+  sptr        pointer to the pointer to the string - gets updated
+  decimal     TRUE if numbers are to be assumed decimal
+  error       pointer to where to put an error message - must be NULL on input
+  endket      TRUE if ')' must terminate - FALSE for external call
+
+Returns:      on success: the value of the expression, with *error still NULL
+              on failure: an undefined value, with *error = a message
+*/
+
+static int_eximarith_t eval_op_or(uschar **, BOOL, uschar **);
+
+
+static int_eximarith_t
+eval_expr(uschar **sptr, BOOL decimal, uschar **error, BOOL endket)
+{
+uschar *s = *sptr;
+int_eximarith_t x = eval_op_or(&s, decimal, error);
+
+if (!*error)
+  if (endket)
+    if (*s != ')')
+      *error = US"expecting closing parenthesis";
+    else
+      while (isspace(*++s));
+  else if (*s)
+    *error = US"expecting operator";
+*sptr = s;
+return x;
+}
+
+
+static int_eximarith_t
+eval_number(uschar **sptr, BOOL decimal, uschar **error)
+{
+int c;
+int_eximarith_t n;
+uschar *s = *sptr;
+
+if (isdigit((c = Uskip_whitespace(&s))))
+  {
+  int count;
+  (void)sscanf(CS s, (decimal? SC_EXIM_DEC "%n" : SC_EXIM_ARITH "%n"), &n, &count);
+  s += count;
+  switch (tolower(*s))
+    {
+    default: break;
+    case 'k': n *= 1024; s++; break;
+    case 'm': n *= 1024*1024; s++; break;
+    case 'g': n *= 1024*1024*1024; s++; break;
+    }
+  Uskip_whitespace(&s);
+  }
+else if (c == '(')
+  {
+  s++;
+  n = eval_expr(&s, decimal, error, 1);
+  }
+else
+  {
+  *error = US"expecting number or opening parenthesis";
+  n = 0;
+  }
+*sptr = s;
+return n;
+}
+
+
+static int_eximarith_t
+eval_op_unary(uschar **sptr, BOOL decimal, uschar **error)
+{
+uschar *s = *sptr;
+int_eximarith_t x;
+Uskip_whitespace(&s);
+if (*s == '+' || *s == '-' || *s == '~')
+  {
+  int op = *s++;
+  x = eval_op_unary(&s, decimal, error);
+  if (op == '-') x = -x;
+    else if (op == '~') x = ~x;
+  }
+else
+  x = eval_number(&s, decimal, error);
+
+*sptr = s;
+return x;
+}
+
+
+static int_eximarith_t
+eval_op_mult(uschar **sptr, BOOL decimal, uschar **error)
+{
+uschar *s = *sptr;
+int_eximarith_t x = eval_op_unary(&s, decimal, error);
+if (!*error)
+  {
+  while (*s == '*' || *s == '/' || *s == '%')
+    {
+    int op = *s++;
+    int_eximarith_t y = eval_op_unary(&s, decimal, error);
+    if (*error) break;
+    /* SIGFPE both on div/mod by zero and on INT_MIN / -1, which would give
+     * a value of INT_MAX+1. Note that INT_MIN * -1 gives INT_MIN for me, which
+     * is a bug somewhere in [gcc 4.2.1, FreeBSD, amd64].  In fact, -N*-M where
+     * -N*M is INT_MIN will yield INT_MIN.
+     * Since we don't support floating point, this is somewhat simpler.
+     * Ideally, we'd return an error, but since we overflow for all other
+     * arithmetic, consistency suggests otherwise, but what's the correct value
+     * to use?  There is none.
+     * The C standard guarantees overflow for unsigned arithmetic but signed
+     * overflow invokes undefined behaviour; in practice, this is overflow
+     * except for converting INT_MIN to INT_MAX+1.  We also can't guarantee
+     * that long/longlong larger than int are available, or we could just work
+     * with larger types.  We should consider whether to guarantee 32bit eval
+     * and 64-bit working variables, with errors returned.  For now ...
+     * So, the only SIGFPEs occur with a non-shrinking div/mod, thus -1; we
+     * can just let the other invalid results occur otherwise, as they have
+     * until now.  For this one case, we can coerce.
+     */
+    if (y == -1 && x == EXIM_ARITH_MIN && op != '*')
+      {
+      DEBUG(D_expand)
+        debug_printf("Integer exception dodging: " PR_EXIM_ARITH "%c-1 coerced to " PR_EXIM_ARITH "\n",
+            EXIM_ARITH_MIN, op, EXIM_ARITH_MAX);
+      x = EXIM_ARITH_MAX;
+      continue;
+      }
+    if (op == '*')
+      x *= y;
+    else
+      {
+      if (y == 0)
+        {
+        *error = (op == '/') ? US"divide by zero" : US"modulo by zero";
+        x = 0;
+        break;
+        }
+      if (op == '/')
+        x /= y;
+      else
+        x %= y;
+      }
+    }
+  }
+*sptr = s;
+return x;
+}
+
+
+static int_eximarith_t
+eval_op_sum(uschar **sptr, BOOL decimal, uschar **error)
+{
+uschar *s = *sptr;
+int_eximarith_t x = eval_op_mult(&s, decimal, error);
+if (!*error)
+  {
+  while (*s == '+' || *s == '-')
+    {
+    int op = *s++;
+    int_eximarith_t y = eval_op_mult(&s, decimal, error);
+    if (*error) break;
+    if (  (x >=   EXIM_ARITH_MAX/2  && x >=   EXIM_ARITH_MAX/2)
+       || (x <= -(EXIM_ARITH_MAX/2) && y <= -(EXIM_ARITH_MAX/2)))
+      {			/* over-conservative check */
+      *error = op == '+'
+	? US"overflow in sum" : US"overflow in difference";
+      break;
+      }
+    if (op == '+') x += y; else x -= y;
+    }
+  }
+*sptr = s;
+return x;
+}
+
+
+static int_eximarith_t
+eval_op_shift(uschar **sptr, BOOL decimal, uschar **error)
+{
+uschar *s = *sptr;
+int_eximarith_t x = eval_op_sum(&s, decimal, error);
+if (!*error)
+  {
+  while ((*s == '<' || *s == '>') && s[1] == s[0])
+    {
+    int_eximarith_t y;
+    int op = *s++;
+    s++;
+    y = eval_op_sum(&s, decimal, error);
+    if (*error) break;
+    if (op == '<') x <<= y; else x >>= y;
+    }
+  }
+*sptr = s;
+return x;
+}
+
+
+static int_eximarith_t
+eval_op_and(uschar **sptr, BOOL decimal, uschar **error)
+{
+uschar *s = *sptr;
+int_eximarith_t x = eval_op_shift(&s, decimal, error);
+if (!*error)
+  {
+  while (*s == '&')
+    {
+    int_eximarith_t y;
+    s++;
+    y = eval_op_shift(&s, decimal, error);
+    if (*error) break;
+    x &= y;
+    }
+  }
+*sptr = s;
+return x;
+}
+
+
+static int_eximarith_t
+eval_op_xor(uschar **sptr, BOOL decimal, uschar **error)
+{
+uschar *s = *sptr;
+int_eximarith_t x = eval_op_and(&s, decimal, error);
+if (!*error)
+  {
+  while (*s == '^')
+    {
+    int_eximarith_t y;
+    s++;
+    y = eval_op_and(&s, decimal, error);
+    if (*error) break;
+    x ^= y;
+    }
+  }
+*sptr = s;
+return x;
+}
+
+
+static int_eximarith_t
+eval_op_or(uschar **sptr, BOOL decimal, uschar **error)
+{
+uschar *s = *sptr;
+int_eximarith_t x = eval_op_xor(&s, decimal, error);
+if (!*error)
+  {
+  while (*s == '|')
+    {
+    int_eximarith_t y;
+    s++;
+    y = eval_op_xor(&s, decimal, error);
+    if (*error) break;
+    x |= y;
+    }
+  }
+*sptr = s;
+return x;
+}
+
+
+
+/************************************************/
+/* Comparison operation for sort expansion.  We need to avoid
+re-expanding the fields being compared, so need a custom routine.
+
+Arguments:
+ cond_type		Comparison operator code
+ leftarg, rightarg	Arguments for comparison
+
+Return true iff (leftarg compare rightarg)
+*/
+
+static BOOL
+sortsbefore(int cond_type, BOOL alpha_cond,
+  const uschar * leftarg, const uschar * rightarg)
+{
+int_eximarith_t l_num, r_num;
+
+if (!alpha_cond)
+  {
+  l_num = expanded_string_integer(leftarg, FALSE);
+  if (expand_string_message) return FALSE;
+  r_num = expanded_string_integer(rightarg, FALSE);
+  if (expand_string_message) return FALSE;
+
+  switch (cond_type)
+    {
+    case ECOND_NUM_G:	return l_num >  r_num;
+    case ECOND_NUM_GE:	return l_num >= r_num;
+    case ECOND_NUM_L:	return l_num <  r_num;
+    case ECOND_NUM_LE:	return l_num <= r_num;
+    default: break;
+    }
+  }
+else
+  switch (cond_type)
+    {
+    case ECOND_STR_LT:	return Ustrcmp (leftarg, rightarg) <  0;
+    case ECOND_STR_LTI:	return strcmpic(leftarg, rightarg) <  0;
+    case ECOND_STR_LE:	return Ustrcmp (leftarg, rightarg) <= 0;
+    case ECOND_STR_LEI:	return strcmpic(leftarg, rightarg) <= 0;
+    case ECOND_STR_GT:	return Ustrcmp (leftarg, rightarg) >  0;
+    case ECOND_STR_GTI:	return strcmpic(leftarg, rightarg) >  0;
+    case ECOND_STR_GE:	return Ustrcmp (leftarg, rightarg) >= 0;
+    case ECOND_STR_GEI:	return strcmpic(leftarg, rightarg) >= 0;
+    default: break;
+    }
+return FALSE;	/* should not happen */
+}
+
+
+/* Expand a named list.  Return false on failure. */
+static gstring *
+expand_listnamed(gstring * yield, const uschar * name, const uschar * listtype)
+{
+tree_node *t = NULL;
+const uschar * list;
+int sep = 0;
+uschar * item;
+BOOL needsep = FALSE;
+#define LISTNAMED_BUF_SIZE 256
+uschar b[LISTNAMED_BUF_SIZE];
+uschar * buffer = b;
+
+if (*name == '+') name++;
+if (!listtype)		/* no-argument version */
+  {
+  if (  !(t = tree_search(addresslist_anchor, name))
+     && !(t = tree_search(domainlist_anchor,  name))
+     && !(t = tree_search(hostlist_anchor,    name)))
+    t = tree_search(localpartlist_anchor, name);
+  }
+else switch(*listtype)	/* specific list-type version */
+  {
+  case 'a': t = tree_search(addresslist_anchor,   name); break;
+  case 'd': t = tree_search(domainlist_anchor,    name); break;
+  case 'h': t = tree_search(hostlist_anchor,      name); break;
+  case 'l': t = tree_search(localpartlist_anchor, name); break;
+  default:
+    expand_string_message = US"bad suffix on \"list\" operator";
+    return yield;
+  }
+
+if(!t)
+  {
+  expand_string_message = string_sprintf("\"%s\" is not a %snamed list",
+    name, !listtype?""
+      : *listtype=='a'?"address "
+      : *listtype=='d'?"domain "
+      : *listtype=='h'?"host "
+      : *listtype=='l'?"localpart "
+      : 0);
+  return yield;
+  }
+
+list = ((namedlist_block *)(t->data.ptr))->string;
+
+/* The list could be quite long so we (re)use a buffer for each element
+rather than getting each in new memory */
+
+if (is_tainted(list)) buffer = store_get(LISTNAMED_BUF_SIZE, GET_TAINTED);
+while ((item = string_nextinlist(&list, &sep, buffer, LISTNAMED_BUF_SIZE)))
+  {
+  uschar * buf = US" : ";
+  if (needsep)
+    yield = string_catn(yield, buf, 3);
+  else
+    needsep = TRUE;
+
+  if (*item == '+')	/* list item is itself a named list */
+    {
+    yield = expand_listnamed(yield, item, listtype);
+    if (expand_string_message)
+      return yield;
+    }
+
+  else if (sep != ':')	/* item from non-colon-sep list, re-quote for colon list-separator */
+    {
+    char tok[3];
+    tok[0] = sep; tok[1] = ':'; tok[2] = 0;
+
+    for(char * cp; cp = strpbrk(CCS item, tok); item = US cp)
+      {
+      yield = string_catn(yield, item, cp - CS item);
+      if (*cp++ == ':')	/* colon in a non-colon-sep list item, needs doubling */
+	yield = string_catn(yield, US"::", 2);
+      else		/* sep in item; should already be doubled; emit once */
+	{
+	yield = string_catn(yield, US tok, 1);
+	if (*cp == sep) cp++;
+	}
+      }
+    yield = string_cat(yield, item);
+    }
+  else
+    yield = string_cat(yield, item);
+  }
+return yield;
+}
+
+
+
+/************************************************/
+static void
+debug_expansion_interim(const uschar * what, const uschar * value, int nchar,
+  BOOL skipping)
+{
+DEBUG(D_noutf8)
+  debug_printf_indent("|");
+else
+  debug_printf_indent(UTF8_VERT_RIGHT);
+
+for (int fill = 11 - Ustrlen(what); fill > 0; fill--)
+  DEBUG(D_noutf8)
+    debug_printf("-");
+  else
+    debug_printf(UTF8_HORIZ);
+
+debug_printf("%s: %.*s\n", what, nchar, value);
+if (is_tainted(value))
+  {
+  DEBUG(D_noutf8)
+    debug_printf_indent("%s     \\__", skipping ? "|     " : "      ");
+  else
+    debug_printf_indent("%s",
+      skipping
+      ? UTF8_VERT "             " : "           " UTF8_UP_RIGHT UTF8_HORIZ UTF8_HORIZ);
+  debug_printf("(tainted)\n");
+  }
+}
+
+
+/*************************************************
+*                 Expand string                  *
+*************************************************/
+
+/* Returns either an unchanged string, or the expanded string in stacking pool
+store. Interpreted sequences are:
+
+   \...                    normal escaping rules
+   $name                   substitutes the variable
+   ${name}                 ditto
+   ${op:string}            operates on the expanded string value
+   ${item{arg1}{arg2}...}  expands the args and then does the business
+                             some literal args are not enclosed in {}
+
+There are now far too many operators and item types to make it worth listing
+them here in detail any more.
+
+We use an internal routine recursively to handle embedded substrings. The
+external function follows. The yield is NULL if the expansion failed, and there
+are two cases: if something collapsed syntactically, or if "fail" was given
+as the action on a lookup failure. These can be distinguished by looking at the
+variable expand_string_forcedfail, which is TRUE in the latter case.
+
+The skipping flag is set true when expanding a substring that isn't actually
+going to be used (after "if" or "lookup") and it prevents lookups from
+happening lower down.
+
+Store usage: At start, a store block of the length of the input plus 64
+is obtained. This is expanded as necessary by string_cat(), which might have to
+get a new block, or might be able to expand the original. At the end of the
+function we can release any store above that portion of the yield block that
+was actually used. In many cases this will be optimal.
+
+However: if the first item in the expansion is a variable name or header name,
+we reset the store before processing it; if the result is in fresh store, we
+use that without copying. This is helpful for expanding strings like
+$message_headers which can get very long.
+
+There's a problem if a ${dlfunc item has side-effects that cause allocation,
+since resetting the store at the end of the expansion will free store that was
+allocated by the plugin code as well as the slop after the expanded string. So
+we skip any resets if ${dlfunc } has been used. The same applies for ${acl }
+and, given the acl condition, ${if }. This is an unfortunate consequence of
+string expansion becoming too powerful.
+
+Arguments:
+  string         the string to be expanded
+  ket_ends       true if expansion is to stop at }
+  left           if not NULL, a pointer to the first character after the
+                 expansion is placed here (typically used with ket_ends)
+  skipping       TRUE for recursive calls when the value isn't actually going
+                 to be used (to allow for optimisation)
+  honour_dollar  TRUE if $ is to be expanded,
+                 FALSE if it's just another character
+  resetok_p	 if not NULL, pointer to flag - write FALSE if unsafe to reset
+		 the store.
+
+Returns:         NULL if expansion fails:
+                   expand_string_forcedfail is set TRUE if failure was forced
+                   expand_string_message contains a textual error message
+                 a pointer to the expanded string on success
+*/
+
+static uschar *
+expand_string_internal(const uschar *string, BOOL ket_ends, const uschar **left,
+  BOOL skipping, BOOL honour_dollar, BOOL *resetok_p)
+{
+rmark reset_point = store_mark();
+gstring * yield = string_get(Ustrlen(string) + 64);
+int item_type;
+const uschar * s = string;
+const uschar * save_expand_nstring[EXPAND_MAXN+1];
+int save_expand_nlength[EXPAND_MAXN+1];
+BOOL resetok = TRUE, first = TRUE;
+
+expand_level++;
+f.expand_string_forcedfail = FALSE;
+expand_string_message = US"";
+
+if (is_tainted(string))
+  {
+  expand_string_message =
+    string_sprintf("attempt to expand tainted string '%s'", s);
+  log_write(0, LOG_MAIN|LOG_PANIC, "%s", expand_string_message);
+  goto EXPAND_FAILED;
+  }
+
+while (*s)
+  {
+  uschar name[256];
+
+  DEBUG(D_expand)
+    {
+    DEBUG(D_noutf8)
+      debug_printf_indent("%c%s: %s\n",
+	first ? '/' : '|',
+	skipping ? "---scanning" : "considering", s);
+    else
+      debug_printf_indent("%s%s: %s\n",
+	first ? UTF8_DOWN_RIGHT : UTF8_VERT_RIGHT,
+	skipping
+	? UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ "scanning"
+	: "considering",
+	s);
+    first = FALSE;
+    }
+
+  /* \ escapes the next character, which must exist, or else
+  the expansion fails. There's a special escape, \N, which causes
+  copying of the subject verbatim up to the next \N. Otherwise,
+  the escapes are the standard set. */
+
+  if (*s == '\\')
+    {
+    if (s[1] == 0)
+      {
+      expand_string_message = US"\\ at end of string";
+      goto EXPAND_FAILED;
+      }
+
+    if (s[1] == 'N')
+      {
+      const uschar * t = s + 2;
+      for (s = t; *s ; s++) if (*s == '\\' && s[1] == 'N') break;
+
+      DEBUG(D_expand)
+	debug_expansion_interim(US"protected", t, (int)(s - t), skipping);
+      yield = string_catn(yield, t, s - t);
+      if (*s) s += 2;
+      }
+    else
+      {
+      uschar ch[1];
+      DEBUG(D_expand)
+	DEBUG(D_noutf8)
+	  debug_printf_indent("|backslashed: '\\%c'\n", s[1]);
+	else
+	  debug_printf_indent(UTF8_VERT_RIGHT "backslashed: '\\%c'\n", s[1]);
+      ch[0] = string_interpret_escape(&s);
+      s++;
+      yield = string_catn(yield, ch, 1);
+      }
+    continue;
+    }
+
+									/*{{*/
+  /* Anything other than $ is just copied verbatim, unless we are
+  looking for a terminating } character. */
+
+  if (ket_ends && *s == '}') break;
+
+  if (*s != '$' || !honour_dollar)
+    {
+    int i = 1;								/*{*/
+    for (const uschar * t = s+1;
+	*t && *t != '$' && *t != '}' && *t != '\\'; t++) i++;
+
+    DEBUG(D_expand) debug_expansion_interim(US"text", s, i, skipping);
+
+    yield = string_catn(yield, s, i);
+    s += i;
+    continue;
+    }
+
+  /* No { after the $ - must be a plain name or a number for string
+  match variable. There has to be a fudge for variables that are the
+  names of header fields preceded by "$header_" because header field
+  names can contain any printing characters except space and colon.
+  For those that don't like typing this much, "$h_" is a synonym for
+  "$header_". A non-existent header yields a NULL value; nothing is
+  inserted. */	/*}*/
+
+  if (isalpha(*++s))
+    {
+    const uschar * value;
+    int newsize = 0, len;
+    gstring * g = NULL;
+    uschar * t;
+
+    s = read_name(name, sizeof(name), s, US"_");
+
+    /* If this is the first thing to be expanded, release the pre-allocated
+    buffer. */
+
+    if (!yield)
+      g = store_get(sizeof(gstring), GET_UNTAINTED);
+    else if (yield->ptr == 0)
+      {
+      if (resetok) reset_point = store_reset(reset_point);
+      yield = NULL;
+      reset_point = store_mark();
+      g = store_get(sizeof(gstring), GET_UNTAINTED);	/* alloc _before_ calling find_variable() */
+      }
+
+    /* Header */
+
+    if (  ( *(t = name) == 'h'
+          || (*t == 'r' || *t == 'l' || *t == 'b') && *++t == 'h'
+	  )
+       && (*++t == '_' || Ustrncmp(t, "eader_", 6) == 0)
+       )
+      {
+      unsigned flags = *name == 'r' ? FH_WANT_RAW
+		      : *name == 'l' ? FH_WANT_RAW|FH_WANT_LIST
+		      : 0;
+      const uschar * charset = *name == 'b' ? NULL : headers_charset;
+
+      s = read_header_name(name, sizeof(name), s);
+      value = find_header(name, &newsize, flags, charset);
+
+      /* If we didn't find the header, and the header contains a closing brace
+      character, this may be a user error where the terminating colon
+      has been omitted. Set a flag to adjust the error message in this case.
+      But there is no error here - nothing gets inserted. */
+
+      if (!value)
+        {								/*{*/
+        if (Ustrchr(name, '}')) malformed_header = TRUE;
+        continue;
+        }
+      }
+
+    /* Variable */
+
+    else if (!(value = find_variable(name, FALSE, skipping, &newsize)))
+      {
+      expand_string_message =
+	string_sprintf("unknown variable name \"%s\"", name);
+	check_variable_error_message(name);
+      goto EXPAND_FAILED;
+      }
+
+    /* If the data is known to be in a new buffer, newsize will be set to the
+    size of that buffer. If this is the first thing in an expansion string,
+    yield will be NULL; just point it at the new store instead of copying. Many
+    expansion strings contain just one reference, so this is a useful
+    optimization, especially for humungous headers.  We need to use a gstring
+    structure that is not allocated after that new-buffer, else a later store
+    reset in the middle of the buffer will make it inaccessible. */
+
+    len = Ustrlen(value);
+    if (!yield && newsize != 0)
+      {
+      yield = g;
+      yield->size = newsize;
+      yield->ptr = len;
+      yield->s = US value; /* known to be in new store i.e. a copy, so deconst safe */
+      }
+    else
+      yield = string_catn(yield, value, len);
+
+    continue;
+    }
+
+  if (isdigit(*s))
+    {
+    int n;
+    s = read_cnumber(&n, s);
+    if (n >= 0 && n <= expand_nmax)
+      yield = string_catn(yield, expand_nstring[n], expand_nlength[n]);
+    continue;
+    }
+
+  /* Otherwise, if there's no '{' after $ it's an error. */		/*}*/
+
+  if (*s != '{')							/*}*/
+    {
+    expand_string_message = US"$ not followed by letter, digit, or {";	/*}*/
+    goto EXPAND_FAILED;
+    }
+
+  /* After { there can be various things, but they all start with
+  an initial word, except for a number for a string match variable. */	/*}*/
+
+  if (isdigit(*++s))
+    {
+    int n;
+    s = read_cnumber(&n, s);						/*{{*/
+    if (*s++ != '}')
+      {
+      expand_string_message = US"} expected after number";
+      goto EXPAND_FAILED;
+      }
+    if (n >= 0 && n <= expand_nmax)
+      yield = string_catn(yield, expand_nstring[n], expand_nlength[n]);
+    continue;
+    }
+
+  if (!isalpha(*s))
+    {
+    expand_string_message = US"letter or digit expected after ${";	/*}*/
+    goto EXPAND_FAILED;
+    }
+
+  /* Allow "-" in names to cater for substrings with negative
+  arguments. Since we are checking for known names after { this is
+  OK. */								/*}*/
+
+  s = read_name(name, sizeof(name), s, US"_-");
+  item_type = chop_match(name, item_table, nelem(item_table));
+
+  /* Switch on item type.  All nondefault choices should "continue* when
+  skipping, but "break" otherwise so we get debug output for the item
+  expansion. */
+  {
+  int start = gstring_length(yield);
+  switch(item_type)
+    {
+    /* Call an ACL from an expansion.  We feed data in via $acl_arg1 - $acl_arg9.
+    If the ACL returns accept or reject we return content set by "message ="
+    There is currently no limit on recursion; this would have us call
+    acl_check_internal() directly and get a current level from somewhere.
+    See also the acl expansion condition ECOND_ACL and the traditional
+    acl modifier ACLC_ACL.
+    Assume that the function has side-effects on the store that must be preserved.
+    */
+
+    case EITEM_ACL:
+      /* ${acl {name} {arg1}{arg2}...} */
+      {
+      uschar * sub[10];	/* name + arg1-arg9 (which must match number of acl_arg[]) */
+      uschar * user_msg;
+      int rc;
+
+      switch(read_subs(sub, nelem(sub), 1, &s, skipping, TRUE, name,
+		      &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+      if (skipping) continue;
+
+      resetok = FALSE;
+      switch(rc = eval_acl(sub, nelem(sub), &user_msg))
+	{
+	case OK:
+	case FAIL:
+	  DEBUG(D_expand)
+	    debug_printf_indent("acl expansion yield: %s\n", user_msg);
+	  if (user_msg)
+            yield = string_cat(yield, user_msg);
+	  break;
+
+	case DEFER:
+          f.expand_string_forcedfail = TRUE;
+	  /*FALLTHROUGH*/
+	default:
+          expand_string_message = string_sprintf("%s from acl \"%s\"",
+	    rc_names[rc], sub[0]);
+	  goto EXPAND_FAILED;
+	}
+      break;
+      }
+
+    case EITEM_AUTHRESULTS:
+      /* ${authresults {mysystemname}} */
+      {
+      uschar * sub_arg[1];
+
+      switch(read_subs(sub_arg, nelem(sub_arg), 1, &s, skipping, TRUE, name,
+		      &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+
+      yield = string_append(yield, 3,
+			US"Authentication-Results: ", sub_arg[0], US"; none");
+      yield->ptr -= 6;
+
+      yield = authres_local(yield, sub_arg[0]);
+      yield = authres_iprev(yield);
+      yield = authres_smtpauth(yield);
+#ifdef SUPPORT_SPF
+      yield = authres_spf(yield);
+#endif
+#ifndef DISABLE_DKIM
+      yield = authres_dkim(yield);
+#endif
+#ifdef SUPPORT_DMARC
+      yield = authres_dmarc(yield);
+#endif
+#ifdef EXPERIMENTAL_ARC
+      yield = authres_arc(yield);
+#endif
+      break;
+      }
+
+    /* Handle conditionals - preserve the values of the numerical expansion
+    variables in case they get changed by a regular expression match in the
+    condition. If not, they retain their external settings. At the end
+    of this "if" section, they get restored to their previous values. */
+
+    case EITEM_IF:
+      {
+      BOOL cond = FALSE;
+      const uschar *next_s;
+      int save_expand_nmax =
+        save_expand_strings(save_expand_nstring, save_expand_nlength);
+      uschar * save_lookup_value = lookup_value;
+
+      Uskip_whitespace(&s);
+      if (!(next_s = eval_condition(s, &resetok, skipping ? NULL : &cond)))
+	goto EXPAND_FAILED;  /* message already set */
+
+      DEBUG(D_expand)
+	{
+	debug_expansion_interim(US"condition", s, (int)(next_s - s), skipping);
+	debug_expansion_interim(US"result",
+	  cond ? US"true" : US"false", cond ? 4 : 5, skipping);
+	}
+
+      s = next_s;
+
+      /* The handling of "yes" and "no" result strings is now in a separate
+      function that is also used by ${lookup} and ${extract} and ${run}. */
+
+      switch(process_yesno(
+               skipping,                     /* were previously skipping */
+               cond,                         /* success/failure indicator */
+               lookup_value,                 /* value to reset for string2 */
+               &s,                           /* input pointer */
+               &yield,                       /* output pointer */
+               US"if",                       /* condition type */
+	       &resetok))
+        {
+        case 1: goto EXPAND_FAILED;          /* when all is well, the */
+        case 2: goto EXPAND_FAILED_CURLY;    /* returned value is 0 */
+        }
+
+      /* Restore external setting of expansion variables for continuation
+      at this level. */
+
+      lookup_value = save_lookup_value;
+      restore_expand_strings(save_expand_nmax, save_expand_nstring,
+        save_expand_nlength);
+      break;
+      }
+
+#ifdef SUPPORT_I18N
+    case EITEM_IMAPFOLDER:
+      {				/* ${imapfolder {name}{sep}{specials}} */
+      uschar *sub_arg[3];
+      uschar *encoded;
+
+      switch(read_subs(sub_arg, nelem(sub_arg), 1, &s, skipping, TRUE, name,
+		      &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+
+      if (!sub_arg[1])			/* One argument */
+	{
+	sub_arg[1] = US"/";		/* default separator */
+	sub_arg[2] = NULL;
+	}
+      else if (Ustrlen(sub_arg[1]) != 1)
+	{
+	expand_string_message =
+	  string_sprintf(
+		"IMAP folder separator must be one character, found \"%s\"",
+		sub_arg[1]);
+	goto EXPAND_FAILED;
+	}
+
+      if (skipping) continue;
+
+      if (!(encoded = imap_utf7_encode(sub_arg[0], headers_charset,
+			  sub_arg[1][0], sub_arg[2], &expand_string_message)))
+	goto EXPAND_FAILED;
+      yield = string_cat(yield, encoded);
+      break;
+      }
+#endif
+
+    /* Handle database lookups unless locked out. If "skipping" is TRUE, we are
+    expanding an internal string that isn't actually going to be used. All we
+    need to do is check the syntax, so don't do a lookup at all. Preserve the
+    values of the numerical expansion variables in case they get changed by a
+    partial lookup. If not, they retain their external settings. At the end
+    of this "lookup" section, they get restored to their previous values. */
+
+    case EITEM_LOOKUP:
+      {
+      int stype, partial, affixlen, starflags;
+      int expand_setup = 0;
+      int nameptr = 0;
+      uschar * key, * filename;
+      const uschar * affix, * opts;
+      uschar * save_lookup_value = lookup_value;
+      int save_expand_nmax =
+        save_expand_strings(save_expand_nstring, save_expand_nlength);
+
+      if (expand_forbid & RDO_LOOKUP)
+        {
+        expand_string_message = US"lookup expansions are not permitted";
+        goto EXPAND_FAILED;
+        }
+
+      /* Get the key we are to look up for single-key+file style lookups.
+      Otherwise set the key NULL pro-tem. */
+
+      if (Uskip_whitespace(&s) == '{')					/*}*/
+        {
+        key = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
+        if (!key) goto EXPAND_FAILED;			/*{{*/
+        if (*s++ != '}')
+	  {
+	  expand_string_message = US"missing '}' after lookup key";
+	  goto EXPAND_FAILED_CURLY;
+	  }
+        Uskip_whitespace(&s);
+        }
+      else key = NULL;
+
+      /* Find out the type of database */
+
+      if (!isalpha(*s))
+        {
+        expand_string_message = US"missing lookup type";
+        goto EXPAND_FAILED;
+        }
+
+      /* The type is a string that may contain special characters of various
+      kinds. Allow everything except space or { to appear; the actual content
+      is checked by search_findtype_partial. */		/*}*/
+
+      while (*s && *s != '{' && !isspace(*s))		/*}*/
+        {
+        if (nameptr < sizeof(name) - 1) name[nameptr++] = *s;
+        s++;
+        }
+      name[nameptr] = '\0';
+      Uskip_whitespace(&s);
+
+      /* Now check for the individual search type and any partial or default
+      options. Only those types that are actually in the binary are valid. */
+
+      if ((stype = search_findtype_partial(name, &partial, &affix, &affixlen,
+	  &starflags, &opts)) < 0)
+        {
+        expand_string_message = search_error_message;
+        goto EXPAND_FAILED;
+        }
+
+      /* Check that a key was provided for those lookup types that need it,
+      and was not supplied for those that use the query style. */
+
+      if (!mac_islookup(stype, lookup_querystyle|lookup_absfilequery))
+        {
+        if (!key)
+          {
+          expand_string_message = string_sprintf("missing {key} for single-"
+            "key \"%s\" lookup", name);
+          goto EXPAND_FAILED;
+          }
+        }
+      else if (key)
+	{
+	expand_string_message = string_sprintf("a single key was given for "
+	  "lookup type \"%s\", which is not a single-key lookup type", name);
+	goto EXPAND_FAILED;
+	}
+
+      /* Get the next string in brackets and expand it. It is the file name for
+      single-key+file lookups, and the whole query otherwise. In the case of
+      queries that also require a file name (e.g. sqlite), the file name comes
+      first. */
+
+      if (*s != '{')
+        {
+	expand_string_message = US"missing '{' for lookup file-or-query arg";
+	goto EXPAND_FAILED_CURLY;						/*}}*/
+	}
+      if (!(filename = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok)))
+	goto EXPAND_FAILED;
+      										/*{{*/
+      if (*s++ != '}')
+        {
+	expand_string_message = US"missing '}' closing lookup file-or-query arg";
+	goto EXPAND_FAILED_CURLY;
+	}
+      Uskip_whitespace(&s);
+
+      /* If this isn't a single-key+file lookup, re-arrange the variables
+      to be appropriate for the search_ functions. For query-style lookups,
+      there is just a "key", and no file name. For the special query-style +
+      file types, the query (i.e. "key") starts with a file name. */
+
+      if (!key)
+	key = search_args(stype, name, filename, &filename, opts);
+
+      /* If skipping, don't do the next bit - just lookup_value == NULL, as if
+      the entry was not found. Note that there is no search_close() function.
+      Files are left open in case of re-use. At suitable places in higher logic,
+      search_tidyup() is called to tidy all open files. This can save opening
+      the same file several times. However, files may also get closed when
+      others are opened, if too many are open at once. The rule is that a
+      handle should not be used after a second search_open().
+
+      Request that a partial search sets up $1 and maybe $2 by passing
+      expand_setup containing zero. If its value changes, reset expand_nmax,
+      since new variables will have been set. Note that at the end of this
+      "lookup" section, the old numeric variables are restored. */
+
+      if (skipping)
+        lookup_value = NULL;
+      else
+        {
+        void * handle = search_open(filename, stype, 0, NULL, NULL);
+        if (!handle)
+          {
+          expand_string_message = search_error_message;
+          goto EXPAND_FAILED;
+          }
+        lookup_value = search_find(handle, filename, key, partial, affix,
+          affixlen, starflags, &expand_setup, opts);
+        if (f.search_find_defer)
+          {
+          expand_string_message =
+            string_sprintf("lookup of \"%s\" gave DEFER: %s",
+              string_printing2(key, SP_TAB), search_error_message);
+          goto EXPAND_FAILED;
+          }
+        if (expand_setup > 0) expand_nmax = expand_setup;
+        }
+
+      /* The handling of "yes" and "no" result strings is now in a separate
+      function that is also used by ${if} and ${extract}. */
+
+      switch(process_yesno(
+               skipping,                     /* were previously skipping */
+               lookup_value != NULL,         /* success/failure indicator */
+               save_lookup_value,            /* value to reset for string2 */
+               &s,                           /* input pointer */
+               &yield,                       /* output pointer */
+               US"lookup",                   /* condition type */
+	       &resetok))
+        {
+        case 1: goto EXPAND_FAILED;          /* when all is well, the */
+        case 2: goto EXPAND_FAILED_CURLY;    /* returned value is 0 */
+        }
+
+      /* Restore external setting of expansion variables for carrying on
+      at this level, and continue. */
+
+      restore_expand_strings(save_expand_nmax, save_expand_nstring,
+        save_expand_nlength);
+
+      if (skipping) continue;
+      break;
+      }
+
+    /* If Perl support is configured, handle calling embedded perl subroutines,
+    unless locked out at this time. Syntax is ${perl{sub}} or ${perl{sub}{arg}}
+    or ${perl{sub}{arg1}{arg2}} or up to a maximum of EXIM_PERL_MAX_ARGS
+    arguments (defined below). */
+
+#define EXIM_PERL_MAX_ARGS 8
+
+    case EITEM_PERL:
+#ifndef EXIM_PERL
+      expand_string_message = US"\"${perl\" encountered, but this facility "	/*}*/
+	"is not included in this binary";
+      goto EXPAND_FAILED;
+
+#else   /* EXIM_PERL */
+      {
+      uschar * sub_arg[EXIM_PERL_MAX_ARGS + 2];
+      gstring * new_yield;
+
+      if (expand_forbid & RDO_PERL)
+        {
+        expand_string_message = US"Perl calls are not permitted";
+        goto EXPAND_FAILED;
+        }
+
+      switch(read_subs(sub_arg, EXIM_PERL_MAX_ARGS + 1, 1, &s, skipping, TRUE,
+           name, &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+
+      /* If skipping, we don't actually do anything */
+
+      if (skipping) continue;
+
+      /* Start the interpreter if necessary */
+
+      if (!opt_perl_started)
+        {
+        uschar * initerror;
+        if (!opt_perl_startup)
+          {
+          expand_string_message = US"A setting of perl_startup is needed when "
+            "using the Perl interpreter";
+          goto EXPAND_FAILED;
+          }
+        DEBUG(D_any) debug_printf("Starting Perl interpreter\n");
+        if ((initerror = init_perl(opt_perl_startup)))
+          {
+          expand_string_message =
+            string_sprintf("error in perl_startup code: %s\n", initerror);
+          goto EXPAND_FAILED;
+          }
+        opt_perl_started = TRUE;
+        }
+
+      /* Call the function */
+
+      sub_arg[EXIM_PERL_MAX_ARGS + 1] = NULL;
+      new_yield = call_perl_cat(yield, &expand_string_message,
+        sub_arg[0], sub_arg + 1);
+
+      /* NULL yield indicates failure; if the message pointer has been set to
+      NULL, the yield was undef, indicating a forced failure. Otherwise the
+      message will indicate some kind of Perl error. */
+
+      if (!new_yield)
+        {
+        if (!expand_string_message)
+          {
+          expand_string_message =
+            string_sprintf("Perl subroutine \"%s\" returned undef to force "
+              "failure", sub_arg[0]);
+          f.expand_string_forcedfail = TRUE;
+          }
+        goto EXPAND_FAILED;
+        }
+
+      /* Yield succeeded. Ensure forcedfail is unset, just in case it got
+      set during a callback from Perl. */
+
+      f.expand_string_forcedfail = FALSE;
+      yield = new_yield;
+      break;
+      }
+#endif /* EXIM_PERL */
+
+    /* Transform email address to "prvs" scheme to use
+       as BATV-signed return path */
+
+    case EITEM_PRVS:
+      {
+      uschar * sub_arg[3], * p, * domain;
+
+      switch(read_subs(sub_arg, 3, 2, &s, skipping, TRUE, name, &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+
+      /* If skipping, we don't actually do anything */
+      if (skipping) continue;
+
+      /* sub_arg[0] is the address */
+      if (  !(domain = Ustrrchr(sub_arg[0],'@'))
+	 || domain == sub_arg[0] || Ustrlen(domain) == 1)
+        {
+        expand_string_message = US"prvs first argument must be a qualified email address";
+        goto EXPAND_FAILED;
+        }
+
+      /* Calculate the hash. The third argument must be a single-digit
+      key number, or unset. */
+
+      if (  sub_arg[2]
+         && (!isdigit(sub_arg[2][0]) || sub_arg[2][1] != 0))
+        {
+        expand_string_message = US"prvs third argument must be a single digit";
+        goto EXPAND_FAILED;
+        }
+
+      p = prvs_hmac_sha1(sub_arg[0], sub_arg[1], sub_arg[2], prvs_daystamp(7));
+      if (!p)
+        {
+        expand_string_message = US"prvs hmac-sha1 conversion failed";
+        goto EXPAND_FAILED;
+        }
+
+      /* Now separate the domain from the local part */
+      *domain++ = '\0';
+
+      yield = string_catn(yield, US"prvs=", 5);
+      yield = string_catn(yield, sub_arg[2] ? sub_arg[2] : US"0", 1);
+      yield = string_catn(yield, prvs_daystamp(7), 3);
+      yield = string_catn(yield, p, 6);
+      yield = string_catn(yield, US"=", 1);
+      yield = string_cat (yield, sub_arg[0]);
+      yield = string_catn(yield, US"@", 1);
+      yield = string_cat (yield, domain);
+
+      break;
+      }
+
+    /* Check a prvs-encoded address for validity */
+
+    case EITEM_PRVSCHECK:
+      {
+      uschar * sub_arg[3], * p;
+      gstring * g;
+      const pcre2_code * re;
+
+      /* TF: Ugliness: We want to expand parameter 1 first, then set
+         up expansion variables that are used in the expansion of
+         parameter 2. So we clone the string for the first
+         expansion, where we only expand parameter 1.
+
+         PH: Actually, that isn't necessary. The read_subs() function is
+         designed to work this way for the ${if and ${lookup expansions. I've
+         tidied the code.
+      */								/*}}*/
+
+      /* Reset expansion variables */
+      prvscheck_result = NULL;
+      prvscheck_address = NULL;
+      prvscheck_keynum = NULL;
+
+      switch(read_subs(sub_arg, 1, 1, &s, skipping, FALSE, name, &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+
+      re = regex_must_compile(US"^prvs\\=([0-9])([0-9]{3})([A-F0-9]{6})\\=(.+)\\@(.+)$",
+                              TRUE,FALSE);
+
+      if (regex_match_and_setup(re,sub_arg[0],0,-1))
+        {
+        uschar * local_part = string_copyn(expand_nstring[4],expand_nlength[4]);
+        uschar * key_num = string_copyn(expand_nstring[1],expand_nlength[1]);
+        uschar * daystamp = string_copyn(expand_nstring[2],expand_nlength[2]);
+        uschar * hash = string_copyn(expand_nstring[3],expand_nlength[3]);
+        uschar * domain = string_copyn(expand_nstring[5],expand_nlength[5]);
+
+        DEBUG(D_expand) debug_printf_indent("prvscheck localpart: %s\n", local_part);
+        DEBUG(D_expand) debug_printf_indent("prvscheck key number: %s\n", key_num);
+        DEBUG(D_expand) debug_printf_indent("prvscheck daystamp: %s\n", daystamp);
+        DEBUG(D_expand) debug_printf_indent("prvscheck hash: %s\n", hash);
+        DEBUG(D_expand) debug_printf_indent("prvscheck domain: %s\n", domain);
+
+        /* Set up expansion variables */
+        g = string_cat (NULL, local_part);
+        g = string_catn(g, US"@", 1);
+        g = string_cat (g, domain);
+        prvscheck_address = string_from_gstring(g);
+        prvscheck_keynum = string_copy(key_num);
+
+        /* Now expand the second argument */
+        switch(read_subs(sub_arg, 1, 1, &s, skipping, FALSE, name, &resetok))
+          {
+          case 1: goto EXPAND_FAILED_CURLY;
+          case 2:
+          case 3: goto EXPAND_FAILED;
+          }
+
+        /* Now we have the key and can check the address. */
+
+        p = prvs_hmac_sha1(prvscheck_address, sub_arg[0], prvscheck_keynum,
+          daystamp);
+
+        if (!p)
+          {
+          expand_string_message = US"hmac-sha1 conversion failed";
+          goto EXPAND_FAILED;
+          }
+
+        DEBUG(D_expand) debug_printf_indent("prvscheck: received hash is %s\n", hash);
+        DEBUG(D_expand) debug_printf_indent("prvscheck:      own hash is %s\n", p);
+
+        if (Ustrcmp(p,hash) == 0)
+          {
+          /* Success, valid BATV address. Now check the expiry date. */
+          uschar *now = prvs_daystamp(0);
+          unsigned int inow = 0,iexpire = 1;
+
+          (void)sscanf(CS now,"%u",&inow);
+          (void)sscanf(CS daystamp,"%u",&iexpire);
+
+          /* When "iexpire" is < 7, a "flip" has occurred.
+             Adjust "inow" accordingly. */
+          if ( (iexpire < 7) && (inow >= 993) ) inow = 0;
+
+          if (iexpire >= inow)
+            {
+            prvscheck_result = US"1";
+            DEBUG(D_expand) debug_printf_indent("prvscheck: success, $pvrs_result set to 1\n");
+            }
+	  else
+            {
+            prvscheck_result = NULL;
+            DEBUG(D_expand) debug_printf_indent("prvscheck: signature expired, $pvrs_result unset\n");
+            }
+          }
+        else
+          {
+          prvscheck_result = NULL;
+          DEBUG(D_expand) debug_printf_indent("prvscheck: hash failure, $pvrs_result unset\n");
+          }
+
+        /* Now expand the final argument. We leave this till now so that
+        it can include $prvscheck_result. */
+
+        switch(read_subs(sub_arg, 1, 0, &s, skipping, TRUE, name, &resetok))
+          {
+          case 1: goto EXPAND_FAILED_CURLY;
+          case 2:
+          case 3: goto EXPAND_FAILED;
+          }
+
+	yield = string_cat(yield,
+	  !sub_arg[0] || !*sub_arg[0] ? prvscheck_address : sub_arg[0]);
+
+        /* Reset the "internal" variables afterwards, because they are in
+        dynamic store that will be reclaimed if the expansion succeeded. */
+
+        prvscheck_address = NULL;
+        prvscheck_keynum = NULL;
+        }
+      else
+        /* Does not look like a prvs encoded address, return the empty string.
+           We need to make sure all subs are expanded first, so as to skip over
+           the entire item. */
+
+        switch(read_subs(sub_arg, 2, 1, &s, skipping, TRUE, name, &resetok))
+          {
+          case 1: goto EXPAND_FAILED_CURLY;
+          case 2:
+          case 3: goto EXPAND_FAILED;
+          }
+
+      if (skipping) continue;
+      break;
+      }
+
+    /* Handle "readfile" to insert an entire file */
+
+    case EITEM_READFILE:
+      {
+      FILE * f;
+      uschar * sub_arg[2];
+
+      if ((expand_forbid & RDO_READFILE) != 0)
+        {
+        expand_string_message = US"file insertions are not permitted";
+        goto EXPAND_FAILED;
+        }
+
+      switch(read_subs(sub_arg, 2, 1, &s, skipping, TRUE, name, &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+
+      /* If skipping, we don't actually do anything */
+
+      if (skipping) continue;
+
+      /* Open the file and read it */
+
+      if (!(f = Ufopen(sub_arg[0], "rb")))
+        {
+        expand_string_message = string_open_failed("%s", sub_arg[0]);
+        goto EXPAND_FAILED;
+        }
+
+      yield = cat_file(f, yield, sub_arg[1]);
+      (void)fclose(f);
+      break;
+      }
+
+    /* Handle "readsocket" to insert data from a socket, either
+    Inet or Unix domain */
+
+    case EITEM_READSOCK:
+      {
+      uschar * arg;
+      uschar * sub_arg[4];
+
+      if (expand_forbid & RDO_READSOCK)
+        {
+        expand_string_message = US"socket insertions are not permitted";
+        goto EXPAND_FAILED;
+        }
+
+      /* Read up to 4 arguments, but don't do the end of item check afterwards,
+      because there may be a string for expansion on failure. */
+
+      switch(read_subs(sub_arg, 4, 2, &s, skipping, FALSE, name, &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:                             /* Won't occur: no end check */
+        case 3: goto EXPAND_FAILED;
+        }
+
+      /* If skipping, we don't actually do anything. Otherwise, arrange to
+      connect to either an IP or a Unix socket. */
+
+      if (!skipping)
+        {
+	int stype = search_findtype(US"readsock", 8);
+	gstring * g = NULL;
+	void * handle;
+	int expand_setup = -1;
+	uschar * s;
+
+	/* If the reqstr is empty, flag that and set a dummy */
+
+	if (!sub_arg[1][0])
+	  {
+	  g = string_append_listele(g, ',', US"send=no");
+	  sub_arg[1] = US"DUMMY";
+	  }
+
+	/* Re-marshall the options */
+
+	if (sub_arg[2])
+	  {
+	  const uschar * list = sub_arg[2];
+	  uschar * item;
+	  int sep = 0;
+
+	  /* First option has no tag and is timeout */
+	  if ((item = string_nextinlist(&list, &sep, NULL, 0)))
+	    g = string_append_listele(g, ',',
+		  string_sprintf("timeout=%s", item));
+
+	  /* The rest of the options from the expansion */
+	  while ((item = string_nextinlist(&list, &sep, NULL, 0)))
+	    g = string_append_listele(g, ',', item);
+
+	  /* possibly plus an EOL string.  Process with escapes, to protect
+	  from list-processing.  The only current user of eol= in search
+	  options is the readsock expansion. */
+
+	  if (sub_arg[3] && *sub_arg[3])
+	    g = string_append_listele(g, ',',
+		  string_sprintf("eol=%s",
+		    string_printing2(sub_arg[3], SP_TAB|SP_SPACE)));
+	  }
+
+	/* Gat a (possibly cached) handle for the connection */
+
+	if (!(handle = search_open(sub_arg[0], stype, 0, NULL, NULL)))
+	  {
+	  if (*expand_string_message) goto EXPAND_FAILED;
+	  expand_string_message = search_error_message;
+	  search_error_message = NULL;
+	  goto SOCK_FAIL;
+	  }
+
+	/* Get (possibly cached) results for the lookup */
+	/* sspec: sub_arg[0]  req: sub_arg[1]  opts: g */
+
+	if ((s = search_find(handle, sub_arg[0], sub_arg[1], -1, NULL, 0, 0,
+				    &expand_setup, string_from_gstring(g))))
+	  yield = string_cat(yield, s);
+	else if (f.search_find_defer)
+	  {
+	  expand_string_message = search_error_message;
+	  search_error_message = NULL;
+	  goto SOCK_FAIL;
+	  }
+	else
+	  {	/* should not happen, at present */
+	  expand_string_message = search_error_message;
+	  search_error_message = NULL;
+	  goto SOCK_FAIL;
+	  }
+        }
+
+      /* The whole thing has worked (or we were skipping). If there is a
+      failure string following, we need to skip it. */
+
+      if (*s == '{')							/*}*/
+        {
+        if (!expand_string_internal(s+1, TRUE, &s, TRUE, TRUE, &resetok))
+          goto EXPAND_FAILED;						/*{*/
+        if (*s++ != '}')
+	  {								/*{*/
+	  expand_string_message = US"missing '}' closing failstring for readsocket";
+	  goto EXPAND_FAILED_CURLY;
+	  }
+        Uskip_whitespace(&s);
+        }
+
+    READSOCK_DONE:							/*{*/
+      if (*s++ != '}')
+        {								/*{*/
+	expand_string_message = US"missing '}' closing readsocket";
+	goto EXPAND_FAILED_CURLY;
+	}
+      if (skipping) continue;
+      break;
+
+      /* Come here on failure to create socket, connect socket, write to the
+      socket, or timeout on reading. If another substring follows, expand and
+      use it. Otherwise, those conditions give expand errors. */
+
+    SOCK_FAIL:
+      if (*s != '{') goto EXPAND_FAILED;				/*}*/
+      DEBUG(D_any) debug_printf("%s\n", expand_string_message);
+      if (!(arg = expand_string_internal(s+1, TRUE, &s, FALSE, TRUE, &resetok)))
+        goto EXPAND_FAILED;
+      yield = string_cat(yield, arg);					/*{*/
+      if (*s++ != '}')
+        {								/*{*/
+	expand_string_message = US"missing '}' closing failstring for readsocket";
+	goto EXPAND_FAILED_CURLY;
+	}
+      Uskip_whitespace(&s);
+      goto READSOCK_DONE;
+      }
+
+    /* Handle "run" to execute a program. */
+
+    case EITEM_RUN:
+      {
+      FILE * f;
+      const uschar * arg, ** argv;
+      BOOL late_expand = TRUE;
+
+      if ((expand_forbid & RDO_RUN) != 0)
+        {
+        expand_string_message = US"running a command is not permitted";
+        goto EXPAND_FAILED;
+        }
+
+      /* Handle options to the "run" */
+
+      while (*s == ',')
+	{
+	if (Ustrncmp(++s, "preexpand", 9) == 0)
+	  { late_expand = FALSE; s += 9; }
+	else
+	  {
+	  const uschar * t = s;
+	  while (isalpha(*++t)) ;
+	  expand_string_message = string_sprintf("bad option '%.*s' for run",
+						  (int)(t-s), s);
+	  goto EXPAND_FAILED;
+	  }
+	}
+      Uskip_whitespace(&s);
+
+      if (*s != '{')					/*}*/
+        {
+	expand_string_message = US"missing '{' for command arg of run";
+	goto EXPAND_FAILED_CURLY;			/*"}*/
+	}
+      s++;
+
+      if (late_expand)		/* this is the default case */
+	{
+	int n = Ustrcspn(s, "}");
+	arg = skipping ? NULL : string_copyn(s, n);
+	s += n;
+	}
+      else
+	{
+	if (!(arg = expand_string_internal(s, TRUE, &s, skipping, TRUE, &resetok)))
+	  goto EXPAND_FAILED;
+	Uskip_whitespace(&s);
+	}
+							/*{*/
+      if (*s++ != '}')
+        {						/*{*/
+	expand_string_message = US"missing '}' closing command arg of run";
+	goto EXPAND_FAILED_CURLY;
+	}
+
+      if (skipping)   /* Just pretend it worked when we're skipping */
+	{
+        runrc = 0;
+	lookup_value = NULL;
+	}
+      else
+        {
+	int fd_in, fd_out;
+	pid_t pid;
+
+        if (!transport_set_up_command(&argv,    /* anchor for arg list */
+            arg,                                /* raw command */
+	    late_expand,		/* expand args if not already done */
+            0,                          /* not relevant when... */
+            NULL,                       /* no transporting address */
+	    late_expand,		/* allow tainted args, when expand-after-split */
+            US"${run} expansion",       /* for error messages */
+            &expand_string_message))    /* where to put error message */
+          goto EXPAND_FAILED;
+
+        /* Create the child process, making it a group leader. */
+
+        if ((pid = child_open(USS argv, NULL, 0077, &fd_in, &fd_out, TRUE,
+			      US"expand-run")) < 0)
+          {
+          expand_string_message =
+            string_sprintf("couldn't create child process: %s", strerror(errno));
+          goto EXPAND_FAILED;
+	  }
+
+        /* Nothing is written to the standard input. */
+
+        (void)close(fd_in);
+
+        /* Read the pipe to get the command's output into $value (which is kept
+        in lookup_value). Read during execution, so that if the output exceeds
+        the OS pipe buffer limit, we don't block forever. Remember to not release
+	memory just allocated for $value. */
+
+	resetok = FALSE;
+        f = fdopen(fd_out, "rb");
+        sigalrm_seen = FALSE;
+        ALARM(60);
+	lookup_value = string_from_gstring(cat_file(f, NULL, NULL));
+        ALARM_CLR(0);
+        (void)fclose(f);
+
+        /* Wait for the process to finish, applying the timeout, and inspect its
+        return code for serious disasters. Simple non-zero returns are passed on.
+        */
+
+        if (sigalrm_seen || (runrc = child_close(pid, 30)) < 0)
+          {
+          if (sigalrm_seen || runrc == -256)
+            {
+            expand_string_message = US"command timed out";
+            killpg(pid, SIGKILL);       /* Kill the whole process group */
+            }
+
+          else if (runrc == -257)
+            expand_string_message = string_sprintf("wait() failed: %s",
+              strerror(errno));
+
+          else
+            expand_string_message = string_sprintf("command killed by signal %d",
+              -runrc);
+
+          goto EXPAND_FAILED;
+          }
+        }
+
+      /* Process the yes/no strings; $value may be useful in both cases */
+
+      switch(process_yesno(
+               skipping,                     /* were previously skipping */
+               runrc == 0,                   /* success/failure indicator */
+               lookup_value,                 /* value to reset for string2 */
+               &s,                           /* input pointer */
+               &yield,                       /* output pointer */
+               US"run",                      /* condition type */
+	       &resetok))
+        {
+        case 1: goto EXPAND_FAILED;          /* when all is well, the */
+        case 2: goto EXPAND_FAILED_CURLY;    /* returned value is 0 */
+        }
+
+      if (skipping) continue;
+      break;
+      }
+
+    /* Handle character translation for "tr" */
+
+    case EITEM_TR:
+      {
+      int oldptr = gstring_length(yield);
+      int o2m;
+      uschar * sub[3];
+
+      switch(read_subs(sub, 3, 3, &s, skipping, TRUE, name, &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+
+      yield = string_cat(yield, sub[0]);
+      o2m = Ustrlen(sub[2]) - 1;
+
+      if (o2m >= 0) for (; oldptr < yield->ptr; oldptr++)
+        {
+        uschar *m = Ustrrchr(sub[1], yield->s[oldptr]);
+        if (m)
+          {
+          int o = m - sub[1];
+          yield->s[oldptr] = sub[2][(o < o2m)? o : o2m];
+          }
+        }
+
+      if (skipping) continue;
+      break;
+      }
+
+    /* Handle "hash", "length", "nhash", and "substr" when they are given with
+    expanded arguments. */
+
+    case EITEM_HASH:
+    case EITEM_LENGTH:
+    case EITEM_NHASH:
+    case EITEM_SUBSTR:
+      {
+      int len;
+      uschar *ret;
+      int val[2] = { 0, -1 };
+      uschar * sub[3];
+
+      /* "length" takes only 2 arguments whereas the others take 2 or 3.
+      Ensure that sub[2] is set in the ${length } case. */
+
+      sub[2] = NULL;
+      switch(read_subs(sub, (item_type == EITEM_LENGTH)? 2:3, 2, &s, skipping,
+             TRUE, name, &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+
+      /* Juggle the arguments if there are only two of them: always move the
+      string to the last position and make ${length{n}{str}} equivalent to
+      ${substr{0}{n}{str}}. See the defaults for val[] above. */
+
+      if (!sub[2])
+        {
+        sub[2] = sub[1];
+        sub[1] = NULL;
+        if (item_type == EITEM_LENGTH)
+          {
+          sub[1] = sub[0];
+          sub[0] = NULL;
+          }
+        }
+
+      for (int i = 0; i < 2; i++) if (sub[i])
+        {
+        val[i] = (int)Ustrtol(sub[i], &ret, 10);
+        if (*ret != 0 || (i != 0 && val[i] < 0))
+          {
+          expand_string_message = string_sprintf("\"%s\" is not a%s number "
+            "(in \"%s\" expansion)", sub[i], (i != 0)? " positive" : "", name);
+          goto EXPAND_FAILED;
+          }
+        }
+
+      ret =
+        item_type == EITEM_HASH
+	?  compute_hash(sub[2], val[0], val[1], &len)
+	: item_type == EITEM_NHASH
+	? compute_nhash(sub[2], val[0], val[1], &len)
+	: extract_substr(sub[2], val[0], val[1], &len);
+      if (!ret)
+	goto EXPAND_FAILED;
+      yield = string_catn(yield, ret, len);
+      if (skipping) continue;
+      break;
+      }
+
+    /* Handle HMAC computation: ${hmac{<algorithm>}{<secret>}{<text>}}
+    This code originally contributed by Steve Haslam. It currently supports
+    the use of MD5 and SHA-1 hashes.
+
+    We need some workspace that is large enough to handle all the supported
+    hash types. Use macros to set the sizes rather than be too elaborate. */
+
+    #define MAX_HASHLEN      20
+    #define MAX_HASHBLOCKLEN 64
+
+    case EITEM_HMAC:
+      {
+      uschar * sub[3];
+      md5 md5_base;
+      hctx sha1_ctx;
+      void * use_base;
+      int type;
+      int hashlen;      /* Number of octets for the hash algorithm's output */
+      int hashblocklen; /* Number of octets the hash algorithm processes */
+      uschar * keyptr, * p;
+      unsigned int keylen;
+
+      uschar keyhash[MAX_HASHLEN];
+      uschar innerhash[MAX_HASHLEN];
+      uschar finalhash[MAX_HASHLEN];
+      uschar finalhash_hex[2*MAX_HASHLEN];
+      uschar innerkey[MAX_HASHBLOCKLEN];
+      uschar outerkey[MAX_HASHBLOCKLEN];
+
+      switch (read_subs(sub, 3, 3, &s, skipping, TRUE, name, &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+
+      if (skipping) continue;
+
+      if (Ustrcmp(sub[0], "md5") == 0)
+	{
+	type = HMAC_MD5;
+	use_base = &md5_base;
+	hashlen = 16;
+	hashblocklen = 64;
+	}
+      else if (Ustrcmp(sub[0], "sha1") == 0)
+	{
+	type = HMAC_SHA1;
+	use_base = &sha1_ctx;
+	hashlen = 20;
+	hashblocklen = 64;
+	}
+      else
+	{
+	expand_string_message =
+	  string_sprintf("hmac algorithm \"%s\" is not recognised", sub[0]);
+	goto EXPAND_FAILED;
+	}
+
+      keyptr = sub[1];
+      keylen = Ustrlen(keyptr);
+
+      /* If the key is longer than the hash block length, then hash the key
+      first */
+
+      if (keylen > hashblocklen)
+	{
+	chash_start(type, use_base);
+	chash_end(type, use_base, keyptr, keylen, keyhash);
+	keyptr = keyhash;
+	keylen = hashlen;
+	}
+
+      /* Now make the inner and outer key values */
+
+      memset(innerkey, 0x36, hashblocklen);
+      memset(outerkey, 0x5c, hashblocklen);
+
+      for (int i = 0; i < keylen; i++)
+	{
+	innerkey[i] ^= keyptr[i];
+	outerkey[i] ^= keyptr[i];
+	}
+
+      /* Now do the hashes */
+
+      chash_start(type, use_base);
+      chash_mid(type, use_base, innerkey);
+      chash_end(type, use_base, sub[2], Ustrlen(sub[2]), innerhash);
+
+      chash_start(type, use_base);
+      chash_mid(type, use_base, outerkey);
+      chash_end(type, use_base, innerhash, hashlen, finalhash);
+
+      /* Encode the final hash as a hex string */
+
+      p = finalhash_hex;
+      for (int i = 0; i < hashlen; i++)
+	{
+	*p++ = hex_digits[(finalhash[i] & 0xf0) >> 4];
+	*p++ = hex_digits[finalhash[i] & 0x0f];
+	}
+
+      DEBUG(D_any) debug_printf("HMAC[%s](%.*s,%s)=%.*s\n",
+	sub[0], (int)keylen, keyptr, sub[2], hashlen*2, finalhash_hex);
+
+      yield = string_catn(yield, finalhash_hex, hashlen*2);
+      break;
+      }
+
+    /* Handle global substitution for "sg" - like Perl's s/xxx/yyy/g operator.
+    We have to save the numerical variables and restore them afterwards. */
+
+    case EITEM_SG:
+      {
+      const pcre2_code * re;
+      int moffset, moffsetextra, slen;
+      PCRE2_SIZE roffset;
+      pcre2_match_data * md;
+      int err, emptyopt;
+      uschar * subject, * sub[3];
+      int save_expand_nmax =
+        save_expand_strings(save_expand_nstring, save_expand_nlength);
+
+      switch(read_subs(sub, 3, 3, &s, skipping, TRUE, name, &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+
+      /*XXX no handling of skipping? */
+      /* Compile the regular expression */
+
+      if (!(re = pcre2_compile((PCRE2_SPTR)sub[1], PCRE2_ZERO_TERMINATED,
+		  PCRE_COPT, &err, &roffset, pcre_cmp_ctx)))
+        {
+        uschar errbuf[128];
+	pcre2_get_error_message(err, errbuf, sizeof(errbuf));
+        expand_string_message = string_sprintf("regular expression error in "
+          "\"%s\": %s at offset %ld", sub[1], errbuf, (long)roffset);
+        goto EXPAND_FAILED;
+        }
+      md = pcre2_match_data_create(EXPAND_MAXN + 1, pcre_gen_ctx);
+
+      /* Now run a loop to do the substitutions as often as necessary. It ends
+      when there are no more matches. Take care over matches of the null string;
+      do the same thing as Perl does. */
+
+      subject = sub[0];
+      slen = Ustrlen(sub[0]);
+      moffset = moffsetextra = 0;
+      emptyopt = 0;
+
+      for (;;)
+        {
+	PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md);
+	int n = pcre2_match(re, (PCRE2_SPTR)subject, slen, moffset + moffsetextra,
+	  PCRE_EOPT | emptyopt, md, pcre_mtc_ctx);
+        uschar * insert;
+
+        /* No match - if we previously set PCRE_NOTEMPTY after a null match, this
+        is not necessarily the end. We want to repeat the match from one
+        character further along, but leaving the basic offset the same (for
+        copying below). We can't be at the end of the string - that was checked
+        before setting PCRE_NOTEMPTY. If PCRE_NOTEMPTY is not set, we are
+        finished; copy the remaining string and end the loop. */
+
+        if (n < 0)
+          {
+          if (emptyopt != 0)
+            {
+            moffsetextra = 1;
+            emptyopt = 0;
+            continue;
+            }
+          yield = string_catn(yield, subject+moffset, slen-moffset);
+          break;
+          }
+
+        /* Match - set up for expanding the replacement. */
+	DEBUG(D_expand) debug_printf_indent("%s: match\n", name);
+
+        if (n == 0) n = EXPAND_MAXN + 1;
+        expand_nmax = 0;
+        for (int nn = 0; nn < n*2; nn += 2)
+          {
+          expand_nstring[expand_nmax] = subject + ovec[nn];
+          expand_nlength[expand_nmax++] = ovec[nn+1] - ovec[nn];
+          }
+        expand_nmax--;
+
+        /* Copy the characters before the match, plus the expanded insertion. */
+
+	yield = string_catn(yield, subject + moffset, ovec[0] - moffset);
+
+        if (!(insert = expand_string(sub[2])))
+	  goto EXPAND_FAILED;
+        yield = string_cat(yield, insert);
+
+        moffset = ovec[1];
+        moffsetextra = 0;
+        emptyopt = 0;
+
+        /* If we have matched an empty string, first check to see if we are at
+        the end of the subject. If so, the loop is over. Otherwise, mimic
+        what Perl's /g options does. This turns out to be rather cunning. First
+        we set PCRE_NOTEMPTY and PCRE_ANCHORED and try the match a non-empty
+        string at the same point. If this fails (picked up above) we advance to
+        the next character. */
+
+        if (ovec[0] == ovec[1])
+          {
+          if (ovec[0] == slen) break;
+          emptyopt = PCRE2_NOTEMPTY | PCRE2_ANCHORED;
+          }
+        }
+
+      /* All done - restore numerical variables. */
+
+      restore_expand_strings(save_expand_nmax, save_expand_nstring,
+        save_expand_nlength);
+      if (skipping) continue;
+      break;
+      }
+
+    /* Handle keyed and numbered substring extraction. If the first argument
+    consists entirely of digits, then a numerical extraction is assumed. */
+
+    case EITEM_EXTRACT:
+      {
+      int field_number = 1;
+      BOOL field_number_set = FALSE;
+      uschar * save_lookup_value = lookup_value, * sub[3];
+      int save_expand_nmax =
+        save_expand_strings(save_expand_nstring, save_expand_nlength);
+
+      /* On reflection the original behaviour of extract-json for a string
+      result, leaving it quoted, was a mistake.  But it was already published,
+      hence the addition of jsons.  In a future major version, make json
+      work like josons, and withdraw jsons. */
+
+      enum {extract_basic, extract_json, extract_jsons} fmt = extract_basic;
+
+      /* Check for a format-variant specifier */
+
+      if (Uskip_whitespace(&s) != '{')					/*}*/
+	if (Ustrncmp(s, "json", 4) == 0)
+	  if (*(s += 4) == 's')
+	    {fmt = extract_jsons; s++;}
+	  else
+	    fmt = extract_json;
+
+      /* While skipping we cannot rely on the data for expansions being
+      available (eg. $item) hence cannot decide on numeric vs. keyed.
+      Read a maximum of 5 arguments (including the yes/no) */
+
+      if (skipping)
+	{
+        for (int j = 5; j > 0 && *s == '{'; j--)			/*'}'*/
+	  {
+          if (!expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok))
+	    goto EXPAND_FAILED;					/*'{'*/
+          if (*s++ != '}')
+	    {
+	    expand_string_message = US"missing '{' for arg of extract";
+	    goto EXPAND_FAILED_CURLY;
+	    }
+	  Uskip_whitespace(&s);
+	  }
+	if (  Ustrncmp(s, "fail", 4) == 0				/*'{'*/
+	   && (s[4] == '}' || s[4] == ' ' || s[4] == '\t' || !s[4])
+	   )
+	  {
+	  s += 4;
+	  Uskip_whitespace(&s);
+	  }								/*'{'*/
+	if (*s != '}')
+	  {
+	  expand_string_message = US"missing '}' closing extract";
+	  goto EXPAND_FAILED_CURLY;
+	  }
+	}
+
+      else for (int i = 0, j = 2; i < j; i++) /* Read the proper number of arguments */
+        {
+	if (Uskip_whitespace(&s) == '{') 				/*'}'*/
+          {
+          if (!(sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok)))
+	    goto EXPAND_FAILED;						/*'{'*/
+          if (*s++ != '}')
+	    {
+	    expand_string_message = string_sprintf(
+	      "missing '}' closing arg %d of extract", i+1);
+	    goto EXPAND_FAILED_CURLY;
+	    }
+
+          /* After removal of leading and trailing white space, the first
+          argument must not be empty; if it consists entirely of digits
+          (optionally preceded by a minus sign), this is a numerical
+          extraction, and we expect 3 arguments (normal) or 2 (json). */
+
+          if (i == 0)
+            {
+            int len;
+            int x = 0;
+            uschar * p = sub[0];
+
+            Uskip_whitespace(&p);
+            sub[0] = p;
+
+            len = Ustrlen(p);
+            while (len > 0 && isspace(p[len-1])) len--;
+            p[len] = 0;
+
+	    if (!*p)
+	      {
+	      expand_string_message = US"first argument of \"extract\" must "
+		"not be empty";
+	      goto EXPAND_FAILED;
+	      }
+
+	    if (*p == '-')
+	      {
+	      field_number = -1;
+	      p++;
+	      }
+	    while (*p && isdigit(*p)) x = x * 10 + *p++ - '0';
+	    if (!*p)
+	      {
+	      field_number *= x;
+	      if (fmt == extract_basic) j = 3;               /* Need 3 args */
+	      field_number_set = TRUE;
+	      }
+            }
+          }
+        else
+	  {
+	  expand_string_message = string_sprintf(
+	    "missing '{' for arg %d of extract", i+1);
+	  goto EXPAND_FAILED_CURLY;
+	  }
+        }
+
+      /* Extract either the numbered or the keyed substring into $value. If
+      skipping, just pretend the extraction failed. */
+
+      if (skipping)
+	lookup_value = NULL;
+      else switch (fmt)
+	{
+	case extract_basic:
+	  lookup_value = field_number_set
+	    ? expand_gettokened(field_number, sub[1], sub[2])
+	    : expand_getkeyed(sub[0], sub[1]);
+	  break;
+
+	case extract_json:
+	case extract_jsons:
+	  {
+	  uschar * s, * item;
+	  const uschar * list;
+
+	  /* Array: Bracket-enclosed and comma-separated.
+	  Object: Brace-enclosed, comma-sep list of name:value pairs */
+
+	  if (!(s = dewrap(sub[1], field_number_set ? US"[]" : US"{}")))
+	    {
+	    expand_string_message =
+	      string_sprintf("%s wrapping %s for extract json",
+		expand_string_message,
+		field_number_set ? "array" : "object");
+	    goto EXPAND_FAILED_CURLY;
+	    }
+
+	  list = s;
+	  if (field_number_set)
+	    {
+	    if (field_number <= 0)
+	      {
+	      expand_string_message = US"first argument of \"extract\" must "
+		"be greater than zero";
+	      goto EXPAND_FAILED;
+	      }
+	    while (field_number > 0 && (item = json_nextinlist(&list)))
+	      field_number--;
+	    if ((lookup_value = s = item))
+	      {
+	      while (*s) s++;
+	      while (--s >= lookup_value && isspace(*s)) *s = '\0';
+	      }
+	    }
+	  else
+	    {
+	    lookup_value = NULL;
+	    while ((item = json_nextinlist(&list)))
+	      {
+	      /* Item is:  string name-sep value.  string is quoted.
+	      Dequote the string and compare with the search key. */
+
+	      if (!(item = dewrap(item, US"\"\"")))
+		{
+		expand_string_message =
+		  string_sprintf("%s wrapping string key for extract json",
+		    expand_string_message);
+		goto EXPAND_FAILED_CURLY;
+		}
+	      if (Ustrcmp(item, sub[0]) == 0)	/*XXX should be a UTF8-compare */
+		{
+		s = item + Ustrlen(item) + 1;
+		if (Uskip_whitespace(&s) != ':')
+		  {
+		  expand_string_message =
+		    US"missing object value-separator for extract json";
+		  goto EXPAND_FAILED_CURLY;
+		  }
+		s++;
+		Uskip_whitespace(&s);
+		lookup_value = s;
+		break;
+		}
+	      }
+	    }
+	  }
+
+	  if (  fmt == extract_jsons
+	     && lookup_value
+	     && !(lookup_value = dewrap(lookup_value, US"\"\"")))
+	    {
+	    expand_string_message =
+	      string_sprintf("%s wrapping string result for extract jsons",
+		expand_string_message);
+	    goto EXPAND_FAILED_CURLY;
+	    }
+	  break;	/* json/s */
+	}
+
+      /* If no string follows, $value gets substituted; otherwise there can
+      be yes/no strings, as for lookup or if. */
+
+      switch(process_yesno(
+               skipping,                     /* were previously skipping */
+               lookup_value != NULL,         /* success/failure indicator */
+               save_lookup_value,            /* value to reset for string2 */
+               &s,                           /* input pointer */
+               &yield,                       /* output pointer */
+               US"extract",                  /* condition type */
+	       &resetok))
+        {
+        case 1: goto EXPAND_FAILED;          /* when all is well, the */
+        case 2: goto EXPAND_FAILED_CURLY;    /* returned value is 0 */
+        }
+
+      /* All done - restore numerical variables. */
+
+      restore_expand_strings(save_expand_nmax, save_expand_nstring,
+        save_expand_nlength);
+
+      if (skipping) continue;
+      break;
+      }
+
+    /* return the Nth item from a list */
+
+    case EITEM_LISTEXTRACT:
+      {
+      int field_number = 1;
+      uschar * save_lookup_value = lookup_value, * sub[2];
+      int save_expand_nmax =
+        save_expand_strings(save_expand_nstring, save_expand_nlength);
+
+      /* Read the field & list arguments */
+
+      for (int i = 0; i < 2; i++)
+        {
+        if (Uskip_whitespace(&s) != '{')				/*}*/
+	  {
+	  expand_string_message = string_sprintf(
+	    "missing '{' for arg %d of listextract", i+1);		/*}*/
+	  goto EXPAND_FAILED_CURLY;
+	  }
+
+	sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
+	if (!sub[i])     goto EXPAND_FAILED;				/*{{*/
+	if (*s++ != '}')
+	  {
+	  expand_string_message = string_sprintf(
+	    "missing '}' closing arg %d of listextract", i+1);
+	  goto EXPAND_FAILED_CURLY;
+	  }
+
+	/* After removal of leading and trailing white space, the first
+	argument must be numeric and nonempty. */
+
+	if (i == 0)
+	  {
+	  int len;
+	  int x = 0;
+	  uschar *p = sub[0];
+
+	  Uskip_whitespace(&p);
+	  sub[0] = p;
+
+	  len = Ustrlen(p);
+	  while (len > 0 && isspace(p[len-1])) len--;
+	  p[len] = 0;
+
+	  if (!*p && !skipping)
+	    {
+	    expand_string_message = US"first argument of \"listextract\" must "
+	      "not be empty";
+	    goto EXPAND_FAILED;
+	    }
+
+	  if (*p == '-')
+	    {
+	    field_number = -1;
+	    p++;
+	    }
+	  while (*p && isdigit(*p)) x = x * 10 + *p++ - '0';
+	  if (*p)
+	    {
+	    expand_string_message = US"first argument of \"listextract\" must "
+	      "be numeric";
+	    goto EXPAND_FAILED;
+	    }
+	  field_number *= x;
+	  }
+        }
+
+      /* Extract the numbered element into $value. If
+      skipping, just pretend the extraction failed. */
+
+      lookup_value = skipping ? NULL : expand_getlistele(field_number, sub[1]);
+
+      /* If no string follows, $value gets substituted; otherwise there can
+      be yes/no strings, as for lookup or if. */
+
+      switch(process_yesno(
+               skipping,                     /* were previously skipping */
+               lookup_value != NULL,         /* success/failure indicator */
+               save_lookup_value,            /* value to reset for string2 */
+               &s,                           /* input pointer */
+               &yield,                       /* output pointer */
+               US"listextract",              /* condition type */
+	       &resetok))
+        {
+        case 1: goto EXPAND_FAILED;          /* when all is well, the */
+        case 2: goto EXPAND_FAILED_CURLY;    /* returned value is 0 */
+        }
+
+      /* All done - restore numerical variables. */
+
+      restore_expand_strings(save_expand_nmax, save_expand_nstring,
+        save_expand_nlength);
+
+      if (skipping) continue;
+      break;
+      }
+
+    case EITEM_LISTQUOTE:
+      {
+      uschar * sub[2];
+      switch(read_subs(sub, 2, 2, &s, skipping, TRUE, name, &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+      if (*sub[1]) for (uschar sep = *sub[0], c; c = *sub[1]; sub[1]++)
+	{
+	if (c == sep) yield = string_catn(yield, sub[1], 1);
+	yield = string_catn(yield, sub[1], 1);
+	}
+      else yield = string_catn(yield, US" ", 1);
+      if (skipping) continue;
+      break;
+      }
+
+#ifndef DISABLE_TLS
+    case EITEM_CERTEXTRACT:
+      {
+      uschar * save_lookup_value = lookup_value, * sub[2];
+      int save_expand_nmax =
+        save_expand_strings(save_expand_nstring, save_expand_nlength);
+
+      /* Read the field argument */
+      if (Uskip_whitespace(&s) != '{')					/*}*/
+	{
+	expand_string_message = US"missing '{' for field arg of certextract";
+	goto EXPAND_FAILED_CURLY;					/*}*/
+	}
+      sub[0] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
+      if (!sub[0])     goto EXPAND_FAILED;				/*{{*/
+      if (*s++ != '}')
+        {
+	expand_string_message = US"missing '}' closing field arg of certextract";
+	goto EXPAND_FAILED_CURLY;
+	}
+      /* strip spaces fore & aft */
+      {
+      int len;
+      uschar *p = sub[0];
+
+      Uskip_whitespace(&p);
+      sub[0] = p;
+
+      len = Ustrlen(p);
+      while (len > 0 && isspace(p[len-1])) len--;
+      p[len] = 0;
+      }
+
+      /* inspect the cert argument */
+      if (Uskip_whitespace(&s) != '{')					/*}*/
+	{
+	expand_string_message = US"missing '{' for cert variable arg of certextract";
+	goto EXPAND_FAILED_CURLY;					/*}*/
+	}
+      if (*++s != '$')
+        {
+	expand_string_message = US"second argument of \"certextract\" must "
+	  "be a certificate variable";
+	goto EXPAND_FAILED;
+	}
+      sub[1] = expand_string_internal(s+1, TRUE, &s, skipping, FALSE, &resetok);
+      if (!sub[1])     goto EXPAND_FAILED;				/*{{*/
+      if (*s++ != '}')
+        {
+	expand_string_message = US"missing '}' closing cert variable arg of certextract";
+	goto EXPAND_FAILED_CURLY;
+	}
+
+      if (skipping)
+	lookup_value = NULL;
+      else
+	{
+	lookup_value = expand_getcertele(sub[0], sub[1]);
+	if (*expand_string_message) goto EXPAND_FAILED;
+	}
+      switch(process_yesno(
+               skipping,                     /* were previously skipping */
+               lookup_value != NULL,         /* success/failure indicator */
+               save_lookup_value,            /* value to reset for string2 */
+               &s,                           /* input pointer */
+               &yield,                       /* output pointer */
+               US"certextract",              /* condition type */
+	       &resetok))
+        {
+        case 1: goto EXPAND_FAILED;          /* when all is well, the */
+        case 2: goto EXPAND_FAILED_CURLY;    /* returned value is 0 */
+        }
+
+      restore_expand_strings(save_expand_nmax, save_expand_nstring,
+        save_expand_nlength);
+      if (skipping) continue;
+      break;
+      }
+#endif	/*DISABLE_TLS*/
+
+    /* Handle list operations */
+
+    case EITEM_FILTER:
+    case EITEM_MAP:
+    case EITEM_REDUCE:
+      {
+      int sep = 0, save_ptr = gstring_length(yield);
+      uschar outsep[2] = { '\0', '\0' };
+      const uschar *list, *expr, *temp;
+      uschar * save_iterate_item = iterate_item;
+      uschar * save_lookup_value = lookup_value;
+
+      Uskip_whitespace(&s);
+      if (*s++ != '{')							/*}*/
+        {
+	expand_string_message =
+	  string_sprintf("missing '{' for first arg of %s", name);
+	goto EXPAND_FAILED_CURLY;					/*}*/
+	}
+
+      if (!(list = expand_string_internal(s, TRUE, &s, skipping, TRUE, &resetok)))
+	goto EXPAND_FAILED;						/*{{*/
+      if (*s++ != '}')
+        {
+	expand_string_message =
+	  string_sprintf("missing '}' closing first arg of %s", name);
+	goto EXPAND_FAILED_CURLY;
+	}
+
+      if (item_type == EITEM_REDUCE)
+        {
+	uschar * t;
+        Uskip_whitespace(&s);
+        if (*s++ != '{')						/*}*/
+	  {
+	  expand_string_message = US"missing '{' for second arg of reduce";
+	  goto EXPAND_FAILED_CURLY;					/*}*/
+	  }
+        t = expand_string_internal(s, TRUE, &s, skipping, TRUE, &resetok);
+        if (!t) goto EXPAND_FAILED;
+        lookup_value = t;						/*{{*/
+        if (*s++ != '}')
+	  {
+	  expand_string_message = US"missing '}' closing second arg of reduce";
+	  goto EXPAND_FAILED_CURLY;
+	  }
+        }
+
+      Uskip_whitespace(&s);
+      if (*s++ != '{')							/*}*/
+        {
+	expand_string_message =
+	  string_sprintf("missing '{' for last arg of %s", name);	/*}*/
+	goto EXPAND_FAILED_CURLY;
+	}
+
+      expr = s;
+
+      /* For EITEM_FILTER, call eval_condition once, with result discarded (as
+      if scanning a "false" part). This allows us to find the end of the
+      condition, because if the list is empty, we won't actually evaluate the
+      condition for real. For EITEM_MAP and EITEM_REDUCE, do the same, using
+      the normal internal expansion function. */
+
+      if (item_type != EITEM_FILTER)
+        temp = expand_string_internal(s, TRUE, &s, TRUE, TRUE, &resetok);
+      else
+        if ((temp = eval_condition(expr, &resetok, NULL))) s = temp;
+
+      if (!temp)
+        {
+        expand_string_message = string_sprintf("%s inside \"%s\" item",
+          expand_string_message, name);
+        goto EXPAND_FAILED;
+        }
+
+      Uskip_whitespace(&s);						/*{{{*/
+      if (*s++ != '}')
+        {
+        expand_string_message = string_sprintf("missing } at end of condition "
+          "or expression inside \"%s\"; could be an unquoted } in the content",
+	  name);
+        goto EXPAND_FAILED;
+        }
+
+      Uskip_whitespace(&s);						/*{{*/
+      if (*s++ != '}')
+        {
+        expand_string_message = string_sprintf("missing } at end of \"%s\"",
+          name);
+        goto EXPAND_FAILED;
+        }
+
+      /* If we are skipping, we can now just move on to the next item. When
+      processing for real, we perform the iteration. */
+
+      if (skipping) continue;
+      while ((iterate_item = string_nextinlist(&list, &sep, NULL, 0)))
+        {
+        *outsep = (uschar)sep;      /* Separator as a string */
+
+	DEBUG(D_expand) debug_printf_indent("%s: $item = '%s'  $value = '%s'\n",
+			  name, iterate_item, lookup_value);
+
+        if (item_type == EITEM_FILTER)
+          {
+          BOOL condresult;
+          if (!eval_condition(expr, &resetok, &condresult))
+            {
+            iterate_item = save_iterate_item;
+            lookup_value = save_lookup_value;
+            expand_string_message = string_sprintf("%s inside \"%s\" condition",
+              expand_string_message, name);
+            goto EXPAND_FAILED;
+            }
+          DEBUG(D_expand) debug_printf_indent("%s: condition is %s\n", name,
+            condresult? "true":"false");
+          if (condresult)
+            temp = iterate_item;    /* TRUE => include this item */
+          else
+            continue;               /* FALSE => skip this item */
+          }
+
+        /* EITEM_MAP and EITEM_REDUCE */
+
+        else
+          {
+	  uschar * t = expand_string_internal(expr, TRUE, NULL, skipping, TRUE, &resetok);
+          temp = t;
+          if (!temp)
+            {
+            iterate_item = save_iterate_item;
+            expand_string_message = string_sprintf("%s inside \"%s\" item",
+              expand_string_message, name);
+            goto EXPAND_FAILED;
+            }
+          if (item_type == EITEM_REDUCE)
+            {
+            lookup_value = t;         /* Update the value of $value */
+            continue;                 /* and continue the iteration */
+            }
+          }
+
+        /* We reach here for FILTER if the condition is true, always for MAP,
+        and never for REDUCE. The value in "temp" is to be added to the output
+        list that is being created, ensuring that any occurrences of the
+        separator character are doubled. Unless we are dealing with the first
+        item of the output list, add in a space if the new item begins with the
+        separator character, or is an empty string. */
+
+/*XXX is there not a standard support function for this, appending to a list? */
+/* yes, string_append_listele(), but it depends on lack of text before the list */
+
+        if (  yield && yield->ptr != save_ptr
+	   && (temp[0] == *outsep || temp[0] == 0))
+          yield = string_catn(yield, US" ", 1);
+
+        /* Add the string in "temp" to the output list that we are building,
+        This is done in chunks by searching for the separator character. */
+
+        for (;;)
+          {
+          size_t seglen = Ustrcspn(temp, outsep);
+
+	  yield = string_catn(yield, temp, seglen + 1);
+
+          /* If we got to the end of the string we output one character
+          too many; backup and end the loop. Otherwise arrange to double the
+          separator. */
+
+          if (!temp[seglen]) { yield->ptr--; break; }
+          yield = string_catn(yield, outsep, 1);
+          temp += seglen + 1;
+          }
+
+        /* Output a separator after the string: we will remove the redundant
+        final one at the end. */
+
+        yield = string_catn(yield, outsep, 1);
+        }   /* End of iteration over the list loop */
+
+      /* REDUCE has generated no output above: output the final value of
+      $value. */
+
+      if (item_type == EITEM_REDUCE)
+        {
+        yield = string_cat(yield, lookup_value);
+        lookup_value = save_lookup_value;  /* Restore $value */
+        }
+
+      /* FILTER and MAP generate lists: if they have generated anything, remove
+      the redundant final separator. Even though an empty item at the end of a
+      list does not count, this is tidier. */
+
+      else if (yield && yield->ptr != save_ptr) yield->ptr--;
+
+      /* Restore preserved $item */
+
+      iterate_item = save_iterate_item;
+      if (skipping) continue;
+      break;
+      }
+
+    case EITEM_SORT:
+      {
+      int sep = 0, cond_type;
+      const uschar * srclist, * cmp, * xtract;
+      uschar * opname, * srcitem;
+      const uschar * dstlist = NULL, * dstkeylist = NULL;
+      uschar * tmp, * save_iterate_item = iterate_item;
+
+      Uskip_whitespace(&s);
+      if (*s++ != '{')							/*}*/
+        {
+        expand_string_message = US"missing '{' for list arg of sort";
+	goto EXPAND_FAILED_CURLY;					/*}*/
+	}
+
+      srclist = expand_string_internal(s, TRUE, &s, skipping, TRUE, &resetok);
+      if (!srclist) goto EXPAND_FAILED;					/*{{*/
+      if (*s++ != '}')
+        {
+        expand_string_message = US"missing '}' closing list arg of sort";
+	goto EXPAND_FAILED_CURLY;
+	}
+
+      Uskip_whitespace(&s);
+      if (*s++ != '{')							/*}*/
+        {
+        expand_string_message = US"missing '{' for comparator arg of sort";
+	goto EXPAND_FAILED_CURLY;					/*}*/
+	}
+
+      cmp = expand_string_internal(s, TRUE, &s, skipping, FALSE, &resetok);
+      if (!cmp) goto EXPAND_FAILED;					/*{{*/
+      if (*s++ != '}')
+        {
+        expand_string_message = US"missing '}' closing comparator arg of sort";
+	goto EXPAND_FAILED_CURLY;
+	}
+
+      if ((cond_type = identify_operator(&cmp, &opname)) == -1)
+	{
+	if (!expand_string_message)
+	  expand_string_message = string_sprintf("unknown condition \"%s\"", s);
+	goto EXPAND_FAILED;
+	}
+      switch(cond_type)
+	{
+	case ECOND_NUM_L: case ECOND_NUM_LE:
+	case ECOND_NUM_G: case ECOND_NUM_GE:
+	case ECOND_STR_GE: case ECOND_STR_GEI: case ECOND_STR_GT: case ECOND_STR_GTI:
+	case ECOND_STR_LE: case ECOND_STR_LEI: case ECOND_STR_LT: case ECOND_STR_LTI:
+	  break;
+
+	default:
+	  expand_string_message = US"comparator not handled for sort";
+	  goto EXPAND_FAILED;
+	}
+
+      Uskip_whitespace(&s);
+      if (*s++ != '{')							/*}*/
+        {
+        expand_string_message = US"missing '{' for extractor arg of sort";
+	goto EXPAND_FAILED_CURLY;					/*}*/
+	}
+
+      xtract = s;
+      if (!(tmp = expand_string_internal(s, TRUE, &s, TRUE, TRUE, &resetok)))
+	goto EXPAND_FAILED;
+      xtract = string_copyn(xtract, s - xtract);
+									/*{{*/
+      if (*s++ != '}')
+        {
+        expand_string_message = US"missing '}' closing extractor arg of sort";
+	goto EXPAND_FAILED_CURLY;
+	}
+									/*{{*/
+      if (*s++ != '}')
+        {
+        expand_string_message = US"missing } at end of \"sort\"";
+        goto EXPAND_FAILED;
+        }
+
+      if (skipping) continue;
+
+      while ((srcitem = string_nextinlist(&srclist, &sep, NULL, 0)))
+	{
+	uschar * srcfield, * dstitem;
+	gstring * newlist = NULL, * newkeylist = NULL;
+
+        DEBUG(D_expand) debug_printf_indent("%s: $item = \"%s\"\n", name, srcitem);
+
+	/* extract field for comparisons */
+	iterate_item = srcitem;
+	if (  !(srcfield = expand_string_internal(xtract, FALSE, NULL, FALSE,
+					  TRUE, &resetok))
+	   || !*srcfield)
+	  {
+	  expand_string_message = string_sprintf(
+	      "field-extract in sort: \"%s\"", xtract);
+	  goto EXPAND_FAILED;
+	  }
+
+	/* Insertion sort */
+
+	/* copy output list until new-item < list-item */
+	while ((dstitem = string_nextinlist(&dstlist, &sep, NULL, 0)))
+	  {
+	  uschar * dstfield;
+
+	  /* field for comparison */
+	  if (!(dstfield = string_nextinlist(&dstkeylist, &sep, NULL, 0)))
+	    goto SORT_MISMATCH;
+
+	  /* String-comparator names start with a letter; numeric names do not */
+
+	  if (sortsbefore(cond_type, isalpha(opname[0]),
+	      srcfield, dstfield))
+	    {
+	    /* New-item sorts before this dst-item.  Append new-item,
+	    then dst-item, then remainder of dst list. */
+
+	    newlist = string_append_listele(newlist, sep, srcitem);
+	    newkeylist = string_append_listele(newkeylist, sep, srcfield);
+	    srcitem = NULL;
+
+	    newlist = string_append_listele(newlist, sep, dstitem);
+	    newkeylist = string_append_listele(newkeylist, sep, dstfield);
+
+/*XXX why field-at-a-time copy?  Why not just dup the rest of the list? */
+	    while ((dstitem = string_nextinlist(&dstlist, &sep, NULL, 0)))
+	      {
+	      if (!(dstfield = string_nextinlist(&dstkeylist, &sep, NULL, 0)))
+		goto SORT_MISMATCH;
+	      newlist = string_append_listele(newlist, sep, dstitem);
+	      newkeylist = string_append_listele(newkeylist, sep, dstfield);
+	      }
+
+	    break;
+	    }
+
+	  newlist = string_append_listele(newlist, sep, dstitem);
+	  newkeylist = string_append_listele(newkeylist, sep, dstfield);
+	  }
+
+	/* If we ran out of dstlist without consuming srcitem, append it */
+	if (srcitem)
+	  {
+	  newlist = string_append_listele(newlist, sep, srcitem);
+	  newkeylist = string_append_listele(newkeylist, sep, srcfield);
+	  }
+
+	dstlist = newlist->s;
+	dstkeylist = newkeylist->s;
+
+        DEBUG(D_expand) debug_printf_indent("%s: dstlist = \"%s\"\n", name, dstlist);
+        DEBUG(D_expand) debug_printf_indent("%s: dstkeylist = \"%s\"\n", name, dstkeylist);
+	}
+
+      if (dstlist)
+	yield = string_cat(yield, dstlist);
+
+      /* Restore preserved $item */
+      iterate_item = save_iterate_item;
+      break;
+
+      SORT_MISMATCH:
+	expand_string_message = US"Internal error in sort (list mismatch)";
+	goto EXPAND_FAILED;
+      }
+
+
+    /* If ${dlfunc } support is configured, handle calling dynamically-loaded
+    functions, unless locked out at this time. Syntax is ${dlfunc{file}{func}}
+    or ${dlfunc{file}{func}{arg}} or ${dlfunc{file}{func}{arg1}{arg2}} or up to
+    a maximum of EXPAND_DLFUNC_MAX_ARGS arguments (defined below). */
+
+    #define EXPAND_DLFUNC_MAX_ARGS 8
+
+    case EITEM_DLFUNC:
+#ifndef EXPAND_DLFUNC
+      expand_string_message = US"\"${dlfunc\" encountered, but this facility "	/*}*/
+	"is not included in this binary";
+      goto EXPAND_FAILED;
+
+#else   /* EXPAND_DLFUNC */
+      {
+      tree_node * t;
+      exim_dlfunc_t * func;
+      uschar * result;
+      int status, argc;
+      uschar * argv[EXPAND_DLFUNC_MAX_ARGS + 3];
+
+      if (expand_forbid & RDO_DLFUNC)
+        {
+        expand_string_message =
+          US"dynamically-loaded functions are not permitted";
+        goto EXPAND_FAILED;
+        }
+
+      switch(read_subs(argv, EXPAND_DLFUNC_MAX_ARGS + 2, 2, &s, skipping,
+           TRUE, name, &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+
+      /* If skipping, we don't actually do anything */
+
+      if (skipping) continue;
+
+      /* Look up the dynamically loaded object handle in the tree. If it isn't
+      found, dlopen() the file and put the handle in the tree for next time. */
+
+      if (!(t = tree_search(dlobj_anchor, argv[0])))
+        {
+        void * handle = dlopen(CS argv[0], RTLD_LAZY);
+        if (!handle)
+          {
+          expand_string_message = string_sprintf("dlopen \"%s\" failed: %s",
+            argv[0], dlerror());
+          log_write(0, LOG_MAIN|LOG_PANIC, "%s", expand_string_message);
+          goto EXPAND_FAILED;
+          }
+        t = store_get_perm(sizeof(tree_node) + Ustrlen(argv[0]), argv[0]);
+        Ustrcpy(t->name, argv[0]);
+        t->data.ptr = handle;
+        (void)tree_insertnode(&dlobj_anchor, t);
+        }
+
+      /* Having obtained the dynamically loaded object handle, look up the
+      function pointer. */
+
+      if (!(func = (exim_dlfunc_t *)dlsym(t->data.ptr, CS argv[1])))
+        {
+        expand_string_message = string_sprintf("dlsym \"%s\" in \"%s\" failed: "
+          "%s", argv[1], argv[0], dlerror());
+        log_write(0, LOG_MAIN|LOG_PANIC, "%s", expand_string_message);
+        goto EXPAND_FAILED;
+        }
+
+      /* Call the function and work out what to do with the result. If it
+      returns OK, we have a replacement string; if it returns DEFER then
+      expansion has failed in a non-forced manner; if it returns FAIL then
+      failure was forced; if it returns ERROR or any other value there's a
+      problem, so panic slightly. In any case, assume that the function has
+      side-effects on the store that must be preserved. */
+
+      resetok = FALSE;
+      result = NULL;
+      for (argc = 0; argv[argc]; argc++) ;
+
+      if ((status = func(&result, argc - 2, &argv[2])) != OK)
+        {
+        expand_string_message = result ? result : US"(no message)";
+        if (status == FAIL_FORCED)
+	  f.expand_string_forcedfail = TRUE;
+	else if (status != FAIL)
+	  log_write(0, LOG_MAIN|LOG_PANIC, "dlfunc{%s}{%s} failed (%d): %s",
+              argv[0], argv[1], status, expand_string_message);
+        goto EXPAND_FAILED;
+        }
+
+      if (result) yield = string_cat(yield, result);
+      break;
+      }
+#endif /* EXPAND_DLFUNC */
+
+    case EITEM_ENV:	/* ${env {name} {val_if_found} {val_if_unfound}} */
+      {
+      uschar * key;
+      uschar *save_lookup_value = lookup_value;
+
+      if (Uskip_whitespace(&s) != '{')					/*}*/
+	goto EXPAND_FAILED;
+
+      key = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
+      if (!key) goto EXPAND_FAILED;					/*{{*/
+      if (*s++ != '}')
+        {
+        expand_string_message = US"missing '}' for name arg of env";
+	goto EXPAND_FAILED_CURLY;
+	}
+
+      lookup_value = US getenv(CS key);
+
+      switch(process_yesno(
+               skipping,                     /* were previously skipping */
+               lookup_value != NULL,         /* success/failure indicator */
+               save_lookup_value,            /* value to reset for string2 */
+               &s,                           /* input pointer */
+               &yield,                       /* output pointer */
+               US"env",                      /* condition type */
+	       &resetok))
+        {
+        case 1: goto EXPAND_FAILED;          /* when all is well, the */
+        case 2: goto EXPAND_FAILED_CURLY;    /* returned value is 0 */
+        }
+      if (skipping) continue;
+      break;
+      }
+
+#ifdef SUPPORT_SRS
+    case EITEM_SRS_ENCODE:
+      /* ${srs_encode {secret} {return_path} {orig_domain}} */
+      {
+      uschar * sub[3];
+      uschar cksum[4];
+      gstring * g = NULL;
+      BOOL quoted = FALSE;
+
+      switch (read_subs(sub, 3, 3, CUSS &s, skipping, TRUE, name, &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+      if (skipping) continue;
+
+      if (sub[1] && *(sub[1]))
+	{
+	g = string_catn(g, US"SRS0=", 5);
+
+	/* ${l_4:${hmac{md5}{SRS_SECRET}{${lc:$return_path}}}}= */
+	hmac_md5(sub[0], string_copylc(sub[1]), cksum, sizeof(cksum));
+	g = string_catn(g, cksum, sizeof(cksum));
+	g = string_catn(g, US"=", 1);
+
+	/* ${base32:${eval:$tod_epoch/86400&0x3ff}}= */
+	  {
+	  struct timeval now;
+	  unsigned long i;
+	  gstring * h = NULL;
+
+	  gettimeofday(&now, NULL);
+	  for (unsigned long i = (now.tv_sec / 86400) & 0x3ff; i; i >>= 5)
+	    h = string_catn(h, &base32_chars[i & 0x1f], 1);
+	  if (h) while (h->ptr > 0)
+	    g = string_catn(g, &h->s[--h->ptr], 1);
+	  }
+	g = string_catn(g, US"=", 1);
+
+	/* ${domain:$return_path}=${local_part:$return_path} */
+	  {
+	  int start, end, domain;
+	  uschar * t = parse_extract_address(sub[1], &expand_string_message,
+					    &start, &end, &domain, FALSE);
+	  uschar * s;
+
+	  if (!t)
+	    goto EXPAND_FAILED;
+
+	  if (domain > 0) g = string_cat(g, t + domain);
+	  g = string_catn(g, US"=", 1);
+
+	  s = domain > 0 ? string_copyn(t, domain - 1) : t;
+	  if ((quoted = Ustrchr(s, '"') != NULL))
+	    {
+	    gstring * h = NULL;
+	    DEBUG(D_expand) debug_printf_indent("auto-quoting local part\n");
+	    while (*s)		/* de-quote */
+	      {
+	      while (*s && *s != '"') h = string_catn(h, s++, 1);
+	      if (*s) s++;
+	      while (*s && *s != '"') h = string_catn(h, s++, 1);
+	      if (*s) s++;
+	      }
+	    gstring_release_unused(h);
+	    s = string_from_gstring(h);
+	    }
+	  g = string_cat(g, s);
+	  }
+
+	/* Assume that if the original local_part had quotes
+	it was for good reason */
+
+	if (quoted) yield = string_catn(yield, US"\"", 1);
+	yield = string_catn(yield, g->s, g->ptr);
+	if (quoted) yield = string_catn(yield, US"\"", 1);
+
+	/* @$original_domain */
+	yield = string_catn(yield, US"@", 1);
+	yield = string_cat(yield, sub[2]);
+	}
+      else
+	DEBUG(D_expand) debug_printf_indent("null return_path for srs-encode\n");
+
+      break;
+      }
+#endif /*SUPPORT_SRS*/
+
+    default:
+      goto NOT_ITEM;
+    }	/* EITEM_* switch */
+    /*NOTREACHED*/
+
+  DEBUG(D_expand)
+    if (yield && (start > 0 || *s))	/* only if not the sole expansion of the line */
+      debug_expansion_interim(US"item-res",
+			      yield->s + start, yield->ptr - start, skipping);
+  continue;
+
+NOT_ITEM: ;
+  }
+
+  /* Control reaches here if the name is not recognized as one of the more
+  complicated expansion items. Check for the "operator" syntax (name terminated
+  by a colon). Some of the operators have arguments, separated by _ from the
+  name. */
+
+  if (*s == ':')
+    {
+    int c;
+    uschar * arg = NULL, * sub;
+#ifndef DISABLE_TLS
+    var_entry * vp = NULL;
+#endif
+
+    /* Owing to an historical mis-design, an underscore may be part of the
+    operator name, or it may introduce arguments.  We therefore first scan the
+    table of names that contain underscores. If there is no match, we cut off
+    the arguments and then scan the main table. */
+
+    if ((c = chop_match(name, op_table_underscore,
+			nelem(op_table_underscore))) < 0)
+      {
+      if ((arg = Ustrchr(name, '_')))
+	*arg = 0;
+      if ((c = chop_match(name, op_table_main, nelem(op_table_main))) >= 0)
+	c += nelem(op_table_underscore);
+      if (arg) *arg++ = '_';		/* Put back for error messages */
+      }
+
+    /* Deal specially with operators that might take a certificate variable
+    as we do not want to do the usual expansion. For most, expand the string.*/
+    switch(c)
+      {
+#ifndef DISABLE_TLS
+      case EOP_MD5:
+      case EOP_SHA1:
+      case EOP_SHA256:
+      case EOP_BASE64:
+	if (s[1] == '$')
+	  {
+	  const uschar * s1 = s;
+	  sub = expand_string_internal(s+2, TRUE, &s1, skipping,
+		  FALSE, &resetok);
+	  if (!sub)       goto EXPAND_FAILED;		/*{*/
+	  if (*s1 != '}')
+	    {						/*{*/
+	    expand_string_message =
+	      string_sprintf("missing '}' closing cert arg of %s", name);
+	    goto EXPAND_FAILED_CURLY;
+	    }
+	  if ((vp = find_var_ent(sub)) && vp->type == vtype_cert)
+	    {
+	    s = s1+1;
+	    break;
+	    }
+	  vp = NULL;
+	  }
+        /*FALLTHROUGH*/
+#endif
+      default:
+	sub = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
+	if (!sub) goto EXPAND_FAILED;
+	s++;
+	break;
+      }
+
+    /* If we are skipping, we don't need to perform the operation at all.
+    This matters for operations like "mask", because the data may not be
+    in the correct format when skipping. For example, the expression may test
+    for the existence of $sender_host_address before trying to mask it. For
+    other operations, doing them may not fail, but it is a waste of time. */
+
+    if (skipping && c >= 0) continue;
+
+    /* Otherwise, switch on the operator type.  After handling go back
+    to the main loop top. */
+
+     {
+     int start = yield->ptr;
+     switch(c)
+      {
+      case EOP_BASE32:
+	{
+	uschar *t;
+	unsigned long int n = Ustrtoul(sub, &t, 10);
+	gstring * g = NULL;
+
+	if (*t != 0)
+	  {
+	  expand_string_message = string_sprintf("argument for base32 "
+	    "operator is \"%s\", which is not a decimal number", sub);
+	  goto EXPAND_FAILED;
+	  }
+	for ( ; n; n >>= 5)
+	  g = string_catn(g, &base32_chars[n & 0x1f], 1);
+
+	if (g) while (g->ptr > 0) yield = string_catn(yield, &g->s[--g->ptr], 1);
+	break;
+	}
+
+      case EOP_BASE32D:
+	{
+	uschar *tt = sub;
+	unsigned long int n = 0;
+	while (*tt)
+	  {
+	  uschar * t = Ustrchr(base32_chars, *tt++);
+	  if (!t)
+	    {
+	    expand_string_message = string_sprintf("argument for base32d "
+	      "operator is \"%s\", which is not a base 32 number", sub);
+	    goto EXPAND_FAILED;
+	    }
+	  n = n * 32 + (t - base32_chars);
+	  }
+	yield = string_fmt_append(yield, "%ld", n);
+	break;
+	}
+
+      case EOP_BASE62:
+	{
+	uschar *t;
+	unsigned long int n = Ustrtoul(sub, &t, 10);
+	if (*t != 0)
+	  {
+	  expand_string_message = string_sprintf("argument for base62 "
+	    "operator is \"%s\", which is not a decimal number", sub);
+	  goto EXPAND_FAILED;
+	  }
+	yield = string_cat(yield, string_base62(n));
+	break;
+	}
+
+      /* Note that for Darwin and Cygwin, BASE_62 actually has the value 36 */
+
+      case EOP_BASE62D:
+	{
+	uschar *tt = sub;
+	unsigned long int n = 0;
+	while (*tt != 0)
+	  {
+	  uschar *t = Ustrchr(base62_chars, *tt++);
+	  if (!t)
+	    {
+	    expand_string_message = string_sprintf("argument for base62d "
+	      "operator is \"%s\", which is not a base %d number", sub,
+	      BASE_62);
+	    goto EXPAND_FAILED;
+	    }
+	  n = n * BASE_62 + (t - base62_chars);
+	  }
+	yield = string_fmt_append(yield, "%ld", n);
+	break;
+	}
+
+      case EOP_EXPAND:
+	{
+	uschar *expanded = expand_string_internal(sub, FALSE, NULL, skipping, TRUE, &resetok);
+	if (!expanded)
+	  {
+	  expand_string_message =
+	    string_sprintf("internal expansion of \"%s\" failed: %s", sub,
+	      expand_string_message);
+	  goto EXPAND_FAILED;
+	  }
+	yield = string_cat(yield, expanded);
+	break;
+	}
+
+      case EOP_LC:
+	{
+	int count = 0;
+	uschar *t = sub - 1;
+	while (*(++t) != 0) { *t = tolower(*t); count++; }
+	yield = string_catn(yield, sub, count);
+	break;
+	}
+
+      case EOP_UC:
+	{
+	int count = 0;
+	uschar *t = sub - 1;
+	while (*(++t) != 0) { *t = toupper(*t); count++; }
+	yield = string_catn(yield, sub, count);
+	break;
+	}
+
+      case EOP_MD5:
+#ifndef DISABLE_TLS
+	if (vp && *(void **)vp->value)
+	  {
+	  uschar * cp = tls_cert_fprt_md5(*(void **)vp->value);
+	  yield = string_cat(yield, cp);
+	  }
+	else
+#endif
+	  {
+	  md5 base;
+	  uschar digest[16];
+	  md5_start(&base);
+	  md5_end(&base, sub, Ustrlen(sub), digest);
+	  for (int j = 0; j < 16; j++)
+	    yield = string_fmt_append(yield, "%02x", digest[j]);
+	  }
+	break;
+
+      case EOP_SHA1:
+#ifndef DISABLE_TLS
+	if (vp && *(void **)vp->value)
+	  {
+	  uschar * cp = tls_cert_fprt_sha1(*(void **)vp->value);
+	  yield = string_cat(yield, cp);
+	  }
+	else
+#endif
+	  {
+	  hctx h;
+	  uschar digest[20];
+	  sha1_start(&h);
+	  sha1_end(&h, sub, Ustrlen(sub), digest);
+	  for (int j = 0; j < 20; j++)
+	    yield = string_fmt_append(yield, "%02X", digest[j]);
+	  }
+	break;
+
+      case EOP_SHA2:
+      case EOP_SHA256:
+#ifdef EXIM_HAVE_SHA2
+	if (vp && *(void **)vp->value)
+	  if (c == EOP_SHA256)
+	    yield = string_cat(yield, tls_cert_fprt_sha256(*(void **)vp->value));
+	  else
+	    expand_string_message = US"sha2_N not supported with certificates";
+	else
+	  {
+	  hctx h;
+	  blob b;
+	  hashmethod m = !arg ? HASH_SHA2_256
+	    : Ustrcmp(arg, "256") == 0 ? HASH_SHA2_256
+	    : Ustrcmp(arg, "384") == 0 ? HASH_SHA2_384
+	    : Ustrcmp(arg, "512") == 0 ? HASH_SHA2_512
+	    : HASH_BADTYPE;
+
+	  if (m == HASH_BADTYPE || !exim_sha_init(&h, m))
+	    {
+	    expand_string_message = US"unrecognised sha2 variant";
+	    goto EXPAND_FAILED;
+	    }
+
+	  exim_sha_update_string(&h, sub);
+	  exim_sha_finish(&h, &b);
+	  while (b.len-- > 0)
+	    yield = string_fmt_append(yield, "%02X", *b.data++);
+	  }
+#else
+	  expand_string_message = US"sha256 only supported with TLS";
+#endif
+	break;
+
+      case EOP_SHA3:
+#ifdef EXIM_HAVE_SHA3
+	{
+	hctx h;
+	blob b;
+	hashmethod m = !arg ? HASH_SHA3_256
+	  : Ustrcmp(arg, "224") == 0 ? HASH_SHA3_224
+	  : Ustrcmp(arg, "256") == 0 ? HASH_SHA3_256
+	  : Ustrcmp(arg, "384") == 0 ? HASH_SHA3_384
+	  : Ustrcmp(arg, "512") == 0 ? HASH_SHA3_512
+	  : HASH_BADTYPE;
+
+	if (m == HASH_BADTYPE || !exim_sha_init(&h, m))
+	  {
+	  expand_string_message = US"unrecognised sha3 variant";
+	  goto EXPAND_FAILED;
+	  }
+
+	exim_sha_update_string(&h, sub);
+	exim_sha_finish(&h, &b);
+	while (b.len-- > 0)
+	  yield = string_fmt_append(yield, "%02X", *b.data++);
+	}
+	break;
+#else
+	expand_string_message = US"sha3 only supported with GnuTLS 3.5.0 + or OpenSSL 1.1.1 +";
+	goto EXPAND_FAILED;
+#endif
+
+      /* Convert hex encoding to base64 encoding */
+
+      case EOP_HEX2B64:
+	{
+	int c = 0;
+	int b = -1;
+	uschar *in = sub;
+	uschar *out = sub;
+	uschar *enc;
+
+	for (enc = sub; *enc; enc++)
+	  {
+	  if (!isxdigit(*enc))
+	    {
+	    expand_string_message = string_sprintf("\"%s\" is not a hex "
+	      "string", sub);
+	    goto EXPAND_FAILED;
+	    }
+	  c++;
+	  }
+
+	if ((c & 1) != 0)
+	  {
+	  expand_string_message = string_sprintf("\"%s\" contains an odd "
+	    "number of characters", sub);
+	  goto EXPAND_FAILED;
+	  }
+
+	while ((c = *in++) != 0)
+	  {
+	  if (isdigit(c)) c -= '0';
+	  else c = toupper(c) - 'A' + 10;
+	  if (b == -1)
+	    b = c << 4;
+	  else
+	    {
+	    *out++ = b | c;
+	    b = -1;
+	    }
+	  }
+
+	enc = b64encode(CUS sub, out - sub);
+	yield = string_cat(yield, enc);
+	break;
+	}
+
+      /* Convert octets outside 0x21..0x7E to \xXX form */
+
+      case EOP_HEXQUOTE:
+	{
+	uschar *t = sub - 1;
+	while (*(++t) != 0)
+	  {
+	  if (*t < 0x21 || 0x7E < *t)
+	    yield = string_fmt_append(yield, "\\x%02x", *t);
+	  else
+	    yield = string_catn(yield, t, 1);
+	  }
+	break;
+	}
+
+      /* count the number of list elements */
+
+      case EOP_LISTCOUNT:
+	{
+	int cnt = 0, sep = 0;
+	uschar * buf = store_get(2, sub);
+
+	while (string_nextinlist(CUSS &sub, &sep, buf, 1)) cnt++;
+	yield = string_fmt_append(yield, "%d", cnt);
+	break;
+	}
+
+      /* expand a named list given the name */
+      /* handles nested named lists; requotes as colon-sep list */
+
+      case EOP_LISTNAMED:
+	expand_string_message = NULL;
+	yield = expand_listnamed(yield, sub, arg);
+	if (expand_string_message)
+	  goto EXPAND_FAILED;
+	break;
+
+      /* quote a list-item for the given list-separator */
+
+      /* mask applies a mask to an IP address; for example the result of
+      ${mask:131.111.10.206/28} is 131.111.10.192/28. */
+
+      case EOP_MASK:
+	{
+	int count;
+	uschar *endptr;
+	int binary[4];
+	int type, mask, maskoffset;
+	BOOL normalised;
+	uschar buffer[64];
+
+	if ((type = string_is_ip_address(sub, &maskoffset)) == 0)
+	  {
+	  expand_string_message = string_sprintf("\"%s\" is not an IP address",
+	   sub);
+	  goto EXPAND_FAILED;
+	  }
+
+	if (maskoffset == 0)
+	  {
+	  expand_string_message = string_sprintf("missing mask value in \"%s\"",
+	    sub);
+	  goto EXPAND_FAILED;
+	  }
+
+	mask = Ustrtol(sub + maskoffset + 1, &endptr, 10);
+
+	if (*endptr || mask < 0 || mask > (type == 4 ? 32 : 128))
+	  {
+	  expand_string_message = string_sprintf("mask value too big in \"%s\"",
+	    sub);
+	  goto EXPAND_FAILED;
+	  }
+
+	/* If an optional 'n' was given, ipv6 gets normalised output:
+	colons rather than dots, and zero-compressed. */
+
+	normalised = arg && *arg == 'n';
+
+	/* Convert the address to binary integer(s) and apply the mask */
+
+	sub[maskoffset] = 0;
+	count = host_aton(sub, binary);
+	host_mask(count, binary, mask);
+
+	/* Convert to masked textual format and add to output. */
+
+	if (type == 4 || !normalised)
+	  yield = string_catn(yield, buffer,
+	    host_nmtoa(count, binary, mask, buffer, '.'));
+	else
+	  {
+	  ipv6_nmtoa(binary, buffer);
+	  yield = string_fmt_append(yield, "%s/%d", buffer, mask);
+	  }
+	break;
+	}
+
+      case EOP_IPV6NORM:
+      case EOP_IPV6DENORM:
+	{
+	int type = string_is_ip_address(sub, NULL);
+	int binary[4];
+	uschar buffer[44];
+
+	switch (type)
+	  {
+	  case 6:
+	    (void) host_aton(sub, binary);
+	    break;
+
+	  case 4:	/* convert to IPv4-mapped IPv6 */
+	    binary[0] = binary[1] = 0;
+	    binary[2] = 0x0000ffff;
+	    (void) host_aton(sub, binary+3);
+	    break;
+
+	  case 0:
+	    expand_string_message =
+	      string_sprintf("\"%s\" is not an IP address", sub);
+	    goto EXPAND_FAILED;
+	  }
+
+	yield = string_catn(yield, buffer, c == EOP_IPV6NORM
+		    ? ipv6_nmtoa(binary, buffer)
+		    : host_nmtoa(4, binary, -1, buffer, ':')
+		  );
+	break;
+	}
+
+      case EOP_ADDRESS:
+      case EOP_LOCAL_PART:
+      case EOP_DOMAIN:
+	{
+	uschar * error;
+	int start, end, domain;
+	uschar * t = parse_extract_address(sub, &error, &start, &end, &domain,
+	  FALSE);
+	if (t)
+	  if (c != EOP_DOMAIN)
+	    yield = c == EOP_LOCAL_PART && domain > 0
+	      ? string_catn(yield, t, domain - 1)
+	      : string_cat(yield, t);
+	  else if (domain > 0)
+	    yield = string_cat(yield, t + domain);
+	break;
+	}
+
+      case EOP_ADDRESSES:
+	{
+	uschar outsep[2] = { ':', '\0' };
+	uschar *address, *error;
+	int save_ptr = gstring_length(yield);
+	int start, end, domain;  /* Not really used */
+
+	if (Uskip_whitespace(&sub) == '>')
+	  if (*outsep = *++sub) ++sub;
+	  else
+	    {
+	    expand_string_message = string_sprintf("output separator "
+	      "missing in expanding ${addresses:%s}", --sub);
+	    goto EXPAND_FAILED;
+	    }
+	f.parse_allow_group = TRUE;
+
+	for (;;)
+	  {
+	  uschar * p = parse_find_address_end(sub, FALSE);
+	  uschar saveend = *p;
+	  *p = '\0';
+	  address = parse_extract_address(sub, &error, &start, &end, &domain,
+	    FALSE);
+	  *p = saveend;
+
+	  /* Add the address to the output list that we are building. This is
+	  done in chunks by searching for the separator character. At the
+	  start, unless we are dealing with the first address of the output
+	  list, add in a space if the new address begins with the separator
+	  character, or is an empty string. */
+
+	  if (address)
+	    {
+	    if (yield && yield->ptr != save_ptr && address[0] == *outsep)
+	      yield = string_catn(yield, US" ", 1);
+
+	    for (;;)
+	      {
+	      size_t seglen = Ustrcspn(address, outsep);
+	      yield = string_catn(yield, address, seglen + 1);
+
+	      /* If we got to the end of the string we output one character
+	      too many. */
+
+	      if (address[seglen] == '\0') { yield->ptr--; break; }
+	      yield = string_catn(yield, outsep, 1);
+	      address += seglen + 1;
+	      }
+
+	    /* Output a separator after the string: we will remove the
+	    redundant final one at the end. */
+
+	    yield = string_catn(yield, outsep, 1);
+	    }
+
+	  if (saveend == '\0') break;
+	  sub = p + 1;
+	  }
+
+	/* If we have generated anything, remove the redundant final
+	separator. */
+
+	if (yield && yield->ptr != save_ptr) yield->ptr--;
+	f.parse_allow_group = FALSE;
+	break;
+	}
+
+
+      /* quote puts a string in quotes if it is empty or contains anything
+      other than alphamerics, underscore, dot, or hyphen.
+
+      quote_local_part puts a string in quotes if RFC 2821/2822 requires it to
+      be quoted in order to be a valid local part.
+
+      In both cases, newlines and carriage returns are converted into \n and \r
+      respectively */
+
+      case EOP_QUOTE:
+      case EOP_QUOTE_LOCAL_PART:
+	if (!arg)
+	  {
+	  BOOL needs_quote = (!*sub);      /* TRUE for empty string */
+	  uschar *t = sub - 1;
+
+	  if (c == EOP_QUOTE)
+	    while (!needs_quote && *++t)
+	      needs_quote = !isalnum(*t) && !strchr("_-.", *t);
+
+	  else  /* EOP_QUOTE_LOCAL_PART */
+	    while (!needs_quote && *++t)
+	      needs_quote = !isalnum(*t)
+		&& strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL
+		&& (*t != '.' || t == sub || !t[1]);
+
+	  if (needs_quote)
+	    {
+	    yield = string_catn(yield, US"\"", 1);
+	    t = sub - 1;
+	    while (*++t)
+	      if (*t == '\n')
+		yield = string_catn(yield, US"\\n", 2);
+	      else if (*t == '\r')
+		yield = string_catn(yield, US"\\r", 2);
+	      else
+		{
+		if (*t == '\\' || *t == '"')
+		  yield = string_catn(yield, US"\\", 1);
+		yield = string_catn(yield, t, 1);
+		}
+	    yield = string_catn(yield, US"\"", 1);
+	    }
+	  else
+	    yield = string_cat(yield, sub);
+	  break;
+	  }
+
+	/* quote_lookuptype does lookup-specific quoting */
+
+	else
+	  {
+	  int n;
+	  uschar * opt = Ustrchr(arg, '_');
+
+	  if (opt) *opt++ = 0;
+
+	  if ((n = search_findtype(arg, Ustrlen(arg))) < 0)
+	    {
+	    expand_string_message = search_error_message;
+	    goto EXPAND_FAILED;
+	    }
+
+	  if (lookup_list[n]->quote)
+	    sub = (lookup_list[n]->quote)(sub, opt, (unsigned)n);
+	  else if (opt)
+	    sub = NULL;
+
+	  if (!sub)
+	    {
+	    expand_string_message = string_sprintf(
+	      "\"%s\" unrecognized after \"${quote_%s\"",	/*}*/
+	      opt, arg);
+	    goto EXPAND_FAILED;
+	    }
+
+	  yield = string_cat(yield, sub);
+	  break;
+	  }
+
+	/* rx quote sticks in \ before any non-alphameric character so that
+	the insertion works in a regular expression. */
+
+	case EOP_RXQUOTE:
+	  {
+	  uschar *t = sub - 1;
+	  while (*(++t) != 0)
+	    {
+	    if (!isalnum(*t))
+	      yield = string_catn(yield, US"\\", 1);
+	    yield = string_catn(yield, t, 1);
+	    }
+	  break;
+	  }
+
+	/* RFC 2047 encodes, assuming headers_charset (default ISO 8859-1) as
+	prescribed by the RFC, if there are characters that need to be encoded */
+
+	case EOP_RFC2047:
+	  yield = string_cat(yield,
+			      parse_quote_2047(sub, Ustrlen(sub), headers_charset,
+				FALSE));
+	  break;
+
+	/* RFC 2047 decode */
+
+	case EOP_RFC2047D:
+	  {
+	  int len;
+	  uschar *error;
+	  uschar *decoded = rfc2047_decode(sub, check_rfc2047_length,
+	    headers_charset, '?', &len, &error);
+	  if (error)
+	    {
+	    expand_string_message = error;
+	    goto EXPAND_FAILED;
+	    }
+	  yield = string_catn(yield, decoded, len);
+	  break;
+	  }
+
+	/* from_utf8 converts UTF-8 to 8859-1, turning non-existent chars into
+	underscores */
+
+	case EOP_FROM_UTF8:
+	  {
+	  uschar * buff = store_get(4, sub);
+	  while (*sub)
+	    {
+	    int c;
+	    GETUTF8INC(c, sub);
+	    if (c > 255) c = '_';
+	    buff[0] = c;
+	    yield = string_catn(yield, buff, 1);
+	    }
+	  break;
+	  }
+
+	/* replace illegal UTF-8 sequences by replacement character  */
+
+	#define UTF8_REPLACEMENT_CHAR US"?"
+
+	case EOP_UTF8CLEAN:
+	  {
+	  int seq_len = 0, index = 0;
+	  int bytes_left = 0;
+	  long codepoint = -1;
+	  int complete;
+	  uschar seq_buff[4];			/* accumulate utf-8 here */
+
+	  /* Manually track tainting, as we deal in individual chars below */
+
+	  if (!yield->s || !yield->ptr)
+	    yield->s = store_get(yield->size = Ustrlen(sub), sub);
+	  else if (is_incompatible(yield->s, sub))
+	    gstring_rebuffer(yield, sub);
+
+	  /* Check the UTF-8, byte-by-byte */
+
+	  while (*sub)
+	    {
+	    complete = 0;
+	    uschar c = *sub++;
+
+	    if (bytes_left)
+	      {
+	      if ((c & 0xc0) != 0x80)
+		      /* wrong continuation byte; invalidate all bytes */
+		complete = 1; /* error */
+	      else
+		{
+		codepoint = (codepoint << 6) | (c & 0x3f);
+		seq_buff[index++] = c;
+		if (--bytes_left == 0)		/* codepoint complete */
+		  if(codepoint > 0x10FFFF)	/* is it too large? */
+		    complete = -1;	/* error (RFC3629 limit) */
+		  else
+		    {		/* finished; output utf-8 sequence */
+		    yield = string_catn(yield, seq_buff, seq_len);
+		    index = 0;
+		    }
+		}
+	      }
+	    else	/* no bytes left: new sequence */
+	      {
+	      if(!(c & 0x80))	/* 1-byte sequence, US-ASCII, keep it */
+		{
+		yield = string_catn(yield, &c, 1);
+		continue;
+		}
+	      if((c & 0xe0) == 0xc0)		/* 2-byte sequence */
+		{
+		if(c == 0xc0 || c == 0xc1)	/* 0xc0 and 0xc1 are illegal */
+		  complete = -1;
+		else
+		  {
+		    bytes_left = 1;
+		    codepoint = c & 0x1f;
+		  }
+		}
+	      else if((c & 0xf0) == 0xe0)		/* 3-byte sequence */
+		{
+		bytes_left = 2;
+		codepoint = c & 0x0f;
+		}
+	      else if((c & 0xf8) == 0xf0)		/* 4-byte sequence */
+		{
+		bytes_left = 3;
+		codepoint = c & 0x07;
+		}
+	      else	/* invalid or too long (RFC3629 allows only 4 bytes) */
+		complete = -1;
+
+	      seq_buff[index++] = c;
+	      seq_len = bytes_left + 1;
+	      }		/* if(bytes_left) */
+
+	    if (complete != 0)
+	      {
+	      bytes_left = index = 0;
+	      yield = string_catn(yield, UTF8_REPLACEMENT_CHAR, 1);
+	      }
+	    if ((complete == 1) && ((c & 0x80) == 0))
+			  /* ASCII character follows incomplete sequence */
+		yield = string_catn(yield, &c, 1);
+	    }
+	  /* If given a sequence truncated mid-character, we also want to report ?
+	  Eg, ${length_1:フィル} is one byte, not one character, so we expect
+	  ${utf8clean:${length_1:フィル}} to yield '?' */
+
+	  if (bytes_left != 0)
+	    yield = string_catn(yield, UTF8_REPLACEMENT_CHAR, 1);
+
+	  break;
+	  }
+
+#ifdef SUPPORT_I18N
+	case EOP_UTF8_DOMAIN_TO_ALABEL:
+	  {
+	  uschar * error = NULL;
+	  uschar * s = string_domain_utf8_to_alabel(sub, &error);
+	  if (error)
+	    {
+	    expand_string_message = string_sprintf(
+	      "error converting utf8 (%s) to alabel: %s",
+	      string_printing(sub), error);
+	    goto EXPAND_FAILED;
+	    }
+	  yield = string_cat(yield, s);
+	  break;
+	  }
+
+	case EOP_UTF8_DOMAIN_FROM_ALABEL:
+	  {
+	  uschar * error = NULL;
+	  uschar * s = string_domain_alabel_to_utf8(sub, &error);
+	  if (error)
+	    {
+	    expand_string_message = string_sprintf(
+	      "error converting alabel (%s) to utf8: %s",
+	      string_printing(sub), error);
+	    goto EXPAND_FAILED;
+	    }
+	  yield = string_cat(yield, s);
+	  break;
+	  }
+
+	case EOP_UTF8_LOCALPART_TO_ALABEL:
+	  {
+	  uschar * error = NULL;
+	  uschar * s = string_localpart_utf8_to_alabel(sub, &error);
+	  if (error)
+	    {
+	    expand_string_message = string_sprintf(
+	      "error converting utf8 (%s) to alabel: %s",
+	      string_printing(sub), error);
+	    goto EXPAND_FAILED;
+	    }
+	  yield = string_cat(yield, s);
+	  DEBUG(D_expand) debug_printf_indent("yield: '%s'\n", yield->s);
+	  break;
+	  }
+
+	case EOP_UTF8_LOCALPART_FROM_ALABEL:
+	  {
+	  uschar * error = NULL;
+	  uschar * s = string_localpart_alabel_to_utf8(sub, &error);
+	  if (error)
+	    {
+	    expand_string_message = string_sprintf(
+	      "error converting alabel (%s) to utf8: %s",
+	      string_printing(sub), error);
+	    goto EXPAND_FAILED;
+	    }
+	  yield = string_cat(yield, s);
+	  break;
+	  }
+#endif	/* EXPERIMENTAL_INTERNATIONAL */
+
+	/* escape turns all non-printing characters into escape sequences. */
+
+	case EOP_ESCAPE:
+	  {
+	  const uschar * t = string_printing(sub);
+	  yield = string_cat(yield, t);
+	  break;
+	  }
+
+	case EOP_ESCAPE8BIT:
+	  {
+	  uschar c;
+
+	  for (const uschar * s = sub; (c = *s); s++)
+	    yield = c < 127 && c != '\\'
+	      ? string_catn(yield, s, 1)
+	      : string_fmt_append(yield, "\\%03o", c);
+	  break;
+	  }
+
+	/* Handle numeric expression evaluation */
+
+	case EOP_EVAL:
+	case EOP_EVAL10:
+	  {
+	  uschar *save_sub = sub;
+	  uschar *error = NULL;
+	  int_eximarith_t n = eval_expr(&sub, (c == EOP_EVAL10), &error, FALSE);
+	  if (error)
+	    {
+	    expand_string_message = string_sprintf("error in expression "
+	      "evaluation: %s (after processing \"%.*s\")", error,
+	      (int)(sub-save_sub), save_sub);
+	    goto EXPAND_FAILED;
+	    }
+	  yield = string_fmt_append(yield, PR_EXIM_ARITH, n);
+	  break;
+	  }
+
+	/* Handle time period formatting */
+
+	case EOP_TIME_EVAL:
+	  {
+	  int n = readconf_readtime(sub, 0, FALSE);
+	  if (n < 0)
+	    {
+	    expand_string_message = string_sprintf("string \"%s\" is not an "
+	      "Exim time interval in \"%s\" operator", sub, name);
+	    goto EXPAND_FAILED;
+	    }
+	  yield = string_fmt_append(yield, "%d", n);
+	  break;
+	  }
+
+	case EOP_TIME_INTERVAL:
+	  {
+	  int n;
+	  uschar *t = read_number(&n, sub);
+	  if (*t != 0) /* Not A Number*/
+	    {
+	    expand_string_message = string_sprintf("string \"%s\" is not a "
+	      "positive number in \"%s\" operator", sub, name);
+	    goto EXPAND_FAILED;
+	    }
+	  t = readconf_printtime(n);
+	  yield = string_cat(yield, t);
+	  break;
+	  }
+
+	/* Convert string to base64 encoding */
+
+	case EOP_STR2B64:
+	case EOP_BASE64:
+	  {
+#ifndef DISABLE_TLS
+	  uschar * s = vp && *(void **)vp->value
+	    ? tls_cert_der_b64(*(void **)vp->value)
+	    : b64encode(CUS sub, Ustrlen(sub));
+#else
+	  uschar * s = b64encode(CUS sub, Ustrlen(sub));
+#endif
+	  yield = string_cat(yield, s);
+	  break;
+	  }
+
+	case EOP_BASE64D:
+	  {
+	  uschar * s;
+	  int len = b64decode(sub, &s);
+	  if (len < 0)
+	    {
+	    expand_string_message = string_sprintf("string \"%s\" is not "
+	      "well-formed for \"%s\" operator", sub, name);
+	    goto EXPAND_FAILED;
+	    }
+	  yield = string_cat(yield, s);
+	  break;
+	  }
+
+	/* strlen returns the length of the string */
+
+	case EOP_STRLEN:
+	  yield = string_fmt_append(yield, "%d", Ustrlen(sub));
+	  break;
+
+	/* length_n or l_n takes just the first n characters or the whole string,
+	whichever is the shorter;
+
+	substr_m_n, and s_m_n take n characters from offset m; negative m take
+	from the end; l_n is synonymous with s_0_n. If n is omitted in substr it
+	takes the rest, either to the right or to the left.
+
+	hash_n or h_n makes a hash of length n from the string, yielding n
+	characters from the set a-z; hash_n_m makes a hash of length n, but
+	uses m characters from the set a-zA-Z0-9.
+
+	nhash_n returns a single number between 0 and n-1 (in text form), while
+	nhash_n_m returns a div/mod hash as two numbers "a/b". The first lies
+	between 0 and n-1 and the second between 0 and m-1. */
+
+	case EOP_LENGTH:
+	case EOP_L:
+	case EOP_SUBSTR:
+	case EOP_S:
+	case EOP_HASH:
+	case EOP_H:
+	case EOP_NHASH:
+	case EOP_NH:
+	  {
+	  int sign = 1;
+	  int value1 = 0;
+	  int value2 = -1;
+	  int *pn;
+	  int len;
+	  uschar *ret;
+
+	  if (!arg)
+	    {
+	    expand_string_message = string_sprintf("missing values after %s",
+	      name);
+	    goto EXPAND_FAILED;
+	    }
+
+	  /* "length" has only one argument, effectively being synonymous with
+	  substr_0_n. */
+
+	  if (c == EOP_LENGTH || c == EOP_L)
+	    {
+	    pn = &value2;
+	    value2 = 0;
+	    }
+
+	  /* The others have one or two arguments; for "substr" the first may be
+	  negative. The second being negative means "not supplied". */
+
+	  else
+	    {
+	    pn = &value1;
+	    if (name[0] == 's' && *arg == '-') { sign = -1; arg++; }
+	    }
+
+	  /* Read up to two numbers, separated by underscores */
+
+	  ret = arg;
+	  while (*arg != 0)
+	    {
+	    if (arg != ret && *arg == '_' && pn == &value1)
+	      {
+	      pn = &value2;
+	      value2 = 0;
+	      if (arg[1] != 0) arg++;
+	      }
+	    else if (!isdigit(*arg))
+	      {
+	      expand_string_message =
+		string_sprintf("non-digit after underscore in \"%s\"", name);
+	      goto EXPAND_FAILED;
+	      }
+	    else *pn = (*pn)*10 + *arg++ - '0';
+	    }
+	  value1 *= sign;
+
+	  /* Perform the required operation */
+
+	  ret = c == EOP_HASH || c == EOP_H
+	    ? compute_hash(sub, value1, value2, &len)
+	    : c == EOP_NHASH || c == EOP_NH
+	    ? compute_nhash(sub, value1, value2, &len)
+	    : extract_substr(sub, value1, value2, &len);
+	  if (!ret) goto EXPAND_FAILED;
+
+	  yield = string_catn(yield, ret, len);
+	  break;
+	  }
+
+	/* Stat a path */
+
+	case EOP_STAT:
+	  {
+	  uschar smode[12];
+	  uschar **modetable[3];
+	  mode_t mode;
+	  struct stat st;
+
+	  if (expand_forbid & RDO_EXISTS)
+	    {
+	    expand_string_message = US"Use of the stat() expansion is not permitted";
+	    goto EXPAND_FAILED;
+	    }
+
+	  if (stat(CS sub, &st) < 0)
+	    {
+	    expand_string_message = string_sprintf("stat(%s) failed: %s",
+	      sub, strerror(errno));
+	    goto EXPAND_FAILED;
+	    }
+	  mode = st.st_mode;
+	  switch (mode & S_IFMT)
+	    {
+	    case S_IFIFO: smode[0] = 'p'; break;
+	    case S_IFCHR: smode[0] = 'c'; break;
+	    case S_IFDIR: smode[0] = 'd'; break;
+	    case S_IFBLK: smode[0] = 'b'; break;
+	    case S_IFREG: smode[0] = '-'; break;
+	    default: smode[0] = '?'; break;
+	    }
+
+	  modetable[0] = ((mode & 01000) == 0)? mtable_normal : mtable_sticky;
+	  modetable[1] = ((mode & 02000) == 0)? mtable_normal : mtable_setid;
+	  modetable[2] = ((mode & 04000) == 0)? mtable_normal : mtable_setid;
+
+	  for (int i = 0; i < 3; i++)
+	    {
+	    memcpy(CS(smode + 7 - i*3), CS(modetable[i][mode & 7]), 3);
+	    mode >>= 3;
+	    }
+
+	  smode[10] = 0;
+	  yield = string_fmt_append(yield,
+	    "mode=%04lo smode=%s inode=%ld device=%ld links=%ld "
+	    "uid=%ld gid=%ld size=" OFF_T_FMT " atime=%ld mtime=%ld ctime=%ld",
+	    (long)(st.st_mode & 077777), smode, (long)st.st_ino,
+	    (long)st.st_dev, (long)st.st_nlink, (long)st.st_uid,
+	    (long)st.st_gid, st.st_size, (long)st.st_atime,
+	    (long)st.st_mtime, (long)st.st_ctime);
+	  break;
+	  }
+
+	/* vaguely random number less than N */
+
+	case EOP_RANDINT:
+	  {
+	  int_eximarith_t max = expanded_string_integer(sub, TRUE);
+
+	  if (expand_string_message)
+	    goto EXPAND_FAILED;
+	  yield = string_fmt_append(yield, "%d", vaguely_random_number((int)max));
+	  break;
+	  }
+
+	/* Reverse IP, including IPv6 to dotted-nibble */
+
+	case EOP_REVERSE_IP:
+	  {
+	  int family, maskptr;
+	  uschar reversed[128];
+
+	  family = string_is_ip_address(sub, &maskptr);
+	  if (family == 0)
+	    {
+	    expand_string_message = string_sprintf(
+		"reverse_ip() not given an IP address [%s]", sub);
+	    goto EXPAND_FAILED;
+	    }
+	  invert_address(reversed, sub);
+	  yield = string_cat(yield, reversed);
+	  break;
+	  }
+
+	/* Unknown operator */
+
+	default:
+	  expand_string_message =
+	    string_sprintf("unknown expansion operator \"%s\"", name);
+	  goto EXPAND_FAILED;
+	}	/* EOP_* switch */
+
+       DEBUG(D_expand)
+	{
+	const uschar * s = yield->s + start;
+	int i = yield->ptr - start;
+	BOOL tainted = is_tainted(s);
+
+	DEBUG(D_noutf8)
+	  {
+	  debug_printf_indent("|-----op-res: %.*s\n", i, s);
+	  if (tainted)
+	    {
+	    debug_printf_indent("%s     \\__", skipping ? "|     " : "      ");
+	    debug_print_taint(yield->s);
+	    }
+	  }
+	else
+	  {
+	  debug_printf_indent(UTF8_VERT_RIGHT
+	    UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
+	    "op-res: %.*s\n", i, s);
+	  if (tainted)
+	    {
+	    debug_printf_indent("%s",
+	      skipping
+	      ? UTF8_VERT "             " : "           " UTF8_UP_RIGHT UTF8_HORIZ UTF8_HORIZ);
+	    debug_print_taint(yield->s);
+	    }
+	  }
+	}
+       continue;
+       }
+    }
+
+  /* Not an item or an operator */
+  /* Handle a plain name. If this is the first thing in the expansion, release
+  the pre-allocated buffer. If the result data is known to be in a new buffer,
+  newsize will be set to the size of that buffer, and we can just point at that
+  store instead of copying. Many expansion strings contain just one reference,
+  so this is a useful optimization, especially for humungous headers
+  ($message_headers). */
+						/*{*/
+  if (*s++ == '}')
+    {
+    const uschar * value;
+    int len;
+    int newsize = 0;
+    gstring * g = NULL;
+
+    if (!yield)
+      g = store_get(sizeof(gstring), GET_UNTAINTED);
+    else if (yield->ptr == 0)
+      {
+      if (resetok) reset_point = store_reset(reset_point);
+      yield = NULL;
+      reset_point = store_mark();
+      g = store_get(sizeof(gstring), GET_UNTAINTED);	/* alloc _before_ calling find_variable() */
+      }
+    if (!(value = find_variable(name, FALSE, skipping, &newsize)))
+      {
+      expand_string_message =
+        string_sprintf("unknown variable in \"${%s}\"", name);
+      check_variable_error_message(name);
+      goto EXPAND_FAILED;
+      }
+    len = Ustrlen(value);
+    if (!yield && newsize)
+      {
+      yield = g;
+      yield->size = newsize;
+      yield->ptr = len;
+      yield->s = US value; /* known to be in new store i.e. a copy, so deconst safe */
+      }
+    else
+      yield = string_catn(yield, value, len);
+    continue;
+    }
+
+  /* Else there's something wrong */
+
+  expand_string_message =
+    string_sprintf("\"${%s\" is not a known operator (or a } is missing "
+    "in a variable reference)", name);
+  goto EXPAND_FAILED;
+  }
+
+/* If we hit the end of the string when ket_ends is set, there is a missing
+terminating brace. */
+
+if (ket_ends && !*s)
+  {
+  expand_string_message = malformed_header
+    ? US"missing } at end of string - could be header name not terminated by colon"
+    : US"missing } at end of string";
+  goto EXPAND_FAILED;
+  }
+
+/* Expansion succeeded; yield may still be NULL here if nothing was actually
+added to the string. If so, set up an empty string. Add a terminating zero. If
+left != NULL, return a pointer to the terminator. */
+
+if (!yield)
+  yield = string_get(1);
+(void) string_from_gstring(yield);
+if (left) *left = s;
+
+/* Any stacking store that was used above the final string is no longer needed.
+In many cases the final string will be the first one that was got and so there
+will be optimal store usage. */
+
+if (resetok) gstring_release_unused(yield);
+else if (resetok_p) *resetok_p = FALSE;
+
+DEBUG(D_expand)
+  {
+  BOOL tainted = is_tainted(yield->s);
+  DEBUG(D_noutf8)
+    {
+    debug_printf_indent("|--expanding: %.*s\n", (int)(s - string), string);
+    debug_printf_indent("%sresult: %s\n",
+      skipping ? "|-----" : "\\_____", yield->s);
+    if (tainted)
+      {
+      debug_printf_indent("%s     \\__", skipping ? "|     " : "      ");
+      debug_print_taint(yield->s);
+      }
+    if (skipping)
+      debug_printf_indent("\\___skipping: result is not used\n");
+    }
+  else
+    {
+    debug_printf_indent(UTF8_VERT_RIGHT UTF8_HORIZ UTF8_HORIZ
+      "expanding: %.*s\n",
+      (int)(s - string), string);
+    debug_printf_indent("%s" UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
+      "result: %s\n",
+      skipping ? UTF8_VERT_RIGHT : UTF8_UP_RIGHT,
+      yield->s);
+    if (tainted)
+      {
+      debug_printf_indent("%s",
+	skipping
+	? UTF8_VERT "             " : "           " UTF8_UP_RIGHT UTF8_HORIZ UTF8_HORIZ);
+      debug_print_taint(yield->s);
+      }
+    if (skipping)
+      debug_printf_indent(UTF8_UP_RIGHT UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
+	"skipping: result is not used\n");
+    }
+  }
+expand_level--;
+return yield->s;
+
+/* This is the failure exit: easiest to program with a goto. We still need
+to update the pointer to the terminator, for cases of nested calls with "fail".
+*/
+
+EXPAND_FAILED_CURLY:
+if (malformed_header)
+  expand_string_message =
+    US"missing or misplaced { or } - could be header name not terminated by colon";
+
+else if (!expand_string_message || !*expand_string_message)
+  expand_string_message = US"missing or misplaced { or }";
+
+/* At one point, Exim reset the store to yield (if yield was not NULL), but
+that is a bad idea, because expand_string_message is in dynamic store. */
+
+EXPAND_FAILED:
+if (left) *left = s;
+DEBUG(D_expand)
+  {
+  DEBUG(D_noutf8)
+    {
+    debug_printf_indent("|failed to expand: %s\n", string);
+    debug_printf_indent("%serror message: %s\n",
+      f.expand_string_forcedfail ? "|---" : "\\___", expand_string_message);
+    if (f.expand_string_forcedfail)
+      debug_printf_indent("\\failure was forced\n");
+    }
+  else
+    {
+    debug_printf_indent(UTF8_VERT_RIGHT "failed to expand: %s\n",
+      string);
+    debug_printf_indent("%s" UTF8_HORIZ UTF8_HORIZ UTF8_HORIZ
+      "error message: %s\n",
+      f.expand_string_forcedfail ? UTF8_VERT_RIGHT : UTF8_UP_RIGHT,
+      expand_string_message);
+    if (f.expand_string_forcedfail)
+      debug_printf_indent(UTF8_UP_RIGHT "failure was forced\n");
+    }
+  }
+if (resetok_p && !resetok) *resetok_p = FALSE;
+expand_level--;
+return NULL;
+}
+
+
+/* This is the external function call. Do a quick check for any expansion
+metacharacters, and if there are none, just return the input string.
+
+Argument: the string to be expanded
+Returns:  the expanded string, or NULL if expansion failed; if failure was
+          due to a lookup deferring, search_find_defer will be TRUE
+*/
+
+const uschar *
+expand_cstring(const uschar * string)
+{
+if (Ustrpbrk(string, "$\\") != NULL)
+  {
+  int old_pool = store_pool;
+  uschar * s;
+
+  f.search_find_defer = FALSE;
+  malformed_header = FALSE;
+  store_pool = POOL_MAIN;
+    s = expand_string_internal(string, FALSE, NULL, FALSE, TRUE, NULL);
+  store_pool = old_pool;
+  return s;
+  }
+return string;
+}
+
+
+uschar *
+expand_string(uschar * string)
+{
+return US expand_cstring(CUS string);
+}
+
+
+
+
+
+/*************************************************
+*              Expand and copy                   *
+*************************************************/
+
+/* Now and again we want to expand a string and be sure that the result is in a
+new bit of store. This function does that.
+Since we know it has been copied, the de-const cast is safe.
+
+Argument: the string to be expanded
+Returns:  the expanded string, always in a new bit of store, or NULL
+*/
+
+uschar *
+expand_string_copy(const uschar *string)
+{
+const uschar *yield = expand_cstring(string);
+if (yield == string) yield = string_copy(string);
+return US yield;
+}
+
+
+
+/*************************************************
+*        Expand and interpret as an integer      *
+*************************************************/
+
+/* Expand a string, and convert the result into an integer.
+
+Arguments:
+  string  the string to be expanded
+  isplus  TRUE if a non-negative number is expected
+
+Returns:  the integer value, or
+          -1 for an expansion error               ) in both cases, message in
+          -2 for an integer interpretation error  ) expand_string_message
+          expand_string_message is set NULL for an OK integer
+*/
+
+int_eximarith_t
+expand_string_integer(uschar *string, BOOL isplus)
+{
+return expanded_string_integer(expand_string(string), isplus);
+}
+
+
+/*************************************************
+ *         Interpret string as an integer        *
+ *************************************************/
+
+/* Convert a string (that has already been expanded) into an integer.
+
+This function is used inside the expansion code.
+
+Arguments:
+  s       the string to be expanded
+  isplus  TRUE if a non-negative number is expected
+
+Returns:  the integer value, or
+          -1 if string is NULL (which implies an expansion error)
+          -2 for an integer interpretation error
+          expand_string_message is set NULL for an OK integer
+*/
+
+static int_eximarith_t
+expanded_string_integer(const uschar *s, BOOL isplus)
+{
+int_eximarith_t value;
+uschar *msg = US"invalid integer \"%s\"";
+uschar *endptr;
+
+/* If expansion failed, expand_string_message will be set. */
+
+if (!s) return -1;
+
+/* On an overflow, strtol() returns LONG_MAX or LONG_MIN, and sets errno
+to ERANGE. When there isn't an overflow, errno is not changed, at least on some
+systems, so we set it zero ourselves. */
+
+errno = 0;
+expand_string_message = NULL;               /* Indicates no error */
+
+/* Before Exim 4.64, strings consisting entirely of whitespace compared
+equal to 0.  Unfortunately, people actually relied upon that, so preserve
+the behaviour explicitly.  Stripping leading whitespace is a harmless
+noop change since strtol skips it anyway (provided that there is a number
+to find at all). */
+if (isspace(*s))
+  if (Uskip_whitespace(&s) == '\0')
+    {
+      DEBUG(D_expand)
+       debug_printf_indent("treating blank string as number 0\n");
+      return 0;
+    }
+
+value = strtoll(CS s, CSS &endptr, 10);
+
+if (endptr == s)
+  msg = US"integer expected but \"%s\" found";
+else if (value < 0 && isplus)
+  msg = US"non-negative integer expected but \"%s\" found";
+else
+  {
+  switch (tolower(*endptr))
+    {
+    default:
+      break;
+    case 'k':
+      if (value > EXIM_ARITH_MAX/1024 || value < EXIM_ARITH_MIN/1024) errno = ERANGE;
+      else value *= 1024;
+      endptr++;
+      break;
+    case 'm':
+      if (value > EXIM_ARITH_MAX/(1024*1024) || value < EXIM_ARITH_MIN/(1024*1024)) errno = ERANGE;
+      else value *= 1024*1024;
+      endptr++;
+      break;
+    case 'g':
+      if (value > EXIM_ARITH_MAX/(1024*1024*1024) || value < EXIM_ARITH_MIN/(1024*1024*1024)) errno = ERANGE;
+      else value *= 1024*1024*1024;
+      endptr++;
+      break;
+    }
+  if (errno == ERANGE)
+    msg = US"absolute value of integer \"%s\" is too large (overflow)";
+  else
+    if (Uskip_whitespace(&endptr) == 0) return value;
+  }
+
+expand_string_message = string_sprintf(CS msg, s);
+return -2;
+}
+
+
+/* These values are usually fixed boolean values, but they are permitted to be
+expanded strings.
+
+Arguments:
+  addr       address being routed
+  mtype      the module type
+  mname      the module name
+  dbg_opt    debug selectors
+  oname      the option name
+  bvalue     the router's boolean value
+  svalue     the router's string value
+  rvalue     where to put the returned value
+
+Returns:     OK     value placed in rvalue
+             DEFER  expansion failed
+*/
+
+int
+exp_bool(address_item *addr,
+  uschar *mtype, uschar *mname, unsigned dbg_opt,
+  uschar *oname, BOOL bvalue,
+  uschar *svalue, BOOL *rvalue)
+{
+uschar *expanded;
+if (!svalue) { *rvalue = bvalue; return OK; }
+
+if (!(expanded = expand_string(svalue)))
+  {
+  if (f.expand_string_forcedfail)
+    {
+    DEBUG(dbg_opt) debug_printf("expansion of \"%s\" forced failure\n", oname);
+    *rvalue = bvalue;
+    return OK;
+    }
+  addr->message = string_sprintf("failed to expand \"%s\" in %s %s: %s",
+      oname, mname, mtype, expand_string_message);
+  DEBUG(dbg_opt) debug_printf("%s\n", addr->message);
+  return DEFER;
+  }
+
+DEBUG(dbg_opt) debug_printf("expansion of \"%s\" yields \"%s\"\n", oname,
+  expanded);
+
+if (strcmpic(expanded, US"true") == 0 || strcmpic(expanded, US"yes") == 0)
+  *rvalue = TRUE;
+else if (strcmpic(expanded, US"false") == 0 || strcmpic(expanded, US"no") == 0)
+  *rvalue = FALSE;
+else
+  {
+  addr->message = string_sprintf("\"%s\" is not a valid value for the "
+    "\"%s\" option in the %s %s", expanded, oname, mname, mtype);
+  return DEFER;
+  }
+
+return OK;
+}
+
+
+
+/* Avoid potentially exposing a password in a string about to be logged */
+
+uschar *
+expand_hide_passwords(uschar * s)
+{
+return (  (  Ustrstr(s, "failed to expand") != NULL
+	  || Ustrstr(s, "expansion of ")    != NULL
+	  )
+       && (  Ustrstr(s, "mysql")   != NULL
+	  || Ustrstr(s, "pgsql")   != NULL
+	  || Ustrstr(s, "redis")   != NULL
+	  || Ustrstr(s, "sqlite")  != NULL
+	  || Ustrstr(s, "ldap:")   != NULL
+	  || Ustrstr(s, "ldaps:")  != NULL
+	  || Ustrstr(s, "ldapi:")  != NULL
+	  || Ustrstr(s, "ldapdn:") != NULL
+	  || Ustrstr(s, "ldapm:")  != NULL
+       )  )
+  ? US"Temporary internal error" : s;
+}
+
+
+/* Read given named file into big_buffer.  Use for keying material etc.
+The content will have an ascii NUL appended.
+
+Arguments:
+ filename	as it says
+
+Return:  pointer to buffer, or NULL on error.
+*/
+
+uschar *
+expand_file_big_buffer(const uschar * filename)
+{
+int fd, off = 0, len;
+
+if ((fd = exim_open2(CS filename, O_RDONLY)) < 0)
+  {
+  log_write(0, LOG_MAIN | LOG_PANIC, "unable to open file for reading: %s",
+	     filename);
+  return NULL;
+  }
+
+do
+  {
+  if ((len = read(fd, big_buffer + off, big_buffer_size - 2 - off)) < 0)
+    {
+    (void) close(fd);
+    log_write(0, LOG_MAIN|LOG_PANIC, "unable to read file: %s", filename);
+    return NULL;
+    }
+  off += len;
+  }
+while (len > 0);
+
+(void) close(fd);
+big_buffer[off] = '\0';
+return big_buffer;
+}
+
+
+
+/*************************************************
+* Error-checking for testsuite                   *
+*************************************************/
+typedef struct {
+  uschar * 	region_start;
+  uschar *	region_end;
+  const uschar *var_name;
+  const uschar *var_data;
+} err_ctx;
+
+/* Called via tree_walk, which allows nonconst name/data.  Our usage is const. */
+static void
+assert_variable_notin(uschar * var_name, uschar * var_data, void * ctx)
+{
+err_ctx * e = ctx;
+if (var_data >= e->region_start  &&  var_data < e->region_end)
+  {
+  e->var_name = CUS var_name;
+  e->var_data = CUS var_data;
+  }
+}
+
+void
+assert_no_variables(void * ptr, int len, const char * filename, int linenumber)
+{
+err_ctx e = { .region_start = ptr, .region_end = US ptr + len,
+	      .var_name = NULL, .var_data = NULL };
+
+/* check acl_ variables */
+tree_walk(acl_var_c, assert_variable_notin, &e);
+tree_walk(acl_var_m, assert_variable_notin, &e);
+
+/* check auth<n> variables.
+assert_variable_notin() treats as const, so deconst is safe. */
+for (int i = 0; i < AUTH_VARS; i++) if (auth_vars[i])
+  assert_variable_notin(US"auth<n>", US auth_vars[i], &e);
+
+/* check regex<n> variables. assert_variable_notin() treats as const. */
+for (int i = 0; i < REGEX_VARS; i++) if (regex_vars[i])
+  assert_variable_notin(US"regex<n>", US regex_vars[i], &e);
+
+/* check known-name variables */
+for (var_entry * v = var_table; v < var_table + var_table_size; v++)
+  if (v->type == vtype_stringptr)
+    assert_variable_notin(US v->name, *(USS v->value), &e);
+
+/* check dns and address trees */
+tree_walk(tree_dns_fails,     assert_variable_notin, &e);
+tree_walk(tree_duplicates,    assert_variable_notin, &e);
+tree_walk(tree_nonrecipients, assert_variable_notin, &e);
+tree_walk(tree_unusable,      assert_variable_notin, &e);
+
+if (e.var_name)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "live variable '%s' destroyed by reset_store at %s:%d\n- value '%.64s'",
+    e.var_name, filename, linenumber, e.var_data);
+}
+
+
+
+/*************************************************
+**************************************************
+*             Stand-alone test program           *
+**************************************************
+*************************************************/
+
+#ifdef STAND_ALONE
+
+
+BOOL
+regex_match_and_setup(const pcre2_code *re, uschar *subject, int options, int setup)
+{
+int ovec[3*(EXPAND_MAXN+1)];
+int n = pcre_exec(re, NULL, subject, Ustrlen(subject), 0, PCRE_EOPT|options,
+  ovec, nelem(ovec));
+BOOL yield = n >= 0;
+if (n == 0) n = EXPAND_MAXN + 1;
+if (yield)
+  {
+  expand_nmax = setup < 0 ? 0 : setup + 1;
+  for (int nn = setup < 0 ? 0 : 2; nn < n*2; nn += 2)
+    {
+    expand_nstring[expand_nmax] = subject + ovec[nn];
+    expand_nlength[expand_nmax++] = ovec[nn+1] - ovec[nn];
+    }
+  expand_nmax--;
+  }
+return yield;
+}
+
+
+int main(int argc, uschar **argv)
+{
+uschar buffer[1024];
+
+debug_selector = D_v;
+debug_file = stderr;
+debug_fd = fileno(debug_file);
+big_buffer = malloc(big_buffer_size);
+store_init();
+
+for (int i = 1; i < argc; i++)
+  {
+  if (argv[i][0] == '+')
+    {
+    debug_trace_memory = 2;
+    argv[i]++;
+    }
+  if (isdigit(argv[i][0]))
+    debug_selector = Ustrtol(argv[i], NULL, 0);
+  else
+    if (Ustrspn(argv[i], "abcdefghijklmnopqrtsuvwxyz0123456789-.:/") ==
+        Ustrlen(argv[i]))
+      {
+#ifdef LOOKUP_LDAP
+      eldap_default_servers = argv[i];
+#endif
+#ifdef LOOKUP_MYSQL
+      mysql_servers = argv[i];
+#endif
+#ifdef LOOKUP_PGSQL
+      pgsql_servers = argv[i];
+#endif
+#ifdef LOOKUP_REDIS
+      redis_servers = argv[i];
+#endif
+      }
+#ifdef EXIM_PERL
+  else opt_perl_startup = argv[i];
+#endif
+  }
+
+printf("Testing string expansion: debug_level = %d\n\n", debug_level);
+
+expand_nstring[1] = US"string 1....";
+expand_nlength[1] = 8;
+expand_nmax = 1;
+
+#ifdef EXIM_PERL
+if (opt_perl_startup != NULL)
+  {
+  uschar *errstr;
+  printf("Starting Perl interpreter\n");
+  errstr = init_perl(opt_perl_startup);
+  if (errstr != NULL)
+    {
+    printf("** error in perl_startup code: %s\n", errstr);
+    return EXIT_FAILURE;
+    }
+  }
+#endif /* EXIM_PERL */
+
+/* Thie deliberately regards the input as untainted, so that it can be
+expanded; only reasonable since this is a test for string-expansions. */
+
+while (fgets(buffer, sizeof(buffer), stdin) != NULL)
+  {
+  rmark reset_point = store_mark();
+  uschar *yield = expand_string(buffer);
+  if (yield)
+    printf("%s\n", yield);
+  else
+    {
+    if (f.search_find_defer) printf("search_find deferred\n");
+    printf("Failed: %s\n", expand_string_message);
+    if (f.expand_string_forcedfail) printf("Forced failure\n");
+    printf("\n");
+    }
+  store_reset(reset_point);
+  }
+
+search_tidyup();
+
+return 0;
+}
+
+#endif
+
+/* vi: aw ai sw=2
+*/
+/* End of expand.c */
diff --git a/src/filter.c b/src/filter.c
new file mode 100644
index 0000000..ad017e5
--- /dev/null
+++ b/src/filter.c
@@ -0,0 +1,2607 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* Code for mail filtering functions. */
+
+#include "exim.h"
+
+
+/* Command arguments and left/right points in conditions can contain different
+types of data, depending on the particular command or condition. Originally,
+(void *) was used as "any old type", with casts, but this gives trouble and
+warnings in some environments. So now it is done "properly", with a union. We
+need to declare the structures first because some of them are recursive. */
+
+struct filter_cmd;
+struct condition_block;
+
+union argtypes {
+  struct string_item     *a;
+  BOOL                    b;
+  struct condition_block *c;
+  struct filter_cmd      *f;
+  int                     i;
+  const uschar            *u;
+};
+
+/* Local structures used in this module */
+
+typedef struct filter_cmd {
+  struct filter_cmd *next;
+  int command;
+  BOOL seen;
+  BOOL noerror;
+  union argtypes args[1];
+} filter_cmd;
+
+typedef struct condition_block {
+  struct condition_block *parent;
+  int type;
+  BOOL testfor;
+  union argtypes left;
+  union argtypes right;
+} condition_block;
+
+/* Miscellaneous other declarations */
+
+static uschar **error_pointer;
+static const uschar *log_filename;
+static int  filter_options;
+static int  line_number;
+static int  expect_endif;
+static int  had_else_endif;
+static int  log_fd;
+static int  log_mode;
+static int  output_indent;
+static BOOL filter_delivered;
+static BOOL finish_obeyed;
+static BOOL seen_force;
+static BOOL seen_value;
+static BOOL noerror_force;
+
+enum { had_neither, had_else, had_elif, had_endif };
+
+static BOOL read_command_list(const uschar **, filter_cmd ***, BOOL);
+
+
+/* The string arguments for the mail command. The header line ones (that are
+permitted to include \n followed by white space) first, and then the body text
+one (it can have \n anywhere). Then the file names and once_repeat, which may
+not contain \n. */
+
+static const char *mailargs[] = {  /* "to" must be first, and */
+  "to",                            /* "cc" and "bcc" must follow */
+  "cc",
+  "bcc",
+  "from",
+  "reply_to",
+  "subject",
+  "extra_headers",           /* miscellaneous added header lines */
+  "text",
+  "file",
+  "log",
+  "once",
+  "once_repeat"
+};
+
+/* The count of string arguments */
+
+#define MAILARGS_STRING_COUNT (nelem(mailargs))
+
+/* The count of string arguments that are actually passed over as strings
+(once_repeat is converted to an int). */
+
+#define mailargs_string_passed (MAILARGS_STRING_COUNT - 1)
+
+/* This defines the offsets for the arguments; first the string ones, and
+then the non-string ones. The order must be as above. */
+
+enum { mailarg_index_to,
+       mailarg_index_cc,
+       mailarg_index_bcc,
+       mailarg_index_from,
+       mailarg_index_reply_to,
+       mailarg_index_subject,
+       mailarg_index_headers,      /* misc headers must be last */
+       mailarg_index_text,         /* text is first after headers */
+       mailarg_index_file,         /* between text and expand are filenames */
+       mailarg_index_log,
+       mailarg_index_once,
+       mailarg_index_once_repeat,  /* a time string */
+       mailarg_index_expand,       /* first non-string argument */
+       mailarg_index_return,
+       mailargs_total              /* total number of arguments */
+       };
+
+/* Offsets in the data structure for the string arguments (note that
+once_repeat isn't a string argument at this point.) */
+
+static int reply_offsets[] = {  /* must be in same order as above */
+  offsetof(reply_item, to),
+  offsetof(reply_item, cc),
+  offsetof(reply_item, bcc),
+  offsetof(reply_item, from),
+  offsetof(reply_item, reply_to),
+  offsetof(reply_item, subject),
+  offsetof(reply_item, headers),
+  offsetof(reply_item, text),
+  offsetof(reply_item, file),
+  offsetof(reply_item, logfile),
+  offsetof(reply_item, oncelog),
+};
+
+/* Condition identities and names, with negated versions for some
+of them. */
+
+enum { cond_and, cond_or, cond_personal, cond_begins, cond_BEGINS,
+       cond_ends, cond_ENDS, cond_is, cond_IS, cond_matches,
+       cond_MATCHES, cond_contains, cond_CONTAINS, cond_delivered,
+       cond_above, cond_below, cond_errormsg, cond_firsttime,
+       cond_manualthaw, cond_foranyaddress };
+
+static const char *cond_names[] = {
+  "and", "or", "personal",
+  "begins", "BEGINS", "ends", "ENDS",
+  "is", "IS", "matches", "MATCHES", "contains",
+  "CONTAINS", "delivered", "above", "below", "error_message",
+  "first_delivery", "manually_thawed", "foranyaddress" };
+
+static const char *cond_not_names[] = {
+  "", "", "not personal",
+  "does not begin", "does not BEGIN",
+  "does not end", "does not END",
+  "is not", "IS not", "does not match",
+  "does not MATCH", "does not contain", "does not CONTAIN",
+  "not delivered", "not above", "not below", "not error_message",
+  "not first_delivery", "not manually_thawed", "not foranyaddress" };
+
+/* Tables of binary condition words and their corresponding types. Not easy
+to amalgamate with the above because of the different variants. */
+
+static const char *cond_words[] = {
+   "BEGIN",
+   "BEGINS",
+   "CONTAIN",
+   "CONTAINS",
+   "END",
+   "ENDS",
+   "IS",
+   "MATCH",
+   "MATCHES",
+   "above",
+   "begin",
+   "begins",
+   "below",
+   "contain",
+   "contains",
+   "end",
+   "ends",
+   "is",
+   "match",
+   "matches"};
+
+static int cond_word_count = nelem(cond_words);
+
+static int cond_types[] = { cond_BEGINS, cond_BEGINS, cond_CONTAINS,
+  cond_CONTAINS, cond_ENDS, cond_ENDS, cond_IS, cond_MATCHES, cond_MATCHES,
+  cond_above, cond_begins, cond_begins, cond_below, cond_contains,
+  cond_contains, cond_ends, cond_ends, cond_is, cond_matches, cond_matches };
+
+/* Command identities: must be kept in step with the list of command words
+and the list of expanded argument counts which follow. */
+
+enum { add_command, defer_command, deliver_command, elif_command, else_command,
+       endif_command, finish_command, fail_command, freeze_command,
+       headers_command, if_command, logfile_command, logwrite_command,
+       mail_command, noerror_command, pipe_command, save_command, seen_command,
+       testprint_command, unseen_command, vacation_command };
+
+static const char *command_list[] = {
+  "add",     "defer",   "deliver", "elif", "else",      "endif",    "finish",
+  "fail",    "freeze",  "headers", "if",   "logfile",   "logwrite", "mail",
+  "noerror", "pipe",    "save",    "seen", "testprint", "unseen",   "vacation"
+};
+
+static int command_list_count = nelem(command_list);
+
+/* This table contains the number of expanded arguments in the bottom 4 bits.
+If the top bit is set, it means that the default for the command is "seen". */
+
+static uschar command_exparg_count[] = {
+      2, /* add */
+      1, /* defer */
+  128+2, /* deliver */
+      0, /* elif */
+      0, /* else */
+      0, /* endif */
+      0, /* finish */
+      1, /* fail */
+      1, /* freeze */
+      1, /* headers */
+      0, /* if */
+      1, /* logfile */
+      1, /* logwrite */
+      MAILARGS_STRING_COUNT, /* mail */
+      0, /* noerror */
+  128+0, /* pipe */
+  128+1, /* save */
+      0, /* seen */
+      1, /* testprint */
+      0, /* unseen */
+      MAILARGS_STRING_COUNT /* vacation */
+};
+
+
+
+/*************************************************
+*          Find next significant uschar            *
+*************************************************/
+
+/* Function to skip over white space and, optionally, comments.
+
+Arguments:
+  ptr              pointer to next character
+  comment_allowed  if TRUE, comments (# to \n) are skipped
+
+Returns:           pointer to next non-whitespace character
+*/
+
+static const uschar *
+nextsigchar(const uschar *ptr, BOOL comment_allowed)
+{
+for (;;)
+  {
+  while (isspace(*ptr))
+    {
+    if (*ptr == '\n') line_number++;
+    ptr++;
+    }
+  if (comment_allowed && *ptr == '#')
+    {
+    while (*(++ptr) != '\n' && *ptr != 0);
+    continue;
+    }
+  else break;
+  }
+return ptr;
+}
+
+
+
+/*************************************************
+*                Read one word                   *
+*************************************************/
+
+/* The terminator is white space unless bracket is TRUE, in which
+case ( and ) terminate.
+
+Arguments
+  ptr       pointer to next character
+  buffer    where to put the word
+  size      size of buffer
+  bracket   if TRUE, terminate on ( and ) as well as space
+
+Returns:    pointer to the next significant character after the word
+*/
+
+static const uschar *
+nextword(const uschar *ptr, uschar *buffer, int size, BOOL bracket)
+{
+uschar *bp = buffer;
+while (*ptr != 0 && !isspace(*ptr) &&
+       (!bracket || (*ptr != '(' && *ptr != ')')))
+  {
+  if (bp - buffer < size - 1) *bp++ = *ptr++; else
+    {
+    *error_pointer = string_sprintf("word is too long in line %d of "
+      "filter file (max = %d chars)", line_number, size);
+    break;
+    }
+  }
+*bp = 0;
+return nextsigchar(ptr, TRUE);
+}
+
+
+
+/*************************************************
+*                Read one item                   *
+*************************************************/
+
+/* Might be a word, or might be a quoted string; in the latter case
+do the escape stuff.
+
+Arguments:
+  ptr        pointer to next character
+  buffer     where to put the item
+  size       size of buffer
+  bracket    if TRUE, terminate non-quoted on ( and ) as well as space
+
+Returns:     the next significant character after the item
+*/
+
+static const uschar *
+nextitem(const uschar *ptr, uschar *buffer, int size, BOOL bracket)
+{
+uschar *bp = buffer;
+if (*ptr != '\"') return nextword(ptr, buffer, size, bracket);
+
+while (*++ptr && *ptr != '\"' && *ptr != '\n')
+  {
+  if (bp - buffer >= size - 1)
+    {
+    *error_pointer = string_sprintf("string is too long in line %d of "
+      "filter file (max = %d chars)", line_number, size);
+    break;
+    }
+
+  if (*ptr != '\\') *bp++ = *ptr; else
+    {
+    if (isspace(ptr[1]))    /* \<whitespace>NL<whitespace> ignored */
+      {
+      const uschar *p = ptr + 1;
+      while (*p != '\n' && isspace(*p)) p++;
+      if (*p == '\n')
+        {
+        line_number++;
+        ptr = p;
+        while (ptr[1] != '\n' && isspace(ptr[1])) ptr++;
+        continue;
+        }
+      }
+
+    *bp++ = string_interpret_escape(CUSS &ptr);
+    }
+  }
+
+if (*ptr == '\"') ptr++;
+  else if (*error_pointer == NULL)
+    *error_pointer = string_sprintf("quote missing at end of string "
+      "in line %d", line_number);
+
+*bp = 0;
+return nextsigchar(ptr, TRUE);
+}
+
+
+
+
+/*************************************************
+*          Convert a string + K|M to a number    *
+*************************************************/
+
+/*
+Arguments:
+  s        points to text string
+  OK       set TRUE if a valid number was read
+
+Returns:   the number, or 0 on error (with *OK FALSE)
+*/
+
+static int
+get_number(const uschar *s, BOOL *ok)
+{
+int value, count;
+*ok = FALSE;
+if (sscanf(CS s, "%i%n", &value, &count) != 1) return 0;
+if (tolower(s[count]) == 'k') { value *= 1024; count++; }
+if (tolower(s[count]) == 'm') { value *= 1024*1024; count++; }
+while (isspace((s[count]))) count++;
+if (s[count] != 0) return 0;
+*ok = TRUE;
+return value;
+}
+
+
+
+/*************************************************
+*            Read one condition                  *
+*************************************************/
+
+/* A complete condition must be terminated by "then"; bracketed internal
+conditions must be terminated by a closing bracket. They are read by calling
+this function recursively.
+
+Arguments:
+  ptr             points to start of condition
+  condition_block where to hang the created condition block
+  toplevel        TRUE when called at the top level
+
+Returns:          points to next character after "then"
+*/
+
+static const uschar *
+read_condition(const uschar *ptr, condition_block **cond, BOOL toplevel)
+{
+uschar buffer[1024];
+BOOL testfor = TRUE;
+condition_block *current_parent = NULL;
+condition_block **current = cond;
+
+*current = NULL;
+
+/* Loop to read next condition */
+
+for (;;)
+  {
+  condition_block *c;
+
+  /* reaching the end of the input is an error. */
+
+  if (!*ptr)
+    {
+    *error_pointer = US"\"then\" missing at end of filter file";
+    break;
+    }
+
+  /* Opening bracket at the start of a condition introduces a nested
+  condition, which must be terminated by a closing bracket. */
+
+  if (*ptr == '(')
+    {
+    ptr = read_condition(nextsigchar(ptr+1, TRUE), &c, FALSE);
+    if (*error_pointer != NULL) break;
+    if (*ptr != ')')
+      {
+      *error_pointer = string_sprintf("expected \")\" in line %d of "
+        "filter file", line_number);
+      break;
+      }
+    if (!testfor)
+      {
+      c->testfor = !c->testfor;
+      testfor = TRUE;
+      }
+    ptr = nextsigchar(ptr+1, TRUE);
+    }
+
+
+  /* Closing bracket at the start of a condition is an error. Give an
+  explicit message, as otherwise "unknown condition" would be confusing. */
+
+  else if (*ptr == ')')
+    {
+    *error_pointer = string_sprintf("unexpected \")\" in line %d of "
+      "filter file", line_number);
+    break;
+    }
+
+  /* Otherwise we expect a word or a string. */
+
+  else
+    {
+    ptr = nextitem(ptr, buffer, sizeof(buffer), TRUE);
+    if (*error_pointer) break;
+
+    /* "Then" at the start of a condition is an error */
+
+    if (Ustrcmp(buffer, "then") == 0)
+      {
+      *error_pointer = string_sprintf("unexpected \"then\" near line %d of "
+        "filter file", line_number);
+      break;
+      }
+
+    /* "Not" at the start of a condition negates the testing condition. */
+
+    if (Ustrcmp(buffer, "not") == 0)
+      {
+      testfor = !testfor;
+      continue;
+      }
+
+    /* Build a condition block from the specific word. */
+
+    c = store_get(sizeof(condition_block), GET_UNTAINTED);
+    c->left.u = c->right.u = NULL;
+    c->testfor = testfor;
+    testfor = TRUE;
+
+    /* Check for conditions that start with a keyword */
+
+    if (Ustrcmp(buffer, "delivered") == 0) c->type = cond_delivered;
+    else if (Ustrcmp(buffer, "error_message") == 0) c->type = cond_errormsg;
+    else if (Ustrcmp(buffer, "first_delivery") == 0) c->type = cond_firsttime;
+    else if (Ustrcmp(buffer, "manually_thawed") == 0) c->type = cond_manualthaw;
+
+    /* Personal can be followed by any number of aliases */
+
+    else if (Ustrcmp(buffer, "personal") == 0)
+      {
+      c->type = cond_personal;
+      for (;;)
+        {
+        string_item *aa;
+        const uschar * saveptr = ptr;
+        ptr = nextword(ptr, buffer, sizeof(buffer), TRUE);
+        if (*error_pointer) break;
+        if (Ustrcmp(buffer, "alias") != 0)
+          {
+          ptr = saveptr;
+          break;
+          }
+        ptr = nextitem(ptr, buffer, sizeof(buffer), TRUE);
+        if (*error_pointer) break;
+        aa = store_get(sizeof(string_item), GET_UNTAINTED);
+        aa->text = string_copy(buffer);
+        aa->next = c->left.a;
+        c->left.a = aa;
+        }
+      }
+
+    /* Foranyaddress must be followed by a string and a condition enclosed
+    in parentheses, which is handled as a subcondition. */
+
+    else if (Ustrcmp(buffer, "foranyaddress") == 0)
+      {
+      ptr = nextitem(ptr, buffer, sizeof(buffer), TRUE);
+      if (*error_pointer) break;
+      if (*ptr != '(')
+        {
+        *error_pointer = string_sprintf("\"(\" expected after \"foranyaddress\" "
+          "near line %d of filter file", line_number);
+        break;
+        }
+
+      c->type = cond_foranyaddress;
+      c->left.u = string_copy(buffer);
+
+      ptr = read_condition(nextsigchar(ptr+1, TRUE), &(c->right.c), FALSE);
+      if (*error_pointer) break;
+      if (*ptr != ')')
+        {
+        *error_pointer = string_sprintf("expected \")\" in line %d of "
+          "filter file", line_number);
+        break;
+        }
+      ptr = nextsigchar(ptr+1, TRUE);
+      }
+
+    /* If it's not a word we recognize, then it must be the lefthand
+    operand of one of the comparison words. */
+
+    else
+      {
+      int i;
+      const uschar *isptr = NULL;
+
+      c->left.u = string_copy(buffer);
+      ptr = nextword(ptr, buffer, sizeof(buffer), TRUE);
+      if (*error_pointer) break;
+
+      /* Handle "does|is [not]", preserving the pointer after "is" in
+      case it isn't that, but the form "is <string>". */
+
+      if (strcmpic(buffer, US"does") == 0 || strcmpic(buffer, US"is") == 0)
+        {
+        if (buffer[0] == 'i') { c->type = cond_is; isptr = ptr; }
+        if (buffer[0] == 'I') { c->type = cond_IS; isptr = ptr; }
+
+        ptr = nextword(ptr, buffer, sizeof(buffer), TRUE);
+        if (*error_pointer) break;
+        if (strcmpic(buffer, US"not") == 0)
+          {
+          c->testfor = !c->testfor;
+          if (isptr) isptr = ptr;
+          ptr = nextword(ptr, buffer, sizeof(buffer), TRUE);
+          if (*error_pointer) break;
+          }
+        }
+
+      for (i = 0; i < cond_word_count; i++)
+        {
+        if (Ustrcmp(buffer, cond_words[i]) == 0)
+          {
+          c->type = cond_types[i];
+          break;
+          }
+        }
+
+      /* If an unknown word follows "is" or "is not"
+      it's actually the argument. Reset to read it. */
+
+      if (i >= cond_word_count)
+        {
+        if (!isptr)
+          {
+          *error_pointer = string_sprintf("unrecognized condition word \"%s\" "
+            "near line %d of filter file", buffer, line_number);
+          break;
+          }
+        ptr = isptr;
+        }
+
+      /* Get the RH argument. */
+
+      ptr = nextitem(ptr, buffer, sizeof(buffer), TRUE);
+      if (*error_pointer) break;
+      c->right.u = string_copy(buffer);
+      }
+    }
+
+  /* We have read some new condition and set it up in the condition block
+  c; point the current pointer at it, and then deal with what follows. */
+
+  *current = c;
+
+  /* Closing bracket terminates if this is a lower-level condition. Otherwise
+  it is unexpected. */
+
+  if (*ptr == ')')
+    {
+    if (toplevel)
+      *error_pointer = string_sprintf("unexpected \")\" in line %d of "
+        "filter file", line_number);
+    break;
+    }
+
+  /* Opening bracket following a condition is an error; give an explicit
+  message to make it clearer what is wrong. */
+
+  else if (*ptr == '(')
+    {
+    *error_pointer = string_sprintf("unexpected \"(\" in line %d of "
+      "filter file", line_number);
+    break;
+    }
+
+  /* Otherwise the next thing must be one of the words "and", "or" or "then" */
+
+  else
+    {
+//    const uschar *saveptr = ptr;
+    ptr = nextword(ptr, buffer, sizeof(buffer), FALSE);
+    if (*error_pointer) break;
+
+    /* "Then" terminates a toplevel condition; otherwise a closing bracket
+    has been omitted. Put a string terminator at the start of "then" so
+    that reflecting the condition can be done when testing. */
+    /*XXX This stops us doing a constification job in this file, unfortunately.
+    Comment it out and see if anything breaks.
+    With one addition down at DEFERFREEZEFAIL it passes the testsuite. */
+
+    if (Ustrcmp(buffer, "then") == 0)
+      {
+//      if (toplevel) *saveptr = 0;
+//      else
+   if (!toplevel)
+      *error_pointer = string_sprintf("missing \")\" at end of "
+          "condition near line %d of filter file", line_number);
+      break;
+      }
+
+    /* "And" causes a new condition block to replace the one we have
+    just read, which becomes the left sub-condition. The current pointer
+    is reset to the pointer for the right sub-condition. We have to keep
+    track of the tree of sequential "ands", so as to traverse back up it
+    if an "or" is met. */
+
+    else if (Ustrcmp(buffer, "and") == 0)
+      {
+      condition_block * andc = store_get(sizeof(condition_block), GET_UNTAINTED);
+      andc->parent = current_parent;
+      andc->type = cond_and;
+      andc->testfor = TRUE;
+      andc->left.c = c;
+      andc->right.u = NULL;    /* insurance */
+      *current = andc;
+      current = &(andc->right.c);
+      current_parent = andc;
+      }
+
+    /* "Or" is similar, but has to be done a bit more carefully to
+    ensure that "and" is more binding. If there's a parent set, we
+    are following a sequence of "and"s and must track back to their
+    start. */
+
+    else if (Ustrcmp(buffer, "or") == 0)
+      {
+      condition_block * orc = store_get(sizeof(condition_block), GET_UNTAINTED);
+      condition_block * or_parent = NULL;
+
+      if (current_parent)
+        {
+        while (current_parent->parent &&
+               current_parent->parent->type == cond_and)
+          current_parent = current_parent->parent;
+
+        /* If the parent has a parent, it must be an "or" parent. */
+
+        if (current_parent->parent)
+          or_parent = current_parent->parent;
+        }
+
+      orc->parent = or_parent;
+      if (!or_parent) *cond = orc;
+      else or_parent->right.c = orc;
+      orc->type = cond_or;
+      orc->testfor = TRUE;
+      orc->left.c = (current_parent == NULL)? c : current_parent;
+      orc->right.c = NULL;   /* insurance */
+      current = &(orc->right.c);
+      current_parent = orc;
+      }
+
+    /* Otherwise there is a disaster */
+
+    else
+      {
+      *error_pointer = string_sprintf("\"and\" or \"or\" or \"%s\" "
+        "expected near line %d of filter file, but found \"%s\"",
+          toplevel? "then" : ")", line_number, buffer);
+      break;
+      }
+    }
+  }
+
+return nextsigchar(ptr, TRUE);
+}
+
+
+
+/*************************************************
+*             Output the current indent          *
+*************************************************/
+
+static void
+indent(void)
+{
+int i;
+for (i = 0; i < output_indent; i++) debug_printf(" ");
+}
+
+
+
+/*************************************************
+*          Condition printer: for debugging      *
+*************************************************/
+
+/*
+Arguments:
+  c           the block at the top of the tree
+  toplevel    TRUE at toplevel - stops overall brackets
+
+Returns:      nothing
+*/
+
+static void
+print_condition(condition_block *c, BOOL toplevel)
+{
+const char *name = (c->testfor)? cond_names[c->type] : cond_not_names[c->type];
+switch(c->type)
+  {
+  case cond_personal:
+  case cond_delivered:
+  case cond_errormsg:
+  case cond_firsttime:
+  case cond_manualthaw:
+  debug_printf("%s", name);
+  break;
+
+  case cond_is:
+  case cond_IS:
+  case cond_matches:
+  case cond_MATCHES:
+  case cond_contains:
+  case cond_CONTAINS:
+  case cond_begins:
+  case cond_BEGINS:
+  case cond_ends:
+  case cond_ENDS:
+  case cond_above:
+  case cond_below:
+  debug_printf("%s %s %s", c->left.u, name, c->right.u);
+  break;
+
+  case cond_and:
+  if (!c->testfor) debug_printf("not (");
+  print_condition(c->left.c, FALSE);
+  debug_printf(" %s ", cond_names[c->type]);
+  print_condition(c->right.c, FALSE);
+  if (!c->testfor) debug_printf(")");
+  break;
+
+  case cond_or:
+  if (!c->testfor) debug_printf("not (");
+  else if (!toplevel) debug_printf("(");
+  print_condition(c->left.c, FALSE);
+  debug_printf(" %s ", cond_names[c->type]);
+  print_condition(c->right.c, FALSE);
+  if (!toplevel || !c->testfor) debug_printf(")");
+  break;
+
+  case cond_foranyaddress:
+  debug_printf("%s %s (", name, c->left.u);
+  print_condition(c->right.c, FALSE);
+  debug_printf(")");
+  break;
+  }
+}
+
+
+
+
+/*************************************************
+*            Read one filtering command          *
+*************************************************/
+
+/*
+Arguments:
+   pptr        points to pointer to first character of command; the pointer
+                 is updated to point after the last character read
+   lastcmdptr  points to pointer to pointer to last command; used for hanging
+                 on the newly read command
+
+Returns:       TRUE if command successfully read, else FALSE
+*/
+
+static BOOL
+read_command(const uschar **pptr, filter_cmd ***lastcmdptr)
+{
+int command, i, cmd_bit;
+filter_cmd *new, **newlastcmdptr;
+BOOL yield = TRUE;
+BOOL was_seen_or_unseen = FALSE;
+BOOL was_noerror = FALSE;
+uschar buffer[1024];
+const uschar *ptr = *pptr;
+const uschar *saveptr;
+uschar *fmsg = NULL;
+
+/* Read the next word and find which command it is. Command words are normally
+terminated by white space, but there are two exceptions, which are the "if" and
+"elif" commands. We must allow for them to be terminated by an opening bracket,
+as brackets are allowed in conditions and users will expect not to require
+white space here. */
+
+*buffer = '\0';	/* compiler quietening */
+
+if (Ustrncmp(ptr, "if(", 3) == 0)
+  {
+  Ustrcpy(buffer, US"if");
+  ptr += 2;
+  }
+else if (Ustrncmp(ptr, "elif(", 5) == 0)
+  {
+  Ustrcpy(buffer, US"elif");
+  ptr += 4;
+  }
+else
+  {
+  ptr = nextword(ptr, buffer, sizeof(buffer), FALSE);
+  if (*error_pointer) return FALSE;
+  }
+
+for (command = 0; command < command_list_count; command++)
+  if (Ustrcmp(buffer, command_list[command]) == 0) break;
+
+/* Handle the individual commands */
+
+switch (command)
+  {
+  /* Add takes two arguments, separated by the word "to". Headers has two
+  arguments, but the first must be "add", "remove", or "charset", and it gets
+  stored in the second argument slot. Neither may be preceded by seen, unseen
+  or noerror. */
+
+  case add_command:
+  case headers_command:
+  if (seen_force || noerror_force)
+    {
+    *error_pointer = string_sprintf("\"seen\", \"unseen\", or \"noerror\" "
+      "found before an \"%s\" command near line %d",
+        command_list[command], line_number);
+    yield = FALSE;
+    }
+  /* Fall through */
+
+  /* Logwrite, logfile, pipe, and testprint all take a single argument, save
+  and logfile can have an option second argument for the mode, and deliver can
+  have "errors_to <address>" in a system filter, or in a user filter if the
+  address is the current one. */
+
+  case deliver_command:
+  case logfile_command:
+  case logwrite_command:
+  case pipe_command:
+  case save_command:
+  case testprint_command:
+
+  ptr = nextitem(ptr, buffer, sizeof(buffer), FALSE);
+  if (!*buffer)
+    *error_pointer = string_sprintf("\"%s\" requires an argument "
+      "near line %d of filter file", command_list[command], line_number);
+
+  if (*error_pointer) yield = FALSE; else
+    {
+    union argtypes argument, second_argument;
+
+    argument.u = second_argument.u = NULL;
+
+    if (command == add_command)
+      {
+      argument.u = string_copy(buffer);
+      ptr = nextitem(ptr, buffer, sizeof(buffer), FALSE);
+      if (!*buffer || Ustrcmp(buffer, "to") != 0)
+        *error_pointer = string_sprintf("\"to\" expected in \"add\" command "
+          "near line %d of filter file", line_number);
+      else
+        {
+        ptr = nextitem(ptr, buffer, sizeof(buffer), FALSE);
+        if (!*buffer)
+          *error_pointer = string_sprintf("value missing after \"to\" "
+            "near line %d of filter file", line_number);
+        else second_argument.u = string_copy(buffer);
+        }
+      }
+
+    else if (command == headers_command)
+      {
+      if (Ustrcmp(buffer, "add") == 0)
+        second_argument.b = TRUE;
+      else
+        if (Ustrcmp(buffer, "remove") == 0) second_argument.b = FALSE;
+      else
+        if (Ustrcmp(buffer, "charset") == 0)
+          second_argument.b = TRUE_UNSET;
+      else
+        {
+        *error_pointer = string_sprintf("\"add\", \"remove\", or \"charset\" "
+          "expected after \"headers\" near line %d of filter file",
+            line_number);
+        yield = FALSE;
+        }
+
+      if (!f.system_filtering && second_argument.b != TRUE_UNSET)
+        {
+        *error_pointer = string_sprintf("header addition and removal is "
+          "available only in system filters: near line %d of filter file",
+          line_number);
+        yield = FALSE;
+        break;
+        }
+
+      if (yield)
+        {
+        ptr = nextitem(ptr, buffer, sizeof(buffer), FALSE);
+        if (!*buffer)
+          *error_pointer = string_sprintf("value missing after \"add\", "
+            "\"remove\", or \"charset\" near line %d of filter file",
+              line_number);
+        else argument.u = string_copy(buffer);
+        }
+      }
+
+    /* The argument for the logwrite command must end in a newline, and the save
+    and logfile commands can have an optional mode argument. The deliver
+    command can have an optional "errors_to <address>" for a system filter,
+    or for a user filter if the address is the user's address. Accept the
+    syntax here - the check is later. */
+
+    else
+      {
+      if (command == logwrite_command)
+        {
+        int len = Ustrlen(buffer);
+        if (len == 0 || buffer[len-1] != '\n') Ustrcat(buffer, US"\n");
+        }
+
+      argument.u = string_copy(buffer);
+
+      if (command == save_command || command == logfile_command)
+        {
+        if (isdigit(*ptr))
+          {
+          ptr = nextword(ptr, buffer, sizeof(buffer), FALSE);
+          second_argument.i = (int)Ustrtol(buffer, NULL, 8);
+          }
+        else second_argument.i = -1;
+        }
+
+      else if (command == deliver_command)
+        {
+        const uschar *save_ptr = ptr;
+        ptr = nextword(ptr, buffer, sizeof(buffer), FALSE);
+        if (Ustrcmp(buffer, "errors_to") == 0)
+          {
+          ptr = nextword(ptr, buffer, sizeof(buffer), FALSE);
+          second_argument.u = string_copy(buffer);
+          }
+        else ptr = save_ptr;
+        }
+      }
+
+    /* Set up the command block. Seen defaults TRUE for delivery commands,
+    FALSE for logging commands, and it doesn't matter for testprint, as
+    that doesn't change the "delivered" status. */
+
+    if (*error_pointer) yield = FALSE;
+    else
+      {
+      new = store_get(sizeof(filter_cmd) + sizeof(union argtypes), GET_UNTAINTED);
+      new->next = NULL;
+      **lastcmdptr = new;
+      *lastcmdptr = &(new->next);
+      new->command = command;
+      new->seen = seen_force? seen_value : command_exparg_count[command] >= 128;
+      new->noerror = noerror_force;
+      new->args[0] = argument;
+      new->args[1] = second_argument;
+      }
+    }
+  break;
+
+
+  /* Elif, else and endif just set a flag if expected. */
+
+  case elif_command:
+  case else_command:
+  case endif_command:
+  if (seen_force || noerror_force)
+    {
+    *error_pointer = string_sprintf("\"seen\", \"unseen\", or \"noerror\" "
+      "near line %d is not followed by a command", line_number);
+    yield = FALSE;
+    }
+
+  if (expect_endif > 0)
+    had_else_endif = (command == elif_command)? had_elif :
+                     (command == else_command)? had_else : had_endif;
+  else
+    {
+    *error_pointer = string_sprintf("unexpected \"%s\" command near "
+      "line %d of filter file", buffer, line_number);
+    yield = FALSE;
+    }
+  break;
+
+
+  /* Defer, freeze, and fail are available only if permitted. */
+
+  case defer_command:
+  cmd_bit = RDO_DEFER;
+  goto DEFER_FREEZE_FAIL;
+
+  case fail_command:
+  cmd_bit = RDO_FAIL;
+  goto DEFER_FREEZE_FAIL;
+
+  case freeze_command:
+  cmd_bit = RDO_FREEZE;
+
+  DEFER_FREEZE_FAIL:
+  if ((filter_options & cmd_bit) == 0)
+    {
+    *error_pointer = string_sprintf("filtering command \"%s\" is disabled: "
+      "near line %d of filter file", buffer, line_number);
+    yield = FALSE;
+    break;
+    }
+
+  /* A text message can be provided after the "text" keyword, or
+  as a string in quotes. */
+
+  saveptr = ptr;
+  ptr = nextitem(ptr, buffer, sizeof(buffer), FALSE);
+  if (*saveptr != '\"' && (!*buffer || Ustrcmp(buffer, "text") != 0))
+    {
+    ptr = saveptr;
+    fmsg = US"";
+    }
+  else
+    {
+    if (*saveptr != '\"')
+      ptr = nextitem(ptr, buffer, sizeof(buffer), FALSE);
+    fmsg = string_copy(buffer);
+    }
+
+  /* Drop through and treat as "finish", but never set "seen". */
+
+  seen_value = FALSE;
+
+  /* Finish has no arguments; fmsg defaults to NULL */
+
+  case finish_command:
+  new = store_get(sizeof(filter_cmd), GET_UNTAINTED);
+  new->next = NULL;
+  **lastcmdptr = new;
+  *lastcmdptr = &(new->next);
+  new->command = command;
+  new->seen = seen_force ? seen_value : FALSE;
+  new->args[0].u = fmsg;
+  break;
+
+
+  /* Seen, unseen, and noerror are not allowed before if, which takes a
+  condition argument and then and else sub-commands. */
+
+  case if_command:
+  if (seen_force || noerror_force)
+    {
+    *error_pointer = string_sprintf("\"seen\", \"unseen\", or \"noerror\" "
+      "found before an \"if\" command near line %d",
+        line_number);
+    yield = FALSE;
+    }
+
+  /* Set up the command block for if */
+
+  new = store_get(sizeof(filter_cmd) + 4 * sizeof(union argtypes), GET_UNTAINTED);
+  new->next = NULL;
+  **lastcmdptr = new;
+  *lastcmdptr = &new->next;
+  new->command = command;
+  new->seen = FALSE;
+  new->args[0].u = NULL;
+  new->args[1].u = new->args[2].u = NULL;
+  new->args[3].u = ptr;
+
+  /* Read the condition */
+
+  ptr = read_condition(ptr, &new->args[0].c, TRUE);
+  if (*error_pointer) { yield = FALSE; break; }
+
+  /* Read the commands to be obeyed if the condition is true */
+
+  newlastcmdptr = &(new->args[1].f);
+  if (!read_command_list(&ptr, &newlastcmdptr, TRUE)) yield = FALSE;
+
+  /* If commands were successfully read, handle the various possible
+  terminators. There may be a number of successive "elif" sections. */
+
+  else
+    {
+    while (had_else_endif == had_elif)
+      {
+      filter_cmd *newnew =
+        store_get(sizeof(filter_cmd) + 4 * sizeof(union argtypes), GET_UNTAINTED);
+      new->args[2].f = newnew;
+      new = newnew;
+      new->next = NULL;
+      new->command = command;
+      new->seen = FALSE;
+      new->args[0].u = NULL;
+      new->args[1].u = new->args[2].u = NULL;
+      new->args[3].u = ptr;
+
+      ptr = read_condition(ptr, &new->args[0].c, TRUE);
+      if (*error_pointer) { yield = FALSE; break; }
+      newlastcmdptr = &(new->args[1].f);
+      if (!read_command_list(&ptr, &newlastcmdptr, TRUE))
+        yield = FALSE;
+      }
+
+    if (yield == FALSE) break;
+
+    /* Handle termination by "else", possibly following one or more
+    "elsif" sections. */
+
+    if (had_else_endif == had_else)
+      {
+      newlastcmdptr = &(new->args[2].f);
+      if (!read_command_list(&ptr, &newlastcmdptr, TRUE))
+        yield = FALSE;
+      else if (had_else_endif != had_endif)
+        {
+        *error_pointer = string_sprintf("\"endif\" missing near line %d of "
+          "filter file", line_number);
+        yield = FALSE;
+        }
+      }
+
+    /* Otherwise the terminator was "endif" - this is checked by
+    read_command_list(). The pointer is already set to NULL. */
+    }
+
+  /* Reset the terminator flag. */
+
+  had_else_endif = had_neither;
+  break;
+
+
+  /* The mail & vacation commands have a whole slew of keyworded arguments.
+  The final argument values are the file expand and return message booleans,
+  whose offsets are defined in mailarg_index_{expand,return}. Although they
+  are logically booleans, because they are stored in a uschar * value, we use
+  NULL and not FALSE, to keep 64-bit compilers happy. */
+
+  case mail_command:
+  case vacation_command:
+  new = store_get(sizeof(filter_cmd) + mailargs_total * sizeof(union argtypes), GET_UNTAINTED);
+  new->next = NULL;
+  new->command = command;
+  new->seen = seen_force ? seen_value : FALSE;
+  new->noerror = noerror_force;
+  for (i = 0; i < mailargs_total; i++) new->args[i].u = NULL;
+
+  /* Read keyword/value pairs until we hit one that isn't. The data
+  must contain only printing chars plus tab, though the "text" value
+  can also contain newlines. The "file" keyword can be preceded by the
+  word "expand", and "return message" has no data. */
+
+  for (;;)
+    {
+    const uschar *saveptr = ptr;
+    ptr = nextword(ptr, buffer, sizeof(buffer), FALSE);
+    if (*error_pointer)
+      { yield = FALSE; break; }
+
+    /* Ensure "return" is followed by "message"; that's a complete option */
+
+    if (Ustrcmp(buffer, "return") == 0)
+      {
+      new->args[mailarg_index_return].u = US"";  /* not NULL => TRUE */
+      ptr = nextword(ptr, buffer, sizeof(buffer), FALSE);
+      if (Ustrcmp(buffer, "message") != 0)
+        {
+        *error_pointer = string_sprintf("\"return\" not followed by \"message\" "
+          " near line %d of filter file", line_number);
+        yield = FALSE;
+        break;
+        }
+      continue;
+      }
+
+    /* Ensure "expand" is followed by "file", then fall through to process the
+    file keyword. */
+
+    if (Ustrcmp(buffer, "expand") == 0)
+      {
+      new->args[mailarg_index_expand].u = US"";  /* not NULL => TRUE */
+      ptr = nextword(ptr, buffer, sizeof(buffer), FALSE);
+      if (Ustrcmp(buffer, "file") != 0)
+        {
+        *error_pointer = string_sprintf("\"expand\" not followed by \"file\" "
+          " near line %d of filter file", line_number);
+        yield = FALSE;
+        break;
+        }
+      }
+
+    /* Scan for the keyword */
+
+    for (i = 0; i < MAILARGS_STRING_COUNT; i++)
+      if (Ustrcmp(buffer, mailargs[i]) == 0) break;
+
+    /* Not found keyword; assume end of this command */
+
+    if (i >= MAILARGS_STRING_COUNT)
+      {
+      ptr = saveptr;
+      break;
+      }
+
+    /* Found keyword, read the data item */
+
+    ptr = nextitem(ptr, buffer, sizeof(buffer), FALSE);
+    if (*error_pointer)
+      { yield = FALSE; break; }
+    else new->args[i].u = string_copy(buffer);
+    }
+
+  /* If this is the vacation command, apply some default settings to
+  some of the arguments. */
+
+  if (command == vacation_command)
+    {
+    if (!new->args[mailarg_index_file].u)
+      {
+      new->args[mailarg_index_file].u = string_copy(US".vacation.msg");
+      new->args[mailarg_index_expand].u = US"";   /* not NULL => TRUE */
+      }
+    if (!new->args[mailarg_index_log].u)
+      new->args[mailarg_index_log].u = string_copy(US".vacation.log");
+    if (!new->args[mailarg_index_once].u)
+      new->args[mailarg_index_once].u = string_copy(US".vacation");
+    if (!new->args[mailarg_index_once_repeat].u)
+      new->args[mailarg_index_once_repeat].u = string_copy(US"7d");
+    if (!new->args[mailarg_index_subject].u)
+      new->args[mailarg_index_subject].u = string_copy(US"On vacation");
+    }
+
+  /* Join the address on to the chain of generated addresses */
+
+  **lastcmdptr = new;
+  *lastcmdptr = &(new->next);
+  break;
+
+
+  /* Seen and unseen just set flags */
+
+  case seen_command:
+  case unseen_command:
+  if (!*ptr)
+    {
+    *error_pointer = string_sprintf("\"seen\" or \"unseen\" "
+      "near line %d is not followed by a command", line_number);
+    yield = FALSE;
+    }
+  if (seen_force)
+    {
+    *error_pointer = string_sprintf("\"seen\" or \"unseen\" repeated "
+      "near line %d", line_number);
+    yield = FALSE;
+    }
+  seen_value = (command == seen_command);
+  seen_force = TRUE;
+  was_seen_or_unseen = TRUE;
+  break;
+
+
+  /* So does noerror */
+
+  case noerror_command:
+  if (!*ptr)
+    {
+    *error_pointer = string_sprintf("\"noerror\" "
+      "near line %d is not followed by a command", line_number);
+    yield = FALSE;
+    }
+  noerror_force = TRUE;
+  was_noerror = TRUE;
+  break;
+
+
+  /* Oops */
+
+  default:
+  *error_pointer = string_sprintf("unknown filtering command \"%s\" "
+    "near line %d of filter file", buffer, line_number);
+  yield = FALSE;
+  break;
+  }
+
+if (!was_seen_or_unseen && !was_noerror)
+  {
+  seen_force = FALSE;
+  noerror_force = FALSE;
+  }
+
+*pptr = ptr;
+return yield;
+}
+
+
+
+/*************************************************
+*              Read a list of commands           *
+*************************************************/
+
+/* If conditional is TRUE, the list must be terminated
+by the words "else" or "endif".
+
+Arguments:
+  pptr        points to pointer to next character; the pointer is updated
+  lastcmdptr  points to pointer to pointer to previously-read command; used
+                for hanging on the new command
+  conditional TRUE if this command is the subject of a condition
+
+Returns:      TRUE on success
+*/
+
+static BOOL
+read_command_list(const uschar **pptr, filter_cmd ***lastcmdptr, BOOL conditional)
+{
+if (conditional) expect_endif++;
+had_else_endif = had_neither;
+while (**pptr && had_else_endif == had_neither)
+  {
+  if (!read_command(pptr, lastcmdptr)) return FALSE;
+  *pptr = nextsigchar(*pptr, TRUE);
+  }
+if (conditional)
+  {
+  expect_endif--;
+  if (had_else_endif == had_neither)
+    {
+    *error_pointer = US"\"endif\" missing at end of filter file";
+    return FALSE;
+    }
+  }
+return TRUE;
+}
+
+
+
+
+/*************************************************
+*             Test a condition                   *
+*************************************************/
+
+/*
+Arguments:
+  c              points to the condition block; c->testfor indicated whether
+                   it's a positive or negative condition
+  toplevel       TRUE if called from "if" directly; FALSE otherwise
+
+Returns:         TRUE if the condition is met
+*/
+
+static BOOL
+test_condition(condition_block *c, BOOL toplevel)
+{
+BOOL yield = FALSE;
+const uschar *exp[2], * p, * pp;
+int val[2];
+int i;
+
+if (c == NULL) return TRUE;  /* does this ever occur? */
+
+switch (c->type)
+  {
+  case cond_and:
+  yield = test_condition(c->left.c, FALSE) &&
+          *error_pointer == NULL &&
+          test_condition(c->right.c, FALSE);
+  break;
+
+  case cond_or:
+  yield = test_condition(c->left.c, FALSE) ||
+          (*error_pointer == NULL &&
+          test_condition(c->right.c, FALSE));
+  break;
+
+  /* The personal test is meaningless in a system filter. The tests are now in
+  a separate function (so Sieve can use them). However, an Exim filter does not
+  scan Cc: (hence the FALSE argument). */
+
+  case cond_personal:
+  yield = f.system_filtering? FALSE : filter_personal(c->left.a, FALSE);
+  break;
+
+  case cond_delivered:
+  yield = filter_delivered;
+  break;
+
+  /* Only TRUE if a message is actually being processed; FALSE for address
+  testing and verification. */
+
+  case cond_errormsg:
+  yield = message_id[0] != 0 &&
+    (sender_address == NULL || sender_address[0] == 0);
+  break;
+
+  /* Only FALSE if a message is actually being processed; TRUE for address
+  and filter testing and verification. */
+
+  case cond_firsttime:
+  yield = filter_test != FTEST_NONE || message_id[0] == 0 || f.deliver_firsttime;
+  break;
+
+  /* Only TRUE if a message is actually being processed; FALSE for address
+  testing and verification. */
+
+  case cond_manualthaw:
+  yield = message_id[0] != 0 && f.deliver_manual_thaw;
+  break;
+
+  /* The foranyaddress condition loops through a list of addresses */
+
+  case cond_foranyaddress:
+  p = c->left.u;
+  if (!(pp = expand_cstring(p)))
+    {
+    *error_pointer = string_sprintf("failed to expand \"%s\" in "
+      "filter file: %s", p, expand_string_message);
+    return FALSE;
+    }
+
+  yield = FALSE;
+  f.parse_allow_group = TRUE;     /* Allow group syntax */
+
+  while (*pp)
+    {
+    uschar *error;
+    int start, end, domain;
+    uschar * s;
+
+    p = parse_find_address_end(pp, FALSE);
+    s = string_copyn(pp, p - pp);
+
+    filter_thisaddress =
+      parse_extract_address(s, &error, &start, &end, &domain, FALSE);
+
+    if (filter_thisaddress)
+      {
+      if ((filter_test != FTEST_NONE && debug_selector != 0) ||
+          (debug_selector & D_filter) != 0)
+        {
+        indent();
+        debug_printf_indent("Extracted address %s\n", filter_thisaddress);
+        }
+      yield = test_condition(c->right.c, FALSE);
+      }
+
+    if (yield) break;
+    if (!*p) break;
+    pp = p + 1;
+    }
+
+  f.parse_allow_group = FALSE;      /* Reset group syntax flags */
+  f.parse_found_group = FALSE;
+  break;
+
+  /* All other conditions have left and right values that need expanding;
+  on error, it doesn't matter what value is returned. */
+
+  default:
+  p = c->left.u;
+  for (i = 0; i < 2; i++)
+    {
+    if (!(exp[i] = expand_cstring(p)))
+      {
+      *error_pointer = string_sprintf("failed to expand \"%s\" in "
+        "filter file: %s", p, expand_string_message);
+      return FALSE;
+      }
+    p = c->right.u;
+    }
+
+  /* Inner switch for the different cases */
+
+  switch(c->type)
+    {
+    case cond_is:
+    yield = strcmpic(exp[0], exp[1]) == 0;
+    break;
+
+    case cond_IS:
+    yield = Ustrcmp(exp[0], exp[1]) == 0;
+    break;
+
+    case cond_contains:
+    yield = strstric_c(exp[0], exp[1], FALSE) != NULL;
+    break;
+
+    case cond_CONTAINS:
+    yield = Ustrstr(exp[0], exp[1]) != NULL;
+    break;
+
+    case cond_begins:
+    yield = strncmpic(exp[0], exp[1], Ustrlen(exp[1])) == 0;
+    break;
+
+    case cond_BEGINS:
+    yield = Ustrncmp(exp[0], exp[1], Ustrlen(exp[1])) == 0;
+    break;
+
+    case cond_ends:
+    case cond_ENDS:
+      {
+      int len = Ustrlen(exp[1]);
+      const uschar *s = exp[0] + Ustrlen(exp[0]) - len;
+      yield = s < exp[0]
+	? FALSE
+	: (c->type == cond_ends ? strcmpic(s, exp[1]) : Ustrcmp(s, exp[1])) == 0;
+      }
+    break;
+
+    case cond_matches:
+    case cond_MATCHES:
+      {
+      const pcre2_code *re;
+      int err;
+      PCRE2_SIZE offset;
+
+      if ((filter_test != FTEST_NONE && debug_selector != 0) ||
+	  (debug_selector & D_filter) != 0)
+	{
+	debug_printf_indent("Match expanded arguments:\n");
+	debug_printf_indent("  Subject = %s\n", exp[0]);
+	debug_printf_indent("  Pattern = %s\n", exp[1]);
+	}
+
+      if (!(re = pcre2_compile((PCRE2_SPTR)exp[1], PCRE2_ZERO_TERMINATED,
+		  PCRE_COPT | (c->type == cond_matches ? PCRE2_CASELESS : 0),
+		  &err, &offset, pcre_cmp_ctx)))
+	{
+	uschar errbuf[128];
+	pcre2_get_error_message(err, errbuf, sizeof(errbuf));
+	*error_pointer = string_sprintf("error while compiling "
+	  "regular expression \"%s\": %s at offset %ld",
+	  exp[1], errbuf, (long)offset);
+	return FALSE;
+	}
+
+      yield = regex_match_and_setup(re, exp[0], PCRE_EOPT, -1);
+      break;
+      }
+
+    /* For above and below, convert the strings to numbers */
+
+    case cond_above:
+    case cond_below:
+    for (i = 0; i < 2; i++)
+      {
+      val[i] = get_number(exp[i], &yield);
+      if (!yield)
+        {
+        *error_pointer = string_sprintf("malformed numerical string \"%s\"",
+          exp[i]);
+        return FALSE;
+        }
+      }
+    yield = (c->type == cond_above)? (val[0] > val[1]) : (val[0] < val[1]);
+    break;
+    }
+  break;
+  }
+
+if ((filter_test != FTEST_NONE && debug_selector != 0) ||
+    (debug_selector & D_filter) != 0)
+  {
+  indent();
+  debug_printf_indent("%sondition is %s: ",
+    toplevel? "C" : "Sub-c",
+    (yield == c->testfor)? "true" : "false");
+  print_condition(c, TRUE);
+  debug_printf_indent("\n");
+  }
+
+return yield == c->testfor;
+}
+
+
+
+/*************************************************
+*          Interpret chain of commands           *
+*************************************************/
+
+/* In testing state, just say what would be done rather than doing it. The
+testprint command just expands and outputs its argument in testing state, and
+does nothing otherwise.
+
+Arguments:
+  commands    points to chain of commands to interpret
+  generated   where to hang newly-generated addresses
+
+Returns:      FF_DELIVERED     success, a significant action was taken
+              FF_NOTDELIVERED  success, no significant action
+              FF_DEFER         defer requested
+              FF_FAIL          fail requested
+              FF_FREEZE        freeze requested
+              FF_ERROR         there was a problem
+*/
+
+static int
+interpret_commands(filter_cmd *commands, address_item **generated)
+{
+const uschar *s;
+int mode;
+address_item *addr;
+BOOL condition_value;
+
+while (commands)
+  {
+  int ff_ret;
+  uschar *fmsg, *ff_name;
+  const uschar *expargs[MAILARGS_STRING_COUNT];
+
+  int i, n[2];
+
+  /* Expand the relevant number of arguments for the command that are
+  not NULL. */
+
+  for (i = 0; i < (command_exparg_count[commands->command] & 15); i++)
+    {
+    const uschar *ss = commands->args[i].u;
+    if (!ss)
+      expargs[i] = NULL;
+    else if (!(expargs[i] = expand_cstring(ss)))
+      {
+      *error_pointer = string_sprintf("failed to expand \"%s\" in "
+	"%s command: %s", ss, command_list[commands->command],
+	expand_string_message);
+      return FF_ERROR;
+      }
+    }
+
+  /* Now switch for each command, setting the "delivered" flag if any of them
+  have "seen" set. */
+
+  if (commands->seen) filter_delivered = TRUE;
+
+  switch(commands->command)
+    {
+    case add_command:
+      for (i = 0; i < 2; i++)
+	{
+	const uschar *ss = expargs[i];
+	uschar *end;
+
+	if (i == 1 && (*ss++ != 'n' || ss[1] != 0))
+	  {
+	  *error_pointer = string_sprintf("unknown variable \"%s\" in \"add\" "
+	    "command", expargs[i]);
+	  return FF_ERROR;
+	  }
+
+	/* Allow for "--" at the start of the value (from -$n0) for example */
+	if (i == 0) while (ss[0] == '-' && ss[1] == '-') ss += 2;
+
+	n[i] = (int)Ustrtol(ss, &end, 0);
+	if (*end != 0)
+	  {
+	  *error_pointer = string_sprintf("malformed number \"%s\" in \"add\" "
+	    "command", ss);
+	  return FF_ERROR;
+	  }
+	}
+
+      filter_n[n[1]] += n[0];
+      if (filter_test != FTEST_NONE) printf("Add %d to n%d\n", n[0], n[1]);
+      break;
+
+      /* A deliver command's argument must be a valid address. Its optional
+      second argument (system filter only) must also be a valid address. */
+
+    case deliver_command:
+      for (i = 0; i < 2; i++)
+	{
+	s = expargs[i];
+	if (s != NULL)
+	  {
+	  int start, end, domain;
+	  uschar *error;
+	  uschar *ss = parse_extract_address(s, &error, &start, &end, &domain,
+	    FALSE);
+	  if (ss)
+	    expargs[i] = filter_options & RDO_REWRITE
+	      ? rewrite_address(ss, TRUE, FALSE, global_rewrite_rules,
+				rewrite_existflags)
+	      : rewrite_address_qualify(ss, TRUE);
+	  else
+	    {
+	    *error_pointer = string_sprintf("malformed address \"%s\" in "
+	      "filter file: %s", s, error);
+	    return FF_ERROR;
+	    }
+	  }
+	}
+
+      /* Stick the errors address into a simple variable, as it will
+      be referenced a few times. Check that the caller is permitted to
+      specify it. */
+
+      s = expargs[1];
+
+      if (s != NULL && !f.system_filtering)
+	{
+	uschar *ownaddress = expand_string(US"$local_part@$domain");
+	if (strcmpic(ownaddress, s) != 0)
+	  {
+	  *error_pointer = US"errors_to must point to the caller's address";
+	  return FF_ERROR;
+	  }
+	}
+
+      /* Test case: report what would happen */
+
+      if (filter_test != FTEST_NONE)
+	{
+	indent();
+	printf("%seliver message to: %s%s%s%s\n",
+	  (commands->seen)? "D" : "Unseen d",
+	  expargs[0],
+	  commands->noerror? " (noerror)" : "",
+	  (s != NULL)? " errors_to " : "",
+	  (s != NULL)? s : US"");
+	}
+
+      /* Real case. */
+
+      else
+	{
+	DEBUG(D_filter) debug_printf_indent("Filter: %sdeliver message to: %s%s%s%s\n",
+	  (commands->seen)? "" : "unseen ",
+	  expargs[0],
+	  commands->noerror? " (noerror)" : "",
+	  (s != NULL)? " errors_to " : "",
+	  (s != NULL)? s : US"");
+
+	/* Create the new address and add it to the chain, setting the
+	af_ignore_error flag if necessary, and the errors address, which can be
+	set in a system filter and to the local address in user filters. */
+
+	addr = deliver_make_addr(US expargs[0], TRUE);  /* TRUE => copy s, so deconst ok */
+	addr->prop.errors_address = !s ? NULL : string_copy(s); /* Default is NULL */
+	if (commands->noerror) addr->prop.ignore_error = TRUE;
+	addr->next = *generated;
+	*generated = addr;
+	}
+      break;
+
+    case save_command:
+      s = expargs[0];
+      mode = commands->args[1].i;
+
+      /* Test case: report what would happen */
+
+      if (filter_test != FTEST_NONE)
+	{
+	indent();
+	if (mode < 0)
+	  printf("%save message to: %s%s\n", (commands->seen)?
+	    "S" : "Unseen s", s, commands->noerror? " (noerror)" : "");
+	else
+	  printf("%save message to: %s %04o%s\n", (commands->seen)?
+	    "S" : "Unseen s", s, mode, commands->noerror? " (noerror)" : "");
+	}
+
+      /* Real case: Ensure save argument starts with / if there is a home
+      directory to prepend. */
+
+      else
+	{
+	if (s[0] != '/' && (filter_options & RDO_PREPEND_HOME) != 0 &&
+	    deliver_home != NULL && deliver_home[0] != 0)
+	  s = string_sprintf("%s/%s", deliver_home, s);
+	DEBUG(D_filter) debug_printf_indent("Filter: %ssave message to: %s%s\n",
+	  (commands->seen)? "" : "unseen ", s,
+	  commands->noerror? " (noerror)" : "");
+
+	/* Create the new address and add it to the chain, setting the
+	af_pfr and af_file flags, the af_ignore_error flag if necessary, and the
+	mode value. */
+
+	addr = deliver_make_addr(US s, TRUE);  /* TRUE => copy s, so deconst ok */
+	setflag(addr, af_pfr);
+	setflag(addr, af_file);
+	if (commands->noerror) addr->prop.ignore_error = TRUE;
+	addr->mode = mode;
+	addr->next = *generated;
+	*generated = addr;
+	}
+      break;
+
+    case pipe_command:
+      s = string_copy(commands->args[0].u);
+      if (filter_test != FTEST_NONE)
+	{
+	indent();
+	printf("%sipe message to: %s%s\n", (commands->seen)?
+	  "P" : "Unseen p", s, commands->noerror? " (noerror)" : "");
+	}
+      else /* Ensure pipe command starts with | */
+	{
+	DEBUG(D_filter) debug_printf_indent("Filter: %spipe message to: %s%s\n",
+	  commands->seen ? "" : "unseen ", s,
+	  commands->noerror ? " (noerror)" : "");
+	if (s[0] != '|') s = string_sprintf("|%s", s);
+
+	/* Create the new address and add it to the chain, setting the
+	af_ignore_error flag if necessary. Set the af_expand_pipe flag so that
+	each command argument is expanded in the transport after the command
+	has been split up into separate arguments. */
+
+	addr = deliver_make_addr(US s, TRUE);  /* TRUE => copy s, so deconst ok */
+	setflag(addr, af_pfr);
+	setflag(addr, af_expand_pipe);
+	if (commands->noerror) addr->prop.ignore_error = TRUE;
+	addr->next = *generated;
+	*generated = addr;
+
+	/* If there are any numeric variables in existence (e.g. after a regex
+	condition), or if $thisaddress is set, take a copy for use in the
+	expansion. Note that we can't pass NULL for filter_thisaddress, because
+	NULL terminates the list. */
+
+	if (expand_nmax >= 0 || filter_thisaddress != NULL)
+	  {
+	  int ecount = expand_nmax >= 0 ? expand_nmax : -1;
+	  uschar ** ss = store_get(sizeof(uschar *) * (ecount + 3), GET_UNTAINTED);
+
+	  addr->pipe_expandn = ss;
+	  if (!filter_thisaddress) filter_thisaddress = US"";
+	  *ss++ = string_copy(filter_thisaddress);
+	  for (int i = 0; i <= expand_nmax; i++)
+	    *ss++ = string_copyn(expand_nstring[i], expand_nlength[i]);
+	  *ss = NULL;
+	  }
+	}
+      break;
+
+      /* Set up the file name and mode, and close any previously open
+      file. */
+
+    case logfile_command:
+      log_mode = commands->args[1].i;
+      if (log_mode == -1) log_mode = 0600;
+      if (log_fd >= 0)
+	{
+	(void)close(log_fd);
+	log_fd = -1;
+	}
+      log_filename = expargs[0];
+      if (filter_test != FTEST_NONE)
+	{
+	indent();
+	printf("%sogfile %s\n", (commands->seen)? "Seen l" : "L", log_filename);
+	}
+      break;
+
+    case logwrite_command:
+      s = expargs[0];
+
+      if (filter_test != FTEST_NONE)
+	{
+	indent();
+	printf("%sogwrite \"%s\"\n", (commands->seen)? "Seen l" : "L",
+	  string_printing(s));
+	}
+
+      /* Attempt to write to a log file only if configured as permissible.
+      Logging may be forcibly skipped for verifying or testing. */
+
+      else if ((filter_options & RDO_LOG) != 0)   /* Locked out */
+	{
+	DEBUG(D_filter)
+	  debug_printf_indent("filter log command aborted: euid=%ld\n",
+	  (long int)geteuid());
+	*error_pointer = US"logwrite command forbidden";
+	return FF_ERROR;
+	}
+      else if ((filter_options & RDO_REALLOG) != 0)
+	{
+	int len;
+	DEBUG(D_filter) debug_printf_indent("writing filter log as euid %ld\n",
+	  (long int)geteuid());
+	if (log_fd < 0)
+	  {
+	  if (!log_filename)
+	    {
+	    *error_pointer = US"attempt to obey \"logwrite\" command "
+	      "without a previous \"logfile\"";
+	    return FF_ERROR;
+	    }
+	  log_fd = Uopen(log_filename, O_CREAT|O_APPEND|O_WRONLY, log_mode);
+	  if (log_fd < 0)
+	    {
+	    *error_pointer = string_open_failed("filter log file \"%s\"",
+	      log_filename);
+	    return FF_ERROR;
+	    }
+	  }
+	len = Ustrlen(s);
+	if (write(log_fd, s, len) != len)
+	  {
+	  *error_pointer = string_sprintf("write error on file \"%s\": %s",
+	    log_filename, strerror(errno));
+	  return FF_ERROR;
+	  }
+	}
+      else
+	DEBUG(D_filter)
+	  debug_printf_indent("skipping logwrite (verifying or testing)\n");
+      break;
+
+      /* Header addition and removal is available only in the system filter. The
+      command is rejected at parse time otherwise. However "headers charset" is
+      always permitted. */
+
+    case headers_command:
+	{
+	int subtype = commands->args[1].i;
+	s = expargs[0];
+
+	if (filter_test != FTEST_NONE)
+	  printf("Headers %s \"%s\"\n",
+	    subtype == TRUE ? "add"
+	    : subtype == FALSE ? "remove"
+	    : "charset",
+	    string_printing(s));
+
+	if (subtype == TRUE)
+	  {
+	  while (isspace(*s)) s++;
+	  if (*s)
+	    {
+	    header_add(htype_other, "%s%s", s,
+	      s[Ustrlen(s)-1] == '\n' ? "" : "\n");
+	    header_last->type = header_checkname(header_last, FALSE);
+	    if (header_last->type >= 'a') header_last->type = htype_other;
+	    }
+	  }
+
+	else if (subtype == FALSE)
+	  {
+	  int sep = 0;
+	  const uschar * list = s;
+
+	  for (uschar * ss; ss = string_nextinlist(&list, &sep, NULL, 0); )
+	    header_remove(0, ss);
+	  }
+
+	/* This setting lasts only while the filter is running; on exit, the
+	variable is reset to the previous value. */
+
+	else headers_charset = s;
+	}
+      break;
+
+      /* Defer, freeze, and fail are available only when explicitly permitted.
+      These commands are rejected at parse time otherwise. The message can get
+      very long by the inclusion of message headers; truncate if it is, and also
+      ensure printing characters so as not to mess up log files. */
+
+    case defer_command:
+      ff_name = US"defer";
+      ff_ret = FF_DEFER;
+      goto DEFERFREEZEFAIL;
+
+    case fail_command:
+      ff_name = US"fail";
+      ff_ret = FF_FAIL;
+      goto DEFERFREEZEFAIL;
+
+    case freeze_command:
+      ff_name = US"freeze";
+      ff_ret = FF_FREEZE;
+
+    DEFERFREEZEFAIL:
+      *error_pointer = fmsg = US string_printing(Ustrlen(expargs[0]) > 1024
+	? string_sprintf("%.1000s ... (truncated)", expargs[0])
+	: string_copy(expargs[0]));
+      for(uschar * s = fmsg; *s; s++)
+	if (!s[1] && *s == '\n') { *s = '\0'; break; }	/* drop trailing newline */
+
+      if (filter_test != FTEST_NONE)
+	{
+	indent();
+	printf("%c%s text \"%s\"\n", toupper(ff_name[0]), ff_name+1, fmsg);
+	}
+      else
+        DEBUG(D_filter) debug_printf_indent("Filter: %s \"%s\"\n", ff_name, fmsg);
+      return ff_ret;
+
+    case finish_command:
+      if (filter_test != FTEST_NONE)
+	{
+	indent();
+	printf("%sinish\n", (commands->seen)? "Seen f" : "F");
+	}
+      else
+	DEBUG(D_filter) debug_printf_indent("Filter: %sfinish\n",
+	  commands->seen ? " Seen " : "");
+      finish_obeyed = TRUE;
+      return filter_delivered ? FF_DELIVERED : FF_NOTDELIVERED;
+
+    case if_command:
+	{
+	uschar *save_address = filter_thisaddress;
+	int ok = FF_DELIVERED;
+	condition_value = test_condition(commands->args[0].c, TRUE);
+	if (*error_pointer)
+	  ok = FF_ERROR;
+	else
+	  {
+	  output_indent += 2;
+	  ok = interpret_commands(commands->args[condition_value? 1:2].f,
+	    generated);
+	  output_indent -= 2;
+	  }
+	filter_thisaddress = save_address;
+	if (finish_obeyed  ||  ok != FF_DELIVERED && ok != FF_NOTDELIVERED)
+	  return ok;
+	}
+      break;
+
+
+      /* To try to catch runaway loops, do not generate mail if the
+      return path is unset or if a non-trusted user supplied -f <>
+      as the return path. */
+
+    case mail_command:
+    case vacation_command:
+	if (!return_path || !*return_path)
+	  {
+	  if (filter_test != FTEST_NONE)
+	    printf("%s command ignored because return_path is empty\n",
+	      command_list[commands->command]);
+	  else DEBUG(D_filter) debug_printf_indent("%s command ignored because return_path "
+	    "is empty\n", command_list[commands->command]);
+	  break;
+	  }
+
+	/* Check the contents of the strings. The type of string can be deduced
+	from the value of i.
+
+	. If i is equal to mailarg_index_text it's a text string for the body,
+	  where anything goes.
+
+	. If i is > mailarg_index_text, we are dealing with a file name, which
+	  cannot contain non-printing characters.
+
+	. If i is less than mailarg_index_headers we are dealing with something
+	  that will go in a single message header line, where newlines must be
+	  followed by white space.
+
+	. If i is equal to mailarg_index_headers, we have a string that contains
+	  one or more headers. Newlines that are not followed by white space must
+	  be followed by a header name.
+	*/
+
+	for (i = 0; i < MAILARGS_STRING_COUNT; i++)
+	  {
+	  const uschar *s = expargs[i];
+
+	  if (!s) continue;
+
+	  if (i != mailarg_index_text) for (const uschar * p = s; *p; p++)
+	    {
+	    int c = *p;
+	    if (i > mailarg_index_text)
+	      {
+	      if (!mac_isprint(c))
+		{
+		*error_pointer = string_sprintf("non-printing character in \"%s\" "
+		  "in %s command", string_printing(s),
+		  command_list[commands->command]);
+		return FF_ERROR;
+		}
+	      }
+
+	    /* i < mailarg_index_text */
+
+	    else if (c == '\n' && !isspace(p[1]))
+	      {
+	      if (i < mailarg_index_headers)
+		{
+		*error_pointer = string_sprintf("\\n not followed by space in "
+		  "\"%.1024s\" in %s command", string_printing(s),
+		  command_list[commands->command]);
+		return FF_ERROR;
+		}
+
+	      /* Check for the start of a new header line within the string */
+
+	      else
+		{
+		const uschar *pp;
+		for (pp = p + 1;; pp++)
+		  {
+		  c = *pp;
+		  if (c == ':' && pp != p + 1) break;
+		  if (!c || c == ':' || isspace(c))
+		    {
+		    *error_pointer = string_sprintf("\\n not followed by space or "
+		      "valid header name in \"%.1024s\" in %s command",
+		      string_printing(s), command_list[commands->command]);
+		    return FF_ERROR;
+		    }
+		  }
+		p = pp;
+		}
+	      }
+	    }       /* Loop to scan the string */
+
+	  /* The string is OK */
+
+	  commands->args[i].u = s;
+	  }
+
+	/* Proceed with mail or vacation command */
+
+	if (filter_test != FTEST_NONE)
+	  {
+	  const uschar *to = commands->args[mailarg_index_to].u;
+	  indent();
+	  printf("%sail to: %s%s%s\n", (commands->seen)? "Seen m" : "M",
+	    to ? to : US"<default>",
+	    commands->command == vacation_command ? " (vacation)" : "",
+	    commands->noerror ? " (noerror)" : "");
+	  for (i = 1; i < MAILARGS_STRING_COUNT; i++)
+	    {
+	    const uschar *arg = commands->args[i].u;
+	    if (arg)
+	      {
+	      int len = Ustrlen(mailargs[i]);
+	      int indent = (debug_selector != 0)? output_indent : 0;
+	      while (len++ < 7 + indent) printf(" ");
+	      printf("%s: %s%s\n", mailargs[i], string_printing(arg),
+		(commands->args[mailarg_index_expand].u != NULL &&
+		  Ustrcmp(mailargs[i], "file") == 0)? " (expanded)" : "");
+	      }
+	    }
+	  if (commands->args[mailarg_index_return].u)
+	    printf("Return original message\n");
+	  }
+	else
+	  {
+	  const uschar *tt;
+	  const uschar *to = commands->args[mailarg_index_to].u;
+	  gstring * log_addr = NULL;
+
+	  if (!to) to = expand_string(US"$reply_address");
+	  while (isspace(*to)) to++;
+
+	  for (tt = to; *tt; tt++)     /* Get rid of newlines */
+	    if (*tt == '\n')
+	      {
+	      uschar * s = string_copy(to);
+	      for (uschar * ss = s; *ss; ss++)
+		if (*ss == '\n') *ss = ' ';
+	      to = s;
+	      break;
+	      }
+
+	  DEBUG(D_filter)
+	    {
+	    debug_printf_indent("Filter: %smail to: %s%s%s\n",
+	      commands->seen ? "seen " : "",
+	      to,
+	      commands->command == vacation_command ? " (vacation)" : "",
+	      commands->noerror ? " (noerror)" : "");
+	    for (i = 1; i < MAILARGS_STRING_COUNT; i++)
+	      {
+	      const uschar *arg = commands->args[i].u;
+	      if (arg)
+		{
+		int len = Ustrlen(mailargs[i]);
+		while (len++ < 15) debug_printf_indent(" ");
+		debug_printf_indent("%s: %s%s\n", mailargs[i], string_printing(arg),
+		  (commands->args[mailarg_index_expand].u != NULL &&
+		    Ustrcmp(mailargs[i], "file") == 0)? " (expanded)" : "");
+		}
+	      }
+	    }
+
+	  /* Create the "address" for the autoreply. This is used only for logging,
+	  as the actual recipients are extracted from the To: line by -t. We use the
+	  same logic here to extract the working addresses (there may be more than
+	  one). Just in case there are a vast number of addresses, stop when the
+	  string gets too long. */
+
+	  tt = to;
+	  while (*tt)
+	    {
+	    uschar *ss = parse_find_address_end(tt, FALSE);
+	    uschar *recipient, *errmess;
+	    int start, end, domain;
+	    int temp = *ss;
+
+	    *ss = 0;
+	    recipient = parse_extract_address(tt, &errmess, &start, &end, &domain,
+	      FALSE);
+	    *ss = temp;
+
+	    /* Ignore empty addresses and errors; an error will occur later if
+	    there's something really bad. */
+
+	    if (recipient)
+	      {
+	      log_addr = string_catn(log_addr, log_addr ? US"," : US">", 1);
+	      log_addr = string_cat (log_addr, recipient);
+	      }
+
+	    /* Check size */
+
+	    if (log_addr && log_addr->ptr > 256)
+	      {
+	      log_addr = string_catn(log_addr, US", ...", 5);
+	      break;
+	      }
+
+	    /* Move on past this address */
+
+	    tt = ss + (*ss ? 1 : 0);
+	    while (isspace(*tt)) tt++;
+	    }
+
+	  if (log_addr)
+	    addr = deliver_make_addr(string_from_gstring(log_addr), FALSE);
+	  else
+	    {
+	    addr = deliver_make_addr(US ">**bad-reply**", FALSE);
+	    setflag(addr, af_bad_reply);
+	    }
+
+	  setflag(addr, af_pfr);
+	  if (commands->noerror) addr->prop.ignore_error = TRUE;
+	  addr->next = *generated;
+	  *generated = addr;
+
+	  addr->reply = store_get(sizeof(reply_item), GET_UNTAINTED);
+	  addr->reply->from = NULL;
+	  addr->reply->to = string_copy(to);
+	  addr->reply->file_expand =
+	    commands->args[mailarg_index_expand].u != NULL;
+	  addr->reply->expand_forbid = expand_forbid;
+	  addr->reply->return_message =
+	    commands->args[mailarg_index_return].u != NULL;
+	  addr->reply->once_repeat = 0;
+
+	  if (commands->args[mailarg_index_once_repeat].u != NULL)
+	    {
+	    addr->reply->once_repeat =
+	      readconf_readtime(commands->args[mailarg_index_once_repeat].u, 0,
+		FALSE);
+	    if (addr->reply->once_repeat < 0)
+	      {
+	      *error_pointer = string_sprintf("Bad time value for \"once_repeat\" "
+		"in mail or vacation command: %s",
+		commands->args[mailarg_index_once_repeat].u);
+	      return FF_ERROR;
+	      }
+	    }
+
+	  /* Set up all the remaining string arguments (those other than "to") */
+
+	  for (i = 1; i < mailargs_string_passed; i++)
+	    {
+	    const uschar *ss = commands->args[i].u;
+	    *(USS((US addr->reply) + reply_offsets[i])) =
+	      ss ? string_copy(ss) : NULL;
+	    }
+	  }
+	break;
+
+    case testprint_command:
+	if (filter_test != FTEST_NONE || (debug_selector & D_filter) != 0)
+	  {
+	  const uschar *s = string_printing(expargs[0]);
+	  if (filter_test == FTEST_NONE)
+	    debug_printf_indent("Filter: testprint: %s\n", s);
+	  else
+	    printf("Testprint: %s\n", s);
+	  }
+    }
+
+  commands = commands->next;
+  }
+
+return filter_delivered? FF_DELIVERED : FF_NOTDELIVERED;
+}
+
+
+
+/*************************************************
+*        Test for a personal message             *
+*************************************************/
+
+/* This function is global so that it can also be called from the code that
+implements Sieve filters.
+
+Arguments:
+  aliases    a chain of aliases
+  scan_cc    TRUE if Cc: and Bcc: are to be scanned (Exim filters do not)
+
+Returns:     TRUE if the message is deemed to be personal
+*/
+
+BOOL
+filter_personal(string_item *aliases, BOOL scan_cc)
+{
+const uschar *self, *self_from, *self_to;
+uschar *psself = NULL;
+const uschar *psself_from = NULL, *psself_to = NULL;
+rmark reset_point = store_mark();
+BOOL yield;
+header_line *h;
+int to_count = 2;
+int from_count = 9;
+
+/* If any header line in the message is a defined "List-" header field, it is
+not a personal message. We used to check for any header line that started with
+"List-", but this was tightened up for release 4.54. The check is now for
+"List-Id", defined in RFC 2929, or "List-Help", "List-Subscribe", "List-
+Unsubscribe", "List-Post", "List-Owner" or "List-Archive", all of which are
+defined in RFC 2369. We also scan for "Auto-Submitted"; if it is found to
+contain any value other than "no", the message is not personal (RFC 3834).
+Previously the test was for "auto-". */
+
+for (h = header_list; h; h = h->next)
+  {
+  if (h->type == htype_old) continue;
+
+  if (strncmpic(h->text, US"List-", 5) == 0)
+    {
+    uschar * s = h->text + 5;
+    if (strncmpic(s, US"Id:", 3) == 0 ||
+        strncmpic(s, US"Help:", 5) == 0 ||
+        strncmpic(s, US"Subscribe:", 10) == 0 ||
+        strncmpic(s, US"Unsubscribe:", 12) == 0 ||
+        strncmpic(s, US"Post:", 5) == 0 ||
+        strncmpic(s, US"Owner:", 6) == 0 ||
+        strncmpic(s, US"Archive:", 8) == 0)
+      return FALSE;
+    }
+
+  else if (strncmpic(h->text, US"Auto-submitted:", 15) == 0)
+    {
+    uschar * s = h->text + 15;
+    Uskip_whitespace(&s);
+    if (strncmpic(s, US"no", 2) != 0) return FALSE;
+    s += 2;
+    Uskip_whitespace(&s);
+    if (*s) return FALSE;
+    }
+  }
+
+/* Set up "my" address */
+
+self = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
+self_from = rewrite_one(self, rewrite_from, NULL, FALSE, US"",
+  global_rewrite_rules);
+self_to   = rewrite_one(self, rewrite_to, NULL, FALSE, US"",
+  global_rewrite_rules);
+
+
+if (!self_from) self_from = self;
+if (self_to) self_to = self;
+
+/* If there's a prefix or suffix set, we must include the prefixed/
+suffixed version of the local part in the tests. */
+
+if (deliver_localpart_prefix || deliver_localpart_suffix)
+  {
+  psself = string_sprintf("%s%s%s@%s",
+    deliver_localpart_prefix ? deliver_localpart_prefix : US"",
+    deliver_localpart,
+    deliver_localpart_suffix ? deliver_localpart_suffix : US"",
+    deliver_domain);
+  psself_from = rewrite_one(psself, rewrite_from, NULL, FALSE, US"",
+    global_rewrite_rules);
+  psself_to   = rewrite_one(psself, rewrite_to, NULL, FALSE, US"",
+    global_rewrite_rules);
+  if (psself_from == NULL) psself_from = psself;
+  if (psself_to == NULL) psself_to = psself;
+  to_count += 2;
+  from_count += 2;
+  }
+
+/* Do all the necessary tests; the counts are adjusted for {pre,suf}fix */
+
+yield =
+  (
+  header_match(US"to:", TRUE, TRUE, aliases, to_count, self, self_to, psself,
+               psself_to) ||
+    (scan_cc &&
+       (
+       header_match(US"cc:", TRUE, TRUE, aliases, to_count, self, self_to,
+                             psself, psself_to)
+       ||
+       header_match(US"bcc:", TRUE, TRUE, aliases, to_count, self, self_to,
+                              psself, psself_to)
+       )
+    )
+  ) &&
+
+  header_match(US"from:", TRUE, FALSE, aliases, from_count, "^server@",
+    "^daemon@", "^root@", "^listserv@", "^majordomo@", "^.*?-request@",
+    "^owner-[^@]+@", self, self_from, psself, psself_from) &&
+
+  header_match(US"precedence:", FALSE, FALSE, NULL, 3, "bulk","list","junk") &&
+
+  (sender_address == NULL || sender_address[0] != 0);
+
+store_reset(reset_point);
+return yield;
+}
+
+
+
+/*************************************************
+*            Interpret a mail filter file        *
+*************************************************/
+
+/*
+Arguments:
+  filter      points to the entire file, read into store as a single string
+  options     controls whether various special things are allowed, and requests
+              special actions
+  generated   where to hang newly-generated addresses
+  error       where to pass back an error text
+
+Returns:      FF_DELIVERED     success, a significant action was taken
+              FF_NOTDELIVERED  success, no significant action
+              FF_DEFER         defer requested
+              FF_FAIL          fail requested
+              FF_FREEZE        freeze requested
+              FF_ERROR         there was a problem
+*/
+
+int
+filter_interpret(const uschar *filter, int options, address_item **generated,
+  uschar **error)
+{
+int i;
+int yield = FF_ERROR;
+const uschar *ptr = filter;
+const uschar *save_headers_charset = headers_charset;
+filter_cmd *commands = NULL;
+filter_cmd **lastcmdptr = &commands;
+
+DEBUG(D_route) debug_printf("Filter: start of processing\n");
+acl_level++;
+
+/* Initialize "not in an if command", set the global flag that is always TRUE
+while filtering, and zero the variables. */
+
+expect_endif = 0;
+output_indent = 0;
+f.filter_running = TRUE;
+for (i = 0; i < FILTER_VARIABLE_COUNT; i++) filter_n[i] = 0;
+
+/* To save having to pass certain values about all the time, make them static.
+Also initialize the line number, for error messages, and the log file
+variables. */
+
+filter_options = options;
+filter_delivered = FALSE;
+finish_obeyed = FALSE;
+error_pointer = error;
+*error_pointer = NULL;
+line_number = 1;
+log_fd = -1;
+log_mode = 0600;
+log_filename = NULL;
+
+/* Scan filter file for syntax and build up an interpretation thereof, and
+interpret the compiled commands, and if testing, say whether we ended up
+delivered or not, unless something went wrong. */
+
+seen_force = FALSE;
+ptr = nextsigchar(ptr, TRUE);
+
+if (read_command_list(&ptr, &lastcmdptr, FALSE))
+  yield = interpret_commands(commands, generated);
+
+if (filter_test != FTEST_NONE || (debug_selector & D_filter) != 0)
+  {
+  uschar *s = US"";
+  switch(yield)
+    {
+    case FF_DEFER:
+      s = US"Filtering ended by \"defer\".";
+      break;
+
+    case FF_FREEZE:
+      s = US"Filtering ended by \"freeze\".";
+      break;
+
+    case FF_FAIL:
+      s = US"Filtering ended by \"fail\".";
+      break;
+
+    case FF_DELIVERED:
+      s = US"Filtering set up at least one significant delivery "
+	     "or other action.\n"
+	     "No other deliveries will occur.";
+      break;
+
+    case FF_NOTDELIVERED:
+      s = US"Filtering did not set up a significant delivery.\n"
+	     "Normal delivery will occur.";
+      break;
+
+    case FF_ERROR:
+      s = string_sprintf("Filter error: %s", *error);
+      break;
+    }
+
+  if (filter_test != FTEST_NONE) printf("%s\n", CS s);
+    else debug_printf_indent("%s\n", s);
+  }
+
+/* Close the log file if it was opened, and kill off any numerical variables
+before returning. Reset the header decoding charset. */
+
+if (log_fd >= 0) (void)close(log_fd);
+expand_nmax = -1;
+f.filter_running = FALSE;
+headers_charset = save_headers_charset;
+
+acl_level--;
+DEBUG(D_route) debug_printf("Filter: end of processing\n");
+return yield;
+}
+
+
+/* End of filter.c */
diff --git a/src/filtertest.c b/src/filtertest.c
new file mode 100644
index 0000000..87ebfb1
--- /dev/null
+++ b/src/filtertest.c
@@ -0,0 +1,282 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* Code for the filter test function. */
+
+#include "exim.h"
+
+
+
+/*************************************************
+*    Read message and set body/size variables    *
+*************************************************/
+
+/* We have to read the remainder of the message in order to find its size, so
+we can set up the message_body variables at the same time (in normal use, the
+message_body variables are not set up unless needed). The reading code is
+written out here rather than having options in read_message_data, in order to
+keep that function as efficient as possible. (Later: this function is now
+global because it is also used by the -bem testing option.) Handling
+message_body_end is somewhat more tedious. Pile it all into a circular buffer
+and sort out at the end.
+
+Arguments:
+  dot_ended   TRUE if message already terminated by '.'
+
+Returns:      nothing
+*/
+
+void
+read_message_body(BOOL dot_ended)
+{
+register int ch;
+int body_len, body_end_len, header_size;
+uschar *s;
+
+message_body = store_malloc(message_body_visible + 1);
+message_body_end = store_malloc(message_body_visible + 1);
+s = message_body_end;
+body_len = 0;
+body_linecount = 0;
+header_size = message_size;
+
+if (!dot_ended && !stdin_feof())
+  {
+  if (!f.dot_ends)
+    {
+    while ((ch = stdin_getc(GETC_BUFFER_UNLIMITED)) != EOF)
+      {
+      if (ch == 0) body_zerocount++;
+      if (ch == '\n') body_linecount++;
+      if (body_len < message_body_visible) message_body[body_len++] = ch;
+      *s++ = ch;
+      if (s > message_body_end + message_body_visible) s = message_body_end;
+      message_size++;
+      }
+    }
+  else
+    {
+    int ch_state = 1;
+    while ((ch = stdin_getc(GETC_BUFFER_UNLIMITED)) != EOF)
+      {
+      if (ch == 0) body_zerocount++;
+      switch (ch_state)
+        {
+        case 0:                         /* Normal state */
+        if (ch == '\n') { body_linecount++; ch_state = 1; }
+        break;
+
+        case 1:                         /* After "\n" */
+        if (ch == '.')
+          {
+          ch_state = 2;
+          continue;
+          }
+        if (ch != '\n') ch_state = 0;
+        break;
+
+        case 2:                         /* After "\n." */
+        if (ch == '\n') goto READ_END;
+        if (body_len < message_body_visible) message_body[body_len++] = '.';
+        *s++ = '.';
+        if (s > message_body_end + message_body_visible)
+          s = message_body_end;
+        message_size++;
+        ch_state = 0;
+        break;
+        }
+      if (body_len < message_body_visible) message_body[body_len++] = ch;
+      *s++ = ch;
+      if (s > message_body_end + message_body_visible) s = message_body_end;
+      message_size++;
+      }
+    READ_END: ;
+    }
+  if (s == message_body_end || s[-1] != '\n') body_linecount++;
+  }
+debug_printf("%s %d\n", __FUNCTION__, __LINE__);
+
+message_body[body_len] = 0;
+message_body_size = message_size - header_size;
+
+/* body_len stops at message_body_visible; it if got there, we may have
+wrapped round in message_body_end. */
+
+if (body_len >= message_body_visible)
+  {
+  int below = s - message_body_end;
+  int above = message_body_visible - below;
+  if (above > 0)
+    {
+    uschar * temp = store_get(below, GET_UNTAINTED);
+    memcpy(temp, message_body_end, below);
+    memmove(message_body_end, s+1, above);
+    memcpy(message_body_end + above, temp, below);
+    s = message_body_end + message_body_visible;
+    }
+  }
+
+*s = 0;
+body_end_len = s - message_body_end;
+
+/* Convert newlines and nulls in the body variables to spaces */
+
+while (body_len > 0)
+  {
+  if (message_body[--body_len] == '\n' || message_body[body_len] == 0)
+    message_body[body_len] = ' ';
+  }
+
+while (body_end_len > 0)
+  {
+  if (message_body_end[--body_end_len] == '\n' ||
+      message_body_end[body_end_len] == 0)
+    message_body_end[body_end_len] = ' ';
+  }
+}
+
+
+
+/*************************************************
+*            Test a mail filter                  *
+*************************************************/
+
+/* This is called when exim is run with the -bf option. At this point it is
+running under an unprivileged uid/gid. A test message's headers have been read
+into store, and the body of the message is still accessible on the standard
+input if this is the first time this function has been called. It may be called
+twice if both system and user filters are being tested.
+
+Argument:
+  fd          an fd containing the filter file
+  filename    the name of the filter file
+  is_system   TRUE if testing is to be as a system filter
+  dot_ended   TRUE if message already terminated by '.'
+
+Returns:      TRUE if no errors
+*/
+
+BOOL
+filter_runtest(int fd, uschar *filename, BOOL is_system, BOOL dot_ended)
+{
+int rc, filter_type;
+BOOL yield;
+struct stat statbuf;
+address_item *generated = NULL;
+uschar *error, *filebuf;
+
+/* Read the filter file into store as will be done by the router in a real
+case. */
+
+if (fstat(fd, &statbuf) != 0)
+  {
+  printf("exim: failed to get size of %s: %s\n", filename, strerror(errno));
+  return FALSE;
+  }
+
+filebuf = store_get(statbuf.st_size + 1, filename);
+rc = read(fd, filebuf, statbuf.st_size);
+(void)close(fd);
+
+if (rc != statbuf.st_size)
+  {
+  printf("exim: error while reading %s: %s\n", filename, strerror(errno));
+  return FALSE;
+  }
+
+filebuf[statbuf.st_size] = 0;
+
+/* Check the filter type. User filters start with "# Exim filter" or "# Sieve
+filter". If the filter type is not recognized, the file is treated as an
+ordinary .forward file. System filters do not need the "# Exim filter" in order
+to be recognized as Exim filters. */
+
+filter_type = rda_is_filter(filebuf);
+if (is_system && filter_type == FILTER_FORWARD) filter_type = FILTER_EXIM;
+
+printf("Testing %s file \"%s\"\n\n",
+  (filter_type == FILTER_EXIM)? "Exim filter" :
+  (filter_type == FILTER_SIEVE)? "Sieve filter" :
+  "forward file",
+  filename);
+
+/* Handle a plain .forward file */
+
+if (filter_type == FILTER_FORWARD)
+  {
+  yield = parse_forward_list(filebuf,
+    RDO_REWRITE,
+    &generated,                     /* for generated addresses */
+    &error,                         /* for errors */
+    deliver_domain,                 /* incoming domain for \name */
+    NULL,                           /* no check on includes */
+    NULL);                          /* fail on syntax errors */
+
+  switch(yield)
+    {
+    case FF_FAIL:
+    printf("exim: forward file contains \":fail:\"\n");
+    break;
+
+    case FF_BLACKHOLE:
+    printf("exim: forwardfile contains \":blackhole:\"\n");
+    break;
+
+    case FF_ERROR:
+    printf("exim: error in forward file: %s\n", error);
+    return FALSE;
+    }
+
+  if (generated == NULL)
+    printf("exim: no addresses generated from forward file\n");
+
+  else
+    {
+    printf("exim: forward file generated:\n");
+    while (generated != NULL)
+      {
+      printf("  %s\n", generated->address);
+      generated = generated->next;
+      }
+    }
+
+  return TRUE;
+  }
+
+/* For a filter, set up the message_body variables and the message size if this
+is the first time this function has been called. */
+
+if (!message_body) read_message_body(dot_ended);
+
+/* Now pass the filter file to the function that interprets it. Because
+filter_test is not FILTER_NONE, the interpreter will output comments about what
+it is doing. No need to clean up store. Indeed, we must not, because we may be
+testing a system filter that is going to be followed by a user filter test. */
+
+if (is_system)
+  {
+  f.system_filtering = TRUE;
+  f.enable_dollar_recipients = TRUE; /* Permit $recipients in system filter */
+  yield = filter_interpret
+    (filebuf,
+    RDO_DEFER|RDO_FAIL|RDO_FILTER|RDO_FREEZE|RDO_REWRITE, &generated, &error);
+  f.enable_dollar_recipients = FALSE;
+  f.system_filtering = FALSE;
+  }
+else
+  {
+  yield = filter_type == FILTER_SIEVE
+    ? sieve_interpret(filebuf, RDO_REWRITE, NULL, NULL, NULL, NULL, &generated, &error)
+    : filter_interpret(filebuf, RDO_REWRITE, &generated, &error);
+  }
+
+return yield != FF_ERROR;
+}
+
+/* End of filtertest.c */
diff --git a/src/functions.h b/src/functions.h
new file mode 100644
index 0000000..224666c
--- /dev/null
+++ b/src/functions.h
@@ -0,0 +1,1305 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* Prototypes for functions that appear in various modules. Gathered together
+to avoid having a lot of tiddly little headers with only a couple of lines in
+them. However, some functions that are used (or not used) by utility programs
+are in in fact in separate headers. */
+#ifndef _FUNCTIONS_H_
+#define _FUNCTIONS_H_
+
+#include <ctype.h>
+#include <sys/time.h>
+
+
+#ifdef EXIM_PERL
+extern gstring *call_perl_cat(gstring *, uschar **, uschar *,
+                 uschar **) WARN_UNUSED_RESULT;
+extern void    cleanup_perl(void);
+extern uschar *init_perl(uschar *);
+#endif
+
+
+#ifndef DISABLE_TLS
+extern const char *
+               std_dh_prime_default(void);
+extern const char *
+               std_dh_prime_named(const uschar *);
+
+extern uschar * tls_cert_crl_uri(void *, uschar * mod);
+extern uschar * tls_cert_ext_by_oid(void *, uschar *, int);
+extern uschar * tls_cert_issuer(void *, uschar * mod);
+extern uschar * tls_cert_not_before(void *, uschar * mod);
+extern uschar * tls_cert_not_after(void *, uschar * mod);
+extern uschar * tls_cert_ocsp_uri(void *, uschar * mod);
+extern uschar * tls_cert_serial_number(void *, uschar * mod);
+extern uschar * tls_cert_signature(void *, uschar * mod);
+extern uschar * tls_cert_signature_algorithm(void *, uschar * mod);
+extern uschar * tls_cert_subject(void *, uschar * mod);
+extern uschar * tls_cert_subject_altname(void *, uschar * mod);
+extern uschar * tls_cert_version(void *, uschar * mod);
+
+extern uschar * tls_cert_der_b64(void * cert);
+extern uschar * tls_cert_fprt_md5(void *);
+extern uschar * tls_cert_fprt_sha1(void *);
+extern uschar * tls_cert_fprt_sha256(void *);
+
+extern void    tls_clean_env(void);
+extern BOOL    tls_client_start(client_conn_ctx *, smtp_connect_args *,
+		  void *, tls_support *, uschar **);
+extern void    tls_client_creds_reload(BOOL);
+
+extern void    tls_close(void *, int);
+extern BOOL    tls_could_getc(void);
+extern void    tls_daemon_init(void);
+extern int     tls_daemon_tick(void);
+extern BOOL    tls_dropprivs_validate_require_cipher(BOOL);
+extern BOOL    tls_export_cert(uschar *, size_t, void *);
+extern int     tls_feof(void);
+extern int     tls_ferror(void);
+extern uschar *tls_field_from_dn(uschar *, const uschar *);
+extern void    tls_free_cert(void **);
+extern int     tls_getc(unsigned);
+extern uschar *tls_getbuf(unsigned *);
+extern void    tls_get_cache(unsigned);
+extern BOOL    tls_hasc(void);
+extern BOOL    tls_import_cert(const uschar *, void **);
+extern BOOL    tls_is_name_for_cert(const uschar *, void *);
+# ifdef USE_OPENSSL
+extern BOOL    tls_openssl_options_parse(uschar *, long *);
+# endif
+extern int     tls_read(void *, uschar *, size_t);
+extern int     tls_server_start(uschar **);
+extern void    tls_shutdown_wr(void *);
+extern BOOL    tls_smtp_buffered(void);
+extern int     tls_ungetc(int);
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+extern void    tls_watch_discard_event(int);
+extern void    tls_watch_invalidate(void);
+#endif
+extern int     tls_write(void *, const uschar *, size_t, BOOL);
+extern uschar *tls_validate_require_cipher(void);
+extern gstring *tls_version_report(gstring *);
+
+# ifdef SUPPORT_DANE
+extern int     tlsa_lookup(const host_item *, dns_answer *, BOOL);
+# endif
+
+#endif	/*DISABLE_TLS*/
+
+
+/* Everything else... */
+
+extern acl_block *acl_read(uschar *(*)(void), uschar **);
+extern int     acl_check(int, uschar *, uschar *, uschar **, uschar **);
+extern uschar *acl_current_verb(void);
+extern int     acl_eval(int, uschar *, uschar **, uschar **);
+
+extern tree_node *acl_var_create(uschar *);
+extern void    acl_var_write(uschar *, uschar *, void *);
+
+#ifdef EXPERIMENTAL_ARC
+extern void   *arc_ams_setup_sign_bodyhash(void);
+extern const uschar *arc_header_feed(gstring *, BOOL);
+extern gstring *arc_sign(const uschar *, gstring *, uschar **);
+extern void     arc_sign_init(void);
+extern const uschar *acl_verify_arc(void);
+extern uschar * fn_arc_domains(void);
+#endif
+
+extern void    assert_no_variables(void *, int, const char *, int);
+extern int     auth_call_pam(const uschar *, uschar **);
+extern int     auth_call_pwcheck(uschar *, uschar **);
+extern int     auth_call_radius(const uschar *, uschar **);
+extern int     auth_call_saslauthd(const uschar *, const uschar *,
+	         const uschar *, const uschar *, uschar **);
+extern int     auth_check_serv_cond(auth_instance *);
+extern int     auth_check_some_cond(auth_instance *, uschar *, uschar *, int);
+extern int     auth_client_item(void *, auth_instance *, const uschar **,
+		 unsigned, int, uschar *, int);
+
+
+extern int     auth_get_data(uschar **, const uschar *, int);
+extern int     auth_get_no64_data(uschar **, uschar *);
+extern int     auth_prompt(const uschar *);
+extern int     auth_read_input(const uschar *);
+extern gstring * auth_show_supported(gstring *);
+extern uschar *auth_xtextencode(uschar *, int);
+extern int     auth_xtextdecode(uschar *, uschar **);
+extern uschar *authenticator_current_name(void);
+
+#ifdef EXPERIMENTAL_ARC
+extern gstring *authres_arc(gstring *);
+#endif
+#ifndef DISABLE_DKIM
+extern gstring *authres_dkim(gstring *);
+#endif
+#ifdef SUPPORT_DMARC
+extern gstring *authres_dmarc(gstring *);
+#endif
+extern gstring *authres_smtpauth(gstring *);
+#ifdef SUPPORT_SPF
+extern gstring *authres_spf(gstring *);
+#endif
+
+extern uschar *b64encode(const uschar *, int);
+extern uschar *b64encode_taint(const uschar *, int, const void *);
+extern int     b64decode(const uschar *, uschar **);
+extern int     bdat_getc(unsigned);
+extern uschar *bdat_getbuf(unsigned *);
+extern BOOL    bdat_hasc(void);
+extern int     bdat_ungetc(int);
+extern void    bdat_flush_data(void);
+
+extern void    bits_clear(unsigned int *, size_t, int *);
+extern void    bits_set(unsigned int *, size_t, int *);
+
+extern void    cancel_cutthrough_connection(BOOL, const uschar *);
+extern gstring *cat_file(FILE *, gstring *, uschar *);
+extern gstring *cat_file_tls(void *, gstring *, uschar *);
+extern int     check_host(void *, const uschar *, const uschar **, uschar **);
+extern uschar **child_exec_exim(int, BOOL, int *, BOOL, int, ...);
+extern pid_t   child_open_exim_function(int *, const uschar *);
+extern pid_t   child_open_exim2_function(int *, uschar *, uschar *,
+		 const uschar *);
+extern pid_t   child_open_function(uschar **, uschar **, int,
+		 int *, int *, BOOL, const uschar *);
+extern pid_t   child_open_uid(const uschar **, const uschar **, int,
+		 uid_t *, gid_t *, int *, int *, uschar *, BOOL, const uschar *);
+extern BOOL    cleanup_environment(void);
+extern void    cutthrough_data_puts(uschar *, int);
+extern void    cutthrough_data_put_nl(void);
+extern uschar *cutthrough_finaldot(void);
+extern BOOL    cutthrough_flush_send(void);
+extern BOOL    cutthrough_headers_send(void);
+extern BOOL    cutthrough_predata(void);
+extern void    release_cutthrough_connection(const uschar *);
+
+extern void    daemon_go(void);
+
+#ifdef EXPERIMENTAL_DCC
+extern int     dcc_process(uschar **);
+#endif
+
+extern void    debug_logging_activate(const uschar *, const uschar *);
+extern void    debug_logging_from_spool(const uschar *);
+extern void    debug_logging_stop(BOOL);
+extern void    debug_print_argv(const uschar **);
+extern void    debug_print_ids(uschar *);
+extern void    debug_printf_indent(const char *, ...) PRINTF_FUNCTION(1,2);
+extern void    debug_print_string(uschar *);
+extern void    debug_print_tree(const char *, tree_node *);
+extern void    debug_vprintf(int, const char *, va_list);
+extern void    debug_pretrigger_setup(const uschar *);
+extern void    debug_pretrigger_discard(void);
+extern void    debug_print_socket(int);
+extern void    debug_trigger_fire(void);
+
+extern void    decode_bits(unsigned int *, size_t, int *,
+	           const uschar *, bit_table *, int, uschar *, int);
+extern void    delete_pid_file(void);
+extern void    deliver_local(address_item *, BOOL);
+extern address_item *deliver_make_addr(uschar *, BOOL);
+extern void    delivery_log(int, address_item *, int, uschar *);
+extern int     deliver_message(uschar *, BOOL, BOOL);
+extern void    deliver_msglog(const char *, ...) PRINTF_FUNCTION(1,2);
+extern void    deliver_set_expansions(address_item *);
+extern int     deliver_split_address(address_item *);
+extern void    deliver_succeeded(address_item *);
+
+extern void    delivery_re_exec(int);
+
+extern void    die_tainted(const uschar *, const uschar *, int);
+extern BOOL    directory_make(const uschar *, const uschar *, int, BOOL);
+#ifndef DISABLE_DKIM
+extern uschar *dkim_exim_query_dns_txt(const uschar *);
+extern void    dkim_exim_sign_init(void);
+
+extern BOOL    dkim_transport_write_message(transport_ctx *,
+		  struct ob_dkim *, const uschar ** errstr);
+#endif
+extern dns_address *dns_address_from_rr(dns_answer *, dns_record *);
+extern int     dns_basic_lookup(dns_answer *, const uschar *, int);
+extern uschar *dns_build_reverse(const uschar *);
+extern time_t  dns_expire_from_soa(dns_answer *, int);
+extern void    dns_init(BOOL, BOOL, BOOL);
+extern BOOL    dns_is_aa(const dns_answer *);
+extern BOOL    dns_is_secure(const dns_answer *);
+extern int     dns_lookup(dns_answer *, const uschar *, int, const uschar **);
+extern void    dns_pattern_init(void);
+extern int     dns_special_lookup(dns_answer *, const uschar *, int, const uschar **);
+extern dns_record *dns_next_rr(const dns_answer *, dns_scan *, int);
+extern uschar *dns_text_type(int);
+extern void    dscp_list_to_stream(FILE *);
+extern BOOL    dscp_lookup(const uschar *, int, int *, int *, int *);
+
+extern void    enq_end(uschar *);
+extern BOOL    enq_start(uschar *, unsigned);
+#ifndef DISABLE_EVENT
+extern uschar *event_raise(uschar *, const uschar *, uschar *, int *);
+extern void    msg_event_raise(const uschar *, const address_item *);
+#endif
+
+extern int     exim_chown_failure(int, const uschar*, uid_t, gid_t);
+extern const uschar * exim_errstr(int);
+extern void    exim_exit(int) NORETURN;
+extern void    exim_gettime(struct timeval *);
+extern void    exim_nullstd(void);
+extern void    exim_setugid(uid_t, gid_t, BOOL, const uschar *);
+extern void    exim_underbar_exit(int) NORETURN;
+extern void    exim_wait_tick(struct timeval *, int);
+extern int     exp_bool(address_item *addr,
+  uschar *mtype, uschar *mname, unsigned dgb_opt, uschar *oname, BOOL bvalue,
+  uschar *svalue, BOOL *rvalue);
+extern BOOL    expand_check_condition(uschar *, uschar *, uschar *);
+extern uschar *expand_file_big_buffer(const uschar *);
+extern uschar *expand_string(uschar *);	/* public, cannot make const */
+extern const uschar *expand_cstring(const uschar *); /* ... so use this one */
+extern uschar *expand_getkeyed(const uschar *, const uschar *);
+
+extern uschar *expand_hide_passwords(uschar * );
+extern uschar *expand_string_copy(const uschar *);
+extern int_eximarith_t expand_string_integer(uschar *, BOOL);
+extern void    modify_variable(uschar *, void *);
+
+extern BOOL    fd_ready(int, time_t);
+
+extern int     filter_interpret(const uschar *, int, address_item **, uschar **);
+extern BOOL    filter_personal(string_item *, BOOL);
+extern BOOL    filter_runtest(int, uschar *, BOOL, BOOL);
+extern BOOL    filter_system_interpret(address_item **, uschar **);
+
+extern uschar * fn_hdrs_added(void);
+extern void    force_fd(int, int);
+
+extern void    header_add(int, const char *, ...);
+extern header_line *header_add_at_position_internal(BOOL, uschar *, BOOL, int, const char *, ...);
+extern int     header_checkname(header_line *, BOOL);
+extern BOOL    header_match(uschar *, BOOL, BOOL, string_item *, int, ...);
+extern int     host_address_extract_port(uschar *);
+extern uschar *host_and_ident(BOOL);
+extern int     host_aton(const uschar *, int *);
+extern void    host_build_hostlist(host_item **, const uschar *, BOOL);
+extern ip_address_item *host_build_ifacelist(const uschar *, uschar *);
+extern void    host_build_log_info(void);
+extern void    host_build_sender_fullhost(void);
+extern int     host_find_byname(host_item *, const uschar *, int,
+				const uschar **, BOOL);
+extern int     host_find_bydns(host_item *, const uschar *, int, uschar *, uschar *,
+                 uschar *, const dnssec_domains *, const uschar **, BOOL *);
+extern ip_address_item *host_find_interfaces(void);
+extern BOOL    host_is_in_net(const uschar *, const uschar *, int);
+extern BOOL    host_is_tls_on_connect_port(int);
+extern int     host_item_get_port(host_item *);
+extern void    host_mask(int, int *, int);
+extern int     host_name_lookup(void);
+extern int     host_nmtoa(int, int *, int, uschar *, int);
+extern uschar *host_ntoa(int, const void *, uschar *, int *);
+extern int     host_scan_for_local_hosts(host_item *, host_item **, BOOL *);
+
+extern uschar *imap_utf7_encode(uschar *, const uschar *,
+				 uschar, uschar *, uschar **);
+
+extern void    invert_address(uschar *, uschar *);
+extern int     ip_addr(void *, int, const uschar *, int);
+extern int     ip_bind(int, int, uschar *, int);
+extern int     ip_connect(int, int, const uschar *, int, int, const blob *);
+extern int     ip_connectedsocket(int, const uschar *, int, int,
+                 int, host_item *, uschar **, const blob *);
+extern int     ip_get_address_family(int);
+extern void    ip_keepalive(int, const uschar *, BOOL);
+extern int     ip_recv(client_conn_ctx *, uschar *, int, time_t);
+extern int     ip_socket(int, int);
+
+extern int     ip_tcpsocket(const uschar *, uschar **, int, host_item *);
+extern int     ip_unixsocket(const uschar *, uschar **);
+extern int     ip_streamsocket(const uschar *, uschar **, int, host_item *);
+
+extern int     ipv6_nmtoa(int *, uschar *);
+
+extern uschar *local_part_quote(uschar *);
+extern int     log_open_as_exim(const uschar * const);
+extern void    log_close_all(void);
+
+extern macro_item * macro_create(const uschar *, const uschar *, BOOL);
+extern BOOL    macro_read_assignment(uschar *);
+extern uschar *macros_expand(int, int *, BOOL *);
+extern void    mainlog_close(void);
+#ifdef WITH_CONTENT_SCAN
+extern int     malware(const uschar *, int);
+extern int     malware_in_file(uschar *);
+extern void    malware_init(void);
+extern gstring * malware_show_supported(gstring *);
+#endif
+extern int     match_address_list(const uschar *, BOOL, BOOL, const uschar **,
+                 unsigned int *, int, int, const uschar **);
+extern int     match_address_list_basic(const uschar *, const uschar **, int);
+extern int     match_check_list(const uschar **, int, tree_node **, unsigned int **,
+                 int(*)(void *, const uschar *, const uschar **, uschar **), void *, int,
+                 const uschar *, const uschar **);
+extern int     match_isinlist(const uschar *, const uschar **, int, tree_node **,
+                 unsigned int *, int, BOOL, const uschar **);
+extern int     match_check_string(const uschar *, const uschar *, int, BOOL, BOOL, BOOL,
+                 const uschar **);
+
+extern void    message_start(void);
+extern void    message_tidyup(void);
+extern void    md5_end(md5 *, const uschar *, int, uschar *);
+extern void    md5_mid(md5 *, const uschar *);
+extern void    md5_start(md5 *);
+extern void    millisleep(int);
+#ifdef WITH_CONTENT_SCAN
+struct mime_boundary_context;
+extern int     mime_acl_check(uschar *acl, FILE *f,
+                 struct mime_boundary_context *, uschar **, uschar **);
+extern int     mime_decode(const uschar **);
+extern ssize_t mime_decode_base64(FILE *, FILE *, uschar *);
+extern int     mime_regex(const uschar **);
+extern void    mime_set_anomaly(int);
+#endif
+extern uschar *moan_check_errorcopy(uschar *);
+extern BOOL    moan_skipped_syntax_errors(uschar *, error_block *, uschar *,
+                 BOOL, uschar *);
+extern void    moan_smtp_batch(uschar *, const char *, ...) PRINTF_FUNCTION(2,3);
+extern BOOL    moan_send_message(uschar *, int, error_block *eblock,
+		 header_line *, FILE *, uschar *);
+extern void    moan_tell_someone(uschar *, address_item *,
+                 const uschar *, const char *, ...) PRINTF_FUNCTION(4,5);
+extern BOOL    moan_to_sender(int, error_block *, header_line *, FILE *, BOOL);
+extern void    moan_write_from(FILE *);
+extern void    moan_write_references(FILE *, uschar *);
+extern FILE   *modefopen(const uschar *, const char *, mode_t);
+
+extern int     open_cutthrough_connection( address_item * addr );
+
+extern uschar *parse_extract_address(const uschar *, uschar **, int *, int *, int *,
+                 BOOL);
+extern int     parse_forward_list(const uschar *, int, address_item **, uschar **,
+                 const uschar *, const uschar *, error_block **);
+extern uschar *parse_find_address_end(const uschar *, BOOL);
+extern const uschar *parse_find_at(const uschar *);
+extern const uschar *parse_fix_phrase(const uschar *, int);
+extern const uschar *parse_message_id(const uschar *, uschar **, uschar **);
+extern const uschar *parse_quote_2047(const uschar *, int, const uschar *,
+				      BOOL);
+extern const uschar *parse_date_time(const uschar *str, time_t *t);
+extern void priv_drop_temp(const uid_t, const gid_t);
+extern void priv_restore(void);
+extern int     vaguely_random_number(int);
+#ifndef DISABLE_TLS
+extern int     vaguely_random_number_fallback(int);
+#endif
+
+extern BOOL    queue_action(uschar *, int, uschar **, int, int);
+extern void    queue_check_only(void);
+extern unsigned queue_count(void);
+extern unsigned queue_count_cached(void);
+extern void    queue_list(int, uschar **, int);
+#ifndef DISABLE_QUEUE_RAMP
+extern void    queue_notify_daemon(const uschar * hostname);
+#endif
+extern void    queue_run(uschar *, uschar *, BOOL);
+
+extern int     random_number(int);
+extern const uschar *rc_to_string(int);
+extern int     rda_interpret(redirect_block *, int, const uschar *, const uschar *,
+                 const uschar *, const uschar *, const uschar *, const ugid_block *, address_item **,
+                 uschar **, error_block **, int *, const uschar *);
+extern int     rda_is_filter(const uschar *);
+extern BOOL    readconf_depends(driver_instance *, uschar *);
+extern void    readconf_driver_init(uschar *, driver_instance **,
+                 driver_info *, int, void *, int, optionlist *, int);
+extern uschar *readconf_find_option(void *);
+extern void    readconf_main(BOOL);
+extern void    readconf_options_from_list(optionlist *, unsigned, const uschar *, uschar *);
+extern BOOL    readconf_print(const uschar *, uschar *, BOOL);
+extern uschar *readconf_printtime(int);
+extern uschar *readconf_readname(uschar *, int, uschar *);
+extern int     readconf_readtime(const uschar *, int, BOOL);
+extern void    readconf_rest(void);
+extern uschar *readconf_retry_error(const uschar *, const uschar *, int *, int *);
+extern void    readconf_save_config(const uschar *);
+extern void    read_message_body(BOOL);
+extern void    receive_bomb_out(uschar *, uschar *) NORETURN;
+extern BOOL    receive_check_fs(int);
+extern BOOL    receive_check_set_sender(uschar *);
+extern BOOL    receive_msg(BOOL);
+extern int_eximarith_t receive_statvfs(BOOL, int *);
+extern void    receive_swallow_smtp(void);
+#ifdef WITH_CONTENT_SCAN
+extern int     regex(const uschar **);
+#endif
+extern BOOL    regex_match(const pcre2_code *, const uschar *, int, uschar **);
+extern BOOL    regex_match_and_setup(const pcre2_code *, const uschar *, int, int);
+extern const pcre2_code *regex_must_compile(const uschar *, BOOL, BOOL);
+extern void    retry_add_item(address_item *, uschar *, int);
+extern BOOL    retry_check_address(const uschar *, host_item *, uschar *, BOOL,
+                 uschar **, uschar **);
+extern retry_config *retry_find_config(const uschar *, const uschar *, int, int);
+extern BOOL    retry_ultimate_address_timeout(uschar *, const uschar *,
+                 dbdata_retry *, time_t);
+extern void    retry_update(address_item **, address_item **, address_item **);
+extern const uschar *rewrite_address(const uschar *, BOOL, BOOL, rewrite_rule *, int);
+extern const uschar *rewrite_address_qualify(const uschar *, BOOL);
+extern header_line *rewrite_header(header_line *,
+               const uschar *, const uschar *,
+               rewrite_rule *, int, BOOL);
+extern const uschar *rewrite_one(const uschar *, int, BOOL *, BOOL, uschar *,
+                 rewrite_rule *);
+extern void    rewrite_test(const uschar *);
+extern uschar *rfc2047_decode2(uschar *, BOOL, const uschar *, int, int *,
+				     int *, uschar **);
+extern int     route_address(address_item *, address_item **, address_item **,
+                 address_item **, address_item **, int);
+extern int     route_check_prefix(const uschar *, const uschar *, unsigned *);
+extern int     route_check_suffix(const uschar *, const uschar *, unsigned *);
+extern BOOL    route_findgroup(uschar *, gid_t *);
+extern BOOL    route_finduser(const uschar *, struct passwd **, uid_t *);
+extern BOOL    route_find_expanded_group(uschar *, uschar *, uschar *, gid_t *,
+                 uschar **);
+extern BOOL    route_find_expanded_user(uschar *, uschar *, uschar *,
+                 struct passwd **, uid_t *, uschar **);
+extern void    route_init(void);
+extern gstring * route_show_supported(gstring *);
+extern void    route_tidyup(void);
+extern uschar *router_current_name(void);
+
+extern uschar *search_args(int, uschar *, uschar *, uschar **, const uschar *);
+extern uschar *search_find(void *, const uschar *, uschar *, int,
+		 const uschar *, int, int, int *, const uschar *);
+extern int     search_findtype(const uschar *, int);
+extern int     search_findtype_partial(const uschar *, int *, const uschar **, int *,
+                 int *, const uschar **);
+extern void   *search_open(const uschar *, int, int, uid_t *, gid_t *);
+extern void    search_tidyup(void);
+extern void    set_process_info(const char *, ...) PRINTF_FUNCTION(1,2);
+extern void    sha1_end(hctx *, const uschar *, int, uschar *);
+extern void    sha1_mid(hctx *, const uschar *);
+extern void    sha1_start(hctx *);
+extern int     sieve_interpret(const uschar *, int, const uschar *,
+		 const uschar *, const uschar *, const uschar *,
+		 address_item **, uschar **);
+extern void    sigalrm_handler(int);
+extern int     smtp_boundsock(smtp_connect_args *);
+extern void    smtp_closedown(uschar *);
+extern void    smtp_command_timeout_exit(void) NORETURN;
+extern void    smtp_command_sigterm_exit(void) NORETURN;
+extern void    smtp_data_timeout_exit(void) NORETURN;
+extern void    smtp_data_sigint_exit(void) NORETURN;
+extern void    smtp_deliver_init(void);
+extern uschar *smtp_cmd_hist(void);
+extern int     smtp_connect(smtp_connect_args *, const blob *);
+extern int     smtp_feof(void);
+extern int     smtp_ferror(void);
+extern uschar *smtp_get_connection_info(void);
+extern BOOL    smtp_get_interface(uschar *, int, address_item *,
+                 uschar **, uschar *);
+extern BOOL    smtp_get_port(uschar *, address_item *, int *, uschar *);
+extern int     smtp_getc(unsigned);
+extern uschar *smtp_getbuf(unsigned *);
+extern void    smtp_get_cache(unsigned);
+extern BOOL    smtp_hasc(void);
+extern int     smtp_handle_acl_fail(int, int, uschar *, uschar *);
+extern void    smtp_log_no_mail(void);
+extern void    smtp_message_code(uschar **, int *, uschar **, uschar **, BOOL);
+extern void    smtp_proxy_tls(void *, uschar *, size_t, int *, int, const uschar *) NORETURN;
+extern BOOL    smtp_read_response(void *, uschar *, int, int, int);
+extern void   *smtp_reset(void *);
+extern void    smtp_respond(uschar *, int, BOOL, uschar *);
+extern void    smtp_notquit_exit(uschar *, uschar *, uschar *, ...);
+extern void    smtp_port_for_connect(host_item *, int);
+extern void    smtp_send_prohibition_message(int, uschar *);
+extern int     smtp_setup_msg(void);
+extern int     smtp_sock_connect(smtp_connect_args *, int, const blob *);
+extern BOOL    smtp_start_session(void);
+extern int     smtp_ungetc(int);
+extern BOOL    smtp_verify_helo(void);
+extern int     smtp_write_command(void *, int, const char *, ...) PRINTF_FUNCTION(3,4);
+#ifdef WITH_CONTENT_SCAN
+extern int     spam(const uschar **);
+extern FILE   *spool_mbox(unsigned long *, const uschar *, uschar **);
+#endif
+extern void    spool_clear_header_globals(void);
+extern BOOL    spool_move_message(uschar *, uschar *, uschar *, uschar *);
+extern int     spool_open_datafile(uschar *);
+extern int     spool_open_temp(uschar *);
+extern int     spool_read_header(uschar *, BOOL, BOOL);
+extern uschar *spool_sender_from_msgid(const uschar *);
+extern int     spool_write_header(uschar *, int, uschar **);
+extern int     stdin_getc(unsigned);
+extern int     stdin_feof(void);
+extern int     stdin_ferror(void);
+extern BOOL    stdin_hasc(void);
+extern int     stdin_ungetc(int);
+
+extern void    store_exit(void);
+extern void    store_init(void);
+extern void    store_writeprotect(int);
+
+extern gstring *string_append(gstring *, int, ...) WARN_UNUSED_RESULT;
+extern gstring *string_append_listele(gstring *, uschar, const uschar *) WARN_UNUSED_RESULT;
+extern gstring *string_append_listele_n(gstring *, uschar, const uschar *, unsigned) WARN_UNUSED_RESULT;
+extern gstring *string_append2_listele_n(gstring *, const uschar *, const uschar *, unsigned) WARN_UNUSED_RESULT;
+extern uschar *string_base62(unsigned long int);
+extern gstring *string_cat (gstring *, const uschar *     ) WARN_UNUSED_RESULT;
+extern gstring *string_catn(gstring *, const uschar *, int) WARN_UNUSED_RESULT;
+extern int     string_compare_by_pointer(const void *, const void *);
+extern uschar *string_copy_dnsdomain(uschar *);
+extern uschar *string_copy_malloc(const uschar *);
+extern uschar *string_dequote(const uschar **);
+extern uschar *string_format_size(int, uschar *);
+extern int     string_interpret_escape(const uschar **);
+extern int     string_is_ip_address(const uschar *, int *);
+#ifdef SUPPORT_I18N
+extern BOOL    string_is_utf8(const uschar *);
+#endif
+extern const uschar *string_printing2(const uschar *, int);
+extern uschar *string_split_message(uschar *);
+extern uschar *string_unprinting(uschar *);
+#ifdef SUPPORT_I18N
+extern uschar *string_address_utf8_to_alabel(const uschar *, uschar **);
+extern uschar *string_domain_alabel_to_utf8(const uschar *, uschar **);
+extern uschar *string_domain_utf8_to_alabel(const uschar *, uschar **);
+extern uschar *string_localpart_alabel_to_utf8(const uschar *, uschar **);
+extern uschar *string_localpart_utf8_to_alabel(const uschar *, uschar **);
+#endif
+
+#define string_format(buf, siz, fmt, ...) \
+	string_format_trc(buf, siz, US __FUNCTION__, __LINE__, fmt, __VA_ARGS__)
+extern BOOL    string_format_trc(uschar *, int, const uschar *, unsigned,
+			const char *, ...) ALMOST_PRINTF(5,6);
+
+#define string_vformat(g, flgs, fmt, ap) \
+	string_vformat_trc(g, US __FUNCTION__, __LINE__, \
+			 STRING_SPRINTF_BUFFER_SIZE, flgs, fmt, ap)
+extern gstring *string_vformat_trc(gstring *, const uschar *, unsigned,
+			unsigned, unsigned, const char *, va_list);
+
+#define string_open_failed(fmt, ...) \
+	string_open_failed_trc(US __FUNCTION__, __LINE__, fmt, __VA_ARGS__)
+extern uschar *string_open_failed_trc(const uschar *, unsigned,
+			const char *, ...) PRINTF_FUNCTION(3,4);
+
+#define string_nextinlist(lp, sp, b, l) \
+	string_nextinlist_trc((lp), (sp), (b), (l), US __FUNCTION__, __LINE__)
+extern uschar *string_nextinlist_trc(const uschar **listptr, int *separator, uschar *buffer, int buflen,
+			const uschar * func, int line);
+
+extern int     strcmpic(const uschar *, const uschar *);
+extern int     strncmpic(const uschar *, const uschar *, int);
+extern uschar *strstric(uschar *, uschar *, BOOL);
+extern const uschar *strstric_c(const uschar *, const uschar *, BOOL);
+
+extern int     test_harness_fudged_queue_time(int);
+extern void    tcp_init(void);
+#ifdef EXIM_TFO_PROBE
+extern void    tfo_probe(void);
+#endif
+extern void    tls_modify_variables(tls_support *);
+extern uschar *tod_stamp(int);
+
+extern BOOL    transport_check_waiting(const uschar *, const uschar *, int, uschar *,
+                 oicf, void*);
+extern uschar *transport_current_name(void);
+extern void    transport_do_pass_socket(const uschar *, const uschar *,
+		 const uschar *, uschar *, int);
+extern void    transport_init(void);
+extern BOOL    transport_pass_socket(const uschar *, const uschar *, const uschar *, uschar *, int
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+			, unsigned, unsigned, unsigned
+#endif
+			);
+extern uschar *transport_rcpt_address(address_item *, BOOL);
+extern BOOL    transport_set_up_command(const uschar ***, const uschar *,
+		 BOOL, int, address_item *, BOOL, const uschar *, uschar **);
+extern void    transport_update_waiting(host_item *, uschar *);
+extern BOOL    transport_write_block(transport_ctx *, uschar *, int, BOOL);
+extern void    transport_write_reset(int);
+extern BOOL    transport_write_string(int, const char *, ...);
+extern BOOL    transport_headers_send(transport_ctx *,
+                 BOOL (*)(transport_ctx *, uschar *, int));
+extern gstring * transport_show_supported(gstring *);
+extern BOOL    transport_write_message(transport_ctx *, int);
+extern void    tree_add_duplicate(const uschar *, address_item *);
+extern void    tree_add_nonrecipient(const uschar *);
+extern void    tree_add_unusable(const host_item *);
+extern void    tree_dup(tree_node **, tree_node *);
+extern int     tree_insertnode(tree_node **, tree_node *);
+extern tree_node *tree_search(tree_node *, const uschar *);
+extern void    tree_write(tree_node *, FILE *);
+extern void    tree_walk(tree_node *, void (*)(uschar*, uschar*, void*), void *);
+
+#ifdef WITH_CONTENT_SCAN
+extern void    unspool_mbox(void);
+#endif
+#ifdef SUPPORT_I18N
+extern gstring *utf8_version_report(gstring *);
+#endif
+
+extern int     verify_address(address_item *, FILE *, int, int, int, int,
+                 uschar *, uschar *, BOOL *);
+extern int     verify_check_dnsbl(int, const uschar **, uschar **);
+extern int     verify_check_header_address(uschar **, uschar **, int, int, int,
+                 uschar *, uschar *, int, int *);
+extern int     verify_check_headers(uschar **);
+extern int     verify_check_header_names_ascii(uschar **);
+extern int     verify_check_host(uschar **);
+extern int     verify_check_notblind(BOOL);
+extern int     verify_check_given_host(const uschar **, const host_item *);
+extern int     verify_check_this_host(const uschar **, unsigned int *,
+	         const uschar*, const uschar *, const uschar **);
+extern address_item *verify_checked_sender(uschar *);
+extern void    verify_get_ident(int);
+extern void    verify_quota(uschar *);
+extern int     verify_quota_call(const uschar *, int, int, uschar **);
+extern BOOL    verify_sender(int *, uschar **);
+extern BOOL    verify_sender_preliminary(int *, uschar **);
+extern void    version_init(void);
+
+extern BOOL    write_chunk(transport_ctx *, uschar *, int);
+extern ssize_t write_to_fd_buf(int, const uschar *, size_t);
+
+
+/******************************************************************************/
+/* Predicate: if an address is in a tainted pool.
+By extension, a variable pointing to this address is tainted.
+*/
+
+static inline BOOL
+is_tainted(const void * p)
+{
+#if defined(COMPILE_UTILITY) || defined(MACRO_PREDEF) || defined(EM_VERSION_C)
+return FALSE;
+
+#else
+extern BOOL is_tainted_fn(const void *);
+return is_tainted_fn(p);
+#endif
+}
+
+static inline BOOL
+is_incompatible(const void * old, const void * new)
+{
+#if defined(COMPILE_UTILITY) || defined(MACRO_PREDEF) || defined(EM_VERSION_C)
+return FALSE;
+
+#else
+extern BOOL is_incompatible_fn(const void *, const void *);
+return is_incompatible_fn(old, new);
+#endif
+}
+
+/******************************************************************************/
+/* String functions */
+static inline uschar * __Ustrcat(uschar * dst, const uschar * src, const char * func, int line)
+{
+#if !defined(COMPILE_UTILITY) && !defined(MACRO_PREDEF)
+if (!is_tainted(dst) && is_tainted(src)) die_tainted(US"Ustrcat", CUS func, line);
+#endif
+return US strcat(CS dst, CCS src);
+}
+static inline uschar * __Ustrcpy(uschar * dst, const uschar * src, const char * func, int line)
+{
+#if !defined(COMPILE_UTILITY) && !defined(MACRO_PREDEF)
+if (!is_tainted(dst) && is_tainted(src)) die_tainted(US"Ustrcpy", CUS func, line);
+#endif
+return US strcpy(CS dst, CCS src);
+}
+static inline uschar * __Ustrncat(uschar * dst, const uschar * src, size_t n, const char * func, int line)
+{
+#if !defined(COMPILE_UTILITY) && !defined(MACRO_PREDEF)
+if (!is_tainted(dst) && is_tainted(src)) die_tainted(US"Ustrncat", CUS func, line);
+#endif
+return US strncat(CS dst, CCS src, n);
+}
+static inline uschar * __Ustrncpy(uschar * dst, const uschar * src, size_t n, const char * func, int line)
+{
+#if !defined(COMPILE_UTILITY) && !defined(MACRO_PREDEF)
+if (!is_tainted(dst) && is_tainted(src)) die_tainted(US"Ustrncpy", CUS func, line);
+#endif
+return US strncpy(CS dst, CCS src, n);
+}
+/*XXX will likely need unchecked copy also */
+
+
+/* Advance the string pointer given over any whitespace.
+Return the next char as there's enought places using it to be useful. */
+
+#define Uskip_whitespace(sp) skip_whitespace(CUSS sp)
+
+static inline uschar skip_whitespace(const uschar ** sp)
+{ while (isspace(**sp)) (*sp)++; return **sp; }
+
+
+/******************************************************************************/
+
+#if !defined(MACRO_PREDEF) && !defined(COMPILE_UTILITY)
+/* exim_chown - in some NFSv4 setups *seemes* to be an issue with
+chown(<exim-uid>, <exim-gid>).
+
+Probably because the idmapping is broken, misconfigured or set up in
+an unusal way. (see Bug 2931). As I'm not sure, if this was a single
+case of misconfiguration, or if there are more such broken systems
+out, I try to impose as least impact as possible and for now just write
+a panic log entry pointing to the bug report. You're encouraged to
+contact the developers, if you experience this issue.
+
+fd     the file descriptor (or -1 if not valid)
+name   the file name for error messages or for file operations,
+  if fd is < 0
+owner  the owner
+group  the group
+
+returns 0 on success, -1 on failure */
+
+static inline int
+exim_fchown(int fd, uid_t owner, gid_t group, const uschar *name)
+{
+return fchown(fd, owner, group)
+  ? exim_chown_failure(fd, name, owner, group) : 0;
+}
+
+static inline int
+exim_chown(const uschar *name, uid_t owner, gid_t group)
+{
+return chown(CCS name, owner, group)
+  ? exim_chown_failure(-1, name, owner, group) : 0;
+}
+#endif	/* !MACRO_PREDEF && !COMPILE_UTILITY */
+
+/******************************************************************************/
+/* String functions */
+
+#if !defined(MACRO_PREDEF)
+/*************************************************
+*            Copy and save string                *
+*************************************************/
+
+/* This function assumes that memcpy() is faster than strcpy().
+The result is explicitly nul-terminated.
+*/
+
+static inline uschar *
+string_copyn_taint_trc(const uschar * s, unsigned len,
+	const void * proto_mem, const char * func, int line)
+{
+uschar * ss;
+unsigned slen = Ustrlen(s);
+if (len > slen) len = slen;
+ss = store_get_3(len + 1, proto_mem, func, line);
+memcpy(ss, s, len);
+ss[len] = '\0';
+return ss;
+}
+
+static inline uschar *
+string_copy_taint_trc(const uschar * s, const void * proto_mem, const char * func, int line)
+{ return string_copyn_taint_trc(s, Ustrlen(s), proto_mem, func, line); }
+
+static inline uschar *
+string_copyn_trc(const uschar * s, unsigned len, const char * func, int line)
+{ return string_copyn_taint_trc(s, len, s, func, line); }
+static inline uschar *
+string_copy_trc(const uschar * s, const char * func, int line)
+{ return string_copy_taint_trc(s, s, func, line); }
+
+
+/* String-copy functions explicitly setting the taint status */
+
+#define string_copyn_taint(s, len, proto_mem) \
+	string_copyn_taint_trc((s), (len), (proto_mem), __FUNCTION__, __LINE__)
+#define string_copy_taint(s, proto_mem) \
+	string_copy_taint_trc((s), (proto_mem), __FUNCTION__, __LINE__)
+
+/* Simple string-copy functions maintaining the taint */
+
+#define string_copyn(s, len) \
+	string_copyn_trc((s), (len), __FUNCTION__, __LINE__)
+#define string_copy(s) \
+	string_copy_trc((s), __FUNCTION__, __LINE__)
+
+
+/*************************************************
+*       Copy, lowercase and save string          *
+*************************************************/
+
+/*
+Argument: string to copy
+Returns:  copy of string in new store, with letters lowercased
+*/
+
+static inline uschar *
+string_copylc(const uschar * s)
+{
+uschar * ss = store_get(Ustrlen(s) + 1, s);
+uschar * p = ss;
+while (*s) *p++ = tolower(*s++);
+*p = 0;
+return ss;
+}
+
+
+
+/*************************************************
+* Copy, lowercase, and save string, given length *
+*************************************************/
+
+/* It is assumed the data contains no zeros. A zero is added
+onto the end.
+
+Arguments:
+  s         string to copy
+  n         number of characters
+
+Returns:    copy of string in new store, with letters lowercased
+*/
+
+static inline uschar *
+string_copynlc(uschar * s, int n)
+{
+uschar * ss = store_get(n + 1, s);
+uschar * p = ss;
+while (n-- > 0) *p++ = tolower(*s++);
+*p = 0;
+return ss;
+}
+
+
+# ifndef COMPILE_UTILITY
+/*************************************************
+*     Copy and save string in longterm store     *
+*************************************************/
+
+/* This function assumes that memcpy() is faster than strcpy().
+
+Argument: string to copy
+Returns:  copy of string in new store
+*/
+
+static inline uschar *
+string_copy_perm(const uschar *s, BOOL force_taint)
+{
+int old_pool = store_pool;
+int len = Ustrlen(s) + 1;
+uschar *ss;
+
+store_pool = POOL_PERM;
+ss = store_get(len, force_taint ? GET_TAINTED : s);
+memcpy(ss, s, len);
+store_pool = old_pool;
+return ss;
+}
+# endif
+
+
+
+/* sprintf into a buffer, taint-unchecked */
+
+static inline void
+string_format_nt(uschar * buf, int siz, const char * fmt, ...)
+{
+gstring gs = { .size = siz, .ptr = 0, .s = buf };
+va_list ap;
+va_start(ap, fmt);
+(void) string_vformat(&gs, SVFMT_TAINT_NOCHK, fmt, ap);
+va_end(ap);
+}
+
+
+
+/******************************************************************************/
+/* Growable-string functions */
+
+/* Create a growable-string with some preassigned space */
+
+#define string_get_tainted(size, proto_mem) \
+	string_get_tainted_trc((size), (proto_mem), __FUNCTION__, __LINE__)
+
+static inline gstring *
+string_get_tainted_trc(unsigned size, const void * proto_mem, const char * func, unsigned line)
+{
+gstring * g = store_get_3(sizeof(gstring) + size, proto_mem, func, line);
+g->size = size;		/*XXX would be good if we could see the actual alloc size */
+g->ptr = 0;
+g->s = US(g + 1);
+return g;
+}
+
+#define string_get(size) \
+	string_get_trc((size), __FUNCTION__, __LINE__)
+
+static inline gstring *
+string_get_trc(unsigned size, const char * func, unsigned line)
+{
+return string_get_tainted_trc(size, GET_UNTAINTED, func, line);
+}
+
+/* NUL-terminate the C string in the growable-string, and return it. */
+
+static inline uschar *
+string_from_gstring(gstring * g)
+{
+if (!g) return NULL;
+g->s[g->ptr] = '\0';
+return g->s;
+}
+
+static inline unsigned
+gstring_length(const gstring * g)
+{
+return g ? (unsigned)g->ptr : 0;
+}
+
+
+#define gstring_release_unused(g) \
+	gstring_release_unused_trc(g, __FUNCTION__, __LINE__)
+
+static inline void
+gstring_release_unused_trc(gstring * g, const char * file, unsigned line)
+{
+if (g) store_release_above_3(g->s + (g->size = g->ptr + 1), file, line);
+}
+
+
+/* sprintf-append to a growable-string */
+
+#define string_fmt_append(g, fmt, ...) \
+	string_fmt_append_f_trc(g, US __FUNCTION__, __LINE__, \
+	SVFMT_EXTEND|SVFMT_REBUFFER, fmt, __VA_ARGS__)
+
+#define string_fmt_append_f(g, flgs, fmt, ...) \
+	string_fmt_append_f_trc(g, US __FUNCTION__, __LINE__, \
+	flgs,         fmt, __VA_ARGS__)
+
+static inline gstring *
+string_fmt_append_f_trc(gstring * g, const uschar * func, unsigned line,
+  unsigned flags, const char *format, ...)
+{
+va_list ap;
+va_start(ap, format);
+g = string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
+			flags, format, ap);
+va_end(ap);
+return g;
+}
+
+
+/* Copy the content of a string to tainted memory.  The proto_mem arg
+will always be tainted, and suitable as a prototype. */
+
+static inline void
+gstring_rebuffer(gstring * g, const void * proto_mem)
+{
+uschar * s = store_get_3(g->size, proto_mem, __FUNCTION__, __LINE__);
+memcpy(s, g->s, g->ptr);
+g->s = s;
+}
+
+
+# ifndef COMPILE_UTILITY
+/******************************************************************************/
+/* Use store_malloc for DNSA structs, and explicit frees. Using the same pool
+for them as the strings we proceed to copy from them meant they could not be
+released, hence blowing 64k for every DNS lookup. That mounted up. With malloc
+we do have to take care over marking tainted all copied strings.  A separate pool
+could be used and would handle that implicitly. */
+
+#define store_get_dns_answer() store_get_dns_answer_trc(CUS __FUNCTION__, __LINE__)
+
+static inline dns_answer *
+store_get_dns_answer_trc(const uschar * func, unsigned line)
+{
+return store_malloc_3(sizeof(dns_answer), CCS func, line);
+}
+
+#define store_free_dns_answer(dnsa) store_free_dns_answer_trc(dnsa, CUS __FUNCTION__, __LINE__)
+
+static inline void
+store_free_dns_answer_trc(dns_answer * dnsa, const uschar * func, unsigned line)
+{
+store_free_3(dnsa, CCS func, line);
+}
+
+/******************************************************************************/
+/* Routines with knowledge of spool layout */
+
+static inline void
+spool_pname_buf(uschar * buf, int len)
+{
+snprintf(CS buf, len, "%s/%s/input", spool_directory, queue_name);
+}
+
+static inline uschar *
+spool_dname(const uschar * purpose, uschar * subdir)
+{
+return string_sprintf("%s/%s/%s/%s",
+	spool_directory, queue_name, purpose, subdir);
+}
+# endif
+
+static inline uschar *
+spool_q_sname(const uschar * purpose, const uschar * q, uschar * subdir)
+{
+return string_sprintf("%s%s%s%s%s",
+		    q, *q ? "/" : "",
+		    purpose,
+		    *subdir ? "/" : "", subdir);
+}
+
+static inline uschar *
+spool_sname(const uschar * purpose, uschar * subdir)
+{
+return spool_q_sname(purpose, queue_name, subdir);
+}
+
+static inline uschar *
+spool_q_fname(const uschar * purpose, const uschar * q,
+	const uschar * subdir, const uschar * fname, const uschar * suffix)
+{
+return string_sprintf("%s/%s/%s/%s/%s%s",
+	spool_directory, q, purpose, subdir, fname, suffix);
+}
+
+static inline uschar *
+spool_fname(const uschar * purpose, const uschar * subdir, const uschar * fname,
+	const uschar * suffix)
+{
+#ifdef COMPILE_UTILITY		/* version avoiding string-extension */
+int len = Ustrlen(spool_directory) + 1 + Ustrlen(queue_name) + 1 + Ustrlen(purpose) + 1
+	+ Ustrlen(subdir) + 1 + Ustrlen(fname) + Ustrlen(suffix) + 1;
+uschar * buf = store_get(len, GET_UNTAINTED);
+string_format(buf, len, "%s/%s/%s/%s/%s%s",
+	spool_directory, queue_name, purpose, subdir, fname, suffix);
+return buf;
+#else
+return spool_q_fname(purpose, queue_name, subdir, fname, suffix);
+#endif
+}
+
+static inline void
+set_subdir_str(uschar * subdir_str, const uschar * name,
+	int search_sequence)
+{
+subdir_str[0] = split_spool_directory == (search_sequence == 0)
+       ? name[5] : '\0';
+subdir_str[1] = '\0';
+}
+
+/******************************************************************************/
+/* Time calculations */
+
+/* Diff two times (later, earlier) returning diff in 1st arg */
+static inline void
+timediff(struct timeval * later, const struct timeval * earlier)
+{
+later->tv_sec -= earlier->tv_sec;
+if ((later->tv_usec -= earlier->tv_usec) < 0)
+  {
+  later->tv_sec--;
+  later->tv_usec += 1000*1000;
+  }
+}
+
+static inline void
+timesince(struct timeval * diff, const struct timeval * then)
+{
+gettimeofday(diff, NULL);
+timediff(diff, then);
+}
+
+static inline uschar *
+string_timediff(const struct timeval * diff)
+{
+static uschar buf[sizeof("0.000s")];
+
+if (diff->tv_sec >= 5 || !LOGGING(millisec))
+  return readconf_printtime((int)diff->tv_sec);
+
+snprintf(CS buf, sizeof(buf), "%u.%03us", (uint)diff->tv_sec, (uint)diff->tv_usec/1000);
+return buf;
+}
+
+
+static inline uschar *
+string_timesince(const struct timeval * then)
+{
+struct timeval diff;
+timesince(&diff, then);
+return string_timediff(&diff);
+}
+
+static inline void
+report_time_since(const struct timeval * t0, const uschar * where)
+{
+# ifdef MEASURE_TIMING
+struct timeval diff;
+timesince(&diff, t0);
+fprintf(stderr, "%d %s:\t%ld.%06ld\n",
+       (uint)getpid(), where, (long)diff.tv_sec, (long)diff.tv_usec);
+# endif
+}
+
+
+static inline void
+testharness_pause_ms(int millisec)
+{
+#ifndef MEASURE_TIMING
+if (f.running_in_test_harness && f.testsuite_delays) millisleep(millisec);
+#endif
+}
+
+/******************************************************************************/
+/* Taint-checked file opens */
+
+static inline int
+exim_open2(const char *pathname, int flags)
+{
+if (!is_tainted(pathname)) return open(pathname, flags);
+log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname);
+errno = EACCES;
+return -1;
+}
+static inline int
+exim_open(const char *pathname, int flags, mode_t mode)
+{
+if (!is_tainted(pathname)) return open(pathname, flags, mode);
+log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname);
+errno = EACCES;
+return -1;
+}
+#ifdef EXIM_HAVE_OPENAT
+static inline int
+exim_openat(int dirfd, const char *pathname, int flags)
+{
+if (!is_tainted(pathname)) return openat(dirfd, pathname, flags);
+log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname);
+errno = EACCES;
+return -1;
+}
+static inline int
+exim_openat4(int dirfd, const char *pathname, int flags, mode_t mode)
+{
+if (!is_tainted(pathname)) return openat(dirfd, pathname, flags, mode);
+log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname);
+errno = EACCES;
+return -1;
+}
+#endif
+
+static inline FILE *
+exim_fopen(const char *pathname, const char *mode)
+{
+if (!is_tainted(pathname)) return fopen(pathname, mode);
+log_write(0, LOG_MAIN|LOG_PANIC, "Tainted filename '%s'", pathname);
+errno = EACCES;
+return NULL;
+}
+
+static inline DIR *
+exim_opendir(const uschar * name)
+{
+if (!is_tainted(name)) return opendir(CCS name);
+log_write(0, LOG_MAIN|LOG_PANIC, "Tainted dirname '%s'", name);
+errno = EACCES;
+return NULL;
+}
+
+/******************************************************************************/
+# if !defined(COMPILE_UTILITY)
+/* Process manipulation */
+
+static inline pid_t
+exim_fork(const unsigned char * purpose)
+{
+pid_t pid;
+DEBUG(D_any) debug_printf("%s forking for %s\n", process_purpose, purpose);
+if ((pid = fork()) == 0)
+  {
+  process_purpose = purpose;
+  DEBUG(D_any) debug_printf("postfork: %s\n", purpose);
+  }
+else
+  {
+  testharness_pause_ms(100); /* let child work */
+  DEBUG(D_any) debug_printf("%s forked for %s: %d\n", process_purpose, purpose, (int)pid);
+  }
+return pid;
+}
+
+
+static inline pid_t
+child_open_exim(int * fdptr, const uschar * purpose)
+{ return child_open_exim_function(fdptr, purpose); }
+
+static inline pid_t
+child_open_exim2(int * fdptr, uschar * sender,
+  uschar * sender_auth, const uschar * purpose)
+{ return child_open_exim2_function(fdptr, sender, sender_auth, purpose); }
+
+static inline pid_t
+child_open(uschar **argv, uschar **envp, int newumask, int *infdptr,
+  int *outfdptr, BOOL make_leader, const uschar * purpose)
+{ return child_open_function(argv, envp, newumask, infdptr,
+  outfdptr, make_leader, purpose);
+}
+
+/* Return 1 if fd is usable per pollbits, else 0 */
+static inline int
+poll_one_fd(int fd, short pollbits, int tmo_millisec)
+{
+struct pollfd p = {.fd = fd, .events = pollbits};
+return poll(&p, 1, tmo_millisec);
+}
+
+/******************************************************************************/
+/* Client-side smtp log string, for debug */
+
+static inline void
+smtp_debug_cmd(const uschar * buf, int mode)
+{
+HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP%c> %s\n",
+  mode == SCMD_BUFFER ? '|' : mode == SCMD_MORE ? '+' : '>', buf);
+
+#  ifndef DISABLE_CLIENT_CMD_LOG
+  {
+  int len = Ustrcspn(buf, " \n");
+  int old_pool = store_pool;
+  store_pool = POOL_PERM;	/* Main pool ACL allocations eg. callouts get released */
+  client_cmd_log = string_append_listele_n(client_cmd_log, ':', buf, MIN(len, 8));
+  if (mode == SCMD_BUFFER) 
+    {
+    client_cmd_log = string_catn(client_cmd_log, US"|", 1); 
+    (void) string_from_gstring(client_cmd_log);
+    }
+  store_pool = old_pool;
+  }
+#  endif
+}
+
+
+static inline void
+smtp_debug_cmd_report(void)
+{
+#  ifndef DISABLE_CLIENT_CMD_LOG
+debug_printf("cmdlog: '%s'\n", client_cmd_log ? client_cmd_log->s : US"(unset)");
+#  endif
+}
+
+
+
+# endif	/* !COMPILE_UTILITY */
+
+/******************************************************************************/
+#endif	/* !MACRO_PREDEF */
+
+#endif  /* _FUNCTIONS_H_ */
+
+/* vi: aw
+*/
+/* End of functions.h */
diff --git a/src/globals.c b/src/globals.c
new file mode 100644
index 0000000..ff246fe
--- /dev/null
+++ b/src/globals.c
@@ -0,0 +1,1653 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* All the global variables are defined together in this one module, so
+that they are easy to find. */
+
+#include "exim.h"
+
+
+/* Generic options for auths, all of which live inside auth_instance
+data blocks and hence have the opt_public flag set. */
+
+optionlist optionlist_auths[] = {
+  { "client_condition", opt_stringptr | opt_public,
+                 OPT_OFF(auth_instance, client_condition) },
+  { "client_set_id", opt_stringptr | opt_public,
+                 OPT_OFF(auth_instance, set_client_id) },
+  { "driver",        opt_stringptr | opt_public,
+                 OPT_OFF(auth_instance, driver_name) },
+  { "public_name",   opt_stringptr | opt_public,
+                 OPT_OFF(auth_instance, public_name) },
+  { "server_advertise_condition", opt_stringptr | opt_public,
+                 OPT_OFF(auth_instance, advertise_condition)},
+  { "server_condition", opt_stringptr | opt_public,
+                 OPT_OFF(auth_instance, server_condition) },
+  { "server_debug_print", opt_stringptr | opt_public,
+                 OPT_OFF(auth_instance, server_debug_string) },
+  { "server_mail_auth_condition", opt_stringptr | opt_public,
+                 OPT_OFF(auth_instance, mail_auth_condition) },
+  { "server_set_id", opt_stringptr | opt_public,
+                 OPT_OFF(auth_instance, set_id) }
+};
+
+int     optionlist_auths_size = nelem(optionlist_auths);
+
+/* An empty host aliases list. */
+
+uschar *no_aliases             = NULL;
+
+
+/* For comments on these variables, see globals.h. I'm too idle to
+duplicate them here... */
+
+#ifdef EXIM_PERL
+uschar *opt_perl_startup       = NULL;
+BOOL    opt_perl_at_start      = FALSE;
+BOOL    opt_perl_started       = FALSE;
+BOOL    opt_perl_taintmode     = FALSE;
+#endif
+
+#ifdef EXPAND_DLFUNC
+tree_node *dlobj_anchor        = NULL;
+#endif
+
+#ifdef LOOKUP_IBASE
+uschar *ibase_servers          = NULL;
+#endif
+
+#ifdef LOOKUP_LDAP
+uschar *eldap_ca_cert_dir      = NULL;
+uschar *eldap_ca_cert_file     = NULL;
+uschar *eldap_cert_file        = NULL;
+uschar *eldap_cert_key         = NULL;
+uschar *eldap_cipher_suite     = NULL;
+uschar *eldap_default_servers  = NULL;
+uschar *eldap_require_cert     = NULL;
+int     eldap_version          = -1;
+BOOL    eldap_start_tls        = FALSE;
+#endif
+
+#ifdef LOOKUP_MYSQL
+uschar *mysql_servers          = NULL;
+#endif
+
+#ifdef LOOKUP_ORACLE
+uschar *oracle_servers         = NULL;
+#endif
+
+#ifdef LOOKUP_PGSQL
+uschar *pgsql_servers          = NULL;
+#endif
+
+#ifdef LOOKUP_REDIS
+uschar *redis_servers          = NULL;
+#endif
+
+#ifdef LOOKUP_SQLITE
+uschar *sqlite_dbfile	       = NULL;
+int     sqlite_lock_timeout    = 5;
+#endif
+
+#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
+BOOL    move_frozen_messages   = FALSE;
+#endif
+
+/* These variables are outside the #ifdef because it keeps the code less
+cluttered in several places (e.g. during logging) if we can always refer to
+them. Also, the tls_ variables are now always visible.  Note that these are
+only used for smtp connections, not for service-daemon access. */
+
+tls_support tls_in = {
+ .active =		{.sock = -1}
+ /* all other elements zero */
+};
+tls_support tls_out = {
+ .active =		{.sock = -1},
+ /* all other elements zero */
+};
+
+uschar *dsn_envid              = NULL;
+int     dsn_ret                = 0;
+const pcre2_code  *regex_DSN         = NULL;
+uschar *dsn_advertise_hosts    = NULL;
+
+#ifndef DISABLE_TLS
+BOOL    gnutls_compat_mode     = FALSE;
+BOOL    gnutls_allow_auto_pkcs11 = FALSE;
+uschar *hosts_require_alpn     = NULL;
+uschar *openssl_options        = NULL;
+const pcre2_code *regex_STARTTLS     = NULL;
+uschar *tls_advertise_hosts    = US"*";
+uschar *tls_alpn	       = US"smtp:esmtp";
+uschar *tls_certificate        = NULL;
+uschar *tls_crl                = NULL;
+/* This default matches NSS DH_MAX_P_BITS value at current time (2012), because
+that's the interop problem which has been observed: GnuTLS suggesting a higher
+bit-count as "NORMAL" (2432) and Thunderbird dropping connection. */
+int     tls_dh_max_bits        = 2236;
+uschar *tls_dhparam            = NULL;
+uschar *tls_eccurve            = US"auto";
+# ifndef DISABLE_OCSP
+uschar *tls_ocsp_file          = NULL;
+# endif
+uschar *tls_privatekey         = NULL;
+BOOL    tls_remember_esmtp     = FALSE;
+uschar *tls_require_ciphers    = NULL;
+# ifndef DISABLE_TLS_RESUME
+uschar *tls_resumption_hosts   = NULL;
+# endif
+uschar *tls_try_verify_hosts   = NULL;
+uschar *tls_verify_certificates= US"system";
+uschar *tls_verify_hosts       = NULL;
+int     tls_watch_fd	       = -1;
+time_t  tls_watch_trigger_time = (time_t)0;
+#else	/*DISABLE_TLS*/
+uschar *tls_advertise_hosts    = NULL;
+#endif
+
+#ifndef DISABLE_PRDR
+/* Per Recipient Data Response variables */
+BOOL    prdr_enable            = FALSE;
+BOOL    prdr_requested         = FALSE;
+const pcre2_code *regex_PRDR         = NULL;
+#endif
+
+#ifdef SUPPORT_I18N
+const pcre2_code *regex_UTF8         = NULL;
+#endif
+
+/* Input-reading functions for messages, so we can use special ones for
+incoming TCP/IP. The defaults use stdin. We never need these for any
+stand-alone tests. */
+
+#if !defined(STAND_ALONE) && !defined(MACRO_PREDEF)
+int	(*lwr_receive_getc)(unsigned)	= stdin_getc;
+uschar * (*lwr_receive_getbuf)(unsigned *) = NULL;
+int	(*lwr_receive_ungetc)(int)	= stdin_ungetc;
+BOOL	(*lwr_receive_hasc)(void)	= stdin_hasc;
+
+int	(*receive_getc)(unsigned) 	= stdin_getc;
+uschar * (*receive_getbuf)(unsigned *) 	= NULL;
+void	(*receive_get_cache)(unsigned)	= NULL;
+BOOL	(*receive_hasc)(void)		= stdin_hasc;
+int	(*receive_ungetc)(int)    	= stdin_ungetc;
+int	(*receive_feof)(void)     	= stdin_feof;
+int	(*receive_ferror)(void)   	= stdin_ferror;
+#endif
+
+
+/* List of per-address expansion variables for clearing and saving/restoring
+when verifying one address while routing/verifying another. We have to have
+the size explicit, because it is referenced from more than one module. */
+
+const uschar **address_expansions[ADDRESS_EXPANSIONS_COUNT] = {
+  CUSS &deliver_address_data,
+  CUSS &deliver_domain,
+  CUSS &deliver_domain_data,
+  CUSS &deliver_domain_orig,
+  CUSS &deliver_domain_parent,
+  CUSS &deliver_localpart,
+  CUSS &deliver_localpart_data,
+  CUSS &deliver_localpart_orig,
+  CUSS &deliver_localpart_parent,
+  CUSS &deliver_localpart_prefix,
+  CUSS &deliver_localpart_suffix,
+  CUSS (uschar **)(&deliver_recipients),
+  CUSS &deliver_host,
+  CUSS &deliver_home,
+  CUSS &address_file,
+  CUSS &address_pipe,
+  CUSS &self_hostname,
+  NULL };
+
+int address_expansions_count = sizeof(address_expansions)/sizeof(uschar **);
+
+/******************************************************************************/
+/* General global variables.  Boolean flags are done as a group
+so that only one bit each is needed, packed, for all those we never
+need to take a pointer - and only a char for the rest.
+This means a struct, unfortunately since it clutters the sourcecode. */
+
+struct global_flags f =
+{
+	.acl_temp_details       = FALSE,
+	.active_local_from_check = FALSE,
+	.active_local_sender_retain = FALSE,
+	.address_test_mode      = FALSE,
+	.admin_user             = FALSE,
+	.allow_auth_unadvertised= FALSE,
+	.allow_unqualified_recipient = TRUE,    /* For local messages */
+	.allow_unqualified_sender = TRUE,       /* Reset for SMTP */
+	.authentication_local   = FALSE,
+
+	.background_daemon      = TRUE,
+	.bdat_readers_wanted    = FALSE,
+
+	.chunking_offered       = FALSE,
+	.config_changed         = FALSE,
+	.continue_more          = FALSE,
+
+	.daemon_listen          = FALSE,
+	.debug_daemon           = FALSE,
+	.deliver_firsttime      = FALSE,
+	.deliver_force          = FALSE,
+	.deliver_freeze         = FALSE,
+	.deliver_force_thaw     = FALSE,
+	.deliver_manual_thaw    = FALSE,
+	.deliver_selectstring_regex = FALSE,
+	.deliver_selectstring_sender_regex = FALSE,
+	.disable_callout_flush  = FALSE,
+	.disable_delay_flush    = FALSE,
+	.disable_logging        = FALSE,
+#ifndef DISABLE_DKIM
+	.dkim_disable_verify      = FALSE,
+	.dkim_init_done           = FALSE,
+#endif
+#ifdef SUPPORT_DMARC
+	.dmarc_has_been_checked  = FALSE,
+	.dmarc_disable_verify    = FALSE,
+	.dmarc_enable_forensic   = FALSE,
+#endif
+	.dont_deliver           = FALSE,
+	.dot_ends               = TRUE,
+
+	.enable_dollar_recipients = FALSE,
+	.expand_string_forcedfail = FALSE,
+
+	.filter_running         = FALSE,
+
+	.header_rewritten       = FALSE,
+	.helo_verified          = FALSE,
+	.helo_verify_failed     = FALSE,
+	.host_checking_callout  = FALSE,
+	.host_find_failed_syntax= FALSE,
+
+	.inetd_wait_mode        = FALSE,
+	.is_inetd               = FALSE,
+
+	.local_error_message    = FALSE,
+	.log_testing_mode       = FALSE,
+
+#ifdef WITH_CONTENT_SCAN
+	.no_mbox_unspool        = FALSE,
+#endif
+	.no_multiline_responses = FALSE,
+
+	.parse_allow_group      = FALSE,
+	.parse_found_group      = FALSE,
+	.pipelining_enable      = TRUE,
+#if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
+	.proxy_session_failed   = FALSE,
+#endif
+
+	.queue_2stage           = FALSE,
+	.queue_only_policy      = FALSE,
+	.queue_run_first_delivery = FALSE,
+	.queue_run_force        = FALSE,
+	.queue_run_local        = FALSE,
+	.queue_running          = FALSE,
+	.queue_smtp             = FALSE,
+
+	.really_exim            = TRUE,
+	.receive_call_bombout   = FALSE,
+	.recipients_discarded   = FALSE,
+	.running_in_test_harness = FALSE,
+
+	.search_find_defer      = FALSE,
+	.sender_address_forced  = FALSE,
+	.sender_host_notsocket  = FALSE,
+	.sender_host_unknown    = FALSE,
+	.sender_local           = FALSE,
+	.sender_name_forced     = FALSE,
+	.sender_set_untrusted   = FALSE,
+	.smtp_authenticated     = FALSE,
+#ifndef DISABLE_PIPE_CONNECT
+	.smtp_in_early_pipe_advertised = FALSE,
+	.smtp_in_early_pipe_no_auth = FALSE,
+	.smtp_in_early_pipe_used = FALSE,
+#endif
+	.smtp_in_pipelining_advertised = FALSE,
+	.smtp_in_pipelining_used = FALSE,
+	.smtp_in_quit		= FALSE,
+	.spool_file_wireformat  = FALSE,
+	.submission_mode        = FALSE,
+	.suppress_local_fixups  = FALSE,
+	.suppress_local_fixups_default = FALSE,
+	.synchronous_delivery   = FALSE,
+	.system_filtering       = FALSE,
+
+	.taint_check_slow       = FALSE,
+	.testsuite_delays	= TRUE,
+	.tcp_fastopen_ok        = FALSE,
+	.tcp_in_fastopen        = FALSE,
+	.tcp_in_fastopen_data   = FALSE,
+	.tcp_in_fastopen_logged = FALSE,
+	.tcp_out_fastopen_logged= FALSE,
+	.timestamps_utc         = FALSE,
+	.transport_filter_timed_out = FALSE,
+	.trusted_caller         = FALSE,
+	.trusted_config         = TRUE,
+};
+
+/******************************************************************************/
+/* These are the flags which are either variables or mainsection options,
+so an address is needed for access, or are exported to local_scan. */
+
+BOOL    accept_8bitmime        = TRUE; /* deliberately not RFC compliant */
+BOOL    allow_domain_literals  = FALSE;
+BOOL    allow_mx_to_ip         = FALSE;
+BOOL    allow_utf8_domains     = FALSE;
+BOOL    authentication_failed  = FALSE;
+
+BOOL    bounce_return_body     = TRUE;
+BOOL    bounce_return_message  = TRUE;
+BOOL    check_rfc2047_length   = TRUE;
+BOOL    commandline_checks_require_admin = FALSE;
+
+#ifdef EXPERIMENTAL_DCC
+BOOL    dcc_direct_add_header  = FALSE;
+#endif
+BOOL    debug_store            = FALSE;
+BOOL    delivery_date_remove   = TRUE;
+BOOL    deliver_drop_privilege = FALSE;
+#ifdef ENABLE_DISABLE_FSYNC
+BOOL    disable_fsync          = FALSE;
+#endif
+BOOL    disable_ipv6           = FALSE;
+BOOL    dns_csa_use_reverse    = TRUE;
+BOOL    drop_cr                = FALSE;         /* No longer used */
+
+BOOL    envelope_to_remove     = TRUE;
+BOOL    exim_gid_set           = TRUE;          /* This gid is always set */
+BOOL    exim_uid_set           = TRUE;          /* This uid is always set */
+BOOL    extract_addresses_remove_arguments = TRUE;
+
+BOOL    host_checking          = FALSE;
+BOOL    host_lookup_deferred   = FALSE;
+BOOL    host_lookup_failed     = FALSE;
+BOOL    ignore_fromline_local  = FALSE;
+
+BOOL    local_from_check       = TRUE;
+BOOL    local_sender_retain    = FALSE;
+BOOL    log_timezone           = FALSE;
+BOOL    message_body_newlines  = FALSE;
+BOOL    message_logs           = TRUE;
+#ifdef SUPPORT_I18N
+BOOL    message_smtputf8       = FALSE;
+#endif
+BOOL    mua_wrapper            = FALSE;
+
+BOOL    preserve_message_logs  = FALSE;
+BOOL    print_topbitchars      = FALSE;
+BOOL    prod_requires_admin    = TRUE;
+#if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
+BOOL    proxy_session          = FALSE;
+#endif
+
+#ifndef DISABLE_QUEUE_RAMP
+BOOL    queue_fast_ramp		= FALSE;
+#endif
+BOOL    queue_list_requires_admin = TRUE;
+BOOL    queue_only             = FALSE;
+BOOL    queue_only_load_latch  = TRUE;
+BOOL    queue_only_override    = TRUE;
+BOOL    queue_run_in_order     = FALSE;
+BOOL    recipients_max_reject  = FALSE;
+BOOL    return_path_remove     = TRUE;
+
+BOOL    smtp_batched_input     = FALSE;
+BOOL    sender_helo_dnssec     = FALSE;
+BOOL    sender_host_dnssec     = FALSE;
+BOOL    smtp_accept_keepalive  = TRUE;
+BOOL    smtp_check_spool_space = TRUE;
+BOOL    smtp_enforce_sync      = TRUE;
+BOOL    smtp_etrn_serialize    = TRUE;
+BOOL    smtp_input             = FALSE;
+BOOL    smtp_return_error_details = FALSE;
+#ifdef SUPPORT_SPF
+BOOL    spf_result_guessed     = FALSE;
+#endif
+BOOL    split_spool_directory  = FALSE;
+BOOL    spool_wireformat       = FALSE;
+BOOL    strict_acl_vars        = FALSE;
+BOOL    strip_excess_angle_brackets = FALSE;
+BOOL    strip_trailing_dot     = FALSE;
+BOOL    syslog_duplication     = TRUE;
+BOOL    syslog_pid             = TRUE;
+BOOL    syslog_timestamp       = TRUE;
+BOOL    system_filter_gid_set  = FALSE;
+BOOL    system_filter_uid_set  = FALSE;
+
+BOOL    tcp_nodelay            = TRUE;
+BOOL    write_rejectlog        = TRUE;
+
+/******************************************************************************/
+
+header_line *acl_added_headers = NULL;
+tree_node *acl_anchor          = NULL;
+uschar *acl_arg[9]             = {NULL, NULL, NULL, NULL, NULL,
+                                  NULL, NULL, NULL, NULL};
+int     acl_narg               = 0;
+
+int     acl_level	       = 0;
+
+uschar *acl_not_smtp           = NULL;
+#ifdef WITH_CONTENT_SCAN
+uschar *acl_not_smtp_mime      = NULL;
+#endif
+uschar *acl_not_smtp_start     = NULL;
+uschar *acl_removed_headers    = NULL;
+uschar *acl_smtp_auth          = NULL;
+uschar *acl_smtp_connect       = NULL;
+uschar *acl_smtp_data          = NULL;
+#ifndef DISABLE_PRDR
+uschar *acl_smtp_data_prdr     = US"accept";
+#endif
+#ifndef DISABLE_DKIM
+uschar *acl_smtp_dkim          = NULL;
+#endif
+uschar *acl_smtp_etrn          = NULL;
+uschar *acl_smtp_expn          = NULL;
+uschar *acl_smtp_helo          = NULL;
+uschar *acl_smtp_mail          = NULL;
+uschar *acl_smtp_mailauth      = NULL;
+#ifdef WITH_CONTENT_SCAN
+uschar *acl_smtp_mime          = NULL;
+#endif
+uschar *acl_smtp_notquit       = NULL;
+uschar *acl_smtp_predata       = NULL;
+uschar *acl_smtp_quit          = NULL;
+uschar *acl_smtp_rcpt          = NULL;
+uschar *acl_smtp_starttls      = NULL;
+uschar *acl_smtp_vrfy          = NULL;
+
+tree_node *acl_var_c           = NULL;
+tree_node *acl_var_m           = NULL;
+uschar *acl_verify_message     = NULL;
+string_item *acl_warn_logged   = NULL;
+
+/* Names of SMTP places for use in ACL error messages, and corresponding SMTP
+error codes - keep in step with definitions of ACL_WHERE_xxxx in macros.h. */
+
+uschar *acl_wherenames[]       = { US"RCPT",
+                                   US"MAIL",
+                                   US"PREDATA",
+                                   US"MIME",
+                                   US"DKIM",
+                                   US"DATA",
+#ifndef DISABLE_PRDR
+                                   US"PRDR",
+#endif
+                                   US"non-SMTP",
+                                   US"AUTH",
+                                   US"connection",
+                                   US"ETRN",
+                                   US"EXPN",
+                                   US"EHLO or HELO",
+                                   US"MAILAUTH",
+                                   US"non-SMTP-start",
+                                   US"NOTQUIT",
+                                   US"QUIT",
+                                   US"STARTTLS",
+                                   US"VRFY",
+				   US"delivery",
+				   US"unknown"
+                                 };
+
+uschar *acl_wherecodes[]       = { US"550",     /* RCPT */
+                                   US"550",     /* MAIL */
+                                   US"550",     /* PREDATA */
+                                   US"550",     /* MIME */
+                                   US"550",     /* DKIM */
+                                   US"550",     /* DATA */
+#ifndef DISABLE_PRDR
+                                   US"550",    /* RCPT PRDR */
+#endif
+                                   US"0",       /* not SMTP; not relevant */
+                                   US"503",     /* AUTH */
+                                   US"550",     /* connect */
+                                   US"458",     /* ETRN */
+                                   US"550",     /* EXPN */
+                                   US"550",     /* HELO/EHLO */
+                                   US"0",       /* MAILAUTH; not relevant */
+                                   US"0",       /* not SMTP; not relevant */
+                                   US"0",       /* NOTQUIT; not relevant */
+                                   US"0",       /* QUIT; not relevant */
+                                   US"550",     /* STARTTLS */
+                                   US"252",     /* VRFY */
+				   US"0",       /* delivery; not relevant */
+				   US"0"        /* unknown; not relevant */
+                                 };
+
+uschar *add_environment        = NULL;
+address_item  *addr_duplicate  = NULL;
+
+address_item address_defaults = {
+  .next =		NULL,
+  .parent =		NULL,
+  .first =		NULL,
+  .dupof =		NULL,
+  .start_router =	NULL,
+  .router =		NULL,
+  .transport =		NULL,
+  .host_list =		NULL,
+  .host_used =		NULL,
+  .fallback_hosts =	NULL,
+  .reply =		NULL,
+  .retries =		NULL,
+  .address =		NULL,
+  .unique =		NULL,
+  .cc_local_part =	NULL,
+  .lc_local_part =	NULL,
+  .local_part =		NULL,
+  .prefix =		NULL,
+  .prefix_v =		NULL,
+  .suffix =		NULL,
+  .suffix_v =		NULL,
+  .domain =		NULL,
+  .address_retry_key =	NULL,
+  .domain_retry_key =	NULL,
+  .current_dir =	NULL,
+  .home_dir =		NULL,
+  .message =		NULL,
+  .user_message =	NULL,
+  .onetime_parent =	NULL,
+  .pipe_expandn =	NULL,
+  .return_filename =	NULL,
+  .self_hostname =	NULL,
+  .shadow_message =	NULL,
+#ifndef DISABLE_TLS
+  .cipher =		NULL,
+  .ourcert =		NULL,
+  .peercert =		NULL,
+  .peerdn =		NULL,
+  .ocsp =		OCSP_NOT_REQ,
+#endif
+#ifdef EXPERIMENTAL_DSN_INFO
+  .smtp_greeting =	NULL,
+  .helo_response =	NULL,
+#endif
+  .authenticator =	NULL,
+  .auth_id =		NULL,
+  .auth_sndr =		NULL,
+  .dsn_orcpt =		NULL,
+  .dsn_flags =		0,
+  .dsn_aware =		0,
+  .uid =		(uid_t)(-1),
+  .gid =		(gid_t)(-1),
+  .flags =		{ 0 },
+  .domain_cache =	{ 0 },                /* domain_cache - any larger array should be zeroed */
+  .localpart_cache =	{ 0 },                /* localpart_cache - ditto */
+  .mode =		-1,
+  .more_errno =		0,
+  .delivery_time =	{.tv_sec = 0, .tv_usec = 0},
+  .basic_errno =	ERRNO_UNKNOWNERROR,
+  .child_count =	0,
+  .return_file =	-1,
+  .special_action =	SPECIAL_NONE,
+  .transport_return =	DEFER,
+  .prop = {					/* fields that are propagated to children */
+    .address_data =	NULL,
+    .domain_data =	NULL,
+    .localpart_data =	NULL,
+    .errors_address =	NULL,
+    .extra_headers =	NULL,
+    .remove_headers =	NULL,
+    .variables =	NULL,
+    .ignore_error =	FALSE,
+#ifdef SUPPORT_I18N
+    .utf8_msg =		FALSE,
+    .utf8_downcvt =	FALSE,
+    .utf8_downcvt_maybe = FALSE
+#endif
+  }
+};
+
+uschar *address_file           = NULL;
+uschar *address_pipe           = NULL;
+tree_node *addresslist_anchor  = NULL;
+int     addresslist_count      = 0;
+gid_t  *admin_groups           = NULL;
+
+#ifdef EXPERIMENTAL_ARC
+struct arc_set *arc_received	= NULL;
+int     arc_received_instance	= 0;
+int     arc_oldest_pass		= 0;
+const uschar *arc_state		= NULL;
+const uschar *arc_state_reason	= NULL;
+#endif
+
+uschar *authenticated_fail_id  = NULL;
+uschar *authenticated_id       = NULL;
+uschar *authenticated_sender   = NULL;
+auth_instance  *auths          = NULL;
+uschar *auth_advertise_hosts   = US"*";
+auth_instance auth_defaults    = {
+    .next =		NULL,
+    .name =		NULL,
+    .info =		NULL,
+    .options_block =	NULL,
+    .driver_name =	NULL,
+    .advertise_condition = NULL,
+    .client_condition =	NULL,
+    .public_name =	NULL,
+    .set_id =		NULL,
+    .set_client_id =	NULL,
+    .mail_auth_condition = NULL,
+    .server_debug_string = NULL,
+    .server_condition =	NULL,
+    .client =		FALSE,
+    .server =		FALSE,
+    .advertised =	FALSE
+};
+
+uschar *auth_defer_msg         = US"reason not recorded";
+uschar *auth_defer_user_msg    = US"";
+const uschar *auth_vars[AUTH_VARS];
+uschar *authenticator_name     = NULL;
+int     auto_thaw              = 0;
+#ifdef WITH_CONTENT_SCAN
+int     av_failed              = FALSE;	/* boolean but accessed as vtype_int*/
+uschar *av_scanner             = US"sophie:/var/run/sophie";  /* AV scanner */
+#endif
+
+#if BASE_62 == 62
+uschar *base62_chars=
+    US"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+#else
+uschar *base62_chars= US"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+#endif
+
+uschar *bi_command             = NULL;
+uschar *big_buffer             = NULL;
+int     big_buffer_size        = BIG_BUFFER_SIZE;
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+uschar *bmi_alt_location       = NULL;
+uschar *bmi_base64_tracker_verdict = NULL;
+uschar *bmi_base64_verdict     = NULL;
+uschar *bmi_config_file        = US"/opt/brightmail/etc/brightmail.cfg";
+int     bmi_deliver            = 1;
+int     bmi_run                = 0;
+uschar *bmi_verdicts           = NULL;
+#endif
+int     bsmtp_transaction_linecount = 0;
+int     body_8bitmime          = 0;
+int     body_linecount         = 0;
+int     body_zerocount         = 0;
+uschar *bounce_message_file    = NULL;
+uschar *bounce_message_text    = NULL;
+uschar *bounce_recipient       = NULL;
+int     bounce_return_linesize_limit = 998;
+int     bounce_return_size_limit = 100*1024;
+uschar *bounce_sender_authentication = NULL;
+
+uschar *callout_address        = NULL;
+int     callout_cache_domain_positive_expire = 7*24*60*60;
+int     callout_cache_domain_negative_expire = 3*60*60;
+int     callout_cache_positive_expire = 24*60*60;
+int     callout_cache_negative_expire = 2*60*60;
+uschar *callout_random_local_part = US"$primary_hostname-$tod_epoch-testing";
+uschar *check_dns_names_pattern= US"(?i)^(?>(?(1)\\.|())[^\\W](?>[a-z0-9/_-]*[^\\W])?)+(\\.?)$";
+int     check_log_inodes       = 100;
+int_eximarith_t check_log_space = 10*1024;	/* 10K Kbyte == 10MB */
+int     check_spool_inodes     = 100;
+int_eximarith_t check_spool_space = 10*1024;	/* 10K Kbyte == 10MB */
+
+uschar *chunking_advertise_hosts = US"*";
+unsigned chunking_datasize     = 0;
+unsigned chunking_data_left    = 0;
+chunking_state_t chunking_state= CHUNKING_NOT_OFFERED;
+const pcre2_code *regex_CHUNKING     = NULL;
+
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+const pcre2_code *regex_LIMITS        = NULL;
+#endif
+
+uschar *client_authenticator   = NULL;
+uschar *client_authenticated_id = NULL;
+uschar *client_authenticated_sender = NULL;
+#ifndef DISABLE_CLIENT_CMD_LOG
+gstring *client_cmd_log        = NULL;
+#endif
+int     clmacro_count          = 0;
+uschar *clmacros[MAX_CLMACROS];
+FILE   *config_file            = NULL;
+const uschar *config_filename  = NULL;
+int     config_lineno          = 0;
+#ifdef CONFIGURE_GROUP
+gid_t   config_gid             = CONFIGURE_GROUP;
+#else
+gid_t   config_gid             = 0;
+#endif
+uschar *config_main_filelist   = US CONFIGURE_FILE
+                         "\0<-----------Space to patch configure_filename->";
+uschar *config_main_filename   = NULL;
+uschar *config_main_directory  = NULL;
+
+#ifdef CONFIGURE_OWNER
+uid_t   config_uid             = CONFIGURE_OWNER;
+#else
+uid_t   config_uid             = 0;
+#endif
+
+int     connection_max_messages= -1;
+uschar *continue_proxy_cipher  = NULL;
+BOOL    continue_proxy_dane    = FALSE;
+uschar *continue_proxy_sni     = NULL;
+uschar *continue_hostname      = NULL;
+uschar *continue_host_address  = NULL;
+int     continue_sequence      = 1;
+uschar *continue_transport     = NULL;
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+unsigned continue_limit_mail   = 0;
+unsigned continue_limit_rcpt   = 0;
+unsigned continue_limit_rcptdom= 0;
+#endif
+
+uschar *csa_status             = NULL;
+cut_t   cutthrough = {
+  .callout_hold_only =	FALSE,				/* verify-only: normal delivery */
+  .delivery =		FALSE,				/* when to attempt */
+  .defer_pass =		FALSE,				/* on defer: spool locally */
+  .is_tls =		FALSE,				/* not a TLS conn yet */
+  .cctx =		{.sock = -1},			/* open connection */
+  .nrcpt =		0,				/* number of addresses */
+};
+
+int	daemon_notifier_fd     = -1;
+uschar *daemon_smtp_port       = US"smtp";
+int     daemon_startup_retries = 9;
+int     daemon_startup_sleep   = 30;
+
+#ifdef EXPERIMENTAL_DCC
+uschar *dcc_header             = NULL;
+uschar *dcc_result             = NULL;
+uschar *dccifd_address         = US"/usr/local/dcc/var/dccifd";
+uschar *dccifd_options         = US"header";
+#endif
+
+int     debug_fd               = -1;
+FILE   *debug_file             = NULL;
+int     debug_notall[]         = {
+  Di_memory,
+  Di_noutf8,
+  -1
+};
+bit_table debug_options[]      = { /* must be in alphabetical order and use
+				 only the enum values from macro.h */
+  BIT_TABLE(D, acl),
+  BIT_TABLE(D, all),
+  BIT_TABLE(D, auth),
+  BIT_TABLE(D, deliver),
+  BIT_TABLE(D, dns),
+  BIT_TABLE(D, dnsbl),
+  BIT_TABLE(D, exec),
+  BIT_TABLE(D, expand),
+  BIT_TABLE(D, filter),
+  BIT_TABLE(D, hints_lookup),
+  BIT_TABLE(D, host_lookup),
+  BIT_TABLE(D, ident),
+  BIT_TABLE(D, interface),
+  BIT_TABLE(D, lists),
+  BIT_TABLE(D, load),
+  BIT_TABLE(D, local_scan),
+  BIT_TABLE(D, lookup),
+  BIT_TABLE(D, memory),
+  BIT_TABLE(D, noutf8),
+  BIT_TABLE(D, pid),
+  BIT_TABLE(D, process_info),
+  BIT_TABLE(D, queue_run),
+  BIT_TABLE(D, receive),
+  BIT_TABLE(D, resolver),
+  BIT_TABLE(D, retry),
+  BIT_TABLE(D, rewrite),
+  BIT_TABLE(D, route),
+  BIT_TABLE(D, timestamp),
+  BIT_TABLE(D, tls),
+  BIT_TABLE(D, transport),
+  BIT_TABLE(D, uid),
+  BIT_TABLE(D, verify),
+};
+int      debug_options_count	= nelem(debug_options);
+uschar   debuglog_name[LOG_NAME_SIZE] = {0};
+unsigned debug_pretrigger_bsize	= 0;
+uschar * debug_pretrigger_buf	= NULL;
+unsigned int debug_selector	= 0;
+
+int     delay_warning[DELAY_WARNING_SIZE] = { DELAY_WARNING_SIZE, 1, 24*60*60 };
+uschar *delay_warning_condition=
+  US"${if or {"
+            "{ !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }"
+            "{ match{$h_precedence:}{(?i)bulk|list|junk} }"
+            "{ match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }"
+            "} {no}{yes}}";
+uschar *deliver_address_data   = NULL;
+int     deliver_datafile       = -1;
+const uschar *deliver_domain   = NULL;
+uschar *deliver_domain_data    = NULL;
+const uschar *deliver_domain_orig = NULL;
+const uschar *deliver_domain_parent = NULL;
+time_t  deliver_frozen_at      = 0;
+uschar *deliver_home           = NULL;
+const uschar *deliver_host     = NULL;
+const uschar *deliver_host_address = NULL;
+int     deliver_host_port      = 0;
+uschar *deliver_in_buffer      = NULL;
+ino_t   deliver_inode          = 0;
+uschar *deliver_localpart      = NULL;
+uschar *deliver_localpart_data = NULL;
+uschar *deliver_localpart_orig = NULL;
+uschar *deliver_localpart_parent = NULL;
+uschar *deliver_localpart_prefix = NULL;
+uschar *deliver_localpart_prefix_v = NULL;
+uschar *deliver_localpart_suffix = NULL;
+uschar *deliver_localpart_suffix_v = NULL;
+uschar *deliver_out_buffer     = NULL;
+int     deliver_queue_load_max = -1;
+address_item  *deliver_recipients = NULL;
+uschar *deliver_selectstring   = NULL;
+uschar *deliver_selectstring_sender = NULL;
+
+#ifndef DISABLE_DKIM
+unsigned dkim_collect_input      = 0;
+uschar *dkim_cur_signer          = NULL;
+int     dkim_key_length          = 0;
+void   *dkim_signatures		 = NULL;
+uschar *dkim_signers             = NULL;
+uschar *dkim_signing_domain      = NULL;
+uschar *dkim_signing_selector    = NULL;
+uschar *dkim_verify_hashes       = US"sha256:sha512";
+uschar *dkim_verify_keytypes     = US"ed25519:rsa";
+uschar *dkim_verify_min_keysizes = US"rsa=1024 ed25519=250";
+BOOL	dkim_verify_minimal      = FALSE;
+uschar *dkim_verify_overall      = NULL;
+uschar *dkim_verify_signers      = US"$dkim_signers";
+uschar *dkim_verify_status	 = NULL;
+uschar *dkim_verify_reason	 = NULL;
+#endif
+#ifdef SUPPORT_DMARC
+uschar *dmarc_domain_policy     = NULL;
+uschar *dmarc_forensic_sender   = NULL;
+uschar *dmarc_history_file      = NULL;
+uschar *dmarc_status            = NULL;
+uschar *dmarc_status_text       = NULL;
+uschar *dmarc_tld_file          = NULL;
+uschar *dmarc_used_domain       = NULL;
+#endif
+
+uschar *dns_again_means_nonexist = NULL;
+int     dns_csa_search_limit   = 5;
+int	dns_cname_loops	       = 1;
+#ifdef SUPPORT_DANE
+int     dns_dane_ok            = -1;
+#endif
+uschar *dns_ipv4_lookup        = NULL;
+int     dns_retrans            = 0;
+int     dns_retry              = 0;
+int     dns_dnssec_ok          = -1; /* <0 = not coerced */
+uschar *dns_trust_aa           = NULL;
+int     dns_use_edns0          = -1; /* <0 = not coerced */
+uschar *dnslist_domain         = NULL;
+uschar *dnslist_matched        = NULL;
+uschar *dnslist_text           = NULL;
+uschar *dnslist_value          = NULL;
+tree_node *domainlist_anchor   = NULL;
+int     domainlist_count       = 0;
+const uschar *driver_srcfile   = NULL;
+int     driver_srcline	       = 0;
+uschar *dsn_from               = US DEFAULT_DSN_FROM;
+unsigned int dtrigger_selector = 0;
+
+int     errno_quota            = ERRNO_QUOTA;
+uschar *errors_copy            = NULL;
+int     error_handling         = ERRORS_SENDER;
+uschar *errors_reply_to        = NULL;
+int     errors_sender_rc       = EXIT_FAILURE;
+#ifndef DISABLE_EVENT
+uschar *event_action             = NULL;	/* expansion for delivery events */
+uschar *event_data               = NULL;	/* auxiliary data variable for event */
+int     event_defer_errno        = 0;
+const uschar *event_name         = NULL;	/* event name variable */
+#endif
+
+
+gid_t   exim_gid               = EXIM_GID;
+uschar *exim_path              = US BIN_DIRECTORY "/exim"
+                        "\0<---------------Space to patch exim_path->";
+uid_t   exim_uid               = EXIM_UID;
+int     expand_level	       = 0;		/* Nesting depth, indent for debug */
+int     expand_forbid          = 0;
+int     expand_nlength[EXPAND_MAXN+1];
+int     expand_nmax            = -1;
+const uschar *expand_nstring[EXPAND_MAXN+1];
+uschar *expand_string_message;
+uschar *extra_local_interfaces = NULL;
+
+int     fake_response          = OK;
+uschar *fake_response_text     = US"Your message has been rejected but is "
+                                   "being kept for evaluation.\nIf it was a "
+                                   "legitimate message, it may still be "
+                                   "delivered to the target recipient(s).";
+int     filter_n[FILTER_VARIABLE_COUNT];
+int     filter_sn[FILTER_VARIABLE_COUNT];
+int     filter_test            = FTEST_NONE;
+uschar *filter_test_sfile      = NULL;
+uschar *filter_test_ufile      = NULL;
+uschar *filter_thisaddress     = NULL;
+int     finduser_retries       = 0;
+uid_t   fixed_never_users[]    = { FIXED_NEVER_USERS };
+uschar *freeze_tell            = NULL;
+uschar *freeze_tell_config     = NULL;
+uschar *fudged_queue_times     = US"";
+
+uschar *gecos_name             = NULL;
+uschar *gecos_pattern          = NULL;
+rewrite_rule  *global_rewrite_rules = NULL;
+
+volatile sig_atomic_t had_command_timeout = 0;
+volatile sig_atomic_t had_command_sigterm = 0;
+volatile sig_atomic_t had_data_timeout    = 0;
+volatile sig_atomic_t had_data_sigint     = 0;
+const uschar *headers_charset  = US HEADERS_CHARSET;
+int     header_insert_maxlen   = 64 * 1024;
+header_line  *header_last      = NULL;
+header_line  *header_list      = NULL;
+int     header_maxsize         = HEADER_MAXSIZE;
+int     header_line_maxsize    = 0;
+
+header_name header_names[] = {
+  /* name		len	allow_resent	htype */
+  { US"bcc",            3,	TRUE,		htype_bcc },
+  { US"cc",             2,	TRUE,		htype_cc },
+  { US"date",           4,	TRUE,		htype_date },
+  { US"delivery-date", 13,	FALSE,		htype_delivery_date },
+  { US"envelope-to",   11,	FALSE,		htype_envelope_to },
+  { US"from",           4,	TRUE,		htype_from },
+  { US"message-id",    10,	TRUE,		htype_id },
+  { US"received",       8,	FALSE,		htype_received },
+  { US"reply-to",       8,	FALSE,		htype_reply_to },
+  { US"return-path",   11,	FALSE,		htype_return_path },
+  { US"sender",         6,	TRUE,		htype_sender },
+  { US"subject",        7,	FALSE,		htype_subject },
+  { US"to",             2,	TRUE,		htype_to }
+};
+
+int header_names_size          = nelem(header_names);
+
+uschar *helo_accept_junk_hosts = NULL;
+uschar *helo_allow_chars       = US"";
+uschar *helo_lookup_domains    = US"@ : @[]";
+uschar *helo_try_verify_hosts  = NULL;
+uschar *helo_verify_hosts      = NULL;
+const uschar *hex_digits       = CUS"0123456789abcdef";
+uschar *hold_domains           = NULL;
+uschar *host_data              = NULL;
+uschar *host_lookup            = NULL;
+uschar *host_lookup_order      = US"bydns:byaddr";
+uschar *host_lookup_msg        = US"";
+int     host_number            = 0;
+uschar *host_number_string     = NULL;
+uschar *host_reject_connection = NULL;
+tree_node *hostlist_anchor     = NULL;
+int     hostlist_count         = 0;
+uschar *hosts_treat_as_local   = NULL;
+uschar *hosts_require_helo     = US"*";
+uschar *hosts_connection_nolog = NULL;
+
+int     ignore_bounce_errors_after = 10*7*24*60*60;  /* 10 weeks */
+uschar *ignore_fromline_hosts  = NULL;
+int     inetd_wait_timeout     = -1;
+uschar *initial_cwd            = NULL;
+uschar *interface_address      = NULL;
+int     interface_port         = -1;
+uschar *iterate_item           = NULL;
+
+int     journal_fd             = -1;
+
+uschar *keep_environment       = NULL;
+
+int     keep_malformed         = 4*24*60*60;    /* 4 days */
+
+uschar *eldap_dn               = NULL;
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+uschar *limits_advertise_hosts = US"*";
+#endif
+int     load_average           = -2;
+uschar *local_from_prefix      = NULL;
+uschar *local_from_suffix      = NULL;
+
+#if HAVE_IPV6
+uschar *local_interfaces       = US"<; ::0 ; 0.0.0.0";
+#else
+uschar *local_interfaces       = US"0.0.0.0";
+#endif
+
+#ifdef HAVE_LOCAL_SCAN
+uschar *local_scan_data        = NULL;
+int     local_scan_timeout     = 5*60;
+#endif
+gid_t   local_user_gid         = (gid_t)(-1);
+uid_t   local_user_uid         = (uid_t)(-1);
+
+tree_node *localpartlist_anchor= NULL;
+int     localpartlist_count    = 0;
+uschar *log_buffer             = NULL;
+
+int     log_default[]          = { /* for initializing log_selector */
+  Li_acl_warn_skipped,
+  Li_connection_reject,
+  Li_delay_delivery,
+  Li_dkim,
+  Li_dnslist_defer,
+  Li_etrn,
+  Li_host_lookup_failed,
+  Li_lost_incoming_connection,
+  Li_outgoing_interface, /* see d_log_interface in deliver.c */
+  Li_msg_id,
+  Li_queue_run,
+  Li_queue_time_exclusive,
+  Li_rejected_header,
+  Li_retry_defer,
+  Li_sender_verify_fail,
+  Li_size_reject,
+  Li_skip_delivery,
+  Li_smtp_confirmation,
+  Li_tls_certificate_verified,
+  Li_tls_cipher,
+  -1
+};
+
+uschar *log_file_path          = US LOG_FILE_PATH
+                           "\0<--------------Space to patch log_file_path->";
+
+int     log_notall[]           = {
+  -1
+};
+bit_table log_options[]        = { /* must be in alphabetical order,
+				with definitions from enum logbit. */
+  BIT_TABLE(L, 8bitmime),
+  BIT_TABLE(L, acl_warn_skipped),
+  BIT_TABLE(L, address_rewrite),
+  BIT_TABLE(L, all),
+  BIT_TABLE(L, all_parents),
+  BIT_TABLE(L, arguments),
+  BIT_TABLE(L, connection_reject),
+  BIT_TABLE(L, delay_delivery),
+  BIT_TABLE(L, deliver_time),
+  BIT_TABLE(L, delivery_size),
+#ifndef DISABLE_DKIM
+  BIT_TABLE(L, dkim),
+  BIT_TABLE(L, dkim_verbose),
+#endif
+  BIT_TABLE(L, dnslist_defer),
+  BIT_TABLE(L, dnssec),
+  BIT_TABLE(L, etrn),
+  BIT_TABLE(L, host_lookup_failed),
+  BIT_TABLE(L, ident_timeout),
+  BIT_TABLE(L, incoming_interface),
+  BIT_TABLE(L, incoming_port),
+  BIT_TABLE(L, lost_incoming_connection),
+  BIT_TABLE(L, millisec),
+  BIT_TABLE(L, msg_id),
+  BIT_TABLE(L, msg_id_created),
+  BIT_TABLE(L, outgoing_interface),
+  BIT_TABLE(L, outgoing_port),
+  BIT_TABLE(L, pid),
+  BIT_TABLE(L, pipelining),
+  BIT_TABLE(L, protocol_detail),
+#if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
+  BIT_TABLE(L, proxy),
+#endif
+  BIT_TABLE(L, queue_run),
+  BIT_TABLE(L, queue_time),
+  BIT_TABLE(L, queue_time_exclusive),
+  BIT_TABLE(L, queue_time_overall),
+  BIT_TABLE(L, receive_time),
+  BIT_TABLE(L, received_recipients),
+  BIT_TABLE(L, received_sender),
+  BIT_TABLE(L, rejected_header),
+  { US"rejected_headers", Li_rejected_header },
+  BIT_TABLE(L, retry_defer),
+  BIT_TABLE(L, return_path_on_delivery),
+  BIT_TABLE(L, sender_on_delivery),
+  BIT_TABLE(L, sender_verify_fail),
+  BIT_TABLE(L, size_reject),
+  BIT_TABLE(L, skip_delivery),
+  BIT_TABLE(L, smtp_confirmation),
+  BIT_TABLE(L, smtp_connection),
+  BIT_TABLE(L, smtp_incomplete_transaction),
+  BIT_TABLE(L, smtp_mailauth),
+  BIT_TABLE(L, smtp_no_mail),
+  BIT_TABLE(L, smtp_protocol_error),
+  BIT_TABLE(L, smtp_syntax_error),
+  BIT_TABLE(L, subject),
+  BIT_TABLE(L, tls_certificate_verified),
+  BIT_TABLE(L, tls_cipher),
+  BIT_TABLE(L, tls_peerdn),
+  BIT_TABLE(L, tls_resumption),
+  BIT_TABLE(L, tls_sni),
+  BIT_TABLE(L, unknown_in_list),
+};
+int     log_options_count      = nelem(log_options);
+
+int     log_reject_target      = 0;
+unsigned int log_selector[log_selector_size]; /* initialized in main() */
+uschar *log_selector_string    = NULL;
+FILE   *log_stderr             = NULL;
+uschar *login_sender_address   = NULL;
+uschar *lookup_dnssec_authenticated = NULL;
+int     lookup_open_max        = 25;
+uschar *lookup_value           = NULL;
+
+macro_item *macros_user        = NULL;
+uschar *mailstore_basename     = NULL;
+#ifdef WITH_CONTENT_SCAN
+uschar *malware_name           = NULL;  /* Virus Name */
+#endif
+int     max_received_linelength= 0;
+int     max_username_length    = 0;
+int     message_age            = 0;
+uschar *message_body           = NULL;
+uschar *message_body_end       = NULL;
+int     message_body_size      = 0;
+int     message_body_visible   = 500;
+int     message_ended          = END_NOTSTARTED;
+uschar *message_headers        = NULL;
+uschar *message_id;
+uschar *message_id_domain      = NULL;
+uschar *message_id_text        = NULL;
+uschar  message_id_option[MESSAGE_ID_LENGTH + 3];
+uschar *message_id_external;
+int     message_linecount      = 0;
+int     message_size           = 0;
+uschar *message_size_limit     = US"50M";
+#ifdef SUPPORT_I18N
+int     message_utf8_downconvert = 0;	/* -1 ifneeded; 0 never; 1 always */
+#endif
+uschar  message_subdir[2]      = { 0, 0 };
+uschar *message_reference      = NULL;
+
+/* MIME ACL expandables */
+#ifdef WITH_CONTENT_SCAN
+int     mime_anomaly_level     = 0;
+const uschar *mime_anomaly_text      = NULL;
+uschar *mime_boundary          = NULL;
+uschar *mime_charset           = NULL;
+uschar *mime_content_description = NULL;
+uschar *mime_content_disposition = NULL;
+uschar *mime_content_id        = NULL;
+unsigned int mime_content_size = 0;
+uschar *mime_content_transfer_encoding = NULL;
+uschar *mime_content_type      = NULL;
+uschar *mime_decoded_filename  = NULL;
+uschar *mime_filename          = NULL;
+int     mime_is_multipart      = 0;
+int     mime_is_coverletter    = 0;
+int     mime_is_rfc822         = 0;
+int     mime_part_count        = -1;
+#endif
+
+uid_t  *never_users            = NULL;
+uschar *notifier_socket        = US"$spool_directory/" NOTIFIER_SOCKET_NAME ;
+
+const int on                   = 1;	/* for setsockopt */
+const int off                  = 0;
+
+uid_t   original_euid;
+gid_t   originator_gid;
+uschar *originator_login       = NULL;
+uschar *originator_name        = NULL;
+uid_t   originator_uid;
+uschar *override_local_interfaces = NULL;
+uschar *override_pid_file_path = NULL;
+
+pcre2_general_context * pcre_gen_ctx = NULL;
+pcre2_compile_context * pcre_cmp_ctx = NULL;
+pcre2_match_context * pcre_mtc_ctx = NULL;
+
+uschar *percent_hack_domains   = NULL;
+uschar *pid_file_path          = US PID_FILE_PATH
+                           "\0<--------------Space to patch pid_file_path->";
+#ifndef DISABLE_PIPE_CONNECT
+uschar *pipe_connect_advertise_hosts = US"*";
+#endif
+uschar *pipelining_advertise_hosts = US"*";
+uschar *primary_hostname       = NULL;
+uschar *process_info;
+int     process_info_len       = 0;
+uschar *process_log_path       = NULL;
+const uschar *process_purpose  = US"fresh-exec";
+
+#if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
+uschar *hosts_proxy            = NULL;
+uschar *proxy_external_address = NULL;
+int     proxy_external_port    = 0;
+uschar *proxy_local_address    = NULL;
+int     proxy_local_port       = 0;
+int     proxy_protocol_timeout = 3;
+#endif
+
+uschar *prvscheck_address      = NULL;
+uschar *prvscheck_keynum       = NULL;
+uschar *prvscheck_result       = NULL;
+
+
+const uschar *qualify_domain_recipient = NULL;
+uschar *qualify_domain_sender  = NULL;
+uschar *queue_domains          = NULL;
+int     queue_interval         = -1;
+uschar *queue_name             = US"";
+uschar *queue_name_dest        = NULL;
+uschar *queue_only_file        = NULL;
+int     queue_only_load        = -1;
+uschar *queue_run_max          = US"5";
+pid_t   queue_run_pid          = (pid_t)0;
+int     queue_run_pipe         = -1;
+unsigned queue_size            = 0;
+time_t  queue_size_next        = 0;
+uschar *queue_smtp_domains     = NULL;
+
+uint32_t random_seed	       = 0;
+tree_node *ratelimiters_cmd    = NULL;
+tree_node *ratelimiters_conn   = NULL;
+tree_node *ratelimiters_mail   = NULL;
+uschar *raw_active_hostname    = NULL;
+uschar *raw_sender             = NULL;
+uschar **raw_recipients        = NULL;
+int     raw_recipients_count   = 0;
+
+int     rcpt_count             = 0;
+int     rcpt_fail_count        = 0;
+int     rcpt_defer_count       = 0;
+gid_t   real_gid;
+uid_t   real_uid;
+int     receive_linecount      = 0;
+int     receive_messagecount   = 0;
+int     receive_timeout        = 0;
+int     received_count         = 0;
+uschar *received_for           = NULL;
+
+/*  This is the default text for Received headers generated by Exim. The
+date  will be automatically added on the end. */
+
+uschar *received_header_text   = US
+     "Received: "
+     "${if def:sender_rcvhost {from $sender_rcvhost\n\t}"
+       "{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}"
+         "${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}"
+     "by $primary_hostname "
+     "${if def:received_protocol {with $received_protocol }}"
+#ifndef DISABLE_TLS
+     "${if def:tls_in_ver        { ($tls_in_ver)}}"
+     "${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}"
+#endif
+     "(Exim $version_number)\n\t"
+     "${if def:sender_address {(envelope-from <$sender_address>)\n\t}}"
+     "id $message_exim_id"
+     "${if def:received_for {\n\tfor $received_for}}"
+     "\0<---------------Space to patch received_header_text->";
+
+int     received_headers_max   = 30;
+uschar *received_protocol      = NULL;
+struct timeval received_time   = { 0, 0 };
+struct timeval received_time_complete = { 0, 0 };
+uschar *recipient_data         = NULL;
+uschar *recipient_unqualified_hosts = NULL;
+uschar *recipient_verify_failure = NULL;
+int     recipients_count       = 0;
+recipient_item  *recipients_list = NULL;
+int     recipients_list_max    = 0;
+int     recipients_max         = 50000;
+const pcre2_code *regex_AUTH         = NULL;
+const pcre2_code *regex_check_dns_names = NULL;
+const pcre2_code *regex_From         = NULL;
+const pcre2_code *regex_IGNOREQUOTA  = NULL;
+const pcre2_code *regex_PIPELINING   = NULL;
+const pcre2_code *regex_SIZE         = NULL;
+#ifndef DISABLE_PIPE_CONNECT
+const pcre2_code *regex_EARLY_PIPE   = NULL;
+#endif
+const pcre2_code *regex_ismsgid      = NULL;
+const pcre2_code *regex_smtp_code    = NULL;
+const uschar *regex_vars[REGEX_VARS];
+#ifdef WHITELIST_D_MACROS
+const pcre2_code *regex_whitelisted_macro = NULL;
+#endif
+#ifdef WITH_CONTENT_SCAN
+uschar *regex_match_string     = NULL;
+#endif
+int     remote_delivery_count  = 0;
+int     remote_max_parallel    = 2;
+uschar *remote_sort_domains    = NULL;
+int     retry_data_expire      = 7*24*60*60;
+int     retry_interval_max     = 24*60*60;
+int     retry_maximum_timeout  = 0;        /* set from retry config */
+retry_config  *retries         = NULL;
+uschar *return_path            = NULL;
+int     rewrite_existflags     = 0;
+uschar *rfc1413_hosts          = US"@[]";
+int     rfc1413_query_timeout  = 0;
+uid_t   root_gid               = ROOT_GID;
+uid_t   root_uid               = ROOT_UID;
+
+router_instance  *routers  = NULL;
+router_instance  router_defaults = {
+    .next =			NULL,
+    .name =			NULL,
+    .info =			NULL,
+    .options_block =		NULL,
+    .driver_name =		NULL,
+
+    .address_data =		NULL,
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+    .bmi_rule =			NULL,
+#endif
+    .cannot_route_message =	NULL,
+    .condition =		NULL,
+    .current_directory =	NULL,
+    .debug_string =		NULL,
+    .domains =			NULL,
+    .errors_to =		NULL,
+    .expand_gid =		NULL,
+    .expand_uid =		NULL,
+    .expand_more =		NULL,
+    .expand_unseen =		NULL,
+    .extra_headers =		NULL,
+    .fallback_hosts =		NULL,
+    .home_directory =		NULL,
+    .ignore_target_hosts =	NULL,
+    .local_parts =		NULL,
+    .pass_router_name =		NULL,
+    .prefix =			NULL,
+    .redirect_router_name =	NULL,
+    .remove_headers =		NULL,
+    .require_files =		NULL,
+    .router_home_directory =	NULL,
+    .self =			US"freeze",
+    .senders =			NULL,
+    .suffix =			NULL,
+    .translate_ip_address =	NULL,
+    .transport_name =		NULL,
+
+    .address_test =		TRUE,
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+    .bmi_deliver_alternate =	FALSE,
+    .bmi_deliver_default =	FALSE,
+    .bmi_dont_deliver =		FALSE,
+#endif
+    .expn =			TRUE,
+    .caseful_local_part =	FALSE,
+    .check_local_user =		FALSE,
+    .disable_logging =		FALSE,
+    .fail_verify_recipient =	FALSE,
+    .fail_verify_sender =	FALSE,
+    .gid_set =			FALSE,
+    .initgroups =		FALSE,
+    .log_as_local =		TRUE_UNSET,
+    .more =			TRUE,
+    .pass_on_timeout =		FALSE,
+    .prefix_optional =		FALSE,
+    .repeat_use =		TRUE,
+    .retry_use_local_part =	TRUE_UNSET,
+    .same_domain_copy_routing =	FALSE,
+    .self_rewrite =		FALSE,
+    .set =			NULL,
+    .suffix_optional =		FALSE,
+    .verify_only =		FALSE,
+    .verify_recipient =		TRUE,
+    .verify_sender =		TRUE,
+    .uid_set =			FALSE,
+    .unseen =			FALSE,
+    .dsn_lasthop =		FALSE,
+
+    .self_code =		self_freeze,
+    .uid =			(uid_t)(-1),
+    .gid =			(gid_t)(-1),
+
+    .fallback_hostlist =	NULL,
+    .transport =		NULL,
+    .pass_router =		NULL,
+    .redirect_router =		NULL,
+
+    .dnssec =                   { .request= US"*", .require=NULL },
+};
+
+uschar *router_name            = NULL;
+tree_node *router_var	       = NULL;
+
+ip_address_item *running_interfaces = NULL;
+
+/* This is a weird one. The following string gets patched in the binary by the
+script that sets up a copy of Exim for running in the test harness. It seems
+that compilers are now clever, and share constant strings if they can.
+Elsewhere in Exim the string "<" is used. The compiler optimization seems to
+make use of the end of this string in order to save space. So the patching then
+wrecks this. We defeat this optimization by adding some additional characters
+onto the end of the string. */
+
+uschar *running_status         = US">>>running<<<" "\0EXTRA";
+
+int     runrc                  = 0;
+
+uschar *search_error_message   = NULL;
+uschar *self_hostname          = NULL;
+uschar *sender_address         = NULL;
+unsigned int sender_address_cache[(MAX_NAMED_LIST * 2)/32];
+uschar *sender_address_data    = NULL;
+uschar *sender_address_unrewritten = NULL;
+uschar *sender_data            = NULL;
+unsigned int sender_domain_cache[(MAX_NAMED_LIST * 2)/32];
+uschar *sender_fullhost        = NULL;
+uschar *sender_helo_name       = NULL;
+uschar **sender_host_aliases   = &no_aliases;
+uschar *sender_host_address    = NULL;
+uschar *sender_host_authenticated = NULL;
+uschar *sender_host_auth_pubname  = NULL;
+unsigned int sender_host_cache[(MAX_NAMED_LIST * 2)/32];
+uschar *sender_host_name       = NULL;
+int     sender_host_port       = 0;
+uschar *sender_ident           = NULL;
+uschar *sender_rate            = NULL;
+uschar *sender_rate_limit      = NULL;
+uschar *sender_rate_period     = NULL;
+uschar *sender_rcvhost         = NULL;
+uschar *sender_unqualified_hosts = NULL;
+uschar *sender_verify_failure = NULL;
+address_item *sender_verified_list  = NULL;
+address_item *sender_verified_failed = NULL;
+int     sender_verified_rc     = -1;
+uschar *sending_ip_address     = NULL;
+int     sending_port           = -1;
+SIGNAL_BOOL sigalrm_seen       = FALSE;
+const uschar *sigalarm_setter  = NULL;
+uschar **sighup_argv           = NULL;
+int     slow_lookup_log        = 0;	/* millisecs, zero disables */
+int     smtp_accept_count      = 0;
+int     smtp_accept_max        = 20;
+int     smtp_accept_max_nonmail= 10;
+uschar *smtp_accept_max_nonmail_hosts = US"*";
+uschar *smtp_accept_max_per_connection = US"1000";
+uschar *smtp_accept_max_per_host = NULL;
+int     smtp_accept_queue      = 0;
+int     smtp_accept_queue_per_connection = 10;
+int     smtp_accept_reserve    = 0;
+uschar *smtp_active_hostname   = NULL;
+int	smtp_backlog_monitor   = 0;
+uschar *smtp_banner            = US"$smtp_active_hostname ESMTP "
+                             "Exim $version_number $tod_full"
+                             "\0<---------------Space to patch smtp_banner->";
+int     smtp_ch_index          = 0;
+uschar *smtp_cmd_argument      = NULL;
+uschar *smtp_cmd_buffer        = NULL;
+struct timeval smtp_connection_start  = {0,0};
+uschar  smtp_connection_had[SMTP_HBUFF_SIZE];
+int     smtp_connect_backlog   = 20;
+double  smtp_delay_mail        = 0.0;
+double  smtp_delay_rcpt        = 0.0;
+FILE   *smtp_in                = NULL;
+int     smtp_listen_backlog    = 0;
+int     smtp_load_reserve      = -1;
+int     smtp_mailcmd_count     = 0;
+int     smtp_mailcmd_max       = -1;
+FILE   *smtp_out               = NULL;
+uschar *smtp_etrn_command      = NULL;
+int     smtp_max_synprot_errors= 3;
+int     smtp_max_unknown_commands = 3;
+uschar *smtp_notquit_reason    = NULL;
+unsigned smtp_peer_options     = 0;
+unsigned smtp_peer_options_wrap= 0;
+uschar *smtp_ratelimit_hosts   = NULL;
+uschar *smtp_ratelimit_mail    = NULL;
+uschar *smtp_ratelimit_rcpt    = NULL;
+uschar *smtp_read_error        = US"";
+int     smtp_receive_timeout   = 5*60;
+uschar *smtp_receive_timeout_s = NULL;
+uschar *smtp_reserve_hosts     = NULL;
+int     smtp_rlm_base          = 0;
+double  smtp_rlm_factor        = 0.0;
+int     smtp_rlm_limit         = 0;
+int     smtp_rlm_threshold     = INT_MAX;
+int     smtp_rlr_base          = 0;
+double  smtp_rlr_factor        = 0.0;
+int     smtp_rlr_limit         = 0;
+int     smtp_rlr_threshold     = INT_MAX;
+#ifdef SUPPORT_I18N
+uschar *smtputf8_advertise_hosts = US"*";	/* overridden under test-harness */
+#endif
+
+#ifdef WITH_CONTENT_SCAN
+uschar *spamd_address          = US"127.0.0.1 783";
+uschar *spam_bar               = NULL;
+uschar *spam_report            = NULL;
+uschar *spam_action            = NULL;
+uschar *spam_score             = NULL;
+uschar *spam_score_int         = NULL;
+#endif
+#ifdef SUPPORT_SPF
+uschar *spf_guess              = US"v=spf1 a/24 mx/24 ptr ?all";
+uschar *spf_header_comment     = NULL;
+uschar *spf_received           = NULL;
+uschar *spf_result             = NULL;
+uschar *spf_smtp_comment       = NULL;
+uschar *spf_smtp_comment_template
+                    /* Used to be: "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}" */
+                               = US"Please%_see%_http://www.open-spf.org/Why";
+
+#endif
+
+FILE   *spool_data_file	       = NULL;
+uschar *spool_directory        = US SPOOL_DIRECTORY
+                           "\0<--------------Space to patch spool_directory->";
+#ifdef SUPPORT_SRS
+uschar *srs_recipient          = NULL;
+#endif
+int     string_datestamp_offset= -1;
+int     string_datestamp_length= 0;
+int     string_datestamp_type  = -1;
+const uschar *submission_domain = NULL;
+const uschar *submission_name  = NULL;
+int     syslog_facility        = LOG_MAIL;
+uschar *syslog_processname     = US"exim";
+uschar *system_filter          = NULL;
+
+uschar *system_filter_directory_transport = NULL;
+uschar *system_filter_file_transport = NULL;
+uschar *system_filter_pipe_transport = NULL;
+uschar *system_filter_reply_transport = NULL;
+
+gid_t   system_filter_gid      = 0;
+uid_t   system_filter_uid      = (uid_t)-1;
+
+blob	tcp_fastopen_nodata    = { .data = NULL, .len = 0 };
+tfo_state_t tcp_out_fastopen   = TFO_NOT_USED;
+#ifdef USE_TCP_WRAPPERS
+uschar *tcp_wrappers_daemon_name = US TCP_WRAPPERS_DAEMON_NAME;
+#endif
+int     test_harness_load_avg  = 0;
+int     thismessage_size_limit = 0;
+int     timeout_frozen_after   = 0;
+#ifdef MEASURE_TIMING
+struct timeval timestamp_startup;
+#endif
+
+transport_instance  *transports = NULL;
+
+transport_instance  transport_defaults = {
+    /* All non-mentioned elements zero/NULL/FALSE */
+    .batch_max =		1,
+    .multi_domain =		TRUE,
+    .max_addresses =		100,
+    .connection_max_messages =	500,
+    .uid =			(uid_t)(-1),
+    .gid =			(gid_t)(-1),
+    .filter_timeout =		300,
+    .retry_use_local_part =	TRUE_UNSET,	/* retry_use_local_part: BOOL, but set neither
+						 1 nor 0 so can detect unset */
+};
+
+int     transport_count;
+uschar *transport_name          = NULL;
+int     transport_newlines;
+const uschar **transport_filter_argv  = NULL;
+int     transport_filter_timeout;
+int     transport_write_timeout= 0;
+
+tree_node  *tree_dns_fails     = NULL;
+tree_node  *tree_duplicates    = NULL;
+tree_node  *tree_nonrecipients = NULL;
+tree_node  *tree_unusable      = NULL;
+
+gid_t  *trusted_groups         = NULL;
+uid_t  *trusted_users          = NULL;
+uschar *timezone_string        = US TIMEZONE_DEFAULT;
+
+uschar *unknown_login          = NULL;
+uschar *unknown_username       = NULL;
+uschar *untrusted_set_sender   = NULL;
+
+/*  A regex for matching a "From_" line in an incoming message, in the form
+
+    From ph10 Fri Jan  5 12:35 GMT 1996
+
+which  the "mail" commands send to the MTA (undocumented, of course), or in
+the  form
+
+    From ph10 Fri, 7 Jan 97 14:00:00 GMT
+
+which  is apparently used by some UUCPs, despite it not being in RFC 976.
+Because  of variations in time formats, just match up to the minutes. That
+should  be sufficient. Examples have been seen of time fields like 12:1:03,
+so  just require one digit for hours and minutes. The weekday is also absent
+in  some forms. */
+
+uschar *uucp_from_pattern      = US
+   "^From\\s+(\\S+)\\s+(?:[a-zA-Z]{3},?\\s+)?"    /* Common start */
+   "(?:"                                          /* Non-extracting bracket */
+   "[a-zA-Z]{3}\\s+\\d?\\d|"                      /* First form */
+   "\\d?\\d\\s+[a-zA-Z]{3}\\s+\\d\\d(?:\\d\\d)?"  /* Second form */
+   ")"                                            /* End alternation */
+   "\\s+\\d\\d?:\\d\\d?";                         /* Start of time */
+
+uschar *uucp_from_sender       = US"$1";
+
+uschar *verify_mode	       = NULL;
+uschar *version_copyright      =
+ US"Copyright (c) University of Cambridge, 1995 - 2018\n"
+   "(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2022";
+uschar *version_date           = US"?";
+uschar *version_cnumber        = US"????";
+uschar *version_string         = US"?";
+
+uschar *warn_message_file      = NULL;
+int     warning_count          = 0;
+uschar *warnmsg_delay          = NULL;
+uschar *warnmsg_recipients     = NULL;
+
+
+/*  End of globals.c */
diff --git a/src/globals.h b/src/globals.h
new file mode 100644
index 0000000..fe099e4
--- /dev/null
+++ b/src/globals.h
@@ -0,0 +1,1120 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Almost all the global variables are defined together in this one header, so
+that they are easy to find. However, those that are visible during the
+compilation of the local_scan() function are defined separately in the
+local_scan.h header file. */
+
+/* First put any specials that are required for some operating systems. */
+
+#ifdef NEED_H_ERRNO
+extern int h_errno;
+#endif
+
+/* We need to be careful about width of int and atomicity in signal handlers,
+especially with the rise of 64-bit systems breaking older assumptions.  But
+sig_atomic_t comes from signal.h so can't go into mytypes.h without including
+signal support in local_scan, which seems precipitous. */
+typedef volatile sig_atomic_t SIGNAL_BOOL;
+
+/* Now things that are present only when configured. */
+
+#ifdef EXIM_PERL
+extern uschar *opt_perl_startup;       /* Startup code for Perl interpreter */
+extern BOOL    opt_perl_at_start;      /* Start Perl interpreter at start */
+extern BOOL    opt_perl_started;       /* Set once interpreter started */
+extern BOOL    opt_perl_taintmode;     /* Enable taint mode in Perl */
+#endif
+
+#ifdef EXPAND_DLFUNC
+extern tree_node *dlobj_anchor;        /* Tree of dynamically-loaded objects */
+#endif
+
+#ifdef LOOKUP_IBASE
+extern uschar *ibase_servers;
+#endif
+
+#ifdef LOOKUP_LDAP
+extern uschar *eldap_ca_cert_dir;      /* Directory with CA certificates */
+extern uschar *eldap_ca_cert_file;     /* CA certificate file */
+extern uschar *eldap_cert_file;        /* Certificate file */
+extern uschar *eldap_cert_key;         /* Certificate key file */
+extern uschar *eldap_cipher_suite;     /* Allowed cipher suite */
+extern uschar *eldap_default_servers;  /* List of default servers */
+extern uschar *eldap_require_cert;     /* Peer certificate checking strategy */
+extern BOOL    eldap_start_tls;        /* Use STARTTLS */
+extern int     eldap_version;          /* LDAP version */
+#endif
+
+#ifdef LOOKUP_MYSQL
+extern uschar *mysql_servers;          /* List of servers and connect info */
+#endif
+
+#ifdef LOOKUP_ORACLE
+extern uschar *oracle_servers;         /* List of servers and connect info */
+#endif
+
+#ifdef LOOKUP_PGSQL
+extern uschar *pgsql_servers;          /* List of servers and connect info */
+#endif
+
+#ifdef LOOKUP_REDIS
+extern uschar *redis_servers;          /* List of servers and connect info */
+#endif
+
+#ifdef LOOKUP_SQLITE
+extern uschar *sqlite_dbfile;	       /* Filname for database */
+extern int     sqlite_lock_timeout;    /* Internal lock waiting timeout */
+#endif
+
+#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
+extern BOOL    move_frozen_messages;   /* Get them out of the normal directory */
+#endif
+
+/* These variables are outside the #ifdef because it keeps the code less
+cluttered in several places (e.g. during logging) if we can always refer to
+them. Also, the tls_ variables are now always visible. */
+
+typedef struct {
+  client_conn_ctx active;     /* fd/socket when in a TLS session, and ptr to TLS context */
+  int     bits;               /* bits used in TLS session */
+  BOOL    certificate_verified; /* Client certificate verified */
+#ifdef SUPPORT_DANE
+  BOOL    dane_verified;        /* ... via DANE */
+  int     tlsa_usage;         /* TLSA record(s) usage */
+#endif
+  uschar *cipher;             /* Cipher used */
+  const uschar *cipher_stdname; /* Cipher used, RFC version */
+  const uschar *ver;	      /* TLS version */
+
+  BOOL    on_connect;         /* For older MTAs that don't STARTTLS */
+  uschar *on_connect_ports;   /* Ports always tls-on-connect */
+  void   *ourcert;            /* Certificate we presented, binary */
+  void	 *peercert;           /* Certificate of peer, binary */
+  uschar *peerdn;             /* DN from peer */
+  uschar *sni;                /* Server Name Indication */
+  uschar *channelbinding;     /* b64'd data identifying channel, for authenticators */
+  enum {
+    OCSP_NOT_REQ=0,		/* not requested */
+    OCSP_NOT_RESP,		/* no response to request */
+    OCSP_VFY_NOT_TRIED,		/* response not verified */
+    OCSP_FAILED,		/* verify failed */
+    OCSP_VFIED			/* verified */
+    }     ocsp;		      /* Stapled OCSP status */
+#ifndef DISABLE_TLS_RESUME
+  hctx	  resume_hctx;		/* session lookup key accumulation */
+  const uschar * resume_index;	/* session lookup key */
+
+  unsigned resumption;		/* Session resumption */
+  BOOL	  host_resumable:1;
+  BOOL	  ticket_received:1;
+#endif
+  BOOL	  verify_override:1;	/* certificate_verified only due to tls_try_verify_hosts */
+  BOOL	  ext_master_secret:1;	/* extended-master-secret was used */
+} tls_support;
+extern tls_support tls_in;
+extern tls_support tls_out;
+
+#ifndef DISABLE_TLS
+extern BOOL    gnutls_compat_mode;     /* Less security, more compatibility */
+extern BOOL    gnutls_allow_auto_pkcs11; /* Let GnuTLS autoload PKCS11 modules */
+extern uschar *hosts_require_alpn;     /* Mandatory ALPN successful nogitiation */
+extern uschar *openssl_options;        /* OpenSSL compatibility options */
+extern const pcre2_code *regex_STARTTLS;     /* For recognizing STARTTLS settings */
+extern uschar *tls_alpn;	       /* ALPN names acceptable */
+extern uschar *tls_certificate;        /* Certificate file */
+extern uschar *tls_crl;                /* CRL File */
+extern int     tls_dh_max_bits;        /* don't accept higher lib suggestions */
+extern uschar *tls_dhparam;            /* DH param file */
+extern uschar *tls_eccurve;            /* EC curve */
+# ifndef DISABLE_OCSP
+extern uschar *tls_ocsp_file;          /* OCSP stapling proof file */
+# endif
+extern uschar *tls_privatekey;         /* Private key file */
+extern BOOL    tls_remember_esmtp;     /* For YAEB */
+extern uschar *tls_require_ciphers;    /* So some can be avoided */
+# ifndef DISABLE_TLS_RESUME
+extern uschar *tls_resumption_hosts;   /* TLS session resumption */
+# endif
+extern uschar *tls_try_verify_hosts;   /* Optional client verification */
+extern uschar *tls_verify_certificates;/* Path for certificates to check */
+extern uschar *tls_verify_hosts;       /* Mandatory client verification */
+extern int     tls_watch_fd;	       /* for inotify of creds files */
+extern time_t  tls_watch_trigger_time; /* non-0: triggered */
+#endif
+extern uschar *tls_advertise_hosts;    /* host for which TLS is advertised */
+
+extern uschar  *dsn_envid;             /* DSN envid string */
+extern int      dsn_ret;               /* DSN ret type*/
+extern const pcre2_code  *regex_DSN;         /* For recognizing DSN settings */
+extern uschar  *dsn_advertise_hosts;   /* host for which TLS is advertised */
+
+/* Input-reading functions for messages, so we can use special ones for
+incoming TCP/IP. */
+
+extern int (*lwr_receive_getc)(unsigned);
+extern uschar * (*lwr_receive_getbuf)(unsigned *);
+extern BOOL (*lwr_receive_hasc)(void);
+extern int (*lwr_receive_ungetc)(int);
+
+extern int (*receive_getc)(unsigned);
+extern uschar * (*receive_getbuf)(unsigned *);
+extern BOOL (*receive_hasc)(void);
+extern void (*receive_get_cache)(unsigned);
+extern int (*receive_ungetc)(int);
+extern int (*receive_feof)(void);
+extern int (*receive_ferror)(void);
+
+
+/* For clearing, saving, restoring address expansion variables. We have to have
+the size of this vector set explicitly, because it is referenced from more than
+one module. */
+
+extern const uschar **address_expansions[ADDRESS_EXPANSIONS_COUNT];
+
+/* Flags for which we don't need an address ever so can use a bitfield */
+
+extern struct global_flags {
+ BOOL   acl_temp_details		:1; /* TRUE to give details for 4xx error */
+ BOOL   active_local_from_check		:1; /* For adding Sender: (switchable) */
+ BOOL   active_local_sender_retain	:1; /* For keeping Sender: (switchable) */
+ BOOL   address_test_mode		:1; /* True for -bt */
+ BOOL   admin_user			:1; /* True if caller can do admin */
+ BOOL   allow_auth_unadvertised		:1; /* As it says */
+ BOOL   allow_unqualified_recipient	:1;    /* For local messages */ /* As it says */
+ BOOL   allow_unqualified_sender	:1;       /* Reset for SMTP */ /* Ditto */
+ BOOL   authentication_local		:1; /* TRUE if non-smtp (implicit authentication) */
+
+ BOOL   background_daemon		:1; /* Set FALSE to keep in foreground */
+ BOOL   bdat_readers_wanted		:1; /* BDAT-handling to be pushed on readfunc stack */
+
+ BOOL   chunking_offered		:1;
+ BOOL   config_changed			:1; /* True if -C used */
+ BOOL   continue_more			:1; /* Flag more addresses waiting */
+
+ BOOL   daemon_listen			:1; /* True if listening required */
+ BOOL   debug_daemon			:1; /* Debug the daemon process only */
+ BOOL   deliver_firsttime		:1; /* True for first delivery attempt */
+ BOOL   deliver_force			:1; /* TRUE if delivery was forced */
+ BOOL   deliver_freeze			:1; /* TRUE if delivery is frozen */
+ BOOL   deliver_force_thaw		:1; /* TRUE to force thaw in queue run */
+ BOOL   deliver_manual_thaw		:1; /* TRUE if manually thawed */
+ BOOL   deliver_selectstring_regex	:1; /* String is regex */
+ BOOL   deliver_selectstring_sender_regex :1; /* String is regex */
+ BOOL   disable_callout_flush		:1; /* Don't flush before callouts */
+ BOOL   disable_delay_flush		:1; /* Don't flush before "delay" in ACL */
+ BOOL   disable_logging			:1; /* Disables log writing when TRUE */
+#ifndef DISABLE_DKIM
+ BOOL   dkim_disable_verify		:1; /* Set via ACL control statement. When set, DKIM verification is disabled for the current message */
+ BOOL   dkim_init_done			:1; /* lazy-init status */
+#endif
+#ifdef SUPPORT_DMARC
+ BOOL   dmarc_has_been_checked		:1; /* Global variable to check if test has been called yet */
+ BOOL   dmarc_disable_verify		:1; /* Set via ACL control statement. When set, DMARC verification is disabled for the current message */
+ BOOL   dmarc_enable_forensic		:1; /* Set via ACL control statement. When set, DMARC forensic reports are enabled for the current message */
+#endif
+ BOOL   dont_deliver			:1; /* TRUE for -N option */
+ BOOL   dot_ends			:1; /* TRUE if "." ends non-SMTP input */
+
+ BOOL   enable_dollar_recipients	:1; /* Make $recipients available */
+ BOOL   expand_string_forcedfail	:1; /* TRUE if failure was "expected" */
+
+ BOOL   filter_running			:1; /* TRUE while running a filter */
+
+ BOOL   header_rewritten		:1; /* TRUE if header changed by router */
+ BOOL   helo_verified			:1; /* True if HELO verified */
+ BOOL   helo_verify_failed		:1; /* True if attempt failed */
+ BOOL   host_checking_callout		:1; /* TRUE if real callout wanted */
+ BOOL   host_find_failed_syntax		:1; /* DNS syntax check failure */
+
+ BOOL   inetd_wait_mode			:1; /* Whether running in inetd wait mode */
+ BOOL   is_inetd			:1; /* True for inetd calls */
+
+ BOOL   local_error_message		:1; /* True if handling one of these */
+ BOOL   log_testing_mode		:1; /* TRUE in various testing modes */
+
+#ifdef WITH_CONTENT_SCAN
+ BOOL   no_mbox_unspool			:1; /* don't unlink files in /scan directory */
+#endif
+ BOOL   no_multiline_responses		:1; /* For broken clients */
+
+ BOOL   parse_allow_group		:1; /* Allow group syntax */
+ BOOL   parse_found_group		:1; /* In the middle of a group */
+ BOOL   pipelining_enable		:1; /* As it says */
+#if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
+ BOOL   proxy_session_failed		:1; /* TRUE if required proxy negotiation failed */
+#endif
+
+ BOOL   queue_2stage			:1; /* Run queue in 2-stage manner */
+ BOOL   queue_only_policy		:1; /* ACL or local_scan wants queue_only */
+ BOOL   queue_run_first_delivery	:1; /* If TRUE, first deliveries only */
+ BOOL   queue_run_force			:1; /* TRUE to force during queue run */
+ BOOL   queue_run_local			:1; /* Local deliveries only in queue run */
+ BOOL   queue_running			:1; /* TRUE for queue running process and */
+ BOOL   queue_smtp			:1; /* Disable all immediate SMTP (-odqs)*/
+
+ BOOL   really_exim			:1; /* FALSE in utilities */
+ BOOL   receive_call_bombout		:1; /* Flag for crashing log */
+ BOOL   recipients_discarded		:1; /* By an ACL */
+ BOOL   running_in_test_harness		:1; /*TRUE when running_status is patched */
+
+ BOOL   search_find_defer		:1; /* Set TRUE if lookup deferred */
+ BOOL   sender_address_forced		:1; /* Set by -f */
+ BOOL   sender_host_notsocket		:1; /* Set for -bs and -bS */
+ BOOL   sender_host_unknown		:1; /* TRUE for -bs and -bS except inetd */
+ BOOL   sender_local			:1; /* TRUE for local senders */
+ BOOL   sender_name_forced		:1; /* Set by -F */
+ BOOL   sender_set_untrusted		:1; /* Sender set by untrusted caller */
+ BOOL   smtp_authenticated		:1; /* Sending client has authenticated */
+#ifndef DISABLE_PIPE_CONNECT
+ BOOL   smtp_in_early_pipe_advertised	:1; /* server advertised PIPECONNECT */
+ BOOL	smtp_in_early_pipe_no_auth	:1; /* too many authenticator names */
+ BOOL   smtp_in_early_pipe_used		:1; /* client did send early data */
+#endif
+ BOOL   smtp_in_pipelining_advertised	:1; /* server advertised PIPELINING */
+ BOOL   smtp_in_pipelining_used		:1; /* server noted client using PIPELINING */
+ BOOL   smtp_in_quit			:1; /* server noted QUIT command */
+ BOOL   spool_file_wireformat		:1; /* current -D file has CRLF rather than NL */
+ BOOL   submission_mode			:1; /* Can be forced from ACL */
+ BOOL   suppress_local_fixups		:1; /* Can be forced from ACL */
+ BOOL   suppress_local_fixups_default	:1; /* former is reset to this; override with -G */
+ BOOL   synchronous_delivery		:1; /* TRUE if -odi is set */
+ BOOL   system_filtering		:1; /* TRUE when running system filter */
+
+ BOOL   taint_check_slow		:1; /* malloc/mmap are not returning distinct ranges */
+ BOOL	testsuite_delays		:1; /* interprocess sequencing delays, under testsuite */
+ BOOL   tcp_fastopen_ok			:1; /* appears to be supported by kernel */
+ BOOL   tcp_in_fastopen			:1; /* conn usefully used fastopen */
+ BOOL   tcp_in_fastopen_data		:1; /* fastopen carried data */
+ BOOL   tcp_in_fastopen_logged		:1; /* one-time logging */
+ BOOL   tcp_out_fastopen_logged		:1; /* one-time logging */
+ BOOL   timestamps_utc			:1; /* Use UTC for all times */
+ BOOL   transport_filter_timed_out	:1; /* True if it did */
+ BOOL   trusted_caller			:1; /* Caller is trusted */
+ BOOL   trusted_config			:1; /* Configuration file is trusted */
+} f;
+
+
+/* General global variables */
+
+extern BOOL    accept_8bitmime;        /* Allow *BITMIME incoming */
+extern uschar *add_environment;        /* List of environment variables to add */
+extern header_line *acl_added_headers; /* Headers added by an ACL */
+extern tree_node *acl_anchor;          /* Tree of named ACLs */
+extern uschar *acl_arg[9];             /* Argument to ACL call */
+extern int     acl_narg;               /* Number of arguments to ACL call */
+extern int     acl_level;	       /* Nesting depth and debug indent */
+extern uschar *acl_not_smtp;           /* ACL run for non-SMTP messages */
+#ifdef WITH_CONTENT_SCAN
+extern uschar *acl_not_smtp_mime;      /* For MIME parts of ditto */
+#endif
+extern uschar *acl_not_smtp_start;     /* ACL run at the beginning of a non-SMTP session */
+extern uschar *acl_removed_headers;    /* Headers deleted by an ACL */
+extern uschar *acl_smtp_auth;          /* ACL run for AUTH */
+extern uschar *acl_smtp_connect;       /* ACL run on SMTP connection */
+extern uschar *acl_smtp_data;          /* ACL run after DATA received */
+#ifndef DISABLE_PRDR
+extern uschar *acl_smtp_data_prdr;     /* ACL run after DATA received if in PRDR mode*/
+const extern pcre2_code *regex_PRDR;         /* For recognizing PRDR settings */
+#endif
+#ifndef DISABLE_DKIM
+extern uschar *acl_smtp_dkim;          /* ACL run for DKIM signatures / domains */
+#endif
+extern uschar *acl_smtp_etrn;          /* ACL run for ETRN */
+extern uschar *acl_smtp_expn;          /* ACL run for EXPN */
+extern uschar *acl_smtp_helo;          /* ACL run for HELO/EHLO */
+extern uschar *acl_smtp_mail;          /* ACL run for MAIL */
+extern uschar *acl_smtp_mailauth;      /* ACL run for MAIL AUTH */
+#ifdef WITH_CONTENT_SCAN
+extern uschar *acl_smtp_mime;          /* ACL run after DATA, before acl_smtp_data, for each MIME part */
+#endif
+extern uschar *acl_smtp_notquit;       /* ACL run for disconnects */
+extern uschar *acl_smtp_predata;       /* ACL run for DATA command */
+extern uschar *acl_smtp_quit;          /* ACL run for QUIT */
+extern uschar *acl_smtp_rcpt;          /* ACL run for RCPT */
+extern uschar *acl_smtp_starttls;      /* ACL run for STARTTLS */
+extern uschar *acl_smtp_vrfy;          /* ACL run for VRFY */
+extern tree_node *acl_var_c;           /* ACL connection variables */
+extern tree_node *acl_var_m;           /* ACL message variables */
+extern uschar *acl_verify_message;     /* User message for verify failure */
+extern string_item *acl_warn_logged;   /* Logged lines */
+extern uschar *acl_wherecodes[];       /* Response codes for ACL fails */
+extern uschar *acl_wherenames[];       /* Names for messages */
+extern address_item *addr_duplicate;   /* Duplicate address list */
+extern address_item address_defaults;  /* Default data for address item */
+extern uschar *address_file;           /* Name of file when delivering to one */
+extern uschar *address_pipe;           /* Pipe command when delivering to one */
+extern tree_node *addresslist_anchor;  /* Tree of defined address lists */
+extern int     addresslist_count;      /* Number defined */
+extern gid_t  *admin_groups;           /* List of admin groups */
+extern BOOL    allow_domain_literals;  /* As it says */
+extern BOOL    allow_mx_to_ip;         /* Allow MX records to -> ip address */
+#ifdef EXPERIMENTAL_ARC
+extern struct arc_set *arc_received;   /* highest ARC instance evaluation struct */
+extern int     arc_received_instance;  /* highest ARC instance number in headers */
+extern int     arc_oldest_pass;        /* lowest passing instance number in headers */
+extern const uschar *arc_state;	       /* verification state */
+extern const uschar *arc_state_reason;
+#endif
+extern BOOL    allow_utf8_domains;     /* For experimenting */
+extern uschar *authenticated_fail_id;  /* ID that failed authentication */
+extern uschar *authenticated_id;       /* ID that was authenticated */
+extern uschar *authenticated_sender;   /* From AUTH on MAIL */
+extern BOOL    authentication_failed;  /* TRUE if AUTH was tried and failed */
+extern uschar *authenticator_name;     /* for debug and error messages */
+extern uschar *auth_advertise_hosts;   /* Only advertise to these */
+extern auth_info auths_available[];    /* Vector of available auth mechanisms */
+extern auth_instance *auths;           /* Chain of instantiated auths */
+extern auth_instance auth_defaults;    /* Default values */
+extern uschar *auth_defer_msg;         /* Error message for log */
+extern uschar *auth_defer_user_msg;    /* Error message for user */
+extern const uschar *auth_vars[];      /* $authn variables */
+extern int     auto_thaw;              /* Auto-thaw interval */
+#ifdef WITH_CONTENT_SCAN
+extern int     av_failed;              /* TRUE if the AV process failed */
+extern uschar *av_scanner;             /* AntiVirus scanner to use for the malware condition */
+#endif
+
+extern uschar *base62_chars;           /* Table of base-62 characters */
+extern uschar *bi_command;             /* Command for -bi option */
+extern uschar *big_buffer;             /* Used for various temp things */
+extern int     big_buffer_size;        /* Current size (can expand) */
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+extern uschar *bmi_alt_location;       /* expansion variable that contains the alternate location for the rcpt (available during routing) */
+extern uschar *bmi_base64_tracker_verdict; /* expansion variable with base-64 encoded OLD verdict string (available during routing) */
+extern uschar *bmi_base64_verdict;     /* expansion variable with base-64 encoded verdict string (available during routing) */
+extern uschar *bmi_config_file;        /* Brightmail config file */
+extern int     bmi_deliver;            /* Flag that determines if the message should be delivered to the rcpt (available during routing) */
+extern int     bmi_run;                /* Flag that determines if message should be run through Brightmail server */
+extern uschar *bmi_verdicts;           /* BASE64-encoded verdicts with recipient lists */
+#endif
+extern int     bsmtp_transaction_linecount; /* Start of last transaction */
+extern int     body_8bitmime;          /* sender declared BODY= ; 7=7BIT, 8=8BITMIME */
+extern uschar *bounce_message_file;    /* Template file */
+extern uschar *bounce_message_text;    /* One-liner */
+extern uschar *bounce_recipient;       /* When writing an errmsg */
+extern BOOL    bounce_return_body;     /* Include body in returned message */
+extern int     bounce_return_linesize_limit; /* Max line length in return */
+extern BOOL    bounce_return_message;  /* Include message in bounce */
+extern int     bounce_return_size_limit; /* Max amount to return */
+extern uschar *bounce_sender_authentication; /* AUTH address for bounces */
+
+extern uschar *callout_address;         /* Address used for a malware/spamd/verify etc. callout */
+extern int     callout_cache_domain_positive_expire; /* Time for positive domain callout cache records to expire */
+extern int     callout_cache_domain_negative_expire; /* Time for negative domain callout cache records to expire */
+extern int     callout_cache_positive_expire; /* Time for positive callout cache records to expire */
+extern int     callout_cache_negative_expire; /* Time for negative callout cache records to expire */
+extern uschar *callout_random_local_part; /* Local part to be used to check if server called will accept any local part */
+extern uschar *check_dns_names_pattern;/* Regex for syntax check */
+extern int     check_log_inodes;       /* Minimum for message acceptance */
+extern int_eximarith_t check_log_space; /* Minimum for message acceptance */
+extern BOOL    check_rfc2047_length;   /* Check RFC 2047 encoded string length */
+extern int     check_spool_inodes;     /* Minimum for message acceptance */
+extern int_eximarith_t check_spool_space; /* Minimum for message acceptance */
+extern uschar *chunking_advertise_hosts;    /* RFC 3030 CHUNKING */
+extern unsigned chunking_datasize;
+extern unsigned chunking_data_left;
+extern chunking_state_t chunking_state;
+extern uschar *client_authenticator;        /* Authenticator name used for smtp delivery */
+extern uschar *client_authenticated_id;     /* "login" name used for SMTP AUTH */
+extern uschar *client_authenticated_sender; /* AUTH option to SMTP MAIL FROM (not yet used) */
+#ifndef DISABLE_CLIENT_CMD_LOG
+extern gstring *client_cmd_log;	       /* debug log of client cmds & responses */
+#endif
+extern int     clmacro_count;          /* Number of command line macros */
+extern uschar *clmacros[];             /* Copy of them, for re-exec */
+extern BOOL    commandline_checks_require_admin; /* belt and braces for insecure setups */
+extern int     connection_max_messages;/* Max down one SMTP connection */
+extern FILE   *config_file;            /* Configuration file */
+extern const uschar *config_filename;  /* Configuration file name */
+extern gid_t   config_gid;             /* Additional group owner */
+extern int     config_lineno;          /* Line number */
+extern uschar *config_main_filelist;   /* List of possible config files */
+extern uschar *config_main_filename;   /* File name actually used */
+extern uschar *config_main_directory;  /* Directory where the main config file was found */
+extern uid_t   config_uid;             /* Additional owner */
+extern uschar *continue_proxy_cipher;  /* TLS cipher for proxied continued delivery */
+extern BOOL    continue_proxy_dane;    /* proxied conn is DANE */
+extern uschar *continue_proxy_sni;     /* proxied conn SNI */
+extern uschar *continue_hostname;      /* Host for continued delivery */
+extern uschar *continue_host_address;  /* IP address for ditto */
+extern int     continue_sequence;      /* Sequence num for continued delivery */
+extern uschar *continue_transport;     /* Transport for continued delivery */
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+extern unsigned continue_limit_mail;   /* Peer advertised limit */
+extern unsigned continue_limit_rcpt;
+extern unsigned continue_limit_rcptdom;
+#endif
+
+
+extern uschar *csa_status;             /* Client SMTP Authorization result */
+
+typedef struct {
+  unsigned     callout_hold_only:1;    /* Conn is only for verify callout */
+  unsigned     delivery:1;             /* When to attempt */
+  unsigned     defer_pass:1;           /* Pass 4xx to caller rather than spooling */
+  unsigned     is_tls:1;	       /* Conn has TLS active */
+  client_conn_ctx cctx;                /* Open connection */
+  int          nrcpt;                  /* Count of addresses */
+  uschar *     transport;	       /* Name of transport */
+  uschar *     interface;              /* (address of) */
+  uschar *     snd_ip;		       /* sending_ip_address */
+  int	       snd_port;	       /* sending_port */
+  unsigned     peer_options;	       /* smtp_peer_options */
+  host_item    host;                   /* Host used */
+  address_item addr;                   /* (Chain of) addresses */
+} cut_t;
+extern cut_t cutthrough;               /* Deliver-concurrently */
+
+extern int     daemon_notifier_fd;     /* Unix socket for notifications */
+extern uschar *daemon_smtp_port;       /* Can be a list of ports */
+extern int     daemon_startup_retries; /* Number of times to retry */
+extern int     daemon_startup_sleep;   /* Sleep between retries */
+
+#ifdef EXPERIMENTAL_DCC
+extern BOOL    dcc_direct_add_header;  /* directly add header */
+extern uschar *dcc_header;             /* dcc header */
+extern uschar *dcc_result;             /* dcc result */
+extern uschar *dccifd_address;         /* address of the dccifd daemon */
+extern uschar *dccifd_options;         /* options for the dccifd daemon */
+#endif
+
+extern int     debug_fd;               /* The fd for debug_file */
+extern FILE   *debug_file;             /* Where to write debugging info */
+extern int     debug_notall[];         /* Debug options excluded from +all */
+extern bit_table debug_options[];      /* Table of debug options */
+extern int     debug_options_count;    /* Size of table */
+extern unsigned debug_pretrigger_bsize;
+extern uschar *debug_pretrigger_buf;   /* circular buffer for precapture */
+extern BOOL    debug_store;	       /* Do extra checks on store_reset */
+extern uschar  debuglog_name[LOG_NAME_SIZE]; /* ACL-init debug */
+
+extern int     delay_warning[];        /* Times between warnings */
+extern uschar *delay_warning_condition; /* Condition string for warnings */
+extern BOOL    delivery_date_remove;   /* Remove delivery-date headers */
+
+extern uschar *deliver_address_data;   /* Arbitrary data for an address */
+extern int     deliver_datafile;       /* FD for data part of message */
+extern const uschar *deliver_domain;   /* The local domain for delivery */
+extern uschar *deliver_domain_data;    /* From domain lookup */
+extern const uschar *deliver_domain_orig; /* The original local domain for delivery */
+extern const uschar *deliver_domain_parent; /* The parent domain for delivery */
+extern BOOL    deliver_drop_privilege; /* TRUE for unprivileged delivery */
+extern time_t  deliver_frozen_at;      /* Time of freezing */
+extern uschar *deliver_home;           /* Home directory for pipes */
+extern const uschar *deliver_host;     /* (First) host for routed local deliveries */
+                                       /* Remote host for filter */
+extern const uschar *deliver_host_address; /* Address for remote delivery filter */
+extern int     deliver_host_port;      /* Address for remote delivery filter */
+extern uschar *deliver_in_buffer;      /* Buffer for copying file */
+extern ino_t   deliver_inode;          /* Inode for appendfile */
+extern uschar *deliver_localpart;      /* The local part for delivery */
+extern uschar *deliver_localpart_data; /* From local part lookup (de-tainted) */
+extern uschar *deliver_localpart_orig; /* The original local part for delivery */
+extern uschar *deliver_localpart_parent; /* The parent local part for delivery */
+extern uschar *deliver_localpart_prefix; /* The stripped prefix, if any */
+extern uschar *deliver_localpart_prefix_v; /* The stripped-prefix variable portion, if any */
+extern uschar *deliver_localpart_suffix; /* The stripped suffix, if any */
+extern uschar *deliver_localpart_suffix_v; /* The stripped-suffix variable portion, if any */
+extern uschar *deliver_out_buffer;     /* Buffer for copying file */
+extern int     deliver_queue_load_max; /* Different value for queue running */
+extern address_item *deliver_recipients; /* Current set of addresses */
+extern uschar *deliver_selectstring;   /* For selecting by recipient */
+extern uschar *deliver_selectstring_sender; /* For selecting by sender */
+#ifdef ENABLE_DISABLE_FSYNC
+extern BOOL    disable_fsync;          /* Not for normal use */
+#endif
+extern BOOL    disable_ipv6;           /* Don't do any IPv6 things */
+
+#ifndef DISABLE_DKIM
+extern unsigned dkim_collect_input;    /* Runtime count of dkim signtures; tracks whether SMTP input is fed to DKIM validation */
+extern uschar *dkim_cur_signer;        /* Expansion variable, holds the current "signer" domain or identity during a acl_smtp_dkim run */
+extern int     dkim_key_length;        /* Expansion variable, length of signing key in bits */
+extern void   *dkim_signatures;	       /* Actually a (pdkim_signature *) but most files do not need to know */
+extern uschar *dkim_signers;           /* Expansion variable, holds colon-separated list of domains and identities that have signed a message */
+extern uschar *dkim_signing_domain;    /* Expansion variable, domain used for signing a message. */
+extern uschar *dkim_signing_selector;  /* Expansion variable, selector used for signing a message. */
+extern uschar *dkim_verify_hashes;     /* Preference order for signatures */
+extern uschar *dkim_verify_keytypes;   /* Preference order for signatures */
+extern uschar *dkim_verify_min_keysizes; /* list of minimum key sizes, keyed by algo */
+extern BOOL    dkim_verify_minimal;    /* Shortcircuit signture verification */
+extern uschar *dkim_verify_overall;    /* First successful domain verified, or null */
+extern uschar *dkim_verify_signers;    /* Colon-separated list of domains for each of which we call the DKIM ACL */
+extern uschar *dkim_verify_status;     /* result for this signature */
+extern uschar *dkim_verify_reason;     /* result for this signature */
+#endif
+#ifdef SUPPORT_DMARC
+extern uschar *dmarc_domain_policy;    /* Expansion for declared policy of used domain */
+extern uschar *dmarc_forensic_sender;  /* Set sender address for forensic reports */
+extern uschar *dmarc_history_file;     /* Expansion variable, file to store dmarc results */
+extern uschar *dmarc_status;           /* Expansion variable, one word value */
+extern uschar *dmarc_status_text;      /* Expansion variable, human readable value */
+extern uschar *dmarc_tld_file;         /* Mozilla TLDs text file */
+extern uschar *dmarc_used_domain;      /* Expansion variable, domain libopendmarc chose for DMARC policy lookup */
+#endif
+
+extern uschar *dns_again_means_nonexist; /* Domains that are badly set up */
+extern int     dns_csa_search_limit;   /* How deep to search for CSA SRV records */
+extern BOOL    dns_csa_use_reverse;    /* Check CSA in reverse DNS? (non-standard) */
+extern int     dns_cname_loops;	       /* Follow CNAMEs returned by resolver to this depth */
+extern uschar *dns_ipv4_lookup;        /* For these domains, don't look for AAAA (or A6) */
+#ifdef SUPPORT_DANE
+extern int     dns_dane_ok;            /* Ok to use DANE when checking TLS authenticity */
+#endif
+extern int     dns_retrans;            /* Retransmission time setting */
+extern int     dns_retry;              /* Number of retries */
+extern int     dns_dnssec_ok;          /* When constructing DNS query, set DO flag */
+extern const uschar * dns_rc_names[];  /* Mostly for debug output */
+extern uschar *dns_trust_aa;           /* DNSSEC trust AA as AD */
+extern int     dns_use_edns0;          /* Coerce EDNS0 support on/off in resolver. */
+extern uschar *dnslist_domain;         /* DNS (black) list domain */
+extern uschar *dnslist_matched;        /* DNS (black) list matched key */
+extern uschar *dnslist_text;           /* DNS (black) list text message */
+extern uschar *dnslist_value;          /* DNS (black) list IP address */
+extern tree_node *domainlist_anchor;   /* Tree of defined domain lists */
+extern int     domainlist_count;       /* Number defined */
+
+/* This option is now a no-opt, retained for compatibility */
+extern BOOL    drop_cr;                /* For broken local MUAs */
+extern const uschar *driver_srcfile;   /* For debug & errors */
+extern int     driver_srcline;	       /* For debug & errors */
+
+extern unsigned int dtrigger_selector; /* when to start debug */
+
+extern uschar *dsn_from;               /* From: string for DSNs */
+
+extern BOOL    envelope_to_remove;     /* Remove envelope_to_headers */
+extern int     errno_quota;            /* Quota errno in this OS */
+extern int     error_handling;         /* Error handling style */
+extern uschar *errors_copy;            /* For taking copies of errors */
+extern uschar *errors_reply_to;        /* Reply-to for error messages */
+extern int     errors_sender_rc;       /* Return after message to sender*/
+
+#ifndef DISABLE_EVENT
+extern uschar *event_action;           /* expansion for delivery events */
+extern uschar *event_data;	       /* event data */
+extern int     event_defer_errno;      /* error number set when a remote delivery is deferred with a host error */
+extern const uschar *event_name;       /* event classification */
+#endif
+
+extern gid_t   exim_gid;               /* To be used with exim_uid */
+extern BOOL    exim_gid_set;           /* TRUE if exim_gid set */
+extern uschar *exim_path;              /* Path to exec exim */
+extern const uschar *exim_sieve_extension_list[]; /* list of sieve extensions */
+extern uid_t   exim_uid;               /* Non-root uid for exim */
+extern BOOL    exim_uid_set;           /* TRUE if exim_uid set */
+extern int     expand_level;	       /* Nesting depth; indent for debug */
+extern int     expand_forbid;          /* RDO flags for forbidding things */
+extern int     expand_nlength[];       /* Lengths of numbered strings */
+extern int     expand_nmax;            /* Max numerical value */
+extern const uschar *expand_nstring[];       /* Numbered strings */
+extern BOOL    extract_addresses_remove_arguments; /* Controls -t behaviour */
+extern uschar *extra_local_interfaces; /* Local, non-listen interfaces */
+
+extern int     fake_response;          /* Fake FAIL or DEFER response to data */
+extern uschar *fake_response_text;     /* User defined message for the above. Default is in globals.c. */
+extern int     filter_n[FILTER_VARIABLE_COUNT]; /* filter variables */
+extern int     filter_sn[FILTER_VARIABLE_COUNT]; /* variables set by system filter */
+extern int     filter_test;            /* Filter test type */
+extern uschar *filter_test_sfile;      /* System filter test file */
+extern uschar *filter_test_ufile;      /* User filter test file */
+extern uschar *filter_thisaddress;     /* For address looping */
+extern int     finduser_retries;       /* Retry count for getpwnam() */
+extern uid_t   fixed_never_users[];    /* Can't be overridden */
+extern uschar *freeze_tell;            /* Message on (some) freezings */
+extern uschar *freeze_tell_config;     /* The configured setting */
+extern uschar *fudged_queue_times;     /* For use in test harness */
+
+extern uschar *gecos_name;             /* To be expanded when pattern matches */
+extern uschar *gecos_pattern;          /* Pattern to match */
+extern rewrite_rule *global_rewrite_rules;  /* Chain of rewriting rules */
+
+extern volatile sig_atomic_t had_command_timeout;   /* Alarm sighandler called */
+extern volatile sig_atomic_t had_command_sigterm;   /* TERM  sighandler called */
+extern volatile sig_atomic_t had_data_timeout;      /* Alarm sighandler called */
+extern volatile sig_atomic_t had_data_sigint;       /* TERM/INT  sighandler called */
+extern int     header_insert_maxlen;   /* Max for inserting headers */
+extern int     header_maxsize;         /* Max total length for header */
+extern int     header_line_maxsize;    /* Max for an individual line */
+extern header_name header_names[];     /* Table of header names */
+extern int     header_names_size;      /* Number of entries */
+extern uschar *helo_accept_junk_hosts; /* Allowed to use junk arg */
+extern uschar *helo_allow_chars;       /* Rogue chars to allow in HELO/EHLO */
+extern uschar *helo_lookup_domains;    /* If these given, lookup host name */
+extern uschar *helo_try_verify_hosts;  /* Soft check HELO argument for these */
+extern uschar *helo_verify_hosts;      /* Hard check HELO argument for these */
+extern const uschar *hex_digits;             /* Used in several places */
+extern uschar *hold_domains;           /* Hold up deliveries to these */
+extern uschar *host_data;              /* Obtained from lookup in ACL */
+extern uschar *host_lookup;            /* For which IP addresses are always looked up */
+extern BOOL    host_lookup_deferred;   /* TRUE if lookup deferred */
+extern BOOL    host_lookup_failed;     /* TRUE if lookup failed */
+extern uschar *host_lookup_order;      /* Order of host lookup types */
+extern uschar *host_lookup_msg;        /* Text for why it failed */
+extern int     host_number;            /* For sharing spools */
+extern uschar *host_number_string;     /* For expanding */
+extern uschar *hosts_require_helo;     /* check for HELO/EHLO before MAIL */
+extern uschar *host_reject_connection; /* Reject these hosts */
+extern tree_node *hostlist_anchor;     /* Tree of defined host lists */
+extern int     hostlist_count;         /* Number defined */
+extern uschar *hosts_connection_nolog; /* Limits the logging option */
+extern uschar *hosts_treat_as_local;   /* For routing */
+
+extern int     ignore_bounce_errors_after; /* Keep them for this time. */
+extern BOOL    ignore_fromline_local;  /* Local SMTP ignore fromline */
+extern uschar *ignore_fromline_hosts;  /* Hosts permitted to send "From " */
+extern int     inetd_wait_timeout;     /* Timeout for inetd wait mode */
+extern uschar *initial_cwd;            /* The directory we where in at startup */
+extern uschar *iterate_item;           /* Item from iterate list */
+
+extern int     journal_fd;             /* Fd for journal file */
+
+extern uschar *keep_environment;       /* Whitelist for environment variables */
+extern int     keep_malformed;         /* Time to keep malformed messages */
+
+extern uschar *eldap_dn;               /* Where LDAP DNs are left */
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+extern uschar *limits_advertise_hosts; /* for banner/EHLO pipelining */
+#endif
+extern int     load_average;           /* Most recently read load average */
+extern BOOL    local_from_check;       /* For adding Sender: (global value) */
+extern uschar *local_from_prefix;      /* Permitted prefixes */
+extern uschar *local_from_suffix;      /* Permitted suffixes */
+extern uschar *local_interfaces;       /* For forcing specific interfaces */
+#ifdef HAVE_LOCAL_SCAN
+extern uschar *local_scan_data;        /* Text returned by local_scan() */
+extern optionlist local_scan_options[];/* Option list for local_scan() */
+extern int     local_scan_options_count; /* Size of the list */
+extern int     local_scan_timeout;     /* Timeout for local_scan() */
+#endif
+extern BOOL    local_sender_retain;    /* Retain Sender: (with no From: check) */
+extern gid_t   local_user_gid;         /* As it says; may be set in routers */
+extern uid_t   local_user_uid;         /* As it says; may be set in routers */
+extern tree_node *localpartlist_anchor;/* Tree of defined localpart lists */
+extern int     localpartlist_count;    /* Number defined */
+extern uschar *log_buffer;             /* For constructing log entries */
+extern int     log_default[];          /* Initialization list for log_selector */
+extern uschar *log_file_path;          /* If unset, use default */
+extern int     log_notall[];           /* Log options excluded from +all */
+extern bit_table log_options[];        /* Table of options */
+extern int     log_options_count;      /* Size of table */
+extern int     log_reject_target;      /* Target log for ACL rejections */
+extern unsigned int log_selector[];    /* Bit map of logging options */
+extern uschar *log_selector_string;    /* As supplied in the config */
+extern FILE   *log_stderr;             /* Copy of stderr for log use, or NULL */
+extern BOOL    log_timezone;           /* TRUE to include the timezone in log lines */
+extern uschar *login_sender_address;   /* The actual sender address */
+extern lookup_info **lookup_list;      /* Array of pointers to available lookups */
+extern int     lookup_list_count;      /* Number of entries in the list */
+extern uschar *lookup_dnssec_authenticated; /* AD status of dns lookup */
+extern int     lookup_open_max;        /* Max lookup files to cache */
+extern uschar *lookup_value;           /* Value looked up from file */
+
+extern macro_item *macros;             /* Configuration macros */
+extern macro_item *macros_user;        /* Non-builtin configuration macros */
+extern macro_item *mlast;              /* Last item in macro list */
+extern uschar *mailstore_basename;     /* For mailstore deliveries */
+#ifdef WITH_CONTENT_SCAN
+extern uschar *malware_name;           /* Name of virus or malware ("W32/Klez-H") */
+#endif
+extern int     max_received_linelength;/* What it says */
+extern int     max_username_length;    /* For systems with broken getpwnam() */
+extern int     message_age;            /* In seconds */
+extern uschar *message_body;           /* Start of message body for filter */
+extern uschar *message_body_end;       /* End of message body for filter */
+extern BOOL    message_body_newlines;  /* FALSE => remove newlines */
+extern int     message_body_size;      /* Sic */
+extern int     message_body_visible;   /* Amount visible in message_body */
+extern int     message_ended;          /* State of message reading and how ended */
+extern uschar *message_headers;        /* When built */
+extern uschar  message_id_option[];    /* -E<message-id> for use as option */
+extern uschar *message_id_external;    /* External form of following */
+extern uschar *message_id_domain;      /* Expanded to form domain-part of message_id */
+extern uschar *message_id_text;        /* Expanded to form message_id */
+extern int     message_linecount;      /* As it says */
+extern BOOL    message_logs;           /* TRUE to write message logs */
+extern int     message_size;           /* Size of message */
+extern uschar *message_size_limit;     /* As it says */
+#ifdef SUPPORT_I18N
+extern BOOL    message_smtputf8;       /* Internationalized mail handling */
+extern int     message_utf8_downconvert; /* convert from utf8 */
+const extern pcre2_code *regex_UTF8;         /* For recognizing SMTPUTF8 settings */
+#endif
+extern uschar  message_subdir[];       /* Subdirectory for messages */
+extern uschar *message_reference;      /* Reference for error messages */
+
+/* MIME ACL expandables */
+#ifdef WITH_CONTENT_SCAN
+extern int     mime_anomaly_level;
+extern const uschar *mime_anomaly_text;
+extern uschar *mime_boundary;
+extern uschar *mime_charset;
+extern uschar *mime_content_description;
+extern uschar *mime_content_disposition;
+extern uschar *mime_content_id;
+extern unsigned int mime_content_size;
+extern uschar *mime_content_transfer_encoding;
+extern uschar *mime_content_type;
+extern uschar *mime_decoded_filename;
+extern uschar *mime_filename;
+extern int     mime_is_multipart;
+extern int     mime_is_coverletter;
+extern int     mime_is_rfc822;
+extern int     mime_part_count;
+#endif
+
+extern BOOL    mua_wrapper;            /* TRUE when Exim is wrapping an MUA */
+
+extern uid_t  *never_users;            /* List of uids never to be used */
+extern uschar *notifier_socket;        /* Name for daemon notifier unix-socket */
+
+extern const int on;                   /* For setsockopt */
+extern const int off;
+
+extern optionlist optionlist_auths[];      /* These option lists are made */
+extern int     optionlist_auths_size;      /* global so that readconf can */
+extern optionlist optionlist_routers[];    /* see them for printing out   */
+extern int     optionlist_routers_size;    /* the options.                */
+extern optionlist optionlist_transports[];
+extern int     optionlist_transports_size;
+
+extern uid_t   original_euid;          /* Original effective uid */
+extern gid_t   originator_gid;         /* Gid of whoever wrote spool file */
+extern uschar *originator_login;       /* Login of same */
+extern uschar *originator_name;        /* Full name of same */
+extern uid_t   originator_uid;         /* Uid of ditto */
+extern uschar *override_local_interfaces; /* Value of -oX argument */
+extern uschar *override_pid_file_path; /* Value of -oP argument */
+
+extern pcre2_general_context * pcre_gen_ctx;	/* pcre memory management */
+extern pcre2_compile_context * pcre_cmp_ctx;
+extern pcre2_match_context *   pcre_mtc_ctx;
+
+extern uschar *percent_hack_domains;   /* Local domains for which '% operates */
+extern uschar *pid_file_path;          /* For writing daemon pids */
+#ifndef DISABLE_PIPE_CONNECT
+extern uschar *pipe_connect_advertise_hosts; /* for banner/EHLO pipelining */
+#endif
+extern uschar *pipelining_advertise_hosts; /* As it says */
+#ifndef DISABLE_PRDR
+extern BOOL    prdr_enable;            /* As it says */
+extern BOOL    prdr_requested;         /* Connecting mail server wants PRDR */
+#endif
+extern BOOL    preserve_message_logs;  /* Save msglog files */
+extern uschar *primary_hostname;       /* Primary name of this computer */
+extern BOOL    print_topbitchars;      /* Topbit chars are printing chars */
+extern uschar *process_info;           /* For SIGUSR1 output */
+extern int     process_info_len;
+extern uschar *process_log_path;       /* Alternate path */
+extern const uschar *process_purpose;  /* for debug output */
+extern BOOL    prod_requires_admin;    /* TRUE if prodding requires admin */
+
+#if defined(SUPPORT_PROXY) || defined(SUPPORT_SOCKS)
+extern uschar *hosts_proxy;            /* Hostlist which (require) use proxy protocol */
+extern uschar *proxy_external_address; /* IP of remote interface of proxy */
+extern int     proxy_external_port;    /* Port on remote interface of proxy */
+extern uschar *proxy_local_address;    /* IP of local interface of proxy */
+extern int     proxy_local_port;       /* Port on local interface of proxy */
+extern int     proxy_protocol_timeout; /* Timeout for proxy negotiation */
+extern BOOL    proxy_session;          /* TRUE if receiving mail from valid proxy  */
+#endif
+
+extern uschar *prvscheck_address;      /* Set during prvscheck expansion item */
+extern uschar *prvscheck_keynum;       /* Set during prvscheck expansion item */
+extern uschar *prvscheck_result;       /* Set during prvscheck expansion item */
+
+extern const uschar *qualify_domain_recipient; /* Domain to qualify recipients with */
+extern uschar *qualify_domain_sender;  /* Domain to qualify senders with */
+extern uschar *queue_domains;          /* Queue these domains */
+#ifndef DISABLE_QUEUE_RAMP
+extern BOOL    queue_fast_ramp;        /* 2-phase queue-run overlap */
+#endif
+extern BOOL    queue_list_requires_admin; /* TRUE if -bp requires admin */
+                                       /*   immediate children */
+extern pid_t   queue_run_pid;          /* PID of the queue running process or 0 */
+extern int     queue_run_pipe;         /* Pipe for synchronizing */
+extern int     queue_interval;         /* Queue running interval */
+extern uschar *queue_name;             /* Name of queue, if nondefault spooling */
+extern uschar *queue_name_dest;	       /* Destination queue, for moving messages */
+extern BOOL    queue_only;             /* TRUE to disable immediate delivery */
+extern int     queue_only_load;        /* Max load before auto-queue */
+extern BOOL    queue_only_load_latch;  /* Latch queue_only_load TRUE */
+extern uschar *queue_only_file;        /* Queue if file exists/not-exists */
+extern BOOL    queue_only_override;    /* Allow override from command line */
+extern BOOL    queue_run_in_order;     /* As opposed to random */
+extern uschar *queue_run_max;          /* Max queue runners */
+extern unsigned queue_size;            /* items in queue */
+extern time_t  queue_size_next;        /* next time to evaluate queue_size */
+extern uschar *queue_smtp_domains;     /* Ditto, for these domains */
+
+extern unsigned int random_seed;       /* Seed for random numbers */
+extern tree_node *ratelimiters_cmd;    /* Results of command ratelimit checks */
+extern tree_node *ratelimiters_conn;   /* Results of connection ratelimit checks */
+extern tree_node *ratelimiters_mail;   /* Results of per-mail ratelimit checks */
+extern uschar *raw_active_hostname;    /* Pre-expansion */
+extern uschar *raw_sender;             /* Before rewriting */
+extern uschar **raw_recipients;        /* Before rewriting */
+extern int     raw_recipients_count;
+extern const uschar * rc_names[];      /* Mostly for debug output */
+extern int     rcpt_count;             /* Count of RCPT commands in a message */
+extern int     rcpt_fail_count;        /* Those that got 5xx */
+extern int     rcpt_defer_count;       /* Those that got 4xx */
+extern gid_t   real_gid;               /* Real gid */
+extern uid_t   real_uid;               /* Real user running program */
+extern int     receive_linecount;      /* Mainly for BSMTP errors */
+extern int     receive_messagecount;   /* Mainly for BSMTP errors */
+extern int     receive_timeout;        /* For non-SMTP acceptance */
+extern int     received_count;         /* Count of Received: headers */
+extern uschar *received_for;           /* For "for" field */
+extern uschar *received_header_text;   /* Definition of Received: header */
+extern int     received_headers_max;   /* Max count of Received: headers */
+extern struct timeval received_time;   /* Time the message started to be received */
+extern struct timeval received_time_complete; /* Time the message completed reception */
+extern uschar *recipient_data;         /* lookup data for recipients */
+extern uschar *recipient_unqualified_hosts; /* Permitted unqualified recipients */
+extern uschar *recipient_verify_failure; /* What went wrong */
+extern int     recipients_list_max;    /* Maximum number fitting in list */
+extern int     recipients_max;         /* Max permitted */
+extern BOOL    recipients_max_reject;  /* If TRUE, reject whole message */
+extern const pcre2_code *regex_AUTH;         /* For recognizing AUTH settings */
+extern const pcre2_code  *regex_check_dns_names; /* For DNS name checking */
+extern const pcre2_code  *regex_From;        /* For recognizing "From_" lines */
+extern const pcre2_code  *regex_CHUNKING;    /* For recognizing CHUNKING (RFC 3030) */
+extern const pcre2_code  *regex_IGNOREQUOTA; /* For recognizing IGNOREQUOTA (LMTP) */
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+extern const pcre2_code  *regex_LIMITS; /* For recognizing LIMITS */
+#endif
+extern const pcre2_code  *regex_PIPELINING;  /* For recognizing PIPELINING */
+extern const pcre2_code  *regex_SIZE;        /* For recognizing SIZE settings */
+#ifndef DISABLE_PIPE_CONNECT
+extern const pcre2_code  *regex_EARLY_PIPE;  /* For recognizing PIPE_CONNCT */
+#endif
+extern const pcre2_code  *regex_ismsgid;     /* Compiled r.e. for message ID */
+extern const pcre2_code  *regex_smtp_code;   /* For recognizing SMTP codes */
+extern const uschar *regex_vars[];           /* $regexN variables */
+#ifdef WHITELIST_D_MACROS
+extern const pcre2_code  *regex_whitelisted_macro; /* For -D macro values */
+#endif
+#ifdef WITH_CONTENT_SCAN
+extern uschar *regex_match_string;     /* regex that matched a line (regex ACL condition) */
+#endif
+extern int     remote_delivery_count;  /* Number of remote addresses */
+extern int     remote_max_parallel;    /* Maximum parallel delivery */
+extern uschar *remote_sort_domains;    /* Remote domain sorting order */
+extern retry_config *retries;          /* Chain of retry config information */
+extern int     retry_data_expire;      /* When to expire retry data */
+extern int     retry_interval_max;     /* Absolute maximum */
+extern int     retry_maximum_timeout;  /* The maximum timeout */
+extern uschar *return_path;            /* Return path for a message */
+extern BOOL    return_path_remove;     /* Remove return-path headers */
+extern int     rewrite_existflags;     /* Indicate which headers have rewrites */
+extern uschar *rfc1413_hosts;          /* RFC hosts */
+extern int     rfc1413_query_timeout;  /* Timeout on RFC 1413 calls */
+/* extern BOOL    rfc821_domains;  */       /* If set, syntax is 821, not 822 => being abolished */
+extern uid_t   root_gid;               /* The gid for root */
+extern uid_t   root_uid;               /* The uid for root */
+extern router_info routers_available[];/* Vector of available routers */
+extern router_instance *routers;       /* Chain of instantiated routers */
+extern router_instance router_defaults;/* Default values */
+extern uschar *router_name;            /* Name of router last started */
+extern tree_node *router_var;	       /* Variables set by router */
+extern ip_address_item *running_interfaces; /* Host's running interfaces */
+extern uschar *running_status;         /* Flag string for testing */
+extern int     runrc;                  /* rc from ${run} */
+
+extern uschar *search_error_message;   /* Details of lookup problem */
+extern uschar *self_hostname;          /* Self host after routing->directors */
+extern unsigned int sender_address_cache[(MAX_NAMED_LIST * 2)/32]; /* Cache bits for sender */
+extern uschar *sender_address_data;    /* address_data from sender verify */
+extern uschar *sender_address_unrewritten; /* Set if rewritten by verify */
+extern uschar *sender_data;            /* lookup result for senders */
+extern unsigned int sender_domain_cache[(MAX_NAMED_LIST * 2)/32]; /* Cache bits for sender domain */
+extern uschar *sender_fullhost;        /* Sender host name + address */
+extern BOOL    sender_helo_dnssec;     /* True if HELO verify used DNS and was DNSSEC */
+extern uschar *sender_helo_name;       /* Host name from HELO/EHLO */
+extern uschar **sender_host_aliases;   /* Points to list of alias names */
+extern uschar *sender_host_auth_pubname; /* Public-name of authentication method */
+extern unsigned int sender_host_cache[(MAX_NAMED_LIST * 2)/32]; /* Cache bits for incoming host */
+extern BOOL    sender_host_dnssec;     /* true if sender_host_name verified in DNSSEC */
+extern uschar *sender_ident;           /* Sender identity via RFC 1413 */
+extern uschar *sender_rate;            /* Sender rate computed by ACL */
+extern uschar *sender_rate_limit;      /* Configured rate limit */
+extern uschar *sender_rate_period;     /* Configured smoothing period */
+extern uschar *sender_rcvhost;         /* Host data for Received: */
+extern uschar *sender_unqualified_hosts; /* Permitted unqualified senders */
+extern uschar *sender_verify_failure;  /* What went wrong */
+extern address_item *sender_verified_list; /* Saved chain of sender verifies */
+extern address_item *sender_verified_failed; /* The one that caused denial */
+extern uschar *sending_ip_address;     /* Address of outgoing (SMTP) interface */
+extern int     sending_port;           /* Port of outgoing interface */
+extern SIGNAL_BOOL sigalrm_seen;       /* Flag for sigalrm_handler */
+extern const uschar *sigalarm_setter;  /* For debug, set to callpoint of alarm() */
+extern uschar **sighup_argv;           /* Args for re-execing after SIGHUP */
+extern int     slow_lookup_log;        /* Log DNS lookups taking longer than N millisecs */
+extern int     smtp_accept_count;      /* Count of connections */
+extern BOOL    smtp_accept_keepalive;  /* Set keepalive on incoming */
+extern int     smtp_accept_max;        /* Max SMTP connections */
+extern int     smtp_accept_max_nonmail;/* Max non-mail commands in one con */
+extern uschar *smtp_accept_max_nonmail_hosts; /* Limit non-mail cmds from these hosts */
+extern uschar *smtp_accept_max_per_connection; /* Max msgs per connection */
+extern uschar *smtp_accept_max_per_host; /* Max SMTP cons from one IP addr */
+extern int     smtp_accept_queue;      /* Queue after so many connections */
+extern int     smtp_accept_queue_per_connection; /* Queue after so many msgs */
+extern int     smtp_accept_reserve;    /* Reserve these SMTP connections */
+extern uschar *smtp_active_hostname;   /* Hostname for this message */
+extern int     smtp_backlog_monitor;   /* listen backlog level to log */
+extern uschar *smtp_banner;            /* Banner string (to be expanded) */
+extern BOOL    smtp_check_spool_space; /* TRUE to check SMTP SIZE value */
+extern int     smtp_ch_index;          /* Index in smtp_connection_had */
+extern uschar *smtp_cmd_argument;      /* For all SMTP commands */
+extern uschar *smtp_cmd_buffer;        /* SMTP command buffer */
+extern struct timeval smtp_connection_start; /* Start time of SMTP connection */
+extern uschar  smtp_connection_had[];  /* Recent SMTP commands */
+extern int     smtp_connect_backlog;   /* Max backlog permitted */
+extern double  smtp_delay_mail;        /* Current MAIL delay */
+extern double  smtp_delay_rcpt;        /* Current RCPT delay */
+extern BOOL    smtp_enforce_sync;      /* Enforce sync rules */
+extern uschar *smtp_etrn_command;      /* Command to run */
+extern BOOL    smtp_etrn_serialize;    /* Only one at once */
+extern FILE   *smtp_in;                /* Incoming SMTP input file */
+extern int     smtp_listen_backlog;    /* Current listener socket backlog, if monitored */
+extern int     smtp_load_reserve;      /* Only from reserved if load > this */
+extern int     smtp_mailcmd_count;     /* Count of MAIL commands */
+extern int     smtp_mailcmd_max;       /* Limit for MAIL commands */
+extern int     smtp_max_synprot_errors;/* Max syntax/protocol errors */
+extern int     smtp_max_unknown_commands; /* As it says */
+extern uschar *smtp_names[];	       /* decode for command codes */
+extern uschar *smtp_notquit_reason;    /* Global for disconnect reason */
+extern FILE   *smtp_out;               /* Incoming SMTP output file */
+extern uschar *smtp_ratelimit_hosts;   /* Rate limit these hosts */
+extern uschar *smtp_ratelimit_mail;    /* Parameters for MAIL limiting */
+extern uschar *smtp_ratelimit_rcpt;    /* Parameters for RCPT limiting */
+extern uschar *smtp_read_error;        /* Message for SMTP input error */
+extern int     smtp_receive_timeout;   /* Applies to each received line */
+extern uschar *smtp_receive_timeout_s; /* ... expandable version */
+extern uschar *smtp_reserve_hosts;     /* Hosts for reserved slots */
+extern BOOL    smtp_return_error_details; /* TRUE to return full info */
+extern int     smtp_rlm_base;          /* Base interval for MAIL rate limit */
+extern double  smtp_rlm_factor;        /* Factor for MAIL rate limit */
+extern int     smtp_rlm_limit;         /* Max delay */
+extern int     smtp_rlm_threshold;     /* Threshold for RCPT rate limit */
+extern int     smtp_rlr_base;          /* Base interval for RCPT rate limit */
+extern double  smtp_rlr_factor;        /* Factor for RCPT rate limit */
+extern int     smtp_rlr_limit;         /* Max delay */
+extern int     smtp_rlr_threshold;     /* Threshold for RCPT rate limit */
+extern unsigned smtp_peer_options;     /* Global flags for passed connections */
+extern unsigned smtp_peer_options_wrap; /* stacked version hidden by TLS */
+#ifdef SUPPORT_I18N
+extern uschar *smtputf8_advertise_hosts; /* ingress control */
+#endif
+
+#ifdef WITH_CONTENT_SCAN
+extern uschar *spamd_address;          /* address for the spamassassin daemon */
+extern uschar *spam_bar;               /* the spam "bar" (textual representation of spam_score) */
+extern uschar *spam_report;            /* the spamd report (multiline) */
+extern uschar *spam_action;            /* the spamd recommended-action */
+extern uschar *spam_score;             /* the spam score (float) */
+extern uschar *spam_score_int;         /* spam_score * 10 (int) */
+#endif
+#ifdef SUPPORT_SPF
+extern uschar *spf_guess;              /* spf best-guess record */
+extern uschar *spf_header_comment;     /* spf header comment */
+extern uschar *spf_received;           /* Received-SPF: header */
+extern uschar *spf_result;             /* spf result in string form */
+extern BOOL    spf_result_guessed;     /* spf result is of best-guess operation */
+extern uschar *spf_smtp_comment;       /* spf comment to include in SMTP reply */
+extern uschar *spf_smtp_comment_template;
+                                       /* template to construct the spf comment by libspf2 */
+#endif
+extern BOOL    split_spool_directory;  /* TRUE to use multiple subdirs */
+extern FILE   *spool_data_file;	       /* handle for -D file */
+extern uschar *spool_directory;        /* Name of spool directory */
+extern BOOL    spool_wireformat;       /* can write wireformat -D files */
+#ifdef SUPPORT_SRS
+extern uschar *srs_recipient;          /* SRS recipient */
+#endif
+extern BOOL    strict_acl_vars;        /* ACL variables have to be set before being used */
+extern int     string_datestamp_offset;/* After insertion by string_format */
+extern int     string_datestamp_length;/* After insertion by string_format */
+extern int     string_datestamp_type;  /* After insertion by string_format */
+extern BOOL    strip_excess_angle_brackets; /* Surrounding route-addrs */
+extern BOOL    strip_trailing_dot;     /* Remove dots at ends of domains */
+extern const uschar *submission_domain;/* Domain for submission mode */
+extern const uschar *submission_name;  /* User name set from ACL */
+extern BOOL    syslog_duplication;     /* FALSE => no duplicate logging */
+extern int     syslog_facility;        /* As defined by Syslog.h */
+extern BOOL    syslog_pid;             /* TRUE if PID on syslogs */
+extern uschar *syslog_processname;     /* 'ident' param to openlog() */
+extern BOOL    syslog_timestamp;       /* TRUE if time on syslogs */
+extern uschar *system_filter;          /* Name of system filter file */
+
+extern uschar *system_filter_directory_transport;  /* Transports for the */
+extern uschar *system_filter_file_transport;       /* system filter */
+extern uschar *system_filter_pipe_transport;
+extern uschar *system_filter_reply_transport;
+
+extern gid_t   system_filter_gid;      /* Gid for running system filter */
+extern BOOL    system_filter_gid_set;  /* TRUE if gid set */
+extern uid_t   system_filter_uid;      /* Uid for running system filter */
+extern BOOL    system_filter_uid_set;  /* TRUE if uid set */
+
+extern blob    tcp_fastopen_nodata;    /* for zero-data TFO connect requests */
+extern BOOL    tcp_nodelay;            /* Controls TCP_NODELAY on daemon */
+extern tfo_state_t tcp_out_fastopen;   /* TCP fast open */
+#ifdef USE_TCP_WRAPPERS
+extern uschar *tcp_wrappers_daemon_name; /* tcpwrappers daemon lookup name */
+#endif
+extern int     test_harness_load_avg;  /* For use when testing */
+extern int     thismessage_size_limit; /* Limit for this message */
+extern int     timeout_frozen_after;   /* Max time to keep frozen messages */
+#ifdef MEASURE_TIMING
+extern struct timeval timestamp_startup; /* For development measurements */
+#endif
+
+extern uschar *transport_name;         /* Name of transport last started */
+extern int     transport_count;        /* Count of bytes transported */
+extern int     transport_newlines;     /* Accurate count of number of newline chars transported */
+extern const uschar **transport_filter_argv; /* For on-the-fly filtering */
+extern int     transport_filter_timeout; /* Timeout for same */
+
+extern transport_info transports_available[]; /* Vector of available transports */
+extern transport_instance *transports; /* Chain of instantiated transports */
+extern transport_instance transport_defaults; /* Default values */
+
+extern int     transport_write_timeout;/* Set to time out individual writes */
+
+extern tree_node *tree_dns_fails;      /* Tree of DNS lookup failures */
+extern tree_node *tree_duplicates;     /* Tree of duplicate addresses */
+extern tree_node *tree_nonrecipients;  /* Tree of nonrecipient addresses */
+extern tree_node *tree_unusable;       /* Tree of unusable addresses */
+
+extern gid_t  *trusted_groups;         /* List of trusted groups */
+extern uid_t  *trusted_users;          /* List of trusted users */
+extern uschar *timezone_string;        /* Required timezone setting */
+
+extern uschar *unknown_login;          /* To use when login id unknown */
+extern uschar *unknown_username;       /* Ditto */
+extern uschar *untrusted_set_sender;   /* Let untrusted users set these senders */
+extern uschar *uucp_from_pattern;      /* For recognizing "From " lines */
+extern uschar *uucp_from_sender;       /* For building the sender */
+
+extern uschar *warn_message_file;      /* Template for warning messages */
+extern uschar *warnmsg_delay;          /* String form of delay time */
+extern uschar *warnmsg_recipients;     /* Recipients of warning message */
+extern BOOL    write_rejectlog;        /* Control of reject logging */
+
+extern uschar *verify_mode;	       /* Running a router in verify mode */
+extern uschar *version_copyright;      /* Copyright notice */
+extern uschar *version_date;           /* Date of compilation */
+extern uschar *version_cnumber;        /* Compile number */
+extern uschar *version_string;         /* Version string */
+
+extern int     warning_count;          /* Delay warnings sent for this msg */
+
+/* End of globals.h */
diff --git a/src/hash.c b/src/hash.c
new file mode 100644
index 0000000..51bcd46
--- /dev/null
+++ b/src/hash.c
@@ -0,0 +1,895 @@
+/*
+ *  Exim - an Internet mail transport agent
+ *
+ *  Copyright (c) The Exim Maintainers 2010 - 2022
+ *  Copyright (c) University of Cambridge 1995 - 2009
+ *
+ *  Hash interface functions
+ */
+
+#ifndef STAND_ALONE
+# include "exim.h"
+
+#else
+
+/* For stand-alone testing, we need to have the structure defined, and
+to be able to do I/O */
+
+# include <stdio.h>
+# include <stdlib.h>
+typedef unsigned char uschar;
+typedef struct sha1 {
+  unsigned int H[5];
+  unsigned int length;
+  }
+sha1;
+#endif	/*STAND_ALONE*/
+
+#include <assert.h>
+
+/******************************************************************************/
+#ifdef SHA_OPENSSL
+# define HAVE_PARTIAL_SHA
+
+BOOL
+exim_sha_init(hctx * h, hashmethod m)
+{
+# if OPENSSL_VERSION_NUMBER < 0x30000000L
+switch (h->method = m)
+  {
+  case HASH_SHA1:     h->hashlen = 20; SHA1_Init  (&h->u.sha1);     break;
+  case HASH_SHA2_256: h->hashlen = 32; SHA256_Init(&h->u.sha2_256); break;
+  case HASH_SHA2_384: h->hashlen = 48; SHA384_Init(&h->u.sha2_512); break;
+  case HASH_SHA2_512: h->hashlen = 64; SHA512_Init(&h->u.sha2_512); break;
+#  ifdef EXIM_HAVE_SHA3
+  case HASH_SHA3_224: h->hashlen = 28;
+		      EVP_DigestInit(h->u.mctx = EVP_MD_CTX_new(), EVP_sha3_224());
+		      break;
+  case HASH_SHA3_256: h->hashlen = 32;
+		      EVP_DigestInit(h->u.mctx = EVP_MD_CTX_new(), EVP_sha3_256());
+		      break;
+  case HASH_SHA3_384: h->hashlen = 48;
+		      EVP_DigestInit(h->u.mctx = EVP_MD_CTX_new(), EVP_sha3_384());
+		      break;
+  case HASH_SHA3_512: h->hashlen = 64;
+		      EVP_DigestInit(h->u.mctx = EVP_MD_CTX_new(), EVP_sha3_512());
+		      break;
+#  endif
+  default:	      h->hashlen = 0; return FALSE;
+  }
+return TRUE;
+
+# else
+EVP_MD * md;
+
+h->hashlen = 0;
+if (!(h->u.mctx = EVP_MD_CTX_new())) return FALSE;
+switch (h->method = m)
+  {
+  case HASH_SHA1:     h->hashlen = 20; md = EVP_MD_fetch(NULL, "SHA1", NULL); break;
+  case HASH_SHA2_256: h->hashlen = 32; md = EVP_MD_fetch(NULL, "SHA2-256", NULL); break;
+  case HASH_SHA2_384: h->hashlen = 48; md = EVP_MD_fetch(NULL, "SHA2-384", NULL); break;
+  case HASH_SHA2_512: h->hashlen = 64; md = EVP_MD_fetch(NULL, "SHA2-512", NULL); break;
+  case HASH_SHA3_224: h->hashlen = 28; md = EVP_MD_fetch(NULL, "SHA3-224", NULL); break;
+  case HASH_SHA3_256: h->hashlen = 32; md = EVP_MD_fetch(NULL, "SHA3-256", NULL); break;
+  case HASH_SHA3_384: h->hashlen = 48; md = EVP_MD_fetch(NULL, "SHA3-384", NULL); break;
+  case HASH_SHA3_512: h->hashlen = 64; md = EVP_MD_fetch(NULL, "SHA3-512", NULL); break;
+  default:	      return FALSE;
+  }
+if (md && EVP_DigestInit_ex(h->u.mctx, md, NULL))
+  return TRUE;
+
+h->hashlen = 0;
+return FALSE;
+# endif
+}
+
+
+void
+exim_sha_update(hctx * h, const uschar * data, int len)
+{
+# if OPENSSL_VERSION_NUMBER < 0x30000000L
+switch (h->method)
+  {
+  case HASH_SHA1:     SHA1_Update  (&h->u.sha1,     data, len); break;
+  case HASH_SHA2_256: SHA256_Update(&h->u.sha2_256, data, len); break;
+  case HASH_SHA2_384: SHA384_Update(&h->u.sha2_512, data, len); break;
+  case HASH_SHA2_512: SHA512_Update(&h->u.sha2_512, data, len); break;
+#  ifdef EXIM_HAVE_SHA3
+  case HASH_SHA3_224:
+  case HASH_SHA3_256:
+  case HASH_SHA3_384:
+  case HASH_SHA3_512: EVP_DigestUpdate(h->u.mctx, data, len); break;
+#  endif
+  /* should be blocked by init not handling these, but be explicit to
+  guard against accidents later (and hush up clang -Wswitch) */
+  default: assert(0);
+  }
+
+# else
+
+EVP_DigestUpdate(h->u.mctx, data, len);
+# endif
+}
+
+
+void
+exim_sha_finish(hctx * h, blob * b)
+{
+/* Hashing is sufficient to purify any tainted input */
+b->data = store_get(b->len = h->hashlen, GET_UNTAINTED);
+
+# if OPENSSL_VERSION_NUMBER < 0x30000000L
+switch (h->method)
+  {
+  case HASH_SHA1:     SHA1_Final  (b->data, &h->u.sha1);     break;
+  case HASH_SHA2_256: SHA256_Final(b->data, &h->u.sha2_256); break;
+  case HASH_SHA2_384: SHA384_Final(b->data, &h->u.sha2_512); break;
+  case HASH_SHA2_512: SHA512_Final(b->data, &h->u.sha2_512); break;
+#  ifdef EXIM_HAVE_SHA3
+  case HASH_SHA3_224:
+  case HASH_SHA3_256:
+  case HASH_SHA3_384:
+  case HASH_SHA3_512: EVP_DigestFinal(h->u.mctx, b->data, NULL); break;
+#  endif
+  default: assert(0);
+  }
+
+# else
+
+EVP_DigestFinal_ex(h->u.mctx, b->data, NULL);
+EVP_MD_free((EVP_MD *) EVP_MD_CTX_get0_md(h->u.mctx));
+EVP_MD_CTX_free(h->u.mctx);
+
+# endif
+}
+
+
+
+#elif defined(SHA_GNUTLS)
+# define HAVE_PARTIAL_SHA
+/******************************************************************************/
+
+BOOL
+exim_sha_init(hctx * h, hashmethod m)
+{
+switch (h->method = m)
+  {
+  case HASH_SHA1:     h->hashlen = 20; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA1);   break;
+  case HASH_SHA2_256: h->hashlen = 32; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA256); break;
+  case HASH_SHA2_384: h->hashlen = 48; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA384); break;
+  case HASH_SHA2_512: h->hashlen = 64; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA512); break;
+#ifdef EXIM_HAVE_SHA3
+  case HASH_SHA3_224: h->hashlen = 28; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA3_224); break;
+  case HASH_SHA3_256: h->hashlen = 32; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA3_256); break;
+  case HASH_SHA3_384: h->hashlen = 48; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA3_384); break;
+  case HASH_SHA3_512: h->hashlen = 64; gnutls_hash_init(&h->sha, GNUTLS_DIG_SHA3_512); break;
+#endif
+  default: h->hashlen = 0; return FALSE;
+  }
+return TRUE;
+}
+
+
+void
+exim_sha_update(hctx * h, const uschar * data, int len)
+{
+gnutls_hash(h->sha, data, len);
+}
+
+
+void
+exim_sha_finish(hctx * h, blob * b)
+{
+b->data = store_get(b->len = h->hashlen, GET_UNTAINTED);
+gnutls_hash_output(h->sha, b->data);
+}
+
+
+
+#elif defined(SHA_GCRYPT)
+# define HAVE_PARTIAL_SHA
+/******************************************************************************/
+
+BOOL
+exim_sha_init(hctx * h, hashmethod m)
+{
+switch (h->method = m)
+  {
+  case HASH_SHA1:     h->hashlen = 20; gcry_md_open(&h->sha, GCRY_MD_SHA1, 0);   break;
+  case HASH_SHA2_256: h->hashlen = 32; gcry_md_open(&h->sha, GCRY_MD_SHA256, 0); break;
+  case HASH_SHA2_384: h->hashlen = 48; gcry_md_open(&h->sha, GCRY_MD_SHA384, 0); break;
+  case HASH_SHA2_512: h->hashlen = 64; gcry_md_open(&h->sha, GCRY_MD_SHA512, 0); break;
+  case HASH_SHA3_256: h->hashlen = 32; gcry_md_open(&h->sha, GCRY_MD_SHA3_256, 0); break;
+  case HASH_SHA3_384: h->hashlen = 48; gcry_md_open(&h->sha, GCRY_MD_SHA3_384, 0); break;
+  case HASH_SHA3_512: h->hashlen = 64; gcry_md_open(&h->sha, GCRY_MD_SHA3_512, 0); break;
+  default:	    h->hashlen = 0; return FALSE;
+  }
+return TRUE;
+}
+
+
+void
+exim_sha_update(hctx * h, const uschar * data, int len)
+{
+gcry_md_write(h->sha, data, len);
+}
+
+
+void
+exim_sha_finish(hctx * h, blob * b)
+{
+b->data = store_get(b->len = h->hashlen, GET_UNTAINTED);
+memcpy(b->data, gcry_md_read(h->sha, 0), h->hashlen);
+}
+
+
+
+
+#elif defined(SHA_POLARSSL)
+# define HAVE_PARTIAL_SHA
+/******************************************************************************/
+
+BOOL
+exim_sha_init(hctx * h, hashmethod m)
+{
+/*XXX extend for sha512 */
+switch (h->method = m)
+  {
+  case HASH_SHA1:   h->hashlen = 20; sha1_starts(&h->u.sha1);    break;
+  case HASH_SHA2_256: h->hashlen = 32; sha2_starts(&h->u.sha2, 0); break;
+  default:	    h->hashlen = 0; return FALSE;
+  }
+return TRUE;
+}
+
+
+void
+exim_sha_update(hctx * h, const uschar * data, int len)
+{
+switch (h->method)
+  {
+  case HASH_SHA1:   sha1_update(h->u.sha1, US data, len); break;
+  case HASH_SHA2_256: sha2_update(h->u.sha2, US data, len); break;
+  }
+}
+
+
+void
+exim_sha_finish(hctx * h, blob * b)
+{
+b->data = store_get(b->len = h->hashlen, GET_INTAINTED);
+switch (h->method)
+  {
+  case HASH_SHA1:   sha1_finish(h->u.sha1, b->data); break;
+  case HASH_SHA2_256: sha2_finish(h->u.sha2, b->data); break;
+  }
+}
+
+
+
+
+#elif defined(SHA_NATIVE)
+/******************************************************************************/
+/* Only sha-1 supported */
+
+/*************************************************
+*        Start off a new SHA-1 computation.      *
+*************************************************/
+
+/*
+Argument:  pointer to sha1 storage structure
+Returns:   nothing
+*/
+
+static void
+native_sha1_start(sha1 *base)
+{
+base->H[0] = 0x67452301;
+base->H[1] = 0xefcdab89;
+base->H[2] = 0x98badcfe;
+base->H[3] = 0x10325476;
+base->H[4] = 0xc3d2e1f0;
+base->length = 0;
+}
+
+
+
+/*************************************************
+*       Process another 64-byte block            *
+*************************************************/
+
+/* This function implements central part of the algorithm
+
+Arguments:
+  base       pointer to sha1 storage structure
+  text       pointer to next 64 bytes of subject text
+
+Returns:     nothing
+*/
+
+static void
+native_sha1_mid(sha1 *base, const uschar *text)
+{
+uint A, B, C, D, E;
+uint W[80];
+
+base->length += 64;
+
+for (int i = 0; i < 16; i++)
+  {
+  W[i] = ((uint)text[0] << 24) | (text[1] << 16) | (text[2] << 8) | text[3];
+  text += 4;
+  }
+
+for (int i = 16; i < 80; i++)
+  {
+  register unsigned int x = W[i-3] ^ W[i-8] ^ W[i-14] ^ W[i-16];
+  W[i] = (x << 1) | (x >> 31);
+  }
+
+A = base->H[0];
+B = base->H[1];
+C = base->H[2];
+D = base->H[3];
+E = base->H[4];
+
+for (int i = 0; i < 20; i++)
+  {
+  unsigned int T;
+  T = ((A << 5) | (A >> 27)) + ((B & C) | ((~B) & D)) + E + W[i] + 0x5a827999;
+  E = D;
+  D = C;
+  C = (B << 30) | (B >> 2);
+  B = A;
+  A = T;
+  }
+
+for (int i = 20; i < 40; i++)
+  {
+  unsigned int T;
+  T = ((A << 5) | (A >> 27)) + (B ^ C ^ D) + E + W[i] + 0x6ed9eba1;
+  E = D;
+  D = C;
+  C = (B << 30) | (B >> 2);
+  B = A;
+  A = T;
+  }
+
+for (int i = 40; i < 60; i++)
+  {
+  unsigned int T;
+  T = ((A << 5) | (A >> 27)) + ((B & C) | (B & D) | (C & D)) + E + W[i] +
+    0x8f1bbcdc;
+  E = D;
+  D = C;
+  C = (B << 30) | (B >> 2);
+  B = A;
+  A = T;
+  }
+
+for (int i = 60; i < 80; i++)
+  {
+  unsigned int T;
+  T = ((A << 5) | (A >> 27)) + (B ^ C ^ D) + E + W[i] + 0xca62c1d6;
+  E = D;
+  D = C;
+  C = (B << 30) | (B >> 2);
+  B = A;
+  A = T;
+  }
+
+base->H[0] += A;
+base->H[1] += B;
+base->H[2] += C;
+base->H[3] += D;
+base->H[4] += E;
+}
+
+
+
+
+/*************************************************
+*     Process the final text string              *
+*************************************************/
+
+/* The string may be of any length. It is padded out according to the rules
+for computing SHA-1 digests. The final result is then converted to text form
+and returned.
+
+Arguments:
+  base      pointer to the sha1 storage structure
+  text      pointer to the final text vector
+  length    length of the final text vector
+  digest    points to 16 bytes in which to place the result
+
+Returns:    nothing
+*/
+
+static void
+native_sha1_end(sha1 *base, const uschar *text, int length, uschar *digest)
+{
+uschar work[64];
+
+/* Process in chunks of 64 until we have less than 64 bytes left. */
+
+while (length >= 64)
+  {
+  native_sha1_mid(base, text);
+  text += 64;
+  length -= 64;
+  }
+
+/* If the remaining string contains more than 55 bytes, we must pad it
+out to 64, process it, and then set up the final chunk as 56 bytes of
+padding. If it has less than 56 bytes, we pad it out to 56 bytes as the
+final chunk. */
+
+memcpy(work, text, length);
+work[length] = 0x80;
+
+if (length > 55)
+  {
+  memset(work+length+1, 0, 63-length);
+  native_sha1_mid(base, work);
+  base->length -= 64;
+  memset(work, 0, 56);
+  }
+else
+  memset(work+length+1, 0, 55-length);
+
+/* The final 8 bytes of the final chunk are a 64-bit representation of the
+length of the input string *bits*, before padding, high order word first, and
+high order bytes first in each word. This implementation is designed for short
+strings, and so operates with a single int counter only. */
+
+length += base->length;   /* Total length in bytes */
+length <<= 3;             /* Total length in bits */
+
+work[63] = length         & 0xff;
+work[62] = (length >>  8) & 0xff;
+work[61] = (length >> 16) & 0xff;
+work[60] = (length >> 24) & 0xff;
+
+memset(work+56, 0, 4);
+
+/* Process the final 64-byte chunk */
+
+native_sha1_mid(base, work);
+
+/* Pass back the result, high-order byte first in each word. */
+
+for (int i = 0; i < 5; i++)
+  {
+  register int x = base->H[i];
+  *digest++ = (x >> 24) & 0xff;
+  *digest++ = (x >> 16) & 0xff;
+  *digest++ = (x >>  8) & 0xff;
+  *digest++ =  x        & 0xff;
+  }
+}
+
+
+
+
+
+
+# ifdef notdef
+BOOL
+exim_sha_init(hctx * h, hashmethod m)
+{
+h->hashlen = 20;
+native_sha1_start(&h->sha1);
+return TRUE;
+}
+
+
+void
+exim_sha_update(hctx * h, const uschar * data, int len)
+{
+native_sha1_mid(&h->sha1, US data);	/* implicit size always 64 */
+}
+
+
+void
+exim_sha_finish(hctx * h, blob * b)
+{
+b->data = store_get(b->len = h->hashlen, GET_UNTAINTED);
+
+native_sha1_end(&h->sha1, NULL, 0, b->data);
+}
+# endif
+
+
+#endif
+
+
+/******************************************************************************/
+/******************************************************************************/
+/******************************************************************************/
+/******************************************************************************/
+/* Original sha-1 interface used by crypteq{shal1},
+${sha1:} ${hmac:} and ${prvs:} */
+
+#ifdef SHA_NATIVE
+
+void
+sha1_start(hctx * h)
+{
+native_sha1_start(&h->sha1);
+}
+
+void
+sha1_mid(hctx * h, const uschar * data)
+{
+native_sha1_mid(&h->sha1, data);
+}
+
+void
+sha1_end(hctx * h, const uschar * data, int len, uschar *digest)
+{
+native_sha1_end(&h->sha1, data, len, digest);
+}
+
+#else
+
+void
+sha1_start(hctx * h)
+{
+(void) exim_sha_init(h, HASH_SHA1);
+}
+
+void
+sha1_mid(hctx * h, const uschar * data)
+{
+exim_sha_update(h, data, 64);
+}
+
+void
+sha1_end(hctx * h, const uschar * data, int len, uschar *digest)
+{
+blob b;
+exim_sha_update(h, data, len);
+exim_sha_finish(h, &b);
+memcpy(digest, b.data, 20);
+}
+
+#endif
+
+
+
+#ifdef HAVE_PARTIAL_SHA
+# undef HAVE_PARTIAL_SHA
+void
+exim_sha_update_string(hctx * h, const uschar * s)
+{
+if (s) exim_sha_update(h, s, Ustrlen(s));
+}
+#endif
+
+
+
+/*************************************************
+**************************************************
+*             Stand-alone test program           *
+**************************************************
+*************************************************/
+
+#ifdef STAND_ALONE
+
+/* Test values. The first 128 may contain binary zeros and have increasing
+length. */
+
+static uschar *tests[] = {
+  "",
+  "\x24",
+  "\x70\xf0",
+  "\x0e\x1e\xf0",
+  "\x08\x38\x78\x8f",
+  "\x10\x3e\x08\xfc\x0f",
+  "\xe7\xc7\x1e\x07\xef\x03",
+  "\xe0\xfb\x71\xf8\xf9\xc1\xfc",
+  "\xff\x7c\x60\x3c\x1f\x80\xe2\x07",
+  "\xf0\x3f\xc8\x60\x81\xfe\x01\xf8\x7f",
+  "\x9f\xc7\xf8\x1f\xc1\xe3\xc7\xc7\x3f\x00",
+  "\x00\x7f\xbf\xdf\xc0\xfe\x02\x7e\x00\xf8\x7f",
+  "\x01\x01\xc0\x1e\x03\xf8\x30\x08\x0f\xf3\xf9\xff",
+  "\xc4\x03\xfc\x0f\xf8\x01\xc0\x0f\xf0\x06\x10\x41\xff",
+  "\xff\x07\x80\x47\xfc\x1f\xc0\x60\x30\x1f\xe0\x3c\x03\xff",
+  "\x80\x3f\x84\x3e\xff\xc0\x3f\x0f\x00\x7f\xc0\x1f\xe7\xfc\x00",
+  "\xff\xe0\x7f\x01\x81\x81\xff\x81\xff\x00\x3e\x00\x20\x7f\x80\x0f",
+  "\x00\x3e\x00\x70\x1f\xe0\x0f\xfa\xff\xc8\x3f\xf3\xfe\x00\xff\x80\xff",
+  "\x7f\xef\xc0\x1e\x7c\xff\xe0\x1f\xfe\x00\x1f\xf0\x08\xff\xc0\x7f\xf0\x00",
+  "\xe0\x0f\x80\x07\x0c\x01\xff\xe0\x03\xf0\x2f\xf8\x3f\xef\x00\x78\x01\xfe\x00",
+  "\xe7\x00\x10\x00\xf8\x18\x0f\xf0\xff\x00\xff\x80\x3f\xc3\xfe\xf0\x0f\xfc\x01\xff",
+  "\x00\x1f\xf8\x0f\xfc\x00\xfc\x00\xff\x87\xc0\x0f\x80\x7b\xff\x00\x0f\x02\x01\xff\xc0",
+  "\x00\x0f\xf0\x03\xc7\xf8\x3e\x03\xff\x80\x03\xff\x80\x07\xff\x0f\xff\x1f\x83\xff\x80\x1f",
+  "\xff\xc0\x1f\x80\x3f\x9f\xf8\x78\x3e\x7f\xf8\x00\x3e\x20\x04\x3f\x80\x7f\xfc\x00\x1f\xfe\x00",
+  "\x3f\x07\x80\xe0\x07\xe0\x00\xfc\x7f\xc0\xc0\x0f\x8f\xf0\x80\x0e\x0e\x03\xff\xbf\xfc\x01\xff\xe0",
+  "\xff\xfc\x11\xfc\xe0\x0e\x1f\xff\x87\x80\x1f\xe0\xff\xfd\xff\xc0\x03\xff\xc0\x0f\x00\x07\xf0\x01\xff",
+  "\xf0\x07\xc1\xfe\x00\xf8\x01\xe7\x80\xff\x80\x3f\x1f\x7f\x8c\x00\x1c\x00\x0f\xf8\x07\xfc\x00\xff\xfc\x00",
+  "\x00\x0f\xf8\x3f\xc0\x60\x00\x7f\xf8\xff\x00\x03\xf0\x3c\x07\xc0\x7f\xe0\x3f\xf8\x01\x00\x7e\x03\xff\xc0\x00",
+  "\x00\x0f\xf8\x03\x00\x1f\xff\x00\x0f\xfe\x00\x3f\x00\x03\xff\xe0\x07\xc0\xff\x00\x3c\x7f\xf0\x01\xff\xf8\x3f\xff",
+  "\x00\x01\xe0\xe0\x1f\xfe\x00\x03\xfc\x00\x0f\xff\xe0\x0f\xff\x00\x0e\x00\x7f\xfc\x0f\xfe\x00\x78\x00\x3f\xff\x00\xff",
+  "\x80\x41\xff\xc3\xfe\x00\x1e\x00\x0f\xff\xe0\xff\x80\x0f\xe0\x00\x7f\xf7\xff\x01\xfe\x01\xff\xdf\xff\x00\x01\xff\xe0\x00",
+  "\xf8\x07\x00\xff\xc0\x7f\xbe\x00\x0f\xff\x00\x03\xe3\xf0\xff\xf0\x00\x1f\x81\xff\x80\x0f\xff\x80\x20\x03\xf0\x03\x80\xff\xfc",
+  "\x00\x38\x20\x00\x7f\xf0\x01\xff\xfe\xcf\xfe\x07\xff\xc0\x00\x7f\xf8\x1f\x00\x00\xc0\x00\xc0\x0f\xff\x3e\x0f\xc0\x0f\xff\x80\x00",
+  "\x1f\xf8\x07\xff\xf8\x03\xe0\x01\xff\xfc\x3f\xf8\x00\x38\x1f\x00\x3f\xdc\x01\xc0\x04\xff\xff\x00\x0f\xfc\x08\x02\x00\x01\xf0\x3f\xff",
+  "\x80\x07\x86\x00\x03\xff\xe0\x00\x3f\xf8\x00\x0f\x80\x0f\xf8\x0f\xff\xe0\x00\x1f\x80\x00\x7f\xf8\xc0\x0f\xff\xf0\x7c\x04\x07\xff\x00\x00",
+  "\x01\xff\x00\x18\x3e\x0f\x00\x07\xff\xc0\x00\xf0\x1f\xfe\x07\x80\x60\x0f\xf8\x00\x3f\xfe\x38\x1f\xc0\x00\x3f\x81\xff\xfc\x1f\xe0\x00\x3f\xff",
+  "\xf0\x3f\xff\xc0\x00\x7f\xf0\x00\x3f\xff\x0f\xe0\x07\x0f\xfc\x7e\x03\xff\xf0\xfc\x0f\x9f\xc0\x3f\xff\xcf\xff\x00\x00\xff\xc0\x00\xe7\x01\xff\xf8",
+  "\x00\x01\xff\x80\x20\x00\x7f\xe0\x00\x7e\x07\xff\xf8\xc7\xf8\xff\xf0\x0f\xfe\x00\x00\xe0\x0f\xe0\x00\x1f\xff\x87\xff\x00\x01\xf0\x00\x7f\xc1\xff\xff",
+  "\x00\x00\x7f\xff\xc0\x01\xfe\x7e\x01\xff\xfe\xff\xf0\x7f\xff\xcf\xf8\x07\xfe\x00\x0f\xff\xc0\x07\xff\xfc\x00\x3e\x00\x07\xfc\x00\x7f\xc0\x07\x80\x0f\xff",
+  "\xff\xff\x03\xff\x07\xf8\xff\xff\x80\x00\x7f\xfe\xff\xfe\x00\x03\xff\xf8\x1f\xff\x3f\xf8\x1f\xff\x00\x1f\xff\x0f\xc0\x7f\xf0\x01\xff\xe0\x00\x1f\xff\x00\x00",
+  "\xff\xff\x00\x00\xff\xfc\x00\x03\x0f\xff\xf0\x01\xf8\x00\x0f\xe1\xff\xff\x03\xe0\x3f\x1f\xff\x80\x00\x7c\x00\x01\xff\xc0\x01\x7f\xfe\x00\x0e\x07\xff\xe0\xff\xff",
+  "\xc0\x00\x3f\xfe\x03\xfc\x0c\x00\x04\x01\xff\xe1\xe0\x03\xff\xe0\x30\x01\xff\x00\x00\x3c\x1e\x01\x80\x01\xff\x00\x40\x3f\xfe\x00\x3f\xff\x80\x7c\x01\xff\x80\x00\x7f",
+  "\x3f\xa0\x00\x0f\xff\x81\xff\xc0\x0f\xf0\x7f\xf8\x00\x0f\xc0\x00\x7f\xe0\x01\xe0\x00\x04\xff\x00\x1f\xfe\x00\x01\xff\x80\x07\xff\xfe\x00\x3f\xff\xc0\x03\xff\x80\x00\x3f",
+  "\xf0\x1f\xff\x01\xff\x80\xff\xc0\x80\x07\xf0\x00\x03\xff\x80\x00\x18\x01\xff\xfc\x00\xff\xfc\x03\xff\xff\x00\x7f\xc0\x03\xff\xc7\xff\xc0\x03\xf0\xff\x80\x00\x3f\xfe\x00\x00",
+  "\x07\xf1\xbf\xff\xe0\x00\x78\x00\x07\xe0\x00\x80\x03\xf0\x3f\xf7\x00\x00\x38\x00\xfe\x00\xf8\x0f\xfe\x00\x00\x80\x3f\xff\xc1\xff\xfc\x00\xff\xff\x8f\xf0\x00\x1f\xff\xf0\x0f\xff",
+  "\x00\x1c\x00\x07\xff\xfc\x00\x5e\x3f\xff\x00\x00\x3c\xff\xff\xc0\x3f\xff\x81\xe0\x70\x00\x1f\xfc\x00\x03\xff\x00\x00\x7f\xff\xc0\x1f\x8c\x0f\xff\xf0\xff\x80\x07\xe0\x10\x01\xff\xff",
+  "\xc0\x00\x07\xff\x80\x7f\xff\x80\x01\x80\x3f\xff\xcf\xc0\xfe\x00\xff\xc0\x1f\xfc\x01\xff\xf8\x00\xff\xfe\x0f\xff\xf0\x06\x00\x00\xc0\x3f\xff\x80\x78\xff\xfc\x00\x0f\xff\xf0\x00\x0f\xff",
+  "\xff\xe0\x07\xff\xf8\x00\x7f\xf0\x1f\xff\x80\x01\xff\xf8\x1f\xf8\x01\x03\xff\xe0\x00\x03\xe0\x78\x0f\xff\x00\x0f\xfc\x1f\xf8\x00\x0f\xff\xe0\x1f\x00\x07\xff\xfc\x00\x1f\x03\xff\xf7\xff\xff",
+  "\xc0\xf8\x00\x03\xfe\x00\x3f\xff\xf0\x00\x03\xfc\x0f\xff\x80\x00\xe3\xff\xf8\x3f\xfe\x00\x00\x73\xe0\xff\xfc\x07\xff\xc3\xff\xfe\x03\x00\x00\x70\x00\x03\xff\xf8\x0f\xff\xe0\x00\x1f\xff\xf8\x00",
+  "\xff\xf0\x0f\xc7\xff\xfc\x00\x3f\xfe\x00\x00\x3f\xff\x80\x3f\x80\x00\x3f\xff\xc0\x00\x70\x01\xff\xc1\x80\x03\xff\xff\x80\x00\x61\xff\xfe\x03\xfd\x80\x3f\xff\xe0\x01\xc1\xff\xff\x80\x00\x0f\xfe\x00",
+  "\xff\xfc\x00\x03\xff\xf0\x0f\xf8\x00\x07\xdf\x8f\xff\xf8\x00\x01\xff\xfe\x00\x80\x00\xff\x80\x1f\xf0\x00\x01\x1c\x00\x00\x3f\xf8\x00\x3f\xff\xef\xff\xfe\x01\xc3\x80\x80\x01\xff\xff\xc0\x00\x07\xff\xff",
+  "\xff\xff\xc0\x01\xff\xc1\xff\xff\x87\xff\xff\x00\x3f\x00\x00\x1f\xfc\x00\x01\xff\x80\x1f\xc0\x1f\xff\x00\x00\xff\x80\x1f\xff\xf8\x7f\xf8\x3f\xff\xc1\xff\xff\xe0\x01\xc0\x3f\xf7\xff\xfe\xfc\x00\x00\x3f\xff",
+  "\x00\xff\x81\xff\xe0\x03\xf8\x0e\x00\x00\xff\xf8\x1f\xff\xfe\x00\x00\xff\x80\x00\x07\xff\xf8\x01\xff\xe0\x00\x0f\xf0\x01\xfe\x00\x3f\xf0\x7f\xe0\x00\x7f\xff\xe0\x1f\xff\xfc\x01\xff\xe0\x01\x80\x00\x07\xff\xff",
+  "\x00\x0f\xff\xf0\x00\x00\xe0\x0f\xf8\x00\x00\xff\xff\x80\x03\xff\xe1\xff\xff\x3f\xf8\x0f\xff\xc7\xe0\x00\x1f\xff\x00\x3f\xfe\x0f\xff\xf0\x03\x00\xc0\x00\x1f\xff\xfc\x3f\xff\xe0\x3f\xff\xf8\x1f\xf0\x00\x1f\xff\xc0",
+  "\x01\x80\x00\x1f\x01\xff\xff\x83\x00\x01\xfc\x00\x7f\xe0\x0e\x7f\xfe\x00\x00\x38\x00\xff\x00\x00\x3f\xff\x83\x83\xff\xc0\x00\x7f\xff\x80\x1f\xff\xf0\x1f\xff\xfc\x00\x03\x7f\xff\x81\xc0\x00\x07\xff\x83\xff\xff\x00\x00",
+  "\xff\x80\x0d\xff\xe0\x03\xff\xf0\x00\xff\xfc\x00\xf0\x01\xf8\x07\xff\xf8\x0f\x80\x0f\xff\xff\x00\xff\xff\x87\xff\xe1\xff\xfc\x67\x8c\x7f\xfe\x00\x03\xff\x3f\xfc\x07\x01\xff\xff\xe0\x00\x01\xff\xff\xc0\x0c\x40\x0f\xff\xff",
+  "\x00\x00\x1f\xff\xfe\x00\x1f\x00\x00\x1f\xff\xff\x07\xff\xff\xc0\x07\xff\xe0\x00\x02\x00\x00\xff\x00\x78\x00\x00\xe0\x00\x08\x00\x1f\xff\xff\x00\x03\xf8\x1f\x00\x00\x0f\xff\xc0\x00\x01\xff\xff\xe1\xf8\x00\x00\x3f\x80\x0f\xff",
+  "\x00\x0f\xf8\x00\xfc\x00\x03\xff\xff\x00\x00\x3f\xf0\x01\xff\xff\xe0\x7f\xf8\x00\xf8\x0f\xff\xff\x80\x00\x0f\xff\xfc\x0f\xff\xe0\x00\x00\xff\xc3\xff\xf0\x07\xff\xff\x00\x38\xf8\x00\x20\x1f\xfe\x3f\xfe\x00\xfe\x00\x7f\xff\xc0\x00",
+  "\x00\x3f\x00\xe0\x00\x0f\xff\xfc\x7f\xff\xfc\x00\x00\x7e\x00\x00\xff\xfe\x1f\xf0\x00\x1f\xf0\x00\x1f\xff\x87\xf0\x00\x3f\xc0\x0f\xff\x87\xff\x00\x3f\x81\xff\xff\xf7\xff\xe0\xff\xe0\x3f\x9f\xff\x00\x07\x00\x7f\xfc\x03\xff\xf0\x00\x00",
+  "\xe0\x3f\xff\xf0\xff\x80\x3e\x00\x03\xff\xe0\x00\x0f\xfc\x00\x07\xff\xf8\x00\x00\x7f\x80\x00\x0f\xf8\x01\xff\x7f\xff\xf0\x00\x3f\xff\xfe\x7f\xff\xe0\x00\xff\xc3\xff\xff\x00\x00\xf0\x00\x00\x7f\xff\x00\x3f\xff\xf0\x00\x01\xc0\x03\xff\xff",
+  "\x00\x03\xc0\x01\xff\xdf\xfd\xff\x9f\xfe\x1f\xff\xff\x00\x3f\xff\xfe\x00\x00\x7f\xcf\xff\xf0\x1f\xff\xfe\x07\xf0\x00\xff\xff\xe0\x00\x01\x00\x07\xff\x80\x1f\xe0\x00\x00\xff\xfe\x03\xff\xff\x80\x03\xf0\x0f\xff\xfe\x00\x00\x1f\xff\xf8\x00\x00",
+  "\x00\x1f\xff\xfb\xff\xfe\x00\x07\xff\xf0\x00\x00\xff\xff\x00\x00\x0f\xf3\xff\xfe\x00\x78\x00\x00\x3e\x00\x00\x3f\xff\xf8\x00\x1f\xff\xff\x80\x00\x03\xff\xff\x00\x07\xff\xee\x00\x1f\xfc\x00\x78\x00\x00\x1f\xff\x07\xff\xfe\x03\xff\xff\xe0\x00\x00",
+  "\x00\x7f\xff\xfe\x00\x00\x3f\xfc\x03\xff\xfc\x1f\xff\xf0\x7f\xd8\x03\xf0\x00\xfd\xfc\x38\x00\x08\x00\x10\x00\xe0\x06\x00\x7f\xfe\x00\x00\x0f\xff\x80\x00\x3f\x03\xff\xfe\xff\xff\xf9\xff\xf8\x00\x07\xff\xfc\x01\xff\xc0\x00\x03\xff\xff\xe0\x03\xff\xff",
+  "\xff\xf0\x0f\xff\xff\x00\x06\x00\xff\xff\xf0\x07\xff\xe0\x04\x00\x03\x00\x00\x03\xf0\xff\xff\x00\x03\xff\xfb\xff\xc3\xff\xf0\x07\xff\xff\xc7\x00\x7f\x80\x00\x03\xff\xf8\x00\x1f\xe1\xff\xf8\x63\xfc\x00\x3f\xc0\x9f\xff\xf8\x00\x00\x7f\xff\x1f\xff\xfc\x00",
+  "\x00\x3f\xff\xfc\x00\x0f\xc7\x80\x00\x02\x00\x1e\x00\x00\x60\x7f\x03\xfe\x00\x00\x1f\xff\x80\x1f\xf8\x00\x00\xff\xff\x80\x00\x03\xff\xc0\x00\x7f\xff\xc0\x7f\xe0\x03\xfc\x00\xff\xf7\xff\xff\x00\x00\x1f\xf0\x00\x03\xff\xff\xe1\xff\xff\x80\x0f\xf8\x00\x00\x1f",
+  "\x00\x01\xfe\x00\x03\x83\xf3\xff\xff\x80\x07\xff\xfc\x3f\xff\xfc\x03\xff\x80\x00\x06\x00\x00\x78\x00\x07\xff\xff\x80\x07\xfc\x01\xf8\x00\x07\xff\xff\xc0\x00\x38\x00\x07\xff\xfe\x3f\xff\xf8\x3f\xff\xcf\x3f\xfc\x00\x7f\xff\x00\x1f\xff\x80\x00\x30\x03\xff\xff\x00",
+  "\xf8\x00\x38\x00\x00\x3e\x3f\x00\x00\x3f\xff\xf0\x02\x00\x00\x0f\xff\xff\x80\x80\x03\xff\xc0\x00\x04\x00\x0f\xc0\x3f\xff\xfe\x00\x00\x3f\xff\xfe\x00\x3f\xff\xf8\x00\x30\x00\x7b\xff\x00\x00\x03\xff\xfc\x3f\xe1\xff\x80\x00\x70\x1f\xff\xc0\x07\xfc\x00\x1f\xff\xf0\x00",
+  "\x00\x03\xf8\x18\x00\x00\x70\x3f\xff\xf8\x00\x00\xff\xcf\xff\xff\xc0\x03\xff\xfe\x00\x10\x00\x00\xfe\x03\xff\xf8\x00\x00\x7e\x00\x00\x7f\x8f\xff\xc0\x00\x00\x7f\xff\xe0\x00\x3c\x07\xc0\x00\x00\x7f\xff\x01\xff\xf8\x01\xff\x80\x00\x0f\xff\xf9\xe0\x00\x3f\xff\xe0\x00\x00",
+  "\xff\xfe\x00\x3f\xc0\x1f\xff\xf0\x7f\xf8\x00\x01\xff\xf8\x1f\xff\xfe\x00\x00\xff\xff\xf8\x00\x7f\xff\x80\x3f\xff\xff\x00\x7f\xff\xf8\x00\x0c\x00\x00\x0f\xfe\x7e\x00\x3f\xe0\x18\x7f\xfe\x00\x00\x38\x00\x00\x3f\xff\xfe\x00\x00\x03\xfc\xff\xe1\xfe\x1f\xff\xfe\x00\x00\x07\xff",
+  "\x00\x00\x07\xff\xfe\x00\x00\x07\xfe\x00\x00\x3f\xe0\x00\x7f\xff\xc0\x00\x00\x7f\xff\xfc\x00\xfe\x00\x03\xff\xe0\x00\x1f\x0f\xfc\x00\x1f\xff\x80\x00\x07\xff\xff\xf0\x00\xff\xff\xf0\x00\x00\x1f\xff\xf8\x01\xff\xe0\x1f\xff\xff\x00\x1f\x80\x07\xf0\x00\x01\xff\xf8\x00\x01\xff\xff",
+  "\x00\x00\x3f\xff\xff\x03\xfe\x00\x00\x07\xc0\x00\x00\x7f\xfc\x0f\xf0\x00\x00\x1f\xff\xfe\x00\x00\x07\xc0\x00\x00\xff\xfe\x00\x00\x3f\xff\xfc\x01\xff\x7f\xfc\x00\x1f\xf8\x00\x1f\xff\x07\xff\xff\xe0\x00\x7f\xff\xfc\x01\xff\xff\xf0\x00\x01\xff\xf8\x00\x1e\x00\x00\x7f\xfc\x00\x3f\xff",
+  "\xfe\x3f\xff\x83\xff\xfe\x00\x07\xff\xff\xf0\x00\x3e\x00\x00\xff\xff\xfc\x00\x40\x3f\xfe\x00\x00\x03\xf0\x00\x00\x70\x3f\xf8\x0f\xff\xff\xe0\x1f\x80\x00\x03\xc3\xff\xff\xf0\x00\x01\xff\xf0\x0f\x80\x00\x0f\xe0\xff\xff\xfe\xf0\x00\x01\xff\xc0\x00\x00\x7f\xf0\x00\x00\x7f\xfe\xe0\x00\x00",
+  "\x00\x00\x03\xff\xf0\x01\xfc\x00\x00\xff\xff\x00\x00\x7f\xff\xff\x80\x07\xff\x8f\xff\x80\x00\x0f\xff\xf0\x00\x00\x3c\x00\x03\xc0\xff\xff\xfe\x01\xff\xff\x80\x0c\x7f\xff\xf8\x00\x00\x1f\xf0\x00\x00\x7f\x80\x00\x00\x80\x00\x00\xff\xff\xf0\x1f\xff\xe0\x00\xff\xff\xfe\x1f\xff\x1f\xc0\x00\x00",
+  "\xff\xff\xfe\x07\xff\xc0\x00\x06\x3f\x9f\xf0\x07\xff\xf0\x3f\xfe\x1f\xff\xff\x81\xff\xff\xc0\x00\x02\x00\xfe\x00\x04\x00\x07\x00\x00\x01\xff\xff\xfe\x00\x00\x07\xff\xfe\x00\x1f\xfe\x00\x00\xff\xff\xe0\x07\xf8\x00\xff\xff\xfc\x00\x3f\xf3\xff\xff\xc0\x00\x7f\xff\xe0\x00\x0f\xff\xfc\x07\xff\xff",
+  "\xff\xf0\x00\x00\x7e\x00\x1e\x03\xff\xff\x00\x00\x73\xff\xf0\x00\x00\x0f\xff\xdf\xff\xff\xdf\xfc\x00\x07\xfe\x07\xff\xfe\x00\x00\x1f\xdf\xef\xff\xf0\x3f\xff\xfc\x00\x00\x07\xff\xff\xf0\x00\x00\x7f\xe0\x07\xff\x80\x00\x00\x7f\xe0\x03\xff\xff\xf9\xff\xe0\x00\x00\x3f\xe3\xff\xff\xfc\x00\x00\x03\xff",
+  "\x00\x03\xff\x00\x00\x3f\xff\x80\x01\xf0\x00\x0f\xfe\x00\x00\x06\x00\x03\xff\xff\xfc\x03\xff\xff\xf7\x80\x00\x00\x7f\xc0\x0f\xff\xe3\xfe\x0f\x00\x00\x7f\xff\x00\x7f\xf8\x00\x00\xff\xff\xee\x00\x7e\x01\xc0\x00\x1f\xe0\x00\x07\xff\xff\xf8\x00\x00\xe1\xff\xfc\x3f\xe7\xff\xff\xf8\x3f\xff\xfc\x00\x1f\xff",
+  "\x00\x00\x0f\xff\xf8\x00\x00\xff\xff\xfc\x00\x1f\xe0\x07\xff\xff\x00\x01\xff\xdf\xff\x80\x00\x3f\xff\xfc\x00\x00\x0f\xfc\x07\xff\x00\x00\xff\x80\x00\x03\xff\xff\xf0\x00\x07\xff\xff\xf0\x00\xff\xfe\x1f\xff\xff\xe0\x3f\xff\xfe\x00\x00\x60\x00\x00\xff\xff\x7f\xff\xf0\x00\x03\xff\xff\xc0\x07\x00\x01\xff\xff",
+  "\x00\x00\x20\x7f\xfe\x0f\x83\xff\xff\x80\x03\xff\x00\x00\x00\xff\xff\xe0\x00\x1f\xff\xff\xe0\x00\x3f\xfe\x7f\xff\xf0\x00\x1f\xff\xff\xe0\x00\x00\xff\xff\x87\xff\xc0\x00\x17\xfd\xff\x9f\xff\xfb\xff\xff\xe0\x00\x03\xe0\x00\x07\xff\x9f\xff\xff\x80\x00\x7f\xff\xff\x00\x01\xff\xff\xc0\xff\xff\xc0\x10\x00\x00\x1f",
+  "\x00\x00\x07\xff\xc0\x00\xff\xe0\x00\x07\xff\x80\x03\x80\x00\x0f\xf8\x00\x00\x7f\xff\xfe\x00\x00\x18\x00\xff\xf0\x20\x01\xff\xfe\x00\x00\x60\x0f\xf0\xe0\x03\xff\xfe\x00\x3e\x1f\xff\xfc\x00\x03\xff\x80\x00\x00\xff\xf8\x00\x01\x00\x00\x0f\xf3\xff\xfc\x00\x03\xff\xff\xe1\xff\xff\xc1\xf0\x00\x00\xff\xff\xff\x00\x00",
+  "\xff\xff\xf0\x00\x00\x07\xff\xfc\x00\x7f\x87\xff\xff\x00\x00\x00\x7f\xff\xc0\x7f\xff\x80\x00\x03\xf0\xff\x3f\xff\x80\x30\x07\xff\xff\x1f\x8e\x00\x7f\xff\xff\xc0\x01\xff\xfc\x07\xf8\x00\x00\x7f\xff\xfc\x00\x3f\xf0\x00\xf8\x00\x00\x07\xff\x00\x00\x0e\x00\x0f\xff\x80\x00\x7f\xc0\x01\xff\x8f\xf8\x00\x07\x01\xff\xff\xff",
+  "\xff\x80\x3f\xff\x3f\xfe\x00\x00\xff\xff\xff\x9f\xff\xf8\x3f\xff\xf8\x00\x00\x0f\xf8\x00\x00\x03\xfe\x00\x7f\xff\xff\x00\x0f\xff\x01\xff\xf0\x0f\xff\xe0\x20\x7f\xff\xfc\xff\x01\xf8\x00\x07\xff\xe0\x00\x7f\xf8\x00\x0f\xff\x80\x00\x00\x7f\xe0\x00\x3f\xf8\x01\xfe\x00\x07\xff\xf0\x00\x00\x7f\xff\xff\xc0\x00\x01\xff\xff\xff",
+  "\x00\x7f\xff\xe0\x00\x01\xff\xff\xf8\x00\x00\x3f\xff\xfc\x00\x7f\xfe\x00\x00\x03\xff\xff\xf0\x03\xff\xe0\x00\x7f\x80\x00\x0f\xff\x3f\xf8\x00\x00\x7f\xff\xff\x00\x07\x80\x1f\x83\xf8\x00\x00\x0f\xfe\x3f\xff\xc0\x3f\xff\xfe\x1f\xe0\x00\x07\xc0\x03\xff\xf0\x0f\xc0\x00\x03\xff\xff\x80\x00\x00\x7f\x80\x00\x00\xff\xff\x80\x00\x00",
+  "\xfe\x00\x00\x20\x00\x04\x00\x0f\xff\xff\xc0\x01\xff\xf8\x3f\xc0\x00\x00\xff\xff\xc0\x00\xff\xff\xff\x80\x00\x3f\xf8\x00\x7f\xff\xfe\x7f\xf8\x00\x7f\xff\x80\x07\xff\xc0\x00\x0f\xff\xf8\x00\x7f\xff\xc0\x00\xff\xff\xc0\x3f\xff\xff\xe0\x0f\xff\xff\xe0\xe0\x1f\xff\x80\x00\x00\x7f\xff\xc0\x71\xff\xff\xfc\x00\x01\xff\xff\xf8\x00\x00",
+  "\xff\xff\xe0\x00\x0f\xff\xf0\x00\x00\x3f\xff\xff\xc0\x00\xff\xff\x00\x00\x0f\xff\xff\xe0\x00\x01\xff\x00\x00\x1f\xff\xe0\x3f\xfc\x00\x03\xe0\x1f\xf0\x1f\xf8\x00\x00\x3f\xff\xff\xc0\x0f\xfe\x00\x00\x20\x00\x00\xff\xfc\x00\x0f\xff\xfe\x3f\xff\xff\x00\xff\xf0\x00\x00\x80\x00\x1f\x03\xe0\x01\xff\xfa\x00\x3f\xe0\x00\x00\x70\x00\x00\x0f",
+  "\xfd\xff\xc0\x00\x20\x01\xfe\x00\x3f\xf8\x00\x03\xff\x00\x00\x03\xf8\xff\xcf\xc3\xff\xff\xfc\x00\x03\xff\xff\xfc\x00\x00\x78\x3f\xff\xf0\x01\xff\xe0\x0f\xff\xff\x00\x00\x07\xff\xff\xfc\xff\xff\xf8\x00\x01\xff\x80\x00\x07\xff\xff\xfc\x00\x00\x1c\x00\x01\xff\xff\x07\xf8\x00\x00\x1f\xff\xff\xf0\x00\x01\xfe\x00\x7f\xff\xf0\x1f\xfc\x00\x00",
+  "\x00\x00\x00\x3f\xff\x00\x00\x07\xff\xff\xfc\x00\x00\x01\xe0\x0f\xff\x83\xfc\x01\xff\xff\xf0\x0f\xff\x00\x00\x00\x3f\xff\xff\xc0\x1f\xff\xff\xe0\x00\x20\x00\x00\x3f\xff\xff\x00\x00\xff\xfc\x03\xff\xff\xf0\x00\x1f\xff\xfc\x00\x00\x03\xff\xff\xc0\x7f\x80\x00\xff\xff\xff\x00\x0f\x0f\xff\xff\xe0\x00\x00\xff\xf8\x00\x00\xff\xfe\x00\x00\x0f\xff",
+  "\xff\xfe\x03\x80\x00\x03\xff\xff\xc0\x3f\xff\xff\x00\x03\xff\xff\xf8\x00\x00\x01\xff\xff\xcf\xfc\x00\x00\xe0\xef\xf8\x00\x0f\xff\xe3\xf8\x00\x3f\xff\xff\x80\x3f\xbf\xfe\x00\x00\xff\xfc\x00\x00\x01\xff\x00\x00\xcf\xc0\x01\xfc\x00\x00\x7f\xff\xff\xc0\x00\x10\x7f\xff\xfc\xfe\x00\x00\x07\xc0\xff\xff\xff\x8f\xff\x00\x00\x1f\x9e\x00\x00\x01\xff\xff",
+  "\x00\x7f\xff\xe0\x00\x01\xff\xff\xc3\xff\x80\x01\x03\xfc\x00\x00\x00\xfc\x01\xff\xff\xf8\x7f\xe7\xf0\x00\x00\x7f\xc0\x3f\xff\xff\xc0\x00\x00\x1f\xff\x80\x00\x01\xff\xe0\x00\x00\x70\x00\x00\x1c\x7f\xff\xf8\x1f\xfc\x00\x00\x07\xef\xe0\xff\xff\xc1\xff\xfc\x00\x00\x01\xff\xff\xff\xa0\x07\xff\x00\x1e\x00\x1f\xfc\x00\x00\x38\x00\x18\xc0\x00\x00\x7f\xff",
+  "\x00\x0f\xff\xf8\x00\x00\x07\xff\x00\xfc\x00\x00\x03\xff\xfc\x00\x07\xff\xff\xe0\x00\x00\xff\xfc\x0f\xff\x00\x00\x0f\xff\xfe\x0f\x80\x07\xff\x03\xff\xff\xf9\xff\xfe\x00\x00\x03\xf8\x00\x00\x07\xe0\x00\x00\xc0\x00\x1f\xff\xf0\x7f\xff\xff\xc0\x07\xff\xff\xfc\x00\x00\x3f\xff\xff\xe0\x00\x00\x1f\xff\xf8\x1f\xfe\x00\x00\x3f\xff\xff\xe0\x3f\x06\x00\x00\x00",
+  "\xff\xf0\x00\x08\x00\x0f\xef\xff\xff\xfc\x00\x00\x7f\xff\xf0\x00\x7f\xff\xf8\x00\xff\xff\x81\xff\xff\xe0\xff\xff\xff\x00\x00\x00\x80\x00\x03\xff\x80\x3f\xff\xfc\x00\x00\x1f\xff\xc0\x0f\xff\xfe\x00\x00\x00\x73\xf0\x1f\xfe\x00\xff\xc0\x3f\xff\x00\x3f\xff\x83\xff\xfe\x01\xff\xff\xf7\xff\xff\x80\x00\x00\x3f\x00\x00\x1f\xe3\xff\xff\xf0\x00\x0f\xff\xf0\x00\x00",
+  "\x00\x00\x7f\xfc\x00\x7f\xe0\x00\x0f\xff\xe0\x01\xf8\x00\x3f\xff\x00\x00\x78\x00\x7f\xe0\x00\x00\x1f\x00\x07\xff\xff\xf8\xf9\xf0\x01\xff\xf8\x07\xc0\x0f\xff\xf8\x00\x07\xf8\x7f\xfe\x00\x00\x0f\xff\xe3\xf0\x00\x07\xff\xff\xfc\x03\x1c\x00\x00\x7f\xe0\x00\xff\xff\xfc\x00\x00\x0f\xf3\xff\xe0\x00\x00\x0f\xff\xf9\x00\x00\x10\x00\x3f\xff\xfc\xf8\x7f\xff\x00\x00\x00",
+  "\x00\x03\xff\xff\xc0\x7f\xff\xff\xc0\x00\x03\xff\xff\xff\x00\x00\x0f\xff\xf0\x1f\xff\xf0\x00\x07\xff\xff\xef\xff\x81\xf7\xff\xfe\x00\x07\xff\xf0\x00\x00\x1f\xff\xc0\x0f\x80\x00\x0f\xff\xfc\x00\x00\xff\xff\xff\xc0\x03\xff\xe3\xff\xff\xfe\x00\x1f\xff\xff\x00\x00\xff\xff\xff\x0f\xff\xf1\xf8\x00\x00\x01\xff\xff\xff\x80\x1f\xff\xfe\x00\x08\x00\x00\x7f\xff\xff\x80\x00",
+  "\x1f\xe0\x00\x7c\x1f\xc0\x07\xff\xc0\x07\xff\xff\xfe\x00\x3c\x00\x00\x00\xff\xff\x80\x00\x07\xff\xff\x00\x1f\xf8\xff\xc0\x00\xff\x81\xff\x01\xff\xfe\x00\x78\x7f\xff\xf0\x00\x01\x80\x00\x00\x1f\xff\x00\x00\x1f\xff\xf0\x00\x1f\xff\xff\xe0\x00\x3c\x00\x00\x1f\xff\xff\x80\x03\xff\xe0\x01\xff\xff\xf9\xff\xf8\x00\x00\x7c\x00\x00\xfe\x00\x00\xff\xff\xff\x00\x00\x0f\xff\xff",
+  "\xfc\x00\x01\xff\x00\x00\x0c\x00\xff\xff\xe3\xff\xff\xf0\x80\x0e\x0e\x00\x00\x0f\xfe\x00\x03\xff\xc0\x00\x00\x7f\xff\xff\xe0\xc0\x00\x00\x07\xe0\xff\xff\x03\x9f\xff\xff\xc1\xc0\x00\x03\xff\xff\xc3\xff\xff\xfc\xff\xff\xc0\x00\x01\xfc\x00\x0f\xfc\x00\x00\x00\x7f\xff\xff\x03\xff\xff\xfc\x0f\xff\xfe\x00\x00\x03\x80\x3f\xff\xff\x00\x00\xff\xff\xf8\x00\x03\xff\xff\x80\x00\x00",
+  "\xff\xff\x80\xff\xff\xf8\x00\x00\xfc\x00\x03\xff\xf8\x00\x0f\xff\xff\x00\x03\x00\x00\x00\x7f\xff\xf0\x00\x3f\xff\xf0\x00\x01\xfc\x01\x00\x03\xff\x80\x1f\xff\xe3\xff\xff\xf8\x00\x1f\xff\xff\xf8\x01\xff\xdf\xff\xfb\xff\xc0\x00\x00\x3f\xff\xf8\x00\x00\x80\xc7\xff\xff\xf8\x0f\xff\x00\x60\x1f\xff\xe0\x00\x01\xff\xff\xfe\x0f\xff\xff\xfc\x00\x00\x00\xf0\x06\x03\xff\xff\xfe\x00\x00",
+  "\xff\x00\x0f\xff\xfc\x00\x0f\xff\xff\xfc\x07\xff\xfc\x00\x00\xf0\x00\x00\x80\x00\x7f\xfe\x00\x00\x0f\xff\xff\xfc\x3f\x00\xff\xff\xff\x00\x1f\xff\xff\xf0\x00\x1f\xff\xff\xe0\x00\x1f\xff\xff\xc3\xff\x00\x00\x01\xff\xff\xf0\x00\x00\x0f\xff\xe0\x07\xfc\x00\x00\x00\xfe\x00\x07\xff\xff\xf8\x00\x00\x3f\x00\x00\x0f\x80\x00\x3f\xff\xc0\x00\x11\xff\xef\x00\x07\x00\x7f\xff\xfc\x00\x00\x00",
+  "\xfe\x00\x00\x7f\xf7\xff\xff\x00\x00\x0f\xff\xff\xe0\x01\xff\xe0\x00\x00\x03\xff\xe0\x00\xff\xfe\x00\x01\xff\xf7\xff\xf8\x00\x0f\xff\x00\x00\x00\x38\x00\x07\xff\xf8\x07\xff\xfc\x00\x1f\xff\xff\x0f\xc1\xff\xff\xc0\x00\xff\xff\x0f\xff\xf0\x01\xff\xf8\x00\x01\xff\xff\x80\x00\x00\x0f\xf8\x00\x3f\xff\xfe\x3f\xff\xff\xf0\x00\x00\x38\x0f\xc3\xff\xff\xff\x1f\xff\xc0\x3f\xff\xff\xe0\x00\x00",
+  "\xff\xff\xf0\x00\x7f\xc0\x07\xff\xff\x81\xff\xc0\x00\x01\xff\xff\xff\xc0\x00\x00\x1f\xff\xfe\x03\xc0\x00\x0f\xff\xff\xfc\x00\x03\xff\xff\xff\x83\xff\xc0\x00\x07\xf0\x00\x00\x1f\x80\x00\x00\x3f\xff\xff\xe7\xff\x00\x07\xff\xff\xfc\x00\x00\x1f\xff\xf8\x00\x03\xf0\x00\xff\xfc\x00\x1f\xff\xff\xe0\x03\xff\xf0\x00\x01\xff\xff\xff\x80\x00\x00\x0f\xff\xff\xf8\x10\x00\x1e\x03\xff\xff\xff\x80\x00",
+  "\x00\x01\xff\xfe\x00\x00\x00\x7f\xff\xff\xf0\x00\x00\x1f\xff\x80\x07\xff\xff\xff\x80\x00\x01\xff\xfc\x03\xff\xff\x9f\xff\xfe\x00\x08\x00\x00\x06\x00\x00\x00\x81\xff\xff\xc0\x00\x07\xf8\x00\xff\xff\xff\x00\x00\x00\xff\xff\xf8\x00\x3f\xff\xff\xf8\x3f\xf8\x00\x00\x00\x7f\xff\xc0\x7f\xff\xff\xc0\xff\xff\xfe\x00\x00\x01\xff\xf8\x00\x00\x03\xff\xc1\xff\xf0\x00\x00\x03\x07\xf8\x01\xff\xfe\x00\x00",
+  "\xf8\x00\x00\x01\xff\xff\x80\x00\x0f\xff\xff\x8f\xff\x00\x1f\xff\x0f\xff\xc0\x00\x00\xff\xff\xfc\x00\x0f\xff\xf0\x00\x70\x00\x00\x3f\xff\xc0\x00\x00\x7c\x00\x00\x7e\x00\x0f\xfc\x00\x00\x00\xff\xff\x80\x00\x00\x0f\xff\xff\xfc\x38\x00\x00\x03\xf0\x00\x31\xf0\x1f\xff\xff\xc0\x07\xff\xff\xe0\x1f\xff\xff\xf3\xfe\x00\x00\x00\xff\xff\xc0\x00\x1f\xe7\xff\xe1\xff\xff\xdf\x00\x00\x00\x1f\xff\x00\x00\x00",
+  "\x3f\xff\xff\xf8\x00\x00\x00\x60\x00\x0f\xff\xff\xe0\x07\xff\xff\xff\x00\x00\x3f\xff\xff\xf0\x1f\xff\xff\x80\x00\x70\x00\x00\x01\x00\x00\x00\x3f\xff\xfe\x00\x00\x00\x1f\xf8\xfc\xc0\x0f\xff\xf8\x00\x3f\xff\xc0\xff\xff\x80\x00\x03\xff\xff\xf8\x00\x3f\xff\xfc\x00\x00\x0f\x81\xff\xc0\x03\xff\xc0\x3f\xff\xff\x80\x03\xff\xfe\x00\xff\xff\xfe\x00\x00\x1c\x00\x00\x00\x3f\xff\xff\xf8\x00\x7f\xff\xc0\x00\x00",
+  "\x00\x00\x00\x0f\xff\xfe\x0f\xff\xff\x87\xff\xff\xff\x00\x80\x00\x0f\xff\xc0\x00\x03\xf0\x1f\xf7\xe0\x00\x00\x70\x00\x01\xff\xff\xff\x80\x01\xfe\x07\xf0\x00\x01\xff\xfc\x00\x00\x04\x00\x01\xff\xfe\x07\xff\xff\xfe\x00\x07\xc0\x00\x00\xff\xff\xff\x87\xf0\x03\xff\xfc\x00\x00\x1f\xf8\x00\x01\xff\xff\xc0\x00\x00\x3f\xff\xc0\x00\x00\x7f\x8f\xff\xf8\x00\x00\x00\x7f\xff\xe0\x06\x0e\x00\x00\x0f\xff\xff\x80\x00",
+  "\x03\xff\xff\xfd\xe0\x00\x00\x1f\xff\xf8\x01\xff\xff\xfb\xff\xff\xe0\x01\xf0\xf0\x00\x00\xff\xff\xff\x80\x00\x00\x7f\xff\xff\xe0\x1f\xff\xff\xf0\x01\x80\xff\xff\xff\xe0\x00\x00\x7f\xff\xf0\xff\xff\xc0\x00\x00\x07\xfe\x00\x00\x00\x1e\x00\x1f\xff\xff\xe0\x1f\xff\xe0\x01\xff\xc0\x00\x3f\xff\xe0\x00\x00\x0f\xf0\x00\xff\xff\x7f\xc0\x1f\xf8\x3f\xff\xff\xc0\x00\x00\x7f\xff\xe0\xff\xfc\x00\x00\xff\x0f\xff\xff\xff",
+  "\x07\xff\xfc\x03\xff\xff\xff\xdf\xff\xff\x87\xff\x18\x00\x03\x80\x01\xff\x00\x00\x00\x1f\xff\x00\x00\x3f\xff\xff\xc0\x1f\xe0\x3f\xff\xff\xfc\x00\x00\x01\xff\xf8\x00\x00\x3f\xff\xff\xf8\x00\x00\x07\xe0\x00\x07\xff\xf9\xff\xe0\x00\x3f\xe0\x00\x7f\xef\xf0\x00\x07\x81\xff\xfc\x00\x00\x00\xff\xe0\x00\x30\x00\x00\x00\xff\xff\xf0\x00\x00\x03\xff\xfc\x7f\x07\xf8\x03\xff\xff\xff\x00\x3f\xfc\x00\x00\x01\xff\xc0\x00\x00",
+  "\x00\x7f\xfc\x00\x00\x03\xff\xf8\x00\x00\x61\xfe\x7f\xff\xfe\x00\x00\x1f\xff\xfc\x3f\xff\x80\x01\xff\xff\xff\xe0\x00\xff\xff\xff\x80\x1f\xf8\x00\x7f\xff\xff\xf8\x00\x00\x07\xff\xff\xe0\x00\x00\x07\xff\xff\xff\x80\x00\xff\x80\x0f\xff\xff\xfc\x00\x00\x7f\xff\xfe\x00\x00\x00\x30\x00\x00\x7f\x80\x00\x07\xff\xff\xf0\x00\x00\x03\xff\xc0\x0f\xff\xff\x80\x3f\xff\x80\x03\xff\xff\xfe\x03\xff\xff\xff\x7f\xfc\x1f\xf0\x00\x00",
+  "\x1f\xf0\x00\x00\x7f\xff\xfe\x02\x00\x00\x03\xff\xff\xff\xd8\x07\xff\xff\xe0\x01\xff\xff\x80\x00\x00\x07\xc0\x00\x0f\xff\xc0\x7f\xf0\x00\x07\xff\xff\x80\x00\x07\xf0\x00\x00\x7f\xfc\x03\xff\xff\xff\xc0\x00\x01\xff\xff\xf9\xff\xfe\x00\x00\x1f\xff\xc0\x00\x00\x03\xfe\x3f\xff\xff\x00\x07\xfe\x00\x00\x03\xc0\x00\x3f\xf8\x00\x10\x03\xfc\x00\x0f\xff\xc0\x00\x7f\xff\xe0\x00\xff\xf0\x00\x00\x7f\xff\xe0\x00\x00\x0f\xff\xff\xff",
+  "\xff\xff\xff\xf8\x00\x00\x60\x00\x00\x00\xff\xff\xfc\x03\xff\xfc\x00\x00\x3c\x00\x3f\xe0\x7f\xf8\x00\x07\xff\xf8\x0f\xf8\x00\x00\x7f\xff\xff\xfc\x00\x7f\xc2\x00\x03\xff\xff\xfe\x00\x01\xff\xff\xff\xf0\x03\xff\xff\xf0\x18\x07\xc0\x00\x0f\xff\xc0\x00\x00\x7f\xff\xff\x87\xe0\x00\x00\x07\x00\x1f\x80\x04\x07\xff\xe0\x00\x00\x1f\xff\x81\xff\x80\x00\x03\xff\xfc\x00\x00\x07\xff\xff\xff\xc0\x00\x00\x1f\x80\x01\xff\xff\x00\x00\x00",
+  "\x00\x0f\xfc\x1f\xf8\x00\x0f\xff\xff\xf8\x07\xff\xf1\xfc\x00\x1f\xff\xff\xf0\x00\x0f\xff\xdf\xff\xff\xff\x00\x00\x03\xff\xff\xff\x00\x01\xff\xff\xff\xc0\x10\x0f\xf0\x00\x00\x00\xfc\x00\x1f\x00\x07\x00\x01\xf0\x00\x00\x1f\xe0\x00\x00\x30\x7c\x3f\xff\xe0\x00\xff\xfc\x07\xff\xfc\x00\x3f\xff\xff\xf8\xff\xff\xc1\xfc\x1f\xff\xff\xf8\x00\x01\xff\xfc\x00\x00\x0f\xff\xff\xff\x00\x00\xff\xf8\x0c\x00\x00\x07\xff\xff\x00\x00\x00\x7f\xff",
+  "\xff\xff\x80\xff\xff\x00\x00\x00\x7f\xff\xff\x00\x1f\xfc\x00\x06\x00\x0f\xf8\x00\x00\x01\x80\x00\x00\x7f\xff\xff\xe0\x3f\xff\xff\xfc\x00\x60\x00\x00\x00\xfe\x00\x00\x07\xff\xff\xf0\x7f\xff\xff\xf8\x00\x00\x80\x00\x00\x0f\xff\xff\xff\xbf\xff\xff\xc0\x07\xff\xfe\x00\x00\x1c\x00\x1f\xfc\x07\x00\x01\xff\xff\x00\x00\x00\x80\x00\x1f\xff\x03\x80\x00\x00\x3f\xff\xff\xf8\x00\x07\xff\xff\xff\x80\x00\x1f\xff\xff\xe0\x1f\xff\xff\xc0\x00\x00",
+  "\xff\xff\xff\xf8\x00\x00\x00\x7e\x00\x00\x00\x1f\xff\x80\x07\xff\xff\xff\x80\x00\x00\x0f\xff\xff\xc3\xff\xf0\x00\x00\x04\x7f\xc0\x7f\xf0\x00\x3f\xff\x80\x00\x7f\xe0\x00\x03\xff\xc0\x00\x07\xff\x00\x00\x0f\xff\x80\x00\x00\x07\x80\x00\x00\x0f\xff\xff\xff\x01\xff\xff\xff\xc0\x03\xc0\x00\x00\x03\xff\xff\xe0\x00\x0f\xff\xff\xc0\x00\x03\xff\xfe\x00\x03\xff\xf8\x00\x00\x0f\xff\xff\xc0\x01\xff\xe0\x00\x00\xff\xff\xfc\x00\x00\x1f\xff\xff\xff",
+  "\xff\xf0\x00\x3f\xfc\x00\x00\xff\xff\xff\xe0\x1f\xc3\xfe\x00\x07\xff\xf8\x00\x0f\xf0\x01\xff\xff\xf0\x00\x00\xff\xc0\x0f\xff\xff\x80\x00\x00\xff\xff\xf3\xff\x80\x00\x00\x80\x08\x38\x00\x00\x0f\xff\xf0\x00\x1f\xff\xff\xfc\x00\x0f\x80\x00\x70\x00\x00\x31\xff\xff\xfe\x3f\xff\xf8\x00\x00\x00\x3c\x3f\xf0\x0f\xff\xff\x00\x03\xff\xfb\xff\xff\xff\x00\x0f\xff\xff\xfe\x00\x00\x00\xf0\x00\x00\x00\xff\xff\xfc\x00\x7f\xff\xf0\x00\x01\xff\xff\xfe\x00",
+  "\xff\xff\xf0\x0f\xf8\x3f\xff\xff\xe0\x00\x03\xff\xfe\x00\x00\x3f\xff\x80\xff\xff\xff\x00\x00\x00\xff\xff\xf8\xff\xff\xf0\x00\x0f\xf1\xff\xff\x00\x00\x00\x0f\xff\xfc\x00\x00\x00\x1f\xf0\x00\x00\x1f\xf0\x03\xff\xff\xff\xe1\xff\xe0\x00\x00\x1f\xff\xc1\xfe\x00\x00\x07\xff\xfc\x00\x00\x00\x1f\xfe\x3f\xc0\x00\x00\x01\xff\xfc\x00\x00\x1f\xff\xff\x0f\xe0\x00\x01\xfc\x00\xfe\x00\x00\x00\x7f\xe0\x00\x1f\xff\xff\xe0\x7f\x00\x0f\xf0\x00\xff\xfe\x00\x00",
+  "\x00\x7f\xff\xc0\x07\xff\xff\xff\x80\x07\xff\xff\xfe\x00\x00\x00\x7e\x00\x00\x00\x0f\xff\x80\x1f\xff\xfe\x07\xff\xff\xf0\x03\xc7\xff\xff\xfe\x00\x00\x00\x7f\xfe\x00\x00\x1f\xff\xfe\x00\x00\x00\xff\xfc\x00\x1f\xff\xc0\x00\x00\x3f\xff\x00\x1e\x00\x00\x03\xff\xff\xff\x80\x00\x00\x7f\xff\xf8\x03\xff\xfc\x00\x01\xff\xff\xfe\x00\x0f\xff\x02\x00\x07\xff\xff\xfe\x00\x00\x00\xfe\x01\xff\xff\xf7\xff\xff\x19\xff\xff\x00\x00\x07\xff\xc1\xff\x00\x00\x07\xff",
+  "\x00\x00\x00\x40\x00\x00\x07\xff\xff\xf8\x1f\xff\xff\xc0\x00\x3e\xff\xff\xf0\x00\x00\x00\x7f\xff\xfe\x00\x00\x00\xff\x80\x00\x00\x3f\xf1\xff\xff\xff\xe0\x00\x00\x01\xff\xff\xff\x00\x00\x1f\xff\xf8\x00\x07\xff\xff\xf8\x00\x1f\xff\xc1\xff\xff\xff\xe0\x01\xff\xff\xff\xe0\x00\x00\x07\xff\xff\xff\xcf\xff\xe0\x00\x3f\xe0\xff\xff\xc0\x00\x07\xff\xff\xe0\x01\xff\xfc\x3f\x00\x01\xff\xff\xfe\x00\x01\xff\x0f\xff\xff\xfc\x00\x00\x01\xff\xff\x80\x00\x00\x0f\xff",
+  "\xff\xff\xf0\xff\xff\xff\xc0\x03\x80\x00\x01\x00\x00\x03\xff\xff\xff\xf1\xff\xff\xff\xe0\x07\xfc\x00\x00\x03\xff\xf0\x00\x00\x00\x7e\x00\x00\x00\x07\x00\x3f\xff\xfc\x00\x0f\xc7\xff\xff\x00\x00\x07\xff\xff\xc0\x00\x00\x03\xff\xfc\x00\x00\xff\xe0\x00\x00\x00\x7f\xf0\x00\x00\xff\xff\xff\xfd\xff\x00\xff\xe0\xff\xff\xe0\x07\xff\xff\xf8\x7f\xff\xfe\x18\x00\x00\x01\xf0\x00\x1f\xff\xfe\x01\xc0\x01\xff\xff\xff\xf8\x00\x01\xfe\xff\xff\xff\x80\x00\x00\x07\xff\xff",
+  "\xff\xff\xf0\x00\x1f\xff\xff\x00\x00\x3f\xff\xf0\x00\xff\xff\x00\x07\xff\xff\xf8\x03\xff\xff\xe7\xff\xff\xff\x81\x00\x00\x01\xff\x00\x00\x3f\xff\xff\xf8\x00\x00\x00\xf0\x07\xff\xc0\x0f\xf0\x00\x3f\xff\xc0\x00\x7f\xf8\x00\xff\xfc\x00\x00\x1f\xff\x80\x1f\xfc\x00\x00\x01\xff\xff\x00\x00\x7f\xff\xff\xfe\x00\x00\x0f\xff\x80\x00\x00\x0f\xff\xff\xfc\x00\x00\x00\xff\xff\xfc\x00\x0f\xff\x80\x00\x3f\xff\xfe\x00\x00\x3f\xe0\x0f\xff\xff\x00\x00\x01\xff\xf0\x00\x00\x00",
+  "\xff\xc0\x00\x00\x03\xff\xff\xfc\x00\xff\xff\xfc\x00\x00\x00\x7f\xff\xff\x00\x00\x00\x1f\xe0\x00\x0f\xff\xc0\xf0\x00\x00\x7f\xff\xff\xe0\x00\x20\x1f\xff\xff\xff\x00\x00\x00\x1f\x80\x00\x00\x07\xff\xf1\xff\xff\xff\xc0\x00\x00\x1f\xff\xff\xf0\x00\x3f\xff\xf8\x00\x3f\xff\xff\xfe\x01\xff\xff\xfe\x7f\x9e\x00\x1f\xff\xfc\x00\x7f\xe0\x7f\xff\xff\xe0\x00\x7f\xff\xfe\x00\x00\x01\xff\xff\xff\xf8\x01\xff\xc0\x03\x00\x0f\xff\xf8\x00\x00\x0f\xf0\x0f\xff\x00\x00\x00\x0f\xff",
+  "\x00\x03\xff\xff\xff\xcf\xff\xf8\x7f\x8f\xff\xff\xfc\x01\xff\xff\xfc\x00\x00\x1f\xff\xff\xff\x80\x00\x00\x01\xff\xff\xe1\xff\xf0\x00\x00\x00\xff\xff\xff\xf8\x03\x80\x00\x3f\x80\x00\x0f\xff\xff\xff\xc0\x00\x00\x02\x7f\xff\xf8\x03\xff\xc0\x00\x00\x3f\xff\x80\x00\x00\x01\xff\xff\xe0\x00\x00\x03\x80\x00\x00\xff\xe0\x7f\xff\xff\xfc\x00\x00\x01\xff\xff\xfc\x00\x00\x00\xff\xff\x80\x00\x07\xfe\x00\x00\x07\xff\xf0\x00\x00\x1f\x80\x00\x00\x3e\x1f\xff\xff\xff\x9f\xff\xff\xff",
+  "\xff\xff\xfe\x00\x03\xff\xff\xff\x80\x01\xff\xff\xff\xa0\x3f\xff\xf8\x00\x7f\x03\xff\xff\xc0\x00\x0f\xff\xc3\xff\xf8\x00\x03\xff\xff\xff\xc0\x7f\xf0\x1f\xe0\x0f\xff\xff\xc0\x00\x1f\xfe\x0f\xff\xff\xe0\x00\x07\xff\xff\xfc\x00\x00\xfc\x00\x3f\xff\xff\xf0\x00\x00\x00\x3f\xfc\x00\x00\x00\x0f\xff\xc4\x00\x00\xff\xc0\x00\x03\xff\xff\xff\x80\x00\x03\xfc\x0f\xff\xff\xf0\x00\x00\x03\xff\xff\xc0\x07\xff\xff\xf8\x0c\x3f\xff\xf0\x00\x1f\xff\x80\x00\x00\x01\xff\xfe\x00\x00\x3f\xff",
+  "\x00\x00\x00\x1f\xff\xc3\xff\xff\x80\x00\x00\x3f\xff\xff\xfe\x00\x00\x00\x0f\xe0\x00\x7f\xff\xe0\x0f\xfe\x00\xff\xff\xff\xe0\x03\xff\xf8\x00\x00\x00\x3f\xe0\x00\x00\x01\xff\xff\xe7\xff\xff\xff\xe0\x00\x00\x07\xff\xff\xc0\x00\x1f\xe0\x00\x00\x01\xff\xff\x00\x00\x03\xff\xff\xff\xe0\x00\x00\x1f\xe0\x03\xff\xff\x00\x00\x00\x07\xff\xf0\x3f\x80\x00\x00\x0f\xff\xff\xfe\x00\x00\xff\xff\xff\x00\x00\x3f\xff\xff\x80\x0f\xff\xfe\x01\xff\xff\xff\xf8\x3f\xff\xff\xc0\x00\x00\xff\xff\xff",
+  "\xff\xff\xff\x80\x00\xff\xff\xff\xf0\x00\x00\x1f\x00\x3f\xff\xfe\x0f\xf0\x1c\x00\xff\xff\xe0\x00\x0f\xc0\x1f\xff\xc0\x00\x00\x01\xff\x80\xf7\xff\xf8\x00\x00\x3f\xff\xc0\x00\x00\x01\xff\xf0\x00\x03\xe3\xfc\x00\x07\xf8\x00\x00\x3f\xff\xff\xfe\x00\x00\x1f\x00\x00\x00\x18\x00\x3f\xff\xff\xf8\x0f\xe0\x00\x00\x00\x60\x00\x07\xff\xff\xfe\x00\x60\xff\xff\xff\xf8\x00\x00\x3f\xff\x80\x00\x00\x3f\xff\xff\xf0\x00\x00\x0f\xf0\x00\xff\xff\xf1\xff\x00\x3f\xff\xff\xff\x01\xff\xe0\x00\x00\x00",
+  "\xff\xff\xff\xfc\x00\x00\x00\xff\xff\xf0\x01\xff\xff\xf8\x00\x00\xff\xff\xff\xe7\xff\xf8\x01\xf8\x7f\xff\xff\x80\x00\x3f\xff\xfc\x00\x00\x01\xff\xff\xe0\x00\x3f\xc0\x00\x00\x7f\xff\xff\x00\x00\x0f\xff\xff\xff\xc0\x00\x0f\xff\xf1\xff\xff\xff\xf8\x00\x0f\xff\xff\xfc\x00\x00\x07\xff\xff\xff\x80\xff\xff\xf8\x07\xf0\x00\x00\x00\x1f\xff\xff\xff\xc0\x00\xff\xff\xff\xc0\x00\x0e\xff\xff\xff\xc0\x00\x00\x03\xff\xf8\x00\x00\x03\xff\x80\x00\x00\x00\xe0\x00\x00\x0f\xf8\x00\x00\x3f\xff\xff\xff",
+  "\x3f\x00\x03\xc0\x1f\x00\x00\x00\x0f\xf0\x00\x07\xff\xff\xef\x00\xfe\x00\x7f\xfe\x00\x00\x3f\xf0\x00\x3f\xc0\x00\x00\x07\xfc\x00\x00\x03\xff\xff\xff\x0f\xff\xff\xff\xc0\x07\xf8\x00\x00\xf8\x00\x00\x3f\x9f\xff\xff\xfc\x00\x00\x3f\xff\xc0\x00\x03\xff\xff\xc0\x00\x00\xff\xfc\x00\x1f\xff\xe0\x00\x00\x07\xff\xe0\x07\x00\x00\x00\x7f\xff\xfe\x00\x00\x00\xff\xff\xfe\x00\x00\x0f\xfc\x00\x07\xff\xf0\x00\x00\x00\x7f\x80\x03\xcf\xff\x80\x00\x01\xff\xff\xe0\x3c\x00\x00\x3f\xff\xff\xff\x80\x00\x00",
+  "\x30\x00\x00\x00\xff\xf8\x00\x00\xff\xfc\x00\x3f\xff\xff\x80\x00\x00\x0f\xcf\xff\xcf\xff\xff\xc0\xff\xff\xff\x80\x00\x00\x01\xff\xff\xff\xf0\x00\x00\x00\x1f\xff\x00\x03\xff\xfc\x00\x00\x00\x07\xff\x80\x00\x7f\xff\xff\xfe\x0f\xff\xc0\x00\x00\x00\x7f\xf0\xbf\xff\xff\xe0\x00\x00\xff\xf8\x00\x00\x01\xff\xff\xf8\x00\x00\x3e\x00\x00\x07\xff\xe0\x00\x00\x00\x80\x00\x03\x80\x01\xff\xff\xff\xf8\x60\x00\x00\x00\xff\xf0\x00\x1f\xff\xff\xc7\xff\xf0\x40\xff\xff\xfe\x00\x00\x07\xff\xdf\xff\x80\x00\x00",
+  "\xff\xff\xff\x83\xff\xf8\x1f\xff\x1f\xff\xff\x80\x0f\xff\xff\xe0\x00\x00\x00\x3f\xff\xff\xc0\xf8\x00\x00\x78\x00\x1c\x00\x00\x00\x1f\xe0\x00\x00\x00\xff\xff\xe0\x3f\xff\xff\xfe\x00\x00\x03\xff\xff\xfe\x00\x00\x00\x1f\xff\xfc\x00\x7f\xff\x00\x00\x00\x1f\xff\xff\x00\x02\x00\x00\x3f\xff\xfc\x00\x00\x00\xff\xf0\x1f\xfe\xff\xff\xc0\x01\xff\xff\xff\xf0\x00\x00\x00\xff\xff\xfe\x00\x00\x00\x0f\xff\xc0\x00\x00\x7f\x7f\xc0\x00\x00\x01\xff\xff\xfe\x0f\xff\xff\xff\xc0\x00\x0f\x80\x00\x00\x3f\xff\xff\xff",
+  "\xff\xff\xff\xfe\x00\x00\x00\xff\xf8\x0f\xff\xff\xf0\x00\x00\x07\xff\xff\xfb\xff\xc0\x00\x07\xfc\x07\xe0\x00\x00\x01\xff\xff\xe0\x00\x7f\xff\xff\xf8\x00\x00\x3f\xff\xf8\x00\x00\x00\x0f\xff\xff\x00\x00\x0f\xc0\x00\x00\x3f\xff\xf0\x00\x00\x01\xff\xff\xfe\x1f\xff\xf8\x00\x00\x20\x00\x00\x00\x3f\xff\xbf\xff\x9f\xff\xff\xfc\x3f\xff\xff\xf0\x00\x00\x07\x80\x00\x00\xff\xff\xe7\xff\xff\xff\xf0\x00\x00\x3f\xff\xff\xff\x00\x00\x07\xff\xff\xe0\xff\xff\xff\xe0\x01\xff\xff\xff\xf8\x00\x00\x00\x7f\xff\xff\xff",
+  "\x00\x00\x00\x1f\xff\xc0\x00\x0f\xff\xc0\x00\x00\x1f\xff\xc0\x00\x1f\xc0\x00\x00\x03\xff\x80\x00\x00\x07\xff\xff\xff\xc0\x00\x00\x00\x80\x00\x3f\xfc\x00\xc0\x00\x0f\xff\xff\x00\x00\x06\x00\x3f\xfc\x1e\x00\x1f\xff\xff\xf0\x00\x3e\x0f\xff\xff\xf0\x00\x00\x3f\xff\xf0\x00\x00\x00\x1f\xff\xc0\x00\x00\xff\xff\xff\xf8\x00\xe0\x00\x00\xff\xff\xff\xfe\x00\x00\x0f\xff\xff\xfe\x3f\xff\xff\xfc\x07\xfe\x00\x00\x00\xc0\x00\x7f\xff\xff\xfe\x00\xff\xff\xff\xfc\x07\xff\xff\xe0\x00\x3f\xe3\xff\xff\xc0\x00\x00\x3f\xff",
+  "\x00\x00\x00\x0f\xff\xc0\x00\x0f\xf8\x00\x00\x00\xff\xfc\x00\x00\x0f\xff\xff\xfe\x00\x00\x00\x03\xff\x00\xff\xfc\x07\xff\xf0\x1f\xff\xfe\x0f\xff\xff\xfd\xff\xff\xff\xf0\x1f\xff\xf0\x00\x07\xf8\xff\xf8\x00\x00\x00\xff\xff\xc0\x3f\xff\xff\xff\x80\x00\x00\x0f\xff\xff\xff\x00\x00\x03\xff\xff\xf0\x00\x07\xff\xff\x00\x00\x3f\xff\xf0\x01\xff\xff\xc0\x01\xff\xff\xff\x00\x3f\xff\xf8\x1f\xff\xff\xfe\x1f\xff\xff\xff\xc0\x00\x00\x7f\xe0\x00\x07\xff\xff\xfe\x00\x00\x00\x03\xe0\x07\xff\xc0\x03\xfc\x00\x07\xff\xff\xff",
+  "\xff\xff\xff\x00\x00\x03\xc0\x00\x00\x01\xff\xff\xf8\x00\x00\x00\x0f\xff\xff\xff\x00\x00\x0f\x00\x00\xff\xff\xf8\x80\x00\xf8\x00\x0f\xc0\x00\x00\x00\xe0\x00\x00\x00\xff\xff\xff\xf8\x0f\xff\xff\xfe\x00\x00\x18\x00\x00\x7f\xff\xff\xff\x00\x00\x03\xff\xff\xff\x00\x7f\xff\xff\xfc\x00\x03\xc0\x00\x00\x0f\xff\xff\xff\xf0\x00\x07\xff\xff\x80\x01\xff\xff\xff\xe0\x00\x0f\xff\xfe\x07\xff\xff\xf8\x00\xff\xff\xff\xc0\x00\x00\x03\xe0\x00\x07\xff\xf0\x0f\xff\xf0\x00\x00\xff\xff\xf8\x7f\xc0\x03\xc0\x3f\xff\xe0\x00\x00\x00",
+
+  /* These are zero-terminated strings */
+
+  "abc",
+  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
+};
+
+static uschar *hashes[] = {
+  "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",
+  "3CDF2936DA2FC556BFA533AB1EB59CE710AC80E5",
+  "19C1E2048FA7393CFBF2D310AD8209EC11D996E5",
+  "CA775D8C80FAA6F87FA62BECA6CA6089D63B56E5",
+  "71AC973D0E4B50AE9E5043FF4D615381120A25A0",
+  "A6B5B9F854CFB76701C3BDDBF374B3094EA49CBA",
+  "D87A0EE74E4B9AD72E6847C87BDEEB3D07844380",
+  "1976B8DD509FE66BF09C9A8D33534D4EF4F63BFD",
+  "5A78F439B6DB845BB8A558E4CEB106CD7B7FF783",
+  "F871BCE62436C1E280357416695EE2EF9B83695C",
+  "62B243D1B780E1D31CF1BA2DE3F01C72AEEA0E47",
+  "1698994A273404848E56E7FDA4457B5900DE1342",
+  "056F4CDC02791DA7ED1EB2303314F7667518DEEF",
+  "9FE2DA967BD8441EEA1C32DF68DDAA9DC1FC8E4B",
+  "73A31777B4ACE9384EFA8BBEAD45C51A71ABA6DD",
+  "3F9D7C4E2384EDDABFF5DD8A31E23DE3D03F42AC",
+  "4814908F72B93FFD011135BEE347DE9A08DA838F",
+  "0978374B67A412A3102C5AA0B10E1A6596FC68EB",
+  "44AD6CB618BD935460D46D3F921D87B99AB91C1E",
+  "02DC989AF265B09CF8485640842128DCF95E9F39",
+  "67507B8D497B35D6E99FC01976D73F54AECA75CF",
+  "1EAE0373C1317CB60C36A42A867B716039D441F5",
+  "9C3834589E5BFFAC9F50950E0199B3EC2620BEC8",
+  "209F7ABC7F3B878EE46CDF3A1FBB9C21C3474F32",
+  "05FC054B00D97753A9B3E2DA8FBBA3EE808CEF22",
+  "0C4980EA3A46C757DFBFC5BAA38AC6C8E72DDCE7",
+  "96A460D2972D276928B69864445BEA353BDCFFD2",
+  "F3EF04D8FA8C6FA9850F394A4554C080956FA64B",
+  "F2A31D875D1D7B30874D416C4D2EA6BAF0FFBAFE",
+  "F4942D3B9E9588DCFDC6312A84DF75D05F111C20",
+  "310207DF35B014E4676D30806FA34424813734DD",
+  "4DA1955B2FA7C7E74E3F47D7360CE530BBF57CA3",
+  "74C4BC5B26FB4A08602D40CCEC6C6161B6C11478",
+  "0B103CE297338DFC7395F7715EE47539B556DDB6",
+  "EFC72D99E3D2311CE14190C0B726BDC68F4B0821",
+  "660EDAC0A8F4CE33DA0D8DBAE597650E97687250",
+  "FE0A55A988B3B93946A63EB36B23785A5E6EFC3E",
+  "0CBDF2A5781C59F907513147A0DE3CC774B54BF3",
+  "663E40FEE5A44BFCB1C99EA5935A6B5BC9F583B0",
+  "00162134256952DD9AE6B51EFB159B35C3C138C7",
+  "CEB88E4736E354416E2010FC1061B3B53B81664B",
+  "A6A2C4B6BCC41DDC67278F3DF4D8D0B9DD7784EF",
+  "C23D083CD8820B57800A869F5F261D45E02DC55D",
+  "E8AC31927B78DDEC41A31CA7A44EB7177165E7AB",
+  "E864EC5DBAB0F9FF6984AB6AD43A8C9B81CC9F9C",
+  "CFED6269069417A84D6DE2347220F4B858BCD530",
+  "D9217BFB46C96348722C3783D29D4B1A3FEDA38C",
+  "DEC24E5554F79697218D317315FA986229CE3350",
+  "83A099DF7071437BA5495A5B0BFBFEFE1C0EF7F3",
+  "AA3198E30891A83E33CE3BFA0587D86A197D4F80",
+  "9B6ACBEB4989CBEE7015C7D515A75672FFDE3442",
+  "B021EB08A436B02658EAA7BA3C88D49F1219C035",
+  "CAE36DAB8AEA29F62E0855D9CB3CD8E7D39094B1",
+  "02DE8BA699F3C1B0CB5AD89A01F2346E630459D7",
+  "88021458847DD39B4495368F7254941859FAD44B",
+  "91A165295C666FE85C2ADBC5A10329DAF0CB81A0",
+  "4B31312EAF8B506811151A9DBD162961F7548C4B",
+  "3FE70971B20558F7E9BAC303ED2BC14BDE659A62",
+  "93FB769D5BF49D6C563685954E2AECC024DC02D6",
+  "BC8827C3E614D515E83DEA503989DEA4FDA6EA13",
+  "E83868DBE4A389AB48E61CFC4ED894F32AE112AC",
+  "55C95459CDE4B33791B4B2BCAAF840930AF3F3BD",
+  "36BB0E2BA438A3E03214D9ED2B28A4D5C578FCAA",
+  "3ACBF874199763EBA20F3789DFC59572ACA4CF33",
+  "86BE037C4D509C9202020767D860DAB039CADACE",
+  "51B57D7080A87394EEC3EB2E0B242E553F2827C9",
+  "1EFBFA78866315CE6A71E457F3A750A38FACAB41",
+  "57D6CB41AEEC20236F365B3A490C61D0CFA39611",
+  "C532CB64B4BA826372BCCF2B4B5793D5B88BB715",
+  "15833B5631032663E783686A209C6A2B47A1080E",
+  "D04F2043C96E10CD83B574B1E1C217052CD4A6B2",
+  "E8882627C64DB743F7DB8B4413DD033FC63BEB20",
+  "CD2D32286B8867BC124A0AF2236FC74BE3622199",
+  "019B70D745375091ED5C7B218445EC986D0F5A82",
+  "E5FF5FEC1DADBAED02BF2DAD4026BE6A96B3F2AF",
+  "6F4E23B3F2E2C068D13921FE4E5E053FFED4E146",
+  "25E179602A575C915067566FBA6DA930E97F8678",
+  "67DED0E68E235C8A523E051E86108EEB757EFBFD",
+  "AF78536EA83C822796745556D62A3EE82C7BE098",
+  "64D7AC52E47834BE72455F6C64325F9C358B610D",
+  "9D4866BAA3639C13E541F250FFA3D8BC157A491F",
+  "2E258811961D3EB876F30E7019241A01F9517BEC",
+  "8E0EBC487146F83BC9077A1630E0FB3AB3C89E63",
+  "CE8953741FFF3425D2311FBBF4AB481B669DEF70",
+  "789D1D2DAB52086BD90C0E137E2515ED9C6B59B5",
+  "B76CE7472700DD68D6328B7AA8437FB051D15745",
+  "F218669B596C5FFB0B1C14BD03C467FC873230A0",
+  "1FF3BDBE0D504CB0CDFAB17E6C37ABA6B3CFFDED",
+  "2F3CBACBB14405A4652ED52793C1814FD8C4FCE0",
+  "982C8AB6CE164F481915AF59AAED9FFF2A391752",
+  "5CD92012D488A07ECE0E47901D0E083B6BD93E3F",
+  "69603FEC02920851D4B3B8782E07B92BB2963009",
+  "3E90F76437B1EA44CF98A08D83EA24CECF6E6191",
+  "34C09F107C42D990EB4881D4BF2DDDCAB01563AE",
+  "474BE0E5892EB2382109BFC5E3C8249A9283B03D",
+  "A04B4F75051786682483252438F6A75BF4705EC6",
+  "BE88A6716083EB50ED9416719D6A247661299383",
+  "C67E38717FEE1A5F65EC6C7C7C42AFC00CD37F04",
+  "959AC4082388E19E9BE5DE571C047EF10C174A8D",
+  "BAA7AA7B7753FA0ABDC4A541842B5D238D949F0A",
+  "351394DCEBC08155D100FCD488578E6AE71D0E9C",
+  "AB8BE94C5AF60D9477EF1252D604E58E27B2A9EE",
+  "3429EC74A695FDD3228F152564952308AFE0680A",
+  "907FA46C029BC67EAA8E4F46E3C2A232F85BD122",
+  "2644C87D1FBBBC0FC8D65F64BCA2492DA15BAAE4",
+  "110A3EEB408756E2E81ABAF4C5DCD4D4C6AFCF6D",
+  "CD4FDC35FAC7E1ADB5DE40F47F256EF74D584959",
+  "8E6E273208AC256F9ECCF296F3F5A37BC8A0F9F7",
+  "FE0606100BDBC268DB39B503E0FDFE3766185828",
+  "6C63C3E58047BCDB35A17F74EEBA4E9B14420809",
+  "BCC2BD305F0BCDA8CF2D478EF9FE080486CB265F",
+  "CE5223FD3DD920A3B666481D5625B16457DCB5E8",
+  "948886776E42E4F5FAE1B2D0C906AC3759E3F8B0",
+  "4C12A51FCFE242F832E3D7329304B11B75161EFB",
+  "C54BDD2050504D92F551D378AD5FC72C9ED03932",
+  "8F53E8FA79EA09FD1B682AF5ED1515ECA965604C",
+  "2D7E17F6294524CE78B33EAB72CDD08E5FF6E313",
+  "64582B4B57F782C9302BFE7D07F74AA176627A3A",
+  "6D88795B71D3E386BBD1EB830FB9F161BA98869F",
+  "86AD34A6463F12CEE6DE9596ABA72F0DF1397FD1",
+  "7EB46685A57C0D466152DC339C8122548C757ED1",
+  "E7A98FB0692684054407CC221ABC60C199D6F52A",
+  "34DF1306662206FD0A5FC2969A4BEEC4EB0197F7",
+  "56CF7EBF08D10F0CB9FE7EE3B63A5C3A02BCB450",
+  "3BAE5CB8226642088DA760A6F78B0CF8EDDEA9F1",
+  "6475DF681E061FA506672C27CBABFA9AA6DDFF62",
+  "79D81991FA4E4957C8062753439DBFD47BBB277D",
+  "BAE224477B20302E881F5249F52EC6C34DA8ECEF",
+  "EDE4DEB4293CFE4138C2C056B7C46FF821CC0ACC",
+
+  "A9993E364706816ABA3E25717850C26C9CD0D89D",
+  "84983E441C3BD26EBAAE4AA1F95129E5E54670F1"
+};
+
+static uschar *atest = "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F";
+
+int main(void)
+{
+sha1 base;
+int j;
+int i = 0x01020304;
+uschar *ctest = US (&i);
+uschar buffer[256];
+uschar digest[20];
+uschar s[41];
+printf("Checking sha1: %s-endian\n\n", (ctest[0] == 0x04)? "little" : "big");
+
+for (i = 0; i < sizeof(tests)/sizeof(uschar *); i ++)
+  {
+  printf("%d.\nShould be: %s\n", i, hashes[i]);
+  native_sha1_start(&base);
+  native_sha1_end(&base, tests[i], (i <= 128)? i : strlen(tests[i]), digest);
+  for (j = 0; j < 20; j++) sprintf(s+2*j, "%02X", digest[j]);
+  printf("Computed:  %s\n", s);
+  if (strcmp(s, hashes[i]) != 0) printf("*** No match ***\n");
+  printf("\n");
+  }
+
+/* 1 000 000 repetitions of "a" */
+
+ctest = malloc(1000000);
+memset(ctest, 'a', 1000000);
+
+printf("1 000 000 repetitions of 'a'\n");
+printf("Should be: %s\n", atest);
+native_sha1_start(&base);
+native_sha1_end(&base, ctest, 1000000, digest);
+for (j = 0; j < 20; j++) sprintf(s+2*j, "%02X", digest[j]);
+printf("Computed:  %s\n", s);
+if (strcmp(s, atest) != 0) printf("*** No match ***\n");
+
+}
+#endif	/*STAND_ALONE*/
+
+/* End of File */
diff --git a/src/hash.h b/src/hash.h
new file mode 100644
index 0000000..588325b
--- /dev/null
+++ b/src/hash.h
@@ -0,0 +1,83 @@
+/*
+ *  Exim - an Internet mail transport agent
+ *  Copyright (c) The Exim Maintainers 1995 - 2022
+ *
+ *  Hash interface functions
+ */
+
+#include "exim.h"
+
+#if !defined(HASH_H)	/* entire file */
+#define HASH_H
+
+#include "sha_ver.h"
+
+#ifdef SHA_OPENSSL
+# include <openssl/sha.h>
+#elif defined SHA_GNUTLS
+# include <gnutls/crypto.h>
+#elif defined(SHA_GCRYPT)
+# include <gcrypt.h>
+#elif defined(SHA_POLARSSL)
+# include "pdkim/pdkim.h"		/*XXX ugly */
+# include "pdkim/polarssl/sha1.h"
+# include "pdkim/polarssl/sha2.h"
+#endif
+
+
+/* Hash context for the exim_sha_* routines */
+
+typedef enum hashmethod {
+  HASH_BADTYPE,
+  HASH_NULL,
+  HASH_SHA1,
+
+  HASH_SHA2_256,
+  HASH_SHA2_384,
+  HASH_SHA2_512,
+
+  HASH_SHA3_224,
+  HASH_SHA3_256,
+  HASH_SHA3_384,
+  HASH_SHA3_512,
+} hashmethod;
+
+typedef struct {
+  hashmethod	method;
+  int		hashlen;
+
+#ifdef SHA_OPENSSL
+  union {
+    SHA_CTX      sha1;       /* SHA1 block                                */
+    SHA256_CTX   sha2_256;   /* SHA256 or 224 block                       */
+    SHA512_CTX   sha2_512;   /* SHA512 or 384 block                       */
+#ifdef EXIM_HAVE_SHA3
+    EVP_MD_CTX * mctx;	     /* SHA3 block				  */
+#endif
+  } u;
+
+#elif defined(SHA_GNUTLS)
+  gnutls_hash_hd_t sha;      /* Either SHA1 or SHA256 block               */
+
+#elif defined(SHA_GCRYPT)
+  gcry_md_hd_t sha;          /* Either SHA1 or SHA256 block               */
+
+#elif defined(SHA_POLARSSL)
+  union {
+    sha1_context sha1;       /* SHA1 block                                */
+    sha2_context sha2;       /* SHA256 block                              */
+  } u;
+
+#elif defined(SHA_NATIVE)
+  sha1 sha1;
+#endif
+
+} hctx;
+
+extern BOOL     exim_sha_init(hctx *, hashmethod);
+extern void     exim_sha_update(hctx *, const uschar *a, int);
+extern void     exim_sha_update_string(hctx *, const uschar *a);
+extern void     exim_sha_finish(hctx *, blob *);
+
+#endif
+/* End of File */
diff --git a/src/header.c b/src/header.c
new file mode 100644
index 0000000..898d8d5
--- /dev/null
+++ b/src/header.c
@@ -0,0 +1,468 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2016 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "exim.h"
+
+
+/*************************************************
+*         Test a header for matching name        *
+*************************************************/
+
+/* This function tests the name of a header. It is made into a function because
+it isn't just a string comparison: spaces and tabs are permitted between the
+name and the colon. The h->text field should nowadays never be NULL, but check
+it just in case.
+
+Arguments:
+  h         points to the header
+  name      the name to test
+  len       the length of the name
+  notdel    if TRUE, force FALSE for deleted headers
+
+Returns:    TRUE or FALSE
+*/
+
+BOOL
+header_testname(header_line *h, const uschar *name, int len, BOOL notdel)
+{
+uschar *tt;
+if (h->type == '*' && notdel) return FALSE;
+if (h->text == NULL || strncmpic(h->text, name, len) != 0) return FALSE;
+tt = h->text + len;
+while (*tt == ' ' || *tt == '\t') tt++;
+return *tt == ':';
+}
+
+/* This is a copy of the function above, only that it is possible to pass
+   only the beginning of a header name. It simply does a front-anchored
+   substring match. Arguments and Return codes are the same as for
+   header_testname() above. */
+
+BOOL
+header_testname_incomplete(header_line *h, const uschar *name,
+    int len, BOOL notdel)
+{
+if (h->type == '*' && notdel) return FALSE;
+if (h->text == NULL || strncmpic(h->text, name, len) != 0) return FALSE;
+return TRUE;
+}
+
+
+/*************************************************
+*         Add new header backend function        *
+*************************************************/
+
+/* The header_last variable points to the last header during message reception
+and delivery; otherwise it is NULL. We add new headers only when header_last is
+not NULL. The function may get called sometimes when it is NULL (e.g. during
+address verification where rewriting options exist). When called from a filter,
+there may be multiple header lines in a single string.
+
+This is an internal static function that is the common back end to the external
+functions defined below. The general interface allows the header to be inserted
+before or after a given occurrence of a given header.
+
+(a) if "name" is NULL, the header is added at the end of all the existing
+    headers if "after" is true, or at the start if it is false. The "topnot"
+    flag is not used.
+
+(b) If "name" is not NULL, the first existing header with that name is sought.
+    If "after" is false, the new header is added before it. If "after" is true,
+    a check is made for adjacent headers with the same name, and the new header
+    is added after the last of them. If a header of the given name is not
+    found, the new header is added first if "topnot" is true, and at the bottom
+    otherwise.
+
+Arguments:
+  after     TRUE for "after", FALSE for "before"
+  name      name if adding at a specific header, else NULL
+  topnot    TRUE to add at top if no header found
+  type      Exim header type character (htype_something)
+  format    sprintf format
+  ap        va_list value for format arguments
+
+Returns:    pointer to header struct (last one, if multiple added)
+*/
+
+static header_line *
+header_add_backend(BOOL after, uschar *name, BOOL topnot, int type,
+  const char *format, va_list ap)
+{
+header_line *h, *new = NULL;
+header_line **hptr;
+
+uschar * p, * q, * buf;
+gstring gs;
+
+if (!header_last) return NULL;
+
+gs.s = buf = store_get(HEADER_ADD_BUFFER_SIZE, GET_UNTAINTED);
+gs.size = HEADER_ADD_BUFFER_SIZE;
+gs.ptr = 0;
+
+if (!string_vformat(&gs, SVFMT_REBUFFER, format, ap))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "string too long in header_add: "
+    "%.100s ...", string_from_gstring(&gs));
+
+if (gs.s != buf) store_release_above(buf);
+gstring_release_unused(&gs);
+string_from_gstring(&gs);
+
+/* Find where to insert this header */
+
+if (!name)
+  if (after)
+    {
+    hptr = &header_last->next;
+    h = NULL;
+    }
+  else
+    {
+    hptr = &header_list;
+
+    /* header_list->text can be NULL if we get here between when the new
+    received header is allocated and when it is actually filled in. We want
+    that header to be first, so skip it for now. */
+
+    if (!header_list->text)
+      hptr = &header_list->next;
+    h = *hptr;
+    }
+
+else
+  {
+  int len = Ustrlen(name);
+
+  /* Find the first non-deleted header with the correct name. */
+
+  for (hptr = &header_list; (h = *hptr); hptr = &h->next)
+    if (header_testname(h, name, len, TRUE))
+      break;
+
+  /* Handle the case where no header is found. To insert at the bottom, nothing
+  needs to be done. */
+
+  if (!h)
+    {
+    if (topnot)
+      {
+      hptr = &header_list;
+      h = header_list;
+      }
+    }
+
+  /* Handle the case where a header is found. Check for more if "after" is
+  true. In this case, we want to include deleted headers in the block. */
+
+  else if (after)
+    for (;;)
+      {
+      if (!h->next || !header_testname(h, name, len, FALSE)) break;
+      hptr = &h->next;
+      h = h->next;
+      }
+  }
+
+/* Loop for multiple header lines, taking care about continuations. At this
+point, we have hptr pointing to the link field that will point to the new
+header, and h containing the following header, or NULL. */
+
+for (p = q = gs.s; *p; p = q)
+  {
+  for (;;)
+    {
+    q = Ustrchr(q, '\n');
+    if (!q) q = p + Ustrlen(p);
+    if (*(++q) != ' ' && *q != '\t') break;
+    }
+
+  new = store_get(sizeof(header_line), GET_UNTAINTED);
+  new->text = string_copyn(p, q - p);
+  new->slen = q - p;
+  new->type = type;
+  new->next = h;
+
+  *hptr = new;
+  hptr = &new->next;
+
+  if (!h) header_last = new;
+  }
+return new;
+}
+
+
+/*************************************************
+*      Add new header anywhere in the chain      *
+*************************************************/
+
+/* This is an external interface to header_add_backend().
+
+Arguments:
+  after     TRUE for "after", FALSE for "before"
+  name      name if adding at a specific header, else NULL
+  topnot    TRUE to add at top if no header found
+  type      Exim header type character (htype_something)
+  format    sprintf format
+  ...       format arguments
+
+Returns:    pointer to header struct added
+*/
+
+header_line *
+header_add_at_position_internal(BOOL after, uschar *name, BOOL topnot, int type,
+  const char *format, ...)
+{
+header_line * h;
+va_list ap;
+va_start(ap, format);
+h = header_add_backend(after, name, topnot, type, format, ap);
+va_end(ap);
+return h;
+}
+
+
+/* Documented external i/f for local_scan */
+void
+header_add_at_position(BOOL after, uschar *name, BOOL topnot, int type,
+  const char *format, ...)
+{
+va_list ap;
+va_start(ap, format);
+(void) header_add_backend(after, name, topnot, type, format, ap);
+va_end(ap);
+}
+
+/*************************************************
+*            Add new header on end of chain      *
+*************************************************/
+
+/* This is now a convenience interface to header_add_backend().
+
+Arguments:
+  type      Exim header type character
+  format    sprintf format
+  ...       arguments for the format
+
+Returns:    nothing
+*/
+
+void
+header_add(int type, const char *format, ...)
+{
+va_list ap;
+va_start(ap, format);
+(void) header_add_backend(TRUE, NULL, FALSE, type, format, ap);
+va_end(ap);
+}
+
+
+
+/*************************************************
+*        Remove (mark as old) a header           *
+*************************************************/
+
+/* This function is used by the filter code; it is also exported in the
+local_scan() API. If no header is found, the function does nothing.
+
+Arguments:
+  occ           the occurrence number for multiply-defined headers
+                  <= 0 means "all"; deleted headers are not counted
+  name          the header name
+
+Returns:        nothing
+*/
+
+void
+header_remove(int occ, const uschar *name)
+{
+int hcount = 0;
+int len = Ustrlen(name);
+for (header_line * h = header_list; h; h = h->next)
+  if (header_testname(h, name, len, TRUE) && (occ <= 0 || ++hcount == occ))
+    {
+    h->type = htype_old;
+    if (occ > 0) return;
+    }
+}
+
+
+
+/*************************************************
+*          Check the name of a header            *
+*************************************************/
+
+/* This function scans a table of header field names that Exim recognizes, and
+returns the identification of a match. If "resent" is true, the header is known
+to start with "resent-". In that case, the function matches only those fields
+that are allowed to appear with resent- in front of them.
+
+Arguments:
+  h             points to the header line
+  is_resent     TRUE if the name starts "Resent-"
+
+Returns:        One of the htype_ enum values, identifying the header
+*/
+
+int
+header_checkname(header_line *h, BOOL is_resent)
+{
+uschar *text = h->text;
+header_name *bot = header_names;
+header_name *top = header_names + header_names_size;
+
+if (is_resent) text += 7;
+
+while (bot < top)
+  {
+  header_name *mid = bot + (top - bot)/2;
+  int c = strncmpic(text, mid->name, mid->len);
+
+  if (c == 0)
+    {
+    uschar * s = text + mid->len;
+    if (Uskip_whitespace(&s) == ':')
+      return (!is_resent || mid->allow_resent)? mid->htype : htype_other;
+    c = 1;
+    }
+
+  if (c > 0) bot = mid + 1; else top = mid;
+  }
+
+return htype_other;
+}
+
+
+/*************************************************
+*       Scan a header for certain strings        *
+*************************************************/
+
+/* This function is used for the "personal" test. It scans a particular header
+line for any one of a number of strings, matched caselessly either as plain
+strings, or as regular expressions. If the header line contains a list of
+addresses, each match is applied only to the operative part of each address in
+the header, and non-regular expressions must be exact matches.
+
+The patterns can be provided either as a chain of string_item structures, or
+inline in the argument list, or both. If there is more than one header of the
+same name, they are all searched.
+
+Arguments:
+  name           header name, including the trailing colon
+  has_addresses  TRUE if the header contains a list of addresses
+  cond           value to return if the header contains any of the strings
+  strings        points to a chain of string_item blocks
+  count          number of inline strings
+  ...            the inline strings
+
+Returns:         cond if the header exists and contains one of the strings;
+                   otherwise !cond
+*/
+
+
+/* First we have a local subroutine to handle a single pattern */
+
+static BOOL
+one_pattern_match(uschar *name, int slen, BOOL has_addresses, uschar *pattern)
+{
+BOOL yield = FALSE;
+const pcre2_code *re = NULL;
+
+/* If the pattern is a regex, compile it. Bomb out if compiling fails; these
+patterns are all constructed internally and should be valid. */
+
+if (*pattern == '^') re = regex_must_compile(pattern, TRUE, FALSE);
+
+/* Scan for the required header(s) and scan each one */
+
+for (header_line * h = header_list; !yield && h; h = h->next)
+  {
+  if (h->type == htype_old || slen > h->slen ||
+      strncmpic(name, h->text, slen) != 0)
+    continue;
+
+  /* If the header is a list of addresses, extract each one in turn, and scan
+  it. A non-regex scan must be an exact match for the address. */
+
+  if (has_addresses)
+    {
+    uschar *s = h->text + slen;
+
+    while (!yield && *s)
+      {
+      uschar *error, *next;
+      uschar *e = parse_find_address_end(s, FALSE);
+      int terminator = *e;
+      int start, end, domain;
+
+      /* Temporarily terminate the string at the address end while extracting
+      the operative address within. */
+
+      *e = 0;
+      next = parse_extract_address(s, &error, &start, &end, &domain, FALSE);
+      *e = terminator;
+
+      /* Move on, ready for the next address */
+
+      s = e;
+      if (*s == ',') s++;
+
+      /* If there is some kind of syntax error, just give up on this header
+      line. */
+
+      if (!next) break;
+
+      /* Otherwise, test for the pattern; a non-regex must be an exact match */
+
+      yield = re
+	? regex_match(re, next, -1, NULL)
+        : (strcmpic(next, pattern) == 0);
+      }
+    }
+
+  /* For headers that are not lists of addresses, scan the entire header line,
+  and just require "contains" for non-regex patterns. */
+
+  else
+    {
+    yield = re
+      ? regex_match(re, h->text, h->slen, NULL)
+      : (strstric(h->text, pattern, FALSE) != NULL);
+    }
+  }
+
+return yield;
+}
+
+
+/* The externally visible interface */
+
+BOOL
+header_match(uschar *name, BOOL has_addresses, BOOL cond, string_item *strings,
+  int count, ...)
+{
+va_list ap;
+int slen = Ustrlen(name);
+
+for (string_item * s = strings; s; s = s->next)
+  if (one_pattern_match(name, slen, has_addresses, s->text))
+    return cond;
+
+va_start(ap, count);
+for (int i = 0; i < count; i++)
+  if (one_pattern_match(name, slen, has_addresses, va_arg(ap, uschar *)))
+    {
+    va_end(ap);
+    return cond;
+    }
+va_end(ap);
+
+return !cond;
+}
+
+/* End of header.c */
diff --git a/src/hintsdb.h b/src/hintsdb.h
new file mode 100644
index 0000000..b8e6744
--- /dev/null
+++ b/src/hintsdb.h
@@ -0,0 +1,810 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This header file contains macro definitions so that a variety of DBM
+libraries can be used by Exim. Nigel Metheringham provided the original set for
+Berkeley DB 1.x in native mode and ndbm. Subsequently, versions for Berkeley DB
+2.x and 3.x were added. Later still, support for tdb was added, courtesy of
+James Antill. Most recently, support for native mode gdbm was added, with code
+from Pierre A. Humblet, so Exim could be made to work with Cygwin.
+
+For convenience, the definitions of the structures used in the various hints
+databases are also kept in this file, which is used by the maintenance
+utilities as well as the main Exim binary. */
+
+#ifndef HINTSDB_H
+#define HINTSDB_H
+
+
+#if defined(USE_TDB)
+
+/* ************************* tdb interface ************************ */
+/*XXX https://manpages.org/tdb/3 mentions concurrent writes.
+Could we lose the file lock? */
+
+# include <tdb.h>
+
+/* Basic DB type */
+# define EXIM_DB TDB_CONTEXT
+
+/* Cursor type: tdb uses the previous "key" in _nextkey() (really it wants
+tdb_traverse to be called) */
+# define EXIM_CURSOR TDB_DATA
+
+/* The datum type used for queries */
+# define EXIM_DATUM TDB_DATA
+
+/* Some text for messages */
+# define EXIM_DBTYPE "tdb"
+
+/* Access functions */
+
+/* EXIM_DBOPEN - return pointer to an EXIM_DB, NULL if failed */
+static inline EXIM_DB *
+exim_dbopen__(const uschar * name, const uschar * dirname, int flags,
+  unsigned mode)
+{
+return tdb_open(CS name, 0, TDB_DEFAULT, flags, mode);
+}
+
+/* EXIM_DBGET - returns TRUE if successful, FALSE otherwise */
+static inline BOOL
+exim_dbget(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * res)
+{
+*res = tdb_fetch(dbp, *key);	/* A struct arg and return!! */
+return res->dptr != NULL;
+}
+
+/* EXIM_DBPUT - returns nothing useful, assumes replace mode */
+static inline int
+exim_dbput(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data)
+{ return tdb_store(dbp, *key, *data, TDB_REPLACE); }
+
+/* EXIM_DBPUTB - non-overwriting for use by dbmbuild */
+static inline int
+exim_dbputb(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data)
+{ return tdb_store(dbp, *key, *data, TDB_INSERT); }
+
+/* Returns from EXIM_DBPUTB */
+
+# define EXIM_DBPUTB_OK  0
+# define EXIM_DBPUTB_DUP (-1)
+
+/* EXIM_DBDEL */
+static inline int
+exim_dbdel(EXIM_DB * dbp, EXIM_DATUM * key)
+{ return tdb_delete(dbp, *key); }
+
+/* EXIM_DBCREATE_CURSOR - initialize for scanning operation */
+static inline EXIM_CURSOR *
+exim_dbcreate_cursor(EXIM_DB * dbp)
+{
+EXIM_CURSOR * c = store_malloc(sizeof(TDB_DATA));
+c->dptr = NULL;
+return c;
+}
+
+/* EXIM_DBSCAN - This is complicated because we have to free the last datum
+free() must not die when passed NULL */
+
+static inline BOOL
+exim_dbscan(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * res, BOOL first,
+  EXIM_CURSOR * cursor)
+{
+*key = first ? tdb_firstkey(dbp) : tdb_nextkey(dbp, *cursor);
+free(cursor->dptr);
+*cursor = *key;
+return key->dptr != NULL;
+}
+
+/* EXIM_DBDELETE_CURSOR - terminate scanning operation. */
+static inline void
+exim_dbdelete_cursor(EXIM_CURSOR * cursor)
+{ store_free(cursor); }
+
+/* EXIM_DBCLOSE */
+static inline void
+exim_dbclose__(EXIM_DB * db)
+{ tdb_close(db); }
+
+/* Datum access */
+
+static inline uschar *
+exim_datum_data_get(EXIM_DATUM * dp)
+{ return US dp->dptr; }
+static inline void
+exim_datum_data_set(EXIM_DATUM * dp, void * s)
+{ dp->dptr = s; }
+
+static inline unsigned
+exim_datum_size_get(EXIM_DATUM * dp)
+{ return dp->dsize; }
+static inline void
+exim_datum_size_set(EXIM_DATUM * dp, unsigned n)
+{ dp->dsize = n; }
+
+/* No initialization is needed. */
+
+static inline void
+exim_datum_init(EXIM_DATUM * d)
+{ }
+
+/* Free the stuff inside the datum. */
+
+static inline void
+exim_datum_free(EXIM_DATUM * d)
+{
+free(d->dptr);
+d->dptr = NULL;
+}
+
+/* size limit */
+
+# define EXIM_DB_RLIMIT	150
+
+
+
+
+
+
+/********************* Berkeley db native definitions **********************/
+
+#elif defined USE_DB
+
+# include <db.h>
+
+/* 1.x did no locking
+   2.x had facilities, but exim does it's own
+   3.x+ unknown
+*/
+
+/* We can distinguish between versions 1.x and 2.x/3.x by looking for a
+definition of DB_VERSION_STRING, which is present in versions 2.x onwards. */
+
+# ifdef DB_VERSION_STRING
+
+#  if DB_VERSION_MAJOR >= 6
+#   error Version 6 and later BDB API is not supported
+#  endif
+
+/* The API changed (again!) between the 2.x and 3.x versions */
+
+# if DB_VERSION_MAJOR >= 3
+
+/***************** Berkeley db 3.x/4.x native definitions ******************/
+
+/* Basic DB type */
+#  if DB_VERSION_MAJOR > 4 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1)
+#   define EXIM_DB       DB_ENV
+/* Cursor type, for scanning */
+#   define EXIM_CURSOR   DBC
+
+/* The datum type used for queries */
+#   define EXIM_DATUM    DBT
+
+/* Some text for messages */
+#   define EXIM_DBTYPE   "db (v4.1+)"
+
+/* Only more-recent versions.  5+ ? */
+#   ifndef DB_FORCESYNC
+#    define DB_FORCESYNC 0
+#   endif
+
+/* Error callback */
+/* For Berkeley DB >= 2, we can define a function to be called in case of DB
+errors. This should help with debugging strange DB problems, e.g. getting "File
+exists" when you try to open a db file. The API for this function was changed
+at DB release 4.3. */
+
+static inline void
+dbfn_bdb_error_callback(const DB_ENV * dbenv, const char * pfx, const char * msg)
+{
+#ifndef MACRO_PREDEF 
+log_write(0, LOG_MAIN, "Berkeley DB error: %s", msg);
+#endif
+}
+
+
+
+/* Access functions */
+
+/* EXIM_DBOPEN - return pointer to an EXIM_DB, NULL if failed */
+/* The API changed for DB 4.1. - and we also starting using the "env" with a
+specified working dir, to avoid the DBCONFIG file trap. */
+
+#   define ENV_TO_DB(env) ((DB *)(((EXIM_DB *)env)->app_private))
+
+static inline EXIM_DB *
+exim_dbopen__(const uschar * name, const uschar * dirname, int flags,
+  unsigned mode)
+{
+EXIM_DB * dbp;
+DB * b;
+if (  db_env_create(&dbp, 0) != 0
+   || (dbp->set_errcall(dbp, dbfn_bdb_error_callback), 0)
+   || dbp->open(dbp, CS dirname, DB_CREATE|DB_INIT_MPOOL|DB_PRIVATE, 0) != 0
+   )
+  return NULL;
+if (db_create(&b, dbp, 0) == 0)
+  {
+  dbp->app_private = b;
+  if (b->open(b, NULL, CS name, NULL,
+	      flags == O_RDONLY ? DB_UNKNOWN : DB_HASH,
+	      flags == O_RDONLY ? DB_RDONLY : DB_CREATE,
+	      mode) == 0
+	  )
+    return dbp;
+
+  b->close(b, 0);
+  }
+dbp->close(dbp, 0);
+return NULL;
+}
+
+/* EXIM_DBGET - returns TRUE if successful, FALSE otherwise */
+static inline BOOL
+exim_dbget(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * res)
+{
+DB * b = ENV_TO_DB(dbp);
+return b->get(b, NULL, key, res, 0) == 0;
+}
+
+/* EXIM_DBPUT - returns nothing useful, assumes replace mode */
+static inline int
+exim_dbput(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data)
+{
+DB * b = ENV_TO_DB(dbp);
+return b->put(b, NULL, key, data, 0);
+}
+
+/* EXIM_DBPUTB - non-overwriting for use by dbmbuild */
+static inline int
+exim_dbputb(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data)
+{
+DB * b = ENV_TO_DB(dbp);
+return b->put(b, NULL, key, data, DB_NOOVERWRITE);
+}
+
+/* Return values from EXIM_DBPUTB */
+
+#   define EXIM_DBPUTB_OK  0
+#   define EXIM_DBPUTB_DUP DB_KEYEXIST
+
+/* EXIM_DBDEL */
+static inline int
+exim_dbdel(EXIM_DB * dbp, EXIM_DATUM * key)
+{
+DB * b = ENV_TO_DB(dbp);
+return b->del(b, NULL, key, 0);
+}
+
+/* EXIM_DBCREATE_CURSOR - initialize for scanning operation */
+
+static inline EXIM_CURSOR *
+exim_dbcreate_cursor(EXIM_DB * dbp)
+{
+DB * b = ENV_TO_DB(dbp);
+EXIM_CURSOR * c;
+b->cursor(b, NULL, &c, 0);
+return c;
+}
+
+/* EXIM_DBSCAN - returns TRUE if data is returned, FALSE at end */
+static inline BOOL
+exim_dbscan(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data, BOOL first,
+  EXIM_CURSOR * cursor)
+{
+return cursor->c_get(cursor, key, data, first ? DB_FIRST : DB_NEXT) == 0;
+}
+
+/* EXIM_DBDELETE_CURSOR - terminate scanning operation */
+static inline void
+exim_dbdelete_cursor(EXIM_CURSOR * cursor)
+{ cursor->c_close(cursor); }
+
+/* EXIM_DBCLOSE */
+static inline void
+exim_dbclose__(EXIM_DB * dbp_o)
+{
+DB_ENV * dbp = dbp_o;
+DB * b = ENV_TO_DB(dbp);
+b->close(b, 0);
+dbp->close(dbp, DB_FORCESYNC);
+}
+
+/* Datum access */
+
+static inline uschar *
+exim_datum_data_get(EXIM_DATUM * dp)
+{ return dp->data; }
+static inline void
+exim_datum_data_set(EXIM_DATUM * dp, void * s)
+{ dp->data = s; }
+
+static inline unsigned
+exim_datum_size_get(EXIM_DATUM * dp)
+{ return dp->size; }
+static inline void
+exim_datum_size_set(EXIM_DATUM * dp, unsigned n)
+{ dp->size = n; }
+
+/* The whole datum structure contains other fields that must be cleared
+before use, but we don't have to free anything after reading data. */
+
+static inline void
+exim_datum_init(EXIM_DATUM * d)
+{ memset(d, 0, sizeof(*d)); }
+
+static inline void
+exim_datum_free(EXIM_DATUM * d)
+{ }
+
+#  else	/* pre- 4.1 */
+
+#   define EXIM_DB       DB
+
+/* Cursor type, for scanning */
+#   define EXIM_CURSOR   DBC
+
+/* The datum type used for queries */
+#   define EXIM_DATUM    DBT
+
+/* Some text for messages */
+#   define EXIM_DBTYPE   "db (v3/4)"
+
+/* Access functions */
+
+/* EXIM_DBOPEN - return pointer to an EXIM_DB, NULL if failed */
+static inline EXIM_DB *
+exim_dbopen__(const uschar * name, const uschar * dirname, int flags,
+  unsigned mode)
+{
+EXIM_DB * dbp;
+return db_create(&dbp, NULL, 0) == 0
+  && (  dbp->set_errcall(dbp, dbfn_bdb_error_callback),
+	dbp->open(dbp, CS name, NULL,
+	  flags == O_RDONLY ? DB_UNKNOWN : DB_HASH,
+	  flags == O_RDONLY ? DB_RDONLY : DB_CREATE,
+	  mode)
+     ) == 0
+  ? dbp : NULL;
+}
+
+/* EXIM_DBGET - returns TRUE if successful, FALSE otherwise */
+static inline BOOL
+exim_dbget(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * res)
+{ return dbp->get(dbp, NULL, key, res, 0) == 0; }
+
+/* EXIM_DBPUT - returns nothing useful, assumes replace mode */
+static inline int
+exim_dbput(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data)
+{ return dbp->put(dbp, NULL, key, data, 0); }
+
+/* EXIM_DBPUTB - non-overwriting for use by dbmbuild */
+static inline int
+exim_dbputb(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data)
+{ return dbp->put(dbp, NULL, key, data, DB_NOOVERWRITE); }
+
+/* Return values from EXIM_DBPUTB */
+
+#   define EXIM_DBPUTB_OK  0
+#   define EXIM_DBPUTB_DUP DB_KEYEXIST
+
+/* EXIM_DBDEL */
+static inline int
+exim_dbdel(EXIM_DB * dbp, EXIM_DATUM * key)
+{ return dbp->del(dbp, NULL, key, 0); }
+
+/* EXIM_DBCREATE_CURSOR - initialize for scanning operation */
+
+static inline EXIM_CURSOR *
+exim_dbcreate_cursor(EXIM_DB * dbp)
+{
+EXIM_CURSOR * c;
+dbp->cursor(dbp, NULL, &c, 0);
+return c;
+}
+
+/* EXIM_DBSCAN - returns TRUE if data is returned, FALSE at end */
+static inline BOOL
+exim_dbscan(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data, BOOL first,
+  EXIM_CURSOR * cursor)
+{
+return cursor->c_get(cursor, key, data, first ? DB_FIRST : DB_NEXT) == 0;
+}
+
+/* EXIM_DBDELETE_CURSOR - terminate scanning operation */
+static inline void
+exim_dbdelete_cursor(EXIM_CURSOR * cursor)
+{ cursor->c_close(cursor); }
+
+/* EXIM_DBCLOSE */
+static inline void
+exim_dbclose__(EXIM_DB * dbp)
+{ dbp->close(dbp, 0); }
+
+/* Datum access */
+
+static inline uschar *
+exim_datum_data_get(EXIM_DATUM * dp)
+{ return US dp->dptr; }
+static inline void
+exim_datum_data_set(EXIM_DATUM * dp, void * s)
+{ dp->dptr = s; }
+
+static inline uschar *
+exim_datum_size_get(EXIM_DATUM * dp)
+{ return US dp->size; }
+static inline void
+exim_datum_size_set(EXIM_DATUM * dp, uschar * s)
+{ dp->size = CS s; }
+
+/* The whole datum structure contains other fields that must be cleared
+before use, but we don't have to free anything after reading data. */
+
+static inline void
+exim_datum_init(EXIM_DATUM * d)
+{ memset(d, 0, sizeof(*d)); }
+
+static inline void
+exim_datum_free(EXIM_DATUM * d)
+{ }
+
+#  endif
+
+
+#  else /* DB_VERSION_MAJOR >= 3 */
+#   error Berkeley DB versions earlier than 3 are not supported */
+#  endif /* DB_VERSION_MAJOR */
+# else
+#  error Berkeley DB version 1 is no longer supported
+# endif /* DB_VERSION_STRING */
+
+
+/* all BDB versions */
+/* size limit */
+
+# define EXIM_DB_RLIMIT	150
+
+
+
+
+
+
+/********************* gdbm interface definitions **********************/
+
+#elif defined USE_GDBM
+/*XXX TODO: exim's locfile not needed */
+
+# include <gdbm.h>
+
+/* Basic DB type */
+typedef struct {
+       GDBM_FILE gdbm;  /* Database */
+       datum lkey;      /* Last key, for scans */
+} EXIM_DB;
+
+/* Cursor type, not used with gdbm: just set up a dummy */
+# define EXIM_CURSOR int
+
+/* The datum type used for queries */
+# define EXIM_DATUM datum
+
+/* Some text for messages */
+
+# define EXIM_DBTYPE "gdbm"
+
+/* Access functions */
+
+/* EXIM_DBOPEN - return pointer to an EXIM_DB, NULL if failed */
+static inline EXIM_DB *
+exim_dbopen__(const uschar * name, const uschar * dirname, int flags,
+  unsigned mode)
+{
+EXIM_DB * dbp = malloc(sizeof(EXIM_DB));	/*XXX why not exim mem-mgmt? */
+if (dbp)
+  {
+  dbp->lkey.dptr = NULL;
+  dbp->gdbm = gdbm_open(CS name, 0,
+    flags & O_CREAT ? GDBM_WRCREAT
+    : flags & (O_RDWR|O_WRONLY) ? GDBM_WRITER
+    : GDBM_READER,
+    mode, 0);
+  if (dbp->gdbm) return dbp;
+  free(dbp);
+  }
+return NULL;
+}
+
+/* EXIM_DBGET - returns TRUE if successful, FALSE otherwise */
+static inline BOOL
+exim_dbget(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * res)
+{
+*res = gdbm_fetch(dbp->gdbm, *key);	/* A struct arg & return! */
+return res->dptr != NULL;
+}
+
+/* EXIM_DBPUT - returns nothing useful, assumes replace mode */
+static inline int
+exim_dbput(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data)
+{ return gdbm_store(dbp->gdbm, *key, *data, GDBM_REPLACE); }
+
+/* EXIM_DBPUTB - non-overwriting for use by dbmbuild */
+static inline int
+exim_dbputb(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data)
+{ return gdbm_store(dbp->gdbm, *key, *data, GDBM_INSERT); }
+
+/* Returns from EXIM_DBPUTB */
+
+# define EXIM_DBPUTB_OK  0
+# define EXIM_DBPUTB_DUP 1
+
+/* EXIM_DBDEL */
+static inline int
+exim_dbdel(EXIM_DB * dbp, EXIM_DATUM * key)
+{ return gdbm_delete(dbp->gdbm, *key); }
+
+/* EXIM_DBCREATE_CURSOR - initialize for scanning operation (null) */
+static inline EXIM_CURSOR *
+exim_dbcreate_cursor(EXIM_DB * dbp)
+{ return NULL; }
+
+/* EXIM_DBSCAN */
+static inline BOOL
+exim_dbscan(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data, BOOL first,
+  EXIM_CURSOR * cursor)
+{
+char * s;
+*key = first ? gdbm_firstkey(dbp->gdbm) : gdbm_nextkey(dbp->gdbm, dbp->lkey);
+if ((s = dbp->lkey.dptr)) free(s);
+dbp->lkey = *key;
+return key->dptr != NULL;
+}
+
+/* EXIM_DBDELETE_CURSOR - terminate scanning operation (null). */
+static inline void
+exim_dbdelete_cursor(EXIM_CURSOR * cursor)
+{ }
+
+/* EXIM_DBCLOSE */
+static inline void
+exim_dbclose__(EXIM_DB * dbp)
+{
+char * s;
+gdbm_close(dbp->gdbm);
+if ((s = dbp->lkey.dptr)) free(s);
+free(dbp);
+}
+
+/* Datum access types */
+
+static inline uschar *
+exim_datum_data_get(EXIM_DATUM * dp)
+{ return US dp->dptr; }
+static inline void
+exim_datum_data_set(EXIM_DATUM * dp, void * s)
+{ dp->dptr = s; }
+
+static inline unsigned
+exim_datum_size_get(EXIM_DATUM * dp)
+{ return dp->dsize; }
+static inline void
+exim_datum_size_set(EXIM_DATUM * dp, unsigned n)
+{ dp->dsize = n; }
+
+/* There's no clearing required before use, but we have to free the dptr
+after reading data. */
+
+static inline void
+exim_datum_init(EXIM_DATUM * d)
+{ }
+
+static inline void
+exim_datum_free(EXIM_DATUM * d)
+{ free(d->dptr); }
+
+/* size limit */
+
+# define EXIM_DB_RLIMIT	150
+
+#else  /* USE_GDBM */
+
+
+
+
+
+
+/* If none of USE_DB, USG_GDBM, or USE_TDB are set, the default is the NDBM
+interface */
+
+
+/********************* ndbm interface definitions **********************/
+
+# include <ndbm.h>
+
+/* Basic DB type */
+# define EXIM_DB DBM
+
+/* Cursor type, not used with ndbm: just set up a dummy */
+# define EXIM_CURSOR int
+
+/* The datum type used for queries */
+# define EXIM_DATUM datum
+
+/* Some text for messages */
+
+# define EXIM_DBTYPE "ndbm"
+
+/* Access functions */
+
+/* EXIM_DBOPEN - returns a EXIM_DB *, NULL if failed */
+/* Check that the name given is not present. This catches
+a directory name; otherwise we would create the name.pag and
+name.dir files in the directory's parent. */
+
+static inline EXIM_DB *
+exim_dbopen__(const uschar * name, const uschar * dirname, int flags,
+  unsigned mode)
+{
+struct stat st;
+if (!(flags & O_CREAT) || lstat(CCS name, &st) != 0 && errno == ENOENT)
+  return dbm_open(CS name, flags, mode);
+#ifndef COMPILE_UTILITY
+debug_printf("%s %d errno %s\n", __FUNCTION__, __LINE__, strerror(errno));
+#endif
+errno = (st.st_mode & S_IFMT) == S_IFDIR ? EISDIR : EEXIST;
+return NULL;
+}
+
+/* EXIM_DBGET - returns TRUE if successful, FALSE otherwise */
+static inline BOOL
+exim_dbget(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * res)
+{
+*res = dbm_fetch(dbp, *key);	/* A struct arg & return! */
+return res->dptr != NULL;
+}
+
+/* EXIM_DBPUT - returns nothing useful, assumes replace mode */
+static inline int
+exim_dbput(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data)
+{ return dbm_store(dbp, *key, *data, DBM_REPLACE); }
+
+/* EXIM_DBPUTB - non-overwriting for use by dbmbuild */
+static inline int
+exim_dbputb(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data)
+{ return dbm_store(dbp, *key, *data, DBM_INSERT); }
+
+/* Returns from EXIM_DBPUTB */
+
+# define EXIM_DBPUTB_OK  0
+# define EXIM_DBPUTB_DUP 1
+
+/* EXIM_DBDEL */
+static inline int
+exim_dbdel(EXIM_DB * dbp, EXIM_DATUM * key)
+{ return dbm_delete(dbp, *key); }
+
+/* EXIM_DBCREATE_CURSOR - initialize for scanning operation (null) */
+static inline EXIM_CURSOR *
+exim_dbcreate_cursor(EXIM_DB * dbp)
+{ return NULL; }
+
+/* EXIM_DBSCAN */
+static inline BOOL
+exim_dbscan(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data, BOOL first,
+  EXIM_CURSOR * cursor)
+{
+*key = first ? dbm_firstkey(dbp) : dbm_nextkey(dbp);
+return key->dptr != NULL;
+}
+
+/* EXIM_DBDELETE_CURSOR - terminate scanning operation (null). */
+static inline void
+exim_dbdelete_cursor(EXIM_CURSOR * cursor)
+{ }
+
+/* EXIM_DBCLOSE */
+static inline void
+exim_dbclose__(EXIM_DB * dbp)
+{ dbm_close(dbp); }
+
+/* Datum access types */
+
+static inline uschar *
+exim_datum_data_get(EXIM_DATUM * dp)
+{ return US dp->dptr; }
+static inline void
+exim_datum_data_set(EXIM_DATUM * dp, void * s)
+{ dp->dptr = s; }
+
+static inline unsigned
+exim_datum_size_get(EXIM_DATUM * dp)
+{ return dp->dsize; }
+static inline void
+exim_datum_size_set(EXIM_DATUM * dp, unsigned n)
+{ dp->dsize = n; }
+
+/* There's no clearing required before use, and we don't have to free anything
+after reading data. */
+
+static inline void
+exim_datum_init(EXIM_DATUM * d)
+{ }
+
+static inline void
+exim_datum_free(EXIM_DATUM * d)
+{ }
+
+/* size limit */
+
+# define EXIM_DB_RLIMIT	150
+
+#endif /* USE_GDBM */
+
+
+
+
+
+#if defined(COMPILE_UTILITY) || defined(MACRO_PREDEF)
+
+static inline EXIM_DB *
+exim_dbopen(const uschar * name, const uschar * dirname, int flags,
+  unsigned mode)
+{
+return exim_dbopen__(name, dirname, flags, mode);
+}
+
+static inline void
+exim_dbclose(EXIM_DB * dbp)
+{ exim_dbclose__(dbp); }
+
+#else	/*  exim mainline code */
+
+/* Wrappers for open/close with debug tracing */
+
+extern void debug_printf_indent(const char *, ...);
+static inline BOOL is_tainted(const void *);
+
+static inline EXIM_DB *
+exim_dbopen(const uschar * name, const uschar * dirname, int flags,
+  unsigned mode)
+{
+void * dbp;
+DEBUG(D_hints_lookup)
+  debug_printf_indent("EXIM_DBOPEN: file <%s> dir <%s> flags=%s\n",
+    name, dirname,
+    flags == O_RDONLY ? "O_RDONLY"
+    : flags == O_RDWR ? "O_RDWR"
+    : flags == (O_RDWR|O_CREAT) ? "O_RDWR|O_CREAT"
+    : "??");
+if (is_tainted(name) || is_tainted(dirname))
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "Tainted name for DB file not permitted");
+  dbp = NULL;
+  }
+else
+  dbp = exim_dbopen__(name, dirname, flags, mode);
+
+DEBUG(D_hints_lookup) debug_printf_indent("returned from EXIM_DBOPEN: %p\n", dbp);
+return dbp;
+}
+
+static inline void
+exim_dbclose(EXIM_DB * dbp)
+{
+DEBUG(D_hints_lookup) debug_printf_indent("EXIM_DBCLOSE(%p)\n", dbp);
+exim_dbclose__(dbp);
+}
+
+# endif		/* defined(COMPILE_UTILITY) || defined(MACRO_PREDEF) */
+
+/********************* End of dbm library definitions **********************/
+
+
+#endif	/* whole file */
+/* End of hintsdb.h */
diff --git a/src/hintsdb_structs.h b/src/hintsdb_structs.h
new file mode 100644
index 0000000..e0670a1
--- /dev/null
+++ b/src/hintsdb_structs.h
@@ -0,0 +1,189 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 - 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This header file contains the definitions of the structures used in the
+various hints databases are also kept in this file, which is used by the
+maintenance utilities as well as the main Exim binary. */
+
+#ifndef HINTSDB_STRUCTS_H
+#define HINTSDB_STRUCTS_H
+
+
+/* Structure for carrying around an open DBM file, and an open locking file
+that relates to it. */
+
+typedef struct {
+  void *	dbptr;
+  int		lockfd;
+} open_db;
+
+
+/* Structures for records stored in exim database dbm files. They all
+start with the same fields, described in the generic type. */
+
+
+typedef struct {
+  time_t time_stamp;      /* Timestamp of writing */
+} dbdata_generic;
+
+
+/* This structure keeps track of retry information for a host or a local
+address. */
+
+typedef struct {
+  time_t time_stamp;
+  /*************/
+  time_t first_failed;    /* Time of first failure */
+  time_t last_try;        /* Time of last try */
+  time_t next_try;        /* Time of next try */
+  BOOL   expired;         /* Retry time has expired */
+  int    basic_errno;     /* Errno of last failure */
+  int    more_errno;      /* Additional information */
+  uschar text[1];         /* Text message for last failure */
+} dbdata_retry;
+
+/* These structures keep track of addresses that have had callout verification
+performed on them. There are two groups of records:
+
+1. keyed by localpart@domain -
+     Full address was tested and record holds result
+
+2. keyed by domain -
+     Domain response upto MAIL FROM:<>, postmaster, random local part;
+
+If a record exists, the result field is either ccache_accept or ccache_reject,
+or, for a domain record only, ccache_reject_mfnull when MAIL FROM:<> was
+rejected. The other fields, however, (which are only relevant to domain
+records) may also contain ccache_unknown if that particular test has not been
+done.
+
+Originally, there was only one structure, used for both types. However, it got
+expanded for domain records, so it got split. To make it possible for Exim to
+handle the old type of record, we retain the old definition. The different
+kinds of record can be distinguished by their different lengths. */
+
+typedef struct {
+  time_t time_stamp;
+  /*************/
+  int   result;
+  int   postmaster_result; /* Postmaster is accepted */
+  int   random_result;     /* Random local part was accepted */
+} dbdata_callout_cache_obs;
+
+typedef struct {
+  time_t time_stamp;       /* Timestamp of last address check */
+  /*************/
+  int   result;            /* accept or reject */
+} dbdata_callout_cache_address;
+
+/* For this new layout, we put the additional fields (the timestamps)
+last so that if somebody reverts to an older Exim, the new records will
+still make sense because they match the old layout. */
+
+typedef struct {
+  time_t time_stamp;       /* Time stamp of last connection */
+  /*************/
+  int   result;            /* Domain reject or accept */
+  int   postmaster_result; /* Postmaster result */
+  int   random_result;     /* Random result */
+  time_t postmaster_stamp; /* Timestamp of postmaster check */
+  time_t random_stamp;     /* Timestamp of random check */
+} dbdata_callout_cache;
+
+/* This structure keeps track of messages that are waiting for a particular
+host for a particular transport. */
+
+typedef struct {
+  time_t time_stamp;
+  /*************/
+  int    count;           /* Count of message ids */
+  int    sequence;        /* Sequence for continued records */
+  uschar text[1];         /* One long character string */
+} dbdata_wait;
+
+
+/* The contents of the "misc" database are a mixture of different kinds of
+record, as defined below. The keys used for a specific type all start with a
+given string such as "etrn-" or "host-serialize-". */
+
+
+/* This structure records a connection to a particular host, for the
+purpose of serializing access to certain hosts. For possible future extension,
+a field is defined for holding the count of connections, but it is not
+at present in use. The same structure is used for recording a running ETRN
+process. */
+
+typedef struct {
+  time_t time_stamp;
+  /*************/
+  int    count;           /* Reserved for possible connection count */
+} dbdata_serialize;
+
+
+/* This structure records the information required for the ratelimit
+ACL condition. */
+
+typedef struct {
+  time_t time_stamp;
+  /*************/
+  int    time_usec;       /* Fractional part of time, from gettimeofday() */
+  double rate;            /* Smoothed sending rate at that time */
+} dbdata_ratelimit;
+
+/* Same as above, plus a Bloom filter for uniquifying events. */
+
+typedef struct {
+  dbdata_ratelimit dbd;
+  time_t   bloom_epoch;   /* When the Bloom filter was last reset */
+  unsigned bloom_size;    /* Number of bytes in the Bloom filter */
+  uschar   bloom[40];     /* Bloom filter which may be larger than this */
+} dbdata_ratelimit_unique;
+
+
+/* For "seen" ACL condition */
+typedef struct {
+  time_t time_stamp;
+} dbdata_seen;
+
+#ifndef DISABLE_PIPE_CONNECT
+/* This structure records the EHLO responses, cleartext and crypted,
+for an IP, as bitmasks (cf. OPTION_TLS).  For LIMITS, also values
+advertised for MAILMAX, RCPTMAX and RCPTDOMAINMAX; zero meaning no
+value advertised. */
+
+typedef struct {
+  unsigned short cleartext_features;
+  unsigned short crypted_features;
+  unsigned short cleartext_auths;
+  unsigned short crypted_auths;
+
+# ifdef EXPERIMENTAL_ESMTP_LIMITS
+  unsigned int limit_mail;
+  unsigned int limit_rcpt;
+  unsigned int limit_rcptdom;
+# endif
+} ehlo_resp_precis;
+
+typedef struct {
+  time_t time_stamp;
+  /*************/
+  ehlo_resp_precis data;
+} dbdata_ehlo_resp;
+#endif
+
+typedef struct {
+  time_t time_stamp;
+  /*************/
+  uschar verify_override:1;
+  uschar ocsp:3;
+  uschar session[1];
+} dbdata_tls_session;
+
+
+#endif	/* whole file */
+/* End of hintsdb_structs.h */
diff --git a/src/host.c b/src/host.c
new file mode 100644
index 0000000..e43b507
--- /dev/null
+++ b/src/host.c
@@ -0,0 +1,3431 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions for finding hosts, either by gethostbyname(), gethostbyaddr(), or
+directly via the DNS. When IPv6 is supported, getipnodebyname() and
+getipnodebyaddr() may be used instead of gethostbyname() and gethostbyaddr(),
+if the newer functions are available. This module also contains various other
+functions concerned with hosts and addresses, and a random number function,
+used for randomizing hosts with equal MXs but available for use in other parts
+of Exim. */
+
+
+#include "exim.h"
+
+
+/* Static variable for preserving the list of interface addresses in case it is
+used more than once. */
+
+static ip_address_item *local_interface_data = NULL;
+
+
+#ifdef USE_INET_NTOA_FIX
+/*************************************************
+*         Replacement for broken inet_ntoa()     *
+*************************************************/
+
+/* On IRIX systems, gcc uses a different structure passing convention to the
+native libraries. This causes inet_ntoa() to always yield 0.0.0.0 or
+255.255.255.255. To get round this, we provide a private version of the
+function here. It is used only if USE_INET_NTOA_FIX is set, which should happen
+only when gcc is in use on an IRIX system. Code send to me by J.T. Breitner,
+with these comments:
+
+  code by Stuart Levy
+  as seen in comp.sys.sgi.admin
+
+August 2005: Apparently this is also needed for AIX systems; USE_INET_NTOA_FIX
+should now be set for them as well.
+
+Arguments:  sa  an in_addr structure
+Returns:        pointer to static text string
+*/
+
+char *
+inet_ntoa(struct in_addr sa)
+{
+static uschar addr[20];
+sprintf(addr, "%d.%d.%d.%d",
+        (US &sa.s_addr)[0],
+        (US &sa.s_addr)[1],
+        (US &sa.s_addr)[2],
+        (US &sa.s_addr)[3]);
+  return addr;
+}
+#endif
+
+
+
+/*************************************************
+*              Random number generator           *
+*************************************************/
+
+/* This is a simple pseudo-random number generator. It does not have to be
+very good for the uses to which it is put. When running the regression tests,
+start with a fixed seed.
+
+If you need better, see vaguely_random_number() which is potentially stronger,
+if a crypto library is available, but might end up just calling this instead.
+
+Arguments:
+  limit:    one more than the largest number required
+
+Returns:    a pseudo-random number in the range 0 to limit-1
+*/
+
+int
+random_number(int limit)
+{
+if (limit < 1)
+  return 0;
+if (random_seed == 0)
+  {
+  if (f.running_in_test_harness) random_seed = 42; else
+    {
+    int p = (int)getpid();
+    random_seed = (int)time(NULL) ^ ((p << 16) | p);
+    }
+  }
+random_seed = 1103515245 * random_seed + 12345;
+return (unsigned int)(random_seed >> 16) % limit;
+}
+
+/*************************************************
+*      Wrappers for logging lookup times         *
+*************************************************/
+
+/* When the 'slow_lookup_log' variable is enabled, these wrappers will
+write to the log file all (potential) dns lookups that take more than
+slow_lookup_log milliseconds
+*/
+
+static void
+log_long_lookup(const uschar * type, const uschar * data, unsigned long msec)
+{
+log_write(0, LOG_MAIN, "Long %s lookup for '%s': %lu msec",
+  type, data, msec);
+}
+
+
+/* returns the current system epoch time in milliseconds. */
+static unsigned long
+get_time_in_ms()
+{
+struct timeval tmp_time;
+unsigned long seconds, microseconds;
+
+gettimeofday(&tmp_time, NULL);
+seconds = (unsigned long) tmp_time.tv_sec;
+microseconds = (unsigned long) tmp_time.tv_usec;
+return seconds*1000 + microseconds/1000;
+}
+
+
+static int
+dns_lookup_timerwrap(dns_answer *dnsa, const uschar *name, int type,
+  const uschar **fully_qualified_name)
+{
+int retval;
+unsigned long time_msec;
+
+if (!slow_lookup_log)
+  return dns_lookup(dnsa, name, type, fully_qualified_name);
+
+time_msec = get_time_in_ms();
+retval = dns_lookup(dnsa, name, type, fully_qualified_name);
+if ((time_msec = get_time_in_ms() - time_msec) > slow_lookup_log)
+  log_long_lookup(dns_text_type(type), name, time_msec);
+return retval;
+}
+
+
+/*************************************************
+*       Replace gethostbyname() when testing     *
+*************************************************/
+
+/* This function is called instead of gethostbyname(), gethostbyname2(), or
+getipnodebyname() when running in the test harness. . It also
+recognizes an unqualified "localhost" and forces it to the appropriate loopback
+address. IP addresses are treated as literals. For other names, it uses the DNS
+to find the host name. In the test harness, this means it will access only the
+fake DNS resolver.
+
+Arguments:
+  name          the host name or a textual IP address
+  af            AF_INET or AF_INET6
+  error_num     where to put an error code:
+                HOST_NOT_FOUND/TRY_AGAIN/NO_RECOVERY/NO_DATA
+
+Returns:        a hostent structure or NULL for an error
+*/
+
+static struct hostent *
+host_fake_gethostbyname(const uschar *name, int af, int *error_num)
+{
+#if HAVE_IPV6
+int alen = (af == AF_INET)? sizeof(struct in_addr):sizeof(struct in6_addr);
+#else
+int alen = sizeof(struct in_addr);
+#endif
+
+int ipa;
+const uschar *lname = name;
+uschar *adds;
+uschar **alist;
+struct hostent *yield;
+dns_answer * dnsa = store_get_dns_answer();
+dns_scan dnss;
+
+DEBUG(D_host_lookup)
+  debug_printf("using host_fake_gethostbyname for %s (%s)\n", name,
+    af == AF_INET ? "IPv4" : "IPv6");
+
+/* Handle unqualified "localhost" */
+
+if (Ustrcmp(name, "localhost") == 0)
+  lname = af == AF_INET ? US"127.0.0.1" : US"::1";
+
+/* Handle a literal IP address */
+
+if ((ipa = string_is_ip_address(lname, NULL)) != 0)
+  if (   ipa == 4 && af == AF_INET
+     ||  ipa == 6 && af == AF_INET6)
+    {
+    int x[4];
+    yield = store_get(sizeof(struct hostent), GET_UNTAINTED);
+    alist = store_get(2 * sizeof(char *), GET_UNTAINTED);
+    adds  = store_get(alen, GET_UNTAINTED);
+    yield->h_name = CS name;
+    yield->h_aliases = NULL;
+    yield->h_addrtype = af;
+    yield->h_length = alen;
+    yield->h_addr_list = CSS alist;
+    *alist++ = adds;
+    for (int n = host_aton(lname, x), i = 0; i < n; i++)
+      {
+      int y = x[i];
+      *adds++ = (y >> 24) & 255;
+      *adds++ = (y >> 16) & 255;
+      *adds++ = (y >> 8) & 255;
+      *adds++ = y & 255;
+      }
+    *alist = NULL;
+    }
+
+  /* Wrong kind of literal address */
+
+  else
+    {
+    *error_num = HOST_NOT_FOUND;
+    yield = NULL;
+    goto out;
+    }
+
+/* Handle a host name */
+
+else
+  {
+  int type = af == AF_INET ? T_A:T_AAAA;
+  int rc = dns_lookup_timerwrap(dnsa, lname, type, NULL);
+  int count = 0;
+
+  lookup_dnssec_authenticated = NULL;
+
+  switch(rc)
+    {
+    case DNS_SUCCEED: break;
+    case DNS_NOMATCH: *error_num = HOST_NOT_FOUND; yield = NULL; goto out;
+    case DNS_NODATA:  *error_num = NO_DATA; yield = NULL; goto out;
+    case DNS_AGAIN:   *error_num = TRY_AGAIN; yield = NULL; goto out;
+    default:
+    case DNS_FAIL:    *error_num = NO_RECOVERY; yield = NULL; goto out;
+    }
+
+  for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
+       rr;
+       rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == type)
+    count++;
+
+  yield = store_get(sizeof(struct hostent), GET_UNTAINTED);
+  alist = store_get((count + 1) * sizeof(char *), GET_UNTAINTED);
+  adds  = store_get(count *alen, GET_UNTAINTED);
+
+  yield->h_name = CS name;
+  yield->h_aliases = NULL;
+  yield->h_addrtype = af;
+  yield->h_length = alen;
+  yield->h_addr_list = CSS alist;
+
+  for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
+       rr;
+       rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == type)
+    {
+    int x[4];
+    dns_address *da;
+    if (!(da = dns_address_from_rr(dnsa, rr))) break;
+    *alist++ = adds;
+    for (int n = host_aton(da->address, x), i = 0; i < n; i++)
+      {
+      int y = x[i];
+      *adds++ = (y >> 24) & 255;
+      *adds++ = (y >> 16) & 255;
+      *adds++ = (y >> 8) & 255;
+      *adds++ = y & 255;
+      }
+    }
+  *alist = NULL;
+  }
+
+out:
+
+store_free_dns_answer(dnsa);
+return yield;
+}
+
+
+
+/*************************************************
+*       Build chain of host items from list      *
+*************************************************/
+
+/* This function builds a chain of host items from a textual list of host
+names. It does not do any lookups. If randomize is true, the chain is build in
+a randomized order. There may be multiple groups of independently randomized
+hosts; they are delimited by a host name consisting of just "+".
+
+Arguments:
+  anchor      anchor for the chain
+  list        text list
+  randomize   TRUE for randomizing
+
+Returns:      nothing
+*/
+
+void
+host_build_hostlist(host_item **anchor, const uschar *list, BOOL randomize)
+{
+int sep = 0;
+int fake_mx = MX_NONE;          /* This value is actually -1 */
+uschar *name;
+
+if (!list) return;
+if (randomize) fake_mx--;       /* Start at -2 for randomizing */
+
+*anchor = NULL;
+
+while ((name = string_nextinlist(&list, &sep, NULL, 0)))
+  {
+  host_item *h;
+
+  if (name[0] == '+' && name[1] == 0)   /* "+" delimits a randomized group */
+    {                                   /* ignore if not randomizing */
+    if (randomize) fake_mx--;
+    continue;
+    }
+
+  h = store_get(sizeof(host_item), GET_UNTAINTED);
+  h->name = name;
+  h->address = NULL;
+  h->port = PORT_NONE;
+  h->mx = fake_mx;
+  h->sort_key = randomize ? (-fake_mx)*1000 + random_number(1000) : 0;
+  h->status = hstatus_unknown;
+  h->why = hwhy_unknown;
+  h->last_try = 0;
+
+  if (!*anchor)
+    {
+    h->next = NULL;
+    *anchor = h;
+    }
+  else
+    {
+    host_item *hh = *anchor;
+    if (h->sort_key < hh->sort_key)
+      {
+      h->next = hh;
+      *anchor = h;
+      }
+    else
+      {
+      while (hh->next && h->sort_key >= hh->next->sort_key)
+        hh = hh->next;
+      h->next = hh->next;
+      hh->next = h;
+      }
+    }
+  }
+}
+
+
+
+
+
+/*************************************************
+*        Extract port from address string        *
+*************************************************/
+
+/* In the -oMa and -oMi options, a host plus port is given as an IP address
+followed by a dot and a port number. This function decodes this.
+
+An alternative format for the -oMa and -oMi options is [ip address]:port which
+is what Exim uses for output, because it seems to becoming commonly used,
+whereas the dot form confuses some programs/people. So we recognize that form
+too.
+
+The spool file used to use the first form, but this breaks with a v4mapped ipv6
+hybrid, because the parsing here is not clever.  So for spool we now use the
+second form.
+
+Argument:
+  address    points to the string; if there is a port, the '.' in the string
+             is overwritten with zero to terminate the address; if the string
+             is in the [xxx]:ppp format, the address is shifted left and the
+             brackets are removed
+
+Returns:     0 if there is no port, else the port number. If there's a syntax
+             error, leave the incoming address alone, and return 0.
+*/
+
+int
+host_address_extract_port(uschar *address)
+{
+int port = 0;
+uschar *endptr;
+
+/* Handle the "bracketed with colon on the end" format */
+
+if (*address == '[')
+  {
+  uschar *rb = address + 1;
+  while (*rb != 0 && *rb != ']') rb++;
+  if (*rb++ == 0) return 0;        /* Missing ]; leave invalid address */
+  if (*rb == ':')
+    {
+    port = Ustrtol(rb + 1, &endptr, 10);
+    if (*endptr != 0) return 0;    /* Invalid port; leave invalid address */
+    }
+  else if (*rb != 0) return 0;     /* Bad syntax; leave invalid address */
+  memmove(address, address + 1, rb - address - 2);
+  rb[-2] = 0;
+  }
+
+/* Handle the "dot on the end" format */
+
+else
+  {
+  int skip = -3;                   /* Skip 3 dots in IPv4 addresses */
+  address--;
+  while (*(++address) != 0)
+    {
+    int ch = *address;
+    if (ch == ':') skip = 0;       /* Skip 0 dots in IPv6 addresses */
+      else if (ch == '.' && skip++ >= 0) break;
+    }
+  if (*address == 0) return 0;
+  port = Ustrtol(address + 1, &endptr, 10);
+  if (*endptr != 0) return 0;      /* Invalid port; leave invalid address */
+  *address = 0;
+  }
+
+return port;
+}
+
+
+/*************************************************
+*         Get port from a host item's name       *
+*************************************************/
+
+/* This function is called when finding the IP address for a host that is in a
+list of hosts explicitly configured, such as in the manualroute router, or in a
+fallback hosts list. We see if there is a port specification at the end of the
+host name, and if so, remove it. A minimum length of 3 is required for the
+original name; nothing shorter is recognized as having a port.
+
+We test for a name ending with a sequence of digits; if preceded by colon we
+have a port if the character before the colon is ] and the name starts with [
+or if there are no other colons in the name (i.e. it's not an IPv6 address).
+
+Arguments:  pointer to the host item
+Returns:    a port number or PORT_NONE
+*/
+
+int
+host_item_get_port(host_item *h)
+{
+const uschar *p;
+int port, x;
+int len = Ustrlen(h->name);
+
+if (len < 3 || (p = h->name + len - 1, !isdigit(*p))) return PORT_NONE;
+
+/* Extract potential port number */
+
+port = *p-- - '0';
+x = 10;
+
+while (p > h->name + 1 && isdigit(*p))
+  {
+  port += (*p-- - '0') * x;
+  x *= 10;
+  }
+
+/* The smallest value of p at this point is h->name + 1. */
+
+if (*p != ':') return PORT_NONE;
+
+if (p[-1] == ']' && h->name[0] == '[')
+  h->name = string_copyn(h->name + 1, p - h->name - 2);
+else if (Ustrchr(h->name, ':') == p)
+  h->name = string_copyn(h->name, p - h->name);
+else return PORT_NONE;
+
+DEBUG(D_route|D_host_lookup) debug_printf("host=%s port=%d\n", h->name, port);
+return port;
+}
+
+
+
+#ifndef STAND_ALONE    /* Omit when standalone testing */
+
+/*************************************************
+*     Build sender_fullhost and sender_rcvhost   *
+*************************************************/
+
+/* This function is called when sender_host_name and/or sender_helo_name
+have been set. Or might have been set - for a local message read off the spool
+they won't be. In that case, do nothing. Otherwise, set up the fullhost string
+as follows:
+
+(a) No sender_host_name or sender_helo_name: "[ip address]"
+(b) Just sender_host_name: "host_name [ip address]"
+(c) Just sender_helo_name: "(helo_name) [ip address]" unless helo is IP
+            in which case: "[ip address}"
+(d) The two are identical: "host_name [ip address]" includes helo = IP
+(e) The two are different: "host_name (helo_name) [ip address]"
+
+If log_incoming_port is set, the sending host's port number is added to the IP
+address.
+
+This function also builds sender_rcvhost for use in Received: lines, whose
+syntax is a bit different. This value also includes the RFC 1413 identity.
+There wouldn't be two different variables if I had got all this right in the
+first place.
+
+Because this data may survive over more than one incoming SMTP message, it has
+to be in permanent store.  However, STARTTLS has to be forgotten and redone
+on a multi-message conn, so this will be called once per message then.  Hence
+we use malloc, so we can free.
+
+Arguments:  none
+Returns:    nothing
+*/
+
+void
+host_build_sender_fullhost(void)
+{
+BOOL show_helo = TRUE;
+uschar * address, * fullhost, * rcvhost;
+rmark reset_point;
+int len;
+
+if (!sender_host_address) return;
+
+reset_point = store_mark();
+
+/* Set up address, with or without the port. After discussion, it seems that
+the only format that doesn't cause trouble is [aaaa]:pppp. However, we can't
+use this directly as the first item for Received: because it ain't an RFC 2822
+domain. Sigh. */
+
+address = string_sprintf("[%s]:%d", sender_host_address, sender_host_port);
+if (!LOGGING(incoming_port) || sender_host_port <= 0)
+  *(Ustrrchr(address, ':')) = 0;
+
+/* If there's no EHLO/HELO data, we can't show it. */
+
+if (!sender_helo_name) show_helo = FALSE;
+
+/* If HELO/EHLO was followed by an IP literal, it's messy because of two
+features of IPv6. Firstly, there's the "IPv6:" prefix (Exim is liberal and
+doesn't require this, for historical reasons). Secondly, IPv6 addresses may not
+be given in canonical form, so we have to canonicalize them before comparing. As
+it happens, the code works for both IPv4 and IPv6. */
+
+else if (sender_helo_name[0] == '[' &&
+         sender_helo_name[(len=Ustrlen(sender_helo_name))-1] == ']')
+  {
+  int offset = 1;
+  uschar *helo_ip;
+
+  if (strncmpic(sender_helo_name + 1, US"IPv6:", 5) == 0) offset += 5;
+  if (strncmpic(sender_helo_name + 1, US"IPv4:", 5) == 0) offset += 5;
+
+  helo_ip = string_copyn(sender_helo_name + offset, len - offset - 1);
+
+  if (string_is_ip_address(helo_ip, NULL) != 0)
+    {
+    int x[4], y[4];
+    int sizex, sizey;
+    uschar ipx[48], ipy[48];    /* large enough for full IPv6 */
+
+    sizex = host_aton(helo_ip, x);
+    sizey = host_aton(sender_host_address, y);
+
+    (void)host_nmtoa(sizex, x, -1, ipx, ':');
+    (void)host_nmtoa(sizey, y, -1, ipy, ':');
+
+    if (strcmpic(ipx, ipy) == 0) show_helo = FALSE;
+    }
+  }
+
+/* Host name is not verified */
+
+if (!sender_host_name)
+  {
+  uschar *portptr = Ustrstr(address, "]:");
+  gstring * g;
+  int adlen;    /* Sun compiler doesn't like ++ in initializers */
+
+  adlen = portptr ? (++portptr - address) : Ustrlen(address);
+  fullhost = sender_helo_name
+    ? string_sprintf("(%s) %s", sender_helo_name, address)
+    : address;
+
+  g = string_catn(NULL, address, adlen);
+
+  if (sender_ident || show_helo || portptr)
+    {
+    int firstptr;
+    g = string_catn(g, US" (", 2);
+    firstptr = g->ptr;
+
+    if (portptr)
+      g = string_append(g, 2, US"port=", portptr + 1);
+
+    if (show_helo)
+      g = string_append(g, 2,
+        firstptr == g->ptr ? US"helo=" : US" helo=", sender_helo_name);
+
+    if (sender_ident)
+      g = string_append(g, 2,
+        firstptr == g->ptr ? US"ident=" : US" ident=", sender_ident);
+
+    g = string_catn(g, US")", 1);
+    }
+
+  rcvhost = string_from_gstring(g);
+  }
+
+/* Host name is known and verified. Unless we've already found that the HELO
+data matches the IP address, compare it with the name. */
+
+else
+  {
+  if (show_helo && strcmpic(sender_host_name, sender_helo_name) == 0)
+    show_helo = FALSE;
+
+  if (show_helo)
+    {
+    fullhost = string_sprintf("%s (%s) %s", sender_host_name,
+      sender_helo_name, address);
+    rcvhost = sender_ident
+      ?  string_sprintf("%s\n\t(%s helo=%s ident=%s)", sender_host_name,
+        address, sender_helo_name, sender_ident)
+      : string_sprintf("%s (%s helo=%s)", sender_host_name,
+        address, sender_helo_name);
+    }
+  else
+    {
+    fullhost = string_sprintf("%s %s", sender_host_name, address);
+    rcvhost = sender_ident
+      ?  string_sprintf("%s (%s ident=%s)", sender_host_name, address,
+        sender_ident)
+      : string_sprintf("%s (%s)", sender_host_name, address);
+    }
+  }
+
+sender_fullhost = string_copy_perm(fullhost, TRUE);
+sender_rcvhost = string_copy_perm(rcvhost, TRUE);
+
+store_reset(reset_point);
+
+DEBUG(D_host_lookup) debug_printf("sender_fullhost = %s\n", sender_fullhost);
+DEBUG(D_host_lookup) debug_printf("sender_rcvhost = %s\n", sender_rcvhost);
+}
+
+
+
+/*************************************************
+*          Build host+ident message              *
+*************************************************/
+
+/* Used when logging rejections and various ACL and SMTP incidents. The text
+return depends on whether sender_fullhost and sender_ident are set or not:
+
+  no ident, no host   => U=unknown
+  no ident, host set  => H=sender_fullhost
+  ident set, no host  => U=ident
+  ident set, host set => H=sender_fullhost U=ident
+
+Use taint-unchecked routines on the assumption we'll never expand the results.
+
+Arguments:
+  useflag   TRUE if first item to be flagged (H= or U=); if there are two
+              items, the second is always flagged
+
+Returns:    pointer to a string in big_buffer
+*/
+
+uschar *
+host_and_ident(BOOL useflag)
+{
+if (!sender_fullhost)
+  string_format_nt(big_buffer, big_buffer_size, "%s%s", useflag ? "U=" : "",
+     sender_ident ? sender_ident : US"unknown");
+else
+  {
+  uschar * flag = useflag ? US"H=" : US"";
+  uschar * iface = US"";
+  if (LOGGING(incoming_interface) && interface_address)
+    iface = string_sprintf(" I=[%s]:%d", interface_address, interface_port);
+  if (sender_ident)
+    string_format_nt(big_buffer, big_buffer_size, "%s%s%s U=%s",
+      flag, sender_fullhost, iface, sender_ident);
+  else
+    string_format_nt(big_buffer, big_buffer_size, "%s%s%s",
+      flag, sender_fullhost, iface);
+  }
+return big_buffer;
+}
+
+#endif   /* STAND_ALONE */
+
+
+
+
+/*************************************************
+*         Build list of local interfaces         *
+*************************************************/
+
+/* This function interprets the contents of the local_interfaces or
+extra_local_interfaces options, and creates an ip_address_item block for each
+item on the list. There is no special interpretation of any IP addresses; in
+particular, 0.0.0.0 and ::0 are returned without modification. If any address
+includes a port, it is set in the block. Otherwise the port value is set to
+zero.
+
+Arguments:
+  list        the list
+  name        the name of the option being expanded
+
+Returns:      a chain of ip_address_items, each containing to a textual
+              version of an IP address, and a port number (host order) or
+              zero if no port was given with the address
+*/
+
+ip_address_item *
+host_build_ifacelist(const uschar *list, uschar *name)
+{
+int sep = 0;
+uschar *s;
+ip_address_item * yield = NULL, * last = NULL, * next;
+
+while ((s = string_nextinlist(&list, &sep, NULL, 0)))
+  {
+  int ipv;
+  int port = host_address_extract_port(s);            /* Leaves just the IP address */
+
+  if (!(ipv = string_is_ip_address(s, NULL)))
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Malformed IP address \"%s\" in %s",
+      s, name);
+
+  /* Skip IPv6 addresses if IPv6 is disabled. */
+
+  if (disable_ipv6 && ipv == 6) continue;
+
+  /* This use of strcpy() is OK because we have checked that s is a valid IP
+  address above. The field in the ip_address_item is large enough to hold an
+  IPv6 address. */
+
+  next = store_get(sizeof(ip_address_item), list);
+  next->next = NULL;
+  Ustrcpy(next->address, s);
+  next->port = port;
+  next->v6_include_v4 = FALSE;
+  next->log = NULL;
+
+  if (!yield)
+    yield = last = next;
+  else
+    {
+    last->next = next;
+    last = next;
+    }
+  }
+
+return yield;
+}
+
+
+
+
+
+/*************************************************
+*         Find addresses on local interfaces     *
+*************************************************/
+
+/* This function finds the addresses of local IP interfaces. These are used
+when testing for routing to the local host. As the function may be called more
+than once, the list is preserved in permanent store, pointed to by a static
+variable, to save doing the work more than once per process.
+
+The generic list of interfaces is obtained by calling host_build_ifacelist()
+for local_interfaces and extra_local_interfaces. This list scanned to remove
+duplicates (which may exist with different ports - not relevant here). If
+either of the wildcard IP addresses (0.0.0.0 and ::0) are encountered, they are
+replaced by the appropriate (IPv4 or IPv6) list of actual local interfaces,
+obtained from os_find_running_interfaces().
+
+Arguments:    none
+Returns:      a chain of ip_address_items, each containing to a textual
+              version of an IP address; the port numbers are not relevant
+*/
+
+
+/* First, a local subfunction to add an interface to a list in permanent store,
+but only if there isn't a previous copy of that address on the list. */
+
+static ip_address_item *
+add_unique_interface(ip_address_item *list, ip_address_item *ipa)
+{
+ip_address_item *ipa2;
+for (ipa2 = list; ipa2; ipa2 = ipa2->next)
+  if (Ustrcmp(ipa2->address, ipa->address) == 0) return list;
+ipa2 = store_get_perm(sizeof(ip_address_item), FALSE);
+*ipa2 = *ipa;
+ipa2->next = list;
+return ipa2;
+}
+
+
+/* This is the globally visible function */
+
+ip_address_item *
+host_find_interfaces(void)
+{
+ip_address_item *running_interfaces = NULL;
+
+if (!local_interface_data)
+  {
+  void *reset_item = store_mark();
+  ip_address_item *dlist = host_build_ifacelist(CUS local_interfaces,
+    US"local_interfaces");
+  ip_address_item *xlist = host_build_ifacelist(CUS extra_local_interfaces,
+    US"extra_local_interfaces");
+  ip_address_item *ipa;
+
+  if (!dlist) dlist = xlist;
+  else
+    {
+    for (ipa = dlist; ipa->next; ipa = ipa->next) ;
+    ipa->next = xlist;
+    }
+
+  for (ipa = dlist; ipa; ipa = ipa->next)
+    {
+    if (Ustrcmp(ipa->address, "0.0.0.0") == 0 ||
+        Ustrcmp(ipa->address, "::0") == 0)
+      {
+      BOOL ipv6 = ipa->address[0] == ':';
+      if (!running_interfaces)
+        running_interfaces = os_find_running_interfaces();
+      for (ip_address_item * ipa2 = running_interfaces; ipa2; ipa2 = ipa2->next)
+        if ((Ustrchr(ipa2->address, ':') != NULL) == ipv6)
+          local_interface_data = add_unique_interface(local_interface_data,
+						      ipa2);
+      }
+    else
+      {
+      local_interface_data = add_unique_interface(local_interface_data, ipa);
+      DEBUG(D_interface)
+        {
+        debug_printf("Configured local interface: address=%s", ipa->address);
+        if (ipa->port != 0) debug_printf(" port=%d", ipa->port);
+        debug_printf("\n");
+        }
+      }
+    }
+  store_reset(reset_item);
+  }
+
+return local_interface_data;
+}
+
+
+
+
+
+/*************************************************
+*        Convert network IP address to text      *
+*************************************************/
+
+/* Given an IPv4 or IPv6 address in binary, convert it to a text
+string and return the result in a piece of new store. The address can
+either be given directly, or passed over in a sockaddr structure. Note
+that this isn't the converse of host_aton() because of byte ordering
+differences. See host_nmtoa() below.
+
+Arguments:
+  type       if < 0 then arg points to a sockaddr, else
+             either AF_INET or AF_INET6
+  arg        points to a sockaddr if type is < 0, or
+             points to an IPv4 address (32 bits), or
+             points to an IPv6 address (128 bits),
+             in both cases, in network byte order
+  buffer     if NULL, the result is returned in gotten store;
+             else points to a buffer to hold the answer
+  portptr    points to where to put the port number, if non NULL; only
+             used when type < 0
+
+Returns:     pointer to character string
+*/
+
+uschar *
+host_ntoa(int type, const void *arg, uschar *buffer, int *portptr)
+{
+uschar *yield;
+
+/* The new world. It is annoying that we have to fish out the address from
+different places in the block, depending on what kind of address it is. It
+is also a pain that inet_ntop() returns a const uschar *, whereas the IPv4
+function inet_ntoa() returns just uschar *, and some picky compilers insist
+on warning if one assigns a const uschar * to a uschar *. Hence the casts. */
+
+#if HAVE_IPV6
+uschar addr_buffer[46];
+if (type < 0)
+  {
+  int family = ((struct sockaddr *)arg)->sa_family;
+  if (family == AF_INET6)
+    {
+    struct sockaddr_in6 *sk = (struct sockaddr_in6 *)arg;
+    yield = US inet_ntop(family, &(sk->sin6_addr), CS addr_buffer,
+      sizeof(addr_buffer));
+    if (portptr) *portptr = ntohs(sk->sin6_port);
+    }
+  else
+    {
+    struct sockaddr_in *sk = (struct sockaddr_in *)arg;
+    yield = US inet_ntop(family, &(sk->sin_addr), CS addr_buffer,
+      sizeof(addr_buffer));
+    if (portptr) *portptr = ntohs(sk->sin_port);
+    }
+  }
+else
+  {
+  yield = US inet_ntop(type, arg, CS addr_buffer, sizeof(addr_buffer));
+  }
+
+/* If the result is a mapped IPv4 address, show it in V4 format. */
+
+if (Ustrncmp(yield, "::ffff:", 7) == 0) yield += 7;
+
+#else  /* HAVE_IPV6 */
+
+/* The old world */
+
+if (type < 0)
+  {
+  yield = US inet_ntoa(((struct sockaddr_in *)arg)->sin_addr);
+  if (portptr) *portptr = ntohs(((struct sockaddr_in *)arg)->sin_port);
+  }
+else
+  yield = US inet_ntoa(*((struct in_addr *)arg));
+#endif
+
+/* If there is no buffer, put the string into some new store. */
+
+if (!buffer) buffer = store_get(46, GET_UNTAINTED);
+
+/* Callers of this function with a non-NULL buffer must ensure that it is
+large enough to hold an IPv6 address, namely, at least 46 bytes. That's what
+makes this use of strcpy() OK.
+If the library returned apparently an apparently tainted string, clean it;
+we trust IP addresses. */
+
+string_format_nt(buffer, 46, "%s", yield);
+return buffer;
+}
+
+
+
+
+/*************************************************
+*         Convert address text to binary         *
+*************************************************/
+
+/* Given the textual form of an IP address, convert it to binary in an
+array of ints. IPv4 addresses occupy one int; IPv6 addresses occupy 4 ints.
+The result has the first byte in the most significant byte of the first int. In
+other words, the result is not in network byte order, but in host byte order.
+As a result, this is not the converse of host_ntoa(), which expects network
+byte order. See host_nmtoa() below.
+
+Arguments:
+  address    points to the textual address, checked for syntax
+  bin        points to an array of 4 ints
+
+Returns:     the number of ints used
+*/
+
+int
+host_aton(const uschar *address, int *bin)
+{
+int x[4];
+int v4offset = 0;
+
+/* Handle IPv6 address, which may end with an IPv4 address. It may also end
+with a "scope", introduced by a percent sign. This code is NOT enclosed in #if
+HAVE_IPV6 in order that IPv6 addresses are recognized even if IPv6 is not
+supported. */
+
+if (Ustrchr(address, ':') != NULL)
+  {
+  const uschar *p = address;
+  const uschar *component[8];
+  BOOL ipv4_ends = FALSE;
+  int ci = 0;
+  int nulloffset = 0;
+  int v6count = 8;
+  int i;
+
+  /* If the address starts with a colon, it will start with two colons.
+  Just lose the first one, which will leave a null first component. */
+
+  if (*p == ':') p++;
+
+  /* Split the address into components separated by colons. The input address
+  is supposed to be checked for syntax. There was a case where this was
+  overlooked; to guard against that happening again, check here and crash if
+  there are too many components. */
+
+  while (*p != 0 && *p != '%')
+    {
+    int len = Ustrcspn(p, ":%");
+    if (len == 0) nulloffset = ci;
+    if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
+      address);
+    component[ci++] = p;
+    p += len;
+    if (*p == ':') p++;
+    }
+
+  /* If the final component contains a dot, it is a trailing v4 address.
+  As the syntax is known to be checked, just set up for a trailing
+  v4 address and restrict the v6 part to 6 components. */
+
+  if (Ustrchr(component[ci-1], '.') != NULL)
+    {
+    address = component[--ci];
+    ipv4_ends = TRUE;
+    v4offset = 3;
+    v6count = 6;
+    }
+
+  /* If there are fewer than 6 or 8 components, we have to insert some
+  more empty ones in the middle. */
+
+  if (ci < v6count)
+    {
+    int insert_count = v6count - ci;
+    for (i = v6count-1; i > nulloffset + insert_count; i--)
+      component[i] = component[i - insert_count];
+    while (i > nulloffset) component[i--] = US"";
+    }
+
+  /* Now turn the components into binary in pairs and bung them
+  into the vector of ints. */
+
+  for (i = 0; i < v6count; i += 2)
+    bin[i/2] = (Ustrtol(component[i], NULL, 16) << 16) +
+      Ustrtol(component[i+1], NULL, 16);
+
+  /* If there was no terminating v4 component, we are done. */
+
+  if (!ipv4_ends) return 4;
+  }
+
+/* Handle IPv4 address */
+
+(void)sscanf(CS address, "%d.%d.%d.%d", x, x+1, x+2, x+3);
+bin[v4offset] = ((uint)x[0] << 24) + (x[1] << 16) + (x[2] << 8) + x[3];
+return v4offset+1;
+}
+
+
+/*************************************************
+*           Apply mask to an IP address          *
+*************************************************/
+
+/* Mask an address held in 1 or 4 ints, with the ms bit in the ms bit of the
+first int, etc.
+
+Arguments:
+  count        the number of ints
+  binary       points to the ints to be masked
+  mask         the count of ms bits to leave, or -1 if no masking
+
+Returns:       nothing
+*/
+
+void
+host_mask(int count, int *binary, int mask)
+{
+if (mask < 0) mask = 99999;
+for (int i = 0; i < count; i++)
+  {
+  int wordmask;
+  if (mask == 0) wordmask = 0;
+  else if (mask < 32)
+    {
+    wordmask = (uint)(-1) << (32 - mask);
+    mask = 0;
+    }
+  else
+    {
+    wordmask = -1;
+    mask -= 32;
+    }
+  binary[i] &= wordmask;
+  }
+}
+
+
+
+
+/*************************************************
+*     Convert masked IP address in ints to text  *
+*************************************************/
+
+/* We can't use host_ntoa() because it assumes the binary values are in network
+byte order, and these are the result of host_aton(), which puts them in ints in
+host byte order. Also, we really want IPv6 addresses to be in a canonical
+format, so we output them with no abbreviation. In a number of cases we can't
+use the normal colon separator in them because it terminates keys in lsearch
+files, so we want to use dot instead. There's an argument that specifies what
+to use for IPv6 addresses.
+
+Arguments:
+  count       1 or 4 (number of ints)
+  binary      points to the ints
+  mask        mask value; if < 0 don't add to result
+  buffer      big enough to hold the result
+  sep         component separator character for IPv6 addresses
+
+Returns:      the number of characters placed in buffer, not counting
+              the final nul.
+*/
+
+int
+host_nmtoa(int count, int *binary, int mask, uschar *buffer, int sep)
+{
+int j;
+uschar *tt = buffer;
+
+if (count == 1)
+  {
+  j = binary[0];
+  for (int i = 24; i >= 0; i -= 8)
+    tt += sprintf(CS tt, "%d.", (j >> i) & 255);
+  }
+else
+  for (int i = 0; i < 4; i++)
+    {
+    j = binary[i];
+    tt += sprintf(CS tt, "%04x%c%04x%c", (j >> 16) & 0xffff, sep, j & 0xffff, sep);
+    }
+
+tt--;   /* lose final separator */
+
+if (mask < 0)
+  *tt = 0;
+else
+  tt += sprintf(CS tt, "/%d", mask);
+
+return tt - buffer;
+}
+
+
+/* Like host_nmtoa() but: ipv6-only, canonical output, no mask
+
+Arguments:
+  binary      points to the ints
+  buffer      big enough to hold the result
+
+Returns:      the number of characters placed in buffer, not counting
+	      the final nul.
+*/
+
+int
+ipv6_nmtoa(int * binary, uschar * buffer)
+{
+int i, j, k;
+uschar * c = buffer;
+uschar * d = NULL;	/* shut insufficiently "clever" compiler up */
+
+for (i = 0; i < 4; i++)
+  {			/* expand to text */
+  j = binary[i];
+  c += sprintf(CS c, "%x:%x:", (j >> 16) & 0xffff, j & 0xffff);
+  }
+
+for (c = buffer, k = -1, i = 0; i < 8; i++)
+  {			/* find longest 0-group sequence */
+  if (*c == '0')	/* must be "0:" */
+    {
+    uschar * s = c;
+    j = i;
+    while (c[2] == '0') i++, c += 2;
+    if (i-j > k)
+      {
+      k = i-j;		/* length of sequence */
+      d = s;		/* start of sequence */
+      }
+    }
+  while (*++c != ':') ;
+  c++;
+  }
+
+*--c = '\0';	/* drop trailing colon */
+
+/* debug_printf("%s: D k %d <%s> <%s>\n", __FUNCTION__, k, buffer, buffer + 2*(k+1)); */
+if (k >= 0)
+  {			/* collapse */
+  c = d + 2*(k+1);
+  if (d == buffer) c--;	/* need extra colon */
+  *d++ = ':';	/* 1st 0 */
+  while ((*d++ = *c++)) ;
+  }
+else
+  d = c;
+
+return d - buffer;
+}
+
+
+
+/*************************************************
+*        Check port for tls_on_connect           *
+*************************************************/
+
+/* This function checks whether a given incoming port is configured for tls-
+on-connect. It is called from the daemon and from inetd handling. If the global
+option tls_on_connect is already set, all ports operate this way. Otherwise, we
+check the tls_on_connect_ports option for a list of ports.
+
+Argument:  a port number
+Returns:   TRUE or FALSE
+*/
+
+BOOL
+host_is_tls_on_connect_port(int port)
+{
+int sep = 0;
+const uschar * list = tls_in.on_connect_ports;
+
+if (tls_in.on_connect) return TRUE;
+
+for (uschar * s, * end; s = string_nextinlist(&list, &sep, NULL, 0); )
+  if (Ustrtol(s, &end, 10) == port)
+    return TRUE;
+
+return FALSE;
+}
+
+
+
+/*************************************************
+*        Check whether host is in a network      *
+*************************************************/
+
+/* This function checks whether a given IP address matches a pattern that
+represents either a single host, or a network (using CIDR notation). The caller
+of this function must check the syntax of the arguments before calling it.
+
+Arguments:
+  host        string representation of the ip-address to check
+  net         string representation of the network, with optional CIDR mask
+  maskoffset  offset to the / that introduces the mask in the key
+              zero if there is no mask
+
+Returns:
+  TRUE   the host is inside the network
+  FALSE  the host is NOT inside the network
+*/
+
+BOOL
+host_is_in_net(const uschar *host, const uschar *net, int maskoffset)
+{
+int address[4];
+int incoming[4];
+int mlen;
+int size = host_aton(net, address);
+int insize;
+
+/* No mask => all bits to be checked */
+
+if (maskoffset == 0) mlen = 99999;    /* Big number */
+  else mlen = Uatoi(net + maskoffset + 1);
+
+/* Convert the incoming address to binary. */
+
+insize = host_aton(host, incoming);
+
+/* Convert IPv4 addresses given in IPv6 compatible mode, which represent
+   connections from IPv4 hosts to IPv6 hosts, that is, addresses of the form
+   ::ffff:<v4address>, to IPv4 format. */
+
+if (insize == 4 && incoming[0] == 0 && incoming[1] == 0 &&
+    incoming[2] == 0xffff)
+  {
+  insize = 1;
+  incoming[0] = incoming[3];
+  }
+
+/* No match if the sizes don't agree. */
+
+if (insize != size) return FALSE;
+
+/* Else do the masked comparison. */
+
+for (int i = 0; i < size; i++)
+  {
+  int mask;
+  if (mlen == 0) mask = 0;
+  else if (mlen < 32)
+    {
+    mask = (uint)(-1) << (32 - mlen);
+    mlen = 0;
+    }
+  else
+    {
+    mask = -1;
+    mlen -= 32;
+    }
+  if ((incoming[i] & mask) != (address[i] & mask)) return FALSE;
+  }
+
+return TRUE;
+}
+
+
+
+/*************************************************
+*       Scan host list for local hosts           *
+*************************************************/
+
+/* Scan through a chain of addresses and check whether any of them is the
+address of an interface on the local machine. If so, remove that address and
+any previous ones with the same MX value, and all subsequent ones (which will
+have greater or equal MX values) from the chain. Note: marking them as unusable
+is NOT the right thing to do because it causes the hosts not to be used for
+other domains, for which they may well be correct.
+
+The hosts may be part of a longer chain; we only process those between the
+initial pointer and the "last" pointer.
+
+There is also a list of "pseudo-local" host names which are checked against the
+host names. Any match causes that host item to be treated the same as one which
+matches a local IP address.
+
+If the very first host is a local host, then all MX records had a precedence
+greater than or equal to that of the local host. Either there's a problem in
+the DNS, or an apparently remote name turned out to be an abbreviation for the
+local host. Give a specific return code, and let the caller decide what to do.
+Otherwise, give a success code if at least one host address has been found.
+
+Arguments:
+  host        pointer to the first host in the chain
+  lastptr     pointer to pointer to the last host in the chain (may be updated)
+  removed     if not NULL, set TRUE if some local addresses were removed
+                from the list
+
+Returns:
+  HOST_FOUND       if there is at least one host with an IP address on the chain
+                     and an MX value less than any MX value associated with the
+                     local host
+  HOST_FOUND_LOCAL if a local host is among the lowest-numbered MX hosts; when
+                     the host addresses were obtained from A records or
+                     gethostbyname(), the MX values are set to -1.
+  HOST_FIND_FAILED if no valid hosts with set IP addresses were found
+*/
+
+int
+host_scan_for_local_hosts(host_item *host, host_item **lastptr, BOOL *removed)
+{
+int yield = HOST_FIND_FAILED;
+host_item *last = *lastptr;
+host_item *prev = NULL;
+host_item *h;
+
+if (removed != NULL) *removed = FALSE;
+
+if (local_interface_data == NULL) local_interface_data = host_find_interfaces();
+
+for (h = host; h != last->next; h = h->next)
+  {
+  #ifndef STAND_ALONE
+  if (hosts_treat_as_local != NULL)
+    {
+    int rc;
+    const uschar *save = deliver_domain;
+    deliver_domain = h->name;   /* set $domain */
+    rc = match_isinlist(string_copylc(h->name), CUSS &hosts_treat_as_local, 0,
+      &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
+    deliver_domain = save;
+    if (rc == OK) goto FOUND_LOCAL;
+    }
+  #endif
+
+  /* It seems that on many operating systems, 0.0.0.0 is treated as a synonym
+  for 127.0.0.1 and refers to the local host. We therefore force it always to
+  be treated as local. */
+
+  if (h->address != NULL)
+    {
+    if (Ustrcmp(h->address, "0.0.0.0") == 0) goto FOUND_LOCAL;
+    for (ip_address_item * ip = local_interface_data; ip; ip = ip->next)
+      if (Ustrcmp(h->address, ip->address) == 0) goto FOUND_LOCAL;
+    yield = HOST_FOUND;  /* At least one remote address has been found */
+    }
+
+  /* Update prev to point to the last host item before any that have
+  the same MX value as the one we have just considered. */
+
+  if (h->next == NULL || h->next->mx != h->mx) prev = h;
+  }
+
+return yield;  /* No local hosts found: return HOST_FOUND or HOST_FIND_FAILED */
+
+/* A host whose IP address matches a local IP address, or whose name matches
+something in hosts_treat_as_local has been found. */
+
+FOUND_LOCAL:
+
+if (prev == NULL)
+  {
+  HDEBUG(D_host_lookup) debug_printf((h->mx >= 0)?
+    "local host has lowest MX\n" :
+    "local host found for non-MX address\n");
+  return HOST_FOUND_LOCAL;
+  }
+
+HDEBUG(D_host_lookup)
+  {
+  debug_printf("local host in host list - removed hosts:\n");
+  for (h = prev->next; h != last->next; h = h->next)
+    debug_printf("  %s %s %d\n", h->name, h->address, h->mx);
+  }
+
+if (removed != NULL) *removed = TRUE;
+prev->next = last->next;
+*lastptr = prev;
+return yield;
+}
+
+
+
+
+/*************************************************
+*        Remove duplicate IPs in host list       *
+*************************************************/
+
+/* You would think that administrators could set up their DNS records so that
+one ended up with a list of unique IP addresses after looking up A or MX
+records, but apparently duplication is common. So we scan such lists and
+remove the later duplicates. Note that we may get lists in which some host
+addresses are not set.
+
+Arguments:
+  host        pointer to the first host in the chain
+  lastptr     pointer to pointer to the last host in the chain (may be updated)
+
+Returns:      nothing
+*/
+
+static void
+host_remove_duplicates(host_item *host, host_item **lastptr)
+{
+while (host != *lastptr)
+  {
+  if (host->address != NULL)
+    {
+    host_item *h = host;
+    while (h != *lastptr)
+      {
+      if (h->next->address != NULL &&
+          Ustrcmp(h->next->address, host->address) == 0)
+        {
+        DEBUG(D_host_lookup) debug_printf("duplicate IP address %s (MX=%d) "
+          "removed\n", host->address, h->next->mx);
+        if (h->next == *lastptr) *lastptr = h;
+        h->next = h->next->next;
+        }
+      else h = h->next;
+      }
+    }
+  /* If the last item was removed, host may have become == *lastptr */
+  if (host != *lastptr) host = host->next;
+  }
+}
+
+
+
+
+/*************************************************
+*    Find sender host name by gethostbyaddr()    *
+*************************************************/
+
+/* This used to be the only way it was done, but it turns out that not all
+systems give aliases for calls to gethostbyaddr() - or one of the modern
+equivalents like getipnodebyaddr(). Fortunately, multiple PTR records are rare,
+but they can still exist. This function is now used only when a DNS lookup of
+the IP address fails, in order to give access to /etc/hosts.
+
+Arguments:   none
+Returns:     OK, DEFER, FAIL
+*/
+
+static int
+host_name_lookup_byaddr(void)
+{
+struct hostent * hosts;
+struct in_addr addr;
+unsigned long time_msec = 0;	/* init to quieten dumb static analysis */
+
+if (slow_lookup_log) time_msec = get_time_in_ms();
+
+/* Lookup on IPv6 system */
+
+#if HAVE_IPV6
+if (Ustrchr(sender_host_address, ':') != NULL)
+  {
+  struct in6_addr addr6;
+  if (inet_pton(AF_INET6, CS sender_host_address, &addr6) != 1)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to parse \"%s\" as an "
+      "IPv6 address", sender_host_address);
+  #if HAVE_GETIPNODEBYADDR
+  hosts = getipnodebyaddr(CS &addr6, sizeof(addr6), AF_INET6, &h_errno);
+  #else
+  hosts = gethostbyaddr(CS &addr6, sizeof(addr6), AF_INET6);
+  #endif
+  }
+else
+  {
+  if (inet_pton(AF_INET, CS sender_host_address, &addr) != 1)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to parse \"%s\" as an "
+      "IPv4 address", sender_host_address);
+  #if HAVE_GETIPNODEBYADDR
+  hosts = getipnodebyaddr(CS &addr, sizeof(addr), AF_INET, &h_errno);
+  #else
+  hosts = gethostbyaddr(CS &addr, sizeof(addr), AF_INET);
+  #endif
+  }
+
+/* Do lookup on IPv4 system */
+
+#else
+addr.s_addr = (S_ADDR_TYPE)inet_addr(CS sender_host_address);
+hosts = gethostbyaddr(CS(&addr), sizeof(addr), AF_INET);
+#endif
+
+if (  slow_lookup_log
+   && (time_msec = get_time_in_ms() - time_msec) > slow_lookup_log
+   )
+  log_long_lookup(US"gethostbyaddr", sender_host_address, time_msec);
+
+/* Failed to look up the host. */
+
+if (!hosts)
+  {
+  HDEBUG(D_host_lookup) debug_printf("IP address lookup failed: h_errno=%d\n",
+    h_errno);
+  return (h_errno == TRY_AGAIN || h_errno == NO_RECOVERY) ? DEFER : FAIL;
+  }
+
+/* It seems there are some records in the DNS that yield an empty name. We
+treat this as non-existent. In some operating systems, this is returned as an
+empty string; in others as a single dot. */
+
+if (!hosts->h_name || !hosts->h_name[0] || hosts->h_name[0] == '.')
+  {
+  HDEBUG(D_host_lookup) debug_printf("IP address lookup yielded an empty name: "
+    "treated as non-existent host name\n");
+  return FAIL;
+  }
+
+/* Copy and lowercase the name, which is in static storage in many systems.
+Put it in permanent memory. */
+
+  {
+  int old_pool = store_pool;
+  store_pool = POOL_TAINT_PERM;		/* names are tainted */
+
+  sender_host_name = string_copylc(US hosts->h_name);
+
+  /* If the host has aliases, build a copy of the alias list */
+
+  if (hosts->h_aliases)
+    {
+    int count = 1;  /* need 1 more for terminating NULL */
+    uschar **ptr;
+
+    for (uschar ** aliases = USS hosts->h_aliases; *aliases; aliases++) count++;
+    store_pool = POOL_PERM;
+    ptr = sender_host_aliases = store_get(count * sizeof(uschar *), GET_UNTAINTED);
+    store_pool = POOL_TAINT_PERM;
+
+    for (uschar ** aliases = USS hosts->h_aliases; *aliases; aliases++)
+      *ptr++ = string_copylc(*aliases);
+    *ptr = NULL;
+    }
+  store_pool = old_pool;
+  }
+
+return OK;
+}
+
+
+
+/*************************************************
+*        Find host name for incoming call        *
+*************************************************/
+
+/* Put the name in permanent store, pointed to by sender_host_name. We also set
+up a list of alias names, pointed to by sender_host_alias. The list is
+NULL-terminated. The incoming address is in sender_host_address, either in
+dotted-quad form for IPv4 or in colon-separated form for IPv6.
+
+This function does a thorough check that the names it finds point back to the
+incoming IP address. Any that do not are discarded. Note that this is relied on
+by the ACL reverse_host_lookup check.
+
+On some systems, get{host,ipnode}byaddr() appears to do this internally, but
+this it not universally true. Also, for release 4.30, this function was changed
+to do a direct DNS lookup first, by default[1], because it turns out that that
+is the only guaranteed way to find all the aliases on some systems. My
+experiments indicate that Solaris gethostbyaddr() gives the aliases for but
+Linux does not.
+
+[1] The actual order is controlled by the host_lookup_order option.
+
+Arguments:    none
+Returns:      OK on success, the answer being placed in the global variable
+                sender_host_name, with any aliases in a list hung off
+                sender_host_aliases
+              FAIL if no host name can be found
+              DEFER if a temporary error was encountered
+
+The variable host_lookup_msg is set to an empty string on success, or to a
+reason for the failure otherwise, in a form suitable for tagging onto an error
+message, and also host_lookup_failed is set TRUE if the lookup failed. If there
+was a defer, host_lookup_deferred is set TRUE.
+
+Any dynamically constructed string for host_lookup_msg must be in permanent
+store, because it might be used for several incoming messages on the same SMTP
+connection. */
+
+int
+host_name_lookup(void)
+{
+int old_pool, rc;
+int sep = 0;
+uschar *save_hostname;
+uschar **aliases;
+uschar *ordername;
+const uschar *list = host_lookup_order;
+dns_answer * dnsa = store_get_dns_answer();
+dns_scan dnss;
+
+sender_host_dnssec = host_lookup_deferred = host_lookup_failed = FALSE;
+
+HDEBUG(D_host_lookup)
+  debug_printf("looking up host name for %s\n", sender_host_address);
+
+/* For testing the case when a lookup does not complete, we have a special
+reserved IP address. */
+
+if (f.running_in_test_harness &&
+    Ustrcmp(sender_host_address, "99.99.99.99") == 0)
+  {
+  HDEBUG(D_host_lookup)
+    debug_printf("Test harness: host name lookup returns DEFER\n");
+  host_lookup_deferred = TRUE;
+  return DEFER;
+  }
+
+/* Do lookups directly in the DNS or via gethostbyaddr() (or equivalent), in
+the order specified by the host_lookup_order option. */
+
+while ((ordername = string_nextinlist(&list, &sep, NULL, 0)))
+  {
+  if (strcmpic(ordername, US"bydns") == 0)
+    {
+    uschar * name = dns_build_reverse(sender_host_address);
+
+    dns_init(FALSE, FALSE, FALSE);    /* dnssec ctrl by dns_dnssec_ok glbl */
+    rc = dns_lookup_timerwrap(dnsa, name, T_PTR, NULL);
+
+    /* The first record we come across is used for the name; others are
+    considered to be aliases. We have to scan twice, in order to find out the
+    number of aliases. However, if all the names are empty, we will behave as
+    if failure. (PTR records that yield empty names have been encountered in
+    the DNS.) */
+
+    if (rc == DNS_SUCCEED)
+      {
+      uschar **aptr = NULL;
+      int ssize = 264;
+      int count = 1;  /* need 1 more for terminating NULL */
+      int old_pool = store_pool;
+
+      sender_host_dnssec = dns_is_secure(dnsa);
+      DEBUG(D_dns)
+        debug_printf("Reverse DNS security status: %s\n",
+            sender_host_dnssec ? "DNSSEC verified (AD)" : "unverified");
+
+      store_pool = POOL_PERM;        /* Save names in permanent storage */
+
+      for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
+           rr;
+           rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_PTR)
+	count++;
+
+      /* Get store for the list of aliases. For compatibility with
+      gethostbyaddr, we make an empty list if there are none. */
+
+      aptr = sender_host_aliases = store_get(count * sizeof(uschar *), GET_UNTAINTED);
+
+      /* Re-scan and extract the names */
+
+      for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
+           rr;
+           rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_PTR)
+        {
+        uschar * s = store_get(ssize, GET_TAINTED);	/* names are tainted */
+
+        /* If an overlong response was received, the data will have been
+        truncated and dn_expand may fail. */
+
+        if (dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
+             US (rr->data), (DN_EXPAND_ARG4_TYPE)(s), ssize) < 0)
+          {
+          log_write(0, LOG_MAIN, "host name alias list truncated for %s",
+            sender_host_address);
+          break;
+          }
+
+        store_release_above(s + Ustrlen(s) + 1);
+        if (!s[0])
+          {
+          HDEBUG(D_host_lookup) debug_printf("IP address lookup yielded an "
+            "empty name: treated as non-existent host name\n");
+          continue;
+          }
+        if (!sender_host_name) sender_host_name = s;
+	else *aptr++ = s;
+        while (*s) { *s = tolower(*s); s++; }
+        }
+
+      *aptr = NULL;            /* End of alias list */
+      store_pool = old_pool;   /* Reset store pool */
+
+      /* If we've found a name, break out of the "order" loop */
+
+      if (sender_host_name) break;
+      }
+
+    /* If the DNS lookup deferred, we must also defer. */
+
+    if (rc == DNS_AGAIN)
+      {
+      HDEBUG(D_host_lookup)
+        debug_printf("IP address PTR lookup gave temporary error\n");
+      host_lookup_deferred = TRUE;
+      return DEFER;
+      }
+    }
+
+  /* Do a lookup using gethostbyaddr() - or equivalent */
+
+  else if (strcmpic(ordername, US"byaddr") == 0)
+    {
+    HDEBUG(D_host_lookup)
+      debug_printf("IP address lookup using gethostbyaddr()\n");
+    rc = host_name_lookup_byaddr();
+    if (rc == DEFER)
+      {
+      host_lookup_deferred = TRUE;
+      return rc;                       /* Can't carry on */
+      }
+    if (rc == OK) break;               /* Found a name */
+    }
+  }      /* Loop for bydns/byaddr scanning */
+
+/* If we have failed to find a name, return FAIL and log when required.
+NB host_lookup_msg must be in permanent store.  */
+
+if (!sender_host_name)
+  {
+  if (host_checking || !f.log_testing_mode)
+    log_write(L_host_lookup_failed, LOG_MAIN, "no host name found for IP "
+      "address %s", sender_host_address);
+  host_lookup_msg = US" (failed to find host name from IP address)";
+  host_lookup_failed = TRUE;
+  return FAIL;
+  }
+
+HDEBUG(D_host_lookup)
+  {
+  uschar **aliases = sender_host_aliases;
+  debug_printf("IP address lookup yielded \"%s\"\n", sender_host_name);
+  while (*aliases) debug_printf("  alias \"%s\"\n", *aliases++);
+  }
+
+/* We need to verify that a forward lookup on the name we found does indeed
+correspond to the address. This is for security: in principle a malefactor who
+happened to own a reverse zone could set it to point to any names at all.
+
+This code was present in versions of Exim before 3.20. At that point I took it
+out because I thought that gethostbyaddr() did the check anyway. It turns out
+that this isn't always the case, so it's coming back in at 4.01. This version
+is actually better, because it also checks aliases.
+
+The code was made more robust at release 4.21. Prior to that, it accepted all
+the names if any of them had the correct IP address. Now the code checks all
+the names, and accepts only those that have the correct IP address. */
+
+save_hostname = sender_host_name;   /* Save for error messages */
+aliases = sender_host_aliases;
+for (uschar * hname = sender_host_name; hname; hname = *aliases++)
+  {
+  int rc;
+  BOOL ok = FALSE;
+  host_item h = { .next = NULL, .name = hname, .mx = MX_NONE, .address = NULL };
+  dnssec_domains d =
+    { .request = sender_host_dnssec ? US"*" : NULL, .require = NULL };
+
+  if (  (rc = host_find_bydns(&h, NULL, HOST_FIND_BY_A | HOST_FIND_BY_AAAA,
+	  NULL, NULL, NULL, &d, NULL, NULL)) == HOST_FOUND
+     || rc == HOST_FOUND_LOCAL
+     )
+    {
+    HDEBUG(D_host_lookup) debug_printf("checking addresses for %s\n", hname);
+
+    /* If the forward lookup was not secure we cancel the is-secure variable */
+
+    DEBUG(D_dns) debug_printf("Forward DNS security status: %s\n",
+	  h.dnssec == DS_YES ? "DNSSEC verified (AD)" : "unverified");
+    if (h.dnssec != DS_YES) sender_host_dnssec = FALSE;
+
+    for (host_item * hh = &h; hh; hh = hh->next)
+      if (host_is_in_net(hh->address, sender_host_address, 0))
+        {
+        HDEBUG(D_host_lookup) debug_printf("  %s OK\n", hh->address);
+        ok = TRUE;
+        break;
+        }
+      else
+        HDEBUG(D_host_lookup) debug_printf("  %s\n", hh->address);
+
+    if (!ok) HDEBUG(D_host_lookup)
+      debug_printf("no IP address for %s matched %s\n", hname,
+        sender_host_address);
+    }
+  else if (rc == HOST_FIND_AGAIN)
+    {
+    HDEBUG(D_host_lookup) debug_printf("temporary error for host name lookup\n");
+    host_lookup_deferred = TRUE;
+    sender_host_name = NULL;
+    return DEFER;
+    }
+  else
+    HDEBUG(D_host_lookup) debug_printf("no IP addresses found for %s\n", hname);
+
+  /* If this name is no good, and it's the sender name, set it null pro tem;
+  if it's an alias, just remove it from the list. */
+
+  if (!ok)
+    {
+    if (hname == sender_host_name) sender_host_name = NULL; else
+      {
+      uschar **a;                              /* Don't amalgamate - some */
+      a = --aliases;                           /* compilers grumble */
+      while (*a != NULL) { *a = a[1]; a++; }
+      }
+    }
+  }
+
+/* If sender_host_name == NULL, it means we didn't like the name. Replace
+it with the first alias, if there is one. */
+
+if (sender_host_name == NULL && *sender_host_aliases != NULL)
+  sender_host_name = *sender_host_aliases++;
+
+/* If we now have a main name, all is well. */
+
+if (sender_host_name != NULL) return OK;
+
+/* We have failed to find an address that matches. */
+
+HDEBUG(D_host_lookup)
+  debug_printf("%s does not match any IP address for %s\n",
+    sender_host_address, save_hostname);
+
+/* This message must be in permanent store */
+
+old_pool = store_pool;
+store_pool = POOL_PERM;
+host_lookup_msg = string_sprintf(" (%s does not match any IP address for %s)",
+  sender_host_address, save_hostname);
+store_pool = old_pool;
+host_lookup_failed = TRUE;
+return FAIL;
+}
+
+
+
+
+/*************************************************
+*    Find IP address(es) for host by name        *
+*************************************************/
+
+/* The input is a host_item structure with the name filled in and the address
+field set to NULL. We use gethostbyname() or getipnodebyname() or
+gethostbyname2(), as appropriate. Of course, these functions may use the DNS,
+but they do not do MX processing. It appears, however, that in some systems the
+current setting of resolver options is used when one of these functions calls
+the resolver. For this reason, we call dns_init() at the start, with arguments
+influenced by bits in "flags", just as we do for host_find_bydns().
+
+The second argument provides a host list (usually an IP list) of hosts to
+ignore. This makes it possible to ignore IPv6 link-local addresses or loopback
+addresses in unreasonable places.
+
+The lookup may result in a change of name. For compatibility with the dns
+lookup, return this via fully_qualified_name as well as updating the host item.
+The lookup may also yield more than one IP address, in which case chain on
+subsequent host_item structures.
+
+Arguments:
+  host                   a host item with the name and MX filled in;
+                           the address is to be filled in;
+                           multiple IP addresses cause other host items to be
+                             chained on.
+  ignore_target_hosts    a list of hosts to ignore
+  flags                  HOST_FIND_QUALIFY_SINGLE   ) passed to
+                         HOST_FIND_SEARCH_PARENTS   )   dns_init()
+  fully_qualified_name   if not NULL, set to point to host name for
+                         compatibility with host_find_bydns
+  local_host_check       TRUE if a check for the local host is wanted
+
+Returns:                 HOST_FIND_FAILED  Failed to find the host or domain
+                         HOST_FIND_AGAIN   Try again later
+                         HOST_FOUND        Host found - data filled in
+                         HOST_FOUND_LOCAL  Host found and is the local host
+*/
+
+int
+host_find_byname(host_item *host, const uschar *ignore_target_hosts, int flags,
+  const uschar **fully_qualified_name, BOOL local_host_check)
+{
+int yield, times;
+host_item *last = NULL;
+BOOL temp_error = FALSE;
+int af;
+
+#ifndef DISABLE_TLS
+/* Copy the host name at this point to the value which is used for
+TLS certificate name checking, before anything modifies it.  */
+
+host->certname = host->name;
+#endif
+
+/* Make sure DNS options are set as required. This appears to be necessary in
+some circumstances when the get..byname() function actually calls the DNS. */
+
+dns_init((flags & HOST_FIND_QUALIFY_SINGLE) != 0,
+         (flags & HOST_FIND_SEARCH_PARENTS) != 0,
+	 FALSE);		/* Cannot retrieve dnssec status so do not request */
+
+/* In an IPv6 world, unless IPv6 has been disabled, we need to scan for both
+kinds of address, so go round the loop twice. Note that we have ensured that
+AF_INET6 is defined even in an IPv4 world, which makes for slightly tidier
+code. However, if dns_ipv4_lookup matches the domain, we also just do IPv4
+lookups here (except when testing standalone). */
+
+#if HAVE_IPV6
+  #ifdef STAND_ALONE
+  if (disable_ipv6)
+  #else
+  if (  disable_ipv6
+     ||    dns_ipv4_lookup
+	&& match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0,
+	    &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK)
+  #endif
+
+    { af = AF_INET; times = 1; }
+  else
+    { af = AF_INET6; times = 2; }
+
+/* No IPv6 support */
+
+#else   /* HAVE_IPV6 */
+  af = AF_INET; times = 1;
+#endif  /* HAVE_IPV6 */
+
+/* Initialize the flag that gets set for DNS syntax check errors, so that the
+interface to this function can be similar to host_find_bydns. */
+
+f.host_find_failed_syntax = FALSE;
+
+/* Loop to look up both kinds of address in an IPv6 world */
+
+for (int i = 1; i <= times;
+     #if HAVE_IPV6
+       af = AF_INET,     /* If 2 passes, IPv4 on the second */
+     #endif
+     i++)
+  {
+  BOOL ipv4_addr;
+  int error_num = 0;
+  struct hostent *hostdata;
+  unsigned long time_msec = 0;	/* compiler quietening */
+
+  #ifdef STAND_ALONE
+  printf("Looking up: %s\n", host->name);
+  #endif
+
+  if (slow_lookup_log) time_msec = get_time_in_ms();
+
+  #if HAVE_IPV6
+  if (f.running_in_test_harness)
+    hostdata = host_fake_gethostbyname(host->name, af, &error_num);
+  else
+    {
+    #if HAVE_GETIPNODEBYNAME
+    hostdata = getipnodebyname(CS host->name, af, 0, &error_num);
+    #else
+    hostdata = gethostbyname2(CS host->name, af);
+    error_num = h_errno;
+    #endif
+    }
+
+  #else    /* not HAVE_IPV6 */
+  if (f.running_in_test_harness)
+    hostdata = host_fake_gethostbyname(host->name, af, &error_num);
+  else
+    {
+    hostdata = gethostbyname(CS host->name);
+    error_num = h_errno;
+    }
+  #endif   /* HAVE_IPV6 */
+
+  if (   slow_lookup_log
+      && (time_msec = get_time_in_ms() - time_msec) > slow_lookup_log)
+    log_long_lookup(US"gethostbyname", host->name, time_msec);
+
+  if (!hostdata)
+    {
+    uschar * error;
+    switch (error_num)
+      {
+      case HOST_NOT_FOUND: error = US"HOST_NOT_FOUND";	break;
+      case TRY_AGAIN:      error = US"TRY_AGAIN";   temp_error = TRUE; break;
+      case NO_RECOVERY:    error = US"NO_RECOVERY"; temp_error = TRUE; break;
+      case NO_DATA:        error = US"NO_DATA";		break;
+    #if NO_DATA != NO_ADDRESS
+      case NO_ADDRESS:     error = US"NO_ADDRESS";	break;
+    #endif
+      default: error = US"?"; break;
+      }
+
+    DEBUG(D_host_lookup) debug_printf("%s(af=%s) returned %d (%s)\n",
+      f.running_in_test_harness ? "host_fake_gethostbyname" :
+#if HAVE_IPV6
+# if HAVE_GETIPNODEBYNAME
+        "getipnodebyname",
+# else
+        "gethostbyname2",
+# endif
+#else
+	"gethostbyname",
+#endif
+      af == AF_INET ? "inet" : "inet6", error_num, error);
+
+    continue;
+    }
+  if (!(hostdata->h_addr_list)[0]) continue;
+
+  /* Replace the name with the fully qualified one if necessary, and fill in
+  the fully_qualified_name pointer. */
+
+  if (hostdata->h_name[0] && Ustrcmp(host->name, hostdata->h_name) != 0)
+    host->name = string_copy_dnsdomain(US hostdata->h_name);
+  if (fully_qualified_name) *fully_qualified_name = host->name;
+
+  /* Get the list of addresses. IPv4 and IPv6 addresses can be distinguished
+  by their different lengths. Scan the list, ignoring any that are to be
+  ignored, and build a chain from the rest. */
+
+  ipv4_addr = hostdata->h_length == sizeof(struct in_addr);
+
+  for (uschar ** addrlist = USS hostdata->h_addr_list; *addrlist; addrlist++)
+    {
+    uschar *text_address =
+      host_ntoa(ipv4_addr? AF_INET:AF_INET6, *addrlist, NULL, NULL);
+
+    #ifndef STAND_ALONE
+    if (  ignore_target_hosts
+       && verify_check_this_host(&ignore_target_hosts, NULL, host->name,
+	    text_address, NULL) == OK)
+      {
+      DEBUG(D_host_lookup)
+        debug_printf("ignored host %s [%s]\n", host->name, text_address);
+      continue;
+      }
+    #endif
+
+    /* If this is the first address, last is NULL and we put the data in the
+    original block. */
+
+    if (!last)
+      {
+      host->address = text_address;
+      host->port = PORT_NONE;
+      host->status = hstatus_unknown;
+      host->why = hwhy_unknown;
+      host->dnssec = DS_UNK;
+      last = host;
+      }
+
+    /* Else add further host item blocks for any other addresses, keeping
+    the order. */
+
+    else
+      {
+      host_item *next = store_get(sizeof(host_item), GET_UNTAINTED);
+      next->name = host->name;
+#ifndef DISABLE_TLS
+      next->certname = host->certname;
+#endif
+      next->mx = host->mx;
+      next->address = text_address;
+      next->port = PORT_NONE;
+      next->status = hstatus_unknown;
+      next->why = hwhy_unknown;
+      next->dnssec = DS_UNK;
+      next->last_try = 0;
+      next->next = last->next;
+      last->next = next;
+      last = next;
+      }
+    }
+  }
+
+/* If no hosts were found, the address field in the original host block will be
+NULL. If temp_error is set, at least one of the lookups gave a temporary error,
+so we pass that back. */
+
+if (!host->address)
+  {
+  uschar *msg =
+    #ifndef STAND_ALONE
+    !message_id[0] && smtp_in
+      ? string_sprintf("no IP address found for host %s (during %s)", host->name,
+          smtp_get_connection_info()) :
+    #endif
+    string_sprintf("no IP address found for host %s", host->name);
+
+  HDEBUG(D_host_lookup) debug_printf("%s\n", msg);
+  if (temp_error) goto RETURN_AGAIN;
+  if (host_checking || !f.log_testing_mode)
+    log_write(L_host_lookup_failed, LOG_MAIN, "%s", msg);
+  return HOST_FIND_FAILED;
+  }
+
+/* Remove any duplicate IP addresses, then check to see if this is the local
+host if required. */
+
+host_remove_duplicates(host, &last);
+yield = local_host_check?
+  host_scan_for_local_hosts(host, &last, NULL) : HOST_FOUND;
+
+HDEBUG(D_host_lookup)
+  {
+  if (fully_qualified_name)
+    debug_printf("fully qualified name = %s\n", *fully_qualified_name);
+  debug_printf("%s looked up these IP addresses:\n",
+    #if HAVE_IPV6
+      #if HAVE_GETIPNODEBYNAME
+      "getipnodebyname"
+      #else
+      "gethostbyname2"
+      #endif
+    #else
+    "gethostbyname"
+    #endif
+    );
+  for (const host_item * h = host; h != last->next; h = h->next)
+    debug_printf("  name=%s address=%s\n", h->name,
+      h->address ? h->address : US"<null>");
+  }
+
+/* Return the found status. */
+
+return yield;
+
+/* Handle the case when there is a temporary error. If the name matches
+dns_again_means_nonexist, return permanent rather than temporary failure. */
+
+RETURN_AGAIN:
+  {
+#ifndef STAND_ALONE
+  int rc;
+  const uschar *save = deliver_domain;
+  deliver_domain = host->name;  /* set $domain */
+  rc = match_isinlist(host->name, CUSS &dns_again_means_nonexist, 0,
+    &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
+  deliver_domain = save;
+  if (rc == OK)
+    {
+    DEBUG(D_host_lookup) debug_printf("%s is in dns_again_means_nonexist: "
+      "returning HOST_FIND_FAILED\n", host->name);
+    return HOST_FIND_FAILED;
+    }
+#endif
+  return HOST_FIND_AGAIN;
+  }
+}
+
+
+
+/*************************************************
+*        Fill in a host address from the DNS     *
+*************************************************/
+
+/* Given a host item, with its name, port and mx fields set, and its address
+field set to NULL, fill in its IP address from the DNS. If it is multi-homed,
+create additional host items for the additional addresses, copying all the
+other fields, and randomizing the order.
+
+On IPv6 systems, AAAA records are sought first, then A records.
+
+The host name may be changed if the DNS returns a different name - e.g. fully
+qualified or changed via CNAME. If fully_qualified_name is not NULL, dns_lookup
+ensures that it points to the fully qualified name. However, this is the fully
+qualified version of the original name; if a CNAME is involved, the actual
+canonical host name may be different again, and so we get it directly from the
+relevant RR. Note that we do NOT change the mx field of the host item in this
+function as it may be called to set the addresses of hosts taken from MX
+records.
+
+Arguments:
+  host                  points to the host item we're filling in
+  lastptr               points to pointer to last host item in a chain of
+                          host items (may be updated if host is last and gets
+                          extended because multihomed)
+  ignore_target_hosts   list of hosts to ignore
+  allow_ip              if TRUE, recognize an IP address and return it
+  fully_qualified_name  if not NULL, return fully qualified name here if
+                          the contents are different (i.e. it must be preset
+                          to something)
+  dnssec_request	if TRUE request the AD bit
+  dnssec_require	if TRUE require the AD bit
+  whichrrs		select ipv4, ipv6 results
+
+Returns:       HOST_FIND_FAILED     couldn't find A record
+               HOST_FIND_AGAIN      try again later
+	       HOST_FIND_SECURITY   dnssec required but not acheived
+               HOST_FOUND           found AAAA and/or A record(s)
+               HOST_IGNORED         found, but all IPs ignored
+*/
+
+static int
+set_address_from_dns(host_item *host, host_item **lastptr,
+  const uschar *ignore_target_hosts, BOOL allow_ip,
+  const uschar **fully_qualified_name,
+  BOOL dnssec_request, BOOL dnssec_require, int whichrrs)
+{
+host_item *thishostlast = NULL;    /* Indicates not yet filled in anything */
+BOOL v6_find_again = FALSE;
+BOOL dnssec_fail = FALSE;
+int i;
+dns_answer * dnsa;
+
+#ifndef DISABLE_TLS
+/* Copy the host name at this point to the value which is used for
+TLS certificate name checking, before any CNAME-following modifies it.  */
+
+host->certname = host->name;
+#endif
+
+/* If allow_ip is set, a name which is an IP address returns that value
+as its address. This is used for MX records when allow_mx_to_ip is set, for
+those sites that feel they have to flaunt the RFC rules. */
+
+if (allow_ip && string_is_ip_address(host->name, NULL) != 0)
+  {
+  #ifndef STAND_ALONE
+  if (  ignore_target_hosts
+     && verify_check_this_host(&ignore_target_hosts, NULL, host->name,
+        host->name, NULL) == OK)
+    return HOST_IGNORED;
+  #endif
+
+  host->address = host->name;
+  return HOST_FOUND;
+  }
+
+dnsa = store_get_dns_answer();
+
+/* On an IPv6 system, unless IPv6 is disabled, go round the loop up to twice,
+looking for AAAA records the first time. However, unless doing standalone
+testing, we force an IPv4 lookup if the domain matches dns_ipv4_lookup global.
+On an IPv4 system, go round the loop once only, looking only for A records. */
+
+#if HAVE_IPV6
+  #ifndef STAND_ALONE
+    if (  disable_ipv6
+       || !(whichrrs & HOST_FIND_BY_AAAA)
+       ||    dns_ipv4_lookup
+          && match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0,
+	      &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK
+       )
+      i = 0;    /* look up A records only */
+    else
+  #endif        /* STAND_ALONE */
+
+  i = 1;        /* look up AAAA and A records */
+
+/* The IPv4 world */
+
+#else           /* HAVE_IPV6 */
+  i = 0;        /* look up A records only */
+#endif          /* HAVE_IPV6 */
+
+for (; i >= 0; i--)
+  {
+  static int types[] = { T_A, T_AAAA };
+  int type = types[i];
+  int randoffset = i == (whichrrs & HOST_FIND_IPV4_FIRST ? 1 : 0)
+    ? 500 : 0;  /* Ensures v6/4 sort order */
+  dns_scan dnss;
+
+  int rc = dns_lookup_timerwrap(dnsa, host->name, type, fully_qualified_name);
+  lookup_dnssec_authenticated = !dnssec_request ? NULL
+    : dns_is_secure(dnsa) ? US"yes" : US"no";
+
+  DEBUG(D_dns)
+    if (  (dnssec_request || dnssec_require)
+       && !dns_is_secure(dnsa)
+       && dns_is_aa(dnsa)
+       )
+      debug_printf("DNS lookup of %.256s (A/AAAA) requested AD, but got AA\n", host->name);
+
+  /* We want to return HOST_FIND_AGAIN if one of the A or AAAA lookups
+  fails or times out, but not if another one succeeds. (In the early
+  IPv6 days there are name servers that always fail on AAAA, but are happy
+  to give out an A record. We want to proceed with that A record.) */
+
+  if (rc != DNS_SUCCEED)
+    {
+    if (i == 0)  /* Just tried for an A record, i.e. end of loop */
+      {
+      if (host->address != NULL)
+        i = HOST_FOUND;  /* AAAA was found */
+      else if (rc == DNS_AGAIN || rc == DNS_FAIL || v6_find_again)
+        i = HOST_FIND_AGAIN;
+      else
+	i = HOST_FIND_FAILED;    /* DNS_NOMATCH or DNS_NODATA */
+      goto out;
+      }
+
+    /* Tried for an AAAA record: remember if this was a temporary
+    error, and look for the next record type. */
+
+    if (rc != DNS_NOMATCH && rc != DNS_NODATA) v6_find_again = TRUE;
+    continue;
+    }
+
+  if (dnssec_request)
+    {
+    if (dns_is_secure(dnsa))
+      {
+      DEBUG(D_host_lookup) debug_printf("%s A DNSSEC\n", host->name);
+      if (host->dnssec == DS_UNK) /* set in host_find_bydns() */
+	host->dnssec = DS_YES;
+      }
+    else
+      {
+      if (dnssec_require)
+	{
+	dnssec_fail = TRUE;
+	DEBUG(D_host_lookup) debug_printf("dnssec fail on %s for %.256s",
+		i>0 ? "AAAA" : "A", host->name);
+	continue;
+	}
+      if (host->dnssec == DS_YES) /* set in host_find_bydns() */
+	{
+	DEBUG(D_host_lookup) debug_printf("%s A cancel DNSSEC\n", host->name);
+	host->dnssec = DS_NO;
+	lookup_dnssec_authenticated = US"no";
+	}
+      }
+    }
+
+  /* Lookup succeeded: fill in the given host item with the first non-ignored
+  address found; create additional items for any others. A single A6 record
+  may generate more than one address.  The lookup had a chance to update the
+  fqdn; we do not want any later times round the loop to do so. */
+
+  fully_qualified_name = NULL;
+
+  for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
+       rr;
+       rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == type)
+    {
+    dns_address * da = dns_address_from_rr(dnsa, rr);
+
+    DEBUG(D_host_lookup)
+      if (!da) debug_printf("no addresses extracted from A6 RR for %s\n",
+	  host->name);
+
+    /* This loop runs only once for A and AAAA records, but may run
+    several times for an A6 record that generated multiple addresses. */
+
+    for (; da; da = da->next)
+      {
+      #ifndef STAND_ALONE
+      if (ignore_target_hosts != NULL &&
+	    verify_check_this_host(&ignore_target_hosts, NULL,
+	      host->name, da->address, NULL) == OK)
+	{
+	DEBUG(D_host_lookup)
+	  debug_printf("ignored host %s [%s]\n", host->name, da->address);
+	continue;
+	}
+      #endif
+
+      /* If this is the first address, stick it in the given host block,
+      and change the name if the returned RR has a different name. */
+
+      if (thishostlast == NULL)
+	{
+	if (strcmpic(host->name, rr->name) != 0)
+	  host->name = string_copy_dnsdomain(rr->name);
+	host->address = da->address;
+	host->sort_key = host->mx * 1000 + random_number(500) + randoffset;
+	host->status = hstatus_unknown;
+	host->why = hwhy_unknown;
+	thishostlast = host;
+	}
+
+      /* Not the first address. Check for, and ignore, duplicates. Then
+      insert in the chain at a random point. */
+
+      else
+	{
+	int new_sort_key;
+	host_item *next;
+
+	/* End of our local chain is specified by "thishostlast". */
+
+	for (next = host;; next = next->next)
+	  {
+	  if (Ustrcmp(CS da->address, next->address) == 0) break;
+	  if (next == thishostlast) { next = NULL; break; }
+	  }
+	if (next != NULL) continue;  /* With loop for next address */
+
+	/* Not a duplicate */
+
+	new_sort_key = host->mx * 1000 + random_number(500) + randoffset;
+	next = store_get(sizeof(host_item), GET_UNTAINTED);
+
+	/* New address goes first: insert the new block after the first one
+	(so as not to disturb the original pointer) but put the new address
+	in the original block. */
+
+	if (new_sort_key < host->sort_key)
+	  {
+	  *next = *host;                                  /* Copies port */
+	  host->next = next;
+	  host->address = da->address;
+	  host->sort_key = new_sort_key;
+	  if (thishostlast == host) thishostlast = next;  /* Local last */
+	  if (*lastptr == host) *lastptr = next;          /* Global last */
+	  }
+
+	/* Otherwise scan down the addresses for this host to find the
+	one to insert after. */
+
+	else
+	  {
+	  host_item *h = host;
+	  while (h != thishostlast)
+	    {
+	    if (new_sort_key < h->next->sort_key) break;
+	    h = h->next;
+	    }
+	  *next = *h;                                 /* Copies port */
+	  h->next = next;
+	  next->address = da->address;
+	  next->sort_key = new_sort_key;
+	  if (h == thishostlast) thishostlast = next; /* Local last */
+	  if (h == *lastptr) *lastptr = next;         /* Global last */
+	  }
+	}
+      }
+    }
+  }
+
+/* Control gets here only if the second lookup (the A record) succeeded.
+However, the address may not be filled in if it was ignored. */
+
+i = host->address
+  ? HOST_FOUND
+  : dnssec_fail
+  ? HOST_FIND_SECURITY
+  : HOST_IGNORED;
+
+out:
+  store_free_dns_answer(dnsa);
+  return i;
+}
+
+
+
+
+/*************************************************
+*    Find IP addresses and host names via DNS    *
+*************************************************/
+
+/* The input is a host_item structure with the name field filled in and the
+address field set to NULL. This may be in a chain of other host items. The
+lookup may result in more than one IP address, in which case we must created
+new host blocks for the additional addresses, and insert them into the chain.
+The original name may not be fully qualified. Use the fully_qualified_name
+argument to return the official name, as returned by the resolver.
+
+Arguments:
+  host                  point to initial host item
+  ignore_target_hosts   a list of hosts to ignore
+  whichrrs              flags indicating which RRs to look for:
+                          HOST_FIND_BY_SRV  => look for SRV
+                          HOST_FIND_BY_MX   => look for MX
+                          HOST_FIND_BY_A    => look for A
+                          HOST_FIND_BY_AAAA => look for AAAA
+                        also flags indicating how the lookup is done
+                          HOST_FIND_QUALIFY_SINGLE   ) passed to the
+                          HOST_FIND_SEARCH_PARENTS   )   resolver
+			  HOST_FIND_IPV4_FIRST => reverse usual result ordering
+			  HOST_FIND_IPV4_ONLY  => MX results elide ipv6
+  srv_service           when SRV used, the service name
+  srv_fail_domains      DNS errors for these domains => assume nonexist
+  mx_fail_domains       DNS errors for these domains => assume nonexist
+  dnssec_d.request =>   make dnssec request: domainlist
+  dnssec_d.require =>   ditto and nonexist failures
+  fully_qualified_name  if not NULL, return fully-qualified name
+  removed               set TRUE if local host was removed from the list
+
+Returns:                HOST_FIND_FAILED  Failed to find the host or domain;
+                                          if there was a syntax error,
+                                          host_find_failed_syntax is set.
+                        HOST_FIND_AGAIN   Could not resolve at this time
+			HOST_FIND_SECURITY dnsssec required but not acheived
+                        HOST_FOUND        Host found
+                        HOST_FOUND_LOCAL  The lowest MX record points to this
+                                          machine, if MX records were found, or
+                                          an A record that was found contains
+                                          an address of the local host
+*/
+
+int
+host_find_bydns(host_item *host, const uschar *ignore_target_hosts, int whichrrs,
+  uschar *srv_service, uschar *srv_fail_domains, uschar *mx_fail_domains,
+  const dnssec_domains *dnssec_d,
+  const uschar **fully_qualified_name, BOOL *removed)
+{
+host_item *h, *last;
+int rc = DNS_FAIL;
+int ind_type = 0;
+int yield;
+dns_answer * dnsa = store_get_dns_answer();
+dns_scan dnss;
+BOOL dnssec_require = dnssec_d
+  && match_isinlist(host->name, CUSS &dnssec_d->require,
+		  0, &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK;
+BOOL dnssec_request = dnssec_require
+    || (  dnssec_d
+       && match_isinlist(host->name, CUSS &dnssec_d->request,
+		    0, &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK);
+dnssec_status_t dnssec;
+
+/* Set the default fully qualified name to the incoming name, initialize the
+resolver if necessary, set up the relevant options, and initialize the flag
+that gets set for DNS syntax check errors. */
+
+if (fully_qualified_name != NULL) *fully_qualified_name = host->name;
+dns_init((whichrrs & HOST_FIND_QUALIFY_SINGLE) != 0,
+         (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0,
+	 dnssec_request);
+f.host_find_failed_syntax = FALSE;
+
+/* First, if requested, look for SRV records. The service name is given; we
+assume TCP protocol. DNS domain names are constrained to a maximum of 256
+characters, so the code below should be safe. */
+
+if (whichrrs & HOST_FIND_BY_SRV)
+  {
+  gstring * g;
+  uschar * temp_fully_qualified_name;
+  int prefix_length;
+
+  g = string_fmt_append(NULL, "_%s._tcp.%n%.256s",
+	srv_service, &prefix_length, host->name);
+  temp_fully_qualified_name = string_from_gstring(g);
+  ind_type = T_SRV;
+
+  /* Search for SRV records. If the fully qualified name is different to
+  the input name, pass back the new original domain, without the prepended
+  magic. */
+
+  dnssec = DS_UNK;
+  lookup_dnssec_authenticated = NULL;
+  rc = dns_lookup_timerwrap(dnsa, temp_fully_qualified_name, ind_type,
+	CUSS &temp_fully_qualified_name);
+
+  DEBUG(D_dns)
+    if ((dnssec_request || dnssec_require)
+	&& !dns_is_secure(dnsa)
+	&& dns_is_aa(dnsa))
+      debug_printf("DNS lookup of %.256s (SRV) requested AD, but got AA\n", host->name);
+
+  if (dnssec_request)
+    {
+    if (dns_is_secure(dnsa))
+      { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; }
+    else
+      { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; }
+    }
+
+  if (temp_fully_qualified_name != g->s && fully_qualified_name != NULL)
+    *fully_qualified_name = temp_fully_qualified_name + prefix_length;
+
+  /* On DNS failures, we give the "try again" error unless the domain is
+  listed as one for which we continue. */
+
+  if (rc == DNS_SUCCEED && dnssec_require && !dns_is_secure(dnsa))
+    {
+    log_write(L_host_lookup_failed, LOG_MAIN,
+		"dnssec fail on SRV for %.256s", host->name);
+    rc = DNS_FAIL;
+    }
+  if (rc == DNS_FAIL || rc == DNS_AGAIN)
+    {
+#ifndef STAND_ALONE
+    if (match_isinlist(host->name, CUSS &srv_fail_domains, 0,
+	&domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) != OK)
+#endif
+      { yield = HOST_FIND_AGAIN; goto out; }
+    DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA "
+      "(domain in srv_fail_domains)\n", rc == DNS_FAIL ? "FAIL":"AGAIN");
+    }
+  }
+
+/* If we did not find any SRV records, search the DNS for MX records, if
+requested to do so. If the result is DNS_NOMATCH, it means there is no such
+domain, and there's no point in going on to look for address records with the
+same domain. The result will be DNS_NODATA if the domain exists but has no MX
+records. On DNS failures, we give the "try again" error unless the domain is
+listed as one for which we continue. */
+
+if (rc != DNS_SUCCEED  &&  whichrrs & HOST_FIND_BY_MX)
+  {
+  ind_type = T_MX;
+  dnssec = DS_UNK;
+  lookup_dnssec_authenticated = NULL;
+  rc = dns_lookup_timerwrap(dnsa, host->name, ind_type, fully_qualified_name);
+
+  DEBUG(D_dns)
+    if (  (dnssec_request || dnssec_require)
+       && !dns_is_secure(dnsa)
+       && dns_is_aa(dnsa))
+      debug_printf("DNS lookup of %.256s (MX) requested AD, but got AA\n", host->name);
+
+  if (dnssec_request)
+    if (dns_is_secure(dnsa))
+      {
+      DEBUG(D_host_lookup) debug_printf("%s (MX resp) DNSSEC\n", host->name);
+      dnssec = DS_YES; lookup_dnssec_authenticated = US"yes";
+      }
+    else
+      {
+      dnssec = DS_NO; lookup_dnssec_authenticated = US"no";
+      }
+
+  switch (rc)
+    {
+    case DNS_NOMATCH:
+      yield = HOST_FIND_FAILED; goto out;
+
+    case DNS_SUCCEED:
+      if (!dnssec_require || dns_is_secure(dnsa))
+	break;
+      DEBUG(D_host_lookup)
+	debug_printf("dnssec fail on MX for %.256s", host->name);
+#ifndef STAND_ALONE
+      if (match_isinlist(host->name, CUSS &mx_fail_domains, 0,
+	  &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) != OK)
+	{ yield = HOST_FIND_SECURITY; goto out; }
+#endif
+      rc = DNS_FAIL;
+      /*FALLTHROUGH*/
+
+    case DNS_FAIL:
+    case DNS_AGAIN:
+#ifndef STAND_ALONE
+      if (match_isinlist(host->name, CUSS &mx_fail_domains, 0,
+	  &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) != OK)
+#endif
+	{ yield = HOST_FIND_AGAIN; goto out; }
+      DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA "
+	"(domain in mx_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN");
+      break;
+    }
+  }
+
+/* If we haven't found anything yet, and we are requested to do so, try for an
+A or AAAA record. If we find it (or them) check to see that it isn't the local
+host. */
+
+if (rc != DNS_SUCCEED)
+  {
+  if (!(whichrrs & (HOST_FIND_BY_A | HOST_FIND_BY_AAAA)))
+    {
+    DEBUG(D_host_lookup) debug_printf("Address records are not being sought\n");
+    yield = HOST_FIND_FAILED;
+    goto out;
+    }
+
+  last = host;        /* End of local chainlet */
+  host->mx = MX_NONE;
+  host->port = PORT_NONE;
+  host->dnssec = DS_UNK;
+  lookup_dnssec_authenticated = NULL;
+  rc = set_address_from_dns(host, &last, ignore_target_hosts, FALSE,
+    fully_qualified_name, dnssec_request, dnssec_require, whichrrs);
+
+  /* If one or more address records have been found, check that none of them
+  are local. Since we know the host items all have their IP addresses
+  inserted, host_scan_for_local_hosts() can only return HOST_FOUND or
+  HOST_FOUND_LOCAL. We do not need to scan for duplicate IP addresses here,
+  because set_address_from_dns() removes them. */
+
+  if (rc == HOST_FOUND)
+    rc = host_scan_for_local_hosts(host, &last, removed);
+  else
+    if (rc == HOST_IGNORED) rc = HOST_FIND_FAILED;  /* No special action */
+
+  DEBUG(D_host_lookup)
+    if (host->address)
+      {
+      if (fully_qualified_name)
+        debug_printf("fully qualified name = %s\n", *fully_qualified_name);
+      for (host_item * h = host; h != last->next; h = h->next)
+        debug_printf("%s %s mx=%d sort=%d %s\n", h->name,
+          h->address ? h->address : US"<null>", h->mx, h->sort_key,
+          h->status >= hstatus_unusable ? US"*" : US"");
+      }
+
+  yield = rc;
+  goto out;
+  }
+
+/* We have found one or more MX or SRV records. Sort them according to
+precedence. Put the data for the first one into the existing host block, and
+insert new host_item blocks into the chain for the remainder. For equal
+precedences one is supposed to randomize the order. To make this happen, the
+sorting is actually done on the MX value * 1000 + a random number. This is put
+into a host field called sort_key.
+
+In the case of hosts with both IPv6 and IPv4 addresses, we want to choose the
+IPv6 address in preference. At this stage, we don't know what kind of address
+the host has. We choose a random number < 500; if later we find an A record
+first, we add 500 to the random number. Then for any other address records, we
+use random numbers in the range 0-499 for AAAA records and 500-999 for A
+records.
+
+At this point we remove any duplicates that point to the same host, retaining
+only the one with the lowest precedence. We cannot yet check for precedence
+greater than that of the local host, because that test cannot be properly done
+until the addresses have been found - an MX record may point to a name for this
+host which is not the primary hostname. */
+
+last = NULL;    /* Indicates that not even the first item is filled yet */
+
+for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
+     rr;
+     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == ind_type)
+  {
+  int precedence, weight;
+  int port = PORT_NONE;
+  const uschar * s = rr->data;	/* MUST be unsigned for GETSHORT */
+  uschar data[256];
+
+  GETSHORT(precedence, s);      /* Pointer s is advanced */
+
+  /* For MX records, we use a random "weight" which causes multiple records of
+  the same precedence to sort randomly. */
+
+  if (ind_type == T_MX)
+    weight = random_number(500);
+  else
+    {
+    /* SRV records are specified with a port and a weight. The weight is used
+    in a special algorithm. However, to start with, we just use it to order the
+    records of equal priority (precedence). */
+    GETSHORT(weight, s);
+    GETSHORT(port, s);
+    }
+
+  /* Get the name of the host pointed to. */
+
+  (void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
+    (DN_EXPAND_ARG4_TYPE)data, sizeof(data));
+
+  /* Check that we haven't already got this host on the chain; if we have,
+  keep only the lower precedence. This situation shouldn't occur, but you
+  never know what junk might get into the DNS (and this case has been seen on
+  more than one occasion). */
+
+  if (last)       /* This is not the first record */
+    {
+    host_item *prev = NULL;
+
+    for (h = host; h != last->next; prev = h, h = h->next)
+      if (strcmpic(h->name, data) == 0)
+        {
+        DEBUG(D_host_lookup)
+          debug_printf("discarded duplicate host %s (MX=%d)\n", data,
+            precedence > h->mx ? precedence : h->mx);
+        if (precedence >= h->mx) goto NEXT_MX_RR; /* Skip greater precedence */
+        if (h == host)                            /* Override first item */
+          {
+          h->mx = precedence;
+          host->sort_key = precedence * 1000 + weight;
+          goto NEXT_MX_RR;
+          }
+
+        /* Unwanted host item is not the first in the chain, so we can get
+        get rid of it by cutting it out. */
+
+        prev->next = h->next;
+        if (h == last) last = prev;
+        break;
+        }
+    }
+
+  /* If this is the first MX or SRV record, put the data into the existing host
+  block. Otherwise, add a new block in the correct place; if it has to be
+  before the first block, copy the first block's data to a new second block. */
+
+  if (!last)
+    {
+    host->name = string_copy_dnsdomain(data);
+    host->address = NULL;
+    host->port = port;
+    host->mx = precedence;
+    host->sort_key = precedence * 1000 + weight;
+    host->status = hstatus_unknown;
+    host->why = hwhy_unknown;
+    host->dnssec = dnssec;
+    last = host;
+    }
+  else
+
+  /* Make a new host item and seek the correct insertion place */
+    {
+    int sort_key = precedence * 1000 + weight;
+    host_item * next = store_get(sizeof(host_item), GET_UNTAINTED);
+    next->name = string_copy_dnsdomain(data);
+    next->address = NULL;
+    next->port = port;
+    next->mx = precedence;
+    next->sort_key = sort_key;
+    next->status = hstatus_unknown;
+    next->why = hwhy_unknown;
+    next->dnssec = dnssec;
+    next->last_try = 0;
+
+    /* Handle the case when we have to insert before the first item. */
+
+    if (sort_key < host->sort_key)
+      {
+      host_item htemp;
+      htemp = *host;
+      *host = *next;
+      *next = htemp;
+      host->next = next;
+      if (last == host) last = next;
+      }
+    else
+
+    /* Else scan down the items we have inserted as part of this exercise;
+    don't go further. */
+      {
+      for (h = host; h != last; h = h->next)
+        if (sort_key < h->next->sort_key)
+          {
+          next->next = h->next;
+          h->next = next;
+          break;
+          }
+
+      /* Join on after the last host item that's part of this
+      processing if we haven't stopped sooner. */
+
+      if (h == last)
+        {
+        next->next = last->next;
+        last->next = next;
+        last = next;
+        }
+      }
+    }
+
+  NEXT_MX_RR: continue;
+  }
+
+if (!last)	/* No rr of correct type; give up */
+  {
+  yield = HOST_FIND_FAILED;
+  goto out;
+  }
+
+/* If the list of hosts was obtained from SRV records, there are two things to
+do. First, if there is only one host, and it's name is ".", it means there is
+no SMTP service at this domain. Otherwise, we have to sort the hosts of equal
+priority according to their weights, using an algorithm that is defined in RFC
+2782. The hosts are currently sorted by priority and weight. For each priority
+group we have to pick off one host and put it first, and then repeat for any
+remaining in the same priority group. */
+
+if (ind_type == T_SRV)
+  {
+  host_item ** pptr;
+
+  if (host == last && host->name[0] == 0)
+    {
+    DEBUG(D_host_lookup) debug_printf("the single SRV record is \".\"\n");
+    yield = HOST_FIND_FAILED;
+    goto out;
+    }
+
+  DEBUG(D_host_lookup)
+    {
+    debug_printf("original ordering of hosts from SRV records:\n");
+    for (h = host; h != last->next; h = h->next)
+      debug_printf("  %s P=%d W=%d\n", h->name, h->mx, h->sort_key % 1000);
+    }
+
+  for (pptr = &host, h = host; h != last; pptr = &h->next, h = h->next)
+    {
+    int sum = 0;
+    host_item *hh;
+
+    /* Find the last following host that has the same precedence. At the same
+    time, compute the sum of the weights and the running totals. These can be
+    stored in the sort_key field. */
+
+    for (hh = h; hh != last; hh = hh->next)
+      {
+      int weight = hh->sort_key % 1000;   /* was precedence * 1000 + weight */
+      sum += weight;
+      hh->sort_key = sum;
+      if (hh->mx != hh->next->mx) break;
+      }
+
+    /* If there's more than one host at this precedence (priority), we need to
+    pick one to go first. */
+
+    if (hh != h)
+      {
+      host_item *hhh;
+      host_item **ppptr;
+      int randomizer = random_number(sum + 1);
+
+      for (ppptr = pptr, hhh = h;
+           hhh != hh;
+           ppptr = &hhh->next, hhh = hhh->next)
+        if (hhh->sort_key >= randomizer)
+	  break;
+
+      /* hhh now points to the host that should go first; ppptr points to the
+      place that points to it. Unfortunately, if the start of the minilist is
+      the start of the entire list, we can't just swap the items over, because
+      we must not change the value of host, since it is passed in from outside.
+      One day, this could perhaps be changed.
+
+      The special case is fudged by putting the new item *second* in the chain,
+      and then transferring the data between the first and second items. We
+      can't just swap the first and the chosen item, because that would mean
+      that an item with zero weight might no longer be first. */
+
+      if (hhh != h)
+        {
+        *ppptr = hhh->next;          /* Cuts it out of the chain */
+
+        if (h == host)
+          {
+          host_item temp = *h;
+          *h = *hhh;
+          *hhh = temp;
+          hhh->next = temp.next;
+          h->next = hhh;
+          }
+        else
+          {
+          hhh->next = h;               /* The rest of the chain follows it */
+          *pptr = hhh;                 /* It takes the place of h */
+          h = hhh;                     /* It's now the start of this minilist */
+          }
+        }
+      }
+
+    /* A host has been chosen to be first at this priority and h now points
+    to this host. There may be others at the same priority, or others at a
+    different priority. Before we leave this host, we need to put back a sort
+    key of the traditional MX kind, in case this host is multihomed, because
+    the sort key is used for ordering the multiple IP addresses. We do not need
+    to ensure that these new sort keys actually reflect the order of the hosts,
+    however. */
+
+    h->sort_key = h->mx * 1000 + random_number(500);
+    }   /* Move on to the next host */
+  }
+
+/* Now we have to find IP addresses for all the hosts. We have ensured above
+that the names in all the host items are unique. Before release 4.61 we used to
+process records from the additional section in the DNS packet that returned the
+MX or SRV records. However, a DNS name server is free to drop any resource
+records from the additional section. In theory, this has always been a
+potential problem, but it is exacerbated by the advent of IPv6. If a host had
+several IPv4 addresses and some were not in the additional section, at least
+Exim would try the others. However, if a host had both IPv4 and IPv6 addresses
+and all the IPv4 (say) addresses were absent, Exim would try only for a IPv6
+connection, and never try an IPv4 address. When there was only IPv4
+connectivity, this was a disaster that did in practice occur.
+
+So, from release 4.61 onwards, we always search for A and AAAA records
+explicitly. The names shouldn't point to CNAMES, but we use the general lookup
+function that handles them, just in case. If any lookup gives a soft error,
+change the default yield.
+
+For these DNS lookups, we must disable qualify_single and search_parents;
+otherwise invalid host names obtained from MX or SRV records can cause trouble
+if they happen to match something local. */
+
+yield = HOST_FIND_FAILED;    /* Default yield */
+dns_init(FALSE, FALSE,       /* Disable qualify_single and search_parents */
+	 dnssec_request || dnssec_require);
+
+for (h = host; h != last->next; h = h->next)
+  {
+  if (h->address) continue;  /* Inserted by a multihomed host */
+
+  rc = set_address_from_dns(h, &last, ignore_target_hosts, allow_mx_to_ip,
+    NULL, dnssec_request, dnssec_require,
+    whichrrs & HOST_FIND_IPV4_ONLY
+    ?  HOST_FIND_BY_A  :  HOST_FIND_BY_A | HOST_FIND_BY_AAAA);
+  if (rc != HOST_FOUND)
+    {
+    h->status = hstatus_unusable;
+    switch (rc)
+      {
+      case HOST_FIND_AGAIN:	yield = rc; h->why = hwhy_deferred; break;
+      case HOST_FIND_SECURITY:	yield = rc; h->why = hwhy_insecure; break;
+      case HOST_IGNORED:	h->why = hwhy_ignored; break;
+      default:			h->why = hwhy_failed; break;
+      }
+    }
+  }
+
+/* Scan the list for any hosts that are marked unusable because they have
+been explicitly ignored, and remove them from the list, as if they did not
+exist. If we end up with just a single, ignored host, flatten its fields as if
+nothing was found. */
+
+if (ignore_target_hosts)
+  {
+  host_item *prev = NULL;
+  for (h = host; h != last->next; h = h->next)
+    {
+    REDO:
+    if (h->why != hwhy_ignored)        /* Non ignored host, just continue */
+      prev = h;
+    else if (prev == NULL)             /* First host is ignored */
+      {
+      if (h != last)                   /* First is not last */
+        {
+        if (h->next == last) last = h; /* Overwrite it with next */
+        *h = *(h->next);               /* and reprocess it. */
+        goto REDO;                     /* C should have redo, like Perl */
+        }
+      }
+    else                               /* Ignored host is not first - */
+      {                                /*   cut it out */
+      prev->next = h->next;
+      if (h == last) last = prev;
+      }
+    }
+
+  if (host->why == hwhy_ignored) host->address = NULL;
+  }
+
+/* There is still one complication in the case of IPv6. Although the code above
+arranges that IPv6 addresses take precedence over IPv4 addresses for multihomed
+hosts, it doesn't do this for addresses that apply to different hosts with the
+same MX precedence, because the sorting on MX precedence happens first. So we
+have to make another pass to check for this case. We ensure that, within a
+single MX preference value, IPv6 addresses come first. This can separate the
+addresses of a multihomed host, but that should not matter. */
+
+#if HAVE_IPV6
+if (h != last && !disable_ipv6) for (h = host; h != last; h = h->next)
+  {
+  host_item temp;
+  host_item *next = h->next;
+
+  if (  h->mx != next->mx			/* If next is different MX */
+     || !h->address				/* OR this one is unset */
+     )
+    continue;					/* move on to next */
+
+  if (  whichrrs & HOST_FIND_IPV4_FIRST
+     ?     !Ustrchr(h->address, ':')		/* OR this one is IPv4 */
+        || next->address
+           && Ustrchr(next->address, ':')	/* OR next is IPv6 */
+
+     :     Ustrchr(h->address, ':')		/* OR this one is IPv6 */
+        || next->address
+           && !Ustrchr(next->address, ':')	/* OR next is IPv4 */
+     )
+    continue;                                /* move on to next */
+
+  temp = *h;                                 /* otherwise, swap */
+  temp.next = next->next;
+  *h = *next;
+  h->next = next;
+  *next = temp;
+  }
+#endif
+
+/* Remove any duplicate IP addresses and then scan the list of hosts for any
+whose IP addresses are on the local host. If any are found, all hosts with the
+same or higher MX values are removed. However, if the local host has the lowest
+numbered MX, then HOST_FOUND_LOCAL is returned. Otherwise, if at least one host
+with an IP address is on the list, HOST_FOUND is returned. Otherwise,
+HOST_FIND_FAILED is returned, but in this case do not update the yield, as it
+might have been set to HOST_FIND_AGAIN just above here. If not, it will already
+be HOST_FIND_FAILED. */
+
+host_remove_duplicates(host, &last);
+rc = host_scan_for_local_hosts(host, &last, removed);
+if (rc != HOST_FIND_FAILED) yield = rc;
+
+DEBUG(D_host_lookup)
+  {
+  if (fully_qualified_name)
+    debug_printf("fully qualified name = %s\n", *fully_qualified_name);
+  debug_printf("host_find_bydns yield = %s (%d); returned hosts:\n",
+    yield == HOST_FOUND		? "HOST_FOUND" :
+    yield == HOST_FOUND_LOCAL	? "HOST_FOUND_LOCAL" :
+    yield == HOST_FIND_SECURITY	? "HOST_FIND_SECURITY" :
+    yield == HOST_FIND_AGAIN	? "HOST_FIND_AGAIN" :
+    yield == HOST_FIND_FAILED	? "HOST_FIND_FAILED" : "?",
+    yield);
+  for (h = host; h != last->next; h = h->next)
+    {
+    debug_printf("  %s %s MX=%d %s", h->name,
+      !h->address ? US"<null>" : h->address, h->mx,
+      h->dnssec == DS_YES ? US"DNSSEC " : US"");
+    if (h->port != PORT_NONE) debug_printf("port=%d ", h->port);
+    if (h->status >= hstatus_unusable) debug_printf("*");
+    debug_printf("\n");
+    }
+  }
+
+out:
+
+dns_init(FALSE, FALSE, FALSE);	/* clear the dnssec bit for getaddrbyname */
+store_free_dns_answer(dnsa);
+return yield;
+}
+
+
+
+
+#ifdef SUPPORT_DANE
+/* Lookup TLSA record for host/port.
+Return:  OK		success with dnssec; DANE mode
+         DEFER		Do not use this host now, may retry later
+	 FAIL_FORCED	No TLSA record; DANE not usable
+	 FAIL		Do not use this connection
+*/
+
+int
+tlsa_lookup(const host_item * host, dns_answer * dnsa, BOOL dane_required)
+{
+uschar buffer[300];
+const uschar * fullname = buffer;
+int rc;
+BOOL sec;
+
+/* TLSA lookup string */
+(void)sprintf(CS buffer, "_%d._tcp.%.256s", host->port, host->name);
+
+rc = dns_lookup_timerwrap(dnsa, buffer, T_TLSA, &fullname);
+sec = dns_is_secure(dnsa);
+DEBUG(D_transport)
+  debug_printf("TLSA lookup ret %s %sDNSSEC\n", dns_rc_names[rc], sec ? "" : "not ");
+
+switch (rc)
+  {
+  case DNS_AGAIN:
+    return DEFER; /* just defer this TLS'd conn */
+
+  case DNS_SUCCEED:
+    if (sec)
+      {
+      DEBUG(D_transport)
+	{
+	dns_scan dnss;
+	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+	     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
+	  if (rr->type == T_TLSA && rr->size > 3)
+	    {
+	    uint16_t payload_length = rr->size - 3;
+	    uschar s[MAX_TLSA_EXPANDED_SIZE], * sp = s, * p = US rr->data;
+
+	    sp += sprintf(CS sp, "%d ", *p++); /* usage */
+	    sp += sprintf(CS sp, "%d ", *p++); /* selector */
+	    sp += sprintf(CS sp, "%d ", *p++); /* matchtype */
+	    while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+	      sp += sprintf(CS sp, "%02x", *p++);
+
+	    debug_printf(" %s\n", s);
+	    }
+	}
+      return OK;
+      }
+    log_write(0, LOG_MAIN,
+      "DANE error: TLSA lookup for %s not DNSSEC", host->name);
+    /*FALLTRHOUGH*/
+
+  case DNS_NODATA:	/* no TLSA RR for this lookup */
+  case DNS_NOMATCH:	/* no records at all for this lookup */
+    return dane_required ? FAIL : FAIL_FORCED;
+
+  default:
+  case DNS_FAIL:
+    return dane_required ? FAIL : DEFER;
+  }
+}
+#endif	/*SUPPORT_DANE*/
+
+
+
+/*************************************************
+**************************************************
+*             Stand-alone test program           *
+**************************************************
+*************************************************/
+
+#ifdef STAND_ALONE
+
+int main(int argc, char **cargv)
+{
+host_item h;
+int whichrrs = HOST_FIND_BY_MX | HOST_FIND_BY_A | HOST_FIND_BY_AAAA;
+BOOL byname = FALSE;
+BOOL qualify_single = TRUE;
+BOOL search_parents = FALSE;
+BOOL request_dnssec = FALSE;
+BOOL require_dnssec = FALSE;
+uschar **argv = USS cargv;
+uschar buffer[256];
+
+disable_ipv6 = FALSE;
+primary_hostname = US"";
+store_init();
+store_pool = POOL_MAIN;
+debug_selector = D_host_lookup|D_interface;
+debug_file = stdout;
+debug_fd = fileno(debug_file);
+
+printf("Exim stand-alone host functions test\n");
+
+host_find_interfaces();
+debug_selector = D_host_lookup | D_dns;
+
+if (argc > 1) primary_hostname = argv[1];
+
+/* So that debug level changes can be done first */
+
+dns_init(qualify_single, search_parents, FALSE);
+
+printf("Testing host lookup\n");
+printf("> ");
+while (Ufgets(buffer, 256, stdin) != NULL)
+  {
+  int rc;
+  int len = Ustrlen(buffer);
+  uschar *fully_qualified_name;
+
+  while (len > 0 && isspace(buffer[len-1])) len--;
+  buffer[len] = 0;
+
+  if (Ustrcmp(buffer, "q") == 0) break;
+
+  if (Ustrcmp(buffer, "byname") == 0) byname = TRUE;
+  else if (Ustrcmp(buffer, "no_byname") == 0) byname = FALSE;
+  else if (Ustrcmp(buffer, "a_only") == 0) whichrrs = HOST_FIND_BY_A | HOST_FIND_BY_AAAA;
+  else if (Ustrcmp(buffer, "mx_only") == 0) whichrrs = HOST_FIND_BY_MX;
+  else if (Ustrcmp(buffer, "srv_only") == 0) whichrrs = HOST_FIND_BY_SRV;
+  else if (Ustrcmp(buffer, "srv+a") == 0)
+    whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_A | HOST_FIND_BY_AAAA;
+  else if (Ustrcmp(buffer, "srv+mx") == 0)
+    whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX;
+  else if (Ustrcmp(buffer, "srv+mx+a") == 0)
+    whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX | HOST_FIND_BY_A | HOST_FIND_BY_AAAA;
+  else if (Ustrcmp(buffer, "qualify_single")    == 0) qualify_single = TRUE;
+  else if (Ustrcmp(buffer, "no_qualify_single") == 0) qualify_single = FALSE;
+  else if (Ustrcmp(buffer, "search_parents")    == 0) search_parents = TRUE;
+  else if (Ustrcmp(buffer, "no_search_parents") == 0) search_parents = FALSE;
+  else if (Ustrcmp(buffer, "request_dnssec")    == 0) request_dnssec = TRUE;
+  else if (Ustrcmp(buffer, "no_request_dnssec") == 0) request_dnssec = FALSE;
+  else if (Ustrcmp(buffer, "require_dnssec")    == 0) require_dnssec = TRUE;
+  else if (Ustrcmp(buffer, "no_require_dnssec") == 0) require_dnssec = FALSE;
+  else if (Ustrcmp(buffer, "test_harness") == 0)
+    f.running_in_test_harness = !f.running_in_test_harness;
+  else if (Ustrcmp(buffer, "ipv6") == 0) disable_ipv6 = !disable_ipv6;
+  else if (Ustrcmp(buffer, "res_debug") == 0)
+    {
+    _res.options ^= RES_DEBUG;
+    }
+  else if (Ustrncmp(buffer, "retrans", 7) == 0)
+    {
+    (void)sscanf(CS(buffer+8), "%d", &dns_retrans);
+    _res.retrans = dns_retrans;
+    }
+  else if (Ustrncmp(buffer, "retry", 5) == 0)
+    {
+    (void)sscanf(CS(buffer+6), "%d", &dns_retry);
+    _res.retry = dns_retry;
+    }
+  else
+    {
+    int flags = whichrrs;
+    dnssec_domains d;
+
+    h.name = buffer;
+    h.next = NULL;
+    h.mx = MX_NONE;
+    h.port = PORT_NONE;
+    h.status = hstatus_unknown;
+    h.why = hwhy_unknown;
+    h.address = NULL;
+
+    if (qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
+    if (search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
+
+    d.request = request_dnssec ? &h.name : NULL;
+    d.require = require_dnssec ? &h.name : NULL;
+
+    rc = byname
+      ? host_find_byname(&h, NULL, flags, &fully_qualified_name, TRUE)
+      : host_find_bydns(&h, NULL, flags, US"smtp", NULL, NULL,
+			&d, &fully_qualified_name, NULL);
+
+    switch (rc)
+      {
+      case HOST_FIND_FAILED:	printf("Failed\n");	break;
+      case HOST_FIND_AGAIN:	printf("Again\n");	break;
+      case HOST_FIND_SECURITY:	printf("Security\n");	break;
+      case HOST_FOUND_LOCAL:	printf("Local\n");	break;
+      }
+    }
+
+  printf("\n> ");
+  }
+
+printf("Testing host_aton\n");
+printf("> ");
+while (Ufgets(buffer, 256, stdin) != NULL)
+  {
+  int x[4];
+  int len = Ustrlen(buffer);
+
+  while (len > 0 && isspace(buffer[len-1])) len--;
+  buffer[len] = 0;
+
+  if (Ustrcmp(buffer, "q") == 0) break;
+
+  len = host_aton(buffer, x);
+  printf("length = %d ", len);
+  for (int i = 0; i < len; i++)
+    {
+    printf("%04x ", (x[i] >> 16) & 0xffff);
+    printf("%04x ", x[i] & 0xffff);
+    }
+  printf("\n> ");
+  }
+
+printf("\n");
+
+printf("Testing host_name_lookup\n");
+printf("> ");
+while (Ufgets(buffer, 256, stdin) != NULL)
+  {
+  int len = Ustrlen(buffer);
+  while (len > 0 && isspace(buffer[len-1])) len--;
+  buffer[len] = 0;
+  if (Ustrcmp(buffer, "q") == 0) break;
+  sender_host_address = buffer;
+  sender_host_name = NULL;
+  sender_host_aliases = NULL;
+  host_lookup_msg = US"";
+  host_lookup_failed = FALSE;
+  if (host_name_lookup() == FAIL)  /* Debug causes printing */
+    printf("Lookup failed:%s\n", host_lookup_msg);
+  printf("\n> ");
+  }
+
+printf("\n");
+
+return 0;
+}
+#endif  /* STAND_ALONE */
+
+/* vi: aw ai sw=2
+*/
+/* End of host.c */
diff --git a/src/imap_utf7.c b/src/imap_utf7.c
new file mode 100644
index 0000000..aac0fef
--- /dev/null
+++ b/src/imap_utf7.c
@@ -0,0 +1,211 @@
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "exim.h"
+
+#ifdef SUPPORT_I18N
+
+uschar *
+imap_utf7_encode(uschar *string, const uschar *charset, uschar sep,
+  uschar *specials, uschar **error)
+{
+static uschar encode_base64[64] =
+  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+,";
+size_t slen;
+uschar *sptr;
+gstring * yield = NULL;
+int i = 0;	/* compiler quietening */
+uschar c = 0;	/* compiler quietening */
+BOOL base64mode = FALSE;
+BOOL lastsep = FALSE;
+uschar utf16buf[256];
+uschar *utf16ptr;
+uschar *s;
+uschar outbuf[256];
+uschar *outptr = outbuf;
+#if HAVE_ICONV
+iconv_t icd;
+#endif
+
+if (!specials) specials = US"";
+
+/* Pass over the string. If it consists entirely of "normal" characters
+   (possibly with leading seps), return it as is. */
+for (s = string; *s; s++)
+  {
+  if (s == string && *s == sep)
+    string++;
+  if (  *s >= 0x7f
+     || *s < 0x20
+     || strchr("./&", *s)
+     || *s == sep
+     || Ustrchr(specials, *s)
+     )
+    break;
+  }
+
+if (!*s)
+  return string;
+
+sptr = string;
+slen = Ustrlen(string);
+
+#if HAVE_ICONV
+if ((icd = iconv_open("UTF-16BE", CCS charset)) == (iconv_t)-1)
+  {
+  *error = string_sprintf(
+	"imapfolder: iconv_open(\"UTF-16BE\", \"%s\") failed: %s%s",
+    charset, strerror(errno),
+    errno == EINVAL ? " (maybe unsupported conversion)" : "");
+  return NULL;
+  }
+#endif
+
+while (slen > 0)
+  {
+#if HAVE_ICONV
+  size_t left = sizeof(utf16buf);
+  utf16ptr = utf16buf;
+
+  if (  iconv(icd, (ICONV_ARG2_TYPE)&sptr, &slen, CSS &utf16ptr, &left)
+		== (size_t)-1
+     && errno != E2BIG
+	 )
+    {
+    *error = string_sprintf("imapfolder: iconv() failed to convert from %s: %s",
+			      charset, strerror(errno));
+    iconv_close(icd);
+    return NULL;
+    }
+#else
+  for (utf16ptr = utf16buf;
+       slen > 0 && (utf16ptr - utf16buf) < sizeof(utf16buf);
+       utf16ptr += 2, slen--, sptr++)
+    {
+    *utf16ptr = *sptr;
+    *(utf16ptr+1) = '\0';
+    }
+#endif
+
+  s = utf16buf;
+  while (s < utf16ptr)
+    {
+    /* Now encode utf16buf as modified UTF-7 */
+    if (  s[0] != 0
+       || s[1] >= 0x7f
+       || s[1] < 0x20
+       || (Ustrchr(specials, s[1]) && s[1] != sep)
+       )
+      {
+      lastsep = FALSE;
+      /* Encode as modified BASE64 */
+      if (!base64mode)
+        {
+        *outptr++ = '&';
+        base64mode = TRUE;
+        i = 0;
+        }
+
+      for (int j = 0; j < 2; j++, s++) switch (i++)
+	{
+	case 0:
+	  /* Top 6 bits of the first octet */
+	  *outptr++ = encode_base64[(*s >> 2) & 0x3F];
+	  c = (*s & 0x03); break;
+	case 1:
+	  /* Bottom 2 bits of the first octet, and top 4 bits of the second */
+	  *outptr++ = encode_base64[(c << 4) | ((*s >> 4) & 0x0F)];
+	  c = (*s & 0x0F); break;
+	case 2:
+	  /* Bottom 4 bits of the second octet and top 2 bits of the third */
+	  *outptr++ = encode_base64[(c << 2) | ((*s >> 6) & 0x03)];
+	  /* Bottom 6 bits of the third octet */
+	  *outptr++ = encode_base64[*s & 0x3F];
+	  i = 0;
+	}
+      }
+
+    else if (  (s[1] != '.' && s[1] != '/')
+	    || s[1] == sep
+	    )
+      {
+      /* Encode as self (almost) */
+      if (base64mode)
+        {
+        switch (i)
+          {
+          case 1:
+		/* Remaining bottom 2 bits of the last octet */
+		*outptr++ = encode_base64[c << 4];
+		break;
+	  case 2:
+		/* Remaining bottom 4 bits of the last octet */
+		*outptr++ = encode_base64[c << 2];
+	  }
+	*outptr++ = '-';
+	base64mode = FALSE;
+	}
+
+      if (*++s == sep)
+	{
+	if (!lastsep)
+	  {
+	  *outptr++ = '.';
+	  lastsep = TRUE;
+	  }
+	}
+      else
+        {
+        *outptr++ = *s;
+        if (*s == '&')
+	  *outptr++ = '-';
+	lastsep = FALSE;
+        }
+
+      s++;
+      }
+    else
+      {
+      *error = string_sprintf("imapfolder: illegal character '%c'", s[1]);
+      return NULL;
+      }
+
+    if (outptr > outbuf + sizeof(outbuf) - 3)
+      {
+      yield = string_catn(yield, outbuf, outptr - outbuf);
+      outptr = outbuf;
+      }
+
+    }
+  } /* End of input string */
+
+if (base64mode)
+  {
+  switch (i)
+    {
+    case 1:
+      /* Remaining bottom 2 bits of the last octet */
+      *outptr++ = encode_base64[c << 4];
+      break;
+    case 2:
+      /* Remaining bottom 4 bits of the last octet */
+      *outptr++ = encode_base64[c << 2];
+    }
+  *outptr++ = '-';
+  }
+
+#if HAVE_ICONV
+iconv_close(icd);
+#endif
+
+yield = string_catn(yield, outbuf, outptr - outbuf);
+
+if (yield->s[yield->ptr-1] == '.')
+  yield->ptr--;
+
+return string_from_gstring(yield);
+}
+
+#endif	/* whole file */
+/* vi: aw ai sw=2
+*/
diff --git a/src/ip.c b/src/ip.c
new file mode 100644
index 0000000..aa42343
--- /dev/null
+++ b/src/ip.c
@@ -0,0 +1,853 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 - 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions for doing things with sockets. With the advent of IPv6 this has
+got messier, so that it's worth pulling out the code into separate functions
+that other parts of Exim can call, especially as there are now several
+different places in the code where sockets are used. */
+
+
+#include "exim.h"
+
+
+#if defined(TCP_FASTOPEN)
+# if defined(MSG_FASTOPEN) || defined(EXIM_TFO_CONNECTX) || defined(EXIM_TFO_FREEBSD)
+#  define EXIM_SUPPORT_TFO
+# endif
+#endif
+
+/*************************************************
+*             Create a socket                    *
+*************************************************/
+
+/* Socket creation happens in a number of places so it's packaged here for
+convenience.
+
+Arguments:
+  type       SOCK_DGRAM or SOCK_STREAM
+  af         AF_INET or AF_INET6
+
+Returns:     socket number or -1 on failure
+*/
+
+int
+ip_socket(int type, int af)
+{
+int sock = socket(af, type, 0);
+if (sock < 0)
+  log_write(0, LOG_MAIN, "IPv%c socket creation failed: %s",
+    (af == AF_INET6)? '6':'4', strerror(errno));
+return sock;
+}
+
+
+
+
+#if HAVE_IPV6
+/*************************************************
+*      Convert printing address to numeric       *
+*************************************************/
+
+/* This function converts the textual form of an IP address into a numeric form
+in an appropriate structure in an IPv6 environment. The getaddrinfo() function
+can (apparently) handle more complicated addresses (e.g. those containing
+scopes) than inet_pton() in some environments. We use hints to tell it that the
+input must be a numeric address.
+
+However, apparently some operating systems (or libraries) don't support
+getaddrinfo(), so there is a build-time option to revert to inet_pton() (which
+does not support scopes).
+
+Arguments:
+  address     textual form of the address
+  addr        where to copy back the answer
+
+Returns:      nothing - failure provokes a panic-die
+*/
+
+static void
+ip_addrinfo(const uschar *address, struct sockaddr_in6 *saddr)
+{
+#ifdef IPV6_USE_INET_PTON
+
+  if (inet_pton(AF_INET6, CCS address, &saddr->sin6_addr) != 1)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to parse \"%s\" as an "
+      "IP address", address);
+  saddr->sin6_family = AF_INET6;
+
+#else
+
+  int rc;
+  struct addrinfo hints, *res;
+  memset(&hints, 0, sizeof(hints));
+  hints.ai_family = AF_INET6;
+  hints.ai_socktype = SOCK_STREAM;
+  hints.ai_flags = AI_NUMERICHOST;
+  if ((rc = getaddrinfo(CCS address, NULL, &hints, &res)) != 0 || res == NULL)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to parse \"%s\" as an "
+      "IP address: %s", address,
+      (rc == 0)? "NULL result returned" : gai_strerror(rc));
+  memcpy(saddr, res->ai_addr, res->ai_addrlen);
+  freeaddrinfo(res);
+
+#endif
+}
+#endif  /* HAVE_IPV6 */
+
+
+/*************************************************
+*         Bind socket to interface and port      *
+*************************************************/
+
+int
+ip_addr(void * sin_, int af, const uschar * address, int port)
+{
+union sockaddr_46 * sin = sin_;
+memset(sin, 0, sizeof(*sin));
+
+/* Setup code when using an IPv6 socket. The wildcard address is ":", to
+ensure an IPv6 socket is used. */
+
+#if HAVE_IPV6
+if (af == AF_INET6)
+  {
+  if (address[0] == ':' && address[1] == 0)
+    {
+    sin->v6.sin6_family = AF_INET6;
+    sin->v6.sin6_addr = in6addr_any;
+    }
+  else
+    ip_addrinfo(address, &sin->v6);  /* Panic-dies on error */
+  sin->v6.sin6_port = htons(port);
+  return sizeof(sin->v6);
+  }
+else
+#endif    /* HAVE_IPV6 */
+
+/* Setup code when using IPv4 socket. The wildcard address is "". */
+
+  {
+  sin->v4.sin_family = AF_INET;
+  sin->v4.sin_port = htons(port);
+  sin->v4.sin_addr.s_addr = address[0] == 0
+    ? (S_ADDR_TYPE)INADDR_ANY
+    : (S_ADDR_TYPE)inet_addr(CS address);
+  return sizeof(sin->v4);
+  }
+}
+
+
+
+/* This function binds a socket to a local interface address and port. For a
+wildcard IPv6 bind, the address is ":".
+
+Arguments:
+  sock           the socket
+  af             AF_INET or AF_INET6 - the socket type
+  address        the IP address, in text form
+  port           the IP port (host order)
+
+Returns:         the result of bind()
+*/
+
+int
+ip_bind(int sock, int af, uschar *address, int port)
+{
+union sockaddr_46 sin;
+int s_len = ip_addr(&sin, af, address, port);
+return bind(sock, (struct sockaddr *)&sin, s_len);
+}
+
+
+
+/*************************************************
+*        Connect socket to remote host           *
+*************************************************/
+
+/* This function connects a socket to a remote address and port. The socket may
+or may not have previously been bound to a local interface. The socket is not
+closed, even in cases of error. It is expected that the calling function, which
+created the socket, will be the one that closes it.
+
+Arguments:
+  sock        the socket
+  af          AF_INET6 or AF_INET for the socket type
+  address     the remote address, in text form
+  port        the remote port
+  timeout     a timeout (zero for indefinite timeout)
+  fastopen_blob    non-null iff TCP_FASTOPEN can be used; may indicate early-data to
+		be sent in SYN segment.  Any such data must be idempotent.
+
+Returns:      0 on success; -1 on failure, with errno set
+*/
+
+int
+ip_connect(int sock, int af, const uschar *address, int port, int timeout,
+  const blob * fastopen_blob)
+{
+struct sockaddr_in s_in4;
+struct sockaddr *s_ptr;
+int s_len, rc, save_errno;
+
+/* For an IPv6 address, use an IPv6 sockaddr structure. */
+
+#if HAVE_IPV6
+struct sockaddr_in6 s_in6;
+if (af == AF_INET6)
+  {
+  memset(&s_in6, 0, sizeof(s_in6));
+  ip_addrinfo(address, &s_in6);   /* Panic-dies on error */
+  s_in6.sin6_port = htons(port);
+  s_ptr = (struct sockaddr *)&s_in6;
+  s_len = sizeof(s_in6);
+  }
+else
+#endif    /* HAVE_IPV6 */
+
+/* For an IPv4 address, use an IPv4 sockaddr structure, even on a system with
+IPv6 support. */
+
+  {
+  memset(&s_in4, 0, sizeof(s_in4));
+  s_in4.sin_family = AF_INET;
+  s_in4.sin_port = htons(port);
+  s_in4.sin_addr.s_addr = (S_ADDR_TYPE)inet_addr(CCS address);
+  s_ptr = (struct sockaddr *)&s_in4;
+  s_len = sizeof(s_in4);
+  }
+
+/* If no connection timeout is set, just call connect() without setting a
+timer, thereby allowing the inbuilt OS timeout to operate. */
+
+callout_address = string_sprintf("[%s]:%d", address, port);
+sigalrm_seen = FALSE;
+if (timeout > 0) ALARM(timeout);
+
+#ifdef EXIM_SUPPORT_TFO
+/* TCP Fast Open, if the system has a cookie from a previous call to
+this peer, can send data in the SYN packet.  The peer can send data
+before it gets our ACK of its SYN,ACK - the latter is useful for
+the SMTP banner.  Other (than SMTP) cases of TCP connections can
+possibly use the data-on-syn, so support that too. */
+
+if (fastopen_blob && f.tcp_fastopen_ok)
+  {
+# ifdef MSG_FASTOPEN
+  /* This is a Linux implementation. */
+
+  if ((rc = sendto(sock, fastopen_blob->data, fastopen_blob->len,
+		    MSG_FASTOPEN | MSG_DONTWAIT, s_ptr, s_len)) >= 0)
+	/* seen for with-data, experimental TFO option, with-cookie case */
+	/* seen for with-data, proper TFO opt, with-cookie case */
+    {
+    DEBUG(D_transport|D_v)
+      debug_printf(" TFO mode connection attempt to %s, %lu data\n",
+	address, (unsigned long)fastopen_blob->len);
+    /*XXX also seen on successful TFO, sigh */
+    tcp_out_fastopen = fastopen_blob->len > 0 ?  TFO_ATTEMPTED_DATA : TFO_ATTEMPTED_NODATA;
+    }
+  else switch (errno)
+    {
+    case EINPROGRESS:	/* expected if we had no cookie for peer */
+	/* seen for no-data, proper TFO option, both cookie-request and with-cookie cases */
+	/*  apparently no visibility of the diffference at this point */
+	/* seen for with-data, proper TFO opt, cookie-req */
+	/*   with netwk delay, post-conn tcp_info sees unacked 1 for R, 2 for C; code in smtp_out.c */
+	/* ? older Experimental TFO option behaviour ? */
+      DEBUG(D_transport|D_v) debug_printf(" TFO mode sendto, %s data: EINPROGRESS\n",
+	fastopen_blob->len > 0 ? "with"  : "no");
+      if (!fastopen_blob->data)
+	{
+	tcp_out_fastopen = TFO_ATTEMPTED_NODATA;		/* we tried; unknown if useful yet */
+	rc = 0;
+	}
+      else					/* queue unsent data */
+	rc = send(sock, fastopen_blob->data, fastopen_blob->len, 0);
+      break;
+
+    case EOPNOTSUPP:
+      DEBUG(D_transport)
+	debug_printf("Tried TCP Fast Open but apparently not enabled by sysctl\n");
+      goto legacy_connect;
+
+    case EPIPE:
+      DEBUG(D_transport)
+	debug_printf("Tried TCP Fast Open but kernel too old to support it\n");
+      goto legacy_connect;
+    }
+
+# elif defined(EXIM_TFO_FREEBSD)
+  /* Re: https://people.freebsd.org/~pkelsey/tfo-tools/tfo-client.c */
+
+  if (setsockopt(sock, IPPROTO_TCP, TCP_FASTOPEN, &on, sizeof(on)) < 0)
+    {
+    DEBUG(D_transport)
+      debug_printf("Tried TCP Fast Open but apparently not enabled by sysctl\n");
+    goto legacy_connect;
+    }
+  if ((rc = sendto(sock, fastopen_blob->data, fastopen_blob->len, 0,
+		    s_ptr, s_len)) >= 0)
+    {
+    DEBUG(D_transport|D_v)
+      debug_printf(" TFO mode connection attempt to %s, %lu data\n",
+	address, (unsigned long)fastopen_blob->len);
+    tcp_out_fastopen = fastopen_blob->len > 0 ?  TFO_ATTEMPTED_DATA : TFO_ATTEMPTED_NODATA;
+    }
+
+# elif defined(EXIM_TFO_CONNECTX)
+  /* MacOS */
+  sa_endpoints_t ends = {
+    .sae_srcif = 0, .sae_srcaddr = NULL, .sae_srcaddrlen = 0,
+    .sae_dstaddr = s_ptr, .sae_dstaddrlen = s_len };
+  struct iovec iov = {
+    .iov_base = fastopen_blob->data, .iov_len = fastopen_blob->len };
+  size_t len;
+
+  if ((rc = connectx(sock, &ends, SAE_ASSOCID_ANY,
+	     CONNECT_DATA_IDEMPOTENT, &iov, 1, &len, NULL)) == 0)
+    {
+    DEBUG(D_transport|D_v)
+      debug_printf(" TFO mode connection attempt to %s, %lu data\n",
+	address, (unsigned long)fastopen_blob->len);
+    tcp_out_fastopen = fastopen_blob->len > 0 ?  TFO_ATTEMPTED_DATA : TFO_ATTEMPTED_NODATA;
+
+    if (len != fastopen_blob->len)
+      DEBUG(D_transport|D_v)
+	debug_printf(" only queued %lu data!\n", (unsigned long)len);
+    }
+  else if (errno == EINPROGRESS)
+    {
+    DEBUG(D_transport|D_v) debug_printf(" TFO mode connectx, %s data: EINPROGRESS\n",
+      fastopen_blob->len > 0 ? "with"  : "no");
+    if (!fastopen_blob->data)
+      {
+      tcp_out_fastopen = TFO_ATTEMPTED_NODATA;		/* we tried; unknown if useful yet */
+      rc = 0;
+      }
+    else	/* assume that no data was queued; block in send */
+      rc = send(sock, fastopen_blob->data, fastopen_blob->len, 0);
+    }
+# endif
+  }
+else
+#endif	/*EXIM_SUPPORT_TFO*/
+  {
+#if defined(EXIM_SUPPORT_TFO) && !defined(EXIM_TFO_CONNECTX)
+legacy_connect:
+#endif
+
+  DEBUG(D_transport|D_v) if (fastopen_blob)
+    debug_printf(" non-TFO mode connection attempt to %s, %lu data\n",
+      address, (unsigned long)fastopen_blob->len);
+  if ((rc = connect(sock, s_ptr, s_len)) >= 0)
+    if (  fastopen_blob && fastopen_blob->data && fastopen_blob->len
+       && send(sock, fastopen_blob->data, fastopen_blob->len, 0) < 0)
+	rc = -1;
+  }
+
+save_errno = errno;
+ALARM_CLR(0);
+
+/* There is a testing facility for simulating a connection timeout, as I
+can't think of any other way of doing this. It converts a connection refused
+into a timeout if the timeout is set to 999999. */
+
+if (f.running_in_test_harness  && save_errno == ECONNREFUSED && timeout == 999999)
+  {
+  rc = -1;
+  save_errno = EINTR;
+  sigalrm_seen = TRUE;
+  }
+
+/* Success */
+
+if (rc >= 0)
+  return 0;
+
+/* A failure whose error code is "Interrupted system call" is in fact
+an externally applied timeout if the signal handler has been run. */
+
+errno = save_errno == EINTR && sigalrm_seen ? ETIMEDOUT : save_errno;
+return -1;
+}
+
+
+
+/*************************************************
+*    Create connected socket to remote host      *
+*************************************************/
+
+/* Create a socket and connect to host (name or number, ipv6 ok)
+   at one of port-range.
+
+Arguments:
+  type          SOCK_DGRAM or SOCK_STREAM
+  af            AF_INET6 or AF_INET for the socket type
+  hostname	host name, or ip address (as text)
+  portlo,porthi the remote port range
+  timeout       a timeout
+  connhost	if not NULL, host_item to be filled in with connection details
+  errstr        pointer for allocated string on error
+  fastopen_blob	with SOCK_STREAM, if non-null, request TCP Fast Open.
+		Additionally, optional idempotent early-data to send
+
+Return:
+  socket fd, or -1 on failure (having allocated an error string)
+*/
+int
+ip_connectedsocket(int type, const uschar * hostname, int portlo, int porthi,
+      int timeout, host_item * connhost, uschar ** errstr, const blob * fastopen_blob)
+{
+int namelen;
+host_item shost;
+int af = 0, fd, fd4 = -1, fd6 = -1;
+
+shost.next = NULL;
+shost.address = NULL;
+shost.port = portlo;
+shost.mx = -1;
+
+namelen = Ustrlen(hostname);
+
+/* Anything enclosed in [] must be an IP address. */
+
+if (hostname[0] == '[' &&
+    hostname[namelen - 1] == ']')
+  {
+  uschar * host = string_copyn(hostname+1, namelen-2);
+  if (string_is_ip_address(host, NULL) == 0)
+    {
+    *errstr = string_sprintf("malformed IP address \"%s\"", hostname);
+    return -1;
+    }
+  shost.name = shost.address = host;
+  }
+
+/* Otherwise check for an unadorned IP address */
+
+else if (string_is_ip_address(hostname, NULL) != 0)
+  shost.name = shost.address = string_copyn(hostname, namelen);
+
+/* Otherwise lookup IP address(es) from the name */
+
+else
+  {
+  shost.name = string_copyn(hostname, namelen);
+  if (host_find_byname(&shost, NULL, HOST_FIND_QUALIFY_SINGLE,
+      NULL, FALSE) != HOST_FOUND)
+    {
+    *errstr = string_sprintf("no IP address found for host %s", shost.name);
+    return -1;
+    }
+  }
+
+/* Try to connect to the server - test each IP till one works */
+
+for (host_item * h = &shost; h; h = h->next)
+  {
+  fd = Ustrchr(h->address, ':') != 0
+    ? fd6 < 0 ? (fd6 = ip_socket(type, af = AF_INET6)) : fd6
+    : fd4 < 0 ? (fd4 = ip_socket(type, af = AF_INET )) : fd4;
+
+  if (fd < 0)
+    {
+    *errstr = string_sprintf("failed to create socket: %s", strerror(errno));
+    goto bad;
+    }
+
+  for (int port = portlo; port <= porthi; port++)
+    if (ip_connect(fd, af, h->address, port, timeout, fastopen_blob) == 0)
+      {
+      if (fd6 >= 0 && fd != fd6) close(fd6);
+      if (fd4 >= 0 && fd != fd4) close(fd4);
+      if (connhost)
+	{
+	h->port = port;
+	*connhost = *h;
+	connhost->next = NULL;
+	}
+      return fd;
+      }
+  }
+
+*errstr = string_sprintf("failed to connect to any address for %s: %s",
+  hostname, strerror(errno));
+
+bad:
+  close(fd4); close(fd6); return -1;
+}
+
+
+/*XXX TFO? */
+int
+ip_tcpsocket(const uschar * hostport, uschar ** errstr, int tmo,
+  host_item * connhost)
+{
+int scan;
+uschar hostname[256];
+unsigned int portlow, porthigh;
+
+/* extract host and port part */
+scan = sscanf(CS hostport, "%255s %u-%u", hostname, &portlow, &porthigh);
+if (scan != 3)
+  {
+  if (scan != 2)
+    {
+    *errstr = string_sprintf("invalid socket '%s'", hostport);
+    return -1;
+    }
+  porthigh = portlow;
+  }
+
+return ip_connectedsocket(SOCK_STREAM, hostname, portlow, porthigh,
+			  tmo, connhost, errstr, NULL);
+}
+
+int
+ip_unixsocket(const uschar * path, uschar ** errstr)
+{
+int sock;
+struct sockaddr_un server;
+
+if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
+  {
+  *errstr = US"can't open UNIX socket.";
+  return -1;
+  }
+
+callout_address = string_copy(path);
+server.sun_family = AF_UNIX;
+Ustrncpy(US server.sun_path, path, sizeof(server.sun_path)-1);
+server.sun_path[sizeof(server.sun_path)-1] = '\0';
+if (connect(sock, (struct sockaddr *) &server, sizeof(server)) < 0)
+  {
+  int err = errno;
+  (void)close(sock);
+  *errstr = string_sprintf("unable to connect to UNIX socket (%s): %s",
+		path, strerror(err));
+  return -1;
+  }
+return sock;
+}
+
+/* spec is either an absolute path (with a leading /), or
+a host (name or IP) and port (whitespace-separated).
+The port can be a range, dash-separated, or a single number.
+
+For a TCP socket, optionally fill in a  host_item.
+*/
+int
+ip_streamsocket(const uschar * spec, uschar ** errstr, int tmo,
+  host_item * connhost)
+{
+return *spec == '/'
+  ? ip_unixsocket(spec, errstr) : ip_tcpsocket(spec, errstr, tmo, connhost);
+}
+
+/*************************************************
+*         Set keepalive on a socket              *
+*************************************************/
+
+/* Can be called for both incoming and outgoing sockets.
+
+Arguments:
+  sock       the socket
+  address    the remote host address, for failure logging
+  torf       true for outgoing connection, false for incoming
+
+Returns:     nothing
+*/
+
+void
+ip_keepalive(int sock, const uschar *address, BOOL torf)
+{
+int fodder = 1;
+if (setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE,
+    US (&fodder), sizeof(fodder)) != 0)
+  log_write(0, LOG_MAIN, "setsockopt(SO_KEEPALIVE) on connection %s %s "
+    "failed: %s", torf? "to":"from", address, strerror(errno));
+}
+
+
+
+/*************************************************
+*         Receive from a socket with timeout     *
+*************************************************/
+
+/*
+Arguments:
+  fd          the file descriptor
+  timelimit   the timeout endpoint, seconds-since-epoch
+Returns:      TRUE => ready for i/o
+              FALSE => timed out, or other error
+*/
+BOOL
+fd_ready(int fd, time_t timelimit)
+{
+int rc, time_left = timelimit - time(NULL);
+
+if (time_left <= 0)
+  {
+  errno = ETIMEDOUT;
+  return FALSE;
+  }
+/* Wait until the socket is ready */
+
+do
+  {
+  /*DEBUG(D_transport) debug_printf("waiting for data on fd\n");*/
+  rc = poll_one_fd(fd, POLLIN, time_left * 1000);
+
+  /* If some interrupt arrived, just retry. We presume this to be rare,
+  but it can happen (e.g. the SIGUSR1 signal sent by exiwhat causes
+  select() to exit).
+
+  Aug 2004: Somebody set up a cron job that ran exiwhat every 2 minutes, making
+  the interrupt not at all rare. Since the timeout is typically more than 2
+  minutes, the effect was to block the timeout completely. To prevent this
+  happening again, we do an explicit time test and adjust the timeout
+  accordingly */
+
+  if (rc < 0 && errno == EINTR)
+    {
+    DEBUG(D_transport) debug_printf("EINTR while waiting for socket data\n");
+
+    /* Watch out, 'continue' jumps to the condition, not to the loops top */
+    if ((time_left = timelimit - time(NULL)) > 0) continue;
+    }
+
+  if (rc <= 0)
+    {
+    errno = ETIMEDOUT;
+    return FALSE;
+    }
+
+  /* Checking the FD_ISSET is not enough, if we're interrupted, the
+  select_inset may still contain the 'input'. */
+  }
+while (rc < 0);
+return TRUE;
+}
+
+/* The timeout is implemented using select(), and we loop to cover select()
+getting interrupted, and the possibility of select() returning with a positive
+result but no ready descriptor. Is this in fact possible?
+
+Arguments:
+  cctx        the connection context (socket fd, possibly TLS context)
+  buffer      to read into
+  bufsize     the buffer size
+  timelimit   the timeout endpoint, seconds-since-epoch
+
+Returns:      > 0 => that much data read
+              <= 0 on error or EOF; errno set - zero for EOF
+*/
+
+int
+ip_recv(client_conn_ctx * cctx, uschar * buffer, int buffsize, time_t timelimit)
+{
+int rc;
+
+if (!fd_ready(cctx->sock, timelimit))
+  return -1;
+
+/* The socket is ready, read from it (via TLS if it's active). On EOF (i.e.
+close down of the connection), set errno to zero; otherwise leave it alone. */
+
+#ifndef DISABLE_TLS
+if (cctx->tls_ctx)					/* client TLS */
+  rc = tls_read(cctx->tls_ctx, buffer, buffsize);
+else if (tls_in.active.sock == cctx->sock)		/* server TLS */
+  rc = tls_read(NULL, buffer, buffsize);
+else
+#endif
+  rc = recv(cctx->sock, buffer, buffsize, 0);
+
+if (rc > 0) return rc;
+if (rc == 0) errno = 0;
+return -1;
+}
+
+
+
+
+/*************************************************
+*    Lookup address family of potential socket   *
+*************************************************/
+
+/* Given a file-descriptor, check to see if it's a socket and, if so,
+return the address family; detects IPv4 vs IPv6.  If not a socket then
+return -1.
+
+The value 0 is typically AF_UNSPEC, which should not be seen on a connected
+fd.  If the return is -1, the errno will be from getsockname(); probably
+ENOTSOCK or ECONNRESET.
+
+Arguments:     socket-or-not fd
+Returns:       address family or -1
+*/
+
+int
+ip_get_address_family(int fd)
+{
+struct sockaddr_storage ss;
+socklen_t sslen = sizeof(ss);
+
+if (getsockname(fd, (struct sockaddr *) &ss, &sslen) < 0)
+  return -1;
+
+return (int) ss.ss_family;
+}
+
+
+
+
+/*************************************************
+*       Lookup DSCP settings for a socket        *
+*************************************************/
+
+struct dscp_name_tableentry {
+  const uschar *name;
+  int value;
+};
+/* Keep both of these tables sorted! */
+static struct dscp_name_tableentry dscp_table[] = {
+#ifdef IPTOS_DSCP_AF11
+    { CUS"af11", IPTOS_DSCP_AF11 },
+    { CUS"af12", IPTOS_DSCP_AF12 },
+    { CUS"af13", IPTOS_DSCP_AF13 },
+    { CUS"af21", IPTOS_DSCP_AF21 },
+    { CUS"af22", IPTOS_DSCP_AF22 },
+    { CUS"af23", IPTOS_DSCP_AF23 },
+    { CUS"af31", IPTOS_DSCP_AF31 },
+    { CUS"af32", IPTOS_DSCP_AF32 },
+    { CUS"af33", IPTOS_DSCP_AF33 },
+    { CUS"af41", IPTOS_DSCP_AF41 },
+    { CUS"af42", IPTOS_DSCP_AF42 },
+    { CUS"af43", IPTOS_DSCP_AF43 },
+    { CUS"ef", IPTOS_DSCP_EF },
+#endif
+#ifdef IPTOS_LOWCOST
+    { CUS"lowcost", IPTOS_LOWCOST },
+#endif
+    { CUS"lowdelay", IPTOS_LOWDELAY },
+#ifdef IPTOS_MINCOST
+    { CUS"mincost", IPTOS_MINCOST },
+#endif
+    { CUS"reliability", IPTOS_RELIABILITY },
+    { CUS"throughput", IPTOS_THROUGHPUT }
+};
+static int dscp_table_size =
+  sizeof(dscp_table) / sizeof(struct dscp_name_tableentry);
+
+/* DSCP values change by protocol family, and so do the options used for
+setsockopt(); this utility does all the lookups.  It takes an unexpanded
+option string, expands it, strips off affix whitespace, then checks if it's
+a number.  If all of what's left is a number, then that's how the option will
+be parsed and success/failure is a range check.  If it's not all a number,
+then it must be a supported keyword.
+
+Arguments:
+  dscp_name   a string, so far unvalidated
+  af          address_family in use
+  level       setsockopt level to use
+  optname     setsockopt name to use
+  dscp_value  value for dscp_name
+
+Returns: TRUE if okay to setsockopt(), else FALSE
+
+*level and *optname may be set even if FALSE is returned
+*/
+
+BOOL
+dscp_lookup(const uschar *dscp_name, int af,
+    int *level, int *optname, int *dscp_value)
+{
+uschar *dscp_lookup, *p;
+int first, last;
+long rawlong;
+
+if (af == AF_INET)
+  {
+  *level = IPPROTO_IP;
+  *optname = IP_TOS;
+  }
+#if HAVE_IPV6 && defined(IPV6_TCLASS)
+else if (af == AF_INET6)
+  {
+  *level = IPPROTO_IPV6;
+  *optname = IPV6_TCLASS;
+  }
+#endif
+else
+  {
+  DEBUG(D_transport)
+    debug_printf("Unhandled address family %d in dscp_lookup()\n", af);
+  return FALSE;
+  }
+if (!dscp_name)
+  {
+  DEBUG(D_transport)
+    debug_printf("[empty DSCP]\n");
+  return FALSE;
+  }
+dscp_lookup = expand_string(US dscp_name);
+if (dscp_lookup == NULL || *dscp_lookup == '\0')
+  return FALSE;
+
+p = dscp_lookup + Ustrlen(dscp_lookup) - 1;
+while (isspace(*p)) *p-- = '\0';
+while (isspace(*dscp_lookup) && dscp_lookup < p) dscp_lookup++;
+if (*dscp_lookup == '\0')
+  return FALSE;
+
+rawlong = Ustrtol(dscp_lookup, &p, 0);
+if (p != dscp_lookup && *p == '\0')
+  {
+  /* We have six bits available, which will end up shifted to fit in 0xFC mask.
+  RFC 2597 defines the values unshifted. */
+  if (rawlong < 0 || rawlong > 0x3F)
+    {
+    DEBUG(D_transport)
+      debug_printf("DSCP value %ld out of range, ignored.\n", rawlong);
+    return FALSE;
+    }
+  *dscp_value = rawlong << 2;
+  return TRUE;
+  }
+
+first = 0;
+last = dscp_table_size;
+while (last > first)
+  {
+  int middle = (first + last)/2;
+  int c = Ustrcmp(dscp_lookup, dscp_table[middle].name);
+  if (c == 0)
+    {
+    *dscp_value = dscp_table[middle].value;
+    return TRUE;
+    }
+  else if (c > 0)
+    first = middle + 1;
+  else
+    last = middle;
+  }
+return FALSE;
+}
+
+void
+dscp_list_to_stream(FILE *stream)
+{
+for (int i = 0; i < dscp_table_size; ++i)
+  fprintf(stream, "%s\n", dscp_table[i].name);
+}
+
+
+/* End of ip.c */
+/* vi: aw ai sw=2
+*/
diff --git a/src/local_scan.c b/src/local_scan.c
new file mode 100644
index 0000000..7a3bae7
--- /dev/null
+++ b/src/local_scan.c
@@ -0,0 +1,64 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) The Exim Maintainers 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/******************************************************************************
+This file contains a template local_scan() function that just returns ACCEPT.
+If you want to implement your own version, you should copy this file to, say
+Local/local_scan.c, and edit the copy. To use your version instead of the
+default, you must set
+
+HAVE_LOCAL_SCAN=yes
+LOCAL_SCAN_SOURCE=Local/local_scan.c
+
+in your Local/Makefile. This makes it easy to copy your version for use with
+subsequent Exim releases.
+
+For a full description of the API to this function, see the Exim specification.
+******************************************************************************/
+
+
+/* This is the only Exim header that you should include. The effect of
+including any other Exim header is not defined, and may change from release to
+release. Use only the documented interface! */
+
+#include "local_scan.h"
+
+
+/* This is a "do-nothing" version of a local_scan() function. The arguments
+are:
+
+  fd             The file descriptor of the open -D file, which contains the
+                   body of the message. The file is open for reading and
+                   writing, but modifying it is dangerous and not recommended.
+
+  return_text    A pointer to an unsigned char* variable which you can set in
+                   order to return a text string. It is initialized to NULL.
+
+The return values of this function are:
+
+  LOCAL_SCAN_ACCEPT
+                 The message is to be accepted. The return_text argument is
+                   saved in $local_scan_data.
+
+  LOCAL_SCAN_REJECT
+                 The message is to be rejected. The returned text is used
+                   in the rejection message.
+
+  LOCAL_SCAN_TEMPREJECT
+                 This specifies a temporary rejection. The returned text
+                   is used in the rejection message.
+*/
+
+int
+local_scan(int fd, uschar **return_text)
+{
+return LOCAL_SCAN_ACCEPT;
+}
+
+/* End of local_scan.c */
diff --git a/src/local_scan.h b/src/local_scan.h
new file mode 100644
index 0000000..c609a27
--- /dev/null
+++ b/src/local_scan.h
@@ -0,0 +1,239 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This file is the header that is the only Exim header to be included in the
+source for the local_scan.c() function. It contains definitions that are made
+available for use in that function, and which are documented.  That source
+should first #define LOCAL_SCAN
+
+Not every definition that becomes available to the compiler by the inclusion
+of this file is part of the local_scan API.  The "Adding a local scan function
+to Exim" chapter in the documentation is definitive.
+
+This API is also used for functions called by the ${dlfunc expansion item.
+Source for those should first #define DLFUNC_IMPL and then include this file.
+Coders of dlfunc routines should read the notes on tainting at the start of
+store.c
+*/
+
+
+/* Some basic types that make some things easier, the Exim configuration
+settings, and the store functions. */
+
+#include <stdarg.h>
+#include <sys/types.h>
+#include "config.h"
+#include "mytypes.h"
+#include "store.h"
+
+
+/* Some people (Marc Merlin et al) are maintaining a patch that allows for
+dynamic local_scan() libraries. This code is not yet in Exim proper, but it
+helps the maintainers if we keep their ABI version numbers here. This may
+mutate into more general support later. The major number is increased when the
+ABI is changed in a non backward compatible way. The minor number is increased
+each time a new feature is added (in a way that doesn't break backward
+compatibility). */
+
+#define LOCAL_SCAN_ABI_VERSION_MAJOR 6
+#define LOCAL_SCAN_ABI_VERSION_MINOR 0
+#define LOCAL_SCAN_ABI_VERSION \
+  LOCAL_SCAN_ABI_VERSION_MAJOR.LOCAL_SCAN_ABI_VERSION_MINOR
+
+
+
+/* The function and its return codes. */
+
+extern int local_scan(int, uschar **);
+
+enum {
+  LOCAL_SCAN_ACCEPT,              /* Accept */
+  LOCAL_SCAN_ACCEPT_FREEZE,       /* Accept, but freeze */
+  LOCAL_SCAN_ACCEPT_QUEUE,        /* Accept, but no immediate delivery */
+  LOCAL_SCAN_REJECT,              /* Permanent rejection */
+  LOCAL_SCAN_REJECT_NOLOGHDR,     /* Permanent rejection, no log header */
+  LOCAL_SCAN_TEMPREJECT,          /* Temporary rejection */
+  LOCAL_SCAN_TEMPREJECT_NOLOGHDR  /* Temporary rejection, no log header */
+};
+
+
+/* Functions called by ${dlfunc{file}{func}{arg}...} return one of the five
+status codes defined immediately below. The function's first argument is either
+the result of expansion, or the error message in case of failure. The second
+and third arguments are standard argument count and vector, comprising the
+{arg} values specified in the expansion item. */
+
+typedef int exim_dlfunc_t(uschar **yield, int argc, uschar *argv[]);
+
+
+/* Return codes from the support functions lss_match_xxx(). These are also the
+codes that dynamically-loaded ${dlfunc functions must return. */
+
+#define  OK            0          /* Successful match */
+#define  DEFER         1          /* Defer - some problem */
+#define  FAIL          2          /* Matching failed */
+#define  ERROR         3          /* Internal or config error */
+
+/* Extra return code for ${dlfunc functions */
+
+#define  FAIL_FORCED   4          /* "Forced" failure */
+
+
+/* Available logging destinations */
+
+#define LOG_MAIN        1    /* Write to the main log */
+#define LOG_PANIC       2    /* Write to the panic log */
+#define LOG_REJECT     16    /* Write to the reject log, with headers */
+
+
+/* Accessible debugging bits */
+
+#define D_v                          0x00000001
+#define D_local_scan                 0x00000002
+
+
+/* Option types that can be used for local_scan_options. The boolean ones
+MUST be last so that they are contiguous with the internal boolean specials. */
+
+enum { opt_stringptr, opt_int, opt_octint, opt_mkint, opt_Kint, opt_fixed,
+  opt_time, opt_bool };
+
+
+/* The length of message identification strings. This is the id used internally
+by exim. The external version for use in Received: strings has a leading 'E'
+added to ensure it starts with a letter. */
+
+#define MESSAGE_ID_LENGTH 16
+
+/* The offset to the start of the data in the data file - this allows for
+the name of the data file to be present in the first line. */
+
+#define SPOOL_DATA_START_OFFSET (MESSAGE_ID_LENGTH+3)
+
+/* Structure definitions that are documented as visible in the function. */
+
+typedef struct header_line {
+  struct header_line *next;
+  int    type;
+  int    slen;
+  uschar *text;
+} header_line;
+
+/* Entries in lists options are in this form. */
+
+typedef struct {
+  const char *	name; /* should have been uschar but too late now */
+  int		type;
+  union {
+    void *	value;
+    long	offset;
+    void (*	fn)();
+  } v;
+} optionlist;
+#define OPT_OFF(s, field) {.offset = offsetof(s, field)}
+
+/* Structure for holding information about an envelope address. The errors_to
+field is always NULL except for one_time aliases that had errors_to on the
+routers that generated them. */
+
+typedef struct recipient_item {
+  uschar *address;              /* the recipient address */
+  int     pno;                  /* parent number for "one_time" alias, or -1 */
+  uschar *errors_to;            /* the errors_to address or NULL */
+  uschar *orcpt;                /* DSN orcpt */
+  int     dsn_flags;            /* DSN flags */
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+  uschar *bmi_optin;
+#endif
+} recipient_item;
+
+
+/* Global variables that are documented as visible in the function. */
+
+extern unsigned int debug_selector;    /* Debugging bits */
+
+extern int     body_linecount;         /* Line count in body */
+extern int     body_zerocount;         /* Binary zero count in body */
+extern uschar *expand_string_message;  /* Error info for failing expansion */
+extern const uschar *headers_charset;  /* Charset for RFC 2047 decoding */
+extern header_line *header_last;       /* Final header */
+extern header_line *header_list;       /* First header */
+extern BOOL    host_checking;          /* Set when checking a host */
+extern uschar *interface_address;      /* Interface for incoming call */
+extern int     interface_port;         /* Port number for incoming call */
+extern uschar *message_id;             /* Internal id of message being handled */
+extern uschar *received_protocol;      /* Name of incoming protocol */
+extern int     recipients_count;       /* Number of recipients */
+extern recipient_item *recipients_list;/* List of recipient addresses */
+extern unsigned char *sender_address;  /* Sender address */
+extern uschar *sender_host_address;    /* IP address of sender, as chars */
+extern uschar *sender_host_authenticated; /* Name of authentication mechanism */
+extern uschar *sender_host_name;       /* Host name from lookup */
+extern int     sender_host_port;       /* Port number of sender */
+extern BOOL    smtp_batched_input;     /* TRUE if SMTP batch (no interaction) */
+extern BOOL    smtp_input;             /* TRUE if input is via SMTP */
+
+
+/* Functions that are documented as visible in local_scan(). */
+
+extern int     child_close(pid_t, int);
+extern void    debug_printf(const char *, ...) PRINTF_FUNCTION(1,2);
+extern uschar *expand_string(uschar *);
+extern void    header_add(int, const char *, ...);
+extern void    header_add_at_position(BOOL, uschar *, BOOL, int, const char *, ...);
+extern void    header_remove(int, const uschar *);
+extern BOOL    header_testname(header_line *, const uschar *, int, BOOL);
+extern BOOL    header_testname_incomplete(header_line *, const uschar *, int, BOOL);
+extern void    log_write(unsigned int, int, const char *format, ...) PRINTF_FUNCTION(3,4);
+extern int     lss_b64decode(uschar *, uschar **);
+extern uschar *lss_b64encode(uschar *, int);
+extern int     lss_match_domain(uschar *, uschar *);
+extern int     lss_match_local_part(uschar *, uschar *, BOOL);
+extern int     lss_match_address(uschar *, uschar *, BOOL);
+extern int     lss_match_host(uschar *, uschar *, uschar *);
+extern void    receive_add_recipient(uschar *, int);
+extern BOOL    receive_remove_recipient(uschar *);
+extern uschar *rfc2047_decode(uschar *, BOOL, const uschar *, int, int *,
+			      uschar **);
+extern int     smtp_fflush(void);
+extern void    smtp_printf(const char *, BOOL, ...) PRINTF_FUNCTION(1,3);
+extern void    smtp_vprintf(const char *, BOOL, va_list);
+
+#define string_sprintf(fmt, ...) \
+	string_sprintf_trc(fmt, US __FUNCTION__, __LINE__, __VA_ARGS__)
+extern uschar *string_sprintf_trc(const char *, const uschar *, unsigned, ...) ALMOST_PRINTF(1,4);
+
+#define store_get(size, proto_mem) \
+	store_get_3((size), (proto_mem), __FUNCTION__, __LINE__)
+extern void   *store_get_3(int, const void *, const char *, int)	ALLOC ALLOC_SIZE(1) WARN_UNUSED_RESULT;
+#define store_get_perm(size, proto_mem) \
+	store_get_perm_3((size), (proto_mem), __FUNCTION__, __LINE__)
+extern void   *store_get_perm_3(int, const void *, const char *, int)	ALLOC ALLOC_SIZE(1) WARN_UNUSED_RESULT;
+
+
+#if defined(LOCAL_SCAN) || defined(DLFUNC_IMPL)
+/* When compiling a local_scan() file we want to rename a published API, so that
+we can use an inlined implementation in the compiles of the main Exim files,
+with the original name. */
+
+# define string_copy(s) string_copy_function(s)
+# define string_copyn(s, n) string_copyn_function((s), (n))
+# define string_copy_taint(s, t) string_copy_taint_function((s), (t))
+# define child_open_exim(p)        child_open_exim_function((p), US"from local_scan")
+# define child_open_exim2(p, s, a) child_open_exim2_function((p), (s), (a), US"from local_scan")
+# define child_open(a,e,u,i,o,l) child_open_function((a),(e),(u),(i),(o),(l),US"from local_scan")
+
+extern uschar * string_copy_function(const uschar *);
+extern uschar * string_copyn_function(const uschar *, int n);
+extern uschar * string_copy_taint_function(const uschar *, const void * proto_mem);
+extern pid_t    child_open_exim_function(int *, const uschar *);
+extern pid_t    child_open_exim2_function(int *, uschar *, uschar *, const uschar *);
+extern pid_t    child_open_function(uschar **, uschar **, int, int *, int *, BOOL, const uschar *);
+#endif
+
+/* End of local_scan.h */
diff --git a/src/log.c b/src/log.c
new file mode 100644
index 0000000..8ca973f
--- /dev/null
+++ b/src/log.c
@@ -0,0 +1,1554 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions for writing log files. The code for maintaining datestamped
+log files was originally contributed by Tony Sheen. */
+
+
+#include "exim.h"
+
+#define MAX_SYSLOG_LEN 870
+
+#define LOG_MODE_FILE   1
+#define LOG_MODE_SYSLOG 2
+
+enum { lt_main, lt_reject, lt_panic, lt_debug };
+
+static uschar *log_names[] = { US"main", US"reject", US"panic", US"debug" };
+
+
+
+/*************************************************
+*           Local static variables               *
+*************************************************/
+
+static uschar mainlog_name[LOG_NAME_SIZE];
+static uschar rejectlog_name[LOG_NAME_SIZE];
+
+static uschar *mainlog_datestamp = NULL;
+static uschar *rejectlog_datestamp = NULL;
+
+static int    mainlogfd = -1;
+static int    rejectlogfd = -1;
+static ino_t  mainlog_inode = 0;
+static ino_t  rejectlog_inode = 0;
+
+static uschar *panic_save_buffer = NULL;
+static BOOL   panic_recurseflag = FALSE;
+
+static BOOL   syslog_open = FALSE;
+static BOOL   path_inspected = FALSE;
+static int    logging_mode = LOG_MODE_FILE;
+static uschar *file_path = US"";
+
+static size_t pid_position[2];
+
+
+/* These should be kept in-step with the private delivery error
+number definitions in macros.h */
+
+static const uschar * exim_errstrings[] = {
+  [0] = US"",
+  [- ERRNO_UNKNOWNERROR] =	US"unknown error",
+  [- ERRNO_USERSLASH] =		US"user slash",
+  [- ERRNO_EXISTRACE] =		US"exist race",
+  [- ERRNO_NOTREGULAR] =	US"not regular",
+  [- ERRNO_NOTDIRECTORY] =	US"not directory",
+  [- ERRNO_BADUGID] =		US"bad ugid",
+  [- ERRNO_BADMODE] =		US"bad mode",
+  [- ERRNO_INODECHANGED] =	US"inode changed",
+  [- ERRNO_LOCKFAILED] =	US"lock failed",
+  [- ERRNO_BADADDRESS2] =	US"bad address2",
+  [- ERRNO_FORBIDPIPE] =	US"forbid pipe",
+  [- ERRNO_FORBIDFILE] =	US"forbid file",
+  [- ERRNO_FORBIDREPLY] =	US"forbid reply",
+  [- ERRNO_MISSINGPIPE] =	US"missing pipe",
+  [- ERRNO_MISSINGFILE] =	US"missing file",
+  [- ERRNO_MISSINGREPLY] =	US"missing reply",
+  [- ERRNO_BADREDIRECT] =	US"bad redirect",
+  [- ERRNO_SMTPCLOSED] =	US"smtp closed",
+  [- ERRNO_SMTPFORMAT] =	US"smtp format",
+  [- ERRNO_SPOOLFORMAT] =	US"spool format",
+  [- ERRNO_NOTABSOLUTE] =	US"not absolute",
+  [- ERRNO_EXIMQUOTA] =		US"Exim-imposed quota",
+  [- ERRNO_HELD] =		US"held",
+  [- ERRNO_FILTER_FAIL] =	US"Delivery filter process failure",
+  [- ERRNO_CHHEADER_FAIL] =	US"Delivery add/remove header failure",
+  [- ERRNO_WRITEINCOMPLETE] =	US"Delivery write incomplete error",
+  [- ERRNO_EXPANDFAIL] =	US"Some expansion failed",
+  [- ERRNO_GIDFAIL] =		US"Failed to get gid",
+  [- ERRNO_UIDFAIL] =		US"Failed to get uid",
+  [- ERRNO_BADTRANSPORT] =	US"Unset or non-existent transport",
+  [- ERRNO_MBXLENGTH] =		US"MBX length mismatch",
+  [- ERRNO_UNKNOWNHOST] =	US"Lookup failed routing or in smtp tpt",
+  [- ERRNO_FORMATUNKNOWN] =	US"Can't match format in appendfile",
+  [- ERRNO_BADCREATE] =		US"Creation outside home in appendfile",
+  [- ERRNO_LISTDEFER] =		US"Can't check a list; lookup defer",
+  [- ERRNO_DNSDEFER] =		US"DNS lookup defer",
+  [- ERRNO_TLSFAILURE] =	US"Failed to start TLS session",
+  [- ERRNO_TLSREQUIRED] =	US"Mandatory TLS session not started",
+  [- ERRNO_CHOWNFAIL] =		US"Failed to chown a file",
+  [- ERRNO_PIPEFAIL] =		US"Failed to create a pipe",
+  [- ERRNO_CALLOUTDEFER] =	US"When verifying",
+  [- ERRNO_AUTHFAIL] =		US"When required by client",
+  [- ERRNO_CONNECTTIMEOUT] =	US"Used internally in smtp transport",
+  [- ERRNO_RCPT4XX] =		US"RCPT gave 4xx error",
+  [- ERRNO_MAIL4XX] =		US"MAIL gave 4xx error",
+  [- ERRNO_DATA4XX] =		US"DATA gave 4xx error",
+  [- ERRNO_PROXYFAIL] =		US"Negotiation failed for proxy configured host",
+  [- ERRNO_AUTHPROB] =		US"Authenticator 'other' failure",
+  [- ERRNO_UTF8_FWD] =		US"target not supporting SMTPUTF8",
+  [- ERRNO_HOST_IS_LOCAL] =	US"host is local",
+  [- ERRNO_TAINT] =		US"tainted filename",
+
+  [- ERRNO_RRETRY] =		US"Not time for routing",
+
+  [- ERRNO_LRETRY] =		US"Not time for local delivery",
+  [- ERRNO_HRETRY] =		US"Not time for any remote host",
+  [- ERRNO_LOCAL_ONLY] =	US"Local-only delivery",
+  [- ERRNO_QUEUE_DOMAIN] =	US"Domain in queue_domains",
+  [- ERRNO_TRETRY] =		US"Transport concurrency limit",
+
+  [- ERRNO_EVENT] =		US"Event requests alternate response",
+};
+
+
+/************************************************/
+const uschar *
+exim_errstr(int err)
+{
+return err < 0 ? exim_errstrings[-err] : CUS strerror(err);
+}
+
+/*************************************************
+*              Write to syslog                   *
+*************************************************/
+
+/* The given string is split into sections according to length, or at embedded
+newlines, and syslogged as a numbered sequence if it is overlong or if there is
+more than one line. However, if we are running in the test harness, do not do
+anything. (The test harness doesn't use syslog - for obvious reasons - but we
+can get here if there is a failure to open the panic log.)
+
+Arguments:
+  priority       syslog priority
+  s              the string to be written
+
+Returns:         nothing
+*/
+
+static void
+write_syslog(int priority, const uschar *s)
+{
+int len;
+int linecount = 0;
+
+if (!syslog_pid && LOGGING(pid))
+  s = string_sprintf("%.*s%s", (int)pid_position[0], s, s + pid_position[1]);
+if (!syslog_timestamp)
+  {
+  len = log_timezone ? 26 : 20;
+  if (LOGGING(millisec)) len += 4;
+  s += len;
+  }
+
+len = Ustrlen(s);
+
+#ifndef NO_OPENLOG
+if (!syslog_open && !f.running_in_test_harness)
+  {
+# ifdef SYSLOG_LOG_PID
+  openlog(CS syslog_processname, LOG_PID|LOG_CONS, syslog_facility);
+# else
+  openlog(CS syslog_processname, LOG_CONS, syslog_facility);
+# endif
+  syslog_open = TRUE;
+  }
+#endif
+
+/* First do a scan through the message in order to determine how many lines
+it is going to end up as. Then rescan to output it. */
+
+for (int pass = 0; pass < 2; pass++)
+  {
+  const uschar * ss = s;
+  for (int i = 1, tlen = len; tlen > 0; i++)
+    {
+    int plen = tlen;
+    uschar *nlptr = Ustrchr(ss, '\n');
+    if (nlptr != NULL) plen = nlptr - ss;
+#ifndef SYSLOG_LONG_LINES
+    if (plen > MAX_SYSLOG_LEN) plen = MAX_SYSLOG_LEN;
+#endif
+    tlen -= plen;
+    if (ss[plen] == '\n') tlen--;    /* chars left */
+
+    if (pass == 0)
+      linecount++;
+    else if (f.running_in_test_harness)
+      if (linecount == 1)
+        fprintf(stderr, "SYSLOG: '%.*s'\n", plen, ss);
+      else
+        fprintf(stderr, "SYSLOG: '[%d%c%d] %.*s'\n", i,
+          ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
+          linecount, plen, ss);
+    else
+      if (linecount == 1)
+        syslog(priority, "%.*s", plen, ss);
+      else
+        syslog(priority, "[%d%c%d] %.*s", i,
+          ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
+          linecount, plen, ss);
+
+    ss += plen;
+    if (*ss == '\n') ss++;
+    }
+  }
+}
+
+
+
+/*************************************************
+*             Die tidily                         *
+*************************************************/
+
+/* This is called when Exim is dying as a result of something going wrong in
+the logging, or after a log call with LOG_PANIC_DIE set. Optionally write a
+message to debug_file or a stderr file, if they exist. Then, if in the middle
+of accepting a message, throw it away tidily by calling receive_bomb_out();
+this will attempt to send an SMTP response if appropriate. Passing NULL as the
+first argument stops it trying to run the NOTQUIT ACL (which might try further
+logging and thus cause problems). Otherwise, try to close down an outstanding
+SMTP call tidily.
+
+Arguments:
+  s1         Error message to write to debug_file and/or stderr and syslog
+  s2         Error message for any SMTP call that is in progress
+Returns:     The function does not return
+*/
+
+static void
+die(uschar *s1, uschar *s2)
+{
+if (s1)
+  {
+  write_syslog(LOG_CRIT, s1);
+  if (debug_file) debug_printf("%s\n", s1);
+  if (log_stderr && log_stderr != debug_file)
+    fprintf(log_stderr, "%s\n", s1);
+  }
+if (f.receive_call_bombout) receive_bomb_out(NULL, s2);  /* does not return */
+if (smtp_input) smtp_closedown(s2);
+exim_exit(EXIT_FAILURE);
+}
+
+
+
+/*************************************************
+*             Create a log file                  *
+*************************************************/
+
+/* This function is called to create and open a log file. It may be called in a
+subprocess when the original process is root.
+
+Arguments:
+  name         the file name
+
+The file name has been build in a working buffer, so it is permissible to
+overwrite it temporarily if it is necessary to create the directory.
+
+Returns:       a file descriptor, or < 0 on failure (errno set)
+*/
+
+static int
+log_open_already_exim(const uschar * const name)
+{
+int fd = -1;
+const int flags = O_WRONLY | O_APPEND | O_CREAT | O_NONBLOCK;
+
+if (geteuid() != exim_uid)
+  {
+  errno = EACCES;
+  return -1;
+  }
+
+fd = Uopen(name, flags, LOG_MODE);
+
+/* If creation failed, attempt to build a log directory in case that is the
+problem. */
+
+if (fd < 0 && errno == ENOENT)
+  {
+  BOOL created;
+  uschar *lastslash = Ustrrchr(name, '/');
+  *lastslash = 0;
+  created = directory_make(NULL, name, LOG_DIRECTORY_MODE, FALSE);
+  DEBUG(D_any)
+    if (created)
+      debug_printf("created log directory %s\n", name);
+    else
+      debug_printf("failed to create log directory %s: %s\n", name, strerror(errno));
+  *lastslash = '/';
+  if (created) fd = Uopen(name, flags, LOG_MODE);
+  }
+
+return fd;
+}
+
+
+
+/* Inspired by OpenSSH's mm_send_fd(). Thanks!
+Send fd over socketpair.
+Return: true iff good.
+*/
+
+static BOOL
+log_send_fd(const int sock, const int fd)
+{
+struct msghdr msg;
+union {
+  struct cmsghdr hdr;
+  char buf[CMSG_SPACE(sizeof(int))];
+} cmsgbuf;
+struct cmsghdr *cmsg;
+char ch = 'A';
+struct iovec vec = {.iov_base = &ch, .iov_len = 1};
+ssize_t n;
+
+memset(&msg, 0, sizeof(msg));
+memset(&cmsgbuf, 0, sizeof(cmsgbuf));
+msg.msg_control = &cmsgbuf.buf;
+msg.msg_controllen = sizeof(cmsgbuf.buf);
+
+cmsg = CMSG_FIRSTHDR(&msg);
+cmsg->cmsg_len = CMSG_LEN(sizeof(int));
+cmsg->cmsg_level = SOL_SOCKET;
+cmsg->cmsg_type = SCM_RIGHTS;
+*(int *)CMSG_DATA(cmsg) = fd;
+
+msg.msg_iov = &vec;
+msg.msg_iovlen = 1;
+
+while ((n = sendmsg(sock, &msg, 0)) == -1 && errno == EINTR);
+return n == 1;
+}
+
+/* Inspired by OpenSSH's mm_receive_fd(). Thanks!
+Return fd passed over socketpair, or -1 on error.
+*/
+
+static int
+log_recv_fd(const int sock)
+{
+struct msghdr msg;
+union {
+  struct cmsghdr hdr;
+  char buf[CMSG_SPACE(sizeof(int))];
+} cmsgbuf;
+struct cmsghdr *cmsg;
+char ch = '\0';
+struct iovec vec = {.iov_base = &ch, .iov_len = 1};
+ssize_t n;
+int fd;
+
+memset(&msg, 0, sizeof(msg));
+msg.msg_iov = &vec;
+msg.msg_iovlen = 1;
+
+memset(&cmsgbuf, 0, sizeof(cmsgbuf));
+msg.msg_control = &cmsgbuf.buf;
+msg.msg_controllen = sizeof(cmsgbuf.buf);
+
+while ((n = recvmsg(sock, &msg, 0)) == -1 && errno == EINTR) ;
+if (n != 1 || ch != 'A') return -1;
+
+if (!(cmsg = CMSG_FIRSTHDR(&msg))) return -1;
+if (cmsg->cmsg_type != SCM_RIGHTS) return -1;
+if ((fd = *(const int *)CMSG_DATA(cmsg)) < 0) return -1;
+return fd;
+}
+
+
+
+/*************************************************
+*     Create a log file as the exim user         *
+*************************************************/
+
+/* This function is called when we are root to spawn an exim:exim subprocess
+in which we can create a log file. It must be signal-safe since it is called
+by the usr1_handler().
+
+Arguments:
+  name         the file name
+
+Returns:       a file descriptor, or < 0 on failure (errno set)
+*/
+
+int
+log_open_as_exim(const uschar * const name)
+{
+int fd = -1;
+const uid_t euid = geteuid();
+
+if (euid == exim_uid)
+  fd = log_open_already_exim(name);
+else if (euid == root_uid)
+  {
+  int sock[2];
+  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sock) == 0)
+    {
+    const pid_t pid = fork();
+    if (pid == 0)
+      {
+      (void)close(sock[0]);
+      if (  setgroups(1, &exim_gid) != 0
+         || setgid(exim_gid) != 0
+         || setuid(exim_uid) != 0
+
+         || getuid() != exim_uid || geteuid() != exim_uid
+         || getgid() != exim_gid || getegid() != exim_gid
+
+         || (fd = log_open_already_exim(name)) < 0
+         || !log_send_fd(sock[1], fd)
+	 ) _exit(EXIT_FAILURE);
+      (void)close(sock[1]);
+      _exit(EXIT_SUCCESS);
+      }
+
+    (void)close(sock[1]);
+    if (pid > 0)
+      {
+      fd = log_recv_fd(sock[0]);
+      while (waitpid(pid, NULL, 0) == -1 && errno == EINTR);
+      }
+    (void)close(sock[0]);
+    }
+  }
+
+if (fd >= 0)
+  {
+  int flags;
+  flags = fcntl(fd, F_GETFD);
+  if (flags != -1) (void)fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
+  flags = fcntl(fd, F_GETFL);
+  if (flags != -1) (void)fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
+  }
+else
+  errno = EACCES;
+
+return fd;
+}
+
+
+
+
+/*************************************************
+*                Open a log file                 *
+*************************************************/
+
+/* This function opens one of a number of logs, creating the log directory if
+it does not exist. This may be called recursively on failure, in order to open
+the panic log.
+
+The directory is in the static variable file_path. This is static so that
+the work of sorting out the path is done just once per Exim process.
+
+Exim is normally configured to avoid running as root wherever possible, the log
+files must be owned by the non-privileged exim user. To ensure this, first try
+an open without O_CREAT - most of the time this will succeed. If it fails, try
+to create the file; if running as root, this must be done in a subprocess to
+avoid races.
+
+Arguments:
+  fd         where to return the resulting file descriptor
+  type       lt_main, lt_reject, lt_panic, or lt_debug
+  tag        optional tag to include in the name (only hooked up for debug)
+
+Returns:   nothing
+*/
+
+static void
+open_log(int * fd, int type, const uschar * tag)
+{
+uid_t euid;
+BOOL ok, ok2;
+uschar buffer[LOG_NAME_SIZE];
+
+/* The names of the log files are controlled by file_path. The panic log is
+written to the same directory as the main and reject logs, but its name does
+not have a datestamp. The use of datestamps is indicated by %D/%M in file_path.
+When opening the panic log, if %D or %M is present, we remove the datestamp
+from the generated name; if it is at the start, remove a following
+non-alphanumeric character as well; otherwise, remove a preceding
+non-alphanumeric character. This is definitely kludgy, but it sort of does what
+people want, I hope. */
+
+ok = string_format(buffer, sizeof(buffer), CS file_path, log_names[type]);
+
+switch (type)
+  {
+  case lt_main:
+    /* Save the name of the mainlog for rollover processing. Without a datestamp,
+    it gets statted to see if it has been cycled. With a datestamp, the datestamp
+    will be compared. The static slot for saving it is the same size as buffer,
+    and the text has been checked above to fit, so this use of strcpy() is OK. */
+    Ustrcpy(mainlog_name, buffer);
+    if (string_datestamp_offset > 0)
+      mainlog_datestamp = mainlog_name + string_datestamp_offset;
+    break;
+
+  case lt_reject:
+    /* Ditto for the reject log */
+    Ustrcpy(rejectlog_name, buffer);
+    if (string_datestamp_offset > 0)
+      rejectlog_datestamp = rejectlog_name + string_datestamp_offset;
+    break;
+
+  case lt_debug:
+    /* and deal with the debug log (which keeps the datestamp, but does not
+    update it) */
+    Ustrcpy(debuglog_name, buffer);
+    if (tag)
+      {
+      if (is_tainted(tag))
+      	die(US"exim: tainted tag for debug log filename",
+      	      US"Logging failure; please try later");
+
+      /* this won't change the offset of the datestamp */
+      ok2 = string_format(buffer, sizeof(buffer), "%s%s",
+        debuglog_name, tag);
+      if (ok2)
+        Ustrcpy(debuglog_name, buffer);
+      }
+    break;
+
+  default:
+    /* Remove any datestamp if this is the panic log. This is rare, so there's no
+    need to optimize getting the datestamp length. We remove one non-alphanumeric
+    char afterwards if at the start, otherwise one before. */
+    if (string_datestamp_offset >= 0)
+      {
+      uschar * from = buffer + string_datestamp_offset;
+      uschar * to = from + string_datestamp_length;
+
+      if (from == buffer || from[-1] == '/')
+        {
+        if (!isalnum(*to)) to++;
+        }
+      else
+        if (!isalnum(from[-1])) from--;
+
+      /* This copy is ok, because we know that to is a substring of from. But
+      due to overlap we must use memmove() not Ustrcpy(). */
+      memmove(from, to, Ustrlen(to)+1);
+      }
+    break;
+  }
+
+/* If the file name is too long, it is an unrecoverable disaster */
+
+if (!ok)
+  die(US"exim: log file path too long: aborting",
+      US"Logging failure; please try later");
+
+/* We now have the file name. After a successful open, return. */
+
+if ((*fd = log_open_as_exim(buffer)) >= 0)
+  return;
+
+euid = geteuid();
+
+/* Creation failed. There are some circumstances in which we get here when
+the effective uid is not root or exim, which is the problem. (For example, a
+non-setuid binary with log_arguments set, called in certain ways.) Rather than
+just bombing out, force the log to stderr and carry on if stderr is available.
+*/
+
+if (euid != root_uid && euid != exim_uid && log_stderr)
+  {
+  *fd = fileno(log_stderr);
+  return;
+  }
+
+/* Otherwise this is a disaster. This call is deliberately ONLY to the panic
+log. If possible, save a copy of the original line that was being logged. If we
+are recursing (can't open the panic log either), the pointer will already be
+set.  Also, when we had to use a subprocess for the create we didn't retrieve
+errno from it, so get the error from the open attempt above (which is often
+meaningful enough, so leave it). */
+
+if (!panic_save_buffer)
+  if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
+    memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
+
+log_write(0, LOG_PANIC_DIE, "Cannot open %s log file \"%s\": %s: "
+  "euid=%d egid=%d", log_names[type], buffer, strerror(errno), euid, getegid());
+/* Never returns */
+}
+
+
+static void
+unlink_log(int type)
+{
+if (type == lt_debug) unlink(CS debuglog_name);
+}
+
+
+
+/*************************************************
+*     Add configuration file info to log line    *
+*************************************************/
+
+/* This is put in a function because it's needed twice (once for debugging,
+once for real).
+
+Arguments:
+  ptr         pointer to the end of the line we are building
+  flags       log flags
+
+Returns:      updated pointer
+*/
+
+static gstring *
+log_config_info(gstring * g, int flags)
+{
+g = string_cat(g, US"Exim configuration error");
+
+if (flags & (LOG_CONFIG_FOR & ~LOG_CONFIG))
+  return string_cat(g, US" for ");
+
+if (flags & (LOG_CONFIG_IN & ~LOG_CONFIG))
+  g = string_fmt_append(g, " in line %d of %s", config_lineno, config_filename);
+
+return string_catn(g, US":\n  ", 4);
+}
+
+
+/*************************************************
+*           A write() operation failed           *
+*************************************************/
+
+/* This function is called when write() fails on anything other than the panic
+log, which can happen if a disk gets full or a file gets too large or whatever.
+We try to save the relevant message in the panic_save buffer before crashing
+out.
+
+The potential invoker should probably not call us for EINTR -1 writes.  But
+otherwise, short writes are bad as we don't do non-blocking writes to fds
+subject to flow control.  (If we do, that's new and the logic of this should
+be reconsidered).
+
+Arguments:
+  name      the name of the log being written
+  length    the string length being written
+  rc        the return value from write()
+
+Returns:    does not return
+*/
+
+static void
+log_write_failed(uschar *name, int length, int rc)
+{
+int save_errno = errno;
+
+if (!panic_save_buffer)
+  if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
+    memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
+
+log_write(0, LOG_PANIC_DIE, "failed to write to %s: length=%d result=%d "
+  "errno=%d (%s)", name, length, rc, save_errno,
+  (save_errno == 0)? "write incomplete" : strerror(save_errno));
+/* Never returns */
+}
+
+
+
+/*************************************************
+*     Write to an fd, retrying after signals     *
+*************************************************/
+
+/* Basic write to fd for logs, handling EINTR.
+
+Arguments:
+  fd        the fd to write to
+  buf       the string to write
+  length    the string length being written
+
+Returns:
+  length actually written, persisting an errno from write()
+*/
+ssize_t
+write_to_fd_buf(int fd, const uschar *buf, size_t length)
+{
+ssize_t wrote;
+size_t total_written = 0;
+const uschar *p = buf;
+size_t left = length;
+
+while (1)
+  {
+  wrote = write(fd, p, left);
+  if (wrote == (ssize_t)-1)
+    {
+    if (errno == EINTR) continue;
+    return wrote;
+    }
+  total_written += wrote;
+  if (wrote == left)
+    break;
+  else
+    {
+    p += wrote;
+    left -= wrote;
+    }
+  }
+return total_written;
+}
+
+
+
+static void
+set_file_path(void)
+{
+int sep = ':';              /* Fixed separator - outside use */
+uschar *t;
+const uschar *tt = US LOG_FILE_PATH;
+while ((t = string_nextinlist(&tt, &sep, log_buffer, LOG_BUFFER_SIZE)))
+  {
+  if (Ustrcmp(t, "syslog") == 0 || t[0] == 0) continue;
+  file_path = string_copy(t);
+  break;
+  }
+}
+
+
+/* Close mainlog, unless we do not see a chance to open the file mainlog later
+again.  This will happen if we log from a transport process (which has dropped
+privs); something we traditionally avoid, but the introduction of taint-tracking
+and resulting detection of errors is makinng harder. */
+
+void
+mainlog_close(void)
+{
+if (mainlogfd < 0
+   || !(geteuid() == 0 || geteuid() == exim_uid))
+  return;
+(void)close(mainlogfd);
+mainlogfd = -1;
+mainlog_inode = 0;
+}
+
+/*************************************************
+*            Write message to log file           *
+*************************************************/
+
+/* Exim can be configured to log to local files, or use syslog, or both. This
+is controlled by the setting of log_file_path. The following cases are
+recognized:
+
+  log_file_path = ""               write files in the spool/log directory
+  log_file_path = "xxx"            write files in the xxx directory
+  log_file_path = "syslog"         write to syslog
+  log_file_path = "syslog : xxx"   write to syslog and to files (any order)
+
+The message always gets '\n' added on the end of it, since more than one
+process may be writing to the log at once and we don't want intermingling to
+happen in the middle of lines. To be absolutely sure of this we write the data
+into a private buffer and then put it out in a single write() call.
+
+The flags determine which log(s) the message is written to, or for syslogging,
+which priority to use, and in the case of the panic log, whether the process
+should die afterwards.
+
+The variable really_exim is TRUE only when exim is running in privileged state
+(i.e. not with a changed configuration or with testing options such as -brw).
+If it is not, don't try to write to the log because permission will probably be
+denied.
+
+Avoid actually writing to the logs when exim is called with -bv or -bt to
+test an address, but take other actions, such as panicking.
+
+In Exim proper, the buffer for building the message is got at start-up, so that
+nothing gets done if it can't be got. However, some functions that are also
+used in utilities occasionally obey log_write calls in error situations, and it
+is simplest to put a single malloc() here rather than put one in each utility.
+Malloc is used directly because the store functions may call log_write().
+
+If a message_id exists, we include it after the timestamp.
+
+Arguments:
+  selector  write to main log or LOG_INFO only if this value is zero, or if
+              its bit is set in log_selector[0]
+  flags     each bit indicates some independent action:
+              LOG_SENDER      add raw sender to the message
+              LOG_RECIPIENTS  add raw recipients list to message
+              LOG_CONFIG      add "Exim configuration error"
+              LOG_CONFIG_FOR  add " for " instead of ":\n  "
+              LOG_CONFIG_IN   add " in line x[ of file y]"
+              LOG_MAIN        write to main log or syslog LOG_INFO
+              LOG_REJECT      write to reject log or syslog LOG_NOTICE
+              LOG_PANIC       write to panic log or syslog LOG_ALERT
+              LOG_PANIC_DIE   write to panic log or LOG_ALERT and then crash
+  format    a printf() format
+  ...       arguments for format
+
+Returns:    nothing
+*/
+
+void
+log_write(unsigned int selector, int flags, const char *format, ...)
+{
+int paniclogfd;
+ssize_t written_len;
+gstring gs = { .size = LOG_BUFFER_SIZE-1, .ptr = 0, .s = log_buffer };
+gstring * g;
+va_list ap;
+
+/* If panic_recurseflag is set, we have failed to open the panic log. This is
+the ultimate disaster. First try to write the message to a debug file and/or
+stderr and also to syslog. If panic_save_buffer is not NULL, it contains the
+original log line that caused the problem. Afterwards, expire. */
+
+if (panic_recurseflag)
+  {
+  uschar *extra = panic_save_buffer ? panic_save_buffer : US"";
+  if (debug_file) debug_printf("%s%s", extra, log_buffer);
+  if (log_stderr && log_stderr != debug_file)
+    fprintf(log_stderr, "%s%s", extra, log_buffer);
+  if (*extra) write_syslog(LOG_CRIT, extra);
+  write_syslog(LOG_CRIT, log_buffer);
+  die(US"exim: could not open panic log - aborting: see message(s) above",
+    US"Unexpected log failure, please try later");
+  }
+
+/* Ensure we have a buffer (see comment above); this should never be obeyed
+when running Exim proper, only when running utilities. */
+
+if (!log_buffer)
+  if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
+    {
+    fprintf(stderr, "exim: failed to get store for log buffer\n");
+    exim_exit(EXIT_FAILURE);
+    }
+
+/* If we haven't already done so, inspect the setting of log_file_path to
+determine whether to log to files and/or to syslog. Bits in logging_mode
+control this, and for file logging, the path must end up in file_path. This
+variable must be in permanent store because it may be required again later in
+the process. */
+
+if (!path_inspected)
+  {
+  BOOL multiple = FALSE;
+  int old_pool = store_pool;
+
+  store_pool = POOL_PERM;
+
+  /* If nothing has been set, don't waste effort... the default values for the
+  statics are file_path="" and logging_mode = LOG_MODE_FILE. */
+
+  if (*log_file_path)
+    {
+    int sep = ':';              /* Fixed separator - outside use */
+    uschar *s;
+    const uschar *ss = log_file_path;
+
+    logging_mode = 0;
+    while ((s = string_nextinlist(&ss, &sep, log_buffer, LOG_BUFFER_SIZE)))
+      {
+      if (Ustrcmp(s, "syslog") == 0)
+        logging_mode |= LOG_MODE_SYSLOG;
+      else if (logging_mode & LOG_MODE_FILE)
+	multiple = TRUE;
+      else
+        {
+        logging_mode |= LOG_MODE_FILE;
+
+        /* If a non-empty path is given, use it */
+
+        if (*s)
+          file_path = string_copy(s);
+
+        /* If the path is empty, we want to use the first non-empty, non-
+        syslog item in LOG_FILE_PATH, if there is one, since the value of
+        log_file_path may have been set at runtime. If there is no such item,
+        use the ultimate default in the spool directory. */
+
+        else
+	  set_file_path();  /* Empty item in log_file_path */
+        }    /* First non-syslog item in log_file_path */
+      }      /* Scan of log_file_path */
+    }
+
+  /* If no modes have been selected, it is a major disaster */
+
+  if (logging_mode == 0)
+    die(US"Neither syslog nor file logging set in log_file_path",
+        US"Unexpected logging failure");
+
+  /* Set up the ultimate default if necessary. Then revert to the old store
+  pool, and record that we've sorted out the path. */
+
+  if (logging_mode & LOG_MODE_FILE  &&  !file_path[0])
+    file_path = string_sprintf("%s/log/%%slog", spool_directory);
+  store_pool = old_pool;
+  path_inspected = TRUE;
+
+  /* If more than one file path was given, log a complaint. This recursive call
+  should work since we have now set up the routing. */
+
+  if (multiple)
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "More than one path given in log_file_path: using %s", file_path);
+  }
+
+/* Optionally trigger debug */
+
+if (flags & LOG_PANIC && dtrigger_selector & BIT(DTi_panictrigger))
+  debug_trigger_fire();
+
+/* If debugging, show all log entries, but don't show headers. Do it all
+in one go so that it doesn't get split when multi-processing. */
+
+DEBUG(D_any|D_v)
+  {
+  int i;
+
+  g = string_catn(&gs, US"LOG:", 4);
+
+  /* Show the selector that was passed into the call. */
+
+  for (i = 0; i < log_options_count; i++)
+    {
+    unsigned int bitnum = log_options[i].bit;
+    if (bitnum < BITWORDSIZE && selector == BIT(bitnum))
+      g = string_fmt_append(g, " %s", log_options[i].name);
+    }
+
+  g = string_fmt_append(g, "%s%s%s%s\n  ",
+    flags & LOG_MAIN ?    " MAIN"   : "",
+    flags & LOG_PANIC ?   " PANIC"  : "",
+    (flags & LOG_PANIC_DIE) == LOG_PANIC_DIE ? " DIE" : "",
+    flags & LOG_REJECT ?  " REJECT" : "");
+
+  if (flags & LOG_CONFIG) g = log_config_info(g, flags);
+
+  /* We want to be able to log tainted info, but log_buffer is directly
+  malloc'd.  So use deliberately taint-nonchecking routines to build into
+  it, trusting that we will never expand the results. */
+
+  va_start(ap, format);
+  i = g->ptr;
+  if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap))
+    {
+    g->ptr = i;
+    g = string_cat(g, US"**** log string overflowed log buffer ****");
+    }
+  va_end(ap);
+
+  g->size = LOG_BUFFER_SIZE;
+  g = string_catn(g, US"\n", 1);
+  debug_printf("%s", string_from_gstring(g));
+
+  gs.size = LOG_BUFFER_SIZE-1;	/* Having used the buffer for debug output, */
+  gs.ptr = 0;			/* reset it for the real use. */
+  gs.s = log_buffer;
+  }
+/* If no log file is specified, we are in a mess. */
+
+if (!(flags & (LOG_MAIN|LOG_PANIC|LOG_REJECT)))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_write called with no log "
+    "flags set");
+
+/* There are some weird circumstances in which logging is disabled. */
+
+if (f.disable_logging)
+  {
+  DEBUG(D_any) debug_printf("log writing disabled\n");
+  if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE);
+  return;
+  }
+
+/* Handle disabled reject log */
+
+if (!write_rejectlog) flags &= ~LOG_REJECT;
+
+/* Create the main message in the log buffer. Do not include the message id
+when called by a utility. */
+
+g = string_fmt_append(&gs, "%s ", tod_stamp(tod_log));
+
+if (LOGGING(pid))
+  {
+  if (!syslog_pid) pid_position[0] = g->ptr;		/* remember begin … */
+  g = string_fmt_append(g, "[%d] ", (int)getpid());
+  if (!syslog_pid) pid_position[1] = g->ptr;		/*  … and end+1 of the PID */
+  }
+
+if (f.really_exim && message_id[0] != 0)
+  g = string_fmt_append(g, "%s ", message_id);
+
+if (flags & LOG_CONFIG)
+  g = log_config_info(g, flags);
+
+va_start(ap, format);
+  {
+  int i = g->ptr;
+
+  /* We want to be able to log tainted info, but log_buffer is directly
+  malloc'd.  So use deliberately taint-nonchecking routines to build into
+  it, trusting that we will never expand the results. */
+
+  if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap))
+    {
+    g->ptr = i;
+    g = string_cat(g, US"**** log string overflowed log buffer ****\n");
+    }
+  }
+va_end(ap);
+
+/* Add the raw, unrewritten, sender to the message if required. This is done
+this way because it kind of fits with LOG_RECIPIENTS. */
+
+if (   flags & LOG_SENDER
+   && g->ptr < LOG_BUFFER_SIZE - 10 - Ustrlen(raw_sender))
+  g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " from <%s>", raw_sender);
+
+/* Add list of recipients to the message if required; the raw list,
+before rewriting, was saved in raw_recipients. There may be none, if an ACL
+discarded them all. */
+
+if (  flags & LOG_RECIPIENTS
+   && g->ptr < LOG_BUFFER_SIZE - 6
+   && raw_recipients_count > 0)
+  {
+  int i;
+  g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " for", NULL);
+  for (i = 0; i < raw_recipients_count; i++)
+    {
+    uschar * s = raw_recipients[i];
+    if (LOG_BUFFER_SIZE - g->ptr < Ustrlen(s) + 3) break;
+    g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " %s", s);
+    }
+  }
+
+g = string_catn(g, US"\n", 1);
+string_from_gstring(g);
+
+/* Handle loggable errors when running a utility, or when address testing.
+Write to log_stderr unless debugging (when it will already have been written),
+or unless there is no log_stderr (expn called from daemon, for example). */
+
+if (!f.really_exim || f.log_testing_mode)
+  {
+  if (  !debug_selector
+     && log_stderr
+     && (selector == 0 || (selector & log_selector[0]) != 0)
+    )
+    if (host_checking)
+      fprintf(log_stderr, "LOG: %s", CS(log_buffer + 20));  /* no timestamp */
+    else
+      fprintf(log_stderr, "%s", CS log_buffer);
+
+  if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE);
+  return;
+  }
+
+/* Handle the main log. We know that either syslog or file logging (or both) is
+set up. A real file gets left open during reception or delivery once it has
+been opened, but we don't want to keep on writing to it for too long after it
+has been renamed. Therefore, do a stat() and see if the inode has changed, and
+if so, re-open. */
+
+if (  flags & LOG_MAIN
+   && (!selector ||  selector & log_selector[0]))
+  {
+  if (  logging_mode & LOG_MODE_SYSLOG
+     && (syslog_duplication || !(flags & (LOG_REJECT|LOG_PANIC))))
+    write_syslog(LOG_INFO, log_buffer);
+
+  if (logging_mode & LOG_MODE_FILE)
+    {
+    struct stat statbuf;
+
+    /* Check for a change to the mainlog file name when datestamping is in
+    operation. This happens at midnight, at which point we want to roll over
+    the file. Closing it has the desired effect. */
+
+    if (mainlog_datestamp)
+      {
+      uschar *nowstamp = tod_stamp(string_datestamp_type);
+      if (Ustrncmp (mainlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
+        {
+        (void)close(mainlogfd);       /* Close the file */
+        mainlogfd = -1;               /* Clear the file descriptor */
+        mainlog_inode = 0;            /* Unset the inode */
+        mainlog_datestamp = NULL;     /* Clear the datestamp */
+        }
+      }
+
+    /* Otherwise, we want to check whether the file has been renamed by a
+    cycling script. This could be "if else", but for safety's sake, leave it as
+    "if" so that renaming the log starts a new file even when datestamping is
+    happening. */
+
+    if (mainlogfd >= 0)
+      if (Ustat(mainlog_name, &statbuf) < 0 || statbuf.st_ino != mainlog_inode)
+	mainlog_close();
+
+    /* If the log is closed, open it. Then write the line. */
+
+    if (mainlogfd < 0)
+      {
+      open_log(&mainlogfd, lt_main, NULL);     /* No return on error */
+      if (fstat(mainlogfd, &statbuf) >= 0) mainlog_inode = statbuf.st_ino;
+      }
+
+    /* Failing to write to the log is disastrous */
+
+    written_len = write_to_fd_buf(mainlogfd, g->s, g->ptr);
+    if (written_len != g->ptr)
+      {
+      log_write_failed(US"main log", g->ptr, written_len);
+      /* That function does not return */
+      }
+    }
+  }
+
+/* Handle the log for rejected messages. This can be globally disabled, in
+which case the flags are altered above. If there are any header lines (i.e. if
+the rejection is happening after the DATA phase), log the recipients and the
+headers. */
+
+if (flags & LOG_REJECT)
+  {
+  if (header_list && LOGGING(rejected_header))
+    {
+    gstring * g2;
+    int i;
+
+    if (recipients_count > 0)
+      {
+      /* List the sender */
+
+      g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
+			"Envelope-from: <%s>\n", sender_address);
+      if (g2) g = g2;
+
+      /* List up to 5 recipients */
+
+      g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
+			"Envelope-to: <%s>\n", recipients_list[0].address);
+      if (g2) g = g2;
+
+      for (i = 1; i < recipients_count && i < 5; i++)
+        {
+        g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
+			"    <%s>\n", recipients_list[i].address);
+	if (g2) g = g2;
+        }
+
+      if (i < recipients_count)
+        {
+        g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, "    ...\n", NULL);
+	if (g2) g = g2;
+        }
+      }
+
+    /* A header with a NULL text is an unfilled in Received: header */
+
+    for (header_line * h = header_list; h; h = h->next) if (h->text)
+      {
+      g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
+			"%c %s", h->type, h->text);
+      if (g2)
+	g = g2;
+      else		/* Buffer is full; truncate */
+        {
+        g->ptr -= 100;        /* For message and separator */
+        if (g->s[g->ptr-1] == '\n') g->ptr--;
+        g = string_cat(g, US"\n*** truncated ***\n");
+        break;
+        }
+      }
+    }
+
+  /* Write to syslog or to a log file */
+
+  if (  logging_mode & LOG_MODE_SYSLOG
+     && (syslog_duplication || !(flags & LOG_PANIC)))
+    write_syslog(LOG_NOTICE, string_from_gstring(g));
+
+  /* Check for a change to the rejectlog file name when datestamping is in
+  operation. This happens at midnight, at which point we want to roll over
+  the file. Closing it has the desired effect. */
+
+  if (logging_mode & LOG_MODE_FILE)
+    {
+    struct stat statbuf;
+
+    if (rejectlog_datestamp)
+      {
+      uschar *nowstamp = tod_stamp(string_datestamp_type);
+      if (Ustrncmp (rejectlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
+        {
+        (void)close(rejectlogfd);       /* Close the file */
+        rejectlogfd = -1;               /* Clear the file descriptor */
+        rejectlog_inode = 0;            /* Unset the inode */
+        rejectlog_datestamp = NULL;     /* Clear the datestamp */
+        }
+      }
+
+    /* Otherwise, we want to check whether the file has been renamed by a
+    cycling script. This could be "if else", but for safety's sake, leave it as
+    "if" so that renaming the log starts a new file even when datestamping is
+    happening. */
+
+    if (rejectlogfd >= 0)
+      if (Ustat(rejectlog_name, &statbuf) < 0 ||
+           statbuf.st_ino != rejectlog_inode)
+        {
+        (void)close(rejectlogfd);
+        rejectlogfd = -1;
+        rejectlog_inode = 0;
+        }
+
+    /* Open the file if necessary, and write the data */
+
+    if (rejectlogfd < 0)
+      {
+      open_log(&rejectlogfd, lt_reject, NULL); /* No return on error */
+      if (fstat(rejectlogfd, &statbuf) >= 0) rejectlog_inode = statbuf.st_ino;
+      }
+
+    written_len = write_to_fd_buf(rejectlogfd, g->s, g->ptr);
+    if (written_len != g->ptr)
+      {
+      log_write_failed(US"reject log", g->ptr, written_len);
+      /* That function does not return */
+      }
+    }
+  }
+
+
+/* Handle the panic log, which is not kept open like the others. If it fails to
+open, there will be a recursive call to log_write(). We detect this above and
+attempt to write to the system log as a last-ditch try at telling somebody. In
+all cases except mua_wrapper, try to write to log_stderr. */
+
+if (flags & LOG_PANIC)
+  {
+  if (log_stderr && log_stderr != debug_file && !mua_wrapper)
+    fprintf(log_stderr, "%s", CS string_from_gstring(g));
+
+  if (logging_mode & LOG_MODE_SYSLOG)
+    write_syslog(LOG_ALERT, log_buffer);
+
+  /* If this panic logging was caused by a failure to open the main log,
+  the original log line is in panic_save_buffer. Make an attempt to write it. */
+
+  if (logging_mode & LOG_MODE_FILE)
+    {
+    panic_recurseflag = TRUE;
+    open_log(&paniclogfd, lt_panic, NULL);  /* Won't return on failure */
+    panic_recurseflag = FALSE;
+
+    if (panic_save_buffer)
+      (void) write(paniclogfd, panic_save_buffer, Ustrlen(panic_save_buffer));
+
+    written_len = write_to_fd_buf(paniclogfd, g->s, g->ptr);
+    if (written_len != g->ptr)
+      {
+      int save_errno = errno;
+      write_syslog(LOG_CRIT, log_buffer);
+      sprintf(CS log_buffer, "write failed on panic log: length=%d result=%d "
+        "errno=%d (%s)", g->ptr, (int)written_len, save_errno, strerror(save_errno));
+      write_syslog(LOG_CRIT, string_from_gstring(g));
+      flags |= LOG_PANIC_DIE;
+      }
+
+    (void)close(paniclogfd);
+    }
+
+  /* Give up if the DIE flag is set */
+
+  if ((flags & LOG_PANIC_DIE) != LOG_PANIC)
+    die(NULL, US"Unexpected failure, please try later");
+  }
+}
+
+
+
+/*************************************************
+*            Close any open log files            *
+*************************************************/
+
+void
+log_close_all(void)
+{
+if (mainlogfd >= 0)
+  { (void)close(mainlogfd); mainlogfd = -1; }
+if (rejectlogfd >= 0)
+  { (void)close(rejectlogfd); rejectlogfd = -1; }
+closelog();
+syslog_open = FALSE;
+}
+
+
+
+/*************************************************
+*             Multi-bit set or clear             *
+*************************************************/
+
+/* These functions take a list of bit indexes (terminated by -1) and
+clear or set the corresponding bits in the selector.
+
+Arguments:
+  selector       address of the bit string
+  selsize        number of words in the bit string
+  bits           list of bits to set
+*/
+
+void
+bits_clear(unsigned int *selector, size_t selsize, int *bits)
+{
+for(; *bits != -1; ++bits)
+  BIT_CLEAR(selector, selsize, *bits);
+}
+
+void
+bits_set(unsigned int *selector, size_t selsize, int *bits)
+{
+for(; *bits != -1; ++bits)
+  BIT_SET(selector, selsize, *bits);
+}
+
+
+
+/*************************************************
+*         Decode bit settings for log/debug      *
+*************************************************/
+
+/* This function decodes a string containing bit settings in the form of +name
+and/or -name sequences, and sets/unsets bits in a bit string accordingly. It
+also recognizes a numeric setting of the form =<number>, but this is not
+intended for user use. It's an easy way for Exim to pass the debug settings
+when it is re-exec'ed.
+
+The option table is a list of names and bit indexes. The index -1
+means "set all bits, except for those listed in notall". The notall
+list is terminated by -1.
+
+The action taken for bad values varies depending upon why we're here.
+For log messages, or if the debugging is triggered from config, then we write
+to the log on the way out.  For debug setting triggered from the command-line,
+we treat it as an unknown option: error message to stderr and die.
+
+Arguments:
+  selector       address of the bit string
+  selsize        number of words in the bit string
+  notall         list of bits to exclude from "all"
+  string         the configured string
+  options        the table of option names
+  count          size of table
+  which          "log" or "debug"
+  flags          DEBUG_FROM_CONFIG
+
+Returns:         nothing on success - bomb out on failure
+*/
+
+void
+decode_bits(unsigned int * selector, size_t selsize, int * notall,
+  const uschar * string, bit_table * options, int count, uschar * which,
+  int flags)
+{
+uschar *errmsg;
+if (!string) return;
+
+if (*string == '=')
+  {
+  char *end;    /* Not uschar */
+  memset(selector, 0, sizeof(*selector)*selsize);
+  *selector = strtoul(CCS string+1, &end, 0);
+  if (!*end) return;
+  errmsg = string_sprintf("malformed numeric %s_selector setting: %s", which,
+    string);
+  goto ERROR_RETURN;
+  }
+
+/* Handle symbolic setting */
+
+else for(;;)
+  {
+  BOOL adding;
+  const uschar * s;
+  int len;
+  bit_table * start, * end;
+
+  Uskip_whitespace(&string);
+  if (!*string) return;
+
+  if (*string != '+' && *string != '-')
+    {
+    errmsg = string_sprintf("malformed %s_selector setting: "
+      "+ or - expected but found \"%s\"", which, string);
+    goto ERROR_RETURN;
+    }
+
+  adding = *string++ == '+';
+  s = string;
+  while (isalnum(*string) || *string == '_') string++;
+  len = string - s;
+
+  start = options;
+  end = options + count;
+
+  while (start < end)
+    {
+    bit_table *middle = start + (end - start)/2;
+    int c = Ustrncmp(s, middle->name, len);
+    if (c == 0)
+      if (middle->name[len] != 0) c = -1; else
+        {
+        unsigned int bit = middle->bit;
+
+	if (bit == -1)
+	  {
+	  if (adding)
+	    {
+	    memset(selector, -1, sizeof(*selector)*selsize);
+	    bits_clear(selector, selsize, notall);
+	    }
+	  else
+	    memset(selector, 0, sizeof(*selector)*selsize);
+	  }
+	else if (adding)
+	  BIT_SET(selector, selsize, bit);
+	else
+	  BIT_CLEAR(selector, selsize, bit);
+
+        break;  /* Out of loop to match selector name */
+        }
+    if (c < 0) end = middle; else start = middle + 1;
+    }  /* Loop to match selector name */
+
+  if (start >= end)
+    {
+    errmsg = string_sprintf("unknown %s_selector setting: %c%.*s", which,
+      adding? '+' : '-', len, s);
+    goto ERROR_RETURN;
+    }
+  }    /* Loop for selector names */
+
+/* Handle disasters */
+
+ERROR_RETURN:
+if (Ustrcmp(which, "debug") == 0)
+  {
+  if (flags & DEBUG_FROM_CONFIG)
+    {
+    log_write(0, LOG_CONFIG|LOG_PANIC, "%s", errmsg);
+    return;
+    }
+  fprintf(stderr, "exim: %s\n", errmsg);
+  exit(EXIT_FAILURE);
+  }
+else log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "%s", errmsg);
+}
+
+
+
+/*************************************************
+*        Activate a debug logfile (late)         *
+*************************************************/
+
+/* Normally, debugging is activated from the command-line; it may be useful
+within the configuration to activate debugging later, based on certain
+conditions.  If debugging is already in progress, we return early, no action
+taken (besides debug-logging that we wanted debug-logging).
+
+Failures in options are not fatal but will result in paniclog entries for the
+misconfiguration.
+
+The first use of this is in ACL logic, "control = debug/tag=foo/opts=+expand"
+which can be combined with conditions, etc, to activate extra logging only
+for certain sources. The second use is inetd wait mode debug preservation.
+
+It might be nice, in ACL-initiated pretrigger mode, to not create the file
+immediately but only upon a trigger - but we'd need another cmdline option
+to pass the name through child_exxec_exim(). */
+
+void
+debug_logging_activate(const uschar * tag_name, const uschar * opts)
+{
+if (debug_file)
+  {
+  debug_printf("DEBUGGING ACTIVATED FROM WITHIN CONFIG.\n"
+      "DEBUG: Tag=\"%s\" opts=\"%s\"\n", tag_name, opts ? opts : US"");
+  return;
+  }
+
+if (tag_name && (Ustrchr(tag_name, '/') != NULL))
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "debug tag may not contain a '/' in: %s",
+      tag_name);
+  return;
+  }
+
+debug_selector = D_default;
+if (opts)
+  decode_bits(&debug_selector, 1, debug_notall, opts,
+      debug_options, debug_options_count, US"debug", DEBUG_FROM_CONFIG);
+
+/* When activating from a transport process we may never have logged at all
+resulting in certain setup not having been done.  Hack this for now so we
+do not segfault; note that nondefault log locations will not work */
+
+if (!*file_path) set_file_path();
+
+open_log(&debug_fd, lt_debug, tag_name);
+
+if (debug_fd != -1)
+  debug_file = fdopen(debug_fd, "w");
+else
+  log_write(0, LOG_MAIN|LOG_PANIC, "unable to open debug log");
+}
+
+
+void
+debug_logging_from_spool(const uschar * filename)
+{
+if (debug_fd < 0)
+  {
+  Ustrncpy(debuglog_name, filename, sizeof(debuglog_name));
+  if ((debug_fd = log_open_as_exim(filename)) >= 0)
+    debug_file = fdopen(debug_fd, "w");
+  DEBUG(D_deliver) debug_printf("debug enabled by spoolfile\n");
+  }
+/*
+else DEBUG(D_deliver)
+  debug_printf("debug already active; ignoring spoolfile '%s'\n", filename);
+*/
+}
+
+
+void
+debug_logging_stop(BOOL kill)
+{
+debug_pretrigger_discard();
+if (!debug_file || !debuglog_name[0]) return;
+
+debug_selector = 0;
+fclose(debug_file);
+debug_file = NULL;
+debug_fd = -1;
+if (kill) unlink_log(lt_debug);
+}
+
+
+/* End of log.c */
diff --git a/src/lookupapi.h b/src/lookupapi.h
new file mode 100644
index 0000000..41cc239
--- /dev/null
+++ b/src/lookupapi.h
@@ -0,0 +1,65 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* The "type" field in each item is a set of bit flags:
+
+  lookup_querystyle     => this is a query-style lookup,
+                             else single-key (+ file) style
+  lookup_absfile        => an absolute file name is required,
+                             (for single-key style only)
+*/
+
+typedef struct lookup_info {
+  uschar *name;                   /* e.g. "lsearch" */
+  int type;                       /* query/singlekey/abs-file */
+  void *(*open)(                  /* open function */
+    const uschar *,               /* file name for those that have one */
+    uschar **);                   /* for error message */
+  BOOL (*check)(                  /* file checking function */
+    void *,                       /* handle */
+    const uschar *,               /* file name */
+    int,                          /* modemask for file checking */
+    uid_t *,                      /* owners for file checking */
+    gid_t *,                      /* owngroups for file checking */
+    uschar **);                   /* for error messages */
+  int (*find)(                    /* find function */
+    void *,                       /* handle */
+    const uschar *,               /* file name or NULL */
+    const uschar *,               /* key or query */
+    int,                          /* length of key or query */
+    uschar **,                    /* for returning answer */
+    uschar **,                    /* for error message */
+    uint *,                       /* cache TTL, seconds */
+    const uschar *);		  /* options */
+  void (*close)(                  /* close function */
+    void *);                      /* handle */
+  void (*tidy)(void);             /* tidy function */
+  uschar *(*quote)(               /* quoting function */
+    uschar *,                     /* string to quote */
+    uschar *,                     /* additional data from quote name */
+    unsigned);			  /* lookup type index */
+  gstring * (*version_report)(    /* diagnostic function */
+    gstring *);                   /* string to appand to */
+} lookup_info;
+
+/* This magic number is used by the following lookup_module_info structure
+   for checking API compatibility. It used to be equivalent to the string"LMM3" */
+#define LOOKUP_MODULE_INFO_MAGIC 0x4c4d4935
+/* Version 2 adds: version_report */
+/* Version 3 change: non/cache becomes TTL in seconds */
+/* Version 4 add: index on quoting function */
+/* Version 5 change: version report now adds to a gstring */
+
+typedef struct lookup_module_info {
+  uint magic;
+  lookup_info **lookups;
+  uint lookupcount;
+} lookup_module_info;
+
+/* End of lookupapi.h */
diff --git a/src/lookups/Makefile b/src/lookups/Makefile
new file mode 100644
index 0000000..19585bf
--- /dev/null
+++ b/src/lookups/Makefile
@@ -0,0 +1,76 @@
+# Make file for building Exim's lookup modules.
+# This is called from the main make file, after cd'ing
+# to the lookups subdirectory.
+#
+# Copyright (c) The Exim Maintainers 2021
+
+# nb: at build time, the version of this file used will have had some
+#     extra variable definitions and prepended to it and module build rules
+#     interpolated below.
+
+# MAGIC-TAG-MODS-OBJ-RULES-GO-HERE
+
+
+all:             lookups.a lf_quote.o lf_check_file.o lf_sqlperform.o $(MODS)
+
+lookups.a:       $(OBJ)
+		 @$(RM_COMMAND) -f lookups.a
+		 @echo "$(AR) lookups.a"
+		 @$(AR) lookups.a $(OBJ)
+		 $(RANLIB) $@
+
+.SUFFIXES:       .o .c .so
+.c.o:;           @echo "$(CC) $*.c"
+		 $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
+
+.c.so:;          @echo "$(CC) -shared $*.c"
+		 $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $*.c -o $@
+
+lf_check_file.o: $(HDRS) lf_check_file.c  lf_functions.h
+lf_quote.o:      $(HDRS) lf_quote.c       lf_functions.h
+lf_sqlperform.o: $(HDRS) lf_sqlperform.c  lf_functions.h
+
+cdb.o:           $(HDRS) cdb.c
+dbmdb.o:         $(HDRS) dbmdb.c
+dnsdb.o:         $(HDRS) dnsdb.c
+dsearch.o:       $(HDRS) dsearch.c
+ibase.o:         $(HDRS) ibase.c
+ldap.o:          $(HDRS) ldap.c
+lmdb.o:          $(HDRS) lmdb.c
+json.o:          $(HDRS) json.c
+lsearch.o:       $(HDRS) lsearch.c
+mysql.o:         $(HDRS) mysql.c
+nis.o:           $(HDRS) nis.c
+nisplus.o:       $(HDRS) nisplus.c
+oracle.o:        $(HDRS) oracle.c
+passwd.o:        $(HDRS) passwd.c
+pgsql.o:         $(HDRS) pgsql.c
+readsock.o:      $(HDRS) readsock.c
+redis.o:         $(HDRS) redis.c
+spf.o:           $(HDRS) spf.c
+sqlite.o:        $(HDRS) sqlite.c
+testdb.o:        $(HDRS) testdb.c
+whoson.o:        $(HDRS) whoson.c
+
+cdb.so:           $(HDRS) cdb.c
+dbmdb.so:         $(HDRS) dbmdb.c
+dnsdb.so:         $(HDRS) dnsdb.c
+dsearch.so:       $(HDRS) dsearch.c
+ibase.so:         $(HDRS) ibase.c
+json.so:          $(HDRS) json.c
+ldap.so:          $(HDRS) ldap.c
+lmdb.so:          $(HDRS) lmdb.c
+lsearch.so:       $(HDRS) lsearch.c
+mysql.so:         $(HDRS) mysql.c
+nis.so:           $(HDRS) nis.c
+nisplus.so:       $(HDRS) nisplus.c
+oracle.so:        $(HDRS) oracle.c
+passwd.so:        $(HDRS) passwd.c
+pgsql.so:         $(HDRS) pgsql.c
+redis.so:         $(HDRS) redis.c
+spf.so:           $(HDRS) spf.c
+sqlite.so:        $(HDRS) sqlite.c
+testdb.so:        $(HDRS) testdb.c
+whoson.so:        $(HDRS) whoson.c
+
+# End
diff --git a/src/lookups/README b/src/lookups/README
new file mode 100644
index 0000000..2e87eda
--- /dev/null
+++ b/src/lookups/README
@@ -0,0 +1,181 @@
+LOOKUPS
+-------
+
+Each lookup type is implemented by 6 functions, xxx_open(), xxx_check(),
+xxx_find(), xxx_close(), xxx_tidy(), and xxx_quote(), where xxx is the name of
+the lookup type (e.g. lsearch, dbm, or whatever). In addition, there is
+a version reporting function used to trace compile-vs-runtime conflicts and
+to help administrators ensure that the modules from the correct build are
+in use by the main binary.
+
+The xxx_check(), xxx_close(), xxx_tidy(), and xxx_quote() functions need not
+exist. There is a table in drtables.c which links the lookup names to the
+various sets of functions, with NULL entries for any that don't exist. When
+the code for a lookup type is omitted from the binary, all its entries are
+NULL.
+
+One of the fields in the table contains flags describing the kind of lookup.
+These are
+
+  lookup_querystyle
+
+This is a "query style" lookup without a file name, as opposed to the "single
+key" style, where the key is associated with a "file name".
+
+  lookup_absfile
+
+For single key lookups, this means that the file name must be an absolute path.
+It is set for lsearch and dbm, but not for NIS, for example.
+
+  lookup_absfilequery
+
+This is a query-style lookup that must start with an absolute file name. For
+example, the sqlite lookup is of this type.
+
+When a single-key or absfilequery lookup file is opened, the handle returned by
+the xxx_open() function is saved, along with the file name and lookup type, in
+a tree. Traditionally, lookup_querystyle does not use this (just returning a
+dummy value, and doing the "open" work in the xxx_find() routine); but this is
+not enforced by the framework.
+
+The xxx_close() function is not called when the first lookup is completed. If
+there are subsequent lookups of the same type that quote the same file name,
+xxx_open() isn't called; instead the cached handle is re-used.
+
+Exim calls the function search_tidyup() at strategic points in its processing
+(e.g. after all routing and directing has been done) and this function walks
+the tree and calls the xxx_close() functions for all the cached handles.
+
+Query-style lookups don't have the concept of an open file that can be cached
+this way. Of course, the local code for the lookup can manage its own caching
+information in any way it pleases. This means that the xxx_close()
+function, even it it exists, is never called. However, if an xxx_tidy()
+function exists, it is called once whenever Exim calls search_tidyup().
+
+A single-key lookup type may also have an xxx_tidy() function, which is called
+by search_tidyup() after all cached handles have been closed via the
+xxx_close() function.
+
+The lookup functions are wrapped into a special store pool (POOL_SEARCH). You
+can safely use store_get to allocate store for your handle caching. The store
+will be reset after all xxx_tidy() functions are called.
+
+The function interfaces are as follows:
+
+
+xxx_open()
+----------
+
+This function is called to initiate the lookup. For things that involve files
+it should do a real open; for other kinds of lookup it may do nothing at all.
+The arguments are:
+
+  uschar *filename    the name of the "file" to open, for non-query-style
+                        lookups; NULL for query-style lookups
+  uschar **errmsg     where to put an error message if there is a problem
+
+The yield of xxx_open() is a void * value representing the open file or
+database. For real files is is normally the FILE or DBM value. For other
+kinds of lookup, if there is no natural value to use, (-1) is recommended.
+The value should not be NULL (or 0) as that is taken to indicate failure of
+the xxx_open() function. For single-key lookups, the handle is cached along
+with the filename and type, and may be used for several lookups.
+
+
+xxx_check()
+-----------
+
+If this function exists, it is called after a successful open to check on the
+ownership and mode of the file(s). The arguments are:
+
+  void *handle        the handle passed back from xxx_open()
+  uschar *filename    the filename passed to xxx_open()
+  int modemask        mode bits that must not be set
+  int *owners         permitted owners of the file(s)
+  int *owngroups      permitted group owners of the file(s)
+  uschar **errmsg     where to put an error message if there is a problem
+
+In the owners and owngroups vectors, the first element is the count of the
+remaining elements. There is a common function that can be called to check
+a file:
+
+int search_check_file(int fd, char *filename, int modemask, int *owners,
+  int *owngroups, char *type, char **errmsg);
+
+If fd is >= 0, it is checked using fstat(), and filename is used only in
+error messages. If fd is < 0 then filename is checked using stat(). The yield
+is zero if all is well, +1 if the mode or uid or gid is wrong, or -1 if the
+stat() fails.
+
+The yield of xxx_check() is TRUE if all is well, FALSE otherwise. The
+function should not close the file(s) on failure. That is done from outside
+by calling the xxx_close() function.
+
+
+xxx_find()
+----------
+
+This is called to search an open file/database. The result is OK, FAIL, or
+DEFER. The arguments are:
+
+  void *handle        the handle passed back from xxx_open()
+  uschar *filename    the filename passed to xxx_open() (NULL for querystyle)
+  uschar *keyquery    the key to look up, or query to process, zero-terminated
+  int  length         the length of the key
+  uschar **result     point to the yield, in dynamic store, on success
+  uschar **errmsg     where to put an error message on failure;
+                      this is initially set to "", and should be left
+                      as that for a standard "entry not found" error
+  uint *do_cache      the lookup should set this to 0 when it changes data.
+                      This is MAXINT by default. When set to 0 the cache tree
+                      of the current search handle will be cleaned and the
+                      current result will NOT be cached. Currently the mysql
+                      and pgsql lookups use this when UPDATE/INSERT queries are
+                      executed.
+                      If set to a nonzero number of seconds, the cached value
+                      becomes unusable after this time. Currently the dnsdb
+                      lookup uses this to support the TTL value.
+  uschar *opts	      options, a comma-separated list of tagged values for
+                      modifying the search operation
+
+Even though the key is zero-terminated, the length is passed because in the
+common case it has been computed already and is often needed.
+
+
+xxx_close()
+-----------
+
+This is called for single-key lookups when a file is finished with. There is no
+yield, and the only argument is the handle that was passed back from
+xxx_open(). It is not called for query style lookups.
+
+
+xxx_tidy()
+----------
+
+This function is called once at the end of search_tidyup() for every lookup
+type for which it exists.
+
+
+xxx_quote()
+-----------
+
+This is called by the string expansion code for expansions of the form
+${quote_xxx:<string>}, if it exists. If not, the expansion code makes no change
+to the string. The function must apply any quoting rules that are specific to
+the lookup, and return a pointer to the revised string. If quoting is not
+needed, it can return its single argument, which is a uschar *. This function
+does NOT use the POOL_SEARCH store, because it's usually never called from any
+lookup code.
+
+xxx_version_report()
+--------------------
+
+This is called to report diagnostic information to a file stream.
+Typically it would report both compile-time and run-time version information.
+The arguments are:
+
+  FILE *stream    where to fprintf() the data to
+
+
+****
diff --git a/src/lookups/cdb.c b/src/lookups/cdb.c
new file mode 100644
index 0000000..966078f
--- /dev/null
+++ b/src/lookups/cdb.c
@@ -0,0 +1,490 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/*
+ * Exim - CDB database lookup module
+ * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ *
+ * Copyright (c) The Exim Maintainers 2020 - 2022
+ * Copyright (c) 1998 Nigel Metheringham, Planet Online Ltd
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * --------------------------------------------------------------
+ * Modified by PH for Exim 4:
+ *   Changed over to using unsigned chars
+ *   Makes use of lf_check_file() for file checking
+ * --------------------------------------------------------------
+ * Modified by The Exim Maintainers 2015:
+ *   const propagation
+ * --------------------------------------------------------------
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ *
+ * This code implements Dan Bernstein's Constant DataBase (cdb) spec.
+ * Information, the spec and sample code for cdb can be obtained from
+ *      http://www.pobox.com/~djb/cdb.html
+ *
+ * This implementation borrows some code from Dan Bernstein's
+ * implementation (which has no license restrictions applied to it).
+ * This (read-only) implementation is completely contained within
+ * cdb.[ch] it does *not* link against an external cdb library.
+ *
+ *
+ * There are 2 variants included within this code.  One uses MMAP and
+ * should give better performance especially for multiple lookups on a
+ * modern machine.  The other is the default implementation which is
+ * used in the case where the MMAP fails or if MMAP was not compiled
+ * in.  this implementation is the same as the original reference cdb
+ * implementation.  The MMAP version is compiled in if the HAVE_MMAP
+ * preprocessor define is defined - this should be set in the system
+ * specific os.h file.
+ *
+ */
+
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+#ifdef HAVE_MMAP
+#  include <sys/mman.h>
+/* Not all implementations declare MAP_FAILED */
+#  ifndef MAP_FAILED
+#    define MAP_FAILED ((void *) -1)
+#  endif /* MAP_FAILED */
+#endif /* HAVE_MMAP */
+
+
+#define CDB_HASH_SPLIT 256     /* num pieces the hash table is split into */
+#define CDB_HASH_MASK  255     /* mask to and off split value */
+#define CDB_HASH_ENTRY 8       /* how big each offset it */
+#define CDB_HASH_TABLE (CDB_HASH_SPLIT * CDB_HASH_ENTRY)
+
+/* State information for cdb databases that are open NB while the db
+ * is open its contents will not change (cdb dbs are normally updated
+ * atomically by renaming).  However the lifetime of one of these
+ * state structures should be limited - ie a long running daemon
+ * that opens one may hit problems....
+ */
+
+struct cdb_state {
+  int     fileno;
+  off_t   filelen;
+  uschar *cdb_map;
+  uschar *cdb_offsets;
+};
+
+/* 32 bit unsigned type - this is an int on all modern machines */
+typedef unsigned int uint32;
+
+/*
+ * cdb_hash()
+ * Internal function to make hash value */
+
+static uint32
+cdb_hash(const uschar *buf, unsigned int len)
+{
+  uint32 h;
+
+  h = 5381;
+  while (len) {
+    --len;
+    h += (h << 5);
+    h ^= (uint32) *buf++;
+  }
+  return h;
+}
+
+/*
+ * cdb_bread()
+ * Internal function to read len bytes from disk, coping with oddities */
+
+static int
+cdb_bread(int fd,
+         uschar *buf,
+         int len)
+{
+  int r;
+  while (len > 0) {
+    do
+      r = Uread(fd,buf,len);
+    while ((r == -1) && (errno == EINTR));
+    if (r == -1) return -1;
+    if (r == 0) { errno = EIO; return -1; }
+    buf += r;
+    len -= r;
+  }
+  return 0;
+}
+
+/*
+ * cdb_bread()
+ * Internal function to parse 4 byte number (endian independent) */
+
+static uint32
+cdb_unpack(uschar *buf)
+{
+uint32 num;
+num =  buf[3]; num <<= 8;
+num += buf[2]; num <<= 8;
+num += buf[1]; num <<= 8;
+num += buf[0];
+return num;
+}
+
+static void cdb_close(void *handle);
+
+static void *
+cdb_open(const uschar * filename, uschar ** errmsg)
+{
+int fileno;
+struct cdb_state *cdbp;
+struct stat statbuf;
+void * mapbuf;
+
+if ((fileno = Uopen(filename, O_RDONLY, 0)) < 0)
+  {
+  *errmsg = string_open_failed("%s for cdb lookup", filename);
+  return NULL;
+  }
+
+if (fstat(fileno, &statbuf) != 0)
+  {
+  *errmsg = string_open_failed("fstat(%s) failed - cannot do cdb lookup",
+			      filename);
+  return NULL;
+  }
+
+/* If this is a valid file, then it *must* be at least
+CDB_HASH_TABLE bytes long */
+
+if (statbuf.st_size < CDB_HASH_TABLE)
+  {
+  *errmsg = string_open_failed("%s too short for cdb lookup", filename);
+  return NULL;
+  }
+
+/* Having got a file open we need the structure to put things in */
+cdbp = store_get(sizeof(struct cdb_state), GET_UNTAINTED);
+/* store_get() does not return if memory was not available... */
+/* preload the structure.... */
+cdbp->fileno = fileno;
+cdbp->filelen = statbuf.st_size;
+cdbp->cdb_map = NULL;
+cdbp->cdb_offsets = NULL;
+
+/* if we are allowed to we use mmap here.... */
+#ifdef HAVE_MMAP
+if ((mapbuf = mmap(NULL, statbuf.st_size, PROT_READ, MAP_SHARED, fileno, 0))
+    != MAP_FAILED)
+  {
+  /* We have an mmap-ed section.  Now we can just use it */
+  cdbp->cdb_map = mapbuf;
+  /* The offsets can be set to the same value since they should
+   * effectively be cached as well
+   */
+  cdbp->cdb_offsets = mapbuf;
+
+  /* Now return the state struct */
+  return(cdbp);
+  }
+
+/* If we got here the map failed.  Basically we can ignore this since we fall
+back to slower methods....  However lets debug log it...  */
+
+DEBUG(D_lookup) debug_printf_indent("cdb mmap failed - %d\n", errno);
+#endif /* HAVE_MMAP */
+
+/* In this case we have either not got MMAP allowed, or it failed */
+
+/* get a buffer to stash the basic offsets in - this should speed
+things up a lot - especially on multiple lookups */
+
+cdbp->cdb_offsets = store_get(CDB_HASH_TABLE, GET_UNTAINTED);
+
+/* now fill the buffer up... */
+
+if (cdb_bread(fileno, cdbp->cdb_offsets, CDB_HASH_TABLE) == -1)
+  {
+  /* read of hash table failed, oh dear, oh.....  time to give up I think....
+  call the close routine (deallocs the memory), and return NULL */
+
+  *errmsg = string_open_failed("cannot read header from %s for cdb lookup",
+			      filename);
+  cdb_close(cdbp);
+  return NULL;
+  }
+
+/* Everything else done - return the cache structure */
+return cdbp;
+}
+
+
+
+/*************************************************
+*             Check entry point                  *
+*************************************************/
+
+static BOOL
+cdb_check(void * handle, const uschar * filename, int modemask,
+  uid_t * owners, gid_t * owngroups, uschar ** errmsg)
+{
+struct cdb_state * cdbp = handle;
+return lf_check_file(cdbp->fileno, filename, S_IFREG, modemask,
+		     owners, owngroups, "cdb", errmsg) == 0;
+}
+
+
+
+/*************************************************
+*              Find entry point                  *
+*************************************************/
+
+static int
+cdb_find(void * handle, const uschar * filename, const uschar * keystring,
+  int key_len, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+struct cdb_state * cdbp = handle;
+uint32 item_key_len,
+item_dat_len,
+key_hash,
+item_hash,
+item_posn,
+cur_offset,
+end_offset,
+hash_offset_entry,
+hash_offset,
+hash_offlen,
+hash_slotnm;
+
+key_hash = cdb_hash(keystring, key_len);
+
+hash_offset_entry = CDB_HASH_ENTRY * (key_hash & CDB_HASH_MASK);
+hash_offset = cdb_unpack(cdbp->cdb_offsets + hash_offset_entry);
+hash_offlen = cdb_unpack(cdbp->cdb_offsets + hash_offset_entry + 4);
+
+/* If the offset length is zero this key cannot be in the file */
+
+if (hash_offlen == 0)
+  return FAIL;
+
+hash_slotnm = (key_hash >> 8) % hash_offlen;
+
+/* check to ensure that the file is not corrupt
+ * if the hash_offset + (hash_offlen * CDB_HASH_ENTRY) is longer
+ * than the file, then we have problems.... */
+
+if ((hash_offset + (hash_offlen * CDB_HASH_ENTRY)) > cdbp->filelen)
+  {
+  *errmsg = string_sprintf("cdb: corrupt cdb file %s (too short)",
+		      filename);
+  DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
+  return DEFER;
+  }
+
+cur_offset = hash_offset + (hash_slotnm * CDB_HASH_ENTRY);
+end_offset = hash_offset + (hash_offlen * CDB_HASH_ENTRY);
+
+/* if we are allowed to we use mmap here.... */
+
+#ifdef HAVE_MMAP
+/* make sure the mmap was OK */
+if (cdbp->cdb_map != NULL)
+  {
+  uschar * cur_pos = cur_offset + cdbp->cdb_map;
+  uschar * end_pos = end_offset + cdbp->cdb_map;
+
+  for (int loop = 0; (loop < hash_offlen); ++loop)
+    {
+    item_hash = cdb_unpack(cur_pos);
+    cur_pos += 4;
+    item_posn = cdb_unpack(cur_pos);
+    cur_pos += 4;
+
+    /* if the position is zero then we have a definite miss */
+
+    if (item_posn == 0)
+      return FAIL;
+
+    if (item_hash == key_hash)
+      {					/* matching hash value */
+      uschar * item_ptr = cdbp->cdb_map + item_posn;
+
+      item_key_len = cdb_unpack(item_ptr);
+      item_ptr += 4;
+      item_dat_len = cdb_unpack(item_ptr);
+      item_ptr += 4;
+
+      /* check key length matches */
+
+      if (item_key_len == key_len)
+	{
+	 /* finally check if key matches */
+	 if (Ustrncmp(keystring, item_ptr, key_len) == 0)
+	   {
+	   /* we have a match....  * make item_ptr point to data */
+
+	   item_ptr += item_key_len;
+
+	   /* ... and the returned result.  Assume it is not
+	   tainted, lacking any way of telling.  */
+
+	   *result = store_get(item_dat_len + 1, GET_UNTAINTED);
+	   memcpy(*result, item_ptr, item_dat_len);
+	   (*result)[item_dat_len] = 0;
+	   return OK;
+	   }
+	}
+      }
+    /* handle warp round of table */
+    if (cur_pos == end_pos)
+    cur_pos = cdbp->cdb_map + hash_offset;
+    }
+  /* looks like we failed... */
+  return FAIL;
+  }
+
+#endif /* HAVE_MMAP */
+
+for (int loop = 0; (loop < hash_offlen); ++loop)
+  {
+  uschar packbuf[8];
+
+  if (lseek(cdbp->fileno, (off_t) cur_offset, SEEK_SET) == -1) return DEFER;
+  if (cdb_bread(cdbp->fileno, packbuf, 8) == -1) return DEFER;
+
+  item_hash = cdb_unpack(packbuf);
+  item_posn = cdb_unpack(packbuf + 4);
+
+  /* if the position is zero then we have a definite miss */
+
+  if (item_posn == 0)
+    return FAIL;
+
+  if (item_hash == key_hash)
+    {						/* matching hash value */
+    if (lseek(cdbp->fileno, (off_t) item_posn, SEEK_SET) == -1) return DEFER;
+    if (cdb_bread(cdbp->fileno, packbuf, 8) == -1) return DEFER;
+
+    item_key_len = cdb_unpack(packbuf);
+
+    /* check key length matches */
+
+    if (item_key_len == key_len)
+      {					/* finally check if key matches */
+      rmark reset_point = store_mark();
+      uschar * item_key = store_get(key_len, GET_TAINTED); /* keys liable to be tainted */
+
+      if (cdb_bread(cdbp->fileno, item_key, key_len) == -1) return DEFER;
+      if (Ustrncmp(keystring, item_key, key_len) == 0)
+        {
+        /* Reclaim some store */
+        store_reset(reset_point);
+
+        /* matches - get data length */
+        item_dat_len = cdb_unpack(packbuf + 4);
+
+        /* then we build a new result string.  We know we have enough
+        memory so disable Coverity errors about the tainted item_dat_ken */
+
+        *result = store_get(item_dat_len + 1, GET_UNTAINTED);
+        /* coverity[tainted_data] */
+        if (cdb_bread(cdbp->fileno, *result, item_dat_len) == -1)
+	  return DEFER;
+
+        /* coverity[tainted_data] */
+        (*result)[item_dat_len] = 0;
+        return OK;
+        }
+      /* Reclaim some store */
+      store_reset(reset_point);
+      }
+    }
+  cur_offset += 8;
+
+  /* handle warp round of table */
+  if (cur_offset == end_offset)
+  cur_offset = hash_offset;
+  }
+return FAIL;
+}
+
+
+
+/*************************************************
+*              Close entry point                 *
+*************************************************/
+
+/* See local README for interface description */
+
+static void
+cdb_close(void *handle)
+{
+struct cdb_state * cdbp = handle;
+
+#ifdef HAVE_MMAP
+if (cdbp->cdb_map)
+  {
+  munmap(CS cdbp->cdb_map, cdbp->filelen);
+  if (cdbp->cdb_map == cdbp->cdb_offsets)
+     cdbp->cdb_offsets = NULL;
+  }
+#endif /* HAVE_MMAP */
+
+(void)close(cdbp->fileno);
+}
+
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+cdb_version_report(gstring * g)
+{
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "Library version: CDB: Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+
+lookup_info cdb_lookup_info = {
+  .name = US"cdb",			/* lookup name */
+  .type = lookup_absfile,		/* absolute file name */
+  .open = cdb_open,			/* open function */
+  .check = cdb_check,			/* check function */
+  .find = cdb_find,			/* find function */
+  .close = cdb_close,			/* close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = cdb_version_report             /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+#define cdb_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &cdb_lookup_info };
+lookup_module_info cdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+/* End of lookups/cdb.c */
diff --git a/src/lookups/dbmdb.c b/src/lookups/dbmdb.c
new file mode 100644
index 0000000..32514af
--- /dev/null
+++ b/src/lookups/dbmdb.c
@@ -0,0 +1,284 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description */
+
+static void *
+dbmdb_open(const uschar * filename, uschar ** errmsg)
+{
+uschar * dirname = string_copy(filename);
+uschar * s;
+EXIM_DB * yield = NULL;
+
+if ((s = Ustrrchr(dirname, '/'))) *s = '\0';
+if (!(yield = exim_dbopen(filename, dirname, O_RDONLY, 0)))
+  *errmsg = string_open_failed("%s as a %s file", filename, EXIM_DBTYPE);
+return yield;
+}
+
+
+
+/*************************************************
+*             Check entry point                  *
+*************************************************/
+
+/* This needs to know more about the underlying files than is good for it!
+We need to know what the real file names are in order to check the owners and
+modes. If USE_DB is set, we know it is Berkeley DB, which uses an unmodified
+file name. If USE_TDB or USE_GDBM is set, we know it is tdb or gdbm, which do
+the same. Otherwise, for safety, we have to check for x.db or x.dir and x.pag.
+*/
+
+static BOOL
+dbmdb_check(void *handle, const uschar *filename, int modemask, uid_t *owners,
+  gid_t *owngroups, uschar **errmsg)
+{
+int rc;
+
+#if defined(USE_DB) || defined(USE_TDB) || defined(USE_GDBM)
+rc = lf_check_file(-1, filename, S_IFREG, modemask, owners, owngroups,
+  "dbm", errmsg);
+#else
+  {
+  uschar filebuffer[256];
+  (void)sprintf(CS filebuffer, "%.250s.db", filename);
+  rc = lf_check_file(-1, filebuffer, S_IFREG, modemask, owners, owngroups,
+    "dbm", errmsg);
+  if (rc < 0)        /* stat() failed */
+    {
+    (void)sprintf(CS filebuffer, "%.250s.dir", filename);
+    rc = lf_check_file(-1, filebuffer, S_IFREG, modemask, owners, owngroups,
+      "dbm", errmsg);
+    if (rc == 0)     /* x.dir was OK */
+      {
+      (void)sprintf(CS filebuffer, "%.250s.pag", filename);
+      rc = lf_check_file(-1, filebuffer, S_IFREG, modemask, owners, owngroups,
+        "dbm", errmsg);
+      }
+    }
+  }
+#endif
+
+return rc == 0;
+}
+
+
+
+/*************************************************
+*              Find entry point                  *
+*************************************************/
+
+/* See local README for interface description. This function adds 1 to
+the keylength in order to include the terminating zero. */
+
+static int
+dbmdb_find(void * handle, const uschar * filename, const uschar * keystring,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+EXIM_DB *d = (EXIM_DB *)handle;
+EXIM_DATUM key, data;
+
+exim_datum_init(&key);               /* Some DBM libraries require datums to */
+exim_datum_init(&data);              /* be cleared before use. */
+length++;
+exim_datum_data_set(&key,
+  memcpy(store_get(length, keystring), keystring, length)); /* key can have embedded NUL */
+exim_datum_size_set(&key, length);
+
+if (exim_dbget(d, &key, &data))
+  {
+  *result = string_copyn(exim_datum_data_get(&data), exim_datum_size_get(&data));
+  exim_datum_free(&data);            /* Some DBM libraries need a free() call */
+  return OK;
+  }
+return FAIL;
+}
+
+
+
+/*************************************************
+*      Find entry point - no zero on key         *
+*************************************************/
+
+/* See local README for interface description */
+
+static int
+dbmnz_find(void * handle, const uschar * filename, const uschar * keystring,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+return dbmdb_find(handle, filename, keystring, length-1, result, errmsg,
+  do_cache, opts);
+}
+
+
+
+/*************************************************
+*     Find entry point - zero-joined list key    *
+*************************************************/
+
+/*
+ * The parameter passed as a key is a list in normal Exim list syntax.
+ * The elements of that list are joined together on NUL, with no trailing
+ * NUL, to form the key.
+ */
+
+static int
+dbmjz_find(void * handle, const uschar * filename, const uschar * keystring,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+uschar *key_item, *key_buffer, *key_p;
+const uschar *key_elems = keystring;
+int buflen, bufleft, key_item_len, sep = 0;
+
+/* To a first approximation, the size of the lookup key needs to be about,
+or less than, the length of the delimited list passed in + 1. */
+
+buflen = length + 3;
+key_buffer = store_get(buflen, keystring);
+
+key_buffer[0] = '\0';
+
+key_p = key_buffer;
+bufleft = buflen;
+
+/* In all cases of an empty list item, we can set 1 and advance by 1 and then
+pick up the trailing NUL from the previous list item, EXCEPT when at the
+beginning of the output string, in which case we need to supply that NUL
+ourselves.  */
+while ((key_item = string_nextinlist(&key_elems, &sep, key_p, bufleft)) != NULL)
+  {
+  key_item_len = Ustrlen(key_item) + 1;
+  if (key_item_len == 1)
+    {
+    key_p[0] = '\0';
+    if (key_p == key_buffer)
+      {
+      key_p[1] = '\0';
+      key_item_len += 1;
+      }
+    }
+
+  bufleft -= key_item_len;
+  if (bufleft <= 0)
+    {
+    /* The string_nextinlist() will stop at buffer size, but we should always
+    have at least 1 character extra, so some assumption has failed. */
+    *errmsg = string_copy(US"Ran out of buffer space for joining elements");
+    return DEFER;
+    }
+  key_p += key_item_len;
+  }
+
+if (key_p == key_buffer)
+  {
+  *errmsg = string_copy(US"empty list key");
+  return FAIL;
+  }
+
+/* We do not pass in the final NULL; if needed, the list should include an
+empty element to put one in. Boundary: key length 1, is a NULL */
+key_item_len = key_p - key_buffer - 1;
+
+DEBUG(D_lookup) debug_printf_indent("NUL-joined key length: %d\n", key_item_len);
+
+/* beware that dbmdb_find() adds 1 to length to get back terminating NUL, so
+because we've calculated the real length, we need to subtract one more here */
+
+return dbmdb_find(handle, filename, key_buffer, key_item_len - 1,
+    result, errmsg, do_cache, opts);
+}
+
+
+
+/*************************************************
+*              Close entry point                 *
+*************************************************/
+
+/* See local README for interface description */
+
+void
+static dbmdb_close(void *handle)
+{
+exim_dbclose((EXIM_DB *)handle);
+}
+
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+dbm_version_report(gstring * g)
+{
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "Library version: DBM: Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+
+lookup_info dbm_lookup_info = {
+  .name = US"dbm",			/* lookup name */
+  .type = lookup_absfile,		/* uses absolute file name */
+  .open = dbmdb_open,			/* open function */
+  .check = dbmdb_check,			/* check function */
+  .find = dbmdb_find,			/* find function */
+  .close = dbmdb_close,			/* close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = dbm_version_report             /* version reporting */
+};
+
+lookup_info dbmz_lookup_info = {
+  .name = US"dbmnz",			/* lookup name */
+  .type = lookup_absfile,		/* uses absolute file name */
+  .open = dbmdb_open,			/* sic */     /* open function */
+  .check = dbmdb_check,			/* sic */     /* check function */
+  .find = dbmnz_find,			/* find function */
+  .close = dbmdb_close,			/* sic */     /* close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = NULL                           /* no version reporting (redundant) */
+};
+
+lookup_info dbmjz_lookup_info = {
+  .name = US"dbmjz",			/* lookup name */
+  .type = lookup_absfile,		/* uses absolute file name */
+  .open = dbmdb_open,			/* sic */     /* open function */
+  .check = dbmdb_check,			/* sic */     /* check function */
+  .find = dbmjz_find,			/* find function */
+  .close = dbmdb_close,			/* sic */     /* close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = NULL                           /* no version reporting (redundant) */
+};
+
+#ifdef DYNLOOKUP
+#define dbmdb_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &dbm_lookup_info, &dbmz_lookup_info, &dbmjz_lookup_info };
+lookup_module_info dbmdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 3 };
+
+/* End of lookups/dbmdb.c */
diff --git a/src/lookups/dnsdb.c b/src/lookups/dnsdb.c
new file mode 100644
index 0000000..355be1b
--- /dev/null
+++ b/src/lookups/dnsdb.c
@@ -0,0 +1,614 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+
+
+/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
+header files. */
+
+#ifndef T_TXT
+# define T_TXT 16
+#endif
+
+/* Many systems do not have T_SPF. */
+#ifndef T_SPF
+# define T_SPF 99
+#endif
+
+/* New TLSA record for DANE */
+#ifndef T_TLSA
+# define T_TLSA 52
+#endif
+
+/* Table of recognized DNS record types and their integer values. */
+
+static const char *type_names[] = {
+  "a",
+#if HAVE_IPV6
+  "a+",
+  "aaaa",
+#endif
+  "cname",
+  "csa",
+  "mx",
+  "mxh",
+  "ns",
+  "ptr",
+  "soa",
+  "spf",
+  "srv",
+  "tlsa",
+  "txt",
+  "zns"
+};
+
+static int type_values[] = {
+  T_A,
+#if HAVE_IPV6
+  T_ADDRESSES,     /* Private type for AAAA + A */
+  T_AAAA,
+#endif
+  T_CNAME,
+  T_CSA,     /* Private type for "Client SMTP Authorization". */
+  T_MX,
+  T_MXH,     /* Private type for "MX hostnames" */
+  T_NS,
+  T_PTR,
+  T_SOA,
+  T_SPF,
+  T_SRV,
+  T_TLSA,
+  T_TXT,
+  T_ZNS      /* Private type for "zone nameservers" */
+};
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void *
+dnsdb_open(const uschar * filename, uschar **errmsg)
+{
+return (void *)(-1);   /* Any non-0 value */
+}
+
+
+
+/*************************************************
+*           Find entry point for dnsdb           *
+*************************************************/
+
+/* See local README for interface description. The query in the "keystring" may
+consist of a number of parts.
+
+(a) If the first significant character is '>' then the next character is the
+separator character that is used when multiple records are found. The default
+separator is newline.
+
+(b) If the next character is ',' then the next character is the separator
+character used for multiple items of text in "TXT" records. Alternatively,
+if the next character is ';' then these multiple items are concatenated with
+no separator. With neither of these options specified, only the first item
+is output.  Similarly for "SPF" records, but the default for joining multiple
+items in one SPF record is the empty string, for direct concatenation.
+
+(c) Options, all comma-terminated, in any order.  Any unrecognised option
+terminates option processing.  Recognised options are:
+
+- 'defer_FOO':  set the defer behaviour to FOO.  The possible behaviours are:
+'strict', where any defer causes the whole lookup to defer; 'lax', where a defer
+causes the whole lookup to defer only if none of the DNS queries succeeds; and
+'never', where all defers are as if the lookup failed. The default is 'lax'.
+
+- 'dnssec_FOO', with 'strict', 'lax' (default), and 'never'.  The meanings are
+require, try and don't-try dnssec respectively.
+
+- 'retrans_VAL', set the timeout value.  VAL is an Exim time specification
+(eg "5s").  The default is set by the main configuration option 'dns_retrans'.
+
+- 'retry_VAL', set the retry count on timeouts.  VAL is an integer.  The
+default is set by the main configuration option "dns_retry".
+
+(d) If the next sequence of characters is a sequence of letters and digits
+followed by '=', it is interpreted as the name of the DNS record type. The
+default is "TXT".
+
+(e) Then there follows list of domain names. This is a generalized Exim list,
+which may start with '<' in order to set a specific separator. The default
+separator, as always, is colon. */
+
+static int
+dnsdb_find(void * handle, const uschar * filename, const uschar * keystring,
+ int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+ const uschar * opts)
+{
+int rc;
+int sep = 0;
+int defer_mode = PASS;
+int dnssec_mode = PASS;
+int save_retrans = dns_retrans;
+int save_retry =   dns_retry;
+int type;
+int failrc = FAIL;
+const uschar *outsep = CUS"\n";
+const uschar *outsep2 = NULL;
+uschar *equals, *domain, *found;
+
+dns_answer * dnsa = store_get_dns_answer();
+dns_scan dnss;
+
+/* Because we're working in the search pool, we try to reclaim as much
+store as possible later, so we preallocate the result here */
+
+gstring * yield = string_get(256);
+
+/* If the string starts with '>' we change the output separator.
+If it's followed by ';' or ',' we set the TXT output separator. */
+
+while (isspace(*keystring)) keystring++;
+if (*keystring == '>')
+  {
+  outsep = keystring + 1;
+  keystring += 2;
+  if (*keystring == ',')
+    {
+    outsep2 = keystring + 1;
+    keystring += 2;
+    }
+  else if (*keystring == ';')
+    {
+    outsep2 = US"";
+    keystring++;
+    }
+  while (isspace(*keystring)) keystring++;
+  }
+
+/* Check for a modifier keyword. */
+
+for (;;)
+  {
+  if (strncmpic(keystring, US"defer_", 6) == 0)
+    {
+    keystring += 6;
+    if (strncmpic(keystring, US"strict", 6) == 0)
+      { defer_mode = DEFER; keystring += 6; }
+    else if (strncmpic(keystring, US"lax", 3) == 0)
+      { defer_mode = PASS; keystring += 3; }
+    else if (strncmpic(keystring, US"never", 5) == 0)
+      { defer_mode = OK; keystring += 5; }
+    else
+      {
+      *errmsg = US"unsupported dnsdb defer behaviour";
+      rc = DEFER;
+      goto out;
+      }
+    }
+  else if (strncmpic(keystring, US"dnssec_", 7) == 0)
+    {
+    keystring += 7;
+    if (strncmpic(keystring, US"strict", 6) == 0)
+      { dnssec_mode = DEFER; keystring += 6; }
+    else if (strncmpic(keystring, US"lax", 3) == 0)
+      { dnssec_mode = PASS; keystring += 3; }
+    else if (strncmpic(keystring, US"never", 5) == 0)
+      { dnssec_mode = OK; keystring += 5; }
+    else
+      {
+      *errmsg = US"unsupported dnsdb dnssec behaviour";
+      rc = DEFER;
+      goto out;
+      }
+    }
+  else if (strncmpic(keystring, US"retrans_", 8) == 0)
+    {
+    int timeout_sec;
+    if ((timeout_sec = readconf_readtime(keystring += 8, ',', FALSE)) <= 0)
+      {
+      *errmsg = US"unsupported dnsdb timeout value";
+      rc = DEFER;
+      goto out;
+      }
+    dns_retrans = timeout_sec;
+    while (*keystring != ',') keystring++;
+    }
+  else if (strncmpic(keystring, US"retry_", 6) == 0)
+    {
+    int retries;
+    if ((retries = (int)strtol(CCS keystring + 6, CSS &keystring, 0)) < 0)
+      {
+      *errmsg = US"unsupported dnsdb retry count";
+      rc = DEFER;
+      goto out;
+      }
+    dns_retry = retries;
+    }
+  else
+    break;
+
+  while (isspace(*keystring)) keystring++;
+  if (*keystring++ != ',')
+    {
+    *errmsg = US"dnsdb modifier syntax error";
+    rc = DEFER;
+    goto out;
+    }
+  while (isspace(*keystring)) keystring++;
+  }
+
+/* Figure out the "type" value if it is not T_TXT.
+If the keystring contains an = this must be preceded by a valid type name. */
+
+type = T_TXT;
+if ((equals = Ustrchr(keystring, '=')) != NULL)
+  {
+  int i, len;
+  uschar *tend = equals;
+
+  while (tend > keystring && isspace(tend[-1])) tend--;
+  len = tend - keystring;
+
+  for (i = 0; i < nelem(type_names); i++)
+    if (len == Ustrlen(type_names[i]) &&
+        strncmpic(keystring, US type_names[i], len) == 0)
+      {
+      type = type_values[i];
+      break;
+      }
+
+  if (i >= nelem(type_names))
+    {
+    *errmsg = US"unsupported DNS record type";
+    rc = DEFER;
+    goto out;
+    }
+
+  keystring = equals + 1;
+  while (isspace(*keystring)) keystring++;
+  }
+
+/* Initialize the resolver in case this is the first time it has been used. */
+
+dns_init(FALSE, FALSE, dnssec_mode != OK);
+
+/* The remainder of the string must be a list of domains. As long as the lookup
+for at least one of them succeeds, we return success. Failure means that none
+of them were found.
+
+The original implementation did not support a list of domains. Adding the list
+feature is compatible, except in one case: when PTR records are being looked up
+for a single IPv6 address. Fortunately, we can hack in a compatibility feature
+here: If the type is PTR and no list separator is specified, and the entire
+remaining string is valid as an IP address, set an impossible separator so that
+it is treated as one item. */
+
+if (type == T_PTR && keystring[0] != '<' &&
+    string_is_ip_address(keystring, NULL) != 0)
+  sep = -1;
+
+/* SPF strings should be concatenated without a separator, thus make
+it the default if not defined (see RFC 4408 section 3.1.3).
+Multiple SPF records are forbidden (section 3.1.2) but are currently
+not handled specially, thus they are concatenated with \n by default.
+MX priority and value are space-separated by default.
+SRV and TLSA record parts are space-separated by default. */
+
+if (!outsep2) switch(type)
+  {
+  case T_SPF:                         outsep2 = US"";  break;
+  case T_SRV: case T_MX: case T_TLSA: outsep2 = US" "; break;
+  }
+
+/* Now scan the list and do a lookup for each item */
+
+while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
+  {
+  int searchtype = type == T_CSA ? T_SRV :         /* record type we want */
+                   type == T_MXH ? T_MX :
+                   type == T_ZNS ? T_NS : type;
+
+  /* If the type is PTR or CSA, we have to construct the relevant magic lookup
+  key if the original is an IP address (some experimental protocols are using
+  PTR records for different purposes where the key string is a host name, and
+  Exim's extended CSA can be keyed by domains or IP addresses). This code for
+  doing the reversal is now in a separate function. */
+
+  if ((type == T_PTR || type == T_CSA) &&
+      string_is_ip_address(domain, NULL) != 0)
+    domain = dns_build_reverse(domain);
+
+  do
+    {
+    DEBUG(D_lookup) debug_printf_indent("dnsdb key: %s\n", domain);
+
+    /* Do the lookup and sort out the result. There are four special types that
+    are handled specially: T_CSA, T_ZNS, T_ADDRESSES and T_MXH.
+    The first two are handled in a special lookup function so that the facility
+    could be used from other parts of the Exim code. T_ADDRESSES is handled by looping
+    over the types of A lookup.  T_MXH affects only what happens later on in
+    this function, but for tidiness it is handled by the "special". If the
+    lookup fails, continue with the next domain. In the case of DEFER, adjust
+    the final "nothing found" result, but carry on to the next domain. */
+
+    found = domain;
+#if HAVE_IPV6
+    if (type == T_ADDRESSES)		/* NB cannot happen unless HAVE_IPV6 */
+      {
+      if (searchtype == T_ADDRESSES) searchtype = T_AAAA;
+      else if (searchtype == T_AAAA) searchtype = T_A;
+      rc = dns_special_lookup(dnsa, domain, searchtype, CUSS &found);
+      }
+    else
+#endif
+      rc = dns_special_lookup(dnsa, domain, type, CUSS &found);
+
+    lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
+      : dns_is_secure(dnsa) ? US"yes" : US"no";
+
+    if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
+    if (  rc != DNS_SUCCEED
+       || (dnssec_mode == DEFER && !dns_is_secure(dnsa))
+       )
+      {
+      if (defer_mode == DEFER)
+	{
+	dns_retrans = save_retrans;
+	dns_retry = save_retry;
+	dns_init(FALSE, FALSE, FALSE);			/* clr dnssec bit */
+	rc = DEFER;					/* always defer */
+	goto out;
+	}
+      if (defer_mode == PASS) failrc = DEFER;         /* defer only if all do */
+      continue;                                       /* treat defer as fail */
+      }
+
+
+    /* Search the returned records */
+
+    for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+         rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == searchtype)
+      {
+      if (*do_cache > rr->ttl)
+	*do_cache = rr->ttl;
+
+      if (type == T_A || type == T_AAAA || type == T_ADDRESSES)
+        {
+        for (dns_address * da = dns_address_from_rr(dnsa, rr); da; da = da->next)
+          {
+          if (yield->ptr) yield = string_catn(yield, outsep, 1);
+          yield = string_cat(yield, da->address);
+          }
+        continue;
+        }
+
+      /* Other kinds of record just have one piece of data each, but there may be
+      several of them, of course. */
+
+      if (yield->ptr) yield = string_catn(yield, outsep, 1);
+
+      if (type == T_TXT || type == T_SPF)
+        {
+        if (outsep2 == NULL)	/* output only the first item of data */
+          yield = string_catn(yield, US (rr->data+1), (rr->data)[0]);
+        else
+          {
+          /* output all items */
+          int data_offset = 0;
+          while (data_offset < rr->size)
+            {
+            uschar chunk_len = (rr->data)[data_offset++];
+            if (outsep2[0] != '\0' && data_offset != 1)
+              yield = string_catn(yield, outsep2, 1);
+            yield = string_catn(yield, US ((rr->data)+data_offset), chunk_len);
+            data_offset += chunk_len;
+            }
+          }
+        }
+      else if (type == T_TLSA)
+        {
+        uint8_t usage, selector, matching_type;
+        uint16_t payload_length;
+        uschar s[MAX_TLSA_EXPANDED_SIZE];
+	uschar * sp = s;
+        uschar * p = US rr->data;
+
+        usage = *p++;
+        selector = *p++;
+        matching_type = *p++;
+        /* What's left after removing the first 3 bytes above */
+        payload_length = rr->size - 3;
+        sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
+		selector, *outsep2, matching_type, *outsep2);
+        /* Now append the cert/identifier, one hex char at a time */
+	while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+          sp += sprintf(CS sp, "%02x", *p++);
+
+        yield = string_cat(yield, s);
+        }
+      else   /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SOA, T_SRV */
+        {
+        int priority, weight, port;
+        uschar s[264];
+        uschar * p = US rr->data;
+
+	switch (type)
+	  {
+	  case T_MXH:
+	    /* mxh ignores the priority number and includes only the hostnames */
+	    GETSHORT(priority, p);
+	    break;
+
+	  case T_MX:
+	    GETSHORT(priority, p);
+	    sprintf(CS s, "%d%c", priority, *outsep2);
+	    yield = string_cat(yield, s);
+	    break;
+
+	  case T_SRV:
+	    GETSHORT(priority, p);
+	    GETSHORT(weight, p);
+	    GETSHORT(port, p);
+	    sprintf(CS s, "%d%c%d%c%d%c", priority, *outsep2,
+			      weight, *outsep2, port, *outsep2);
+	    yield = string_cat(yield, s);
+	    break;
+
+	  case T_CSA:
+	    /* See acl_verify_csa() for more comments about CSA. */
+	    GETSHORT(priority, p);
+	    GETSHORT(weight, p);
+	    GETSHORT(port, p);
+
+	    if (priority != 1) continue;      /* CSA version must be 1 */
+
+	    /* If the CSA record we found is not the one we asked for, analyse
+	    the subdomain assertions in the port field, else analyse the direct
+	    authorization status in the weight field. */
+
+	    if (Ustrcmp(found, domain) != 0)
+	      {
+	      if (port & 1) *s = 'X';         /* explicit authorization required */
+	      else *s = '?';                  /* no subdomain assertions here */
+	      }
+	    else
+	      {
+	      if (weight < 2) *s = 'N';       /* not authorized */
+	      else if (weight == 2) *s = 'Y'; /* authorized */
+	      else if (weight == 3) *s = '?'; /* unauthorizable */
+	      else continue;                  /* invalid */
+	      }
+
+	    s[1] = ' ';
+	    yield = string_catn(yield, s, 2);
+	    break;
+
+	  default:
+	    break;
+	  }
+
+        /* GETSHORT() has advanced the pointer to the target domain. */
+
+        rc = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
+          (DN_EXPAND_ARG4_TYPE)s, sizeof(s));
+
+        /* If an overlong response was received, the data will have been
+        truncated and dn_expand may fail. */
+
+        if (rc < 0)
+          {
+          log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
+            "domain=%s", dns_text_type(type), domain);
+          break;
+          }
+        else yield = string_cat(yield, s);
+
+	if (type == T_SOA && outsep2 != NULL)
+	  {
+	  unsigned long serial, refresh, retry, expire, minimum;
+
+	  p += rc;
+	  yield = string_catn(yield, outsep2, 1);
+
+	  rc = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
+	    (DN_EXPAND_ARG4_TYPE)s, sizeof(s));
+	  if (rc < 0)
+	    {
+	    log_write(0, LOG_MAIN, "responsible-mailbox truncated: type=%s "
+	      "domain=%s", dns_text_type(type), domain);
+	    break;
+	    }
+	  else yield = string_cat(yield, s);
+
+	  p += rc;
+	  GETLONG(serial, p); GETLONG(refresh, p);
+	  GETLONG(retry,  p); GETLONG(expire,  p); GETLONG(minimum, p);
+	  sprintf(CS s, "%c%lu%c%lu%c%lu%c%lu%c%lu",
+	    *outsep2, serial, *outsep2, refresh,
+	    *outsep2, retry,  *outsep2, expire,  *outsep2, minimum);
+	  yield = string_cat(yield, s);
+	  }
+        }
+      }    /* Loop for list of returned records */
+
+           /* Loop for set of A-lookup types */
+    } while (type == T_ADDRESSES && searchtype != T_A);
+
+  }        /* Loop for list of domains */
+
+/* Reclaim unused memory */
+
+gstring_release_unused(yield);
+
+/* If yield NULL we have not found anything. Otherwise, insert the terminating
+zero and return the result. */
+
+dns_retrans = save_retrans;
+dns_retry = save_retry;
+dns_init(FALSE, FALSE, FALSE);	/* clear the dnssec bit for getaddrbyname */
+
+if (!yield || !yield->ptr)
+  rc = failrc;
+else
+  {
+  *result = string_from_gstring(yield);
+  rc = OK;
+  }
+
+out:
+
+store_free_dns_answer(dnsa);
+return rc;
+}
+
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+dnsdb_version_report(gstring * g)
+{
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+
+static lookup_info _lookup_info = {
+  .name = US"dnsdb",			/* lookup name */
+  .type = lookup_querystyle,		/* query style */
+  .open = dnsdb_open,			/* open function */
+  .check = NULL,			/* check function */
+  .find = dnsdb_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = dnsdb_version_report           /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+#define dnsdb_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &_lookup_info };
+lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+/* vi: aw ai sw=2
+*/
+/* End of lookups/dnsdb.c */
diff --git a/src/lookups/dsearch.c b/src/lookups/dsearch.c
new file mode 100644
index 0000000..a769102
--- /dev/null
+++ b/src/lookups/dsearch.c
@@ -0,0 +1,190 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* The idea for this code came from Matthew Byng-Maddick, but his original has
+been heavily reworked a lot for Exim 4 (and it now uses stat() (more precisely:
+lstat()) rather than a directory scan). */
+
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description. We open the directory to test
+whether it exists and whether it is searchable. However, we don't need to keep
+it open, because the "search" can be done by a call to lstat() rather than
+actually scanning through the list of files. */
+
+static void *
+dsearch_open(const uschar * dirname, uschar ** errmsg)
+{
+DIR * dp = exim_opendir(dirname);
+if (!dp)
+  {
+  *errmsg = string_open_failed("%s for directory search", dirname);
+  return NULL;
+  }
+closedir(dp);
+return (void *)(-1);
+}
+
+
+/*************************************************
+*             Check entry point                  *
+*************************************************/
+
+/* The handle will always be (void *)(-1), but don't try casting it to an
+integer as this gives warnings on 64-bit systems. */
+
+static BOOL
+dsearch_check(void * handle, const uschar * filename, int modemask,
+  uid_t * owners, gid_t * owngroups, uschar ** errmsg)
+{
+handle = handle;
+if (*filename == '/')
+  return lf_check_file(-1, filename, S_IFDIR, modemask, owners, owngroups,
+    "dsearch", errmsg) == 0;
+*errmsg = string_sprintf("dirname '%s' for dsearch is not absolute", filename);
+return FALSE;
+}
+
+
+/*************************************************
+*              Find entry point                  *
+*************************************************/
+
+#define RET_FULL	BIT(0)
+#define FILTER_TYPE	BIT(1)
+#define FILTER_ALL	BIT(1)
+#define FILTER_FILE	BIT(2)
+#define FILTER_DIR	BIT(3)
+#define FILTER_SUBDIR	BIT(4)
+
+/* See local README for interface description. We use lstat() instead of
+scanning the directory, as it is hopefully faster to let the OS do the scanning
+for us. */
+
+static int
+dsearch_find(void * handle, const uschar * dirname, const uschar * keystring,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+struct stat statbuf;
+int save_errno;
+uschar * filename;
+unsigned flags = 0;
+
+if (Ustrchr(keystring, '/') != 0)
+  {
+  *errmsg = string_sprintf("key for dsearch lookup contains a slash: %s",
+    keystring);
+  return DEFER;
+  }
+
+if (opts)
+  {
+  int sep = ',';
+  uschar * ele;
+
+  while ((ele = string_nextinlist(&opts, &sep, NULL, 0)))
+    if (Ustrcmp(ele, "ret=full") == 0)
+      flags |= RET_FULL;
+    else if (Ustrncmp(ele, "filter=", 7) == 0)
+      {
+      ele += 7;
+      if (Ustrcmp(ele, "file") == 0)
+	flags |= FILTER_TYPE | FILTER_FILE;
+      else if (Ustrcmp(ele, "dir") == 0)
+	flags |= FILTER_TYPE | FILTER_DIR;
+      else if (Ustrcmp(ele, "subdir") == 0)
+	flags |= FILTER_TYPE | FILTER_SUBDIR;	/* like dir but not "." or ".." */
+      }
+  }
+
+filename = string_sprintf("%s/%s", dirname, keystring);
+if (  Ulstat(filename, &statbuf) >= 0
+   && (  !(flags & FILTER_TYPE)
+      || (flags & FILTER_FILE && S_ISREG(statbuf.st_mode))
+      || (  flags & (FILTER_DIR | FILTER_SUBDIR)
+       	 && S_ISDIR(statbuf.st_mode)
+	 && (  flags & FILTER_DIR
+	    || keystring[0] != '.'
+	    || keystring[1] && keystring[1] != '.'
+   )  )  )  )
+  {
+  /* Since the filename exists in the filesystem, we can return a
+  non-tainted result. */
+  *result = string_copy_taint(flags & RET_FULL ? filename : keystring, GET_UNTAINTED);
+  return OK;
+  }
+
+if (errno == ENOENT || errno == 0) return FAIL;
+
+save_errno = errno;
+*errmsg = string_sprintf("%s: lstat: %s", filename, strerror(errno));
+errno = save_errno;
+return DEFER;
+}
+
+
+/*************************************************
+*              Close entry point                 *
+*************************************************/
+
+/* See local README for interface description */
+
+void
+static dsearch_close(void *handle)
+{
+handle = handle;   /* Avoid compiler warning */
+}
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+dsearch_version_report(gstring * g)
+{
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "Library version: dsearch: Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+
+static lookup_info _lookup_info = {
+  .name = US"dsearch",			/* lookup name */
+  .type = lookup_absfile,		/* uses absolute file name */
+  .open = dsearch_open,			/* open function */
+  .check = dsearch_check,		/* check function */
+  .find = dsearch_find,			/* find function */
+  .close = dsearch_close,		/* close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = dsearch_version_report         /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+#define dsearch_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &_lookup_info };
+lookup_module_info dsearch_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+/* End of lookups/dsearch.c */
diff --git a/src/lookups/ibase.c b/src/lookups/ibase.c
new file mode 100644
index 0000000..c4fff71
--- /dev/null
+++ b/src/lookups/ibase.c
@@ -0,0 +1,561 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* The code in this module was contributed by Ard Biesheuvel. */
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+#include <ibase.h>              /* The system header */
+
+/* Structure and anchor for caching connections. */
+
+typedef struct ibase_connection {
+    struct ibase_connection *next;
+    uschar *server;
+    isc_db_handle dbh;
+    isc_tr_handle transh;
+} ibase_connection;
+
+static ibase_connection *ibase_connections = NULL;
+
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void *ibase_open(const uschar * filename, uschar ** errmsg)
+{
+return (void *) (1);        /* Just return something non-null */
+}
+
+
+
+/*************************************************
+*               Tidy entry point                 *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void ibase_tidy(void)
+{
+    ibase_connection *cn;
+    ISC_STATUS status[20];
+
+    while ((cn = ibase_connections) != NULL) {
+        ibase_connections = cn->next;
+        DEBUG(D_lookup) debug_printf_indent("close Interbase connection: %s\n",
+                                     cn->server);
+        isc_commit_transaction(status, &cn->transh);
+        isc_detach_database(status, &cn->dbh);
+    }
+}
+
+static int fetch_field(char *buffer, int buffer_size, XSQLVAR * var)
+{
+    if (buffer_size < var->sqllen)
+        return 0;
+
+    switch (var->sqltype & ~1) {
+    case SQL_VARYING:
+        strncpy(buffer, &var->sqldata[2], *(short *) var->sqldata);
+        return *(short *) var->sqldata;
+    case SQL_TEXT:
+        strncpy(buffer, var->sqldata, var->sqllen);
+        return var->sqllen;
+    case SQL_SHORT:
+        return sprintf(buffer, "%d", *(short *) var->sqldata);
+    case SQL_LONG:
+        return sprintf(buffer, "%ld", *(ISC_LONG *) var->sqldata);
+#ifdef SQL_INT64
+    case SQL_INT64:
+        return sprintf(buffer, "%lld", *(ISC_INT64 *) var->sqldata);
+#endif
+    default:
+        /* not implemented */
+        return 0;
+    }
+}
+
+/*************************************************
+*        Internal search function                *
+*************************************************/
+
+/* This function is called from the find entry point to do the search for a
+single server.
+
+Arguments:
+  query        the query string
+  server       the server string
+  resultptr    where to store the result
+  errmsg       where to point an error message
+  defer_break  TRUE if no more servers are to be tried after DEFER
+
+The server string is of the form "host:dbname|user|password". The host can be
+host:port. This string is in a nextinlist temporary buffer, so can be
+overwritten.
+
+Returns:       OK, FAIL, or DEFER
+*/
+
+static int
+perform_ibase_search(uschar * query, uschar * server, uschar ** resultptr,
+                     uschar ** errmsg, BOOL * defer_break)
+{
+isc_stmt_handle stmth = NULL;
+XSQLDA *out_sqlda;
+XSQLVAR *var;
+int i;
+rmark reset_point;
+
+char buffer[256];
+ISC_STATUS status[20], *statusp = status;
+
+gstring * result;
+int yield = DEFER;
+ibase_connection *cn;
+uschar *server_copy = NULL;
+uschar *sdata[3];
+
+/* Disaggregate the parameters from the server argument. The order is host,
+database, user, password. We can write to the string, since it is in a
+nextinlist temporary buffer. The copy of the string that is used for caching
+has the password removed. This copy is also used for debugging output. */
+
+for (int i = 2; i > 0; i--)
+  {
+  uschar *pp = Ustrrchr(server, '|');
+
+  if (pp == NULL)
+    {
+    *errmsg = string_sprintf("incomplete Interbase server data: %s",
+		       (i == 3) ? server : server_copy);
+    *defer_break = TRUE;
+    return DEFER;
+    }
+  *pp++ = 0;
+  sdata[i] = pp;
+  if (i == 2)
+      server_copy = string_copy(server);   /* sans password */
+  }
+sdata[0] = server;          /* What's left at the start */
+
+/* See if we have a cached connection to the server */
+
+for (cn = ibase_connections; cn != NULL; cn = cn->next)
+  if (Ustrcmp(cn->server, server_copy) == 0)
+    break;
+
+/* Use a previously cached connection ? */
+
+if (cn)
+  {
+  static char db_info_options[] = { isc_info_base_level };
+
+  /* test if the connection is alive */
+  if (isc_database_info(status, &cn->dbh, sizeof(db_info_options),
+	db_info_options, sizeof(buffer), buffer))
+    {
+    /* error occurred: assume connection is down */
+    DEBUG(D_lookup)
+	debug_printf
+	("Interbase cleaning up cached connection: %s\n",
+	 cn->server);
+    isc_detach_database(status, &cn->dbh);
+    }
+  else
+    DEBUG(D_lookup) debug_printf_indent("Interbase using cached connection for %s\n",
+		     server_copy);
+  }
+else
+  {
+  cn = store_get(sizeof(ibase_connection), GET_UNTAINTED);
+  cn->server = server_copy;
+  cn->dbh = NULL;
+  cn->transh = NULL;
+  cn->next = ibase_connections;
+  ibase_connections = cn;
+  }
+
+/* If no cached connection, we must set one up. */
+
+if (cn->dbh == NULL || cn->transh == NULL)
+  {
+  char *dpb;
+  short dpb_length;
+  static char trans_options[] =
+      { isc_tpb_version3, isc_tpb_read, isc_tpb_read_committed,
+      isc_tpb_rec_version
+  };
+
+  /* Construct the database parameter buffer. */
+  dpb = buffer;
+  *dpb++ = isc_dpb_version1;
+  *dpb++ = isc_dpb_user_name;
+  *dpb++ = strlen(sdata[1]);
+  for (char * p = sdata[1]; *p;)
+      *dpb++ = *p++;
+  *dpb++ = isc_dpb_password;
+  *dpb++ = strlen(sdata[2]);
+  for (char * p = sdata[2]; *p;)
+      *dpb++ = *p++;
+  dpb_length = dpb - buffer;
+
+  DEBUG(D_lookup)
+      debug_printf_indent("new Interbase connection: database=%s user=%s\n",
+		   sdata[0], sdata[1]);
+
+  /* Connect to the database */
+  if (isc_attach_database
+      (status, 0, sdata[0], &cn->dbh, dpb_length, buffer))
+    {
+    isc_interprete(buffer, &statusp);
+    *errmsg =
+	string_sprintf("Interbase attach() failed: %s", buffer);
+    *defer_break = FALSE;
+    goto IBASE_EXIT;
+    }
+
+  /* Now start a read-only read-committed transaction */
+  if (isc_start_transaction
+      (status, &cn->transh, 1, &cn->dbh, sizeof(trans_options),
+       trans_options))
+    {
+    isc_interprete(buffer, &statusp);
+    isc_detach_database(status, &cn->dbh);
+    *errmsg =
+	string_sprintf("Interbase start_transaction() failed: %s",
+		       buffer);
+    *defer_break = FALSE;
+    goto IBASE_EXIT;
+    }
+  }
+
+/* Run the query */
+if (isc_dsql_allocate_statement(status, &cn->dbh, &stmth))
+  {
+  isc_interprete(buffer, &statusp);
+  *errmsg =
+      string_sprintf("Interbase alloc_statement() failed: %s",
+		     buffer);
+  *defer_break = FALSE;
+  goto IBASE_EXIT;
+  }
+
+/* Lacking any information, assume that the data is untainted */
+reset_point = store_mark();
+out_sqlda = store_get(XSQLDA_LENGTH(1), GET_UNTAINTED);
+out_sqlda->version = SQLDA_VERSION1;
+out_sqlda->sqln = 1;
+
+if (isc_dsql_prepare
+    (status, &cn->transh, &stmth, 0, query, 1, out_sqlda))
+  {
+  isc_interprete(buffer, &statusp);
+  reset_point = store_reset(reset_point);
+  out_sqlda = NULL;
+  *errmsg =
+      string_sprintf("Interbase prepare_statement() failed: %s",
+		     buffer);
+  *defer_break = FALSE;
+  goto IBASE_EXIT;
+  }
+
+/* re-allocate the output structure if there's more than one field */
+if (out_sqlda->sqln < out_sqlda->sqld)
+  {
+  XSQLDA *new_sqlda = store_get(XSQLDA_LENGTH(out_sqlda->sqld), GET_UNTAINTED);
+  if (isc_dsql_describe
+      (status, &stmth, out_sqlda->version, new_sqlda))
+    {
+    isc_interprete(buffer, &statusp);
+    isc_dsql_free_statement(status, &stmth, DSQL_drop);
+    reset_point = store_reset(reset_point);
+    out_sqlda = NULL;
+    *errmsg = string_sprintf("Interbase describe_statement() failed: %s",
+		       buffer);
+    *defer_break = FALSE;
+    goto IBASE_EXIT;
+    }
+  out_sqlda = new_sqlda;
+  }
+
+/* allocate storage for every returned field */
+for (i = 0, var = out_sqlda->sqlvar; i < out_sqlda->sqld; i++, var++)
+  {
+  switch (var->sqltype & ~1)
+    {
+    case SQL_VARYING:
+	var->sqldata = CS store_get(sizeof(char) * var->sqllen + 2, GET_UNTAINTED);
+	break;
+    case SQL_TEXT:
+	var->sqldata = CS store_get(sizeof(char) * var->sqllen, GET_UNTAINTED);
+	break;
+    case SQL_SHORT:
+	var->sqldata = CS  store_get(sizeof(short), GET_UNTAINTED);
+	break;
+    case SQL_LONG:
+	var->sqldata = CS  store_get(sizeof(ISC_LONG), GET_UNTAINTED);
+	break;
+#ifdef SQL_INT64
+    case SQL_INT64:
+	var->sqldata = CS  store_get(sizeof(ISC_INT64), GET_UNTAINTED);
+	break;
+#endif
+    case SQL_FLOAT:
+	var->sqldata = CS  store_get(sizeof(float), GET_UNTAINTED);
+	break;
+    case SQL_DOUBLE:
+	var->sqldata = CS  store_get(sizeof(double), GET_UNTAINTED);
+	break;
+#ifdef SQL_TIMESTAMP
+    case SQL_DATE:
+	var->sqldata = CS  store_get(sizeof(ISC_QUAD), GET_UNTAINTED);
+	break;
+#else
+    case SQL_TIMESTAMP:
+	var->sqldata = CS  store_get(sizeof(ISC_TIMESTAMP), GET_UNTAINTED);
+	break;
+    case SQL_TYPE_DATE:
+	var->sqldata = CS  store_get(sizeof(ISC_DATE), GET_UNTAINTED);
+	break;
+    case SQL_TYPE_TIME:
+	var->sqldata = CS  store_get(sizeof(ISC_TIME), GET_UNTAINTED);
+	break;
+  #endif
+    }
+  if (var->sqltype & 1)
+    var->sqlind = (short *) store_get(sizeof(short), GET_UNTAINTED);
+  }
+
+/* finally, we're ready to execute the statement */
+if (isc_dsql_execute
+    (status, &cn->transh, &stmth, out_sqlda->version, NULL))
+  {
+  isc_interprete(buffer, &statusp);
+  *errmsg = string_sprintf("Interbase describe_statement() failed: %s",
+		     buffer);
+  isc_dsql_free_statement(status, &stmth, DSQL_drop);
+  *defer_break = FALSE;
+  goto IBASE_EXIT;
+  }
+
+while (isc_dsql_fetch(status, &stmth, out_sqlda->version, out_sqlda) != 100L)
+  {
+  /* check if an error occurred */
+  if (status[0] & status[1])
+    {
+    isc_interprete(buffer, &statusp);
+    *errmsg =
+	string_sprintf("Interbase fetch() failed: %s", buffer);
+    isc_dsql_free_statement(status, &stmth, DSQL_drop);
+    *defer_break = FALSE;
+    goto IBASE_EXIT;
+    }
+
+  if (result)
+    result = string_catn(result, US "\n", 1);
+
+  /* Find the number of fields returned. If this is one, we don't add field
+     names to the data. Otherwise we do. */
+  if (out_sqlda->sqld == 1)
+    {
+    if (out_sqlda->sqlvar[0].sqlind == NULL || *out_sqlda->sqlvar[0].sqlind != -1)     /* NULL value yields nothing */
+      result = string_catn(result, US buffer,
+		       fetch_field(buffer, sizeof(buffer),
+				   &out_sqlda->sqlvar[0]));
+    }
+
+  else
+    for (int i = 0; i < out_sqlda->sqld; i++)
+      {
+      int len = fetch_field(buffer, sizeof(buffer), &out_sqlda->sqlvar[i]);
+
+      result = string_catn(result, US out_sqlda->sqlvar[i].aliasname,
+		     out_sqlda->sqlvar[i].aliasname_length);
+      result = string_catn(result, US "=", 1);
+
+      /* Quote the value if it contains spaces or is empty */
+
+      if (*out_sqlda->sqlvar[i].sqlind == -1)       /* NULL value */
+	result = string_catn(result, US "\"\"", 2);
+
+      else if (buffer[0] == 0 || Ustrchr(buffer, ' ') != NULL)
+	{
+	result = string_catn(result, US "\"", 1);
+	for (int j = 0; j < len; j++)
+	  {
+	  if (buffer[j] == '\"' || buffer[j] == '\\')
+	      result = string_cat(result, US "\\", 1);
+	  result = string_cat(result, US buffer + j, 1);
+	  }
+	result = string_catn(result, US "\"", 1);
+	}
+      else
+	result = string_catn(result, US buffer, len);
+      result = string_catn(result, US " ", 1);
+      }
+  }
+
+/* If result is NULL then no data has been found and so we return FAIL.
+Otherwise, we must terminate the string which has been built; string_cat()
+always leaves enough room for a terminating zero. */
+
+if (!result)
+  {
+  yield = FAIL;
+  *errmsg = US "Interbase: no data found";
+  }
+else
+  gstring_release_unused(result);
+
+
+/* Get here by goto from various error checks. */
+
+IBASE_EXIT:
+
+if (stmth)
+  isc_dsql_free_statement(status, &stmth, DSQL_drop);
+
+/* Non-NULL result indicates a successful result */
+
+if (result)
+  {
+  *resultptr = string_from_gstring(result);
+  return OK;
+  }
+else
+  {
+  DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
+  return yield;           /* FAIL or DEFER */
+  }
+}
+
+
+
+
+/*************************************************
+*               Find entry point                 *
+*************************************************/
+
+/* See local README for interface description. The handle and filename
+arguments are not used. Loop through a list of servers while the query is
+deferred with a retryable error. */
+
+static int
+ibase_find(void * handle, const uschar * filename, uschar * query, int length,
+  uschar ** result, uschar ** errmsg, uint * do_cache, const uschar * opts)
+{
+int sep = 0;
+uschar *server;
+uschar *list = ibase_servers;
+
+DEBUG(D_lookup) debug_printf_indent("Interbase query: %s\n", query);
+
+while ((server = string_nextinlist(&list, &sep, NULL, 0)))
+  {
+  BOOL defer_break = FALSE;
+  int rc = perform_ibase_search(query, server, result, errmsg, &defer_break);
+  if (rc != DEFER || defer_break)
+    return rc;
+  }
+
+if (!ibase_servers)
+  *errmsg = US "no Interbase servers defined (ibase_servers option)";
+
+return DEFER;
+}
+
+
+
+/*************************************************
+*               Quote entry point                *
+*************************************************/
+
+/* The only characters that need to be quoted (with backslash) are newline,
+tab, carriage return, backspace, backslash itself, and the quote characters.
+Percent, and underscore and not escaped. They are only special in contexts
+where they can be wild cards, and this isn't usually the case for data inserted
+from messages, since that isn't likely to be treated as a pattern of any kind.
+Sadly, MySQL doesn't seem to behave like other programs. If you use something
+like "where id="ab\%cd" it does not treat the string as "ab%cd". So you really
+can't quote "on spec".
+
+Arguments:
+  s          the string to be quoted
+  opt        additional option text or NULL if none
+  idx	     lookup type index
+
+Returns:     the processed string or NULL for a bad option
+*/
+
+static uschar *
+ibase_quote(uschar * s, uschar * opt, unsigned idx)
+{
+int c;
+int count = 0;
+uschar * t = s, * quoted;
+
+if (opt)
+  return NULL;            /* No options recognized */
+
+while ((c = *t++))
+  if (c == '\'') count++;
+
+t = quoted = store_get_quoted(Ustrlen(s) + count + 1, s, idx);
+
+while ((c = *s++))
+  if (c == '\'') { *t++ = '\''; *t++ = '\''; }
+  else *t++ = c;
+
+*t = 0;
+return quoted;
+}
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+ibase_version_report(gstring * g)
+{
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "Library version: ibase: Exim version %s\n", EXIM_VERSION_STR));
+#endif
+return g;
+}
+
+
+static lookup_info _lookup_info = {
+  .name = US"ibase",			/* lookup name */
+  .type = lookup_querystyle,		/* query-style lookup */
+  .open = ibase_open,			/* open function */
+  .check NULL,				/* no check function */
+  .find = ibase_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = ibase_tidy,			/* tidy function */
+  .quote = ibase_quote,			/* quoting function */
+  .version_report = ibase_version_report           /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+#define ibase_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &_lookup_info };
+lookup_module_info ibase_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+/* End of lookups/ibase.c */
diff --git a/src/lookups/json.c b/src/lookups/json.c
new file mode 100644
index 0000000..c9abf8c
--- /dev/null
+++ b/src/lookups/json.c
@@ -0,0 +1,188 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) Jeremy Harris 2019 - 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "lf_functions.h"
+#include <jansson.h>
+
+
+
+/* All use of allocations will be done against the POOL_SEARCH memory,
+which is freed once by search_tidyup(). Make the free call a dummy.
+This burns some 300kB in handling a 37kB JSON file, for the benefit of
+a fast free.  The alternative of staying with malloc is nearly as bad,
+eyeballing the activity there are 20% the number of free vs. alloc
+calls (before the big bunch at the end).
+
+Assume that the file is trusted, so no tainting */
+
+static void *
+json_malloc(size_t nbytes)
+{
+void * p = store_get((int)nbytes, GET_UNTAINTED);
+/* debug_printf("%s %d: %p\n", __FUNCTION__, (int)nbytes, p); */
+return p;
+}
+static void
+json_free(void * p)
+{
+/* debug_printf("%s: %p\n", __FUNCTION__, p); */
+}
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description */
+
+static void *
+json_open(const uschar * filename, uschar ** errmsg)
+{
+FILE * f;
+
+json_set_alloc_funcs(json_malloc, json_free);
+
+if (!(f = Ufopen(filename, "rb")))
+  *errmsg = string_open_failed("%s for json search", filename);
+return f;
+}
+
+
+
+/*************************************************
+*             Check entry point                  *
+*************************************************/
+
+static BOOL
+json_check(void *handle, const uschar *filename, int modemask, uid_t *owners,
+  gid_t *owngroups, uschar **errmsg)
+{
+return lf_check_file(fileno((FILE *)handle), filename, S_IFREG, modemask,
+  owners, owngroups, "json", errmsg) == 0;
+}
+
+
+
+/*************************************************
+*         Find entry point for lsearch           *
+*************************************************/
+
+/* See local README for interface description */
+
+static int
+json_find(void * handle, const uschar * filename, const uschar * keystring,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+FILE * f = handle;
+json_t * j, * j0;
+json_error_t jerr;
+uschar * key;
+int sep = 0;
+
+rewind(f);
+if (!(j = json_loadf(f, 0, &jerr)))
+  {
+  *errmsg = string_sprintf("json error on open: %.*s\n",
+       JSON_ERROR_TEXT_LENGTH, jerr.text);
+  return FAIL;
+  }
+j0 = j;
+
+for (int k = 1;  (key = string_nextinlist(&keystring, &sep, NULL, 0)); k++)
+  {
+  BOOL numeric = TRUE;
+  for (uschar * s = key; *s; s++) if (!isdigit(*s)) { numeric = FALSE; break; }
+
+  if (!(j = numeric
+	? json_array_get(j, (size_t) strtoul(CS key, NULL, 10))
+	: json_object_get(j, CCS key)
+     ) )
+    {
+    DEBUG(D_lookup) debug_printf_indent("%s, for key %d: '%s'\n",
+      numeric
+      ? US"bad index, or not json array"
+      : US"no such key, or not json object",
+      k, key);
+    json_decref(j0);
+    return FAIL;
+    }
+  }
+
+switch (json_typeof(j))
+  {
+  case JSON_STRING:
+    *result = string_copyn(CUS json_string_value(j), json_string_length(j));
+    break;
+  case JSON_INTEGER:
+    *result = string_sprintf("%" JSON_INTEGER_FORMAT, json_integer_value(j));
+    break;
+  case JSON_REAL:
+    *result = string_sprintf("%f", json_real_value(j));
+    break;
+  case JSON_TRUE:	*result = US"true";	break;
+  case JSON_FALSE:	*result = US"false";	break;
+  case JSON_NULL:	*result = NULL;		break;
+  default:		*result = US json_dumps(j, 0); break;
+  }
+json_decref(j0);
+return OK;
+}
+
+
+
+/*************************************************
+*              Close entry point                 *
+*************************************************/
+
+/* See local README for interface description */
+
+static void
+json_close(void *handle)
+{
+(void)fclose((FILE *)handle);
+}
+
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+json_version_report(gstring * g)
+{
+return string_fmt_append(g, "Library version: json: Jansonn version %s\n", JANSSON_VERSION);
+}
+
+
+static lookup_info json_lookup_info = {
+  .name = US"json",			/* lookup name */
+  .type = lookup_absfile,		/* uses absolute file name */
+  .open = json_open,			/* open function */
+  .check = json_check,			/* check function */
+  .find = json_find,			/* find function */
+  .close = json_close,			/* close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = json_version_report         /* version reporting */
+};
+
+
+#ifdef DYNLOOKUP
+#define json_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &json_lookup_info };
+lookup_module_info json_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+/* End of lookups/json.c */
diff --git a/src/lookups/ldap.c b/src/lookups/ldap.c
new file mode 100644
index 0000000..9751fa3
--- /dev/null
+++ b/src/lookups/ldap.c
@@ -0,0 +1,1613 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Many thanks to Stuart Lynne for contributing the original code for this
+driver. Further contributions from Michael Haardt, Brian Candler, Barry
+Pederson, Peter Savitch and Christian Kellner. Particular thanks to Brian for
+researching how to handle the different kinds of error. */
+
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+
+/* Include LDAP headers. The code below uses some "old" LDAP interfaces that
+are deprecated in OpenLDAP. I don't know their status in other LDAP
+implementations. LDAP_DEPRECATED causes their prototypes to be defined in
+ldap.h. */
+
+#define LDAP_DEPRECATED 1
+
+#include <lber.h>
+#include <ldap.h>
+
+
+/* Annoyingly, the different LDAP libraries handle errors in different ways,
+and some other things too. There doesn't seem to be an automatic way of
+distinguishing between them. Local/Makefile should contain a setting of
+LDAP_LIB_TYPE, which in turn causes appropriate macros to be defined for the
+different kinds. Those that matter are:
+
+LDAP_LIB_NETSCAPE
+LDAP_LIB_SOLARIS   with synonym LDAP_LIB_SOLARIS7
+LDAP_LIB_OPENLDAP2
+
+These others may be defined, but are in fact the default, so are not tested:
+
+LDAP_LIB_UMICHIGAN
+LDAP_LIB_OPENLDAP1
+*/
+
+#if defined(LDAP_LIB_SOLARIS7) && ! defined(LDAP_LIB_SOLARIS)
+#define LDAP_LIB_SOLARIS
+#endif
+
+
+/* Just in case LDAP_NO_LIMIT is not defined by some of these libraries. */
+
+#ifndef LDAP_NO_LIMIT
+#define LDAP_NO_LIMIT 0
+#endif
+
+
+/* Just in case LDAP_DEREF_NEVER is not defined */
+
+#ifndef LDAP_DEREF_NEVER
+#define LDAP_DEREF_NEVER 0
+#endif
+
+
+/* Four types of LDAP search are implemented */
+
+#define SEARCH_LDAP_MULTIPLE 0       /* Get attributes from multiple entries */
+#define SEARCH_LDAP_SINGLE 1         /* Get attributes from one entry only */
+#define SEARCH_LDAP_DN 2             /* Get just the DN from one entry */
+#define SEARCH_LDAP_AUTH 3           /* Just checking for authentication */
+
+/* In all 4 cases, the DN is left in $ldap_dn (which post-dates the
+SEARCH_LDAP_DN lookup). */
+
+
+/* Structure and anchor for caching connections. */
+
+typedef struct ldap_connection {
+  struct ldap_connection *next;
+  uschar *host;
+  uschar *user;
+  uschar *password;
+  BOOL  bound;
+  int   port;
+  BOOL  is_start_tls_called;
+  LDAP *ld;
+} LDAP_CONNECTION;
+
+static LDAP_CONNECTION *ldap_connections = NULL;
+
+
+
+/*************************************************
+*         Internal search function               *
+*************************************************/
+
+/* This is the function that actually does the work. It is called (indirectly
+via control_ldap_search) from eldap_find(), eldapauth_find(), eldapdn_find(),
+and eldapm_find(), with a difference in the "search_type" argument.
+
+The case of eldapauth_find() is special in that all it does is do
+authentication, returning OK or FAIL as appropriate. This isn't used as a
+lookup. Instead, it is called from expand.c as an expansion condition test.
+
+The DN from a successful lookup is placed in $ldap_dn. This feature postdates
+the provision of the SEARCH_LDAP_DN facility for returning just the DN as the
+data.
+
+Arguments:
+  ldap_url      the URL to be looked up
+  server        server host name, when URL contains none
+  s_port        server port, used when URL contains no name
+  search_type   SEARCH_LDAP_MULTIPLE allows values from multiple entries
+                SEARCH_LDAP_SINGLE allows values from one entry only
+                SEARCH_LDAP_DN gets the DN from one entry
+  res           set to point at the result (not used for ldapauth)
+  errmsg        set to point a message if result is not OK
+  defer_break   set TRUE if no more servers to be tried after a DEFER
+  user          user name for authentication, or NULL
+  password      password for authentication, or NULL
+  sizelimit     max number of entries returned, or 0 for no limit
+  timelimit     max time to wait, or 0 for no limit
+  tcplimit      max time for network activity, e.g. connect, or 0 for OS default
+  deference     the dereference option, which is one of
+                  LDAP_DEREF_{NEVER,SEARCHING,FINDING,ALWAYS}
+  referrals     the referral option, which is LDAP_OPT_ON or LDAP_OPT_OFF
+
+Returns:        OK or FAIL or DEFER
+                FAIL is given only if a lookup was performed successfully, but
+                returned no data.
+*/
+
+static int
+perform_ldap_search(const uschar *ldap_url, uschar *server, int s_port,
+  int search_type, uschar **res, uschar **errmsg, BOOL *defer_break,
+  uschar *user, uschar *password, int sizelimit, int timelimit, int tcplimit,
+  int dereference, void *referrals)
+{
+LDAPURLDesc     *ludp = NULL;
+LDAPMessage     *result = NULL;
+BerElement      *ber;
+LDAP_CONNECTION *lcp;
+
+struct timeval timeout;
+struct timeval *timeoutptr = NULL;
+
+gstring * data = NULL;
+uschar *dn = NULL;
+uschar *host;
+uschar **values;
+uschar **firstval;
+uschar porttext[16];
+
+uschar *error1 = NULL;   /* string representation of errcode (static) */
+uschar *error2 = NULL;   /* error message from the server */
+uschar *matched = NULL;  /* partially matched DN */
+
+int    attrs_requested = 0;
+int    error_yield = DEFER;
+int    msgid;
+int    rc, ldap_rc, ldap_parse_rc;
+int    port;
+int    rescount = 0;
+BOOL   attribute_found = FALSE;
+BOOL   ldapi = FALSE;
+
+DEBUG(D_lookup) debug_printf_indent("perform_ldap_search:"
+    " ldap%s URL = \"%s\" server=%s port=%d "
+    "sizelimit=%d timelimit=%d tcplimit=%d\n",
+    search_type == SEARCH_LDAP_MULTIPLE ? "m" :
+    search_type == SEARCH_LDAP_DN       ? "dn" :
+    search_type == SEARCH_LDAP_AUTH     ? "auth" : "",
+    ldap_url, server, s_port, sizelimit, timelimit, tcplimit);
+
+/* Check if LDAP thinks the URL is a valid LDAP URL. We assume that if the LDAP
+library that is in use doesn't recognize, say, "ldapi", it will barf here. */
+
+if (!ldap_is_ldap_url(CS ldap_url))
+  {
+  *errmsg = string_sprintf("ldap_is_ldap_url: not an LDAP url \"%s\"\n",
+    ldap_url);
+  goto RETURN_ERROR_BREAK;
+  }
+
+/* Parse the URL */
+
+if ((rc = ldap_url_parse(CS ldap_url, &ludp)) != 0)
+  {
+  *errmsg = string_sprintf("ldap_url_parse: (error %d) parsing \"%s\"\n", rc,
+    ldap_url);
+  goto RETURN_ERROR_BREAK;
+  }
+
+/* If the host name is empty, take it from the separate argument, if one is
+given. OpenLDAP 2.0.6 sets an unset hostname to "" rather than empty, but
+expects NULL later in ldap_init() to mean "default", annoyingly. In OpenLDAP
+2.0.11 this has changed (it uses NULL). */
+
+if ((!ludp->lud_host || !ludp->lud_host[0]) && server)
+  {
+  host = server;
+  port = s_port;
+  }
+else
+  {
+  host = US ludp->lud_host;
+  if (host && !host[0]) host = NULL;
+  port = ludp->lud_port;
+  }
+
+DEBUG(D_lookup) debug_printf_indent("after ldap_url_parse: host=%s port=%d\n",
+  host, port);
+
+if (port == 0) port = LDAP_PORT;      /* Default if none given */
+sprintf(CS porttext, ":%d", port);    /* For messages */
+
+/* If the "host name" is actually a path, we are going to connect using a Unix
+socket, regardless of whether "ldapi" was actually specified or not. This means
+that a Unix socket can be declared in eldap_default_servers, and "traditional"
+LDAP queries using just "ldap" can be used ("ldaps" is similarly overridden).
+The path may start with "/" or it may already be escaped as "%2F" if it was
+actually declared that way in eldap_default_servers. (I did it that way the
+first time.) If the host name is not a path, the use of "ldapi" causes an
+error, except in the default case. (But lud_scheme doesn't seem to exist in
+older libraries.) */
+
+if (host)
+  {
+  if ((host[0] == '/' || Ustrncmp(host, "%2F", 3) == 0))
+    {
+    ldapi = TRUE;
+    porttext[0] = 0;    /* Remove port from messages */
+    }
+
+#if defined LDAP_LIB_OPENLDAP2
+  else if (strncmp(ludp->lud_scheme, "ldapi", 5) == 0)
+    {
+    *errmsg = string_sprintf("ldapi requires an absolute path (\"%s\" given)",
+      host);
+    goto RETURN_ERROR;
+    }
+#endif
+  }
+
+/* Count the attributes; we need this later to tell us how to format results */
+
+for (uschar ** attrp = USS ludp->lud_attrs; attrp && *attrp; attrp++)
+  attrs_requested++;
+
+/* See if we can find a cached connection to this host. The port is not
+relevant for ldapi. The host name pointer is set to NULL if no host was given
+(implying the library default), rather than to the empty string. Note that in
+this case, there is no difference between ldap and ldapi. */
+
+for (lcp = ldap_connections; lcp; lcp = lcp->next)
+  {
+  if ((host == NULL) != (lcp->host == NULL) ||
+      (host != NULL && strcmpic(lcp->host, host) != 0))
+    continue;
+  if (ldapi || port == lcp->port) break;
+  }
+
+/* Use this network timeout in any requests. */
+
+if (tcplimit > 0)
+  {
+  timeout.tv_sec = tcplimit;
+  timeout.tv_usec = 0;
+  timeoutptr = &timeout;
+  }
+
+/* If no cached connection found, we must open a connection to the server. If
+the server name is actually an absolute path, we set ldapi=TRUE above. This
+requests connection via a Unix socket. However, as far as I know, only OpenLDAP
+supports the use of sockets, and the use of ldap_initialize(). */
+
+if (!lcp)
+  {
+  LDAP *ld;
+
+#ifdef LDAP_OPT_X_TLS_NEWCTX
+  int  am_server = 0;
+  LDAP *ldsetctx;
+#else
+  LDAP *ldsetctx = NULL;
+#endif
+
+
+  /* --------------------------- OpenLDAP ------------------------ */
+
+  /* There seems to be a preference under OpenLDAP for ldap_initialize()
+  instead of ldap_init(), though I have as yet been unable to find
+  documentation that says this. (OpenLDAP documentation is sparse to
+  non-existent). So we handle OpenLDAP differently here. Also, support for
+  ldapi seems to be OpenLDAP-only at present. */
+
+#ifdef LDAP_LIB_OPENLDAP2
+
+  /* We now need an empty string for the default host. Get some store in which
+  to build a URL for ldap_initialize(). In the ldapi case, it can't be bigger
+  than (9 + 3*Ustrlen(shost)), whereas in the other cases it can't be bigger
+  than the host name + "ldaps:///" plus : and a port number, say 20 + the
+  length of the host name. What we get should accommodate both, easily. */
+
+  uschar * shost = host ? host : US"";
+  rmark reset_point = store_mark();
+  gstring * g;
+
+  /* Handle connection via Unix socket ("ldapi"). We build a basic LDAP URI to
+  contain the path name, with slashes escaped as %2F. */
+
+  if (ldapi)
+    {
+    g = string_catn(NULL, US"ldapi://", 8);
+    for (uschar ch; (ch = *shost); shost++)
+      g = ch == '/' ? string_catn(g, US"%2F", 3) : string_catn(g, shost, 1);
+    }
+
+  /* This is not an ldapi call. Just build a URI with the protocol type, host
+  name, and port. */
+
+  else
+    {
+    uschar * init_ptr = Ustrchr(ldap_url, '/');
+    g = string_catn(NULL, ldap_url, init_ptr - ldap_url);
+    g = string_fmt_append(g, "//%s:%d/", shost, port);
+    }
+  string_from_gstring(g);
+
+  /* Call ldap_initialize() and check the result */
+
+  DEBUG(D_lookup) debug_printf_indent("ldap_initialize with URL %s\n", g->s);
+  if ((rc = ldap_initialize(&ld, CS g->s)) != LDAP_SUCCESS)
+    {
+    *errmsg = string_sprintf("ldap_initialize: (error %d) URL \"%s\"\n",
+      rc, g->s);
+    goto RETURN_ERROR;
+    }
+  store_reset(reset_point);   /* Might as well save memory when we can */
+
+
+  /* ------------------------- Not OpenLDAP ---------------------- */
+
+  /* For libraries other than OpenLDAP, use ldap_init(). */
+
+#else   /* LDAP_LIB_OPENLDAP2 */
+  ld = ldap_init(CS host, port);
+#endif  /* LDAP_LIB_OPENLDAP2 */
+
+  /* -------------------------------------------------------------- */
+
+
+  /* Handle failure to initialize */
+
+  if (!ld)
+    {
+    *errmsg = string_sprintf("failed to initialize for LDAP server %s%s - %s",
+      host, porttext, strerror(errno));
+    goto RETURN_ERROR;
+    }
+
+#ifdef LDAP_OPT_X_TLS_NEWCTX
+  ldsetctx = ld;
+#endif
+
+  /* Set the TCP connect time limit if available. This is something that is
+  in Netscape SDK v4.1; I don't know about other libraries. */
+
+#ifdef LDAP_X_OPT_CONNECT_TIMEOUT
+  if (tcplimit > 0)
+    {
+    int timeout1000 = tcplimit*1000;
+    ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)&timeout1000);
+    }
+  else
+    {
+    int notimeout = LDAP_X_IO_TIMEOUT_NO_TIMEOUT;
+    ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)&notimeout);
+    }
+#endif
+
+  /* Set the TCP connect timeout. This works with OpenLDAP 2.2.14. */
+
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
+  if (tcplimit > 0)
+    ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, (void *)timeoutptr);
+#endif
+
+  /* I could not get TLS to work until I set the version to 3. That version
+  seems to be the default nowadays. The RFC is dated 1997, so I would hope
+  that all the LDAP libraries support it. Therefore, if eldap_version hasn't
+  been set, go for v3 if we can. */
+
+  if (eldap_version < 0)
+    {
+#ifdef LDAP_VERSION3
+    eldap_version = LDAP_VERSION3;
+#else
+    eldap_version = 2;
+#endif
+    }
+
+#ifdef LDAP_OPT_PROTOCOL_VERSION
+  ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (void *)&eldap_version);
+#endif
+
+  DEBUG(D_lookup) debug_printf_indent("initialized for LDAP (v%d) server %s%s\n",
+    eldap_version, host, porttext);
+
+  /* If not using ldapi and TLS is available, set appropriate TLS options: hard
+  for "ldaps" and soft otherwise. */
+
+#ifdef LDAP_OPT_X_TLS
+  if (!ldapi)
+    {
+    int tls_option;
+# ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+    if (eldap_require_cert)
+      {
+      tls_option =
+	Ustrcmp(eldap_require_cert, "hard")     == 0 ? LDAP_OPT_X_TLS_HARD
+	: Ustrcmp(eldap_require_cert, "demand") == 0 ? LDAP_OPT_X_TLS_DEMAND
+	: Ustrcmp(eldap_require_cert, "allow")  == 0 ? LDAP_OPT_X_TLS_ALLOW
+	: Ustrcmp(eldap_require_cert, "try")    == 0 ? LDAP_OPT_X_TLS_TRY
+	: LDAP_OPT_X_TLS_NEVER;
+
+      DEBUG(D_lookup) debug_printf_indent(
+	"Require certificate overrides LDAP_OPT_X_TLS option (%d)\n",
+	tls_option);
+      }
+    else
+# endif  /* LDAP_OPT_X_TLS_REQUIRE_CERT */
+    if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
+      {
+      tls_option = LDAP_OPT_X_TLS_HARD;
+      DEBUG(D_lookup)
+        debug_printf_indent("LDAP_OPT_X_TLS_HARD set due to ldaps:// URI\n");
+      }
+    else
+      {
+      tls_option = LDAP_OPT_X_TLS_TRY;
+      DEBUG(D_lookup)
+        debug_printf_indent("LDAP_OPT_X_TLS_TRY set due to ldap:// URI\n");
+      }
+    ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
+    }
+#endif  /* LDAP_OPT_X_TLS */
+
+#ifdef LDAP_OPT_X_TLS_CACERTFILE
+  if (eldap_ca_cert_file)
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
+#endif
+#ifdef LDAP_OPT_X_TLS_CACERTDIR
+  if (eldap_ca_cert_dir)
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
+#endif
+#ifdef LDAP_OPT_X_TLS_CERTFILE
+  if (eldap_cert_file)
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
+#endif
+#ifdef LDAP_OPT_X_TLS_KEYFILE
+  if (eldap_cert_key)
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
+#endif
+#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
+  if (eldap_cipher_suite)
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
+#endif
+#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+  if (eldap_require_cert)
+    {
+    int cert_option =
+      Ustrcmp(eldap_require_cert, "hard")     == 0 ? LDAP_OPT_X_TLS_HARD
+      : Ustrcmp(eldap_require_cert, "demand") == 0 ? LDAP_OPT_X_TLS_DEMAND
+      : Ustrcmp(eldap_require_cert, "allow")  == 0 ? LDAP_OPT_X_TLS_ALLOW
+      : Ustrcmp(eldap_require_cert, "try")    == 0 ? LDAP_OPT_X_TLS_TRY
+      : LDAP_OPT_X_TLS_NEVER;
+
+    /* This ldap handle is set at compile time based on client libs. Older
+     * versions want it to be global and newer versions can force a reload
+     * of the TLS context (to reload these settings we are changing from the
+     * default that loaded at instantiation). */
+    rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+    if (rc)
+      DEBUG(D_lookup)
+        debug_printf_indent("Unable to set TLS require cert_option(%d) globally: %s\n",
+          cert_option, ldap_err2string(rc));
+    }
+#endif
+#ifdef LDAP_OPT_X_TLS_NEWCTX
+  if ((rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server)))
+    DEBUG(D_lookup)
+      debug_printf_indent("Unable to reload TLS context %d: %s\n",
+                   rc, ldap_err2string(rc));
+  #endif
+
+  /* Now add this connection to the chain of cached connections */
+
+  lcp = store_get(sizeof(LDAP_CONNECTION), GET_UNTAINTED);
+  lcp->host = host ? string_copy(host) : NULL;
+  lcp->bound = FALSE;
+  lcp->user = NULL;
+  lcp->password = NULL;
+  lcp->port = port;
+  lcp->ld = ld;
+  lcp->next = ldap_connections;
+  lcp->is_start_tls_called = FALSE;
+  ldap_connections = lcp;
+  }
+
+/* Found cached connection */
+
+else
+  DEBUG(D_lookup)
+    debug_printf_indent("re-using cached connection to LDAP server %s%s\n",
+      host, porttext);
+
+/* Bind with the user/password supplied, or an anonymous bind if these values
+are NULL, unless a cached connection is already bound with the same values. */
+
+if (  !lcp->bound
+   || !lcp->user && user
+   || lcp->user && !user
+   || lcp->user && user && Ustrcmp(lcp->user, user) != 0
+   || !lcp->password && password
+   || lcp->password && !password
+   || lcp->password && password && Ustrcmp(lcp->password, password) != 0
+   )
+  {
+  DEBUG(D_lookup) debug_printf_indent("%sbinding with user=%s password=%s\n",
+    lcp->bound ? "re-" : "", user, password);
+
+  if (eldap_start_tls && !lcp->is_start_tls_called && !ldapi)
+    {
+#if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)
+    /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this.
+     * Note: moreover, they appear to now define LDAP_OPT_X_TLS and still not
+     *       export an ldap_start_tls_s symbol.
+     */
+    if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS)
+      {
+      *errmsg = string_sprintf("failed to initiate TLS processing on an "
+          "LDAP session to server %s%s - ldap_start_tls_s() returned %d:"
+          " %s", host, porttext, rc, ldap_err2string(rc));
+      goto RETURN_ERROR;
+      }
+    lcp->is_start_tls_called = TRUE;
+#else
+    DEBUG(D_lookup) debug_printf_indent("TLS initiation not supported with this Exim"
+      " and your LDAP library.\n");
+#endif
+    }
+  if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))
+       == -1)
+    {
+    *errmsg = string_sprintf("failed to bind the LDAP connection to server "
+      "%s%s - ldap_bind() returned -1", host, porttext);
+    goto RETURN_ERROR;
+    }
+
+  if ((rc = ldap_result(lcp->ld, msgid, 1, timeoutptr, &result)) <= 0)
+    {
+    *errmsg = string_sprintf("failed to bind the LDAP connection to server "
+      "%s%s - LDAP error: %s", host, porttext,
+      rc == -1 ? "result retrieval failed" : "timeout" );
+    result = NULL;
+    goto RETURN_ERROR;
+    }
+
+  rc = ldap_result2error(lcp->ld, result, 0);
+
+  /* Invalid credentials when just checking credentials returns FAIL. This
+  stops any further servers being tried. */
+
+  if (search_type == SEARCH_LDAP_AUTH && rc == LDAP_INVALID_CREDENTIALS)
+    {
+    DEBUG(D_lookup)
+      debug_printf_indent("Invalid credentials: ldapauth returns FAIL\n");
+    error_yield = FAIL;
+    goto RETURN_ERROR_NOMSG;
+    }
+
+  /* Otherwise we have a problem that doesn't stop further servers from being
+  tried. */
+
+  if (rc != LDAP_SUCCESS)
+    {
+    *errmsg = string_sprintf("failed to bind the LDAP connection to server "
+      "%s%s - LDAP error %d: %s", host, porttext, rc, ldap_err2string(rc));
+    goto RETURN_ERROR;
+    }
+
+  /* Successful bind */
+
+  lcp->bound = TRUE;
+  lcp->user = !user ? NULL : string_copy(user);
+  lcp->password = !password ? NULL : string_copy(password);
+
+  ldap_msgfree(result);
+  result = NULL;
+  }
+
+/* If we are just checking credentials, return OK. */
+
+if (search_type == SEARCH_LDAP_AUTH)
+  {
+  DEBUG(D_lookup) debug_printf_indent("Bind succeeded: ldapauth returns OK\n");
+  goto RETURN_OK;
+  }
+
+/* Before doing the search, set the time and size limits (if given). Here again
+the different implementations of LDAP have chosen to do things differently. */
+
+#if defined(LDAP_OPT_SIZELIMIT)
+ldap_set_option(lcp->ld, LDAP_OPT_SIZELIMIT, (void *)&sizelimit);
+ldap_set_option(lcp->ld, LDAP_OPT_TIMELIMIT, (void *)&timelimit);
+#else
+lcp->ld->ld_sizelimit = sizelimit;
+lcp->ld->ld_timelimit = timelimit;
+#endif
+
+/* Similarly for dereferencing aliases. Don't know if this is possible on
+an LDAP library without LDAP_OPT_DEREF. */
+
+#if defined(LDAP_OPT_DEREF)
+ldap_set_option(lcp->ld, LDAP_OPT_DEREF, (void *)&dereference);
+#endif
+
+/* Similarly for the referral setting; should the library follow referrals that
+the LDAP server returns? The conditional is just in case someone uses a library
+without it. */
+
+#if defined(LDAP_OPT_REFERRALS)
+ldap_set_option(lcp->ld, LDAP_OPT_REFERRALS, referrals);
+#endif
+
+/* Start the search on the server. */
+
+DEBUG(D_lookup) debug_printf_indent("Start search\n");
+
+msgid = ldap_search(lcp->ld, ludp->lud_dn, ludp->lud_scope, ludp->lud_filter,
+  ludp->lud_attrs, 0);
+
+if (msgid == -1)
+  {
+#if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
+  int err;
+  ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err);
+  *errmsg = string_sprintf("ldap_search failed: %d, %s", err,
+    ldap_err2string(err));
+#else
+  *errmsg = string_sprintf("ldap_search failed");
+#endif
+
+  goto RETURN_ERROR;
+  }
+
+/* Loop to pick up results as they come in, setting a timeout if one was
+given. */
+
+while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) ==
+        LDAP_RES_SEARCH_ENTRY)
+  {
+  LDAPMessage  *e;
+  int valuecount;   /* We can see an attr spread across several
+                    entries. If B is derived from A and we request
+                    A and the directory contains both, A and B,
+                    then we get two entries, one for A and one for B.
+                    Here we just count the values per entry */
+
+  DEBUG(D_lookup) debug_printf_indent("LDAP result loop\n");
+
+  for(e = ldap_first_entry(lcp->ld, result), valuecount = 0;
+      e;
+      e = ldap_next_entry(lcp->ld, e))
+    {
+    uschar *new_dn;
+    BOOL insert_space = FALSE;
+
+    DEBUG(D_lookup) debug_printf_indent("LDAP entry loop\n");
+
+    rescount++;   /* Count results */
+
+    /* Results for multiple entries values are separated by newlines. */
+
+    if (data) data = string_catn(data, US"\n", 1);
+
+    /* Get the DN from the last result. */
+
+    if ((new_dn = US ldap_get_dn(lcp->ld, e)))
+      {
+      if (dn)
+        {
+#if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
+        ldap_memfree(dn);
+#else   /* OPENLDAP 1, UMich, Solaris */
+        free(dn);
+#endif
+        }
+      /* Save for later */
+      dn = new_dn;
+      }
+
+    /* If the data we want is actually the DN rather than any attribute values,
+    (an "ldapdn" search) add it to the data string. If there are multiple
+    entries, the DNs will be concatenated, but we test for this case below, as
+    for SEARCH_LDAP_SINGLE, and give an error. */
+
+    if (search_type == SEARCH_LDAP_DN)	/* Do not amalgamate these into one */
+      {					/* condition, because of the else */
+      if (new_dn)			/* below, that's for the first only */
+        {
+        data = string_cat(data, new_dn);
+	(void) string_from_gstring(data);
+        attribute_found = TRUE;
+        }
+      }
+
+    /* Otherwise, loop through the entry, grabbing attribute values. If there's
+    only one attribute being retrieved, no attribute name is given, and the
+    result is not quoted. Multiple values are separated by (comma).
+    If more than one attribute is being retrieved, the data is given as a
+    sequence of name=value pairs, separated by (space), with the value always in quotes.
+    If there are multiple values, they are given within the quotes, comma separated. */
+
+    else for (uschar * attr = US ldap_first_attribute(lcp->ld, e, &ber);
+              attr; attr = US ldap_next_attribute(lcp->ld, e, ber))
+      {
+      DEBUG(D_lookup) debug_printf_indent("LDAP attr loop\n");
+
+      /* In case of attrs_requested == 1 we just count the values, in all other cases
+      (0, >1) we count the values per attribute */
+      if (attrs_requested != 1) valuecount = 0;
+
+      if (attr[0] != 0)
+        {
+        /* Get array of values for this attribute. */
+
+        if ((firstval = values = USS ldap_get_values(lcp->ld, e, CS attr)))
+          {
+          if (attrs_requested != 1)
+            {
+            if (insert_space)
+              data = string_catn(data, US" ", 1);
+            else
+              insert_space = TRUE;
+            data = string_cat(data, attr);
+            data = string_catn(data, US"=\"", 2);
+            }
+
+          while (*values)
+            {
+            uschar *value = *values;
+            int len = Ustrlen(value);
+            ++valuecount;
+
+            DEBUG(D_lookup) debug_printf_indent("LDAP value loop %s:%s\n", attr, value);
+
+            /* In case we requested one attribute only but got several times
+            into that attr loop, we need to append the additional values.
+            (This may happen if you derive attributeTypes B and C from A and
+            then query for A.) In all other cases we detect the different
+            attribute and append only every non first value. */
+
+            if (data && valuecount > 1)
+              data = string_catn(data, US",", 1);
+
+            /* For multiple attributes, the data is in quotes. We must escape
+            internal quotes, backslashes, newlines, and must double commas. */
+
+            if (attrs_requested != 1)
+              for (int j = 0; j < len; j++)
+                {
+                if (value[j] == '\n')
+                  data = string_catn(data, US"\\n", 2);
+                else if (value[j] == ',')
+                  data = string_catn(data, US",,", 2);
+                else
+                  {
+                  if (value[j] == '\"' || value[j] == '\\')
+                    data = string_catn(data, US"\\", 1);
+                  data = string_catn(data, value+j, 1);
+                  }
+                }
+
+            /* For single attributes, just double commas */
+
+	    else
+	      for (int j = 0; j < len; j++)
+	        if (value[j] == ',')
+	          data = string_catn(data, US",,", 2);
+	        else
+	          data = string_catn(data, value+j, 1);
+
+
+            /* Move on to the next value */
+
+            values++;
+            attribute_found = TRUE;
+            }
+
+          /* Closing quote at the end of the data for a named attribute. */
+
+          if (attrs_requested != 1)
+            data = string_catn(data, US"\"", 1);
+
+          /* Free the values */
+
+          ldap_value_free(CSS firstval);
+          }
+        }
+
+#if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
+
+      /* Netscape and OpenLDAP2 LDAP's attrs are dynamically allocated and need
+      to be freed. UMich LDAP stores them in static storage and does not require
+      this. */
+
+      ldap_memfree(attr);
+#endif
+      }        /* End "for" loop for extracting attributes from an entry */
+    }          /* End "for" loop for extracting entries from a result */
+
+  /* Free the result */
+
+  ldap_msgfree(result);
+  result = NULL;
+  }            /* End "while" loop for multiple results */
+
+/* Terminate the dynamic string that we have built and reclaim unused store.
+In the odd case of a single attribute with zero-length value, allocate
+an empty string. */
+
+if (!data) data = string_get(1);
+(void) string_from_gstring(data);
+gstring_release_unused(data);
+
+/* Copy the last dn into eldap_dn */
+
+if (dn)
+  {
+  eldap_dn = string_copy(dn);
+#if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
+  ldap_memfree(dn);
+#else   /* OPENLDAP 1, UMich, Solaris */
+  free(dn);
+#endif
+  }
+
+DEBUG(D_lookup) debug_printf_indent("search ended by ldap_result yielding %d\n",rc);
+
+if (rc == 0)
+  {
+  *errmsg = US"ldap_result timed out";
+  goto RETURN_ERROR;
+  }
+
+/* A return code of -1 seems to mean "ldap_result failed internally or couldn't
+provide you with a message". Other error states seem to exist where
+ldap_result() didn't give us any message from the server at all, leaving result
+set to NULL. Apparently, "the error parameters of the LDAP session handle will
+be set accordingly". That's the best we can do to retrieve an error status; we
+can't use functions like ldap_result2error because they parse a message from
+the server, which we didn't get.
+
+Annoyingly, the different implementations of LDAP have gone for different
+methods of handling error codes and generating error messages. */
+
+if (rc == -1 || !result)
+  {
+  int err;
+  DEBUG(D_lookup) debug_printf_indent("ldap_result failed\n");
+
+#if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
+    ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err);
+    *errmsg = string_sprintf("ldap_result failed: %d, %s",
+      err, ldap_err2string(err));
+
+#elif defined LDAP_LIB_NETSCAPE
+    /* Dubious (surely 'matched' is spurious here?) */
+    (void)ldap_get_lderrno(lcp->ld, &matched, &error1);
+    *errmsg = string_sprintf("ldap_result failed: %s (%s)", error1, matched);
+
+#else                             /* UMich LDAP aka OpenLDAP 1.x */
+    *errmsg = string_sprintf("ldap_result failed: %d, %s",
+      lcp->ld->ld_errno, ldap_err2string(lcp->ld->ld_errno));
+#endif
+
+  goto RETURN_ERROR;
+  }
+
+/* A return code that isn't -1 doesn't necessarily mean there were no problems
+with the search. The message must be an LDAP_RES_SEARCH_RESULT or
+LDAP_RES_SEARCH_REFERENCE or else it's something we can't handle. Some versions
+of LDAP do not define LDAP_RES_SEARCH_REFERENCE (LDAP v1 is one, it seems). So
+we don't provide that functionality when we can't. :-) */
+
+if (rc != LDAP_RES_SEARCH_RESULT
+#ifdef LDAP_RES_SEARCH_REFERENCE
+    && rc != LDAP_RES_SEARCH_REFERENCE
+#endif
+   )
+  {
+  *errmsg = string_sprintf("ldap_result returned unexpected code %d", rc);
+  goto RETURN_ERROR;
+  }
+
+/* We have a result message from the server. This doesn't yet mean all is well.
+We need to parse the message to find out exactly what's happened. */
+
+#if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
+  ldap_rc = rc;
+  ldap_parse_rc = ldap_parse_result(lcp->ld, result, &rc, CSS &matched,
+    CSS &error2, NULL, NULL, 0);
+  DEBUG(D_lookup) debug_printf_indent("ldap_parse_result: %d\n", ldap_parse_rc);
+  if (ldap_parse_rc < 0 &&
+      (ldap_parse_rc != LDAP_NO_RESULTS_RETURNED
+      #ifdef LDAP_RES_SEARCH_REFERENCE
+      || ldap_rc != LDAP_RES_SEARCH_REFERENCE
+      #endif
+     ))
+    {
+    *errmsg = string_sprintf("ldap_parse_result failed %d", ldap_parse_rc);
+    goto RETURN_ERROR;
+    }
+  error1 = US ldap_err2string(rc);
+
+#elif defined LDAP_LIB_NETSCAPE
+  /* Dubious (it doesn't reference 'result' at all!) */
+  rc = ldap_get_lderrno(lcp->ld, &matched, &error1);
+
+#else                             /* UMich LDAP aka OpenLDAP 1.x */
+  rc = ldap_result2error(lcp->ld, result, 0);
+  error1 = ldap_err2string(rc);
+  error2 = lcp->ld->ld_error;
+  matched = lcp->ld->ld_matched;
+#endif
+
+/* Process the status as follows:
+
+  (1) If we get LDAP_SIZELIMIT_EXCEEDED, just carry on, to return the
+      truncated result list.
+
+  (2) If we get LDAP_RES_SEARCH_REFERENCE, also just carry on. This was a
+      submitted patch that is reported to "do the right thing" with Solaris
+      LDAP libraries. (The problem it addresses apparently does not occur with
+      Open LDAP.)
+
+  (3) The range of errors defined by LDAP_NAME_ERROR generally mean "that
+      object does not, or cannot, exist in the database". For those cases we
+      fail the lookup.
+
+  (4) All other non-successes here are treated as some kind of problem with
+      the lookup, so return DEFER (which is the default in error_yield).
+*/
+
+DEBUG(D_lookup) debug_printf_indent("ldap_parse_result yielded %d: %s\n",
+  rc, ldap_err2string(rc));
+
+if (rc != LDAP_SUCCESS && rc != LDAP_SIZELIMIT_EXCEEDED
+    #ifdef LDAP_RES_SEARCH_REFERENCE
+    && rc != LDAP_RES_SEARCH_REFERENCE
+    #endif
+    )
+  {
+  *errmsg = string_sprintf("LDAP search failed - error %d: %s%s%s%s%s",
+    rc,
+    error1 ?                  error1  : US"",
+    error2 && error2[0] ?     US"/"   : US"",
+    error2 ?                  error2  : US"",
+    matched && matched[0] ?   US"/"   : US"",
+    matched ?                 matched : US"");
+
+#if defined LDAP_NAME_ERROR
+  if (LDAP_NAME_ERROR(rc))
+#elif defined NAME_ERROR    /* OPENLDAP1 calls it this */
+  if (NAME_ERROR(rc))
+#else
+  if (rc == LDAP_NO_SUCH_OBJECT)
+#endif
+
+    {
+    DEBUG(D_lookup) debug_printf_indent("lookup failure forced\n");
+    error_yield = FAIL;
+    }
+  goto RETURN_ERROR;
+  }
+
+/* The search succeeded. Check if we have too many results */
+
+if (search_type != SEARCH_LDAP_MULTIPLE && rescount > 1)
+  {
+  *errmsg = string_sprintf("LDAP search: more than one entry (%d) was returned "
+    "(filter not specific enough?)", rescount);
+  goto RETURN_ERROR_BREAK;
+  }
+
+/* Check if we have too few (zero) entries */
+
+if (rescount < 1)
+  {
+  *errmsg = US"LDAP search: no results";
+  error_yield = FAIL;
+  goto RETURN_ERROR_BREAK;
+  }
+
+/* If an entry was found, but it had no attributes, we behave as if no entries
+were found, that is, the lookup failed. */
+
+if (!attribute_found)
+  {
+  *errmsg = US"LDAP search: found no attributes";
+  error_yield = FAIL;
+  goto RETURN_ERROR;
+  }
+
+/* Otherwise, it's all worked */
+
+DEBUG(D_lookup) debug_printf_indent("LDAP search: returning: %s\n", data->s);
+*res = data->s;
+
+RETURN_OK:
+if (result) ldap_msgfree(result);
+ldap_free_urldesc(ludp);
+return OK;
+
+/* Error returns */
+
+RETURN_ERROR_BREAK:
+*defer_break = TRUE;
+
+RETURN_ERROR:
+DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
+
+RETURN_ERROR_NOMSG:
+if (result) ldap_msgfree(result);
+if (ludp) ldap_free_urldesc(ludp);
+
+#if defined LDAP_LIB_OPENLDAP2
+  if (error2)  ldap_memfree(error2);
+  if (matched) ldap_memfree(matched);
+#endif
+
+return error_yield;
+}
+
+
+
+/*************************************************
+*        Internal search control function        *
+*************************************************/
+
+/* This function is called from eldap_find(), eldapauth_find(), eldapdn_find(),
+and eldapm_find() with a difference in the "search_type" argument. It controls
+calls to perform_ldap_search() which actually does the work. We call that
+repeatedly for certain types of defer in the case when the URL contains no host
+name and eldap_default_servers is set to a list of servers to try. This gives
+more control than just passing over a list of hosts to ldap_open() because it
+handles other kinds of defer as well as just a failure to open. Note that the
+URL is defined to contain either zero or one "hostport" only.
+
+Parameter data in addition to the URL can be passed as preceding text in the
+string, as items of the form XXX=yyy. The URL itself can be detected because it
+must begin "ldapx://", where x is empty, s, or i.
+
+Arguments:
+  ldap_url      the URL to be looked up, optionally preceded by other parameter
+                settings
+  search_type   SEARCH_LDAP_MULTIPLE allows values from multiple entries
+                SEARCH_LDAP_SINGLE allows values from one entry only
+                SEARCH_LDAP_DN gets the DN from one entry
+  res           set to point at the result
+  errmsg        set to point a message if result is not OK
+
+Returns:        OK or FAIL or DEFER
+*/
+
+static int
+control_ldap_search(const uschar *ldap_url, int search_type, uschar **res,
+  uschar **errmsg)
+{
+BOOL defer_break = FALSE;
+int timelimit = LDAP_NO_LIMIT;
+int sizelimit = LDAP_NO_LIMIT;
+int tcplimit = 0;
+int sep = 0;
+int dereference = LDAP_DEREF_NEVER;
+void* referrals = LDAP_OPT_ON;
+const uschar *url = ldap_url;
+const uschar *p;
+uschar *user = NULL;
+uschar *password = NULL;
+uschar *local_servers = NULL;
+const uschar *list;
+
+while (isspace(*url)) url++;
+
+/* Until the string begins "ldap", search for the other parameter settings that
+are recognized. They are of the form NAME=VALUE, with the value being
+optionally double-quoted. There must still be a space after it, however. No
+NAME has the value "ldap". */
+
+while (strncmpic(url, US"ldap", 4) != 0)
+  {
+  const uschar *name = url;
+  while (*url && *url != '=') url++;
+  if (*url == '=')
+    {
+    int namelen;
+    uschar *value;
+    namelen = ++url - name;
+    value = string_dequote(&url);
+    if (isspace(*url))
+      {
+      if (strncmpic(name, US"USER=", namelen) == 0) user = value;
+      else if (strncmpic(name, US"PASS=", namelen) == 0) password = value;
+      else if (strncmpic(name, US"SIZE=", namelen) == 0) sizelimit = Uatoi(value);
+      else if (strncmpic(name, US"TIME=", namelen) == 0) timelimit = Uatoi(value);
+      else if (strncmpic(name, US"CONNECT=", namelen) == 0) tcplimit = Uatoi(value);
+      else if (strncmpic(name, US"NETTIME=", namelen) == 0) tcplimit = Uatoi(value);
+      else if (strncmpic(name, US"SERVERS=", namelen) == 0) local_servers = value;
+
+      /* Don't know if all LDAP libraries have LDAP_OPT_DEREF */
+
+      #ifdef LDAP_OPT_DEREF
+      else if (strncmpic(name, US"DEREFERENCE=", namelen) == 0)
+        {
+        if (strcmpic(value, US"never") == 0) dereference = LDAP_DEREF_NEVER;
+        else if (strcmpic(value, US"searching") == 0)
+          dereference = LDAP_DEREF_SEARCHING;
+        else if (strcmpic(value, US"finding") == 0)
+          dereference = LDAP_DEREF_FINDING;
+        if (strcmpic(value, US"always") == 0) dereference = LDAP_DEREF_ALWAYS;
+        }
+      #else
+      else if (strncmpic(name, US"DEREFERENCE=", namelen) == 0)
+        {
+        *errmsg = string_sprintf("LDAP_OP_DEREF not defined in this LDAP "
+          "library - cannot use \"dereference\"");
+        DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
+        return DEFER;
+        }
+      #endif
+
+      #ifdef LDAP_OPT_REFERRALS
+      else if (strncmpic(name, US"REFERRALS=", namelen) == 0)
+        {
+        if (strcmpic(value, US"follow") == 0) referrals = LDAP_OPT_ON;
+        else if (strcmpic(value, US"nofollow") == 0) referrals = LDAP_OPT_OFF;
+        else
+          {
+          *errmsg = US"LDAP option REFERRALS is not \"follow\" or \"nofollow\"";
+          DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
+          return DEFER;
+          }
+        }
+      #else
+      else if (strncmpic(name, US"REFERRALS=", namelen) == 0)
+        {
+        *errmsg = string_sprintf("LDAP_OP_REFERRALS not defined in this LDAP "
+          "library - cannot use \"referrals\"");
+        DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
+        return DEFER;
+        }
+      #endif
+
+      else
+        {
+        *errmsg =
+          string_sprintf("unknown parameter \"%.*s\" precedes LDAP URL",
+            namelen, name);
+        DEBUG(D_lookup) debug_printf_indent("LDAP query error: %s\n", *errmsg);
+        return DEFER;
+        }
+      while (isspace(*url)) url++;
+      continue;
+      }
+    }
+  *errmsg = US"malformed parameter setting precedes LDAP URL";
+  DEBUG(D_lookup) debug_printf_indent("LDAP query error: %s\n", *errmsg);
+  return DEFER;
+  }
+
+/* If user is set, de-URL-quote it. Some LDAP libraries do this for themselves,
+but it seems that not all behave like this. The DN for the user is often the
+result of ${quote_ldap_dn:...} quoting, which does apply URL quoting, because
+that is needed when the DN is used as a base DN in a query. Sigh. This is all
+far too complicated. */
+
+if (user)
+  {
+  uschar *t = user;
+  for (uschar * s = user; *s != 0; s++)
+    {
+    int c, d;
+    if (*s == '%' && isxdigit(c=s[1]) && isxdigit(d=s[2]))
+      {
+      c = tolower(c);
+      d = tolower(d);
+      *t++ =
+        (((c >= 'a')? (10 + c - 'a') : c - '0') << 4) |
+         ((d >= 'a')? (10 + d - 'a') : d - '0');
+      s += 2;
+      }
+    else *t++ = *s;
+    }
+  *t = 0;
+  }
+
+DEBUG(D_lookup)
+  debug_printf_indent("LDAP parameters: user=%s pass=%s size=%d time=%d connect=%d "
+    "dereference=%d referrals=%s\n", user, password, sizelimit, timelimit,
+    tcplimit, dereference, referrals == LDAP_OPT_ON ? "on" : "off");
+
+/* If the request is just to check authentication, some credentials must
+be given. The password must not be empty because LDAP binds with an empty
+password are considered anonymous, and will succeed on most installations. */
+
+if (search_type == SEARCH_LDAP_AUTH)
+  {
+  if (!user || !password)
+    {
+    *errmsg = US"ldapauth lookups must specify the username and password";
+    return DEFER;
+    }
+  if (!*password)
+    {
+    DEBUG(D_lookup) debug_printf_indent("Empty password: ldapauth returns FAIL\n");
+    return FAIL;
+    }
+  }
+
+/* Check for valid ldap url starters */
+
+p = url + 4;
+if (tolower(*p) == 's' || tolower(*p) == 'i') p++;
+if (Ustrncmp(p, "://", 3) != 0)
+  {
+  *errmsg = string_sprintf("LDAP URL does not start with \"ldap://\", "
+    "\"ldaps://\", or \"ldapi://\" (it starts with \"%.16s...\")", url);
+  DEBUG(D_lookup) debug_printf_indent("LDAP query error: %s\n", *errmsg);
+  return DEFER;
+  }
+
+/* No default servers, or URL contains a server name: just one attempt */
+
+if (!eldap_default_servers && !local_servers  || p[3] != '/')
+  return perform_ldap_search(url, NULL, 0, search_type, res, errmsg,
+    &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
+    referrals);
+
+/* Loop through the servers until OK or FAIL. Use local_servers list
+if defined in the lookup, otherwise use the global default list */
+
+list = local_servers ? local_servers : eldap_default_servers;
+for (uschar * server; server = string_nextinlist(&list, &sep, NULL, 0); )
+  {
+  int rc, port = 0;
+  uschar *colon = Ustrchr(server, ':');
+  if (colon)
+    {
+    *colon = 0;
+    port = Uatoi(colon+1);
+    }
+  rc = perform_ldap_search(url, server, port, search_type, res, errmsg,
+    &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
+    referrals);
+  if (rc != DEFER || defer_break) return rc;
+  }
+
+return DEFER;
+}
+
+
+
+/*************************************************
+*               Find entry point                 *
+*************************************************/
+
+/* See local README for interface description. The different kinds of search
+are handled by a common function, with a flag to differentiate between them.
+The handle and filename arguments are not used. */
+
+static int
+eldap_find(void * handle, const uschar * filename, const uschar * ldap_url,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+return(control_ldap_search(ldap_url, SEARCH_LDAP_SINGLE, result, errmsg));
+}
+
+static int
+eldapm_find(void * handle, const uschar * filename, const uschar * ldap_url,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+return(control_ldap_search(ldap_url, SEARCH_LDAP_MULTIPLE, result, errmsg));
+}
+
+static int
+eldapdn_find(void * handle, const uschar * filename, const uschar * ldap_url,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+return(control_ldap_search(ldap_url, SEARCH_LDAP_DN, result, errmsg));
+}
+
+int
+eldapauth_find(void * handle, const uschar * filename, const uschar * ldap_url,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache)
+{
+return(control_ldap_search(ldap_url, SEARCH_LDAP_AUTH, result, errmsg));
+}
+
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void *
+eldap_open(const uschar * filename, uschar ** errmsg)
+{
+return (void *)(1);    /* Just return something non-null */
+}
+
+
+
+/*************************************************
+*               Tidy entry point                 *
+*************************************************/
+
+/* See local README for interface description.
+Make sure that eldap_dn does not refer to reclaimed or worse, freed store */
+
+static void
+eldap_tidy(void)
+{
+eldap_dn = NULL;
+
+for (LDAP_CONNECTION *lcp; lcp = ldap_connections; ldap_connections = lcp->next)
+  {
+  DEBUG(D_lookup) debug_printf_indent("unbind LDAP connection to %s:%d\n",
+    lcp->host, lcp->port);
+  if(lcp->bound) ldap_unbind(lcp->ld);
+  }
+}
+
+
+
+/*************************************************
+*               Quote entry point                *
+*************************************************/
+
+/* LDAP quoting is unbelievably messy. For a start, two different levels of
+quoting have to be done: LDAP quoting, and URL quoting. The current
+specification is the result of a suggestion by Brian Candler. It recognizes
+two separate cases:
+
+(1) For text that appears in a search filter, the following escapes are
+    required (see RFC 2254):
+
+      *    ->   \2A
+      (    ->   \28
+      )    ->   \29
+      \    ->   \5C
+     NULL  ->   \00
+
+    Then the entire filter text must be URL-escaped. This kind of quoting is
+    implemented by ${quote_ldap:....}. Note that we can never have a NULL
+    in the input string, because that's a terminator.
+
+(2) For a DN that is part of a URL (i.e. the base DN), the characters
+
+      , + " \ < > ;
+
+    must be quoted by backslashing. See RFC 2253. Leading and trailing spaces
+    must be escaped, as must a leading #. Then the string must be URL-quoted.
+    This type of quoting is implemented by ${quote_ldap_dn:....}.
+
+For URL quoting, the only characters that need not be quoted are the
+alphamerics and
+
+  ! $ ' ( ) * + - . _
+
+All the others must be hexified and preceded by %. This includes the
+backslashes used for LDAP quoting.
+
+For a DN that is given in the USER parameter for authentication, we need the
+same initial quoting as (2) but in this case, the result must NOT be
+URL-escaped, because it isn't a URL. The way this is handled is by
+de-URL-quoting the text when processing the USER parameter in
+control_ldap_search() above. That means that the same quote operator can be
+used. This has the additional advantage that spaces in the DN won't cause
+parsing problems. For example:
+
+  USER=cn=${quote_ldap_dn:$1},%20dc=example,%20dc=com
+
+should be safe if there are spaces in $1.
+
+
+Arguments:
+  s          the string to be quoted
+  opt        additional option text or NULL if none
+             only "dn" is recognized
+  idx	     lookup type index
+
+Returns:     the processed string or NULL for a bad option
+*/
+
+
+
+/* The characters in this string, together with alphanumerics, never need
+quoting in any way. */
+
+#define ALWAYS_LITERAL  "!$'-._"
+
+/* The special characters in this string do not need to be URL-quoted. The set
+is a bit larger than the general literals. */
+
+#define URL_NONQUOTE    ALWAYS_LITERAL "()*+"
+
+/* The following macros define the characters that are quoted by quote_ldap and
+quote_ldap_dn, respectively. */
+
+#define LDAP_QUOTE      "*()\\"
+#define LDAP_DN_QUOTE   ",+\"\\<>;"
+
+
+
+static uschar *
+eldap_quote(uschar * s, uschar * opt, unsigned idx)
+{
+int c, count = 0, len = 0;
+BOOL dn = FALSE;
+uschar * t = s, * quoted;
+
+/* Test for a DN quotation. */
+
+if (opt)
+  {
+  if (Ustrcmp(opt, "dn") != 0) return NULL;    /* No others recognized */
+  dn = TRUE;
+  }
+
+/* Compute how much extra store we need for the string. This doesn't have to be
+exact as long as it isn't an underestimate. The worst case is the addition of 5
+extra bytes for a single character. This occurs for certain characters in DNs,
+where, for example, < turns into %5C%3C. For simplicity, we just add 5 for each
+possibly escaped character. The really fast way would be just to test for
+non-alphanumerics, but it is probably better to spot a few others that are
+never escaped, because if there are no specials at all, we can avoid copying
+the string.
+XXX No longer true; we always copy, to support quoted-enforcement */
+
+while ((c = *t++))
+  {
+  len++;
+  if (!isalnum(c) && Ustrchr(ALWAYS_LITERAL, c) == NULL) count += 5;
+  }
+/*if (count == 0) return s;*/
+
+/* Get sufficient store to hold the quoted string */
+
+t = quoted = store_get_quoted(len + count + 1, s, idx);
+
+/* Handle plain quote_ldap */
+
+if (!dn)
+  {
+  while ((c = *s++))
+    {
+    if (!isalnum(c))
+      {
+      if (Ustrchr(LDAP_QUOTE, c) != NULL)
+        {
+        sprintf(CS t, "%%5C%02X", c);        /* e.g. * => %5C2A */
+        t += 5;
+        continue;
+        }
+      if (Ustrchr(URL_NONQUOTE, c) == NULL)  /* e.g. ] => %5D */
+        {
+        sprintf(CS t, "%%%02X", c);
+        t += 3;
+        continue;
+        }
+      }
+    *t++ = c;                                /* unquoted character */
+    }
+  }
+
+/* Handle quote_ldap_dn */
+
+else
+  {
+  uschar * ss = s + len;
+
+  /* Find the last char before any trailing spaces */
+
+  while (ss > s && ss[-1] == ' ') ss--;
+
+  /* Quote leading spaces and sharps */
+
+  for (; s < ss; s++)
+    {
+    if (*s != ' ' && *s != '#') break;
+    sprintf(CS t, "%%5C%%%02X", *s);
+    t += 6;
+    }
+
+  /* Handle the rest of the string, up to the trailing spaces */
+
+  while (s < ss)
+    {
+    c = *s++;
+    if (!isalnum(c))
+      {
+      if (Ustrchr(LDAP_DN_QUOTE, c) != NULL)
+        {
+        Ustrncpy(t, US"%5C", 3);               /* insert \ where needed */
+        t += 3;                              /* fall through to check URL */
+        }
+      if (Ustrchr(URL_NONQUOTE, c) == NULL)  /* e.g. ] => %5D */
+        {
+        sprintf(CS t, "%%%02X", c);
+        t += 3;
+        continue;
+        }
+      }
+    *t++ = c;    /* unquoted character, or non-URL quoted after %5C */
+    }
+
+  /* Handle the trailing spaces */
+
+  while (*ss++ != 0)
+    {
+    Ustrncpy(t, US"%5C%20", 6);
+    t += 6;
+    }
+  }
+
+/* Terminate the new string and return */
+
+*t = 0;
+return quoted;
+}
+
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+ldap_version_report(gstring * g)
+{
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "Library version: LDAP: Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+
+static lookup_info ldap_lookup_info = {
+  .name = US"ldap",			/* lookup name */
+  .type = lookup_querystyle,		/* query-style lookup */
+  .open = eldap_open,			/* open function */
+  .check = NULL,			/* check function */
+  .find = eldap_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = eldap_tidy,			/* tidy function */
+  .quote = eldap_quote,			/* quoting function */
+  .version_report = ldap_version_report            /* version reporting */
+};
+
+static lookup_info ldapdn_lookup_info = {
+  .name = US"ldapdn",			/* lookup name */
+  .type = lookup_querystyle,		/* query-style lookup */
+  .open = eldap_open,			/* sic */    /* open function */
+  .check = NULL,			/* check function */
+  .find = eldapdn_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = eldap_tidy,			/* sic */    /* tidy function */
+  .quote = eldap_quote,			/* sic */    /* quoting function */
+  .version_report = NULL                           /* no version reporting (redundant) */
+};
+
+static lookup_info ldapm_lookup_info = {
+  .name = US"ldapm",			/* lookup name */
+  .type = lookup_querystyle,		/* query-style lookup */
+  .open = eldap_open,			/* sic */    /* open function */
+  .check = NULL,			/* check function */
+  .find = eldapm_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = eldap_tidy,			/* sic */    /* tidy function */
+  .quote = eldap_quote,			/* sic */    /* quoting function */
+  .version_report = NULL                           /* no version reporting (redundant) */
+};
+
+#ifdef DYNLOOKUP
+#define ldap_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &ldap_lookup_info, &ldapdn_lookup_info, &ldapm_lookup_info };
+lookup_module_info ldap_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 3 };
+
+/* End of lookups/ldap.c */
diff --git a/src/lookups/ldap.h b/src/lookups/ldap.h
new file mode 100644
index 0000000..ddfda85
--- /dev/null
+++ b/src/lookups/ldap.h
@@ -0,0 +1,13 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Header for eldapauth_find */
+
+extern int     eldapauth_find(void *, uschar *, const uschar *, int, uschar **,
+                 uschar **, BOOL *);
+
+/* End of lookups/ldap.h */
diff --git a/src/lookups/lf_check_file.c b/src/lookups/lf_check_file.c
new file mode 100644
index 0000000..7f0f128
--- /dev/null
+++ b/src/lookups/lf_check_file.c
@@ -0,0 +1,113 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) The Exim Maintainers 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+
+
+/*************************************************
+*         Check a file's credentials             *
+*************************************************/
+
+/* fstat can normally be expected to work on an open file, but there are some
+NFS states where it may not.
+
+Arguments:
+  fd         an open file descriptor or -1
+  filename   a file name if fd is -1
+  s_type     type of file (S_IFREG or S_IFDIR)
+  modemask   a mask specifying mode bits that must *not* be set
+  owners     NULL or a list of of allowable uids, count in the first item
+  owngroups  NULL or a list of allowable gids, count in the first item
+  type       name of lookup type for putting in error message
+  errmsg     where to put an error message
+
+Returns:     -1 stat() or fstat() failed
+              0 OK
+             +1 something didn't match
+
+Side effect: sets errno to ERRNO_BADUGID, ERRNO_NOTREGULAR or ERRNO_BADMODE for
+             bad uid/gid, not a regular file, or bad mode; otherwise leaves it
+             to what fstat set it to.
+*/
+
+int
+lf_check_file(int fd, const uschar * filename, int s_type, int modemask,
+  uid_t * owners, gid_t * owngroups, const char * type, uschar ** errmsg)
+{
+struct stat statbuf;
+
+if ((fd >= 0 && fstat(fd, &statbuf) != 0) ||
+    (fd  < 0 && Ustat(filename, &statbuf) != 0))
+  {
+  int save_errno = errno;
+  *errmsg = string_sprintf("%s: stat failed", filename);
+  errno = save_errno;
+  return -1;
+  }
+
+if ((statbuf.st_mode & S_IFMT) != s_type)
+  {
+  if (s_type == S_IFREG)
+    {
+    *errmsg = string_sprintf("%s is not a regular file (%s lookup)",
+      filename, type);
+    errno = ERRNO_NOTREGULAR;
+    }
+  else
+    {
+    *errmsg = string_sprintf("%s is not a directory (%s lookup)",
+      filename, type);
+    errno = ERRNO_NOTDIRECTORY;
+    }
+  return +1;
+  }
+
+if ((statbuf.st_mode & modemask) != 0)
+  {
+  *errmsg = string_sprintf("%s (%s lookup): file mode %.4o should not contain "
+    "%.4o", filename, type,  statbuf.st_mode & 07777,
+    statbuf.st_mode & modemask);
+  errno = ERRNO_BADMODE;
+  return +1;
+  }
+
+if (owners != NULL)
+  {
+  BOOL uid_ok = FALSE;
+  for (int i = 1; i <= (int)owners[0]; i++)
+    if (owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
+  if (!uid_ok)
+    {
+    *errmsg = string_sprintf("%s (%s lookup): file has wrong owner", filename,
+      type);
+    errno = ERRNO_BADUGID;
+    return +1;
+    }
+  }
+
+if (owngroups != NULL)
+  {
+  BOOL gid_ok = FALSE;
+  for (int i = 1; i <= (int)owngroups[0]; i++)
+    if (owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
+  if (!gid_ok)
+    {
+    *errmsg = string_sprintf("%s (%s lookup): file has wrong group", filename,
+      type);
+    errno = ERRNO_BADUGID;
+    return +1;
+    }
+  }
+
+return 0;
+}
+
+/* End of lf_check_file.c */
diff --git a/src/lookups/lf_functions.h b/src/lookups/lf_functions.h
new file mode 100644
index 0000000..fd9eb30
--- /dev/null
+++ b/src/lookups/lf_functions.h
@@ -0,0 +1,20 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Header for the functions that are shared by the lookups */
+
+extern int     lf_check_file(int, const uschar *, int, int, uid_t *, gid_t *,
+                 const char *, uschar **);
+extern gstring *lf_quote(uschar *, uschar *, int, gstring *);
+extern int     lf_sqlperform(const uschar *, const uschar *, const uschar *,
+		 const uschar *, uschar **,
+                 uschar **, uint *, const uschar *,
+		 int(*)(const uschar *, uschar *, uschar **,
+                 uschar **, BOOL *, uint *, const uschar *));
+
+/* End of lf_functions.h */
diff --git a/src/lookups/lf_quote.c b/src/lookups/lf_quote.c
new file mode 100644
index 0000000..6f4143d
--- /dev/null
+++ b/src/lookups/lf_quote.c
@@ -0,0 +1,63 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+
+/*************************************************
+*   Add string to result, quoting if necessary   *
+*************************************************/
+
+/* This function is called by some lookups that create name=value result
+strings, to handle the quoting of the data. It adds "name=" to the result,
+followed by appropriately quoted data, followed by a single space.
+
+Arguments:
+  name           the field name
+  value          the data value
+  vlength        the data length
+  result         the result expanding-string
+
+Returns:         the result pointer (possibly updated)
+*/
+
+gstring *
+lf_quote(uschar *name, uschar *value, int vlength, gstring * result)
+{
+result = string_append(result, 2, name, US"=");
+
+/* NULL is handled as an empty string */
+
+if (!value)
+  {
+  value = US"";
+  vlength = 0;
+  }
+
+/* Quote the value if it is empty, contains white space, or starts with a quote
+character. */
+
+if (value[0] == 0 || Ustrpbrk(value, " \t\n\r") != NULL || value[0] == '\"')
+  {
+  result = string_catn(result, US"\"", 1);
+  for (int j = 0; j < vlength; j++)
+    {
+    if (value[j] == '\"' || value[j] == '\\')
+      result = string_catn(result, US"\\", 1);
+    result = string_catn(result, US value+j, 1);
+    }
+  result = string_catn(result, US"\"", 1);
+  }
+else
+  result = string_catn(result, US value, vlength);
+
+return string_catn(result, US" ", 1);
+}
+
+/* End of lf_quote.c */
diff --git a/src/lookups/lf_sqlperform.c b/src/lookups/lf_sqlperform.c
new file mode 100644
index 0000000..ce6f163
--- /dev/null
+++ b/src/lookups/lf_sqlperform.c
@@ -0,0 +1,175 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+
+
+/*************************************************
+*    Call SQL server(s) to run an actual query   *
+*************************************************/
+
+/* All the SQL lookups are of the same form, with a list of servers to try
+until one can be accessed. It is now also possible to provide the server data
+as part of the query. This function manages server selection and looping; each
+lookup has its own function for actually performing the lookup.
+
+Arguments:
+  name           the lookup name, e.g. "MySQL"
+  optionname     the name of the servers option, e.g. "mysql_servers"
+  optserverlist  the value of the servers option
+  query          the query
+  result         where to pass back the result
+  errmsg         where to pass back an error message
+  do_cache       to be set zero if data is changed
+  func           the lookup function to call
+
+Returns:         the return from the lookup function, or DEFER
+*/
+
+int
+lf_sqlperform(const uschar *name, const uschar *optionname,
+  const uschar *optserverlist, const uschar *query,
+  uschar **result, uschar **errmsg, uint *do_cache, const uschar * opts,
+  int(*fn)(const uschar *, uschar *, uschar **, uschar **, BOOL *, uint *, const uschar *))
+{
+int rc;
+uschar *server;
+BOOL defer_break = FALSE;
+
+DEBUG(D_lookup) debug_printf_indent("%s query: \"%s\" opts '%s'\n", name, query, opts);
+
+/* Handle queries that do have server information at the start. */
+
+if (Ustrncmp(query, "servers", 7) == 0)
+  {
+  int qsep = 0;
+  const uschar *s, *ss;
+  const uschar *qserverlist;
+  uschar *qserver;
+
+  s = query + 7;
+  skip_whitespace(&s);
+  if (*s++ != '=')
+    {
+    *errmsg = string_sprintf("missing = after \"servers\" in %s lookup", name);
+    return DEFER;
+    }
+  skip_whitespace(&s);
+
+  ss = Ustrchr(s, ';');
+  if (!ss)
+    {
+    *errmsg = string_sprintf("missing ; after \"servers=\" in %s lookup",
+      name);
+    return DEFER;
+    }
+
+  if (ss == s)
+    {
+    *errmsg = string_sprintf("\"servers=\" defines no servers in \"%s\"",
+      query);
+    return DEFER;
+    }
+
+  qserverlist = string_sprintf("%.*s", (int)(ss - s), s);
+
+  while ((qserver = string_nextinlist(&qserverlist, &qsep, NULL, 0)))
+    {
+    if (Ustrchr(qserver, '/'))
+      server = qserver;
+    else
+      {
+      int len = Ustrlen(qserver);
+      const uschar * serverlist = optserverlist;
+
+      for (int sep = 0; server = string_nextinlist(&serverlist, &sep, NULL, 0);)
+        if (Ustrncmp(server, qserver, len) == 0 && server[len] == '/')
+          break;
+
+      if (!server)
+        {
+        *errmsg = string_sprintf("%s server \"%s\" not found in %s", name,
+          qserver, optionname);
+        return DEFER;
+        }
+      }
+
+    if (is_tainted(server))
+      {
+      *errmsg = string_sprintf("%s server \"%s\" is tainted", name, server);
+      return DEFER;
+      }
+
+    rc = (*fn)(ss+1, server, result, errmsg, &defer_break, do_cache, opts);
+    if (rc != DEFER || defer_break) return rc;
+    }
+  }
+
+/* Handle queries that do not have server information at the start. */
+
+else
+  {
+  const uschar * serverlist = NULL;
+
+  /* If options are present, scan for a server definition.  Default to
+  the "optserverlist" srgument. */
+
+  if (opts)
+    {
+    uschar * ele;
+    for (int sep = ','; ele = string_nextinlist(&opts, &sep, NULL, 0); )
+      if (Ustrncmp(ele, "servers=", 8) == 0)
+	{ serverlist = ele + 8; break; }
+    }
+
+  if (!serverlist)
+    serverlist = optserverlist;
+  if (!serverlist)
+    *errmsg = string_sprintf("no %s servers defined (%s option)", name,
+      optionname);
+  else
+    for (int d = 0; (server = string_nextinlist(&serverlist, &d, NULL, 0)); )
+      {
+      /* If not a full spec assume from options; scan main list for matching
+      hostname */
+
+      if (!Ustrchr(server, '/'))
+	{
+	int len = Ustrlen(server);
+	const uschar * slist = optserverlist;
+	uschar * ele;
+	for (int sep = 0; ele = string_nextinlist(&slist, &sep, NULL, 0); )
+	  if (Ustrncmp(ele, server, len) == 0 && ele[len] == '/')
+	    break;
+	if (!ele)
+	  {
+	  *errmsg = string_sprintf("%s server \"%s\" not found in %s", name,
+	    server, optionname);
+	  return DEFER;
+	  }
+	server = ele;
+	}
+
+      if (is_tainted(server))
+        {
+        *errmsg = string_sprintf("%s server \"%s\" is tainted", name, server);
+        return DEFER;
+        }
+
+      rc = (*fn)(query, server, result, errmsg, &defer_break, do_cache, opts);
+      if (rc != DEFER || defer_break) return rc;
+      }
+  }
+
+return DEFER;
+}
+
+/* End of lf_sqlperform.c */
diff --git a/src/lookups/lmdb.c b/src/lookups/lmdb.c
new file mode 100644
index 0000000..a32c7f7
--- /dev/null
+++ b/src/lookups/lmdb.c
@@ -0,0 +1,162 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 2016 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+
+#ifdef LOOKUP_LMDB
+
+#include <lmdb.h>
+
+typedef struct lmdbstrct
+{
+MDB_txn *txn;
+MDB_dbi db_dbi;
+} Lmdbstrct;
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+static void *
+lmdb_open(const uschar * filename, uschar ** errmsg)
+{
+MDB_env * db_env = NULL;
+Lmdbstrct * lmdb_p;
+int ret, save_errno;
+const uschar * errstr;
+
+lmdb_p = store_get(sizeof(Lmdbstrct), GET_UNTAINTED);
+lmdb_p->txn = NULL;
+
+if ((ret = mdb_env_create(&db_env)))
+  {
+  errstr = US"create environment";
+  goto bad;
+  }
+
+if ((ret = mdb_env_open(db_env, CS filename, MDB_NOSUBDIR|MDB_RDONLY, 0660)))
+  {
+  errstr = string_sprintf("open environment with %s", filename);
+  goto bad;
+  }
+
+if ((ret = mdb_txn_begin(db_env, NULL, MDB_RDONLY, &lmdb_p->txn)))
+  {
+  errstr = US"start transaction";
+  goto bad;
+  }
+
+if ((ret = mdb_open(lmdb_p->txn, NULL, 0, &lmdb_p->db_dbi)))
+  {
+  errstr = US"open database";
+  goto bad;
+  }
+
+return lmdb_p;
+
+bad:
+  save_errno = errno;
+  if (lmdb_p->txn) mdb_txn_abort(lmdb_p->txn);
+  if (db_env) mdb_env_close(db_env);
+  *errmsg = string_sprintf("LMDB: Unable to %s: %s", errstr,  mdb_strerror(ret));
+  errno = save_errno;
+  return NULL;
+}
+
+
+/*************************************************
+*              Find entry point                  *
+*************************************************/
+
+static int
+lmdb_find(void * handle, const uschar * filename,
+    const uschar * keystring, int length, uschar ** result, uschar ** errmsg,
+    uint * do_cache, const uschar * opts)
+{
+int ret;
+MDB_val dbkey, data;
+Lmdbstrct * lmdb_p = handle;
+
+dbkey.mv_data = CS keystring;
+dbkey.mv_size = length;
+
+DEBUG(D_lookup) debug_printf_indent("LMDB: lookup key: %s\n", CS keystring);
+
+if ((ret = mdb_get(lmdb_p->txn, lmdb_p->db_dbi, &dbkey, &data)) == 0)
+  {
+  *result = string_copyn(US data.mv_data, data.mv_size);
+  DEBUG(D_lookup) debug_printf_indent("LMDB: lookup result: %s\n", *result);
+  return OK;
+  }
+else if (ret == MDB_NOTFOUND)
+  {
+  *errmsg = US"LMDB: lookup, no data found";
+  DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
+  return FAIL;
+  }
+else
+  {
+  *errmsg = string_sprintf("LMDB: lookup error: %s", mdb_strerror(ret));
+  DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
+  return DEFER;
+  }
+}
+
+
+/*************************************************
+*              Close entry point                 *
+*************************************************/
+
+static void
+lmdb_close(void * handle)
+{
+Lmdbstrct * lmdb_p = handle;
+MDB_env * db_env = mdb_txn_env(lmdb_p->txn);
+mdb_txn_abort(lmdb_p->txn);
+mdb_env_close(db_env);
+}
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+#include "../version.h"
+
+gstring *
+lmdb_version_report(gstring * g)
+{
+g = string_fmt_append(g, "Library version: LMDB: Compile: %d.%d.%d\n",
+			  MDB_VERSION_MAJOR, MDB_VERSION_MINOR, MDB_VERSION_PATCH);
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "                        Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+static lookup_info lmdb_lookup_info = {
+  .name = US"lmdb",			/* lookup name */
+  .type = lookup_absfile,		/* query-style lookup */
+  .open = lmdb_open,			/* open function */
+  .check = NULL,			/* no check function */
+  .find = lmdb_find,			/* find function */
+  .close = lmdb_close,			/* close function */
+  .tidy = NULL,				/* tidy function */
+  .quote = NULL,			/* quoting function */
+  .version_report = lmdb_version_report           /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+# define lmdb_lookup_module_info _lookup_module_info
+#endif /* DYNLOOKUP */
+
+static lookup_info *_lookup_list[] = { &lmdb_lookup_info };
+lookup_module_info lmdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+#endif /* LOOKUP_LMDB */
diff --git a/src/lookups/lsearch.c b/src/lookups/lsearch.c
new file mode 100644
index 0000000..dcfdec9
--- /dev/null
+++ b/src/lookups/lsearch.c
@@ -0,0 +1,487 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+/* Codes for the different kinds of lsearch that are supported */
+
+enum {
+  LSEARCH_PLAIN,        /* Literal keys */
+  LSEARCH_WILD,         /* Wild card keys, expanded */
+  LSEARCH_NWILD,        /* Wild card keys, not expanded */
+  LSEARCH_IP            /* IP addresses and networks */
+};
+
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description */
+
+static void *
+lsearch_open(const uschar * filename, uschar ** errmsg)
+{
+FILE * f = Ufopen(filename, "rb");
+if (!f)
+  *errmsg = string_open_failed("%s for linear search", filename);
+return f;
+}
+
+
+
+/*************************************************
+*             Check entry point                  *
+*************************************************/
+
+static BOOL
+lsearch_check(void *handle, const uschar *filename, int modemask, uid_t *owners,
+  gid_t *owngroups, uschar **errmsg)
+{
+return lf_check_file(fileno((FILE *)handle), filename, S_IFREG, modemask,
+  owners, owngroups, "lsearch", errmsg) == 0;
+}
+
+
+
+/*************************************************
+*  Internal function for the various lsearches   *
+*************************************************/
+
+/* See local README for interface description, plus:
+
+Extra argument:
+
+  type     one of the values LSEARCH_PLAIN, LSEARCH_WILD, LSEARCH_NWILD, or
+           LSEARCH_IP
+
+There is some messy logic in here to cope with very long data lines that do not
+fit into the fixed sized buffer. Most of the time this will never be exercised,
+but people do occasionally do weird things. */
+
+static int
+internal_lsearch_find(void * handle, const uschar * filename,
+  const uschar * keystring, int length, uschar ** result, uschar ** errmsg,
+  int type, const uschar * opts)
+{
+FILE *f = handle;
+BOOL ret_full = FALSE;
+int old_pool = store_pool;
+rmark reset_point = NULL;
+uschar buffer[4096];
+
+if (opts)
+  {
+  int sep = ',';
+  uschar * ele;
+
+  while ((ele = string_nextinlist(&opts, &sep, NULL, 0)))
+    if (Ustrcmp(ele, "ret=full") == 0)
+      { ret_full = TRUE; break; }
+  }
+
+/* Wildcard searches may use up some store, because of expansions. We don't
+want them to fill up our search store. What we do is set the pool to the main
+pool and get a point to reset to later. Wildcard searches could also issue
+lookups, but internal_search_find will take care of that, and the cache will be
+safely stored in the search pool again. */
+
+if (type == LSEARCH_WILD || type == LSEARCH_NWILD)
+  {
+  store_pool = POOL_MAIN;
+  reset_point = store_mark();
+  }
+
+rewind(f);
+for (BOOL this_is_eol, last_was_eol = TRUE;
+     Ufgets(buffer, sizeof(buffer), f) != NULL;
+     last_was_eol = this_is_eol)
+  {
+  int p = Ustrlen(buffer);
+  int linekeylength;
+  BOOL this_is_comment;
+  gstring * yield;
+  uschar *s = buffer;
+
+  /* Check whether this the final segment of a line. If it follows an
+  incomplete part-line, skip it. */
+
+  this_is_eol = p > 0 && buffer[p-1] == '\n';
+  if (!last_was_eol) continue;
+
+  /* We now have the start of a physical line. If this is a final line segment,
+  remove trailing white space. */
+
+  if (this_is_eol)
+    {
+    while (p > 0 && isspace((uschar)buffer[p-1])) p--;
+    buffer[p] = 0;
+    }
+
+  /* If the buffer is empty it might be (a) a complete empty line, or (b) the
+  start of a line that begins with so much white space that it doesn't all fit
+  in the buffer. In both cases we want to skip the entire physical line.
+
+  If the buffer begins with # it is a comment line; if it begins with white
+  space it is a logical continuation; again, we want to skip the entire
+  physical line. */
+
+  if (buffer[0] == 0 || buffer[0] == '#' || isspace(buffer[0])) continue;
+
+  /* We assume that they key will fit in the buffer. If the key starts with ",
+  read it as a quoted string. We don't use string_dequote() because that uses
+  new store for the result, and we may be doing this many times in a long file.
+  We know that the dequoted string must be shorter than the original, because
+  we are removing the quotes, and also any escape sequences always turn two or
+  more characters into one character. Therefore, we can store the new string in
+  the same buffer. */
+
+  if (*s == '\"')
+    {
+    uschar *t = s++;
+    while (*s && *s != '\"')
+      {
+      *t++ = *s == '\\' ? string_interpret_escape(CUSS &s) : *s;
+      s++;
+      }
+    linekeylength = t - buffer;
+    if (*s) s++;			/* Past terminating " */
+    if (ret_full)
+      memmove(t, s, Ustrlen(s)+1);	/* copy the rest of line also */
+    }
+
+  /* Otherwise it is terminated by a colon or white space */
+
+  else
+    {
+    while (*s && *s != ':' && !isspace(*s)) s++;
+    linekeylength = s - buffer;
+    }
+
+  /* The matching test depends on which kind of lsearch we are doing */
+
+  switch(type)
+    {
+    /* A plain lsearch treats each key as a literal */
+
+    case LSEARCH_PLAIN:
+      if (linekeylength != length || strncmpic(buffer, keystring, length) != 0)
+	continue;
+      break;      /* Key matched */
+
+    /* A wild lsearch treats each key as a possible wildcarded string; no
+    expansion is done for nwildlsearch. */
+
+    case LSEARCH_WILD:
+    case LSEARCH_NWILD:
+      {
+      int rc;
+      int save = buffer[linekeylength];
+      const uschar *list = buffer;
+      buffer[linekeylength] = 0;
+      rc = match_isinlist(keystring,
+        &list,
+        UCHAR_MAX+1,              /* Single-item list */
+        NULL,                     /* No anchor */
+        NULL,                     /* No caching */
+        MCL_STRING + (type == LSEARCH_WILD ? 0 : MCL_NOEXPAND),
+        TRUE,                     /* Caseless */
+        NULL);
+      buffer[linekeylength] = save;
+      if (rc == FAIL) continue;
+      if (rc == DEFER) return DEFER;
+      }
+
+      /* The key has matched. If the search involved a regular expression, it
+      might have caused numerical variables to be set. However, their values will
+      be in the wrong storage pool for external use. Copying them to the standard
+      pool is not feasible because of the caching of lookup results - a repeated
+      lookup will not match the regular expression again. Therefore, we drop
+      all numeric variables at this point. */
+
+      expand_nmax = -1;
+      break;
+
+    /* Compare an ip address against a list of network/ip addresses. We have to
+    allow for the "*" case specially. */
+
+    case LSEARCH_IP:
+      if (linekeylength == 1 && buffer[0] == '*')
+	{
+	if (length != 1 || keystring[0] != '*') continue;
+	}
+      else if (length == 1 && keystring[0] == '*') continue;
+      else
+	{
+	int maskoffset;
+	int save = buffer[linekeylength];
+	buffer[linekeylength] = 0;
+	if (string_is_ip_address(buffer, &maskoffset) == 0 ||
+	    !host_is_in_net(keystring, buffer, maskoffset)) continue;
+	buffer[linekeylength] = save;
+	}
+      break;      /* Key matched */
+    }
+
+  /* The key has matched. Skip spaces after the key, and allow an optional
+  colon after the spaces. This is an odd specification, but it's for
+  compatibility. */
+
+  if (!ret_full)
+    if (Uskip_whitespace(&s) == ':')
+      {
+      s++;
+      Uskip_whitespace(&s);
+      }
+
+  /* Reset dynamic store, if we need to, and revert to the search pool */
+
+  if (reset_point)
+    {
+    reset_point = store_reset(reset_point);
+    store_pool = old_pool;
+    }
+
+  /* Now we want to build the result string to contain the data. There can be
+  two kinds of continuation: (a) the physical line may not all have fitted into
+  the buffer, and (b) there may be logical continuation lines, for which we
+  must convert all leading white space into a single blank.
+
+  Initialize, and copy the first segment of data. */
+
+  this_is_comment = FALSE;
+  yield = string_get(100);
+  if (ret_full)
+    yield = string_cat(yield, buffer);
+  else if (*s)
+    yield = string_cat(yield, s);
+
+  /* Now handle continuations */
+
+  for (last_was_eol = this_is_eol;
+       Ufgets(buffer, sizeof(buffer), f) != NULL;
+       last_was_eol = this_is_eol)
+    {
+    s = buffer;
+    p = Ustrlen(buffer);
+    this_is_eol = p > 0 && buffer[p-1] == '\n';
+
+    /* Remove trailing white space from a physical line end */
+
+    if (this_is_eol)
+      {
+      while (p > 0 && isspace((uschar)buffer[p-1])) p--;
+      buffer[p] = 0;
+      }
+
+    /* If this is not a physical line continuation, skip it entirely if it's
+    empty or starts with #. Otherwise, break the loop if it doesn't start with
+    white space. Otherwise, replace leading white space with a single blank. */
+
+    if (last_was_eol)
+      {
+      this_is_comment = (this_is_comment || (buffer[0] == 0 || buffer[0] == '#'));
+      if (this_is_comment) continue;
+      if (!isspace((uschar)buffer[0])) break;
+      while (isspace((uschar)*s)) s++;
+      *(--s) = ' ';
+      }
+    if (this_is_comment) continue;
+
+    /* Join a physical or logical line continuation onto the result string. */
+
+    yield = string_cat(yield, s);
+    }
+
+  gstring_release_unused(yield);
+  *result = string_from_gstring(yield);
+  return OK;
+  }
+
+/* Reset dynamic store, if we need to */
+
+if (reset_point)
+  {
+  store_reset(reset_point);
+  store_pool = old_pool;
+  }
+
+return FAIL;
+}
+
+
+/*************************************************
+*         Find entry point for lsearch           *
+*************************************************/
+
+/* See local README for interface description */
+
+static int
+lsearch_find(void * handle, const uschar * filename, const uschar * keystring,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+return internal_lsearch_find(handle, filename, keystring, length, result,
+  errmsg, LSEARCH_PLAIN, opts);
+}
+
+
+
+/*************************************************
+*      Find entry point for wildlsearch          *
+*************************************************/
+
+/* See local README for interface description */
+
+static int
+wildlsearch_find(void * handle, const uschar * filename, const uschar * keystring,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+return internal_lsearch_find(handle, filename, keystring, length, result,
+  errmsg, LSEARCH_WILD, opts);
+}
+
+
+
+/*************************************************
+*      Find entry point for nwildlsearch         *
+*************************************************/
+
+/* See local README for interface description */
+
+static int
+nwildlsearch_find(void * handle, const uschar * filename, const uschar * keystring,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+return internal_lsearch_find(handle, filename, keystring, length, result,
+  errmsg, LSEARCH_NWILD, opts);
+}
+
+
+
+
+/*************************************************
+*      Find entry point for iplsearch            *
+*************************************************/
+
+/* See local README for interface description */
+
+static int
+iplsearch_find(void * handle, uschar const * filename, const uschar * keystring,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+if ((length == 1 && keystring[0] == '*') ||
+    string_is_ip_address(keystring, NULL) != 0)
+  return internal_lsearch_find(handle, filename, keystring, length, result,
+    errmsg, LSEARCH_IP, opts);
+
+*errmsg = string_sprintf("\"%s\" is not a valid iplsearch key (an IP "
+"address, with optional CIDR mask, is wanted): "
+"in a host list, use net-iplsearch as the search type", keystring);
+return DEFER;
+}
+
+
+
+
+/*************************************************
+*              Close entry point                 *
+*************************************************/
+
+/* See local README for interface description */
+
+static void
+lsearch_close(void *handle)
+{
+(void)fclose((FILE *)handle);
+}
+
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+lsearch_version_report(gstring * g)
+{
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "Library version: lsearch: Exim version %s\n", EXIM_VERSION_STR));
+#endif
+return g;
+}
+
+
+static lookup_info iplsearch_lookup_info = {
+  .name = US"iplsearch",		/* lookup name */
+  .type = lookup_absfile,		/* uses absolute file name */
+  .open = lsearch_open,			/* open function */
+  .check = lsearch_check,		/* check function */
+  .find = iplsearch_find,		/* find function */
+  .close = lsearch_close,		/* close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = NULL                           /* no version reporting (redundant) */
+};
+
+static lookup_info lsearch_lookup_info = {
+  .name = US"lsearch",			/* lookup name */
+  .type = lookup_absfile,		/* uses absolute file name */
+  .open = lsearch_open,			/* open function */
+  .check = lsearch_check,		/* check function */
+  .find = lsearch_find,			/* find function */
+  .close = lsearch_close,		/* close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = lsearch_version_report         /* version reporting */
+};
+
+static lookup_info nwildlsearch_lookup_info = {
+  .name = US"nwildlsearch",		/* lookup name */
+  .type = lookup_absfile,		/* uses absolute file name */
+  .open = lsearch_open,			/* open function */
+  .check = lsearch_check,		/* check function */
+  .find = nwildlsearch_find,		/* find function */
+  .close = lsearch_close,		/* close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = NULL                           /* no version reporting (redundant) */
+};
+
+static lookup_info wildlsearch_lookup_info = {
+  .name = US"wildlsearch",		/* lookup name */
+  .type = lookup_absfile,		/* uses absolute file name */
+  .open = lsearch_open,			/* open function */
+  .check = lsearch_check,		/* check function */
+  .find = wildlsearch_find,		/* find function */
+  .close = lsearch_close,		/* close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = NULL                           /* no version reporting (redundant) */
+};
+
+#ifdef DYNLOOKUP
+#define lsearch_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &iplsearch_lookup_info,
+                                       &lsearch_lookup_info,
+                                       &nwildlsearch_lookup_info,
+                                       &wildlsearch_lookup_info };
+lookup_module_info lsearch_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 4 };
+
+/* End of lookups/lsearch.c */
diff --git a/src/lookups/mysql.c b/src/lookups/mysql.c
new file mode 100644
index 0000000..78b8c2b
--- /dev/null
+++ b/src/lookups/mysql.c
@@ -0,0 +1,503 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Thanks to Paul Kelly for contributing the original code for these
+functions. */
+
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+#include <mysql.h>       /* The system header */
+
+/* We define symbols for *_VERSION_ID (numeric), *_VERSION_STR (char*)
+and *_BASE_STR (char*). It's a bit of guesswork. Especially for mariadb
+with versions before 10.2, as they do not define there there specific symbols.
+*/
+
+/* Newer (>= 10.2) MariaDB */
+#if defined                   MARIADB_VERSION_ID
+#define EXIM_MxSQL_VERSION_ID MARIADB_VERSION_ID
+
+/* MySQL defines MYSQL_VERSION_ID, and MariaDB does so */
+/* https://dev.mysql.com/doc/refman/5.7/en/c-api-server-client-versions.html */
+#elif defined                 LIBMYSQL_VERSION_ID
+#define EXIM_MxSQL_VERSION_ID LIBMYSQL_VERSION_ID
+#elif defined                 MYSQL_VERSION_ID
+#define EXIM_MxSQL_VERSION_ID MYSQL_VERSION_ID
+
+#else
+#define EXIM_MYSQL_VERSION_ID  0
+#endif
+
+/* Newer (>= 10.2) MariaDB */
+#ifdef                         MARIADB_CLIENT_VERSION_STR
+#define EXIM_MxSQL_VERSION_STR MARIADB_CLIENT_VERSION_STR
+
+/* Mysql uses MYSQL_SERVER_VERSION */
+#elif defined                  LIBMYSQL_VERSION
+#define EXIM_MxSQL_VERSION_STR LIBMYSQL_VERSION
+#elif defined                  MYSQL_SERVER_VERSION
+#define EXIM_MxSQL_VERSION_STR MYSQL_SERVER_VERSION
+
+#else
+#define EXIM_MxSQL_VERSION_STR  "unknown"
+#endif
+
+#if defined                 MARIADB_BASE_VERSION
+#define EXIM_MxSQL_BASE_STR MARIADB_BASE_VERSION
+
+#elif defined               MARIADB_PACKAGE_VERSION
+#define EXIM_MxSQL_BASE_STR "mariadb"
+
+#elif defined               MYSQL_BASE_VERSION
+#define EXIM_MxSQL_BASE_STR MYSQL_BASE_VERSION
+
+#else
+#define EXIM_MxSQL_BASE_STR  "n.A."
+#endif
+
+
+/* Structure and anchor for caching connections. */
+
+typedef struct mysql_connection {
+  struct mysql_connection *next;
+  uschar  *server;
+  MYSQL *handle;
+} mysql_connection;
+
+static mysql_connection *mysql_connections = NULL;
+
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void *
+mysql_open(const uschar * filename, uschar ** errmsg)
+{
+return (void *)(1);    /* Just return something non-null */
+}
+
+
+
+/*************************************************
+*               Tidy entry point                 *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void
+mysql_tidy(void)
+{
+mysql_connection *cn;
+while ((cn = mysql_connections) != NULL)
+  {
+  mysql_connections = cn->next;
+  DEBUG(D_lookup) debug_printf_indent("close MYSQL connection: %s\n", cn->server);
+  mysql_close(cn->handle);
+  }
+}
+
+
+
+/*************************************************
+*        Internal search function                *
+*************************************************/
+
+/* This function is called from the find entry point to do the search for a
+single server.
+
+Arguments:
+  query        the query string
+  server       the server string
+  resultptr    where to store the result
+  errmsg       where to point an error message
+  defer_break  TRUE if no more servers are to be tried after DEFER
+  do_cache     set zero if data is changed
+  opts	       options
+
+The server string is of the form "host/dbname/user/password". The host can be
+host:port. This string is in a nextinlist temporary buffer, so can be
+overwritten.
+
+Returns:       OK, FAIL, or DEFER
+*/
+
+static int
+perform_mysql_search(const uschar *query, uschar *server, uschar **resultptr,
+  uschar **errmsg, BOOL *defer_break, uint *do_cache, const uschar * opts)
+{
+MYSQL *mysql_handle = NULL;        /* Keep compilers happy */
+MYSQL_RES *mysql_result = NULL;
+MYSQL_ROW mysql_row_data;
+MYSQL_FIELD *fields;
+
+int i;
+int yield = DEFER;
+unsigned int num_fields;
+gstring * result = NULL;
+mysql_connection *cn;
+uschar *server_copy = NULL;
+uschar *sdata[4];
+
+/* Disaggregate the parameters from the server argument. The order is host,
+database, user, password. We can write to the string, since it is in a
+nextinlist temporary buffer. The copy of the string that is used for caching
+has the password removed. This copy is also used for debugging output. */
+
+for (int i = 3; i > 0; i--)
+  {
+  uschar *pp = Ustrrchr(server, '/');
+  if (!pp)
+    {
+    *errmsg = string_sprintf("incomplete MySQL server data: %s",
+      (i == 3)? server : server_copy);
+    *defer_break = TRUE;
+    return DEFER;
+    }
+  *pp++ = 0;
+  sdata[i] = pp;
+  if (i == 3) server_copy = string_copy(server);  /* sans password */
+  }
+sdata[0] = server;   /* What's left at the start */
+
+/* See if we have a cached connection to the server */
+
+for (cn = mysql_connections; cn; cn = cn->next)
+  if (Ustrcmp(cn->server, server_copy) == 0)
+    { mysql_handle = cn->handle; break; }
+
+/* If no cached connection, we must set one up. Mysql allows for a host name
+and port to be specified. It also allows the name of a Unix socket to be used.
+Unfortunately, this contains slashes, but its use is expected to be rare, so
+the rather cumbersome syntax shouldn't inconvenience too many people. We use
+this:  host:port(socket)[group]  where all the parts are optional.
+The "group" parameter specifies an option group from a MySQL option file. */
+
+if (!cn)
+  {
+  uschar *p;
+  uschar *socket = NULL;
+  int port = 0;
+  uschar *group = US"exim";
+
+  if ((p = Ustrchr(sdata[0], '[')))
+    {
+    *p++ = 0;
+    group = p;
+    while (*p && *p != ']') p++;
+    *p = 0;
+    }
+
+  if ((p = Ustrchr(sdata[0], '(')))
+    {
+    *p++ = 0;
+    socket = p;
+    while (*p && *p != ')') p++;
+    *p = 0;
+    }
+
+  if ((p = Ustrchr(sdata[0], ':')))
+    {
+    *p++ = 0;
+    port = Uatoi(p);
+    }
+
+  if (Ustrchr(sdata[0], '/'))
+    {
+    *errmsg = string_sprintf("unexpected slash in MySQL server hostname: %s",
+      sdata[0]);
+    *defer_break = TRUE;
+    return DEFER;
+    }
+
+  /* If the database is the empty string, set it NULL - the query must then
+  define it. */
+
+  if (sdata[1][0] == 0) sdata[1] = NULL;
+
+  DEBUG(D_lookup)
+    debug_printf_indent("MYSQL new connection: host=%s port=%d socket=%s "
+      "database=%s user=%s\n", sdata[0], port, socket, sdata[1], sdata[2]);
+
+  /* Get store for a new handle, initialize it, and connect to the server */
+
+  mysql_handle = store_get(sizeof(MYSQL), GET_UNTAINTED);
+  mysql_init(mysql_handle);
+  mysql_options(mysql_handle, MYSQL_READ_DEFAULT_GROUP, CS group);
+  if (mysql_real_connect(mysql_handle,
+      /*  host        user         passwd     database */
+      CS sdata[0], CS sdata[2], CS sdata[3], CS sdata[1],
+      port, CS socket, CLIENT_MULTI_RESULTS) == NULL)
+    {
+    *errmsg = string_sprintf("MYSQL connection failed: %s",
+      mysql_error(mysql_handle));
+    *defer_break = FALSE;
+    goto MYSQL_EXIT;
+    }
+
+  /* Add the connection to the cache */
+
+  cn = store_get(sizeof(mysql_connection), GET_UNTAINTED);
+  cn->server = server_copy;
+  cn->handle = mysql_handle;
+  cn->next = mysql_connections;
+  mysql_connections = cn;
+  }
+
+/* Else use a previously cached connection */
+
+else
+  {
+  DEBUG(D_lookup)
+    debug_printf_indent("MYSQL using cached connection for %s\n", server_copy);
+  }
+
+/* Run the query */
+
+if (mysql_query(mysql_handle, CS query) != 0)
+  {
+  *errmsg = string_sprintf("MYSQL: query failed: %s\n",
+    mysql_error(mysql_handle));
+  *defer_break = FALSE;
+  goto MYSQL_EXIT;
+  }
+
+/* Pick up the result. If the query was not of the type that returns data,
+namely INSERT, UPDATE, or DELETE, an error occurs here. However, this situation
+can be detected by calling mysql_field_count(). If its result is zero, no data
+was expected (this is all explained clearly in the MySQL manual). In this case,
+we return the number of rows affected by the command. In this event, we do NOT
+want to cache the result; also the whole cache for the handle must be cleaned
+up. Setting do_cache zero requests this. */
+
+if (!(mysql_result = mysql_use_result(mysql_handle)))
+  {
+  if (mysql_field_count(mysql_handle) == 0)
+    {
+    DEBUG(D_lookup) debug_printf_indent("MYSQL: query was not one that returns data\n");
+    result = string_cat(result,
+	       string_sprintf("%lld", mysql_affected_rows(mysql_handle)));
+    *do_cache = 0;
+    goto MYSQL_EXIT;
+    }
+  *errmsg = string_sprintf("MYSQL: lookup result failed: %s\n",
+    mysql_error(mysql_handle));
+  *defer_break = FALSE;
+  goto MYSQL_EXIT;
+  }
+
+/* Find the number of fields returned. If this is one, we don't add field
+names to the data. Otherwise we do. */
+
+num_fields = mysql_num_fields(mysql_result);
+
+/* Get the fields and construct the result string. If there is more than one
+row, we insert '\n' between them. */
+
+fields = mysql_fetch_fields(mysql_result);
+
+while ((mysql_row_data = mysql_fetch_row(mysql_result)))
+  {
+  unsigned long * lengths = mysql_fetch_lengths(mysql_result);
+
+  if (result)
+    result = string_catn(result, US"\n", 1);
+
+  if (num_fields != 1)
+    for (int i = 0; i < num_fields; i++)
+      result = lf_quote(US fields[i].name, US mysql_row_data[i], lengths[i],
+			result);
+
+  else if (mysql_row_data[0] != NULL)    /* NULL value yields nothing */
+      result = lengths[0] == 0 && !result
+	? string_get(1)		/* for 0-len string result ensure non-null gstring */
+        : string_catn(result, US mysql_row_data[0], lengths[0]);
+  }
+
+/* more results? -1 = no, >0 = error, 0 = yes (keep looping)
+   This is needed because of the CLIENT_MULTI_RESULTS on mysql_real_connect(),
+   we don't expect any more results. */
+
+while((i = mysql_next_result(mysql_handle)) >= 0)
+  if(i != 0)
+    {
+    *errmsg = string_sprintf(
+	  "MYSQL: lookup result error when checking for more results: %s\n",
+	  mysql_error(mysql_handle));
+    goto MYSQL_EXIT;
+    }
+  else	/* just ignore more results */
+    DEBUG(D_lookup) debug_printf_indent("MYSQL: got unexpected more results\n");
+
+/* If result is NULL then no data has been found and so we return FAIL.
+Otherwise, we must terminate the string which has been built; string_cat()
+always leaves enough room for a terminating zero. */
+
+if (!result)
+  {
+  yield = FAIL;
+  *errmsg = US"MYSQL: no data found";
+  }
+
+/* Get here by goto from various error checks and from the case where no data
+was read (e.g. an update query). */
+
+MYSQL_EXIT:
+
+/* Free mysal store for any result that was got; don't close the connection, as
+it is cached. */
+
+if (mysql_result) mysql_free_result(mysql_result);
+
+/* Non-NULL result indicates a successful result */
+
+if (result)
+  {
+  *resultptr = string_from_gstring(result);
+  gstring_release_unused(result);
+  return OK;
+  }
+else
+  {
+  DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
+  return yield;      /* FAIL or DEFER */
+  }
+}
+
+
+
+
+/*************************************************
+*               Find entry point                 *
+*************************************************/
+
+/* See local README for interface description. The handle and filename
+arguments are not used. The code to loop through a list of servers while the
+query is deferred with a retryable error is now in a separate function that is
+shared with other SQL lookups. */
+
+static int
+mysql_find(void * handle, const uschar * filename, const uschar * query,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+return lf_sqlperform(US"MySQL", US"mysql_servers", mysql_servers, query,
+  result, errmsg, do_cache, opts, perform_mysql_search);
+}
+
+
+
+/*************************************************
+*               Quote entry point                *
+*************************************************/
+
+/* The only characters that need to be quoted (with backslash) are newline,
+tab, carriage return, backspace, backslash itself, and the quote characters.
+Percent, and underscore and not escaped. They are only special in contexts
+where they can be wild cards, and this isn't usually the case for data inserted
+from messages, since that isn't likely to be treated as a pattern of any kind.
+Sadly, MySQL doesn't seem to behave like other programs. If you use something
+like "where id="ab\%cd" it does not treat the string as "ab%cd". So you really
+can't quote "on spec".
+
+Arguments:
+  s          the string to be quoted
+  opt        additional option text or NULL if none
+  idx	     lookup type index
+
+Returns:     the processed string or NULL for a bad option
+*/
+
+static uschar *
+mysql_quote(uschar * s, uschar * opt, unsigned idx)
+{
+int c, count = 0;
+uschar * t = s, * quoted;
+
+if (opt) return NULL;     /* No options recognized */
+
+while ((c = *t++))
+  if (Ustrchr("\n\t\r\b\'\"\\", c) != NULL) count++;
+
+/* Old code:  if (count == 0) return s;
+Now always allocate and copy, to track the quoted status. */
+
+t = quoted = store_get_quoted(Ustrlen(s) + count + 1, s, idx);
+
+while ((c = *s++))
+  {
+  if (Ustrchr("\n\t\r\b\'\"\\", c) != NULL)
+    {
+    *t++ = '\\';
+    switch(c)
+      {
+      case '\n': *t++ = 'n'; break;
+      case '\t': *t++ = 't'; break;
+      case '\r': *t++ = 'r'; break;
+      case '\b': *t++ = 'b'; break;
+      default:   *t++ = c;   break;
+      }
+    }
+  else *t++ = c;
+  }
+
+*t = 0;
+return quoted;
+}
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+mysql_version_report(gstring * g)
+{
+g = string_fmt_append(g,
+  "Library version: MySQL: Compile: %lu %s [%s]\n"
+  "                        Runtime: %lu %s\n",
+        (long)EXIM_MxSQL_VERSION_ID, EXIM_MxSQL_VERSION_STR, EXIM_MxSQL_BASE_STR,
+        mysql_get_client_version(), mysql_get_client_info());
+#ifdef DYNLOOKUP
+g = string_fmt_append(g,
+  "                        Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+/* These are the lookup_info blocks for this driver */
+
+static lookup_info mysql_lookup_info = {
+  .name = US"mysql",			/* lookup name */
+  .type = lookup_querystyle,		/* query-style lookup */
+  .open = mysql_open,			/* open function */
+  .check = NULL,			/* no check function */
+  .find = mysql_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = mysql_tidy,			/* tidy function */
+  .quote = mysql_quote,			/* quoting function */
+  .version_report = mysql_version_report           /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+#define mysql_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &mysql_lookup_info };
+lookup_module_info mysql_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+/* End of lookups/mysql.c */
diff --git a/src/lookups/nis.c b/src/lookups/nis.c
new file mode 100644
index 0000000..0024f44
--- /dev/null
+++ b/src/lookups/nis.c
@@ -0,0 +1,141 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+#include <rpcsvc/ypclnt.h>
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description. This serves for both
+the "nis" and "nis0" lookup types. */
+
+static void *
+nis_open(const uschar * filename, uschar ** errmsg)
+{
+char *nis_domain;
+if (yp_get_default_domain(&nis_domain) != 0)
+  {
+  *errmsg = US"failed to get default NIS domain";
+  return NULL;
+  }
+return nis_domain;
+}
+
+
+
+/*************************************************
+*           Find entry point for nis             *
+*************************************************/
+
+/* See local README for interface description. A separate function is used
+for nis0 because they are so short it isn't worth trying to use any common
+code. */
+
+static int
+nis_find(void * handle, const uschar * filename, const uschar * keystring,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+int rc;
+uschar *nis_data;
+int nis_data_length;
+do_cache = do_cache;   /* Placate picky compilers */
+if ((rc = yp_match(CCS handle, CCS filename, CCS keystring, length,
+    CSS &nis_data, &nis_data_length)) == 0)
+  {
+  *result = string_copy(nis_data);
+  (*result)[nis_data_length] = 0;    /* remove final '\n' */
+  return OK;
+  }
+return (rc == YPERR_KEY || rc == YPERR_MAP)? FAIL : DEFER;
+}
+
+
+
+/*************************************************
+*           Find entry point for nis0            *
+*************************************************/
+
+/* See local README for interface description. */
+
+static int
+nis0_find(void * handle, const uschar * filename, const uschar * keystring,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+int rc;
+uschar *nis_data;
+int nis_data_length;
+do_cache = do_cache;   /* Placate picky compilers */
+if ((rc = yp_match(CCS handle, CCS filename, CCS keystring, length + 1,
+    CSS &nis_data, &nis_data_length)) == 0)
+  {
+  *result = string_copy(nis_data);
+  (*result)[nis_data_length] = 0;    /* remove final '\n' */
+  return OK;
+  }
+return (rc == YPERR_KEY || rc == YPERR_MAP)? FAIL : DEFER;
+}
+
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+nis_version_report(gstring * g)
+{
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "Library version: NIS: Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+
+static lookup_info nis_lookup_info = {
+  .name = US"nis",			/* lookup name */
+  .type = 0,				/* not abs file, not query style*/
+  .open = nis_open,			/* open function */
+  .check = NULL,			/* check function */
+  .find = nis_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = nis_version_report             /* version reporting */
+};
+
+static lookup_info nis0_lookup_info = {
+  .name = US"nis0",			/* lookup name */
+  .type = 0,				/* not absfile, not query style */
+  .open = nis_open,			/* sic */         /* open function */
+  .check = NULL,			/* check function */
+  .find = nis0_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = NULL                           /* no version reporting (redundant) */
+};
+
+#ifdef DYNLOOKUP
+#define nis_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &nis_lookup_info, &nis0_lookup_info };
+lookup_module_info nis_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 2 };
+
+/* End of lookups/nis.c */
diff --git a/src/lookups/nisplus.c b/src/lookups/nisplus.c
new file mode 100644
index 0000000..d9f3f7d
--- /dev/null
+++ b/src/lookups/nisplus.c
@@ -0,0 +1,294 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+#include <rpcsvc/nis.h>
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void *
+nisplus_open(const uschar * filename, uschar ** errmsg)
+{
+return (void *)(1);    /* Just return something non-null */
+}
+
+
+
+/*************************************************
+*               Find entry point                 *
+*************************************************/
+
+/* See local README for interface description. The format of queries for a
+NIS+ search is
+
+  [field=value,...],table-name
+or
+  [field=value,...],table-name:result-field-name
+
+in other words, a normal NIS+ "indexed name", with an optional result field
+name tagged on the end after a colon. If there is no result-field name, the
+yield is the concatenation of all the fields, preceded by their names and an
+equals sign. */
+
+static int
+nisplus_find(void * handle, const uschar * filename, const uschar * query,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+int error_error = FAIL;
+const uschar * field_name = NULL;
+nis_result *nrt = NULL;
+nis_result *nre = NULL;
+nis_object *tno, *eno;
+struct entry_obj *eo;
+struct table_obj *ta;
+const uschar * p = query + length;
+gstring * yield = NULL;
+
+do_cache = do_cache;   /* Placate picky compilers */
+
+/* Search backwards for a colon to see if a result field name
+has been given. */
+
+while (p > query && p[-1] != ':') p--;
+
+if (p > query)		/* get the query without the result-field */
+  {
+  uint len = p-1 - query;
+  field_name = p;
+  query = string_copyn(query, len);
+  p = query + len;
+  }
+else
+  p = query + length;
+
+/* Now search backwards to find the comma that starts the
+table name. */
+
+while (p > query && p[-1] != ',') p--;
+if (p <= query)
+  {
+  *errmsg = US"NIS+ query malformed";
+  error_error = DEFER;
+  goto NISPLUS_EXIT;
+  }
+
+/* Look up the data for the table, in order to get the field names,
+check that we got back a table, and set up pointers so the field
+names can be scanned. */
+
+nrt = nis_lookup(CS p, EXPAND_NAME | NO_CACHE);
+if (nrt->status != NIS_SUCCESS)
+  {
+  *errmsg = string_sprintf("NIS+ error accessing %s table: %s", p,
+    nis_sperrno(nrt->status));
+  if (nrt->status != NIS_NOTFOUND && nrt->status != NIS_NOSUCHTABLE)
+    error_error = DEFER;
+  goto NISPLUS_EXIT;
+  }
+tno = nrt->objects.objects_val;
+if (tno->zo_data.zo_type != TABLE_OBJ)
+  {
+  *errmsg = string_sprintf("NIS+ error: %s is not a table", p);
+  goto NISPLUS_EXIT;
+  }
+ta = &tno->zo_data.objdata_u.ta_data;
+
+/* Now look up the entry in the table, check that we got precisely one
+object and that it is a table entry. */
+
+nre = nis_list(CS query, EXPAND_NAME, NULL, NULL);
+if (nre->status != NIS_SUCCESS)
+  {
+  *errmsg = string_sprintf("NIS+ error accessing entry %s: %s",
+    query, nis_sperrno(nre->status));
+  goto NISPLUS_EXIT;
+  }
+if (nre->objects.objects_len > 1)
+  {
+  *errmsg = string_sprintf("NIS+ returned more than one object for %s",
+    query);
+  goto NISPLUS_EXIT;
+  }
+else if (nre->objects.objects_len < 1)
+  {
+  *errmsg = string_sprintf("NIS+ returned no data for %s", query);
+  goto NISPLUS_EXIT;
+  }
+eno = nre->objects.objects_val;
+if (eno->zo_data.zo_type != ENTRY_OBJ)
+  {
+  *errmsg = string_sprintf("NIS+ error: %s is not an entry", query);
+  goto NISPLUS_EXIT;
+  }
+
+/* Scan the columns in the entry and in the table. If a result field
+was given, look for that field; otherwise concatenate all the fields
+with their names. */
+
+eo = &(eno->zo_data.objdata_u.en_data);
+for (int i = 0; i < eo->en_cols.en_cols_len; i++)
+  {
+  table_col *tc = ta->ta_cols.ta_cols_val + i;
+  entry_col *ec = eo->en_cols.en_cols_val + i;
+  int len = ec->ec_value.ec_value_len;
+  uschar *value = US ec->ec_value.ec_value_val;
+
+  /* The value may be NULL for a zero-length field. Turn this into an
+  empty string for consistency. Remove trailing whitespace and zero
+  bytes. */
+
+  if (!value) value = US"";
+  else
+    while (len > 0 && (value[len-1] == 0 || isspace(value[len-1])))
+      len--;
+
+  /* Concatenate all fields if no specific one selected */
+
+  if (!field_name)
+    {
+    yield = string_cat (yield, US tc->tc_name);
+    yield = string_catn(yield, US"=", 1);
+
+    /* Quote the value if it contains spaces or is empty */
+
+    if (value[0] == 0 || Ustrchr(value, ' ') != NULL)
+      {
+      yield = string_catn(yield, US"\"", 1);
+      for (int j = 0; j < len; j++)
+        {
+        if (value[j] == '\"' || value[j] == '\\')
+          yield = string_catn(yield, US"\\", 1);
+        yield = string_catn(yield, value+j, 1);
+        }
+      yield = string_catn(yield, US"\"", 1);
+      }
+    else
+      yield = string_catn(yield, value, len);
+
+    yield = string_catn(yield, US" ", 1);
+    }
+
+  /* When the specified field is found, grab its data and finish */
+
+  else if (Ustrcmp(field_name, tc->tc_name) == 0)
+    {
+    yield = string_catn(yield, value, len);
+    goto NISPLUS_EXIT;
+    }
+  }
+
+/* Error if a field name was specified and we didn't find it; if no
+field name, ensure the concatenated data is zero-terminated. */
+
+if (field_name)
+  *errmsg = string_sprintf("NIS+ field %s not found for %s", field_name,
+    query);
+else
+  gstring_release_unused(yield);
+
+/* Free result store before finishing. */
+
+NISPLUS_EXIT:
+if (nrt) nis_freeresult(nrt);
+if (nre) nis_freeresult(nre);
+
+if (yield)
+  {
+  *result = string_from_gstring(yield);
+  return OK;
+  }
+
+return error_error;      /* FAIL or DEFER */
+}
+
+
+
+/*************************************************
+*               Quote entry point                *
+*************************************************/
+
+/* The only quoting that is necessary for NIS+ is to double any doublequote
+characters. No options are recognized.
+
+Arguments:
+  s          the string to be quoted
+  opt        additional option text or NULL if none
+  idx	     lookup type index
+
+Returns:     the processed string or NULL for a bad option
+*/
+
+static uschar *
+nisplus_quote(uschar * s, uschar * opt, unsigned idx)
+{
+int count = 0;
+uschar * quoted, * t = s;
+
+if (opt) return NULL;    /* No options recognized */
+
+while (*t) if (*t++ == '\"') count++;
+
+t = quoted = store_get_quoted(Ustrlen(s) + count + 1, s, idx);
+
+while (*s)
+  {
+  *t++ = *s;
+  if (*s++ == '\"') *t++ = '\"';
+  }
+
+*t = 0;
+return quoted;
+}
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+nisplus_version_report(gstring * g)
+{
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "Library version: NIS+: Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+
+static lookup_info _lookup_info = {
+  .name = US"nisplus",			/* lookup name */
+  .type = lookup_querystyle,		/* query-style lookup */
+  .open = nisplus_open,			/* open function */
+  .check = NULL,			/* check function */
+  .find = nisplus_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = nisplus_quote,		/* quoting function */
+  .version_report = nisplus_version_report         /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+#define nisplus_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &_lookup_info };
+lookup_module_info nisplus_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+/* End of lookups/nisplus.c */
diff --git a/src/lookups/oracle.c b/src/lookups/oracle.c
new file mode 100644
index 0000000..d32b5e4
--- /dev/null
+++ b/src/lookups/oracle.c
@@ -0,0 +1,628 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Interface to an Oracle database. This code was originally supplied by
+Paul Kelly, but I have hacked it around for various reasons, and tried to add
+some comments from my position of Oracle ignorance. */
+
+
+#include "../exim.h"
+
+
+/* The Oracle system headers */
+
+#include <oratypes.h>
+#include <ocidfn.h>
+#include <ocikpr.h>
+
+#define PARSE_NO_DEFER           0     /* parse straight away */
+#define PARSE_V7_LNG             2
+#define MAX_ITEM_BUFFER_SIZE  1024     /* largest size of a cell of data */
+#define MAX_SELECT_LIST_SIZE    32     /* maximum number of columns (not rows!) */
+
+/* Paul's comment on this was "change this to 512 for 64bit cpu", but I don't
+understand why. The Oracle manual just asks for 256 bytes.
+
+That was years ago. Jin Choi suggested (March 2007) that this change should
+be made in the source, as at worst it wastes 256 bytes, and it saves people
+having to discover about this for themselves as more and more systems are
+64-bit. So I have changed 256 to 512. */
+
+#define HDA_SIZE 512
+
+/* Internal/external datatype codes */
+
+#define NUMBER_TYPE              2
+#define INT_TYPE                 3
+#define FLOAT_TYPE               4
+#define STRING_TYPE              5
+#define ROWID_TYPE              11
+#define DATE_TYPE               12
+
+/*  ORACLE error codes used in demonstration programs */
+
+#define VAR_NOT_IN_LIST       1007
+#define NO_DATA_FOUND         1403
+
+typedef struct Ora_Describe {
+  sb4   dbsize;
+  sb2   dbtype;
+  sb1   buf[MAX_ITEM_BUFFER_SIZE];
+  sb4   buflen;
+  sb4   dsize;
+  sb2   precision;
+  sb2   scale;
+  sb2   nullok;
+} Ora_Describe;
+
+typedef struct Ora_Define {
+  ub1   buf[MAX_ITEM_BUFFER_SIZE];
+  float flt_buf;
+  sword int_buf;
+  sb2   indp;
+  ub2   col_retlen, col_retcode;
+} Ora_Define;
+
+/* Structure and anchor for caching connections. */
+
+typedef struct oracle_connection {
+  struct oracle_connection *next;
+  uschar *server;
+  struct cda_def *handle;
+  void   *hda_mem;
+} oracle_connection;
+
+static oracle_connection *oracle_connections = NULL;
+
+
+
+
+
+/*************************************************
+*        Set up message after error              *
+*************************************************/
+
+/* Sets up a message from a local string plus whatever Oracle gives.
+
+Arguments:
+  oracle_handle   the handle of the connection
+  rc              the return code
+  msg             local text message
+*/
+
+static uschar *
+oracle_error(struct cda_def *oracle_handle, int rc, uschar *msg)
+{
+uschar tmp[1024];
+oerhms(oracle_handle, rc, tmp, sizeof(tmp));
+return string_sprintf("ORACLE %s: %s", msg, tmp);
+}
+
+
+
+/*************************************************
+*     Describe and define the select list items  *
+*************************************************/
+
+/* Figures out sizes, types, and numbers.
+
+Arguments:
+  cda        the connection
+  def
+  desc       descriptions put here
+
+Returns:     number of fields
+*/
+
+static sword
+describe_define(Cda_Def *cda, Ora_Define *def, Ora_Describe *desc)
+{
+sword col, deflen, deftyp;
+static ub1 *defptr;
+static sword numwidth = 8;
+
+/* Describe the select-list items. */
+
+for (col = 0; col < MAX_SELECT_LIST_SIZE; col++)
+  {
+  desc[col].buflen = MAX_ITEM_BUFFER_SIZE;
+
+  if (odescr(cda, col + 1, &desc[col].dbsize,
+             &desc[col].dbtype, &desc[col].buf[0],
+             &desc[col].buflen, &desc[col].dsize,
+             &desc[col].precision, &desc[col].scale,
+             &desc[col].nullok) != 0)
+    {
+    /* Break on end of select list. */
+    if (cda->rc == VAR_NOT_IN_LIST) break; else return -1;
+    }
+
+  /* Adjust sizes and types for display, handling NUMBER with scale as float. */
+
+  if (desc[col].dbtype == NUMBER_TYPE)
+    {
+    desc[col].dbsize = numwidth;
+    if (desc[col].scale != 0)
+      {
+      defptr = (ub1 *)&def[col].flt_buf;
+      deflen = (sword) sizeof(float);
+      deftyp = FLOAT_TYPE;
+      desc[col].dbtype = FLOAT_TYPE;
+      }
+    else
+      {
+      defptr = (ub1 *)&def[col].int_buf;
+      deflen = (sword) sizeof(sword);
+      deftyp = INT_TYPE;
+      desc[col].dbtype = INT_TYPE;
+      }
+    }
+  else
+    {
+    if (desc[col].dbtype == DATE_TYPE)
+        desc[col].dbsize = 9;
+    if (desc[col].dbtype == ROWID_TYPE)
+        desc[col].dbsize = 18;
+    defptr = def[col].buf;
+    deflen = desc[col].dbsize > MAX_ITEM_BUFFER_SIZE ?
+      MAX_ITEM_BUFFER_SIZE : desc[col].dbsize + 1;
+    deftyp = STRING_TYPE;
+    desc[col].dbtype = STRING_TYPE;
+    }
+
+  /* Define an output variable */
+
+  if (odefin(cda, col + 1,
+             defptr, deflen, deftyp,
+             -1, &def[col].indp, (text *) 0, -1, -1,
+             &def[col].col_retlen,
+             &def[col].col_retcode) != 0)
+    return -1;
+  }  /* Loop for each column */
+
+return col;
+}
+
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void *
+oracle_open(const uschar * filename, uschar ** errmsg)
+{
+return (void *)(1);    /* Just return something non-null */
+}
+
+
+
+/*************************************************
+*               Tidy entry point                 *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void
+oracle_tidy(void)
+{
+oracle_connection *cn;
+while ((cn = oracle_connections) != NULL)
+  {
+  oracle_connections = cn->next;
+  DEBUG(D_lookup) debug_printf_indent("close ORACLE connection: %s\n", cn->server);
+  ologof(cn->handle);
+  }
+}
+
+
+
+/*************************************************
+*        Internal search function                *
+*************************************************/
+
+/* This function is called from the find entry point to do the search for a
+single server.
+
+Arguments:
+  query        the query string
+  server       the server string
+  resultptr    where to store the result
+  errmsg       where to point an error message
+  defer_break  TRUE if no more servers are to be tried after DEFER
+
+The server string is of the form "host/dbname/user/password", for compatibility
+with MySQL and pgsql, but at present, the dbname is not used. This string is in
+a nextinlist temporary buffer, so can be overwritten.
+
+Returns:       OK, FAIL, or DEFER
+*/
+
+static int
+perform_oracle_search(uschar *query, uschar *server, uschar **resultptr,
+  uschar **errmsg, BOOL *defer_break)
+{
+Cda_Def *cda = NULL;
+struct cda_def *oracle_handle = NULL;
+Ora_Describe *desc = NULL;
+Ora_Define *def = NULL;
+void *hda = NULL;
+
+int yield = DEFER;
+unsigned int num_fields = 0;
+gstring * result = NULL;
+oracle_connection *cn = NULL;
+uschar *server_copy = NULL;
+uschar *sdata[4];
+
+/* Disaggregate the parameters from the server argument. The order is host,
+database, user, password. We can write to the string, since it is in a
+nextinlist temporary buffer. The copy of the string that is used for caching
+has the password removed. This copy is also used for debugging output. */
+
+for (int i = 3; i > 0; i--)
+  {
+  uschar *pp = Ustrrchr(server, '/');
+  if (pp == NULL)
+    {
+    *errmsg = string_sprintf("incomplete ORACLE server data: %s", server);
+    *defer_break = TRUE;
+    return DEFER;
+    }
+  *pp++ = 0;
+  sdata[i] = pp;
+  if (i == 3) server_copy = string_copy(server);  /* sans password */
+  }
+sdata[0] = server;   /* What's left at the start */
+
+/* If the database is the empty string, set it NULL - the query must then
+define it. */
+
+if (sdata[1][0] == 0) sdata[1] = NULL;
+
+/* See if we have a cached connection to the server */
+
+for (cn = oracle_connections; cn; cn = cn->next)
+  if (strcmp(cn->server, server_copy) == 0)
+    {
+    oracle_handle = cn->handle;
+    hda = cn->hda_mem;
+    break;
+    }
+
+/* If no cached connection, we must set one up */
+
+if (!cn)
+  {
+  DEBUG(D_lookup) debug_printf_indent("ORACLE new connection: host=%s database=%s "
+    "user=%s\n", sdata[0], sdata[1], sdata[2]);
+
+  /* Get store for a new connection, initialize it, and connect to the server */
+
+   oracle_handle = store_get(sizeof(struct cda_def), GET_UNTAINTED);
+   hda = store_get(HDA_SIZE, GET_UNTAINTED);
+   memset(hda,'\0',HDA_SIZE);
+
+  /*
+   * Perform a default (blocking) login
+   *
+   * sdata[0] = tnsname (service name - typically host name)
+   * sdata[1] = dbname - not used at present
+   * sdata[2] = username
+   * sdata[3] = passwd
+   */
+
+  if(olog(oracle_handle, hda, sdata[2], -1, sdata[3], -1, sdata[0], -1,
+         (ub4)OCI_LM_DEF) != 0)
+    {
+    *errmsg = oracle_error(oracle_handle, oracle_handle->rc,
+      US"connection failed");
+    *defer_break = FALSE;
+    goto ORACLE_EXIT_NO_VALS;
+    }
+
+  /* Add the connection to the cache */
+
+  cn = store_get(sizeof(oracle_connection), GET_UNTAINTED);
+  cn->server = server_copy;
+  cn->handle = oracle_handle;
+  cn->next = oracle_connections;
+  cn->hda_mem = hda;
+  oracle_connections = cn;
+  }
+
+/* Else use a previously cached connection - we can write to the server string
+to obliterate the password because it is in a nextinlist temporary buffer. */
+
+else
+  {
+  DEBUG(D_lookup)
+    debug_printf_indent("ORACLE using cached connection for %s\n", server_copy);
+  }
+
+/* We have a connection. Open a cursor and run the query */
+
+cda = store_get(sizeof(Cda_Def), GET_UNTAINTED);
+
+if (oopen(cda, oracle_handle, (text *)0, -1, -1, (text *)0, -1) != 0)
+  {
+  *errmsg = oracle_error(oracle_handle, cda->rc, "failed to open cursor");
+  *defer_break = FALSE;
+  goto ORACLE_EXIT_NO_VALS;
+  }
+
+if (oparse(cda, (text *)query, (sb4) -1,
+      (sword)PARSE_NO_DEFER, (ub4)PARSE_V7_LNG) != 0)
+  {
+  *errmsg = oracle_error(oracle_handle, cda->rc, "query failed");
+  *defer_break = FALSE;
+  oclose(cda);
+  goto ORACLE_EXIT_NO_VALS;
+  }
+
+/* Find the number of fields returned and sort out their types. If the number
+is one, we don't add field names to the data. Otherwise we do. */
+
+def = store_get(sizeof(Ora_Define)*MAX_SELECT_LIST_SIZE, GET_UNTAINTED);
+desc = store_get(sizeof(Ora_Describe)*MAX_SELECT_LIST_SIZE, GET_UNTAINTED);
+
+if ((num_fields = describe_define(cda,def,desc)) == -1)
+  {
+  *errmsg = oracle_error(oracle_handle, cda->rc, "describe_define failed");
+  *defer_break = FALSE;
+  goto ORACLE_EXIT;
+  }
+
+if (oexec(cda)!=0)
+  {
+  *errmsg = oracle_error(oracle_handle, cda->rc, "oexec failed");
+  *defer_break = FALSE;
+  goto ORACLE_EXIT;
+  }
+
+/* Get the fields and construct the result string. If there is more than one
+row, we insert '\n' between them. */
+
+while (cda->rc != NO_DATA_FOUND)  /* Loop for each row */
+  {
+  ofetch(cda);
+  if(cda->rc == NO_DATA_FOUND) break;
+
+  if (result) result = string_catn(result, "\n", 1);
+
+  /* Single field - just add on the data */
+
+  if (num_fields == 1)
+    result = string_catn(result, def[0].buf, def[0].col_retlen);
+
+  /* Multiple fields - precede by file name, removing {lead,trail}ing WS */
+
+  else for (int i = 0; i < num_fields; i++)
+    {
+    int slen;
+    uschar *s = US desc[i].buf;
+
+    while (*s != 0 && isspace(*s)) s++;
+    slen = Ustrlen(s);
+    while (slen > 0 && isspace(s[slen-1])) slen--;
+    result = string_catn(result, s, slen);
+    result = string_catn(result, US"=", 1);
+
+    /* int and float type won't ever need escaping. Otherwise, quote the value
+    if it contains spaces or is empty. */
+
+    if (desc[i].dbtype != INT_TYPE && desc[i].dbtype != FLOAT_TYPE &&
+       (def[i].buf[0] == 0 || strchr(def[i].buf, ' ') != NULL))
+      {
+      result = string_catn(result, "\"", 1);
+      for (int j = 0; j < def[i].col_retlen; j++)
+        {
+        if (def[i].buf[j] == '\"' || def[i].buf[j] == '\\')
+          result = string_catn(result, "\\", 1);
+        result = string_catn(result, def[i].buf+j, 1);
+        }
+      result = string_catn(result, "\"", 1);
+      }
+
+    else switch(desc[i].dbtype)
+      {
+      case INT_TYPE:
+	result = string_cat(result, string_sprintf("%d", def[i].int_buf));
+	break;
+
+      case FLOAT_TYPE:
+	result = string_cat(result, string_sprintf("%f", def[i].flt_buf));
+	break;
+
+      case STRING_TYPE:
+	result = string_catn(result, def[i].buf, def[i].col_retlen);
+	break;
+
+      default:
+	*errmsg = string_sprintf("ORACLE: unknown field type %d", desc[i].dbtype);
+	*defer_break = FALSE;
+	result = NULL;
+	goto ORACLE_EXIT;
+      }
+
+    result = string_catn(result, " ", 1);
+    }
+  }
+
+/* If result is NULL then no data has been found and so we return FAIL.
+Otherwise, we must terminate the string which has been built; string_cat()
+always leaves enough room for a terminating zero. */
+
+if (!result)
+  {
+  yield = FAIL;
+  *errmsg = "ORACLE: no data found";
+  }
+else
+  gstring_release_unused(result);
+
+/* Get here by goto from various error checks. */
+
+ORACLE_EXIT:
+
+/* Close the cursor; don't close the connection, as it is cached. */
+
+oclose(cda);
+
+ORACLE_EXIT_NO_VALS:
+
+/* Non-NULL result indicates a successful result */
+
+if (result)
+  {
+  *resultptr = string_from_gstring(result);
+  return OK;
+  }
+else
+  {
+  DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
+  return yield;      /* FAIL or DEFER */
+  }
+}
+
+
+
+
+/*************************************************
+*               Find entry point                 *
+*************************************************/
+
+/* See local README for interface description. The handle and filename
+arguments are not used. Loop through a list of servers while the query is
+deferred with a retryable error. */
+
+static int
+oracle_find(void * handle, const uschar * filename, uschar * query, int length,
+  uschar ** result, uschar ** errmsg, uint * do_cache, const uschar * opts)
+{
+int sep = 0;
+uschar *server;
+uschar *list = oracle_servers;
+
+do_cache = do_cache;   /* Placate picky compilers */
+
+DEBUG(D_lookup) debug_printf_indent("ORACLE query: %s\n", query);
+
+while ((server = string_nextinlist(&list, &sep, NULL, 0)))
+  {
+  BOOL defer_break;
+  int rc = perform_oracle_search(query, server, result, errmsg, &defer_break);
+  if (rc != DEFER || defer_break) return rc;
+  }
+
+if (!oracle_servers)
+  *errmsg = "no ORACLE servers defined (oracle_servers option)";
+
+return DEFER;
+}
+
+
+
+/*************************************************
+*               Quote entry point                *
+*************************************************/
+
+/* The only characters that need to be quoted (with backslash) are newline,
+tab, carriage return, backspace, backslash itself, and the quote characters.
+Percent and underscore are not escaped. They are only special in contexts where
+they can be wild cards, and this isn't usually the case for data inserted from
+messages, since that isn't likely to be treated as a pattern of any kind.
+
+Arguments:
+  s          the string to be quoted
+  opt        additional option text or NULL if none
+  idx	     lookup type index
+
+Returns:     the processed string or NULL for a bad option
+*/
+
+static uschar *
+oracle_quote(uschar * s, uschar * opt, unsigned idx)
+{
+int c, count = 0;
+uschar * t = s, * quoted;
+
+if (opt) return NULL;    /* No options are recognized */
+
+while ((c = *t++))
+  if (strchr("\n\t\r\b\'\"\\", c) != NULL) count++;
+
+t = quoted = store_get_quoted((int)Ustrlen(s) + count + 1, s, idx);
+
+while ((c = *s++))
+  {
+  if (strchr("\n\t\r\b\'\"\\", c) != NULL)
+    {
+    *t++ = '\\';
+    switch(c)
+      {
+      case '\n': *t++ = 'n';
+      break;
+      case '\t': *t++ = 't';
+      break;
+      case '\r': *t++ = 'r';
+      break;
+      case '\b': *t++ = 'b';
+      break;
+      default:   *t++ = c;
+      break;
+      }
+    }
+  else *t++ = c;
+  }
+
+*t = 0;
+return quoted;
+}
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+oracle_version_report(gstring * g)
+{
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "Library version: Oracle: Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+
+static lookup_info _lookup_info = {
+  .name = US"oracle",			/* lookup name */
+  .type = lookup_querystyle,		/* query-style lookup */
+  .open = oracle_open,			/* open function */
+  .check = NULL,			/* check function */
+  .find = oracle_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = oracle_tidy,			/* tidy function */
+  .quote = oracle_quote,		/* quoting function */
+  .version_report = oracle_version_report          /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+#define oracle_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &_lookup_info };
+lookup_module_info oracle_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+/* End of lookups/oracle.c */
diff --git a/src/lookups/passwd.c b/src/lookups/passwd.c
new file mode 100644
index 0000000..eaf78b2
--- /dev/null
+++ b/src/lookups/passwd.c
@@ -0,0 +1,85 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description */
+
+static void *
+passwd_open(const uschar * filename, uschar ** errmsg)
+{
+return (void *)(-1);     /* Just return something non-null */
+}
+
+
+
+
+/*************************************************
+*         Find entry point for passwd           *
+*************************************************/
+
+/* See local README for interface description */
+
+static int
+passwd_find(void * handle, const uschar * filename, const uschar * keystring,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+struct passwd *pw;
+
+if (!route_finduser(keystring, &pw, NULL)) return FAIL;
+*result = string_sprintf("*:%d:%d:%s:%s:%s", (int)pw->pw_uid, (int)pw->pw_gid,
+  pw->pw_gecos, pw->pw_dir, pw->pw_shell);
+return OK;
+}
+
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+passwd_version_report(gstring * g)
+{
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "Library version: passwd: Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+static lookup_info _lookup_info = {
+  .name = US"passwd",			/* lookup name */
+  .type = lookup_querystyle,		/* query-style lookup */
+  .open = passwd_open,			/* open function */
+  .check = NULL,			/* no check function */
+  .find = passwd_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = passwd_version_report          /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+#define passwd_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &_lookup_info };
+lookup_module_info passwd_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+/* End of lookups/passwd.c */
diff --git a/src/lookups/pgsql.c b/src/lookups/pgsql.c
new file mode 100644
index 0000000..4bb693a
--- /dev/null
+++ b/src/lookups/pgsql.c
@@ -0,0 +1,506 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Thanks to Petr Cech for contributing the original code for these
+functions. Thanks to Joachim Wieland for the initial patch for the Unix domain
+socket extension. */
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+#include <libpq-fe.h>       /* The system header */
+
+/* Structure and anchor for caching connections. */
+
+typedef struct pgsql_connection {
+  struct pgsql_connection *next;
+  uschar *server;
+  PGconn *handle;
+} pgsql_connection;
+
+static pgsql_connection *pgsql_connections = NULL;
+
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void *
+pgsql_open(const uschar * filename, uschar ** errmsg)
+{
+return (void *)(1);    /* Just return something non-null */
+}
+
+
+
+/*************************************************
+*               Tidy entry point                 *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void
+pgsql_tidy(void)
+{
+pgsql_connection *cn;
+while ((cn = pgsql_connections) != NULL)
+  {
+  pgsql_connections = cn->next;
+  DEBUG(D_lookup) debug_printf_indent("close PGSQL connection: %s\n", cn->server);
+  PQfinish(cn->handle);
+  }
+}
+
+
+/*************************************************
+*       Notice processor function for pgsql      *
+*************************************************/
+
+/* This function is passed to pgsql below, and called for any PostgreSQL
+"notices". By default they are written to stderr, which is undesirable.
+
+Arguments:
+  arg        an opaque user cookie (not used)
+  message    the notice
+
+Returns:     nothing
+*/
+
+static void
+notice_processor(void *arg, const char *message)
+{
+arg = arg;   /* Keep compiler happy */
+DEBUG(D_lookup) debug_printf_indent("PGSQL: %s\n", message);
+}
+
+
+
+/*************************************************
+*        Internal search function                *
+*************************************************/
+
+/* This function is called from the find entry point to do the search for a
+single server. The server string is of the form "server/dbname/user/password".
+
+PostgreSQL supports connections through Unix domain sockets. This is usually
+faster and costs less cpu time than a TCP/IP connection. However it can only be
+used if the mail server runs on the same machine as the database server. A
+configuration line for PostgreSQL via Unix domain sockets looks like this:
+
+hide pgsql_servers = (/tmp/.s.PGSQL.5432)/db/user/password[:<nextserver>]
+
+We enclose the path name in parentheses so that its slashes aren't visually
+confused with the delimiters for the other pgsql_server settings.
+
+For TCP/IP connections, the server is a host name and optional port (with a
+colon separator).
+
+NOTE:
+ 1) All three '/' must be present.
+ 2) If host is omitted the local unix socket is used.
+
+Arguments:
+  query        the query string
+  server       the server string; this is in dynamic memory and can be updated
+  resultptr    where to store the result
+  errmsg       where to point an error message
+  defer_break  set TRUE if no more servers are to be tried after DEFER
+  do_cache     set FALSE if data is changed
+  opts	       options list
+
+Returns:       OK, FAIL, or DEFER
+*/
+
+static int
+perform_pgsql_search(const uschar *query, uschar *server, uschar **resultptr,
+  uschar **errmsg, BOOL *defer_break, uint *do_cache, const uschar * opts)
+{
+PGconn *pg_conn = NULL;
+PGresult *pg_result = NULL;
+
+gstring * result = NULL;
+int yield = DEFER;
+unsigned int num_fields, num_tuples;
+pgsql_connection *cn;
+rmark reset_point = store_mark();
+uschar *server_copy = NULL;
+uschar *sdata[3];
+
+/* Disaggregate the parameters from the server argument. The order is host or
+path, database, user, password. We can write to the string, since it is in a
+nextinlist temporary buffer. The copy of the string that is used for caching
+has the password removed. This copy is also used for debugging output. */
+
+for (int i = 2; i >= 0; i--)
+  {
+  uschar *pp = Ustrrchr(server, '/');
+  if (!pp)
+    {
+    *errmsg = string_sprintf("incomplete pgSQL server data: %s",
+      (i == 2)? server : server_copy);
+    *defer_break = TRUE;
+    return DEFER;
+    }
+  *pp++ = 0;
+  sdata[i] = pp;
+  if (i == 2) server_copy = string_copy(server);  /* sans password */
+  }
+
+/* The total server string has now been truncated so that what is left at the
+start is the identification of the server (host or path). See if we have a
+cached connection to the server. */
+
+for (cn = pgsql_connections; cn; cn = cn->next)
+  if (Ustrcmp(cn->server, server_copy) == 0)
+    {
+    pg_conn = cn->handle;
+    break;
+    }
+
+/* If there is no cached connection, we must set one up. */
+
+if (!cn)
+  {
+  uschar *port = US"";
+
+  /* For a Unix domain socket connection, the path is in parentheses */
+
+  if (*server == '(')
+    {
+    uschar *last_slash, *last_dot, *p;
+
+    p = ++server;
+    while (*p && *p != ')') p++;
+    *p = 0;
+
+    last_slash = Ustrrchr(server, '/');
+    last_dot = Ustrrchr(server, '.');
+
+    DEBUG(D_lookup) debug_printf_indent("PGSQL new connection: socket=%s "
+      "database=%s user=%s\n", server, sdata[0], sdata[1]);
+
+    /* A valid socket name looks like this: /var/run/postgresql/.s.PGSQL.5432
+    We have to call PQsetdbLogin with '/var/run/postgresql' as the hostname
+    argument and put '5432' into the port variable. */
+
+    if (!last_slash || !last_dot)
+      {
+      *errmsg = string_sprintf("PGSQL invalid filename for socket: %s", server);
+      *defer_break = TRUE;
+      return DEFER;
+      }
+
+    /* Terminate the path name and set up the port: we'll have something like
+    server = "/var/run/postgresql" and port = "5432". */
+
+    *last_slash = 0;
+    port = last_dot + 1;
+    }
+
+  /* Host connection; sort out the port */
+
+  else
+    {
+    uschar *p;
+    if ((p = Ustrchr(server, ':')))
+      {
+      *p++ = 0;
+      port = p;
+      }
+
+    if (Ustrchr(server, '/'))
+      {
+      *errmsg = string_sprintf("unexpected slash in pgSQL server hostname: %s",
+        server);
+      *defer_break = TRUE;
+      return DEFER;
+      }
+
+    DEBUG(D_lookup) debug_printf_indent("PGSQL new connection: host=%s port=%s "
+      "database=%s user=%s\n", server, port, sdata[0], sdata[1]);
+    }
+
+  /* If the database is the empty string, set it NULL - the query must then
+  define it. */
+
+  if (sdata[0][0] == 0) sdata[0] = NULL;
+
+  /* Get store for a new handle, initialize it, and connect to the server */
+
+  pg_conn=PQsetdbLogin(
+    /*  host      port  options tty   database       user       passwd */
+    CS server, CS port,  NULL, NULL, CS sdata[0], CS sdata[1], CS sdata[2]);
+
+  if(PQstatus(pg_conn) == CONNECTION_BAD)
+    {
+    reset_point = store_reset(reset_point);
+    *errmsg = string_sprintf("PGSQL connection failed: %s",
+      PQerrorMessage(pg_conn));
+    PQfinish(pg_conn);
+    goto PGSQL_EXIT;
+    }
+
+  /* Set the client encoding to SQL_ASCII, which means that the server will
+  not try to interpret the query as being in any fancy encoding such as UTF-8
+  or other multibyte code that might cause problems with escaping. */
+
+  PQsetClientEncoding(pg_conn, "SQL_ASCII");
+
+  /* Set the notice processor to prevent notices from being written to stderr
+  (which is what the default does). Our function (above) just produces debug
+  output. */
+
+  PQsetNoticeProcessor(pg_conn, notice_processor, NULL);
+
+  /* Add the connection to the cache */
+
+  cn = store_get(sizeof(pgsql_connection), GET_UNTAINTED);
+  cn->server = server_copy;
+  cn->handle = pg_conn;
+  cn->next = pgsql_connections;
+  pgsql_connections = cn;
+  }
+
+/* Else use a previously cached connection */
+
+else
+  {
+  DEBUG(D_lookup) debug_printf_indent("PGSQL using cached connection for %s\n",
+    server_copy);
+  }
+
+/* Run the query */
+
+pg_result = PQexec(pg_conn, CS query);
+switch(PQresultStatus(pg_result))
+  {
+  case PGRES_EMPTY_QUERY:
+  case PGRES_COMMAND_OK:
+    /* The command was successful but did not return any data since it was
+    not SELECT but either an INSERT, UPDATE or DELETE statement. Tell the
+    high level code to not cache this query, and clean the current cache for
+    this handle by setting *do_cache zero. */
+
+    result = string_cat(result, US PQcmdTuples(pg_result));
+    *do_cache = 0;
+    DEBUG(D_lookup) debug_printf_indent("PGSQL: command does not return any data "
+      "but was successful. Rows affected: %s\n", string_from_gstring(result));
+    break;
+
+  case PGRES_TUPLES_OK:
+    break;
+
+  default:
+    /* This was the original code:
+    *errmsg = string_sprintf("PGSQL: query failed: %s\n",
+			     PQresultErrorMessage(pg_result));
+    This was suggested by a user:
+    */
+
+    *errmsg = string_sprintf("PGSQL: query failed: %s (%s) (%s)\n",
+			   PQresultErrorMessage(pg_result),
+			   PQresStatus(PQresultStatus(pg_result)), query);
+    goto PGSQL_EXIT;
+  }
+
+/* Result is in pg_result. Find the number of fields returned. If this is one,
+we don't add field names to the data. Otherwise we do. If the query did not
+return anything we skip the for loop; this also applies to the case
+PGRES_COMMAND_OK. */
+
+num_fields = PQnfields(pg_result);
+num_tuples = PQntuples(pg_result);
+
+/* Get the fields and construct the result string. If there is more than one
+row, we insert '\n' between them. */
+
+for (int i = 0; i < num_tuples; i++)
+  {
+  if (result)
+    result = string_catn(result, US"\n", 1);
+
+  if (num_fields == 1)
+    result = string_catn(result,
+	US PQgetvalue(pg_result, i, 0), PQgetlength(pg_result, i, 0));
+  else
+    for (int j = 0; j < num_fields; j++)
+      {
+      uschar *tmp = US PQgetvalue(pg_result, i, j);
+      result = lf_quote(US PQfname(pg_result, j), tmp, Ustrlen(tmp), result);
+      }
+  if (!result) result = string_get(1);
+  }
+
+/* If result is NULL then no data has been found and so we return FAIL. */
+
+if (!result)
+  {
+  yield = FAIL;
+  *errmsg = US"PGSQL: no data found";
+  }
+
+/* Get here by goto from various error checks. */
+
+PGSQL_EXIT:
+
+/* Free store for any result that was got; don't close the connection, as
+it is cached. */
+
+if (pg_result) PQclear(pg_result);
+
+/* Non-NULL result indicates a successful result */
+
+if (result)
+  {
+  gstring_release_unused(result);
+  *resultptr = string_from_gstring(result);
+  return OK;
+  }
+else
+  {
+  DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
+  return yield;      /* FAIL or DEFER */
+  }
+}
+
+
+
+
+/*************************************************
+*               Find entry point                 *
+*************************************************/
+
+/* See local README for interface description. The handle and filename
+arguments are not used. The code to loop through a list of servers while the
+query is deferred with a retryable error is now in a separate function that is
+shared with other SQL lookups. */
+
+static int
+pgsql_find(void * handle, const uschar * filename, const uschar * query,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+return lf_sqlperform(US"PostgreSQL", US"pgsql_servers", pgsql_servers, query,
+  result, errmsg, do_cache, opts, perform_pgsql_search);
+}
+
+
+
+/*************************************************
+*               Quote entry point                *
+*************************************************/
+
+/* The characters that always need to be quoted (with backslash) are newline,
+tab, carriage return, backspace, backslash itself, and the quote characters.
+
+The original code quoted single quotes as \' which is documented as valid in
+the O'Reilly book "Practical PostgreSQL" (first edition) as an alternative to
+the SQL standard '' way of representing a single quote as data. However, in
+June 2006 there was some security issue with using \' and so this has been
+changed.
+
+[Note: There is a function called PQescapeStringConn() that quotes strings.
+This cannot be used because it needs a PGconn argument (the connection handle).
+Why, I don't know. Seems odd for just string escaping...]
+
+Arguments:
+  s          the string to be quoted
+  opt        additional option text or NULL if none
+  idx	     lookup type index
+
+Returns:     the processed string or NULL for a bad option
+*/
+
+static uschar *
+pgsql_quote(uschar * s, uschar * opt, unsigned idx)
+{
+int count = 0, c;
+uschar * t = s, * quoted;
+
+if (opt) return NULL;     /* No options recognized */
+
+while ((c = *t++))
+  if (Ustrchr("\n\t\r\b\'\"\\", c) != NULL) count++;
+
+t = quoted = store_get_quoted(Ustrlen(s) + count + 1, s, idx);
+
+while ((c = *s++))
+  {
+  if (c == '\'')
+    {
+    *t++ = '\'';
+    *t++ = '\'';
+    }
+  else if (Ustrchr("\n\t\r\b\"\\", c) != NULL)
+    {
+    *t++ = '\\';
+    switch(c)
+      {
+      case '\n': *t++ = 'n'; break;
+      case '\t': *t++ = 't'; break;
+      case '\r': *t++ = 'r'; break;
+      case '\b': *t++ = 'b'; break;
+      default:   *t++ = c;   break;
+      }
+    }
+  else *t++ = c;
+  }
+
+*t = 0;
+return quoted;
+}
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+pgsql_version_report(gstring * g)
+{
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "Library version: PostgreSQL: Exim version %s\n", EXIM_VERSION_STR);
+#endif
+
+/* Version reporting: there appears to be no available information about
+the client library in libpq-fe.h; once you have a connection object, you
+can access the server version and the chosen protocol version, but those
+aren't really what we want.  It might make sense to debug_printf those
+when the connection is established though? */
+
+return g;
+}
+
+
+static lookup_info _lookup_info = {
+  .name = US"pgsql",			/* lookup name */
+  .type = lookup_querystyle,		/* query-style lookup */
+  .open = pgsql_open,			/* open function */
+  .check = NULL,			/* no check function */
+  .find = pgsql_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = pgsql_tidy,			/* tidy function */
+  .quote = pgsql_quote,			/* quoting function */
+  .version_report = pgsql_version_report           /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+#define pgsql_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &_lookup_info };
+lookup_module_info pgsql_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+/* End of lookups/pgsql.c */
diff --git a/src/lookups/readsock.c b/src/lookups/readsock.c
new file mode 100644
index 0000000..22179c9
--- /dev/null
+++ b/src/lookups/readsock.c
@@ -0,0 +1,341 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) Jeremy Harris 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+
+static int
+internal_readsock_open(client_conn_ctx * cctx, const uschar * sspec,
+  int timeout, BOOL do_tls, uschar ** errmsg)
+{
+const uschar * server_name;
+host_item host;
+
+if (Ustrncmp(sspec, "inet:", 5) == 0)
+  {
+  int port;
+  uschar * port_name;
+
+  DEBUG(D_lookup)
+    debug_printf_indent("  new inet socket needed for readsocket\n");
+
+  server_name = sspec + 5;
+  port_name = Ustrrchr(server_name, ':');
+
+  /* Sort out the port */
+
+  if (!port_name)
+    {
+    /* expand_string_message results in an EXPAND_FAIL, from our
+    only caller.  Lack of it gets a SOCK_FAIL; we feed back via errmsg
+    for that, which gets copied to search_error_message. */
+
+    expand_string_message =
+      string_sprintf("missing port for readsocket %s", sspec);
+    return FAIL;
+    }
+  *port_name++ = 0;           /* Terminate server name */
+
+  if (isdigit(*port_name))
+    {
+    uschar *end;
+    port = Ustrtol(port_name, &end, 0);
+    if (end != port_name + Ustrlen(port_name))
+      {
+      expand_string_message =
+	string_sprintf("invalid port number %s", port_name);
+      return FAIL;
+      }
+    }
+  else
+    {
+    struct servent *service_info = getservbyname(CS port_name, "tcp");
+    if (!service_info)
+      {
+      expand_string_message = string_sprintf("unknown port \"%s\"",
+	port_name);
+      return FAIL;
+      }
+    port = ntohs(service_info->s_port);
+    }
+
+  /* Not having the request-string here in the open routine means
+  that we cannot do TFO; a pity */
+
+  cctx->sock = ip_connectedsocket(SOCK_STREAM, server_name, port, port,
+	  timeout, &host, errmsg, NULL);
+  callout_address = NULL;
+  if (cctx->sock < 0)
+    return FAIL;
+  }
+
+else
+  {
+  struct sockaddr_un sockun;         /* don't call this "sun" ! */
+  int rc;
+
+  DEBUG(D_lookup)
+    debug_printf_indent("  new unix socket needed for readsocket\n");
+
+  if ((cctx->sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
+    {
+    *errmsg = string_sprintf("failed to create socket: %s", strerror(errno));
+    return FAIL;
+    }
+
+  sockun.sun_family = AF_UNIX;
+  sprintf(sockun.sun_path, "%.*s", (int)(sizeof(sockun.sun_path)-1),
+    sspec);
+  server_name = US sockun.sun_path;
+
+  sigalrm_seen = FALSE;
+  ALARM(timeout);
+  rc = connect(cctx->sock, (struct sockaddr *) &sockun, sizeof(sockun));
+  ALARM_CLR(0);
+  if (sigalrm_seen)
+    {
+    *errmsg = US "socket connect timed out";
+    goto bad;
+    }
+  if (rc < 0)
+    {
+    *errmsg = string_sprintf("failed to connect to socket "
+      "%s: %s", sspec, strerror(errno));
+    goto bad;
+    }
+  host.name = server_name;
+  host.address = US"";
+  }
+
+#ifndef DISABLE_TLS
+if (do_tls)
+  {
+  union sockaddr_46 interface_sock;
+  EXIM_SOCKLEN_T size = sizeof(interface_sock);
+  smtp_connect_args conn_args = {.host = &host };
+  tls_support tls_dummy = { .sni = NULL };
+  uschar * errstr;
+
+  if (getsockname(cctx->sock, (struct sockaddr *) &interface_sock, &size) == 0)
+    conn_args.sending_ip_address = host_ntoa(-1, &interface_sock, NULL, NULL);
+  else
+    {
+    *errmsg = string_sprintf("getsockname failed: %s", strerror(errno));
+    goto bad;
+    }
+
+  if (!tls_client_start(cctx, &conn_args, NULL, &tls_dummy, &errstr))
+    {
+    *errmsg = string_sprintf("TLS connect failed: %s", errstr);
+    goto bad;
+    }
+  }
+#endif
+
+DEBUG(D_expand|D_lookup) debug_printf_indent("  connected to socket %s\n", sspec);
+return OK;
+
+bad:
+  close(cctx->sock);
+  return FAIL;
+}
+
+/* All use of allocations will be done against the POOL_SEARCH memory,
+which is freed once by search_tidyup(). */
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description */
+/* We just create a placeholder record with a closed socket, so
+that connection cacheing at the framework layer works. */
+
+static void *
+readsock_open(const uschar * filename, uschar ** errmsg)
+{
+client_conn_ctx * cctx = store_get(sizeof(*cctx), GET_UNTAINTED);
+cctx->sock = -1;
+cctx->tls_ctx = NULL;
+DEBUG(D_lookup) debug_printf_indent("readsock: allocated context\n");
+return cctx;
+}
+
+
+
+
+
+/*************************************************
+*         Find entry point for lsearch           *
+*************************************************/
+
+/* See local README for interface description */
+
+static int
+readsock_find(void * handle, const uschar * filename, const uschar * keystring,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+client_conn_ctx * cctx = handle;
+int sep = ',';
+struct {
+	BOOL do_shutdown:1;
+	BOOL do_tls:1;
+	BOOL cache:1;
+} lf = {.do_shutdown = TRUE};
+uschar * eol = NULL;
+int timeout = 5;
+gstring * yield;
+int ret = DEFER;
+
+DEBUG(D_lookup)
+  debug_printf_indent("readsock: file=\"%s\" key=\"%s\" len=%d opts=\"%s\"\n",
+    filename, keystring, length, opts);
+
+/* Parse options */
+
+if (opts) for (uschar * s; s = string_nextinlist(&opts, &sep, NULL, 0); )
+  if (Ustrncmp(s, "timeout=", 8) == 0)
+    timeout = readconf_readtime(s + 8, 0, FALSE);
+  else if (Ustrncmp(s, "shutdown=", 9) == 0)
+    lf.do_shutdown = Ustrcmp(s + 9, "no") != 0;
+#ifndef DISABLE_TLS
+  else if (Ustrncmp(s, "tls=", 4) == 0 && Ustrcmp(s + 4, US"no") != 0)
+    lf.do_tls = TRUE;
+#endif
+  else if (Ustrncmp(s, "eol=", 4) == 0)
+    eol = string_unprinting(s + 4);
+  else if (Ustrcmp(s, "cache=yes") == 0)
+    lf.cache = TRUE;
+  else if (Ustrcmp(s, "send=no") == 0)
+    length = 0;
+
+if (!filename) return FAIL;	/* Server spec is required */
+
+/* Open the socket, if not cached */
+
+if (cctx->sock == -1)
+  if (internal_readsock_open(cctx, filename, timeout, lf.do_tls, errmsg) != OK)
+    return ret;
+
+testharness_pause_ms(100);	/* Allow sequencing of test actions */
+
+/* Write the request string, if not empty or already done */
+
+if (length)
+  {
+  if ((
+#ifndef DISABLE_TLS
+      cctx->tls_ctx ? tls_write(cctx->tls_ctx, keystring, length, FALSE) :
+#endif
+		      write(cctx->sock, keystring, length)) != length)
+    {
+    *errmsg = string_sprintf("request write to socket "
+      "failed: %s", strerror(errno));
+    goto out;
+    }
+  }
+
+/* Shut down the sending side of the socket. This helps some servers to
+recognise that it is their turn to do some work. Just in case some
+system doesn't have this function, make it conditional. */
+
+#ifdef SHUT_WR
+if (!cctx->tls_ctx && lf.do_shutdown)
+  shutdown(cctx->sock, SHUT_WR);
+#endif
+
+testharness_pause_ms(100);
+
+/* Now we need to read from the socket, under a timeout. The function
+that reads a file can be used.  If we're using a stdio buffered read,
+and might need later write ops on the socket, the stdio must be in
+writable mode or the underlying socket goes non-writable. */
+
+sigalrm_seen = FALSE;
+#ifdef DISABLE_TLS
+if (TRUE)
+#else
+if (!cctx->tls_ctx)
+#endif
+  {
+  FILE * fp = fdopen(cctx->sock, "rb");
+  if (!fp)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "readsock fdopen: %s\n", strerror(errno));
+    goto out;
+    }
+  ALARM(timeout);
+  yield = cat_file(fp, NULL, eol);
+  }
+else
+  {
+  ALARM(timeout);
+  yield = cat_file_tls(cctx->tls_ctx, NULL, eol);
+  }
+
+ALARM_CLR(0);
+
+if (sigalrm_seen)
+  { *errmsg = US "socket read timed out"; goto out; }
+
+*result = yield ? string_from_gstring(yield) : US"";
+ret = OK;
+if (!lf.cache) *do_cache = 0;
+
+out:
+
+(void) close(cctx->sock);
+cctx->sock = -1;
+return ret;
+}
+
+
+
+/*************************************************
+*              Close entry point                 *
+*************************************************/
+
+/* See local README for interface description */
+
+static void
+readsock_close(void * handle)
+{
+client_conn_ctx * cctx = handle;
+if (cctx->sock < 0) return;
+#ifndef DISABLE_TLS
+if (cctx->tls_ctx) tls_close(cctx->tls_ctx, TRUE);
+#endif
+close(cctx->sock);
+cctx->sock = -1;
+}
+
+
+
+static lookup_info readsock_lookup_info = {
+  .name = US"readsock",			/* lookup name */
+  .type = lookup_querystyle,
+  .open = readsock_open,		/* open function */
+  .check = NULL,
+  .find = readsock_find,		/* find function */
+  .close = readsock_close,
+  .tidy = NULL,
+  .quote = NULL,			/* no quoting function */
+  .version_report = NULL
+};
+
+
+#ifdef DYNLOOKUP
+#define readsock_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &readsock_lookup_info };
+lookup_module_info readsock_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+/* End of lookups/readsock.c */
diff --git a/src/lookups/redis.c b/src/lookups/redis.c
new file mode 100644
index 0000000..9c8559c
--- /dev/null
+++ b/src/lookups/redis.c
@@ -0,0 +1,471 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+
+#ifdef LOOKUP_REDIS
+
+#include "lf_functions.h"
+
+#include <hiredis/hiredis.h>
+
+#ifndef nele
+# define nele(arr) (sizeof(arr) / sizeof(*arr))
+#endif
+
+/* Structure and anchor for caching connections. */
+typedef struct redis_connection {
+  struct redis_connection *next;
+  uschar  *server;
+  redisContext    *handle;
+} redis_connection;
+
+static redis_connection *redis_connections = NULL;
+
+
+static void *
+redis_open(const uschar * filename, uschar ** errmsg)
+{
+return (void *)(1);
+}
+
+
+void
+redis_tidy(void)
+{
+redis_connection *cn;
+
+/* XXX: Not sure how often this is called!
+ Guess its called after every lookup which probably would mean to just
+ not use the _tidy() function at all and leave with exim exiting to
+ GC connections!  */
+
+while ((cn = redis_connections))
+  {
+  redis_connections = cn->next;
+  DEBUG(D_lookup) debug_printf_indent("close REDIS connection: %s\n", cn->server);
+  redisFree(cn->handle);
+  }
+}
+
+
+/* This function is called from the find entry point to do the search for a
+single server.
+
+    Arguments:
+      query        the query string
+      server       the server string
+      resultptr    where to store the result
+      errmsg       where to point an error message
+      defer_break  TRUE if no more servers are to be tried after DEFER
+      do_cache     set false if data is changed
+      opts	   options
+
+    The server string is of the form "host/dbnumber/password". The host can be
+    host:port. This string is in a nextinlist temporary buffer, so can be
+    overwritten.
+
+    Returns:       OK, FAIL, or DEFER 
+*/
+
+static int
+perform_redis_search(const uschar *command, uschar *server, uschar **resultptr,
+  uschar **errmsg, BOOL *defer_break, uint *do_cache, const uschar * opts)
+{
+redisContext *redis_handle = NULL;        /* Keep compilers happy */
+redisReply *redis_reply = NULL;
+redisReply *entry = NULL;
+redisReply *tentry = NULL;
+redis_connection *cn;
+int yield = DEFER;
+int i, j;
+gstring * result = NULL;
+uschar *server_copy = NULL;
+uschar *sdata[3];
+
+/* Disaggregate the parameters from the server argument.
+The order is host:port(socket)
+We can write to the string, since it is in a nextinlist temporary buffer.
+This copy is also used for debugging output.  */
+
+memset(sdata, 0, sizeof(sdata)) /* Set all to NULL */;
+for (int i = 2; i > 0; i--)
+  {
+  uschar *pp = Ustrrchr(server, '/');
+
+  if (!pp)
+    {
+    *errmsg = string_sprintf("incomplete Redis server data: %s",
+      i == 2 ? server : server_copy);
+    *defer_break = TRUE;
+    return DEFER;
+    }
+  *pp++ = 0;
+  sdata[i] = pp;
+  if (i == 2) server_copy = string_copy(server);  /* sans password */
+  }
+sdata[0] = server;   /* What's left at the start */
+
+/* If the database or password is an empty string, set it NULL */
+if (sdata[1][0] == 0) sdata[1] = NULL;
+if (sdata[2][0] == 0) sdata[2] = NULL;
+
+/* See if we have a cached connection to the server */
+
+for (cn = redis_connections; cn; cn = cn->next)
+  if (Ustrcmp(cn->server, server_copy) == 0)
+    {
+    redis_handle = cn->handle;
+    break;
+    }
+
+if (!cn)
+  {
+  uschar *p;
+  uschar *socket = NULL;
+  int port = 0;
+  /* int redis_err = REDIS_OK; */
+
+  if ((p = Ustrchr(sdata[0], '(')))
+    {
+    *p++ = 0;
+    socket = p;
+    while (*p != 0 && *p != ')') p++;
+    *p = 0;
+    }
+
+  if ((p = Ustrchr(sdata[0], ':')))
+    {
+    *p++ = 0;
+    port = Uatoi(p);
+    }
+  else
+    port = Uatoi("6379");
+
+  if (Ustrchr(server, '/'))
+    {
+    *errmsg = string_sprintf("unexpected slash in Redis server hostname: %s",
+      sdata[0]);
+    *defer_break = TRUE;
+    return DEFER;
+    }
+
+  DEBUG(D_lookup)
+    debug_printf_indent("REDIS new connection: host=%s port=%d socket=%s database=%s\n",
+      sdata[0], port, socket, sdata[1]);
+
+  /* Get store for a new handle, initialize it, and connect to the server */
+  /* XXX: Use timeouts ? */
+  redis_handle =
+    socket ? redisConnectUnix(CCS socket) : redisConnect(CCS server, port);
+  if (!redis_handle)
+    {
+    *errmsg = US"REDIS connection failed";
+    *defer_break = FALSE;
+    goto REDIS_EXIT;
+    }
+
+  /* Add the connection to the cache */
+  cn = store_get(sizeof(redis_connection), GET_UNTAINTED);
+  cn->server = server_copy;
+  cn->handle = redis_handle;
+  cn->next = redis_connections;
+  redis_connections = cn;
+  }
+else
+  {
+  DEBUG(D_lookup)
+    debug_printf_indent("REDIS using cached connection for %s\n", server_copy);
+}
+
+/* Authenticate if there is a password */
+if(sdata[2])
+  if (!(redis_reply = redisCommand(redis_handle, "AUTH %s", sdata[2])))
+    {
+    *errmsg = string_sprintf("REDIS Authentication failed: %s\n", redis_handle->errstr);
+    *defer_break = FALSE;
+    goto REDIS_EXIT;
+    }
+
+/* Select the database if there is a dbnumber passed */
+if(sdata[1])
+  {
+  if (!(redis_reply = redisCommand(redis_handle, "SELECT %s", sdata[1])))
+    {
+    *errmsg = string_sprintf("REDIS: Selecting database=%s failed: %s\n", sdata[1], redis_handle->errstr);
+    *defer_break = FALSE;
+    goto REDIS_EXIT;
+    }
+  DEBUG(D_lookup) debug_printf_indent("REDIS: Selecting database=%s\n", sdata[1]);
+  }
+
+/* split string on whitespace into argv */
+  {
+  uschar * argv[32];
+  const uschar * s = command;
+  int siz, ptr, i;
+  uschar c;
+
+  while (isspace(*s)) s++;
+
+  for (i = 0; *s && i < nele(argv); i++)
+    {
+    gstring * g;
+
+    for (g = NULL; (c = *s) && !isspace(c); s++)
+      if (c != '\\' || *++s)		/* backslash protects next char */
+	g = string_catn(g, s, 1);
+    argv[i] = string_from_gstring(g);
+
+    DEBUG(D_lookup) debug_printf_indent("REDIS: argv[%d] '%s'\n", i, argv[i]);
+    while (isspace(*s)) s++;
+    }
+
+  /* Run the command. We use the argv form rather than plain as that parses
+  into args by whitespace yet has no escaping mechanism. */
+
+  if (!(redis_reply = redisCommandArgv(redis_handle, i, CCSS argv, NULL)))
+    {
+    *errmsg = string_sprintf("REDIS: query failed: %s\n", redis_handle->errstr);
+    *defer_break = FALSE;
+    goto REDIS_EXIT;
+    }
+  }
+
+switch (redis_reply->type)
+  {
+  case REDIS_REPLY_ERROR:
+    *errmsg = string_sprintf("REDIS: lookup result failed: %s\n", redis_reply->str);
+
+    /* trap MOVED cluster responses and follow them */
+    if (Ustrncmp(redis_reply->str, "MOVED", 5) == 0)
+      {
+      DEBUG(D_lookup)
+        debug_printf_indent("REDIS: cluster redirect %s\n", redis_reply->str);
+      /* follow redirect
+      This is cheating, we simply set defer_break = FALSE to move on to
+      the next server in the redis_servers list */
+      *defer_break = FALSE;
+      return DEFER;
+      } else {
+      *defer_break = TRUE;
+      }
+    *do_cache = 0;
+    goto REDIS_EXIT;
+    /* NOTREACHED */
+
+  case REDIS_REPLY_NIL:
+    DEBUG(D_lookup)
+      debug_printf_indent("REDIS: query was not one that returned any data\n");
+    result = string_catn(result, US"", 1);
+    *do_cache = 0;
+    goto REDIS_EXIT;
+    /* NOTREACHED */
+
+  case REDIS_REPLY_INTEGER:
+    result = string_cat(result, redis_reply->integer != 0 ? US"true" : US"false");
+    break;
+
+  case REDIS_REPLY_STRING:
+  case REDIS_REPLY_STATUS:
+    result = string_catn(result, US redis_reply->str, redis_reply->len);
+    break;
+
+  case REDIS_REPLY_ARRAY:
+ 
+    /* NOTE: For now support 1 nested array result. If needed a limitless
+    result can be parsed */
+
+    for (int i = 0; i < redis_reply->elements; i++)
+      {
+      entry = redis_reply->element[i];
+
+      if (result)
+	result = string_catn(result, US"\n", 1);
+
+      switch (entry->type)
+	{
+	case REDIS_REPLY_INTEGER:
+	  result = string_fmt_append(result, "%d", entry->integer);
+	  break;
+	case REDIS_REPLY_STRING:
+	  result = string_catn(result, US entry->str, entry->len);
+	  break;
+	case REDIS_REPLY_ARRAY:
+	  for (int j = 0; j < entry->elements; j++)
+	    {
+	    tentry = entry->element[j];
+
+	    if (result)
+	      result = string_catn(result, US"\n", 1);
+
+	    switch (tentry->type)
+	      {
+	      case REDIS_REPLY_INTEGER:
+		result = string_fmt_append(result, "%d", tentry->integer);
+		break;
+	      case REDIS_REPLY_STRING:
+		result = string_catn(result, US tentry->str, tentry->len);
+		break;
+	      case REDIS_REPLY_ARRAY:
+		DEBUG(D_lookup)
+		  debug_printf_indent("REDIS: result has nesting of arrays which"
+		    " is not supported. Ignoring!\n");
+		break;
+	      default:
+		DEBUG(D_lookup) debug_printf_indent(
+			  "REDIS: result has unsupported type. Ignoring!\n");
+		break;
+	      }
+	    }
+	    break;
+	  default:
+	    DEBUG(D_lookup) debug_printf_indent("REDIS: query returned unsupported type\n");
+	    break;
+	  }
+	}
+      break;
+  }
+
+
+if (result)
+  gstring_release_unused(result);
+else
+  {
+  yield = FAIL;
+  *errmsg = US"REDIS: no data found";
+  }
+
+REDIS_EXIT:
+
+/* Free store for any result that was got; don't close the connection,
+as it is cached. */
+
+if (redis_reply) freeReplyObject(redis_reply);
+
+/* Non-NULL result indicates a successful result */
+
+if (result)
+  {
+  *resultptr = string_from_gstring(result);
+  return OK;
+  }
+else
+  {
+  DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
+  /* NOTE: Required to close connection since it needs to be reopened */
+  return yield;      /* FAIL or DEFER */
+  }
+}
+
+
+
+/*************************************************
+*               Find entry point                 *
+*************************************************/
+/*
+ * See local README for interface description. The handle and filename
+ * arguments are not used. The code to loop through a list of servers while the
+ * query is deferred with a retryable error is now in a separate function that is
+ * shared with other noSQL lookups.
+ */
+
+static int
+redis_find(void * handle __attribute__((unused)),
+  const uschar * filename __attribute__((unused)),
+  const uschar * command, int length, uschar ** result, uschar ** errmsg,
+  uint * do_cache, const uschar * opts)
+{
+return lf_sqlperform(US"Redis", US"redis_servers", redis_servers, command,
+  result, errmsg, do_cache, opts, perform_redis_search);
+}
+
+
+
+/*************************************************
+*               Quote entry point                *
+*************************************************/
+
+/* Prefix any whitespace, or backslash, with a backslash.
+This is not a Redis thing but instead to let the argv splitting
+we do to split on whitespace, yet provide means for getting
+whitespace into an argument.
+
+Arguments:
+  s          the string to be quoted
+  opt        additional option text or NULL if none
+  idx	     lookup type index
+
+Returns:     the processed string or NULL for a bad option
+*/
+
+static uschar *
+redis_quote(uschar * s, uschar * opt, unsigned idx)
+{
+int c, count = 0;
+uschar * t = s, * quoted;
+
+if (opt) return NULL;     /* No options recognized */
+
+while ((c = *t++))
+  if (isspace(c) || c == '\\') count++;
+
+t = quoted = store_get_quoted(Ustrlen(s) + count + 1, s, idx);
+
+while ((c = *s++))
+  {
+  if (isspace(c) || c == '\\') *t++ = '\\';
+  *t++ = c;
+  }
+
+*t = 0;
+return quoted;
+}
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+#include "../version.h"
+
+gstring *
+redis_version_report(gstring * g)
+{
+g = string_fmt_append(g,
+  "Library version: REDIS: Compile: %d [%d]\n", HIREDIS_MAJOR, HIREDIS_MINOR);
+#ifdef DYNLOOKUP
+g = string_fmt_append(g,
+  "                        Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+
+
+/* These are the lookup_info blocks for this driver */
+static lookup_info redis_lookup_info = {
+  .name = US"redis",			/* lookup name */
+  .type = lookup_querystyle,		/* query-style lookup */
+  .open = redis_open,			/* open function */
+  .check = NULL,			/* no check function */
+  .find = redis_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = redis_tidy,			/* tidy function */
+  .quote = redis_quote,			/* quoting function */
+  .version_report = redis_version_report           /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+# define redis_lookup_module_info _lookup_module_info
+#endif /* DYNLOOKUP */
+
+static lookup_info *_lookup_list[] = { &redis_lookup_info };
+lookup_module_info redis_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+#endif /* LOOKUP_REDIS */
+/* End of lookups/redis.c */
diff --git a/src/lookups/spf.c b/src/lookups/spf.c
new file mode 100644
index 0000000..78d954c
--- /dev/null
+++ b/src/lookups/spf.c
@@ -0,0 +1,159 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Exim - SPF lookup module using libspf2
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Copyright (c) The Exim Maintainers 2020 - 2022
+Copyright (c) 2005 Chris Webb, Arachsys Internet Services Ltd
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+*/
+
+#include "../exim.h"
+
+#ifndef SUPPORT_SPF
+static void dummy(int x);
+static void dummy2(int x) { dummy(x-1); }
+static void dummy(int x) { dummy2(x-1); }
+#else
+
+#include "lf_functions.h"
+#if !defined(HAVE_NS_TYPE) && defined(NS_INADDRSZ)
+# define HAVE_NS_TYPE
+#endif
+#include <spf2/spf.h>
+#include <spf2/spf_dns_resolv.h>
+#include <spf2/spf_dns_cache.h>
+
+extern SPF_dns_server_t * SPF_dns_exim_new(int);
+
+
+static void *
+spf_open(const uschar * filename, uschar ** errmsg)
+{
+SPF_dns_server_t * dc;
+SPF_server_t *spf_server = NULL;
+int debug = 0;
+
+DEBUG(D_lookup) debug = 1;
+
+if ((dc = SPF_dns_exim_new(debug)))
+  if ((dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
+    spf_server = SPF_server_new_dns(dc, debug);
+
+if (!spf_server)
+  {
+  *errmsg = US"SPF_dns_exim_nnew() failed";
+  return NULL;
+  }
+return (void *) spf_server;
+}
+
+
+static void
+spf_close(void *handle)
+{
+SPF_server_t *spf_server = handle;
+if (spf_server) SPF_server_free(spf_server);
+}
+
+static int
+spf_find(void * handle, const uschar * filename, const uschar * keystring,
+  int key_len, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+SPF_server_t *spf_server = handle;
+SPF_request_t *spf_request;
+SPF_response_t *spf_response = NULL;
+
+if (!(spf_request = SPF_request_new(spf_server)))
+  {
+  *errmsg = US"SPF_request_new() failed";
+  return FAIL;
+  }
+
+#if HAVE_IPV6
+switch (string_is_ip_address(filename, NULL))
+#else
+switch (4)
+#endif
+  {
+  case 4:
+    if (!SPF_request_set_ipv4_str(spf_request, CS filename))
+      break;
+    *errmsg = string_sprintf("invalid IPv4 address '%s'", filename);
+    return FAIL;
+#if HAVE_IPV6
+
+  case 6:
+    if (!SPF_request_set_ipv6_str(spf_request, CS filename))
+      break;
+    *errmsg = string_sprintf("invalid IPv6 address '%s'", filename);
+    return FAIL;
+
+  default:
+    *errmsg = string_sprintf("invalid IP address '%s'", filename);
+    return FAIL;
+#endif
+  }
+
+if (SPF_request_set_env_from(spf_request, CS keystring))
+    {
+  *errmsg = string_sprintf("invalid envelope from address '%s'", keystring);
+  return FAIL;
+}
+
+SPF_request_query_mailfrom(spf_request, &spf_response);
+*result = string_copy(US SPF_strresult(SPF_response_result(spf_response)));
+
+DEBUG(D_lookup) spf_response_debug(spf_response);
+
+SPF_response_free(spf_response);
+SPF_request_free(spf_request);
+return OK;
+}
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+spf_version_report(gstring * g)
+{
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "Library version: SPF: Exim version %s\n", EXIM_VERSION_STR));
+#endif
+return g;
+}
+
+
+static lookup_info _lookup_info = {
+  .name = US"spf",			/* lookup name */
+  .type = 0,				/* not absfile, not query style */
+  .open = spf_open,			/* open function */
+  .check = NULL,			/* no check function */
+  .find = spf_find,			/* find function */
+  .close = spf_close,			/* close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = spf_version_report             /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+#define spf_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &_lookup_info };
+lookup_module_info spf_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+#endif /* SUPPORT_SPF */
diff --git a/src/lookups/sqlite.c b/src/lookups/sqlite.c
new file mode 100644
index 0000000..9080ae7
--- /dev/null
+++ b/src/lookups/sqlite.c
@@ -0,0 +1,200 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+#include <sqlite3.h>
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void *
+sqlite_open(const uschar * filename, uschar ** errmsg)
+{
+sqlite3 *db = NULL;
+int ret;
+
+if (!filename || !*filename)
+  {
+  DEBUG(D_lookup) debug_printf_indent("Using sqlite_dbfile: %s\n", sqlite_dbfile);
+  filename = sqlite_dbfile;
+  }
+if (!filename || *filename != '/')
+  *errmsg = US"absolute file name expected for \"sqlite\" lookup";
+else if ((ret = sqlite3_open(CCS filename, &db)) != 0)
+  {
+  *errmsg = (void *)sqlite3_errmsg(db);
+  sqlite3_close(db);
+  db = NULL;
+  DEBUG(D_lookup) debug_printf_indent("Error opening database: %s\n", *errmsg);
+  }
+
+if (db)
+  sqlite3_busy_timeout(db, 1000 * sqlite_lock_timeout);
+return db;
+}
+
+
+/*************************************************
+*               Find entry point                 *
+*************************************************/
+
+/* See local README for interface description. */
+
+static int
+sqlite_callback(void *arg, int argc, char **argv, char **azColName)
+{
+gstring * res = *(gstring **)arg;
+
+/* For second and subsequent results, insert \n */
+
+if (res)
+  res = string_catn(res, US"\n", 1);
+
+if (argc > 1)
+  {
+  /* For multiple fields, include the field name too */
+  for (int i = 0; i < argc; i++)
+    {
+    uschar * value = US(argv[i] ? argv[i] : "<NULL>");
+    res = lf_quote(US azColName[i], value, Ustrlen(value), res);
+    }
+  }
+
+else
+  res = string_cat(res, argv[0] ? US argv[0] : US "<NULL>");
+
+/* always return a non-null gstring, even for a zero-length string result */
+*(gstring **)arg = res ? res : string_get(1);
+return 0;
+}
+
+
+static int
+sqlite_find(void * handle, const uschar * filename, const uschar * query,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+int ret;
+gstring * res = NULL;
+
+ret = sqlite3_exec(handle, CS query, sqlite_callback, &res, CSS errmsg);
+if (ret != SQLITE_OK)
+  {
+  debug_printf_indent("sqlite3_exec failed: %s\n", *errmsg);
+  return FAIL;
+  }
+
+if (!res) *do_cache = 0;	/* on fail, wipe cache */
+
+*result = string_from_gstring(res);
+return OK;
+}
+
+
+
+/*************************************************
+*               Close entry point                *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void sqlite_close(void *handle)
+{
+sqlite3_close(handle);
+}
+
+
+
+/*************************************************
+*               Quote entry point                *
+*************************************************/
+
+/* From what I have found so far, the only character that needs to be quoted
+for sqlite is the single quote, and it is quoted by doubling.
+
+Arguments:
+  s          the string to be quoted
+  opt        additional option text or NULL if none
+  idx	     lookup type index
+
+Returns:     the processed string or NULL for a bad option
+*/
+
+static uschar *
+sqlite_quote(uschar * s, uschar * opt, unsigned idx)
+{
+int c, count = 0;
+uschar * t = s, * quoted;
+
+if (opt) return NULL;     /* No options recognized */
+
+while ((c = *t++)) if (c == '\'') count++;
+count += t - s;
+
+t = quoted = store_get_quoted(count + 1, s, idx);
+
+while ((c = *s++))
+  {
+  if (c == '\'') *t++ = '\'';
+  *t++ = c;
+  }
+
+*t = 0;
+return quoted;
+}
+
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+sqlite_version_report(gstring * g)
+{
+g = string_fmt_append(g,
+  "Library version: SQLite: Compile: %s\n"
+  "                         Runtime: %s\n",
+        SQLITE_VERSION, sqlite3_libversion());
+#ifdef DYNLOOKUP
+g = string_fmt_append(g,
+  "                         Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+static lookup_info _lookup_info = {
+  .name = US"sqlite",			/* lookup name */
+  .type = lookup_absfilequery,		/* query-style lookup, starts with file name */
+  .open = sqlite_open,			/* open function */
+  .check = NULL,			/* no check function */
+  .find = sqlite_find,			/* find function */
+  .close = sqlite_close,		/* close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = sqlite_quote,		/* quoting function */
+  .version_report = sqlite_version_report          /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+#define sqlite_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &_lookup_info };
+lookup_module_info sqlite_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+/* End of lookups/sqlite.c */
diff --git a/src/lookups/testdb.c b/src/lookups/testdb.c
new file mode 100644
index 0000000..4824161
--- /dev/null
+++ b/src/lookups/testdb.c
@@ -0,0 +1,100 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "lf_functions.h"
+
+
+/* These are not real lookup functions; they are just a way of testing the
+rest of Exim by providing an easy way of specifying particular yields from
+the find function. */
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void *
+testdb_open(const uschar * filename, uschar ** errmsg)
+{
+return (void *)(1);    /* Just return something non-null */
+}
+
+
+
+/*************************************************
+*               Find entry point                 *
+*************************************************/
+
+/* See local README for interface description. */
+
+static int
+testdb_find(void * handle, const uschar * filename, const uschar * query,
+  int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+  const uschar * opts)
+{
+if (Ustrcmp(query, "fail") == 0)
+  {
+  *errmsg = US"testdb lookup forced FAIL";
+  DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
+  return FAIL;
+  }
+if (Ustrcmp(query, "defer") == 0)
+  {
+  *errmsg = US"testdb lookup forced DEFER";
+  DEBUG(D_lookup) debug_printf_indent("%s\n", *errmsg);
+  return DEFER;
+  }
+
+if (Ustrcmp(query, "nocache") == 0) *do_cache = 0;
+
+*result = string_copy(query);
+return OK;
+}
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+testdb_version_report(gstring * g)
+{
+#ifdef DYNLOOKUP
+g = string_fmt_append(g, "Library version: TestDB: Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+
+static lookup_info _lookup_info = {
+  .name = US"testdb",			/* lookup name */
+  .type = lookup_querystyle,		/* query-style lookup */
+  .open = testdb_open,			/* open function */
+  .check = NULL,			/* check function */
+  .find = testdb_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = testdb_version_report          /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+#define testdb_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &_lookup_info };
+lookup_module_info testdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+/* End of lookups/testdb.c */
diff --git a/src/lookups/whoson.c b/src/lookups/whoson.c
new file mode 100644
index 0000000..990703f
--- /dev/null
+++ b/src/lookups/whoson.c
@@ -0,0 +1,98 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This code originally came from Robert Wal. */
+
+#include "../exim.h"
+
+
+#include <whoson.h>        /* Public header */
+
+
+/*************************************************
+*              Open entry point                  *
+*************************************************/
+
+/* See local README for interface description. */
+
+static void *
+whoson_open(const uschar * filename, uschar ** errmsg)
+{
+return (void *)(1);    /* Just return something non-null */
+}
+
+
+/*************************************************
+*               Find entry point                 *
+*************************************************/
+
+/* See local README for interface description. */
+
+static int
+whoson_find(void * handle, const uschar * filename, uschar * query, int length,
+  uschar ** result, uschar ** errmsg, uint * do_cache, const uschar * opts)
+{
+uschar buffer[80];
+
+switch (wso_query(CS query, CS buffer, sizeof(buffer)))
+  {
+  case 0:
+  *result = string_copy(buffer);    /* IP in database; return name of user */
+  return OK;
+
+  case +1:
+  return FAIL;                      /* IP not in database */
+
+  default:
+  *errmsg = string_sprintf("WHOSON: failed to complete: %s", buffer);
+  return DEFER;
+  }
+}
+
+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+gstring *
+whoson_version_report(gstring * g)
+{
+g = string_fmt_append(g,
+  "Library version: Whoson: Runtime: %s\n", wso_version());
+#ifdef DYNLOOKUP
+g = string_fmt_append(g,
+  "                         Exim version %s\n", EXIM_VERSION_STR);
+#endif
+return g;
+}
+
+static lookup_info _lookup_info = {
+  .name = US"whoson",			/* lookup name */
+  .type = lookup_querystyle,		/* query-style lookup */
+  .open = whoson_open,			/* open function */
+  .check = NULL,			/* check function */
+  .find = whoson_find,			/* find function */
+  .close = NULL,			/* no close function */
+  .tidy = NULL,				/* no tidy function */
+  .quote = NULL,			/* no quoting function */
+  .version_report = whoson_version_report          /* version reporting */
+};
+
+#ifdef DYNLOOKUP
+#define whoson_lookup_module_info _lookup_module_info
+#endif
+
+static lookup_info *_lookup_list[] = { &_lookup_info };
+lookup_module_info whoson_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+
+/* End of lookups/whoson.c */
diff --git a/src/lss.c b/src/lss.c
new file mode 100644
index 0000000..167522d
--- /dev/null
+++ b/src/lss.c
@@ -0,0 +1,142 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Support functions for calling from local_scan(). These are mostly just
+wrappers for various internal functions. */
+
+
+#include "exim.h"
+
+
+/*************************************************
+*            Match a domain in a list            *
+*************************************************/
+
+/*
+Arguments:
+  domain         the domain we are testing
+  list           the domain list
+
+Returns:         OK/FAIL/DEFER
+*/
+
+int
+lss_match_domain(uschar *domain, uschar *list)
+{
+return match_isinlist(CUS domain, CUSS &list, 0, &domainlist_anchor, NULL, MCL_DOMAIN,
+  TRUE, NULL);
+}
+
+
+
+/*************************************************
+*            Match a local part in a list        *
+*************************************************/
+
+/*
+Arguments:
+  local_part     the local part we are testing
+  list           the local part list
+  caseless       TRUE for caseless matching
+
+Returns:         OK/FAIL/DEFER
+*/
+
+int
+lss_match_local_part(uschar *local_part, uschar *list, BOOL caseless)
+{
+return match_isinlist(CUS local_part, CUSS &list, 0, &localpartlist_anchor, NULL,
+  MCL_LOCALPART, caseless, NULL);
+}
+
+
+
+/*************************************************
+*            Match an address in a list          *
+*************************************************/
+
+/*
+Arguments:
+  address        the address we are testing
+  list           the address list
+  caseless       TRUE for caseless matching
+
+Returns:         OK/FAIL/DEFER
+*/
+
+int
+lss_match_address(uschar *address, uschar *list, BOOL caseless)
+{
+return match_address_list(CUS address, caseless, TRUE, CUSS &list, NULL, -1, 0, NULL);
+}
+
+
+
+/*************************************************
+*            Match a host in a list              *
+*************************************************/
+
+/*
+Arguments:
+  host name      the name of the host we are testing, or NULL if this is the
+                   sender host and its name hasn't yet been looked up
+  host address   the IP address of the host, or an empty string for a local
+                   message
+  list           the host list
+
+Returns:         OK/FAIL/DEFER
+                 ERROR if failed to find host name when needed
+*/
+
+int
+lss_match_host(uschar *host_name, uschar *host_address, uschar *list)
+{
+return verify_check_this_host(CUSS &list, NULL, host_name, host_address, NULL);
+}
+
+
+
+/*************************************************
+*           Base 64 encode/decode                *
+*************************************************/
+
+/* These functions just give less "internal" names to the functions.
+
+Arguments:
+  clear       points to the clear text bytes
+  len         the number of bytes to encode
+
+Returns:      a pointer to the zero-terminated base 64 string, which
+              is in working store
+*/
+
+uschar *
+lss_b64encode(uschar * clear, int len)
+{
+return b64encode(CUS clear, len);
+}
+
+/*
+Arguments:
+  code        points to the coded string, zero-terminated
+  ptr         where to put the pointer to the result, which is in
+              dynamic store
+
+Returns:      the number of bytes in the result,
+              or -1 if the input was malformed
+
+A zero is added on to the end to make it easy in cases where the result is to
+be interpreted as text. This is not included in the count. */
+
+int
+lss_b64decode(uschar *code, uschar **ptr)
+{
+return b64decode(code, ptr);
+}
+
+
+/* End of lss.c */
diff --git a/src/macro_predef.c b/src/macro_predef.c
new file mode 100644
index 0000000..a0c659c
--- /dev/null
+++ b/src/macro_predef.c
@@ -0,0 +1,345 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) Jeremy Harris 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Create a static data structure with the predefined macros, to be
+included in the main Exim build */
+
+#include "exim.h"
+#include "macro_predef.h"
+
+unsigned mp_index = 0;
+
+/* Global dummy variables */
+
+void fn_smtp_receive_timeout(const uschar * name, const uschar * str) {}
+uschar * syslog_facility_str;
+
+/******************************************************************************/
+
+void
+builtin_macro_create_var(const uschar * name, const uschar * val)
+{
+printf ("static macro_item p%d = { ", mp_index);
+if (mp_index == 0)
+  printf(".next=NULL,");
+else
+  printf(".next=&p%d,", mp_index-1);
+
+printf(" .command_line=FALSE, .namelen=%d, .replen=%d,"
+	" .name=US\"%s\", .replacement=US\"%s\" };\n",
+	Ustrlen(name), Ustrlen(val), CS name, CS val);
+mp_index++;
+}
+
+
+void
+builtin_macro_create(const uschar * name)
+{
+builtin_macro_create_var(name, US"y");
+}
+
+
+/* restricted snprintf */
+void
+spf(uschar * buf, int len, const uschar * fmt, ...)
+{
+va_list ap;
+va_start(ap, fmt);
+
+while (*fmt && len > 1)
+  if (*fmt == '%' && fmt[1] == 'T')
+    {
+    uschar * s = va_arg(ap, uschar *);
+    while (*s && len-- > 1)
+      *buf++ = toupper(*s++);
+    fmt += 2;
+    }
+  else
+    {
+    *buf++ = *fmt++; len--;
+    }
+*buf = '\0';
+va_end(ap);
+}
+
+void
+options_from_list(optionlist * opts, unsigned nopt,
+  const uschar * section, uschar * group)
+{
+const uschar * s;
+uschar buf[EXIM_DRIVERNAME_MAX];
+
+/* The 'previously-defined-substring' rule for macros in config file
+lines is done thus for these builtin macros: we know that the table
+we source from is in strict alpha order, hence the builtins portion
+of the macros list is in reverse-alpha (we prepend them) - so longer
+macros that have substrings are always discovered first during
+expansion. */
+
+for (int i = 0; i < nopt; i++)  if (*(s = US opts[i].name) && *s != '*')
+  {
+  if (group)
+    spf(buf, sizeof(buf), CUS"_OPT_%T_%T_%T", section, group, s);
+  else
+    spf(buf, sizeof(buf), CUS"_OPT_%T_%T", section, s);
+  builtin_macro_create(buf);
+  }
+}
+
+
+/******************************************************************************/
+
+
+/* Create compile-time feature macros */
+static void
+features(void)
+{
+/* Probably we could work out a static initialiser for wherever
+macros are stored, but this will do for now. Some names are awkward
+due to conflicts with other common macros. */
+
+#ifdef SUPPORT_CRYPTEQ
+  builtin_macro_create(US"_HAVE_CRYPTEQ");
+#endif
+#if HAVE_ICONV
+  builtin_macro_create(US"_HAVE_ICONV");
+#endif
+#if HAVE_IPV6
+  builtin_macro_create(US"_HAVE_IPV6");
+#endif
+#ifdef HAVE_SETCLASSRESOURCES
+  builtin_macro_create(US"_HAVE_SETCLASSRESOURCES");
+#endif
+#ifdef SUPPORT_PAM
+  builtin_macro_create(US"_HAVE_PAM");
+#endif
+#ifdef EXIM_PERL
+  builtin_macro_create(US"_HAVE_PERL");
+#endif
+#ifdef EXPAND_DLFUNC
+  builtin_macro_create(US"_HAVE_DLFUNC");
+#endif
+#ifdef USE_TCP_WRAPPERS
+  builtin_macro_create(US"_HAVE_TCPWRAPPERS");
+#endif
+#ifndef DISABLE_TLS
+  builtin_macro_create(US"_HAVE_TLS");
+# ifdef USE_GNUTLS
+  builtin_macro_create(US"_HAVE_GNUTLS");
+# else
+  builtin_macro_create(US"_HAVE_OPENSSL");
+# endif
+#endif
+#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
+  builtin_macro_create(US"_HAVE_TRANSLATE_IP_ADDRESS");
+#endif
+#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
+  builtin_macro_create(US"_HAVE_MOVE_FROZEN_MESSAGES");
+#endif
+#ifdef WITH_CONTENT_SCAN
+  builtin_macro_create(US"_HAVE_CONTENT_SCANNING");
+#endif
+#ifndef DISABLE_DKIM
+  builtin_macro_create(US"_HAVE_DKIM");
+#endif
+#ifdef SUPPORT_DMARC
+  builtin_macro_create(US"_HAVE_DMARC");
+#endif
+#ifndef DISABLE_DNSSEC
+  builtin_macro_create(US"_HAVE_DNSSEC");
+#endif
+#ifndef DISABLE_EVENT
+  builtin_macro_create(US"_HAVE_EVENT");
+#endif
+#ifdef SUPPORT_I18N
+  builtin_macro_create(US"_HAVE_I18N");
+#endif
+#ifndef DISABLE_OCSP
+  builtin_macro_create(US"_HAVE_OCSP");
+#endif
+#ifndef DISABLE_PIPE_CONNECT
+  builtin_macro_create(US"_HAVE_PIPE_CONNECT");
+#endif
+#ifndef DISABLE_PRDR
+  builtin_macro_create(US"_HAVE_PRDR");
+#endif
+#ifdef SUPPORT_PROXY
+  builtin_macro_create(US"_HAVE_PROXY");
+#endif
+#ifdef SUPPORT_SOCKS
+  builtin_macro_create(US"_HAVE_SOCKS");
+#endif
+#if defined(SUPPORT_SRS)
+  builtin_macro_create(US"_HAVE_NATIVE_SRS");	/* beware clash with _HAVE_SRS */
+#endif
+#ifdef TCP_FASTOPEN
+  builtin_macro_create(US"_HAVE_TCP_FASTOPEN");
+#endif
+#ifdef SUPPORT_SPF
+  builtin_macro_create(US"_HAVE_SPF");
+#endif
+#ifdef SUPPORT_SRS
+  builtin_macro_create(US"_HAVE_SRS");
+#endif
+#ifdef EXPERIMENTAL_ARC
+  builtin_macro_create(US"_HAVE_ARC");
+#endif
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+  builtin_macro_create(US"_HAVE_BRIGHTMAIL");
+#endif
+#ifdef SUPPORT_DANE
+  builtin_macro_create(US"_HAVE_DANE");
+#endif
+#ifdef EXPERIMENTAL_DCC
+  builtin_macro_create(US"_HAVE_DCC");
+#endif
+#ifdef EXPERIMENTAL_DSN_INFO
+  builtin_macro_create(US"_HAVE_DSN_INFO");
+#endif
+#ifndef DISABLE_TLS_RESUME
+  builtin_macro_create(US"_HAVE_TLS_RESUME");
+#endif
+
+#ifdef LOOKUP_LSEARCH
+  builtin_macro_create(US"_HAVE_LOOKUP_LSEARCH");
+#endif
+#ifdef LOOKUP_CDB
+  builtin_macro_create(US"_HAVE_LOOKUP_CDB");
+#endif
+#ifdef LOOKUP_DBM
+  builtin_macro_create(US"_HAVE_LOOKUP_DBM");
+#endif
+#ifdef LOOKUP_DNSDB
+  builtin_macro_create(US"_HAVE_LOOKUP_DNSDB");
+#endif
+#ifdef LOOKUP_DSEARCH
+  builtin_macro_create(US"_HAVE_LOOKUP_DSEARCH");
+#endif
+#ifdef LOOKUP_IBASE
+  builtin_macro_create(US"_HAVE_LOOKUP_IBASE");
+#endif
+#ifdef LOOKUP_LMDB
+  builtin_macro_create(US"_HAVE_LMDB");
+  builtin_macro_create(US"_HAVE_LOOKUP_LMDB");
+#endif
+#ifdef LOOKUP_LDAP
+  builtin_macro_create(US"_HAVE_LOOKUP_JSON");
+#endif
+#ifdef LOOKUP_LDAP
+  builtin_macro_create(US"_HAVE_LOOKUP_LDAP");
+#endif
+#ifdef LOOKUP_MYSQL
+  builtin_macro_create(US"_HAVE_LOOKUP_MYSQL");
+#endif
+#ifdef LOOKUP_NIS
+  builtin_macro_create(US"_HAVE_LOOKUP_NIS");
+#endif
+#ifdef LOOKUP_NISPLUS
+  builtin_macro_create(US"_HAVE_LOOKUP_NISPLUS");
+#endif
+#ifdef LOOKUP_ORACLE
+  builtin_macro_create(US"_HAVE_LOOKUP_ORACLE");
+#endif
+#ifdef LOOKUP_PASSWD
+  builtin_macro_create(US"_HAVE_LOOKUP_PASSWD");
+#endif
+#ifdef LOOKUP_PGSQL
+  builtin_macro_create(US"_HAVE_LOOKUP_PGSQL");
+#endif
+#ifdef LOOKUP_REDIS
+  builtin_macro_create(US"_HAVE_LOOKUP_REDIS");
+#endif
+#ifdef LOOKUP_SQLITE
+  builtin_macro_create(US"_HAVE_LOOKUP_SQLITE");
+#endif
+#ifdef LOOKUP_TESTDB
+  builtin_macro_create(US"_HAVE_LOOKUP_TESTDB");
+#endif
+#ifdef LOOKUP_WHOSON
+  builtin_macro_create(US"_HAVE_LOOKUP_WHOSON");
+#endif
+
+#ifdef TRANSPORT_APPENDFILE
+# ifdef SUPPORT_MAILDIR
+  builtin_macro_create(US"_HAVE_TRANSPORT_APPEND_MAILDIR");
+# endif
+# ifdef SUPPORT_MAILSTORE
+  builtin_macro_create(US"_HAVE_TRANSPORT_APPEND_MAILSTORE");
+# endif
+# ifdef SUPPORT_MBX
+  builtin_macro_create(US"_HAVE_TRANSPORT_APPEND_MBX");
+# endif
+#endif
+
+features_acl();
+features_crypto();
+
+#ifdef WITH_CONTENT_SCAN
+features_malware();
+#endif
+}
+
+static void
+exp_features(void)
+{
+#ifdef EXPERIMENTAL_ARC
+  builtin_macro_create(US"_EXP_ARC");
+#endif
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+  builtin_macro_create(US"_EXP_BMI");
+#endif
+#ifdef EXPERIMENTAL_DCC
+  builtin_macro_create(US"_EXP_DCC");
+#endif
+#ifdef EXPERIMENTAL_DSN_INFO
+  builtin_macro_create(US"_EXP_DSNI");
+#endif
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+  builtin_macro_create(US"_EXP_LIMITS");
+#endif
+#ifdef EXPERIMENTAL_QUEUEFILE
+  builtin_macro_create(US"_EXP_QUEUEFILE");
+#endif
+}
+
+
+static void
+options(void)
+{
+options_main();
+options_routers();
+options_transports();
+options_auths();
+options_logging();
+#ifndef DISABLE_TLS
+options_tls();
+#endif
+}
+
+static void
+params(void)
+{
+#ifndef DISABLE_DKIM
+params_dkim();
+#endif
+}
+
+
+int
+main(void)
+{
+printf("#include \"exim.h\"\n");
+features();
+exp_features();
+options();
+params();
+
+printf("macro_item * macros = &p%d;\n", mp_index-1);
+printf("macro_item * mlast = &p0;\n");
+exit(0);
+}
diff --git a/src/macro_predef.h b/src/macro_predef.h
new file mode 100644
index 0000000..59b1bbe
--- /dev/null
+++ b/src/macro_predef.h
@@ -0,0 +1,28 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Jeremy Harris 2017 - 2018 */
+/* Copyright (c) The Exim Maintainers 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Global functions */
+
+extern void spf(uschar *, int, const uschar *, ...);
+extern void builtin_macro_create(const uschar *);
+extern void builtin_macro_create_var(const uschar *, const uschar *);
+extern void options_from_list(optionlist *, unsigned, const uschar *, uschar *);
+
+extern void features_acl(void);
+extern void features_malware(void);
+extern void features_crypto(void);
+extern void options_main(void);
+extern void options_routers(void);
+extern void options_transports(void);
+extern void options_auths(void);
+extern void options_logging(void);
+extern void params_dkim(void);
+#ifndef DISABLE_TLS
+extern void options_tls(void);
+#endif
+
diff --git a/src/macros.h b/src/macros.h
new file mode 100644
index 0000000..fa89de1
--- /dev/null
+++ b/src/macros.h
@@ -0,0 +1,1117 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* These two macros make it possible to obtain the result of macro-expanding
+a string as a text string. This is sometimes useful for debugging output. */
+
+#define mac_string(s) # s
+#define mac_expanded_string(s) mac_string(s)
+
+/* Number of elements of an array */
+#define nelem(arr) (sizeof(arr) / sizeof(*arr))
+
+/* Maximum of two items */
+#ifndef MAX
+# define MAX(a,b) ((a) > (b) ? (a) : (b))
+#endif
+
+
+/* When running in the test harness, the load average is fudged. */
+
+#define OS_GETLOADAVG() \
+  (f.running_in_test_harness? (test_harness_load_avg += 10) : os_getloadavg())
+
+
+/* The address_item structure has a struct full of 1-bit flags. These macros
+manipulate them. */
+
+#define setflag(addr, flagname)    addr->flags.flagname = TRUE
+#define clearflag(addr, flagname)  addr->flags.flagname = FALSE
+
+#define testflag(addr, flagname)   (addr->flags.flagname)
+
+#define copyflag(addrnew, addrold, flagname) \
+  addrnew->flags.flagname = addrold->flags.flagname
+
+
+/* For almost all calls to convert things to printing characters, we want to
+allow tabs & spaces. A macro just makes life a bit easier. */
+
+#define string_printing(s) string_printing2((s), 0)
+#define SP_TAB		BIT(0)
+#define SP_SPACE	BIT(1)
+
+
+/* We need a special return code for "no recipients and failed to send an error
+message". ANSI C defines only EXIT_FAILURE and EXIT_SUCCESS. On the assumption
+that these are always 1 and 0 on Unix systems ... */
+
+#define EXIT_NORECIPIENTS 2
+
+
+/* Character-handling macros. It seems that the set of standard functions in
+ctype.h aren't actually all that useful. One reason for this is that email is
+international, so the concept of using a locale to vary what they do is not
+helpful. Another problem is that in different operating systems, the libraries
+yield different results, even in the default locale. For example, Linux yields
+TRUE for iscntrl() for all characters > 127, whereas many other systems yield
+FALSE. For these reasons we define our own set of macros for a number of
+character testing functions. Ensure that all these tests treat their arguments
+as unsigned. */
+
+#define mac_iscntrl(c) \
+  ((uschar)(c) < 32 || (uschar)(c) == 127)
+
+#define mac_iscntrl_or_special(c) \
+  ((uschar)(c) < 32 || strchr(" ()<>@,;:\\\".[]\177", (uschar)(c)) != NULL)
+
+#define mac_isgraph(c) \
+  ((uschar)(c) > 32 && (uschar)(c) != 127)
+
+#define mac_isprint(c) \
+  (((uschar)(c) >= 32 && (uschar)(c) <= 126) || c == '\t' || \
+  ((uschar)(c) > 127 && print_topbitchars))
+
+
+/* When built with TLS support, the act of flushing SMTP output becomes
+a no-op once an SSL session is in progress. */
+
+#ifndef DISABLE_TLS
+#define mac_smtp_fflush() if (tls_in.active.sock < 0) fflush(smtp_out);
+#else
+#define mac_smtp_fflush() fflush(smtp_out);
+#endif
+
+
+/* Define which ends of pipes are for reading and writing, as some systems
+don't make the file descriptors two-way. */
+
+#define pipe_read  0
+#define pipe_write 1
+
+/* The RFC 1413 ident port */
+
+#define IDENT_PORT 113
+
+/* A macro to simplify testing bits in lookup types */
+
+#define mac_islookup(a,b) ((lookup_list[a]->type & (b)) != 0)
+
+/* Debugging control */
+
+#define LOG_NAME_SIZE 256
+#define DEBUG(x)      if (debug_selector & (x))
+#define HDEBUG(x)     if (host_checking || debug_selector & (x))
+
+/* The default From: text for DSNs */
+
+#define DEFAULT_DSN_FROM "Mail Delivery System <Mailer-Daemon@$qualify_domain>"
+
+/* The size of the vector for saving/restoring address expansion pointers while
+verifying. This has to be explicit because it is referenced in more than one
+source module. */
+
+#define ADDRESS_EXPANSIONS_COUNT 19
+
+/* The maximum permitted number of command-line (-D) macro definitions. We
+need a limit only to make it easier to generate argument vectors for re-exec
+of Exim. */
+
+#define MAX_CLMACROS 10
+
+/* The number of integer variables available in filter files. If this is
+changed, then the tables in expand.c for accessing them must be changed too. */
+
+#define FILTER_VARIABLE_COUNT 10
+
+/* The size of the vector holding delay warning times */
+
+#define DELAY_WARNING_SIZE 12
+
+/* The size of the buffer holding the processing information string. */
+
+#define PROCESS_INFO_SIZE 384
+
+/* The size of buffer to get for constructing log entries. Make it big
+enough to hold all the headers from a normal kind of message. */
+
+#define LOG_BUFFER_SIZE 8192
+
+/* The size of the circular buffer that remembers recent SMTP commands */
+
+#define SMTP_HBUFF_SIZE 20
+#define SMTP_HBUFF_PREV(n)	((n) ? (n)-1 : SMTP_HBUFF_SIZE-1)
+
+/* The initial size of a big buffer for use in various places. It gets put
+into big_buffer_size and in some circumstances increased. It should be at least
+as long as the maximum path length PLUS room for string additions.
+Let's go with "at least twice as large as maximum path length".
+*/
+
+#ifdef AUTH_HEIMDAL_GSSAPI
+		/* RFC 4121 section 5.2, SHOULD support 64K input buffers */
+# define __BIG_BUFFER_SIZE 65536
+#else
+# define __BIG_BUFFER_SIZE 16384
+#endif
+
+#ifndef PATH_MAX
+/* exim.h will have ensured this exists before including us. */
+# error headers confusion, PATH_MAX missing in macros.h
+#endif
+#if (PATH_MAX*2) > __BIG_BUFFER_SIZE
+# define BIG_BUFFER_SIZE (PATH_MAX*2)
+#else
+# define BIG_BUFFER_SIZE __BIG_BUFFER_SIZE
+#endif
+
+/* header size of pipe content
+   currently: char id, char subid, char[5] length */
+#define PIPE_HEADER_SIZE 7
+
+/* This limits the length of data returned by local_scan(). Because it is
+written on the spool, it gets read into big_buffer. */
+
+#define LOCAL_SCAN_MAX_RETURN (BIG_BUFFER_SIZE - 24)
+
+/* The length of the base names of spool files, which consist of an internal
+message id with a trailing "-H" or "-D" added. */
+
+#define SPOOL_NAME_LENGTH (MESSAGE_ID_LENGTH+2)
+
+/* The maximum number of message ids to store in a waiting database
+record, and the max number of continuation records allowed. */
+
+#define WAIT_NAME_MAX 50
+#define WAIT_CONT_MAX 1000
+
+/* Fixed option values for all PCRE functions */
+
+#define PCRE_COPT 0   /* compile */
+#define PCRE_EOPT 0   /* exec */
+
+/* Macros for trivial functions */
+
+#define mac_ismsgid(s)	(regex_match(regex_ismsgid, (s), -1, NULL))
+
+
+/* Options for dns_next_rr */
+
+enum { RESET_NEXT, RESET_ANSWERS, RESET_AUTHORITY, RESET_ADDITIONAL };
+
+/* Argument values for the time-of-day function */
+
+enum { tod_log, tod_log_bare, tod_log_zone, tod_log_datestamp_daily,
+       tod_log_datestamp_monthly, tod_zone, tod_full, tod_bsdin,
+       tod_mbx, tod_epoch, tod_epoch_l, tod_zulu };
+
+/* For identifying types of driver */
+
+enum {
+  EXIM_DTYPE_NONE,
+  EXIM_DTYPE_ROUTER,
+  EXIM_DTYPE_TRANSPORT
+};
+
+/* Error numbers for generating error messages when reading a message on the
+standard input. */
+
+enum {
+  ERRMESS_BADARGADDRESS,    /* Bad address via argument list */
+  ERRMESS_BADADDRESS,       /* Bad address read via -t */
+  ERRMESS_NOADDRESS,        /* Message has no addresses */
+  ERRMESS_IGADDRESS,        /* All -t addresses ignored */
+  ERRMESS_BADNOADDRESS,     /* Bad address via -t, leaving none */
+  ERRMESS_IOERR,            /* I/O error while reading a message */
+  ERRMESS_VLONGHEADER,      /* Excessively long message header */
+  ERRMESS_VLONGHDRLINE,     /* Excessively long single line in header */
+  ERRMESS_TOOBIG,           /* Message too big */
+  ERRMESS_TOOMANYRECIP,     /* Too many recipients */
+  ERRMESS_LOCAL_SCAN,       /* Rejected by local scan */
+  ERRMESS_LOCAL_ACL         /* Rejected by non-SMTP ACL */
+#ifdef SUPPORT_DMARC
+ ,ERRMESS_DMARC_FORENSIC    /* DMARC Forensic Report */
+#endif
+};
+
+/* Error handling styles - set by option, and apply only when receiving
+a local message not via SMTP. */
+
+enum {
+  ERRORS_SENDER,            /* Return to sender (default) */
+  ERRORS_STDERR             /* Write on stderr */
+};
+
+/* Exec control values when Exim execs itself via child_exec_exim. */
+
+enum {
+  CEE_RETURN_ARGV,          /* Don't exec, just build and return argv */
+  CEE_EXEC_EXIT,            /* Just exit if exec fails */
+  CEE_EXEC_PANIC            /* Panic-die if exec fails */
+};
+
+/* Bit values for filter_test */
+
+#define FTEST_NONE     0    /* Not filter testing */
+#define FTEST_USER     1    /* Testing user filter */
+#define FTEST_SYSTEM   2    /* Testing system filter */
+
+/* Returns from the routing, transport and authentication functions (not all
+apply to all of them). Some other functions also use these convenient values,
+and some additional values are used only by non-driver functions.
+
+OK, FAIL, DEFER, ERROR, and FAIL_FORCED are also declared in local_scan.h for
+use in the local_scan() function and in ${dlfunc loaded functions. Do not
+change them unilaterally.
+
+Use rc_names[] for debug strings. */
+
+#define  OK            0    /* Successful match */
+#define  DEFER         1    /* Defer - some problem */
+#define  FAIL          2    /* Matching failed */
+#define  ERROR         3    /* Internal or config error */
+#define  FAIL_FORCED   4    /* "Forced" failure */
+/***********/
+#define DECLINE        5    /* Declined to handle the address, pass to next
+                                 router unless no_more is set */
+#define PASS           6    /* Pass to next driver, or to pass_router,
+                                 even if no_more is set */
+#define DISCARD        7    /* Address routed to :blackhole: or "seen finish" */
+#define SKIP           8    /* Skip this router (used in route_address only) */
+#define REROUTED       9    /* Address was changed and child created*/
+#define PANIC         10    /* Hard failed with internal error */
+#define BAD64         11    /* Bad base64 data (auth) */
+#define UNEXPECTED    12    /* Unexpected initial auth data */
+#define CANCELLED     13    /* Authentication cancelled */
+#define FAIL_SEND     14    /* send() failed in authenticator */
+#define FAIL_DROP     15    /* Fail and drop connection (used in ACL) */
+#define DANE	      16    /* Deferred for domain mismatch (used in transport) */
+
+/* Returns from the deliver_message() function */
+
+#define DELIVER_ATTEMPTED_NORMAL   0  /* Tried a normal delivery */
+#define DELIVER_MUA_SUCCEEDED      1  /* Success when mua_wrapper is set */
+#define DELIVER_MUA_FAILED         2  /* Failure when mua_wrapper is set */
+#define DELIVER_NOT_ATTEMPTED      3  /* Not tried (no msg or is locked */
+
+/* Returns from DNS lookup functions. Use dns_rc_names[] for debug strings */
+
+enum { DNS_SUCCEED, DNS_NOMATCH, DNS_NODATA, DNS_AGAIN, DNS_FAIL };
+
+/* Ending states when reading a message. The order is important. The test
+for having to swallow the rest of an SMTP message is whether the value is
+>= END_NOTENDED. */
+
+#define END_NOTSTARTED 0    /* Message not started */
+#define END_DOT        1    /* Message ended with '.' */
+#define END_EOF        2    /* Message ended with EOF (error for SMTP) */
+#define END_NOTENDED   3    /* Message reading not yet ended */
+#define END_SIZE       4    /* Reading ended because message too big */
+#define END_WERROR     5    /* Write error while reading the message */
+#define END_PROTOCOL   6    /* Protocol error in CHUNKING sequence */
+
+/* result codes for bdat_getc() (which can also return EOF) */
+
+#define EOD (-2)
+#define ERR (-3)
+
+
+/* Bit masks for debug and log selectors */
+
+/* Assume words are 32 bits wide. Tiny waste of space on 64 bit
+platforms, but this ensures bit vectors always work the same way. */
+#define BITWORDSIZE 32
+
+/* This macro is for single-word bit vectors: the debug selector,
+and the first word of the log selector. */
+#define BIT(n) (1UL << (n))
+
+/* And these are for multi-word vectors. */
+#define BITWORD(n) (      (n) / BITWORDSIZE)
+#define BITMASK(n) (1U << (n) % BITWORDSIZE)
+
+#define BIT_CLEAR(s,z,n) ((s)[BITWORD(n)] &= ~BITMASK(n))
+#define BIT_SET(s,z,n)   ((s)[BITWORD(n)] |=  BITMASK(n))
+#define BIT_TEST(s,z,n) (((s)[BITWORD(n)] &   BITMASK(n)) != 0)
+
+/* Used in globals.c for initializing bit_table structures. T will be either
+D or L corresponding to the debug and log selector bits declared below. */
+
+#define BIT_TABLE(T,name) { US #name, T##i_##name }
+
+/* IOTA allows us to keep an implicit sequential count, like a simple enum,
+but we can have sequentially numbered identifiers which are not declared
+sequentially. We use this for more compact declarations of bit indexes and
+masks, alternating between sequential bit index and corresponding mask. */
+
+#define IOTA(iota)      (__LINE__ - iota)
+#define IOTA_INIT(zero) (__LINE__ - zero + 1)
+
+/* Options bits for debugging. DEBUG_BIT() declares both a bit index and the
+corresponding mask. Di_all is a special value recognized by decode_bits().
+These must match the debug_options table in globals.c .
+
+Exim's code assumes in a number of places that the debug_selector is one
+word, and this is exposed in the local_scan ABI. The D_v and D_local_scan bit
+masks are part of the local_scan API so are #defined in local_scan.h */
+
+#define DEBUG_BIT(name) Di_##name = IOTA(Di_iota), D_##name = (int)BIT(Di_##name)
+
+enum {
+  Di_all        = -1,
+  Di_v          = 0,
+  Di_local_scan = 1,
+
+  Di_iota = IOTA_INIT(2),
+  DEBUG_BIT(acl),		/* 2 */
+  DEBUG_BIT(auth),
+  DEBUG_BIT(deliver),
+  DEBUG_BIT(dns),
+  DEBUG_BIT(dnsbl),
+  DEBUG_BIT(exec),		/* 7 */
+  DEBUG_BIT(expand),
+  DEBUG_BIT(filter),
+  DEBUG_BIT(hints_lookup),
+  DEBUG_BIT(host_lookup),
+  DEBUG_BIT(ident),
+  DEBUG_BIT(interface),
+  DEBUG_BIT(lists),
+  DEBUG_BIT(load),		/* 15 */
+  DEBUG_BIT(lookup),
+  DEBUG_BIT(memory),
+  DEBUG_BIT(noutf8),
+  DEBUG_BIT(pid),
+  DEBUG_BIT(process_info),
+  DEBUG_BIT(queue_run),
+  DEBUG_BIT(receive),
+  DEBUG_BIT(resolver),		/* 23 */
+  DEBUG_BIT(retry),
+  DEBUG_BIT(rewrite),
+  DEBUG_BIT(route),
+  DEBUG_BIT(timestamp),
+  DEBUG_BIT(tls),
+  DEBUG_BIT(transport),
+  DEBUG_BIT(uid),
+  DEBUG_BIT(verify),		/* 31 */
+};
+
+/* Multi-bit debug masks */
+
+#define D_all                        0xffffffff
+
+#define D_any                        (D_all & \
+                                       ~(D_v           | \
+					 D_noutf8      | \
+                                         D_pid         | \
+                                         D_timestamp)  )
+
+#define D_default                    (0xffffffff & \
+                                       ~(D_expand      | \
+                                         D_filter      | \
+                                         D_interface   | \
+                                         D_load        | \
+                                         D_local_scan  | \
+                                         D_memory      | \
+					 D_noutf8      | \
+                                         D_pid         | \
+                                         D_timestamp   | \
+                                         D_resolver))
+
+/* Bits for debug triggers */
+
+enum {
+  DTi_panictrigger,
+  DTi_pretrigger,
+};
+
+/* Options bits for logging. Those that have values < BITWORDSIZE can be used
+in calls to log_write(). The others are put into later words in log_selector
+and are only ever tested independently, so they do not need bit mask
+declarations. The Li_all value is recognized specially by decode_bits().
+Add also to log_options[] when creating new ones. */
+
+#define LOG_BIT(name) Li_##name = IOTA(Li_iota), L_##name = BIT(Li_##name)
+
+enum logbit {
+  Li_all = -1,
+
+  Li_iota = IOTA_INIT(0),
+  LOG_BIT(address_rewrite),
+  LOG_BIT(all_parents),
+  LOG_BIT(connection_reject),
+  LOG_BIT(delay_delivery),
+  LOG_BIT(dnslist_defer),
+  LOG_BIT(etrn),
+  LOG_BIT(host_lookup_failed),
+  LOG_BIT(lost_incoming_connection),
+  LOG_BIT(queue_run),
+  LOG_BIT(retry_defer),
+  LOG_BIT(size_reject),
+  LOG_BIT(skip_delivery),
+  LOG_BIT(smtp_connection),
+  LOG_BIT(smtp_incomplete_transaction),
+  LOG_BIT(smtp_protocol_error),
+  LOG_BIT(smtp_syntax_error),
+
+  Li_8bitmime = BITWORDSIZE,
+  Li_acl_warn_skipped,
+  Li_arguments,
+  Li_deliver_time,
+  Li_delivery_size,
+  Li_dkim,
+  Li_dkim_verbose,
+  Li_dnssec,
+  Li_ident_timeout,
+  Li_incoming_interface,
+  Li_incoming_port,
+  Li_millisec,
+  Li_msg_id,
+  Li_msg_id_created,
+  Li_outgoing_interface,
+  Li_outgoing_port,
+  Li_pid,
+  Li_pipelining,
+  Li_protocol_detail,
+  Li_proxy,
+  Li_queue_time,
+  Li_queue_time_exclusive,
+  Li_queue_time_overall,
+  Li_receive_time,
+  Li_received_sender,
+  Li_received_recipients,
+  Li_rejected_header,
+  Li_return_path_on_delivery,
+  Li_sender_on_delivery,
+  Li_sender_verify_fail,
+  Li_smtp_confirmation,
+  Li_smtp_mailauth,
+  Li_smtp_no_mail,
+  Li_subject,
+  Li_tls_certificate_verified,
+  Li_tls_cipher,
+  Li_tls_peerdn,
+  Li_tls_resumption,
+  Li_tls_sni,
+  Li_unknown_in_list,
+
+  log_selector_size = BITWORD(Li_unknown_in_list) + 1
+};
+
+#define LOGGING(opt) BIT_TEST(log_selector, log_selector_size, Li_##opt)
+
+/* Private error numbers for delivery failures, set negative so as not
+to conflict with system errno values.  Take care to maintain the string
+table exim_errstrings[] in log.c */
+
+#define ERRNO_UNKNOWNERROR    (-1)
+#define ERRNO_USERSLASH       (-2)
+#define ERRNO_EXISTRACE       (-3)
+#define ERRNO_NOTREGULAR      (-4)
+#define ERRNO_NOTDIRECTORY    (-5)
+#define ERRNO_BADUGID         (-6)
+#define ERRNO_BADMODE         (-7)
+#define ERRNO_INODECHANGED    (-8)
+#define ERRNO_LOCKFAILED      (-9)
+#define ERRNO_BADADDRESS2    (-10)
+#define ERRNO_FORBIDPIPE     (-11)
+#define ERRNO_FORBIDFILE     (-12)
+#define ERRNO_FORBIDREPLY    (-13)
+#define ERRNO_MISSINGPIPE    (-14)
+#define ERRNO_MISSINGFILE    (-15)
+#define ERRNO_MISSINGREPLY   (-16)
+#define ERRNO_BADREDIRECT    (-17)
+#define ERRNO_SMTPCLOSED     (-18)
+#define ERRNO_SMTPFORMAT     (-19)
+#define ERRNO_SPOOLFORMAT    (-20)
+#define ERRNO_NOTABSOLUTE    (-21)
+#define ERRNO_EXIMQUOTA      (-22)   /* Exim-imposed quota */
+#define ERRNO_HELD           (-23)
+#define ERRNO_FILTER_FAIL    (-24)   /* Delivery filter process failure */
+#define ERRNO_CHHEADER_FAIL  (-25)   /* Delivery add/remove header failure */
+#define ERRNO_WRITEINCOMPLETE (-26)  /* Delivery write incomplete error */
+#define ERRNO_EXPANDFAIL     (-27)   /* Some expansion failed */
+#define ERRNO_GIDFAIL        (-28)   /* Failed to get gid */
+#define ERRNO_UIDFAIL        (-29)   /* Failed to get uid */
+#define ERRNO_BADTRANSPORT   (-30)   /* Unset or non-existent transport */
+#define ERRNO_MBXLENGTH      (-31)   /* MBX length mismatch */
+#define ERRNO_UNKNOWNHOST    (-32)   /* Lookup failed routing or in smtp tpt */
+#define ERRNO_FORMATUNKNOWN  (-33)   /* Can't match format in appendfile */
+#define ERRNO_BADCREATE      (-34)   /* Creation outside home in appendfile */
+#define ERRNO_LISTDEFER      (-35)   /* Can't check a list; lookup defer */
+#define ERRNO_DNSDEFER       (-36)   /* DNS lookup defer */
+#define ERRNO_TLSFAILURE     (-37)   /* Failed to start TLS session */
+#define ERRNO_TLSREQUIRED    (-38)   /* Mandatory TLS session not started */
+#define ERRNO_CHOWNFAIL      (-39)   /* Failed to chown a file */
+#define ERRNO_PIPEFAIL       (-40)   /* Failed to create a pipe */
+#define ERRNO_CALLOUTDEFER   (-41)   /* When verifying */
+#define ERRNO_AUTHFAIL       (-42)   /* When required by client */
+#define ERRNO_CONNECTTIMEOUT (-43)   /* Used internally in smtp transport */
+#define ERRNO_RCPT4XX        (-44)   /* RCPT gave 4xx error */
+#define ERRNO_MAIL4XX        (-45)   /* MAIL gave 4xx error */
+#define ERRNO_DATA4XX        (-46)   /* DATA gave 4xx error */
+#define ERRNO_PROXYFAIL      (-47)   /* Negotiation failed for proxy configured host */
+#define ERRNO_AUTHPROB       (-48)   /* Authenticator "other" failure */
+#define ERRNO_UTF8_FWD       (-49)   /* target not supporting SMTPUTF8 */
+#define ERRNO_HOST_IS_LOCAL  (-50)   /* Transport refuses to talk to localhost */
+#define ERRNO_TAINT          (-51)   /* Transport refuses to talk use tainted filename */
+
+/* These must be last, so all retry deferments can easily be identified */
+
+#define ERRNO_RETRY_BASE     (-52)   /* Base to test against */
+#define ERRNO_RRETRY         (-52)   /* Not time for routing */
+
+#define ERRNO_WARN_BASE      (-53)   /* Base to test against */
+#define ERRNO_LRETRY         (-53)   /* Not time for local delivery */
+#define ERRNO_HRETRY         (-54)   /* Not time for any remote host */
+#define ERRNO_LOCAL_ONLY     (-55)   /* Local-only delivery */
+#define ERRNO_QUEUE_DOMAIN   (-56)   /* Domain in queue_domains */
+#define ERRNO_TRETRY         (-57)   /* Transport concurrency limit */
+#define ERRNO_EVENT	     (-58)   /* Event processing request alternate response */
+
+
+
+/* Special actions to take after failure or deferment. */
+
+enum {
+  SPECIAL_NONE,             /* No special action */
+  SPECIAL_FREEZE,           /* Freeze message */
+  SPECIAL_FAIL,             /* Fail the delivery */
+  SPECIAL_WARN              /* Send a warning message */
+};
+
+/* Flags that get ORed into the more_errno field of an address to give more
+information about errors for retry purposes. They are greater than 256, because
+the bottom byte contains 'A' or 'M' for remote addresses, to indicate whether
+the name was looked up only via an address record or whether MX records were
+used, respectively. */
+
+#define RTEF_CTOUT     0x0100      /* Connection timed out */
+
+/* Permission and other options for parse_extract_addresses(),
+filter_interpret(), and rda_interpret(), i.e. what special things are allowed
+in redirection operations. Not all apply to all cases. Some of the bits allow
+and some forbid, reflecting the "allow" and "forbid" options in the redirect
+router, which were chosen to represent the standard situation for users'
+.forward files. */
+
+#define RDO_BLACKHOLE    0x00000001  /* Forbid :blackhole: */
+#define RDO_DEFER        0x00000002  /* Allow :defer: or "defer" */
+#define RDO_EACCES       0x00000004  /* Ignore EACCES */
+#define RDO_ENOTDIR      0x00000008  /* Ignore ENOTDIR */
+#define RDO_EXISTS       0x00000010  /* Forbid "exists" in expansion in filter */
+#define RDO_FAIL         0x00000020  /* Allow :fail: or "fail" */
+#define RDO_FILTER       0x00000040  /* Allow a filter script */
+#define RDO_FREEZE       0x00000080  /* Allow "freeze" */
+#define RDO_INCLUDE      0x00000100  /* Forbid :include: */
+#define RDO_LOG          0x00000200  /* Forbid "log" */
+#define RDO_LOOKUP       0x00000400  /* Forbid "lookup" in expansion in filter */
+#define RDO_PERL         0x00000800  /* Forbid "perl" in expansion in filter */
+#define RDO_READFILE     0x00001000  /* Forbid "readfile" in exp in filter */
+#define RDO_READSOCK     0x00002000  /* Forbid "readsocket" in exp in filter */
+#define RDO_RUN          0x00004000  /* Forbid "run" in expansion in filter */
+#define RDO_DLFUNC       0x00008000  /* Forbid "dlfunc" in expansion in filter */
+#define RDO_REALLOG      0x00010000  /* Really do log (not testing/verifying) */
+#define RDO_REWRITE      0x00020000  /* Rewrite generated addresses */
+#define RDO_EXIM_FILTER  0x00040000  /* Forbid Exim filters */
+#define RDO_SIEVE_FILTER 0x00080000  /* Forbid Sieve filters */
+#define RDO_PREPEND_HOME 0x00100000  /* Prepend $home to relative paths in Exim filter save commands */
+
+/* This is the set that apply to expansions in filters */
+
+#define RDO_FILTER_EXPANSIONS \
+  (RDO_EXISTS|RDO_LOOKUP|RDO_PERL|RDO_READFILE|RDO_READSOCK|RDO_RUN|RDO_DLFUNC)
+
+/* As well as the RDO bits themselves, we need the bit numbers in order to
+access (most of) the individual bits as separate options. This could be
+automated, but I haven't bothered. Keep this list in step with the above! */
+
+enum { RDON_BLACKHOLE, RDON_DEFER, RDON_EACCES, RDON_ENOTDIR, RDON_EXISTS,
+  RDON_FAIL, RDON_FILTER, RDON_FREEZE, RDON_INCLUDE, RDON_LOG, RDON_LOOKUP,
+  RDON_PERL, RDON_READFILE, RDON_READSOCK, RDON_RUN, RDON_DLFUNC, RDON_REALLOG,
+  RDON_REWRITE, RDON_EXIM_FILTER, RDON_SIEVE_FILTER, RDON_PREPEND_HOME };
+
+/* Results of filter or forward file processing. Some are only from a filter;
+some are only from a forward file. */
+
+enum {
+  FF_DELIVERED,         /* Success, took significant action */
+  FF_NOTDELIVERED,      /* Success, didn't take significant action */
+  FF_BLACKHOLE,         /* Blackholing requested */
+  FF_DEFER,             /* Defer requested */
+  FF_FAIL,              /* Fail requested */
+  FF_INCLUDEFAIL,       /* :include: failed */
+  FF_NONEXIST,          /* Forward file does not exist */
+  FF_FREEZE,            /* Freeze requested */
+  FF_ERROR              /* We have a problem */
+};
+
+/* Values for identifying particular headers; printing characters are used, so
+they can be read in the spool file for those headers that are permanently
+marked. The lower case values don't get onto the spool; they are used only as
+return values from header_checkname(). */
+
+#define htype_other         ' '   /* Unspecified header */
+#define htype_from          'F'
+#define htype_to            'T'
+#define htype_cc            'C'
+#define htype_bcc           'B'
+#define htype_id            'I'   /* for message-id */
+#define htype_reply_to      'R'
+#define htype_received      'P'   /* P for Postmark */
+#define htype_sender        'S'
+#define htype_old           '*'   /* Replaced header */
+
+#define htype_date          'd'
+#define htype_return_path   'p'
+#define htype_delivery_date 'x'
+#define htype_envelope_to   'e'
+#define htype_subject       's'
+
+/* These values are used only when adding new headers from an ACL; they too
+never get onto the spool. The type of the added header is set by reference
+to the header name, by calling header_checkname(). */
+
+#define htype_add_top       'a'
+#define htype_add_rec       'r'
+#define htype_add_bot       'z'
+#define htype_add_rfc       'f'
+
+/* Types of item in options lists. These are the bottom 8 bits of the "type"
+field, which is an int. The opt_void value is used for entries in tables that
+point to special types of value that are accessed only indirectly (e.g. the
+rewrite data that is built out of a string option.) We need to have some values
+visible in local_scan, so the following are declared there:
+
+  opt_stringptr, opt_int, opt_octint, opt_mkint, opt_Kint, opt_fixed, opt_time,
+  opt_bool
+
+To make sure we don't conflict, the local_scan.h values start from zero, and
+those defined here start from 32. The boolean ones must all be together so they
+can be easily tested as a group. That is the only use of opt_bool_last. */
+
+enum { opt_bit = 32, opt_bool_verify, opt_bool_set, opt_expand_bool,
+  opt_bool_last,
+  opt_rewrite, opt_timelist, opt_uid, opt_gid, opt_uidlist, opt_gidlist,
+  opt_expand_uid, opt_expand_gid, opt_func, opt_void };
+
+/* There's a high-ish bit which is used to flag duplicate options, kept
+for compatibility, which shouldn't be output. Also used for hidden options
+that are automatically maintained from others. Another high bit is used to
+flag driver options that although private (so as to be settable only on some
+drivers), are stored in the instance block so as to be accessible from outside.
+A third high bit is set when an option is read, so as to be able to give an
+error if any option is set twice. Finally, there's a bit which is set when an
+option is set with the "hide" prefix, to prevent -bP from showing it to
+non-admin callers. The next byte up in the int is used to keep the bit number
+for booleans that are kept in one bit. */
+
+#define opt_hidden  0x100      /* Private to Exim */
+#define opt_public  0x200      /* Stored in the main instance block */
+#define opt_set     0x400      /* Option is set */
+#define opt_secure  0x800      /* "hide" prefix used */
+#define opt_rep_con 0x1000     /* Can be appended to by a repeated line (condition) */
+#define opt_rep_str 0x2000     /* Can be appended to by a repeated line (string) */
+#define opt_mask    0x00ff
+
+/* Verify types when directing and routing */
+
+enum { v_none, v_sender, v_recipient, v_expn };
+
+/* Option flags for verify_address() */
+
+#define vopt_fake_sender          0x0001   /* for verify=sender=<address> */
+#define vopt_is_recipient         0x0002
+#define vopt_qualify              0x0004
+#define vopt_expn                 0x0008
+#define vopt_callout_fullpm       0x0010   /* full postmaster during callout */
+#define vopt_callout_random       0x0020   /* during callout */
+#define vopt_callout_no_cache     0x0040   /* disable callout cache */
+#define vopt_callout_recipsender  0x0080   /* use real sender to verify recip */
+#define vopt_callout_recippmaster 0x0100   /* use postmaster to verify recip */
+#define vopt_callout_hold	  0x0200   /* lazy close connection */
+#define vopt_success_on_redirect  0x0400
+#define vopt_quota                0x0800   /* quota check, to local/appendfile */
+
+/* Values for fields in callout cache records */
+
+#define ccache_unknown         0       /* test hasn't been done */
+#define ccache_accept          1
+#define ccache_reject          2       /* All rejections except */
+#define ccache_reject_mfnull   3       /* MAIL FROM:<> was rejected */
+
+/* Options for lookup functions */
+
+#define lookup_querystyle      1    /* query-style lookup */
+#define lookup_absfile         2    /* requires absolute file name */
+#define lookup_absfilequery    4    /* query-style starts with file name */
+
+/* Status values for host_item blocks. Require hstatus_unusable and
+hstatus_unusable_expired to be last. */
+
+enum { hstatus_unknown, hstatus_usable, hstatus_unusable,
+       hstatus_unusable_expired };
+
+/* Reasons why a host is unusable (for clearer log messages) */
+
+enum { hwhy_unknown, hwhy_retry, hwhy_insecure, hwhy_failed, hwhy_deferred,
+       hwhy_ignored };
+
+/* Domain lookup types for routers */
+
+#define LK_DEFAULT	BIT(0)
+#define LK_BYNAME	BIT(1)
+#define LK_BYDNS	BIT(2)	/* those 3 should be mutually exclusive */
+
+#define LK_IPV4_ONLY	BIT(3)
+#define LK_IPV4_PREFER	BIT(4)
+
+/* Values for the self_code fields */
+
+enum { self_freeze, self_defer, self_send, self_reroute, self_pass, self_fail };
+
+/* Flags for rewrite rules */
+
+#define rewrite_sender       0x0001
+#define rewrite_from         0x0002
+#define rewrite_to           0x0004
+#define rewrite_cc           0x0008
+#define rewrite_bcc          0x0010
+#define rewrite_replyto      0x0020
+#define rewrite_all_headers  0x003F  /* all header flags */
+
+#define rewrite_envfrom      0x0040
+#define rewrite_envto        0x0080
+#define rewrite_all_envelope 0x00C0  /* all envelope flags */
+
+#define rewrite_all      (rewrite_all_headers | rewrite_all_envelope)
+
+#define rewrite_smtp         0x0100  /* rewrite at SMTP time */
+#define rewrite_smtp_sender  0x0200  /* SMTP sender rewrite (allows <>) */
+#define rewrite_qualify      0x0400  /* qualify if necessary */
+#define rewrite_repeat       0x0800  /* repeat rewrite rule */
+
+#define rewrite_whole        0x1000  /* option bit for headers */
+#define rewrite_quit         0x2000  /* "no more" option */
+
+/* Flags for log_write(); LOG_MAIN, LOG_PANIC, and LOG_REJECT are also in
+local_scan.h */
+
+#define LOG_MAIN           1      /* Write to the main log */
+#define LOG_PANIC          2      /* Write to the panic log */
+#define LOG_PANIC_DIE      6      /* Write to the panic log and then die */
+#define LOG_REJECT        16      /* Write to the reject log, with headers */
+#define LOG_SENDER        32      /* Add raw sender to the message */
+#define LOG_RECIPIENTS    64      /* Add raw recipients to the message */
+#define LOG_CONFIG       128      /* Add "Exim configuration error" */
+#define LOG_CONFIG_FOR  (256+128) /* Add " for" instead of ":\n" */
+#define LOG_CONFIG_IN   (512+128) /* Add " in line x[ of file y]" */
+
+/* and for debug_bits() logging action control: */
+#define DEBUG_FROM_CONFIG       0x0001
+
+/* SMTP command identifiers for the smtp_connection_had field that records the
+most recent SMTP commands. Must be kept in step with the list of names in
+smtp_in.c that is used for creating the smtp_no_mail logging action. SCH_NONE
+is "empty". */
+
+enum { SCH_NONE, SCH_AUTH, SCH_DATA, SCH_BDAT,
+       SCH_EHLO, SCH_ETRN, SCH_EXPN, SCH_HELO,
+       SCH_HELP, SCH_MAIL, SCH_NOOP, SCH_QUIT, SCH_RCPT, SCH_RSET, SCH_STARTTLS,
+       SCH_VRFY };
+
+/* Returns from host_find_by{name,dns}() */
+
+enum {
+  HOST_FIND_FAILED,     /* failed to find the host */
+  HOST_FIND_AGAIN,      /* could not resolve at this time */
+  HOST_FIND_SECURITY,   /* dnssec required but not acheived */
+  HOST_FOUND,           /* found host */
+  HOST_FOUND_LOCAL,     /* found, but MX points to local host */
+  HOST_IGNORED          /* found but ignored - used internally only */
+};
+
+/* Flags for host_find_bydns() */
+
+#define HOST_FIND_BY_SRV          BIT(0)
+#define HOST_FIND_BY_MX           BIT(1)
+#define HOST_FIND_BY_A            BIT(2)
+#define HOST_FIND_BY_AAAA         BIT(3)
+#define HOST_FIND_QUALIFY_SINGLE  BIT(4)
+#define HOST_FIND_SEARCH_PARENTS  BIT(5)
+#define HOST_FIND_IPV4_FIRST	  BIT(6)
+#define HOST_FIND_IPV4_ONLY	  BIT(7)
+
+/* Actions applied to specific messages. */
+
+enum { MSG_DELIVER, MSG_FREEZE, MSG_REMOVE, MSG_THAW, MSG_ADD_RECIPIENT,
+       MSG_MARK_ALL_DELIVERED, MSG_MARK_DELIVERED, MSG_EDIT_SENDER,
+       MSG_SHOW_COPY, MSG_LOAD, MSG_SETQUEUE,
+       /* These ones must be last: a test for >= MSG_SHOW_BODY is used
+       to test for actions that list individual spool files. */
+       MSG_SHOW_BODY, MSG_SHOW_HEADER, MSG_SHOW_LOG };
+
+/* Returns from the spool_read_header() function */
+
+enum {
+  spool_read_OK,        /* success */
+  spool_read_notopen,   /* open failed */
+  spool_read_enverror,  /* error in the envelope */
+  spool_read_hdrerror   /* error in the headers */
+};
+
+/* Options for transport_write_message */
+
+#define topt_add_return_path    0x0001
+#define topt_add_delivery_date  0x0002
+#define topt_add_envelope_to    0x0004
+#define topt_escape_headers     0x0008	/* Apply escape check to headers */
+#define topt_use_crlf           0x0010	/* Terminate lines with CRLF */
+#define topt_no_headers         0x0020	/* Omit headers */
+#define topt_no_body            0x0040	/* Omit body */
+#define topt_end_dot            0x0080	/* Send terminating dot line */
+#define topt_no_flush		0x0100	/* more data expected after message (eg QUIT) */
+#define topt_use_bdat		0x0200	/* prepend chunks with RFC3030 BDAT header */
+#define topt_output_string	0x0400	/* create string rather than write to fd */
+#define topt_continuation	0x0800	/* do not reset buffer */
+#define topt_not_socket		0x1000	/* cannot do socket-only syscalls */
+
+/* Options for smtp_write_command */
+
+enum {
+  SCMD_FLUSH = 0,	/* write to kernel */
+  SCMD_MORE,		/* write to kernel, but likely more soon */
+  SCMD_BUFFER		/* stash in application cmd output buffer */
+};
+
+/* Flags for recipient_block, used in DSN support */
+
+#define rf_dsnlasthop           0x01  /* Do not propagate DSN any further */
+#define rf_notify_never         0x02  /* NOTIFY= settings */
+#define rf_notify_success       0x04
+#define rf_notify_failure       0x08
+#define rf_notify_delay         0x10
+
+#define rf_dsnflags  (rf_notify_never | rf_notify_success | \
+                      rf_notify_failure | rf_notify_delay)
+
+/* DSN RET types */
+
+#define dsn_ret_full            1
+#define dsn_ret_hdrs            2
+
+#define dsn_support_unknown     0
+#define dsn_support_yes         1
+#define dsn_support_no          2
+
+
+/* Codes for the host_find_failed and host_all_ignored options. */
+
+#define hff_freeze   0
+#define hff_defer    1
+#define hff_pass     2
+#define hff_decline  3
+#define hff_fail     4
+#define hff_ignore   5
+
+/* Router information flags */
+
+#define ri_yestransport    0x0001    /* Must have a transport */
+#define ri_notransport     0x0002    /* Must not have a transport */
+
+/* Codes for match types in match_check_list; to any of them, MCL_NOEXPAND may
+be added */
+
+#define MCL_NOEXPAND  16
+
+enum { MCL_STRING, MCL_DOMAIN, MCL_HOST, MCL_ADDRESS, MCL_LOCALPART };
+
+/* Codes for the places from which ACLs can be called. These are cunningly
+ordered to make it easy to implement tests for certain ACLs when processing
+"control" modifiers, by means of a maximum "where" value. Do not modify this
+order without checking carefully!
+
+**** IMPORTANT***
+****   Furthermore, remember to keep these in step with the tables
+****   of names and response codes in globals.c.
+**** IMPORTANT ****
+*/
+
+enum { ACL_WHERE_RCPT,       /* Some controls are for RCPT only */
+       ACL_WHERE_MAIL,       /* )                                           */
+       ACL_WHERE_PREDATA,    /* ) There are several tests for "in message", */
+       ACL_WHERE_MIME,       /* ) implemented by <= WHERE_NOTSMTP           */
+       ACL_WHERE_DKIM,       /* )                                           */
+       ACL_WHERE_DATA,       /* )                                           */
+#ifndef DISABLE_PRDR
+       ACL_WHERE_PRDR,       /* )                                           */
+#endif
+       ACL_WHERE_NOTSMTP,    /* )                                           */
+
+       ACL_WHERE_AUTH,       /* These remaining ones are not currently    */
+       ACL_WHERE_CONNECT,    /* required to be in a special order so they */
+       ACL_WHERE_ETRN,       /* are just alphabetical.                    */
+       ACL_WHERE_EXPN,
+       ACL_WHERE_HELO,
+       ACL_WHERE_MAILAUTH,
+       ACL_WHERE_NOTSMTP_START,
+       ACL_WHERE_NOTQUIT,
+       ACL_WHERE_QUIT,
+       ACL_WHERE_STARTTLS,
+       ACL_WHERE_VRFY,
+
+       ACL_WHERE_DELIVERY,
+       ACL_WHERE_UNKNOWN     /* Currently used by a ${acl:name} expansion */
+     };
+
+#define ACL_BIT_RCPT		BIT(ACL_WHERE_RCPT)
+#define ACL_BIT_MAIL		BIT(ACL_WHERE_MAIL)
+#define ACL_BIT_PREDATA		BIT(ACL_WHERE_PREDATA)
+#define ACL_BIT_MIME		BIT(ACL_WHERE_MIME)
+#define ACL_BIT_DKIM		BIT(ACL_WHERE_DKIM)
+#define ACL_BIT_DATA		BIT(ACL_WHERE_DATA)
+#ifdef DISABLE_PRDR
+# define ACL_BIT_PRDR		0
+#else
+# define ACL_BIT_PRDR		BIT(ACL_WHERE_PRDR)
+#endif
+#define ACL_BIT_NOTSMTP		BIT(ACL_WHERE_NOTSMTP)
+#define ACL_BIT_AUTH		BIT(ACL_WHERE_AUTH)
+#define ACL_BIT_CONNECT		BIT(ACL_WHERE_CONNECT)
+#define ACL_BIT_ETRN		BIT(ACL_WHERE_ETRN)
+#define ACL_BIT_EXPN		BIT(ACL_WHERE_EXPN)
+#define ACL_BIT_HELO		BIT(ACL_WHERE_HELO)
+#define ACL_BIT_MAILAUTH	BIT(ACL_WHERE_MAILAUTH)
+#define ACL_BIT_NOTSMTP_START	BIT(ACL_WHERE_NOTSMTP_START)
+#define ACL_BIT_NOTQUIT		BIT(ACL_WHERE_NOTQUIT)
+#define ACL_BIT_QUIT		BIT(ACL_WHERE_QUIT)
+#define ACL_BIT_STARTTLS	BIT(ACL_WHERE_STARTTLS)
+#define ACL_BIT_VRFY		BIT(ACL_WHERE_VRFY)
+#define ACL_BIT_DELIVERY	BIT(ACL_WHERE_DELIVERY)
+#define ACL_BIT_UNKNOWN		BIT(ACL_WHERE_UNKNOWN)
+
+#define ACL_BITS_HAVEDATA	(ACL_BIT_MIME | ACL_BIT_DKIM | ACL_BIT_DATA \
+				| ACL_BIT_PRDR \
+				| ACL_BIT_NOTSMTP | ACL_BIT_QUIT | ACL_BIT_NOTQUIT)
+
+
+/* Situations for spool_write_header() */
+
+enum { SW_RECEIVING, SW_DELIVERING, SW_MODIFYING };
+
+/* MX fields for hosts not obtained from MX records are always negative.
+MX_NONE is the default case; lesser values are used when the hosts are
+randomized in batches. */
+
+#define MX_NONE           (-1)
+
+/* host_item.port defaults to PORT_NONE; the only current case where this
+is changed before running the transport is when an dnslookup router sets an
+explicit port number. */
+
+#define PORT_NONE     (-1)
+
+/* Flags for single-key search defaults */
+
+#define SEARCH_STAR       0x01
+#define SEARCH_STARAT     0x02
+
+/* Filter types */
+
+enum { FILTER_UNSET, FILTER_FORWARD, FILTER_EXIM, FILTER_SIEVE };
+
+/* Codes for ESMTP facilities offered by peer */
+
+#define OPTION_TLS		BIT(0)
+#define OPTION_IGNQ		BIT(1)
+#define OPTION_PRDR		BIT(2)
+#define OPTION_UTF8		BIT(3)
+#define OPTION_DSN		BIT(4)
+#define OPTION_PIPE		BIT(5)
+#define OPTION_SIZE		BIT(6)
+#define OPTION_CHUNKING		BIT(7)
+#define OPTION_EARLY_PIPE	BIT(8)
+
+/* Argument for *_getc */
+
+#define GETC_BUFFER_UNLIMITED	UINT_MAX
+
+/* UTF-8 chars for line-drawing */
+
+#define UTF8_DOWN_RIGHT		"\xE2\x95\xAD"
+#define UTF8_VERT		"\xE2\x94\x82"
+#define UTF8_HORIZ		"\xE2\x94\x80"
+#define UTF8_VERT_RIGHT		"\xE2\x94\x9C"
+#define UTF8_UP_RIGHT		"\xE2\x95\xB0"
+#define UTF8_VERT_2DASH		"\xE2\x95\x8E"
+
+
+/* Options on tls_close */
+#define TLS_NO_SHUTDOWN		0	/* Just forget the context */
+#define TLS_SHUTDOWN_NOWAIT	1	/* Send alert; do not wait */
+#define TLS_SHUTDOWN_WAIT	2	/* Send alert & wait for peer's alert */
+#define TLS_SHUTDOWN_WONLY	3	/* only wait for peer's alert */
+
+
+#ifdef COMPILE_UTILITY
+# define ALARM(seconds) alarm(seconds);
+# define ALARM_CLR(seconds) alarm(seconds);
+#else
+/* For debugging of odd alarm-signal problems, stash caller info while the
+alarm is active.  Clear it down on cancelling the alarm so we can tell there
+should not be one active. */
+
+# define ALARM(seconds) \
+    debug_selector & D_any \
+    ? (sigalarm_setter = CUS __FUNCTION__, alarm(seconds)) : alarm(seconds);
+# define ALARM_CLR(seconds) \
+    debug_selector & D_any \
+    ? (sigalarm_setter = NULL, alarm(seconds)) : alarm(seconds);
+#endif
+
+#define AUTHS_REGEX US"\\n250[\\s\\-]AUTH\\s+([\\-\\w \\t]+)(?:\\n|$)"
+
+#define EARLY_PIPE_FEATURE_NAME "PIPECONNECT"
+#define EARLY_PIPE_FEATURE_LEN  11
+
+
+/* Flags for auth_client_item() */
+
+#define AUTH_ITEM_FIRST	BIT(0)
+#define AUTH_ITEM_LAST	BIT(1)
+#define AUTH_ITEM_IGN64	BIT(2)
+
+
+/* Flags for tls_{in,out}_resumption */
+#define RESUME_SUPPORTED	BIT(0)
+#define RESUME_CLIENT_REQUESTED	BIT(1)
+#define RESUME_CLIENT_SUGGESTED	BIT(2)
+#define RESUME_SERVER_TICKET	BIT(3)
+#define RESUME_USED		BIT(4)
+
+#define RESUME_DECODE_STRING \
+	  US"not requested or offered : 0x02 :client requested, no server ticket" \
+    ": 0x04 : 0x05 : 0x06 :client offered session, no server action" \
+    ": 0x08 :no client request: 0x0A :client requested new ticket, server provided" \
+    ": 0x0C :client offered session, not used: 0x0E :client offered session, server only provided new ticket" \
+    ": 0x10 :session resumed unasked: 0x12 :session resumed unasked" \
+    ": 0x14 : 0x15 : 0x16 :session resumed" \
+    ": 0x18 :session resumed unasked: 0x1A :session resumed unasked" \
+    ": 0x1C :session resumed: 0x1E :session resumed, also new ticket"
+
+/* Flags for string_vformat */
+#define SVFMT_EXTEND		BIT(0)
+#define SVFMT_REBUFFER		BIT(1)
+#define SVFMT_TAINT_NOCHK	BIT(2)
+
+
+#define NOTIFIER_SOCKET_NAME	"exim_daemon_notify"
+#define NOTIFY_MSG_QRUN		1	/* Notify message types */
+#define NOTIFY_QUEUE_SIZE_REQ	2
+
+/* End of macros.h */
diff --git a/src/malware.c b/src/malware.c
new file mode 100644
index 0000000..4719a5d
--- /dev/null
+++ b/src/malware.c
@@ -0,0 +1,2328 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/*
+ * Copyright (c) The Exim Maintainers 2015 - 2022
+ * Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015
+ * License: GPL
+ */
+
+/* Code for calling virus (malware) scanners. Called from acl.c. */
+
+#include "exim.h"
+#ifdef WITH_CONTENT_SCAN	/* entire file */
+
+typedef enum {
+#ifndef DISABLE_MAL_FFROTD
+	M_FPROTD,
+#endif
+#ifndef DISABLE_MAL_FFROT6D
+	M_FPROT6D,
+#endif
+#ifndef DISABLE_MAL_DRWEB
+	M_DRWEB,
+#endif
+#ifndef DISABLE_MAL_AVE
+	M_AVES,
+#endif
+#ifndef DISABLE_MAL_FSECURE
+	M_FSEC,
+#endif
+#ifndef DISABLE_MAL_KAV
+	M_KAVD,
+#endif
+#ifndef DISABLE_MAL_SOPHIE
+	M_SOPHIE,
+#endif
+#ifndef DISABLE_MAL_CLAM
+	M_CLAMD,
+#endif
+#ifndef DISABLE_MAL_MKS
+	M_MKSD,
+#endif
+#ifndef DISABLE_MAL_AVAST
+	M_AVAST,
+#endif
+#ifndef DISABLE_MAL_SOCK
+	M_SOCK,
+#endif
+#ifndef DISABLE_MAL_CMDLINE
+	M_CMDL,
+#endif
+	M_DUMMY
+	} scanner_t;
+typedef enum {MC_NONE, MC_TCP, MC_UNIX, MC_STRM} contype_t;
+static struct scan
+{
+  scanner_t	scancode;
+  const uschar * name;
+  const uschar * options_default;
+  contype_t	conn;
+} m_scans[] =
+{
+#ifndef DISABLE_MAL_FFROTD
+  { M_FPROTD,	US"f-protd",	US"localhost 10200-10204",	      MC_TCP },
+#endif
+#ifndef DISABLE_MAL_FFROT6D
+  { M_FPROT6D,	US"f-prot6d",	US"localhost 10200",		      MC_TCP },
+#endif
+#ifndef DISABLE_MAL_DRWEB
+  { M_DRWEB,	US"drweb",	US"/usr/local/drweb/run/drwebd.sock", MC_STRM },
+#endif
+#ifndef DISABLE_MAL_AVE
+  { M_AVES,	US"aveserver",	US"/var/run/aveserver",		      MC_UNIX },
+#endif
+#ifndef DISABLE_MAL_FSECURE
+  { M_FSEC,	US"fsecure",	US"/var/run/.fsav",		      MC_UNIX },
+#endif
+#ifndef DISABLE_MAL_KAV
+  { M_KAVD,	US"kavdaemon",	US"/var/run/AvpCtl",		      MC_UNIX },
+#endif
+#ifndef DISABLE_MAL_SOPHIE
+  { M_SOPHIE,	US"sophie",	US"/var/run/sophie",		      MC_UNIX },
+#endif
+#ifndef DISABLE_MAL_CLAM
+  { M_CLAMD,	US"clamd",	US"/tmp/clamd",			      MC_NONE },
+#endif
+#ifndef DISABLE_MAL_MKS
+  { M_MKSD,	US"mksd",	NULL,				      MC_NONE },
+#endif
+#ifndef DISABLE_MAL_AVAST
+  { M_AVAST,	US"avast",	US"/var/run/avast/scan.sock",	      MC_STRM },
+#endif
+#ifndef DISABLE_MAL_SOCK
+  { M_SOCK,	US"sock",	US"/tmp/malware.sock",		      MC_STRM },
+#endif
+#ifndef DISABLE_MAL_CMDLINE
+  { M_CMDL,	US"cmdline",	NULL,				      MC_NONE },
+#endif
+  { -1,		NULL,		NULL, MC_NONE }		/* end-marker */
+};
+
+/******************************************************************************/
+# ifdef MACRO_PREDEF		/* build solely to predefine macros */
+
+#  include "macro_predef.h"
+
+void
+features_malware(void)
+{
+const uschar * s;
+uschar * t;
+uschar buf[EXIM_DRIVERNAME_MAX];
+
+spf(buf, sizeof(buf), US"_HAVE_MALWARE_");
+
+for (const struct scan * sc = m_scans; sc->scancode != -1; sc++)
+  {
+  for (s = sc->name, t = buf+14; *s; s++) if (*s != '-')
+    *t++ = toupper(*s);
+  *t = '\0';
+  builtin_macro_create(buf);
+  }
+}
+
+/******************************************************************************/
+# else	/*!MACRO_PREDEF, main build*/
+
+
+#define MALWARE_TIMEOUT 120	/* default timeout, seconds */
+
+static const uschar * malware_regex_default = US ".+";
+static const pcre2_code * malware_default_re = NULL;
+
+
+#ifndef DISABLE_MAL_CLAM
+/* The maximum number of clamd servers that are supported in the configuration */
+# define MAX_CLAMD_SERVERS 32
+# define MAX_CLAMD_SERVERS_S "32"
+
+typedef struct clamd_address {
+  uschar * hostspec;
+  unsigned tcp_port;
+  unsigned retry;
+} clamd_address;
+#endif
+
+
+#ifndef DISABLE_MAL_DRWEB
+# define DRWEBD_SCAN_CMD             (1)     /* scan file, buffer or diskfile */
+# define DRWEBD_RETURN_VIRUSES       (1<<0)   /* ask daemon return to us viruses names from report */
+# define DRWEBD_IS_MAIL              (1<<19)  /* say to daemon that format is "archive MAIL" */
+
+# define DERR_READ_ERR               (1<<0)   /* read error */
+# define DERR_NOMEMORY               (1<<2)   /* no memory */
+# define DERR_TIMEOUT                (1<<9)   /* scan timeout has run out */
+# define DERR_BAD_CALL               (1<<15)  /* wrong command */
+
+static const uschar * drweb_re_str = US "infected\\swith\\s*(.+?)$";
+static const pcre2_code * drweb_re = NULL;
+#endif
+
+#ifndef DISABLE_MAL_FSECURE
+static const uschar * fsec_re_str = US "\\S{0,5}INFECTED\\t[^\\t]*\\t([^\\t]+)\\t\\S*$";
+static const pcre2_code * fsec_re = NULL;
+#endif
+
+#ifndef DISABLE_MAL_KAV
+static const uschar * kav_re_sus_str = US "suspicion:\\s*(.+?)\\s*$";
+static const uschar * kav_re_inf_str = US "infected:\\s*(.+?)\\s*$";
+static const pcre2_code * kav_re_sus = NULL;
+static const pcre2_code * kav_re_inf = NULL;
+#endif
+
+#ifndef DISABLE_MAL_AVAST
+static const uschar * ava_re_clean_str = US "(?!\\\\)\\t\\[\\+\\]";
+static const uschar * ava_re_virus_str = US "(?!\\\\)\\t\\[L\\]\\d+\\.0\\t0\\s(.*)";
+static const uschar * ava_re_error_str = US "(?!\\\\)\\t\\[E\\]\\d+\\.0\\tError\\s\\d+\\s(.*)";
+static const pcre2_code * ava_re_clean = NULL;
+static const pcre2_code * ava_re_virus = NULL;
+static const pcre2_code * ava_re_error = NULL;
+#endif
+
+#ifndef DISABLE_MAL_FFROT6D
+static const uschar * fprot6d_re_error_str = US "^\\d+\\s<(.+?)>$";
+static const uschar * fprot6d_re_virus_str = US "^\\d+\\s<infected:\\s+(.+?)>\\s+.+$";
+static const pcre2_code * fprot6d_re_error = NULL;
+static const pcre2_code * fprot6d_re_virus = NULL;
+#endif
+
+
+
+/******************************************************************************/
+
+#ifndef DISABLE_MAL_KAV
+/* Routine to check whether a system is big- or little-endian.
+   Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html
+   Needed for proper kavdaemon implementation. Sigh. */
+# define BIG_MY_ENDIAN      0
+# define LITTLE_MY_ENDIAN   1
+static int test_byte_order(void);
+static inline int
+test_byte_order()
+{
+  short int word = 0x0001;
+  char *byte = CS  &word;
+  return(byte[0] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN);
+}
+#endif
+
+BOOL malware_ok = FALSE;
+
+/* Gross hacks for the -bmalware option; perhaps we should just create
+the scan directory normally for that case, but look into rigging up the
+needed header variables if not already set on the command-line? */
+extern int spool_mbox_ok;
+extern uschar spooled_message_id[MESSAGE_ID_LENGTH+1];
+
+
+/* Some (currently avast only) use backslash escaped whitespace,
+this function undoes these escapes */
+
+#ifndef DISABLE_MAL_AVAST
+static inline void
+unescape(uschar *p)
+{
+uschar *p0;
+for (; *p; ++p)
+  if (*p == '\\' && (isspace(p[1]) || p[1] == '\\'))
+    for (p0 = p; *p0; ++p0) *p0 = p0[1];
+}
+#endif
+
+/* --- malware_*_defer --- */
+static inline int
+malware_panic_defer(const uschar * str)
+{
+log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: %s", str);
+return DEFER;
+}
+static inline int
+malware_log_defer(const uschar * str)
+{
+log_write(0, LOG_MAIN, "malware acl condition: %s", str);
+return DEFER;
+}
+/* --- m_*_defer --- */
+static inline int
+m_panic_defer(struct scan * scanent, const uschar * hostport,
+  const uschar * str)
+{
+return malware_panic_defer(string_sprintf("%s %s : %s",
+  scanent->name, hostport ? hostport : CUS"", str));
+}
+/* --- m_*_defer_3 */
+static inline int
+m_panic_defer_3(struct scan * scanent, const uschar * hostport,
+  const uschar * str, int fd_to_close)
+{
+DEBUG(D_acl) debug_print_socket(fd_to_close);
+(void) close(fd_to_close);
+return m_panic_defer(scanent, hostport, str);
+}
+
+/*************************************************/
+
+#ifndef DISABLE_MAL_CLAM
+/* Only used by the Clamav code, which is working from a list of servers and
+uses the returned in_addr to get a second connection to the same system.
+*/
+static inline int
+m_tcpsocket(const uschar * hostname, unsigned int port,
+	host_item * host, uschar ** errstr, const blob * fastopen_blob)
+{
+int fd = ip_connectedsocket(SOCK_STREAM, hostname, port, port, 5,
+			  host, errstr, fastopen_blob);
+#ifdef EXIM_TFO_FREEBSD
+/* Under some fault conditions, FreeBSD 12.2 seen to send a (non-TFO) SYN
+and, getting no response, wait for a long time.  Impose a 5s max. */
+if (fd >= 0)
+  (void) poll_one_fd(fd, POLLOUT, 5 * 1000);
+#endif
+return fd;
+}
+#endif
+
+static int
+m_sock_send(int sock, uschar * buf, int cnt, uschar ** errstr)
+{
+if (send(sock, buf, cnt, 0) < 0)
+  {
+  int err = errno;
+  (void)close(sock);
+  *errstr = string_sprintf("unable to send to socket (%s): %s",
+	 buf, strerror(err));
+  return -1;
+  }
+return sock;
+}
+
+static const pcre2_code *
+m_pcre_compile(const uschar * re, uschar ** errstr)
+{
+int err;
+PCRE2_SIZE roffset;
+const pcre2_code * cre;
+
+if (!(cre = pcre2_compile((PCRE2_SPTR)re, PCRE2_ZERO_TERMINATED,
+	      PCRE_COPT, &err, &roffset, pcre_cmp_ctx)))
+  {
+  uschar errbuf[128];
+  pcre2_get_error_message(err, errbuf, sizeof(errbuf));
+  *errstr= string_sprintf("regular expression error in '%s': %s at offset %ld",
+      re, errbuf, (long)roffset);
+  }
+return cre;
+}
+
+uschar *
+m_pcre_exec(const pcre2_code * cre, uschar * text)
+{
+pcre2_match_data * md = pcre2_match_data_create(2, pcre_gen_ctx);
+int i = pcre2_match(cre, text, PCRE2_ZERO_TERMINATED, 0, 0, md, pcre_mtc_ctx);
+PCRE2_UCHAR * substr = NULL;
+PCRE2_SIZE slen;
+
+if (i >= 2)				/* Got it */
+  pcre2_substring_get_bynumber(md, 1, &substr, &slen);
+return US substr;
+}
+
+static const pcre2_code *
+m_pcre_nextinlist(const uschar ** list, int * sep,
+ char * listerr, uschar ** errstr)
+{
+const uschar * list_ele;
+const pcre2_code * cre = NULL;
+
+if (!(list_ele = string_nextinlist(list, sep, NULL, 0)))
+  *errstr = US listerr;
+else
+  {
+  DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "RE: ",
+    string_printing(list_ele));
+  cre = m_pcre_compile(CUS list_ele, errstr);
+  }
+return cre;
+}
+
+
+/*
+ Simple though inefficient wrapper for reading a line.  Drop CRs and the
+ trailing newline. Can return early on buffer full. Null-terminate.
+ Apply initial timeout if no data ready.
+
+ Return: number of chars - zero for an empty line
+	 -1 on EOF
+         -2 on timeout or error
+*/
+static int
+recv_line(int fd, uschar * buffer, int bsize, time_t tmo)
+{
+uschar * p = buffer;
+ssize_t rcv;
+BOOL ok = FALSE;
+
+if (!fd_ready(fd, tmo))
+  return -2;
+
+/*XXX tmo handling assumes we always get a whole line */
+/* read until \n */
+errno = 0;
+while ((rcv = read(fd, p, 1)) > 0)
+  {
+  ok = TRUE;
+  if (p-buffer > bsize-2) break;
+  if (*p == '\n') break;
+  if (*p != '\r') p++;
+  }
+if (!ok)
+  {
+  DEBUG(D_acl)
+    {
+    debug_printf_indent("Malware scan: read %s (%s)\n",
+		rcv==0 ? "EOF" : "error", strerror(errno));
+    debug_print_socket(fd);
+    }
+  return rcv==0 ? -1 : -2;
+  }
+*p = '\0';
+
+DEBUG(D_acl) debug_printf_indent("Malware scan: read '%s'\n", buffer);
+return p - buffer;
+}
+
+/* return TRUE iff size as requested */
+#ifndef DISABLE_MAL_DRWEB
+static BOOL
+recv_len(int sock, void * buf, int size, time_t tmo)
+{
+return fd_ready(sock, tmo)
+  ? recv(sock, buf, size, 0) == size
+  : FALSE;
+}
+#endif
+
+
+
+#ifndef DISABLE_MAL_MKS
+/* ============= private routines for the "mksd" scanner type ============== */
+
+# include <sys/uio.h>
+
+static inline int
+mksd_writev (int sock, struct iovec * iov, int iovcnt)
+{
+int i;
+
+for (;;)
+  {
+  do
+    i = writev (sock, iov, iovcnt);
+  while (i < 0 && errno == EINTR);
+  if (i <= 0)
+    {
+    (void) malware_panic_defer(
+	    US"unable to write to mksd UNIX socket (/var/run/mksd/socket)");
+    return -1;
+    }
+  for (;;)	/* check for short write */
+    if (i >= iov->iov_len)
+      {
+      if (--iovcnt == 0)
+	return 0;
+      i -= iov->iov_len;
+      iov++;
+      }
+    else
+      {
+      iov->iov_len -= i;
+      iov->iov_base = CS iov->iov_base + i;
+      break;
+      }
+  }
+}
+
+static inline int
+mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size, time_t tmo)
+{
+client_conn_ctx cctx = {.sock = sock};
+int offset = 0;
+int i;
+
+do
+  {
+  i = ip_recv(&cctx, av_buffer+offset, av_buffer_size-offset, tmo);
+  if (i <= 0)
+    {
+    (void) malware_panic_defer(US"unable to read from mksd UNIX socket (/var/run/mksd/socket)");
+    return -1;
+    }
+
+  offset += i;
+  /* offset == av_buffer_size -> buffer full */
+  if (offset == av_buffer_size)
+    {
+    (void) malware_panic_defer(US"malformed reply received from mksd");
+    return -1;
+    }
+  } while (av_buffer[offset-1] != '\n');
+
+av_buffer[offset] = '\0';
+return offset;
+}
+
+static inline int
+mksd_parse_line(struct scan * scanent, char * line)
+{
+char *p;
+
+switch (*line)
+  {
+  case 'O': /* OK */
+    return OK;
+
+  case 'E':
+  case 'A': /* ERR */
+    if ((p = strchr (line, '\n')) != NULL)
+      *p = '\0';
+    return m_panic_defer(scanent, NULL,
+      string_sprintf("scanner failed: %s", line));
+
+  default: /* VIR */
+    if ((p = strchr (line, '\n')) != NULL)
+      {
+      *p = '\0';
+      if (  p-line > 5
+         && line[3] == ' '
+	 && (p = strchr(line+4, ' ')) != NULL
+	 && p-line > 4
+	 )
+	{
+	*p = '\0';
+	malware_name = string_copy(US line+4);
+	return OK;
+	}
+      }
+    return m_panic_defer(scanent, NULL,
+      string_sprintf("malformed reply received: %s", line));
+  }
+}
+
+static int
+mksd_scan_packed(struct scan * scanent, int sock, const uschar * scan_filename,
+  time_t tmo)
+{
+struct iovec iov[3];
+const char *cmd = "MSQ\n";
+uschar av_buffer[1024];
+
+iov[0].iov_base = (void *) cmd;
+iov[0].iov_len = 3;
+iov[1].iov_base = (void *) scan_filename;
+iov[1].iov_len = Ustrlen(scan_filename);
+iov[2].iov_base = (void *) (cmd + 3);
+iov[2].iov_len = 1;
+
+if (mksd_writev (sock, iov, 3) < 0)
+  return DEFER;
+
+if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer), tmo) < 0)
+  return DEFER;
+
+return mksd_parse_line (scanent, CS av_buffer);
+}
+#endif	/* MKSD */
+
+
+#ifndef DISABLE_MAL_CLAM
+static int
+clamd_option(clamd_address * cd, const uschar * optstr, int * subsep)
+{
+uschar * s;
+
+cd->retry = 0;
+while ((s = string_nextinlist(&optstr, subsep, NULL, 0)))
+  if (Ustrncmp(s, "retry=", 6) == 0)
+    {
+    int sec = readconf_readtime((s += 6), '\0', FALSE);
+    if (sec < 0)
+      return FAIL;
+    cd->retry = sec;
+    }
+  else
+    return FAIL;
+return OK;
+}
+#endif
+
+
+
+/*************************************************
+*          Scan content for malware              *
+*************************************************/
+
+/* This is an internal interface for scanning an email; the normal interface
+is via malware(), or there's malware_in_file() used for testing/debugging.
+
+Arguments:
+  malware_re    match condition for "malware="
+  scan_filename  the file holding the email to be scanned, if we're faking
+		this up for the -bmalware test, else NULL
+  timeout	if nonzero, non-default timeoutl
+
+Returns:        Exim message processing code (OK, FAIL, DEFER, ...)
+                where true means malware was found (condition applies)
+*/
+static int
+malware_internal(const uschar * malware_re, const uschar * scan_filename,
+  int timeout)
+{
+int sep = 0;
+const uschar *av_scanner_work = av_scanner;
+uschar *scanner_name;
+unsigned long mbox_size;
+FILE *mbox_file;
+const pcre2_code *re;
+uschar * errstr;
+struct scan * scanent;
+const uschar * scanner_options;
+client_conn_ctx malware_daemon_ctx = {.sock = -1};
+time_t tmo;
+uschar * eml_filename, * eml_dir;
+
+if (!malware_re)
+  return FAIL;		/* empty means "don't match anything" */
+
+/* Ensure the eml mbox file is spooled up */
+
+if (!(mbox_file = spool_mbox(&mbox_size, scan_filename, &eml_filename)))
+  return malware_panic_defer(US"error while creating mbox spool file");
+
+/* None of our current scanners need the mbox file as a stream (they use
+the name), so we can close it right away.  Get the directory too. */
+
+(void) fclose(mbox_file);
+eml_dir = string_copyn(eml_filename, Ustrrchr(eml_filename, '/') - eml_filename);
+
+/* parse 1st option */
+if (strcmpic(malware_re, US"false") == 0  ||  Ustrcmp(malware_re,"0") == 0)
+  return FAIL;		/* explicitly no matching */
+
+/* special cases (match anything except empty) */
+if (  strcmpic(malware_re,US"true") == 0
+   || Ustrcmp(malware_re,"*") == 0
+   || Ustrcmp(malware_re,"1") == 0
+   )
+  {
+  if (  !malware_default_re
+     && !(malware_default_re = m_pcre_compile(malware_regex_default, &errstr)))
+    return malware_panic_defer(errstr);
+  malware_re = malware_regex_default;
+  re = malware_default_re;
+  }
+
+/* compile the regex, see if it works */
+else if (!(re = m_pcre_compile(malware_re, &errstr)))
+  return malware_panic_defer(errstr);
+
+/* if av_scanner starts with a dollar, expand it first */
+if (*av_scanner == '$')
+  {
+  if (!(av_scanner_work = expand_string(av_scanner)))
+    return malware_panic_defer(
+	 string_sprintf("av_scanner starts with $, but expansion failed: %s",
+	 expand_string_message));
+
+  DEBUG(D_acl)
+    debug_printf_indent("Expanded av_scanner global: %s\n", av_scanner_work);
+  /* disable result caching in this case */
+  malware_name = NULL;
+  malware_ok = FALSE;
+  }
+
+/* Do not scan twice (unless av_scanner is dynamic). */
+if (!malware_ok)
+  {
+  /* find the scanner type from the av_scanner option */
+  if (!(scanner_name = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
+    return malware_panic_defer(US"av_scanner configuration variable is empty");
+  if (!timeout) timeout = MALWARE_TIMEOUT;
+  tmo = time(NULL) + timeout;
+
+  for (scanent = m_scans; ; scanent++)
+    {
+    if (!scanent->name)
+      return malware_panic_defer(string_sprintf("unknown scanner type '%s'",
+	scanner_name));
+    if (strcmpic(scanner_name, US scanent->name) != 0)
+      continue;
+    DEBUG(D_acl) debug_printf_indent("Malware scan:  %s tmo=%s\n",
+      scanner_name, readconf_printtime(timeout));
+
+    if (!(scanner_options = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
+      scanner_options = scanent->options_default;
+    if (scanent->conn == MC_NONE)
+      break;
+
+    DEBUG(D_acl) debug_printf_indent("%15s%10s%s\n", "", "socket: ", scanner_options);
+    switch(scanent->conn)
+    {
+    case MC_TCP:
+      malware_daemon_ctx.sock = ip_tcpsocket(scanner_options, &errstr, 5, NULL); break;
+    case MC_UNIX:
+      malware_daemon_ctx.sock = ip_unixsocket(scanner_options, &errstr);	break;
+    case MC_STRM:
+      malware_daemon_ctx.sock = ip_streamsocket(scanner_options, &errstr, 5, NULL); break;
+    default:
+      /* compiler quietening */ break;
+    }
+    if (malware_daemon_ctx.sock < 0)
+      return m_panic_defer(scanent, CUS callout_address, errstr);
+    break;
+  }
+
+  switch (scanent->scancode)
+    {
+#ifndef DISABLE_MAL_FFROTD
+    case M_FPROTD: /* "f-protd" scanner type -------------------------------- */
+      {
+      uschar *fp_scan_option;
+      unsigned int detected=0, par_count=0;
+      uschar * scanrequest;
+      uschar buf[32768], *strhelper, *strhelper2;
+      uschar * malware_name_internal = NULL;
+      int len;
+
+      scanrequest = string_sprintf("GET %s", eml_filename);
+
+      while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep,
+			    NULL, 0)))
+	{
+	scanrequest = string_sprintf("%s%s%s", scanrequest,
+				  par_count ? "%20" : "?", fp_scan_option);
+	par_count++;
+	}
+      scanrequest = string_sprintf("%s HTTP/1.0\r\n\r\n", scanrequest);
+      DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s: %s\n",
+	scanner_name, scanrequest);
+
+      /* send scan request */
+      if (m_sock_send(malware_daemon_ctx.sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
+	return m_panic_defer(scanent, CUS callout_address, errstr);
+
+      while ((len = recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo)) >= 0)
+	if (len > 0)
+	  {
+	  if (Ustrstr(buf, US"<detected type=\"") != NULL)
+	    detected = 1;
+	  else if (detected && (strhelper = Ustrstr(buf, US"<name>")))
+	    {
+	    if ((strhelper2 = Ustrstr(buf, US"</name>")) != NULL)
+	      {
+	      *strhelper2 = '\0';
+	      malware_name_internal = string_copy(strhelper+6);
+	      }
+	    }
+	  else if (Ustrstr(buf, US"<summary code=\""))
+	    {
+	    malware_name = Ustrstr(buf, US"<summary code=\"11\">")
+		? malware_name_internal : NULL;
+	    break;
+	    }
+	  }
+      if (len < -1)
+	{
+	(void)close(malware_daemon_ctx.sock);
+	return DEFER;
+	}
+      break;
+      }	/* f-protd */
+#endif
+
+#ifndef DISABLE_MAL_FFROT6D
+    case M_FPROT6D: /* "f-prot6d" scanner type ----------------------------------- */
+      {
+      int bread;
+      uschar * e;
+      uschar * linebuffer;
+      uschar * scanrequest;
+      uschar av_buffer[1024];
+
+      if ((!fprot6d_re_virus && !(fprot6d_re_virus = m_pcre_compile(fprot6d_re_virus_str, &errstr)))
+        || (!fprot6d_re_error && !(fprot6d_re_error = m_pcre_compile(fprot6d_re_error_str, &errstr))))
+        return malware_panic_defer(errstr);
+
+      scanrequest = string_sprintf("SCAN FILE %s\n", eml_filename);
+      DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s: %s\n",
+        scanner_name, scanrequest);
+
+      if (m_sock_send(malware_daemon_ctx.sock, scanrequest, Ustrlen(scanrequest), &errstr) < 0)
+        return m_panic_defer(scanent, CUS callout_address, errstr);
+
+      bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo);
+
+      if (bread <= 0)
+        return m_panic_defer_3(scanent, CUS callout_address,
+          string_sprintf("unable to read from socket (%s)", strerror(errno)),
+          malware_daemon_ctx.sock);
+
+      if (bread == sizeof(av_buffer))
+        return m_panic_defer_3(scanent, CUS callout_address,
+          US"buffer too small", malware_daemon_ctx.sock);
+
+      av_buffer[bread] = '\0';
+      linebuffer = string_copy(av_buffer);
+
+      m_sock_send(malware_daemon_ctx.sock, US"QUIT\n", 5, 0);
+
+      if ((e = m_pcre_exec(fprot6d_re_error, linebuffer)))
+        return m_panic_defer_3(scanent, CUS callout_address,
+          string_sprintf("scanner reported error (%s)", e), malware_daemon_ctx.sock);
+
+      if (!(malware_name = m_pcre_exec(fprot6d_re_virus, linebuffer)))
+        malware_name = NULL;
+
+      break;
+      }  /* f-prot6d */
+#endif
+
+#ifndef DISABLE_MAL_DRWEB
+    case M_DRWEB: /* "drweb" scanner type ----------------------------------- */
+  /* v0.1 - added support for tcp sockets          */
+  /* v0.0 - initial release -- support for unix sockets      */
+      {
+      int result;
+      off_t fsize;
+      unsigned int fsize_uint;
+      uschar * tmpbuf, *drweb_fbuf;
+      int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd,
+	  drweb_vnum, drweb_slen, drweb_fin = 0x0000;
+
+      /* prepare variables */
+      drweb_cmd = htonl(DRWEBD_SCAN_CMD);
+      drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
+
+      if (*scanner_options != '/')
+	{
+	/* calc file size */
+	if ((drweb_fd = exim_open2(CCS eml_filename, O_RDONLY)) == -1)
+	  return m_panic_defer_3(scanent, NULL,
+	    string_sprintf("can't open spool file %s: %s",
+	      eml_filename, strerror(errno)),
+	    malware_daemon_ctx.sock);
+
+	if ((fsize = lseek(drweb_fd, 0, SEEK_END)) == -1)
+	  {
+	  int err;
+badseek:  err = errno;
+	  (void)close(drweb_fd);
+	  return m_panic_defer_3(scanent, NULL,
+	    string_sprintf("can't seek spool file %s: %s",
+	      eml_filename, strerror(err)),
+	    malware_daemon_ctx.sock);
+	  }
+	fsize_uint = (unsigned int) fsize;
+	if ((off_t)fsize_uint != fsize)
+	  {
+	  (void)close(drweb_fd);
+	  return m_panic_defer_3(scanent, NULL,
+	    string_sprintf("seeking spool file %s, size overflow",
+	      eml_filename),
+	    malware_daemon_ctx.sock);
+	  }
+	drweb_slen = htonl(fsize);
+	if (lseek(drweb_fd, 0, SEEK_SET) < 0)
+	  goto badseek;
+
+	DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s remote scan [%s]\n",
+	    scanner_name, scanner_options);
+
+	/* send scan request */
+	if ((send(malware_daemon_ctx.sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, &drweb_slen, sizeof(drweb_slen), 0) < 0))
+	  {
+	  (void)close(drweb_fd);
+	  return m_panic_defer_3(scanent, CUS callout_address, string_sprintf(
+	    "unable to send commands to socket (%s)", scanner_options),
+	    malware_daemon_ctx.sock);
+	  }
+
+	if (!(drweb_fbuf = store_malloc(fsize_uint)))
+	  {
+	  (void)close(drweb_fd);
+	  return m_panic_defer_3(scanent, NULL,
+	    string_sprintf("unable to allocate memory %u for file (%s)",
+	      fsize_uint, eml_filename),
+	    malware_daemon_ctx.sock);
+	  }
+
+	if ((result = read (drweb_fd, drweb_fbuf, fsize)) == -1)
+	  {
+	  int err = errno;
+	  (void)close(drweb_fd);
+	  store_free(drweb_fbuf);
+	  return m_panic_defer_3(scanent, NULL,
+	    string_sprintf("can't read spool file %s: %s",
+	      eml_filename, strerror(err)),
+	    malware_daemon_ctx.sock);
+	  }
+	(void)close(drweb_fd);
+
+	/* send file body to socket */
+	if (send(malware_daemon_ctx.sock, drweb_fbuf, fsize, 0) < 0)
+	  {
+	  store_free(drweb_fbuf);
+	  return m_panic_defer_3(scanent, CUS callout_address, string_sprintf(
+	    "unable to send file body to socket (%s)", scanner_options),
+	    malware_daemon_ctx.sock);
+	  }
+	store_free(drweb_fbuf);
+	}
+      else
+	{
+	drweb_slen = htonl(Ustrlen(eml_filename));
+
+	DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s local scan [%s]\n",
+	    scanner_name, scanner_options);
+
+	/* send scan request */
+	if ((send(malware_daemon_ctx.sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, eml_filename, Ustrlen(eml_filename), 0) < 0) ||
+	    (send(malware_daemon_ctx.sock, &drweb_fin, sizeof(drweb_fin), 0) < 0))
+	  return m_panic_defer_3(scanent, CUS callout_address, string_sprintf(
+	    "unable to send commands to socket (%s)", scanner_options),
+	    malware_daemon_ctx.sock);
+	}
+
+      /* wait for result */
+      if (!recv_len(malware_daemon_ctx.sock, &drweb_rc, sizeof(drweb_rc), tmo))
+	return m_panic_defer_3(scanent, CUS callout_address,
+		    US"unable to read return code", malware_daemon_ctx.sock);
+      drweb_rc = ntohl(drweb_rc);
+
+      if (!recv_len(malware_daemon_ctx.sock, &drweb_vnum, sizeof(drweb_vnum), tmo))
+	return m_panic_defer_3(scanent, CUS callout_address,
+			    US"unable to read the number of viruses", malware_daemon_ctx.sock);
+      drweb_vnum = ntohl(drweb_vnum);
+
+      /* "virus(es) found" if virus number is > 0 */
+      if (drweb_vnum)
+	{
+	gstring * g = NULL;
+
+	/* setup default virus name */
+	malware_name = US"unknown";
+
+	/* set up match regex */
+	if (!drweb_re)
+	  drweb_re = m_pcre_compile(drweb_re_str, &errstr);
+
+	/* read and concatenate virus names into one string */
+	for (int i = 0; i < drweb_vnum; i++)
+	  {
+	  pcre2_match_data * md = pcre2_match_data_create(2, pcre_gen_ctx);
+
+	  /* read the size of report */
+	  if (!recv_len(malware_daemon_ctx.sock, &drweb_slen, sizeof(drweb_slen), tmo))
+	    return m_panic_defer_3(scanent, CUS callout_address,
+			      US"cannot read report size", malware_daemon_ctx.sock);
+	  drweb_slen = ntohl(drweb_slen);
+
+	  /* assume tainted, since it is external input */
+	  tmpbuf = store_get(drweb_slen, GET_TAINTED);
+
+	  /* read report body */
+	  if (!recv_len(malware_daemon_ctx.sock, tmpbuf, drweb_slen, tmo))
+	    return m_panic_defer_3(scanent, CUS callout_address,
+			      US"cannot read report string", malware_daemon_ctx.sock);
+	  tmpbuf[drweb_slen] = '\0';
+
+	  /* try matcher on the line, grab substring */
+	  result = pcre2_match(drweb_re, (PCRE2_SPTR)tmpbuf, PCRE2_ZERO_TERMINATED,
+				0, 0, md, pcre_mtc_ctx);
+	  if (result >= 2)
+	    {
+	    PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md);
+
+	    if (i==0)	/* the first name we just copy to malware_name */
+	      g = string_catn(NULL, US ovec[2], ovec[3] - ovec[2]);
+
+	    else	/* concatenate each new virus name to previous */
+	      {
+	      g = string_catn(g, US"/", 1);
+	      g = string_catn(g, US ovec[2], ovec[3] - ovec[2]);
+	      }
+	    }
+	  }
+	  malware_name = string_from_gstring(g);
+	}
+      else
+	{
+	const char *drweb_s = NULL;
+
+	if (drweb_rc & DERR_READ_ERR) drweb_s = "read error";
+	if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory";
+	if (drweb_rc & DERR_TIMEOUT)  drweb_s = "timeout";
+	if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command";
+	/* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED.
+	 * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM,
+	 * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR
+	 * and others are ignored */
+	if (drweb_s)
+	  return m_panic_defer_3(scanent, CUS callout_address,
+	    string_sprintf("drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s),
+	    malware_daemon_ctx.sock);
+
+	/* no virus found */
+	malware_name = NULL;
+	}
+      break;
+      }	/* drweb */
+#endif
+
+#ifndef DISABLE_MAL_AVE
+    case M_AVES: /* "aveserver" scanner type -------------------------------- */
+      {
+      uschar buf[32768];
+      int result;
+
+      /* read aveserver's greeting and see if it is ready (2xx greeting) */
+      buf[0] = 0;
+      recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo);
+
+      if (buf[0] != '2')		/* aveserver is having problems */
+	return m_panic_defer_3(scanent, CUS callout_address,
+	  string_sprintf("unavailable (Responded: %s).",
+			  ((buf[0] != 0) ? buf : US "nothing") ),
+	  malware_daemon_ctx.sock);
+
+      /* prepare our command */
+      (void)string_format(buf, sizeof(buf), "SCAN bPQRSTUW %s\r\n",
+						eml_filename);
+
+      /* and send it */
+      DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s %s\n",
+	scanner_name, buf);
+      if (m_sock_send(malware_daemon_ctx.sock, buf, Ustrlen(buf), &errstr) < 0)
+	return m_panic_defer(scanent, CUS callout_address, errstr);
+
+      malware_name = NULL;
+      result = 0;
+      /* read response lines, find malware name and final response */
+      while (recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo) > 0)
+	{
+	if (buf[0] == '2')
+	  break;
+	if (buf[0] == '5')		/* aveserver is having problems */
+	  {
+	  result = m_panic_defer(scanent, CUS callout_address,
+	     string_sprintf("unable to scan file %s (Responded: %s).",
+			     eml_filename, buf));
+	  break;
+	  }
+	if (Ustrncmp(buf,"322",3) == 0)
+	  {
+	  uschar *p = Ustrchr(&buf[4], ' ');
+	  *p = '\0';
+	  malware_name = string_copy(&buf[4]);
+	  }
+	}
+
+      if (m_sock_send(malware_daemon_ctx.sock, US"quit\r\n", 6, &errstr) < 0)
+	return m_panic_defer(scanent, CUS callout_address, errstr);
+
+      /* read aveserver's greeting and see if it is ready (2xx greeting) */
+      buf[0] = 0;
+      recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo);
+
+      if (buf[0] != '2')		/* aveserver is having problems */
+	return m_panic_defer_3(scanent, CUS callout_address,
+	  string_sprintf("unable to quit dialogue (Responded: %s).",
+			((buf[0] != 0) ? buf : US "nothing") ),
+	  malware_daemon_ctx.sock);
+
+      if (result == DEFER)
+	{
+	(void)close(malware_daemon_ctx.sock);
+	return DEFER;
+	}
+      break;
+      }	/* aveserver */
+#endif
+
+#ifndef DISABLE_MAL_FSECURE
+    case M_FSEC: /* "fsecure" scanner type ---------------------------------- */
+      {
+      int i, bread = 0;
+      uschar * file_name;
+      uschar av_buffer[1024];
+      static uschar *cmdopt[] = { US"CONFIGURE\tARCHIVE\t1\n",
+				      US"CONFIGURE\tTIMEOUT\t0\n",
+				      US"CONFIGURE\tMAXARCH\t5\n",
+				      US"CONFIGURE\tMIME\t1\n" };
+
+      malware_name = NULL;
+
+      DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
+	  scanner_name, scanner_options);
+      /* pass options */
+      memset(av_buffer, 0, sizeof(av_buffer));
+      for (i = 0; i != nelem(cmdopt); i++)
+	{
+
+	if (m_sock_send(malware_daemon_ctx.sock, cmdopt[i], Ustrlen(cmdopt[i]), &errstr) < 0)
+	  return m_panic_defer(scanent, CUS callout_address, errstr);
+
+	bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo);
+	if (bread > 0) av_buffer[bread]='\0';
+	if (bread < 0)
+	  return m_panic_defer_3(scanent, CUS callout_address,
+	    string_sprintf("unable to read answer %d (%s)", i, strerror(errno)),
+	    malware_daemon_ctx.sock);
+	for (int j = 0; j < bread; j++)
+	  if (av_buffer[j] == '\r' || av_buffer[j] == '\n')
+	    av_buffer[j] ='@';
+	}
+
+      /* pass the mailfile to fsecure */
+      file_name = string_sprintf("SCAN\t%s\n", eml_filename);
+
+      if (m_sock_send(malware_daemon_ctx.sock, file_name, Ustrlen(file_name), &errstr) < 0)
+	return m_panic_defer(scanent, CUS callout_address, errstr);
+
+      /* set up match */
+      /* todo also SUSPICION\t */
+      if (!fsec_re)
+	fsec_re = m_pcre_compile(fsec_re_str, &errstr);
+
+      /* read report, linewise. Apply a timeout as the Fsecure daemon
+      sometimes wants an answer to "PING" but they won't tell us what */
+	{
+	uschar * p = av_buffer;
+	uschar * q;
+
+	for (;;)
+	  {
+	  errno = ETIMEDOUT;
+	  i =  av_buffer+sizeof(av_buffer)-p;
+	  if ((bread= ip_recv(&malware_daemon_ctx, p, i-1, tmo)) < 0)
+	    return m_panic_defer_3(scanent, CUS callout_address,
+	      string_sprintf("unable to read result (%s)", strerror(errno)),
+	      malware_daemon_ctx.sock);
+
+	  for (p[bread] = '\0'; (q = Ustrchr(p, '\n')); p = q+1)
+	    {
+	    *q = '\0';
+
+	    /* Really search for virus again? */
+	    if (!malware_name)
+	      /* try matcher on the line, grab substring */
+	      malware_name = m_pcre_exec(fsec_re, p);
+
+	    if (Ustrstr(p, "OK\tScan ok."))
+	      goto fsec_found;
+	    }
+
+	  /* copy down the trailing partial line then read another chunk */
+	  i =  av_buffer+sizeof(av_buffer)-p;
+	  memmove(av_buffer, p, i);
+	  p = av_buffer+i;
+	  }
+	}
+
+      fsec_found:
+	break;
+      }	/* fsecure */
+#endif
+
+#ifndef DISABLE_MAL_KAV
+    case M_KAVD: /* "kavdaemon" scanner type -------------------------------- */
+      {
+      time_t t;
+      uschar tmpbuf[1024];
+      uschar * scanrequest;
+      int kav_rc;
+      unsigned long kav_reportlen;
+      int bread;
+      const pcre2_code *kav_re;
+      uschar *p;
+
+      /* get current date and time, build scan request */
+      time(&t);
+      /* pdp note: before the eml_filename parameter, this scanned the
+      directory; not finding documentation, so we'll strip off the directory.
+      The side-effect is that the test framework scanning may end up in
+      scanning more than was requested, but for the normal interface, this is
+      fine. */
+
+      strftime(CS tmpbuf, sizeof(tmpbuf), "%d %b %H:%M:%S", localtime(&t));
+      scanrequest = string_sprintf("<0>%s:%s", CS tmpbuf, eml_filename);
+      p = Ustrrchr(scanrequest, '/');
+      if (p)
+	*p = '\0';
+
+      DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
+	  scanner_name, scanner_options);
+
+      /* send scan request */
+      if (m_sock_send(malware_daemon_ctx.sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
+	return m_panic_defer(scanent, CUS callout_address, errstr);
+
+      /* wait for result */
+      if (!recv_len(malware_daemon_ctx.sock, tmpbuf, 2, tmo))
+	return m_panic_defer_3(scanent, CUS callout_address,
+			    US"unable to read 2 bytes from socket.", malware_daemon_ctx.sock);
+
+      /* get errorcode from one nibble */
+      kav_rc = tmpbuf[ test_byte_order()==LITTLE_MY_ENDIAN ? 0 : 1 ] & 0x0F;
+      switch(kav_rc)
+      {
+      case 5: case 6: /* improper kavdaemon configuration */
+	return m_panic_defer_3(scanent, CUS callout_address,
+		US"please reconfigure kavdaemon to NOT disinfect or remove infected files.",
+		malware_daemon_ctx.sock);
+      case 1:
+	return m_panic_defer_3(scanent, CUS callout_address,
+		US"reported 'scanning not completed' (code 1).", malware_daemon_ctx.sock);
+      case 7:
+	return m_panic_defer_3(scanent, CUS callout_address,
+		US"reported 'kavdaemon damaged' (code 7).", malware_daemon_ctx.sock);
+      }
+
+      /* code 8 is not handled, since it is ambiguous. It appears mostly on
+      bounces where part of a file has been cut off */
+
+      /* "virus found" return codes (2-4) */
+      if (kav_rc > 1 && kav_rc < 5)
+	{
+	int report_flag = 0;
+
+	/* setup default virus name */
+	malware_name = US"unknown";
+
+	report_flag = tmpbuf[ test_byte_order() == LITTLE_MY_ENDIAN ? 1 : 0 ];
+
+	/* read the report, if available */
+	if (report_flag == 1)
+	  {
+	  /* read report size */
+	  if (!recv_len(malware_daemon_ctx.sock, &kav_reportlen, 4, tmo))
+	    return m_panic_defer_3(scanent, CUS callout_address,
+		  US"cannot read report size", malware_daemon_ctx.sock);
+
+	  /* it's possible that avp returns av_buffer[1] == 1 but the
+	  reportsize is 0 (!?) */
+	  if (kav_reportlen > 0)
+	    {
+	    /* set up match regex, depends on retcode */
+	    if (kav_rc == 3)
+	      {
+	      if (!kav_re_sus) kav_re_sus = m_pcre_compile(kav_re_sus_str, &errstr);
+	      kav_re = kav_re_sus;
+	      }
+	    else
+	      {
+	      if (!kav_re_inf) kav_re_inf = m_pcre_compile(kav_re_inf_str, &errstr);
+	      kav_re = kav_re_inf;
+	      }
+
+	    /* read report, linewise.  Using size from stream to read amount of data
+	    from same stream is safe enough. */
+	    /* coverity[tainted_data] */
+	    while (kav_reportlen > 0)
+	      {
+	      if ((bread = recv_line(malware_daemon_ctx.sock, tmpbuf, sizeof(tmpbuf), tmo)) < 0)
+		break;
+	      kav_reportlen -= bread+1;
+
+	      /* try matcher on the line, grab substring */
+	      if ((malware_name = m_pcre_exec(kav_re, tmpbuf)))
+		break;
+	      }
+	    }
+	  }
+	}
+      else /* no virus found */
+	malware_name = NULL;
+
+      break;
+      }
+#endif
+
+#ifndef DISABLE_MAL_CMDLINE
+    case M_CMDL: /* "cmdline" scanner type ---------------------------------- */
+      {
+      const uschar *cmdline_scanner = scanner_options;
+      const pcre2_code *cmdline_trigger_re;
+      const pcre2_code *cmdline_regex_re;
+      uschar * file_name;
+      uschar * commandline;
+      void (*eximsigchld)(int);
+      void (*eximsigpipe)(int);
+      FILE *scanner_out = NULL;
+      int scanner_fd;
+      FILE *scanner_record = NULL;
+      uschar linebuffer[32767];
+      int rcnt;
+      int trigger = 0;
+      uschar *p;
+
+      if (!cmdline_scanner)
+	return m_panic_defer(scanent, NULL, errstr);
+
+      /* find scanner output trigger */
+      cmdline_trigger_re = m_pcre_nextinlist(&av_scanner_work, &sep,
+				"missing trigger specification", &errstr);
+      if (!cmdline_trigger_re)
+	return m_panic_defer(scanent, NULL, errstr);
+
+      /* find scanner name regex */
+      cmdline_regex_re = m_pcre_nextinlist(&av_scanner_work, &sep,
+			  "missing virus name regex specification", &errstr);
+      if (!cmdline_regex_re)
+	return m_panic_defer(scanent, NULL, errstr);
+
+      /* prepare scanner call; despite the naming, file_name holds a directory
+      name which is documented as the value given to %s. */
+
+      file_name = string_copy(eml_filename);
+      p = Ustrrchr(file_name, '/');
+      if (p)
+	*p = '\0';
+      commandline = string_sprintf(CS cmdline_scanner, file_name);
+
+      /* redirect STDERR too */
+      commandline = string_sprintf("%s 2>&1", commandline);
+
+      DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
+	      scanner_name, commandline);
+
+      /* store exims signal handlers */
+      eximsigchld = signal(SIGCHLD,SIG_DFL);
+      eximsigpipe = signal(SIGPIPE,SIG_DFL);
+
+      if (!(scanner_out = popen(CS commandline,"r")))
+	{
+	int err = errno;
+	signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
+	return m_panic_defer(scanent, NULL,
+	  string_sprintf("call (%s) failed: %s.", commandline, strerror(err)));
+	}
+      scanner_fd = fileno(scanner_out);
+
+      file_name = string_sprintf("%s/%s_scanner_output", eml_dir, message_id);
+
+      if (!(scanner_record = modefopen(file_name, "wb", SPOOL_MODE)))
+	{
+	int err = errno;
+	(void) pclose(scanner_out);
+	signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
+	return m_panic_defer(scanent, NULL, string_sprintf(
+	    "opening scanner output file (%s) failed: %s.",
+	    file_name, strerror(err)));
+	}
+
+      /* look for trigger while recording output */
+      while ((rcnt = recv_line(scanner_fd, linebuffer,
+		      sizeof(linebuffer), tmo)))
+	{
+	if (rcnt < 0)
+	  {
+	  int err = errno;
+	  if (rcnt == -1)
+	    break;
+	  (void) pclose(scanner_out);
+	  signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
+	  return m_panic_defer(scanent, NULL, string_sprintf(
+	      "unable to read from scanner (%s): %s",
+	      commandline, strerror(err)));
+	  }
+
+	if (Ustrlen(linebuffer) > fwrite(linebuffer, 1, Ustrlen(linebuffer), scanner_record))
+	  {
+	  /* short write */
+	  (void) pclose(scanner_out);
+	  signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
+	  return m_panic_defer(scanent, NULL, string_sprintf(
+	    "short write on scanner output file (%s).", file_name));
+	  }
+	putc('\n', scanner_record);
+	/* try trigger match */
+	if (  !trigger
+	   && regex_match_and_setup(cmdline_trigger_re, linebuffer, 0, -1)
+	   )
+	  trigger = 1;
+	}
+
+      (void)fclose(scanner_record);
+      sep = pclose(scanner_out);
+      signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
+      if (sep != 0)
+	  return m_panic_defer(scanent, NULL,
+	      sep == -1
+	      ? string_sprintf("running scanner failed: %s", strerror(sep))
+	      : string_sprintf("scanner returned error code: %d", sep));
+
+      if (trigger)
+	{
+	uschar * s;
+	/* setup default virus name */
+	malware_name = US"unknown";
+
+	/* re-open the scanner output file, look for name match */
+	scanner_record = Ufopen(file_name, "rb");
+	while (Ufgets(linebuffer, sizeof(linebuffer), scanner_record))
+	  if ((s = m_pcre_exec(cmdline_regex_re, linebuffer))) /* try match */
+	    malware_name = s;
+	(void)fclose(scanner_record);
+	}
+      else /* no virus found */
+	malware_name = NULL;
+      break;
+      }	/* cmdline */
+#endif
+
+#ifndef DISABLE_MAL_SOPHIE
+    case M_SOPHIE: /* "sophie" scanner type --------------------------------- */
+      {
+      int bread = 0;
+      uschar *p;
+      uschar * file_name;
+      uschar av_buffer[1024];
+
+      /* pass the scan directory to sophie */
+      file_name = string_copy(eml_filename);
+      if ((p = Ustrrchr(file_name, '/')))
+	*p = '\0';
+
+      DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
+	  scanner_name, scanner_options);
+
+      if (  write(malware_daemon_ctx.sock, file_name, Ustrlen(file_name)) < 0
+	 || write(malware_daemon_ctx.sock, "\n", 1) != 1
+	 )
+	return m_panic_defer_3(scanent, CUS callout_address,
+	  string_sprintf("unable to write to UNIX socket (%s)", scanner_options),
+	  malware_daemon_ctx.sock);
+
+      /* wait for result */
+      memset(av_buffer, 0, sizeof(av_buffer));
+      if ((bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo)) <= 0)
+	return m_panic_defer_3(scanent, CUS callout_address,
+	  string_sprintf("unable to read from UNIX socket (%s)", scanner_options),
+	  malware_daemon_ctx.sock);
+
+      /* infected ? */
+      if (av_buffer[0] == '1') {
+	uschar * s = Ustrchr(av_buffer, '\n');
+	if (s)
+	  *s = '\0';
+	malware_name = string_copy(&av_buffer[2]);
+      }
+      else if (!strncmp(CS av_buffer, "-1", 2))
+	return m_panic_defer_3(scanent, CUS callout_address,
+		US"scanner reported error", malware_daemon_ctx.sock);
+      else /* all ok, no virus */
+	malware_name = NULL;
+
+      break;
+      }
+#endif
+
+#ifndef DISABLE_MAL_CLAM
+    case M_CLAMD: /* "clamd" scanner type ----------------------------------- */
+      {
+/* This code was originally contributed by David Saez */
+/* There are three scanning methods available to us:
+*  (1) Use the SCAN command, pointing to a file in the filesystem
+*  (2) Use the STREAM command, send the data on a separate port
+*  (3) Use the zINSTREAM command, send the data inline
+* The zINSTREAM command was introduced with ClamAV 0.95, which marked
+* STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095
+* In Exim, we use SCAN if using a Unix-domain socket or explicitly told that
+* the TCP-connected daemon is actually local; otherwise we use zINSTREAM
+* See Exim bug 926 for details.  */
+
+      uschar *p, *vname, *result_tag;
+      int bread=0;
+      uschar av_buffer[1024];
+      uschar *hostname = US"";
+      host_item connhost;
+      int clam_fd;
+      unsigned int fsize_uint;
+      BOOL use_scan_command = FALSE;
+      clamd_address * cv[MAX_CLAMD_SERVERS];
+      int num_servers = 0;
+      uint32_t send_size, send_final_zeroblock;
+      blob cmd_str;
+
+      /*XXX if unixdomain socket, only one server supported. Needs fixing;
+      there's no reason we should not mix local and remote servers */
+
+      if (*scanner_options == '/')
+	{
+	clamd_address * cd;
+	const uschar * sublist;
+	int subsep = ' ';
+
+	/* Local file; so we def want to use_scan_command and don't want to try
+	passing IP/port combinations */
+	use_scan_command = TRUE;
+	cd = (clamd_address *) store_get(sizeof(clamd_address), GET_UNTAINTED);
+
+	/* extract socket-path part */
+	sublist = scanner_options;
+	cd->hostspec = string_nextinlist(&sublist, &subsep, NULL, 0);
+
+	/* parse options */
+	if (clamd_option(cd, sublist, &subsep) != OK)
+	  return m_panic_defer(scanent, NULL,
+	    string_sprintf("bad option '%s'", scanner_options));
+	cv[0] = cd;
+	}
+      else
+	{
+	/* Go through the rest of the list of host/port and construct an array
+	 * of servers to try. The first one is the bit we just passed from
+	 * scanner_options so process that first and then scan the remainder of
+	 * the address buffer */
+	do
+	  {
+	  clamd_address * cd;
+	  const uschar * sublist;
+	  int subsep = ' ';
+	  uschar * s;
+
+	  /* The 'local' option means use the SCAN command over the network
+	   * socket (ie common file storage in use) */
+	  /*XXX we could accept this also as a local option? */
+	  if (strcmpic(scanner_options, US"local") == 0)
+	    {
+	    use_scan_command = TRUE;
+	    continue;
+	    }
+
+	  cd = (clamd_address *) store_get(sizeof(clamd_address), GET_UNTAINTED);
+
+	  /* extract host and port part */
+	  sublist = scanner_options;
+	  if (!(cd->hostspec = string_nextinlist(&sublist, &subsep, NULL, 0)))
+	    {
+	    (void) m_panic_defer(scanent, NULL,
+		      string_sprintf("missing address: '%s'", scanner_options));
+	    continue;
+	    }
+	  if (!(s = string_nextinlist(&sublist, &subsep, NULL, 0)))
+	    {
+	    (void) m_panic_defer(scanent, NULL,
+		      string_sprintf("missing port: '%s'", scanner_options));
+	    continue;
+	    }
+	  cd->tcp_port = atoi(CS s);
+
+	  /* parse options */
+	  /*XXX should these options be common over scanner types? */
+	  if (clamd_option(cd, sublist, &subsep) != OK)
+	    return m_panic_defer(scanent, NULL,
+	      string_sprintf("bad option '%s'", scanner_options));
+
+	  cv[num_servers++] = cd;
+	  if (num_servers >= MAX_CLAMD_SERVERS)
+	    {
+	    (void) m_panic_defer(scanent, NULL,
+		  US"More than " MAX_CLAMD_SERVERS_S " clamd servers "
+		  "specified; only using the first " MAX_CLAMD_SERVERS_S );
+	    break;
+	    }
+	  } while ((scanner_options = string_nextinlist(&av_scanner_work, &sep,
+					NULL, 0)));
+
+	/* check if we have at least one server */
+	if (!num_servers)
+	  return m_panic_defer(scanent, NULL,
+	    US"no useable server addresses in malware configuration option.");
+	}
+
+      /* See the discussion of response formats below to see why we really
+      don't like colons in filenames when passing filenames to ClamAV. */
+      if (use_scan_command && Ustrchr(eml_filename, ':'))
+	return m_panic_defer(scanent, NULL,
+	  string_sprintf("local/SCAN mode incompatible with" \
+	    " : in path to email filename [%s]", eml_filename));
+
+      /* Set up the very first data we will be sending */
+      if (!use_scan_command)
+	{ cmd_str.data = US"zINSTREAM"; cmd_str.len = 10; }
+      else
+	{
+	int n;
+	cmd_str.data = string_sprintf("SCAN %s\n%n", eml_filename, &n);
+	cmd_str.len = n;		/* .len is a size_t */
+	}
+
+      /* We have some network servers specified */
+      if (num_servers)
+	{
+	/* Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd
+	only supports AF_INET, but we should probably be looking to the
+	future and rewriting this to be protocol-independent anyway. */
+
+	while (num_servers > 0)
+	  {
+	  int i = random_number(num_servers);
+	  clamd_address * cd = cv[i];
+
+	  DEBUG(D_acl) debug_printf_indent("trying server name %s, port %u\n",
+			 cd->hostspec, cd->tcp_port);
+
+	  /* Lookup the host. This is to ensure that we connect to the same IP
+	  on both connections (as one host could resolve to multiple ips) */
+	  for (;;)
+	    {
+	    /*XXX we trust that the cmd_str is idempotent */
+	    if ((malware_daemon_ctx.sock = m_tcpsocket(cd->hostspec, cd->tcp_port,
+				    &connhost, &errstr,
+				    use_scan_command ? &cmd_str : NULL)) >= 0)
+	      {
+	      /* Connection successfully established with a server */
+	      hostname = cd->hostspec;
+	      if (use_scan_command) cmd_str.len = 0;
+	      break;
+	      }
+	    if (cd->retry <= 0) break;
+	    while (cd->retry > 0) cd->retry = sleep(cd->retry);
+	    }
+	  if (malware_daemon_ctx.sock >= 0)
+	    break;
+
+	  (void) m_panic_defer(scanent, CUS callout_address, errstr);
+
+	  /* Remove the server from the list. XXX We should free the memory */
+	  num_servers--;
+	  for (; i < num_servers; i++)
+	    cv[i] = cv[i+1];
+	  }
+
+	if (num_servers == 0)
+	  return m_panic_defer(scanent, NULL, US"all servers failed");
+	}
+      else
+	for (;;)
+	  {
+	  if ((malware_daemon_ctx.sock = ip_unixsocket(cv[0]->hostspec, &errstr)) >= 0)
+	    {
+	    hostname = cv[0]->hostspec;
+	    break;
+	    }
+	  if (cv[0]->retry <= 0)
+	    return m_panic_defer(scanent, CUS callout_address, errstr);
+	  while (cv[0]->retry > 0) cv[0]->retry = sleep(cv[0]->retry);
+	  }
+
+      /* have socket in variable "sock"; command to use is semi-independent of
+      the socket protocol.  We use SCAN if is local (either Unix/local
+      domain socket, or explicitly told local) else we stream the data.
+      How we stream the data depends upon how we were built.  */
+
+      if (!use_scan_command)
+	{
+	struct stat st;
+#if defined(EXIM_TCP_CORK) && !defined(OS_SENDFILE)
+	BOOL corked = TRUE;
+#endif
+	/* New protocol: "zINSTREAM\n" followed by a sequence of <length><data>
+	chunks, <n> a 4-byte number (network order), terminated by a zero-length
+	chunk. We only send one chunk. */
+
+	DEBUG(D_acl) debug_printf_indent(
+	    "Malware scan: issuing %s new-style remote scan (zINSTREAM)\n",
+	    scanner_name);
+
+#if defined(EXIM_TCP_CORK)
+	(void) setsockopt(malware_daemon_ctx.sock, IPPROTO_TCP, EXIM_TCP_CORK,
+			  US &on, sizeof(on));
+#endif
+	/* Pass the string to ClamAV (10 = "zINSTREAM\0"), if not already sent */
+	if (cmd_str.len)
+	  if (send(malware_daemon_ctx.sock, cmd_str.data, cmd_str.len, 0) < 0)
+	    return m_panic_defer_3(scanent, CUS hostname,
+	      string_sprintf("unable to send zINSTREAM to socket (%s)",
+		strerror(errno)),
+	      malware_daemon_ctx.sock);
+
+	if ((clam_fd = exim_open2(CS eml_filename, O_RDONLY)) < 0)
+	  {
+	  int err = errno;
+	  return m_panic_defer_3(scanent, NULL,
+	    string_sprintf("can't open spool file %s: %s",
+	      eml_filename, strerror(err)),
+	    malware_daemon_ctx.sock);
+	  }
+	if (fstat(clam_fd, &st) < 0)
+	  {
+	  int err = errno;
+	  (void)close(clam_fd);
+	  return m_panic_defer_3(scanent, NULL,
+	    string_sprintf("can't stat spool file %s: %s",
+	      eml_filename, strerror(err)),
+	    malware_daemon_ctx.sock);
+	  }
+	fsize_uint = (unsigned int) st.st_size;
+	if ((off_t)fsize_uint != st.st_size)
+	  {
+	  (void)close(clam_fd);
+	  return m_panic_defer_3(scanent, NULL,
+	    string_sprintf("stat spool file %s, size overflow", eml_filename),
+	    malware_daemon_ctx.sock);
+	  }
+
+	/* send file size */
+	send_size = htonl(fsize_uint);
+	if (send(malware_daemon_ctx.sock, &send_size, sizeof(send_size), 0) < 0)
+	  return m_panic_defer_3(scanent, NULL,
+	    string_sprintf("unable to send file size to socket (%s)", hostname),
+	    malware_daemon_ctx.sock);
+
+	/* send file body */
+	while (fsize_uint)
+	  {
+#ifdef OS_SENDFILE
+	  int n = os_sendfile(malware_daemon_ctx.sock, clam_fd, NULL, (size_t)fsize_uint);
+	  if (n < 0)
+	    return m_panic_defer_3(scanent, NULL,
+	      string_sprintf("unable to send file body to socket (%s): %s", hostname, strerror(errno)),
+	      malware_daemon_ctx.sock);
+	  fsize_uint -= n;
+#else
+	  int n = MIN(fsize_uint, big_buffer_size);
+	  if ((n = read(clam_fd, big_buffer, n)) < 0)
+	    return m_panic_defer_3(scanent, NULL,
+	      string_sprintf("can't read spool file %s: %s",
+		eml_filename, strerror(errno)),
+	      malware_daemon_ctx.sock);
+	  if (send(malware_daemon_ctx.sock, big_buffer, (size_t)n, 0) < 0)
+	    return m_panic_defer_3(scanent, NULL,
+	      string_sprintf("unable to send file body to socket (%s): %s", hostname, strerror(errno)),
+	      malware_daemon_ctx.sock);
+	  fsize_uint -= n;
+# ifdef EXIM_TCP_CORK
+	  if (corked)
+	    {
+	    corked = FALSE;
+	    (void) setsockopt(malware_daemon_ctx.sock, IPPROTO_TCP, EXIM_TCP_CORK,
+			      US &off, sizeof(off));
+	    }
+# endif
+#endif	/*!OS_SENDFILE*/
+
+	  }
+
+	send_final_zeroblock = 0;
+	if (send(malware_daemon_ctx.sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0)
+	  return m_panic_defer_3(scanent, NULL,
+	    string_sprintf("unable to send file terminator to socket (%s)", hostname),
+	    malware_daemon_ctx.sock);
+#ifdef OS_SENDFILE
+	(void) setsockopt(malware_daemon_ctx.sock, IPPROTO_TCP, EXIM_TCP_CORK,
+			  US &off, sizeof(off));
+#endif
+	}
+      else
+	{ /* use scan command */
+	/* Send a SCAN command pointing to a filename; then in the then in the
+	scan-method-neutral part, read the response back */
+
+/* ================================================================= */
+
+	/* Prior to the reworking post-Exim-4.72, this scanned a directory,
+	which dates to when ClamAV needed us to break apart the email into the
+	MIME parts (eg, with the now deprecated demime condition coming first).
+	Some time back, ClamAV gained the ability to deconstruct the emails, so
+	doing this would actually have resulted in the mail attachments being
+	scanned twice, in the broken out files and from the original .eml.
+	Since ClamAV now handles emails (and has for quite some time) we can
+	just use the email file itself. */
+	/* Pass the string to ClamAV (7 = "SCAN \n" + \0), if not already sent */
+
+	DEBUG(D_acl) debug_printf_indent(
+	    "Malware scan: issuing %s local-path scan [%s]\n",
+	    scanner_name, scanner_options);
+
+	if (cmd_str.len)
+	  if (send(malware_daemon_ctx.sock, cmd_str.data, cmd_str.len, 0) < 0)
+	    return m_panic_defer_3(scanent, CUS callout_address,
+	      string_sprintf("unable to write to socket (%s)", strerror(errno)),
+	      malware_daemon_ctx.sock);
+
+	/* Do not shut down the socket for writing; a user report noted that
+	clamd 0.70 does not react well to this. */
+	}
+      /* Commands have been sent, no matter which scan method or connection
+      type we're using; now just read the result, independent of method. */
+
+      /* Read the result */
+      memset(av_buffer, 0, sizeof(av_buffer));
+      bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo);
+      (void)close(malware_daemon_ctx.sock);
+      malware_daemon_ctx.sock = -1;
+      malware_daemon_ctx.tls_ctx = NULL;
+
+      if (bread <= 0)
+	return m_panic_defer(scanent, CUS callout_address,
+	  string_sprintf("unable to read from socket (%s)",
+	  errno == 0 ? "EOF" : strerror(errno)));
+
+      if (bread == sizeof(av_buffer))
+	return m_panic_defer(scanent, CUS callout_address,
+		US"buffer too small");
+      /* We're now assured of a NULL at the end of av_buffer */
+
+      /* Check the result. ClamAV returns one of two result formats.
+      In the basic mode, the response is of the form:
+	infected: -> "<filename>: <virusname> FOUND"
+	not-infected: -> "<filename>: OK"
+	error: -> "<filename>: <errcode> ERROR
+      If the ExtendedDetectionInfo option has been turned on, then we get:
+	"<filename>: <virusname>(<virushash>:<virussize>) FOUND"
+      for the infected case.  Compare:
+/tmp/eicar.com: Eicar-Test-Signature FOUND
+/tmp/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
+
+      In the streaming case, clamd uses the filename "stream" which you should
+      be able to verify with { ktrace clamdscan --stream /tmp/eicar.com }.  (The
+      client app will replace "stream" with the original filename before returning
+      results to stdout, but the trace shows the data).
+
+      We will assume that the pathname passed to clamd from Exim does not contain
+      a colon.  We will have whined loudly above if the eml_filename does (and we're
+      passing a filename to clamd). */
+
+      if (!(*av_buffer))
+	return m_panic_defer(scanent, CUS callout_address,
+		US"ClamAV returned null");
+
+      /* strip newline at the end (won't be present for zINSTREAM)
+      (also any trailing whitespace, which shouldn't exist, but we depend upon
+      this below, so double-check) */
+
+      p = av_buffer + Ustrlen(av_buffer) - 1;
+      if (*p == '\n') *p = '\0';
+
+      DEBUG(D_acl) debug_printf_indent("Malware response: %s\n", av_buffer);
+
+      while (isspace(*--p) && (p > av_buffer))
+	*p = '\0';
+      if (*p) ++p;
+
+      /* colon in returned output? */
+      if (!(p = Ustrchr(av_buffer,':')))
+	return m_panic_defer(scanent, CUS callout_address, string_sprintf(
+		  "ClamAV returned malformed result (missing colon): %s",
+		  av_buffer));
+
+      /* strip filename */
+      while (*p && isspace(*++p)) /**/;
+      vname = p;
+
+      /* It would be bad to encounter a virus with "FOUND" in part of the name,
+      but we should at least be resistant to it. */
+      p = Ustrrchr(vname, ' ');
+      result_tag = p ? p+1 : vname;
+
+      if (Ustrcmp(result_tag, "FOUND") == 0)
+	{
+	/* p should still be the whitespace before the result_tag */
+	while (isspace(*p)) --p;
+	*++p = '\0';
+	/* Strip off the extended information too, which will be in parens
+	after the virus name, with no intervening whitespace. */
+	if (*--p == ')')
+	  {
+	  /* "(hash:size)", so previous '(' will do; if not found, we have
+	  a curious virus name, but not an error. */
+	  p = Ustrrchr(vname, '(');
+	  if (p)
+	    *p = '\0';
+	  }
+	malware_name = string_copy(vname);
+	DEBUG(D_acl) debug_printf_indent("Malware found, name \"%s\"\n", malware_name);
+
+	}
+      else if (Ustrcmp(result_tag, "ERROR") == 0)
+	return m_panic_defer(scanent, CUS callout_address,
+	  string_sprintf("ClamAV returned: %s", av_buffer));
+
+      else if (Ustrcmp(result_tag, "OK") == 0)
+	{
+	/* Everything should be OK */
+	malware_name = NULL;
+	DEBUG(D_acl) debug_printf_indent("Malware not found\n");
+
+	}
+      else
+	return m_panic_defer(scanent, CUS callout_address,
+	  string_sprintf("unparseable response from ClamAV: {%s}", av_buffer));
+
+      break;
+      } /* clamd */
+#endif
+
+#ifndef DISABLE_MAL_SOCK
+    case M_SOCK: /* "sock" scanner type ------------------------------------- */
+    /* This code was derived by Martin Poole from the clamd code contributed
+       by David Saez and the cmdline code
+    */
+      {
+      int bread;
+      uschar * commandline;
+      uschar av_buffer[1024];
+      uschar * linebuffer;
+      uschar * sockline_scanner;
+      uschar sockline_scanner_default[] = "%s\n";
+      const pcre2_code *sockline_trig_re;
+      const pcre2_code *sockline_name_re;
+
+      /* find scanner command line */
+      if (  (sockline_scanner = string_nextinlist(&av_scanner_work, &sep,
+					  NULL, 0))
+	 && *sockline_scanner
+	 )
+      {	/* check for no expansions apart from one %s */
+	uschar * s = Ustrchr(sockline_scanner, '%');
+	if (s++)
+	  if ((*s != 's' && *s != '%') || Ustrchr(s+1, '%'))
+	    return m_panic_defer_3(scanent, NULL,
+				  US"unsafe sock scanner call spec", malware_daemon_ctx.sock);
+      }
+      else
+	sockline_scanner = sockline_scanner_default;
+      DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "cmdline: ",
+	string_printing(sockline_scanner));
+
+      /* find scanner output trigger */
+      sockline_trig_re = m_pcre_nextinlist(&av_scanner_work, &sep,
+				"missing trigger specification", &errstr);
+      if (!sockline_trig_re)
+	return m_panic_defer_3(scanent, NULL, errstr, malware_daemon_ctx.sock);
+
+      /* find virus name regex */
+      sockline_name_re = m_pcre_nextinlist(&av_scanner_work, &sep,
+			  "missing virus name regex specification", &errstr);
+      if (!sockline_name_re)
+	return m_panic_defer_3(scanent, NULL, errstr, malware_daemon_ctx.sock);
+
+      /* prepare scanner call - security depends on expansions check above */
+      commandline = string_sprintf( CS sockline_scanner, CS eml_filename);
+      DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "expanded: ",
+	string_printing(commandline));
+
+      /* Pass the command string to the socket */
+      if (m_sock_send(malware_daemon_ctx.sock, commandline, Ustrlen(commandline), &errstr) < 0)
+	return m_panic_defer(scanent, CUS callout_address, errstr);
+
+      /* Read the result */
+      bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo);
+
+      if (bread <= 0)
+	return m_panic_defer_3(scanent, CUS callout_address,
+	  string_sprintf("unable to read from socket (%s)", strerror(errno)),
+	  malware_daemon_ctx.sock);
+
+      if (bread == sizeof(av_buffer))
+	return m_panic_defer_3(scanent, CUS callout_address,
+		US"buffer too small", malware_daemon_ctx.sock);
+      av_buffer[bread] = '\0';
+      linebuffer = string_copy(av_buffer);
+      DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "answer: ",
+	string_printing(linebuffer));
+
+      /* try trigger match */
+      if (regex_match_and_setup(sockline_trig_re, linebuffer, 0, -1))
+	{
+	if (!(malware_name = m_pcre_exec(sockline_name_re, av_buffer)))
+	  malware_name = US "unknown";
+	DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "name: ",
+	  string_printing(malware_name));
+	}
+      else /* no virus found */
+	malware_name = NULL;
+      break;
+      }
+#endif
+
+#ifndef DISABLE_MAL_MKS
+    case M_MKSD: /* "mksd" scanner type ------------------------------------- */
+      {
+      char *mksd_options_end;
+      int mksd_maxproc = 1;  /* default, if no option supplied */
+      int retval;
+
+      if (scanner_options)
+	{
+	mksd_maxproc = (int)strtol(CS scanner_options, &mksd_options_end, 10);
+	if (  *scanner_options == '\0'
+	   || *mksd_options_end != '\0'
+	   || mksd_maxproc < 1
+	   || mksd_maxproc > 32
+	   )
+	  return m_panic_defer(scanent, CUS callout_address,
+	    string_sprintf("invalid option '%s'", scanner_options));
+	}
+
+      if((malware_daemon_ctx.sock = ip_unixsocket(US "/var/run/mksd/socket", &errstr)) < 0)
+	return m_panic_defer(scanent, CUS callout_address, errstr);
+
+      malware_name = NULL;
+
+      DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan\n", scanner_name);
+
+      if ((retval = mksd_scan_packed(scanent, malware_daemon_ctx.sock, eml_filename, tmo)) != OK)
+	{
+	close (malware_daemon_ctx.sock);
+	return retval;
+	}
+      break;
+      }
+#endif
+
+#ifndef DISABLE_MAL_AVAST
+    case M_AVAST: /* "avast" scanner type ----------------------------------- */
+      {
+      uschar buf[1024];
+      uschar * scanrequest;
+      enum {AVA_HELO, AVA_OPT, AVA_RSP, AVA_DONE} avast_stage;
+      int nread;
+      uschar * error_message = NULL;
+      BOOL more_data = FALSE;
+      BOOL strict = TRUE;
+
+      /* According to Martin Tuma @avast the protocol uses "escaped
+      whitespace", that is, every embedded whitespace is backslash
+      escaped, as well as backslash is protected by backslash.
+      The returned lines contain the name of the scanned file, a tab
+      and the [ ] marker.
+      [+] - not infected
+      [L] - infected
+      [E] - some error occurred
+      Such marker follows the first non-escaped TAB.  For more information
+      see avast-protocol(5)
+
+      We observed two cases:
+      -> SCAN /file
+      <- /file [E]0.0 Error 13 Permission denied
+      <- 451 SCAN Engine error 13 permission denied
+
+      -> SCAN /file
+      <- /file… [E]3.0 Error 41120 The file is a decompression bomb
+      <- /file… [+]2.0
+      <- /file… [+]2.0 0 Eicar Test Virus!!!
+      <- 200 SCAN OK
+
+      If the scanner returns 4xx, DEFER is a good decision, combined
+      with a panic log entry, to get the admin's attention.
+
+      If the scanner returns 200, we reject it as malware, if found any,
+      or, in case of an error, we set the malware message to the error
+      string.
+
+      Some of the >= 42000 errors are message related - usually some
+      broken archives etc, but some of them are e.g. license related.
+      Once the license expires the engine starts returning errors for
+      every scanning attempt.  I¹ have the full list of the error codes
+      but it is not a public API and is subject to change. It is hard
+      for me to say what you should do in case of an engine error. You
+      can have a “Treat * unscanned file as infection” policy or “Treat
+      unscanned file as clean” policy.  ¹) Jakub Bednar
+
+       */
+
+      if (  (  !ava_re_clean
+            && !(ava_re_clean = m_pcre_compile(ava_re_clean_str, &errstr)))
+	 || (  !ava_re_virus
+	    && !(ava_re_virus = m_pcre_compile(ava_re_virus_str, &errstr)))
+	 || (  !ava_re_error
+	    && !(ava_re_error = m_pcre_compile(ava_re_error_str, &errstr)))
+	 )
+	return malware_panic_defer(errstr);
+
+      /* wait for result */
+      for (avast_stage = AVA_HELO;
+	   (nread = recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo)) > 0;
+	  )
+	{
+	int slen = Ustrlen(buf);
+	if (slen >= 1)
+	  {
+
+          /* Multi line responses are bracketed between 210 … and nnn … */
+          if (Ustrncmp(buf, "210", 3) == 0)
+            {
+            more_data = 1;
+            continue;
+            }
+          else if (more_data && isdigit(buf[0])) more_data = 0;
+
+	  switch (avast_stage)
+	    {
+	    case AVA_HELO:
+              if (more_data) continue;
+	      if (Ustrncmp(buf, "220", 3) != 0)
+		goto endloop;			/* require a 220 */
+	      goto sendreq;
+
+	    case AVA_OPT:
+              if (more_data) continue;
+	      if (Ustrncmp(buf, "200", 3) != 0)
+		goto endloop;			/* require a 200 */
+
+	    sendreq:
+	      {
+	      int len;
+	      /* Check for another option to send. Newline-terminate it. */
+	      if ((scanrequest = string_nextinlist(&av_scanner_work, &sep,
+				NULL, 0)))
+		{
+                if (Ustrcmp(scanrequest, "pass_unscanned") == 0)
+                  {
+                  DEBUG(D_acl) debug_printf_indent("pass unscanned files as clean\n");
+                  strict = FALSE;
+                  goto sendreq;
+                  }
+		scanrequest = string_sprintf("%s\n", scanrequest);
+		avast_stage = AVA_OPT;		/* just sent option */
+		DEBUG(D_acl) debug_printf_indent("send to avast OPTION: %s", scanrequest);
+		}
+	      else
+		{
+		scanrequest = string_sprintf("SCAN %s\n", eml_dir);
+		avast_stage = AVA_RSP;		/* just sent command */
+		DEBUG(D_acl) debug_printf_indent("send to avast REQUEST: SCAN %s\n", eml_dir);
+		}
+
+	      /* send config-cmd or scan-request to socket */
+	      len = Ustrlen(scanrequest);
+	      if (send(malware_daemon_ctx.sock, scanrequest, len, 0) == -1)
+		{
+		scanrequest[len-1] = '\0';
+		return m_panic_defer_3(scanent, CUS callout_address, string_sprintf(
+		      "unable to send request '%s' to socket (%s): %s",
+		      scanrequest, scanner_options, strerror(errno)), malware_daemon_ctx.sock);
+		}
+	      break;
+	      }
+
+	    case AVA_RSP:
+
+	      if (isdigit(buf[0]))  /* We're done */
+                goto endloop;
+
+              if (malware_name)     /* Nothing else matters, just read on */
+                break;
+
+	      if (regex_match(ava_re_clean, buf, slen, NULL))
+		break;
+
+              if ((malware_name = m_pcre_exec(ava_re_virus, buf)))
+                {
+                unescape(malware_name);
+                DEBUG(D_acl)
+                  debug_printf_indent("unescaped malware name: '%s'\n", malware_name);
+                break;
+                }
+
+              if (strict)           /* treat scanner errors as malware */
+                {
+                if ((malware_name = m_pcre_exec(ava_re_error, buf)))
+                  {
+                  unescape(malware_name);
+                  DEBUG(D_acl)
+                    debug_printf_indent("unescaped error message: '%s'\n", malware_name);
+                  break;
+                  }
+                }
+              else if (regex_match(ava_re_error, buf, slen, NULL))
+                {
+                log_write(0, LOG_MAIN, "internal scanner error (ignored): %s", buf);
+                break;
+                }
+
+	      /* here also for any unexpected response from the scanner */
+              DEBUG(D_acl) debug_printf("avast response not handled: '%s'\n", buf);
+
+	      goto endloop;
+
+	    default:	log_write(0, LOG_PANIC, "%s:%d:%s: should not happen",
+			    __FILE__, __LINE__, __FUNCTION__);
+	    }
+	  }
+	}
+
+      endloop:
+
+      if (nread == -1) error_message = US"EOF from scanner";
+      else if (nread < 0) error_message = US"timeout from scanner";
+      else if (nread == 0) error_message = US"got nothing from scanner";
+      else if (buf[0] != '2') error_message = buf;
+
+      DEBUG(D_acl) debug_printf_indent("sent to avast QUIT\n");
+      if (send(malware_daemon_ctx.sock, "QUIT\n", 5, 0) == -1)
+        return m_panic_defer_3(scanent, CUS callout_address,
+          string_sprintf("unable to send quit request to socket (%s): %s",
+            scanner_options, strerror(errno)), malware_daemon_ctx.sock);
+
+      if (error_message)
+        return m_panic_defer_3(scanent, CUS callout_address, error_message, malware_daemon_ctx.sock);
+
+      }
+#endif
+  }	/* scanner type switch */
+
+  if (malware_daemon_ctx.sock >= 0)
+    (void) close (malware_daemon_ctx.sock);
+  malware_ok = TRUE;			/* set "been here, done that" marker */
+  }
+
+/* match virus name against pattern (caseless ------->----------v) */
+if (malware_name && regex_match_and_setup(re, malware_name, 0, -1))
+  {
+  DEBUG(D_acl) debug_printf_indent(
+      "Matched regex to malware [%s] [%s]\n", malware_re, malware_name);
+  return OK;
+  }
+else
+  return FAIL;
+}
+
+
+/*************************************************
+*          Scan an email for malware             *
+*************************************************/
+
+/* This is the normal interface for scanning an email, which doesn't need a
+filename; it's a wrapper around the malware_file function.
+
+Arguments:
+  malware_re  match condition for "malware="
+  timeout     if nonzero, timeout in seconds
+
+Returns:      Exim message processing code (OK, FAIL, DEFER, ...)
+              where true means malware was found (condition applies)
+*/
+int
+malware(const uschar * malware_re, int timeout)
+{
+int ret = malware_internal(malware_re, NULL, timeout);
+
+if (ret == DEFER) av_failed = TRUE;
+return ret;
+}
+
+
+/*************************************************
+*          Scan a file for malware               *
+*************************************************/
+
+/* This is a test wrapper for scanning an email, which is not used in
+normal processing.  Scan any file, using the Exim scanning interface.
+This function tampers with various global variables so is unsafe to use
+in any other context.
+
+Arguments:
+  eml_filename  a file holding the message to be scanned
+
+Returns:        Exim message processing code (OK, FAIL, DEFER, ...)
+                where true means malware was found (condition applies)
+*/
+int
+malware_in_file(uschar *eml_filename)
+{
+uschar message_id_buf[64];
+int ret;
+
+/* spool_mbox() assumes various parameters exist, when creating
+the relevant directory and the email within */
+
+(void) string_format(message_id_buf, sizeof(message_id_buf),
+    "dummy-%d", vaguely_random_number(INT_MAX));
+message_id = message_id_buf;
+sender_address = US"malware-sender@example.net";
+return_path = US"";
+recipients_list = NULL;
+receive_add_recipient(US"malware-victim@example.net", -1);
+f.enable_dollar_recipients = TRUE;
+
+ret = malware_internal(US"*", eml_filename, 0);
+
+Ustrncpy(spooled_message_id, message_id, sizeof(spooled_message_id));
+spool_mbox_ok = 1;
+
+/* don't set no_mbox_unspool; at present, there's no way for it to become
+set, but if that changes, then it should apply to these tests too */
+
+unspool_mbox();
+
+/* silence static analysis tools */
+message_id = NULL;
+
+return ret;
+}
+
+
+void
+malware_init(void)
+{
+if (!malware_default_re)
+  malware_default_re = regex_must_compile(malware_regex_default, FALSE, TRUE);
+
+#ifndef DISABLE_MAL_DRWEB
+if (!drweb_re)
+  drweb_re = regex_must_compile(drweb_re_str, FALSE, TRUE);
+#endif
+#ifndef DISABLE_MAL_FSECURE
+if (!fsec_re)
+  fsec_re = regex_must_compile(fsec_re_str, FALSE, TRUE);
+#endif
+#ifndef DISABLE_MAL_KAV
+if (!kav_re_sus)
+  kav_re_sus = regex_must_compile(kav_re_sus_str, FALSE, TRUE);
+if (!kav_re_inf)
+  kav_re_inf = regex_must_compile(kav_re_inf_str, FALSE, TRUE);
+#endif
+#ifndef DISABLE_MAL_AVAST
+if (!ava_re_clean)
+  ava_re_clean = regex_must_compile(ava_re_clean_str, FALSE, TRUE);
+if (!ava_re_virus)
+  ava_re_virus = regex_must_compile(ava_re_virus_str, FALSE, TRUE);
+if (!ava_re_error)
+  ava_re_error = regex_must_compile(ava_re_error_str, FALSE, TRUE);
+#endif
+#ifndef DISABLE_MAL_FFROT6D
+if (!fprot6d_re_error)
+  fprot6d_re_error = regex_must_compile(fprot6d_re_error_str, FALSE, TRUE);
+if (!fprot6d_re_virus)
+  fprot6d_re_virus = regex_must_compile(fprot6d_re_virus_str, FALSE, TRUE);
+#endif
+}
+
+
+gstring *
+malware_show_supported(gstring * g)
+{
+g = string_cat(g, US"Malware:");
+for (struct scan * sc = m_scans; sc->scancode != (scanner_t)-1; sc++)
+  g = string_fmt_append(g, " %s", sc->name);
+return string_cat(g, US"\n");
+}
+
+
+# endif	/*!MACRO_PREDEF*/
+#endif /*WITH_CONTENT_SCAN*/
+/*
+ * vi: aw ai sw=2
+ */
diff --git a/src/match.c b/src/match.c
new file mode 100644
index 0000000..2e4bff0
--- /dev/null
+++ b/src/match.c
@@ -0,0 +1,1352 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions for matching strings */
+
+
+#include "exim.h"
+
+
+/* Argument block for the check_string() function. This is used for general
+strings, domains, and local parts. */
+
+typedef struct check_string_block {
+  const uschar *origsubject;           /* caseful; keep these two first, in */
+  const uschar *subject;               /* step with the block below */
+  int    expand_setup;
+  BOOL   use_partial;
+  BOOL   caseless;
+  BOOL   at_is_special;
+} check_string_block;
+
+
+/* Argument block for the check_address() function. This is used for whole
+addresses. */
+
+typedef struct check_address_block {
+  const uschar *origaddress;         /* caseful; keep these two first, in */
+  uschar *address;                   /* step with the block above */
+  int    expand_setup;
+  BOOL   caseless;
+} check_address_block;
+
+
+
+/*************************************************
+*           Generalized string match             *
+*************************************************/
+
+/* This function does a single match of a subject against a pattern, and
+optionally sets up the numeric variables according to what it matched. It is
+called from match_isinlist() via match_check_list() when scanning a list, and
+from match_check_string() when testing just a single item. The subject and
+options arguments are passed in a check_string_block so as to make it easier to
+pass them through match_check_list.
+
+The possible types of pattern are:
+
+  . regular expression - starts with ^
+  . tail match - starts with *
+  . lookup - starts with search type
+  . if at_is_special is set in the argument block:
+      @              matches the primary host name
+      @[]            matches a local IP address in brackets
+      @mx_any        matches any domain with an MX to the local host
+      @mx_primary    matches any domain with a primary MX to the local host
+      @mx_secondary  matches any domain with a secondary MX to the local host
+  . literal - anything else
+
+Any of the @mx_xxx options can be followed by "/ignore=<list>" where <list> is
+a list of IP addresses that are to be ignored (typically 127.0.0.1).
+
+Arguments:
+  arg            check_string_block pointer - see below
+  pattern        the pattern to be matched
+  valueptr       if not NULL, and a lookup is done, return the result here
+                   instead of discarding it; else set it to point to NULL
+  error          for error messages (not used in this function; it never
+                   returns ERROR)
+
+Contents of the argument block:
+  origsubject    the subject in its original casing
+  subject        the subject string to be checked, lowercased if caseless
+  expand_setup   if < 0, don't set up any numeric expansion variables;
+                 if = 0, set $0 to whole subject, and either
+                   $1 to what matches * or
+                   $1, $2, ... to r.e. bracketed items
+                 if > 0, don't set $0, but do set either
+                   $n to what matches *, or
+                   $n, $n+1, ... to r.e. bracketed items
+                 (where n = expand_setup)
+  use_partial    if FALSE, override any partial- search types
+  caseless       TRUE for caseless matching where possible
+  at_is_special  enable special handling of items starting with @
+
+Returns:       OK    if matched
+               FAIL  if not matched
+               DEFER if lookup deferred
+*/
+
+static int
+check_string(void *arg, const uschar *pattern, const uschar **valueptr, uschar **error)
+{
+const check_string_block *cb = arg;
+int search_type, partial, affixlen, starflags;
+int expand_setup = cb->expand_setup;
+const uschar * affix, * opts;
+uschar *s;
+uschar *filename = NULL;
+uschar *keyquery, *result, *semicolon;
+void *handle;
+
+if (valueptr) *valueptr = NULL;
+
+/* For regular expressions, use cb->origsubject rather than cb->subject so that
+it works if the pattern uses (?-i) to turn off case-independence, overriding
+"caseless". */
+
+s = string_copy(pattern[0] == '^' ? cb->origsubject : cb->subject);
+
+/* If required to set up $0, initialize the data but don't turn on by setting
+expand_nmax until the match is assured. */
+
+expand_nmax = -1;
+if (expand_setup == 0)
+  {
+  expand_nstring[0] = s;	/* $0 (might be) the matched subject in full */
+  expand_nlength[0] = Ustrlen(s);
+  }
+else if (expand_setup > 0) expand_setup--;
+
+/* Regular expression match: compile, match, and set up $ variables if
+required. */
+
+if (pattern[0] == '^')
+  {
+  const pcre2_code * re = regex_must_compile(pattern, cb->caseless, FALSE);
+  if (expand_setup < 0
+      ? !regex_match(re, s, -1, NULL)
+      : !regex_match_and_setup(re, s, 0, expand_setup)
+     )
+    return FAIL;
+  if (valueptr) *valueptr = pattern;	/* "value" gets the RE */
+  return OK;
+  }
+
+/* Tail match */
+
+if (pattern[0] == '*')
+  {
+  int slen = Ustrlen(s);
+  int patlen;    /* Sun compiler doesn't like non-constant initializer */
+
+  patlen = Ustrlen(++pattern);
+  if (patlen > slen) return FAIL;
+  if (cb->caseless
+      ? strncmpic(s + slen - patlen, pattern, patlen) != 0
+      : Ustrncmp(s + slen - patlen, pattern, patlen) != 0)
+    return FAIL;
+  if (expand_setup >= 0)
+    {
+    expand_nstring[++expand_setup] = s;		/* write a $n, the matched subject variable-part */
+    expand_nlength[expand_setup] = slen - patlen;
+    expand_nmax = expand_setup;			/* commit also $0, the matched subject */
+    }
+  if (valueptr) *valueptr = pattern - 1;	/* "value" gets the (original) pattern */
+  return OK;
+  }
+
+/* Match a special item starting with @ if so enabled. On its own, "@" matches
+the primary host name - implement this by changing the pattern. For the other
+cases we have to do some more work. If we don't recognize a special pattern,
+just fall through - the match will fail. */
+
+if (cb->at_is_special && pattern[0] == '@')
+  {
+  if (pattern[1] == 0)
+    {
+    pattern = primary_hostname;
+    goto NOT_AT_SPECIAL;               /* Handle as exact string match */
+    }
+
+  if (Ustrcmp(pattern, "@[]") == 0)
+    {
+    int slen = Ustrlen(s);
+    if (s[0] != '[' && s[slen-1] != ']') return FAIL;		/*XXX should this be || ? */
+    for (ip_address_item * ip = host_find_interfaces(); ip; ip = ip->next)
+      if (Ustrncmp(ip->address, s+1, slen - 2) == 0
+            && ip->address[slen - 2] == 0)
+	{
+	if (expand_setup >= 0) expand_nmax = expand_setup;	/* commit $0, the IP addr */
+	if (valueptr) *valueptr = pattern;	/* "value" gets the pattern */
+        return OK;
+	}
+    return FAIL;
+    }
+
+  if (strncmpic(pattern, US"@mx_", 4) == 0)
+    {
+    int rc;
+    host_item h;
+    BOOL prim = FALSE;
+    BOOL secy = FALSE;
+    BOOL removed = FALSE;
+    const uschar *ss = pattern + 4;
+    const uschar *ignore_target_hosts = NULL;
+
+    if (strncmpic(ss, US"any", 3) == 0) ss += 3;
+    else if (strncmpic(ss, US"primary", 7) == 0)
+      {
+      ss += 7;
+      prim = TRUE;
+      }
+    else if (strncmpic(ss, US"secondary", 9) == 0)
+      {
+      ss += 9;
+      secy = TRUE;
+      }
+    else goto NOT_AT_SPECIAL;
+
+    if (strncmpic(ss, US"/ignore=", 8) == 0) ignore_target_hosts = ss + 8;
+    else if (*ss) goto NOT_AT_SPECIAL;
+
+    h.next = NULL;
+    h.name = s;
+    h.address = NULL;
+
+    rc = host_find_bydns(&h,
+      ignore_target_hosts,
+      HOST_FIND_BY_MX,     /* search only for MX, not SRV or A */
+      NULL,                /* service name not relevant */
+      NULL,                /* srv_fail_domains not relevant */
+      NULL,                /* mx_fail_domains not relevant */
+      NULL,                /* no dnssec request/require XXX ? */
+      NULL,                /* no feedback FQDN */
+      &removed);           /* feedback if local removed */
+
+    if (rc == HOST_FIND_AGAIN)
+      {
+      search_error_message = string_sprintf("DNS lookup of \"%s\" deferred", s);
+      return DEFER;
+      }
+
+    if ((rc != HOST_FOUND_LOCAL || secy) && (prim || !removed))
+      return FAIL;
+
+    if (expand_setup >= 0) expand_nmax = expand_setup;	/* commit $0, the matched subject */
+    if (valueptr) *valueptr = pattern;	/* "value" gets the patterm */
+    return OK;
+
+    /*** The above line used to be the following line, but this is incorrect,
+    because host_find_bydns() may return HOST_NOT_FOUND if it removed some MX
+    hosts, but the remaining ones were non-existent. All we are interested in
+    is whether or not it removed some hosts.
+
+    return (rc == HOST_FOUND && removed)? OK : FAIL;
+    ***/
+    }
+  }
+
+/* Escape point from code for specials that start with "@" */
+
+NOT_AT_SPECIAL:
+
+/* This is an exact string match if there is no semicolon in the pattern. */
+
+if ((semicolon = Ustrchr(pattern, ';')) == NULL)
+  {
+  if (cb->caseless ? strcmpic(s, pattern) != 0 : Ustrcmp(s, pattern) != 0)
+    return FAIL;
+  if (expand_setup >= 0) expand_nmax = expand_setup;	/* Original code!   $0 gets the matched subject */
+  if (valueptr) *valueptr = pattern;	/* "value" gets the pattern */
+  return OK;
+  }
+
+/* Otherwise we have a lookup item. The lookup type, including partial, etc. is
+the part of the string preceding the semicolon. */
+
+*semicolon = 0;
+search_type = search_findtype_partial(pattern, &partial, &affix, &affixlen,
+  &starflags, &opts);
+*semicolon = ';';
+if (search_type < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
+  search_error_message);
+
+/* Partial matching is not appropriate for certain lookups (e.g. when looking
+up user@domain for sender rejection). There's a flag to disable it. */
+
+if (!cb->use_partial) partial = -1;
+
+/* Set the parameters for the three different kinds of lookup. */
+
+keyquery = search_args(search_type, s, semicolon+1, &filename, opts);
+
+/* Now do the actual lookup; throw away the data returned unless it was asked
+for; partial matching is all handled inside search_find(). Note that there is
+no search_close() because of the caching arrangements. */
+
+if (!(handle = search_open(filename, search_type, 0, NULL, NULL)))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", search_error_message);
+result = search_find(handle, filename, keyquery, partial, affix, affixlen,
+  starflags, &expand_setup, opts);
+
+if (!result) return f.search_find_defer ? DEFER : FAIL;
+if (valueptr) *valueptr = result;
+
+expand_nmax = expand_setup;
+return OK;
+}
+
+
+
+/*************************************************
+*      Public interface to check_string()        *
+*************************************************/
+
+/* This function is called from several places where is it most convenient to
+pass the arguments individually. It places them in a check_string_block
+structure, and then calls check_string().
+
+Arguments:
+  s            the subject string to be checked
+  pattern      the pattern to check it against
+  expand_setup expansion setup option (see check_string())
+  use_partial  if FALSE, override any partial- search types
+  caseless     TRUE for caseless matching where possible
+  at_is_special TRUE to recognize @, @[], etc.
+  valueptr     if not NULL, and a file lookup was done, return the result
+                 here instead of discarding it; else set it to point to NULL
+
+Returns:       OK    if matched
+               FAIL  if not matched
+               DEFER if lookup deferred
+*/
+
+int
+match_check_string(const uschar *s, const uschar *pattern, int expand_setup,
+  BOOL use_partial, BOOL caseless, BOOL at_is_special, const uschar **valueptr)
+{
+check_string_block cb;
+cb.origsubject = s;
+cb.subject = caseless ? string_copylc(s) : string_copy(s);
+cb.expand_setup = expand_setup;
+cb.use_partial = use_partial;
+cb.caseless = caseless;
+cb.at_is_special = at_is_special;
+return check_string(&cb, pattern, valueptr, NULL);
+}
+
+
+
+/*************************************************
+*       Get key string from check block          *
+*************************************************/
+
+/* When caching the data from a lookup for a named list, we have to save the
+key that was found, because other lookups of different keys on the same list
+may occur. This function has knowledge of the different lookup types, and
+extracts the appropriate key.
+
+Arguments:
+  arg          the check block
+  type         MCL_STRING, MCL_DOMAIN, MCL_HOST, MCL_ADDRESS, or MCL_LOCALPART
+*/
+
+static const uschar *
+get_check_key(void *arg, int type)
+{
+switch(type)
+  {
+  case MCL_STRING:
+  case MCL_DOMAIN:
+  case MCL_LOCALPART:
+    return ((check_string_block *)arg)->subject;
+
+  case MCL_HOST:
+    return ((check_host_block *)arg)->host_address;
+
+  case MCL_ADDRESS:
+    return ((check_address_block *)arg)->address;
+  }
+return US"";  /* In practice, should never happen */
+}
+
+
+
+/*************************************************
+*       Scan list and run matching function      *
+*************************************************/
+
+/* This function scans a list of patterns, and runs a matching function for
+each item in the list. It is called from the functions that match domains,
+local parts, hosts, and addresses, because its overall structure is the same in
+all cases. However, the details of each particular match is different, so it
+calls back to a given function do perform an actual match.
+
+We can't quite keep the different types anonymous here because they permit
+different special cases. A pity.
+
+If a list item starts with !, that implies negation if the subject matches the
+rest of the item (ignoring white space after the !). The result when the end of
+the list is reached is FALSE unless the last item on the list is negated, in
+which case it is TRUE. A file name in the list causes its lines to be
+interpolated as if items in the list. An item starting with + is a named
+sublist, obtained by searching the tree pointed to by anchorptr, with possible
+cached match results in cache_bits.
+
+Arguments:
+  listptr      pointer to the pointer to the list
+  sep          separator character for string_nextinlist();
+                 normally zero for a standard list;
+                 sometimes UCHAR_MAX+1 for single items;
+  anchorptr    -> tree of named items, or NULL if no named items
+  cache_ptr    pointer to pointer to cache bits for named items, or
+                 pointer to NULL if not caching; may get set NULL if an
+                 uncacheable named list is encountered
+  func         function to call back to do one test
+  arg          pointer to pass to the function; the string to be matched is
+                 in the structure it points to
+  type         MCL_STRING, MCL_DOMAIN, MCL_HOST, MCL_ADDRESS, or MCL_LOCALPART
+                 these are used for some special handling
+               MCL_NOEXPAND (whose value is greater than any of them) may
+                 be added to any value to suppress expansion of the list
+  name         string to use in debugging info
+  valueptr     where to pass back data from a lookup
+
+Returns:       OK    if matched a non-negated item
+               OK    if hit end of list after a negated item
+               FAIL  if expansion force-failed
+               FAIL  if matched a negated item
+               FAIL  if hit end of list after a non-negated item
+               DEFER if a something deferred or expansion failed
+*/
+
+int
+match_check_list(const uschar **listptr, int sep, tree_node **anchorptr,
+  unsigned int **cache_ptr, int (*func)(void *,const uschar *,const uschar **,uschar **),
+  void *arg, int type, const uschar *name, const uschar **valueptr)
+{
+int yield = OK;
+unsigned int * original_cache_bits = *cache_ptr;
+BOOL include_unknown = FALSE, ignore_unknown = FALSE,
+      include_defer = FALSE, ignore_defer = FALSE;
+const uschar *list;
+uschar *sss;
+uschar *ot = NULL;
+
+/* Save time by not scanning for the option name when we don't need it. */
+
+HDEBUG(D_any)
+  {
+  uschar * listname = readconf_find_option(listptr);
+  if (*listname) ot = string_sprintf("%s in %s?", name, listname);
+  }
+
+/* If the list is empty, the answer is no. Skip the debugging output for
+an unnamed list. */
+
+if (!*listptr)
+  {
+  HDEBUG(D_lists) if (ot) debug_printf_indent("%s no (option unset)\n", ot);
+  return FAIL;
+  }
+
+/* Expand the list before we scan it. A forced expansion gives the answer
+"not in list"; other expansion errors cause DEFER to be returned. However,
+if the type value is greater than or equal to than MCL_NOEXPAND, do not expand
+the list. */
+
+if (type >= MCL_NOEXPAND)
+  {
+  list = *listptr;
+  type -= MCL_NOEXPAND;       /* Remove the "no expand" flag */
+  }
+else
+  {
+  /* If we are searching a domain list, and $domain is not set, set it to the
+  subject that is being sought for the duration of the expansion. */
+
+  if (type == MCL_DOMAIN && !deliver_domain)
+    {
+    check_string_block *cb = (check_string_block *)arg;
+    deliver_domain = string_copy(cb->subject);
+    list = expand_cstring(*listptr);
+    deliver_domain = NULL;
+    }
+  else
+    list = expand_cstring(*listptr);
+
+  if (!list)
+    {
+    if (f.expand_string_forcedfail)
+      {
+      HDEBUG(D_lists) debug_printf_indent("expansion of \"%s\" forced failure: "
+        "assume not in this list\n", *listptr);
+      return FAIL;
+      }
+    log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" while checking "
+      "a list: %s", *listptr, expand_string_message);
+    return DEFER;
+    }
+  }
+
+/* For an unnamed list, use the expanded version in comments */
+#define LIST_LIMIT_PR 2048
+
+HDEBUG(D_any) if (!ot)
+  {
+  int n, m;
+  gstring * g = string_fmt_append(NULL, "%s in \"%n%.*s%n\"",
+    name, &n, LIST_LIMIT_PR, list, &m);
+  if (m - n >= LIST_LIMIT_PR) g = string_catn(g, US"...", 3);
+  g = string_catn(g, US"?", 1);
+  gstring_release_unused(g);
+  ot = string_from_gstring(g);
+  }
+
+/* Now scan the list and process each item in turn, until one of them matches,
+or we hit an error. */
+
+while ((sss = string_nextinlist(&list, &sep, NULL, 0)))
+  {
+  uschar * ss = sss;
+
+  /* Address lists may contain +caseful, to restore caseful matching of the
+  local part. We have to know the layout of the control block, unfortunately.
+  The lower cased address is in a temporary buffer, so we just copy the local
+  part back to the start of it (if a local part exists). */
+
+  if (type == MCL_ADDRESS)
+    {
+    if (Ustrcmp(ss, "+caseful") == 0)
+      {
+      check_address_block *cb = (check_address_block *)arg;
+      uschar *at = Ustrrchr(cb->origaddress, '@');
+
+      if (at)
+        Ustrncpy(cb->address, cb->origaddress, at - cb->origaddress);
+      cb->caseless = FALSE;
+      continue;
+      }
+    }
+
+  /* Similar processing for local parts */
+
+  else if (type == MCL_LOCALPART)
+    {
+    if (Ustrcmp(ss, "+caseful") == 0)
+      {
+      check_string_block *cb = (check_string_block *)arg;
+      Ustrcpy(US cb->subject, cb->origsubject);
+      cb->caseless = FALSE;
+      continue;
+      }
+    }
+
+  /* If the host item is "+include_unknown" or "+ignore_unknown", remember it
+  in case there's a subsequent failed reverse lookup. There is similar
+  processing for "defer". */
+
+  else if (type == MCL_HOST && *ss == '+')
+    {
+    if (Ustrcmp(ss, "+include_unknown") == 0)
+      {
+      include_unknown = TRUE;
+      ignore_unknown = FALSE;
+      continue;
+      }
+    if (Ustrcmp(ss, "+ignore_unknown") == 0)
+      {
+      ignore_unknown = TRUE;
+      include_unknown = FALSE;
+      continue;
+      }
+    if (Ustrcmp(ss, "+include_defer") == 0)
+      {
+      include_defer = TRUE;
+      ignore_defer = FALSE;
+      continue;
+      }
+    if (Ustrcmp(ss, "+ignore_defer") == 0)
+      {
+      ignore_defer = TRUE;
+      include_defer = FALSE;
+      continue;
+      }
+    }
+
+  /* Starting with ! specifies a negative item. It is theoretically possible
+  for a local part to start with !. In that case, a regex has to be used. */
+
+  if (*ss == '!')
+    {
+    yield = FAIL;
+    while (isspace((*(++ss))));
+    }
+  else
+    yield = OK;
+
+  /* If the item does not begin with '/', it might be a + item for a named
+  list. Otherwise, it is just a single list entry that has to be matched.
+  We recognize '+' only when supplied with a tree of named lists. */
+
+  if (*ss != '/')
+    {
+    if (*ss == '+' && anchorptr)
+      {
+      int bits = 0;
+      int offset = 0;
+      int shift = 0;
+      unsigned int *use_cache_bits = original_cache_bits;
+      uschar *cached = US"";
+      namedlist_block *nb;
+      tree_node * t;
+
+      if (!(t = tree_search(*anchorptr, ss+1)))
+	{
+        log_write(0, LOG_MAIN|LOG_PANIC, "unknown named%s list \"%s\"",
+          type == MCL_DOMAIN ?    " domain" :
+          type == MCL_HOST ?      " host" :
+          type == MCL_ADDRESS ?   " address" :
+          type == MCL_LOCALPART ? " local part" : "",
+          ss);
+	return DEFER;
+	}
+      nb = t->data.ptr;
+
+      /* If the list number is negative, it means that this list is not
+      cacheable because it contains expansion items. */
+
+      if (nb->number < 0) use_cache_bits = NULL;
+
+      /* If we have got a cache pointer, get the bits. This is not an "else"
+      because the pointer may be NULL from the start if caching is not
+      required. */
+
+      if (use_cache_bits)
+        {
+        offset = (nb->number)/16;
+        shift = ((nb->number)%16)*2;
+        bits = use_cache_bits[offset] & (3 << shift);
+        }
+
+      /* Not previously tested or no cache - run the full test */
+
+      if (bits == 0)
+        {
+        switch (match_check_list(&(nb->string), 0, anchorptr, &use_cache_bits,
+                func, arg, type, name, valueptr))
+          {
+          case OK:   bits = 1; break;
+          case FAIL: bits = 3; break;
+          case DEFER: goto DEFER_RETURN;
+          }
+
+        /* If this list was uncacheable, or a sublist turned out to be
+        uncacheable, the value of use_cache_bits will now be NULL, even if it
+        wasn't before. Ensure that this is passed up to the next level.
+        Otherwise, remember the result of the search in the cache. */
+
+        if (!use_cache_bits)
+          *cache_ptr = NULL;
+        else
+          {
+          use_cache_bits[offset] |= bits << shift;
+
+          if (valueptr)
+            {
+            int old_pool = store_pool;
+            namedlist_cacheblock *p;
+
+            /* Cached data for hosts persists over more than one message,
+            so we use the permanent store pool */
+
+            store_pool = POOL_PERM;
+            p = store_get(sizeof(namedlist_cacheblock), GET_UNTAINTED);
+            p->key = string_copy(get_check_key(arg, type));
+
+
+            p->data = *valueptr ? string_copy(*valueptr) : NULL;
+            store_pool = old_pool;
+
+            p->next = nb->cache_data;
+            nb->cache_data = p;
+            if (*valueptr)
+              DEBUG(D_lists) debug_printf_indent("data from lookup saved for "
+                "cache for %s: key '%s' value '%s'\n", ss, p->key, *valueptr);
+            }
+          }
+        }
+
+       /* Previously cached; to find a lookup value, search a chain of values
+       and compare keys. Typically, there is only one such, but it is possible
+       for different keys to have matched the same named list. */
+
+      else
+        {
+        DEBUG(D_lists) debug_printf_indent("cached %s match for %s\n",
+          (bits & (-bits)) == bits ? "yes" : "no", ss);
+
+        cached = US" - cached";
+        if (valueptr)
+          {
+          const uschar *key = get_check_key(arg, type);
+
+          for (namedlist_cacheblock * p = nb->cache_data; p; p = p->next)
+            if (Ustrcmp(key, p->key) == 0)
+              {
+              *valueptr = p->data;
+              break;
+              }
+          DEBUG(D_lists) debug_printf_indent("cached lookup data = %s\n", *valueptr);
+          }
+        }
+
+      /* Result of test is indicated by value in bits. For each test, we
+      have 00 => untested, 01 => tested yes, 11 => tested no. */
+
+      if ((bits & (-bits)) == bits)    /* Only one of the two bits is set */
+        {
+        HDEBUG(D_lists) debug_printf_indent("%s %s (matched \"%s\"%s)\n", ot,
+          yield == OK ? "yes" : "no", sss, cached);
+        return yield;
+        }
+      }
+
+    /* Run the provided function to do the individual test. */
+
+    else
+      {
+      uschar * error = NULL;
+      switch ((func)(arg, ss, valueptr, &error))
+        {
+        case OK:
+	  HDEBUG(D_lists) debug_printf_indent("%s %s (matched \"%s\")\n", ot,
+	    (yield == OK)? "yes" : "no", sss);
+	  return yield;
+
+        case DEFER:
+	  if (!error)
+	    error = string_sprintf("DNS lookup of \"%s\" deferred", ss);
+	  if (ignore_defer)
+	    {
+	    HDEBUG(D_lists) debug_printf_indent("%s: item ignored by +ignore_defer\n",
+	      error);
+	    break;
+	    }
+	  if (include_defer)
+	    {
+	    log_write(0, LOG_MAIN, "%s: accepted by +include_defer", error);
+	    return OK;
+	    }
+	  if (!search_error_message) search_error_message = error;
+	  goto DEFER_RETURN;
+
+        /* The ERROR return occurs when checking hosts, when either a forward
+        or reverse lookup has failed. It can also occur in a match_ip list if a
+        non-IP address item is encountered. The error string gives details of
+        which it was. */
+
+        case ERROR:
+	  if (ignore_unknown)
+	    {
+	    HDEBUG(D_lists) debug_printf_indent("%s: item ignored by +ignore_unknown\n",
+	      error);
+	    }
+	  else
+	    {
+	    HDEBUG(D_lists) debug_printf_indent("%s %s (%s)\n", ot,
+	      include_unknown? "yes":"no", error);
+	    if (!include_unknown)
+	      {
+	      if (LOGGING(unknown_in_list))
+		log_write(0, LOG_MAIN, "list matching forced to fail: %s", error);
+	      return FAIL;
+	      }
+	    log_write(0, LOG_MAIN, "%s: accepted by +include_unknown", error);
+	    return OK;
+	    }
+        }
+      }
+    }
+
+  /* If the item is a file name, we read the file and do a match attempt
+  on each line in the file, including possibly more negation processing. */
+
+  else
+    {
+    int file_yield = yield;       /* In case empty file */
+    uschar * filename = ss;
+    FILE * f = Ufopen(filename, "rb");
+    uschar filebuffer[1024];
+
+    /* ot will be null in non-debugging cases, and anyway, we get better
+    wording by reworking it. */
+
+    if (!f)
+      {
+      uschar * listname = readconf_find_option(listptr);
+      if (listname[0] == 0)
+        listname = string_sprintf("\"%s\"", *listptr);
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
+        string_open_failed("%s when checking %s", sss, listname));
+      }
+
+    /* Trailing comments are introduced by #, but in an address list or local
+    part list, the # must be preceded by white space or the start of the line,
+    because the # character is a legal character in local parts. */
+
+    while (Ufgets(filebuffer, sizeof(filebuffer), f) != NULL)
+      {
+      uschar *error;
+      uschar *sss = filebuffer;
+
+      while ((ss = Ustrchr(sss, '#')) != NULL)
+        {
+        if ((type != MCL_ADDRESS && type != MCL_LOCALPART) ||
+              ss == filebuffer || isspace(ss[-1]))
+          {
+          *ss = 0;
+          break;
+          }
+        sss = ss + 1;
+        }
+
+      ss = filebuffer + Ustrlen(filebuffer);		/* trailing space */
+      while (ss > filebuffer && isspace(ss[-1])) ss--;
+      *ss = 0;
+
+      ss = filebuffer;
+      while (isspace(*ss)) ss++;			/* leading space */
+
+      if (!*ss) continue;				/* ignore empty */
+
+      file_yield = yield;				/* positive yield */
+      sss = ss;						/* for debugging */
+
+      if (*ss == '!')					/* negation */
+        {
+        file_yield = (file_yield == OK)? FAIL : OK;
+        while (isspace((*(++ss))));
+        }
+
+      switch ((func)(arg, ss, valueptr, &error))
+        {
+        case OK:
+	  (void)fclose(f);
+	  HDEBUG(D_lists) debug_printf_indent("%s %s (matched \"%s\" in %s)\n", ot,
+	    yield == OK ? "yes" : "no", sss, filename);
+
+	  /* The "pattern" being matched came from the file; we use a stack-local.
+	  Copy it to allocated memory now we know it matched. */
+
+	  if (valueptr) *valueptr = string_copy(ss);
+	  return file_yield;
+
+        case DEFER:
+	  if (!error)
+	    error = string_sprintf("DNS lookup of %s deferred", ss);
+	  if (ignore_defer)
+	    {
+	    HDEBUG(D_lists) debug_printf_indent("%s: item ignored by +ignore_defer\n",
+	      error);
+	    break;
+	    }
+	  (void)fclose(f);
+	  if (include_defer)
+	    {
+	    log_write(0, LOG_MAIN, "%s: accepted by +include_defer", error);
+	    return OK;
+	    }
+	  goto DEFER_RETURN;
+
+        case ERROR:		/* host name lookup failed - this can only */
+	  if (ignore_unknown)	/* be for an incoming host (not outgoing) */
+	    {
+	    HDEBUG(D_lists) debug_printf_indent("%s: item ignored by +ignore_unknown\n",
+	      error);
+	    }
+	  else
+	   {
+	    HDEBUG(D_lists) debug_printf_indent("%s %s (%s)\n", ot,
+	      include_unknown? "yes":"no", error);
+	    (void)fclose(f);
+	    if (!include_unknown)
+	      {
+	      if (LOGGING(unknown_in_list))
+		log_write(0, LOG_MAIN, "list matching forced to fail: %s", error);
+	      return FAIL;
+	      }
+	    log_write(0, LOG_MAIN, "%s: accepted by +include_unknown", error);
+	    return OK;
+	    }
+        }
+      }
+
+    /* At the end of the file, leave the yield setting at the final setting
+    for the file, in case this is the last item in the list. */
+
+    yield = file_yield;
+    (void)fclose(f);
+    }
+  }    /* Loop for the next item on the top-level list */
+
+/* End of list reached: if the last item was negated yield OK, else FAIL. */
+
+HDEBUG(D_lists)
+  debug_printf_indent("%s %s (end of list)\n", ot, yield == OK ? "no":"yes");
+return yield == OK ? FAIL : OK;
+
+/* Something deferred */
+
+DEFER_RETURN:
+HDEBUG(D_lists) debug_printf("%s list match deferred for %s\n", ot, sss);
+return DEFER;
+}
+
+
+/*************************************************
+*          Match in colon-separated list         *
+*************************************************/
+
+/* This function is used for domain lists and local part lists. It is not used
+for host lists or address lists, which have additional interpretation of the
+patterns. Some calls of it set sep > UCHAR_MAX in order to use its matching
+facilities on single items. When this is done, it arranges to set the numerical
+variables as a result of the match.
+
+This function is now just a short interface to match_check_list(), which does
+list scanning in a general way. A good compiler will optimize the tail
+recursion.
+
+Arguments:
+  s              string to search for
+  listptr        ptr to ptr to colon separated list of patterns, or NULL
+  sep            a separator value for the list (see string_nextinlist())
+  anchorptr      ptr to tree for named items, or NULL if no named items
+  cache_bits     ptr to cache_bits for ditto, or NULL if not caching
+  type           MCL_DOMAIN when matching a domain list
+                 MCL_LOCALPART when matching a local part list (address lists
+                   have their own function)
+                 MCL_STRING for others (e.g. list of ciphers)
+                 MCL_NOEXPAND (whose value is greater than any of them) may
+                   be added to any value to suppress expansion of the list
+  caseless       TRUE for (mostly) caseless matching - passed directly to
+                   match_check_string()
+  valueptr       pointer to where any lookup data is to be passed back,
+                 or NULL (just passed on to match_check_string)
+
+Returns:         OK    if matched a non-negated item
+                 OK    if hit end of list after a negated item
+                 FAIL  if expansion force-failed
+                 FAIL  if matched a negated item
+                 FAIL  if hit end of list after a non-negated item
+                 DEFER if a lookup deferred
+*/
+
+int
+match_isinlist(const uschar *s, const uschar **listptr, int sep,
+   tree_node **anchorptr,
+  unsigned int *cache_bits, int type, BOOL caseless, const uschar **valueptr)
+{
+unsigned int *local_cache_bits = cache_bits;
+check_string_block cb;
+cb.origsubject = s;
+cb.subject = caseless ? string_copylc(s) : string_copy(s);
+cb.at_is_special = FALSE;
+switch (type & ~MCL_NOEXPAND)
+  {
+  case MCL_DOMAIN:	cb.at_is_special = TRUE;	/*FALLTHROUGH*/
+  case MCL_LOCALPART:	cb.expand_setup = 0;				break;
+  default:		cb.expand_setup = sep > UCHAR_MAX ? 0 : -1;	break;
+  }
+cb.use_partial = TRUE;
+cb.caseless = caseless;
+if (valueptr) *valueptr = NULL;
+return  match_check_list(listptr, sep, anchorptr, &local_cache_bits,
+  check_string, &cb, type, s, valueptr);
+}
+
+
+
+/*************************************************
+*    Match address to single address-list item   *
+*************************************************/
+
+/* This function matches an address to an item from an address list. It is
+called from match_address_list() via match_check_list(). That is why most of
+its arguments are in an indirect block.
+
+Arguments:
+  arg            the argument block (see below)
+  pattern        the pattern to match
+  valueptr       where to return a value
+  error          for error messages (not used in this function; it never
+                   returns ERROR)
+
+The argument block contains:
+  address        the start of the subject address; when called from retry.c
+                   it may be *@domain if the local part isn't relevant
+  origaddress    the original, un-case-forced address (not used here, but used
+                   in match_check_list() when +caseful is encountered)
+  expand_setup   controls setting up of $n variables
+  caseless       TRUE for caseless local part matching
+
+Returns:         OK     for a match
+                 FAIL   for no match
+                 DEFER  if a lookup deferred
+*/
+
+static int
+check_address(void *arg, const uschar *pattern, const uschar **valueptr, uschar **error)
+{
+check_address_block * cb = (check_address_block *)arg;
+check_string_block csb;
+int rc;
+int expand_inc = 0;
+unsigned int * null = NULL;
+const uschar * listptr;
+uschar * subject = cb->address;
+const uschar * s;
+uschar * pdomain, * sdomain;
+uschar * value = NULL;
+
+DEBUG(D_lists) debug_printf_indent("address match test: subject=%s pattern=%s\n",
+  subject, pattern);
+
+/* Find the subject's domain */
+
+sdomain = Ustrrchr(subject, '@');
+
+/* The only case where a subject may not have a domain is if the subject is
+empty. Otherwise, a subject with no domain is a serious configuration error. */
+
+if (sdomain == NULL && *subject != 0)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "no @ found in the subject of an "
+    "address list match: subject=\"%s\" pattern=\"%s\"", subject, pattern);
+  return FAIL;
+  }
+
+/* Handle a regular expression, which must match the entire incoming address.
+This may be the empty address. */
+
+if (*pattern == '^')
+  return match_check_string(subject, pattern, cb->expand_setup, TRUE,
+    cb->caseless, FALSE, NULL);
+
+/* Handle a pattern that is just a lookup. Skip over possible lookup names
+(letters, digits, hyphens). Skip over a possible * or *@ at the end. Then we
+must have a semicolon for it to be a lookup. */
+
+for (s = pattern; isalnum(*s) || *s == '-'; s++);
+if (*s == '*') s++;
+if (*s == '@') s++;
+
+/* If it is a straight lookup, do a lookup for the whole address. This may be
+the empty address. Partial matching doesn't make sense here, so we ignore it,
+but write a panic log entry. However, *@ matching will be honoured. */
+
+if (*s == ';')
+  {
+  if (Ustrncmp(pattern, "partial-", 8) == 0)
+    log_write(0, LOG_MAIN|LOG_PANIC, "partial matching is not applicable to "
+      "whole-address lookups: ignored \"partial-\" in \"%s\"", pattern);
+  return match_check_string(subject, pattern, -1, FALSE, cb->caseless, FALSE,
+    valueptr);
+  }
+
+/* For the remaining cases, an empty subject matches only an empty pattern,
+because other patterns expect to have a local part and a domain to match
+against. */
+
+if (!*subject) return *pattern ? FAIL : OK;
+
+/* If the pattern starts with "@@" we have a split lookup, where the domain is
+looked up to obtain a list of local parts. If the subject's local part is just
+"*" (called from retry) the match always fails. */
+
+if (pattern[0] == '@' && pattern[1] == '@')
+  {
+  int watchdog = 50;
+  uschar *list, *ss;
+
+  if (sdomain == subject + 1 && *subject == '*') return FAIL;
+
+  /* Loop for handling chains. The last item in any list may be of the form
+  ">name" in order to chain on to another list. */
+
+  for (const uschar * key = sdomain + 1; key && watchdog-- > 0; )
+    {
+    int sep = 0;
+
+    if ((rc = match_check_string(key, pattern + 2, -1, TRUE, FALSE, FALSE,
+      CUSS &list)) != OK) return rc;
+
+    /* Check for chaining from the last item; set up the next key if one
+    is found. */
+
+    ss = Ustrrchr(list, ':');
+    if (ss == NULL) ss = list; else ss++;
+    while (isspace(*ss)) ss++;
+    if (*ss == '>')
+      {
+      *ss++ = 0;
+      while (isspace(*ss)) ss++;
+      key = string_copy(ss);
+      }
+    else key = NULL;
+
+    /* Look up the local parts provided by the list; negation is permitted.
+    If a local part has to begin with !, a regex can be used. */
+
+    while ((ss = string_nextinlist(CUSS &list, &sep, NULL, 0)))
+      {
+      int local_yield;
+
+      if (*ss == '!')
+        {
+        local_yield = FAIL;
+        while (isspace((*(++ss))));
+        }
+      else local_yield = OK;
+
+      *sdomain = 0;
+      rc = match_check_string(subject, ss, -1, TRUE, cb->caseless, FALSE,
+        valueptr);
+      *sdomain = '@';
+
+      switch(rc)
+        {
+        case OK:
+        return local_yield;
+
+        case DEFER:
+        return DEFER;
+        }
+      }
+    }
+
+  /* End of chain loop; panic if too many times */
+
+  if (watchdog <= 0)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Loop detected in lookup of "
+      "local part of %s in %s", subject, pattern);
+
+  /* Otherwise the local part check has failed, so the whole match
+  fails. */
+
+  return FAIL;
+  }
+
+
+/* We get here if the pattern is not a lookup or a regular expression. If it
+contains an @ there is both a local part and a domain. */
+
+pdomain = Ustrrchr(pattern, '@');
+if (pdomain != NULL)
+  {
+  int pllen, sllen;
+
+  /* If the domain in the pattern is empty or one of the special cases [] or
+  mx_{any,primary,secondary}, and the local part in the pattern ends in "@",
+  we have a pattern of the form <something>@@, <something>@@[], or
+  <something>@@mx_{any,primary,secondary}. These magic "domains" are
+  automatically interpreted in match_check_string. We just need to arrange that
+  the leading @ is included in the domain. */
+
+  if (pdomain > pattern && pdomain[-1] == '@' &&
+       (pdomain[1] == 0 ||
+        Ustrcmp(pdomain+1, "[]") == 0 ||
+        Ustrcmp(pdomain+1, "mx_any") == 0 ||
+        Ustrcmp(pdomain+1, "mx_primary") == 0 ||
+        Ustrcmp(pdomain+1, "mx_secondary") == 0))
+    pdomain--;
+
+  pllen = pdomain - pattern;
+  sllen = sdomain - subject;
+
+  /* Compare the local parts in the subject and the pattern */
+
+  if (*pattern == '*')
+    {
+    int cllen = pllen - 1;
+    if (sllen < cllen) return FAIL;
+    if (cb->caseless
+        ? strncmpic(subject+sllen-cllen, pattern + 1, cllen) != 0
+        : Ustrncmp(subject+sllen-cllen, pattern + 1, cllen) != 0)
+        return FAIL;
+    if (cb->expand_setup > 0)
+      {
+      expand_nstring[cb->expand_setup] = subject;
+      expand_nlength[cb->expand_setup] = sllen - cllen;
+      expand_inc = 1;
+      }
+    value = string_copyn(pattern + 1, cllen);
+    }
+  else
+    {
+    if (sllen != pllen) return FAIL;
+    if (cb->caseless
+        ? strncmpic(subject, pattern, sllen) != 0
+	: Ustrncmp(subject, pattern, sllen) != 0) return FAIL;
+    }
+    value = string_copyn(pattern, sllen);
+  }
+
+/* If the local part matched, or was not being checked, check the domain using
+the generalized function, which supports file lookups (which may defer). The
+original code read as follows:
+
+  return match_check_string(sdomain + 1,
+      pdomain ? pdomain + 1 : pattern,
+      cb->expand_setup + expand_inc, TRUE, cb->caseless, TRUE, NULL);
+
+This supported only literal domains and *.x.y patterns. In order to allow for
+named domain lists (so that you can right, for example, "senders=+xxxx"), it
+was changed to use the list scanning function. */
+
+csb.origsubject = sdomain + 1;
+csb.subject = cb->caseless ? string_copylc(sdomain+1) : string_copy(sdomain+1);
+csb.expand_setup = cb->expand_setup + expand_inc;
+csb.use_partial = TRUE;
+csb.caseless = cb->caseless;
+csb.at_is_special = TRUE;
+
+listptr = pdomain ? pdomain + 1 : pattern;
+if (valueptr) *valueptr = NULL;
+
+  {
+  const uschar * dvalue = NULL;
+  rc = match_check_list(
+    &listptr,                  /* list of one item */
+    UCHAR_MAX+1,               /* impossible separator; single item */
+    &domainlist_anchor,        /* it's a domain list */
+    &null,                     /* ptr to NULL means no caching */
+    check_string,              /* the function to do one test */
+    &csb,                      /* its data */
+    MCL_DOMAIN + MCL_NOEXPAND, /* domain list; don't expand */
+    csb.subject,               /* string for messages */
+    &dvalue);                       /* where to pass back lookup data */
+  if (valueptr && (value || dvalue))
+    *valueptr = string_sprintf("%s@%s",
+		  value ? value : US"", dvalue ? dvalue : US"");
+  }
+return rc;
+}
+
+
+
+
+/*************************************************
+*    Test whether address matches address list   *
+*************************************************/
+
+/* This function is given an address and a list of things to match it against.
+The list may contain individual addresses, regular expressions, lookup
+specifications, and indirection via bare files. Negation is supported. The
+address to check can consist of just a domain, which will then match only
+domain items or items specified as *@domain.
+
+Domains are always lower cased before the match. Local parts are also lower
+cased unless "caseless" is false. The work of actually scanning the list is
+done by match_check_list(), with an appropriate block of arguments and a
+callback to check_address(). During caseless matching, it will recognize
++caseful and revert to caseful matching.
+
+Arguments:
+  address         address to test
+  caseless        TRUE to start in caseless state
+  expand          TRUE to allow list expansion
+  listptr         list to check against
+  cache_bits      points to cache bits for named address lists, or NULL
+  expand_setup    controls setting up of $n variables - passed through
+                  to check_address (q.v.)
+  sep             separator character for the list;
+                  may be 0 to get separator from the list;
+                  may be UCHAR_MAX+1 for one-item list
+  valueptr        where to return a lookup value, or NULL
+
+Returns:          OK    for a positive match, or end list after a negation;
+                  FAIL  for a negative match, or end list after non-negation;
+                  DEFER if a lookup deferred
+*/
+
+int
+match_address_list(const uschar *address, BOOL caseless, BOOL expand,
+  const uschar **listptr, unsigned int *cache_bits, int expand_setup, int sep,
+  const uschar **valueptr)
+{
+check_address_block ab;
+unsigned int *local_cache_bits = cache_bits;
+int len;
+
+/* RFC 2505 recommends that for spam checking, local parts should be caselessly
+compared. Therefore, Exim now forces the entire address into lower case here,
+provided that "caseless" is set. (It is FALSE for calls for matching rewriting
+patterns.) Otherwise just the domain is lower cases. A magic item "+caseful" in
+the list can be used to restore a caseful copy of the local part from the
+original address.
+Limit the subject address size to avoid mem-exhaustion attacks.  The size chosen
+is historical (we used to use big_buffer here). */
+
+if ((len = Ustrlen(address)) > BIG_BUFFER_SIZE) len = BIG_BUFFER_SIZE;
+ab.address = string_copyn(address, len);
+
+for (uschar * p = ab.address + len - 1; p >= ab.address; p--)
+  {
+  if (!caseless && *p == '@') break;
+  *p = tolower(*p);
+  }
+
+/* If expand_setup is zero, we need to set up $0 to the whole thing, in
+case there is a match. Can't use the built-in facilities of match_check_string
+(via check_address), as we may just be calling that for part of the address
+(the domain). */
+
+if (expand_setup == 0)
+  {
+  expand_nstring[0] = string_copy(address);
+  expand_nlength[0] = Ustrlen(address);
+  expand_setup++;
+  }
+
+/* Set up the data to be passed ultimately to check_address. */
+
+ab.origaddress = address;
+/* ab.address is above */
+ab.expand_setup = expand_setup;
+ab.caseless = caseless;
+
+return match_check_list(listptr, sep, &addresslist_anchor, &local_cache_bits,
+  check_address, &ab, MCL_ADDRESS + (expand? 0:MCL_NOEXPAND), address,
+    valueptr);
+}
+
+/* Simpler version of match_address_list; always caseless, expanding,
+no cache bits, no value-return.
+
+Arguments:
+  address         address to test
+  listptr         list to check against
+  sep             separator character for the list;
+                  may be 0 to get separator from the list;
+                  may be UCHAR_MAX+1 for one-item list
+
+Returns:          OK    for a positive match, or end list after a negation;
+                  FAIL  for a negative match, or end list after non-negation;
+                  DEFER if a lookup deferred
+*/
+
+int
+match_address_list_basic(const uschar *address, const uschar **listptr, int sep)
+{
+return match_address_list(address, TRUE, TRUE, listptr, NULL, -1, sep, NULL);
+}
+
+/* End of match.c */
diff --git a/src/md5.c b/src/md5.c
new file mode 100644
index 0000000..fdb144e
--- /dev/null
+++ b/src/md5.c
@@ -0,0 +1,355 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#ifndef STAND_ALONE
+#include "exim.h"
+
+/* For stand-alone testing, we need to have the structure defined, and
+to be able to do I/O */
+
+#else
+#include <stdio.h>
+#include "../mytypes.h"
+typedef struct md5 {
+  unsigned int length;
+  unsigned int abcd[4];
+  }
+md5;
+#endif
+
+
+
+/*************************************************
+*        Start off a new MD5 computation.        *
+*************************************************/
+
+/*
+Argument:  pointer to md5 storage structure
+Returns:   nothing
+*/
+
+void
+md5_start(md5 *base)
+{
+base->abcd[0] = 0x67452301;
+base->abcd[1] = 0xefcdab89;
+base->abcd[2] = 0x98badcfe;
+base->abcd[3] = 0x10325476;
+base->length = 0;
+}
+
+
+
+/*************************************************
+*       Process another 64-byte block            *
+*************************************************/
+
+/* This function implements central part of the algorithm which is described
+in RFC 1321.
+
+Arguments:
+  base       pointer to md5 storage structure
+  text       pointer to next 64 bytes of subject text
+
+Returns:     nothing
+*/
+
+void
+md5_mid(md5 *base, const uschar *text)
+{
+register unsigned int a = base->abcd[0];
+register unsigned int b = base->abcd[1];
+register unsigned int c = base->abcd[2];
+register unsigned int d = base->abcd[3];
+unsigned int X[16];
+base->length += 64;
+
+/* Load the 64 bytes into a set of working integers, treating them as 32-bit
+numbers in little-endian order. */
+
+for (int i = 0; i < 16; i++)
+  {
+  X[i] = (unsigned int)(text[0]) |
+         ((unsigned int)(text[1]) << 8) |
+         ((unsigned int)(text[2]) << 16) |
+         ((unsigned int)(text[3]) << 24);
+  text += 4;
+  }
+
+/* For each round of processing there is a function to be applied. We define it
+as a macro each time round. */
+
+/***********************************************
+*                    Round 1                   *
+*            F(X,Y,Z) = XY v not(X) Z          *
+* a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s) *
+***********************************************/
+
+#define OP(a, b, c, d, k, s, ti) \
+     a += ((b & c) | (~b & d)) + X[k] + (unsigned int)ti; \
+     a = b + ((a << s) | (a >> (32 - s)))
+
+OP(a, b, c, d,  0,  7, 0xd76aa478);
+OP(d, a, b, c,  1, 12, 0xe8c7b756);
+OP(c, d, a, b,  2, 17, 0x242070db);
+OP(b, c, d, a,  3, 22, 0xc1bdceee);
+OP(a, b, c, d,  4,  7, 0xf57c0faf);
+OP(d, a, b, c,  5, 12, 0x4787c62a);
+OP(c, d, a, b,  6, 17, 0xa8304613);
+OP(b, c, d, a,  7, 22, 0xfd469501);
+OP(a, b, c, d,  8,  7, 0x698098d8);
+OP(d, a, b, c,  9, 12, 0x8b44f7af);
+OP(c, d, a, b, 10, 17, 0xffff5bb1);
+OP(b, c, d, a, 11, 22, 0x895cd7be);
+OP(a, b, c, d, 12,  7, 0x6b901122);
+OP(d, a, b, c, 13, 12, 0xfd987193);
+OP(c, d, a, b, 14, 17, 0xa679438e);
+OP(b, c, d, a, 15, 22, 0x49b40821);
+
+#undef OP
+
+/***********************************************
+*                    Round 2                   *
+*            F(X,Y,Z) = XZ v Y not(Z)          *
+* a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s) *
+***********************************************/
+
+#define OP(a, b, c, d, k, s, ti) \
+     a += ((b & d) | (c & ~d)) + X[k] + (unsigned int)ti; \
+     a = b + ((a << s) | (a >> (32 - s)))
+
+OP(a, b, c, d,  1,  5, 0xf61e2562);
+OP(d, a, b, c,  6,  9, 0xc040b340);
+OP(c, d, a, b, 11, 14, 0x265e5a51);
+OP(b, c, d, a,  0, 20, 0xe9b6c7aa);
+OP(a, b, c, d,  5,  5, 0xd62f105d);
+OP(d, a, b, c, 10,  9, 0x02441453);
+OP(c, d, a, b, 15, 14, 0xd8a1e681);
+OP(b, c, d, a,  4, 20, 0xe7d3fbc8);
+OP(a, b, c, d,  9,  5, 0x21e1cde6);
+OP(d, a, b, c, 14,  9, 0xc33707d6);
+OP(c, d, a, b,  3, 14, 0xf4d50d87);
+OP(b, c, d, a,  8, 20, 0x455a14ed);
+OP(a, b, c, d, 13,  5, 0xa9e3e905);
+OP(d, a, b, c,  2,  9, 0xfcefa3f8);
+OP(c, d, a, b,  7, 14, 0x676f02d9);
+OP(b, c, d, a, 12, 20, 0x8d2a4c8a);
+
+#undef OP
+
+/***********************************************
+*                    Round 3                   *
+*            F(X,Y,Z) = X xor Y xor Z          *
+* a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s) *
+***********************************************/
+
+#define OP(a, b, c, d, k, s, ti) \
+     a += (b ^ c ^ d) + X[k] + (unsigned int)ti; \
+     a = b + ((a << s) | (a >> (32 - s)))
+
+OP(a, b, c, d,  5,  4, 0xfffa3942);
+OP(d, a, b, c,  8, 11, 0x8771f681);
+OP(c, d, a, b, 11, 16, 0x6d9d6122);
+OP(b, c, d, a, 14, 23, 0xfde5380c);
+OP(a, b, c, d,  1,  4, 0xa4beea44);
+OP(d, a, b, c,  4, 11, 0x4bdecfa9);
+OP(c, d, a, b,  7, 16, 0xf6bb4b60);
+OP(b, c, d, a, 10, 23, 0xbebfbc70);
+OP(a, b, c, d, 13,  4, 0x289b7ec6);
+OP(d, a, b, c,  0, 11, 0xeaa127fa);
+OP(c, d, a, b,  3, 16, 0xd4ef3085);
+OP(b, c, d, a,  6, 23, 0x04881d05);
+OP(a, b, c, d,  9,  4, 0xd9d4d039);
+OP(d, a, b, c, 12, 11, 0xe6db99e5);
+OP(c, d, a, b, 15, 16, 0x1fa27cf8);
+OP(b, c, d, a,  2, 23, 0xc4ac5665);
+
+#undef OP
+
+/***********************************************
+*                    Round 4                   *
+*          F(X,Y,Z) = Y xor (X v not(Z))       *
+* a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s) *
+***********************************************/
+
+#define OP(a, b, c, d, k, s, ti) \
+     a += (c ^ (b | ~d)) + X[k] + (unsigned int)ti; \
+     a = b + ((a << s) | (a >> (32 - s)))
+
+OP(a, b, c, d,  0,  6, 0xf4292244);
+OP(d, a, b, c,  7, 10, 0x432aff97);
+OP(c, d, a, b, 14, 15, 0xab9423a7);
+OP(b, c, d, a,  5, 21, 0xfc93a039);
+OP(a, b, c, d, 12,  6, 0x655b59c3);
+OP(d, a, b, c,  3, 10, 0x8f0ccc92);
+OP(c, d, a, b, 10, 15, 0xffeff47d);
+OP(b, c, d, a,  1, 21, 0x85845dd1);
+OP(a, b, c, d,  8,  6, 0x6fa87e4f);
+OP(d, a, b, c, 15, 10, 0xfe2ce6e0);
+OP(c, d, a, b,  6, 15, 0xa3014314);
+OP(b, c, d, a, 13, 21, 0x4e0811a1);
+OP(a, b, c, d,  4,  6, 0xf7537e82);
+OP(d, a, b, c, 11, 10, 0xbd3af235);
+OP(c, d, a, b,  2, 15, 0x2ad7d2bb);
+OP(b, c, d, a,  9, 21, 0xeb86d391);
+
+#undef OP
+
+/* Add the new values back into the accumulators. */
+
+base->abcd[0] += a;
+base->abcd[1] += b;
+base->abcd[2] += c;
+base->abcd[3] += d;
+}
+
+
+
+
+/*************************************************
+*     Process the final text string              *
+*************************************************/
+
+/* The string may be of any length. It is padded out according to the rules
+for computing MD5 digests. The final result is then converted to text form
+and returned.
+
+Arguments:
+  base      pointer to the md5 storage structure
+  text      pointer to the final text vector
+  length    length of the final text vector
+  digest    points to 16 bytes in which to place the result
+
+Returns:    nothing
+*/
+
+void
+md5_end(md5 *base, const uschar *text, int length, uschar *digest)
+{
+uschar work[64];
+
+/* Process in chunks of 64 until we have less than 64 bytes left. */
+
+while (length >= 64)
+  {
+  md5_mid(base, text);
+  text += 64;
+  length -= 64;
+  }
+
+/* If the remaining string contains more than 55 bytes, we must pad it
+out to 64, process it, and then set up the final chunk as 56 bytes of
+padding. If it has less than 56 bytes, we pad it out to 56 bytes as the
+final chunk. */
+
+memcpy(work, text, length);
+work[length] = 0x80;
+
+if (length > 55)
+  {
+  memset(work+length+1, 0, 63-length);
+  md5_mid(base, work);
+  base->length -= 64;
+  memset(work, 0, 56);
+  }
+else
+  {
+  memset(work+length+1, 0, 55-length);
+  }
+
+/* The final 8 bytes of the final chunk are a 64-bit representation of the
+length of the input string *bits*, before padding, low order word first, and
+low order bytes first in each word. This implementation is designed for short
+strings, and so operates with a single int counter only. */
+
+length += base->length;   /* Total length in bytes */
+length <<= 3;             /* Total length in bits */
+
+work[56] = length         & 0xff;
+work[57] = (length >>  8) & 0xff;
+work[58] = (length >> 16) & 0xff;
+work[59] = (length >> 24) & 0xff;
+
+memset(work+60, 0, 4);
+
+/* Process the final 64-byte chunk */
+
+md5_mid(base, work);
+
+/* Pass back the result, low-order byte first in each word. */
+
+for (int i = 0; i < 4; i++)
+  {
+  register int x = base->abcd[i];
+  *digest++ =  x        & 0xff;
+  *digest++ = (x >>  8) & 0xff;
+  *digest++ = (x >> 16) & 0xff;
+  *digest++ = (x >> 24) & 0xff;
+  }
+}
+
+
+
+/*************************************************
+**************************************************
+*             Stand-alone test program           *
+**************************************************
+*************************************************/
+
+#if defined STAND_ALONE & !defined CRAM_STAND_ALONE
+
+/* Test values */
+
+static uschar *tests[] = {
+  "", "d41d8cd98f00b204e9800998ecf8427e",
+
+  "a", "0cc175b9c0f1b6a831c399e269772661",
+
+  "abc", "900150983cd24fb0d6963f7d28e17f72",
+
+  "message digest", "f96b697d7cb7938d525a2f31aaf161d0",
+
+  "abcdefghijklmnopqrstuvwxyz", "c3fcd3d76192e4007dfb496cca67e13b",
+
+  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+     "d174ab98d277d9f5a5611c2c9f419d9f",
+
+  "1234567890123456789012345678901234567890123456789012345678901234567890"
+  "1234567890",
+    "57edf4a22be3c955ac49da2e2107b67a",
+
+  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+    "a0842fcc02167127b0bb9a7c38e71ba8"
+};
+
+int main(void)
+{
+md5 base;
+int i = 0x01020304;
+uschar *ctest = US (&i);
+uschar buffer[256];
+uschar digest[16];
+printf("Checking md5: %s-endian\n", (ctest[0] == 0x04)? "little" : "big");
+
+for (i = 0; i < sizeof(tests)/sizeof(uschar *); i += 2)
+  {
+  uschar s[33];
+  printf("%s\nShould be: %s\n", tests[i], tests[i+1]);
+  md5_start(&base);
+  md5_end(&base, tests[i], strlen(tests[i]), digest);
+  for (int j = 0; j < 16; j++) sprintf(s+2*j, "%02x", digest[j]);
+  printf("Computed:  %s\n", s);
+  if (strcmp(s, tests[i+1]) != 0) printf("*** No match ***\n");
+  printf("\n");
+  }
+}
+#endif
+
+/* End of md5.c */
diff --git a/src/memcheck.h b/src/memcheck.h
new file mode 100644
index 0000000..6f97b09
--- /dev/null
+++ b/src/memcheck.h
@@ -0,0 +1,277 @@
+
+/*
+   ----------------------------------------------------------------
+
+   Notice that the following BSD-style license applies to this one
+   file (memcheck.h) only.  The rest of Valgrind is licensed under the
+   terms of the GNU General Public License, version 2, unless
+   otherwise indicated.  See the COPYING file in the source
+   distribution for details.
+
+   ----------------------------------------------------------------
+
+   This file is part of MemCheck, a heavyweight Valgrind tool for
+   detecting memory errors.
+
+   Copyright (C) 2000-2010 Julian Seward.  All rights reserved.
+
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+
+   2. The origin of this software must not be misrepresented; you must
+      not claim that you wrote the original software.  If you use this
+      software in a product, an acknowledgment in the product
+      documentation would be appreciated but is not required.
+
+   3. Altered source versions must be plainly marked as such, and must
+      not be misrepresented as being the original software.
+
+   4. The name of the author may not be used to endorse or promote
+      products derived from this software without specific prior written
+      permission.
+
+   THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
+   OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+   ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+   DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+   DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+   GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+   INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+   WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+   NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+   SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+   ----------------------------------------------------------------
+
+   Notice that the above BSD-style license applies to this one file
+   (memcheck.h) only.  The entire rest of Valgrind is licensed under
+   the terms of the GNU General Public License, version 2.  See the
+   COPYING file in the source distribution for details.
+
+   ----------------------------------------------------------------
+*/
+
+
+#ifndef __MEMCHECK_H
+#define __MEMCHECK_H
+
+
+/* This file is for inclusion into client (your!) code.
+
+   You can use these macros to manipulate and query memory permissions
+   inside your own programs.
+
+   See comment near the top of valgrind.h on how to use them.
+*/
+
+#include "valgrind.h"
+
+/* !! ABIWARNING !! ABIWARNING !! ABIWARNING !! ABIWARNING !!
+   This enum comprises an ABI exported by Valgrind to programs
+   which use client requests.  DO NOT CHANGE THE ORDER OF THESE
+   ENTRIES, NOR DELETE ANY -- add new ones at the end. */
+typedef
+   enum {
+      VG_USERREQ__MAKE_MEM_NOACCESS = VG_USERREQ_TOOL_BASE('M','C'),
+      VG_USERREQ__MAKE_MEM_UNDEFINED,
+      VG_USERREQ__MAKE_MEM_DEFINED,
+      VG_USERREQ__DISCARD,
+      VG_USERREQ__CHECK_MEM_IS_ADDRESSABLE,
+      VG_USERREQ__CHECK_MEM_IS_DEFINED,
+      VG_USERREQ__DO_LEAK_CHECK,
+      VG_USERREQ__COUNT_LEAKS,
+
+      VG_USERREQ__GET_VBITS,
+      VG_USERREQ__SET_VBITS,
+
+      VG_USERREQ__CREATE_BLOCK,
+
+      VG_USERREQ__MAKE_MEM_DEFINED_IF_ADDRESSABLE,
+
+      /* Not next to VG_USERREQ__COUNT_LEAKS because it was added later. */
+      VG_USERREQ__COUNT_LEAK_BLOCKS,
+
+      /* This is just for memcheck's internal use - don't use it */
+      _VG_USERREQ__MEMCHECK_RECORD_OVERLAP_ERROR
+         = VG_USERREQ_TOOL_BASE('M','C') + 256
+   } Vg_MemCheckClientRequest;
+
+
+
+/* Client-code macros to manipulate the state of memory. */
+
+/* Mark memory at _qzz_addr as unaddressable for _qzz_len bytes. */
+#define VALGRIND_MAKE_MEM_NOACCESS(_qzz_addr,_qzz_len)           \
+    VALGRIND_DO_CLIENT_REQUEST_EXPR(0 /* default return */,      \
+                            VG_USERREQ__MAKE_MEM_NOACCESS,       \
+                            (_qzz_addr), (_qzz_len), 0, 0, 0)
+
+/* Similarly, mark memory at _qzz_addr as addressable but undefined
+   for _qzz_len bytes. */
+#define VALGRIND_MAKE_MEM_UNDEFINED(_qzz_addr,_qzz_len)          \
+    VALGRIND_DO_CLIENT_REQUEST_EXPR(0 /* default return */,      \
+                            VG_USERREQ__MAKE_MEM_UNDEFINED,      \
+                            (_qzz_addr), (_qzz_len), 0, 0, 0)
+
+/* Similarly, mark memory at _qzz_addr as addressable and defined
+   for _qzz_len bytes. */
+#define VALGRIND_MAKE_MEM_DEFINED(_qzz_addr,_qzz_len)            \
+    VALGRIND_DO_CLIENT_REQUEST_EXPR(0 /* default return */,      \
+                            VG_USERREQ__MAKE_MEM_DEFINED,        \
+                            (_qzz_addr), (_qzz_len), 0, 0, 0)
+
+/* Similar to VALGRIND_MAKE_MEM_DEFINED except that addressability is
+   not altered: bytes which are addressable are marked as defined,
+   but those which are not addressable are left unchanged. */
+#define VALGRIND_MAKE_MEM_DEFINED_IF_ADDRESSABLE(_qzz_addr,_qzz_len)     \
+    VALGRIND_DO_CLIENT_REQUEST_EXPR(0 /* default return */,              \
+                            VG_USERREQ__MAKE_MEM_DEFINED_IF_ADDRESSABLE, \
+                            (_qzz_addr), (_qzz_len), 0, 0, 0)
+
+/* Create a block-description handle.  The description is an ascii
+   string which is included in any messages pertaining to addresses
+   within the specified memory range.  Has no other effect on the
+   properties of the memory range. */
+#define VALGRIND_CREATE_BLOCK(_qzz_addr,_qzz_len, _qzz_desc)	   \
+    VALGRIND_DO_CLIENT_REQUEST_EXPR(0 /* default return */,        \
+                            VG_USERREQ__CREATE_BLOCK,              \
+                            (_qzz_addr), (_qzz_len), (_qzz_desc),  \
+                            0, 0)
+
+/* Discard a block-description-handle. Returns 1 for an
+   invalid handle, 0 for a valid handle. */
+#define VALGRIND_DISCARD(_qzz_blkindex)                          \
+    VALGRIND_DO_CLIENT_REQUEST_EXPR(0 /* default return */,      \
+                            VG_USERREQ__DISCARD,                 \
+                            0, (_qzz_blkindex), 0, 0, 0)
+
+
+/* Client-code macros to check the state of memory. */
+
+/* Check that memory at _qzz_addr is addressable for _qzz_len bytes.
+   If suitable addressibility is not established, Valgrind prints an
+   error message and returns the address of the first offending byte.
+   Otherwise it returns zero. */
+#define VALGRIND_CHECK_MEM_IS_ADDRESSABLE(_qzz_addr,_qzz_len)      \
+    VALGRIND_DO_CLIENT_REQUEST_EXPR(0,                             \
+                            VG_USERREQ__CHECK_MEM_IS_ADDRESSABLE,  \
+                            (_qzz_addr), (_qzz_len), 0, 0, 0)
+
+/* Check that memory at _qzz_addr is addressable and defined for
+   _qzz_len bytes.  If suitable addressibility and definedness are not
+   established, Valgrind prints an error message and returns the
+   address of the first offending byte.  Otherwise it returns zero. */
+#define VALGRIND_CHECK_MEM_IS_DEFINED(_qzz_addr,_qzz_len)        \
+    VALGRIND_DO_CLIENT_REQUEST_EXPR(0,                           \
+                            VG_USERREQ__CHECK_MEM_IS_DEFINED,    \
+                            (_qzz_addr), (_qzz_len), 0, 0, 0);
+
+/* Use this macro to force the definedness and addressibility of an
+   lvalue to be checked.  If suitable addressibility and definedness
+   are not established, Valgrind prints an error message and returns
+   the address of the first offending byte.  Otherwise it returns
+   zero. */
+#define VALGRIND_CHECK_VALUE_IS_DEFINED(__lvalue)                \
+   VALGRIND_CHECK_MEM_IS_DEFINED(                                \
+      (volatile unsigned char *)&(__lvalue),                     \
+                      (unsigned long)(sizeof (__lvalue)))
+
+
+/* Do a full memory leak check (like --leak-check=full) mid-execution. */
+#define VALGRIND_DO_LEAK_CHECK                                   \
+   {unsigned long _qzz_res;                                      \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                      \
+                            VG_USERREQ__DO_LEAK_CHECK,           \
+                            0, 0, 0, 0, 0);                      \
+   }
+
+/* Do a summary memory leak check (like --leak-check=summary) mid-execution. */
+#define VALGRIND_DO_QUICK_LEAK_CHECK				 \
+   {unsigned long _qzz_res;                                      \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                      \
+                            VG_USERREQ__DO_LEAK_CHECK,           \
+                            1, 0, 0, 0, 0);                      \
+   }
+
+/* Return number of leaked, dubious, reachable and suppressed bytes found by
+   all previous leak checks.  They must be lvalues.  */
+#define VALGRIND_COUNT_LEAKS(leaked, dubious, reachable, suppressed)     \
+   /* For safety on 64-bit platforms we assign the results to private
+      unsigned long variables, then assign these to the lvalues the user
+      specified, which works no matter what type 'leaked', 'dubious', etc
+      are.  We also initialise '_qzz_leaked', etc because
+      VG_USERREQ__COUNT_LEAKS doesn't mark the values returned as
+      defined. */                                                        \
+   {unsigned long _qzz_res;                                              \
+    unsigned long _qzz_leaked    = 0, _qzz_dubious    = 0;               \
+    unsigned long _qzz_reachable = 0, _qzz_suppressed = 0;               \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                              \
+                               VG_USERREQ__COUNT_LEAKS,                  \
+                               &_qzz_leaked, &_qzz_dubious,              \
+                               &_qzz_reachable, &_qzz_suppressed, 0);    \
+    leaked     = _qzz_leaked;                                            \
+    dubious    = _qzz_dubious;                                           \
+    reachable  = _qzz_reachable;                                         \
+    suppressed = _qzz_suppressed;                                        \
+   }
+
+/* Return number of leaked, dubious, reachable and suppressed bytes found by
+   all previous leak checks.  They must be lvalues.  */
+#define VALGRIND_COUNT_LEAK_BLOCKS(leaked, dubious, reachable, suppressed) \
+   /* For safety on 64-bit platforms we assign the results to private
+      unsigned long variables, then assign these to the lvalues the user
+      specified, which works no matter what type 'leaked', 'dubious', etc
+      are.  We also initialise '_qzz_leaked', etc because
+      VG_USERREQ__COUNT_LEAKS doesn't mark the values returned as
+      defined. */                                                        \
+   {unsigned long _qzz_res;                                              \
+    unsigned long _qzz_leaked    = 0, _qzz_dubious    = 0;               \
+    unsigned long _qzz_reachable = 0, _qzz_suppressed = 0;               \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                              \
+                               VG_USERREQ__COUNT_LEAK_BLOCKS,            \
+                               &_qzz_leaked, &_qzz_dubious,              \
+                               &_qzz_reachable, &_qzz_suppressed, 0);    \
+    leaked     = _qzz_leaked;                                            \
+    dubious    = _qzz_dubious;                                           \
+    reachable  = _qzz_reachable;                                         \
+    suppressed = _qzz_suppressed;                                        \
+   }
+
+
+/* Get the validity data for addresses [zza..zza+zznbytes-1] and copy it
+   into the provided zzvbits array.  Return values:
+      0   if not running on valgrind
+      1   success
+      2   [previously indicated unaligned arrays;  these are now allowed]
+      3   if any parts of zzsrc/zzvbits are not addressable.
+   The metadata is not copied in cases 0, 2 or 3 so it should be
+   impossible to segfault your system by using this call.
+*/
+#define VALGRIND_GET_VBITS(zza,zzvbits,zznbytes)                     \
+    VALGRIND_DO_CLIENT_REQUEST_EXPR(0,                               \
+                                    VG_USERREQ__GET_VBITS,           \
+                                    (char*)(zza), (char*)(zzvbits),  \
+                                    (zznbytes), 0, 0)
+
+/* Set the validity data for addresses [zza..zza+zznbytes-1], copying it
+   from the provided zzvbits array.  Return values:
+      0   if not running on valgrind
+      1   success
+      2   [previously indicated unaligned arrays;  these are now allowed]
+      3   if any parts of zza/zzvbits are not addressable.
+   The metadata is not copied in cases 0, 2 or 3 so it should be
+   impossible to segfault your system by using this call.
+*/
+#define VALGRIND_SET_VBITS(zza,zzvbits,zznbytes)                     \
+    VALGRIND_DO_CLIENT_REQUEST_EXPR(0,                               \
+                                    VG_USERREQ__SET_VBITS,           \
+                                    (char*)(zza), (char*)(zzvbits),  \
+                                    (zznbytes), 0, 0 )
+
+#endif
+
diff --git a/src/mime.c b/src/mime.c
new file mode 100644
index 0000000..c192199
--- /dev/null
+++ b/src/mime.c
@@ -0,0 +1,803 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/*
+ * Copyright (c) The Exim Maintainers 2015 - 2022
+ * Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2015
+ * License: GPL
+ */
+
+#include "exim.h"
+#ifdef WITH_CONTENT_SCAN	/* entire file */
+#include "mime.h"
+#include <sys/stat.h>
+
+FILE *mime_stream = NULL;
+uschar *mime_current_boundary = NULL;
+
+static mime_header mime_header_list[] = {
+  /*	name			namelen		value */
+  { US"content-type:",              13, &mime_content_type },
+  { US"content-disposition:",       20, &mime_content_disposition },
+  { US"content-transfer-encoding:", 26, &mime_content_transfer_encoding },
+  { US"content-id:",                11, &mime_content_id },
+  { US"content-description:",       20, &mime_content_description }
+};
+
+static int mime_header_list_size = nelem(mime_header_list);
+
+static mime_parameter mime_parameter_list[] = {
+  /*	name	namelen	 value */
+  { US"name=",     5, &mime_filename },
+  { US"filename=", 9, &mime_filename },
+  { US"charset=",  8, &mime_charset  },
+  { US"boundary=", 9, &mime_boundary }
+};
+
+
+/*************************************************
+* set MIME anomaly level + text                  *
+*************************************************/
+
+/* Small wrapper to set the two expandables which
+   give info on detected "problems" in MIME
+   encodings. Indexes are defined in mime.h. */
+
+void
+mime_set_anomaly(int idx)
+{
+struct anom {
+  int level;
+  const uschar * text;
+} anom[] = { {1, CUS"Broken Quoted-Printable encoding detected"},
+	     {2, CUS"Broken BASE64 encoding detected"} };
+
+mime_anomaly_level = anom[idx].level;
+mime_anomaly_text =  anom[idx].text;
+}
+
+
+/*************************************************
+* decode quoted-printable chars                  *
+*************************************************/
+
+/* gets called when we hit a =
+   returns: new pointer position
+   result code in c:
+          -2 - decode error
+          -1 - soft line break, no char
+           0-255 - char to write
+*/
+
+static uschar *
+mime_decode_qp_char(uschar *qp_p, int *c)
+{
+uschar *initial_pos = qp_p;
+
+/* advance one char */
+qp_p++;
+
+/* Check for two hex digits and decode them */
+if (isxdigit(*qp_p) && isxdigit(qp_p[1]))
+  {
+  /* Do hex conversion */
+  *c = (isdigit(*qp_p) ? *qp_p - '0' : toupper(*qp_p) - 'A' + 10) <<4;
+  qp_p++;
+  *c |= isdigit(*qp_p) ? *qp_p - '0' : toupper(*qp_p) - 'A' + 10;
+  return qp_p + 1;
+  }
+
+/* tab or whitespace may follow just ignore it if it precedes \n */
+while (*qp_p == '\t' || *qp_p == ' ' || *qp_p == '\r')
+  qp_p++;
+
+if (*qp_p == '\n')	/* hit soft line break */
+  {
+  *c = -1;
+  return qp_p;
+  }
+
+/* illegal char here */
+*c = -2;
+return initial_pos;
+}
+
+
+/* just dump MIME part without any decoding */
+static ssize_t
+mime_decode_asis(FILE* in, FILE* out, uschar* boundary)
+{
+ssize_t len, size = 0;
+uschar buffer[MIME_MAX_LINE_LENGTH];
+
+while(fgets(CS buffer, MIME_MAX_LINE_LENGTH, mime_stream) != NULL)
+  {
+  if (boundary != NULL
+     && Ustrncmp(buffer, "--", 2) == 0
+     && Ustrncmp((buffer+2), boundary, Ustrlen(boundary)) == 0
+     )
+    break;
+
+  len = Ustrlen(buffer);
+  if (fwrite(buffer, 1, (size_t)len, out) < len)
+    return -1;
+  size += len;
+  } /* while */
+return size;
+}
+
+
+
+/* decode quoted-printable MIME part */
+static ssize_t
+mime_decode_qp(FILE* in, FILE* out, uschar* boundary)
+{
+uschar ibuf[MIME_MAX_LINE_LENGTH], obuf[MIME_MAX_LINE_LENGTH];
+uschar *ipos, *opos;
+ssize_t len, size = 0;
+
+while (fgets(CS ibuf, MIME_MAX_LINE_LENGTH, in) != NULL)
+  {
+  if (boundary != NULL
+     && Ustrncmp(ibuf, "--", 2) == 0
+     && Ustrncmp((ibuf+2), boundary, Ustrlen(boundary)) == 0
+     )
+    break; /* todo: check for missing boundary */
+
+  ipos = ibuf;
+  opos = obuf;
+
+  while (*ipos != 0)
+    {
+    if (*ipos == '=')
+      {
+      int decode_qp_result;
+
+      ipos = mime_decode_qp_char(ipos, &decode_qp_result);
+
+      if (decode_qp_result == -2)
+	{
+	/* Error from decoder. ipos is unchanged. */
+	mime_set_anomaly(MIME_ANOMALY_BROKEN_QP);
+	*opos++ = '=';
+	++ipos;
+	}
+      else if (decode_qp_result == -1)
+	break;
+      else if (decode_qp_result >= 0)
+	*opos++ = decode_qp_result;
+      }
+    else
+      *opos++ = *ipos++;
+    }
+  /* something to write? */
+  len = opos - obuf;
+  if (len > 0)
+    {
+    if (fwrite(obuf, 1, len, out) != len) return -1; /* error */
+    size += len;
+    }
+  }
+return size;
+}
+
+
+/*
+ * Return open filehandle for combo of path and file.
+ * Side-effect: set mime_decoded_filename, to copy in allocated mem
+ */
+static FILE *
+mime_get_decode_file(uschar *pname, uschar *fname)
+{
+if (pname && fname)
+  mime_decoded_filename = string_sprintf("%s/%s", pname, fname);
+else if (!pname)
+  mime_decoded_filename = string_copy(fname);
+else if (!fname)
+  {
+  int file_nr = 0;
+  int result = 0;
+
+  /* must find first free sequential filename */
+  do
+    {
+    struct stat mystat;
+    mime_decoded_filename = string_sprintf("%s/%s-%05u", pname, message_id, file_nr++);
+    /* security break */
+    if (file_nr >= 1024)
+      break;
+    result = stat(CS mime_decoded_filename, &mystat);
+    } while(result != -1);
+  }
+
+return modefopen(mime_decoded_filename, "wb+", SPOOL_MODE);
+}
+
+
+int
+mime_decode(const uschar **listptr)
+{
+int sep = 0;
+const uschar *list = *listptr;
+uschar * option;
+uschar * decode_path;
+FILE *decode_file = NULL;
+long f_pos = 0;
+ssize_t size_counter = 0;
+ssize_t (*decode_function)(FILE*, FILE*, uschar*);
+
+if (!mime_stream || (f_pos = ftell(mime_stream)) < 0)
+  return FAIL;
+
+/* build default decode path (will exist since MBOX must be spooled up) */
+decode_path = string_sprintf("%s/scan/%s", spool_directory, message_id);
+
+/* try to find 1st option */
+if ((option = string_nextinlist(&list, &sep, NULL, 0)))
+  {
+  /* parse 1st option */
+  if ((Ustrcmp(option,"false") == 0) || (Ustrcmp(option,"0") == 0))
+    /* explicitly no decoding */
+    return FAIL;
+
+  if (Ustrcmp(option,"default") == 0)
+    /* explicit default path + file names */
+    goto DEFAULT_PATH;
+
+  if (option[0] == '/')
+    {
+    struct stat statbuf;
+
+    memset(&statbuf,0,sizeof(statbuf));
+
+    /* assume either path or path+file name */
+    if ( (stat(CS option, &statbuf) == 0) && S_ISDIR(statbuf.st_mode) )
+      /* is directory, use it as decode_path */
+      decode_file = mime_get_decode_file(option, NULL);
+    else
+      /* does not exist or is a file, use as full file name */
+      decode_file = mime_get_decode_file(NULL, option);
+    }
+  else
+    /* assume file name only, use default path */
+    decode_file = mime_get_decode_file(decode_path, option);
+  }
+else
+  {
+  /* no option? patch default path */
+DEFAULT_PATH:
+  decode_file = mime_get_decode_file(decode_path, NULL);
+  }
+
+if (!decode_file)
+  return DEFER;
+
+/* decode according to mime type */
+decode_function =
+  !mime_content_transfer_encoding
+  ? mime_decode_asis	/* no encoding, dump as-is */
+  : Ustrcmp(mime_content_transfer_encoding, "base64") == 0
+  ? mime_decode_base64
+  : Ustrcmp(mime_content_transfer_encoding, "quoted-printable") == 0
+  ? mime_decode_qp
+  : mime_decode_asis;	/* unknown encoding type, just dump as-is */
+
+size_counter = decode_function(mime_stream, decode_file, mime_current_boundary);
+
+clearerr(mime_stream);
+if (fseek(mime_stream, f_pos, SEEK_SET))
+  return DEFER;
+
+if (fclose(decode_file) != 0 || size_counter < 0)
+  return DEFER;
+
+/* round up to the next KiB */
+mime_content_size = (size_counter + 1023) / 1024;
+
+return OK;
+}
+
+
+static int
+mime_get_header(FILE *f, uschar *header)
+{
+int c = EOF;
+int done = 0;
+int header_value_mode = 0;
+int header_open_brackets = 0;
+int num_copied = 0;
+
+while(!done)
+  {
+  if ((c = fgetc(f)) == EOF) break;
+
+  /* always skip CRs */
+  if (c == '\r') continue;
+
+  if (c == '\n')
+    {
+    if (num_copied > 0)
+      {
+      /* look if next char is '\t' or ' ' */
+      if ((c = fgetc(f)) == EOF) break;
+      if ( (c == '\t') || (c == ' ') ) continue;
+      (void)ungetc(c,f);
+      }
+    /* end of the header, terminate with ';' */
+    c = ';';
+    done = 1;
+    }
+
+  /* skip control characters */
+  if (c < 32) continue;
+
+  if (header_value_mode)
+    {
+    /* --------- value mode ----------- */
+    /* skip leading whitespace */
+    if ( ((c == '\t') || (c == ' ')) && (header_value_mode == 1) )
+      continue;
+
+    /* we have hit a non-whitespace char, start copying value data */
+    header_value_mode = 2;
+
+    if (c == '"')       /* flip "quoted" mode */
+      header_value_mode = header_value_mode==2 ? 3 : 2;
+
+    /* leave value mode on unquoted ';' */
+    if (header_value_mode == 2 && c == ';')
+      header_value_mode = 0;
+    /* -------------------------------- */
+    }
+  else
+    {
+    /* -------- non-value mode -------- */
+    /* skip whitespace + tabs */
+    if ( (c == ' ') || (c == '\t') )
+      continue;
+    if (c == '\\')
+      {
+      /* quote next char. can be used
+      to escape brackets. */
+      if ((c = fgetc(f)) == EOF) break;
+      }
+    else if (c == '(')
+      {
+      header_open_brackets++;
+      continue;
+      }
+    else if ((c == ')') && header_open_brackets)
+      {
+      header_open_brackets--;
+      continue;
+      }
+    else if ( (c == '=') && !header_open_brackets ) /* enter value mode */
+      header_value_mode = 1;
+
+    /* skip chars while we are in a comment */
+    if (header_open_brackets > 0)
+      continue;
+    /* -------------------------------- */
+    }
+
+  /* copy the char to the buffer */
+  header[num_copied++] = (uschar)c;
+
+  /* break if header buffer is full */
+  if (num_copied > MIME_MAX_HEADER_SIZE-1)
+    done = 1;
+  }
+
+if ((num_copied > 0) && (header[num_copied-1] != ';'))
+  header[num_copied-1] = ';';
+
+/* 0-terminate */
+header[num_copied] = '\0';
+
+/* return 0 for EOF or empty line */
+return c == EOF || num_copied == 1 ? 0 : 1;
+}
+
+
+/* reset all per-part mime variables */
+static void
+mime_vars_reset(void)
+{
+mime_anomaly_level     = 0;
+mime_anomaly_text      = NULL;
+mime_boundary          = NULL;
+mime_charset           = NULL;
+mime_decoded_filename  = NULL;
+mime_filename          = NULL;
+mime_content_description = NULL;
+mime_content_disposition = NULL;
+mime_content_id        = NULL;
+mime_content_transfer_encoding = NULL;
+mime_content_type      = NULL;
+mime_is_multipart      = 0;
+mime_content_size      = 0;
+}
+
+
+/* Grab a parameter value, dealing with quoting.
+
+Arguments:
+ str	Input string.  Updated on return to point to terminating ; or NUL
+
+Return:
+ Allocated string with parameter value
+*/
+static uschar *
+mime_param_val(uschar ** sp)
+{
+uschar * s = *sp;
+gstring * val = NULL;
+
+/* debug_printf_indent("   considering paramval '%s'\n", s); */
+
+while (*s && *s != ';')		/* ; terminates */
+  if (*s == '"')
+    {
+    s++;			/* skip opening " */
+    while (*s && *s != '"')	/* " protects ; */
+      val = string_catn(val, s++, 1);
+    if (*s) s++;		/* skip closing " */
+    }
+  else
+    val = string_catn(val, s++, 1);
+*sp = s;
+return string_from_gstring(val);
+}
+
+static uschar *
+mime_next_semicolon(uschar * s)
+{
+while (*s && *s != ';')		/* ; terminates */
+  if (*s == '"')
+    {
+    s++;			/* skip opening " */
+    while (*s && *s != '"')	/* " protects ; */
+      s++;
+    if (*s) s++;		/* skip closing " */
+    }
+  else
+    s++;
+return s;
+}
+
+
+static uschar *
+rfc2231_to_2047(const uschar * fname, const uschar * charset, int * len)
+{
+gstring * val = string_catn(NULL, US"=?", 2);
+uschar c;
+
+if (charset)
+  val = string_cat(val, charset);
+val = string_catn(val, US"?Q?", 3);
+
+while ((c = *fname))
+  if (c == '%' && isxdigit(fname[1]) && isxdigit(fname[2]))
+    {
+    val = string_catn(val, US"=", 1);
+    val = string_catn(val, ++fname, 2);
+    fname += 2;
+    }
+  else
+    val = string_catn(val, fname++, 1);
+
+val = string_catn(val, US"?=", 2);
+*len = val->ptr;
+return string_from_gstring(val);
+}
+
+
+int
+mime_acl_check(uschar *acl, FILE *f, struct mime_boundary_context *context,
+    uschar **user_msgptr, uschar **log_msgptr)
+{
+int rc = OK;
+uschar * header = NULL;
+struct mime_boundary_context nested_context;
+
+/* reserve a line buffer to work in.  Assume tainted data. */
+header = store_get(MIME_MAX_HEADER_SIZE+1, GET_TAINTED);
+
+/* Not actually used at the moment, but will be vital to fixing
+ * some RFC 2046 nonconformance later... */
+nested_context.parent = context;
+
+/* loop through parts */
+while(1)
+  {
+  /* reset all per-part mime variables */
+  mime_vars_reset();
+
+  /* If boundary is null, we assume that *f is positioned on the start of
+  headers (for example, at the very beginning of a message.  If a boundary is
+  given, we must first advance to it to reach the start of the next header
+  block.  */
+
+  /* NOTE -- there's an error here -- RFC2046 specifically says to
+   * check for outer boundaries.  This code doesn't do that, and
+   * I haven't fixed this.
+   *
+   * (I have moved partway towards adding support, however, by adding
+   * a "parent" field to my new boundary-context structure.)
+   */
+  if (context) for (;;)
+    {
+    if (!fgets(CS header, MIME_MAX_HEADER_SIZE, f))
+      {
+      /* Hit EOF or read error. Ugh. */
+      DEBUG(D_acl) debug_printf_indent("MIME: Hit EOF ...\n");
+      return rc;
+      }
+
+    /* boundary line must start with 2 dashes */
+    if (  Ustrncmp(header, "--", 2) == 0
+       && Ustrncmp(header+2, context->boundary, Ustrlen(context->boundary)) == 0
+       )
+      {			/* found boundary */
+      if (Ustrncmp((header+2+Ustrlen(context->boundary)), "--", 2) == 0)
+	{
+	/* END boundary found */
+	DEBUG(D_acl) debug_printf_indent("MIME: End boundary found %s\n",
+	  context->boundary);
+	return rc;
+	}
+
+      DEBUG(D_acl) debug_printf_indent("MIME: Next part with boundary %s\n",
+	context->boundary);
+      break;
+      }
+    }
+
+  /* parse headers, set up expansion variables */
+  while (mime_get_header(f, header))
+
+    /* look for interesting headers */
+    for (struct mime_header * mh = mime_header_list;
+	 mh < mime_header_list + mime_header_list_size;
+	 mh++) if (strncmpic(mh->name, header, mh->namelen) == 0)
+      {
+      uschar * p = header + mh->namelen;
+      uschar * q;
+
+      /* grab the value (normalize to lower case)
+      and copy to its corresponding expansion variable */
+
+      for (q = p; *q != ';' && *q; q++) ;
+      *mh->value = string_copynlc(p, q-p);
+      DEBUG(D_acl) debug_printf_indent("MIME: found %s header, value is '%s'\n",
+	mh->name, *mh->value);
+
+      if (*(p = q)) p++;			/* jump past the ; */
+
+	{
+	uschar * mime_fname = NULL;
+	uschar * mime_fname_rfc2231 = NULL;
+	uschar * mime_filename_charset = NULL;
+	BOOL decoding_failed = FALSE;
+
+	/* grab all param=value tags on the remaining line,
+	check if they are interesting */
+
+	while (*p)
+	  {
+	  DEBUG(D_acl) debug_printf_indent("MIME:   considering paramlist '%s'\n", p);
+
+	  if (  !mime_filename
+	     && strncmpic(CUS"content-disposition:", header, 20) == 0
+	     && strncmpic(CUS"filename*", p, 9) == 0
+	     )
+	    {					/* RFC 2231 filename */
+	    uschar * q;
+
+	    /* find value of the filename */
+	    p += 9;
+	    while(*p != '=' && *p) p++;
+	    if (*p) p++;			/* p is filename or NUL */
+	    q = mime_param_val(&p);		/* p now trailing ; or NUL */
+
+	    if (q && *q)
+	      {
+	      uschar * temp_string, * err_msg;
+	      int slen;
+
+	      /* build up an un-decoded filename over successive
+	      filename*= parameters (for use when 2047 decode fails) */
+
+	      mime_fname_rfc2231 = string_sprintf("%#s%s",
+		mime_fname_rfc2231, q);
+
+	      if (!decoding_failed)
+		{
+		int size;
+		if (!mime_filename_charset)
+		  {
+		  uschar * s = q;
+
+		  /* look for a ' in the "filename" */
+		  while(*s != '\'' && *s) s++;	/* s is 1st ' or NUL */
+
+		  if ((size = s-q) > 0)
+		    mime_filename_charset = string_copyn(q, size);
+
+		  if (*(p = s)) p++;
+		  while(*p == '\'') p++;	/* p is after 2nd ' */
+		  }
+		else
+		  p = q;
+
+		DEBUG(D_acl) debug_printf_indent("MIME:    charset %s fname '%s'\n",
+		  mime_filename_charset ? mime_filename_charset : US"<NULL>", p);
+
+		temp_string = rfc2231_to_2047(p, mime_filename_charset, &slen);
+		DEBUG(D_acl) debug_printf_indent("MIME:    2047-name %s\n", temp_string);
+
+		temp_string = rfc2047_decode(temp_string, FALSE, NULL, ' ',
+		  NULL, &err_msg);
+		DEBUG(D_acl) debug_printf_indent("MIME:    plain-name %s\n", temp_string);
+
+		if (!temp_string || (size = Ustrlen(temp_string))  == slen)
+		  decoding_failed = TRUE;
+		else
+		  /* build up a decoded filename over successive
+		  filename*= parameters */
+
+		  mime_filename = mime_fname = mime_fname
+		    ? string_sprintf("%s%s", mime_fname, temp_string)
+		    : temp_string;
+		}
+	      }
+	    }
+
+	  else
+	    /* look for interesting parameters */
+	    for (mime_parameter * mp = mime_parameter_list;
+		 mp < mime_parameter_list + nelem(mime_parameter_list);
+		 mp++
+		) if (strncmpic(mp->name, p, mp->namelen) == 0)
+	      {
+	      uschar * q;
+	      uschar * dummy_errstr;
+
+	      /* grab the value and copy to its expansion variable */
+	      p += mp->namelen;
+	      q = mime_param_val(&p);		/* p now trailing ; or NUL */
+
+	      *mp->value = q && *q
+		? rfc2047_decode(q, check_rfc2047_length, NULL, 32, NULL,
+		    &dummy_errstr)
+		: NULL;
+	      DEBUG(D_acl) debug_printf_indent(
+		"MIME:  found %s parameter in %s header, value '%s'\n",
+		mp->name, mh->name, *mp->value);
+
+	      break;			/* done matching param names */
+	      }
+
+
+	  /* There is something, but not one of our interesting parameters.
+	     Advance past the next semicolon */
+	  p = mime_next_semicolon(p);
+	  if (*p) p++;
+	  }				/* param scan on line */
+
+	if (strncmpic(CUS"content-disposition:", header, 20) == 0)
+	  {
+	  if (decoding_failed) mime_filename = mime_fname_rfc2231;
+
+	  DEBUG(D_acl) debug_printf_indent(
+	    "MIME:  found %s parameter in %s header, value is '%s'\n",
+	    "filename", mh->name, mime_filename);
+	  }
+	}
+      }
+
+  /* set additional flag variables (easier access) */
+  if (  mime_content_type
+     && Ustrncmp(mime_content_type,"multipart",9) == 0
+     )
+    mime_is_multipart = 1;
+
+  /* Make a copy of the boundary pointer.
+     Required since mime_boundary is global
+     and can be overwritten further down in recursion */
+  nested_context.boundary = mime_boundary;
+
+  /* raise global counter */
+  mime_part_count++;
+
+  /* copy current file handle to global variable */
+  mime_stream = f;
+  mime_current_boundary = context ? context->boundary : 0;
+
+  /* Note the context */
+  mime_is_coverletter = !(context && context->context == MBC_ATTACHMENT);
+
+  /* call ACL handling function */
+  rc = acl_check(ACL_WHERE_MIME, NULL, acl, user_msgptr, log_msgptr);
+
+  mime_stream = NULL;
+  mime_current_boundary = NULL;
+
+  if (rc != OK) break;
+
+  /* If we have a multipart entity and a boundary, go recursive */
+  if (  mime_content_type && nested_context.boundary 
+     && Ustrncmp(mime_content_type,"multipart",9) == 0)
+    {
+    DEBUG(D_acl)
+      debug_printf_indent("MIME: Entering multipart recursion, boundary '%s'\n",
+	nested_context.boundary);
+
+    nested_context.context =
+      context && context->context == MBC_ATTACHMENT
+      ? MBC_ATTACHMENT
+      :    Ustrcmp(mime_content_type,"multipart/alternative") == 0
+	|| Ustrcmp(mime_content_type,"multipart/related") == 0
+      ? MBC_COVERLETTER_ALL
+      : MBC_COVERLETTER_ONESHOT;
+
+    rc = mime_acl_check(acl, f, &nested_context, user_msgptr, log_msgptr);
+    if (rc != OK) break;
+    }
+  else if (  mime_content_type
+	  && Ustrncmp(mime_content_type,"message/rfc822",14) == 0)
+    {
+    const uschar * rfc822name = NULL;
+    uschar * filename;
+    int file_nr = 0;
+    int result = 0;
+
+    /* must find first free sequential filename */
+    for (gstring * g = string_get(64); result != -1; g->ptr = 0)
+      {
+      struct stat mystat;
+      g = string_fmt_append(g,
+	"%s/scan/%s/__rfc822_%05u", spool_directory, message_id, file_nr++);
+      /* security break */
+      if (file_nr >= 128)
+	goto NO_RFC822;
+      result = stat(CS (filename = string_from_gstring(g)), &mystat);
+      }
+
+    rfc822name = filename;
+
+    /* decode RFC822 attachment */
+    mime_decoded_filename = NULL;
+    mime_stream = f;
+    mime_current_boundary = context ? context->boundary : NULL;
+    mime_decode(&rfc822name);
+    mime_stream = NULL;
+    mime_current_boundary = NULL;
+    if (!mime_decoded_filename)		/* decoding failed */
+      {
+      log_write(0, LOG_MAIN,
+	   "MIME acl condition warning - could not decode RFC822 MIME part to file.");
+      rc = DEFER;
+      goto out;
+      }
+    mime_decoded_filename = NULL;
+    }
+
+NO_RFC822:
+  /* If the boundary of this instance is NULL, we are finished here */
+  if (!context) break;
+
+  if (context->context == MBC_COVERLETTER_ONESHOT)
+    context->context = MBC_ATTACHMENT;
+  }
+
+out:
+mime_vars_reset();
+return rc;
+}
+
+#endif	/*WITH_CONTENT_SCAN*/
+
+/* vi: sw ai sw=2
+*/
diff --git a/src/mime.h b/src/mime.h
new file mode 100644
index 0000000..5fd4392
--- /dev/null
+++ b/src/mime.h
@@ -0,0 +1,44 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004, 2015
+ * License: GPL
+ * Copyright (c) The Exim Maintainers 2016
+ */
+
+#ifdef WITH_CONTENT_SCAN
+
+#define MIME_MAX_HEADER_SIZE 8192
+#define MIME_MAX_LINE_LENGTH 32768
+
+#define MBC_ATTACHMENT            0
+#define MBC_COVERLETTER_ONESHOT   1
+#define MBC_COVERLETTER_ALL       2
+
+struct mime_boundary_context
+{
+  struct mime_boundary_context *parent;
+  unsigned char *boundary;
+  int context;
+};
+
+typedef struct mime_header {
+  uschar *  name;
+  int       namelen;
+  uschar ** value;
+} mime_header;
+
+
+typedef struct mime_parameter {
+  uschar *  name;
+  int       namelen;
+  uschar ** value;
+} mime_parameter;
+
+/* MIME Anomaly list */
+#define MIME_ANOMALY_BROKEN_BASE64    1
+#define MIME_ANOMALY_BROKEN_QP        0
+
+
+#endif
diff --git a/src/moan.c b/src/moan.c
new file mode 100644
index 0000000..4f2550d
--- /dev/null
+++ b/src/moan.c
@@ -0,0 +1,874 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions for sending messages to sender or to mailmaster. */
+
+
+#include "exim.h"
+
+
+
+/*************************************************
+*            Write From: line for DSN            *
+*************************************************/
+
+/* This function is called to write the From: line in automatically generated
+messages - bounces, warnings, etc. It expands a configuration item in order to
+get the text. If the expansion fails, a panic is logged and the default value
+for the option is used.
+
+Argument:   the FILE to write to
+Returns:    nothing
+*/
+
+void
+moan_write_from(FILE *f)
+{
+uschar * s = expand_string(dsn_from);
+if (!s)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "Failed to expand dsn_from (using default): %s", expand_string_message);
+  s = expand_string(US DEFAULT_DSN_FROM);
+  }
+fprintf(f, "From: %s\n", s);
+}
+
+
+
+/*************************************************
+*            Write References: line for DSN      *
+*************************************************/
+
+/* Generate a References: header if there is in the header_list
+at least one of Message-ID:, References:, or In-Reply-To: (see RFC 2822).
+
+Arguments:  f		the FILE to write to
+	    message_id	optional already-found message-id, or NULL
+
+Returns:    nothing
+*/
+
+void
+moan_write_references(FILE * fp, uschar * message_id)
+{
+header_line * h;
+
+if (!message_id)
+  for (h = header_list; h; h = h->next)
+    if (h->type == htype_id)
+      {
+      message_id = Ustrchr(h->text, ':') + 1;
+      Uskip_whitespace(&message_id);
+      }
+
+for (h = header_list; h; h = h->next)
+  if (h->type != htype_old && strncmpic(US"References:", h->text, 11) == 0)
+    break;
+
+if (!h)
+  for (h = header_list; h; h = h->next)
+    if (h->type != htype_old && strncmpic(US"In-Reply-To:", h->text, 12) == 0)
+      break;
+
+/* We limit the total length of references.  Although there is no fixed
+limit, some systems do not like headers growing beyond recognition.
+Keep the first message ID for the thread root and the last few for
+the position inside the thread, up to a maximum of 12 altogether. */
+
+if (h || message_id)
+  {
+  fprintf(fp, "References:");
+  if (h)
+    {
+    const uschar * s;
+    uschar * id, * error;
+    uschar * referenced_ids[12];
+    int reference_count = 0;
+
+    s = Ustrchr(h->text, ':') + 1;
+    f.parse_allow_group = FALSE;
+    while (*s && (s = parse_message_id(s, &id, &error)))
+      if (reference_count == nelem(referenced_ids))
+        {
+        memmove(referenced_ids + 1, referenced_ids + 2,
+           sizeof(referenced_ids) - 2*sizeof(uschar *));
+        referenced_ids[reference_count - 1] = id;
+        }
+      else
+	referenced_ids[reference_count++] = id;
+
+    for (int i = 0; i < reference_count; ++i)
+      fprintf(fp, " %s", referenced_ids[i]);
+    }
+
+  /* The message id will have a newline on the end of it. */
+
+  if (message_id) fprintf(fp, " %s", message_id);
+  else fprintf(fp, "\n");
+  }
+}
+
+
+
+/*************************************************
+*              Send error message                *
+*************************************************/
+
+/* This function sends an error message by opening a pipe to a new process
+running Exim, and writing a message to it using the "-t" option. This is not
+used for delivery failures, which have their own code for handing failed
+addresses.
+
+Arguments:
+  recipient      addressee for the message
+  ident          identifies the type of error
+  eblock         chain of error_blocks containing data about the error
+  headers        the message's headers
+  message_file   FILE containing the body of the message
+  firstline      contains first line of file, if it was read to check for
+                   "From ", but it turned out not to be
+
+Returns:         TRUE if message successfully sent
+*/
+
+BOOL
+moan_send_message(uschar *recipient, int ident, error_block *eblock,
+  header_line *headers, FILE *message_file, uschar *firstline)
+{
+int written = 0;
+int fd;
+int status;
+int count = 0;
+int size_limit = bounce_return_size_limit;
+FILE * fp;
+int pid;
+
+#ifdef SUPPORT_DMARC
+uschar * s, * s2;
+
+/* For DMARC if there is a specific sender set, expand the variable for the
+header From: and grab the address from that for the envelope FROM. */
+
+if (  ident == ERRMESS_DMARC_FORENSIC
+   && dmarc_forensic_sender
+   && (s = expand_string(dmarc_forensic_sender))
+   && *s
+   && (s2 = expand_string(string_sprintf("${address:%s}", s)))
+   && *s2
+   )
+  pid = child_open_exim2(&fd, s2, bounce_sender_authentication,
+		US"moan_send_message");
+else
+  {
+  s = NULL;
+  pid = child_open_exim(&fd, US"moan_send_message");
+  }
+
+#else
+pid = child_open_exim(&fd, US"moan_send_message");
+#endif
+
+if (pid < 0)
+  {
+  DEBUG(D_any) debug_printf("Failed to create child to send message: %s\n",
+    strerror(errno));
+  return FALSE;
+  }
+else DEBUG(D_any) debug_printf("Child process %d for sending message\n", pid);
+
+/* Creation of child succeeded */
+
+fp = fdopen(fd, "wb");
+if (errors_reply_to) fprintf(fp, "Reply-To: %s\n", errors_reply_to);
+fprintf(fp, "Auto-Submitted: auto-replied\n");
+
+#ifdef SUPPORT_DMARC
+if (s)
+  fprintf(fp, "From: %s\n", s);
+else
+#endif
+  moan_write_from(fp);
+
+fprintf(fp, "To: %s\n", recipient);
+moan_write_references(fp, NULL);
+
+switch(ident)
+  {
+  case ERRMESS_BADARGADDRESS:
+    fprintf(fp,
+      "Subject: Mail failure - malformed recipient address\n\n");
+    fprintf(fp,
+      "A message that you sent contained a recipient address that was incorrectly\n"
+      "constructed:\n\n");
+    fprintf(fp, "  %s  %s\n", eblock->text1, eblock->text2);
+    count = Ustrlen(eblock->text1);
+    if (count > 0 && eblock->text1[count-1] == '.')
+      fprintf(fp,
+	"\nRecipient addresses must not end with a '.' character.\n");
+    fprintf(fp,
+      "\nThe message has not been delivered to any recipients.\n");
+    break;
+
+  case ERRMESS_BADNOADDRESS:
+  case ERRMESS_BADADDRESS:
+    fprintf(fp,
+      "Subject: Mail failure - malformed recipient address\n\n");
+    fprintf(fp,
+      "A message that you sent contained one or more recipient addresses that were\n"
+      "incorrectly constructed:\n\n");
+
+    while (eblock)
+      {
+      fprintf(fp, "  %s: %s\n", eblock->text1, eblock->text2);
+      count++;
+      eblock = eblock->next;
+      }
+
+    fprintf(fp, (count == 1)? "\nThis address has been ignored. " :
+      "\nThese addresses have been ignored. ");
+
+    fprintf(fp, (ident == ERRMESS_BADADDRESS)?
+      "The other addresses in the message were\n"
+      "syntactically valid and have been passed on for an attempt at delivery.\n" :
+
+      "There were no other addresses in your\n"
+      "message, and so no attempt at delivery was possible.\n");
+    break;
+
+  case ERRMESS_IGADDRESS:
+    fprintf(fp, "Subject: Mail failure - no recipient addresses\n\n");
+    fprintf(fp,
+      "A message that you sent using the -t command line option contained no\n"
+      "addresses that were not also on the command line, and were therefore\n"
+      "suppressed. This left no recipient addresses, and so no delivery could\n"
+      "be attempted.\n");
+    break;
+
+  case ERRMESS_NOADDRESS:
+    fprintf(fp, "Subject: Mail failure - no recipient addresses\n\n");
+    fprintf(fp,
+      "A message that you sent contained no recipient addresses, and therefore no\n"
+      "delivery could be attempted.\n");
+    break;
+
+  case ERRMESS_IOERR:
+    fprintf(fp, "Subject: Mail failure - system failure\n\n");
+    fprintf(fp,
+      "A system failure was encountered while processing a message that you sent,\n"
+      "so it has not been possible to deliver it. The error was:\n\n%s\n",
+      eblock->text1);
+    break;
+
+  case ERRMESS_VLONGHEADER:
+    fprintf(fp, "Subject: Mail failure - overlong header section\n\n");
+    fprintf(fp,
+      "A message that you sent contained a header section that was excessively\n"
+      "long and could not be handled by the mail transmission software. The\n"
+      "message has not been delivered to any recipients.\n");
+    break;
+
+  case ERRMESS_VLONGHDRLINE:
+    fprintf(fp, "Subject: Mail failure - overlong header line\n\n");
+    fprintf(fp,
+      "A message that you sent contained a header line that was excessively\n"
+      "long and could not be handled by the mail transmission software. The\n"
+      "message has not been delivered to any recipients.\n");
+    break;
+
+  case ERRMESS_TOOBIG:
+    fprintf(fp, "Subject: Mail failure - message too big\n\n");
+    fprintf(fp,
+      "A message that you sent was longer than the maximum size allowed on this\n"
+      "system. It was not delivered to any recipients.\n");
+    break;
+
+  case ERRMESS_TOOMANYRECIP:
+    fprintf(fp, "Subject: Mail failure - too many recipients\n\n");
+    fprintf(fp,
+      "A message that you sent contained more recipients than allowed on this\n"
+      "system. It was not delivered to any recipients.\n");
+    break;
+
+  case ERRMESS_LOCAL_SCAN:
+  case ERRMESS_LOCAL_ACL:
+    fprintf(fp, "Subject: Mail failure - rejected by local scanning code\n\n");
+    fprintf(fp,
+      "A message that you sent was rejected by the local scanning code that\n"
+      "checks incoming messages on this system.");
+      if (eblock->text1)
+	fprintf(fp, " The following error was given:\n\n  %s", eblock->text1);
+  fprintf(fp, "\n");
+  break;
+
+#ifdef SUPPORT_DMARC
+  case ERRMESS_DMARC_FORENSIC:
+    bounce_return_message = TRUE;
+    bounce_return_body    = FALSE;
+    fprintf(fp, "Subject: DMARC Forensic Report for %s from IP %s\n\n",
+	  eblock ? eblock->text2 : US"Unknown",
+          sender_host_address);
+    fprintf(fp,
+      "A message claiming to be from you has failed the published DMARC\n"
+      "policy for your domain.\n\n");
+    while (eblock)
+      {
+      fprintf(fp, "  %s: %s\n", eblock->text1, eblock->text2);
+      count++;
+      eblock = eblock->next;
+      }
+  break;
+#endif
+
+  default:
+    fprintf(fp, "Subject: Mail failure\n\n");
+    fprintf(fp,
+      "A message that you sent has caused the error routine to be entered with\n"
+      "an unknown error number (%d).\n", ident);
+    break;
+  }
+
+/* Now, if configured, copy the message; first the headers and then the rest of
+the input if available, up to the configured limit, if the option for including
+message bodies in bounces is set. */
+
+if (bounce_return_message)
+  {
+  if (bounce_return_body)
+    {
+    fprintf(fp, "\n"
+      "------ This is a copy of your message, including all the headers.");
+    if (size_limit == 0 || size_limit > thismessage_size_limit)
+      size_limit = thismessage_size_limit;
+    if (size_limit > 0 && size_limit < message_size)
+      {
+      int x = size_limit;
+      uschar *k = US"";
+      if ((x & 1023) == 0)
+        {
+        k = US"K";
+        x >>= 10;
+        }
+      fprintf(fp, "\n"
+        "------ No more than %d%s characters of the body are included.\n\n",
+          x, k);
+      }
+    else fprintf(fp, " ------\n\n");
+    }
+  else
+    {
+    fprintf(fp, "\n"
+      "------ This is a copy of the headers that were received before the "
+      "error\n       was detected.\n\n");
+    }
+
+  /* If the error occurred before the Received: header was created, its text
+  field will still be NULL; just omit such a header line. */
+
+  while (headers)
+    {
+    if (headers->text != NULL) fprintf(fp, "%s", CS headers->text);
+    headers = headers->next;
+    }
+
+  if (ident != ERRMESS_VLONGHEADER && ident != ERRMESS_VLONGHDRLINE)
+    fputc('\n', fp);
+
+  /* After early detection of an error, the message file may be STDIN,
+  in which case we might have to terminate on a line containing just "."
+  as well as on EOF. We may already have the first line in memory. */
+
+  if (bounce_return_body && message_file)
+    {
+    BOOL enddot = f.dot_ends && message_file == stdin;
+    uschar * buf = store_get(bounce_return_linesize_limit+2, GET_TAINTED);
+
+    if (firstline) fprintf(fp, "%s", CS firstline);
+
+    while (fgets(CS buf, bounce_return_linesize_limit+2, message_file))
+      {
+      int len;
+
+      if (enddot && *buf == '.' && buf[1] == '\n')
+	{
+	fputc('.', fp);
+	break;
+	}
+
+      len = Ustrlen(buf);
+      if (buf[len-1] != '\n')
+	{	/* eat rest of partial line */
+	int ch;
+	while ((ch = fgetc(message_file)) != EOF && ch != '\n') ;
+	}
+
+      if (size_limit > 0 && len > size_limit - written)
+	{
+	buf[size_limit - written] = '\0';
+	fputs(CS buf, fp);
+	break;
+	}
+
+      fputs(CS buf, fp);
+      }
+    }
+#ifdef SUPPORT_DMARC
+  /* Overkill, but use exact test in case future code gets inserted */
+  else if (bounce_return_body && message_file == NULL)
+    {
+    /*XXX limit line length here? */
+    /* This doesn't print newlines, disable until can parse and fix
+     * output to be legible.  */
+    fprintf(fp, "%s", expand_string(US"$message_body"));
+    }
+#endif
+  }
+/* Close the file, which should send an EOF to the child process
+that is receiving the message. Wait for it to finish, without a timeout. */
+
+(void)fclose(fp);
+status = child_close(pid, 0);  /* Waits for child to close */
+if (status != 0)
+  {
+  uschar *msg = US"Child mail process returned status";
+  if (status == -257)
+    log_write(0, LOG_MAIN, "%s %d: errno=%d: %s", msg, status, errno,
+      strerror(errno));
+  else
+    log_write(0, LOG_MAIN, "%s %d", msg, status);
+  return FALSE;
+  }
+
+return TRUE;
+}
+
+
+
+/*************************************************
+*          Send message to sender                *
+*************************************************/
+
+/* This function is called when errors are detected during the receipt of a
+message. Delivery failures are handled separately in deliver.c.
+
+If there is a valid sender_address, and the failing message is not a local
+error message, then this function calls moan_send_message to send a message to
+that person. If the sender's address is null, then an error has occurred with a
+message that was generated by a mailer daemon. All we can do is to write
+information to log files. The same action is taken if local_error_message is
+set - this can happen for non null-senders in certain configurations where exim
+doesn't run setuid root.
+
+Arguments:
+  ident         identifies the particular error
+  eblock        chain of error_blocks containing data about the error
+  headers       message's headers (chain)
+  message_file  a FILE where the body of the message can be read
+  check_sender  if TRUE, read the first line of the file for a possible
+                  "From " sender (if a trusted caller)
+
+Returns:        FALSE if there is no sender_address to send to;
+                else the return from moan_send_message()
+*/
+
+BOOL
+moan_to_sender(int ident, error_block *eblock, header_line *headers,
+  FILE *message_file, BOOL check_sender)
+{
+uschar *firstline = NULL;
+uschar *msg = US"Error while reading message with no usable sender address";
+
+if (message_reference)
+  msg = string_sprintf("%s (R=%s)", msg, message_reference);
+
+/* Find the sender from a From line if permitted and possible */
+
+if (check_sender && message_file && f.trusted_caller &&
+    Ufgets(big_buffer, BIG_BUFFER_SIZE, message_file) != NULL)
+  {
+  uschar *new_sender = NULL;
+  if (regex_match_and_setup(regex_From, big_buffer, 0, -1))
+    new_sender = expand_string(uucp_from_sender);
+  if (new_sender) sender_address = new_sender;
+    else firstline = big_buffer;
+  }
+
+/* If viable sender address, send a message */
+
+if (sender_address && sender_address[0] && !f.local_error_message)
+  return moan_send_message(sender_address, ident, eblock, headers,
+    message_file, firstline);
+
+/* Otherwise, we can only log */
+
+switch(ident)
+  {
+  case ERRMESS_BADARGADDRESS:
+  case ERRMESS_BADNOADDRESS:
+  case ERRMESS_BADADDRESS:
+  log_write(0, LOG_MAIN, "%s: at least one malformed recipient address: "
+    "%s - %s", msg, eblock->text1, eblock->text2);
+  break;
+
+  case ERRMESS_IGADDRESS:
+  case ERRMESS_NOADDRESS:
+  log_write(0, LOG_MAIN, "%s: no recipient addresses", msg);
+  break;
+
+  /* This error has already been logged. */
+  case ERRMESS_IOERR:
+  break;
+
+  case ERRMESS_VLONGHEADER:
+  log_write(0, LOG_MAIN, "%s: excessively long message header section read "
+    "(more than %d characters)", msg, header_maxsize);
+  break;
+
+  case ERRMESS_VLONGHDRLINE:
+  log_write(0, LOG_MAIN, "%s: excessively long message header line read "
+    "(more than %d characters)", msg, header_line_maxsize);
+  break;
+
+  case ERRMESS_TOOBIG:
+  log_write(0, LOG_MAIN, "%s: message too big (limit set to %d)", msg,
+    thismessage_size_limit);
+  break;
+
+  case ERRMESS_TOOMANYRECIP:
+  log_write(0, LOG_MAIN, "%s: too many recipients (max set to %d)", msg,
+    recipients_max);
+  break;
+
+  case ERRMESS_LOCAL_SCAN:
+  log_write(0, LOG_MAIN, "%s: rejected by local_scan: %s", msg, eblock->text1);
+  break;
+
+  case ERRMESS_LOCAL_ACL:
+  log_write(0, LOG_MAIN, "%s: rejected by non-SMTP ACL: %s", msg, eblock->text1);
+  break;
+
+  default:
+  log_write(0, LOG_MAIN|LOG_PANIC, "%s: unknown error number %d", msg,
+    ident);
+  break;
+  }
+
+return FALSE;
+}
+
+
+
+/*************************************************
+*            Send message to someone             *
+*************************************************/
+
+/* This is called when exim is configured to tell someone (often the
+mailmaster) about some incident.
+
+Arguments:
+  who           address to send mail to
+  addr          chain of deferred addresses whose details are to be included
+  subject       subject text for the message
+  format        a printf() format for the body of the message
+  ...           arguments for the format
+
+Returns:        nothing
+*/
+
+void
+moan_tell_someone(uschar *who, address_item *addr,
+  const uschar *subject, const char *format, ...)
+{
+FILE *f;
+va_list ap;
+int fd;
+int pid = child_open_exim(&fd, US"moan_tell_someone");
+
+if (pid < 0)
+  {
+  DEBUG(D_any) debug_printf("Failed to create child to send message: %s\n",
+    strerror(errno));
+  return;
+  }
+
+f = fdopen(fd, "wb");
+fprintf(f, "Auto-Submitted: auto-replied\n");
+moan_write_from(f);
+fprintf(f, "To: %s\n", who);
+moan_write_references(f, NULL);
+fprintf(f, "Subject: %s\n\n", subject);
+va_start(ap, format);
+vfprintf(f, format, ap);
+va_end(ap);
+
+if (addr)
+  {
+  fprintf(f, "\nThe following address(es) have yet to be delivered:\n");
+  for (; addr; addr = addr->next)
+    {
+    uschar * parent = addr->parent ? addr->parent->address : NULL;
+    fprintf(f, "  %s", addr->address);
+    if (parent) fprintf(f, " <%s>", parent);
+    if (addr->basic_errno > 0) fprintf(f, ": %s", strerror(addr->basic_errno));
+    if (addr->message) fprintf(f, ": %s", addr->message);
+    fprintf(f, "\n");
+    }
+  }
+
+(void)fclose(f);
+child_close(pid, 0);  /* Waits for child to close; no timeout */
+}
+
+
+
+/*************************************************
+*            Handle SMTP batch error             *
+*************************************************/
+
+/* This is called when something goes wrong in batched (-bS) SMTP input.
+Information is written to stdout and/or stderr, and Exim exits with a non-zero
+completion code. BSMTP is almost always called by some other program, so it is
+up to that program to interpret the return code and do something with the error
+information, and also to preserve the batch input file for human analysis.
+
+Formerly, Exim used to attempt to continue after some errors, but this strategy
+has been abandoned as it can lead to loss of messages.
+
+Arguments:
+  cmd_buffer   the command causing the error, or NULL
+  format       a printf() format
+  ...          arguments for the format
+
+Returns:       does not return; exits from the program
+               exit code = 1 if some messages were accepted
+               exit code = 2 if no messages were accepted
+*/
+
+void
+moan_smtp_batch(uschar *cmd_buffer, const char *format, ...)
+{
+va_list ap;
+int yield = (receive_messagecount > 0)? 1 : 2;
+
+DEBUG(D_any) debug_printf("Handling error in batched SMTP input\n");
+
+/* On stdout, write stuff that a program could parse fairly easily. */
+
+va_start(ap, format);
+vfprintf(stdout, format, ap);
+va_end(ap);
+
+fprintf(stdout, "\nTransaction started in line %d\n",
+  bsmtp_transaction_linecount);
+fprintf(stdout,   "Error detected in line %d\n", receive_linecount);
+if (cmd_buffer != NULL) fprintf(stdout, "%s\n", cmd_buffer);
+
+/* On stderr, write stuff for human consumption */
+
+fprintf(stderr,
+  "An error was detected while processing a file of BSMTP input.\n"
+  "The error message was:\n\n  ");
+
+va_start(ap, format);
+vfprintf(stderr, format, ap);
+va_end(ap);
+
+fprintf(stderr,
+  "\n\nThe SMTP transaction started in line %d.\n"
+      "The error was detected in line %d.\n",
+  bsmtp_transaction_linecount, receive_linecount);
+
+if (cmd_buffer != NULL)
+  {
+  fprintf(stderr, "The SMTP command at fault was:\n\n   %s\n\n",
+    cmd_buffer);
+  }
+
+fprintf(stderr, "%d previous message%s successfully processed.\n",
+  receive_messagecount, (receive_messagecount == 1)? " was" : "s were");
+
+fprintf(stderr, "The rest of the batch was abandoned.\n");
+
+exim_exit(yield);
+}
+
+
+
+
+/*************************************************
+*         Check for error copies                 *
+*************************************************/
+
+/* This function is passed the recipient of an error message, and must check
+the error_copies string to see whether there is an additional recipient list to
+which errors for this recipient must be bcc'd. The incoming recipient is always
+fully qualified.
+
+Argument:   recipient address
+Returns:    additional recipient list or NULL
+*/
+
+uschar *
+moan_check_errorcopy(uschar *recipient)
+{
+uschar *item, *localpart, *domain;
+const uschar *listptr = errors_copy;
+uschar *yield = NULL;
+int sep = 0;
+int llen;
+
+if (errors_copy == NULL) return NULL;
+
+/* Set up pointer to the local part and domain, and compute the
+length of the local part. */
+
+localpart = recipient;
+domain = Ustrrchr(recipient, '@');
+if (domain == NULL) return NULL;  /* should not occur, but avoid crash */
+llen = domain++ - recipient;
+
+/* Scan through the configured items */
+
+while ((item = string_nextinlist(&listptr, &sep, NULL, 0)))
+  {
+  const uschar *newaddress = item;
+  const uschar *pattern = string_dequote(&newaddress);
+
+  /* If no new address found, just skip this item. */
+
+  while (isspace(*newaddress)) newaddress++;
+  if (*newaddress == 0) continue;
+
+  /* We now have an item to match as an address in item, and the additional
+  address in newaddress. If the pattern matches, expand the new address string
+  and return it. During expansion, make local part and domain available for
+  insertion. This requires a copy to be made; we can't just temporarily
+  terminate it, as the whole address is required for $0. */
+
+  if (match_address_list(recipient, TRUE, TRUE, &pattern, NULL, 0, UCHAR_MAX+1,
+        NULL) == OK)
+    {
+    deliver_localpart = string_copyn(localpart, llen);
+    deliver_domain = domain;
+    yield = expand_string_copy(newaddress);
+    deliver_domain = deliver_localpart = NULL;
+    if (yield == NULL)
+      log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand %s when processing "
+        "errors_copy: %s", newaddress, expand_string_message);
+    break;
+    }
+  }
+
+DEBUG(D_any) debug_printf("errors_copy check returned %s\n",
+  (yield == NULL)? US"NULL" : yield);
+
+expand_nmax = -1;
+return yield;
+}
+
+
+
+/************************************************
+*        Handle skipped syntax errors           *
+************************************************/
+
+/* This function is called by the redirect router when it has skipped over one
+or more syntax errors in the list of addresses. If there is an address to mail
+to, send a message, and always write the information to the log. In the case of
+a filter file, a "syntax error" might actually be something else, such as the
+inability to open a log file. Thus, the wording of the error message is
+general.
+
+Arguments:
+  rname             the router name
+  eblock            chain of error blocks
+  syntax_errors_to  address to send mail to, or NULL
+  some              TRUE if some addresses were generated; FALSE if none were
+  custom            custom message text
+
+Returns:            FALSE if string expansion failed; TRUE otherwise
+*/
+
+BOOL
+moan_skipped_syntax_errors(uschar *rname, error_block *eblock,
+  uschar *syntax_errors_to, BOOL some, uschar *custom)
+{
+int pid, fd;
+uschar *s, *t;
+FILE *f;
+
+for (error_block * e = eblock; e; e = e->next)
+  if (e->text2 != NULL)
+    log_write(0, LOG_MAIN, "%s router: skipped error: %s in \"%s\"",
+      rname, e->text1, e->text2);
+  else
+    log_write(0, LOG_MAIN, "%s router: skipped error: %s", rname,
+      e->text1);
+
+if (!syntax_errors_to) return TRUE;
+
+if (!(s = expand_string(syntax_errors_to)))
+  {
+  log_write(0, LOG_MAIN, "%s router failed to expand %s: %s", rname,
+    syntax_errors_to, expand_string_message);
+  return FALSE;
+  }
+
+/* If we can't create a process to send the message, just forget about
+it. */
+
+pid = child_open_exim(&fd, US"moan_skipped_syntax_errors");
+
+if (pid < 0)
+  {
+  DEBUG(D_any) debug_printf("Failed to create child to send message: %s\n",
+    strerror(errno));
+  return TRUE;
+  }
+
+f = fdopen(fd, "wb");
+fprintf(f, "Auto-Submitted: auto-replied\n");
+moan_write_from(f);
+fprintf(f, "To: %s\n", s);
+fprintf(f, "Subject: error(s) in forwarding or filtering\n\n");
+moan_write_references(f, NULL);
+
+if (custom)
+  {
+  if (!(t = expand_string(custom)))
+    {
+    log_write(0, LOG_MAIN, "%s router failed to expand %s: %s", rname,
+      custom, expand_string_message);
+    return FALSE;
+    }
+  fprintf(f, "%s\n\n", t);
+  }
+
+fprintf(f, "The %s router encountered the following error(s):\n\n",
+  rname);
+
+for (error_block * e = eblock; e; e = e->next)
+  {
+  fprintf(f, "  %s", e->text1);
+  if (e->text2 != NULL)
+    fprintf(f, " in the address\n  \"%s\"", e->text2);
+  fprintf(f, "\n\n");
+  }
+
+if (some)
+  fprintf(f, "Other addresses were processed normally.\n");
+else
+  fprintf(f, "No valid addresses were generated.\n");
+
+(void)fclose(f);
+child_close(pid, 0);  /* Waits for child to close; no timeout */
+
+return TRUE;
+}
+
+/* End of moan.c */
diff --git a/src/mytypes.h b/src/mytypes.h
new file mode 100644
index 0000000..49fed0a
--- /dev/null
+++ b/src/mytypes.h
@@ -0,0 +1,150 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* This header file contains type definitions and macros that I use as
+"standard" in the code of Exim and its utilities. Make it idempotent because
+local_scan.h includes it and exim.h includes them both (to get this earlier). */
+
+#ifndef MYTYPES_H
+#define MYTYPES_H
+
+# include <string.h>
+
+#ifndef FALSE
+# define FALSE         0
+#endif
+
+#ifndef TRUE
+# define TRUE          1
+#endif
+
+#ifndef TRUE_UNSET
+# define TRUE_UNSET    2
+#endif
+
+
+/* If gcc is being used to compile Exim, we can use its facility for checking
+the arguments of printf-like functions. This is done by a macro.
+OpenBSD has unfortunately taken to objecting to use of %n in printf
+so we have to give up on all of the available parameter checking. */
+
+#if defined(__GNUC__) || defined(__clang__)
+# ifndef __OpenBSD__
+#  define PRINTF_FUNCTION(A,B)	__attribute__((format(printf,A,B)))
+# endif
+# define ARG_UNUSED		__attribute__((__unused__))
+# define FUNC_MAYBE_UNUSED	__attribute__((__unused__))
+# define WARN_UNUSED_RESULT	__attribute__((__warn_unused_result__))
+# define ALLOC			__attribute__((malloc))
+# define ALLOC_SIZE(A)		__attribute__((alloc_size(A)))
+# define NORETURN		__attribute__((noreturn))
+#else
+# define ARG_UNUSED		/**/
+# define FUNC_MAYBE_UNUSED	/**/
+# define WARN_UNUSED_RESULT	/**/
+# define ALLOC			/**/
+# define ALLOC_SIZE(A)		/**/
+# define NORETURN		/**/
+#endif
+
+#ifndef PRINTF_FUNCTION
+# define PRINTF_FUNCTION(A,B)	/**/
+#endif
+
+#ifdef WANT_DEEPER_PRINTF_CHECKS
+# define ALMOST_PRINTF(A, B) PRINTF_FUNCTION(A, B)
+#else
+# define ALMOST_PRINTF(A, B)	/**/
+#endif
+
+
+/* Some operating systems (naughtily, imo) include a definition for "uchar" in
+the standard header files, so we use "uschar". Solaris has u_char in
+sys/types.h. This is just a typing convenience, of course. */
+
+typedef unsigned char uschar;
+typedef unsigned BOOL;
+/* We also have SIGNAL_BOOL, which requires signal.h be included, so is defined
+elsewhere */
+
+
+/* These macros save typing for the casting that is needed to cope with the
+mess that is "char" in ISO/ANSI C. Having now been bitten enough times by
+systems where "char" is actually signed, I've converted Exim to use entirely
+unsigned chars, except in a few special places such as arguments that are
+almost always literal strings. */
+
+#define CS   (char *)
+#define CCS  (const char *)
+#define CSS  (char **)
+#define US   (unsigned char *)
+#define CUS  (const unsigned char *)
+#define USS  (unsigned char **)
+#define CUSS (const unsigned char **)
+#define CCSS (const char **)
+
+/* The C library string functions expect "char *" arguments. Use macros to
+avoid having to write a cast each time. We do this for string and file
+functions that are called quite often; for other calls to external libraries
+(which are on the whole special-purpose) we just use individual casts. */
+
+#define Uatoi(s)           atoi(CCS(s))
+#define Uatol(s)           atol(CCS(s))
+#define Uchdir(s)          chdir(CCS(s))
+#define Uchmod(s,n)        chmod(CCS(s),n)
+#define Ufgets(b,n,f)      fgets(CS(b),n,f)
+#define Ufopen(s,t)        exim_fopen(CCS(s),CCS(t))
+#define Ulink(s,t)         link(CCS(s),CCS(t))
+#define Ulstat(s,t)        lstat(CCS(s),t)
+
+#ifdef O_BINARY							/* This is for Cygwin,  */
+# define Uopen(s,n,m)       exim_open(CCS(s),(n)|O_BINARY,m)	/* where all files must */
+# define Uopen2(s,n)        exim_open2(CCS(s),(n)|O_BINARY)
+#else								/* be opened as binary  */
+# define Uopen(s,n,m)       exim_open(CCS(s),n,m)		/* to avoid problems    */
+# define Uopen2(s,n)        exim_open2(CCS(s),n)	
+#endif								/* with CRLF endings.   */
+#define Uread(f,b,l)       read(f,CS(b),l)
+#define Urename(s,t)       rename(CCS(s),CCS(t))
+#define Ustat(s,t)         stat(CCS(s),t)
+#define Ustrchr(s,n)       US strchr(CCS(s),n)
+#define CUstrchr(s,n)      CUS strchr(CCS(s),n)
+#define CUstrerror(n)      CUS strerror(n)
+#define Ustrcmp(s,t)       strcmp(CCS(s),CCS(t))
+#define Ustrcpy_nt(s,t)    strcpy(CS s, CCS t)		/* no taint check */
+#define Ustrcspn(s,t)      strcspn(CCS(s),CCS(t))
+#define Ustrftime(s,m,f,t) strftime(CS(s),m,f,t)
+#define Ustrlen(s)         (int)strlen(CCS(s))
+#define Ustrncmp(s,t,n)    strncmp(CCS(s),CCS(t),n)
+#define Ustrncpy_nt(s,t,n) strncpy(CS s, CCS t, n)	/* no taint check */
+#define Ustrpbrk(s,t)      strpbrk(CCS(s),CCS(t))
+#define Ustrrchr(s,n)      US strrchr(CCS(s),n)
+#define CUstrrchr(s,n)     CUS strrchr(CCS(s),n)
+#define Ustrspn(s,t)       strspn(CCS(s),CCS(t))
+#define Ustrstr(s,t)       US strstr(CCS(s),CCS(t))
+#define CUstrstr(s,t)      CUS strstr(CCS(s),CCS(t))
+#define Ustrtod(s,t)       strtod(CCS(s),CSS(t))
+#define Ustrtol(s,t,b)     strtol(CCS(s),CSS(t),b)
+#define Ustrtoul(s,t,b)    strtoul(CCS(s),CSS(t),b)
+#define Uunlink(s)         unlink(CCS(s))
+
+#if defined(EM_VERSION_C) || defined(LOCAL_SCAN) || defined(DLFUNC_IMPL)
+# define Ustrcat(s,t)       strcat(CS(s), CCS(t))
+# define Ustrcpy(s,t)       strcpy(CS(s), CCS(t))
+# define Ustrncat(s,t,n)    strncat(CS(s), CCS(t), n)
+# define Ustrncpy(s,t,n)    strncpy(CS(s), CCS(t), n)
+#else
+# define Ustrcat(s,t)       __Ustrcat(s, CUS(t), __FUNCTION__, __LINE__)
+# define Ustrcpy(s,t)       __Ustrcpy(s, CUS(t), __FUNCTION__, __LINE__)
+# define Ustrncat(s,t,n)    __Ustrncat(s, CUS(t), n, __FUNCTION__, __LINE__)
+# define Ustrncpy(s,t,n)    __Ustrncpy(s, CUS(t), n, __FUNCTION__, __LINE__)
+#endif
+
+#endif
+/* End of mytypes.h */
diff --git a/src/os.c b/src/os.c
new file mode 100644
index 0000000..ac5f61b
--- /dev/null
+++ b/src/os.c
@@ -0,0 +1,971 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#ifdef STAND_ALONE
+# include <signal.h>
+# include <stdio.h>
+# include <time.h>
+#endif
+
+#ifndef CS
+# define CS (char *)
+# define US (unsigned char *)
+#endif
+
+/* This source file contains "default" system-dependent functions which
+provide functionality (or lack of it) in cases where the OS-specific os.c
+file has not. Some of them are tailored by macros defined in os.h files. */
+
+
+#ifndef OS_RESTARTING_SIGNAL
+/*************************************************
+*          Set up restarting signal              *
+*************************************************/
+
+/* This function has the same functionality as the ANSI C signal() function,
+except that it arranges that, if the signal happens during a system call, the
+system call gets restarted. (Also, it doesn't return a result.) Different
+versions of Unix have different defaults, and different ways of setting up a
+restarting signal handler. If the functionality is not available, the signal
+should be set to be ignored. This function is used only for catching SIGUSR1.
+*/
+
+void
+os_restarting_signal(int sig, void (*handler)(int))
+{
+/* Many systems have the SA_RESTART sigaction for specifying that a signal
+should restart system calls. These include SunOS5, AIX, BSDI, IRIX, FreeBSD,
+OSF1, Linux and HP-UX 10 (but *not* HP-UX 9). */
+
+#ifdef SA_RESTART
+struct sigaction act;
+act.sa_handler = handler;
+sigemptyset(&(act.sa_mask));
+act.sa_flags = SA_RESTART;
+sigaction(sig, &act, NULL);
+
+#ifdef STAND_ALONE
+printf("Used SA_RESTART\n");
+#endif
+
+/* SunOS4 and Ultrix default to non-interruptable signals, with SV_INTERRUPT
+for making them interruptable. This seems to be a dying fashion. */
+
+#elif defined SV_INTERRUPT
+signal(sig, handler);
+
+#ifdef STAND_ALONE
+printf("Used default signal()\n");
+#endif
+
+
+/* If neither SA_RESTART nor SV_INTERRUPT is available we don't know how to
+set up a restarting signal, so simply suppress the facility. */
+
+#else
+signal(sig, SIG_IGN);
+
+#ifdef STAND_ALONE
+printf("Used SIG_IGN\n");
+#endif
+
+#endif
+}
+
+#endif  /* OS_RESTARTING_SIGNAL */
+
+
+#ifndef OS_NON_RESTARTING_SIGNAL
+/*************************************************
+*          Set up non-restarting signal          *
+*************************************************/
+
+/* This function has the same functionality as the ANSI C signal() function,
+except that it arranges that, if the signal happens during a system call, the
+system call gets interrupted. (Also, it doesn't return a result.) Different
+versions of Unix have different defaults, and different ways of setting up a
+non-restarting signal handler. For systems for which we don't know what to do,
+just use the normal signal() function and hope for the best. */
+
+void
+os_non_restarting_signal(int sig, void (*handler)(int))
+{
+/* Many systems have the SA_RESTART sigaction for specifying that a signal
+should restart system calls. These include SunOS5, AIX, BSDI, IRIX, FreeBSD,
+OSF1, Linux and HP-UX 10 (but *not* HP-UX 9). */
+
+#ifdef SA_RESTART
+struct sigaction act;
+act.sa_handler = handler;
+sigemptyset(&(act.sa_mask));
+act.sa_flags = 0;
+sigaction(sig, &act, NULL);
+
+#ifdef STAND_ALONE
+printf("Used sigaction() with flags = 0\n");
+#endif
+
+/* SunOS4 and Ultrix default to non-interruptable signals, with SV_INTERRUPT
+for making them interruptable. This seems to be a dying fashion. */
+
+#elif defined SV_INTERRUPT
+struct sigvec sv;
+sv.sv_handler = handler;
+sv.sv_flags = SV_INTERRUPT;
+sv.sv_mask = -1;
+sigvec(sig, &sv, NULL);
+
+#ifdef STAND_ALONE
+printf("Used sigvec() with flags = SV_INTERRUPT\n");
+#endif
+
+/* If neither SA_RESTART nor SV_INTERRUPT is available we don't know how to
+set up a restarting signal, so just use the standard signal() function. */
+
+#else
+signal(sig, handler);
+
+#ifdef STAND_ALONE
+printf("Used default signal()\n");
+#endif
+
+#endif
+}
+
+#endif  /* OS_NON_RESTARTING_SIGNAL */
+
+
+
+#ifdef STRERROR_FROM_ERRLIST
+/*************************************************
+*     Provide strerror() for non-ANSI libraries  *
+*************************************************/
+
+/* Some old-fashioned systems still around (e.g. SunOS4) don't have strerror()
+in their libraries, but can provide the same facility by this simple
+alternative function. */
+
+char *
+strerror(int n)
+{
+if (n < 0 || n >= sys_nerr) return "unknown error number";
+return sys_errlist[n];
+}
+#endif /* STRERROR_FROM_ERRLIST */
+
+
+
+#ifndef OS_STRSIGNAL
+/*************************************************
+*      Provide strsignal() for systems without   *
+*************************************************/
+
+/* Some systems have strsignal() to turn signal numbers into names; others
+may have other means of doing this. This function is used for those systems
+that have nothing. It provides a basic translation for the common standard
+signal numbers. I've been extra cautious with the ifdef's here. Probably more
+than is necessary... */
+
+const char *
+os_strsignal(const int n)
+{
+switch (n)
+  {
+  #ifdef SIGHUP
+  case SIGHUP:  return "hangup";
+  #endif
+
+  #ifdef SIGINT
+  case SIGINT:  return "interrupt";
+  #endif
+
+  #ifdef SIGQUIT
+  case SIGQUIT: return "quit";
+  #endif
+
+  #ifdef SIGILL
+  case SIGILL:  return "illegal instruction";
+  #endif
+
+  #ifdef SIGTRAP
+  case SIGTRAP: return "trace trap";
+  #endif
+
+  #ifdef SIGABRT
+  case SIGABRT: return "abort";
+  #endif
+
+  #ifdef SIGEMT
+  case SIGEMT:  return "EMT instruction";
+  #endif
+
+  #ifdef SIGFPE
+  case SIGFPE:  return "arithmetic exception";
+  #endif
+
+  #ifdef SIGKILL
+  case SIGKILL: return "killed";
+  #endif
+
+  #ifdef SIGBUS
+  case SIGBUS:  return "bus error";
+  #endif
+
+  #ifdef SIGSEGV
+  case SIGSEGV: return "segmentation fault";
+  #endif
+
+  #ifdef SIGSYS
+  case SIGSYS:  return "bad system call";
+  #endif
+
+  #ifdef SIGPIPE
+  case SIGPIPE: return "broken pipe";
+  #endif
+
+  #ifdef SIGALRM
+  case SIGALRM: return "alarm";
+  #endif
+
+  #ifdef SIGTERM
+  case SIGTERM: return "terminated";
+  #endif
+
+  #ifdef SIGUSR1
+  case SIGUSR1: return "user signal 1";
+  #endif
+
+  #ifdef SIGUSR2
+  case SIGUSR2: return "user signal 2";
+  #endif
+
+  #ifdef SIGCHLD
+  case SIGCHLD: return "child stop or exit";
+  #endif
+
+  #ifdef SIGPWR
+  case SIGPWR:  return "power fail/restart";
+  #endif
+
+  #ifdef SIGURG
+  case SIGURG:  return "urgent condition on I/O channel";
+  #endif
+
+  #ifdef SIGSTOP
+  case SIGSTOP: return "stop";
+  #endif
+
+  #ifdef SIGTSTP
+  case SIGTSTP: return "stop from tty";
+  #endif
+
+  #ifdef SIGXCPU
+  case SIGXCPU: return "exceeded CPU limit";
+  #endif
+
+  #ifdef SIGXFSZ
+  case SIGXFSZ: return "exceeded file size limit";
+  #endif
+
+  default:      return "unrecognized signal number";
+  }
+}
+#endif /* OS_STRSIGNAL */
+
+
+
+#ifndef OS_STREXIT
+/*************************************************
+*      Provide strexit() for systems without     *
+*************************************************/
+
+/* Actually, I don't know of any system that has a strexit() function to turn
+exit codes into text, but this function is implemented this way so that if any
+OS does have such a thing, it could be used instead of this build-in one. */
+
+const char *
+os_strexit(const int n)
+{
+switch (n)
+  {
+  /* On systems without sysexits.h we can assume only those exit codes
+  that are given a default value in exim.h. */
+
+  #ifndef NO_SYSEXITS
+  case EX_USAGE:       return "(could mean usage or syntax error)";
+  case EX_DATAERR:     return "(could mean error in input data)";
+  case EX_NOINPUT:     return "(could mean input data missing)";
+  case EX_NOUSER:      return "(could mean user nonexistent)";
+  case EX_NOHOST:      return "(could mean host nonexistent)";
+  case EX_SOFTWARE:    return "(could mean internal software error)";
+  case EX_OSERR:       return "(could mean internal operating system error)";
+  case EX_OSFILE:      return "(could mean system file missing)";
+  case EX_IOERR:       return "(could mean input/output error)";
+  case EX_PROTOCOL:    return "(could mean protocol error)";
+  case EX_NOPERM:      return "(could mean permission denied)";
+  #endif
+
+  case EX_EXECFAILED:  return "(could mean unable to exec or command does not exist)";
+  case EX_UNAVAILABLE: return "(could mean service or program unavailable)";
+  case EX_CANTCREAT:   return "(could mean can't create output file)";
+  case EX_TEMPFAIL:    return "(could mean temporary error)";
+  case EX_CONFIG:      return "(could mean configuration error)";
+  default:             return "";
+  }
+}
+#endif /* OS_STREXIT */
+
+
+
+
+/***********************************************************
+*                   Load average function                  *
+***********************************************************/
+
+/* Although every Unix seems to have a different way of getting the load
+average, a number of them have things in common. Some common variants are
+provided below, but if an OS has unique requirements it can be handled in
+a specific os.c file. What is required is a function called os_getloadavg
+which takes no arguments and passes back the load average * 1000 as an int,
+or -1 if no data is available. */
+
+
+/* ----------------------------------------------------------------------- */
+/* If the OS has got a BSD getloadavg() function, life is very easy. */
+
+#if !defined(OS_LOAD_AVERAGE) && defined(HAVE_BSD_GETLOADAVG)
+#define OS_LOAD_AVERAGE
+
+int
+os_getloadavg(void)
+{
+double avg;
+int loads = getloadavg (&avg, 1);
+if (loads != 1) return -1;
+return (int)(avg * 1000.0);
+}
+#endif
+/* ----------------------------------------------------------------------- */
+
+
+
+/* ----------------------------------------------------------------------- */
+/* Only SunOS5 has the kstat functions as far as I know, but put the code
+here as there is the -hal variant, and other systems might follow this road one
+day. */
+
+#if !defined(OS_LOAD_AVERAGE) && defined(HAVE_KSTAT)
+#define OS_LOAD_AVERAGE
+
+#include <kstat.h>
+
+int
+os_getloadavg(void)
+{
+int avg;
+kstat_ctl_t *kc;
+kstat_t *ksp;
+kstat_named_t *kn;
+
+if ((kc = kstat_open()) == NULL ||
+    (ksp = kstat_lookup(kc, LOAD_AVG_KSTAT_MODULE, 0, LOAD_AVG_KSTAT))
+        == NULL ||
+     kstat_read(kc, ksp, NULL) < 0 ||
+    (kn = kstat_data_lookup(ksp, LOAD_AVG_SYMBOL)) == NULL)
+  return -1;
+
+avg = (int)(((double)(kn->LOAD_AVG_FIELD)/FSCALE) * 1000.0);
+
+kstat_close(kc);
+return avg;
+}
+
+#endif
+/* ----------------------------------------------------------------------- */
+
+
+
+/* ----------------------------------------------------------------------- */
+/* Handle OS where a kernel symbol has to be read from /dev/kmem */
+
+#if !defined(OS_LOAD_AVERAGE) && defined(HAVE_DEV_KMEM)
+#define OS_LOAD_AVERAGE
+
+#include <nlist.h>
+
+static int  avg_kd = -1;
+static long avg_offset;
+
+int
+os_getloadavg(void)
+{
+LOAD_AVG_TYPE avg;
+
+if (avg_kd < 0)
+  {
+  struct nlist nl[2];
+  nl[0].n_name = LOAD_AVG_SYMBOL;
+  nl[1].n_name = "";
+  nlist (KERNEL_PATH, nl);
+  avg_offset = (long)nl[0].n_value;
+  avg_kd = open ("/dev/kmem", 0);
+  if (avg_kd < 0) return -1;
+  (void) fcntl(avg_kd, F_SETFD, FD_CLOEXEC);
+  }
+
+if (lseek (avg_kd, avg_offset, 0) == -1L
+    || read (avg_kd, CS (&avg), sizeof (avg)) != sizeof(avg))
+  return -1;
+
+return (int)(((double)avg/FSCALE)*1000.0);
+}
+
+#endif
+/* ----------------------------------------------------------------------- */
+
+
+
+/* ----------------------------------------------------------------------- */
+/* If nothing is known about this OS, then the load average facility is
+not available. */
+
+#ifndef OS_LOAD_AVERAGE
+
+int
+os_getloadavg(void)
+{
+return -1;
+}
+
+#endif
+
+/* ----------------------------------------------------------------------- */
+
+
+
+#if !defined FIND_RUNNING_INTERFACES
+/*************************************************
+*     Find all the running network interfaces    *
+*************************************************/
+
+/* Finding all the running interfaces is something that has os-dependent
+tweaks, even in the IPv4 case, and it gets worse for IPv6, which is why this
+code is now in the os-dependent source file. There is a common function which
+works on most OS (except IRIX) for IPv4 interfaces, and, with some variations
+controlled by macros, on at least one OS for IPv6 and IPv4 interfaces. On Linux
+with IPv6, the common function is used for the IPv4 interfaces and additional
+code used for IPv6. Consequently, the real function is called
+os_common_find_running_interfaces() so that it can be called from the Linux
+function. On non-Linux systems, the macro for os_find_running_interfaces just
+calls the common function; on Linux it calls the Linux function.
+
+This function finds the addresses of all the running interfaces on the machine.
+A chain of blocks containing the textual form of the addresses is returned.
+
+getifaddrs() provides a sane consistent way to query this on modern OSs,
+otherwise fall back to a maze of twisty ioctl() calls
+
+Arguments:    none
+Returns:      a chain of ip_address_items, each pointing to a textual
+              version of an IP address, with the port field set to zero
+*/
+
+
+#ifndef NO_FIND_INTERFACES
+
+#ifdef HAVE_GETIFADDRS
+
+#include <ifaddrs.h>
+
+ip_address_item *
+os_common_find_running_interfaces(void)
+{
+struct ifaddrs *ifalist = NULL;
+ip_address_item *yield = NULL;
+ip_address_item *last = NULL;
+ip_address_item  *next;
+
+if (getifaddrs(&ifalist) != 0)
+  log_write(0, LOG_PANIC_DIE, "Unable to call getifaddrs: %d %s",
+    errno, strerror(errno));
+
+for (struct ifaddrs * ifa = ifalist; ifa; ifa = ifa->ifa_next)
+  {
+  struct sockaddr * ifa_addr = ifa->ifa_addr;
+  if (!ifa_addr) continue;
+  if (ifa_addr->sa_family != AF_INET
+#if HAVE_IPV6
+    && ifa_addr->sa_family != AF_INET6
+#endif /* HAVE_IPV6 */
+    )
+    continue;
+
+  if ( !(ifa->ifa_flags & IFF_UP) ) /* Only want 'UP' interfaces */
+    continue;
+
+  /* Create a data block for the address, fill in the data, and put it on the
+  chain. */
+
+  next = store_get(sizeof(ip_address_item), GET_UNTAINTED);
+  next->next = NULL;
+  next->port = 0;
+  (void)host_ntoa(-1, ifa_addr, next->address, NULL);
+
+  if (!yield)
+    yield = last = next;
+  else
+    {
+    last->next = next;
+    last = next;
+    }
+
+  DEBUG(D_interface) debug_printf("Actual local interface address is %s (%s)\n",
+    last->address, ifa->ifa_name);
+  }
+
+/* free the list of addresses, and return the chain of data blocks. */
+
+freeifaddrs (ifalist);
+return yield;
+}
+
+#else /* HAVE_GETIFADDRS */
+
+/*
+Problems:
+
+  (1) Solaris 2 has the SIOGIFNUM call to get the number of interfaces, but
+  other OS (including Solaris 1) appear not to. So just screw in a largeish
+  fixed number, defined by MAX_INTERFACES. This is in the config.h file and
+  can be changed in Local/Makefile. Unfortunately, the www addressing scheme
+  means that some hosts have a very large number of virtual interfaces. Such
+  hosts are recommended to set local_interfaces to avoid problems with this.
+
+  (2) If the standard code is run on IRIX, it does not return any alias
+  interfaces. There is special purpose code for that operating system, which
+  uses the sysctl() function. The code is in OS/os.c-IRIX, and this code isn't
+  used on that OS.
+
+  (3) Some experimental/developing OS (e.g. GNU/Hurd) do not have any means
+  of finding the interfaces. If NO_FIND_INTERFACES is set, a fudge-up is used
+  instead.
+
+  (4) Some operating systems set the IP address in what SIOCGIFCONF returns;
+  others do not, and require SIOCGIFADDR to be called to get it. For most of
+  the former, calling the latter does no harm, but it causes grief on Linux and
+  BSD systems in the case of IP aliasing, so a means of cutting it out is
+  provided.
+*/
+
+/* If there is IPv6 support, and SIOCGLIFCONF is defined, define macros to
+use these new, longer versions of the old IPv4 interfaces. Otherwise, define
+the macros to use the historical versions. */
+
+#if HAVE_IPV6 && defined SIOCGLIFCONF
+#define V_ifconf        lifconf
+#define V_ifreq         lifreq
+#define V_GIFADDR       SIOCGLIFADDR
+#define V_GIFCONF       SIOCGLIFCONF
+#define V_GIFFLAGS      SIOCGLIFFLAGS
+#define V_ifc_buf       lifc_buf
+#define V_ifc_family    lifc_family
+#define V_ifc_flags     lifc_flags
+#define V_ifc_len       lifc_len
+#define V_ifr_addr      lifr_addr
+#define V_ifr_flags     lifr_flags
+#define V_ifr_name      lifr_name
+#define V_FAMILY_QUERY  AF_UNSPEC
+#define V_family        ss_family
+#else
+#define V_ifconf        ifconf
+#define V_ifreq         ifreq
+#define V_GIFADDR       SIOCGIFADDR
+#define V_GIFCONF       SIOCGIFCONF
+#define V_GIFFLAGS      SIOCGIFFLAGS
+#define V_ifc_buf       ifc_buf
+#define V_ifc_family    ifc_family
+#define V_ifc_flags     ifc_flags
+#define V_ifc_len       ifc_len
+#define V_ifr_addr      ifr_addr
+#define V_ifr_flags     ifr_flags
+#define V_ifr_name      ifr_name
+#define V_family        sa_family
+#endif
+
+/* In all cases of IPv6 support, use an IPv6 socket. Otherwise (at least on
+Solaris 8) the call to read the flags doesn't work for IPv6 interfaces. If
+we find we can't actually make an IPv6 socket, the code will revert to trying
+an IPv4 socket. */
+
+#if HAVE_IPV6
+#define FAMILY          AF_INET6
+#else
+#define FAMILY          AF_INET
+#endif
+
+/* OK, after all that preliminary stuff, here's the code. */
+
+ip_address_item *
+os_common_find_running_interfaces(void)
+{
+struct V_ifconf ifc;
+struct V_ifreq ifreq;
+int vs;
+ip_address_item *yield = NULL;
+ip_address_item *last = NULL;
+ip_address_item  *next;
+char buf[MAX_INTERFACES*sizeof(struct V_ifreq)];
+struct sockaddr *addrp;
+size_t len = 0;
+char addrbuf[512];
+
+/* We have to create a socket in order to do ioctls on it to find out
+what we want to know. */
+
+if ((vs = socket(FAMILY, SOCK_DGRAM, 0)) < 0)
+  {
+  #if HAVE_IPV6
+  DEBUG(D_interface)
+    debug_printf("Unable to create IPv6 socket to find interface addresses:\n  "
+      "error %d %s\nTrying for an IPv4 socket\n", errno, strerror(errno));
+  vs = socket(AF_INET, SOCK_DGRAM, 0);
+  if (vs < 0)
+  #endif
+  log_write(0, LOG_PANIC_DIE, "Unable to create IPv4 socket to find interface "
+    "addresses: %d %s", errno, strerror(errno));
+  }
+
+/* Get the interface configuration. Some additional data is required when the
+new structures are in use. */
+
+ifc.V_ifc_len = sizeof(buf);
+ifc.V_ifc_buf = buf;
+
+#ifdef V_FAMILY_QUERY
+ifc.V_ifc_family = V_FAMILY_QUERY;
+ifc.V_ifc_flags = 0;
+#endif
+
+if (ioctl(vs, V_GIFCONF, CS &ifc) < 0)
+  log_write(0, LOG_PANIC_DIE, "Unable to get interface configuration: %d %s",
+    errno, strerror(errno));
+
+/* If the buffer is big enough, the ioctl sets the value of ifc.V_ifc_len to
+the amount actually used. If the buffer isn't big enough, at least on some
+operating systems, ifc.V_ifc_len still gets set to correspond to the total
+number of interfaces, even though they don't all fit in the buffer. */
+
+if (ifc.V_ifc_len > sizeof(buf))
+  {
+  ifc.V_ifc_len = sizeof(buf);
+  DEBUG(D_interface)
+    debug_printf("more than %d interfaces found: remainder not used\n"
+      "(set MAX_INTERFACES in Local/Makefile and rebuild if you want more)\n",
+      MAX_INTERFACES);
+  }
+
+/* For each interface, check it is an IP interface, get its flags, and see if
+it is up; if not, skip.
+
+BSD systems differ from others in what SIOCGIFCONF returns. Other systems
+return a vector of ifreq structures whose size is as defined by the structure.
+BSD systems allow sockaddrs to be longer than their sizeof, which in turn makes
+the ifreq structures longer than their sizeof. The code below has its origins
+in amd and ifconfig; it uses the sa_len field of each sockaddr to determine
+each item's length.
+
+This is complicated by the fact that, at least on BSD systems, the data in the
+buffer is not guaranteed to be aligned. Thus, we must first copy the basic
+struct to some aligned memory before looking at the field in the fixed part to
+find its length, and then recopy the correct length. */
+
+for (char * cp = buf; cp < buf + ifc.V_ifc_len; cp += len)
+  {
+  memcpy(CS &ifreq, cp, sizeof(ifreq));
+
+  #ifndef HAVE_SA_LEN
+  len = sizeof(struct V_ifreq);
+
+  #else
+  len = ((ifreq.ifr_addr.sa_len > sizeof(ifreq.ifr_addr))?
+          ifreq.ifr_addr.sa_len : sizeof(ifreq.ifr_addr)) +
+         sizeof(ifreq.V_ifr_name);
+  if (len > sizeof(addrbuf))
+    log_write(0, LOG_PANIC_DIE, "Address for %s interface is absurdly long",
+        ifreq.V_ifr_name);
+
+  #endif
+
+  /* If not an IP interface, skip */
+
+  if (ifreq.V_ifr_addr.V_family != AF_INET
+  #if HAVE_IPV6
+    && ifreq.V_ifr_addr.V_family != AF_INET6
+  #endif
+    ) continue;
+
+  /* Get the interface flags, and if the interface is down, continue. Formerly,
+  we treated the inability to get the flags as a panic-die error. However, it
+  seems that on some OS (Solaris 9 being the case noted), it is possible to
+  have an interface in this list for which this call fails because the
+  interface hasn't been "plumbed" to any protocol (IPv4 or IPv6). Therefore,
+  we now just treat this case as "down" as well. */
+
+  if (ioctl(vs, V_GIFFLAGS, CS &ifreq) < 0)
+    {
+    continue;
+    /*************
+    log_write(0, LOG_PANIC_DIE, "Unable to get flags for %s interface: %d %s",
+      ifreq.V_ifr_name, errno, strerror(errno));
+    *************/
+    }
+  if ((ifreq.V_ifr_flags & IFF_UP) == 0) continue;
+
+  /* On some operating systems we have to get the IP address of the interface
+  by another call. On others, it's already there, but we must copy the full
+  length because we only copied the basic length above, and anyway,
+  GIFFLAGS may have wrecked the data. */
+
+  #ifndef SIOCGIFCONF_GIVES_ADDR
+  if (ioctl(vs, V_GIFADDR, CS &ifreq) < 0)
+    log_write(0, LOG_PANIC_DIE, "Unable to get IP address for %s interface: "
+      "%d %s", ifreq.V_ifr_name, errno, strerror(errno));
+  addrp = &ifreq.V_ifr_addr;
+
+  #else
+  memcpy(addrbuf, cp + offsetof(struct V_ifreq, V_ifr_addr),
+    len - sizeof(ifreq.V_ifr_name));
+  addrp = (struct sockaddr *)addrbuf;
+  #endif
+
+  /* Create a data block for the address, fill in the data, and put it on the
+  chain. */
+
+  next = store_get(sizeof(ip_address_item), GET_UNTAINTED);
+  next->next = NULL;
+  next->port = 0;
+  (void)host_ntoa(-1, addrp, next->address, NULL);
+
+  if (yield == NULL) yield = last = next; else
+    {
+    last->next = next;
+    last = next;
+    }
+
+  DEBUG(D_interface) debug_printf("Actual local interface address is %s (%s)\n",
+    last->address, ifreq.V_ifr_name);
+  }
+
+/* Close the socket, and return the chain of data blocks. */
+
+(void)close(vs);
+return yield;
+}
+
+#endif /* HAVE_GETIFADDRS */
+
+#else  /* NO_FIND_INTERFACES */
+
+/* Some experimental or developing OS (e.g. GNU/Hurd) do not have the ioctls,
+and there is no other way to get a list of the (IP addresses of) local
+interfaces. We just return the loopback address(es). */
+
+ip_address_item *
+os_common_find_running_interfaces(void)
+{
+ip_address_item *yield = store_get(sizeof(address_item), GET_UNTAINTED);
+yield->address = US"127.0.0.1";
+yield->port = 0;
+yield->next = NULL;
+
+#if HAVE_IPV6
+yield->next = store_get(sizeof(address_item), GET_UNTAINTED);
+yield->next->address = US"::1";
+yield->next->port = 0;
+yield->next->next = NULL;
+#endif
+
+DEBUG(D_interface) debug_printf("Unable to find local interface addresses "
+  "on this OS: returning loopback address(es)\n");
+return yield;
+}
+
+#endif /* NO_FIND_INTERFACES */
+#endif /* FIND_RUNNING_INTERFACES */
+
+
+
+
+/* ----------------------------------------------------------------------- */
+
+/***********************************************************
+*                 DNS Resolver Base Finder                 *
+***********************************************************/
+
+/* We need to be able to set options for the system resolver(5), historically
+made available as _res.  At least one OS (NetBSD) now no longer provides this
+directly, instead making you call a function per thread to get a handle.
+Other OSs handle thread-safe resolver differently, in ways which fail if the
+programmer creates their own structs. */
+
+#if !defined(OS_GET_DNS_RESOLVER_RES) && !defined(COMPILE_UTILITY)
+
+#include <resolv.h>
+
+/* confirmed that res_state is typedef'd as a struct* on BSD and Linux, will
+find out how unportable it is on other OSes, but most resolver implementations
+should be descended from ISC's bind.
+
+Linux and BSD do:
+  define _res (*__res_state())
+identically.  We just can't rely on __foo functions.  It's surprising that use
+of _res has been as portable as it has, for so long.
+
+So, since _res works everywhere, and everything can decode the struct, I'm
+going to gamble that res_state is a typedef everywhere and use that as the
+return type.
+*/
+
+res_state
+os_get_dns_resolver_res(void)
+{
+return &_res;
+}
+
+#endif /* OS_GET_DNS_RESOLVER_RES */
+
+/* ----------------------------------------------------------------------- */
+
+/***********************************************************
+*                 unsetenv()                               *
+***********************************************************/
+
+/* Most modern systems define int unsetenv(const char*),
+* some don't. */
+
+#if !defined(OS_UNSETENV)
+int
+os_unsetenv(const unsigned char * name)
+{
+return unsetenv(CS name);
+}
+#endif
+
+/* ----------------------------------------------------------------------- */
+
+/***********************************************************
+*               getcwd()                                   *
+***********************************************************/
+
+/* Glibc allows getcwd(NULL, 0) to do auto-allocation. Some systems
+do auto-allocation, but need the size of the buffer, and others
+may not even do this. If the OS supports getcwd(NULL, 0) we'll use
+this, for all other systems we provide our own getcwd() */
+
+#if !defined(OS_GETCWD)
+unsigned char *
+os_getcwd(unsigned char * buffer, size_t size)
+{
+return US  getcwd(CS buffer, size);
+}
+#else
+#ifndef PATH_MAX
+# define PATH_MAX 4096
+#endif
+unsigned char *
+os_getcwd(unsigned char * buffer, size_t size)
+{
+char * b = CS buffer;
+
+if (!size) size = PATH_MAX;
+if (!b && !(b = malloc(size))) return NULL;
+if (!(b = getcwd(b, size))) return NULL;
+return buffer ? buffer : realloc(b, strlen(b) + 1);
+}
+#endif
+
+/* ----------------------------------------------------------------------- */
+
+
+
+
+/*************************************************
+**************************************************
+*             Stand-alone test program           *
+**************************************************
+*************************************************/
+
+
+#ifdef STAND_ALONE
+
+#ifdef CLOCKS_PER_SEC
+#define REAL_CLOCK_TICK CLOCKS_PER_SEC
+#else
+  #ifdef CLK_TCK
+  #define REAL_CLOCK_TICK CLK_TCK
+  #else
+  #define REAL_CLOCK_TICK 1000000   /* SunOS4 */
+  #endif
+#endif
+
+
+int main(int argc, char **argv)
+{
+char buffer[128];
+int fd = fileno(stdin);
+int rc;
+
+printf("Testing restarting signal; wait for handler message, then type a line\n");
+strcpy(buffer, "*** default ***\n");
+os_restarting_signal(SIGALRM, sigalrm_handler);
+ALARM(2);
+if ((rc = read(fd, buffer, sizeof(buffer))) < 0)
+  printf("No data read\n");
+else
+  {
+  buffer[rc] = 0;
+  printf("Read: %s", buffer);
+  }
+ALARM_CLR(0);
+
+printf("Testing non-restarting signal; should read no data after handler message\n");
+strcpy(buffer, "*** default ***\n");
+os_non_restarting_signal(SIGALRM, sigalrm_handler);
+ALARM(2);
+if ((rc = read(fd, buffer, sizeof(buffer))) < 0)
+  printf("No data read\n");
+else
+  {
+  buffer[rc] = 0;
+  printf("Read: %s", buffer);
+  }
+ALARM_CLR(0);
+
+printf("Testing load averages (last test - ^C to kill)\n");
+for (;;)
+  {
+  int avg;
+  clock_t used;
+  clock_t before = clock();
+  avg = os_getloadavg();
+  used = clock() - before;
+  printf("cpu time = %.2f ", (double)used/REAL_CLOCK_TICK);
+  if (avg < 0)
+    {
+    printf("load average not available\n");
+    break;
+    }
+  printf("load average = %.2f\n", (double)avg/1000.0);
+  sleep(2);
+  }
+return 0;
+}
+
+#endif
+
+/* End of os.c */
diff --git a/src/osfunctions.h b/src/osfunctions.h
new file mode 100644
index 0000000..547cf13
--- /dev/null
+++ b/src/osfunctions.h
@@ -0,0 +1,43 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2016 */
+/* Copyright (c) The Exim Maintainers 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Prototypes for os-specific functions. For utilities, we don't need the one
+that uses a type that isn't defined for them. */
+
+#ifndef COMPILE_UTILITY
+extern ip_address_item *os_common_find_running_interfaces(void);
+#endif
+
+/* If these exist as a macro, then they're overridden away from us and we
+rely upon the system headers to provide prototype declarations for us.
+Notably, strsignal() is not in the Single Unix Specification (v3) and
+predicting constness is awkward. */
+
+#ifndef os_getloadavg
+extern int           os_getloadavg(void);
+#endif
+#ifndef os_restarting_signal
+extern void          os_restarting_signal(int, void (*)(int));
+#endif
+#ifndef os_non_restarting_signal
+extern void          os_non_restarting_signal(int, void (*)(int));
+#endif
+#ifndef os_strexit
+extern const char   *os_strexit(int);     /* char to match os_strsignal */
+#endif
+#ifndef os_strsignal
+extern const char   *os_strsignal(int);   /* char to match strsignal in some OS */
+#endif
+#ifndef os_unsetenv
+extern int           os_unsetenv(const uschar *);
+#endif
+#ifndef os_getcwd
+extern uschar       *os_getcwd(uschar *, size_t);
+#endif
+
+/* End of osfunctions.h */
diff --git a/src/parse.c b/src/parse.c
new file mode 100644
index 0000000..bdba3ec
--- /dev/null
+++ b/src/parse.c
@@ -0,0 +1,2243 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions for parsing addresses */
+
+
+#include "exim.h"
+
+
+static const uschar *last_comment_position;
+
+
+
+/* In stand-alone mode, provide a replacement for deliver_make_addr()
+and rewrite_address[_qualify]() so as to avoid having to drag in too much
+redundant apparatus. */
+
+#ifdef STAND_ALONE
+
+address_item *
+deliver_make_addr(uschar *address, BOOL copy)
+{
+address_item *addr = store_get(sizeof(address_item), GET_UNTAINTED);
+addr->next = NULL;
+addr->parent = NULL;
+addr->address = address;
+return addr;
+}
+
+uschar *
+rewrite_address(uschar *recipient, BOOL dummy1, BOOL dummy2, rewrite_rule
+  *dummy3, int dummy4)
+{
+return recipient;
+}
+
+uschar *
+rewrite_address_qualify(uschar *recipient, BOOL dummy1)
+{
+return recipient;
+}
+
+#endif
+
+
+
+
+/*************************************************
+*             Find the end of an address         *
+*************************************************/
+
+/* Scan over a string looking for the termination of an address at a comma,
+or end of the string. It's the source-routed addresses which cause much pain
+here. Although Exim ignores source routes, it must recognize such addresses, so
+we cannot get rid of this logic.
+
+Argument:
+  s        pointer to the start of an address
+  nl_ends  if TRUE, '\n' terminates an address
+
+Returns:   pointer past the end of the address
+           (i.e. points to null or comma)
+*/
+
+uschar *
+parse_find_address_end(const uschar *s, BOOL nl_ends)
+{
+BOOL source_routing = *s == '@';
+int no_term = source_routing? 1 : 0;
+
+while (*s != 0 && (*s != ',' || no_term > 0) && (*s != '\n' || !nl_ends))
+  {
+  /* Skip single quoted characters. Strictly these should not occur outside
+  quoted strings in RFC 822 addresses, but they can in RFC 821 addresses. Pity
+  about the lack of consistency, isn't it? */
+
+  if (*s == '\\' && s[1] != 0) s += 2;
+
+  /* Skip quoted items that are not inside brackets. Note that
+  quoted pairs are allowed inside quoted strings. */
+
+  else if (*s == '\"')
+    {
+    while (*(++s) != 0 && (*s != '\n' || !nl_ends))
+      {
+      if (*s == '\\' && s[1] != 0) s++;
+        else if (*s == '\"') { s++; break; }
+      }
+    }
+
+  /* Skip comments, which may include nested brackets, but quotes
+  are not recognized inside comments, though quoted pairs are. */
+
+  else if (*s == '(')
+    {
+    int level = 1;
+    while (*(++s) != 0 && (*s != '\n' || !nl_ends))
+      {
+      if (*s == '\\' && s[1] != 0) s++;
+        else if (*s == '(') level++;
+          else if (*s == ')' && --level <= 0) { s++; break; }
+      }
+    }
+
+  /* Non-special character; just advance. Passing the colon in a source
+  routed address means that any subsequent comma or colon may terminate unless
+  inside angle brackets. */
+
+  else
+    {
+    if (*s == '<')
+      {
+      source_routing = s[1] == '@';
+      no_term = source_routing? 2 : 1;
+      }
+    else if (*s == '>') no_term--;
+    else if (source_routing && *s == ':') no_term--;
+    s++;
+    }
+  }
+
+return US s;
+}
+
+
+
+/*************************************************
+*            Find last @ in an address           *
+*************************************************/
+
+/* This function is used when we have something that may not qualified. If we
+know it's qualified, searching for the rightmost '@' is sufficient. Here we
+have to be a bit more clever than just a plain search, in order to handle
+unqualified local parts like "thing@thong" correctly. Since quotes may not
+legally be part of a domain name, we can give up on hitting the first quote
+when searching from the right. Now that the parsing also permits the RFC 821
+form of address, where quoted-pairs are allowed in unquoted local parts, we
+must take care to handle that too.
+
+Argument:  pointer to an address, possibly unqualified
+Returns:   pointer to the last @ in an address, or NULL if none
+*/
+
+const uschar *
+parse_find_at(const uschar *s)
+{
+const uschar * t = s + Ustrlen(s);
+while (--t >= s)
+  if (*t == '@')
+    {
+    int backslash_count = 0;
+    const uschar *tt = t - 1;
+    while (tt > s && *tt-- == '\\') backslash_count++;
+    if ((backslash_count & 1) == 0) return t;
+    }
+  else if (*t == '\"')
+    return NULL;
+
+return NULL;
+}
+
+
+
+
+/***************************************************************************
+* In all the functions below that read a particular object type from       *
+* the input, return the new value of the pointer s (the first argument),   *
+* and put the object into the store pointed to by t (the second argument), *
+* adding a terminating zero. If no object is found, t will point to zero   *
+* on return.                                                               *
+***************************************************************************/
+
+
+/*************************************************
+*          Skip white space and comment          *
+*************************************************/
+
+/* Algorithm:
+  (1) Skip spaces.
+  (2) If uschar not '(', return.
+  (3) Skip till matching ')', not counting any characters
+      escaped with '\'.
+  (4) Move past ')' and goto (1).
+
+The start of the last potential comment position is remembered to
+make it possible to ignore comments at the end of compound items.
+
+Argument: current character pointer
+Returns:  new character pointer
+*/
+
+static const uschar *
+skip_comment(const uschar *s)
+{
+last_comment_position = s;
+while (*s)
+  {
+  int c, level;
+
+  if (Uskip_whitespace(&s) != '(') break;
+  level = 1;
+  while((c = *(++s)))
+    {
+    if (c == '(') level++;
+    else if (c == ')') { if (--level <= 0) { s++; break; } }
+    else if (c == '\\' && s[1] != 0) s++;
+    }
+  }
+return s;
+}
+
+
+
+/*************************************************
+*             Read a domain                      *
+*************************************************/
+
+/* A domain is a sequence of subdomains, separated by dots. See comments below
+for detailed syntax of the subdomains.
+
+If allow_domain_literals is TRUE, a "domain" may also be an IP address enclosed
+in []. Make sure the output is set to the null string if there is a syntax
+error as well as if there is no domain at all.
+
+Optionally, msg_id domain literals ( printable-ascii enclosed in [] )
+are permitted.
+
+Arguments:
+  s          current character pointer
+  t          where to put the domain
+  msg_id_literals     flag for relaxed domain-literal processing
+  errorptr   put error message here on failure (*t will be 0 on exit)
+
+Returns:     new character pointer
+*/
+
+static const uschar *
+read_domain(const uschar *s, uschar *t, BOOL msg_id_literals, uschar **errorptr)
+{
+uschar *tt = t;
+s = skip_comment(s);
+
+/* Handle domain literals if permitted. An RFC 822 domain literal may contain
+any character except [ ] \, including linear white space, and may contain
+quoted characters. However, RFC 821 restricts literals to being dot-separated
+3-digit numbers, and we make the obvious extension for IPv6. Go for a sequence
+of digits, dots, hex digits, and colons here; later this will be checked for
+being a syntactically valid IP address if it ever gets to a router.
+
+Allow both the formal IPv6 form, with IPV6: at the start, and the informal form
+without it, and accept IPV4: as well, 'cause someone will use it sooner or
+later. */
+
+if (*s == '[')
+  {
+  *t++ = *s++;
+
+  if (strncmpic(s, US"IPv6:", 5) == 0 || strncmpic(s, US"IPv4:", 5) == 0)
+    {
+    memcpy(t, s, 5);
+    t += 5;
+    s += 5;
+    }
+
+  if (msg_id_literals)
+    while (*s >= 33 && *s <= 90 || *s >= 94 && *s <= 126) *t++ = *s++;
+  else
+    while (*s == '.' || *s == ':' || isxdigit(*s)) *t++ = *s++;
+
+  if (*s == ']') *t++ = *s++; else
+    {
+    *errorptr = US"malformed domain literal";
+    *tt = 0;
+    }
+
+  if (!allow_domain_literals && !msg_id_literals)
+    {
+    *errorptr = US"domain literals not allowed";
+    *tt = 0;
+    }
+  *t = 0;
+  return skip_comment(s);
+  }
+
+/* Handle a proper domain, which is a sequence of dot-separated atoms. Remove
+trailing dots if strip_trailing_dot is set. A subdomain is an atom.
+
+An atom is a sequence of any characters except specials, space, and controls.
+The specials are ( ) < > @ , ; : \ " . [ and ]. This is the rule for RFC 822
+and its successor (RFC 2822). However, RFC 821 and its successor (RFC 2821) is
+tighter, allowing only letters, digits, and hyphens, not starting with a
+hyphen.
+
+There used to be a global flag that got set when checking addresses that came
+in over SMTP and which should therefore should be checked according to the
+stricter rule. However, it seems silly to make the distinction, because I don't
+suppose anybody ever uses local domains that are 822-compliant and not
+821-compliant. Furthermore, Exim now has additional data on the spool file line
+after an address (after "one_time" processing), and it makes use of a #
+character to delimit it. When I wrote that code, I forgot about this 822-domain
+stuff, and assumed # could never appear in a domain.
+
+So the old code is now cut out for Release 4.11 onwards, on 09-Aug-02. In a few
+years, when we are sure this isn't actually causing trouble, throw it away.
+
+March 2003: the story continues: There is a camp that is arguing for the use of
+UTF-8 in domain names as the way to internationalization, and other MTAs
+support this. Therefore, we now have a flag that permits the use of characters
+with values greater than 127, encoded in UTF-8, in subdomains, so that Exim can
+be used experimentally in this way. */
+
+for (;;)
+  {
+  uschar *tsave = t;
+
+/*********************
+  if (rfc821_domains)
+    {
+    if (*s != '-') while (isalnum(*s) || *s == '-') *t++ = *s++;
+    }
+  else
+    while (!mac_iscntrl_or_special(*s)) *t++ = *s++;
+*********************/
+
+  if (*s != '-')
+    {
+    /* Only letters, digits, and hyphens */
+
+    if (!allow_utf8_domains)
+      {
+      while (isalnum(*s) || *s == '-') *t++ = *s++;
+      }
+
+    /* Permit legal UTF-8 characters to be included */
+
+    else for(;;)
+      {
+      int i, d;
+      if (isalnum(*s) || *s == '-')    /* legal ascii characters */
+        {
+        *t++ = *s++;
+        continue;
+        }
+      if ((*s & 0xc0) != 0xc0) break;  /* not start of UTF-8 character */
+      d = *s << 2;
+      for (i = 1; i < 6; i++)          /* i is the number of additional bytes */
+        {
+        if ((d & 0x80) == 0) break;
+        d <<= 1;
+        }
+      if (i == 6) goto BAD_UTF8;       /* invalid UTF-8 */
+      *t++ = *s++;                     /* leading UTF-8 byte */
+      while (i-- > 0)                  /* copy and check remainder */
+        {
+        if ((*s & 0xc0) != 0x80)
+          {
+          BAD_UTF8:
+          *errorptr = US"invalid UTF-8 byte sequence";
+          *tt = 0;
+          return s;
+          }
+        *t++ = *s++;
+        }
+      }    /* End of loop for UTF-8 character */
+    }      /* End of subdomain */
+
+  s = skip_comment(s);
+  *t = 0;
+
+  if (t == tsave)   /* empty component */
+    {
+    if (strip_trailing_dot && t > tt && *s != '.') t[-1] = 0; else
+      {
+      *errorptr = US"domain missing or malformed";
+      *tt = 0;
+      }
+    return s;
+    }
+
+  if (*s != '.') break;
+  *t++ = *s++;
+  s = skip_comment(s);
+  }
+
+return s;
+}
+
+
+
+/*************************************************
+*            Read a local-part                   *
+*************************************************/
+
+/* A local-part is a sequence of words, separated by periods. A null word
+between dots is not strictly allowed but apparently many mailers permit it,
+so, sigh, better be compatible. Even accept a trailing dot...
+
+A <word> is either a quoted string, or an <atom>, which is a sequence
+of any characters except specials, space, and controls. The specials are
+( ) < > @ , ; : \ " . [ and ]. In RFC 822, a single quoted character, (a
+quoted-pair) is not allowed in a word. However, in RFC 821, it is permitted in
+the local part of an address. Rather than have separate parsing functions for
+the different cases, take the liberal attitude always. At least one MUA is
+happy to recognize this case; I don't know how many other programs do.
+
+Arguments:
+  s           current character pointer
+  t           where to put the local part
+  error       where to point error text
+  allow_null  TRUE if an empty local part is not an error
+
+Returns:   new character pointer
+*/
+
+static const uschar *
+read_local_part(const uschar *s, uschar *t, uschar **error, BOOL allow_null)
+{
+uschar *tt = t;
+*error = NULL;
+for (;;)
+  {
+  int c;
+  uschar *tsave = t;
+  s = skip_comment(s);
+
+  /* Handle a quoted string */
+
+  if (*s == '\"')
+    {
+    *t++ = '\"';
+    while ((c = *++s) && c != '\"')
+      {
+      *t++ = c;
+      if (c == '\\' && s[1]) *t++ = *++s;
+      }
+    if (c == '\"')
+      {
+      s++;
+      *t++ = '\"';
+      }
+    else
+      {
+      *error = US"unmatched doublequote in local part";
+      return s;
+      }
+    }
+
+  /* Handle an atom, but allow quoted pairs within it. */
+
+  else while (!mac_iscntrl_or_special(*s) || *s == '\\')
+    {
+    c = *t++ = *s++;
+    if (c == '\\' && *s) *t++ = *s++;
+    }
+
+  /* Terminate the word and skip subsequent comment */
+
+  *t = 0;
+  s = skip_comment(s);
+
+  /* If we have read a null component at this point, give an error unless it is
+  terminated by a dot - an extension to RFC 822 - or if it is the first
+  component of the local part and an empty local part is permitted, in which
+  case just return normally. */
+
+  if (t == tsave && *s != '.')
+    {
+    if (t == tt && !allow_null)
+      *error = US"missing or malformed local part";
+    return s;
+    }
+
+  /* Anything other than a dot terminates the local part. Treat multiple dots
+  as a single dot, as this seems to be a common extension. */
+
+  if (*s != '.') break;
+  do { *t++ = *s++; } while (*s == '.');
+  }
+
+return s;
+}
+
+
+/*************************************************
+*            Read route part of route-addr       *
+*************************************************/
+
+/* The pointer is at the initial "@" on entry. Return it following the
+terminating colon. Exim no longer supports the use of source routes, but it is
+required to accept the syntax.
+
+Arguments:
+  s          current character pointer
+  t          where to put the route
+  errorptr   where to put an error message
+
+Returns:     new character pointer
+*/
+
+static const uschar *
+read_route(const uschar *s, uschar *t, uschar **errorptr)
+{
+BOOL commas = FALSE;
+*errorptr = NULL;
+
+while (*s == '@')
+  {
+  *t++ = '@';
+  s = read_domain(s+1, t, FALSE, errorptr);
+  if (*t == 0) return s;
+  t += Ustrlen((const uschar *)t);
+  if (*s != ',') break;
+  *t++ = *s++;
+  commas = TRUE;
+  s = skip_comment(s);
+  }
+
+if (*s == ':') *t++ = *s++;
+
+/* If there is no colon, and there were no commas, the most likely error
+is in fact a missing local part in the address rather than a missing colon
+after the route. */
+
+else *errorptr = commas?
+  US"colon expected after route list" :
+  US"no local part";
+
+/* Terminate the route and return */
+
+*t = 0;
+return skip_comment(s);
+}
+
+
+
+/*************************************************
+*                Read addr-spec                  *
+*************************************************/
+
+/* Addr-spec is local-part@domain. We make the domain optional -
+the expected terminator for the whole thing is passed to check this.
+This function is called only when we know we have a route-addr.
+
+Arguments:
+  s          current character pointer
+  t          where to put the addr-spec
+  term       expected terminator (0 or >)
+  errorptr   where to put an error message
+  domainptr  set to point to the start of the domain
+
+Returns:     new character pointer
+*/
+
+static const uschar *
+read_addr_spec(const uschar *s, uschar *t, int term, uschar **errorptr,
+  uschar **domainptr)
+{
+s = read_local_part(s, t, errorptr, FALSE);
+if (*errorptr == NULL)
+  if (*s != term)
+    if (*s != '@')
+      *errorptr = string_sprintf("\"@\" or \".\" expected after \"%s\"", t);
+    else
+      {
+      t += Ustrlen((const uschar *)t);
+      *t++ = *s++;
+      *domainptr = t;
+      s = read_domain(s, t, FALSE, errorptr);
+      }
+return s;
+}
+
+
+
+/*************************************************
+*         Extract operative address              *
+*************************************************/
+
+/* This function extracts an operative address from a full RFC822 mailbox and
+returns it in a piece of dynamic store. We take the easy way and get a piece
+of store the same size as the input, and then copy into it whatever is
+necessary. If we cannot find a valid address (syntax error), return NULL, and
+point the error pointer to the reason. The arguments "start" and "end" are used
+to return the offsets of the first and one past the last characters in the
+original mailbox of the address that has been extracted, to aid in re-writing.
+The argument "domain" is set to point to the first character after "@" in the
+final part of the returned address, or zero if there is no @.
+
+Exim no longer supports the use of source routed addresses (those of the form
+@domain,...:route_addr). It recognizes the syntax, but collapses such addresses
+down to their final components. Formerly, collapse_source_routes had to be set
+to achieve this effect. RFC 1123 allows collapsing with MAY, while the revision
+of RFC 821 had increased this to SHOULD, so I've gone for it, because it makes
+a lot of code elsewhere in Exim much simpler.
+
+There are some special fudges here for handling RFC 822 group address notation
+which may appear in certain headers. If the flag parse_allow_group is set
+TRUE and parse_found_group is FALSE when this function is called, an address
+which is the start of a group (i.e. preceded by a phrase and a colon) is
+recognized; the phrase is ignored and the flag parse_found_group is set. If
+this flag is TRUE at the end of an address, and if an extraneous semicolon is
+found, it is ignored and the flag is cleared.
+
+This logic is used only when scanning through addresses in headers, either to
+fulfil the -t option, or for rewriting, or for checking header syntax. Because
+the group "state" has to be remembered between multiple calls of this function,
+the variables parse_{allow,found}_group are global. It is important to ensure
+that they are reset to FALSE at the end of scanning a header's list of
+addresses.
+
+Arguments:
+  mailbox     points to the RFC822 mailbox
+  errorptr    where to point an error message
+  start       set to start offset in mailbox
+  end         set to end offset in mailbox
+  domain      set to domain offset in result, or 0 if no domain present
+  allow_null  allow <> if TRUE
+
+Returns:      points to the extracted address, or NULL on error
+*/
+
+#define FAILED(s) { *errorptr = s; goto PARSE_FAILED; }
+
+uschar *
+parse_extract_address(const uschar *mailbox, uschar **errorptr, int *start, int *end,
+  int *domain, BOOL allow_null)
+{
+uschar * yield = store_get(Ustrlen(mailbox) + 1, mailbox);
+const uschar *startptr, *endptr;
+const uschar *s = US mailbox;
+uschar *t = US yield;
+
+*domain = 0;
+
+/* At the start of the string we expect either an addr-spec or a phrase
+preceding a <route-addr>. If groups are allowed, we might also find a phrase
+preceding a colon and an address. If we find an initial word followed by
+a dot, strict interpretation of the RFC would cause it to be taken
+as the start of an addr-spec. However, many mailers break the rules
+and use addresses of the form "a.n.other <ano@somewhere>" and so we
+allow this case. */
+
+RESTART:   /* Come back here after passing a group name */
+
+s = skip_comment(s);
+startptr = s;                                 /* In case addr-spec */
+s = read_local_part(s, t, errorptr, TRUE);    /* Dot separated words */
+if (*errorptr) goto PARSE_FAILED;
+
+/* If the terminator is neither < nor @ then the format of the address
+must either be a bare local-part (we are now at the end), or a phrase
+followed by a route-addr (more words must follow). */
+
+if (*s != '@' && *s != '<')
+  {
+  if (!*s || *s == ';')
+    {
+    if (!*t) FAILED(US"empty address");
+    endptr = last_comment_position;
+    goto PARSE_SUCCEEDED;              /* Bare local part */
+    }
+
+  /* Expect phrase route-addr, or phrase : if groups permitted, but allow
+  dots in the phrase; complete the loop only when '<' or ':' is encountered -
+  end of string will produce a null local_part and therefore fail. We don't
+  need to keep updating t, as the phrase isn't to be kept. */
+
+  while (*s != '<' && (!f.parse_allow_group || *s != ':'))
+    {
+    s = read_local_part(s, t, errorptr, FALSE);
+    if (*errorptr)
+      {
+      *errorptr = string_sprintf("%s (expected word or \"<\")", *errorptr);
+      goto PARSE_FAILED;
+      }
+    }
+
+  if (*s == ':')
+    {
+    f.parse_found_group = TRUE;
+    f.parse_allow_group = FALSE;
+    s++;
+    goto RESTART;
+    }
+
+  /* Assert *s == '<' */
+  }
+
+/* At this point the next character is either '@' or '<'. If it is '@', only a
+single local-part has previously been read. An angle bracket signifies the
+start of an <addr-spec>. Throw away anything we have saved so far before
+processing it. Note that this is "if" rather than "else if" because it's also
+used after reading a preceding phrase.
+
+There are a lot of broken sendmails out there that put additional pairs of <>
+round <route-addr>s.  If strip_excess_angle_brackets is set, allow a limited
+number of them, as long as they match. */
+
+if (*s == '<')
+  {
+  uschar *domainptr = yield;
+  BOOL source_routed = FALSE;
+  int bracket_count = 1;
+
+  s++;
+  if (strip_excess_angle_brackets) while (*s == '<')
+   {
+   if(bracket_count++ > 5) FAILED(US"angle-brackets nested too deep");
+   s++;
+   }
+
+  t = yield;
+  startptr = s;
+  s = skip_comment(s);
+
+  /* Read an optional series of routes, each of which is a domain. They
+  are separated by commas and terminated by a colon. However, we totally ignore
+  such routes (RFC 1123 says we MAY, and the revision of RFC 821 says we
+  SHOULD). */
+
+  if (*s == '@')
+    {
+    s = read_route(s, t, errorptr);
+    if (*errorptr) goto PARSE_FAILED;
+    *t = 0;                  /* Ensure route is ignored - probably overkill */
+    source_routed = TRUE;
+    }
+
+  /* Now an addr-spec, terminated by '>'. If there is no preceding route,
+  we must allow an empty addr-spec if allow_null is TRUE, to permit the
+  address "<>" in some circumstances. A source-routed address MUST have
+  a domain in the final part. */
+
+  if (allow_null && !source_routed && *s == '>')
+    {
+    *t = 0;
+    *errorptr = NULL;
+    }
+  else
+    {
+    s = read_addr_spec(s, t, '>', errorptr, &domainptr);
+    if (*errorptr) goto PARSE_FAILED;
+    *domain = domainptr - yield;
+    if (source_routed && *domain == 0)
+      FAILED(US"domain missing in source-routed address");
+    }
+
+  endptr = s;
+  if (*errorptr) goto PARSE_FAILED;
+  while (bracket_count-- > 0) if (*s++ != '>')
+    {
+    *errorptr = s[-1] == 0
+      ? US"'>' missing at end of address"
+      : string_sprintf("malformed address: %.32s may not follow %.*s",
+	  s-1, (int)(s - US mailbox - 1), mailbox);
+    goto PARSE_FAILED;
+    }
+
+  s = skip_comment(s);
+  }
+
+/* Hitting '@' after the first local-part means we have definitely got an
+addr-spec, on a strict reading of the RFC, and the rest of the string
+should be the domain. However, for flexibility we allow for a route-address
+not enclosed in <> as well, which is indicated by an empty first local
+part preceding '@'. The source routing is, however, ignored. */
+
+else if (!*t)
+  {
+  uschar *domainptr = yield;
+  s = read_route(s, t, errorptr);
+  if (*errorptr) goto PARSE_FAILED;
+  *t = 0;         /* Ensure route is ignored - probably overkill */
+  s = read_addr_spec(s, t, 0, errorptr, &domainptr);
+  if (*errorptr) goto PARSE_FAILED;
+  *domain = domainptr - yield;
+  endptr = last_comment_position;
+  if (*domain == 0) FAILED(US"domain missing in source-routed address");
+  }
+
+/* This is the strict case of local-part@domain. */
+
+else
+  {
+  t += Ustrlen((const uschar *)t);
+  *t++ = *s++;
+  *domain = t - yield;
+  s = read_domain(s, t, TRUE, errorptr);
+  if (!*t) goto PARSE_FAILED;
+  endptr = last_comment_position;
+  }
+
+/* Use goto to get here from the bare local part case. Arrive by falling
+through for other cases. Endptr may have been moved over whitespace, so
+move it back past white space if necessary. */
+
+PARSE_SUCCEEDED:
+if (*s)
+  {
+  if (f.parse_found_group && *s == ';')
+    {
+    f.parse_found_group = FALSE;
+    f.parse_allow_group = TRUE;
+    }
+  else
+    {
+    *errorptr = string_sprintf("malformed address: %.32s may not follow %.*s",
+      s, (int)(s - US mailbox), mailbox);
+    goto PARSE_FAILED;
+    }
+  }
+*start = startptr - US mailbox;      /* Return offsets */
+while (isspace(endptr[-1])) endptr--;
+*end = endptr - US mailbox;
+
+/* Although this code has no limitation on the length of address extracted,
+other parts of Exim may have limits, and in any case, RFC 5321 limits email
+addresses to 256, so we do a check here, giving an error if the address is
+ridiculously long. */
+
+if (*end - *start > EXIM_EMAILADDR_MAX)
+  {
+  *errorptr = string_sprintf("address is ridiculously long: %.64s...", yield);
+  return NULL;
+  }
+
+return yield;
+
+/* Use goto (via the macro FAILED) to get to here from a variety of places.
+We might have an empty address in a group - the caller can choose to ignore
+this. We must, however, keep the flags correct. */
+
+PARSE_FAILED:
+if (f.parse_found_group && *s == ';')
+  {
+  f.parse_found_group = FALSE;
+  f.parse_allow_group = TRUE;
+  }
+return NULL;
+}
+
+#undef FAILED
+
+
+
+/*************************************************
+*        Quote according to RFC 2047             *
+*************************************************/
+
+/* This function is used for quoting text in headers according to RFC 2047.
+If the only characters that strictly need quoting are spaces, we return the
+original string, unmodified.
+
+Hmmph. As always, things get perverted for other uses. This function was
+originally for the "phrase" part of addresses. Now it is being used for much
+longer texts in ACLs and via the ${rfc2047: expansion item. This means we have
+to check for overlong "encoded-word"s and split them. November 2004.
+
+Arguments:
+  string       the string to quote - already checked to contain non-printing
+                 chars
+  len          the length of the string
+  charset      the name of the character set; NULL => iso-8859-1
+  fold         if TRUE, a newline is inserted before the separating space when
+                 more than one encoded-word is generated
+
+Returns:       pointer to the original string, if no quoting needed, or
+               pointer to allocated memory containing the quoted string
+*/
+
+const uschar *
+parse_quote_2047(const uschar *string, int len, const uschar *charset,
+  BOOL fold)
+{
+const uschar * s = string;
+int hlen, l;
+BOOL coded = FALSE;
+BOOL first_byte = FALSE;
+gstring * g =
+  string_fmt_append(NULL, "=?%s?Q?", charset ? charset : US"iso-8859-1");
+
+hlen = l = g->ptr;
+
+for (s = string; len > 0; s++, len--)
+  {
+  int ch = *s;
+
+  if (g->ptr - l > 67 && !first_byte)
+    {
+    g = fold ? string_catn(g, US"?=\n ", 4) : string_catn(g, US"?= ", 3);
+    l = g->ptr;
+    g = string_catn(g, g->s, hlen);
+    }
+
+  if (  ch < 33 || ch > 126
+     || Ustrchr("?=()<>@,;:\\\".[]_", ch) != NULL)
+    {
+    if (ch == ' ')
+      {
+      g = string_catn(g, US"_", 1);
+      first_byte = FALSE;
+      }
+    else
+      {
+      g = string_fmt_append(g, "=%02X", ch);
+      coded = TRUE;
+      first_byte = !first_byte;
+      }
+    }
+  else
+    { g = string_catn(g, s, 1); first_byte = FALSE; }
+  }
+
+if (coded)
+  string = string_from_gstring(g = string_catn(g, US"?=", 2));
+else
+  g->ptr = -1;
+
+gstring_release_unused(g);
+return string;
+}
+
+
+
+
+/*************************************************
+*            Fix up an RFC 822 "phrase"          *
+*************************************************/
+
+/* This function is called to repair any syntactic defects in the "phrase" part
+of an RFC822 address. In particular, it is applied to the user's name as read
+from the passwd file when accepting a local message, and to the data from the
+-F option.
+
+If the string contains existing quoted strings or comments containing
+freestanding quotes, then we just quote those bits that need quoting -
+otherwise it would get awfully messy and probably not look good. If not, we
+quote the whole thing if necessary. Thus
+
+   John Q. Smith            =>  "John Q. Smith"
+   John "Jack" Smith        =>  John "Jack" Smith
+   John "Jack" Q. Smith     =>  John "Jack" "Q." Smith
+   John (Jack) Q. Smith     =>  "John (Jack) Q. Smith"
+   John ("Jack") Q. Smith   =>  John ("Jack") "Q." Smith
+but
+   John (\"Jack\") Q. Smith =>  "John (\"Jack\") Q. Smith"
+
+Sheesh! This is tedious code. It is a great pity that the syntax of RFC822 is
+the way it is...
+
+August 2000: Additional code added:
+
+  Previously, non-printing characters were turned into question marks, which do
+  not need to be quoted.
+
+  Now, a different tactic is used if there are any non-printing ASCII
+  characters. The encoding method from RFC 2047 is used, assuming iso-8859-1 as
+  the character set.
+
+  We *could* use this for all cases, getting rid of the messy original code,
+  but leave it for now. It would complicate simple cases like "John Q. Smith".
+
+The result is passed back in allocated memory.
+
+Arguments:
+  phrase       an RFC822 phrase
+  len          the length of the phrase
+
+Returns:       the fixed RFC822 phrase
+*/
+
+const uschar *
+parse_fix_phrase(const uschar *phrase, int len)
+{
+int ch, i;
+BOOL quoted = FALSE;
+const uschar *s, *end;
+uschar * buffer;
+uschar *t, *yield;
+
+while (len > 0 && isspace(*phrase)) { phrase++; len--; }
+
+/* See if there are any non-printing characters, and if so, use the RFC 2047
+encoding for the whole thing. */
+
+for (i = 0, s = phrase; i < len; i++, s++)
+  if ((*s < 32 && *s != '\t') || *s > 126) break;
+
+if (i < len)
+  return parse_quote_2047(phrase, len, headers_charset, FALSE);
+
+/* No non-printers; use the RFC 822 quoting rules */
+
+if (len <= 0 || len >= INT_MAX/4)
+  return string_copy_taint(CUS"", phrase);
+
+buffer = store_get((len+1)*4, phrase);
+
+s = phrase;
+end = s + len;
+yield = t = buffer + 1;
+
+while (s < end)
+  {
+  ch = *s++;
+
+  /* Copy over quoted strings, remembering we encountered one */
+
+  if (ch == '\"')
+    {
+    *t++ = '\"';
+    while (s < end && (ch = *s++) != '\"')
+      {
+      *t++ = ch;
+      if (ch == '\\' && s < end) *t++ = *s++;
+      }
+    *t++ = '\"';
+    if (s >= end) break;
+    quoted = TRUE;
+    }
+
+  /* Copy over comments, noting if they contain freestanding quote
+  characters */
+
+  else if (ch == '(')
+    {
+    int level = 1;
+    *t++ = '(';
+    while (s < end)
+      {
+      ch = *s++;
+      *t++ = ch;
+      if (ch == '(') level++;
+      else if (ch == ')') { if (--level <= 0) break; }
+      else if (ch == '\\' && s < end) *t++ = *s++ & 127;
+      else if (ch == '\"') quoted = TRUE;
+      }
+    if (ch == 0)
+      {
+      while (level--) *t++ = ')';
+      break;
+      }
+    }
+
+  /* Handle special characters that need to be quoted */
+
+  else if (Ustrchr(")<>@,;:\\.[]", ch) != NULL)
+    {
+    /* If hit previous quotes just make one quoted "word" */
+
+    if (quoted)
+      {
+      uschar *tt = t++;
+      while (*(--tt) != ' ' && *tt != '\"' && *tt != ')') tt[1] = *tt;
+      tt[1] = '\"';
+      *t++ = ch;
+      while (s < end)
+        {
+        ch = *s++;
+        if (ch == ' ' || ch == '\"') { s--; break; } else *t++ = ch;
+        }
+      *t++ = '\"';
+      }
+
+    /* Else quote the whole string so far, and the rest up to any following
+    quotes. We must treat anything following a backslash as a literal. */
+
+    else
+      {
+      BOOL escaped = (ch == '\\');
+      *(--yield) = '\"';
+      *t++ = ch;
+
+      /* Now look for the end or a quote */
+
+      while (s < end)
+        {
+        ch = *s++;
+
+        /* Handle escaped pairs */
+
+        if (escaped)
+          {
+          *t++ = ch;
+          escaped = FALSE;
+          }
+
+        else if (ch == '\\')
+          {
+          *t++ = ch;
+          escaped = TRUE;
+          }
+
+        /* If hit subsequent quotes, insert our quote before any trailing
+        spaces and back up to re-handle the quote in the outer loop. */
+
+        else if (ch == '\"')
+          {
+          int count = 0;
+          while (t[-1] == ' ') { t--; count++; }
+          *t++ = '\"';
+          while (count-- > 0) *t++ = ' ';
+          s--;
+          break;
+          }
+
+        /* If hit a subsequent comment, check it for unescaped quotes,
+        and if so, end our quote before it. */
+
+        else if (ch == '(')
+          {
+          const uschar *ss = s;     /* uschar after '(' */
+          int level = 1;
+          while(ss < end)
+            {
+            ch = *ss++;
+            if (ch == '(') level++;
+            else if (ch == ')') { if (--level <= 0) break; }
+            else if (ch == '\\' && ss+1 < end) ss++;
+            else if (ch == '\"') { quoted = TRUE; break; }
+            }
+
+          /* Comment contains unescaped quotes; end our quote before
+          the start of the comment. */
+
+          if (quoted)
+            {
+            int count = 0;
+            while (t[-1] == ' ') { t--; count++; }
+            *t++ = '\"';
+            while (count-- > 0) *t++ = ' ';
+            break;
+            }
+
+          /* Comment does not contain unescaped quotes; include it in
+          our quote. */
+
+          else
+            {
+            if (ss >= end) ss--;
+            *t++ = '(';
+            if (ss > s)
+              {
+              Ustrncpy(t, s, ss-s);
+              t += ss-s;
+              s = ss;
+              }
+            }
+          }
+
+        /* Not a comment or quote; include this character in our quotes. */
+
+        else *t++ = ch;
+        }
+      }
+
+    /* Add a final quote if we hit the end of the string. */
+
+    if (s >= end) *t++ = '\"';
+    }
+
+  /* Non-special character; just copy it over */
+
+  else *t++ = ch;
+  }
+
+*t = 0;
+store_release_above(t+1);
+return yield;
+}
+
+
+/*************************************************
+*          Extract addresses from a list         *
+*************************************************/
+
+/* This function is called by the redirect router to scan a string containing a
+list of addresses separated by commas (with optional white space) or by
+newlines, and to generate a chain of address items from them. In other words,
+to unpick data from an alias or .forward file.
+
+The SunOS5 documentation for alias files is not very clear on the syntax; it
+does not say that either a comma or a newline can be used for separation.
+However, that is the way Smail does it, so we follow suit.
+
+If a # character is encountered in a white space position, then characters from
+there to the next newline are skipped.
+
+If an unqualified address begins with '\', just skip that character. This gives
+compatibility with Sendmail's use of \ to prevent looping. Exim has its own
+loop prevention scheme which handles other cases too - see the code in
+route_address().
+
+An "address" can be a specification of a file or a pipe; the latter may often
+need to be quoted because it may contain spaces, but we don't want to retain
+the quotes. Quotes may appear in normal addresses too, and should be retained.
+We can distinguish between these cases, because in addresses, quotes are used
+only for parts of the address, not the whole thing. Therefore, we remove quotes
+from items when they entirely enclose them, but not otherwise.
+
+An "address" can also be of the form :include:pathname to include a list of
+addresses contained in the specified file.
+
+Any unqualified addresses are qualified with and rewritten if necessary, via
+the rewrite_address() function.
+
+Arguments:
+  s                the list of addresses (typically a complete
+                     .forward file or a list of entries in an alias file)
+  options          option bits for permitting or denying various special cases;
+                     not all bits are relevant here - some are for filter
+                     files; those we use here are:
+                       RDO_DEFER
+                       RDO_FREEZE
+                       RDO_FAIL
+                       RDO_BLACKHOLE
+                       RDO_REWRITE
+                       RDO_INCLUDE
+  anchor           where to hang the chain of newly-created addresses. This
+                     should be initialized to NULL.
+  error            where to return an error text
+  incoming domain  domain of the incoming address; used to qualify unqualified
+                     local parts preceded by \
+  directory        if NULL, no checks are done on :include: files
+                   otherwise, included file names must start with the given
+                     directory
+  syntax_errors    if not NULL, it carries on after syntax errors in addresses,
+                     building up a list of errors as error blocks chained on
+                     here.
+
+Returns:      FF_DELIVERED      addresses extracted
+              FF_NOTDELIVERED   no addresses extracted, but no errors
+              FF_BLACKHOLE      :blackhole:
+              FF_DEFER          :defer:
+              FF_FAIL           :fail:
+              FF_INCLUDEFAIL    some problem with :include:; *error set
+              FF_ERROR          other problems; *error is set
+*/
+
+int
+parse_forward_list(const uschar *s, int options, address_item **anchor,
+  uschar **error, const uschar *incoming_domain, const uschar *directory,
+  error_block **syntax_errors)
+{
+int count = 0;
+
+DEBUG(D_route) debug_printf("parse_forward_list: %s\n", s);
+
+for (;;)
+  {
+  int len, special = 0, specopt = 0, specbit = 0;
+  const uschar * ss, * nexts;
+  address_item * addr;
+  BOOL inquote = FALSE;
+
+  for (;;)
+    {
+    while (isspace(*s) || *s == ',') s++;
+    if (*s == '#') { while (*s && *s != '\n') s++; } else break;
+    }
+
+  /* When we reach the end of the list, we return FF_DELIVERED if any child
+  addresses have been generated. If nothing has been generated, there are two
+  possibilities: either the list is really empty, or there were syntax errors
+  that are being skipped. (If syntax errors are not being skipped, an FF_ERROR
+  return is generated on hitting a syntax error and we don't get here.) For a
+  truly empty list we return FF_NOTDELIVERED so that the router can decline.
+  However, if the list is empty only because syntax errors were skipped, we
+  return FF_DELIVERED. */
+
+  if (!*s)
+    {
+    return (count > 0 || (syntax_errors && *syntax_errors))
+      ?  FF_DELIVERED : FF_NOTDELIVERED;
+
+    /* This previous code returns FF_ERROR if nothing is generated but a
+    syntax error has been skipped. I now think it is the wrong approach, but
+    have left this here just in case, and for the record. */
+
+#ifdef NEVER
+    if (count > 0) return FF_DELIVERED;   /* Something was generated */
+
+    if (!syntax_errors ||          /* Not skipping syntax errors, or */
+       !*syntax_errors)            /*   we didn't actually skip any */
+      return FF_NOTDELIVERED;
+
+    *error = string_sprintf("no addresses generated: syntax error in %s: %s",
+       (*syntax_errors)->text2, (*syntax_errors)->text1);
+    return FF_ERROR;
+#endif
+    }
+
+  /* Find the end of the next address. Quoted strings in addresses may contain
+  escaped characters; I haven't found a proper specification of .forward or
+  alias files that mentions the quoting properties, but it seems right to do
+  the escaping thing in all cases, so use the function that finds the end of an
+  address. However, don't let a quoted string extend over the end of a line. */
+
+  ss = parse_find_address_end(s, TRUE);
+
+  /* Remember where we finished, for starting the next one. */
+
+  nexts = ss;
+
+  /* Remove any trailing spaces; we know there's at least one non-space. */
+
+  while (isspace(ss[-1])) ss--;
+
+  /* We now have s->start and ss->end of the next address. Remove quotes
+  if they completely enclose, remembering the address started with a quote
+  for handling pipes and files. Another round of removal of leading and
+  trailing spaces is then required. */
+
+  if (*s == '\"' && ss[-1] == '\"')
+    {
+    s++;
+    ss--;
+    inquote = TRUE;
+    while (s < ss && isspace(*s)) s++;
+    while (ss > s && isspace(ss[-1])) ss--;
+    }
+
+  /* Set up the length of the address. */
+
+  len = ss - s;
+
+  DEBUG(D_route) debug_printf("extract item: %.*s\n", len, s);
+
+  /* Handle special addresses if permitted. If the address is :unknown:
+  ignore it - this is for backward compatibility with old alias files. You
+  don't need to use it nowadays - just generate an empty string. For :defer:,
+  :blackhole:, or :fail: we have to set up the error message and give up right
+  away. */
+
+  if (Ustrncmp(s, ":unknown:", len) == 0)
+    {
+    s = nexts;
+    continue;
+    }
+
+  if      (Ustrncmp(s, ":defer:", 7) == 0)
+    { special = FF_DEFER; specopt = RDO_DEFER; }  /* specbit is 0 */
+  else if (Ustrncmp(s, ":blackhole:", 11) == 0)
+    { special = FF_BLACKHOLE; specopt = specbit = RDO_BLACKHOLE; }
+  else if (Ustrncmp(s, ":fail:", 6) == 0)
+    { special = FF_FAIL; specopt = RDO_FAIL; }  /* specbit is 0 */
+
+  if (special)
+    {
+    uschar * ss = Ustrchr(s+1, ':') + 1; /* line after the special... */
+    if ((options & specopt) == specbit)
+      {
+      *error = string_sprintf("\"%.*s\" is not permitted", len, s);
+      return FF_ERROR;
+      }
+    while (*ss && isspace(*ss)) ss++;	/* skip leading whitespace */
+    if ((len = Ustrlen(ss)) > 0)	/* ignore trailing newlines */
+      for (const uschar * t = ss + len - 1; t >= ss && *t == '\n'; t--) len--;
+    *error = string_copyn(ss, len);	/* becomes the error */
+    return special;
+    }
+
+  /* If the address is of the form :include:pathname, read the file, and call
+  this function recursively to extract the addresses from it. If directory is
+  NULL, do no checks. Otherwise, insist that the file name starts with the
+  given directory and is a regular file. */
+
+  if (Ustrncmp(s, ":include:", 9) == 0)
+    {
+    uschar * filebuf;
+    uschar filename[256];
+    const uschar * t = s+9;
+    int flen = len - 9;
+    int frc;
+    struct stat statbuf;
+    address_item * last;
+    FILE * f;
+
+    while (flen > 0 && isspace(*t)) { t++; flen--; }
+
+    if (flen <= 0)
+      {
+      *error = US"file name missing after :include:";
+      return FF_ERROR;
+      }
+
+    if (flen > sizeof(filename)-1)
+      {
+      *error = string_sprintf("included file name \"%s\" is too long", t);
+      return FF_ERROR;
+      }
+
+    Ustrncpy(filename, t, flen);
+    filename[flen] = 0;
+
+    /* Insist on absolute path */
+
+    if (filename[0] != '/')
+      {
+      *error = string_sprintf("included file \"%s\" is not an absolute path",
+        filename);
+      return FF_ERROR;
+      }
+
+    /* Check if include is permitted */
+
+    if (options & RDO_INCLUDE)
+      {
+      *error = US"included files not permitted";
+      return FF_ERROR;
+      }
+
+    if (is_tainted(filename))
+      {
+      *error = string_sprintf("Tainted name '%s' for included file  not permitted\n",
+       filename);
+      return FF_ERROR;
+      }
+
+    /* Check file name if required */
+
+    if (directory)
+      {
+      int len = Ustrlen(directory);
+      uschar * p;
+
+      while (len > 0 && directory[len-1] == '/') len--;		/* ignore trailing '/' */
+      p = filename + len;
+      if (Ustrncmp(filename, directory, len) != 0 || *p != '/')
+        {
+        *error = string_sprintf("included file %s is not in directory %s",
+          filename, directory);
+        return FF_ERROR;
+        }
+
+#ifdef EXIM_HAVE_OPENAT
+      /* It is necessary to check that every component inside the directory
+      is NOT a symbolic link, in order to keep the file inside the directory.
+      This is mighty tedious. We open the directory and openat every component,
+      with a flag that fails symlinks. */
+
+      {
+      int fd = exim_open2(CCS directory, O_RDONLY);
+      if (fd < 0)
+	{
+	*error = string_sprintf("failed to open directory %s", directory);
+	return FF_ERROR;
+	}
+      while (*p)
+	{
+	uschar temp;
+	int fd2;
+	uschar * q = p + 1;		/* skip dividing '/' */
+
+	while (*q == '/') q++;		/* skip extra '/' */
+	while (*++p && *p != '/') ;	/* end of component */
+	temp = *p;
+	*p = '\0';
+
+	fd2 = exim_openat(fd, CS q, O_RDONLY|O_NOFOLLOW);
+	close(fd);
+	*p = temp;
+	if (fd2 < 0)
+	  {
+          *error = string_sprintf("failed to open %s (component of included "
+            "file); could be symbolic link", filename);
+	  return FF_ERROR;
+	  }
+	fd = fd2;
+	}
+      f = fdopen(fd, "rb");
+      }
+#else
+      /* It is necessary to check that every component inside the directory
+      is NOT a symbolic link, in order to keep the file inside the directory.
+      This is mighty tedious. It is also not totally foolproof in that it
+      leaves the possibility of a race attack, but I don't know how to do
+      any better. */
+
+      while (*p)
+        {
+        int temp;
+        while (*++p && *p != '/');
+        temp = *p;
+        *p = 0;
+        if (Ulstat(filename, &statbuf) != 0)
+          {
+          *error = string_sprintf("failed to stat %s (component of included "
+            "file)", filename);
+          *p = temp;
+          return FF_ERROR;
+          }
+
+        *p = temp;
+
+        if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
+          {
+          *error = string_sprintf("included file %s in the %s directory "
+            "involves a symbolic link", filename, directory);
+          return FF_ERROR;
+          }
+        }
+#endif
+      }
+
+#ifdef EXIM_HAVE_OPENAT
+    else
+#endif
+      /* Open and stat the file */
+      f = Ufopen(filename, "rb");
+
+    if (!f)
+      {
+      *error = string_open_failed("included file %s", filename);
+      return FF_INCLUDEFAIL;
+      }
+
+    if (fstat(fileno(f), &statbuf) != 0)
+      {
+      *error = string_sprintf("failed to stat included file %s: %s",
+        filename, strerror(errno));
+      (void)fclose(f);
+      return FF_INCLUDEFAIL;
+      }
+
+    /* If directory was checked, double check that we opened a regular file */
+
+    if (directory && (statbuf.st_mode & S_IFMT) != S_IFREG)
+      {
+      *error = string_sprintf("included file %s is not a regular file in "
+        "the %s directory", filename, directory);
+      return FF_ERROR;
+      }
+
+    /* Get a buffer and read the contents */
+
+    if (statbuf.st_size > MAX_INCLUDE_SIZE)
+      {
+      *error = string_sprintf("included file %s is too big (max %d)",
+        filename, MAX_INCLUDE_SIZE);
+      return FF_ERROR;
+      }
+
+    filebuf = store_get(statbuf.st_size + 1, filename);
+    if (fread(filebuf, 1, statbuf.st_size, f) != statbuf.st_size)
+      {
+      *error = string_sprintf("error while reading included file %s: %s",
+        filename, strerror(errno));
+      (void)fclose(f);
+      return FF_ERROR;
+      }
+    filebuf[statbuf.st_size] = 0;
+    (void)fclose(f);
+
+    addr = NULL;
+    frc = parse_forward_list(filebuf, options, &addr,
+      error, incoming_domain, directory, syntax_errors);
+    if (frc != FF_DELIVERED && frc != FF_NOTDELIVERED) return frc;
+
+    if (addr)
+      {
+      for (last = addr; last->next; last = last->next) count++;
+      last->next = *anchor;
+      *anchor = addr;
+      count++;
+      }
+    }
+
+  /* Else (not :include:) ensure address is syntactically correct and fully
+  qualified if not a pipe or a file, removing a leading \ if present on an
+  unqualified address. For pipes and files we must handle quoting. It's
+  not quite clear exactly what to do for partially quoted things, but the
+  common case of having the whole thing in quotes is straightforward. If this
+  was the case, inquote will have been set TRUE above and the quotes removed.
+
+  There is a possible ambiguity over addresses whose local parts start with
+  a vertical bar or a slash, and the latter do in fact occur, thanks to X.400.
+  Consider a .forward file that contains the line
+
+     /X=xxx/Y=xxx/OU=xxx/@some.gate.way
+
+  Is this a file or an X.400 address? Does it make any difference if it is in
+  quotes? On the grounds that file names of this type are rare, Exim treats
+  something that parses as an RFC 822 address and has a domain as an address
+  rather than a file or a pipe. This is also how an address such as the above
+  would be treated if it came in from outside. */
+
+  else
+    {
+    int start, end, domain;
+    const uschar *recipient = NULL;
+    uschar * s_ltd = string_copyn(s, len);
+
+    /* If it starts with \ and the rest of it parses as a valid mail address
+    without a domain, carry on with that address, but qualify it with the
+    incoming domain. Otherwise arrange for the address to fall through,
+    causing an error message on the re-parse. */
+
+    if (*s_ltd == '\\')
+      {
+      recipient =
+        parse_extract_address(s_ltd+1, error, &start, &end, &domain, FALSE);
+      if (recipient)
+        recipient = domain != 0 ? NULL :
+          string_sprintf("%s@%s", recipient, incoming_domain);
+      }
+
+    /* Try parsing the item as an address. */
+
+    if (!recipient) recipient =
+      parse_extract_address(s_ltd, error, &start, &end, &domain, FALSE);
+
+    /* If item starts with / or | and is not a valid address, or there
+    is no domain, treat it as a file or pipe. If it was a quoted item,
+    remove the quoting occurrences of \ within it. */
+
+    if ((*s_ltd == '|' || *s_ltd == '/') && (!recipient || domain == 0))
+      {
+      uschar * t = store_get(Ustrlen(s_ltd) + 1, s_ltd);
+      uschar * p = t, * q = s_ltd;
+
+      while (*q)
+        {
+        if (inquote)
+          {
+          *p++ = *q == '\\' ? *++q : *q;
+          q++;
+          }
+        else *p++ = *q++;
+        }
+      *p = 0;
+      addr = deliver_make_addr(t, TRUE);
+      setflag(addr, af_pfr);                   /* indicates pipe/file/reply */
+      if (*s_ltd != '|') setflag(addr, af_file);   /* indicates file */
+      }
+
+    /* Item must be an address. Complain if not, else qualify, rewrite and set
+    up the control block. It appears that people are in the habit of using
+    empty addresses but with comments as a way of putting comments into
+    alias and forward files. Therefore, ignore the error "empty address".
+    Mailing lists might want to tolerate syntax errors; there is therefore
+    an option to do so. */
+
+    else
+      {
+      if (!recipient)
+        {
+        if (Ustrcmp(*error, "empty address") == 0)
+          {
+          *error = NULL;
+          s = nexts;
+          continue;
+          }
+
+        if (syntax_errors)
+          {
+          error_block * e = store_get(sizeof(error_block), GET_UNTAINTED);
+          error_block * last = *syntax_errors;
+          if (last)
+            {
+            while (last->next) last = last->next;
+            last->next = e;
+            }
+          else
+	    *syntax_errors = e;
+          e->next = NULL;
+          e->text1 = *error;
+          e->text2 = s_ltd;
+          s = nexts;
+          continue;
+          }
+        else
+          {
+          *error = string_sprintf("%s in \"%s\"", *error, s_ltd);
+          return FF_ERROR;
+          }
+        }
+
+      /* Address was successfully parsed. Rewrite, and then make an address
+      block. */
+
+      recipient = options & RDO_REWRITE
+	? rewrite_address(recipient, TRUE, FALSE, global_rewrite_rules,
+			  rewrite_existflags)
+	: rewrite_address_qualify(recipient, TRUE);	/*XXX loses track of const */
+      addr = deliver_make_addr(US recipient, TRUE);  /* TRUE => copy recipient, so deconst ok */
+      }
+
+    /* Add the original data to the output chain. */
+
+    addr->next = *anchor;
+    *anchor = addr;
+    count++;
+    }
+
+  /* Advance pointer for the next address */
+
+  s = nexts;
+  }
+}
+
+
+/*************************************************
+*            Extract a Message-ID                *
+*************************************************/
+
+/* This function is used to extract message ids from In-Reply-To: and
+References: header lines.
+
+Arguments:
+  str          pointer to the start of the message-id
+  yield        put pointer to the message id (in dynamic memory) here
+  error        put error message here on failure
+
+Returns:       points after the processed message-id or NULL on error
+*/
+
+const uschar *
+parse_message_id(const uschar *str, uschar **yield, uschar **error)
+{
+uschar *domain = NULL;
+uschar *id;
+rmark reset_point;
+
+str = skip_comment(str);
+if (*str != '<')
+  {
+  *error = US"Missing '<' before message-id";
+  return NULL;
+  }
+
+/* Getting a block the size of the input string will definitely be sufficient
+for the answer, but it may also be very long if we are processing a header
+line. Therefore, take care to release unwanted store afterwards. */
+
+reset_point = store_mark();
+id = *yield = store_get(Ustrlen(str) + 1, str);
+*id++ = *str++;
+
+str = read_addr_spec(str, id, '>', error, &domain);
+
+if (!*error)
+  {
+  if (*str != '>') *error = US"Missing '>' after message-id";
+    else if (domain == NULL) *error = US"domain missing in message-id";
+  }
+
+if (*error)
+  {
+  store_reset(reset_point);
+  return NULL;
+  }
+
+while (*id) id++;
+*id++ = *str++;
+*id++ = 0;
+store_release_above(id);
+
+return skip_comment(str);
+}
+
+
+/*************************************************
+*        Parse a fixed digit number              *
+*************************************************/
+
+/* Parse a string containing an ASCII encoded fixed digits number
+
+Arguments:
+  str          pointer to the start of the ASCII encoded number
+  n            pointer to the resulting value
+  digits       number of required digits
+
+Returns:       points after the processed date or NULL on error
+*/
+
+static const uschar *
+parse_number(const uschar *str, int *n, int digits)
+{
+*n=0;
+while (digits--)
+  {
+  if (*str<'0' || *str>'9') return NULL;
+  *n=10*(*n)+(*str++-'0');
+  }
+return str;
+}
+
+
+/*************************************************
+*        Parse a RFC 2822 day of week            *
+*************************************************/
+
+/* Parse the day of the week from a RFC 2822 date, but do not
+   decode it, because it is only for humans.
+
+Arguments:
+  str          pointer to the start of the day of the week
+
+Returns:       points after the parsed day or NULL on error
+*/
+
+static const uschar *
+parse_day_of_week(const uschar * str)
+{
+/*
+day-of-week     =       ([FWS] day-name) / obs-day-of-week
+
+day-name        =       "Mon" / "Tue" / "Wed" / "Thu" /
+                        "Fri" / "Sat" / "Sun"
+
+obs-day-of-week =       [CFWS] day-name [CFWS]
+*/
+
+static const uschar *day_name[7]={ US"mon", US"tue", US"wed", US"thu", US"fri", US"sat", US"sun" };
+int i;
+uschar day[4];
+
+str = skip_comment(str);
+for (i = 0; i < 3; ++i)
+  {
+  if ((day[i] = tolower(*str)) == '\0') return NULL;
+  ++str;
+  }
+day[3] = '\0';
+for (i = 0; i<7; ++i) if (Ustrcmp(day,day_name[i]) == 0) break;
+if (i == 7) return NULL;
+return skip_comment(str);
+}
+
+
+/*************************************************
+*            Parse a RFC 2822 date               *
+*************************************************/
+
+/* Parse the date part of a RFC 2822 date-time, extracting the
+   day, month and year.
+
+Arguments:
+  str          pointer to the start of the date
+  d            pointer to the resulting day
+  m            pointer to the resulting month
+  y            pointer to the resulting year
+
+Returns:       points after the processed date or NULL on error
+*/
+
+static const uschar *
+parse_date(const uschar *str, int *d, int *m, int *y)
+{
+/*
+date            =       day month year
+
+year            =       4*DIGIT / obs-year
+
+obs-year        =       [CFWS] 2*DIGIT [CFWS]
+
+month           =       (FWS month-name FWS) / obs-month
+
+month-name      =       "Jan" / "Feb" / "Mar" / "Apr" /
+                        "May" / "Jun" / "Jul" / "Aug" /
+                        "Sep" / "Oct" / "Nov" / "Dec"
+
+obs-month       =       CFWS month-name CFWS
+
+day             =       ([FWS] 1*2DIGIT) / obs-day
+
+obs-day         =       [CFWS] 1*2DIGIT [CFWS]
+*/
+
+const uschar * s, * n;
+static const uschar *month_name[]={ US"jan", US"feb", US"mar", US"apr", US"may", US"jun", US"jul", US"aug", US"sep", US"oct", US"nov", US"dec" };
+int i;
+uschar month[4];
+
+str = skip_comment(str);
+if ((str = parse_number(str,d,1)) == NULL) return NULL;
+
+if (*str>='0' && *str<='9') *d = 10*(*d)+(*str++-'0');
+s = skip_comment(str);
+if (s == str) return NULL;
+str = s;
+
+for (i = 0; i<3; ++i) if ((month[i]=tolower(*(str+i))) == '\0') return NULL;
+month[3] = '\0';
+for (i = 0; i<12; ++i) if (Ustrcmp(month,month_name[i]) == 0) break;
+if (i == 12) return NULL;
+str+=3;
+*m = i;
+s = skip_comment(str);
+if (s == str) return NULL;
+str=s;
+
+if ((n = parse_number(str,y,4)))
+  {
+  str = n;
+  if (*y<1900) return NULL;
+  *y = *y-1900;
+  }
+else if ((n = parse_number(str,y,2)))
+  {
+  str = skip_comment(n);
+  while (*(str-1) == ' ' || *(str-1) == '\t') --str; /* match last FWS later */
+  if (*y<50) *y+=100;
+  }
+else return NULL;
+return str;
+}
+
+
+/*************************************************
+*            Parse a RFC 2822 Time               *
+*************************************************/
+
+/* Parse the time part of a RFC 2822 date-time, extracting the
+   hour, minute, second and timezone.
+
+Arguments:
+  str          pointer to the start of the time
+  h            pointer to the resulting hour
+  m            pointer to the resulting minute
+  s            pointer to the resulting second
+  z            pointer to the resulting timezone (offset in seconds)
+
+Returns:       points after the processed time or NULL on error
+*/
+
+static const uschar *
+parse_time(const uschar *str, int *h, int *m, int *s, int *z)
+{
+/*
+time            =       time-of-day FWS zone
+
+time-of-day     =       hour ":" minute [ ":" second ]
+
+hour            =       2DIGIT / obs-hour
+
+obs-hour        =       [CFWS] 2DIGIT [CFWS]
+
+minute          =       2DIGIT / obs-minute
+
+obs-minute      =       [CFWS] 2DIGIT [CFWS]
+
+second          =       2DIGIT / obs-second
+
+obs-second      =       [CFWS] 2DIGIT [CFWS]
+
+zone            =       (( "+" / "-" ) 4DIGIT) / obs-zone
+
+obs-zone        =       "UT" / "GMT" /          ; Universal Time
+                                                ; North American UT
+                                                ; offsets
+                        "EST" / "EDT" /         ; Eastern:  - 5/ - 4
+                        "CST" / "CDT" /         ; Central:  - 6/ - 5
+                        "MST" / "MDT" /         ; Mountain: - 7/ - 6
+                        "PST" / "PDT" /         ; Pacific:  - 8/ - 7
+
+                        %d65-73 /               ; Military zones - "A"
+                        %d75-90 /               ; through "I" and "K"
+                        %d97-105 /              ; through "Z", both
+                        %d107-122               ; upper and lower case
+*/
+
+const uschar * c;
+
+str = skip_comment(str);
+if ((str = parse_number(str,h,2)) == NULL) return NULL;
+str = skip_comment(str);
+if (*str!=':') return NULL;
+++str;
+str = skip_comment(str);
+if ((str = parse_number(str,m,2)) == NULL) return NULL;
+c = skip_comment(str);
+if (*str == ':')
+  {
+  ++str;
+  str = skip_comment(str);
+  if ((str = parse_number(str,s,2)) == NULL) return NULL;
+  c = skip_comment(str);
+  }
+if (c == str) return NULL;
+else str=c;
+if (*str == '+' || *str == '-')
+  {
+  int neg;
+
+  neg = (*str == '-');
+  ++str;
+  if ((str = parse_number(str,z,4)) == NULL) return NULL;
+  *z = (*z/100)*3600+(*z%100)*60;
+  if (neg) *z = -*z;
+  }
+else
+  {
+  char zone[5];
+  struct { const char *name; int off; } zone_name[10] =
+  { {"gmt",0}, {"ut",0}, {"est",-5}, {"edt",-4}, {"cst",-6}, {"cdt",-5}, {"mst",-7}, {"mdt",-6}, {"pst",-8}, {"pdt",-7}};
+  int i,j;
+
+  for (i = 0; i<4; ++i)
+    {
+    zone[i] = tolower(*(str+i));
+    if (zone[i]<'a' || zone[i]>'z') break;
+    }
+  zone[i] = '\0';
+  for (j = 0; j<10 && strcmp(zone,zone_name[j].name); ++j);
+  /* Besides zones named in the grammar, RFC 2822 says other alphabetic */
+  /* time zones should be treated as unknown offsets. */
+  if (j<10)
+    {
+    *z = zone_name[j].off*3600;
+    str+=i;
+    }
+  else if (zone[0]<'a' || zone[1]>'z') return 0;
+  else
+    {
+    while ((*str>='a' && *str<='z') || (*str>='A' && *str<='Z')) ++str;
+    *z = 0;
+    }
+  }
+return str;
+}
+
+
+/*************************************************
+*          Parse a RFC 2822 date-time            *
+*************************************************/
+
+/* Parse a RFC 2822 date-time and return it in seconds since the epoch.
+
+Arguments:
+  str          pointer to the start of the date-time
+  t            pointer to the parsed time
+
+Returns:       points after the processed date-time or NULL on error
+*/
+
+const uschar *
+parse_date_time(const uschar *str, time_t *t)
+{
+/*
+date-time       =       [ day-of-week "," ] date FWS time [CFWS]
+*/
+
+struct tm tm;
+int zone;
+extern char **environ;
+char **old_environ;
+static char gmt0[]="TZ=GMT0";
+static char *gmt_env[]={ gmt0, (char*)0 };
+const uschar * try;
+
+if ((try = parse_day_of_week(str)))
+  {
+  str = try;
+  if (*str!=',') return 0;
+  ++str;
+  }
+if ((str = parse_date(str,&tm.tm_mday,&tm.tm_mon,&tm.tm_year)) == NULL) return NULL;
+if (*str!=' ' && *str!='\t') return NULL;
+while (*str == ' ' || *str == '\t') ++str;
+if ((str = parse_time(str,&tm.tm_hour,&tm.tm_min,&tm.tm_sec,&zone)) == NULL) return NULL;
+tm.tm_isdst = 0;
+old_environ = environ;
+environ = gmt_env;
+*t = mktime(&tm);
+environ = old_environ;
+if (*t == -1) return NULL;
+*t-=zone;
+return skip_comment(str);
+}
+
+
+
+
+/*************************************************
+**************************************************
+*             Stand-alone test program           *
+**************************************************
+*************************************************/
+
+#if defined STAND_ALONE
+int main(void)
+{
+int start, end, domain;
+uschar buffer[1024];
+
+store_init();
+big_buffer = store_malloc(big_buffer_size);
+
+/* strip_trailing_dot = TRUE; */
+allow_domain_literals = TRUE;
+
+printf("Testing parse_fix_phrase\n");
+
+while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
+  {
+  buffer[Ustrlen(buffer)-1] = 0;
+  if (buffer[0] == 0) break;
+  printf("%s\n", CS parse_fix_phrase(buffer, Ustrlen(buffer)));
+  }
+
+printf("Testing parse_extract_address without group syntax and without UTF-8\n");
+
+while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
+  {
+  uschar *out;
+  uschar *errmess;
+  buffer[Ustrlen(buffer) - 1] = 0;
+  if (buffer[0] == 0) break;
+  out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
+  if (!out)
+    printf("*** bad address: %s\n", errmess);
+  else
+    {
+    uschar extract[1024];
+    Ustrncpy(extract, buffer+start, end-start);
+    extract[end-start] = 0;
+    printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
+    }
+  }
+
+printf("Testing parse_extract_address without group syntax but with UTF-8\n");
+
+allow_utf8_domains = TRUE;
+while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
+  {
+  uschar *out;
+  uschar *errmess;
+  buffer[Ustrlen(buffer) - 1] = 0;
+  if (buffer[0] == 0) break;
+  out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
+  if (!out)
+    printf("*** bad address: %s\n", errmess);
+  else
+    {
+    uschar extract[1024];
+    Ustrncpy(extract, buffer+start, end-start);
+    extract[end-start] = 0;
+    printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
+    }
+  }
+allow_utf8_domains = FALSE;
+
+printf("Testing parse_extract_address with group syntax\n");
+
+f.parse_allow_group = TRUE;
+while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
+  {
+  uschar *out;
+  uschar *errmess;
+  uschar *s;
+  buffer[Ustrlen(buffer) - 1] = 0;
+  if (buffer[0] == 0) break;
+  s = buffer;
+  while (*s)
+    {
+    uschar *ss = parse_find_address_end(s, FALSE);
+    int terminator = *ss;
+    *ss = 0;
+    out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
+    *ss = terminator;
+
+    if (!out)
+      printf("*** bad address: %s\n", errmess);
+    else
+      {
+      uschar extract[1024];
+      Ustrncpy(extract, buffer+start, end-start);
+      extract[end-start] = 0;
+      printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
+      }
+
+    s = ss + (terminator? 1:0);
+    Uskip_whitespace(&s);
+    }
+  }
+
+printf("Testing parse_find_at\n");
+
+while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
+  {
+  uschar *s;
+  buffer[Ustrlen(buffer)-1] = 0;
+  if (buffer[0] == 0) break;
+  s = parse_find_at(buffer);
+  if (s == NULL) printf("no @ found\n");
+    else printf("offset = %d\n", s - buffer);
+  }
+
+printf("Testing parse_extract_addresses\n");
+
+while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
+  {
+  uschar *errmess;
+  int extracted;
+  address_item *anchor = NULL;
+  buffer[Ustrlen(buffer) - 1] = 0;
+  if (buffer[0] == 0) break;
+  if ((extracted = parse_forward_list(buffer, -1, &anchor,
+      &errmess, US"incoming.domain", NULL, NULL)) == FF_DELIVERED)
+    {
+    while (anchor != NULL)
+      {
+      address_item *addr = anchor;
+      anchor = anchor->next;
+      printf("%d %s\n", testflag(addr, af_pfr), addr->address);
+      }
+    }
+  else printf("Failed: %d %s\n", extracted, errmess);
+  }
+
+printf("Testing parse_message_id\n");
+
+while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
+  {
+  uschar *s, *t, *errmess;
+  buffer[Ustrlen(buffer) - 1] = 0;
+  if (buffer[0] == 0) break;
+  s = buffer;
+  while (*s != 0)
+    {
+    s = parse_message_id(s, &t, &errmess);
+    if (errmess != NULL)
+      {
+      printf("Failed: %s\n", errmess);
+      break;
+      }
+    printf("%s\n", t);
+    }
+  }
+
+return 0;
+}
+
+#endif
+
+/* End of parse.c */
diff --git a/src/pdkim/Makefile b/src/pdkim/Makefile
new file mode 100644
index 0000000..47f92ee
--- /dev/null
+++ b/src/pdkim/Makefile
@@ -0,0 +1,19 @@
+# Make file for building the pdkim library.
+# Copyright (c) The Exim Maintainers 1995 - 2018
+
+OBJ = pdkim.o signing.o
+
+pdkim.a:         $(OBJ)
+		 @$(RM_COMMAND) -f pdkim.a
+		 @echo "$(AR) pdkim.a"
+		 $(FE)$(AR) pdkim.a $(OBJ)
+		 $(RANLIB) $@
+
+.SUFFIXES:       .o .c
+.c.o:;           @echo "$(CC) $*.c"
+		 $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) -I. $*.c
+
+pdkim.o: $(HDRS) crypt_ver.h pdkim.h pdkim.c
+signing.o: $(HDRS) crypt_ver.h signing.h signing.c
+
+# End
diff --git a/src/pdkim/README b/src/pdkim/README
new file mode 100644
index 0000000..953e86e
--- /dev/null
+++ b/src/pdkim/README
@@ -0,0 +1,9 @@
+PDKIM - a RFC4871 (DKIM) implementation
+http://duncanthrax.net/pdkim/
+Copyright (C) 2009      Tom Kistner <tom@duncanthrax.net>
+
+No longer includes code from the PolarSSL project.
+Copyright (C) 2016 Jeremy Harris <jgh@exim.org>
+
+This copy of PDKIM is included with Exim. For a standalone distribution,
+visit http://duncanthrax.net/pdkim/.
diff --git a/src/pdkim/config.h b/src/pdkim/config.h
new file mode 100644
index 0000000..fdd4cfe
--- /dev/null
+++ b/src/pdkim/config.h
@@ -0,0 +1,4 @@
+#define POLARSSL_BASE64_C
+
+
+
diff --git a/src/pdkim/crypt_ver.h b/src/pdkim/crypt_ver.h
new file mode 100644
index 0000000..a6d7e36
--- /dev/null
+++ b/src/pdkim/crypt_ver.h
@@ -0,0 +1,33 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Jeremy Harris 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Signing and hashing routine selection for PDKIM */
+
+#include "../exim.h"
+#include "../sha_ver.h"
+
+
+#ifdef USE_GNUTLS
+# include <gnutls/gnutls.h>
+
+# if GNUTLS_VERSION_NUMBER >= 0x030000
+#  define SIGN_GNUTLS
+#  if GNUTLS_VERSION_NUMBER >= 0x030600
+#   define SIGN_HAVE_ED25519
+#  endif
+# else
+#  define SIGN_GCRYPT
+# endif
+#endif
+
+#ifdef USE_OPENSSL
+# define SIGN_OPENSSL
+# if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10101000L
+#  define SIGN_HAVE_ED25519
+# endif
+#endif
+
diff --git a/src/pdkim/pdkim.c b/src/pdkim/pdkim.c
new file mode 100644
index 0000000..e47bfc5
--- /dev/null
+++ b/src/pdkim/pdkim.c
@@ -0,0 +1,2097 @@
+/*
+ *  PDKIM - a RFC4871 (DKIM) implementation
+ *
+ *  Copyright (c) The Exim Maintainers 2021 - 2022
+ *  Copyright (C) 2009 - 2016  Tom Kistner <tom@duncanthrax.net>
+ *  Copyright (C) 2016 - 2020  Jeremy Harris <jgh@exim.org>
+ *
+ *  http://duncanthrax.net/pdkim/
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "../exim.h"
+
+
+#ifndef DISABLE_DKIM	/* entire file */
+
+#ifdef DISABLE_TLS
+# error Must not DISABLE_TLS, for DKIM
+#endif
+
+#include "crypt_ver.h"
+
+#ifdef SIGN_OPENSSL
+# include <openssl/rsa.h>
+# include <openssl/ssl.h>
+# include <openssl/err.h>
+#elif defined(SIGN_GNUTLS)
+# include <gnutls/gnutls.h>
+# include <gnutls/x509.h>
+#endif
+
+#include "pdkim.h"
+#include "signing.h"
+
+#define PDKIM_SIGNATURE_VERSION     "1"
+#define PDKIM_PUB_RECORD_VERSION    US "DKIM1"
+
+#define PDKIM_MAX_HEADER_LEN        65536
+#define PDKIM_MAX_HEADERS           512
+#define PDKIM_MAX_BODY_LINE_LEN     16384
+#define PDKIM_DNS_TXT_MAX_NAMELEN   1024
+
+/* -------------------------------------------------------------------------- */
+struct pdkim_stringlist {
+  uschar * value;
+  int      tag;
+  void *   next;
+};
+
+/* -------------------------------------------------------------------------- */
+/* A bunch of list constants */
+const uschar * pdkim_querymethods[] = {
+  US"dns/txt",
+  NULL
+};
+const uschar * pdkim_canons[] = {
+  US"simple",
+  US"relaxed",
+  NULL
+};
+
+const pdkim_hashtype pdkim_hashes[] = {
+  { US"sha1",   HASH_SHA1 },
+  { US"sha256", HASH_SHA2_256 },
+  { US"sha512", HASH_SHA2_512 }
+};
+
+const uschar * pdkim_keytypes[] = {
+  [KEYTYPE_RSA] =	US"rsa",
+#ifdef SIGN_HAVE_ED25519
+  [KEYTYPE_ED25519] =	US"ed25519",		/* Works for 3.6.0 GnuTLS, OpenSSL 1.1.1 */
+#endif
+
+#ifdef notyet_EC_dkim_extensions	/* https://tools.ietf.org/html/draft-srose-dkim-ecc-00 */
+  US"eccp256",
+  US"eccp348",
+  US"ed448",
+#endif
+};
+
+typedef struct pdkim_combined_canon_entry {
+  const uschar *	str;
+  int			canon_headers;
+  int			canon_body;
+} pdkim_combined_canon_entry;
+
+pdkim_combined_canon_entry pdkim_combined_canons[] = {
+  { US"simple/simple",    PDKIM_CANON_SIMPLE,   PDKIM_CANON_SIMPLE },
+  { US"simple/relaxed",   PDKIM_CANON_SIMPLE,   PDKIM_CANON_RELAXED },
+  { US"relaxed/simple",   PDKIM_CANON_RELAXED,  PDKIM_CANON_SIMPLE },
+  { US"relaxed/relaxed",  PDKIM_CANON_RELAXED,  PDKIM_CANON_RELAXED },
+  { US"simple",           PDKIM_CANON_SIMPLE,   PDKIM_CANON_SIMPLE },
+  { US"relaxed",          PDKIM_CANON_RELAXED,  PDKIM_CANON_SIMPLE },
+  { NULL,                 0,                    0 }
+};
+
+
+static const blob lineending = {.data = US"\r\n", .len = 2};
+
+/* -------------------------------------------------------------------------- */
+uschar *
+dkim_sig_to_a_tag(const pdkim_signature * sig)
+{
+if (  sig->keytype < 0  || sig->keytype > nelem(pdkim_keytypes)
+   || sig->hashtype < 0 || sig->hashtype > nelem(pdkim_hashes))
+  return US"err";
+return string_sprintf("%s-%s",
+  pdkim_keytypes[sig->keytype], pdkim_hashes[sig->hashtype].dkim_hashname);
+}
+
+
+static int
+pdkim_keyname_to_keytype(const uschar * s)
+{
+for (int i = 0; i < nelem(pdkim_keytypes); i++)
+  if (Ustrcmp(s, pdkim_keytypes[i]) == 0) return i;
+return -1;
+}
+
+int
+pdkim_hashname_to_hashtype(const uschar * s, unsigned len)
+{
+if (!len) len = Ustrlen(s);
+for (int i = 0; i < nelem(pdkim_hashes); i++)
+  if (Ustrncmp(s, pdkim_hashes[i].dkim_hashname, len) == 0)
+    return i;
+return -1;
+}
+
+void
+pdkim_cstring_to_canons(const uschar * s, unsigned len,
+  int * canon_head, int * canon_body)
+{
+if (!len) len = Ustrlen(s);
+for (int i = 0; pdkim_combined_canons[i].str; i++)
+  if (  Ustrncmp(s, pdkim_combined_canons[i].str, len) == 0
+     && len == Ustrlen(pdkim_combined_canons[i].str))
+    {
+    *canon_head = pdkim_combined_canons[i].canon_headers;
+    *canon_body = pdkim_combined_canons[i].canon_body;
+    break;
+    }
+}
+
+
+
+const char *
+pdkim_verify_status_str(int status)
+{
+switch(status)
+  {
+  case PDKIM_VERIFY_NONE:    return "PDKIM_VERIFY_NONE";
+  case PDKIM_VERIFY_INVALID: return "PDKIM_VERIFY_INVALID";
+  case PDKIM_VERIFY_FAIL:    return "PDKIM_VERIFY_FAIL";
+  case PDKIM_VERIFY_PASS:    return "PDKIM_VERIFY_PASS";
+  default:                   return "PDKIM_VERIFY_UNKNOWN";
+  }
+}
+
+const char *
+pdkim_verify_ext_status_str(int ext_status)
+{
+switch(ext_status)
+  {
+  case PDKIM_VERIFY_FAIL_BODY: return "PDKIM_VERIFY_FAIL_BODY";
+  case PDKIM_VERIFY_FAIL_MESSAGE: return "PDKIM_VERIFY_FAIL_MESSAGE";
+  case PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH: return "PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH";
+  case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE: return "PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE";
+  case PDKIM_VERIFY_INVALID_BUFFER_SIZE: return "PDKIM_VERIFY_INVALID_BUFFER_SIZE";
+  case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD: return "PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD";
+  case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT: return "PDKIM_VERIFY_INVALID_PUBKEY_IMPORT";
+  case PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE: return "PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE";
+  case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR: return "PDKIM_VERIFY_INVALID_SIGNATURE_ERROR";
+  case PDKIM_VERIFY_INVALID_DKIM_VERSION: return "PDKIM_VERIFY_INVALID_DKIM_VERSION";
+  default: return "PDKIM_VERIFY_UNKNOWN";
+  }
+}
+
+const uschar *
+pdkim_errstr(int status)
+{
+switch(status)
+  {
+  case PDKIM_OK:		return US"OK";
+  case PDKIM_FAIL:		return US"FAIL";
+  case PDKIM_ERR_RSA_PRIVKEY:	return US"PRIVKEY";
+  case PDKIM_ERR_RSA_SIGNING:	return US"SIGNING";
+  case PDKIM_ERR_LONG_LINE:	return US"LONG_LINE";
+  case PDKIM_ERR_BUFFER_TOO_SMALL:	return US"BUFFER_TOO_SMALL";
+  case PDKIM_ERR_EXCESS_SIGS:	return US"EXCESS_SIGS";
+  case PDKIM_SIGN_PRIVKEY_WRAP:	return US"PRIVKEY_WRAP";
+  case PDKIM_SIGN_PRIVKEY_B64D:	return US"PRIVKEY_B64D";
+  default: return US"(unknown)";
+  }
+}
+
+
+/* -------------------------------------------------------------------------- */
+/* Print debugging functions */
+void
+pdkim_quoteprint(const uschar *data, int len)
+{
+for (int i = 0; i < len; i++)
+  {
+  const int c = data[i];
+  switch (c)
+    {
+    case ' ' : debug_printf("{SP}"); break;
+    case '\t': debug_printf("{TB}"); break;
+    case '\r': debug_printf("{CR}"); break;
+    case '\n': debug_printf("{LF}"); break;
+    case '{' : debug_printf("{BO}"); break;
+    case '}' : debug_printf("{BC}"); break;
+    default:
+      if ( (c < 32) || (c > 127) )
+	debug_printf("{%02x}", c);
+      else
+	debug_printf("%c", c);
+      break;
+    }
+  }
+debug_printf("\n");
+}
+
+void
+pdkim_hexprint(const uschar *data, int len)
+{
+if (data) for (int i = 0 ; i < len; i++) debug_printf("%02x", data[i]);
+else debug_printf("<NULL>");
+debug_printf("\n");
+}
+
+
+
+static pdkim_stringlist *
+pdkim_prepend_stringlist(pdkim_stringlist * base, const uschar * str)
+{
+pdkim_stringlist * new_entry = store_get(sizeof(pdkim_stringlist), GET_UNTAINTED);
+
+memset(new_entry, 0, sizeof(pdkim_stringlist));
+new_entry->value = string_copy(str);
+if (base) new_entry->next = base;
+return new_entry;
+}
+
+
+
+/* Trim whitespace fore & aft */
+
+static void
+pdkim_strtrim(gstring * str)
+{
+uschar * p = str->s;
+uschar * q;
+
+while (*p == '\t' || *p == ' ')		/* dump the leading whitespace */
+  { str->size--; str->ptr--; str->s++; }
+
+while (  str->ptr > 0
+      && ((q = str->s + str->ptr - 1),  (*q == '\t' || *q == ' '))
+      )
+  str->ptr--;				/* dump trailing whitespace */
+
+(void) string_from_gstring(str);
+}
+
+
+
+/* -------------------------------------------------------------------------- */
+
+DLLEXPORT void
+pdkim_free_ctx(pdkim_ctx *ctx)
+{
+}
+
+
+/* -------------------------------------------------------------------------- */
+/* Matches the name of the passed raw "header" against
+   the passed colon-separated "tick", and invalidates
+   the entry in tick.  Entries can be prefixed for multi- or over-signing,
+   in which case do not invalidate.
+
+   Returns OK for a match, or fail-code
+*/
+
+static int
+header_name_match(const uschar * header, uschar * tick)
+{
+const uschar * ticklist = tick;
+int sep = ':';
+BOOL multisign;
+uschar * hname, * p, * ele;
+uschar * hcolon = Ustrchr(header, ':');		/* Get header name */
+
+if (!hcolon)
+  return PDKIM_FAIL; /* This isn't a header */
+
+/* if we had strncmpic() we wouldn't need this copy */
+hname = string_copyn(header, hcolon-header);
+
+while (p = US ticklist, ele = string_nextinlist(&ticklist, &sep, NULL, 0))
+  {
+  switch (*ele)
+  {
+  case '=': case '+':	multisign = TRUE; ele++; break;
+  default:		multisign = FALSE; break;
+  }
+
+  if (strcmpic(ele, hname) == 0)
+    {
+    if (!multisign)
+      *p = '_';	/* Invalidate this header name instance in tick-off list */
+    return PDKIM_OK;
+    }
+  }
+return PDKIM_FAIL;
+}
+
+
+/* -------------------------------------------------------------------------- */
+/* Performs "relaxed" canonicalization of a header. */
+
+uschar *
+pdkim_relax_header_n(const uschar * header, int len, BOOL append_crlf)
+{
+BOOL past_field_name = FALSE;
+BOOL seen_wsp = FALSE;
+uschar * relaxed = store_get(len+3, GET_TAINTED);
+uschar * q = relaxed;
+
+for (const uschar * p = header; p - header < len; p++)
+  {
+  uschar c = *p;
+
+  if (c == '\r' || c == '\n')	/* Ignore CR & LF */
+    continue;
+  if (c == '\t' || c == ' ')
+    {
+    if (seen_wsp)
+      continue;
+    c = ' ';			/* Turns WSP into SP */
+    seen_wsp = TRUE;
+    }
+  else
+    if (!past_field_name && c == ':')
+      {
+      if (seen_wsp) q--;	/* This removes WSP immediately before the colon */
+      seen_wsp = TRUE;		/* This removes WSP immediately after the colon */
+      past_field_name = TRUE;
+      }
+    else
+      seen_wsp = FALSE;
+
+  /* Lowercase header name */
+  if (!past_field_name) c = tolower(c);
+  *q++ = c;
+  }
+
+if (q > relaxed && q[-1] == ' ') q--; /* Squash eventual trailing SP */
+
+if (append_crlf) { *q++ = '\r'; *q++ = '\n'; }
+*q = '\0';
+return relaxed;
+}
+
+
+uschar *
+pdkim_relax_header(const uschar * header, BOOL append_crlf)
+{
+return pdkim_relax_header_n(header, Ustrlen(header), append_crlf);
+}
+
+
+/* -------------------------------------------------------------------------- */
+#define PDKIM_QP_ERROR_DECODE -1
+
+static const uschar *
+pdkim_decode_qp_char(const uschar *qp_p, int *c)
+{
+const uschar *initial_pos = qp_p;
+
+/* Advance one char */
+qp_p++;
+
+/* Check for two hex digits and decode them */
+if (isxdigit(*qp_p) && isxdigit(qp_p[1]))
+  {
+  /* Do hex conversion */
+  *c = (isdigit(*qp_p) ? *qp_p - '0' : toupper(*qp_p) - 'A' + 10) << 4;
+  *c |= isdigit(qp_p[1]) ? qp_p[1] - '0' : toupper(qp_p[1]) - 'A' + 10;
+  return qp_p + 2;
+  }
+
+/* Illegal char here */
+*c = PDKIM_QP_ERROR_DECODE;
+return initial_pos;
+}
+
+
+/* -------------------------------------------------------------------------- */
+
+static uschar *
+pdkim_decode_qp(const uschar * str)
+{
+int nchar = 0;
+uschar * q;
+const uschar * p = str;
+uschar * n = store_get(Ustrlen(str)+1, GET_TAINTED);
+
+*n = '\0';
+q = n;
+while (*p)
+  {
+  if (*p == '=')
+    {
+    p = pdkim_decode_qp_char(p, &nchar);
+    if (nchar >= 0)
+      {
+      *q++ = nchar;
+      continue;
+      }
+    }
+  else
+    *q++ = *p;
+  p++;
+  }
+*q = '\0';
+return n;
+}
+
+
+/* -------------------------------------------------------------------------- */
+
+void
+pdkim_decode_base64(const uschar * str, blob * b)
+{
+int dlen = b64decode(str, &b->data);
+if (dlen < 0) b->data = NULL;
+b->len = dlen;
+}
+
+uschar *
+pdkim_encode_base64(blob * b)
+{
+return b64encode(CUS b->data, b->len);
+}
+
+
+/* -------------------------------------------------------------------------- */
+#define PDKIM_HDR_LIMBO 0
+#define PDKIM_HDR_TAG   1
+#define PDKIM_HDR_VALUE 2
+
+static pdkim_signature *
+pdkim_parse_sig_header(pdkim_ctx * ctx, uschar * raw_hdr)
+{
+pdkim_signature * sig;
+uschar *q;
+gstring * cur_tag = NULL;
+gstring * cur_val = NULL;
+BOOL past_hname = FALSE;
+BOOL in_b_val = FALSE;
+int where = PDKIM_HDR_LIMBO;
+
+sig = store_get(sizeof(pdkim_signature), GET_UNTAINTED);
+memset(sig, 0, sizeof(pdkim_signature));
+sig->bodylength = -1;
+
+/* Set so invalid/missing data error display is accurate */
+sig->version = 0;
+sig->keytype = -1;
+sig->hashtype = -1;
+
+q = sig->rawsig_no_b_val = store_get(Ustrlen(raw_hdr)+1, GET_TAINTED);
+
+for (uschar * p = raw_hdr; ; p++)
+  {
+  char c = *p;
+
+  /* Ignore FWS */
+  if (c == '\r' || c == '\n')
+    goto NEXT_CHAR;
+
+  /* Fast-forward through header name */
+  if (!past_hname)
+    {
+    if (c == ':') past_hname = TRUE;
+    goto NEXT_CHAR;
+    }
+
+  if (where == PDKIM_HDR_LIMBO)
+    {
+    /* In limbo, just wait for a tag-char to appear */
+    if (!(c >= 'a' && c <= 'z'))
+      goto NEXT_CHAR;
+
+    where = PDKIM_HDR_TAG;
+    }
+
+  if (where == PDKIM_HDR_TAG)
+    {
+    if (c >= 'a' && c <= 'z')
+      cur_tag = string_catn(cur_tag, p, 1);
+
+    if (c == '=')
+      {
+      if (Ustrcmp(string_from_gstring(cur_tag), "b") == 0)
+        {
+	*q++ = '=';
+	in_b_val = TRUE;
+	}
+      where = PDKIM_HDR_VALUE;
+      goto NEXT_CHAR;
+      }
+    }
+
+  if (where == PDKIM_HDR_VALUE)
+    {
+    if (c == '\r' || c == '\n' || c == ' ' || c == '\t')
+      goto NEXT_CHAR;
+
+    if (c == ';' || c == '\0')
+      {
+      /* We must have both tag and value, and tags must be one char except
+      for the possibility of "bh". */
+
+      if (  cur_tag && cur_val
+	 && (cur_tag->ptr == 1 || *cur_tag->s == 'b')
+	 )
+        {
+	(void) string_from_gstring(cur_val);
+	pdkim_strtrim(cur_val);
+
+	DEBUG(D_acl) debug_printf(" %s=%s\n", cur_tag->s, cur_val->s);
+
+	switch (*cur_tag->s)
+	  {
+	  case 'b':				/* sig-data or body-hash */
+	    switch (cur_tag->s[1])
+	      {
+	      case '\0': pdkim_decode_base64(cur_val->s, &sig->sighash); break;
+	      case 'h':  if (cur_tag->ptr == 2)
+			   pdkim_decode_base64(cur_val->s, &sig->bodyhash);
+			 break;
+	      default:   break;
+	      }
+	    break;
+	  case 'v':					/* version */
+	      /* We only support version 1, and that is currently the
+		 only version there is. */
+	    sig->version =
+	      Ustrcmp(cur_val->s, PDKIM_SIGNATURE_VERSION) == 0 ? 1 : -1;
+	    break;
+	  case 'a':					/* algorithm */
+	    {
+	    const uschar * list = cur_val->s;
+	    int sep = '-';
+	    uschar * elem;
+
+	    if ((elem = string_nextinlist(&list, &sep, NULL, 0)))
+	      sig->keytype = pdkim_keyname_to_keytype(elem);
+	    if ((elem = string_nextinlist(&list, &sep, NULL, 0)))
+	      for (int i = 0; i < nelem(pdkim_hashes); i++)
+		if (Ustrcmp(elem, pdkim_hashes[i].dkim_hashname) == 0)
+		  { sig->hashtype = i; break; }
+	    }
+
+	  case 'c':					/* canonicalization */
+	    pdkim_cstring_to_canons(cur_val->s, 0,
+				    &sig->canon_headers, &sig->canon_body);
+	    break;
+	  case 'q':				/* Query method (for pubkey)*/
+	    for (int i = 0; pdkim_querymethods[i]; i++)
+	      if (Ustrcmp(cur_val->s, pdkim_querymethods[i]) == 0)
+	        {
+		sig->querymethod = i;	/* we never actually use this */
+		break;
+		}
+	    break;
+	  case 's':					/* Selector */
+	    sig->selector = string_copyn(cur_val->s, cur_val->ptr); break;
+	  case 'd':					/* SDID */
+	    sig->domain = string_copyn(cur_val->s, cur_val->ptr); break;
+	  case 'i':					/* AUID */
+	    sig->identity = pdkim_decode_qp(cur_val->s); break;
+	  case 't':					/* Timestamp */
+	    sig->created = strtoul(CS cur_val->s, NULL, 10); break;
+	  case 'x':					/* Expiration */
+	    sig->expires = strtoul(CS cur_val->s, NULL, 10); break;
+	  case 'l':					/* Body length count */
+	    sig->bodylength = strtol(CS cur_val->s, NULL, 10); break;
+	  case 'h':					/* signed header fields */
+	    sig->headernames = string_copyn(cur_val->s, cur_val->ptr); break;
+	  case 'z':					/* Copied headfields */
+	    sig->copiedheaders = pdkim_decode_qp(cur_val->s); break;
+/*XXX draft-ietf-dcrup-dkim-crypto-05 would need 'p' tag support
+for rsafp signatures.  But later discussion is dropping those. */
+	  default:
+	    DEBUG(D_acl) debug_printf(" Unknown tag encountered\n");
+	    break;
+	  }
+	}
+      cur_tag = cur_val = NULL;
+      in_b_val = FALSE;
+      where = PDKIM_HDR_LIMBO;
+      }
+    else
+      cur_val = string_catn(cur_val, p, 1);
+    }
+
+NEXT_CHAR:
+  if (c == '\0')
+    break;
+
+  if (!in_b_val)
+    *q++ = c;
+  }
+
+if (sig->keytype < 0 || sig->hashtype < 0)	/* Cannot verify this signature */
+  return NULL;
+
+*q = '\0';
+/* Chomp raw header. The final newline must not be added to the signature. */
+while (--q > sig->rawsig_no_b_val  && (*q == '\r' || *q == '\n'))
+  *q = '\0';
+
+DEBUG(D_acl)
+  {
+  debug_printf(
+	  "DKIM >> Raw signature w/o b= tag value >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+  pdkim_quoteprint(US sig->rawsig_no_b_val, Ustrlen(sig->rawsig_no_b_val));
+  debug_printf(
+	  "DKIM >> Sig size: %4u bits\n", (unsigned) sig->sighash.len*8);
+  debug_printf(
+	  "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+  }
+
+if (!pdkim_set_sig_bodyhash(ctx, sig))
+  return NULL;
+
+return sig;
+}
+
+
+/* -------------------------------------------------------------------------- */
+
+pdkim_pubkey *
+pdkim_parse_pubkey_record(const uschar *raw_record)
+{
+const uschar * ele;
+int sep = ';';
+pdkim_pubkey * pub;
+
+pub = store_get(sizeof(pdkim_pubkey), GET_TAINTED);
+memset(pub, 0, sizeof(pdkim_pubkey));
+
+while ((ele = string_nextinlist(&raw_record, &sep, NULL, 0)))
+  {
+  const uschar * val;
+
+  if ((val = Ustrchr(ele, '=')))
+    {
+    int taglen = val++ - ele;
+
+    DEBUG(D_acl) debug_printf(" %.*s=%s\n", taglen, ele, val);
+    switch (ele[0])
+      {
+      case 'v': pub->version = val;			break;
+      case 'h': pub->hashes = val;			break;
+      case 'k': pub->keytype = val;			break;
+      case 'g': pub->granularity = val;			break;
+      case 'n': pub->notes = pdkim_decode_qp(val);	break;
+      case 'p': pdkim_decode_base64(val, &pub->key);	break;
+      case 's': pub->srvtype = val;			break;
+      case 't': if (Ustrchr(val, 'y')) pub->testing = 1;
+		if (Ustrchr(val, 's')) pub->no_subdomaining = 1;
+		break;
+      default:  DEBUG(D_acl) debug_printf(" Unknown tag encountered\n"); break;
+      }
+    }
+  }
+
+/* Set fallback defaults */
+if (!pub->version)
+  pub->version = string_copy(PDKIM_PUB_RECORD_VERSION);
+else if (Ustrcmp(pub->version, PDKIM_PUB_RECORD_VERSION) != 0)
+  {
+  DEBUG(D_acl) debug_printf(" Bad v= field\n");
+  return NULL;
+  }
+
+if (!pub->granularity) pub->granularity = US"*";
+if (!pub->keytype    ) pub->keytype     = US"rsa";
+if (!pub->srvtype    ) pub->srvtype     = US"*";
+
+/* p= is required */
+if (pub->key.data)
+  return pub;
+
+DEBUG(D_acl) debug_printf(" Missing p= field\n");
+return NULL;
+}
+
+
+/* -------------------------------------------------------------------------- */
+
+/* Update one bodyhash with some additional data.
+If we have to relax the data for this sig, return our copy of it. */
+
+static blob *
+pdkim_update_ctx_bodyhash(pdkim_bodyhash * b, const blob * orig_data, blob * relaxed_data)
+{
+const blob * canon_data = orig_data;
+size_t left;
+
+/* Defaults to simple canon (no further treatment necessary) */
+
+if (b->canon_method == PDKIM_CANON_RELAXED)
+  {
+  /* Relax the line if not done already */
+  if (!relaxed_data)
+    {
+    BOOL seen_wsp = FALSE;
+    int q = 0;
+
+    /* We want to be able to free this else we allocate
+    for the entire message which could be many MB. Since
+    we don't know what allocations the SHA routines might
+    do, not safe to use store_get()/store_reset(). */
+
+    relaxed_data = store_malloc(sizeof(blob) + orig_data->len+1);
+    relaxed_data->data = US (relaxed_data+1);
+
+    for (const uschar * p = orig_data->data, * r = p + orig_data->len; p < r; p++)
+      {
+      char c = *p;
+      if (c == '\r')
+	{
+	if (q > 0 && relaxed_data->data[q-1] == ' ')
+	  q--;
+	}
+      else if (c == '\t' || c == ' ')
+	{
+	c = ' '; /* Turns WSP into SP */
+	if (seen_wsp)
+	  continue;
+	seen_wsp = TRUE;
+	}
+      else
+	seen_wsp = FALSE;
+      relaxed_data->data[q++] = c;
+      }
+    relaxed_data->data[q] = '\0';
+    relaxed_data->len = q;
+    }
+  canon_data = relaxed_data;
+  }
+
+/* Make sure we don't exceed the to-be-signed body length */
+left = canon_data->len;
+if (  b->bodylength >= 0
+   && left > (unsigned long)b->bodylength - b->signed_body_bytes
+   )
+  left = (unsigned long)b->bodylength - b->signed_body_bytes;
+
+if (left > 0)
+  {
+  exim_sha_update(&b->body_hash_ctx, CUS canon_data->data, left);
+  b->signed_body_bytes += left;
+  DEBUG(D_acl) pdkim_quoteprint(canon_data->data, left);
+  }
+
+return relaxed_data;
+}
+
+
+/* -------------------------------------------------------------------------- */
+
+static void
+pdkim_finish_bodyhash(pdkim_ctx * ctx)
+{
+for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)     /* Finish hashes */
+  {
+  DEBUG(D_acl) debug_printf("DKIM: finish bodyhash %s/%s/%ld len %ld\n",
+      pdkim_hashes[b->hashtype].dkim_hashname, pdkim_canons[b->canon_method],
+      b->bodylength, b->signed_body_bytes);
+  exim_sha_finish(&b->body_hash_ctx, &b->bh);
+  }
+
+/* Traverse all signatures */
+for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next)
+  {
+  pdkim_bodyhash * b = sig->calc_body_hash;
+
+  DEBUG(D_acl)
+    {
+    debug_printf("DKIM [%s]%s Body bytes (%s) hashed: %lu\n"
+		 "DKIM [%s]%s Body %s computed: ",
+	sig->domain, sig->selector, pdkim_canons[b->canon_method], b->signed_body_bytes,
+	sig->domain, sig->selector, pdkim_hashes[b->hashtype].dkim_hashname);
+    pdkim_hexprint(CUS b->bh.data, b->bh.len);
+    }
+
+  /* SIGNING -------------------------------------------------------------- */
+  if (ctx->flags & PDKIM_MODE_SIGN)
+    {
+    /* If bodylength limit is set, and we have received less bytes
+       than the requested amount, effectively remove the limit tag. */
+    if (b->signed_body_bytes < sig->bodylength)
+      sig->bodylength = -1;
+    }
+
+  else
+  /* VERIFICATION --------------------------------------------------------- */
+  /* Be careful that the header sig included a bodyash */
+
+    if (sig->bodyhash.data && sig->bodyhash.len == b->bh.len
+       && memcmp(b->bh.data, sig->bodyhash.data, b->bh.len) == 0)
+      {
+      DEBUG(D_acl) debug_printf("DKIM [%s] Body hash compared OK\n", sig->domain);
+      }
+    else
+      {
+      DEBUG(D_acl)
+        {
+	debug_printf("DKIM [%s] Body hash signature from headers: ", sig->domain);
+	pdkim_hexprint(sig->bodyhash.data, sig->bodyhash.len);
+	debug_printf("DKIM [%s] Body hash did NOT verify\n", sig->domain);
+	}
+      sig->verify_status     = PDKIM_VERIFY_FAIL;
+      sig->verify_ext_status = PDKIM_VERIFY_FAIL_BODY;
+      }
+  }
+}
+
+
+
+static void
+pdkim_body_complete(pdkim_ctx * ctx)
+{
+/* In simple body mode, if any empty lines were buffered,
+replace with one. rfc 4871 3.4.3 */
+/*XXX checking the signed-body-bytes is a gross hack; I think
+it indicates that all linebreaks should be buffered, including
+the one terminating a text line */
+
+for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
+  if (  b->canon_method == PDKIM_CANON_SIMPLE
+     && b->signed_body_bytes == 0
+     && b->num_buffered_blanklines > 0
+     )
+    (void) pdkim_update_ctx_bodyhash(b, &lineending, NULL);
+
+ctx->flags |= PDKIM_SEEN_EOD;
+ctx->linebuf_offset = 0;
+}
+
+
+
+/* -------------------------------------------------------------------------- */
+/* Call from pdkim_feed below for processing complete body lines */
+/* NOTE: the line is not NUL-terminated; but we have a count */
+
+static void
+pdkim_bodyline_complete(pdkim_ctx * ctx)
+{
+blob line = {.data = ctx->linebuf, .len = ctx->linebuf_offset};
+blob * rnl = NULL;
+blob * rline = NULL;
+
+/* Ignore extra data if we've seen the end-of-data marker */
+if (ctx->flags & PDKIM_SEEN_EOD) goto all_skip;
+
+/* We've always got one extra byte to stuff a zero ... */
+ctx->linebuf[line.len] = '\0';
+
+/* Terminate on EOD marker */
+if (ctx->flags & PDKIM_DOT_TERM)
+  {
+  if (memcmp(line.data, ".\r\n", 3) == 0)
+    { pdkim_body_complete(ctx); return; }
+
+  /* Unstuff dots */
+  if (memcmp(line.data, "..", 2) == 0)
+    { line.data++; line.len--; }
+  }
+
+/* Empty lines need to be buffered until we find a non-empty line */
+if (memcmp(line.data, "\r\n", 2) == 0)
+  {
+  for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
+    b->num_buffered_blanklines++;
+  goto all_skip;
+  }
+
+/* Process line for each bodyhash separately */
+for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
+  {
+  if (b->canon_method == PDKIM_CANON_RELAXED)
+    {
+    /* Lines with just spaces need to be buffered too */
+    uschar * cp = line.data;
+    char c;
+
+    while ((c = *cp))
+      {
+      if (c == '\r' && cp[1] == '\n') break;
+      if (c != ' ' && c != '\t') goto hash_process;
+      cp++;
+      }
+
+    b->num_buffered_blanklines++;
+    goto hash_skip;
+    }
+
+hash_process:
+  /* At this point, we have a non-empty line, so release the buffered ones. */
+
+  while (b->num_buffered_blanklines)
+    {
+    rnl = pdkim_update_ctx_bodyhash(b, &lineending, rnl);
+    b->num_buffered_blanklines--;
+    }
+
+  rline = pdkim_update_ctx_bodyhash(b, &line, rline);
+hash_skip: ;
+  }
+
+if (rnl) store_free(rnl);
+if (rline) store_free(rline);
+
+all_skip:
+
+ctx->linebuf_offset = 0;
+return;
+}
+
+
+/* -------------------------------------------------------------------------- */
+/* Callback from pdkim_feed below for processing complete headers */
+#define DKIM_SIGNATURE_HEADERNAME "DKIM-Signature:"
+
+static int
+pdkim_header_complete(pdkim_ctx * ctx)
+{
+if ( (ctx->cur_header->ptr > 1) &&
+     (ctx->cur_header->s[ctx->cur_header->ptr-1] == '\r') )
+  --ctx->cur_header->ptr;
+(void) string_from_gstring(ctx->cur_header);
+
+#ifdef EXPERIMENTAL_ARC
+/* Feed the header line to ARC processing */
+(void) arc_header_feed(ctx->cur_header, !(ctx->flags & PDKIM_MODE_SIGN));
+#endif
+
+if (++ctx->num_headers > PDKIM_MAX_HEADERS) goto BAIL;
+
+/* SIGNING -------------------------------------------------------------- */
+if (ctx->flags & PDKIM_MODE_SIGN)
+  for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next)  /* Traverse all signatures */
+
+    /* Add header to the signed headers list (in reverse order) */
+    sig->headers = pdkim_prepend_stringlist(sig->headers, ctx->cur_header->s);
+
+/* VERIFICATION ----------------------------------------------------------- */
+/* DKIM-Signature: headers are added to the verification list */
+else
+  {
+#ifdef notdef
+  DEBUG(D_acl)
+    {
+    debug_printf("DKIM >> raw hdr: ");
+    pdkim_quoteprint(CUS ctx->cur_header->s, ctx->cur_header->ptr);
+    }
+#endif
+  if (strncasecmp(CCS ctx->cur_header->s,
+		  DKIM_SIGNATURE_HEADERNAME,
+		  Ustrlen(DKIM_SIGNATURE_HEADERNAME)) == 0)
+    {
+    pdkim_signature * sig, * last_sig;
+    /* Create and chain new signature block.  We could error-check for all
+    required tags here, but prefer to create the internal sig and expicitly
+    fail verification of it later. */
+
+    DEBUG(D_acl) debug_printf(
+	"DKIM >> Found sig, trying to parse >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+
+    sig = pdkim_parse_sig_header(ctx, ctx->cur_header->s);
+
+    if (!(last_sig = ctx->sig))
+      ctx->sig = sig;
+    else
+      {
+      while (last_sig->next) last_sig = last_sig->next;
+      last_sig->next = sig;
+      }
+
+    if (dkim_collect_input && --dkim_collect_input == 0)
+      {
+      ctx->headers = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header->s);
+      ctx->cur_header->s[ctx->cur_header->ptr = 0] = '\0';
+      return PDKIM_ERR_EXCESS_SIGS;
+      }
+    }
+
+  /* all headers are stored for signature verification */
+  ctx->headers = pdkim_prepend_stringlist(ctx->headers, ctx->cur_header->s);
+  }
+
+BAIL:
+ctx->cur_header->s[ctx->cur_header->ptr = 0] = '\0';	/* leave buffer for reuse */
+return PDKIM_OK;
+}
+
+
+
+/* -------------------------------------------------------------------------- */
+#define HEADER_BUFFER_FRAG_SIZE 256
+
+DLLEXPORT int
+pdkim_feed(pdkim_ctx * ctx, uschar * data, int len)
+{
+/* Alternate EOD signal, used in non-dotstuffing mode */
+if (!data)
+  pdkim_body_complete(ctx);
+
+else for (int p = 0; p < len; p++)
+  {
+  uschar c = data[p];
+  int rc;
+
+  if (ctx->flags & PDKIM_PAST_HDRS)
+    {
+    if (c == '\n' && !(ctx->flags & PDKIM_SEEN_CR))	/* emulate the CR */
+      {
+      ctx->linebuf[ctx->linebuf_offset++] = '\r';
+      if (ctx->linebuf_offset == PDKIM_MAX_BODY_LINE_LEN-1)
+	return PDKIM_ERR_LONG_LINE;
+      }
+
+    /* Processing body byte */
+    ctx->linebuf[ctx->linebuf_offset++] = c;
+    if (c == '\r')
+      ctx->flags |= PDKIM_SEEN_CR;
+    else if (c == '\n')
+      {
+      ctx->flags &= ~PDKIM_SEEN_CR;
+      pdkim_bodyline_complete(ctx);
+      }
+
+    if (ctx->linebuf_offset == PDKIM_MAX_BODY_LINE_LEN-1)
+      return PDKIM_ERR_LONG_LINE;
+    }
+  else
+    {
+    /* Processing header byte */
+    if (c == '\r')
+      ctx->flags |= PDKIM_SEEN_CR;
+    else if (c == '\n')
+      {
+      if (!(ctx->flags & PDKIM_SEEN_CR))		/* emulate the CR */
+	ctx->cur_header = string_catn(ctx->cur_header, CUS "\r", 1);
+
+      if (ctx->flags & PDKIM_SEEN_LF)		/* Seen last header line */
+	{
+	if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
+	  return rc;
+
+	ctx->flags = (ctx->flags & ~(PDKIM_SEEN_LF|PDKIM_SEEN_CR)) | PDKIM_PAST_HDRS;
+	DEBUG(D_acl) debug_printf(
+	    "DKIM >> Body data for hash, canonicalized >>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+	continue;
+	}
+      else
+	ctx->flags = (ctx->flags & ~PDKIM_SEEN_CR) | PDKIM_SEEN_LF;
+      }
+    else if (ctx->flags & PDKIM_SEEN_LF)
+      {
+      if (!(c == '\t' || c == ' '))			/* End of header */
+	if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
+	  return rc;
+      ctx->flags &= ~PDKIM_SEEN_LF;
+      }
+
+    if (!ctx->cur_header || ctx->cur_header->ptr < PDKIM_MAX_HEADER_LEN)
+      ctx->cur_header = string_catn(ctx->cur_header, CUS &data[p], 1);
+    }
+  }
+return PDKIM_OK;
+}
+
+
+
+/* Extend a growing header with a continuation-linebreak */
+static gstring *
+pdkim_hdr_cont(gstring * str, int * col)
+{
+*col = 1;
+return string_catn(str, US"\r\n\t", 3);
+}
+
+
+
+/*
+ * RFC 5322 specifies that header line length SHOULD be no more than 78
+ *  pdkim_headcat
+ *
+ * Returns gstring (not nul-terminated) appending to one supplied
+ *
+ * col: this int holds and receives column number (octets since last '\n')
+ * str: partial string to append to
+ * pad: padding, split line or space after before or after eg: ";".
+ *               Only the initial charater is used.
+ * intro: - must join to payload eg "h=", usually the tag name
+ * payload: eg base64 data - long data can be split arbitrarily.
+ *
+ * this code doesn't fold the header in some of the places that RFC4871
+ * allows: As per RFC5322(2.2.3) it only folds before or after tag-value
+ * pairs and inside long values. it also always spaces or breaks after the
+ * "pad"
+ *
+ * No guarantees are made for output given out-of range input. like tag
+ * names longer than 78, or bogus col. Input is assumed to be free of line breaks.
+ */
+
+static gstring *
+pdkim_headcat(int * col, gstring * str,
+  const uschar * pad, const uschar * intro, const uschar * payload)
+{
+int len, chomp, padded = 0;
+
+/* If we can fit at least the pad at the end of current line, do it now.
+Otherwise, wrap if there is a pad. */
+
+if (pad)
+  if (*col + 1 <= 78)
+    {
+    str = string_catn(str, pad, 1);
+    (*col)++;
+    pad = NULL;
+    padded = 1;
+    }
+  else
+    str = pdkim_hdr_cont(str, col);
+
+/* Special case: if the whole addition does not fit at the end of the current
+line, but could fit on a new line, wrap to give it its full, dedicated line.  */
+
+len = (pad ? 2 : padded)
+    + (intro ? Ustrlen(intro) : 0)
+    + (payload ? Ustrlen(payload) : 0);
+if (len <= 77 && *col+len > 78)
+  {
+  str = pdkim_hdr_cont(str, col);
+  padded = 0;
+  }
+
+/* Either we already dealt with the pad or we know there is room */
+
+if (pad)
+  {
+  str = string_catn(str, pad, 1);
+  str = string_catn(str, US" ", 1);
+  *col += 2;
+  }
+else if (padded && *col < 78)
+  {
+  str = string_catn(str, US" ", 1);
+  (*col)++;
+  }
+
+/* Call recursively with intro as payload: it gets the same, special treatment
+(that is, not split if < 78).  */
+
+if (intro)
+  str = pdkim_headcat(col, str, NULL, NULL, intro);
+
+if (payload)
+  for (len = Ustrlen(payload); len; len -= chomp)
+    {
+    if (*col >= 78)
+      str = pdkim_hdr_cont(str, col);
+    chomp = *col+len > 78 ? 78 - *col : len;
+    str = string_catn(str, payload, chomp);
+    *col += chomp;
+    payload += chomp;
+    }
+
+return str;
+}
+
+
+/* -------------------------------------------------------------------------- */
+
+/* Signing: create signature header
+*/
+static uschar *
+pdkim_create_header(pdkim_signature * sig, BOOL final)
+{
+uschar * base64_bh;
+uschar * base64_b;
+int col = 0;
+gstring * hdr;
+gstring * canon_all;
+
+canon_all = string_cat (NULL, pdkim_canons[sig->canon_headers]);
+canon_all = string_catn(canon_all, US"/", 1);
+canon_all = string_cat (canon_all, pdkim_canons[sig->canon_body]);
+(void) string_from_gstring(canon_all);
+
+hdr = string_cat(NULL, US"DKIM-Signature: v="PDKIM_SIGNATURE_VERSION);
+col = hdr->ptr;
+
+/* Required and static bits */
+hdr = pdkim_headcat(&col, hdr, US";", US"a=", dkim_sig_to_a_tag(sig));
+hdr = pdkim_headcat(&col, hdr, US";", US"q=", pdkim_querymethods[sig->querymethod]);
+hdr = pdkim_headcat(&col, hdr, US";", US"c=", canon_all->s);
+hdr = pdkim_headcat(&col, hdr, US";", US"d=", sig->domain);
+hdr = pdkim_headcat(&col, hdr, US";", US"s=", sig->selector);
+
+/* list of header names can be split between items. */
+  {
+  uschar * n = string_copy(sig->headernames);
+  uschar * i = US"h=";
+  uschar * s = US";";
+
+  while (*n)
+    {
+    uschar * c = Ustrchr(n, ':');
+
+    if (c) *c ='\0';
+
+    if (!i)
+      hdr = pdkim_headcat(&col, hdr, NULL, NULL, US":");
+
+    hdr = pdkim_headcat(&col, hdr, s, i, n);
+
+    if (!c)
+      break;
+
+    n = c+1;
+    s = NULL;
+    i = NULL;
+    }
+  }
+
+base64_bh = pdkim_encode_base64(&sig->calc_body_hash->bh);
+hdr = pdkim_headcat(&col, hdr, US";", US"bh=", base64_bh);
+
+/* Optional bits */
+if (sig->identity)
+  hdr = pdkim_headcat(&col, hdr, US";", US"i=", sig->identity);
+
+if (sig->created > 0)
+  {
+  uschar minibuf[21];
+
+  snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->created);
+  hdr = pdkim_headcat(&col, hdr, US";", US"t=", minibuf);
+}
+
+if (sig->expires > 0)
+  {
+  uschar minibuf[21];
+
+  snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->expires);
+  hdr = pdkim_headcat(&col, hdr, US";", US"x=", minibuf);
+  }
+
+if (sig->bodylength >= 0)
+  {
+  uschar minibuf[21];
+
+  snprintf(CS minibuf, sizeof(minibuf), "%lu", sig->bodylength);
+  hdr = pdkim_headcat(&col, hdr, US";", US"l=", minibuf);
+  }
+
+/* Preliminary or final version? */
+if (final)
+  {
+  base64_b = pdkim_encode_base64(&sig->sighash);
+  hdr = pdkim_headcat(&col, hdr, US";", US"b=", base64_b);
+
+  /* add trailing semicolon: I'm not sure if this is actually needed */
+  hdr = pdkim_headcat(&col, hdr, NULL, US";", US"");
+  }
+else
+  {
+  /* To satisfy the rule "all surrounding whitespace [...] deleted"
+  ( RFC 6376 section 3.7 ) we ensure there is no whitespace here.  Otherwise
+  the headcat routine could insert a linebreak which the relaxer would reduce
+  to a single space preceding the terminating semicolon, resulting in an
+  incorrect header-hash. */
+  hdr = pdkim_headcat(&col, hdr, US";", US"b=;", US"");
+  }
+
+return string_from_gstring(hdr);
+}
+
+
+/* -------------------------------------------------------------------------- */
+
+/* According to draft-ietf-dcrup-dkim-crypto-07 "keys are 256 bits" (referring
+to DNS, hence the pubkey).  Check for more than 32 bytes; if so assume the
+alternate possible representation (still) being discussed: a
+SubjectPublickeyInfo wrapped key - and drop all but the trailing 32-bytes (it
+should be a DER, with exactly 12 leading bytes - but we could accept a BER also,
+which could be any size).  We still rely on the crypto library for checking for
+undersize.
+
+When the RFC is published this should be re-addressed. */
+
+static void
+check_bare_ed25519_pubkey(pdkim_pubkey * p)
+{
+int excess = p->key.len - 32;
+if (excess > 0)
+  {
+  DEBUG(D_acl)
+    debug_printf("DKIM: unexpected pubkey len %lu\n", (unsigned long) p->key.len);
+  p->key.data += excess; p->key.len = 32;
+  }
+}
+
+
+static pdkim_pubkey *
+pdkim_key_from_dns(pdkim_ctx * ctx, pdkim_signature * sig, ev_ctx * vctx,
+  const uschar ** errstr)
+{
+uschar * dns_txt_name, * dns_txt_reply;
+pdkim_pubkey * p;
+
+/* Fetch public key for signing domain, from DNS */
+
+dns_txt_name = string_sprintf("%s._domainkey.%s.", sig->selector, sig->domain);
+
+if (  !(dns_txt_reply = ctx->dns_txt_callback(dns_txt_name))
+   || dns_txt_reply[0] == '\0'
+   )
+  {
+  sig->verify_status =      PDKIM_VERIFY_INVALID;
+  sig->verify_ext_status =  PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE;
+  return NULL;
+  }
+
+DEBUG(D_acl)
+  {
+  debug_printf(
+    "DKIM >> Parsing public key record >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
+    " %s\n"
+    " Raw record: ",
+    dns_txt_name);
+  pdkim_quoteprint(CUS dns_txt_reply, Ustrlen(dns_txt_reply));
+  }
+
+if (  !(p = pdkim_parse_pubkey_record(CUS dns_txt_reply))
+   || (Ustrcmp(p->srvtype, "*") != 0 && Ustrcmp(p->srvtype, "email") != 0)
+   )
+  {
+  sig->verify_status =      PDKIM_VERIFY_INVALID;
+  sig->verify_ext_status =  PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD;
+
+  DEBUG(D_acl)
+    {
+    if (p)
+      debug_printf(" Invalid public key service type '%s'\n", p->srvtype);
+    else
+      debug_printf(" Error while parsing public key record\n");
+    debug_printf(
+      "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+    }
+  return NULL;
+  }
+
+DEBUG(D_acl) debug_printf(
+      "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+
+/* Import public key */
+
+/* Normally we use the signature a= tag to tell us the pubkey format.
+When signing under debug we do a test-import of the pubkey, and at that
+time we do not have a signature so we must interpret the pubkey k= tag
+instead.  Assume writing on the sig is ok in that case. */
+
+if (sig->keytype < 0)
+  if ((sig->keytype = pdkim_keyname_to_keytype(p->keytype)) < 0)
+    {
+    DEBUG(D_acl) debug_printf("verify_init: unhandled keytype %s\n", p->keytype);
+    sig->verify_status =      PDKIM_VERIFY_INVALID;
+    sig->verify_ext_status =  PDKIM_VERIFY_INVALID_PUBKEY_IMPORT;
+    return NULL;
+    }
+
+if (sig->keytype == KEYTYPE_ED25519)
+  check_bare_ed25519_pubkey(p);
+
+if ((*errstr = exim_dkim_verify_init(&p->key,
+	    sig->keytype == KEYTYPE_ED25519 ? KEYFMT_ED25519_BARE : KEYFMT_DER,
+	    vctx, &sig->keybits)))
+  {
+  DEBUG(D_acl) debug_printf("verify_init: %s\n", *errstr);
+  sig->verify_status =      PDKIM_VERIFY_INVALID;
+  sig->verify_ext_status =  PDKIM_VERIFY_INVALID_PUBKEY_IMPORT;
+  return NULL;
+  }
+
+vctx->keytype = sig->keytype;
+return p;
+}
+
+
+/* -------------------------------------------------------------------------- */
+/* Sort and filter the sigs developed from the message */
+
+static pdkim_signature *
+sort_sig_methods(pdkim_signature * siglist)
+{
+pdkim_signature * yield, ** ss;
+const uschar * prefs;
+uschar * ele;
+int sep;
+
+if (!siglist) return NULL;
+
+/* first select in order of hashtypes */
+DEBUG(D_acl) debug_printf("DKIM: dkim_verify_hashes   '%s'\n", dkim_verify_hashes);
+for (prefs = dkim_verify_hashes, sep = 0, yield = NULL, ss = &yield;
+     ele = string_nextinlist(&prefs, &sep, NULL, 0); )
+  {
+  int i = pdkim_hashname_to_hashtype(CUS ele, 0);
+  for (pdkim_signature * s = siglist, * next, ** prev = &siglist; s;
+       s = next)
+    {
+    next = s->next;
+    if (s->hashtype == i)
+      { *prev = next; s->next = NULL; *ss = s; ss = &s->next; }
+    else
+      prev = &s->next;
+    }
+  }
+
+/* then in order of keytypes */
+siglist = yield;
+DEBUG(D_acl) debug_printf("DKIM: dkim_verify_keytypes '%s'\n", dkim_verify_keytypes);
+for (prefs = dkim_verify_keytypes, sep = 0, yield = NULL, ss = &yield;
+     ele = string_nextinlist(&prefs, &sep, NULL, 0); )
+  {
+  int i = pdkim_keyname_to_keytype(CUS ele);
+  for (pdkim_signature * s = siglist, * next, ** prev = &siglist; s;
+       s = next)
+    {
+    next = s->next;
+    if (s->keytype == i)
+      { *prev = next; s->next = NULL; *ss = s; ss = &s->next; }
+    else
+      prev = &s->next;
+    }
+  }
+
+DEBUG(D_acl) for (pdkim_signature * s = yield; s; s = s->next)
+  debug_printf(" retain d=%s s=%s a=%s\n",
+    s->domain, s->selector, dkim_sig_to_a_tag(s));
+return yield;
+}
+
+
+/* -------------------------------------------------------------------------- */
+
+DLLEXPORT int
+pdkim_feed_finish(pdkim_ctx * ctx, pdkim_signature ** return_signatures,
+  const uschar ** err)
+{
+BOOL verify_pass = FALSE;
+
+/* Check if we must still flush a (partial) header. If that is the
+   case, the message has no body, and we must compute a body hash
+   out of '<CR><LF>' */
+if (ctx->cur_header && ctx->cur_header->ptr > 0)
+  {
+  blob * rnl = NULL;
+  int rc;
+
+  if ((rc = pdkim_header_complete(ctx)) != PDKIM_OK)
+    return rc;
+
+  for (pdkim_bodyhash * b = ctx->bodyhash; b; b = b->next)
+    rnl = pdkim_update_ctx_bodyhash(b, &lineending, rnl);
+  if (rnl) store_free(rnl);
+  }
+else
+  DEBUG(D_acl) debug_printf(
+      "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+
+/* Build (and/or evaluate) body hash.  Do this even if no DKIM sigs, in case we
+have a hash to do for ARC. */
+
+pdkim_finish_bodyhash(ctx);
+
+/* Sort and filter the recived signatures */
+
+if (!(ctx->flags & PDKIM_MODE_SIGN))
+  ctx->sig = sort_sig_methods(ctx->sig);
+
+if (!ctx->sig)
+  {
+  DEBUG(D_acl) debug_printf("DKIM: no signatures\n");
+  *return_signatures = NULL;
+  return PDKIM_OK;
+  }
+
+for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next)
+  {
+  hctx hhash_ctx;
+  uschar * sig_hdr = US"";
+  blob hhash;
+  gstring * hdata = NULL;
+  es_ctx sctx;
+
+  if (  !(ctx->flags & PDKIM_MODE_SIGN)
+     && sig->verify_status == PDKIM_VERIFY_FAIL)
+    {
+    DEBUG(D_acl)
+       debug_printf("DKIM: [%s] abandoning this signature\n", sig->domain);
+    continue;
+    }
+
+  /*XXX The hash of the headers is needed for GCrypt (for which we can do RSA
+  signing only, as it happens) and for either GnuTLS and OpenSSL when we are
+  signing with EC (specifically, Ed25519).  The former is because the GCrypt
+  signing operation is pure (does not do its own hash) so we must hash.  The
+  latter is because we (stupidly, but this is what the IETF draft is saying)
+  must hash with the declared hash method, then pass the result to the library
+  hash-and-sign routine (because that's all the libraries are providing.  And
+  we're stuck with whatever that hidden hash method is, too).  We may as well
+  do this hash incrementally.
+  We don't need the hash we're calculating here for the GnuTLS and OpenSSL
+  cases of RSA signing, since those library routines can do hash-and-sign.
+
+  Some time in the future we could easily avoid doing the hash here for those
+  cases (which will be common for a long while.  We could also change from
+  the current copy-all-the-headers-into-one-block, then call the hash-and-sign
+  implementation  - to a proper incremental one.  Unfortunately, GnuTLS just
+  cannot do incremental - either signing or verification.  Unsure about GCrypt.
+  */
+
+  /*XXX The header hash is also used (so far) by the verify operation */
+
+  if (!exim_sha_init(&hhash_ctx, pdkim_hashes[sig->hashtype].exim_hashmethod))
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "DKIM: hash setup error, possibly nonhandled hashtype");
+    break;
+    }
+
+  if (ctx->flags & PDKIM_MODE_SIGN)
+    DEBUG(D_acl) debug_printf(
+	"DKIM >> Headers to be signed:                            >>>>>>>>>>>>\n"
+	" %s\n",
+	sig->sign_headers);
+
+  DEBUG(D_acl) debug_printf(
+      "DKIM >> Header data for hash, canonicalized (%-7s), in sequence >>\n",
+	pdkim_canons[sig->canon_headers]);
+
+
+  /* SIGNING ---------------------------------------------------------------- */
+  /* When signing, walk through our header list and add them to the hash. As we
+     go, construct a list of the header's names to use for the h= parameter.
+     Then append to that list any remaining header names for which there was no
+     header to sign. */
+
+  if (ctx->flags & PDKIM_MODE_SIGN)
+    {
+    gstring * g = NULL;
+    const uschar * l;
+    uschar * s;
+    int sep = 0;
+
+    /* Import private key, including the keytype which we need for building
+    the signature header  */
+
+    if ((*err = exim_dkim_signing_init(CUS sig->privkey, &sctx)))
+      {
+      log_write(0, LOG_MAIN|LOG_PANIC, "signing_init: %s", *err);
+      return PDKIM_ERR_RSA_PRIVKEY;
+      }
+    sig->keytype = sctx.keytype;
+
+    sig->headernames = NULL;			/* Collected signed header names */
+    for (pdkim_stringlist * p = sig->headers; p; p = p->next)
+      {
+      uschar * rh = p->value;
+
+      if (header_name_match(rh, sig->sign_headers) == PDKIM_OK)
+	{
+	/* Collect header names (Note: colon presence is guaranteed here) */
+	g = string_append_listele_n(g, ':', rh, Ustrchr(rh, ':') - rh);
+
+	if (sig->canon_headers == PDKIM_CANON_RELAXED)
+	  rh = pdkim_relax_header(rh, TRUE);	/* cook header for relaxed canon */
+
+	/* Feed header to the hash algorithm */
+	exim_sha_update_string(&hhash_ctx, CUS rh);
+
+	/* Remember headers block for signing (when the library cannot do incremental)  */
+	/*XXX we could avoid doing this for all but the GnuTLS/RSA case */
+	hdata = exim_dkim_data_append(hdata, rh);
+
+	DEBUG(D_acl) pdkim_quoteprint(rh, Ustrlen(rh));
+	}
+      }
+
+    /* Any headers we wanted to sign but were not present must also be listed.
+    Ignore elements that have been ticked-off or are marked as never-oversign. */
+
+    l = sig->sign_headers;
+    while((s = string_nextinlist(&l, &sep, NULL, 0)))
+      {
+      if (*s == '+')			/* skip oversigning marker */
+        s++;
+      if (*s != '_' && *s != '=')
+	g = string_append_listele(g, ':', s);
+      }
+    sig->headernames = string_from_gstring(g);
+
+    /* Create signature header with b= omitted */
+    sig_hdr = pdkim_create_header(sig, FALSE);
+    }
+
+  /* VERIFICATION ----------------------------------------------------------- */
+  /* When verifying, walk through the header name list in the h= parameter and
+     add the headers to the hash in that order. */
+  else
+    {
+    uschar * p = sig->headernames;
+    uschar * q;
+
+    if (p)
+      {
+      /* clear tags */
+      for (pdkim_stringlist * hdrs = ctx->headers; hdrs; hdrs = hdrs->next)
+	hdrs->tag = 0;
+
+      p = string_copy(p);
+      while(1)
+	{
+	if ((q = Ustrchr(p, ':')))
+	  *q = '\0';
+
+  /*XXX walk the list of headers in same order as received. */
+	for (pdkim_stringlist * hdrs = ctx->headers; hdrs; hdrs = hdrs->next)
+	  if (  hdrs->tag == 0
+	     && strncasecmp(CCS hdrs->value, CCS p, Ustrlen(p)) == 0
+	     && (hdrs->value)[Ustrlen(p)] == ':'
+	     )
+	    {
+	    /* cook header for relaxed canon, or just copy it for simple  */
+
+	    uschar * rh = sig->canon_headers == PDKIM_CANON_RELAXED
+	      ? pdkim_relax_header(hdrs->value, TRUE)
+	      : string_copy(CUS hdrs->value);
+
+	    /* Feed header to the hash algorithm */
+	    exim_sha_update_string(&hhash_ctx, CUS rh);
+
+	    DEBUG(D_acl) pdkim_quoteprint(rh, Ustrlen(rh));
+	    hdrs->tag = 1;
+	    break;
+	    }
+
+	if (!q) break;
+	p = q+1;
+	}
+
+      sig_hdr = string_copy(sig->rawsig_no_b_val);
+      }
+    }
+
+  DEBUG(D_acl) debug_printf(
+	    "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+
+  DEBUG(D_acl)
+    {
+    debug_printf(
+	    "DKIM >> Signed DKIM-Signature header, pre-canonicalized >>>>>>>>>>>>>\n");
+    pdkim_quoteprint(CUS sig_hdr, Ustrlen(sig_hdr));
+    debug_printf(
+	    "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+    }
+
+  /* Relax header if necessary */
+  if (sig->canon_headers == PDKIM_CANON_RELAXED)
+    sig_hdr = pdkim_relax_header(sig_hdr, FALSE);
+
+  DEBUG(D_acl)
+    {
+    debug_printf("DKIM >> Signed DKIM-Signature header, canonicalized (%-7s) >>>>>>>\n",
+	    pdkim_canons[sig->canon_headers]);
+    pdkim_quoteprint(CUS sig_hdr, Ustrlen(sig_hdr));
+    debug_printf(
+	    "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+    }
+
+  /* Finalize header hash */
+  exim_sha_update_string(&hhash_ctx, CUS sig_hdr);
+  exim_sha_finish(&hhash_ctx, &hhash);
+
+  DEBUG(D_acl)
+    {
+    debug_printf("DKIM [%s] Header %s computed: ",
+      sig->domain, pdkim_hashes[sig->hashtype].dkim_hashname);
+    pdkim_hexprint(hhash.data, hhash.len);
+    }
+
+  /* Remember headers block for signing (when the signing library cannot do
+  incremental)  */
+  if (ctx->flags & PDKIM_MODE_SIGN)
+    hdata = exim_dkim_data_append(hdata, US sig_hdr);
+
+  /* SIGNING ---------------------------------------------------------------- */
+  if (ctx->flags & PDKIM_MODE_SIGN)
+    {
+    hashmethod hm = sig->keytype == KEYTYPE_ED25519
+#if defined(SIGN_OPENSSL)
+      ? HASH_NULL
+#else
+      ? HASH_SHA2_512
+#endif
+      : pdkim_hashes[sig->hashtype].exim_hashmethod;
+
+#ifdef SIGN_HAVE_ED25519
+    /* For GCrypt, and for EC, we pass the hash-of-headers to the signing
+    routine.  For anything else we just pass the headers. */
+
+    if (sig->keytype != KEYTYPE_ED25519)
+#endif
+      {
+      hhash.data = hdata->s;
+      hhash.len = hdata->ptr;
+      }
+
+    if ((*err = exim_dkim_sign(&sctx, hm, &hhash, &sig->sighash)))
+      {
+      log_write(0, LOG_MAIN|LOG_PANIC, "signing: %s", *err);
+      return PDKIM_ERR_RSA_SIGNING;
+      }
+
+    DEBUG(D_acl)
+      {
+      debug_printf( "DKIM [%s] b computed: ", sig->domain);
+      pdkim_hexprint(sig->sighash.data, sig->sighash.len);
+      }
+
+    sig->signature_header = pdkim_create_header(sig, TRUE);
+    }
+
+  /* VERIFICATION ----------------------------------------------------------- */
+  else
+    {
+    ev_ctx vctx;
+    hashmethod hm;
+
+    /* Make sure we have all required signature tags */
+    if (!(  sig->domain        && *sig->domain
+	 && sig->selector      && *sig->selector
+	 && sig->headernames   && *sig->headernames
+	 && sig->bodyhash.data
+	 && sig->sighash.data
+	 && sig->keytype >= 0
+	 && sig->hashtype >= 0
+	 && sig->version
+       ) )
+      {
+      sig->verify_status     = PDKIM_VERIFY_INVALID;
+      sig->verify_ext_status = PDKIM_VERIFY_INVALID_SIGNATURE_ERROR;
+
+      DEBUG(D_acl) debug_printf(
+	  " Error in DKIM-Signature header: tags missing or invalid (%s)\n"
+	  "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n",
+	  !(sig->domain && *sig->domain) ? "d="
+	  : !(sig->selector && *sig->selector) ? "s="
+	  : !(sig->headernames && *sig->headernames) ? "h="
+	  : !sig->bodyhash.data ? "bh="
+	  : !sig->sighash.data ? "b="
+	  : sig->keytype < 0 || sig->hashtype < 0 ? "a="
+	  : "v="
+	  );
+      goto NEXT_VERIFY;
+      }
+
+    /* Make sure sig uses supported DKIM version (only v1) */
+    if (sig->version != 1)
+      {
+      sig->verify_status     = PDKIM_VERIFY_INVALID;
+      sig->verify_ext_status = PDKIM_VERIFY_INVALID_DKIM_VERSION;
+
+      DEBUG(D_acl) debug_printf(
+          " Error in DKIM-Signature header: unsupported DKIM version\n"
+          "DKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+      goto NEXT_VERIFY;
+      }
+
+    DEBUG(D_acl)
+      {
+      debug_printf( "DKIM [%s] b from mail: ", sig->domain);
+      pdkim_hexprint(sig->sighash.data, sig->sighash.len);
+      }
+
+    if (!(sig->pubkey = pdkim_key_from_dns(ctx, sig, &vctx, err)))
+      {
+      log_write(0, LOG_MAIN, "DKIM: %s%s %s%s [failed key import]",
+	sig->domain   ? "d=" : "", sig->domain   ? sig->domain   : US"",
+	sig->selector ? "s=" : "", sig->selector ? sig->selector : US"");
+      goto NEXT_VERIFY;
+      }
+
+    /* If the pubkey limits to a list of specific hashes, ignore sigs that
+    do not have the hash part of the sig algorithm matching */
+
+    if (sig->pubkey->hashes)
+      {
+      const uschar * list = sig->pubkey->hashes, * ele;
+      int sep = ':';
+      while ((ele = string_nextinlist(&list, &sep, NULL, 0)))
+	if (Ustrcmp(ele, pdkim_hashes[sig->hashtype].dkim_hashname) == 0) break;
+      if (!ele)
+	{
+	DEBUG(D_acl) debug_printf("pubkey h=%s vs. sig a=%s_%s\n",
+	  sig->pubkey->hashes,
+	  pdkim_keytypes[sig->keytype],
+	  pdkim_hashes[sig->hashtype].dkim_hashname);
+	sig->verify_status =      PDKIM_VERIFY_FAIL;
+	sig->verify_ext_status =  PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH;
+	goto NEXT_VERIFY;
+	}
+      }
+
+    hm = sig->keytype == KEYTYPE_ED25519
+#if defined(SIGN_OPENSSL)
+      ? HASH_NULL
+#else
+      ? HASH_SHA2_512
+#endif
+      : pdkim_hashes[sig->hashtype].exim_hashmethod;
+
+    /* Check the signature */
+
+    if ((*err = exim_dkim_verify(&vctx, hm, &hhash, &sig->sighash)))
+      {
+      DEBUG(D_acl) debug_printf("headers verify: %s\n", *err);
+      sig->verify_status =      PDKIM_VERIFY_FAIL;
+      sig->verify_ext_status =  PDKIM_VERIFY_FAIL_MESSAGE;
+      goto NEXT_VERIFY;
+      }
+    if (*dkim_verify_min_keysizes)
+      {
+      unsigned minbits;
+      uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype],
+				    dkim_verify_min_keysizes);
+      if (ss &&  (minbits = atoi(CS ss)) > sig->keybits)
+	{
+	DEBUG(D_acl) debug_printf("Key too short: Actual: %s %u  Minima '%s'\n",
+	  pdkim_keytypes[sig->keytype], sig->keybits, dkim_verify_min_keysizes);
+	sig->verify_status =      PDKIM_VERIFY_FAIL;
+	sig->verify_ext_status =  PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE;
+	}
+      }
+
+
+    /* We have a winner! (if bodyhash was correct earlier) */
+    if (sig->verify_status == PDKIM_VERIFY_NONE)
+      {
+      sig->verify_status = PDKIM_VERIFY_PASS;
+      verify_pass = TRUE;
+      if (dkim_verify_minimal) break;
+      }
+
+NEXT_VERIFY:
+
+    DEBUG(D_acl)
+      {
+      debug_printf("DKIM [%s] %s signature status: %s",
+	      sig->domain, dkim_sig_to_a_tag(sig),
+	      pdkim_verify_status_str(sig->verify_status));
+      if (sig->verify_ext_status > 0)
+	debug_printf(" (%s)\n",
+		pdkim_verify_ext_status_str(sig->verify_ext_status));
+      else
+	debug_printf("\n");
+      }
+    }
+  }
+
+/* If requested, set return pointer to signature(s) */
+if (return_signatures)
+  *return_signatures = ctx->sig;
+
+return ctx->flags & PDKIM_MODE_SIGN  ||  verify_pass
+  ? PDKIM_OK : PDKIM_FAIL;
+}
+
+
+/* -------------------------------------------------------------------------- */
+
+DLLEXPORT pdkim_ctx *
+pdkim_init_verify(uschar * (*dns_txt_callback)(const uschar *), BOOL dot_stuffing)
+{
+pdkim_ctx * ctx;
+
+ctx = store_get(sizeof(pdkim_ctx), GET_UNTAINTED);
+memset(ctx, 0, sizeof(pdkim_ctx));
+
+if (dot_stuffing) ctx->flags = PDKIM_DOT_TERM;
+/* The line-buffer is for message data, hence tainted */
+ctx->linebuf = store_get(PDKIM_MAX_BODY_LINE_LEN, GET_TAINTED);
+ctx->dns_txt_callback = dns_txt_callback;
+ctx->cur_header = string_get_tainted(36, GET_TAINTED);
+
+return ctx;
+}
+
+
+/* -------------------------------------------------------------------------- */
+
+DLLEXPORT pdkim_signature *
+pdkim_init_sign(pdkim_ctx * ctx,
+  uschar * domain, uschar * selector, uschar * privkey,
+  uschar * hashname, const uschar ** errstr)
+{
+int hashtype;
+pdkim_signature * sig;
+
+if (!domain || !selector || !privkey)
+  return NULL;
+
+/* Allocate & init one signature struct */
+
+sig = store_get(sizeof(pdkim_signature), GET_UNTAINTED);
+memset(sig, 0, sizeof(pdkim_signature));
+
+sig->bodylength = -1;
+
+sig->domain = string_copy(US domain);
+sig->selector = string_copy(US selector);
+sig->privkey = string_copy(US privkey);
+sig->keytype = -1;
+
+for (hashtype = 0; hashtype < nelem(pdkim_hashes); hashtype++)
+  if (Ustrcmp(hashname, pdkim_hashes[hashtype].dkim_hashname) == 0)
+  { sig->hashtype = hashtype; break; }
+if (hashtype >= nelem(pdkim_hashes))
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "DKIM: unrecognised hashname '%s'", hashname);
+  return NULL;
+  }
+
+DEBUG(D_acl)
+  {
+  pdkim_signature s = *sig;
+  ev_ctx vctx;
+
+  debug_printf("DKIM (checking verify key)>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+  if (!pdkim_key_from_dns(ctx, &s, &vctx, errstr))
+    debug_printf("WARNING: bad dkim key in dns\n");
+  debug_printf("DKIM (finished checking verify key)<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+  }
+return sig;
+}
+
+
+/* -------------------------------------------------------------------------- */
+
+DLLEXPORT void
+pdkim_set_optional(pdkim_signature * sig,
+                       char * sign_headers,
+                       char * identity,
+                       int canon_headers,
+                       int canon_body,
+                       long bodylength,
+                       unsigned long created,
+                       unsigned long expires)
+{
+if (identity)
+  sig->identity = string_copy(US identity);
+
+sig->sign_headers = string_copy(sign_headers
+	? US sign_headers : US PDKIM_DEFAULT_SIGN_HEADERS);
+
+sig->canon_headers = canon_headers;
+sig->canon_body = canon_body;
+sig->bodylength = bodylength;
+sig->created = created;
+sig->expires = expires;
+
+return;
+}
+
+
+
+/* Set up a blob for calculating the bodyhash according to the
+given needs.  Use an existing one if possible, or create a new one.
+
+Return: hashblob pointer, or NULL on error
+*/
+pdkim_bodyhash *
+pdkim_set_bodyhash(pdkim_ctx * ctx, int hashtype, int canon_method,
+	long bodylength)
+{
+pdkim_bodyhash * b;
+
+if (hashtype == -1 || canon_method == -1) return NULL;
+
+for (b = ctx->bodyhash; b; b = b->next)
+  if (  hashtype == b->hashtype
+     && canon_method == b->canon_method
+     && bodylength == b->bodylength)
+    {
+    DEBUG(D_receive) debug_printf("DKIM: using existing bodyhash %s/%s/%ld\n",
+      pdkim_hashes[hashtype].dkim_hashname, pdkim_canons[canon_method], bodylength);
+    return b;
+    }
+
+DEBUG(D_receive) debug_printf("DKIM: new bodyhash %s/%s/%ld\n",
+    pdkim_hashes[hashtype].dkim_hashname, pdkim_canons[canon_method], bodylength);
+b = store_get(sizeof(pdkim_bodyhash), GET_UNTAINTED);
+b->next = ctx->bodyhash;
+b->hashtype = hashtype;
+b->canon_method = canon_method;
+b->bodylength = bodylength;
+if (!exim_sha_init(&b->body_hash_ctx,		/*XXX hash method: extend for sha512 */
+		  pdkim_hashes[hashtype].exim_hashmethod))
+  {
+  DEBUG(D_acl)
+    debug_printf("DKIM: hash init error, possibly nonhandled hashtype\n");
+  return NULL;
+  }
+b->signed_body_bytes = 0;
+b->num_buffered_blanklines = 0;
+ctx->bodyhash = b;
+return b;
+}
+
+
+/* Set up a blob for calculating the bodyhash according to the
+needs of this signature.  Use an existing one if possible, or
+create a new one.
+
+Return: hashblob pointer, or NULL on error (only used as a boolean).
+*/
+pdkim_bodyhash *
+pdkim_set_sig_bodyhash(pdkim_ctx * ctx, pdkim_signature * sig)
+{
+pdkim_bodyhash * b = pdkim_set_bodyhash(ctx,
+			sig->hashtype, sig->canon_body, sig->bodylength);
+sig->calc_body_hash = b;
+return b;
+}
+
+
+/* -------------------------------------------------------------------------- */
+
+
+void
+pdkim_init_context(pdkim_ctx * ctx, BOOL dot_stuffed,
+  uschar * (*dns_txt_callback)(const uschar *))
+{
+memset(ctx, 0, sizeof(pdkim_ctx));
+ctx->flags = dot_stuffed ? PDKIM_MODE_SIGN | PDKIM_DOT_TERM : PDKIM_MODE_SIGN;
+/* The line buffer is for message data, hence tainted */
+ctx->linebuf = store_get(PDKIM_MAX_BODY_LINE_LEN, GET_TAINTED);
+DEBUG(D_acl) ctx->dns_txt_callback = dns_txt_callback;
+}
+
+
+void
+pdkim_init(void)
+{
+exim_dkim_init();
+}
+
+
+
+#endif	/*DISABLE_DKIM*/
diff --git a/src/pdkim/pdkim.h b/src/pdkim/pdkim.h
new file mode 100644
index 0000000..f6ff782
--- /dev/null
+++ b/src/pdkim/pdkim.h
@@ -0,0 +1,369 @@
+/*
+ *  PDKIM - a RFC4871 (DKIM) implementation
+ *
+ *  Copyright (C) 2009 - 2012  Tom Kistner <tom@duncanthrax.net>
+ *  Copyright (c) 2016 - 2020  Jeremy Harris
+ *
+ *  http://duncanthrax.net/pdkim/
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#ifndef PDKIM_H
+#define PDKIM_H
+
+#include "../blob.h"
+#include "../hash.h"
+
+#define PDKIM_DEFAULT_SIGN_HEADERS "From:Sender:Reply-To:Subject:Date:"\
+                             "Message-ID:To:Cc:MIME-Version:Content-Type:"\
+                             "Content-Transfer-Encoding:Content-ID:"\
+                             "Content-Description:Resent-Date:Resent-From:"\
+                             "Resent-Sender:Resent-To:Resent-Cc:"\
+                             "Resent-Message-ID:In-Reply-To:References:"\
+                             "List-Id:List-Help:List-Unsubscribe:"\
+                             "List-Subscribe:List-Post:List-Owner:List-Archive"
+
+#define PDKIM_OVERSIGN_HEADERS "+From:+Sender:+Reply-To:+Subject:+Date:"\
+                             "+Message-ID:+To:+Cc:+MIME-Version:+Content-Type:"\
+                             "+Content-Transfer-Encoding:+Content-ID:"\
+                             "+Content-Description:+Resent-Date:+Resent-From:"\
+                             "+Resent-Sender:+Resent-To:+Resent-Cc:"\
+                             "+Resent-Message-ID:+In-Reply-To:+References:"\
+                             "+List-Id:+List-Help:+List-Unsubscribe:"\
+                             "+List-Subscribe:+List-Post:+List-Owner:+List-Archive"
+
+/* -------------------------------------------------------------------------- */
+/* Length of the preallocated buffer for the "answer" from the dns/txt
+   callback function. This should match the maximum RDLENGTH from DNS. */
+#define PDKIM_DNS_TXT_MAX_RECLEN    (1 << 16)
+
+/* -------------------------------------------------------------------------- */
+/* Function success / error codes */
+#define PDKIM_OK                      0
+#define PDKIM_FAIL                   -1
+#define PDKIM_ERR_RSA_PRIVKEY      -101
+#define PDKIM_ERR_RSA_SIGNING      -102
+#define PDKIM_ERR_LONG_LINE        -103
+#define PDKIM_ERR_BUFFER_TOO_SMALL -104
+#define PDKIM_ERR_EXCESS_SIGS	   -105
+#define PDKIM_SIGN_PRIVKEY_WRAP    -106
+#define PDKIM_SIGN_PRIVKEY_B64D    -107
+
+/* -------------------------------------------------------------------------- */
+/* Main/Extended verification status */
+#define PDKIM_VERIFY_NONE      0
+#define PDKIM_VERIFY_INVALID   1
+#define PDKIM_VERIFY_FAIL      2
+#define PDKIM_VERIFY_PASS      3
+#define PDKIM_VERIFY_POLICY    BIT(31)
+
+#define PDKIM_VERIFY_FAIL_BODY                    1
+#define PDKIM_VERIFY_FAIL_MESSAGE                 2
+#define PDKIM_VERIFY_FAIL_SIG_ALGO_MISMATCH	  3
+#define PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE   4
+#define PDKIM_VERIFY_INVALID_BUFFER_SIZE          5
+#define PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD     6
+#define PDKIM_VERIFY_INVALID_PUBKEY_IMPORT        7
+#define PDKIM_VERIFY_INVALID_PUBKEY_KEYSIZE       8
+#define PDKIM_VERIFY_INVALID_SIGNATURE_ERROR      9
+#define PDKIM_VERIFY_INVALID_DKIM_VERSION         10
+
+/* -------------------------------------------------------------------------- */
+/* Some parameter values */
+#define PDKIM_QUERYMETHOD_DNS_TXT 0
+
+#define PDKIM_CANON_SIMPLE        0
+#define PDKIM_CANON_RELAXED       1
+
+/* -------------------------------------------------------------------------- */
+/* Some required forward declarations, please ignore */
+typedef struct pdkim_stringlist pdkim_stringlist;
+typedef struct pdkim_str pdkim_str;
+typedef struct sha1_context sha1_context;
+typedef struct sha2_context sha2_context;
+#define HAVE_SHA1_CONTEXT
+#define HAVE_SHA2_CONTEXT
+
+/* -------------------------------------------------------------------------- */
+/* Some concessions towards Redmond */
+#ifdef WINDOWS
+#define snprintf _snprintf
+#define strcasecmp _stricmp
+#define strncasecmp _strnicmp
+#define DLLEXPORT __declspec(dllexport)
+#else
+#define DLLEXPORT
+#endif
+
+
+/* -------------------------------------------------------------------------- */
+/* Public key as (usually) fetched from DNS */
+typedef struct pdkim_pubkey {
+  const uschar * version;         /* v=  */
+  const uschar *granularity;      /* g=  */
+
+  const uschar * hashes;          /* h=  */
+  const uschar * keytype;         /* k=  */
+  const uschar * srvtype;         /* s=  */
+  uschar *notes;                  /* n=  */
+
+  blob  key;                      /* p=  */
+  int   testing;                  /* t=y */
+  int   no_subdomaining;          /* t=s */
+} pdkim_pubkey;
+
+/* -------------------------------------------------------------------------- */
+/* Body-hash to be calculated */
+typedef struct pdkim_bodyhash {
+  struct pdkim_bodyhash *	next;
+  int				hashtype;
+  int 				canon_method;
+  long				bodylength;
+
+  hctx         			body_hash_ctx;
+  unsigned long			signed_body_bytes;	/* done so far */
+  int				num_buffered_blanklines;
+
+  blob				bh;			/* completed hash */
+} pdkim_bodyhash;
+
+/* -------------------------------------------------------------------------- */
+/* Signature as it appears in a DKIM-Signature header */
+typedef struct pdkim_signature {
+  struct pdkim_signature * next;
+
+  /* Bits stored in a DKIM signature header --------------------------- */
+
+  /* (v=) The version, as an integer. Currently, always "1" */
+  int version;
+
+  /* (a=) The signature algorithm. */
+  int		keytype;	/* pdkim_keytypes index */
+  unsigned	keybits;	/* size of the key */
+  int		hashtype;	/* pdkim_hashes index */
+
+  /* (c=x/) Header canonicalization method. Either PDKIM_CANON_SIMPLE
+     or PDKIM_CANON_RELAXED */
+  int canon_headers;
+
+  /* (c=/x) Body canonicalization method. Either PDKIM_CANON_SIMPLE
+     or PDKIM_CANON_RELAXED */
+  int canon_body;
+
+  /* (q=) Query Method. Currently, only PDKIM_QUERYMETHOD_DNS_TXT
+     is specified */
+  int querymethod;
+
+  /* (s=) The selector string as given in the signature */
+  uschar *selector;
+
+  /* (d=) The domain as given in the signature */
+  uschar *domain;
+
+  /* (i=) The identity as given in the signature */
+  uschar *identity;
+
+  /* (t=) Timestamp of signature creation */
+  unsigned long created;
+
+  /* (x=) Timestamp of expiry of signature */
+  unsigned long expires;
+
+  /* (l=) Amount of hashed body bytes (after canonicalization). Default
+     is -1. Note: a value of 0 means that the body is unsigned! */
+  long bodylength;
+
+  /* (h=) Colon-separated list of header names that are included in the
+     signature */
+  uschar *headernames;
+
+  /* (z=) */
+  uschar *copiedheaders;
+
+  /* (b=) Raw signature data, along with its length in bytes */
+  blob sighash;
+
+  /* (bh=) Raw body hash data, along with its length in bytes */
+  blob bodyhash;
+
+  /* Folded DKIM-Signature: header. Signing only, NULL for verifying.
+     Ready for insertion into the message. Note: Folded using CRLFTB,
+     but final line terminator is NOT included. Note2: This buffer is
+     free()d when you call pdkim_free_ctx(). */
+  uschar *signature_header;
+
+  /* The main verification status. Verification only. One of:
+
+     PDKIM_VERIFY_NONE      Verification was not attempted. This status
+                            should not appear.
+
+     PDKIM_VERIFY_INVALID   There was an error while trying to verify
+                            the signature. A more precise description
+                            is available in verify_ext_status.
+
+     PDKIM_VERIFY_FAIL      Verification failed because either the body
+                            hash did not match, or the signature verification
+                            failed. This means the message was modified.
+                            Check verify_ext_status for the exact reason.
+
+     PDKIM_VERIFY_PASS      Verification succeeded.
+  */
+  int verify_status;
+
+  /* Extended verification status. Verification only. Depending on the value
+     of verify_status, it can contain:
+
+     For verify_status == PDKIM_VERIFY_INVALID:
+
+        PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE
+          Unable to retrieve a public key container.
+
+        PDKIM_VERIFY_INVALID_BUFFER_SIZE
+          Either the DNS name constructed to retrieve the public key record
+          does not fit into PDKIM_DNS_TXT_MAX_NAMELEN bytes, or the retrieved
+          record is longer than PDKIM_DNS_TXT_MAX_RECLEN bytes.
+
+        PDKIM_VERIFY_INVALID_PUBKEY_PARSING
+          (Syntax) error while parsing the retrieved public key record.
+
+
+     For verify_status == PDKIM_VERIFY_FAIL:
+
+        PDKIM_VERIFY_FAIL_BODY
+          The calculated body hash does not match the advertised body hash
+          from the bh= tag of the signature.
+
+        PDKIM_VERIFY_FAIL_MESSAGE
+          RSA verification of the signature (b= tag) failed.
+  */
+  int verify_ext_status;
+
+  /* Pointer to a public key record that was used to verify the signature.
+     See pdkim_pubkey declaration above for more information.
+     Caution: is NULL if signing or if no record was retrieved. */
+  pdkim_pubkey *pubkey;
+
+  /* Properties below this point are used internally only ------------- */
+
+  /* Per-signature helper variables ----------------------------------- */
+  pdkim_bodyhash *calc_body_hash;	/* hash to be / being calculated */
+
+  pdkim_stringlist *headers;		/* Raw headers included in the sig */
+
+  /* Signing specific ------------------------------------------------- */
+  uschar * privkey;	     /* Private key                                 */
+  uschar * sign_headers;    /* To-be-signed header names                   */
+  uschar * rawsig_no_b_val; /* Original signature header w/o b= tag value. */
+} pdkim_signature;
+
+
+/* -------------------------------------------------------------------------- */
+/* Context to keep state between all operations. */
+typedef struct pdkim_ctx {
+
+#define PDKIM_MODE_SIGN   BIT(0)	/* if unset, mode==verify */
+#define PDKIM_DOT_TERM	  BIT(1)	/* dot termination and unstuffing */
+#define PDKIM_SEEN_CR	  BIT(2)
+#define PDKIM_SEEN_LF	  BIT(3)
+#define PDKIM_PAST_HDRS	  BIT(4)
+#define PDKIM_SEEN_EOD	  BIT(5)
+  unsigned   flags;
+
+  /* One (signing) or several chained (verification) signatures */
+  pdkim_signature *sig;
+
+  /* One (signing) or several chained (verification) bodyhashes */
+  pdkim_bodyhash *bodyhash;
+
+  /* Callback for dns/txt query method (verification only) */
+  uschar * (*dns_txt_callback)(const uschar *);
+
+  /* Coder's little helpers */
+  gstring   *cur_header;
+  uschar    *linebuf;
+  int        linebuf_offset;
+  int        num_headers;
+  pdkim_stringlist *headers; /* Raw headers for verification         */
+} pdkim_ctx;
+
+
+/******************************************************************************/
+
+typedef struct {
+  const uschar * dkim_hashname;
+  hashmethod	 exim_hashmethod;
+} pdkim_hashtype;
+extern const pdkim_hashtype pdkim_hashes[];
+
+/******************************************************************************/
+
+
+/* -------------------------------------------------------------------------- */
+/* API functions. Please see the sample code in sample/test_sign.c and
+   sample/test_verify.c for documentation.
+*/
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+void	   pdkim_init         (void);
+
+void	   pdkim_init_context (pdkim_ctx *, BOOL, uschar * (*)(const uschar *));
+
+DLLEXPORT
+pdkim_signature *pdkim_init_sign    (pdkim_ctx *,
+			       uschar *, uschar *, uschar *, uschar *,
+			       const uschar **);
+
+DLLEXPORT
+pdkim_ctx *pdkim_init_verify  (uschar * (*)(const uschar *), BOOL);
+
+DLLEXPORT
+void       pdkim_set_optional (pdkim_signature *, char *, char *,int, int,
+                               long,
+                               unsigned long,
+                               unsigned long);
+
+int		pdkim_hashname_to_hashtype(const uschar *, unsigned);
+void		pdkim_cstring_to_canons(const uschar *, unsigned, int *, int *);
+pdkim_bodyhash *pdkim_set_bodyhash(pdkim_ctx *, int, int, long);
+pdkim_bodyhash *pdkim_set_sig_bodyhash(pdkim_ctx *, pdkim_signature *);
+
+DLLEXPORT
+int        pdkim_feed         (pdkim_ctx *, uschar *, int);
+DLLEXPORT
+int        pdkim_feed_finish  (pdkim_ctx *, pdkim_signature **, const uschar **);
+
+DLLEXPORT
+void       pdkim_free_ctx     (pdkim_ctx *);
+
+
+const uschar *	pdkim_errstr(int);
+
+extern uschar *		pdkim_encode_base64(blob *);
+extern void		pdkim_decode_base64(const uschar *, blob *);
+extern void		pdkim_hexprint(const uschar *, int);
+extern void		pdkim_quoteprint(const uschar *, int);
+extern pdkim_pubkey *	pdkim_parse_pubkey_record(const uschar *);
+extern uschar *		pdkim_relax_header_n(const uschar *, int, BOOL);
+extern uschar *		pdkim_relax_header(const uschar *, BOOL);
+extern uschar *		dkim_sig_to_a_tag(const pdkim_signature *);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/pdkim/pdkim_hash.h b/src/pdkim/pdkim_hash.h
new file mode 100644
index 0000000..8f9a126
--- /dev/null
+++ b/src/pdkim/pdkim_hash.h
@@ -0,0 +1,38 @@
+/*
+ *  PDKIM - a RFC4871 (DKIM) implementation
+ *
+ *  Copyright (C) 1995 - 2018  Exim maintainers
+ *
+ *  Hash interface functions
+ */
+
+#include "../exim.h"
+
+#if !defined(HASH_H)	/* entire file */
+#define HASH_H
+
+#ifdef DISABLE_TLS
+# error Must not DISABLE_TLS, for DKIM
+#endif
+
+#include "crypt_ver.h"
+#include "../blob.h"
+#include "../hash.h"
+
+#ifdef SIGN_OPENSSL
+# include <openssl/rsa.h>
+# include <openssl/ssl.h>
+# include <openssl/err.h>
+#elif defined(SIGN_GNUTLS)
+# include <gnutls/gnutls.h>
+# include <gnutls/x509.h>
+#endif
+
+#if defined(SHA_OPENSSL)
+# include "pdkim.h"
+#elif defined(SHA_GCRYPT)
+# include "pdkim.h"
+#endif
+
+#endif
+/* End of File */
diff --git a/src/pdkim/signing.c b/src/pdkim/signing.c
new file mode 100644
index 0000000..d78f31a
--- /dev/null
+++ b/src/pdkim/signing.c
@@ -0,0 +1,903 @@
+/*
+ *  PDKIM - a RFC4871 (DKIM) implementation
+ *  Copyright (c) The Exim Maintainers 1995 - 2022
+ *
+ *  signing/verification interface
+ */
+
+#include "../exim.h"
+#include "crypt_ver.h"
+#include "signing.h"
+
+
+#ifdef MACRO_PREDEF
+# include "../macro_predef.h"
+
+void
+features_crypto(void)
+{
+# ifdef SIGN_HAVE_ED25519
+  builtin_macro_create(US"_CRYPTO_SIGN_ED25519");
+# endif
+# ifdef EXIM_HAVE_SHA3
+  builtin_macro_create(US"_CRYPTO_HASH_SHA3");
+# endif
+}
+#else
+
+#ifndef DISABLE_DKIM	/* rest of file */
+
+#ifdef DISABLE_TLS
+# error Must no DISABLE_TLS, for DKIM
+#endif
+
+
+/******************************************************************************/
+#ifdef SIGN_GNUTLS
+# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL 3
+
+# ifndef GNUTLS_VERIFY_ALLOW_BROKEN
+#  define GNUTLS_VERIFY_ALLOW_BROKEN 0
+# endif
+
+
+/* Logging function which can be registered with
+ *   gnutls_global_set_log_function()
+ *   gnutls_global_set_log_level() 0..9
+ */
+#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
+static void
+exim_gnutls_logger_cb(int level, const char *message)
+{
+size_t len = strlen(message);
+if (len < 1)
+  {
+  DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
+  return;
+  }
+DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
+    message[len-1] == '\n' ? "" : "\n");
+}
+#endif
+
+
+
+void
+exim_dkim_init(void)
+{
+#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
+DEBUG(D_tls)
+  {
+  gnutls_global_set_log_function(exim_gnutls_logger_cb);
+  /* arbitrarily chosen level; bump upto 9 for more */
+  gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
+  }
+#endif
+}
+
+
+/* accumulate data (gnutls-only).  String to be appended must be nul-terminated. */
+gstring *
+exim_dkim_data_append(gstring * g, uschar * s)
+{
+return string_cat(g, s);
+}
+
+
+
+/* import private key from PEM string in memory.
+Return: NULL for success, or an error string */
+
+const uschar *
+exim_dkim_signing_init(const uschar * privkey_pem, es_ctx * sign_ctx)
+{
+gnutls_datum_t k = { .data = (void *)privkey_pem, .size = Ustrlen(privkey_pem) };
+gnutls_x509_privkey_t x509_key;
+const uschar * where;
+int rc;
+
+if (  (where = US"internal init", rc = gnutls_x509_privkey_init(&x509_key))
+   || (rc = gnutls_privkey_init(&sign_ctx->key))
+   || (where = US"privkey PEM-block import",
+       rc = gnutls_x509_privkey_import(x509_key, &k, GNUTLS_X509_FMT_PEM))
+   || (where = US"internal privkey transfer",
+       rc = gnutls_privkey_import_x509(sign_ctx->key, x509_key, 0))
+   )
+  return string_sprintf("%s: %s", where, gnutls_strerror(rc));
+
+switch (rc = gnutls_privkey_get_pk_algorithm(sign_ctx->key, NULL))
+  {
+  case GNUTLS_PK_RSA:		sign_ctx->keytype = KEYTYPE_RSA;     break;
+#ifdef SIGN_HAVE_ED25519
+  case GNUTLS_PK_EDDSA_ED25519:	sign_ctx->keytype = KEYTYPE_ED25519; break;
+#endif
+  default: return rc < 0
+    ? CUS gnutls_strerror(rc)
+    : string_sprintf("Unhandled key type: %d '%s'", rc, gnutls_pk_get_name(rc));
+  }
+
+return NULL;
+}
+
+
+
+/* allocate mem for signature (when signing) */
+/* hash & sign data.   No way to do incremental.
+
+Return: NULL for success, or an error string */
+
+const uschar *
+exim_dkim_sign(es_ctx * sign_ctx, hashmethod hash, blob * data, blob * sig)
+{
+gnutls_datum_t k_data = { .data = data->data, .size = data->len };
+gnutls_digest_algorithm_t dig;
+gnutls_datum_t k_sig;
+int rc;
+
+switch (hash)
+  {
+  case HASH_SHA1:	dig = GNUTLS_DIG_SHA1; break;
+  case HASH_SHA2_256:	dig = GNUTLS_DIG_SHA256; break;
+  case HASH_SHA2_512:	dig = GNUTLS_DIG_SHA512; break;
+  default:		return US"nonhandled hash type";
+  }
+
+if ((rc = gnutls_privkey_sign_data(sign_ctx->key, dig, 0, &k_data, &k_sig)))
+  return CUS gnutls_strerror(rc);
+
+/* Don't care about deinit for the key; shortlived process */
+
+sig->data = k_sig.data;
+sig->len = k_sig.size;
+return NULL;
+}
+
+
+
+/* import public key (from blob in memory)
+Return: NULL for success, or an error string */
+
+const uschar *
+exim_dkim_verify_init(blob * pubkey, keyformat fmt, ev_ctx * verify_ctx,
+  unsigned * bits)
+{
+gnutls_datum_t k;
+int rc;
+const uschar * ret = NULL;
+
+gnutls_pubkey_init(&verify_ctx->key);
+k.data = pubkey->data;
+k.size = pubkey->len;
+
+switch(fmt)
+  {
+  case KEYFMT_DER:
+    if ((rc = gnutls_pubkey_import(verify_ctx->key, &k, GNUTLS_X509_FMT_DER)))
+      ret = US gnutls_strerror(rc);
+    break;
+#ifdef SIGN_HAVE_ED25519
+  case KEYFMT_ED25519_BARE:
+    if ((rc = gnutls_pubkey_import_ecc_raw(verify_ctx->key,
+					  GNUTLS_ECC_CURVE_ED25519, &k, NULL)))
+      ret = US gnutls_strerror(rc);
+    break;
+#endif
+  default:
+    ret = US"pubkey format not handled";
+    break;
+  }
+if (!ret && bits) gnutls_pubkey_get_pk_algorithm(verify_ctx->key, bits);
+return ret;
+}
+
+
+/* verify signature (of hash if RSA sig, of data if EC sig.  No way to do incremental)
+(given pubkey & alleged sig)
+Return: NULL for success, or an error string */
+
+const uschar *
+exim_dkim_verify(ev_ctx * verify_ctx, hashmethod hash, blob * data_hash, blob * sig)
+{
+gnutls_datum_t k = { .data = data_hash->data, .size = data_hash->len };
+gnutls_datum_t s = { .data = sig->data,       .size = sig->len };
+int rc;
+const uschar * ret = NULL;
+
+#ifdef SIGN_HAVE_ED25519
+if (verify_ctx->keytype == KEYTYPE_ED25519)
+  {
+  if ((rc = gnutls_pubkey_verify_data2(verify_ctx->key,
+				      GNUTLS_SIGN_EDDSA_ED25519, 0, &k, &s)) < 0)
+    ret = US gnutls_strerror(rc);
+  }
+else
+#endif
+  {
+  gnutls_sign_algorithm_t algo;
+  switch (hash)
+    {
+    case HASH_SHA1:	algo = GNUTLS_SIGN_RSA_SHA1;   break;
+    case HASH_SHA2_256:	algo = GNUTLS_SIGN_RSA_SHA256; break;
+    case HASH_SHA2_512:	algo = GNUTLS_SIGN_RSA_SHA512; break;
+    default:		return US"nonhandled hash type";
+    }
+
+  if ((rc = gnutls_pubkey_verify_hash2(verify_ctx->key, algo,
+	      GNUTLS_VERIFY_ALLOW_BROKEN, &k, &s)) < 0)
+    ret = US gnutls_strerror(rc);
+  }
+
+gnutls_pubkey_deinit(verify_ctx->key);
+return ret;
+}
+
+
+
+
+#elif defined(SIGN_GCRYPT)
+/******************************************************************************/
+/* This variant is used under pre-3.0.0 GnuTLS.  Only rsa-sha1 and rsa-sha256 */
+
+
+/* Internal service routine:
+Read and move past an asn.1 header, checking class & tag,
+optionally returning the data-length */
+
+static int
+as_tag(blob * der, uschar req_cls, long req_tag, long * alen)
+{
+int rc;
+uschar tag_class;
+int taglen;
+long tag, len;
+
+debug_printf_indent("as_tag: %02x %02x %02x %02x\n",
+	der->data[0], der->data[1], der->data[2], der->data[3]);
+
+if ((rc = asn1_get_tag_der(der->data++, der->len--, &tag_class, &taglen, &tag))
+    != ASN1_SUCCESS)
+  return rc;
+
+if (tag_class != req_cls || tag != req_tag) return ASN1_ELEMENT_NOT_FOUND;
+
+if ((len = asn1_get_length_der(der->data, der->len, &taglen)) < 0)
+  return ASN1_DER_ERROR;
+if (alen) *alen = len;
+
+/* debug_printf_indent("as_tag:  tlen %d dlen %d\n", taglen, (int)len); */
+
+der->data += taglen;
+der->len -= taglen;
+return rc;
+}
+
+/* Internal service routine:
+Read and move over an asn.1 integer, setting an MPI to the value
+*/
+
+static uschar *
+as_mpi(blob * der, gcry_mpi_t * mpi)
+{
+long alen;
+int rc;
+gcry_error_t gerr;
+
+debug_printf_indent("%s\n", __FUNCTION__);
+
+/* integer; move past the header */
+if ((rc = as_tag(der, 0, ASN1_TAG_INTEGER, &alen)) != ASN1_SUCCESS)
+  return US asn1_strerror(rc);
+
+/* read to an MPI */
+if ((gerr = gcry_mpi_scan(mpi, GCRYMPI_FMT_STD, der->data, alen, NULL)))
+  return US gcry_strerror(gerr);
+
+/* move over the data */
+der->data += alen; der->len -= alen;
+return NULL;
+}
+
+
+
+void
+exim_dkim_init(void)
+{
+/* Version check should be the very first call because it
+makes sure that important subsystems are initialized. */
+if (!gcry_check_version (GCRYPT_VERSION))
+  {
+  fputs ("libgcrypt version mismatch\n", stderr);
+  exit (2);
+  }
+
+/* We don't want to see any warnings, e.g. because we have not yet
+parsed program options which might be used to suppress such
+warnings. */
+gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
+
+/* ... If required, other initialization goes here.  Note that the
+process might still be running with increased privileges and that
+the secure memory has not been initialized.  */
+
+/* Allocate a pool of 16k secure memory.  This make the secure memory
+available and also drops privileges where needed.  */
+gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
+
+/* It is now okay to let Libgcrypt complain when there was/is
+a problem with the secure memory. */
+gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
+
+/* ... If required, other initialization goes here.  */
+
+/* Tell Libgcrypt that initialization has completed. */
+gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+
+return;
+}
+
+
+
+
+/* Accumulate data (gnutls-only).
+String to be appended must be nul-terminated. */
+
+gstring *
+exim_dkim_data_append(gstring * g, uschar * s)
+{
+return g;	/*dummy*/
+}
+
+
+
+/* import private key from PEM string in memory.
+Only handles RSA keys.
+Return: NULL for success, or an error string */
+
+const uschar *
+exim_dkim_signing_init(const uschar * privkey_pem, es_ctx * sign_ctx)
+{
+uschar * s1, * s2;
+blob der;
+long alen;
+int rc;
+
+/*XXX will need extension to _spot_ as well as handle a
+non-RSA key?  I think...
+So... this is not a PrivateKeyInfo - which would have a field
+identifying the keytype - PrivateKeyAlgorithmIdentifier -
+but a plain RSAPrivateKey (wrapped in PEM-headers.  Can we
+use those as a type tag?  What forms are there?  "BEGIN EC PRIVATE KEY" (cf. ec(1ssl))
+
+How does OpenSSL PEM_read_bio_PrivateKey() deal with it?
+gnutls_x509_privkey_import() ?
+*/
+
+/*
+ *  RSAPrivateKey ::= SEQUENCE
+ *      version           Version,
+ *      modulus           INTEGER,  -- n
+ *      publicExponent    INTEGER,  -- e
+ *      privateExponent   INTEGER,  -- d
+ *      prime1            INTEGER,  -- p
+ *      prime2            INTEGER,  -- q
+ *      exponent1         INTEGER,  -- d mod (p-1)
+ *      exponent2         INTEGER,  -- d mod (q-1)
+ *      coefficient       INTEGER,  -- (inverse of q) mod p
+ *      otherPrimeInfos   OtherPrimeInfos OPTIONAL
+
+ * ECPrivateKey ::= SEQUENCE {
+ *     version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+ *     privateKey     OCTET STRING,
+ *     parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+ *     publicKey  [1] BIT STRING OPTIONAL
+ *   }
+ * Hmm, only 1 useful item, and not even an integer?  Wonder how we might use it...
+
+- actually, gnutls_x509_privkey_import() appears to require a curve name parameter
+	value for that is an OID? a local-only integer (it's an enum in GnuTLS)?
+
+
+Useful cmds:
+  ssh-keygen -t ecdsa -f foo.privkey
+  ssh-keygen -t ecdsa -b384 -f foo.privkey
+  ssh-keygen -t ecdsa -b521 -f foo.privkey
+  ssh-keygen -t ed25519 -f foo.privkey
+
+  < foo openssl pkcs8 -in /dev/stdin -inform PEM -nocrypt -topk8 -outform DER | od -x
+
+  openssl asn1parse -in foo -inform PEM -dump
+  openssl asn1parse -in foo -inform PEM -dump -stroffset 24    (??)
+(not good for ed25519)
+
+ */
+
+if (  !(s1 = Ustrstr(CS privkey_pem, "-----BEGIN RSA PRIVATE KEY-----"))
+   || !(s2 = Ustrstr(CS (s1+=31),    "-----END RSA PRIVATE KEY-----" ))
+   )
+  return US"Bad PEM wrapper";
+
+*s2 = '\0';
+
+if ((rc = b64decode(s1, &der.data) < 0))
+  return US"Bad PEM-DER b64 decode";
+der.len = rc;
+
+/* untangle asn.1 */
+
+/* sequence; just move past the header */
+if ((rc = as_tag(&der, ASN1_CLASS_STRUCTURED, ASN1_TAG_SEQUENCE, NULL))
+   != ASN1_SUCCESS) goto asn_err;
+
+/* integer version; move past the header, check is zero */
+if ((rc = as_tag(&der, 0, ASN1_TAG_INTEGER, &alen)) != ASN1_SUCCESS)
+  goto asn_err;
+if (alen != 1 || *der.data != 0)
+  return US"Bad version number";
+der.data++; der.len--;
+
+if (  (s1 = as_mpi(&der, &sign_ctx->n))
+   || (s1 = as_mpi(&der, &sign_ctx->e))
+   || (s1 = as_mpi(&der, &sign_ctx->d))
+   || (s1 = as_mpi(&der, &sign_ctx->p))
+   || (s1 = as_mpi(&der, &sign_ctx->q))
+   || (s1 = as_mpi(&der, &sign_ctx->dp))
+   || (s1 = as_mpi(&der, &sign_ctx->dq))
+   || (s1 = as_mpi(&der, &sign_ctx->qp))
+   )
+  return s1;
+
+#ifdef extreme_debug
+DEBUG(D_acl) debug_printf_indent("rsa_signing_init:\n");
+  {
+  uschar * s;
+  gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->n);
+  debug_printf_indent(" N : %s\n", s);
+  gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->e);
+  debug_printf_indent(" E : %s\n", s);
+  gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->d);
+  debug_printf_indent(" D : %s\n", s);
+  gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->p);
+  debug_printf_indent(" P : %s\n", s);
+  gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->q);
+  debug_printf_indent(" Q : %s\n", s);
+  gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->dp);
+  debug_printf_indent(" DP: %s\n", s);
+  gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->dq);
+  debug_printf_indent(" DQ: %s\n", s);
+  gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, sign_ctx->qp);
+  debug_printf_indent(" QP: %s\n", s);
+  }
+#endif
+
+sign_ctx->keytype = KEYTYPE_RSA;
+return NULL;
+
+asn_err: return US asn1_strerror(rc);
+}
+
+
+
+/* allocate mem for signature (when signing) */
+/* sign already-hashed data.
+
+Return: NULL for success, or an error string */
+
+const uschar *
+exim_dkim_sign(es_ctx * sign_ctx, hashmethod hash, blob * data, blob * sig)
+{
+char * sexp_hash;
+gcry_sexp_t s_hash = NULL, s_key = NULL, s_sig = NULL;
+gcry_mpi_t m_sig;
+uschar * errstr;
+gcry_error_t gerr;
+
+/*XXX will need extension for hash types (though, possibly, should
+be re-specced to not rehash but take an already-hashed value? Actually
+current impl looks WRONG - it _is_ given a hash so should not be
+re-hashing.  Has this been tested?
+
+Will need extension for non-RSA sugning algos. */
+
+switch (hash)
+  {
+  case HASH_SHA1:	sexp_hash = "(data(flags pkcs1)(hash sha1 %b))"; break;
+  case HASH_SHA2_256:	sexp_hash = "(data(flags pkcs1)(hash sha256 %b))"; break;
+  default:		return US"nonhandled hash type";
+  }
+
+#define SIGSPACE 128
+sig->data = store_get(SIGSPACE, GET_UNTAINTED);
+
+if (gcry_mpi_cmp (sign_ctx->p, sign_ctx->q) > 0)
+  {
+  gcry_mpi_swap (sign_ctx->p, sign_ctx->q);
+  gcry_mpi_invm (sign_ctx->qp, sign_ctx->p, sign_ctx->q);
+  }
+
+if (  (gerr = gcry_sexp_build (&s_key, NULL,
+		"(private-key (rsa (n%m)(e%m)(d%m)(p%m)(q%m)(u%m)))",
+		sign_ctx->n, sign_ctx->e,
+		sign_ctx->d, sign_ctx->p,
+		sign_ctx->q, sign_ctx->qp))
+   || (gerr = gcry_sexp_build (&s_hash, NULL, sexp_hash,
+		(int) data->len, CS data->data))
+   ||  (gerr = gcry_pk_sign (&s_sig, s_hash, s_key))
+   )
+  return US gcry_strerror(gerr);
+
+/* gcry_sexp_dump(s_sig); */
+
+if (  !(s_sig = gcry_sexp_find_token(s_sig, "s", 0))
+   )
+  return US"no sig result";
+
+m_sig = gcry_sexp_nth_mpi(s_sig, 1, GCRYMPI_FMT_USG);
+
+#ifdef extreme_debug
+DEBUG(D_acl)
+  {
+  uschar * s;
+  gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, m_sig);
+  debug_printf_indent(" SG: %s\n", s);
+  }
+#endif
+
+gerr = gcry_mpi_print(GCRYMPI_FMT_USG, sig->data, SIGSPACE, &sig->len, m_sig);
+if (gerr)
+  {
+  debug_printf_indent("signature conversion from MPI to buffer failed\n");
+  return US gcry_strerror(gerr);
+  }
+#undef SIGSPACE
+
+return NULL;
+}
+
+
+/* import public key (from blob in memory)
+Return: NULL for success, or an error string */
+
+const uschar *
+exim_dkim_verify_init(blob * pubkey, keyformat fmt, ev_ctx * verify_ctx,
+  unsigned * bits)
+{
+/*
+in code sequence per b81207d2bfa92 rsa_parse_public_key() and asn1_get_mpi()
+*/
+uschar tag_class;
+int taglen;
+long alen;
+unsigned nbits;
+int rc;
+uschar * errstr;
+gcry_error_t gerr;
+uschar * stage = US"S1";
+
+if (fmt != KEYFMT_DER) return US"pubkey format not handled";
+
+/*
+sequence
+ sequence
+  OBJECT:rsaEncryption
+  NULL
+ BIT STRING:RSAPublicKey
+  sequence
+   INTEGER:Public modulus
+   INTEGER:Public exponent
+
+openssl rsa -in aux-fixed/dkim/dkim.private -pubout -outform DER | od -t x1 | head;
+openssl rsa -in aux-fixed/dkim/dkim.private -pubout | openssl asn1parse -dump;
+openssl rsa -in aux-fixed/dkim/dkim.private -pubout | openssl asn1parse -dump -offset 22;
+*/
+
+/* sequence; just move past the header */
+if ((rc = as_tag(pubkey, ASN1_CLASS_STRUCTURED, ASN1_TAG_SEQUENCE, NULL))
+   != ASN1_SUCCESS) goto asn_err;
+
+/* sequence; skip the entire thing */
+DEBUG(D_acl) stage = US"S2";
+if ((rc = as_tag(pubkey, ASN1_CLASS_STRUCTURED, ASN1_TAG_SEQUENCE, &alen))
+   != ASN1_SUCCESS) goto asn_err;
+pubkey->data += alen; pubkey->len -= alen;
+
+
+/* bitstring: limit range to size of bitstring;
+move over header + content wrapper */
+DEBUG(D_acl) stage = US"BS";
+if ((rc = as_tag(pubkey, 0, ASN1_TAG_BIT_STRING, &alen)) != ASN1_SUCCESS)
+  goto asn_err;
+pubkey->len = alen;
+pubkey->data++; pubkey->len--;
+
+/* sequence; just move past the header */
+DEBUG(D_acl) stage = US"S3";
+if ((rc = as_tag(pubkey, ASN1_CLASS_STRUCTURED, ASN1_TAG_SEQUENCE, NULL))
+   != ASN1_SUCCESS) goto asn_err;
+
+/* read two integers */
+DEBUG(D_acl) stage = US"MPI";
+nbits = pubkey->len;
+if ((errstr = as_mpi(pubkey, &verify_ctx->n))) return errstr;
+nbits = (nbits - pubkey->len) * 8;
+if ((errstr = as_mpi(pubkey, &verify_ctx->e))) return errstr;
+
+#ifdef extreme_debug
+DEBUG(D_acl) debug_printf_indent("rsa_verify_init:\n");
+	{
+	uschar * s;
+	gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, verify_ctx->n);
+	debug_printf_indent(" N : %s\n", s);
+	gcry_mpi_aprint (GCRYMPI_FMT_HEX, &s, NULL, verify_ctx->e);
+	debug_printf_indent(" E : %s\n", s);
+	}
+
+#endif
+if (bits) *bits = nbits;
+return NULL;
+
+asn_err:
+DEBUG(D_acl) return string_sprintf("%s: %s", stage, asn1_strerror(rc));
+	     return US asn1_strerror(rc);
+}
+
+
+/* verify signature (of hash)
+XXX though we appear to be doing a hash, too!
+(given pubkey & alleged sig)
+Return: NULL for success, or an error string */
+
+const uschar *
+exim_dkim_verify(ev_ctx * verify_ctx, hashmethod hash, blob * data_hash, blob * sig)
+{
+/*
+cf. libgnutls 2.8.5 _wrap_gcry_pk_verify()
+*/
+char * sexp_hash;
+gcry_mpi_t m_sig;
+gcry_sexp_t s_sig = NULL, s_hash = NULL, s_pkey = NULL;
+gcry_error_t gerr;
+uschar * stage;
+
+/*XXX needs extension for SHA512 */
+switch (hash)
+  {
+  case HASH_SHA1:     sexp_hash = "(data(flags pkcs1)(hash sha1 %b))"; break;
+  case HASH_SHA2_256: sexp_hash = "(data(flags pkcs1)(hash sha256 %b))"; break;
+  default:	      return US"nonhandled hash type";
+  }
+
+if (  (stage = US"pkey sexp build",
+       gerr = gcry_sexp_build (&s_pkey, NULL, "(public-key(rsa(n%m)(e%m)))",
+		        verify_ctx->n, verify_ctx->e))
+   || (stage = US"data sexp build",
+       gerr = gcry_sexp_build (&s_hash, NULL, sexp_hash,
+		(int) data_hash->len, CS data_hash->data))
+   || (stage = US"sig mpi scan",
+       gerr = gcry_mpi_scan(&m_sig, GCRYMPI_FMT_USG, sig->data, sig->len, NULL))
+   || (stage = US"sig sexp build",
+       gerr = gcry_sexp_build (&s_sig, NULL, "(sig-val(rsa(s%m)))", m_sig))
+   || (stage = US"verify",
+       gerr = gcry_pk_verify (s_sig, s_hash, s_pkey))
+   )
+  {
+  DEBUG(D_acl) debug_printf_indent("verify: error in stage '%s'\n", stage);
+  return US gcry_strerror(gerr);
+  }
+
+if (s_sig) gcry_sexp_release (s_sig);
+if (s_hash) gcry_sexp_release (s_hash);
+if (s_pkey) gcry_sexp_release (s_pkey);
+gcry_mpi_release (m_sig);
+gcry_mpi_release (verify_ctx->n);
+gcry_mpi_release (verify_ctx->e);
+
+return NULL;
+}
+
+
+
+
+#elif defined(SIGN_OPENSSL)
+/******************************************************************************/
+
+void
+exim_dkim_init(void)
+{
+ERR_load_crypto_strings();
+}
+
+
+/* accumulate data (was gnutls-only but now needed for OpenSSL non-EC too
+because now using hash-and-sign interface) */
+gstring *
+exim_dkim_data_append(gstring * g, uschar * s)
+{
+return string_cat(g, s);
+}
+
+
+/* import private key from PEM string in memory.
+Return: NULL for success, or an error string */
+
+const uschar *
+exim_dkim_signing_init(const uschar * privkey_pem, es_ctx * sign_ctx)
+{
+BIO * bp = BIO_new_mem_buf((void *)privkey_pem, -1);
+
+if (!(sign_ctx->key = PEM_read_bio_PrivateKey(bp, NULL, NULL, NULL)))
+  return string_sprintf("privkey PEM-block import: %s",
+		       	ERR_error_string(ERR_get_error(), NULL));
+
+sign_ctx->keytype =
+#ifdef SIGN_HAVE_ED25519
+	EVP_PKEY_type(EVP_PKEY_id(sign_ctx->key)) == EVP_PKEY_ED25519
+	  ? KEYTYPE_ED25519 : KEYTYPE_RSA;
+#else
+	KEYTYPE_RSA;
+#endif
+return NULL;
+}
+
+
+
+/* allocate mem for signature (when signing) */
+/* hash & sign data.  Incremental not supported.
+
+Return: NULL for success with the signaature in the sig blob, or an error string */
+
+const uschar *
+exim_dkim_sign(es_ctx * sign_ctx, hashmethod hash, blob * data, blob * sig)
+{
+const EVP_MD * md;
+EVP_MD_CTX * ctx;
+size_t siglen;
+
+switch (hash)
+  {
+  case HASH_NULL:	md = NULL;	   break;	/* Ed25519 signing */
+  case HASH_SHA1:	md = EVP_sha1();   break;
+  case HASH_SHA2_256:	md = EVP_sha256(); break;
+  case HASH_SHA2_512:	md = EVP_sha512(); break;
+  default:		return US"nonhandled hash type";
+  }
+
+#ifdef SIGN_HAVE_ED25519
+if (  (ctx = EVP_MD_CTX_new())
+   && EVP_DigestSignInit(ctx, NULL, md, NULL, sign_ctx->key) > 0
+   && EVP_DigestSign(ctx, NULL, &siglen, NULL, 0) > 0
+   && (sig->data = store_get(siglen, GET_UNTAINTED))
+
+   /* Obtain the signature (slen could change here!) */
+   && EVP_DigestSign(ctx, sig->data, &siglen, data->data, data->len) > 0
+   )
+  {
+  EVP_MD_CTX_destroy(ctx);
+  sig->len = siglen;
+  return NULL;
+  }
+#else
+/*XXX renamed to EVP_MD_CTX_new() in 1.1.0 */
+if (  (ctx = EVP_MD_CTX_create())
+   && EVP_DigestSignInit(ctx, NULL, md, NULL, sign_ctx->key) > 0
+   && EVP_DigestSignUpdate(ctx, data->data, data->len) > 0
+   && EVP_DigestSignFinal(ctx, NULL, &siglen) > 0
+   && (sig->data = store_get(siglen, GET_UNTAINTED))
+ 
+   /* Obtain the signature (slen could change here!) */
+   && EVP_DigestSignFinal(ctx, sig->data, &siglen) > 0
+   )
+  {
+  EVP_MD_CTX_destroy(ctx);
+  sig->len = siglen;
+  return NULL;
+  }
+#endif
+
+if (ctx) EVP_MD_CTX_destroy(ctx);
+return US ERR_error_string(ERR_get_error(), NULL);
+}
+
+
+
+/* import public key (from blob in memory)
+Return: NULL for success, or an error string */
+
+const uschar *
+exim_dkim_verify_init(blob * pubkey, keyformat fmt, ev_ctx * verify_ctx,
+  unsigned * bits)
+{
+const uschar * s = pubkey->data;
+uschar * ret = NULL;
+
+switch(fmt)
+  {
+  case KEYFMT_DER:
+    /*XXX hmm, we never free this */
+    if (!(verify_ctx->key = d2i_PUBKEY(NULL, &s, pubkey->len)))
+      ret = US ERR_error_string(ERR_get_error(), NULL);
+    break;
+#ifdef SIGN_HAVE_ED25519
+  case KEYFMT_ED25519_BARE:
+    if (!(verify_ctx->key = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, NULL,
+							s, pubkey->len)))
+      ret = US ERR_error_string(ERR_get_error(), NULL);
+    break;
+#endif
+  default:
+    ret = US"pubkey format not handled";
+    break;
+  }
+
+if (!ret && bits) *bits = EVP_PKEY_bits(verify_ctx->key);
+return ret;
+}
+
+
+
+
+/* verify signature (of hash, except Ed25519 where of-data)
+(given pubkey & alleged sig)
+Return: NULL for success, or an error string */
+
+const uschar *
+exim_dkim_verify(ev_ctx * verify_ctx, hashmethod hash, blob * data, blob * sig)
+{
+const EVP_MD * md;
+
+switch (hash)
+  {
+  case HASH_NULL:	md = NULL;	   break;
+  case HASH_SHA1:	md = EVP_sha1();   break;
+  case HASH_SHA2_256:	md = EVP_sha256(); break;
+  case HASH_SHA2_512:	md = EVP_sha512(); break;
+  default:		return US"nonhandled hash type";
+  }
+
+#ifdef SIGN_HAVE_ED25519
+if (!md)
+  {
+  EVP_MD_CTX * ctx;
+
+  if ((ctx = EVP_MD_CTX_new()))
+    {
+    if (  EVP_DigestVerifyInit(ctx, NULL, md, NULL, verify_ctx->key) > 0
+       && EVP_DigestVerify(ctx, sig->data, sig->len, data->data, data->len) > 0
+       )
+      { EVP_MD_CTX_free(ctx); return NULL; }
+    EVP_MD_CTX_free(ctx);
+    }
+  }
+else
+#endif
+  {
+  EVP_PKEY_CTX * ctx;
+
+  if ((ctx = EVP_PKEY_CTX_new(verify_ctx->key, NULL)))
+    {
+    if (  EVP_PKEY_verify_init(ctx) > 0
+       && EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) > 0
+       && EVP_PKEY_CTX_set_signature_md(ctx, md) > 0
+       && EVP_PKEY_verify(ctx, sig->data, sig->len,
+				      data->data, data->len) == 1
+       )
+      { EVP_PKEY_CTX_free(ctx); return NULL; }
+    EVP_PKEY_CTX_free(ctx);
+
+    DEBUG(D_tls)
+      if (Ustrcmp(ERR_reason_error_string(ERR_peek_error()), "wrong signature length") == 0)
+	debug_printf("sig len (from msg hdr): %d, expected (from dns pubkey) %d\n",
+	 (int) sig->len, EVP_PKEY_size(verify_ctx->key));
+    }
+  }
+
+return US ERR_error_string(ERR_get_error(), NULL);
+}
+
+
+
+#endif
+/******************************************************************************/
+
+#endif	/*DISABLE_DKIM*/
+#endif	/*MACRO_PREDEF*/
+/* End of File */
diff --git a/src/pdkim/signing.h b/src/pdkim/signing.h
new file mode 100644
index 0000000..ed6f397
--- /dev/null
+++ b/src/pdkim/signing.h
@@ -0,0 +1,97 @@
+/*
+ *  PDKIM - a RFC4871 (DKIM) implementation
+ *
+ *  Copyright (C) 1995 - 2020  Exim maintainers
+ *
+ *  RSA signing/verification interface
+ */
+
+#include "../exim.h"
+
+#ifndef DISABLE_DKIM	/* entire file */
+
+#include "crypt_ver.h"
+
+#ifdef SIGN_OPENSSL
+# include <openssl/rsa.h>
+# include <openssl/ssl.h>
+# include <openssl/err.h>
+#elif defined(SIGN_GNUTLS)
+# include <gnutls/gnutls.h>
+# include <gnutls/x509.h>
+# include <gnutls/abstract.h>
+#elif defined(SIGN_GCRYPT)
+# include <gcrypt.h>
+# include <libtasn1.h>
+#endif
+
+#include "../blob.h"
+
+typedef enum {
+  KEYTYPE_RSA,
+  KEYTYPE_ED25519
+} keytype;
+
+typedef enum {
+  KEYFMT_DER,		/* an asn.1 structure */
+  KEYFMT_ED25519_BARE	/* just the key */
+} keyformat;
+
+
+#ifdef SIGN_OPENSSL
+
+typedef struct {
+  keytype	keytype;
+  EVP_PKEY *	key;
+} es_ctx;
+
+typedef struct {
+  keytype	keytype;
+  EVP_PKEY *	key;
+} ev_ctx;
+
+#elif defined(SIGN_GNUTLS)
+
+typedef struct {
+  keytype	keytype;
+  gnutls_privkey_t key;
+} es_ctx;
+
+typedef struct {
+  keytype	keytype;
+  gnutls_pubkey_t key;
+} ev_ctx;
+
+#elif defined(SIGN_GCRYPT)
+
+typedef struct {
+  keytype	keytype;
+  gcry_mpi_t n;
+  gcry_mpi_t e;
+  gcry_mpi_t d;
+  gcry_mpi_t p;
+  gcry_mpi_t q;
+  gcry_mpi_t dp;
+  gcry_mpi_t dq;
+  gcry_mpi_t qp;
+} es_ctx;
+
+typedef struct {
+  keytype	keytype;
+  gcry_mpi_t n;
+  gcry_mpi_t e;
+} ev_ctx;
+
+#endif
+
+
+extern void exim_dkim_init(void);
+extern gstring * exim_dkim_data_append(gstring *, uschar *);
+
+extern const uschar * exim_dkim_signing_init(const uschar *, es_ctx *);
+extern const uschar * exim_dkim_sign(es_ctx *, hashmethod, blob *, blob *);
+extern const uschar * exim_dkim_verify_init(blob *, keyformat, ev_ctx *, unsigned *);
+extern const uschar * exim_dkim_verify(ev_ctx *, hashmethod, blob *, blob *);
+
+#endif	/*DISABLE_DKIM*/
+/* End of File */
diff --git a/src/perl.c b/src/perl.c
new file mode 100644
index 0000000..f07ee2e
--- /dev/null
+++ b/src/perl.c
@@ -0,0 +1,201 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 1999 - 2022 */
+/* Copyright (c) 1998 Malcolm Beattie */
+
+/* Modified by PH to get rid of the "na" usage, March 1999.
+   Modified further by PH for general tidying for Exim 4.
+   Threaded Perl support added by Stefan Traby, Nov 2002
+*/
+
+
+/* This Perl add-on can be distributed under the same terms as Exim itself. */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include <assert.h>
+
+#define HINTSDB_H
+#define DBFUNCTIONS_H
+
+#include "exim.h"
+
+#define EXIM_TRUE TRUE
+#undef TRUE
+
+#define EXIM_FALSE FALSE
+#undef FALSE
+
+#define EXIM_DEBUG DEBUG
+#undef DEBUG
+
+#include <EXTERN.h>
+#include <perl.h>
+#include <XSUB.h>
+
+#ifndef ERRSV
+#define ERRSV (GvSV(errgv))
+#endif
+
+/* Some people like very old perl versions, so avoid any build side-effects. */
+
+#ifndef pTHX
+# define pTHX
+# define pTHX_
+#endif
+#ifndef EXTERN_C
+# define EXTERN_C extern
+#endif
+
+EXTERN_C void boot_DynaLoader(pTHX_ CV *cv);
+
+
+static PerlInterpreter *interp_perl = 0;
+
+XS(xs_expand_string)
+{
+  dXSARGS;
+  uschar *str;
+  STRLEN len;
+
+  if (items != 1)
+    croak("Usage: Exim::expand_string(string)");
+
+  str = expand_string(US SvPV(ST(0), len));
+  ST(0) = sv_newmortal();
+  if (str != NULL)
+    sv_setpv(ST(0), CCS  str);
+  else if (!f.expand_string_forcedfail)
+    croak("syntax error in Exim::expand_string argument: %s",
+      expand_string_message);
+}
+
+XS(xs_debug_write)
+{
+  dXSARGS;
+  STRLEN len;
+  if (items != 1)
+    croak("Usage: Exim::debug_write(string)");
+  debug_printf("%s", US SvPV(ST(0), len));
+}
+
+XS(xs_log_write)
+{
+  dXSARGS;
+  STRLEN len;
+  if (items != 1)
+    croak("Usage: Exim::log_write(string)");
+  log_write(0, LOG_MAIN, "%s", US SvPV(ST(0), len));
+}
+
+static void  xs_init(pTHX)
+{
+  char *file = __FILE__;
+  newXS("DynaLoader::boot_DynaLoader", boot_DynaLoader, file);
+  newXS("Exim::expand_string", xs_expand_string, file);
+  newXS("Exim::debug_write", xs_debug_write, file);
+  newXS("Exim::log_write", xs_log_write, file);
+}
+
+uschar *
+init_perl(uschar *startup_code)
+{
+  static int argc = 1;
+  static char *argv[4] = { "exim-perl" };
+  SV *sv;
+  STRLEN len;
+
+  if (opt_perl_taintmode) argv[argc++] = "-T";
+  argv[argc++] = "/dev/null";
+  argv[argc] = 0;
+
+  assert(sizeof(argv)/sizeof(argv[0]) > argc);
+
+  if (interp_perl) return 0;
+  interp_perl = perl_alloc();
+  perl_construct(interp_perl);
+  perl_parse(interp_perl, xs_init, argc, argv, 0);
+  perl_run(interp_perl);
+    {
+    dSP;
+
+    /*********************************************************************/
+    /* These lines by PH added to make "warn" output go to the Exim log; I
+    hope this doesn't break anything. */
+
+    sv = newSVpv(
+      "$SIG{__WARN__} = sub { my($s) = $_[0];"
+      "$s =~ s/\\n$//;"
+      "Exim::log_write($s) };", 0);
+    PUSHMARK(SP);
+    perl_eval_sv(sv, G_SCALAR|G_DISCARD|G_KEEPERR);
+    SvREFCNT_dec(sv);
+    if (SvTRUE(ERRSV)) return US SvPV(ERRSV, len);
+    /*********************************************************************/
+
+    sv = newSVpv(CS startup_code, 0);
+    PUSHMARK(SP);
+    perl_eval_sv(sv, G_SCALAR|G_DISCARD|G_KEEPERR);
+    SvREFCNT_dec(sv);
+    if (SvTRUE(ERRSV)) return US SvPV(ERRSV, len);
+
+    setlocale(LC_ALL, "C");    /* In case it got changed */
+    return NULL;
+    }
+}
+
+void
+cleanup_perl(void)
+{
+  if (!interp_perl)
+    return;
+  perl_destruct(interp_perl);
+  perl_free(interp_perl);
+  interp_perl = 0;
+}
+
+gstring *
+call_perl_cat(gstring * yield, uschar **errstrp, uschar *name, uschar **arg)
+{
+  dSP;
+  SV *sv;
+  STRLEN len;
+  uschar *str;
+  int items;
+
+  if (!interp_perl)
+    {
+    *errstrp = US"the Perl interpreter has not been started";
+    return 0;
+    }
+
+  ENTER;
+  SAVETMPS;
+  PUSHMARK(SP);
+  while (*arg != NULL) XPUSHs(newSVpv(CS (*arg++), 0));
+  PUTBACK;
+  items = perl_call_pv(CS name, G_SCALAR|G_EVAL);
+  SPAGAIN;
+  sv = POPs;
+  PUTBACK;
+  if (SvTRUE(ERRSV))
+    {
+    *errstrp = US SvPV(ERRSV, len);
+    return NULL;
+    }
+  if (!SvOK(sv))
+    {
+    *errstrp = 0;
+    return NULL;
+    }
+  str = US SvPV(sv, len);
+  yield = string_catn(yield, str, (int)len);
+  FREETMPS;
+  LEAVE;
+
+  setlocale(LC_ALL, "C");    /* In case it got changed */
+  return yield;
+}
+
+/* End of perl.c */
diff --git a/src/priv.c b/src/priv.c
new file mode 100644
index 0000000..94d4254
--- /dev/null
+++ b/src/priv.c
@@ -0,0 +1,76 @@
+#include "exim.h"
+#include <sys/types.h>
+#include <unistd.h>
+#include <string.h>
+
+static enum {
+  PRIV_DROPPING, PRIV_DROPPED,
+  PRIV_RESTORING, PRIV_RESTORED
+} priv_state = PRIV_RESTORED;
+
+
+static uid_t priv_euid;
+static gid_t priv_egid;
+static gid_t priv_groups[EXIM_GROUPLIST_SIZE + 1];
+static int priv_ngroups;
+
+/* Inspired by OpenSSH's temporarily_use_uid(). Thanks! */
+
+void
+priv_drop_temp(const uid_t temp_uid, const gid_t temp_gid)
+{
+if (priv_state != PRIV_RESTORED)
+  log_write(0, LOG_PANIC_DIE, "priv_drop_temp: unexpected priv_state %d != %d", priv_state, PRIV_RESTORED);
+
+priv_state = PRIV_DROPPING;
+
+priv_euid = geteuid();
+if (priv_euid == root_uid)
+  {
+  priv_egid = getegid();
+  priv_ngroups = getgroups(nelem(priv_groups), priv_groups);
+  if (priv_ngroups < 0)
+    log_write(0, LOG_PANIC_DIE, "getgroups: %s", strerror(errno));
+
+  if (priv_ngroups > 0 && setgroups(1, &temp_gid) != 0)
+    log_write(0, LOG_PANIC_DIE, "setgroups: %s", strerror(errno));
+  if (setegid(temp_gid) != 0)
+    log_write(0, LOG_PANIC_DIE, "setegid(%d): %s", temp_gid, strerror(errno));
+  if (seteuid(temp_uid) != 0)
+    log_write(0, LOG_PANIC_DIE, "seteuid(%d): %s", temp_uid, strerror(errno));
+
+  if (geteuid() != temp_uid)
+    log_write(0, LOG_PANIC_DIE, "getdeuid() != %d", temp_uid);
+  if (getegid() != temp_gid)
+    log_write(0, LOG_PANIC_DIE, "getegid() != %d", temp_gid);
+  }
+
+priv_state = PRIV_DROPPED;
+}
+
+/* Inspired by OpenSSH's restore_uid(). Thanks! */
+
+void
+priv_restore(void)
+{
+if (priv_state != PRIV_DROPPED)
+  log_write(0, LOG_PANIC_DIE, "priv_restore: unexpected priv_state %d != %d", priv_state, PRIV_DROPPED);
+priv_state = PRIV_RESTORING;
+
+if (priv_euid == root_uid)
+  {
+  if (seteuid(priv_euid) != 0)
+    log_write(0, LOG_PANIC_DIE, "seteuid(%d): %s", priv_euid, strerror(errno));
+  if (setegid(priv_egid) != 0)
+    log_write(0, LOG_PANIC_DIE, "setegid(%d): %s", priv_egid, strerror(errno));
+  if (priv_ngroups > 0 && setgroups(priv_ngroups, priv_groups) != 0)
+    log_write(0, LOG_PANIC_DIE, "setgroups: %s", strerror(errno));
+
+  if (geteuid() != priv_euid)
+    log_write(0, LOG_PANIC_DIE, "getdeuid() != %d", priv_euid);
+  if (getegid() != priv_egid)
+    log_write(0, LOG_PANIC_DIE, "getdegid() != %d", priv_egid);
+  }
+
+priv_state = PRIV_RESTORED;
+}
diff --git a/src/queue.c b/src/queue.c
new file mode 100644
index 0000000..4bdd6fb
--- /dev/null
+++ b/src/queue.c
@@ -0,0 +1,1588 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions that operate on the input queue. */
+
+
+#include "exim.h"
+
+
+
+
+
+
+
+#ifndef COMPILE_UTILITY
+
+/* The number of nodes to use for the bottom-up merge sort when a list of queue
+items is to be ordered. The code for this sort was contributed as a patch by
+Michael Haardt. */
+
+#define LOG2_MAXNODES 32
+
+
+#ifndef DISABLE_TLS
+static BOOL queue_tls_init = FALSE;
+#endif
+
+/*************************************************
+*  Helper sort function for queue_get_spool_list *
+*************************************************/
+
+/* This function is used when sorting the queue list in the function
+queue_get_spool_list() below.
+
+Arguments:
+  a            points to an ordered list of queue_filename items
+  b            points to another ordered list
+
+Returns:       a pointer to a merged ordered list
+*/
+
+static queue_filename *
+merge_queue_lists(queue_filename *a, queue_filename *b)
+{
+queue_filename *first = NULL;
+queue_filename **append = &first;
+
+while (a && b)
+  {
+  int d;
+  if ((d = Ustrncmp(a->text, b->text, 6)) == 0)
+    d = Ustrcmp(a->text + 14, b->text + 14);
+  if (d < 0)
+    {
+    *append = a;
+    append= &a->next;
+    a = a->next;
+    }
+  else
+    {
+    *append = b;
+    append= &b->next;
+    b = b->next;
+    }
+  }
+
+*append = a ? a : b;
+return first;
+}
+
+
+
+
+
+/*************************************************
+*             Get list of spool files            *
+*************************************************/
+
+/* Scan the spool directory and return a list of the relevant file names
+therein. Single-character sub-directories are handled as follows:
+
+  If the first argument is > 0, a sub-directory is scanned; the letter is
+  taken from the nth entry in subdirs.
+
+  If the first argument is 0, sub-directories are not scanned. However, a
+  list of them is returned.
+
+  If the first argument is < 0, sub-directories are scanned for messages,
+  and a single, unified list is created. The returned data blocks contain the
+  identifying character of the subdirectory, if any. The subdirs vector is
+  still required as an argument.
+
+If the randomize argument is TRUE, messages are returned in "randomized" order.
+Actually, the order is anything but random, but the algorithm is cheap, and the
+point is simply to ensure that the same order doesn't occur every time, in case
+a particular message is causing a remote MTA to barf - we would like to try
+other messages to that MTA first.
+
+If the randomize argument is FALSE, sort the list according to the file name.
+This should give the order in which the messages arrived. It is normally used
+only for presentation to humans, in which case the (possibly expensive) sort
+that it does is not part of the normal operational code. However, if
+queue_run_in_order is set, sorting has to take place for queue runs as well.
+When randomize is FALSE, the first argument is normally -1, so all messages are
+included.
+
+Arguments:
+  subdiroffset   sub-directory character offset, or 0 or -1 (see above)
+  subdirs        vector to store list of subdirchars
+  subcount       pointer to int in which to store count of subdirs
+  randomize      TRUE if the order of the list is to be unpredictable
+  pcount	 If not NULL, fill in with count of files and do not return list
+
+Returns:         pointer to a chain of queue name items
+*/
+
+static queue_filename *
+queue_get_spool_list(int subdiroffset, uschar *subdirs, int *subcount,
+  BOOL randomize, unsigned * pcount)
+{
+int i;
+int flags = 0;
+int resetflags = -1;
+int subptr;
+queue_filename *yield = NULL;
+queue_filename *last = NULL;
+uschar buffer[256];
+queue_filename *root[LOG2_MAXNODES];
+
+/* When randomizing, the file names are added to the start or end of the list
+according to the bits of the flags variable. Get a collection of bits from the
+current time. Use the bottom 16 and just keep re-using them if necessary. When
+not randomizing, initialize the sublists for the bottom-up merge sort. */
+
+if (pcount)
+  *pcount = 0;
+else if (randomize)
+  resetflags = time(NULL) & 0xFFFF;
+else
+   for (i = 0; i < LOG2_MAXNODES; i++)
+     root[i] = NULL;
+
+/* If processing the full queue, or just the top-level, start at the base
+directory, and initialize the first subdirectory name (as none). Otherwise,
+start at the sub-directory offset. */
+
+if (subdiroffset <= 0)
+  {
+  i = 0;
+  subdirs[0] = 0;
+  *subcount = 0;
+  }
+else
+  i = subdiroffset;
+
+/* Set up prototype for the directory name. */
+
+spool_pname_buf(buffer, sizeof(buffer));
+buffer[sizeof(buffer) - 3] = 0;
+subptr = Ustrlen(buffer);
+buffer[subptr+2] = 0;               /* terminator for lengthened name */
+
+/* This loop runs at least once, for the main or given directory, and then as
+many times as necessary to scan any subdirectories encountered in the main
+directory, if they are to be scanned at this time. */
+
+for (; i <= *subcount; i++)
+  {
+  int count = 0;
+  int subdirchar = subdirs[i];      /* 0 for main directory */
+  DIR *dd;
+
+  if (subdirchar != 0)
+    {
+    buffer[subptr] = '/';
+    buffer[subptr+1] = subdirchar;
+    }
+
+  DEBUG(D_queue_run) debug_printf("looking in %s\n", buffer);
+  if (!(dd = exim_opendir(buffer)))
+    continue;
+
+  /* Now scan the directory. */
+
+  for (struct dirent *ent; ent = readdir(dd); )
+    {
+    uschar *name = US ent->d_name;
+    int len = Ustrlen(name);
+
+    /* Count entries */
+
+    count++;
+
+    /* If we find a single alphameric sub-directory in the base directory,
+    add it to the list for subsequent scans. */
+
+    if (i == 0 && len == 1 && isalnum(*name))
+      {
+      *subcount = *subcount + 1;
+      subdirs[*subcount] = *name;
+      continue;
+      }
+
+    /* Otherwise, if it is a header spool file, add it to the list */
+
+    if (len == SPOOL_NAME_LENGTH &&
+        Ustrcmp(name + SPOOL_NAME_LENGTH - 2, "-H") == 0)
+      if (pcount)
+	(*pcount)++;
+      else
+	{
+	queue_filename * next =
+	  store_get(sizeof(queue_filename) + Ustrlen(name), name);
+	Ustrcpy(next->text, name);
+	next->dir_uschar = subdirchar;
+
+	/* Handle the creation of a randomized list. The first item becomes both
+	the top and bottom of the list. Subsequent items are inserted either at
+	the top or the bottom, randomly. This is, I argue, faster than doing a
+	sort by allocating a random number to each item, and it also saves having
+	to store the number with each item. */
+
+	if (randomize)
+	  if (!yield)
+	    {
+	    next->next = NULL;
+	    yield = last = next;
+	    }
+	  else
+	    {
+	    if (flags == 0)
+	      flags = resetflags;
+	    if ((flags & 1) == 0)
+	      {
+	      next->next = yield;
+	      yield = next;
+	      }
+	    else
+	      {
+	      next->next = NULL;
+	      last->next = next;
+	      last = next;
+	      }
+	    flags = flags >> 1;
+	    }
+
+	/* Otherwise do a bottom-up merge sort based on the name. */
+
+	else
+	  {
+	  next->next = NULL;
+	  for (int j = 0; j < LOG2_MAXNODES; j++)
+	    if (root[j])
+	      {
+	      next = merge_queue_lists(next, root[j]);
+	      root[j] = j == LOG2_MAXNODES - 1 ? next : NULL;
+	      }
+	    else
+	      {
+	      root[j] = next;
+	      break;
+	      }
+	  }
+	}
+    }
+
+  /* Finished with this directory */
+
+  closedir(dd);
+
+  /* If we have just scanned a sub-directory, and it was empty (count == 2
+  implies just "." and ".." entries), and Exim is no longer configured to
+  use sub-directories, attempt to get rid of it. At the same time, try to
+  get rid of any corresponding msglog subdirectory. These are just cosmetic
+  tidying actions, so just ignore failures. If we are scanning just a single
+  sub-directory, break the loop. */
+
+  if (i != 0)
+    {
+    if (!split_spool_directory && count <= 2)
+      {
+      uschar subdir[2];
+
+      rmdir(CS buffer);
+      subdir[0] = subdirchar; subdir[1] = 0;
+      rmdir(CS spool_dname(US"msglog", subdir));
+      }
+    if (subdiroffset > 0) break;    /* Single sub-directory */
+    }
+
+  /* If we have just scanned the base directory, and subdiroffset is 0,
+  we do not want to continue scanning the sub-directories. */
+
+  else if (subdiroffset == 0)
+    break;
+  }    /* Loop for multiple subdirectories */
+
+/* When using a bottom-up merge sort, do the final merging of the sublists.
+Then pass back the final list of file items. */
+
+if (!pcount && !randomize)
+  for (i = 0; i < LOG2_MAXNODES; ++i)
+    yield = merge_queue_lists(yield, root[i]);
+
+return yield;
+}
+
+
+
+
+/*************************************************
+*              Perform a queue run               *
+*************************************************/
+
+/* The arguments give the messages to start and stop at; NULL means start at
+the beginning or stop at the end. If the given start message doesn't exist, we
+start at the next lexically greater one, and likewise we stop at the after the
+previous lexically lesser one if the given stop message doesn't exist. Because
+a queue run can take some time, stat each file before forking, in case it has
+been delivered in the meantime by some other means.
+
+The global variables queue_run_force and queue_run_local may be set to cause
+forced deliveries or local-only deliveries, respectively.
+
+If deliver_selectstring[_sender] is not NULL, skip messages whose recipients do
+not contain the string. As this option is typically used when a machine comes
+back online, we want to ensure that at least one delivery attempt takes place,
+so force the first one. The selecting string can optionally be a regex, or
+refer to the sender instead of recipients.
+
+If queue_2stage is set, the queue is scanned twice. The first time, queue_smtp
+is set so that routing is done for all messages. Thus in the second run those
+that are routed to the same host should go down the same SMTP connection.
+
+Arguments:
+  start_id   message id to start at, or NULL for all
+  stop_id    message id to end at, or NULL for all
+  recurse    TRUE if recursing for 2-stage run
+
+Returns:     nothing
+*/
+
+void
+queue_run(uschar *start_id, uschar *stop_id, BOOL recurse)
+{
+BOOL force_delivery = f.queue_run_force || deliver_selectstring != NULL ||
+  deliver_selectstring_sender != NULL;
+const pcre2_code *selectstring_regex = NULL;
+const pcre2_code *selectstring_regex_sender = NULL;
+uschar *log_detail = NULL;
+int subcount = 0;
+uschar subdirs[64];
+pid_t qpid[4] = {0};	/* Parallelism factor for q2stage 1st phase */
+BOOL single_id = FALSE;
+
+#ifdef MEASURE_TIMING
+report_time_since(&timestamp_startup, US"queue_run start");
+#endif
+
+/* Cancel any specific queue domains. Turn off the flag that causes SMTP
+deliveries not to happen, unless doing a 2-stage queue run, when the SMTP flag
+gets set. Save the queue_runner's pid and the flag that indicates any
+deliveries run directly from this process. Deliveries that are run by handing
+on TCP/IP channels have queue_run_pid set, but not queue_running. */
+
+queue_domains = NULL;
+queue_smtp_domains = NULL;
+f.queue_smtp = f.queue_2stage;
+
+queue_run_pid = getpid();
+f.queue_running = TRUE;
+
+/* Log the true start of a queue run, and fancy options */
+
+if (!recurse)
+  {
+  uschar extras[8];
+  uschar *p = extras;
+
+  if (f.queue_2stage) *p++ = 'q';
+  if (f.queue_run_first_delivery) *p++ = 'i';
+  if (f.queue_run_force) *p++ = 'f';
+  if (f.deliver_force_thaw) *p++ = 'f';
+  if (f.queue_run_local) *p++ = 'l';
+  *p = 0;
+
+  p = big_buffer;
+  p += sprintf(CS p, "pid=%d", (int)queue_run_pid);
+
+  if (extras[0] != 0)
+    p += sprintf(CS p, " -q%s", extras);
+
+  if (deliver_selectstring)
+    {
+    snprintf(CS p, big_buffer_size - (p - big_buffer), " -R%s %s",
+      f.deliver_selectstring_regex? "r" : "", deliver_selectstring);
+    p += Ustrlen(CCS p);
+    }
+
+  if (deliver_selectstring_sender)
+    {
+    snprintf(CS p, big_buffer_size - (p - big_buffer), " -S%s %s",
+      f.deliver_selectstring_sender_regex? "r" : "", deliver_selectstring_sender);
+    p += Ustrlen(CCS p);
+    }
+
+  log_detail = string_copy(big_buffer);
+  if (*queue_name)
+    log_write(L_queue_run, LOG_MAIN, "Start '%s' queue run: %s",
+      queue_name, log_detail);
+  else
+    log_write(L_queue_run, LOG_MAIN, "Start queue run: %s", log_detail);
+
+  single_id = start_id && stop_id && !f.queue_2stage
+	      && Ustrcmp(start_id, stop_id) == 0;
+  }
+
+/* If deliver_selectstring is a regex, compile it. */
+
+if (deliver_selectstring && f.deliver_selectstring_regex)
+  selectstring_regex = regex_must_compile(deliver_selectstring, TRUE, FALSE);
+
+if (deliver_selectstring_sender && f.deliver_selectstring_sender_regex)
+  selectstring_regex_sender =
+    regex_must_compile(deliver_selectstring_sender, TRUE, FALSE);
+
+/* If the spool is split into subdirectories, we want to process it one
+directory at a time, so as to spread out the directory scanning and the
+delivering when there are lots of messages involved, except when
+queue_run_in_order is set.
+
+In the random order case, this loop runs once for the main directory (handling
+any messages therein), and then repeats for any subdirectories that were found.
+When the first argument of queue_get_spool_list() is 0, it scans the top
+directory, fills in subdirs, and sets subcount. The order of the directories is
+then randomized after the first time through, before they are scanned in
+subsequent iterations.
+
+When the first argument of queue_get_spool_list() is -1 (for queue_run_in_
+order), it scans all directories and makes a single message list. */
+
+for (int i = queue_run_in_order ? -1 : 0;
+     i <= (queue_run_in_order ? -1 : subcount);
+     i++)
+  {
+  rmark reset_point1 = store_mark();
+
+  DEBUG(D_queue_run)
+    {
+    if (i == 0)
+      debug_printf("queue running main directory\n");
+    else if (i == -1)
+      debug_printf("queue running combined directories\n");
+    else
+      debug_printf("queue running subdirectory '%c'\n", subdirs[i]);
+    }
+
+  for (queue_filename * fq = queue_get_spool_list(i, subdirs, &subcount,
+					     !queue_run_in_order, NULL);
+       fq; fq = fq->next)
+    {
+    pid_t pid;
+    int status;
+    int pfd[2];
+    struct stat statbuf;
+    uschar buffer[256];
+
+    /* Unless deliveries are forced, if deliver_queue_load_max is non-negative,
+    check that the load average is low enough to permit deliveries. */
+
+    if (!f.queue_run_force && deliver_queue_load_max >= 0)
+      if ((load_average = os_getloadavg()) > deliver_queue_load_max)
+        {
+        log_write(L_queue_run, LOG_MAIN, "Abandon queue run: %s (load %.2f, max %.2f)",
+          log_detail,
+          (double)load_average/1000.0,
+          (double)deliver_queue_load_max/1000.0);
+        i = subcount;                 /* Don't process other directories */
+        break;
+        }
+      else
+        DEBUG(D_load) debug_printf("load average = %.2f max = %.2f\n",
+          (double)load_average/1000.0,
+          (double)deliver_queue_load_max/1000.0);
+
+    /* If initial of a 2-phase run, maintain a set of child procs
+    to get disk parallelism */
+
+    if (f.queue_2stage && !queue_run_in_order)
+      {
+      int i;
+      if (qpid[f.running_in_test_harness ? 0 : nelem(qpid) - 1])
+	{
+	DEBUG(D_queue_run) debug_printf("q2stage waiting for child %d\n", (int)qpid[0]);
+	waitpid(qpid[0], NULL, 0);
+	DEBUG(D_queue_run) debug_printf("q2stage reaped child %d\n", (int)qpid[0]);
+	if (f.running_in_test_harness) i = 0;
+	else for (i = 0; i < nelem(qpid) - 1; i++) qpid[i] = qpid[i+1];
+	qpid[i] = 0;
+	}
+      else
+	for (i = 0; qpid[i]; ) i++;
+      if ((qpid[i] = exim_fork(US"qrun-phase-one")))
+	continue;	/* parent loops around */
+      }
+
+    /* Skip this message unless it's within the ID limits */
+
+    if (stop_id && Ustrncmp(fq->text, stop_id, MESSAGE_ID_LENGTH) > 0)
+      goto go_around;
+    if (start_id && Ustrncmp(fq->text, start_id, MESSAGE_ID_LENGTH) < 0)
+      goto go_around;
+
+    /* Check that the message still exists */
+
+    message_subdir[0] = fq->dir_uschar;
+    if (Ustat(spool_fname(US"input", message_subdir, fq->text, US""), &statbuf) < 0)
+      goto go_around;
+
+    /* There are some tests that require the reading of the header file. Ensure
+    the store used is scavenged afterwards so that this process doesn't keep
+    growing its store. We have to read the header file again when actually
+    delivering, but it's cheaper than forking a delivery process for each
+    message when many are not going to be delivered. */
+
+    if (deliver_selectstring || deliver_selectstring_sender ||
+        f.queue_run_first_delivery)
+      {
+      BOOL wanted = TRUE;
+      BOOL orig_dont_deliver = f.dont_deliver;
+      rmark reset_point2 = store_mark();
+
+      /* Restore the original setting of dont_deliver after reading the header,
+      so that a setting for a particular message doesn't force it for any that
+      follow. If the message is chosen for delivery, the header is read again
+      in the deliver_message() function, in a subprocess. */
+
+      if (spool_read_header(fq->text, FALSE, TRUE) != spool_read_OK) goto go_around;
+      f.dont_deliver = orig_dont_deliver;
+
+      /* Now decide if we want to deliver this message. As we have read the
+      header file, we might as well do the freeze test now, and save forking
+      another process. */
+
+      if (f.deliver_freeze && !f.deliver_force_thaw)
+        {
+        log_write(L_skip_delivery, LOG_MAIN, "Message is frozen");
+        wanted = FALSE;
+        }
+
+      /* Check first_delivery in the case when there are no message logs. */
+
+      else if (f.queue_run_first_delivery && !f.deliver_firsttime)
+        {
+        DEBUG(D_queue_run) debug_printf("%s: not first delivery\n", fq->text);
+        wanted = FALSE;
+        }
+
+      /* Check for a matching address if deliver_selectstring[_sender] is set.
+      If so, we do a fully delivery - don't want to omit other addresses since
+      their routing might trigger re-writing etc. */
+
+      /* Sender matching */
+
+      else if (  deliver_selectstring_sender
+	      && !(f.deliver_selectstring_sender_regex
+		  ? regex_match(selectstring_regex_sender, sender_address, -1, NULL)
+		  : (strstric(sender_address, deliver_selectstring_sender, FALSE)
+		      != NULL)
+	      )   )
+        {
+        DEBUG(D_queue_run) debug_printf("%s: sender address did not match %s\n",
+          fq->text, deliver_selectstring_sender);
+        wanted = FALSE;
+        }
+
+      /* Recipient matching */
+
+      else if (deliver_selectstring)
+        {
+        int i;
+        for (i = 0; i < recipients_count; i++)
+          {
+          uschar *address = recipients_list[i].address;
+          if (  (f.deliver_selectstring_regex
+		? regex_match(selectstring_regex, address, -1, NULL)
+                : (strstric(address, deliver_selectstring, FALSE) != NULL)
+		)
+             && tree_search(tree_nonrecipients, address) == NULL
+	     )
+            break;
+          }
+
+        if (i >= recipients_count)
+          {
+          DEBUG(D_queue_run)
+            debug_printf("%s: no recipient address matched %s\n",
+              fq->text, deliver_selectstring);
+          wanted = FALSE;
+          }
+        }
+
+      /* Recover store used when reading the header */
+
+      spool_clear_header_globals();
+      store_reset(reset_point2);
+      if (!wanted) goto go_around;      /* With next message */
+      }
+
+    /* OK, got a message we want to deliver. Create a pipe which will
+    serve as a means of detecting when all the processes created by the
+    delivery process are finished. This is relevant when the delivery
+    process passes one or more SMTP channels on to its own children. The
+    pipe gets passed down; by reading on it here we detect when the last
+    descendent dies by the unblocking of the read. It's a pity that for
+    most of the time the pipe isn't used, but creating a pipe should be
+    pretty cheap. */
+
+    if (pipe(pfd) < 0)
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to create pipe in queue "
+        "runner process %d: %s", queue_run_pid, strerror(errno));
+    queue_run_pipe = pfd[pipe_write];  /* To ensure it gets passed on. */
+
+    /* Make sure it isn't stdin. This seems unlikely, but just to be on the
+    safe side... */
+
+    if (queue_run_pipe == 0)
+      {
+      queue_run_pipe = dup(queue_run_pipe);
+      (void)close(0);
+      }
+
+    /* Before forking to deliver the message, ensure any open and cached
+    lookup files or databases are closed. Otherwise, closing in the subprocess
+    can make the next subprocess have problems. There won't often be anything
+    open here, but it is possible (e.g. if spool_directory is an expanded
+    string). A single call before this loop would probably suffice, but just in
+    case expansions get inserted at some point, I've taken the heavy-handed
+    approach. When nothing is open, the call should be cheap. */
+
+    search_tidyup();
+
+    /* Now deliver the message; get the id by cutting the -H off the file
+    name. The return of the process is zero if a delivery was attempted. */
+
+    set_process_info("running queue: %s", fq->text);
+    fq->text[SPOOL_NAME_LENGTH-2] = 0;
+#ifdef MEASURE_TIMING
+    report_time_since(&timestamp_startup, US"queue msg selected");
+#endif
+
+#ifndef DISABLE_TLS
+    if (!queue_tls_init)
+      {
+      queue_tls_init = TRUE;
+      /* Preload TLS library info for smtp transports.  Once, and only if we
+      have a delivery to do. */
+      tls_client_creds_reload(FALSE);
+      }
+#endif
+
+single_item_retry:
+    if ((pid = exim_fork(US"qrun-delivery")) == 0)
+      {
+      int rc;
+      (void)close(pfd[pipe_read]);
+      rc = deliver_message(fq->text, force_delivery, FALSE);
+      exim_underbar_exit(rc == DELIVER_NOT_ATTEMPTED
+		? EXIT_FAILURE : EXIT_SUCCESS);
+      }
+    if (pid < 0)
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork of delivery process from "
+        "queue runner %d failed\n", queue_run_pid);
+
+    /* Close the writing end of the synchronizing pipe in this process,
+    then wait for the first level process to terminate. */
+
+    (void)close(pfd[pipe_write]);
+    set_process_info("running queue: waiting for %s (%d)", fq->text, pid);
+    while (wait(&status) != pid);
+
+    /* A zero return means a delivery was attempted; turn off the force flag
+    for any subsequent calls unless queue_force is set. */
+
+    if (!(status & 0xffff)) force_delivery = f.queue_run_force;
+
+    /* If the process crashed, tell somebody */
+
+    else if (status & 0x00ff)
+      log_write(0, LOG_MAIN|LOG_PANIC,
+        "queue run: process %d crashed with signal %d while delivering %s",
+        (int)pid, status & 0x00ff, fq->text);
+
+    /* If single-item delivery was untried (likely due to locking)
+    retry once after a delay */
+
+    if (status & 0xff00 && single_id)
+      {
+      single_id = FALSE;
+      DEBUG(D_queue_run) debug_printf("qrun single-item pause before retry\n");
+      millisleep(500);
+      DEBUG(D_queue_run) debug_printf("qrun single-item retry after pause\n");
+      goto single_item_retry;
+      }
+
+    /* Before continuing, wait till the pipe gets closed at the far end. This
+    tells us that any children created by the delivery to re-use any SMTP
+    channels have all finished. Since no process actually writes to the pipe,
+    the mere fact that read() unblocks is enough. */
+
+    set_process_info("running queue: waiting for children of %d", pid);
+    if ((status = read(pfd[pipe_read], buffer, sizeof(buffer))) != 0)
+      log_write(0, LOG_MAIN|LOG_PANIC, status > 0 ?
+	"queue run: unexpected data on pipe" : "queue run: error on pipe: %s",
+	strerror(errno));
+    (void)close(pfd[pipe_read]);
+    set_process_info("running queue");
+
+    /* If initial of a 2-phase run, we are a child - so just exit */
+    if (f.queue_2stage && !queue_run_in_order)
+      exim_exit(EXIT_SUCCESS);
+
+    /* If we are in the test harness, and this is not the first of a 2-stage
+    queue run, update fudged queue times. */
+
+    if (f.running_in_test_harness && !f.queue_2stage)
+      {
+      uschar * fqtnext = Ustrchr(fudged_queue_times, '/');
+      if (fqtnext) fudged_queue_times = fqtnext + 1;
+      }
+
+
+    continue;
+
+  go_around:
+    /* If initial of a 2-phase run, we are a child - so just exit */
+    if (f.queue_2stage && !queue_run_in_order)
+      exim_exit(EXIT_SUCCESS);
+    }                                  /* End loop for list of messages */
+
+  tree_nonrecipients = NULL;
+  store_reset(reset_point1);           /* Scavenge list of messages */
+
+  /* If this was the first time through for random order processing, and
+  sub-directories have been found, randomize their order if necessary. */
+
+  if (i == 0 && subcount > 1 && !queue_run_in_order)
+    for (int j = 1; j <= subcount; j++)
+      {
+      int r;
+      if ((r = random_number(100)) >= 50)
+        {
+        int k = (r % subcount) + 1;
+        int x = subdirs[j];
+        subdirs[j] = subdirs[k];
+        subdirs[k] = x;
+        }
+      }
+  }                                    /* End loop for multiple directories */
+
+/* If queue_2stage is true, we do it all again, with the 2stage flag
+turned off. */
+
+if (f.queue_2stage)
+  {
+
+  /* wait for last children */
+  for (int i = 0; i < nelem(qpid); i++)
+    if (qpid[i])
+      {
+      DEBUG(D_queue_run) debug_printf("q2stage reaped child %d\n", (int)qpid[i]);
+      waitpid(qpid[i], NULL, 0);
+      }
+    else break;
+
+#ifdef MEASURE_TIMING
+  report_time_since(&timestamp_startup, US"queue_run 1st phase done");
+#endif
+  f.queue_2stage = FALSE;
+  queue_run(start_id, stop_id, TRUE);
+  }
+
+/* At top level, log the end of the run. */
+
+if (!recurse)
+  if (*queue_name)
+    log_write(L_queue_run, LOG_MAIN, "End '%s' queue run: %s",
+      queue_name, log_detail);
+  else
+    log_write(L_queue_run, LOG_MAIN, "End queue run: %s", log_detail);
+}
+
+
+
+
+/************************************************
+*         Count messages on the queue           *
+************************************************/
+
+/* Called as a result of -bpc
+
+Arguments:  none
+Returns:    count
+*/
+
+unsigned
+queue_count(void)
+{
+int subcount;
+unsigned count = 0;
+uschar subdirs[64];
+
+(void) queue_get_spool_list(-1,		/* entire queue */
+			subdirs,        /* for holding sub list */
+			&subcount,      /* for subcount */
+			FALSE,		/* not random */
+			&count);	/* just get the count */
+return count;
+}
+
+
+#define QUEUE_SIZE_AGE 60	/* update rate for queue_size */
+
+unsigned
+queue_count_cached(void)
+{
+time_t now;
+if ((now = time(NULL)) >= queue_size_next)
+  {
+  queue_size = queue_count();
+  queue_size_next = now + (f.running_in_test_harness ? 3 : QUEUE_SIZE_AGE);
+  }
+return queue_size;
+}
+
+/************************************************
+*          List extra deliveries                *
+************************************************/
+
+/* This is called from queue_list below to print out all addresses that
+have received a message but which were not primary addresses. That is, all
+the addresses in the tree of non-recipients that are not primary addresses.
+The tree has been scanned and the data field filled in for those that are
+primary addresses.
+
+Argument:    points to the tree node
+Returns:     nothing
+*/
+
+static void
+queue_list_extras(tree_node *p)
+{
+if (p->left) queue_list_extras(p->left);
+if (!p->data.val) printf("       +D %s\n", p->name);
+if (p->right) queue_list_extras(p->right);
+}
+
+
+
+/************************************************
+*          List messages on the queue           *
+************************************************/
+
+/* Or a given list of messages. In the "all" case, we get a list of file names
+as quickly as possible, then scan each one for information to output. If any
+disappear while we are processing, just leave them out, but give an error if an
+explicit list was given. This function is a top-level function that is obeyed
+as a result of the -bp argument. As there may be a lot of messages on the
+queue, we must tidy up the store after reading the headers for each one.
+
+Arguments:
+   option     0 => list top-level recipients, with "D" for those delivered
+              1 => list only undelivered top-level recipients
+              2 => as 0, plus any generated delivered recipients
+              If 8 is added to any of these values, the queue is listed in
+                random order.
+   list       => first of any message ids to list
+   count      count of message ids; 0 => all
+
+Returns:      nothing
+*/
+
+void
+queue_list(int option, uschar **list, int count)
+{
+int subcount;
+int now = (int)time(NULL);
+rmark reset_point;
+queue_filename * qf = NULL;
+uschar subdirs[64];
+
+/* If given a list of messages, build a chain containing their ids. */
+
+if (count > 0)
+  {
+  queue_filename *last = NULL;
+  for (int i = 0; i < count; i++)
+    {
+    queue_filename * next =
+      store_get(sizeof(queue_filename) + Ustrlen(list[i]) + 2, list[i]);
+    sprintf(CS next->text, "%s-H", list[i]);
+    next->dir_uschar = '*';
+    next->next = NULL;
+    if (i == 0) qf = next; else last->next = next;
+    last = next;
+    }
+  }
+
+/* Otherwise get a list of the entire queue, in order if necessary. */
+
+else
+  qf = queue_get_spool_list(
+          -1,             /* entire queue */
+          subdirs,        /* for holding sub list */
+          &subcount,      /* for subcount */
+          option >= 8,	  /* randomize if required */
+	  NULL);	  /* don't just count */
+
+if (option >= 8) option -= 8;
+
+/* Now scan the chain and print information, resetting store used
+each time. */
+
+for (;
+    qf && (reset_point = store_mark());
+    spool_clear_header_globals(), store_reset(reset_point), qf = qf->next
+    )
+  {
+  int rc, save_errno;
+  int size = 0;
+  BOOL env_read;
+
+  message_size = 0;
+  message_subdir[0] = qf->dir_uschar;
+  rc = spool_read_header(qf->text, FALSE, count <= 0);
+  if (rc == spool_read_notopen && errno == ENOENT && count <= 0)
+    continue;
+  save_errno = errno;
+
+  env_read = (rc == spool_read_OK || rc == spool_read_hdrerror);
+
+  if (env_read)
+    {
+    int i, ptr;
+    FILE *jread;
+    struct stat statbuf;
+    uschar * fname = spool_fname(US"input", message_subdir, qf->text, US"");
+
+    ptr = Ustrlen(fname)-1;
+    fname[ptr] = 'D';
+
+    /* Add the data size to the header size; don't count the file name
+    at the start of the data file, but add one for the notional blank line
+    that precedes the data. */
+
+    if (Ustat(fname, &statbuf) == 0)
+      size = message_size + statbuf.st_size - SPOOL_DATA_START_OFFSET + 1;
+    i = (now - received_time.tv_sec)/60;  /* minutes on queue */
+    if (i > 90)
+      {
+      i = (i + 30)/60;
+      if (i > 72) printf("%2dd ", (i + 12)/24); else printf("%2dh ", i);
+      }
+    else printf("%2dm ", i);
+
+    /* Collect delivered addresses from any J file */
+
+    fname[ptr] = 'J';
+    if ((jread = Ufopen(fname, "rb")))
+      {
+      while (Ufgets(big_buffer, big_buffer_size, jread) != NULL)
+        {
+        int n = Ustrlen(big_buffer);
+        big_buffer[n-1] = 0;
+        tree_add_nonrecipient(big_buffer);
+        }
+      (void)fclose(jread);
+      }
+    }
+
+  fprintf(stdout, "%s ", string_format_size(size, big_buffer));
+  for (int i = 0; i < 16; i++) fputc(qf->text[i], stdout);
+
+  if (env_read && sender_address)
+    {
+    printf(" <%s>", sender_address);
+    if (f.sender_set_untrusted) printf(" (%s)", originator_login);
+    }
+
+  if (rc != spool_read_OK)
+    {
+    printf("\n    ");
+    if (save_errno == ERRNO_SPOOLFORMAT)
+      {
+      struct stat statbuf;
+      uschar * fname = spool_fname(US"input", message_subdir, qf->text, US"");
+
+      if (Ustat(fname, &statbuf) == 0)
+        printf("*** spool format error: size=" OFF_T_FMT " ***",
+          statbuf.st_size);
+      else printf("*** spool format error ***");
+      }
+    else printf("*** spool read error: %s ***", strerror(save_errno));
+    if (rc != spool_read_hdrerror)
+      {
+      printf("\n\n");
+      continue;
+      }
+    }
+
+  if (f.deliver_freeze) printf(" *** frozen ***");
+
+  printf("\n");
+
+  if (recipients_list)
+    {
+    for (int i = 0; i < recipients_count; i++)
+      {
+      tree_node *delivered =
+        tree_search(tree_nonrecipients, recipients_list[i].address);
+      if (!delivered || option != 1)
+        printf("        %s %s\n",
+	  delivered ? "D" : " ", recipients_list[i].address);
+      if (delivered) delivered->data.val = TRUE;
+      }
+    if (option == 2 && tree_nonrecipients)
+      queue_list_extras(tree_nonrecipients);
+    printf("\n");
+    }
+  }
+}
+
+
+
+/*************************************************
+*             Act on a specific message          *
+*************************************************/
+
+/* Actions that require a list of addresses make use of argv/argc/
+recipients_arg. Other actions do not. This function does its own
+authority checking.
+
+Arguments:
+  id              id of the message to work on
+  action          which action is required (MSG_xxx)
+  argv            the original argv for Exim
+  argc            the original argc for Exim
+  recipients_arg  offset to the list of recipients in argv
+
+Returns:          FALSE if there was any problem
+*/
+
+BOOL
+queue_action(uschar *id, int action, uschar **argv, int argc, int recipients_arg)
+{
+BOOL yield = TRUE;
+BOOL removed = FALSE;
+struct passwd *pw;
+uschar *doing = NULL;
+uschar *username;
+uschar *errmsg;
+uschar spoolname[32];
+
+/* Set the global message_id variable, used when re-writing spool files. This
+also causes message ids to be added to log messages. */
+
+Ustrcpy(message_id, id);
+
+/* The "actions" that just list the files do not require any locking to be
+done. Only admin users may read the spool files. */
+
+if (action >= MSG_SHOW_BODY)
+  {
+  int fd, rc;
+  uschar *subdirectory, *suffix;
+
+  if (!f.admin_user)
+    {
+    printf("Permission denied\n");
+    return FALSE;
+    }
+
+  if (recipients_arg < argc)
+    {
+    printf("*** Only one message can be listed at once\n");
+    return FALSE;
+    }
+
+  if (action == MSG_SHOW_BODY)
+    {
+    subdirectory = US"input";
+    suffix = US"-D";
+    }
+  else if (action == MSG_SHOW_HEADER)
+    {
+    subdirectory = US"input";
+    suffix = US"-H";
+    }
+  else
+    {
+    subdirectory = US"msglog";
+    suffix = US"";
+    }
+
+  for (int i = 0; i < 2; i++)
+    {
+    set_subdir_str(message_subdir, id, i);
+    if ((fd = Uopen(spool_fname(subdirectory, message_subdir, id, suffix),
+		    O_RDONLY, 0)) >= 0)
+      break;
+    if (i == 0)
+      continue;
+
+    printf("Failed to open %s file for %s%s: %s\n", subdirectory, id, suffix,
+      strerror(errno));
+    if (action == MSG_SHOW_LOG && !message_logs)
+      printf("(No message logs are being created because the message_logs "
+        "option is false.)\n");
+    return FALSE;
+    }
+
+  while((rc = read(fd, big_buffer, big_buffer_size)) > 0)
+    rc = write(fileno(stdout), big_buffer, rc);
+
+  (void)close(fd);
+  return TRUE;
+  }
+
+/* For actions that actually act, open and lock the data file to ensure that no
+other process is working on this message. If the file does not exist, continue
+only if the action is remove and the user is an admin user, to allow for
+tidying up broken states. */
+
+if ((deliver_datafile = spool_open_datafile(id)) < 0)
+  if (errno == ENOENT)
+    {
+    yield = FALSE;
+    printf("Spool data file for %s does not exist\n", id);
+    if (action != MSG_REMOVE || !f.admin_user) return FALSE;
+    printf("Continuing, to ensure all files removed\n");
+    }
+  else
+    {
+    if (errno == 0) printf("Message %s is locked\n", id);
+      else printf("Couldn't open spool file for %s: %s\n", id,
+        strerror(errno));
+    return FALSE;
+    }
+
+/* Read the spool header file for the message. Again, continue after an
+error only in the case of deleting by an administrator. Setting the third
+argument false causes it to look both in the main spool directory and in
+the appropriate subdirectory, and set message_subdir according to where it
+found the message. */
+
+sprintf(CS spoolname, "%s-H", id);
+if (spool_read_header(spoolname, TRUE, FALSE) != spool_read_OK)
+  {
+  yield = FALSE;
+  if (errno != ERRNO_SPOOLFORMAT)
+    printf("Spool read error for %s: %s\n", spoolname, strerror(errno));
+  else
+    printf("Spool format error for %s\n", spoolname);
+  if (action != MSG_REMOVE || !f.admin_user)
+    {
+    (void)close(deliver_datafile);
+    deliver_datafile = -1;
+    return FALSE;
+    }
+  printf("Continuing to ensure all files removed\n");
+  }
+
+/* Check that the user running this process is entitled to operate on this
+message. Only admin users may freeze/thaw, add/cancel recipients, or otherwise
+mess about, but the original sender is permitted to remove a message. That's
+why we leave this check until after the headers are read. */
+
+if (!f.admin_user && (action != MSG_REMOVE || real_uid != originator_uid))
+  {
+  printf("Permission denied\n");
+  (void)close(deliver_datafile);
+  deliver_datafile = -1;
+  return FALSE;
+  }
+
+/* Set up the user name for logging. */
+
+pw = getpwuid(real_uid);
+username = (pw != NULL)?
+  US pw->pw_name : string_sprintf("uid %ld", (long int)real_uid);
+
+/* Take the necessary action. */
+
+if (action != MSG_SHOW_COPY) printf("Message %s ", id);
+
+switch(action)
+  {
+  case MSG_SHOW_COPY:
+    {
+    transport_ctx tctx = {{0}};
+    deliver_in_buffer = store_malloc(DELIVER_IN_BUFFER_SIZE);
+    deliver_out_buffer = store_malloc(DELIVER_OUT_BUFFER_SIZE);
+    tctx.u.fd = 1;
+    (void) transport_write_message(&tctx, 0);
+    break;
+    }
+
+
+  case MSG_FREEZE:
+  if (f.deliver_freeze)
+    {
+    yield = FALSE;
+    printf("is already frozen\n");
+    }
+  else
+    {
+    f.deliver_freeze = TRUE;
+    f.deliver_manual_thaw = FALSE;
+    deliver_frozen_at = time(NULL);
+    if (spool_write_header(id, SW_MODIFYING, &errmsg) >= 0)
+      {
+      printf("is now frozen\n");
+      log_write(0, LOG_MAIN, "frozen by %s", username);
+      }
+    else
+      {
+      yield = FALSE;
+      printf("could not be frozen: %s\n", errmsg);
+      }
+    }
+  break;
+
+
+  case MSG_THAW:
+  if (!f.deliver_freeze)
+    {
+    yield = FALSE;
+    printf("is not frozen\n");
+    }
+  else
+    {
+    f.deliver_freeze = FALSE;
+    f.deliver_manual_thaw = TRUE;
+    if (spool_write_header(id, SW_MODIFYING, &errmsg) >= 0)
+      {
+      printf("is no longer frozen\n");
+      log_write(0, LOG_MAIN, "unfrozen by %s", username);
+      }
+    else
+      {
+      yield = FALSE;
+      printf("could not be unfrozen: %s\n", errmsg);
+      }
+    }
+  break;
+
+
+  /* We must ensure all files are removed from both the input directory
+  and the appropriate subdirectory, to clean up cases when there are odd
+  files left lying around in odd places. In the normal case message_subdir
+  will have been set correctly by spool_read_header, but as this is a rare
+  operation, just run everything twice. */
+
+  case MSG_REMOVE:
+    {
+    uschar suffix[3];
+
+    suffix[0] = '-';
+    suffix[2] = 0;
+    message_subdir[0] = id[5];
+
+    for (int j = 0; j < 2; message_subdir[0] = 0, j++)
+      {
+      uschar * fname = spool_fname(US"msglog", message_subdir, id, US"");
+
+      DEBUG(D_any) debug_printf(" removing %s", fname);
+      if (Uunlink(fname) < 0)
+	{
+	if (errno != ENOENT)
+	  {
+	  yield = FALSE;
+	  printf("Error while removing %s: %s\n", fname, strerror(errno));
+	  }
+	else DEBUG(D_any) debug_printf(" (no file)\n");
+	}
+      else
+	{
+	removed = TRUE;
+	DEBUG(D_any) debug_printf(" (ok)\n");
+	}
+
+      for (int i = 0; i < 3; i++)
+	{
+	uschar * fname;
+
+	suffix[1] = (US"DHJ")[i];
+	fname = spool_fname(US"input", message_subdir, id, suffix);
+
+	DEBUG(D_any) debug_printf(" removing %s", fname);
+	if (Uunlink(fname) < 0)
+	  {
+	  if (errno != ENOENT)
+	    {
+	    yield = FALSE;
+	    printf("Error while removing %s: %s\n", fname, strerror(errno));
+	    }
+	  else DEBUG(D_any) debug_printf(" (no file)\n");
+	  }
+	else
+	  {
+	  removed = TRUE;
+	  DEBUG(D_any) debug_printf(" (done)\n");
+	  }
+	}
+      }
+
+    /* In the common case, the datafile is open (and locked), so give the
+    obvious message. Otherwise be more specific. */
+
+    if (deliver_datafile >= 0) printf("has been removed\n");
+      else printf("has been removed or did not exist\n");
+    if (removed)
+      {
+#ifndef DISABLE_EVENT
+      if (event_action) for (int i = 0; i < recipients_count; i++)
+	{
+	tree_node *delivered =
+	  tree_search(tree_nonrecipients, recipients_list[i].address);
+	if (!delivered)
+	  {
+	  uschar * save_local = deliver_localpart;
+	  const uschar * save_domain = deliver_domain;
+	  uschar * addr = recipients_list[i].address, * errmsg = NULL;
+	  int start, end, dom;
+
+	  if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE))
+	    log_write(0, LOG_MAIN|LOG_PANIC,
+	      "failed to parse address '%.100s'\n: %s", addr, errmsg);
+	  else
+	    {
+	    deliver_localpart =
+	      string_copyn(addr+start, dom ? (dom-1) - start : end - start);
+	    deliver_domain = dom
+	      ? CUS string_copyn(addr+dom, end - dom) : CUS"";
+
+	    (void) event_raise(event_action, US"msg:fail:internal",
+	      string_sprintf("message removed by %s", username), NULL);
+
+	    deliver_localpart = save_local;
+	    deliver_domain = save_domain;
+	    }
+	  }
+	}
+      (void) event_raise(event_action, US"msg:complete", NULL, NULL);
+#endif
+      log_write(0, LOG_MAIN, "removed by %s", username);
+      log_write(0, LOG_MAIN, "Completed");
+      }
+    break;
+    }
+
+
+  case MSG_SETQUEUE:
+    /* The global "queue_name_dest" is used as destination, "queue_name"
+    as source */
+
+    spool_move_message(id, message_subdir, US"", US"");
+    break;
+
+
+  case MSG_MARK_ALL_DELIVERED:
+  for (int i = 0; i < recipients_count; i++)
+    tree_add_nonrecipient(recipients_list[i].address);
+
+  if (spool_write_header(id, SW_MODIFYING, &errmsg) >= 0)
+    {
+    printf("has been modified\n");
+    for (int i = 0; i < recipients_count; i++)
+      log_write(0, LOG_MAIN, "address <%s> marked delivered by %s",
+        recipients_list[i].address, username);
+    }
+  else
+    {
+    yield = FALSE;
+    printf("- could not mark all delivered: %s\n", errmsg);
+    }
+  break;
+
+
+  case MSG_EDIT_SENDER:
+  if (recipients_arg < argc - 1)
+    {
+    yield = FALSE;
+    printf("- only one sender address can be specified\n");
+    break;
+    }
+  doing = US"editing sender";
+  /* Fall through */
+
+  case MSG_ADD_RECIPIENT:
+  if (doing == NULL) doing = US"adding recipient";
+  /* Fall through */
+
+  case MSG_MARK_DELIVERED:
+  if (doing == NULL) doing = US"marking as delivered";
+
+  /* Common code for EDIT_SENDER, ADD_RECIPIENT, & MARK_DELIVERED */
+
+  if (recipients_arg >= argc)
+    {
+    yield = FALSE;
+    printf("- error while %s: no address given\n", doing);
+    break;
+    }
+
+  for (; recipients_arg < argc; recipients_arg++)
+    {
+    int start, end, domain;
+    uschar *errmess;
+    uschar *recipient =
+      parse_extract_address(argv[recipients_arg], &errmess, &start, &end,
+        &domain, (action == MSG_EDIT_SENDER));
+
+    if (!recipient)
+      {
+      yield = FALSE;
+      printf("- error while %s:\n  bad address %s: %s\n",
+        doing, argv[recipients_arg], errmess);
+      }
+    else if (*recipient && domain == 0)
+      {
+      yield = FALSE;
+      printf("- error while %s:\n  bad address %s: "
+        "domain missing\n", doing, argv[recipients_arg]);
+      }
+    else
+      {
+      if (action == MSG_ADD_RECIPIENT)
+        {
+#ifdef SUPPORT_I18N
+	if (string_is_utf8(recipient)) allow_utf8_domains = message_smtputf8 = TRUE;
+#endif
+        receive_add_recipient(recipient, -1);
+        log_write(0, LOG_MAIN, "recipient <%s> added by %s",
+          recipient, username);
+        }
+      else if (action == MSG_MARK_DELIVERED)
+        {
+	int i;
+        for (i = 0; i < recipients_count; i++)
+          if (Ustrcmp(recipients_list[i].address, recipient) == 0) break;
+        if (i >= recipients_count)
+          {
+          printf("- error while %s:\n  %s is not a recipient:"
+            " message not updated\n", doing, recipient);
+          yield = FALSE;
+          }
+        else
+          {
+          tree_add_nonrecipient(recipients_list[i].address);
+          log_write(0, LOG_MAIN, "address <%s> marked delivered by %s",
+            recipient, username);
+          }
+        }
+      else  /* MSG_EDIT_SENDER */
+        {
+#ifdef SUPPORT_I18N
+	if (string_is_utf8(recipient)) allow_utf8_domains = message_smtputf8 = TRUE;
+#endif
+        sender_address = recipient;
+        log_write(0, LOG_MAIN, "sender address changed to <%s> by %s",
+          recipient, username);
+        }
+      }
+    }
+
+  if (yield)
+    if (spool_write_header(id, SW_MODIFYING, &errmsg) >= 0)
+      printf("has been modified\n");
+    else
+      {
+      yield = FALSE;
+      printf("- while %s: %s\n", doing, errmsg);
+      }
+
+  break;
+  }
+
+/* Closing the datafile releases the lock and permits other processes
+to operate on the message (if it still exists). */
+
+if (deliver_datafile >= 0)
+  {
+  (void)close(deliver_datafile);
+  deliver_datafile = -1;
+  }
+return yield;
+}
+
+
+
+/*************************************************
+*       Check the queue_only_file condition      *
+*************************************************/
+
+/* The queue_only_file option forces certain kinds of queueing if a given file
+exists.
+
+Arguments:  none
+Returns:    nothing
+*/
+
+void
+queue_check_only(void)
+{
+int sep = 0;
+struct stat statbuf;
+const uschar * s = queue_only_file;
+uschar * ss;
+
+if (s)
+  while ((ss = string_nextinlist(&s, &sep, NULL, 0)))
+    if (Ustrncmp(ss, "smtp", 4) == 0)
+      {
+      ss += 4;
+      if (Ustat(ss, &statbuf) == 0)
+	{
+	f.queue_smtp = TRUE;
+	DEBUG(D_receive) debug_printf("queue_smtp set because %s exists\n", ss);
+	}
+      }
+    else
+      if (Ustat(ss, &statbuf) == 0)
+	{
+	queue_only = TRUE;
+	DEBUG(D_receive) debug_printf("queue_only set because %s exists\n", ss);
+	}
+}
+
+
+
+/******************************************************************************/
+/******************************************************************************/
+
+#ifndef DISABLE_QUEUE_RAMP
+void
+queue_notify_daemon(const uschar * msgid)
+{
+uschar buf[MESSAGE_ID_LENGTH + 2];
+int fd;
+
+DEBUG(D_queue_run) debug_printf("%s: %s\n", __FUNCTION__, msgid);
+
+buf[0] = NOTIFY_MSG_QRUN;
+memcpy(buf+1, msgid, MESSAGE_ID_LENGTH+1);
+
+if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) >= 0)
+  {
+  struct sockaddr_un sa_un = {.sun_family = AF_UNIX};
+
+#ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
+  int len = offsetof(struct sockaddr_un, sun_path) + 1
+    + snprintf(sa_un.sun_path+1, sizeof(sa_un.sun_path)-1, "%s",
+		expand_string(notifier_socket));
+  sa_un.sun_path[0] = 0;
+#else
+  int len = offsetof(struct sockaddr_un, sun_path)
+    + snprintf(sa_un.sun_path, sizeof(sa_un.sun_path), "%s",
+		expand_string(notifier_socket));
+#endif
+
+  if (sendto(fd, buf, sizeof(buf), 0, (struct sockaddr *)&sa_un, len) < 0)
+    DEBUG(D_queue_run)
+      debug_printf("%s: sendto %s\n", __FUNCTION__, strerror(errno));
+  close(fd);
+  }
+else DEBUG(D_queue_run) debug_printf(" socket: %s\n", strerror(errno));
+}
+#endif
+
+#endif /*!COMPILE_UTILITY*/
+
+/* End of queue.c */
diff --git a/src/rda.c b/src/rda.c
new file mode 100644
index 0000000..b635ebf
--- /dev/null
+++ b/src/rda.c
@@ -0,0 +1,997 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This module contains code for extracting addresses from a forwarding list
+(from an alias or forward file) or by running the filter interpreter. It may do
+this in a sub-process if a uid/gid are supplied. */
+
+
+#include "exim.h"
+
+enum { FILE_EXIST, FILE_NOT_EXIST, FILE_EXIST_UNCLEAR };
+
+#define REPLY_EXISTS    0x01
+#define REPLY_EXPAND    0x02
+#define REPLY_RETURN    0x04
+
+
+/*************************************************
+*         Check string for filter program        *
+*************************************************/
+
+/* This function checks whether a string is actually a filter program. The rule
+is that it must start with "# Exim filter ..." (any capitalization, spaces
+optional). It is envisaged that in future, other kinds of filter may be
+implemented. That's why it is implemented the way it is. The function is global
+because it is also called from filter.c when checking filters.
+
+Argument:  the string
+
+Returns:   FILTER_EXIM    if it starts with "# Exim filter"
+           FILTER_SIEVE   if it starts with "# Sieve filter"
+           FILTER_FORWARD otherwise
+*/
+
+/* This is an auxiliary function for matching a tag. */
+
+static BOOL
+match_tag(const uschar *s, const uschar *tag)
+{
+for (; *tag; s++, tag++)
+  if (*tag == ' ')
+    {
+    while (*s == ' ' || *s == '\t') s++;
+    s--;
+    }
+  else
+   if (tolower(*s) != tolower(*tag)) break;
+
+return (*tag == 0);
+}
+
+/* This is the real function. It should be easy to add checking different
+tags for other types of filter. */
+
+int
+rda_is_filter(const uschar *s)
+{
+Uskip_whitespace(&s);			/* Skips initial blank lines */
+if (match_tag(s, CUS"# exim filter"))		return FILTER_EXIM;
+else if (match_tag(s, CUS"# sieve filter"))	return FILTER_SIEVE;
+else						return FILTER_FORWARD;
+}
+
+
+
+
+/*************************************************
+*         Check for existence of file            *
+*************************************************/
+
+/* First of all, we stat the file. If this fails, we try to stat the enclosing
+directory, because a file in an unmounted NFS directory will look the same as a
+non-existent file. It seems that in Solaris 2.6, statting an entry in an
+indirect map that is currently unmounted does not cause the mount to happen.
+Instead, dummy data is returned, which defeats the whole point of this test.
+However, if a stat() is done on some object inside the directory, such as the
+"." back reference to itself, then the mount does occur. If an NFS host is
+taken offline, it is possible for the stat() to get stuck until it comes back.
+To guard against this, stick a timer round it. If we can't access the "."
+inside the directory, try the plain directory, just in case that helps.
+
+Argument:
+  filename   the file name
+  error      for message on error
+
+Returns:     FILE_EXIST          the file exists
+             FILE_NOT_EXIST      the file does not exist
+             FILE_EXIST_UNCLEAR  cannot determine existence
+*/
+
+static int
+rda_exists(uschar *filename, uschar **error)
+{
+int rc, saved_errno;
+struct stat statbuf;
+uschar * s;
+
+if ((rc = Ustat(filename, &statbuf)) >= 0) return FILE_EXIST;
+saved_errno = errno;
+
+s = string_copy(filename);
+sigalrm_seen = FALSE;
+
+if (saved_errno == ENOENT)
+  {
+  uschar * slash = Ustrrchr(s, '/');
+  Ustrcpy(slash+1, US".");
+
+  ALARM(30);
+  rc = Ustat(s, &statbuf);
+  if (rc != 0 && errno == EACCES && !sigalrm_seen)
+    {
+    *slash = 0;
+    rc = Ustat(s, &statbuf);
+    }
+  saved_errno = errno;
+  ALARM_CLR(0);
+
+  DEBUG(D_route) debug_printf("stat(%s)=%d\n", s, rc);
+  }
+
+if (sigalrm_seen || rc != 0)
+  {
+  *error = string_sprintf("failed to stat %s (%s)", s,
+    sigalrm_seen?  "timeout" : strerror(saved_errno));
+  return FILE_EXIST_UNCLEAR;
+  }
+
+*error = string_sprintf("%s does not exist", filename);
+DEBUG(D_route) debug_printf("%s\n", *error);
+return FILE_NOT_EXIST;
+}
+
+
+
+/*************************************************
+*     Get forwarding list from a file            *
+*************************************************/
+
+/* Open a file and read its entire contents into a block of memory. Certain
+opening errors are optionally treated the same as "file does not exist".
+
+ENOTDIR means that something along the line is not a directory: there are
+installations that set home directories to be /dev/null for non-login accounts
+but in normal circumstances this indicates some kind of configuration error.
+
+EACCES means there's a permissions failure. Some users turn off read permission
+on a .forward file to suspend forwarding, but this is probably an error in any
+kind of mailing list processing.
+
+The redirect block that contains the file name also contains constraints such
+as who may own the file, and mode bits that must not be set. This function is
+
+Arguments:
+  rdata       rdirect block, containing file name and constraints
+  options     for the RDO_ENOTDIR and RDO_EACCES options
+  error       where to put an error message
+  yield       what to return from rda_interpret on error
+
+Returns:      pointer to string in store; NULL on error
+*/
+
+static uschar *
+rda_get_file_contents(const redirect_block *rdata, int options, uschar **error,
+  int *yield)
+{
+FILE *fwd;
+uschar *filebuf;
+uschar *filename = rdata->string;
+BOOL uid_ok = !rdata->check_owner;
+BOOL gid_ok = !rdata->check_group;
+struct stat statbuf;
+
+/* Reading a file is a form of expansion; we wish to deny attackers the
+capability to specify the file name. */
+
+if (is_tainted(filename))
+  {
+  *error = string_sprintf("Tainted name '%s' for file read not permitted\n",
+			filename);
+  *yield = FF_ERROR;
+  return NULL;
+  }
+
+/* Attempt to open the file. If it appears not to exist, check up on the
+containing directory by statting it. If the directory does not exist, we treat
+this situation as an error (which will cause delivery to defer); otherwise we
+pass back FF_NONEXIST, which causes the redirect router to decline.
+
+However, if the ignore_enotdir option is set (to ignore "something on the
+path is not a directory" errors), the right behaviour seems to be not to do the
+directory test. */
+
+if (!(fwd = Ufopen(filename, "rb"))) switch(errno)
+  {
+  case ENOENT:          /* File does not exist */
+    DEBUG(D_route) debug_printf("%s does not exist\n%schecking parent directory\n",
+      filename, options & RDO_ENOTDIR ? "ignore_enotdir set => skip " : "");
+    *yield =
+	options & RDO_ENOTDIR || rda_exists(filename, error) == FILE_NOT_EXIST
+	? FF_NONEXIST : FF_ERROR;
+    return NULL;
+
+  case ENOTDIR:         /* Something on the path isn't a directory */
+    if (!(options & RDO_ENOTDIR)) goto DEFAULT_ERROR;
+    DEBUG(D_route) debug_printf("non-directory on path %s: file assumed not to "
+      "exist\n", filename);
+    *yield = FF_NONEXIST;
+    return NULL;
+
+  case EACCES:           /* Permission denied */
+    if (!(options & RDO_EACCES)) goto DEFAULT_ERROR;
+    DEBUG(D_route) debug_printf("permission denied for %s: file assumed not to "
+      "exist\n", filename);
+    *yield = FF_NONEXIST;
+    return NULL;
+
+DEFAULT_ERROR:
+  default:
+    *error = string_open_failed("%s", filename);
+    *yield = FF_ERROR;
+    return NULL;
+  }
+
+/* Check that we have a regular file. */
+
+if (fstat(fileno(fwd), &statbuf) != 0)
+  {
+  *error = string_sprintf("failed to stat %s: %s", filename, strerror(errno));
+  goto ERROR_RETURN;
+  }
+
+if ((statbuf.st_mode & S_IFMT) != S_IFREG)
+  {
+  *error = string_sprintf("%s is not a regular file", filename);
+  goto ERROR_RETURN;
+  }
+
+/* Check for unwanted mode bits */
+
+if ((statbuf.st_mode & rdata->modemask) != 0)
+  {
+  *error = string_sprintf("bad mode (0%o) for %s: 0%o bit(s) unexpected",
+    statbuf.st_mode, filename, statbuf.st_mode & rdata->modemask);
+  goto ERROR_RETURN;
+  }
+
+/* Check the file owner and file group if required to do so. */
+
+if (!uid_ok)
+  if (rdata->pw && statbuf.st_uid == rdata->pw->pw_uid)
+    uid_ok = TRUE;
+  else if (rdata->owners)
+    for (int i = 1; i <= (int)(rdata->owners[0]); i++)
+      if (rdata->owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
+
+if (!gid_ok)
+  if (rdata->pw && statbuf.st_gid == rdata->pw->pw_gid)
+    gid_ok = TRUE;
+  else if (rdata->owngroups)
+    for (int i = 1; i <= (int)(rdata->owngroups[0]); i++)
+      if (rdata->owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
+
+if (!uid_ok || !gid_ok)
+  {
+  *error = string_sprintf("bad %s for %s", uid_ok? "group" : "owner", filename);
+  goto ERROR_RETURN;
+  }
+
+/* Put an upper limit on the size of the file, just to stop silly people
+feeding in ridiculously large files, which can easily be created by making
+files that have holes in them. */
+
+if (statbuf.st_size > MAX_FILTER_SIZE)
+  {
+  *error = string_sprintf("%s is too big (max %d)", filename, MAX_FILTER_SIZE);
+  goto ERROR_RETURN;
+  }
+
+/* Read the file in one go in order to minimize the time we have it open. */
+
+filebuf = store_get(statbuf.st_size + 1, filename);
+
+if (fread(filebuf, 1, statbuf.st_size, fwd) != statbuf.st_size)
+  {
+  *error = string_sprintf("error while reading %s: %s",
+    filename, strerror(errno));
+  goto ERROR_RETURN;
+  }
+filebuf[statbuf.st_size] = 0;
+
+DEBUG(D_route) debug_printf(OFF_T_FMT " %sbytes read from %s\n",
+  statbuf.st_size, is_tainted(filename) ? "(tainted) " : "", filename);
+
+(void)fclose(fwd);
+return filebuf;
+
+/* Return an error: the string is already set up. */
+
+ERROR_RETURN:
+*yield = FF_ERROR;
+(void)fclose(fwd);
+return NULL;
+}
+
+
+
+/*************************************************
+*      Extract info from list or filter          *
+*************************************************/
+
+/* This function calls the appropriate function to extract addresses from a
+forwarding list, or to run a filter file and get addresses from there.
+
+Arguments:
+  rdata                     the redirection block
+  options                   the options bits
+  include_directory         restrain to this directory
+  sieve_vacation_directory  passed to sieve_interpret
+  sieve_enotify_mailto_owner passed to sieve_interpret
+  sieve_useraddress         passed to sieve_interpret
+  sieve_subaddress          passed to sieve_interpret
+  generated                 where to hang generated addresses
+  error                     for error messages
+  eblockp                   for details of skipped syntax errors
+                              (NULL => no skip)
+  filtertype                set to the filter type:
+                              FILTER_FORWARD => a traditional .forward file
+                              FILTER_EXIM    => an Exim filter file
+                              FILTER_SIEVE   => a Sieve filter file
+                            a system filter is always forced to be FILTER_EXIM
+
+Returns:                    a suitable return for rda_interpret()
+*/
+
+static int
+rda_extract(const redirect_block * rdata, int options,
+  const uschar * include_directory, const uschar * sieve_vacation_directory,
+  const uschar * sieve_enotify_mailto_owner, const uschar * sieve_useraddress,
+  const uschar * sieve_subaddress, address_item ** generated, uschar ** error,
+  error_block ** eblockp, int * filtertype)
+{
+const uschar * data;
+
+if (rdata->isfile)
+  {
+  int yield = 0;
+  if (!(data = rda_get_file_contents(rdata, options, error, &yield)))
+    return yield;
+  }
+else data = rdata->string;
+
+*filtertype = f.system_filtering ? FILTER_EXIM : rda_is_filter(data);
+
+/* Filter interpretation is done by a general function that is also called from
+the filter testing option (-bf). There are two versions: one for Exim filtering
+and one for Sieve filtering. Several features of string expansion may be locked
+out at sites that don't trust users. This is done by setting flags in
+expand_forbid that the expander inspects. */
+
+if (*filtertype != FILTER_FORWARD)
+  {
+  int frc;
+  int old_expand_forbid = expand_forbid;
+
+  DEBUG(D_route) debug_printf("data is %s filter program\n",
+    *filtertype == FILTER_EXIM ? "an Exim" : "a Sieve");
+
+  /* RDO_FILTER is an "allow" bit */
+
+  if (!(options & RDO_FILTER))
+    {
+    *error = US"filtering not enabled";
+    return FF_ERROR;
+    }
+
+  expand_forbid =
+    expand_forbid & ~RDO_FILTER_EXPANSIONS  |  options & RDO_FILTER_EXPANSIONS;
+
+  /* RDO_{EXIM,SIEVE}_FILTER are forbid bits */
+
+  if (*filtertype == FILTER_EXIM)
+    {
+    if ((options & RDO_EXIM_FILTER) != 0)
+      {
+      *error = US"Exim filtering not enabled";
+      return FF_ERROR;
+      }
+    frc = filter_interpret(data, options, generated, error);
+    }
+  else
+    {
+    if (options & RDO_SIEVE_FILTER)
+      {
+      *error = US"Sieve filtering not enabled";
+      return FF_ERROR;
+      }
+    frc = sieve_interpret(data, options, sieve_vacation_directory,
+      sieve_enotify_mailto_owner, sieve_useraddress, sieve_subaddress,
+      generated, error);
+    }
+
+  expand_forbid = old_expand_forbid;
+  return frc;
+  }
+
+/* Not a filter script */
+
+DEBUG(D_route) debug_printf("file is not a filter file\n");
+
+return parse_forward_list(data,
+  options,                           /* specials that are allowed */
+  generated,                         /* where to hang them */
+  error,                             /* for errors */
+  deliver_domain,                    /* to qualify \name */
+  include_directory,                 /* restrain to directory */
+  eblockp);                          /* for skipped syntax errors */
+}
+
+
+
+
+/*************************************************
+*         Write string down pipe                 *
+*************************************************/
+
+/* This function is used for transferring a string down a pipe between
+processes. If the pointer is NULL, a length of zero is written.
+
+Arguments:
+  fd         the pipe
+  s          the string
+
+Returns:     -1 on error, else 0
+*/
+
+static int
+rda_write_string(int fd, const uschar *s)
+{
+int len = s ? Ustrlen(s) + 1 : 0;
+return (  write(fd, &len, sizeof(int)) != sizeof(int)
+       || (s   &&  write(fd, s, len) != len)
+       )
+       ? -1 : 0;
+}
+
+
+
+/*************************************************
+*          Read string from pipe                 *
+*************************************************/
+
+/* This function is used for receiving a string from a pipe.
+
+Arguments:
+  fd         the pipe
+  sp         where to put the string
+
+Returns:     FALSE if data missing
+*/
+
+static BOOL
+rda_read_string(int fd, uschar **sp)
+{
+int len;
+
+if (read(fd, &len, sizeof(int)) != sizeof(int)) return FALSE;
+if (len == 0)
+  *sp = NULL;
+else
+  /* We know we have enough memory so disable the error on "len" */
+  /* coverity[tainted_data] */
+  /* We trust the data source, so untainted */
+  if (read(fd, *sp = store_get(len, GET_UNTAINTED), len) != len) return FALSE;
+return TRUE;
+}
+
+
+
+/*************************************************
+*         Interpret forward list or filter       *
+*************************************************/
+
+/* This function is passed a forward list string (unexpanded) or the name of a
+file (unexpanded) whose contents are the forwarding list. The list may in fact
+be a filter program if it starts with "#Exim filter" or "#Sieve filter". Other
+types of filter, with different initial tag strings, may be introduced in due
+course.
+
+The job of the function is to process the forwarding list or filter. It is
+pulled out into this separate function, because it is used for system filter
+files as well as from the redirect router.
+
+If the function is given a uid/gid, it runs a subprocess that passes the
+results back via a pipe. This provides security for things like :include:s in
+users' .forward files, and "logwrite" calls in users' filter files. A
+sub-process is NOT used when:
+
+  . No uid/gid is provided
+  . The input is a string which is not a filter string, and does not contain
+    :include:
+  . The input is a file whose non-existence can be detected in the main
+    process (which is usually running as root).
+
+Arguments:
+  rdata                     redirect data (file + constraints, or data string)
+  options                   options to pass to the extraction functions,
+                              plus ENOTDIR and EACCES handling bits
+  include_directory         restrain :include: to this directory
+  sieve_vacation_directory  directory passed to sieve_interpret
+  sieve_enotify_mailto_owner passed to sieve_interpret
+  sieve_useraddress         passed to sieve_interpret
+  sieve_subaddress          passed to sieve_interpret
+  ugid                      uid/gid to run under - if NULL, no change
+  generated                 where to hang generated addresses, initially NULL
+  error                     pointer for error message
+  eblockp                   for skipped syntax errors; NULL if no skipping
+  filtertype                set to the type of file:
+                              FILTER_FORWARD => traditional .forward file
+                              FILTER_EXIM    => an Exim filter file
+                              FILTER_SIEVE   => a Sieve filter file
+                            a system filter is always forced to be FILTER_EXIM
+  rname                     router name for error messages in the format
+                              "xxx router" or "system filter"
+
+Returns:        values from extraction function, or FF_NONEXIST:
+                  FF_DELIVERED     success, a significant action was taken
+                  FF_NOTDELIVERED  success, no significant action
+                  FF_BLACKHOLE     :blackhole:
+                  FF_DEFER         defer requested
+                  FF_FAIL          fail requested
+                  FF_INCLUDEFAIL   some problem with :include:
+                  FF_FREEZE        freeze requested
+                  FF_ERROR         there was a problem
+                  FF_NONEXIST      the file does not exist
+*/
+
+int
+rda_interpret(redirect_block * rdata, int options,
+  const uschar * include_directory, const uschar * sieve_vacation_directory,
+  const uschar * sieve_enotify_mailto_owner, const uschar * sieve_useraddress,
+  const uschar * sieve_subaddress, const ugid_block * ugid, address_item ** generated,
+  uschar ** error, error_block ** eblockp, int * filtertype, const uschar * rname)
+{
+int fd, rc, pfd[2];
+int yield, status;
+BOOL had_disaster = FALSE;
+pid_t pid;
+uschar *data;
+uschar *readerror = US"";
+void (*oldsignal)(int);
+
+DEBUG(D_route) debug_printf("rda_interpret (%s): '%s'\n",
+  rdata->isfile ? "file" : "string", string_printing(rdata->string));
+
+/* Do the expansions of the file name or data first, while still privileged. */
+
+if (!(data = expand_string(rdata->string)))
+  {
+  if (f.expand_string_forcedfail) return FF_NOTDELIVERED;
+  *error = string_sprintf("failed to expand \"%s\": %s", rdata->string,
+    expand_string_message);
+  return FF_ERROR;
+  }
+rdata->string = data;
+
+DEBUG(D_route)
+  debug_printf("expanded: '%s'%s\n", data, is_tainted(data) ? " (tainted)":"");
+
+if (rdata->isfile && data[0] != '/')
+  {
+  *error = string_sprintf("\"%s\" is not an absolute path", data);
+  return FF_ERROR;
+  }
+
+/* If no uid/gid are supplied, or if we have a data string which does not start
+with #Exim filter or #Sieve filter, and does not contain :include:, do all the
+work in this process. Note that for a system filter, we always have a file, so
+the work is done in this process only if no user is supplied. */
+
+if (!ugid->uid_set ||                         /* Either there's no uid, or */
+    (!rdata->isfile &&                        /* We've got the data, and */
+     rda_is_filter(data) == FILTER_FORWARD && /* It's not a filter script, */
+     Ustrstr(data, ":include:") == NULL))     /* and there's no :include: */
+  return rda_extract(rdata, options, include_directory,
+    sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
+    sieve_subaddress, generated, error, eblockp, filtertype);
+
+/* We need to run the processing code in a sub-process. However, if we can
+determine the non-existence of a file first, we can decline without having to
+create the sub-process. */
+
+if (rdata->isfile && rda_exists(data, error) == FILE_NOT_EXIST)
+  return FF_NONEXIST;
+
+/* If the file does exist, or we can't tell (non-root mounted NFS directory)
+we have to create the subprocess to do everything as the given user. The
+results of processing are passed back via a pipe. */
+
+if (pipe(pfd) != 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "creation of pipe for filter or "
+    ":include: failed for %s: %s", rname, strerror(errno));
+
+/* Ensure that SIGCHLD is set to SIG_DFL before forking, so that the child
+process can be waited for. We sometimes get here with it set otherwise. Save
+the old state for resetting on the wait. Ensure that all cached resources are
+freed so that the subprocess starts with a clean slate and doesn't interfere
+with the parent process. */
+
+oldsignal = signal(SIGCHLD, SIG_DFL);
+search_tidyup();
+
+if ((pid = exim_fork(US"router-interpret")) == 0)
+  {
+  header_line *waslast = header_last;   /* Save last header */
+  int fd_flags = -1;
+
+  fd = pfd[pipe_write];
+  (void)close(pfd[pipe_read]);
+
+  if ((fd_flags = fcntl(fd, F_GETFD)) == -1) goto bad;
+  if (fcntl(fd, F_SETFD, fd_flags | FD_CLOEXEC) == -1) goto bad;
+
+  exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
+
+  /* Addresses can get rewritten in filters; if we are not root or the exim
+  user (and we probably are not), turn off rewrite logging, because we cannot
+  write to the log now. */
+
+  if (ugid->uid != root_uid && ugid->uid != exim_uid)
+    {
+    DEBUG(D_rewrite) debug_printf("turned off address rewrite logging (not "
+      "root or exim in this process)\n");
+    BIT_CLEAR(log_selector, log_selector_size, Li_address_rewrite);
+    }
+
+  /* Now do the business */
+
+  yield = rda_extract(rdata, options, include_directory,
+    sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
+    sieve_subaddress, generated, error, eblockp, filtertype);
+
+  /* Pass back whether it was a filter, and the return code and any overall
+  error text via the pipe. */
+
+  if (  write(fd, filtertype, sizeof(int)) != sizeof(int)
+     || write(fd, &yield, sizeof(int)) != sizeof(int)
+     || rda_write_string(fd, *error) != 0
+     )
+    goto bad;
+
+  /* Pass back the contents of any syntax error blocks if we have a pointer */
+
+  if (eblockp)
+    {
+    for (error_block * ep = *eblockp; ep; ep = ep->next)
+      if (  rda_write_string(fd, ep->text1) != 0
+         || rda_write_string(fd, ep->text2) != 0
+	 )
+	goto bad;
+    if (rda_write_string(fd, NULL) != 0)    /* Indicates end of eblocks */
+      goto bad;
+    }
+
+  /* If this is a system filter, we have to pass back the numbers of any
+  original header lines that were removed, and then any header lines that were
+  added but not subsequently removed. */
+
+  if (f.system_filtering)
+    {
+    int i = 0;
+    for (header_line * h = header_list; h != waslast->next; i++, h = h->next)
+      if (  h->type == htype_old
+         && write(fd, &i, sizeof(i)) != sizeof(i)
+	 )
+	goto bad;
+
+    i = -1;
+    if (write(fd, &i, sizeof(i)) != sizeof(i))
+	goto bad;
+
+    while (waslast != header_last)
+      {
+      waslast = waslast->next;
+      if (waslast->type != htype_old)
+	if (  rda_write_string(fd, waslast->text) != 0
+           || write(fd, &(waslast->type), sizeof(waslast->type))
+	      != sizeof(waslast->type)
+	   )
+	  goto bad;
+      }
+    if (rda_write_string(fd, NULL) != 0)    /* Indicates end of added headers */
+      goto bad;
+    }
+
+  /* Write the contents of the $n variables */
+
+  if (write(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n))
+    goto bad;
+
+  /* If the result was DELIVERED or NOTDELIVERED, we pass back the generated
+  addresses, and their associated information, through the pipe. This is
+  just tedious, but it seems to be the only safe way. We do this also for
+  FAIL and FREEZE, because a filter is allowed to set up deliveries that
+  are honoured before freezing or failing. */
+
+  if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
+      yield == FF_FAIL || yield == FF_FREEZE)
+    {
+    for (address_item * addr = *generated; addr; addr = addr->next)
+      {
+      int reply_options = 0;
+      int ig_err = addr->prop.ignore_error ? 1 : 0;
+
+      if (  rda_write_string(fd, addr->address) != 0
+         || write(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
+         || write(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
+         || rda_write_string(fd, addr->prop.errors_address) != 0
+         || write(fd, &ig_err, sizeof(ig_err)) != sizeof(ig_err)
+	 )
+	goto bad;
+
+      if (addr->pipe_expandn)
+        for (uschar ** pp = addr->pipe_expandn; *pp; pp++)
+          if (rda_write_string(fd, *pp) != 0)
+	    goto bad;
+      if (rda_write_string(fd, NULL) != 0)
+        goto bad;
+
+      if (!addr->reply)
+	{
+        if (write(fd, &reply_options, sizeof(int)) != sizeof(int))    /* 0 means no reply */
+	  goto bad;
+	}
+      else
+        {
+        reply_options |= REPLY_EXISTS;
+        if (addr->reply->file_expand) reply_options |= REPLY_EXPAND;
+        if (addr->reply->return_message) reply_options |= REPLY_RETURN;
+        if (  write(fd, &reply_options, sizeof(int)) != sizeof(int)
+           || write(fd, &(addr->reply->expand_forbid), sizeof(int))
+	      != sizeof(int)
+           || write(fd, &(addr->reply->once_repeat), sizeof(time_t))
+	      != sizeof(time_t)
+           || rda_write_string(fd, addr->reply->to) != 0
+           || rda_write_string(fd, addr->reply->cc) != 0
+           || rda_write_string(fd, addr->reply->bcc) != 0
+           || rda_write_string(fd, addr->reply->from) != 0
+           || rda_write_string(fd, addr->reply->reply_to) != 0
+           || rda_write_string(fd, addr->reply->subject) != 0
+           || rda_write_string(fd, addr->reply->headers) != 0
+           || rda_write_string(fd, addr->reply->text) != 0
+           || rda_write_string(fd, addr->reply->file) != 0
+           || rda_write_string(fd, addr->reply->logfile) != 0
+           || rda_write_string(fd, addr->reply->oncelog) != 0
+	   )
+	  goto bad;
+        }
+      }
+
+    if (rda_write_string(fd, NULL) != 0)   /* Marks end of addresses */
+      goto bad;
+    }
+
+  /* OK, this process is now done. Free any cached resources. Must use _exit()
+  and not exit() !! */
+
+out:
+  (void)close(fd);
+  search_tidyup();
+  exim_underbar_exit(EXIT_SUCCESS);
+
+bad:
+  DEBUG(D_rewrite) debug_printf("rda_interpret: failed write to pipe\n");
+  goto out;
+  }
+
+/* Back in the main process: panic if the fork did not succeed. */
+
+if (pid < 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for %s", rname);
+
+/* Read the pipe to get the data from the filter/forward. Our copy of the
+writing end must be closed first, as otherwise read() won't return zero on an
+empty pipe. Afterwards, close the reading end. */
+
+(void)close(pfd[pipe_write]);
+
+/* Read initial data, including yield and contents of *error */
+
+fd = pfd[pipe_read];
+if (read(fd, filtertype, sizeof(int)) != sizeof(int) ||
+    read(fd, &yield, sizeof(int)) != sizeof(int) ||
+    !rda_read_string(fd, error)) goto DISASTER;
+
+/* Read the contents of any syntax error blocks if we have a pointer */
+
+if (eblockp)
+  {
+  error_block *e;
+  for (error_block ** p = eblockp; ; p = &e->next)
+    {
+    uschar *s;
+    if (!rda_read_string(fd, &s)) goto DISASTER;
+    if (!s) break;
+    e = store_get(sizeof(error_block), GET_UNTAINTED);
+    e->next = NULL;
+    e->text1 = s;
+    if (!rda_read_string(fd, &s)) goto DISASTER;
+    e->text2 = s;
+    *p = e;
+    }
+  }
+
+/* If this is a system filter, read the identify of any original header lines
+that were removed, and then read data for any new ones that were added. */
+
+if (f.system_filtering)
+  {
+  int hn = 0;
+  header_line *h = header_list;
+
+  for (;;)
+    {
+    int n;
+    if (read(fd, &n, sizeof(int)) != sizeof(int)) goto DISASTER;
+    if (n < 0) break;
+    while (hn < n)
+      {
+      hn++;
+      if (!(h = h->next)) goto DISASTER_NO_HEADER;
+      }
+    h->type = htype_old;
+    }
+
+  for (;;)
+    {
+    uschar *s;
+    int type;
+    if (!rda_read_string(fd, &s)) goto DISASTER;
+    if (!s) break;
+    if (read(fd, &type, sizeof(type)) != sizeof(type)) goto DISASTER;
+    header_add(type, "%s", s);
+    }
+  }
+
+/* Read the values of the $n variables */
+
+if (read(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n)) goto DISASTER;
+
+/* If the yield is DELIVERED, NOTDELIVERED, FAIL, or FREEZE there may follow
+addresses and data to go with them. Keep them in the same order in the
+generated chain. */
+
+if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
+    yield == FF_FAIL || yield == FF_FREEZE)
+  {
+  address_item **nextp = generated;
+
+  for (;;)
+    {
+    int i, reply_options;
+    address_item *addr;
+    uschar *recipient;
+    uschar *expandn[EXPAND_MAXN + 2];
+
+    /* First string is the address; NULL => end of addresses */
+
+    if (!rda_read_string(fd, &recipient)) goto DISASTER;
+    if (!recipient) break;
+
+    /* Hang on the end of the chain */
+
+    addr = deliver_make_addr(recipient, FALSE);
+    *nextp = addr;
+    nextp = &(addr->next);
+
+    /* Next comes the mode and the flags fields */
+
+    if (  read(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
+       || read(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
+       || !rda_read_string(fd, &addr->prop.errors_address)
+       || read(fd, &i, sizeof(i)) != sizeof(i)
+       )
+      goto DISASTER;
+    addr->prop.ignore_error = (i != 0);
+
+    /* Next comes a possible setting for $thisaddress and any numerical
+    variables for pipe expansion, terminated by a NULL string. The maximum
+    number of numericals is EXPAND_MAXN. Note that we put filter_thisaddress
+    into the zeroth item in the vector - this is sorted out inside the pipe
+    transport. */
+
+    for (i = 0; i < EXPAND_MAXN + 1; i++)
+      {
+      uschar *temp;
+      if (!rda_read_string(fd, &temp)) goto DISASTER;
+      if (i == 0) filter_thisaddress = temp;           /* Just in case */
+      expandn[i] = temp;
+      if (temp == NULL) break;
+      }
+
+    if (i > 0)
+      {
+      addr->pipe_expandn = store_get((i+1) * sizeof(uschar *), GET_UNTAINTED);
+      addr->pipe_expandn[i] = NULL;
+      while (--i >= 0) addr->pipe_expandn[i] = expandn[i];
+      }
+
+    /* Then an int containing reply options; zero => no reply data. */
+
+    if (read(fd, &reply_options, sizeof(int)) != sizeof(int)) goto DISASTER;
+    if ((reply_options & REPLY_EXISTS) != 0)
+      {
+      addr->reply = store_get(sizeof(reply_item), GET_UNTAINTED);
+
+      addr->reply->file_expand = (reply_options & REPLY_EXPAND) != 0;
+      addr->reply->return_message = (reply_options & REPLY_RETURN) != 0;
+
+      if (read(fd,&(addr->reply->expand_forbid),sizeof(int)) !=
+            sizeof(int) ||
+          read(fd,&(addr->reply->once_repeat),sizeof(time_t)) !=
+            sizeof(time_t) ||
+          !rda_read_string(fd, &addr->reply->to) ||
+          !rda_read_string(fd, &addr->reply->cc) ||
+          !rda_read_string(fd, &addr->reply->bcc) ||
+          !rda_read_string(fd, &addr->reply->from) ||
+          !rda_read_string(fd, &addr->reply->reply_to) ||
+          !rda_read_string(fd, &addr->reply->subject) ||
+          !rda_read_string(fd, &addr->reply->headers) ||
+          !rda_read_string(fd, &addr->reply->text) ||
+          !rda_read_string(fd, &addr->reply->file) ||
+          !rda_read_string(fd, &addr->reply->logfile) ||
+          !rda_read_string(fd, &addr->reply->oncelog))
+        goto DISASTER;
+      }
+    }
+  }
+
+/* All data has been transferred from the sub-process. Reap it, close the
+reading end of the pipe, and we are done. */
+
+WAIT_EXIT:
+while ((rc = wait(&status)) != pid)
+  if (rc < 0 && errno == ECHILD)      /* Process has vanished */
+    {
+    log_write(0, LOG_MAIN, "redirection process %d vanished unexpectedly", pid);
+    goto FINAL_EXIT;
+    }
+
+DEBUG(D_route)
+  debug_printf("rda_interpret: subprocess yield=%d error=%s\n", yield, *error);
+
+if (had_disaster)
+  {
+  *error = string_sprintf("internal problem in %s: failure to transfer "
+    "data from subprocess: status=%04x%s%s%s", rname,
+    status, readerror,
+    *error ? US": error=" : US"",
+    *error ? *error : US"");
+  log_write(0, LOG_MAIN|LOG_PANIC, "%s", *error);
+  }
+else if (status != 0)
+  log_write(0, LOG_MAIN|LOG_PANIC, "internal problem in %s: unexpected status "
+    "%04x from redirect subprocess (but data correctly received)", rname,
+    status);
+
+FINAL_EXIT:
+(void)close(fd);
+signal(SIGCHLD, oldsignal);   /* restore */
+return yield;
+
+
+/* Come here if the data indicates removal of a header that we can't find */
+
+DISASTER_NO_HEADER:
+readerror = US" readerror=bad header identifier";
+had_disaster = TRUE;
+yield = FF_ERROR;
+goto WAIT_EXIT;
+
+/* Come here is there's a shambles in transferring the data over the pipe. The
+value of errno should still be set. */
+
+DISASTER:
+readerror = string_sprintf(" readerror='%s'", strerror(errno));
+had_disaster = TRUE;
+yield = FF_ERROR;
+goto WAIT_EXIT;
+}
+
+/* End of rda.c */
diff --git a/src/readconf.c b/src/readconf.c
new file mode 100644
index 0000000..06bc50f
--- /dev/null
+++ b/src/readconf.c
@@ -0,0 +1,4510 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions for reading the configuration file, and for displaying
+overall configuration values. Thanks to Brian Candler for the original
+implementation of the conditional .ifdef etc. */
+
+#include "exim.h"
+
+#ifdef MACRO_PREDEF
+# include "macro_predef.h"
+#endif
+
+#define READCONF_DEBUG	if (FALSE)	/* Change to TRUE to enable */
+
+
+static uschar * syslog_facility_str;
+static void fn_smtp_receive_timeout(const uschar *, const uschar *, unsigned);
+
+/*************************************************
+*           Main configuration options           *
+*************************************************/
+
+/* The list of options that can be set in the main configuration file. This
+must be in alphabetic order because it is searched by binary chop. */
+
+static optionlist optionlist_config[] = {
+  { "*set_exim_group",          opt_bool|opt_hidden, {&exim_gid_set} },
+  { "*set_exim_user",           opt_bool|opt_hidden, {&exim_uid_set} },
+  { "*set_system_filter_group", opt_bool|opt_hidden, {&system_filter_gid_set} },
+  { "*set_system_filter_user",  opt_bool|opt_hidden, {&system_filter_uid_set} },
+  { "accept_8bitmime",          opt_bool,        {&accept_8bitmime} },
+  { "acl_not_smtp",             opt_stringptr,   {&acl_not_smtp} },
+#ifdef WITH_CONTENT_SCAN
+  { "acl_not_smtp_mime",        opt_stringptr,   {&acl_not_smtp_mime} },
+#endif
+  { "acl_not_smtp_start",       opt_stringptr,   {&acl_not_smtp_start} },
+  { "acl_smtp_auth",            opt_stringptr,   {&acl_smtp_auth} },
+  { "acl_smtp_connect",         opt_stringptr,   {&acl_smtp_connect} },
+  { "acl_smtp_data",            opt_stringptr,   {&acl_smtp_data} },
+#ifndef DISABLE_PRDR
+  { "acl_smtp_data_prdr",       opt_stringptr,   {&acl_smtp_data_prdr} },
+#endif
+#ifndef DISABLE_DKIM
+  { "acl_smtp_dkim",            opt_stringptr,   {&acl_smtp_dkim} },
+#endif
+  { "acl_smtp_etrn",            opt_stringptr,   {&acl_smtp_etrn} },
+  { "acl_smtp_expn",            opt_stringptr,   {&acl_smtp_expn} },
+  { "acl_smtp_helo",            opt_stringptr,   {&acl_smtp_helo} },
+  { "acl_smtp_mail",            opt_stringptr,   {&acl_smtp_mail} },
+  { "acl_smtp_mailauth",        opt_stringptr,   {&acl_smtp_mailauth} },
+#ifdef WITH_CONTENT_SCAN
+  { "acl_smtp_mime",            opt_stringptr,   {&acl_smtp_mime} },
+#endif
+  { "acl_smtp_notquit",         opt_stringptr,   {&acl_smtp_notquit} },
+  { "acl_smtp_predata",         opt_stringptr,   {&acl_smtp_predata} },
+  { "acl_smtp_quit",            opt_stringptr,   {&acl_smtp_quit} },
+  { "acl_smtp_rcpt",            opt_stringptr,   {&acl_smtp_rcpt} },
+#ifndef DISABLE_TLS
+  { "acl_smtp_starttls",        opt_stringptr,   {&acl_smtp_starttls} },
+#endif
+  { "acl_smtp_vrfy",            opt_stringptr,   {&acl_smtp_vrfy} },
+  { "add_environment",          opt_stringptr,   {&add_environment} },
+  { "admin_groups",             opt_gidlist,     {&admin_groups} },
+  { "allow_domain_literals",    opt_bool,        {&allow_domain_literals} },
+  { "allow_mx_to_ip",           opt_bool,        {&allow_mx_to_ip} },
+  { "allow_utf8_domains",       opt_bool,        {&allow_utf8_domains} },
+  { "auth_advertise_hosts",     opt_stringptr,   {&auth_advertise_hosts} },
+  { "auto_thaw",                opt_time,        {&auto_thaw} },
+#ifdef WITH_CONTENT_SCAN
+  { "av_scanner",               opt_stringptr,   {&av_scanner} },
+#endif
+  { "bi_command",               opt_stringptr,   {&bi_command} },
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+  { "bmi_config_file",          opt_stringptr,   {&bmi_config_file} },
+#endif
+  { "bounce_message_file",      opt_stringptr,   {&bounce_message_file} },
+  { "bounce_message_text",      opt_stringptr,   {&bounce_message_text} },
+  { "bounce_return_body",       opt_bool,        {&bounce_return_body} },
+  { "bounce_return_linesize_limit", opt_mkint,   {&bounce_return_linesize_limit} },
+  { "bounce_return_message",    opt_bool,        {&bounce_return_message} },
+  { "bounce_return_size_limit", opt_mkint,       {&bounce_return_size_limit} },
+  { "bounce_sender_authentication",opt_stringptr,{&bounce_sender_authentication} },
+  { "callout_domain_negative_expire", opt_time,  {&callout_cache_domain_negative_expire} },
+  { "callout_domain_positive_expire", opt_time,  {&callout_cache_domain_positive_expire} },
+  { "callout_negative_expire",  opt_time,        {&callout_cache_negative_expire} },
+  { "callout_positive_expire",  opt_time,        {&callout_cache_positive_expire} },
+  { "callout_random_local_part",opt_stringptr,   {&callout_random_local_part} },
+  { "check_log_inodes",         opt_int,         {&check_log_inodes} },
+  { "check_log_space",          opt_Kint,        {&check_log_space} },
+  { "check_rfc2047_length",     opt_bool,        {&check_rfc2047_length} },
+  { "check_spool_inodes",       opt_int,         {&check_spool_inodes} },
+  { "check_spool_space",        opt_Kint,        {&check_spool_space} },
+  { "chunking_advertise_hosts", opt_stringptr,	 {&chunking_advertise_hosts} },
+  { "commandline_checks_require_admin", opt_bool,{&commandline_checks_require_admin} },
+  { "daemon_smtp_port",         opt_stringptr|opt_hidden, {&daemon_smtp_port} },
+  { "daemon_smtp_ports",        opt_stringptr,   {&daemon_smtp_port} },
+  { "daemon_startup_retries",   opt_int,         {&daemon_startup_retries} },
+  { "daemon_startup_sleep",     opt_time,        {&daemon_startup_sleep} },
+#ifdef EXPERIMENTAL_DCC
+  { "dcc_direct_add_header",    opt_bool,        {&dcc_direct_add_header} },
+  { "dccifd_address",           opt_stringptr,   {&dccifd_address} },
+  { "dccifd_options",           opt_stringptr,   {&dccifd_options} },
+#endif
+  { "debug_store",              opt_bool,        {&debug_store} },
+  { "delay_warning",            opt_timelist,    {&delay_warning} },
+  { "delay_warning_condition",  opt_stringptr,   {&delay_warning_condition} },
+  { "deliver_drop_privilege",   opt_bool,        {&deliver_drop_privilege} },
+  { "deliver_queue_load_max",   opt_fixed,       {&deliver_queue_load_max} },
+  { "delivery_date_remove",     opt_bool,        {&delivery_date_remove} },
+#ifdef ENABLE_DISABLE_FSYNC
+  { "disable_fsync",            opt_bool,        {&disable_fsync} },
+#endif
+  { "disable_ipv6",             opt_bool,        {&disable_ipv6} },
+#ifndef DISABLE_DKIM
+  { "dkim_verify_hashes",       opt_stringptr,   {&dkim_verify_hashes} },
+  { "dkim_verify_keytypes",     opt_stringptr,   {&dkim_verify_keytypes} },
+  { "dkim_verify_min_keysizes", opt_stringptr,   {&dkim_verify_min_keysizes} },
+  { "dkim_verify_minimal",      opt_bool,        {&dkim_verify_minimal} },
+  { "dkim_verify_signers",      opt_stringptr,   {&dkim_verify_signers} },
+#endif
+#ifdef SUPPORT_DMARC
+  { "dmarc_forensic_sender",    opt_stringptr,   {&dmarc_forensic_sender} },
+  { "dmarc_history_file",       opt_stringptr,   {&dmarc_history_file} },
+  { "dmarc_tld_file",           opt_stringptr,   {&dmarc_tld_file} },
+#endif
+  { "dns_again_means_nonexist", opt_stringptr,   {&dns_again_means_nonexist} },
+  { "dns_check_names_pattern",  opt_stringptr,   {&check_dns_names_pattern} },
+  { "dns_cname_loops",		opt_int,	 {&dns_cname_loops} },
+  { "dns_csa_search_limit",     opt_int,         {&dns_csa_search_limit} },
+  { "dns_csa_use_reverse",      opt_bool,        {&dns_csa_use_reverse} },
+  { "dns_dnssec_ok",            opt_int,         {&dns_dnssec_ok} },
+  { "dns_ipv4_lookup",          opt_stringptr,   {&dns_ipv4_lookup} },
+  { "dns_retrans",              opt_time,        {&dns_retrans} },
+  { "dns_retry",                opt_int,         {&dns_retry} },
+  { "dns_trust_aa",             opt_stringptr,   {&dns_trust_aa} },
+  { "dns_use_edns0",            opt_int,         {&dns_use_edns0} },
+ /* This option is now a no-op, retained for compatibility */
+  { "drop_cr",                  opt_bool,        {&drop_cr} },
+/*********************************************************/
+  { "dsn_advertise_hosts",      opt_stringptr,   {&dsn_advertise_hosts} },
+  { "dsn_from",                 opt_stringptr,   {&dsn_from} },
+  { "envelope_to_remove",       opt_bool,        {&envelope_to_remove} },
+  { "errors_copy",              opt_stringptr,   {&errors_copy} },
+  { "errors_reply_to",          opt_stringptr,   {&errors_reply_to} },
+#ifndef DISABLE_EVENT
+  { "event_action",             opt_stringptr,   {&event_action} },
+#endif
+  { "exim_group",               opt_gid,         {&exim_gid} },
+  { "exim_path",                opt_stringptr,   {&exim_path} },
+  { "exim_user",                opt_uid,         {&exim_uid} },
+  { "exim_version",             opt_stringptr,   {&version_string} },
+  { "extra_local_interfaces",   opt_stringptr,   {&extra_local_interfaces} },
+  { "extract_addresses_remove_arguments", opt_bool, {&extract_addresses_remove_arguments} },
+  { "finduser_retries",         opt_int,         {&finduser_retries} },
+  { "freeze_tell",              opt_stringptr,   {&freeze_tell} },
+  { "gecos_name",               opt_stringptr,   {&gecos_name} },
+  { "gecos_pattern",            opt_stringptr,   {&gecos_pattern} },
+#ifndef DISABLE_TLS
+  { "gnutls_allow_auto_pkcs11", opt_bool,        {&gnutls_allow_auto_pkcs11} },
+  { "gnutls_compat_mode",       opt_bool,        {&gnutls_compat_mode} },
+#endif
+  { "header_line_maxsize",      opt_int,         {&header_line_maxsize} },
+  { "header_maxsize",           opt_int,         {&header_maxsize} },
+  { "headers_charset",          opt_stringptr,   {&headers_charset} },
+  { "helo_accept_junk_hosts",   opt_stringptr,   {&helo_accept_junk_hosts} },
+  { "helo_allow_chars",         opt_stringptr,   {&helo_allow_chars} },
+  { "helo_lookup_domains",      opt_stringptr,   {&helo_lookup_domains} },
+  { "helo_try_verify_hosts",    opt_stringptr,   {&helo_try_verify_hosts} },
+  { "helo_verify_hosts",        opt_stringptr,   {&helo_verify_hosts} },
+  { "hold_domains",             opt_stringptr,   {&hold_domains} },
+  { "host_lookup",              opt_stringptr,   {&host_lookup} },
+  { "host_lookup_order",        opt_stringptr,   {&host_lookup_order} },
+  { "host_reject_connection",   opt_stringptr,   {&host_reject_connection} },
+  { "hosts_connection_nolog",   opt_stringptr,   {&hosts_connection_nolog} },
+#ifdef SUPPORT_PROXY
+  { "hosts_proxy",              opt_stringptr,   {&hosts_proxy} },
+#endif
+#ifndef DISABLE_TLS
+  { "hosts_require_alpn",       opt_stringptr,   {&hosts_require_alpn} },
+#endif
+  { "hosts_require_helo",       opt_stringptr,   {&hosts_require_helo} },
+  { "hosts_treat_as_local",     opt_stringptr,   {&hosts_treat_as_local} },
+#ifdef LOOKUP_IBASE
+  { "ibase_servers",            opt_stringptr,   {&ibase_servers} },
+#endif
+  { "ignore_bounce_errors_after", opt_time,      {&ignore_bounce_errors_after} },
+  { "ignore_fromline_hosts",    opt_stringptr,   {&ignore_fromline_hosts} },
+  { "ignore_fromline_local",    opt_bool,        {&ignore_fromline_local} },
+  { "keep_environment",         opt_stringptr,   {&keep_environment} },
+  { "keep_malformed",           opt_time,        {&keep_malformed} },
+#ifdef LOOKUP_LDAP
+  { "ldap_ca_cert_dir",         opt_stringptr,   {&eldap_ca_cert_dir} },
+  { "ldap_ca_cert_file",        opt_stringptr,   {&eldap_ca_cert_file} },
+  { "ldap_cert_file",           opt_stringptr,   {&eldap_cert_file} },
+  { "ldap_cert_key",            opt_stringptr,   {&eldap_cert_key} },
+  { "ldap_cipher_suite",        opt_stringptr,   {&eldap_cipher_suite} },
+  { "ldap_default_servers",     opt_stringptr,   {&eldap_default_servers} },
+  { "ldap_require_cert",        opt_stringptr,   {&eldap_require_cert} },
+  { "ldap_start_tls",           opt_bool,        {&eldap_start_tls} },
+  { "ldap_version",             opt_int,         {&eldap_version} },
+#endif
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+  { "limits_advertise_hosts", opt_stringptr, {&limits_advertise_hosts} },
+#endif
+  { "local_from_check",         opt_bool,        {&local_from_check} },
+  { "local_from_prefix",        opt_stringptr,   {&local_from_prefix} },
+  { "local_from_suffix",        opt_stringptr,   {&local_from_suffix} },
+  { "local_interfaces",         opt_stringptr,   {&local_interfaces} },
+#ifdef HAVE_LOCAL_SCAN
+  { "local_scan_timeout",       opt_time,        {&local_scan_timeout} },
+#endif
+  { "local_sender_retain",      opt_bool,        {&local_sender_retain} },
+  { "localhost_number",         opt_stringptr,   {&host_number_string} },
+  { "log_file_path",            opt_stringptr,   {&log_file_path} },
+  { "log_selector",             opt_stringptr,   {&log_selector_string} },
+  { "log_timezone",             opt_bool,        {&log_timezone} },
+  { "lookup_open_max",          opt_int,         {&lookup_open_max} },
+  { "max_username_length",      opt_int,         {&max_username_length} },
+  { "message_body_newlines",    opt_bool,        {&message_body_newlines} },
+  { "message_body_visible",     opt_mkint,       {&message_body_visible} },
+  { "message_id_header_domain", opt_stringptr,   {&message_id_domain} },
+  { "message_id_header_text",   opt_stringptr,   {&message_id_text} },
+  { "message_logs",             opt_bool,        {&message_logs} },
+  { "message_size_limit",       opt_stringptr,   {&message_size_limit} },
+#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
+  { "move_frozen_messages",     opt_bool,        {&move_frozen_messages} },
+#endif
+  { "mua_wrapper",              opt_bool,        {&mua_wrapper} },
+#ifdef LOOKUP_MYSQL
+  { "mysql_servers",            opt_stringptr,   {&mysql_servers} },
+#endif
+  { "never_users",              opt_uidlist,     {&never_users} },
+  { "notifier_socket",          opt_stringptr,   {&notifier_socket} },
+#ifndef DISABLE_TLS
+  { "openssl_options",          opt_stringptr,   {&openssl_options} },
+#endif
+#ifdef LOOKUP_ORACLE
+  { "oracle_servers",           opt_stringptr,   {&oracle_servers} },
+#endif
+  { "percent_hack_domains",     opt_stringptr,   {&percent_hack_domains} },
+#ifdef EXIM_PERL
+  { "perl_at_start",            opt_bool,        {&opt_perl_at_start} },
+  { "perl_startup",             opt_stringptr,   {&opt_perl_startup} },
+  { "perl_taintmode",           opt_bool,        {&opt_perl_taintmode} },
+#endif
+#ifdef LOOKUP_PGSQL
+  { "pgsql_servers",            opt_stringptr,   {&pgsql_servers} },
+#endif
+  { "pid_file_path",            opt_stringptr,   {&pid_file_path} },
+  { "pipelining_advertise_hosts", opt_stringptr, {&pipelining_advertise_hosts} },
+#ifndef DISABLE_PIPE_CONNECT
+  { "pipelining_connect_advertise_hosts", opt_stringptr,
+						 {&pipe_connect_advertise_hosts} },
+#endif
+#ifndef DISABLE_PRDR
+  { "prdr_enable",              opt_bool,        {&prdr_enable} },
+#endif
+  { "preserve_message_logs",    opt_bool,        {&preserve_message_logs} },
+  { "primary_hostname",         opt_stringptr,   {&primary_hostname} },
+  { "print_topbitchars",        opt_bool,        {&print_topbitchars} },
+  { "process_log_path",         opt_stringptr,   {&process_log_path} },
+  { "prod_requires_admin",      opt_bool,        {&prod_requires_admin} },
+#ifdef SUPPORT_PROXY
+  { "proxy_protocol_timeout",   opt_time,        {&proxy_protocol_timeout} },
+#endif
+  { "qualify_domain",           opt_stringptr,   {&qualify_domain_sender} },
+  { "qualify_recipient",        opt_stringptr,   {&qualify_domain_recipient} },
+  { "queue_domains",            opt_stringptr,   {&queue_domains} },
+#ifndef DISABLE_QUEUE_RAMP
+  { "queue_fast_ramp",          opt_bool,        {&queue_fast_ramp} },
+#endif
+  { "queue_list_requires_admin",opt_bool,        {&queue_list_requires_admin} },
+  { "queue_only",               opt_bool,        {&queue_only} },
+  { "queue_only_file",          opt_stringptr,   {&queue_only_file} },
+  { "queue_only_load",          opt_fixed,       {&queue_only_load} },
+  { "queue_only_load_latch",    opt_bool,        {&queue_only_load_latch} },
+  { "queue_only_override",      opt_bool,        {&queue_only_override} },
+  { "queue_run_in_order",       opt_bool,        {&queue_run_in_order} },
+  { "queue_run_max",            opt_stringptr,   {&queue_run_max} },
+  { "queue_smtp_domains",       opt_stringptr,   {&queue_smtp_domains} },
+  { "receive_timeout",          opt_time,        {&receive_timeout} },
+  { "received_header_text",     opt_stringptr,   {&received_header_text} },
+  { "received_headers_max",     opt_int,         {&received_headers_max} },
+  { "recipient_unqualified_hosts", opt_stringptr, {&recipient_unqualified_hosts} },
+  { "recipients_max",           opt_int,         {&recipients_max} },
+  { "recipients_max_reject",    opt_bool,        {&recipients_max_reject} },
+#ifdef LOOKUP_REDIS
+  { "redis_servers",            opt_stringptr,   {&redis_servers} },
+#endif
+  { "remote_max_parallel",      opt_int,         {&remote_max_parallel} },
+  { "remote_sort_domains",      opt_stringptr,   {&remote_sort_domains} },
+  { "retry_data_expire",        opt_time,        {&retry_data_expire} },
+  { "retry_interval_max",       opt_time,        {&retry_interval_max} },
+  { "return_path_remove",       opt_bool,        {&return_path_remove} },
+  { "return_size_limit",        opt_mkint|opt_hidden, {&bounce_return_size_limit} },
+  { "rfc1413_hosts",            opt_stringptr,   {&rfc1413_hosts} },
+  { "rfc1413_query_timeout",    opt_time,        {&rfc1413_query_timeout} },
+  { "sender_unqualified_hosts", opt_stringptr,   {&sender_unqualified_hosts} },
+  { "slow_lookup_log",          opt_int,         {&slow_lookup_log} },
+  { "smtp_accept_keepalive",    opt_bool,        {&smtp_accept_keepalive} },
+  { "smtp_accept_max",          opt_int,         {&smtp_accept_max} },
+  { "smtp_accept_max_nonmail",  opt_int,         {&smtp_accept_max_nonmail} },
+  { "smtp_accept_max_nonmail_hosts", opt_stringptr, {&smtp_accept_max_nonmail_hosts} },
+  { "smtp_accept_max_per_connection", opt_stringptr,   {&smtp_accept_max_per_connection} },
+  { "smtp_accept_max_per_host", opt_stringptr,   {&smtp_accept_max_per_host} },
+  { "smtp_accept_queue",        opt_int,         {&smtp_accept_queue} },
+  { "smtp_accept_queue_per_connection", opt_int, {&smtp_accept_queue_per_connection} },
+  { "smtp_accept_reserve",      opt_int,         {&smtp_accept_reserve} },
+  { "smtp_active_hostname",     opt_stringptr,   {&raw_active_hostname} },
+  { "smtp_backlog_monitor",     opt_int,         {&smtp_backlog_monitor} },
+  { "smtp_banner",              opt_stringptr,   {&smtp_banner} },
+  { "smtp_check_spool_space",   opt_bool,        {&smtp_check_spool_space} },
+  { "smtp_connect_backlog",     opt_int,         {&smtp_connect_backlog} },
+  { "smtp_enforce_sync",        opt_bool,        {&smtp_enforce_sync} },
+  { "smtp_etrn_command",        opt_stringptr,   {&smtp_etrn_command} },
+  { "smtp_etrn_serialize",      opt_bool,        {&smtp_etrn_serialize} },
+  { "smtp_load_reserve",        opt_fixed,       {&smtp_load_reserve} },
+  { "smtp_max_synprot_errors",  opt_int,         {&smtp_max_synprot_errors} },
+  { "smtp_max_unknown_commands",opt_int,         {&smtp_max_unknown_commands} },
+  { "smtp_ratelimit_hosts",     opt_stringptr,   {&smtp_ratelimit_hosts} },
+  { "smtp_ratelimit_mail",      opt_stringptr,   {&smtp_ratelimit_mail} },
+  { "smtp_ratelimit_rcpt",      opt_stringptr,   {&smtp_ratelimit_rcpt} },
+  { "smtp_receive_timeout",     opt_func,        {.fn = &fn_smtp_receive_timeout} },
+  { "smtp_reserve_hosts",       opt_stringptr,   {&smtp_reserve_hosts} },
+  { "smtp_return_error_details",opt_bool,        {&smtp_return_error_details} },
+#ifdef SUPPORT_I18N
+  { "smtputf8_advertise_hosts", opt_stringptr,   {&smtputf8_advertise_hosts} },
+#endif
+#ifdef WITH_CONTENT_SCAN
+  { "spamd_address",            opt_stringptr,   {&spamd_address} },
+#endif
+#ifdef SUPPORT_SPF
+  { "spf_guess",                opt_stringptr,   {&spf_guess} },
+  { "spf_smtp_comment_template",opt_stringptr,   {&spf_smtp_comment_template} },
+#endif
+  { "split_spool_directory",    opt_bool,        {&split_spool_directory} },
+  { "spool_directory",          opt_stringptr,   {&spool_directory} },
+  { "spool_wireformat",         opt_bool,        {&spool_wireformat} },
+#ifdef LOOKUP_SQLITE
+  { "sqlite_dbfile",            opt_stringptr,   {&sqlite_dbfile} },
+  { "sqlite_lock_timeout",      opt_int,         {&sqlite_lock_timeout} },
+#endif
+  { "strict_acl_vars",          opt_bool,        {&strict_acl_vars} },
+  { "strip_excess_angle_brackets", opt_bool,     {&strip_excess_angle_brackets} },
+  { "strip_trailing_dot",       opt_bool,        {&strip_trailing_dot} },
+  { "syslog_duplication",       opt_bool,        {&syslog_duplication} },
+  { "syslog_facility",          opt_stringptr,   {&syslog_facility_str} },
+  { "syslog_pid",               opt_bool,        {&syslog_pid} },
+  { "syslog_processname",       opt_stringptr,   {&syslog_processname} },
+  { "syslog_timestamp",         opt_bool,        {&syslog_timestamp} },
+  { "system_filter",            opt_stringptr,   {&system_filter} },
+  { "system_filter_directory_transport", opt_stringptr,{&system_filter_directory_transport} },
+  { "system_filter_file_transport",opt_stringptr,{&system_filter_file_transport} },
+  { "system_filter_group",      opt_gid,         {&system_filter_gid} },
+  { "system_filter_pipe_transport",opt_stringptr,{&system_filter_pipe_transport} },
+  { "system_filter_reply_transport",opt_stringptr,{&system_filter_reply_transport} },
+  { "system_filter_user",       opt_uid,         {&system_filter_uid} },
+  { "tcp_nodelay",              opt_bool,        {&tcp_nodelay} },
+#ifdef USE_TCP_WRAPPERS
+  { "tcp_wrappers_daemon_name", opt_stringptr,   {&tcp_wrappers_daemon_name} },
+#endif
+  { "timeout_frozen_after",     opt_time,        {&timeout_frozen_after} },
+  { "timezone",                 opt_stringptr,   {&timezone_string} },
+  { "tls_advertise_hosts",      opt_stringptr,   {&tls_advertise_hosts} },
+#ifndef DISABLE_TLS
+  { "tls_alpn",		        opt_stringptr,   {&tls_alpn} },
+  { "tls_certificate",          opt_stringptr,   {&tls_certificate} },
+  { "tls_crl",                  opt_stringptr,   {&tls_crl} },
+  { "tls_dh_max_bits",          opt_int,         {&tls_dh_max_bits} },
+  { "tls_dhparam",              opt_stringptr,   {&tls_dhparam} },
+  { "tls_eccurve",              opt_stringptr,   {&tls_eccurve} },
+# ifndef DISABLE_OCSP
+  { "tls_ocsp_file",            opt_stringptr,   {&tls_ocsp_file} },
+# endif
+  { "tls_on_connect_ports",     opt_stringptr,   {&tls_in.on_connect_ports} },
+  { "tls_privatekey",           opt_stringptr,   {&tls_privatekey} },
+  { "tls_remember_esmtp",       opt_bool,        {&tls_remember_esmtp} },
+  { "tls_require_ciphers",      opt_stringptr,   {&tls_require_ciphers} },
+# ifndef DISABLE_TLS_RESUME
+  { "tls_resumption_hosts",     opt_stringptr,   {&tls_resumption_hosts} },
+# endif
+  { "tls_try_verify_hosts",     opt_stringptr,   {&tls_try_verify_hosts} },
+  { "tls_verify_certificates",  opt_stringptr,   {&tls_verify_certificates} },
+  { "tls_verify_hosts",         opt_stringptr,   {&tls_verify_hosts} },
+#endif
+  { "trusted_groups",           opt_gidlist,     {&trusted_groups} },
+  { "trusted_users",            opt_uidlist,     {&trusted_users} },
+  { "unknown_login",            opt_stringptr,   {&unknown_login} },
+  { "unknown_username",         opt_stringptr,   {&unknown_username} },
+  { "untrusted_set_sender",     opt_stringptr,   {&untrusted_set_sender} },
+  { "uucp_from_pattern",        opt_stringptr,   {&uucp_from_pattern} },
+  { "uucp_from_sender",         opt_stringptr,   {&uucp_from_sender} },
+  { "warn_message_file",        opt_stringptr,   {&warn_message_file} },
+  { "write_rejectlog",          opt_bool,        {&write_rejectlog} }
+};
+
+#ifndef MACRO_PREDEF
+static int optionlist_config_size = nelem(optionlist_config);
+#endif
+
+
+#ifdef MACRO_PREDEF
+
+static void
+fn_smtp_receive_timeout(const uschar * name, const uschar * str, unsigned flags) {/*Dummy*/}
+
+void
+options_main(void)
+{
+options_from_list(optionlist_config, nelem(optionlist_config), US"MAIN", NULL);
+}
+
+void
+options_auths(void)
+{
+uschar buf[EXIM_DRIVERNAME_MAX];
+
+options_from_list(optionlist_auths, optionlist_auths_size, US"AUTHENTICATORS", NULL);
+
+for (struct auth_info * ai = auths_available; ai->driver_name[0]; ai++)
+  {
+  spf(buf, sizeof(buf), US"_DRIVER_AUTHENTICATOR_%T", ai->driver_name);
+  builtin_macro_create(buf);
+  options_from_list(ai->options, (unsigned)*ai->options_count, US"AUTHENTICATOR", ai->driver_name);
+
+  if (ai->macros_create) (ai->macros_create)();
+  }
+}
+
+void
+options_logging(void)
+{
+uschar buf[EXIM_DRIVERNAME_MAX];
+
+for (bit_table * bp = log_options; bp < log_options + log_options_count; bp++)
+  {
+  spf(buf, sizeof(buf), US"_LOG_%T", bp->name);
+  builtin_macro_create(buf);
+  }
+}
+
+
+#else	/*!MACRO_PREDEF*/
+
+extern char **environ;
+
+static void save_config_line(const uschar* line);
+static void save_config_position(const uschar *file, int line);
+static void print_config(BOOL admin, BOOL terse);
+
+
+#define CSTATE_STACK_SIZE 10
+
+const uschar *config_directory = NULL;
+
+
+/* Structure for chain (stack) of .included files */
+
+typedef struct config_file_item {
+  struct config_file_item *next;
+  const uschar *filename;
+  const uschar *directory;
+  FILE *file;
+  int lineno;
+} config_file_item;
+
+/* Structure for chain of configuration lines (-bP config) */
+
+typedef struct config_line_item {
+  struct config_line_item *next;
+  uschar *line;
+} config_line_item;
+
+static config_line_item* config_lines;
+
+/* Structure of table of conditional words and their state transitions */
+
+typedef struct cond_item {
+  uschar *name;
+  int    namelen;
+  int    action1;
+  int    action2;
+  int    pushpop;
+} cond_item;
+
+/* Structure of table of syslog facility names and values */
+
+typedef struct syslog_fac_item {
+  uschar *name;
+  int    value;
+} syslog_fac_item;
+
+/* constants */
+static const uschar * const hidden = US"<value not displayable>";
+
+/* Static variables */
+
+static config_file_item *config_file_stack = NULL;  /* For includes */
+
+static uschar *syslog_facility_str  = NULL;
+static uschar next_section[24];
+static uschar time_buffer[24];
+
+/* State variables for conditional loading (.ifdef / .else / .endif) */
+
+static int cstate = 0;
+static int cstate_stack_ptr = -1;
+static int cstate_stack[CSTATE_STACK_SIZE];
+
+/* Table of state transitions for handling conditional inclusions. There are
+four possible state transitions:
+
+  .ifdef true
+  .ifdef false
+  .elifdef true  (or .else)
+  .elifdef false
+
+.endif just causes the previous cstate to be popped off the stack */
+
+static int next_cstate[3][4] =
+  {
+  /* State 0: reading from file, or reading until next .else or .endif */
+  { 0, 1, 2, 2 },
+  /* State 1: condition failed, skipping until next .else or .endif */
+  { 2, 2, 0, 1 },
+  /* State 2: skipping until .endif */
+  { 2, 2, 2, 2 },
+  };
+
+/* Table of conditionals and the states to set. For each name, there are four
+values: the length of the name (to save computing it each time), the state to
+set if a macro was found in the line, the state to set if a macro was not found
+in the line, and a stack manipulation setting which is:
+
+  -1   pull state value off the stack
+   0   don't alter the stack
+  +1   push value onto stack, before setting new state
+*/
+
+static cond_item cond_list[] = {
+  { US"ifdef",    5, 0, 1,  1 },
+  { US"ifndef",   6, 1, 0,  1 },
+  { US"elifdef",  7, 2, 3,  0 },
+  { US"elifndef", 8, 3, 2,  0 },
+  { US"else",     4, 2, 2,  0 },
+  { US"endif",    5, 0, 0, -1 }
+};
+
+static int cond_list_size = sizeof(cond_list)/sizeof(cond_item);
+
+/* Table of syslog facility names and their values */
+
+static syslog_fac_item syslog_list[] = {
+  { US"mail",   LOG_MAIL },
+  { US"user",   LOG_USER },
+  { US"news",   LOG_NEWS },
+  { US"uucp",   LOG_UUCP },
+  { US"local0", LOG_LOCAL0 },
+  { US"local1", LOG_LOCAL1 },
+  { US"local2", LOG_LOCAL2 },
+  { US"local3", LOG_LOCAL3 },
+  { US"local4", LOG_LOCAL4 },
+  { US"local5", LOG_LOCAL5 },
+  { US"local6", LOG_LOCAL6 },
+  { US"local7", LOG_LOCAL7 },
+  { US"daemon", LOG_DAEMON }
+};
+
+static int syslog_list_size = sizeof(syslog_list)/sizeof(syslog_fac_item);
+
+
+#define opt_fn_print		BIT(0)
+#define opt_fn_print_label	BIT(1)
+
+
+/*************************************************
+*         Find the name of an option             *
+*************************************************/
+
+/* This function is to aid debugging. Various functions take arguments that are
+pointer variables in the options table or in option tables for various drivers.
+For debugging output, it is useful to be able to find the name of the option
+which is currently being processed. This function finds it, if it exists, by
+searching the table(s).
+
+Arguments:   a value that is presumed to be in the table above
+Returns:     the option name, or an empty string
+*/
+
+uschar *
+readconf_find_option(void *p)
+{
+for (int i = 0; i < nelem(optionlist_config); i++)
+  if (p == optionlist_config[i].v.value) return US optionlist_config[i].name;
+
+for (router_instance * r = routers; r; r = r->next)
+  {
+  router_info *ri = r->info;
+  for (int i = 0; i < *ri->options_count; i++)
+    {
+    if ((ri->options[i].type & opt_mask) != opt_stringptr) continue;
+    if (p == CS (r->options_block) + ri->options[i].v.offset)
+      return US ri->options[i].name;
+    }
+  }
+
+for (transport_instance * t = transports; t; t = t->next)
+  {
+  transport_info *ti = t->info;
+  for (int i = 0; i < *ti->options_count; i++)
+    {
+    optionlist * op = &ti->options[i];
+    if ((op->type & opt_mask) != opt_stringptr) continue;
+    if (p == (  op->type & opt_public
+	     ? CS t
+	     : CS t->options_block
+	     )
+	     + op->v.offset)
+	return US op->name;
+    }
+  }
+
+return US"";
+}
+
+
+
+
+/*************************************************
+*       Deal with an assignment to a macro       *
+*************************************************/
+
+/* We have a new definition; append to the list.
+
+Args:
+ name	Name of the macro; will be copied
+ val	Expansion result for the macro; will be copied
+*/
+
+macro_item *
+macro_create(const uschar * name, const uschar * val, BOOL command_line)
+{
+macro_item * m = store_get(sizeof(macro_item), GET_UNTAINTED);
+
+READCONF_DEBUG fprintf(stderr, "%s: '%s' '%s'\n", __FUNCTION__, name, val);
+m->next = NULL;
+m->command_line = command_line;
+m->namelen = Ustrlen(name);
+m->replen = Ustrlen(val);
+m->name = string_copy(name);
+m->replacement = string_copy(val);
+if (mlast)
+  mlast->next = m;
+else
+  macros = m;
+mlast = m;
+if (!macros_user)
+  macros_user = m;
+return m;
+}
+
+
+/* This function is called when a line that starts with an upper case letter is
+encountered. The argument "line" should contain a complete logical line, and
+start with the first letter of the macro name. The macro name and the
+replacement text are extracted and stored. Redefinition of existing,
+non-command line, macros is permitted using '==' instead of '='.
+
+Arguments:
+  s            points to the start of the logical line
+
+Returns:       FALSE iff fatal error
+*/
+
+BOOL
+macro_read_assignment(uschar *s)
+{
+uschar name[EXIM_DRIVERNAME_MAX];
+int namelen = 0;
+BOOL redef = FALSE;
+macro_item *m;
+
+while (isalnum(*s) || *s == '_')
+  {
+  if (namelen >= sizeof(name) - 1)
+    {
+    log_write(0, LOG_PANIC|LOG_CONFIG_IN,
+      "macro name too long (maximum is " SIZE_T_FMT " characters)", sizeof(name) - 1);
+    return FALSE;
+    }
+  name[namelen++] = *s++;
+  }
+name[namelen] = 0;
+
+Uskip_whitespace(&s);
+if (*s++ != '=')
+  {
+  log_write(0, LOG_PANIC|LOG_CONFIG_IN, "malformed macro definition");
+  return FALSE;
+  }
+
+if (*s == '=')
+  {
+  redef = TRUE;
+  s++;
+  }
+Uskip_whitespace(&s);
+
+/* If an existing macro of the same name was defined on the command line, we
+just skip this definition. It's an error to attempt to redefine a macro without
+redef set to TRUE, or to redefine a macro when it hasn't been defined earlier.
+It is also an error to define a macro whose name begins with the name of a
+previously defined macro.  This is the requirement that make using a tree
+for macros hard; we must check all macros for the substring.  Perhaps a
+sorted list, and a bsearch, would work?
+Note: it is documented that the other way round works. */
+
+for (m = macros; m; m = m->next)
+  {
+  if (Ustrcmp(m->name, name) == 0)
+    {
+    if (!m->command_line && !redef)
+      {
+      log_write(0, LOG_CONFIG|LOG_PANIC, "macro \"%s\" is already "
+       "defined (use \"==\" if you want to redefine it)", name);
+      return FALSE;
+      }
+    break;
+    }
+
+  if (m->namelen < namelen && Ustrstr(name, m->name) != NULL)
+    {
+    log_write(0, LOG_CONFIG|LOG_PANIC, "\"%s\" cannot be defined as "
+      "a macro because previously defined macro \"%s\" is a substring",
+      name, m->name);
+    return FALSE;
+    }
+
+  /* We cannot have this test, because it is documented that a substring
+  macro is permitted (there is even an example).
+  *
+  * if (m->namelen > namelen && Ustrstr(m->name, name) != NULL)
+  *   log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "\"%s\" cannot be defined as "
+  *     "a macro because it is a substring of previously defined macro \"%s\"",
+  *     name, m->name);
+  */
+  }
+
+/* Check for an overriding command-line definition. */
+
+if (m && m->command_line) return TRUE;
+
+/* Redefinition must refer to an existing macro. */
+
+if (redef)
+  if (m)
+    {
+    m->replen = Ustrlen(s);
+    m->replacement = string_copy(s);
+    }
+  else
+    {
+    log_write(0, LOG_CONFIG|LOG_PANIC, "can't redefine an undefined macro "
+      "\"%s\"", name);
+    return FALSE;
+    }
+
+/* We have a new definition. */
+else
+  (void) macro_create(name, s, FALSE);
+return TRUE;
+}
+
+
+
+
+
+/* Process line for macros. The line is in big_buffer starting at offset len.
+Expand big_buffer if needed.  Handle definitions of new macros, and
+macro expansions, rewriting the line in the buffer.
+
+Arguments:
+ len		Offset in buffer of start of line
+ newlen		Pointer to offset of end of line, updated on return
+ macro_found	Pointer to return that a macro was expanded
+
+Return: pointer to first nonblank char in line
+*/
+
+uschar *
+macros_expand(int len, int * newlen, BOOL * macro_found)
+{
+uschar * ss = big_buffer + len;
+uschar * s;
+
+/* Find the true start of the physical line - leading spaces are always
+ignored. */
+
+Uskip_whitespace(&ss);
+
+/* Process the physical line for macros. If this is the start of the logical
+line, skip over initial text at the start of the line if it starts with an
+upper case character followed by a sequence of name characters and an equals
+sign, because that is the definition of a new macro, and we don't do
+replacement therein. */
+
+s = ss;
+if (len == 0 && isupper(*s))
+  {
+  while (isalnum(*s) || *s == '_') s++;
+  if (Uskip_whitespace(&s) != '=') s = ss;          /* Not a macro definition */
+  }
+
+/* Skip leading chars which cannot start a macro name, to avoid multiple
+pointless rescans in Ustrstr calls. */
+
+while (*s && !isupper(*s) && !(*s == '_' && isupper(s[1]))) s++;
+
+/* For each defined macro, scan the line (from after XXX= if present),
+replacing all occurrences of the macro. */
+
+*macro_found = FALSE;
+if (*s) for (macro_item * m = *s == '_' ? macros : macros_user; m; m = m->next)
+  {
+  uschar * p, *pp;
+  uschar * t;
+
+  while (*s && !isupper(*s) && !(*s == '_' && isupper(s[1]))) s++;
+  if (!*s) break;
+
+  t = s;
+  while ((p = Ustrstr(t, m->name)) != NULL)
+    {
+    int moveby;
+
+    READCONF_DEBUG fprintf(stderr, "%s: matched '%s' in '%.*s'\n", __FUNCTION__,
+      m->name, (int) Ustrlen(ss)-1, ss);
+    /* Expand the buffer if necessary */
+
+    while (*newlen - m->namelen + m->replen + 1 > big_buffer_size)
+      {
+      int newsize = big_buffer_size + BIG_BUFFER_SIZE;
+      uschar *newbuffer = store_malloc(newsize);
+      memcpy(newbuffer, big_buffer, *newlen + 1);
+      p = newbuffer  + (p - big_buffer);
+      s = newbuffer  + (s - big_buffer);
+      ss = newbuffer + (ss - big_buffer);
+      t = newbuffer  + (t - big_buffer);
+      big_buffer_size = newsize;
+      store_free(big_buffer);
+      big_buffer = newbuffer;
+      }
+
+    /* Shuffle the remaining characters up or down in the buffer before
+    copying in the replacement text. Don't rescan the replacement for this
+    same macro. */
+
+    pp = p + m->namelen;
+    if ((moveby = m->replen - m->namelen) != 0)
+      {
+      memmove(p + m->replen, pp, (big_buffer + *newlen) - pp + 1);
+      *newlen += moveby;
+      }
+    Ustrncpy(p, m->replacement, m->replen);
+    t = p + m->replen;
+    while (*t && !isupper(*t) && !(*t == '_' && isupper(t[1]))) t++;
+    *macro_found = TRUE;
+    }
+  }
+
+/* An empty macro replacement at the start of a line could mean that ss no
+longer points to the first non-blank character. */
+
+Uskip_whitespace(&ss);
+return ss;
+}
+
+/*************************************************
+*            Read configuration line             *
+*************************************************/
+
+/* A logical line of text is read from the configuration file into the big
+buffer, taking account of macros, .includes, and continuations. The size of
+big_buffer is increased if necessary. The count of configuration lines is
+maintained. Physical input lines starting with # (ignoring leading white space,
+and after macro replacement) and empty logical lines are always ignored.
+Leading and trailing spaces are removed.
+
+If we hit a line of the form "begin xxxx", the xxxx is placed in the
+next_section vector, and the function returns NULL, indicating the end of a
+configuration section. On end-of-file, NULL is returned with next_section
+empty.
+
+Arguments:      none
+
+Returns:        a pointer to the first non-blank in the line,
+                or NULL if eof or end of section is reached
+*/
+
+static uschar *
+get_config_line(void)
+{
+int startoffset = 0;         /* To first non-blank char in logical line */
+int len = 0;                 /* Of logical line so far */
+int newlen;
+uschar *s, *ss;
+BOOL macro_found;
+
+/* Loop for handling continuation lines, skipping comments, and dealing with
+.include files. */
+
+for (;;)
+  {
+  if (Ufgets(big_buffer+len, big_buffer_size-len, config_file) == NULL)
+    {
+    if (config_file_stack != NULL)    /* EOF inside .include */
+      {
+      (void)fclose(config_file);
+      config_file = config_file_stack->file;
+      config_filename = config_file_stack->filename;
+      config_directory = config_file_stack->directory;
+      config_lineno = config_file_stack->lineno;
+      config_file_stack = config_file_stack->next;
+      if (config_lines)
+        save_config_position(config_filename, config_lineno);
+      continue;
+      }
+
+    /* EOF at top level */
+
+    if (cstate_stack_ptr >= 0)
+      log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+        "Unexpected end of configuration file: .endif missing");
+
+    if (len != 0) break;        /* EOF after continuation */
+    next_section[0] = 0;        /* EOF at start of logical line */
+    return NULL;
+    }
+
+  config_lineno++;
+  newlen = len + Ustrlen(big_buffer + len);
+
+  if (config_lines && config_lineno == 1)
+    save_config_position(config_filename, config_lineno);
+
+  /* Handle pathologically long physical lines - yes, it did happen - by
+  extending big_buffer at this point. The code also copes with very long
+  logical lines. */
+
+  while (newlen == big_buffer_size - 1 && big_buffer[newlen - 1] != '\n')
+    {
+    uschar *newbuffer;
+    big_buffer_size += BIG_BUFFER_SIZE;
+    newbuffer = store_malloc(big_buffer_size);
+
+    /* This use of strcpy is OK because we know that the string in the old
+    buffer is shorter than the new buffer. */
+
+    Ustrcpy(newbuffer, big_buffer);
+    store_free(big_buffer);
+    big_buffer = newbuffer;
+    if (Ufgets(big_buffer+newlen, big_buffer_size-newlen, config_file) == NULL)
+      break;
+    newlen += Ustrlen(big_buffer + newlen);
+    }
+
+  ss = macros_expand(len, &newlen, &macro_found);
+
+  /* Check for comment lines - these are physical lines. */
+
+  if (*ss == '#') continue;
+
+  /* Handle conditionals, which are also applied to physical lines. Conditions
+  are of the form ".ifdef ANYTEXT" and are treated as true if any macro
+  expansion occurred on the rest of the line. A preliminary test for the leading
+  '.' saves effort on most lines. */
+
+  if (*ss == '.')
+    {
+    int i;
+
+    /* Search the list of conditional directives */
+
+    for (i = 0; i < cond_list_size; i++)
+      {
+      int n;
+      cond_item *c = cond_list+i;
+      if (Ustrncmp(ss+1, c->name, c->namelen) != 0) continue;
+
+      /* The following character must be white space or end of string */
+
+      n = ss[1 + c->namelen];
+      if (n != ' ' && n != 't' && n != '\n' && n != 0) break;
+
+      /* .ifdef and .ifndef push the current state onto the stack, then set
+      a new one from the table. Stack overflow is an error */
+
+      if (c->pushpop > 0)
+        {
+        if (cstate_stack_ptr >= CSTATE_STACK_SIZE - 1)
+          log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+            ".%s nested too deeply", c->name);
+        cstate_stack[++cstate_stack_ptr] = cstate;
+        cstate = next_cstate[cstate][macro_found? c->action1 : c->action2];
+        }
+
+      /* For any of the others, stack underflow is an error. The next state
+      comes either from the stack (.endif) or from the table. */
+
+      else
+        {
+        if (cstate_stack_ptr < 0)
+          log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+            ".%s without matching .ifdef", c->name);
+        cstate = (c->pushpop < 0)? cstate_stack[cstate_stack_ptr--] :
+          next_cstate[cstate][macro_found? c->action1 : c->action2];
+        }
+
+      /* Having dealt with a directive, break the loop */
+
+      break;
+      }
+
+    /* If we have handled a conditional directive, continue with the next
+    physical line. Otherwise, fall through. */
+
+    if (i < cond_list_size) continue;
+    }
+
+  /* If the conditional state is not 0 (actively using these lines), ignore
+  this input line. */
+
+  if (cstate != 0) continue;  /* Conditional skip */
+
+  /* Handle .include lines - these are also physical lines. */
+
+  if (Ustrncmp(ss, ".include", 8) == 0 &&
+       (isspace(ss[8]) ||
+         (Ustrncmp(ss+8, "_if_exists", 10) == 0 && isspace(ss[18]))))
+    {
+    uschar *t;
+    int include_if_exists = isspace(ss[8])? 0 : 10;
+    config_file_item *save;
+    struct stat statbuf;
+
+    ss += 9 + include_if_exists;
+    Uskip_whitespace(&ss);
+    t = ss + Ustrlen(ss);
+    while (t > ss && isspace(t[-1])) t--;
+    if (*ss == '\"' && t[-1] == '\"')
+      {
+      ss++;
+      t--;
+      }
+    *t = 0;
+
+    /* We allow relative file names. For security reasons currently
+    relative names not allowed with .include_if_exists. For .include_if_exists
+    we need to check the permissions/ownership of the containing folder */
+    if (*ss != '/')
+      if (include_if_exists) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, ".include specifies a non-"
+          "absolute path \"%s\"", ss);
+      else
+        {
+	gstring * g = string_append(NULL, 3, config_directory, "/", ss);
+	ss = string_from_gstring(g);
+        }
+
+    if (include_if_exists != 0 && (Ustat(ss, &statbuf) != 0)) continue;
+
+    if (config_lines)
+      save_config_position(config_filename, config_lineno);
+    save = store_get(sizeof(config_file_item), GET_UNTAINTED);
+    save->next = config_file_stack;
+    config_file_stack = save;
+    save->file = config_file;
+    save->filename = config_filename;
+    save->directory = config_directory;
+    save->lineno = config_lineno;
+
+    if (!(config_file = Ufopen(ss, "rb")))
+      log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "failed to open included "
+        "configuration file %s", ss);
+
+    config_filename = string_copy(ss);
+    config_directory = string_copyn(ss, CUstrrchr(ss, '/') - ss);
+    config_lineno = 0;
+    continue;
+    }
+
+  /* If this is the start of the logical line, remember where the non-blank
+  data starts. Otherwise shuffle down continuation lines to remove leading
+  white space. */
+
+  if (len == 0)
+    startoffset = ss - big_buffer;
+  else
+    {
+    s = big_buffer + len;
+    if (ss > s)
+      {
+      memmove(s, ss, (newlen - len) -  (ss - s) + 1);
+      newlen -= ss - s;
+      }
+    }
+
+  /* Accept the new addition to the line. Remove trailing white space. */
+
+  len = newlen;
+  while (len > 0 && isspace(big_buffer[len-1])) len--;
+  big_buffer[len] = 0;
+
+  /* We are done if the line does not end in backslash and contains some data.
+  Empty logical lines are ignored. For continuations, remove the backslash and
+  go round the loop to read the continuation line. */
+
+  if (len > 0)
+    {
+    if (big_buffer[len-1] != '\\') break;   /* End of logical line */
+    big_buffer[--len] = 0;                  /* Remove backslash */
+    }
+  }     /* Loop for reading multiple physical lines */
+
+/* We now have a logical line. Test for the end of a configuration section (or,
+more accurately, for the start of the next section). Place the name of the next
+section in next_section, and return NULL. If the name given is longer than
+next_section, truncate it. It will be unrecognized later, because all the known
+section names do fit. Leave space for pluralizing. */
+
+s = big_buffer + startoffset;            /* First non-space character */
+
+if (config_lines)
+  save_config_line(s);
+
+if (strncmpic(s, US"begin ", 6) == 0)
+  {
+  s += 6;
+  Uskip_whitespace(&s);
+  if (big_buffer + len - s > sizeof(next_section) - 2)
+    s[sizeof(next_section) - 2] = 0;
+  Ustrcpy(next_section, s);
+  return NULL;
+  }
+
+/* Return the first non-blank character. */
+
+return s;
+}
+
+
+
+/*************************************************
+*             Read a name                        *
+*************************************************/
+
+/* The yield is the pointer to the next uschar. Names longer than the
+output space are silently truncated. This function is also used from acl.c when
+parsing ACLs.
+
+Arguments:
+  name      where to put the name
+  len       length of name
+  s         input pointer
+
+Returns:    new input pointer
+*/
+
+uschar *
+readconf_readname(uschar *name, int len, uschar *s)
+{
+int p = 0;
+BOOL broken = FALSE;
+
+if (isalpha(Uskip_whitespace(&s)))
+  while (isalnum(*s) || *s == '_')
+    {
+    if (p < len-1) name[p++] = *s;
+    else {
+      broken = TRUE;
+      break;
+    }
+    s++;
+    }
+
+name[p] = 0;
+if (broken) {
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+            "exim item name too long (>%d), unable to use \"%s\" (truncated)",
+            len, name);
+}
+Uskip_whitespace(&s);
+return s;
+}
+
+
+
+
+/*************************************************
+*          Read a time value                     *
+*************************************************/
+
+/* This function is also called from outside, to read argument
+time values. The format of a time value is:
+
+  [<n>w][<n>d][<n>h][<n>m][<n>s]
+
+as long as at least one is present. If a format error is encountered,
+return a negative value. The value must be terminated by the given
+terminator.
+
+Arguments:
+  s             input pointer
+  terminator    required terminating character
+  return_msec   if TRUE, allow fractional seconds and return milliseconds
+
+Returns:        the time value, or -1 on syntax error
+                value is seconds if return_msec is FALSE
+                value is milliseconds if return_msec is TRUE
+*/
+
+int
+readconf_readtime(const uschar *s, int terminator, BOOL return_msec)
+{
+int yield = 0;
+for (;;)
+  {
+  int value, count;
+  double fraction;
+
+  if (!isdigit(*s)) return -1;
+  (void)sscanf(CCS s, "%d%n", &value, &count);
+  s += count;
+
+  switch (*s)
+    {
+    case 'w': value *= 7;
+    case 'd': value *= 24;
+    case 'h': value *= 60;
+    case 'm': value *= 60;
+    case 's': s++;
+    break;
+
+    case '.':
+    if (!return_msec) return -1;
+    (void)sscanf(CCS s, "%lf%n", &fraction, &count);
+    s += count;
+    if (*s++ != 's') return -1;
+    yield += (int)(fraction * 1000.0);
+    break;
+
+    default: return -1;
+    }
+
+  if (return_msec) value *= 1000;
+  yield += value;
+  if (*s == terminator) return yield;
+  }
+/* Control never reaches here. */
+}
+
+
+
+/*************************************************
+*          Read a fixed point value              *
+*************************************************/
+
+/* The value is returned *1000
+
+Arguments:
+  s           input pointer
+  terminator  required terminator
+
+Returns:      the value, or -1 on error
+*/
+
+static int
+readconf_readfixed(const uschar *s, int terminator)
+{
+int yield = 0;
+int value, count;
+if (!isdigit(*s)) return -1;
+(void)sscanf(CS  s, "%d%n", &value, &count);
+s += count;
+yield = value * 1000;
+if (*s == '.')
+  {
+  int m = 100;
+  while (isdigit((*(++s))))
+    {
+    yield += (*s - '0') * m;
+    m /= 10;
+    }
+  }
+
+return (*s == terminator)? yield : (-1);
+}
+
+
+
+/*************************************************
+*            Find option in list                 *
+*************************************************/
+
+/* The lists are always in order, so binary chop can be used.
+
+Arguments:
+  name      the option name to search for
+  ol        the first entry in the option list
+  last      one more than the offset of the last entry in the option list
+
+Returns:    pointer to an option entry, or NULL if not found
+*/
+
+static optionlist *
+find_option(const uschar *name, optionlist *ol, int last)
+{
+int first = 0;
+while (last > first)
+  {
+  int middle = (first + last)/2;
+  int c = Ustrcmp(name, ol[middle].name);
+
+  if (c == 0) return ol + middle;
+  else if (c > 0) first = middle + 1;
+  else last = middle;
+  }
+return NULL;
+}
+
+
+
+/*************************************************
+*      Find a set flag in option list            *
+*************************************************/
+
+/* Because some versions of Unix make no restrictions on the values of uids and
+gids (even negative ones), we cannot represent "unset" by a special value.
+There is therefore a separate boolean variable for each one indicating whether
+a value is set or not. This function returns a pointer to the boolean, given
+the original option name. It is a major disaster if the flag cannot be found.
+
+Arguments:
+  name          the name of the uid or gid option
+  oltop         points to the start of the relevant option list
+  last          one more than the offset of the last item in the option list
+  data_block    NULL when reading main options => data values in the option
+                  list are absolute addresses; otherwise they are byte offsets
+                  in data_block (used for driver options)
+
+Returns:        a pointer to the boolean flag.
+*/
+
+static BOOL *
+get_set_flag(const uschar *name, optionlist *oltop, int last, void *data_block)
+{
+optionlist *ol;
+uschar name2[EXIM_DRIVERNAME_MAX];
+sprintf(CS name2, "*set_%.50s", name);
+if (!(ol = find_option(name2, oltop, last)))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "Exim internal error: missing set flag for %s", name);
+return data_block
+  ? (BOOL *)(US data_block + ol->v.offset) : (BOOL *)ol->v.value;
+}
+
+
+
+
+/*************************************************
+*    Output extra characters message and die     *
+*************************************************/
+
+/* Called when an option line has junk on the end. Sometimes this is because
+the sysadmin thinks comments are permitted.
+
+Arguments:
+  s          points to the extra characters
+  t1..t3     strings to insert in the log message
+
+Returns:     doesn't return; dies
+*/
+
+static void
+extra_chars_error(const uschar *s, const uschar *t1, const uschar *t2, const uschar *t3)
+{
+uschar *comment = US"";
+if (*s == '#') comment = US" (# is comment only at line start)";
+log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+  "extra characters follow %s%s%s%s", t1, t2, t3, comment);
+}
+
+
+
+/*************************************************
+*              Read rewrite information          *
+*************************************************/
+
+/* Each line of rewrite information contains:
+
+.  A complete address in the form user@domain, possibly with
+   leading * for each part; or alternatively, a regex.
+
+.  A replacement string (which will be expanded).
+
+.  An optional sequence of one-letter flags, indicating which
+   headers etc. to apply this rule to.
+
+All this is decoded and placed into a control block. The OR of the flags is
+maintained in a common word.
+
+Arguments:
+  p           points to the string that makes up the rule
+  existflags  points to the overall flag word
+  isglobal    TRUE if reading global rewrite rules
+
+Returns:      the control block for the parsed rule.
+*/
+
+static rewrite_rule *
+readconf_one_rewrite(const uschar *p, int *existflags, BOOL isglobal)
+{
+rewrite_rule * next = store_get(sizeof(rewrite_rule), GET_UNTAINTED);
+
+next->next = NULL;
+next->key = string_dequote(&p);
+
+Uskip_whitespace(&p);
+if (!*p)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+    "missing rewrite replacement string");
+
+next->flags = 0;
+next->replacement = string_dequote(&p);
+
+while (*p) switch (*p++)
+  {
+  case ' ': case '\t': break;
+
+  case 'q': next->flags |= rewrite_quit; break;
+  case 'w': next->flags |= rewrite_whole; break;
+
+  case 'h': next->flags |= rewrite_all_headers; break;
+  case 's': next->flags |= rewrite_sender; break;
+  case 'f': next->flags |= rewrite_from; break;
+  case 't': next->flags |= rewrite_to;   break;
+  case 'c': next->flags |= rewrite_cc;   break;
+  case 'b': next->flags |= rewrite_bcc;  break;
+  case 'r': next->flags |= rewrite_replyto; break;
+
+  case 'E': next->flags |= rewrite_all_envelope; break;
+  case 'F': next->flags |= rewrite_envfrom; break;
+  case 'T': next->flags |= rewrite_envto; break;
+
+  case 'Q': next->flags |= rewrite_qualify; break;
+  case 'R': next->flags |= rewrite_repeat; break;
+
+  case 'S':
+  next->flags |= rewrite_smtp;
+  if (next->key[0] != '^' && Ustrncmp(next->key, "\\N^", 3) != 0)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+      "rewrite rule has the S flag but is not a regular expression");
+  break;
+
+  default:
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+    "unknown rewrite flag character '%c' "
+    "(could be missing quotes round replacement item)", p[-1]);
+  break;
+  }
+
+/* If no action flags are set, set all the "normal" rewrites. */
+
+if ((next->flags & (rewrite_all | rewrite_smtp)) == 0)
+  next->flags |= isglobal? rewrite_all : rewrite_all_headers;
+
+/* Remember which exist, for optimization, and return the rule */
+
+*existflags |= next->flags;
+return next;
+}
+
+
+
+
+/*************************************************
+*          Read global rewrite information       *
+*************************************************/
+
+/* Each line is a single rewrite rule; it is parsed into a control block
+by readconf_one_rewrite(), and its flags are ORed into the global flag
+word rewrite_existflags. */
+
+void
+readconf_rewrites(void)
+{
+rewrite_rule **chain = &global_rewrite_rules;
+uschar *p;
+
+while ((p = get_config_line()) != NULL)
+  {
+  rewrite_rule *next = readconf_one_rewrite(p, &rewrite_existflags, TRUE);
+  *chain = next;
+  chain = &(next->next);
+  }
+}
+
+
+
+/*************************************************
+*               Read a string                    *
+*************************************************/
+
+/* Strings are read into the normal store pool. As long we aren't too
+near the end of the current block, the string will just use what is necessary
+on the top of the stacking pool, because string_cat() uses the extension
+mechanism.
+
+Argument:
+  s         the rest of the input line
+  name      the option name (for errors)
+
+Returns:    pointer to the string
+*/
+
+static uschar *
+read_string(const uschar *s, const uschar *name)
+{
+uschar *yield;
+const uschar *ss;
+
+if (*s != '\"') return string_copy(s);
+
+ss = s;
+yield = string_dequote(&s);
+
+if (s == ss+1 || s[-1] != '\"')
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+    "missing quote at end of string value for %s", name);
+
+if (*s != 0) extra_chars_error(s, US"string value for ", name, US"");
+
+return yield;
+}
+
+
+/*************************************************
+*            Custom-handler options              *
+*************************************************/
+static void
+fn_smtp_receive_timeout(const uschar * name, const uschar * str, unsigned flags)
+{
+if (flags & opt_fn_print)
+  {
+  if (flags & opt_fn_print_label) printf("%s = ", name);
+  printf("%s\n", smtp_receive_timeout_s
+    ? string_printing2(smtp_receive_timeout_s, SP_TAB)
+    : readconf_printtime(smtp_receive_timeout));
+  }
+else if (*str == '$')
+  smtp_receive_timeout_s = string_copy(str);
+else
+  {
+  /* "smtp_receive_timeout",     opt_time,        &smtp_receive_timeout */
+  smtp_receive_timeout = readconf_readtime(str, 0, FALSE);
+  if (smtp_receive_timeout < 0)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "invalid time value for %s",
+      name);
+  }
+}
+
+/*************************************************
+*            Handle option line                  *
+*************************************************/
+
+/* This function is called from several places to process a line containing the
+setting of an option. The first argument is the line to be decoded; it has been
+checked not to be empty and not to start with '#'. Trailing newlines and white
+space have been removed. The second argument is a pointer to the list of
+variable names that are to be recognized, together with their types and
+locations, and the third argument gives the number of entries in the list.
+
+The fourth argument is a pointer to a data block. If it is NULL, then the data
+values in the options list are absolute addresses. Otherwise, they are byte
+offsets in the data block.
+
+String option data may continue onto several lines; this function reads further
+data from config_file if necessary.
+
+The yield of this function is normally zero. If a string continues onto
+multiple lines, then the data value is permitted to be followed by a comma
+or a semicolon (for use in drivers) and the yield is that character.
+
+Arguments:
+  buffer        contains the configuration line to be handled
+  oltop         points to the start of the relevant option list
+  last          one more than the offset of the last item in the option list
+  data_block    NULL when reading main options => data values in the option
+                  list are absolute addresses; otherwise they are byte offsets
+                  in data_block when they have opt_public set; otherwise
+                  they are byte offsets in data_block->options_block.
+  unknown_txt   format string to use in panic message for unknown option;
+                  must contain %s for option name
+                if given as NULL, don't panic on unknown option
+
+Returns:        TRUE if an option was read successfully,
+                FALSE false for an unknown option if unknown_txt == NULL,
+                  otherwise panic and die on an unknown option
+*/
+
+static BOOL
+readconf_handle_option(uschar *buffer, optionlist *oltop, int last,
+  void *data_block, uschar *unknown_txt)
+{
+int ptr = 0;
+int offset = 0;
+int count, type, value;
+int issecure = 0;
+uid_t uid;
+gid_t gid;
+BOOL boolvalue = TRUE;
+BOOL freesptr = TRUE;
+optionlist *ol, *ol2;
+struct passwd *pw;
+rmark reset_point;
+int intbase = 0;
+uschar *inttype = US"";
+uschar *sptr;
+uschar *s = buffer;
+uschar **str_target;
+uschar name[EXIM_DRIVERNAME_MAX];
+uschar name2[EXIM_DRIVERNAME_MAX];
+
+/* There may be leading spaces; thereafter, we expect an option name starting
+with a letter. */
+
+while (isspace(*s)) s++;
+if (!isalpha(*s))
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "option setting expected: %s", s);
+
+/* Read the name of the option, and skip any subsequent white space. If
+it turns out that what we read was "hide", set the flag indicating that
+this is a secure option, and loop to read the next word. */
+
+for (int n = 0; n < 2; n++)
+  {
+  while (isalnum(*s) || *s == '_')
+    {
+    if (ptr < sizeof(name)-1) name[ptr++] = *s;
+    s++;
+    }
+  name[ptr] = 0;
+  while (isspace(*s)) s++;
+  if (Ustrcmp(name, "hide") != 0) break;
+  issecure = opt_secure;
+  ptr = 0;
+  }
+
+/* Deal with "no_" or "not_" here for booleans */
+
+if (Ustrncmp(name, "no_", 3) == 0)
+  {
+  boolvalue = FALSE;
+  offset = 3;
+  }
+
+if (Ustrncmp(name, "not_", 4) == 0)
+  {
+  boolvalue = FALSE;
+  offset = 4;
+  }
+
+/* Search the list for the given name. A non-existent name, or an option that
+is set twice, is a disaster. */
+
+if (!(ol = find_option(name + offset, oltop, last)))
+  {
+  if (!unknown_txt) return FALSE;
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, CS unknown_txt, name);
+  }
+
+if ((ol->type & opt_set)  && !(ol->type & (opt_rep_con | opt_rep_str)))
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+    "\"%s\" option set for the second time", name);
+
+ol->type |= opt_set | issecure;
+type = ol->type & opt_mask;
+
+/* Types with data values must be followed by '='; the "no[t]_" prefix
+applies only to boolean values. */
+
+if (type < opt_bool || type > opt_bool_last)
+  {
+  if (offset != 0)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+      "negation prefix applied to a non-boolean option");
+  if (!*s)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+      "unexpected end of line (data missing) after %s", name);
+  if (*s != '=')
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "missing \"=\" after %s", name);
+  }
+
+/* If a boolean wasn't preceded by "no[t]_" it can be followed by = and
+true/false/yes/no, or, in the case of opt_expand_bool, a general string that
+ultimately expands to one of those values. */
+
+else if (*s && (offset != 0 || *s != '='))
+  extra_chars_error(s, US"boolean option ", name, US"");
+
+/* Skip white space after = */
+
+if (*s == '=') while (isspace((*(++s))));
+
+/* If there is a data block and the opt_public flag is not set, change
+the data block pointer to the private options block. */
+
+if (data_block && !(ol->type & opt_public))
+  data_block = (void *)(((driver_instance *)data_block)->options_block);
+
+/* Now get the data according to the type. */
+
+switch (type)
+  {
+  /* If a string value is not enclosed in quotes, it consists of
+  the rest of the current line, verbatim. Otherwise, string escapes
+  are processed.
+
+  A transport is specified as a string, which is then looked up in the
+  list of transports. A search type is specified as one of a number of
+  known strings.
+
+  A set or rewrite rules for a driver is specified as a string, which is
+  then parsed into a suitable chain of control blocks.
+
+  Uids and gids are specified as strings which are then looked up in the
+  passwd file. Lists of uids and gids are similarly specified as colon-
+  separated strings. */
+
+  case opt_stringptr:
+  case opt_uid:
+  case opt_gid:
+  case opt_expand_uid:
+  case opt_expand_gid:
+  case opt_uidlist:
+  case opt_gidlist:
+  case opt_rewrite:
+
+  reset_point = store_mark();
+  sptr = read_string(s, name);
+
+  /* Having read a string, we now have several different ways of using it,
+  depending on the data type, so do another switch. If keeping the actual
+  string is not required (because it is interpreted), freesptr is set TRUE,
+  and at the end we reset the pool. */
+
+  switch (type)
+    {
+    /* If this was a string, set the variable to point to the new string,
+    and set the flag so its store isn't reclaimed. If it was a list of rewrite
+    rules, we still keep the string (for printing), and parse the rules into a
+    control block and flags word. */
+
+    case opt_stringptr:
+    str_target = data_block ? USS (US data_block + ol->v.offset)
+			    : USS ol->v.value;
+    if (ol->type & opt_rep_con)
+      {
+      uschar * saved_condition;
+      /* We already have a condition, we're conducting a crude hack to let
+      multiple condition rules be chained together, despite storing them in
+      text form. */
+      *str_target = string_copy_perm( (saved_condition = *str_target)
+	? string_sprintf("${if and{{bool_lax{%s}}{bool_lax{%s}}}}",
+	    saved_condition, sptr)
+	: sptr,
+	FALSE);
+      /* TODO(pdp): there is a memory leak here and just below
+      when we set 3 or more conditions; I still don't
+      understand the store mechanism enough to know
+      what's the safe way to free content from an earlier store.
+      AFAICT, stores stack, so freeing an early stored item also stores
+      all data alloc'd after it.  If we knew conditions were adjacent,
+      we could survive that, but we don't.  So I *think* we need to take
+      another bit from opt_type to indicate "malloced"; this seems like
+      quite a hack, especially for this one case.  It also means that
+      we can't ever reclaim the store from the *first* condition.
+
+      Because we only do this once, near process start-up, I'm prepared to
+      let this slide for the time being, even though it rankles.  */
+      }
+    else if (ol->type & opt_rep_str)
+      {
+      uschar sep_o =
+	Ustrncmp(name, "headers_add", 11) == 0	? '\n'
+	: Ustrncmp(name, "set", 3) == 0		? ';'
+	: ':';
+      int    sep_i = -(int)sep_o;
+      const uschar * list = sptr;
+      uschar * s;
+      gstring * list_o = NULL;
+
+      if (*str_target)
+	{
+	list_o = string_get(Ustrlen(*str_target) + Ustrlen(sptr));
+	list_o = string_cat(list_o, *str_target);
+	}
+
+      while ((s = string_nextinlist(&list, &sep_i, NULL, 0)))
+	list_o = string_append_listele(list_o, sep_o, s);
+
+      if (list_o)
+	*str_target = string_copy_perm(string_from_gstring(list_o), FALSE);
+      }
+    else
+      {
+      *str_target = sptr;
+      freesptr = FALSE;
+      }
+    break;
+
+    case opt_rewrite:
+    if (data_block)
+      *USS (US data_block + ol->v.offset) = sptr;
+    else
+      *USS ol->v.value = sptr;
+    freesptr = FALSE;
+    if (type == opt_rewrite)
+      {
+      int sep = 0;
+      int *flagptr;
+      uschar *p = sptr;
+      rewrite_rule **chain;
+      optionlist *ol3;
+
+      sprintf(CS name2, "*%.50s_rules", name);
+      ol2 = find_option(name2, oltop, last);
+      sprintf(CS name2, "*%.50s_flags", name);
+      ol3 = find_option(name2, oltop, last);
+
+      if (!ol2 || !ol3)
+        log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+          "rewrite rules not available for driver");
+
+      if (data_block)
+        {
+        chain = (rewrite_rule **)(US data_block + ol2->v.offset);
+        flagptr = (int *)(US data_block + ol3->v.offset);
+        }
+      else
+        {
+        chain = (rewrite_rule **)ol2->v.value;
+        flagptr = (int *)ol3->v.value;
+        }
+
+      /* This will trap if sptr is tainted. Not sure if that can happen */
+      while ((p = string_nextinlist(CUSS &sptr, &sep, big_buffer, BIG_BUFFER_SIZE)))
+        {
+        rewrite_rule *next = readconf_one_rewrite(p, flagptr, FALSE);
+        *chain = next;
+        chain = &(next->next);
+        }
+
+      if ((*flagptr & (rewrite_all_envelope | rewrite_smtp)) != 0)
+        log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "rewrite rule specifies a "
+          "non-header rewrite - not allowed at transport time -");
+      }
+    break;
+
+    /* If it was an expanded uid, see if there is any expansion to be
+    done by checking for the presence of a $ character. If there is, save it
+    in the corresponding *expand_user option field. Otherwise, fall through
+    to treat it as a fixed uid. Ensure mutual exclusivity of the two kinds
+    of data. */
+
+    case opt_expand_uid:
+    sprintf(CS name2, "*expand_%.50s", name);
+    if ((ol2 = find_option(name2, oltop, last)))
+      {
+      uschar *ss = (Ustrchr(sptr, '$') != NULL) ? sptr : NULL;
+
+      if (data_block)
+        *(USS(US data_block + ol2->v.offset)) = ss;
+      else
+        *(USS ol2->v.value) = ss;
+
+      if (ss)
+        {
+        *(get_set_flag(name, oltop, last, data_block)) = FALSE;
+        freesptr = FALSE;
+        break;
+        }
+      }
+
+    /* Look up a fixed uid, and also make use of the corresponding gid
+    if a passwd entry is returned and the gid has not been set. */
+
+    case opt_uid:
+    if (!route_finduser(sptr, &pw, &uid))
+      log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "user %s was not found", sptr);
+    if (data_block)
+      *(uid_t *)(US data_block + ol->v.offset) = uid;
+    else
+      *(uid_t *)ol->v.value = uid;
+
+    /* Set the flag indicating a fixed value is set */
+
+    *(get_set_flag(name, oltop, last, data_block)) = TRUE;
+
+    /* Handle matching gid if we have a passwd entry: done by finding the
+    same name with terminating "user" changed to "group"; if not found,
+    ignore. Also ignore if the value is already set. */
+
+    if (pw == NULL) break;
+    Ustrcpy(name+Ustrlen(name)-4, US"group");
+    ol2 = find_option(name, oltop, last);
+    if (ol2 && ((ol2->type & opt_mask) == opt_gid ||
+        (ol2->type & opt_mask) == opt_expand_gid))
+      {
+      BOOL *set_flag = get_set_flag(name, oltop, last, data_block);
+      if (!*set_flag)
+        {
+        if (data_block)
+          *((gid_t *)(US data_block + ol2->v.offset)) = pw->pw_gid;
+        else
+          *((gid_t *)ol2->v.value) = pw->pw_gid;
+        *set_flag = TRUE;
+        }
+      }
+    break;
+
+    /* If it was an expanded gid, see if there is any expansion to be
+    done by checking for the presence of a $ character. If there is, save it
+    in the corresponding *expand_user option field. Otherwise, fall through
+    to treat it as a fixed gid. Ensure mutual exclusivity of the two kinds
+    of data. */
+
+    case opt_expand_gid:
+    sprintf(CS name2, "*expand_%.50s", name);
+    if ((ol2 = find_option(name2, oltop, last)))
+      {
+      uschar *ss = (Ustrchr(sptr, '$') != NULL) ? sptr : NULL;
+
+      if (data_block)
+        *(USS(US data_block + ol2->v.offset)) = ss;
+      else
+        *(USS ol2->v.value) = ss;
+
+      if (ss)
+        {
+        *(get_set_flag(name, oltop, last, data_block)) = FALSE;
+        freesptr = FALSE;
+        break;
+        }
+      }
+
+    /* Handle freestanding gid */
+
+    case opt_gid:
+    if (!route_findgroup(sptr, &gid))
+      log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "group %s was not found", sptr);
+    if (data_block)
+      *((gid_t *)(US data_block + ol->v.offset)) = gid;
+    else
+      *((gid_t *)ol->v.value) = gid;
+    *(get_set_flag(name, oltop, last, data_block)) = TRUE;
+    break;
+
+    /* If it was a uid list, look up each individual entry, and build
+    a vector of uids, with a count in the first element. Put the vector
+    in malloc store so we can free the string. (We are reading into
+    permanent store already.) */
+
+    case opt_uidlist:
+      {
+      int count = 1;
+      uid_t *list;
+      int ptr = 0;
+      const uschar *p;
+      const uschar *op = expand_string (sptr);
+
+      if (op == NULL)
+        log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "failed to expand %s: %s",
+          name, expand_string_message);
+
+      p = op;
+      if (*p != 0) count++;
+      while (*p != 0) if (*p++ == ':' && *p != 0) count++;
+      list = store_malloc(count*sizeof(uid_t));
+      list[ptr++] = (uid_t)(count - 1);
+
+      if (data_block)
+        *((uid_t **)(US data_block + ol->v.offset)) = list;
+      else
+        *((uid_t **)ol->v.value) = list;
+
+      p = op;
+      while (count-- > 1)
+        {
+        int sep = 0;
+	/* If p is tainted we trap.  Not sure that can happen */
+        (void)string_nextinlist(&p, &sep, big_buffer, BIG_BUFFER_SIZE);
+        if (!route_finduser(big_buffer, NULL, &uid))
+          log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "user %s was not found",
+            big_buffer);
+        list[ptr++] = uid;
+        }
+      }
+    break;
+
+    /* If it was a gid list, look up each individual entry, and build
+    a vector of gids, with a count in the first element. Put the vector
+    in malloc store so we can free the string. (We are reading into permanent
+    store already.) */
+
+    case opt_gidlist:
+      {
+      int count = 1;
+      gid_t *list;
+      int ptr = 0;
+      const uschar *p;
+      const uschar *op = expand_string (sptr);
+
+      if (!op)
+        log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "failed to expand %s: %s",
+          name, expand_string_message);
+
+      p = op;
+      if (*p != 0) count++;
+      while (*p != 0) if (*p++ == ':' && *p != 0) count++;
+      list = store_malloc(count*sizeof(gid_t));
+      list[ptr++] = (gid_t)(count - 1);
+
+      if (data_block)
+        *((gid_t **)(US data_block + ol->v.offset)) = list;
+      else
+        *((gid_t **)ol->v.value) = list;
+
+      p = op;
+      while (count-- > 1)
+        {
+        int sep = 0;
+	/* If p is tainted we trap.  Not sure that can happen */
+        (void)string_nextinlist(&p, &sep, big_buffer, BIG_BUFFER_SIZE);
+        if (!route_findgroup(big_buffer, &gid))
+          log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "group %s was not found",
+            big_buffer);
+        list[ptr++] = gid;
+        }
+      }
+    break;
+    }
+
+  /* Release store if the value of the string doesn't need to be kept. */
+
+  if (freesptr) reset_point = store_reset(reset_point);
+  break;
+
+  /* Expanded boolean: if no characters follow, or if there are no dollar
+  characters, this is a fixed-valued boolean, and we fall through. Otherwise,
+  save the string for later expansion in the alternate place. */
+
+  case opt_expand_bool:
+  if (*s && Ustrchr(s, '$') != 0)
+    {
+    sprintf(CS name2, "*expand_%.50s", name);
+    if ((ol2 = find_option(name2, oltop, last)))
+      {
+      reset_point = store_mark();
+      sptr = read_string(s, name);
+      if (data_block)
+        *(USS(US data_block + ol2->v.offset)) = sptr;
+      else
+        *(USS ol2->v.value) = sptr;
+      freesptr = FALSE;
+      break;
+      }
+    }
+  /* Fall through */
+
+  /* Boolean: if no characters follow, the value is boolvalue. Otherwise
+  look for yes/not/true/false. Some booleans are stored in a single bit in
+  a single int. There's a special fudge for verify settings; without a suffix
+  they set both xx_sender and xx_recipient. The table points to the sender
+  value; search subsequently for the recipient. There's another special case:
+  opt_bool_set also notes when a boolean has been set. */
+
+  case opt_bool:
+  case opt_bit:
+  case opt_bool_verify:
+  case opt_bool_set:
+  if (*s != 0)
+    {
+    s = readconf_readname(name2, EXIM_DRIVERNAME_MAX, s);
+    if (strcmpic(name2, US"true") == 0 || strcmpic(name2, US"yes") == 0)
+      boolvalue = TRUE;
+    else if (strcmpic(name2, US"false") == 0 || strcmpic(name2, US"no") == 0)
+      boolvalue = FALSE;
+    else log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+      "\"%s\" is not a valid value for the \"%s\" option", name2, name);
+    if (*s != 0) extra_chars_error(s, string_sprintf("\"%s\" ", name2),
+      US"for boolean option ", name);
+    }
+
+  /* Handle single-bit type. */
+
+  if (type == opt_bit)
+    {
+    int bit = 1 << ((ol->type >> 16) & 31);
+    int * ptr = data_block
+      ? (int *)(US data_block + ol->v.offset)
+      : (int *)ol->v.value;
+    if (boolvalue) *ptr |= bit; else *ptr &= ~bit;
+    break;
+    }
+
+  /* Handle full BOOL types */
+
+  if (data_block)
+    *((BOOL *)(US data_block + ol->v.offset)) = boolvalue;
+  else
+    *((BOOL *)ol->v.value) = boolvalue;
+
+  /* Verify fudge */
+
+  if (type == opt_bool_verify)
+    {
+    sprintf(CS name2, "%.50s_recipient", name + offset);
+    if ((ol2 = find_option(name2, oltop, last)))
+      if (data_block)
+        *((BOOL *)(US data_block + ol2->v.offset)) = boolvalue;
+      else
+        *((BOOL *)ol2->v.value) = boolvalue;
+    }
+
+  /* Note that opt_bool_set type is set, if there is somewhere to do so */
+
+  else if (type == opt_bool_set)
+    {
+    sprintf(CS name2, "*set_%.50s", name + offset);
+    if ((ol2 = find_option(name2, oltop, last)))
+      if (data_block)
+        *((BOOL *)(US data_block + ol2->v.offset)) = TRUE;
+      else
+        *((BOOL *)ol2->v.value) = TRUE;
+    }
+  break;
+
+  /* Octal integer */
+
+  case opt_octint:
+  intbase = 8;
+  inttype = US"octal ";
+
+  /*  Integer: a simple(ish) case; allow octal and hex formats, and
+  suffixes K, M, G, and T.  The different types affect output, not input. */
+
+  case opt_mkint:
+  case opt_int:
+    {
+    uschar *endptr;
+    long int lvalue;
+
+    errno = 0;
+    lvalue = strtol(CS s, CSS &endptr, intbase);
+
+    if (endptr == s)
+      log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "%sinteger expected for %s",
+        inttype, name);
+
+    if (errno != ERANGE && *endptr)
+      {
+      uschar * mp = US"TtGgMmKk\0";	/* YyZzEePpTtGgMmKk */
+
+      if ((mp = Ustrchr(mp, *endptr)))
+	{
+	endptr++;
+	do
+	  {
+	  if (lvalue > INT_MAX/1024 || lvalue < INT_MIN/1024)
+	    {
+	    errno = ERANGE;
+	    break;
+	    }
+	  lvalue *= 1024;
+	  }
+	while (*(mp += 2));
+	}
+      }
+
+    if (errno == ERANGE || lvalue > INT_MAX || lvalue < INT_MIN)
+      log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+        "absolute value of integer \"%s\" is too large (overflow)", s);
+
+    while (isspace(*endptr)) endptr++;
+    if (*endptr)
+      extra_chars_error(endptr, inttype, US"integer value for ", name);
+
+    value = (int)lvalue;
+    }
+
+  if (data_block)
+    *(int *)(US data_block + ol->v.offset) = value;
+  else
+    *(int *)ol->v.value = value;
+  break;
+
+  /*  Integer held in K: again, allow formats and suffixes as above. */
+
+  case opt_Kint:
+    {
+    uschar *endptr;
+    errno = 0;
+    int_eximarith_t lvalue = strtol(CS s, CSS &endptr, intbase);
+
+    if (endptr == s)
+      log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "%sinteger expected for %s",
+        inttype, name);
+
+    if (errno != ERANGE && *endptr)
+      {
+      uschar * mp = US"ZzEePpTtGgMmKk\0";	/* YyZzEePpTtGgMmKk */
+
+      if ((mp = Ustrchr(mp, *endptr)))
+	{
+	endptr++;
+	while (*(mp += 2))
+	  {
+	  if (lvalue > EXIM_ARITH_MAX/1024 || lvalue < EXIM_ARITH_MIN/1024)
+	    {
+	    errno = ERANGE;
+	    break;
+	    }
+	  lvalue *= 1024;
+	  }
+	}
+      else
+	lvalue = (lvalue + 512)/1024;
+      }
+
+    if (errno == ERANGE) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+      "absolute value of integer \"%s\" is too large (overflow)", s);
+
+    while (isspace(*endptr)) endptr++;
+    if (*endptr != 0)
+      extra_chars_error(endptr, inttype, US"integer value for ", name);
+
+    if (data_block)
+      *(int_eximarith_t *)(US data_block + ol->v.offset) = lvalue;
+    else
+      *(int_eximarith_t *)ol->v.value = lvalue;
+    break;
+    }
+
+  /*  Fixed-point number: held to 3 decimal places. */
+
+  case opt_fixed:
+  if (sscanf(CS s, "%d%n", &value, &count) != 1)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+      "fixed-point number expected for %s", name);
+
+  if (value < 0) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+    "integer \"%s\" is too large (overflow)", s);
+
+  value *= 1000;
+
+  if (value < 0) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+    "integer \"%s\" is too large (overflow)", s);
+
+  /* We get a coverity error here for using count, as it derived
+  from the tainted buffer pointed to by s, as parsed by sscanf().
+  By the definition of sscanf we must be accessing between start
+  and end of s (assuming it is nul-terminated...) so ignore the error.  */
+  /* coverity[tainted_data] */
+  if (s[count] == '.')
+    {
+    int d = 100;
+    while (isdigit(s[++count]))
+      {
+      value += (s[count] - '0') * d;
+      d /= 10;
+      }
+    }
+
+  while (isspace(s[count])) count++;
+
+  if (s[count] != 0)
+    extra_chars_error(s+count, US"fixed-point value for ", name, US"");
+
+  if (data_block)
+    *((int *)(US data_block + ol->v.offset)) = value;
+  else
+    *((int *)ol->v.value) = value;
+  break;
+
+  /* There's a special routine to read time values. */
+
+  case opt_time:
+  value = readconf_readtime(s, 0, FALSE);
+  if (value < 0)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "invalid time value for %s",
+      name);
+  if (data_block)
+    *((int *)(US data_block + ol->v.offset)) = value;
+  else
+    *((int *)ol->v.value) = value;
+  break;
+
+  /* A time list is a list of colon-separated times, with the first
+  element holding the size of the list and the second the number of
+  entries used. */
+
+  case opt_timelist:
+    {
+    int count = 0;
+    int * list = data_block
+      ? (int *)(US data_block + ol->v.offset)
+      : (int *)ol->v.value;
+
+    if (*s != 0) for (count = 1; count <= list[0] - 2; count++)
+      {
+      int terminator = 0;
+      uschar *snext = Ustrchr(s, ':');
+      if (snext != NULL)
+        {
+        uschar *ss = snext;
+        while (ss > s && isspace(ss[-1])) ss--;
+        terminator = *ss;
+        }
+      value = readconf_readtime(s, terminator, FALSE);
+      if (value < 0)
+        log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "invalid time value for %s",
+          name);
+      if (count > 1 && value <= list[count])
+        log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+          "time value out of order for %s", name);
+      list[count+1] = value;
+      if (snext == NULL) break;
+      s = snext + 1;
+      while (isspace(*s)) s++;
+      }
+
+    if (count > list[0] - 2)
+      log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "too many time values for %s",
+        name);
+    if (count > 0 && list[2] == 0) count = 0;
+    list[1] = count;
+    break;
+    }
+
+  case opt_func:
+    {
+    void (*fn)() = ol->v.fn;
+    fn(name, s, 0);
+    break;
+    }
+  }
+
+return TRUE;
+}
+
+
+
+/*************************************************
+*               Print a time value               *
+*************************************************/
+
+/*
+Argument:  a time value in seconds
+Returns:   pointer to a fixed buffer containing the time as a string,
+           in readconf_readtime() format
+*/
+
+uschar *
+readconf_printtime(int t)
+{
+int s, m, h, d, w;
+uschar *p = time_buffer;
+
+if (t < 0)
+  {
+  *p++ = '-';
+  t = -t;
+  }
+
+s = t % 60;
+t /= 60;
+m = t % 60;
+t /= 60;
+h = t % 24;
+t /= 24;
+d = t % 7;
+w = t/7;
+
+if (w > 0) p += sprintf(CS p, "%dw", w);
+if (d > 0) p += sprintf(CS p, "%dd", d);
+if (h > 0) p += sprintf(CS p, "%dh", h);
+if (m > 0) p += sprintf(CS p, "%dm", m);
+if (s > 0 || p == time_buffer) sprintf(CS p, "%ds", s);
+
+return time_buffer;
+}
+
+
+
+/*************************************************
+*      Print an individual option value          *
+*************************************************/
+
+/* This is used by the -bP option, so prints to the standard output.
+The entire options list is passed in as an argument, because some options come
+in pairs - typically uid/gid settings, which can either be explicit numerical
+values, or strings to be expanded later. If the numerical value is unset,
+search for "*expand_<name>" to see if there is a string equivalent.
+
+Arguments:
+  ol             option entry, or NULL for an unknown option
+  name           option name
+  options_block  NULL for main configuration options; otherwise points to
+                   a driver block; if the option doesn't have opt_public
+                   set, then options_block->options_block is where the item
+                   resides.
+  oltop          points to the option list in which ol exists
+  last           one more than the offset of the last entry in optop
+  no_labels      do not show "foo = " at the start.
+
+Returns:         boolean success
+*/
+
+static BOOL
+print_ol(optionlist *ol, const uschar *name, void *options_block,
+  optionlist *oltop, int last, BOOL no_labels)
+{
+struct passwd *pw;
+struct group *gr;
+optionlist *ol2;
+void *value;
+uid_t *uidlist;
+gid_t *gidlist;
+uschar *s;
+uschar name2[EXIM_DRIVERNAME_MAX];
+
+if (!ol)
+  {
+  printf("%s is not a known option\n", name);
+  return FALSE;
+  }
+
+/* Non-admin callers cannot see options that have been flagged secure by the
+"hide" prefix. */
+
+if (!f.admin_user && ol->type & opt_secure)
+  {
+  if (no_labels)
+    printf("%s\n", CCS hidden);
+  else
+    printf("%s = %s\n", name, CCS hidden);
+  return TRUE;
+  }
+
+/* Else show the value of the option */
+
+value = ol->v.value;
+if (options_block)
+  {
+  if (!(ol->type & opt_public))
+    options_block = (void *)(((driver_instance *)options_block)->options_block);
+  value = (void *)(US options_block + (long int)value);
+  }
+
+switch(ol->type & opt_mask)
+  {
+  case opt_stringptr:
+  case opt_rewrite:        /* Show the text value */
+    s = *(USS value);
+    if (!no_labels) printf("%s = ", name);
+    printf("%s\n", s ? string_printing2(s, SP_TAB) : US"");
+    break;
+
+  case opt_int:
+    if (!no_labels) printf("%s = ", name);
+    printf("%d\n", *((int *)value));
+    break;
+
+  case opt_mkint:
+    {
+    int x = *((int *)value);
+    if (x != 0 && (x & 1023) == 0)
+      {
+      int c = 'K';
+      x >>= 10;
+      if ((x & 1023) == 0)
+        {
+        c = 'M';
+        x >>= 10;
+        }
+      if (!no_labels) printf("%s = ", name);
+      printf("%d%c\n", x, c);
+      }
+    else
+      {
+      if (!no_labels) printf("%s = ", name);
+      printf("%d\n", x);
+      }
+    }
+    break;
+
+  case opt_Kint:
+    {
+    int_eximarith_t x = *((int_eximarith_t *)value);
+    if (!no_labels) printf("%s = ", name);
+    if (x == 0) printf("0\n");
+    else if ((x & ((1<<30)-1)) == 0) printf(PR_EXIM_ARITH "T\n", x >> 30);
+    else if ((x & ((1<<20)-1)) == 0) printf(PR_EXIM_ARITH "G\n", x >> 20);
+    else if ((x & ((1<<10)-1)) == 0) printf(PR_EXIM_ARITH "M\n", x >> 10);
+    else printf(PR_EXIM_ARITH "K\n", x);
+    }
+    break;
+
+  case opt_octint:
+    if (!no_labels) printf("%s = ", name);
+    printf("%#o\n", *((int *)value));
+    break;
+
+  /* Can be negative only when "unset", in which case integer */
+
+  case opt_fixed:
+    {
+    int x = *((int *)value);
+    int f = x % 1000;
+    int d = 100;
+    if (x < 0) printf("%s =\n", name); else
+      {
+      if (!no_labels) printf("%s = ", name);
+      printf("%d.", x/1000);
+      do
+        {
+        printf("%d", f/d);
+        f %= d;
+        d /= 10;
+        }
+      while (f != 0);
+      printf("\n");
+      }
+    }
+    break;
+
+  /* If the numerical value is unset, try for the string value */
+
+  case opt_expand_uid:
+    if (! *get_set_flag(name, oltop, last, options_block))
+      {
+      sprintf(CS name2, "*expand_%.50s", name);
+      if ((ol2 = find_option(name2, oltop, last)))
+	{
+	if (options_block)
+	  s = *USS (US options_block + ol2->v.offset);
+	else
+	  s = *USS ol2->v.value;
+	if (!no_labels) printf("%s = ", name);
+	printf("%s\n", s ? string_printing(s) : US"");
+	break;
+	}
+      }
+
+    /* Else fall through */
+
+  case opt_uid:
+    if (!no_labels) printf("%s = ", name);
+    if (! *get_set_flag(name, oltop, last, options_block))
+      printf("\n");
+    else
+      if ((pw = getpwuid(*((uid_t *)value))))
+	printf("%s\n", pw->pw_name);
+      else
+	printf("%ld\n", (long int)(*((uid_t *)value)));
+    break;
+
+  /* If the numerical value is unset, try for the string value */
+
+  case opt_expand_gid:
+    if (! *get_set_flag(name, oltop, last, options_block))
+      {
+      sprintf(CS name2, "*expand_%.50s", name);
+      if (  (ol2 = find_option(name2, oltop, last))
+	 && (ol2->type & opt_mask) == opt_stringptr)
+	{
+	if (options_block)
+	  s = *USS (US options_block + ol2->v.offset);
+	else
+	  s = *USS ol2->v.value;
+	if (!no_labels) printf("%s = ", name);
+	printf("%s\n", s ? string_printing(s) : US"");
+	break;
+	}
+      }
+
+    /* Else fall through */
+
+  case opt_gid:
+    if (!no_labels) printf("%s = ", name);
+    if (! *get_set_flag(name, oltop, last, options_block))
+      printf("\n");
+    else
+      if ((gr = getgrgid(*((int *)value))))
+	printf("%s\n", gr->gr_name);
+      else
+	 printf("%ld\n", (long int)(*((int *)value)));
+    break;
+
+  case opt_uidlist:
+    uidlist = *((uid_t **)value);
+    if (!no_labels) printf("%s =", name);
+    if (uidlist)
+      {
+      uschar sep = no_labels ? '\0' : ' ';
+      for (int i = 1; i <= (int)(uidlist[0]); i++)
+	{
+	uschar *name = NULL;
+	if ((pw = getpwuid(uidlist[i]))) name = US pw->pw_name;
+	if (sep != '\0') printf("%c", sep);
+	if (name) printf("%s", name);
+	else printf("%ld", (long int)(uidlist[i]));
+	sep = ':';
+	}
+      }
+    printf("\n");
+    break;
+
+  case opt_gidlist:
+    gidlist = *((gid_t **)value);
+    if (!no_labels) printf("%s =", name);
+    if (gidlist)
+      {
+      uschar sep = no_labels ? '\0' : ' ';
+      for (int i = 1; i <= (int)(gidlist[0]); i++)
+	{
+	uschar *name = NULL;
+	if ((gr = getgrgid(gidlist[i]))) name = US gr->gr_name;
+	if (sep != '\0') printf("%c", sep);
+	if (name) printf("%s", name);
+	else printf("%ld", (long int)(gidlist[i]));
+	sep = ':';
+	}
+      }
+    printf("\n");
+    break;
+
+  case opt_time:
+    if (!no_labels) printf("%s = ", name);
+    printf("%s\n", readconf_printtime(*((int *)value)));
+    break;
+
+  case opt_timelist:
+    {
+    int *list = (int *)value;
+    if (!no_labels) printf("%s = ", name);
+    for (int i = 0; i < list[1]; i++)
+      printf("%s%s", i == 0 ? "" : ":", readconf_printtime(list[i+2]));
+    printf("\n");
+    }
+    break;
+
+  case opt_bit:
+    printf("%s%s\n", ((*((int *)value)) & (1 << ((ol->type >> 16) & 31)))?
+      "" : "no_", name);
+    break;
+
+  case opt_expand_bool:
+    sprintf(CS name2, "*expand_%.50s", name);
+    if ((ol2 = find_option(name2, oltop, last)) && ol2->v.value)
+      {
+      if (options_block)
+	s = *USS (US options_block + ol2->v.offset);
+      else
+	s = *USS ol2->v.value;
+      if (s)
+	{
+	if (!no_labels) printf("%s = ", name);
+	printf("%s\n", string_printing(s));
+	break;
+	}
+      /* s == NULL => string not set; fall through */
+      }
+
+    /* Fall through */
+
+  case opt_bool:
+  case opt_bool_verify:
+  case opt_bool_set:
+    printf("%s%s\n", (*((BOOL *)value))? "" : "no_", name);
+    break;
+
+  case opt_func:
+    ol->v.fn(name, NULL, no_labels ? opt_fn_print : opt_fn_print|opt_fn_print_label);
+    break;
+  }
+return TRUE;
+}
+
+
+
+/*************************************************
+*        Print value from main configuration     *
+*************************************************/
+
+/* This function, called as a result of encountering the -bP option,
+causes the value of any main configuration variable to be output if the
+second argument is NULL. There are some special values:
+
+  all                print all main configuration options
+  config_file        print the name of the configuration file
+                     (configure_file will still work, for backward
+                     compatibility)
+  routers            print the routers' configurations
+  transports         print the transports' configuration
+  authenticators     print the authenticators' configuration
+  macros             print the macros' configuration
+  router_list        print a list of router names
+  transport_list     print a list of transport names
+  authenticator_list print a list of authentication mechanism names
+  macro_list         print a list of macro names
+  +name              print a named list item
+  local_scan         print the local_scan options
+  config             print the configuration as it is parsed
+  environment        print the used execution environment
+
+If the second argument is not NULL, it must be one of "router", "transport",
+"authenticator" or "macro" in which case the first argument identifies the
+driver whose options are to be printed.
+
+Arguments:
+  name        option name if type == NULL; else driver name
+  type        NULL or driver type name, as described above
+  no_labels   avoid the "foo = " at the start of an item
+
+Returns:      Boolean success
+*/
+
+BOOL
+readconf_print(const uschar *name, uschar *type, BOOL no_labels)
+{
+BOOL names_only = FALSE;
+optionlist *ol2 = NULL;
+driver_instance *d = NULL;
+int size = 0;
+
+if (!type)
+  {
+  if (*name == '+')
+    {
+    tree_node *t;
+    BOOL found = FALSE;
+    static uschar *types[] = { US"address", US"domain", US"host",
+      US"localpart" };
+    static tree_node **anchors[] = { &addresslist_anchor, &domainlist_anchor,
+      &hostlist_anchor, &localpartlist_anchor };
+
+    for (int i = 0; i < 4; i++)
+      if ((t = tree_search(*(anchors[i]), name+1)))
+        {
+	namedlist_block * nb = t->data.ptr;
+	const uschar * s = nb->hide ? hidden : nb->string;
+        found = TRUE;
+        if (no_labels)
+          printf("%s\n", CCS s);
+        else
+          printf("%slist %s = %s\n", types[i], name+1, CCS s);
+        }
+
+    if (!found)
+      printf("no address, domain, host, or local part list called \"%s\" "
+        "exists\n", name+1);
+
+    return found;
+    }
+
+  if (  Ustrcmp(name, "configure_file") == 0
+     || Ustrcmp(name, "config_file") == 0)
+    {
+    printf("%s\n", CS config_main_filename);
+    return TRUE;
+    }
+
+  if (Ustrcmp(name, "all") == 0)
+    {
+    for (optionlist * ol = optionlist_config;
+         ol < optionlist_config + nelem(optionlist_config); ol++)
+      if (!(ol->type & opt_hidden))
+        (void) print_ol(ol, US ol->name, NULL,
+		  optionlist_config, nelem(optionlist_config),
+		  no_labels);
+    return TRUE;
+    }
+
+  if (Ustrcmp(name, "local_scan") == 0)
+    {
+#ifndef LOCAL_SCAN_HAS_OPTIONS
+    printf("local_scan() options are not supported\n");
+    return FALSE;
+#else
+    for (optionlist * ol = local_scan_options;
+         ol < local_scan_options + local_scan_options_count; ol++)
+      (void) print_ol(ol, US ol->name, NULL, local_scan_options,
+		  local_scan_options_count, no_labels);
+    return TRUE;
+#endif
+    }
+
+  if (Ustrcmp(name, "config") == 0)
+    {
+    print_config(f.admin_user, no_labels);
+    return TRUE;
+    }
+
+  if (Ustrcmp(name, "routers") == 0)
+    {
+    type = US"router";
+    name = NULL;
+    }
+  else if (Ustrcmp(name, "transports") == 0)
+    {
+    type = US"transport";
+    name = NULL;
+    }
+  else if (Ustrcmp(name, "authenticators") == 0)
+    {
+    type = US"authenticator";
+    name = NULL;
+    }
+  else if (Ustrcmp(name, "macros") == 0)
+    {
+    type = US"macro";
+    name = NULL;
+    }
+  else if (Ustrcmp(name, "router_list") == 0)
+    {
+    type = US"router";
+    name = NULL;
+    names_only = TRUE;
+    }
+  else if (Ustrcmp(name, "transport_list") == 0)
+    {
+    type = US"transport";
+    name = NULL;
+    names_only = TRUE;
+    }
+  else if (Ustrcmp(name, "authenticator_list") == 0)
+    {
+    type = US"authenticator";
+    name = NULL;
+    names_only = TRUE;
+    }
+  else if (Ustrcmp(name, "macro_list") == 0)
+    {
+    type = US"macro";
+    name = NULL;
+    names_only = TRUE;
+    }
+  else if (Ustrcmp(name, "environment") == 0)
+    {
+    if (environ)
+      {
+      uschar ** p;
+      for (p = USS environ; *p; p++) ;
+      qsort(environ, p - USS environ, sizeof(*p), string_compare_by_pointer);
+
+      for (p = USS environ; *p; p++)
+        {
+	uschar * q;
+        if (no_labels && (q = Ustrchr(*p, '='))) *q  = '\0';
+        puts(CS *p);
+        }
+      }
+    return TRUE;
+    }
+
+  else
+    return print_ol(find_option(name,
+		      optionlist_config, nelem(optionlist_config)),
+      name, NULL, optionlist_config, nelem(optionlist_config), no_labels);
+  }
+
+/* Handle the options for a router or transport. Skip options that are flagged
+as hidden. Some of these are options with names starting with '*', used for
+internal alternative representations of other options (which the printing
+function will sort out). Others are synonyms kept for backward compatibility.
+*/
+
+if (Ustrcmp(type, "router") == 0)
+  {
+  d = (driver_instance *)routers;
+  ol2 = optionlist_routers;
+  size = optionlist_routers_size;
+  }
+else if (Ustrcmp(type, "transport") == 0)
+  {
+  d = (driver_instance *)transports;
+  ol2 = optionlist_transports;
+  size = optionlist_transports_size;
+  }
+else if (Ustrcmp(type, "authenticator") == 0)
+  {
+  d = (driver_instance *)auths;
+  ol2 = optionlist_auths;
+  size = optionlist_auths_size;
+  }
+
+else if (Ustrcmp(type, "macro") == 0)
+  {
+  /* People store passwords in macros and they were previously not available
+  for printing.  So we have an admin_users restriction. */
+  if (!f.admin_user)
+    {
+    fprintf(stderr, "exim: permission denied\n");
+    return FALSE;
+    }
+  for (macro_item * m = macros; m; m = m->next)
+    if (!name || Ustrcmp(name, m->name) == 0)
+      {
+      if (names_only)
+        printf("%s\n", CS m->name);
+      else if (no_labels)
+        printf("%s\n", CS m->replacement);
+      else
+        printf("%s=%s\n", CS m->name, CS m->replacement);
+      if (name)
+        return TRUE;
+      }
+  if (!name) return TRUE;
+
+  printf("%s %s not found\n", type, name);
+  return FALSE;
+  }
+
+if (names_only)
+  {
+  for (; d; d = d->next) printf("%s\n", CS d->name);
+  return TRUE;
+  }
+
+/* Either search for a given driver, or print all of them */
+
+for (; d; d = d->next)
+  {
+  BOOL rc = FALSE;
+  if (!name)
+    printf("\n%s %s:\n", d->name, type);
+  else if (Ustrcmp(d->name, name) != 0) continue;
+
+  for (optionlist * ol = ol2; ol < ol2 + size; ol++)
+    if (!(ol->type & opt_hidden))
+      rc |= print_ol(ol, US ol->name, d, ol2, size, no_labels);
+
+  for (optionlist * ol = d->info->options;
+       ol < d->info->options + *(d->info->options_count); ol++)
+    if (!(ol->type & opt_hidden))
+      rc |= print_ol(ol, US ol->name, d, d->info->options,
+		    *d->info->options_count, no_labels);
+
+  if (name) return rc;
+  }
+if (!name) return TRUE;
+
+printf("%s %s not found\n", type, name);
+return FALSE;
+}
+
+
+
+/*************************************************
+*          Read a named list item                *
+*************************************************/
+
+/* This function reads a name and a list (i.e. string). The name is used to
+save the list in a tree, sorted by its name. Each entry also has a number,
+which can be used for caching tests, but if the string contains any expansion
+items other than $key, the number is set negative to inhibit caching. This
+mechanism is used for domain, host, and address lists that are referenced by
+the "+name" syntax.
+
+Arguments:
+  anchorp     points to the tree anchor
+  numberp     points to the current number for this tree
+  max         the maximum number permitted
+  s           the text of the option line, starting immediately after the name
+                of the list type
+  tname       the name of the list type, for messages
+  hide	      do not output value on "-bP"
+
+Returns:      nothing
+*/
+
+static void
+read_named_list(tree_node **anchorp, int *numberp, int max, uschar *s,
+  uschar *tname, BOOL hide)
+{
+BOOL forcecache = FALSE;
+uschar *ss;
+tree_node *t;
+namedlist_block * nb = store_get_perm(sizeof(namedlist_block), FALSE);
+
+if (Ustrncmp(s, "_cache", 6) == 0)
+  {
+  forcecache = TRUE;
+  s += 6;
+  }
+
+if (!isspace(*s))
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "unrecognized configuration line");
+
+if (*numberp >= max)
+ log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "too many named %ss (max is %d)\n",
+   tname, max);
+
+Uskip_whitespace(&s);
+ss = s;
+while (isalnum(*s) || *s == '_') s++;
+t = store_get(sizeof(tree_node) + s-ss, ss);
+Ustrncpy(t->name, ss, s-ss);
+t->name[s-ss] = 0;
+Uskip_whitespace(&s);
+
+if (!tree_insertnode(anchorp, t))
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+    "duplicate name \"%s\" for a named %s", t->name, tname);
+
+t->data.ptr = nb;
+nb->number = *numberp;
+*numberp += 1;
+nb->hide = hide;
+
+if (*s++ != '=') log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+  "missing '=' after \"%s\"", t->name);
+Uskip_whitespace(&s);
+nb->string = read_string(s, t->name);
+nb->cache_data = NULL;
+
+/* Check the string for any expansions; if any are found, mark this list
+uncacheable unless the user has explicited forced caching. */
+
+if (!forcecache && Ustrchr(nb->string, '$') != NULL) nb->number = -1;
+}
+
+
+
+
+/*************************************************
+*        Unpick data for a rate limit            *
+*************************************************/
+
+/* This function is called to unpick smtp_ratelimit_{mail,rcpt} into four
+separate values.
+
+Arguments:
+  s            string, in the form t,b,f,l
+               where t is the threshold (integer)
+               b is the initial delay (time)
+               f is the multiplicative factor (fixed point)
+               k is the maximum time (time)
+  threshold    where to store threshold
+  base         where to store base in milliseconds
+  factor       where to store factor in milliseconds
+  limit        where to store limit
+
+Returns:       nothing (panics on error)
+*/
+
+static void
+unpick_ratelimit(uschar *s, int *threshold, int *base, double *factor,
+  int *limit)
+{
+uschar bstring[16], lstring[16];
+
+if (sscanf(CS s, "%d, %15[0123456789smhdw.], %lf, %15s", threshold, bstring,
+    factor, lstring) == 4)
+  {
+  *base = readconf_readtime(bstring, 0, TRUE);
+  *limit = readconf_readtime(lstring, 0, TRUE);
+  if (*base >= 0 && *limit >= 0) return;
+  }
+log_write(0, LOG_MAIN|LOG_PANIC_DIE, "malformed ratelimit data: %s", s);
+}
+
+
+
+
+/*************************************************
+*         Read main configuration options        *
+*************************************************/
+
+/* This function is the first to be called for configuration reading. It
+opens the configuration file and reads general configuration settings until
+it reaches the end of the configuration section. The file is then left open so
+that the remaining configuration data can subsequently be read if needed for
+this run of Exim.
+
+The configuration file must be owned either by root or exim, and be writeable
+only by root or uid/gid exim. The values for Exim's uid and gid can be changed
+in the config file, so the test is done on the compiled in values. A slight
+anomaly, to be carefully documented.
+
+The name of the configuration file is taken from a list that is included in the
+binary of Exim. It can be altered from the command line, but if that is done,
+root privilege is immediately withdrawn unless the caller is root or exim.
+The first file on the list that exists is used.
+
+For use on multiple systems that share file systems, first look for a
+configuration file whose name has the current node name on the end. If that is
+not found, try the generic name. For really contorted configurations, that run
+multiple Exims with different uid settings, first try adding the effective uid
+before the node name. These complications are going to waste resources on most
+systems. Therefore they are available only when requested by compile-time
+options. */
+
+void
+readconf_main(BOOL nowarn)
+{
+int sep = 0;
+struct stat statbuf;
+uschar *s, *filename;
+const uschar *list = config_main_filelist;
+
+/* Loop through the possible file names */
+
+/* Should never be a tainted list */
+while((filename = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
+  {
+
+  /* Cut out all the fancy processing unless specifically wanted */
+
+#if defined(CONFIGURE_FILE_USE_NODE) || defined(CONFIGURE_FILE_USE_EUID)
+  uschar *suffix = filename + Ustrlen(filename);
+
+  /* Try for the node-specific file if a node name exists */
+
+# ifdef CONFIGURE_FILE_USE_NODE
+  struct utsname uts;
+  if (uname(&uts) >= 0)
+    {
+#  ifdef CONFIGURE_FILE_USE_EUID
+    sprintf(CS suffix, ".%ld.%.256s", (long int)original_euid, uts.nodename);
+    if (!(config_file = Ufopen(filename, "rb")))
+#  endif  /* CONFIGURE_FILE_USE_EUID */
+      {
+      sprintf(CS suffix, ".%.256s", uts.nodename);
+      config_file = Ufopen(filename, "rb");
+      }
+    }
+# endif  /* CONFIGURE_FILE_USE_NODE */
+
+  /* Otherwise, try the generic name, possibly with the euid added */
+
+# ifdef CONFIGURE_FILE_USE_EUID
+  if (!config_file)
+    {
+    sprintf(CS suffix, ".%ld", (long int)original_euid);
+    config_file = Ufopen(filename, "rb");
+    }
+# endif  /* CONFIGURE_FILE_USE_EUID */
+
+  /* Finally, try the unadorned name */
+
+  if (!config_file)
+    {
+    *suffix = 0;
+    config_file = Ufopen(filename, "rb");
+    }
+#else  /* if neither defined */
+
+  /* This is the common case when the fancy processing is not included. */
+
+  config_file = Ufopen(filename, "rb");
+#endif
+
+  /* If the file does not exist, continue to try any others. For any other
+  error, break out (and die). */
+
+  if (config_file || errno != ENOENT) break;
+  }
+
+/* On success, save the name for verification; config_filename is used when
+logging configuration errors (it changes for .included files) whereas
+config_main_filename is the name shown by -bP. Failure to open a configuration
+file is a serious disaster. */
+
+if (config_file)
+  {
+  uschar *last_slash = Ustrrchr(filename, '/');
+  config_filename = config_main_filename = string_copy(filename);
+
+  /* The config_main_directory we need for the $config_dir expansion.
+  config_main_filename we need for $config_file expansion.
+  And config_dir is the directory of the current configuration, used for
+  relative .includes. We do need to know it's name, as we change our working
+  directory later. */
+
+  if (filename[0] == '/')
+    config_main_directory = last_slash == filename ? US"/" : string_copyn(filename, last_slash - filename);
+  else
+    {
+    /* relative configuration file name: working dir + / + basename(filename) */
+
+    uschar buf[PATH_MAX];
+    gstring * g;
+
+    if (os_getcwd(buf, PATH_MAX) == NULL)
+      {
+      perror("exim: getcwd");
+      exit(EXIT_FAILURE);
+      }
+    g = string_cat(NULL, buf);
+
+    /* If the dir does not end with a "/", append one */
+    if (g->s[g->ptr-1] != '/')
+      g = string_catn(g, US"/", 1);
+
+    /* If the config file contains a "/", extract the directory part */
+    if (last_slash)
+      g = string_catn(g, filename, last_slash - filename);
+
+    config_main_directory = string_from_gstring(g);
+    }
+  config_directory = config_main_directory;
+  }
+else
+  if (!filename)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "non-existent configuration file(s): "
+      "%s", config_main_filelist);
+  else
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
+      string_open_failed("configuration file %s", filename));
+
+/* Now, once we found and opened our configuration file, we change the directory
+to a safe place. Later we change to $spool_directory. */
+
+if (Uchdir("/") < 0)
+  {
+  perror("exim: chdir `/': ");
+  exit(EXIT_FAILURE);
+  }
+
+/* Check the status of the file we have opened, if we have retained root
+privileges and the file isn't /dev/null (which *should* be 0666). */
+
+if (f.trusted_config && Ustrcmp(filename, US"/dev/null"))
+  {
+  if (fstat(fileno(config_file), &statbuf) != 0)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to stat configuration file %s",
+      big_buffer);
+
+  if (    statbuf.st_uid != root_uid		/* owner not root */
+#ifdef CONFIGURE_OWNER
+       && statbuf.st_uid != config_uid		/* owner not the special one */
+#endif
+     ||						/* or */
+	  statbuf.st_gid != root_gid		/* group not root & */
+#ifdef CONFIGURE_GROUP
+       && statbuf.st_gid != config_gid		/* group not the special one */
+#endif
+       && (statbuf.st_mode & 020) != 0		/* group writeable  */
+     ||						/* or */
+       (statbuf.st_mode & 2) != 0		/* world writeable  */
+     )
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Exim configuration file %s has the "
+      "wrong owner, group, or mode", big_buffer);
+
+  /* Do a dummy store-allocation of a size related to the (toplevel) file size.
+  This assumes we will need this much storage to handle all the allocations
+  during startup; it won't help when .include is being used.  When it does, it
+  will cut down on the number of store blocks (and malloc calls, and sbrk
+  syscalls).  It also assume we're on the relevant pool. */
+
+  if (statbuf.st_size > 8192)
+    {
+    rmark r = store_mark();
+    void * dummy = store_get((int)statbuf.st_size, GET_UNTAINTED);
+    store_reset(r);
+    }
+  }
+
+/* Process the main configuration settings. They all begin with a lower case
+letter. If we see something starting with an upper case letter, it is taken as
+a macro definition. */
+
+while ((s = get_config_line()))
+  {
+  BOOL hide;
+  uschar * t;
+
+  if (config_lineno == 1 && Ustrstr(s, "\xef\xbb\xbf") == s)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+      "found unexpected BOM (Byte Order Mark)");
+
+  if (isupper(*s))
+    {
+    if (!macro_read_assignment(s)) exim_exit(EXIT_FAILURE);
+    continue;
+    }
+
+  t = (hide = Ustrncmp(s, "hide", 4) == 0 && isspace(s[4])) ? s + 5 : s;
+
+  if (Ustrncmp(t, "domainlist", 10) == 0)
+    read_named_list(&domainlist_anchor, &domainlist_count,
+      MAX_NAMED_LIST, t+10, US"domain list", hide);
+
+  else if (Ustrncmp(t, "hostlist", 8) == 0)
+    read_named_list(&hostlist_anchor, &hostlist_count,
+      MAX_NAMED_LIST, t+8, US"host list", hide);
+
+  else if (Ustrncmp(t, "addresslist", 11) == 0)
+    read_named_list(&addresslist_anchor, &addresslist_count,
+      MAX_NAMED_LIST, t+11, US"address list", hide);
+
+  else if (Ustrncmp(t, "localpartlist", 13) == 0)
+    read_named_list(&localpartlist_anchor, &localpartlist_count,
+      MAX_NAMED_LIST, t+13, US"local part list", hide);
+
+  else
+    (void) readconf_handle_option(s, optionlist_config, optionlist_config_size,
+      NULL, US"main option \"%s\" unknown");
+  }
+
+
+/* If local_sender_retain is set, local_from_check must be unset. */
+
+if (local_sender_retain && local_from_check)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "both local_from_check and "
+    "local_sender_retain are set; this combination is not allowed");
+
+/* If the timezone string is empty, set it to NULL, implying no TZ variable
+wanted. */
+
+if (timezone_string && !*timezone_string) timezone_string = NULL;
+
+/* The max retry interval must not be greater than 24 hours. */
+
+if (retry_interval_max > 24*60*60) retry_interval_max = 24*60*60;
+
+/* remote_max_parallel must be > 0 */
+
+if (remote_max_parallel <= 0) remote_max_parallel = 1;
+
+/* Save the configured setting of freeze_tell, so we can re-instate it at the
+start of a new SMTP message. */
+
+freeze_tell_config = freeze_tell;
+
+/* The primary host name may be required for expansion of spool_directory
+and log_file_path, so make sure it is set asap. It is obtained from uname(),
+but if that yields an unqualified value, make a FQDN by using gethostbyname to
+canonize it. Some people like upper case letters in their host names, so we
+don't force the case. */
+
+if (!primary_hostname)
+  {
+  const uschar * hostname;
+  struct utsname uts;
+
+  if (uname(&uts) < 0)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "uname() failed to yield host name");
+  hostname = US uts.nodename;
+
+  if (Ustrchr(hostname, '.') == NULL)
+    {
+    int af = AF_INET;
+    struct hostent *hostdata;
+
+#if HAVE_IPV6
+    if (  !disable_ipv6
+       && (  !dns_ipv4_lookup
+	  || match_isinlist(hostname, CUSS &dns_ipv4_lookup, 0, NULL, NULL,
+	    MCL_DOMAIN, TRUE, NULL) != OK))
+      af = AF_INET6;
+#endif
+
+    for (;;)
+      {
+#if HAVE_IPV6
+# if HAVE_GETIPNODEBYNAME
+        int error_num;
+        hostdata = getipnodebyname(CS hostname, af, 0, &error_num);
+        #else
+        hostdata = gethostbyname2(CS hostname, af);
+# endif
+#else
+      hostdata = gethostbyname(CS hostname);
+#endif
+
+      if (hostdata)
+        { hostname = US hostdata->h_name; break; }
+
+      if (af == AF_INET) break;
+      af = AF_INET;
+      }
+    }
+
+  primary_hostname = string_copy(hostname);
+  }
+
+/* Set up default value for smtp_active_hostname */
+
+smtp_active_hostname = primary_hostname;
+
+/* If spool_directory wasn't set in the build-time configuration, it must have
+got set above. Of course, writing to the log may not work if log_file_path is
+not set, but it will at least get to syslog or somewhere, with any luck. */
+
+if (!*spool_directory)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "spool_directory undefined: cannot "
+    "proceed");
+
+/* Expand the spool directory name; it may, for example, contain the primary
+host name. Same comment about failure. */
+
+if (!(s = expand_string(spool_directory)))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand spool_directory "
+    "\"%s\": %s", spool_directory, expand_string_message);
+spool_directory = s;
+
+/* Expand log_file_path, which must contain "%s" in any component that isn't
+the null string or "syslog". It is also allowed to contain one instance of %D
+or %M. However, it must NOT contain % followed by anything else. */
+
+if (*log_file_path)
+  {
+  const uschar *ss, *sss;
+  int sep = ':';                       /* Fixed for log file path */
+  if (!(s = expand_string(log_file_path)))
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand log_file_path "
+      "\"%s\": %s", log_file_path, expand_string_message);
+
+  ss = s;
+  /* should never be a tainted list */
+  while ((sss = string_nextinlist(&ss, &sep, big_buffer, big_buffer_size)))
+    {
+    uschar *t;
+    if (sss[0] == 0 || Ustrcmp(sss, "syslog") == 0) continue;
+    if (!(t = Ustrstr(sss, "%s")))
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_file_path \"%s\" does not "
+        "contain \"%%s\"", sss);
+    *t = 'X';
+    if ((t = Ustrchr(sss, '%')))
+      if ((t[1] != 'D' && t[1] != 'M') || Ustrchr(t+2, '%') != NULL)
+        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_file_path \"%s\" contains "
+          "unexpected \"%%\" character", s);
+    }
+
+  log_file_path = s;
+  }
+
+/* Interpret syslog_facility into an integer argument for 'ident' param to
+openlog(). Default is LOG_MAIL set in globals.c. Allow the user to omit the
+leading "log_". */
+
+if (syslog_facility_str)
+  {
+  int i;
+  uschar *s = syslog_facility_str;
+
+  if ((Ustrlen(syslog_facility_str) >= 4) &&
+        (strncmpic(syslog_facility_str, US"log_", 4) == 0))
+    s += 4;
+
+  for (i = 0; i < syslog_list_size; i++)
+    if (strcmpic(s, syslog_list[i].name) == 0)
+      {
+      syslog_facility = syslog_list[i].value;
+      break;
+      }
+
+  if (i >= syslog_list_size)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+      "failed to interpret syslog_facility \"%s\"", syslog_facility_str);
+  }
+
+/* Expand pid_file_path */
+
+if (*pid_file_path)
+  {
+  if (!(s = expand_string(pid_file_path)))
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand pid_file_path "
+      "\"%s\": %s", pid_file_path, expand_string_message);
+  pid_file_path = s;
+  }
+
+/* Set default value of process_log_path */
+
+if (!process_log_path || !*process_log_path)
+  process_log_path = string_sprintf("%s/exim-process.info", spool_directory);
+
+/* Compile the regex for matching a UUCP-style "From_" line in an incoming
+message. */
+
+regex_From = regex_must_compile(uucp_from_pattern, FALSE, TRUE);
+
+/* Unpick the SMTP rate limiting options, if set */
+
+if (smtp_ratelimit_mail)
+  unpick_ratelimit(smtp_ratelimit_mail, &smtp_rlm_threshold,
+    &smtp_rlm_base, &smtp_rlm_factor, &smtp_rlm_limit);
+
+if (smtp_ratelimit_rcpt)
+  unpick_ratelimit(smtp_ratelimit_rcpt, &smtp_rlr_threshold,
+    &smtp_rlr_base, &smtp_rlr_factor, &smtp_rlr_limit);
+
+/* The qualify domains default to the primary host name */
+
+if (!qualify_domain_sender)
+  qualify_domain_sender = primary_hostname;
+if (!qualify_domain_recipient)
+  qualify_domain_recipient = qualify_domain_sender;
+
+/* Setting system_filter_user in the configuration sets the gid as well if a
+name is given, but a numerical value does not. */
+
+if (system_filter_uid_set && !system_filter_gid_set)
+  {
+  struct passwd *pw = getpwuid(system_filter_uid);
+  if (!pw)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to look up uid %ld",
+      (long int)system_filter_uid);
+  system_filter_gid = pw->pw_gid;
+  system_filter_gid_set = TRUE;
+  }
+
+/* If the errors_reply_to field is set, check that it is syntactically valid
+and ensure it contains a domain. */
+
+if (errors_reply_to)
+  {
+  uschar *errmess;
+  int start, end, domain;
+  uschar *recipient = parse_extract_address(errors_reply_to, &errmess,
+    &start, &end, &domain, FALSE);
+
+  if (!recipient)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+      "error in errors_reply_to (%s): %s", errors_reply_to, errmess);
+
+  if (!domain)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+      "errors_reply_to (%s) does not contain a domain", errors_reply_to);
+  }
+
+/* If smtp_accept_queue or smtp_accept_max_per_host is set, then
+smtp_accept_max must also be set. */
+
+if (smtp_accept_max == 0 && (smtp_accept_queue > 0 || smtp_accept_max_per_host))
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "smtp_accept_max must be set if smtp_accept_queue or "
+    "smtp_accept_max_per_host is set");
+
+/* Set up the host number if anything is specified. It is an expanded string
+so that it can be computed from the host name, for example. We do this last
+so as to ensure that everything else is set up before the expansion. */
+
+if (host_number_string)
+  {
+  long int n;
+  uschar *end;
+  uschar *s = expand_string(host_number_string);
+
+  if (!s)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+        "failed to expand localhost_number \"%s\": %s",
+        host_number_string, expand_string_message);
+  n = Ustrtol(s, &end, 0);
+  while (isspace(*end)) end++;
+  if (*end)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+      "localhost_number value is not a number: %s", s);
+  if (n > LOCALHOST_MAX)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+      "localhost_number is greater than the maximum allowed value (%d)",
+        LOCALHOST_MAX);
+  host_number = n;
+  }
+
+#ifndef DISABLE_TLS
+/* If tls_verify_hosts is set, tls_verify_certificates must also be set */
+
+if ((tls_verify_hosts || tls_try_verify_hosts) && !tls_verify_certificates)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "tls_%sverify_hosts is set, but tls_verify_certificates is not set",
+    tls_verify_hosts ? "" : "try_");
+
+/* Magic number: at time of writing, 1024 has been the long-standing value
+used by so many clients, and what Exim used to use always, that it makes
+sense to just min-clamp this max-clamp at that. */
+if (tls_dh_max_bits < 1024)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+      "tls_dh_max_bits is too small, must be at least 1024 for interop");
+
+/* If openssl_options is set, validate it */
+if (openssl_options)
+  {
+# ifdef USE_GNUTLS
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "openssl_options is set but we're using GnuTLS");
+# else
+  long dummy;
+  if (!tls_openssl_options_parse(openssl_options, &dummy))
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+      "openssl_options parse error: %s", openssl_options);
+# endif
+  }
+#endif	/*DISABLE_TLS*/
+
+if (!nowarn && !keep_environment && environ && *environ)
+  log_write(0, LOG_MAIN,
+      "Warning: purging the environment.\n"
+      " Suggested action: use keep_environment.");
+}
+
+
+
+/*************************************************
+*          Initialize one driver                 *
+*************************************************/
+
+/* This is called once the driver's generic options, if any, have been read.
+We can now find the driver, set up defaults for the private options, and
+unset any "set" bits in the private options table (which might have been
+set by another incarnation of the same driver).
+
+Arguments:
+  d                   pointer to driver instance block, with generic
+                        options filled in
+  drivers_available   vector of available drivers
+  size_of_info        size of each block in drivers_available
+  class               class of driver, for error message
+
+Returns:              pointer to the driver info block
+*/
+
+static driver_info *
+init_driver(driver_instance *d, driver_info *drivers_available,
+  int size_of_info, uschar *class)
+{
+for (driver_info * dd = drivers_available; dd->driver_name[0] != 0;
+     dd = (driver_info *)((US dd) + size_of_info))
+  if (Ustrcmp(d->driver_name, dd->driver_name) == 0)
+    {
+    int len = dd->options_len;
+    d->info = dd;
+    d->options_block = store_get_perm(len, FALSE);
+    memcpy(d->options_block, dd->options_block, len);
+    for (int i = 0; i < *(dd->options_count); i++)
+      dd->options[i].type &= ~opt_set;
+    return dd;
+    }
+
+log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+  "%s %s: cannot find %s driver \"%s\"", class, d->name, class, d->driver_name);
+
+return NULL;   /* never obeyed */
+}
+
+
+
+
+static void
+driver_init_fini(driver_instance * d, const uschar * class)
+{
+if (!d->driver_name)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "no driver defined for %s \"%s\"", class, d->name);
+(d->info->init)(d);
+}
+
+
+/*************************************************
+*             Initialize driver list             *
+*************************************************/
+
+/* This function is called for routers, transports, and authentication
+mechanisms. It reads the data from the current point in the configuration file
+up to the end of the section, and sets up a chain of instance blocks according
+to the file's contents. The file will already have been opened by a call to
+readconf_main, and must be left open for subsequent reading of further data.
+
+Any errors cause a panic crash. Note that the blocks with names driver_info and
+driver_instance must map the first portions of all the _info and _instance
+blocks for this shared code to work.
+
+Arguments:
+  class                      "router", "transport", or "authenticator"
+  anchor                     &routers, &transports, &auths
+  drivers_available          available drivers
+  size_of_info               size of each info block
+  instance_default           points to default data for an instance
+  instance_size              size of instance block
+  driver_optionlist          generic option list
+  driver_optionlist_count    count of generic option list
+
+Returns:                     nothing
+*/
+
+void
+readconf_driver_init(
+  uschar *class,
+  driver_instance **anchor,
+  driver_info *drivers_available,
+  int size_of_info,
+  void *instance_default,
+  int  instance_size,
+  optionlist *driver_optionlist,
+  int  driver_optionlist_count)
+{
+driver_instance **p = anchor;
+driver_instance *d = NULL;
+uschar *buffer;
+
+while ((buffer = get_config_line()))
+  {
+  uschar name[EXIM_DRIVERNAME_MAX];
+  uschar *s;
+
+  /* Read the first name on the line and test for the start of a new driver. A
+  macro definition indicates the end of the previous driver. If this isn't the
+  start of a new driver, the line will be re-read. */
+
+  s = readconf_readname(name, sizeof(name), buffer);
+
+  /* Handle macro definition, first finishing off the initialization of the
+  previous driver, if any. */
+
+  if (isupper(*name) && *s == '=')
+    {
+    if (d)
+      {
+      /* s is using big_buffer, so this call had better not */
+      driver_init_fini(d, class);
+      d = NULL;
+      }
+    if (!macro_read_assignment(buffer)) exim_exit(EXIT_FAILURE);
+    continue;
+    }
+
+  /* If the line starts with a name terminated by a colon, we are at the
+  start of the definition of a new driver. The rest of the line must be
+  blank. */
+
+  if (*s++ == ':')
+    {
+    /* Finish off initializing the previous driver. */
+
+    if (d)
+      driver_init_fini(d, class);
+
+    /* Check that we haven't already got a driver of this name */
+
+    for (d = *anchor; d; d = d->next)
+      if (Ustrcmp(name, d->name) == 0)
+        log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+          "there are two %ss called \"%s\"", class, name);
+
+    /* Set up a new driver instance data block on the chain, with
+    its default values installed. */
+
+    d = store_get_perm(instance_size, FALSE);
+    memcpy(d, instance_default, instance_size);
+    *p = d;
+    p = &d->next;
+    d->name = string_copy(name);
+    d->srcfile = config_filename;
+    d->srcline = config_lineno; 
+
+    /* Clear out the "set" bits in the generic options */
+
+    for (int i = 0; i < driver_optionlist_count; i++)
+      driver_optionlist[i].type &= ~opt_set;
+
+    /* Check nothing more on this line, then do the next loop iteration. */
+
+    Uskip_whitespace(&s);
+    if (*s) extra_chars_error(s, US"driver name ", name, US"");
+    continue;
+    }
+
+  /* Not the start of a new driver. Give an error if we have not set up a
+  current driver yet. */
+
+  if (!d)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "%s name missing", class);
+
+  /* First look to see if this is a generic option; if it is "driver",
+  initialize the driver. If is it not a generic option, we can look for a
+  private option provided that the driver has been previously set up. */
+
+  if (readconf_handle_option(buffer, driver_optionlist,
+        driver_optionlist_count, d, NULL))
+    {
+    if (!d->info && d->driver_name)
+      init_driver(d, drivers_available, size_of_info, class);
+    }
+
+  /* Handle private options - pass the generic block because some may
+  live therein. A flag with each option indicates if it is in the public
+  block. */
+
+  else if (d->info)
+    readconf_handle_option(buffer, d->info->options,
+      *(d->info->options_count), d, US"option \"%s\" unknown");
+
+  /* The option is not generic and the driver name has not yet been given. */
+
+  else log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "option \"%s\" unknown "
+    "(\"driver\" must be specified before any private options)", name);
+  }
+
+/* Run the initialization function for the final driver. */
+
+if (d)
+  driver_init_fini(d, class);
+}
+
+
+
+/*************************************************
+*            Check driver dependency             *
+*************************************************/
+
+/* This function is passed a driver instance and a string. It checks whether
+any of the string options for the driver contains the given string as an
+expansion variable.
+
+Arguments:
+  d        points to a driver instance block
+  s        the string to search for
+
+Returns:   TRUE if a dependency is found
+*/
+
+BOOL
+readconf_depends(driver_instance *d, uschar *s)
+{
+int count = *(d->info->options_count);
+uschar *ss;
+
+for (optionlist * ol = d->info->options; ol < d->info->options + count; ol++)
+  if ((ol->type & opt_mask) == opt_stringptr)
+    {
+    void * options_block = ol->type & opt_public ? (void *)d : d->options_block;
+    uschar * value = *USS(US options_block + ol->v.offset);
+
+    if (value && (ss = Ustrstr(value, s)) != NULL)
+      {
+      if (ss <= value || (ss[-1] != '$' && ss[-1] != '{') ||
+	isalnum(ss[Ustrlen(s)])) continue;
+      DEBUG(D_transport) debug_printf("driver %s: \"%s\" option depends on %s\n",
+	d->name, ol->name, s);
+      return TRUE;
+      }
+    }
+
+DEBUG(D_transport) debug_printf("driver %s does not depend on %s\n", d->name, s);
+return FALSE;
+}
+
+
+
+
+/*************************************************
+*      Decode an error type for retries          *
+*************************************************/
+
+/* This function is global because it is also called from the main
+program when testing retry information. It decodes strings such as "quota_7d"
+into numerical error codes.
+
+Arguments:
+  pp           points to start of text
+  p            points past end of text
+  basic_errno  points to an int to receive the main error number
+  more_errno   points to an int to receive the secondary error data
+
+Returns:       NULL if decoded correctly; else points to error text
+*/
+
+uschar *
+readconf_retry_error(const uschar *pp, const uschar *p,
+  int *basic_errno, int *more_errno)
+{
+int len;
+const uschar *q = pp;
+while (q < p && *q != '_') q++;
+len = q - pp;
+
+if (len == 5 && strncmpic(pp, US"quota", len) == 0)
+  {
+  *basic_errno = ERRNO_EXIMQUOTA;
+  if (q != p && (*more_errno = readconf_readtime(q+1, *p, FALSE)) < 0)
+      return US"bad time value";
+  }
+
+else if (len == 7 && strncmpic(pp, US"refused", len) == 0)
+  {
+  *basic_errno = ECONNREFUSED;
+  if (q != p)
+    {
+    if (strncmpic(q+1, US"MX", p-q-1) == 0) *more_errno = 'M';
+    else if (strncmpic(q+1, US"A", p-q-1) == 0) *more_errno = 'A';
+    else return US"A or MX expected after \"refused\"";
+    }
+  }
+
+else if (len == 7 && strncmpic(pp, US"timeout", len) == 0)
+  {
+  *basic_errno = ETIMEDOUT;
+  if (q != p)
+    {
+    int i;
+    int xlen = p - q - 1;
+    const uschar *x = q + 1;
+
+    static uschar *extras[] =
+      { US"A", US"MX", US"connect", US"connect_A",  US"connect_MX" };
+    static int values[] =
+      { 'A',   'M',    RTEF_CTOUT,  RTEF_CTOUT|'A', RTEF_CTOUT|'M' };
+
+    for (i = 0; i < nelem(extras); i++)
+      if (strncmpic(x, extras[i], xlen) == 0)
+        {
+        *more_errno = values[i];
+        break;
+        }
+
+    if (i >= nelem(extras))
+      if (strncmpic(x, US"DNS", xlen) == 0)
+        log_write(0, LOG_MAIN|LOG_PANIC, "\"timeout_dns\" is no longer "
+          "available in retry rules (it has never worked) - treated as "
+          "\"timeout\"");
+      else
+        return US"\"A\", \"MX\", or \"connect\" expected after \"timeout\"";
+    }
+  }
+
+else if (strncmpic(pp, US"mail_4", 6) == 0 ||
+         strncmpic(pp, US"rcpt_4", 6) == 0 ||
+         strncmpic(pp, US"data_4", 6) == 0)
+  {
+  BOOL bad = FALSE;
+  int x = 255;                           /* means "any 4xx code" */
+  if (p != pp + 8) bad = TRUE; else
+    {
+    int a = pp[6], b = pp[7];
+    if (isdigit(a))
+      {
+      x = (a - '0') * 10;
+      if (isdigit(b)) x += b - '0';
+      else if (b == 'x') x += 100;
+      else bad = TRUE;
+      }
+    else if (a != 'x' || b != 'x') bad = TRUE;
+    }
+
+  if (bad)
+    return string_sprintf("%.4s_4 must be followed by xx, dx, or dd, where "
+      "x is literal and d is any digit", pp);
+
+  *basic_errno = *pp == 'm' ? ERRNO_MAIL4XX :
+                 *pp == 'r' ? ERRNO_RCPT4XX : ERRNO_DATA4XX;
+  *more_errno = x << 8;
+  }
+
+else if (len == 4 && strncmpic(pp, US"auth", len) == 0 &&
+         strncmpic(q+1, US"failed", p-q-1) == 0)
+  *basic_errno = ERRNO_AUTHFAIL;
+
+else if (strncmpic(pp, US"lost_connection", p - pp) == 0)
+  *basic_errno = ERRNO_SMTPCLOSED;
+
+else if (strncmpic(pp, US"tls_required", p - pp) == 0)
+  *basic_errno = ERRNO_TLSREQUIRED;
+
+else if (strncmpic(pp, US"lookup", p - pp) == 0)
+  *basic_errno = ERRNO_UNKNOWNHOST;
+
+else if (len != 1 || Ustrncmp(pp, "*", 1) != 0)
+  return string_sprintf("unknown or malformed retry error \"%.*s\"", (int) (p-pp), pp);
+
+return NULL;
+}
+
+
+
+
+/*************************************************
+*                Read retry information          *
+*************************************************/
+
+/* Each line of retry information contains:
+
+.  A domain name pattern or an address pattern;
+
+.  An error name, possibly with additional data, or *;
+
+.  An optional sequence of retry items, each consisting of an identifying
+   letter, a cutoff time, and optional parameters.
+
+All this is decoded and placed into a control block. */
+
+
+/* Subroutine to read an argument, preceded by a comma and terminated
+by comma, semicolon, whitespace, or newline. The types are: 0 = time value,
+1 = fixed point number (returned *1000).
+
+Arguments:
+  paddr     pointer to pointer to current character; updated
+  type      0 => read a time; 1 => read a fixed point number
+
+Returns:    time in seconds or fixed point number * 1000
+*/
+
+static int
+retry_arg(const uschar **paddr, int type)
+{
+const uschar *p = *paddr;
+const uschar *pp;
+
+if (*p++ != ',') log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "comma expected");
+
+Uskip_whitespace(&p);
+pp = p;
+while (isalnum(*p) || (type == 1 && *p == '.')) p++;
+
+if (*p != 0 && !isspace(*p) && *p != ',' && *p != ';')
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "comma or semicolon expected");
+
+*paddr = p;
+switch (type)
+  {
+  case 0: return readconf_readtime(pp, *p, FALSE);
+  case 1: return readconf_readfixed(pp, *p);
+  }
+return 0;    /* Keep picky compilers happy */
+}
+
+/* The function proper */
+
+void
+readconf_retries(void)
+{
+retry_config **chain = &retries;
+retry_config *next;
+const uschar *p;
+
+while ((p = get_config_line()))
+  {
+  retry_rule **rchain;
+  const uschar *pp;
+  uschar *error;
+
+  next = store_get(sizeof(retry_config), GET_UNTAINTED);
+  next->next = NULL;
+  *chain = next;
+  chain = &(next->next);
+  next->basic_errno = next->more_errno = 0;
+  next->senders = NULL;
+  next->rules = NULL;
+  rchain = &(next->rules);
+
+  next->pattern = string_dequote(&p);
+  Uskip_whitespace(&p);
+  pp = p;
+  while (mac_isgraph(*p)) p++;
+  if (p - pp <= 0) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+    "missing error type in retry rule");
+
+  /* Test error names for things we understand. */
+
+  if ((error = readconf_retry_error(pp, p, &next->basic_errno,
+       &next->more_errno)))
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "%s", error);
+
+  /* There may be an optional address list of senders to be used as another
+  constraint on the rule. This was added later, so the syntax is a bit of a
+  fudge. Anything that is not a retry rule starting "F," or "G," is treated as
+  an address list. */
+
+  Uskip_whitespace(&p);
+  if (Ustrncmp(p, "senders", 7) == 0)
+    {
+    p += 7;
+    Uskip_whitespace(&p);
+    if (*p++ != '=') log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+      "\"=\" expected after \"senders\" in retry rule");
+    Uskip_whitespace(&p);
+    next->senders = string_dequote(&p);
+    }
+
+  /* Now the retry rules. Keep the maximum timeout encountered. */
+
+  Uskip_whitespace(&p);
+
+  while (*p)
+    {
+    retry_rule * rule = store_get(sizeof(retry_rule), GET_UNTAINTED);
+    *rchain = rule;
+    rchain = &(rule->next);
+    rule->next = NULL;
+    rule->rule = toupper(*p++);
+    rule->timeout = retry_arg(&p, 0);
+    if (rule->timeout > retry_maximum_timeout)
+      retry_maximum_timeout = rule->timeout;
+
+    switch (rule->rule)
+      {
+      case 'F':   /* Fixed interval */
+	rule->p1 = retry_arg(&p, 0);
+	break;
+
+      case 'G':   /* Geometrically increasing intervals */
+      case 'H':   /* Ditto, but with randomness */
+	rule->p1 = retry_arg(&p, 0);
+	rule->p2 = retry_arg(&p, 1);
+	break;
+
+      default:
+	log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "unknown retry rule letter");
+	break;
+      }
+
+    if (rule->timeout <= 0 || rule->p1 <= 0 ||
+          (rule->rule != 'F' && rule->p2 < 1000))
+      log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+        "bad parameters for retry rule");
+
+    if (Uskip_whitespace(&p) == ';')
+      {
+      p++;
+      Uskip_whitespace(&p);
+      }
+    else if (*p)
+      log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "semicolon expected");
+    }
+  }
+}
+
+
+
+/*************************************************
+*         Initialize authenticators              *
+*************************************************/
+
+/* Read the authenticators section of the configuration file.
+
+Arguments:   none
+Returns:     nothing
+*/
+
+static void
+auths_init(void)
+{
+#ifndef DISABLE_PIPE_CONNECT
+int nauths = 0;
+#endif
+
+readconf_driver_init(US"authenticator",
+  (driver_instance **)(&auths),      /* chain anchor */
+  (driver_info *)auths_available,    /* available drivers */
+  sizeof(auth_info),                 /* size of info block */
+  &auth_defaults,                    /* default values for generic options */
+  sizeof(auth_instance),             /* size of instance block */
+  optionlist_auths,                  /* generic options */
+  optionlist_auths_size);
+
+for (auth_instance * au = auths; au; au = au->next)
+  {
+  if (!au->public_name)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "no public name specified for "
+      "the %s authenticator", au->name);
+
+  for (auth_instance * bu = au->next; bu; bu = bu->next)
+    if (strcmpic(au->public_name, bu->public_name) == 0)
+      if (  au->client && bu->client
+	 || au->server && bu->server)
+        log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "two %s authenticators "
+          "(%s and %s) have the same public name (%s)",
+          au->client && bu->client ? US"client" : US"server",
+	  au->name, bu->name, au->public_name);
+#ifndef DISABLE_PIPE_CONNECT
+  nauths++;
+#endif
+  }
+#ifndef DISABLE_PIPE_CONNECT
+f.smtp_in_early_pipe_no_auth = nauths > 16;
+#endif
+}
+
+
+/* For error messages, a string describing the config location associated
+with current processing.  NULL if we are not in an authenticator. */
+
+uschar *
+authenticator_current_name(void)
+{
+if (!authenticator_name) return NULL;
+return string_sprintf(" (authenticator %s, %s %d)", authenticator_name, driver_srcfile, driver_srcline);
+}
+
+
+
+
+
+/*************************************************
+*             Read ACL information               *
+*************************************************/
+
+/* If this run of Exim is not doing something that involves receiving a
+message, we can just skip over the ACL information. No need to parse it.
+
+First, we have a function for acl_read() to call back to get the next line. We
+need to remember the line we passed, because at the end it will contain the
+name of the next ACL. */
+
+static uschar *acl_line;
+
+static uschar *
+acl_callback(void)
+{
+acl_line = get_config_line();
+return acl_line;
+}
+
+
+/* Now the main function:
+
+Arguments:    none
+Returns:      nothing
+*/
+
+static void
+readconf_acl(void)
+{
+uschar *p;
+
+/* Read each ACL and add it into the tree. Macro (re)definitions are allowed
+between ACLs. */
+
+acl_line = get_config_line();
+
+while(acl_line)
+  {
+  uschar name[EXIM_DRIVERNAME_MAX];
+  tree_node *node;
+  uschar *error;
+
+  p = readconf_readname(name, sizeof(name), acl_line);
+  if (isupper(*name) && *p == '=')
+    {
+    if (!macro_read_assignment(acl_line)) exim_exit(EXIT_FAILURE);
+    acl_line = get_config_line();
+    continue;
+    }
+
+  if (*p != ':' || name[0] == 0)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "missing or malformed ACL name");
+
+  node = store_get_perm(sizeof(tree_node) + Ustrlen(name), name);
+  Ustrcpy(node->name, name);
+  if (!tree_insertnode(&acl_anchor, node))
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+      "there are two ACLs called \"%s\"", name);
+
+  node->data.ptr = acl_read(acl_callback, &error);
+
+  if (node->data.ptr == NULL && error != NULL)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "error in ACL: %s", error);
+  }
+}
+
+
+
+/*************************************************
+*     Read configuration for local_scan()        *
+*************************************************/
+
+/* This function is called after "begin local_scan" is encountered in the
+configuration file. If the local_scan() function allows for configuration
+options, we can process them. Otherwise, we expire in a panic.
+
+Arguments:  none
+Returns:    nothing
+*/
+
+static void
+local_scan_init(void)
+{
+#ifndef LOCAL_SCAN_HAS_OPTIONS
+log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "local_scan() options not supported: "
+  "(LOCAL_SCAN_HAS_OPTIONS not defined in Local/Makefile)");
+#else
+
+uschar *p;
+while ((p = get_config_line()))
+  (void) readconf_handle_option(p, local_scan_options, local_scan_options_count,
+    NULL, US"local_scan option \"%s\" unknown");
+#endif
+}
+
+
+
+/*************************************************
+*     Read rest of configuration (after main)    *
+*************************************************/
+
+/* This function reads the rest of the runtime configuration, after the main
+configuration. It is called only when actually needed. Each subsequent section
+of the configuration starts with a line of the form
+
+  begin name
+
+where the name is "routers", "transports", etc. A section is terminated by
+hitting the next "begin" line, and the next name is left in next_section.
+Because it may confuse people as to whether the names are singular or plural,
+we add "s" if it's missing. There is always enough room in next_section for
+this. This function is basically just a switch.
+
+Arguments:   none
+Returns:     nothing
+*/
+
+static uschar *section_list[] = {
+  US"acls",
+  US"authenticators",
+  US"local_scans",
+  US"retrys",
+  US"rewrites",
+  US"routers",
+  US"transports"};
+
+void
+readconf_rest(void)
+{
+int had = 0;
+
+while(next_section[0] != 0)
+  {
+  int bit;
+  int first = 0;
+  int last = nelem(section_list);
+  int mid = last/2;
+  int n = Ustrlen(next_section);
+
+  if (tolower(next_section[n-1]) != 's') Ustrcpy(next_section+n, US"s");
+
+  for (;;)
+    {
+    int c = strcmpic(next_section, section_list[mid]);
+    if (c == 0) break;
+    if (c > 0) first = mid + 1; else last = mid;
+    if (first >= last)
+      log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+        "\"%.*s\" is not a known configuration section name", n, next_section);
+    mid = (last + first)/2;
+    }
+
+  bit = 1 << mid;
+  if (((had ^= bit) & bit) == 0)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+      "\"%.*s\" section is repeated in the configuration file", n,
+        next_section);
+
+  switch(mid)
+    {
+    case 0: readconf_acl(); break;
+    case 1: auths_init(); break;
+    case 2: local_scan_init(); break;
+    case 3: readconf_retries(); break;
+    case 4: readconf_rewrites(); break;
+    case 5: route_init(); break;
+    case 6: transport_init(); break;
+    }
+  }
+
+(void)fclose(config_file);
+}
+
+/* Init the storage for the pre-parsed config lines */
+void
+readconf_save_config(const uschar *s)
+{
+save_config_line(string_sprintf("# Exim Configuration (%s)",
+  f.running_in_test_harness ? US"X" : s));
+}
+
+static void
+save_config_position(const uschar *file, int line)
+{
+save_config_line(string_sprintf("# %d \"%s\"", line, file));
+}
+
+/* Append a pre-parsed logical line to the config lines store,
+this operates on a global (static) list that holds all the pre-parsed
+config lines, we do no further processing here, output formatting and
+honouring of <hide> or macros will be done during output */
+
+static void
+save_config_line(const uschar* line)
+{
+static config_line_item *current;
+config_line_item *next;
+
+next = (config_line_item*) store_get(sizeof(config_line_item), GET_UNTAINTED);
+next->line = string_copy(line);
+next->next = NULL;
+
+if (!config_lines) config_lines = next;
+else current->next = next;
+
+current = next;
+}
+
+/* List the parsed config lines, care about nice formatting and
+hide the <hide> values unless we're the admin user */
+void
+print_config(BOOL admin, BOOL terse)
+{
+const int TS = terse ? 0 : 2;
+int indent = 0;
+rmark r = NULL;
+
+for (const config_line_item * i = config_lines; i; i = i->next)
+  {
+  uschar * current, * p;
+
+  if (r) store_reset(r);
+  r = store_mark();
+
+  /* skip over to the first non-space */
+  for (current = string_copy(i->line); *current && isspace(*current); ++current)
+    ;
+
+  if (!*current)
+    continue;
+
+  /* Collapse runs of spaces. We stop this if we encounter one of the
+  following characters: "'$, as this may indicate careful formatting */
+
+  for (p = current; *p; p++) if (isspace(*p))
+    {
+    uschar *next;
+    if (*p != ' ') *p = ' ';
+
+    for (next = p; isspace(*next); ++next)
+      ;
+
+    if (next - p > 1)
+      memmove(p+1, next, Ustrlen(next)+1);
+
+    if (*next == '"' || *next == '\'' || *next == '$')
+      break;
+    }
+
+  /* # lines */
+  if (current[0] == '#')
+    puts(CCS current);
+
+  /* begin lines are left aligned */
+  else if (Ustrncmp(current, "begin", 5) == 0 && isspace(current[5]))
+    {
+    if (!terse) puts("");
+    puts(CCS current);
+    indent = TS;
+    }
+
+  /* router/acl/transport block names */
+  else if (current[Ustrlen(current)-1] == ':' && !Ustrchr(current, '='))
+    {
+    if (!terse) puts("");
+    printf("%*s%s\n", TS, "", current);
+    indent = 2 * TS;
+    }
+
+  /* hidden lines (all MACROS or lines prefixed with "hide") */
+  else if (  !admin
+	  && (  isupper(*current)
+	     || Ustrncmp(current, "hide", 4) == 0 && isspace(current[4])
+	     )
+	  )
+    {
+    if ((p = Ustrchr(current, '=')))
+      {
+      *p = '\0';
+      printf("%*s%s= %s\n", indent, "", current, CCS hidden);
+      }
+    /* e.g.: hide split_spool_directory */
+    else
+      printf("%*s\n", indent, CCS hidden);
+    }
+
+  else
+    /* rest is public */
+    printf("%*s%s\n", indent, "", current);
+  }
+if (r) store_reset(r);
+}
+
+#endif	/*!MACRO_PREDEF*/
+/* vi: aw ai sw=2
+*/
+/* End of readconf.c */
diff --git a/src/receive.c b/src/receive.c
new file mode 100644
index 0000000..0a27c79
--- /dev/null
+++ b/src/receive.c
@@ -0,0 +1,4528 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Code for receiving a message and setting up spool files. */
+
+#include "exim.h"
+#include <setjmp.h>
+
+#ifdef EXPERIMENTAL_DCC
+extern int dcc_ok;
+#endif
+
+#ifdef SUPPORT_DMARC
+# include "dmarc.h"
+#endif
+
+/*************************************************
+*                Local static variables          *
+*************************************************/
+
+static int     data_fd = -1;
+static uschar *spool_name = US"";
+
+enum CH_STATE {LF_SEEN, MID_LINE, CR_SEEN};
+
+#ifdef HAVE_LOCAL_SCAN
+jmp_buf local_scan_env;		/* error-handling context for local_scan */
+unsigned had_local_scan_crash;
+unsigned had_local_scan_timeout;
+#endif
+
+
+/*************************************************
+*      Non-SMTP character reading functions      *
+*************************************************/
+
+/* These are the default functions that are set up in the variables such as
+receive_getc initially. They just call the standard functions, passing stdin as
+the file. (When SMTP input is occurring, different functions are used by
+changing the pointer variables.) */
+
+uschar stdin_buf[4096];
+uschar * stdin_inptr = stdin_buf;
+uschar * stdin_inend = stdin_buf;
+
+static BOOL
+stdin_refill(void)
+{
+size_t rc = fread(stdin_buf, 1, sizeof(stdin_buf), stdin);
+if (rc <= 0)
+  {
+  if (had_data_timeout)
+    {
+    fprintf(stderr, "exim: timed out while reading - message abandoned\n");
+    log_write(L_lost_incoming_connection,
+	      LOG_MAIN, "timed out while reading local message");
+    receive_bomb_out(US"data-timeout", NULL);   /* Does not return */
+    }
+  if (had_data_sigint)
+    {
+    if (filter_test == FTEST_NONE)
+      {
+      fprintf(stderr, "\nexim: %s received - message abandoned\n",
+	had_data_sigint == SIGTERM ? "SIGTERM" : "SIGINT");
+      log_write(0, LOG_MAIN, "%s received while reading local message",
+	had_data_sigint == SIGTERM ? "SIGTERM" : "SIGINT");
+      }
+    receive_bomb_out(US"signal-exit", NULL);    /* Does not return */
+    }
+  return FALSE;
+  }
+stdin_inend = stdin_buf + rc;
+stdin_inptr = stdin_buf;
+return TRUE;
+}
+
+int
+stdin_getc(unsigned lim)
+{
+if (stdin_inptr >= stdin_inend)
+  if (!stdin_refill())
+      return EOF;
+return *stdin_inptr++;
+}
+
+
+BOOL
+stdin_hasc(void)
+{
+return stdin_inptr < stdin_inend;
+}
+
+int
+stdin_ungetc(int c)
+{
+if (stdin_inptr <= stdin_buf)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in stdin_ungetc");
+
+*--stdin_inptr = c;
+return c;
+}
+
+int
+stdin_feof(void)
+{
+return stdin_hasc() ? FALSE : feof(stdin);
+}
+
+int
+stdin_ferror(void)
+{
+return ferror(stdin);
+}
+
+
+
+
+/*************************************************
+*     Check that a set sender is allowed         *
+*************************************************/
+
+/* This function is called when a local caller sets an explicit sender address.
+It checks whether this is permitted, which it is for trusted callers.
+Otherwise, it must match the pattern(s) in untrusted_set_sender.
+
+Arguments:  the proposed sender address
+Returns:    TRUE for a trusted caller
+            TRUE if the address has been set, untrusted_set_sender has been
+              set, and the address matches something in the list
+            FALSE otherwise
+*/
+
+BOOL
+receive_check_set_sender(uschar *newsender)
+{
+uschar *qnewsender;
+if (f.trusted_caller) return TRUE;
+if (!newsender || !untrusted_set_sender) return FALSE;
+qnewsender = Ustrchr(newsender, '@')
+  ? newsender : string_sprintf("%s@%s", newsender, qualify_domain_sender);
+return match_address_list_basic(qnewsender, CUSS &untrusted_set_sender, 0) == OK;
+}
+
+
+
+
+/*************************************************
+*          Read space info for a partition       *
+*************************************************/
+
+/* This function is called by receive_check_fs() below, and also by string
+expansion for variables such as $spool_space. The field names for the statvfs
+structure are macros, because not all OS have F_FAVAIL and it seems tidier to
+have macros for F_BAVAIL and F_FILES as well. Some kinds of file system do not
+have inodes, and they return -1 for the number available.
+
+Later: It turns out that some file systems that do not have the concept of
+inodes return 0 rather than -1. Such systems should also return 0 for the total
+number of inodes, so we require that to be greater than zero before returning
+an inode count.
+
+Arguments:
+  isspool       TRUE for spool partition, FALSE for log partition
+  inodeptr      address of int to receive inode count; -1 if there isn't one
+
+Returns:        available on-root space, in kilobytes
+                -1 for log partition if there isn't one
+
+All values are -1 if the STATFS functions are not available.
+*/
+
+int_eximarith_t
+receive_statvfs(BOOL isspool, int *inodeptr)
+{
+#ifdef HAVE_STATFS
+struct STATVFS statbuf;
+struct stat dummy;
+uschar *path;
+uschar *name;
+uschar buffer[1024];
+
+/* The spool directory must always exist. */
+
+if (isspool)
+  {
+  path = spool_directory;
+  name = US"spool";
+  }
+
+/* Need to cut down the log file path to the directory, and to ignore any
+appearance of "syslog" in it. */
+
+else
+  {
+  int sep = ':';              /* Not variable - outside scripts use */
+  const uschar *p = log_file_path;
+  name = US"log";
+
+  /* An empty log_file_path means "use the default". This is the same as an
+  empty item in a list. */
+
+  if (*p == 0) p = US":";
+  /* should never be a tainted list */
+  while ((path = string_nextinlist(&p, &sep, buffer, sizeof(buffer))))
+    if (Ustrcmp(path, "syslog") != 0)
+      break;
+
+  if (path == NULL)  /* No log files */
+    {
+    *inodeptr = -1;
+    return -1;
+    }
+
+  /* An empty string means use the default, which is in the spool directory.
+  But don't just use the spool directory, as it is possible that the log
+  subdirectory has been symbolically linked elsewhere. */
+
+  if (path[0] == 0)
+    {
+    sprintf(CS buffer, CS"%s/log", CS spool_directory);
+    path = buffer;
+    }
+  else
+    {
+    uschar *cp;
+    if ((cp = Ustrrchr(path, '/')) != NULL) *cp = 0;
+    }
+  }
+
+/* We now have the path; do the business */
+
+memset(&statbuf, 0, sizeof(statbuf));
+
+if (STATVFS(CS path, &statbuf) != 0)
+  if (stat(CS path, &dummy) == -1 && errno == ENOENT)
+    {				/* Can happen on first run after installation */
+    *inodeptr = -1;
+    return -1;
+    }
+  else
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "cannot accept message: failed to stat "
+      "%s directory %s: %s", name, path, strerror(errno));
+    smtp_closedown(US"spool or log directory problem");
+    exim_exit(EXIT_FAILURE);
+    }
+
+*inodeptr = (statbuf.F_FILES > 0)? statbuf.F_FAVAIL : -1;
+
+/* Disks are getting huge. Take care with computing the size in kilobytes. */
+
+return (int_eximarith_t)(((double)statbuf.F_BAVAIL * (double)statbuf.F_FRSIZE)/1024.0);
+
+#else
+/* Unable to find partition sizes in this environment. */
+
+*inodeptr = -1;
+return -1;
+#endif
+}
+
+
+
+
+/*************************************************
+*     Check space on spool and log partitions    *
+*************************************************/
+
+/* This function is called before accepting a message; if any thresholds are
+set, it checks them. If a message_size is supplied, it checks that there is
+enough space for that size plus the threshold - i.e. that the message won't
+reduce the space to the threshold. Not all OS have statvfs(); for those that
+don't, this function always returns TRUE. For some OS the old function and
+struct name statfs is used; that is handled by a macro, defined in exim.h.
+
+Arguments:
+  msg_size     the (estimated) size of an incoming message
+
+Returns:       FALSE if there isn't enough space, or if the information cannot
+                 be obtained
+               TRUE if no check was done or there is enough space
+*/
+
+BOOL
+receive_check_fs(int msg_size)
+{
+int_eximarith_t space;
+int inodes;
+
+if (check_spool_space > 0 || msg_size > 0 || check_spool_inodes > 0)
+  {
+  space = receive_statvfs(TRUE, &inodes);
+
+  DEBUG(D_receive)
+    debug_printf("spool directory space = " PR_EXIM_ARITH "K inodes = %d "
+      "check_space = " PR_EXIM_ARITH "K inodes = %d msg_size = %d\n",
+      space, inodes, check_spool_space, check_spool_inodes, msg_size);
+
+  if (  space >= 0 && space + msg_size / 1024 < check_spool_space
+     || inodes >= 0 && inodes < check_spool_inodes)
+    {
+    log_write(0, LOG_MAIN, "spool directory space check failed: space="
+      PR_EXIM_ARITH " inodes=%d", space, inodes);
+    return FALSE;
+    }
+  }
+
+if (check_log_space > 0 || check_log_inodes > 0)
+  {
+  space = receive_statvfs(FALSE, &inodes);
+
+  DEBUG(D_receive)
+    debug_printf("log directory space = " PR_EXIM_ARITH "K inodes = %d "
+      "check_space = " PR_EXIM_ARITH "K inodes = %d\n",
+      space, inodes, check_log_space, check_log_inodes);
+
+  if (  space >= 0 && space < check_log_space
+     || inodes >= 0 && inodes < check_log_inodes)
+    {
+    log_write(0, LOG_MAIN, "log directory space check failed: space=" PR_EXIM_ARITH
+      " inodes=%d", space, inodes);
+    return FALSE;
+    }
+  }
+
+return TRUE;
+}
+
+
+
+/*************************************************
+*         Bomb out while reading a message       *
+*************************************************/
+
+/* The common case of wanting to bomb out is if a SIGTERM or SIGINT is
+received, or if there is a timeout. A rarer case might be if the log files are
+screwed up and Exim can't open them to record a message's arrival. Handling
+that case is done by setting a flag to cause the log functions to call this
+function if there is an ultimate disaster. That is why it is globally
+accessible.
+
+Arguments:
+  reason     text reason to pass to the not-quit ACL
+  msg        default SMTP response to give if in an SMTP session
+Returns:     it doesn't
+*/
+
+void
+receive_bomb_out(uschar *reason, uschar *msg)
+{
+  static BOOL already_bombing_out;
+/* The smtp_notquit_exit() below can call ACLs which can trigger recursive
+timeouts, if someone has something slow in their quit ACL.  Since the only
+things we should be doing are to close down cleanly ASAP, on the second
+pass we also close down stuff that might be opened again, before bypassing
+the ACL call and exiting. */
+
+/* If spool_name is set, it contains the name of the data file that is being
+written. Unlink it before closing so that it cannot be picked up by a delivery
+process. Ensure that any header file is also removed. */
+
+if (spool_name[0] != '\0')
+  {
+  Uunlink(spool_name);
+  spool_name[Ustrlen(spool_name) - 1] = 'H';
+  Uunlink(spool_name);
+  spool_name[0] = '\0';
+  }
+
+/* Now close the file if it is open, either as a fd or a stream. */
+
+if (spool_data_file)
+  {
+  (void)fclose(spool_data_file);
+  spool_data_file = NULL;
+  }
+else if (data_fd >= 0)
+  {
+  (void)close(data_fd);
+  data_fd = -1;
+  }
+
+/* Attempt to close down an SMTP connection tidily. For non-batched SMTP, call
+smtp_notquit_exit(), which runs the NOTQUIT ACL, if present, and handles the
+SMTP response. */
+
+if (!already_bombing_out)
+  {
+  already_bombing_out = TRUE;
+  if (smtp_input)
+    {
+    if (smtp_batched_input)
+      moan_smtp_batch(NULL, "421 %s - message abandoned", msg);  /* No return */
+    smtp_notquit_exit(reason, US"421", US"%s %s - closing connection.",
+      smtp_active_hostname, msg);
+    }
+  }
+
+/* Exit from the program (non-BSMTP cases) */
+
+exim_exit(EXIT_FAILURE);
+}
+
+
+/*************************************************
+*              Data read timeout                 *
+*************************************************/
+
+/* Handler function for timeouts that occur while reading the data that
+comprises a message.
+
+Argument:  the signal number
+Returns:   nothing
+*/
+
+static void
+data_timeout_handler(int sig)
+{
+had_data_timeout = sig;
+}
+
+
+
+#ifdef HAVE_LOCAL_SCAN
+/*************************************************
+*              local_scan() timeout              *
+*************************************************/
+
+/* Handler function for timeouts that occur while running a local_scan()
+function.  Posix recommends against calling longjmp() from a signal-handler,
+but the GCC manual says you can so we will, and trust that it's better than
+calling probably non-signal-safe funxtions during logging from within the
+handler, even with other compilers.
+
+See also https://cwe.mitre.org/data/definitions/745.html which also lists
+it as unsafe.
+
+This is all because we have no control over what might be written for a
+local-scan function, so cannot sprinkle had-signal checks after each
+call-site.  At least with the default "do-nothing" function we won't
+ever get here.
+
+Argument:  the signal number
+Returns:   nothing
+*/
+
+static void
+local_scan_timeout_handler(int sig)
+{
+had_local_scan_timeout = sig;
+siglongjmp(local_scan_env, 1);
+}
+
+
+
+/*************************************************
+*            local_scan() crashed                *
+*************************************************/
+
+/* Handler function for signals that occur while running a local_scan()
+function.
+
+Argument:  the signal number
+Returns:   nothing
+*/
+
+static void
+local_scan_crash_handler(int sig)
+{
+had_local_scan_crash = sig;
+siglongjmp(local_scan_env, 1);
+}
+
+#endif /*HAVE_LOCAL_SCAN*/
+
+
+/*************************************************
+*           SIGTERM or SIGINT received           *
+*************************************************/
+
+/* Handler for SIGTERM or SIGINT signals that occur while reading the
+data that comprises a message.
+
+Argument:  the signal number
+Returns:   nothing
+*/
+
+static void
+data_sigterm_sigint_handler(int sig)
+{
+had_data_sigint = sig;
+}
+
+
+
+/*************************************************
+*          Add new recipient to list             *
+*************************************************/
+
+/* This function builds a list of recipient addresses in argc/argv
+format.
+
+Arguments:
+  recipient   the next address to add to recipients_list
+  pno         parent number for fixed aliases; -1 otherwise
+
+Returns:      nothing
+*/
+
+void
+receive_add_recipient(uschar *recipient, int pno)
+{
+if (recipients_count >= recipients_list_max)
+  {
+  recipient_item *oldlist = recipients_list;
+  int oldmax = recipients_list_max;
+
+  const int safe_recipients_limit = INT_MAX / 2 / sizeof(recipient_item);
+  if (recipients_list_max < 0 || recipients_list_max >= safe_recipients_limit)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Too many recipients: %d", recipients_list_max);
+    }
+
+  recipients_list_max = recipients_list_max ? 2*recipients_list_max : 50;
+  recipients_list = store_get(recipients_list_max * sizeof(recipient_item), GET_UNTAINTED);
+  if (oldlist)
+    memcpy(recipients_list, oldlist, oldmax * sizeof(recipient_item));
+  }
+
+recipients_list[recipients_count].address = recipient;
+recipients_list[recipients_count].pno = pno;
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+recipients_list[recipients_count].bmi_optin = bmi_current_optin;
+/* reset optin string pointer for next recipient */
+bmi_current_optin = NULL;
+#endif
+recipients_list[recipients_count].orcpt = NULL;
+recipients_list[recipients_count].dsn_flags = 0;
+recipients_list[recipients_count++].errors_to = NULL;
+}
+
+
+
+
+/*************************************************
+*        Send user response message              *
+*************************************************/
+
+/* This function is passed a default response code and a user message. It calls
+smtp_message_code() to check and possibly modify the response code, and then
+calls smtp_respond() to transmit the response. I put this into a function
+just to avoid a lot of repetition.
+
+Arguments:
+  code         the response code
+  user_msg     the user message
+
+Returns:       nothing
+*/
+
+#ifndef DISABLE_PRDR
+static void
+smtp_user_msg(uschar *code, uschar *user_msg)
+{
+int len = 3;
+smtp_message_code(&code, &len, &user_msg, NULL, TRUE);
+smtp_respond(code, len, TRUE, user_msg);
+}
+#endif
+
+
+
+
+
+/*************************************************
+*        Remove a recipient from the list        *
+*************************************************/
+
+/* This function is provided for local_scan() to use.
+
+Argument:
+  recipient   address to remove
+
+Returns:      TRUE if it did remove something; FALSE otherwise
+*/
+
+BOOL
+receive_remove_recipient(uschar *recipient)
+{
+DEBUG(D_receive) debug_printf("receive_remove_recipient(\"%s\") called\n",
+  recipient);
+for (int count = 0; count < recipients_count; count++)
+  if (Ustrcmp(recipients_list[count].address, recipient) == 0)
+    {
+    if ((--recipients_count - count) > 0)
+      memmove(recipients_list + count, recipients_list + count + 1,
+        (recipients_count - count)*sizeof(recipient_item));
+    return TRUE;
+    }
+return FALSE;
+}
+
+
+
+
+
+/* Pause for a while waiting for input.  If none received in that time,
+close the logfile, if we had one open; then if we wait for a long-running
+datasource (months, in one use-case) log rotation will not leave us holding
+the file copy. */
+
+static void
+log_close_chk(void)
+{
+if (!receive_timeout && !receive_hasc())
+  {
+  struct timeval t;
+  timesince(&t, &received_time);
+  if (t.tv_sec > 30*60)
+    mainlog_close();
+  else
+    if (poll_one_fd(0, POLLIN, (30*60 - t.tv_sec) * 1000) == 0)
+      mainlog_close();
+  }
+}
+
+/*************************************************
+*     Read data portion of a non-SMTP message    *
+*************************************************/
+
+/* This function is called to read the remainder of a message (following the
+header) when the input is not from SMTP - we are receiving a local message on
+a standard input stream. The message is always terminated by EOF, and is also
+terminated by a dot on a line by itself if the flag dot_ends is TRUE. Split the
+two cases for maximum efficiency.
+
+Ensure that the body ends with a newline. This will naturally be the case when
+the termination is "\n.\n" but may not be otherwise. The RFC defines messages
+as "sequences of lines" - this of course strictly applies only to SMTP, but
+deliveries into BSD-type mailbox files also require it. Exim used to have a
+flag for doing this at delivery time, but as it was always set for all
+transports, I decided to simplify things by putting the check here instead.
+
+There is at least one MUA (dtmail) that sends CRLF via this interface, and
+other programs are known to do this as well. Exim used to have a option for
+dealing with this: in July 2003, after much discussion, the code has been
+changed to default to treat any of LF, CRLF, and bare CR as line terminators.
+
+However, for the case when a dot on a line by itself terminates a message, the
+only recognized terminating sequences before and after the dot are LF and CRLF.
+Otherwise, having read EOL . CR, you don't know whether to read another
+character or not.
+
+Internally, in messages stored in Exim's spool files, LF is used as the line
+terminator. Under the new regime, bare CRs will no longer appear in these
+files.
+
+Arguments:
+  fout      a FILE to which to write the message
+
+Returns:    One of the END_xxx values indicating why it stopped reading
+*/
+
+static int
+read_message_data(FILE *fout)
+{
+int ch_state;
+register int ch;
+register int linelength = 0;
+
+/* Handle the case when only EOF terminates the message */
+
+if (!f.dot_ends)
+  {
+  int last_ch = '\n';
+
+  for ( ;
+       log_close_chk(), (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF;
+       last_ch = ch)
+    {
+    if (ch == 0) body_zerocount++;
+    if (last_ch == '\r' && ch != '\n')
+      {
+      if (linelength > max_received_linelength)
+        max_received_linelength = linelength;
+      linelength = 0;
+      if (fputc('\n', fout) == EOF) return END_WERROR;
+      message_size++;
+      body_linecount++;
+      }
+    if (ch == '\r') continue;
+
+    if (fputc(ch, fout) == EOF) return END_WERROR;
+    if (ch == '\n')
+      {
+      if (linelength > max_received_linelength)
+        max_received_linelength = linelength;
+      linelength = 0;
+      body_linecount++;
+      }
+    else linelength++;
+    if (++message_size > thismessage_size_limit) return END_SIZE;
+    }
+
+  if (last_ch != '\n')
+    {
+    if (linelength > max_received_linelength)
+      max_received_linelength = linelength;
+    if (fputc('\n', fout) == EOF) return END_WERROR;
+    message_size++;
+    body_linecount++;
+    }
+
+  return END_EOF;
+  }
+
+/* Handle the case when a dot on a line on its own, or EOF, terminates. */
+
+ch_state = 1;
+
+while (log_close_chk(), (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF)
+  {
+  if (ch == 0) body_zerocount++;
+  switch (ch_state)
+    {
+    case 0:                         /* Normal state (previous char written) */
+    if (ch == '\n')
+      {
+      body_linecount++;
+      if (linelength > max_received_linelength)
+        max_received_linelength = linelength;
+      linelength = -1;
+      ch_state = 1;
+      }
+    else if (ch == '\r')
+      { ch_state = 2; continue; }
+    break;
+
+    case 1:                         /* After written "\n" */
+    if (ch == '.') { ch_state = 3; continue; }
+    if (ch == '\r') { ch_state = 2; continue; }
+    if (ch == '\n') { body_linecount++; linelength = -1; }
+    else ch_state = 0;
+    break;
+
+    case 2:
+    body_linecount++;               /* After unwritten "\r" */
+    if (linelength > max_received_linelength)
+      max_received_linelength = linelength;
+    if (ch == '\n')
+      {
+      ch_state = 1;
+      linelength = -1;
+      }
+    else
+      {
+      if (message_size++, fputc('\n', fout) == EOF) return END_WERROR;
+      if (ch == '\r') continue;
+      ch_state = 0;
+      linelength = 0;
+      }
+    break;
+
+    case 3:                         /* After "\n." (\n written, dot not) */
+    if (ch == '\n') return END_DOT;
+    if (ch == '\r') { ch_state = 4; continue; }
+    message_size++;
+    linelength++;
+    if (fputc('.', fout) == EOF) return END_WERROR;
+    ch_state = 0;
+    break;
+
+    case 4:                         /* After "\n.\r" (\n written, rest not) */
+    if (ch == '\n') return END_DOT;
+    message_size += 2;
+    body_linecount++;
+    if (fputs(".\n", fout) == EOF) return END_WERROR;
+    if (ch == '\r') { ch_state = 2; continue; }
+    ch_state = 0;
+    break;
+    }
+
+  linelength++;
+  if (fputc(ch, fout) == EOF) return END_WERROR;
+  if (++message_size > thismessage_size_limit) return END_SIZE;
+  }
+
+/* Get here if EOF read. Unless we have just written "\n", we need to ensure
+the message ends with a newline, and we must also write any characters that
+were saved up while testing for an ending dot. */
+
+if (ch_state != 1)
+  {
+  static uschar *ends[] = { US"\n", NULL, US"\n", US".\n", US".\n" };
+  if (fputs(CS ends[ch_state], fout) == EOF) return END_WERROR;
+  message_size += Ustrlen(ends[ch_state]);
+  body_linecount++;
+  }
+
+return END_EOF;
+}
+
+
+
+
+/*************************************************
+*      Read data portion of an SMTP message      *
+*************************************************/
+
+/* This function is called to read the remainder of an SMTP message (after the
+headers), or to skip over it when an error has occurred. In this case, the
+output file is passed as NULL.
+
+If any line begins with a dot, that character is skipped. The input should only
+be successfully terminated by CR LF . CR LF unless it is local (non-network)
+SMTP, in which case the CRs are optional, but...
+
+FUDGE: It seems that sites on the net send out messages with just LF
+terminators, despite the warnings in the RFCs, and other MTAs handle this. So
+we make the CRs optional in all cases.
+
+July 2003: Bare CRs cause trouble. We now treat them as line terminators as
+well, so that there are no CRs in spooled messages. However, the message
+terminating dot is not recognized between two bare CRs.
+
+Arguments:
+  fout      a FILE to which to write the message; NULL if skipping
+
+Returns:    One of the END_xxx values indicating why it stopped reading
+*/
+
+static int
+read_message_data_smtp(FILE *fout)
+{
+int ch_state = 0;
+int ch;
+int linelength = 0;
+
+while ((ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF)
+  {
+  if (ch == 0) body_zerocount++;
+  switch (ch_state)
+    {
+    case 0:                             /* After LF or CRLF */
+    if (ch == '.')
+      {
+      ch_state = 3;
+      continue;                         /* Don't ever write . after LF */
+      }
+    ch_state = 1;
+
+    /* Else fall through to handle as normal uschar. */
+
+    case 1:                             /* Normal state */
+    if (ch == '\n')
+      {
+      ch_state = 0;
+      body_linecount++;
+      if (linelength > max_received_linelength)
+        max_received_linelength = linelength;
+      linelength = -1;
+      }
+    else if (ch == '\r')
+      {
+      ch_state = 2;
+      continue;
+      }
+    break;
+
+    case 2:                             /* After (unwritten) CR */
+    body_linecount++;
+    if (linelength > max_received_linelength)
+      max_received_linelength = linelength;
+    linelength = -1;
+    if (ch == '\n')
+      {
+      ch_state = 0;
+      }
+    else
+      {
+      message_size++;
+      if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR;
+      cutthrough_data_put_nl();
+      if (ch != '\r') ch_state = 1; else continue;
+      }
+    break;
+
+    case 3:                             /* After [CR] LF . */
+    if (ch == '\n')
+      return END_DOT;
+    if (ch == '\r')
+      {
+      ch_state = 4;
+      continue;
+      }
+    /* The dot was removed at state 3. For a doubled dot, here, reinstate
+    it to cutthrough. The current ch, dot or not, is passed both to cutthrough
+    and to file below. */
+    if (ch == '.')
+      {
+      uschar c= ch;
+      cutthrough_data_puts(&c, 1);
+      }
+    ch_state = 1;
+    break;
+
+    case 4:                             /* After [CR] LF . CR */
+    if (ch == '\n') return END_DOT;
+    message_size++;
+    body_linecount++;
+    if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR;
+    cutthrough_data_put_nl();
+    if (ch == '\r')
+      {
+      ch_state = 2;
+      continue;
+      }
+    ch_state = 1;
+    break;
+    }
+
+  /* Add the character to the spool file, unless skipping; then loop for the
+  next. */
+
+  message_size++;
+  linelength++;
+  if (fout)
+    {
+    if (fputc(ch, fout) == EOF) return END_WERROR;
+    if (message_size > thismessage_size_limit) return END_SIZE;
+    }
+  if(ch == '\n')
+    cutthrough_data_put_nl();
+  else
+    {
+    uschar c = ch;
+    cutthrough_data_puts(&c, 1);
+    }
+  }
+
+/* Fall through here if EOF encountered. This indicates some kind of error,
+since a correct message is terminated by [CR] LF . [CR] LF. */
+
+return END_EOF;
+}
+
+
+
+
+/* Variant of the above read_message_data_smtp() specialised for RFC 3030
+CHUNKING. Accept input lines separated by either CRLF or CR or LF and write
+LF-delimited spoolfile.  Until we have wireformat spoolfiles, we need the
+body_linecount accounting for proper re-expansion for the wire, so use
+a cut-down version of the state-machine above; we don't need to do leading-dot
+detection and unstuffing.
+
+Arguments:
+  fout      a FILE to which to write the message; NULL if skipping;
+            must be open for both writing and reading.
+
+Returns:    One of the END_xxx values indicating why it stopped reading
+*/
+
+static int
+read_message_bdat_smtp(FILE * fout)
+{
+int linelength = 0, ch;
+enum CH_STATE ch_state = LF_SEEN;
+BOOL fix_nl = FALSE;
+
+for(;;)
+  {
+  switch ((ch = bdat_getc(GETC_BUFFER_UNLIMITED)))
+    {
+    case EOF:	return END_EOF;
+    case ERR:	return END_PROTOCOL;
+    case EOD:
+      /* Nothing to get from the sender anymore. We check the last
+      character written to the spool.
+
+      RFC 3030 states, that BDAT chunks are normal text, terminated by CRLF.
+      If we would be strict, we would refuse such broken messages.
+      But we are liberal, so we fix it.  It would be easy just to append
+      the "\n" to the spool.
+
+      But there are some more things (line counting, message size calculation and such),
+      that would need to be duplicated here.  So we simply do some ungetc
+      trickery.
+      */
+      if (fout)
+	{
+	if (fseek(fout, -1, SEEK_CUR) < 0)	return END_PROTOCOL;
+	if (fgetc(fout) == '\n')		return END_DOT;
+	}
+
+      if (linelength == -1)    /* \r already seen (see below) */
+        {
+        DEBUG(D_receive) debug_printf("Add missing LF\n");
+        bdat_ungetc('\n');
+        continue;
+        }
+      DEBUG(D_receive) debug_printf("Add missing CRLF\n");
+      bdat_ungetc('\r');      /* not even \r was seen */
+      fix_nl = TRUE;
+
+      continue;
+    case '\0':  body_zerocount++; break;
+    }
+  switch (ch_state)
+    {
+    case LF_SEEN:                             /* After LF or CRLF */
+      ch_state = MID_LINE;
+      /* fall through to handle as normal uschar. */
+
+    case MID_LINE:                            /* Mid-line state */
+      if (ch == '\n')
+	{
+	ch_state = LF_SEEN;
+	body_linecount++;
+	if (linelength > max_received_linelength)
+	  max_received_linelength = linelength;
+	linelength = -1;
+	}
+      else if (ch == '\r')
+	{
+	ch_state = CR_SEEN;
+       if (fix_nl) bdat_ungetc('\n');
+	continue;			/* don't write CR */
+	}
+      break;
+
+    case CR_SEEN:                       /* After (unwritten) CR */
+      body_linecount++;
+      if (linelength > max_received_linelength)
+	max_received_linelength = linelength;
+      linelength = -1;
+      if (ch == '\n')
+	ch_state = LF_SEEN;
+      else
+	{
+	message_size++;
+	if (fout && fputc('\n', fout) == EOF) return END_WERROR;
+	cutthrough_data_put_nl();
+	if (ch == '\r') continue;	/* don't write CR */
+	ch_state = MID_LINE;
+	}
+      break;
+    }
+
+  /* Add the character to the spool file, unless skipping */
+
+  message_size++;
+  linelength++;
+  if (fout)
+    {
+    if (fputc(ch, fout) == EOF) return END_WERROR;
+    if (message_size > thismessage_size_limit) return END_SIZE;
+    }
+  if(ch == '\n')
+    cutthrough_data_put_nl();
+  else
+    {
+    uschar c = ch;
+    cutthrough_data_puts(&c, 1);
+    }
+  }
+/*NOTREACHED*/
+}
+
+static int
+read_message_bdat_smtp_wire(FILE * fout)
+{
+int ch;
+
+/* Remember that this message uses wireformat. */
+
+DEBUG(D_receive) debug_printf("CHUNKING: %s\n",
+	fout ? "writing spoolfile in wire format" : "flushing input");
+f.spool_file_wireformat = TRUE;
+
+for (;;)
+  {
+  if (chunking_data_left > 0)
+    {
+    unsigned len = MAX(chunking_data_left, thismessage_size_limit - message_size + 1);
+    uschar * buf = bdat_getbuf(&len);
+
+    if (!buf) return END_EOF;
+    message_size += len;
+    if (fout && fwrite(buf, len, 1, fout) != 1) return END_WERROR;
+    }
+  else switch (ch = bdat_getc(GETC_BUFFER_UNLIMITED))
+    {
+    case EOF: return END_EOF;
+    case EOD: return END_DOT;
+    case ERR: return END_PROTOCOL;
+
+    default:
+      message_size++;
+  /*XXX not done:
+  linelength
+  max_received_linelength
+  body_linecount
+  body_zerocount
+  */
+      if (fout && fputc(ch, fout) == EOF) return END_WERROR;
+      break;
+    }
+  if (message_size > thismessage_size_limit) return END_SIZE;
+  }
+/*NOTREACHED*/
+}
+
+
+
+
+/*************************************************
+*             Swallow SMTP message               *
+*************************************************/
+
+/* This function is called when there has been some kind of error while reading
+an SMTP message, and the remaining data may need to be swallowed. It is global
+because it is called from smtp_closedown() to shut down an incoming call
+tidily.
+
+Argument:    a FILE from which to read the message
+Returns:     nothing
+*/
+
+void
+receive_swallow_smtp(void)
+{
+if (message_ended >= END_NOTENDED)
+  message_ended = chunking_state <= CHUNKING_OFFERED
+     ? read_message_data_smtp(NULL)
+     : read_message_bdat_smtp_wire(NULL);
+}
+
+
+
+/*************************************************
+*           Handle lost SMTP connection          *
+*************************************************/
+
+/* This function logs connection loss incidents and generates an appropriate
+SMTP response.
+
+Argument:  additional data for the message
+Returns:   the SMTP response
+*/
+
+static uschar *
+handle_lost_connection(uschar *s)
+{
+log_write(L_lost_incoming_connection | L_smtp_connection, LOG_MAIN,
+  "%s lost while reading message data%s", smtp_get_connection_info(), s);
+smtp_notquit_exit(US"connection-lost", NULL, NULL);
+return US"421 Lost incoming connection";
+}
+
+
+
+
+/*************************************************
+*         Handle a non-smtp reception error      *
+*************************************************/
+
+/* This function is called for various errors during the reception of non-SMTP
+messages. It either sends a message to the sender of the problem message, or it
+writes to the standard error stream.
+
+Arguments:
+  errcode     code for moan_to_sender(), identifying the error
+  text1       first message text, passed to moan_to_sender()
+  text2       second message text, used only for stderrr
+  error_rc    code to pass to exim_exit if no problem
+  f           FILE containing body of message (may be stdin)
+  hptr        pointer to instore headers or NULL
+
+Returns:      calls exim_exit(), which does not return
+*/
+
+static void
+give_local_error(int errcode, uschar *text1, uschar *text2, int error_rc,
+  FILE *f, header_line *hptr)
+{
+if (error_handling == ERRORS_SENDER)
+  {
+  error_block eblock;
+  eblock.next = NULL;
+  eblock.text1 = text1;
+  eblock.text2 = US"";
+  if (!moan_to_sender(errcode, &eblock, hptr, f, FALSE))
+    error_rc = EXIT_FAILURE;
+  }
+else
+  fprintf(stderr, "exim: %s%s\n", text2, text1);  /* Sic */
+(void)fclose(f);
+exim_exit(error_rc);
+}
+
+
+
+/*************************************************
+*          Add header lines set up by ACL        *
+*************************************************/
+
+/* This function is called to add the header lines that were set up by
+statements in an ACL to the list of headers in memory. It is done in two stages
+like this, because when the ACL for RCPT is running, the other headers have not
+yet been received. This function is called twice; once just before running the
+DATA ACL, and once after. This is so that header lines added by MAIL or RCPT
+are visible to the DATA ACL.
+
+Originally these header lines were added at the end. Now there is support for
+three different places: top, bottom, and after the Received: header(s). There
+will always be at least one Received: header, even if it is marked deleted, and
+even if something else has been put in front of it.
+
+Arguments:
+  acl_name   text to identify which ACL
+
+Returns:     nothing
+*/
+
+static void
+add_acl_headers(int where, uschar *acl_name)
+{
+header_line *last_received = NULL;
+
+switch(where)
+  {
+  case ACL_WHERE_DKIM:
+  case ACL_WHERE_MIME:
+  case ACL_WHERE_DATA:
+    if (  cutthrough.cctx.sock >= 0 && cutthrough.delivery
+       && (acl_removed_headers || acl_added_headers))
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "Header modification in data ACLs"
+			" will not take effect on cutthrough deliveries");
+    return;
+    }
+  }
+
+if (acl_removed_headers)
+  {
+  DEBUG(D_receive|D_acl) debug_printf_indent(">>Headers removed by %s ACL:\n", acl_name);
+
+  for (header_line * h = header_list; h; h = h->next) if (h->type != htype_old)
+    {
+    const uschar * list = acl_removed_headers;
+    int sep = ':';         /* This is specified as a colon-separated list */
+    uschar *s;
+
+    while ((s = string_nextinlist(&list, &sep, NULL, 0)))
+      if (header_testname(h, s, Ustrlen(s), FALSE))
+	{
+	h->type = htype_old;
+        DEBUG(D_receive|D_acl) debug_printf_indent("  %s", h->text);
+	}
+    }
+  acl_removed_headers = NULL;
+  DEBUG(D_receive|D_acl) debug_printf_indent(">>\n");
+  }
+
+if (!acl_added_headers) return;
+DEBUG(D_receive|D_acl) debug_printf_indent(">>Headers added by %s ACL:\n", acl_name);
+
+for (header_line * h = acl_added_headers, * next; h; h = next)
+  {
+  next = h->next;
+
+  switch(h->type)
+    {
+    case htype_add_top:
+      h->next = header_list;
+      header_list = h;
+      DEBUG(D_receive|D_acl) debug_printf_indent("  (at top)");
+      break;
+
+    case htype_add_rec:
+      if (!last_received)
+	{
+	last_received = header_list;
+	while (!header_testname(last_received, US"Received", 8, FALSE))
+	  last_received = last_received->next;
+	while (last_received->next &&
+	       header_testname(last_received->next, US"Received", 8, FALSE))
+	  last_received = last_received->next;
+	}
+      h->next = last_received->next;
+      last_received->next = h;
+      DEBUG(D_receive|D_acl) debug_printf_indent("  (after Received:)");
+      break;
+
+    case htype_add_rfc:
+      /* add header before any header which is NOT Received: or Resent- */
+      last_received = header_list;
+      while ( last_received->next &&
+	      ( (header_testname(last_received->next, US"Received", 8, FALSE)) ||
+		(header_testname_incomplete(last_received->next, US"Resent-", 7, FALSE)) ) )
+		last_received = last_received->next;
+      /* last_received now points to the last Received: or Resent-* header
+	 in an uninterrupted chain of those header types (seen from the beginning
+	 of all headers. Our current header must follow it. */
+      h->next = last_received->next;
+      last_received->next = h;
+      DEBUG(D_receive|D_acl) debug_printf_indent("  (before any non-Received: or Resent-*: header)");
+      break;
+
+    default:
+      h->next = NULL;
+      header_last->next = h;
+      DEBUG(D_receive|D_acl) debug_printf_indent("  ");
+      break;
+    }
+
+  if (!h->next) header_last = h;
+
+  /* Check for one of the known header types (From:, To:, etc.) though in
+  practice most added headers are going to be "other". Lower case
+  identification letters are never stored with the header; they are used
+  for existence tests when messages are received. So discard any lower case
+  flag values. */
+
+  h->type = header_checkname(h, FALSE);
+  if (h->type >= 'a') h->type = htype_other;
+
+  DEBUG(D_receive|D_acl) debug_printf("%s", h->text);
+  }
+
+acl_added_headers = NULL;
+DEBUG(D_receive|D_acl) debug_printf_indent(">>\n");
+}
+
+
+
+/*************************************************
+*       Add host information for log line        *
+*************************************************/
+
+/* Called for acceptance and rejecting log lines. This adds information about
+the calling host to a string that is being built dynamically.
+
+Arguments:
+  s           the dynamic string
+
+Returns:      the extended string
+*/
+
+static gstring *
+add_host_info_for_log(gstring * g)
+{
+if (sender_fullhost)
+  {
+  if (LOGGING(dnssec) && sender_host_dnssec)	/*XXX sender_helo_dnssec? */
+    g = string_catn(g, US" DS", 3);
+  g = string_append(g, 2, US" H=", sender_fullhost);
+  if (LOGGING(incoming_interface) && interface_address)
+    g = string_fmt_append(g, " I=[%s]:%d", interface_address, interface_port);
+  }
+if (f.tcp_in_fastopen && !f.tcp_in_fastopen_logged)
+  {
+  g = string_catn(g, US" TFO*", f.tcp_in_fastopen_data ? 5 : 4);
+  f.tcp_in_fastopen_logged = TRUE;
+  }
+if (sender_ident)
+  g = string_append(g, 2, US" U=", sender_ident);
+if (received_protocol)
+  g = string_append(g, 2, US" P=", received_protocol);
+if (LOGGING(pipelining) && f.smtp_in_pipelining_advertised)
+  {
+  g = string_catn(g, US" L", 2);
+#ifndef DISABLE_PIPE_CONNECT
+  if (f.smtp_in_early_pipe_used)
+    g = string_catn(g, US"*", 1);
+  else if (f.smtp_in_early_pipe_advertised)
+    g = string_catn(g, US".", 1);
+#endif
+  if (!f.smtp_in_pipelining_used)
+    g = string_catn(g, US"-", 1);
+  }
+return g;
+}
+
+
+
+#ifdef WITH_CONTENT_SCAN
+
+/*************************************************
+*       Run the MIME ACL on a message            *
+*************************************************/
+
+/* This code is in a subroutine so that it can be used for both SMTP
+and non-SMTP messages. It is called with a non-NULL ACL pointer.
+
+Arguments:
+  acl                The ACL to run (acl_smtp_mime or acl_not_smtp_mime)
+  smtp_yield_ptr     Set FALSE to kill messages after dropped connection
+  smtp_reply_ptr     Where SMTP reply is being built
+  blackholed_by_ptr  Where "blackholed by" message is being built
+
+Returns:             TRUE to carry on; FALSE to abandon the message
+*/
+
+static BOOL
+run_mime_acl(uschar *acl, BOOL *smtp_yield_ptr, uschar **smtp_reply_ptr,
+  uschar **blackholed_by_ptr)
+{
+FILE *mbox_file;
+uschar * rfc822_file_path = NULL;
+unsigned long mbox_size;
+uschar *user_msg, *log_msg;
+int mime_part_count_buffer = -1;
+uschar * mbox_filename;
+int rc = OK;
+
+/* check if it is a MIME message */
+
+for (header_line * my_headerlist = header_list; my_headerlist;
+     my_headerlist = my_headerlist->next)
+  if (  my_headerlist->type != '*'			/* skip deleted headers */
+     && strncmpic(my_headerlist->text, US"Content-Type:", 13) == 0
+     )
+    {
+    DEBUG(D_receive) debug_printf("Found Content-Type: header - executing acl_smtp_mime.\n");
+    goto DO_MIME_ACL;
+    }
+
+DEBUG(D_receive) debug_printf("No Content-Type: header - presumably not a MIME message.\n");
+return TRUE;
+
+DO_MIME_ACL:
+
+/* make sure the eml mbox file is spooled up */
+if (!(mbox_file = spool_mbox(&mbox_size, NULL, &mbox_filename)))
+  {								/* error while spooling */
+  log_write(0, LOG_MAIN|LOG_PANIC,
+         "acl_smtp_mime: error while creating mbox spool file, message temporarily rejected.");
+  Uunlink(spool_name);
+  unspool_mbox();
+#ifdef EXPERIMENTAL_DCC
+  dcc_ok = 0;
+#endif
+  smtp_respond(US"451", 3, TRUE, US"temporary local problem");
+  message_id[0] = 0;            /* Indicate no message accepted */
+  *smtp_reply_ptr = US"";       /* Indicate reply already sent */
+  return FALSE;                 /* Indicate skip to end of receive function */
+  }
+
+mime_is_rfc822 = 0;
+
+MIME_ACL_CHECK:
+mime_part_count = -1;
+rc = mime_acl_check(acl, mbox_file, NULL, &user_msg, &log_msg);
+(void)fclose(mbox_file);
+
+if (rfc822_file_path)
+  {
+  mime_part_count = mime_part_count_buffer;
+
+  if (unlink(CS rfc822_file_path) == -1)
+    {
+    log_write(0, LOG_PANIC,
+         "acl_smtp_mime: can't unlink RFC822 spool file, skipping.");
+    goto END_MIME_ACL;
+    }
+  rfc822_file_path = NULL;
+  }
+
+/* check if we must check any message/rfc822 attachments */
+if (rc == OK)
+  {
+  uschar * scandir = string_copyn(mbox_filename,
+	      Ustrrchr(mbox_filename, '/') - mbox_filename);
+  struct dirent * entry;
+  DIR * tempdir;
+
+  for (tempdir = exim_opendir(scandir); entry = readdir(tempdir); )
+    if (strncmpic(US entry->d_name, US"__rfc822_", 9) == 0)
+      {
+      rfc822_file_path = string_sprintf("%s/%s", scandir, entry->d_name);
+      DEBUG(D_receive)
+	debug_printf("RFC822 attachment detected: running MIME ACL for '%s'\n",
+	  rfc822_file_path);
+      break;
+      }
+  closedir(tempdir);
+
+  if (rfc822_file_path)
+    {
+    if ((mbox_file = Ufopen(rfc822_file_path, "rb")))
+      {
+      /* set RFC822 expansion variable */
+      mime_is_rfc822 = 1;
+      mime_part_count_buffer = mime_part_count;
+      goto MIME_ACL_CHECK;
+      }
+    log_write(0, LOG_PANIC,
+       "acl_smtp_mime: can't open RFC822 spool file, skipping.");
+    unlink(CS rfc822_file_path);
+    }
+  }
+
+END_MIME_ACL:
+add_acl_headers(ACL_WHERE_MIME, US"MIME");
+if (rc == DISCARD)
+  {
+  recipients_count = 0;
+  *blackholed_by_ptr = US"MIME ACL";
+  cancel_cutthrough_connection(TRUE, US"mime acl discard");
+  }
+else if (rc != OK)
+  {
+  Uunlink(spool_name);
+  cancel_cutthrough_connection(TRUE, US"mime acl not ok");
+  unspool_mbox();
+#ifdef EXPERIMENTAL_DCC
+  dcc_ok = 0;
+#endif
+  if (smtp_input)
+    {
+    if (smtp_handle_acl_fail(ACL_WHERE_MIME, rc, user_msg, log_msg) != 0)
+      *smtp_yield_ptr = FALSE;  /* No more messages after dropped connection */
+    *smtp_reply_ptr = US"";     /* Indicate reply already sent */
+    }
+  message_id[0] = 0;            /* Indicate no message accepted */
+  return FALSE;                 /* Cause skip to end of receive function */
+  }
+
+return TRUE;
+}
+
+#endif  /* WITH_CONTENT_SCAN */
+
+
+
+void
+received_header_gen(void)
+{
+uschar * received;
+uschar * timestamp = expand_string(US"${tod_full}");
+header_line * received_header= header_list;
+
+if (recipients_count == 1) received_for = recipients_list[0].address;
+received = expand_string(received_header_text);
+received_for = NULL;
+
+if (!received)
+  {
+  if(spool_name[0] != 0)
+    Uunlink(spool_name);           /* Lose the data file */
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
+    "(received_header_text) failed: %s", string_printing(received_header_text),
+      expand_string_message);
+  }
+
+/* The first element on the header chain is reserved for the Received header,
+so all we have to do is fill in the text pointer, and set the type. However, if
+the result of the expansion is an empty string, we leave the header marked as
+"old" so as to refrain from adding a Received header. */
+
+if (!received[0])
+  {
+  received_header->text = string_sprintf("Received: ; %s\n", timestamp);
+  received_header->type = htype_old;
+  }
+else
+  {
+  received_header->text = string_sprintf("%s;\n\t%s\n", received, timestamp);
+  received_header->type = htype_received;
+  }
+
+received_header->slen = Ustrlen(received_header->text);
+
+DEBUG(D_receive) debug_printf(">>Generated Received: header line\n%c %s",
+  received_header->type, received_header->text);
+}
+
+
+
+/*************************************************
+*                 Receive message                *
+*************************************************/
+
+/* Receive a message on the given input, and put it into a pair of spool files.
+Either a non-null list of recipients, or the extract flag will be true, or
+both. The flag sender_local is true for locally generated messages. The flag
+submission_mode is true if an ACL has obeyed "control = submission". The flag
+suppress_local_fixups is true if an ACL has obeyed "control =
+suppress_local_fixups" or -G was passed on the command-line.
+The flag smtp_input is true if the message is to be
+handled using SMTP conventions about termination and lines starting with dots.
+For non-SMTP messages, dot_ends is true for dot-terminated messages.
+
+If a message was successfully read, message_id[0] will be non-zero.
+
+The general actions of this function are:
+
+  . Read the headers of the message (if any) into a chain of store
+    blocks.
+
+  . If there is a "sender:" header and the message is locally originated,
+    throw it away, unless the caller is trusted, or unless
+    active_local_sender_retain is set - which can only happen if
+    active_local_from_check is false.
+
+  . If recipients are to be extracted from the message, build the
+    recipients list from the headers, removing any that were on the
+    original recipients list (unless extract_addresses_remove_arguments is
+    false), and at the same time, remove any bcc header that may be present.
+
+  . Get the spool file for the data, sort out its unique name, open
+    and lock it (but don't give it the name yet).
+
+  . Generate a "Message-Id" header if the message doesn't have one, for
+    locally-originated messages.
+
+  . Generate a "Received" header.
+
+  . Ensure the recipients list is fully qualified and rewritten if necessary.
+
+  . If there are any rewriting rules, apply them to the sender address
+    and also to the headers.
+
+  . If there is no from: header, generate one, for locally-generated messages
+    and messages in "submission mode" only.
+
+  . If the sender is local, check that from: is correct, and if not, generate
+    a Sender: header, unless message comes from a trusted caller, or this
+    feature is disabled by active_local_from_check being false.
+
+  . If there is no "date" header, generate one, for locally-originated
+    or submission mode messages only.
+
+  . Copy the rest of the input, or up to a terminating "." if in SMTP or
+    dot_ends mode, to the data file. Leave it open, to hold the lock.
+
+  . Write the envelope and the headers to a new file.
+
+  . Set the name for the header file; close it.
+
+  . Set the name for the data file; close it.
+
+Because this function can potentially be called many times in a single
+SMTP connection, all store should be got by store_get(), so that it will be
+automatically retrieved after the message is accepted.
+
+FUDGE: It seems that sites on the net send out messages with just LF
+terminators, despite the warnings in the RFCs, and other MTAs handle this. So
+we make the CRs optional in all cases.
+
+July 2003: Bare CRs in messages, especially in header lines, cause trouble. A
+new regime is now in place in which bare CRs in header lines are turned into LF
+followed by a space, so as not to terminate the header line.
+
+February 2004: A bare LF in a header line in a message whose first line was
+terminated by CRLF is treated in the same way as a bare CR.
+
+Arguments:
+  extract_recip  TRUE if recipients are to be extracted from the message's
+                   headers
+
+Returns:  TRUE   there are more messages to be read (SMTP input)
+          FALSE  there are no more messages to be read (non-SMTP input
+                 or SMTP connection collapsed, or other failure)
+
+When reading a message for filter testing, the returned value indicates
+whether the headers (which is all that is read) were terminated by '.' or
+not. */
+
+BOOL
+receive_msg(BOOL extract_recip)
+{
+int  rc = FAIL;
+int  msg_size = 0;
+int  process_info_len = Ustrlen(process_info);
+int  error_rc = error_handling == ERRORS_SENDER
+	? errors_sender_rc : EXIT_FAILURE;
+int  header_size = 256;
+int  had_zero = 0;
+int  prevlines_length = 0;
+const int id_resolution = BASE_62 == 62 ? 5000 : 10000;
+
+int ptr = 0;
+
+BOOL contains_resent_headers = FALSE;
+BOOL extracted_ignored = FALSE;
+BOOL first_line_ended_crlf = TRUE_UNSET;
+BOOL smtp_yield = TRUE;
+BOOL yield = FALSE;
+
+BOOL resents_exist = FALSE;
+uschar *resent_prefix = US"";
+uschar *blackholed_by = NULL;
+uschar *blackhole_log_msg = US"";
+enum {NOT_TRIED, TMP_REJ, PERM_REJ, ACCEPTED} cutthrough_done = NOT_TRIED;
+
+flock_t lock_data;
+error_block *bad_addresses = NULL;
+
+uschar *frozen_by = NULL;
+uschar *queued_by = NULL;
+
+uschar *errmsg;
+rmark rcvd_log_reset_point;
+gstring * g;
+struct stat statbuf;
+
+/* Final message to give to SMTP caller, and messages from ACLs */
+
+uschar *smtp_reply = NULL;
+uschar *user_msg, *log_msg;
+
+/* Working header pointers */
+
+rmark reset_point;
+header_line *next;
+
+/* Flags for noting the existence of certain headers (only one left) */
+
+BOOL date_header_exists = FALSE;
+
+/* Pointers to receive the addresses of headers whose contents we need. */
+
+header_line *from_header = NULL;
+header_line *subject_header = NULL;
+header_line *msgid_header = NULL;
+header_line *received_header;
+BOOL msgid_header_newly_created = FALSE;
+
+/* Variables for use when building the Received: header. */
+
+uschar *timestamp;
+int tslen;
+
+/* Time of creation of message_id */
+
+static struct timeval message_id_tv = { 0, 0 };
+
+
+/* Release any open files that might have been cached while preparing to
+accept the message - e.g. by verifying addresses - because reading a message
+might take a fair bit of real time. */
+
+search_tidyup();
+
+/* Extracting the recipient list from an input file is incompatible with
+cutthrough delivery with the no-spool option.  It shouldn't be possible
+to set up the combination, but just in case kill any ongoing connection. */
+if (extract_recip || !smtp_input)
+  cancel_cutthrough_connection(TRUE, US"not smtp input");
+
+/* Initialize the chain of headers by setting up a place-holder for Received:
+header. Temporarily mark it as "old", i.e. not to be used. We keep header_last
+pointing to the end of the chain to make adding headers simple. */
+
+received_header = header_list = header_last = store_get(sizeof(header_line), GET_UNTAINTED);
+header_list->next = NULL;
+header_list->type = htype_old;
+header_list->text = NULL;
+header_list->slen = 0;
+
+/* Control block for the next header to be read.
+The data comes from the message, so is tainted. */
+
+reset_point = store_mark();
+next = store_get(sizeof(header_line), GET_UNTAINTED);
+next->text = store_get(header_size, GET_TAINTED);
+
+/* Initialize message id to be null (indicating no message read), and the
+header names list to be the normal list. Indicate there is no data file open
+yet, initialize the size and warning count, and deal with no size limit. */
+
+message_id[0] = 0;
+spool_data_file = NULL;
+data_fd = -1;
+spool_name = US"";
+message_size = 0;
+warning_count = 0;
+received_count = 1;            /* For the one we will add */
+
+if (thismessage_size_limit <= 0) thismessage_size_limit = INT_MAX;
+
+/* While reading the message, the following counts are computed. */
+
+message_linecount = body_linecount = body_zerocount =
+  max_received_linelength = 0;
+
+#ifdef WITH_CONTENT_SCAN
+/* reset non-per-part mime variables */
+mime_is_coverletter    = 0;
+mime_is_rfc822         = 0;
+mime_part_count        = -1;
+#endif
+
+#ifndef DISABLE_DKIM
+/* Call into DKIM to set up the context.  In CHUNKING mode
+we clear the dot-stuffing flag */
+if (smtp_input && !smtp_batched_input && !f.dkim_disable_verify)
+  dkim_exim_verify_init(chunking_state <= CHUNKING_OFFERED);
+#endif
+
+#ifdef SUPPORT_DMARC
+if (sender_host_address) dmarc_init();	/* initialize libopendmarc */
+#endif
+
+/* In SMTP sessions we may receive several messages in one connection. Before
+each subsequent one, we wait for the clock to tick at the level of message-id
+granularity.
+This is so that the combination of time+pid is unique, even on systems where the
+pid can be re-used within our time interval. We can't shorten the interval
+without re-designing the message-id. See comments above where the message id is
+created. This is Something For The Future.
+Do this wait any time we have previously created a message-id, even if we
+rejected the message.  This gives unique IDs for logging done by ACLs.
+The initial timestamp must have been obtained via exim_gettime() to avoid
+issues on Linux with suspend/resume. */
+
+if (message_id_tv.tv_sec)
+  {
+  message_id_tv.tv_usec = (message_id_tv.tv_usec/id_resolution) * id_resolution;
+  exim_wait_tick(&message_id_tv, id_resolution);
+  }
+
+/* Remember the time of reception. Exim uses time+pid for uniqueness of message
+ids, and fractions of a second are required. See the comments that precede the
+message id creation below.
+We use a routine that if possible uses a monotonic clock, and can be used again
+after reception for the tick-wait even under the Linux non-Posix behaviour. */
+
+else
+  exim_gettime(&message_id_tv);
+
+/* For other uses of the received time we can operate with granularity of one
+second, and for that we use the global variable received_time. This is for
+things like ultimate message timeouts.
+For this we do not care about the Linux suspend/resume problem, so rather than
+use exim_gettime() everywhere we use a plain gettimeofday() here. */
+
+gettimeofday(&received_time, NULL);
+
+/* If SMTP input, set the special handler for timeouts. The alarm() calls
+happen in the smtp_getc() function when it refills its buffer. */
+
+had_data_timeout = 0;
+if (smtp_input)
+  os_non_restarting_signal(SIGALRM, data_timeout_handler);
+
+/* If not SMTP input, timeout happens only if configured, and we just set a
+single timeout for the whole message. */
+
+else if (receive_timeout > 0)
+  {
+  os_non_restarting_signal(SIGALRM, data_timeout_handler);
+  ALARM(receive_timeout);
+  }
+
+/* SIGTERM and SIGINT are caught always. */
+
+had_data_sigint = 0;
+signal(SIGTERM, data_sigterm_sigint_handler);
+signal(SIGINT, data_sigterm_sigint_handler);
+
+/* Header lines in messages are not supposed to be very long, though when
+unfolded, to: and cc: headers can take up a lot of store. We must also cope
+with the possibility of junk being thrown at us. Start by getting 256 bytes for
+storing the header, and extend this as necessary using string_cat().
+
+To cope with total lunacies, impose an upper limit on the length of the header
+section of the message, as otherwise the store will fill up. We must also cope
+with the possibility of binary zeros in the data. Hence we cannot use fgets().
+Folded header lines are joined into one string, leaving the '\n' characters
+inside them, so that writing them out reproduces the input.
+
+Loop for each character of each header; the next structure for chaining the
+header is set up already, with ptr the offset of the next character in
+next->text. */
+
+for (;;)
+  {
+  int ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+
+  /* If we hit EOF on a SMTP connection, it's an error, since incoming
+  SMTP must have a correct "." terminator. */
+
+  if (smtp_input /* && !smtp_batched_input */)
+    if (ch == EOF)
+      {
+      smtp_reply = handle_lost_connection(US" (header)");
+      smtp_yield = FALSE;
+      goto TIDYUP;                       /* Skip to end of function */
+      }
+    else if (ch == ERR)
+      goto TIDYUP;
+
+  /* See if we are at the current header's size limit - there must be at least
+  four bytes left. This allows for the new character plus a zero, plus two for
+  extra insertions when we are playing games with dots and carriage returns. If
+  we are at the limit, extend the text buffer. This could have been done
+  automatically using string_cat() but because this is a tightish loop storing
+  only one character at a time, we choose to do it inline. Normally
+  store_extend() will be able to extend the block; only at the end of a big
+  store block will a copy be needed. To handle the case of very long headers
+  (and sometimes lunatic messages can have ones that are 100s of K long) we
+  call store_release() for strings that have been copied - if the string is at
+  the start of a block (and therefore the only thing in it, because we aren't
+  doing any other gets), the block gets freed. We can only do this release if
+  there were no allocations since the once that we want to free. */
+
+  if (ptr >= header_size - 4)
+    {
+    int oldsize = header_size;
+
+    if (header_size >= INT_MAX/2)
+      goto OVERSIZE;
+    header_size *= 2;
+
+    if (!store_extend(next->text, oldsize, header_size))
+      next->text = store_newblock(next->text, header_size, ptr);
+    }
+
+  /* Cope with receiving a binary zero. There is dispute about whether
+  these should be allowed in RFC 822 messages. The middle view is that they
+  should not be allowed in headers, at least. Exim takes this attitude at
+  the moment. We can't just stomp on them here, because we don't know that
+  this line is a header yet. Set a flag to cause scanning later. */
+
+  if (ch == 0) had_zero++;
+
+  /* Test for termination. Lines in remote SMTP are terminated by CRLF, while
+  those from data files use just LF. Treat LF in local SMTP input as a
+  terminator too. Treat EOF as a line terminator always. */
+
+  if (ch < 0) goto EOL;
+
+  /* FUDGE: There are sites out there that don't send CRs before their LFs, and
+  other MTAs accept this. We are therefore forced into this "liberalisation"
+  too, so we accept LF as a line terminator whatever the source of the message.
+  However, if the first line of the message ended with a CRLF, we treat a bare
+  LF specially by inserting a white space after it to ensure that the header
+  line is not terminated. */
+
+  if (ch == '\n')
+    {
+    if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = FALSE;
+      else if (first_line_ended_crlf) receive_ungetc(' ');
+    goto EOL;
+    }
+
+  /* This is not the end of the line. If this is SMTP input and this is
+  the first character in the line and it is a "." character, ignore it.
+  This implements the dot-doubling rule, though header lines starting with
+  dots aren't exactly common. They are legal in RFC 822, though. If the
+  following is CRLF or LF, this is the line that that terminates the
+  entire message. We set message_ended to indicate this has happened (to
+  prevent further reading), and break out of the loop, having freed the
+  empty header, and set next = NULL to indicate no data line. */
+
+  if (f.dot_ends && ptr == 0 && ch == '.')
+    {
+    ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+    if (ch == '\r')
+      {
+      ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+      if (ch != '\n')
+        {
+	if (ch >= 0) receive_ungetc(ch);
+        ch = '\r';              /* Revert to CR */
+        }
+      }
+    if (ch == '\n')
+      {
+      message_ended = END_DOT;
+      reset_point = store_reset(reset_point);
+      next = NULL;
+      break;                    /* End character-reading loop */
+      }
+
+    /* For non-SMTP input, the dot at the start of the line was really a data
+    character. What is now in ch is the following character. We guaranteed
+    enough space for this above. */
+
+    if (!smtp_input)
+      {
+      next->text[ptr++] = '.';
+      message_size++;
+      }
+    }
+
+  /* If CR is immediately followed by LF, end the line, ignoring the CR, and
+  remember this case if this is the first line ending. */
+
+  if (ch == '\r')
+    {
+    ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+    if (ch == '\n')
+      {
+      if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = TRUE;
+      goto EOL;
+      }
+
+    /* Otherwise, put back the character after CR, and turn the bare CR
+    into LF SP. */
+
+    if (ch >= 0) (receive_ungetc)(ch);
+    next->text[ptr++] = '\n';
+    message_size++;
+    ch = ' ';
+    }
+
+  /* We have a data character for the header line. */
+
+  next->text[ptr++] = ch;    /* Add to buffer */
+  message_size++;            /* Total message size so far */
+
+  /* Handle failure due to a humungously long header section. The >= allows
+  for the terminating \n. Add what we have so far onto the headers list so
+  that it gets reflected in any error message, and back up the just-read
+  character. */
+
+  if (message_size >= header_maxsize)
+    {
+OVERSIZE:
+    next->text[ptr] = 0;
+    next->slen = ptr;
+    next->type = htype_other;
+    next->next = NULL;
+    header_last->next = next;
+    header_last = next;
+
+    log_write(0, LOG_MAIN, "ridiculously long message header received from "
+      "%s (more than %d characters): message abandoned",
+      f.sender_host_unknown ? sender_ident : sender_fullhost, header_maxsize);
+
+    if (smtp_input)
+      {
+      smtp_reply = US"552 Message header is ridiculously long";
+      receive_swallow_smtp();
+      goto TIDYUP;                             /* Skip to end of function */
+      }
+
+    else
+      {
+      give_local_error(ERRMESS_VLONGHEADER,
+        string_sprintf("message header longer than %d characters received: "
+         "message not accepted", header_maxsize), US"", error_rc, stdin,
+           header_list->next);
+      /* Does not return */
+      }
+    }
+
+  continue;                  /* With next input character */
+
+  /* End of header line reached */
+
+  EOL:
+
+  /* Keep track of lines for BSMTP errors and overall message_linecount. */
+
+  receive_linecount++;
+  message_linecount++;
+
+  /* Keep track of maximum line length */
+
+  if (ptr - prevlines_length > max_received_linelength)
+    max_received_linelength = ptr - prevlines_length;
+  prevlines_length = ptr + 1;
+
+  /* Now put in the terminating newline. There is always space for
+  at least two more characters. */
+
+  next->text[ptr++] = '\n';
+  message_size++;
+
+  /* A blank line signals the end of the headers; release the unwanted
+  space and set next to NULL to indicate this. */
+
+  if (ptr == 1)
+    {
+    reset_point = store_reset(reset_point);
+    next = NULL;
+    break;
+    }
+
+  /* There is data in the line; see if the next input character is a
+  whitespace character. If it is, we have a continuation of this header line.
+  There is always space for at least one character at this point. */
+
+  if (ch >= 0)
+    {
+    int nextch = (receive_getc)(GETC_BUFFER_UNLIMITED);
+    if (nextch == ' ' || nextch == '\t')
+      {
+      next->text[ptr++] = nextch;
+      if (++message_size >= header_maxsize)
+	goto OVERSIZE;
+      continue;                      /* Iterate the loop */
+      }
+    else if (nextch >= 0)	/* not EOF, ERR etc */
+      (receive_ungetc)(nextch);   /* For next time */
+    else ch = nextch;                   /* Cause main loop to exit at end */
+    }
+
+  /* We have got to the real line end. Terminate the string and release store
+  beyond it. If it turns out to be a real header, internal binary zeros will
+  be squashed later. */
+
+  next->text[ptr] = 0;
+  next->slen = ptr;
+  store_release_above(next->text + ptr + 1);
+
+  /* Check the running total size against the overall message size limit. We
+  don't expect to fail here, but if the overall limit is set less than MESSAGE_
+  MAXSIZE and a big header is sent, we want to catch it. Just stop reading
+  headers - the code to read the body will then also hit the buffer. */
+
+  if (message_size > thismessage_size_limit) break;
+
+  /* A line that is not syntactically correct for a header also marks
+  the end of the headers. In this case, we leave next containing the
+  first data line. This might actually be several lines because of the
+  continuation logic applied above, but that doesn't matter.
+
+  It turns out that smail, and presumably sendmail, accept leading lines
+  of the form
+
+  From ph10 Fri Jan  5 12:35 GMT 1996
+
+  in messages. The "mail" command on Solaris 2 sends such lines. I cannot
+  find any documentation of this, but for compatibility it had better be
+  accepted. Exim restricts it to the case of non-smtp messages, and
+  treats it as an alternative to the -f command line option. Thus it is
+  ignored except for trusted users or filter testing. Otherwise it is taken
+  as the sender address, unless -f was used (sendmail compatibility).
+
+  It further turns out that some UUCPs generate the From_line in a different
+  format, e.g.
+
+  From ph10 Fri, 7 Jan 97 14:00:00 GMT
+
+  The regex for matching these things is now capable of recognizing both
+  formats (including 2- and 4-digit years in the latter). In fact, the regex
+  is now configurable, as is the expansion string to fish out the sender.
+
+  Even further on it has been discovered that some broken clients send
+  these lines in SMTP messages. There is now an option to ignore them from
+  specified hosts or networks. Sigh. */
+
+  if (  header_last == header_list
+     && (  !smtp_input
+        || (  sender_host_address
+	   && verify_check_host(&ignore_fromline_hosts) == OK
+	   )
+        || (!sender_host_address && ignore_fromline_local)
+        )
+     && regex_match_and_setup(regex_From, next->text, 0, -1)
+     )
+    {
+    if (!f.sender_address_forced)
+      {
+      uschar *uucp_sender = expand_string(uucp_from_sender);
+      if (!uucp_sender)
+        log_write(0, LOG_MAIN|LOG_PANIC,
+          "expansion of \"%s\" failed after matching "
+          "\"From \" line: %s", uucp_from_sender, expand_string_message);
+      else
+        {
+        int start, end, domain;
+        uschar *errmess;
+        uschar *newsender = parse_extract_address(uucp_sender, &errmess,
+          &start, &end, &domain, TRUE);
+        if (newsender)
+          {
+          if (domain == 0 && newsender[0] != 0)
+	    /* deconst ok as newsender was not const */
+            newsender = US rewrite_address_qualify(newsender, FALSE);
+
+          if (filter_test != FTEST_NONE || receive_check_set_sender(newsender))
+            {
+            sender_address = newsender;
+
+            if (f.trusted_caller || filter_test != FTEST_NONE)
+              {
+              authenticated_sender = NULL;
+              originator_name = US"";
+              f.sender_local = FALSE;
+              }
+
+            if (filter_test != FTEST_NONE)
+              printf("Sender taken from \"From \" line\n");
+            }
+          }
+        }
+      }
+    }
+
+  /* Not a leading "From " line. Check to see if it is a valid header line.
+  Header names may contain any non-control characters except space and colon,
+  amazingly. */
+
+  else
+    {
+    uschar * p = next->text;
+
+    /* If not a valid header line, break from the header reading loop, leaving
+    next != NULL, indicating that it holds the first line of the body. */
+
+    if (isspace(*p)) break;
+    while (mac_isgraph(*p) && *p != ':') p++;
+    while (isspace(*p)) p++;
+    if (*p != ':')
+      {
+      body_zerocount = had_zero;
+      break;
+      }
+
+    /* We have a valid header line. If there were any binary zeroes in
+    the line, stomp on them here. */
+
+    if (had_zero > 0)
+      for (uschar * p = next->text; p < next->text + ptr; p++) if (*p == 0)
+       	*p = '?';
+
+    /* It is perfectly legal to have an empty continuation line
+    at the end of a header, but it is confusing to humans
+    looking at such messages, since it looks like a blank line.
+    Reduce confusion by removing redundant white space at the
+    end. We know that there is at least one printing character
+    (the ':' tested for above) so there is no danger of running
+    off the end. */
+
+    p = next->text + ptr - 2;
+    for (;;)
+      {
+      while (*p == ' ' || *p == '\t') p--;
+      if (*p != '\n') break;
+      ptr = (p--) - next->text + 1;
+      message_size -= next->slen - ptr;
+      next->text[ptr] = 0;
+      next->slen = ptr;
+      }
+
+    /* Add the header to the chain */
+
+    next->type = htype_other;
+    next->next = NULL;
+    header_last->next = next;
+    header_last = next;
+
+    /* Check the limit for individual line lengths. This comes after adding to
+    the chain so that the failing line is reflected if a bounce is generated
+    (for a local message). */
+
+    if (header_line_maxsize > 0 && next->slen > header_line_maxsize)
+      {
+      log_write(0, LOG_MAIN, "overlong message header line received from "
+        "%s (more than %d characters): message abandoned",
+        f.sender_host_unknown ? sender_ident : sender_fullhost,
+        header_line_maxsize);
+
+      if (smtp_input)
+        {
+        smtp_reply = US"552 A message header line is too long";
+        receive_swallow_smtp();
+        goto TIDYUP;                             /* Skip to end of function */
+        }
+
+      else
+        give_local_error(ERRMESS_VLONGHDRLINE,
+          string_sprintf("message header line longer than %d characters "
+           "received: message not accepted", header_line_maxsize), US"",
+           error_rc, stdin, header_list->next);
+        /* Does not return */
+      }
+
+    /* Note if any resent- fields exist. */
+
+    if (!resents_exist && strncmpic(next->text, US"resent-", 7) == 0)
+      {
+      resents_exist = TRUE;
+      resent_prefix = US"Resent-";
+      }
+    }
+
+  /* Reject CHUNKING messages that do not CRLF their first header line */
+
+  if (!first_line_ended_crlf && chunking_state > CHUNKING_OFFERED)
+    {
+    log_write(L_size_reject, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
+      "Non-CRLF-terminated header, under CHUNKING: message abandoned",
+      sender_address,
+      sender_fullhost ? " H=" : "", sender_fullhost ? sender_fullhost : US"",
+      sender_ident ? " U=" : "",    sender_ident ? sender_ident : US"");
+    smtp_printf("552 Message header not CRLF terminated\r\n", FALSE);
+    bdat_flush_data();
+    smtp_reply = US"";
+    goto TIDYUP;                             /* Skip to end of function */
+    }
+
+  /* The line has been handled. If we have hit EOF, break out of the loop,
+  indicating no pending data line and no more data for the message */
+
+  if (ch < 0)
+    {
+    next = NULL;
+    if (ch == EOF)	message_ended = END_DOT;
+    else if (ch == ERR) message_ended = END_PROTOCOL;
+    break;
+    }
+
+  /* Set up for the next header */
+
+  reset_point = store_mark();
+  header_size = 256;
+  next = store_get(sizeof(header_line), GET_UNTAINTED);
+  next->text = store_get(header_size, GET_TAINTED);
+  ptr = 0;
+  had_zero = 0;
+  prevlines_length = 0;
+  }      /* Continue, starting to read the next header */
+
+/* At this point, we have read all the headers into a data structure in main
+store. The first header is still the dummy placeholder for the Received: header
+we are going to generate a bit later on. If next != NULL, it contains the first
+data line - which terminated the headers before reaching a blank line (not the
+normal case). */
+
+DEBUG(D_receive)
+  {
+  debug_printf(">>Headers received:\n");
+  for (header_line * h = header_list->next; h; h = h->next)
+    debug_printf("%s", h->text);
+  debug_printf("\n");
+  }
+
+/* End of file on any SMTP connection is an error. If an incoming SMTP call
+is dropped immediately after valid headers, the next thing we will see is EOF.
+We must test for this specially, as further down the reading of the data is
+skipped if already at EOF.
+In CHUNKING mode, a protocol error makes us give up on the message. */
+
+if (smtp_input)
+  if ((receive_feof)())
+    {
+    smtp_reply = handle_lost_connection(US" (after header)");
+    smtp_yield = FALSE;
+    goto TIDYUP;			/* Skip to end of function */
+    }
+  else if (message_ended == END_PROTOCOL)
+    {
+    smtp_reply = US"";			/* no reply needed */
+    goto TIDYUP;
+    }
+
+/* If this is a filter test run and no headers were read, output a warning
+in case there is a mistake in the test message. */
+
+if (filter_test != FTEST_NONE && header_list->next == NULL)
+  printf("Warning: no message headers read\n");
+
+
+/* Scan the headers to identify them. Some are merely marked for later
+processing; some are dealt with here. */
+
+for (header_line * h = header_list->next; h; h = h->next)
+  {
+  BOOL is_resent = strncmpic(h->text, US"resent-", 7) == 0;
+  if (is_resent) contains_resent_headers = TRUE;
+
+  switch (header_checkname(h, is_resent))
+    {
+    case htype_bcc:
+      h->type = htype_bcc;        /* Both Bcc: and Resent-Bcc: */
+      break;
+
+    case htype_cc:
+      h->type = htype_cc;         /* Both Cc: and Resent-Cc: */
+      break;
+
+      /* Record whether a Date: or Resent-Date: header exists, as appropriate. */
+
+    case htype_date:
+      if (!resents_exist || is_resent) date_header_exists = TRUE;
+      break;
+
+      /* Same comments as about Return-Path: below. */
+
+    case htype_delivery_date:
+      if (delivery_date_remove) h->type = htype_old;
+      break;
+
+      /* Same comments as about Return-Path: below. */
+
+    case htype_envelope_to:
+      if (envelope_to_remove) h->type = htype_old;
+      break;
+
+      /* Mark all "From:" headers so they get rewritten. Save the one that is to
+      be used for Sender: checking. For Sendmail compatibility, if the "From:"
+      header consists of just the login id of the user who called Exim, rewrite
+      it with the gecos field first. Apply this rule to Resent-From: if there
+      are resent- fields. */
+
+    case htype_from:
+      h->type = htype_from;
+      if (!resents_exist || is_resent)
+	{
+	from_header = h;
+	if (!smtp_input)
+	  {
+	  int len;
+	  uschar *s = Ustrchr(h->text, ':') + 1;
+	  while (isspace(*s)) s++;
+	  len = h->slen - (s - h->text) - 1;
+	  if (Ustrlen(originator_login) == len &&
+	      strncmpic(s, originator_login, len) == 0)
+	    {
+	    uschar *name = is_resent? US"Resent-From" : US"From";
+	    header_add(htype_from, "%s: %s <%s@%s>\n", name, originator_name,
+	      originator_login, qualify_domain_sender);
+	    from_header = header_last;
+	    h->type = htype_old;
+	    DEBUG(D_receive|D_rewrite)
+	      debug_printf("rewrote \"%s:\" header using gecos\n", name);
+	   }
+	  }
+	}
+      break;
+
+      /* Identify the Message-id: header for generating "in-reply-to" in the
+      autoreply transport. For incoming logging, save any resent- value. In both
+      cases, take just the first of any multiples. */
+
+    case htype_id:
+      if (!msgid_header && (!resents_exist || is_resent))
+	{
+	msgid_header = h;
+	h->type = htype_id;
+	}
+      break;
+
+      /* Flag all Received: headers */
+
+    case htype_received:
+      h->type = htype_received;
+      received_count++;
+      break;
+
+      /* "Reply-to:" is just noted (there is no resent-reply-to field) */
+
+    case htype_reply_to:
+      h->type = htype_reply_to;
+      break;
+
+      /* The Return-path: header is supposed to be added to messages when
+      they leave the SMTP system. We shouldn't receive messages that already
+      contain Return-path. However, since Exim generates Return-path: on
+      local delivery, resent messages may well contain it. We therefore
+      provide an option (which defaults on) to remove any Return-path: headers
+      on input. Removal actually means flagging as "old", which prevents the
+      header being transmitted with the message. */
+
+    case htype_return_path:
+      if (return_path_remove) h->type = htype_old;
+
+      /* If we are testing a mail filter file, use the value of the
+      Return-Path: header to set up the return_path variable, which is not
+      otherwise set. However, remove any <> that surround the address
+      because the variable doesn't have these. */
+
+      if (filter_test != FTEST_NONE)
+	{
+	uschar *start = h->text + 12;
+	uschar *end = start + Ustrlen(start);
+	while (isspace(*start)) start++;
+	while (end > start && isspace(end[-1])) end--;
+	if (*start == '<' && end[-1] == '>')
+	  {
+	  start++;
+	  end--;
+	  }
+	return_path = string_copyn(start, end - start);
+	printf("Return-path taken from \"Return-path:\" header line\n");
+	}
+      break;
+
+    /* If there is a "Sender:" header and the message is locally originated,
+    and from an untrusted caller and suppress_local_fixups is not set, or if we
+    are in submission mode for a remote message, mark it "old" so that it will
+    not be transmitted with the message, unless active_local_sender_retain is
+    set. (This can only be true if active_local_from_check is false.) If there
+    are any resent- headers in the message, apply this rule to Resent-Sender:
+    instead of Sender:. Messages with multiple resent- header sets cannot be
+    tidily handled. (For this reason, at least one MUA - Pine - turns old
+    resent- headers into X-resent- headers when resending, leaving just one
+    set.) */
+
+    case htype_sender:
+      h->type =    !f.active_local_sender_retain
+		&& (  f.sender_local && !f.trusted_caller && !f.suppress_local_fixups
+		   || f.submission_mode
+		   )
+		&& (!resents_exist || is_resent)
+	? htype_old : htype_sender;
+      break;
+
+      /* Remember the Subject: header for logging. There is no Resent-Subject */
+
+    case htype_subject:
+      subject_header = h;
+      break;
+
+      /* "To:" gets flagged, and the existence of a recipient header is noted,
+      whether it's resent- or not. */
+
+    case htype_to:
+      h->type = htype_to;
+      /****
+      to_or_cc_header_exists = TRUE;
+      ****/
+      break;
+    }
+  }
+
+/* Extract recipients from the headers if that is required (the -t option).
+Note that this is documented as being done *before* any address rewriting takes
+place. There are two possibilities:
+
+(1) According to sendmail documentation for Solaris, IRIX, and HP-UX, any
+recipients already listed are to be REMOVED from the message. Smail 3 works
+like this. We need to build a non-recipients tree for that list, because in
+subsequent processing this data is held in a tree and that's what the
+spool_write_header() function expects. Make sure that non-recipient addresses
+are fully qualified and rewritten if necessary.
+
+(2) According to other sendmail documentation, -t ADDS extracted recipients to
+those in the command line arguments (and it is rumoured some other MTAs do
+this). Therefore, there is an option to make Exim behave this way.
+
+*** Notes on "Resent-" header lines ***
+
+The presence of resent-headers in the message makes -t horribly ambiguous.
+Experiments with sendmail showed that it uses recipients for all resent-
+headers, totally ignoring the concept of "sets of resent- headers" as described
+in RFC 2822 section 3.6.6. Sendmail also amalgamates them into a single set
+with all the addresses in one instance of each header.
+
+This seems to me not to be at all sensible. Before release 4.20, Exim 4 gave an
+error for -t if there were resent- headers in the message. However, after a
+discussion on the mailing list, I've learned that there are MUAs that use
+resent- headers with -t, and also that the stuff about sets of resent- headers
+and their ordering in RFC 2822 is generally ignored. An MUA that submits a
+message with -t and resent- header lines makes sure that only *its* resent-
+headers are present; previous ones are often renamed as X-resent- for example.
+
+Consequently, Exim has been changed so that, if any resent- header lines are
+present, the recipients are taken from all of the appropriate resent- lines,
+and not from the ordinary To:, Cc:, etc. */
+
+if (extract_recip)
+  {
+  int rcount = 0;
+  error_block **bnext = &bad_addresses;
+
+  if (extract_addresses_remove_arguments)
+    {
+    while (recipients_count-- > 0)
+      {
+      const uschar * s = rewrite_address(recipients_list[recipients_count].address,
+        TRUE, TRUE, global_rewrite_rules, rewrite_existflags);
+      tree_add_nonrecipient(s);
+      }
+    recipients_list = NULL;
+    recipients_count = recipients_list_max = 0;
+    }
+
+  /* Now scan the headers */
+
+  for (header_line * h = header_list->next; h; h = h->next)
+    {
+    if ((h->type == htype_to || h->type == htype_cc || h->type == htype_bcc) &&
+        (!contains_resent_headers || strncmpic(h->text, US"resent-", 7) == 0))
+      {
+      uschar *s = Ustrchr(h->text, ':') + 1;
+      while (isspace(*s)) s++;
+
+      f.parse_allow_group = TRUE;          /* Allow address group syntax */
+
+      while (*s != 0)
+        {
+        uschar *ss = parse_find_address_end(s, FALSE);
+        uschar *recipient, *errmess, *pp;
+        int start, end, domain;
+
+        /* Check on maximum */
+
+        if (recipients_max > 0 && ++rcount > recipients_max)
+          give_local_error(ERRMESS_TOOMANYRECIP, US"too many recipients",
+            US"message rejected: ", error_rc, stdin, NULL);
+          /* Does not return */
+
+        /* Make a copy of the address, and remove any internal newlines. These
+        may be present as a result of continuations of the header line. The
+        white space that follows the newline must not be removed - it is part
+        of the header. */
+
+        pp = recipient = store_get(ss - s + 1, s);
+        for (uschar * p = s; p < ss; p++) if (*p != '\n') *pp++ = *p;
+        *pp = 0;
+
+#ifdef SUPPORT_I18N
+	{
+	BOOL b = allow_utf8_domains;
+	allow_utf8_domains = TRUE;
+#endif
+        recipient = parse_extract_address(recipient, &errmess, &start, &end,
+          &domain, FALSE);
+
+#ifdef SUPPORT_I18N
+        if (recipient)
+          if (string_is_utf8(recipient)) message_smtputf8 = TRUE;
+          else allow_utf8_domains = b;
+	}
+#else
+        ;
+#endif
+
+        /* Keep a list of all the bad addresses so we can send a single
+        error message at the end. However, an empty address is not an error;
+        just ignore it. This can come from an empty group list like
+
+          To: Recipients of list:;
+
+        If there are no recipients at all, an error will occur later. */
+
+        if (!recipient && Ustrcmp(errmess, "empty address") != 0)
+          {
+          int len = Ustrlen(s);
+          error_block * b = store_get(sizeof(error_block), GET_UNTAINTED);
+          while (len > 0 && isspace(s[len-1])) len--;
+          b->next = NULL;
+          b->text1 = string_printing(string_copyn(s, len));
+          b->text2 = errmess;
+          *bnext = b;
+          bnext = &(b->next);
+          }
+
+        /* If the recipient is already in the nonrecipients tree, it must
+        have appeared on the command line with the option extract_addresses_
+        remove_arguments set. Do not add it to the recipients, and keep a note
+        that this has happened, in order to give a better error if there are
+        no recipients left. */
+
+        else if (recipient != NULL)
+          {
+          if (tree_search(tree_nonrecipients, recipient) == NULL)
+            receive_add_recipient(recipient, -1);
+          else
+            extracted_ignored = TRUE;
+          }
+
+        /* Move on past this address */
+
+        s = ss + (*ss? 1:0);
+        while (isspace(*s)) s++;
+        }    /* Next address */
+
+      f.parse_allow_group = FALSE;      /* Reset group syntax flags */
+      f.parse_found_group = FALSE;
+
+      /* If this was the bcc: header, mark it "old", which means it
+      will be kept on the spool, but not transmitted as part of the
+      message. */
+
+      if (h->type == htype_bcc) h->type = htype_old;
+      }   /* For appropriate header line */
+    }     /* For each header line */
+
+  }
+
+/* Now build the unique message id. This has changed several times over the
+lifetime of Exim. This description was rewritten for Exim 4.14 (February 2003).
+Retaining all the history in the comment has become too unwieldy - read
+previous release sources if you want it.
+
+The message ID has 3 parts: tttttt-pppppp-ss. Each part is a number in base 62.
+The first part is the current time, in seconds. The second part is the current
+pid. Both are large enough to hold 32-bit numbers in base 62. The third part
+can hold a number in the range 0-3843. It used to be a computed sequence
+number, but is now the fractional component of the current time in units of
+1/2000 of a second (i.e. a value in the range 0-1999). After a message has been
+received, Exim ensures that the timer has ticked at the appropriate level
+before proceeding, to avoid duplication if the pid happened to be re-used
+within the same time period. It seems likely that most messages will take at
+least half a millisecond to be received, so no delay will normally be
+necessary. At least for some time...
+
+There is a modification when localhost_number is set. Formerly this was allowed
+to be as large as 255. Now it is restricted to the range 0-16, and the final
+component of the message id becomes (localhost_number * 200) + fractional time
+in units of 1/200 of a second (i.e. a value in the range 0-3399).
+
+Some not-really-Unix operating systems use case-insensitive file names (Darwin,
+Cygwin). For these, we have to use base 36 instead of base 62. Luckily, this
+still allows the tttttt field to hold a large enough number to last for some
+more decades, and the final two-digit field can hold numbers up to 1295, which
+is enough for milliseconds (instead of 1/2000 of a second).
+
+However, the pppppp field cannot hold a 32-bit pid, but it can hold a 31-bit
+pid, so it is probably safe because pids have to be positive. The
+localhost_number is restricted to 0-10 for these hosts, and when it is set, the
+final field becomes (localhost_number * 100) + fractional time in centiseconds.
+
+Note that string_base62() returns its data in a static storage block, so it
+must be copied before calling string_base62() again. It always returns exactly
+6 characters.
+
+There doesn't seem to be anything in the RFC which requires a message id to
+start with a letter, but Smail was changed to ensure this. The external form of
+the message id (as supplied by string expansion) therefore starts with an
+additional leading 'E'. The spool file names do not include this leading
+letter and it is not used internally.
+
+NOTE: If ever the format of message ids is changed, the regular expression for
+checking that a string is in this format must be updated in a corresponding
+way. It appears in the initializing code in exim.c. The macro MESSAGE_ID_LENGTH
+must also be changed to reflect the correct string length. The queue-sort code
+needs to know the layout. Then, of course, other programs that rely on the
+message id format will need updating too. */
+
+Ustrncpy(message_id, string_base62((long int)(message_id_tv.tv_sec)), 6);
+message_id[6] = '-';
+Ustrncpy(message_id + 7, string_base62((long int)getpid()), 6);
+
+/* Deal with the case where the host number is set. The value of the number was
+checked when it was read, to ensure it isn't too big. */
+
+if (host_number_string)
+  sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s",
+    string_base62((long int)(
+      host_number * (1000000/id_resolution) +
+        message_id_tv.tv_usec/id_resolution)) + 4);
+
+/* Host number not set: final field is just the fractional time at an
+appropriate resolution. */
+
+else
+  sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s",
+    string_base62((long int)(message_id_tv.tv_usec/id_resolution)) + 4);
+
+/* Add the current message id onto the current process info string if
+it will fit. */
+
+(void)string_format(process_info + process_info_len,
+  PROCESS_INFO_SIZE - process_info_len, " id=%s", message_id);
+
+/* If we are using multiple input directories, set up the one for this message
+to be the least significant base-62 digit of the time of arrival. Otherwise
+ensure that it is an empty string. */
+
+set_subdir_str(message_subdir, message_id, 0);
+
+/* Now that we have the message-id, if there is no message-id: header, generate
+one, but only for local (without suppress_local_fixups) or submission mode
+messages. This can be user-configured if required, but we had better flatten
+any illegal characters therein. */
+
+if (  !msgid_header
+   && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode))
+  {
+  uschar *id_text = US"";
+  uschar *id_domain = primary_hostname;
+  header_line * h;
+
+  /* Permit only letters, digits, dots, and hyphens in the domain */
+
+  if (message_id_domain)
+    {
+    uschar *new_id_domain = expand_string(message_id_domain);
+    if (!new_id_domain)
+      {
+      if (!f.expand_string_forcedfail)
+        log_write(0, LOG_MAIN|LOG_PANIC,
+          "expansion of \"%s\" (message_id_header_domain) "
+          "failed: %s", message_id_domain, expand_string_message);
+      }
+    else if (*new_id_domain)
+      {
+      id_domain = new_id_domain;
+      for (uschar * p = id_domain; *p; p++)
+        if (!isalnum(*p) && *p != '.') *p = '-';  /* No need to test '-' ! */
+      }
+    }
+
+  /* Permit all characters except controls and RFC 2822 specials in the
+  additional text part. */
+
+  if (message_id_text)
+    {
+    uschar *new_id_text = expand_string(message_id_text);
+    if (!new_id_text)
+      {
+      if (!f.expand_string_forcedfail)
+        log_write(0, LOG_MAIN|LOG_PANIC,
+          "expansion of \"%s\" (message_id_header_text) "
+          "failed: %s", message_id_text, expand_string_message);
+      }
+    else if (*new_id_text)
+      {
+      id_text = new_id_text;
+      for (uschar * p = id_text; *p; p++) if (mac_iscntrl_or_special(*p)) *p = '-';
+      }
+    }
+
+  /* Add the header line.
+  Resent-* headers are prepended, per RFC 5322 3.6.6.  Non-Resent-* are
+  appended, to preserve classical expectations of header ordering. */
+
+  h = header_add_at_position_internal(!resents_exist, NULL, FALSE, htype_id,
+    "%sMessage-Id: <%s%s%s@%s>\n", resent_prefix, message_id_external,
+    *id_text == 0 ? "" : ".", id_text, id_domain);
+
+  /* Arrange for newly-created Message-Id to be logged */
+
+  if (!resents_exist)
+    {
+    msgid_header_newly_created = TRUE;
+    msgid_header = h;
+    }
+  }
+
+/* If we are to log recipients, keep a copy of the raw ones before any possible
+rewriting. Must copy the count, because later ACLs and the local_scan()
+function may mess with the real recipients. */
+
+if (LOGGING(received_recipients))
+  {
+  raw_recipients = store_get(recipients_count * sizeof(uschar *), GET_UNTAINTED);
+  for (int i = 0; i < recipients_count; i++)
+    raw_recipients[i] = string_copy(recipients_list[i].address);
+  raw_recipients_count = recipients_count;
+  }
+
+/* Ensure the recipients list is fully qualified and rewritten. Unqualified
+recipients will get here only if the conditions were right (allow_unqualified_
+recipient is TRUE). */
+
+DEBUG(D_rewrite)
+  { debug_printf_indent("qualify & rewrite recipients list\n"); acl_level++; }
+for (int i = 0; i < recipients_count; i++)
+  recipients_list[i].address =	/* deconst ok as src was not cont */
+    US rewrite_address(recipients_list[i].address, TRUE, TRUE,
+      global_rewrite_rules, rewrite_existflags);
+DEBUG(D_rewrite) acl_level--;
+
+/* If there is no From: header, generate one for local (without
+suppress_local_fixups) or submission_mode messages. If there is no sender
+address, but the sender is local or this is a local delivery error, use the
+originator login. This shouldn't happen for genuine bounces, but might happen
+for autoreplies. The addition of From: must be done *before* checking for the
+possible addition of a Sender: header, because untrusted_set_sender allows an
+untrusted user to set anything in the envelope (which might then get info
+From:) but we still want to ensure a valid Sender: if it is required. */
+
+if (  !from_header
+   && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode))
+  {
+  const uschar * oname = US"";
+
+  /* Use the originator_name if this is a locally submitted message and the
+  caller is not trusted. For trusted callers, use it only if -F was used to
+  force its value or if we have a non-SMTP message for which -f was not used
+  to set the sender. */
+
+  if (!sender_host_address)
+    {
+    if (!f.trusted_caller || f.sender_name_forced ||
+         (!smtp_input && !f.sender_address_forced))
+      oname = originator_name;
+    }
+
+  /* For non-locally submitted messages, the only time we use the originator
+  name is when it was forced by the /name= option on control=submission. */
+
+  else if (submission_name) oname = submission_name;
+
+  /* Envelope sender is empty */
+
+  if (!*sender_address)
+    {
+    uschar *fromstart, *fromend;
+
+    fromstart = string_sprintf("%sFrom: %s%s",
+      resent_prefix, oname, *oname ? " <" : "");
+    fromend = *oname ? US">" : US"";
+
+    if (f.sender_local || f.local_error_message)
+      header_add(htype_from, "%s%s@%s%s\n", fromstart,
+        local_part_quote(originator_login), qualify_domain_sender,
+        fromend);
+
+    else if (f.submission_mode && authenticated_id)
+      {
+      if (!submission_domain)
+        header_add(htype_from, "%s%s@%s%s\n", fromstart,
+          local_part_quote(authenticated_id), qualify_domain_sender,
+          fromend);
+
+      else if (!*submission_domain)  /* empty => whole address set */
+        header_add(htype_from, "%s%s%s\n", fromstart, authenticated_id,
+          fromend);
+
+      else
+        header_add(htype_from, "%s%s@%s%s\n", fromstart,
+          local_part_quote(authenticated_id), submission_domain, fromend);
+
+      from_header = header_last;    /* To get it checked for Sender: */
+      }
+    }
+
+  /* There is a non-null envelope sender. Build the header using the original
+  sender address, before any rewriting that might have been done while
+  verifying it. */
+
+  else
+    {
+    header_add(htype_from, "%sFrom: %s%s%s%s\n", resent_prefix,
+      oname,
+      *oname ? " <" : "",
+      sender_address_unrewritten ? sender_address_unrewritten : sender_address,
+      *oname ? ">" : "");
+
+    from_header = header_last;    /* To get it checked for Sender: */
+    }
+  }
+
+
+/* If the sender is local (without suppress_local_fixups), or if we are in
+submission mode and there is an authenticated_id, check that an existing From:
+is correct, and if not, generate a Sender: header, unless disabled. Any
+previously-existing Sender: header was removed above. Note that sender_local,
+as well as being TRUE if the caller of exim is not trusted, is also true if a
+trusted caller did not supply a -f argument for non-smtp input. To allow
+trusted callers to forge From: without supplying -f, we have to test explicitly
+here. If the From: header contains more than one address, then the call to
+parse_extract_address fails, and a Sender: header is inserted, as required. */
+
+if (  from_header
+   && (  f.active_local_from_check
+      && (  f.sender_local && !f.trusted_caller && !f.suppress_local_fixups
+	 || f.submission_mode && authenticated_id
+   )  )  )
+  {
+  BOOL make_sender = TRUE;
+  int start, end, domain;
+  uschar *errmess;
+  uschar *from_address =
+    parse_extract_address(Ustrchr(from_header->text, ':') + 1, &errmess,
+      &start, &end, &domain, FALSE);
+  uschar *generated_sender_address;
+
+  generated_sender_address = f.submission_mode
+    ? !submission_domain
+    ? string_sprintf("%s@%s",
+	local_part_quote(authenticated_id), qualify_domain_sender)
+    : !*submission_domain			/* empty => full address */
+    ? string_sprintf("%s", authenticated_id)
+    : string_sprintf("%s@%s",
+	local_part_quote(authenticated_id), submission_domain)
+    : string_sprintf("%s@%s",
+	local_part_quote(originator_login), qualify_domain_sender);
+
+  /* Remove permitted prefixes and suffixes from the local part of the From:
+  address before doing the comparison with the generated sender. */
+
+  if (from_address)
+    {
+    int slen;
+    uschar *at = domain ? from_address + domain - 1 : NULL;
+
+    if (at) *at = 0;
+    from_address += route_check_prefix(from_address, local_from_prefix, NULL);
+    if ((slen = route_check_suffix(from_address, local_from_suffix, NULL)) > 0)
+      {
+      memmove(from_address+slen, from_address, Ustrlen(from_address)-slen);
+      from_address += slen;
+      }
+    if (at) *at = '@';
+
+    if (  strcmpic(generated_sender_address, from_address) == 0
+       || (!domain && strcmpic(from_address, originator_login) == 0))
+        make_sender = FALSE;
+    }
+
+  /* We have to cause the Sender header to be rewritten if there are
+  appropriate rewriting rules. */
+
+  if (make_sender)
+    if (f.submission_mode && !submission_name)
+      header_add(htype_sender, "%sSender: %s\n", resent_prefix,
+        generated_sender_address);
+    else
+      header_add(htype_sender, "%sSender: %s <%s>\n",
+        resent_prefix,
+        f.submission_mode ? submission_name : originator_name,
+        generated_sender_address);
+
+  /* Ensure that a non-null envelope sender address corresponds to the
+  submission mode sender address. */
+
+  if (f.submission_mode && *sender_address)
+    {
+    if (!sender_address_unrewritten)
+      sender_address_unrewritten = sender_address;
+    sender_address = generated_sender_address;
+    if (Ustrcmp(sender_address_unrewritten, generated_sender_address) != 0)
+      log_write(L_address_rewrite, LOG_MAIN,
+        "\"%s\" from env-from rewritten as \"%s\" by submission mode",
+        sender_address_unrewritten, generated_sender_address);
+    }
+  }
+
+/* If there are any rewriting rules, apply them to the sender address, unless
+it has already been rewritten as part of verification for SMTP input. */
+
+DEBUG(D_rewrite)
+  { debug_printf("global rewrite rules\n"); acl_level++; }
+if (global_rewrite_rules && !sender_address_unrewritten && *sender_address)
+  {
+  /* deconst ok as src was not const */
+  sender_address = US rewrite_address(sender_address, FALSE, TRUE,
+    global_rewrite_rules, rewrite_existflags);
+  DEBUG(D_receive|D_rewrite)
+    debug_printf("rewritten sender = %s\n", sender_address);
+  }
+DEBUG(D_rewrite) acl_level--;
+
+
+/* The headers must be run through rewrite_header(), because it ensures that
+addresses are fully qualified, as well as applying any rewriting rules that may
+exist.
+
+Qualification of header addresses in a message from a remote host happens only
+if the host is in sender_unqualified_hosts or recipient_unqualified hosts, as
+appropriate. For local messages, qualification always happens, unless -bnq is
+used to explicitly suppress it. No rewriting is done for an unqualified address
+that is left untouched.
+
+We start at the second header, skipping our own Received:. This rewriting is
+documented as happening *after* recipient addresses are taken from the headers
+by the -t command line option. An added Sender: gets rewritten here. */
+
+DEBUG(D_rewrite)
+  { debug_printf("rewrite headers\n"); acl_level++; }
+for (header_line * h = header_list->next, * newh; h; h = h->next)
+  if ((newh = rewrite_header(h, NULL, NULL, global_rewrite_rules,
+			      rewrite_existflags, TRUE)))
+    h = newh;
+DEBUG(D_rewrite) acl_level--;
+
+
+/* An RFC 822 (sic) message is not legal unless it has at least one of "to",
+"cc", or "bcc". Note that although the minimal examples in RFC 822 show just
+"to" or "bcc", the full syntax spec allows "cc" as well. If any resent- header
+exists, this applies to the set of resent- headers rather than the normal set.
+
+The requirement for a recipient header has been removed in RFC 2822. At this
+point in the code, earlier versions of Exim added a To: header for locally
+submitted messages, and an empty Bcc: header for others. In the light of the
+changes in RFC 2822, this was dropped in November 2003. */
+
+
+/* If there is no date header, generate one if the message originates locally
+(i.e. not over TCP/IP) and suppress_local_fixups is not set, or if the
+submission mode flag is set. Messages without Date: are not valid, but it seems
+to be more confusing if Exim adds one to all remotely-originated messages.
+As per Message-Id, we prepend if resending, else append.
+*/
+
+if (  !date_header_exists
+   && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode))
+  header_add_at_position(!resents_exist, NULL, FALSE, htype_other,
+    "%sDate: %s\n", resent_prefix, tod_stamp(tod_full));
+
+search_tidyup();    /* Free any cached resources */
+
+/* Show the complete set of headers if debugging. Note that the first one (the
+new Received:) has not yet been set. */
+
+DEBUG(D_receive)
+  {
+  debug_printf(">>Headers after rewriting and local additions:\n");
+  for (header_line * h = header_list->next; h; h = h->next)
+    debug_printf("%c %s", h->type, h->text);
+  debug_printf("\n");
+  }
+
+/* The headers are now complete in store. If we are running in filter
+testing mode, that is all this function does. Return TRUE if the message
+ended with a dot. */
+
+if (filter_test != FTEST_NONE)
+  {
+  process_info[process_info_len] = 0;
+  return message_ended == END_DOT;
+  }
+
+/*XXX CHUNKING: need to cancel cutthrough under BDAT, for now.  In future,
+think more if it could be handled.  Cannot do onward CHUNKING unless
+inbound is, but inbound chunking ought to be ok with outbound plain.
+Could we do onward CHUNKING given inbound CHUNKING?
+*/
+if (chunking_state > CHUNKING_OFFERED)
+  cancel_cutthrough_connection(FALSE, US"chunking active");
+
+/* Cutthrough delivery:
+We have to create the Received header now rather than at the end of reception,
+so the timestamp behaviour is a change to the normal case.
+Having created it, send the headers to the destination. */
+
+if (cutthrough.cctx.sock >= 0 && cutthrough.delivery)
+  {
+  if (received_count > received_headers_max)
+    {
+    cancel_cutthrough_connection(TRUE, US"too many headers");
+    if (smtp_input) receive_swallow_smtp();  /* Swallow incoming SMTP */
+    log_write(0, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
+      "Too many \"Received\" headers",
+      sender_address,
+      sender_fullhost ? "H=" : "", sender_fullhost ? sender_fullhost : US"",
+      sender_ident ? "U=" : "", sender_ident ? sender_ident : US"");
+    message_id[0] = 0;                       /* Indicate no message accepted */
+    smtp_reply = US"550 Too many \"Received\" headers - suspected mail loop";
+    goto TIDYUP;                             /* Skip to end of function */
+    }
+  received_header_gen();
+  add_acl_headers(ACL_WHERE_RCPT, US"MAIL or RCPT");
+  (void) cutthrough_headers_send();
+  }
+
+
+/* Open a new spool file for the data portion of the message. We need
+to access it both via a file descriptor and a stream. Try to make the
+directory if it isn't there. */
+
+spool_name = spool_fname(US"input", message_subdir, message_id, US"-D");
+DEBUG(D_receive) debug_printf("Data file name: %s\n", spool_name);
+
+if ((data_fd = Uopen(spool_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE)) < 0)
+  {
+  if (errno == ENOENT)
+    {
+    (void) directory_make(spool_directory,
+		        spool_sname(US"input", message_subdir),
+			INPUT_DIRECTORY_MODE, TRUE);
+    data_fd = Uopen(spool_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE);
+    }
+  if (data_fd < 0)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to create spool file %s: %s",
+      spool_name, strerror(errno));
+  }
+
+/* Make sure the file's group is the Exim gid, and double-check the mode
+because the group setting doesn't always get set automatically. */
+
+if (0 != exim_fchown(data_fd, exim_uid, exim_gid, spool_name))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "Failed setting ownership on spool file %s: %s",
+    spool_name, strerror(errno));
+(void)fchmod(data_fd, SPOOL_MODE);
+
+/* We now have data file open. Build a stream for it and lock it. We lock only
+the first line of the file (containing the message ID) because otherwise there
+are problems when Exim is run under Cygwin (I'm told). See comments in
+spool_in.c, where the same locking is done. */
+
+spool_data_file = fdopen(data_fd, "w+");
+lock_data.l_type = F_WRLCK;
+lock_data.l_whence = SEEK_SET;
+lock_data.l_start = 0;
+lock_data.l_len = SPOOL_DATA_START_OFFSET;
+
+if (fcntl(data_fd, F_SETLK, &lock_data) < 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Cannot lock %s (%d): %s", spool_name,
+    errno, strerror(errno));
+
+/* We have an open, locked data file. Write the message id to it to make it
+self-identifying. Then read the remainder of the input of this message and
+write it to the data file. If the variable next != NULL, it contains the first
+data line (which was read as a header but then turned out not to have the right
+format); write it (remembering that it might contain binary zeros). The result
+of fwrite() isn't inspected; instead we call ferror() below. */
+
+fprintf(spool_data_file, "%s-D\n", message_id);
+if (next)
+  {
+  uschar *s = next->text;
+  int len = next->slen;
+  if (fwrite(s, 1, len, spool_data_file) == len) /* "if" for compiler quietening */
+    body_linecount++;                 /* Assumes only 1 line */
+  }
+
+/* Note that we might already be at end of file, or the logical end of file
+(indicated by '.'), or might have encountered an error while writing the
+message id or "next" line. */
+
+if (!ferror(spool_data_file) && !(receive_feof)() && message_ended != END_DOT)
+  {
+  if (smtp_input)
+    {
+    message_ended = chunking_state <= CHUNKING_OFFERED
+      ? read_message_data_smtp(spool_data_file)
+      : spool_wireformat
+      ? read_message_bdat_smtp_wire(spool_data_file)
+      : read_message_bdat_smtp(spool_data_file);
+    receive_linecount++;                /* The terminating "." line */
+    }
+  else
+    message_ended = read_message_data(spool_data_file);
+
+  receive_linecount += body_linecount;  /* For BSMTP errors mainly */
+  message_linecount += body_linecount;
+
+  switch (message_ended)
+    {
+    /* Handle premature termination of SMTP */
+
+    case END_EOF:
+      if (smtp_input)
+	{
+	Uunlink(spool_name);                 /* Lose data file when closed */
+	cancel_cutthrough_connection(TRUE, US"sender closed connection");
+	message_id[0] = 0;                   /* Indicate no message accepted */
+	smtp_reply = handle_lost_connection(US"");
+	smtp_yield = FALSE;
+	goto TIDYUP;                         /* Skip to end of function */
+	}
+      break;
+
+    /* Handle message that is too big. Don't use host_or_ident() in the log
+    message; we want to see the ident value even for non-remote messages. */
+
+    case END_SIZE:
+      Uunlink(spool_name);                /* Lose the data file when closed */
+      cancel_cutthrough_connection(TRUE, US"mail too big");
+      if (smtp_input) receive_swallow_smtp();  /* Swallow incoming SMTP */
+
+      log_write(L_size_reject, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
+	"message too big: read=%d max=%d",
+	sender_address,
+	sender_fullhost ? " H=" : "",
+	sender_fullhost ? sender_fullhost : US"",
+	sender_ident ? " U=" : "",
+	sender_ident ? sender_ident : US"",
+	message_size,
+	thismessage_size_limit);
+
+      if (smtp_input)
+	{
+	smtp_reply = US"552 Message size exceeds maximum permitted";
+	message_id[0] = 0;               /* Indicate no message accepted */
+	goto TIDYUP;                     /* Skip to end of function */
+	}
+      else
+	{
+	fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+	give_local_error(ERRMESS_TOOBIG,
+	  string_sprintf("message too big (max=%d)", thismessage_size_limit),
+	  US"message rejected: ", error_rc, spool_data_file, header_list);
+	/* Does not return */
+	}
+      break;
+
+    /* Handle bad BDAT protocol sequence */
+
+    case END_PROTOCOL:
+      Uunlink(spool_name);		/* Lose the data file when closed */
+      cancel_cutthrough_connection(TRUE, US"sender protocol error");
+      smtp_reply = US"";		/* Response already sent */
+      message_id[0] = 0;		/* Indicate no message accepted */
+      goto TIDYUP;			/* Skip to end of function */
+    }
+  }
+
+/* Restore the standard SIGALRM handler for any subsequent processing. (For
+example, there may be some expansion in an ACL that uses a timer.) */
+
+os_non_restarting_signal(SIGALRM, sigalrm_handler);
+
+/* The message body has now been read into the data file. Call fflush() to
+empty the buffers in C, and then call fsync() to get the data written out onto
+the disk, as fflush() doesn't do this (or at least, it isn't documented as
+having to do this). If there was an I/O error on either input or output,
+attempt to send an error message, and unlink the spool file. For non-SMTP input
+we can then give up. Note that for SMTP input we must swallow the remainder of
+the input in cases of output errors, since the far end doesn't expect to see
+anything until the terminating dot line is sent. */
+
+if (fflush(spool_data_file) == EOF || ferror(spool_data_file) ||
+    EXIMfsync(fileno(spool_data_file)) < 0 || (receive_ferror)())
+  {
+  uschar *msg_errno = US strerror(errno);
+  BOOL input_error = (receive_ferror)() != 0;
+  uschar *msg = string_sprintf("%s error (%s) while receiving message from %s",
+    input_error? "Input read" : "Spool write",
+    msg_errno,
+    sender_fullhost ? sender_fullhost : sender_ident);
+
+  log_write(0, LOG_MAIN, "Message abandoned: %s", msg);
+  Uunlink(spool_name);                /* Lose the data file */
+  cancel_cutthrough_connection(TRUE, US"error writing spoolfile");
+
+  if (smtp_input)
+    {
+    if (input_error)
+      smtp_reply = US"451 Error while reading input data";
+    else
+      {
+      smtp_reply = US"451 Error while writing spool file";
+      receive_swallow_smtp();
+      }
+    message_id[0] = 0;               /* Indicate no message accepted */
+    goto TIDYUP;                     /* Skip to end of function */
+    }
+
+  else
+    {
+    fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+    give_local_error(ERRMESS_IOERR, msg, US"", error_rc, spool_data_file,
+      header_list);
+    /* Does not return */
+    }
+  }
+
+
+/* No I/O errors were encountered while writing the data file. */
+
+DEBUG(D_receive) debug_printf("Data file written for message %s\n", message_id);
+gettimeofday(&received_time_complete, NULL);
+
+
+/* If there were any bad addresses extracted by -t, or there were no recipients
+left after -t, send a message to the sender of this message, or write it to
+stderr if the error handling option is set that way. Note that there may
+legitimately be no recipients for an SMTP message if they have all been removed
+by "discard".
+
+We need to rewind the data file in order to read it. In the case of no
+recipients or stderr error writing, throw the data file away afterwards, and
+exit. (This can't be SMTP, which always ensures there's at least one
+syntactically good recipient address.) */
+
+if (extract_recip && (bad_addresses || recipients_count == 0))
+  {
+  DEBUG(D_receive)
+    {
+    if (recipients_count == 0) debug_printf("*** No recipients\n");
+    if (bad_addresses)
+      {
+      debug_printf("*** Bad address(es)\n");
+      for (error_block * eblock = bad_addresses; eblock; eblock = eblock->next)
+        debug_printf("  %s: %s\n", eblock->text1, eblock->text2);
+      }
+    }
+
+  log_write(0, LOG_MAIN|LOG_PANIC, "%s %s found in headers",
+    message_id, bad_addresses ? "bad addresses" : "no recipients");
+
+  fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+
+  /* If configured to send errors to the sender, but this fails, force
+  a failure error code. We use a special one for no recipients so that it
+  can be detected by the autoreply transport. Otherwise error_rc is set to
+  errors_sender_rc, which is EXIT_FAILURE unless -oee was given, in which case
+  it is EXIT_SUCCESS. */
+
+  if (error_handling == ERRORS_SENDER)
+    {
+    if (!moan_to_sender(
+          bad_addresses
+	  ? recipients_list ? ERRMESS_BADADDRESS : ERRMESS_BADNOADDRESS
+	  : extracted_ignored ? ERRMESS_IGADDRESS : ERRMESS_NOADDRESS,
+          bad_addresses, header_list, spool_data_file, FALSE
+       )	       )
+      error_rc = bad_addresses ? EXIT_FAILURE : EXIT_NORECIPIENTS;
+    }
+  else
+    {
+    if (!bad_addresses)
+      if (extracted_ignored)
+        fprintf(stderr, "exim: all -t recipients overridden by command line\n");
+      else
+        fprintf(stderr, "exim: no recipients in message\n");
+    else
+      {
+      fprintf(stderr, "exim: invalid address%s",
+        bad_addresses->next ? "es:\n" : ":");
+      for ( ; bad_addresses; bad_addresses = bad_addresses->next)
+        fprintf(stderr, "  %s: %s\n", bad_addresses->text1,
+          bad_addresses->text2);
+      }
+    }
+
+  if (recipients_count == 0 || error_handling == ERRORS_STDERR)
+    {
+    Uunlink(spool_name);
+    (void)fclose(spool_data_file);
+    exim_exit(error_rc);
+    }
+  }
+
+/* Data file successfully written. Generate text for the Received: header by
+expanding the configured string, and adding a timestamp. By leaving this
+operation till now, we ensure that the timestamp is the time that message
+reception was completed. However, this is deliberately done before calling the
+data ACL and local_scan().
+
+This Received: header may therefore be inspected by the data ACL and by code in
+the local_scan() function. When they have run, we update the timestamp to be
+the final time of reception.
+
+If there is just one recipient, set up its value in the $received_for variable
+for use when we generate the Received: header.
+
+Note: the checking for too many Received: headers is handled by the delivery
+code. */
+/*XXX eventually add excess Received: check for cutthrough case back when classifying them */
+
+if (!received_header->text)	/* Non-cutthrough case */
+  {
+  received_header_gen();
+
+  /* Set the value of message_body_size for the DATA ACL and for local_scan() */
+
+  message_body_size = (fstat(data_fd, &statbuf) == 0)?
+    statbuf.st_size - SPOOL_DATA_START_OFFSET : -1;
+
+  /* If an ACL from any RCPT commands set up any warning headers to add, do so
+  now, before running the DATA ACL. */
+
+  add_acl_headers(ACL_WHERE_RCPT, US"MAIL or RCPT");
+  }
+else
+  message_body_size = (fstat(data_fd, &statbuf) == 0)?
+    statbuf.st_size - SPOOL_DATA_START_OFFSET : -1;
+
+/* If an ACL is specified for checking things at this stage of reception of a
+message, run it, unless all the recipients were removed by "discard" in earlier
+ACLs. That is the only case in which recipients_count can be zero at this
+stage. Set deliver_datafile to point to the data file so that $message_body and
+$message_body_end can be extracted if needed. Allow $recipients in expansions.
+*/
+
+deliver_datafile = data_fd;
+user_msg = NULL;
+
+f.enable_dollar_recipients = TRUE;
+
+if (recipients_count == 0)
+  blackholed_by = f.recipients_discarded ? US"MAIL ACL" : US"RCPT ACL";
+
+else
+  {
+  /* Handle interactive SMTP messages */
+
+  if (smtp_input && !smtp_batched_input)
+    {
+
+#ifndef DISABLE_DKIM
+    if (!f.dkim_disable_verify)
+      {
+      /* Finish verification */
+      dkim_exim_verify_finish();
+
+      /* Check if we must run the DKIM ACL */
+      if (acl_smtp_dkim && dkim_verify_signers && *dkim_verify_signers)
+        {
+        uschar * dkim_verify_signers_expanded =
+          expand_string(dkim_verify_signers);
+	gstring * results = NULL;
+	int signer_sep = 0;
+	const uschar * ptr;
+	uschar * item;
+	gstring * seen_items = NULL;
+	int old_pool = store_pool;
+
+	store_pool = POOL_PERM;   /* Allow created variables to live to data ACL */
+
+        if (!(ptr = dkim_verify_signers_expanded))
+          log_write(0, LOG_MAIN|LOG_PANIC,
+            "expansion of dkim_verify_signers option failed: %s",
+            expand_string_message);
+
+	/* Default to OK when no items are present */
+	rc = OK;
+	while ((item = string_nextinlist(&ptr, &signer_sep, NULL, 0)))
+	  {
+	  /* Prevent running ACL for an empty item */
+	  if (!item || !*item) continue;
+
+	  /* Only run ACL once for each domain or identity,
+	  no matter how often it appears in the expanded list. */
+	  if (seen_items)
+	    {
+	    uschar * seen_item;
+	    const uschar * seen_items_list = string_from_gstring(seen_items);
+	    int seen_sep = ':';
+	    BOOL seen_this_item = FALSE;
+
+	    while ((seen_item = string_nextinlist(&seen_items_list, &seen_sep,
+						  NULL, 0)))
+	      if (Ustrcmp(seen_item,item) == 0)
+		{
+		seen_this_item = TRUE;
+		break;
+		}
+
+	    if (seen_this_item)
+	      {
+	      DEBUG(D_receive)
+		debug_printf("acl_smtp_dkim: skipping signer %s, "
+		  "already seen\n", item);
+	      continue;
+	      }
+
+	    seen_items = string_catn(seen_items, US":", 1);
+	    }
+	  seen_items = string_cat(seen_items, item);
+
+	  rc = dkim_exim_acl_run(item, &results, &user_msg, &log_msg);
+	  if (rc != OK)
+	    {
+	    DEBUG(D_receive)
+	      debug_printf("acl_smtp_dkim: acl_check returned %d on %s, "
+		"skipping remaining items\n", rc, item);
+	    cancel_cutthrough_connection(TRUE, US"dkim acl not ok");
+	    break;
+	    }
+	  }
+	dkim_verify_status = string_from_gstring(results);
+	store_pool = old_pool;
+	add_acl_headers(ACL_WHERE_DKIM, US"DKIM");
+	if (rc == DISCARD)
+	  {
+	  recipients_count = 0;
+	  blackholed_by = US"DKIM ACL";
+	  if (log_msg)
+	    blackhole_log_msg = string_sprintf(": %s", log_msg);
+	  }
+	else if (rc != OK)
+	  {
+	  Uunlink(spool_name);
+	  if (smtp_handle_acl_fail(ACL_WHERE_DKIM, rc, user_msg, log_msg) != 0)
+	    smtp_yield = FALSE;    /* No more messages after dropped connection */
+	  smtp_reply = US"";       /* Indicate reply already sent */
+	  message_id[0] = 0;       /* Indicate no message accepted */
+	  goto TIDYUP;             /* Skip to end of function */
+	  }
+        }
+      else
+	dkim_exim_verify_log_all();
+      }
+#endif /* DISABLE_DKIM */
+
+#ifdef WITH_CONTENT_SCAN
+    if (  recipients_count > 0
+       && acl_smtp_mime
+       && !run_mime_acl(acl_smtp_mime, &smtp_yield, &smtp_reply, &blackholed_by)
+       )
+      goto TIDYUP;
+#endif /* WITH_CONTENT_SCAN */
+
+#ifdef SUPPORT_DMARC
+    dmarc_store_data(from_header);
+#endif
+
+#ifndef DISABLE_PRDR
+    if (prdr_requested && recipients_count > 1 && acl_smtp_data_prdr)
+      {
+      int all_pass = OK;
+      int all_fail = FAIL;
+
+      smtp_printf("353 PRDR content analysis beginning\r\n", TRUE);
+      /* Loop through recipients, responses must be in same order received */
+      for (unsigned int c = 0; recipients_count > c; c++)
+        {
+	uschar * addr= recipients_list[c].address;
+	uschar * msg= US"PRDR R=<%s> %s";
+	uschar * code;
+        DEBUG(D_receive)
+          debug_printf("PRDR processing recipient %s (%d of %d)\n",
+                       addr, c+1, recipients_count);
+        rc = acl_check(ACL_WHERE_PRDR, addr,
+                       acl_smtp_data_prdr, &user_msg, &log_msg);
+
+        /* If any recipient rejected content, indicate it in final message */
+        all_pass |= rc;
+        /* If all recipients rejected, indicate in final message */
+        all_fail &= rc;
+
+        switch (rc)
+          {
+          case OK: case DISCARD: code = US"250"; break;
+          case DEFER:            code = US"450"; break;
+          default:               code = US"550"; break;
+          }
+	if (user_msg != NULL)
+	  smtp_user_msg(code, user_msg);
+	else
+	  {
+	  switch (rc)
+            {
+            case OK: case DISCARD:
+              msg = string_sprintf(CS msg, addr, "acceptance");        break;
+            case DEFER:
+              msg = string_sprintf(CS msg, addr, "temporary refusal"); break;
+            default:
+              msg = string_sprintf(CS msg, addr, "refusal");           break;
+            }
+          smtp_user_msg(code, msg);
+	  }
+	if (log_msg)       log_write(0, LOG_MAIN, "PRDR %s %s", addr, log_msg);
+	else if (user_msg) log_write(0, LOG_MAIN, "PRDR %s %s", addr, user_msg);
+	else               log_write(0, LOG_MAIN, "%s", CS msg);
+
+	if (rc != OK) { receive_remove_recipient(addr); c--; }
+        }
+      /* Set up final message, used if data acl gives OK */
+      smtp_reply = string_sprintf("%s id=%s message %s",
+		       all_fail == FAIL ? US"550" : US"250",
+		       message_id,
+                       all_fail == FAIL
+		         ? US"rejected for all recipients"
+			 : all_pass == OK
+			   ? US"accepted"
+			   : US"accepted for some recipients");
+      if (recipients_count == 0)
+        {
+        message_id[0] = 0;       /* Indicate no message accepted */
+	goto TIDYUP;
+	}
+      }
+    else
+      prdr_requested = FALSE;
+#endif /* !DISABLE_PRDR */
+
+    /* Check the recipients count again, as the MIME ACL might have changed
+    them. */
+
+    if (acl_smtp_data != NULL && recipients_count > 0)
+      {
+      rc = acl_check(ACL_WHERE_DATA, NULL, acl_smtp_data, &user_msg, &log_msg);
+      add_acl_headers(ACL_WHERE_DATA, US"DATA");
+      if (rc == DISCARD)
+        {
+        recipients_count = 0;
+        blackholed_by = US"DATA ACL";
+        if (log_msg)
+          blackhole_log_msg = string_sprintf(": %s", log_msg);
+	cancel_cutthrough_connection(TRUE, US"data acl discard");
+        }
+      else if (rc != OK)
+        {
+        Uunlink(spool_name);
+	cancel_cutthrough_connection(TRUE, US"data acl not ok");
+#ifdef WITH_CONTENT_SCAN
+        unspool_mbox();
+#endif
+#ifdef EXPERIMENTAL_DCC
+	dcc_ok = 0;
+#endif
+        if (smtp_handle_acl_fail(ACL_WHERE_DATA, rc, user_msg, log_msg) != 0)
+          smtp_yield = FALSE;    /* No more messages after dropped connection */
+        smtp_reply = US"";       /* Indicate reply already sent */
+        message_id[0] = 0;       /* Indicate no message accepted */
+        goto TIDYUP;             /* Skip to end of function */
+        }
+      }
+    }
+
+  /* Handle non-SMTP and batch SMTP (i.e. non-interactive) messages. Note that
+  we cannot take different actions for permanent and temporary rejections. */
+
+  else
+    {
+
+#ifdef WITH_CONTENT_SCAN
+    if (  acl_not_smtp_mime
+       && !run_mime_acl(acl_not_smtp_mime, &smtp_yield, &smtp_reply,
+          &blackholed_by)
+       )
+      goto TIDYUP;
+#endif /* WITH_CONTENT_SCAN */
+
+    if (acl_not_smtp)
+      {
+      uschar *user_msg, *log_msg;
+      f.authentication_local = TRUE;
+      rc = acl_check(ACL_WHERE_NOTSMTP, NULL, acl_not_smtp, &user_msg, &log_msg);
+      if (rc == DISCARD)
+        {
+        recipients_count = 0;
+        blackholed_by = US"non-SMTP ACL";
+        if (log_msg)
+          blackhole_log_msg = string_sprintf(": %s", log_msg);
+        }
+      else if (rc != OK)
+        {
+        Uunlink(spool_name);
+#ifdef WITH_CONTENT_SCAN
+        unspool_mbox();
+#endif
+#ifdef EXPERIMENTAL_DCC
+	dcc_ok = 0;
+#endif
+        /* The ACL can specify where rejections are to be logged, possibly
+        nowhere. The default is main and reject logs. */
+
+        if (log_reject_target)
+          log_write(0, log_reject_target, "F=<%s> rejected by non-SMTP ACL: %s",
+            sender_address, log_msg);
+
+        if (!user_msg) user_msg = US"local configuration problem";
+        if (smtp_batched_input)
+          moan_smtp_batch(NULL, "%d %s", 550, user_msg);
+          /* Does not return */
+        else
+          {
+          fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+          give_local_error(ERRMESS_LOCAL_ACL, user_msg,
+            US"message rejected by non-SMTP ACL: ", error_rc, spool_data_file,
+              header_list);
+          /* Does not return */
+          }
+        }
+      add_acl_headers(ACL_WHERE_NOTSMTP, US"non-SMTP");
+      }
+    }
+
+  /* The applicable ACLs have been run */
+
+  if (f.deliver_freeze) frozen_by = US"ACL";     /* for later logging */
+  if (f.queue_only_policy) queued_by = US"ACL";
+  }
+
+#ifdef WITH_CONTENT_SCAN
+unspool_mbox();
+#endif
+
+#ifdef EXPERIMENTAL_DCC
+dcc_ok = 0;
+#endif
+
+
+#ifdef HAVE_LOCAL_SCAN
+/* The final check on the message is to run the scan_local() function. The
+version supplied with Exim always accepts, but this is a hook for sysadmins to
+supply their own checking code. The local_scan() function is run even when all
+the recipients have been discarded. */
+
+lseek(data_fd, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+
+/* Arrange to catch crashes in local_scan(), so that the -D file gets
+deleted, and the incident gets logged. */
+
+if (sigsetjmp(local_scan_env, 1) == 0)
+  {
+  had_local_scan_crash = 0;
+  os_non_restarting_signal(SIGSEGV, local_scan_crash_handler);
+  os_non_restarting_signal(SIGFPE, local_scan_crash_handler);
+  os_non_restarting_signal(SIGILL, local_scan_crash_handler);
+  os_non_restarting_signal(SIGBUS, local_scan_crash_handler);
+
+  DEBUG(D_receive) debug_printf("calling local_scan(); timeout=%d\n",
+    local_scan_timeout);
+  local_scan_data = NULL;
+
+  had_local_scan_timeout = 0;
+  os_non_restarting_signal(SIGALRM, local_scan_timeout_handler);
+  if (local_scan_timeout > 0) ALARM(local_scan_timeout);
+  rc = local_scan(data_fd, &local_scan_data);
+  ALARM_CLR(0);
+  os_non_restarting_signal(SIGALRM, sigalrm_handler);
+
+  f.enable_dollar_recipients = FALSE;
+
+  store_pool = POOL_MAIN;   /* In case changed */
+  DEBUG(D_receive) debug_printf("local_scan() returned %d %s\n", rc,
+    local_scan_data);
+
+  os_non_restarting_signal(SIGSEGV, SIG_DFL);
+  os_non_restarting_signal(SIGFPE, SIG_DFL);
+  os_non_restarting_signal(SIGILL, SIG_DFL);
+  os_non_restarting_signal(SIGBUS, SIG_DFL);
+  }
+else
+  {
+  if (had_local_scan_crash)
+    {
+    log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function crashed with "
+      "signal %d - message temporarily rejected (size %d)",
+      had_local_scan_crash, message_size);
+    receive_bomb_out(US"local-scan-error", US"local verification problem");
+    /* Does not return */
+    }
+  if (had_local_scan_timeout)
+    {
+    log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function timed out - "
+      "message temporarily rejected (size %d)", message_size);
+    receive_bomb_out(US"local-scan-timeout", US"local verification problem");
+    /* Does not return */
+    }
+  }
+
+/* The length check is paranoia against some runaway code, and also because
+(for a success return) lines in the spool file are read into big_buffer. */
+
+if (local_scan_data)
+  {
+  int len = Ustrlen(local_scan_data);
+  if (len > LOCAL_SCAN_MAX_RETURN) len = LOCAL_SCAN_MAX_RETURN;
+  local_scan_data = string_copyn(local_scan_data, len);
+  }
+
+if (rc == LOCAL_SCAN_ACCEPT_FREEZE)
+  {
+  if (!f.deliver_freeze)         /* ACL might have already frozen */
+    {
+    f.deliver_freeze = TRUE;
+    deliver_frozen_at = time(NULL);
+    frozen_by = US"local_scan()";
+    }
+  rc = LOCAL_SCAN_ACCEPT;
+  }
+else if (rc == LOCAL_SCAN_ACCEPT_QUEUE)
+  {
+  if (!f.queue_only_policy)      /* ACL might have already queued */
+    {
+    f.queue_only_policy = TRUE;
+    queued_by = US"local_scan()";
+    }
+  rc = LOCAL_SCAN_ACCEPT;
+  }
+
+/* Message accepted: remove newlines in local_scan_data because otherwise
+the spool file gets corrupted. Ensure that all recipients are qualified. */
+
+if (rc == LOCAL_SCAN_ACCEPT)
+  {
+  if (local_scan_data)
+    for (uschar * s = local_scan_data; *s != 0; s++) if (*s == '\n') *s = ' ';
+  for (int i = 0; i < recipients_count; i++)
+    {
+    recipient_item *r = recipients_list + i;
+    r->address = rewrite_address_qualify(r->address, TRUE);
+    if (r->errors_to)
+      r->errors_to = rewrite_address_qualify(r->errors_to, TRUE);
+    }
+  if (recipients_count == 0 && !blackholed_by)
+    blackholed_by = US"local_scan";
+  }
+
+/* Message rejected: newlines permitted in local_scan_data to generate
+multiline SMTP responses. */
+
+else
+  {
+  uschar *istemp = US"";
+  uschar *smtp_code;
+  gstring * g;
+
+  errmsg = local_scan_data;
+
+  Uunlink(spool_name);          /* Cancel this message */
+  switch(rc)
+    {
+    default:
+      log_write(0, LOG_MAIN, "invalid return %d from local_scan(). Temporary "
+	"rejection given", rc);
+      goto TEMPREJECT;
+
+    case LOCAL_SCAN_REJECT_NOLOGHDR:
+      BIT_CLEAR(log_selector, log_selector_size, Li_rejected_header);
+      /* Fall through */
+
+    case LOCAL_SCAN_REJECT:
+      smtp_code = US"550";
+      if (!errmsg) errmsg =  US"Administrative prohibition";
+      break;
+
+    case LOCAL_SCAN_TEMPREJECT_NOLOGHDR:
+      BIT_CLEAR(log_selector, log_selector_size, Li_rejected_header);
+      /* Fall through */
+
+    case LOCAL_SCAN_TEMPREJECT:
+    TEMPREJECT:
+      smtp_code = US"451";
+      if (!errmsg) errmsg = US"Temporary local problem";
+      istemp = US"temporarily ";
+      break;
+    }
+
+  g = string_append(NULL, 2, US"F=",
+    sender_address[0] == 0 ? US"<>" : sender_address);
+  g = add_host_info_for_log(g);
+
+  log_write(0, LOG_MAIN|LOG_REJECT, "%s %srejected by local_scan(): %.256s",
+    string_from_gstring(g), istemp, string_printing(errmsg));
+
+  if (smtp_input)
+    if (!smtp_batched_input)
+      {
+      smtp_respond(smtp_code, 3, TRUE, errmsg);
+      message_id[0] = 0;            /* Indicate no message accepted */
+      smtp_reply = US"";            /* Indicate reply already sent */
+      goto TIDYUP;                  /* Skip to end of function */
+      }
+    else
+      moan_smtp_batch(NULL, "%s %s", smtp_code, errmsg);
+      /* Does not return */
+  else
+    {
+    fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+    give_local_error(ERRMESS_LOCAL_SCAN, errmsg,
+      US"message rejected by local scan code: ", error_rc, spool_data_file,
+        header_list);
+    /* Does not return */
+    }
+  }
+
+/* Reset signal handlers to ignore signals that previously would have caused
+the message to be abandoned. */
+
+signal(SIGTERM, SIG_IGN);
+signal(SIGINT, SIG_IGN);
+#endif	/* HAVE_LOCAL_SCAN */
+
+
+/* Ensure the first time flag is set in the newly-received message. */
+
+f.deliver_firsttime = TRUE;
+
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+if (bmi_run == 1)
+  { /* rewind data file */
+  lseek(data_fd, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+  bmi_verdicts = bmi_process_message(header_list, data_fd);
+  }
+#endif
+
+/* Update the timestamp in our Received: header to account for any time taken by
+an ACL or by local_scan(). The new time is the time that all reception
+processing is complete. */
+
+timestamp = expand_string(US"${tod_full}");
+tslen = Ustrlen(timestamp);
+
+memcpy(received_header->text + received_header->slen - tslen - 1,
+  timestamp, tslen);
+
+/* In MUA wrapper mode, ignore queueing actions set by ACL or local_scan() */
+
+if (mua_wrapper)
+  {
+  f.deliver_freeze = FALSE;
+  f.queue_only_policy = FALSE;
+  }
+
+/* Keep the data file open until we have written the header file, in order to
+hold onto the lock. In a -bh run, or if the message is to be blackholed, we
+don't write the header file, and we unlink the data file. If writing the header
+file fails, we have failed to accept this message. */
+
+if (host_checking || blackholed_by)
+  {
+  Uunlink(spool_name);
+  msg_size = 0;                                  /* Compute size for log line */
+  for (header_line * h = header_list; h; h = h->next)
+    if (h->type != '*') msg_size += h->slen;
+  }
+
+/* Write the -H file */
+
+else
+  if ((msg_size = spool_write_header(message_id, SW_RECEIVING, &errmsg)) < 0)
+    {
+    log_write(0, LOG_MAIN, "Message abandoned: %s", errmsg);
+    Uunlink(spool_name);           /* Lose the data file */
+
+    if (smtp_input)
+      {
+      smtp_reply = US"451 Error in writing spool file";
+      message_id[0] = 0;          /* Indicate no message accepted */
+      goto TIDYUP;
+      }
+    else
+      {
+      fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+      give_local_error(ERRMESS_IOERR, errmsg, US"", error_rc, spool_data_file,
+        header_list);
+      /* Does not return */
+      }
+    }
+
+
+/* The message has now been successfully received. */
+
+receive_messagecount++;
+
+/* Add data size to written header size. We do not count the initial file name
+that is in the file, but we do add one extra for the notional blank line that
+precedes the data. This total differs from message_size in that it include the
+added Received: header and any other headers that got created locally. */
+
+if (fflush(spool_data_file))
+  {
+  errmsg = string_sprintf("Spool write error: %s", strerror(errno));
+  log_write(0, LOG_MAIN, "%s\n", errmsg);
+  Uunlink(spool_name);           /* Lose the data file */
+
+  if (smtp_input)
+    {
+    smtp_reply = US"451 Error in writing spool file";
+    message_id[0] = 0;          /* Indicate no message accepted */
+    goto TIDYUP;
+    }
+  else
+    {
+    fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
+    give_local_error(ERRMESS_IOERR, errmsg, US"", error_rc, spool_data_file,
+      header_list);
+    /* Does not return */
+    }
+  }
+fstat(data_fd, &statbuf);
+
+msg_size += statbuf.st_size - SPOOL_DATA_START_OFFSET + 1;
+
+/* Generate a "message received" log entry. We do this by building up a dynamic
+string as required.  We log the arrival of a new message while the
+file is still locked, just in case the machine is *really* fast, and delivers
+it first! Include any message id that is in the message - since the syntax of a
+message id is actually an addr-spec, we can use the parse routine to canonicalize
+it. */
+
+rcvd_log_reset_point = store_mark();
+g = string_get(256);
+
+g = string_append(g, 2,
+  fake_response == FAIL ? US"(= " : US"<= ",
+  sender_address[0] == 0 ? US"<>" : sender_address);
+if (message_reference)
+  g = string_append(g, 2, US" R=", message_reference);
+
+g = add_host_info_for_log(g);
+
+#ifndef DISABLE_TLS
+if (LOGGING(tls_cipher) && tls_in.cipher)
+  {
+  g = string_append(g, 2, US" X=", tls_in.cipher);
+# ifndef DISABLE_TLS_RESUME
+  if (LOGGING(tls_resumption) && tls_in.resumption & RESUME_USED)
+    g = string_catn(g, US"*", 1);
+# endif
+  }
+if (LOGGING(tls_certificate_verified) && tls_in.cipher)
+  g = string_append(g, 2, US" CV=", tls_in.certificate_verified ? "yes":"no");
+if (LOGGING(tls_peerdn) && tls_in.peerdn)
+  g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\"");
+if (LOGGING(tls_sni) && tls_in.sni)
+  g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE));
+#endif
+
+if (sender_host_authenticated)
+  {
+  g = string_append(g, 2, US" A=", sender_host_authenticated);
+  if (authenticated_id)
+    {
+    g = string_append(g, 2, US":", authenticated_id);
+    if (LOGGING(smtp_mailauth) && authenticated_sender)
+      g = string_append(g, 2, US":", authenticated_sender);
+    }
+  }
+
+#ifndef DISABLE_PRDR
+if (prdr_requested)
+  g = string_catn(g, US" PRDR", 5);
+#endif
+
+#ifdef SUPPORT_PROXY
+if (proxy_session && LOGGING(proxy))
+  g = string_append(g, 2, US" PRX=", proxy_local_address);
+#endif
+
+if (chunking_state > CHUNKING_OFFERED)
+  g = string_catn(g, US" K", 2);
+
+g = string_fmt_append(g, " S=%d", msg_size);
+
+/* log 8BITMIME mode announced in MAIL_FROM
+   0 ... no BODY= used
+   7 ... 7BIT
+   8 ... 8BITMIME */
+if (LOGGING(8bitmime))
+  g = string_fmt_append(g, " M8S=%d", body_8bitmime);
+
+#ifndef DISABLE_DKIM
+if (LOGGING(dkim) && dkim_verify_overall)
+  g = string_append(g, 2, US" DKIM=", dkim_verify_overall);
+# ifdef EXPERIMENTAL_ARC
+if (LOGGING(dkim) && arc_state && Ustrcmp(arc_state, "pass") == 0)
+  g = string_catn(g, US" ARC", 4);
+# endif
+#endif
+
+if (LOGGING(receive_time))
+  {
+  struct timeval diff = received_time_complete;
+  timediff(&diff, &received_time);
+  g = string_append(g, 2, US" RT=", string_timediff(&diff));
+  }
+
+if (*queue_name)
+  g = string_append(g, 2, US" Q=", queue_name);
+
+/* If an addr-spec in a message-id contains a quoted string, it can contain
+any characters except " \ and CR and so in particular it can contain NL!
+Therefore, make sure we use a printing-characters only version for the log.
+Also, allow for domain literals in the message id. */
+
+if (  LOGGING(msg_id) && msgid_header
+   && (LOGGING(msg_id_created) || !msgid_header_newly_created)
+   )
+  {
+  uschar * old_id;
+  BOOL save_allow_domain_literals = allow_domain_literals;
+  allow_domain_literals = TRUE;
+  int start, end, domain;
+
+  old_id = parse_extract_address(Ustrchr(msgid_header->text, ':') + 1,
+    &errmsg, &start, &end, &domain, FALSE);
+  allow_domain_literals = save_allow_domain_literals;
+  if (old_id)
+    g = string_append(g, 2,
+      msgid_header_newly_created ? US" id*=" : US" id=",
+      string_printing(old_id));
+  }
+
+/* If subject logging is turned on, create suitable printing-character
+text. By expanding $h_subject: we make use of the MIME decoding. */
+
+if (LOGGING(subject) && subject_header)
+  {
+  uschar *p = big_buffer;
+  uschar *ss = expand_string(US"$h_subject:");
+
+  /* Backslash-quote any double quotes or backslashes so as to make a
+  a C-like string, and turn any non-printers into escape sequences. */
+
+  *p++ = '\"';
+  if (*ss != 0) for (int i = 0; i < 100 && ss[i] != 0; i++)
+    {
+    if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\';
+    *p++ = ss[i];
+    }
+  *p++ = '\"';
+  *p = 0;
+  g = string_append(g, 2, US" T=", string_printing(big_buffer));
+  }
+
+/* Terminate the string: string_cat() and string_append() leave room, but do
+not put the zero in. */
+
+(void) string_from_gstring(g);
+
+/* Create a message log file if message logs are being used and this message is
+not blackholed. Write the reception stuff to it. We used to leave message log
+creation until the first delivery, but this has proved confusing for some
+people. */
+
+if (message_logs && !blackholed_by)
+  {
+  int fd;
+  uschar * m_name = spool_fname(US"msglog", message_subdir, message_id, US"");
+
+  if (  (fd = Uopen(m_name, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE)) < 0
+     && errno == ENOENT
+     )
+    {
+    (void)directory_make(spool_directory,
+			spool_sname(US"msglog", message_subdir),
+			MSGLOG_DIRECTORY_MODE, TRUE);
+    fd = Uopen(m_name, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE);
+    }
+
+  if (fd < 0)
+    log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't open message log %s: %s",
+      m_name, strerror(errno));
+  else
+    {
+    FILE *message_log = fdopen(fd, "a");
+    if (!message_log)
+      {
+      log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't fdopen message log %s: %s",
+        m_name, strerror(errno));
+      (void)close(fd);
+      }
+    else
+      {
+      uschar *now = tod_stamp(tod_log);
+      fprintf(message_log, "%s Received from %s\n", now, g->s+3);
+      if (f.deliver_freeze) fprintf(message_log, "%s frozen by %s\n", now,
+        frozen_by);
+      if (f.queue_only_policy) fprintf(message_log,
+        "%s no immediate delivery: queued%s%s by %s\n", now,
+        *queue_name ? " in " : "", *queue_name ? CS queue_name : "",
+	queued_by);
+      (void)fclose(message_log);
+      }
+    }
+  }
+
+/* Everything has now been done for a successful message except logging its
+arrival, and outputting an SMTP response. While writing to the log, set a flag
+to cause a call to receive_bomb_out() if the log cannot be opened. */
+
+f.receive_call_bombout = TRUE;
+
+/* Before sending an SMTP response in a TCP/IP session, we check to see if the
+connection has gone away. This can only be done if there is no unconsumed input
+waiting in the local input buffer. We can test for this by calling
+receive_hasc(). RFC 2920 (pipelining) explicitly allows for additional
+input to be sent following the final dot, so the presence of following input is
+not an error.
+
+If the connection is still present, but there is no unread input for the
+socket, the result of a select() call will be zero. If, however, the connection
+has gone away, or if there is pending input, the result of select() will be
+non-zero. The two cases can be distinguished by trying to read the next input
+character. If we succeed, we can unread it so that it remains in the local
+buffer for handling later. If not, the connection has been lost.
+
+Of course, since TCP/IP is asynchronous, there is always a chance that the
+connection will vanish between the time of this test and the sending of the
+response, but the chance of this happening should be small. */
+
+if (  smtp_input && sender_host_address && !f.sender_host_notsocket
+   && !receive_hasc())
+  {
+  if (poll_one_fd(fileno(smtp_in), POLLIN, 0) != 0)
+    {
+    int c = (receive_getc)(GETC_BUFFER_UNLIMITED);
+    if (c != EOF) (receive_ungetc)(c);
+    else
+      {
+      smtp_notquit_exit(US"connection-lost", NULL, NULL);
+      smtp_reply = US"";    /* No attempt to send a response */
+      smtp_yield = FALSE;   /* Nothing more on this connection */
+
+      /* Re-use the log line workspace */
+
+      g->ptr = 0;
+      g = string_cat(g, US"SMTP connection lost after final dot");
+      g = add_host_info_for_log(g);
+      log_write(0, LOG_MAIN, "%s", string_from_gstring(g));
+
+      /* Delete the files for this aborted message. */
+
+      Uunlink(spool_name);
+      Uunlink(spool_fname(US"input", message_subdir, message_id, US"-H"));
+      Uunlink(spool_fname(US"msglog", message_subdir, message_id, US""));
+
+      goto TIDYUP;
+      }
+    }
+  }
+
+/* The connection has not gone away; we really are going to take responsibility
+for this message. */
+
+/* Cutthrough - had sender last-dot; assume we've sent (or bufferred) all
+   data onward by now.
+
+   Send dot onward.  If accepted, wipe the spooled files, log as delivered and accept
+   the sender's dot (below).
+   If rejected: copy response to sender, wipe the spooled files, log appropriately.
+   If temp-reject: normally accept to sender, keep the spooled file - unless defer=pass
+   in which case pass temp-reject back to initiator and dump the files.
+
+   Having the normal spool files lets us do data-filtering, and store/forward on temp-reject.
+
+   XXX We do not handle queue-only, freezing, or blackholes.
+*/
+if(cutthrough.cctx.sock >= 0 && cutthrough.delivery)
+  {
+  uschar * msg = cutthrough_finaldot();	/* Ask the target system to accept the message */
+					/* Logging was done in finaldot() */
+  switch(msg[0])
+    {
+    case '2':	/* Accept. Do the same to the source; dump any spoolfiles.   */
+      cutthrough_done = ACCEPTED;
+      break;					/* message_id needed for SMTP accept below */
+
+    case '4':	/* Temp-reject. Keep spoolfiles and accept, unless defer-pass mode.
+      		... for which, pass back the exact error */
+      if (cutthrough.defer_pass) smtp_reply = string_copy_perm(msg, TRUE);
+      cutthrough_done = TMP_REJ;		/* Avoid the usual immediate delivery attempt */
+      break;					/* message_id needed for SMTP accept below */
+
+    default:	/* Unknown response, or error.  Treat as temp-reject.         */
+      if (cutthrough.defer_pass) smtp_reply = US"450 Onward transmission not accepted";
+      cutthrough_done = TMP_REJ;		/* Avoid the usual immediate delivery attempt */
+      break;					/* message_id needed for SMTP accept below */
+
+    case '5':	/* Perm-reject.  Do the same to the source.  Dump any spoolfiles */
+      smtp_reply = string_copy_perm(msg, TRUE);		/* Pass on the exact error */
+      cutthrough_done = PERM_REJ;
+      break;
+    }
+  }
+
+#ifndef DISABLE_PRDR
+if(!smtp_reply || prdr_requested)
+#else
+if(!smtp_reply)
+#endif
+  {
+  log_write(0, LOG_MAIN |
+    (LOGGING(received_recipients) ? LOG_RECIPIENTS : 0) |
+    (LOGGING(received_sender) ? LOG_SENDER : 0),
+    "%s", g->s);
+
+  /* Log any control actions taken by an ACL or local_scan(). */
+
+  if (f.deliver_freeze) log_write(0, LOG_MAIN, "frozen by %s", frozen_by);
+  if (f.queue_only_policy) log_write(L_delay_delivery, LOG_MAIN,
+    "no immediate delivery: queued%s%s by %s",
+    *queue_name ? " in " : "", *queue_name ? CS queue_name : "",
+    queued_by);
+  }
+f.receive_call_bombout = FALSE;
+
+/* The store for the main log message can be reused */
+rcvd_log_reset_point = store_reset(rcvd_log_reset_point);
+
+/* If the message is frozen, and freeze_tell is set, do the telling. */
+
+if (f.deliver_freeze && freeze_tell && freeze_tell[0])
+  moan_tell_someone(freeze_tell, NULL, US"Message frozen on arrival",
+    "Message %s was frozen on arrival by %s.\nThe sender is <%s>.\n",
+    message_id, frozen_by, sender_address);
+
+
+/* Either a message has been successfully received and written to the two spool
+files, or an error in writing the spool has occurred for an SMTP message, or
+an SMTP message has been rejected for policy reasons, or a message was passed on
+by cutthrough delivery. (For a non-SMTP message we will have already given up
+because there's no point in carrying on!) For non-cutthrough we must now close
+(and thereby unlock) the data file. In the successful case, this leaves the
+message on the spool, ready for delivery. In the error case, the spool file will
+be deleted. Then tidy up store, interact with an SMTP call if necessary, and
+return.
+
+For cutthrough we hold the data file locked until we have deleted it, otherwise
+a queue-runner could grab it in the window.
+
+A fflush() was done earlier in the expectation that any write errors on the
+data file will be flushed(!) out thereby. Nevertheless, it is theoretically
+possible for fclose() to fail - but what to do? What has happened to the lock
+if this happens?  We can at least log it; if it is observed on some platform
+then we can think about properly declaring the message not-received. */
+
+
+TIDYUP:
+process_info[process_info_len] = 0;			/* Remove message id */
+if (spool_data_file && cutthrough_done == NOT_TRIED)
+  {
+  if (fclose(spool_data_file))				/* Frees the lock */
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "spoolfile error on close: %s", strerror(errno));
+  spool_data_file = NULL;
+  }
+
+/* Now reset signal handlers to their defaults */
+
+signal(SIGTERM, SIG_DFL);
+signal(SIGINT, SIG_DFL);
+
+/* Tell an SMTP caller the state of play, and arrange to return the SMTP return
+value, which defaults TRUE - meaning there may be more incoming messages from
+this connection. For non-SMTP callers (where there is only ever one message),
+the default is FALSE. */
+
+if (smtp_input)
+  {
+  yield = smtp_yield;
+
+  /* Handle interactive SMTP callers. After several kinds of error, smtp_reply
+  is set to the response that should be sent. When it is NULL, we generate
+  default responses. After an ACL error or local_scan() error, the response has
+  already been sent, and smtp_reply is an empty string to indicate this. */
+
+  if (!smtp_batched_input)
+    {
+    if (!smtp_reply)
+      {
+      if (fake_response != OK)
+        smtp_respond(fake_response == DEFER ? US"450" : US"550",
+	  3, TRUE, fake_response_text);
+
+      /* An OK response is required; use "message" text if present. */
+
+      else if (user_msg)
+        {
+        uschar *code = US"250";
+        int len = 3;
+        smtp_message_code(&code, &len, &user_msg, NULL, TRUE);
+        smtp_respond(code, len, TRUE, user_msg);
+        }
+
+      /* Default OK response */
+
+      else if (chunking_state > CHUNKING_OFFERED)
+	{
+	/* If there is more input waiting, no need to flush (probably the client
+	pipelined QUIT after data).  We check only the in-process buffer, not
+	the socket. */
+
+        smtp_printf("250- %u byte chunk, total %d\r\n250 OK id=%s\r\n",
+	    receive_hasc(),
+	    chunking_datasize, message_size+message_linecount, message_id);
+	chunking_state = CHUNKING_OFFERED;
+	}
+      else
+        smtp_printf("250 OK id=%s\r\n", receive_hasc(), message_id);
+
+      if (host_checking)
+        fprintf(stdout,
+          "\n**** SMTP testing: that is not a real message id!\n\n");
+      }
+
+    /* smtp_reply is set non-empty */
+
+    else if (smtp_reply[0] != 0)
+      if (fake_response != OK && smtp_reply[0] == '2')
+        smtp_respond(fake_response == DEFER ? US"450" : US"550", 3, TRUE,
+          fake_response_text);
+      else
+        smtp_printf("%.1024s\r\n", FALSE, smtp_reply);
+
+    switch (cutthrough_done)
+      {
+      case ACCEPTED:
+	log_write(0, LOG_MAIN, "Completed");/* Delivery was done */
+      case PERM_REJ:
+							 /* Delete spool files */
+	Uunlink(spool_name);
+	Uunlink(spool_fname(US"input", message_subdir, message_id, US"-H"));
+	Uunlink(spool_fname(US"msglog", message_subdir, message_id, US""));
+	break;
+
+      case TMP_REJ:
+	if (cutthrough.defer_pass)
+	  {
+	  Uunlink(spool_name);
+	  Uunlink(spool_fname(US"input", message_subdir, message_id, US"-H"));
+	  Uunlink(spool_fname(US"msglog", message_subdir, message_id, US""));
+	  }
+      default:
+	break;
+      }
+    if (cutthrough_done != NOT_TRIED)
+      {
+      if (spool_data_file)
+	{
+	(void) fclose(spool_data_file);  /* Frees the lock; do not care if error */
+	spool_data_file = NULL;
+	}
+      message_id[0] = 0;	  /* Prevent a delivery from starting */
+      cutthrough.delivery = cutthrough.callout_hold_only = FALSE;
+      cutthrough.defer_pass = FALSE;
+      }
+    }
+
+  /* For batched SMTP, generate an error message on failure, and do
+  nothing on success. The function moan_smtp_batch() does not return -
+  it exits from the program with a non-zero return code. */
+
+  else if (smtp_reply)
+    moan_smtp_batch(NULL, "%s", smtp_reply);
+  }
+
+
+/* If blackholing, we can immediately log this message's sad fate. The data
+file has already been unlinked, and the header file was never written to disk.
+We must now indicate that nothing was received, to prevent a delivery from
+starting. */
+
+if (blackholed_by)
+  {
+  const uschar *detail =
+#ifdef HAVE_LOCAL_SCAN
+    local_scan_data ? string_printing(local_scan_data) :
+#endif
+    string_sprintf("(%s discarded recipients)", blackholed_by);
+  log_write(0, LOG_MAIN, "=> blackhole %s%s", detail, blackhole_log_msg);
+  log_write(0, LOG_MAIN, "Completed");
+  message_id[0] = 0;
+  }
+
+/* Reset headers so that logging of rejects for a subsequent message doesn't
+include them. It is also important to set header_last = NULL before exiting
+from this function, as this prevents certain rewrites that might happen during
+subsequent verifying (of another incoming message) from trying to add headers
+when they shouldn't. */
+
+header_list = header_last = NULL;
+
+return yield;  /* TRUE if more messages (SMTP only) */
+}
+
+/* End of receive.c */
diff --git a/src/regex.c b/src/regex.c
new file mode 100644
index 0000000..5c0f7c4
--- /dev/null
+++ b/src/regex.c
@@ -0,0 +1,217 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/*
+ * Copyright (c) The Exim Maintainers 2016 - 2022
+ * Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003-2015
+ * License: GPL
+ */
+
+/* Code for matching regular expressions against headers and body.
+ Called from acl.c. */
+
+#include "exim.h"
+#ifdef WITH_CONTENT_SCAN
+#include <unistd.h>
+#include <sys/mman.h>
+
+/* Structure to hold a list of Regular expressions */
+typedef struct pcre_list {
+  pcre2_code *re;
+  uschar *pcre_text;
+  struct pcre_list *next;
+} pcre_list;
+
+uschar regex_match_string_buffer[1024];
+
+extern FILE *mime_stream;
+extern uschar *mime_current_boundary;
+
+static pcre_list *
+compile(const uschar * list)
+{
+int sep = 0;
+uschar *regex_string;
+pcre_list *re_list_head = NULL;
+pcre_list *ri;
+
+/* precompile our regexes */
+while ((regex_string = string_nextinlist(&list, &sep, NULL, 0)))
+  if (strcmpic(regex_string, US"false") != 0 && Ustrcmp(regex_string, "0") != 0)
+    {
+    pcre2_code * re;
+    int err;
+    PCRE2_SIZE pcre_erroffset;
+
+    /* compile our regular expression */
+    if (!(re = pcre2_compile( (PCRE2_SPTR) regex_string, PCRE2_ZERO_TERMINATED,
+		  0, &err, &pcre_erroffset, pcre_cmp_ctx)))
+      {
+      uschar errbuf[128];
+      pcre2_get_error_message(err, errbuf, sizeof(errbuf));
+      log_write(0, LOG_MAIN,
+	   "regex acl condition warning - error in regex '%s': %s at offset %ld, skipped.",
+	   regex_string, errbuf, (long)pcre_erroffset);
+      continue;
+      }
+
+    ri = store_get(sizeof(pcre_list), GET_UNTAINTED);
+    ri->re = re;
+    ri->pcre_text = regex_string;
+    ri->next = re_list_head;
+    re_list_head = ri;
+    }
+return re_list_head;
+}
+
+static int
+matcher(pcre_list * re_list_head, uschar * linebuffer, int len)
+{
+pcre2_match_data * md = pcre2_match_data_create(REGEX_VARS + 1, pcre_gen_ctx);
+
+for (pcre_list * ri = re_list_head; ri; ri = ri->next)
+  {
+  int n;
+
+  /* try matcher on the line */
+  if ((n = pcre2_match(ri->re, (PCRE2_SPTR)linebuffer, len, 0, 0, md, pcre_mtc_ctx)) > 0)
+    {
+    Ustrncpy(regex_match_string_buffer, ri->pcre_text,
+	      sizeof(regex_match_string_buffer)-1);
+    regex_match_string = regex_match_string_buffer;
+
+    for (int nn = 1; nn < n; nn++)
+      {
+      PCRE2_UCHAR * cstr;
+      PCRE2_SIZE cslen;
+      pcre2_substring_get_bynumber(md, nn, &cstr, &cslen);
+      regex_vars[nn-1] = CUS cstr;
+      }
+
+    return OK;
+    }
+  }
+pcre2_match_data_free(md);
+return FAIL;
+}
+
+int
+regex(const uschar **listptr)
+{
+unsigned long mbox_size;
+FILE *mbox_file;
+pcre_list *re_list_head;
+uschar *linebuffer;
+long f_pos = 0;
+int ret = FAIL;
+
+/* reset expansion variable */
+regex_match_string = NULL;
+
+if (!mime_stream)				/* We are in the DATA ACL */
+  {
+  if (!(mbox_file = spool_mbox(&mbox_size, NULL, NULL)))
+    {						/* error while spooling */
+    log_write(0, LOG_MAIN|LOG_PANIC,
+	   "regex acl condition: error while creating mbox spool file");
+    return DEFER;
+    }
+  }
+else
+  {
+  if ((f_pos = ftell(mime_stream)) < 0)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC,
+	   "regex acl condition: mime_stream: %s", strerror(errno));
+    return DEFER;
+    }
+  mbox_file = mime_stream;
+  }
+
+/* precompile our regexes */
+if (!(re_list_head = compile(*listptr)))
+  return FAIL;			/* no regexes -> nothing to do */
+
+/* match each line against all regexes */
+linebuffer = store_get(32767, GET_TAINTED);
+while (fgets(CS linebuffer, 32767, mbox_file))
+  {
+  if (  mime_stream && mime_current_boundary		/* check boundary */
+     && Ustrncmp(linebuffer, "--", 2) == 0
+     && Ustrncmp((linebuffer+2), mime_current_boundary,
+		  Ustrlen(mime_current_boundary)) == 0)
+      break;						/* found boundary */
+
+  if ((ret = matcher(re_list_head, linebuffer, (int)Ustrlen(linebuffer))) == OK)
+    goto done;
+  }
+/* no matches ... */
+
+done:
+if (!mime_stream)
+  (void)fclose(mbox_file);
+else
+  {
+  clearerr(mime_stream);
+  if (fseek(mime_stream, f_pos, SEEK_SET) == -1)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC,
+	   "regex acl condition: mime_stream: %s", strerror(errno));
+    clearerr(mime_stream);
+    }
+  }
+
+return ret;
+}
+
+
+int
+mime_regex(const uschar **listptr)
+{
+pcre_list *re_list_head = NULL;
+FILE *f;
+uschar *mime_subject = NULL;
+int mime_subject_len = 0;
+int ret;
+
+/* reset expansion variable */
+regex_match_string = NULL;
+
+/* precompile our regexes */
+if (!(re_list_head = compile(*listptr)))
+  return FAIL;			/* no regexes -> nothing to do */
+
+/* check if the file is already decoded */
+if (!mime_decoded_filename)
+  {				/* no, decode it first */
+  const uschar *empty = US"";
+  mime_decode(&empty);
+  if (!mime_decoded_filename)
+    {				/* decoding failed */
+    log_write(0, LOG_MAIN,
+       "mime_regex acl condition warning - could not decode MIME part to file");
+    return DEFER;
+    }
+  }
+
+/* open file */
+if (!(f = fopen(CS mime_decoded_filename, "rb")))
+  {
+  log_write(0, LOG_MAIN,
+       "mime_regex acl condition warning - can't open '%s' for reading",
+       mime_decoded_filename);
+  return DEFER;
+  }
+
+/* get 32k memory, tainted */
+mime_subject = store_get(32767, GET_TAINTED);
+
+mime_subject_len = fread(mime_subject, 1, 32766, f);
+
+ret = matcher(re_list_head, mime_subject, mime_subject_len);
+(void)fclose(f);
+return ret;
+}
+
+#endif /* WITH_CONTENT_SCAN */
diff --git a/src/retry.c b/src/retry.c
new file mode 100644
index 0000000..033afb4
--- /dev/null
+++ b/src/retry.c
@@ -0,0 +1,934 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions concerned with retrying unsuccessful deliveries. */
+
+
+#include "exim.h"
+
+
+
+/*************************************************
+*         Check the ultimate address timeout     *
+*************************************************/
+
+/* This function tests whether a message has been on the queue longer than
+the maximum retry time for a particular host or address.
+
+Arguments:
+  retry_key     the key to look up a retry rule
+  domain        the domain to look up a domain retry rule
+  retry_record  contains error information for finding rule
+  now           the time
+
+Returns:        TRUE if the ultimate timeout has been reached
+*/
+
+BOOL
+retry_ultimate_address_timeout(uschar *retry_key, const uschar *domain,
+  dbdata_retry *retry_record, time_t now)
+{
+BOOL address_timeout;
+retry_config * retry;
+
+DEBUG(D_retry)
+  {
+  debug_printf("retry time not reached: checking ultimate address timeout\n");
+  debug_printf("  now=" TIME_T_FMT " first_failed=" TIME_T_FMT
+		" next_try=" TIME_T_FMT " expired=%c\n",
+		now, retry_record->first_failed,
+		retry_record->next_try, retry_record->expired ? 'T' : 'F');
+  }
+
+retry = retry_find_config(retry_key+2, domain,
+    retry_record->basic_errno, retry_record->more_errno);
+
+if (retry && retry->rules)
+  {
+  retry_rule *last_rule;
+  for (last_rule = retry->rules; last_rule->next; last_rule = last_rule->next) ;
+  DEBUG(D_retry)
+    debug_printf("  received_time=" TIME_T_FMT " diff=%d timeout=%d\n",
+      received_time.tv_sec, (int)(now - received_time.tv_sec), last_rule->timeout);
+  address_timeout = (now - received_time.tv_sec > last_rule->timeout);
+  }
+else
+  {
+  DEBUG(D_retry)
+    debug_printf("no retry rule found: assume timed out\n");
+  address_timeout = TRUE;
+  }
+
+DEBUG(D_retry)
+  if (address_timeout)
+    debug_printf("on queue longer than maximum retry for address - "
+      "allowing delivery\n");
+
+return address_timeout;
+}
+
+
+
+/*************************************************
+*     Set status of a host+address item          *
+*************************************************/
+
+/* This function is passed a host_item which contains a host name and an
+IP address string. Its job is to set the status of the address if it is not
+already set (indicated by hstatus_unknown). The possible values are:
+
+   hstatus_usable    the address is not listed in the unusable tree, and does
+                     not have a retry record, OR the time is past the next
+                     try time, OR the message has been on the queue for more
+                     than the maximum retry time for a failing host
+
+   hstatus_unusable  the address is listed in the unusable tree, or does have
+                     a retry record, and the time is not yet at the next retry
+                     time.
+
+   hstatus_unusable_expired  as above, but also the retry time has expired
+                     for this address.
+
+The reason a delivery is permitted when a message has been around for a very
+long time is to allow the ultimate address timeout to operate after a delivery
+failure. Otherwise some messages may stick around without being tried for too
+long.
+
+If a host retry record is retrieved from the hints database, the time of last
+trying is filled into the last_try field of the host block. If a host is
+generally usable, a check is made to see if there is a retry delay on this
+specific message at this host.
+
+If a non-standard port is being used, it is added to the retry key.
+
+Arguments:
+  domain              the address domain
+  host                pointer to a host item
+  portstring          "" for standard port, ":xxxx" for a non-standard port
+  include_ip_address  TRUE to include the address in the key - this is
+                        usual, but sometimes is not wanted
+  retry_host_key      where to put a pointer to the key for the host-specific
+                        retry record, if one is read and the host is usable
+  retry_message_key   where to put a pointer to the key for the message+host
+                        retry record, if one is read and the host is usable
+
+Returns:    TRUE if the host has expired but is usable because
+             its retry time has come
+*/
+
+BOOL
+retry_check_address(const uschar *domain, host_item *host, uschar *portstring,
+  BOOL include_ip_address, uschar **retry_host_key, uschar **retry_message_key)
+{
+BOOL yield = FALSE;
+time_t now = time(NULL);
+uschar * host_key, * message_key;
+open_db dbblock, * dbm_file;
+tree_node * node;
+dbdata_retry * host_retry_record, * message_retry_record;
+
+*retry_host_key = *retry_message_key = NULL;
+
+DEBUG(D_transport|D_retry) debug_printf("checking status of %s\n", host->name);
+
+/* Do nothing if status already set; otherwise initialize status as usable. */
+
+if (host->status != hstatus_unknown) return FALSE;
+host->status = hstatus_usable;
+
+/* Generate the host key for the unusable tree and the retry database. Ensure
+host names are lower cased (that's what %S does). */
+
+host_key = include_ip_address
+  ? string_sprintf("T:%S:%s%s", host->name, host->address, portstring)
+  : string_sprintf("T:%S%s", host->name, portstring);
+
+/* Generate the message-specific key */
+
+message_key = string_sprintf("%s:%s", host_key, message_id);
+
+/* Search the tree of unusable IP addresses. This is filled in when deliveries
+fail, because the retry database itself is not updated until the end of all
+deliveries (so as to do it all in one go). The tree records addresses that have
+become unusable during this delivery process (i.e. those that will get put into
+the retry database when it is updated). */
+
+if ((node = tree_search(tree_unusable, host_key)))
+  {
+  DEBUG(D_transport|D_retry) debug_printf("found in tree of unusables\n");
+  host->status = (node->data.val > 255)?
+    hstatus_unusable_expired : hstatus_unusable;
+  host->why = node->data.val & 255;
+  return FALSE;
+  }
+
+/* Open the retry database, giving up if there isn't one. Otherwise, search for
+the retry records, and then close the database again. */
+
+if (!(dbm_file = dbfn_open(US"retry", O_RDONLY, &dbblock, FALSE, TRUE)))
+  {
+  DEBUG(D_deliver|D_retry|D_hints_lookup)
+    debug_printf("no retry data available\n");
+  return FALSE;
+  }
+host_retry_record = dbfn_read(dbm_file, host_key);
+message_retry_record = dbfn_read(dbm_file, message_key);
+dbfn_close(dbm_file);
+
+/* Ignore the data if it is too old - too long since it was written */
+
+if (!host_retry_record)
+  {
+  DEBUG(D_transport|D_retry) debug_printf("no host retry record\n");
+  }
+else if (now - host_retry_record->time_stamp > retry_data_expire)
+  {
+  host_retry_record = NULL;
+  DEBUG(D_transport|D_retry) debug_printf("host retry record too old\n");
+  }
+
+if (!message_retry_record)
+  {
+  DEBUG(D_transport|D_retry) debug_printf("no message retry record\n");
+  }
+else if (now - message_retry_record->time_stamp > retry_data_expire)
+  {
+  message_retry_record = NULL;
+  DEBUG(D_transport|D_retry) debug_printf("message retry record too old\n");
+  }
+
+/* If there's a host-specific retry record, check for reaching the retry
+time (or forcing). If not, and the host is not expired, check for the message
+having been around for longer than the maximum retry time for this host or
+address. Allow the delivery if it has. Otherwise set the appropriate unusable
+flag and return FALSE. Otherwise arrange to return TRUE if this is an expired
+host. */
+
+if (host_retry_record)
+  {
+  *retry_host_key = host_key;
+
+  /* We have not reached the next try time. Check for the ultimate address
+  timeout if the host has not expired. */
+
+  if (now < host_retry_record->next_try && !f.deliver_force)
+    {
+    if (!host_retry_record->expired &&
+        retry_ultimate_address_timeout(host_key, domain,
+          host_retry_record, now))
+      return FALSE;
+
+    /* We have not hit the ultimate address timeout; host is unusable. */
+
+    host->status = (host_retry_record->expired)?
+      hstatus_unusable_expired : hstatus_unusable;
+    host->why = hwhy_retry;
+    host->last_try = host_retry_record->last_try;
+    return FALSE;
+    }
+
+  /* Host is usable; set return TRUE if expired. */
+
+  yield = host_retry_record->expired;
+  }
+
+/* It's OK to try the host. If there's a message-specific retry record, check
+for reaching its retry time (or forcing). If not, mark the host unusable,
+unless the ultimate address timeout has been reached. */
+
+if (message_retry_record)
+  {
+  *retry_message_key = message_key;
+  if (now < message_retry_record->next_try && !f.deliver_force)
+    {
+    if (!retry_ultimate_address_timeout(host_key, domain,
+        message_retry_record, now))
+      {
+      host->status = hstatus_unusable;
+      host->why = hwhy_retry;
+      }
+    return FALSE;
+    }
+  }
+
+return yield;
+}
+
+
+
+
+/*************************************************
+*           Add a retry item to an address       *
+*************************************************/
+
+/* Retry items are chained onto an address when it is deferred either by router
+or by a transport, or if it succeeds or fails and there was a previous retry
+item that now needs to be deleted. Sometimes there can be both kinds of item:
+for example, if routing was deferred but then succeeded, and delivery then
+deferred. In that case there is a delete item for the routing retry, and an
+updating item for the delivery.
+
+(But note that that is only visible at the outer level, because in remote
+delivery subprocesses, the address starts "clean", with no retry items carried
+in.)
+
+These items are used at the end of a delivery attempt to update the retry
+database. The keys start R: for routing delays and T: for transport delays.
+
+Arguments:
+  addr    the address block onto which to hang the item
+  key     the retry key
+  flags   delete, host, and message flags, copied into the block
+
+Returns:  nothing
+*/
+
+void
+retry_add_item(address_item *addr, uschar *key, int flags)
+{
+retry_item * rti = store_get(sizeof(retry_item), GET_UNTAINTED);
+host_item * host = addr->host_used;
+
+rti->next = addr->retries;
+addr->retries = rti;
+rti->key = key;
+rti->basic_errno = addr->basic_errno;
+rti->more_errno = addr->more_errno;
+rti->message = host
+  ? string_sprintf("H=%s [%s]: %s", host->name, host->address, addr->message)
+  : addr->message;
+rti->flags = flags;
+
+DEBUG(D_transport|D_retry)
+  {
+  int letter = rti->more_errno & 255;
+  debug_printf("added retry item for %s: errno=%d more_errno=", rti->key,
+    rti->basic_errno);
+  if (letter == 'A' || letter == 'M')
+    debug_printf("%d,%c", (rti->more_errno >> 8) & 255, letter);
+  else
+    debug_printf("%d", rti->more_errno);
+  debug_printf(" flags=%d\n", flags);
+  }
+}
+
+
+
+/*************************************************
+*        Find retry configuration data           *
+*************************************************/
+
+/* Search the in-store retry information for the first retry item that applies
+to a given destination. If the key contains an @ we are probably handling a
+local delivery and have a complete address to search for; this happens when
+retry_use_local_part is set on a router. Otherwise, the key is likely to be a
+host name for a remote delivery, or a domain name for a local delivery. We
+prepend *@ on the front of it so that it will match a retry item whose address
+item pattern is independent of the local part. The alternate key, if set, is
+always just a domain, so we treat it likewise.
+
+Arguments:
+  key          key for which retry info is wanted
+  alternate    alternative key, always just a domain
+  basic_errno  specific error predicate on the retry rule, or zero
+  more_errno   additional data for errno predicate
+
+Returns:       pointer to retry rule, or NULL
+*/
+
+retry_config *
+retry_find_config(const uschar *key, const uschar *alternate, int basic_errno,
+  int more_errno)
+{
+const uschar *colon = Ustrchr(key, ':');
+retry_config *yield;
+
+/* If there's a colon in the key, there are two possibilities:
+
+(1) This is a key for a host, ip address, and possibly port, in the format
+
+      hostname:ip+port
+
+    In this case, we copy the host name.
+
+(2) This is a key for a pipe, file, or autoreply delivery, in the format
+
+      pipe-or-file-or-auto:x@y
+
+    where x@y is the original address that provoked the delivery. The pipe or
+    file or auto will start with | or / or >, whereas a host name will start
+    with a letter or a digit. In this case we want to use the original address
+    to search for a retry rule. */
+
+if (colon)
+  key = isalnum(*key)
+    ? string_copyn(key, colon-key)	/* the hostname */
+    : Ustrrchr(key, ':') + 1;		/* Take from the last colon */
+
+/* Sort out the keys */
+
+if (!Ustrchr(key, '@')) key = string_sprintf("*@%s", key);
+if (alternate)    alternate = string_sprintf("*@%s", alternate);
+
+/* Scan the configured retry items. */
+
+for (yield = retries; yield; yield = yield->next)
+  {
+  const uschar *plist = yield->pattern;
+  const uschar *slist = yield->senders;
+
+  /* If a specific error is set for this item, check that we are handling that
+  specific error, and if so, check any additional error information if
+  required. */
+
+  if (yield->basic_errno != 0)
+    {
+    /* Special code is required for quota errors, as these can either be system
+    quota errors, or Exim's own quota imposition, which has a different error
+    number. Full partitions are also treated in the same way as quota errors.
+    */
+
+    if (yield->basic_errno == ERRNO_EXIMQUOTA)
+      {
+      if ((basic_errno != ERRNO_EXIMQUOTA && basic_errno != errno_quota &&
+           basic_errno != ENOSPC) ||
+          (yield->more_errno != 0 && yield->more_errno > more_errno))
+        continue;
+      }
+
+    /* The TLSREQUIRED error also covers TLSFAILURE. These are subtly different
+    errors, but not worth separating at this level. */
+
+    else if (yield->basic_errno == ERRNO_TLSREQUIRED)
+      {
+      if (basic_errno != ERRNO_TLSREQUIRED && basic_errno != ERRNO_TLSFAILURE)
+        continue;
+      }
+
+    /* Handle 4xx responses to MAIL, RCPT, or DATA. The code that was received
+    is in the 2nd least significant byte of more_errno (with 400 subtracted).
+    The required value is coded in the 2nd least significant byte of the
+    yield->more_errno field as follows:
+
+      255     => any 4xx code
+      >= 100  => the decade must match the value less 100
+      < 100   => the exact value must match
+    */
+
+    else if (yield->basic_errno == ERRNO_MAIL4XX ||
+             yield->basic_errno == ERRNO_RCPT4XX ||
+             yield->basic_errno == ERRNO_DATA4XX)
+      {
+      int wanted;
+      if (basic_errno != yield->basic_errno) continue;
+      wanted = (yield->more_errno >> 8) & 255;
+      if (wanted != 255)
+        {
+        int evalue = (more_errno >> 8) & 255;
+        if (wanted >= 100)
+          {
+          if ((evalue/10)*10 != wanted - 100) continue;
+          }
+        else if (evalue != wanted) continue;
+        }
+      }
+
+    /* There are some special cases for timeouts */
+
+    else if (yield->basic_errno == ETIMEDOUT)
+      {
+      if (basic_errno != ETIMEDOUT) continue;
+
+      /* Just RTEF_CTOUT in the rule => don't care about 'A'/'M' addresses */
+      if (yield->more_errno == RTEF_CTOUT)
+        {
+        if ((more_errno & RTEF_CTOUT) == 0) continue;
+        }
+
+      else if (yield->more_errno != 0)
+        {
+        int cf_errno = more_errno;
+        if ((yield->more_errno & RTEF_CTOUT) == 0) cf_errno &= ~RTEF_CTOUT;
+        if (yield->more_errno != cf_errno) continue;
+        }
+      }
+
+    /* Default checks for exact match */
+
+    else
+      {
+      if (yield->basic_errno != basic_errno ||
+         (yield->more_errno != 0 && yield->more_errno != more_errno))
+       continue;
+      }
+    }
+
+  /* If the "senders" condition is set, check it. Note that sender_address may
+  be null during -brt checking, in which case we do not use this rule. */
+
+  if (  slist
+     && (  !sender_address
+       	|| match_address_list_basic(sender_address, &slist, 0) != OK
+     )  )
+    continue;
+
+  /* Check for a match between the address list item at the start of this retry
+  rule and either the main or alternate keys. */
+
+  if (  match_address_list_basic(key, &plist, UCHAR_MAX+1) == OK
+     || (  alternate
+	&& match_address_list_basic(alternate, &plist, UCHAR_MAX+1) == OK
+     )  )
+    break;
+  }
+
+return yield;
+}
+
+
+
+
+/*************************************************
+*              Update retry database             *
+*************************************************/
+
+/* Update the retry data for any directing/routing/transporting that was
+deferred, or delete it for those that succeeded after a previous defer. This is
+done all in one go to minimize opening/closing/locking of the database file.
+
+Note that, because SMTP delivery involves a list of destinations to try, there
+may be defer-type retry information for some of them even when the message was
+successfully delivered. Likewise if it eventually failed.
+
+This function may move addresses from the defer to the failed queue if the
+ultimate retry time has expired.
+
+Arguments:
+  addr_defer    queue of deferred addresses
+  addr_failed   queue of failed addresses
+  addr_succeed  queue of successful addresses
+
+Returns:        nothing
+*/
+
+void
+retry_update(address_item **addr_defer, address_item **addr_failed,
+  address_item **addr_succeed)
+{
+open_db dbblock;
+open_db *dbm_file = NULL;
+time_t now = time(NULL);
+
+DEBUG(D_retry) debug_printf("Processing retry items\n");
+
+/* Three-times loop to handle succeeded, failed, and deferred addresses.
+Deferred addresses must be handled after failed ones, because some may be moved
+to the failed chain if they have timed out. */
+
+for (int i = 0; i < 3; i++)
+  {
+  address_item *endaddr, *addr;
+  address_item *last_first = NULL;
+  address_item **paddr = i==0 ? addr_succeed :
+    i==1 ? addr_failed : addr_defer;
+  address_item **saved_paddr = NULL;
+
+  DEBUG(D_retry) debug_printf("%s addresses:\n",
+    i == 0 ? "Succeeded" : i == 1 ? "Failed" : "Deferred");
+
+  /* Loop for each address on the chain. For deferred addresses, the whole
+  address times out unless one of its retry addresses has a retry rule that
+  hasn't yet timed out. Deferred addresses should not be requesting deletion
+  of retry items, but just in case they do by accident, treat that case
+  as "not timed out".
+
+  As well as handling the addresses themselves, we must also process any
+  retry items for any parent addresses - these are typically "delete" items,
+  because the parent must have succeeded in order to generate the child. */
+
+  while ((endaddr = *paddr))
+    {
+    BOOL timed_out = FALSE;
+
+    for (addr = endaddr; addr; addr = addr->parent)
+      {
+      int update_count = 0;
+      int timedout_count = 0;
+
+      DEBUG(D_retry) debug_printf(" %s%s\n", addr->address,
+       	addr->retries ? "" : ": no retry items");
+
+      /* Loop for each retry item. */
+
+      for (retry_item * rti = addr->retries; rti; rti = rti->next)
+        {
+        uschar *message;
+        int message_length, message_space, failing_interval, next_try;
+        retry_rule *rule, *final_rule;
+        retry_config *retry;
+        dbdata_retry *retry_record;
+
+        /* Open the retry database if it is not already open; failure to open
+        the file is logged, but otherwise ignored - deferred addresses will
+        get retried at the next opportunity. Not opening earlier than this saves
+        opening if no addresses have retry items - common when none have yet
+        reached their retry next try time. */
+
+        if (!dbm_file)
+          dbm_file = dbfn_open(US"retry", O_RDWR, &dbblock, TRUE, TRUE);
+
+        if (!dbm_file)
+          {
+          DEBUG(D_deliver|D_retry|D_hints_lookup)
+            debug_printf("retry database not available for updating\n");
+          return;
+          }
+
+        /* If there are no deferred addresses, that is, if this message is
+        completing, and the retry item is for a message-specific SMTP error,
+        force it to be deleted, because there's no point in keeping data for
+        no-longer-existing messages. This situation can occur when a domain has
+        two hosts and a message-specific error occurs for the first of them,
+        but the address gets delivered to the second one. This optimization
+        doesn't succeed in cleaning out all the dead entries, but it helps. */
+
+        if (!*addr_defer  &&  rti->flags & rf_message)
+          rti->flags |= rf_delete;
+
+        /* Handle the case of a request to delete the retry info for this
+        destination. */
+
+        if (rti->flags & rf_delete)
+          {
+          (void)dbfn_delete(dbm_file, rti->key);
+          DEBUG(D_retry)
+            debug_printf("deleted retry information for %s\n", rti->key);
+          continue;
+          }
+
+        /* Count the number of non-delete retry items. This is so that we
+        can compare it to the count of timed_out ones, to check whether
+        all are timed out. */
+
+        update_count++;
+
+        /* Get the retry information for this destination and error code, if
+        any. If this item is for a remote host with ip address, then pass
+        the domain name as an alternative to search for. If no retry
+        information is found, we can't generate a retry time, so there is
+        no point updating the database. This retry item is timed out. */
+
+        if (!(retry = retry_find_config(rti->key + 2,
+             rti->flags & rf_host ? addr->domain : NULL,
+             rti->basic_errno, rti->more_errno)))
+          {
+          DEBUG(D_retry) debug_printf("No configured retry item for %s%s%s\n",
+            rti->key,
+            rti->flags & rf_host ? US" or " : US"",
+            rti->flags & rf_host ? addr->domain : US"");
+          if (addr == endaddr) timedout_count++;
+          continue;
+          }
+
+        DEBUG(D_retry)
+          if (rti->flags & rf_host)
+            debug_printf("retry for %s (%s) = %s %d %d\n", rti->key,
+              addr->domain, retry->pattern, retry->basic_errno,
+              retry->more_errno);
+          else
+            debug_printf("retry for %s = %s %d %d\n", rti->key, retry->pattern,
+              retry->basic_errno, retry->more_errno);
+
+        /* Set up the message for the database retry record. Because DBM
+        records have a maximum data length, we enforce a limit. There isn't
+        much point in keeping a huge message here, anyway. */
+
+        message = rti->basic_errno > 0
+	  ? US strerror(rti->basic_errno)
+	  : rti->message
+	  ? US string_printing(rti->message)
+	  : US"unknown error";
+        message_length = Ustrlen(message);
+        if (message_length > EXIM_DB_RLIMIT) message_length = EXIM_DB_RLIMIT;
+
+        /* Read a retry record from the database or construct a new one.
+        Ignore an old one if it is too old since it was last updated. */
+
+        retry_record = dbfn_read_with_length(dbm_file, rti->key,
+					      &message_space);
+        if (  retry_record
+	   && now - retry_record->time_stamp > retry_data_expire)
+          retry_record = NULL;
+
+        if (!retry_record)
+          {
+          retry_record = store_get(sizeof(dbdata_retry) + message_length,
+				   message);
+          message_space = message_length;
+          retry_record->first_failed = now;
+          retry_record->last_try = now;
+          retry_record->next_try = now;
+          retry_record->expired = FALSE;
+          retry_record->text[0] = 0;      /* just in case */
+          }
+	else message_space -= sizeof(dbdata_retry);
+
+        /* Compute how long this destination has been failing */
+
+        failing_interval = now - retry_record->first_failed;
+        DEBUG(D_retry) debug_printf("failing_interval=%d message_age=%d\n",
+          failing_interval, message_age);
+
+        /* For a non-host error, if the message has been on the queue longer
+        than the recorded time of failure, use the message's age instead. This
+        can happen when some messages can be delivered and others cannot; a
+        successful delivery will reset the first_failed time, and this can lead
+        to a failing message being retried too often. */
+
+        if (!(rti->flags & rf_host) && message_age > failing_interval)
+          failing_interval = message_age;
+
+        /* Search for the current retry rule. The cutoff time of the
+        last rule is handled differently to the others. The rule continues
+        to operate for ever (the global maximum interval will eventually
+        limit the gaps) but its cutoff time determines when an individual
+        destination times out. If there are no retry rules, the destination
+        always times out, but we can't compute a retry time. */
+
+        final_rule = NULL;
+        for (rule = retry->rules; rule; rule = rule->next)
+          {
+          if (failing_interval <= rule->timeout) break;
+          final_rule = rule;
+          }
+
+        /* If there's an un-timed out rule, the destination has not
+        yet timed out, so the address as a whole has not timed out (but we are
+        interested in this only for the end address). Make sure the expired
+        flag is false (can be forced via fixdb from outside, but ensure it is
+        consistent with the rules whenever we go through here). */
+
+        if (rule)
+          retry_record->expired = FALSE;
+
+        /* Otherwise, set the retry timeout expired, and set the final rule
+        as the one from which to compute the next retry time. Subsequent
+        messages will fail immediately until the retry time is reached (unless
+        there are other, still active, retries). */
+
+        else
+          {
+          rule = final_rule;
+          retry_record->expired = TRUE;
+          if (addr == endaddr) timedout_count++;
+          }
+
+        /* There is a special case to consider when some messages get through
+        to a destination and others don't. This can happen locally when a
+        large message pushes a user over quota, and it can happen remotely
+        when a machine is on a dodgy Internet connection. The messages that
+        get through wipe the retry information, causing those that don't to
+        stay on the queue longer than the final retry time. In order to
+        avoid this, we check, using the time of arrival of the message, to
+        see if it has been on the queue for more than the final cutoff time,
+        and if so, cause this retry item to time out, and the retry time to
+        be set to "now" so that any subsequent messages in the same condition
+        also get tried. We search for the last rule onwards from the one that
+        is in use. If there are no retry rules for the item, rule will be null
+        and timedout_count will already have been updated.
+
+        This implements "timeout this rule if EITHER the host (or routing or
+        directing) has been failing for more than the maximum time, OR if the
+        message has been on the queue for more than the maximum time."
+
+        February 2006: It is possible that this code is no longer needed
+        following the change to the retry calculation to use the message age if
+        it is larger than the time since first failure. It may be that the
+        expired flag is always set when the other conditions are met. However,
+        this is a small bit of code, and it does no harm to leave it in place,
+        just in case. */
+
+        if (  received_time.tv_sec <= retry_record->first_failed
+	   && addr == endaddr
+	   && !retry_record->expired
+	   && rule)
+          {
+          retry_rule *last_rule;
+          for (last_rule = rule; last_rule->next; last_rule = last_rule->next)
+	    ;
+          if (now - received_time.tv_sec > last_rule->timeout)
+            {
+            DEBUG(D_retry) debug_printf("on queue longer than maximum retry\n");
+            timedout_count++;
+            rule = NULL;
+            }
+          }
+
+        /* Compute the next try time from the rule, subject to the global
+        maximum, and update the retry database. If rule == NULL it means
+        there were no rules at all (and the timeout will be set expired),
+        or we have a message that is older than the final timeout. In this
+        case set the next retry time to now, so that one delivery attempt
+        happens for subsequent messages. */
+
+        if (!rule)
+	  next_try = now;
+	else
+          {
+          if (rule->rule == 'F')
+	    next_try = now + rule->p1;
+          else  /* rule = 'G' or 'H' */
+            {
+            int last_predicted_gap =
+              retry_record->next_try - retry_record->last_try;
+            int last_actual_gap = now - retry_record->last_try;
+            int lastgap = (last_predicted_gap < last_actual_gap)?
+              last_predicted_gap : last_actual_gap;
+            int next_gap = (lastgap * rule->p2)/1000;
+            if (rule->rule == 'G')
+              next_try = now + ((lastgap < rule->p1)? rule->p1 : next_gap);
+            else  /* The 'H' rule */
+              {
+              next_try = now + rule->p1;
+              if (next_gap > rule->p1)
+                next_try += random_number(next_gap - rule->p1)/2 +
+                  (next_gap - rule->p1)/2;
+              }
+            }
+          }
+
+        /* Impose a global retry max */
+
+        if (next_try - now > retry_interval_max)
+          next_try = now + retry_interval_max;
+
+        /* If the new message length is greater than the previous one, we have
+	to copy the record first.  If we're using an old one, the read used
+	tainted memory so we're ok to write into it. */
+
+	if (message_length > message_space)
+	  {
+	  dbdata_retry * newr =
+	    store_get(sizeof(dbdata_retry) + message_length, message);
+	  memcpy(newr, retry_record, sizeof(dbdata_retry));
+	  retry_record = newr;
+	  }
+
+        /* Set up the retry record; message_length may be less than the string
+        length for very long error strings. */
+
+        retry_record->last_try = now;
+        retry_record->next_try = next_try;
+        retry_record->basic_errno = rti->basic_errno;
+        retry_record->more_errno = rti->more_errno;
+        Ustrncpy(retry_record->text, message, message_length);
+        retry_record->text[message_length] = 0;
+
+        DEBUG(D_retry)
+          {
+          int letter = retry_record->more_errno & 255;
+          debug_printf("Writing retry data for %s\n", rti->key);
+          debug_printf("  first failed=%d last try=%d next try=%d expired=%d\n",
+            (int)retry_record->first_failed, (int)retry_record->last_try,
+            (int)retry_record->next_try, retry_record->expired);
+          debug_printf("  errno=%d more_errno=", retry_record->basic_errno);
+          if (letter == 'A' || letter == 'M')
+            debug_printf("%d,%c", (retry_record->more_errno >> 8) & 255,
+              letter);
+          else
+            debug_printf("%d", retry_record->more_errno);
+          debug_printf(" %s\n", retry_record->text);
+          }
+
+        (void)dbfn_write(dbm_file, rti->key, retry_record,
+          sizeof(dbdata_retry) + message_length);
+        }                            /* Loop for each retry item */
+
+      /* If all the non-delete retry items are timed out, the address is
+      timed out, provided that we didn't skip any hosts because their retry
+      time was not reached (or because of hosts_max_try). */
+
+      if (update_count > 0 && update_count == timedout_count)
+        if (!testflag(endaddr, af_retry_skipped))
+          {
+          DEBUG(D_retry) debug_printf("timed out: all retries expired\n");
+          timed_out = TRUE;
+          }
+        else
+          DEBUG(D_retry)
+            debug_printf("timed out but some hosts were skipped\n");
+      }     /* Loop for an address and its parents */
+
+    /* If this is a deferred address, and retry processing was requested by
+    means of one or more retry items, and they all timed out, move the address
+    to the failed queue, and restart this loop without updating paddr.
+
+    If there were several addresses batched in the same remote delivery, only
+    the original top one will have host retry items attached to it, but we want
+    to handle all the same. Each will have a pointer back to its "top" address,
+    and they will now precede the item with the retries because addresses are
+    inverted when added to these final queues. We have saved information about
+    them in passing (below) so they can all be cut out at once. */
+
+    if (i == 2)   /* Handling defers */
+      {
+      if (endaddr->retries && timed_out)
+        {
+        if (last_first == endaddr) paddr = saved_paddr;
+        addr = *paddr;
+        *paddr = endaddr->next;
+
+        endaddr->next = *addr_failed;
+        *addr_failed = addr;
+
+        for (;; addr = addr->next)
+          {
+          setflag(addr, af_retry_timedout);
+          addr->message = addr->message
+            ? string_sprintf("%s: retry timeout exceeded", addr->message)
+	    : US"retry timeout exceeded";
+          addr->user_message = addr->user_message
+	    ? string_sprintf("%s: retry timeout exceeded", addr->user_message)
+	    : US"retry timeout exceeded";
+          log_write(0, LOG_MAIN, "** %s%s%s%s: retry timeout exceeded",
+            addr->address,
+            addr->parent ? US" <" : US"",
+            addr->parent ? addr->parent->address : US"",
+            addr->parent ? US">" : US"");
+
+          if (addr == endaddr) break;
+          }
+
+        continue;                       /* Restart from changed *paddr */
+        }
+
+      /* This address is to remain on the defer chain. If it has a "first"
+      pointer, save the pointer to it in case we want to fail the set of
+      addresses when we get to the first one. */
+
+      if (endaddr->first != last_first)
+        {
+        last_first = endaddr->first;
+        saved_paddr = paddr;
+        }
+      }
+
+    /* All cases (succeed, fail, defer left on queue) */
+
+    paddr = &(endaddr->next);         /* Advance to next address */
+    }                                 /* Loop for all addresses  */
+  }                                   /* Loop for succeed, fail, defer */
+
+/* Close and unlock the database */
+
+if (dbm_file) dbfn_close(dbm_file);
+
+DEBUG(D_retry) debug_printf("end of retry processing\n");
+}
+
+/* End of retry.c */
diff --git a/src/rewrite.c b/src/rewrite.c
new file mode 100644
index 0000000..005dc51
--- /dev/null
+++ b/src/rewrite.c
@@ -0,0 +1,825 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions concerned with rewriting headers */
+
+
+#include "exim.h"
+
+/* Names for testing rewriting */
+
+static const char *rrname[] = {
+  "  sender",
+  "    from",
+  "      to",
+  "      cc",
+  "     bcc",
+  "reply-to",
+  "env-from",
+  "  env-to"
+};
+
+/* Structure and table for finding source of address for debug printing */
+
+typedef struct where_list_block {
+  int bit;
+  const uschar *string;
+} where_list_block;
+
+static where_list_block where_list[] = {
+  { rewrite_sender,  CUS"sender:" },
+  { rewrite_from,    CUS"from:" },
+  { rewrite_to,      CUS"to:" },
+  { rewrite_cc,      CUS"cc:" },
+  { rewrite_bcc,     CUS"bcc:" },
+  { rewrite_replyto, CUS"reply-to:" },
+  { rewrite_envfrom, CUS"env-from" },
+  { rewrite_envto,   CUS"env-to" },
+  { rewrite_smtp,    CUS"smtp recipient" },
+  { rewrite_smtp|rewrite_smtp_sender, CUS"smtp sender" }
+};
+
+static int where_list_size = sizeof(where_list)/sizeof(where_list_block);
+
+
+
+/*************************************************
+*            Ensure an address is qualified      *
+*************************************************/
+
+/*
+Arguments:
+  s              address to check
+  is_recipient   TRUE if a recipient address; FALSE if a sender address
+
+Returns:         fully-qualified address
+*/
+
+const uschar *
+rewrite_address_qualify(const uschar *s, BOOL is_recipient)
+{
+return parse_find_at(s)
+  ? s : string_sprintf("%s@%s", s,
+	  is_recipient ? qualify_domain_recipient : qualify_domain_sender);
+}
+
+
+
+/*************************************************
+*               Rewrite a single address         *
+*************************************************/
+
+/* The yield is the input address if there is no rewriting to be done. Assume
+the input is a valid address, except in the case of SMTP-time rewriting, which
+is handled specially. When this function is called while processing filter and
+forward files, the uid may be that of the user. Ensure it is reset while
+expanding a replacement, in case that involves file lookups.
+
+Arguments:
+  s              address to rewrite
+  flag           indicates where this address comes from; it must match the
+                   flags in the rewriting rule
+  whole          if not NULL, set TRUE if any rewriting rule contained the
+                   "whole" bit and it is a header that is being rewritten
+  add_header     if TRUE and rewriting occurs, add an "X-rewrote-xxx" header
+                   if headers are in existence; this should be TRUE only when
+                   a message is being received, not during delivery
+  name           name of header, for use when adding X-rewrote-xxxx
+  rewrite_rules  chain of rewriting rules
+
+Returns:         new address if rewritten; the input address if no change;
+                 for a header rewrite, if the "whole" bit is set, the entire
+                 rewritten address is returned, not just the active bit.
+*/
+
+const uschar *
+rewrite_one(const uschar *s, int flag, BOOL *whole, BOOL add_header, uschar *name,
+  rewrite_rule *rewrite_rules)
+{
+const uschar *yield = s;
+const uschar *subject = s;
+uschar *domain = NULL;
+BOOL done = FALSE;
+int rule_number = 1;
+int yield_start = 0, yield_end = 0;
+
+if (whole) *whole = FALSE;
+
+/* Scan the rewriting rules, ignoring any without matching flag */
+
+for (rewrite_rule * rule = rewrite_rules;
+     rule && !done;
+     rule_number++, rule = rule->next) if (rule->flags & flag)
+  {
+  int start, end, pdomain;
+  int count = 0;
+  uschar *save_localpart;
+  const uschar *save_domain;
+  uschar *error, *new;
+  const uschar * newparsed;
+
+  /* Come back here for a repeat after a successful rewrite. We do this
+  only so many times. */
+
+  REPEAT_RULE:
+
+  /* If this is an SMTP-time rewrite, the pattern must be a regex and
+  the subject may have any structure. No local part or domain variables
+  can be set for the expansion. We expand the pattern in order to be consistent
+  with the other kinds of rewrite, where expansion happens inside
+  match_address_list(). */
+
+  if (flag & rewrite_smtp)
+    {
+    uschar *key = expand_string(rule->key);
+    if (!key)
+      {
+      if (!f.expand_string_forcedfail)
+        log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" while "
+          "checking for SMTP rewriting: %s", rule->key, expand_string_message);
+      continue;
+      }
+    if (match_check_string(subject, key, 0, TRUE, FALSE, FALSE, NULL) != OK)
+      continue;
+    new = expand_string(rule->replacement);
+    }
+
+  /* All other rewrites expect the input to be a valid address, so local part
+  and domain variables can be set for expansion. For the first rule, to be
+  applied to this address, domain will be NULL and needs to be set. */
+
+  else
+    {
+    if (!domain) domain = Ustrrchr(subject, '@') + 1;
+
+    /* Use the general function for matching an address against a list (here
+    just one item, so use the "impossible value" separator UCHAR_MAX+1). */
+
+    if (match_address_list(subject, FALSE, TRUE, CUSS &(rule->key), NULL, 0,
+        UCHAR_MAX + 1, NULL) != OK)
+      continue;
+
+    /* The source address matches, and numerical variables have been
+    set up. If the replacement string consists of precisely "*" then no
+    rewriting is required for this address - the behaviour is as for "fail"
+    in the replacement expansion, but assuming the quit flag. */
+
+    if (Ustrcmp(rule->replacement, "*") == 0) break;
+
+    /* Otherwise, expand the replacement string. Set $local_part and $domain to
+    the appropriate values, restoring whatever value they previously had
+    afterwards. */
+
+    save_localpart = deliver_localpart;
+    save_domain = deliver_domain;
+
+    /* We have subject pointing to "localpart@domain" and domain pointing to
+    the domain. Temporarily terminate the local part so that it can be
+    set up as an expansion variable */
+
+    domain[-1] = 0;
+    deliver_localpart = US subject;
+    deliver_domain = domain;
+
+    new = expand_string(rule->replacement);
+
+    domain[-1] = '@';
+    deliver_localpart = save_localpart;
+    deliver_domain = save_domain;
+    }
+
+  /* If the expansion failed with the "forcedfail" flag, don't generate
+  an error - just give up on this rewriting rule. If the "q" flag is set,
+  give up altogether. For other expansion failures we have a configuration
+  error. */
+
+  if (!new)
+    {
+    if (f.expand_string_forcedfail)
+      { if (rule->flags & rewrite_quit) break; else continue; }
+
+    expand_string_message = expand_hide_passwords(expand_string_message);
+
+    log_write(0, LOG_MAIN|LOG_PANIC, "Expansion of %s failed while rewriting: "
+      "%s", rule->replacement, expand_string_message);
+    break;
+    }
+
+  /* Check the what has been generated is a valid RFC 2822 address. Only
+  envelope from or SMTP sender is permitted to be rewritten as <>.*/
+
+  newparsed = parse_extract_address(new, &error, &start, &end, &pdomain,
+    flag == rewrite_envfrom || flag == (rewrite_smtp|rewrite_smtp_sender));
+
+  if (!newparsed)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "Rewrite of %s yielded unparseable "
+      "address: %s in address %s", subject, error, new);
+    break;   /* Give up on this address */
+    }
+
+  /* A non-null unqualified address can be qualified if requested. Otherwise,
+  this is an error unless it's the empty address in circumstances where that is
+  permitted. */
+
+  if (pdomain == 0 && (*newparsed != 0 ||
+      (flag != rewrite_envfrom && flag != (rewrite_smtp|rewrite_smtp_sender))))
+    {
+    if (rule->flags & rewrite_qualify)
+      {
+      newparsed = rewrite_address_qualify(newparsed, TRUE);
+      new = string_sprintf("%.*s%s%.*s", start, new, newparsed,
+        Ustrlen(new) - end, new + end);
+      end = start + Ustrlen(newparsed);
+      }
+    else
+      {
+      log_write(0, LOG_MAIN|LOG_PANIC, "Rewrite of %s yielded unqualified "
+        "address \"%s\"", subject, new);
+      break;   /* Give up on this address */
+      }
+    }
+
+  /* We have a validly rewritten address */
+
+  if (LOGGING(address_rewrite) || (debug_selector & D_rewrite) != 0)
+    {
+    const uschar *where = CUS"?";
+
+    for (int i = 0; i < where_list_size; i++)
+      if (flag == where_list[i].bit)
+        {
+        where = where_list[i].string;
+        break;
+        }
+    log_write(L_address_rewrite,
+           LOG_MAIN, "\"%s\" from %s rewritten as \"%s\" by rule %d",
+           yield, where, new, rule_number);
+    }
+
+  /* A header will only actually be added if header_last is non-NULL,
+  i.e. during message reception or delivery, but add_header should not
+  be set TRUE during delivery, as otherwise multiple instances of the header
+  can fill up the -H file and make it embarrassingly large. We don't need
+  to set header_rewritten because the -H file always gets written at the end
+  of message reception. */
+
+  if (add_header)
+    header_add(htype_old, "X-rewrote-%s: %s\n", name, subject);
+
+  /* Handle the case when replacement of the whole address is possible.
+  This happens only when whole is not NULL and we are rewriting a header.
+  If *whole is already TRUE it means that a previous rule had the w
+  flag set and so we must preserve the non-active portion of the current
+  subject unless the current rule also has the w flag set. */
+
+  if (whole && (flag & rewrite_all_headers))
+    {
+    /* Current rule has the w flag set. We must ensure the phrase parts
+    are syntactically valid if they are present. */
+
+    if (rule->flags & rewrite_whole)
+      {
+      if (start > 0 && new[start-1] == '<')
+        {
+        uschar *p1 = new + start - 1;
+        uschar *p2 = new + end + 1;
+        const uschar *pf1, *pf2;
+
+        while (p1 > new && p1[-1] == ' ') p1--;
+        pf1 = parse_fix_phrase(new, p1 - new);
+        while (*p2 == ' ') p2++;
+        pf2 = parse_fix_phrase(p2, Ustrlen(p2));
+
+        start = Ustrlen(pf1) + start + new - p1;
+        end = start + Ustrlen(newparsed);
+        new = string_sprintf("%s%.*s%s", pf1, (int)(p2 - p1), p1, pf2);
+        }
+
+      /* Now accept the whole thing */
+
+      yield = new;
+      yield_start = start;
+      yield_end = end;
+      subject = newparsed;
+      *whole = TRUE;
+      }
+
+    /* Current rule does not have the w flag set; if not previously
+    done any whole rewriting, behave in non-whole manner. */
+
+    else if (!*whole) goto NEVER_WHOLE;
+
+    /* Current rule does not have the w flag set, but a previous
+    rule did rewrite the whole address. Thus yield and subject will be
+    different. Preserve the previous non-active part of the address. */
+
+    else
+      {
+      subject = newparsed;
+      new = string_sprintf("%.*s%s%n%s",
+         yield_start, yield, subject, &end, yield + yield_end);
+      yield_end = end;
+      yield = new;
+      }
+    }
+
+  /* Rule just rewrites active part, or handling an envelope. This
+  code is obeyed only when all rules so far have not done "whole"
+  replacement. */
+
+  else
+    {
+    NEVER_WHOLE:
+    subject = yield = newparsed;
+    }
+
+  domain = NULL;    /* Reset for next rule */
+
+  /* If no further rewrites are to be done, set the done flag. This allows
+  repeats of the current rule if configured before breaking the loop. */
+
+  if (rule->flags & rewrite_quit) done = TRUE;
+
+  /* Allow the current rule to be applied up to 10 times if
+  requested. */
+
+  if (rule->flags & rewrite_repeat)
+    {
+    if (count++ < 10) goto REPEAT_RULE;
+    log_write(0, LOG_MAIN|LOG_PANIC, "rewrite rule repeat ignored after 10 "
+      "times");
+    }
+  }
+
+/* Unset expansion numeric variables, and that's it. */
+
+expand_nmax = -1;
+return yield;
+}
+
+
+
+/*************************************************
+*         Ensure qualification and rewrite       *
+*************************************************/
+
+/* This function is called for envelope addresses, the boolean specifying
+whether a recipient or a sender. It must first of all ensure the address is
+fully qualified, and then apply any relevant re-writing rules. The add-header
+flag causes a header to be added, recording the old address. This is marked
+"old", so that it is never transported anywhere; it exists for local checking
+and debugging purposes.
+
+Arguments:
+  s              the address to be considered
+  is_recipient   TRUE for recipient addresses; FALSE otherwise
+  add_header     add "X-rewrote-xxx" header when rewriting; this is
+                   set TRUE only for calls from the reception functions
+  rewrite_rules  points to chain of rewrite rules
+  existflags     bits indicating which headers there are rewrites for
+                 (just an optimisation)
+
+Returns:         possibly rewritten address
+*/
+
+const uschar *
+rewrite_address(const uschar *s, BOOL is_recipient, BOOL add_header,
+  rewrite_rule *rewrite_rules, int existflags)
+{
+int flag = is_recipient ? rewrite_envto : rewrite_envfrom;
+
+s = rewrite_address_qualify(s, is_recipient);
+if (existflags & flag)
+  {
+  const uschar *new = rewrite_one(s, flag, NULL, add_header, is_recipient?
+    US"original-recipient" : US"sender", rewrite_rules);
+  if (new != s) s = new;
+  }
+return s;
+}
+
+
+
+/*************************************************
+*    Qualify and possibly rewrite one header     *
+*************************************************/
+
+/* This is called only from rewrite_header() below, either when reading a
+message. or when routing, in order to rewrite addresses that get changed by a
+router. This is normally the addition of full qualification to a partial
+domain. The first rewriting rule in this case is "change routed_old into
+routed_new", and it applies to all header lines that contain addresses. Then
+header-specific rewriting rules are applied.
+
+Before rewriting can be done, addresses without domains have to be qualified.
+This should only be done for messages from "local" senders. This is a difficult
+concept to pin down, what with the use of SMTP both as a submission and as a
+transmission protocol. Exim normally requires incoming SMTP to contain fully-
+qualified addresses, but there are options to permit unqualified ones from
+certain hosts. For those hosts only, addresses in headers can also be
+qualified. For other hosts, unqualified addresses in headers do not get touched
+in any way. For locally sourced messages, unqualified addresses always get
+qualified, except when -bnq is used to explicitly suppress this.
+
+Arguments:
+  h              pointer to header line block
+  flag           indicates which header this is
+  routed_old     if not NULL, this is a rewrite caused by a router, changing
+                   this domain into routed_new
+  routed_new     new routed domain if routed_old is not NULL
+  rewrite_rules  points to chain of rewriting rules
+  existflags     bits indicating which rewrites exist
+  replace        if TRUE, insert the new header in the chain after the old
+                   one, and mark the old one "replaced"
+
+Returns:         NULL if header unchanged; otherwise the rewritten header
+*/
+
+static header_line *
+rewrite_one_header(header_line *h, int flag,
+  const uschar *routed_old, const uschar *routed_new,
+  rewrite_rule *rewrite_rules, int existflags, BOOL replace)
+{
+int lastnewline = 0;
+header_line *newh = NULL;
+rmark function_reset_point = store_mark();
+uschar *s = Ustrchr(h->text, ':') + 1;
+
+while (isspace(*s)) s++;
+
+DEBUG(D_rewrite)
+  debug_printf_indent("rewrite_one_header: type=%c:\n  %s", h->type, h->text);
+
+f.parse_allow_group = TRUE;     /* Allow group syntax */
+
+/* Loop for multiple addresses in the header. We have to go through them all
+in case any need qualifying, even if there's no rewriting. Pathological headers
+may have thousands of addresses in them, so cause the store to be reset for
+any that don't actually get rewritten. We also play silly games for those that
+_are_ rewritten so as to avoid runaway store usage for these kinds of header.
+We want to avoid keeping store for any intermediate versions. */
+
+while (*s)
+  {
+  uschar *sprev;
+  uschar *ss = parse_find_address_end(s, FALSE);
+  uschar *recipient, *new;
+  rmark loop_reset_point = store_mark();
+  uschar *errmess = NULL;
+  BOOL changed = FALSE;
+  int terminator = *ss;
+  int start, end, domain;
+
+  /* Temporarily terminate the string at this point, and extract the
+  operative address within. Then put back the terminator and prepare for
+  the next address, saving the start of the old one. */
+
+  *ss = 0;
+  recipient = parse_extract_address(s, &errmess, &start, &end, &domain, FALSE);
+  *ss = terminator;
+  sprev = s;
+  s = ss + (terminator ? 1 : 0);
+  while (isspace(*s)) s++;
+
+  /* There isn't much we can do for syntactic disasters at this stage.
+  Pro tem (possibly for ever) ignore them.
+  If we got nothing, then there was any sort of error: non-parsable address,
+  empty address, overlong addres. Sometimes the result matters, sometimes not.
+  It seems this function is called for *any* header we see. */
+
+  if (!recipient)
+    {
+    /* Handle unparesable addresses in the header. Slightly ugly because a
+    null output from the extract can also result from a header without an
+    address, "To: undisclosed recpients:;" being the classic case. */
+
+    if ((rewrite_rules || routed_old) && Ustrcmp(errmess, "empty address") != 0)
+      {
+      log_write(0, LOG_MAIN, "rewrite: %s", errmess);
+      exim_exit(EXIT_FAILURE);
+      }
+    loop_reset_point = store_reset(loop_reset_point);
+    continue;
+    }
+
+  /* If routed_old is not NULL, this is a rewrite caused by a router,
+  consisting of changing routed_old into routed_new, and applying to all
+  headers. If the header address has no domain, it is excluded, since a router
+  rewrite affects domains only. The new value should always be fully qualified,
+  but it may be something that has an explicit re-write rule set, so we need to
+  check the configured rules subsequently as well. (Example: there's an
+  explicit rewrite turning *.foo.com into foo.com, and an address is supplied
+  as abc@xyz, which the DNS lookup turns into abc@xyz.foo.com). However, if no
+  change is made here, don't bother carrying on. */
+
+  if (routed_old)
+    {
+    if (domain <= 0 || strcmpic(recipient+domain, routed_old) != 0) continue;
+    recipient[domain-1] = 0;
+    new = string_sprintf("%s@%s", recipient, routed_new);
+    DEBUG(D_rewrite)
+      {
+      recipient[domain-1] = '@';
+      debug_printf("%s rewritten by router as %s\n", recipient, new);
+      }
+    recipient = new;
+    changed = TRUE;
+    }
+
+  /* This is not a router-inspired rewrite. Ensure the address is fully
+  qualified if that is permitted. If an unqualified address was received
+  from a host that isn't listed, do not continue rewriting this address.
+  Sender, From or Reply-To headers are treated as senders, the rest as
+  recipients. This matters only when there are different qualify strings. */
+
+  else
+    {
+    BOOL is_recipient =
+      (flag & (rewrite_sender | rewrite_from | rewrite_replyto)) == 0;
+    /* deconst ok as recipient was notconst */
+    new = US rewrite_address_qualify(recipient, is_recipient);
+    changed = (new != recipient);
+    recipient = new;
+
+    /* Can only qualify if permitted; if not, no rewrite. */
+
+    if (changed && ((is_recipient && !f.allow_unqualified_recipient) ||
+                    (!is_recipient && !f.allow_unqualified_sender)))
+      {
+      loop_reset_point = store_reset(loop_reset_point);
+      continue;
+      }
+    }
+
+  /* If there are rewrite rules for this type of header, apply
+  them. This test is just for efficiency, to save scanning the rules
+  in cases when nothing is going to change. If any rewrite rule had the
+  "whole" flag set, adjust the pointers so that the whole address gets
+  replaced, except possibly a final \n. */
+
+  if (existflags & flag)
+    {
+    BOOL whole;
+    /* deconst ok as recipient was notconst */
+    new = US rewrite_one(recipient, flag, &whole, FALSE, NULL, rewrite_rules);
+    if (new != recipient)
+      {
+      changed = TRUE;
+      if (whole)
+        {
+        start = 0;
+        end = ss - sprev;
+        if (sprev[end-1] == '\n') end--;
+        }
+      }
+    }
+
+  /* If nothing has changed, lose all dynamic store obtained in this loop, and
+  move on to the next address. We can't reset to the function start store
+  point, because we may have a rewritten line from a previous time round the
+  loop. */
+
+  if (!changed) loop_reset_point = store_reset(loop_reset_point);
+
+  /* If the address has changed, create a new header containing the
+  rewritten address. We do not need to set the chain pointers at this
+  stage. We want to avoid using more and more memory if the header is very long
+  and contains lots and lots of rewritten addresses. Therefore, we build the
+  new text string in malloc store, then at the end we reset dynamic store
+  before copying the new header to a new block (and then freeing the malloc
+  block). The header must end up in dynamic store so that it's freed at the end
+  of receiving a message. */
+
+  else
+    {
+    int remlen;
+    int newlen = Ustrlen(new);
+    int oldlen = end - start;
+
+    header_line * prev = newh ? newh : h;
+    uschar * newt = store_get_perm(prev->slen - oldlen + newlen + 4, GET_TAINTED);
+    uschar * newtstart = newt;
+
+    int type = prev->type;
+    int slen = prev->slen - oldlen + newlen;
+
+    /* Build the new header text by copying the old and putting in the
+    replacement. This process may make the header substantially longer
+    than it was before - qualification of a list of bare addresses can
+    often do this - so we stick in a newline after the re-written address
+    if it has increased in length and ends more than 40 characters in. In
+    fact, the code is not perfect, since it does not scan for existing
+    newlines in the header, but it doesn't seem worth going to that
+    amount of trouble. */
+
+    Ustrncpy(newt, prev->text, sprev - prev->text + start);
+    newt += sprev - prev->text + start;
+    *newt = 0;
+    Ustrcat(newt, new);
+    newt += newlen;
+    remlen = s - (sprev + end);
+    if (remlen > 0)
+      {
+      Ustrncpy(newt, sprev + end, remlen);
+      newt += remlen;
+      *newt = 0;
+      }
+
+    /* Must check that there isn't a newline here anyway; in particular, there
+    will be one at the very end of the header, where we DON'T want to insert
+    another one! The pointer s has been skipped over white space, so just
+    look back to see if the last non-space-or-tab was a newline. */
+
+    if (newlen > oldlen && newt - newtstart - lastnewline > 40)
+      {
+      uschar *p = s - 1;
+      while (p >= prev->text && (*p == ' ' || *p == '\t')) p--;
+      if (*p != '\n')
+        {
+        lastnewline = newt - newtstart;
+        Ustrcat(newt, US"\n\t");
+        slen += 2;
+        }
+      }
+
+    /* Finally, the remaining unprocessed addresses, if any. */
+
+    Ustrcat(newt, s);
+
+    DEBUG(D_rewrite) debug_printf("newlen=%d newtype=%c newtext:\n%s",
+      slen, type, newtstart);
+
+    /* Compute the length of the rest of the header line before we possibly
+    flatten a previously rewritten copy. */
+
+    remlen = (s - prev->text) - oldlen + newlen;
+
+    /* We have the new text in a malloc block. That enables us to release all
+    the memory that has been used, back to the point at which the function was
+    entered. Then set up a new header in dynamic store. This will override a
+    rewritten copy from a previous time round this loop. */
+
+    store_reset(function_reset_point);
+    function_reset_point = store_mark();
+    newh = store_get(sizeof(header_line), GET_UNTAINTED);
+    newh->type = type;
+    newh->slen = slen;
+    newh->text = string_copyn(newtstart, slen);
+
+    /* Set up for scanning the rest of the header */
+
+    s = newh->text + remlen;
+    DEBUG(D_rewrite) debug_printf("remainder: %s", *s ? s : US"\n");
+    }
+  }
+
+f.parse_allow_group = FALSE;  /* Reset group flags */
+f.parse_found_group = FALSE;
+
+/* If a rewrite happened and "replace" is true, put the new header into the
+chain following the old one, and mark the old one as replaced. */
+
+if (newh && replace)
+  {
+  newh->next = h->next;
+  if (!newh->next) header_last = newh;
+  h->type = htype_old;
+  h->next = newh;
+  }
+
+return newh;
+}
+
+
+
+
+/*************************************************
+*              Rewrite a header line             *
+*************************************************/
+
+/* This function may be passed any old header line. It must detect those which
+contain addresses, then then apply any rewriting rules that apply. If
+routed_old is NULL, only the configured rewriting rules are consulted.
+Otherwise, the rewriting rule is "change routed_old into routed_new", and it
+applies to all header lines that contain addresses. Then header-specific
+rewriting rules are applied.
+
+The old header line is flagged as "old". Old headers are saved on the spool for
+debugging but are never sent to any recipients.
+
+Arguments:
+  h              header line to rewrite
+  routed_old     if not NULL, this is a rewrite caused by a router, changing
+                   this domain into routed_new
+  routed_new     new routed domain if routed_old is not NULL
+  rewrite_rules  points to chain of rewrite rules
+  existflags     bits indicating which rewrites exist
+  replace        if TRUE, the new header is inserted into the header chain
+                    after the old one, and the old one is marked replaced
+
+Returns:         NULL if header unchanged; otherwise the rewritten header
+*/
+
+header_line *
+rewrite_header(header_line *h,
+  const uschar *routed_old, const uschar *routed_new,
+  rewrite_rule *rewrite_rules, int existflags, BOOL replace)
+{
+int flag;
+switch (h->type)
+  {
+  case htype_sender:	flag = rewrite_sender;	break;
+  case htype_from:	flag = rewrite_from;	break;
+  case htype_to:	flag = rewrite_to;	break;
+  case htype_cc:	flag = rewrite_cc;	break;
+  case htype_bcc:	flag = rewrite_bcc;	break;
+  case htype_reply_to:	flag = rewrite_replyto;	break;
+  default:		return NULL;
+  }
+return rewrite_one_header(h, flag, routed_old, routed_new,
+  rewrite_rules, existflags, replace);
+}
+
+
+
+/************************************************
+*            Test rewriting rules               *
+************************************************/
+
+/* Called from the mainline as a result of the -brw option. Test the
+address for all possible cases.
+
+Argument: the address to test
+Returns:  nothing
+*/
+
+void
+rewrite_test(const uschar *s)
+{
+uschar *recipient, *error;
+int start, end, domain;
+BOOL done_smtp = FALSE;
+
+if (rewrite_existflags == 0)
+  {
+  printf("No rewrite rules are defined\n");
+  return;
+  }
+
+/* Do SMTP rewrite only if a rule with the S flag exists. Allow <> by
+pretending it is a sender. */
+
+if ((rewrite_existflags & rewrite_smtp) != 0)
+  {
+  const uschar * new = rewrite_one(s, rewrite_smtp|rewrite_smtp_sender, NULL,
+    FALSE, US"", global_rewrite_rules);
+  if (new != s)
+    {
+    if (*new == 0)
+      printf("    SMTP: <>\n");
+    else
+      printf("    SMTP: %s\n", new);
+    done_smtp = TRUE;
+    }
+  }
+
+/* Do the other rewrites only if a rule without the S flag exists */
+
+if ((rewrite_existflags & ~rewrite_smtp) == 0) return;
+
+/* Qualify if necessary before extracting the address */
+
+if (parse_find_at(s) == NULL)
+  s = string_sprintf("%s@%s", s, qualify_domain_recipient);
+
+recipient = parse_extract_address(s, &error, &start, &end, &domain, FALSE);
+
+if (!recipient)
+  {
+  if (!done_smtp)
+    printf("Syntax error in %s\n%c%s\n", s, toupper(error[0]), error+1);
+  return;
+  }
+
+for (int i = 0; i < 8; i++)
+  {
+  BOOL whole = FALSE;
+  int flag = 1 << i;
+  const uschar * new = rewrite_one(recipient, flag, &whole, FALSE, US"",
+    global_rewrite_rules);
+  printf("%s: ", rrname[i]);
+  if (*new == 0)
+    printf("<>\n");
+  else if (whole || (flag & rewrite_all_headers) == 0)
+    printf("%s\n", CS new);
+  else printf("%.*s%s%s\n", start, s, new, s+end);
+  }
+}
+
+/* End of rewrite.c */
diff --git a/src/rfc2047.c b/src/rfc2047.c
new file mode 100644
index 0000000..1ed1dd8
--- /dev/null
+++ b/src/rfc2047.c
@@ -0,0 +1,345 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This file contains a function for decoding message header lines that may
+contain encoded "words" according to the rules described in
+
+  RFC-2047 at http://www.ietf.org/rfc/rfc2047.txt
+
+The function is a rewritten version of code created by Norihisa Washitake.
+The original could be used both inside Exim (as part of a patch) or in a
+freestanding form. The original contained some built-in code conversions; I
+have chosen only to do code conversions if iconv() is supported by the OS.
+Because there were quite a lot of hacks to be done, for a variety of reasons,
+I rewrote the code.
+
+You can find the latest version of the original library at
+
+  http://washitake.com/mail/exim/mime/
+
+The code below is almost completely unlike the original. */
+
+
+#include "exim.h"
+
+
+/*************************************************
+*                Do a QP conversion              *
+*************************************************/
+
+/* This function decodes "quoted printable" into bytes.
+
+Arguments:
+  string      the string that includes QP escapes
+  ptrptr      where to return pointer to the decoded string
+
+Returns:      the length of the decoded string, or -1 on failure
+*/
+
+static int
+rfc2047_qpdecode(uschar *string, uschar **ptrptr)
+{
+int len = 0;
+uschar *ptr;
+
+ptr = *ptrptr = store_get(Ustrlen(string) + 1, string);  /* No longer than this */
+
+while (*string != 0)
+  {
+  int ch = *string++;
+
+  if (ch == '_') *ptr++ = ' ';
+  else if (ch == '=')
+    {
+    int a = *string;
+    int b = (a == 0)? 0 : string[1];
+    if (!isxdigit(a) || !isxdigit(b)) return -1;  /* Bad QP string */
+    *ptr++ = ((Ustrchr(hex_digits, tolower(a)) - hex_digits) << 4) +
+               Ustrchr(hex_digits, tolower(b)) - hex_digits;
+    string += 2;
+    }
+  else if (ch == ' ' || ch == '\t') return -1;    /* Whitespace is illegal */
+  else *ptr++ = ch;
+
+  len++;
+  }
+
+*ptr = 0;
+return len;
+}
+
+
+
+/*************************************************
+*            Decode next MIME word               *
+*************************************************/
+
+/* Scan a string to see if a MIME word exists; pass back the separator
+points in the string.
+
+Arguments:
+  string     subject string
+  lencheck   TRUE to enforce maximum length check
+  q1ptr      pass back address of first question mark
+  q2ptr      pass back address of second question mark
+  endptr     pass back address of final ?=
+  dlenptr    pass back length of decoded string
+  dptrptr    pass back pointer to decoded string
+
+Returns:     address of =? or NULL if not present
+*/
+
+static uschar *
+decode_mimeword(uschar *string, BOOL lencheck, uschar **q1ptr, uschar **q2ptr,
+  uschar **endptr, size_t *dlenptr, uschar **dptrptr)
+{
+uschar *mimeword;
+for (;; string = mimeword + 2)
+  {
+  int encoding;
+  int dlen = -1;
+
+  if ((mimeword = Ustrstr(string, "=?"))  == NULL ||
+      (*q1ptr = Ustrchr(mimeword+2, '?')) == NULL ||
+      (*q2ptr = Ustrchr(*q1ptr+1, '?')) == NULL ||
+      (*endptr = Ustrstr(*q2ptr+1, "?=")) == NULL) return NULL;
+
+  /* We have found =?xxx?xxx?xxx?= in the string. Optionally check the
+  length, and that the second field is just one character long. If not,
+  continue the loop to search again. We must start just after the initial =?
+  because we might have found =?xxx=?xxx?xxx?xxx?=. */
+
+  if ((lencheck && *endptr - mimeword > 73) || *q2ptr - *q1ptr != 2) continue;
+
+  /* Get the encoding letter, and decode the data string. */
+
+  encoding = toupper((*q1ptr)[1]);
+  **endptr = 0;
+  if (encoding == 'B')
+    dlen = b64decode(*q2ptr+1, dptrptr);
+  else if (encoding == 'Q')
+    dlen = rfc2047_qpdecode(*q2ptr+1, dptrptr);
+  **endptr = '?';   /* restore */
+
+  /* If the decoding succeeded, we are done. Set the length of the decoded
+  string, and pass back the initial pointer. Otherwise, the loop continues. */
+
+  if (dlen >= 0)
+    {
+    *dlenptr = (size_t)dlen;
+    return mimeword;
+    }
+  }
+
+/* Control should never actually get here */
+}
+
+
+
+/*************************************************
+*    Decode and convert an RFC 2047 string       *
+*************************************************/
+
+/* There are two functions defined here. The original one was rfc2047_decode()
+and it was documented in the local_scan() interface. I needed to add an extra
+argument for use by expand_string(), so I created rfc2047_decode2() for that
+purpose. The original function became a stub that just supplies NULL for the
+new argument (sizeptr).
+
+An RFC 2047-encoded string may contain one or more "words", each of the
+form  =?...?.?...?=  with the first ... specifying the character code, the
+second being Q (for quoted printable) or B for Base64 encoding. The third ...
+is the actual data.
+
+This function first decodes each "word" into bytes from the Q or B encoding.
+Then, if provided with the name of a charset encoding, and if iconv() is
+available, it attempts to translate the result to the named character set.
+If this fails, the binary string is returned with an error message.
+
+If a binary zero is encountered in the decoded string, it is replaced by the
+contents of the zeroval argument. For use with Exim headers, the value must not
+be 0 because they are handled as zero-terminated strings. When zeroval==0,
+lenptr should not be NULL.
+
+Arguments:
+    string       the subject string
+    lencheck     TRUE to enforce maximum MIME word length
+    target       the name of the target encoding for MIME words, or NULL for
+                   no charset translation
+    zeroval      the value to use for binary zero bytes
+    lenptr       if not NULL, the length of the result is returned via
+                   this variable
+    sizeptr      if not NULL, the length of a new store block in which the
+                   result is built is placed here; if no new store is obtained,
+                   the value is not changed
+    error        for error messages; NULL if no problem; this can be set
+                   when the yield is non-NULL if there was a charset
+                   translation problem
+
+Returns:         the decoded, converted string, or NULL on error; if there are
+                   no MIME words in the string, the original string is returned
+*/
+
+uschar *
+rfc2047_decode2(uschar *string, BOOL lencheck, const uschar *target,
+  int zeroval, int *lenptr, int *sizeptr, uschar **error)
+{
+int size = Ustrlen(string);
+size_t dlen;
+uschar *dptr;
+gstring *yield;
+uschar *mimeword, *q1, *q2, *endword;
+
+*error = NULL;
+mimeword = decode_mimeword(string, lencheck, &q1, &q2, &endword, &dlen, &dptr);
+
+if (!mimeword)
+  {
+  if (lenptr) *lenptr = size;
+  return string;
+  }
+
+/* Scan through the string, decoding MIME words and copying intermediate text,
+building the result as we go. The result may be longer than the input if it is
+translated into a multibyte code such as UTF-8. That's why we use the dynamic
+string building code. */
+
+yield = store_get(sizeof(gstring) + ++size, string);
+yield->size = size;
+yield->ptr = 0;
+yield->s = US(yield + 1);
+
+while (mimeword)
+  {
+
+  #if HAVE_ICONV
+  iconv_t icd = (iconv_t)(-1);
+  #endif
+
+  if (mimeword != string)
+    yield = string_catn(yield, string, mimeword - string);
+/*XXX that might have to convert an untainted string to a tainted one */
+
+  /* Do a charset translation if required. This is supported only on hosts
+  that have the iconv() function. Translation errors set error, but carry on,
+  using the untranslated data. If there is more than one error, the message
+  passed back refers to the final one. We use a loop to cater for the case
+  of long strings - the RFC puts limits on the length, but it's best to be
+  robust. */
+
+  #if HAVE_ICONV
+  *q1 = 0;
+  if (target && strcmpic(target, mimeword+2) != 0)
+    if ((icd = iconv_open(CS target, CS(mimeword+2))) == (iconv_t)-1)
+      *error = string_sprintf("iconv_open(\"%s\", \"%s\") failed: %s%s",
+        target, mimeword+2, strerror(errno),
+        (errno == EINVAL)? " (maybe unsupported conversion)" : "");
+  *q1 = '?';
+  #endif
+
+  while (dlen > 0)
+    {
+    uschar *tptr = NULL;   /* Stops compiler warning */
+    int tlen = -1;
+
+    #if HAVE_ICONV
+    uschar tbuffer[256];
+    uschar *outptr = tbuffer;
+    size_t outleft = sizeof(tbuffer);
+
+    /* If translation is required, go for it. */
+
+    if (icd != (iconv_t)(-1))
+      {
+      (void)iconv(icd, (ICONV_ARG2_TYPE)(&dptr), &dlen, CSS &outptr, &outleft);
+
+      /* If outptr has been adjusted, there is some output. Set up to add it to
+      the output buffer. The function will have adjusted dptr and dlen. If
+      iconv() stopped because of an error, we'll pick it up next time when
+      there's no output.
+
+      If there is no output, we expect there to have been a translation
+      error, because we know there was at least one input byte. We leave the
+      value of tlen as -1, which causes the rest of the input to be copied
+      verbatim. */
+
+      if (outptr > tbuffer)
+        {
+        tptr = tbuffer;
+        tlen = outptr - tbuffer;
+        }
+      else
+        {
+        DEBUG(D_any) debug_printf("iconv error translating \"%.*s\" to %s: "
+        "%s\n", (int)(endword + 2 - mimeword), mimeword, target, strerror(errno));
+        }
+      }
+
+    #endif
+
+    /* No charset translation is happening or there was a translation error;
+    just set up the original as the string to be added, and mark it all used.
+    */
+
+    if (tlen == -1)
+      {
+      tptr = dptr;
+      tlen = dlen;
+      dlen = 0;
+      }
+
+    /* Deal with zero values; convert them if requested. */
+
+    if (zeroval != 0)
+      for (int i = 0; i < tlen; i++)
+        if (tptr[i] == 0) tptr[i] = zeroval;
+
+    /* Add the new string onto the result */
+
+    yield = string_catn(yield, tptr, tlen);
+    }
+
+  #if HAVE_ICONV
+  if (icd != (iconv_t)(-1))  iconv_close(icd);
+  #endif
+
+  /* Update string past the MIME word; skip any white space if the next thing
+  is another MIME word. */
+
+  string = endword + 2;
+  mimeword = decode_mimeword(string, lencheck, &q1, &q2, &endword, &dlen, &dptr);
+  if (mimeword)
+    {
+    uschar *s = string;
+    while (isspace(*s)) s++;
+    if (s == mimeword) string = s;
+    }
+  }
+
+/* Copy the remaining characters of the string, zero-terminate it, and return
+the length as well if requested. */
+
+yield = string_cat(yield, string);
+
+if (lenptr) *lenptr = yield->ptr;
+if (sizeptr) *sizeptr = yield->size;
+return string_from_gstring(yield);
+}
+
+
+/* This is the stub that provides the original interface without the sizeptr
+argument. */
+
+uschar *
+rfc2047_decode(uschar *string, BOOL lencheck, const uschar *target, int zeroval,
+  int *lenptr, uschar **error)
+{
+return rfc2047_decode2(string, lencheck, target, zeroval, lenptr, NULL, error);
+}
+
+/* End of rfc2047.c */
diff --git a/src/route.c b/src/route.c
new file mode 100644
index 0000000..fa69b8b
--- /dev/null
+++ b/src/route.c
@@ -0,0 +1,2072 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions concerned with routing, and the list of generic router options. */
+
+
+#include "exim.h"
+
+
+
+/* Generic options for routers, all of which live inside router_instance
+data blocks and which therefore have the opt_public flag set. */
+#define LOFF(field) OPT_OFF(router_instance, field)
+
+optionlist optionlist_routers[] = {
+  { "*expand_group",      opt_stringptr | opt_hidden | opt_public,
+                 LOFF(expand_gid) },
+  { "*expand_more",       opt_stringptr | opt_hidden | opt_public,
+                 LOFF(expand_more) },
+  { "*expand_unseen",     opt_stringptr | opt_hidden | opt_public,
+                 LOFF(expand_unseen) },
+  { "*expand_user",       opt_stringptr | opt_hidden | opt_public,
+                 LOFF(expand_uid) },
+  { "*set_group",         opt_bool | opt_hidden | opt_public,
+                 LOFF(gid_set) },
+  { "*set_user",          opt_bool | opt_hidden | opt_public,
+                 LOFF(uid_set) },
+  { "address_data",       opt_stringptr|opt_public,
+                 LOFF(address_data) },
+  { "address_test",       opt_bool|opt_public,
+                 LOFF(address_test) },
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+  { "bmi_deliver_alternate",   opt_bool | opt_public,
+                 LOFF(bmi_deliver_alternate) },
+  { "bmi_deliver_default",   opt_bool | opt_public,
+                 LOFF(bmi_deliver_default) },
+  { "bmi_dont_deliver",   opt_bool | opt_public,
+                 LOFF(bmi_dont_deliver) },
+  { "bmi_rule",           opt_stringptr|opt_public,
+                 LOFF(bmi_rule) },
+#endif
+  { "cannot_route_message", opt_stringptr | opt_public,
+                 LOFF(cannot_route_message) },
+  { "caseful_local_part", opt_bool | opt_public,
+                 LOFF(caseful_local_part) },
+  { "check_local_user",   opt_bool | opt_public,
+                 LOFF(check_local_user) },
+  { "condition",          opt_stringptr|opt_public|opt_rep_con,
+                 LOFF(condition) },
+  { "debug_print",        opt_stringptr | opt_public,
+                 LOFF(debug_string) },
+  { "disable_logging",    opt_bool | opt_public,
+                 LOFF(disable_logging) },
+  { "dnssec_request_domains",            opt_stringptr|opt_public,
+                 LOFF(dnssec.request) },
+  { "dnssec_require_domains",            opt_stringptr|opt_public,
+                 LOFF(dnssec.require) },
+  { "domains",            opt_stringptr|opt_public,
+                 LOFF(domains) },
+  { "driver",             opt_stringptr|opt_public,
+                 LOFF(driver_name) },
+  { "dsn_lasthop",        opt_bool|opt_public,
+                 LOFF(dsn_lasthop) },
+  { "errors_to",          opt_stringptr|opt_public,
+                 LOFF(errors_to) },
+  { "expn",               opt_bool|opt_public,
+                 LOFF(expn) },
+  { "fail_verify",        opt_bool_verify|opt_hidden|opt_public,
+                 LOFF(fail_verify_sender) },
+  { "fail_verify_recipient", opt_bool|opt_public,
+                 LOFF(fail_verify_recipient) },
+  { "fail_verify_sender", opt_bool|opt_public,
+                 LOFF(fail_verify_sender) },
+  { "fallback_hosts",     opt_stringptr|opt_public,
+                 LOFF(fallback_hosts) },
+  { "group",              opt_expand_gid | opt_public,
+                 LOFF(gid) },
+  { "headers_add",        opt_stringptr|opt_public|opt_rep_str,
+                 LOFF(extra_headers) },
+  { "headers_remove",     opt_stringptr|opt_public|opt_rep_str,
+                 LOFF(remove_headers) },
+  { "ignore_target_hosts",opt_stringptr|opt_public,
+                 LOFF(ignore_target_hosts) },
+  { "initgroups",         opt_bool | opt_public,
+                 LOFF(initgroups) },
+  { "local_part_prefix",  opt_stringptr|opt_public,
+                 LOFF(prefix) },
+  { "local_part_prefix_optional",opt_bool|opt_public,
+                 LOFF(prefix_optional) },
+  { "local_part_suffix",  opt_stringptr|opt_public,
+                 LOFF(suffix) },
+  { "local_part_suffix_optional",opt_bool|opt_public,
+                 LOFF(suffix_optional) },
+  { "local_parts",        opt_stringptr|opt_public,
+                 LOFF(local_parts) },
+  { "log_as_local",       opt_bool|opt_public,
+                 LOFF(log_as_local) },
+  { "more",               opt_expand_bool|opt_public,
+                 LOFF(more) },
+  { "pass_on_timeout",    opt_bool|opt_public,
+                 LOFF(pass_on_timeout) },
+  { "pass_router",       opt_stringptr|opt_public,
+                 LOFF(pass_router_name) },
+  { "redirect_router",    opt_stringptr|opt_public,
+                 LOFF(redirect_router_name) },
+  { "require_files",      opt_stringptr|opt_public,
+                 LOFF(require_files) },
+  { "retry_use_local_part", opt_bool|opt_public,
+                 LOFF(retry_use_local_part) },
+  { "router_home_directory", opt_stringptr|opt_public,
+                 LOFF(router_home_directory) },
+  { "self",               opt_stringptr|opt_public,
+                 LOFF(self) },
+  { "senders",            opt_stringptr|opt_public,
+                 LOFF(senders) },
+  { "set",                opt_stringptr|opt_public|opt_rep_str,
+                 LOFF(set) },
+  #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
+  { "translate_ip_address", opt_stringptr|opt_public,
+                 LOFF(translate_ip_address) },
+  #endif
+  { "transport",          opt_stringptr|opt_public,
+                 LOFF(transport_name) },
+  { "transport_current_directory", opt_stringptr|opt_public,
+                 LOFF(current_directory) },
+  { "transport_home_directory", opt_stringptr|opt_public,
+                 LOFF(home_directory) },
+  { "unseen",             opt_expand_bool|opt_public,
+                 LOFF(unseen) },
+  { "user",               opt_expand_uid | opt_public,
+                 LOFF(uid) },
+  { "verify",             opt_bool_verify|opt_hidden|opt_public,
+                 LOFF(verify_sender) },
+  { "verify_only",        opt_bool|opt_public,
+                 LOFF(verify_only) },
+  { "verify_recipient",   opt_bool|opt_public,
+                 LOFF(verify_recipient) },
+  { "verify_sender",      opt_bool|opt_public,
+                 LOFF(verify_sender) }
+};
+
+int optionlist_routers_size = nelem(optionlist_routers);
+
+
+#ifdef MACRO_PREDEF
+
+# include "macro_predef.h"
+
+void
+options_routers(void)
+{
+uschar buf[64];
+
+options_from_list(optionlist_routers, nelem(optionlist_routers), US"ROUTERS", NULL);
+
+for (router_info * ri = routers_available; ri->driver_name[0]; ri++)
+  {
+  spf(buf, sizeof(buf), US"_DRIVER_ROUTER_%T", ri->driver_name);
+  builtin_macro_create(buf);
+  options_from_list(ri->options, (unsigned)*ri->options_count, US"ROUTER", ri->driver_name);
+  }
+}
+
+#else	/*!MACRO_PREDEF*/
+
+/*************************************************
+*          Set router pointer from name          *
+*************************************************/
+
+/* This function is used for the redirect_router and pass_router options and
+called from route_init() below.
+
+Arguments:
+  r           the current router
+  name        new router name
+  ptr         where to put the pointer
+  after       TRUE if router must follow this one
+
+Returns:      nothing.
+*/
+
+static void
+set_router(router_instance *r, uschar *name, router_instance **ptr, BOOL after)
+{
+BOOL afterthis = FALSE;
+router_instance *rr;
+
+for (rr = routers; rr; rr = rr->next)
+  {
+  if (Ustrcmp(name, rr->name) == 0)
+    {
+    *ptr = rr;
+    break;
+    }
+  if (rr == r) afterthis = TRUE;
+  }
+
+if (!rr)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "new_router \"%s\" not found for \"%s\" router", name, r->name);
+
+if (after && !afterthis)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "new_router \"%s\" does not follow \"%s\" router", name, r->name);
+}
+
+
+
+/*************************************************
+*             Initialize router list             *
+*************************************************/
+
+/* Read the routers section of the configuration file, and set up a chain of
+router instances according to its contents. Each router has generic options and
+may also have its own private options. This function is only ever called when
+routers == NULL. We use generic code in readconf to do the work. It will set
+values from the configuration file, and then call the driver's initialization
+function. */
+
+void
+route_init(void)
+{
+readconf_driver_init(US"router",
+  (driver_instance **)(&routers),     /* chain anchor */
+  (driver_info *)routers_available,   /* available drivers */
+  sizeof(router_info),                /* size of info blocks */
+  &router_defaults,                   /* default values for generic options */
+  sizeof(router_instance),            /* size of instance block */
+  optionlist_routers,                 /* generic options */
+  optionlist_routers_size);
+
+for (router_instance * r = routers; r; r = r->next)
+  {
+  uschar *s = r->self;
+
+  /* If log_as_local is unset, its overall default is FALSE. (The accept
+  router defaults it to TRUE.) */
+
+  if (r->log_as_local == TRUE_UNSET) r->log_as_local = FALSE;
+
+  /* Check for transport or no transport on certain routers */
+
+  if (  (r->info->ri_flags & ri_yestransport)
+     && !r->transport_name && !r->verify_only)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "%s router:\n  "
+      "a transport is required for this router", r->name);
+
+  if ((r->info->ri_flags & ri_notransport) && r->transport_name)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "%s router:\n  "
+      "a transport must not be defined for this router", r->name);
+
+  /* The "self" option needs to be decoded into a code value and possibly a
+  new domain string and a rewrite boolean. */
+
+  if      (Ustrcmp(s, "freeze") == 0)    r->self_code = self_freeze;
+  else if (Ustrcmp(s, "defer") == 0)     r->self_code = self_defer;
+  else if (Ustrcmp(s, "send") == 0)      r->self_code = self_send;
+  else if (Ustrcmp(s, "pass") == 0)      r->self_code = self_pass;
+  else if (Ustrcmp(s, "fail") == 0)      r->self_code = self_fail;
+  else if (Ustrncmp(s, "reroute:", 8) == 0)
+    {
+    s += 8;
+    while (isspace(*s)) s++;
+    if (Ustrncmp(s, "rewrite:", 8) == 0)
+      {
+      r->self_rewrite = TRUE;
+      s += 8;
+      while (isspace(*s)) s++;
+      }
+    r->self = s;
+    r->self_code = self_reroute;
+    }
+
+  else log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n  "
+      "%s is not valid for the self option", r->name, s);
+
+  /* If any router has check_local_user set, default retry_use_local_part
+  TRUE; otherwise its default is FALSE. */
+
+  if (r->retry_use_local_part == TRUE_UNSET)
+    r->retry_use_local_part =
+      r->check_local_user || r->local_parts || r->condition || r->prefix || r->suffix || r->senders || r->require_files;
+
+  /* Build a host list if fallback hosts is set. */
+
+    {
+    int old_pool = store_pool;
+    store_pool = POOL_PERM;
+    host_build_hostlist(&r->fallback_hostlist, r->fallback_hosts, FALSE);
+    store_pool = old_pool;
+    }
+
+  /* Check redirect_router and pass_router are valid */
+
+  if (r->redirect_router_name)
+    set_router(r, r->redirect_router_name, &(r->redirect_router), FALSE);
+
+  if (r->pass_router_name)
+    set_router(r, r->pass_router_name, &(r->pass_router), TRUE);
+
+#ifdef notdef
+  DEBUG(D_route) debug_printf("DSN: %s %s\n", r->name,
+	r->dsn_lasthop ? "lasthop set" : "propagating DSN");
+#endif
+  }
+}
+
+
+
+/*************************************************
+*             Tidy up after routing              *
+*************************************************/
+
+/* Routers are entitled to keep hold of certain resources in their instance
+blocks so as to save setting them up each time. An example is an open file.
+Such routers must provide a tidyup entry point which is called when all routing
+is finished, via this function. */
+
+void
+route_tidyup(void)
+{
+for (router_instance * r = routers; r; r = r->next)
+  if (r->info->tidyup) (r->info->tidyup)(r);
+}
+
+
+
+/*************************************************
+*         Check local part for prefix            *
+*************************************************/
+
+/* This function is handed a local part and a list of possible prefixes; if any
+one matches, return the prefix length. A prefix beginning with '*' is a
+wildcard.
+
+Arguments:
+  local_part    the local part to check
+  prefixes      the list of prefixes
+  vp		if set, pointer to place for size of wildcard portion
+
+Returns:        length of matching prefix or zero
+*/
+
+int
+route_check_prefix(const uschar * local_part, const uschar * prefixes,
+  unsigned * vp)
+{
+int sep = 0;
+uschar *prefix;
+const uschar *listptr = prefixes;
+
+while ((prefix = string_nextinlist(&listptr, &sep, NULL, 0)))
+  {
+  int plen = Ustrlen(prefix);
+  if (prefix[0] == '*')
+    {
+    prefix++;
+    for (const uschar * p = local_part + Ustrlen(local_part) - (--plen);
+         p >= local_part; p--)
+      if (strncmpic(prefix, p, plen) == 0)
+	{
+	unsigned vlen = p - local_part;
+	if (vp) *vp = vlen;
+	return plen + vlen;
+	}
+    }
+  else
+    if (strncmpic(prefix, local_part, plen) == 0)
+      {
+      if (vp) *vp = 0;
+      return plen;
+      }
+  }
+
+return 0;
+}
+
+
+
+/*************************************************
+*         Check local part for suffix            *
+*************************************************/
+
+/* This function is handed a local part and a list of possible suffixes;
+if any one matches, return the suffix length. A suffix ending with '*'
+is a wildcard.
+
+Arguments:
+  local_part    the local part to check
+  suffixes      the list of suffixes
+  vp		if set, pointer to place for size of wildcard portion
+
+Returns:        length of matching suffix or zero
+*/
+
+int
+route_check_suffix(const uschar * local_part, const uschar * suffixes,
+  unsigned * vp)
+{
+int sep = 0;
+int alen = Ustrlen(local_part);
+uschar *suffix;
+const uschar *listptr = suffixes;
+
+while ((suffix = string_nextinlist(&listptr, &sep, NULL, 0)))
+  {
+  int slen = Ustrlen(suffix);
+  if (suffix[slen-1] == '*')
+    {
+    const uschar * pend = local_part + alen - (--slen) + 1;
+    for (const uschar * p = local_part; p < pend; p++)
+      if (strncmpic(suffix, p, slen) == 0)
+	{
+	int tlen = alen - (p - local_part);
+	if (vp) *vp = tlen - slen;
+	return tlen;
+	}
+    }
+  else
+    if (alen > slen && strncmpic(suffix, local_part + alen - slen, slen) == 0)
+      {
+      if (vp) *vp = 0;
+      return slen;
+      }
+  }
+
+return 0;
+}
+
+
+
+
+/*************************************************
+*     Check local part, domain, or sender        *
+*************************************************/
+
+/* The checks in check_router_conditions() require similar code, so we use
+this function to save repetition.
+
+Arguments:
+  rname          router name for error messages
+  type           type of check, for error message
+  list           domains, local_parts, or senders list
+  anchorptr      -> tree for possibly cached items (domains)
+  cache_bits     cached bits pointer
+  listtype       MCL_DOMAIN for domain check
+                 MCL_LOCALPART for local part check
+                 MCL_ADDRESS for sender check
+  domloc         current domain, current local part, or NULL for sender check
+  ldata          where to put lookup data
+  caseless       passed on to match_isinlist()
+  perror         where to put an error message
+
+Returns:         OK     item is in list
+                 SKIP   item is not in list, router is to be skipped
+                 DEFER  lookup or other defer
+*/
+
+static int
+route_check_dls(uschar *rname, uschar *type, const uschar *list,
+  tree_node **anchorptr, unsigned int *cache_bits, int listtype,
+  const uschar *domloc, const uschar **ldata, BOOL caseless, uschar **perror)
+{
+if (!list) return OK;   /* Empty list always succeeds */
+
+DEBUG(D_route) debug_printf("checking %s\n", type);
+
+/* The domain and local part use the same matching function, whereas sender
+has its own code. */
+
+switch(domloc
+  ? match_isinlist(domloc, &list, 0, anchorptr, cache_bits, listtype,
+    caseless, ldata)
+  : match_address_list(sender_address ? sender_address : US"",
+    TRUE, TRUE, &list, cache_bits, -1, 0, CUSS &sender_data)
+      )
+  {
+  case OK:
+    return OK;
+
+  case FAIL:
+    *perror = string_sprintf("%s router skipped: %s mismatch", rname, type);
+    DEBUG(D_route) debug_printf("%s\n", *perror);
+    return SKIP;
+
+  default:      /* Paranoia, and keeps compilers happy */
+  case DEFER:
+    *perror = string_sprintf("%s check lookup or other defer", type);
+    DEBUG(D_route) debug_printf("%s\n", *perror);
+    return DEFER;
+  }
+}
+
+
+
+/*************************************************
+*        Check access by a given uid/gid         *
+*************************************************/
+
+/* This function checks whether a given uid/gid has access to a given file or
+directory. It is called only from check_files() below. This is hopefully a
+cheapish check that does the job most of the time. Exim does *not* rely on this
+test when actually accessing any file. The test is used when routing to make it
+possible to take actions such as "if user x can access file y then run this
+router".
+
+During routing, Exim is normally running as root, and so the test will work
+except for NFS non-root mounts. When verifying during message reception, Exim
+is running as "exim", so the test may not work. This is a limitation of the
+Exim design.
+
+Code in check_files() below detects the case when it cannot stat() the file (as
+root), and in that situation it uses a setuid subprocess in which to run this
+test.
+
+Arguments:
+  path          the path to check
+  uid           the user
+  gid           the group
+  bits          the bits required in the final component
+
+Returns:        TRUE
+                FALSE errno=EACCES or ENOENT (or others from realpath or stat)
+*/
+
+static BOOL
+route_check_access(uschar *path, uid_t uid, gid_t gid, int bits)
+{
+struct stat statbuf;
+uschar *slash;
+uschar *rp = US realpath(CS path, CS big_buffer);
+uschar *sp = rp + 1;
+
+DEBUG(D_route) debug_printf("route_check_access(%s,%d,%d,%o)\n", path,
+  (int)uid, (int)gid, bits);
+
+if (!rp) return FALSE;
+
+while ((slash = Ustrchr(sp, '/')))
+  {
+  *slash = 0;
+  DEBUG(D_route) debug_printf("stat %s\n", rp);
+  if (Ustat(rp, &statbuf) < 0) return FALSE;
+  if ((statbuf.st_mode &
+       ((statbuf.st_uid == uid)? 0100 : (statbuf.st_gid == gid)? 0010 : 001)
+      ) == 0)
+    {
+    errno = EACCES;
+    return FALSE;
+    }
+  *slash = '/';
+  sp = slash + 1;
+  }
+
+/* Down to the final component */
+
+DEBUG(D_route) debug_printf("stat %s\n", rp);
+
+if (Ustat(rp, &statbuf) < 0) return FALSE;
+
+if (statbuf.st_uid == uid) bits = bits << 6;
+  else if (statbuf.st_gid == gid) bits = bits << 3;
+if ((statbuf.st_mode & bits) != bits)
+  {
+  errno = EACCES;
+  return FALSE;
+  }
+
+DEBUG(D_route) debug_printf("route_check_access() succeeded\n");
+return TRUE;
+}
+
+
+
+/*************************************************
+*           Do file existence tests              *
+*************************************************/
+
+/* This function is given a colon-separated list of file tests, each of which
+is expanded before use. A test consists of a file name, optionally preceded by
+! (require non-existence) and/or + for handling permission denied (+ means
+treat as non-existing).
+
+An item that contains no slashes is interpreted as a username or id, with an
+optional group id, for checking access to the file. This cannot be done
+"perfectly", but it is good enough for a number of applications.
+
+Arguments:
+  s        a colon-separated list of file tests or NULL
+  perror   a pointer to an anchor for an error text in the case of a DEFER
+
+Returns:   OK if s == NULL or all tests are as required
+           DEFER if the existence of at least one of the files is
+             unclear (an error other than non-existence occurred);
+           DEFER if an expansion failed
+           DEFER if a name is not absolute
+           DEFER if problems with user/group
+           SKIP otherwise
+*/
+
+static int
+check_files(const uschar *s, uschar **perror)
+{
+int sep = 0;              /* List has default separators */
+uid_t uid = 0;            /* For picky compilers */
+gid_t gid = 0;            /* For picky compilers */
+BOOL ugid_set = FALSE;
+const uschar *listptr;
+uschar *check;
+
+if (!s) return OK;
+
+DEBUG(D_route) debug_printf("checking require_files\n");
+
+listptr = s;
+while ((check = string_nextinlist(&listptr, &sep, NULL, 0)))
+  {
+  int rc;
+  int eacces_code = 0;
+  BOOL invert = FALSE;
+  struct stat statbuf;
+  uschar *ss = expand_string(check);
+
+  if (!ss)
+    {
+    if (f.expand_string_forcedfail) continue;
+    *perror = string_sprintf("failed to expand \"%s\" for require_files: %s",
+      check, expand_string_message);
+    goto RETURN_DEFER;
+    }
+
+  /* Empty items are just skipped */
+
+  if (*ss == 0) continue;
+
+  /* If there are no slashes in the string, we have a user name or uid, with
+  optional group/gid. */
+
+  if (Ustrchr(ss, '/') == NULL)
+    {
+    BOOL ok;
+    struct passwd *pw;
+    uschar *comma = Ustrchr(ss, ',');
+
+    /* If there's a comma, temporarily terminate the user name/number
+    at that point. Then set the uid. */
+
+    if (comma != NULL) *comma = 0;
+    ok = route_finduser(ss, &pw, &uid);
+    if (comma != NULL) *comma = ',';
+
+    if (!ok)
+      {
+      *perror = string_sprintf("user \"%s\" for require_files not found", ss);
+      goto RETURN_DEFER;
+      }
+
+    /* If there was no comma, the gid is that associated with the user. */
+
+    if (comma == NULL)
+      {
+      if (pw != NULL) gid = pw->pw_gid; else
+        {
+        *perror = string_sprintf("group missing after numerical uid %d for "
+          "require_files", (int)uid);
+        goto RETURN_DEFER;
+        }
+      }
+    else
+      {
+      if (!route_findgroup(comma + 1, &gid))
+        {
+        *perror = string_sprintf("group \"%s\" for require_files not found\n",
+          comma + 1);
+        goto RETURN_DEFER;
+        }
+      }
+
+    /* Note that we have values set, and proceed to next item */
+
+    DEBUG(D_route)
+      debug_printf("check subsequent files for access by %s\n", ss);
+    ugid_set = TRUE;
+    continue;
+    }
+
+  /* Path, possibly preceded by + and ! */
+
+  if (*ss == '+')
+    {
+    eacces_code = 1;
+    while (isspace((*(++ss))));
+    }
+
+  if (*ss == '!')
+    {
+    invert = TRUE;
+    while (isspace((*(++ss))));
+    }
+
+  if (*ss != '/')
+    {
+    *perror = string_sprintf("require_files: \"%s\" is not absolute", ss);
+    goto RETURN_DEFER;
+    }
+
+  /* Stat the file, either as root (while routing) or as exim (while verifying
+  during message reception). */
+
+  rc = Ustat(ss, &statbuf);
+
+  DEBUG(D_route)
+    {
+    debug_printf("file check: %s\n", check);
+    if (ss != check) debug_printf("expanded file: %s\n", ss);
+    debug_printf("stat() yielded %d\n", rc);
+    }
+
+  /* If permission is denied, and we are running as root (i.e. routing for
+  delivery rather than verifying), and the requirement is to test for access by
+  a particular uid/gid, it must mean that the file is on a non-root-mounted NFS
+  system. In this case, we have to use a subprocess that runs as the relevant
+  uid in order to do the test. */
+
+  if (rc != 0 && errno == EACCES && ugid_set && getuid() == root_uid)
+    {
+    int status;
+    pid_t pid;
+    void (*oldsignal)(int);
+
+    DEBUG(D_route) debug_printf("root is denied access: forking to check "
+      "in subprocess\n");
+
+    /* Before forking, ensure that SIGCHLD is set to SIG_DFL before forking, so
+    that the child process can be waited for, just in case get here with it set
+    otherwise. Save the old state for resetting on the wait. */
+
+    oldsignal = signal(SIGCHLD, SIG_DFL);
+    pid = exim_fork(US"require-files");
+
+    /* If fork() fails, reinstate the original error and behave as if
+    this block of code were not present. This is the same behaviour as happens
+    when Exim is not running as root at this point. */
+
+    if (pid < 0)
+      {
+      DEBUG(D_route)
+       debug_printf("require_files: fork failed: %s\n", strerror(errno));
+      errno = EACCES;
+      goto HANDLE_ERROR;
+      }
+
+    /* In the child process, change uid and gid, and then do the check using
+    the route_check_access() function. This does more than just stat the file;
+    it tests permissions as well. Return 0 for OK and 1 for failure. */
+
+    if (pid == 0)
+      {
+      exim_setugid(uid, gid, TRUE,
+        string_sprintf("require_files check, file=%s", ss));
+      if (route_check_access(ss, uid, gid, 4))
+	exim_underbar_exit(EXIT_SUCCESS);
+      DEBUG(D_route) debug_printf("route_check_access() failed\n");
+      exim_underbar_exit(EXIT_FAILURE);
+      }
+
+    /* In the parent, wait for the child to finish */
+
+    while (waitpid(pid, &status, 0) < 0)
+     if (errno != EINTR)  /* unexpected error, interpret as failure */
+       {
+       status = 1;
+       break;
+       }
+
+    signal(SIGCHLD, oldsignal);   /* restore */
+    if ((status == 0) == invert) return SKIP;
+    continue;   /* to test the next file */
+    }
+
+  /* Control reaches here if the initial stat() succeeds, or fails with an
+  error other than EACCES, or no uid/gid is set, or we are not running as root.
+  If we know the file exists and uid/gid are set, try to check read access for
+  that uid/gid as best we can. */
+
+  if (rc == 0 && ugid_set && !route_check_access(ss, uid, gid, 4))
+    {
+    DEBUG(D_route) debug_printf("route_check_access() failed\n");
+    rc = -1;
+    }
+
+  /* Handle error returns from stat() or route_check_access(). The EACCES error
+  is handled specially. At present, we can force it to be treated as
+  non-existence. Write the code so that it will be easy to add forcing for
+  existence if required later. */
+
+  HANDLE_ERROR:
+  if (rc < 0)
+    {
+    DEBUG(D_route) debug_printf("errno = %d\n", errno);
+    if (errno == EACCES)
+      {
+      if (eacces_code == 1)
+        {
+        DEBUG(D_route) debug_printf("EACCES => ENOENT\n");
+        errno = ENOENT;   /* Treat as non-existent */
+        }
+      }
+    if (errno != ENOENT)
+      {
+      *perror = string_sprintf("require_files: error for %s: %s", ss,
+        strerror(errno));
+      goto RETURN_DEFER;
+      }
+    }
+
+  /* At this point, rc < 0 => non-existence; rc >= 0 => existence */
+
+  if ((rc >= 0) == invert) return SKIP;
+  }
+
+return OK;
+
+/* Come here on any of the errors that return DEFER. */
+
+RETURN_DEFER:
+DEBUG(D_route) debug_printf("%s\n", *perror);
+return DEFER;
+}
+
+
+
+
+
+/*************************************************
+*             Check for router skipping          *
+*************************************************/
+
+/* This function performs various checks to see whether a router should be
+skipped. The order in which they are performed is important.
+
+Arguments:
+  r            pointer to router instance block
+  addr         address that is being handled
+  verify       the verification type
+  pw           ptr to ptr to passwd structure for local user
+  perror       for lookup errors
+
+Returns:       OK if all the tests succeed
+               SKIP if router is to be skipped
+               DEFER for a lookup defer
+               FAIL for address to be failed
+*/
+
+static BOOL
+check_router_conditions(router_instance *r, address_item *addr, int verify,
+  struct passwd **pw, uschar **perror)
+{
+int rc;
+uschar *check_local_part;
+unsigned int *localpart_cache;
+
+/* Reset variables to hold a home directory and data from lookup of a domain or
+local part, and ensure search_find_defer is unset, in case there aren't any
+actual lookups. */
+
+deliver_home = NULL;
+deliver_domain_data = NULL;
+deliver_localpart_data = NULL;
+sender_data = NULL;
+local_user_gid = (gid_t)(-1);
+local_user_uid = (uid_t)(-1);
+f.search_find_defer = FALSE;
+
+/* Skip this router if not verifying and it has verify_only set */
+
+if ((verify == v_none || verify == v_expn) && r->verify_only)
+  {
+  DEBUG(D_route) debug_printf("%s router skipped: verify_only set\n", r->name);
+  return SKIP;
+  }
+
+/* Skip this router if testing an address (-bt) and address_test is not set */
+
+if (f.address_test_mode && !r->address_test)
+  {
+  DEBUG(D_route) debug_printf("%s router skipped: address_test is unset\n",
+    r->name);
+  return SKIP;
+  }
+
+/* Skip this router if verifying and it hasn't got the appropriate verify flag
+set. */
+
+if ((verify == v_sender && !r->verify_sender) ||
+    (verify == v_recipient && !r->verify_recipient))
+  {
+  DEBUG(D_route) debug_printf("%s router skipped: verify %d %d %d\n",
+    r->name, verify, r->verify_sender, r->verify_recipient);
+  return SKIP;
+  }
+
+/* Skip this router if processing EXPN and it doesn't have expn set */
+
+if (verify == v_expn && !r->expn)
+  {
+  DEBUG(D_route) debug_printf("%s router skipped: no_expn set\n", r->name);
+  return SKIP;
+  }
+
+/* Skip this router if there's a domain mismatch. */
+
+if ((rc = route_check_dls(r->name, US"domains", r->domains, &domainlist_anchor,
+     addr->domain_cache, TRUE, addr->domain, CUSS &deliver_domain_data,
+     MCL_DOMAIN, perror)) != OK)
+  return rc;
+
+/* Skip this router if there's a local part mismatch. We want to pass over the
+caseful local part, so that +caseful can restore it, even if this router is
+handling local parts caselessly. However, we can't just pass cc_local_part,
+because that doesn't have the prefix or suffix stripped. A bit of massaging is
+required. Also, we only use the match cache for local parts that have not had
+a prefix or suffix stripped. */
+
+if (!addr->prefix && !addr->suffix)
+  {
+  localpart_cache = addr->localpart_cache;
+  check_local_part = addr->cc_local_part;
+  }
+else
+  {
+  localpart_cache = NULL;
+  check_local_part = string_copy(addr->cc_local_part);
+  if (addr->prefix)
+    check_local_part += Ustrlen(addr->prefix);
+  if (addr->suffix)
+    check_local_part[Ustrlen(check_local_part) - Ustrlen(addr->suffix)] = 0;
+  }
+
+if ((rc = route_check_dls(r->name, US"local_parts", r->local_parts,
+       &localpartlist_anchor, localpart_cache, MCL_LOCALPART,
+       check_local_part, CUSS &deliver_localpart_data,
+       !r->caseful_local_part, perror)) != OK)
+  return rc;
+
+/* If the check_local_user option is set, check that the local_part is the
+login of a local user. Note: the third argument to route_finduser() must be
+NULL here, to prevent a numeric string being taken as a numeric uid. If the
+user is found, set deliver_home to the home directory, and also set
+local_user_{uid,gid} and local_part_data.  */
+
+if (r->check_local_user)
+  {
+  DEBUG(D_route) debug_printf("checking for local user\n");
+  if (!route_finduser(addr->local_part, pw, NULL))
+    {
+    DEBUG(D_route) debug_printf("%s router skipped: %s is not a local user\n",
+      r->name, addr->local_part);
+    return SKIP;
+    }
+  addr->prop.localpart_data =
+    deliver_localpart_data = string_copy(US (*pw)->pw_name);
+  deliver_home = string_copy(US (*pw)->pw_dir);
+  local_user_gid = (*pw)->pw_gid;
+  local_user_uid = (*pw)->pw_uid;
+  }
+
+/* Set (or override in the case of check_local_user) the home directory if
+router_home_directory is set. This is done here so that it overrides $home from
+check_local_user before any subsequent expansions are done. Otherwise, $home
+could mean different things for different options, which would be extremely
+confusing. */
+
+if (r->router_home_directory)
+  {
+  uschar * router_home = expand_string(r->router_home_directory);
+  if (router_home)
+    {
+    setflag(addr, af_home_expanded); /* Note set from router_home_directory */
+    deliver_home = router_home;
+    }
+  else if (!f.expand_string_forcedfail)
+    {
+    *perror = string_sprintf("failed to expand \"%s\" for "
+      "router_home_directory: %s", r->router_home_directory,
+      expand_string_message);
+    return DEFER;
+    }
+  }
+
+/* Skip if the sender condition is not met. We leave this one till after the
+local user check so that $home is set - enabling the possibility of letting
+individual recipients specify lists of acceptable/unacceptable senders. */
+
+if ((rc = route_check_dls(r->name, US"senders", r->senders, NULL,
+     sender_address_cache, MCL_ADDRESS, NULL, NULL, FALSE, perror)) != OK)
+  return rc;
+
+/* This is the point at which we print out the router's debugging string if it
+is set. We wait till here so as to have $home available for local users (and
+anyway, we don't want too much stuff for skipped routers). */
+
+debug_print_string(r->debug_string);
+
+/* Perform file existence tests. */
+
+if ((rc = check_files(r->require_files, perror)) != OK)
+  {
+  DEBUG(D_route) debug_printf("%s router %s: file check\n", r->name,
+    (rc == SKIP)? "skipped" : "deferred");
+  return rc;
+  }
+
+/* Now the general condition test. */
+
+if (r->condition)
+  {
+  DEBUG(D_route) debug_printf("checking \"condition\" \"%.80s\"...\n", r->condition);
+  if (!expand_check_condition(r->condition, r->name, US"router"))
+    {
+    if (f.search_find_defer)
+      {
+      *perror = US"condition check lookup defer";
+      DEBUG(D_route) debug_printf("%s\n", *perror);
+      return DEFER;
+      }
+    DEBUG(D_route)
+      debug_printf("%s router skipped: condition failure\n", r->name);
+    return SKIP;
+    }
+  }
+
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+/* check if a specific Brightmail AntiSpam rule fired on the message */
+if (r->bmi_rule)
+  {
+  DEBUG(D_route) debug_printf("checking bmi_rule\n");
+  if (bmi_check_rule(bmi_base64_verdict, r->bmi_rule) == 0)
+    {    /* none of the rules fired */
+    DEBUG(D_route)
+      debug_printf("%s router skipped: none of bmi_rule rules fired\n", r->name);
+    return SKIP;
+    }
+  }
+
+/* check if message should not be delivered */
+if (r->bmi_dont_deliver && bmi_deliver == 1)
+  {
+  DEBUG(D_route)
+    debug_printf("%s router skipped: bmi_dont_deliver is FALSE\n", r->name);
+  return SKIP;
+  }
+
+/* check if message should go to an alternate location */
+if (  r->bmi_deliver_alternate
+   && (bmi_deliver == 0 || !bmi_alt_location)
+   )
+  {
+  DEBUG(D_route)
+    debug_printf("%s router skipped: bmi_deliver_alternate is FALSE\n", r->name);
+  return SKIP;
+  }
+
+/* check if message should go to default location */
+if (  r->bmi_deliver_default
+   && (bmi_deliver == 0 || bmi_alt_location)
+   )
+  {
+  DEBUG(D_route)
+    debug_printf("%s router skipped: bmi_deliver_default is FALSE\n", r->name);
+  return SKIP;
+  }
+#endif
+
+/* All the checks passed. */
+
+return OK;
+}
+
+
+
+
+/*************************************************
+*           Find a local user                    *
+*************************************************/
+
+/* Try several times (if configured) to find a local user, in case delays in
+NIS or NFS whatever cause an incorrect refusal. It's a pity that getpwnam()
+doesn't have some kind of indication as to why it has failed. If the string
+given consists entirely of digits, and the third argument is not NULL, assume
+the string is the numerical value of the uid. Otherwise it is looked up using
+getpwnam(). The uid is passed back via return_uid, if not NULL, and the
+pointer to a passwd structure, if found, is passed back via pw, if not NULL.
+
+Because this may be called several times in succession for the same user for
+different routers, cache the result of the previous getpwnam call so that it
+can be re-used. Note that we can't just copy the structure, as the store it
+points to can get trashed.
+
+Arguments:
+  s           the login name or textual form of the numerical uid of the user
+  pw          if not NULL, return the result of getpwnam here, or set NULL
+                if no call to getpwnam is made (s numeric, return_uid != NULL)
+  return_uid  if not NULL, return the uid via this address
+
+Returns:      TRUE if s is numerical or was looked up successfully
+
+*/
+
+static struct passwd pwcopy;
+static struct passwd *lastpw = NULL;
+static uschar lastname[48] = { 0 };
+static uschar lastdir[128];
+static uschar lastgecos[128];
+static uschar lastshell[128];
+
+BOOL
+route_finduser(const uschar *s, struct passwd **pw, uid_t *return_uid)
+{
+BOOL cache_set = (Ustrcmp(lastname, s) == 0);
+
+DEBUG(D_uid) debug_printf("seeking password data for user \"%s\": %s\n", s,
+  cache_set ? "using cached result" : "cache not available");
+
+if (!cache_set)
+  {
+  int i = 0;
+
+  if (return_uid && (isdigit(*s) || *s == '-') &&
+       s[Ustrspn(s+1, "0123456789")+1] == 0)
+    {
+    *return_uid = (uid_t)Uatoi(s);
+    if (pw) *pw = NULL;
+    return TRUE;
+    }
+
+  string_format_nt(lastname, sizeof(lastname), "%s", s);
+
+  /* Force failure if string length is greater than given maximum */
+
+  if (max_username_length > 0 && Ustrlen(lastname) > max_username_length)
+    {
+    DEBUG(D_uid) debug_printf("forced failure of finduser(): string "
+      "length of %s is greater than %d\n", lastname, max_username_length);
+    lastpw = NULL;
+    }
+
+  /* Try a few times if so configured; this handles delays in NIS etc. */
+
+  else for (;;)
+    {
+    errno = 0;
+    if ((lastpw = getpwnam(CS s))) break;
+    if (++i > finduser_retries) break;
+    sleep(1);
+    }
+
+  if (lastpw)
+    {
+    pwcopy.pw_uid = lastpw->pw_uid;
+    pwcopy.pw_gid = lastpw->pw_gid;
+    (void)string_format(lastdir, sizeof(lastdir), "%s", lastpw->pw_dir);
+    (void)string_format(lastgecos, sizeof(lastgecos), "%s", lastpw->pw_gecos);
+    (void)string_format(lastshell, sizeof(lastshell), "%s", lastpw->pw_shell);
+    pwcopy.pw_name = CS lastname;
+    pwcopy.pw_dir = CS lastdir;
+    pwcopy.pw_gecos = CS lastgecos;
+    pwcopy.pw_shell = CS lastshell;
+    lastpw = &pwcopy;
+    }
+
+  else DEBUG(D_uid) if (errno != 0)
+    debug_printf("getpwnam(%s) failed: %s\n", s, strerror(errno));
+  }
+
+if (!lastpw)
+  {
+  DEBUG(D_uid) debug_printf("getpwnam() returned NULL (user not found)\n");
+  return FALSE;
+  }
+
+DEBUG(D_uid) debug_printf("getpwnam() succeeded uid=%d gid=%d\n",
+    lastpw->pw_uid, lastpw->pw_gid);
+
+if (return_uid) *return_uid = lastpw->pw_uid;
+if (pw) *pw = lastpw;
+
+return TRUE;
+}
+
+
+
+
+/*************************************************
+*           Find a local group                   *
+*************************************************/
+
+/* Try several times (if configured) to find a local group, in case delays in
+NIS or NFS whatever cause an incorrect refusal. It's a pity that getgrnam()
+doesn't have some kind of indication as to why it has failed.
+
+Arguments:
+  s           the group name or textual form of the numerical gid
+  return_gid  return the gid via this address
+
+Returns:      TRUE if the group was found; FALSE otherwise
+
+*/
+
+BOOL
+route_findgroup(uschar *s, gid_t *return_gid)
+{
+int i = 0;
+struct group *gr;
+
+if ((isdigit(*s) || *s == '-') && s[Ustrspn(s+1, "0123456789")+1] == 0)
+  {
+  *return_gid = (gid_t)Uatoi(s);
+  return TRUE;
+  }
+
+for (;;)
+  {
+  if ((gr = getgrnam(CS s)))
+    {
+    *return_gid = gr->gr_gid;
+    return TRUE;
+    }
+  if (++i > finduser_retries) break;
+  sleep(1);
+  }
+
+return FALSE;
+}
+
+
+
+
+/*************************************************
+*          Find user by expanding string         *
+*************************************************/
+
+/* Expands a string, and then looks up the result in the passwd file.
+
+Arguments:
+  string       the string to be expanded, yielding a login name or a numerical
+                 uid value (to be passed to route_finduser())
+  driver_name  caller name for panic error message (only)
+  driver_type  caller type for panic error message (only)
+  pw           return passwd entry via this pointer
+  uid          return uid via this pointer
+  errmsg       where to point a message on failure
+
+Returns:       TRUE if user found, FALSE otherwise
+*/
+
+BOOL
+route_find_expanded_user(uschar *string, uschar *driver_name,
+  uschar *driver_type, struct passwd **pw, uid_t *uid, uschar **errmsg)
+{
+uschar *user = expand_string(string);
+
+if (!user)
+  {
+  *errmsg = string_sprintf("Failed to expand user string \"%s\" for the "
+    "%s %s: %s", string, driver_name, driver_type, expand_string_message);
+  log_write(0, LOG_MAIN|LOG_PANIC, "%s", *errmsg);
+  return FALSE;
+  }
+
+if (route_finduser(user, pw, uid)) return TRUE;
+
+*errmsg = string_sprintf("Failed to find user \"%s\" from expanded string "
+  "\"%s\" for the %s %s", user, string, driver_name, driver_type);
+log_write(0, LOG_MAIN|LOG_PANIC, "%s", *errmsg);
+return FALSE;
+}
+
+
+
+/*************************************************
+*          Find group by expanding string        *
+*************************************************/
+
+/* Expands a string and then looks up the result in the group file.
+
+Arguments:
+  string       the string to be expanded, yielding a group name or a numerical
+                 gid value (to be passed to route_findgroup())
+  driver_name  caller name for panic error message (only)
+  driver_type  caller type for panic error message (only)
+  gid          return gid via this pointer
+  errmsg       return error message via this pointer
+
+Returns:       TRUE if found group, FALSE otherwise
+*/
+
+BOOL
+route_find_expanded_group(uschar *string, uschar *driver_name, uschar *driver_type,
+  gid_t *gid, uschar **errmsg)
+{
+BOOL yield = TRUE;
+uschar *group = expand_string(string);
+
+if (!group)
+  {
+  *errmsg = string_sprintf("Failed to expand group string \"%s\" for the "
+    "%s %s: %s", string, driver_name, driver_type, expand_string_message);
+  log_write(0, LOG_MAIN|LOG_PANIC, "%s", *errmsg);
+  return FALSE;
+  }
+
+if (!route_findgroup(group, gid))
+  {
+  *errmsg = string_sprintf("Failed to find group \"%s\" from expanded string "
+    "\"%s\" for the %s %s", group, string, driver_name, driver_type);
+  log_write(0, LOG_MAIN|LOG_PANIC, "%s", *errmsg);
+  yield = FALSE;
+  }
+
+return yield;
+}
+
+
+
+/*************************************************
+*            Handle an unseen routing            *
+*************************************************/
+
+/* This function is called when an address is routed by a router with "unseen"
+set. It must make a clone of the address, for handling by subsequent drivers.
+The clone is set to start routing at the next router.
+
+The original address must be replaced by an invented "parent" which has the
+routed address plus the clone as its children. This is necessary in case the
+address is at the top level - we don't want to mark it complete until both
+deliveries have been done.
+
+A new unique field must be made, so that the record of the delivery isn't a
+record of the original address, and checking for already delivered has
+therefore to be done here. If the delivery has happened, then take the base
+address off whichever delivery queue it is on - it will always be the top item.
+
+Arguments:
+  name          router name
+  addr          address that was routed
+  paddr_local   chain of local-delivery addresses
+  paddr_remote  chain of remote-delivery addresses
+  addr_new      chain for newly created addresses
+
+Returns:        nothing
+*/
+
+static void
+route_unseen(uschar *name, address_item *addr, address_item **paddr_local,
+  address_item **paddr_remote, address_item **addr_new)
+{
+address_item *parent = deliver_make_addr(addr->address, TRUE);
+address_item *new = deliver_make_addr(addr->address, TRUE);
+
+/* The invented parent is a copy that replaces the original; note that
+this copies its parent pointer. It has two children, and its errors_address is
+from the original address' parent, if present, otherwise unset. */
+
+*parent = *addr;
+parent->child_count = 2;
+parent->prop.errors_address =
+  addr->parent ? addr->parent->prop.errors_address : NULL;
+
+/* The routed address gets a new parent. */
+
+addr->parent = parent;
+
+/* The clone has this parent too. Set its errors address from the parent. This
+was set from the original parent (or to NULL) - see above. We do NOT want to
+take the errors address from the unseen router. */
+
+new->parent = parent;
+new->prop.errors_address = parent->prop.errors_address;
+
+/* Copy the propagated flags and address_data from the original. */
+
+new->prop.ignore_error = addr->prop.ignore_error;
+new->prop.address_data = addr->prop.address_data;
+new->prop.variables = NULL;
+tree_dup((tree_node **)&new->prop.variables, addr->prop.variables);
+new->dsn_flags = addr->dsn_flags;
+new->dsn_orcpt = addr->dsn_orcpt;
+
+
+/* As it has turned out, we haven't set headers_add or headers_remove for the
+ * clone. Thinking about it, it isn't entirely clear whether they should be
+ * copied from the original parent, like errors_address, or taken from the
+ * unseen router, like address_data and the flags. Until somebody brings this
+ * up, I propose to leave the code as it is.
+ */
+
+
+/* Set the cloned address to start at the next router, and put it onto the
+chain of new addresses. */
+
+new->start_router = addr->router->next;
+new->next = *addr_new;
+*addr_new = new;
+
+DEBUG(D_route) debug_printf("\"unseen\" set: replicated %s\n", addr->address);
+
+/* Make a new unique field, to distinguish from the normal one. */
+
+addr->unique = string_sprintf("%s/%s", addr->unique, name);
+
+/* If the address has been routed to a transport, see if it was previously
+delivered. If so, we take it off the relevant queue so that it isn't delivered
+again. Otherwise, it was an alias or something, and the addresses it generated
+are handled in the normal way. */
+
+if (addr->transport && tree_search(tree_nonrecipients, addr->unique))
+  {
+  DEBUG(D_route)
+    debug_printf("\"unseen\" delivery previously done - discarded\n");
+  parent->child_count--;
+  if (*paddr_remote == addr) *paddr_remote = addr->next;
+  if (*paddr_local == addr) *paddr_local = addr->next;
+  }
+}
+
+
+
+/************************************************/
+/* Add router-assigned variables
+Return OK/DEFER/FAIL/PASS */
+
+static int
+set_router_vars(address_item * addr, const router_instance * r)
+{
+const uschar * varlist = r->set;
+tree_node ** root = (tree_node **) &addr->prop.variables;
+int sep = ';';
+
+if (!varlist) return OK;
+
+/* Walk the varlist, creating variables */
+
+for (uschar * ele; (ele = string_nextinlist(&varlist, &sep, NULL, 0)); )
+  {
+  const uschar * assignment = ele;
+  int esep = '=';
+  uschar * name = string_nextinlist(&assignment, &esep, NULL, 0);
+  uschar * val;
+  tree_node * node;
+
+  /* Variable name must exist and start "r_". */
+
+  if (!name || name[0] != 'r' || name[1] != '_' || !name[2])
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC,
+	"bad router variable name '%s' in router '%s'\n", name, r->name);
+    return FAIL;
+    }
+  name += 2;
+
+  while (isspace(*assignment)) assignment++;
+
+  if (!(val = expand_string(US assignment)))
+    if (f.expand_string_forcedfail)
+      {
+      int yield;
+      BOOL more;
+      DEBUG(D_route) debug_printf("forced failure in expansion of \"%s\" "
+	  "(router variable): decline action taken\n", ele);
+
+      /* Expand "more" if necessary; DEFER => an expansion failed */
+
+      yield = exp_bool(addr, US"router", r->name, D_route,
+		      US"more", r->more, r->expand_more, &more);
+      if (yield != OK) return yield;
+
+      if (!more)
+	{
+	DEBUG(D_route)
+	  debug_printf("\"more\"=false: skipping remaining routers\n");
+	router_name = NULL;
+	r = NULL;
+	return FAIL;
+	}
+      return PASS;
+      }
+    else
+      {
+      addr->message = string_sprintf("expansion of \"%s\" failed "
+	"in %s router: %s", ele, r->name, expand_string_message);
+      return DEFER;
+      }
+
+  if (!(node = tree_search(*root, name)))
+    {				/* name should never be tainted */
+    node = store_get(sizeof(tree_node) + Ustrlen(name), GET_UNTAINTED);
+    Ustrcpy(node->name, name);
+    (void)tree_insertnode(root, node);
+    }
+  node->data.ptr = US val;
+  DEBUG(D_route) debug_printf("set r_%s%s = '%s'%s\n",
+		    name, is_tainted(name)?" (tainted)":"",
+		    val, is_tainted(val)?" (tainted)":"");
+
+  /* All expansions after this point need visibility of that variable */
+  router_var = *root;
+  }
+return OK;
+}
+
+
+/*************************************************
+*                 Route one address              *
+*************************************************/
+
+/* This function is passed in one address item, for processing by the routers.
+The verify flag is set if this is being called for verification rather than
+delivery. If the router doesn't have its "verify" flag set, it is skipped.
+
+Arguments:
+  addr           address to route
+  paddr_local    chain of local-delivery addresses
+  paddr_remote   chain of remote-delivery addresses
+  addr_new       chain for newly created addresses
+  addr_succeed   chain for completed addresses
+  verify         v_none if not verifying
+                 v_sender if verifying a sender address
+                 v_recipient if verifying a recipient address
+                 v_expn if processing an EXPN address
+
+Returns:         OK      => address successfully routed
+                 DISCARD => address was discarded
+                 FAIL    => address could not be routed
+                 DEFER   => some temporary problem
+                 ERROR   => some major internal or configuration failure
+*/
+
+int
+route_address(address_item *addr, address_item **paddr_local,
+  address_item **paddr_remote, address_item **addr_new,
+  address_item **addr_succeed, int verify)
+{
+int yield = OK;
+BOOL unseen;
+router_instance *r, *nextr;
+const uschar *old_domain = addr->domain;
+
+HDEBUG(D_route)
+  {
+  debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+  debug_printf("routing %s\n", addr->address);
+  }
+
+/* Loop through all router instances until a router succeeds, fails, defers, or
+encounters an error. If the address has start_router set, we begin from there
+instead of at the first router. */
+
+for (r = addr->start_router ? addr->start_router : routers; r; r = nextr)
+  {
+  uschar *error;
+  struct passwd *pw = NULL;
+  struct passwd pwcopy;
+  BOOL loop_detected = FALSE;
+  BOOL more;
+  int loopcount = 0;
+  int rc;
+
+  DEBUG(D_route) debug_printf("--------> %s router <--------\n", r->name);
+
+  /* Reset any search error message from the previous router. */
+
+  search_error_message = NULL;
+
+  /* There are some weird cases where logging is disabled */
+
+  f.disable_logging = r->disable_logging;
+
+  /* Record the last router to handle the address, and set the default
+  next router. */
+
+  addr->router = r;
+  nextr = r->next;
+
+  /* Loop protection: If this address has an ancestor with the same address,
+  and that ancestor was routed by this router, we skip this router. This
+  prevents a variety of looping states when a new address is created by
+  redirection or by the use of "unseen" on a router.
+
+  If no_repeat_use is set on the router, we skip if _any_ ancestor was routed
+  by  this router, even if it was different to the current address.
+
+  Just in case someone does put it into a loop (possible with redirection
+  continually adding to an address, for example), put a long stop counter on
+  the number of parents. */
+
+  for (address_item * parent = addr->parent; parent; parent = parent->parent)
+    {
+    if (parent->router == r)
+      {
+      BOOL break_loop = !r->repeat_use;
+
+      /* When repeat_use is set, first check the active addresses caselessly.
+      If they match, we have to do a further caseful check of the local parts
+      when caseful_local_part is set. This is assumed to be rare, which is why
+      the code is written this way. */
+
+      if (!break_loop)
+        {
+        break_loop = strcmpic(parent->address, addr->address) == 0;
+        if (break_loop && r->caseful_local_part)
+          break_loop = Ustrncmp(parent->address, addr->address,
+             Ustrrchr(addr->address, '@') - addr->address) == 0;
+        }
+
+      if (break_loop)
+        {
+        DEBUG(D_route) debug_printf("%s router skipped: previously routed %s\n",
+          r->name, parent->address);
+        loop_detected = TRUE;
+        break;
+        }
+      }
+
+    /* Continue with parents, limiting the size of the dynasty. */
+
+    if (loopcount++ > 100)
+      {
+      log_write(0, LOG_MAIN|LOG_PANIC, "routing loop for %s", addr->address);
+      yield = DEFER;
+      goto ROUTE_EXIT;
+      }
+    }
+
+  if (loop_detected) continue;
+
+  /* Default no affixes and select whether to use a caseful or caseless local
+  part in this router. */
+
+  addr->prefix = addr->prefix_v = addr->suffix = addr->suffix_v = NULL;
+  addr->local_part = r->caseful_local_part
+    ? addr->cc_local_part : addr->lc_local_part;
+
+  DEBUG(D_route) debug_printf("local_part=%s domain=%s\n", addr->local_part,
+    addr->domain);
+
+  /* Handle any configured prefix by replacing the local_part address,
+  and setting the prefix. Skip the router if the prefix doesn't match,
+  unless the prefix is optional. */
+
+  if (r->prefix)
+    {
+    unsigned vlen;
+    int plen = route_check_prefix(addr->local_part, r->prefix, &vlen);
+    if (plen > 0)
+      {
+      /* If the variable-part is zero-length then the prefix was not
+      wildcarded and we can detaint-copy it since it matches the
+      (non-expandable) router option.  Otherwise copy the (likely) tainted match
+      and the variable-part of the match from the local_part. */
+
+      if (vlen)
+	{
+	addr->prefix = string_copyn(addr->local_part, plen);
+	addr->prefix_v = string_copyn(addr->local_part, vlen);
+	}
+      else
+	addr->prefix = string_copyn_taint(addr->local_part, plen, GET_UNTAINTED);
+      addr->local_part += plen;
+      DEBUG(D_route) debug_printf("stripped prefix %s\n", addr->prefix);
+      }
+    else if (!r->prefix_optional)
+      {
+      DEBUG(D_route) debug_printf("%s router skipped: prefix mismatch\n",
+        r->name);
+      continue;
+      }
+    }
+
+  /* Handle any configured suffix likewise. */
+
+  if (r->suffix)
+    {
+    unsigned vlen;
+    int slen = route_check_suffix(addr->local_part, r->suffix, &vlen);
+    if (slen > 0)
+      {
+      int lplen = Ustrlen(addr->local_part) - slen;
+      addr->suffix = vlen
+	? addr->local_part + lplen
+	: string_copy_taint(addr->local_part + lplen, GET_UNTAINTED);
+      addr->suffix_v = addr->suffix + Ustrlen(addr->suffix) - vlen;
+      addr->local_part = string_copyn(addr->local_part, lplen);
+      DEBUG(D_route) debug_printf("stripped suffix %s\n", addr->suffix);
+      }
+    else if (!r->suffix_optional)
+      {
+      DEBUG(D_route) debug_printf("%s router skipped: suffix mismatch\n",
+        r->name);
+      continue;
+      }
+    }
+
+  /* Set the expansion variables now that we have the affixes and the case of
+  the local part sorted. */
+
+  router_name = r->name;
+  driver_srcfile = r->srcfile;
+  driver_srcline = r->srcline;
+  deliver_set_expansions(addr);
+
+  /* For convenience, the pre-router checks are in a separate function, which
+  returns OK, SKIP, FAIL, or DEFER. */
+
+  if ((rc = check_router_conditions(r, addr, verify, &pw, &error)) != OK)
+    {
+    driver_srcfile = router_name = NULL; driver_srcline = 0;
+    if (rc == SKIP) continue;
+    addr->message = error;
+    yield = rc;
+    goto ROUTE_EXIT;
+    }
+
+  /* All pre-conditions have been met. Reset any search error message from
+  pre-condition tests. These can arise in negated tests where the failure of
+  the lookup leads to a TRUE pre-condition. */
+
+  search_error_message = NULL;
+
+  /* Add any variable-settings that are on the router, to the set on the
+  addr. Expansion is done here and not later when the addr is used.  There may
+  be multiple settings, gathered during readconf; this code gathers them during
+  router traversal.  On the addr string they are held as a variable tree, so
+  as to maintain the post-expansion taints separate. */
+
+  switch (set_router_vars(addr, r))
+    {
+    case OK:	break;
+    case PASS:	continue;		/* with next router */
+    default:	 goto ROUTE_EXIT;
+    }
+
+  /* Finally, expand the address_data field in the router. Forced failure
+  behaves as if the router declined. Any other failure is more serious. On
+  success, the string is attached to the address for all subsequent processing.
+  */
+
+  if (r->address_data)
+    {
+    DEBUG(D_route) debug_printf("processing address_data\n");
+    if (!(deliver_address_data = expand_string(r->address_data)))
+      {
+      if (f.expand_string_forcedfail)
+        {
+        DEBUG(D_route) debug_printf("forced failure in expansion of \"%s\" "
+            "(address_data): decline action taken\n", r->address_data);
+
+        /* Expand "more" if necessary; DEFER => an expansion failed */
+
+        yield = exp_bool(addr, US"router", r->name, D_route,
+			US"more", r->more, r->expand_more, &more);
+        if (yield != OK) goto ROUTE_EXIT;
+
+        if (!more)
+          {
+          DEBUG(D_route)
+            debug_printf("\"more\"=false: skipping remaining routers\n");
+	  driver_srcfile = router_name = NULL; driver_srcline = 0;
+          r = NULL;
+          break;
+          }
+        else continue;    /* With next router */
+        }
+
+      else
+        {
+        addr->message = string_sprintf("expansion of \"%s\" failed "
+          "in %s router: %s", r->address_data, r->name, expand_string_message);
+        yield = DEFER;
+        goto ROUTE_EXIT;
+        }
+      }
+    addr->prop.address_data = deliver_address_data;
+    }
+
+  /* We are finally cleared for take-off with this router. Clear the the flag
+  that records that a local host was removed from a routed host list. Make a
+  copy of relevant fields in the password information from check_local_user,
+  because it will be overwritten if check_local_user is invoked again while
+  verifying an errors_address setting. */
+
+  clearflag(addr, af_local_host_removed);
+
+  if (pw)
+    {
+    pwcopy.pw_name = CS string_copy(US pw->pw_name);
+    pwcopy.pw_uid = pw->pw_uid;
+    pwcopy.pw_gid = pw->pw_gid;
+    pwcopy.pw_gecos = CS string_copy(US pw->pw_gecos);
+    pwcopy.pw_dir = CS string_copy(US pw->pw_dir);
+    pwcopy.pw_shell = CS string_copy(US pw->pw_shell);
+    pw = &pwcopy;
+    }
+
+  /* If this should be the last hop for DSN flag the addr. */
+
+  if (r->dsn_lasthop && !(addr->dsn_flags & rf_dsnlasthop))
+    {
+    addr->dsn_flags |= rf_dsnlasthop;
+    HDEBUG(D_route) debug_printf("DSN: last hop for %s\n", addr->address);
+    }
+
+  /* Run the router, and handle the consequences. */
+
+  HDEBUG(D_route) debug_printf("calling %s router\n", r->name);
+
+  yield = (r->info->code)(r, addr, pw, verify, paddr_local, paddr_remote,
+    addr_new, addr_succeed);
+
+  driver_srcfile = router_name = NULL; driver_srcline = 0;
+
+  if (yield == FAIL)
+    {
+    HDEBUG(D_route) debug_printf("%s router forced address failure\n", r->name);
+    goto ROUTE_EXIT;
+    }
+
+  /* If succeeded while verifying but fail_verify is set, convert into
+  a failure, and take it off the local or remote delivery list. */
+
+  if (  (  verify == v_sender && r->fail_verify_sender
+	|| verify == v_recipient && r->fail_verify_recipient
+	)
+     && (yield == OK || yield == PASS))
+    {
+    addr->message = string_sprintf("%s router forced verify failure", r->name);
+    if (*paddr_remote == addr) *paddr_remote = addr->next;
+    if (*paddr_local == addr) *paddr_local = addr->next;
+    yield = FAIL;
+    goto ROUTE_EXIT;
+    }
+
+  /* PASS and DECLINE are the only two cases where the loop continues. For all
+  other returns, we break the loop and handle the result below. */
+
+  if (yield != PASS && yield != DECLINE) break;
+
+  HDEBUG(D_route)
+    {
+    debug_printf("%s router %s for %s\n", r->name,
+      yield == PASS ? "passed" : "declined", addr->address);
+    if (Ustrcmp(old_domain, addr->domain) != 0)
+      debug_printf("domain %s rewritten\n", old_domain);
+    }
+
+  /* PASS always continues to another router; DECLINE does so if "more"
+  is true. Initialization insists that pass_router is always a following
+  router. Otherwise, break the loop as if at the end of the routers. */
+
+  if (yield == PASS)
+    {
+    if (r->pass_router != NULL) nextr = r->pass_router;
+    }
+  else
+    {
+    /* Expand "more" if necessary */
+
+    yield = exp_bool(addr, US"router", r->name, D_route,
+		       	US"more", r->more, r->expand_more, &more);
+    if (yield != OK) goto ROUTE_EXIT;
+
+    if (!more)
+      {
+      HDEBUG(D_route)
+        debug_printf("\"more\" is false: skipping remaining routers\n");
+      r = NULL;
+      break;
+      }
+    }
+  }                                      /* Loop for all routers */
+
+/* On exit from the routers loop, if r == NULL we have run out of routers,
+either genuinely, or as a result of no_more. Otherwise, the loop ended
+prematurely, either because a router succeeded, or because of some special
+router response. Note that FAIL errors and errors detected before actually
+running a router go direct to ROUTE_EXIT from code above. */
+
+if (!r)
+  {
+  HDEBUG(D_route) debug_printf("no more routers\n");
+  if (!addr->message)
+    {
+    uschar *message = US"Unrouteable address";
+    if (addr->router && addr->router->cannot_route_message)
+      {
+      uschar *expmessage = expand_string(addr->router->cannot_route_message);
+      if (!expmessage)
+        {
+        if (!f.expand_string_forcedfail)
+          log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
+            "cannot_route_message in %s router: %s", addr->router->name,
+            expand_string_message);
+        }
+      else message = expmessage;
+      }
+    addr->user_message = addr->message = message;
+    }
+  addr->router = NULL;         /* For logging */
+  yield = FAIL;
+  goto ROUTE_EXIT;
+  }
+
+if (yield == DEFER)
+  {
+  HDEBUG(D_route) debug_printf("%s router: defer for %s\n  message: %s\n",
+      r->name, addr->address, addr->message ? addr->message : US"<none>");
+  goto ROUTE_EXIT;
+  }
+
+if (yield == DISCARD) goto ROUTE_EXIT;
+
+/* The yield must be either OK or REROUTED. */
+
+if (yield != OK && yield != REROUTED)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s router returned unknown value %d",
+    r->name, yield);
+
+/* If the yield was REROUTED, the router put a child address on the new chain
+as a result of a domain change of some sort (widening, typically). */
+
+if (yield == REROUTED)
+  {
+  HDEBUG(D_route) debug_printf("re-routed to %s\n", addr->address);
+  yield = OK;
+  goto ROUTE_EXIT;
+  }
+
+/* The only remaining possibility is that the router succeeded. If the
+translate_ip_address options is set and host addresses were associated with the
+address, run them through the translation. This feature is for weird and
+wonderful situations (the amateur packet radio people need it) or very broken
+networking, so it is included in the binary only if requested. */
+
+#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
+
+if (r->translate_ip_address)
+  {
+  int rc;
+  int old_pool = store_pool;
+  for (host_item * h = addr->host_list; h; h = h->next)
+    {
+    uschar *newaddress;
+    uschar *oldaddress, *oldname;
+
+    if (!h->address) continue;
+
+    deliver_host_address = h->address;
+    newaddress = expand_string(r->translate_ip_address);
+    deliver_host_address = NULL;
+
+    if (!newaddress)
+      {
+      if (f.expand_string_forcedfail) continue;
+      addr->basic_errno = ERRNO_EXPANDFAIL;
+      addr->message = string_sprintf("translate_ip_address expansion "
+        "failed: %s", expand_string_message);
+      yield = DEFER;
+      goto ROUTE_EXIT;
+      }
+
+    DEBUG(D_route) debug_printf("%s [%s] translated to %s\n",
+      h->name, h->address, newaddress);
+    if (string_is_ip_address(newaddress, NULL) != 0)
+      {
+      h->address = newaddress;
+      continue;
+      }
+
+    oldname = h->name;
+    oldaddress = h->address;
+    h->name = newaddress;
+    h->address = NULL;
+    h->mx = MX_NONE;
+
+    store_pool = POOL_PERM;
+    rc = host_find_byname(h, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, TRUE);
+    store_pool = old_pool;
+
+    if (rc == HOST_FIND_FAILED || rc == HOST_FIND_AGAIN)
+      {
+      addr->basic_errno = ERRNO_UNKNOWNHOST;
+      addr->message = string_sprintf("host %s not found when "
+        "translating %s [%s]", h->name, oldname, oldaddress);
+      yield = DEFER;
+      goto ROUTE_EXIT;
+      }
+    }
+  }
+#endif  /* SUPPORT_TRANSLATE_IP_ADDRESS */
+
+/* See if this is an unseen routing; first expand the option if necessary.
+DEFER can be given if the expansion fails */
+
+yield = exp_bool(addr, US"router", r->name, D_route,
+	       	US"unseen", r->unseen, r->expand_unseen, &unseen);
+if (yield != OK) goto ROUTE_EXIT;
+
+/* Debugging output recording a successful routing */
+
+HDEBUG(D_route) debug_printf("routed by %s router%s\n", r->name,
+    unseen? " (unseen)" : "");
+
+DEBUG(D_route)
+  {
+  debug_printf("  envelope to: %s\n", addr->address);
+  debug_printf("  transport: %s\n", addr->transport
+    ? addr->transport->name : US"<none>");
+
+  if (addr->prop.errors_address)
+    debug_printf("  errors to %s\n", addr->prop.errors_address);
+
+  for (host_item * h = addr->host_list; h; h = h->next)
+    {
+    debug_printf("  host %s", h->name);
+    if (h->address) debug_printf(" [%s]", h->address);
+    if (h->mx >= 0) debug_printf(" MX=%d", h->mx);
+      else if (h->mx != MX_NONE) debug_printf(" rgroup=%d", h->mx);
+    if (h->port != PORT_NONE) debug_printf(" port=%d", h->port);
+    if (h->dnssec != DS_UNK) debug_printf(" dnssec=%s", h->dnssec==DS_YES ? "yes" : "no");
+    debug_printf("\n");
+    }
+  }
+
+/* Clear any temporary error message set by a router that declined, and handle
+the "unseen" option (ignore if there are no further routers). */
+
+addr->message = NULL;
+if (unseen && r->next)
+  route_unseen(r->name, addr, paddr_local, paddr_remote, addr_new);
+
+/* Unset the address expansions, and return the final result. */
+
+ROUTE_EXIT:
+if (yield == DEFER && addr->message)
+  addr->message = expand_hide_passwords(addr->message);
+
+deliver_set_expansions(NULL);
+driver_srcfile = router_name = NULL; driver_srcline = 0;
+f.disable_logging = FALSE;
+return yield;
+}
+
+
+
+/* For error messages, a string describing the config location associated
+with current processing.  NULL if we are not in a router. */
+/* Name only, for now */
+
+uschar *
+router_current_name(void)
+{
+if (!router_name) return NULL;
+return string_sprintf(" (router %s, %s %d)", router_name, driver_srcfile, driver_srcline);
+}
+
+#endif	/*!MACRO_PREDEF*/
+/* End of route.c */
diff --git a/src/routers/Makefile b/src/routers/Makefile
new file mode 100644
index 0000000..8f2432d
--- /dev/null
+++ b/src/routers/Makefile
@@ -0,0 +1,43 @@
+# Make file for building a library containing all the available routers and
+# calling it routers.a. This is called from the main make file, after cd'ing
+# to the directors subdirectory. The library also contains functions that
+# are called only from within the individual routers.
+
+OBJ = accept.o dnslookup.o ipliteral.o iplookup.o manualroute.o \
+      queryprogram.o redirect.o \
+      rf_change_domain.o rf_expand_data.o rf_get_errors_address.o \
+      rf_get_munge_headers.o rf_get_transport.o rf_get_ugid.o \
+      rf_lookup_hostlist.o \
+      rf_queue_add.o rf_self_action.o \
+      rf_set_ugid.o
+
+routers.a:       $(OBJ)
+		 @$(RM_COMMAND) -f routers.a
+		 @echo "$(AR) routers.a"
+		 @$(AR) routers.a $(OBJ)
+		 $(RANLIB) $@
+
+.SUFFIXES:       .o .c
+.c.o:;           @echo "$(CC) $*.c"
+		 $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
+
+rf_change_domain.o:      $(HDRS) rf_change_domain.c      rf_functions.h
+rf_expand_data.o:        $(HDRS) rf_expand_data.c        rf_functions.h
+rf_get_errors_address.o: $(HDRS) rf_get_errors_address.c rf_functions.h
+rf_get_munge_headers.o:  $(HDRS) rf_get_munge_headers.c  rf_functions.h
+rf_get_transport.o:      $(HDRS) rf_get_transport.c      rf_functions.h
+rf_get_ugid.o:           $(HDRS) rf_get_ugid.c           rf_functions.h
+rf_lookup_hostlist.o:    $(HDRS) rf_lookup_hostlist.c    rf_functions.h
+rf_queue_add.o:          $(HDRS) rf_queue_add.c          rf_functions.h
+rf_self_action.o:        $(HDRS) rf_self_action.c        rf_functions.h
+rf_set_ugid.o:           $(HDRS) rf_set_ugid.c           rf_functions.h
+
+accept.o:        $(HDRS) accept.c       rf_functions.h accept.h
+dnslookup.o:     $(HDRS) dnslookup.c    rf_functions.h dnslookup.h
+ipliteral.o:     $(HDRS) ipliteral.c    rf_functions.h ipliteral.h
+iplookup.o:      $(HDRS) iplookup.c     rf_functions.h iplookup.h
+manualroute.o:   $(HDRS) manualroute.c  rf_functions.h manualroute.h
+queryprogram.o:  $(HDRS) queryprogram.c rf_functions.h queryprogram.h
+redirect.o:      $(HDRS) redirect.c     rf_functions.h redirect.h
+
+# End
diff --git a/src/routers/README b/src/routers/README
new file mode 100644
index 0000000..a674e8b
--- /dev/null
+++ b/src/routers/README
@@ -0,0 +1,57 @@
+ROUTERS:
+
+The yield of a router is one of:
+
+  OK              the address was routed and either added to one of the
+                  addr_local or addr_remote chains, or one or more new
+                  addresses were added to addr_new. The original may be added
+                  to addr_succeed.
+
+  REROUTED        this is used when a child address is created and added to
+                  addr_new as a consequence of a domain widening or because
+                  "self = reroute" was encountered. The only time it is handled
+                  differently from OK is when verifying, to force it to
+                  continue with the child address.
+
+  DECLINE         the address was not routed; pass to next router unless
+                  no_more is set. It is permitted for additional addresses to
+                  have been added to addr_new (or indeed for addresses to have
+                  been put on the other chains).
+
+  PASS            the address was not routed, but might have been modified;
+                  pass to the next router unconditionally.
+
+  DISCARD         the address was discarded (:blackhole: or "seen finish")
+
+  FAIL            the address was not routed; do not pass to any subsequent
+                  routers, i.e. cause routing to fail.
+
+  DEFER           retry this address later.
+
+Both ERROR and DEFER cause the message to be kept on the queue; either may
+request freezing, but nowadays we try not to request freezing from routers
+because it may hold up other addresses in the message.
+
+
+When routing succeeds, the following field in the address can be set:
+
+  transport       points to the transport instance control block
+
+  uid, gid        are the uid and gid under which a local transport is to be
+                  run if the transport does not itself specify them.
+
+  initgroups      is set true if initgroups() is to be called when using the
+                  uid and gid set up by the router.
+
+  fallback_hosts  fallback host list - relevant only if the router sets up
+                  a remote transport for the address.
+
+  errors_address  where to send error messages for this address.
+
+  extra_headers   additional headers to be added to the message for this
+                  address.
+
+  remove_headers  the names of headers to be removed from the message for this
+                  address
+
+****
diff --git a/src/routers/accept.c b/src/routers/accept.c
new file mode 100644
index 0000000..110a1ef
--- /dev/null
+++ b/src/routers/accept.c
@@ -0,0 +1,139 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 - 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "rf_functions.h"
+#include "accept.h"
+
+
+/* Options specific to the accept router. Because some compilers do not like
+empty declarations ("undefined" in the Standard) we put in a dummy value. */
+
+optionlist accept_router_options[] = {
+  { "", opt_hidden, {NULL} }
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int accept_router_options_count =
+  sizeof(accept_router_options)/sizeof(optionlist);
+
+/* Default private options block for the accept router. Again, a dummy
+value is used. */
+
+accept_router_options_block accept_router_option_defaults = {
+  NULL        /* dummy */
+};
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy entries */
+void accept_router_init(router_instance *rblock) {}
+int accept_router_entry(router_instance *rblock, address_item *addr,
+  struct passwd *pw, int verify, address_item **addr_local,
+  address_item **addr_remote, address_item **addr_new,
+  address_item **addr_succeed) {return 0;}
+
+#else	/*!MACRO_PREDEF*/
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to enable
+consistency checks to be done, or anything else that needs to be set up. */
+
+void accept_router_init(router_instance *rblock)
+{
+/*
+accept_router_options_block *ob =
+  (accept_router_options_block *)(rblock->options_block);
+*/
+
+/* By default, log deliveries via this router as local deliveries. We can't
+just leave it as TRUE_UNSET, because the global default is FALSE. */
+
+if (rblock->log_as_local == TRUE_UNSET) rblock->log_as_local = TRUE;
+}
+
+
+
+/*************************************************
+*              Main entry point                  *
+*************************************************/
+
+/* See local README for interface description. This router returns:
+
+DEFER
+  . verifying the errors address caused a deferment or a big disaster such
+      as an expansion failure (rf_get_errors_address)
+  . expanding a headers_{add,remove} string caused a deferment or another
+      expansion error (rf_get_munge_headers)
+  . a problem in rf_get_transport: no transport when one is needed;
+    failed to expand dynamic transport; failed to find dynamic transport
+  . failure to expand or find a uid/gid (rf_get_ugid via rf_queue_add)
+
+OK
+  added address to addr_local or addr_remote, as appropriate for the
+  type of transport
+*/
+
+int accept_router_entry(
+  router_instance *rblock,        /* data for this instantiation */
+  address_item *addr,             /* address we are working on */
+  struct passwd *pw,              /* passwd entry after check_local_user */
+  int verify,                     /* v_none/v_recipient/v_sender/v_expn */
+  address_item **addr_local,      /* add it to this if it's local */
+  address_item **addr_remote,     /* add it to this if it's remote */
+  address_item **addr_new,        /* put new addresses on here */
+  address_item **addr_succeed)    /* put old address here on success */
+{
+/*
+accept_router_options_block *ob =
+  (accept_router_options_block *)(rblock->options_block);
+*/
+int rc;
+uschar *errors_to;
+uschar *remove_headers;
+header_line *extra_headers;
+
+DEBUG(D_route) debug_printf("%s router called for %s\n  domain = %s\n",
+  rblock->name, addr->address, addr->domain);
+
+/* Set up the errors address, if any. */
+
+rc = rf_get_errors_address(addr, rblock, verify, &errors_to);
+if (rc != OK) return rc;
+
+/* Set up the additional and removable headers for the address. */
+
+rc = rf_get_munge_headers(addr, rblock, &extra_headers, &remove_headers);
+if (rc != OK) return rc;
+
+/* Set the transport and accept the address; update its errors address and
+header munging. Initialization ensures that there is a transport except when
+verifying. */
+
+if (!rf_get_transport(rblock->transport_name, &(rblock->transport),
+  addr, rblock->name, NULL)) return DEFER;
+
+addr->transport = rblock->transport;
+addr->prop.errors_address = errors_to;
+addr->prop.extra_headers = extra_headers;
+addr->prop.remove_headers = remove_headers;
+
+return rf_queue_add(addr, addr_local, addr_remote, rblock, pw)? OK : DEFER;
+}
+
+#endif	/*!MACRO_PREDEF*/
+/* End of routers/accept.c */
diff --git a/src/routers/accept.h b/src/routers/accept.h
new file mode 100644
index 0000000..43494fb
--- /dev/null
+++ b/src/routers/accept.h
@@ -0,0 +1,31 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Private structure for the private options (there aren't any). */
+
+typedef struct {
+  uschar *dummy;
+} accept_router_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist accept_router_options[];
+extern int accept_router_options_count;
+
+/* Block containing default values. */
+
+extern accept_router_options_block accept_router_option_defaults;
+
+/* The main and initialization entry points for the router */
+
+extern int accept_router_entry(router_instance *, address_item *,
+  struct passwd *, int, address_item **, address_item **,
+  address_item **, address_item **);
+
+extern void accept_router_init(router_instance *);
+
+/* End of routers/accept.h */
diff --git a/src/routers/dnslookup.c b/src/routers/dnslookup.c
new file mode 100644
index 0000000..a845b4e
--- /dev/null
+++ b/src/routers/dnslookup.c
@@ -0,0 +1,477 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "rf_functions.h"
+#include "dnslookup.h"
+
+
+
+/* Options specific to the dnslookup router. */
+#define LOFF(field) OPT_OFF(dnslookup_router_options_block, field)
+
+optionlist dnslookup_router_options[] = {
+  { "check_secondary_mx", opt_bool,		LOFF(check_secondary_mx) },
+  { "check_srv",          opt_stringptr,	LOFF(check_srv) },
+  { "fail_defer_domains", opt_stringptr,	LOFF(fail_defer_domains) },
+  { "ipv4_only",          opt_stringptr,	LOFF(ipv4_only) },
+  { "ipv4_prefer",        opt_stringptr,	LOFF(ipv4_prefer) },
+  { "mx_domains",         opt_stringptr,	LOFF(mx_domains) },
+  { "mx_fail_domains",    opt_stringptr,	LOFF(mx_fail_domains) },
+  { "qualify_single",     opt_bool,		LOFF(qualify_single) },
+  { "rewrite_headers",    opt_bool,		LOFF(rewrite_headers) },
+  { "same_domain_copy_routing", opt_bool|opt_public, OPT_OFF(router_instance, same_domain_copy_routing) },
+  { "search_parents",     opt_bool,		LOFF(search_parents) },
+  { "srv_fail_domains",   opt_stringptr,	LOFF(srv_fail_domains) },
+  { "widen_domains",      opt_stringptr,	LOFF(widen_domains) }
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int dnslookup_router_options_count =
+  sizeof(dnslookup_router_options)/sizeof(optionlist);
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy entries */
+dnslookup_router_options_block dnslookup_router_option_defaults = {0};
+void dnslookup_router_init(router_instance *rblock) {}
+int dnslookup_router_entry(router_instance *rblock, address_item *addr,
+  struct passwd *pw, int verify, address_item **addr_local,
+  address_item **addr_remote, address_item **addr_new,
+  address_item **addr_succeed) {return 0;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+
+
+/* Default private options block for the dnslookup router. */
+
+dnslookup_router_options_block dnslookup_router_option_defaults = {
+  .check_secondary_mx =	FALSE,
+  .qualify_single =	TRUE,
+  .search_parents =	FALSE,
+  .rewrite_headers =	TRUE,
+  .widen_domains =	NULL,
+  .mx_domains =		NULL,
+  .mx_fail_domains =	NULL,
+  .srv_fail_domains =	NULL,
+  .check_srv =		NULL,
+  .fail_defer_domains =	NULL,
+  .ipv4_only =		NULL,
+  .ipv4_prefer =	NULL,
+};
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to enable
+consistency checks to be done, or anything else that needs to be set up. */
+
+void
+dnslookup_router_init(router_instance *rblock)
+{
+/*
+dnslookup_router_options_block *ob =
+  (dnslookup_router_options_block *)(rblock->options_block);
+*/
+rblock = rblock;
+}
+
+
+
+/*************************************************
+*              Main entry point                  *
+*************************************************/
+
+/* See local README for interface details. This router returns:
+
+DECLINE
+  . the domain does not exist in the DNS
+  . MX records point to non-existent hosts (including RHS = IP address)
+  . a single SRV record has a host name of "." (=> no service)
+  . syntactically invalid mail domain
+  . check_secondary_mx set, and local host not in host list
+
+DEFER
+  . lookup defer for mx_domains
+  . timeout etc on DNS lookup
+  . verifying the errors address caused a deferment or a big disaster such
+      as an expansion failure (rf_get_errors_address)
+  . expanding a headers_{add,remove} string caused a deferment or another
+      expansion error (rf_get_munge_headers)
+  . a problem in rf_get_transport: no transport when one is needed;
+      failed to expand dynamic transport; failed to find dynamic transport
+  . failure to expand or find a uid/gid (rf_get_ugid via rf_queue_add)
+  . self = "freeze", self = "defer"
+
+PASS
+  . timeout etc on DNS lookup and pass_on_timeout set
+  . self = "pass"
+
+REROUTED
+  . routed to local host, but name was expanded by DNS lookup, so a
+      re-routing should take place
+  . self = "reroute"
+
+  In both cases the new address will have been set up as a child
+
+FAIL
+  . self = "fail"
+
+OK
+  added address to addr_local or addr_remote, as appropriate for the
+  type of transport; this includes the self="send" case.
+*/
+
+int
+dnslookup_router_entry(
+  router_instance *rblock,        /* data for this instantiation */
+  address_item *addr,             /* address we are working on */
+  struct passwd *pw,              /* passwd entry after check_local_user */
+  int verify,                     /* v_none/v_recipient/v_sender/v_expn */
+  address_item **addr_local,      /* add it to this if it's local */
+  address_item **addr_remote,     /* add it to this if it's remote */
+  address_item **addr_new,        /* put new addresses on here */
+  address_item **addr_succeed)    /* put old address here on success */
+{
+host_item h;
+int rc;
+int widen_sep = 0;
+int whichrrs = HOST_FIND_BY_MX | HOST_FIND_BY_A | HOST_FIND_BY_AAAA;
+dnslookup_router_options_block *ob =
+  (dnslookup_router_options_block *)(rblock->options_block);
+uschar *srv_service = NULL;
+uschar *widen = NULL;
+const uschar *pre_widen = addr->domain;
+const uschar *post_widen = NULL;
+const uschar *fully_qualified_name;
+const uschar *listptr;
+uschar widen_buffer[256];
+
+DEBUG(D_route)
+  debug_printf("%s router called for %s\n  domain = %s\n",
+    rblock->name, addr->address, addr->domain);
+
+/* If an SRV check is required, expand the service name */
+
+if (ob->check_srv)
+  {
+  if (  !(srv_service = expand_string(ob->check_srv))
+     && !f.expand_string_forcedfail)
+    {
+    addr->message = string_sprintf("%s router: failed to expand \"%s\": %s",
+      rblock->name, ob->check_srv, expand_string_message);
+    return DEFER;
+    }
+  else whichrrs |= HOST_FIND_BY_SRV;
+  }
+
+/* Set up the first of any widening domains. The code further down copes with
+either pre- or post-widening, but at present there is no way to turn on
+pre-widening, as actually doing so seems like a rather bad idea, and nobody has
+requested it. Pre-widening would cause local abbreviated names to take
+precedence over global names. For example, if the domain is "xxx.ch" it might
+be something in the "ch" toplevel domain, but it also might be xxx.ch.xyz.com.
+The choice of pre- or post-widening affects which takes precedence. If ever
+somebody comes up with some kind of requirement for pre-widening, presumably
+with some conditions under which it is done, it can be selected here.
+
+The rewrite_headers option works only when routing an address at transport
+time, because the alterations to the headers are not persistent so must be
+worked out immediately before they are used. Sender addresses are routed for
+verification purposes, but never at transport time, so any header changes that
+you might expect as a result of sender domain widening do not occur. Therefore
+we do not perform widening when verifying sender addresses; however, widening
+sender addresses is OK if we do not have to rewrite the headers. A corollary
+of this is that if the current address is not the original address, then it
+does not appear in the message header so it is also OK to widen. The
+suppression of widening for sender addresses is silent because it is the
+normal desirable behaviour. */
+
+if (  ob->widen_domains
+   && (verify != v_sender || !ob->rewrite_headers || addr->parent))
+  {
+  listptr = ob->widen_domains;
+  /* not expanded so should never be tainted */
+  widen = string_nextinlist(&listptr, &widen_sep, widen_buffer,
+    sizeof(widen_buffer));
+
+/****
+  if (some condition requiring pre-widening)
+    {
+    post_widen = pre_widen;
+    pre_widen = NULL;
+    }
+****/
+  }
+
+/* Loop to cope with explicit widening of domains as configured. This code
+copes with widening that may happen before or after the original name. The
+decision as to which is taken above. */
+
+for (;;)
+  {
+  int flags = whichrrs;
+  BOOL removed = FALSE;
+
+  if (pre_widen)
+    {
+    h.name = pre_widen;
+    pre_widen = NULL;
+    }
+  else if (widen)
+    {
+    h.name = string_sprintf("%s.%s", addr->domain, widen);
+    /* not expanded so should never be tainted */
+    widen = string_nextinlist(&listptr, &widen_sep, widen_buffer,
+      sizeof(widen_buffer));
+    DEBUG(D_route) debug_printf("%s router widened %s to %s\n", rblock->name,
+      addr->domain, h.name);
+    }
+  else if (post_widen)
+    {
+    h.name = post_widen;
+    post_widen = NULL;
+    DEBUG(D_route) debug_printf("%s router trying %s after widening failed\n",
+      rblock->name, h.name);
+    }
+  else return DECLINE;
+
+  /* Check if we must request only. or prefer, ipv4 */
+
+  if (  ob->ipv4_only
+     && expand_check_condition(ob->ipv4_only, rblock->name, US"router"))
+    flags = flags & ~HOST_FIND_BY_AAAA | HOST_FIND_IPV4_ONLY;
+  else if (f.search_find_defer)
+    return DEFER;
+  if (  ob->ipv4_prefer
+     && expand_check_condition(ob->ipv4_prefer, rblock->name, US"router"))
+    flags |= HOST_FIND_IPV4_FIRST;
+  else if (f.search_find_defer)
+    return DEFER;
+
+  /* Set up the rest of the initial host item. Others may get chained on if
+  there is more than one IP address. We set it up here instead of outside the
+  loop so as to re-initialize if a previous try succeeded but was rejected
+  because of not having an MX record. */
+
+  h.next = NULL;
+  h.address = NULL;
+  h.port = PORT_NONE;
+  h.mx = MX_NONE;
+  h.status = hstatus_unknown;
+  h.why = hwhy_unknown;
+  h.last_try = 0;
+
+  /* Unfortunately, we cannot set the mx_only option in advance, because the
+  DNS lookup may extend an unqualified name. Therefore, we must do the test
+  subsequently. We use the same logic as that for widen_domains above to avoid
+  requesting a header rewrite that cannot work. */
+
+  if (verify != v_sender || !ob->rewrite_headers || addr->parent)
+    {
+    if (ob->qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
+    if (ob->search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
+    }
+
+  rc = host_find_bydns(&h, CUS rblock->ignore_target_hosts, flags,
+    srv_service, ob->srv_fail_domains, ob->mx_fail_domains,
+    &rblock->dnssec,
+    &fully_qualified_name, &removed);
+
+  if (removed) setflag(addr, af_local_host_removed);
+
+  /* If host found with only address records, test for the domain's being in
+  the mx_domains list. Note that this applies also to SRV records; the name of
+  the option is historical. */
+
+  if ((rc == HOST_FOUND || rc == HOST_FOUND_LOCAL) && h.mx < 0 &&
+       ob->mx_domains)
+    switch(match_isinlist(fully_qualified_name,
+          CUSS &(ob->mx_domains), 0,
+          &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE, NULL))
+      {
+      case DEFER:
+      addr->message = US"lookup defer for mx_domains";
+      return DEFER;
+
+      case OK:
+      DEBUG(D_route) debug_printf("%s router rejected %s: no MX record(s)\n",
+        rblock->name, fully_qualified_name);
+      continue;
+      }
+
+  /* Deferral returns forthwith, and anything other than failure breaks the
+  loop. */
+
+  if (rc == HOST_FIND_SECURITY)
+    {
+    addr->message = US"host lookup done insecurely";
+    return DEFER;
+    }
+  if (rc == HOST_FIND_AGAIN)
+    {
+    if (rblock->pass_on_timeout)
+      {
+      DEBUG(D_route) debug_printf("%s router timed out, and pass_on_timeout is set\n",
+        rblock->name);
+      return PASS;
+      }
+    addr->message = US"host lookup did not complete";
+    return DEFER;
+    }
+
+  if (rc != HOST_FIND_FAILED) break;
+
+  if (ob->fail_defer_domains)
+    switch(match_isinlist(fully_qualified_name,
+	  CUSS &ob->fail_defer_domains, 0,
+	  &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE, NULL))
+      {
+      case DEFER:
+	addr->message = US"lookup defer for fail_defer_domains option";
+	return DEFER;
+
+      case OK:
+	DEBUG(D_route) debug_printf("%s router: matched fail_defer_domains\n",
+	  rblock->name);
+	addr->message = US"missing MX, or all MXs point to missing A records,"
+	  " and defer requested";
+	return DEFER;
+      }
+  /* Check to see if the failure is the result of MX records pointing to
+  non-existent domains, and if so, set an appropriate error message; the case
+  of an MX or SRV record pointing to "." is another special case that we can
+  detect. Otherwise "unknown mail domain" is used, which is confusing. Also, in
+  this case don't do the widening. We need check only the first host to see if
+  its MX has been filled in, but there is no address, because if there were any
+  usable addresses returned, we would not have had HOST_FIND_FAILED.
+
+  As a common cause of this problem is MX records with IP addresses on the
+  RHS, give a special message in this case. */
+
+  if (h.mx >= 0 && h.address == NULL)
+    {
+    setflag(addr, af_pass_message);   /* This is not a security risk */
+    if (h.name[0] == 0)
+      addr->message = US"an MX or SRV record indicated no SMTP service";
+    else
+      {
+      addr->basic_errno = ERRNO_UNKNOWNHOST;
+      addr->message = US"all relevant MX records point to non-existent hosts";
+      if (!allow_mx_to_ip && string_is_ip_address(h.name, NULL) != 0)
+        {
+        addr->user_message =
+          string_sprintf("It appears that the DNS operator for %s\n"
+            "has installed an invalid MX record with an IP address\n"
+            "instead of a domain name on the right hand side.", addr->domain);
+        addr->message = string_sprintf("%s or (invalidly) to IP addresses",
+          addr->message);
+        }
+      }
+    return DECLINE;
+    }
+
+  /* If there's a syntax error, do not continue with any widening, and note
+  the error. */
+
+  if (f.host_find_failed_syntax)
+    {
+    addr->message = string_sprintf("mail domain \"%s\" is syntactically "
+      "invalid", h.name);
+    return DECLINE;
+    }
+  }
+
+/* If the original domain name has been changed as a result of the host lookup,
+set up a child address for rerouting and request header rewrites if so
+configured. Then yield REROUTED. However, if the only change is a change of
+case in the domain name, which some resolvers yield (others don't), just change
+the domain name in the original address so that the official version is used in
+RCPT commands. */
+
+if (Ustrcmp(addr->domain, fully_qualified_name) != 0)
+  {
+  if (strcmpic(addr->domain, fully_qualified_name) == 0)
+    {
+    uschar *at = Ustrrchr(addr->address, '@');
+    memcpy(at+1, fully_qualified_name, Ustrlen(at+1));
+    }
+  else
+    {
+    rf_change_domain(addr, fully_qualified_name, ob->rewrite_headers, addr_new);
+    return REROUTED;
+    }
+  }
+
+/* If the yield is HOST_FOUND_LOCAL, the remote domain name either found MX
+records with the lowest numbered one pointing to a host with an IP address that
+is set on one of the interfaces of this machine, or found A records or got
+addresses from gethostbyname() that contain one for this machine. This can
+happen quite legitimately if the original name was a shortened form of a
+domain, but we will have picked that up already via the name change test above.
+
+Otherwise, the action to be taken can be configured by the self option, the
+handling of which is in a separate function, as it is also required for other
+routers. */
+
+if (rc == HOST_FOUND_LOCAL)
+  {
+  rc = rf_self_action(addr, &h, rblock->self_code, rblock->self_rewrite,
+    rblock->self, addr_new);
+  if (rc != OK) return rc;
+  }
+
+/* Otherwise, insist on being a secondary MX if so configured */
+
+else if (ob->check_secondary_mx && !testflag(addr, af_local_host_removed))
+  {
+  DEBUG(D_route) debug_printf("check_secondary_mx set and local host not secondary\n");
+  return DECLINE;
+  }
+
+/* Set up the errors address, if any. */
+
+rc = rf_get_errors_address(addr, rblock, verify, &addr->prop.errors_address);
+if (rc != OK) return rc;
+
+/* Set up the additional and removable headers for this address. */
+
+rc = rf_get_munge_headers(addr, rblock, &addr->prop.extra_headers,
+  &addr->prop.remove_headers);
+if (rc != OK) return rc;
+
+/* Get store in which to preserve the original host item, chained on
+to the address. */
+
+addr->host_list = store_get(sizeof(host_item), GET_UNTAINTED);
+addr->host_list[0] = h;
+
+/* Fill in the transport and queue the address for delivery. */
+
+if (!rf_get_transport(rblock->transport_name, &(rblock->transport),
+      addr, rblock->name, NULL))
+  return DEFER;
+
+addr->transport = rblock->transport;
+
+return rf_queue_add(addr, addr_local, addr_remote, rblock, pw)?
+  OK : DEFER;
+}
+
+#endif   /*!MACRO_PREDEF*/
+/* End of routers/dnslookup.c */
+/* vi: aw ai sw=2
+*/
diff --git a/src/routers/dnslookup.h b/src/routers/dnslookup.h
new file mode 100644
index 0000000..b7e0915
--- /dev/null
+++ b/src/routers/dnslookup.h
@@ -0,0 +1,42 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Private structure for the private options. */
+
+typedef struct {
+  BOOL check_secondary_mx;
+  BOOL qualify_single;
+  BOOL search_parents;
+  BOOL rewrite_headers;
+  uschar *widen_domains;
+  uschar *mx_domains;
+  uschar *mx_fail_domains;
+  uschar *srv_fail_domains;
+  uschar *check_srv;
+  uschar *fail_defer_domains;
+  uschar *ipv4_only;
+  uschar *ipv4_prefer;
+} dnslookup_router_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist dnslookup_router_options[];
+extern int dnslookup_router_options_count;
+
+/* Block containing default values. */
+
+extern dnslookup_router_options_block dnslookup_router_option_defaults;
+
+/* The main and initialization entry points for the router */
+
+extern int dnslookup_router_entry(router_instance *, address_item *,
+  struct passwd *, int, address_item **, address_item **,
+  address_item **, address_item **);
+
+extern void dnslookup_router_init(router_instance *);
+
+/* End of routers/dnslookup.h */
diff --git a/src/routers/ipliteral.c b/src/routers/ipliteral.c
new file mode 100644
index 0000000..3d68642
--- /dev/null
+++ b/src/routers/ipliteral.c
@@ -0,0 +1,202 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "rf_functions.h"
+#include "ipliteral.h"
+
+
+/* Options specific to the ipliteral router. Because some compilers do not like
+empty declarations ("undefined" in the Standard) we put in a dummy value. */
+
+optionlist ipliteral_router_options[] = {
+  { "", opt_hidden, {NULL} }
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int ipliteral_router_options_count =
+  sizeof(ipliteral_router_options)/sizeof(optionlist);
+
+/* Default private options block for the ipliteral router. Again, a dummy
+value is present to keep some compilers happy. */
+
+ipliteral_router_options_block ipliteral_router_option_defaults = { 0 };
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy entries */
+void ipliteral_router_init(router_instance *rblock) {}
+int ipliteral_router_entry(router_instance *rblock, address_item *addr,
+  struct passwd *pw, int verify, address_item **addr_local,
+  address_item **addr_remote, address_item **addr_new,
+  address_item **addr_succeed) {return 0;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to enable
+consistency checks to be done, or anything else that needs to be set up. */
+
+void
+ipliteral_router_init(router_instance *rblock)
+{
+/*
+ipliteral_router_options_block *ob =
+  (ipliteral_router_options_block *)(rblock->options_block);
+*/
+}
+
+
+
+/*************************************************
+*              Main entry point                  *
+*************************************************/
+
+/* See local README for interface details. This router returns:
+
+DECLINE
+  . the domain is not in the form of an IP literal
+
+DEFER
+  . verifying the errors address caused a deferment or a big disaster such
+      as an expansion failure (rf_get_errors_address)
+  . expanding a headers_{add,remove} string caused a deferment or another
+      expansion error (rf_get_munge_headers)
+  . a problem in rf_get_transport: no transport when one is needed;
+      failed to expand dynamic transport; failed to find dynamic transport
+  . failure to expand or find a uid/gid (rf_get_ugid via rf_queue_add)
+  . self = "freeze", self = "defer"
+
+PASS
+  . self = "pass"
+
+REROUTED
+  . self = "reroute"
+
+FAIL
+  . self = "fail"
+
+OK
+  added address to addr_local or addr_remote, as appropriate for the
+  type of transport; this includes the self="send" case.
+*/
+
+int
+ipliteral_router_entry(
+  router_instance *rblock,        /* data for this instantiation */
+  address_item *addr,             /* address we are working on */
+  struct passwd *pw,              /* passwd entry after check_local_user */
+  int verify,                     /* v_none/v_recipient/v_sender/v_expn */
+  address_item **addr_local,      /* add it to this if it's local */
+  address_item **addr_remote,     /* add it to this if it's remote */
+  address_item **addr_new,        /* put new addresses on here */
+  address_item **addr_succeed)    /* put old address here on success */
+{
+/*
+ipliteral_router_options_block *ob =
+  (ipliteral_router_options_block *)(rblock->options_block);
+*/
+host_item *h;
+const uschar *domain = addr->domain;
+const uschar *ip;
+int len = Ustrlen(domain);
+int rc, ipv;
+
+DEBUG(D_route) debug_printf("%s router called for %s: domain = %s\n",
+  rblock->name, addr->address, addr->domain);
+
+/* Check that the domain is an IP address enclosed in square brackets. Remember
+to allow for the "official" form of IPv6 addresses. If not, the router
+declines. Otherwise route to the single IP address, setting the host name to
+"(unnamed)". */
+
+if (domain[0] != '[' || domain[len-1] != ']') return DECLINE;
+ip = string_copyn(domain+1, len-2);
+if (strncmpic(ip, US"IPV6:", 5) == 0 || strncmpic(ip, US"IPV4:", 5) == 0)
+  ip += 5;
+
+ipv = string_is_ip_address(ip, NULL);
+if (ipv == 0 || (disable_ipv6 && ipv == 6))
+  return DECLINE;
+
+/* It seems unlikely that ignore_target_hosts will be used with this router,
+but if it is set, it should probably work. */
+
+if (verify_check_this_host(CUSS&rblock->ignore_target_hosts,
+       	NULL, domain, ip, NULL) == OK)
+  {
+  DEBUG(D_route)
+      debug_printf("%s is in ignore_target_hosts\n", ip);
+  addr->message = US"IP literal host explicitly ignored";
+  return DECLINE;
+  }
+
+/* Set up a host item */
+
+h = store_get(sizeof(host_item), GET_UNTAINTED);
+
+h->next = NULL;
+h->address = string_copy(ip);
+h->port = PORT_NONE;
+h->name = domain;
+h->mx = MX_NONE;
+h->status = hstatus_unknown;
+h->why = hwhy_unknown;
+h->last_try = 0;
+
+/* Determine whether the host is the local host, and if so, take action
+according to the configuration. */
+
+if (host_scan_for_local_hosts(h, &h, NULL) == HOST_FOUND_LOCAL)
+  {
+  int rc = rf_self_action(addr, h, rblock->self_code, rblock->self_rewrite,
+    rblock->self, addr_new);
+  if (rc != OK) return rc;
+  }
+
+/* Address is routed to this host */
+
+addr->host_list = h;
+
+/* Set up the errors address, if any. */
+
+rc = rf_get_errors_address(addr, rblock, verify, &addr->prop.errors_address);
+if (rc != OK) return rc;
+
+/* Set up the additional and removable headers for this address. */
+
+rc = rf_get_munge_headers(addr, rblock, &addr->prop.extra_headers,
+  &addr->prop.remove_headers);
+if (rc != OK) return rc;
+
+/* Fill in the transport, queue the address for local or remote delivery, and
+yield success. For local delivery, of course, the IP address won't be used. If
+just verifying, there need not be a transport, in which case it doesn't matter
+which queue we put the address on. This is all now handled by the route_queue()
+function. */
+
+if (!rf_get_transport(rblock->transport_name, &(rblock->transport),
+      addr, rblock->name, NULL))
+  return DEFER;
+
+addr->transport = rblock->transport;
+
+return rf_queue_add(addr, addr_local, addr_remote, rblock, pw)?
+  OK : DEFER;
+}
+
+#endif   /*!MACRO_PREDEF*/
+/* End of routers/ipliteral.c */
diff --git a/src/routers/ipliteral.h b/src/routers/ipliteral.h
new file mode 100644
index 0000000..1ddb38b
--- /dev/null
+++ b/src/routers/ipliteral.h
@@ -0,0 +1,34 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* Private structure for the private options. Some compilers do not like empty
+structures - the Standard, alas, says "undefined behaviour" for an empty
+structure - so we have to put in a dummy value. */
+
+typedef struct {
+  int dummy;
+} ipliteral_router_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist ipliteral_router_options[];
+extern int ipliteral_router_options_count;
+
+/* Block containing default values. */
+
+extern ipliteral_router_options_block ipliteral_router_option_defaults;
+
+/* The main and initialization entry points for the router */
+
+extern int ipliteral_router_entry(router_instance *, address_item *,
+  struct passwd *, int, address_item **, address_item **,
+  address_item **, address_item **);
+
+extern void ipliteral_router_init(router_instance *);
+
+/* End of routers/ipliteral.h */
diff --git a/src/routers/iplookup.c b/src/routers/iplookup.c
new file mode 100644
index 0000000..94cde4e
--- /dev/null
+++ b/src/routers/iplookup.c
@@ -0,0 +1,418 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "rf_functions.h"
+#include "iplookup.h"
+
+
+/* IP connection types */
+
+#define ip_udp 0
+#define ip_tcp 1
+
+
+/* Options specific to the iplookup router. */
+
+optionlist iplookup_router_options[] = {
+  { "hosts",    opt_stringptr,
+      OPT_OFF(iplookup_router_options_block, hosts) },
+  { "optional", opt_bool,
+      OPT_OFF(iplookup_router_options_block, optional) },
+  { "port",     opt_int,
+      OPT_OFF(iplookup_router_options_block, port) },
+  { "protocol", opt_stringptr,
+      OPT_OFF(iplookup_router_options_block, protocol_name) },
+  { "query",    opt_stringptr,
+      OPT_OFF(iplookup_router_options_block, query) },
+  { "reroute",  opt_stringptr,
+      OPT_OFF(iplookup_router_options_block, reroute) },
+  { "response_pattern", opt_stringptr,
+      OPT_OFF(iplookup_router_options_block, response_pattern) },
+  { "timeout",  opt_time,
+      OPT_OFF(iplookup_router_options_block, timeout) }
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int iplookup_router_options_count =
+  sizeof(iplookup_router_options)/sizeof(optionlist);
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy entries */
+iplookup_router_options_block iplookup_router_option_defaults = {0};
+void iplookup_router_init(router_instance *rblock) {}
+int iplookup_router_entry(router_instance *rblock, address_item *addr,
+  struct passwd *pw, int verify, address_item **addr_local,
+  address_item **addr_remote, address_item **addr_new,
+  address_item **addr_succeed) {return 0;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+/* Default private options block for the iplookup router. */
+
+iplookup_router_options_block iplookup_router_option_defaults = {
+  -1,       /* port */
+  ip_udp,   /* protocol */
+  5,        /* timeout */
+  NULL,     /* protocol_name */
+  NULL,     /* hosts */
+  NULL,     /* query; NULL => local_part@domain */
+  NULL,     /* response_pattern; NULL => don't apply regex */
+  NULL,     /* reroute; NULL => just used returned data */
+  NULL,     /* re_response_pattern; compiled pattern */
+  FALSE     /* optional */
+};
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to enable
+consistency checks to be done, or anything else that needs to be set up. */
+
+void
+iplookup_router_init(router_instance *rblock)
+{
+iplookup_router_options_block *ob =
+  (iplookup_router_options_block *)(rblock->options_block);
+
+/* A port and a host list must be given */
+
+if (ob->port < 0)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n  "
+    "a port must be specified", rblock->name);
+
+if (ob->hosts == NULL)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n  "
+    "a host list must be specified", rblock->name);
+
+/* Translate protocol name into value */
+
+if (ob->protocol_name != NULL)
+  {
+  if (Ustrcmp(ob->protocol_name, "udp") == 0) ob->protocol = ip_udp;
+  else if (Ustrcmp(ob->protocol_name, "tcp") == 0) ob->protocol = ip_tcp;
+  else log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n  "
+    "protocol not specified as udp or tcp", rblock->name);
+  }
+
+/* If a response pattern is given, compile it now to get the error early. */
+
+if (ob->response_pattern != NULL)
+  ob->re_response_pattern =
+    regex_must_compile(ob->response_pattern, FALSE, TRUE);
+}
+
+
+
+/*************************************************
+*              Main entry point                  *
+*************************************************/
+
+/* See local README for interface details. This router returns:
+
+DECLINE
+  . pattern or identification match on returned data failed
+
+DEFER
+  . failed to expand the query or rerouting string
+  . failed to create socket ("optional" not set)
+  . failed to find a host, failed to connect, timed out ("optional" not set)
+  . rerouting string is not in the form localpart@domain
+  . verifying the errors address caused a deferment or a big disaster such
+      as an expansion failure (rf_get_errors_address)
+  . expanding a headers_{add,remove} string caused a deferment or another
+      expansion error (rf_get_munge_headers)
+
+PASS
+  . failed to create socket ("optional" set)
+  . failed to find a host, failed to connect, timed out ("optional" set)
+
+OK
+  . new address added to addr_new
+*/
+
+int
+iplookup_router_entry(
+  router_instance *rblock,        /* data for this instantiation */
+  address_item *addr,             /* address we are working on */
+  struct passwd *pw,              /* passwd entry after check_local_user */
+  int verify,                     /* v_none/v_recipient/v_sender/v_expn */
+  address_item **addr_local,      /* add it to this if it's local */
+  address_item **addr_remote,     /* add it to this if it's remote */
+  address_item **addr_new,        /* put new addresses on here */
+  address_item **addr_succeed)    /* put old address here on success */
+{
+uschar *query = NULL;
+uschar *reply;
+uschar *hostname, *reroute, *domain;
+const uschar *listptr;
+uschar host_buffer[256];
+host_item *host = store_get(sizeof(host_item), GET_UNTAINTED);
+address_item *new_addr;
+iplookup_router_options_block *ob =
+  (iplookup_router_options_block *)(rblock->options_block);
+const pcre2_code *re = ob->re_response_pattern;
+int count, query_len, rc;
+int sep = 0;
+
+DEBUG(D_route) debug_printf("%s router called for %s: domain = %s\n",
+  rblock->name, addr->address, addr->domain);
+
+reply = store_get(256, GET_TAINTED);
+
+/* Build the query string to send. If not explicitly given, a default of
+"user@domain user@domain" is used. */
+
+if (ob->query == NULL)
+  query = string_sprintf("%s@%s %s@%s", addr->local_part, addr->domain,
+    addr->local_part, addr->domain);
+else
+  {
+  query = expand_string(ob->query);
+  if (query == NULL)
+    {
+    addr->message = string_sprintf("%s router: failed to expand %s: %s",
+      rblock->name, ob->query, expand_string_message);
+    return DEFER;
+    }
+  }
+
+query_len = Ustrlen(query);
+DEBUG(D_route) debug_printf("%s router query is \"%s\"\n", rblock->name,
+  string_printing(query));
+
+/* Now connect to the required port for each of the hosts in turn, until a
+response it received. Initialization insists on the port being set and there
+being a host list. */
+
+listptr = ob->hosts;
+/* not expanded so should never be tainted */
+while ((hostname = string_nextinlist(&listptr, &sep, host_buffer,
+       sizeof(host_buffer))))
+  {
+  host_item *h;
+
+  DEBUG(D_route) debug_printf("calling host %s\n", hostname);
+
+  host->name = hostname;
+  host->address = NULL;
+  host->port = PORT_NONE;
+  host->mx = MX_NONE;
+  host->next = NULL;
+
+  if (string_is_ip_address(host->name, NULL) != 0)
+    host->address = host->name;
+  else
+    {
+/*XXX might want dnssec request/require on an iplookup router? */
+    int rc = host_find_byname(host, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, TRUE);
+    if (rc == HOST_FIND_FAILED || rc == HOST_FIND_AGAIN) continue;
+    }
+
+  /* Loop for possible multiple IP addresses for the given name. */
+
+  for (h = host; h; h = h->next)
+    {
+    int host_af;
+    client_conn_ctx query_cctx = {0};
+
+    /* Skip any hosts for which we have no address */
+
+    if (!h->address) continue;
+
+    /* Create a socket, for UDP or TCP, as configured. IPv6 addresses are
+    detected by checking for a colon in the address. */
+
+    host_af = (Ustrchr(h->address, ':') != NULL)? AF_INET6 : AF_INET;
+
+    query_cctx.sock = ip_socket(ob->protocol == ip_udp ? SOCK_DGRAM:SOCK_STREAM,
+      host_af);
+    if (query_cctx.sock < 0)
+      {
+      if (ob->optional) return PASS;
+      addr->message = string_sprintf("failed to create socket in %s router",
+        rblock->name);
+      return DEFER;
+      }
+
+    /* Connect to the remote host, under a timeout. In fact, timeouts can occur
+    here only for TCP calls; for a UDP socket, "connect" always works (the
+    router will timeout later on the read call). */
+/*XXX could take advantage of TFO */
+
+    if (ip_connect(query_cctx.sock, host_af, h->address,ob->port, ob->timeout,
+		ob->protocol == ip_udp ? NULL : &tcp_fastopen_nodata) < 0)
+      {
+      close(query_cctx.sock);
+      DEBUG(D_route)
+        debug_printf("connection to %s failed: %s\n", h->address,
+          strerror(errno));
+      continue;
+      }
+
+    /* Send the query. If it fails, just continue with the next address. */
+
+    if (send(query_cctx.sock, query, query_len, 0) < 0)
+      {
+      DEBUG(D_route) debug_printf("send to %s failed\n", h->address);
+      (void)close(query_cctx.sock);
+      continue;
+      }
+
+    /* Read the response and close the socket. If the read fails, try the
+    next IP address. */
+
+    count = ip_recv(&query_cctx, reply, sizeof(reply) - 1, time(NULL) + ob->timeout);
+    (void)close(query_cctx.sock);
+    if (count <= 0)
+      {
+      DEBUG(D_route) debug_printf("%s from %s\n", (errno == ETIMEDOUT)?
+        "timed out" : "recv failed", h->address);
+      *reply = 0;
+      continue;
+      }
+
+    /* Success; break the loop */
+
+    reply[count] = 0;
+    DEBUG(D_route) debug_printf("%s router received \"%s\" from %s\n",
+      rblock->name, string_printing(reply), h->address);
+    break;
+    }
+
+  /* If h == NULL we have tried all the IP addresses and failed on all of them,
+  so we must continue to try more host names. Otherwise we have succeeded. */
+
+  if (h) break;
+  }
+
+
+/* If hostname is NULL, we have failed to find any host, or failed to
+connect to any of the IP addresses, or timed out while reading or writing to
+those we have connected to. In all cases, we must pass if optional and
+defer otherwise. */
+
+if (hostname == NULL)
+  {
+  DEBUG(D_route) debug_printf("%s router failed to get anything\n", rblock->name);
+  if (ob->optional) return PASS;
+  addr->message = string_sprintf("%s router: failed to communicate with any "
+    "host", rblock->name);
+  return DEFER;
+  }
+
+
+/* If a response pattern was supplied, match the returned string against it. A
+failure to match causes the router to decline. After a successful match, the
+numerical variables for expanding the rerouted address are set up. */
+
+if (re != NULL)
+  {
+  if (!regex_match_and_setup(re, reply, 0, -1))
+    {
+    DEBUG(D_route) debug_printf("%s router: %s failed to match response %s\n",
+      rblock->name, ob->response_pattern, reply);
+    return DECLINE;
+    }
+  }
+
+
+/* If no response pattern was supplied, set up $0 as the response up to the
+first white space (if any). Also, if no query was specified, check that what
+follows the white space matches user@domain. */
+
+else
+  {
+  int n = 0;
+  while (reply[n] != 0 && !isspace(reply[n])) n++;
+  expand_nmax = 0;
+  expand_nstring[0] = reply;
+  expand_nlength[0] = n;
+
+  if (ob->query == NULL)
+    {
+    int nn = n;
+    while (isspace(reply[nn])) nn++;
+    if (Ustrcmp(query + query_len/2 + 1, reply+nn) != 0)
+      {
+      DEBUG(D_route) debug_printf("%s router: failed to match identification "
+        "in response %s\n", rblock->name, reply);
+      return DECLINE;
+      }
+    }
+
+  reply[n] = 0;  /* Terminate for the default case */
+  }
+
+/* If an explicit rerouting string is specified, expand it. Otherwise, use
+what was sent back verbatim. */
+
+if (ob->reroute != NULL)
+  {
+  reroute = expand_string(ob->reroute);
+  expand_nmax = -1;
+  if (reroute == NULL)
+    {
+    addr->message = string_sprintf("%s router: failed to expand %s: %s",
+      rblock->name, ob->reroute, expand_string_message);
+    return DEFER;
+    }
+  }
+else reroute = reply;
+
+/* We should now have a new address in the form user@domain. */
+
+domain = Ustrchr(reroute, '@');
+if (domain == NULL)
+  {
+  log_write(0, LOG_MAIN, "%s router: reroute string %s is not of the form "
+    "user@domain", rblock->name, reroute);
+  addr->message = string_sprintf("%s router: reroute string %s is not of the "
+    "form user@domain", rblock->name, reroute);
+  return DEFER;
+  }
+
+/* Create a child address with the old one as parent. Put the new address on
+the chain of new addressess. */
+
+new_addr = deliver_make_addr(reroute, TRUE);
+new_addr->parent = addr;
+
+new_addr->prop = addr->prop;
+
+if (addr->child_count == USHRT_MAX)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s router generated more than %d "
+    "child addresses for <%s>", rblock->name, USHRT_MAX, addr->address);
+addr->child_count++;
+new_addr->next = *addr_new;
+*addr_new = new_addr;
+
+/* Set up the errors address, if any, and the additional and removable headers
+for this new address. */
+
+rc = rf_get_errors_address(addr, rblock, verify, &new_addr->prop.errors_address);
+if (rc != OK) return rc;
+
+rc = rf_get_munge_headers(addr, rblock, &new_addr->prop.extra_headers,
+  &new_addr->prop.remove_headers);
+if (rc != OK) return rc;
+
+return OK;
+}
+
+#endif   /*!MACRO_PREDEF*/
+/* End of routers/iplookup.c */
diff --git a/src/routers/iplookup.h b/src/routers/iplookup.h
new file mode 100644
index 0000000..dbcb03c
--- /dev/null
+++ b/src/routers/iplookup.h
@@ -0,0 +1,42 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) The Exim Maintainers 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* Private structure for the private options. */
+
+typedef struct {
+  int   port;
+  int   protocol;
+  int   timeout;
+  uschar *protocol_name;
+  uschar *hosts;
+  uschar *query;
+  uschar *response_pattern;
+  uschar *reroute;
+  const pcre2_code *re_response_pattern;
+  BOOL  optional;
+} iplookup_router_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist iplookup_router_options[];
+extern int iplookup_router_options_count;
+
+/* Block containing default values. */
+
+extern iplookup_router_options_block iplookup_router_option_defaults;
+
+/* The main and initialization entry points for the router */
+
+extern int iplookup_router_entry(router_instance *, address_item *,
+  struct passwd *, int, address_item **, address_item **,
+  address_item **, address_item **);
+
+extern void iplookup_router_init(router_instance *);
+
+/* End of routers/iplookup.h */
diff --git a/src/routers/manualroute.c b/src/routers/manualroute.c
new file mode 100644
index 0000000..974ad0c
--- /dev/null
+++ b/src/routers/manualroute.c
@@ -0,0 +1,490 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "rf_functions.h"
+#include "manualroute.h"
+
+
+/* Options specific to the manualroute router. */
+
+optionlist manualroute_router_options[] = {
+  { "host_all_ignored", opt_stringptr,
+      OPT_OFF(manualroute_router_options_block, host_all_ignored) },
+  { "host_find_failed", opt_stringptr,
+      OPT_OFF(manualroute_router_options_block, host_find_failed) },
+  { "hosts_randomize",  opt_bool,
+      OPT_OFF(manualroute_router_options_block, hosts_randomize) },
+  { "route_data",       opt_stringptr,
+      OPT_OFF(manualroute_router_options_block, route_data) },
+  { "route_list",       opt_stringptr,
+      OPT_OFF(manualroute_router_options_block, route_list) },
+  { "same_domain_copy_routing", opt_bool|opt_public,
+      OPT_OFF(router_instance, same_domain_copy_routing) }
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int manualroute_router_options_count =
+  sizeof(manualroute_router_options)/sizeof(optionlist);
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy entries */
+manualroute_router_options_block manualroute_router_option_defaults = {0};
+void manualroute_router_init(router_instance *rblock) {}
+int manualroute_router_entry(router_instance *rblock, address_item *addr,
+  struct passwd *pw, int verify, address_item **addr_local,
+  address_item **addr_remote, address_item **addr_new,
+  address_item **addr_succeed) {return 0;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+
+/* Default private options block for the manualroute router. */
+
+manualroute_router_options_block manualroute_router_option_defaults = {
+  -1,           /* host_all_ignored code (unset) */
+  -1,           /* host_find_failed code (unset) */
+  FALSE,        /* hosts_randomize */
+  US"defer",    /* host_all_ignored */
+  US"freeze",   /* host_find_failed */
+  NULL,         /* route_data */
+  NULL          /* route_list */
+};
+
+
+/* Names and values for host_find_failed and host_all_ignored.  */
+
+static uschar *hff_names[] = {
+  US"ignore",  /* MUST be first - not valid for host_all_ignored */
+  US"decline",
+  US"defer",
+  US"fail",
+  US"freeze",
+  US"pass" };
+
+static int hff_codes[] = { hff_ignore, hff_decline, hff_defer, hff_fail,
+  hff_freeze, hff_pass };
+
+static int hff_count= sizeof(hff_codes)/sizeof(int);
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to enable
+consistency checks to be done, or anything else that needs to be set up. */
+
+void
+manualroute_router_init(router_instance *rblock)
+{
+manualroute_router_options_block *ob =
+  (manualroute_router_options_block *)(rblock->options_block);
+
+/* Host_find_failed must be a recognized word */
+
+for (int i = 0; i < hff_count; i++)
+  if (Ustrcmp(ob->host_find_failed, hff_names[i]) == 0)
+    {
+    ob->hff_code = hff_codes[i];
+    break;
+    }
+if (ob->hff_code < 0)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n  "
+    "unrecognized setting for host_find_failed option", rblock->name);
+
+for (int i = 1; i < hff_count; i++)   /* NB starts at 1 to skip "ignore" */
+  if (Ustrcmp(ob->host_all_ignored, hff_names[i]) == 0)
+    {
+    ob->hai_code = hff_codes[i];
+    break;
+    }
+if (ob->hai_code < 0)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n  "
+    "unrecognized setting for host_all_ignored option", rblock->name);
+
+/* One of route_list or route_data must be specified */
+
+if ((ob->route_list == NULL && ob->route_data == NULL) ||
+    (ob->route_list != NULL && ob->route_data != NULL))
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n  "
+    "route_list or route_data (but not both) must be specified",
+    rblock->name);
+}
+
+
+
+
+/*************************************************
+*               Parse a route item               *
+*************************************************/
+
+/* The format of a route list item is:
+
+  <domain> [<host[list]> [<options>]]
+
+if obtained from route_list. The domain is absent if the string came from
+route_data, in which case domain==NULL. The domain and the host list may be
+enclosed in quotes.
+
+Arguments:
+  s         pointer to route list item
+  domain    if not NULL, where to put the domain pointer
+  hostlist  where to put the host[list] pointer
+  options   where to put the options pointer
+
+Returns:    FALSE if domain expected and string is empty;
+            TRUE otherwise
+*/
+
+static BOOL
+parse_route_item(const uschar *s, const uschar **domain, const uschar **hostlist,
+  const uschar **options)
+{
+while (*s != 0 && isspace(*s)) s++;
+
+if (domain)
+  {
+  if (!*s) return FALSE;            /* missing data */
+  *domain = string_dequote(&s);
+  while (*s && isspace(*s)) s++;
+  }
+
+*hostlist = string_dequote(&s);
+while (*s && isspace(*s)) s++;
+*options = s;
+return TRUE;
+}
+
+
+
+/*************************************************
+*              Main entry point                  *
+*************************************************/
+
+/* The manualroute router provides a manual routing facility (surprise,
+surprise). The data that defines the routing can either be set in route_data
+(which means it can be found by, for example, looking up the domain in a file),
+or a list of domain patterns and their corresponding data can be provided in
+route_list. */
+
+/* See local README for interface details. This router returns:
+
+DECLINE
+  . no pattern in route_list matched (route_data not set)
+  . route_data was an empty string (route_list not set)
+  . forced expansion failure in route_data (rf_expand_data)
+  . forced expansion of host list
+  . host_find_failed = decline
+
+DEFER
+  . transport not defined when needed
+  . lookup defer in route_list when matching domain pattern
+  . non-forced expansion failure in route_data
+  . non-forced expansion failure in host list
+  . unknown routing option
+  . host list missing for remote transport (not verifying)
+  . timeout etc on host lookup (pass_on_timeout not set)
+  . verifying the errors address caused a deferment or a big disaster such
+      as an expansion failure (rf_get_errors_address)
+  . expanding a headers_{add,remove} string caused a deferment or another
+      expansion error (rf_get_munge_headers)
+  . a problem in rf_get_transport: no transport when one is needed;
+      failed to expand dynamic transport; failed to find dynamic transport
+  . failure to expand or find a uid/gid (rf_get_ugid via rf_queue_add)
+  . host_find_failed = freeze or defer
+  . self = freeze or defer
+
+PASS
+  . timeout etc on host lookup (pass_on_timeout set)
+  . host_find_failed = pass
+  . self = pass
+
+REROUTED
+  . self = reroute
+
+FAIL
+  . host_find_failed = fail
+  . self = fail
+
+OK
+  . added address to addr_local or addr_remote, as appropriate for the
+    type of transport; this includes the self="send" case.
+*/
+
+int
+manualroute_router_entry(
+  router_instance *rblock,        /* data for this instantiation */
+  address_item *addr,             /* address we are working on */
+  struct passwd *pw,              /* passwd entry after check_local_user */
+  int verify,                     /* v_none/v_recipient/v_sender/v_expn */
+  address_item **addr_local,      /* add it to this if it's local */
+  address_item **addr_remote,     /* add it to this if it's remote */
+  address_item **addr_new,        /* put new addresses on here */
+  address_item **addr_succeed)    /* put old address here on success */
+{
+int rc, lookup_type;
+uschar *route_item = NULL;
+const uschar *options = NULL;
+const uschar *hostlist = NULL;
+const uschar *domain;
+uschar *newhostlist;
+const uschar *listptr;
+manualroute_router_options_block *ob =
+  (manualroute_router_options_block *)(rblock->options_block);
+transport_instance *transport = NULL;
+BOOL individual_transport_set = FALSE;
+BOOL randomize = ob->hosts_randomize;
+
+DEBUG(D_route) debug_printf("%s router called for %s\n  domain = %s\n",
+  rblock->name, addr->address, addr->domain);
+
+/* The initialization check ensures that either route_list or route_data is
+set. */
+
+if (ob->route_list)
+  {
+  int sep = -(';');             /* Default is semicolon */
+  listptr = ob->route_list;
+
+  while ((route_item = string_nextinlist(&listptr, &sep, NULL, 0)))
+    {
+    int rc;
+
+    DEBUG(D_route) debug_printf("route_item = %s\n", route_item);
+    if (!parse_route_item(route_item, &domain, &hostlist, &options))
+      continue;     /* Ignore blank items */
+
+    /* Check the current domain; if it matches, break the loop */
+
+    if ((rc = match_isinlist(addr->domain, &domain, UCHAR_MAX+1,
+           &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, CUSS &lookup_value)) == OK)
+      break;
+
+    /* If there was a problem doing the check, defer */
+
+    if (rc == DEFER)
+      {
+      addr->message = US"lookup defer in route_list";
+      return DEFER;
+      }
+    }
+
+  if (!route_item) return DECLINE;  /* No pattern in the list matched */
+  }
+
+/* Handle a single routing item in route_data. If it expands to an empty
+string, decline. */
+
+else
+  {
+  if (!(route_item = rf_expand_data(addr, ob->route_data, &rc)))
+    return rc;
+  (void) parse_route_item(route_item, NULL, &hostlist, &options);
+  if (!hostlist[0]) return DECLINE;
+  }
+
+/* Expand the hostlist item. It may then pointing to an empty string, or to a
+single host or a list of hosts; options is pointing to the rest of the
+routelist item, which is either empty or contains various option words. */
+
+DEBUG(D_route) debug_printf("original list of hosts = '%s' options = '%s'\n",
+  hostlist, options);
+
+newhostlist = expand_string_copy(hostlist);
+lookup_value = NULL;                        /* Finished with */
+expand_nmax = -1;
+
+/* If the expansion was forced to fail, just decline. Otherwise there is a
+configuration problem. */
+
+if (!newhostlist)
+  {
+  if (f.expand_string_forcedfail) return DECLINE;
+  addr->message = string_sprintf("%s router: failed to expand \"%s\": %s",
+    rblock->name, hostlist, expand_string_message);
+  return DEFER;
+  }
+else hostlist = newhostlist;
+
+DEBUG(D_route) debug_printf("expanded list of hosts = '%s' options = '%s'\n",
+  hostlist, options);
+
+/* Set default lookup type and scan the options */
+
+lookup_type = LK_DEFAULT;
+
+while (*options)
+  {
+  unsigned n;
+  const uschar *s = options;
+  while (*options != 0 && !isspace(*options)) options++;
+  n = options-s;
+
+  if (Ustrncmp(s, "randomize", n) == 0) randomize = TRUE;
+  else if (Ustrncmp(s, "no_randomize", n) == 0) randomize = FALSE;
+  else if (Ustrncmp(s, "byname", n) == 0)
+    lookup_type = lookup_type & ~(LK_DEFAULT | LK_BYDNS) | LK_BYNAME;
+  else if (Ustrncmp(s, "bydns", n) == 0)
+    lookup_type = lookup_type & ~(LK_DEFAULT | LK_BYNAME) & LK_BYDNS;
+  else if (Ustrncmp(s, "ipv4_prefer", n) == 0) lookup_type |= LK_IPV4_PREFER;
+  else if (Ustrncmp(s, "ipv4_only",   n) == 0) lookup_type |= LK_IPV4_ONLY;
+  else
+    {
+    transport_instance *t;
+    for (t = transports; t; t = t->next)
+      if (Ustrncmp(t->name, s, n) == 0)
+        {
+        transport = t;
+        individual_transport_set = TRUE;
+        break;
+        }
+
+    if (!t)
+      {
+      s = string_sprintf("unknown routing option or transport name \"%s\"", s);
+      log_write(0, LOG_MAIN, "Error in %s router: %s", rblock->name, s);
+      addr->message = string_sprintf("error in router: %s", s);
+      return DEFER;
+      }
+    }
+
+  if (*options)
+    {
+    options++;
+    while (*options != 0 && isspace(*options)) options++;
+    }
+  }
+
+/* Set up the errors address, if any. */
+
+rc = rf_get_errors_address(addr, rblock, verify, &addr->prop.errors_address);
+if (rc != OK) return rc;
+
+/* Set up the additional and removable headers for this address. */
+
+rc = rf_get_munge_headers(addr, rblock, &addr->prop.extra_headers,
+  &addr->prop.remove_headers);
+if (rc != OK) return rc;
+
+/* If an individual transport is not set, get the transport for this router, if
+any. It might be expanded, or it might be unset if this router has verify_only
+set. */
+
+if (!individual_transport_set)
+  {
+  if (!rf_get_transport(rblock->transport_name, &(rblock->transport), addr,
+      rblock->name, NULL))
+    return DEFER;
+  transport = rblock->transport;
+  }
+
+/* Deal with the case of a local transport. The host list is passed over as a
+single text string that ends up in $host. */
+
+if (transport && transport->info->local)
+  {
+  if (hostlist[0])
+    {
+    host_item *h;
+    addr->host_list = h = store_get(sizeof(host_item), GET_UNTAINTED);
+    h->name = string_copy(hostlist);
+    h->address = NULL;
+    h->port = PORT_NONE;
+    h->mx = MX_NONE;
+    h->status = hstatus_unknown;
+    h->why = hwhy_unknown;
+    h->last_try = 0;
+    h->next = NULL;
+    }
+
+  /* There is nothing more to do other than to queue the address for the
+  local transport, filling in any uid/gid. This can be done by the common
+  rf_queue_add() function. */
+
+  addr->transport = transport;
+  return rf_queue_add(addr, addr_local, addr_remote, rblock, pw)?
+    OK : DEFER;
+  }
+
+/* There is either no transport (verify_only) or a remote transport. A host
+list is mandatory in either case, except when verifying, in which case the
+address is just accepted. */
+
+if (!hostlist[0])
+  {
+  if (verify != v_none) goto ROUTED;
+  addr->message = string_sprintf("error in %s router: no host(s) specified "
+    "for domain %s", rblock->name, addr->domain);
+  log_write(0, LOG_MAIN, "%s", addr->message);
+  return DEFER;
+  }
+
+/* Otherwise we finish the routing here by building a chain of host items
+for the list of configured hosts, and then finding their addresses. */
+
+host_build_hostlist(&addr->host_list, hostlist, randomize);
+rc = rf_lookup_hostlist(rblock, addr, rblock->ignore_target_hosts, lookup_type,
+  ob->hff_code, addr_new);
+if (rc != OK) return rc;
+
+/* If host_find_failed is set to "ignore", it is possible for all the hosts to
+be ignored, in which case we will end up with an empty host list. What happens
+is controlled by host_all_ignored. */
+
+if (!addr->host_list)
+  {
+  int i;
+  DEBUG(D_route) debug_printf("host_find_failed ignored every host\n");
+  if (ob->hai_code == hff_decline) return DECLINE;
+  if (ob->hai_code == hff_pass) return PASS;
+
+  for (i = 0; i < hff_count; i++)
+    if (ob->hai_code == hff_codes[i]) break;
+
+  addr->message = string_sprintf("lookup failed for all hosts in %s router: "
+    "host_find_failed=ignore host_all_ignored=%s", rblock->name, hff_names[i]);
+
+  if (ob->hai_code == hff_defer) return DEFER;
+  if (ob->hai_code == hff_fail) return FAIL;
+
+  addr->special_action = SPECIAL_FREEZE;
+  return DEFER;
+  }
+
+/* Finally, since we have done all the routing here, there must be a transport
+defined for these hosts. It will be a remote one, as a local transport is
+dealt with above. However, we don't need one if verifying only. */
+
+if (!transport && verify == v_none)
+    {
+    log_write(0, LOG_MAIN, "Error in %s router: no transport defined",
+      rblock->name);
+    addr->message = US"error in router: transport missing";
+    return DEFER;
+    }
+
+/* Fill in the transport, queue for remote delivery. The yield of
+rf_queue_add() is always TRUE for a remote transport. */
+
+ROUTED:
+
+addr->transport = transport;
+(void)rf_queue_add(addr, addr_local, addr_remote, rblock, NULL);
+return OK;
+}
+
+#endif   /*!MACRO_PREDEF*/
+/* End of routers/manualroute.c */
diff --git a/src/routers/manualroute.h b/src/routers/manualroute.h
new file mode 100644
index 0000000..9c20b6f
--- /dev/null
+++ b/src/routers/manualroute.h
@@ -0,0 +1,39 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Header for the manualroute router */
+
+/* Structure for the private options. */
+
+typedef struct {
+  int   hai_code;
+  int   hff_code;
+  BOOL  hosts_randomize;
+  uschar *host_all_ignored;
+  uschar *host_find_failed;
+  uschar *route_data;
+  uschar *route_list;
+} manualroute_router_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist manualroute_router_options[];
+extern int manualroute_router_options_count;
+
+/* Block containing default values. */
+
+extern manualroute_router_options_block manualroute_router_option_defaults;
+
+/* The main and initialization entry points for the router */
+
+extern int manualroute_router_entry(router_instance *, address_item *,
+  struct passwd *, int, address_item **, address_item **,
+  address_item **, address_item **);
+
+extern void manualroute_router_init(router_instance *);
+
+/* End of routers/manualroute.h */
diff --git a/src/routers/queryprogram.c b/src/routers/queryprogram.c
new file mode 100644
index 0000000..55f03a4
--- /dev/null
+++ b/src/routers/queryprogram.c
@@ -0,0 +1,538 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "rf_functions.h"
+#include "queryprogram.h"
+
+
+
+/* Options specific to the queryprogram router. */
+
+optionlist queryprogram_router_options[] = {
+  { "*expand_command_group", opt_bool | opt_hidden,
+      OPT_OFF(queryprogram_router_options_block, expand_cmd_gid) },
+  { "*expand_command_user", opt_bool | opt_hidden,
+      OPT_OFF(queryprogram_router_options_block, expand_cmd_uid) },
+  { "*set_command_group",   opt_bool | opt_hidden,
+      OPT_OFF(queryprogram_router_options_block, cmd_gid_set) },
+  { "*set_command_user",    opt_bool | opt_hidden,
+      OPT_OFF(queryprogram_router_options_block, cmd_uid_set) },
+  { "command",      opt_stringptr,
+      OPT_OFF(queryprogram_router_options_block, command) },
+  { "command_group",opt_expand_gid,
+      OPT_OFF(queryprogram_router_options_block, cmd_gid) },
+  { "command_user", opt_expand_uid,
+      OPT_OFF(queryprogram_router_options_block, cmd_uid) },
+  { "current_directory", opt_stringptr,
+      OPT_OFF(queryprogram_router_options_block, current_directory) },
+  { "timeout",      opt_time,
+      OPT_OFF(queryprogram_router_options_block, timeout) }
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int queryprogram_router_options_count =
+  sizeof(queryprogram_router_options)/sizeof(optionlist);
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy entries */
+queryprogram_router_options_block queryprogram_router_option_defaults = {0};
+void queryprogram_router_init(router_instance *rblock) {}
+int queryprogram_router_entry(router_instance *rblock, address_item *addr,
+  struct passwd *pw, int verify, address_item **addr_local,
+  address_item **addr_remote, address_item **addr_new,
+  address_item **addr_succeed) {return 0;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+/* Default private options block for the queryprogram router. */
+
+queryprogram_router_options_block queryprogram_router_option_defaults = {
+  NULL,         /* command */
+  60*60,        /* timeout */
+  (uid_t)(-1),  /* cmd_uid */
+  (gid_t)(-1),  /* cmd_gid */
+  FALSE,        /* cmd_uid_set */
+  FALSE,        /* cmd_gid_set */
+  US"/",        /* current_directory */
+  NULL,         /* expand_cmd_gid */
+  NULL          /* expand_cmd_uid */
+};
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to enable
+consistency checks to be done, or anything else that needs to be set up. */
+
+void
+queryprogram_router_init(router_instance *rblock)
+{
+queryprogram_router_options_block *ob =
+  (queryprogram_router_options_block *)(rblock->options_block);
+
+/* A command must be given */
+
+if (!ob->command)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n  "
+    "a command specification is required", rblock->name);
+
+/* A uid/gid must be supplied */
+
+if (!ob->cmd_uid_set && !ob->expand_cmd_uid)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n  "
+    "command_user must be specified", rblock->name);
+}
+
+
+
+/*************************************************
+*    Process a set of generated new addresses    *
+*************************************************/
+
+/* This function sets up a set of newly generated child addresses and puts them
+on the new address chain.
+
+Arguments:
+  rblock                  router block
+  addr_new                new address chain
+  addr                    original address
+  generated               list of generated addresses
+  addr_prop               the propagated data block, containing errors_to,
+                            header change stuff, and address_data
+
+Returns:         nothing
+*/
+
+static void
+add_generated(router_instance *rblock, address_item **addr_new,
+  address_item *addr, address_item *generated,
+  address_item_propagated *addr_prop)
+{
+while (generated != NULL)
+  {
+  BOOL ignore_error = addr->prop.ignore_error;
+  address_item *next = generated;
+
+  generated = next->next;
+
+  next->parent = addr;
+  next->prop = *addr_prop;
+  next->prop.ignore_error = next->prop.ignore_error || ignore_error;
+  next->start_router = rblock->redirect_router;
+
+  next->next = *addr_new;
+  *addr_new = next;
+
+  if (addr->child_count == USHRT_MAX)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s router generated more than %d "
+      "child addresses for <%s>", rblock->name, USHRT_MAX, addr->address);
+  addr->child_count++;
+
+  DEBUG(D_route)
+    debug_printf("%s router generated %s\n", rblock->name, next->address);
+  }
+}
+
+
+
+
+/*************************************************
+*              Main entry point                  *
+*************************************************/
+
+/* See local README for interface details. This router returns:
+
+DECLINE
+  . DECLINE returned
+  . self = DECLINE
+
+PASS
+  . PASS returned
+  . timeout of host lookup and pass_on_timeout set
+  . self = PASS
+
+DEFER
+  . verifying the errors address caused a deferment or a big disaster such
+      as an expansion failure (rf_get_errors_address)
+  . expanding a headers_{add,remove} string caused a deferment or another
+      expansion error (rf_get_munge_headers)
+  . a problem in rf_get_transport: no transport when one is needed;
+      failed to expand dynamic transport; failed to find dynamic transport
+  . bad lookup type
+  . problem looking up host (rf_lookup_hostlist)
+  . self = DEFER or FREEZE
+  . failure to set up uid/gid for running the command
+  . failure of transport_set_up_command: too many arguments, expansion fail
+  . failure to create child process
+  . child process crashed or timed out or didn't return data
+  . :defer: in data
+  . DEFER or FREEZE returned
+  . problem in redirection data
+  . unknown transport name or trouble expanding router transport
+
+FAIL
+  . :fail: in data
+  . FAIL returned
+  . self = FAIL
+
+OK
+  . address added to addr_local or addr_remote for delivery
+  . new addresses added to addr_new
+*/
+
+int
+queryprogram_router_entry(
+  router_instance *rblock,        /* data for this instantiation */
+  address_item *addr,             /* address we are working on */
+  struct passwd *pw,              /* passwd entry after check_local_user */
+  int verify,                     /* v_none/v_recipient/v_sender/v_expn */
+  address_item **addr_local,      /* add it to this if it's local */
+  address_item **addr_remote,     /* add it to this if it's remote */
+  address_item **addr_new,        /* put new addresses on here */
+  address_item **addr_succeed)    /* put old address here on success */
+{
+int fd_in, fd_out, len, rc;
+pid_t pid;
+struct passwd *upw = NULL;
+uschar buffer[1024];
+const uschar **argvptr;
+uschar *rword, *rdata, *s;
+address_item_propagated addr_prop;
+queryprogram_router_options_block *ob =
+  (queryprogram_router_options_block *)(rblock->options_block);
+uschar *current_directory = ob->current_directory;
+ugid_block ugid;
+uid_t curr_uid = getuid();
+gid_t curr_gid = getgid();
+uid_t uid = ob->cmd_uid;
+gid_t gid = ob->cmd_gid;
+uid_t *puid = &uid;
+gid_t *pgid = &gid;
+
+DEBUG(D_route) debug_printf("%s router called for %s: domain = %s\n",
+  rblock->name, addr->address, addr->domain);
+
+ugid.uid_set = ugid.gid_set = FALSE;
+
+/* Set up the propagated data block with the current address_data and the
+errors address and extra header stuff. */
+
+bzero(&addr_prop, sizeof(addr_prop));
+addr_prop.address_data = deliver_address_data;
+tree_dup((tree_node **)&addr_prop.variables, addr->prop.variables);
+
+rc = rf_get_errors_address(addr, rblock, verify, &addr_prop.errors_address);
+if (rc != OK) return rc;
+
+rc = rf_get_munge_headers(addr, rblock, &addr_prop.extra_headers,
+  &addr_prop.remove_headers);
+if (rc != OK) return rc;
+
+/* Get the fixed or expanded uid under which the command is to run
+(initialization ensures that one or the other is set). */
+
+if (  !ob->cmd_uid_set
+   && !route_find_expanded_user(ob->expand_cmd_uid, rblock->name, US"router",
+	&upw, &uid, &(addr->message)))
+    return DEFER;
+
+/* Get the fixed or expanded gid, or take the gid from the passwd entry. */
+
+if (!ob->cmd_gid_set)
+  if (ob->expand_cmd_gid)
+    {
+    if (route_find_expanded_group(ob->expand_cmd_gid, rblock->name,
+        US"router", &gid, &(addr->message)))
+      return DEFER;
+    }
+  else if (upw)
+    gid = upw->pw_gid;
+  else
+    {
+    addr->message = string_sprintf("command_user set without command_group "
+      "for %s router", rblock->name);
+    return DEFER;
+    }
+
+DEBUG(D_route) debug_printf("requires uid=%ld gid=%ld current_directory=%s\n",
+  (long int)uid, (long int)gid, current_directory);
+
+/* If we are not running as root, we will not be able to change uid/gid. */
+
+if (curr_uid != root_uid && (uid != curr_uid || gid != curr_gid))
+  {
+  DEBUG(D_route)
+    {
+    debug_printf("not running as root: cannot change uid/gid\n");
+    debug_printf("subprocess will run with uid=%ld gid=%ld\n",
+      (long int)curr_uid, (long int)curr_gid);
+    }
+  puid = pgid = NULL;
+  }
+
+/* Set up the command to run */
+
+if (!transport_set_up_command(&argvptr, /* anchor for arg list */
+    ob->command,                        /* raw command */
+    TRUE,                               /* expand the arguments */
+    0,                                  /* not relevant when... */
+    NULL,                               /* no transporting address */
+    FALSE,				/* args must be untainted */
+    US"queryprogram router",            /* for error messages */
+    &addr->message))                    /* where to put error message */
+  return DEFER;
+
+/* Create the child process, making it a group leader. */
+
+if ((pid = child_open_uid(argvptr, NULL, 0077, puid, pgid, &fd_in, &fd_out,
+			  current_directory, TRUE, US"queryprogram-cmd")) < 0)
+  {
+  addr->message = string_sprintf("%s router couldn't create child process: %s",
+    rblock->name, strerror(errno));
+  return DEFER;
+  }
+
+/* Nothing is written to the standard input. */
+
+(void)close(fd_in);
+
+/* Wait for the process to finish, applying the timeout, and inspect its return
+code. */
+
+if ((rc = child_close(pid, ob->timeout)) != 0)
+  {
+  if (rc > 0)
+    addr->message = string_sprintf("%s router: command returned non-zero "
+      "code %d", rblock->name, rc);
+
+  else if (rc == -256)
+    {
+    addr->message = string_sprintf("%s router: command timed out",
+      rblock->name);
+    killpg(pid, SIGKILL);       /* Kill the whole process group */
+    }
+
+  else if (rc == -257)
+    addr->message = string_sprintf("%s router: wait() failed: %s",
+      rblock->name, strerror(errno));
+
+  else
+    addr->message = string_sprintf("%s router: command killed by signal %d",
+      rblock->name, -rc);
+
+  return DEFER;
+  }
+
+/* Read the pipe to get the command's output, and then close it. */
+
+len = read(fd_out, buffer, sizeof(buffer) - 1);
+(void)close(fd_out);
+
+/* Failure to return any data is an error. */
+
+if (len <= 0)
+  {
+  addr->message = string_sprintf("%s router: command failed to return data",
+    rblock->name);
+  return DEFER;
+  }
+
+/* Get rid of leading and trailing white space, and pick off the first word of
+the result. */
+
+while (len > 0 && isspace(buffer[len-1])) len--;
+buffer[len] = 0;
+
+DEBUG(D_route) debug_printf("command wrote: %s\n", buffer);
+
+rword = buffer;
+while (isspace(*rword)) rword++;
+rdata = rword;
+while (*rdata && !isspace(*rdata)) rdata++;
+if (*rdata) *rdata++ = 0;
+
+/* The word must be a known yield name. If it is "REDIRECT", the rest of the
+line is redirection data, as for a .forward file. It may not contain filter
+data, and it may not contain anything other than addresses (no files, no pipes,
+no specials). */
+
+if (strcmpic(rword, US"REDIRECT") == 0)
+  {
+  int filtertype;
+  redirect_block redirect;
+  address_item *generated = NULL;
+
+  redirect.string = rdata;
+  redirect.isfile = FALSE;
+
+  rc = rda_interpret(&redirect,  /* redirection data */
+    RDO_BLACKHOLE |              /* forbid :blackhole: */
+      RDO_FAIL    |              /* forbid :fail: */
+      RDO_INCLUDE |              /* forbid :include: */
+      RDO_REWRITE,               /* rewrite generated addresses */
+    NULL,                        /* :include: directory not relevant */
+    NULL,                        /* sieve vacation directory not relevant */
+    NULL,                        /* sieve enotify mailto owner not relevant */
+    NULL,                        /* sieve useraddress not relevant */
+    NULL,                        /* sieve subaddress not relevant */
+    &ugid,                       /* uid/gid (but not set) */
+    &generated,                  /* where to hang the results */
+    &addr->message,              /* where to put messages */
+    NULL,                        /* don't skip syntax errors */
+    &filtertype,                 /* not used; will always be FILTER_FORWARD */
+    string_sprintf("%s router", rblock->name));
+
+  switch (rc)
+    {
+    /* FF_DEFER and FF_FAIL can arise only as a result of explicit commands.
+    If a configured message was supplied, allow it to be  included in an SMTP
+    response after verifying. */
+
+    case FF_DEFER:
+      if (!addr->message) addr->message = US"forced defer";
+      else addr->user_message = addr->message;
+      return DEFER;
+
+    case FF_FAIL:
+      add_generated(rblock, addr_new, addr, generated, &addr_prop);
+      if (!addr->message) addr->message = US"forced rejection";
+      else addr->user_message = addr->message;
+      return FAIL;
+
+    case FF_DELIVERED:
+      break;
+
+    case FF_NOTDELIVERED:    /* an empty redirection list is bad */
+      addr->message = US"no addresses supplied";
+    /* Fall through */
+
+    case FF_ERROR:
+    default:
+      addr->basic_errno = ERRNO_BADREDIRECT;
+      addr->message = string_sprintf("error in redirect data: %s", addr->message);
+      return DEFER;
+    }
+
+  /* Handle the generated addresses, if any. */
+
+  add_generated(rblock, addr_new, addr, generated, &addr_prop);
+
+  /* Put the original address onto the succeed queue so that any retry items
+  that get attached to it get processed. */
+
+  addr->next = *addr_succeed;
+  *addr_succeed = addr;
+
+  return OK;
+  }
+
+/* Handle other returns that are not ACCEPT */
+
+if (strcmpic(rword, US"accept") != 0)
+  {
+  if (strcmpic(rword, US"decline") == 0) return DECLINE;
+  if (strcmpic(rword, US"pass") == 0) return PASS;
+  addr->message = string_copy(rdata);                /* data is a message */
+  if (strcmpic(rword, US"fail") == 0)
+    {
+    setflag(addr, af_pass_message);
+    return FAIL;
+    }
+  if (strcmpic(rword, US"freeze") == 0) addr->special_action = SPECIAL_FREEZE;
+  else if (strcmpic(rword, US"defer") != 0)
+    {
+    addr->message = string_sprintf("bad command yield: %s %s", rword, rdata);
+    log_write(0, LOG_PANIC, "%s router: %s", rblock->name, addr->message);
+    }
+  return DEFER;
+  }
+
+/* The command yielded "ACCEPT". The rest of the string is a number of keyed
+fields from which we can fish out values using the equivalent of the "extract"
+expansion function. */
+
+if ((s = expand_getkeyed(US"data", rdata)) && *s)
+  addr_prop.address_data = string_copy(s);
+
+/* If we found a transport name, find the actual transport */
+
+if ((s = expand_getkeyed(US"transport", rdata)) && *s)
+  {
+  transport_instance *transport;
+  for (transport = transports; transport; transport = transport->next)
+    if (Ustrcmp(transport->name, s) == 0) break;
+  if (!transport)
+    {
+    addr->message = string_sprintf("unknown transport name %s yielded by "
+      "command", s);
+    log_write(0, LOG_PANIC, "%s router: %s", rblock->name, addr->message);
+    return DEFER;
+    }
+  addr->transport = transport;
+  }
+
+/* No transport given; get the transport from the router configuration. It may
+be fixed or expanded, but there will be an error if it is unset, requested by
+the last argument not being NULL. */
+
+else
+  {
+  if (!rf_get_transport(rblock->transport_name, &rblock->transport, addr,
+       rblock->name, US"transport"))
+    return DEFER;
+  addr->transport = rblock->transport;
+  }
+
+/* See if a host list is given, and if so, look up the addresses. */
+
+if ((s = expand_getkeyed(US"hosts", rdata)) && *s)
+  {
+  int lookup_type = LK_DEFAULT;
+  uschar * ss = expand_getkeyed(US"lookup", rdata);
+
+  if (ss && *ss)
+    {
+    if (Ustrcmp(ss, "byname") == 0) lookup_type = LK_BYNAME;
+    else if (Ustrcmp(ss, "bydns") == 0) lookup_type = LK_BYDNS;
+    else
+      {
+      addr->message = string_sprintf("bad lookup type \"%s\" yielded by "
+        "command", ss);
+      log_write(0, LOG_PANIC, "%s router: %s", rblock->name, addr->message);
+      return DEFER;
+      }
+    }
+
+  host_build_hostlist(&(addr->host_list), s, FALSE);  /* pro tem no randomize */
+
+  rc = rf_lookup_hostlist(rblock, addr, rblock->ignore_target_hosts,
+    lookup_type, hff_defer, addr_new);
+  if (rc != OK) return rc;
+  }
+lookup_value = NULL;
+
+/* Put the errors address, extra headers, and address_data into this address */
+
+addr->prop = addr_prop;
+
+/* Queue the address for local or remote delivery. */
+
+return rf_queue_add(addr, addr_local, addr_remote, rblock, pw) ? OK : DEFER;
+}
+
+#endif   /*!MACRO_PREDEF*/
+/* End of routers/queryprogram.c */
diff --git a/src/routers/queryprogram.h b/src/routers/queryprogram.h
new file mode 100644
index 0000000..93046bd
--- /dev/null
+++ b/src/routers/queryprogram.h
@@ -0,0 +1,40 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* Private structure for the private options. */
+
+typedef struct {
+  uschar *command;
+  int timeout;
+  uid_t cmd_uid;
+  gid_t cmd_gid;
+  BOOL cmd_uid_set;
+  BOOL cmd_gid_set;
+  uschar *current_directory;
+  uschar *expand_cmd_gid;
+  uschar *expand_cmd_uid;
+} queryprogram_router_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist queryprogram_router_options[];
+extern int queryprogram_router_options_count;
+
+/* Block containing default values. */
+
+extern queryprogram_router_options_block queryprogram_router_option_defaults;
+
+/* The main and initialization entry points for the router */
+
+extern int queryprogram_router_entry(router_instance *, address_item *,
+  struct passwd *, int, address_item **, address_item **,
+  address_item **, address_item **);
+
+extern void queryprogram_router_init(router_instance *);
+
+/* End of routers/queryprogram.h */
diff --git a/src/routers/redirect.c b/src/routers/redirect.c
new file mode 100644
index 0000000..31c07f5
--- /dev/null
+++ b/src/routers/redirect.c
@@ -0,0 +1,801 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "rf_functions.h"
+#include "redirect.h"
+
+
+
+/* Options specific to the redirect router. */
+#define LOFF(field) OPT_OFF(redirect_router_options_block, field)
+
+optionlist redirect_router_options[] = {
+  { "allow_defer",        opt_bit | (RDON_DEFER << 16),
+      LOFF(bit_options) },
+  { "allow_fail",         opt_bit | (RDON_FAIL << 16),
+      LOFF(bit_options) },
+  { "allow_filter",       opt_bit | (RDON_FILTER << 16),
+      LOFF(bit_options) },
+  { "allow_freeze",       opt_bit | (RDON_FREEZE << 16),
+      LOFF(bit_options) },
+  { "check_ancestor",     opt_bool,		LOFF(check_ancestor) },
+  { "check_group",        opt_bool,		LOFF(check_group) },
+  { "check_owner",        opt_bool,		LOFF(check_owner) },
+  { "data",               opt_stringptr,	LOFF(data) },
+  { "directory_transport",opt_stringptr,	LOFF(directory_transport_name) },
+  { "file",               opt_stringptr,	LOFF(file) },
+  { "file_transport",     opt_stringptr,	LOFF(file_transport_name) },
+
+  { "filter_prepend_home",opt_bit | (RDON_PREPEND_HOME << 16),
+      LOFF(bit_options) },
+  { "forbid_blackhole",   opt_bit | (RDON_BLACKHOLE << 16),
+      LOFF(bit_options) },
+  { "forbid_exim_filter", opt_bit | (RDON_EXIM_FILTER << 16),
+      LOFF(bit_options) },
+  { "forbid_file",        opt_bool,
+      LOFF(forbid_file) },
+  { "forbid_filter_dlfunc", opt_bit | (RDON_DLFUNC << 16),
+      LOFF(bit_options) },
+  { "forbid_filter_existstest",  opt_bit | (RDON_EXISTS << 16),
+      LOFF(bit_options) },
+  { "forbid_filter_logwrite",opt_bit | (RDON_LOG << 16),
+      LOFF(bit_options) },
+  { "forbid_filter_lookup", opt_bit | (RDON_LOOKUP << 16),
+      LOFF(bit_options) },
+  { "forbid_filter_perl", opt_bit | (RDON_PERL << 16),
+      LOFF(bit_options) },
+  { "forbid_filter_readfile", opt_bit | (RDON_READFILE << 16),
+      LOFF(bit_options) },
+  { "forbid_filter_readsocket", opt_bit | (RDON_READSOCK << 16),
+      LOFF(bit_options) },
+  { "forbid_filter_reply",opt_bool,
+      LOFF(forbid_filter_reply) },
+  { "forbid_filter_run",  opt_bit | (RDON_RUN << 16),
+      LOFF(bit_options) },
+  { "forbid_include",     opt_bit | (RDON_INCLUDE << 16),
+      LOFF(bit_options) },
+  { "forbid_pipe",        opt_bool,
+      LOFF(forbid_pipe) },
+  { "forbid_sieve_filter",opt_bit | (RDON_SIEVE_FILTER << 16),
+      LOFF(bit_options) },
+  { "forbid_smtp_code",     opt_bool,
+      LOFF(forbid_smtp_code) },
+  { "hide_child_in_errmsg", opt_bool,
+      LOFF( hide_child_in_errmsg) },
+  { "ignore_eacces",      opt_bit | (RDON_EACCES << 16),
+      LOFF(bit_options) },
+  { "ignore_enotdir",     opt_bit | (RDON_ENOTDIR << 16),
+      LOFF(bit_options) },
+
+  { "include_directory",  opt_stringptr,	LOFF( include_directory) },
+  { "modemask",           opt_octint,		LOFF(modemask) },
+  { "one_time",           opt_bool,		LOFF(one_time) },
+  { "owners",             opt_uidlist,		LOFF(owners) },
+  { "owngroups",          opt_gidlist,		LOFF(owngroups) },
+  { "pipe_transport",     opt_stringptr,	LOFF(pipe_transport_name) },
+  { "qualify_domain",     opt_stringptr,	LOFF(qualify_domain) },
+  { "qualify_preserve_domain", opt_bool,	LOFF(qualify_preserve_domain) },
+  { "repeat_use",         opt_bool | opt_public, OPT_OFF(router_instance, repeat_use) },
+  { "reply_transport",    opt_stringptr,	LOFF(reply_transport_name) },
+
+  { "rewrite",            opt_bit | (RDON_REWRITE << 16),
+      LOFF(bit_options) },
+
+  { "sieve_enotify_mailto_owner", opt_stringptr, LOFF(sieve_enotify_mailto_owner) },
+  { "sieve_subaddress", opt_stringptr,		LOFF(sieve_subaddress) },
+  { "sieve_useraddress", opt_stringptr,		LOFF(sieve_useraddress) },
+  { "sieve_vacation_directory", opt_stringptr,	LOFF(sieve_vacation_directory) },
+  { "skip_syntax_errors", opt_bool,		LOFF(skip_syntax_errors) },
+  { "syntax_errors_text", opt_stringptr,	LOFF(syntax_errors_text) },
+  { "syntax_errors_to",   opt_stringptr,	LOFF(syntax_errors_to) }
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int redirect_router_options_count =
+  sizeof(redirect_router_options)/sizeof(optionlist);
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy entries */
+redirect_router_options_block redirect_router_option_defaults = {0};
+void redirect_router_init(router_instance *rblock) {}
+int redirect_router_entry(router_instance *rblock, address_item *addr,
+  struct passwd *pw, int verify, address_item **addr_local,
+  address_item **addr_remote, address_item **addr_new,
+  address_item **addr_succeed) {return 0;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+
+/* Default private options block for the redirect router. */
+
+redirect_router_options_block redirect_router_option_defaults = {
+  NULL,        /* directory_transport */
+  NULL,        /* file_transport */
+  NULL,        /* pipe_transport */
+  NULL,        /* reply_transport */
+  NULL,        /* data */
+  NULL,        /* directory_transport_name */
+  NULL,        /* file */
+  NULL,        /* file_dir */
+  NULL,        /* file_transport_name */
+  NULL,        /* include_directory */
+  NULL,        /* pipe_transport_name */
+  NULL,        /* reply_transport_name */
+  NULL,        /* sieve_subaddress */
+  NULL,        /* sieve_useraddress */
+  NULL,        /* sieve_vacation_directory */
+  NULL,        /* sieve_enotify_mailto_owner */
+  NULL,        /* syntax_errors_text */
+  NULL,        /* syntax_errors_to */
+  NULL,        /* qualify_domain */
+  NULL,        /* owners */
+  NULL,        /* owngroups */
+  022,         /* modemask */
+  RDO_REWRITE | RDO_PREPEND_HOME, /* bit_options */
+  FALSE,       /* check_ancestor */
+  TRUE_UNSET,  /* check_owner */
+  TRUE_UNSET,  /* check_group */
+  FALSE,       /* forbid_file */
+  FALSE,       /* forbid_filter_reply */
+  FALSE,       /* forbid_pipe */
+  FALSE,       /* forbid_smtp_code */
+  FALSE,       /* hide_child_in_errmsg */
+  FALSE,       /* one_time */
+  FALSE,       /* qualify_preserve_domain */
+  FALSE        /* skip_syntax_errors */
+};
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to enable
+consistency checks to be done, or anything else that needs to be set up. */
+
+void redirect_router_init(router_instance *rblock)
+{
+redirect_router_options_block *ob =
+  (redirect_router_options_block *)(rblock->options_block);
+
+/* Either file or data must be set, but not both */
+
+if ((ob->file == NULL) == (ob->data == NULL))
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n  "
+    "%sone of \"file\" or \"data\" must be specified",
+    rblock->name, (ob->file == NULL)? "" : "only ");
+
+/* Onetime aliases can only be real addresses. Headers can't be manipulated.
+The combination of one_time and unseen is not allowed. We can't check the
+expansion of "unseen" here, but we assume that if it is set to anything other
+than false, there is likely to be a problem. */
+
+if (ob->one_time)
+  {
+  ob->forbid_pipe = ob->forbid_file = ob->forbid_filter_reply = TRUE;
+  if (rblock->extra_headers || rblock->remove_headers)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n  "
+      "\"headers_add\" and \"headers_remove\" are not permitted with "
+      "\"one_time\"", rblock->name);
+  if (rblock->unseen || rblock->expand_unseen)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n  "
+      "\"unseen\" may not be used with \"one_time\"", rblock->name);
+  }
+
+/* The defaults for check_owner and check_group depend on other settings. The
+defaults are: Check the owner if check_local_user or owners is set; check the
+group if check_local_user is set without a restriction on the group write bit,
+or if owngroups is set. */
+
+if (ob->check_owner == TRUE_UNSET)
+  ob->check_owner = rblock->check_local_user ||
+                    (ob->owners && ob->owners[0] != 0);
+
+if (ob->check_group == TRUE_UNSET)
+  ob->check_group = (rblock->check_local_user && (ob->modemask & 020) == 0) ||
+                    (ob->owngroups != NULL && ob->owngroups[0] != 0);
+
+/* If explicit qualify domain set, the preserve option is locked out */
+
+if (ob->qualify_domain && ob->qualify_preserve_domain)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n  "
+    "only one of \"qualify_domain\" or \"qualify_preserve_domain\" must be set",
+    rblock->name);
+
+/* If allow_filter is set, either user or check_local_user must be set. */
+
+if (!rblock->check_local_user &&
+    !rblock->uid_set &&
+    rblock->expand_uid == NULL &&
+    (ob->bit_options & RDO_FILTER) != 0)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n  "
+    "\"user\" or \"check_local_user\" must be set with \"allow_filter\"",
+    rblock->name);
+}
+
+
+
+/*************************************************
+*       Get errors address and header mods       *
+*************************************************/
+
+/* This function is called when new addresses are generated, in order to
+sort out errors address and header modifications. We put the errors address
+into the parent address (even though it is never used from there because that
+address is never transported) so that it can be retrieved if any of the
+children gets routed by an "unseen" router. The clone of the child that is
+passed on must have the original errors_address value.
+
+Arguments:
+  rblock               the router control block
+  addr                 the address being routed
+  verify               v_none/v_recipient/v_sender/v_expn
+  addr_prop            point to the propagated block, which is where the
+                         new values are to be placed
+
+Returns:    the result of rf_get_errors_address() or rf_get_munge_headers(),
+            which is either OK or DEFER
+*/
+
+static int
+sort_errors_and_headers(router_instance *rblock, address_item *addr,
+  int verify, address_item_propagated *addr_prop)
+{
+int frc = rf_get_errors_address(addr, rblock, verify,
+  &addr_prop->errors_address);
+if (frc != OK) return frc;
+addr->prop.errors_address = addr_prop->errors_address;
+return rf_get_munge_headers(addr, rblock, &addr_prop->extra_headers,
+  &addr_prop->remove_headers);
+}
+
+
+
+/*************************************************
+*    Process a set of generated new addresses    *
+*************************************************/
+
+/* This function sets up a set of newly generated child addresses and puts them
+on the new address chain. Copy in the uid, gid and permission flags for use by
+pipes and files, set the parent, and "or" its af_ignore_error flag. Also record
+the setting for any starting router.
+
+If the generated address is the same as one of its ancestors, and the
+check_ancestor flag is set, do not use this generated address, but replace it
+with a copy of the input address. This is to cope with cases where A is aliased
+to B and B has a .forward file pointing to A, though it is usually set on the
+forwardfile rather than the aliasfile. We can't just pass on the old
+address by returning FAIL, because it must act as a general parent for
+generated addresses, and only get marked "done" when all its children are
+delivered.
+
+Arguments:
+  rblock                  router block
+  addr_new                new address chain
+  addr                    original address
+  generated               list of generated addresses
+  addr_prop               the propagated block, containing the errors_address,
+                            header modification stuff, and address_data
+  ugidptr                 points to uid/gid data for files, pipes, autoreplies
+  pw                      password entry, set if ob->check_local_user is TRUE
+
+Returns:         nothing
+*/
+
+static void
+add_generated(router_instance *rblock, address_item **addr_new,
+  address_item *addr, address_item *generated,
+  address_item_propagated *addr_prop, ugid_block *ugidptr, struct passwd *pw)
+{
+redirect_router_options_block *ob =
+  (redirect_router_options_block *)(rblock->options_block);
+
+while (generated)
+  {
+  address_item *parent;
+  address_item *next = generated;
+  uschar *errors_address = next->prop.errors_address;
+
+  generated = next->next;
+  next->parent = addr;
+  next->start_router = rblock->redirect_router;
+  if (addr->child_count == USHRT_MAX)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s router generated more than %d "
+      "child addresses for <%s>", rblock->name, USHRT_MAX, addr->address);
+  addr->child_count++;
+
+  next->next = *addr_new;
+  *addr_new = next;
+
+  /* Don't do the "one_time" thing for the first pass of a 2-stage queue run. */
+
+  if (ob->one_time && !f.queue_2stage)
+    {
+    for (parent = addr; parent->parent; parent = parent->parent) ;
+    next->onetime_parent = parent->address;
+    }
+
+  if (ob->hide_child_in_errmsg) setflag(next, af_hide_child);
+
+  /* If check_ancestor is set, we want to know if any ancestor of this address
+  is the address we are about to generate. The check must be done caselessly
+  unless the ancestor was routed by a case-sensitive router. */
+
+  if (ob->check_ancestor)
+    for (parent = addr; parent; parent = parent->parent)
+      if ((parent->router && parent->router->caseful_local_part
+	   ? Ustrcmp(next->address, parent->address)
+           : strcmpic(next->address, parent->address)
+          ) == 0)
+        {
+        DEBUG(D_route) debug_printf("generated parent replaced by child\n");
+        next->address = string_copy(addr->address);
+        break;
+        }
+
+  /* A user filter may, under some circumstances, set up an errors address.
+  If so, we must take care to re-instate it when we copy in the propagated
+  data so that it overrides any errors_to setting on the router. */
+
+    {
+    BOOL ignore_error = next->prop.ignore_error;
+    next->prop = *addr_prop;
+    next->prop.ignore_error = ignore_error || addr->prop.ignore_error;
+    }
+  if (errors_address) next->prop.errors_address = errors_address;
+
+  /* For pipes, files, and autoreplies, record this router as handling them,
+  because they don't go through the routing process again. Then set up uid,
+  gid, home and current directories for transporting. */
+
+  if (testflag(next, af_pfr))
+    {
+    next->router = rblock;
+    rf_set_ugid(next, ugidptr);   /* Will contain pw values if not overridden */
+
+    /* When getting the home directory out of the password information, wrap it
+    in \N...\N to avoid expansion later. In Cygwin, home directories can
+    contain $ characters. */
+
+    if (rblock->home_directory != NULL)
+      next->home_dir = rblock->home_directory;
+    else if (rblock->check_local_user)
+      next->home_dir = string_sprintf("\\N%s\\N", pw->pw_dir);
+    else if (rblock->router_home_directory != NULL &&
+             testflag(addr, af_home_expanded))
+      {
+      next->home_dir = deliver_home;
+      setflag(next, af_home_expanded);
+      }
+
+    next->current_dir = rblock->current_directory;
+
+    /* Permission options */
+
+    if (!ob->forbid_pipe) setflag(next, af_allow_pipe);
+    if (!ob->forbid_file) setflag(next, af_allow_file);
+    if (!ob->forbid_filter_reply) setflag(next, af_allow_reply);
+
+    /* If the transport setting fails, the error gets picked up at the outer
+    level from the setting of basic_errno in the address. */
+
+    if (next->address[0] == '|')
+      {
+      address_pipe = next->address;
+      if (rf_get_transport(ob->pipe_transport_name, &ob->pipe_transport,
+          next, rblock->name, US"pipe_transport"))
+        next->transport = ob->pipe_transport;
+      address_pipe = NULL;
+      }
+    else if (next->address[0] == '>')
+      {
+      if (rf_get_transport(ob->reply_transport_name, &ob->reply_transport,
+          next, rblock->name, US"reply_transport"))
+        next->transport = ob->reply_transport;
+      }
+    else  /* must be file or directory */
+      {
+      int len = Ustrlen(next->address);
+      address_file = next->address;
+      if (next->address[len-1] == '/')
+        {
+        if (rf_get_transport(ob->directory_transport_name,
+            &(ob->directory_transport), next, rblock->name,
+            US"directory_transport"))
+          next->transport = ob->directory_transport;
+        }
+      else
+        if (rf_get_transport(ob->file_transport_name, &ob->file_transport,
+            next, rblock->name, US"file_transport"))
+          next->transport = ob->file_transport;
+
+      address_file = NULL;
+      }
+    }
+
+#ifdef SUPPORT_I18N
+    if (!next->prop.utf8_msg)
+      next->prop.utf8_msg = string_is_utf8(next->address)
+        || (sender_address && string_is_utf8(sender_address));
+#endif
+
+  DEBUG(D_route)
+    {
+    debug_printf("%s router generated %s\n  %serrors_to=%s transport=%s\n",
+      rblock->name,
+      next->address,
+      testflag(next, af_pfr)? "pipe, file, or autoreply\n  " : "",
+      next->prop.errors_address,
+      (next->transport == NULL)? US"NULL" : next->transport->name);
+
+    if (testflag(next, af_uid_set))
+      debug_printf("  uid=%ld ", (long int)(next->uid));
+    else
+      debug_printf("  uid=unset ");
+
+    if (testflag(next, af_gid_set))
+      debug_printf("gid=%ld ", (long int)(next->gid));
+    else
+      debug_printf("gid=unset ");
+
+#ifdef SUPPORT_I18N
+    if (next->prop.utf8_msg) debug_printf("utf8 ");
+#endif
+
+    debug_printf("home=%s\n", next->home_dir);
+    }
+  }
+}
+
+
+/*************************************************
+*              Main entry point                  *
+*************************************************/
+
+/* See local README for interface description. This router returns:
+
+DECLINE
+  . empty address list, or filter did nothing significant
+
+DEFER
+  . verifying the errors address caused a deferment or a big disaster such
+      as an expansion failure (rf_get_errors_address)
+  . expanding a headers_{add,remove} string caused a deferment or another
+      expansion error (rf_get_munge_headers)
+  . :defer: or "freeze" in a filter
+  . error in address list or filter
+  . skipped syntax errors, but failed to send the message
+
+DISCARD
+  . address was :blackhole:d or "seen finish"ed
+
+FAIL
+  . :fail:
+
+OK
+  . new addresses added to addr_new
+*/
+
+int redirect_router_entry(
+  router_instance *rblock,        /* data for this instantiation */
+  address_item *addr,             /* address we are working on */
+  struct passwd *pw,              /* passwd entry after check_local_user */
+  int verify,                     /* v_none/v_recipient/v_sender/v_expn */
+  address_item **addr_local,      /* add it to this if it's local */
+  address_item **addr_remote,     /* add it to this if it's remote */
+  address_item **addr_new,        /* put new addresses on here */
+  address_item **addr_succeed)    /* put old address here on success */
+{
+redirect_router_options_block *ob =
+  (redirect_router_options_block *)(rblock->options_block);
+address_item *generated = NULL;
+const uschar *save_qualify_domain_recipient = qualify_domain_recipient;
+uschar *discarded = US"discarded";
+address_item_propagated addr_prop;
+error_block *eblock = NULL;
+ugid_block ugid;
+redirect_block redirect;
+int filtertype = FILTER_UNSET;
+int yield = OK;
+int options = ob->bit_options;
+int frc = 0;
+int xrc = 0;
+
+/* Initialize the data to be propagated to the children */
+
+addr_prop.address_data = deliver_address_data;
+addr_prop.domain_data = deliver_domain_data;
+addr_prop.localpart_data = deliver_localpart_data;
+addr_prop.errors_address = NULL;
+addr_prop.extra_headers = NULL;
+addr_prop.remove_headers = NULL;
+addr_prop.variables = NULL;
+tree_dup((tree_node **)&addr_prop.variables, addr->prop.variables);
+
+#ifdef SUPPORT_I18N
+addr_prop.utf8_msg = addr->prop.utf8_msg;
+addr_prop.utf8_downcvt = addr->prop.utf8_downcvt;
+addr_prop.utf8_downcvt_maybe = addr->prop.utf8_downcvt_maybe;
+#endif
+
+
+/* When verifying and testing addresses, the "logwrite" command in filters
+must be bypassed. */
+
+if (verify == v_none && !f.address_test_mode) options |= RDO_REALLOG;
+
+/* Sort out the fixed or dynamic uid/gid. This uid is used (a) for reading the
+file (and interpreting a filter) and (b) for running the transports for
+generated file and pipe addresses. It is not (necessarily) the same as the uids
+that may own the file. Exim panics if an expanded string is not a number and
+can't be found in the password file. Other errors set the freezing bit. */
+
+if (!rf_get_ugid(rblock, addr, &ugid)) return DEFER;
+
+if (!ugid.uid_set && pw != NULL)
+  {
+  ugid.uid = pw->pw_uid;
+  ugid.uid_set = TRUE;
+  }
+
+if (!ugid.gid_set && pw != NULL)
+  {
+  ugid.gid = pw->pw_gid;
+  ugid.gid_set = TRUE;
+  }
+
+/* Call the function that interprets redirection data, either inline or from a
+file. This is a separate function so that the system filter can use it. It will
+run the function in a subprocess if necessary. If qualify_preserve_domain is
+set, temporarily reset qualify_domain_recipient to the current domain so that
+any unqualified addresses get qualified with the same domain as the incoming
+address. Otherwise, if a local qualify_domain is provided, set that up. */
+
+if (ob->qualify_preserve_domain)
+  qualify_domain_recipient = addr->domain;
+else if (ob->qualify_domain)
+  {
+  uschar *new_qdr = rf_expand_data(addr, ob->qualify_domain, &xrc);
+  if (!new_qdr) return xrc;
+  qualify_domain_recipient = new_qdr;
+  }
+
+redirect.owners = ob->owners;
+redirect.owngroups = ob->owngroups;
+redirect.modemask = ob->modemask;
+redirect.check_owner = ob->check_owner;
+redirect.check_group = ob->check_group;
+redirect.pw = pw;
+
+redirect.string = (redirect.isfile = (ob->file != NULL))
+  ? ob->file : ob->data;
+
+frc = rda_interpret(&redirect, options, ob->include_directory,
+  ob->sieve_vacation_directory, ob->sieve_enotify_mailto_owner,
+  ob->sieve_useraddress, ob->sieve_subaddress, &ugid, &generated,
+  &addr->message, ob->skip_syntax_errors? &eblock : NULL, &filtertype,
+  string_sprintf("%s router (recipient is %s)", rblock->name, addr->address));
+
+qualify_domain_recipient = save_qualify_domain_recipient;
+
+/* Handle exceptional returns from filtering or processing an address list.
+For FAIL and FREEZE we honour any previously set up deliveries by a filter. */
+
+switch (frc)
+  {
+  case FF_NONEXIST:
+    addr->message = addr->user_message = NULL;
+    return DECLINE;
+
+  case FF_BLACKHOLE:
+    DEBUG(D_route) debug_printf("address :blackhole:d\n");
+    generated = NULL;
+    discarded = US":blackhole:";
+    frc = FF_DELIVERED;
+    break;
+
+    /* FF_DEFER and FF_FAIL can arise only as a result of explicit commands
+    (:defer: or :fail: in an alias file or "fail" in a filter). If a configured
+    message was supplied, allow it to be included in an SMTP response after
+    verifying. Remove any SMTP code if it is not allowed. */
+
+  case FF_DEFER:
+    yield = DEFER;
+    goto SORT_MESSAGE;
+
+  case FF_FAIL:
+    if ((xrc = sort_errors_and_headers(rblock, addr, verify, &addr_prop)) != OK)
+      return xrc;
+    add_generated(rblock, addr_new, addr, generated, &addr_prop, &ugid, pw);
+    yield = FAIL;
+
+    SORT_MESSAGE:
+    if (!addr->message)
+      addr->message = yield == FAIL ? US"forced rejection" : US"forced defer";
+    else
+      {
+      uschar * matched;
+      if (  ob->forbid_smtp_code
+	 && regex_match(regex_smtp_code, addr->message, -1, &matched))
+	{
+	DEBUG(D_route) debug_printf("SMTP code at start of error message "
+	  "is ignored because forbid_smtp_code is set\n");
+	addr->message += Ustrlen(matched);
+	}
+      addr->user_message = addr->message;
+      setflag(addr, af_pass_message);
+      }
+    return yield;
+
+    /* As in the case of a system filter, a freeze does not happen after a manual
+    thaw. In case deliveries were set up by the filter, we set the child count
+    high so that their completion does not mark the original address done. */
+
+  case FF_FREEZE:
+    if (!f.deliver_manual_thaw)
+      {
+      if ((xrc = sort_errors_and_headers(rblock, addr, verify, &addr_prop))
+	!= OK) return xrc;
+      add_generated(rblock, addr_new, addr, generated, &addr_prop, &ugid, pw);
+      if (addr->message == NULL) addr->message = US"frozen by filter";
+      addr->special_action = SPECIAL_FREEZE;
+      addr->child_count = 9999;
+      return DEFER;
+      }
+    frc = FF_NOTDELIVERED;
+    break;
+
+    /* Handle syntax errors and :include: failures and lookup defers */
+
+  case FF_ERROR:
+  case FF_INCLUDEFAIL:
+
+    /* If filtertype is still FILTER_UNSET, it means that the redirection data
+    was never inspected, so the error was an expansion failure or failure to open
+    the file, or whatever. In these cases, the existing error message is probably
+    sufficient. */
+
+    if (filtertype == FILTER_UNSET) return DEFER;
+
+    /* If it was a filter and skip_syntax_errors is set, we want to set up
+    the error message so that it can be logged and mailed to somebody. */
+
+    if (filtertype != FILTER_FORWARD && ob->skip_syntax_errors)
+      {
+      eblock = store_get(sizeof(error_block), GET_UNTAINTED);
+      eblock->next = NULL;
+      eblock->text1 = addr->message;
+      eblock->text2 = NULL;
+      addr->message = addr->user_message = NULL;
+      }
+
+    /* Otherwise set up the error for the address and defer. */
+
+    else
+      {
+      addr->basic_errno = ERRNO_BADREDIRECT;
+      addr->message = string_sprintf("error in %s %s: %s",
+	filtertype == FILTER_FORWARD ? "redirect" : "filter",
+	ob->data ? "data" : "file",
+	addr->message);
+      return DEFER;
+      }
+  }
+
+
+/* Yield is either FF_DELIVERED (significant action) or FF_NOTDELIVERED (no
+significant action). Before dealing with these, however, we must handle the
+effect of skip_syntax_errors.
+
+If skip_syntax_errors was set and there were syntax errors in an address list,
+error messages will be present in eblock. Log them and send a message if so
+configured. We cannot do this earlier, because the error message must not be
+sent as the local user. If there were no valid addresses, generated will be
+NULL. In this case, the router declines.
+
+For a filter file, the error message has been fudged into an eblock. After
+dealing with it, the router declines. */
+
+if (eblock != NULL)
+  {
+  if (!moan_skipped_syntax_errors(
+        rblock->name,                            /* For message content */
+        eblock,                                  /* Ditto */
+        (verify != v_none || f.address_test_mode)?
+          NULL : ob->syntax_errors_to,           /* Who to mail */
+        generated != NULL,                       /* True if not all failed */
+        ob->syntax_errors_text))                 /* Custom message */
+    return DEFER;
+
+  if (filtertype != FILTER_FORWARD || generated == NULL)
+    {
+    addr->message = US"syntax error in redirection data";
+    return DECLINE;
+    }
+  }
+
+/* Sort out the errors address and any header modifications, and handle the
+generated addresses, if any. If there are no generated addresses, we must avoid
+calling sort_errors_and_headers() in case this router declines - that function
+may modify the errors_address field in the current address, and we don't want
+to do that for a decline. */
+
+if (generated != NULL)
+  {
+  if ((xrc = sort_errors_and_headers(rblock, addr, verify, &addr_prop)) != OK)
+    return xrc;
+  add_generated(rblock, addr_new, addr, generated, &addr_prop, &ugid, pw);
+  }
+
+/* FF_DELIVERED with no generated addresses is what we get when an address list
+contains :blackhole: or a filter contains "seen finish" without having
+generated anything. Log what happened to this address, and return DISCARD. */
+
+if (frc == FF_DELIVERED)
+  {
+  if (generated == NULL && verify == v_none && !f.address_test_mode)
+    {
+    log_write(0, LOG_MAIN, "=> %s <%s> R=%s", discarded, addr->address,
+      rblock->name);
+    yield = DISCARD;
+    }
+  }
+
+/* For an address list, FF_NOTDELIVERED always means that no addresses were
+generated. For a filter, addresses may or may not have been generated. If none
+were, it's the same as an empty address list, and the router declines. However,
+if addresses were generated, we can't just decline because successful delivery
+of the base address gets it marked "done", so deferred generated addresses
+never get tried again. We have to generate a new version of the base address,
+as if there were a "deliver" command in the filter file, with the original
+address as parent. */
+
+else
+  {
+  address_item *next;
+
+  if (generated == NULL) return DECLINE;
+
+  next = deliver_make_addr(addr->address, FALSE);
+  next->parent = addr;
+  addr->child_count++;
+  next->next = *addr_new;
+  *addr_new = next;
+
+  /* Set the data that propagates. */
+
+  next->prop = addr_prop;
+
+  DEBUG(D_route) debug_printf("%s router autogenerated %s\n%s%s%s",
+    rblock->name,
+    next->address,
+    (addr_prop.errors_address != NULL)? "  errors to " : "",
+    (addr_prop.errors_address != NULL)? addr_prop.errors_address : US"",
+    (addr_prop.errors_address != NULL)? "\n" : "");
+  }
+
+/* Control gets here only when the address has been completely handled. Put the
+original address onto the succeed queue so that any retry items that get
+attached to it get processed. */
+
+addr->next = *addr_succeed;
+*addr_succeed = addr;
+
+return yield;
+}
+
+#endif   /*!MACRO_PREDEF*/
+/* End of routers/redirect.c */
diff --git a/src/routers/redirect.h b/src/routers/redirect.h
new file mode 100644
index 0000000..4c0399a
--- /dev/null
+++ b/src/routers/redirect.h
@@ -0,0 +1,70 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Header for the redirect router */
+
+/* Private structure for the private options. */
+
+typedef struct {
+  transport_instance *directory_transport;
+  transport_instance *file_transport;
+  transport_instance *pipe_transport;
+  transport_instance *reply_transport;
+
+  uschar *data;
+  uschar *directory_transport_name;
+  uschar *file;
+  uschar *file_dir;
+  uschar *file_transport_name;
+  uschar *include_directory;
+  uschar *pipe_transport_name;
+  uschar *reply_transport_name;
+  uschar *sieve_subaddress;
+  uschar *sieve_useraddress;
+  uschar *sieve_vacation_directory;
+  uschar *sieve_enotify_mailto_owner;
+  uschar *syntax_errors_text;
+  uschar *syntax_errors_to;
+  uschar *qualify_domain;
+
+  uid_t  *owners;
+  gid_t  *owngroups;
+
+  int   modemask;
+  int   bit_options;
+  BOOL  check_ancestor;
+  BOOL  check_group;
+  BOOL  check_owner;
+  BOOL  forbid_file;
+  BOOL  forbid_filter_reply;
+  BOOL  forbid_pipe;
+  BOOL  forbid_smtp_code;
+  BOOL  hide_child_in_errmsg;
+  BOOL  one_time;
+  BOOL  qualify_preserve_domain;
+  BOOL  skip_syntax_errors;
+} redirect_router_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist redirect_router_options[];
+extern int redirect_router_options_count;
+
+/* Block containing default values. */
+
+extern redirect_router_options_block redirect_router_option_defaults;
+
+/* The main and initialization entry points for the router */
+
+extern int redirect_router_entry(router_instance *, address_item *,
+  struct passwd *, int, address_item **, address_item **,
+  address_item **, address_item **);
+
+extern void redirect_router_init(router_instance *);
+
+/* End of routers/redirect.h */
diff --git a/src/routers/rf_change_domain.c b/src/routers/rf_change_domain.c
new file mode 100644
index 0000000..d7c9c1c
--- /dev/null
+++ b/src/routers/rf_change_domain.c
@@ -0,0 +1,85 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "rf_functions.h"
+
+
+
+/*************************************************
+*          Change domain in an address           *
+*************************************************/
+
+/* When a router wants to change the address that is being routed, it is like a
+redirection. We insert a new parent of the current address to hold the original
+information, and change the data in the original address, which is now the
+child. The child address is put onto the addr_new chain. Pick up the local part
+from the "address" field so as to get it in external form - caseful, and with
+any quoting retained.
+
+Arguments:
+  addr        the address block
+  domain      the new domain
+  rewrite     TRUE if headers lines are to be rewritten
+  addr_new    the new address chain
+
+Returns:      nothing
+*/
+
+void
+rf_change_domain(address_item *addr, const uschar *domain, BOOL rewrite,
+  address_item **addr_new)
+{
+address_item * parent = store_get(sizeof(address_item), GET_UNTAINTED);
+uschar * at = Ustrrchr(addr->address, '@');
+uschar * address = string_sprintf("%.*s@%s",
+  (int)(at - addr->address), addr->address, domain);
+
+DEBUG(D_route) debug_printf("domain changed to %s\n", domain);
+
+/* The current address item is made into the parent, and a new address is set
+up in the old space. */
+
+*parent = *addr;
+
+/* First copy in initializing values, to wipe out stuff such as the named
+domain cache. Then copy over the propagating fields from the parent. Then set
+up the new fields. */
+
+*addr = address_defaults;
+addr->prop = parent->prop;
+
+addr->address = address;
+addr->unique = string_copy(address);
+addr->parent = parent;
+parent->child_count = 1;
+
+addr->next = *addr_new;
+*addr_new = addr;
+
+/* Rewrite header lines if requested */
+
+if (rewrite)
+  {
+  DEBUG(D_route|D_rewrite) debug_printf("rewriting header lines\n");
+  for (header_line * h = header_list; h != NULL; h = h->next)
+    {
+    header_line *newh =
+      rewrite_header(h, parent->domain, domain,
+        global_rewrite_rules, rewrite_existflags, TRUE);
+    if (newh)
+      {
+      h = newh;
+      f.header_rewritten = TRUE;
+      }
+    }
+  }
+}
+
+/* End of rf_change_domain.c */
diff --git a/src/routers/rf_expand_data.c b/src/routers/rf_expand_data.c
new file mode 100644
index 0000000..6a8ad17
--- /dev/null
+++ b/src/routers/rf_expand_data.c
@@ -0,0 +1,48 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "rf_functions.h"
+
+
+/*************************************************
+*       Expand data string and handle errors     *
+*************************************************/
+
+/* This little function is used by a couple of routers for expanding things. It
+just saves repeating this code too many times. It does an expansion, and
+chooses a suitable return code on error.
+
+Arguments:
+  addr       the address that's being routed
+  s          the string to be expanded
+  prc        pointer to where to put the return code on failure
+
+Returns:     the expanded string, or NULL (with prc set) on failure
+*/
+
+uschar *
+rf_expand_data(address_item *addr, uschar *s, int *prc)
+{
+uschar *yield = expand_string(s);
+if (yield != NULL) return yield;
+if (f.expand_string_forcedfail)
+  {
+  DEBUG(D_route) debug_printf("forced failure for expansion of \"%s\"\n", s);
+  *prc = DECLINE;
+  }
+else
+  {
+  addr->message = string_sprintf("failed to expand \"%s\": %s", s,
+    expand_string_message);
+  *prc = DEFER;
+  }
+return NULL;
+}
+
+/* End of routers/rf_expand_data.c */
diff --git a/src/routers/rf_functions.h b/src/routers/rf_functions.h
new file mode 100644
index 0000000..f310d5a
--- /dev/null
+++ b/src/routers/rf_functions.h
@@ -0,0 +1,31 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Header for the functions that are shared by the routers */
+
+
+extern void rf_add_generated(router_instance *, address_item **,
+              address_item *, address_item *, uschar *, header_line *,
+              uschar *, ugid_block *, struct passwd *);
+extern void rf_change_domain(address_item *, const uschar *, BOOL, address_item **);
+extern uschar *rf_expand_data(address_item *, uschar *, int *);
+extern int  rf_get_errors_address(address_item *, router_instance *,
+              int, uschar **);
+extern int  rf_get_munge_headers(address_item *, router_instance *,
+              header_line **, uschar **);
+extern BOOL rf_get_transport(uschar *, transport_instance **,  address_item *,
+              uschar *, uschar *);
+extern BOOL rf_get_ugid(router_instance *, address_item *, ugid_block *);
+extern int  rf_lookup_hostlist(router_instance *, address_item *, uschar *,
+              int, int, address_item **);
+extern BOOL rf_queue_add(address_item *, address_item **, address_item **,
+              router_instance *, struct passwd *);
+extern int  rf_self_action(address_item *, host_item *, int, BOOL, uschar *,
+              address_item **);
+extern void rf_set_ugid(address_item *, ugid_block *);
+
+/* End of rf_functions.h */
diff --git a/src/routers/rf_get_errors_address.c b/src/routers/rf_get_errors_address.c
new file mode 100644
index 0000000..b9cf781
--- /dev/null
+++ b/src/routers/rf_get_errors_address.c
@@ -0,0 +1,132 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "rf_functions.h"
+
+
+/*************************************************
+*        Get errors address for a router         *
+*************************************************/
+
+/* This function is called by routers to sort out the errors address for a
+particular address. If there is a setting in the router block, then expand and
+verify it, and if it works, use it. Otherwise use any setting that is in the
+address itself. This might be NULL, meaning unset (the message's sender is then
+used). Verification isn't done when the original address is just being
+verified, as otherwise there might be routing loops if someone sets up a silly
+configuration.
+
+Arguments:
+  addr         the input address
+  rblock       the router instance
+  verify       v_none / v_recipient / v_sender / v_expn
+  errors_to    point the errors address here
+
+Returns:       OK if no problem
+               DEFER if verifying the address caused a deferment
+                 or a big disaster (e.g. expansion failure)
+*/
+
+int
+rf_get_errors_address(address_item *addr, router_instance *rblock,
+  int verify, uschar **errors_to)
+{
+uschar *s;
+
+*errors_to = addr->prop.errors_address;
+if (rblock->errors_to == NULL) return OK;
+
+s = expand_string(rblock->errors_to);
+
+if (s == NULL)
+  {
+  if (f.expand_string_forcedfail)
+    {
+    DEBUG(D_route)
+      debug_printf("forced expansion failure - ignoring errors_to\n");
+    return OK;
+    }
+  addr->message = string_sprintf("%s router failed to expand \"%s\": %s",
+    rblock->name, rblock->errors_to, expand_string_message);
+  return DEFER;
+  }
+
+/* If the errors_to address is empty, it means "ignore errors" */
+
+if (*s == 0)
+  {
+  addr->prop.ignore_error = TRUE;   /* For locally detected errors */
+  *errors_to = US"";                   /* Return path for SMTP */
+  return OK;
+  }
+
+/* If we are already verifying, do not check the errors address, in order to
+save effort (but we do verify when testing an address). When we do verify, set
+the sender address to null, because that's what it will be when sending an
+error message, and there are now configuration options that control the running
+of routers by checking the sender address. When testing an address, there may
+not be a sender address. We also need to save and restore the expansion values
+associated with an address. */
+
+if (verify != v_none)
+  {
+  *errors_to = s;
+  DEBUG(D_route)
+    debug_printf("skipped verify errors_to address: already verifying\n");
+  }
+else
+  {
+  BOOL save_address_test_mode = f.address_test_mode;
+  int save1 = 0;
+  int i;
+  const uschar ***p;
+  const uschar *address_expansions_save[ADDRESS_EXPANSIONS_COUNT];
+  address_item *snew = deliver_make_addr(s, FALSE);
+
+  if (sender_address)
+    {
+    save1 = sender_address[0];
+    sender_address[0] = 0;
+    }
+
+  for (i = 0, p = address_expansions; *p;)
+    address_expansions_save[i++] = **p++;
+  f.address_test_mode = FALSE;
+
+  /* NOTE: the address is verified as a recipient, not a sender. This is
+  perhaps confusing. It isn't immediately obvious what to do: we want to have
+  some confidence that we can deliver to the address, in which case it will be
+  a recipient, but on the other hand, it will be passed on in SMTP deliveries
+  as a sender. However, I think on balance recipient is right because sender
+  verification is really about the *incoming* sender of the message.
+
+  If this code is changed, note that you must set vopt_fake_sender instead of
+  vopt_is_recipient, as otherwise sender_address may be altered because
+  verify_address() thinks it is dealing with *the* sender of the message. */
+
+  DEBUG(D_route|D_verify)
+    debug_printf("------ Verifying errors address %s ------\n", s);
+  if (verify_address(snew, NULL,
+      vopt_is_recipient /* vopt_fake_sender is the alternative */
+      | vopt_qualify, -1, -1, -1, NULL, NULL, NULL) == OK)
+    *errors_to = snew->address;
+  DEBUG(D_route|D_verify)
+    debug_printf("------ End verifying errors address %s ------\n", s);
+
+  f.address_test_mode = save_address_test_mode;
+  for (i = 0, p = address_expansions; *p; )
+    **p++ = address_expansions_save[i++];
+
+  if (sender_address) sender_address[0] = save1;
+  }
+
+return OK;
+}
+
+/* End of rf_get_errors_address.c */
diff --git a/src/routers/rf_get_munge_headers.c b/src/routers/rf_get_munge_headers.c
new file mode 100644
index 0000000..d304d11
--- /dev/null
+++ b/src/routers/rf_get_munge_headers.c
@@ -0,0 +1,123 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "rf_functions.h"
+
+
+/*************************************************
+*      Get additional headers for a router       *
+*************************************************/
+
+/* This function is called by routers to sort out the additional headers
+and header remove list for a particular address.
+
+Arguments:
+  addr           the input address
+  rblock         the router instance
+  extra_headers  points to where to hang the header chain
+  remove_headers points to where to hang the remove list
+
+Returns:         OK if no problem
+                 DEFER if expanding a string caused a deferment
+                   or a big disaster (e.g. expansion failure)
+*/
+
+int
+rf_get_munge_headers(address_item *addr, router_instance *rblock,
+  header_line **extra_headers, uschar **remove_headers)
+{
+/* Default is to retain existing headers */
+*extra_headers = addr->prop.extra_headers;
+
+if (rblock->extra_headers)
+  {
+  const uschar * list = rblock->extra_headers;
+  int sep = '\n';
+  uschar * s, * t;
+  int slen;
+
+  while ((s = string_nextinlist(&list, &sep, NULL, 0)))
+    if (!(s = expand_string(t = s)))
+      {
+      if (!f.expand_string_forcedfail)
+	{
+	addr->message = string_sprintf(
+	  "%s router failed to expand add_headers item \"%s\": %s",
+	  rblock->name, t, expand_string_message);
+	return DEFER;
+	}
+      }
+    else if ((slen = Ustrlen(s)) > 0)
+      {
+      /* Expand succeeded. Put extra headers at the start of the chain because
+      further down it may point to headers from other routers, which may be
+      shared with other addresses. The output function outputs them in reverse
+      order. */
+
+      header_line *  h = store_get(sizeof(header_line), GET_UNTAINTED);
+
+      /* We used to use string_sprintf() to add the newline if needed, but that
+      causes problems if the header line is exceedingly long (e.g. adding
+      something to a pathologically long line). So avoid it. */
+
+      if (s[slen-1] == '\n')
+	h->text = s;
+      else
+	{
+	h->text = store_get(slen+2, s);
+	memcpy(h->text, s, slen);
+	h->text[slen++] = '\n';
+	h->text[slen] = 0;
+	}
+
+      h->next = *extra_headers;
+      h->type = htype_other;
+      h->slen = slen;
+      *extra_headers = h;
+      }
+  }
+
+/* Default is to retain existing removes */
+*remove_headers = addr->prop.remove_headers;
+
+/* Expand items from colon-sep list separately, then build new list */
+if (rblock->remove_headers)
+  {
+  const uschar * list = rblock->remove_headers;
+  int sep = ':';
+  uschar * s, * t;
+  gstring * g = NULL;
+
+  if (*remove_headers)
+    g = string_cat(NULL, *remove_headers);
+
+  while ((s = string_nextinlist(&list, &sep, NULL, 0)))
+    if (!(s = expand_string(t = s)))
+      {
+      if (!f.expand_string_forcedfail)
+	{
+	addr->message = string_sprintf(
+	  "%s router failed to expand remove_headers item \"%s\": %s",
+	  rblock->name, t, expand_string_message);
+	return DEFER;
+	}
+      }
+    else if (*s)
+      g = string_append_listele(g, ':', s);
+
+  if (g)
+    *remove_headers = g->s;
+  }
+
+return OK;
+}
+
+/* vi: aw ai sw=2
+*/
+/* End of rf_get_munge_headers.c */
diff --git a/src/routers/rf_get_transport.c b/src/routers/rf_get_transport.c
new file mode 100644
index 0000000..2f639e0
--- /dev/null
+++ b/src/routers/rf_get_transport.c
@@ -0,0 +1,97 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "rf_functions.h"
+
+
+/*************************************************
+*       Get transport for a router               *
+*************************************************/
+
+/* If transport_name contains $, it must be expanded each time and used as a
+transport name. Otherwise, look up the transport only if the destination is not
+already set.
+
+Some routers (e.g. accept) insist that their transport option is set at
+initialization time. However, for some (e.g. file_transport in redirect), there
+is no such check, because the transport may not be required. Calls to this
+function from the former type of router have require_name = NULL, because it
+will never be used. NULL is also used in verify_only cases, where a transport
+is not required.
+
+Arguments:
+  tpname        the text of the transport name
+  tpptr         where to put the transport
+  addr          the address being processed
+  router_name   for error messages
+  require_name  used in the error message if transport is unset
+
+Returns:        TRUE if *tpptr is already set and tpname has no '$' in it;
+                TRUE if a transport has been placed in tpptr;
+                FALSE if there's a problem, in which case
+                addr->message contains a message, and addr->basic_errno has
+                ERRNO_BADTRANSPORT set in it.
+*/
+
+BOOL
+rf_get_transport(uschar *tpname, transport_instance **tpptr, address_item *addr,
+  uschar *router_name, uschar *require_name)
+{
+uschar *ss;
+BOOL expandable;
+
+if (!tpname)
+  {
+  if (!require_name) return TRUE;
+  addr->basic_errno = ERRNO_BADTRANSPORT;
+  addr->message = string_sprintf("%s unset in %s router", require_name,
+    router_name);
+  return FALSE;
+  }
+
+expandable = Ustrchr(tpname, '$') != NULL;
+if (*tpptr != NULL && !expandable) return TRUE;
+
+if (expandable)
+  {
+  if (!(ss = expand_string(tpname)))
+    {
+    addr->basic_errno = ERRNO_BADTRANSPORT;
+    addr->message = string_sprintf("failed to expand transport "
+      "\"%s\" in %s router: %s", tpname, router_name, expand_string_message);
+    return FALSE;
+    }
+  if (is_tainted(ss))
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "attempt to use tainted value '%s' from '%s' for transport", ss, tpname);
+    addr->basic_errno = ERRNO_BADTRANSPORT;
+    /* Avoid leaking info to an attacker */
+    addr->message = US"internal configuration error";
+    return FALSE;
+    }
+  }
+else
+  ss = tpname;
+
+for (transport_instance * tp = transports; tp; tp = tp->next)
+  if (Ustrcmp(tp->name, ss) == 0)
+    {
+    DEBUG(D_route) debug_printf("set transport %s\n", ss);
+    *tpptr = tp;
+    return TRUE;
+    }
+
+addr->basic_errno = ERRNO_BADTRANSPORT;
+addr->message = string_sprintf("transport \"%s\" not found in %s router", ss,
+  router_name);
+return FALSE;
+}
+
+/* End of rf_get_transport.c */
diff --git a/src/routers/rf_get_ugid.c b/src/routers/rf_get_ugid.c
new file mode 100644
index 0000000..1735e59
--- /dev/null
+++ b/src/routers/rf_get_ugid.c
@@ -0,0 +1,80 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "rf_functions.h"
+
+
+/*************************************************
+*            Get uid/gid for a router            *
+*************************************************/
+
+/* This function is called by routers to sort out the uid/gid values which are
+passed with an address for use by local transports.
+
+Arguments:
+  rblock       the router block
+  addr         the address being worked on
+  ugid         pointer to a ugid block to fill in
+
+Returns:       TRUE if all goes well, else FALSE
+*/
+
+BOOL
+rf_get_ugid(router_instance *rblock, address_item *addr, ugid_block *ugid)
+{
+struct passwd *upw = NULL;
+
+/* Initialize from fixed values */
+
+ugid->uid = rblock->uid;
+ugid->gid = rblock->gid;
+ugid->uid_set = rblock->uid_set;
+ugid->gid_set = rblock->gid_set;
+ugid->initgroups = rblock->initgroups;
+
+/* If there is no fixed uid set, see if there's a dynamic one that can
+be expanded and possibly looked up. */
+
+if (!ugid->uid_set && rblock->expand_uid != NULL)
+  {
+  if (route_find_expanded_user(rblock->expand_uid, rblock->name, US"router",
+    &upw, &(ugid->uid), &(addr->message))) ugid->uid_set = TRUE;
+  else return FALSE;
+  }
+
+/* Likewise for the gid */
+
+if (!ugid->gid_set && rblock->expand_gid != NULL)
+  {
+  if (route_find_expanded_group(rblock->expand_gid, rblock->name, US"router",
+    &(ugid->gid), &(addr->message))) ugid->gid_set = TRUE;
+  else return FALSE;
+  }
+
+/* If a uid is set, then a gid must also be available; use one from the passwd
+lookup if it happened. */
+
+if (ugid->uid_set && !ugid->gid_set)
+  {
+  if (upw != NULL)
+    {
+    ugid->gid = upw->pw_gid;
+    ugid->gid_set = TRUE;
+    }
+  else
+    {
+    addr->message = string_sprintf("user set without group for %s router",
+      rblock->name);
+    return FALSE;
+    }
+  }
+
+return TRUE;
+}
+
+/* End of rf_get_ugid.c */
diff --git a/src/routers/rf_lookup_hostlist.c b/src/routers/rf_lookup_hostlist.c
new file mode 100644
index 0000000..79a7799
--- /dev/null
+++ b/src/routers/rf_lookup_hostlist.c
@@ -0,0 +1,262 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* Copyright (c) The Exim Maintainers 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "rf_functions.h"
+
+
+
+/*************************************************
+*     Look up IP addresses for a set of hosts    *
+*************************************************/
+
+/* This function is called by a router to fill in the IP addresses for a set of
+hosts that are attached to an address. Each host has its name and MX value set;
+and those that need processing have their address fields set NULL. Multihomed
+hosts cause additional blocks to be inserted into the chain.
+
+This function also supports pseudo-hosts whose names end with "/MX". In this
+case, MX records are looked up for the name, and the list of hosts obtained
+replaces the incoming "host". In other words, "x/MX" is shorthand for "those
+hosts pointed to by x's MX records".
+
+It is also possible for a port to be specified along with the host name or IP
+address. The syntax is to add ":port" on to the end. This doesn't work with
+IPv6 addresses, so we allow IP addresses to be enclosed in [] in order to make
+this work. The specification of the port must come last, that is, after "/MX"
+if that is present.
+
+Arguments:
+  rblock               the router block
+  addr                 the address being routed
+  ignore_target_hosts  list of hosts to ignore
+  lookup_type          LK_DEFAULT or LK_BYNAME or LK_BYDNS,
+		       plus LK_IPV4_{ONLY,PREFER}
+  hff_code             what to do for host find failed
+  addr_new             passed to rf_self_action for self=reroute
+
+Returns:               OK
+                       DEFER host lookup defer
+                       PASS  timeout etc and pass_on_timeout set
+                       self_action: PASS, DECLINE, DEFER, FAIL, FREEZE
+                       hff_code after host find failed
+*/
+
+int
+rf_lookup_hostlist(router_instance *rblock, address_item *addr,
+  uschar *ignore_target_hosts, int lookup_type, int hff_code,
+  address_item **addr_new)
+{
+BOOL self_send = FALSE;
+
+/* Look up each host address. A lookup may add additional items into the chain
+if there are multiple addresses. Hence the use of next_h to start each cycle of
+the loop at the next original host. If any host is identified as being the local
+host, omit it and any subsequent hosts - i.e. treat the list like an ordered
+list of MX hosts. If the first host is the local host, act according to the
+"self" option in the configuration. */
+
+for (host_item * prev = NULL, * h = addr->host_list, *next_h; h; h = next_h)
+  {
+  const uschar *canonical_name;
+  int rc, len, port, mx, sort_key;
+
+  next_h = h->next;
+  if (h->address) { prev = h; continue; }
+
+  DEBUG(D_route|D_host_lookup)
+    debug_printf("finding IP address for %s\n", h->name);
+
+  /* Handle any port setting that may be on the name; it will be removed
+  from the end of the name. */
+
+  port = host_item_get_port(h);
+
+  /* Store the previous mx and sort_key values, which were assigned in
+  host_build_hostlist and will be overwritten by host_find_bydns. */
+
+  mx = h->mx;
+  sort_key = h->sort_key;
+
+  /* If the name ends with "/MX", we interpret it to mean "the list of hosts
+  pointed to by MX records with this name", and the MX record values override
+  the ordering from host_build_hostlist. */
+
+  len = Ustrlen(h->name);
+  if (len > 3 && strcmpic(h->name + len - 3, US"/mx") == 0)
+    {
+    int whichrrs = lookup_type & LK_IPV4_ONLY
+      ? HOST_FIND_BY_MX | HOST_FIND_IPV4_ONLY
+      : lookup_type & LK_IPV4_PREFER
+      ? HOST_FIND_BY_MX | HOST_FIND_IPV4_FIRST
+      : HOST_FIND_BY_MX;
+
+    DEBUG(D_route|D_host_lookup)
+      debug_printf("doing DNS MX lookup for %s\n", h->name);
+
+    mx = MX_NONE;
+    h->name = string_copyn(h->name, len - 3);
+    rc = host_find_bydns(h,
+        ignore_target_hosts,
+        whichrrs,			/* look only for MX records */
+        NULL,				/* SRV service not relevant */
+        NULL,				/* failing srv domains not relevant */
+        NULL,				/* no special mx failing domains */
+        &rblock->dnssec,		/* dnssec request/require */
+        NULL,				/* fully_qualified_name */
+        NULL);				/* indicate local host removed */
+    }
+
+  /* If explicitly configured to look up by name, or if the "host name" is
+  actually an IP address, do a byname lookup. */
+
+  else if (lookup_type & LK_BYNAME || string_is_ip_address(h->name, NULL) != 0)
+    {
+    DEBUG(D_route|D_host_lookup) debug_printf("calling host_find_byname\n");
+    rc = host_find_byname(h, ignore_target_hosts, HOST_FIND_QUALIFY_SINGLE,
+      &canonical_name, TRUE);
+    }
+
+  /* Otherwise, do a DNS lookup. If that yields "host not found", and the
+  lookup type is the default (i.e. "bydns" is not explicitly configured),
+  follow up with a byname lookup, just in case. */
+
+  else
+    {
+    BOOL removed;
+    int whichrrs = lookup_type & LK_IPV4_ONLY
+      ? HOST_FIND_BY_A
+      : lookup_type & LK_IPV4_PREFER
+      ? HOST_FIND_BY_A | HOST_FIND_BY_AAAA | HOST_FIND_IPV4_FIRST
+      : HOST_FIND_BY_A | HOST_FIND_BY_AAAA;
+
+    DEBUG(D_route|D_host_lookup) debug_printf("doing DNS lookup\n");
+    switch (rc = host_find_bydns(h, ignore_target_hosts, whichrrs, NULL,
+	NULL, NULL,
+	&rblock->dnssec,			/* domains for request/require */
+	&canonical_name, &removed))
+      {
+      case HOST_FOUND:
+        if (removed) setflag(addr, af_local_host_removed);
+	break;
+      case HOST_FIND_FAILED:
+	if (lookup_type & LK_DEFAULT)
+	  {
+	  DEBUG(D_route|D_host_lookup)
+	    debug_printf("DNS lookup failed: trying %s\n",
+	      f.running_in_test_harness
+	      ? "host_fake_gethostbyname" : "getipnodebyname");
+	  rc = host_find_byname(h, ignore_target_hosts, HOST_FIND_QUALIFY_SINGLE,
+	    &canonical_name, TRUE);
+	  }
+	break;
+      }
+    }
+
+  /* Temporary failure defers, unless pass_on_timeout is set */
+
+  if (rc == HOST_FIND_SECURITY)
+    {
+    addr->message = string_sprintf("host lookup for %s done insecurely" , h->name);
+    addr->basic_errno = ERRNO_DNSDEFER;
+    return DEFER;
+    }
+  if (rc == HOST_FIND_AGAIN)
+    {
+    if (rblock->pass_on_timeout)
+      {
+      DEBUG(D_route)
+        debug_printf("%s router timed out and pass_on_timeout set\n",
+          rblock->name);
+      return PASS;
+      }
+    addr->message = string_sprintf("host lookup for %s did not complete "
+      "(DNS timeout?)", h->name);
+    addr->basic_errno = ERRNO_DNSDEFER;
+    return DEFER;
+    }
+
+  /* Permanent failure is controlled by host_find_failed */
+
+  if (rc == HOST_FIND_FAILED)
+    {
+    if (hff_code == hff_ignore)
+      {
+      if (prev == NULL) addr->host_list = next_h; else prev->next = next_h;
+      continue;   /* With the next host, leave prev unchanged */
+      }
+
+    if (hff_code == hff_pass) return PASS;
+    if (hff_code == hff_decline) return DECLINE;
+
+    addr->basic_errno = ERRNO_UNKNOWNHOST;
+    addr->message =
+      string_sprintf("lookup of host \"%s\" failed in %s router%s",
+        h->name, rblock->name,
+        f.host_find_failed_syntax? ": syntax error in name" : "");
+
+    if (hff_code == hff_defer) return DEFER;
+    if (hff_code == hff_fail) return FAIL;
+
+    addr->special_action = SPECIAL_FREEZE;
+    return DEFER;
+    }
+
+  /* Deal with the settings that were previously cleared:
+  port, mx and sort_key. */
+
+  if (port != PORT_NONE)
+    for (host_item * hh = h; hh != next_h; hh = hh->next)
+      hh->port = port;
+
+  if (mx != MX_NONE)
+    for (host_item * hh = h; hh != next_h; hh = hh->next)
+      {
+      hh->mx = mx;
+      hh->sort_key = sort_key;
+      }
+
+  /* A local host gets chopped, with its successors, if there are previous
+  hosts. Otherwise the self option is used. If it is set to "send", any
+  subsequent hosts that are also the local host do NOT get chopped. */
+
+  if (rc == HOST_FOUND_LOCAL && !self_send)
+    {
+    if (prev)
+      {
+      DEBUG(D_route)
+        {
+        debug_printf("Removed from host list:\n");
+        for (; h; h = h->next) debug_printf("  %s\n", h->name);
+        }
+      prev->next = NULL;
+      setflag(addr, af_local_host_removed);
+      break;
+      }
+    rc = rf_self_action(addr, h, rblock->self_code, rblock->self_rewrite,
+      rblock->self, addr_new);
+    if (rc != OK)
+      {
+      addr->host_list = NULL;   /* Kill the host list for */
+      return rc;                /* anything other than "send" */
+      }
+    self_send = TRUE;
+    }
+
+  /* Ensure that prev is the host before next_h; this will not be h if a lookup
+  found multiple addresses or multiple MX records. */
+
+  prev = h;
+  while (prev->next != next_h) prev = prev->next;
+  }
+
+return OK;
+}
+
+/* End of rf_lookup_hostlist.c */
diff --git a/src/routers/rf_queue_add.c b/src/routers/rf_queue_add.c
new file mode 100644
index 0000000..0693c8c
--- /dev/null
+++ b/src/routers/rf_queue_add.c
@@ -0,0 +1,109 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "rf_functions.h"
+
+
+/*************************************************
+*        Queue address for transport             *
+*************************************************/
+
+/* This function is called to put an address onto the local or remote transport
+queue, as appropriate. When the driver is for verifying only, a transport need
+not be set, in which case it doesn't actually matter which queue the address
+gets put on.
+
+The generic uid/gid options are inspected and put into the address if they are
+set. For a remote transport, if there are fallback hosts, they are added to the
+address.
+
+Arguments:
+  addr          the address, with the transport field set (if not verify only)
+  paddr_local   pointer to the anchor of the local transport chain
+  paddr_remote  pointer to the anchor of the remote transport chain
+  rblock        the router block
+  pw            password entry if check_local_user was set, or NULL
+
+Returns:        FALSE on error; the only case is failing to get a uid/gid
+*/
+
+BOOL
+rf_queue_add(address_item *addr, address_item **paddr_local,
+  address_item **paddr_remote, router_instance *rblock, struct passwd *pw)
+{
+addr->prop.domain_data = deliver_domain_data;         /* Save these values for */
+addr->prop.localpart_data = deliver_localpart_data;   /* use in the transport */
+
+/* Handle a local transport */
+
+if (addr->transport && addr->transport->info->local)
+  {
+  ugid_block ugid;
+
+  /* Default uid/gid and transport-time home directory are from the passwd file
+  when check_local_user is set, but can be overridden by explicit settings.
+  When getting the home directory out of the password information, set the
+  flag that prevents expansion later. */
+
+  if (pw)
+    {
+    addr->uid = pw->pw_uid;
+    addr->gid = pw->pw_gid;
+    setflag(addr, af_uid_set);
+    setflag(addr, af_gid_set);
+    setflag(addr, af_home_expanded);
+    addr->home_dir = string_copy(US pw->pw_dir);
+    }
+
+  if (!rf_get_ugid(rblock, addr, &ugid)) return FALSE;
+  rf_set_ugid(addr, &ugid);
+
+  /* transport_home_directory (in rblock->home_directory) takes priority;
+  otherwise use the expanded value of router_home_directory. The flag also
+  tells the transport not to re-expand it. */
+
+  if (rblock->home_directory)
+    {
+    addr->home_dir = rblock->home_directory;
+    clearflag(addr, af_home_expanded);
+    }
+  else if (!addr->home_dir && testflag(addr, af_home_expanded))
+    addr->home_dir = deliver_home;
+
+  addr->current_dir = rblock->current_directory;
+
+  addr->next = *paddr_local;
+  *paddr_local = addr;
+  }
+
+/* For a remote transport, set up the fallback host list, and keep a count of
+the total number of addresses routed to remote transports. */
+
+else
+  {
+  addr->fallback_hosts = rblock->fallback_hostlist;
+  addr->next = *paddr_remote;
+  *paddr_remote = addr;
+  remote_delivery_count++;
+  }
+
+DEBUG(D_route)
+  {
+  debug_printf("queued for %s transport: local_part = %s\ndomain = %s\n"
+    "  errors_to=%s\n",
+    addr->transport ? addr->transport->name : US"<unset>",
+    addr->local_part, addr->domain, addr->prop.errors_address);
+  debug_printf("  domain_data=%s local_part_data=%s\n", addr->prop.domain_data,
+    addr->prop.localpart_data);
+  }
+
+return TRUE;
+}
+
+/* End of rf_queue_add.c */
diff --git a/src/routers/rf_self_action.c b/src/routers/rf_self_action.c
new file mode 100644
index 0000000..9a4dc3c
--- /dev/null
+++ b/src/routers/rf_self_action.c
@@ -0,0 +1,123 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "rf_functions.h"
+
+
+
+/*************************************************
+*        Decode actions for self reference       *
+*************************************************/
+
+/* This function is called from a number of routers on receiving
+HOST_FOUND_LOCAL when looking up a supposedly remote host. The action is
+controlled by a generic configuration option called "self" on each router,
+which can be one of:
+
+   . freeze:                       Log the incident, freeze, and return DEFER
+
+   . defer:                        Log the incident and return DEFER
+
+   . fail:                         Fail the address
+
+   . send:                         Carry on with the delivery regardless -
+                                   this makes sense only if the SMTP
+                                   listener on this machine is a differently
+                                   configured MTA
+
+   . pass:                         The router passes; the address
+                                   gets passed to the next router, overriding
+                                   the setting of no_more
+
+   . reroute:<new-domain>          Change the domain to the given domain
+                                   and return REROUTE so it gets passed back
+                                   to the routers.
+
+   . reroute:rewrite:<new-domain>  The same, but headers containing the
+                                   old domain get rewritten.
+
+These string values are interpreted earlier on, and passed into this function
+as the values of "code" and "rewrite".
+
+Arguments:
+  addr       the address being routed
+  host       the host that is local, with MX set (or -1 if MX not used)
+  code       the action to be taken (one of the self_xxx enums)
+  rewrite    TRUE if rewriting headers required for REROUTED
+  new        new domain to be used for REROUTED
+  addr_new   child chain for REROUTEED
+
+Returns:   DEFER, REROUTED, PASS, FAIL, or OK, according to the value of code.
+*/
+
+int
+rf_self_action(address_item *addr, host_item *host, int code, BOOL rewrite,
+  uschar *new, address_item **addr_new)
+{
+uschar * msg = host->mx >= 0
+  ? US"lowest numbered MX record points to local host"
+  : US"remote host address is the local host";
+
+switch (code)
+  {
+  case self_freeze:
+
+    /* If there is no message id, this is happening during an address
+    verification, so give information about the address that is being verified,
+    and where it has come from. Otherwise, during message delivery, the normal
+    logging for the address will be sufficient. */
+
+    if (message_id[0] == 0)
+      if (sender_fullhost)
+	log_write(0, LOG_MAIN, "%s: %s (while verifying <%s> from host %s)",
+	  msg, addr->domain, addr->address, sender_fullhost);
+      else
+	log_write(0, LOG_MAIN, "%s: %s (while routing <%s>)", msg,
+	  addr->domain, addr->address);
+    else
+      log_write(0, LOG_MAIN, "%s: %s", msg, addr->domain);
+
+    addr->message = msg;
+    addr->special_action = SPECIAL_FREEZE;
+    return DEFER;
+
+  case self_defer:
+    addr->message = msg;
+    return DEFER;
+
+  case self_reroute:
+    DEBUG(D_route)
+      debug_printf("%s: %s: domain changed to %s\n", msg, addr->domain, new);
+    rf_change_domain(addr, new, rewrite, addr_new);
+    return REROUTED;
+
+  case self_send:
+    DEBUG(D_route)
+      debug_printf("%s: %s: configured to try delivery anyway\n", msg, addr->domain);
+    return OK;
+
+  case self_pass:    /* This is soft failure; pass to next router */
+    DEBUG(D_route)
+      debug_printf("%s: %s: passed to next router (self = pass)\n", msg, addr->domain);
+    addr->message = msg;
+    addr->self_hostname = string_copy(host->name);
+    return PASS;
+
+  case self_fail:
+    DEBUG(D_route)
+      debug_printf("%s: %s: address failed (self = fail)\n", msg, addr->domain);
+    addr->message = msg;
+    setflag(addr, af_pass_message);
+    return FAIL;
+  }
+
+return DEFER;   /* paranoia */
+}
+
+/* End of rf_self_action.c */
diff --git a/src/routers/rf_set_ugid.c b/src/routers/rf_set_ugid.c
new file mode 100644
index 0000000..e1346b4
--- /dev/null
+++ b/src/routers/rf_set_ugid.c
@@ -0,0 +1,44 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "rf_functions.h"
+
+
+/*************************************************
+*      Set uid/gid from block into address       *
+*************************************************/
+
+/* This function copies any set uid or gid from a ugid block into an
+address.
+
+Arguments:
+  addr        the address
+  ugid        the ugid block
+
+Returns:      nothing
+*/
+
+void
+rf_set_ugid(address_item *addr, ugid_block *ugid)
+{
+if (ugid->uid_set)
+  {
+  addr->uid = ugid->uid;
+  setflag(addr, af_uid_set);
+  }
+
+if (ugid->gid_set)
+  {
+  addr->gid = ugid->gid;
+  setflag(addr, af_gid_set);
+  }
+
+if (ugid->initgroups) setflag(addr, af_initgroups);
+}
+
+/* End of rf_set_ugid.c */
diff --git a/src/search.c b/src/search.c
new file mode 100644
index 0000000..eec5437
--- /dev/null
+++ b/src/search.c
@@ -0,0 +1,967 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* A set of functions to search databases in various formats. An open
+database is represented by a void * value which is returned from a lookup-
+specific "open" function. These are now all held in individual modules in the
+lookups subdirectory and the functions here form a generic interface.
+
+Caching is used to improve performance. Open files are cached until a tidyup
+function is called, and for each file the result of the last lookup is cached.
+However, if too many files are opened, some of those that are not in use have
+to be closed. Those open items that use real files are kept on a LRU chain to
+help with this.
+
+All the data is held in permanent store so as to be independent of the stacking
+pool that is reset from time to time. In fact, we use malloc'd store so that it
+can be freed when the caches are tidied up. It isn't actually clear whether
+this is a benefit or not, to be honest. */
+
+#include "exim.h"
+
+
+/* Tree in which to cache open files until tidyup called. */
+
+static tree_node *search_tree = NULL;
+
+/* Two-way chain of open databases that use real files. This is maintained in
+recently-used order for the purposes of closing the least recently used when
+too many files are open. */
+
+static tree_node *open_top = NULL;
+static tree_node *open_bot = NULL;
+
+/* Count of open databases that use real files */
+
+static int open_filecount = 0;
+
+/* Allow us to reset store used for lookups and lookup caching */
+
+static rmark search_reset_point = NULL;
+
+
+
+/*************************************************
+*      Validate a plain lookup type name         *
+*************************************************/
+
+/* Only those names that are recognized and whose code is included in the
+binary give an OK response. Use a binary chop search now that the list has got
+so long.
+
+Arguments:
+  name       lookup type name - not necessarily zero terminated (e.g. dbm*)
+  len        length of the name
+
+Returns:     +ve => valid lookup name; value is offset in lookup_list
+             -ve => invalid name; message in search_error_message.
+*/
+
+int
+search_findtype(const uschar * name, int len)
+{
+for (int bot = 0, top = lookup_list_count; top > bot; )
+  {
+  int mid = (top + bot)/2;
+  int c = Ustrncmp(name, lookup_list[mid]->name, len);
+
+  /* If c == 0 we have matched the incoming name with the start of the search
+  type name. However, some search types are substrings of others (e.g. nis and
+  nisplus) so we need to check that the lengths are the same. The length of the
+  type name cannot be shorter (else c would not be 0); if it is not equal it
+  must be longer, and in that case, the incoming name comes before the name we
+  are testing. By leaving c == 0 when the lengths are different, and doing a
+  > 0 test below, this all falls out correctly. */
+
+  if (c == 0 && Ustrlen(lookup_list[mid]->name) == len)
+    {
+    if (lookup_list[mid]->find != NULL) return mid;
+    search_error_message  = string_sprintf("lookup type \"%.*s\" is not "
+      "available (not in the binary - check buildtime LOOKUP configuration)",
+      len, name);
+    return -1;
+    }
+
+  if (c > 0) bot = mid + 1; else top = mid;
+  }
+
+search_error_message = string_sprintf("unknown lookup type \"%.*s\"", len, name);
+return -1;
+}
+
+
+
+/*************************************************
+*       Validate a full lookup type name         *
+*************************************************/
+
+/* This function recognizes the "partial-" prefix and also terminating * and *@
+suffixes.
+
+Arguments:
+  name         the full lookup type name
+  ptypeptr     where to put the partial type
+                 after subtraction of 1024 or 2048:
+                   negative     => no partial matching
+                   non-negative => minimum number of non-wild components
+  ptypeaff     where to put a pointer to the affix
+                 the affix is within name if supplied therein
+                 otherwise it's a literal string
+  afflen       the length of the affix
+  starflags    where to put the SEARCH_STAR and SEARCH_STARAT flags
+  opts	       where to put the options
+
+Returns:     +ve => valid lookup name; value is offset in lookup_list
+             -ve => invalid name; message in search_error_message.
+*/
+
+int
+search_findtype_partial(const uschar *name, int *ptypeptr, const uschar **ptypeaff,
+  int *afflen, int *starflags, const uschar ** opts)
+{
+int len, stype;
+int pv = -1;
+const uschar *ss = name;
+const uschar * t;
+
+*starflags = 0;
+*ptypeaff = NULL;
+
+/* Check for a partial matching type. It must start with "partial", optionally
+followed by a sequence of digits. If this is followed by "-", the affix is the
+default "*." string. Otherwise we expect an affix in parentheses. Affixes are a
+limited number of characters, not including parens. */
+
+if (Ustrncmp(name, "partial", 7) == 0)
+  {
+  ss += 7;
+  if (isdigit (*ss))
+    {
+    pv = 0;
+    while (isdigit(*ss)) pv = pv*10 + *ss++ - '0';
+    }
+  else pv = 2;         /* Default number of wild components */
+
+  if (*ss == '(')
+    {
+    *ptypeaff = ++ss;
+    while (ispunct(*ss) && *ss != ')') ss++;
+    if (*ss != ')') goto BAD_TYPE;
+    *afflen = ss++ - *ptypeaff;
+    }
+  else if (*ss++ == '-')
+    {
+    *ptypeaff = US "*.";
+    *afflen = 2;
+    }
+  else
+    {
+    BAD_TYPE:
+    search_error_message = string_sprintf("format error in lookup type \"%s\"",
+      name);
+    return -1;
+    }
+  }
+
+/* Now we are left with a lookup name, possibly followed by * or *@,
+and then by options starting with a "," */
+
+len = Ustrlen(ss);
+if ((t = Ustrchr(ss, '*')))
+  {
+  len = t - ss;
+  *starflags |= (t[1] == '@' ? SEARCH_STARAT : SEARCH_STAR);
+  }
+else
+  t = ss;
+
+if ((t = Ustrchr(t, ',')))
+  {
+  int l = t - ss;
+  if (l < len) len = l;
+  *opts = string_copy(t+1);
+  }
+else
+  *opts = NULL;
+
+/* Check for the individual search type. Only those that are actually in the
+binary are valid. For query-style types, "partial" and default types are
+erroneous. */
+
+stype = search_findtype(ss, len);
+if (stype >= 0 && mac_islookup(stype, lookup_querystyle))
+  {
+  if (pv >= 0)
+    {
+    search_error_message = string_sprintf("\"partial\" is not permitted "
+      "for lookup type \"%s\"", ss);
+    return -1;
+    }
+  if ((*starflags & (SEARCH_STAR|SEARCH_STARAT)) != 0)
+    {
+    search_error_message = string_sprintf("defaults using \"*\" or \"*@\" are "
+      "not permitted for lookup type \"%s\"", ss);
+    return -1;
+    }
+  }
+
+*ptypeptr = pv;
+return stype;
+}
+
+
+/* Set the parameters for the three different kinds of lookup.
+Arguments:
+ search_type	the search-type code
+ search		the search-type string
+ query		argument for the search; filename or query
+ fnamep		pointer to return filename
+ opts		options
+
+Return:	keyquery	the search-type (for single-key) or query (for query-type)
+ */
+uschar *
+search_args(int search_type, uschar * search, uschar * query, uschar ** fnamep,
+  const uschar * opts)
+{
+Uskip_whitespace(&query);
+if (mac_islookup(search_type, lookup_absfilequery))
+  {					/* query-style but with file (sqlite) */
+  int sep = ',';
+
+  /* Check options first for new-style file spec */
+  if (opts) for (uschar * s; s = string_nextinlist(&opts, &sep, NULL, 0); )
+    if (Ustrncmp(s, "file=", 5) == 0)
+      {
+      *fnamep = s+5;
+      return query;
+      }
+
+  /* If no filename from options, use old-tyle space-sep prefix on query */
+  if (*query == '/')
+    {
+    uschar * s = query;
+    while (*query && !isspace(*query)) query++;
+    *fnamep = string_copyn(s, query - s);
+    Uskip_whitespace(&query);
+    }
+  else
+    *fnamep = NULL;
+  return query;		/* remainder after file skipped */
+  }
+if (!mac_islookup(search_type, lookup_querystyle))
+  {					/* single-key */
+  *fnamep = query;
+  return search;	/* modifiers important so use "keyquery" for them */
+  }
+*fnamep = NULL;				/* else query-style */
+return query;
+}
+
+
+
+/*************************************************
+*               Release cached resources         *
+*************************************************/
+
+/* When search_open is called it caches the "file" that it opens in
+search_tree. The name of the tree node is a concatenation of the search type
+with the file name. For query-style lookups, the file name is empty. Real files
+are normally closed only when this tidyup routine is called, typically at the
+end of sections of code where a number of lookups might occur. However, if too
+many files are open simultaneously, some get closed beforehand. They can't be
+removed from the tree. There is also a general tidyup function which is called
+for the lookup driver, if it exists.
+
+First, there is an internal, recursive subroutine.
+
+Argument:    a pointer to a search_openfile tree node
+Returns:     nothing
+*/
+
+static void
+tidyup_subtree(tree_node *t)
+{
+search_cache * c = (search_cache *)(t->data.ptr);
+if (t->left)  tidyup_subtree(t->left);
+if (t->right) tidyup_subtree(t->right);
+if (c && c->handle && lookup_list[c->search_type]->close)
+  lookup_list[c->search_type]->close(c->handle);
+}
+
+
+/* The external entry point
+
+Argument: none
+Returns:  nothing
+*/
+
+void
+search_tidyup(void)
+{
+int old_pool = store_pool;
+
+DEBUG(D_lookup) debug_printf_indent("search_tidyup called\n");
+
+/* Close individually each cached open file. */
+
+store_pool = POOL_SEARCH;
+if (search_tree)
+  {
+  tidyup_subtree(search_tree);
+  search_tree = NULL;
+  }
+open_top = open_bot = NULL;
+open_filecount = 0;
+
+/* Call the general tidyup entry for any drivers that have one. */
+
+for (int i = 0; i < lookup_list_count; i++) if (lookup_list[i]->tidy)
+  (lookup_list[i]->tidy)();
+
+if (search_reset_point) search_reset_point = store_reset(search_reset_point);
+store_pool = old_pool;
+}
+
+
+
+
+/*************************************************
+*             Open search database               *
+*************************************************/
+
+/* A mode, and lists of owners and groups, are passed over for checking in
+the cases where the database is one or more files. Return NULL, with a message
+pointed to by message, in cases of error.
+
+For search types that use a file or files, check up on the mode after
+opening. It is tempting to do a stat before opening the file, and use it as
+an existence check. However, doing that opens a small security loophole in
+that the status could be changed before the file is opened. Can't quite see
+what problems this might lead to, but you can't be too careful where security
+is concerned. Fstat() on an open file can normally be expected to succeed,
+but there are some NFS states where it does not.
+
+There are two styles of query: (1) in the "single-key+file" style, a single
+key string and a file name are given, for example, for linear searches, DBM
+files, or for NIS. (2) In the "query" style, no "filename" is given; instead
+just a single query string is passed. This applies to multiple-key lookup
+types such as NIS+.
+
+Before opening, scan the tree of cached files to see if this file is already
+open for the correct search type. If so, return the saved handle. If not, put
+the handle in the tree for possible subsequent use. See search_tidyup above for
+closing all the cached files.
+
+A count of open databases which use real files is maintained, and if this
+gets too large, we have to close a cached file. Its entry remains in the tree,
+but is marked closed.
+
+Arguments:
+  filename       the name of the file for single-key+file style lookups,
+                 NULL for query-style lookups
+  search_type    the type of search required
+  modemask       if a real single file is used, this specifies mode bits that
+                 must not be set; otherwise it is ignored
+  owners         if a real single file is used, this specifies the possible
+                 owners of the file; otherwise it is ignored
+  owngroups      if a real single file is used, this specifies the possible
+                 group owners of the file; otherwise it is ignored
+
+Returns:         an identifying handle for the open database;
+                 this is the pointer to the tree block in the
+                 cache of open files; return NULL on open failure, with
+                 a message in search_error_message
+*/
+
+void *
+search_open(const uschar * filename, int search_type, int modemask,
+  uid_t * owners, gid_t * owngroups)
+{
+void *handle;
+tree_node *t;
+search_cache *c;
+lookup_info *lk = lookup_list[search_type];
+uschar keybuffer[256];
+int old_pool = store_pool;
+
+if (filename && is_tainted(filename))
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "Tainted filename for search: '%s'", filename);
+  return NULL;
+  }
+
+/* Change to the search store pool and remember our reset point */
+
+store_pool = POOL_SEARCH;
+if (!search_reset_point) search_reset_point = store_mark();
+
+DEBUG(D_lookup) debug_printf_indent("search_open: %s \"%s\"\n", lk->name,
+  filename ? filename : US"NULL");
+
+/* See if we already have this open for this type of search, and if so,
+pass back the tree block as the handle. The key for the tree node is the search
+type plus '0' concatenated with the file name. There may be entries in the tree
+with closed files if a lot of files have been opened. */
+
+sprintf(CS keybuffer, "%c%.254s", search_type + '0',
+  filename ? filename : US"");
+
+if ((t = tree_search(search_tree, keybuffer)))
+  {
+  if ((c = (search_cache *)t->data.ptr)->handle)
+    {
+    DEBUG(D_lookup) debug_printf_indent("  cached open\n");
+    store_pool = old_pool;
+    return t;
+    }
+  DEBUG(D_lookup) debug_printf_indent("  cached closed\n");
+  }
+
+/* Otherwise, we need to open the file or database - each search type has its
+own code, which is now split off into separately compiled modules. Before doing
+this, if the search type is one that uses real files, check on the number that
+we are holding open in the cache. If the limit is reached, close the least
+recently used one. */
+
+if (lk->type == lookup_absfile && open_filecount >= lookup_open_max)
+  if (!open_bot)
+    log_write(0, LOG_MAIN|LOG_PANIC, "too many lookups open, but can't find "
+      "one to close");
+  else
+    {
+    search_cache *c = (search_cache *)(open_bot->data.ptr);
+    DEBUG(D_lookup) debug_printf_indent("Too many lookup files open\n  closing %s\n",
+      open_bot->name);
+    if ((open_bot = c->up))
+      ((search_cache *)(open_bot->data.ptr))->down = NULL;
+    else
+      open_top = NULL;
+    ((lookup_list[c->search_type])->close)(c->handle);
+    c->handle = NULL;
+    open_filecount--;
+    }
+
+/* If opening is successful, call the file-checking function if there is one,
+and if all is still well, enter the open database into the tree. */
+
+if (!(handle = (lk->open)(filename, &search_error_message)))
+  {
+  store_pool = old_pool;
+  return NULL;
+  }
+
+if (  lk->check
+   && !lk->check(handle, filename, modemask, owners, owngroups,
+	 &search_error_message))
+  {
+  lk->close(handle);
+  store_pool = old_pool;
+  return NULL;
+  }
+
+/* If this is a search type that uses real files, keep count. */
+
+if (lk->type == lookup_absfile) open_filecount++;
+
+/* If we found a previously opened entry in the tree, re-use it; otherwise
+insert a new entry. On re-use, leave any cached lookup data and the lookup
+count alone. */
+
+if (!t)
+  {
+  t = store_get(sizeof(tree_node) + Ustrlen(keybuffer), GET_UNTAINTED);
+  t->data.ptr = c = store_get(sizeof(search_cache), GET_UNTAINTED);
+  c->item_cache = NULL;
+  Ustrcpy(t->name, keybuffer);
+  tree_insertnode(&search_tree, t);
+  }
+else c = t->data.ptr;
+
+c->handle = handle;
+c->search_type = search_type;
+c->up = c->down = NULL;
+
+store_pool = old_pool;
+return t;
+}
+
+
+
+
+
+/*************************************************
+*  Internal function: Find one item in database  *
+*************************************************/
+
+/* The answer is always put into dynamic store. The last lookup for each handle
+is cached.
+
+Arguments:
+  handle       the handle from search_open; points to tree node
+  filename     the filename that was handed to search_open, or
+               NULL for query-style searches
+  keystring    the keystring for single-key+file lookups, or
+               the querystring for query-style lookups
+  cache_rd     FALSE to avoid lookup in cache layer
+  opts	       type-specific options
+
+Returns:       a pointer to a dynamic string containing the answer,
+               or NULL if the query failed or was deferred; in the
+               latter case, search_find_defer is set TRUE; after an unusual
+               failure, there may be a message in search_error_message.
+*/
+
+static uschar *
+internal_search_find(void * handle, const uschar * filename, uschar * keystring,
+  BOOL cache_rd, const uschar * opts)
+{
+tree_node * t = (tree_node *)handle;
+search_cache * c = (search_cache *)(t->data.ptr);
+expiring_data * e = NULL;	/* compiler quietening */
+uschar * data = NULL;
+int search_type = t->name[0] - '0';
+int old_pool = store_pool;
+
+/* Lookups that return DEFER may not always set an error message. So that
+the callers don't have to test for NULL, set an empty string. */
+
+search_error_message = US"";
+f.search_find_defer = FALSE;
+
+DEBUG(D_lookup) debug_printf_indent("internal_search_find: file=\"%s\"\n  "
+  "type=%s key=\"%s\" opts=%s%s%s\n", filename,
+  lookup_list[search_type]->name, keystring,
+  opts ? "\"" : "", opts, opts ? "\"" : "");
+
+/* Insurance. If the keystring is empty, just fail. */
+
+if (keystring[0] == 0) return NULL;
+
+/* Use the special store pool for search data */
+
+store_pool = POOL_SEARCH;
+
+/* Look up the data for the key, unless it is already in the cache for this
+file. No need to check c->item_cache for NULL, tree_search will do so. Check
+whether we want to use the cache entry last so that we can always replace it. */
+
+if (  (t = tree_search(c->item_cache, keystring))
+   && (!(e = t->data.ptr)->expiry || e->expiry > time(NULL))
+   && (!opts && !e->opts  ||  opts && e->opts && Ustrcmp(opts, e->opts) == 0)
+   && cache_rd
+   )
+  { /* Data was in the cache already; set the pointer from the tree node */
+  data = e->data.ptr;
+  DEBUG(D_lookup) debug_printf_indent("cached data used for lookup of %s%s%s\n",
+    keystring,
+    filename ? US"\n  in " : US"", filename ? filename : US"");
+  }
+else
+  {
+  uint do_cache = UINT_MAX;
+  int keylength = Ustrlen(keystring);
+
+  DEBUG(D_lookup)
+    {
+    if (t)
+      debug_printf_indent("cached data found but %s; ",
+	e->expiry && e->expiry <= time(NULL) ? "out-of-date"
+	: cache_rd ? "wrong opts" : "no_rd option set");
+    debug_printf_indent("%s lookup required for %s%s%s\n",
+      filename ? US"file" : US"database",
+      keystring,
+      filename ? US"\n  in " : US"", filename ? filename : US"");
+    if (!filename && is_tainted(keystring))
+      {
+      debug_printf_indent("                             ");
+      debug_print_taint(keystring);
+      }
+    }
+
+  /* Check that the query, for query-style lookups,
+  is either untainted or properly quoted for the lookup type.
+
+  XXX Should we this move into lf_sqlperform() ?  The server-taint check is there.
+  */
+
+  if (  !filename && lookup_list[search_type]->quote
+     && is_tainted(keystring) && !is_quoted_like(keystring, search_type))
+    {
+    uschar * s = acl_current_verb();
+    if (!s) s = authenticator_current_name();	/* must be before transport */
+    if (!s) s = transport_current_name();	/* must be before router */
+    if (!s) s = router_current_name();	/* GCC ?: would be good, but not in clang */
+    if (!s) s = US"";
+#ifdef enforce_quote_protection_notyet
+    search_error_message = string_sprintf(
+      "tainted search query is not properly quoted%s: %s%s",
+      s, keystring);
+    f.search_find_defer = TRUE;
+#else
+     {
+      int q = quoter_for_address(keystring);
+      /* If we're called from a transport, no privs to open the paniclog;
+      the logging punts to using stderr - and that seems to stop the debug
+      stream. */
+      log_write(0,
+	transport_name ? LOG_MAIN : LOG_MAIN|LOG_PANIC,
+	"tainted search query is not properly quoted%s: %s", s, keystring);
+
+      DEBUG(D_lookup) debug_printf_indent("search_type %d (%s) quoting %d (%s)\n",
+	search_type, lookup_list[search_type]->name,
+	q, is_real_quoter(q) ? lookup_list[q]->name : US"none");
+     }
+#endif
+    }
+
+  /* Call the code for the different kinds of search. DEFER is handled
+  like FAIL, except that search_find_defer is set so the caller can
+  distinguish if necessary. */
+
+  if (lookup_list[search_type]->find(c->handle, filename, keystring, keylength,
+	  &data, &search_error_message, &do_cache, opts) == DEFER)
+    f.search_find_defer = TRUE;
+
+  /* A record that has been found is now in data, which is either NULL
+  or points to a bit of dynamic store. Cache the result of the lookup if
+  caching is permitted. Lookups can disable caching, when they did something
+  that changes their data. The mysql and pgsql lookups do this when an
+  UPDATE/INSERT query was executed.  Lookups can also set a TTL for the
+  cache entry; the dnsdb lookup does.
+  Finally, the caller can request no caching by setting an option. */
+
+  else if (do_cache)
+    {
+    DEBUG(D_lookup) debug_printf_indent("%s cache entry\n",
+      t ? "replacing old" : "creating new");
+    if (!t)	/* No existing entry.  Create new one. */
+      {
+      int len = keylength + 1;
+      /* The cache node value should never be expanded so use tainted mem */
+      e = store_get(sizeof(expiring_data) + sizeof(tree_node) + len, GET_TAINTED);
+      t = (tree_node *)(e+1);
+      memcpy(t->name, keystring, len);
+      t->data.ptr = e;
+      tree_insertnode(&c->item_cache, t);
+      }
+      /* Else previous, out-of-date cache entry.  Update with the */
+      /* new result and forget the old one */
+    e->expiry = do_cache == UINT_MAX ? 0 : time(NULL)+do_cache;
+    e->opts = opts ? string_copy(opts) : NULL;
+    e->data.ptr = data;
+    }
+
+/* If caching was disabled, empty the cache tree. We just set the cache
+pointer to NULL here, because we cannot release the store at this stage. */
+
+  else
+    {
+    DEBUG(D_lookup) debug_printf_indent("lookup forced cache cleanup\n");
+    c->item_cache = NULL; 	/* forget all lookups on this connection */
+    }
+  }
+
+DEBUG(D_lookup)
+  {
+  if (data)
+    debug_printf_indent("lookup yielded: %s\n", data);
+  else if (f.search_find_defer)
+    debug_printf_indent("lookup deferred: %s\n", search_error_message);
+  else debug_printf_indent("lookup failed\n");
+  }
+
+/* Return it in new dynamic store in the regular pool */
+
+store_pool = old_pool;
+return data ? string_copy(data) : NULL;
+}
+
+
+
+
+/*************************************************
+* Find one item in database, possibly wildcarded *
+*************************************************/
+
+/* This function calls the internal function above; once only if there
+is no partial matching, but repeatedly when partial matching is requested.
+
+Arguments:
+  handle         the handle from search_open
+  filename       the filename that was handed to search_open, or
+                   NULL for query-style searches
+  keystring      the keystring for single-key+file lookups, or
+                   the querystring for query-style lookups
+  partial        -1 means no partial matching;
+                   otherwise it's the minimum number of components;
+  affix          the affix string for partial matching
+  affixlen       the length of the affix string
+  starflags      SEARCH_STAR and SEARCH_STARAT flags
+  expand_setup   pointer to offset for setting up expansion strings;
+                 don't do any if < 0
+  opts		 type-specific options
+
+Returns:         a pointer to a dynamic string containing the answer,
+                 or NULL if the query failed or was deferred; in the
+                 latter case, search_find_defer is set TRUE
+*/
+
+uschar *
+search_find(void * handle, const uschar * filename, uschar * keystring,
+  int partial, const uschar * affix, int affixlen, int starflags,
+  int * expand_setup, const uschar * opts)
+{
+tree_node * t = (tree_node *)handle;
+BOOL set_null_wild = FALSE, cache_rd = TRUE, ret_key = FALSE;
+uschar * yield;
+
+DEBUG(D_lookup)
+  {
+  if (partial < 0) affixlen = 99;   /* So that "NULL" prints */
+  debug_printf_indent("search_find: file=\"%s\"\n  key=\"%s\" "
+    "partial=%d affix=%.*s starflags=%x opts=%s%s%s\n",
+    filename ? filename : US"NULL",
+    keystring, partial, affixlen, affix, starflags,
+    opts ? "\"" : "", opts, opts ? "\"" : "");
+
+  }
+
+/* Parse global lookup options. Also, create a new options list with
+the global options dropped so that the cache-modifiers are not
+used in the cache key. */
+
+if (opts)
+  {
+  int sep = ',';
+  gstring * g = NULL;
+
+  for (uschar * ele; ele = string_nextinlist(&opts, &sep, NULL, 0); )
+    if (Ustrcmp(ele, "ret=key") == 0) ret_key = TRUE;
+    else if (Ustrcmp(ele, "cache=no_rd") == 0) cache_rd = FALSE;
+    else g = string_append_listele(g, ',', ele);
+
+  opts = string_from_gstring(g);
+  }
+
+/* Arrange to put this database at the top of the LRU chain if it is a type
+that opens real files. */
+
+if (  open_top != (tree_node *)handle 
+   && lookup_list[t->name[0]-'0']->type == lookup_absfile)
+  {
+  search_cache *c = (search_cache *)(t->data.ptr);
+  tree_node *up = c->up;
+  tree_node *down = c->down;
+
+  /* Cut it out of the list. A newly opened file will a NULL up pointer.
+  Otherwise there will be a non-NULL up pointer, since we checked above that
+  this block isn't already at the top of the list. */
+
+  if (up)
+    {
+    ((search_cache *)(up->data.ptr))->down = down;
+    if (down)
+      ((search_cache *)(down->data.ptr))->up = up;
+    else
+      open_bot = up;
+    }
+
+  /* Now put it at the head of the list. */
+
+  c->up = NULL;
+  c->down = open_top;
+  if (!open_top) open_bot = t;
+  else ((search_cache *)(open_top->data.ptr))->up = t;
+  open_top = t;
+  }
+
+DEBUG(D_lookup)
+  {
+  debug_printf_indent("LRU list:\n");
+  for (tree_node *t = open_top; t; )
+    {
+    search_cache *c = (search_cache *)(t->data.ptr);
+    debug_printf_indent("  %s\n", t->name);
+    if (t == open_bot) debug_printf_indent("  End\n");
+    t = c->down;
+    }
+  }
+
+/* First of all, try to match the key string verbatim. If matched a complete
+entry but could have been partial, flag to set up variables. */
+
+yield = internal_search_find(handle, filename, keystring, cache_rd, opts);
+if (f.search_find_defer) return NULL;
+
+if (yield) { if (partial >= 0) set_null_wild = TRUE; }
+
+/* Not matched a complete entry; handle partial lookups, but only if the full
+search didn't defer. Don't use string_sprintf() to construct the initial key,
+just in case the original key is too long for the string_sprintf() buffer (it
+*has* happened!). The case of a zero-length affix has to be treated specially.
+*/
+
+else if (partial >= 0)
+  {
+  int len = Ustrlen(keystring);
+  uschar *keystring2;
+
+  /* Try with the affix on the front, except for a zero-length affix */
+
+  if (affixlen == 0) keystring2 = keystring; else
+    {
+    keystring2 = store_get(len + affixlen + 1,
+	  is_tainted(keystring) || is_tainted(affix) ? GET_TAINTED : GET_UNTAINTED);
+    Ustrncpy(keystring2, affix, affixlen);
+    Ustrcpy(keystring2 + affixlen, keystring);
+    DEBUG(D_lookup) debug_printf_indent("trying partial match %s\n", keystring2);
+    yield = internal_search_find(handle, filename, keystring2, cache_rd, opts);
+    if (f.search_find_defer) return NULL;
+    }
+
+  /* The key in its entirety did not match a wild entry; try chopping off
+  leading components. */
+
+  if (!yield)
+    {
+    int dotcount = 0;
+    uschar *keystring3 = keystring2 + affixlen;
+    uschar *s = keystring3;
+    while (*s != 0) if (*s++ == '.') dotcount++;
+
+    while (dotcount-- >= partial)
+      {
+      while (*keystring3 != 0 && *keystring3 != '.') keystring3++;
+
+      /* If we get right to the end of the string (which will be the last time
+      through this loop), we've failed if the affix is null. Otherwise do one
+      last lookup for the affix itself, but if it is longer than 1 character,
+      remove the last character if it is ".". */
+
+      if (*keystring3 == 0)
+        {
+        if (affixlen < 1) break;
+        if (affixlen > 1 && affix[affixlen-1] == '.') affixlen--;
+        Ustrncpy(keystring2, affix, affixlen);
+        keystring2[affixlen] = 0;
+        keystring3 = keystring2;
+        }
+      else
+        {
+        keystring3 -= affixlen - 1;
+        if (affixlen > 0) Ustrncpy(keystring3, affix, affixlen);
+        }
+
+      DEBUG(D_lookup) debug_printf_indent("trying partial match %s\n", keystring3);
+      yield = internal_search_find(handle, filename, keystring3,
+		cache_rd, opts);
+      if (f.search_find_defer) return NULL;
+      if (yield)
+        {
+        /* First variable is the wild part; second is the fixed part. Take care
+        to get it right when keystring3 is just "*". */
+
+        if (expand_setup && *expand_setup >= 0)
+          {
+          int fixedlength = Ustrlen(keystring3) - affixlen;
+          int wildlength = Ustrlen(keystring) - fixedlength - 1;
+          *expand_setup += 1;
+          expand_nstring[*expand_setup] = keystring;
+          expand_nlength[*expand_setup] = wildlength;
+          *expand_setup += 1;
+          expand_nstring[*expand_setup] = keystring + wildlength + 1;
+          expand_nlength[*expand_setup] = (fixedlength < 0)? 0 : fixedlength;
+          }
+        break;
+        }
+      keystring3 += affixlen;
+      }
+    }
+
+  else set_null_wild = TRUE; /* Matched a wild entry without any wild part */
+  }
+
+/* If nothing has been matched, but the option to look for "*@" is set, try
+replacing everything to the left of @ by *. After a match, the wild part
+is set to the string to the left of the @. */
+
+if (!yield  &&  starflags & SEARCH_STARAT)
+  {
+  uschar *atat = Ustrrchr(keystring, '@');
+  if (atat != NULL && atat > keystring)
+    {
+    int savechar;
+    savechar = *(--atat);
+    *atat = '*';
+
+    DEBUG(D_lookup) debug_printf_indent("trying default match %s\n", atat);
+    yield = internal_search_find(handle, filename, atat, cache_rd, opts);
+    *atat = savechar;
+    if (f.search_find_defer) return NULL;
+
+    if (yield && expand_setup && *expand_setup >= 0)
+      {
+      *expand_setup += 1;
+      expand_nstring[*expand_setup] = keystring;
+      expand_nlength[*expand_setup] = atat - keystring + 1;
+      *expand_setup += 1;
+      expand_nstring[*expand_setup] = keystring;
+      expand_nlength[*expand_setup] = 0;
+      }
+    }
+  }
+
+/* If we still haven't matched anything, and the option to look for "*" is set,
+try that. If we do match, the first variable (the wild part) is the whole key,
+and the second is empty. */
+
+if (!yield  &&  starflags & (SEARCH_STAR|SEARCH_STARAT))
+  {
+  DEBUG(D_lookup) debug_printf_indent("trying to match *\n");
+  yield = internal_search_find(handle, filename, US"*", cache_rd, opts);
+  if (yield && expand_setup && *expand_setup >= 0)
+    {
+    *expand_setup += 1;
+    expand_nstring[*expand_setup] = keystring;
+    expand_nlength[*expand_setup] = Ustrlen(keystring);
+    *expand_setup += 1;
+    expand_nstring[*expand_setup] = keystring;
+    expand_nlength[*expand_setup] = 0;
+    }
+  }
+
+/* If this was a potentially partial lookup, and we matched either a
+complete non-wild domain entry, or we matched a wild-carded entry without
+chopping off any of the domain components, set up the expansion variables
+(if required) so that the first one is empty, and the second one is the
+fixed part of the domain. The set_null_wild flag is set only when yield is not
+NULL. */
+
+if (set_null_wild && expand_setup && *expand_setup >= 0)
+  {
+  *expand_setup += 1;
+  expand_nstring[*expand_setup] = keystring;
+  expand_nlength[*expand_setup] = 0;
+  *expand_setup += 1;
+  expand_nstring[*expand_setup] = keystring;
+  expand_nlength[*expand_setup] = Ustrlen(keystring);
+  }
+
+/* If we have a result, check the options to see if the key was wanted rather
+than the result.  Return a de-tainted version of the key on the grounds that
+it have been validated by the lookup. */
+
+if (yield && ret_key)
+  yield = string_copy_taint(keystring, GET_UNTAINTED);
+
+return yield;
+}
+
+/* End of search.c */
diff --git a/src/setenv.c b/src/setenv.c
new file mode 100644
index 0000000..90e6793
--- /dev/null
+++ b/src/setenv.c
@@ -0,0 +1,58 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Michael Haardt 2015
+ * Copyright (c) Jeremy Harris 2015 - 2016
+ * Copyright (c) The Exim Maintainers 2016 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This module provides (un)setenv routines for those environments
+lacking them in libraries. It is #include'd by OS/os.c-foo files. */
+
+
+int
+setenv(const char * name, const char * val, int overwrite)
+{
+uschar * s;
+if (Ustrchr(name, '=')) return -1;
+if (overwrite || !getenv(name))
+  putenv(CS string_copy_perm(string_sprintf("%s=%s", name, val), FALSE));
+return 0;
+}
+
+int
+unsetenv(const char *name)
+{
+size_t len;
+const char * end;
+extern char ** environ;
+
+if (!name)
+  {
+  errno = EINVAL;
+  return -1;
+  }
+
+if (!environ)
+  return 0;
+
+for (end = name; *end != '=' && *end; ) end++;
+len = end - name;
+  
+/* Find name in environment and move remaining variables down.
+Do not early-out in case there are duplicate names. */
+
+for (char ** e = environ; *e; e++)
+  if (strncmp(*e, name, len) == 0 && (*e)[len] == '=')
+    {
+    char ** sp = e;
+    do *sp = sp[1]; while (*++sp);
+    }
+
+return 0;
+}
+
+/* vi: aw ai sw=2
+*/
+/* End of setenv.c */
diff --git a/src/sha_ver.h b/src/sha_ver.h
new file mode 100644
index 0000000..bc2b2f8
--- /dev/null
+++ b/src/sha_ver.h
@@ -0,0 +1,47 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Jeremy Harris 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* SHA routine selection */
+
+#include "exim.h"
+
+/* Please be aware that pulling in extra headers which are not in the system
+ * includes may require careful juggling of CFLAGS in
+ * scripts/Configure-Makefile -- that logic should be kept in sync with this.
+ * In particular, building with just something like USE_OPENSSL_PC=openssl
+ * and not massaging CFLAGS in Local/Makefile is fully supported.
+ */
+
+#ifndef DISABLE_TLS
+
+# define EXIM_HAVE_SHA2
+
+# ifdef USE_GNUTLS
+#  include <gnutls/gnutls.h>
+
+#  if GNUTLS_VERSION_NUMBER >= 0x020a00
+#   define SHA_GNUTLS
+#   if GNUTLS_VERSION_NUMBER >= 0x030500
+#    define EXIM_HAVE_SHA3		/*MMMM*/
+#   endif
+#  else
+#   define SHA_GCRYPT
+#  endif
+# endif
+
+# ifdef USE_OPENSSL
+#  define SHA_OPENSSL
+#  include <openssl/ssl.h>
+#  if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
+#   define EXIM_HAVE_SHA3
+#  endif
+# endif
+
+#else
+# define SHA_NATIVE
+#endif
+
diff --git a/src/sieve.c b/src/sieve.c
new file mode 100644
index 0000000..af3bc9d
--- /dev/null
+++ b/src/sieve.c
@@ -0,0 +1,3629 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/*
+ * Copyright (c) The Exim Maintainers 2016 - 2022
+ * Copyright (c) Michael Haardt 2003 - 2015
+ * See the file NOTICE for conditions of use and distribution.
+ */
+
+/* This code was contributed by Michael Haardt. */
+
+
+/* Sieve mail filter. */
+
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "exim.h"
+
+#if HAVE_ICONV
+# include <iconv.h>
+#endif
+
+/* Define this for RFC compliant \r\n end-of-line terminators.      */
+/* Undefine it for UNIX-style \n end-of-line terminators (default). */
+#undef RFC_EOL
+
+/* Define this for development of the Sieve extension "encoded-character". */
+#define ENCODED_CHARACTER
+
+/* Define this for development of the Sieve extension "envelope-auth". */
+#undef ENVELOPE_AUTH
+
+/* Define this for development of the Sieve extension "enotify".    */
+#define ENOTIFY
+
+/* Define this for the Sieve extension "subaddress".                */
+#define SUBADDRESS
+
+/* Define this for the Sieve extension "vacation".                  */
+#define VACATION
+
+/* Must be >= 1                                                     */
+#define VACATION_MIN_DAYS 1
+/* Must be >= VACATION_MIN_DAYS, must be > 7, should be > 30        */
+#define VACATION_MAX_DAYS 31
+
+/* Keep this at 75 to accept only RFC compliant MIME words.         */
+/* Increase it if you want to match headers from buggy MUAs.        */
+#define MIMEWORD_LENGTH 75
+
+struct Sieve
+  {
+  const uschar *filter;
+  const uschar *pc;
+  int line;
+  const uschar *errmsg;
+  int keep;
+  int require_envelope;
+  int require_fileinto;
+#ifdef ENCODED_CHARACTER
+  int require_encoded_character;
+#endif
+#ifdef ENVELOPE_AUTH
+  int require_envelope_auth;
+#endif
+#ifdef ENOTIFY
+  int require_enotify;
+  struct Notification *notified;
+#endif
+  const uschar *enotify_mailto_owner;
+#ifdef SUBADDRESS
+  int require_subaddress;
+#endif
+#ifdef VACATION
+  int require_vacation;
+  int vacation_ran;
+#endif
+  const uschar *vacation_directory;
+  const uschar *subaddress;
+  const uschar *useraddress;
+  int require_copy;
+  int require_iascii_numeric;
+  };
+
+enum Comparator { COMP_OCTET, COMP_EN_ASCII_CASEMAP, COMP_ASCII_NUMERIC };
+enum MatchType { MATCH_IS, MATCH_CONTAINS, MATCH_MATCHES };
+#ifdef SUBADDRESS
+enum AddressPart { ADDRPART_USER, ADDRPART_DETAIL, ADDRPART_LOCALPART, ADDRPART_DOMAIN, ADDRPART_ALL };
+#else
+enum AddressPart { ADDRPART_LOCALPART, ADDRPART_DOMAIN, ADDRPART_ALL };
+#endif
+enum RelOp { LT, LE, EQ, GE, GT, NE };
+
+struct String
+  {
+  uschar *character;
+  int length;
+  };
+
+struct Notification
+  {
+  struct String method;
+  struct String importance;
+  struct String message;
+  struct Notification *next;
+  };
+
+/* This should be a complete list of supported extensions, so that an external
+ManageSieve (RFC 5804) program can interrogate the current Exim binary for the
+list of extensions and provide correct information to a client.
+
+We'll emit the list in the order given here; keep it alphabetically sorted, so
+that callers don't get surprised.
+
+List *MUST* end with a NULL.  Which at least makes ifdef-vs-comma easier. */
+
+const uschar *exim_sieve_extension_list[] = {
+  CUS"comparator-i;ascii-numeric",
+  CUS"copy",
+#ifdef ENCODED_CHARACTER
+  CUS"encoded-character",
+#endif
+#ifdef ENOTIFY
+  CUS"enotify",
+#endif
+  CUS"envelope",
+#ifdef ENVELOPE_AUTH
+  CUS"envelope-auth",
+#endif
+  CUS"fileinto",
+#ifdef SUBADDRESS
+  CUS"subaddress",
+#endif
+#ifdef VACATION
+  CUS"vacation",
+#endif
+  NULL
+};
+
+static int eq_asciicase(const struct String *needle, const struct String *haystack, int match_prefix);
+static int parse_test(struct Sieve *filter, int *cond, int exec);
+static int parse_commands(struct Sieve *filter, int exec, address_item **generated);
+
+static uschar str_from_c[]="From";
+static const struct String str_from={ str_from_c, 4 };
+static uschar str_to_c[]="To";
+static const struct String str_to={ str_to_c, 2 };
+static uschar str_cc_c[]="Cc";
+static const struct String str_cc={ str_cc_c, 2 };
+static uschar str_bcc_c[]="Bcc";
+static const struct String str_bcc={ str_bcc_c, 3 };
+#ifdef ENVELOPE_AUTH
+static uschar str_auth_c[]="auth";
+static const struct String str_auth={ str_auth_c, 4 };
+#endif
+static uschar str_sender_c[]="Sender";
+static const struct String str_sender={ str_sender_c, 6 };
+static uschar str_resent_from_c[]="Resent-From";
+static const struct String str_resent_from={ str_resent_from_c, 11 };
+static uschar str_resent_to_c[]="Resent-To";
+static const struct String str_resent_to={ str_resent_to_c, 9 };
+static uschar str_fileinto_c[]="fileinto";
+static const struct String str_fileinto={ str_fileinto_c, 8 };
+static uschar str_envelope_c[]="envelope";
+static const struct String str_envelope={ str_envelope_c, 8 };
+#ifdef ENCODED_CHARACTER
+static uschar str_encoded_character_c[]="encoded-character";
+static const struct String str_encoded_character={ str_encoded_character_c, 17 };
+#endif
+#ifdef ENVELOPE_AUTH
+static uschar str_envelope_auth_c[]="envelope-auth";
+static const struct String str_envelope_auth={ str_envelope_auth_c, 13 };
+#endif
+#ifdef ENOTIFY
+static uschar str_enotify_c[]="enotify";
+static const struct String str_enotify={ str_enotify_c, 7 };
+static uschar str_online_c[]="online";
+static const struct String str_online={ str_online_c, 6 };
+static uschar str_maybe_c[]="maybe";
+static const struct String str_maybe={ str_maybe_c, 5 };
+static uschar str_auto_submitted_c[]="Auto-Submitted";
+static const struct String str_auto_submitted={ str_auto_submitted_c, 14 };
+#endif
+#ifdef SUBADDRESS
+static uschar str_subaddress_c[]="subaddress";
+static const struct String str_subaddress={ str_subaddress_c, 10 };
+#endif
+#ifdef VACATION
+static uschar str_vacation_c[]="vacation";
+static const struct String str_vacation={ str_vacation_c, 8 };
+static uschar str_subject_c[]="Subject";
+static const struct String str_subject={ str_subject_c, 7 };
+#endif
+static uschar str_copy_c[]="copy";
+static const struct String str_copy={ str_copy_c, 4 };
+static uschar str_iascii_casemap_c[]="i;ascii-casemap";
+static const struct String str_iascii_casemap={ str_iascii_casemap_c, 15 };
+static uschar str_enascii_casemap_c[]="en;ascii-casemap";
+static const struct String str_enascii_casemap={ str_enascii_casemap_c, 16 };
+static uschar str_ioctet_c[]="i;octet";
+static const struct String str_ioctet={ str_ioctet_c, 7 };
+static uschar str_iascii_numeric_c[]="i;ascii-numeric";
+static const struct String str_iascii_numeric={ str_iascii_numeric_c, 15 };
+static uschar str_comparator_iascii_casemap_c[]="comparator-i;ascii-casemap";
+static const struct String str_comparator_iascii_casemap={ str_comparator_iascii_casemap_c, 26 };
+static uschar str_comparator_enascii_casemap_c[]="comparator-en;ascii-casemap";
+static const struct String str_comparator_enascii_casemap={ str_comparator_enascii_casemap_c, 27 };
+static uschar str_comparator_ioctet_c[]="comparator-i;octet";
+static const struct String str_comparator_ioctet={ str_comparator_ioctet_c, 18 };
+static uschar str_comparator_iascii_numeric_c[]="comparator-i;ascii-numeric";
+static const struct String str_comparator_iascii_numeric={ str_comparator_iascii_numeric_c, 26 };
+
+
+/*************************************************
+*          Encode to quoted-printable            *
+*************************************************/
+
+/*
+Arguments:
+  src               UTF-8 string
+  dst               US-ASCII string
+
+Returns
+  dst
+*/
+
+static struct String *
+quoted_printable_encode(const struct String *src, struct String *dst)
+{
+uschar *new = NULL;
+uschar ch;
+size_t line;
+
+/* Two passes: one to count output allocation size, second
+to do the encoding */
+
+for (int pass = 0; pass <= 1; pass++)
+  {
+  line=0;
+  if (pass==0)
+    dst->length=0;
+  else
+    {
+    dst->character = store_get(dst->length+1, src->character); /* plus one for \0 */
+    new=dst->character;
+    }
+  for (const uschar * start = src->character, * end = start + src->length;
+       start < end; ++start)
+    {
+    ch=*start;
+    if (line>=73)	/* line length limit */
+      {
+      if (pass==0)
+        dst->length+=2;
+      else
+        {
+        *new++='=';	/* line split */
+        *new++='\n';
+        }
+      line=0;
+      }
+    if (  (ch>='!' && ch<='<')
+       || (ch>='>' && ch<='~')
+       || (  (ch=='\t' || ch==' ')
+          && start+2<end
+          && (*(start+1)!='\r' || *(start+2)!='\n')	/* CRLF */
+          )
+       )
+      {
+      if (pass==0)
+        ++dst->length;
+      else
+        *new++=*start;	/* copy char */
+      ++line;
+      }
+    else if (ch=='\r' && start+1<end && *(start+1)=='\n') /* CRLF */
+      {
+      if (pass==0)
+        ++dst->length;
+      else
+        *new++='\n';					/* NL */
+      line=0;
+      ++start;	/* consume extra input char */
+      }
+    else
+      {
+      if (pass==0)
+        dst->length+=3;
+      else
+        {		/* encoded char */
+        new += sprintf(CS new,"=%02X",ch);
+        }
+      line+=3;
+      }
+    }
+  }
+  *new='\0'; /* not included in length, but nice */
+  return dst;
+}
+
+
+/*************************************************
+*     Check mail address for correct syntax      *
+*************************************************/
+
+/*
+Check mail address for being syntactically correct.
+
+Arguments:
+  filter      points to the Sieve filter including its state
+  address     String containing one address
+
+Returns
+  1           Mail address is syntactically OK
+ -1           syntax error
+*/
+
+int check_mail_address(struct Sieve *filter, const struct String *address)
+{
+int start, end, domain;
+uschar *error,*ss;
+
+if (address->length>0)
+  {
+  ss = parse_extract_address(address->character, &error, &start, &end, &domain,
+    FALSE);
+  if (!ss)
+    {
+    filter->errmsg=string_sprintf("malformed address \"%s\" (%s)",
+      address->character, error);
+    return -1;
+    }
+  else
+    return 1;
+  }
+else
+  {
+  filter->errmsg=CUS "empty address";
+  return -1;
+  }
+}
+
+
+/*************************************************
+*          Decode URI encoded string             *
+*************************************************/
+
+/*
+Arguments:
+  str               URI encoded string
+
+Returns
+  0                 Decoding successful
+ -1                 Encoding error
+*/
+
+#ifdef ENOTIFY
+static int
+uri_decode(struct String *str)
+{
+uschar *s,*t,*e;
+
+if (str->length==0) return 0;
+for (s=str->character,t=s,e=s+str->length; s<e; )
+  if (*s=='%')
+    {
+    if (s+2<e && isxdigit(*(s+1)) && isxdigit(*(s+2)))
+      {
+      *t++=((isdigit(*(s+1)) ? *(s+1)-'0' : tolower(*(s+1))-'a'+10)<<4)
+           | (isdigit(*(s+2)) ? *(s+2)-'0' : tolower(*(s+2))-'a'+10);
+      s+=3;
+      }
+    else return -1;
+    }
+  else
+    *t++=*s++;
+
+*t='\0';
+str->length=t-str->character;
+return 0;
+}
+
+
+/*************************************************
+*               Parse mailto URI                 *
+*************************************************/
+
+/*
+Parse mailto-URI.
+
+       mailtoURI   = "mailto:" [ to ] [ headers ]
+       to          = [ addr-spec *("%2C" addr-spec ) ]
+       headers     = "?" header *( "&" header )
+       header      = hname "=" hvalue
+       hname       = *urlc
+       hvalue      = *urlc
+
+Arguments:
+  filter      points to the Sieve filter including its state
+  uri         URI, excluding scheme
+  recipient
+  body
+
+Returns
+  1           URI is syntactically OK
+  0           Unknown URI scheme
+ -1           syntax error
+*/
+
+static int
+parse_mailto_uri(struct Sieve *filter, const uschar *uri,
+  string_item **recipient, struct String *header, struct String *subject,
+  struct String *body)
+{
+const uschar *start;
+struct String to, hname;
+struct String hvalue = {.character = NULL, .length = 0};
+string_item *new;
+
+if (Ustrncmp(uri,"mailto:",7))
+  {
+  filter->errmsg=US "Unknown URI scheme";
+  return 0;
+  }
+
+uri+=7;
+if (*uri && *uri!='?')
+  for (;;)
+    {
+    /* match to */
+    for (start=uri; *uri && *uri!='?' && (*uri!='%' || *(uri+1)!='2' || tolower(*(uri+2))!='c'); ++uri);
+    if (uri>start)
+      {
+      gstring * g = string_catn(NULL, start, uri-start);
+
+      to.character = string_from_gstring(g);
+      to.length = g->ptr;
+      if (uri_decode(&to)==-1)
+        {
+        filter->errmsg=US"Invalid URI encoding";
+        return -1;
+        }
+      new = store_get(sizeof(string_item), GET_UNTAINTED);
+      new->text = store_get(to.length+1, to.character);
+      if (to.length) memcpy(new->text, to.character, to.length);
+      new->text[to.length] = '\0';
+      new->next = *recipient;
+      *recipient = new;
+      }
+    else
+      {
+      filter->errmsg = US"Missing addr-spec in URI";
+      return -1;
+      }
+    if (*uri=='%') uri+=3;
+    else break;
+    }
+if (*uri=='?')
+  {
+  ++uri;
+  for (;;)
+    {
+    /* match hname */
+    for (start=uri; *uri && (isalnum(*uri) || strchr("$-_.+!*'(),%",*uri)); ++uri);
+    if (uri>start)
+      {
+      gstring * g = string_catn(NULL, start, uri-start);
+
+      hname.character = string_from_gstring(g);
+      hname.length = g->ptr;
+      if (uri_decode(&hname)==-1)
+        {
+        filter->errmsg=US"Invalid URI encoding";
+        return -1;
+        }
+      }
+    /* match = */
+    if (*uri=='=')
+      ++uri;
+    else
+      {
+      filter->errmsg=US"Missing equal after hname";
+      return -1;
+      }
+    /* match hvalue */
+    for (start=uri; *uri && (isalnum(*uri) || strchr("$-_.+!*'(),%",*uri)); ++uri);
+    if (uri>start)
+      {
+      gstring * g = string_catn(NULL, start, uri-start);
+
+      hname.character = string_from_gstring(g);
+      hname.length = g->ptr;
+      if (uri_decode(&hvalue)==-1)
+        {
+        filter->errmsg=US"Invalid URI encoding";
+        return -1;
+        }
+      }
+    if (hname.length==2 && strcmpic(hname.character, US"to")==0)
+      {
+      new=store_get(sizeof(string_item), GET_UNTAINTED);
+      new->text = store_get(hvalue.length+1, hvalue.character);
+      if (hvalue.length) memcpy(new->text, hvalue.character, hvalue.length);
+      new->text[hvalue.length]='\0';
+      new->next=*recipient;
+      *recipient=new;
+      }
+    else if (hname.length==4 && strcmpic(hname.character, US"body")==0)
+      *body=hvalue;
+    else if (hname.length==7 && strcmpic(hname.character, US"subject")==0)
+      *subject=hvalue;
+    else
+      {
+      static struct String ignore[]=
+        {
+        {US"date",4},
+        {US"from",4},
+        {US"message-id",10},
+        {US"received",8},
+        {US"auto-submitted",14}
+        };
+      static struct String *end=ignore+sizeof(ignore)/sizeof(ignore[0]);
+      struct String *i;
+
+      for (i=ignore; i<end && !eq_asciicase(&hname,i,0); ++i);
+      if (i==end)
+        {
+	gstring * g;
+
+        if (header->length==-1) header->length = 0;
+
+	g = string_catn(NULL, header->character, header->length);
+        g = string_catn(g, hname.character, hname.length);
+        g = string_catn(g, CUS ": ", 2);
+        g = string_catn(g, hvalue.character, hvalue.length);
+        g = string_catn(g, CUS "\n", 1);
+
+	header->character = string_from_gstring(g);
+	header->length = g->ptr;
+        }
+      }
+    if (*uri=='&') ++uri;
+    else break;
+    }
+  }
+if (*uri)
+  {
+  filter->errmsg=US"Syntactically invalid URI";
+  return -1;
+  }
+return 1;
+}
+#endif
+
+
+/*************************************************
+*          Octet-wise string comparison          *
+*************************************************/
+
+/*
+Arguments:
+  needle            UTF-8 string to search ...
+  haystack          ... inside the haystack
+  match_prefix      1 to compare if needle is a prefix of haystack
+
+Returns:      0               needle not found in haystack
+              1               needle found
+*/
+
+static int eq_octet(const struct String *needle,
+  const struct String *haystack, int match_prefix)
+{
+size_t nl,hl;
+const uschar *n,*h;
+
+nl=needle->length;
+n=needle->character;
+hl=haystack->length;
+h=haystack->character;
+while (nl>0 && hl>0)
+  {
+#if !HAVE_ICONV
+  if (*n&0x80) return 0;
+  if (*h&0x80) return 0;
+#endif
+  if (*n!=*h) return 0;
+  ++n;
+  ++h;
+  --nl;
+  --hl;
+  }
+return (match_prefix ? nl==0 : nl==0 && hl==0);
+}
+
+
+/*************************************************
+*    ASCII case-insensitive string comparison    *
+*************************************************/
+
+/*
+Arguments:
+  needle            UTF-8 string to search ...
+  haystack          ... inside the haystack
+  match_prefix      1 to compare if needle is a prefix of haystack
+
+Returns:      0               needle not found in haystack
+              1               needle found
+*/
+
+static int eq_asciicase(const struct String *needle,
+  const struct String *haystack, int match_prefix)
+{
+size_t nl,hl;
+const uschar *n,*h;
+uschar nc,hc;
+
+nl=needle->length;
+n=needle->character;
+hl=haystack->length;
+h=haystack->character;
+while (nl>0 && hl>0)
+  {
+  nc=*n;
+  hc=*h;
+#if !HAVE_ICONV
+  if (nc&0x80) return 0;
+  if (hc&0x80) return 0;
+#endif
+  /* tolower depends on the locale and only ASCII case must be insensitive */
+  if ((nc>='A' && nc<='Z' ? nc|0x20 : nc) != (hc>='A' && hc<='Z' ? hc|0x20 : hc)) return 0;
+  ++n;
+  ++h;
+  --nl;
+  --hl;
+  }
+return (match_prefix ? nl==0 : nl==0 && hl==0);
+}
+
+
+/*************************************************
+*              Glob pattern search               *
+*************************************************/
+
+/*
+Arguments:
+  needle          pattern to search ...
+  haystack        ... inside the haystack
+  ascii_caseless  ignore ASCII case
+  match_octet     match octets, not UTF-8 multi-octet characters
+
+Returns:      0               needle not found in haystack
+              1               needle found
+              -1              pattern error
+*/
+
+static int eq_glob(const struct String *needle,
+  const struct String *haystack, int ascii_caseless, int match_octet)
+{
+const uschar *n,*h,*nend,*hend;
+int may_advance=0;
+
+n=needle->character;
+h=haystack->character;
+nend=n+needle->length;
+hend=h+haystack->length;
+while (n<nend)
+  {
+  if (*n=='*')
+    {
+    ++n;
+    may_advance=1;
+    }
+  else
+    {
+    const uschar *npart,*hpart;
+
+    /* Try to match a non-star part of the needle at the current */
+    /* position in the haystack.                                 */
+    match_part:
+    npart=n;
+    hpart=h;
+    while (npart<nend && *npart!='*') switch (*npart)
+      {
+      case '?':
+        {
+        if (hpart==hend) return 0;
+        if (match_octet)
+          ++hpart;
+        else
+          {
+          /* Match one UTF8 encoded character */
+          if ((*hpart&0xc0)==0xc0)
+            {
+            ++hpart;
+            while (hpart<hend && ((*hpart&0xc0)==0x80)) ++hpart;
+            }
+          else
+            ++hpart;
+          }
+        ++npart;
+        break;
+        }
+      case '\\':
+        {
+        ++npart;
+        if (npart==nend) return -1;
+        /* FALLTHROUGH */
+        }
+      default:
+        {
+        if (hpart==hend) return 0;
+        /* tolower depends on the locale, but we need ASCII */
+        if
+          (
+#if !HAVE_ICONV
+          (*hpart&0x80) || (*npart&0x80) ||
+#endif
+          ascii_caseless
+          ? ((*npart>='A' && *npart<='Z' ? *npart|0x20 : *npart) != (*hpart>='A' && *hpart<='Z' ? *hpart|0x20 : *hpart))
+          : *hpart!=*npart
+          )
+          {
+          if (may_advance)
+            /* string match after a star failed, advance and try again */
+            {
+            ++h;
+            goto match_part;
+            }
+          else return 0;
+          }
+        else
+          {
+          ++npart;
+          ++hpart;
+          };
+        }
+      }
+    /* at this point, a part was matched successfully */
+    if (may_advance && npart==nend && hpart<hend)
+      /* needle ends, but haystack does not: if there was a star before, advance and try again */
+      {
+      ++h;
+      goto match_part;
+      }
+    h=hpart;
+    n=npart;
+    may_advance=0;
+    }
+  }
+return (h==hend ? 1 : may_advance);
+}
+
+
+/*************************************************
+*    ASCII numeric comparison                    *
+*************************************************/
+
+/*
+Arguments:
+  a                 first numeric string
+  b                 second numeric string
+  relop             relational operator
+
+Returns:      0               not (a relop b)
+              1               a relop b
+*/
+
+static int eq_asciinumeric(const struct String *a,
+  const struct String *b, enum RelOp relop)
+{
+size_t al,bl;
+const uschar *as,*aend,*bs,*bend;
+int cmp;
+
+as=a->character;
+aend=a->character+a->length;
+bs=b->character;
+bend=b->character+b->length;
+
+while (*as>='0' && *as<='9' && as<aend) ++as;
+al=as-a->character;
+while (*bs>='0' && *bs<='9' && bs<bend) ++bs;
+bl=bs-b->character;
+
+if (al && bl==0) cmp=-1;
+else if (al==0 && bl==0) cmp=0;
+else if (al==0 && bl) cmp=1;
+else
+  {
+  cmp=al-bl;
+  if (cmp==0) cmp=memcmp(a->character,b->character,al);
+  }
+switch (relop)
+  {
+  case LT: return cmp<0;
+  case LE: return cmp<=0;
+  case EQ: return cmp==0;
+  case GE: return cmp>=0;
+  case GT: return cmp>0;
+  case NE: return cmp!=0;
+  }
+  /*NOTREACHED*/
+  return -1;
+}
+
+
+/*************************************************
+*             Compare strings                    *
+*************************************************/
+
+/*
+Arguments:
+  filter      points to the Sieve filter including its state
+  needle      UTF-8 pattern or string to search ...
+  haystack    ... inside the haystack
+  co          comparator to use
+  mt          match type to use
+
+Returns:      0               needle not found in haystack
+              1               needle found
+              -1              comparator does not offer matchtype
+*/
+
+static int compare(struct Sieve *filter, const struct String *needle, const struct String *haystack,
+  enum Comparator co, enum MatchType mt)
+{
+int r=0;
+
+if ((filter_test != FTEST_NONE && debug_selector != 0) ||
+  (debug_selector & D_filter) != 0)
+  {
+  debug_printf("String comparison (match ");
+  switch (mt)
+    {
+    case MATCH_IS: debug_printf(":is"); break;
+    case MATCH_CONTAINS: debug_printf(":contains"); break;
+    case MATCH_MATCHES: debug_printf(":matches"); break;
+    }
+  debug_printf(", comparison \"");
+  switch (co)
+    {
+    case COMP_OCTET: debug_printf("i;octet"); break;
+    case COMP_EN_ASCII_CASEMAP: debug_printf("en;ascii-casemap"); break;
+    case COMP_ASCII_NUMERIC: debug_printf("i;ascii-numeric"); break;
+    }
+  debug_printf("\"):\n");
+  debug_printf("  Search = %s (%d chars)\n", needle->character,needle->length);
+  debug_printf("  Inside = %s (%d chars)\n", haystack->character,haystack->length);
+  }
+switch (mt)
+  {
+  case MATCH_IS:
+    switch (co)
+      {
+      case COMP_OCTET:
+        if (eq_octet(needle,haystack,0)) r=1;
+        break;
+      case COMP_EN_ASCII_CASEMAP:
+        if (eq_asciicase(needle,haystack,0)) r=1;
+        break;
+      case COMP_ASCII_NUMERIC:
+        if (!filter->require_iascii_numeric)
+          {
+          filter->errmsg=CUS "missing previous require \"comparator-i;ascii-numeric\";";
+          return -1;
+          }
+        if (eq_asciinumeric(needle,haystack,EQ)) r=1;
+        break;
+      }
+    break;
+
+  case MATCH_CONTAINS:
+    {
+    struct String h;
+
+    switch (co)
+      {
+      case COMP_OCTET:
+        for (h = *haystack; h.length; ++h.character,--h.length)
+	 if (eq_octet(needle,&h,1)) { r=1; break; }
+        break;
+      case COMP_EN_ASCII_CASEMAP:
+        for (h = *haystack; h.length; ++h.character, --h.length)
+	  if (eq_asciicase(needle,&h,1)) { r=1; break; }
+        break;
+      default:
+        filter->errmsg=CUS "comparator does not offer specified matchtype";
+        return -1;
+      }
+    break;
+    }
+
+  case MATCH_MATCHES:
+    switch (co)
+      {
+      case COMP_OCTET:
+        if ((r=eq_glob(needle,haystack,0,1))==-1)
+          {
+          filter->errmsg=CUS "syntactically invalid pattern";
+          return -1;
+          }
+        break;
+      case COMP_EN_ASCII_CASEMAP:
+        if ((r=eq_glob(needle,haystack,1,1))==-1)
+          {
+          filter->errmsg=CUS "syntactically invalid pattern";
+          return -1;
+          }
+        break;
+      default:
+        filter->errmsg=CUS "comparator does not offer specified matchtype";
+        return -1;
+      }
+    break;
+  }
+if ((filter_test != FTEST_NONE && debug_selector != 0) ||
+  (debug_selector & D_filter) != 0)
+  debug_printf("  Result %s\n",r?"true":"false");
+return r;
+}
+
+
+/*************************************************
+*         Check header field syntax              *
+*************************************************/
+
+/*
+RFC 2822, section 3.6.8 says:
+
+  field-name      =       1*ftext
+
+  ftext           =       %d33-57 /               ; Any character except
+                          %d59-126                ;  controls, SP, and
+                                                  ;  ":".
+
+That forbids 8-bit header fields.  This implementation accepts them, since
+all of Exim is 8-bit clean, so it adds %d128-%d255.
+
+Arguments:
+  header      header field to quote for suitable use in Exim expansions
+
+Returns:      0               string is not a valid header field
+              1               string is a value header field
+*/
+
+static int is_header(const struct String *header)
+{
+size_t l;
+const uschar *h;
+
+l=header->length;
+h=header->character;
+if (l==0) return 0;
+while (l)
+  {
+  if (((unsigned char)*h)<33 || ((unsigned char)*h)==':' || ((unsigned char)*h)==127) return 0;
+  else
+    {
+    ++h;
+    --l;
+    }
+  }
+return 1;
+}
+
+
+/*************************************************
+*       Quote special characters string          *
+*************************************************/
+
+/*
+Arguments:
+  header      header field to quote for suitable use in Exim expansions
+              or as debug output
+
+Returns:      quoted string
+*/
+
+static const uschar *
+quote(const struct String *header)
+{
+gstring * quoted = NULL;
+size_t l;
+const uschar *h;
+
+l=header->length;
+h=header->character;
+while (l)
+  {
+  switch (*h)
+    {
+    case '\0':
+      quoted = string_catn(quoted, CUS "\\0", 2);
+      break;
+    case '$':
+    case '{':
+    case '}':
+      quoted = string_catn(quoted, CUS "\\", 1);
+    default:
+      quoted = string_catn(quoted, h, 1);
+    }
+  ++h;
+  --l;
+  }
+quoted = string_catn(quoted, CUS "", 1);
+return string_from_gstring(quoted);
+}
+
+
+/*************************************************
+*   Add address to list of generated addresses   *
+*************************************************/
+
+/*
+According to RFC 5228, duplicate delivery to the same address must
+not happen, so the list is first searched for the address.
+
+Arguments:
+  generated   list of generated addresses
+  addr        new address to add
+  file        address denotes a file
+
+Returns:      nothing
+*/
+
+static void
+add_addr(address_item **generated, uschar *addr, int file, int maxage, int maxmessages, int maxstorage)
+{
+address_item *new_addr;
+
+for (new_addr = *generated; new_addr; new_addr = new_addr->next)
+  if (  Ustrcmp(new_addr->address,addr) == 0
+     && (  !file
+	|| testflag(new_addr, af_pfr)
+	|| testflag(new_addr, af_file)
+	)
+     )
+    {
+    if ((filter_test != FTEST_NONE && debug_selector != 0) || (debug_selector & D_filter) != 0)
+      debug_printf("Repeated %s `%s' ignored.\n",file ? "fileinto" : "redirect", addr);
+
+    return;
+    }
+
+if ((filter_test != FTEST_NONE && debug_selector != 0) || (debug_selector & D_filter) != 0)
+  debug_printf("%s `%s'\n",file ? "fileinto" : "redirect", addr);
+
+new_addr = deliver_make_addr(addr,TRUE);
+if (file)
+  {
+  setflag(new_addr, af_pfr);
+  setflag(new_addr, af_file);
+  new_addr->mode = 0;
+  }
+new_addr->prop.errors_address = NULL;
+new_addr->next = *generated;
+*generated = new_addr;
+}
+
+
+/*************************************************
+*         Return decoded header field            *
+*************************************************/
+
+/*
+Unfold the header field as described in RFC 2822 and remove all
+leading and trailing white space, then perform MIME decoding and
+translate the header field to UTF-8.
+
+Arguments:
+  value       returned value of the field
+  header      name of the header field
+
+Returns:      nothing          The expanded string is empty
+                               in case there is no such header
+*/
+
+static void expand_header(struct String *value, const struct String *header)
+{
+uschar *s,*r,*t;
+uschar *errmsg;
+
+value->length=0;
+value->character=(uschar*)0;
+
+t = r = s = expand_string(string_sprintf("$rheader_%s",quote(header)));
+if (!t) return;
+while (*r==' ' || *r=='\t') ++r;
+while (*r)
+  {
+  if (*r=='\n')
+    ++r;
+  else
+    *t++=*r++;
+  }
+while (t>s && (*(t-1)==' ' || *(t-1)=='\t')) --t;
+*t='\0';
+value->character=rfc2047_decode(s,check_rfc2047_length,US"utf-8",'\0',&value->length,&errmsg);
+}
+
+
+/*************************************************
+*        Parse remaining hash comment            *
+*************************************************/
+
+/*
+Token definition:
+  Comment up to terminating CRLF
+
+Arguments:
+  filter      points to the Sieve filter including its state
+
+Returns:      1                success
+              -1               syntax error
+*/
+
+static int parse_hashcomment(struct Sieve *filter)
+{
+++filter->pc;
+while (*filter->pc)
+  {
+#ifdef RFC_EOL
+  if (*filter->pc=='\r' && *(filter->pc+1)=='\n')
+#else
+  if (*filter->pc=='\n')
+#endif
+    {
+#ifdef RFC_EOL
+    filter->pc+=2;
+#else
+    ++filter->pc;
+#endif
+    ++filter->line;
+    return 1;
+    }
+  else ++filter->pc;
+  }
+filter->errmsg=CUS "missing end of comment";
+return -1;
+}
+
+
+/*************************************************
+*       Parse remaining C-style comment          *
+*************************************************/
+
+/*
+Token definition:
+  Everything up to star slash
+
+Arguments:
+  filter      points to the Sieve filter including its state
+
+Returns:      1                success
+              -1               syntax error
+*/
+
+static int parse_comment(struct Sieve *filter)
+{
+  filter->pc+=2;
+  while (*filter->pc)
+  {
+    if (*filter->pc=='*' && *(filter->pc+1)=='/')
+    {
+      filter->pc+=2;
+      return 1;
+    }
+    else ++filter->pc;
+  }
+  filter->errmsg=CUS "missing end of comment";
+  return -1;
+}
+
+
+/*************************************************
+*         Parse optional white space             *
+*************************************************/
+
+/*
+Token definition:
+  Spaces, tabs, CRLFs, hash comments or C-style comments
+
+Arguments:
+  filter      points to the Sieve filter including its state
+
+Returns:      1                success
+              -1               syntax error
+*/
+
+static int parse_white(struct Sieve *filter)
+{
+while (*filter->pc)
+  {
+  if (*filter->pc==' ' || *filter->pc=='\t') ++filter->pc;
+#ifdef RFC_EOL
+  else if (*filter->pc=='\r' && *(filter->pc+1)=='\n')
+#else
+  else if (*filter->pc=='\n')
+#endif
+    {
+#ifdef RFC_EOL
+    filter->pc+=2;
+#else
+    ++filter->pc;
+#endif
+    ++filter->line;
+    }
+  else if (*filter->pc=='#')
+    {
+    if (parse_hashcomment(filter)==-1) return -1;
+    }
+  else if (*filter->pc=='/' && *(filter->pc+1)=='*')
+    {
+    if (parse_comment(filter)==-1) return -1;
+    }
+  else break;
+  }
+return 1;
+}
+
+
+#ifdef ENCODED_CHARACTER
+/*************************************************
+*      Decode hex-encoded-character string       *
+*************************************************/
+
+/*
+Encoding definition:
+   blank                = SP / TAB / CRLF
+   hex-pair-seq         = *blank hex-pair *(1*blank hex-pair) *blank
+   hex-pair             = 1*2HEXDIG
+
+Arguments:
+  src         points to a hex-pair-seq
+  end         points to its end
+  dst         points to the destination of the decoded octets,
+              optionally to (uschar*)0 for checking only
+
+Returns:      >=0              number of decoded octets
+              -1               syntax error
+*/
+
+static int hex_decode(uschar *src, uschar *end, uschar *dst)
+{
+int decoded=0;
+
+while (*src==' ' || *src=='\t' || *src=='\n') ++src;
+do
+  {
+  int x,d,n;
+
+  for (x = 0, d = 0;
+      d<2 && src<end && isxdigit(n=tolower(*src));
+      x=(x<<4)|(n>='0' && n<='9' ? n-'0' : 10+(n-'a')) ,++d, ++src) ;
+  if (d==0) return -1;
+  if (dst) *dst++=x;
+  ++decoded;
+  if (src==end) return decoded;
+  if (*src==' ' || *src=='\t' || *src=='\n')
+    while (*src==' ' || *src=='\t' || *src=='\n') ++src;
+  else
+    return -1;
+  }
+while (src<end);
+return decoded;
+}
+
+
+/*************************************************
+*    Decode unicode-encoded-character string     *
+*************************************************/
+
+/*
+Encoding definition:
+   blank                = SP / TAB / CRLF
+   unicode-hex-seq      = *blank unicode-hex *(blank unicode-hex) *blank
+   unicode-hex          = 1*HEXDIG
+
+   It is an error for a script to use a hexadecimal value that isn't in
+   either the range 0 to D7FF or the range E000 to 10FFFF.
+
+   At this time, strings are already scanned, thus the CRLF is converted
+   to the internally used \n (should RFC_EOL have been used).
+
+Arguments:
+  src         points to a unicode-hex-seq
+  end         points to its end
+  dst         points to the destination of the decoded octets,
+              optionally to (uschar*)0 for checking only
+
+Returns:      >=0              number of decoded octets
+              -1               syntax error
+              -2               semantic error (character range violation)
+*/
+
+static int
+unicode_decode(uschar *src, uschar *end, uschar *dst)
+{
+int decoded=0;
+
+while (*src==' ' || *src=='\t' || *src=='\n') ++src;
+do
+  {
+  uschar *hex_seq;
+  int c,d,n;
+
+  unicode_hex:
+  for (hex_seq = src; src < end && *src=='0'; ) src++;
+  for (c = 0, d = 0;
+       d < 7 && src < end && isxdigit(n=tolower(*src));
+       c=(c<<4)|(n>='0' && n<='9' ? n-'0' : 10+(n-'a')), ++d, ++src) ;
+  if (src == hex_seq) return -1;
+  if (d==7 || (!((c>=0 && c<=0xd7ff) || (c>=0xe000 && c<=0x10ffff)))) return -2;
+  if (c<128)
+    {
+    if (dst) *dst++=c;
+    ++decoded;
+    }
+  else if (c>=0x80 && c<=0x7ff)
+    {
+      if (dst)
+        {
+        *dst++=192+(c>>6);
+        *dst++=128+(c&0x3f);
+        }
+      decoded+=2;
+    }
+  else if (c>=0x800 && c<=0xffff)
+    {
+      if (dst)
+        {
+        *dst++=224+(c>>12);
+        *dst++=128+((c>>6)&0x3f);
+        *dst++=128+(c&0x3f);
+        }
+      decoded+=3;
+    }
+  else if (c>=0x10000 && c<=0x1fffff)
+    {
+      if (dst)
+        {
+        *dst++=240+(c>>18);
+        *dst++=128+((c>>10)&0x3f);
+        *dst++=128+((c>>6)&0x3f);
+        *dst++=128+(c&0x3f);
+        }
+      decoded+=4;
+    }
+  if (*src==' ' || *src=='\t' || *src=='\n')
+    {
+    while (*src==' ' || *src=='\t' || *src=='\n') ++src;
+    if (src==end) return decoded;
+    goto unicode_hex;
+    }
+  }
+while (src<end);
+return decoded;
+}
+
+
+/*************************************************
+*       Decode encoded-character string          *
+*************************************************/
+
+/*
+Encoding definition:
+   encoded-arb-octets   = "${hex:" hex-pair-seq "}"
+   encoded-unicode-char = "${unicode:" unicode-hex-seq "}"
+
+Arguments:
+  encoded     points to an encoded string, returns decoded string
+  filter      points to the Sieve filter including its state
+
+Returns:      1                success
+              -1               syntax error
+*/
+
+static int string_decode(struct Sieve *filter, struct String *data)
+{
+uschar *src,*dst,*end;
+
+src=data->character;
+dst=src;
+end=data->character+data->length;
+while (src<end)
+  {
+  uschar *brace;
+
+  if (
+      strncmpic(src,US "${hex:",6)==0
+      && (brace=Ustrchr(src+6,'}'))!=(uschar*)0
+      && (hex_decode(src+6,brace,(uschar*)0))>=0
+     )
+    {
+    dst+=hex_decode(src+6,brace,dst);
+    src=brace+1;
+    }
+  else if (
+           strncmpic(src,US "${unicode:",10)==0
+           && (brace=Ustrchr(src+10,'}'))!=(uschar*)0
+          )
+    {
+    switch (unicode_decode(src+10,brace,(uschar*)0))
+      {
+      case -2:
+        {
+        filter->errmsg=CUS "unicode character out of range";
+        return -1;
+        }
+      case -1:
+        {
+        *dst++=*src++;
+        break;
+        }
+      default:
+        {
+        dst+=unicode_decode(src+10,brace,dst);
+        src=brace+1;
+        }
+      }
+    }
+  else *dst++=*src++;
+  }
+  data->length=dst-data->character;
+  *dst='\0';
+return 1;
+}
+#endif
+
+
+/*************************************************
+*          Parse an optional string              *
+*************************************************/
+
+/*
+Token definition:
+   quoted-string = DQUOTE *CHAR DQUOTE
+           ;; in general, \ CHAR inside a string maps to CHAR
+           ;; so \" maps to " and \\ maps to \
+           ;; note that newlines and other characters are all allowed
+           ;; in strings
+
+   multi-line          = "text:" *(SP / HTAB) (hash-comment / CRLF)
+                         *(multi-line-literal / multi-line-dotstuff)
+                         "." CRLF
+   multi-line-literal  = [CHAR-NOT-DOT *CHAR-NOT-CRLF] CRLF
+   multi-line-dotstuff = "." 1*CHAR-NOT-CRLF CRLF
+           ;; A line containing only "." ends the multi-line.
+           ;; Remove a leading '.' if followed by another '.'.
+  string           = quoted-string / multi-line
+
+Arguments:
+  filter      points to the Sieve filter including its state
+  id          specifies identifier to match
+
+Returns:      1                success
+              -1               syntax error
+              0                identifier not matched
+*/
+
+static int
+parse_string(struct Sieve *filter, struct String *data)
+{
+gstring * g = NULL;
+
+data->length = 0;
+data->character = NULL;
+
+if (*filter->pc=='"') /* quoted string */
+  {
+  ++filter->pc;
+  while (*filter->pc)
+    {
+    if (*filter->pc=='"') /* end of string */
+      {
+      ++filter->pc;
+
+      if (g)
+	{
+	data->character = string_from_gstring(g);
+	data->length = g->ptr;
+	}
+      else
+	data->character = US"\0";
+      /* that way, there will be at least one character allocated */
+
+#ifdef ENCODED_CHARACTER
+      if (filter->require_encoded_character
+          && string_decode(filter,data)==-1)
+        return -1;
+#endif
+      return 1;
+      }
+    else if (*filter->pc=='\\' && *(filter->pc+1)) /* quoted character */
+      {
+      g = string_catn(g, filter->pc+1, 1);
+      filter->pc+=2;
+      }
+    else /* regular character */
+      {
+#ifdef RFC_EOL
+      if (*filter->pc=='\r' && *(filter->pc+1)=='\n') ++filter->line;
+#else
+      if (*filter->pc=='\n')
+        {
+        g = string_catn(g, US"\r", 1);
+        ++filter->line;
+        }
+#endif
+      g = string_catn(g, filter->pc, 1);
+      filter->pc++;
+      }
+    }
+  filter->errmsg=CUS "missing end of string";
+  return -1;
+  }
+else if (Ustrncmp(filter->pc,CUS "text:",5)==0) /* multiline string */
+  {
+  filter->pc+=5;
+  /* skip optional white space followed by hashed comment or CRLF */
+  while (*filter->pc==' ' || *filter->pc=='\t') ++filter->pc;
+  if (*filter->pc=='#')
+    {
+    if (parse_hashcomment(filter)==-1) return -1;
+    }
+#ifdef RFC_EOL
+  else if (*filter->pc=='\r' && *(filter->pc+1)=='\n')
+#else
+  else if (*filter->pc=='\n')
+#endif
+    {
+#ifdef RFC_EOL
+    filter->pc+=2;
+#else
+    ++filter->pc;
+#endif
+    ++filter->line;
+    }
+  else
+    {
+    filter->errmsg=CUS "syntax error";
+    return -1;
+    }
+  while (*filter->pc)
+    {
+#ifdef RFC_EOL
+    if (*filter->pc=='\r' && *(filter->pc+1)=='\n') /* end of line */
+#else
+    if (*filter->pc=='\n') /* end of line */
+#endif
+      {
+      g = string_catn(g, CUS "\r\n", 2);
+#ifdef RFC_EOL
+      filter->pc+=2;
+#else
+      ++filter->pc;
+#endif
+      ++filter->line;
+#ifdef RFC_EOL
+      if (*filter->pc=='.' && *(filter->pc+1)=='\r' && *(filter->pc+2)=='\n') /* end of string */
+#else
+      if (*filter->pc=='.' && *(filter->pc+1)=='\n') /* end of string */
+#endif
+        {
+	if (g)
+	  {
+	  data->character = string_from_gstring(g);
+	  data->length = g->ptr;
+	  }
+	else
+	  data->character = US"\0";
+	/* that way, there will be at least one character allocated */
+
+#ifdef RFC_EOL
+        filter->pc+=3;
+#else
+        filter->pc+=2;
+#endif
+        ++filter->line;
+#ifdef ENCODED_CHARACTER
+        if (filter->require_encoded_character
+            && string_decode(filter,data)==-1)
+          return -1;
+#endif
+        return 1;
+        }
+      else if (*filter->pc=='.' && *(filter->pc+1)=='.') /* remove dot stuffing */
+        {
+        g = string_catn(g, CUS ".", 1);
+        filter->pc+=2;
+        }
+      }
+    else /* regular character */
+      {
+      g = string_catn(g, filter->pc, 1);
+      filter->pc++;
+      }
+    }
+  filter->errmsg=CUS "missing end of multi line string";
+  return -1;
+  }
+else return 0;
+}
+
+
+/*************************************************
+*          Parse a specific identifier           *
+*************************************************/
+
+/*
+Token definition:
+  identifier       = (ALPHA / "_") *(ALPHA DIGIT "_")
+
+Arguments:
+  filter      points to the Sieve filter including its state
+  id          specifies identifier to match
+
+Returns:      1                success
+              0                identifier not matched
+*/
+
+static int parse_identifier(struct Sieve *filter, const uschar *id)
+{
+  size_t idlen=Ustrlen(id);
+
+  if (strncmpic(US filter->pc,US id,idlen)==0)
+  {
+    uschar next=filter->pc[idlen];
+
+    if ((next>='A' && next<='Z') || (next>='a' && next<='z') || next=='_' || (next>='0' && next<='9')) return 0;
+    filter->pc+=idlen;
+    return 1;
+  }
+  else return 0;
+}
+
+
+/*************************************************
+*                 Parse a number                 *
+*************************************************/
+
+/*
+Token definition:
+  number           = 1*DIGIT [QUANTIFIER]
+  QUANTIFIER       = "K" / "M" / "G"
+
+Arguments:
+  filter      points to the Sieve filter including its state
+  data        returns value
+
+Returns:      1                success
+              -1               no string list found
+*/
+
+static int parse_number(struct Sieve *filter, unsigned long *data)
+{
+unsigned long d,u;
+
+if (*filter->pc>='0' && *filter->pc<='9')
+  {
+  uschar *e;
+
+  errno=0;
+  d=Ustrtoul(filter->pc,&e,10);
+  if (errno==ERANGE)
+    {
+    filter->errmsg=CUstrerror(ERANGE);
+    return -1;
+    }
+  filter->pc=e;
+  u=1;
+  if (*filter->pc=='K') { u=1024; ++filter->pc; }
+  else if (*filter->pc=='M') { u=1024*1024; ++filter->pc; }
+  else if (*filter->pc=='G') { u=1024*1024*1024; ++filter->pc; }
+  if (d>(ULONG_MAX/u))
+    {
+    filter->errmsg=CUstrerror(ERANGE);
+    return -1;
+    }
+  d*=u;
+  *data=d;
+  return 1;
+  }
+else
+  {
+  filter->errmsg=CUS "missing number";
+  return -1;
+  }
+}
+
+
+/*************************************************
+*              Parse a string list               *
+*************************************************/
+
+/*
+Grammar:
+  string-list      = "[" string *("," string) "]" / string
+
+Arguments:
+  filter      points to the Sieve filter including its state
+  data        returns string list
+
+Returns:      1                success
+              -1               no string list found
+*/
+
+static int
+parse_stringlist(struct Sieve *filter, struct String **data)
+{
+const uschar *orig=filter->pc;
+int dataCapacity = 0;
+int dataLength = 0;
+struct String *d = NULL;
+int m;
+
+if (*filter->pc=='[') /* string list */
+  {
+  ++filter->pc;
+  for (;;)
+    {
+    if (parse_white(filter)==-1) goto error;
+    if (dataLength+1 >= dataCapacity) /* increase buffer */
+      {
+      struct String *new;
+
+      dataCapacity = dataCapacity ? dataCapacity * 2 : 4;
+      new = store_get(sizeof(struct String) * dataCapacity, GET_UNTAINTED);
+
+      if (d) memcpy(new,d,sizeof(struct String)*dataLength);
+      d = new;
+      }
+
+    m=parse_string(filter,&d[dataLength]);
+    if (m==0)
+      {
+      if (dataLength==0) break;
+      else
+        {
+        filter->errmsg=CUS "missing string";
+        goto error;
+        }
+      }
+    else if (m==-1) goto error;
+    else ++dataLength;
+    if (parse_white(filter)==-1) goto error;
+    if (*filter->pc==',') ++filter->pc;
+    else break;
+    }
+  if (*filter->pc==']')
+    {
+    d[dataLength].character=(uschar*)0;
+    d[dataLength].length=-1;
+    ++filter->pc;
+    *data=d;
+    return 1;
+    }
+  else
+    {
+    filter->errmsg=CUS "missing closing bracket";
+    goto error;
+    }
+  }
+else /* single string */
+  {
+  if (!(d=store_get(sizeof(struct String)*2, GET_UNTAINTED)))
+    return -1;
+
+  m=parse_string(filter,&d[0]);
+  if (m==-1)
+    return -1;
+
+  else if (m==0)
+    {
+    filter->pc=orig;
+    return 0;
+    }
+  else
+    {
+    d[1].character=(uschar*)0;
+    d[1].length=-1;
+    *data=d;
+    return 1;
+    }
+  }
+error:
+filter->errmsg=CUS "missing string list";
+return -1;
+}
+
+
+/*************************************************
+*    Parse an optional address part specifier    *
+*************************************************/
+
+/*
+Grammar:
+  address-part     =  ":localpart" / ":domain" / ":all"
+  address-part     =/ ":user" / ":detail"
+
+Arguments:
+  filter      points to the Sieve filter including its state
+  a           returns address part specified
+
+Returns:      1                success
+              0                no comparator found
+              -1               syntax error
+*/
+
+static int parse_addresspart(struct Sieve *filter, enum AddressPart *a)
+{
+#ifdef SUBADDRESS
+if (parse_identifier(filter,CUS ":user")==1)
+  {
+  if (!filter->require_subaddress)
+    {
+    filter->errmsg=CUS "missing previous require \"subaddress\";";
+    return -1;
+    }
+  *a=ADDRPART_USER;
+  return 1;
+  }
+else if (parse_identifier(filter,CUS ":detail")==1)
+  {
+  if (!filter->require_subaddress)
+    {
+    filter->errmsg=CUS "missing previous require \"subaddress\";";
+    return -1;
+    }
+  *a=ADDRPART_DETAIL;
+  return 1;
+  }
+else
+#endif
+if (parse_identifier(filter,CUS ":localpart")==1)
+  {
+  *a=ADDRPART_LOCALPART;
+  return 1;
+  }
+else if (parse_identifier(filter,CUS ":domain")==1)
+  {
+  *a=ADDRPART_DOMAIN;
+  return 1;
+  }
+else if (parse_identifier(filter,CUS ":all")==1)
+  {
+  *a=ADDRPART_ALL;
+  return 1;
+  }
+else return 0;
+}
+
+
+/*************************************************
+*         Parse an optional comparator           *
+*************************************************/
+
+/*
+Grammar:
+  comparator = ":comparator" <comparator-name: string>
+
+Arguments:
+  filter      points to the Sieve filter including its state
+  c           returns comparator
+
+Returns:      1                success
+              0                no comparator found
+              -1               incomplete comparator found
+*/
+
+static int parse_comparator(struct Sieve *filter, enum Comparator *c)
+{
+struct String comparator_name;
+
+if (parse_identifier(filter,CUS ":comparator")==0) return 0;
+if (parse_white(filter)==-1) return -1;
+switch (parse_string(filter,&comparator_name))
+  {
+  case -1: return -1;
+  case 0:
+    {
+    filter->errmsg=CUS "missing comparator";
+    return -1;
+    }
+  default:
+    {
+    int match;
+
+    if (eq_asciicase(&comparator_name,&str_ioctet,0))
+      {
+      *c=COMP_OCTET;
+      match=1;
+      }
+    else if (eq_asciicase(&comparator_name,&str_iascii_casemap,0))
+      {
+      *c=COMP_EN_ASCII_CASEMAP;
+      match=1;
+      }
+    else if (eq_asciicase(&comparator_name,&str_enascii_casemap,0))
+      {
+      *c=COMP_EN_ASCII_CASEMAP;
+      match=1;
+      }
+    else if (eq_asciicase(&comparator_name,&str_iascii_numeric,0))
+      {
+      *c=COMP_ASCII_NUMERIC;
+      match=1;
+      }
+    else
+      {
+      filter->errmsg=CUS "invalid comparator";
+      match=-1;
+      }
+    return match;
+    }
+  }
+}
+
+
+/*************************************************
+*          Parse an optional match type          *
+*************************************************/
+
+/*
+Grammar:
+  match-type = ":is" / ":contains" / ":matches"
+
+Arguments:
+  filter      points to the Sieve filter including its state
+  m           returns match type
+
+Returns:      1                success
+              0                no match type found
+*/
+
+static int parse_matchtype(struct Sieve *filter, enum MatchType *m)
+{
+  if (parse_identifier(filter,CUS ":is")==1)
+  {
+    *m=MATCH_IS;
+    return 1;
+  }
+  else if (parse_identifier(filter,CUS ":contains")==1)
+  {
+    *m=MATCH_CONTAINS;
+    return 1;
+  }
+  else if (parse_identifier(filter,CUS ":matches")==1)
+  {
+    *m=MATCH_MATCHES;
+    return 1;
+  }
+  else return 0;
+}
+
+
+/*************************************************
+*   Parse and interpret an optional test list    *
+*************************************************/
+
+/*
+Grammar:
+  test-list = "(" test *("," test) ")"
+
+Arguments:
+  filter      points to the Sieve filter including its state
+  n           total number of tests
+  num_true    number of passed tests
+  exec        Execute parsed statements
+
+Returns:      1                success
+              0                no test list found
+              -1               syntax or execution error
+*/
+
+static int parse_testlist(struct Sieve *filter, int *n, int *num_true, int exec)
+{
+if (parse_white(filter)==-1) return -1;
+if (*filter->pc=='(')
+  {
+  ++filter->pc;
+  *n=0;
+   *num_true=0;
+  for (;;)
+    {
+    int cond;
+
+    switch (parse_test(filter,&cond,exec))
+      {
+      case -1: return -1;
+      case 0: filter->errmsg=CUS "missing test"; return -1;
+      default: ++*n; if (cond) ++*num_true; break;
+      }
+    if (parse_white(filter)==-1) return -1;
+    if (*filter->pc==',') ++filter->pc;
+    else break;
+    }
+  if (*filter->pc==')')
+    {
+    ++filter->pc;
+    return 1;
+    }
+  else
+    {
+    filter->errmsg=CUS "missing closing paren";
+    return -1;
+    }
+  }
+else return 0;
+}
+
+
+/*************************************************
+*     Parse and interpret an optional test       *
+*************************************************/
+
+/*
+Arguments:
+  filter      points to the Sieve filter including its state
+  cond        returned condition status
+  exec        Execute parsed statements
+
+Returns:      1                success
+              0                no test found
+              -1               syntax or execution error
+*/
+
+static int
+parse_test(struct Sieve *filter, int *cond, int exec)
+{
+if (parse_white(filter)==-1) return -1;
+if (parse_identifier(filter,CUS "address"))
+  {
+  /*
+  address-test = "address" { [address-part] [comparator] [match-type] }
+                 <header-list: string-list> <key-list: string-list>
+
+  header-list From, To, Cc, Bcc, Sender, Resent-From, Resent-To
+  */
+
+  enum AddressPart addressPart=ADDRPART_ALL;
+  enum Comparator comparator=COMP_EN_ASCII_CASEMAP;
+  enum MatchType matchType=MATCH_IS;
+  struct String *hdr,*key;
+  int m;
+  int ap=0,co=0,mt=0;
+
+  for (;;)
+    {
+    if (parse_white(filter)==-1) return -1;
+    if ((m=parse_addresspart(filter,&addressPart))!=0)
+      {
+      if (m==-1) return -1;
+      if (ap)
+        {
+        filter->errmsg=CUS "address part already specified";
+        return -1;
+        }
+      else ap=1;
+      }
+    else if ((m=parse_comparator(filter,&comparator))!=0)
+      {
+      if (m==-1) return -1;
+      if (co)
+        {
+        filter->errmsg=CUS "comparator already specified";
+        return -1;
+        }
+      else co=1;
+      }
+    else if ((m=parse_matchtype(filter,&matchType))!=0)
+      {
+      if (m==-1) return -1;
+      if (mt)
+        {
+        filter->errmsg=CUS "match type already specified";
+        return -1;
+        }
+      else mt=1;
+      }
+    else break;
+    }
+  if (parse_white(filter)==-1) return -1;
+  if ((m=parse_stringlist(filter,&hdr))!=1)
+    {
+    if (m==0) filter->errmsg=CUS "header string list expected";
+    return -1;
+    }
+  if (parse_white(filter)==-1) return -1;
+  if ((m=parse_stringlist(filter,&key))!=1)
+    {
+    if (m==0) filter->errmsg=CUS "key string list expected";
+    return -1;
+    }
+  *cond=0;
+  for (struct String * h = hdr; h->length!=-1 && !*cond; ++h)
+    {
+    uschar *header_value=(uschar*)0,*extracted_addr,*end_addr;
+
+    if
+      (
+      !eq_asciicase(h,&str_from,0)
+      && !eq_asciicase(h,&str_to,0)
+      && !eq_asciicase(h,&str_cc,0)
+      && !eq_asciicase(h,&str_bcc,0)
+      && !eq_asciicase(h,&str_sender,0)
+      && !eq_asciicase(h,&str_resent_from,0)
+      && !eq_asciicase(h,&str_resent_to,0)
+      )
+      {
+      filter->errmsg=CUS "invalid header field";
+      return -1;
+      }
+    if (exec)
+      {
+      /* We are only interested in addresses below, so no MIME decoding */
+      if (!(header_value = expand_string(string_sprintf("$rheader_%s",quote(h)))))
+        {
+        filter->errmsg=CUS "header string expansion failed";
+        return -1;
+        }
+      f.parse_allow_group = TRUE;
+      while (*header_value && !*cond)
+        {
+        uschar *error;
+        int start, end, domain;
+        int saveend;
+        uschar *part=NULL;
+
+        end_addr = parse_find_address_end(header_value, FALSE);
+        saveend = *end_addr;
+        *end_addr = 0;
+        extracted_addr = parse_extract_address(header_value, &error, &start, &end, &domain, FALSE);
+
+        if (extracted_addr) switch (addressPart)
+          {
+          case ADDRPART_ALL: part=extracted_addr; break;
+#ifdef SUBADDRESS
+          case ADDRPART_USER:
+#endif
+          case ADDRPART_LOCALPART: part=extracted_addr; part[domain-1]='\0'; break;
+          case ADDRPART_DOMAIN: part=extracted_addr+domain; break;
+#ifdef SUBADDRESS
+          case ADDRPART_DETAIL: part=NULL; break;
+#endif
+          }
+
+        *end_addr = saveend;
+        if (part)
+          {
+          for (struct String * k = key; k->length !=- 1; ++k)
+            {
+            struct String partStr = {.character = part, .length = Ustrlen(part)};
+
+            if (extracted_addr)
+              {
+              *cond=compare(filter,k,&partStr,comparator,matchType);
+              if (*cond==-1) return -1;
+              if (*cond) break;
+              }
+            }
+          }
+        if (saveend == 0) break;
+        header_value = end_addr + 1;
+        }
+      f.parse_allow_group = FALSE;
+      f.parse_found_group = FALSE;
+      }
+    }
+  return 1;
+  }
+else if (parse_identifier(filter,CUS "allof"))
+  {
+  /*
+  allof-test   = "allof" <tests: test-list>
+  */
+
+  int n,num_true;
+
+  switch (parse_testlist(filter,&n,&num_true,exec))
+    {
+    case -1: return -1;
+    case 0: filter->errmsg=CUS "missing test list"; return -1;
+    default: *cond=(n==num_true); return 1;
+    }
+  }
+else if (parse_identifier(filter,CUS "anyof"))
+  {
+  /*
+  anyof-test   = "anyof" <tests: test-list>
+  */
+
+  int n,num_true;
+
+  switch (parse_testlist(filter,&n,&num_true,exec))
+    {
+    case -1: return -1;
+    case 0: filter->errmsg=CUS "missing test list"; return -1;
+    default: *cond=(num_true>0); return 1;
+    }
+  }
+else if (parse_identifier(filter,CUS "exists"))
+  {
+  /*
+  exists-test = "exists" <header-names: string-list>
+  */
+
+  struct String *hdr;
+  int m;
+
+  if (parse_white(filter)==-1) return -1;
+  if ((m=parse_stringlist(filter,&hdr))!=1)
+    {
+    if (m==0) filter->errmsg=CUS "header string list expected";
+    return -1;
+    }
+  if (exec)
+    {
+    *cond=1;
+    for (struct String * h = hdr; h->length != -1 && *cond; ++h)
+      {
+      uschar *header_def;
+
+      header_def = expand_string(string_sprintf("${if def:header_%s {true}{false}}",quote(h)));
+      if (!header_def)
+        {
+        filter->errmsg=CUS "header string expansion failed";
+        return -1;
+        }
+      if (Ustrcmp(header_def,"false")==0) *cond=0;
+      }
+    }
+  return 1;
+  }
+else if (parse_identifier(filter,CUS "false"))
+  {
+  /*
+  false-test = "false"
+  */
+
+  *cond=0;
+  return 1;
+  }
+else if (parse_identifier(filter,CUS "header"))
+  {
+  /*
+  header-test = "header" { [comparator] [match-type] }
+                <header-names: string-list> <key-list: string-list>
+  */
+
+  enum Comparator comparator=COMP_EN_ASCII_CASEMAP;
+  enum MatchType matchType=MATCH_IS;
+  struct String *hdr,*key;
+  int m;
+  int co=0,mt=0;
+
+  for (;;)
+    {
+    if (parse_white(filter)==-1) return -1;
+    if ((m=parse_comparator(filter,&comparator))!=0)
+      {
+      if (m==-1) return -1;
+      if (co)
+        {
+        filter->errmsg=CUS "comparator already specified";
+        return -1;
+        }
+      else co=1;
+      }
+    else if ((m=parse_matchtype(filter,&matchType))!=0)
+      {
+      if (m==-1) return -1;
+      if (mt)
+        {
+        filter->errmsg=CUS "match type already specified";
+        return -1;
+        }
+      else mt=1;
+      }
+    else break;
+    }
+  if (parse_white(filter)==-1) return -1;
+  if ((m=parse_stringlist(filter,&hdr))!=1)
+    {
+    if (m==0) filter->errmsg=CUS "header string list expected";
+    return -1;
+    }
+  if (parse_white(filter)==-1) return -1;
+  if ((m=parse_stringlist(filter,&key))!=1)
+    {
+    if (m==0) filter->errmsg=CUS "key string list expected";
+    return -1;
+    }
+  *cond=0;
+  for (struct String * h = hdr; h->length != -1 && !*cond; ++h)
+    {
+    if (!is_header(h))
+      {
+      filter->errmsg=CUS "invalid header field";
+      return -1;
+      }
+    if (exec)
+      {
+      struct String header_value;
+      uschar *header_def;
+
+      expand_header(&header_value,h);
+      header_def = expand_string(string_sprintf("${if def:header_%s {true}{false}}",quote(h)));
+      if (!header_value.character || !header_def)
+        {
+        filter->errmsg=CUS "header string expansion failed";
+        return -1;
+        }
+      for (struct String * k = key; k->length != -1; ++k)
+        if (Ustrcmp(header_def,"true")==0)
+          {
+          *cond=compare(filter,k,&header_value,comparator,matchType);
+          if (*cond==-1) return -1;
+          if (*cond) break;
+          }
+      }
+    }
+  return 1;
+  }
+else if (parse_identifier(filter,CUS "not"))
+  {
+  if (parse_white(filter)==-1) return -1;
+  switch (parse_test(filter,cond,exec))
+    {
+    case -1: return -1;
+    case 0: filter->errmsg=CUS "missing test"; return -1;
+    default: *cond=!*cond; return 1;
+    }
+  }
+else if (parse_identifier(filter,CUS "size"))
+  {
+  /*
+  relop = ":over" / ":under"
+  size-test = "size" relop <limit: number>
+  */
+
+  unsigned long limit;
+  int overNotUnder;
+
+  if (parse_white(filter)==-1) return -1;
+  if (parse_identifier(filter,CUS ":over")) overNotUnder=1;
+  else if (parse_identifier(filter,CUS ":under")) overNotUnder=0;
+  else
+    {
+    filter->errmsg=CUS "missing :over or :under";
+    return -1;
+    }
+  if (parse_white(filter)==-1) return -1;
+  if (parse_number(filter,&limit)==-1) return -1;
+  *cond=(overNotUnder ? (message_size>limit) : (message_size<limit));
+  return 1;
+  }
+else if (parse_identifier(filter,CUS "true"))
+  {
+  *cond=1;
+  return 1;
+  }
+else if (parse_identifier(filter,CUS "envelope"))
+  {
+  /*
+  envelope-test = "envelope" { [comparator] [address-part] [match-type] }
+                  <envelope-part: string-list> <key-list: string-list>
+
+  envelope-part is case insensitive "from" or "to"
+#ifdef ENVELOPE_AUTH
+  envelope-part =/ "auth"
+#endif
+  */
+
+  enum Comparator comparator=COMP_EN_ASCII_CASEMAP;
+  enum AddressPart addressPart=ADDRPART_ALL;
+  enum MatchType matchType=MATCH_IS;
+  struct String *env,*key;
+  int m;
+  int co=0,ap=0,mt=0;
+
+  if (!filter->require_envelope)
+    {
+    filter->errmsg=CUS "missing previous require \"envelope\";";
+    return -1;
+    }
+  for (;;)
+    {
+    if (parse_white(filter)==-1) return -1;
+    if ((m=parse_comparator(filter,&comparator))!=0)
+      {
+      if (m==-1) return -1;
+      if (co)
+        {
+        filter->errmsg=CUS "comparator already specified";
+        return -1;
+        }
+      else co=1;
+      }
+    else if ((m=parse_addresspart(filter,&addressPart))!=0)
+      {
+      if (m==-1) return -1;
+      if (ap)
+        {
+        filter->errmsg=CUS "address part already specified";
+        return -1;
+        }
+      else ap=1;
+      }
+    else if ((m=parse_matchtype(filter,&matchType))!=0)
+      {
+      if (m==-1) return -1;
+      if (mt)
+        {
+        filter->errmsg=CUS "match type already specified";
+        return -1;
+        }
+      else mt=1;
+      }
+    else break;
+    }
+  if (parse_white(filter)==-1) return -1;
+  if ((m=parse_stringlist(filter,&env))!=1)
+    {
+    if (m==0) filter->errmsg=CUS "envelope string list expected";
+    return -1;
+    }
+  if (parse_white(filter)==-1) return -1;
+  if ((m=parse_stringlist(filter,&key))!=1)
+    {
+    if (m==0) filter->errmsg=CUS "key string list expected";
+    return -1;
+    }
+  *cond=0;
+  for (struct String * e = env; e->length != -1 && !*cond; ++e)
+    {
+    const uschar *envelopeExpr=CUS 0;
+    uschar *envelope=US 0;
+
+    if (eq_asciicase(e,&str_from,0))
+      {
+      switch (addressPart)
+        {
+        case ADDRPART_ALL: envelopeExpr=CUS "$sender_address"; break;
+#ifdef SUBADDRESS
+        case ADDRPART_USER:
+#endif
+        case ADDRPART_LOCALPART: envelopeExpr=CUS "${local_part:$sender_address}"; break;
+        case ADDRPART_DOMAIN: envelopeExpr=CUS "${domain:$sender_address}"; break;
+#ifdef SUBADDRESS
+        case ADDRPART_DETAIL: envelopeExpr=CUS 0; break;
+#endif
+        }
+      }
+    else if (eq_asciicase(e,&str_to,0))
+      {
+      switch (addressPart)
+        {
+        case ADDRPART_ALL: envelopeExpr=CUS "$local_part_prefix$local_part$local_part_suffix@$domain"; break;
+#ifdef SUBADDRESS
+        case ADDRPART_USER: envelopeExpr=filter->useraddress; break;
+        case ADDRPART_DETAIL: envelopeExpr=filter->subaddress; break;
+#endif
+        case ADDRPART_LOCALPART: envelopeExpr=CUS "$local_part_prefix$local_part$local_part_suffix"; break;
+        case ADDRPART_DOMAIN: envelopeExpr=CUS "$domain"; break;
+        }
+      }
+#ifdef ENVELOPE_AUTH
+    else if (eq_asciicase(e,&str_auth,0))
+      {
+      switch (addressPart)
+        {
+        case ADDRPART_ALL: envelopeExpr=CUS "$authenticated_sender"; break;
+#ifdef SUBADDRESS
+        case ADDRPART_USER:
+#endif
+        case ADDRPART_LOCALPART: envelopeExpr=CUS "${local_part:$authenticated_sender}"; break;
+        case ADDRPART_DOMAIN: envelopeExpr=CUS "${domain:$authenticated_sender}"; break;
+#ifdef SUBADDRESS
+        case ADDRPART_DETAIL: envelopeExpr=CUS 0; break;
+#endif
+        }
+      }
+#endif
+    else
+      {
+      filter->errmsg=CUS "invalid envelope string";
+      return -1;
+      }
+    if (exec && envelopeExpr)
+      {
+      if (!(envelope=expand_string(US envelopeExpr)))
+        {
+        filter->errmsg=CUS "header string expansion failed";
+        return -1;
+        }
+      for (struct String * k = key; k->length != -1; ++k)
+        {
+        struct String envelopeStr = {.character = envelope, .length = Ustrlen(envelope)};
+
+        *cond=compare(filter,k,&envelopeStr,comparator,matchType);
+        if (*cond==-1) return -1;
+        if (*cond) break;
+        }
+      }
+    }
+  return 1;
+  }
+#ifdef ENOTIFY
+else if (parse_identifier(filter,CUS "valid_notify_method"))
+  {
+  /*
+  valid_notify_method = "valid_notify_method"
+                        <notification-uris: string-list>
+  */
+
+  struct String *uris;
+  int m;
+
+  if (!filter->require_enotify)
+    {
+    filter->errmsg=CUS "missing previous require \"enotify\";";
+    return -1;
+    }
+  if (parse_white(filter)==-1) return -1;
+  if ((m=parse_stringlist(filter,&uris))!=1)
+    {
+    if (m==0) filter->errmsg=CUS "URI string list expected";
+    return -1;
+    }
+  if (exec)
+    {
+    *cond=1;
+    for (struct String * u = uris; u->length != -1 && *cond; ++u)
+      {
+        string_item *recipient;
+        struct String header,subject,body;
+
+        recipient=NULL;
+        header.length=-1;
+        header.character=(uschar*)0;
+        subject.length=-1;
+        subject.character=(uschar*)0;
+        body.length=-1;
+        body.character=(uschar*)0;
+        if (parse_mailto_uri(filter,u->character,&recipient,&header,&subject,&body)!=1)
+          *cond=0;
+      }
+    }
+  return 1;
+  }
+else if (parse_identifier(filter,CUS "notify_method_capability"))
+  {
+  /*
+  notify_method_capability = "notify_method_capability" [COMPARATOR] [MATCH-TYPE]
+                             <notification-uri: string>
+                             <notification-capability: string>
+                             <key-list: string-list>
+  */
+
+  int m;
+  int co=0,mt=0;
+
+  enum Comparator comparator=COMP_EN_ASCII_CASEMAP;
+  enum MatchType matchType=MATCH_IS;
+  struct String uri,capa,*keys;
+
+  if (!filter->require_enotify)
+    {
+    filter->errmsg=CUS "missing previous require \"enotify\";";
+    return -1;
+    }
+  for (;;)
+    {
+    if (parse_white(filter)==-1) return -1;
+    if ((m=parse_comparator(filter,&comparator))!=0)
+      {
+      if (m==-1) return -1;
+      if (co)
+        {
+        filter->errmsg=CUS "comparator already specified";
+        return -1;
+        }
+      else co=1;
+      }
+    else if ((m=parse_matchtype(filter,&matchType))!=0)
+      {
+      if (m==-1) return -1;
+      if (mt)
+        {
+        filter->errmsg=CUS "match type already specified";
+        return -1;
+        }
+      else mt=1;
+      }
+    else break;
+    }
+    if ((m=parse_string(filter,&uri))!=1)
+      {
+      if (m==0) filter->errmsg=CUS "missing notification URI string";
+      return -1;
+      }
+    if (parse_white(filter)==-1) return -1;
+    if ((m=parse_string(filter,&capa))!=1)
+      {
+      if (m==0) filter->errmsg=CUS "missing notification capability string";
+      return -1;
+      }
+    if (parse_white(filter)==-1) return -1;
+    if ((m=parse_stringlist(filter,&keys))!=1)
+      {
+      if (m==0) filter->errmsg=CUS "missing key string list";
+      return -1;
+      }
+    if (exec)
+      {
+      string_item *recipient;
+      struct String header,subject,body;
+
+      *cond=0;
+      recipient=NULL;
+      header.length=-1;
+      header.character=(uschar*)0;
+      subject.length=-1;
+      subject.character=(uschar*)0;
+      body.length=-1;
+      body.character=(uschar*)0;
+      if (parse_mailto_uri(filter,uri.character,&recipient,&header,&subject,&body)==1)
+        if (eq_asciicase(&capa,&str_online,0)==1)
+          for (struct String * k = keys; k->length != -1; ++k)
+            {
+            *cond=compare(filter,k,&str_maybe,comparator,matchType);
+            if (*cond==-1) return -1;
+            if (*cond) break;
+            }
+      }
+    return 1;
+  }
+#endif
+else return 0;
+}
+
+
+/*************************************************
+*     Parse and interpret an optional block      *
+*************************************************/
+
+/*
+Arguments:
+  filter      points to the Sieve filter including its state
+  exec        Execute parsed statements
+  generated   where to hang newly-generated addresses
+
+Returns:      2                success by stop
+              1                other success
+              0                no block command found
+              -1               syntax or execution error
+*/
+
+static int parse_block(struct Sieve *filter, int exec,
+  address_item **generated)
+{
+int r;
+
+if (parse_white(filter)==-1) return -1;
+if (*filter->pc=='{')
+  {
+  ++filter->pc;
+  if ((r=parse_commands(filter,exec,generated))==-1 || r==2) return r;
+  if (*filter->pc=='}')
+    {
+    ++filter->pc;
+    return 1;
+    }
+  else
+    {
+    filter->errmsg=CUS "expecting command or closing brace";
+    return -1;
+    }
+  }
+else return 0;
+}
+
+
+/*************************************************
+*           Match a semicolon                    *
+*************************************************/
+
+/*
+Arguments:
+  filter      points to the Sieve filter including its state
+
+Returns:      1                success
+              -1               syntax error
+*/
+
+static int parse_semicolon(struct Sieve *filter)
+{
+  if (parse_white(filter)==-1) return -1;
+  if (*filter->pc==';')
+  {
+    ++filter->pc;
+    return 1;
+  }
+  else
+  {
+    filter->errmsg=CUS "missing semicolon";
+    return -1;
+  }
+}
+
+
+/*************************************************
+*     Parse and interpret a Sieve command        *
+*************************************************/
+
+/*
+Arguments:
+  filter      points to the Sieve filter including its state
+  exec        Execute parsed statements
+  generated   where to hang newly-generated addresses
+
+Returns:      2                success by stop
+              1                other success
+              -1               syntax or execution error
+*/
+static int
+parse_commands(struct Sieve *filter, int exec, address_item **generated)
+{
+while (*filter->pc)
+  {
+  if (parse_white(filter)==-1) return -1;
+  if (parse_identifier(filter,CUS "if"))
+    {
+    /*
+    if-command = "if" test block *( "elsif" test block ) [ else block ]
+    */
+
+    int cond,m,unsuccessful;
+
+    /* test block */
+    if (parse_white(filter)==-1) return -1;
+    if ((m=parse_test(filter,&cond,exec))==-1) return -1;
+    if (m==0)
+      {
+      filter->errmsg=CUS "missing test";
+      return -1;
+      }
+    if ((filter_test != FTEST_NONE && debug_selector != 0) ||
+        (debug_selector & D_filter) != 0)
+      {
+      if (exec) debug_printf("if %s\n",cond?"true":"false");
+      }
+    m=parse_block(filter,exec ? cond : 0, generated);
+    if (m==-1 || m==2) return m;
+    if (m==0)
+      {
+      filter->errmsg=CUS "missing block";
+      return -1;
+      }
+    unsuccessful = !cond;
+    for (;;) /* elsif test block */
+      {
+      if (parse_white(filter)==-1) return -1;
+      if (parse_identifier(filter,CUS "elsif"))
+        {
+        if (parse_white(filter)==-1) return -1;
+        m=parse_test(filter,&cond,exec && unsuccessful);
+        if (m==-1 || m==2) return m;
+        if (m==0)
+          {
+          filter->errmsg=CUS "missing test";
+          return -1;
+          }
+        if ((filter_test != FTEST_NONE && debug_selector != 0) ||
+            (debug_selector & D_filter) != 0)
+          {
+          if (exec) debug_printf("elsif %s\n",cond?"true":"false");
+          }
+        m=parse_block(filter,exec && unsuccessful ? cond : 0, generated);
+        if (m==-1 || m==2) return m;
+        if (m==0)
+          {
+          filter->errmsg=CUS "missing block";
+          return -1;
+          }
+        if (exec && unsuccessful && cond) unsuccessful = 0;
+        }
+      else break;
+      }
+    /* else block */
+    if (parse_white(filter)==-1) return -1;
+    if (parse_identifier(filter,CUS "else"))
+      {
+      m=parse_block(filter,exec && unsuccessful, generated);
+      if (m==-1 || m==2) return m;
+      if (m==0)
+        {
+        filter->errmsg=CUS "missing block";
+        return -1;
+        }
+      }
+    }
+  else if (parse_identifier(filter,CUS "stop"))
+    {
+    /*
+    stop-command     =  "stop" { stop-options } ";"
+    stop-options     =
+    */
+
+    if (parse_semicolon(filter)==-1) return -1;
+    if (exec)
+      {
+      filter->pc+=Ustrlen(filter->pc);
+      return 2;
+      }
+    }
+  else if (parse_identifier(filter,CUS "keep"))
+    {
+    /*
+    keep-command     =  "keep" { keep-options } ";"
+    keep-options     =
+    */
+
+    if (parse_semicolon(filter)==-1) return -1;
+    if (exec)
+      {
+      add_addr(generated,US"inbox",1,0,0,0);
+      filter->keep = 0;
+      }
+    }
+  else if (parse_identifier(filter,CUS "discard"))
+    {
+    /*
+    discard-command  =  "discard" { discard-options } ";"
+    discard-options  =
+    */
+
+    if (parse_semicolon(filter)==-1) return -1;
+    if (exec) filter->keep=0;
+    }
+  else if (parse_identifier(filter,CUS "redirect"))
+    {
+    /*
+    redirect-command =  "redirect" redirect-options "string" ";"
+    redirect-options =
+    redirect-options =) ":copy"
+    */
+
+    struct String recipient;
+    int m;
+    int copy=0;
+
+    for (;;)
+      {
+      if (parse_white(filter)==-1) return -1;
+      if (parse_identifier(filter,CUS ":copy")==1)
+        {
+        if (!filter->require_copy)
+          {
+          filter->errmsg=CUS "missing previous require \"copy\";";
+          return -1;
+          }
+          copy=1;
+        }
+      else break;
+      }
+    if (parse_white(filter)==-1) return -1;
+    if ((m=parse_string(filter,&recipient))!=1)
+      {
+      if (m==0) filter->errmsg=CUS "missing redirect recipient string";
+      return -1;
+      }
+    if (strchr(CCS recipient.character,'@')==(char*)0)
+      {
+      filter->errmsg=CUS "unqualified recipient address";
+      return -1;
+      }
+    if (exec)
+      {
+      add_addr(generated,recipient.character,0,0,0,0);
+      if (!copy) filter->keep = 0;
+      }
+    if (parse_semicolon(filter)==-1) return -1;
+    }
+  else if (parse_identifier(filter,CUS "fileinto"))
+    {
+    /*
+    fileinto-command =  "fileinto" { fileinto-options } string ";"
+    fileinto-options =
+    fileinto-options =) [ ":copy" ]
+    */
+
+    struct String folder;
+    uschar *s;
+    int m;
+    unsigned long maxage, maxmessages, maxstorage;
+    int copy=0;
+
+    maxage = maxmessages = maxstorage = 0;
+    if (!filter->require_fileinto)
+      {
+      filter->errmsg=CUS "missing previous require \"fileinto\";";
+      return -1;
+      }
+    for (;;)
+      {
+      if (parse_white(filter)==-1) return -1;
+      if (parse_identifier(filter,CUS ":copy")==1)
+        {
+        if (!filter->require_copy)
+          {
+          filter->errmsg=CUS "missing previous require \"copy\";";
+          return -1;
+          }
+          copy=1;
+        }
+      else break;
+      }
+    if (parse_white(filter)==-1) return -1;
+    if ((m=parse_string(filter,&folder))!=1)
+      {
+      if (m==0) filter->errmsg=CUS "missing fileinto folder string";
+      return -1;
+      }
+    m=0; s=folder.character;
+    if (folder.length==0) m=1;
+    if (Ustrcmp(s,"..")==0 || Ustrncmp(s,"../",3)==0) m=1;
+    else while (*s)
+      {
+      if (Ustrcmp(s,"/..")==0 || Ustrncmp(s,"/../",4)==0) { m=1; break; }
+      ++s;
+      }
+    if (m)
+      {
+      filter->errmsg=CUS "invalid folder";
+      return -1;
+      }
+    if (exec)
+      {
+      add_addr(generated, folder.character, 1, maxage, maxmessages, maxstorage);
+      if (!copy) filter->keep = 0;
+      }
+    if (parse_semicolon(filter)==-1) return -1;
+    }
+#ifdef ENOTIFY
+  else if (parse_identifier(filter,CUS "notify"))
+    {
+    /*
+    notify-command =  "notify" { notify-options } <method: string> ";"
+    notify-options =  [":from" string]
+                      [":importance" <"1" / "2" / "3">]
+                      [":options" 1*(string-list / number)]
+                      [":message" string]
+    */
+
+    int m;
+    struct String from;
+    struct String importance;
+    struct String message;
+    struct String method;
+    struct Notification *already;
+    string_item *recipient;
+    struct String header;
+    struct String subject;
+    struct String body;
+    uschar *envelope_from;
+    struct String auto_submitted_value;
+    uschar *auto_submitted_def;
+
+    if (!filter->require_enotify)
+      {
+      filter->errmsg=CUS "missing previous require \"enotify\";";
+      return -1;
+      }
+    from.character=(uschar*)0;
+    from.length=-1;
+    importance.character=(uschar*)0;
+    importance.length=-1;
+    message.character=(uschar*)0;
+    message.length=-1;
+    recipient=NULL;
+    header.length=-1;
+    header.character=(uschar*)0;
+    subject.length=-1;
+    subject.character=(uschar*)0;
+    body.length=-1;
+    body.character=(uschar*)0;
+    envelope_from = sender_address && sender_address[0]
+     ? expand_string(US"$local_part_prefix$local_part$local_part_suffix@$domain") : US "";
+    if (!envelope_from)
+      {
+      filter->errmsg=CUS "expansion failure for envelope from";
+      return -1;
+      }
+    for (;;)
+      {
+      if (parse_white(filter)==-1) return -1;
+      if (parse_identifier(filter,CUS ":from")==1)
+        {
+        if (parse_white(filter)==-1) return -1;
+        if ((m=parse_string(filter,&from))!=1)
+          {
+          if (m==0) filter->errmsg=CUS "from string expected";
+          return -1;
+          }
+        }
+      else if (parse_identifier(filter,CUS ":importance")==1)
+        {
+        if (parse_white(filter)==-1) return -1;
+        if ((m=parse_string(filter,&importance))!=1)
+          {
+          if (m==0) filter->errmsg=CUS "importance string expected";
+          return -1;
+          }
+        if (importance.length!=1 || importance.character[0]<'1' || importance.character[0]>'3')
+          {
+          filter->errmsg=CUS "invalid importance";
+          return -1;
+          }
+        }
+      else if (parse_identifier(filter,CUS ":options")==1)
+        {
+        if (parse_white(filter)==-1) return -1;
+        }
+      else if (parse_identifier(filter,CUS ":message")==1)
+        {
+        if (parse_white(filter)==-1) return -1;
+        if ((m=parse_string(filter,&message))!=1)
+          {
+          if (m==0) filter->errmsg=CUS "message string expected";
+          return -1;
+          }
+        }
+      else break;
+      }
+    if (parse_white(filter)==-1) return -1;
+    if ((m=parse_string(filter,&method))!=1)
+      {
+      if (m==0) filter->errmsg=CUS "missing method string";
+      return -1;
+      }
+    if (parse_semicolon(filter)==-1) return -1;
+    if (parse_mailto_uri(filter,method.character,&recipient,&header,&subject,&body)!=1)
+      return -1;
+    if (exec)
+      {
+      if (message.length==-1) message=subject;
+      if (message.length==-1) expand_header(&message,&str_subject);
+      expand_header(&auto_submitted_value,&str_auto_submitted);
+      auto_submitted_def=expand_string(US"${if def:header_auto-submitted {true}{false}}");
+      if (!auto_submitted_value.character || !auto_submitted_def)
+        {
+        filter->errmsg=CUS "header string expansion failed";
+        return -1;
+        }
+        if (Ustrcmp(auto_submitted_def,"true")!=0 || Ustrcmp(auto_submitted_value.character,"no")==0)
+        {
+        for (already=filter->notified; already; already=already->next)
+          {
+          if (already->method.length==method.length
+              && (method.length==-1 || Ustrcmp(already->method.character,method.character)==0)
+              && already->importance.length==importance.length
+              && (importance.length==-1 || Ustrcmp(already->importance.character,importance.character)==0)
+              && already->message.length==message.length
+              && (message.length==-1 || Ustrcmp(already->message.character,message.character)==0))
+            break;
+          }
+        if (!already)
+          /* New notification, process it */
+          {
+          struct Notification * sent = store_get(sizeof(struct Notification), GET_UNTAINTED);
+          sent->method=method;
+          sent->importance=importance;
+          sent->message=message;
+          sent->next=filter->notified;
+          filter->notified=sent;
+  #ifndef COMPILE_SYNTAX_CHECKER
+          if (filter_test == FTEST_NONE)
+            {
+            int pid, fd;
+
+            if ((pid = child_open_exim2(&fd, envelope_from, envelope_from,
+			US"sieve-notify")) >= 1)
+              {
+              FILE * f = fdopen(fd, "wb");
+
+              fprintf(f,"From: %s\n", from.length == -1
+		? expand_string(US"$local_part_prefix$local_part$local_part_suffix@$domain")
+		: from.character);
+              for (string_item * p = recipient; p; p=p->next)
+	       	fprintf(f, "To: %s\n",p->text);
+              fprintf(f, "Auto-Submitted: auto-notified; %s\n", filter->enotify_mailto_owner);
+              if (header.length > 0) fprintf(f, "%s", header.character);
+              if (message.length==-1)
+                {
+                message.character=US"Notification";
+                message.length=Ustrlen(message.character);
+                }
+              if (message.length != -1)
+		fprintf(f, "Subject: %s\n", parse_quote_2047(message.character,
+		  message.length, US"utf-8", TRUE));
+              fprintf(f,"\n");
+              if (body.length > 0) fprintf(f, "%s\n", body.character);
+              fflush(f);
+              (void)fclose(f);
+              (void)child_close(pid, 0);
+              }
+            }
+          if ((filter_test != FTEST_NONE && debug_selector != 0) || debug_selector & D_filter)
+            debug_printf("Notification to `%s': '%s'.\n",method.character,message.length!=-1 ? message.character : CUS "");
+#endif
+          }
+        else
+          if ((filter_test != FTEST_NONE && debug_selector != 0) || debug_selector & D_filter)
+            debug_printf("Repeated notification to `%s' ignored.\n",method.character);
+        }
+      else
+        if ((filter_test != FTEST_NONE && debug_selector != 0) || debug_selector & D_filter)
+          debug_printf("Ignoring notification, triggering message contains Auto-submitted: field.\n");
+      }
+    }
+#endif
+#ifdef VACATION
+  else if (parse_identifier(filter,CUS "vacation"))
+    {
+    /*
+    vacation-command =  "vacation" { vacation-options } <reason: string> ";"
+    vacation-options =  [":days" number]
+                        [":subject" string]
+                        [":from" string]
+                        [":addresses" string-list]
+                        [":mime"]
+                        [":handle" string]
+    */
+
+    int m;
+    unsigned long days;
+    struct String subject;
+    struct String from;
+    struct String *addresses;
+    int reason_is_mime;
+    string_item *aliases;
+    struct String handle;
+    struct String reason;
+
+    if (!filter->require_vacation)
+      {
+      filter->errmsg=CUS "missing previous require \"vacation\";";
+      return -1;
+      }
+    if (exec)
+      {
+      if (filter->vacation_ran)
+        {
+        filter->errmsg=CUS "trying to execute vacation more than once";
+        return -1;
+        }
+      filter->vacation_ran=1;
+      }
+    days=VACATION_MIN_DAYS>7 ? VACATION_MIN_DAYS : 7;
+    subject.character=(uschar*)0;
+    subject.length=-1;
+    from.character=(uschar*)0;
+    from.length=-1;
+    addresses=(struct String*)0;
+    aliases=NULL;
+    reason_is_mime=0;
+    handle.character=(uschar*)0;
+    handle.length=-1;
+    for (;;)
+      {
+      if (parse_white(filter)==-1) return -1;
+      if (parse_identifier(filter,CUS ":days")==1)
+        {
+        if (parse_white(filter)==-1) return -1;
+        if (parse_number(filter,&days)==-1) return -1;
+        if (days<VACATION_MIN_DAYS) days=VACATION_MIN_DAYS;
+        else if (days>VACATION_MAX_DAYS) days=VACATION_MAX_DAYS;
+        }
+      else if (parse_identifier(filter,CUS ":subject")==1)
+        {
+        if (parse_white(filter)==-1) return -1;
+        if ((m=parse_string(filter,&subject))!=1)
+          {
+          if (m==0) filter->errmsg=CUS "subject string expected";
+          return -1;
+          }
+        }
+      else if (parse_identifier(filter,CUS ":from")==1)
+        {
+        if (parse_white(filter)==-1) return -1;
+        if ((m=parse_string(filter,&from))!=1)
+          {
+          if (m==0) filter->errmsg=CUS "from string expected";
+          return -1;
+          }
+        if (check_mail_address(filter,&from)!=1)
+          return -1;
+        }
+      else if (parse_identifier(filter,CUS ":addresses")==1)
+        {
+        if (parse_white(filter)==-1) return -1;
+        if ((m=parse_stringlist(filter,&addresses))!=1)
+          {
+          if (m==0) filter->errmsg=CUS "addresses string list expected";
+          return -1;
+          }
+        for (struct String * a = addresses; a->length != -1; ++a)
+          {
+          string_item * new = store_get(sizeof(string_item), GET_UNTAINTED);
+
+          new->text = store_get(a->length+1, a->character);
+          if (a->length) memcpy(new->text,a->character,a->length);
+          new->text[a->length]='\0';
+          new->next=aliases;
+          aliases=new;
+          }
+        }
+      else if (parse_identifier(filter,CUS ":mime")==1)
+        reason_is_mime=1;
+      else if (parse_identifier(filter,CUS ":handle")==1)
+        {
+        if (parse_white(filter)==-1) return -1;
+        if ((m=parse_string(filter,&from))!=1)
+          {
+          if (m==0) filter->errmsg=CUS "handle string expected";
+          return -1;
+          }
+        }
+      else break;
+      }
+    if (parse_white(filter)==-1) return -1;
+    if ((m=parse_string(filter,&reason))!=1)
+      {
+      if (m==0) filter->errmsg=CUS "missing reason string";
+      return -1;
+      }
+    if (reason_is_mime)
+      {
+      uschar *s,*end;
+
+      for (s = reason.character, end = reason.character + reason.length;
+	  s<end && (*s&0x80)==0; ) s++;
+      if (s<end)
+        {
+        filter->errmsg=CUS "MIME reason string contains 8bit text";
+        return -1;
+        }
+      }
+    if (parse_semicolon(filter)==-1) return -1;
+
+    if (exec)
+      {
+      address_item *addr;
+      md5 base;
+      uschar digest[16];
+      uschar hexdigest[33];
+      gstring * once;
+
+      if (filter_personal(aliases,TRUE))
+        {
+        if (filter_test == FTEST_NONE)
+          {
+          /* ensure oncelog directory exists; failure will be detected later */
+
+          (void)directory_make(NULL, filter->vacation_directory, 0700, FALSE);
+          }
+        /* build oncelog filename */
+
+        md5_start(&base);
+
+        if (handle.length==-1)
+          {
+	  gstring * key = NULL;
+          if (subject.length!=-1) key =string_catn(key, subject.character, subject.length);
+          if (from.length!=-1) key = string_catn(key, from.character, from.length);
+          key = string_catn(key, reason_is_mime?US"1":US"0", 1);
+          key = string_catn(key, reason.character, reason.length);
+	  md5_end(&base, key->s, key->ptr, digest);
+          }
+        else
+	  md5_end(&base, handle.character, handle.length, digest);
+
+        for (int i = 0; i < 16; i++) sprintf(CS (hexdigest+2*i), "%02X", digest[i]);
+
+        if ((filter_test != FTEST_NONE && debug_selector != 0) || (debug_selector & D_filter) != 0)
+          debug_printf("Sieve: mail was personal, vacation file basename: %s\n", hexdigest);
+
+        if (filter_test == FTEST_NONE)
+          {
+          once = string_cat (NULL, filter->vacation_directory);
+          once = string_catn(once, US"/", 1);
+          once = string_catn(once, hexdigest, 33);
+
+          /* process subject */
+
+          if (subject.length==-1)
+            {
+            uschar *subject_def;
+
+            subject_def = expand_string(US"${if def:header_subject {true}{false}}");
+            if (subject_def && Ustrcmp(subject_def,"true")==0)
+              {
+	      gstring * g = string_catn(NULL, US"Auto: ", 6);
+
+              expand_header(&subject,&str_subject);
+              g = string_catn(g, subject.character, subject.length);
+	      subject.character = string_from_gstring(g);
+              subject.length = g->ptr;
+              }
+            else
+              {
+              subject.character=US"Automated reply";
+              subject.length=Ustrlen(subject.character);
+              }
+            }
+
+          /* add address to list of generated addresses */
+
+          addr = deliver_make_addr(string_sprintf(">%.256s", sender_address), FALSE);
+          setflag(addr, af_pfr);
+          addr->prop.ignore_error = TRUE;
+          addr->next = *generated;
+          *generated = addr;
+          addr->reply = store_get(sizeof(reply_item), GET_UNTAINTED);
+          memset(addr->reply,0,sizeof(reply_item)); /* XXX */
+          addr->reply->to = string_copy(sender_address);
+          if (from.length==-1)
+            addr->reply->from = expand_string(US"$local_part@$domain");
+          else
+            addr->reply->from = from.character;
+	  /* deconst cast safe as we pass in a non-const item */
+          addr->reply->subject = US parse_quote_2047(subject.character, subject.length, US"utf-8", TRUE);
+          addr->reply->oncelog = string_from_gstring(once);
+          addr->reply->once_repeat=days*86400;
+
+          /* build body and MIME headers */
+
+          if (reason_is_mime)
+            {
+            uschar *mime_body,*reason_end;
+            static const uschar nlnl[]="\r\n\r\n";
+
+            for
+              (
+              mime_body = reason.character, reason_end = reason.character + reason.length;
+              mime_body < (reason_end-(sizeof(nlnl)-1)) && memcmp(mime_body, nlnl, (sizeof(nlnl)-1));
+	      ) mime_body++;
+
+            addr->reply->headers = string_copyn(reason.character, mime_body-reason.character);
+
+            if (mime_body+(sizeof(nlnl)-1)<reason_end) mime_body+=(sizeof(nlnl)-1);
+            else mime_body=reason_end-1;
+            addr->reply->text = string_copyn(mime_body, reason_end-mime_body);
+            }
+          else
+            {
+            struct String qp = { .character = NULL, .length = 0 };  /* Keep compiler happy (PH) */
+
+            addr->reply->headers = US"MIME-Version: 1.0\n"
+                                   "Content-Type: text/plain;\n"
+                                   "\tcharset=\"utf-8\"\n"
+                                   "Content-Transfer-Encoding: quoted-printable";
+            addr->reply->text = quoted_printable_encode(&reason,&qp)->character;
+            }
+          }
+        }
+        else if ((filter_test != FTEST_NONE && debug_selector != 0) || (debug_selector & D_filter) != 0)
+          debug_printf("Sieve: mail was not personal, vacation would ignore it\n");
+      }
+    }
+    else break;
+#endif
+  }
+return 1;
+}
+
+
+/*************************************************
+*       Parse and interpret a sieve filter       *
+*************************************************/
+
+/*
+Arguments:
+  filter      points to the Sieve filter including its state
+  exec        Execute parsed statements
+  generated   where to hang newly-generated addresses
+
+Returns:      1                success
+              -1               syntax or execution error
+*/
+
+static int
+parse_start(struct Sieve *filter, int exec, address_item **generated)
+{
+filter->pc=filter->filter;
+filter->line=1;
+filter->keep=1;
+filter->require_envelope=0;
+filter->require_fileinto=0;
+#ifdef ENCODED_CHARACTER
+filter->require_encoded_character=0;
+#endif
+#ifdef ENVELOPE_AUTH
+filter->require_envelope_auth=0;
+#endif
+#ifdef ENOTIFY
+filter->require_enotify=0;
+filter->notified=(struct Notification*)0;
+#endif
+#ifdef SUBADDRESS
+filter->require_subaddress=0;
+#endif
+#ifdef VACATION
+filter->require_vacation=0;
+filter->vacation_ran=0;
+#endif
+filter->require_copy=0;
+filter->require_iascii_numeric=0;
+
+if (parse_white(filter)==-1) return -1;
+
+if (exec && filter->vacation_directory && filter_test == FTEST_NONE)
+  {
+  DIR *oncelogdir;
+  struct dirent *oncelog;
+  struct stat properties;
+  time_t now;
+
+  /* clean up old vacation log databases */
+
+  if (  !(oncelogdir = exim_opendir(filter->vacation_directory))
+     && errno != ENOENT)
+    {
+    filter->errmsg = CUS "unable to open vacation directory";
+    return -1;
+    }
+
+  if (oncelogdir)
+    {
+    time(&now);
+
+    while ((oncelog = readdir(oncelogdir)))
+      if (strlen(oncelog->d_name)==32)
+        {
+        uschar *s = string_sprintf("%s/%s", filter->vacation_directory, oncelog->d_name);
+        if (Ustat(s,&properties) == 0 && properties.st_mtime+VACATION_MAX_DAYS*86400 < now)
+          Uunlink(s);
+        }
+    closedir(oncelogdir);
+    }
+  }
+
+while (parse_identifier(filter,CUS "require"))
+  {
+  /*
+  require-command = "require" <capabilities: string-list>
+  */
+
+  struct String *cap;
+  int m;
+
+  if (parse_white(filter)==-1) return -1;
+  if ((m=parse_stringlist(filter,&cap))!=1)
+    {
+    if (m==0) filter->errmsg=CUS "capability string list expected";
+    return -1;
+    }
+  for (struct String * check = cap; check->character; ++check)
+    {
+    if (eq_octet(check,&str_envelope,0)) filter->require_envelope=1;
+    else if (eq_octet(check,&str_fileinto,0)) filter->require_fileinto=1;
+#ifdef ENCODED_CHARACTER
+    else if (eq_octet(check,&str_encoded_character,0)) filter->require_encoded_character=1;
+#endif
+#ifdef ENVELOPE_AUTH
+    else if (eq_octet(check,&str_envelope_auth,0)) filter->require_envelope_auth=1;
+#endif
+#ifdef ENOTIFY
+    else if (eq_octet(check,&str_enotify,0))
+      {
+      if (!filter->enotify_mailto_owner)
+        {
+        filter->errmsg=CUS "enotify disabled";
+        return -1;
+        }
+        filter->require_enotify=1;
+      }
+#endif
+#ifdef SUBADDRESS
+    else if (eq_octet(check,&str_subaddress,0)) filter->require_subaddress=1;
+#endif
+#ifdef VACATION
+    else if (eq_octet(check,&str_vacation,0))
+      {
+      if (filter_test == FTEST_NONE && !filter->vacation_directory)
+        {
+        filter->errmsg=CUS "vacation disabled";
+        return -1;
+        }
+      filter->require_vacation=1;
+      }
+#endif
+    else if (eq_octet(check,&str_copy,0)) filter->require_copy=1;
+    else if (eq_octet(check,&str_comparator_ioctet,0)) ;
+    else if (eq_octet(check,&str_comparator_iascii_casemap,0)) ;
+    else if (eq_octet(check,&str_comparator_enascii_casemap,0)) ;
+    else if (eq_octet(check,&str_comparator_iascii_numeric,0)) filter->require_iascii_numeric=1;
+    else
+      {
+      filter->errmsg=CUS "unknown capability";
+      return -1;
+      }
+    }
+    if (parse_semicolon(filter)==-1) return -1;
+  }
+  if (parse_commands(filter,exec,generated)==-1) return -1;
+  if (*filter->pc)
+    {
+    filter->errmsg=CUS "syntax error";
+    return -1;
+    }
+  return 1;
+}
+
+
+/*************************************************
+*            Interpret a sieve filter file       *
+*************************************************/
+
+/*
+Arguments:
+  filter      points to the entire file, read into store as a single string
+  options     controls whether various special things are allowed, and requests
+              special actions (not currently used)
+  vacation_directory    where to store vacation "once" files
+  enotify_mailto_owner  owner of mailto notifications
+  useraddress string expression for :user part of address
+  subaddress  string expression for :subaddress part of address
+  generated   where to hang newly-generated addresses
+  error       where to pass back an error text
+
+Returns:      FF_DELIVERED     success, a significant action was taken
+              FF_NOTDELIVERED  success, no significant action
+              FF_DEFER         defer requested
+              FF_FAIL          fail requested
+              FF_FREEZE        freeze requested
+              FF_ERROR         there was a problem
+*/
+
+int
+sieve_interpret(const uschar * filter, int options,
+  const uschar * vacation_directory, const uschar * enotify_mailto_owner,
+  const uschar * useraddress, const uschar * subaddress,
+  address_item ** generated, uschar ** error)
+{
+struct Sieve sieve;
+int r;
+uschar * msg;
+
+DEBUG(D_route) debug_printf("Sieve: start of processing\n");
+sieve.filter = filter;
+
+if (!vacation_directory)
+  sieve.vacation_directory = NULL;
+else if (!(sieve.vacation_directory = expand_cstring(vacation_directory)))
+  {
+  *error = string_sprintf("failed to expand \"%s\" "
+    "(sieve_vacation_directory): %s", vacation_directory,
+    expand_string_message);
+  return FF_ERROR;
+  }
+
+if (!enotify_mailto_owner)
+  sieve.enotify_mailto_owner = NULL;
+else if (!(sieve.enotify_mailto_owner = expand_cstring(enotify_mailto_owner)))
+  {
+  *error = string_sprintf("failed to expand \"%s\" "
+    "(sieve_enotify_mailto_owner): %s", enotify_mailto_owner,
+    expand_string_message);
+  return FF_ERROR;
+  }
+
+sieve.useraddress = useraddress
+  ? useraddress : CUS "$local_part_prefix$local_part$local_part_suffix";
+sieve.subaddress = subaddress;
+
+#ifdef COMPILE_SYNTAX_CHECKER
+if (parse_start(&sieve, 0, generated) == 1)
+#else
+if (parse_start(&sieve, 1, generated) == 1)
+#endif
+  if (sieve.keep)
+    {
+    add_addr(generated, US"inbox", 1, 0, 0, 0);
+    msg = US"Implicit keep";
+    r = FF_DELIVERED;
+    }
+  else
+    {
+    msg = US"No implicit keep";
+    r = FF_DELIVERED;
+    }
+else
+  {
+  msg = string_sprintf("Sieve error: %s in line %d",sieve.errmsg,sieve.line);
+#ifdef COMPILE_SYNTAX_CHECKER
+  r = FF_ERROR;
+  *error = msg;
+#else
+  add_addr(generated,US"inbox",1,0,0,0);
+  r = FF_DELIVERED;
+#endif
+  }
+
+#ifndef COMPILE_SYNTAX_CHECKER
+if (filter_test != FTEST_NONE) printf("%s\n", (const char*) msg);
+  else debug_printf("%s\n", msg);
+#endif
+
+DEBUG(D_route) debug_printf("Sieve: end of processing\n");
+return r;
+}
diff --git a/src/smtp_in.c b/src/smtp_in.c
new file mode 100644
index 0000000..edb0adf
--- /dev/null
+++ b/src/smtp_in.c
@@ -0,0 +1,6068 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions for handling an incoming SMTP call. */
+
+
+#include "exim.h"
+#include <assert.h>
+
+
+/* Initialize for TCP wrappers if so configured. It appears that the macro
+HAVE_IPV6 is used in some versions of the tcpd.h header, so we unset it before
+including that header, and restore its value afterwards. */
+
+#ifdef USE_TCP_WRAPPERS
+
+  #if HAVE_IPV6
+  #define EXIM_HAVE_IPV6
+  #endif
+  #undef HAVE_IPV6
+  #include <tcpd.h>
+  #undef HAVE_IPV6
+  #ifdef EXIM_HAVE_IPV6
+  #define HAVE_IPV6 TRUE
+  #endif
+
+int allow_severity = LOG_INFO;
+int deny_severity  = LOG_NOTICE;
+uschar *tcp_wrappers_name;
+#endif
+
+
+/* Size of buffer for reading SMTP commands. We used to use 512, as defined
+by RFC 821. However, RFC 1869 specifies that this must be increased for SMTP
+commands that accept arguments, and this in particular applies to AUTH, where
+the data can be quite long.  More recently this value was 2048 in Exim;
+however, RFC 4954 (circa 2007) recommends 12288 bytes to handle AUTH.  Clients
+such as Thunderbird will send an AUTH with an initial-response for GSSAPI.
+The maximum size of a Kerberos ticket under Windows 2003 is 12000 bytes, and
+we need room to handle large base64-encoded AUTHs for GSSAPI.
+*/
+
+#define SMTP_CMD_BUFFER_SIZE  16384
+
+/* Size of buffer for reading SMTP incoming packets */
+
+#define IN_BUFFER_SIZE  8192
+
+/* Structure for SMTP command list */
+
+typedef struct {
+  const char *name;
+  int len;
+  short int cmd;
+  short int has_arg;
+  short int is_mail_cmd;
+} smtp_cmd_list;
+
+/* Codes for identifying commands. We order them so that those that come first
+are those for which synchronization is always required. Checking this can help
+block some spam.  */
+
+enum {
+  /* These commands are required to be synchronized, i.e. to be the last in a
+  block of commands when pipelining. */
+
+  HELO_CMD, EHLO_CMD, DATA_CMD, /* These are listed in the pipelining */
+  VRFY_CMD, EXPN_CMD, NOOP_CMD, /* RFC as requiring synchronization */
+  ETRN_CMD,                     /* This by analogy with TURN from the RFC */
+  STARTTLS_CMD,                 /* Required by the STARTTLS RFC */
+  TLS_AUTH_CMD,			/* auto-command at start of SSL */
+
+  /* This is a dummy to identify the non-sync commands when pipelining */
+
+  NON_SYNC_CMD_PIPELINING,
+
+  /* These commands need not be synchronized when pipelining */
+
+  MAIL_CMD, RCPT_CMD, RSET_CMD,
+
+  /* This is a dummy to identify the non-sync commands when not pipelining */
+
+  NON_SYNC_CMD_NON_PIPELINING,
+
+  /* RFC3030 section 2: "After all MAIL and RCPT responses are collected and
+  processed the message is sent using a series of BDAT commands"
+  implies that BDAT should be synchronized.  However, we see Google, at least,
+  sending MAIL,RCPT,BDAT-LAST in a single packet, clearly not waiting for
+  processing of the RCPT response(s).  We shall do the same, and not require
+  synch for BDAT.  Worse, as the chunk may (very likely will) follow the
+  command-header in the same packet we cannot do the usual "is there any
+  follow-on data after the command line" even for non-pipeline mode.
+  So we'll need an explicit check after reading the expected chunk amount
+  when non-pipe, before sending the ACK. */
+
+  BDAT_CMD,
+
+  /* I have been unable to find a statement about the use of pipelining
+  with AUTH, so to be on the safe side it is here, though I kind of feel
+  it should be up there with the synchronized commands. */
+
+  AUTH_CMD,
+
+  /* I'm not sure about these, but I don't think they matter. */
+
+  QUIT_CMD, HELP_CMD,
+
+#ifdef SUPPORT_PROXY
+  PROXY_FAIL_IGNORE_CMD,
+#endif
+
+  /* These are specials that don't correspond to actual commands */
+
+  EOF_CMD, OTHER_CMD, BADARG_CMD, BADCHAR_CMD, BADSYN_CMD,
+  TOO_MANY_NONMAIL_CMD };
+
+
+/* This is a convenience macro for adding the identity of an SMTP command
+to the circular buffer that holds a list of the last n received. */
+
+#define HAD(n) \
+    smtp_connection_had[smtp_ch_index++] = n; \
+    if (smtp_ch_index >= SMTP_HBUFF_SIZE) smtp_ch_index = 0
+
+
+/*************************************************
+*                Local static variables          *
+*************************************************/
+
+static struct {
+  BOOL auth_advertised			:1;
+#ifndef DISABLE_TLS
+  BOOL tls_advertised			:1;
+#endif
+  BOOL dsn_advertised			:1;
+  BOOL esmtp				:1;
+  BOOL helo_verify_required		:1;
+  BOOL helo_verify			:1;
+  BOOL helo_seen			:1;
+  BOOL helo_accept_junk			:1;
+#ifndef DISABLE_PIPE_CONNECT
+  BOOL pipe_connect_acceptable		:1;
+#endif
+  BOOL rcpt_smtp_response_same		:1;
+  BOOL rcpt_in_progress			:1;
+  BOOL smtp_exit_function_called	:1;
+#ifdef SUPPORT_I18N
+  BOOL smtputf8_advertised		:1;
+#endif
+} fl = {
+  .helo_verify_required = FALSE,
+  .helo_verify = FALSE,
+  .smtp_exit_function_called = FALSE,
+};
+
+static auth_instance *authenticated_by;
+static int  count_nonmail;
+static int  nonmail_command_count;
+static int  synprot_error_count;
+static int  unknown_command_count;
+static int  sync_cmd_limit;
+static int  smtp_write_error = 0;
+
+static uschar *rcpt_smtp_response;
+static uschar *smtp_data_buffer;
+static uschar *smtp_cmd_data;
+
+/* We need to know the position of RSET, HELO, EHLO, AUTH, and STARTTLS. Their
+final fields of all except AUTH are forced TRUE at the start of a new message
+setup, to allow one of each between messages that is not counted as a nonmail
+command. (In fact, only one of HELO/EHLO is not counted.) Also, we have to
+allow a new EHLO after starting up TLS.
+
+AUTH is "falsely" labelled as a mail command initially, so that it doesn't get
+counted. However, the flag is changed when AUTH is received, so that multiple
+failing AUTHs will eventually hit the limit. After a successful AUTH, another
+AUTH is already forbidden. After a TLS session is started, AUTH's flag is again
+forced TRUE, to allow for the re-authentication that can happen at that point.
+
+QUIT is also "falsely" labelled as a mail command so that it doesn't up the
+count of non-mail commands and possibly provoke an error.
+
+tls_auth is a pseudo-command, never expected in input.  It is activated
+on TLS startup and looks for a tls authenticator. */
+
+static smtp_cmd_list cmd_list[] = {
+  /* name         len                     cmd     has_arg is_mail_cmd */
+
+  { "rset",       sizeof("rset")-1,       RSET_CMD, FALSE, FALSE },  /* First */
+  { "helo",       sizeof("helo")-1,       HELO_CMD, TRUE,  FALSE },
+  { "ehlo",       sizeof("ehlo")-1,       EHLO_CMD, TRUE,  FALSE },
+  { "auth",       sizeof("auth")-1,       AUTH_CMD, TRUE,  TRUE  },
+#ifndef DISABLE_TLS
+  { "starttls",   sizeof("starttls")-1,   STARTTLS_CMD, FALSE, FALSE },
+  { "tls_auth",   0,                      TLS_AUTH_CMD, FALSE, FALSE },
+#endif
+
+/* If you change anything above here, also fix the definitions below. */
+
+  { "mail from:", sizeof("mail from:")-1, MAIL_CMD, TRUE,  TRUE  },
+  { "rcpt to:",   sizeof("rcpt to:")-1,   RCPT_CMD, TRUE,  TRUE  },
+  { "data",       sizeof("data")-1,       DATA_CMD, FALSE, TRUE  },
+  { "bdat",       sizeof("bdat")-1,       BDAT_CMD, TRUE,  TRUE  },
+  { "quit",       sizeof("quit")-1,       QUIT_CMD, FALSE, TRUE  },
+  { "noop",       sizeof("noop")-1,       NOOP_CMD, TRUE,  FALSE },
+  { "etrn",       sizeof("etrn")-1,       ETRN_CMD, TRUE,  FALSE },
+  { "vrfy",       sizeof("vrfy")-1,       VRFY_CMD, TRUE,  FALSE },
+  { "expn",       sizeof("expn")-1,       EXPN_CMD, TRUE,  FALSE },
+  { "help",       sizeof("help")-1,       HELP_CMD, TRUE,  FALSE }
+};
+
+static smtp_cmd_list *cmd_list_end =
+  cmd_list + sizeof(cmd_list)/sizeof(smtp_cmd_list);
+
+#define CMD_LIST_RSET      0
+#define CMD_LIST_HELO      1
+#define CMD_LIST_EHLO      2
+#define CMD_LIST_AUTH      3
+#define CMD_LIST_STARTTLS  4
+#define CMD_LIST_TLS_AUTH  5
+
+/* This list of names is used for performing the smtp_no_mail logging action.
+It must be kept in step with the SCH_xxx enumerations. */
+
+uschar * smtp_names[] =
+  {
+  US"NONE", US"AUTH", US"DATA", US"BDAT", US"EHLO", US"ETRN", US"EXPN",
+  US"HELO", US"HELP", US"MAIL", US"NOOP", US"QUIT", US"RCPT", US"RSET",
+  US"STARTTLS", US"VRFY" };
+
+static uschar *protocols_local[] = {
+  US"local-smtp",        /* HELO */
+  US"local-smtps",       /* The rare case EHLO->STARTTLS->HELO */
+  US"local-esmtp",       /* EHLO */
+  US"local-esmtps",      /* EHLO->STARTTLS->EHLO */
+  US"local-esmtpa",      /* EHLO->AUTH */
+  US"local-esmtpsa"      /* EHLO->STARTTLS->EHLO->AUTH */
+  };
+static uschar *protocols[] = {
+  US"smtp",              /* HELO */
+  US"smtps",             /* The rare case EHLO->STARTTLS->HELO */
+  US"esmtp",             /* EHLO */
+  US"esmtps",            /* EHLO->STARTTLS->EHLO */
+  US"esmtpa",            /* EHLO->AUTH */
+  US"esmtpsa"            /* EHLO->STARTTLS->EHLO->AUTH */
+  };
+
+#define pnormal  0
+#define pextend  2
+#define pcrpted  1  /* added to pextend or pnormal */
+#define pauthed  2  /* added to pextend */
+
+/* Sanity check and validate optional args to MAIL FROM: envelope */
+enum {
+  ENV_MAIL_OPT_NULL,
+  ENV_MAIL_OPT_SIZE, ENV_MAIL_OPT_BODY, ENV_MAIL_OPT_AUTH,
+#ifndef DISABLE_PRDR
+  ENV_MAIL_OPT_PRDR,
+#endif
+  ENV_MAIL_OPT_RET, ENV_MAIL_OPT_ENVID,
+#ifdef SUPPORT_I18N
+  ENV_MAIL_OPT_UTF8,
+#endif
+  };
+typedef struct {
+  uschar *   name;  /* option requested during MAIL cmd */
+  int       value;  /* enum type */
+  BOOL need_value;  /* TRUE requires value (name=value pair format)
+                       FALSE is a singleton */
+  } env_mail_type_t;
+static env_mail_type_t env_mail_type_list[] = {
+    { US"SIZE",   ENV_MAIL_OPT_SIZE,   TRUE  },
+    { US"BODY",   ENV_MAIL_OPT_BODY,   TRUE  },
+    { US"AUTH",   ENV_MAIL_OPT_AUTH,   TRUE  },
+#ifndef DISABLE_PRDR
+    { US"PRDR",   ENV_MAIL_OPT_PRDR,   FALSE },
+#endif
+    { US"RET",    ENV_MAIL_OPT_RET,    TRUE },
+    { US"ENVID",  ENV_MAIL_OPT_ENVID,  TRUE },
+#ifdef SUPPORT_I18N
+    { US"SMTPUTF8",ENV_MAIL_OPT_UTF8,  FALSE },		/* rfc6531 */
+#endif
+    /* keep this the last entry */
+    { US"NULL",   ENV_MAIL_OPT_NULL,   FALSE },
+  };
+
+/* When reading SMTP from a remote host, we have to use our own versions of the
+C input-reading functions, in order to be able to flush the SMTP output only
+when about to read more data from the socket. This is the only way to get
+optimal performance when the client is using pipelining. Flushing for every
+command causes a separate packet and reply packet each time; saving all the
+responses up (when pipelining) combines them into one packet and one response.
+
+For simplicity, these functions are used for *all* SMTP input, not only when
+receiving over a socket. However, after setting up a secure socket (SSL), input
+is read via the OpenSSL library, and another set of functions is used instead
+(see tls.c).
+
+These functions are set in the receive_getc etc. variables and called with the
+same interface as the C functions. However, since there can only ever be
+one incoming SMTP call, we just use a single buffer and flags. There is no need
+to implement a complicated private FILE-like structure.*/
+
+static uschar *smtp_inbuffer;
+static uschar *smtp_inptr;
+static uschar *smtp_inend;
+static int     smtp_had_eof;
+static int     smtp_had_error;
+
+
+/* forward declarations */
+static int smtp_read_command(BOOL check_sync, unsigned buffer_lim);
+static int synprot_error(int type, int code, uschar *data, uschar *errmess);
+static void smtp_quit_handler(uschar **, uschar **);
+static void smtp_rset_handler(void);
+
+/*************************************************
+*          Log incomplete transactions           *
+*************************************************/
+
+/* This function is called after a transaction has been aborted by RSET, QUIT,
+connection drops or other errors. It logs the envelope information received
+so far in order to preserve address verification attempts.
+
+Argument:   string to indicate what aborted the transaction
+Returns:    nothing
+*/
+
+static void
+incomplete_transaction_log(uschar *what)
+{
+if (!sender_address				/* No transaction in progress */
+   || !LOGGING(smtp_incomplete_transaction))
+  return;
+
+/* Build list of recipients for logging */
+
+if (recipients_count > 0)
+  {
+  raw_recipients = store_get(recipients_count * sizeof(uschar *), GET_UNTAINTED);
+  for (int i = 0; i < recipients_count; i++)
+    raw_recipients[i] = recipients_list[i].address;
+  raw_recipients_count = recipients_count;
+  }
+
+log_write(L_smtp_incomplete_transaction, LOG_MAIN|LOG_SENDER|LOG_RECIPIENTS,
+  "%s incomplete transaction (%s)", host_and_ident(TRUE), what);
+}
+
+
+
+
+void
+smtp_command_timeout_exit(void)
+{
+log_write(L_lost_incoming_connection,
+	  LOG_MAIN, "SMTP command timeout on%s connection from %s",
+	  tls_in.active.sock >= 0 ? " TLS" : "", host_and_ident(FALSE));
+if (smtp_batched_input)
+  moan_smtp_batch(NULL, "421 SMTP command timeout"); /* Does not return */
+smtp_notquit_exit(US"command-timeout", US"421",
+  US"%s: SMTP command timeout - closing connection",
+  smtp_active_hostname);
+exim_exit(EXIT_FAILURE);
+}
+
+void
+smtp_command_sigterm_exit(void)
+{
+log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info());
+if (smtp_batched_input)
+  moan_smtp_batch(NULL, "421 SIGTERM received");  /* Does not return */
+smtp_notquit_exit(US"signal-exit", US"421",
+  US"%s: Service not available - closing connection", smtp_active_hostname);
+exim_exit(EXIT_FAILURE);
+}
+
+void
+smtp_data_timeout_exit(void)
+{
+log_write(L_lost_incoming_connection,
+  LOG_MAIN, "SMTP data timeout (message abandoned) on connection from %s F=<%s>",
+  sender_fullhost ? sender_fullhost : US"local process", sender_address);
+receive_bomb_out(US"data-timeout", US"SMTP incoming data timeout");
+/* Does not return */
+}
+
+void
+smtp_data_sigint_exit(void)
+{
+log_write(0, LOG_MAIN, "%s closed after %s",
+  smtp_get_connection_info(), had_data_sigint == SIGTERM ? "SIGTERM":"SIGINT");
+receive_bomb_out(US"signal-exit",
+  US"Service not available - SIGTERM or SIGINT received");
+/* Does not return */
+}
+
+
+/******************************************************************************/
+/* SMTP input buffer handling.  Most of these are similar to stdio routines.  */
+
+static void
+smtp_buf_init(void)
+{
+/* Set up the buffer for inputting using direct read() calls, and arrange to
+call the local functions instead of the standard C ones.  Place a NUL at the
+end of the buffer to safety-stop C-string reads from it. */
+
+if (!(smtp_inbuffer = US malloc(IN_BUFFER_SIZE)))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "malloc() failed for SMTP input buffer");
+smtp_inbuffer[IN_BUFFER_SIZE-1] = '\0';
+
+smtp_inptr = smtp_inend = smtp_inbuffer;
+smtp_had_eof = smtp_had_error = 0;
+}
+
+
+
+/* Refill the buffer, and notify DKIM verification code.
+Return false for error or EOF.
+*/
+
+static BOOL
+smtp_refill(unsigned lim)
+{
+int rc, save_errno;
+
+if (!smtp_out) return FALSE;
+fflush(smtp_out);
+if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
+
+/* Limit amount read, so non-message data is not fed to DKIM.
+Take care to not touch the safety NUL at the end of the buffer. */
+
+rc = read(fileno(smtp_in), smtp_inbuffer, MIN(IN_BUFFER_SIZE-1, lim));
+save_errno = errno;
+if (smtp_receive_timeout > 0) ALARM_CLR(0);
+if (rc <= 0)
+  {
+  /* Must put the error text in fixed store, because this might be during
+  header reading, where it releases unused store above the header. */
+  if (rc < 0)
+    {
+    if (had_command_timeout)		/* set by signal handler */
+      smtp_command_timeout_exit();	/* does not return */
+    if (had_command_sigterm)
+      smtp_command_sigterm_exit();
+    if (had_data_timeout)
+      smtp_data_timeout_exit();
+    if (had_data_sigint)
+      smtp_data_sigint_exit();
+
+    smtp_had_error = save_errno;
+    smtp_read_error = string_copy_perm(
+      string_sprintf(" (error: %s)", strerror(save_errno)), FALSE);
+    }
+  else
+    smtp_had_eof = 1;
+  return FALSE;
+  }
+#ifndef DISABLE_DKIM
+dkim_exim_verify_feed(smtp_inbuffer, rc);
+#endif
+smtp_inend = smtp_inbuffer + rc;
+smtp_inptr = smtp_inbuffer;
+return TRUE;
+}
+
+
+/* Check if there is buffered data */
+
+BOOL
+smtp_hasc(void)
+{
+return smtp_inptr < smtp_inend;
+}
+
+/* SMTP version of getc()
+
+This gets the next byte from the SMTP input buffer. If the buffer is empty,
+it flushes the output, and refills the buffer, with a timeout. The signal
+handler is set appropriately by the calling function. This function is not used
+after a connection has negotiated itself into an TLS/SSL state.
+
+Arguments:  lim		Maximum amount to read/buffer
+Returns:    the next character or EOF
+*/
+
+int
+smtp_getc(unsigned lim)
+{
+if (!smtp_hasc() && !smtp_refill(lim)) return EOF;
+return *smtp_inptr++;
+}
+
+/* Get many bytes, refilling buffer if needed */
+
+uschar *
+smtp_getbuf(unsigned * len)
+{
+unsigned size;
+uschar * buf;
+
+if (!smtp_hasc() && !smtp_refill(*len))
+  { *len = 0; return NULL; }
+
+if ((size = smtp_inend - smtp_inptr) > *len) size = *len;
+buf = smtp_inptr;
+smtp_inptr += size;
+*len = size;
+return buf;
+}
+
+/* Copy buffered data to the dkim feed.
+Called, unless TLS, just before starting to read message headers. */
+
+void
+smtp_get_cache(unsigned lim)
+{
+#ifndef DISABLE_DKIM
+int n = smtp_inend - smtp_inptr;
+if (n > lim)
+  n = lim;
+if (n > 0)
+  dkim_exim_verify_feed(smtp_inptr, n);
+#endif
+}
+
+
+/* SMTP version of ungetc()
+Puts a character back in the input buffer. Only ever called once.
+
+Arguments:
+  ch           the character
+
+Returns:       the character
+*/
+
+int
+smtp_ungetc(int ch)
+{
+if (smtp_inptr <= smtp_inbuffer)	/* NB: NOT smtp_hasc() ! */
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in smtp_ungetc");
+
+*--smtp_inptr = ch;
+return ch;
+}
+
+
+/* SMTP version of feof()
+Tests for a previous EOF
+
+Arguments:     none
+Returns:       non-zero if the eof flag is set
+*/
+
+int
+smtp_feof(void)
+{
+return smtp_had_eof;
+}
+
+
+/* SMTP version of ferror()
+Tests for a previous read error, and returns with errno
+restored to what it was when the error was detected.
+
+Arguments:     none
+Returns:       non-zero if the error flag is set
+*/
+
+int
+smtp_ferror(void)
+{
+errno = smtp_had_error;
+return smtp_had_error;
+}
+
+
+/* Check if a getc will block or not */
+
+static BOOL
+smtp_could_getc(void)
+{
+int fd, rc;
+fd_set fds;
+struct timeval tzero = {.tv_sec = 0, .tv_usec = 0};
+
+if (smtp_inptr < smtp_inend)
+  return TRUE;
+
+fd = fileno(smtp_in);
+FD_ZERO(&fds);
+FD_SET(fd, &fds);
+rc = select(fd + 1, (SELECT_ARG2_TYPE *)&fds, NULL, NULL, &tzero);
+
+if (rc <= 0) return FALSE;     /* Not ready to read */
+rc = smtp_getc(GETC_BUFFER_UNLIMITED);
+if (rc < 0) return FALSE;      /* End of file or error */
+
+smtp_ungetc(rc);
+return TRUE;
+}
+
+
+/******************************************************************************/
+/*************************************************
+*          Recheck synchronization               *
+*************************************************/
+
+/* Synchronization checks can never be perfect because a packet may be on its
+way but not arrived when the check is done.  Normally, the checks happen when
+commands are read: Exim ensures that there is no more input in the input buffer.
+In normal cases, the response to the command will be fast, and there is no
+further check.
+
+However, for some commands an ACL is run, and that can include delays. In those
+cases, it is useful to do another check on the input just before sending the
+response. This also applies at the start of a connection. This function does
+that check by means of the select() function, as long as the facility is not
+disabled or inappropriate. A failure of select() is ignored.
+
+When there is unwanted input, we read it so that it appears in the log of the
+error.
+
+Arguments: none
+Returns:   TRUE if all is well; FALSE if there is input pending
+*/
+
+static BOOL
+wouldblock_reading(void)
+{
+#ifndef DISABLE_TLS
+if (tls_in.active.sock >= 0)
+ return !tls_could_getc();
+#endif
+
+return !smtp_could_getc();
+}
+
+static BOOL
+check_sync(void)
+{
+if (!smtp_enforce_sync || !sender_host_address || f.sender_host_notsocket)
+  return TRUE;
+
+return wouldblock_reading();
+}
+
+
+/******************************************************************************/
+/* Variants of the smtp_* input handling functions for use in CHUNKING mode */
+
+/* Forward declarations */
+static inline void bdat_push_receive_functions(void);
+static inline void bdat_pop_receive_functions(void);
+
+
+/* Get a byte from the smtp input, in CHUNKING mode.  Handle ack of the
+previous BDAT chunk and getting new ones when we run out.  Uses the
+underlying smtp_getc or tls_getc both for that and for getting the
+(buffered) data byte.  EOD signals (an expected) no further data.
+ERR signals a protocol error, and EOF a closed input stream.
+
+Called from read_bdat_smtp() in receive.c for the message body, but also
+by the headers read loop in receive_msg(); manipulates chunking_state
+to handle the BDAT command/response.
+Placed here due to the correlation with the above smtp_getc(), which it wraps,
+and also by the need to do smtp command/response handling.
+
+Arguments:  lim		(ignored)
+Returns:    the next character or ERR, EOD or EOF
+*/
+
+int
+bdat_getc(unsigned lim)
+{
+uschar * user_msg = NULL;
+uschar * log_msg;
+
+for(;;)
+  {
+#ifndef DISABLE_DKIM
+  unsigned dkim_save;
+#endif
+
+  if (chunking_data_left > 0)
+    return lwr_receive_getc(chunking_data_left--);
+
+  bdat_pop_receive_functions();
+#ifndef DISABLE_DKIM
+  dkim_save = dkim_collect_input;
+  dkim_collect_input = 0;
+#endif
+
+  /* Unless PIPELINING was offered, there should be no next command
+  until after we ack that chunk */
+
+  if (!f.smtp_in_pipelining_advertised && !check_sync())
+    {
+    unsigned n = smtp_inend - smtp_inptr;
+    if (n > 32) n = 32;
+
+    incomplete_transaction_log(US"sync failure");
+    log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol synchronization error "
+      "(next input sent too soon: pipelining was not advertised): "
+      "rejected \"%s\" %s next input=\"%s\"%s",
+      smtp_cmd_buffer, host_and_ident(TRUE),
+      string_printing(string_copyn(smtp_inptr, n)),
+      smtp_inend - smtp_inptr > n ? "..." : "");
+    (void) synprot_error(L_smtp_protocol_error, 554, NULL,
+      US"SMTP synchronization error");
+    goto repeat_until_rset;
+    }
+
+  /* If not the last, ack the received chunk.  The last response is delayed
+  until after the data ACL decides on it */
+
+  if (chunking_state == CHUNKING_LAST)
+    {
+#ifndef DISABLE_DKIM
+    dkim_collect_input = dkim_save;
+    dkim_exim_verify_feed(NULL, 0);	/* notify EOD */
+    dkim_collect_input = 0;
+#endif
+    return EOD;
+    }
+
+  smtp_printf("250 %u byte chunk received\r\n", FALSE, chunking_datasize);
+  chunking_state = CHUNKING_OFFERED;
+  DEBUG(D_receive) debug_printf("chunking state %d\n", (int)chunking_state);
+
+  /* Expect another BDAT cmd from input. RFC 3030 says nothing about
+  QUIT, RSET or NOOP but handling them seems obvious */
+
+next_cmd:
+  switch(smtp_read_command(TRUE, 1))
+    {
+    default:
+      (void) synprot_error(L_smtp_protocol_error, 503, NULL,
+	US"only BDAT permissible after non-LAST BDAT");
+
+  repeat_until_rset:
+      switch(smtp_read_command(TRUE, 1))
+	{
+	case QUIT_CMD:	smtp_quit_handler(&user_msg, &log_msg);	/*FALLTHROUGH */
+	case EOF_CMD:	return EOF;
+	case RSET_CMD:	smtp_rset_handler(); return ERR;
+	default:	if (synprot_error(L_smtp_protocol_error, 503, NULL,
+					  US"only RSET accepted now") > 0)
+			  return EOF;
+			goto repeat_until_rset;
+	}
+
+    case QUIT_CMD:
+      smtp_quit_handler(&user_msg, &log_msg);
+      /*FALLTHROUGH*/
+    case EOF_CMD:
+      return EOF;
+
+    case RSET_CMD:
+      smtp_rset_handler();
+      return ERR;
+
+    case NOOP_CMD:
+      HAD(SCH_NOOP);
+      smtp_printf("250 OK\r\n", FALSE);
+      goto next_cmd;
+
+    case BDAT_CMD:
+      {
+      int n;
+
+      if (sscanf(CS smtp_cmd_data, "%u %n", &chunking_datasize, &n) < 1)
+	{
+	(void) synprot_error(L_smtp_protocol_error, 501, NULL,
+	  US"missing size for BDAT command");
+	return ERR;
+	}
+      chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
+	? CHUNKING_LAST : CHUNKING_ACTIVE;
+      chunking_data_left = chunking_datasize;
+      DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
+				    (int)chunking_state, chunking_data_left);
+
+      if (chunking_datasize == 0)
+	if (chunking_state == CHUNKING_LAST)
+	  return EOD;
+	else
+	  {
+	  (void) synprot_error(L_smtp_protocol_error, 504, NULL,
+	    US"zero size for BDAT command");
+	  goto repeat_until_rset;
+	  }
+
+      bdat_push_receive_functions();
+#ifndef DISABLE_DKIM
+      dkim_collect_input = dkim_save;
+#endif
+      break;	/* to top of main loop */
+      }
+    }
+  }
+}
+
+BOOL
+bdat_hasc(void)
+{
+if (chunking_data_left > 0)
+  return lwr_receive_hasc();
+return TRUE;
+}
+
+uschar *
+bdat_getbuf(unsigned * len)
+{
+uschar * buf;
+
+if (chunking_data_left <= 0)
+  { *len = 0; return NULL; }
+
+if (*len > chunking_data_left) *len = chunking_data_left;
+buf = lwr_receive_getbuf(len);	/* Either smtp_getbuf or tls_getbuf */
+chunking_data_left -= *len;
+return buf;
+}
+
+void
+bdat_flush_data(void)
+{
+while (chunking_data_left)
+  {
+  unsigned n = chunking_data_left;
+  if (!bdat_getbuf(&n)) break;
+  }
+
+bdat_pop_receive_functions();
+chunking_state = CHUNKING_OFFERED;
+DEBUG(D_receive) debug_printf("chunking state %d\n", (int)chunking_state);
+}
+
+
+static inline void
+bdat_push_receive_functions(void)
+{
+/* push the current receive_* function on the "stack", and
+replace them by bdat_getc(), which in turn will use the lwr_receive_*
+functions to do the dirty work. */
+if (!lwr_receive_getc)
+  {
+  lwr_receive_getc = receive_getc;
+  lwr_receive_getbuf = receive_getbuf;
+  lwr_receive_hasc = receive_hasc;
+  lwr_receive_ungetc = receive_ungetc;
+  }
+else
+  {
+  DEBUG(D_receive) debug_printf("chunking double-push receive functions\n");
+  }
+
+receive_getc = bdat_getc;
+receive_getbuf = bdat_getbuf;
+receive_hasc = bdat_hasc;
+receive_ungetc = bdat_ungetc;
+}
+
+static inline void
+bdat_pop_receive_functions(void)
+{
+if (!lwr_receive_getc)
+  {
+  DEBUG(D_receive) debug_printf("chunking double-pop receive functions\n");
+  return;
+  }
+receive_getc = lwr_receive_getc;
+receive_getbuf = lwr_receive_getbuf;
+receive_hasc = lwr_receive_hasc;
+receive_ungetc = lwr_receive_ungetc;
+
+lwr_receive_getc = NULL;
+lwr_receive_getbuf = NULL;
+lwr_receive_hasc = NULL;
+lwr_receive_ungetc = NULL;
+}
+
+int
+bdat_ungetc(int ch)
+{
+chunking_data_left++;
+bdat_push_receive_functions();  /* we're not done yet, calling push is safe, because it checks the state before pushing anything */
+return lwr_receive_ungetc(ch);
+}
+
+
+
+/******************************************************************************/
+
+/*************************************************
+*     Write formatted string to SMTP channel     *
+*************************************************/
+
+/* This is a separate function so that we don't have to repeat everything for
+TLS support or debugging. It is global so that the daemon and the
+authentication functions can use it. It does not return any error indication,
+because major problems such as dropped connections won't show up till an output
+flush for non-TLS connections. The smtp_fflush() function is available for
+checking that: for convenience, TLS output errors are remembered here so that
+they are also picked up later by smtp_fflush().
+
+This function is exposed to the local_scan API; do not change the signature.
+
+Arguments:
+  format      format string
+  more	      further data expected
+  ...         optional arguments
+
+Returns:      nothing
+*/
+
+void
+smtp_printf(const char *format, BOOL more, ...)
+{
+va_list ap;
+
+va_start(ap, more);
+smtp_vprintf(format, more, ap);
+va_end(ap);
+}
+
+/* This is split off so that verify.c:respond_printf() can, in effect, call
+smtp_printf(), bearing in mind that in C a vararg function can't directly
+call another vararg function, only a function which accepts a va_list.
+
+This function is exposed to the local_scan API; do not change the signature.
+*/
+/*XXX consider passing caller-info in, for string_vformat-onward */
+
+void
+smtp_vprintf(const char *format, BOOL more, va_list ap)
+{
+gstring gs = { .size = big_buffer_size, .ptr = 0, .s = big_buffer };
+BOOL yield;
+
+/* Use taint-unchecked routines for writing into big_buffer, trusting
+that we'll never expand it. */
+
+yield = !! string_vformat(&gs, SVFMT_TAINT_NOCHK, format, ap);
+string_from_gstring(&gs);
+
+DEBUG(D_receive) for (const uschar * t, * s = gs.s;
+		      s && (t = Ustrchr(s, '\r'));
+		      s = t + 2)				/* \r\n */
+    debug_printf("%s %.*s\n",
+		  s == gs.s ? "SMTP>>" : "      ",
+		  (int)(t - s), s);
+
+if (!yield)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_printf()");
+  smtp_closedown(US"Unexpected error");
+  exim_exit(EXIT_FAILURE);
+  }
+
+/* If this is the first output for a (non-batch) RCPT command, see if all RCPTs
+have had the same. Note: this code is also present in smtp_respond(). It would
+be tidier to have it only in one place, but when it was added, it was easier to
+do it that way, so as not to have to mess with the code for the RCPT command,
+which sometimes uses smtp_printf() and sometimes smtp_respond(). */
+
+if (fl.rcpt_in_progress)
+  {
+  if (!rcpt_smtp_response)
+    rcpt_smtp_response = string_copy(big_buffer);
+  else if (fl.rcpt_smtp_response_same &&
+           Ustrcmp(rcpt_smtp_response, big_buffer) != 0)
+    fl.rcpt_smtp_response_same = FALSE;
+  fl.rcpt_in_progress = FALSE;
+  }
+
+/* Now write the string */
+
+if (
+#ifndef DISABLE_TLS
+    tls_in.active.sock >= 0 ? (tls_write(NULL, gs.s, gs.ptr, more) < 0) :
+#endif
+    (fwrite(gs.s, gs.ptr, 1, smtp_out) == 0)
+   )
+    smtp_write_error = -1;
+}
+
+
+
+/*************************************************
+*        Flush SMTP out and check for error      *
+*************************************************/
+
+/* This function isn't currently used within Exim (it detects errors when it
+tries to read the next SMTP input), but is available for use in local_scan().
+It flushes the output and checks for errors.
+
+Arguments:  none
+Returns:    0 for no error; -1 after an error
+*/
+
+int
+smtp_fflush(void)
+{
+if (tls_in.active.sock < 0 && fflush(smtp_out) != 0) smtp_write_error = -1;
+
+if (
+#ifndef DISABLE_TLS
+    tls_in.active.sock >= 0 ? (tls_write(NULL, NULL, 0, FALSE) < 0) :
+#endif
+    (fflush(smtp_out) != 0)
+   )
+    smtp_write_error = -1;
+
+return smtp_write_error;
+}
+
+
+
+/* If there's input waiting (and we're doing pipelineing) then we can pipeline
+a reponse with the one following. */
+
+static BOOL
+pipeline_response(void)
+{
+if (  !smtp_enforce_sync || !sender_host_address
+   || f.sender_host_notsocket || !f.smtp_in_pipelining_advertised)
+  return FALSE;
+
+if (wouldblock_reading()) return FALSE;
+f.smtp_in_pipelining_used = TRUE;
+return TRUE;
+}
+
+
+#ifndef DISABLE_PIPE_CONNECT
+static BOOL
+pipeline_connect_sends(void)
+{
+if (!sender_host_address || f.sender_host_notsocket || !fl.pipe_connect_acceptable)
+  return FALSE;
+
+if (wouldblock_reading()) return FALSE;
+f.smtp_in_early_pipe_used = TRUE;
+return TRUE;
+}
+#endif
+
+/*************************************************
+*          SMTP command read timeout             *
+*************************************************/
+
+/* Signal handler for timing out incoming SMTP commands. This attempts to
+finish off tidily.
+
+Argument: signal number (SIGALRM)
+Returns:  nothing
+*/
+
+static void
+command_timeout_handler(int sig)
+{
+had_command_timeout = sig;
+}
+
+
+
+/*************************************************
+*               SIGTERM received                 *
+*************************************************/
+
+/* Signal handler for handling SIGTERM. Again, try to finish tidily.
+
+Argument: signal number (SIGTERM)
+Returns:  nothing
+*/
+
+static void
+command_sigterm_handler(int sig)
+{
+had_command_sigterm = sig;
+}
+
+
+
+
+#ifdef SUPPORT_PROXY
+/*************************************************
+*       Check if host is required proxy host     *
+*************************************************/
+/* The function determines if inbound host will be a regular smtp host
+or if it is configured that it must use Proxy Protocol.  A local
+connection cannot.
+
+Arguments: none
+Returns:   bool
+*/
+
+static BOOL
+check_proxy_protocol_host()
+{
+int rc;
+
+if (  sender_host_address
+   && (rc = verify_check_this_host(CUSS &hosts_proxy, NULL, NULL,
+                           sender_host_address, NULL)) == OK)
+  {
+  DEBUG(D_receive)
+    debug_printf("Detected proxy protocol configured host\n");
+  proxy_session = TRUE;
+  }
+return proxy_session;
+}
+
+
+/*************************************************
+*    Read data until newline or end of buffer    *
+*************************************************/
+/* While SMTP is server-speaks-first, TLS is client-speaks-first, so we can't
+read an entire buffer and assume there will be nothing past a proxy protocol
+header.  Our approach normally is to use stdio, but again that relies upon
+"STARTTLS\r\n" and a server response before the client starts TLS handshake, or
+reading _nothing_ before client TLS handshake.  So we don't want to use the
+usual buffering reads which may read enough to block TLS starting.
+
+So unfortunately we're down to "read one byte at a time, with a syscall each,
+and expect a little overhead", for all proxy-opened connections which are v1,
+just to handle the TLS-on-connect case.  Since SSL functions wrap the
+underlying fd, we can't assume that we can feed them any already-read content.
+
+We need to know where to read to, the max capacity, and we'll read until we
+get a CR and one more character.  Let the caller scream if it's CR+!LF.
+
+Return the amount read.
+*/
+
+static int
+swallow_until_crlf(int fd, uschar *base, int already, int capacity)
+{
+uschar *to = base + already;
+uschar *cr;
+int have = 0;
+int ret;
+int last = 0;
+
+/* For "PROXY UNKNOWN\r\n" we, at time of writing, expect to have read
+up through the \r; for the _normal_ case, we haven't yet seen the \r. */
+
+cr = memchr(base, '\r', already);
+if (cr != NULL)
+  {
+  if ((cr - base) < already - 1)
+    {
+    /* \r and presumed \n already within what we have; probably not
+    actually proxy protocol, but abort cleanly. */
+    return 0;
+    }
+  /* \r is last character read, just need one more. */
+  last = 1;
+  }
+
+while (capacity > 0)
+  {
+  do { ret = read(fd, to, 1); } while (ret == -1 && errno == EINTR && !had_command_timeout);
+  if (ret == -1)
+    return -1;
+  have++;
+  if (last)
+    return have;
+  if (*to == '\r')
+    last = 1;
+  capacity--;
+  to++;
+  }
+
+/* reached end without having room for a final newline, abort */
+errno = EOVERFLOW;
+return -1;
+}
+
+/*************************************************
+*         Setup host for proxy protocol          *
+*************************************************/
+/* The function configures the connection based on a header from the
+inbound host to use Proxy Protocol. The specification is very exact
+so exit with an error if do not find the exact required pieces. This
+includes an incorrect number of spaces separating args.
+
+Arguments: none
+Returns:   Boolean success
+*/
+
+static void
+setup_proxy_protocol_host()
+{
+union {
+  struct {
+    uschar line[108];
+  } v1;
+  struct {
+    uschar sig[12];
+    uint8_t ver_cmd;
+    uint8_t fam;
+    uint16_t len;
+    union {
+      struct { /* TCP/UDP over IPv4, len = 12 */
+        uint32_t src_addr;
+        uint32_t dst_addr;
+        uint16_t src_port;
+        uint16_t dst_port;
+      } ip4;
+      struct { /* TCP/UDP over IPv6, len = 36 */
+        uint8_t  src_addr[16];
+        uint8_t  dst_addr[16];
+        uint16_t src_port;
+        uint16_t dst_port;
+      } ip6;
+      struct { /* AF_UNIX sockets, len = 216 */
+        uschar   src_addr[108];
+        uschar   dst_addr[108];
+      } unx;
+    } addr;
+  } v2;
+} hdr;
+
+/* Temp variables used in PPv2 address:port parsing */
+uint16_t tmpport;
+char tmpip[INET_ADDRSTRLEN];
+struct sockaddr_in tmpaddr;
+char tmpip6[INET6_ADDRSTRLEN];
+struct sockaddr_in6 tmpaddr6;
+
+/* We can't read "all data until end" because while SMTP is
+server-speaks-first, the TLS handshake is client-speaks-first, so for
+TLS-on-connect ports the proxy protocol header will usually be immediately
+followed by a TLS handshake, and with N TLS libraries, we can't reliably
+reinject data for reading by those.  So instead we first read "enough to be
+safely read within the header, and figure out how much more to read".
+For v1 we will later read to the end-of-line, for v2 we will read based upon
+the stated length.
+
+The v2 sig is 12 octets, and another 4 gets us the length, so we know how much
+data is needed total.  For v1, where the line looks like:
+PROXY TCPn L3src L3dest SrcPort DestPort \r\n
+
+However, for v1 there's also `PROXY UNKNOWN\r\n` which is only 15 octets.
+We seem to support that.  So, if we read 14 octets then we can tell if we're
+v2 or v1.  If we're v1, we can continue reading as normal.
+
+If we're v2, we can't slurp up the entire header.  We need the length in the
+15th & 16th octets, then to read everything after that.
+
+So to safely handle v1 and v2, with client-sent-first supported correctly,
+we have to do a minimum of 3 read calls, not 1.  Eww.
+*/
+
+#define PROXY_INITIAL_READ 14
+#define PROXY_V2_HEADER_SIZE 16
+#if PROXY_INITIAL_READ > PROXY_V2_HEADER_SIZE
+# error Code bug in sizes of data to read for proxy usage
+#endif
+
+int get_ok = 0;
+int size, ret;
+int fd = fileno(smtp_in);
+const char v2sig[12] = "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A";
+uschar * iptype;  /* To display debug info */
+socklen_t vslen = sizeof(struct timeval);
+BOOL yield = FALSE;
+
+os_non_restarting_signal(SIGALRM, command_timeout_handler);
+ALARM(proxy_protocol_timeout);
+
+do
+  {
+  /* The inbound host was declared to be a Proxy Protocol host, so
+  don't do a PEEK into the data, actually slurp up enough to be
+  "safe". Can't take it all because TLS-on-connect clients follow
+  immediately with TLS handshake. */
+  ret = read(fd, &hdr, PROXY_INITIAL_READ);
+  }
+  while (ret == -1 && errno == EINTR && !had_command_timeout);
+
+if (ret == -1)
+  goto proxyfail;
+
+/* For v2, handle reading the length, and then the rest. */
+if ((ret == PROXY_INITIAL_READ) && (memcmp(&hdr.v2, v2sig, sizeof(v2sig)) == 0))
+  {
+  int retmore;
+  uint8_t ver;
+
+  /* First get the length fields. */
+  do
+    {
+    retmore = read(fd, (uschar*)&hdr + ret, PROXY_V2_HEADER_SIZE - PROXY_INITIAL_READ);
+    } while (retmore == -1 && errno == EINTR && !had_command_timeout);
+  if (retmore == -1)
+    goto proxyfail;
+  ret += retmore;
+
+  ver = (hdr.v2.ver_cmd & 0xf0) >> 4;
+
+  /* May 2014: haproxy combined the version and command into one byte to
+  allow two full bytes for the length field in order to proxy SSL
+  connections.  SSL Proxy is not supported in this version of Exim, but
+  must still separate values here. */
+
+  if (ver != 0x02)
+    {
+    DEBUG(D_receive) debug_printf("Invalid Proxy Protocol version: %d\n", ver);
+    goto proxyfail;
+    }
+
+  /* The v2 header will always be 16 bytes per the spec. */
+  size = 16 + ntohs(hdr.v2.len);
+  DEBUG(D_receive) debug_printf("Detected PROXYv2 header, size %d (limit %d)\n",
+      size, (int)sizeof(hdr));
+
+  /* We should now have 16 octets (PROXY_V2_HEADER_SIZE), and we know the total
+  amount that we need.  Double-check that the size is not unreasonable, then
+  get the rest. */
+  if (size > sizeof(hdr))
+    {
+    DEBUG(D_receive) debug_printf("PROXYv2 header size unreasonably large; security attack?\n");
+    goto proxyfail;
+    }
+
+  do
+    {
+    do
+      {
+      retmore = read(fd, (uschar*)&hdr + ret, size-ret);
+      } while (retmore == -1 && errno == EINTR && !had_command_timeout);
+    if (retmore == -1)
+      goto proxyfail;
+    ret += retmore;
+    DEBUG(D_receive) debug_printf("PROXYv2: have %d/%d required octets\n", ret, size);
+    } while (ret < size);
+
+  } /* end scope for getting rest of data for v2 */
+
+/* At this point: if PROXYv2, we've read the exact size required for all data;
+if PROXYv1 then we've read "less than required for any valid line" and should
+read the rest". */
+
+if (ret >= 16 && memcmp(&hdr.v2, v2sig, 12) == 0)
+  {
+  uint8_t cmd = (hdr.v2.ver_cmd & 0x0f);
+
+  switch (cmd)
+    {
+    case 0x01: /* PROXY command */
+      switch (hdr.v2.fam)
+        {
+        case 0x11:  /* TCPv4 address type */
+          iptype = US"IPv4";
+          tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr;
+          inet_ntop(AF_INET, &tmpaddr.sin_addr, CS &tmpip, sizeof(tmpip));
+          if (!string_is_ip_address(US tmpip, NULL))
+            {
+            DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
+            goto proxyfail;
+            }
+          proxy_local_address = sender_host_address;
+          sender_host_address = string_copy(US tmpip);
+          tmpport             = ntohs(hdr.v2.addr.ip4.src_port);
+          proxy_local_port    = sender_host_port;
+          sender_host_port    = tmpport;
+          /* Save dest ip/port */
+          tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.dst_addr;
+          inet_ntop(AF_INET, &tmpaddr.sin_addr, CS &tmpip, sizeof(tmpip));
+          if (!string_is_ip_address(US tmpip, NULL))
+            {
+            DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
+            goto proxyfail;
+            }
+          proxy_external_address = string_copy(US tmpip);
+          tmpport              = ntohs(hdr.v2.addr.ip4.dst_port);
+          proxy_external_port  = tmpport;
+          goto done;
+        case 0x21:  /* TCPv6 address type */
+          iptype = US"IPv6";
+          memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16);
+          inet_ntop(AF_INET6, &tmpaddr6.sin6_addr, CS &tmpip6, sizeof(tmpip6));
+          if (!string_is_ip_address(US tmpip6, NULL))
+            {
+            DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
+            goto proxyfail;
+            }
+          proxy_local_address = sender_host_address;
+          sender_host_address = string_copy(US tmpip6);
+          tmpport             = ntohs(hdr.v2.addr.ip6.src_port);
+          proxy_local_port    = sender_host_port;
+          sender_host_port    = tmpport;
+          /* Save dest ip/port */
+          memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.dst_addr, 16);
+          inet_ntop(AF_INET6, &tmpaddr6.sin6_addr, CS &tmpip6, sizeof(tmpip6));
+          if (!string_is_ip_address(US tmpip6, NULL))
+            {
+            DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
+            goto proxyfail;
+            }
+          proxy_external_address = string_copy(US tmpip6);
+          tmpport              = ntohs(hdr.v2.addr.ip6.dst_port);
+          proxy_external_port  = tmpport;
+          goto done;
+        default:
+          DEBUG(D_receive)
+            debug_printf("Unsupported PROXYv2 connection type: 0x%02x\n",
+                         hdr.v2.fam);
+          goto proxyfail;
+        }
+      /* Unsupported protocol, keep local connection address */
+      break;
+    case 0x00: /* LOCAL command */
+      /* Keep local connection address for LOCAL */
+      iptype = US"local";
+      break;
+    default:
+      DEBUG(D_receive)
+        debug_printf("Unsupported PROXYv2 command: 0x%x\n", cmd);
+      goto proxyfail;
+    }
+  }
+else if (ret >= 8 && memcmp(hdr.v1.line, "PROXY", 5) == 0)
+  {
+  uschar *p;
+  uschar *end;
+  uschar *sp;     /* Utility variables follow */
+  int     tmp_port;
+  int     r2;
+  char   *endc;
+
+  /* get the rest of the line */
+  r2 = swallow_until_crlf(fd, (uschar*)&hdr, ret, sizeof(hdr)-ret);
+  if (r2 == -1)
+    goto proxyfail;
+  ret += r2;
+
+  p = string_copy(hdr.v1.line);
+  end = memchr(p, '\r', ret - 1);
+
+  if (!end || (end == (uschar*)&hdr + ret) || end[1] != '\n')
+    {
+    DEBUG(D_receive) debug_printf("Partial or invalid PROXY header\n");
+    goto proxyfail;
+    }
+  *end = '\0'; /* Terminate the string */
+  size = end + 2 - p; /* Skip header + CRLF */
+  DEBUG(D_receive) debug_printf("Detected PROXYv1 header\n");
+  DEBUG(D_receive) debug_printf("Bytes read not within PROXY header: %d\n", ret - size);
+  /* Step through the string looking for the required fields. Ensure
+  strict adherence to required formatting, exit for any error. */
+  p += 5;
+  if (!isspace(*(p++)))
+    {
+    DEBUG(D_receive) debug_printf("Missing space after PROXY command\n");
+    goto proxyfail;
+    }
+  if (!Ustrncmp(p, CCS"TCP4", 4))
+    iptype = US"IPv4";
+  else if (!Ustrncmp(p,CCS"TCP6", 4))
+    iptype = US"IPv6";
+  else if (!Ustrncmp(p,CCS"UNKNOWN", 7))
+    {
+    iptype = US"Unknown";
+    goto done;
+    }
+  else
+    {
+    DEBUG(D_receive) debug_printf("Invalid TCP type\n");
+    goto proxyfail;
+    }
+
+  p += Ustrlen(iptype);
+  if (!isspace(*(p++)))
+    {
+    DEBUG(D_receive) debug_printf("Missing space after TCP4/6 command\n");
+    goto proxyfail;
+    }
+  /* Find the end of the arg */
+  if ((sp = Ustrchr(p, ' ')) == NULL)
+    {
+    DEBUG(D_receive)
+      debug_printf("Did not find proxied src %s\n", iptype);
+    goto proxyfail;
+    }
+  *sp = '\0';
+  if(!string_is_ip_address(p, NULL))
+    {
+    DEBUG(D_receive)
+      debug_printf("Proxied src arg is not an %s address\n", iptype);
+    goto proxyfail;
+    }
+  proxy_local_address = sender_host_address;
+  sender_host_address = p;
+  p = sp + 1;
+  if ((sp = Ustrchr(p, ' ')) == NULL)
+    {
+    DEBUG(D_receive)
+      debug_printf("Did not find proxy dest %s\n", iptype);
+    goto proxyfail;
+    }
+  *sp = '\0';
+  if(!string_is_ip_address(p, NULL))
+    {
+    DEBUG(D_receive)
+      debug_printf("Proxy dest arg is not an %s address\n", iptype);
+    goto proxyfail;
+    }
+  proxy_external_address = p;
+  p = sp + 1;
+  if ((sp = Ustrchr(p, ' ')) == NULL)
+    {
+    DEBUG(D_receive) debug_printf("Did not find proxied src port\n");
+    goto proxyfail;
+    }
+  *sp = '\0';
+  tmp_port = strtol(CCS p, &endc, 10);
+  if (*endc || tmp_port == 0)
+    {
+    DEBUG(D_receive)
+      debug_printf("Proxied src port '%s' not an integer\n", p);
+    goto proxyfail;
+    }
+  proxy_local_port = sender_host_port;
+  sender_host_port = tmp_port;
+  p = sp + 1;
+  if ((sp = Ustrchr(p, '\0')) == NULL)
+    {
+    DEBUG(D_receive) debug_printf("Did not find proxy dest port\n");
+    goto proxyfail;
+    }
+  tmp_port = strtol(CCS p, &endc, 10);
+  if (*endc || tmp_port == 0)
+    {
+    DEBUG(D_receive)
+      debug_printf("Proxy dest port '%s' not an integer\n", p);
+    goto proxyfail;
+    }
+  proxy_external_port = tmp_port;
+  /* Already checked for /r /n above. Good V1 header received. */
+  }
+else
+  {
+  /* Wrong protocol */
+  DEBUG(D_receive) debug_printf("Invalid proxy protocol version negotiation\n");
+  (void) swallow_until_crlf(fd, (uschar*)&hdr, ret, sizeof(hdr)-ret);
+  goto proxyfail;
+  }
+
+done:
+  DEBUG(D_receive)
+    debug_printf("Valid %s sender from Proxy Protocol header\n", iptype);
+  yield = proxy_session;
+
+/* Don't flush any potential buffer contents. Any input on proxyfail
+should cause a synchronization failure */
+
+proxyfail:
+  DEBUG(D_receive) if (had_command_timeout)
+    debug_printf("Timeout while reading proxy header\n");
+
+bad:
+  if (yield)
+    {
+    sender_host_name = NULL;
+    (void) host_name_lookup();
+    host_build_sender_fullhost();
+    }
+  else
+    {
+    f.proxy_session_failed = TRUE;
+    DEBUG(D_receive)
+      debug_printf("Failure to extract proxied host, only QUIT allowed\n");
+    }
+
+ALARM(0);
+return;
+}
+#endif
+
+/*************************************************
+*           Read one command line                *
+*************************************************/
+
+/* Strictly, SMTP commands coming over the net are supposed to end with CRLF.
+There are sites that don't do this, and in any case internal SMTP probably
+should check only for LF. Consequently, we check here for LF only. The line
+ends up with [CR]LF removed from its end. If we get an overlong line, treat as
+an unknown command. The command is read into the global smtp_cmd_buffer so that
+it is available via $smtp_command.
+
+The character reading routine sets up a timeout for each block actually read
+from the input (which may contain more than one command). We set up a special
+signal handler that closes down the session on a timeout. Control does not
+return when it runs.
+
+Arguments:
+  check_sync	if TRUE, check synchronization rules if global option is TRUE
+  buffer_lim	maximum to buffer in lower layer
+
+Returns:       a code identifying the command (enumerated above)
+*/
+
+static int
+smtp_read_command(BOOL check_sync, unsigned buffer_lim)
+{
+int c;
+int ptr = 0;
+BOOL hadnull = FALSE;
+
+had_command_timeout = 0;
+os_non_restarting_signal(SIGALRM, command_timeout_handler);
+
+while ((c = (receive_getc)(buffer_lim)) != '\n' && c != EOF)
+  {
+  if (ptr >= SMTP_CMD_BUFFER_SIZE)
+    {
+    os_non_restarting_signal(SIGALRM, sigalrm_handler);
+    return OTHER_CMD;
+    }
+  if (c == 0)
+    {
+    hadnull = TRUE;
+    c = '?';
+    }
+  smtp_cmd_buffer[ptr++] = c;
+  }
+
+receive_linecount++;    /* For BSMTP errors */
+os_non_restarting_signal(SIGALRM, sigalrm_handler);
+
+/* If hit end of file, return pseudo EOF command. Whether we have a
+part-line already read doesn't matter, since this is an error state. */
+
+if (c == EOF) return EOF_CMD;
+
+/* Remove any CR and white space at the end of the line, and terminate the
+string. */
+
+while (ptr > 0 && isspace(smtp_cmd_buffer[ptr-1])) ptr--;
+smtp_cmd_buffer[ptr] = 0;
+
+DEBUG(D_receive) debug_printf("SMTP<< %s\n", smtp_cmd_buffer);
+
+/* NULLs are not allowed in SMTP commands */
+
+if (hadnull) return BADCHAR_CMD;
+
+/* Scan command list and return identity, having set the data pointer
+to the start of the actual data characters. Check for SMTP synchronization
+if required. */
+
+for (smtp_cmd_list * p = cmd_list; p < cmd_list_end; p++)
+  {
+#ifdef SUPPORT_PROXY
+  /* Only allow QUIT command if Proxy Protocol parsing failed */
+  if (proxy_session && f.proxy_session_failed && p->cmd != QUIT_CMD)
+    continue;
+#endif
+  if (  p->len
+     && strncmpic(smtp_cmd_buffer, US p->name, p->len) == 0
+     && (  smtp_cmd_buffer[p->len-1] == ':'    /* "mail from:" or "rcpt to:" */
+        || smtp_cmd_buffer[p->len] == 0
+	|| smtp_cmd_buffer[p->len] == ' '
+     )  )
+    {
+    if (   smtp_inptr < smtp_inend		/* Outstanding input */
+       &&  p->cmd < sync_cmd_limit		/* Command should sync */
+       &&  check_sync				/* Local flag set */
+       &&  smtp_enforce_sync			/* Global flag set */
+       &&  sender_host_address != NULL		/* Not local input */
+       &&  !f.sender_host_notsocket		/* Really is a socket */
+       )
+      return BADSYN_CMD;
+
+    /* The variables $smtp_command and $smtp_command_argument point into the
+    unmodified input buffer. A copy of the latter is taken for actual
+    processing, so that it can be chopped up into separate parts if necessary,
+    for example, when processing a MAIL command options such as SIZE that can
+    follow the sender address. */
+
+    smtp_cmd_argument = smtp_cmd_buffer + p->len;
+    while (isspace(*smtp_cmd_argument)) smtp_cmd_argument++;
+    Ustrcpy(smtp_data_buffer, smtp_cmd_argument);
+    smtp_cmd_data = smtp_data_buffer;
+
+    /* Count non-mail commands from those hosts that are controlled in this
+    way. The default is all hosts. We don't waste effort checking the list
+    until we get a non-mail command, but then cache the result to save checking
+    again. If there's a DEFER while checking the host, assume it's in the list.
+
+    Note that one instance of RSET, EHLO/HELO, and STARTTLS is allowed at the
+    start of each incoming message by fiddling with the value in the table. */
+
+    if (!p->is_mail_cmd)
+      {
+      if (count_nonmail == TRUE_UNSET) count_nonmail =
+        verify_check_host(&smtp_accept_max_nonmail_hosts) != FAIL;
+      if (count_nonmail && ++nonmail_command_count > smtp_accept_max_nonmail)
+        return TOO_MANY_NONMAIL_CMD;
+      }
+
+    /* If there is data for a command that does not expect it, generate the
+    error here. */
+
+    return (p->has_arg || *smtp_cmd_data == 0)? p->cmd : BADARG_CMD;
+    }
+  }
+
+#ifdef SUPPORT_PROXY
+/* Only allow QUIT command if Proxy Protocol parsing failed */
+if (proxy_session && f.proxy_session_failed)
+  return PROXY_FAIL_IGNORE_CMD;
+#endif
+
+/* Enforce synchronization for unknown commands */
+
+if (  smtp_inptr < smtp_inend		/* Outstanding input */
+   && check_sync			/* Local flag set */
+   && smtp_enforce_sync			/* Global flag set */
+   && sender_host_address		/* Not local input */
+   && !f.sender_host_notsocket		/* Really is a socket */
+   )
+  return BADSYN_CMD;
+
+return OTHER_CMD;
+}
+
+
+
+/*************************************************
+*          Forced closedown of call              *
+*************************************************/
+
+/* This function is called from log.c when Exim is dying because of a serious
+disaster, and also from some other places. If an incoming non-batched SMTP
+channel is open, it swallows the rest of the incoming message if in the DATA
+phase, sends the reply string, and gives an error to all subsequent commands
+except QUIT. The existence of an SMTP call is detected by the non-NULLness of
+smtp_in.
+
+Arguments:
+  message   SMTP reply string to send, excluding the code
+
+Returns:    nothing
+*/
+
+void
+smtp_closedown(uschar * message)
+{
+if (!smtp_in || smtp_batched_input) return;
+receive_swallow_smtp();
+smtp_printf("421 %s\r\n", FALSE, message);
+
+for (;;) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
+  {
+  case EOF_CMD:
+    return;
+
+  case QUIT_CMD:
+    f.smtp_in_quit = TRUE;
+    smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname);
+    mac_smtp_fflush();
+    return;
+
+  case RSET_CMD:
+    smtp_printf("250 Reset OK\r\n", FALSE);
+    break;
+
+  default:
+    smtp_printf("421 %s\r\n", FALSE, message);
+    break;
+  }
+}
+
+
+
+
+/*************************************************
+*        Set up connection info for logging      *
+*************************************************/
+
+/* This function is called when logging information about an SMTP connection.
+It sets up appropriate source information, depending on the type of connection.
+If sender_fullhost is NULL, we are at a very early stage of the connection;
+just use the IP address.
+
+Argument:    none
+Returns:     a string describing the connection
+*/
+
+uschar *
+smtp_get_connection_info(void)
+{
+const uschar * hostname = sender_fullhost
+  ? sender_fullhost : sender_host_address;
+
+if (host_checking)
+  return string_sprintf("SMTP connection from %s", hostname);
+
+if (f.sender_host_unknown || f.sender_host_notsocket)
+  return string_sprintf("SMTP connection from %s", sender_ident);
+
+if (f.is_inetd)
+  return string_sprintf("SMTP connection from %s (via inetd)", hostname);
+
+if (LOGGING(incoming_interface) && interface_address)
+  return string_sprintf("SMTP connection from %s I=[%s]:%d", hostname,
+    interface_address, interface_port);
+
+return string_sprintf("SMTP connection from %s", hostname);
+}
+
+
+
+#ifndef DISABLE_TLS
+/* Append TLS-related information to a log line
+
+Arguments:
+  g		String under construction: allocated string to extend, or NULL
+
+Returns:	Allocated string or NULL
+*/
+static gstring *
+s_tlslog(gstring * g)
+{
+if (LOGGING(tls_cipher) && tls_in.cipher)
+  {
+  g = string_append(g, 2, US" X=", tls_in.cipher);
+#ifndef DISABLE_TLS_RESUME
+  if (LOGGING(tls_resumption) && tls_in.resumption & RESUME_USED)
+    g = string_catn(g, US"*", 1);
+#endif
+  }
+if (LOGGING(tls_certificate_verified) && tls_in.cipher)
+  g = string_append(g, 2, US" CV=", tls_in.certificate_verified? "yes":"no");
+if (LOGGING(tls_peerdn) && tls_in.peerdn)
+  g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\"");
+if (LOGGING(tls_sni) && tls_in.sni)
+  g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE));
+return g;
+}
+#endif
+
+
+
+static gstring *
+s_connhad_log(gstring * g)
+{
+const uschar * sep = smtp_connection_had[SMTP_HBUFF_SIZE-1] != SCH_NONE
+  ? US" C=..." : US" C=";
+
+for (int i = smtp_ch_index; i < SMTP_HBUFF_SIZE; i++)
+  if (smtp_connection_had[i] != SCH_NONE)
+    {
+    g = string_append(g, 2, sep, smtp_names[smtp_connection_had[i]]);
+    sep = US",";
+    }
+for (int i = 0; i < smtp_ch_index; i++, sep = US",")
+  g = string_append(g, 2, sep, smtp_names[smtp_connection_had[i]]);
+return g;
+}
+
+
+/*************************************************
+*      Log lack of MAIL if so configured         *
+*************************************************/
+
+/* This function is called when an SMTP session ends. If the log selector
+smtp_no_mail is set, write a log line giving some details of what has happened
+in the SMTP session.
+
+Arguments:   none
+Returns:     nothing
+*/
+
+void
+smtp_log_no_mail(void)
+{
+uschar * s;
+gstring * g = NULL;
+
+if (smtp_mailcmd_count > 0 || !LOGGING(smtp_no_mail))
+  return;
+
+if (sender_host_authenticated)
+  {
+  g = string_append(g, 2, US" A=", sender_host_authenticated);
+  if (authenticated_id) g = string_append(g, 2, US":", authenticated_id);
+  }
+
+#ifndef DISABLE_TLS
+g = s_tlslog(g);
+#endif
+
+g = s_connhad_log(g);
+
+if (!(s = string_from_gstring(g))) s = US"";
+
+log_write(0, LOG_MAIN, "no MAIL in %sSMTP connection from %s D=%s%s",
+  f.tcp_in_fastopen ? f.tcp_in_fastopen_data ? US"TFO* " : US"TFO " : US"",
+  host_and_ident(FALSE), string_timesince(&smtp_connection_start), s);
+}
+
+
+/* Return list of recent smtp commands */
+
+uschar *
+smtp_cmd_hist(void)
+{
+gstring * list = NULL;
+uschar * s;
+
+for (int i = smtp_ch_index; i < SMTP_HBUFF_SIZE; i++)
+  if (smtp_connection_had[i] != SCH_NONE)
+    list = string_append_listele(list, ',', smtp_names[smtp_connection_had[i]]);
+
+for (int i = 0; i < smtp_ch_index; i++)
+  list = string_append_listele(list, ',', smtp_names[smtp_connection_had[i]]);
+
+s = string_from_gstring(list);
+return s ? s : US"";
+}
+
+
+
+
+/*************************************************
+*   Check HELO line and set sender_helo_name     *
+*************************************************/
+
+/* Check the format of a HELO line. The data for HELO/EHLO is supposed to be
+the domain name of the sending host, or an ip literal in square brackets. The
+argument is placed in sender_helo_name, which is in malloc store, because it
+must persist over multiple incoming messages. If helo_accept_junk is set, this
+host is permitted to send any old junk (needed for some broken hosts).
+Otherwise, helo_allow_chars can be used for rogue characters in general
+(typically people want to let in underscores).
+
+Argument:
+  s       the data portion of the line (already past any white space)
+
+Returns:  TRUE or FALSE
+*/
+
+static BOOL
+check_helo(uschar *s)
+{
+uschar *start = s;
+uschar *end = s + Ustrlen(s);
+BOOL yield = fl.helo_accept_junk;
+
+/* Discard any previous helo name */
+
+sender_helo_name = NULL;
+
+/* Skip tests if junk is permitted. */
+
+if (!yield)
+
+  /* Allow the new standard form for IPv6 address literals, namely,
+  [IPv6:....], and because someone is bound to use it, allow an equivalent
+  IPv4 form. Allow plain addresses as well. */
+
+  if (*s == '[')
+    {
+    if (end[-1] == ']')
+      {
+      end[-1] = 0;
+      if (strncmpic(s, US"[IPv6:", 6) == 0)
+        yield = (string_is_ip_address(s+6, NULL) == 6);
+      else if (strncmpic(s, US"[IPv4:", 6) == 0)
+        yield = (string_is_ip_address(s+6, NULL) == 4);
+      else
+        yield = (string_is_ip_address(s+1, NULL) != 0);
+      end[-1] = ']';
+      }
+    }
+
+  /* Non-literals must be alpha, dot, hyphen, plus any non-valid chars
+  that have been configured (usually underscore - sigh). */
+
+  else if (*s)
+    for (yield = TRUE; *s; s++)
+      if (!isalnum(*s) && *s != '.' && *s != '-' &&
+          Ustrchr(helo_allow_chars, *s) == NULL)
+        {
+        yield = FALSE;
+        break;
+        }
+
+/* Save argument if OK */
+
+if (yield) sender_helo_name = string_copy_perm(start, TRUE);
+return yield;
+}
+
+
+
+
+
+/*************************************************
+*         Extract SMTP command option            *
+*************************************************/
+
+/* This function picks the next option setting off the end of smtp_cmd_data. It
+is called for MAIL FROM and RCPT TO commands, to pick off the optional ESMTP
+things that can appear there.
+
+Arguments:
+   name           point this at the name
+   value          point this at the data string
+
+Returns:          TRUE if found an option
+*/
+
+static BOOL
+extract_option(uschar **name, uschar **value)
+{
+uschar *n;
+uschar *v;
+if (Ustrlen(smtp_cmd_data) <= 0) return FALSE;
+v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
+while (v > smtp_cmd_data && isspace(*v)) v--;
+v[1] = 0;
+
+while (v > smtp_cmd_data && *v != '=' && !isspace(*v))
+  {
+  /* Take care to not stop at a space embedded in a quoted local-part */
+  if (*v == '"')
+    {
+    do v--; while (v > smtp_cmd_data && *v != '"');
+    if (v <= smtp_cmd_data) return FALSE;
+    }
+  v--;
+  }
+if (v <= smtp_cmd_data) return FALSE;
+
+n = v;
+if (*v == '=')
+  {
+  while (n > smtp_cmd_data && isalpha(n[-1])) n--;
+  /* RFC says SP, but TAB seen in wild and other major MTAs accept it */
+  if (n <= smtp_cmd_data || !isspace(n[-1])) return FALSE;
+  n[-1] = 0;
+  }
+else
+  {
+  n++;
+  }
+*v++ = 0;
+*name = n;
+*value = v;
+return TRUE;
+}
+
+
+
+
+
+/*************************************************
+*         Reset for new message                  *
+*************************************************/
+
+/* This function is called whenever the SMTP session is reset from
+within either of the setup functions; also from the daemon loop.
+
+Argument:   the stacking pool storage reset point
+Returns:    nothing
+*/
+
+void *
+smtp_reset(void *reset_point)
+{
+recipients_list = NULL;
+rcpt_count = rcpt_defer_count = rcpt_fail_count =
+  raw_recipients_count = recipients_count = recipients_list_max = 0;
+message_linecount = 0;
+message_size = -1;
+message_body = message_body_end = NULL;
+acl_added_headers = NULL;
+acl_removed_headers = NULL;
+f.queue_only_policy = FALSE;
+rcpt_smtp_response = NULL;
+fl.rcpt_smtp_response_same = TRUE;
+fl.rcpt_in_progress = FALSE;
+f.deliver_freeze = FALSE;				/* Can be set by ACL */
+freeze_tell = freeze_tell_config;			/* Can be set by ACL */
+fake_response = OK;					/* Can be set by ACL */
+#ifdef WITH_CONTENT_SCAN
+f.no_mbox_unspool = FALSE;				/* Can be set by ACL */
+#endif
+f.submission_mode = FALSE;				/* Can be set by ACL */
+f.suppress_local_fixups = f.suppress_local_fixups_default; /* Can be set by ACL */
+f.active_local_from_check = local_from_check;		/* Can be set by ACL */
+f.active_local_sender_retain = local_sender_retain;	/* Can be set by ACL */
+sending_ip_address = NULL;
+return_path = sender_address = NULL;
+deliver_localpart_data = deliver_domain_data =
+recipient_data = sender_data = NULL;			/* Can be set by ACL */
+recipient_verify_failure = NULL;
+deliver_localpart_parent = deliver_localpart_orig = NULL;
+deliver_domain_parent = deliver_domain_orig = NULL;
+callout_address = NULL;
+submission_name = NULL;					/* Can be set by ACL */
+raw_sender = NULL;                  /* After SMTP rewrite, before qualifying */
+sender_address_unrewritten = NULL;  /* Set only after verify rewrite */
+sender_verified_list = NULL;        /* No senders verified */
+memset(sender_address_cache, 0, sizeof(sender_address_cache));
+memset(sender_domain_cache, 0, sizeof(sender_domain_cache));
+
+authenticated_sender = NULL;
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+bmi_run = 0;
+bmi_verdicts = NULL;
+#endif
+dnslist_domain = dnslist_matched = NULL;
+#ifdef SUPPORT_SPF
+spf_header_comment = spf_received = spf_result = spf_smtp_comment = NULL;
+spf_result_guessed = FALSE;
+#endif
+#ifndef DISABLE_DKIM
+dkim_cur_signer = dkim_signers =
+dkim_signing_domain = dkim_signing_selector = dkim_signatures = NULL;
+dkim_cur_signer = dkim_signers = dkim_signing_domain = dkim_signing_selector = NULL;
+f.dkim_disable_verify = FALSE;
+dkim_collect_input = 0;
+dkim_verify_overall = dkim_verify_status = dkim_verify_reason = NULL;
+dkim_key_length = 0;
+#endif
+#ifdef SUPPORT_DMARC
+f.dmarc_has_been_checked = f.dmarc_disable_verify = f.dmarc_enable_forensic = FALSE;
+dmarc_domain_policy = dmarc_status = dmarc_status_text =
+dmarc_used_domain = NULL;
+#endif
+#ifdef EXPERIMENTAL_ARC
+arc_state = arc_state_reason = NULL;
+arc_received_instance = 0;
+#endif
+dsn_ret = 0;
+dsn_envid = NULL;
+deliver_host = deliver_host_address = NULL;	/* Can be set by ACL */
+#ifndef DISABLE_PRDR
+prdr_requested = FALSE;
+#endif
+#ifdef SUPPORT_I18N
+message_smtputf8 = FALSE;
+#endif
+body_linecount = body_zerocount = 0;
+
+sender_rate = sender_rate_limit = sender_rate_period = NULL;
+ratelimiters_mail = NULL;           /* Updated by ratelimit ACL condition */
+                   /* Note that ratelimiters_conn persists across resets. */
+
+/* Reset message ACL variables */
+
+acl_var_m = NULL;
+
+/* Warning log messages are saved in malloc store. They are saved to avoid
+repetition in the same message, but it seems right to repeat them for different
+messages. */
+
+while (acl_warn_logged)
+  {
+  string_item *this = acl_warn_logged;
+  acl_warn_logged = acl_warn_logged->next;
+  store_free(this);
+  }
+
+message_tidyup();
+store_reset(reset_point);
+
+message_start();
+return store_mark();
+}
+
+
+
+
+
+/*************************************************
+*  Initialize for incoming batched SMTP message  *
+*************************************************/
+
+/* This function is called from smtp_setup_msg() in the case when
+smtp_batched_input is true. This happens when -bS is used to pass a whole batch
+of messages in one file with SMTP commands between them. All errors must be
+reported by sending a message, and only MAIL FROM, RCPT TO, and DATA are
+relevant. After an error on a sender, or an invalid recipient, the remainder
+of the message is skipped. The value of received_protocol is already set.
+
+Argument: none
+Returns:  > 0 message successfully started (reached DATA)
+          = 0 QUIT read or end of file reached
+          < 0 should not occur
+*/
+
+static int
+smtp_setup_batch_msg(void)
+{
+int done = 0;
+rmark reset_point = store_mark();
+
+/* Save the line count at the start of each transaction - single commands
+like HELO and RSET count as whole transactions. */
+
+bsmtp_transaction_linecount = receive_linecount;
+
+if ((receive_feof)()) return 0;   /* Treat EOF as QUIT */
+
+cancel_cutthrough_connection(TRUE, US"smtp_setup_batch_msg");
+reset_point = smtp_reset(reset_point);                /* Reset for start of message */
+
+/* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
+value. The values are 2 larger than the required yield of the function. */
+
+while (done <= 0)
+  {
+  uschar *errmess;
+  uschar *recipient = NULL;
+  int start, end, sender_domain, recipient_domain;
+
+  switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
+    {
+    /* The HELO/EHLO commands set sender_address_helo if they have
+    valid data; otherwise they are ignored, except that they do
+    a reset of the state. */
+
+    case HELO_CMD:
+    case EHLO_CMD:
+
+      check_helo(smtp_cmd_data);
+      /* Fall through */
+
+    case RSET_CMD:
+      cancel_cutthrough_connection(TRUE, US"RSET received");
+      reset_point = smtp_reset(reset_point);
+      bsmtp_transaction_linecount = receive_linecount;
+      break;
+
+
+    /* The MAIL FROM command requires an address as an operand. All we
+    do here is to parse it for syntactic correctness. The form "<>" is
+    a special case which converts into an empty string. The start/end
+    pointers in the original are not used further for this address, as
+    it is the canonical extracted address which is all that is kept. */
+
+    case MAIL_CMD:
+      smtp_mailcmd_count++;              /* Count for no-mail log */
+      if (sender_address)
+	/* The function moan_smtp_batch() does not return. */
+	moan_smtp_batch(smtp_cmd_buffer, "503 Sender already given");
+
+      if (smtp_cmd_data[0] == 0)
+	/* The function moan_smtp_batch() does not return. */
+	moan_smtp_batch(smtp_cmd_buffer, "501 MAIL FROM must have an address operand");
+
+      /* Reset to start of message */
+
+      cancel_cutthrough_connection(TRUE, US"MAIL received");
+      reset_point = smtp_reset(reset_point);
+
+      /* Apply SMTP rewrite */
+
+      raw_sender = rewrite_existflags & rewrite_smtp
+	/* deconst ok as smtp_cmd_data was not const */
+        ? US rewrite_one(smtp_cmd_data, rewrite_smtp|rewrite_smtp_sender, NULL,
+		      FALSE, US"", global_rewrite_rules)
+	: smtp_cmd_data;
+
+      /* Extract the address; the TRUE flag allows <> as valid */
+
+      raw_sender =
+	parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
+	  TRUE);
+
+      if (!raw_sender)
+	/* The function moan_smtp_batch() does not return. */
+	moan_smtp_batch(smtp_cmd_buffer, "501 %s", errmess);
+
+      sender_address = string_copy(raw_sender);
+
+      /* Qualify unqualified sender addresses if permitted to do so. */
+
+      if (  !sender_domain
+         && sender_address[0] != 0 && sender_address[0] != '@')
+	if (f.allow_unqualified_sender)
+	  {
+	  /* deconst ok as sender_address was not const */
+	  sender_address = US rewrite_address_qualify(sender_address, FALSE);
+	  DEBUG(D_receive) debug_printf("unqualified address %s accepted "
+	    "and rewritten\n", raw_sender);
+	  }
+	/* The function moan_smtp_batch() does not return. */
+	else
+	  moan_smtp_batch(smtp_cmd_buffer, "501 sender address must contain "
+	    "a domain");
+      break;
+
+
+    /* The RCPT TO command requires an address as an operand. All we do
+    here is to parse it for syntactic correctness. There may be any number
+    of RCPT TO commands, specifying multiple senders. We build them all into
+    a data structure that is in argc/argv format. The start/end values
+    given by parse_extract_address are not used, as we keep only the
+    extracted address. */
+
+    case RCPT_CMD:
+      if (!sender_address)
+	/* The function moan_smtp_batch() does not return. */
+	moan_smtp_batch(smtp_cmd_buffer, "503 No sender yet given");
+
+      if (smtp_cmd_data[0] == 0)
+	/* The function moan_smtp_batch() does not return. */
+	moan_smtp_batch(smtp_cmd_buffer,
+	  "501 RCPT TO must have an address operand");
+
+      /* Check maximum number allowed */
+
+      if (recipients_max > 0 && recipients_count + 1 > recipients_max)
+	/* The function moan_smtp_batch() does not return. */
+	moan_smtp_batch(smtp_cmd_buffer, "%s too many recipients",
+	  recipients_max_reject? "552": "452");
+
+      /* Apply SMTP rewrite, then extract address. Don't allow "<>" as a
+      recipient address */
+
+      recipient = rewrite_existflags & rewrite_smtp
+	/* deconst ok as smtp_cmd_data was not const */
+	? US rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
+		      global_rewrite_rules)
+	: smtp_cmd_data;
+
+      recipient = parse_extract_address(recipient, &errmess, &start, &end,
+	&recipient_domain, FALSE);
+
+      if (!recipient)
+	/* The function moan_smtp_batch() does not return. */
+	moan_smtp_batch(smtp_cmd_buffer, "501 %s", errmess);
+
+      /* If the recipient address is unqualified, qualify it if permitted. Then
+      add it to the list of recipients. */
+
+      if (!recipient_domain)
+	if (f.allow_unqualified_recipient)
+	  {
+	  DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
+	    recipient);
+	  /* deconst ok as recipient was not const */
+	  recipient = US rewrite_address_qualify(recipient, TRUE);
+	  }
+	/* The function moan_smtp_batch() does not return. */
+	else
+	  moan_smtp_batch(smtp_cmd_buffer,
+	    "501 recipient address must contain a domain");
+
+      receive_add_recipient(recipient, -1);
+      break;
+
+
+    /* The DATA command is legal only if it follows successful MAIL FROM
+    and RCPT TO commands. This function is complete when a valid DATA
+    command is encountered. */
+
+    case DATA_CMD:
+      if (!sender_address || recipients_count <= 0)
+	/* The function moan_smtp_batch() does not return. */
+	if (!sender_address)
+	  moan_smtp_batch(smtp_cmd_buffer,
+	    "503 MAIL FROM:<sender> command must precede DATA");
+	else
+	  moan_smtp_batch(smtp_cmd_buffer,
+	    "503 RCPT TO:<recipient> must precede DATA");
+      else
+	{
+	done = 3;                      /* DATA successfully achieved */
+	message_ended = END_NOTENDED;  /* Indicate in middle of message */
+	}
+      break;
+
+
+    /* The VRFY, EXPN, HELP, ETRN, and NOOP commands are ignored. */
+
+    case VRFY_CMD:
+    case EXPN_CMD:
+    case HELP_CMD:
+    case NOOP_CMD:
+    case ETRN_CMD:
+      bsmtp_transaction_linecount = receive_linecount;
+      break;
+
+
+    case QUIT_CMD:
+      f.smtp_in_quit = TRUE;
+    case EOF_CMD:
+      done = 2;
+      break;
+
+
+    case BADARG_CMD:
+      /* The function moan_smtp_batch() does not return. */
+      moan_smtp_batch(smtp_cmd_buffer, "501 Unexpected argument data");
+      break;
+
+
+    case BADCHAR_CMD:
+      /* The function moan_smtp_batch() does not return. */
+      moan_smtp_batch(smtp_cmd_buffer, "501 Unexpected NULL in SMTP command");
+      break;
+
+
+    default:
+      /* The function moan_smtp_batch() does not return. */
+      moan_smtp_batch(smtp_cmd_buffer, "500 Command unrecognized");
+      break;
+    }
+  }
+
+return done - 2;  /* Convert yield values */
+}
+
+
+
+
+#ifndef DISABLE_TLS
+static BOOL
+smtp_log_tls_fail(const uschar * errstr)
+{
+const uschar * conn_info = smtp_get_connection_info();
+
+if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
+/* I'd like to get separated H= here, but too hard for now */
+
+log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
+return FALSE;
+}
+#endif
+
+
+
+
+#ifdef TCP_FASTOPEN
+static void
+tfo_in_check(void)
+{
+# ifdef __FreeBSD__
+int is_fastopen;
+socklen_t len = sizeof(is_fastopen);
+
+/* The tinfo TCPOPT_FAST_OPEN bit seems unreliable, and we don't see state
+TCP_SYN_RCV (as of 12.1) so no idea about data-use. */
+
+if (getsockopt(fileno(smtp_out), IPPROTO_TCP, TCP_FASTOPEN, &is_fastopen, &len) == 0)
+  {
+  if (is_fastopen)
+    {
+    DEBUG(D_receive)
+      debug_printf("TFO mode connection (TCP_FASTOPEN getsockopt)\n");
+    f.tcp_in_fastopen = TRUE;
+    }
+  }
+else DEBUG(D_receive)
+  debug_printf("TCP_INFO getsockopt: %s\n", strerror(errno));
+
+# elif defined(TCP_INFO)
+struct tcp_info tinfo;
+socklen_t len = sizeof(tinfo);
+
+if (getsockopt(fileno(smtp_out), IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0)
+#  ifdef TCPI_OPT_SYN_DATA	/* FreeBSD 11,12 do not seem to have this yet */
+  if (tinfo.tcpi_options & TCPI_OPT_SYN_DATA)
+    {
+    DEBUG(D_receive)
+      debug_printf("TFO mode connection (ACKd data-on-SYN)\n");
+    f.tcp_in_fastopen_data = f.tcp_in_fastopen = TRUE;
+    }
+  else
+#  endif
+    if (tinfo.tcpi_state == TCP_SYN_RECV)	/* Not seen on FreeBSD 12.1 */
+    {
+    DEBUG(D_receive)
+      debug_printf("TFO mode connection (state TCP_SYN_RECV)\n");
+    f.tcp_in_fastopen = TRUE;
+    }
+else DEBUG(D_receive)
+  debug_printf("TCP_INFO getsockopt: %s\n", strerror(errno));
+# endif
+}
+#endif
+
+
+/*************************************************
+*          Start an SMTP session                 *
+*************************************************/
+
+/* This function is called at the start of an SMTP session. Thereafter,
+smtp_setup_msg() is called to initiate each separate message. This
+function does host-specific testing, and outputs the banner line.
+
+Arguments:     none
+Returns:       FALSE if the session can not continue; something has
+               gone wrong, or the connection to the host is blocked
+*/
+
+BOOL
+smtp_start_session(void)
+{
+int esclen;
+uschar *user_msg, *log_msg;
+uschar *code, *esc;
+uschar *p, *s;
+gstring * ss;
+
+gettimeofday(&smtp_connection_start, NULL);
+for (smtp_ch_index = 0; smtp_ch_index < SMTP_HBUFF_SIZE; smtp_ch_index++)
+  smtp_connection_had[smtp_ch_index] = SCH_NONE;
+smtp_ch_index = 0;
+
+/* Default values for certain variables */
+
+fl.helo_seen = fl.esmtp = fl.helo_accept_junk = FALSE;
+smtp_mailcmd_count = 0;
+count_nonmail = TRUE_UNSET;
+synprot_error_count = unknown_command_count = nonmail_command_count = 0;
+smtp_delay_mail = smtp_rlm_base;
+fl.auth_advertised = FALSE;
+f.smtp_in_pipelining_advertised = f.smtp_in_pipelining_used = FALSE;
+f.pipelining_enable = TRUE;
+sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
+fl.smtp_exit_function_called = FALSE;    /* For avoiding loop in not-quit exit */
+
+/* If receiving by -bs from a trusted user, or testing with -bh, we allow
+authentication settings from -oMaa to remain in force. */
+
+if (!host_checking && !f.sender_host_notsocket)
+  sender_host_auth_pubname = sender_host_authenticated = NULL;
+authenticated_by = NULL;
+
+#ifndef DISABLE_TLS
+tls_in.ver = tls_in.cipher = tls_in.peerdn = NULL;
+tls_in.ourcert = tls_in.peercert = NULL;
+tls_in.sni = NULL;
+tls_in.ocsp = OCSP_NOT_REQ;
+fl.tls_advertised = FALSE;
+#endif
+fl.dsn_advertised = FALSE;
+#ifdef SUPPORT_I18N
+fl.smtputf8_advertised = FALSE;
+#endif
+
+/* Reset ACL connection variables */
+
+acl_var_c = NULL;
+
+/* Allow for trailing 0 in the command and data buffers.  Tainted. */
+
+smtp_cmd_buffer = store_get_perm(2*SMTP_CMD_BUFFER_SIZE + 2, GET_TAINTED);
+
+smtp_cmd_buffer[0] = 0;
+smtp_data_buffer = smtp_cmd_buffer + SMTP_CMD_BUFFER_SIZE + 1;
+
+/* For batched input, the protocol setting can be overridden from the
+command line by a trusted caller. */
+
+if (smtp_batched_input)
+  {
+  if (!received_protocol) received_protocol = US"local-bsmtp";
+  }
+
+/* For non-batched SMTP input, the protocol setting is forced here. It will be
+reset later if any of EHLO/AUTH/STARTTLS are received. */
+
+else
+  received_protocol =
+    (sender_host_address ? protocols : protocols_local) [pnormal];
+
+/* Set up the buffer for inputting using direct read() calls, and arrange to
+call the local functions instead of the standard C ones. */
+
+smtp_buf_init();
+
+receive_getc = smtp_getc;
+receive_getbuf = smtp_getbuf;
+receive_get_cache = smtp_get_cache;
+receive_hasc = smtp_hasc;
+receive_ungetc = smtp_ungetc;
+receive_feof = smtp_feof;
+receive_ferror = smtp_ferror;
+lwr_receive_getc = NULL;
+lwr_receive_getbuf = NULL;
+lwr_receive_hasc = NULL;
+lwr_receive_ungetc = NULL;
+
+/* Set up the message size limit; this may be host-specific */
+
+thismessage_size_limit = expand_string_integer(message_size_limit, TRUE);
+if (expand_string_message)
+  {
+  if (thismessage_size_limit == -1)
+    log_write(0, LOG_MAIN|LOG_PANIC, "unable to expand message_size_limit: "
+      "%s", expand_string_message);
+  else
+    log_write(0, LOG_MAIN|LOG_PANIC, "invalid message_size_limit: "
+      "%s", expand_string_message);
+  smtp_closedown(US"Temporary local problem - please try later");
+  return FALSE;
+  }
+
+/* When a message is input locally via the -bs or -bS options, sender_host_
+unknown is set unless -oMa was used to force an IP address, in which case it
+is checked like a real remote connection. When -bs is used from inetd, this
+flag is not set, causing the sending host to be checked. The code that deals
+with IP source routing (if configured) is never required for -bs or -bS and
+the flag sender_host_notsocket is used to suppress it.
+
+If smtp_accept_max and smtp_accept_reserve are set, keep some connections in
+reserve for certain hosts and/or networks. */
+
+if (!f.sender_host_unknown)
+  {
+  int rc;
+  BOOL reserved_host = FALSE;
+
+  /* Look up IP options (source routing info) on the socket if this is not an
+  -oMa "host", and if any are found, log them and drop the connection.
+
+  Linux (and others now, see below) is different to everyone else, so there
+  has to be some conditional compilation here. Versions of Linux before 2.1.15
+  used a structure whose name was "options". Somebody finally realized that
+  this name was silly, and it got changed to "ip_options". I use the
+  newer name here, but there is a fudge in the script that sets up os.h
+  to define a macro in older Linux systems.
+
+  Sigh. Linux is a fast-moving target. Another generation of Linux uses
+  glibc 2, which has chosen ip_opts for the structure name. This is now
+  really a glibc thing rather than a Linux thing, so the condition name
+  has been changed to reflect this. It is relevant also to GNU/Hurd.
+
+  Mac OS 10.x (Darwin) is like the later glibc versions, but without the
+  setting of the __GLIBC__ macro, so we can't detect it automatically. There's
+  a special macro defined in the os.h file.
+
+  Some DGUX versions on older hardware appear not to support IP options at
+  all, so there is now a general macro which can be set to cut out this
+  support altogether.
+
+  How to do this properly in IPv6 is not yet known. */
+
+#if !HAVE_IPV6 && !defined(NO_IP_OPTIONS)
+
+  #ifdef GLIBC_IP_OPTIONS
+    #if (!defined __GLIBC__) || (__GLIBC__ < 2)
+    #define OPTSTYLE 1
+    #else
+    #define OPTSTYLE 2
+    #endif
+  #elif defined DARWIN_IP_OPTIONS
+    #define OPTSTYLE 2
+  #else
+    #define OPTSTYLE 3
+  #endif
+
+  if (!host_checking && !f.sender_host_notsocket)
+    {
+    #if OPTSTYLE == 1
+    EXIM_SOCKLEN_T optlen = sizeof(struct ip_options) + MAX_IPOPTLEN;
+    struct ip_options *ipopt = store_get(optlen, GET_UNTAINTED);
+    #elif OPTSTYLE == 2
+    struct ip_opts ipoptblock;
+    struct ip_opts *ipopt = &ipoptblock;
+    EXIM_SOCKLEN_T optlen = sizeof(ipoptblock);
+    #else
+    struct ipoption ipoptblock;
+    struct ipoption *ipopt = &ipoptblock;
+    EXIM_SOCKLEN_T optlen = sizeof(ipoptblock);
+    #endif
+
+    /* Occasional genuine failures of getsockopt() have been seen - for
+    example, "reset by peer". Therefore, just log and give up on this
+    call, unless the error is ENOPROTOOPT. This error is given by systems
+    that have the interfaces but not the mechanism - e.g. GNU/Hurd at the time
+    of writing. So for that error, carry on - we just can't do an IP options
+    check. */
+
+    DEBUG(D_receive) debug_printf("checking for IP options\n");
+
+    if (getsockopt(fileno(smtp_out), IPPROTO_IP, IP_OPTIONS, US (ipopt),
+          &optlen) < 0)
+      {
+      if (errno != ENOPROTOOPT)
+        {
+        log_write(0, LOG_MAIN, "getsockopt() failed from %s: %s",
+          host_and_ident(FALSE), strerror(errno));
+        smtp_printf("451 SMTP service not available\r\n", FALSE);
+        return FALSE;
+        }
+      }
+
+    /* Deal with any IP options that are set. On the systems I have looked at,
+    the value of MAX_IPOPTLEN has been 40, meaning that there should never be
+    more logging data than will fit in big_buffer. Nevertheless, after somebody
+    questioned this code, I've added in some paranoid checking. */
+
+    else if (optlen > 0)
+      {
+      uschar *p = big_buffer;
+      uschar *pend = big_buffer + big_buffer_size;
+      uschar *adptr;
+      int optcount;
+      struct in_addr addr;
+
+      #if OPTSTYLE == 1
+      uschar *optstart = US (ipopt->__data);
+      #elif OPTSTYLE == 2
+      uschar *optstart = US (ipopt->ip_opts);
+      #else
+      uschar *optstart = US (ipopt->ipopt_list);
+      #endif
+
+      DEBUG(D_receive) debug_printf("IP options exist\n");
+
+      Ustrcpy(p, "IP options on incoming call:");
+      p += Ustrlen(p);
+
+      for (uschar * opt = optstart; opt && opt < US (ipopt) + optlen; )
+        switch (*opt)
+          {
+          case IPOPT_EOL:
+          opt = NULL;
+          break;
+
+          case IPOPT_NOP:
+          opt++;
+          break;
+
+          case IPOPT_SSRR:
+          case IPOPT_LSRR:
+          if (!string_format(p, pend-p, " %s [@%s",
+               (*opt == IPOPT_SSRR)? "SSRR" : "LSRR",
+               #if OPTSTYLE == 1
+               inet_ntoa(*((struct in_addr *)(&(ipopt->faddr))))))
+               #elif OPTSTYLE == 2
+               inet_ntoa(ipopt->ip_dst)))
+               #else
+               inet_ntoa(ipopt->ipopt_dst)))
+               #endif
+            {
+            opt = NULL;
+            break;
+            }
+
+          p += Ustrlen(p);
+          optcount = (opt[1] - 3) / sizeof(struct in_addr);
+          adptr = opt + 3;
+          while (optcount-- > 0)
+            {
+            memcpy(&addr, adptr, sizeof(addr));
+            if (!string_format(p, pend - p - 1, "%s%s",
+                  (optcount == 0)? ":" : "@", inet_ntoa(addr)))
+              {
+              opt = NULL;
+              break;
+              }
+            p += Ustrlen(p);
+            adptr += sizeof(struct in_addr);
+            }
+          *p++ = ']';
+          opt += opt[1];
+          break;
+
+          default:
+            {
+            if (pend - p < 4 + 3*opt[1]) { opt = NULL; break; }
+            Ustrcat(p, "[ ");
+            p += 2;
+            for (int i = 0; i < opt[1]; i++)
+              p += sprintf(CS p, "%2.2x ", opt[i]);
+            *p++ = ']';
+            }
+          opt += opt[1];
+          break;
+          }
+
+      *p = 0;
+      log_write(0, LOG_MAIN, "%s", big_buffer);
+
+      /* Refuse any call with IP options. This is what tcpwrappers 7.5 does. */
+
+      log_write(0, LOG_MAIN|LOG_REJECT,
+        "connection from %s refused (IP options)", host_and_ident(FALSE));
+
+      smtp_printf("554 SMTP service not available\r\n", FALSE);
+      return FALSE;
+      }
+
+    /* Length of options = 0 => there are no options */
+
+    else DEBUG(D_receive) debug_printf("no IP options found\n");
+    }
+#endif  /* HAVE_IPV6 && !defined(NO_IP_OPTIONS) */
+
+  /* Set keep-alive in socket options. The option is on by default. This
+  setting is an attempt to get rid of some hanging connections that stick in
+  read() when the remote end (usually a dialup) goes away. */
+
+  if (smtp_accept_keepalive && !f.sender_host_notsocket)
+    ip_keepalive(fileno(smtp_out), sender_host_address, FALSE);
+
+  /* If the current host matches host_lookup, set the name by doing a
+  reverse lookup. On failure, sender_host_name will be NULL and
+  host_lookup_failed will be TRUE. This may or may not be serious - optional
+  checks later. */
+
+  if (verify_check_host(&host_lookup) == OK)
+    {
+    (void)host_name_lookup();
+    host_build_sender_fullhost();
+    }
+
+  /* Delay this until we have the full name, if it is looked up. */
+
+  set_process_info("handling incoming connection from %s",
+    host_and_ident(FALSE));
+
+  /* Expand smtp_receive_timeout, if needed */
+
+  if (smtp_receive_timeout_s)
+    {
+    uschar * exp;
+    if (  !(exp = expand_string(smtp_receive_timeout_s))
+       || !(*exp)
+       || (smtp_receive_timeout = readconf_readtime(exp, 0, FALSE)) < 0
+       )
+      log_write(0, LOG_MAIN|LOG_PANIC,
+	"bad value for smtp_receive_timeout: '%s'", exp ? exp : US"");
+    }
+
+  /* Test for explicit connection rejection */
+
+  if (verify_check_host(&host_reject_connection) == OK)
+    {
+    log_write(L_connection_reject, LOG_MAIN|LOG_REJECT, "refused connection "
+      "from %s (host_reject_connection)", host_and_ident(FALSE));
+    smtp_printf("554 SMTP service not available\r\n", FALSE);
+    return FALSE;
+    }
+
+  /* Test with TCP Wrappers if so configured. There is a problem in that
+  hosts_ctl() returns 0 (deny) under a number of system failure circumstances,
+  such as disks dying. In these cases, it is desirable to reject with a 4xx
+  error instead of a 5xx error. There isn't a "right" way to detect such
+  problems. The following kludge is used: errno is zeroed before calling
+  hosts_ctl(). If the result is "reject", a 5xx error is given only if the
+  value of errno is 0 or ENOENT (which happens if /etc/hosts.{allow,deny} does
+  not exist). */
+
+#ifdef USE_TCP_WRAPPERS
+  errno = 0;
+  if (!(tcp_wrappers_name = expand_string(tcp_wrappers_daemon_name)))
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
+      "(tcp_wrappers_name) failed: %s", string_printing(tcp_wrappers_name),
+        expand_string_message);
+
+  if (!hosts_ctl(tcp_wrappers_name,
+         sender_host_name ? CS sender_host_name : STRING_UNKNOWN,
+         sender_host_address ? CS sender_host_address : STRING_UNKNOWN,
+         sender_ident ? CS sender_ident : STRING_UNKNOWN))
+    {
+    if (errno == 0 || errno == ENOENT)
+      {
+      HDEBUG(D_receive) debug_printf("tcp wrappers rejection\n");
+      log_write(L_connection_reject,
+                LOG_MAIN|LOG_REJECT, "refused connection from %s "
+                "(tcp wrappers)", host_and_ident(FALSE));
+      smtp_printf("554 SMTP service not available\r\n", FALSE);
+      }
+    else
+      {
+      int save_errno = errno;
+      HDEBUG(D_receive) debug_printf("tcp wrappers rejected with unexpected "
+        "errno value %d\n", save_errno);
+      log_write(L_connection_reject,
+                LOG_MAIN|LOG_REJECT, "temporarily refused connection from %s "
+                "(tcp wrappers errno=%d)", host_and_ident(FALSE), save_errno);
+      smtp_printf("451 Temporary local problem - please try later\r\n", FALSE);
+      }
+    return FALSE;
+    }
+#endif
+
+  /* Check for reserved slots. The value of smtp_accept_count has already been
+  incremented to include this process. */
+
+  if (smtp_accept_max > 0 &&
+      smtp_accept_count > smtp_accept_max - smtp_accept_reserve)
+    {
+    if ((rc = verify_check_host(&smtp_reserve_hosts)) != OK)
+      {
+      log_write(L_connection_reject,
+        LOG_MAIN, "temporarily refused connection from %s: not in "
+        "reserve list: connected=%d max=%d reserve=%d%s",
+        host_and_ident(FALSE), smtp_accept_count - 1, smtp_accept_max,
+        smtp_accept_reserve, (rc == DEFER)? " (lookup deferred)" : "");
+      smtp_printf("421 %s: Too many concurrent SMTP connections; "
+        "please try again later\r\n", FALSE, smtp_active_hostname);
+      return FALSE;
+      }
+    reserved_host = TRUE;
+    }
+
+  /* If a load level above which only messages from reserved hosts are
+  accepted is set, check the load. For incoming calls via the daemon, the
+  check is done in the superior process if there are no reserved hosts, to
+  save a fork. In all cases, the load average will already be available
+  in a global variable at this point. */
+
+  if (smtp_load_reserve >= 0 &&
+       load_average > smtp_load_reserve &&
+       !reserved_host &&
+       verify_check_host(&smtp_reserve_hosts) != OK)
+    {
+    log_write(L_connection_reject,
+      LOG_MAIN, "temporarily refused connection from %s: not in "
+      "reserve list and load average = %.2f", host_and_ident(FALSE),
+      (double)load_average/1000.0);
+    smtp_printf("421 %s: Too much load; please try again later\r\n", FALSE,
+      smtp_active_hostname);
+    return FALSE;
+    }
+
+  /* Determine whether unqualified senders or recipients are permitted
+  for this host. Unfortunately, we have to do this every time, in order to
+  set the flags so that they can be inspected when considering qualifying
+  addresses in the headers. For a site that permits no qualification, this
+  won't take long, however. */
+
+  f.allow_unqualified_sender =
+    verify_check_host(&sender_unqualified_hosts) == OK;
+
+  f.allow_unqualified_recipient =
+    verify_check_host(&recipient_unqualified_hosts) == OK;
+
+  /* Determine whether HELO/EHLO is required for this host. The requirement
+  can be hard or soft. */
+
+  fl.helo_verify_required = verify_check_host(&helo_verify_hosts) == OK;
+  if (!fl.helo_verify_required)
+    fl.helo_verify = verify_check_host(&helo_try_verify_hosts) == OK;
+
+  /* Determine whether this hosts is permitted to send syntactic junk
+  after a HELO or EHLO command. */
+
+  fl.helo_accept_junk = verify_check_host(&helo_accept_junk_hosts) == OK;
+  }
+
+/* For batch SMTP input we are now done. */
+
+if (smtp_batched_input) return TRUE;
+
+/* If valid Proxy Protocol source is connecting, set up session.
+Failure will not allow any SMTP function other than QUIT. */
+
+#ifdef SUPPORT_PROXY
+proxy_session = FALSE;
+f.proxy_session_failed = FALSE;
+if (check_proxy_protocol_host())
+  setup_proxy_protocol_host();
+#endif
+
+/* Start up TLS if tls_on_connect is set. This is for supporting the legacy
+smtps port for use with older style SSL MTAs. */
+
+#ifndef DISABLE_TLS
+if (tls_in.on_connect)
+  {
+  if (tls_server_start(&user_msg) != OK)
+    return smtp_log_tls_fail(user_msg);
+  cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = TRUE;
+  }
+#endif
+
+/* Run the connect ACL if it exists */
+
+user_msg = NULL;
+if (acl_smtp_connect)
+  {
+  int rc;
+  if ((rc = acl_check(ACL_WHERE_CONNECT, NULL, acl_smtp_connect, &user_msg,
+		      &log_msg)) != OK)
+    {
+    (void) smtp_handle_acl_fail(ACL_WHERE_CONNECT, rc, user_msg, log_msg);
+    return FALSE;
+    }
+  }
+
+/* Output the initial message for a two-way SMTP connection. It may contain
+newlines, which then cause a multi-line response to be given. */
+
+code = US"220";   /* Default status code */
+esc = US"";       /* Default extended status code */
+esclen = 0;       /* Length of esc */
+
+if (!user_msg)
+  {
+  if (!(s = expand_string(smtp_banner)))
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" (smtp_banner) "
+      "failed: %s", smtp_banner, expand_string_message);
+  }
+else
+  {
+  int codelen = 3;
+  s = user_msg;
+  smtp_message_code(&code, &codelen, &s, NULL, TRUE);
+  if (codelen > 4)
+    {
+    esc = code + 4;
+    esclen = codelen - 4;
+    }
+  }
+
+/* Remove any terminating newlines; might as well remove trailing space too */
+
+p = s + Ustrlen(s);
+while (p > s && isspace(p[-1])) p--;
+s = string_copyn(s, p-s);
+
+/* It seems that CC:Mail is braindead, and assumes that the greeting message
+is all contained in a single IP packet. The original code wrote out the
+greeting using several calls to fprint/fputc, and on busy servers this could
+cause it to be split over more than one packet - which caused CC:Mail to fall
+over when it got the second part of the greeting after sending its first
+command. Sigh. To try to avoid this, build the complete greeting message
+first, and output it in one fell swoop. This gives a better chance of it
+ending up as a single packet. */
+
+ss = string_get(256);
+
+p = s;
+do       /* At least once, in case we have an empty string */
+  {
+  int len;
+  uschar *linebreak = Ustrchr(p, '\n');
+  ss = string_catn(ss, code, 3);
+  if (!linebreak)
+    {
+    len = Ustrlen(p);
+    ss = string_catn(ss, US" ", 1);
+    }
+  else
+    {
+    len = linebreak - p;
+    ss = string_catn(ss, US"-", 1);
+    }
+  ss = string_catn(ss, esc, esclen);
+  ss = string_catn(ss, p, len);
+  ss = string_catn(ss, US"\r\n", 2);
+  p += len;
+  if (linebreak) p++;
+  }
+while (*p);
+
+/* Before we write the banner, check that there is no input pending, unless
+this synchronisation check is disabled. */
+
+#ifndef DISABLE_PIPE_CONNECT
+fl.pipe_connect_acceptable =
+  sender_host_address && verify_check_host(&pipe_connect_advertise_hosts) == OK;
+
+if (!check_sync())
+  if (fl.pipe_connect_acceptable)
+    f.smtp_in_early_pipe_used = TRUE;
+  else
+#else
+if (!check_sync())
+#endif
+    {
+    unsigned n = smtp_inend - smtp_inptr;
+    if (n > 128) n = 128;
+
+    log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol "
+      "synchronization error (input sent without waiting for greeting): "
+      "rejected connection from %s input=\"%s\"", host_and_ident(TRUE),
+      string_printing(string_copyn(smtp_inptr, n)));
+    smtp_printf("554 SMTP synchronization error\r\n", FALSE);
+    return FALSE;
+    }
+
+/* Now output the banner */
+/*XXX the ehlo-resp code does its own tls/nontls bit.  Maybe subroutine that? */
+
+smtp_printf("%s",
+#ifndef DISABLE_PIPE_CONNECT
+  fl.pipe_connect_acceptable && pipeline_connect_sends(),
+#else
+  FALSE,
+#endif
+  string_from_gstring(ss));
+
+/* Attempt to see if we sent the banner before the last ACK of the 3-way
+handshake arrived.  If so we must have managed a TFO. */
+
+#ifdef TCP_FASTOPEN
+if (sender_host_address && !f.sender_host_notsocket) tfo_in_check();
+#endif
+
+return TRUE;
+}
+
+
+
+
+
+/*************************************************
+*     Handle SMTP syntax and protocol errors     *
+*************************************************/
+
+/* Write to the log for SMTP syntax errors in incoming commands, if configured
+to do so. Then transmit the error response. The return value depends on the
+number of syntax and protocol errors in this SMTP session.
+
+Arguments:
+  type      error type, given as a log flag bit
+  code      response code; <= 0 means don't send a response
+  data      data to reflect in the response (can be NULL)
+  errmess   the error message
+
+Returns:    -1   limit of syntax/protocol errors NOT exceeded
+            +1   limit of syntax/protocol errors IS exceeded
+
+These values fit in with the values of the "done" variable in the main
+processing loop in smtp_setup_msg(). */
+
+static int
+synprot_error(int type, int code, uschar *data, uschar *errmess)
+{
+int yield = -1;
+
+log_write(type, LOG_MAIN, "SMTP %s error in \"%s\" %s %s",
+  type == L_smtp_syntax_error ? "syntax" : "protocol",
+  string_printing(smtp_cmd_buffer), host_and_ident(TRUE), errmess);
+
+if (++synprot_error_count > smtp_max_synprot_errors)
+  {
+  yield = 1;
+  log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
+    "syntax or protocol errors (last command was \"%s\", %s)",
+    host_and_ident(FALSE), string_printing(smtp_cmd_buffer),
+    string_from_gstring(s_connhad_log(NULL))
+    );
+  }
+
+if (code > 0)
+  {
+  smtp_printf("%d%c%s%s%s\r\n", FALSE, code, yield == 1 ? '-' : ' ',
+    data ? data : US"", data ? US": " : US"", errmess);
+  if (yield == 1)
+    smtp_printf("%d Too many syntax or protocol errors\r\n", FALSE, code);
+  }
+
+return yield;
+}
+
+
+
+
+/*************************************************
+*    Send SMTP response, possibly multiline      *
+*************************************************/
+
+/* There are, it seems, broken clients out there that cannot handle multiline
+responses. If no_multiline_responses is TRUE (it can be set from an ACL), we
+output nothing for non-final calls, and only the first line for anything else.
+
+Arguments:
+  code          SMTP code, may involve extended status codes
+  codelen       length of smtp code; if > 4 there's an ESC
+  final         FALSE if the last line isn't the final line
+  msg           message text, possibly containing newlines
+
+Returns:        nothing
+*/
+
+void
+smtp_respond(uschar* code, int codelen, BOOL final, uschar *msg)
+{
+int esclen = 0;
+uschar *esc = US"";
+
+if (!final && f.no_multiline_responses) return;
+
+if (codelen > 4)
+  {
+  esc = code + 4;
+  esclen = codelen - 4;
+  }
+
+/* If this is the first output for a (non-batch) RCPT command, see if all RCPTs
+have had the same. Note: this code is also present in smtp_printf(). It would
+be tidier to have it only in one place, but when it was added, it was easier to
+do it that way, so as not to have to mess with the code for the RCPT command,
+which sometimes uses smtp_printf() and sometimes smtp_respond(). */
+
+if (fl.rcpt_in_progress)
+  {
+  if (!rcpt_smtp_response)
+    rcpt_smtp_response = string_copy(msg);
+  else if (fl.rcpt_smtp_response_same &&
+           Ustrcmp(rcpt_smtp_response, msg) != 0)
+    fl.rcpt_smtp_response_same = FALSE;
+  fl.rcpt_in_progress = FALSE;
+  }
+
+/* Now output the message, splitting it up into multiple lines if necessary.
+We only handle pipelining these responses as far as nonfinal/final groups,
+not the whole MAIL/RCPT/DATA response set. */
+
+for (;;)
+  {
+  uschar *nl = Ustrchr(msg, '\n');
+  if (!nl)
+    {
+    smtp_printf("%.3s%c%.*s%s\r\n", !final, code, final ? ' ':'-', esclen, esc, msg);
+    return;
+    }
+  else if (nl[1] == 0 || f.no_multiline_responses)
+    {
+    smtp_printf("%.3s%c%.*s%.*s\r\n", !final, code, final ? ' ':'-', esclen, esc,
+      (int)(nl - msg), msg);
+    return;
+    }
+  else
+    {
+    smtp_printf("%.3s-%.*s%.*s\r\n", TRUE, code, esclen, esc, (int)(nl - msg), msg);
+    msg = nl + 1;
+    Uskip_whitespace(&msg);
+    }
+  }
+}
+
+
+
+
+/*************************************************
+*            Parse user SMTP message             *
+*************************************************/
+
+/* This function allows for user messages overriding the response code details
+by providing a suitable response code string at the start of the message
+user_msg. Check the message for starting with a response code and optionally an
+extended status code. If found, check that the first digit is valid, and if so,
+change the code pointer and length to use the replacement. An invalid code
+causes a panic log; in this case, if the log messages is the same as the user
+message, we must also adjust the value of the log message to show the code that
+is actually going to be used (the original one).
+
+This function is global because it is called from receive.c as well as within
+this module.
+
+Note that the code length returned includes the terminating whitespace
+character, which is always included in the regex match.
+
+Arguments:
+  code          SMTP code, may involve extended status codes
+  codelen       length of smtp code; if > 4 there's an ESC
+  msg           message text
+  log_msg       optional log message, to be adjusted with the new SMTP code
+  check_valid   if true, verify the response code
+
+Returns:        nothing
+*/
+
+void
+smtp_message_code(uschar **code, int *codelen, uschar **msg, uschar **log_msg,
+  BOOL check_valid)
+{
+uschar * match;
+int len;
+
+if (!msg || !*msg || !regex_match(regex_smtp_code, *msg, -1, &match))
+  return;
+
+len = Ustrlen(match);
+if (check_valid && (*msg)[0] != (*code)[0])
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "configured error code starts with "
+    "incorrect digit (expected %c) in \"%s\"", (*code)[0], *msg);
+  if (log_msg && *log_msg == *msg)
+    *log_msg = string_sprintf("%s %s", *code, *log_msg + len);
+  }
+else
+  {
+  *code = *msg;
+  *codelen = len;    /* Includes final space */
+  }
+*msg += len;         /* Chop the code off the message */
+return;
+}
+
+
+
+
+/*************************************************
+*           Handle an ACL failure                *
+*************************************************/
+
+/* This function is called when acl_check() fails. As well as calls from within
+this module, it is called from receive.c for an ACL after DATA. It sorts out
+logging the incident, and sends the error response. A message containing
+newlines is turned into a multiline SMTP response, but for logging, only the
+first line is used.
+
+There's a table of default permanent failure response codes to use in
+globals.c, along with the table of names. VFRY is special. Despite RFC1123 it
+defaults disabled in Exim. However, discussion in connection with RFC 821bis
+(aka RFC 2821) has concluded that the response should be 252 in the disabled
+state, because there are broken clients that try VRFY before RCPT. A 5xx
+response should be given only when the address is positively known to be
+undeliverable. Sigh. We return 252 if there is no VRFY ACL or it provides
+no explicit code, but if there is one we let it know best.
+Also, for ETRN, 458 is given on refusal, and for AUTH, 503.
+
+From Exim 4.63, it is possible to override the response code details by
+providing a suitable response code string at the start of the message provided
+in user_msg. The code's first digit is checked for validity.
+
+Arguments:
+  where        where the ACL was called from
+  rc           the failure code
+  user_msg     a message that can be included in an SMTP response
+  log_msg      a message for logging
+
+Returns:     0 in most cases
+             2 if the failure code was FAIL_DROP, in which case the
+               SMTP connection should be dropped (this value fits with the
+               "done" variable in smtp_setup_msg() below)
+*/
+
+int
+smtp_handle_acl_fail(int where, int rc, uschar *user_msg, uschar *log_msg)
+{
+BOOL drop = rc == FAIL_DROP;
+int codelen = 3;
+uschar *smtp_code;
+uschar *lognl;
+uschar *sender_info = US"";
+uschar *what;
+
+if (drop) rc = FAIL;
+
+/* Set the default SMTP code, and allow a user message to change it. */
+
+smtp_code = rc == FAIL ? acl_wherecodes[where] : US"451";
+smtp_message_code(&smtp_code, &codelen, &user_msg, &log_msg,
+  where != ACL_WHERE_VRFY);
+
+/* We used to have sender_address here; however, there was a bug that was not
+updating sender_address after a rewrite during a verify. When this bug was
+fixed, sender_address at this point became the rewritten address. I'm not sure
+this is what should be logged, so I've changed to logging the unrewritten
+address to retain backward compatibility. */
+
+switch (where)
+  {
+#ifdef WITH_CONTENT_SCAN
+  case ACL_WHERE_MIME:		what = US"during MIME ACL checks";	break;
+#endif
+  case ACL_WHERE_PREDATA:	what = US"DATA";			break;
+  case ACL_WHERE_DATA:		what = US"after DATA";			break;
+#ifndef DISABLE_PRDR
+  case ACL_WHERE_PRDR:		what = US"after DATA PRDR";		break;
+#endif
+  default:
+    {
+    uschar * place = smtp_cmd_data ? smtp_cmd_data : US"in \"connect\" ACL";
+    int lim = 100;
+
+    if (where == ACL_WHERE_AUTH)	/* avoid logging auth creds */
+      {
+      uschar * s;
+      for (s = smtp_cmd_data; *s && !isspace(*s); ) s++;
+      lim = s - smtp_cmd_data;	/* atop after method */
+      }
+    what = string_sprintf("%s %.*s", acl_wherenames[where], lim, place);
+    }
+  }
+switch (where)
+  {
+  case ACL_WHERE_RCPT:
+  case ACL_WHERE_DATA:
+#ifdef WITH_CONTENT_SCAN
+  case ACL_WHERE_MIME:
+#endif
+    sender_info = string_sprintf("F=<%s>%s%s%s%s ",
+      sender_address_unrewritten ? sender_address_unrewritten : sender_address,
+      sender_host_authenticated ? US" A="                                    : US"",
+      sender_host_authenticated ? sender_host_authenticated                  : US"",
+      sender_host_authenticated && authenticated_id ? US":"                  : US"",
+      sender_host_authenticated && authenticated_id ? authenticated_id       : US""
+      );
+  break;
+  }
+
+/* If there's been a sender verification failure with a specific message, and
+we have not sent a response about it yet, do so now, as a preliminary line for
+failures, but not defers. However, always log it for defer, and log it for fail
+unless the sender_verify_fail log selector has been turned off. */
+
+if (sender_verified_failed &&
+    !testflag(sender_verified_failed, af_sverify_told))
+  {
+  BOOL save_rcpt_in_progress = fl.rcpt_in_progress;
+  fl.rcpt_in_progress = FALSE;  /* So as not to treat these as the error */
+
+  setflag(sender_verified_failed, af_sverify_told);
+
+  if (rc != FAIL || LOGGING(sender_verify_fail))
+    log_write(0, LOG_MAIN|LOG_REJECT, "%s sender verify %s for <%s>%s",
+      host_and_ident(TRUE),
+      ((sender_verified_failed->special_action & 255) == DEFER)? "defer":"fail",
+      sender_verified_failed->address,
+      (sender_verified_failed->message == NULL)? US"" :
+      string_sprintf(": %s", sender_verified_failed->message));
+
+  if (rc == FAIL && sender_verified_failed->user_message)
+    smtp_respond(smtp_code, codelen, FALSE, string_sprintf(
+        testflag(sender_verified_failed, af_verify_pmfail)?
+          "Postmaster verification failed while checking <%s>\n%s\n"
+          "Several RFCs state that you are required to have a postmaster\n"
+          "mailbox for each mail domain. This host does not accept mail\n"
+          "from domains whose servers reject the postmaster address."
+          :
+        testflag(sender_verified_failed, af_verify_nsfail)?
+          "Callback setup failed while verifying <%s>\n%s\n"
+          "The initial connection, or a HELO or MAIL FROM:<> command was\n"
+          "rejected. Refusing MAIL FROM:<> does not help fight spam, disregards\n"
+          "RFC requirements, and stops you from receiving standard bounce\n"
+          "messages. This host does not accept mail from domains whose servers\n"
+          "refuse bounces."
+          :
+          "Verification failed for <%s>\n%s",
+        sender_verified_failed->address,
+        sender_verified_failed->user_message));
+
+  fl.rcpt_in_progress = save_rcpt_in_progress;
+  }
+
+/* Sort out text for logging */
+
+log_msg = log_msg ? string_sprintf(": %s", log_msg) : US"";
+if ((lognl = Ustrchr(log_msg, '\n'))) *lognl = 0;
+
+/* Send permanent failure response to the command, but the code used isn't
+always a 5xx one - see comments at the start of this function. If the original
+rc was FAIL_DROP we drop the connection and yield 2. */
+
+if (rc == FAIL)
+  smtp_respond(smtp_code, codelen, TRUE,
+    user_msg ? user_msg : US"Administrative prohibition");
+
+/* Send temporary failure response to the command. Don't give any details,
+unless acl_temp_details is set. This is TRUE for a callout defer, a "defer"
+verb, and for a header verify when smtp_return_error_details is set.
+
+This conditional logic is all somewhat of a mess because of the odd
+interactions between temp_details and return_error_details. One day it should
+be re-implemented in a tidier fashion. */
+
+else
+  if (f.acl_temp_details && user_msg)
+    {
+    if (  smtp_return_error_details
+       && sender_verified_failed
+       && sender_verified_failed->message
+       )
+      smtp_respond(smtp_code, codelen, FALSE, sender_verified_failed->message);
+
+    smtp_respond(smtp_code, codelen, TRUE, user_msg);
+    }
+  else
+    smtp_respond(smtp_code, codelen, TRUE,
+      US"Temporary local problem - please try later");
+
+/* Log the incident to the logs that are specified by log_reject_target
+(default main, reject). This can be empty to suppress logging of rejections. If
+the connection is not forcibly to be dropped, return 0. Otherwise, log why it
+is closing if required and return 2.  */
+
+if (log_reject_target != 0)
+  {
+#ifndef DISABLE_TLS
+  gstring * g = s_tlslog(NULL);
+  uschar * tls = string_from_gstring(g);
+  if (!tls) tls = US"";
+#else
+  uschar * tls = US"";
+#endif
+  log_write(where == ACL_WHERE_CONNECT ? L_connection_reject : 0,
+    log_reject_target, "%s%s%s %s%srejected %s%s",
+    LOGGING(dnssec) && sender_host_dnssec ? US" DS" : US"",
+    host_and_ident(TRUE),
+    tls,
+    sender_info,
+    rc == FAIL ? US"" : US"temporarily ",
+    what, log_msg);
+  }
+
+if (!drop) return 0;
+
+log_write(L_smtp_connection, LOG_MAIN, "%s closed by DROP in ACL",
+  smtp_get_connection_info());
+
+/* Run the not-quit ACL, but without any custom messages. This should not be a
+problem, because we get here only if some other ACL has issued "drop", and
+in that case, *its* custom messages will have been used above. */
+
+smtp_notquit_exit(US"acl-drop", NULL, NULL);
+return 2;
+}
+
+
+
+
+/*************************************************
+*     Handle SMTP exit when QUIT is not given    *
+*************************************************/
+
+/* This function provides a logging/statistics hook for when an SMTP connection
+is dropped on the floor or the other end goes away. It's a global function
+because it's called from receive.c as well as this module. As well as running
+the NOTQUIT ACL, if there is one, this function also outputs a final SMTP
+response, either with a custom message from the ACL, or using a default. There
+is one case, however, when no message is output - after "drop". In that case,
+the ACL that obeyed "drop" has already supplied the custom message, and NULL is
+passed to this function.
+
+In case things go wrong while processing this function, causing an error that
+may re-enter this function, there is a recursion check.
+
+Arguments:
+  reason          What $smtp_notquit_reason will be set to in the ACL;
+                    if NULL, the ACL is not run
+  code            The error code to return as part of the response
+  defaultrespond  The default message if there's no user_msg
+
+Returns:          Nothing
+*/
+
+void
+smtp_notquit_exit(uschar *reason, uschar *code, uschar *defaultrespond, ...)
+{
+int rc;
+uschar *user_msg = NULL;
+uschar *log_msg = NULL;
+
+/* Check for recursive call */
+
+if (fl.smtp_exit_function_called)
+  {
+  log_write(0, LOG_PANIC, "smtp_notquit_exit() called more than once (%s)",
+    reason);
+  return;
+  }
+fl.smtp_exit_function_called = TRUE;
+
+/* Call the not-QUIT ACL, if there is one, unless no reason is given. */
+
+if (acl_smtp_notquit && reason)
+  {
+  smtp_notquit_reason = reason;
+  if ((rc = acl_check(ACL_WHERE_NOTQUIT, NULL, acl_smtp_notquit, &user_msg,
+		      &log_msg)) == ERROR)
+    log_write(0, LOG_MAIN|LOG_PANIC, "ACL for not-QUIT returned ERROR: %s",
+      log_msg);
+  }
+
+/* If the connection was dropped, we certainly are no longer talking TLS */
+tls_in.active.sock = -1;
+
+/* Write an SMTP response if we are expected to give one. As the default
+responses are all internal, they should be reasonable size. */
+
+if (code && defaultrespond)
+  {
+  if (user_msg)
+    smtp_respond(code, 3, TRUE, user_msg);
+  else
+    {
+    gstring * g;
+    va_list ap;
+
+    va_start(ap, defaultrespond);
+    g = string_vformat(NULL, SVFMT_EXTEND|SVFMT_REBUFFER, CS defaultrespond, ap);
+    va_end(ap);
+    smtp_printf("%s %s\r\n", FALSE, code, string_from_gstring(g));
+    }
+  mac_smtp_fflush();
+  }
+}
+
+
+
+
+/*************************************************
+*             Verify HELO argument               *
+*************************************************/
+
+/* This function is called if helo_verify_hosts or helo_try_verify_hosts is
+matched. It is also called from ACL processing if verify = helo is used and
+verification was not previously tried (i.e. helo_try_verify_hosts was not
+matched). The result of its processing is to set helo_verified and
+helo_verify_failed. These variables should both be FALSE for this function to
+be called.
+
+Note that EHLO/HELO is legitimately allowed to quote an address literal. Allow
+for IPv6 ::ffff: literals.
+
+Argument:   none
+Returns:    TRUE if testing was completed;
+            FALSE on a temporary failure
+*/
+
+BOOL
+smtp_verify_helo(void)
+{
+BOOL yield = TRUE;
+
+HDEBUG(D_receive) debug_printf("verifying EHLO/HELO argument \"%s\"\n",
+  sender_helo_name);
+
+if (sender_helo_name == NULL)
+  {
+  HDEBUG(D_receive) debug_printf("no EHLO/HELO command was issued\n");
+  }
+
+/* Deal with the case of -bs without an IP address */
+
+else if (sender_host_address == NULL)
+  {
+  HDEBUG(D_receive) debug_printf("no client IP address: assume success\n");
+  f.helo_verified = TRUE;
+  }
+
+/* Deal with the more common case when there is a sending IP address */
+
+else if (sender_helo_name[0] == '[')
+  {
+  f.helo_verified = Ustrncmp(sender_helo_name+1, sender_host_address,
+    Ustrlen(sender_host_address)) == 0;
+
+#if HAVE_IPV6
+  if (!f.helo_verified)
+    {
+    if (strncmpic(sender_host_address, US"::ffff:", 7) == 0)
+      f.helo_verified = Ustrncmp(sender_helo_name + 1,
+        sender_host_address + 7, Ustrlen(sender_host_address) - 7) == 0;
+    }
+#endif
+
+  HDEBUG(D_receive)
+    { if (f.helo_verified) debug_printf("matched host address\n"); }
+  }
+
+/* Do a reverse lookup if one hasn't already given a positive or negative
+response. If that fails, or the name doesn't match, try checking with a forward
+lookup. */
+
+else
+  {
+  if (sender_host_name == NULL && !host_lookup_failed)
+    yield = host_name_lookup() != DEFER;
+
+  /* If a host name is known, check it and all its aliases. */
+
+  if (sender_host_name)
+    if ((f.helo_verified = strcmpic(sender_host_name, sender_helo_name) == 0))
+      {
+      sender_helo_dnssec = sender_host_dnssec;
+      HDEBUG(D_receive) debug_printf("matched host name\n");
+      }
+    else
+      {
+      uschar **aliases = sender_host_aliases;
+      while (*aliases)
+        if ((f.helo_verified = strcmpic(*aliases++, sender_helo_name) == 0))
+	  {
+	  sender_helo_dnssec = sender_host_dnssec;
+	  break;
+	  }
+
+      HDEBUG(D_receive) if (f.helo_verified)
+          debug_printf("matched alias %s\n", *(--aliases));
+      }
+
+  /* Final attempt: try a forward lookup of the helo name */
+
+  if (!f.helo_verified)
+    {
+    int rc;
+    host_item h =
+      {.name = sender_helo_name, .address = NULL, .mx = MX_NONE, .next = NULL};
+    dnssec_domains d =
+      {.request = US"*", .require = US""};
+
+    HDEBUG(D_receive) debug_printf("getting IP address for %s\n",
+      sender_helo_name);
+    rc = host_find_bydns(&h, NULL, HOST_FIND_BY_A | HOST_FIND_BY_AAAA,
+			  NULL, NULL, NULL, &d, NULL, NULL);
+    if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
+      for (host_item * hh = &h; hh; hh = hh->next)
+        if (Ustrcmp(hh->address, sender_host_address) == 0)
+          {
+          f.helo_verified = TRUE;
+	  if (h.dnssec == DS_YES) sender_helo_dnssec = TRUE;
+          HDEBUG(D_receive)
+            debug_printf("IP address for %s matches calling address\n"
+	      "Forward DNS security status: %sverified\n",
+              sender_helo_name, sender_helo_dnssec ? "" : "un");
+          break;
+          }
+    }
+  }
+
+if (!f.helo_verified) f.helo_verify_failed = TRUE;  /* We've tried ... */
+return yield;
+}
+
+
+
+
+/*************************************************
+*        Send user response message              *
+*************************************************/
+
+/* This function is passed a default response code and a user message. It calls
+smtp_message_code() to check and possibly modify the response code, and then
+calls smtp_respond() to transmit the response. I put this into a function
+just to avoid a lot of repetition.
+
+Arguments:
+  code         the response code
+  user_msg     the user message
+
+Returns:       nothing
+*/
+
+static void
+smtp_user_msg(uschar *code, uschar *user_msg)
+{
+int len = 3;
+smtp_message_code(&code, &len, &user_msg, NULL, TRUE);
+smtp_respond(code, len, TRUE, user_msg);
+}
+
+
+
+static int
+smtp_in_auth(auth_instance *au, uschar ** s, uschar ** ss)
+{
+const uschar *set_id = NULL;
+int rc;
+
+/* Set up globals for error messages */
+
+authenticator_name = au->name;
+driver_srcfile = au->srcfile;
+driver_srcline = au->srcline;
+
+/* Run the checking code, passing the remainder of the command line as
+data. Initials the $auth<n> variables as empty. Initialize $0 empty and set
+it as the only set numerical variable. The authenticator may set $auth<n>
+and also set other numeric variables. The $auth<n> variables are preferred
+nowadays; the numerical variables remain for backwards compatibility.
+
+Afterwards, have a go at expanding the set_id string, even if
+authentication failed - for bad passwords it can be useful to log the
+userid. On success, require set_id to expand and exist, and put it in
+authenticated_id. Save this in permanent store, as the working store gets
+reset at HELO, RSET, etc. */
+
+for (int i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
+expand_nmax = 0;
+expand_nlength[0] = 0;   /* $0 contains nothing */
+
+rc = (au->info->servercode)(au, smtp_cmd_data);
+if (au->set_id) set_id = expand_string(au->set_id);
+expand_nmax = -1;        /* Reset numeric variables */
+for (int i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;   /* Reset $auth<n> */
+driver_srcfile = authenticator_name = NULL; driver_srcline = 0;
+
+/* The value of authenticated_id is stored in the spool file and printed in
+log lines. It must not contain binary zeros or newline characters. In
+normal use, it never will, but when playing around or testing, this error
+can (did) happen. To guard against this, ensure that the id contains only
+printing characters. */
+
+if (set_id) set_id = string_printing(set_id);
+
+/* For the non-OK cases, set up additional logging data if set_id
+is not empty. */
+
+if (rc != OK)
+  set_id = set_id && *set_id
+    ? string_sprintf(" (set_id=%s)", set_id) : US"";
+
+/* Switch on the result */
+
+switch(rc)
+  {
+  case OK:
+    if (!au->set_id || set_id)    /* Complete success */
+      {
+      if (set_id) authenticated_id = string_copy_perm(set_id, TRUE);
+      sender_host_authenticated = au->name;
+      sender_host_auth_pubname  = au->public_name;
+      authentication_failed = FALSE;
+      authenticated_fail_id = NULL;   /* Impossible to already be set? */
+
+      received_protocol =
+	(sender_host_address ? protocols : protocols_local)
+	  [pextend + pauthed + (tls_in.active.sock >= 0 ? pcrpted:0)];
+      *s = *ss = US"235 Authentication succeeded";
+      authenticated_by = au;
+      break;
+      }
+
+    /* Authentication succeeded, but we failed to expand the set_id string.
+    Treat this as a temporary error. */
+
+    auth_defer_msg = expand_string_message;
+    /* Fall through */
+
+  case DEFER:
+    if (set_id) authenticated_fail_id = string_copy_perm(set_id, TRUE);
+    *s = string_sprintf("435 Unable to authenticate at present%s",
+      auth_defer_user_msg);
+    *ss = string_sprintf("435 Unable to authenticate at present%s: %s",
+      set_id, auth_defer_msg);
+    break;
+
+  case BAD64:
+    *s = *ss = US"501 Invalid base64 data";
+    break;
+
+  case CANCELLED:
+    *s = *ss = US"501 Authentication cancelled";
+    break;
+
+  case UNEXPECTED:
+    *s = *ss = US"553 Initial data not expected";
+    break;
+
+  case FAIL:
+    if (set_id) authenticated_fail_id = string_copy_perm(set_id, TRUE);
+    *s = US"535 Incorrect authentication data";
+    *ss = string_sprintf("535 Incorrect authentication data%s", set_id);
+    break;
+
+  default:
+    if (set_id) authenticated_fail_id = string_copy_perm(set_id, TRUE);
+    *s = US"435 Internal error";
+    *ss = string_sprintf("435 Internal error%s: return %d from authentication "
+      "check", set_id, rc);
+    break;
+  }
+
+return rc;
+}
+
+
+
+
+
+static int
+qualify_recipient(uschar ** recipient, uschar * smtp_cmd_data, uschar * tag)
+{
+int rd;
+if (f.allow_unqualified_recipient || strcmpic(*recipient, US"postmaster") == 0)
+  {
+  DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
+    *recipient);
+  rd = Ustrlen(recipient) + 1;
+  /* deconst ok as *recipient was not const */
+  *recipient = US rewrite_address_qualify(*recipient, TRUE);
+  return rd;
+  }
+smtp_printf("501 %s: recipient address must contain a domain\r\n", FALSE,
+  smtp_cmd_data);
+log_write(L_smtp_syntax_error,
+  LOG_MAIN|LOG_REJECT, "unqualified %s rejected: <%s> %s%s",
+  tag, *recipient, host_and_ident(TRUE), host_lookup_msg);
+return 0;
+}
+
+
+
+
+static void
+smtp_quit_handler(uschar ** user_msgp, uschar ** log_msgp)
+{
+HAD(SCH_QUIT);
+f.smtp_in_quit = TRUE;
+incomplete_transaction_log(US"QUIT");
+if (  acl_smtp_quit
+   && acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_quit, user_msgp, log_msgp)
+	== ERROR)
+    log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
+      *log_msgp);
+
+#ifdef EXIM_TCP_CORK
+(void) setsockopt(fileno(smtp_out), IPPROTO_TCP, EXIM_TCP_CORK, US &on, sizeof(on));
+#endif
+
+if (*user_msgp)
+  smtp_respond(US"221", 3, TRUE, *user_msgp);
+else
+  smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname);
+
+#ifdef SERVERSIDE_CLOSE_NOWAIT
+# ifndef DISABLE_TLS
+tls_close(NULL, TLS_SHUTDOWN_NOWAIT);
+# endif
+
+log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
+  smtp_get_connection_info());
+#else
+
+# ifndef DISABLE_TLS
+tls_close(NULL, TLS_SHUTDOWN_WAIT);
+# endif
+
+log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
+  smtp_get_connection_info());
+
+/* Pause, hoping client will FIN first so that they get the TIME_WAIT.
+The socket should become readble (though with no data) */
+
+(void) poll_one_fd(fileno(smtp_in), POLLIN, 200);
+#endif	/*!SERVERSIDE_CLOSE_NOWAIT*/
+}
+
+
+static void
+smtp_rset_handler(void)
+{
+HAD(SCH_RSET);
+incomplete_transaction_log(US"RSET");
+smtp_printf("250 Reset OK\r\n", FALSE);
+cmd_list[CMD_LIST_RSET].is_mail_cmd = FALSE;
+if (chunking_state > CHUNKING_OFFERED)
+  chunking_state = CHUNKING_OFFERED;
+}
+
+
+static int
+expand_mailmax(const uschar * s)
+{
+if (!(s = expand_cstring(s)))
+  log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand smtp_accept_max_per_connection");
+return *s ? Uatoi(s) : 0;
+}
+
+/*************************************************
+*       Initialize for SMTP incoming message     *
+*************************************************/
+
+/* This function conducts the initial dialogue at the start of an incoming SMTP
+message, and builds a list of recipients. However, if the incoming message
+is part of a batch (-bS option) a separate function is called since it would
+be messy having tests splattered about all over this function. This function
+therefore handles the case where interaction is occurring. The input and output
+files are set up in smtp_in and smtp_out.
+
+The global recipients_list is set to point to a vector of recipient_item
+blocks, whose number is given by recipients_count. This is extended by the
+receive_add_recipient() function. The global variable sender_address is set to
+the sender's address. The yield is +1 if a message has been successfully
+started, 0 if a QUIT command was encountered or the connection was refused from
+the particular host, or -1 if the connection was lost.
+
+Argument: none
+
+Returns:  > 0 message successfully started (reached DATA)
+          = 0 QUIT read or end of file reached or call refused
+          < 0 lost connection
+*/
+
+int
+smtp_setup_msg(void)
+{
+int done = 0;
+BOOL toomany = FALSE;
+BOOL discarded = FALSE;
+BOOL last_was_rej_mail = FALSE;
+BOOL last_was_rcpt = FALSE;
+rmark reset_point = store_mark();
+
+DEBUG(D_receive) debug_printf("smtp_setup_msg entered\n");
+
+/* Reset for start of new message. We allow one RSET not to be counted as a
+nonmail command, for those MTAs that insist on sending it between every
+message. Ditto for EHLO/HELO and for STARTTLS, to allow for going in and out of
+TLS between messages (an Exim client may do this if it has messages queued up
+for the host). Note: we do NOT reset AUTH at this point. */
+
+reset_point = smtp_reset(reset_point);
+message_ended = END_NOTSTARTED;
+
+chunking_state = f.chunking_offered ? CHUNKING_OFFERED : CHUNKING_NOT_OFFERED;
+
+cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE;
+cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE;
+cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
+#ifndef DISABLE_TLS
+cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE;
+#endif
+
+if (lwr_receive_getc != NULL)
+  {
+  /* This should have already happened, but if we've gotten confused,
+  force a reset here. */
+  DEBUG(D_receive) debug_printf("WARNING: smtp_setup_msg had to restore receive functions to lowers\n");
+  bdat_pop_receive_functions();
+  }
+
+/* Set the local signal handler for SIGTERM - it tries to end off tidily */
+
+had_command_sigterm = 0;
+os_non_restarting_signal(SIGTERM, command_sigterm_handler);
+
+/* Batched SMTP is handled in a different function. */
+
+if (smtp_batched_input) return smtp_setup_batch_msg();
+
+#ifdef TCP_QUICKACK
+if (smtp_in)		/* Avoid pure-ACKs while in cmd pingpong phase */
+  (void) setsockopt(fileno(smtp_in), IPPROTO_TCP, TCP_QUICKACK,
+	  US &off, sizeof(off));
+#endif
+
+/* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
+value. The values are 2 larger than the required yield of the function. */
+
+while (done <= 0)
+  {
+  const uschar **argv;
+  uschar *etrn_command;
+  uschar *etrn_serialize_key;
+  uschar *errmess;
+  uschar *log_msg, *smtp_code;
+  uschar *user_msg = NULL;
+  uschar *recipient = NULL;
+  uschar *hello = NULL;
+  uschar *s, *ss;
+  BOOL was_rej_mail = FALSE;
+  BOOL was_rcpt = FALSE;
+  void (*oldsignal)(int);
+  pid_t pid;
+  int start, end, sender_domain, recipient_domain;
+  int rc;
+  int c;
+  uschar *orcpt = NULL;
+  int dsn_flags;
+  gstring * g;
+
+#ifdef AUTH_TLS
+  /* Check once per STARTTLS or SSL-on-connect for a TLS AUTH */
+  if (  tls_in.active.sock >= 0
+     && tls_in.peercert
+     && tls_in.certificate_verified
+     && cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd
+     )
+    {
+    cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = FALSE;
+
+    for (auth_instance * au = auths; au; au = au->next)
+      if (strcmpic(US"tls", au->driver_name) == 0)
+	{
+	if (  acl_smtp_auth
+	   && (rc = acl_check(ACL_WHERE_AUTH, NULL, acl_smtp_auth,
+		      &user_msg, &log_msg)) != OK
+	   )
+	  done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
+	else
+	  {
+	  smtp_cmd_data = NULL;
+
+	  if (smtp_in_auth(au, &s, &ss) == OK)
+	    { DEBUG(D_auth) debug_printf("tls auth succeeded\n"); }
+	  else
+	    { DEBUG(D_auth) debug_printf("tls auth not succeeded\n"); }
+	  }
+	break;
+	}
+    }
+#endif
+
+  switch(smtp_read_command(
+#ifndef DISABLE_PIPE_CONNECT
+	  !fl.pipe_connect_acceptable,
+#else
+	  TRUE,
+#endif
+	  GETC_BUFFER_UNLIMITED))
+    {
+    /* The AUTH command is not permitted to occur inside a transaction, and may
+    occur successfully only once per connection. Actually, that isn't quite
+    true. When TLS is started, all previous information about a connection must
+    be discarded, so a new AUTH is permitted at that time.
+
+    AUTH may only be used when it has been advertised. However, it seems that
+    there are clients that send AUTH when it hasn't been advertised, some of
+    them even doing this after HELO. And there are MTAs that accept this. Sigh.
+    So there's a get-out that allows this to happen.
+
+    AUTH is initially labelled as a "nonmail command" so that one occurrence
+    doesn't get counted. We change the label here so that multiple failing
+    AUTHS will eventually hit the nonmail threshold. */
+
+    case AUTH_CMD:
+      HAD(SCH_AUTH);
+      authentication_failed = TRUE;
+      cmd_list[CMD_LIST_AUTH].is_mail_cmd = FALSE;
+
+      if (!fl.auth_advertised && !f.allow_auth_unadvertised)
+	{
+	done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	  US"AUTH command used when not advertised");
+	break;
+	}
+      if (sender_host_authenticated)
+	{
+	done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	  US"already authenticated");
+	break;
+	}
+      if (sender_address)
+	{
+	done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	  US"not permitted in mail transaction");
+	break;
+	}
+
+      /* Check the ACL */
+
+      if (  acl_smtp_auth
+	 && (rc = acl_check(ACL_WHERE_AUTH, NULL, acl_smtp_auth,
+		    &user_msg, &log_msg)) != OK
+	 )
+	{
+	done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
+	break;
+	}
+
+      /* Find the name of the requested authentication mechanism. */
+
+      s = smtp_cmd_data;
+      for (; (c = *smtp_cmd_data) && !isspace(c); smtp_cmd_data++)
+	if (!isalnum(c) && c != '-' && c != '_')
+	  {
+	  done = synprot_error(L_smtp_syntax_error, 501, NULL,
+	    US"invalid character in authentication mechanism name");
+	  goto COMMAND_LOOP;
+	  }
+
+      /* If not at the end of the line, we must be at white space. Terminate the
+      name and move the pointer on to any data that may be present. */
+
+      if (*smtp_cmd_data)
+	{
+	*smtp_cmd_data++ = 0;
+	while (isspace(*smtp_cmd_data)) smtp_cmd_data++;
+	}
+
+      /* Search for an authentication mechanism which is configured for use
+      as a server and which has been advertised (unless, sigh, allow_auth_
+      unadvertised is set). */
+
+	{
+	auth_instance * au;
+	for (au = auths; au; au = au->next)
+	  if (strcmpic(s, au->public_name) == 0 && au->server &&
+	      (au->advertised || f.allow_auth_unadvertised))
+	    break;
+
+	if (au)
+	  {
+	  c = smtp_in_auth(au, &s, &ss);
+
+	  smtp_printf("%s\r\n", FALSE, s);
+	  if (c != OK)
+	    log_write(0, LOG_MAIN|LOG_REJECT, "%s authenticator failed for %s: %s",
+	      au->name, host_and_ident(FALSE), ss);
+	  }
+	else
+	  done = synprot_error(L_smtp_protocol_error, 504, NULL,
+	    string_sprintf("%s authentication mechanism not supported", s));
+	}
+
+      break;  /* AUTH_CMD */
+
+    /* The HELO/EHLO commands are permitted to appear in the middle of a
+    session as well as at the beginning. They have the effect of a reset in
+    addition to their other functions. Their absence at the start cannot be
+    taken to be an error.
+
+    RFC 2821 says:
+
+      If the EHLO command is not acceptable to the SMTP server, 501, 500,
+      or 502 failure replies MUST be returned as appropriate.  The SMTP
+      server MUST stay in the same state after transmitting these replies
+      that it was in before the EHLO was received.
+
+    Therefore, we do not do the reset until after checking the command for
+    acceptability. This change was made for Exim release 4.11. Previously
+    it did the reset first. */
+
+    case HELO_CMD:
+      HAD(SCH_HELO);
+      hello = US"HELO";
+      fl.esmtp = FALSE;
+      goto HELO_EHLO;
+
+    case EHLO_CMD:
+      HAD(SCH_EHLO);
+      hello = US"EHLO";
+      fl.esmtp = TRUE;
+
+    HELO_EHLO:      /* Common code for HELO and EHLO */
+      cmd_list[CMD_LIST_HELO].is_mail_cmd = FALSE;
+      cmd_list[CMD_LIST_EHLO].is_mail_cmd = FALSE;
+
+      /* Reject the HELO if its argument was invalid or non-existent. A
+      successful check causes the argument to be saved in malloc store. */
+
+      if (!check_helo(smtp_cmd_data))
+	{
+	smtp_printf("501 Syntactically invalid %s argument(s)\r\n", FALSE, hello);
+
+	log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
+	  "invalid argument(s): %s", hello, host_and_ident(FALSE),
+	  *smtp_cmd_argument == 0 ? US"(no argument given)" :
+			     string_printing(smtp_cmd_argument));
+
+	if (++synprot_error_count > smtp_max_synprot_errors)
+	  {
+	  log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
+	    "syntax or protocol errors (last command was \"%s\", %s)",
+	    host_and_ident(FALSE), string_printing(smtp_cmd_buffer),
+	    string_from_gstring(s_connhad_log(NULL))
+	    );
+	  done = 1;
+	  }
+
+	break;
+	}
+
+      /* If sender_host_unknown is true, we have got here via the -bs interface,
+      not called from inetd. Otherwise, we are running an IP connection and the
+      host address will be set. If the helo name is the primary name of this
+      host and we haven't done a reverse lookup, force one now. If helo_verify_required
+      is set, ensure that the HELO name matches the actual host. If helo_verify
+      is set, do the same check, but softly. */
+
+      if (!f.sender_host_unknown)
+	{
+	BOOL old_helo_verified = f.helo_verified;
+	uschar *p = smtp_cmd_data;
+
+	while (*p != 0 && !isspace(*p)) { *p = tolower(*p); p++; }
+	*p = 0;
+
+	/* Force a reverse lookup if HELO quoted something in helo_lookup_domains
+	because otherwise the log can be confusing. */
+
+	if (  !sender_host_name
+	   && match_isinlist(sender_helo_name, CUSS &helo_lookup_domains, 0,
+		&domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK)
+	  (void)host_name_lookup();
+
+	/* Rebuild the fullhost info to include the HELO name (and the real name
+	if it was looked up.) */
+
+	host_build_sender_fullhost();  /* Rebuild */
+	set_process_info("handling%s incoming connection from %s",
+	  tls_in.active.sock >= 0 ? " TLS" : "", host_and_ident(FALSE));
+
+	/* Verify if configured. This doesn't give much security, but it does
+	make some people happy to be able to do it. If helo_verify_required is set,
+	(host matches helo_verify_hosts) failure forces rejection. If helo_verify
+	is set (host matches helo_try_verify_hosts), it does not. This is perhaps
+	now obsolescent, since the verification can now be requested selectively
+	at ACL time. */
+
+	f.helo_verified = f.helo_verify_failed = sender_helo_dnssec = FALSE;
+	if (fl.helo_verify_required || fl.helo_verify)
+	  {
+	  BOOL tempfail = !smtp_verify_helo();
+	  if (!f.helo_verified)
+	    {
+	    if (fl.helo_verify_required)
+	      {
+	      smtp_printf("%d %s argument does not match calling host\r\n", FALSE,
+		tempfail? 451 : 550, hello);
+	      log_write(0, LOG_MAIN|LOG_REJECT, "%srejected \"%s %s\" from %s",
+		tempfail? "temporarily " : "",
+		hello, sender_helo_name, host_and_ident(FALSE));
+	      f.helo_verified = old_helo_verified;
+	      break;                   /* End of HELO/EHLO processing */
+	      }
+	    HDEBUG(D_all) debug_printf("%s verification failed but host is in "
+	      "helo_try_verify_hosts\n", hello);
+	    }
+	  }
+	}
+
+#ifdef SUPPORT_SPF
+      /* set up SPF context */
+      spf_conn_init(sender_helo_name, sender_host_address);
+#endif
+
+      /* Apply an ACL check if one is defined; afterwards, recheck
+      synchronization in case the client started sending in a delay. */
+
+      if (acl_smtp_helo)
+	if ((rc = acl_check(ACL_WHERE_HELO, NULL, acl_smtp_helo,
+		  &user_msg, &log_msg)) != OK)
+	  {
+	  done = smtp_handle_acl_fail(ACL_WHERE_HELO, rc, user_msg, log_msg);
+	  sender_helo_name = NULL;
+	  host_build_sender_fullhost();  /* Rebuild */
+	  break;
+	  }
+#ifndef DISABLE_PIPE_CONNECT
+	else if (!fl.pipe_connect_acceptable && !check_sync())
+#else
+	else if (!check_sync())
+#endif
+	  goto SYNC_FAILURE;
+
+      /* Generate an OK reply. The default string includes the ident if present,
+      and also the IP address if present. Reflecting back the ident is intended
+      as a deterrent to mail forgers. For maximum efficiency, and also because
+      some broken systems expect each response to be in a single packet, arrange
+      that the entire reply is sent in one write(). */
+
+      fl.auth_advertised = FALSE;
+      f.smtp_in_pipelining_advertised = FALSE;
+#ifndef DISABLE_TLS
+      fl.tls_advertised = FALSE;
+#endif
+      fl.dsn_advertised = FALSE;
+#ifdef SUPPORT_I18N
+      fl.smtputf8_advertised = FALSE;
+#endif
+
+      /* Expand the per-connection message count limit option */
+      smtp_mailcmd_max = expand_mailmax(smtp_accept_max_per_connection);
+
+      smtp_code = US"250 ";        /* Default response code plus space*/
+      if (!user_msg)
+	{
+	/* sender_host_name below will be tainted, so save on copy when we hit it */
+	g = string_get_tainted(24, GET_TAINTED);
+	g = string_fmt_append(g, "%.3s %s Hello %s%s%s",
+	  smtp_code,
+	  smtp_active_hostname,
+	  sender_ident ? sender_ident : US"",
+	  sender_ident ? US" at " : US"",
+	  sender_host_name ? sender_host_name : sender_helo_name);
+
+	if (sender_host_address)
+	  g = string_fmt_append(g, " [%s]", sender_host_address);
+	}
+
+      /* A user-supplied EHLO greeting may not contain more than one line. Note
+      that the code returned by smtp_message_code() includes the terminating
+      whitespace character. */
+
+      else
+	{
+	char *ss;
+	int codelen = 4;
+	smtp_message_code(&smtp_code, &codelen, &user_msg, NULL, TRUE);
+	s = string_sprintf("%.*s%s", codelen, smtp_code, user_msg);
+	if ((ss = strpbrk(CS s, "\r\n")) != NULL)
+	  {
+	  log_write(0, LOG_MAIN|LOG_PANIC, "EHLO/HELO response must not contain "
+	    "newlines: message truncated: %s", string_printing(s));
+	  *ss = 0;
+	  }
+	g = string_cat(NULL, s);
+	}
+
+      g = string_catn(g, US"\r\n", 2);
+
+      /* If we received EHLO, we must create a multiline response which includes
+      the functions supported. */
+
+      if (fl.esmtp)
+	{
+	g->s[3] = '-';
+
+	/* I'm not entirely happy with this, as an MTA is supposed to check
+	that it has enough room to accept a message of maximum size before
+	it sends this. However, there seems little point in not sending it.
+	The actual size check happens later at MAIL FROM time. By postponing it
+	till then, VRFY and EXPN can be used after EHLO when space is short. */
+
+	if (thismessage_size_limit > 0)
+	  g = string_fmt_append(g, "%.3s-SIZE %d\r\n", smtp_code,
+	    thismessage_size_limit);
+	else
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-SIZE\r\n", 7);
+	  }
+
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+	if (  (smtp_mailcmd_max > 0 || recipients_max)
+	   && verify_check_host(&limits_advertise_hosts) == OK)
+	  {
+	  g = string_fmt_append(g, "%.3s-LIMITS", smtp_code);
+	  if (smtp_mailcmd_max > 0)
+	    g = string_fmt_append(g, " MAILMAX=%d", smtp_mailcmd_max);
+	  if (recipients_max)
+	    g = string_fmt_append(g, " RCPTMAX=%d", recipients_max);
+	  g = string_catn(g, US"\r\n", 2);
+	  }
+#endif
+
+	/* Exim does not do protocol conversion or data conversion. It is 8-bit
+	clean; if it has an 8-bit character in its hand, it just sends it. It
+	cannot therefore specify 8BITMIME and remain consistent with the RFCs.
+	However, some users want this option simply in order to stop MUAs
+	mangling messages that contain top-bit-set characters. It is therefore
+	provided as an option. */
+
+	if (accept_8bitmime)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-8BITMIME\r\n", 11);
+	  }
+
+	/* Advertise DSN support if configured to do so. */
+	if (verify_check_host(&dsn_advertise_hosts) != FAIL)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-DSN\r\n", 6);
+	  fl.dsn_advertised = TRUE;
+	  }
+
+	/* Advertise ETRN/VRFY/EXPN if there's are ACL checking whether a host is
+	permitted to issue them; a check is made when any host actually tries. */
+
+	if (acl_smtp_etrn)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-ETRN\r\n", 7);
+	  }
+	if (acl_smtp_vrfy)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-VRFY\r\n", 7);
+	  }
+	if (acl_smtp_expn)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-EXPN\r\n", 7);
+	  }
+
+	/* Exim is quite happy with pipelining, so let the other end know that
+	it is safe to use it, unless advertising is disabled. */
+
+	if (  f.pipelining_enable
+	   && verify_check_host(&pipelining_advertise_hosts) == OK)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-PIPELINING\r\n", 13);
+	  sync_cmd_limit = NON_SYNC_CMD_PIPELINING;
+	  f.smtp_in_pipelining_advertised = TRUE;
+
+#ifndef DISABLE_PIPE_CONNECT
+	  if (fl.pipe_connect_acceptable)
+	    {
+	    f.smtp_in_early_pipe_advertised = TRUE;
+	    g = string_catn(g, smtp_code, 3);
+	    g = string_catn(g, US"-" EARLY_PIPE_FEATURE_NAME "\r\n", EARLY_PIPE_FEATURE_LEN+3);
+	    }
+#endif
+	  }
+
+
+	/* If any server authentication mechanisms are configured, advertise
+	them if the current host is in auth_advertise_hosts. The problem with
+	advertising always is that some clients then require users to
+	authenticate (and aren't configurable otherwise) even though it may not
+	be necessary (e.g. if the host is in host_accept_relay).
+
+	RFC 2222 states that SASL mechanism names contain only upper case
+	letters, so output the names in upper case, though we actually recognize
+	them in either case in the AUTH command. */
+
+	if (  auths
+#ifdef AUTH_TLS
+	   && !sender_host_authenticated
+#endif
+	   && verify_check_host(&auth_advertise_hosts) == OK
+	   )
+	  {
+	  BOOL first = TRUE;
+	  for (auth_instance * au = auths; au; au = au->next)
+	    {
+	    au->advertised = FALSE;
+	    if (au->server)
+	      {
+	      DEBUG(D_auth+D_expand) debug_printf_indent(
+		"Evaluating advertise_condition for %s %s athenticator\n",
+		au->name, au->public_name);
+	      if (  !au->advertise_condition
+		 || expand_check_condition(au->advertise_condition, au->name,
+			US"authenticator")
+		 )
+		{
+		int saveptr;
+		if (first)
+		  {
+		  g = string_catn(g, smtp_code, 3);
+		  g = string_catn(g, US"-AUTH", 5);
+		  first = FALSE;
+		  fl.auth_advertised = TRUE;
+		  }
+		saveptr = g->ptr;
+		g = string_catn(g, US" ", 1);
+		g = string_cat (g, au->public_name);
+		while (++saveptr < g->ptr) g->s[saveptr] = toupper(g->s[saveptr]);
+		au->advertised = TRUE;
+		}
+	      }
+	    }
+
+	  if (!first) g = string_catn(g, US"\r\n", 2);
+	  }
+
+	/* RFC 3030 CHUNKING */
+
+	if (verify_check_host(&chunking_advertise_hosts) != FAIL)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-CHUNKING\r\n", 11);
+	  f.chunking_offered = TRUE;
+	  chunking_state = CHUNKING_OFFERED;
+	  }
+
+	/* Advertise TLS (Transport Level Security) aka SSL (Secure Socket Layer)
+	if it has been included in the binary, and the host matches
+	tls_advertise_hosts. We must *not* advertise if we are already in a
+	secure connection. */
+
+#ifndef DISABLE_TLS
+	if (tls_in.active.sock < 0 &&
+	    verify_check_host(&tls_advertise_hosts) != FAIL)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-STARTTLS\r\n", 11);
+	  fl.tls_advertised = TRUE;
+	  }
+#endif
+
+#ifndef DISABLE_PRDR
+	/* Per Recipient Data Response, draft by Eric A. Hall extending RFC */
+	if (prdr_enable)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-PRDR\r\n", 7);
+	  }
+#endif
+
+#ifdef SUPPORT_I18N
+	if (  accept_8bitmime
+	   && verify_check_host(&smtputf8_advertise_hosts) != FAIL)
+	  {
+	  g = string_catn(g, smtp_code, 3);
+	  g = string_catn(g, US"-SMTPUTF8\r\n", 11);
+	  fl.smtputf8_advertised = TRUE;
+	  }
+#endif
+
+	/* Finish off the multiline reply with one that is always available. */
+
+	g = string_catn(g, smtp_code, 3);
+	g = string_catn(g, US" HELP\r\n", 7);
+	}
+
+      /* Terminate the string (for debug), write it, and note that HELO/EHLO
+      has been seen. */
+
+#ifndef DISABLE_TLS
+      if (tls_in.active.sock >= 0)
+	(void)tls_write(NULL, g->s, g->ptr,
+# ifndef DISABLE_PIPE_CONNECT
+			fl.pipe_connect_acceptable && pipeline_connect_sends());
+# else
+			FALSE);
+# endif
+      else
+#endif
+	(void) fwrite(g->s, 1, g->ptr, smtp_out);
+
+      DEBUG(D_receive) for (const uschar * t, * s = string_from_gstring(g);
+			    s && (t = Ustrchr(s, '\r'));
+			    s = t + 2)				/* \r\n */
+	  debug_printf("%s %.*s\n",
+			s == g->s ? "SMTP>>" : "      ",
+			(int)(t - s), s);
+      fl.helo_seen = TRUE;
+
+      /* Reset the protocol and the state, abandoning any previous message. */
+      received_protocol =
+	(sender_host_address ? protocols : protocols_local)
+	  [ (fl.esmtp
+	    ? pextend + (sender_host_authenticated ? pauthed : 0)
+	    : pnormal)
+	  + (tls_in.active.sock >= 0 ? pcrpted : 0)
+	  ];
+      cancel_cutthrough_connection(TRUE, US"sent EHLO response");
+      reset_point = smtp_reset(reset_point);
+      toomany = FALSE;
+      break;   /* HELO/EHLO */
+
+
+    /* The MAIL command requires an address as an operand. All we do
+    here is to parse it for syntactic correctness. The form "<>" is
+    a special case which converts into an empty string. The start/end
+    pointers in the original are not used further for this address, as
+    it is the canonical extracted address which is all that is kept. */
+
+    case MAIL_CMD:
+      HAD(SCH_MAIL);
+      smtp_mailcmd_count++;              /* Count for limit and ratelimit */
+      message_start();
+      was_rej_mail = TRUE;               /* Reset if accepted */
+      env_mail_type_t * mail_args;       /* Sanity check & validate args */
+
+      if (!fl.helo_seen)
+	if (  fl.helo_verify_required
+	   || verify_check_host(&hosts_require_helo) == OK)
+	  {
+	  smtp_printf("503 HELO or EHLO required\r\n", FALSE);
+	  log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL from %s: no "
+	    "HELO/EHLO given", host_and_ident(FALSE));
+	  break;
+	  }
+	else if (smtp_mailcmd_max < 0)
+	  smtp_mailcmd_max = expand_mailmax(smtp_accept_max_per_connection);
+
+      if (sender_address)
+	{
+	done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	  US"sender already given");
+	break;
+	}
+
+      if (!*smtp_cmd_data)
+	{
+	done = synprot_error(L_smtp_protocol_error, 501, NULL,
+	  US"MAIL must have an address operand");
+	break;
+	}
+
+      /* Check to see if the limit for messages per connection would be
+      exceeded by accepting further messages. */
+
+      if (smtp_mailcmd_max > 0 && smtp_mailcmd_count > smtp_mailcmd_max)
+	{
+	smtp_printf("421 too many messages in this connection\r\n", FALSE);
+	log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL command %s: too many "
+	  "messages in one connection", host_and_ident(TRUE));
+	break;
+	}
+
+      /* Reset for start of message - even if this is going to fail, we
+      obviously need to throw away any previous data. */
+
+      cancel_cutthrough_connection(TRUE, US"MAIL received");
+      reset_point = smtp_reset(reset_point);
+      toomany = FALSE;
+      sender_data = recipient_data = NULL;
+
+      /* Loop, checking for ESMTP additions to the MAIL FROM command. */
+
+      if (fl.esmtp) for(;;)
+	{
+	uschar *name, *value, *end;
+	unsigned long int size;
+	BOOL arg_error = FALSE;
+
+	if (!extract_option(&name, &value)) break;
+
+	for (mail_args = env_mail_type_list;
+	     mail_args->value != ENV_MAIL_OPT_NULL;
+	     mail_args++
+	    )
+	  if (strcmpic(name, mail_args->name) == 0)
+	    break;
+	if (mail_args->need_value && strcmpic(value, US"") == 0)
+	  break;
+
+	switch(mail_args->value)
+	  {
+	  /* Handle SIZE= by reading the value. We don't do the check till later,
+	  in order to be able to log the sender address on failure. */
+	  case ENV_MAIL_OPT_SIZE:
+	    if (((size = Ustrtoul(value, &end, 10)), *end == 0))
+	      {
+	      if ((size == ULONG_MAX && errno == ERANGE) || size > INT_MAX)
+		size = INT_MAX;
+	      message_size = (int)size;
+	      }
+	    else
+	      arg_error = TRUE;
+	    break;
+
+	  /* If this session was initiated with EHLO and accept_8bitmime is set,
+	  Exim will have indicated that it supports the BODY=8BITMIME option. In
+	  fact, it does not support this according to the RFCs, in that it does not
+	  take any special action for forwarding messages containing 8-bit
+	  characters. That is why accept_8bitmime is not the default setting, but
+	  some sites want the action that is provided. We recognize both "8BITMIME"
+	  and "7BIT" as body types, but take no action. */
+	  case ENV_MAIL_OPT_BODY:
+	    if (accept_8bitmime) {
+	      if (strcmpic(value, US"8BITMIME") == 0)
+		body_8bitmime = 8;
+	      else if (strcmpic(value, US"7BIT") == 0)
+		body_8bitmime = 7;
+	      else
+		{
+		body_8bitmime = 0;
+		done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		  US"invalid data for BODY");
+		goto COMMAND_LOOP;
+		}
+	      DEBUG(D_receive) debug_printf("8BITMIME: %d\n", body_8bitmime);
+	      break;
+	    }
+	    arg_error = TRUE;
+	    break;
+
+	  /* Handle the two DSN options, but only if configured to do so (which
+	  will have caused "DSN" to be given in the EHLO response). The code itself
+	  is included only if configured in at build time. */
+
+	  case ENV_MAIL_OPT_RET:
+	    if (fl.dsn_advertised)
+	      {
+	      /* Check if RET has already been set */
+	      if (dsn_ret > 0)
+		{
+		done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		  US"RET can be specified once only");
+		goto COMMAND_LOOP;
+		}
+	      dsn_ret = strcmpic(value, US"HDRS") == 0
+		? dsn_ret_hdrs
+		: strcmpic(value, US"FULL") == 0
+		? dsn_ret_full
+		: 0;
+	      DEBUG(D_receive) debug_printf("DSN_RET: %d\n", dsn_ret);
+	      /* Check for invalid invalid value, and exit with error */
+	      if (dsn_ret == 0)
+		{
+		done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		  US"Value for RET is invalid");
+		goto COMMAND_LOOP;
+		}
+	      }
+	    break;
+	  case ENV_MAIL_OPT_ENVID:
+	    if (fl.dsn_advertised)
+	      {
+	      /* Check if the dsn envid has been already set */
+	      if (dsn_envid)
+		{
+		done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		  US"ENVID can be specified once only");
+		goto COMMAND_LOOP;
+		}
+	      dsn_envid = string_copy(value);
+	      DEBUG(D_receive) debug_printf("DSN_ENVID: %s\n", dsn_envid);
+	      }
+	    break;
+
+	  /* Handle the AUTH extension. If the value given is not "<>" and either
+	  the ACL says "yes" or there is no ACL but the sending host is
+	  authenticated, we set it up as the authenticated sender. However, if the
+	  authenticator set a condition to be tested, we ignore AUTH on MAIL unless
+	  the condition is met. The value of AUTH is an xtext, which means that +,
+	  = and cntrl chars are coded in hex; however "<>" is unaffected by this
+	  coding. */
+	  case ENV_MAIL_OPT_AUTH:
+	    if (Ustrcmp(value, "<>") != 0)
+	      {
+	      int rc;
+	      uschar *ignore_msg;
+
+	      if (auth_xtextdecode(value, &authenticated_sender) < 0)
+		{
+		/* Put back terminator overrides for error message */
+		value[-1] = '=';
+		name[-1] = ' ';
+		done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		  US"invalid data for AUTH");
+		goto COMMAND_LOOP;
+		}
+	      if (!acl_smtp_mailauth)
+		{
+		ignore_msg = US"client not authenticated";
+		rc = sender_host_authenticated ? OK : FAIL;
+		}
+	      else
+		{
+		ignore_msg = US"rejected by ACL";
+		rc = acl_check(ACL_WHERE_MAILAUTH, NULL, acl_smtp_mailauth,
+		  &user_msg, &log_msg);
+		}
+
+	      switch (rc)
+		{
+		case OK:
+		  if (authenticated_by == NULL ||
+		      authenticated_by->mail_auth_condition == NULL ||
+		      expand_check_condition(authenticated_by->mail_auth_condition,
+			  authenticated_by->name, US"authenticator"))
+		    break;     /* Accept the AUTH */
+
+		  ignore_msg = US"server_mail_auth_condition failed";
+		  if (authenticated_id != NULL)
+		    ignore_msg = string_sprintf("%s: authenticated ID=\"%s\"",
+		      ignore_msg, authenticated_id);
+
+		/* Fall through */
+
+		case FAIL:
+		  authenticated_sender = NULL;
+		  log_write(0, LOG_MAIN, "ignoring AUTH=%s from %s (%s)",
+		    value, host_and_ident(TRUE), ignore_msg);
+		  break;
+
+		/* Should only get DEFER or ERROR here. Put back terminator
+		overrides for error message */
+
+		default:
+		  value[-1] = '=';
+		  name[-1] = ' ';
+		  (void)smtp_handle_acl_fail(ACL_WHERE_MAILAUTH, rc, user_msg,
+		    log_msg);
+		  goto COMMAND_LOOP;
+		}
+	      }
+	      break;
+
+#ifndef DISABLE_PRDR
+	  case ENV_MAIL_OPT_PRDR:
+	    if (prdr_enable)
+	      prdr_requested = TRUE;
+	    break;
+#endif
+
+#ifdef SUPPORT_I18N
+	  case ENV_MAIL_OPT_UTF8:
+	    if (!fl.smtputf8_advertised)
+	      {
+	      done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		US"SMTPUTF8 used when not advertised");
+	      goto COMMAND_LOOP;
+	      }
+
+	    DEBUG(D_receive) debug_printf("smtputf8 requested\n");
+	    message_smtputf8 = allow_utf8_domains = TRUE;
+	    if (Ustrncmp(received_protocol, US"utf8", 4) != 0)
+	      {
+	      int old_pool = store_pool;
+	      store_pool = POOL_PERM;
+	      received_protocol = string_sprintf("utf8%s", received_protocol);
+	      store_pool = old_pool;
+	      }
+	    break;
+#endif
+
+	  /* No valid option. Stick back the terminator characters and break
+	  the loop.  Do the name-terminator second as extract_option sets
+	  value==name when it found no equal-sign.
+	  An error for a malformed address will occur. */
+	  case ENV_MAIL_OPT_NULL:
+	    value[-1] = '=';
+	    name[-1] = ' ';
+	    arg_error = TRUE;
+	    break;
+
+	  default:  assert(0);
+	  }
+	/* Break out of for loop if switch() had bad argument or
+	   when start of the email address is reached */
+	if (arg_error) break;
+	}
+
+      /* If we have passed the threshold for rate limiting, apply the current
+      delay, and update it for next time, provided this is a limited host. */
+
+      if (smtp_mailcmd_count > smtp_rlm_threshold &&
+	  verify_check_host(&smtp_ratelimit_hosts) == OK)
+	{
+	DEBUG(D_receive) debug_printf("rate limit MAIL: delay %.3g sec\n",
+	  smtp_delay_mail/1000.0);
+	millisleep((int)smtp_delay_mail);
+	smtp_delay_mail *= smtp_rlm_factor;
+	if (smtp_delay_mail > (double)smtp_rlm_limit)
+	  smtp_delay_mail = (double)smtp_rlm_limit;
+	}
+
+      /* Now extract the address, first applying any SMTP-time rewriting. The
+      TRUE flag allows "<>" as a sender address. */
+
+      raw_sender = rewrite_existflags & rewrite_smtp
+	/* deconst ok as smtp_cmd_data was not const */
+	? US rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
+		      global_rewrite_rules)
+	: smtp_cmd_data;
+
+      raw_sender =
+	parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
+	  TRUE);
+
+      if (!raw_sender)
+	{
+	done = synprot_error(L_smtp_syntax_error, 501, smtp_cmd_data, errmess);
+	break;
+	}
+
+      sender_address = raw_sender;
+
+      /* If there is a configured size limit for mail, check that this message
+      doesn't exceed it. The check is postponed to this point so that the sender
+      can be logged. */
+
+      if (thismessage_size_limit > 0 && message_size > thismessage_size_limit)
+	{
+	smtp_printf("552 Message size exceeds maximum permitted\r\n", FALSE);
+	log_write(L_size_reject,
+	    LOG_MAIN|LOG_REJECT, "rejected MAIL FROM:<%s> %s: "
+	    "message too big: size%s=%d max=%d",
+	    sender_address,
+	    host_and_ident(TRUE),
+	    (message_size == INT_MAX)? ">" : "",
+	    message_size,
+	    thismessage_size_limit);
+	sender_address = NULL;
+	break;
+	}
+
+      /* Check there is enough space on the disk unless configured not to.
+      When smtp_check_spool_space is set, the check is for thismessage_size_limit
+      plus the current message - i.e. we accept the message only if it won't
+      reduce the space below the threshold. Add 5000 to the size to allow for
+      overheads such as the Received: line and storing of recipients, etc.
+      By putting the check here, even when SIZE is not given, it allow VRFY
+      and EXPN etc. to be used when space is short. */
+
+      if (!receive_check_fs(
+	   smtp_check_spool_space && message_size >= 0
+	      ? message_size + 5000 : 0))
+	{
+	smtp_printf("452 Space shortage, please try later\r\n", FALSE);
+	sender_address = NULL;
+	break;
+	}
+
+      /* If sender_address is unqualified, reject it, unless this is a locally
+      generated message, or the sending host or net is permitted to send
+      unqualified addresses - typically local machines behaving as MUAs -
+      in which case just qualify the address. The flag is set above at the start
+      of the SMTP connection. */
+
+      if (!sender_domain && *sender_address)
+	if (f.allow_unqualified_sender)
+	  {
+	  sender_domain = Ustrlen(sender_address) + 1;
+	  /* deconst ok as sender_address was not const */
+	  sender_address = US rewrite_address_qualify(sender_address, FALSE);
+	  DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
+	    raw_sender);
+	  }
+	else
+	  {
+	  smtp_printf("501 %s: sender address must contain a domain\r\n", FALSE,
+	    smtp_cmd_data);
+	  log_write(L_smtp_syntax_error,
+	    LOG_MAIN|LOG_REJECT,
+	    "unqualified sender rejected: <%s> %s%s",
+	    raw_sender,
+	    host_and_ident(TRUE),
+	    host_lookup_msg);
+	  sender_address = NULL;
+	  break;
+	  }
+
+      /* Apply an ACL check if one is defined, before responding. Afterwards,
+      when pipelining is not advertised, do another sync check in case the ACL
+      delayed and the client started sending in the meantime. */
+
+      if (acl_smtp_mail)
+	{
+	rc = acl_check(ACL_WHERE_MAIL, NULL, acl_smtp_mail, &user_msg, &log_msg);
+	if (rc == OK && !f.smtp_in_pipelining_advertised && !check_sync())
+	  goto SYNC_FAILURE;
+	}
+      else
+	rc = OK;
+
+      if (rc == OK || rc == DISCARD)
+	{
+	BOOL more = pipeline_response();
+
+	if (!user_msg)
+	  smtp_printf("%s%s%s", more, US"250 OK",
+		    #ifndef DISABLE_PRDR
+		      prdr_requested ? US", PRDR Requested" : US"",
+		    #else
+		      US"",
+		    #endif
+		      US"\r\n");
+	else
+	  {
+	#ifndef DISABLE_PRDR
+	  if (prdr_requested)
+	     user_msg = string_sprintf("%s%s", user_msg, US", PRDR Requested");
+	#endif
+	  smtp_user_msg(US"250", user_msg);
+	  }
+	smtp_delay_rcpt = smtp_rlr_base;
+	f.recipients_discarded = (rc == DISCARD);
+	was_rej_mail = FALSE;
+	}
+      else
+	{
+	done = smtp_handle_acl_fail(ACL_WHERE_MAIL, rc, user_msg, log_msg);
+	sender_address = NULL;
+	}
+      break;
+
+
+    /* The RCPT command requires an address as an operand. There may be any
+    number of RCPT commands, specifying multiple recipients. We build them all
+    into a data structure. The start/end values given by parse_extract_address
+    are not used, as we keep only the extracted address. */
+
+    case RCPT_CMD:
+      HAD(SCH_RCPT);
+      /* We got really to many recipients. A check against configured
+      limits is done later */
+      if (rcpt_count < 0 || rcpt_count >= INT_MAX/2)
+        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Too many recipients: %d", rcpt_count);
+      rcpt_count++;
+      was_rcpt = fl.rcpt_in_progress = TRUE;
+
+      /* There must be a sender address; if the sender was rejected and
+      pipelining was advertised, we assume the client was pipelining, and do not
+      count this as a protocol error. Reset was_rej_mail so that further RCPTs
+      get the same treatment. */
+
+      if (!sender_address)
+	{
+	if (f.smtp_in_pipelining_advertised && last_was_rej_mail)
+	  {
+	  smtp_printf("503 sender not yet given\r\n", FALSE);
+	  was_rej_mail = TRUE;
+	  }
+	else
+	  {
+	  done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	    US"sender not yet given");
+	  was_rcpt = FALSE;             /* Not a valid RCPT */
+	  }
+	rcpt_fail_count++;
+	break;
+	}
+
+      /* Check for an operand */
+
+      if (!smtp_cmd_data[0])
+	{
+	done = synprot_error(L_smtp_syntax_error, 501, NULL,
+	  US"RCPT must have an address operand");
+	rcpt_fail_count++;
+	break;
+	}
+
+      /* Set the DSN flags orcpt and dsn_flags from the session*/
+      orcpt = NULL;
+      dsn_flags = 0;
+
+      if (fl.esmtp) for(;;)
+	{
+	uschar *name, *value;
+
+	if (!extract_option(&name, &value))
+	  break;
+
+	if (fl.dsn_advertised && strcmpic(name, US"ORCPT") == 0)
+	  {
+	  /* Check whether orcpt has been already set */
+	  if (orcpt)
+	    {
+	    done = synprot_error(L_smtp_syntax_error, 501, NULL,
+	      US"ORCPT can be specified once only");
+	    goto COMMAND_LOOP;
+	    }
+	  orcpt = string_copy(value);
+	  DEBUG(D_receive) debug_printf("DSN orcpt: %s\n", orcpt);
+	  }
+
+	else if (fl.dsn_advertised && strcmpic(name, US"NOTIFY") == 0)
+	  {
+	  /* Check if the notify flags have been already set */
+	  if (dsn_flags > 0)
+	    {
+	    done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		US"NOTIFY can be specified once only");
+	    goto COMMAND_LOOP;
+	    }
+	  if (strcmpic(value, US"NEVER") == 0)
+	    dsn_flags |= rf_notify_never;
+	  else
+	    {
+	    uschar *p = value;
+	    while (*p != 0)
+	      {
+	      uschar *pp = p;
+	      while (*pp != 0 && *pp != ',') pp++;
+	      if (*pp == ',') *pp++ = 0;
+	      if (strcmpic(p, US"SUCCESS") == 0)
+		{
+		DEBUG(D_receive) debug_printf("DSN: Setting notify success\n");
+		dsn_flags |= rf_notify_success;
+		}
+	      else if (strcmpic(p, US"FAILURE") == 0)
+		{
+		DEBUG(D_receive) debug_printf("DSN: Setting notify failure\n");
+		dsn_flags |= rf_notify_failure;
+		}
+	      else if (strcmpic(p, US"DELAY") == 0)
+		{
+		DEBUG(D_receive) debug_printf("DSN: Setting notify delay\n");
+		dsn_flags |= rf_notify_delay;
+		}
+	      else
+		{
+		/* Catch any strange values */
+		done = synprot_error(L_smtp_syntax_error, 501, NULL,
+		  US"Invalid value for NOTIFY parameter");
+		goto COMMAND_LOOP;
+		}
+	      p = pp;
+	      }
+	      DEBUG(D_receive) debug_printf("DSN Flags: %x\n", dsn_flags);
+	    }
+	  }
+
+	/* Unknown option. Stick back the terminator characters and break
+	the loop. An error for a malformed address will occur. */
+
+	else
+	  {
+	  DEBUG(D_receive) debug_printf("Invalid RCPT option: %s : %s\n", name, value);
+	  name[-1] = ' ';
+	  value[-1] = '=';
+	  break;
+	  }
+	}
+
+      /* Apply SMTP rewriting then extract the working address. Don't allow "<>"
+      as a recipient address */
+
+      recipient = rewrite_existflags & rewrite_smtp
+	/* deconst ok as smtp_cmd_data was not const */
+	? US rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
+	    global_rewrite_rules)
+	: smtp_cmd_data;
+
+      if (!(recipient = parse_extract_address(recipient, &errmess, &start, &end,
+	&recipient_domain, FALSE)))
+	{
+	done = synprot_error(L_smtp_syntax_error, 501, smtp_cmd_data, errmess);
+	rcpt_fail_count++;
+	break;
+	}
+
+      /* If the recipient address is unqualified, reject it, unless this is a
+      locally generated message. However, unqualified addresses are permitted
+      from a configured list of hosts and nets - typically when behaving as
+      MUAs rather than MTAs. Sad that SMTP is used for both types of traffic,
+      really. The flag is set at the start of the SMTP connection.
+
+      RFC 1123 talks about supporting "the reserved mailbox postmaster"; I always
+      assumed this meant "reserved local part", but the revision of RFC 821 and
+      friends now makes it absolutely clear that it means *mailbox*. Consequently
+      we must always qualify this address, regardless. */
+
+      if (!recipient_domain)
+	if (!(recipient_domain = qualify_recipient(&recipient, smtp_cmd_data,
+				    US"recipient")))
+	  {
+	  rcpt_fail_count++;
+	  break;
+	  }
+
+      /* Check maximum allowed */
+
+      if (rcpt_count+1 < 0 || rcpt_count > recipients_max && recipients_max > 0)
+	{
+	if (recipients_max_reject)
+	  {
+	  rcpt_fail_count++;
+	  smtp_printf("552 too many recipients\r\n", FALSE);
+	  if (!toomany)
+	    log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: message "
+	      "rejected: sender=<%s> %s", sender_address, host_and_ident(TRUE));
+	  }
+	else
+	  {
+	  rcpt_defer_count++;
+	  smtp_printf("452 too many recipients\r\n", FALSE);
+	  if (!toomany)
+	    log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: excess "
+	      "temporarily rejected: sender=<%s> %s", sender_address,
+	      host_and_ident(TRUE));
+	  }
+
+	toomany = TRUE;
+	break;
+	}
+
+      /* If we have passed the threshold for rate limiting, apply the current
+      delay, and update it for next time, provided this is a limited host. */
+
+      if (rcpt_count > smtp_rlr_threshold &&
+	  verify_check_host(&smtp_ratelimit_hosts) == OK)
+	{
+	DEBUG(D_receive) debug_printf("rate limit RCPT: delay %.3g sec\n",
+	  smtp_delay_rcpt/1000.0);
+	millisleep((int)smtp_delay_rcpt);
+	smtp_delay_rcpt *= smtp_rlr_factor;
+	if (smtp_delay_rcpt > (double)smtp_rlr_limit)
+	  smtp_delay_rcpt = (double)smtp_rlr_limit;
+	}
+
+      /* If the MAIL ACL discarded all the recipients, we bypass ACL checking
+      for them. Otherwise, check the access control list for this recipient. As
+      there may be a delay in this, re-check for a synchronization error
+      afterwards, unless pipelining was advertised. */
+
+      if (f.recipients_discarded)
+	rc = DISCARD;
+      else
+	if (  (rc = acl_check(ACL_WHERE_RCPT, recipient, acl_smtp_rcpt, &user_msg,
+		      &log_msg)) == OK
+	   && !f.smtp_in_pipelining_advertised && !check_sync())
+	  goto SYNC_FAILURE;
+
+      /* The ACL was happy */
+
+      if (rc == OK)
+	{
+	BOOL more = pipeline_response();
+
+	if (user_msg)
+	  smtp_user_msg(US"250", user_msg);
+	else
+	  smtp_printf("250 Accepted\r\n", more);
+	receive_add_recipient(recipient, -1);
+
+	/* Set the dsn flags in the recipients_list */
+	recipients_list[recipients_count-1].orcpt = orcpt;
+	recipients_list[recipients_count-1].dsn_flags = dsn_flags;
+
+	/* DEBUG(D_receive) debug_printf("DSN: orcpt: %s  flags: %d\n",
+	  recipients_list[recipients_count-1].orcpt,
+	  recipients_list[recipients_count-1].dsn_flags); */
+	}
+
+      /* The recipient was discarded */
+
+      else if (rc == DISCARD)
+	{
+	if (user_msg)
+	  smtp_user_msg(US"250", user_msg);
+	else
+	  smtp_printf("250 Accepted\r\n", FALSE);
+	rcpt_fail_count++;
+	discarded = TRUE;
+	log_write(0, LOG_MAIN|LOG_REJECT, "%s F=<%s> RCPT %s: "
+	  "discarded by %s ACL%s%s", host_and_ident(TRUE),
+	  sender_address_unrewritten ? sender_address_unrewritten : sender_address,
+	  smtp_cmd_argument, f.recipients_discarded ? "MAIL" : "RCPT",
+	  log_msg ? US": " : US"", log_msg ? log_msg : US"");
+	}
+
+      /* Either the ACL failed the address, or it was deferred. */
+
+      else
+	{
+	if (rc == FAIL) rcpt_fail_count++; else rcpt_defer_count++;
+	done = smtp_handle_acl_fail(ACL_WHERE_RCPT, rc, user_msg, log_msg);
+	}
+      break;
+
+
+    /* The DATA command is legal only if it follows successful MAIL FROM
+    and RCPT TO commands. However, if pipelining is advertised, a bad DATA is
+    not counted as a protocol error if it follows RCPT (which must have been
+    rejected if there are no recipients.) This function is complete when a
+    valid DATA command is encountered.
+
+    Note concerning the code used: RFC 2821 says this:
+
+     -  If there was no MAIL, or no RCPT, command, or all such commands
+        were rejected, the server MAY return a "command out of sequence"
+        (503) or "no valid recipients" (554) reply in response to the
+        DATA command.
+
+    The example in the pipelining RFC 2920 uses 554, but I use 503 here
+    because it is the same whether pipelining is in use or not.
+
+    If all the RCPT commands that precede DATA provoked the same error message
+    (often indicating some kind of system error), it is helpful to include it
+    with the DATA rejection (an idea suggested by Tony Finch). */
+
+    case BDAT_CMD:
+      {
+      int n;
+
+      HAD(SCH_BDAT);
+      if (chunking_state != CHUNKING_OFFERED)
+	{
+	done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	  US"BDAT command used when CHUNKING not advertised");
+	break;
+	}
+
+      /* grab size, endmarker */
+
+      if (sscanf(CS smtp_cmd_data, "%u %n", &chunking_datasize, &n) < 1)
+	{
+	done = synprot_error(L_smtp_protocol_error, 501, NULL,
+	  US"missing size for BDAT command");
+	break;
+	}
+      chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
+	? CHUNKING_LAST : CHUNKING_ACTIVE;
+      chunking_data_left = chunking_datasize;
+      DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
+				    (int)chunking_state, chunking_data_left);
+
+      f.bdat_readers_wanted = TRUE; /* FIXME: redundant vs chunking_state? */
+      f.dot_ends = FALSE;
+
+      goto DATA_BDAT;
+      }
+
+    case DATA_CMD:
+      HAD(SCH_DATA);
+      f.dot_ends = TRUE;
+      f.bdat_readers_wanted = FALSE;
+
+    DATA_BDAT:		/* Common code for DATA and BDAT */
+#ifndef DISABLE_PIPE_CONNECT
+      fl.pipe_connect_acceptable = FALSE;
+#endif
+      if (!discarded && recipients_count <= 0)
+	{
+	if (fl.rcpt_smtp_response_same && rcpt_smtp_response)
+	  {
+	  uschar *code = US"503";
+	  int len = Ustrlen(rcpt_smtp_response);
+	  smtp_respond(code, 3, FALSE, US"All RCPT commands were rejected with "
+	    "this error:");
+	  /* Responses from smtp_printf() will have \r\n on the end */
+	  if (len > 2 && rcpt_smtp_response[len-2] == '\r')
+	    rcpt_smtp_response[len-2] = 0;
+	  smtp_respond(code, 3, FALSE, rcpt_smtp_response);
+	  }
+	if (f.smtp_in_pipelining_advertised && last_was_rcpt)
+	  smtp_printf("503 Valid RCPT command must precede %s\r\n", FALSE,
+	    smtp_names[smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)]]);
+	else
+	  done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	    smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)] == SCH_DATA
+	    ? US"valid RCPT command must precede DATA"
+	    : US"valid RCPT command must precede BDAT");
+
+	if (chunking_state > CHUNKING_OFFERED)
+	  {
+	  bdat_push_receive_functions();
+	  bdat_flush_data();
+	  }
+	break;
+	}
+
+      if (toomany && recipients_max_reject)
+	{
+	sender_address = NULL;  /* This will allow a new MAIL without RSET */
+	sender_address_unrewritten = NULL;
+	smtp_printf("554 Too many recipients\r\n", FALSE);
+
+	if (chunking_state > CHUNKING_OFFERED)
+	  {
+	  bdat_push_receive_functions();
+	  bdat_flush_data();
+	  }
+	break;
+	}
+
+      if (chunking_state > CHUNKING_OFFERED)
+	rc = OK;			/* No predata ACL or go-ahead output for BDAT */
+      else
+	{
+	/* If there is an ACL, re-check the synchronization afterwards, since the
+	ACL may have delayed.  To handle cutthrough delivery enforce a dummy call
+	to get the DATA command sent. */
+
+	if (!acl_smtp_predata && cutthrough.cctx.sock < 0)
+	  rc = OK;
+	else
+	  {
+	  uschar * acl = acl_smtp_predata ? acl_smtp_predata : US"accept";
+	  f.enable_dollar_recipients = TRUE;
+	  rc = acl_check(ACL_WHERE_PREDATA, NULL, acl, &user_msg,
+	    &log_msg);
+	  f.enable_dollar_recipients = FALSE;
+	  if (rc == OK && !check_sync())
+	    goto SYNC_FAILURE;
+
+	  if (rc != OK)
+	    {	/* Either the ACL failed the address, or it was deferred. */
+	    done = smtp_handle_acl_fail(ACL_WHERE_PREDATA, rc, user_msg, log_msg);
+	    break;
+	    }
+	  }
+
+	if (user_msg)
+	  smtp_user_msg(US"354", user_msg);
+	else
+	  smtp_printf(
+	    "354 Enter message, ending with \".\" on a line by itself\r\n", FALSE);
+	}
+
+      if (f.bdat_readers_wanted)
+	bdat_push_receive_functions();
+
+#ifdef TCP_QUICKACK
+      if (smtp_in)	/* all ACKs needed to ramp window up for bulk data */
+	(void) setsockopt(fileno(smtp_in), IPPROTO_TCP, TCP_QUICKACK,
+		US &on, sizeof(on));
+#endif
+      done = 3;
+      message_ended = END_NOTENDED;   /* Indicate in middle of data */
+
+      break;
+
+
+    case VRFY_CMD:
+      {
+      uschar * address;
+
+      HAD(SCH_VRFY);
+
+      if (!(address = parse_extract_address(smtp_cmd_data, &errmess,
+            &start, &end, &recipient_domain, FALSE)))
+	{
+	smtp_printf("501 %s\r\n", FALSE, errmess);
+	break;
+	}
+
+      if (!recipient_domain)
+	if (!(recipient_domain = qualify_recipient(&address, smtp_cmd_data,
+				    US"verify")))
+	  break;
+
+      if ((rc = acl_check(ACL_WHERE_VRFY, address, acl_smtp_vrfy,
+		    &user_msg, &log_msg)) != OK)
+	done = smtp_handle_acl_fail(ACL_WHERE_VRFY, rc, user_msg, log_msg);
+      else
+	{
+	uschar * s = NULL;
+	address_item * addr = deliver_make_addr(address, FALSE);
+
+	switch(verify_address(addr, NULL, vopt_is_recipient | vopt_qualify, -1,
+	       -1, -1, NULL, NULL, NULL))
+	  {
+	  case OK:
+	    s = string_sprintf("250 <%s> is deliverable", address);
+	    break;
+
+	  case DEFER:
+	    s = (addr->user_message != NULL)?
+	      string_sprintf("451 <%s> %s", address, addr->user_message) :
+	      string_sprintf("451 Cannot resolve <%s> at this time", address);
+	    break;
+
+	  case FAIL:
+	    s = (addr->user_message != NULL)?
+	      string_sprintf("550 <%s> %s", address, addr->user_message) :
+	      string_sprintf("550 <%s> is not deliverable", address);
+	    log_write(0, LOG_MAIN, "VRFY failed for %s %s",
+	      smtp_cmd_argument, host_and_ident(TRUE));
+	    break;
+	  }
+
+	smtp_printf("%s\r\n", FALSE, s);
+	}
+      break;
+      }
+
+
+    case EXPN_CMD:
+      HAD(SCH_EXPN);
+      rc = acl_check(ACL_WHERE_EXPN, NULL, acl_smtp_expn, &user_msg, &log_msg);
+      if (rc != OK)
+	done = smtp_handle_acl_fail(ACL_WHERE_EXPN, rc, user_msg, log_msg);
+      else
+	{
+	BOOL save_log_testing_mode = f.log_testing_mode;
+	f.address_test_mode = f.log_testing_mode = TRUE;
+	(void) verify_address(deliver_make_addr(smtp_cmd_data, FALSE),
+	  smtp_out, vopt_is_recipient | vopt_qualify | vopt_expn, -1, -1, -1,
+	  NULL, NULL, NULL);
+	f.address_test_mode = FALSE;
+	f.log_testing_mode = save_log_testing_mode;    /* true for -bh */
+	}
+      break;
+
+
+    #ifndef DISABLE_TLS
+
+    case STARTTLS_CMD:
+      HAD(SCH_STARTTLS);
+      if (!fl.tls_advertised)
+	{
+	done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	  US"STARTTLS command used when not advertised");
+	break;
+	}
+
+      /* Apply an ACL check if one is defined */
+
+      if (  acl_smtp_starttls
+	 && (rc = acl_check(ACL_WHERE_STARTTLS, NULL, acl_smtp_starttls,
+		    &user_msg, &log_msg)) != OK
+	 )
+	{
+	done = smtp_handle_acl_fail(ACL_WHERE_STARTTLS, rc, user_msg, log_msg);
+	break;
+	}
+
+      /* RFC 2487 is not clear on when this command may be sent, though it
+      does state that all information previously obtained from the client
+      must be discarded if a TLS session is started. It seems reasonable to
+      do an implied RSET when STARTTLS is received. */
+
+      incomplete_transaction_log(US"STARTTLS");
+      cancel_cutthrough_connection(TRUE, US"STARTTLS received");
+      reset_point = smtp_reset(reset_point);
+      toomany = FALSE;
+      cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = FALSE;
+
+      /* There's an attack where more data is read in past the STARTTLS command
+      before TLS is negotiated, then assumed to be part of the secure session
+      when used afterwards; we use segregated input buffers, so are not
+      vulnerable, but we want to note when it happens and, for sheer paranoia,
+      ensure that the buffer is "wiped".
+      Pipelining sync checks will normally have protected us too, unless disabled
+      by configuration. */
+
+      if (receive_hasc())
+	{
+	DEBUG(D_any)
+	  debug_printf("Non-empty input buffer after STARTTLS; naive attack?\n");
+	if (tls_in.active.sock < 0)
+	  smtp_inend = smtp_inptr = smtp_inbuffer;
+	/* and if TLS is already active, tls_server_start() should fail */
+	}
+
+      /* There is nothing we value in the input buffer and if TLS is successfully
+      negotiated, we won't use this buffer again; if TLS fails, we'll just read
+      fresh content into it.  The buffer contains arbitrary content from an
+      untrusted remote source; eg: NOOP <shellcode>\r\nSTARTTLS\r\n
+      It seems safest to just wipe away the content rather than leave it as a
+      target to jump to. */
+
+      memset(smtp_inbuffer, 0, IN_BUFFER_SIZE);
+
+      /* Attempt to start up a TLS session, and if successful, discard all
+      knowledge that was obtained previously. At least, that's what the RFC says,
+      and that's what happens by default. However, in order to work round YAEB,
+      there is an option to remember the esmtp state. Sigh.
+
+      We must allow for an extra EHLO command and an extra AUTH command after
+      STARTTLS that don't add to the nonmail command count. */
+
+      s = NULL;
+      if ((rc = tls_server_start(&s)) == OK)
+	{
+	if (!tls_remember_esmtp)
+	  fl.helo_seen = fl.esmtp = fl.auth_advertised = f.smtp_in_pipelining_advertised = FALSE;
+	cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
+	cmd_list[CMD_LIST_AUTH].is_mail_cmd = TRUE;
+	cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = TRUE;
+	if (sender_helo_name)
+	  {
+	  sender_helo_name = NULL;
+	  host_build_sender_fullhost();  /* Rebuild */
+	  set_process_info("handling incoming TLS connection from %s",
+	    host_and_ident(FALSE));
+	  }
+	received_protocol =
+	  (sender_host_address ? protocols : protocols_local)
+	    [ (fl.esmtp
+	      ? pextend + (sender_host_authenticated ? pauthed : 0)
+	      : pnormal)
+	    + (tls_in.active.sock >= 0 ? pcrpted : 0)
+	    ];
+
+	sender_host_auth_pubname = sender_host_authenticated = NULL;
+	authenticated_id = NULL;
+	sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
+	DEBUG(D_tls) debug_printf("TLS active\n");
+	break;     /* Successful STARTTLS */
+	}
+      else
+	(void) smtp_log_tls_fail(s);
+
+      /* Some local configuration problem was discovered before actually trying
+      to do a TLS handshake; give a temporary error. */
+
+      if (rc == DEFER)
+	{
+	smtp_printf("454 TLS currently unavailable\r\n", FALSE);
+	break;
+	}
+
+      /* Hard failure. Reject everything except QUIT or closed connection. One
+      cause for failure is a nested STARTTLS, in which case tls_in.active remains
+      set, but we must still reject all incoming commands.  Another is a handshake
+      failure - and there may some encrypted data still in the pipe to us, which we
+      see as garbage commands. */
+
+      DEBUG(D_tls) debug_printf("TLS failed to start\n");
+      while (done <= 0) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
+	{
+	case EOF_CMD:
+	  log_write(L_smtp_connection, LOG_MAIN, "%s closed by EOF",
+	    smtp_get_connection_info());
+	  smtp_notquit_exit(US"tls-failed", NULL, NULL);
+	  done = 2;
+	  break;
+
+	/* It is perhaps arguable as to which exit ACL should be called here,
+	but as it is probably a situation that almost never arises, it
+	probably doesn't matter. We choose to call the real QUIT ACL, which in
+	some sense is perhaps "right". */
+
+	case QUIT_CMD:
+	  f.smtp_in_quit = TRUE;
+	  user_msg = NULL;
+	  if (  acl_smtp_quit
+	     && ((rc = acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_quit, &user_msg,
+				&log_msg)) == ERROR))
+	      log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
+		log_msg);
+	  if (user_msg)
+	    smtp_respond(US"221", 3, TRUE, user_msg);
+	  else
+	    smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname);
+	  log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
+	    smtp_get_connection_info());
+	  done = 2;
+	  break;
+
+	default:
+	  smtp_printf("554 Security failure\r\n", FALSE);
+	  break;
+	}
+      tls_close(NULL, TLS_SHUTDOWN_NOWAIT);
+      break;
+    #endif
+
+
+    /* The ACL for QUIT is provided for gathering statistical information or
+    similar; it does not affect the response code, but it can supply a custom
+    message. */
+
+    case QUIT_CMD:
+      smtp_quit_handler(&user_msg, &log_msg);
+      done = 2;
+      break;
+
+
+    case RSET_CMD:
+      smtp_rset_handler();
+      cancel_cutthrough_connection(TRUE, US"RSET received");
+      reset_point = smtp_reset(reset_point);
+      toomany = FALSE;
+      break;
+
+
+    case NOOP_CMD:
+      HAD(SCH_NOOP);
+      smtp_printf("250 OK\r\n", FALSE);
+      break;
+
+
+    /* Show ETRN/EXPN/VRFY if there's an ACL for checking hosts; if actually
+    used, a check will be done for permitted hosts. Show STARTTLS only if not
+    already in a TLS session and if it would be advertised in the EHLO
+    response. */
+
+    case HELP_CMD:
+      HAD(SCH_HELP);
+      smtp_printf("214-Commands supported:\r\n", TRUE);
+	{
+	uschar buffer[256];
+	buffer[0] = 0;
+	Ustrcat(buffer, US" AUTH");
+	#ifndef DISABLE_TLS
+	if (tls_in.active.sock < 0 &&
+	    verify_check_host(&tls_advertise_hosts) != FAIL)
+	  Ustrcat(buffer, US" STARTTLS");
+	#endif
+	Ustrcat(buffer, US" HELO EHLO MAIL RCPT DATA BDAT");
+	Ustrcat(buffer, US" NOOP QUIT RSET HELP");
+	if (acl_smtp_etrn) Ustrcat(buffer, US" ETRN");
+	if (acl_smtp_expn) Ustrcat(buffer, US" EXPN");
+	if (acl_smtp_vrfy) Ustrcat(buffer, US" VRFY");
+	smtp_printf("214%s\r\n", FALSE, buffer);
+	}
+      break;
+
+
+    case EOF_CMD:
+      incomplete_transaction_log(US"connection lost");
+      smtp_notquit_exit(US"connection-lost", US"421",
+	US"%s lost input connection", smtp_active_hostname);
+
+      /* Don't log by default unless in the middle of a message, as some mailers
+      just drop the call rather than sending QUIT, and it clutters up the logs.
+      */
+
+      if (sender_address || recipients_count > 0)
+	log_write(L_lost_incoming_connection, LOG_MAIN,
+	  "unexpected %s while reading SMTP command from %s%s%s D=%s",
+	  f.sender_host_unknown ? "EOF" : "disconnection",
+	  f.tcp_in_fastopen_logged
+	  ? US""
+	  : f.tcp_in_fastopen
+	  ? f.tcp_in_fastopen_data ? US"TFO* " : US"TFO "
+	  : US"",
+	  host_and_ident(FALSE), smtp_read_error,
+	  string_timesince(&smtp_connection_start)
+	  );
+
+      else
+	log_write(L_smtp_connection, LOG_MAIN, "%s %slost%s D=%s",
+	  smtp_get_connection_info(),
+	  f.tcp_in_fastopen && !f.tcp_in_fastopen_logged ? US"TFO " : US"",
+	  smtp_read_error,
+	  string_timesince(&smtp_connection_start)
+	  );
+
+      done = 1;
+      break;
+
+
+    case ETRN_CMD:
+      HAD(SCH_ETRN);
+      if (sender_address)
+	{
+	done = synprot_error(L_smtp_protocol_error, 503, NULL,
+	  US"ETRN is not permitted inside a transaction");
+	break;
+	}
+
+      log_write(L_etrn, LOG_MAIN, "ETRN %s received from %s", smtp_cmd_argument,
+	host_and_ident(FALSE));
+
+      if ((rc = acl_check(ACL_WHERE_ETRN, NULL, acl_smtp_etrn,
+		  &user_msg, &log_msg)) != OK)
+	{
+	done = smtp_handle_acl_fail(ACL_WHERE_ETRN, rc, user_msg, log_msg);
+	break;
+	}
+
+      /* Compute the serialization key for this command. */
+
+      etrn_serialize_key = string_sprintf("etrn-%s\n", smtp_cmd_data);
+
+      /* If a command has been specified for running as a result of ETRN, we
+      permit any argument to ETRN. If not, only the # standard form is permitted,
+      since that is strictly the only kind of ETRN that can be implemented
+      according to the RFC. */
+
+      if (smtp_etrn_command)
+	{
+	uschar *error;
+	BOOL rc;
+	etrn_command = smtp_etrn_command;
+	deliver_domain = smtp_cmd_data;
+	rc = transport_set_up_command(&argv, smtp_etrn_command, TRUE, 0, NULL,
+	  FALSE, US"ETRN processing", &error);
+	deliver_domain = NULL;
+	if (!rc)
+	  {
+	  log_write(0, LOG_MAIN|LOG_PANIC, "failed to set up ETRN command: %s",
+	    error);
+	  smtp_printf("458 Internal failure\r\n", FALSE);
+	  break;
+	  }
+	}
+
+      /* Else set up to call Exim with the -R option. */
+
+      else
+	{
+	if (*smtp_cmd_data++ != '#')
+	  {
+	  done = synprot_error(L_smtp_syntax_error, 501, NULL,
+	    US"argument must begin with #");
+	  break;
+	  }
+	etrn_command = US"exim -R";
+	argv = CUSS child_exec_exim(CEE_RETURN_ARGV, TRUE, NULL, TRUE,
+	  *queue_name ? 4 : 2,
+	  US"-R", smtp_cmd_data,
+	  US"-MCG", queue_name);
+	}
+
+      /* If we are host-testing, don't actually do anything. */
+
+      if (host_checking)
+	{
+	HDEBUG(D_any)
+	  {
+	  debug_printf("ETRN command is: %s\n", etrn_command);
+	  debug_printf("ETRN command execution skipped\n");
+	  }
+	if (user_msg == NULL) smtp_printf("250 OK\r\n", FALSE);
+	  else smtp_user_msg(US"250", user_msg);
+	break;
+	}
+
+
+      /* If ETRN queue runs are to be serialized, check the database to
+      ensure one isn't already running. */
+
+      if (smtp_etrn_serialize && !enq_start(etrn_serialize_key, 1))
+	{
+	smtp_printf("458 Already processing %s\r\n", FALSE, smtp_cmd_data);
+	break;
+	}
+
+      /* Fork a child process and run the command. We don't want to have to
+      wait for the process at any point, so set SIGCHLD to SIG_IGN before
+      forking. It should be set that way anyway for external incoming SMTP,
+      but we save and restore to be tidy. If serialization is required, we
+      actually run the command in yet another process, so we can wait for it
+      to complete and then remove the serialization lock. */
+
+      oldsignal = signal(SIGCHLD, SIG_IGN);
+
+      if ((pid = exim_fork(US"etrn-command")) == 0)
+	{
+	smtp_input = FALSE;       /* This process is not associated with the */
+	(void)fclose(smtp_in);    /* SMTP call any more. */
+	(void)fclose(smtp_out);
+
+	signal(SIGCHLD, SIG_DFL);      /* Want to catch child */
+
+	/* If not serializing, do the exec right away. Otherwise, fork down
+	into another process. */
+
+	if (  !smtp_etrn_serialize
+	   || (pid = exim_fork(US"etrn-serialised-command")) == 0)
+	  {
+	  DEBUG(D_exec) debug_print_argv(argv);
+	  exim_nullstd();                   /* Ensure std{in,out,err} exist */
+	  /* argv[0] should be untainted, from child_exec_exim() */
+	  execv(CS argv[0], (char *const *)argv);
+	  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "exec of \"%s\" (ETRN) failed: %s",
+	    etrn_command, strerror(errno));
+	  _exit(EXIT_FAILURE);         /* paranoia */
+	  }
+
+	/* Obey this if smtp_serialize and the 2nd fork yielded non-zero. That
+	is, we are in the first subprocess, after forking again. All we can do
+	for a failing fork is to log it. Otherwise, wait for the 2nd process to
+	complete, before removing the serialization. */
+
+	if (pid < 0)
+	  log_write(0, LOG_MAIN|LOG_PANIC, "2nd fork for serialized ETRN "
+	    "failed: %s", strerror(errno));
+	else
+	  {
+	  int status;
+	  DEBUG(D_any) debug_printf("waiting for serialized ETRN process %d\n",
+	    (int)pid);
+	  (void)wait(&status);
+	  DEBUG(D_any) debug_printf("serialized ETRN process %d ended\n",
+	    (int)pid);
+	  }
+
+	enq_end(etrn_serialize_key);
+	exim_underbar_exit(EXIT_SUCCESS);
+	}
+
+      /* Back in the top level SMTP process. Check that we started a subprocess
+      and restore the signal state. */
+
+      if (pid < 0)
+	{
+	log_write(0, LOG_MAIN|LOG_PANIC, "fork of process for ETRN failed: %s",
+	  strerror(errno));
+	smtp_printf("458 Unable to fork process\r\n", FALSE);
+	if (smtp_etrn_serialize) enq_end(etrn_serialize_key);
+	}
+      else
+	if (!user_msg)
+	  smtp_printf("250 OK\r\n", FALSE);
+	else
+	  smtp_user_msg(US"250", user_msg);
+
+      signal(SIGCHLD, oldsignal);
+      break;
+
+
+    case BADARG_CMD:
+      done = synprot_error(L_smtp_syntax_error, 501, NULL,
+	US"unexpected argument data");
+      break;
+
+
+    /* This currently happens only for NULLs, but could be extended. */
+
+    case BADCHAR_CMD:
+      done = synprot_error(L_smtp_syntax_error, 0, NULL,       /* Just logs */
+	US"NUL character(s) present (shown as '?')");
+      smtp_printf("501 NUL characters are not allowed in SMTP commands\r\n",
+		  FALSE);
+      break;
+
+
+    case BADSYN_CMD:
+    SYNC_FAILURE:
+      if (smtp_inend >= smtp_inbuffer + IN_BUFFER_SIZE)
+	smtp_inend = smtp_inbuffer + IN_BUFFER_SIZE - 1;
+      c = smtp_inend - smtp_inptr;
+      if (c > 150) c = 150;	/* limit logged amount */
+      smtp_inptr[c] = 0;
+      incomplete_transaction_log(US"sync failure");
+      log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol synchronization error "
+	"(next input sent too soon: pipelining was%s advertised): "
+	"rejected \"%s\" %s next input=\"%s\"",
+	f.smtp_in_pipelining_advertised ? "" : " not",
+	smtp_cmd_buffer, host_and_ident(TRUE),
+	string_printing(smtp_inptr));
+      smtp_notquit_exit(US"synchronization-error", US"554",
+	US"SMTP synchronization error");
+      done = 1;   /* Pretend eof - drops connection */
+      break;
+
+
+    case TOO_MANY_NONMAIL_CMD:
+      s = smtp_cmd_buffer;
+      while (*s != 0 && !isspace(*s)) s++;
+      incomplete_transaction_log(US"too many non-mail commands");
+      log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
+	"nonmail commands (last was \"%.*s\")",  host_and_ident(FALSE),
+	(int)(s - smtp_cmd_buffer), smtp_cmd_buffer);
+      smtp_notquit_exit(US"bad-commands", US"554", US"Too many nonmail commands");
+      done = 1;   /* Pretend eof - drops connection */
+      break;
+
+#ifdef SUPPORT_PROXY
+    case PROXY_FAIL_IGNORE_CMD:
+      smtp_printf("503 Command refused, required Proxy negotiation failed\r\n", FALSE);
+      break;
+#endif
+
+    default:
+      if (unknown_command_count++ >= smtp_max_unknown_commands)
+	{
+	log_write(L_smtp_syntax_error, LOG_MAIN,
+	  "SMTP syntax error in \"%s\" %s %s",
+	  string_printing(smtp_cmd_buffer), host_and_ident(TRUE),
+	  US"unrecognized command");
+	incomplete_transaction_log(US"unrecognized command");
+	smtp_notquit_exit(US"bad-commands", US"500",
+	  US"Too many unrecognized commands");
+	done = 2;
+	log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
+	  "unrecognized commands (last was \"%s\")", host_and_ident(FALSE),
+	  string_printing(smtp_cmd_buffer));
+	}
+      else
+	done = synprot_error(L_smtp_syntax_error, 500, NULL,
+	  US"unrecognized command");
+      break;
+    }
+
+  /* This label is used by goto's inside loops that want to break out to
+  the end of the command-processing loop. */
+
+  COMMAND_LOOP:
+  last_was_rej_mail = was_rej_mail;     /* Remember some last commands for */
+  last_was_rcpt = was_rcpt;             /* protocol error handling */
+  }
+
+return done - 2;  /* Convert yield values */
+}
+
+
+
+gstring *
+authres_smtpauth(gstring * g)
+{
+if (!sender_host_authenticated)
+  return g;
+
+g = string_append(g, 2, US";\n\tauth=pass (", sender_host_auth_pubname);
+
+if (Ustrcmp(sender_host_auth_pubname, "tls") == 0)
+  g = authenticated_id
+    ? string_append(g, 2, US") x509.auth=", authenticated_id)
+    : string_cat(g, US") reason=x509.auth");
+else
+  g = authenticated_id
+    ? string_append(g, 2, US") smtp.auth=", authenticated_id)
+    : string_cat(g, US", no id saved)");
+
+if (authenticated_sender)
+  g = string_append(g, 2, US" smtp.mailfrom=", authenticated_sender);
+return g;
+}
+
+
+
+/* vi: aw ai sw=2
+*/
+/* End of smtp_in.c */
diff --git a/src/smtp_out.c b/src/smtp_out.c
new file mode 100644
index 0000000..7b7bdf7
--- /dev/null
+++ b/src/smtp_out.c
@@ -0,0 +1,936 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* A number of functions for driving outgoing SMTP calls. */
+
+
+#include "exim.h"
+#include "transports/smtp.h"
+
+
+
+/*************************************************
+*           Find an outgoing interface           *
+*************************************************/
+
+/* This function is called from the smtp transport and also from the callout
+code in verify.c. Its job is to expand a string to get a list of interfaces,
+and choose a suitable one (IPv4 or IPv6) for the outgoing address.
+
+Arguments:
+  istring    string interface setting, may be NULL, meaning "any", in
+               which case the function does nothing
+  host_af    AF_INET or AF_INET6 for the outgoing IP address
+  addr       the mail address being handled (for setting errors)
+  interface  point this to the interface if there is one defined
+  msg        to add to any error message
+
+Returns:     TRUE on success, FALSE on failure, with error message
+               set in addr and transport_return set to PANIC
+*/
+
+BOOL
+smtp_get_interface(uschar *istring, int host_af, address_item *addr,
+  uschar **interface, uschar *msg)
+{
+const uschar * expint;
+uschar *iface;
+int sep = 0;
+
+if (!istring) return TRUE;
+
+if (!(expint = expand_string(istring)))
+  {
+  if (f.expand_string_forcedfail) return TRUE;
+  addr->transport_return = PANIC;
+  addr->message = string_sprintf("failed to expand \"interface\" "
+      "option for %s: %s", msg, expand_string_message);
+  return FALSE;
+  }
+
+if (is_tainted(expint))
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "attempt to use tainted value '%s' from '%s' for interface",
+    expint, istring);
+  addr->transport_return = PANIC;
+  addr->message = string_sprintf("failed to expand \"interface\" "
+      "option for %s: configuration error", msg);
+  return FALSE;
+  }
+
+Uskip_whitespace(&expint);
+if (!*expint) return TRUE;
+
+while ((iface = string_nextinlist(&expint, &sep, NULL, 0)))
+  {
+  int if_af = string_is_ip_address(iface, NULL);
+  if (if_af == 0)
+    {
+    addr->transport_return = PANIC;
+    addr->message = string_sprintf("\"%s\" is not a valid IP "
+      "address for the \"interface\" option for %s",
+      iface, msg);
+    return FALSE;
+    }
+
+  if ((if_af == 4 ? AF_INET : AF_INET6) == host_af)
+    break;
+  }
+
+*interface = iface;
+return TRUE;
+}
+
+
+
+/*************************************************
+*           Find an outgoing port                *
+*************************************************/
+
+/* This function is called from the smtp transport and also from the callout
+code in verify.c. Its job is to find a port number. Note that getservbyname()
+produces the number in network byte order.
+
+Arguments:
+  rstring     raw (unexpanded) string representation of the port
+  addr        the mail address being handled (for setting errors)
+  port        stick the port in here
+  msg         for adding to error message
+
+Returns:      TRUE on success, FALSE on failure, with error message set
+                in addr, and transport_return set to PANIC
+*/
+
+BOOL
+smtp_get_port(uschar *rstring, address_item *addr, int *port, uschar *msg)
+{
+uschar *pstring = expand_string(rstring);
+
+if (!pstring)
+  {
+  addr->transport_return = PANIC;
+  addr->message = string_sprintf("failed to expand \"%s\" (\"port\" option) "
+    "for %s: %s", rstring, msg, expand_string_message);
+  return FALSE;
+  }
+
+if (isdigit(*pstring))
+  {
+  uschar *end;
+  *port = Ustrtol(pstring, &end, 0);
+  if (end != pstring + Ustrlen(pstring))
+    {
+    addr->transport_return = PANIC;
+    addr->message = string_sprintf("invalid port number for %s: %s", msg,
+      pstring);
+    return FALSE;
+    }
+  }
+
+else
+  {
+  struct servent *smtp_service = getservbyname(CS pstring, "tcp");
+  if (!smtp_service)
+    {
+    addr->transport_return = PANIC;
+    addr->message = string_sprintf("TCP port \"%s\" is not defined for %s",
+      pstring, msg);
+    return FALSE;
+    }
+  *port = ntohs(smtp_service->s_port);
+  }
+
+return TRUE;
+}
+
+
+
+
+#ifdef TCP_FASTOPEN
+/* Try to record if TFO was attmepted and if it was successfully used.  */
+
+static void
+tfo_out_check(int sock)
+{
+static BOOL done_once = FALSE;
+
+if (done_once) return;
+done_once = TRUE;
+
+# ifdef __FreeBSD__
+struct tcp_info tinfo;
+socklen_t len = sizeof(tinfo);
+
+/* A getsockopt TCP_FASTOPEN unfortunately returns "was-used" for a TFO/R as
+well as a TFO/C.  Use what we can of the Linux hack below; reliability issues ditto. */
+switch (tcp_out_fastopen)
+  {
+  case TFO_ATTEMPTED_NODATA:
+    if (  getsockopt(sock, IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0
+       && tinfo.tcpi_state == TCPS_SYN_SENT
+       && tinfo.__tcpi_unacked > 0
+       )
+      {
+      DEBUG(D_transport|D_v)
+       debug_printf("TCP_FASTOPEN tcpi_unacked %d\n", tinfo.__tcpi_unacked);
+      tcp_out_fastopen = TFO_USED_NODATA;
+      }
+    break;
+  /*
+  case TFO_ATTEMPTED_DATA:
+  case TFO_ATTEMPTED_DATA:
+       if (tinfo.tcpi_options & TCPI_OPT_SYN_DATA)   XXX no equvalent as of 12.2
+  */
+  }
+
+switch (tcp_out_fastopen)
+  {
+  case TFO_ATTEMPTED_DATA:	tcp_out_fastopen = TFO_USED_DATA; break;
+  default: break; /* compiler quietening */
+  }
+
+# else	/* Linux & Apple */
+#  if defined(TCP_INFO) && defined(EXIM_HAVE_TCPI_UNACKED)
+struct tcp_info tinfo;
+socklen_t len = sizeof(tinfo);
+
+switch (tcp_out_fastopen)
+  {
+    /* This is a somewhat dubious detection method; totally undocumented so likely
+    to fail in future kernels.  There seems to be no documented way.  What we really
+    want to know is if the server sent smtp-banner data before our ACK of his SYN,ACK
+    hit him.  What this (possibly?) detects is whether we sent a TFO cookie with our
+    SYN, as distinct from a TFO request.  This gets a false-positive when the server
+    key is rotated; we send the old one (which this test sees) but the server returns
+    the new one and does not send its SMTP banner before we ACK his SYN,ACK.
+     To force that rotation case:
+     '# echo -n "00000000-00000000-00000000-0000000" >/proc/sys/net/ipv4/tcp_fastopen_key'
+    The kernel seems to be counting unack'd packets. */
+
+  case TFO_ATTEMPTED_NODATA:
+    if (  getsockopt(sock, IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0
+       && tinfo.tcpi_state == TCP_SYN_SENT
+       && tinfo.tcpi_unacked > 1
+       )
+      {
+      DEBUG(D_transport|D_v)
+	debug_printf("TCP_FASTOPEN tcpi_unacked %d\n", tinfo.tcpi_unacked);
+      tcp_out_fastopen = TFO_USED_NODATA;
+      }
+    break;
+
+    /* When called after waiting for received data we should be able
+    to tell if data we sent was accepted. */
+
+  case TFO_ATTEMPTED_DATA:
+    if (  getsockopt(sock, IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0
+       && tinfo.tcpi_state == TCP_ESTABLISHED
+       )
+      if (tinfo.tcpi_options & TCPI_OPT_SYN_DATA)
+	{
+	DEBUG(D_transport|D_v) debug_printf("TFO: data was acked\n");
+	tcp_out_fastopen = TFO_USED_DATA;
+	}
+      else
+	{
+	DEBUG(D_transport|D_v) debug_printf("TFO: had to retransmit\n");
+	tcp_out_fastopen = TFO_NOT_USED;
+	}
+    break;
+
+  default: break; /* compiler quietening */
+  }
+#  endif
+# endif	/* Linux & Apple */
+}
+#endif
+
+
+/* Create and bind a socket, given the connect-args.
+Update those with the state.  Return the fd, or -1 with errno set.
+*/
+
+int
+smtp_boundsock(smtp_connect_args * sc)
+{
+transport_instance * tb = sc->tblock;
+smtp_transport_options_block * ob =
+  (smtp_transport_options_block *)tb->options_block;
+const uschar * dscp = ob->dscp;
+int sock, dscp_value, dscp_level, dscp_option;
+
+if ((sock = ip_socket(SOCK_STREAM, sc->host_af)) < 0)
+  return -1;
+
+/* Set TCP_NODELAY; Exim does its own buffering. */
+
+if (setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, US &on, sizeof(on)))
+  HDEBUG(D_transport|D_acl|D_v)
+    debug_printf_indent("failed to set NODELAY: %s ", strerror(errno));
+
+/* Set DSCP value, if we can. For now, if we fail to set the value, we don't
+bomb out, just log it and continue in default traffic class. */
+
+if (dscp && dscp_lookup(dscp, sc->host_af, &dscp_level, &dscp_option, &dscp_value))
+  {
+  HDEBUG(D_transport|D_acl|D_v)
+    debug_printf_indent("DSCP \"%s\"=%x ", dscp, dscp_value);
+  if (setsockopt(sock, dscp_level, dscp_option, &dscp_value, sizeof(dscp_value)) < 0)
+    HDEBUG(D_transport|D_acl|D_v)
+      debug_printf_indent("failed to set DSCP: %s ", strerror(errno));
+  /* If the kernel supports IPv4 and IPv6 on an IPv6 socket, we need to set the
+  option for both; ignore failures here */
+  if (sc->host_af == AF_INET6 &&
+      dscp_lookup(dscp, AF_INET, &dscp_level, &dscp_option, &dscp_value))
+    (void) setsockopt(sock, dscp_level, dscp_option, &dscp_value, sizeof(dscp_value));
+  }
+
+/* Bind to a specific interface if requested. Caller must ensure the interface
+is the same type (IPv4 or IPv6) as the outgoing address. */
+
+if (sc->interface)
+  {
+  union sockaddr_46 interface_sock;
+  EXIM_SOCKLEN_T size = sizeof(interface_sock);
+
+  if (  ip_bind(sock, sc->host_af, sc->interface, 0) < 0
+     || getsockname(sock, (struct sockaddr *) &interface_sock, &size) < 0
+     )
+    {
+    HDEBUG(D_transport|D_acl|D_v)
+      debug_printf_indent("unable to bind outgoing SMTP call to %s: %s", sc->interface,
+	strerror(errno));
+    close(sock);
+    return -1;
+    }
+  sending_ip_address = host_ntoa(-1, &interface_sock, NULL, &sending_port);
+  }
+
+sc->sock = sock;
+return sock;
+}
+
+
+/* Arguments:
+  host        host item containing name and address and port
+  host_af     AF_INET or AF_INET6
+  port	      TCP port number
+  interface   outgoing interface address or NULL
+  tb          transport
+  timeout     timeout value or 0
+  early_data	if non-NULL, idempotent data to be sent -
+		preferably in the TCP SYN segment
+	      Special case: non-NULL but with NULL blob.data - caller is
+	      client-data-first (eg. TLS-on-connect) and a lazy-TCP-connect is
+	      acceptable.
+
+Returns:      connected socket number, or -1 with errno set
+*/
+
+int
+smtp_sock_connect(smtp_connect_args * sc, int timeout, const blob * early_data)
+{
+smtp_transport_options_block * ob =
+  (smtp_transport_options_block *)sc->tblock->options_block;
+int sock;
+int save_errno = 0;
+const blob * fastopen_blob = NULL;
+
+
+#ifndef DISABLE_EVENT
+deliver_host_address = sc->host->address;
+deliver_host_port = sc->host->port;
+if (event_raise(sc->tblock->event_action, US"tcp:connect", NULL, &errno)) return -1;
+#endif
+
+if (  (sock = sc->sock) < 0
+   && (sock = smtp_boundsock(sc)) < 0)
+  save_errno = errno;
+sc->sock = -1;
+
+/* Connect to the remote host, and add keepalive to the socket before returning
+it, if requested.  If the build supports TFO, request it - and if the caller
+requested some early-data then include that in the TFO request.  If there is
+early-data but no TFO support, send it after connecting. */
+
+if (!save_errno)
+  {
+#ifdef TCP_FASTOPEN
+  /* See if TCP Fast Open usable.  Default is a traditional 3WHS connect */
+  if (verify_check_given_host(CUSS &ob->hosts_try_fastopen, sc->host) == OK)
+    {
+    if (!early_data)
+      fastopen_blob = &tcp_fastopen_nodata;	/* TFO, with no data */
+    else if (early_data->data)
+      fastopen_blob = early_data;		/* TFO, with data */
+# ifdef TCP_FASTOPEN_CONNECT
+    else
+      {						/* expecting client data */
+      debug_printf(" set up lazy-connect\n");
+      setsockopt(sock, IPPROTO_TCP, TCP_FASTOPEN_CONNECT, US &on, sizeof(on));
+      /* fastopen_blob = NULL;		 lazy TFO, triggered by data write */
+      }
+# endif
+    }
+#endif
+
+  if (ip_connect(sock, sc->host_af, sc->host->address, sc->host->port, timeout, fastopen_blob) < 0)
+    save_errno = errno;
+  else if (early_data && !fastopen_blob && early_data->data && early_data->len)
+    {
+    /* We had some early-data to send, but couldn't do TFO */
+    HDEBUG(D_transport|D_acl|D_v)
+      debug_printf("sending %ld nonTFO early-data\n", (long)early_data->len);
+
+#ifdef TCP_QUICKACK_notdef
+    (void) setsockopt(sock, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
+#endif
+    if (send(sock, early_data->data, early_data->len, 0) < 0)
+      save_errno = errno;
+    }
+#ifdef TCP_QUICKACK_notdef
+  /* Under TFO (with openssl & pipe-conn; testcase 4069, as of
+  5.10.8-100.fc32.x86_64) this seems to be inop.
+  Perhaps overwritten when we (client) go -> ESTABLISHED on seeing the 3rd-ACK?
+  For that case, added at smtp_reap_banner(). */
+  (void) setsockopt(sock, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
+#endif
+  }
+
+if (!save_errno)
+  {
+  union sockaddr_46 interface_sock;
+  EXIM_SOCKLEN_T size = sizeof(interface_sock);
+
+  /* Both bind() and connect() succeeded, and any early-data */
+
+  HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" connected\n");
+  if (getsockname(sock, (struct sockaddr *)(&interface_sock), &size) == 0)
+    sending_ip_address = host_ntoa(-1, &interface_sock, NULL, &sending_port);
+  else
+    {
+    log_write(0, LOG_MAIN | ((errno == ECONNRESET)? 0 : LOG_PANIC),
+      "getsockname() failed: %s", strerror(errno));
+    close(sock);
+    return -1;
+    }
+
+  if (ob->keepalive) ip_keepalive(sock, sc->host->address, TRUE);
+#ifdef TCP_FASTOPEN
+  tfo_out_check(sock);
+#endif
+  return sock;
+  }
+
+/* Either bind() or connect() failed */
+
+HDEBUG(D_transport|D_acl|D_v)
+  {
+  debug_printf_indent(" failed: %s", CUstrerror(save_errno));
+  if (save_errno == ETIMEDOUT)
+    debug_printf(" (timeout=%s)", readconf_printtime(timeout));
+  debug_printf("\n");
+  }
+(void)close(sock);
+errno = save_errno;
+return -1;
+}
+
+
+
+
+
+void
+smtp_port_for_connect(host_item * host, int port)
+{
+if (host->port != PORT_NONE)
+  {
+  HDEBUG(D_transport|D_acl|D_v) if (port != host->port)
+    debug_printf_indent("Transport port=%d replaced by host-specific port=%d\n", port,
+      host->port);
+  port = host->port;
+  }
+else host->port = port;    /* Set the port actually used */
+}
+
+
+/*************************************************
+*           Connect to remote host               *
+*************************************************/
+
+/* Create a socket, and connect it to a remote host. IPv6 addresses are
+detected by checking for a colon in the address. AF_INET6 is defined even on
+non-IPv6 systems, to enable the code to be less messy. However, on such systems
+host->address will always be an IPv4 address.
+
+Arguments:
+  sc	      details for making connection: host, af, interface, transport
+  early_data  if non-NULL, data to be sent - preferably in the TCP SYN segment
+	      Special case: non-NULL but with NULL blob.data - caller is
+	      client-data-first (eg. TLS-on-connect) and a lazy-TCP-connect is
+	      acceptable.
+
+Returns:      connected socket number, or -1 with errno set
+*/
+
+int
+smtp_connect(smtp_connect_args * sc, const blob * early_data)
+{
+int port = sc->host->port;
+smtp_transport_options_block * ob = sc->ob;
+
+callout_address = string_sprintf("[%s]:%d", sc->host->address, port);
+
+HDEBUG(D_transport|D_acl|D_v)
+  {
+  uschar * s = US" ";
+  if (sc->interface) s = string_sprintf(" from %s ", sc->interface);
+#ifdef SUPPORT_SOCKS
+  if (ob->socks_proxy) s = string_sprintf("%svia proxy ", s);
+#endif
+  debug_printf_indent("Connecting to %s %s%s... ", sc->host->name, callout_address, s);
+  }
+
+/* Create and connect the socket */
+
+#ifdef SUPPORT_SOCKS
+if (ob->socks_proxy)
+  {
+  int sock = socks_sock_connect(sc->host, sc->host_af, port, sc->interface,
+				sc->tblock, ob->connect_timeout);
+  
+  if (sock >= 0)
+    {
+    if (early_data && early_data->data && early_data->len)
+      if (send(sock, early_data->data, early_data->len, 0) < 0)
+	{
+	int save_errno = errno;
+	HDEBUG(D_transport|D_acl|D_v)
+	  {
+	  debug_printf_indent("failed: %s", CUstrerror(save_errno));
+	  if (save_errno == ETIMEDOUT)
+	    debug_printf(" (timeout=%s)", readconf_printtime(ob->connect_timeout));
+	  debug_printf("\n");
+	  }
+	(void)close(sock);
+	sock = -1;
+	errno = save_errno;
+	}
+    }
+  return sock;
+  }
+#endif
+
+return smtp_sock_connect(sc, ob->connect_timeout, early_data);
+}
+
+
+/*************************************************
+*        Flush outgoing command buffer           *
+*************************************************/
+
+/* This function is called only from smtp_write_command() below. It flushes
+the buffer of outgoing commands. There is more than one in the buffer only when
+pipelining.
+
+Argument:
+  outblock   the SMTP output block
+  mode	     further data expected, or plain
+
+Returns:     TRUE if OK, FALSE on error, with errno set
+*/
+
+static BOOL
+flush_buffer(smtp_outblock * outblock, int mode)
+{
+int rc;
+int n = outblock->ptr - outblock->buffer;
+BOOL more = mode == SCMD_MORE;
+client_conn_ctx * cctx;
+
+HDEBUG(D_transport|D_acl) debug_printf_indent("cmd buf flush %d bytes%s\n", n,
+  more ? " (more expected)" : "");
+
+if (!(cctx = outblock->cctx))
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "null conn-context pointer");
+  errno = 0;
+  return FALSE;
+  }
+
+#ifndef DISABLE_TLS
+if (cctx->tls_ctx)		/*XXX have seen a null cctx here, rvfy sending QUIT, hence check above */
+  rc = tls_write(cctx->tls_ctx, outblock->buffer, n, more);
+else
+#endif
+
+  {
+  if (outblock->conn_args)
+    {
+    blob early_data = { .data = outblock->buffer, .len = n };
+
+    /* We ignore the more-flag if we're doing a connect with early-data, which
+    means we won't get BDAT+data. A pity, but wise due to the idempotency
+    requirement: TFO with data can, in rare cases, replay the data to the
+    receiver. */
+
+    if (  (cctx->sock = smtp_connect(outblock->conn_args, &early_data))
+       < 0)
+      return FALSE;
+    outblock->conn_args = NULL;
+    rc = n;
+    }
+  else
+    {
+    rc = send(cctx->sock, outblock->buffer, n,
+#ifdef MSG_MORE
+	      more ? MSG_MORE : 0
+#else
+	      0
+#endif
+	     );
+
+#if defined(__linux__)
+    /* This is a workaround for a current linux kernel bug: as of
+    5.6.8-200.fc31.x86_64  small (<MSS) writes get delayed by about 200ms,
+    This is despite NODELAY being active.
+    https://bugzilla.redhat.com/show_bug.cgi?id=1803806 */
+
+    if (!more)
+      setsockopt(cctx->sock, IPPROTO_TCP, TCP_CORK, &off, sizeof(off));
+#endif
+    }
+  }
+
+if (rc <= 0)
+  {
+  HDEBUG(D_transport|D_acl) debug_printf_indent("send failed: %s\n", strerror(errno));
+  return FALSE;
+  }
+
+outblock->ptr = outblock->buffer;
+outblock->cmd_count = 0;
+return TRUE;
+}
+
+
+
+/* This might be called both due to callout and then from delivery.
+Use memory that will not be released between those phases.
+*/
+static void
+smtp_debug_resp(const uschar * buf)
+{
+#ifndef DISABLE_CLIENT_CMD_LOG
+int old_pool = store_pool;
+store_pool = POOL_PERM;
+client_cmd_log = string_append_listele_n(client_cmd_log, ':', buf,
+  buf[3] == ' ' ? 3 : 4);
+store_pool = old_pool;
+#endif
+}
+
+
+/*************************************************
+*             Write SMTP command                 *
+*************************************************/
+
+/* The formatted command is left in big_buffer so that it can be reflected in
+any error message.
+
+Arguments:
+  sx	     SMTP connection, contains buffer for pipelining, and socket
+  mode       buffer, write-with-more-likely, write
+  format     a format, starting with one of
+             of HELO, MAIL FROM, RCPT TO, DATA, ".", or QUIT.
+	     If NULL, flush pipeline buffer only.
+  ...        data for the format
+
+Returns:     0 if command added to pipelining buffer, with nothing transmitted
+            +n if n commands transmitted (may still have buffered the new one)
+            -1 on error, with errno set
+*/
+
+int
+smtp_write_command(void * sx, int mode, const char * format, ...)
+{
+smtp_outblock * outblock = &((smtp_context *)sx)->outblock;
+int rc = 0;
+
+if (format)
+  {
+  gstring gs = { .size = big_buffer_size, .ptr = 0, .s = big_buffer };
+  va_list ap;
+
+  /* Use taint-unchecked routines for writing into big_buffer, trusting that
+  we'll never expand the results.  Actually, the error-message use - leaving
+  the results in big_buffer for potential later use - is uncomfortably distant.
+  XXX Would be better to assume all smtp commands are short, use normal pool
+  alloc rather than big_buffer, and another global for the data-for-error. */
+
+  va_start(ap, format);
+  if (!string_vformat(&gs, SVFMT_TAINT_NOCHK, CS format, ap))
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "overlong write_command in outgoing "
+      "SMTP");
+  va_end(ap);
+  string_from_gstring(&gs);
+
+  if (gs.ptr > outblock->buffersize)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "overlong write_command in outgoing "
+      "SMTP");
+
+  if (gs.ptr > outblock->buffersize - (outblock->ptr - outblock->buffer))
+    {
+    rc = outblock->cmd_count;                 /* flush resets */
+    if (!flush_buffer(outblock, SCMD_FLUSH)) return -1;
+    }
+
+  Ustrncpy(outblock->ptr, gs.s, gs.ptr);
+  outblock->ptr += gs.ptr;
+  outblock->cmd_count++;
+  gs.ptr -= 2; string_from_gstring(&gs); /* remove \r\n for error message */
+
+  /* We want to hide the actual data sent in AUTH transactions from reflections
+  and logs. While authenticating, a flag is set in the outblock to enable this.
+  The AUTH command itself gets any data flattened. Other lines are flattened
+  completely. */
+
+  if (outblock->authenticating)
+    {
+    uschar *p = big_buffer;
+    if (Ustrncmp(big_buffer, "AUTH ", 5) == 0)
+      {
+      p += 5;
+      while (isspace(*p)) p++;
+      while (!isspace(*p)) p++;
+      while (isspace(*p)) p++;
+      }
+    while (*p) *p++ = '*';
+    }
+
+  smtp_debug_cmd(big_buffer, mode);
+  }
+
+if (mode != SCMD_BUFFER)
+  {
+  rc += outblock->cmd_count;                /* flush resets */
+  if (!flush_buffer(outblock, mode)) return -1;
+  }
+
+return rc;
+}
+
+
+
+/*************************************************
+*          Read one line of SMTP response        *
+*************************************************/
+
+/* This function reads one line of SMTP response from the server host. This may
+not be a complete response - it could be just part of a multiline response. We
+have to use a buffer for incoming packets, because when pipelining or using
+LMTP, there may well be more than one response in a single packet. This
+function is called only from the one that follows.
+
+Arguments:
+  inblock   the SMTP input block (contains holding buffer, socket, etc.)
+  buffer    where to put the line
+  size      space available for the line
+  timelimit deadline for reading the lime, seconds past epoch
+
+Returns:    length of a line that has been put in the buffer
+            -1 otherwise, with errno set, and inblock->ptr adjusted
+*/
+
+static int
+read_response_line(smtp_inblock *inblock, uschar *buffer, int size, time_t timelimit)
+{
+uschar *p = buffer;
+uschar *ptr = inblock->ptr;
+uschar *ptrend = inblock->ptrend;
+client_conn_ctx * cctx = inblock->cctx;
+
+/* Loop for reading multiple packets or reading another packet after emptying
+a previously-read one. */
+
+for (;;)
+  {
+  int rc;
+
+  /* If there is data in the input buffer left over from last time, copy
+  characters from it until the end of a line, at which point we can return,
+  having removed any whitespace (which will include CR) at the end of the line.
+  The rules for SMTP say that lines end in CRLF, but there are have been cases
+  of hosts using just LF, and other MTAs are reported to handle this, so we
+  just look for LF. If we run out of characters before the end of a line,
+  carry on to read the next incoming packet. */
+
+  while (ptr < ptrend)
+    {
+    int c = *ptr++;
+    if (c == '\n')
+      {
+      while (p > buffer && isspace(p[-1])) p--;
+      *p = 0;
+      inblock->ptr = ptr;
+      return p - buffer;
+      }
+    *p++ = c;
+    if (--size < 4)
+      {
+      *p = 0;                     /* Leave malformed line for error message */
+      errno = ERRNO_SMTPFORMAT;
+      inblock->ptr = ptr;
+      return -1;
+      }
+    }
+
+  /* Need to read a new input packet. */
+
+  if((rc = ip_recv(cctx, inblock->buffer, inblock->buffersize, timelimit)) <= 0)
+    {
+    DEBUG(D_deliver|D_transport|D_acl|D_v)
+      debug_printf_indent(errno ? "  SMTP(%s)<<\n" : "  SMTP(closed)<<\n",
+	strerror(errno));
+    break;
+    }
+
+  /* Another block of data has been successfully read. Set up the pointers
+  and let the loop continue. */
+
+  ptrend = inblock->ptrend = inblock->buffer + rc;
+  ptr = inblock->buffer;
+  DEBUG(D_transport|D_acl) debug_printf_indent("read response data: size=%d\n", rc);
+  }
+
+/* Get here if there has been some kind of recv() error; errno is set, but we
+ensure that the result buffer is empty before returning. */
+
+inblock->ptr = inblock->ptrend = inblock->buffer;
+*buffer = 0;
+return -1;
+}
+
+
+
+
+
+/*************************************************
+*              Read SMTP response                *
+*************************************************/
+
+/* This function reads an SMTP response with a timeout, and returns the
+response in the given buffer, as a string. A multiline response will contain
+newline characters between the lines. The function also analyzes the first
+digit of the reply code and returns FALSE if it is not acceptable. FALSE is
+also returned after a reading error. In this case buffer[0] will be zero, and
+the error code will be in errno.
+
+Arguments:
+  sx        the SMTP connection (contains input block with holding buffer,
+		socket, etc.)
+  buffer    where to put the response
+  size      the size of the buffer
+  okdigit   the expected first digit of the response
+  timeout   the timeout to use, in seconds
+
+Returns:    TRUE if a valid, non-error response was received; else FALSE
+*/
+/*XXX could move to smtp transport; no other users */
+
+BOOL
+smtp_read_response(void * sx0, uschar * buffer, int size, int okdigit,
+   int timeout)
+{
+smtp_context * sx = sx0;
+uschar * ptr = buffer;
+int count = 0;
+time_t timelimit = time(NULL) + timeout;
+BOOL yield = FALSE;
+
+errno = 0;  /* Ensure errno starts out zero */
+buffer[0] = '\0';
+
+#ifndef DISABLE_PIPE_CONNECT
+if (sx->pending_BANNER || sx->pending_EHLO)
+  {
+  int rc;
+  if ((rc = smtp_reap_early_pipe(sx, &count)) != OK)
+    {
+    DEBUG(D_transport) debug_printf("failed reaping pipelined cmd responsess\n");
+    if (rc == DEFER) errno = ERRNO_TLSFAILURE;
+    goto out;
+    }
+  }
+#endif
+
+/* This is a loop to read and concatenate the lines that make up a multi-line
+response. */
+
+for (;;)
+  {
+  if ((count = read_response_line(&sx->inblock, ptr, size, timelimit)) < 0)
+    return FALSE;
+
+  HDEBUG(D_transport|D_acl|D_v)
+    debug_printf_indent("  %s %s\n", ptr == buffer ? "SMTP<<" : "      ", ptr);
+
+  /* Check the format of the response: it must start with three digits; if
+  these are followed by a space or end of line, the response is complete. If
+  they are followed by '-' this is a multi-line response and we must look for
+  another line until the final line is reached. The only use made of multi-line
+  responses is to pass them back as error messages. We therefore just
+  concatenate them all within the buffer, which should be large enough to
+  accept any reasonable number of lines. */
+
+  if (count < 3 ||
+     !isdigit(ptr[0]) ||
+     !isdigit(ptr[1]) ||
+     !isdigit(ptr[2]) ||
+     (ptr[3] != '-' && ptr[3] != ' ' && ptr[3] != 0))
+    {
+    errno = ERRNO_SMTPFORMAT;    /* format error */
+    goto out;
+    }
+
+  /* If the line we have just read is a terminal line, line, we are done.
+  Otherwise more data has to be read. */
+
+  if (ptr[3] != '-') break;
+
+  /* Move the reading pointer upwards in the buffer and insert \n between the
+  components of a multiline response. Space is left for this by read_response_
+  line(). */
+
+  ptr += count;
+  *ptr++ = '\n';
+  size -= count + 1;
+  }
+
+#ifdef TCP_FASTOPEN
+tfo_out_check(sx->cctx.sock);
+#endif
+
+/* Return a value that depends on the SMTP return code. On some systems a
+non-zero value of errno has been seen at this point, so ensure it is zero,
+because the caller of this function looks at errno when FALSE is returned, to
+distinguish between an unexpected return code and other errors such as
+timeouts, lost connections, etc. */
+
+errno = 0;
+yield = buffer[0] == okdigit;
+
+out:
+  smtp_debug_resp(buffer);
+  return yield;
+}
+
+/* End of smtp_out.c */
+/* vi: aw ai sw=2
+*/
diff --git a/src/spam.c b/src/spam.c
new file mode 100644
index 0000000..a68b9bf
--- /dev/null
+++ b/src/spam.c
@@ -0,0 +1,614 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/*
+ * Copyright (c) The Exim Maintainers 2016 - 2022
+ * Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015
+ * License: GPL
+ */
+
+/* Code for calling spamassassin's spamd. Called from acl.c. */
+
+#include "exim.h"
+#ifdef WITH_CONTENT_SCAN
+#include "spam.h"
+
+uschar spam_score_buffer[16];
+uschar spam_score_int_buffer[16];
+uschar spam_bar_buffer[128];
+uschar spam_action_buffer[32];
+uschar spam_report_buffer[32600];
+uschar * prev_user_name = NULL;
+int spam_ok = 0;
+int spam_rc = 0;
+uschar *prev_spamd_address_work = NULL;
+
+static const uschar * loglabel = US"spam acl condition:";
+
+
+static int
+spamd_param_init(spamd_address_container *spamd)
+{
+/* default spamd server weight, time and priority value */
+spamd->is_rspamd = FALSE;
+spamd->is_failed = FALSE;
+spamd->weight = SPAMD_WEIGHT;
+spamd->timeout = SPAMD_TIMEOUT;
+spamd->retry = 0;
+spamd->priority = SPAMD_PRIORITY;
+return 0;
+}
+
+
+static int
+spamd_param(const uschar * param, spamd_address_container * spamd)
+{
+static int timesinceday = -1;
+const uschar * s;
+const uschar * name;
+
+/*XXX more clever parsing could discard embedded spaces? */
+
+if (sscanf(CCS param, "pri=%u", &spamd->priority))
+  return 0; /* OK */
+
+if (sscanf(CCS param, "weight=%u", &spamd->weight))
+  {
+  if (spamd->weight == 0) /* this server disabled: skip it */
+    return 1;
+  return 0; /* OK */
+  }
+
+if (Ustrncmp(param, "time=", 5) == 0)
+  {
+  unsigned int start_h = 0, start_m = 0, start_s = 0;
+  unsigned int end_h = 24, end_m = 0, end_s = 0;
+  unsigned int time_start, time_end;
+  const uschar * end_string;
+
+  name = US"time";
+  s = param+5;
+  if ((end_string = Ustrchr(s, '-')))
+    {
+    end_string++;
+    if (  sscanf(CS end_string, "%u.%u.%u", &end_h,   &end_m,   &end_s)   == 0
+       || sscanf(CS s,          "%u.%u.%u", &start_h, &start_m, &start_s) == 0
+       )
+      goto badval;
+    }
+  else
+    goto badval;
+
+  if (timesinceday < 0)
+    {
+    time_t now = time(NULL);
+    struct tm *tmp = localtime(&now);
+    timesinceday = tmp->tm_hour*3600 + tmp->tm_min*60 + tmp->tm_sec;
+    }
+
+  time_start = start_h*3600 + start_m*60 + start_s;
+  time_end = end_h*3600 + end_m*60 + end_s;
+
+  if (timesinceday < time_start || timesinceday >= time_end)
+    return 1; /* skip spamd server */
+
+  return 0; /* OK */
+  }
+
+if (Ustrcmp(param, "variant=rspamd") == 0)
+  {
+  spamd->is_rspamd = TRUE;
+  return 0;
+  }
+
+if (Ustrncmp(param, "tmo=", 4) == 0)
+  {
+  int sec = readconf_readtime((s = param+4), '\0', FALSE);
+  name = US"timeout";
+  if (sec < 0)
+    goto badval;
+  spamd->timeout = sec;
+  return 0;
+  }
+
+if (Ustrncmp(param, "retry=", 6) == 0)
+  {
+  int sec = readconf_readtime((s = param+6), '\0', FALSE);
+  name = US"retry";
+  if (sec < 0)
+    goto badval;
+  spamd->retry = sec;
+  return 0;
+  }
+
+log_write(0, LOG_MAIN, "%s warning - invalid spamd parameter: '%s'",
+  loglabel, param);
+return -1; /* syntax error */
+
+badval:
+  log_write(0, LOG_MAIN,
+    "%s warning - invalid spamd %s value: '%s'", loglabel, name, s);
+  return -1; /* syntax error */
+}
+
+
+static int
+spamd_get_server(spamd_address_container ** spamds, int num_servers)
+{
+unsigned int i;
+spamd_address_container * sd;
+long weights;
+unsigned pri;
+
+/* speedup, if we have only 1 server */
+if (num_servers == 1)
+  return (spamds[0]->is_failed ? -1 : 0);
+
+/* scan for highest pri */
+for (pri = 0, i = 0; i < num_servers; i++)
+  {
+  sd = spamds[i];
+  if (!sd->is_failed && sd->priority > pri) pri = sd->priority;
+  }
+
+/* get sum of weights */
+for (weights = 0, i = 0; i < num_servers; i++)
+  {
+  sd = spamds[i];
+  if (!sd->is_failed && sd->priority == pri) weights += sd->weight;
+  }
+if (weights == 0)	/* all servers failed */
+  return -1;
+
+for (long rnd = random_number(weights), i = 0; i < num_servers; i++)
+  {
+  sd = spamds[i];
+  if (!sd->is_failed && sd->priority == pri)
+    if ((rnd -= sd->weight) < 0)
+      return i;
+  }
+
+log_write(0, LOG_MAIN|LOG_PANIC,
+  "%s unknown error (memory/cpu corruption?)", loglabel);
+return -1;
+}
+
+
+int
+spam(const uschar **listptr)
+{
+int sep = 0;
+const uschar *list = *listptr;
+uschar *user_name;
+unsigned long mbox_size;
+FILE *mbox_file;
+client_conn_ctx spamd_cctx = {.sock = -1};
+uschar spamd_buffer[32600];
+int i, j, offset, result;
+uschar spamd_version[8];
+uschar spamd_short_result[8];
+uschar spamd_score_char;
+double spamd_threshold, spamd_score, spamd_reject_score;
+int spamd_report_offset;
+uschar *p,*q;
+int override = 0;
+time_t start;
+size_t read, wrote;
+uschar *spamd_address_work;
+spamd_address_container * sd;
+
+/* stop compiler warning */
+result = 0;
+
+/* find the username from the option list */
+if (!(user_name = string_nextinlist(&list, &sep, NULL, 0)))
+  {
+  /* no username given, this means no scanning should be done */
+  return FAIL;
+  }
+
+/* if username is "0" or "false", do not scan */
+if (Ustrcmp(user_name, "0") == 0 || strcmpic(user_name, US"false") == 0)
+  return FAIL;
+
+/* if there is an additional option, check if it is "true" */
+if (strcmpic(list,US"true") == 0)
+  /* in that case, always return true later */
+  override = 1;
+
+/* expand spamd_address if needed */
+if (*spamd_address != '$')
+  spamd_address_work = spamd_address;
+else if (!(spamd_address_work = expand_string(spamd_address)))
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "%s spamd_address starts with $, but expansion failed: %s",
+    loglabel, expand_string_message);
+  return DEFER;
+  }
+
+DEBUG(D_acl) debug_printf_indent("spamd: addrlist '%s'\n", spamd_address_work);
+
+/* check if previous spamd_address was expanded and has changed. dump cached results if so */
+if (  spam_ok
+   && prev_spamd_address_work != NULL
+   && Ustrcmp(prev_spamd_address_work, spamd_address_work) != 0
+   )
+  spam_ok = 0;
+
+/* if we scanned for this username last time, just return */
+if (spam_ok && Ustrcmp(prev_user_name, user_name) == 0)
+  return override ? OK : spam_rc;
+
+/* make sure the eml mbox file is spooled up */
+
+if (!(mbox_file = spool_mbox(&mbox_size, NULL, NULL)))
+  {								/* error while spooling */
+  log_write(0, LOG_MAIN|LOG_PANIC,
+	 "%s error while creating mbox spool file", loglabel);
+  return DEFER;
+  }
+
+start = time(NULL);
+
+  {
+  int num_servers = 0;
+  int current_server;
+  uschar * address;
+  const uschar * spamd_address_list_ptr = spamd_address_work;
+  spamd_address_container * spamd_address_vector[32];
+
+  /* Check how many spamd servers we have
+     and register their addresses */
+  sep = 0;				/* default colon-sep */
+  while ((address = string_nextinlist(&spamd_address_list_ptr, &sep, NULL, 0)))
+    {
+    const uschar * sublist;
+    int sublist_sep = -(int)' ';	/* default space-sep */
+    unsigned args;
+    uschar * s;
+
+    DEBUG(D_acl) debug_printf_indent("spamd: addr entry '%s'\n", address);
+    sd = store_get(sizeof(spamd_address_container), GET_UNTAINTED);
+
+    for (sublist = address, args = 0, spamd_param_init(sd);
+	 (s = string_nextinlist(&sublist, &sublist_sep, NULL, 0));
+	 args++
+	 )
+      {
+	DEBUG(D_acl) debug_printf_indent("spamd:  addr parm '%s'\n", s);
+	switch (args)
+	{
+	case 0:   sd->hostspec = s;
+		  if (*s == '/') args++;	/* local; no port */
+		  break;
+	case 1:   sd->hostspec = string_sprintf("%s %s", sd->hostspec, s);
+		  break;
+	default:  spamd_param(s, sd);
+		  break;
+	}
+      }
+    if (args < 2)
+      {
+      log_write(0, LOG_MAIN,
+	"%s warning - invalid spamd address: '%s'", loglabel, address);
+      continue;
+      }
+
+    spamd_address_vector[num_servers] = sd;
+    if (++num_servers > 31)
+      break;
+    }
+
+  /* check if we have at least one server */
+  if (!num_servers)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC,
+       "%s no useable spamd server addresses in spamd_address configuration option.",
+       loglabel);
+    goto defer;
+    }
+
+  current_server = spamd_get_server(spamd_address_vector, num_servers);
+  sd = spamd_address_vector[current_server];
+  for(;;)
+    {
+    uschar * errstr;
+
+    DEBUG(D_acl) debug_printf_indent("spamd: trying server %s\n", sd->hostspec);
+
+    for (;;)
+      {
+      /*XXX could potentially use TFO early-data here */
+      if (  (spamd_cctx.sock = ip_streamsocket(sd->hostspec, &errstr, 5, NULL)) >= 0
+         || sd->retry <= 0
+	 )
+	break;
+      DEBUG(D_acl) debug_printf_indent("spamd: server %s: retry conn\n", sd->hostspec);
+      while (sd->retry > 0) sd->retry = sleep(sd->retry);
+      }
+    if (spamd_cctx.sock >= 0)
+      break;
+
+    log_write(0, LOG_MAIN, "%s spamd: %s", loglabel, errstr);
+    sd->is_failed = TRUE;
+
+    current_server = spamd_get_server(spamd_address_vector, num_servers);
+    if (current_server < 0)
+      {
+      log_write(0, LOG_MAIN|LOG_PANIC, "%s all spamd servers failed", loglabel);
+      goto defer;
+      }
+    sd = spamd_address_vector[current_server];
+    }
+  }
+
+(void)fcntl(spamd_cctx.sock, F_SETFL, O_NONBLOCK);
+/* now we are connected to spamd on spamd_cctx.sock */
+if (sd->is_rspamd)
+  {
+  gstring * req_str;
+  const uschar * s;
+
+  req_str = string_append(NULL, 8,
+    "CHECK RSPAMC/1.3\r\nContent-length: ", string_sprintf("%lu\r\n", mbox_size),
+    "Queue-Id: ", message_id,
+    "\r\nFrom: <", sender_address,
+    ">\r\nRecipient-Number: ", string_sprintf("%d\r\n", recipients_count));
+
+  for (int i = 0; i < recipients_count; i++)
+    req_str = string_append(req_str, 3,
+      "Rcpt: <", recipients_list[i].address, ">\r\n");
+  if ((s = expand_string(US"$sender_helo_name")) && *s)
+    req_str = string_append(req_str, 3, "Helo: ", s, "\r\n");
+  if ((s = expand_string(US"$sender_host_name")) && *s)
+    req_str = string_append(req_str, 3, "Hostname: ", s, "\r\n");
+  if (sender_host_address)
+    req_str = string_append(req_str, 3, "IP: ", sender_host_address, "\r\n");
+  if ((s = expand_string(US"$authenticated_id")) && *s)
+    req_str = string_append(req_str, 3, "User: ", s, "\r\n");
+  req_str = string_catn(req_str, US"\r\n", 2);
+  wrote = send(spamd_cctx.sock, req_str->s, req_str->ptr, 0);
+  }
+else
+  {				/* spamassassin variant */
+  int n;
+  uschar * s = string_sprintf(
+	  "REPORT SPAMC/1.2\r\nUser: %s\r\nContent-length: %ld\r\n\r\n%n",
+	  user_name, mbox_size, &n);
+  /* send our request */
+  wrote = send(spamd_cctx.sock, s, n, 0);
+  }
+
+if (wrote == -1)
+  {
+  (void)close(spamd_cctx.sock);
+  log_write(0, LOG_MAIN|LOG_PANIC,
+       "%s spamd %s send failed: %s", loglabel, callout_address, strerror(errno));
+  goto defer;
+  }
+
+/* now send the file */
+/* spamd sometimes accepts connections but doesn't read data off the connection.
+We make the file descriptor non-blocking so that the write will only write
+sufficient data without blocking and we poll the descriptor to make sure that we
+can write without blocking.  Short writes are gracefully handled and if the
+whole transaction takes too long it is aborted.
+
+Note: poll() is not supported in OSX 10.2 and is reported to be broken in more
+      recent versions (up to 10.4). Workaround using select() removed 2021/11 (jgh).
+ */
+#ifdef NO_POLL_H
+# error Need poll(2) support
+#endif
+
+(void)fcntl(spamd_cctx.sock, F_SETFL, O_NONBLOCK);
+do
+  {
+  read = fread(spamd_buffer,1,sizeof(spamd_buffer),mbox_file);
+  if (read > 0)
+    {
+    offset = 0;
+again:
+    result = poll_one_fd(spamd_cctx.sock, POLLOUT, 1000);
+    if (result == -1 && errno == EINTR)
+      goto again;
+    else if (result < 1)
+      {
+      if (result == -1)
+	log_write(0, LOG_MAIN|LOG_PANIC,
+	  "%s %s on spamd %s socket", loglabel, callout_address, strerror(errno));
+      else
+	{
+	if (time(NULL) - start < sd->timeout)
+	  goto again;
+	log_write(0, LOG_MAIN|LOG_PANIC,
+	  "%s timed out writing spamd %s, socket", loglabel, callout_address);
+	}
+      (void)close(spamd_cctx.sock);
+      goto defer;
+      }
+
+    wrote = send(spamd_cctx.sock,spamd_buffer + offset,read - offset,0);
+    if (wrote == -1)
+      {
+      log_write(0, LOG_MAIN|LOG_PANIC,
+	  "%s %s on spamd %s socket", loglabel, callout_address, strerror(errno));
+      (void)close(spamd_cctx.sock);
+      goto defer;
+      }
+    if (offset + wrote != read)
+      {
+      offset += wrote;
+      goto again;
+      }
+    }
+  }
+while (!feof(mbox_file) && !ferror(mbox_file));
+
+if (ferror(mbox_file))
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "%s error reading spool file: %s", loglabel, strerror(errno));
+  (void)close(spamd_cctx.sock);
+  goto defer;
+  }
+
+(void)fclose(mbox_file);
+
+/* we're done sending, close socket for writing */
+if (!sd->is_rspamd)
+  shutdown(spamd_cctx.sock,SHUT_WR);
+
+/* read spamd response using what's left of the timeout.  */
+memset(spamd_buffer, 0, sizeof(spamd_buffer));
+offset = 0;
+while ((i = ip_recv(&spamd_cctx,
+		   spamd_buffer + offset,
+		   sizeof(spamd_buffer) - offset - 1,
+		   sd->timeout + start)) > 0)
+  offset += i;
+spamd_buffer[offset] = '\0';	/* guard byte */
+
+/* error handling */
+if (i <= 0 && errno != 0)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC,
+       "%s error reading from spamd %s, socket: %s", loglabel, callout_address, strerror(errno));
+  (void)close(spamd_cctx.sock);
+  return DEFER;
+  }
+
+/* reading done */
+(void)close(spamd_cctx.sock);
+
+if (sd->is_rspamd)
+  {				/* rspamd variant of reply */
+  int r;
+  if (  (r = sscanf(CS spamd_buffer,
+	  "RSPAMD/%7s 0 EX_OK\r\nMetric: default; %7s %lf / %lf / %lf\r\n%n",
+	  spamd_version, spamd_short_result, &spamd_score, &spamd_threshold,
+	  &spamd_reject_score, &spamd_report_offset)) != 5
+     || spamd_report_offset >= offset		/* verify within buffer */
+     )
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC,
+	      "%s cannot parse spamd %s, output: %d", loglabel, callout_address, r);
+    return DEFER;
+    }
+  /* now parse action */
+  p = &spamd_buffer[spamd_report_offset];
+
+  if (Ustrncmp(p, "Action: ", sizeof("Action: ") - 1) == 0)
+    {
+    p += sizeof("Action: ") - 1;
+    q = &spam_action_buffer[0];
+    while (*p && *p != '\r' && (q - spam_action_buffer) < sizeof(spam_action_buffer) - 1)
+      *q++ = *p++;
+    *q = '\0';
+    }
+  }
+else
+  {				/* spamassassin */
+  /* dig in the spamd output and put the report in a multiline header,
+  if requested */
+  if (sscanf(CS spamd_buffer,
+       "SPAMD/%7s 0 EX_OK\r\nContent-length: %*u\r\n\r\n%lf/%lf\r\n%n",
+       spamd_version,&spamd_score,&spamd_threshold,&spamd_report_offset) != 3)
+    {
+      /* try to fall back to pre-2.50 spamd output */
+      if (sscanf(CS spamd_buffer,
+	   "SPAMD/%7s 0 EX_OK\r\nSpam: %*s ; %lf / %lf\r\n\r\n%n",
+	   spamd_version,&spamd_score,&spamd_threshold,&spamd_report_offset) != 3)
+	{
+	log_write(0, LOG_MAIN|LOG_PANIC,
+		  "%s cannot parse spamd %s output", loglabel, callout_address);
+	return DEFER;
+	}
+    }
+
+  Ustrcpy(spam_action_buffer,
+    spamd_score >= spamd_threshold ? US"reject" : US"no action");
+  }
+
+/* Create report. Since this is a multiline string,
+we must hack it into shape first */
+p = &spamd_buffer[spamd_report_offset];
+q = spam_report_buffer;
+while (*p != '\0')
+  {
+  /* skip \r */
+  if (*p == '\r')
+    {
+    p++;
+    continue;
+    }
+  *q++ = *p;
+  if (*p++ == '\n')
+    {
+    /* add an extra space after the newline to ensure
+    that it is treated as a header continuation line */
+    *q++ = ' ';
+    }
+  }
+/* NULL-terminate */
+*q-- = '\0';
+/* cut off trailing leftovers */
+while (*q <= ' ')
+  *q-- = '\0';
+
+spam_report = spam_report_buffer;
+spam_action = spam_action_buffer;
+
+/* create spam bar */
+spamd_score_char = spamd_score > 0 ? '+' : '-';
+j = abs((int)(spamd_score));
+i = 0;
+if (j != 0)
+  while ((i < j) && (i <= MAX_SPAM_BAR_CHARS))
+     spam_bar_buffer[i++] = spamd_score_char;
+else
+  {
+  spam_bar_buffer[0] = '/';
+  i = 1;
+  }
+spam_bar_buffer[i] = '\0';
+spam_bar = spam_bar_buffer;
+
+/* create "float" spam score */
+(void)string_format(spam_score_buffer, sizeof(spam_score_buffer),
+	"%.1f", spamd_score);
+spam_score = spam_score_buffer;
+
+/* create "int" spam score */
+j = (int)((spamd_score + 0.001)*10);
+(void)string_format(spam_score_int_buffer, sizeof(spam_score_int_buffer),
+	"%d", j);
+spam_score_int = spam_score_int_buffer;
+
+/* compare threshold against score */
+spam_rc = spamd_score >= spamd_threshold
+  ? OK	/* spam as determined by user's threshold */
+  : FAIL;	/* not spam */
+
+/* remember expanded spamd_address if needed */
+if (spamd_address_work != spamd_address)
+  prev_spamd_address_work = string_copy(spamd_address_work);
+
+/* remember user name and "been here" for it */
+prev_user_name = user_name;
+spam_ok = 1;
+
+return override
+  ? OK		/* always return OK, no matter what the score */
+  : spam_rc;
+
+defer:
+  (void)fclose(mbox_file);
+  return DEFER;
+}
+
+#endif
+/* vi: aw ai sw=2
+*/
diff --git a/src/spam.h b/src/spam.h
new file mode 100644
index 0000000..cc36ffd
--- /dev/null
+++ b/src/spam.h
@@ -0,0 +1,40 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015 */
+/* Copyright (c) The Exim Maintainers 2021 */
+/* License: GPL */
+
+/* spam defines */
+
+#ifdef WITH_CONTENT_SCAN
+
+/* timeout for reading and writing spamd */
+#define SPAMD_TIMEOUT 120
+
+/* maximum length of the spam bar, please update the
+ * spec, the max length is mentioned there */
+#define MAX_SPAM_BAR_CHARS 50
+
+/* SHUT_WR seems to be undefined on Unixware ? */
+#ifndef SHUT_WR
+# define SHUT_WR 1
+#endif
+
+/* Defaults */
+#define SPAMD_WEIGHT 1
+#define SPAMD_PRIORITY 1
+
+typedef struct spamd_address_container
+{
+  uschar * hostspec;
+  int is_rspamd:1;
+  int is_failed:1;
+  unsigned int weight;
+  unsigned int timeout;
+  unsigned int retry;
+  unsigned int priority;
+} spamd_address_container;
+
+#endif
diff --git a/src/spf.c b/src/spf.c
new file mode 100644
index 0000000..db6eea3
--- /dev/null
+++ b/src/spf.c
@@ -0,0 +1,420 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* SPF support.
+   Copyright (c) The Exim Maintainers 2015 - 2022
+   Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
+   License: GPL
+*/
+
+/* Code for calling spf checks via libspf-alt. Called from acl.c. */
+
+#include "exim.h"
+#ifdef SUPPORT_SPF
+
+/* must be kept in numeric order */
+static spf_result_id spf_result_id_list[] = {
+  /* name		value */
+  { US"invalid",	0},
+  { US"neutral",	1 },
+  { US"pass",		2 },
+  { US"fail",		3 },
+  { US"softfail",	4 },
+  { US"none",		5 },
+  { US"temperror",	6 }, /* RFC 4408 defined */
+  { US"permerror",	7 }  /* RFC 4408 defined */
+};
+
+SPF_server_t    *spf_server = NULL;
+SPF_request_t   *spf_request = NULL;
+SPF_response_t  *spf_response = NULL;
+SPF_response_t  *spf_response_2mx = NULL;
+
+SPF_dns_rr_t  * spf_nxdomain = NULL;
+
+
+gstring *
+spf_lib_version_report(gstring * g)
+{
+int maj, min, patch;
+
+SPF_get_lib_version(&maj, &min, &patch);
+g = string_fmt_append(g, "Library version: spf2: Compile: %d.%d.%d\n",
+	SPF_LIB_VERSION_MAJOR, SPF_LIB_VERSION_MINOR, SPF_LIB_VERSION_PATCH);
+g = string_fmt_append(g,    "                       Runtime: %d.%d.%d\n",
+	 maj, min, patch);
+return g;
+}
+
+
+
+static SPF_dns_rr_t *
+SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
+  const char *domain, ns_type rr_type, int should_cache)
+{
+dns_answer * dnsa = store_get_dns_answer();
+dns_scan dnss;
+SPF_dns_rr_t * spfrr;
+unsigned found = 0;
+
+SPF_dns_rr_t srr = {
+  .domain = CS domain,			/* query information */
+  .domain_buf_len = 0,
+  .rr_type = rr_type,
+
+  .rr_buf_len = 0,			/* answer information */
+  .rr_buf_num = 0, /* no free of s */
+  .utc_ttl = 0,
+
+  .hook = NULL,				/* misc information */
+  .source = spf_dns_server
+};
+int dns_rc;
+
+DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", domain);
+
+/* Shortcircuit SPF RR lookups by returning NO_DATA.  They were obsoleted by
+RFC 6686/7208 years ago. see bug #1294 */
+
+if (rr_type == T_SPF)
+  {
+  HDEBUG(D_host_lookup) debug_printf("faking NO_DATA for SPF RR(99) lookup\n");
+  srr.herrno = NO_DATA;
+  SPF_dns_rr_dup(&spfrr, &srr);
+  store_free_dns_answer(dnsa);
+  return spfrr;
+  }
+
+switch (dns_rc = dns_lookup(dnsa, US domain, rr_type, NULL))
+  {
+  case DNS_SUCCEED:	srr.herrno = NETDB_SUCCESS;	break;
+  case DNS_AGAIN:	srr.herrno = TRY_AGAIN;		break;
+  case DNS_NOMATCH:	srr.herrno = HOST_NOT_FOUND;	break;
+  case DNS_NODATA:	srr.herrno = NO_DATA;		break;
+  case DNS_FAIL:
+  default:		srr.herrno = NO_RECOVERY;	break;
+  }
+
+for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
+  if (rr->type == rr_type) found++;
+
+if (found == 0)
+  {
+  SPF_dns_rr_dup(&spfrr, &srr);
+  store_free_dns_answer(dnsa);
+  return spfrr;
+  }
+
+srr.rr = store_malloc(sizeof(SPF_dns_rr_data_t) * found);
+
+found = 0;
+for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+   rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
+  if (rr->type == rr_type)
+    {
+    const uschar * s = rr->data;
+
+    srr.ttl = rr->ttl;
+    switch(rr_type)
+      {
+      case T_MX:
+	s += 2;	/* skip the MX precedence field */
+      case T_PTR:
+	{
+	uschar * buf = store_malloc(256);
+	(void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
+	  (DN_EXPAND_ARG4_TYPE)buf, 256);
+	s = buf;
+	break;
+	}
+
+      case T_TXT:
+	{
+	gstring * g = NULL;
+	uschar chunk_len;
+
+	if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
+	  {
+	  HDEBUG(D_host_lookup) debug_printf("not an spf record: %.*s\n",
+	    (int) s[0], s+1);
+	  continue;
+	  }
+
+	for (int off = 0; off < rr->size; off += chunk_len)
+	  {
+	  if (!(chunk_len = s[off++])) break;
+	  g = string_catn(g, s+off, chunk_len);
+	  }
+	if (!g)
+	  continue;
+	gstring_release_unused(g);
+	s = string_copy_malloc(string_from_gstring(g));
+	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", s);
+	break;
+	}
+
+      case T_A:
+      case T_AAAA:
+      default:
+	{
+	uschar * buf = store_malloc(dnsa->answerlen + 1);
+	s = memcpy(buf, s, dnsa->answerlen + 1);
+	break;
+	}
+      }
+    srr.rr[found++] = (void *) s;
+    }
+
+/* Did we filter out all TXT RRs? Return NO_DATA instead of SUCCESS with
+empty ANSWER section. */
+
+if (!(srr.num_rr = found))
+  srr.herrno = NO_DATA;
+
+/* spfrr->rr must have been malloc()d for this */
+SPF_dns_rr_dup(&spfrr, &srr);
+store_free_dns_answer(dnsa);
+return spfrr;
+}
+
+
+
+SPF_dns_server_t *
+SPF_dns_exim_new(int debug)
+{
+SPF_dns_server_t * spf_dns_server = store_malloc(sizeof(SPF_dns_server_t));
+
+DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");
+
+memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
+spf_dns_server->destroy      = NULL;
+spf_dns_server->lookup       = SPF_dns_exim_lookup;
+spf_dns_server->get_spf      = NULL;
+spf_dns_server->get_exp      = NULL;
+spf_dns_server->add_cache    = NULL;
+spf_dns_server->layer_below  = NULL;
+spf_dns_server->name         = "exim";
+spf_dns_server->debug        = debug;
+
+/* XXX This might have to return NO_DATA sometimes. */
+
+spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
+  "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
+if (!spf_nxdomain)
+  {
+  free(spf_dns_server);
+  return NULL;
+  }
+
+return spf_dns_server;
+}
+
+
+
+
+/* Construct the SPF library stack.
+   Return: Boolean success.
+*/
+
+BOOL
+spf_init(void)
+{
+SPF_dns_server_t * dc;
+int debug = 0;
+const uschar *s;
+
+DEBUG(D_receive) debug = 1;
+
+/* We insert our own DNS access layer rather than letting the spf library
+do it, so that our dns access path is used for debug tracing and for the
+testsuite. */
+
+if (!(dc = SPF_dns_exim_new(debug)))
+  {
+  DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
+  return FALSE;
+  }
+if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
+  {
+  DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
+  return FALSE;
+  }
+if (!(spf_server = SPF_server_new_dns(dc, debug)))
+  {
+  DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
+  return FALSE;
+  }
+  /* Override the outdated explanation URL.
+  See https://www.mail-archive.com/mailop@mailop.org/msg08019.html
+  Used to work as "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}",
+  but is broken now (May 18th, 2020) */
+if (!(s = expand_string(spf_smtp_comment_template)))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "expansion of spf_smtp_comment_template failed");
+
+SPF_server_set_explanation(spf_server, CCS s, &spf_response);
+if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));
+
+return TRUE;
+}
+
+
+/* Set up a context that can be re-used for several
+   messages on the same SMTP connection (that come from the
+   same host with the same HELO string).
+
+Return: Boolean success
+*/
+
+BOOL
+spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
+{
+DEBUG(D_receive)
+  debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);
+
+if (!spf_server && !spf_init()) return FALSE;
+
+if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
+  {
+  DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
+    primary_hostname);
+  spf_server = NULL;
+  return FALSE;
+  }
+
+spf_request = SPF_request_new(spf_server);
+
+if (  SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
+   && SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
+   )
+  {
+  DEBUG(D_receive)
+    debug_printf("spf: SPF_request_set_ipv4_str() and "
+      "SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
+  spf_server = NULL;
+  spf_request = NULL;
+  return FALSE;
+  }
+
+if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
+  {
+  DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
+    spf_helo_domain);
+  spf_server = NULL;
+  spf_request = NULL;
+  return FALSE;
+  }
+
+return TRUE;
+}
+
+
+void
+spf_response_debug(SPF_response_t * spf_response)
+{
+if (SPF_response_messages(spf_response) == 0)
+  debug_printf(" (no errors)\n");
+else for (int i = 0; i < SPF_response_messages(spf_response); i++)
+  {
+  SPF_error_t * err = SPF_response_message(spf_response, i);
+  debug_printf( "%s_msg = (%d) %s\n",
+		  (SPF_error_errorp(err) ? "warn" : "err"),
+		  SPF_error_code(err),
+		  SPF_error_message(err));
+  }
+}
+
+
+/* spf_process adds the envelope sender address to the existing
+   context (if any), retrieves the result, sets up expansion
+   strings and evaluates the condition outcome.
+
+Return: OK/FAIL  */
+
+int
+spf_process(const uschar **listptr, uschar *spf_envelope_sender, int action)
+{
+int sep = 0;
+const uschar *list = *listptr;
+uschar *spf_result_id;
+int rc = SPF_RESULT_PERMERROR;
+
+DEBUG(D_receive) debug_printf("spf_process\n");
+
+if (!(spf_server && spf_request))
+  /* no global context, assume temp error and skip to evaluation */
+  rc = SPF_RESULT_PERMERROR;
+
+else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
+  /* Invalid sender address. This should be a real rare occurrence */
+  rc = SPF_RESULT_PERMERROR;
+
+else
+  {
+  /* get SPF result */
+  if (action == SPF_PROCESS_FALLBACK)
+    {
+    SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
+    spf_result_guessed = TRUE;
+    }
+  else
+    SPF_request_query_mailfrom(spf_request, &spf_response);
+
+  /* set up expansion items */
+  spf_header_comment     = US SPF_response_get_header_comment(spf_response);
+  spf_received           = US SPF_response_get_received_spf(spf_response);
+  spf_result             = US SPF_strresult(SPF_response_result(spf_response));
+  spf_smtp_comment       = US SPF_response_get_smtp_comment(spf_response);
+
+  rc = SPF_response_result(spf_response);
+
+  DEBUG(D_acl) spf_response_debug(spf_response);
+  }
+
+/* We got a result. Now see if we should return OK or FAIL for it */
+DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);
+
+if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
+  return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);
+
+while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
+  {
+  BOOL negate, result;
+
+  if ((negate = spf_result_id[0] == '!'))
+    spf_result_id++;
+
+  result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
+  if (negate != result) return OK;
+  }
+
+/* no match */
+return FAIL;
+}
+
+
+
+gstring *
+authres_spf(gstring * g)
+{
+uschar * s;
+if (!spf_result) return g;
+
+g = string_append(g, 2, US";\n\tspf=", spf_result);
+if (spf_result_guessed)
+  g = string_cat(g, US" (best guess record for domain)");
+
+s = expand_string(US"$sender_address_domain");
+if (s && *s)
+  return string_append(g, 2, US" smtp.mailfrom=", s);
+
+s = sender_helo_name;
+return s && *s
+  ? string_append(g, 2, US" smtp.helo=", s)
+  : string_cat(g, US" smtp.mailfrom=<>");
+}
+
+
+#endif
diff --git a/src/spf.h b/src/spf.h
new file mode 100644
index 0000000..f32d069
--- /dev/null
+++ b/src/spf.h
@@ -0,0 +1,38 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Experimental SPF support.
+   Copyright (c) The Exim Maintainers 2016 - 2022
+   Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004
+   License: GPL
+*/
+
+#ifdef SUPPORT_SPF
+
+/* Yes, we do have ns_type. spf.h redefines it if we don't set this. Doh */
+#if !defined(HAVE_NS_TYPE) && defined(NS_INADDRSZ)
+# define HAVE_NS_TYPE
+#endif
+#include <spf2/spf.h>
+
+#include <spf2/spf_dns_resolv.h>
+#include <spf2/spf_dns_cache.h>
+
+typedef struct spf_result_id {
+  uschar *name;
+  int    value;
+} spf_result_id;
+
+/* prototypes */
+gstring * spf_lib_version_report(gstring *);
+BOOL spf_init(void);
+BOOL spf_conn_init(uschar *, uschar *);
+int  spf_process(const uschar **, uschar *, int);
+void spf_response_debug(SPF_response_t *);
+
+#define SPF_PROCESS_NORMAL  0
+#define SPF_PROCESS_GUESS   1
+#define SPF_PROCESS_FALLBACK    2
+
+#endif
diff --git a/src/spool_in.c b/src/spool_in.c
new file mode 100644
index 0000000..2aa0b0b
--- /dev/null
+++ b/src/spool_in.c
@@ -0,0 +1,1094 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions for reading spool files. When compiling for a utility (eximon),
+not all are needed, and some functionality can be cut out. */
+
+
+#include "exim.h"
+
+
+
+#ifndef COMPILE_UTILITY
+/*************************************************
+*           Open and lock data file              *
+*************************************************/
+
+/* The data file is the one that is used for locking, because the header file
+can get replaced during delivery because of header rewriting. The file has
+to opened with write access so that we can get an exclusive lock, but in
+fact it won't be written to. Just in case there's a major disaster (e.g.
+overwriting some other file descriptor with the value of this one), open it
+with append.
+
+As called by deliver_message() (at least) we are operating as root.
+
+Argument: the id of the message
+Returns:  fd if file successfully opened and locked, else -1
+
+Side effect: message_subdir is set for the (possibly split) spool directory
+*/
+
+int
+spool_open_datafile(uschar *id)
+{
+struct stat statbuf;
+flock_t lock_data;
+int fd;
+
+/* If split_spool_directory is set, first look for the file in the appropriate
+sub-directory of the input directory. If it is not found there, try the input
+directory itself, to pick up leftovers from before the splitting. If split_
+spool_directory is not set, first look in the main input directory. If it is
+not found there, try the split sub-directory, in case it is left over from a
+splitting state. */
+
+for (int i = 0; i < 2; i++)
+  {
+  uschar * fname;
+  int save_errno;
+
+  set_subdir_str(message_subdir, id, i);
+  fname = spool_fname(US"input", message_subdir, id, US"-D");
+  DEBUG(D_deliver) debug_printf_indent("Trying spool file %s\n", fname);
+
+  /* We protect against symlink attacks both in not propagating the
+   * file-descriptor to other processes as we exec, and also ensuring that we
+   * don't even open symlinks.
+   * No -D file inside the spool area should be a symlink.
+   */
+  if ((fd = Uopen(fname,
+#ifdef O_CLOEXEC
+		      O_CLOEXEC |
+#endif
+#ifdef O_NOFOLLOW
+		      O_NOFOLLOW |
+#endif
+		      O_RDWR | O_APPEND, 0)) >= 0)
+    break;
+  save_errno = errno;
+  if (errno == ENOENT)
+    {
+    if (i == 0) continue;
+    if (!f.queue_running)
+      log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
+	*queue_name ? US" Q=" : US"",
+	*queue_name ? queue_name : US"",
+	id);
+    }
+  else
+    log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
+  errno = save_errno;
+  return -1;
+  }
+
+/* File is open and message_subdir is set. Set the close-on-exec flag, and lock
+the file. We lock only the first line of the file (containing the message ID)
+because this apparently is needed for running Exim under Cygwin. If the entire
+file is locked in one process, a sub-process cannot access it, even when passed
+an open file descriptor (at least, I think that's the Cygwin story). On real
+Unix systems it doesn't make any difference as long as Exim is consistent in
+what it locks. */
+
+#ifndef O_CLOEXEC
+(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
+#endif
+
+lock_data.l_type = F_WRLCK;
+lock_data.l_whence = SEEK_SET;
+lock_data.l_start = 0;
+lock_data.l_len = SPOOL_DATA_START_OFFSET;
+
+if (fcntl(fd, F_SETLK, &lock_data) < 0)
+  {
+  log_write(L_skip_delivery, LOG_MAIN,
+      "Spool file for %s is locked (another process is handling this message)",
+      id);
+  (void)close(fd);
+  errno = 0;
+  return -1;
+  }
+
+/* Get the size of the data; don't include the leading filename line
+in the count, but add one for the newline before the data. */
+
+if (fstat(fd, &statbuf) == 0)
+  {
+  message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
+  message_size = message_body_size + 1;
+  }
+
+return fd;
+}
+#endif  /* COMPILE_UTILITY */
+
+
+
+/*************************************************
+*    Read non-recipients tree from spool file    *
+*************************************************/
+
+/* The tree of non-recipients is written to the spool file in a form that
+makes it easy to read back into a tree. The format is as follows:
+
+   . Each node is preceded by two letter(Y/N) indicating whether it has left
+     or right children. There's one space after the two flags, before the name.
+
+   . The left subtree (if any) then follows, then the right subtree (if any).
+
+This function is entered with the next input line in the buffer. Note we must
+save the right flag before recursing with the same buffer.
+
+Once the tree is read, we re-construct the balance fields by scanning the tree.
+I forgot to write them out originally, and the compatible fix is to do it this
+way. This initial local recursing function does the necessary.
+
+Arguments:
+  node      tree node
+
+Returns:    maximum depth below the node, including the node itself
+*/
+
+static int
+count_below(tree_node *node)
+{
+int nleft, nright;
+if (node == NULL) return 0;
+nleft = count_below(node->left);
+nright = count_below(node->right);
+node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
+return 1 + ((nleft > nright)? nleft : nright);
+}
+
+/* This is the real function...
+
+Arguments:
+  connect      pointer to the root of the tree
+  f            FILE to read data from
+  buffer       contains next input line; further lines read into it
+  buffer_size  size of the buffer
+
+Returns:       FALSE on format error
+*/
+
+static BOOL
+read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
+  int buffer_size)
+{
+tree_node *node;
+int n = Ustrlen(buffer);
+BOOL right = buffer[1] == 'Y';
+
+if (n < 5) return FALSE;    /* malformed line */
+buffer[n-1] = 0;            /* Remove \n */
+node = store_get(sizeof(tree_node) + n - 3, GET_TAINTED);	/* rcpt names tainted */
+*connect = node;
+Ustrcpy(node->name, buffer + 3);
+node->data.ptr = NULL;
+
+if (buffer[0] == 'Y')
+  {
+  if (Ufgets(buffer, buffer_size, f) == NULL ||
+    !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
+      return FALSE;
+  }
+else node->left = NULL;
+
+if (right)
+  {
+  if (Ufgets(buffer, buffer_size, f) == NULL ||
+    !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
+      return FALSE;
+  }
+else node->right = NULL;
+
+(void) count_below(*connect);
+return TRUE;
+}
+
+
+
+
+/* Reset all the global variables to their default values. However, there is
+one exception. DO NOT change the default value of dont_deliver, because it may
+be forced by an external setting. */
+
+void
+spool_clear_header_globals(void)
+{
+acl_var_c = acl_var_m = NULL;
+authenticated_id = NULL;
+authenticated_sender = NULL;
+f.allow_unqualified_recipient = FALSE;
+f.allow_unqualified_sender = FALSE;
+body_linecount = 0;
+body_zerocount = 0;
+f.deliver_firsttime = FALSE;
+f.deliver_freeze = FALSE;
+deliver_frozen_at = 0;
+f.deliver_manual_thaw = FALSE;
+/* f.dont_deliver must NOT be reset */
+header_list = header_last = NULL;
+host_lookup_deferred = FALSE;
+host_lookup_failed = FALSE;
+interface_address = NULL;
+interface_port = 0;
+f.local_error_message = FALSE;
+#ifdef HAVE_LOCAL_SCAN
+local_scan_data = NULL;
+#endif
+max_received_linelength = 0;
+message_linecount = 0;
+received_protocol = NULL;
+received_count = 0;
+recipients_list = NULL;
+sender_address = NULL;
+sender_fullhost = NULL;
+sender_helo_name = NULL;
+sender_host_address = NULL;
+sender_host_name = NULL;
+sender_host_port = 0;
+sender_host_authenticated = sender_host_auth_pubname = NULL;
+sender_ident = NULL;
+f.sender_local = FALSE;
+f.sender_set_untrusted = FALSE;
+smtp_active_hostname = primary_hostname;
+#ifndef COMPILE_UTILITY
+f.spool_file_wireformat = FALSE;
+#endif
+tree_nonrecipients = NULL;
+
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+bmi_run = 0;
+bmi_verdicts = NULL;
+#endif
+
+#ifndef DISABLE_DKIM
+dkim_signers = NULL;
+f.dkim_disable_verify = FALSE;
+dkim_collect_input = 0;
+#endif
+
+#ifndef DISABLE_TLS
+tls_in.certificate_verified = FALSE;
+# ifdef SUPPORT_DANE
+tls_in.dane_verified = FALSE;
+# endif
+tls_in.ver = tls_in.cipher = NULL;
+# ifndef COMPILE_UTILITY	/* tls support fns not built in */
+tls_free_cert(&tls_in.ourcert);
+tls_free_cert(&tls_in.peercert);
+# endif
+tls_in.peerdn = NULL;
+tls_in.sni = NULL;
+tls_in.ocsp = OCSP_NOT_REQ;
+#endif
+
+#ifdef WITH_CONTENT_SCAN
+spam_bar = NULL;
+spam_score = NULL;
+spam_score_int = NULL;
+#endif
+
+#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
+message_smtputf8 = FALSE;
+message_utf8_downconvert = 0;
+#endif
+
+#ifndef COMPILE_UTILITY
+debuglog_name[0] = '\0';
+#endif
+dsn_ret = 0;
+dsn_envid = NULL;
+}
+
+static void *
+fgets_big_buffer(FILE *fp)
+{
+int len = 0;
+
+big_buffer[0] = 0;
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) return NULL;
+
+while ((len = Ustrlen(big_buffer)) == big_buffer_size-1
+      && big_buffer[len-1] != '\n')
+  {
+  uschar *newbuffer;
+  int newsize;
+
+  if (big_buffer_size >= BIG_BUFFER_SIZE * 4) return NULL;
+  newsize = big_buffer_size * 2;
+  newbuffer = store_get_perm(newsize, FALSE);
+  memcpy(newbuffer, big_buffer, len);
+
+  big_buffer = newbuffer;
+  big_buffer_size = newsize;
+  if (Ufgets(big_buffer + len, big_buffer_size - len, fp) == NULL) return NULL;
+  }
+
+if (len <= 0 || big_buffer[len-1] != '\n') return NULL;
+return big_buffer;
+}
+
+
+
+/*************************************************
+*             Read spool header file             *
+*************************************************/
+
+/* This function reads a spool header file and places the data into the
+appropriate global variables. The header portion is always read, but header
+structures are built only if read_headers is set true. It isn't, for example,
+while generating -bp output.
+
+It may be possible for blocks of nulls (binary zeroes) to get written on the
+end of a file if there is a system crash during writing. It was observed on an
+earlier version of Exim that omitted to fsync() the files - this is thought to
+have been the cause of that incident, but in any case, this code must be robust
+against such an event, and if such a file is encountered, it must be treated as
+malformed.
+
+As called from deliver_message() (at least) we are running as root.
+
+Arguments:
+  name          name of the header file, including the -H
+  read_headers  TRUE if in-store header structures are to be built
+  subdir_set    TRUE is message_subdir is already set
+
+Returns:        spool_read_OK        success
+                spool_read_notopen   open failed
+                spool_read_enverror  error in the envelope portion
+                spool_read_hdrerror  error in the header portion
+*/
+
+int
+spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
+{
+FILE * fp = NULL;
+int n;
+int rcount = 0;
+long int uid, gid;
+BOOL inheader = FALSE;
+
+/* Reset all the global variables to their default values. However, there is
+one exception. DO NOT change the default value of dont_deliver, because it may
+be forced by an external setting. */
+
+spool_clear_header_globals();
+
+/* Generate the full name and open the file. If message_subdir is already
+set, just look in the given directory. Otherwise, look in both the split
+and unsplit directories, as for the data file above. */
+
+for (int n = 0; n < 2; n++)
+  {
+  if (!subdir_set)
+    set_subdir_str(message_subdir, name, n);
+
+  if ((fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
+    break;
+  if (n != 0 || subdir_set || errno != ENOENT)
+    return spool_read_notopen;
+  }
+
+errno = 0;
+
+#ifndef COMPILE_UTILITY
+DEBUG(D_deliver) debug_printf_indent("reading spool file %s\n", name);
+#endif  /* COMPILE_UTILITY */
+
+/* The first line of a spool file contains the message id followed by -H (i.e.
+the file name), in order to make the file self-identifying. */
+
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
+if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
+    Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
+  goto SPOOL_FORMAT_ERROR;
+
+/* The next three lines in the header file are in a fixed format. The first
+contains the login, uid, and gid of the user who caused the file to be written.
+There are known cases where a negative gid is used, so we allow for both
+negative uids and gids. The second contains the mail address of the message's
+sender, enclosed in <>. The third contains the time the message was received,
+and the number of warning messages for delivery delays that have been sent. */
+
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
+
+ {
+  uschar *p = big_buffer + Ustrlen(big_buffer);
+  while (p > big_buffer && isspace(p[-1])) p--;
+  *p = 0;
+  if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
+  while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
+  gid = Uatoi(p);
+  if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
+  *p = 0;
+  if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
+  while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
+  uid = Uatoi(p);
+  if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
+  *p = 0;
+ }
+
+originator_login = string_copy(big_buffer);
+originator_uid = (uid_t)uid;
+originator_gid = (gid_t)gid;
+
+/* envelope from */
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
+n = Ustrlen(big_buffer);
+if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
+  goto SPOOL_FORMAT_ERROR;
+
+sender_address = store_get(n-2, GET_TAINTED);
+Ustrncpy(sender_address, big_buffer+1, n-3);
+sender_address[n-3] = 0;
+
+/* time */
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
+if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
+  goto SPOOL_FORMAT_ERROR;
+received_time.tv_usec = 0;
+received_time_complete = received_time;
+
+
+message_age = time(NULL) - received_time.tv_sec;
+#ifndef COMPILE_UTILITY
+if (f.running_in_test_harness)
+  message_age = test_harness_fudged_queue_time(message_age);
+#endif
+
+#ifndef COMPILE_UTILITY
+DEBUG(D_deliver) debug_printf_indent("user=%s uid=%ld gid=%ld sender=%s\n",
+  originator_login, (long int)originator_uid, (long int)originator_gid,
+  sender_address);
+#endif
+
+/* Now there may be a number of optional lines, each starting with "-". If you
+add a new setting here, make sure you set the default above.
+
+Because there are now quite a number of different possibilities, we use a
+switch on the first character to avoid too many failing tests. Thanks to Nico
+Erfurth for the patch that implemented this. I have made it even more efficient
+by not re-scanning the first two characters.
+
+To allow new versions of Exim that add additional flags to interwork with older
+versions that do not understand them, just ignore any lines starting with "-"
+that we don't recognize. Otherwise it wouldn't be possible to back off a new
+version that left new-style flags written on the spool.
+
+If the line starts with "--" the content of the variable is tainted.
+If the line start "--(<lookuptype>)" it is also quoted for the given <lookuptype>.
+*/
+
+for (;;)
+  {
+  const void * proto_mem;
+  uschar * var;
+  const uschar * p;
+
+  if (fgets_big_buffer(fp) == NULL) goto SPOOL_READ_ERROR;
+  if (big_buffer[0] != '-') break;
+  big_buffer[Ustrlen(big_buffer)-1] = 0;
+
+  proto_mem = big_buffer[1] == '-' ? GET_TAINTED : GET_UNTAINTED;
+  var =  big_buffer + (proto_mem == GET_UNTAINTED ? 1 : 2);
+  if (*var == '(')				/* marker for quoted value */
+    {
+    uschar * s;
+    int idx;
+    for (s = ++var; *s != ')'; ) s++;
+#ifndef COMPILE_UTILITY
+    if ((idx = search_findtype(var, s - var)) < 0)
+      {
+      DEBUG(D_any) debug_printf("Unrecognised quoter %.*s\n", (int)(s - var), var+1);
+      goto SPOOL_FORMAT_ERROR;
+      }
+    proto_mem = store_get_quoted(1, GET_TAINTED, idx);
+#endif  /* COMPILE_UTILITY */
+    var = s + 1;
+    }
+  p = var + 1;
+
+  switch(*var)
+    {
+    case 'a':
+
+    /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
+    variable, because Exim allows any number of them, with arbitrary names.
+    The line in the spool file is "-acl[cm] <name> <length>". The name excludes
+    the c or m. */
+
+    if (Ustrncmp(p, "clc ", 4) == 0 ||
+        Ustrncmp(p, "clm ", 4) == 0)
+      {
+      uschar *name, *endptr;
+      int count;
+      tree_node *node;
+      endptr = Ustrchr(var + 5, ' ');
+      if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
+      name = string_sprintf("%c%.*s", var[3],
+        (int)(endptr - var - 5), var + 5);
+      if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
+      node = acl_var_create(name);
+      node->data.ptr = store_get(count + 1, proto_mem);
+      if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
+      ((uschar*)node->data.ptr)[count] = 0;
+      }
+
+    else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
+      f.allow_unqualified_recipient = TRUE;
+    else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
+      f.allow_unqualified_sender = TRUE;
+
+    else if (Ustrncmp(p, "uth_id", 6) == 0)
+      authenticated_id = string_copy_taint(var + 8, proto_mem);
+    else if (Ustrncmp(p, "uth_sender", 10) == 0)
+      authenticated_sender = string_copy_taint(var + 12, proto_mem);
+    else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
+      smtp_active_hostname = string_copy_taint(var + 16, proto_mem);
+
+    /* For long-term backward compatibility, we recognize "-acl", which was
+    used before the number of ACL variables changed from 10 to 20. This was
+    before the subsequent change to an arbitrary number of named variables.
+    This code is retained so that upgrades from very old versions can still
+    handle old-format spool files. The value given after "-acl" is a number
+    that is 0-9 for connection variables, and 10-19 for message variables. */
+
+    else if (Ustrncmp(p, "cl ", 3) == 0)
+      {
+      unsigned index, count;
+      uschar name[20];   /* Need plenty of space for %u format */
+      tree_node * node;
+      if (  sscanf(CS var + 4, "%u %u", &index, &count) != 2
+	 || index >= 20
+	 || count > 16384	/* arbitrary limit on variable size */
+         )
+        goto SPOOL_FORMAT_ERROR;
+      if (index < 10)
+        (void) string_format(name, sizeof(name), "%c%u", 'c', index);
+      else
+        (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
+      node = acl_var_create(name);
+      node->data.ptr = store_get(count + 1, proto_mem);
+      /* We sanity-checked the count, so disable the Coverity error */
+      /* coverity[tainted_data] */
+      if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
+      (US node->data.ptr)[count] = '\0';
+      }
+    break;
+
+    case 'b':
+    if (Ustrncmp(p, "ody_linecount", 13) == 0)
+      body_linecount = Uatoi(var + 14);
+    else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
+      body_zerocount = Uatoi(var + 14);
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+    else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
+      bmi_verdicts = string_copy_taint(var + 13, proto_mem);
+#endif
+    break;
+
+    case 'd':
+    if (Ustrcmp(p, "eliver_firsttime") == 0)
+      f.deliver_firsttime = TRUE;
+    else if (Ustrncmp(p, "sn_ret", 6) == 0)
+      dsn_ret= atoi(CS var + 7);
+    else if (Ustrncmp(p, "sn_envid", 8) == 0)
+      dsn_envid = string_copy_taint(var + 10, proto_mem);
+#ifndef COMPILE_UTILITY
+    else if (Ustrncmp(p, "ebug_selector ", 14) == 0)
+      debug_selector = strtol(CS var + 15, NULL, 0);
+    else if (Ustrncmp(p, "ebuglog_name ", 13) == 0)
+      debug_logging_from_spool(var + 14);
+#endif
+    break;
+
+    case 'f':
+    if (Ustrncmp(p, "rozen", 5) == 0)
+      {
+      f.deliver_freeze = TRUE;
+      if (sscanf(CS var+6, TIME_T_FMT, &deliver_frozen_at) != 1)
+	goto SPOOL_READ_ERROR;
+      }
+    break;
+
+    case 'h':
+    if (Ustrcmp(p, "ost_lookup_deferred") == 0)
+      host_lookup_deferred = TRUE;
+    else if (Ustrcmp(p, "ost_lookup_failed") == 0)
+      host_lookup_failed = TRUE;
+    else if (Ustrncmp(p, "ost_auth_pubname", 16) == 0)
+      sender_host_auth_pubname = string_copy_taint(var + 18, proto_mem);
+    else if (Ustrncmp(p, "ost_auth", 8) == 0)
+      sender_host_authenticated = string_copy_taint(var + 10, proto_mem);
+    else if (Ustrncmp(p, "ost_name", 8) == 0)
+      sender_host_name = string_copy_taint(var + 10, proto_mem);
+    else if (Ustrncmp(p, "elo_name", 8) == 0)
+      sender_helo_name = string_copy_taint(var + 10, proto_mem);
+
+    /* We now record the port number after the address, separated by a
+    dot. For compatibility during upgrading, do nothing if there
+    isn't a value (it gets left at zero). */
+
+    else if (Ustrncmp(p, "ost_address", 11) == 0)
+      {
+      sender_host_port = host_address_extract_port(var + 13);
+      sender_host_address = string_copy_taint(var + 13, proto_mem);
+      }
+    break;
+
+    case 'i':
+    if (Ustrncmp(p, "nterface_address", 16) == 0)
+      {
+      interface_port = host_address_extract_port(var + 18);
+      interface_address = string_copy_taint(var + 18, proto_mem);
+      }
+    else if (Ustrncmp(p, "dent", 4) == 0)
+      sender_ident = string_copy_taint(var + 6, proto_mem);
+    break;
+
+    case 'l':
+    if (Ustrcmp(p, "ocal") == 0)
+      f.sender_local = TRUE;
+    else if (Ustrcmp(var, "localerror") == 0)
+      f.local_error_message = TRUE;
+#ifdef HAVE_LOCAL_SCAN
+    else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
+      local_scan_data = string_copy_taint(var + 11, proto_mem);
+#endif
+    break;
+
+    case 'm':
+    if (Ustrcmp(p, "anual_thaw") == 0)
+      f.deliver_manual_thaw = TRUE;
+    else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
+      max_received_linelength = Uatoi(var + 23);
+    break;
+
+    case 'N':
+    if (*p == 0) f.dont_deliver = TRUE;   /* -N */
+    break;
+
+    case 'r':
+    if (Ustrncmp(p, "eceived_protocol", 16) == 0)
+      received_protocol = string_copy_taint(var + 18, proto_mem);
+    else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
+      {
+      unsigned usec;
+      if (sscanf(CS var + 20, "%u", &usec) == 1)
+	{
+	received_time.tv_usec = usec;
+	if (!received_time_complete.tv_sec) received_time_complete.tv_usec = usec;
+	}
+      }
+    else if (Ustrncmp(p, "eceived_time_complete", 21) == 0)
+      {
+      unsigned sec, usec;
+      if (sscanf(CS var + 23, "%u.%u", &sec, &usec) == 2)
+	{
+	received_time_complete.tv_sec = sec;
+	received_time_complete.tv_usec = usec;
+	}
+      }
+    break;
+
+    case 's':
+    if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
+      f.sender_set_untrusted = TRUE;
+#ifdef WITH_CONTENT_SCAN
+    else if (Ustrncmp(p, "pam_bar ", 8) == 0)
+      spam_bar = string_copy_taint(var + 9, proto_mem);
+    else if (Ustrncmp(p, "pam_score ", 10) == 0)
+      spam_score = string_copy_taint(var + 11, proto_mem);
+    else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
+      spam_score_int = string_copy_taint(var + 15, proto_mem);
+#endif
+#ifndef COMPILE_UTILITY
+    else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
+      f.spool_file_wireformat = TRUE;
+#endif
+#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
+    else if (Ustrncmp(p, "mtputf8", 7) == 0)
+      message_smtputf8 = TRUE;
+#endif
+    break;
+
+#ifndef DISABLE_TLS
+    case 't':
+    if (Ustrncmp(p, "ls_", 3) == 0)
+      {
+      const uschar * q = p + 3;
+      if (Ustrncmp(q, "certificate_verified", 20) == 0)
+	tls_in.certificate_verified = TRUE;
+      else if (Ustrncmp(q, "cipher", 6) == 0)
+	tls_in.cipher = string_copy_taint(q+7, proto_mem);
+# ifndef COMPILE_UTILITY	/* tls support fns not built in */
+      else if (Ustrncmp(q, "ourcert", 7) == 0)
+	(void) tls_import_cert(q+8, &tls_in.ourcert);
+      else if (Ustrncmp(q, "peercert", 8) == 0)
+	(void) tls_import_cert(q+9, &tls_in.peercert);
+# endif
+      else if (Ustrncmp(q, "peerdn", 6) == 0)
+	tls_in.peerdn = string_unprinting(string_copy_taint(q+7, proto_mem));
+      else if (Ustrncmp(q, "sni", 3) == 0)
+	tls_in.sni = string_unprinting(string_copy_taint(q+4, proto_mem));
+      else if (Ustrncmp(q, "ocsp", 4) == 0)
+	tls_in.ocsp = q[5] - '0';
+# ifndef DISABLE_TLS_RESUME
+      else if (Ustrncmp(q, "resumption", 10) == 0)
+	tls_in.resumption = q[11] - 'A';
+# endif
+      else if (Ustrncmp(q, "ver", 3) == 0)
+	tls_in.ver = string_copy_taint(q+4, proto_mem);
+      }
+    break;
+#endif
+
+#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
+    case 'u':
+    if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
+      message_utf8_downconvert = 1;
+    else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
+      message_utf8_downconvert = -1;
+    break;
+#endif
+
+    default:    /* Present because some compilers complain if all */
+    break;      /* possibilities are not covered. */
+    }
+  }
+
+/* Build sender_fullhost if required */
+
+#ifndef COMPILE_UTILITY
+host_build_sender_fullhost();
+#endif  /* COMPILE_UTILITY */
+
+#ifndef COMPILE_UTILITY
+DEBUG(D_deliver)
+  debug_printf_indent("sender_local=%d ident=%s\n", f.sender_local,
+    sender_ident ? sender_ident : US"unset");
+#endif  /* COMPILE_UTILITY */
+
+/* We now have the tree of addresses NOT to deliver to, or a line
+containing "XX", indicating no tree. */
+
+if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
+  !read_nonrecipients_tree(&tree_nonrecipients, fp, big_buffer, big_buffer_size))
+    goto SPOOL_FORMAT_ERROR;
+
+#ifndef COMPILE_UTILITY
+DEBUG(D_deliver) debug_print_tree("Non-recipients", tree_nonrecipients);
+#endif  /* COMPILE_UTILITY */
+
+/* After reading the tree, the next line has not yet been read into the
+buffer. It contains the count of recipients which follow on separate lines.
+Apply an arbitrary sanity check.*/
+
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
+if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
+  goto SPOOL_FORMAT_ERROR;
+
+#ifndef COMPILE_UTILITY
+DEBUG(D_deliver) debug_printf_indent("recipients_count=%d\n", rcount);
+#endif  /* COMPILE_UTILITY */
+
+recipients_list_max = rcount;
+recipients_list = store_get(rcount * sizeof(recipient_item), GET_UNTAINTED);
+
+/* We sanitised the count and know we have enough memory, so disable
+the Coverity error on recipients_count */
+/* coverity[tainted_data] */
+
+for (recipients_count = 0; recipients_count < rcount; recipients_count++)
+  {
+  int nn;
+  int pno = -1;
+  int dsn_flags = 0;
+  uschar *orcpt = NULL;
+  uschar *errors_to = NULL;
+  uschar *p;
+
+  if (fgets_big_buffer(fp) == NULL) goto SPOOL_READ_ERROR;
+  nn = Ustrlen(big_buffer);
+  if (nn < 2) goto SPOOL_FORMAT_ERROR;
+
+  /* Remove the newline; this terminates the address if there is no additional
+  data on the line. */
+
+  p = big_buffer + nn - 1;
+  *p-- = 0;
+
+  /* Look back from the end of the line for digits and special terminators.
+  Since an address must end with a domain, we can tell that extra data is
+  present by the presence of the terminator, which is always some character
+  that cannot exist in a domain. (If I'd thought of the need for additional
+  data early on, I'd have put it at the start, with the address at the end. As
+  it is, we have to operate backwards. Addresses are permitted to contain
+  spaces, you see.)
+
+  This code has to cope with various versions of this data that have evolved
+  over time. In all cases, the line might just contain an address, with no
+  additional data. Otherwise, the possibilities are as follows:
+
+  Exim 3 type:       <address><space><digits>,<digits>,<digits>
+
+    The second set of digits is the parent number for one_time addresses. The
+    other values were remnants of earlier experiments that were abandoned.
+
+  Exim 4 first type: <address><space><digits>
+
+    The digits are the parent number for one_time addresses.
+
+  Exim 4 new type:   <address><space><data>#<type bits>
+
+    The type bits indicate what the contents of the data are.
+
+    Bit 01 indicates that, reading from right to left, the data
+      ends with <errors_to address><space><len>,<pno> where pno is
+      the parent number for one_time addresses, and len is the length
+      of the errors_to address (zero meaning none).
+
+    Bit 02 indicates that, again reading from right to left, the data continues
+     with orcpt len(orcpt),dsn_flags
+   */
+
+  while (isdigit(*p)) p--;
+
+  /* Handle Exim 3 spool files */
+
+  if (*p == ',')
+    {
+    int dummy;
+#if !defined (COMPILE_UTILITY)
+    DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - Exim 3 spool file\n");
+#endif
+    while (isdigit(*(--p)) || *p == ',');
+    if (*p == ' ')
+      {
+      *p++ = 0;
+      (void)sscanf(CS p, "%d,%d", &dummy, &pno);
+      }
+    }
+
+  /* Handle early Exim 4 spool files */
+
+  else if (*p == ' ')
+    {
+#if !defined (COMPILE_UTILITY)
+    DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - early Exim 4 spool file\n");
+#endif
+    *p++ = 0;
+    (void)sscanf(CS p, "%d", &pno);
+    }
+
+  /* Handle current format Exim 4 spool files */
+
+  else if (*p == '#')
+    {
+    int flags;
+
+#if !defined (COMPILE_UTILITY)
+    DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - Exim standard format spoolfile\n");
+#endif
+
+    (void)sscanf(CS p+1, "%d", &flags);
+
+    if (flags & 0x01)      /* one_time data exists */
+      {
+      int len;
+      while (isdigit(*(--p)) || *p == ',' || *p == '-');
+      (void)sscanf(CS p+1, "%d,%d", &len, &pno);
+      *p = 0;
+      if (len > 0)
+        {
+        p -= len;
+        errors_to = string_copy_taint(p, GET_TAINTED);
+        }
+      }
+
+    *--p = 0;   /* Terminate address */
+    if (flags & 0x02)      /* one_time data exists */
+      {
+      int len;
+      while (isdigit(*(--p)) || *p == ',' || *p == '-');
+      (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
+      *p = 0;
+      if (len > 0)
+        {
+        p -= len;
+        orcpt = string_copy_taint(p, GET_TAINTED);
+        }
+      }
+
+    *--p = 0;   /* Terminate address */
+    }
+#if !defined(COMPILE_UTILITY)
+  else
+    { DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - No additional fields\n"); }
+
+  if (orcpt || dsn_flags)
+    DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - address: <%s> orcpt: <%s> dsn_flags: 0x%x\n",
+      big_buffer, orcpt, dsn_flags);
+  if (errors_to)
+    DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - address: <%s> errorsto: <%s>\n",
+      big_buffer, errors_to);
+#endif
+
+  recipients_list[recipients_count].address = string_copy_taint(big_buffer, GET_TAINTED);
+  recipients_list[recipients_count].pno = pno;
+  recipients_list[recipients_count].errors_to = errors_to;
+  recipients_list[recipients_count].orcpt = orcpt;
+  recipients_list[recipients_count].dsn_flags = dsn_flags;
+  }
+
+/* The remainder of the spool header file contains the headers for the message,
+separated off from the previous data by a blank line. Each header is preceded
+by a count of its length and either a certain letter (for various identified
+headers), space (for a miscellaneous live header) or an asterisk (for a header
+that has been rewritten). Count the Received: headers. We read the headers
+always, in order to check on the format of the file, but only create a header
+list if requested to do so. */
+
+inheader = TRUE;
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
+if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
+
+while ((n = fgetc(fp)) != EOF)
+  {
+  header_line *h;
+  uschar flag[4];
+  int i;
+
+  if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
+  if(ungetc(n, fp) == EOF  ||  fscanf(fp, "%d%c ", &n, flag) == EOF)
+    goto SPOOL_READ_ERROR;
+  if (flag[0] != '*') message_size += n;  /* Omit non-transmitted headers */
+
+  if (read_headers)
+    {
+    h = store_get(sizeof(header_line), GET_UNTAINTED);
+    h->next = NULL;
+    h->type = flag[0];
+    h->slen = n;
+    h->text = store_get(n+1, GET_TAINTED);
+
+    if (h->type == htype_received) received_count++;
+
+    if (header_list) header_last->next = h;
+    else header_list = h;
+    header_last = h;
+
+    for (i = 0; i < n; i++)
+      {
+      int c = fgetc(fp);
+      if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
+      if (c == '\n' && h->type != htype_old) message_linecount++;
+      h->text[i] = c;
+      }
+    h->text[i] = 0;
+    }
+
+  /* Not requiring header data, just skip through the bytes */
+
+  else for (i = 0; i < n; i++)
+    {
+    int c = fgetc(fp);
+    if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
+    }
+  }
+
+/* We have successfully read the data in the header file. Update the message
+line count by adding the body linecount to the header linecount. Close the file
+and give a positive response. */
+
+#ifndef COMPILE_UTILITY
+DEBUG(D_deliver) debug_printf_indent("body_linecount=%d message_linecount=%d\n",
+  body_linecount, message_linecount);
+#endif  /* COMPILE_UTILITY */
+
+message_linecount += body_linecount;
+
+fclose(fp);
+return spool_read_OK;
+
+
+/* There was an error reading the spool or there was missing data,
+or there was a format error. A "read error" with no errno means an
+unexpected EOF, which we treat as a format error. */
+
+SPOOL_READ_ERROR:
+if (errno != 0)
+  {
+  n = errno;
+
+#ifndef COMPILE_UTILITY
+  DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
+#endif  /* COMPILE_UTILITY */
+
+  fclose(fp);
+  errno = n;
+  return inheader ? spool_read_hdrerror : spool_read_enverror;
+  }
+
+SPOOL_FORMAT_ERROR:
+
+#ifndef COMPILE_UTILITY
+DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
+#endif  /* COMPILE_UTILITY */
+
+fclose(fp);
+errno = ERRNO_SPOOLFORMAT;
+return inheader? spool_read_hdrerror : spool_read_enverror;
+}
+
+
+#ifndef COMPILE_UTILITY
+/* Read out just the (envelope) sender string from the spool -H file.
+Remove the <> wrap and return it in allocated store.  Return NULL on error.
+
+We assume that message_subdir is already set.
+*/
+
+uschar *
+spool_sender_from_msgid(const uschar * id)
+{
+uschar * name = string_sprintf("%s-H", id);
+FILE * fp;
+int n;
+uschar * yield = NULL;
+
+if (!(fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
+  return NULL;
+
+DEBUG(D_deliver) debug_printf_indent("reading spool file %s\n", name);
+
+/* Skip the line with the copy of the filename, then the line with login/uid/gid.
+Read the next line, which should be the envelope sender.
+Do basic validation on that. */
+
+if (  Ufgets(big_buffer, big_buffer_size, fp) != NULL
+   && Ufgets(big_buffer, big_buffer_size, fp) != NULL
+   && Ufgets(big_buffer, big_buffer_size, fp) != NULL
+   && (n = Ustrlen(big_buffer)) >= 3
+   && big_buffer[0] == '<' && big_buffer[n-2] == '>'
+   )
+  {
+  yield = store_get(n-2, GET_TAINTED);
+  Ustrncpy(yield, big_buffer+1, n-3);
+  yield[n-3] = 0;
+  }
+fclose(fp);
+return yield;
+}
+#endif  /* COMPILE_UTILITY */
+
+/* vi: aw ai sw=2
+*/
+/* End of spool_in.c */
diff --git a/src/spool_mbox.c b/src/spool_mbox.c
new file mode 100644
index 0000000..8b2aae3
--- /dev/null
+++ b/src/spool_mbox.c
@@ -0,0 +1,247 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015
+ * License: GPL
+ * Copyright (c) The Exim Maintainers 2016 - 2021
+ */
+
+/* Code for setting up a MBOX style spool file inside a /scan/<msgid>
+sub directory of exim's spool directory. */
+
+#include "exim.h"
+#ifdef WITH_CONTENT_SCAN
+
+extern int malware_ok;
+extern int spam_ok;
+
+int spool_mbox_ok = 0;
+uschar spooled_message_id[MESSAGE_ID_LENGTH+1];
+
+/*
+Create an MBOX-style message file from the spooled files.
+
+Returns a pointer to the FILE, and puts the size in bytes into mbox_file_size.
+If mbox_fname is non-null, fill in a pointer to the name.
+Normally, source_file_override is NULL
+*/
+
+FILE *
+spool_mbox(unsigned long *mbox_file_size, const uschar *source_file_override,
+  uschar ** mbox_fname)
+{
+uschar message_subdir[2];
+uschar buffer[16384];
+uschar *temp_string;
+uschar *mbox_path;
+FILE *mbox_file = NULL, *l_data_file = NULL, *yield = NULL;
+struct stat statbuf;
+int j;
+rmark reset_point;
+
+mbox_path = string_sprintf("%s/scan/%s/%s.eml",
+  spool_directory, message_id, message_id);
+if (mbox_fname) *mbox_fname = mbox_path;
+
+reset_point = store_mark();
+
+/* Skip creation if already spooled out as mbox file */
+if (!spool_mbox_ok)
+  {
+  /* create temp directory inside scan dir, directory_make works recursively */
+  temp_string = string_sprintf("scan/%s", message_id);
+  if (!directory_make(spool_directory, temp_string, 0750, FALSE))
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "%s",
+      string_open_failed("scan directory %s/scan/%s", spool_directory, temp_string));
+    goto OUT;
+    }
+
+  /* open [message_id].eml file for writing */
+
+  if (!(mbox_file = modefopen(mbox_path, "wb", SPOOL_MODE)))
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "%s",
+      string_open_failed("scan file %s", mbox_path));
+    goto OUT;
+    }
+
+  /* Generate mailbox headers. The $received_for variable is (up to at least
+  Exim 4.64) never set here, because it is only set when expanding the
+  contents of the Received: header line. However, the code below will use it
+  if it should become available in future. */
+
+  temp_string = expand_string(
+    US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n"
+    "${if def:sender_address{X-Envelope-From: <${sender_address}>\n}}"
+    "${if def:recipients{X-Envelope-To: ${recipients}\n}}");
+
+  if (temp_string)
+    if (fwrite(temp_string, Ustrlen(temp_string), 1, mbox_file) != 1)
+      {
+      log_write(0, LOG_MAIN|LOG_PANIC, "Error/short write while writing \
+	  mailbox headers to %s", mbox_path);
+      goto OUT;
+      }
+
+  /* write all non-deleted header lines to mbox file */
+
+  for (header_line * my_headerlist = header_list; my_headerlist;
+      my_headerlist = my_headerlist->next)
+    if (my_headerlist->type != '*')
+      if (fwrite(my_headerlist->text, my_headerlist->slen, 1, mbox_file) != 1)
+	{
+	log_write(0, LOG_MAIN|LOG_PANIC, "Error/short write while writing \
+	    message headers to %s", mbox_path);
+	goto OUT;
+	}
+
+  /* End headers */
+  if (fwrite("\n", 1, 1, mbox_file) != 1)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "Error/short write while writing \
+      message headers to %s", mbox_path);
+    goto OUT;
+    }
+
+  /* Copy body file.  If the main receive still has it open then it is holding
+  a lock, and we must not close it (which releases the lock), so just use the
+  global file handle. */
+  if (source_file_override)
+    l_data_file = Ufopen(source_file_override, "rb");
+  else if (spool_data_file)
+    l_data_file = spool_data_file;
+  else
+    {
+    message_subdir[1] = '\0';
+    for (int i = 0; i < 2; i++)
+      {
+      set_subdir_str(message_subdir, message_id, i);
+      temp_string = spool_fname(US"input", message_subdir, message_id, US"-D");
+      if ((l_data_file = Ufopen(temp_string, "rb"))) break;
+      }
+    }
+
+  if (!l_data_file)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "Could not open datafile for message %s",
+      message_id);
+    goto OUT;
+    }
+
+  /* The code used to use this line, but it doesn't work in Cygwin.
+
+      (void)fread(data_buffer, 1, 18, l_data_file);
+
+     What's happening is that spool_mbox used to use an fread to jump over the
+     file header. That fails under Cygwin because the header is locked, but
+     doing an fseek succeeds. We have to output the leading newline
+     explicitly, because the one in the file is parted of the locked area.  */
+
+  if (!source_file_override)
+    (void)fseek(l_data_file, SPOOL_DATA_START_OFFSET, SEEK_SET);
+
+  do
+    {
+    uschar * s;
+
+    if (!f.spool_file_wireformat || source_file_override)
+      j = fread(buffer, 1, sizeof(buffer), l_data_file);
+    else						/* needs CRLF -> NL */
+      if ((s = US fgets(CS buffer, sizeof(buffer), l_data_file)))
+	{
+	uschar * p = s + Ustrlen(s) - 1;
+
+	if (*p == '\n' && p[-1] == '\r')
+	  *--p = '\n';
+	else if (*p == '\r')
+	  ungetc(*p--, l_data_file);
+
+	j = p - buffer;
+	}
+      else
+	j = 0;
+
+    if (j > 0)
+      if (fwrite(buffer, j, 1, mbox_file) != 1)
+        {
+	log_write(0, LOG_MAIN|LOG_PANIC, "Error/short write while writing \
+	    message body to %s", mbox_path);
+	goto OUT;
+	}
+    } while (j > 0);
+
+  (void)fclose(mbox_file);
+  mbox_file = NULL;
+
+  Ustrncpy(spooled_message_id, message_id, sizeof(spooled_message_id));
+  spooled_message_id[sizeof(spooled_message_id)-1] = '\0';
+  spool_mbox_ok = 1;
+  }
+
+/* get the size of the mbox message and open [message_id].eml file for reading*/
+
+if (  !(yield = Ufopen(mbox_path,"rb"))
+   || fstat(fileno(yield), &statbuf) != 0
+   )
+  log_write(0, LOG_MAIN|LOG_PANIC, "%s",
+    string_open_failed( "scan file %s", mbox_path));
+else
+  *mbox_file_size = statbuf.st_size;
+
+OUT:
+if (l_data_file && !spool_data_file) (void)fclose(l_data_file);
+if (mbox_file) (void)fclose(mbox_file);
+store_reset(reset_point);
+return yield;
+}
+
+
+
+
+
+/* remove mbox spool file and temp directory */
+void
+unspool_mbox(void)
+{
+spam_ok = 0;
+malware_ok = 0;
+
+if (spool_mbox_ok && !f.no_mbox_unspool)
+  {
+  uschar *file_path;
+  DIR *tempdir;
+  rmark reset_point = store_mark();
+  uschar * mbox_path = string_sprintf("%s/scan/%s", spool_directory, spooled_message_id);
+
+  if (!(tempdir = exim_opendir(mbox_path)))
+    {
+    debug_printf("Unable to opendir(%s): %s\n", mbox_path, strerror(errno));
+    /* Just in case we still can: */
+    (void) rmdir(CS mbox_path);
+    return;
+    }
+  /* loop thru dir & delete entries */
+  for (struct dirent *entry; entry = readdir(tempdir); )
+    {
+    uschar *name = US entry->d_name;
+    if (Ustrcmp(name, US".") == 0 || Ustrcmp(name, US"..") == 0) continue;
+
+    file_path = string_sprintf("%s/%s", mbox_path, name);
+    debug_printf("unspool_mbox(): unlinking '%s'\n", file_path);
+    if (unlink(CS file_path) != 0)
+      log_write(0, LOG_MAIN|LOG_PANIC, "unlink(%s): %s", file_path, strerror(errno));
+    }
+
+  closedir(tempdir);
+
+  /* remove directory */
+  if (rmdir(CS mbox_path) != 0)
+    log_write(0, LOG_MAIN|LOG_PANIC, "rmdir(%s): %s", mbox_path, strerror(errno));
+  store_reset(reset_point);
+  }
+spool_mbox_ok = 0;
+}
+
+#endif
diff --git a/src/spool_out.c b/src/spool_out.c
new file mode 100644
index 0000000..510eda6
--- /dev/null
+++ b/src/spool_out.c
@@ -0,0 +1,580 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions for writing spool files, and moving them about. */
+
+
+#include "exim.h"
+
+
+
+/*************************************************
+*       Deal with header writing errors          *
+*************************************************/
+
+/* This function is called immediately after errors in writing the spool, with
+errno still set. It creates an error message, depending on the circumstances.
+If errmsg is NULL, it logs the message and panic-dies. Otherwise errmsg is set
+to point to the message, and -1 is returned. This function makes the code of
+spool_write_header() a bit neater.
+
+Arguments:
+   where      SW_RECEIVING, SW_DELIVERING, or SW_MODIFYING
+   errmsg     where to put the message; NULL => panic-die
+   s          text to add to log string
+   temp_name  name of temp file to unlink
+   f          FILE to close, if not NULL
+
+Returns:      -1 if errmsg is not NULL; otherwise doesn't return
+*/
+
+static int
+spool_write_error(int where, uschar **errmsg, uschar *s, uschar *temp_name,
+  FILE *f)
+{
+uschar *msg = where == SW_RECEIVING
+  ? string_sprintf("spool file %s error while receiving from %s: %s", s,
+      sender_fullhost ? sender_fullhost : sender_ident,
+      strerror(errno))
+  : string_sprintf("spool file %s error while %s: %s", s,
+      where == SW_DELIVERING ? "delivering" : "modifying",
+      strerror(errno));
+
+if (temp_name) Uunlink(temp_name);
+if (f) (void)fclose(f);
+
+if (errmsg)
+  *errmsg = msg;
+else
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", msg);
+
+return -1;
+}
+
+
+
+/*************************************************
+*            Open file under temporary name      *
+*************************************************/
+
+/* This is used for opening spool files under a temporary name,
+with a single attempt at deleting if they already exist.
+
+Argument: temporary name for spool header file
+Returns:  file descriptor of open file, or < 0 on failure, with errno unchanged
+*/
+
+int
+spool_open_temp(uschar *temp_name)
+{
+int fd = Uopen(temp_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE);
+
+/* If the file already exists, something has gone wrong. This process may well
+have previously created the file if it is delivering more than one address, but
+it should have renamed it almost immediately. A file could, however, be left
+around as a result of a system crash, and by coincidence this process might
+have the same pid. We therefore have one go at unlinking it before giving up.
+*/
+
+if (fd < 0 && errno == EEXIST)
+  {
+  DEBUG(D_any) debug_printf("%s exists: unlinking\n", temp_name);
+  Uunlink(temp_name);
+  fd = Uopen(temp_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE);
+  }
+
+/* If the file has been opened, make sure the file's group is the Exim gid, and
+double-check the mode because the group setting doesn't always get set
+automatically. */
+
+if (fd >= 0)
+  if (exim_fchown(fd, exim_uid, exim_gid, temp_name) || fchmod(fd, SPOOL_MODE))
+    {
+    DEBUG(D_any) debug_printf("failed setting perms on %s\n", temp_name);
+    (void) close(fd); fd = -1;
+    Uunlink(temp_name);
+    }
+
+return fd;
+}
+
+
+
+static const uschar *
+zap_newlines(const uschar *s)
+{
+uschar *z, *p;
+
+if (Ustrchr(s, '\n') == NULL) return s;
+
+p = z = string_copy(s);
+while ((p = Ustrchr(p, '\n')) != NULL) *p++ = ' ';
+return z;
+}
+
+static void
+spool_var_write(FILE * fp, const uschar * name, const uschar * val)
+{
+putc('-', fp);
+if (is_tainted(val))
+  {
+  int q = quoter_for_address(val);
+  putc('-', fp);
+  if (is_real_quoter(q)) fprintf(fp, "(%s)", lookup_list[q]->name);
+  }
+fprintf(fp, "%s %s\n", name, val);
+}
+
+/*************************************************
+*          Write the header spool file           *
+*************************************************/
+
+/* Returns the size of the file for success; zero for failure. The file is
+written under a temporary name, and then renamed. It's done this way so that it
+works with re-writing the file on message deferral as well as for the initial
+write. Whenever this function is called, the data file for the message should
+be open and locked, thus preventing any other exim process from working on this
+message.
+
+Argument:
+  id      the message id
+  where   SW_RECEIVING, SW_DELIVERING, or SW_MODIFYING
+  errmsg  where to put an error message; if NULL, panic-die on error
+
+Returns:  the size of the header texts on success;
+          negative on writing failure, unless errmsg == NULL
+*/
+
+int
+spool_write_header(uschar *id, int where, uschar **errmsg)
+{
+int fd;
+int size_correction;
+FILE * fp;
+struct stat statbuf;
+uschar * tname;
+uschar * fname;
+
+tname = spool_fname(US"input", message_subdir, US"hdr.", message_id);
+
+if ((fd = spool_open_temp(tname)) < 0)
+  return spool_write_error(where, errmsg, US"open", NULL, NULL);
+fp = fdopen(fd, "wb");
+DEBUG(D_receive|D_deliver) debug_printf("Writing spool header file: %s\n", tname);
+
+/* We now have an open file to which the header data is to be written. Start
+with the file's leaf name, to make the file self-identifying. Continue with the
+identity of the submitting user, followed by the sender's address. The sender's
+address is enclosed in <> because it might be the null address. Then write the
+received time and the number of warning messages that have been sent. */
+
+fprintf(fp, "%s-H\n", message_id);
+fprintf(fp, "%.63s %ld %ld\n", originator_login, (long int)originator_uid,
+  (long int)originator_gid);
+fprintf(fp, "<%s>\n", sender_address);
+fprintf(fp, "%d %d\n", (int)received_time.tv_sec, warning_count);
+
+fprintf(fp, "-received_time_usec .%06d\n", (int)received_time.tv_usec);
+fprintf(fp, "-received_time_complete %d.%06d\n",
+  (int)received_time_complete.tv_sec, (int)received_time_complete.tv_usec);
+
+/* If there is information about a sending host, remember it. The HELO
+data can be set for local SMTP as well as remote. */
+
+if (sender_helo_name) spool_var_write(fp, US"helo_name", sender_helo_name);
+
+if (sender_host_address)
+  {
+  if (is_tainted(sender_host_address)) putc('-', fp);
+  fprintf(fp, "-host_address [%s]:%d\n", sender_host_address, sender_host_port);
+  if (sender_host_name)
+    spool_var_write(fp, US"host_name", sender_host_name);
+  }
+if (sender_host_authenticated)
+  spool_var_write(fp, US"host_auth", sender_host_authenticated);
+if (sender_host_auth_pubname)
+  spool_var_write(fp, US"host_auth_pubname", sender_host_auth_pubname);
+
+/* Also about the interface a message came in on */
+
+if (interface_address)
+  {
+  if (is_tainted(interface_address)) putc('-', fp);
+  fprintf(fp, "-interface_address [%s]:%d\n", interface_address, interface_port);
+  }
+
+if (smtp_active_hostname != primary_hostname)
+  spool_var_write(fp, US"active_hostname", smtp_active_hostname);
+
+/* Likewise for any ident information; for local messages this is
+likely to be the same as originator_login, but will be different if
+the originator was root, forcing a different ident. */
+
+if (sender_ident)
+  spool_var_write(fp, US"ident", sender_ident);
+
+/* Ditto for the received protocol */
+
+if (received_protocol)
+  spool_var_write(fp, US"received_protocol", received_protocol);
+
+/* Preserve any ACL variables that are set. */
+
+tree_walk(acl_var_c, &acl_var_write, fp);
+tree_walk(acl_var_m, &acl_var_write, fp);
+
+/* Now any other data that needs to be remembered. */
+
+if (*debuglog_name)
+  {
+  fprintf(fp, "-debug_selector 0x%x\n", debug_selector);
+  fprintf(fp, "-debuglog_name %s\n", debuglog_name);
+  }
+
+if (f.spool_file_wireformat)
+  fprintf(fp, "-spool_file_wireformat\n");
+else
+  fprintf(fp, "-body_linecount %d\n", body_linecount);
+fprintf(fp, "-max_received_linelength %d\n", max_received_linelength);
+
+if (body_zerocount > 0) fprintf(fp, "-body_zerocount %d\n", body_zerocount);
+
+if (authenticated_id)
+  spool_var_write(fp, US"auth_id", authenticated_id);
+if (authenticated_sender)
+  spool_var_write(fp, US"auth_sender", zap_newlines(authenticated_sender));
+
+if (f.allow_unqualified_recipient) fprintf(fp, "-allow_unqualified_recipient\n");
+if (f.allow_unqualified_sender) fprintf(fp, "-allow_unqualified_sender\n");
+if (f.deliver_firsttime) fprintf(fp, "-deliver_firsttime\n");
+if (f.deliver_freeze) fprintf(fp, "-frozen " TIME_T_FMT "\n", deliver_frozen_at);
+if (f.dont_deliver) fprintf(fp, "-N\n");
+if (host_lookup_deferred) fprintf(fp, "-host_lookup_deferred\n");
+if (host_lookup_failed) fprintf(fp, "-host_lookup_failed\n");
+if (f.sender_local) fprintf(fp, "-local\n");
+if (f.local_error_message) fprintf(fp, "-localerror\n");
+#ifdef HAVE_LOCAL_SCAN
+if (local_scan_data) spool_var_write(fp, US"local_scan", local_scan_data);
+#endif
+#ifdef WITH_CONTENT_SCAN
+if (spam_bar)       spool_var_write(fp, US"spam_bar",       spam_bar);
+if (spam_score)     spool_var_write(fp, US"spam_score",     spam_score);
+if (spam_score_int) spool_var_write(fp, US"spam_score_int", spam_score_int);
+#endif
+if (f.deliver_manual_thaw) fprintf(fp, "-manual_thaw\n");
+if (f.sender_set_untrusted) fprintf(fp, "-sender_set_untrusted\n");
+
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+if (bmi_verdicts) spool_var_write(fp, US"bmi_verdicts", bmi_verdicts);
+#endif
+
+#ifndef DISABLE_TLS
+if (tls_in.certificate_verified) fprintf(fp, "-tls_certificate_verified\n");
+if (tls_in.cipher) spool_var_write(fp, US"tls_cipher", tls_in.cipher);
+if (tls_in.peercert)
+  {
+  if (tls_export_cert(big_buffer, big_buffer_size, tls_in.peercert))
+    fprintf(fp, "--tls_peercert %s\n", CS big_buffer);
+  }
+if (tls_in.peerdn)       spool_var_write(fp, US"tls_peerdn", string_printing(tls_in.peerdn));
+if (tls_in.sni)		 spool_var_write(fp, US"tls_sni",    string_printing(tls_in.sni));
+if (tls_in.ourcert)
+  {
+  if (tls_export_cert(big_buffer, big_buffer_size, tls_in.ourcert))
+    fprintf(fp, "-tls_ourcert %s\n", CS big_buffer);
+  }
+if (tls_in.ocsp)	 fprintf(fp, "-tls_ocsp %d\n",   tls_in.ocsp);
+# ifndef DISABLE_TLS_RESUME
+fprintf(fp, "-tls_resumption %c\n", 'A' + tls_in.resumption);
+# endif
+if (tls_in.ver) spool_var_write(fp, US"tls_ver", tls_in.ver);
+#endif
+
+#ifdef SUPPORT_I18N
+if (message_smtputf8)
+  {
+  fprintf(fp, "-smtputf8\n");
+  if (message_utf8_downconvert)
+    fprintf(fp, "-utf8_%sdowncvt\n", message_utf8_downconvert < 0 ? "opt" : "");
+  }
+#endif
+
+/* Write the dsn flags to the spool header file */
+/* DEBUG(D_deliver) debug_printf("DSN: Write SPOOL: -dsn_envid %s\n", dsn_envid); */
+if (dsn_envid) fprintf(fp, "-dsn_envid %s\n", dsn_envid);
+/* DEBUG(D_deliver) debug_printf("DSN: Write SPOOL: -dsn_ret %d\n", dsn_ret); */
+if (dsn_ret) fprintf(fp, "-dsn_ret %d\n", dsn_ret);
+
+/* To complete the envelope, write out the tree of non-recipients, followed by
+the list of recipients. These won't be disjoint the first time, when no
+checking has been done. If a recipient is a "one-time" alias, it is followed by
+a space and its parent address number (pno). */
+
+tree_write(tree_nonrecipients, fp);
+fprintf(fp, "%d\n", recipients_count);
+for (int i = 0; i < recipients_count; i++)
+  {
+  recipient_item *r = recipients_list + i;
+  const uschar *address = zap_newlines(r->address);
+
+  /* DEBUG(D_deliver) debug_printf("DSN: Flags: 0x%x\n", r->dsn_flags); */
+
+  if (r->pno < 0 && !r->errors_to && r->dsn_flags == 0)
+    fprintf(fp, "%s\n", address);
+  else
+    {
+    const uschar *errors_to = r->errors_to ? zap_newlines(r->errors_to) : CUS"";
+    /* for DSN SUPPORT extend exim 4 spool in a compatible way by
+    adding new values upfront and add flag 0x02 */
+    const uschar *orcpt = r->orcpt ? zap_newlines(r->orcpt) : CUS"";
+
+    fprintf(fp, "%s %s %d,%d %s %d,%d#3\n", address, orcpt, Ustrlen(orcpt),
+      r->dsn_flags, errors_to, Ustrlen(errors_to), r->pno);
+    }
+
+    DEBUG(D_deliver) debug_printf("DSN: **** SPOOL_OUT - "
+      "address: <%s> errorsto: <%s> orcpt: <%s> dsn_flags: 0x%x\n",
+      r->address, r->errors_to, r->orcpt, r->dsn_flags);
+  }
+
+/* Put a blank line before the headers */
+
+fprintf(fp, "\n");
+
+/* Save the size of the file so far so we can subtract it from the final length
+to get the actual size of the headers. */
+
+fflush(fp);
+if (fstat(fd, &statbuf))
+  return spool_write_error(where, errmsg, US"fstat", tname, fp);
+size_correction = statbuf.st_size;
+
+/* Finally, write out the message's headers. To make it easier to read them
+in again, precede each one with the count of its length. Make the count fixed
+length to aid human eyes when debugging and arrange for it not be included in
+the size. It is followed by a space for normal headers, a flagging letter for
+various other headers, or an asterisk for old headers that have been rewritten.
+These are saved as a record for debugging. Don't included them in the message's
+size. */
+
+for (header_line * h = header_list; h; h = h->next)
+  {
+  fprintf(fp, "%03d%c %s", h->slen, h->type, h->text);
+  size_correction += 5;
+  if (h->type == '*') size_correction += h->slen;
+  }
+
+/* Flush and check for any errors while writing */
+
+if (fflush(fp) != 0 || ferror(fp))
+  return spool_write_error(where, errmsg, US"write", tname, fp);
+
+/* Force the file's contents to be written to disk. Note that fflush()
+just pushes it out of C, and fclose() doesn't guarantee to do the write
+either. That's just the way Unix works... */
+
+if (EXIMfsync(fileno(fp)) < 0)
+  return spool_write_error(where, errmsg, US"sync", tname, fp);
+
+/* Get the size of the file, and close it. */
+
+if (fstat(fd, &statbuf) != 0)
+  return spool_write_error(where, errmsg, US"fstat", tname, NULL);
+if (fclose(fp) != 0)
+  return spool_write_error(where, errmsg, US"close", tname, NULL);
+
+/* Rename the file to its correct name, thereby replacing any previous
+incarnation. */
+
+fname = spool_fname(US"input", message_subdir, id, US"-H");
+DEBUG(D_receive|D_deliver) debug_printf("Renaming spool header file: %s\n", fname);
+
+if (Urename(tname, fname) < 0)
+  return spool_write_error(where, errmsg, US"rename", tname, NULL);
+
+/* Linux (and maybe other OS?) does not automatically sync a directory after
+an operation like rename. We therefore have to do it forcibly ourselves in
+these cases, to make sure the file is actually accessible on disk, as opposed
+to just the data being accessible from a file in lost+found. Linux also has
+O_DIRECTORY, for opening a directory.
+
+However, it turns out that some file systems (some versions of NFS?) do not
+support directory syncing. It seems safe enough to ignore EINVAL to cope with
+these cases. One hack on top of another... but that's life. */
+
+#ifdef NEED_SYNC_DIRECTORY
+
+tname = spool_fname(US"input", message_subdir, US".", US"");
+
+# ifndef O_DIRECTORY
+#  define O_DIRECTORY 0
+# endif
+
+if ((fd = Uopen(tname, O_RDONLY|O_DIRECTORY, 0)) < 0)
+  return spool_write_error(where, errmsg, US"directory open", fname, NULL);
+
+if (EXIMfsync(fd) < 0 && errno != EINVAL)
+  return spool_write_error(where, errmsg, US"directory sync", fname, NULL);
+
+if (close(fd) < 0)
+  return spool_write_error(where, errmsg, US"directory close", fname, NULL);
+
+#endif  /* NEED_SYNC_DIRECTORY */
+
+/* Return the number of characters in the headers, which is the file size, less
+the preliminary stuff, less the additional count fields on the headers. */
+
+DEBUG(D_receive) debug_printf("Size of headers = %d\n",
+  (int)(statbuf.st_size - size_correction));
+
+return statbuf.st_size - size_correction;
+}
+
+
+/************************************************
+*              Make a hard link                 *
+************************************************/
+
+/* Used by spool_move_message() below. Note re the use of sprintf(): the value
+of spool_directory is checked to ensure that it is less than 200 characters at
+start-up time.
+
+Arguments:
+  dir        base directory name
+  dq	     destiinationqueue name
+  subdir     subdirectory name
+  id         message id
+  suffix     suffix to add to id
+  from       source directory prefix
+  to         destination directory prefix
+  noentok    if TRUE, absence of file is not an error
+
+Returns:     TRUE if all went well
+             FALSE, having panic logged if not
+*/
+
+static BOOL
+make_link(uschar *dir, uschar * dq, uschar *subdir, uschar *id, uschar *suffix,
+  uschar *from, uschar *to, BOOL noentok)
+{
+uschar * fname = spool_fname(string_sprintf("%s%s", from, dir), subdir, id, suffix);
+uschar * tname = spool_q_fname(string_sprintf("%s%s", to,   dir), dq, subdir, id, suffix);
+if (Ulink(fname, tname) < 0 && (!noentok || errno != ENOENT))
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "link(\"%s\", \"%s\") failed while moving "
+    "message: %s", fname, tname, strerror(errno));
+  return FALSE;
+  }
+return TRUE;
+}
+
+
+
+/************************************************
+*                Break a link                   *
+************************************************/
+
+/* Used by spool_move_message() below. Note re the use of sprintf(): the value
+of spool_directory is checked to ensure that it is less than 200 characters at
+start-up time.
+
+Arguments:
+  dir        base directory name
+  subdir     subdirectory name
+  id         message id
+  suffix     suffix to add to id
+  from       source directory prefix
+  noentok    if TRUE, absence of file is not an error
+
+Returns:     TRUE if all went well
+             FALSE, having panic logged if not
+*/
+
+static BOOL
+break_link(uschar *dir, uschar *subdir, uschar *id, uschar *suffix, uschar *from,
+  BOOL noentok)
+{
+uschar * fname = spool_fname(string_sprintf("%s%s", from, dir), subdir, id, suffix);
+if (Uunlink(fname) < 0 && (!noentok || errno != ENOENT))
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "unlink(\"%s\") failed while moving "
+    "message: %s", fname, strerror(errno));
+  return FALSE;
+  }
+return TRUE;
+}
+
+
+
+/************************************************
+*            Move message files                 *
+************************************************/
+
+/* Move the files for a message (-H, -D, and msglog) from one directory (or
+hierarchy) to another. It is assume that there is no -J file in existence when
+this is done.
+
+Arguments:
+  id          the id of the message to be delivered
+  subdir      the subdirectory name, or an empty string
+  from        a prefix for "input" or "msglog" for where the message is now
+  to          a prefix for "input" or "msglog" for where the message is to go
+
+Returns:      TRUE if all is well
+              FALSE if not, with error logged in panic and main logs
+*/
+
+BOOL
+spool_move_message(uschar *id, uschar *subdir, uschar *from, uschar *to)
+{
+uschar * dest_qname = queue_name_dest ? queue_name_dest : queue_name;
+
+/* Since we are working within the spool, de-taint the dest queue name */
+dest_qname = string_copy_taint(dest_qname, GET_UNTAINTED);
+
+/* Create any output directories that do not exist. */
+
+(void) directory_make(spool_directory,
+  spool_q_sname(string_sprintf("%sinput", to), dest_qname, subdir),
+  INPUT_DIRECTORY_MODE, TRUE);
+(void) directory_make(spool_directory,
+  spool_q_sname(string_sprintf("%smsglog", to), dest_qname, subdir),
+  INPUT_DIRECTORY_MODE, TRUE);
+
+/* Move the message by first creating new hard links for all the files, and
+then removing the old links. When moving messages onto the main spool, the -H
+file should be set up last, because that's the one that tells Exim there is a
+message to be delivered, so we create its new link last and remove its old link
+first. Programs that look at the alternate directories should follow the same
+rule of waiting for a -H file before doing anything. When moving messages off
+the mail spool, the -D file should be open and locked at the time, thus keeping
+Exim's hands off. */
+
+if (!make_link(US"msglog", dest_qname, subdir, id, US"", from, to, TRUE) ||
+    !make_link(US"input",  dest_qname, subdir, id, US"-D", from, to, FALSE) ||
+    !make_link(US"input",  dest_qname, subdir, id, US"-H", from, to, FALSE))
+  return FALSE;
+
+if (!break_link(US"input",  subdir, id, US"-H", from, FALSE) ||
+    !break_link(US"input",  subdir, id, US"-D", from, FALSE) ||
+    !break_link(US"msglog", subdir, id, US"", from, TRUE))
+  return FALSE;
+
+log_write(0, LOG_MAIN, "moved from %s%s%s%sinput, %smsglog to %s%s%s%sinput, %smsglog",
+   *queue_name?"(":"", *queue_name?queue_name:US"", *queue_name?") ":"",
+   from, from,
+   *dest_qname?"(":"", *dest_qname?dest_qname:US"", *dest_qname?") ":"",
+   to, to);
+
+return TRUE;
+}
+
+
+/* End of spool_out.c */
+/* vi: aw ai sw=2
+*/
diff --git a/src/std-crypto.c b/src/std-crypto.c
new file mode 100644
index 0000000..200fb71
--- /dev/null
+++ b/src/std-crypto.c
@@ -0,0 +1,1031 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Phil Pennock 2012, 2016
+ * Copyright (c) The Exim Maintainers 2017 - 2021
+ * But almost everything here is fixed published constants from RFCs, so also:
+ * Copyright (C) The Internet Society (2003)
+ * Copyright (C) The IETF Trust (2008)
+ * Most of the text in RFC referencing comments is copy/paste from RFC,
+ * as is undoubtedly the intention.
+ * The constants are generated from that text using util/gen_pkcs3.c invoked
+ * with the -C option.
+ */
+
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "exim.h"
+
+#ifdef DISABLE_TLS
+static void dummy(int x) { dummy(x-1); }
+#else
+
+/* The IETF defines standard primes as "Modular Exponential (MODP) Groups" for
+use in IKE in RFC 2409 and 3526, and then some more, "for Use with IETF
+Standards" in RFC 5114.  These have been thoroughly reviewed as meeting
+certain eligibility criteria, which is more than can be said for primes
+generated quickly on no particular criteria.
+
+Any prime used in TLS is disclosed publicly, and if the security of your
+session depends upon the prime being secret, then one of three situations
+holds:
+ (1) the prime is too small
+ (2) the prime is flawed, use one of these instead
+ (3) you know of fundamental cryptanalytic breaks not currently publicly known
+     to the cryptographic community.
+*/
+
+/* RFC 2409 MODP IKE_id=1 generator=2 bits=768
+   The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 }
+   Its hexadecimal value is
+         FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
+         29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
+         EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
+         E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
+*/
+static const char dh_ike_1_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MGYCYQD//////////8kP2qIhaMI0xMZii4DcHNEpAk4IimfMdAILvqY7E5siUUoI\n"
+"eY40BN3vlRmzzTpDGzArCm3yXxQ3T+E1bW1RwkXkhbV2Yl5+xvRMQummOjYg////\n"
+"//////8CAQI=\n"
+"-----END DH PARAMETERS-----\n";
+
+/* RFC 2409 MODP IKE_id=2 generator=2 bits=1024
+   The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
+   Its hexadecimal value is
+
+         FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
+         29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
+         EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
+         E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
+         EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
+         FFFFFFFF FFFFFFFF
+*/
+static const char dh_ike_2_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR\n"
+"Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL\n"
+"/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC\n"
+"-----END DH PARAMETERS-----\n";
+
+/* RFC 2409; id=3 and id=4 are EC2N, not yet supported here */
+
+/* RFC 3526 MODP IKE_id=5 generator=2 bits=1536
+   The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }
+   Its hexadecimal value is:
+
+      FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
+      29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
+      EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
+      E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
+      EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
+      C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
+      83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
+      670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
+*/
+static const char dh_ike_5_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIHHAoHBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR\n"
+"Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL\n"
+"/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7ORbPcIAfLihY78FmNpINhxV05pp\n"
+"Fj+o/STPX4NlXSPco62WHGLzViCFUrue1SkHcJaWbWcMNU5KvJgE8XRsCMojcyf/\n"
+"/////////wIBAg==\n"
+"-----END DH PARAMETERS-----\n";
+
+/* RFC 3526 MODP IKE_id=14 generator=2 bits=2048
+   This prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }
+   Its hexadecimal value is:
+
+      FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
+      29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
+      EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
+      E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
+      EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
+      C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
+      83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
+      670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
+      E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
+      DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
+      15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
+*/
+static const char dh_ike_14_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb\n"
+"IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft\n"
+"awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT\n"
+"mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh\n"
+"fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq\n"
+"5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==\n"
+"-----END DH PARAMETERS-----\n";
+
+/* RFC 3526 MODP IKE_id=15 generator=2 bits=3072
+   This prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 }
+   Its hexadecimal value is:
+
+      FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
+      29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
+      EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
+      E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
+      EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
+      C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
+      83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
+      670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
+      E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
+      DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
+      15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64
+      ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7
+      ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B
+      F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C
+      BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31
+      43DB5BFC E0FD108E 4B82D120 A93AD2CA FFFFFFFF FFFFFFFF
+*/
+static const char dh_ike_15_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIIBiAKCAYEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb\n"
+"IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft\n"
+"awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT\n"
+"mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh\n"
+"fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq\n"
+"5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM\n"
+"fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq\n"
+"ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqTrS\n"
+"yv//////////AgEC\n"
+"-----END DH PARAMETERS-----\n";
+
+/* RFC 3526 MODP IKE_id=16 generator=2 bits=4096
+   This prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 }
+   Its hexadecimal value is:
+
+      FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
+      29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
+      EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
+      E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
+      EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
+      C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
+      83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
+      670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
+      E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
+      DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
+      15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64
+      ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7
+      ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B
+      F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C
+      BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31
+      43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7
+      88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA
+      2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6
+      287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED
+      1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9
+      93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199
+      FFFFFFFF FFFFFFFF
+*/
+static const char dh_ike_16_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb\n"
+"IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft\n"
+"awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT\n"
+"mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh\n"
+"fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq\n"
+"5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM\n"
+"fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq\n"
+"ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI\n"
+"ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O\n"
+"+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI\n"
+"HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI=\n"
+"-----END DH PARAMETERS-----\n";
+
+/* RFC 3526 MODP IKE_id=17 generator=2 bits=6144
+   This prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 }
+   Its hexadecimal value is:
+
+   FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08
+   8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B
+   302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9
+   A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6
+   49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8
+   FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
+   670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B E39E772C
+   180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
+   3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AAAC42D AD33170D
+   04507A33 A85521AB DF1CBA64 ECFB8504 58DBEF0A 8AEA7157 5D060C7D
+   B3970F85 A6E1E4C7 ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226
+   1AD2EE6B F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C
+   BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31 43DB5BFC
+   E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7 88719A10 BDBA5B26
+   99C32718 6AF4E23C 1A946834 B6150BDA 2583E9CA 2AD44CE8 DBBBC2DB
+   04DE8EF9 2E8EFC14 1FBECAA6 287C5947 4E6BC05D 99B2964F A090C3A2
+   233BA186 515BE7ED 1F612970 CEE2D7AF B81BDD76 2170481C D0069127
+   D5B05AA9 93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492
+   36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD F8FF9406
+   AD9E530E E5DB382F 413001AE B06A53ED 9027D831 179727B0 865A8918
+   DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B DB7F1447 E6CC254B 33205151
+   2BD7AF42 6FB8F401 378CD2BF 5983CA01 C64B92EC F032EA15 D1721D03
+   F482D7CE 6E74FEF6 D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F
+   BEC7E8F3 23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA
+   CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328 06A1D58B
+   B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C DA56C9EC 2EF29632
+   387FE8D7 6E3C0468 043E8F66 3F4860EE 12BF2D5B 0B7474D6 E694F91E
+   6DCC4024 FFFFFFFF FFFFFFFF
+*/
+static const char dh_ike_17_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIIDCAKCAwEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb\n"
+"IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft\n"
+"awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT\n"
+"mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh\n"
+"fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq\n"
+"5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM\n"
+"fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq\n"
+"ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI\n"
+"ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O\n"
+"+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI\n"
+"HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG\n"
+"3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU\n"
+"7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId\n"
+"A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha\n"
+"xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/\n"
+"8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebcxA\n"
+"JP//////////AgEC\n"
+"-----END DH PARAMETERS-----\n";
+
+/* RFC 3526 MODP IKE_id=18 generator=2 bits=8192
+   This prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 }
+   Its hexadecimal value is:
+
+      FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
+      29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
+      EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
+      E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
+      EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
+      C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
+      83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
+      670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
+      E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
+      DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
+      15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64
+      ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7
+      ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B
+      F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C
+      BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31
+      43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7
+      88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA
+      2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6
+      287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED
+      1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9
+      93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492
+      36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD
+      F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831
+      179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B
+      DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF
+      5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6
+      D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3
+      23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA
+      CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328
+      06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C
+      DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE
+      12BF2D5B 0B7474D6 E694F91E 6DBE1159 74A3926F 12FEE5E4
+      38777CB6 A932DF8C D8BEC4D0 73B931BA 3BC832B6 8D9DD300
+      741FA7BF 8AFC47ED 2576F693 6BA42466 3AAB639C 5AE4F568
+      3423B474 2BF1C978 238F16CB E39D652D E3FDB8BE FC848AD9
+      22222E04 A4037C07 13EB57A8 1A23F0C7 3473FC64 6CEA306B
+      4BCBC886 2F8385DD FA9D4B7F A2C087E8 79683303 ED5BDD3A
+      062B3CF5 B3A278A6 6D2A13F8 3F44F82D DF310EE0 74AB6A36
+      4597E899 A0255DC1 64F31CC5 0846851D F9AB4819 5DED7EA1
+      B1D510BD 7EE74D73 FAF36BC3 1ECFA268 359046F4 EB879F92
+      4009438B 481C6CD7 889A002E D5EE382B C9190DA6 FC026E47
+      9558E447 5677E9AA 9E3050E2 765694DF C81F56E8 80B96E71
+      60C980DD 98EDD3DF FFFFFFFF FFFFFFFF
+*/
+static const char dh_ike_18_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb\n"
+"IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft\n"
+"awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT\n"
+"mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh\n"
+"fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq\n"
+"5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM\n"
+"fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq\n"
+"ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI\n"
+"ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O\n"
+"+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI\n"
+"HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG\n"
+"3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU\n"
+"7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId\n"
+"A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha\n"
+"xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/\n"
+"8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R\n"
+"WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk\n"
+"ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw\n"
+"xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4\n"
+"Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i\n"
+"aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU\n"
+"38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==\n"
+"-----END DH PARAMETERS-----\n";
+
+/* RFC 5114 IKE_id=22
+2.1.  1024-bit MODP Group with 160-bit Prime Order Subgroup
+
+   The hexadecimal value of the prime is:
+
+   p = B10B8F96 A080E01D DE92DE5E AE5D54EC 52C99FBC FB06A3C6
+       9A6A9DCA 52D23B61 6073E286 75A23D18 9838EF1E 2EE652C0
+       13ECB4AE A9061123 24975C3C D49B83BF ACCBDD7D 90C4BD70
+       98488E9C 219A7372 4EFFD6FA E5644738 FAA31A4F F55BCCC0
+       A151AF5F 0DC8B4BD 45BF37DF 365C1A65 E68CFDA7 6D4DA708
+       DF1FB2BC 2E4A4371
+
+   The hexadecimal value of the generator is:
+
+   g = A4D1CBD5 C3FD3412 6765A442 EFB99905 F8104DD2 58AC507F
+       D6406CFF 14266D31 266FEA1E 5C41564B 777E690F 5504F213
+       160217B4 B01B886A 5E91547F 9E2749F4 D7FBD7D3 B9A92EE1
+       909D0D22 63F80A76 A6A24C08 7A091F53 1DBF0A01 69B6A28A
+       D662A4D1 8E73AFA3 2D779D59 18D08BC8 858F4DCE F97C2A24
+       855E6EEB 22B3B2E5
+
+   The generator generates a prime-order subgroup of size:
+
+   q = F518AA87 81A8DF27 8ABA4E7D 64B7CB9D 49462353
+*/
+static const char dh_ike_22_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y\n"
+"mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4\n"
+"+qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV\n"
+"w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0\n"
+"sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR\n"
+"jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=\n"
+"-----END DH PARAMETERS-----\n";
+
+/* RFC 5114 IKE_id=23
+2.2.  2048-bit MODP Group with 224-bit Prime Order Subgroup
+
+   The hexadecimal value of the prime is:
+
+   p =  AD107E1E 9123A9D0 D660FAA7 9559C51F A20D64E5 683B9FD1
+        B54B1597 B61D0A75 E6FA141D F95A56DB AF9A3C40 7BA1DF15
+        EB3D688A 309C180E 1DE6B85A 1274A0A6 6D3F8152 AD6AC212
+        9037C9ED EFDA4DF8 D91E8FEF 55B7394B 7AD5B7D0 B6C12207
+        C9F98D11 ED34DBF6 C6BA0B2C 8BBC27BE 6A00E0A0 B9C49708
+        B3BF8A31 70918836 81286130 BC8985DB 1602E714 415D9330
+        278273C7 DE31EFDC 7310F712 1FD5A074 15987D9A DC0A486D
+        CDF93ACC 44328387 315D75E1 98C641A4 80CD86A1 B9E587E8
+        BE60E69C C928B2B9 C52172E4 13042E9B 23F10B0E 16E79763
+        C9B53DCF 4BA80A29 E3FB73C1 6B8E75B9 7EF363E2 FFA31F71
+        CF9DE538 4E71B81C 0AC4DFFE 0C10E64F
+
+   The hexadecimal value of the generator is:
+
+   g =  AC4032EF 4F2D9AE3 9DF30B5C 8FFDAC50 6CDEBE7B 89998CAF
+        74866A08 CFE4FFE3 A6824A4E 10B9A6F0 DD921F01 A70C4AFA
+        AB739D77 00C29F52 C57DB17C 620A8652 BE5E9001 A8D66AD7
+        C1766910 1999024A F4D02727 5AC1348B B8A762D0 521BC98A
+        E2471504 22EA1ED4 09939D54 DA7460CD B5F6C6B2 50717CBE
+        F180EB34 118E98D1 19529A45 D6F83456 6E3025E3 16A330EF
+        BB77A86F 0C1AB15B 051AE3D4 28C8F8AC B70A8137 150B8EEB
+        10E183ED D19963DD D9E263E4 770589EF 6AA21E7F 5F2FF381
+        B539CCE3 409D13CD 566AFBB4 8D6C0191 81E1BCFE 94B30269
+        EDFE72FE 9B6AA4BD 7B5A0F1C 71CFFF4C 19C418E1 F6EC0179
+        81BC087F 2A7065B3 84B890D3 191F2BFA
+
+   The generator generates a prime-order subgroup of size:
+
+   q =  801C0D34 C58D93FE 99717710 1F80535A 4738CEBC BF389A99
+        B36371EB
+*/
+static const char dh_ike_23_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIICDgKCAQEArRB+HpEjqdDWYPqnlVnFH6INZOVoO5/RtUsVl7YdCnXm+hQd+VpW\n"
+"26+aPEB7od8V6z1oijCcGA4d5rhaEnSgpm0/gVKtasISkDfJ7e/aTfjZHo/vVbc5\n"
+"S3rVt9C2wSIHyfmNEe002/bGugssi7wnvmoA4KC5xJcIs7+KMXCRiDaBKGEwvImF\n"
+"2xYC5xRBXZMwJ4Jzx94x79xzEPcSH9WgdBWYfZrcCkhtzfk6zEQyg4cxXXXhmMZB\n"
+"pIDNhqG55YfovmDmnMkosrnFIXLkEwQumyPxCw4W55djybU9z0uoCinj+3PBa451\n"
+"uX7zY+L/ox9xz53lOE5xuBwKxN/+DBDmTwKCAQEArEAy708tmuOd8wtcj/2sUGze\n"
+"vnuJmYyvdIZqCM/k/+OmgkpOELmm8N2SHwGnDEr6q3OddwDCn1LFfbF8YgqGUr5e\n"
+"kAGo1mrXwXZpEBmZAkr00CcnWsE0i7inYtBSG8mK4kcVBCLqHtQJk51U2nRgzbX2\n"
+"xrJQcXy+8YDrNBGOmNEZUppF1vg0Vm4wJeMWozDvu3eobwwasVsFGuPUKMj4rLcK\n"
+"gTcVC47rEOGD7dGZY93Z4mPkdwWJ72qiHn9fL/OBtTnM40CdE81Wavu0jWwBkYHh\n"
+"vP6UswJp7f5y/ptqpL17Wg8ccc//TBnEGOH27AF5gbwIfypwZbOEuJDTGR8r+gIC\n"
+"AOA=\n"
+"-----END DH PARAMETERS-----\n";
+
+/* RFC 5114 IKE_id=24
+2.3.  2048-bit MODP Group with 256-bit Prime Order Subgroup
+
+   The hexadecimal value of the prime is:
+
+   p = 87A8E61D B4B6663C FFBBD19C 65195999 8CEEF608 660DD0F2
+       5D2CEED4 435E3B00 E00DF8F1 D61957D4 FAF7DF45 61B2AA30
+       16C3D911 34096FAA 3BF4296D 830E9A7C 209E0C64 97517ABD
+       5A8A9D30 6BCF67ED 91F9E672 5B4758C0 22E0B1EF 4275BF7B
+       6C5BFC11 D45F9088 B941F54E B1E59BB8 BC39A0BF 12307F5C
+       4FDB70C5 81B23F76 B63ACAE1 CAA6B790 2D525267 35488A0E
+       F13C6D9A 51BFA4AB 3AD83477 96524D8E F6A167B5 A41825D9
+       67E144E5 14056425 1CCACB83 E6B486F6 B3CA3F79 71506026
+       C0B857F6 89962856 DED4010A BD0BE621 C3A3960A 54E710C3
+       75F26375 D7014103 A4B54330 C198AF12 6116D227 6E11715F
+       693877FA D7EF09CA DB094AE9 1E1A1597
+
+   The hexadecimal value of the generator is:
+
+   g = 3FB32C9B 73134D0B 2E775066 60EDBD48 4CA7B18F 21EF2054
+       07F4793A 1A0BA125 10DBC150 77BE463F FF4FED4A AC0BB555
+       BE3A6C1B 0C6B47B1 BC3773BF 7E8C6F62 901228F8 C28CBB18
+       A55AE313 41000A65 0196F931 C77A57F2 DDF463E5 E9EC144B
+       777DE62A AAB8A862 8AC376D2 82D6ED38 64E67982 428EBC83
+       1D14348F 6F2F9193 B5045AF2 767164E1 DFC967C1 FB3F2E55
+       A4BD1BFF E83B9C80 D052B985 D182EA0A DB2A3B73 13D3FE14
+       C8484B1E 052588B9 B7D2BBD2 DF016199 ECD06E15 57CD0915
+       B3353BBB 64E0EC37 7FD02837 0DF92B52 C7891428 CDC67EB6
+       184B523D 1DB246C3 2F630784 90F00EF8 D647D148 D4795451
+       5E2327CF EF98C582 664B4C0F 6CC41659
+
+   The generator generates a prime-order subgroup of size:
+
+   q = 8CF83642 A709A097 B4479976 40129DA2 99B1A47D 1EB3750B
+       A308B0FE 64F5FBD3
+*/
+static const char dh_ike_24_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIICDQKCAQEAh6jmHbS2Zjz/u9GcZRlZmYzu9ghmDdDyXSzu1ENeOwDgDfjx1hlX\n"
+"1Pr330VhsqowFsPZETQJb6o79Cltgw6afCCeDGSXUXq9WoqdMGvPZ+2R+eZyW0dY\n"
+"wCLgse9Cdb97bFv8EdRfkIi5QfVOseWbuLw5oL8SMH9cT9twxYGyP3a2Osrhyqa3\n"
+"kC1SUmc1SIoO8TxtmlG/pKs62DR3llJNjvahZ7WkGCXZZ+FE5RQFZCUcysuD5rSG\n"
+"9rPKP3lxUGAmwLhX9omWKFbe1AEKvQvmIcOjlgpU5xDDdfJjddcBQQOktUMwwZiv\n"
+"EmEW0iduEXFfaTh3+tfvCcrbCUrpHhoVlwKCAQA/syybcxNNCy53UGZg7b1ITKex\n"
+"jyHvIFQH9Hk6GguhJRDbwVB3vkY//0/tSqwLtVW+OmwbDGtHsbw3c79+jG9ikBIo\n"
+"+MKMuxilWuMTQQAKZQGW+THHelfy3fRj5ensFEt3feYqqrioYorDdtKC1u04ZOZ5\n"
+"gkKOvIMdFDSPby+Rk7UEWvJ2cWTh38lnwfs/LlWkvRv/6DucgNBSuYXRguoK2yo7\n"
+"cxPT/hTISEseBSWIubfSu9LfAWGZ7NBuFVfNCRWzNTu7ZODsN3/QKDcN+StSx4kU\n"
+"KM3GfrYYS1I9HbJGwy9jB4SQ8A741kfRSNR5VFFeIyfP75jFgmZLTA9sxBZZAgIB\n"
+"AA==\n"
+"-----END DH PARAMETERS-----\n";
+
+/* ------------------------------------------------------------------------- */
+/* RFC 7919 Published August 2016, so strength estimates date from then.
+
+A.1.  ffdhe2048
+
+   The 2048-bit group has registry value 256 and is calculated from the
+   following formula:
+
+   The modulus is:
+
+   p = 2^2048 - 2^1984 + {[2^1918 * e] + 560316 } * 2^64 - 1
+
+   The hexadecimal representation of p is:
+
+    FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
+    D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
+    7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
+    2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
+    984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
+    30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
+    B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
+    0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
+    9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
+    3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
+    886B4238 61285C97 FFFFFFFF FFFFFFFF
+
+   The generator is: g = 2
+
+   The group size is: q = (p-1)/2
+
+   The hexadecimal representation of q is:
+
+    7FFFFFFF FFFFFFFF D6FC2A2C 515DA54D 57EE2B10 139E9E78
+    EC5CE2C1 E7169B4A D4F09B20 8A3219FD E649CEE7 124D9F7C
+    BE97F1B1 B1863AEC 7B40D901 576230BD 69EF8F6A EAFEB2B0
+    9219FA8F AF833768 42B1B2AA 9EF68D79 DAAB89AF 3FABE49A
+    CC278638 707345BB F15344ED 79F7F439 0EF8AC50 9B56F39A
+    98566527 A41D3CBD 5E0558C1 59927DB0 E88454A5 D96471FD
+    DCB56D5B B06BFA34 0EA7A151 EF1CA6FA 572B76F3 B1B95D8C
+    8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0
+    C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9
+    9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD
+    4435A11C 30942E4B FFFFFFFF FFFFFFFF
+
+   The estimated symmetric-equivalent strength of this group is 103
+   bits.
+*/
+static const char dh_ffdhe2048_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+"+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
+"87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
+"YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
+"7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
+"ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICB/8=\n"
+"-----END DH PARAMETERS-----\n";
+
+/*
+A.2.  ffdhe3072
+
+   The 3072-bit prime has registry value 257 and is calculated from the
+   following formula:
+
+   The modulus is:
+
+   p = 2^3072 - 2^3008 + {[2^2942 * e] + 2625351} * 2^64 - 1
+
+   The hexadecimal representation of p is:
+
+    FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
+    D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
+    7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
+    2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
+    984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
+    30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
+    B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
+    0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
+    9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
+    3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
+    886B4238 611FCFDC DE355B3B 6519035B BC34F4DE F99C0238
+    61B46FC9 D6E6C907 7AD91D26 91F7F7EE 598CB0FA C186D91C
+    AEFE1309 85139270 B4130C93 BC437944 F4FD4452 E2D74DD3
+    64F2E21E 71F54BFF 5CAE82AB 9C9DF69E E86D2BC5 22363A0D
+    ABC52197 9B0DEADA 1DBF9A42 D5C4484E 0ABCD06B FA53DDEF
+    3C1B20EE 3FD59D7C 25E41D2B 66C62E37 FFFFFFFF FFFFFFFF
+
+   The generator is: g = 2
+
+   The group size is: q = (p-1)/2
+
+   The hexadecimal representation of q is:
+
+    7FFFFFFF FFFFFFFF D6FC2A2C 515DA54D 57EE2B10 139E9E78
+    EC5CE2C1 E7169B4A D4F09B20 8A3219FD E649CEE7 124D9F7C
+    BE97F1B1 B1863AEC 7B40D901 576230BD 69EF8F6A EAFEB2B0
+    9219FA8F AF833768 42B1B2AA 9EF68D79 DAAB89AF 3FABE49A
+    CC278638 707345BB F15344ED 79F7F439 0EF8AC50 9B56F39A
+    98566527 A41D3CBD 5E0558C1 59927DB0 E88454A5 D96471FD
+    DCB56D5B B06BFA34 0EA7A151 EF1CA6FA 572B76F3 B1B95D8C
+    8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0
+    C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9
+    9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD
+    4435A11C 308FE7EE 6F1AAD9D B28C81AD DE1A7A6F 7CCE011C
+    30DA37E4 EB736483 BD6C8E93 48FBFBF7 2CC6587D 60C36C8E
+    577F0984 C289C938 5A098649 DE21BCA2 7A7EA229 716BA6E9
+    B279710F 38FAA5FF AE574155 CE4EFB4F 743695E2 911B1D06
+    D5E290CB CD86F56D 0EDFCD21 6AE22427 055E6835 FD29EEF7
+    9E0D9077 1FEACEBE 12F20E95 B363171B FFFFFFFF FFFFFFFF
+
+   The estimated symmetric-equivalent strength of this group is 125
+   bits.
+*/
+static const char dh_ffdhe3072_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIIBjAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+"+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
+"87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
+"YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
+"7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
+"ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3\n"
+"7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32\n"
+"nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu\n"
+"N///////////AgECAgIL/w==\n"
+"-----END DH PARAMETERS-----\n";
+
+/*
+A.3.  ffdhe4096
+
+   The 4096-bit group has registry value 258 and is calculated from the
+   following formula:
+
+   The modulus is:
+
+   p = 2^4096 - 2^4032 + {[2^3966 * e] + 5736041} * 2^64 - 1
+
+   The hexadecimal representation of p is:
+
+    FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
+    D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
+    7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
+    2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
+    984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
+    30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
+    B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
+    0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
+    9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
+    3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
+    886B4238 611FCFDC DE355B3B 6519035B BC34F4DE F99C0238
+    61B46FC9 D6E6C907 7AD91D26 91F7F7EE 598CB0FA C186D91C
+    AEFE1309 85139270 B4130C93 BC437944 F4FD4452 E2D74DD3
+    64F2E21E 71F54BFF 5CAE82AB 9C9DF69E E86D2BC5 22363A0D
+    ABC52197 9B0DEADA 1DBF9A42 D5C4484E 0ABCD06B FA53DDEF
+    3C1B20EE 3FD59D7C 25E41D2B 669E1EF1 6E6F52C3 164DF4FB
+    7930E9E4 E58857B6 AC7D5F42 D69F6D18 7763CF1D 55034004
+    87F55BA5 7E31CC7A 7135C886 EFB4318A ED6A1E01 2D9E6832
+    A907600A 918130C4 6DC778F9 71AD0038 092999A3 33CB8B7A
+    1A1DB93D 7140003C 2A4ECEA9 F98D0ACC 0A8291CD CEC97DCF
+    8EC9B55A 7F88A46B 4DB5A851 F44182E1 C68A007E 5E655F6A
+    FFFFFFFF FFFFFFFF
+
+   The generator is: g = 2
+
+   The group size is: q = (p-1)/2
+
+   The hexadecimal representation of q is:
+
+    7FFFFFFF FFFFFFFF D6FC2A2C 515DA54D 57EE2B10 139E9E78
+    EC5CE2C1 E7169B4A D4F09B20 8A3219FD E649CEE7 124D9F7C
+    BE97F1B1 B1863AEC 7B40D901 576230BD 69EF8F6A EAFEB2B0
+    9219FA8F AF833768 42B1B2AA 9EF68D79 DAAB89AF 3FABE49A
+    CC278638 707345BB F15344ED 79F7F439 0EF8AC50 9B56F39A
+    98566527 A41D3CBD 5E0558C1 59927DB0 E88454A5 D96471FD
+    DCB56D5B B06BFA34 0EA7A151 EF1CA6FA 572B76F3 B1B95D8C
+    8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0
+    C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9
+    9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD
+    4435A11C 308FE7EE 6F1AAD9D B28C81AD DE1A7A6F 7CCE011C
+    30DA37E4 EB736483 BD6C8E93 48FBFBF7 2CC6587D 60C36C8E
+    577F0984 C289C938 5A098649 DE21BCA2 7A7EA229 716BA6E9
+    B279710F 38FAA5FF AE574155 CE4EFB4F 743695E2 911B1D06
+    D5E290CB CD86F56D 0EDFCD21 6AE22427 055E6835 FD29EEF7
+    9E0D9077 1FEACEBE 12F20E95 B34F0F78 B737A961 8B26FA7D
+    BC9874F2 72C42BDB 563EAFA1 6B4FB68C 3BB1E78E AA81A002
+    43FAADD2 BF18E63D 389AE443 77DA18C5 76B50F00 96CF3419
+    5483B005 48C09862 36E3BC7C B8D6801C 0494CCD1 99E5C5BD
+    0D0EDC9E B8A0001E 15276754 FCC68566 054148E6 E764BEE7
+    C764DAAD 3FC45235 A6DAD428 FA20C170 E345003F 2F32AFB5
+    7FFFFFFF FFFFFFFF
+
+   The estimated symmetric-equivalent strength of this group is 150
+   bits.
+*/
+static const char dh_ffdhe4096_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIICDAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+"+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
+"87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
+"YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
+"7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
+"ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3\n"
+"7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32\n"
+"nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e\n"
+"8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx\n"
+"iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K\n"
+"zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQICAg//\n"
+"-----END DH PARAMETERS-----\n";
+
+/*
+A.4.  ffdhe6144
+
+   The 6144-bit group has registry value 259 and is calculated from the
+   following formula:
+
+   The modulus is:
+
+   p = 2^6144 - 2^6080 + {[2^6014 * e] + 15705020} * 2^64 - 1
+
+   The hexadecimal representation of p is:
+
+    FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
+    D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
+    7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
+    2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
+    984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
+    30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
+    B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
+    0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
+    9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
+    3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
+    886B4238 611FCFDC DE355B3B 6519035B BC34F4DE F99C0238
+    61B46FC9 D6E6C907 7AD91D26 91F7F7EE 598CB0FA C186D91C
+    AEFE1309 85139270 B4130C93 BC437944 F4FD4452 E2D74DD3
+    64F2E21E 71F54BFF 5CAE82AB 9C9DF69E E86D2BC5 22363A0D
+    ABC52197 9B0DEADA 1DBF9A42 D5C4484E 0ABCD06B FA53DDEF
+    3C1B20EE 3FD59D7C 25E41D2B 669E1EF1 6E6F52C3 164DF4FB
+    7930E9E4 E58857B6 AC7D5F42 D69F6D18 7763CF1D 55034004
+    87F55BA5 7E31CC7A 7135C886 EFB4318A ED6A1E01 2D9E6832
+    A907600A 918130C4 6DC778F9 71AD0038 092999A3 33CB8B7A
+    1A1DB93D 7140003C 2A4ECEA9 F98D0ACC 0A8291CD CEC97DCF
+    8EC9B55A 7F88A46B 4DB5A851 F44182E1 C68A007E 5E0DD902
+    0BFD64B6 45036C7A 4E677D2C 38532A3A 23BA4442 CAF53EA6
+    3BB45432 9B7624C8 917BDD64 B1C0FD4C B38E8C33 4C701C3A
+    CDAD0657 FCCFEC71 9B1F5C3E 4E46041F 388147FB 4CFDB477
+    A52471F7 A9A96910 B855322E DB6340D8 A00EF092 350511E3
+    0ABEC1FF F9E3A26E 7FB29F8C 183023C3 587E38DA 0077D9B4
+    763E4E4B 94B2BBC1 94C6651E 77CAF992 EEAAC023 2A281BF6
+    B3A739C1 22611682 0AE8DB58 47A67CBE F9C9091B 462D538C
+    D72B0374 6AE77F5E 62292C31 1562A846 505DC82D B854338A
+    E49F5235 C95B9117 8CCF2DD5 CACEF403 EC9D1810 C6272B04
+    5B3B71F9 DC6B80D6 3FDD4A8E 9ADB1E69 62A69526 D43161C1
+    A41D570D 7938DAD4 A40E329C D0E40E65 FFFFFFFF FFFFFFFF
+
+   The generator is: g = 2
+
+   The group size is: q = (p-1)/2
+
+   The hexadecimal representation of q is:
+
+    7FFFFFFF FFFFFFFF D6FC2A2C 515DA54D 57EE2B10 139E9E78
+    EC5CE2C1 E7169B4A D4F09B20 8A3219FD E649CEE7 124D9F7C
+    BE97F1B1 B1863AEC 7B40D901 576230BD 69EF8F6A EAFEB2B0
+    9219FA8F AF833768 42B1B2AA 9EF68D79 DAAB89AF 3FABE49A
+    CC278638 707345BB F15344ED 79F7F439 0EF8AC50 9B56F39A
+    98566527 A41D3CBD 5E0558C1 59927DB0 E88454A5 D96471FD
+    DCB56D5B B06BFA34 0EA7A151 EF1CA6FA 572B76F3 B1B95D8C
+    8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0
+    C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9
+    9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD
+    4435A11C 308FE7EE 6F1AAD9D B28C81AD DE1A7A6F 7CCE011C
+    30DA37E4 EB736483 BD6C8E93 48FBFBF7 2CC6587D 60C36C8E
+    577F0984 C289C938 5A098649 DE21BCA2 7A7EA229 716BA6E9
+    B279710F 38FAA5FF AE574155 CE4EFB4F 743695E2 911B1D06
+    D5E290CB CD86F56D 0EDFCD21 6AE22427 055E6835 FD29EEF7
+    9E0D9077 1FEACEBE 12F20E95 B34F0F78 B737A961 8B26FA7D
+    BC9874F2 72C42BDB 563EAFA1 6B4FB68C 3BB1E78E AA81A002
+    43FAADD2 BF18E63D 389AE443 77DA18C5 76B50F00 96CF3419
+    5483B005 48C09862 36E3BC7C B8D6801C 0494CCD1 99E5C5BD
+    0D0EDC9E B8A0001E 15276754 FCC68566 054148E6 E764BEE7
+    C764DAAD 3FC45235 A6DAD428 FA20C170 E345003F 2F06EC81
+    05FEB25B 2281B63D 2733BE96 1C29951D 11DD2221 657A9F53
+    1DDA2A19 4DBB1264 48BDEEB2 58E07EA6 59C74619 A6380E1D
+    66D6832B FE67F638 CD8FAE1F 2723020F 9C40A3FD A67EDA3B
+    D29238FB D4D4B488 5C2A9917 6DB1A06C 50077849 1A8288F1
+    855F60FF FCF1D137 3FD94FC6 0C1811E1 AC3F1C6D 003BECDA
+    3B1F2725 CA595DE0 CA63328F 3BE57CC9 77556011 95140DFB
+    59D39CE0 91308B41 05746DAC 23D33E5F 7CE4848D A316A9C6
+    6B9581BA 3573BFAF 31149618 8AB15423 282EE416 DC2A19C5
+    724FA91A E4ADC88B C66796EA E5677A01 F64E8C08 63139582
+    2D9DB8FC EE35C06B 1FEEA547 4D6D8F34 B1534A93 6A18B0E0
+    D20EAB86 BC9C6D6A 5207194E 68720732 FFFFFFFF FFFFFFFF
+
+   The estimated symmetric-equivalent strength of this group is 175
+   bits.
+*/
+static const char dh_ffdhe6144_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIIDDAKCAwEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+"+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
+"87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
+"YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
+"7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
+"ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3\n"
+"7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32\n"
+"nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e\n"
+"8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx\n"
+"iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K\n"
+"zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eDdkCC/1ktkUDbHpOZ30sOFMq\n"
+"OiO6RELK9T6mO7RUMpt2JMiRe91kscD9TLOOjDNMcBw6za0GV/zP7HGbH1w+TkYE\n"
+"HziBR/tM/bR3pSRx96mpaRC4VTIu22NA2KAO8JI1BRHjCr7B//njom5/sp+MGDAj\n"
+"w1h+ONoAd9m0dj5OS5Syu8GUxmUed8r5ku6qwCMqKBv2s6c5wSJhFoIK6NtYR6Z8\n"
+"vvnJCRtGLVOM1ysDdGrnf15iKSwxFWKoRlBdyC24VDOK5J9SNclbkReMzy3Vys70\n"
+"A+ydGBDGJysEWztx+dxrgNY/3UqOmtseaWKmlSbUMWHBpB1XDXk42tSkDjKc0OQO\n"
+"Zf//////////AgECAgIX/w==\n"
+"-----END DH PARAMETERS-----\n";
+
+/*
+A.5.  ffdhe8192
+
+   The 8192-bit group has registry value 260 and is calculated from the
+   following formula:
+
+   The modulus is:
+
+   p = 2^8192 - 2^8128 + {[2^8062 * e] + 10965728} * 2^64 - 1
+
+   The hexadecimal representation of p is:
+
+    FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
+    D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
+    7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
+    2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
+    984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
+    30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
+    B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
+    0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
+    9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
+    3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
+    886B4238 611FCFDC DE355B3B 6519035B BC34F4DE F99C0238
+    61B46FC9 D6E6C907 7AD91D26 91F7F7EE 598CB0FA C186D91C
+    AEFE1309 85139270 B4130C93 BC437944 F4FD4452 E2D74DD3
+    64F2E21E 71F54BFF 5CAE82AB 9C9DF69E E86D2BC5 22363A0D
+    ABC52197 9B0DEADA 1DBF9A42 D5C4484E 0ABCD06B FA53DDEF
+    3C1B20EE 3FD59D7C 25E41D2B 669E1EF1 6E6F52C3 164DF4FB
+    7930E9E4 E58857B6 AC7D5F42 D69F6D18 7763CF1D 55034004
+    87F55BA5 7E31CC7A 7135C886 EFB4318A ED6A1E01 2D9E6832
+    A907600A 918130C4 6DC778F9 71AD0038 092999A3 33CB8B7A
+    1A1DB93D 7140003C 2A4ECEA9 F98D0ACC 0A8291CD CEC97DCF
+    8EC9B55A 7F88A46B 4DB5A851 F44182E1 C68A007E 5E0DD902
+    0BFD64B6 45036C7A 4E677D2C 38532A3A 23BA4442 CAF53EA6
+    3BB45432 9B7624C8 917BDD64 B1C0FD4C B38E8C33 4C701C3A
+    CDAD0657 FCCFEC71 9B1F5C3E 4E46041F 388147FB 4CFDB477
+    A52471F7 A9A96910 B855322E DB6340D8 A00EF092 350511E3
+    0ABEC1FF F9E3A26E 7FB29F8C 183023C3 587E38DA 0077D9B4
+    763E4E4B 94B2BBC1 94C6651E 77CAF992 EEAAC023 2A281BF6
+    B3A739C1 22611682 0AE8DB58 47A67CBE F9C9091B 462D538C
+    D72B0374 6AE77F5E 62292C31 1562A846 505DC82D B854338A
+    E49F5235 C95B9117 8CCF2DD5 CACEF403 EC9D1810 C6272B04
+    5B3B71F9 DC6B80D6 3FDD4A8E 9ADB1E69 62A69526 D43161C1
+    A41D570D 7938DAD4 A40E329C CFF46AAA 36AD004C F600C838
+    1E425A31 D951AE64 FDB23FCE C9509D43 687FEB69 EDD1CC5E
+    0B8CC3BD F64B10EF 86B63142 A3AB8829 555B2F74 7C932665
+    CB2C0F1C C01BD702 29388839 D2AF05E4 54504AC7 8B758282
+    2846C0BA 35C35F5C 59160CC0 46FD8251 541FC68C 9C86B022
+    BB709987 6A460E74 51A8A931 09703FEE 1C217E6C 3826E52C
+    51AA691E 0E423CFC 99E9E316 50C1217B 624816CD AD9A95F9
+    D5B80194 88D9C0A0 A1FE3075 A577E231 83F81D4A 3F2FA457
+    1EFC8CE0 BA8A4FE8 B6855DFE 72B0A66E DED2FBAB FBE58A30
+    FAFABE1C 5D71A87E 2F741EF8 C1FE86FE A6BBFDE5 30677F0D
+    97D11D49 F7A8443D 0822E506 A9F4614E 011E2A94 838FF88C
+    D68C8BB7 C5C6424C FFFFFFFF FFFFFFFF
+
+   The generator is: g = 2
+
+   The group size is: q = (p-1)/2
+
+   The hexadecimal representation of q is:
+
+    7FFFFFFF FFFFFFFF D6FC2A2C 515DA54D 57EE2B10 139E9E78
+    EC5CE2C1 E7169B4A D4F09B20 8A3219FD E649CEE7 124D9F7C
+    BE97F1B1 B1863AEC 7B40D901 576230BD 69EF8F6A EAFEB2B0
+    9219FA8F AF833768 42B1B2AA 9EF68D79 DAAB89AF 3FABE49A
+    CC278638 707345BB F15344ED 79F7F439 0EF8AC50 9B56F39A
+    98566527 A41D3CBD 5E0558C1 59927DB0 E88454A5 D96471FD
+    DCB56D5B B06BFA34 0EA7A151 EF1CA6FA 572B76F3 B1B95D8C
+    8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0
+    C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9
+    9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD
+    4435A11C 308FE7EE 6F1AAD9D B28C81AD DE1A7A6F 7CCE011C
+    30DA37E4 EB736483 BD6C8E93 48FBFBF7 2CC6587D 60C36C8E
+    577F0984 C289C938 5A098649 DE21BCA2 7A7EA229 716BA6E9
+    B279710F 38FAA5FF AE574155 CE4EFB4F 743695E2 911B1D06
+    D5E290CB CD86F56D 0EDFCD21 6AE22427 055E6835 FD29EEF7
+    9E0D9077 1FEACEBE 12F20E95 B34F0F78 B737A961 8B26FA7D
+    BC9874F2 72C42BDB 563EAFA1 6B4FB68C 3BB1E78E AA81A002
+    43FAADD2 BF18E63D 389AE443 77DA18C5 76B50F00 96CF3419
+    5483B005 48C09862 36E3BC7C B8D6801C 0494CCD1 99E5C5BD
+    0D0EDC9E B8A0001E 15276754 FCC68566 054148E6 E764BEE7
+    C764DAAD 3FC45235 A6DAD428 FA20C170 E345003F 2F06EC81
+    05FEB25B 2281B63D 2733BE96 1C29951D 11DD2221 657A9F53
+    1DDA2A19 4DBB1264 48BDEEB2 58E07EA6 59C74619 A6380E1D
+    66D6832B FE67F638 CD8FAE1F 2723020F 9C40A3FD A67EDA3B
+    D29238FB D4D4B488 5C2A9917 6DB1A06C 50077849 1A8288F1
+    855F60FF FCF1D137 3FD94FC6 0C1811E1 AC3F1C6D 003BECDA
+    3B1F2725 CA595DE0 CA63328F 3BE57CC9 77556011 95140DFB
+    59D39CE0 91308B41 05746DAC 23D33E5F 7CE4848D A316A9C6
+    6B9581BA 3573BFAF 31149618 8AB15423 282EE416 DC2A19C5
+    724FA91A E4ADC88B C66796EA E5677A01 F64E8C08 63139582
+    2D9DB8FC EE35C06B 1FEEA547 4D6D8F34 B1534A93 6A18B0E0
+    D20EAB86 BC9C6D6A 5207194E 67FA3555 1B568026 7B00641C
+    0F212D18 ECA8D732 7ED91FE7 64A84EA1 B43FF5B4 F6E8E62F
+    05C661DE FB258877 C35B18A1 51D5C414 AAAD97BA 3E499332
+    E596078E 600DEB81 149C441C E95782F2 2A282563 C5BAC141
+    1423605D 1AE1AFAE 2C8B0660 237EC128 AA0FE346 4E435811
+    5DB84CC3 B523073A 28D45498 84B81FF7 0E10BF36 1C137296
+    28D5348F 07211E7E 4CF4F18B 286090BD B1240B66 D6CD4AFC
+    EADC00CA 446CE050 50FF183A D2BBF118 C1FC0EA5 1F97D22B
+    8F7E4670 5D4527F4 5B42AEFF 39585337 6F697DD5 FDF2C518
+    7D7D5F0E 2EB8D43F 17BA0F7C 60FF437F 535DFEF2 9833BF86
+    CBE88EA4 FBD4221E 84117283 54FA30A7 008F154A 41C7FC46
+    6B4645DB E2E32126 7FFFFFFF FFFFFFFF
+
+   The estimated symmetric-equivalent strength of this group is 192
+   bits.
+*/
+static const char dh_ffdhe8192_pem[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIIEDAKCBAEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+"+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
+"87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
+"YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
+"7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
+"ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3\n"
+"7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32\n"
+"nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e\n"
+"8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx\n"
+"iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K\n"
+"zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eDdkCC/1ktkUDbHpOZ30sOFMq\n"
+"OiO6RELK9T6mO7RUMpt2JMiRe91kscD9TLOOjDNMcBw6za0GV/zP7HGbH1w+TkYE\n"
+"HziBR/tM/bR3pSRx96mpaRC4VTIu22NA2KAO8JI1BRHjCr7B//njom5/sp+MGDAj\n"
+"w1h+ONoAd9m0dj5OS5Syu8GUxmUed8r5ku6qwCMqKBv2s6c5wSJhFoIK6NtYR6Z8\n"
+"vvnJCRtGLVOM1ysDdGrnf15iKSwxFWKoRlBdyC24VDOK5J9SNclbkReMzy3Vys70\n"
+"A+ydGBDGJysEWztx+dxrgNY/3UqOmtseaWKmlSbUMWHBpB1XDXk42tSkDjKcz/Rq\n"
+"qjatAEz2AMg4HkJaMdlRrmT9sj/OyVCdQ2h/62nt0cxeC4zDvfZLEO+GtjFCo6uI\n"
+"KVVbL3R8kyZlyywPHMAb1wIpOIg50q8F5FRQSseLdYKCKEbAujXDX1xZFgzARv2C\n"
+"UVQfxoychrAiu3CZh2pGDnRRqKkxCXA/7hwhfmw4JuUsUappHg5CPPyZ6eMWUMEh\n"
+"e2JIFs2tmpX51bgBlIjZwKCh/jB1pXfiMYP4HUo/L6RXHvyM4LqKT+i2hV3+crCm\n"
+"bt7S+6v75Yow+vq+HF1xqH4vdB74wf6G/qa7/eUwZ38Nl9EdSfeoRD0IIuUGqfRh\n"
+"TgEeKpSDj/iM1oyLt8XGQkz//////////wIBAgICH/8=\n"
+"-----END DH PARAMETERS-----\n";
+
+/* ========================================================================= */
+
+/* Generated by Phil as a non-standard option.
+openssl dhparam -2 2048
+No provenance to prove non-tampering available, beyond trusting that this
+developer generated this as stated above. */
+
+
+/* MacOSX 10.10.5 invoking system OpenSSL 0.9.8zg */
+static const char dh_exim_20160529_1[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIIBCAKCAQEA8ZMf89Gaye4bDEX1BXZ9+2edkXym9EK0GxmFilHEGpnhgLNmCk+H\n"
+"cCb+zn8Ed5bpCOmRuEv9N/VKPjSpno8jYiQbFgUL3vh8uKvQLJNTzDVDbpd3YO7E\n"
+"tiS0L0qWL57zIf8b3VZTMRsH4Orz2Rla61wVl6XpxE5WRfGqPS264Vvfew7xmCoi\n"
+"INaFzIU6zwk2WeD6K5asctYlQG/UtgY1nRFkQTebIOpm03a6/hw7F14l3yUZgXfv\n"
+"I3m4MFaWvxGcuZxddTijXw3VfjMdWvdH3Iz7IcqD32uEzK6Rgi/t4OVSw1kE2oDt\n"
+"cFThPUCWb7O4TVq9Xt2UZqZFNU6kUAkv2wIBAg==\n"
+"-----END DH PARAMETERS-----\n";
+
+/* MacOSX 10.10.5 invoking OpenSSL 1.0.2h installed from brew bottle */
+static const char dh_exim_20160529_2[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIIBCAKCAQEAot84eqyfSb5l8GRCN2ioWP5T85Z/2lVX9A9r9JzwDfvliAAqm6Vp\n"
+"UcHdAfVt54kc8DsmLiHdDhxY1I/wo+DcBylfVx13cmkroAocowOD5dwQMYk6iXjV\n"
+"ys4heRJhYlAHgt8QZH8dA8c/HLs+rlAHhSUPnetsZmcoPE0LRsjigJsiVXasm+sl\n"
+"g/77u5FCkgSrFILcD9PLPto1ciIXp2y8cjXQDk+D9FH1HaSCXLCLkuHxhQXxjTYO\n"
+"C3Q53aNLkDJ4zpPt7Kc9NxQFBVlNc260IFDOHTWhgV2zpyG6oIzQoHSmmiLAAfcF\n"
+"HrG7I06uZBLjuNGGaM0eeuxHNhs2G2EduwIBAg==\n"
+"-----END DH PARAMETERS-----\n";
+
+/* Ubuntu 14.04.4 running on dual-core Atom D2500 with OneRNG entropy key */
+static const char dh_exim_20160529_3[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIIBCAKCAQEAkbRYVoge2PtrmV1eKCKluSBFELgckuLSnkuH0TffqbmfoYM34lFu\n"
+"2vPM2LhnzKvEBQlIICOTzQD29kROacRfSKpsNINRXhXKUqI6sFXzUZu4Flk69XKG\n"
+"ZOSDYvWkI5pSn1amQ4Nnvn6s+uwn/f0ZDZDiKLW9TgntxJV4A2+yeymaeoGCbIXX\n"
+"5q8WgajFhAeut36RL93HBnXT1hT7Eja1Y81w9fOzQrwBuXhyfCkAdiMA/VCp0UD4\n"
+"0p7uf+okpckVnwD6WnUCHMij8nGlVblZELFYzNi0udtzIrSwlALbZXIeAqhbZXJO\n"
+"lCuYspJhzV0Vs0lDJwrxvNwtdg1ernVIowIBAg==\n"
+"-----END DH PARAMETERS-----\n";
+
+/* ========================================================================= */
+
+struct dh_constant {
+  const char *	label;
+  const char *	pem;
+  int		logging;
+};
+
+#define EXIM_DH_PRIME_DEFAULT dh_exim_20160529_3
+
+/* KEEP SORTED ALPHABETICALLY;
+duplicate PEM are okay, if we want aliases, but names must be alphabetical */
+
+static struct dh_constant dh_constants[] = {
+    /*  label			pem */
+    { "default",		EXIM_DH_PRIME_DEFAULT,	0 },
+    { "exim.dev.20160529.1",	dh_exim_20160529_1,	0 },
+    { "exim.dev.20160529.2",	dh_exim_20160529_2,	0 },
+    { "exim.dev.20160529.3",	dh_exim_20160529_3,	0 },
+    { "ffdhe2048",		dh_ffdhe2048_pem,	0 },
+    { "ffdhe3072",		dh_ffdhe3072_pem,	0 },
+    { "ffdhe4096",		dh_ffdhe4096_pem,	0 },
+    { "ffdhe6144",		dh_ffdhe6144_pem,	0 },
+    { "ffdhe8192",		dh_ffdhe8192_pem,	0 },
+    { "ike1",			dh_ike_1_pem,		LOG_MAIN | LOG_PANIC },
+    { "ike14",			dh_ike_14_pem,		0 },
+    { "ike15",			dh_ike_15_pem,		0 },
+    { "ike16",			dh_ike_16_pem,		0 },
+    { "ike17",			dh_ike_17_pem,		0 },
+    { "ike18",			dh_ike_18_pem,		0 },
+    { "ike2",			dh_ike_2_pem,		LOG_MAIN },
+    { "ike22",			dh_ike_22_pem,		LOG_MAIN | LOG_PANIC },
+    { "ike23",			dh_ike_23_pem,		LOG_MAIN },
+    { "ike24",			dh_ike_24_pem,		LOG_MAIN },
+    { "ike5",			dh_ike_5_pem,		0 },
+};
+static const int dh_constants_count = nelem(dh_constants);
+
+
+/* A policy decision; in absence of any other data, use a 2048 bit prime,
+pick the first one from the latest RFC providing such. */
+
+const char *
+std_dh_prime_default(void)
+{
+return EXIM_DH_PRIME_DEFAULT;
+}
+
+
+/* Return PEM string for given name */
+
+const char *
+std_dh_prime_named(const uschar * name)
+{
+for (int first = 0, last = dh_constants_count; last > first; )
+  {
+  int middle = (first + last)/2;
+  struct dh_constant * dp = &dh_constants[middle];
+  int c = Ustrcmp(name, dp->label);
+  if (c == 0)
+    {
+    if (dp->logging)
+      log_write(0, dp->logging,
+	"WARNING: deprecated Diffie-Hellman parameter '%s' used", dp->label);
+    return dp->pem;
+    }
+  else if (c > 0)
+    first = middle + 1;
+  else
+    last = middle;
+  }
+return NULL;
+}
+
+#endif /*DISABLE_TLS*/
+/* EOF */
diff --git a/src/store.c b/src/store.c
new file mode 100644
index 0000000..c98fcbf
--- /dev/null
+++ b/src/store.c
@@ -0,0 +1,1301 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim maintainers 2019 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Exim gets and frees all its store through these functions. In the original
+implementation there was a lot of mallocing and freeing of small bits of store.
+The philosophy has now changed to a scheme which includes the concept of
+"stacking pools" of store. For the short-lived processes, there isn't any real
+need to do any garbage collection, but the stack concept allows quick resetting
+in places where this seems sensible.
+
+Obviously the long-running processes (the daemon, the queue runner, and eximon)
+must take care not to eat store.
+
+The following different types of store are recognized:
+
+. Long-lived, large blocks: This is implemented by retaining the original
+  malloc/free functions, and it used for permanent working buffers and for
+  getting blocks to cut up for the other types.
+
+. Long-lived, small blocks: This is used for blocks that have to survive until
+  the process exits. It is implemented as a stacking pool (POOL_PERM). This is
+  functionally the same as store_malloc(), except that the store can't be
+  freed, but I expect it to be more efficient for handling small blocks.
+
+. Short-lived, short blocks: Most of the dynamic store falls into this
+  category. It is implemented as a stacking pool (POOL_MAIN) which is reset
+  after accepting a message when multiple messages are received by a single
+  process. Resetting happens at some other times as well, usually fairly
+  locally after some specific processing that needs working store.
+
+. There is a separate pool (POOL_SEARCH) that is used only for lookup storage.
+  This means it can be freed when search_tidyup() is called to close down all
+  the lookup caching.
+
+- There is another pool (POOL_MESSAGE) used for medium-lifetime objects; within
+  a single message transaction but needed for longer than the use of the main
+  pool permits.  Currently this means only receive-time DKIM information.
+
+- There is a dedicated pool for configuration data read from the config file(s).
+  Once complete, it is made readonly.
+
+- There are pools for each active combination of lookup-quoting, dynamically created.
+
+. Orthogonal to the four main pool types, there are two classes of memory: untainted
+  and tainted.  The latter is used for values derived from untrusted input, and
+  the string-expansion mechanism refuses to operate on such values (obviously,
+  it can expand an untainted value to return a tainted result).  The classes
+  are implemented by duplicating the four pool types.  Pool resets are requested
+  against the nontainted sibling and apply to both siblings.
+
+  Only memory blocks requested for tainted use are regarded as tainted; anything
+  else (including stack auto variables) is untainted.  Care is needed when coding
+  to not copy untrusted data into untainted memory, as downstream taint-checks
+  would be avoided.
+
+  Intermediate layers (eg. the string functions) can test for taint, and use this
+  for ensurinng that results have proper state.  For example the
+  string_vformat_trc() routing supporting the string_sprintf() interface will
+  recopy a string being built into a tainted allocation if it meets a %s for a
+  tainted argument.  Any intermediate-layer function that (can) return a new
+  allocation should behave this way; returning a tainted result if any tainted
+  content is used.  Intermediate-layer functions (eg. Ustrncpy) that modify
+  existing allocations fail if tainted data is written into an untainted area.
+  Users of functions that modify existing allocations should check if a tainted
+  source and an untainted destination is used, and fail instead (sprintf() being
+  the classic case).
+*/
+
+
+#include "exim.h"
+/* keep config.h before memcheck.h, for NVALGRIND */
+#include "config.h"
+
+#include <sys/mman.h>
+#include "memcheck.h"
+
+
+/* We need to know how to align blocks of data for general use. I'm not sure
+how to get an alignment factor in general. In the current world, a value of 8
+is probably right, and this is sizeof(double) on some systems and sizeof(void
+*) on others, so take the larger of those. Since everything in this expression
+is a constant, the compiler should optimize it to a simple constant wherever it
+appears (I checked that gcc does do this). */
+
+#define alignment \
+  (sizeof(void *) > sizeof(double) ? sizeof(void *) : sizeof(double))
+
+/* store_reset() will not free the following block if the last used block has
+less than this much left in it. */
+
+#define STOREPOOL_MIN_SIZE 256
+
+/* Structure describing the beginning of each big block. */
+
+typedef struct storeblock {
+  struct storeblock *next;
+  size_t length;
+} storeblock;
+
+/* Pool descriptor struct */
+
+typedef struct pooldesc {
+  storeblock *	chainbase;		/* list of blocks in pool */
+  storeblock *	current_block;		/* top block, still with free space */
+  void *	next_yield;		/* next allocation point */
+  int		yield_length;		/* remaining space in current block */
+  unsigned	store_block_order;	/* log2(size) block allocation size */
+
+  /* This variable is set by store_get() to its yield, and by store_reset() to
+  NULL. This enables string_cat() to optimize its store handling for very long
+  strings. That's why the variable is global. */
+
+  void *	store_last_get;
+
+  /* These are purely for stats-gathering */
+
+  int		nbytes;
+  int		maxbytes;
+  int		nblocks;
+  int		maxblocks;
+  unsigned	maxorder;
+} pooldesc;
+
+/* Enhanced pool descriptor for quoted pools */
+
+typedef struct quoted_pooldesc {
+  pooldesc			pool;
+  unsigned			quoter;
+  struct quoted_pooldesc *	next;
+} quoted_pooldesc;
+
+/* Just in case we find ourselves on a system where the structure above has a
+length that is not a multiple of the alignment, set up a macro for the padded
+length. */
+
+#define ALIGNED_SIZEOF_STOREBLOCK \
+  (((sizeof(storeblock) + alignment - 1) / alignment) * alignment)
+
+/* Size of block to get from malloc to carve up into smaller ones. This
+must be a multiple of the alignment. We assume that 4096 is going to be
+suitably aligned.  Double the size per-pool for every malloc, to mitigate
+certain denial-of-service attacks.  Don't bother to decrease on block frees.
+We waste average half the current alloc size per pool.  This could be several
+hundred kB now, vs. 4kB with a constant-size block size.  But the search time
+for is_tainted(), linear in the number of blocks for the pool, is O(n log n)
+rather than O(n^2).
+A test of 2000 RCPTs and just accept ACL had 370kB in 21 blocks before,
+504kB in 6 blocks now, for the untainted-main (largest) pool.
+Builds for restricted-memory system can disable the expansion by
+defining RESTRICTED_MEMORY */
+/*XXX should we allow any for malloc's own overhead?  But how much? */
+
+/* #define RESTRICTED_MEMORY */
+#define STORE_BLOCK_SIZE(order) ((1U << (order)) - ALIGNED_SIZEOF_STOREBLOCK)
+
+/* Variables holding data for the local pools of store. The current pool number
+is held in store_pool, which is global so that it can be changed from outside.
+Setting the initial length values to -1 forces a malloc for the first call,
+even if the length is zero (which is used for getting a point to reset to). */
+
+int store_pool = POOL_MAIN;
+
+pooldesc paired_pools[N_PAIRED_POOLS];
+quoted_pooldesc * quoted_pools = NULL;
+
+static int n_nonpool_blocks;	/* current number of direct store_malloc() blocks */
+static int max_nonpool_blocks;
+static int max_pool_malloc;	/* max value for pool_malloc */
+static int max_nonpool_malloc;	/* max value for nonpool_malloc */
+
+/* pool_malloc holds the amount of memory used by the store pools; this goes up
+and down as store is reset or released. nonpool_malloc is the total got by
+malloc from other calls; this doesn't go down because it is just freed by
+pointer. */
+
+static int pool_malloc;
+static int nonpool_malloc;
+
+
+#ifndef COMPILE_UTILITY
+static const uschar * pooluse[N_PAIRED_POOLS] = {
+[POOL_MAIN] =		US"main",
+[POOL_PERM] =		US"perm",
+[POOL_CONFIG] =		US"config",
+[POOL_SEARCH] =		US"search",
+[POOL_MESSAGE] =	US"message",
+[POOL_TAINT_MAIN] =	US"main",
+[POOL_TAINT_PERM] =	US"perm",
+[POOL_TAINT_CONFIG] =	US"config",
+[POOL_TAINT_SEARCH] =	US"search",
+[POOL_TAINT_MESSAGE] =	US"message",
+};
+static const uschar * poolclass[N_PAIRED_POOLS] = {
+[POOL_MAIN] =		US"untainted",
+[POOL_PERM] =		US"untainted",
+[POOL_CONFIG] =		US"untainted",
+[POOL_SEARCH] =		US"untainted",
+[POOL_MESSAGE] =	US"untainted",
+[POOL_TAINT_MAIN] =	US"tainted",
+[POOL_TAINT_PERM] =	US"tainted",
+[POOL_TAINT_CONFIG] =	US"tainted",
+[POOL_TAINT_SEARCH] =	US"tainted",
+[POOL_TAINT_MESSAGE] =	US"tainted",
+};
+#endif
+
+
+static void * internal_store_malloc(size_t, const char *, int);
+static void   internal_store_free(void *, const char *, int linenumber);
+
+/******************************************************************************/
+
+static void
+pool_init(pooldesc * pp)
+{
+memset(pp, 0, sizeof(*pp));
+pp->yield_length = -1;
+pp->store_block_order = 12; /* log2(allocation_size) ie. 4kB */
+}
+
+/* Initialisation, for things fragile with parameter channges when using
+static initialisers. */
+
+void
+store_init(void)
+{
+for (pooldesc * pp = paired_pools; pp < paired_pools + N_PAIRED_POOLS; pp++)
+  pool_init(pp);
+}
+
+/******************************************************************************/
+/* Locating elements given memory pointer */
+
+static BOOL
+is_pointer_in_block(const storeblock * b, const void * p)
+{
+uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK;
+return US p >= bc && US p < bc + b->length;
+}
+
+static pooldesc *
+pool_current_for_pointer(const void * p)
+{
+storeblock * b;
+
+for (quoted_pooldesc * qp = quoted_pools; qp; qp = qp->next)
+  if ((b = qp->pool.current_block) && is_pointer_in_block(b, p))
+    return &qp->pool;
+
+for (pooldesc * pp = paired_pools; pp < paired_pools + N_PAIRED_POOLS; pp++)
+  if ((b = pp->current_block) && is_pointer_in_block(b, p))
+    return pp;
+return NULL;
+}
+
+static pooldesc *
+pool_for_pointer(const void * p, const char * func, int linenumber)
+{
+pooldesc * pp;
+storeblock * b;
+
+if ((pp = pool_current_for_pointer(p))) return pp;
+
+for (quoted_pooldesc * qp = quoted_pools; qp; qp = qp->next)
+  for (b = qp->pool.chainbase; b; b = b->next)
+    if (is_pointer_in_block(b, p)) return &qp->pool;
+
+for (pp = paired_pools; pp < paired_pools + N_PAIRED_POOLS; pp++)
+  for (b = pp->chainbase; b; b = b->next)
+    if (is_pointer_in_block(b, p)) return pp;
+
+log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+  "bad memory reference; pool not found, at %s %d", func, linenumber);
+return NULL;
+}
+
+/******************************************************************************/
+/* Test if a pointer refers to tainted memory.
+
+Slower version check, for use when platform intermixes malloc and mmap area
+addresses. Test against the current-block of all tainted pools first, then all
+blocks of all tainted pools.
+
+Return: TRUE iff tainted
+*/
+
+BOOL
+is_tainted_fn(const void * p)
+{
+storeblock * b;
+
+if (p == GET_UNTAINTED) return FALSE;
+if (p == GET_TAINTED) return TRUE;
+
+for (pooldesc * pp = paired_pools + POOL_TAINT_BASE;
+     pp < paired_pools + N_PAIRED_POOLS; pp++)
+  if ((b = pp->current_block))
+    if (is_pointer_in_block(b, p)) return TRUE;
+
+for (quoted_pooldesc * qp = quoted_pools; qp; qp = qp->next)
+  if (b = qp->pool.current_block)
+    if (is_pointer_in_block(b, p)) return TRUE;
+
+for (pooldesc * pp = paired_pools + POOL_TAINT_BASE;
+     pp < paired_pools + N_PAIRED_POOLS; pp++)
+  for (b = pp->chainbase; b; b = b->next)
+    if (is_pointer_in_block(b, p)) return TRUE;
+
+for (quoted_pooldesc * qp = quoted_pools; qp; qp = qp->next)
+  for (b = qp->pool.chainbase; b; b = b->next)
+    if (is_pointer_in_block(b, p)) return TRUE;
+
+return FALSE;
+}
+
+
+void
+die_tainted(const uschar * msg, const uschar * func, int line)
+{
+log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Taint mismatch, %s: %s %d\n",
+	msg, func, line);
+}
+
+
+#ifndef COMPILE_UTILITY
+/* Return the pool for the given quoter, or null */
+
+static pooldesc *
+pool_for_quoter(unsigned quoter)
+{
+for (quoted_pooldesc * qp = quoted_pools; qp; qp = qp->next)
+  if (qp->quoter == quoter)
+    return &qp->pool;
+return NULL;
+}
+
+/* Allocate/init a new quoted-pool and return the pool */
+
+static pooldesc *
+quoted_pool_new(unsigned quoter)
+{
+// debug_printf("allocating quoted-pool\n");
+quoted_pooldesc * qp = store_get_perm(sizeof(quoted_pooldesc), GET_UNTAINTED);
+
+pool_init(&qp->pool);
+qp->quoter = quoter;
+qp->next = quoted_pools;
+quoted_pools = qp;
+return &qp->pool;
+}
+#endif
+
+
+/******************************************************************************/
+void
+store_writeprotect(int pool)
+{
+#if !defined(COMPILE_UTILITY) && !defined(MISSING_POSIX_MEMALIGN)
+for (storeblock * b =  paired_pools[pool].chainbase; b; b = b->next)
+  if (mprotect(b, ALIGNED_SIZEOF_STOREBLOCK + b->length, PROT_READ) != 0)
+    DEBUG(D_any) debug_printf("config block mprotect: (%d) %s\n", errno, strerror(errno));
+#endif
+}
+
+/******************************************************************************/
+
+static void *
+pool_get(pooldesc * pp, int size, BOOL align_mem, const char * func, int linenumber)
+{
+/* Ensure we've been asked to allocate memory.
+A negative size is a sign of a security problem.
+A zero size might be also suspect, but our internal usage deliberately
+does this to return a current watermark value for a later release of
+allocated store. */
+
+if (size < 0 || size >= INT_MAX/2)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+            "bad memory allocation requested (%d bytes) from %s %d",
+            size, func, linenumber);
+
+/* Round up the size to a multiple of the alignment. Although this looks a
+messy statement, because "alignment" is a constant expression, the compiler can
+do a reasonable job of optimizing, especially if the value of "alignment" is a
+power of two. I checked this with -O2, and gcc did very well, compiling it to 4
+instructions on a Sparc (alignment = 8). */
+
+if (size % alignment != 0) size += alignment - (size % alignment);
+
+/* If there isn't room in the current block, get a new one. The minimum
+size is STORE_BLOCK_SIZE, and we would expect this to be the norm, since
+these functions are mostly called for small amounts of store. */
+
+if (size > pp->yield_length)
+  {
+  int length = MAX(
+	  STORE_BLOCK_SIZE(pp->store_block_order) - ALIGNED_SIZEOF_STOREBLOCK,
+	  size);
+  int mlength = length + ALIGNED_SIZEOF_STOREBLOCK;
+  storeblock * newblock;
+
+  /* Sometimes store_reset() may leave a block for us; check if we can use it */
+
+  if (  (newblock = pp->current_block)
+     && (newblock = newblock->next)
+     && newblock->length < length
+     )
+    {
+    /* Give up on this block, because it's too small */
+    pp->nblocks--;
+    internal_store_free(newblock, func, linenumber);
+    newblock = NULL;
+    }
+
+  /* If there was no free block, get a new one */
+
+  if (!newblock)
+    {
+    if ((pp->nbytes += mlength) > pp->maxbytes)
+      pp->maxbytes = pp->nbytes;
+    if ((pool_malloc += mlength) > max_pool_malloc)	/* Used in pools */
+      max_pool_malloc = pool_malloc;
+    nonpool_malloc -= mlength;			/* Exclude from overall total */
+    if (++pp->nblocks > pp->maxblocks)
+      pp->maxblocks = pp->nblocks;
+
+#ifndef MISSING_POSIX_MEMALIGN
+    if (align_mem)
+      {
+      long pgsize = sysconf(_SC_PAGESIZE);
+      int err = posix_memalign((void **)&newblock,
+				pgsize, (mlength + pgsize - 1) & ~(pgsize - 1));
+      if (err)
+	log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+	  "failed to alloc (using posix_memalign) %d bytes of memory: '%s'"
+	  "called from line %d in %s",
+	  size, strerror(err), linenumber, func);
+      }
+    else
+#endif
+      newblock = internal_store_malloc(mlength, func, linenumber);
+    newblock->next = NULL;
+    newblock->length = length;
+#ifndef RESTRICTED_MEMORY
+    if (pp->store_block_order++ > pp->maxorder)
+      pp->maxorder = pp->store_block_order;
+#endif
+
+    if (! pp->chainbase)
+       pp->chainbase = newblock;
+    else
+      pp->current_block->next = newblock;
+    }
+
+  pp->current_block = newblock;
+  pp->yield_length = newblock->length;
+  pp->next_yield =
+    (void *)(CS pp->current_block + ALIGNED_SIZEOF_STOREBLOCK);
+  (void) VALGRIND_MAKE_MEM_NOACCESS(pp->next_yield, pp->yield_length);
+  }
+
+/* There's (now) enough room in the current block; the yield is the next
+pointer. */
+
+pp->store_last_get = pp->next_yield;
+
+(void) VALGRIND_MAKE_MEM_UNDEFINED(pp->store_last_get, size);
+/* Update next pointer and number of bytes left in the current block. */
+
+pp->next_yield = (void *)(CS pp->next_yield + size);
+pp->yield_length -= size;
+return pp->store_last_get;
+}
+
+/*************************************************
+*       Get a block from the current pool        *
+*************************************************/
+
+/* Running out of store is a total disaster. This function is called via the
+macro store_get(). The current store_pool is used, adjusting for taint.
+If the protoype is quoted, use a quoted-pool.
+Return a block of store within the current big block of the pool, getting a new
+one if necessary. The address is saved in store_last_get for the pool.
+
+Arguments:
+  size        amount wanted, bytes
+  proto_mem   class: get store conformant to this
+		Special values: 0 forces untainted, 1 forces tainted
+  func        function from which called
+  linenumber  line number in source file
+
+Returns:      pointer to store (panic on malloc failure)
+*/
+
+void *
+store_get_3(int size, const void * proto_mem, const char * func, int linenumber)
+{
+#ifndef COMPILE_UTILITY
+int quoter = quoter_for_address(proto_mem);
+#endif
+pooldesc * pp;
+void * yield;
+
+#ifndef COMPILE_UTILITY
+if (!is_real_quoter(quoter))
+#endif
+  {
+  BOOL tainted = is_tainted(proto_mem);
+  int pool = tainted ? store_pool + POOL_TAINT_BASE : store_pool;
+  pp = paired_pools + pool;
+  yield = pool_get(pp, size, (pool == POOL_CONFIG), func, linenumber);
+
+  /* Cut out the debugging stuff for utilities, but stop picky compilers from
+  giving warnings. */
+
+#ifndef COMPILE_UTILITY
+  DEBUG(D_memory)
+    debug_printf("---%d Get %6p %5d %-14s %4d\n", pool,
+      pp->store_last_get, size, func, linenumber);
+#endif
+  }
+#ifndef COMPILE_UTILITY
+else
+  {
+  DEBUG(D_memory)
+    debug_printf("allocating quoted-block for quoter %u (from %s %d)\n",
+      quoter, func, linenumber);
+  if (!(pp = pool_for_quoter(quoter))) pp = quoted_pool_new(quoter);
+  yield = pool_get(pp, size, FALSE, func, linenumber);
+  DEBUG(D_memory)
+    debug_printf("---QQ Get %6p %5d %-14s %4d\n",
+      pp->store_last_get, size, func, linenumber);
+  }
+#endif
+return yield;
+}
+
+
+
+/*************************************************
+*       Get a block from the PERM pool           *
+*************************************************/
+
+/* This is just a convenience function, useful when just a single block is to
+be obtained.
+
+Arguments:
+  size        amount wanted
+  proto_mem   class: get store conformant to this
+  func        function from which called
+  linenumber  line number in source file
+
+Returns:      pointer to store (panic on malloc failure)
+*/
+
+void *
+store_get_perm_3(int size, const void * proto_mem, const char * func, int linenumber)
+{
+void * yield;
+int old_pool = store_pool;
+store_pool = POOL_PERM;
+yield = store_get_3(size, proto_mem, func, linenumber);
+store_pool = old_pool;
+return yield;
+}
+
+
+#ifndef COMPILE_UTILITY
+/*************************************************
+*  Get a block annotated as being lookup-quoted  *
+*************************************************/
+
+/* Allocate from pool a pool consistent with the proto_mem augmented by the
+requested quoter type.
+
+XXX currently not handling mark/release
+
+Args:	size		number of bytes to allocate
+	quoter		id for the quoting type
+	func		caller, for debug
+	linenumber	caller, for debug
+
+Return:	allocated memory block
+*/
+
+static void *
+store_force_get_quoted(int size, unsigned quoter,
+  const char * func, int linenumber)
+{
+pooldesc * pp = pool_for_quoter(quoter);
+void * yield;
+
+DEBUG(D_memory)
+  debug_printf("allocating quoted-block for quoter %u (from %s %d)\n", quoter, func, linenumber);
+
+if (!pp) pp = quoted_pool_new(quoter);
+yield = pool_get(pp, size, FALSE, func, linenumber);
+
+DEBUG(D_memory)
+  debug_printf("---QQ Get %6p %5d %-14s %4d\n",
+    pp->store_last_get, size, func, linenumber);
+
+return yield;
+}
+
+/* Maybe get memory for the specified quoter, but only if the
+prototype memory is tainted. Otherwise, get plain memory.
+*/
+void *
+store_get_quoted_3(int size, const void * proto_mem, unsigned quoter,
+  const char * func, int linenumber)
+{
+// debug_printf("store_get_quoted_3: quoter %u\n", quoter);
+return is_tainted(proto_mem)
+  ? store_force_get_quoted(size, quoter, func, linenumber)
+  : store_get_3(size, proto_mem, func, linenumber);
+}
+
+/* Return quoter for given address, or -1 if not in a quoted-pool. */
+int
+quoter_for_address(const void * p)
+{
+for (quoted_pooldesc * qp = quoted_pools; qp; qp = qp->next)
+  {
+  pooldesc * pp = &qp->pool;
+  storeblock * b;
+
+  if (b = pp->current_block)
+    if (is_pointer_in_block(b, p))
+      return qp->quoter;
+
+  for (b = pp->chainbase; b; b = b->next)
+    if (is_pointer_in_block(b, p))
+      return qp->quoter;
+  }
+return -1;
+}
+
+/* Return TRUE iff the given address is quoted for the given type.
+There is extra complexity to handle lookup providers with multiple
+find variants but shared quote functions. */
+BOOL
+is_quoted_like(const void * p, unsigned quoter)
+{
+int pq = quoter_for_address(p);
+BOOL y =
+  is_real_quoter(pq) && lookup_list[pq]->quote == lookup_list[quoter]->quote;
+/* debug_printf("is_quoted(%p, %u): %c\n", p, quoter, y?'T':'F'); */
+return y;
+}
+
+/* Return TRUE if the quoter value indicates an actual quoter */
+BOOL
+is_real_quoter(int quoter)
+{
+return quoter >= 0;
+}
+
+/* Return TRUE if the "new" data requires that the "old" data
+be recopied to new-class memory.  We order the classes as
+
+  2: tainted, not quoted
+  1: quoted (which is also tainted)
+  0: untainted
+
+If the "new" is higher-order than the "old", they are not compatible
+and a copy is needed.  If both are quoted, but the quoters differ,
+not compatible.  Otherwise they are compatible.
+*/
+BOOL
+is_incompatible_fn(const void * old, const void * new)
+{
+int oq, nq;
+unsigned oi, ni;
+
+ni = is_real_quoter(nq = quoter_for_address(new)) ? 1 : is_tainted(new) ? 2 : 0;
+oi = is_real_quoter(oq = quoter_for_address(old)) ? 1 : is_tainted(old) ? 2 : 0;
+return ni > oi || ni == oi && nq != oq;
+}
+
+#endif	/*!COMPILE_UTILITY*/
+
+/*************************************************
+*      Extend a block if it is at the top        *
+*************************************************/
+
+/* While reading strings of unknown length, it is often the case that the
+string is being read into the block at the top of the stack. If it needs to be
+extended, it is more efficient just to extend within the top block rather than
+allocate a new block and then have to copy the data. This function is provided
+for the use of string_cat(), but of course can be used elsewhere too.
+The block itself is not expanded; only the top allocation from it.
+
+Arguments:
+  ptr        pointer to store block
+  oldsize    current size of the block, as requested by user
+  newsize    new size required
+  func       function from which called
+  linenumber line number in source file
+
+Returns:     TRUE if the block is at the top of the stack and has been
+             extended; FALSE if it isn't at the top of the stack, or cannot
+             be extended
+
+XXX needs extension for quoted-tracking.  This assumes that the global store_pool
+is the one to alloc from, which breaks with separated pools.
+*/
+
+BOOL
+store_extend_3(void * ptr, int oldsize, int newsize,
+   const char * func, int linenumber)
+{
+pooldesc * pp = pool_for_pointer(ptr, func, linenumber);
+int inc = newsize - oldsize;
+int rounded_oldsize = oldsize;
+
+if (oldsize < 0 || newsize < oldsize || newsize >= INT_MAX/2)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+            "bad memory extension requested (%d -> %d bytes) at %s %d",
+            oldsize, newsize, func, linenumber);
+
+if (rounded_oldsize % alignment != 0)
+  rounded_oldsize += alignment - (rounded_oldsize % alignment);
+
+if (CS ptr + rounded_oldsize != CS (pp->next_yield) ||
+    inc > pp->yield_length + rounded_oldsize - oldsize)
+  return FALSE;
+
+/* Cut out the debugging stuff for utilities, but stop picky compilers from
+giving warnings. */
+
+#ifndef COMPILE_UTILITY
+DEBUG(D_memory)
+  {
+  quoted_pooldesc * qp;
+  for (qp = quoted_pools; qp; qp = qp->next)
+    if (pp == &qp->pool)
+      {
+      debug_printf("---Q%d Ext %6p %5d %-14s %4d\n",
+	(int)(qp - quoted_pools),
+	ptr, newsize, func, linenumber);
+      break;
+      }
+  if (!qp)
+    debug_printf("---%d Ext %6p %5d %-14s %4d\n",
+      (int)(pp - paired_pools),
+      ptr, newsize, func, linenumber);
+  }
+#endif  /* COMPILE_UTILITY */
+
+if (newsize % alignment != 0) newsize += alignment - (newsize % alignment);
+pp->next_yield = CS ptr + newsize;
+pp->yield_length -= newsize - rounded_oldsize;
+(void) VALGRIND_MAKE_MEM_UNDEFINED(ptr + oldsize, inc);
+return TRUE;
+}
+
+
+
+
+static BOOL
+is_pwr2_size(int len)
+{
+unsigned x = len;
+return (x & (x - 1)) == 0;
+}
+
+
+/*************************************************
+*    Back up to a previous point on the stack    *
+*************************************************/
+
+/* This function resets the next pointer, freeing any subsequent whole blocks
+that are now unused. Call with a cookie obtained from store_mark() only; do
+not call with a pointer returned by store_get().  Both the untainted and tainted
+pools corresposding to store_pool are reset.
+
+Quoted pools are not handled.
+
+Arguments:
+  ptr         place to back up to
+  pool	      pool holding the pointer
+  func        function from which called
+  linenumber  line number in source file
+
+Returns:      nothing
+*/
+
+static void
+internal_store_reset(void * ptr, int pool, const char *func, int linenumber)
+{
+storeblock * bb;
+pooldesc * pp = paired_pools + pool;
+storeblock * b = pp->current_block;
+char * bc = CS b + ALIGNED_SIZEOF_STOREBLOCK;
+int newlength, count;
+#ifndef COMPILE_UTILITY
+int oldmalloc = pool_malloc;
+#endif
+
+if (!b) return;	/* exim_dumpdb gets this, becuse it has never used tainted mem */
+
+/* Last store operation was not a get */
+
+pp->store_last_get = NULL;
+
+/* See if the place is in the current block - as it often will be. Otherwise,
+search for the block in which it lies. */
+
+if (CS ptr < bc || CS ptr > bc + b->length)
+  {
+  for (b =  pp->chainbase; b; b = b->next)
+    {
+    bc = CS b + ALIGNED_SIZEOF_STOREBLOCK;
+    if (CS ptr >= bc && CS ptr <= bc + b->length) break;
+    }
+  if (!b)
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal error: store_reset(%p) "
+      "failed: pool=%d %-14s %4d", ptr, pool, func, linenumber);
+  }
+
+/* Back up, rounding to the alignment if necessary. When testing, flatten
+the released memory. */
+
+newlength = bc + b->length - CS ptr;
+#ifndef COMPILE_UTILITY
+if (debug_store)
+  {
+  assert_no_variables(ptr, newlength, func, linenumber);
+  if (f.running_in_test_harness)
+    {
+    (void) VALGRIND_MAKE_MEM_DEFINED(ptr, newlength);
+    memset(ptr, 0xF0, newlength);
+    }
+  }
+#endif
+(void) VALGRIND_MAKE_MEM_NOACCESS(ptr, newlength);
+pp->next_yield = CS ptr + (newlength % alignment);
+count = pp->yield_length;
+count = (pp->yield_length = newlength - (newlength % alignment)) - count;
+pp->current_block = b;
+
+/* Free any subsequent block. Do NOT free the first
+successor, if our current block has less than 256 bytes left. This should
+prevent us from flapping memory. However, keep this block only when it has
+a power-of-two size so probably is not a custom inflated one. */
+
+if (  pp->yield_length < STOREPOOL_MIN_SIZE
+   && b->next
+   && is_pwr2_size(b->next->length + ALIGNED_SIZEOF_STOREBLOCK))
+  {
+  b = b->next;
+#ifndef COMPILE_UTILITY
+  if (debug_store)
+    assert_no_variables(b, b->length + ALIGNED_SIZEOF_STOREBLOCK,
+			func, linenumber);
+#endif
+  (void) VALGRIND_MAKE_MEM_NOACCESS(CS b + ALIGNED_SIZEOF_STOREBLOCK,
+		b->length - ALIGNED_SIZEOF_STOREBLOCK);
+  }
+
+bb = b->next;
+if (pool != POOL_CONFIG)
+  b->next = NULL;
+
+while ((b = bb))
+  {
+  int siz = b->length + ALIGNED_SIZEOF_STOREBLOCK;
+
+#ifndef COMPILE_UTILITY
+  if (debug_store)
+    assert_no_variables(b, b->length + ALIGNED_SIZEOF_STOREBLOCK,
+			func, linenumber);
+#endif
+  bb = bb->next;
+  pp->nbytes -= siz;
+  pool_malloc -= siz;
+  pp->nblocks--;
+  if (pool != POOL_CONFIG)
+    internal_store_free(b, func, linenumber);
+
+#ifndef RESTRICTED_MEMORY
+  if (pp->store_block_order > 13) pp->store_block_order--;
+#endif
+  }
+
+/* Cut out the debugging stuff for utilities, but stop picky compilers from
+giving warnings. */
+
+#ifndef COMPILE_UTILITY
+DEBUG(D_memory)
+  debug_printf("---%d Rst %6p %5d %-14s %4d\tpool %d\n", pool, ptr,
+    count + oldmalloc - pool_malloc,
+    func, linenumber, pool_malloc);
+#endif  /* COMPILE_UTILITY */
+}
+
+
+/* Back up the pool pair, untainted and tainted, of the store_pool setting.
+Quoted pools are not handled.
+*/
+
+rmark
+store_reset_3(rmark r, const char * func, int linenumber)
+{
+void ** ptr = r;
+
+if (store_pool >= POOL_TAINT_BASE)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "store_reset called for pool %d: %s %d\n", store_pool, func, linenumber);
+if (!r)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "store_reset called with bad mark: %s %d\n", func, linenumber);
+
+internal_store_reset(*ptr, store_pool + POOL_TAINT_BASE, func, linenumber);
+internal_store_reset(ptr,  store_pool,		   func, linenumber);
+return NULL;
+}
+
+
+/**************/
+
+/* Free tail-end unused allocation.  This lets us allocate a big chunk
+early, for cases when we only discover later how much was really needed.
+
+Can be called with a value from store_get(), or an offset after such.  Only
+the tainted or untainted pool that serviced the store_get() will be affected.
+
+This is mostly a cut-down version of internal_store_reset().
+XXX needs rationalising
+*/
+
+void
+store_release_above_3(void * ptr, const char * func, int linenumber)
+{
+pooldesc * pp;
+
+/* Search all pools' "current" blocks.  If it isn't one of those,
+ignore it (it usually will be). */
+
+if ((pp = pool_current_for_pointer(ptr)))
+  {
+  storeblock * b = pp->current_block;
+  int count, newlength;
+
+  /* Last store operation was not a get */
+
+  pp->store_last_get = NULL;
+
+  /* Back up, rounding to the alignment if necessary. When testing, flatten
+  the released memory. */
+
+  newlength = (CS b + ALIGNED_SIZEOF_STOREBLOCK) + b->length - CS ptr;
+#ifndef COMPILE_UTILITY
+  if (debug_store)
+    {
+    assert_no_variables(ptr, newlength, func, linenumber);
+    if (f.running_in_test_harness)
+      {
+      (void) VALGRIND_MAKE_MEM_DEFINED(ptr, newlength);
+      memset(ptr, 0xF0, newlength);
+      }
+    }
+#endif
+  (void) VALGRIND_MAKE_MEM_NOACCESS(ptr, newlength);
+  pp->next_yield = CS ptr + (newlength % alignment);
+  count = pp->yield_length;
+  count = (pp->yield_length = newlength - (newlength % alignment)) - count;
+
+  /* Cut out the debugging stuff for utilities, but stop picky compilers from
+  giving warnings. */
+
+#ifndef COMPILE_UTILITY
+  DEBUG(D_memory)
+    {
+    quoted_pooldesc * qp;
+    for (qp = quoted_pools; qp; qp = qp->next)
+      if (pp == &qp->pool)
+	debug_printf("---Q%d Rel %6p %5d %-14s %4d\tpool %d\n",
+	  (int)(qp - quoted_pools),
+	  ptr, count, func, linenumber, pool_malloc);
+    if (!qp)
+      debug_printf("---%d Rel %6p %5d %-14s %4d\tpool %d\n",
+	(int)(pp - paired_pools), ptr, count,
+	func, linenumber, pool_malloc);
+    }
+#endif
+  return;
+  }
+#ifndef COMPILE_UTILITY
+DEBUG(D_memory)
+  debug_printf("non-last memory release try: %s %d\n", func, linenumber);
+#endif
+}
+
+
+
+rmark
+store_mark_3(const char * func, int linenumber)
+{
+void ** p;
+
+#ifndef COMPILE_UTILITY
+DEBUG(D_memory)
+  debug_printf("---%d Mrk                    %-14s %4d\tpool %d\n",
+    store_pool, func, linenumber, pool_malloc);
+#endif  /* COMPILE_UTILITY */
+
+if (store_pool >= POOL_TAINT_BASE)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "store_mark called for pool %d: %s %d\n", store_pool, func, linenumber);
+
+/* Stash a mark for the tainted-twin release, in the untainted twin. Return
+a cookie (actually the address in the untainted pool) to the caller.
+Reset uses the cookie to recover the t-mark, winds back the tainted pool with it
+and winds back the untainted pool with the cookie. */
+
+p = store_get_3(sizeof(void *), GET_UNTAINTED, func, linenumber);
+*p = store_get_3(0, GET_TAINTED, func, linenumber);
+return p;
+}
+
+
+
+
+/************************************************
+*             Release store                     *
+************************************************/
+
+/* This function checks that the pointer it is given is the first thing in a
+block, and if so, releases that block.
+
+Arguments:
+  block       block of store to consider
+  pp	      pool containing the block
+  func        function from which called
+  linenumber  line number in source file
+
+Returns:      nothing
+*/
+
+static void
+store_release_3(void * block, pooldesc * pp, const char * func, int linenumber)
+{
+/* It will never be the first block, so no need to check that. */
+
+for (storeblock * b =  pp->chainbase; b; b = b->next)
+  {
+  storeblock * bb = b->next;
+  if (bb && CS block == CS bb + ALIGNED_SIZEOF_STOREBLOCK)
+    {
+    int siz = bb->length + ALIGNED_SIZEOF_STOREBLOCK;
+    b->next = bb->next;
+    pp->nbytes -= siz;
+    pool_malloc -= siz;
+    pp->nblocks--;
+
+    /* Cut out the debugging stuff for utilities, but stop picky compilers
+    from giving warnings. */
+
+#ifndef COMPILE_UTILITY
+    DEBUG(D_memory)
+      debug_printf("-Release %6p %-20s %4d %d\n", (void *)bb, func,
+	linenumber, pool_malloc);
+
+    if (f.running_in_test_harness)
+      memset(bb, 0xF0, bb->length+ALIGNED_SIZEOF_STOREBLOCK);
+#endif  /* COMPILE_UTILITY */
+
+    internal_store_free(bb, func, linenumber);
+    return;
+    }
+  }
+}
+
+
+/************************************************
+*             Move store                        *
+************************************************/
+
+/* Allocate a new block big enough to expend to the given size and
+copy the current data into it.  Free the old one if possible.
+
+This function is specifically provided for use when reading very
+long strings, e.g. header lines. When the string gets longer than a
+complete block, it gets copied to a new block. It is helpful to free
+the old block iff the previous copy of the string is at its start,
+and therefore the only thing in it. Otherwise, for very long strings,
+dead store can pile up somewhat disastrously. This function checks that
+the pointer it is given is the first thing in a block, and that nothing
+has been allocated since. If so, releases that block.
+
+Arguments:
+  oldblock
+  newsize	requested size
+  len		current size
+
+Returns:	new location of data
+*/
+
+void *
+store_newblock_3(void * oldblock, int newsize, int len,
+  const char * func, int linenumber)
+{
+pooldesc * pp = pool_for_pointer(oldblock, func, linenumber);
+BOOL release_ok = !is_tainted(oldblock) && pp->store_last_get == oldblock;		/*XXX why tainted not handled? */
+uschar * newblock;
+
+if (len < 0 || len > newsize)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+            "bad memory extension requested (%d -> %d bytes) at %s %d",
+            len, newsize, func, linenumber);
+
+newblock = store_get(newsize, oldblock);
+memcpy(newblock, oldblock, len);
+if (release_ok) store_release_3(oldblock, pp, func, linenumber);
+return (void *)newblock;
+}
+
+
+
+
+/*************************************************
+*                Malloc store                    *
+*************************************************/
+
+/* Running out of store is a total disaster for exim. Some malloc functions
+do not run happily on very small sizes, nor do they document this fact. This
+function is called via the macro store_malloc().
+
+Arguments:
+  size        amount of store wanted
+  func        function from which called
+  line	      line number in source file
+
+Returns:      pointer to gotten store (panic on failure)
+*/
+
+static void *
+internal_store_malloc(size_t size, const char *func, int line)
+{
+void * yield;
+
+/* Check specifically for a possibly result of conversion from
+a negative int, to the (unsigned, wider) size_t */
+
+if (size >= INT_MAX/2)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "bad internal_store_malloc request (" SIZE_T_FMT " bytes) from %s %d",
+    size, func, line);
+
+size += sizeof(size_t);	/* space to store the size, used under debug */
+if (size < 16) size = 16;
+
+if (!(yield = malloc(size)))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to malloc " SIZE_T_FMT " bytes of memory: "
+    "called from line %d in %s", size, line, func);
+
+#ifndef COMPILE_UTILITY
+DEBUG(D_any) *(size_t *)yield = size;
+#endif
+yield = US yield + sizeof(size_t);
+
+if ((nonpool_malloc += size) > max_nonpool_malloc)
+  max_nonpool_malloc = nonpool_malloc;
+
+/* Cut out the debugging stuff for utilities, but stop picky compilers from
+giving warnings. */
+
+#ifndef COMPILE_UTILITY
+/* If running in test harness, spend time making sure all the new store
+is not filled with zeros so as to catch problems. */
+
+if (f.running_in_test_harness)
+  memset(yield, 0xF0, size - sizeof(size_t));
+DEBUG(D_memory) debug_printf("--Malloc %6p %5lu bytes\t%-20s %4d\tpool %5d  nonpool %5d\n",
+  yield, size, func, line, pool_malloc, nonpool_malloc);
+#endif  /* COMPILE_UTILITY */
+
+return yield;
+}
+
+void *
+store_malloc_3(size_t size, const char *func, int linenumber)
+{
+if (n_nonpool_blocks++ > max_nonpool_blocks)
+  max_nonpool_blocks = n_nonpool_blocks;
+return internal_store_malloc(size, func, linenumber);
+}
+
+
+/************************************************
+*             Free store                        *
+************************************************/
+
+/* This function is called by the macro store_free().
+
+Arguments:
+  block       block of store to free
+  func        function from which called
+  linenumber  line number in source file
+
+Returns:      nothing
+*/
+
+static void
+internal_store_free(void * block, const char * func, int linenumber)
+{
+uschar * p = US block - sizeof(size_t);
+#ifndef COMPILE_UTILITY
+DEBUG(D_any) nonpool_malloc -= *(size_t *)p;
+DEBUG(D_memory) debug_printf("----Free %6p %5ld bytes\t%-20s %4d\n",
+		    block, *(size_t *)p, func, linenumber);
+#endif
+free(p);
+}
+
+void
+store_free_3(void * block, const char * func, int linenumber)
+{
+n_nonpool_blocks--;
+internal_store_free(block, func, linenumber);
+}
+
+/******************************************************************************/
+/* Stats output on process exit */
+void
+store_exit(void)
+{
+#ifndef COMPILE_UTILITY
+DEBUG(D_memory)
+ {
+ int i;
+ debug_printf("----Exit nonpool max: %3d kB in %d blocks\n",
+  (max_nonpool_malloc+1023)/1024, max_nonpool_blocks);
+ debug_printf("----Exit npools  max: %3d kB\n", max_pool_malloc/1024);
+
+ for (i = 0; i < N_PAIRED_POOLS; i++)
+   {
+   pooldesc * pp = paired_pools + i;
+   debug_printf("----Exit  pool %2d max: %3d kB in %d blocks at order %u\t%s %s\n",
+    i, (pp->maxbytes+1023)/1024, pp->maxblocks, pp->maxorder,
+    poolclass[i], pooluse[i]);
+   }
+ i = 0;
+ for (quoted_pooldesc * qp = quoted_pools; qp; i++, qp = qp->next)
+   {
+   pooldesc * pp = &qp->pool;
+   debug_printf("----Exit  pool Q%d max: %3d kB in %d blocks at order %u\ttainted quoted:%s\n",
+    i, (pp->maxbytes+1023)/1024, pp->maxblocks, pp->maxorder, lookup_list[qp->quoter]->name);
+   }
+ }
+#endif
+}
+
+
+/******************************************************************************/
+/* Per-message pool management */
+
+static rmark   message_reset_point    = NULL;
+
+void
+message_start(void)
+{
+int oldpool = store_pool;
+store_pool = POOL_MESSAGE;
+if (!message_reset_point) message_reset_point = store_mark();
+store_pool = oldpool;
+}
+
+void
+message_tidyup(void)
+{
+int oldpool;
+if (!message_reset_point) return;
+oldpool = store_pool;
+store_pool = POOL_MESSAGE;
+message_reset_point = store_reset(message_reset_point);
+store_pool = oldpool;
+}
+
+/******************************************************************************/
+/* Debug analysis of address */
+
+#ifndef COMPILE_UTILITY
+void
+debug_print_taint(const void * p)
+{
+int q = quoter_for_address(p);
+if (!is_tainted(p)) return;
+debug_printf("(tainted");
+if (is_real_quoter(q)) debug_printf(", quoted:%s", lookup_list[q]->name);
+debug_printf(")\n");
+}
+#endif
+
+/* End of store.c */
diff --git a/src/store.h b/src/store.h
new file mode 100644
index 0000000..ee6d79c
--- /dev/null
+++ b/src/store.h
@@ -0,0 +1,89 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Header for Exim's memory allocation functions */
+
+#ifndef STORE_H
+#define STORE_H
+
+/* Define symbols for identifying the store pools. */
+
+enum { POOL_MAIN,
+       POOL_PERM,
+       POOL_CONFIG,
+       POOL_SEARCH,
+       POOL_MESSAGE,
+
+       POOL_TAINT_BASE,
+
+       POOL_TAINT_MAIN = POOL_TAINT_BASE,
+       POOL_TAINT_PERM,
+       POOL_TAINT_CONFIG,
+       POOL_TAINT_SEARCH,
+       POOL_TAINT_MESSAGE,
+
+       N_PAIRED_POOLS
+};
+
+/* This variable (the one for the current pool) is set by store_get() to its
+yield, and by store_reset() to NULL. This allows string_cat() to optimize its
+store handling. */
+
+extern void * store_last_get[];
+
+/* This variable contains the current store pool number. */
+
+extern int store_pool;
+
+/* Macros for calling the memory allocation routines with
+tracing information for debugging. */
+
+#define store_extend(addr, old, new) \
+  store_extend_3(addr, old, new, __FUNCTION__, __LINE__)
+
+#define store_free(addr) \
+	store_free_3(addr, __FUNCTION__, __LINE__)
+/* store_get & store_get_perm are in local_scan.h */
+#define store_get_quoted(size, proto_mem, quoter) \
+	store_get_quoted_3((size), (proto_mem), (quoter), __FUNCTION__, __LINE__)
+#define store_malloc(size) \
+	store_malloc_3(size, __FUNCTION__, __LINE__)
+#define store_mark(void) \
+	store_mark_3(__FUNCTION__, __LINE__)
+#define store_newblock(oldblock, newsize, datalen) \
+	store_newblock_3(oldblock, newsize, datalen, __FUNCTION__, __LINE__)
+#define store_release_above(addr) \
+	store_release_above_3(addr, __FUNCTION__, __LINE__)
+#define store_reset(mark) \
+	store_reset_3(mark, __FUNCTION__, __LINE__)
+
+
+/* The real functions */
+typedef void ** rmark;
+
+extern BOOL    store_extend_3(void *, int, int, const char *, int);
+extern void    store_free_3(void *, const char *, int);
+/* store_get_3 & store_get_perm_3 are in local_scan.h */
+extern void *  store_get_quoted_3(int, const void *, unsigned, const char *, int);
+extern void *  store_malloc_3(size_t, const char *, int)		ALLOC ALLOC_SIZE(1) WARN_UNUSED_RESULT;
+extern rmark   store_mark_3(const char *, int);
+extern void *  store_newblock_3(void *, int, int, const char *, int);
+extern void    store_release_above_3(void *, const char *, int);
+extern rmark   store_reset_3(rmark, const char *, int);
+
+#define GET_UNTAINTED	(const void *)0
+#define GET_TAINTED	(const void *)1
+
+extern int	quoter_for_address(const void *);
+extern BOOL	is_quoted_like(const void *, unsigned);
+extern BOOL	is_real_quoter(int);
+extern void	debug_print_taint(const void * p);
+
+#endif  /* STORE_H */
+
+/* End of store.h */
diff --git a/src/string.c b/src/string.c
new file mode 100644
index 0000000..a5161bb
--- /dev/null
+++ b/src/string.c
@@ -0,0 +1,1859 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Miscellaneous string-handling functions. Some are not required for
+utilities and tests, and are cut out by the COMPILE_UTILITY macro. */
+
+
+#include "exim.h"
+#include <assert.h>
+
+
+#ifndef COMPILE_UTILITY
+/*************************************************
+*            Test for IP address                 *
+*************************************************/
+
+/* This used just to be a regular expression, but with IPv6 things are a bit
+more complicated. If the address contains a colon, it is assumed to be a v6
+address (assuming HAVE_IPV6 is set). If a mask is permitted and one is present,
+and maskptr is not NULL, its offset is placed there.
+
+Arguments:
+  s         a string
+  maskptr   NULL if no mask is permitted to follow
+            otherwise, points to an int where the offset of '/' is placed
+            if there is no / followed by trailing digits, *maskptr is set 0
+
+Returns:    0 if the string is not a textual representation of an IP address
+            4 if it is an IPv4 address
+            6 if it is an IPv6 address
+*/
+
+int
+string_is_ip_address(const uschar *s, int *maskptr)
+{
+int yield = 4;
+
+/* If an optional mask is permitted, check for it. If found, pass back the
+offset. */
+
+if (maskptr)
+  {
+  const uschar *ss = s + Ustrlen(s);
+  *maskptr = 0;
+  if (s != ss && isdigit(*(--ss)))
+    {
+    while (ss > s && isdigit(ss[-1])) ss--;
+    if (ss > s && *(--ss) == '/') *maskptr = ss - s;
+    }
+  }
+
+/* A colon anywhere in the string => IPv6 address */
+
+if (Ustrchr(s, ':') != NULL)
+  {
+  BOOL had_double_colon = FALSE;
+  BOOL v4end = FALSE;
+
+  yield = 6;
+
+  /* An IPv6 address must start with hex digit or double colon. A single
+  colon is invalid. */
+
+  if (*s == ':' && *(++s) != ':') return 0;
+
+  /* Now read up to 8 components consisting of up to 4 hex digits each. There
+  may be one and only one appearance of double colon, which implies any number
+  of binary zero bits. The number of preceding components is held in count. */
+
+  for (int count = 0; count < 8; count++)
+    {
+    /* If the end of the string is reached before reading 8 components, the
+    address is valid provided a double colon has been read. This also applies
+    if we hit the / that introduces a mask or the % that introduces the
+    interface specifier (scope id) of a link-local address. */
+
+    if (*s == 0 || *s == '%' || *s == '/') return had_double_colon ? yield : 0;
+
+    /* If a component starts with an additional colon, we have hit a double
+    colon. This is permitted to appear once only, and counts as at least
+    one component. The final component may be of this form. */
+
+    if (*s == ':')
+      {
+      if (had_double_colon) return 0;
+      had_double_colon = TRUE;
+      s++;
+      continue;
+      }
+
+    /* If the remainder of the string contains a dot but no colons, we
+    can expect a trailing IPv4 address. This is valid if either there has
+    been no double-colon and this is the 7th component (with the IPv4 address
+    being the 7th & 8th components), OR if there has been a double-colon
+    and fewer than 6 components. */
+
+    if (Ustrchr(s, ':') == NULL && Ustrchr(s, '.') != NULL)
+      {
+      if ((!had_double_colon && count != 6) ||
+          (had_double_colon && count > 6)) return 0;
+      v4end = TRUE;
+      yield = 6;
+      break;
+      }
+
+    /* Check for at least one and not more than 4 hex digits for this
+    component. */
+
+    if (!isxdigit(*s++)) return 0;
+    if (isxdigit(*s) && isxdigit(*(++s)) && isxdigit(*(++s))) s++;
+
+    /* If the component is terminated by colon and there is more to
+    follow, skip over the colon. If there is no more to follow the address is
+    invalid. */
+
+    if (*s == ':' && *(++s) == 0) return 0;
+    }
+
+  /* If about to handle a trailing IPv4 address, drop through. Otherwise
+  all is well if we are at the end of the string or at the mask or at a percent
+  sign, which introduces the interface specifier (scope id) of a link local
+  address. */
+
+  if (!v4end)
+    return (*s == 0 || *s == '%' ||
+           (*s == '/' && maskptr != NULL && *maskptr != 0))? yield : 0;
+  }
+
+/* Test for IPv4 address, which may be the tail-end of an IPv6 address. */
+
+for (int i = 0; i < 4; i++)
+  {
+  long n;
+  uschar * end;
+
+  if (i != 0 && *s++ != '.') return 0;
+  n = strtol(CCS s, CSS &end, 10);
+  if (n > 255 || n < 0 || end <= s || end > s+3) return 0;
+  s = end;
+  }
+
+return !*s || (*s == '/' && maskptr && *maskptr != 0) ? yield : 0;
+}
+#endif  /* COMPILE_UTILITY */
+
+
+/*************************************************
+*              Format message size               *
+*************************************************/
+
+/* Convert a message size in bytes to printing form, rounding
+according to the magnitude of the number. A value of zero causes
+a string of spaces to be returned.
+
+Arguments:
+  size        the message size in bytes
+  buffer      where to put the answer
+
+Returns:      pointer to the buffer
+              a string of exactly 5 characters is normally returned
+*/
+
+uschar *
+string_format_size(int size, uschar *buffer)
+{
+if (size == 0) Ustrcpy(buffer, US"     ");
+else if (size < 1024) sprintf(CS buffer, "%5d", size);
+else if (size < 10*1024)
+  sprintf(CS buffer, "%4.1fK", (double)size / 1024.0);
+else if (size < 1024*1024)
+  sprintf(CS buffer, "%4dK", (size + 512)/1024);
+else if (size < 10*1024*1024)
+  sprintf(CS buffer, "%4.1fM", (double)size / (1024.0 * 1024.0));
+else
+  sprintf(CS buffer, "%4dM", (size + 512 * 1024)/(1024*1024));
+return buffer;
+}
+
+
+
+#ifndef COMPILE_UTILITY
+/*************************************************
+*       Convert a number to base 62 format       *
+*************************************************/
+
+/* Convert a long integer into an ASCII base 62 string. For Cygwin the value of
+BASE_62 is actually 36. Always return exactly 6 characters plus zero, in a
+static area.
+
+Argument: a long integer
+Returns:  pointer to base 62 string
+*/
+
+uschar *
+string_base62(unsigned long int value)
+{
+static uschar yield[7];
+uschar *p = yield + sizeof(yield) - 1;
+*p = 0;
+while (p > yield)
+  {
+  *(--p) = base62_chars[value % BASE_62];
+  value /= BASE_62;
+  }
+return yield;
+}
+#endif  /* COMPILE_UTILITY */
+
+
+
+/*************************************************
+*          Interpret escape sequence             *
+*************************************************/
+
+/* This function is called from several places where escape sequences are to be
+interpreted in strings.
+
+Arguments:
+  pp       points a pointer to the initiating "\" in the string;
+           the pointer gets updated to point to the final character
+           If the backslash is the last character in the string, it
+           is not interpreted.
+Returns:   the value of the character escape
+*/
+
+int
+string_interpret_escape(const uschar **pp)
+{
+#ifdef COMPILE_UTILITY
+const uschar *hex_digits= CUS"0123456789abcdef";
+#endif
+int ch;
+const uschar *p = *pp;
+ch = *(++p);
+if (ch == '\0') return **pp;
+if (isdigit(ch) && ch != '8' && ch != '9')
+  {
+  ch -= '0';
+  if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
+    {
+    ch = ch * 8 + *(++p) - '0';
+    if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
+      ch = ch * 8 + *(++p) - '0';
+    }
+  }
+else switch(ch)
+  {
+  case 'b':  ch = '\b'; break;
+  case 'f':  ch = '\f'; break;
+  case 'n':  ch = '\n'; break;
+  case 'r':  ch = '\r'; break;
+  case 't':  ch = '\t'; break;
+  case 'v':  ch = '\v'; break;
+  case 'x':
+  ch = 0;
+  if (isxdigit(p[1]))
+    {
+    ch = ch * 16 +
+      Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
+    if (isxdigit(p[1])) ch = ch * 16 +
+      Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
+    }
+  break;
+  }
+*pp = p;
+return ch;
+}
+
+
+
+#ifndef COMPILE_UTILITY
+/*************************************************
+*          Ensure string is printable            *
+*************************************************/
+
+/* This function is called for critical strings. It checks for any
+non-printing characters, and if any are found, it makes a new copy
+of the string with suitable escape sequences. It is most often called by the
+macro string_printing(), which sets flags to 0.
+
+Arguments:
+  s             the input string
+  flags		Bit 0: convert tabs.  Bit 1: convert spaces.
+
+Returns:        string with non-printers encoded as printing sequences
+*/
+
+const uschar *
+string_printing2(const uschar *s, int flags)
+{
+int nonprintcount = 0;
+int length = 0;
+const uschar *t = s;
+uschar *ss, *tt;
+
+while (*t)
+  {
+  int c = *t++;
+  if (  !mac_isprint(c)
+     || flags & SP_TAB && c == '\t'
+     || flags & SP_SPACE && c == ' '
+     ) nonprintcount++;
+  length++;
+  }
+
+if (nonprintcount == 0) return s;
+
+/* Get a new block of store guaranteed big enough to hold the
+expanded string. */
+
+tt = ss = store_get(length + nonprintcount * 3 + 1, s);
+
+/* Copy everything, escaping non printers. */
+
+for (t = s; *t; )
+  {
+  int c = *t;
+  if (  mac_isprint(c)
+     && (!(flags & SP_TAB) || c != '\t')
+     && (!(flags & SP_SPACE) || c != ' ')
+     )
+    *tt++ = *t++;
+  else
+    {
+    *tt++ = '\\';
+    switch (*t)
+      {
+      case '\n': *tt++ = 'n'; break;
+      case '\r': *tt++ = 'r'; break;
+      case '\b': *tt++ = 'b'; break;
+      case '\v': *tt++ = 'v'; break;
+      case '\f': *tt++ = 'f'; break;
+      case '\t': *tt++ = 't'; break;
+      default: sprintf(CS tt, "%03o", *t); tt += 3; break;
+      }
+    t++;
+    }
+  }
+*tt = 0;
+return ss;
+}
+#endif  /* COMPILE_UTILITY */
+
+/*************************************************
+*        Undo printing escapes in string         *
+*************************************************/
+
+/* This function is the reverse of string_printing2.  It searches for
+backslash characters and if any are found, it makes a new copy of the
+string with escape sequences parsed.  Otherwise it returns the original
+string.
+
+Arguments:
+  s             the input string
+
+Returns:        string with printing escapes parsed back
+*/
+
+uschar *
+string_unprinting(uschar *s)
+{
+uschar *p, *q, *r, *ss;
+int len, off;
+
+p = Ustrchr(s, '\\');
+if (!p) return s;
+
+len = Ustrlen(s) + 1;
+ss = store_get(len, s);
+
+q = ss;
+off = p - s;
+if (off)
+  {
+  memcpy(q, s, off);
+  q += off;
+  }
+
+while (*p)
+  {
+  if (*p == '\\')
+    {
+    *q++ = string_interpret_escape((const uschar **)&p);
+    p++;
+    }
+  else
+    {
+    r = Ustrchr(p, '\\');
+    if (!r)
+      {
+      off = Ustrlen(p);
+      memcpy(q, p, off);
+      p += off;
+      q += off;
+      break;
+      }
+    else
+      {
+      off = r - p;
+      memcpy(q, p, off);
+      q += off;
+      p = r;
+      }
+    }
+  }
+*q = '\0';
+
+return ss;
+}
+
+
+
+
+#if (defined(HAVE_LOCAL_SCAN) || defined(EXPAND_DLFUNC)) \
+	&& !defined(MACRO_PREDEF) && !defined(COMPILE_UTILITY)
+/*************************************************
+*            Copy and save string                *
+*************************************************/
+
+/*
+Argument: string to copy
+Returns:  copy of string in new store with the same taint status
+*/
+
+uschar *
+string_copy_function(const uschar * s)
+{
+return string_copy_taint(s, s);
+}
+
+/* As above, but explicitly specifying the result taint status
+*/
+
+uschar *
+string_copy_taint_function(const uschar * s, const void * proto_mem)
+{
+return string_copy_taint(s, proto_mem);
+}
+
+
+
+/*************************************************
+*       Copy and save string, given length       *
+*************************************************/
+
+/* It is assumed the data contains no zeros. A zero is added
+onto the end.
+
+Arguments:
+  s         string to copy
+  n         number of characters
+
+Returns:    copy of string in new store
+*/
+
+uschar *
+string_copyn_function(const uschar * s, int n)
+{
+return string_copyn(s, n);
+}
+#endif
+
+
+/*************************************************
+*     Copy and save string in malloc'd store     *
+*************************************************/
+
+/* This function assumes that memcpy() is faster than strcpy().
+
+Argument: string to copy
+Returns:  copy of string in new store
+*/
+
+uschar *
+string_copy_malloc(const uschar * s)
+{
+int len = Ustrlen(s) + 1;
+uschar * ss = store_malloc(len);
+memcpy(ss, s, len);
+return ss;
+}
+
+
+
+/*************************************************
+*    Copy string if long, inserting newlines     *
+*************************************************/
+
+/* If the given string is longer than 75 characters, it is copied, and within
+the copy, certain space characters are converted into newlines.
+
+Argument:  pointer to the string
+Returns:   pointer to the possibly altered string
+*/
+
+uschar *
+string_split_message(uschar * msg)
+{
+uschar *s, *ss;
+
+if (!msg || Ustrlen(msg) <= 75) return msg;
+s = ss = msg = string_copy(msg);
+
+for (;;)
+  {
+  int i = 0;
+  while (i < 75 && *ss && *ss != '\n') ss++, i++;
+  if (!*ss) break;
+  if (*ss == '\n')
+    s = ++ss;
+  else
+    {
+    uschar * t = ss + 1;
+    uschar * tt = NULL;
+    while (--t > s + 35)
+      {
+      if (*t == ' ')
+        {
+        if (t[-1] == ':') { tt = t; break; }
+        if (!tt) tt = t;
+        }
+      }
+
+    if (!tt)          /* Can't split behind - try ahead */
+      {
+      t = ss + 1;
+      while (*t)
+        {
+        if (*t == ' ' || *t == '\n')
+          { tt = t; break; }
+        t++;
+        }
+      }
+
+    if (!tt) break;   /* Can't find anywhere to split */
+    *tt = '\n';
+    s = ss = tt+1;
+    }
+  }
+
+return msg;
+}
+
+
+
+/*************************************************
+*   Copy returned DNS domain name, de-escaping   *
+*************************************************/
+
+/* If a domain name contains top-bit characters, some resolvers return
+the fully qualified name with those characters turned into escapes. The
+convention is a backslash followed by _decimal_ digits. We convert these
+back into the original binary values. This will be relevant when
+allow_utf8_domains is set true and UTF-8 characters are used in domain
+names. Backslash can also be used to escape other characters, though we
+shouldn't come across them in domain names.
+
+Argument:   the domain name string
+Returns:    copy of string in new store, de-escaped
+*/
+
+uschar *
+string_copy_dnsdomain(uschar * s)
+{
+uschar * yield;
+uschar * ss = yield = store_get(Ustrlen(s) + 1, GET_TAINTED);	/* always treat as tainted */
+
+while (*s)
+  {
+  if (*s != '\\')
+    *ss++ = *s++;
+  else if (isdigit(s[1]))
+    {
+    *ss++ = (s[1] - '0')*100 + (s[2] - '0')*10 + s[3] - '0';
+    s += 4;
+    }
+  else if (*++s)
+    *ss++ = *s++;
+  }
+
+*ss = 0;
+return yield;
+}
+
+
+#ifndef COMPILE_UTILITY
+/*************************************************
+*     Copy space-terminated or quoted string     *
+*************************************************/
+
+/* This function copies from a string until its end, or until whitespace is
+encountered, unless the string begins with a double quote, in which case the
+terminating quote is sought, and escaping within the string is done. The length
+of a de-quoted string can be no longer than the original, since escaping always
+turns n characters into 1 character.
+
+Argument:  pointer to the pointer to the first character, which gets updated
+Returns:   the new string
+*/
+
+uschar *
+string_dequote(const uschar ** sptr)
+{
+const uschar * s = * sptr;
+uschar * t, * yield;
+
+/* First find the end of the string */
+
+if (*s != '\"')
+  while (*s && !isspace(*s)) s++;
+else
+  {
+  s++;
+  while (*s && *s != '\"')
+    {
+    if (*s == '\\') (void)string_interpret_escape(&s);
+    s++;
+    }
+  if (*s) s++;
+  }
+
+/* Get enough store to copy into */
+
+t = yield = store_get(s - *sptr + 1, *sptr);
+s = *sptr;
+
+/* Do the copy */
+
+if (*s != '\"')
+  while (*s && !isspace(*s)) *t++ = *s++;
+else
+  {
+  s++;
+  while (*s && *s != '\"')
+    {
+    *t++ = *s == '\\' ? string_interpret_escape(&s) : *s;
+    s++;
+    }
+  if (*s) s++;
+  }
+
+/* Update the pointer and return the terminated copy */
+
+*sptr = s;
+*t = 0;
+return yield;
+}
+#endif  /* COMPILE_UTILITY */
+
+
+
+/*************************************************
+*          Format a string and save it           *
+*************************************************/
+
+/* The formatting is done by string_vformat, which checks the length of
+everything.  Taint is taken from the worst of the arguments.
+
+Arguments:
+  format    a printf() format - deliberately char * rather than uschar *
+              because it will most usually be a literal string
+  func	    caller, for debug
+  line	    caller, for debug
+  ...       arguments for format
+
+Returns:    pointer to fresh piece of store containing sprintf'ed string
+*/
+
+uschar *
+string_sprintf_trc(const char * format, const uschar * func, unsigned line, ...)
+{
+#ifdef COMPILE_UTILITY
+uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
+gstring gs = { .size = STRING_SPRINTF_BUFFER_SIZE, .ptr = 0, .s = buffer };
+gstring * g = &gs;
+unsigned flags = 0;
+#else
+gstring * g = NULL;
+unsigned flags = SVFMT_REBUFFER|SVFMT_EXTEND;
+#endif
+
+va_list ap;
+va_start(ap, line);
+g = string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
+	flags, format, ap);
+va_end(ap);
+
+if (!g)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "string_sprintf expansion was longer than %d; format string was (%s)\n"
+    " called from %s %d\n",
+    STRING_SPRINTF_BUFFER_SIZE, format, func, line);
+
+#ifdef COMPILE_UTILITY
+return string_copyn(g->s, g->ptr);
+#else
+gstring_release_unused(g);
+return string_from_gstring(g);
+#endif
+}
+
+
+
+/*************************************************
+*         Case-independent strncmp() function    *
+*************************************************/
+
+/*
+Arguments:
+  s         first string
+  t         second string
+  n         number of characters to compare
+
+Returns:    < 0, = 0, or > 0, according to the comparison
+*/
+
+int
+strncmpic(const uschar * s, const uschar * t, int n)
+{
+while (n--)
+  {
+  int c = tolower(*s++) - tolower(*t++);
+  if (c) return c;
+  }
+return 0;
+}
+
+
+/*************************************************
+*         Case-independent strcmp() function     *
+*************************************************/
+
+/*
+Arguments:
+  s         first string
+  t         second string
+
+Returns:    < 0, = 0, or > 0, according to the comparison
+*/
+
+int
+strcmpic(const uschar * s, const uschar * t)
+{
+while (*s)
+  {
+  int c = tolower(*s++) - tolower(*t++);
+  if (c != 0) return c;
+  }
+return *t;
+}
+
+
+/*************************************************
+*         Case-independent strstr() function     *
+*************************************************/
+
+/* The third argument specifies whether whitespace is required
+to follow the matched string.
+
+Arguments:
+  s              string to search
+  t              substring to search for
+  space_follows  if TRUE, match only if whitespace follows
+
+Returns:         pointer to substring in string, or NULL if not found
+*/
+
+const uschar *
+strstric_c(const uschar * s, const uschar * t, BOOL space_follows)
+{
+const uschar * p = t;
+const uschar * yield = NULL;
+int cl = tolower(*p);
+int cu = toupper(*p);
+
+while (*s)
+  {
+  if (*s == cl || *s == cu)
+    {
+    if (!yield) yield = s;
+    if (!*++p)
+      {
+      if (!space_follows || s[1] == ' ' || s[1] == '\n' ) return yield;
+      yield = NULL;
+      p = t;
+      }
+    cl = tolower(*p);
+    cu = toupper(*p);
+    s++;
+    }
+  else if (yield)
+    {
+    yield = NULL;
+    p = t;
+    cl = tolower(*p);
+    cu = toupper(*p);
+    }
+  else s++;
+  }
+return NULL;
+}
+
+uschar *
+strstric(uschar * s, uschar * t, BOOL space_follows)
+{
+return US strstric_c(s, t, space_follows);
+}
+
+
+#ifdef COMPILE_UTILITY
+/* Dummy version for this function; it should never be called */
+static void
+gstring_grow(gstring * g, int count)
+{
+assert(FALSE);
+}
+#endif
+
+
+
+#ifndef COMPILE_UTILITY
+/*************************************************
+*       Get next string from separated list      *
+*************************************************/
+
+/* Leading and trailing space is removed from each item. The separator in the
+list is controlled by the int pointed to by the separator argument as follows:
+
+  If the value is > 0 it is used as the separator. This is typically used for
+  sublists such as slash-separated options. The value is always a printing
+  character.
+
+    (If the value is actually > UCHAR_MAX there is only one item in the list.
+    This is used for some cases when called via functions that sometimes
+    plough through lists, and sometimes are given single items.)
+
+  If the value is <= 0, the string is inspected for a leading <x, where x is an
+  ispunct() or an iscntrl() character. If found, x is used as the separator. If
+  not found:
+
+      (a) if separator == 0, ':' is used
+      (b) if separator <0, -separator is used
+
+  In all cases the value of the separator that is used is written back to the
+  int so that it is used on subsequent calls as we progress through the list.
+
+A literal ispunct() separator can be represented in an item by doubling, but
+there is no way to include an iscntrl() separator as part of the data.
+
+Arguments:
+  listptr    points to a pointer to the current start of the list; the
+             pointer gets updated to point after the end of the next item
+  separator  a pointer to the separator character in an int (see above)
+  buffer     where to put a copy of the next string in the list; or
+               NULL if the next string is returned in new memory
+	     Note that if the list is tainted then a provided buffer must be
+	     also (else we trap, with a message referencing the callsite).
+	     If we do the allocation, taint is handled there.
+  buflen     when buffer is not NULL, the size of buffer; otherwise ignored
+
+  func	     caller, for debug
+  line	     caller, for debug
+
+Returns:     pointer to buffer, containing the next substring,
+             or NULL if no more substrings
+*/
+
+uschar *
+string_nextinlist_trc(const uschar ** listptr, int * separator, uschar * buffer,
+  int buflen, const uschar * func, int line)
+{
+int sep = *separator;
+const uschar * s = *listptr;
+BOOL sep_is_special;
+
+if (!s) return NULL;
+
+/* This allows for a fixed specified separator to be an iscntrl() character,
+but at the time of implementation, this is never the case. However, it's best
+to be conservative. */
+
+while (isspace(*s) && *s != sep) s++;
+
+/* A change of separator is permitted, so look for a leading '<' followed by an
+allowed character. */
+
+if (sep <= 0)
+  {
+  if (*s == '<' && (ispunct(s[1]) || iscntrl(s[1])))
+    {
+    sep = s[1];
+    if (*++s) ++s;
+    while (isspace(*s) && *s != sep) s++;
+    }
+  else
+    sep = sep ? -sep : ':';
+  *separator = sep;
+  }
+
+/* An empty string has no list elements */
+
+if (!*s) return NULL;
+
+/* Note whether whether or not the separator is an iscntrl() character. */
+
+sep_is_special = iscntrl(sep);
+
+/* Handle the case when a buffer is provided. */
+/*XXX need to also deal with qouted-requirements mismatch */
+
+if (buffer)
+  {
+  int p = 0;
+  if (is_tainted(s) && !is_tainted(buffer))
+    die_tainted(US"string_nextinlist", func, line);
+  for (; *s; s++)
+    {
+    if (*s == sep && (*(++s) != sep || sep_is_special)) break;
+    if (p < buflen - 1) buffer[p++] = *s;
+    }
+  while (p > 0 && isspace(buffer[p-1])) p--;
+  buffer[p] = '\0';
+  }
+
+/* Handle the case when a buffer is not provided. */
+
+else
+  {
+  gstring * g = NULL;
+
+  /* We know that *s != 0 at this point. However, it might be pointing to a
+  separator, which could indicate an empty string, or (if an ispunct()
+  character) could be doubled to indicate a separator character as data at the
+  start of a string. Avoid getting working memory for an empty item. */
+
+  if (*s == sep)
+    if (*++s != sep || sep_is_special)
+      {
+      *listptr = s;
+      return string_copy(US"");
+      }
+
+  /* Not an empty string; the first character is guaranteed to be a data
+  character. */
+
+  for (;;)
+    {
+    const uschar * ss;
+    for (ss = s + 1; *ss && *ss != sep; ) ss++;
+    g = string_catn(g, s, ss-s);
+    s = ss;
+    if (!*s || *++s != sep || sep_is_special) break;
+    }
+
+  /* Trim trailing spaces from the returned string */
+
+  /* while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--; */
+  while (  g->ptr > 0 && isspace(g->s[g->ptr-1])
+	&& (g->ptr == 1 || g->s[g->ptr-2] != '\\') )
+    g->ptr--;
+  buffer = string_from_gstring(g);
+  gstring_release_unused_trc(g, CCS func, line);
+  }
+
+/* Update the current pointer and return the new string */
+
+*listptr = s;
+return buffer;
+}
+
+
+static const uschar *
+Ustrnchr(const uschar * s, int c, unsigned * len)
+{
+unsigned siz = *len;
+while (siz)
+  {
+  if (!*s) return NULL;
+  if (*s == c)
+    {
+    *len = siz;
+    return s;
+    }
+  s++;
+  siz--;
+  }
+return NULL;
+}
+
+
+/************************************************
+*	Add element to separated list           *
+************************************************/
+/* This function is used to build a list, returning an allocated null-terminated
+growable string. The given element has any embedded separator characters
+doubled.
+
+Despite having the same growable-string interface as string_cat() the list is
+always returned null-terminated.
+
+Arguments:
+  list	expanding-string for the list that is being built, or NULL
+	if this is a new list that has no contents yet
+  sep	list separator character
+  ele	new element to be appended to the list
+
+Returns:  pointer to the start of the list, changed if copied for expansion.
+*/
+
+gstring *
+string_append_listele(gstring * list, uschar sep, const uschar * ele)
+{
+uschar * sp;
+
+if (list && list->ptr)
+  list = string_catn(list, &sep, 1);
+
+while((sp = Ustrchr(ele, sep)))
+  {
+  list = string_catn(list, ele, sp-ele+1);
+  list = string_catn(list, &sep, 1);
+  ele = sp+1;
+  }
+list = string_cat(list, ele);
+(void) string_from_gstring(list);
+return list;
+}
+
+
+gstring *
+string_append_listele_n(gstring * list, uschar sep, const uschar * ele,
+ unsigned len)
+{
+const uschar * sp;
+
+if (list && list->ptr)
+  list = string_catn(list, &sep, 1);
+
+while((sp = Ustrnchr(ele, sep, &len)))
+  {
+  list = string_catn(list, ele, sp-ele+1);
+  list = string_catn(list, &sep, 1);
+  ele = sp+1;
+  len--;
+  }
+list = string_catn(list, ele, len);
+(void) string_from_gstring(list);
+return list;
+}
+
+
+
+/* A slightly-bogus listmaker utility; the separator is a string so
+can be multiple chars - there is no checking for the element content
+containing any of the separator. */
+
+gstring *
+string_append2_listele_n(gstring * list, const uschar * sepstr,
+ const uschar * ele, unsigned len)
+{
+if (list && list->ptr)
+  list = string_cat(list, sepstr);
+
+list = string_catn(list, ele, len);
+(void) string_from_gstring(list);
+return list;
+}
+
+
+
+/************************************************/
+/* Add more space to a growable-string.  The caller should check
+first if growth is required.  The gstring struct is modified on
+return; specifically, the string-base-pointer may have been changed.
+
+Arguments:
+  g		the growable-string
+  count		amount needed for g->ptr to increase by
+*/
+
+static void
+gstring_grow(gstring * g, int count)
+{
+int p = g->ptr;
+int oldsize = g->size;
+
+/* Mostly, string_cat() is used to build small strings of a few hundred
+characters at most. There are times, however, when the strings are very much
+longer (for example, a lookup that returns a vast number of alias addresses).
+To try to keep things reasonable, we use increments whose size depends on the
+existing length of the string. */
+
+unsigned inc = oldsize < 4096 ? 127 : 1023;
+
+if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size);
+
+if (count <= 0) return;
+
+if (count >= INT_MAX/2 - g->ptr)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "internal error in gstring_grow (ptr %d count %d)", g->ptr, count);
+
+g->size = (p + count + inc + 1) & ~inc;		/* one for a NUL */
+
+/* Try to extend an existing allocation. If the result of calling
+store_extend() is false, either there isn't room in the current memory block,
+or this string is not the top item on the dynamic store stack. We then have
+to get a new chunk of store and copy the old string. When building large
+strings, it is helpful to call store_release() on the old string, to release
+memory blocks that have become empty. (The block will be freed if the string
+is at its start.) However, we can do this only if we know that the old string
+was the last item on the dynamic memory stack. This is the case if it matches
+store_last_get. */
+
+if (!store_extend(g->s, oldsize, g->size))
+  g->s = store_newblock(g->s, g->size, p);
+}
+
+
+
+/*************************************************
+*             Add chars to string                *
+*************************************************/
+/* This function is used when building up strings of unknown length. Room is
+always left for a terminating zero to be added to the string that is being
+built. This function does not require the string that is being added to be NUL
+terminated, because the number of characters to add is given explicitly. It is
+sometimes called to extract parts of other strings.
+
+Arguments:
+  g	   growable-string that is being built, or NULL if not assigned yet
+  s        points to characters to add
+  count    count of characters to add; must not exceed the length of s, if s
+             is a C string.
+
+Returns:   growable string, changed if copied for expansion.
+           Note that a NUL is not added, though space is left for one. This is
+           because string_cat() is often called multiple times to build up a
+           string - there's no point adding the NUL till the end.
+	   NULL is a possible return.
+
+*/
+/* coverity[+alloc] */
+
+gstring *
+string_catn(gstring * g, const uschar * s, int count)
+{
+int p;
+
+if (count < 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "internal error in string_catn (count %d)", count);
+if (count == 0) return g;
+
+/*debug_printf("string_catn '%.*s'\n", count, s);*/
+if (!g)
+  {
+  unsigned inc = count < 4096 ? 127 : 1023;
+  unsigned size = ((count + inc) &  ~inc) + 1;	/* round up requested count */
+  g = string_get_tainted(size, s);
+  }
+else if (!g->s)			/* should not happen */
+  {
+  g->s = string_copyn(s, count);
+  g->ptr = count;
+  g->size = count;	/*XXX suboptimal*/
+  return g;
+  }
+else if (is_incompatible(g->s, s))
+  {
+/* debug_printf("rebuf A\n"); */
+  gstring_rebuffer(g, s);
+  }
+
+if (g->ptr < 0 || g->ptr > g->size)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "internal error in string_catn (ptr %d size %d)", g->ptr, g->size);
+
+p = g->ptr;
+if (count >= g->size - p)
+  gstring_grow(g, count);
+
+/* Because we always specify the exact number of characters to copy, we can
+use memcpy(), which is likely to be more efficient than strncopy() because the
+latter has to check for zero bytes. */
+
+memcpy(g->s + p, s, count);
+g->ptr = p + count;
+return g;
+}
+
+
+gstring *
+string_cat(gstring * g, const uschar * s)
+{
+return string_catn(g, s, Ustrlen(s));
+}
+
+
+
+/*************************************************
+*        Append strings to another string        *
+*************************************************/
+
+/* This function can be used to build a string from many other strings.
+It calls string_cat() to do the dirty work.
+
+Arguments:
+  g	   growable-string that is being built, or NULL if not yet assigned
+  count    the number of strings to append
+  ...      "count" uschar* arguments, which must be valid zero-terminated
+             C strings
+
+Returns:   growable string, changed if copied for expansion.
+           The string is not zero-terminated - see string_cat() above.
+*/
+
+__inline__ gstring *
+string_append(gstring * g, int count, ...)
+{
+va_list ap;
+
+va_start(ap, count);
+while (count-- > 0)
+  {
+  uschar * t = va_arg(ap, uschar *);
+  g = string_cat(g, t);
+  }
+va_end(ap);
+
+return g;
+}
+#endif
+
+
+
+/*************************************************
+*        Format a string with length checks      *
+*************************************************/
+
+/* This function is used to format a string with checking of the length of the
+output for all conversions. It protects Exim from absent-mindedness when
+calling functions like debug_printf and string_sprintf, and elsewhere. There
+are two different entry points to what is actually the same function, depending
+on whether the variable length list of data arguments are given explicitly or
+as a va_list item.
+
+The formats are the usual printf() ones, with some omissions (never used) and
+three additions for strings: %S forces lower case, %T forces upper case, and
+%#s or %#S prints nothing for a NULL string. Without the # "NULL" is printed
+(useful in debugging). There is also the addition of %D and %M, which insert
+the date in the form used for datestamped log files.
+
+Arguments:
+  buffer       a buffer in which to put the formatted string
+  buflen       the length of the buffer
+  format       the format string - deliberately char * and not uschar *
+  ... or ap    variable list of supplementary arguments
+
+Returns:       TRUE if the result fitted in the buffer
+*/
+
+BOOL
+string_format_trc(uschar * buffer, int buflen,
+  const uschar * func, unsigned line, const char * format, ...)
+{
+gstring g = { .size = buflen, .ptr = 0, .s = buffer }, * gp;
+va_list ap;
+va_start(ap, format);
+gp = string_vformat_trc(&g, func, line, STRING_SPRINTF_BUFFER_SIZE,
+	0, format, ap);
+va_end(ap);
+g.s[g.ptr] = '\0';
+return !!gp;
+}
+
+
+
+
+/* Build or append to a growing-string, sprintf-style.
+
+Arguments:
+	g	a growable-string
+	func	called-from function name, for debug
+	line	called-from file line number, for debug
+	limit	maximum string size
+	flags	see below
+	format	printf-like format string
+	ap	variable-args pointer
+
+Flags:
+	SVFMT_EXTEND            buffer can be created or exteded as needed
+	SVFMT_REBUFFER          buffer can be recopied to tainted mem as needed
+	SVFMT_TAINT_NOCHK       do not check inputs for taint
+
+If the "extend" flag is true, the string passed in can be NULL,
+empty, or non-empty.  Growing is subject to an overall limit given
+by the limit argument.
+
+If the "extend" flag is false, the string passed in may not be NULL,
+will not be grown, and is usable in the original place after return.
+The return value can be NULL to signify overflow.
+
+Returns the possibly-new (if copy for growth or taint-handling was needed)
+string, not nul-terminated.
+*/
+
+gstring *
+string_vformat_trc(gstring * g, const uschar * func, unsigned line,
+  unsigned size_limit, unsigned flags, const char * format, va_list ap)
+{
+enum ltypes { L_NORMAL=1, L_SHORT=2, L_LONG=3, L_LONGLONG=4, L_LONGDOUBLE=5, L_SIZE=6 };
+
+int width, precision, off, lim, need;
+const char * fp = format;	/* Deliberately not unsigned */
+
+string_datestamp_offset = -1;	/* Datestamp not inserted */
+string_datestamp_length = 0;	/* Datestamp not inserted */
+string_datestamp_type = 0;	/* Datestamp not inserted */
+
+#ifdef COMPILE_UTILITY
+assert(!(flags & SVFMT_EXTEND));
+assert(g);
+#else
+
+/* Ensure we have a string, to save on checking later */
+if (!g) g = string_get(16);
+
+if (!(flags & SVFMT_TAINT_NOCHK) && is_incompatible(g->s, format))
+  {
+#ifndef MACRO_PREDEF
+  if (!(flags & SVFMT_REBUFFER))
+    die_tainted(US"string_vformat", func, line);
+#endif
+/* debug_printf("rebuf B\n"); */
+  gstring_rebuffer(g, format);
+  }
+#endif	/*!COMPILE_UTILITY*/
+
+lim = g->size - 1;	/* leave one for a nul */
+off = g->ptr;		/* remember initial offset in gstring */
+
+/* Scan the format and handle the insertions */
+
+while (*fp)
+  {
+  int length = L_NORMAL;
+  int * nptr;
+  int slen;
+  const char *null = "NULL";		/* ) These variables */
+  const char *item_start, *s;		/* ) are deliberately */
+  char newformat[16];			/* ) not unsigned */
+  char * gp = CS g->s + g->ptr;		/* ) */
+
+  /* Non-% characters just get copied verbatim */
+
+  if (*fp != '%')
+    {
+    /* Avoid string_copyn() due to COMPILE_UTILITY */
+    if ((need = g->ptr + 1) > lim)
+      {
+      if (!(flags & SVFMT_EXTEND) || need > size_limit) return NULL;
+      gstring_grow(g, 1);
+      lim = g->size - 1;
+      }
+    g->s[g->ptr++] = (uschar) *fp++;
+    continue;
+    }
+
+  /* Deal with % characters. Pick off the width and precision, for checking
+  strings, skipping over the flag and modifier characters. */
+
+  item_start = fp;
+  width = precision = -1;
+
+  if (strchr("-+ #0", *(++fp)) != NULL)
+    {
+    if (*fp == '#') null = "";
+    fp++;
+    }
+
+  if (isdigit((uschar)*fp))
+    {
+    width = *fp++ - '0';
+    while (isdigit((uschar)*fp)) width = width * 10 + *fp++ - '0';
+    }
+  else if (*fp == '*')
+    {
+    width = va_arg(ap, int);
+    fp++;
+    }
+
+  if (*fp == '.')
+    if (*(++fp) == '*')
+      {
+      precision = va_arg(ap, int);
+      fp++;
+      }
+    else
+      for (precision = 0; isdigit((uschar)*fp); fp++)
+        precision = precision*10 + *fp - '0';
+
+  /* Skip over 'h', 'L', 'l', 'll' and 'z', remembering the item length */
+
+  if (*fp == 'h')
+    { fp++; length = L_SHORT; }
+  else if (*fp == 'L')
+    { fp++; length = L_LONGDOUBLE; }
+  else if (*fp == 'l')
+    if (fp[1] == 'l')
+      { fp += 2; length = L_LONGLONG; }
+    else
+      { fp++; length = L_LONG; }
+  else if (*fp == 'z')
+    { fp++; length = L_SIZE; }
+
+  /* Handle each specific format type. */
+
+  switch (*fp++)
+    {
+    case 'n':
+      nptr = va_arg(ap, int *);
+      *nptr = g->ptr - off;
+      break;
+
+    case 'd':
+    case 'o':
+    case 'u':
+    case 'x':
+    case 'X':
+      width = length > L_LONG ? 24 : 12;
+      if ((need = g->ptr + width) > lim)
+	{
+	if (!(flags & SVFMT_EXTEND) || need >= size_limit) return NULL;
+	gstring_grow(g, width);
+	lim = g->size - 1;
+	gp = CS g->s + g->ptr;
+	}
+      strncpy(newformat, item_start, fp - item_start);
+      newformat[fp - item_start] = 0;
+
+      /* Short int is promoted to int when passing through ..., so we must use
+      int for va_arg(). */
+
+      switch(length)
+	{
+	case L_SHORT:
+	case L_NORMAL:
+	  g->ptr += sprintf(gp, newformat, va_arg(ap, int)); break;
+	case L_LONG:
+	  g->ptr += sprintf(gp, newformat, va_arg(ap, long int)); break;
+	case L_LONGLONG:
+	  g->ptr += sprintf(gp, newformat, va_arg(ap, LONGLONG_T)); break;
+	case L_SIZE:
+	  g->ptr += sprintf(gp, newformat, va_arg(ap, size_t)); break;
+	}
+      break;
+
+    case 'p':
+      {
+      void * ptr;
+      if ((need = g->ptr + 24) > lim)
+	{
+	if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
+	gstring_grow(g, 24);
+	lim = g->size - 1;
+	gp = CS g->s + g->ptr;
+	}
+      /* sprintf() saying "(nil)" for a null pointer seems unreliable.
+      Handle it explicitly. */
+      if ((ptr = va_arg(ap, void *)))
+	{
+	strncpy(newformat, item_start, fp - item_start);
+	newformat[fp - item_start] = 0;
+	g->ptr += sprintf(gp, newformat, ptr);
+	}
+      else
+	g->ptr += sprintf(gp, "(nil)");
+      }
+    break;
+
+    /* %f format is inherently insecure if the numbers that it may be
+    handed are unknown (e.g. 1e300). However, in Exim, %f is used for
+    printing load averages, and these are actually stored as integers
+    (load average * 1000) so the size of the numbers is constrained.
+    It is also used for formatting sending rates, where the simplicity
+    of the format prevents overflow. */
+
+    case 'f':
+    case 'e':
+    case 'E':
+    case 'g':
+    case 'G':
+      if (precision < 0) precision = 6;
+      if ((need = g->ptr + precision + 8) > lim)
+	{
+	if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
+	gstring_grow(g, precision+8);
+	lim = g->size - 1;
+	gp = CS g->s + g->ptr;
+	}
+      strncpy(newformat, item_start, fp - item_start);
+      newformat[fp-item_start] = 0;
+      if (length == L_LONGDOUBLE)
+	g->ptr += sprintf(gp, newformat, va_arg(ap, long double));
+      else
+	g->ptr += sprintf(gp, newformat, va_arg(ap, double));
+      break;
+
+    /* String types */
+
+    case '%':
+      if ((need = g->ptr + 1) > lim)
+	{
+	if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
+	gstring_grow(g, 1);
+	lim = g->size - 1;
+	}
+      g->s[g->ptr++] = (uschar) '%';
+      break;
+
+    case 'c':
+      if ((need = g->ptr + 1) > lim)
+	{
+	if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
+	gstring_grow(g, 1);
+	lim = g->size - 1;
+	}
+      g->s[g->ptr++] = (uschar) va_arg(ap, int);
+      break;
+
+    case 'D':                   /* Insert daily datestamp for log file names */
+      s = CS tod_stamp(tod_log_datestamp_daily);
+      string_datestamp_offset = g->ptr;		/* Passed back via global */
+      string_datestamp_length = Ustrlen(s);	/* Passed back via global */
+      string_datestamp_type = tod_log_datestamp_daily;
+      slen = string_datestamp_length;
+      goto INSERT_STRING;
+
+    case 'M':                   /* Insert monthly datestamp for log file names */
+      s = CS tod_stamp(tod_log_datestamp_monthly);
+      string_datestamp_offset = g->ptr;		/* Passed back via global */
+      string_datestamp_length = Ustrlen(s);	/* Passed back via global */
+      string_datestamp_type = tod_log_datestamp_monthly;
+      slen = string_datestamp_length;
+      goto INSERT_STRING;
+
+    case 's':
+    case 'S':                   /* Forces *lower* case */
+    case 'T':                   /* Forces *upper* case */
+      s = va_arg(ap, char *);
+
+      if (!s) s = null;
+      slen = Ustrlen(s);
+
+      if (!(flags & SVFMT_TAINT_NOCHK) && is_incompatible(g->s, s))
+	if (flags & SVFMT_REBUFFER)
+	  {
+/* debug_printf("%s %d: untainted workarea, tainted %%s :- rebuffer\n", __FUNCTION__, __LINE__); */
+	  gstring_rebuffer(g, s);
+	  gp = CS g->s + g->ptr;
+	  }
+#ifndef MACRO_PREDEF
+	else
+	  die_tainted(US"string_vformat", func, line);
+#endif
+
+    INSERT_STRING:              /* Come to from %D or %M above */
+
+      {
+      BOOL truncated = FALSE;
+
+      /* If the width is specified, check that there is a precision
+      set; if not, set it to the width to prevent overruns of long
+      strings. */
+
+      if (width >= 0)
+	{
+	if (precision < 0) precision = width;
+	}
+
+      /* If a width is not specified and the precision is specified, set
+      the width to the precision, or the string length if shorted. */
+
+      else if (precision >= 0)
+	width = precision < slen ? precision : slen;
+
+      /* If neither are specified, set them both to the string length. */
+
+      else
+	width = precision = slen;
+
+      if ((need = g->ptr + width) >= size_limit || !(flags & SVFMT_EXTEND))
+	{
+	if (g->ptr == lim) return NULL;
+	if (need > lim)
+	  {
+	  truncated = TRUE;
+	  width = precision = lim - g->ptr - 1;
+	  if (width < 0) width = 0;
+	  if (precision < 0) precision = 0;
+	  }
+	}
+      else if (need > lim)
+	{
+	gstring_grow(g, width);
+	lim = g->size - 1;
+	gp = CS g->s + g->ptr;
+	}
+
+      g->ptr += sprintf(gp, "%*.*s", width, precision, s);
+      if (fp[-1] == 'S')
+	while (*gp) { *gp = tolower(*gp); gp++; }
+      else if (fp[-1] == 'T')
+	while (*gp) { *gp = toupper(*gp); gp++; }
+
+      if (truncated) return NULL;
+      break;
+      }
+
+    /* Some things are never used in Exim; also catches junk. */
+
+    default:
+      strncpy(newformat, item_start, fp - item_start);
+      newformat[fp-item_start] = 0;
+      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "string_format: unsupported type "
+	"in \"%s\" in \"%s\"", newformat, format);
+      break;
+    }
+  }
+
+if (g->ptr > g->size)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "string_format internal error: caller %s %d", func, line);
+return g;
+}
+
+
+
+#ifndef COMPILE_UTILITY
+/*************************************************
+*       Generate an "open failed" message        *
+*************************************************/
+
+/* This function creates a message after failure to open a file. It includes a
+string supplied as data, adds the strerror() text, and if the failure was
+"Permission denied", reads and includes the euid and egid.
+
+Arguments:
+  format        a text format string - deliberately not uschar *
+  func		caller, for debug
+  line		caller, for debug
+  ...           arguments for the format string
+
+Returns:        a message, in dynamic store
+*/
+
+uschar *
+string_open_failed_trc(const uschar * func, unsigned line,
+  const char * format, ...)
+{
+va_list ap;
+gstring * g = string_get(1024);
+
+g = string_catn(g, US"failed to open ", 15);
+
+/* Use the checked formatting routine to ensure that the buffer
+does not overflow. It should not, since this is called only for internally
+specified messages. If it does, the message just gets truncated, and there
+doesn't seem much we can do about that. */
+
+va_start(ap, format);
+(void) string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
+	SVFMT_REBUFFER, format, ap);
+va_end(ap);
+
+g = string_catn(g, US": ", 2);
+g = string_cat(g, US strerror(errno));
+
+if (errno == EACCES)
+  {
+  int save_errno = errno;
+  g = string_fmt_append(g, " (euid=%ld egid=%ld)",
+    (long int)geteuid(), (long int)getegid());
+  errno = save_errno;
+  }
+gstring_release_unused(g);
+return string_from_gstring(g);
+}
+
+
+
+
+
+/* qsort(3), currently used to sort the environment variables
+for -bP environment output, needs a function to compare two pointers to string
+pointers. Here it is. */
+
+int
+string_compare_by_pointer(const void *a, const void *b)
+{
+return Ustrcmp(* CUSS a, * CUSS b);
+}
+#endif /* COMPILE_UTILITY */
+
+
+
+
+/*************************************************
+**************************************************
+*             Stand-alone test program           *
+**************************************************
+*************************************************/
+
+#ifdef STAND_ALONE
+int main(void)
+{
+uschar buffer[256];
+
+printf("Testing is_ip_address\n");
+store_init();
+
+while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
+  {
+  int offset;
+  buffer[Ustrlen(buffer) - 1] = 0;
+  printf("%d\n", string_is_ip_address(buffer, NULL));
+  printf("%d %d %s\n", string_is_ip_address(buffer, &offset), offset, buffer);
+  }
+
+printf("Testing string_nextinlist\n");
+
+while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
+  {
+  uschar *list = buffer;
+  uschar *lp1, *lp2;
+  uschar item[256];
+  int sep1 = 0;
+  int sep2 = 0;
+
+  if (*list == '<')
+    {
+    sep1 = sep2 = list[1];
+    list += 2;
+    }
+
+  lp1 = lp2 = list;
+  for (;;)
+    {
+    uschar *item1 = string_nextinlist(&lp1, &sep1, item, sizeof(item));
+    uschar *item2 = string_nextinlist(&lp2, &sep2, NULL, 0);
+
+    if (item1 == NULL && item2 == NULL) break;
+    if (item == NULL || item2 == NULL || Ustrcmp(item1, item2) != 0)
+      {
+      printf("***ERROR\nitem1=\"%s\"\nitem2=\"%s\"\n",
+        (item1 == NULL)? "NULL" : CS item1,
+        (item2 == NULL)? "NULL" : CS item2);
+      break;
+      }
+    else printf("  \"%s\"\n", CS item1);
+    }
+  }
+
+/* This is a horrible lash-up, but it serves its purpose. */
+
+printf("Testing string_format\n");
+
+while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
+  {
+  void *args[3];
+  long long llargs[3];
+  double dargs[3];
+  int dflag = 0;
+  int llflag = 0;
+  int n = 0;
+  int count;
+  int countset = 0;
+  uschar format[256];
+  uschar outbuf[256];
+  uschar *s;
+  buffer[Ustrlen(buffer) - 1] = 0;
+
+  s = Ustrchr(buffer, ',');
+  if (s == NULL) s = buffer + Ustrlen(buffer);
+
+  Ustrncpy(format, buffer, s - buffer);
+  format[s-buffer] = 0;
+
+  if (*s == ',') s++;
+
+  while (*s != 0)
+    {
+    uschar *ss = s;
+    s = Ustrchr(ss, ',');
+    if (s == NULL) s = ss + Ustrlen(ss);
+
+    if (isdigit(*ss))
+      {
+      Ustrncpy(outbuf, ss, s-ss);
+      if (Ustrchr(outbuf, '.') != NULL)
+        {
+        dflag = 1;
+        dargs[n++] = Ustrtod(outbuf, NULL);
+        }
+      else if (Ustrstr(outbuf, "ll") != NULL)
+        {
+        llflag = 1;
+        llargs[n++] = strtoull(CS outbuf, NULL, 10);
+        }
+      else
+        {
+        args[n++] = (void *)Uatoi(outbuf);
+        }
+      }
+
+    else if (Ustrcmp(ss, "*") == 0)
+      {
+      args[n++] = (void *)(&count);
+      countset = 1;
+      }
+
+    else
+      {
+      uschar *sss = malloc(s - ss + 1);
+      Ustrncpy(sss, ss, s-ss);
+      args[n++] = sss;
+      }
+
+    if (*s == ',') s++;
+    }
+
+  if (!dflag && !llflag)
+    printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
+      args[0], args[1], args[2])? "True" : "False");
+
+  else if (dflag)
+    printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
+      dargs[0], dargs[1], dargs[2])? "True" : "False");
+
+  else printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
+    llargs[0], llargs[1], llargs[2])? "True" : "False");
+
+  printf("%s\n", CS outbuf);
+  if (countset) printf("count=%d\n", count);
+  }
+
+return 0;
+}
+#endif
+
+/* End of string.c */
diff --git a/src/structs.h b/src/structs.h
new file mode 100644
index 0000000..b38aa6a
--- /dev/null
+++ b/src/structs.h
@@ -0,0 +1,960 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+/* Definitions of various structures. In addition, those that are visible for
+the compilation of local_scan() are defined in local_scan.h. These are
+
+  header_line
+  optionlist
+  recipient_item
+
+For those declared here, we have to pre-declare some because of mutually
+recursive definitions in the auths, routers, and transports blocks. */
+
+struct address_item;
+struct auth_info;
+struct driver_info;
+struct director_info;
+struct smtp_inblock;
+struct smtp_outblock;
+struct transport_info;
+struct router_info;
+
+/* Growable-string */
+typedef struct gstring {
+  int	size;		/* Current capacity of string memory */
+  int	ptr;		/* Offset at which to append further chars */
+  uschar * s;		/* The string memory */
+} gstring;
+
+/* Structure for remembering macros for the configuration file */
+
+typedef struct macro_item {
+  struct  macro_item * next;
+  BOOL     	command_line;
+  unsigned	namelen;
+  unsigned	replen;
+  const uschar * name;
+  const uschar * replacement;
+} macro_item;
+
+/* Structure for bit tables for debugging and logging */
+
+typedef struct bit_table {
+  uschar *name;
+  int bit;
+} bit_table;
+
+/* Block for holding a uid and gid, possibly unset, and an initgroups flag. */
+
+typedef struct ugid_block {
+  uid_t   uid;
+  gid_t   gid;
+  BOOL    uid_set;
+  BOOL    gid_set;
+  BOOL    initgroups;
+} ugid_block;
+
+typedef enum {	CHUNKING_NOT_OFFERED = -1,
+		CHUNKING_OFFERED,
+		CHUNKING_ACTIVE,
+		CHUNKING_LAST} chunking_state_t;
+
+typedef enum {	TFO_NOT_USED = 0,
+		TFO_ATTEMPTED_NODATA,
+		TFO_ATTEMPTED_DATA,
+		TFO_USED_NODATA,
+		TFO_USED_DATA } tfo_state_t;
+
+/* Structure for holding information about a host for use mainly by routers,
+but also used when checking lists of hosts and when transporting. Looking up
+host addresses is done using this structure. */
+
+typedef enum {DS_UNK=-1, DS_NO, DS_YES} dnssec_status_t;
+
+typedef struct host_item {
+  struct host_item *next;
+  const uschar *name;		/* Host name */
+#ifndef DISABLE_TLS
+  const uschar *certname;	/* Name used for certificate checks */
+#endif
+  const uschar *address;	/* IP address in text form */
+  int     port;			/* port value in host order (if SRV lookup) */
+  int     mx;			/* MX value if found via MX records */
+  int     sort_key;		/* MX*1000 plus random "fraction" */
+  int     status;		/* Usable, unusable, or unknown */
+  int     why;			/* Why host is unusable */
+  int     last_try;		/* Time of last try if known */
+  dnssec_status_t dnssec;
+} host_item;
+
+/* Chain of rewrite rules, read from the rewrite config, or parsed from the
+rewrite_headers field of a transport. */
+
+typedef struct rewrite_rule {
+  struct rewrite_rule *next;
+  int     flags;
+  uschar *key;
+  uschar *replacement;
+} rewrite_rule;
+
+/* This structure is used to pass back configuration data from the smtp
+transport to the outside world. It is used during callback processing. If ever
+another remote transport were implemented, it could use the same structure. */
+
+typedef struct transport_feedback {
+  uschar *interface;
+  uschar *port;
+  uschar *protocol;
+  uschar *hosts;
+  uschar *helo_data;
+  BOOL   hosts_override;
+  BOOL   hosts_randomize;
+  BOOL   gethostbyname;
+  BOOL   qualify_single;
+  BOOL   search_parents;
+} transport_feedback;
+
+/* Routers, transports, and authenticators have similar data blocks. Each
+driver that is compiled into the code is represented by a xxx_info block; the
+active drivers are represented by a chain of xxx_instance blocks. To make it
+possible to use the same code for reading the configuration files for all
+three, the layout of the start of the blocks is kept the same, and represented
+by the generic structures driver_info and driver_instance. */
+
+typedef struct driver_instance {
+  struct driver_instance *next;
+  uschar *name;                   /* Instance name */
+  struct driver_info *info;       /* Points to info for this driver */
+  void   *options_block;          /* Pointer to private options */
+
+  uschar *driver_name;            /* All start with this generic option */
+  const uschar *srcfile;	  /* and config source info for errors */
+  int	  srcline;
+} driver_instance;
+
+typedef struct driver_info {
+  uschar *driver_name;            /* Name of driver */
+
+  optionlist *options;            /* Table of private options names */
+  int    *options_count;          /* -> Number of entries in table */
+  void   *options_block;          /* Points to default private block */
+  int     options_len;            /* Length of same in bytes */
+  void  (*init)(                  /* Initialization entry point */
+    struct driver_instance *);
+} driver_info;
+
+
+/* Structure for holding information about the configured transports. Some
+of the generally accessible options are set from the configuration file; others
+are set by transport initialization, since they can only be set for certain
+transports. They need to be generally accessible, however, as they are used by
+the main transport code. */
+
+typedef struct transport_instance {
+  struct transport_instance *next;
+  uschar *name;                   /* Instance name */
+  struct transport_info *info;    /* Info for this driver */
+  void *options_block;            /* Pointer to private options */
+  uschar *driver_name;            /* Must be first */
+  const uschar *srcfile;
+  int	  srcline;
+
+  int   (*setup)(                 /* Setup entry point */
+    struct transport_instance *,
+    struct address_item *,
+    struct transport_feedback *,  /* For passing back config data */
+    uid_t,                        /* The uid that will be used */
+    gid_t,                        /* The gid that will be used */
+    uschar **);                   /* For an error message */
+                                  /**************************************/
+  int     batch_max;              /* )                                  */
+  uschar *batch_id;               /* )                                  */
+  uschar *home_dir;               /* ) Used only for local transports   */
+  uschar *current_dir;            /* )                                  */
+                                  /**************************************/
+  uschar *expand_multi_domain;    /* )                                  */
+  BOOL    multi_domain;           /* )                                  */
+  BOOL    overrides_hosts;        /* ) Used only for remote transports  */
+  int     max_addresses;          /* )                                  */
+  int     connection_max_messages;/* )                                  */
+                                  /**************************************/
+  BOOL    deliver_as_creator;     /* Used only by pipe at present */
+  BOOL    disable_logging;        /* For very weird requirements */
+  BOOL    initgroups;             /* Initialize groups when setting uid */
+  BOOL    uid_set;                /* uid is set */
+  BOOL    gid_set;                /* gid is set */
+  uid_t   uid;
+  gid_t   gid;
+  uschar *expand_uid;             /* Variable uid */
+  uschar *expand_gid;             /* Variable gid */
+  uschar *warn_message;           /* Used only by appendfile at present */
+  uschar *shadow;                 /* Name of shadow transport */
+  uschar *shadow_condition;       /* Condition for running it */
+  uschar *filter_command;         /* For on-the-fly-filtering */
+  uschar *add_headers;            /* Add these headers */
+  uschar *remove_headers;         /* Remove these headers */
+  uschar *return_path;            /* Overriding (rewriting) return path */
+  uschar *debug_string;           /* Debugging output */
+  uschar *max_parallel;           /* Number of concurrent instances */
+  uschar *message_size_limit;     /* Biggest message this transport handles */
+  uschar *headers_rewrite;        /* Rules for rewriting headers */
+  rewrite_rule *rewrite_rules;    /* Parsed rewriting rules */
+  int     rewrite_existflags;     /* Bits showing which headers are rewritten */
+  int     filter_timeout;         /* For transport filter timing */
+  BOOL    body_only;              /* Deliver only the body */
+  BOOL    delivery_date_add;      /* Add Delivery-Date header */
+  BOOL    envelope_to_add;        /* Add Envelope-To header */
+  BOOL    headers_only;           /* Deliver only the headers */
+  BOOL    rcpt_include_affixes;   /* TRUE to retain affixes in RCPT commands */
+  BOOL    return_path_add;        /* Add Return-Path header */
+  BOOL    return_output;          /* TRUE if output should always be returned */
+  BOOL    return_fail_output;     /* ditto, but only on failure */
+  BOOL    log_output;             /* Similarly for logging */
+  BOOL    log_fail_output;
+  BOOL    log_defer_output;
+  BOOL    retry_use_local_part;   /* Defaults true for local, false for remote */
+#ifndef DISABLE_EVENT
+  uschar  *event_action;          /* String to expand on notable events */
+#endif
+} transport_instance;
+
+
+/* Structure for holding information about a type of transport. The first six
+fields must match driver_info above. */
+
+typedef struct transport_info {
+  uschar *driver_name;            /* Driver name */
+  optionlist *options;            /* Table of private options names */
+  int    *options_count;          /* -> Number of entries in table */
+  void   *options_block;          /* Points to default private block */
+  int     options_len;            /* Length of same in bytes */
+  void (*init)(                   /* Initialization function */
+    struct transport_instance *);
+/****/
+  BOOL (*code)(                   /* Main entry point */
+    transport_instance *,
+    struct address_item *);
+  void (*tidyup)(                 /* Tidyup function */
+    struct transport_instance *);
+  void  (*closedown)(             /* For closing down a passed channel */
+    struct transport_instance *);
+  BOOL    local;                  /* TRUE for local transports */
+} transport_info;
+
+
+/* smtp transport datachunk callback */
+
+#define tc_reap_prev	BIT(0)	/* Flags: reap previous SMTP cmd responses */
+#define tc_chunk_last	BIT(1)	/* annotate chunk SMTP cmd as LAST */
+
+struct transport_context;
+typedef int (*tpt_chunk_cmd_cb)(struct transport_context *, unsigned, unsigned);
+
+/* Structure for information about a delivery-in-progress */
+
+typedef struct transport_context {
+  union {			/* discriminated by option topt_output_string */
+    int			  fd;	/* file descriptor to write message to */
+    gstring *		  msg;	/* allocated string with written message */
+  } u;
+  transport_instance	* tblock;		/* transport */
+  struct address_item	* addr;
+  uschar		* check_string;		/* string replacement */
+  uschar		* escape_string;
+  int		  	  options;		/* output processing topt_* */
+
+  /* items below only used with option topt_use_bdat */
+  tpt_chunk_cmd_cb	  chunk_cb;		/* per-datachunk callback */
+  void			* smtp_context;
+} transport_ctx;
+
+
+
+typedef struct {
+  uschar *request;
+  uschar *require;
+} dnssec_domains;
+
+/* Structure for holding information about the configured routers. */
+
+typedef struct router_instance {
+  struct router_instance *next;
+  uschar *name;
+  struct router_info *info;
+  void   *options_block;          /* Pointer to private options */
+  uschar *driver_name;            /* Must be first */
+  const uschar *srcfile;
+  int	  srcline;
+
+  uschar *address_data;           /* Arbitrary data */
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+  uschar *bmi_rule;               /* Brightmail AntiSpam rule checking */
+#endif
+  uschar *cannot_route_message;   /* Used when routing fails */
+  uschar *condition;              /* General condition */
+  uschar *current_directory;      /* For use during delivery */
+  uschar *debug_string;           /* Debugging output */
+  uschar *domains;                /* Specific domains */
+  uschar *errors_to;              /* Errors address */
+  uschar *expand_gid;             /* Expanded gid string */
+  uschar *expand_uid;             /* Expanded uid string */
+  uschar *expand_more;            /* Expanded more string */
+  uschar *expand_unseen;          /* Expanded unseen string */
+  uschar *extra_headers;          /* Additional headers */
+  uschar *fallback_hosts;         /* For remote transports (text list) */
+  uschar *home_directory;         /* For use during delivery */
+  uschar *ignore_target_hosts;    /* Target hosts to ignore */
+  uschar *local_parts;            /* Specific local parts */
+  uschar *pass_router_name;       /* Router for passed address */
+  uschar *prefix;                 /* Address prefix */
+  uschar *redirect_router_name;   /* Router for generated address */
+  uschar *remove_headers;         /* Removed headers */
+  uschar *require_files;          /* File checks before router is run */
+  uschar *router_home_directory;  /* For use while routing */
+  uschar *self;                   /* Text option for handling self reference */
+  uschar *senders;                /* Specific senders */
+  uschar *suffix;                 /* Address suffix */
+  uschar *translate_ip_address;   /* IP address translation fudgery */
+  uschar *transport_name;         /* Transport name */
+
+  BOOL    address_test;           /* Use this router when testing addresses */
+#ifdef EXPERIMENTAL_BRIGHTMAIL
+  BOOL    bmi_deliver_alternate;  /* TRUE => BMI said that message should be delivered to alternate location */
+  BOOL    bmi_deliver_default;    /* TRUE => BMI said that message should be delivered to default location */
+  BOOL    bmi_dont_deliver;       /* TRUE => BMI said that message should not be delivered at all */
+#endif
+  BOOL    expn;                   /* Use this router when processing EXPN */
+  BOOL    caseful_local_part;     /* TRUE => don't lowercase */
+  BOOL    check_local_user;       /* TRUE => check local user */
+  BOOL    disable_logging;        /* For very weird requirements */
+  BOOL    fail_verify_recipient;  /* Fail verify if recipient match this router */
+  BOOL    fail_verify_sender;     /* Fail verify if sender match this router */
+  BOOL    gid_set;                /* Flag to indicate gid is set */
+  BOOL    initgroups;             /* TRUE if initgroups is required */
+  BOOL    log_as_local;           /* TRUE logs as a local delivery */
+  BOOL    more;                   /* If FALSE, do no more if this one fails */
+  BOOL    pass_on_timeout;        /* Treat timeout DEFERs as fails */
+  BOOL    prefix_optional;        /* Just what it says */
+  BOOL    repeat_use;             /* If FALSE, skip if ancestor used it */
+  BOOL    retry_use_local_part;   /* Just what it says */
+  BOOL    same_domain_copy_routing; /* TRUE => copy routing for same domain */
+  BOOL    self_rewrite;           /* TRUE to rewrite headers if making local */
+  uschar *set;			  /* Variable = value to set; list */
+  BOOL    suffix_optional;        /* As it says */
+  BOOL    verify_only;            /* Skip this router if not verifying */
+  BOOL    verify_recipient;       /* Use this router when verifying a recipient*/
+  BOOL    verify_sender;          /* Use this router when verifying a sender */
+  BOOL    uid_set;                /* Flag to indicate uid is set */
+  BOOL    unseen;                 /* If TRUE carry on, even after success */
+  BOOL    dsn_lasthop;            /* If TRUE, this router is a DSN endpoint */
+
+  int     self_code;              /* Encoded version of "self" */
+  uid_t   uid;                    /* Fixed uid value */
+  gid_t   gid;                    /* Fixed gid value */
+
+  host_item *fallback_hostlist;   /* For remote transport (block chain) */
+  transport_instance *transport;  /* Transport block (when found) */
+  struct router_instance *pass_router; /* Actual router for passed address */
+  struct router_instance *redirect_router; /* Actual router for generated address */
+
+  dnssec_domains dnssec;
+} router_instance;
+
+
+/* Structure for holding information about a type of router. The first six
+fields must match driver_info above. */
+
+typedef struct router_info {
+  uschar *driver_name;
+  optionlist *options;            /* Table of private options names */
+  int    *options_count;          /* -> Number of entries in table */
+  void   *options_block;          /* Points to default private block */
+  int     options_len;            /* Length of same in bytes */
+  void (*init)(                   /* Initialization function */
+    struct router_instance *);
+/****/
+  int (*code)(                    /* Main entry point */
+    router_instance *,
+    struct address_item *,
+    struct passwd *,
+    int,
+    struct address_item **,
+    struct address_item **,
+    struct address_item **,
+    struct address_item **);
+  void (*tidyup)(                 /* Tidyup function */
+    struct router_instance *);
+  int     ri_flags;               /* Descriptive flags */
+} router_info;
+
+
+/* Structure for holding information about a lookup type. */
+
+#include "lookupapi.h"
+
+
+/* Structure for holding information about the configured authentication
+mechanisms */
+
+typedef struct auth_instance {
+  struct auth_instance *next;
+  uschar *name;                   /* Exim instance name */
+  struct auth_info *info;         /* Pointer to driver info block */
+  void   *options_block;          /* Pointer to private options */
+  uschar *driver_name;            /* Must be first */
+  const uschar *srcfile;
+  int	  srcline;
+
+  uschar *advertise_condition;    /* Are we going to advertise this?*/
+  uschar *client_condition;       /* Should the client try this? */
+  uschar *public_name;            /* Advertised name */
+  uschar *set_id;                 /* String to set when server as authenticated id */
+  uschar *set_client_id;          /* String to set when client as client_authenticated id */
+  uschar *mail_auth_condition;    /* Condition for AUTH on MAIL command */
+  uschar *server_debug_string;    /* Debugging output */
+  uschar *server_condition;       /* Authorization condition */
+  BOOL    client;                 /* TRUE if client option(s) set */
+  BOOL    server;                 /* TRUE if server options(s) set */
+  BOOL    advertised;             /* Set TRUE when advertised */
+} auth_instance;
+
+
+/* Structure for holding information about an authentication mechanism. The
+first six fields must match driver_info above. */
+
+typedef struct auth_info {
+  uschar *driver_name;            /* e.g. "condition" */
+  optionlist *options;            /* Table of private options names */
+  int    *options_count;          /* -> Number of entries in table */
+  void   *options_block;          /* Points to default private block */
+  int     options_len;            /* Length of same in bytes */
+  void (*init)(                   /* initialization function */
+    struct auth_instance *);
+/****/
+  int (*servercode)(              /* server function */
+    auth_instance *,              /* the instance data */
+    uschar *);                    /* rest of AUTH command */
+  int (*clientcode)(              /* client function */
+    struct auth_instance *,
+    void *,			  /* smtp conn, with socket, output and input buffers */
+    int,                          /* command timeout */
+    uschar *,                     /* buffer for reading response */
+    int);                         /* sizeof buffer */
+  gstring * (*version_report)(    /* diagnostic version reporting */
+    gstring *);                   /* string to append to */
+  void (*macros_create)(void);	  /* feature-macro creation */
+} auth_info;
+
+
+/* Structure for holding a single IP address and port; used for the chain of
+addresses and ports for the local host. Make the char string large enough to
+hold an IPv6 address. */
+
+typedef struct ip_address_item {
+  struct ip_address_item *next;
+  int    port;
+  BOOL   v6_include_v4;            /* Used in the daemon */
+  uschar address[46];
+  uschar * log;			   /* portion of "listening on" log line */
+} ip_address_item;
+
+/* Structure for chaining together arbitrary strings. */
+
+typedef struct string_item {
+  struct string_item *next;
+  uschar *text;
+} string_item;
+
+/* Information about a soft delivery failure, for use when calculating
+retry information. It's separate from the address block, because there
+can be a chain of them for SMTP deliveries where multiple IP addresses
+can be tried. */
+
+typedef struct retry_item {
+  struct retry_item *next;        /* for chaining */
+  uschar *key;                    /* string identifying host/address/message */
+  int     basic_errno;            /* error code for this destination */
+  int     more_errno;             /* additional error information */
+  uschar *message;                /* local error message */
+  int     flags;                  /* see below */
+} retry_item;
+
+/* Retry data flags */
+
+#define rf_delete   0x0001        /* retry info is to be deleted */
+#define rf_host     0x0002        /* retry info is for a remote host */
+#define rf_message  0x0004        /* retry info is for a host+message */
+
+/* Information about a constructed message that is to be sent using the
+autoreply transport. This is pointed to from the address block. */
+
+typedef struct reply_item {
+  uschar *from;                   /* ) */
+  uschar *reply_to;               /* ) */
+  uschar *to;                     /* ) */
+  uschar *cc;                     /* ) specific header fields */
+  uschar *bcc;                    /* ) */
+  uschar *subject;                /* ) */
+  uschar *headers;                /* misc other headers, concatenated */
+  uschar *text;                   /* text string body */
+  uschar *file;                   /* file body */
+  BOOL    file_expand;            /* expand the body */
+  int     expand_forbid;          /* expansion lockout flags */
+  uschar *logfile;                /* file to keep a log in */
+  uschar *oncelog;                /* file to keep records in for once only */
+  time_t  once_repeat;            /* time to repeat "once only" */
+  BOOL    return_message;         /* send back the original message */
+} reply_item;
+
+
+/* The address_item structure contains many fields which are used at various
+times while delivering a message. Some are used only for remote deliveries;
+some only for local. A particular set of fields is copied whenever a child
+address is created. For convenience, we keep those fields in a separate
+sub-structure so they can be copied in one go. This also means I won't forget
+to edit the various copying places when new to-be-copied fields are added. */
+
+typedef struct address_item_propagated {
+  uschar *address_data;           /* arbitrary data to keep with the address */
+  uschar *domain_data;            /* from "domains" lookup */
+  uschar *localpart_data;         /* from "local_parts" lookup */
+  uschar *errors_address;         /* where to send errors (NULL => sender) */
+  header_line *extra_headers;     /* additional headers */
+  uschar *remove_headers;         /* list of those to remove */
+  void   *variables;		  /* router-vasriables */
+
+  BOOL    ignore_error:1;	  /* ignore delivery error */
+#ifdef SUPPORT_I18N
+  BOOL    utf8_msg:1;		  /* requires SMTPUTF8 processing */
+  BOOL	  utf8_downcvt:1;	  /* mandatory downconvert on delivery */
+  BOOL	  utf8_downcvt_maybe:1;	  /* optional downconvert on delivery */
+#endif
+} address_item_propagated;
+
+
+/* The main address structure. Note that fields that are to be copied to
+generated addresses should be put in the address_item_propagated structure (see
+above) rather than directly into the address_item structure. */
+
+typedef struct address_item {
+  struct address_item *next;      /* for chaining addresses */
+  struct address_item *parent;    /* parent address */
+  struct address_item *first;     /* points to first after group delivery */
+  struct address_item *dupof;     /* points to address this is a duplicate of */
+
+  router_instance *start_router;  /* generated address starts here */
+  router_instance *router;        /* the router that routed */
+  transport_instance *transport;  /* the transport to use */
+
+  host_item *host_list;           /* host data for the transport */
+  host_item *host_used;           /* host that took delivery or failed hard */
+  host_item *fallback_hosts;      /* to try if delivery defers */
+
+  reply_item *reply;              /* data for autoreply */
+  retry_item *retries;            /* chain of retry information */
+
+  uschar *address;                /* address being delivered or routed */
+  uschar *unique;                 /* used for disambiguating */
+  uschar *cc_local_part;          /* caseful local part */
+  uschar *lc_local_part;          /* lowercased local part */
+  uschar *local_part;             /* points to cc or lc version */
+  uschar *prefix;                 /* stripped prefix of local part */
+  uschar *prefix_v;		  /*  variable part of above */
+  uschar *suffix;                 /* stripped suffix of local part */
+  uschar *suffix_v;		  /*  variable part of above */
+  const uschar *domain;           /* working domain (lower cased) */
+
+  uschar *address_retry_key;      /* retry key including full address */
+  uschar *domain_retry_key;       /* retry key for domain only */
+
+  uschar *current_dir;            /* current directory for transporting */
+  uschar *home_dir;               /* home directory for transporting */
+  uschar *message;                /* error message */
+  uschar *user_message;           /* error message that can be sent over SMTP
+                                     or quoted in bounce message */
+  uschar *onetime_parent;         /* saved original parent for onetime */
+  uschar **pipe_expandn;          /* numeric expansions for pipe from filter */
+  uschar *return_filename;        /* name of return file */
+  uschar *self_hostname;          /* after self=pass */
+  uschar *shadow_message;         /* info about shadow transporting */
+
+#ifndef DISABLE_TLS
+  const uschar *tlsver;           /* version used for transport */
+  uschar *cipher;                 /* Cipher used for transport */
+  void   *ourcert;                /* Certificate offered to peer, binary */
+  void   *peercert;               /* Certificate from peer, binary */
+  uschar *peerdn;                 /* DN of server's certificate */
+  int    ocsp;			  /* OCSP status of peer cert */
+#endif
+
+#ifdef EXPERIMENTAL_DSN_INFO
+  const uschar *smtp_greeting;	  /* peer self-identification */
+  const uschar *helo_response;	  /* peer message */
+#endif
+
+  uschar *authenticator;	  /* auth driver name used by transport */
+  uschar *auth_id;		  /* auth "login" name used by transport */
+  uschar *auth_sndr;		  /* AUTH arg to SMTP MAIL, used by transport */
+
+  uschar *dsn_orcpt;              /* DSN orcpt value */
+  int     dsn_flags;              /* DSN flags */
+  int     dsn_aware;              /* DSN aware flag */
+
+  uid_t   uid;                    /* uid for transporting */
+  gid_t   gid;                    /* gid for transporting */
+
+  				  /* flags */
+  struct {
+    BOOL af_allow_file:1;		/* allow file in generated address */
+    BOOL af_allow_pipe:1;		/* allow pipe in generated address */
+    BOOL af_allow_reply:1;		/* allow autoreply in generated address */
+    BOOL af_dr_retry_exists:1;		/* router retry record exists */
+    BOOL af_expand_pipe:1;		/* expand pipe arguments */
+    BOOL af_file:1;			/* file delivery; always with pfr */
+    BOOL af_gid_set:1;			/* gid field is set */
+    BOOL af_home_expanded:1;		/* home_dir is already expanded */
+    BOOL af_initgroups:1;		/* use initgroups() for local transporting */
+    BOOL af_local_host_removed:1;	/* local host was backup */
+    BOOL af_lt_retry_exists:1;		/* local transport retry exists */
+    BOOL af_pfr:1;			/* pipe or file or reply delivery */
+    BOOL af_retry_skipped:1;		/* true if retry caused some skipping */
+    BOOL af_retry_timedout:1;		/* true if retry timed out */
+    BOOL af_uid_set:1;			/* uid field is set */
+    BOOL af_hide_child:1;		/* hide child in bounce/defer msgs */
+    BOOL af_sverify_told:1;		/* sender verify failure notified */
+    BOOL af_verify_pmfail:1;		/* verify failure was postmaster callout */
+    BOOL af_verify_nsfail:1;		/* verify failure was null sender callout */
+    BOOL af_homonym:1;			/* an ancestor has same address */
+    BOOL af_verify_routed:1;		/* for cached sender verify: routed OK */
+    BOOL af_verify_callout:1;		/* for cached sender verify: callout was specified */
+    BOOL af_include_affixes:1;		/* delivered with affixes in RCPT */
+    BOOL af_new_conn:1;			/* delivered on an fresh TCP conn */
+    BOOL af_cont_conn:1;		/* delivered (with new MAIL cmd) on an existing TCP conn */
+    BOOL af_cert_verified:1;		/* delivered with verified TLS cert */
+    BOOL af_pass_message:1;		/* pass message in bounces */
+    BOOL af_bad_reply:1;		/* filter could not generate autoreply */
+    BOOL af_tcp_fastopen_conn:1;	/* delivery connection used TCP Fast Open */
+    BOOL af_tcp_fastopen:1;		/* delivery usefully used TCP Fast Open */
+    BOOL af_tcp_fastopen_data:1;	/* delivery sent SMTP commands on TCP Fast Open */
+    BOOL af_pipelining:1;		/* delivery used (traditional) pipelining */
+#ifndef DISABLE_PIPE_CONNECT
+    BOOL af_early_pipe:1;		/* delivery used connect-time pipelining */
+#endif
+#ifndef DISABLE_PRDR
+    BOOL af_prdr_used:1;		/* delivery used SMTP PRDR */
+#endif
+    BOOL af_chunking_used:1;		/* delivery used SMTP CHUNKING */
+    BOOL af_force_command:1;		/* force_command in pipe transport */
+#ifdef SUPPORT_DANE
+    BOOL af_dane_verified:1;		/* TLS cert verify done with DANE */
+#endif
+#ifdef SUPPORT_I18N
+    BOOL af_utf8_downcvt:1;		/* downconvert was done for delivery */
+#endif
+#ifndef DISABLE_TLS_RESUME
+    BOOL af_tls_resume:1;		/* TLS used a resumed session */
+#endif
+  } flags;
+
+  unsigned int domain_cache[(MAX_NAMED_LIST * 2)/32];
+  unsigned int localpart_cache[(MAX_NAMED_LIST * 2)/32];
+  int     mode;                   /* mode for local transporting to a file */
+  int	  basic_errno;		  /* status after failure */
+  int     more_errno;             /* additional error information */
+  struct timeval delivery_time;   /* time taken to do delivery/attempt */
+
+  unsigned short child_count;     /* number of child addresses */
+  short int return_file;          /* fileno of return data file */
+  short int special_action;       /* ( used when when deferred or failed */
+                                  /* (  also  */
+                                  /* ( contains = or - when successful SMTP delivered */
+                                  /* (  also  */
+                                  /* ( contains verify rc in sender verify cache */
+  short int transport_return;     /* result of delivery attempt */
+  address_item_propagated prop;   /* fields that are propagated to children */
+} address_item;
+
+/* The table of header names consists of items of this type */
+
+typedef struct {
+  uschar *name;
+  int     len;
+  BOOL    allow_resent;
+  int     htype;
+} header_name;
+
+/* Chain of information about errors (e.g. bad addresses) */
+
+typedef struct error_block {
+  struct error_block *next;
+  const uschar *text1;
+  uschar *text2;
+} error_block;
+
+/* Chain of file names when processing the queue */
+
+typedef struct queue_filename {
+  struct queue_filename *next;
+  uschar dir_uschar;
+  uschar text[1];
+} queue_filename;
+
+/* Chain of items of retry information, read from the retry config. */
+
+typedef struct retry_rule {
+  struct retry_rule *next;
+  int    rule;
+  int    timeout;
+  int    p1;
+  int    p2;
+} retry_rule;
+
+typedef struct retry_config {
+  struct retry_config *next;
+  uschar *pattern;
+  int     basic_errno;
+  int     more_errno;
+  uschar *senders;
+  retry_rule *rules;
+} retry_config;
+
+/* Structure for each node in a tree, of which there are various kinds */
+
+typedef struct tree_node {
+  struct tree_node *left;         /* pointer to left child */
+  struct tree_node *right;        /* pointer to right child */
+  union
+    {
+    void  *ptr;                   /* pointer to data */
+    int val;                      /* or integer data */
+    } data;
+  uschar  balance;                /* balancing factor */
+  uschar  name[1];                /* node name - variable length */
+} tree_node;
+
+/* Structure for holding time-limited data such as DNS returns.
+We use this rather than extending tree_node to avoid wasting
+space for most tree use (variables...) at the cost of complexity
+for the lookups cache.
+We also store any options used for the lookup. */
+
+typedef struct expiring_data {
+  time_t	expiry;		/* if nonzero, data invalid after this time */
+  const uschar * opts;		/* options, or NULL */
+  union
+    {
+    void  *	ptr;		/* pointer to data */
+    int		val;		/* or integer data */
+    } data;
+} expiring_data;
+
+/* Structure for holding the handle and the cached last lookup for searches.
+This block is pointed to by the tree entry for the file. The file can get
+closed if too many are opened at once. There is a LRU chain for deciding which
+to close. */
+
+typedef struct search_cache {
+  void   *handle;                 /* lookup handle, or NULL if closed */
+  int search_type;                /* search type */
+  tree_node *up;                  /* LRU up pointer */
+  tree_node *down;                /* LRU down pointer */
+  tree_node *item_cache;          /* tree of cached results */
+} search_cache;
+
+/* Structure for holding a partially decoded DNS record; the name has been
+uncompressed, but the data pointer is into the raw data. */
+
+typedef struct {
+  uschar        name[DNS_MAXNAME];      /* domain name */
+  int           type;                   /* record type */
+  unsigned short ttl;		        /* time-to-live, seconds */
+  int           size;                   /* size of data */
+  const uschar *data;                   /* pointer to data */
+} dns_record;
+
+/* Structure for holding the result of a DNS query.  A touch over
+64k big, so take care to release as soon as possible. */
+
+typedef struct {
+  int     answerlen;              /* length of the answer */
+  uschar  answer[NS_MAXMSG];      /* the answer itself */
+} dns_answer;
+
+/* Structure for holding the intermediate data while scanning a DNS answer
+block. */
+
+typedef struct {
+  int            rrcount;         /* count of RRs in the answer */
+  const uschar *aptr;             /* pointer in the answer while scanning */
+  dns_record     srr;             /* data from current record in scan */
+} dns_scan;
+
+/* Structure for holding a chain of IP addresses that are extracted from
+an A, AAAA, or A6 record. For the first two, there is only ever one address,
+but the chaining feature of A6 allows for several addresses to be realized from
+a single initial A6 record. The structure defines the address field of length
+1. In use, a suitable sized block is obtained to hold the complete textual
+address. */
+
+typedef struct dns_address {
+  struct dns_address *next;
+  uschar  address[1];
+} dns_address;
+
+/* Structure used for holding intermediate data during MD5 computations. */
+
+typedef struct md5 {
+  unsigned int length;
+  unsigned int abcd[4];
+  }
+md5;
+
+/* Structure used for holding intermediate data during SHA-1 computations. */
+
+typedef struct sha1 {
+  unsigned int H[5];
+  unsigned int length;
+} sha1;
+
+/* Information for making an smtp connection */
+typedef struct {
+  transport_instance *  tblock;
+  void *		ob;	/* smtp_transport_options_block * */
+  host_item *           host;
+  int                   host_af;
+  uschar *              interface;
+
+  int			sock;	/* used for a bound but not connected socket */
+  uschar *		sending_ip_address;	/* used for TLS resumption */
+  const uschar *	host_lbserver;		/* ditto, for server-behind LB */
+  BOOL			have_lbserver:1;	/* host_lbserver is valid */
+
+#ifdef SUPPORT_DANE
+  BOOL dane:1;			/* connection must do dane */
+  dns_answer		tlsa_dnsa;	/* strictly, this should use tainted mem */
+#endif
+} smtp_connect_args;
+
+/* A client-initiated connection. If TLS, the second element is non-NULL */
+typedef struct {
+  int	sock;
+  void * tls_ctx;
+} client_conn_ctx;
+
+
+/* Structure used to hold incoming packets of SMTP responses for a specific
+socket. The packets which may contain multiple lines (and in some cases,
+multiple responses). */
+
+typedef struct smtp_inblock {
+  client_conn_ctx * cctx;	  /* the connection */
+  int     buffersize;             /* the size of the buffer */
+  uschar *ptr;                    /* current position in the buffer */
+  uschar *ptrend;                 /* end of data in the buffer */
+  uschar *buffer;                 /* the buffer itself */
+} smtp_inblock;
+
+/* Structure used to hold buffered outgoing packets of SMTP commands for a
+specific socket. The packets which may contain multiple lines when pipelining
+is in use. */
+
+typedef struct smtp_outblock {
+  client_conn_ctx * cctx;	  /* the connection */
+  int     cmd_count;              /* count of buffered commands */
+  int     buffersize;             /* the size of the buffer */
+  BOOL    authenticating;         /* TRUE when authenticating */
+  uschar *ptr;                    /* current position in the buffer */
+  uschar *buffer;                 /* the buffer itself */
+
+  smtp_connect_args * conn_args;  /* to make connection, if not yet made */
+} smtp_outblock;
+
+/* Structure to hold information about the source of redirection information */
+
+typedef struct redirect_block {
+  uschar *string;                 /* file name or string */
+  uid_t  *owners;                 /* allowed file owners */
+  gid_t  *owngroups;              /* allowed file groups */
+  struct passwd *pw;              /* possible owner if not NULL */
+  int     modemask;               /* forbidden bits */
+  BOOL    isfile;                 /* TRUE if string is a file name */
+  BOOL    check_owner;            /* TRUE, FALSE, or TRUE_UNSET */
+  BOOL    check_group;            /* TRUE, FALSE, or TRUE_UNSET */
+} redirect_block;
+
+/* Structure for passing arguments to check_host() */
+
+typedef struct check_host_block {
+  const uschar *host_name;
+  const uschar *host_address;
+  const uschar *host_ipv4;
+  BOOL   negative;
+} check_host_block;
+
+/* Structure for remembering lookup data when caching the result of
+a lookup in a named list. */
+
+typedef struct namedlist_cacheblock {
+  struct namedlist_cacheblock *next;
+  uschar *key;
+  uschar *data;
+} namedlist_cacheblock;
+
+/* Structure for holding data for an entry in a named list */
+
+typedef struct namedlist_block {
+  const uschar *string;			/* the list string */
+  namedlist_cacheblock *cache_data;	/* cached domain_data or localpart_data */
+  short		number;			/* the number of the list for caching */
+  BOOL		hide;			/* -bP does not display value */
+} namedlist_block;
+
+/* Structures for Access Control Lists */
+
+typedef struct acl_condition_block {
+  struct acl_condition_block *	next;
+  uschar *			arg;
+  int				type;
+  union {
+    BOOL	negated;
+    uschar *	varname;
+  } u;
+} acl_condition_block;
+
+typedef struct acl_block {
+  struct acl_block *	next;
+  acl_condition_block *	condition;
+  int			verb;
+  int			srcline;
+  const uschar *	srcfile;
+} acl_block;
+
+/* smtp transport calc outbound_ip */
+typedef BOOL (*oicf) (uschar *message_id, void *data);
+
+/* DKIM information for transport */
+struct ob_dkim {
+  uschar *dkim_domain;
+  uschar *dkim_identity;
+  uschar *dkim_private_key;
+  uschar *dkim_selector;
+  uschar *dkim_canon;
+  uschar *dkim_sign_headers;
+  uschar *dkim_strict;
+  uschar *dkim_hash;
+  uschar *dkim_timestamps;
+  BOOL    dot_stuffed;
+  BOOL    force_bodyhash;
+#ifdef EXPERIMENTAL_ARC
+  uschar *arc_signspec;
+#endif
+};
+
+/* End of structs.h */
diff --git a/src/tls-cipher-stdname.c b/src/tls-cipher-stdname.c
new file mode 100644
index 0000000..ab973af
--- /dev/null
+++ b/src/tls-cipher-stdname.c
@@ -0,0 +1,393 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Jeremy Harris 2019 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Translate an IETF TLS ciphersuite code to an IETF ciphersuite name,
+for use when the TLS library do not provide such names.
+This file is #included by the tls-<library>.c file.
+
+Values for these tables pulled on 2019/02/03 from
+https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
+
+
+
+static const uschar * ctb_00[] = {
+[0x00] = US "TLS_NULL_WITH_NULL_NULL",
+[0x01] = US "TLS_RSA_WITH_NULL_MD5",
+[0x02] = US "TLS_RSA_WITH_NULL_SHA",
+[0x03] = US "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
+[0x04] = US "TLS_RSA_WITH_RC4_128_MD5",
+[0x05] = US "TLS_RSA_WITH_RC4_128_SHA",
+[0x06] = US "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
+[0x07] = US "TLS_RSA_WITH_IDEA_CBC_SHA",
+[0x08] = US "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
+[0x09] = US "TLS_RSA_WITH_DES_CBC_SHA",
+[0x0A] = US "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x0B] = US "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
+[0x0C] = US "TLS_DH_DSS_WITH_DES_CBC_SHA",
+[0x0D] = US "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
+[0x0E] = US "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
+[0x0F] = US "TLS_DH_RSA_WITH_DES_CBC_SHA",
+[0x10] = US "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x11] = US "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+[0x12] = US "TLS_DHE_DSS_WITH_DES_CBC_SHA",
+[0x13] = US "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+[0x14] = US "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+[0x15] = US "TLS_DHE_RSA_WITH_DES_CBC_SHA",
+[0x16] = US "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x17] = US "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
+[0x18] = US "TLS_DH_anon_WITH_RC4_128_MD5",
+[0x19] = US "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
+[0x1A] = US "TLS_DH_anon_WITH_DES_CBC_SHA",
+[0x1B] = US "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
+
+[0x1E] = US "TLS_KRB5_WITH_DES_CBC_SHA",
+[0x1F] = US "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
+[0x20] = US "TLS_KRB5_WITH_RC4_128_SHA",
+[0x21] = US "TLS_KRB5_WITH_IDEA_CBC_SHA",
+[0x22] = US "TLS_KRB5_WITH_DES_CBC_MD5",
+[0x23] = US "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
+[0x24] = US "TLS_KRB5_WITH_RC4_128_MD5",
+[0x25] = US "TLS_KRB5_WITH_IDEA_CBC_MD5",
+[0x26] = US "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
+[0x27] = US "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
+[0x28] = US "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
+[0x29] = US "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
+[0x2A] = US "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
+[0x2B] = US "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
+[0x2C] = US "TLS_PSK_WITH_NULL_SHA",
+[0x2D] = US "TLS_DHE_PSK_WITH_NULL_SHA",
+[0x2E] = US "TLS_RSA_PSK_WITH_NULL_SHA",
+[0x2F] = US "TLS_RSA_WITH_AES_128_CBC_SHA",
+[0x30] = US "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
+[0x31] = US "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
+[0x32] = US "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+[0x33] = US "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+[0x34] = US "TLS_DH_anon_WITH_AES_128_CBC_SHA",
+[0x35] = US "TLS_RSA_WITH_AES_256_CBC_SHA",
+[0x36] = US "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
+[0x37] = US "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
+[0x38] = US "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+[0x39] = US "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+[0x3A] = US "TLS_DH_anon_WITH_AES_256_CBC_SHA",
+[0x3B] = US "TLS_RSA_WITH_NULL_SHA256",
+[0x3C] = US "TLS_RSA_WITH_AES_128_CBC_SHA256",
+[0x3D] = US "TLS_RSA_WITH_AES_256_CBC_SHA256",
+[0x3E] = US "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
+[0x3F] = US "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
+[0x40] = US "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+[0x41] = US "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
+[0x42] = US "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
+[0x43] = US "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
+[0x44] = US "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
+[0x45] = US "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
+[0x46] = US "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
+
+[0x67] = US "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+[0x68] = US "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
+[0x69] = US "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
+[0x6A] = US "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+[0x6B] = US "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+[0x6C] = US "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
+[0x6D] = US "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
+
+[0x84] = US "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
+[0x85] = US "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
+[0x86] = US "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
+[0x87] = US "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
+[0x88] = US "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
+[0x89] = US "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
+[0x8A] = US "TLS_PSK_WITH_RC4_128_SHA",
+[0x8B] = US "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
+[0x8C] = US "TLS_PSK_WITH_AES_128_CBC_SHA",
+[0x8D] = US "TLS_PSK_WITH_AES_256_CBC_SHA",
+[0x8E] = US "TLS_DHE_PSK_WITH_RC4_128_SHA",
+[0x8F] = US "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
+[0x90] = US "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
+[0x91] = US "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
+[0x92] = US "TLS_RSA_PSK_WITH_RC4_128_SHA",
+[0x93] = US "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
+[0x94] = US "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
+[0x95] = US "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
+[0x96] = US "TLS_RSA_WITH_SEED_CBC_SHA",
+[0x97] = US "TLS_DH_DSS_WITH_SEED_CBC_SHA",
+[0x98] = US "TLS_DH_RSA_WITH_SEED_CBC_SHA",
+[0x99] = US "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
+[0x9A] = US "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
+[0x9B] = US "TLS_DH_anon_WITH_SEED_CBC_SHA",
+[0x9C] = US "TLS_RSA_WITH_AES_128_GCM_SHA256",
+[0x9D] = US "TLS_RSA_WITH_AES_256_GCM_SHA384",
+[0x9E] = US "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+[0x9F] = US "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+[0xA0] = US "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
+[0xA1] = US "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
+[0xA2] = US "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+[0xA3] = US "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
+[0xA4] = US "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
+[0xA5] = US "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
+[0xA6] = US "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
+[0xA7] = US "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
+[0xA8] = US "TLS_PSK_WITH_AES_128_GCM_SHA256",
+[0xA9] = US "TLS_PSK_WITH_AES_256_GCM_SHA384",
+[0xAA] = US "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
+[0xAB] = US "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
+[0xAC] = US "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
+[0xAD] = US "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
+[0xAE] = US "TLS_PSK_WITH_AES_128_CBC_SHA256",
+[0xAF] = US "TLS_PSK_WITH_AES_256_CBC_SHA384",
+[0xB0] = US "TLS_PSK_WITH_NULL_SHA256",
+[0xB1] = US "TLS_PSK_WITH_NULL_SHA384",
+[0xB2] = US "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
+[0xB3] = US "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
+[0xB4] = US "TLS_DHE_PSK_WITH_NULL_SHA256",
+[0xB5] = US "TLS_DHE_PSK_WITH_NULL_SHA384",
+[0xB6] = US "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
+[0xB7] = US "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
+[0xB8] = US "TLS_RSA_PSK_WITH_NULL_SHA256",
+[0xB9] = US "TLS_RSA_PSK_WITH_NULL_SHA384",
+[0xBA] = US "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBB] = US "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBC] = US "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBD] = US "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBE] = US "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBF] = US "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
+[0xC0] = US "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC1] = US "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC2] = US "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC3] = US "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC4] = US "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC5] = US "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
+};
+static const uschar * ctb_13[] = {
+[0x01] = US "TLS_AES_128_GCM_SHA256",
+[0x02] = US "TLS_AES_256_GCM_SHA384",
+[0x03] = US "TLS_CHACHA20_POLY1305_SHA256",
+[0x04] = US "TLS_AES_128_CCM_SHA256",
+[0x05] = US "TLS_AES_128_CCM_8_SHA256",
+};
+static const uschar * ctb_c0[] = {
+[0x01] = US "TLS_ECDH_ECDSA_WITH_NULL_SHA",
+[0x02] = US "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+[0x03] = US "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+[0x04] = US "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+[0x05] = US "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+[0x06] = US "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+[0x07] = US "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+[0x08] = US "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+[0x09] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+[0x0A] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+[0x0B] = US "TLS_ECDH_RSA_WITH_NULL_SHA",
+[0x0C] = US "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+[0x0D] = US "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x0E] = US "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+[0x0F] = US "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+[0x10] = US "TLS_ECDHE_RSA_WITH_NULL_SHA",
+[0x11] = US "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+[0x12] = US "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x13] = US "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+[0x14] = US "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+[0x15] = US "TLS_ECDH_anon_WITH_NULL_SHA",
+[0x16] = US "TLS_ECDH_anon_WITH_RC4_128_SHA",
+[0x17] = US "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+[0x18] = US "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+[0x19] = US "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
+[0x1A] = US "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
+[0x1B] = US "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x1C] = US "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
+[0x1D] = US "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
+[0x1E] = US "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
+[0x1F] = US "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
+[0x20] = US "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
+[0x21] = US "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
+[0x22] = US "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
+[0x23] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+[0x24] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+[0x25] = US "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
+[0x26] = US "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
+[0x27] = US "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+[0x28] = US "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+[0x29] = US "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
+[0x2A] = US "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
+[0x2B] = US "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+[0x2C] = US "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+[0x2D] = US "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+[0x2E] = US "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
+[0x2F] = US "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+[0x30] = US "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+[0x31] = US "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+[0x32] = US "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
+[0x33] = US "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
+[0x34] = US "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
+[0x35] = US "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
+[0x36] = US "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
+[0x37] = US "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
+[0x38] = US "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
+[0x39] = US "TLS_ECDHE_PSK_WITH_NULL_SHA",
+[0x3A] = US "TLS_ECDHE_PSK_WITH_NULL_SHA256",
+[0x3B] = US "TLS_ECDHE_PSK_WITH_NULL_SHA384",
+[0x3C] = US "TLS_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x3D] = US "TLS_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x3E] = US "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256",
+[0x3F] = US "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384",
+[0x40] = US "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x41] = US "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x42] = US "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256",
+[0x43] = US "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384",
+[0x44] = US "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x45] = US "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x46] = US "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256",
+[0x47] = US "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384",
+[0x48] = US "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256",
+[0x49] = US "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384",
+[0x4A] = US "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256",
+[0x4B] = US "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384",
+[0x4C] = US "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x4D] = US "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x4E] = US "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x4F] = US "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x50] = US "TLS_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x51] = US "TLS_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x52] = US "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x53] = US "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x54] = US "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x55] = US "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x56] = US "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256",
+[0x57] = US "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384",
+[0x58] = US "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256",
+[0x59] = US "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384",
+[0x5A] = US "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256",
+[0x5B] = US "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384",
+[0x5C] = US "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256",
+[0x5D] = US "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384",
+[0x5E] = US "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256",
+[0x5F] = US "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384",
+[0x60] = US "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x61] = US "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x62] = US "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x63] = US "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x64] = US "TLS_PSK_WITH_ARIA_128_CBC_SHA256",
+[0x65] = US "TLS_PSK_WITH_ARIA_256_CBC_SHA384",
+[0x66] = US "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256",
+[0x67] = US "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384",
+[0x68] = US "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256",
+[0x69] = US "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384",
+[0x6A] = US "TLS_PSK_WITH_ARIA_128_GCM_SHA256",
+[0x6B] = US "TLS_PSK_WITH_ARIA_256_GCM_SHA384",
+[0x6C] = US "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256",
+[0x6D] = US "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384",
+[0x6E] = US "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256",
+[0x6F] = US "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384",
+[0x70] = US "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256",
+[0x71] = US "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384",
+[0x72] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0x73] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
+[0x74] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0x75] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
+[0x76] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0x77] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
+[0x78] = US "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0x79] = US "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384",
+[0x7A] = US "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x7B] = US "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x7C] = US "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x7D] = US "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x7E] = US "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x7F] = US "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x80] = US "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256",
+[0x81] = US "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384",
+[0x82] = US "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256",
+[0x83] = US "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384",
+[0x84] = US "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256",
+[0x85] = US "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384",
+[0x86] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x87] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x88] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x89] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x8A] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x8B] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x8C] = US "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x8D] = US "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x8E] = US "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+[0x8F] = US "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+[0x90] = US "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+[0x91] = US "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+[0x92] = US "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+[0x93] = US "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+[0x94] = US "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+[0x95] = US "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+[0x96] = US "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+[0x97] = US "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+[0x98] = US "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+[0x99] = US "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+[0x9A] = US "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+[0x9B] = US "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+[0x9C] = US "TLS_RSA_WITH_AES_128_CCM",
+[0x9D] = US "TLS_RSA_WITH_AES_256_CCM",
+[0x9E] = US "TLS_DHE_RSA_WITH_AES_128_CCM",
+[0x9F] = US "TLS_DHE_RSA_WITH_AES_256_CCM",
+[0xA0] = US "TLS_RSA_WITH_AES_128_CCM_8",
+[0xA1] = US "TLS_RSA_WITH_AES_256_CCM_8",
+[0xA2] = US "TLS_DHE_RSA_WITH_AES_128_CCM_8",
+[0xA3] = US "TLS_DHE_RSA_WITH_AES_256_CCM_8",
+[0xA4] = US "TLS_PSK_WITH_AES_128_CCM",
+[0xA5] = US "TLS_PSK_WITH_AES_256_CCM",
+[0xA6] = US "TLS_DHE_PSK_WITH_AES_128_CCM",
+[0xA7] = US "TLS_DHE_PSK_WITH_AES_256_CCM",
+[0xA8] = US "TLS_PSK_WITH_AES_128_CCM_8",
+[0xA9] = US "TLS_PSK_WITH_AES_256_CCM_8",
+[0xAA] = US "TLS_PSK_DHE_WITH_AES_128_CCM_8",
+[0xAB] = US "TLS_PSK_DHE_WITH_AES_256_CCM_8",
+[0xAC] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
+[0xAD] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
+[0xAE] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
+[0xAF] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
+[0xB0] = US "TLS_ECCPWD_WITH_AES_128_GCM_SHA256",
+[0xB1] = US "TLS_ECCPWD_WITH_AES_256_GCM_SHA384",
+[0xB2] = US "TLS_ECCPWD_WITH_AES_128_CCM_SHA256",
+[0xB3] = US "TLS_ECCPWD_WITH_AES_256_CCM_SHA384",
+[0xB4] = US "TLS_SHA256_SHA256",
+[0xB5] = US "TLS_SHA384_SHA384",
+};
+static const uschar * ctb_cc[] = {
+[0xA8] = US "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+[0xA9] = US "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+[0xAA] = US "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+[0xAB] = US "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
+[0xAC] = US "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+[0xAD] = US "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+[0xAE] = US "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256",
+};
+static const uschar * ctb_d0[] = {
+[0x01] = US "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256",
+[0x02] = US "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384",
+[0x03] = US "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256",
+
+[0x05] = US "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256",
+};
+
+static const uschar *
+cipher_stdname_tb(uschar idx, const uschar ** tb, int lim)
+{
+return idx >= lim ? NULL : tb[idx];
+}
+
+static const uschar *
+cipher_stdname(uschar id0, uschar id1)
+{
+switch (id0)
+  {
+  case 0x00:	return cipher_stdname_tb(id1, ctb_00, nelem(ctb_00));
+  case 0x13:	return cipher_stdname_tb(id1, ctb_13, nelem(ctb_00));
+  case 0xc0:	return cipher_stdname_tb(id1, ctb_c0, nelem(ctb_c0));
+  case 0xcc:	return cipher_stdname_tb(id1, ctb_cc, nelem(ctb_cc));
+  case 0xd0:	return cipher_stdname_tb(id1, ctb_d0, nelem(ctb_d0));
+  default:	return NULL;
+  }
+}
+
+/* vi: aw ai sw=2
+*/
+/* End of tls-cipher-stdname.c */
diff --git a/src/tls-gnu.c b/src/tls-gnu.c
new file mode 100644
index 0000000..fcb8f7a
--- /dev/null
+++ b/src/tls-gnu.c
@@ -0,0 +1,4280 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) Phil Pennock 2012 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This file provides TLS/SSL support for Exim using the GnuTLS library,
+one of the available supported implementations.  This file is #included into
+tls.c when USE_GNUTLS has been set.
+
+The code herein is a revamp of GnuTLS integration using the current APIs; the
+original tls-gnu.c was based on a patch which was contributed by Nikos
+Mavrogiannopoulos.  The revamp is partially a rewrite, partially cut&paste as
+appropriate.
+
+APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
+which is not widely deployed by OS vendors.  Will note issues below, which may
+assist in updating the code in the future.  Another sources of hints is
+mod_gnutls for Apache (SNI callback registration and handling).
+
+Keeping client and server variables more split than before and is currently
+the norm, in anticipation of TLS in ACL callouts.
+
+I wanted to switch to gnutls_certificate_set_verify_function() so that
+certificate rejection could happen during handshake where it belongs, rather
+than being dropped afterwards, but that was introduced in 2.10.0 and Debian
+(6.0.5) is still on 2.8.6.  So for now we have to stick with sub-par behaviour.
+
+(I wasn't looking for libraries quite that old, when updating to get rid of
+compiler warnings of deprecated APIs.  If it turns out that a lot of the rest
+require current GnuTLS, then we'll drop support for the ancient libraries).
+*/
+
+#include <gnutls/gnutls.h>
+/* needed for cert checks in verification and DN extraction: */
+#include <gnutls/x509.h>
+/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
+#include <gnutls/crypto.h>
+
+/* needed to disable PKCS11 autoload unless requested */
+#if GNUTLS_VERSION_NUMBER >= 0x020c00
+# include <gnutls/pkcs11.h>
+# define SUPPORT_PARAM_TO_PK_BITS
+#endif
+#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
+# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
+# define DISABLE_OCSP
+#endif
+#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
+# warning "GnuTLS library version too old; tls:cert event unsupported"
+# define DISABLE_EVENT
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030000
+# define SUPPORT_SELFSIGN	/* Uncertain what version is first usable but 2.12.23 is not */
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030306
+# define SUPPORT_CA_DIR
+#else
+# undef  SUPPORT_CA_DIR
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030014
+# define SUPPORT_SYSDEFAULT_CABUNDLE
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030104
+# define GNUTLS_CERT_VFY_STATUS_PRINT
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030109
+# define SUPPORT_CORK
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x03010a
+# define SUPPORT_GNUTLS_SESS_DESC
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030300
+# define GNUTLS_AUTO_GLOBAL_INIT
+# define GNUTLS_AUTO_PKCS11_MANUAL
+#endif
+#if (GNUTLS_VERSION_NUMBER >= 0x030404) \
+  || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
+# ifndef DISABLE_OCSP
+#  define EXIM_HAVE_OCSP
+# endif
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030500
+# define SUPPORT_GNUTLS_KEYLOG
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
+# define SUPPORT_SRV_OCSP_STACK
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+# define EXIM_HAVE_TLS1_3
+# define SUPPORT_GNUTLS_EXT_RAW_PARSE
+# define GNUTLS_OCSP_STATUS_REQUEST_GET2
+#endif
+
+#ifdef SUPPORT_DANE
+# if GNUTLS_VERSION_NUMBER >= 0x030000
+#  define DANESSL_USAGE_DANE_TA 2
+#  define DANESSL_USAGE_DANE_EE 3
+# else
+#  error GnuTLS version too early for DANE
+# endif
+# if GNUTLS_VERSION_NUMBER < 0x999999
+#  define GNUTLS_BROKEN_DANE_VALIDATION
+# endif
+#endif
+
+#ifndef DISABLE_TLS_RESUME
+# if GNUTLS_VERSION_NUMBER >= 0x030603
+#  define EXIM_HAVE_TLS_RESUME
+# else
+#  warning "GnuTLS library version too old; resumption unsupported"
+# endif
+#endif
+
+#if GNUTLS_VERSION_NUMBER >= 0x030200
+# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+#  define EXIM_HAVE_ALPN
+# endif
+#endif
+
+#ifndef DISABLE_OCSP
+# include <gnutls/ocsp.h>
+#endif
+#ifdef SUPPORT_DANE
+# include <gnutls/dane.h>
+#endif
+
+#include "tls-cipher-stdname.c"
+
+
+#ifdef MACRO_PREDEF
+void
+options_tls(void)
+{
+# ifndef DISABLE_TLS_RESUME
+builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
+# endif
+# ifdef EXIM_HAVE_TLS1_3
+builtin_macro_create(US"_HAVE_TLS1_3");
+# endif
+# ifdef EXIM_HAVE_OCSP
+builtin_macro_create(US"_HAVE_TLS_OCSP");
+# endif
+# ifdef SUPPORT_SRV_OCSP_STACK
+builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
+# endif
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+builtin_macro_create(US"_HAVE_TLS_CA_CACHE");
+# endif
+# ifdef EXIM_HAVE_ALPN
+builtin_macro_create(US"_HAVE_TLS_ALPN");
+# endif
+}
+#else
+
+
+/* GnuTLS 2 vs 3
+
+GnuTLS 3 only:
+  gnutls_global_set_audit_log_function()
+
+Changes:
+  gnutls_certificate_verify_peers2(): is new, drop the 2 for old version
+*/
+
+/* Local static variables for GnuTLS */
+
+/* Values for verify_requirement */
+
+enum peer_verify_requirement
+  { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE };
+
+/* This holds most state for server or client; with this, we can set up an
+outbound TLS-enabled connection in an ACL callout, while not stomping all
+over the TLS variables available for expansion.
+
+Some of these correspond to variables in globals.c; those variables will
+be set to point to content in one of these instances, as appropriate for
+the stage of the process lifetime.
+
+Not handled here: global tlsp->tls_channelbinding.
+*/
+
+typedef struct exim_gnutls_state {
+  gnutls_session_t	session;
+
+  exim_tlslib_state	lib_state;
+#define x509_cred		libdata0
+#define pri_cache		libdata1
+
+  enum peer_verify_requirement verify_requirement;
+  int			fd_in;
+  int			fd_out;
+
+  BOOL			peer_cert_verified:1;
+  BOOL			peer_dane_verified:1;
+  BOOL			trigger_sni_changes:1;
+  BOOL			have_set_peerdn:1;
+  BOOL			xfer_eof:1;	/*XXX never gets set! */
+  BOOL			xfer_error:1;
+#ifdef SUPPORT_CORK
+  BOOL			corked:1;
+#endif
+
+  const struct host_item *host;		/* NULL if server */
+  gnutls_x509_crt_t	peercert;
+  uschar		*peerdn;
+  uschar		*ciphersuite;
+  uschar		*received_sni;
+
+  const uschar *tls_certificate;
+  const uschar *tls_privatekey;
+  const uschar *tls_sni; /* client send only, not received */
+  const uschar *tls_verify_certificates;
+  const uschar *tls_crl;
+  const uschar *tls_require_ciphers;
+
+  uschar *exp_tls_certificate;
+  uschar *exp_tls_privatekey;
+  uschar *exp_tls_verify_certificates;
+  uschar *exp_tls_crl;
+  uschar *exp_tls_require_ciphers;
+  const uschar *exp_tls_verify_cert_hostnames;
+#ifndef DISABLE_EVENT
+  uschar *event_action;
+#endif
+#ifdef SUPPORT_DANE
+  char * const *	dane_data;
+  const int *		dane_data_len;
+#endif
+
+  tls_support *tlsp;	/* set in tls_init() */
+
+  uschar *xfer_buffer;
+  int xfer_buffer_lwm;
+  int xfer_buffer_hwm;
+} exim_gnutls_state_st;
+
+static const exim_gnutls_state_st exim_gnutls_state_init = {
+  /* all elements not explicitly intialised here get 0/NULL/FALSE */
+  .fd_in =		-1,
+  .fd_out =		-1,
+};
+
+/* Not only do we have our own APIs which don't pass around state, assuming
+it's held in globals, GnuTLS doesn't appear to let us register callback data
+for callbacks, or as part of the session, so we have to keep a "this is the
+context we're currently dealing with" pointer and rely upon being
+single-threaded to keep from processing data on an inbound TLS connection while
+talking to another TLS connection for an outbound check.  This does mean that
+there's no way for heart-beats to be responded to, for the duration of the
+second connection.
+XXX But see gnutls_session_get_ptr()
+*/
+
+static exim_gnutls_state_st state_server = {
+  /* all elements not explicitly intialised here get 0/NULL/FALSE */
+  .fd_in =		-1,
+  .fd_out =		-1,
+};
+
+/* dh_params are initialised once within the lifetime of a process using TLS;
+if we used TLS in a long-lived daemon, we'd have to reconsider this.  But we
+don't want to repeat this. */
+
+static gnutls_dh_params_t dh_server_params = NULL;
+
+static int ssl_session_timeout = 7200;	/* Two hours */
+
+static const uschar * const exim_default_gnutls_priority = US"NORMAL";
+
+/* Guard library core initialisation */
+
+static BOOL exim_gnutls_base_init_done = FALSE;
+
+#ifndef DISABLE_OCSP
+static BOOL gnutls_buggy_ocsp = FALSE;
+static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
+#endif
+
+#ifdef EXIM_HAVE_ALPN
+static int server_seen_alpn = -1;	/* count of names */
+#endif
+#ifdef EXIM_HAVE_TLS_RESUME
+static gnutls_datum_t server_sessticket_key;
+#endif
+
+
+/* ------------------------------------------------------------------------ */
+/* macros */
+
+#define MAX_HOST_LEN 255
+
+/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
+the library logging; a value less than 0 disables the calls to set up logging
+callbacks.  GNuTLS also looks for an environment variable - except not for
+setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
+Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
+but the env var must be added to /etc/sudoers too. */
+#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
+# define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
+#endif
+
+#ifndef EXIM_CLIENT_DH_MIN_BITS
+# define EXIM_CLIENT_DH_MIN_BITS 1024
+#endif
+
+/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
+can ask for a bit-strength.  Without that, we stick to the constant we had
+before, for now. */
+#ifndef EXIM_SERVER_DH_BITS_PRE2_12
+# define EXIM_SERVER_DH_BITS_PRE2_12 1024
+#endif
+
+#define Expand_check_tlsvar(Varname, errstr) \
+  expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
+
+#if GNUTLS_VERSION_NUMBER >= 0x020c00
+# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
+# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
+# define HAVE_GNUTLS_RND
+/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
+ * (4.82 PP/09) introduces a compatibility regression. The symbol simply
+ * isn't available sometimes, so this needs to become a conditional
+ * compilation; the sanest way to deal with this being a problem on
+ * older OSes is to block it in the Local/Makefile with this compiler
+ * definition  */
+# ifndef AVOID_GNUTLS_PKCS11
+#  define HAVE_GNUTLS_PKCS11
+# endif /* AVOID_GNUTLS_PKCS11 */
+#endif
+
+#if GNUTLS_VERSION_NUMBER >= 0x030404
+# define HAVE_GNUTLS_PRF_RFC5705
+#endif
+
+
+
+/* ------------------------------------------------------------------------ */
+/* Callback declarations */
+
+#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
+static void exim_gnutls_logger_cb(int level, const char *message);
+#endif
+
+static int exim_sni_handling_cb(gnutls_session_t session);
+
+#ifdef EXIM_HAVE_TLS_RESUME
+static int
+tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
+  unsigned incoming, const gnutls_datum_t * msg);
+#endif
+
+
+/*************************************************
+*               Handle TLS error                 *
+*************************************************/
+
+/* Called from lots of places when errors occur before actually starting to do
+the TLS handshake, that is, while the session is still in clear. Always returns
+DEFER for a server and FAIL for a client so that most calls can use "return
+tls_error(...)" to do this processing and then give an appropriate return. A
+single function is used for both server and client, because it is called from
+some shared functions.
+
+Argument:
+  prefix    text to include in the logged error
+  msg       additional error string (may be NULL)
+            usually obtained from gnutls_strerror()
+  host      NULL if setting up a server;
+            the connected host if setting up a client
+  errstr    pointer to returned error string
+
+Returns:    OK/DEFER/FAIL
+*/
+
+static int
+tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
+  uschar ** errstr)
+{
+if (errstr)
+  *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
+return host ? FAIL : DEFER;
+}
+
+
+static int
+tls_error_gnu(exim_gnutls_state_st * state, const uschar *prefix, int err,
+  uschar ** errstr)
+{
+return tls_error(prefix,
+  state && err == GNUTLS_E_FATAL_ALERT_RECEIVED
+  ? US gnutls_alert_get_name(gnutls_alert_get(state->session))
+  : US gnutls_strerror(err),
+  state ? state->host : NULL,
+  errstr);
+}
+
+static int
+tls_error_sys(const uschar *prefix, int err, const host_item *host,
+  uschar ** errstr)
+{
+return tls_error(prefix, US strerror(err), host, errstr);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Initialisation */
+
+#ifndef DISABLE_OCSP
+
+static BOOL
+tls_is_buggy_ocsp(void)
+{
+const uschar * s;
+uschar maj, mid, mic;
+
+s = CUS gnutls_check_version(NULL);
+maj = atoi(CCS s);
+if (maj == 3)
+  {
+  while (*s && *s != '.') s++;
+  mid = atoi(CCS ++s);
+  if (mid <= 2)
+    return TRUE;
+  else if (mid >= 5)
+    return FALSE;
+  else
+    {
+    while (*s && *s != '.') s++;
+    mic = atoi(CCS ++s);
+    return mic <= (mid == 3 ? 16 : 3);
+    }
+  }
+return FALSE;
+}
+
+#endif
+
+
+static int
+tls_g_init(uschar ** errstr)
+{
+int rc;
+DEBUG(D_tls) debug_printf("GnuTLS global init required\n");
+
+#if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
+/* By default, gnutls_global_init will init PKCS11 support in auto mode,
+which loads modules from a config file, which sounds good and may be wanted
+by some sysadmin, but also means in common configurations that GNOME keyring
+environment variables are used and so breaks for users calling mailq.
+To prevent this, we init PKCS11 first, which is the documented approach. */
+
+if (!gnutls_allow_auto_pkcs11)
+  if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
+    return tls_error_gnu(NULL, US"gnutls_pkcs11_init", rc, errstr);
+#endif
+
+#ifndef GNUTLS_AUTO_GLOBAL_INIT
+if ((rc = gnutls_global_init()))
+  return tls_error_gnu(NULL, US"gnutls_global_init", rc, errstr);
+#endif
+
+#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
+DEBUG(D_tls)
+  {
+  gnutls_global_set_log_function(exim_gnutls_logger_cb);
+  /* arbitrarily chosen level; bump up to 9 for more */
+  gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
+  }
+#endif
+
+#ifndef DISABLE_OCSP
+if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
+  log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
+#endif
+
+exim_gnutls_base_init_done = TRUE;
+return OK;
+}
+
+
+
+/* Daemon-call before each connection.  Nothing to do for GnuTLS. */
+
+static void
+tls_per_lib_daemon_tick(void)
+{
+}
+
+/* Daemon one-time initialisation */
+
+static void
+tls_per_lib_daemon_init(void)
+{
+uschar * dummy_errstr;
+static BOOL once = FALSE;
+
+if (!exim_gnutls_base_init_done)
+  tls_g_init(&dummy_errstr);
+
+if (!once)
+  {
+  once = TRUE;
+
+#ifdef EXIM_HAVE_TLS_RESUME
+  /* We are dependent on the GnuTLS implementation of the Session Ticket
+  encryption; both the strength and the key rotation period.  We hope that
+  the strength at least matches that of the ciphersuite (but GnuTLS does not
+  document this). */
+
+  gnutls_session_ticket_key_generate(&server_sessticket_key);	/* >= 2.10.0 */
+  if (f.running_in_test_harness) ssl_session_timeout = 6;
+#endif
+
+  tls_daemon_creds_reload();
+  }
+}
+
+/* ------------------------------------------------------------------------ */
+
+/*************************************************
+*    Deal with logging errors during I/O         *
+*************************************************/
+
+/* We have to get the identity of the peer from saved data.
+
+Argument:
+  state    the current GnuTLS exim state container
+  rc       the GnuTLS error code, or 0 if it's a local error
+  when     text identifying read or write
+  text     local error text when rc is 0
+
+Returns:   nothing
+*/
+
+static void
+record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
+{
+const uschar * msg;
+uschar * errstr;
+
+msg = rc == GNUTLS_E_FATAL_ALERT_RECEIVED
+  ? string_sprintf("A TLS fatal alert has been received: %s",
+      US gnutls_alert_get_name(gnutls_alert_get(state->session)))
+#ifdef GNUTLS_E_PREMATURE_TERMINATION
+  : rc == GNUTLS_E_PREMATURE_TERMINATION && errno
+  ? string_sprintf("%s: syscall: %s", US gnutls_strerror(rc), strerror(errno))
+#endif
+  : US gnutls_strerror(rc);
+
+(void) tls_error(when, msg, state->host, &errstr);
+
+if (state->host)
+  log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
+    state->host->name, state->host->address, errstr);
+else
+  {
+  uschar * conn_info = smtp_get_connection_info();
+  if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
+  /* I'd like to get separated H= here, but too hard for now */
+  log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
+  }
+}
+
+
+
+
+/*************************************************
+*        Set various Exim expansion vars         *
+*************************************************/
+
+#define exim_gnutls_cert_err(Label) \
+  do \
+    { \
+    if (rc != GNUTLS_E_SUCCESS) \
+      { \
+      DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
+	(Label), gnutls_strerror(rc)); \
+      return rc; \
+      } \
+    } while (0)
+
+static int
+import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
+{
+int rc;
+
+rc = gnutls_x509_crt_init(crtp);
+exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
+
+rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
+exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
+
+return rc;
+}
+
+#undef exim_gnutls_cert_err
+
+
+/* We set various Exim global variables from the state, once a session has
+been established.  With TLS callouts, may need to change this to stack
+variables, or just re-call it with the server state after client callout
+has finished.
+
+Make sure anything set here is unset in tls_getc().
+
+Sets:
+  tls_active                fd
+  tls_bits                  strength indicator
+  tls_certificate_verified  bool indicator
+  tls_channelbinding        for some SASL mechanisms
+  tls_ver                   a string
+  tls_cipher                a string
+  tls_peercert              pointer to library internal
+  tls_peerdn                a string
+  tls_sni                   a (UTF-8) string
+  tls_ourcert               pointer to library internal
+
+Argument:
+  state      the relevant exim_gnutls_state_st *
+*/
+
+static void
+extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
+{
+tls_support * tlsp = state->tlsp;
+
+tlsp->active.sock = state->fd_out;
+tlsp->active.tls_ctx = state;
+
+DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
+
+tlsp->certificate_verified = state->peer_cert_verified;
+#ifdef SUPPORT_DANE
+tlsp->dane_verified = state->peer_dane_verified;
+#endif
+
+/* note that tls_channelbinding is not saved to the spool file, since it's
+only available for use for authenticators while this TLS session is running. */
+
+tlsp->channelbinding = NULL;
+#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
+  {
+  gnutls_datum_t channel = {.data = NULL, .size = 0};
+  uschar * buf;
+  int rc;
+
+# ifdef HAVE_GNUTLS_PRF_RFC5705
+  /* Older libraries may not have GNUTLS_TLS1_3 defined! */
+  if (gnutls_protocol_get_version(state->session) > GNUTLS_TLS1_2)
+    {
+    buf = store_get(32, state->host ? GET_TAINTED : GET_UNTAINTED);
+    rc = gnutls_prf_rfc5705(state->session,
+				(size_t)24,  "EXPORTER-Channel-Binding", (size_t)0, "",
+				32, CS buf);
+    channel.data = buf;
+    channel.size = 32;
+    }
+  else
+# endif
+    rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
+
+  if (rc)
+    { DEBUG(D_tls) debug_printf("extracting channel binding: %s\n", gnutls_strerror(rc)); }
+  else
+    {
+    int old_pool = store_pool;
+    /* Declare the taintedness of the binding info.  On server, untainted; on
+    client, tainted - being the Finish msg from the server. */
+
+    store_pool = POOL_PERM;
+    tlsp->channelbinding = b64encode_taint(CUS channel.data, (int)channel.size,
+					    state->host ? GET_TAINTED : GET_UNTAINTED);
+    store_pool = old_pool;
+    DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage\n");
+    }
+  }
+#endif
+
+/* peercert is set in peer_status() */
+tlsp->peerdn = state->peerdn;
+
+/* do not corrupt sni sent by client; record sni rxd by server */
+if (!state->host)
+  tlsp->sni = state->received_sni;
+
+/* record our certificate */
+  {
+  const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
+  gnutls_x509_crt_t crt;
+
+  tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
+  }
+}
+
+
+
+
+/*************************************************
+*            Setup up DH parameters              *
+*************************************************/
+
+/* Generating the D-H parameters may take a long time. They only need to
+be re-generated every so often, depending on security policy. What we do is to
+keep these parameters in a file in the spool directory. If the file does not
+exist, we generate them. This means that it is easy to cause a regeneration.
+
+The new file is written as a temporary file and renamed, so that an incomplete
+file is never present. If two processes both compute some new parameters, you
+waste a bit of effort, but it doesn't seem worth messing around with locking to
+prevent this.
+
+Returns:     OK/DEFER/FAIL
+*/
+
+static int
+init_server_dh(uschar ** errstr)
+{
+int fd, rc;
+unsigned int dh_bits;
+gnutls_datum_t m;
+uschar filename_buf[PATH_MAX];
+uschar *filename = NULL;
+size_t sz;
+uschar *exp_tls_dhparam;
+BOOL use_file_in_spool = FALSE;
+host_item *host = NULL; /* dummy for macros */
+
+DEBUG(D_tls) debug_printf("Initialising GnuTLS server params\n");
+
+if ((rc = gnutls_dh_params_init(&dh_server_params)))
+  return tls_error_gnu(NULL, US"gnutls_dh_params_init", rc, errstr);
+
+m.data = NULL;
+m.size = 0;
+
+if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))
+  return DEFER;
+
+if (!exp_tls_dhparam)
+  {
+  DEBUG(D_tls) debug_printf("Loading default hard-coded DH params\n");
+  m.data = US std_dh_prime_default();
+  m.size = Ustrlen(m.data);
+  }
+else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
+  use_file_in_spool = TRUE;
+else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
+  {
+  DEBUG(D_tls) debug_printf("Requested no DH parameters\n");
+  return OK;
+  }
+else if (exp_tls_dhparam[0] != '/')
+  {
+  if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
+    return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
+  m.size = Ustrlen(m.data);
+  }
+else
+  filename = exp_tls_dhparam;
+
+if (m.data)
+  {
+  if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
+    return tls_error_gnu(NULL, US"gnutls_dh_params_import_pkcs3", rc, errstr);
+  DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
+  return OK;
+  }
+
+#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
+/* If you change this constant, also change dh_param_fn_ext so that we can use a
+different filename and ensure we have sufficient bits. */
+
+if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
+  return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
+DEBUG(D_tls)
+  debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits\n",
+      dh_bits);
+#else
+dh_bits = EXIM_SERVER_DH_BITS_PRE2_12;
+DEBUG(D_tls)
+  debug_printf("GnuTLS lacks gnutls_sec_param_to_pk_bits(), using %d bits\n",
+      dh_bits);
+#endif
+
+/* Some clients have hard-coded limits. */
+if (dh_bits > tls_dh_max_bits)
+  {
+  DEBUG(D_tls)
+    debug_printf("tls_dh_max_bits clamping override, using %d bits instead\n",
+        tls_dh_max_bits);
+  dh_bits = tls_dh_max_bits;
+  }
+
+if (use_file_in_spool)
+  {
+  if (!string_format(filename_buf, sizeof(filename_buf),
+        "%s/gnutls-params-%d", spool_directory, dh_bits))
+    return tls_error(US"overlong filename", NULL, NULL, errstr);
+  filename = filename_buf;
+  }
+
+/* Open the cache file for reading and if successful, read it and set up the
+parameters. */
+
+if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
+  {
+  struct stat statbuf;
+  FILE *fp;
+  int saved_errno;
+
+  if (fstat(fd, &statbuf) < 0)  /* EIO */
+    {
+    saved_errno = errno;
+    (void)close(fd);
+    return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
+    }
+  if (!S_ISREG(statbuf.st_mode))
+    {
+    (void)close(fd);
+    return tls_error(US"TLS cache not a file", NULL, NULL, errstr);
+    }
+  if (!(fp = fdopen(fd, "rb")))
+    {
+    saved_errno = errno;
+    (void)close(fd);
+    return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
+        saved_errno, NULL, errstr);
+    }
+
+  m.size = statbuf.st_size;
+  if (!(m.data = store_malloc(m.size)))
+    {
+    fclose(fp);
+    return tls_error_sys(US"malloc failed", errno, NULL, errstr);
+    }
+  if (!(sz = fread(m.data, m.size, 1, fp)))
+    {
+    saved_errno = errno;
+    fclose(fp);
+    store_free(m.data);
+    return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
+    }
+  fclose(fp);
+
+  rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
+  store_free(m.data);
+  if (rc)
+    return tls_error_gnu(NULL, US"gnutls_dh_params_import_pkcs3", rc, errstr);
+  DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
+  }
+
+/* If the file does not exist, fall through to compute new data and cache it.
+If there was any other opening error, it is serious. */
+
+else if (errno == ENOENT)
+  {
+  rc = -1;
+  DEBUG(D_tls)
+    debug_printf("D-H parameter cache file \"%s\" does not exist\n", filename);
+  }
+else
+  return tls_error(string_open_failed("\"%s\" for reading", filename),
+      NULL, NULL, errstr);
+
+/* If ret < 0, either the cache file does not exist, or the data it contains
+is not useful. One particular case of this is when upgrading from an older
+release of Exim in which the data was stored in a different format. We don't
+try to be clever and support both formats; we just regenerate new data in this
+case. */
+
+if (rc < 0)
+  {
+  uschar *temp_fn;
+  unsigned int dh_bits_gen = dh_bits;
+
+  if ((PATH_MAX - Ustrlen(filename)) < 10)
+    return tls_error(US"Filename too long to generate replacement",
+        filename, NULL, errstr);
+
+  temp_fn = string_copy(US"exim-dh.XXXXXXX");
+  if ((fd = mkstemp(CS temp_fn)) < 0)	/* modifies temp_fn */
+    return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
+  (void)exim_chown(temp_fn, exim_uid, exim_gid);   /* Probably not necessary */
+
+  /* GnuTLS overshoots!
+   * If we ask for 2236, we might get 2237 or more.
+   * But there's no way to ask GnuTLS how many bits there really are.
+   * We can ask how many bits were used in a TLS session, but that's it!
+   * The prime itself is hidden behind too much abstraction.
+   * So we ask for less, and proceed on a wing and a prayer.
+   * First attempt, subtracted 3 for 2233 and got 2240.
+   */
+  if (dh_bits >= EXIM_CLIENT_DH_MIN_BITS + 10)
+    {
+    dh_bits_gen = dh_bits - 10;
+    DEBUG(D_tls)
+      debug_printf("being paranoid about DH generation, make it '%d' bits'\n",
+          dh_bits_gen);
+    }
+
+  DEBUG(D_tls)
+    debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
+        dh_bits_gen);
+  if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
+    return tls_error_gnu(NULL, US"gnutls_dh_params_generate2", rc, errstr);
+
+  /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
+  and I confirmed that a NULL call to get the size first is how the GnuTLS
+  sample apps handle this. */
+
+  sz = 0;
+  m.data = NULL;
+  if (  (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
+		GNUTLS_X509_FMT_PEM, m.data, &sz))
+     && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
+    return tls_error_gnu(NULL, US"gnutls_dh_params_export_pkcs3(NULL) sizing",
+	      rc, errstr);
+  m.size = sz;
+  if (!(m.data = store_malloc(m.size)))
+    return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
+
+  /* this will return a size 1 less than the allocation size above */
+  if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
+      m.data, &sz)))
+    {
+    store_free(m.data);
+    return tls_error_gnu(NULL, US"gnutls_dh_params_export_pkcs3() real", rc, errstr);
+    }
+  m.size = sz; /* shrink by 1, probably */
+
+  if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
+    {
+    store_free(m.data);
+    return tls_error_sys(US"TLS cache write D-H params failed",
+        errno, NULL, errstr);
+    }
+  store_free(m.data);
+  if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
+    return tls_error_sys(US"TLS cache write D-H params final newline failed",
+        errno, NULL, errstr);
+
+  if ((rc = close(fd)))
+    return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
+
+  if (Urename(temp_fn, filename) < 0)
+    return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
+          temp_fn, filename), errno, NULL, errstr);
+
+  DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
+  }
+
+DEBUG(D_tls) debug_printf("initialized server D-H parameters\n");
+return OK;
+}
+
+
+
+
+/* Create and install a selfsigned certificate, for use in server mode. */
+
+static int
+tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)
+{
+gnutls_x509_crt_t cert = NULL;
+time_t now;
+gnutls_x509_privkey_t pkey = NULL;
+const uschar * where;
+int rc;
+
+#ifndef SUPPORT_SELFSIGN
+where = US"library too old";
+rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
+if (TRUE) goto err;
+#endif
+
+DEBUG(D_tls) debug_printf("TLS: generating selfsigned server cert\n");
+where = US"initialising pkey";
+if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
+
+where = US"initialising cert";
+if ((rc = gnutls_x509_crt_init(&cert))) goto err;
+
+where = US"generating pkey";	/* Hangs on 2.12.23 */
+if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
+#ifdef SUPPORT_PARAM_TO_PK_BITS
+# ifndef GNUTLS_SEC_PARAM_MEDIUM
+#  define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
+# endif
+	    gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
+#else
+	    2048,
+#endif
+	    0)))
+  goto err;
+
+where = US"configuring cert";
+now = 1;
+if (  (rc = gnutls_x509_crt_set_version(cert, 3))
+   || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
+   || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
+   || (rc = gnutls_x509_crt_set_expiration_time(cert, (long)2 * 60 * 60))	/* 2 hour */
+   || (rc = gnutls_x509_crt_set_key(cert, pkey))
+
+   || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+	      GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
+   || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+	      GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
+   || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+	      GNUTLS_OID_X520_COMMON_NAME, 0,
+	      smtp_active_hostname, Ustrlen(smtp_active_hostname)))
+   )
+  goto err;
+
+where = US"signing cert";
+if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
+
+where = US"installing selfsign cert";
+					/* Since: 2.4.0 */
+if ((rc = gnutls_certificate_set_x509_key(state->lib_state.x509_cred,
+    &cert, 1, pkey)))
+  goto err;
+
+rc = OK;
+
+out:
+  if (cert) gnutls_x509_crt_deinit(cert);
+  if (pkey) gnutls_x509_privkey_deinit(pkey);
+  return rc;
+
+err:
+  rc = tls_error_gnu(state, where, rc, errstr);
+  goto out;
+}
+
+
+
+
+/* Add certificate and key, from files.
+
+Return:
+  Zero or negative: good.  Negate value for certificate index if < 0.
+  Greater than zero: FAIL or DEFER code.
+*/
+
+static int
+tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
+  const uschar * certfile, const uschar * keyfile, uschar ** errstr)
+{
+int rc = gnutls_certificate_set_x509_key_file(state->lib_state.x509_cred,
+    CCS certfile, CCS keyfile, GNUTLS_X509_FMT_PEM);
+if (rc < 0)
+  return tls_error_gnu(state,
+    string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
+    rc, errstr);
+return -rc;
+}
+
+
+#if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+/* Load an OCSP proof from file for sending by the server.  Called
+on getting a status-request handshake message, for earlier versions
+of GnuTLS. */
+
+static int
+server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
+  gnutls_datum_t * ocsp_response)
+{
+int ret;
+DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
+
+if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
+  {
+  DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
+			      CS ptr);
+  tls_in.ocsp = OCSP_NOT_RESP;
+  return GNUTLS_E_NO_CERTIFICATE_STATUS;
+  }
+
+tls_in.ocsp = OCSP_VFY_NOT_TRIED;
+return 0;
+}
+#endif
+
+
+#ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+/* Make a note that we saw a status-request */
+static int
+tls_server_clienthello_ext(void * ctx, unsigned tls_id,
+  const uschar * data, unsigned size)
+{
+/* The values for tls_id are documented here:
+https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
+switch (tls_id)
+  {
+  case 5:	/* Status Request */
+    DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
+    tls_in.ocsp = OCSP_NOT_RESP;
+    break;
+#ifdef EXIM_HAVE_ALPN
+  case 16:	/* Application Layer Protocol Notification */
+    /* The format of "data" here doesn't seem to be documented, but appears
+    to be a 2-byte field with a (redundant, given the "size" arg) total length
+    then a sequence of one-byte size then string (not nul-term) names.  The
+    latter is as described in OpenSSL documentation. */
+
+    DEBUG(D_tls) debug_printf("Seen ALPN extension from client (s=%u):", size);
+    for (const uschar * s = data+2; s-data < size-1; s += *s + 1)
+      {
+      server_seen_alpn++;
+      DEBUG(D_tls) debug_printf(" '%.*s'", (int)*s, s+1);
+      }
+    DEBUG(D_tls) debug_printf("\n");
+    if (server_seen_alpn > 1)
+      {
+      DEBUG(D_tls) debug_printf("TLS: too many ALPNs presented in handshake\n");
+      return GNUTLS_E_NO_APPLICATION_PROTOCOL;
+      }
+    break;
+#endif
+  }
+return 0;
+}
+
+/* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
+static int
+tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
+  unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+/* Call fn for each extension seen.  3.6.3 onwards */
+return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
+			   GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
+}
+
+
+# ifdef notdef_crashes
+/* Make a note that we saw a status-response */
+static int
+tls_server_servercerts_ext(void * ctx, unsigned tls_id,
+  const unsigned char *data, unsigned size)
+{
+/* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
+/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
+if (FALSE && tls_id == 5)	/* status_request */
+  {
+  DEBUG(D_tls) debug_printf("Seen status_request extension\n");
+  tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
+    ? OCSP_VFY_NOT_TRIED : OCSP_VFIED;	/* We know that GnuTLS verifies responses */
+  }
+return 0;
+}
+# endif
+
+/* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
+static int
+tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
+  unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+/* Call fn for each extension seen.  3.6.3 onwards */
+# ifdef notdef_crashes
+				/*XXX crashes */
+return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
+# endif
+}
+#endif /*SUPPORT_GNUTLS_EXT_RAW_PARSE*/
+
+/*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
+ "Handshake Protocol: Certificate" record.
+So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
+
+This is different to tls1.2 - where it is a separate record (wireshark term) / handshake message (gnutls term).
+*/
+
+#if defined(EXIM_HAVE_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+/* Callback for certificate-status, on server. We sent stapled OCSP. */
+static int
+tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
+  unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+DEBUG(D_tls) debug_printf("Sending certificate-status\n");		/*XXX we get this for tls1.2 but not for 1.3 */
+# ifdef SUPPORT_SRV_OCSP_STACK
+tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
+  ? OCSP_VFY_NOT_TRIED : OCSP_VFIED;	/* We know that GnuTLS verifies responses */
+# else
+tls_in.ocsp = OCSP_VFY_NOT_TRIED;
+# endif
+return 0;
+}
+
+/* Callback for handshake messages, on server */
+static int
+tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
+  unsigned incoming, const gnutls_datum_t * msg)
+{
+/* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
+switch (htype)
+  {
+# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+  case GNUTLS_HANDSHAKE_CLIENT_HELLO:
+    return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
+  case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
+    return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
+# endif
+  case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
+    return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
+# ifdef EXIM_HAVE_TLS_RESUME
+  case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
+    return tls_server_ticket_cb(sess, htype, when, incoming, msg);
+# endif
+  default:
+    return 0;
+  }
+}
+#endif
+
+
+#if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+static void
+tls_server_testharness_ocsp_fiddle(void)
+{
+extern char ** environ;
+if (environ) for (uschar ** p = USS environ; *p; p++)
+  if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
+    {
+    DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
+    exim_testharness_disable_ocsp_validity_check = TRUE;
+    }
+}
+#endif
+
+/**************************************************
+* One-time init credentials for server and client *
+**************************************************/
+
+static void
+creds_basic_init(gnutls_certificate_credentials_t x509_cred, BOOL server)
+{
+#ifdef SUPPORT_SRV_OCSP_STACK
+gnutls_certificate_set_flags(x509_cred, GNUTLS_CERTIFICATE_API_V2);
+
+# if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+if (server && tls_ocsp_file)
+  {
+  if (f.running_in_test_harness)
+    tls_server_testharness_ocsp_fiddle();
+
+  if (exim_testharness_disable_ocsp_validity_check)
+    gnutls_certificate_set_flags(x509_cred,
+      GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
+  }
+# endif
+#endif
+DEBUG(D_tls)
+  debug_printf("TLS: basic cred init, %s\n", server ? "server" : "client");
+}
+
+static int
+creds_load_server_certs(exim_gnutls_state_st * state, const uschar * cert,
+  const uschar * pkey, const uschar * ocsp, uschar ** errstr)
+{
+const uschar * clist = cert;
+const uschar * klist = pkey;
+const uschar * olist;
+int csep = 0, ksep = 0, osep = 0, cnt = 0, rc;
+uschar * cfile, * kfile, * ofile;
+#ifndef DISABLE_OCSP
+# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
+# endif
+
+if (!expand_check(ocsp, US"tls_ocsp_file", &ofile, errstr))
+  return DEFER;
+olist = ofile;
+#endif
+
+while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
+
+  if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
+    return tls_error(US"cert/key setup: out of keys", NULL, NULL, errstr);
+  else if ((rc = tls_add_certfile(state, NULL, cfile, kfile, errstr)) > 0)
+    return rc;
+  else
+    {
+    int gnutls_cert_index = -rc;
+    DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
+			      gnutls_cert_index, cfile);
+
+#ifndef DISABLE_OCSP
+    if (ocsp)
+      {
+      /* Set the OCSP stapling server info */
+      if (gnutls_buggy_ocsp)
+	{
+	DEBUG(D_tls)
+	  debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
+	}
+      else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
+	{
+	DEBUG(D_tls) debug_printf("OCSP response file %d  = %s\n",
+				  gnutls_cert_index, ofile);
+# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+	if (Ustrncmp(ofile, US"PEM ", 4) == 0)
+	  {
+	  ocsp_fmt = GNUTLS_X509_FMT_PEM;
+	  ofile += 4;
+	  }
+	else if (Ustrncmp(ofile, US"DER ", 4) == 0)
+	  {
+	  ocsp_fmt = GNUTLS_X509_FMT_DER;
+	  ofile += 4;
+	  }
+
+	if  ((rc = gnutls_certificate_set_ocsp_status_request_file2(
+		  state->lib_state.x509_cred, CCS ofile, gnutls_cert_index,
+		  ocsp_fmt)) < 0)
+	  return tls_error_gnu(state,
+		  US"gnutls_certificate_set_ocsp_status_request_file2",
+		  rc, errstr);
+	DEBUG(D_tls)
+	  debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
+
+	/* Arrange callbacks for OCSP request observability */
+
+	if (state->session)
+	  gnutls_handshake_set_hook_function(state->session,
+	    GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
+	else
+	  state->lib_state.ocsp_hook = TRUE;
+
+
+# else
+#  if defined(SUPPORT_SRV_OCSP_STACK)
+	if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
+		     state->lib_state.x509_cred, gnutls_cert_index,
+		     server_ocsp_stapling_cb, ofile)))
+	    return tls_error_gnu(state,
+		  US"gnutls_certificate_set_ocsp_status_request_function2",
+		  rc, errstr);
+	else
+#  endif
+	  {
+	  if (cnt++ > 0)
+	    {
+	    DEBUG(D_tls)
+	      debug_printf("oops; multiple OCSP files not supported\n");
+	    break;
+	    }
+	  gnutls_certificate_set_ocsp_status_request_function(
+	    state->lib_state.x509_cred, server_ocsp_stapling_cb, ofile);
+	  }
+# endif	/* SUPPORT_GNUTLS_EXT_RAW_PARSE */
+	}
+      else
+	DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
+      }
+#endif /* DISABLE_OCSP */
+    }
+return 0;
+}
+
+static int
+creds_load_client_certs(exim_gnutls_state_st * state, const host_item * host,
+  const uschar * cert, const uschar * pkey, uschar ** errstr)
+{
+int rc = tls_add_certfile(state, host, cert, pkey, errstr);
+if (rc > 0) return rc;
+DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
+return 0;
+}
+
+static int
+creds_load_cabundle(exim_gnutls_state_st * state, const uschar * bundle,
+  const host_item * host, uschar ** errstr)
+{
+int cert_count;
+struct stat statbuf;
+
+#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
+if (Ustrcmp(bundle, "system") == 0 || Ustrncmp(bundle, "system,", 7) == 0)
+  cert_count = gnutls_certificate_set_x509_system_trust(state->lib_state.x509_cred);
+else
+#endif
+  {
+  if (Ustat(bundle, &statbuf) < 0)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
+	"(tls_verify_certificates): %s", bundle, strerror(errno));
+    return DEFER;
+    }
+
+#ifndef SUPPORT_CA_DIR
+  /* The test suite passes in /dev/null; we could check for that path explicitly,
+  but who knows if someone has some weird FIFO which always dumps some certs, or
+  other weirdness.  The thing we really want to check is that it's not a
+  directory, since while OpenSSL supports that, GnuTLS does not.
+  So s/!S_ISREG/S_ISDIR/ and change some messaging ... */
+  if (S_ISDIR(statbuf.st_mode))
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC,
+	"tls_verify_certificates \"%s\" is a directory", bundle);
+    return DEFER;
+    }
+#endif
+
+  DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
+	  bundle, statbuf.st_size);
+
+  if (statbuf.st_size == 0)
+    {
+    DEBUG(D_tls)
+      debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
+    return OK;
+    }
+
+  cert_count =
+
+#ifdef SUPPORT_CA_DIR
+    (statbuf.st_mode & S_IFMT) == S_IFDIR
+    ?
+    gnutls_certificate_set_x509_trust_dir(state->lib_state.x509_cred,
+      CS bundle, GNUTLS_X509_FMT_PEM)
+    :
+#endif
+    gnutls_certificate_set_x509_trust_file(state->lib_state.x509_cred,
+      CS bundle, GNUTLS_X509_FMT_PEM);
+
+#ifdef SUPPORT_CA_DIR
+  /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
+  when using the directory-of-certs config model. */
+
+  if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+    if (state->session)
+      gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
+    else
+      state->lib_state.ca_rdn_emulate = TRUE;
+#endif
+  }
+
+if (cert_count < 0)
+  return tls_error_gnu(state, US"setting certificate trust", cert_count, errstr);
+DEBUG(D_tls)
+  debug_printf("Added %d certificate authorities\n", cert_count);
+
+return OK;
+}
+
+
+static int
+creds_load_crl(exim_gnutls_state_st * state, const uschar * crl, uschar ** errstr)
+{
+int cert_count;
+DEBUG(D_tls) debug_printf("loading CRL file = %s\n", crl);
+if ((cert_count = gnutls_certificate_set_x509_crl_file(state->lib_state.x509_cred,
+    CS crl, GNUTLS_X509_FMT_PEM)) < 0)
+  return tls_error_gnu(state, US"gnutls_certificate_set_x509_crl_file",
+	    cert_count, errstr);
+
+DEBUG(D_tls) debug_printf("Processed %d CRLs\n", cert_count);
+return OK;
+}
+
+
+static int
+creds_load_pristring(exim_gnutls_state_st * state, const uschar * p,
+  const char ** errpos)
+{
+if (!p)
+  {
+  p = exim_default_gnutls_priority;
+  DEBUG(D_tls)
+    debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
+  }
+return gnutls_priority_init( (gnutls_priority_t *) &state->lib_state.pri_cache,
+  CCS p, errpos);
+}
+
+static unsigned
+tls_server_creds_init(void)
+{
+uschar * dummy_errstr;
+unsigned lifetime = 0;
+
+state_server.lib_state = null_tls_preload;
+if (gnutls_certificate_allocate_credentials(
+      (gnutls_certificate_credentials_t *) &state_server.lib_state.x509_cred))
+  {
+  state_server.lib_state.x509_cred = NULL;
+  return lifetime;
+  }
+creds_basic_init(state_server.lib_state.x509_cred, TRUE);
+
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+/* If tls_certificate has any $ indicating expansions, it is not good.
+If tls_privatekey is set but has $, not good.  Likewise for tls_ocsp_file.
+If all good (and tls_certificate set), load the cert(s). */
+
+if (  opt_set_and_noexpand(tls_certificate)
+# ifndef DISABLE_OCSP
+   && opt_unset_or_noexpand(tls_ocsp_file)
+# endif
+   && opt_unset_or_noexpand(tls_privatekey))
+  {
+  /* Set watches on the filenames.  The implementation does de-duplication
+  so we can just blindly do them all.
+  */
+
+  if (  tls_set_watch(tls_certificate, TRUE)
+# ifndef DISABLE_OCSP
+     && tls_set_watch(tls_ocsp_file, TRUE)
+# endif
+     && tls_set_watch(tls_privatekey, TRUE))
+    {
+    DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
+    if (creds_load_server_certs(&state_server, tls_certificate,
+	  tls_privatekey && *tls_privatekey ? tls_privatekey : tls_certificate,
+# ifdef DISABLE_OCSP
+	  NULL,
+# else
+	  tls_ocsp_file,
+# endif
+	  &dummy_errstr) == 0)
+      state_server.lib_state.conn_certs = TRUE;
+    }
+  }
+else if (  !tls_certificate && !tls_privatekey
+# ifndef DISABLE_OCSP
+	&& !tls_ocsp_file
+# endif
+	)
+  {		/* Generate & preload a selfsigned cert. No files to watch. */
+  if ((tls_install_selfsign(&state_server, &dummy_errstr)) == OK)
+    {
+    state_server.lib_state.conn_certs = TRUE;
+    lifetime = f.running_in_test_harness ? 2 : 60 * 60;		/* 1 hour */
+    }
+  }
+else
+  DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
+
+/* If tls_verify_certificates is non-empty and has no $, load CAs.
+If none was configured and we can't handle "system", treat as empty. */
+
+if (  opt_set_and_noexpand(tls_verify_certificates)
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+   && Ustrcmp(tls_verify_certificates, "system") != 0
+#endif
+   )
+  {
+  if (tls_set_watch(tls_verify_certificates, FALSE))
+    {
+    DEBUG(D_tls) debug_printf("TLS: preloading CA bundle for server\n");
+    if (creds_load_cabundle(&state_server, tls_verify_certificates,
+			    NULL, &dummy_errstr) != OK)
+      return lifetime;
+    state_server.lib_state.cabundle = TRUE;
+
+    /* If CAs loaded and tls_crl is non-empty and has no $, load it */
+
+    if (opt_set_and_noexpand(tls_crl))
+      {
+      if (tls_set_watch(tls_crl, FALSE))
+	{
+	DEBUG(D_tls) debug_printf("TLS: preloading CRL for server\n");
+	if (creds_load_crl(&state_server, tls_crl, &dummy_errstr) != OK)
+	  return lifetime;
+	state_server.lib_state.crl = TRUE;
+	}
+      }
+    else
+      DEBUG(D_tls) debug_printf("TLS: not preloading CRL for server\n");
+    }
+  }
+else
+  DEBUG(D_tls) debug_printf("TLS: not preloading CA bundle for server\n");
+#endif	/* EXIM_HAVE_INOTIFY */
+
+/* If tls_require_ciphers is non-empty and has no $, load the
+ciphers priority cache.  If unset, load with the default.
+(server-only as the client one depends on non/DANE) */
+
+if (!tls_require_ciphers || opt_set_and_noexpand(tls_require_ciphers))
+  {
+  const char * dummy_errpos;
+  DEBUG(D_tls) debug_printf("TLS: preloading cipher list for server: %s\n",
+		  tls_require_ciphers);
+  if (  creds_load_pristring(&state_server, tls_require_ciphers, &dummy_errpos)
+     == OK)
+    state_server.lib_state.pri_string = TRUE;
+  }
+else
+  DEBUG(D_tls) debug_printf("TLS: not preloading cipher list for server\n");
+return lifetime;
+}
+
+
+/* Preload whatever creds are static, onto a transport.  The client can then
+just copy the pointer as it starts up. */
+
+/*XXX this is not called for a cmdline send. But one needing to use >1 conn would benefit,
+and there seems little downside. */
+
+static void
+tls_client_creds_init(transport_instance * t, BOOL watch)
+{
+smtp_transport_options_block * ob = t->options_block;
+exim_gnutls_state_st tpt_dummy_state;
+host_item * dummy_host = (host_item *)1;
+uschar * dummy_errstr;
+
+if (  !exim_gnutls_base_init_done
+   && tls_g_init(&dummy_errstr) != OK)
+  return;
+
+ob->tls_preload = null_tls_preload;
+if (gnutls_certificate_allocate_credentials(
+  (struct gnutls_certificate_credentials_st **)&ob->tls_preload.x509_cred))
+  {
+  ob->tls_preload.x509_cred = NULL;
+  return;
+  }
+creds_basic_init(ob->tls_preload.x509_cred, FALSE);
+
+tpt_dummy_state.session = NULL;
+tpt_dummy_state.lib_state = ob->tls_preload;
+
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+if (  opt_set_and_noexpand(ob->tls_certificate)
+   && opt_unset_or_noexpand(ob->tls_privatekey))
+  {
+  if (  !watch
+     || (  tls_set_watch(ob->tls_certificate, FALSE)
+	&& tls_set_watch(ob->tls_privatekey, FALSE)
+     )  )
+    {
+    const uschar * pkey = ob->tls_privatekey;
+
+    DEBUG(D_tls)
+      debug_printf("TLS: preloading client certs for transport '%s'\n", t->name);
+
+    /* The state->lib_state.x509_cred is used for the certs load, and is the sole
+    structure element used.  So we can set up a dummy.  The hoat arg only
+    selects a retcode in case of fail, so any value */
+
+    if (creds_load_client_certs(&tpt_dummy_state, dummy_host,
+	  ob->tls_certificate, pkey ? pkey : ob->tls_certificate,
+	  &dummy_errstr) == OK)
+      ob->tls_preload.conn_certs = TRUE;
+    }
+  }
+else
+  DEBUG(D_tls)
+    debug_printf("TLS: not preloading client certs, for transport '%s'\n", t->name);
+
+/* If tls_verify_certificates is non-empty and has no $, load CAs.
+If none was configured and we can't handle "system", treat as empty. */
+
+if (  opt_set_and_noexpand(ob->tls_verify_certificates)
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+   && Ustrcmp(ob->tls_verify_certificates, "system") != 0
+#endif
+   )
+  {
+  if (!watch || tls_set_watch(ob->tls_verify_certificates, FALSE))
+    {
+    DEBUG(D_tls)
+      debug_printf("TLS: preloading CA bundle for transport '%s'\n", t->name);
+    if (creds_load_cabundle(&tpt_dummy_state, ob->tls_verify_certificates,
+			    dummy_host, &dummy_errstr) != OK)
+      return;
+    ob->tls_preload.cabundle = TRUE;
+
+    if (opt_set_and_noexpand(ob->tls_crl))
+      {
+      if (!watch || tls_set_watch(ob->tls_crl, FALSE))
+	{
+	DEBUG(D_tls) debug_printf("TLS: preloading CRL for transport '%s'\n", t->name);
+	if (creds_load_crl(&tpt_dummy_state, ob->tls_crl, &dummy_errstr) != OK)
+	  return;
+	ob->tls_preload.crl = TRUE;
+	}
+      }
+    else
+      DEBUG(D_tls) debug_printf("TLS: not preloading CRL, for transport '%s'\n", t->name);
+    }
+  }
+else
+  DEBUG(D_tls)
+      debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", t->name);
+
+/* We do not preload tls_require_ciphers to to the transport as it implicitly
+depends on DANE or plain usage. */
+
+#endif
+}
+
+
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+/* Invalidate the creds cached, by dropping the current ones.
+Call when we notice one of the source files has changed. */
+ 
+static void
+tls_server_creds_invalidate(void)
+{
+if (state_server.lib_state.pri_cache)
+  gnutls_priority_deinit(state_server.lib_state.pri_cache);
+state_server.lib_state.pri_cache = NULL;
+
+if (state_server.lib_state.x509_cred)
+  gnutls_certificate_free_credentials(state_server.lib_state.x509_cred);
+state_server.lib_state = null_tls_preload;
+}
+
+
+static void
+tls_client_creds_invalidate(transport_instance * t)
+{
+smtp_transport_options_block * ob = t->options_block;
+if (ob->tls_preload.x509_cred)
+  gnutls_certificate_free_credentials(ob->tls_preload.x509_cred);
+ob->tls_preload = null_tls_preload;
+}
+#endif
+
+
+/*************************************************
+*       Variables re-expanded post-SNI           *
+*************************************************/
+
+/* Called from both server and client code, via tls_init(), and also from
+the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
+
+We can tell the two apart by state->received_sni being non-NULL in callback.
+
+The callback should not call us unless state->trigger_sni_changes is true,
+which we are responsible for setting on the first pass through.
+
+Arguments:
+  state           exim_gnutls_state_st *
+  errstr	  error string pointer
+
+Returns:          OK/DEFER/FAIL
+*/
+
+static int
+tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
+{
+int rc;
+const host_item *host = state->host;  /* macro should be reconsidered? */
+const uschar *saved_tls_certificate = NULL;
+const uschar *saved_tls_privatekey = NULL;
+const uschar *saved_tls_verify_certificates = NULL;
+const uschar *saved_tls_crl = NULL;
+int cert_count;
+
+/* We check for tls_sni *before* expansion. */
+if (!host)	/* server */
+  if (!state->received_sni)
+    {
+    if (  state->tls_certificate
+       && (  Ustrstr(state->tls_certificate, US"tls_sni")
+	  || Ustrstr(state->tls_certificate, US"tls_in_sni")
+	  || Ustrstr(state->tls_certificate, US"tls_out_sni")
+       )  )
+      {
+      DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI\n");
+      state->trigger_sni_changes = TRUE;
+      }
+    }
+  else	/* SNI callback case */
+    {
+    /* useful for debugging */
+    saved_tls_certificate = state->exp_tls_certificate;
+    saved_tls_privatekey = state->exp_tls_privatekey;
+    saved_tls_verify_certificates = state->exp_tls_verify_certificates;
+    saved_tls_crl = state->exp_tls_crl;
+    }
+
+if (!state->lib_state.x509_cred)
+  {
+  if ((rc = gnutls_certificate_allocate_credentials(
+	(gnutls_certificate_credentials_t *) &state->lib_state.x509_cred)))
+    return tls_error_gnu(state, US"gnutls_certificate_allocate_credentials",
+	    rc, errstr);
+  creds_basic_init(state->lib_state.x509_cred, !host);
+  }
+
+
+/* remember: Expand_check_tlsvar() is expand_check() but fiddling with
+state members, assuming consistent naming; and expand_check() returns
+false if expansion failed, unless expansion was forced to fail. */
+
+/* check if we at least have a certificate, before doing expensive
+D-H generation. */
+
+if (!state->lib_state.conn_certs)
+  {
+  if (!Expand_check_tlsvar(tls_certificate, errstr))
+    return DEFER;
+
+  /* certificate is mandatory in server, optional in client */
+
+  if (  !state->exp_tls_certificate
+     || !*state->exp_tls_certificate
+     )
+    if (!host)
+      return tls_install_selfsign(state, errstr);
+    else
+      DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
+
+  if (state->tls_privatekey && !Expand_check_tlsvar(tls_privatekey, errstr))
+    return DEFER;
+
+  /* tls_privatekey is optional, defaulting to same file as certificate */
+
+  if (!state->tls_privatekey || !*state->tls_privatekey)
+    {
+    state->tls_privatekey = state->tls_certificate;
+    state->exp_tls_privatekey = state->exp_tls_certificate;
+    }
+
+  if (state->exp_tls_certificate && *state->exp_tls_certificate)
+    {
+    BOOL load = TRUE;
+    DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
+	state->exp_tls_certificate, state->exp_tls_privatekey);
+
+    if (state->received_sni)
+      if (  Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
+	 && Ustrcmp(state->exp_tls_privatekey,  saved_tls_privatekey)  == 0
+	 )
+	{
+	DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
+	load = FALSE;	/* avoid re-loading the same certs */
+	}
+      else		/* unload the pre-SNI certs before loading new ones */
+	{
+	DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair\n");
+	gnutls_certificate_free_keys(state->lib_state.x509_cred);
+	}
+
+    if (  load
+       && (rc = host
+	  ? creds_load_client_certs(state, host, state->exp_tls_certificate,
+			      state->exp_tls_privatekey, errstr)
+	  : creds_load_server_certs(state, state->exp_tls_certificate,
+			      state->exp_tls_privatekey,
+#ifdef DISABLE_OCSP
+			      NULL,
+#else
+			      tls_ocsp_file,
+#endif
+			      errstr)
+       )  ) return rc;
+    }
+  }
+else
+  {
+  DEBUG(D_tls)
+    debug_printf("%s certs were preloaded\n", host ? "client" : "server");
+
+  if (!state->tls_privatekey) state->tls_privatekey = state->tls_certificate;
+  state->exp_tls_certificate = US state->tls_certificate;
+  state->exp_tls_privatekey = US state->tls_privatekey;
+
+#ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+  if (state->lib_state.ocsp_hook)
+     gnutls_handshake_set_hook_function(state->session,
+       GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
+#endif
+  }
+
+
+/* Set the trusted CAs file if one is provided, and then add the CRL if one is
+provided. Experiment shows that, if the certificate file is empty, an unhelpful
+error message is provided. However, if we just refrain from setting anything up
+in that case, certificate verification fails, which seems to be the correct
+behaviour.
+If none was configured and we can't handle "system", treat as empty. */
+
+if (!state->lib_state.cabundle)
+  {
+  if (state->tls_verify_certificates && *state->tls_verify_certificates)
+    {
+    if (!Expand_check_tlsvar(tls_verify_certificates, errstr))
+      return DEFER;
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+    if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
+      state->exp_tls_verify_certificates = NULL;
+#endif
+    if (state->tls_crl && *state->tls_crl)
+      if (!Expand_check_tlsvar(tls_crl, errstr))
+	return DEFER;
+
+    if (!(state->exp_tls_verify_certificates &&
+	  *state->exp_tls_verify_certificates))
+      {
+      DEBUG(D_tls)
+	debug_printf("TLS: tls_verify_certificates expanded empty, ignoring\n");
+      /* With no tls_verify_certificates, we ignore tls_crl too */
+      return OK;
+      }
+    }
+  else
+    {
+    DEBUG(D_tls)
+      debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
+    return OK;
+    }
+  rc = creds_load_cabundle(state, state->exp_tls_verify_certificates, host, errstr);
+  if (rc != OK) return rc;
+  }
+else
+  {
+  DEBUG(D_tls)
+    debug_printf("%s CA bundle was preloaded\n", host ? "client" : "server");
+  state->exp_tls_verify_certificates = US state->tls_verify_certificates;
+
+#ifdef SUPPORT_CA_DIR
+/* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
+when using the directory-of-certs config model. */
+    if (state->lib_state.ca_rdn_emulate)
+      gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
+#endif
+  }
+
+
+if (!state->lib_state.crl)
+  {
+  if (  state->tls_crl && *state->tls_crl
+     && state->exp_tls_crl && *state->exp_tls_crl)
+    return creds_load_crl(state, state->exp_tls_crl, errstr);
+  }
+else
+  {
+  DEBUG(D_tls)
+      debug_printf("%s CRL was preloaded\n", host ? "client" : "server");
+  state->exp_tls_crl = US state->tls_crl;
+  }
+
+return OK;
+}
+
+
+
+
+/*************************************************
+*          Set X.509 state variables             *
+*************************************************/
+
+/* In GnuTLS, the registered cert/key are not replaced by a later
+set of a cert/key, so for SNI support we need a whole new x509_cred
+structure.  Which means various other non-re-expanded pieces of state
+need to be re-set in the new struct, so the setting logic is pulled
+out to this.
+
+Arguments:
+  state           exim_gnutls_state_st *
+  errstr	  error string pointer
+
+Returns:          OK/DEFER/FAIL
+*/
+
+static int
+tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
+{
+int rc;
+const host_item *host = state->host;  /* macro should be reconsidered? */
+
+/* Create D-H parameters, or read them from the cache file. This function does
+its own SMTP error messaging. This only happens for the server, TLS D-H ignores
+client-side params. */
+
+if (!state->host)
+  {
+  if (!dh_server_params)
+    if ((rc = init_server_dh(errstr)) != OK) return rc;
+
+  /* Unnecessary & discouraged with 3.6.0 or later, according to docs.  But without it,
+  no DHE- ciphers are advertised. */
+  gnutls_certificate_set_dh_params(state->lib_state.x509_cred, dh_server_params);
+  }
+
+/* Link the credentials to the session. */
+
+if ((rc = gnutls_credentials_set(state->session,
+	    GNUTLS_CRD_CERTIFICATE, state->lib_state.x509_cred)))
+  return tls_error_gnu(state, US"gnutls_credentials_set", rc, errstr);
+
+return OK;
+}
+
+/*************************************************
+*            Initialize for GnuTLS               *
+*************************************************/
+
+
+/* Called from both server and client code. In the case of a server, errors
+before actual TLS negotiation return DEFER.
+
+Arguments:
+  host            connected host, if client; NULL if server
+  ob		  tranport options block, if client; NULL if server
+  require_ciphers tls_require_ciphers setting
+  caller_state    returned state-info structure
+  errstr	  error string pointer
+
+Returns:          OK/DEFER/FAIL
+*/
+
+static int
+tls_init(
+    const host_item *host,
+    smtp_transport_options_block * ob,
+    const uschar * require_ciphers,
+    exim_gnutls_state_st **caller_state,
+    tls_support * tlsp,
+    uschar ** errstr)
+{
+exim_gnutls_state_st * state;
+int rc;
+size_t sz;
+
+if (  !exim_gnutls_base_init_done
+   && (rc = tls_g_init(errstr)) != OK)
+  return rc;
+
+if (host)
+  {
+  /* For client-side sessions we allocate a context. This lets us run
+  several in parallel. */
+
+  int old_pool = store_pool;
+  store_pool = POOL_PERM;
+  state = store_get(sizeof(exim_gnutls_state_st), GET_UNTAINTED);
+  store_pool = old_pool;
+
+  memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
+  state->lib_state = ob->tls_preload;
+  state->tlsp = tlsp;
+  DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
+  rc = gnutls_init(&state->session, GNUTLS_CLIENT);
+
+  state->tls_certificate =	ob->tls_certificate;
+  state->tls_privatekey =	ob->tls_privatekey;
+  state->tls_sni =		ob->tls_sni;
+  state->tls_verify_certificates = ob->tls_verify_certificates;
+  state->tls_crl =		ob->tls_crl;
+  }
+else
+  {
+  /* Server operations always use the one state_server context.  It is not
+  shared because we have forked a fresh process for every receive.  However it
+  can get re-used for successive TLS sessions on a single TCP connection. */
+
+  state = &state_server;
+  state->tlsp = tlsp;
+  DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
+  rc = gnutls_init(&state->session, GNUTLS_SERVER);
+
+  state->tls_certificate =	tls_certificate;
+  state->tls_privatekey =	tls_privatekey;
+  state->tls_sni =		NULL;
+  state->tls_verify_certificates = tls_verify_certificates;
+  state->tls_crl =		tls_crl;
+  }
+if (rc)
+  return tls_error_gnu(state, US"gnutls_init", rc, errstr);
+
+state->tls_require_ciphers =	require_ciphers;
+state->host = host;
+
+/* This handles the variables that might get re-expanded after TLS SNI;
+tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
+
+DEBUG(D_tls)
+  debug_printf("Expanding various TLS configuration options for session credentials\n");
+if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;
+
+/* These are all other parts of the x509_cred handling, since SNI in GnuTLS
+requires a new structure afterwards. */
+
+if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;
+
+/* set SNI in client, only */
+if (host)
+  {
+  if (!expand_check(state->tls_sni, US"tls_out_sni", &state->tlsp->sni, errstr))
+    return DEFER;
+  if (state->tlsp->sni && *state->tlsp->sni)
+    {
+    DEBUG(D_tls)
+      debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
+    sz = Ustrlen(state->tlsp->sni);
+    if ((rc = gnutls_server_name_set(state->session,
+	  GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
+      return tls_error_gnu(state, US"gnutls_server_name_set", rc, errstr);
+    }
+  }
+else if (state->tls_sni)
+  DEBUG(D_tls) debug_printf("*** PROBABLY A BUG *** " \
+      "have an SNI set for a server [%s]\n", state->tls_sni);
+
+if (!state->lib_state.pri_string)
+  {
+  const uschar * p = NULL;
+  const char * errpos;
+
+  /* This is the priority string support,
+  http://www.gnutls.org/manual/html_node/Priority-Strings.html
+  and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
+  This was backwards incompatible, but means Exim no longer needs to track
+  all algorithms and provide string forms for them. */
+
+  if (state->tls_require_ciphers && *state->tls_require_ciphers)
+    {
+    if (!Expand_check_tlsvar(tls_require_ciphers, errstr))
+      return DEFER;
+    if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
+      {
+      p = state->exp_tls_require_ciphers;
+      DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
+      }
+    }
+
+  if ((rc = creds_load_pristring(state, p, &errpos)))
+    return tls_error_gnu(state, string_sprintf(
+			"gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
+			p, (long)(errpos - CS p), errpos),
+		    rc, errstr);
+  }
+else
+  {
+  DEBUG(D_tls) debug_printf("cipher list preloaded\n");
+  state->exp_tls_require_ciphers = US state->tls_require_ciphers;
+  }
+
+
+if ((rc = gnutls_priority_set(state->session, state->lib_state.pri_cache)))
+  return tls_error_gnu(state, US"gnutls_priority_set", rc, errstr);
+
+/* This also sets the server ticket expiration time to the same, and
+the STEK rotation time to 3x. */
+
+gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
+
+/* Reduce security in favour of increased compatibility, if the admin
+decides to make that trade-off. */
+if (gnutls_compat_mode)
+  {
+#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
+  DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
+  gnutls_session_enable_compatibility_mode(state->session);
+#else
+  DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
+#endif
+  }
+
+*caller_state = state;
+return OK;
+}
+
+
+
+/*************************************************
+*            Extract peer information            *
+*************************************************/
+
+static const uschar *
+cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
+  gnutls_mac_algorithm_t mac)
+{
+uschar cs_id[2];
+gnutls_kx_algorithm_t kx_i;
+gnutls_cipher_algorithm_t cipher_i;
+gnutls_mac_algorithm_t mac_i;
+
+for (size_t i = 0;
+     gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
+     i++)
+  if (kx_i == kx && cipher_i == cipher && mac_i == mac)
+    return cipher_stdname(cs_id[0], cs_id[1]);
+return NULL;
+}
+
+
+
+/* Called from both server and client code.
+Only this is allowed to set state->peerdn and state->have_set_peerdn
+and we use that to detect double-calls.
+
+NOTE: the state blocks last while the TLS connection is up, which is fine
+for logging in the server side, but for the client side, we log after teardown
+in src/deliver.c.  While the session is up, we can twist about states and
+repoint tls_* globals, but those variables used for logging or other variable
+expansion that happens _after_ delivery need to have a longer life-time.
+
+So for those, we get the data from POOL_PERM; the re-invoke guard keeps us from
+doing this more than once per generation of a state context.  We set them in
+the state context, and repoint tls_* to them.  After the state goes away, the
+tls_* copies of the pointers remain valid and client delivery logging is happy.
+
+tls_certificate_verified is a BOOL, so the tls_peerdn and tls_cipher issues
+don't apply.
+
+Arguments:
+  state           exim_gnutls_state_st *
+  errstr	  pointer to error string
+
+Returns:          OK/DEFER/FAIL
+*/
+
+static int
+peer_status(exim_gnutls_state_st * state, uschar ** errstr)
+{
+gnutls_session_t session = state->session;
+const gnutls_datum_t * cert_list;
+int old_pool, rc;
+unsigned int cert_list_size = 0;
+gnutls_protocol_t protocol;
+gnutls_cipher_algorithm_t cipher;
+gnutls_kx_algorithm_t kx;
+gnutls_mac_algorithm_t mac;
+gnutls_certificate_type_t ct;
+gnutls_x509_crt_t crt;
+uschar * dn_buf;
+size_t sz;
+
+if (state->have_set_peerdn)
+  return OK;
+state->have_set_peerdn = TRUE;
+
+state->peerdn = NULL;
+
+/* tls_cipher */
+cipher = gnutls_cipher_get(session);
+protocol = gnutls_protocol_get_version(session);
+mac = gnutls_mac_get(session);
+kx =
+#ifdef GNUTLS_TLS1_3
+    protocol >= GNUTLS_TLS1_3 ? 0 :
+#endif
+  gnutls_kx_get(session);
+
+old_pool = store_pool;
+  {
+  tls_support * tlsp = state->tlsp;
+  store_pool = POOL_PERM;
+
+#ifdef SUPPORT_GNUTLS_SESS_DESC
+    {
+    gstring * g = NULL;
+    uschar * s = US gnutls_session_get_desc(session), c;
+
+    /* Nikos M suggests we use this by preference.  It returns like:
+    (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
+
+    For partial back-compat, put a colon after the TLS version, replace the
+    )-( grouping with __, replace in-group - with _ and append the :keysize. */
+
+    /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
+
+    for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
+
+    tlsp->ver = string_copyn(g->s, g->ptr);
+    for (uschar * p = US tlsp->ver; *p; p++)
+      if (*p == '-') { *p = '\0'; break; }	/* TLS1.0-PKIX -> TLS1.0 */
+
+    g = string_catn(g, US":", 1);
+    if (*s) s++;		/* now on _ between groups */
+    while ((c = *s))
+      {
+      for (*++s && ++s; (c = *s) && c != ')'; s++)
+	g = string_catn(g, c == '-' ? US"_" : s, 1);
+      /* now on ) closing group */
+      if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
+      /* now on _ between groups */
+      }
+    g = string_catn(g, US":", 1);
+    g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
+    state->ciphersuite = string_from_gstring(g);
+    }
+#else
+  state->ciphersuite = string_sprintf("%s:%s:%d",
+      gnutls_protocol_get_name(protocol),
+      gnutls_cipher_suite_get_name(kx, cipher, mac),
+      (int) gnutls_cipher_get_key_size(cipher) * 8);
+
+  /* I don't see a way that spaces could occur, in the current GnuTLS
+  code base, but it was a concern in the old code and perhaps older GnuTLS
+  releases did return "TLS 1.0"; play it safe, just in case. */
+
+  for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
+  tlsp->ver = string_copyn(state->ciphersuite,
+			Ustrchr(state->ciphersuite, ':') - state->ciphersuite);
+#endif
+
+/* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
+
+  tlsp->cipher = state->ciphersuite;
+  tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
+
+  tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
+  }
+store_pool = old_pool;
+
+/* tls_peerdn */
+cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
+
+if (!cert_list || cert_list_size == 0)
+  {
+  DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
+      cert_list, cert_list_size);
+  if (state->verify_requirement >= VERIFY_REQUIRED)
+    return tls_error(US"certificate verification failed",
+        US"no certificate received from peer", state->host, errstr);
+  return OK;
+  }
+
+if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
+  {
+  const uschar * ctn = US gnutls_certificate_type_get_name(ct);
+  DEBUG(D_tls)
+    debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
+  if (state->verify_requirement >= VERIFY_REQUIRED)
+    return tls_error(US"certificate verification not possible, unhandled type",
+        ctn, state->host, errstr);
+  return OK;
+  }
+
+#define exim_gnutls_peer_err(Label) \
+  do { \
+    if (rc != GNUTLS_E_SUCCESS) \
+      { \
+      DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
+	(Label), gnutls_strerror(rc)); \
+      if (state->verify_requirement >= VERIFY_REQUIRED) \
+	return tls_error_gnu(state, (Label), rc, errstr); \
+      return OK; \
+      } \
+    } while (0)
+
+rc = import_cert(&cert_list[0], &crt);
+exim_gnutls_peer_err(US"cert 0");
+
+state->tlsp->peercert = state->peercert = crt;
+
+sz = 0;
+rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
+if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
+  {
+  exim_gnutls_peer_err(US"getting size for cert DN failed");
+  return FAIL; /* should not happen */
+  }
+dn_buf = store_get_perm(sz, GET_TAINTED);
+rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
+exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
+
+state->peerdn = dn_buf;
+
+return OK;
+#undef exim_gnutls_peer_err
+}
+
+
+
+
+/*************************************************
+*            Verify peer certificate             *
+*************************************************/
+
+/* Called from both server and client code.
+*Should* be using a callback registered with
+gnutls_certificate_set_verify_function() to fail the handshake if we dislike
+the peer information, but that's too new for some OSes.
+
+Arguments:
+  state		exim_gnutls_state_st *
+  errstr	where to put an error message
+
+Returns:
+  FALSE     if the session should be rejected
+  TRUE      if the cert is okay or we just don't care
+*/
+
+static BOOL
+verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
+{
+int rc;
+uint verify;
+
+DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
+*errstr = NULL;
+rc = peer_status(state, errstr);
+
+if (state->verify_requirement == VERIFY_NONE)
+  return TRUE;
+
+if (rc != OK || !state->peerdn)
+  {
+  verify = GNUTLS_CERT_INVALID;
+  *errstr = US"certificate not supplied";
+  }
+else
+
+  {
+#ifdef SUPPORT_DANE
+  if (state->verify_requirement == VERIFY_DANE && state->host)
+    {
+    /* Using dane_verify_session_crt() would be easy, as it does it all for us
+    including talking to a DNS resolver.  But we want to do that bit ourselves
+    as the testsuite intercepts and fakes its own DNS environment. */
+
+    dane_state_t s;
+    dane_query_t r;
+    uint lsize;
+    const gnutls_datum_t * certlist =
+      gnutls_certificate_get_peers(state->session, &lsize);
+    int usage = tls_out.tlsa_usage;
+
+# ifdef GNUTLS_BROKEN_DANE_VALIDATION
+    /* Split the TLSA records into two sets, TA and EE selectors.  Run the
+    dane-verification separately so that we know which selector verified;
+    then we know whether to do name-verification (needed for TA but not EE). */
+
+    if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
+      {						/* a mixed-usage bundle */
+      int i, j, nrec;
+      const char ** dd;
+      int * ddl;
+
+      for (nrec = 0; state->dane_data_len[nrec]; ) nrec++;
+      nrec++;
+
+      dd = store_get(nrec * sizeof(uschar *), GET_UNTAINTED);
+      ddl = store_get(nrec * sizeof(int), GET_UNTAINTED);
+      nrec--;
+
+      if ((rc = dane_state_init(&s, 0)))
+	goto tlsa_prob;
+
+      for (usage = DANESSL_USAGE_DANE_EE;
+	   usage >= DANESSL_USAGE_DANE_TA; usage--)
+	{				/* take records with this usage */
+	for (j = i = 0; i < nrec; i++)
+	  if (state->dane_data[i][0] == usage)
+	    {
+	    dd[j] = state->dane_data[i];
+	    ddl[j++] = state->dane_data_len[i];
+	    }
+	if (j)
+	  {
+	  dd[j] = NULL;
+	  ddl[j] = 0;
+
+	  if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
+	    goto tlsa_prob;
+
+	  if ((rc = dane_verify_crt_raw(s, certlist, lsize,
+			    gnutls_certificate_type_get(state->session),
+			    r, 0,
+			    usage == DANESSL_USAGE_DANE_EE
+			    ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
+			    &verify)))
+	    {
+	    DEBUG(D_tls)
+	      debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
+	    }
+	  else if (verify == 0)	/* verification passed */
+	    {
+	    usage = 1 << usage;
+	    break;
+	    }
+	  }
+	}
+
+	if (rc) goto tlsa_prob;
+      }
+    else
+# endif
+      {
+      if (  (rc = dane_state_init(&s, 0))
+	 || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
+			1, 0))
+	 || (rc = dane_verify_crt_raw(s, certlist, lsize,
+			gnutls_certificate_type_get(state->session),
+			r, 0,
+# ifdef GNUTLS_BROKEN_DANE_VALIDATION
+			usage == (1 << DANESSL_USAGE_DANE_EE)
+			? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
+# else
+			0,
+# endif
+			&verify))
+	 )
+	goto tlsa_prob;
+      }
+
+    if (verify != 0)		/* verification failed */
+      {
+      gnutls_datum_t str;
+      (void) dane_verification_status_print(verify, &str, 0);
+      *errstr = US str.data;	/* don't bother to free */
+      goto badcert;
+      }
+
+# ifdef GNUTLS_BROKEN_DANE_VALIDATION
+    /* If a TA-mode TLSA record was used for verification we must additionally
+    verify the cert name (but not the CA chain).  For EE-mode, skip it. */
+
+    if (usage & (1 << DANESSL_USAGE_DANE_EE))
+# endif
+      {
+      state->peer_dane_verified = state->peer_cert_verified = TRUE;
+      goto goodcert;
+      }
+# ifdef GNUTLS_BROKEN_DANE_VALIDATION
+    /* Assume that the name on the A-record is the one that should be matching
+    the cert.  An alternate view is that the domain part of the email address
+    is also permissible. */
+
+    if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
+	  CS state->host->name))
+      {
+      state->peer_dane_verified = state->peer_cert_verified = TRUE;
+      goto goodcert;
+      }
+# endif
+    }
+#endif	/*SUPPORT_DANE*/
+
+  rc = gnutls_certificate_verify_peers2(state->session, &verify);
+  }
+
+/* Handle the result of verification. INVALID is set if any others are. */
+
+if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
+  {
+  state->peer_cert_verified = FALSE;
+  if (!*errstr)
+    {
+#ifdef GNUTLS_CERT_VFY_STATUS_PRINT
+    DEBUG(D_tls)
+      {
+      gnutls_datum_t txt;
+
+      if (gnutls_certificate_verification_status_print(verify,
+	    gnutls_certificate_type_get(state->session), &txt, 0)
+	  == GNUTLS_E_SUCCESS)
+	{
+	debug_printf("%s\n", txt.data);
+	gnutls_free(txt.data);
+	}
+      }
+#endif
+    *errstr = verify & GNUTLS_CERT_REVOKED
+      ? US"certificate revoked" : US"certificate invalid";
+    }
+
+  DEBUG(D_tls)
+    debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
+        *errstr, state->peerdn ? state->peerdn : US"<unset>");
+
+  if (state->verify_requirement >= VERIFY_REQUIRED)
+    goto badcert;
+  DEBUG(D_tls)
+    debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
+  }
+
+else
+  {
+  /* Client side, check the server's certificate name versus the name on the
+  A-record for the connection we made.  What to do for server side - what name
+  to use for client?  We document that there is no such checking for server
+  side. */
+
+  if (  state->exp_tls_verify_cert_hostnames
+     && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
+		CS state->exp_tls_verify_cert_hostnames)
+     )
+    {
+    DEBUG(D_tls)
+      debug_printf("TLS certificate verification failed: cert name mismatch\n");
+    if (state->verify_requirement >= VERIFY_REQUIRED)
+      goto badcert;
+    return TRUE;
+    }
+
+  state->peer_cert_verified = TRUE;
+  DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
+      state->peerdn ? state->peerdn : US"<unset>");
+  }
+
+goodcert:
+  state->tlsp->peerdn = state->peerdn;
+  return TRUE;
+
+#ifdef SUPPORT_DANE
+tlsa_prob:
+  *errstr = string_sprintf("TLSA record problem: %s",
+    rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
+#endif
+
+badcert:
+  gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
+  return FALSE;
+}
+
+
+
+
+/* ------------------------------------------------------------------------ */
+/* Callbacks */
+
+/* Logging function which can be registered with
+ *   gnutls_global_set_log_function()
+ *   gnutls_global_set_log_level() 0..9
+ */
+#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
+static void
+exim_gnutls_logger_cb(int level, const char *message)
+{
+  size_t len = strlen(message);
+  if (len < 1)
+    {
+    DEBUG(D_tls) debug_printf("GnuTLS<%d> empty debug message\n", level);
+    return;
+    }
+  DEBUG(D_tls) debug_printf("GnuTLS<%d>: %s%s", level, message,
+      message[len-1] == '\n' ? "" : "\n");
+}
+#endif
+
+
+/* Called after client hello, should handle SNI work.
+This will always set tls_sni (state->received_sni) if available,
+and may trigger presenting different certificates,
+if state->trigger_sni_changes is TRUE.
+
+Should be registered with
+  gnutls_handshake_set_post_client_hello_function()
+
+"This callback must return 0 on success or a gnutls error code to terminate the
+handshake.".
+
+For inability to get SNI information, we return 0.
+We only return non-zero if re-setup failed.
+Only used for server-side TLS.
+*/
+
+static int
+exim_sni_handling_cb(gnutls_session_t session)
+{
+char sni_name[MAX_HOST_LEN];
+size_t data_len = MAX_HOST_LEN;
+exim_gnutls_state_st *state = &state_server;
+unsigned int sni_type;
+int rc, old_pool;
+uschar * dummy_errstr;
+
+rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
+if (rc != GNUTLS_E_SUCCESS)
+  {
+  DEBUG(D_tls)
+    if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+      debug_printf("TLS: no SNI presented in handshake\n");
+    else
+      debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
+        gnutls_strerror(rc), rc);
+  return 0;
+  }
+
+if (sni_type != GNUTLS_NAME_DNS)
+  {
+  DEBUG(D_tls) debug_printf("TLS: ignoring SNI of unhandled type %u\n", sni_type);
+  return 0;
+  }
+
+/* We now have a UTF-8 string in sni_name */
+old_pool = store_pool;
+store_pool = POOL_PERM;
+state->received_sni = string_copy_taint(US sni_name, GET_TAINTED);
+store_pool = old_pool;
+
+/* We set this one now so that variable expansions below will work */
+state->tlsp->sni = state->received_sni;
+
+DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
+    state->trigger_sni_changes ? "" : " (unused for certificate selection)");
+
+if (!state->trigger_sni_changes)
+  return 0;
+
+if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
+  {
+  /* If the setup of certs/etc failed before handshake, TLS would not have
+  been offered.  The best we can do now is abort. */
+  return GNUTLS_E_APPLICATION_ERROR_MIN;
+  }
+
+rc = tls_set_remaining_x509(state, &dummy_errstr);
+if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
+
+return 0;
+}
+
+
+
+#ifndef DISABLE_EVENT
+/*
+We use this callback to get observability and detail-level control
+for an exim TLS connection (either direction), raising a tls:cert event
+for each cert in the chain presented by the peer.  Any event
+can deny verification.
+
+Return 0 for the handshake to continue or non-zero to terminate.
+*/
+
+static int
+verify_cb(gnutls_session_t session)
+{
+const gnutls_datum_t * cert_list;
+unsigned int cert_list_size = 0;
+gnutls_x509_crt_t crt;
+int rc;
+uschar * yield;
+exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
+
+if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
+  while (cert_list_size--)
+  {
+  if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
+    {
+    DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
+      cert_list_size, gnutls_strerror(rc));
+    break;
+    }
+
+  state->tlsp->peercert = crt;
+  if ((yield = event_raise(state->event_action,
+	      US"tls:cert", string_sprintf("%d", cert_list_size), &errno)))
+    {
+    log_write(0, LOG_MAIN,
+	      "SSL verify denied by event-action: depth=%d: %s",
+	      cert_list_size, yield);
+    return 1;                     /* reject */
+    }
+  state->tlsp->peercert = NULL;
+  }
+
+return 0;
+}
+
+#endif
+
+
+static gstring *
+ddump(gnutls_datum_t * d)
+{
+gstring * g = string_get((d->size+1) * 2);
+uschar * s = d->data;
+for (unsigned i = d->size; i > 0; i--, s++)
+  {
+  g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
+  g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
+  }
+return g;
+}
+
+static void
+post_handshake_debug(exim_gnutls_state_st * state)
+{
+#ifdef SUPPORT_GNUTLS_SESS_DESC
+debug_printf("%s\n", gnutls_session_get_desc(state->session));
+#endif
+
+#ifdef SUPPORT_GNUTLS_KEYLOG
+# ifdef EXIM_HAVE_TLS1_3
+if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
+# else
+if (TRUE)
+# endif
+  {
+  gnutls_datum_t c, s;
+  gstring * gc, * gs;
+  /* For TLS1.2 we only want the client random and the master secret */
+  gnutls_session_get_random(state->session, &c, &s);
+  gnutls_session_get_master_secret(state->session, &s);
+  gc = ddump(&c);
+  gs = ddump(&s);
+  debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
+  }
+else
+  debug_printf("To get keying info for TLS1.3 is hard:\n"
+    " Set environment variable SSLKEYLOGFILE to a filename relative to the spool directory,\n"
+    " and make sure it is writable by the Exim runtime user.\n"
+    " Add SSLKEYLOGFILE to keep_environment in the exim config.\n"
+    " Start Exim as root.\n"
+    " If using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
+    " (works for TLS1.2 also, and saves cut-paste into file).\n"
+    " Trying to use add_environment for this will not work\n");
+#endif
+}
+
+
+#ifdef EXIM_HAVE_TLS_RESUME
+static int
+tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
+  unsigned incoming, const gnutls_datum_t * msg)
+{
+DEBUG(D_tls) debug_printf("newticket cb\n");
+tls_in.resumption |= RESUME_CLIENT_REQUESTED;
+return 0;
+}
+
+static void
+tls_server_resume_prehandshake(exim_gnutls_state_st * state)
+{
+/* Should the server offer session resumption? */
+tls_in.resumption = RESUME_SUPPORTED;
+if (verify_check_host(&tls_resumption_hosts) == OK)
+  {
+  int rc;
+  /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
+  an offered resumption is unacceptable.  We lose one resumption per ticket
+  lifetime, and sessions cannot be indefinitely re-used.  There seems to be no
+  way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
+  least they go out in a single packet. */
+
+  if (!(rc = gnutls_session_ticket_enable_server(state->session,
+	      &server_sessticket_key)))
+    tls_in.resumption |= RESUME_SERVER_TICKET;
+  else
+    DEBUG(D_tls)
+      debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
+
+  /* Try to tell if we see a ticket request */
+  gnutls_handshake_set_hook_function(state->session,
+    GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
+  }
+}
+
+static void
+tls_server_resume_posthandshake(exim_gnutls_state_st * state)
+{
+if (gnutls_session_resumption_requested(state->session))
+  {
+  /* This tells us the client sent a full ticket.  We use a
+  callback on session-ticket request, elsewhere, to tell
+  if a client asked for a ticket. */
+
+  tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
+  DEBUG(D_tls) debug_printf("client requested resumption\n");
+  }
+if (gnutls_session_is_resumed(state->session))
+  {
+  tls_in.resumption |= RESUME_USED;
+  DEBUG(D_tls) debug_printf("Session resumed\n");
+  }
+}
+#endif	/* EXIM_HAVE_TLS_RESUME */
+
+
+#ifdef EXIM_HAVE_ALPN
+/* Expand and convert an Exim list to a gnutls_datum list.  False return for fail.
+NULL plist return for silent no-ALPN.
+*/
+
+static BOOL
+tls_alpn_plist(uschar ** tls_alpn, const gnutls_datum_t ** plist, unsigned * plen,
+  uschar ** errstr)
+{
+uschar * exp_alpn;
+
+if (!expand_check(*tls_alpn, US"tls_alpn", &exp_alpn, errstr))
+  return FALSE;
+
+if (!exp_alpn)
+  {
+  DEBUG(D_tls) debug_printf("Setting TLS ALPN forced to fail, not sending\n");
+  *plist = NULL;
+  }
+else
+  {
+  const uschar * list = exp_alpn;
+  int sep = 0;
+  unsigned cnt = 0;
+  gnutls_datum_t * p;
+  uschar * s;
+
+  while (string_nextinlist(&list, &sep, NULL, 0)) cnt++;
+
+  p = store_get(sizeof(gnutls_datum_t) * cnt, exp_alpn);
+  list = exp_alpn;
+  for (int i = 0; s = string_nextinlist(&list, &sep, NULL, 0); i++)
+    { p[i].data = s; p[i].size = Ustrlen(s); }
+  *plist = (*plen = cnt) ? p : NULL;
+  }
+return TRUE;
+}
+
+static void
+tls_server_set_acceptable_alpns(exim_gnutls_state_st * state, uschar ** errstr)
+{
+uschar * local_alpn = string_copy(tls_alpn);
+int rc;
+const gnutls_datum_t * plist;
+unsigned plen;
+
+if (tls_alpn_plist(&local_alpn, &plist, &plen, errstr) && plist)
+  {
+  /* This seems to be only mandatory if the client sends an ALPN extension;
+  not trying ALPN is ok. Need to decide how to support server-side must-alpn. */
+
+  server_seen_alpn = 0;
+  if (!(rc = gnutls_alpn_set_protocols(state->session, plist, plen,
+					GNUTLS_ALPN_MANDATORY)))
+    gnutls_handshake_set_hook_function(state->session,
+      GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
+  else
+    DEBUG(D_tls)
+      debug_printf("setting alpn protocols: %s\n", US gnutls_strerror(rc));
+  }
+}
+#endif	/* EXIM_HAVE_ALPN */
+
+/* ------------------------------------------------------------------------ */
+/* Exported functions */
+
+
+
+
+/*************************************************
+*       Start a TLS session in a server          *
+*************************************************/
+
+/* This is called when Exim is running as a server, after having received
+the STARTTLS command. It must respond to that command, and then negotiate
+a TLS session.
+
+Arguments:
+  errstr	   pointer to error string
+
+Returns:           OK on success
+                   DEFER for errors before the start of the negotiation
+                   FAIL for errors during the negotiation; the server can't
+                     continue running.
+*/
+
+int
+tls_server_start(uschar ** errstr)
+{
+int rc;
+exim_gnutls_state_st * state = NULL;
+
+/* Check for previous activation */
+if (tls_in.active.sock >= 0)
+  {
+  tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
+  smtp_printf("554 Already in TLS\r\n", FALSE);
+  return FAIL;
+  }
+
+/* Initialize the library. If it fails, it will already have logged the error
+and sent an SMTP response. */
+
+DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
+
+  {
+#ifdef MEASURE_TIMING
+  struct timeval t0;
+  gettimeofday(&t0, NULL);
+#endif
+
+  if ((rc = tls_init(NULL, NULL,
+      tls_require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
+
+#ifdef MEASURE_TIMING
+  report_time_since(&t0, US"server tls_init (delta)");
+#endif
+  }
+
+#ifdef EXIM_HAVE_ALPN
+tls_server_set_acceptable_alpns(state, errstr);
+#endif
+
+#ifdef EXIM_HAVE_TLS_RESUME
+tls_server_resume_prehandshake(state);
+#endif
+
+/* If this is a host for which certificate verification is mandatory or
+optional, set up appropriately. */
+
+if (verify_check_host(&tls_verify_hosts) == OK)
+  {
+  DEBUG(D_tls)
+    debug_printf("TLS: a client certificate will be required\n");
+  state->verify_requirement = VERIFY_REQUIRED;
+  gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
+  }
+else if (verify_check_host(&tls_try_verify_hosts) == OK)
+  {
+  DEBUG(D_tls)
+    debug_printf("TLS: a client certificate will be requested but not required\n");
+  state->verify_requirement = VERIFY_OPTIONAL;
+  gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
+  }
+else
+  {
+  DEBUG(D_tls)
+    debug_printf("TLS: a client certificate will not be requested\n");
+  state->verify_requirement = VERIFY_NONE;
+  gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
+  }
+
+#ifndef DISABLE_EVENT
+if (event_action)
+  {
+  state->event_action = event_action;
+  gnutls_session_set_ptr(state->session, state);
+  gnutls_certificate_set_verify_function(state->lib_state.x509_cred, verify_cb);
+  }
+#endif
+
+/* Register SNI handling; always, even if not in tls_certificate, so that the
+expansion variable $tls_sni is always available. */
+
+gnutls_handshake_set_post_client_hello_function(state->session,
+    exim_sni_handling_cb);
+
+/* Set context and tell client to go ahead, except in the case of TLS startup
+on connection, where outputting anything now upsets the clients and tends to
+make them disconnect. We need to have an explicit fflush() here, to force out
+the response. Other smtp_printf() calls do not need it, because in non-TLS
+mode, the fflush() happens when smtp_getc() is called. */
+
+if (!state->tlsp->on_connect)
+  {
+  smtp_printf("220 TLS go ahead\r\n", FALSE);
+  fflush(smtp_out);
+  }
+
+/* Now negotiate the TLS session. We put our own timer on it, since it seems
+that the GnuTLS library doesn't.
+From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
+to set (and clear down afterwards) up a pull-timeout callback function that does
+a select, so we're no better off unless avoiding signals becomes an issue. */
+
+gnutls_transport_set_ptr2(state->session,
+    (gnutls_transport_ptr_t)(long) fileno(smtp_in),
+    (gnutls_transport_ptr_t)(long) fileno(smtp_out));
+state->fd_in = fileno(smtp_in);
+state->fd_out = fileno(smtp_out);
+
+sigalrm_seen = FALSE;
+if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
+do
+  rc = gnutls_handshake(state->session);
+while (rc == GNUTLS_E_AGAIN ||  rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
+ALARM_CLR(0);
+
+if (rc != GNUTLS_E_SUCCESS)
+  {
+  DEBUG(D_tls) debug_printf(" error %d from gnutls_handshake: %s\n",
+    rc, gnutls_strerror(rc));
+
+  /* It seems that, except in the case of a timeout, we have to close the
+  connection right here; otherwise if the other end is running OpenSSL it hangs
+  until the server times out. */
+
+  if (sigalrm_seen)
+    {
+    tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
+#ifndef DISABLE_EVENT
+    (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
+#endif
+    gnutls_db_remove_session(state->session);
+    }
+  else
+    {
+    tls_error_gnu(state, US"gnutls_handshake", rc, errstr);
+#ifndef DISABLE_EVENT
+    (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
+#endif
+    (void) gnutls_alert_send_appropriate(state->session, rc);
+    gnutls_deinit(state->session);
+    millisleep(500);
+    shutdown(state->fd_out, SHUT_WR);
+    for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--;	/* drain skt */
+    (void)fclose(smtp_out);
+    (void)fclose(smtp_in);
+    smtp_out = smtp_in = NULL;
+    }
+
+  return FAIL;
+  }
+
+#ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
+if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
+  tls_in.ext_master_secret = TRUE;
+#endif
+
+#ifdef EXIM_HAVE_TLS_RESUME
+tls_server_resume_posthandshake(state);
+#endif
+
+DEBUG(D_tls) post_handshake_debug(state);
+
+#ifdef EXIM_HAVE_ALPN
+if (server_seen_alpn > 0)
+  {
+  DEBUG(D_tls)
+    {		/* The client offered ALPN.  See what was negotiated. */
+    gnutls_datum_t p = {.size = 0};
+    int rc = gnutls_alpn_get_selected_protocol(state->session, &p);
+    if (!rc)
+	debug_printf("ALPN negotiated: %.*s\n", (int)p.size, p.data);
+    else
+	debug_printf("getting alpn protocol: %s\n", US gnutls_strerror(rc));
+
+    }
+  }
+else if (server_seen_alpn == 0)
+  if (verify_check_host(&hosts_require_alpn) == OK)
+    {
+    gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_NO_APPLICATION_PROTOCOL);
+    tls_error(US"handshake", US"ALPN required but not negotiated", NULL, errstr);
+    return FAIL;
+    }
+  else
+    DEBUG(D_tls) debug_printf("TLS: no ALPN presented in handshake\n");
+else
+  DEBUG(D_tls) debug_printf("TLS: was not watching for ALPN\n");
+#endif
+
+/* Verify after the fact */
+
+if (!verify_certificate(state, errstr))
+  {
+  if (state->verify_requirement != VERIFY_OPTIONAL)
+    {
+    (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);
+    return FAIL;
+    }
+  DEBUG(D_tls)
+    debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
+	*errstr);
+  }
+
+/* Sets various Exim expansion variables; always safe within server */
+
+extract_exim_vars_from_tls_state(state);
+
+/* TLS has been set up. Adjust the input functions to read via TLS,
+and initialize appropriately. */
+
+state->xfer_buffer = store_malloc(ssl_xfer_buffer_size);
+
+receive_getc = tls_getc;
+receive_getbuf = tls_getbuf;
+receive_get_cache = tls_get_cache;
+receive_hasc = tls_hasc;
+receive_ungetc = tls_ungetc;
+receive_feof = tls_feof;
+receive_ferror = tls_ferror;
+
+return OK;
+}
+
+
+
+
+static void
+tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
+  smtp_transport_options_block * ob)
+{
+if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
+  {
+  state->exp_tls_verify_cert_hostnames =
+#ifdef SUPPORT_I18N
+    string_domain_utf8_to_alabel(host->certname, NULL);
+#else
+    host->certname;
+#endif
+  DEBUG(D_tls)
+    debug_printf("TLS: server cert verification includes hostname: \"%s\"\n",
+		    state->exp_tls_verify_cert_hostnames);
+  }
+}
+
+
+
+
+#ifdef SUPPORT_DANE
+/* Given our list of RRs from the TLSA lookup, build a lookup block in
+GnuTLS-DANE's preferred format.  Hang it on the state str for later
+use in DANE verification.
+
+We point at the dnsa data not copy it, so it must remain valid until
+after verification is done.*/
+
+static BOOL
+dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
+{
+dns_scan dnss;
+int i;
+const char **	dane_data;
+int *		dane_data_len;
+
+i = 1;
+for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
+    ) if (rr->type == T_TLSA) i++;
+
+dane_data = store_get(i * sizeof(uschar *), GET_UNTAINTED);
+dane_data_len = store_get(i * sizeof(int), GET_UNTAINTED);
+
+i = 0;
+for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
+    ) if (rr->type == T_TLSA && rr->size > 3)
+  {
+  const uschar * p = rr->data;
+/*XXX need somehow to mark rr and its data as tainted.  Doues this mean copying it? */
+  uint8_t usage = p[0], sel = p[1], type = p[2];
+
+  DEBUG(D_tls)
+    debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
+
+  if (  (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
+     || (sel != 0 && sel != 1)
+     )
+    continue;
+  switch(type)
+    {
+    case 0:	/* Full: cannot check at present */
+		break;
+    case 1:	if (rr->size != 3 + 256/8) continue;	/* sha2-256 */
+		break;
+    case 2:	if (rr->size != 3 + 512/8) continue;	/* sha2-512 */
+		break;
+    default:	continue;
+    }
+
+  tls_out.tlsa_usage |= 1<<usage;
+  dane_data[i] = CS p;
+  dane_data_len[i++] = rr->size;
+  }
+
+if (!i) return FALSE;
+
+dane_data[i] = NULL;
+dane_data_len[i] = 0;
+
+state->dane_data = (char * const *)dane_data;
+state->dane_data_len = dane_data_len;
+return TRUE;
+}
+#endif
+
+
+
+#ifdef EXIM_HAVE_TLS_RESUME
+/* On the client, get any stashed session for the given IP from hints db
+and apply it to the ssl-connection for attempted resumption.  Although
+there is a gnutls_session_ticket_enable_client() interface it is
+documented as unnecessary (as of 3.6.7) as "session tickets are emabled
+by deafult".  There seems to be no way to disable them, so even hosts not
+enabled by the transport option will be sent a ticket request.  We will
+however avoid storing and retrieving session information. */
+
+static void
+tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
+  smtp_connect_args * conn_args, smtp_transport_options_block * ob)
+{
+tlsp->resumption = RESUME_SUPPORTED;
+
+if (!conn_args->have_lbserver)
+  { DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
+else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, conn_args->host) == OK)
+  {
+  dbdata_tls_session * dt;
+  int len, rc;
+  open_db dbblock, * dbm_file;
+
+  tlsp->host_resumable = TRUE;
+  tls_client_resmption_key(tlsp, conn_args, ob);
+
+  tlsp->resumption |= RESUME_CLIENT_REQUESTED;
+  if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
+    {
+    /* We'd like to filter the retrieved session for ticket advisory expiry,
+    but 3.6.1 seems to give no access to that */
+
+    if ((dt = dbfn_read_with_length(dbm_file, tlsp->resume_index, &len)))
+      if (!(rc = gnutls_session_set_data(session,
+		    CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
+	{
+	DEBUG(D_tls) debug_printf("good session\n");
+	tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
+	}
+      else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
+	    US gnutls_strerror(rc));
+    dbfn_close(dbm_file);
+    }
+  }
+}
+
+
+static void
+tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
+{
+/* TLS 1.2 - we get both the callback and the direct posthandshake call,
+but this flag is not set until the second.  TLS 1.3 it's the other way about.
+Keep both calls as the session data cannot be extracted before handshake
+completes. */
+
+if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
+  {
+  gnutls_datum_t tkt;
+  int rc;
+
+  DEBUG(D_tls) debug_printf("server offered session ticket\n");
+  tlsp->ticket_received = TRUE;
+  tlsp->resumption |= RESUME_SERVER_TICKET;
+
+  if (tlsp->host_resumable)
+    if (!(rc = gnutls_session_get_data2(session, &tkt)))
+      {
+      open_db dbblock, * dbm_file;
+      int dlen = sizeof(dbdata_tls_session) + tkt.size;
+      dbdata_tls_session * dt = store_get(dlen, GET_TAINTED);
+
+      DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
+      memcpy(dt->session, tkt.data, tkt.size);
+      gnutls_free(tkt.data);
+
+      if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
+	{
+	/* key for the db is the IP */
+	dbfn_write(dbm_file, tlsp->resume_index, dt, dlen);
+	dbfn_close(dbm_file);
+
+	DEBUG(D_tls)
+	  debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
+	}
+      }
+    else DEBUG(D_tls)
+      debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
+  }
+}
+
+
+/* With a TLS1.3 session, the ticket(s) are not seen until
+the first data read is attempted.  And there's often two of them.
+Pick them up with this callback.  We are also called for 1.2
+but we do nothing.
+*/
+static int
+tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
+  unsigned incoming, const gnutls_datum_t * msg)
+{
+exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
+tls_support * tlsp = state->tlsp;
+
+DEBUG(D_tls) debug_printf("newticket cb\n");
+
+if (!tlsp->ticket_received)
+  tls_save_session(tlsp, sess, state->host);
+return 0;
+}
+
+
+static void
+tls_client_resume_prehandshake(exim_gnutls_state_st * state,
+  tls_support * tlsp, smtp_connect_args * conn_args,
+  smtp_transport_options_block * ob)
+{
+gnutls_session_set_ptr(state->session, state);
+gnutls_handshake_set_hook_function(state->session,
+  GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
+
+tls_retrieve_session(tlsp, state->session, conn_args, ob);
+}
+
+static void
+tls_client_resume_posthandshake(exim_gnutls_state_st * state,
+  tls_support * tlsp, host_item * host)
+{
+if (gnutls_session_is_resumed(state->session))
+  {
+  DEBUG(D_tls) debug_printf("Session resumed\n");
+  tlsp->resumption |= RESUME_USED;
+  }
+
+tls_save_session(tlsp, state->session, host);
+}
+#endif	/* !DISABLE_TLS_RESUME */
+
+
+/*************************************************
+*    Start a TLS session in a client             *
+*************************************************/
+
+/* Called from the smtp transport after STARTTLS has been accepted.
+
+Arguments:
+  cctx		connection context
+  conn_args	connection details
+  cookie	datum for randomness (not used)
+  tlsp          record details of channel configuration here; must be non-NULL
+  errstr        error string pointer
+
+Returns:        TRUE for success with TLS session context set in smtp context,
+		FALSE on error
+*/
+
+BOOL
+tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
+  void * cookie ARG_UNUSED,
+  tls_support * tlsp, uschar ** errstr)
+{
+host_item * host = conn_args->host;          /* for msgs and option-tests */
+transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
+smtp_transport_options_block * ob = tb
+  ? (smtp_transport_options_block *)tb->options_block
+  : &smtp_transport_option_defaults;
+int rc;
+exim_gnutls_state_st * state = NULL;
+uschar * cipher_list = NULL;
+
+#ifndef DISABLE_OCSP
+BOOL require_ocsp =
+  verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
+BOOL request_ocsp = require_ocsp ? TRUE
+  : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
+#endif
+
+DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
+
+#ifdef SUPPORT_DANE
+/* If dane is flagged, have either request or require dane for this host, and
+a TLSA record found.  Therefore, dane verify required.  Which implies cert must
+be requested and supplied, dane verify must pass, and cert verify irrelevant
+(incl.  hostnames), and (caller handled) require_tls and sni=$domain */
+
+if (conn_args->dane && ob->dane_require_tls_ciphers)
+  {
+  /* not using Expand_check_tlsvar because not yet in state */
+  if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
+      &cipher_list, errstr))
+    return FALSE;
+  cipher_list = cipher_list && *cipher_list
+    ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
+  }
+#endif
+
+if (!cipher_list)
+  cipher_list = ob->tls_require_ciphers;
+
+  {
+#ifdef MEASURE_TIMING
+  struct timeval t0;
+  gettimeofday(&t0, NULL);
+#endif
+
+  if (tls_init(host, ob, cipher_list, &state, tlsp, errstr) != OK)
+    return FALSE;
+
+#ifdef MEASURE_TIMING
+  report_time_since(&t0, US"client tls_init (delta)");
+#endif
+  }
+
+if (ob->tls_alpn)
+#ifdef EXIM_HAVE_ALPN
+  {
+  const gnutls_datum_t * plist;
+  unsigned plen;
+
+  if (!tls_alpn_plist(&ob->tls_alpn, &plist, &plen, errstr))
+    return FALSE;
+  if (plist)
+    if (gnutls_alpn_set_protocols(state->session, plist, plen, 0) != 0)
+      {
+      tls_error(US"alpn init", NULL, state->host, errstr);
+      return FALSE;
+      }
+    else
+      DEBUG(D_tls) debug_printf("Setting TLS ALPN '%s'\n", ob->tls_alpn);
+  }
+#else
+  log_write(0, LOG_MAIN, "ALPN unusable with this GnuTLS library version; ignoring \"%s\"\n",
+          ob->tls_alpn);
+#endif
+
+  {
+  int dh_min_bits = ob->tls_dh_min_bits;
+  if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
+    {
+    DEBUG(D_tls)
+      debug_printf("WARNING: tls_dh_min_bits far too low,"
+		    " clamping %d up to %d\n",
+	  dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
+    dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
+    }
+
+  DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
+		    " acceptable bits to %d\n",
+      dh_min_bits);
+  gnutls_dh_set_prime_bits(state->session, dh_min_bits);
+  }
+
+/* Stick to the old behaviour for compatibility if tls_verify_certificates is
+set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
+the specified host patterns if one of them is defined */
+
+#ifdef SUPPORT_DANE
+if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
+  {
+  DEBUG(D_tls)
+    debug_printf("TLS: server certificate DANE required\n");
+  state->verify_requirement = VERIFY_DANE;
+  gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
+  }
+else
+#endif
+    if (  (  state->exp_tls_verify_certificates
+	  && !ob->tls_verify_hosts
+	  && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
+	  )
+	|| verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
+       )
+  {
+  tls_client_setup_hostname_checks(host, state, ob);
+  DEBUG(D_tls)
+    debug_printf("TLS: server certificate verification required\n");
+  state->verify_requirement = VERIFY_REQUIRED;
+  gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
+  }
+else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
+  {
+  tls_client_setup_hostname_checks(host, state, ob);
+  DEBUG(D_tls)
+    debug_printf("TLS: server certificate verification optional\n");
+  state->verify_requirement = VERIFY_OPTIONAL;
+  gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
+  }
+else
+  {
+  DEBUG(D_tls)
+    debug_printf("TLS: server certificate verification not required\n");
+  state->verify_requirement = VERIFY_NONE;
+  gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
+  }
+
+#ifndef DISABLE_OCSP
+			/* supported since GnuTLS 3.1.3 */
+if (request_ocsp)
+  {
+  DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
+  if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
+		    NULL, 0, NULL)) != OK)
+    {
+    tls_error_gnu(state, US"cert-status-req", rc, errstr);
+    return FALSE;
+    }
+  tlsp->ocsp = OCSP_NOT_RESP;
+  }
+#endif
+
+#ifdef EXIM_HAVE_TLS_RESUME
+tls_client_resume_prehandshake(state, tlsp, conn_args, ob);
+#endif
+
+#ifndef DISABLE_EVENT
+if (tb && tb->event_action)
+  {
+  state->event_action = tb->event_action;
+  gnutls_session_set_ptr(state->session, state);
+  gnutls_certificate_set_verify_function(state->lib_state.x509_cred, verify_cb);
+  }
+#endif
+
+gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
+state->fd_in = cctx->sock;
+state->fd_out = cctx->sock;
+
+DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
+/* There doesn't seem to be a built-in timeout on connection. */
+
+sigalrm_seen = FALSE;
+ALARM(ob->command_timeout);
+do
+  rc = gnutls_handshake(state->session);
+while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
+ALARM_CLR(0);
+
+if (rc != GNUTLS_E_SUCCESS)
+  {
+  if (sigalrm_seen)
+    {
+    gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
+    tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
+    }
+  else
+    tls_error_gnu(state, US"gnutls_handshake", rc, errstr);
+  return FALSE;
+  }
+
+DEBUG(D_tls) post_handshake_debug(state);
+
+/* Verify late */
+
+if (!verify_certificate(state, errstr))
+  {
+  tls_error(US"certificate verification failed", *errstr, state->host, errstr);
+  return FALSE;
+  }
+
+#ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
+if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
+  tlsp->ext_master_secret = TRUE;
+#endif
+
+#ifndef DISABLE_OCSP
+if (request_ocsp)
+  {
+  DEBUG(D_tls)
+    {
+    gnutls_datum_t stapling;
+    gnutls_ocsp_resp_t resp;
+    gnutls_datum_t printed;
+    unsigned idx = 0;
+
+    for (;
+# ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
+	 (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
+#else
+	 (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
+#endif
+	 idx++)
+      if (  (rc= gnutls_ocsp_resp_init(&resp)) == 0
+	 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
+	 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
+	 )
+	{
+	debug_printf("%.4096s", printed.data);
+	gnutls_free(printed.data);
+	}
+      else
+	(void) tls_error_gnu(state, US"ocsp decode", rc, errstr);
+    if (idx == 0 && rc)
+      (void) tls_error_gnu(state, US"ocsp decode", rc, errstr);
+    }
+
+  if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
+    {
+    tlsp->ocsp = OCSP_FAILED;
+    tls_error(US"certificate status check failed", NULL, state->host, errstr);
+    if (require_ocsp)
+      return FALSE;
+    }
+  else
+    {
+    DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
+    tlsp->ocsp = OCSP_VFIED;
+    }
+  }
+#endif
+
+#ifdef EXIM_HAVE_TLS_RESUME
+tls_client_resume_posthandshake(state, tlsp, host);
+#endif
+
+#ifdef EXIM_HAVE_ALPN
+if (ob->tls_alpn)	/* We requested. See what was negotiated. */
+  {
+  gnutls_datum_t p = {.size = 0};
+
+  if (gnutls_alpn_get_selected_protocol(state->session, &p) == 0)
+    { DEBUG(D_tls) debug_printf("ALPN negotiated: '%.*s'\n", (int)p.size, p.data); }
+  else if (verify_check_given_host(CUSS &ob->hosts_require_alpn, host) == OK)
+    {
+    gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_NO_APPLICATION_PROTOCOL);
+    tls_error(US"handshake", US"ALPN required but not negotiated", state->host, errstr);
+    return FALSE;
+    }
+  else
+    DEBUG(D_tls) debug_printf("No ALPN negotiated");
+  }
+#endif
+
+/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
+
+extract_exim_vars_from_tls_state(state);
+
+cctx->tls_ctx = state;
+return TRUE;
+}
+
+
+
+
+/*
+Arguments:
+  ct_ctx	client TLS context pointer, or NULL for the one global server context
+*/
+
+void
+tls_shutdown_wr(void * ct_ctx)
+{
+exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
+tls_support * tlsp = state->tlsp;
+
+if (!tlsp || tlsp->active.sock < 0) return;  /* TLS was not active */
+
+tls_write(ct_ctx, NULL, 0, FALSE);	/* flush write buffer */
+
+HDEBUG(D_transport|D_tls|D_acl|D_v) debug_printf_indent("  SMTP(TLS shutdown)>>\n");
+gnutls_bye(state->session, GNUTLS_SHUT_WR);
+}
+
+/*************************************************
+*         Close down a TLS session               *
+*************************************************/
+
+/* This is also called from within a delivery subprocess forked from the
+daemon, to shut down the TLS library, without actually doing a shutdown (which
+would tamper with the TLS session in the parent process).
+
+Arguments:
+  ct_ctx	client context pointer, or NULL for the one global server context
+  do_shutdown	0 no data-flush or TLS close-alert
+		1 if TLS close-alert is to be sent,
+		2 if also response to be waited for (2s timeout)
+
+Returns:     nothing
+*/
+
+void
+tls_close(void * ct_ctx, int do_shutdown)
+{
+exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
+tls_support * tlsp = state->tlsp;
+
+if (!tlsp || tlsp->active.sock < 0) return;  /* TLS was not active */
+
+if (do_shutdown)
+  {
+  DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
+    do_shutdown > TLS_SHUTDOWN_NOWAIT ? " (with response-wait)" : "");
+
+  tls_write(ct_ctx, NULL, 0, FALSE);	/* flush write buffer */
+
+#ifdef EXIM_TCP_CORK
+  if (do_shutdown == TLS_SHUTDOWN_WAIT)
+    (void) setsockopt(tlsp->active.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &off, sizeof(off));
+#endif
+
+  /* The library seems to have no way to only wait for a peer's
+  shutdown, so handle the same as TLS_SHUTDOWN_WAIT */
+
+  ALARM(2);
+  gnutls_bye(state->session,
+      do_shutdown > TLS_SHUTDOWN_NOWAIT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
+  ALARM_CLR(0);
+  }
+
+if (!ct_ctx)	/* server */
+  {
+  receive_getc =	smtp_getc;
+  receive_getbuf =	smtp_getbuf;
+  receive_get_cache =	smtp_get_cache;
+  receive_hasc =	smtp_hasc;
+  receive_ungetc =	smtp_ungetc;
+  receive_feof =	smtp_feof;
+  receive_ferror =	smtp_ferror;
+  }
+
+gnutls_deinit(state->session);
+tlsp->active.sock = -1;
+tlsp->active.tls_ctx = NULL;
+/* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
+tlsp->channelbinding = NULL;
+
+
+if (state->xfer_buffer) store_free(state->xfer_buffer);
+}
+
+
+
+
+static BOOL
+tls_refill(unsigned lim)
+{
+exim_gnutls_state_st * state = &state_server;
+ssize_t inbytes;
+
+DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, buffersize=%u)\n",
+  state->session, state->xfer_buffer, ssl_xfer_buffer_size);
+
+sigalrm_seen = FALSE;
+if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
+
+errno = 0;
+do
+  inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
+    MIN(ssl_xfer_buffer_size, lim));
+while (inbytes == GNUTLS_E_AGAIN);
+
+if (smtp_receive_timeout > 0) ALARM_CLR(0);
+
+if (had_command_timeout)		/* set by signal handler */
+  smtp_command_timeout_exit();		/* does not return */
+if (had_command_sigterm)
+  smtp_command_sigterm_exit();
+if (had_data_timeout)
+  smtp_data_timeout_exit();
+if (had_data_sigint)
+  smtp_data_sigint_exit();
+
+/* Timeouts do not get this far.  A zero-byte return appears to mean that the
+TLS session has been closed down, not that the socket itself has been closed
+down. Revert to non-TLS handling. */
+
+if (sigalrm_seen)
+  {
+  DEBUG(D_tls) debug_printf("Got tls read timeout\n");
+  state->xfer_error = TRUE;
+  return FALSE;
+  }
+
+else if (inbytes == 0)
+  {
+  DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
+  tls_close(NULL, TLS_NO_SHUTDOWN);
+  return FALSE;
+  }
+
+/* Handle genuine errors */
+
+else if (inbytes < 0)
+  {
+  DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
+  record_io_error(state, (int) inbytes, US"recv", NULL);
+  state->xfer_error = TRUE;
+  return FALSE;
+  }
+#ifndef DISABLE_DKIM
+dkim_exim_verify_feed(state->xfer_buffer, inbytes);
+#endif
+state->xfer_buffer_hwm = (int) inbytes;
+state->xfer_buffer_lwm = 0;
+return TRUE;
+}
+
+/*************************************************
+*            TLS version of getc                 *
+*************************************************/
+
+/* This gets the next byte from the TLS input buffer. If the buffer is empty,
+it refills the buffer via the GnuTLS reading function.
+Only used by the server-side TLS.
+
+This feeds DKIM and should be used for all message-body reads.
+
+Arguments:  lim		Maximum amount to read/buffer
+Returns:    the next character or EOF
+*/
+
+int
+tls_getc(unsigned lim)
+{
+exim_gnutls_state_st * state = &state_server;
+
+if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
+  if (!tls_refill(lim))
+    return state->xfer_error ? EOF : smtp_getc(lim);
+
+/* Something in the buffer; return next uschar */
+
+return state->xfer_buffer[state->xfer_buffer_lwm++];
+}
+
+BOOL
+tls_hasc(void)
+{
+exim_gnutls_state_st * state = &state_server;
+return state->xfer_buffer_lwm < state->xfer_buffer_hwm;
+}
+
+uschar *
+tls_getbuf(unsigned * len)
+{
+exim_gnutls_state_st * state = &state_server;
+unsigned size;
+uschar * buf;
+
+if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
+  if (!tls_refill(*len))
+    {
+    if (!state->xfer_error) return smtp_getbuf(len);
+    *len = 0;
+    return NULL;
+    }
+
+if ((size = state->xfer_buffer_hwm - state->xfer_buffer_lwm) > *len)
+  size = *len;
+buf = &state->xfer_buffer[state->xfer_buffer_lwm];
+state->xfer_buffer_lwm += size;
+*len = size;
+return buf;
+}
+
+
+/* Get up to the given number of bytes from any cached data, and feed to dkim. */
+void
+tls_get_cache(unsigned lim)
+{
+#ifndef DISABLE_DKIM
+exim_gnutls_state_st * state = &state_server;
+int n = state->xfer_buffer_hwm - state->xfer_buffer_lwm;
+if (n > lim)
+  n = lim;
+if (n > 0)
+  dkim_exim_verify_feed(state->xfer_buffer+state->xfer_buffer_lwm, n);
+#endif
+}
+
+
+BOOL
+tls_could_getc(void)
+{
+return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
+ || gnutls_record_check_pending(state_server.session) > 0;
+}
+
+
+/*************************************************
+*          Read bytes from TLS channel           *
+*************************************************/
+
+/* This does not feed DKIM, so if the caller uses this for reading message body,
+then the caller must feed DKIM.
+
+Arguments:
+  ct_ctx    client context pointer, or NULL for the one global server context
+  buff      buffer of data
+  len       size of buffer
+
+Returns:    the number of bytes read
+            -1 after a failed read, including EOF
+*/
+
+int
+tls_read(void * ct_ctx, uschar *buff, size_t len)
+{
+exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
+ssize_t inbytes;
+
+if (len > INT_MAX)
+  len = INT_MAX;
+
+if (state->xfer_buffer_lwm < state->xfer_buffer_hwm)
+  DEBUG(D_tls)
+    debug_printf("*** PROBABLY A BUG *** " \
+        "tls_read() called with data in the tls_getc() buffer, %d ignored\n",
+        state->xfer_buffer_hwm - state->xfer_buffer_lwm);
+
+DEBUG(D_tls)
+  debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, len=" SIZE_T_FMT ")\n",
+      state->session, buff, len);
+
+errno = 0;
+do
+  inbytes = gnutls_record_recv(state->session, buff, len);
+while (inbytes == GNUTLS_E_AGAIN);
+
+if (inbytes > 0) return inbytes;
+if (inbytes == 0)
+  {
+  DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
+  }
+else
+  {
+  DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
+  record_io_error(state, (int)inbytes, US"recv", NULL);
+  }
+
+return -1;
+}
+
+
+
+
+/*************************************************
+*         Write bytes down TLS channel           *
+*************************************************/
+
+/*
+Arguments:
+  ct_ctx    client context pointer, or NULL for the one global server context
+  buff      buffer of data
+  len       number of bytes
+  more	    more data expected soon
+
+Calling with len zero and more unset will flush buffered writes.  The buff
+argument can be null for that case.
+
+Returns:    the number of bytes after a successful write,
+            -1 after a failed write
+*/
+
+int
+tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
+{
+ssize_t outbytes;
+size_t left = len;
+exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
+
+#ifdef SUPPORT_CORK
+if (more && !state->corked)
+  {
+  DEBUG(D_tls) debug_printf("gnutls_record_cork(session=%p)\n", state->session);
+  gnutls_record_cork(state->session);
+  state->corked = TRUE;
+  }
+#endif
+
+DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__,
+  buff, left, more ? ", more" : "");
+
+while (left > 0)
+  {
+  DEBUG(D_tls) debug_printf("gnutls_record_send(session=%p, buffer=%p, left=" SIZE_T_FMT ")\n",
+      state->session, buff, left);
+
+  errno = 0;
+  do
+    outbytes = gnutls_record_send(state->session, buff, left);
+  while (outbytes == GNUTLS_E_AGAIN);
+
+  DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
+
+  if (outbytes < 0)
+    {
+#ifdef GNUTLS_E_PREMATURE_TERMINATION
+    if (  outbytes == GNUTLS_E_PREMATURE_TERMINATION && errno == ECONNRESET
+       && !ct_ctx && f.smtp_in_quit
+       )
+      {					/* Outlook, dammit */
+      if (LOGGING(protocol_detail))
+	log_write(0, LOG_MAIN, "[%s] after QUIT, client reset TCP before"
+	  " SMTP response and TLS close\n", sender_host_address);
+      else
+	DEBUG(D_tls) debug_printf("[%s] SSL_write: after QUIT,"
+	  " client reset TCP before TLS close\n", sender_host_address);
+      }
+    else
+#endif
+      {
+      DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
+      record_io_error(state, outbytes, US"send", NULL);
+      }
+    return -1;
+    }
+  if (outbytes == 0)
+    {
+    record_io_error(state, 0, US"send", US"TLS channel closed on write");
+    return -1;
+    }
+
+  left -= outbytes;
+  buff += outbytes;
+  }
+
+if (len > INT_MAX)
+  {
+  DEBUG(D_tls)
+    debug_printf("Whoops!  Wrote more bytes (" SIZE_T_FMT ") than INT_MAX\n",
+        len);
+  len = INT_MAX;
+  }
+
+#ifdef SUPPORT_CORK
+if (!more && state->corked)
+  {
+  DEBUG(D_tls) debug_printf("gnutls_record_uncork(session=%p)\n", state->session);
+  do
+    /* We can't use GNUTLS_RECORD_WAIT here, as it retries on
+    GNUTLS_E_AGAIN || GNUTLS_E_INTR, which would break our timeout set by alarm().
+    The GNUTLS_E_AGAIN should not happen ever, as our sockets are blocking anyway.
+    But who knows. (That all relies on the fact that GNUTLS_E_INTR and GNUTLS_E_AGAIN
+    match the EINTR and EAGAIN errno values.) */
+    outbytes = gnutls_record_uncork(state->session, 0);
+  while (outbytes == GNUTLS_E_AGAIN);
+
+  if (outbytes < 0)
+    {
+    record_io_error(state, len, US"uncork", NULL);
+    return -1;
+    }
+
+  state->corked = FALSE;
+  }
+#endif
+
+return (int) len;
+}
+
+
+
+
+/*************************************************
+*            Random number generation            *
+*************************************************/
+
+/* Pseudo-random number generation.  The result is not expected to be
+cryptographically strong but not so weak that someone will shoot themselves
+in the foot using it as a nonce in input in some email header scheme or
+whatever weirdness they'll twist this into.  The result should handle fork()
+and avoid repeating sequences.  OpenSSL handles that for us.
+
+Arguments:
+  max       range maximum
+Returns     a random number in range [0, max-1]
+*/
+
+#ifdef HAVE_GNUTLS_RND
+int
+vaguely_random_number(int max)
+{
+unsigned int r;
+int i, needed_len;
+uschar smallbuf[sizeof(r)];
+
+if (max <= 1)
+  return 0;
+
+needed_len = sizeof(r);
+/* Don't take 8 times more entropy than needed if int is 8 octets and we were
+asked for a number less than 10. */
+
+for (r = max, i = 0; r; ++i)
+  r >>= 1;
+i = (i + 7) / 8;
+if (i < needed_len)
+  needed_len = i;
+
+i = gnutls_rnd(GNUTLS_RND_NONCE, smallbuf, needed_len);
+if (i < 0)
+  {
+  DEBUG(D_all) debug_printf("gnutls_rnd() failed, using fallback\n");
+  return vaguely_random_number_fallback(max);
+  }
+r = 0;
+for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
+  r = r * 256 + *p;
+
+/* We don't particularly care about weighted results; if someone wants
+ * smooth distribution and cares enough then they should submit a patch then. */
+return r % max;
+}
+#else /* HAVE_GNUTLS_RND */
+int
+vaguely_random_number(int max)
+{
+  return vaguely_random_number_fallback(max);
+}
+#endif /* HAVE_GNUTLS_RND */
+
+
+
+
+/*************************************************
+*  Let tls_require_ciphers be checked at startup *
+*************************************************/
+
+/* The tls_require_ciphers option, if set, must be something which the
+library can parse.
+
+Returns:     NULL on success, or error message
+*/
+
+uschar *
+tls_validate_require_cipher(void)
+{
+int rc;
+uschar *expciphers = NULL;
+gnutls_priority_t priority_cache;
+const char *errpos;
+uschar * dummy_errstr;
+
+#ifdef GNUTLS_AUTO_GLOBAL_INIT
+# define validate_check_rc(Label) do { \
+  if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) \
+    return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
+# define return_deinit(Label) do { return (Label); } while (0)
+#else
+# define validate_check_rc(Label) do { \
+  if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
+    return string_sprintf("%s failed: %s", (Label), gnutls_strerror(rc)); } } while (0)
+# define return_deinit(Label) do { gnutls_global_deinit(); return (Label); } while (0)
+#endif
+
+if (exim_gnutls_base_init_done)
+  log_write(0, LOG_MAIN|LOG_PANIC,
+      "already initialised GnuTLS, Exim developer bug");
+
+#if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
+if (!gnutls_allow_auto_pkcs11)
+  {
+  rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+  validate_check_rc(US"gnutls_pkcs11_init");
+  }
+#endif
+#ifndef GNUTLS_AUTO_GLOBAL_INIT
+rc = gnutls_global_init();
+validate_check_rc(US"gnutls_global_init()");
+#endif
+exim_gnutls_base_init_done = TRUE;
+
+if (!(tls_require_ciphers && *tls_require_ciphers))
+  return_deinit(NULL);
+
+if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
+		  &dummy_errstr))
+  return_deinit(US"failed to expand tls_require_ciphers");
+
+if (!(expciphers && *expciphers))
+  return_deinit(NULL);
+
+DEBUG(D_tls)
+  debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
+
+rc = gnutls_priority_init(&priority_cache, CS expciphers, &errpos);
+validate_check_rc(string_sprintf(
+      "gnutls_priority_init(%s) failed at offset %ld, \"%.8s..\"",
+      expciphers, (long)(errpos - CS expciphers), errpos));
+
+#undef return_deinit
+#undef validate_check_rc
+#ifndef GNUTLS_AUTO_GLOBAL_INIT
+gnutls_global_deinit();
+#endif
+
+return NULL;
+}
+
+
+
+
+/*************************************************
+*         Report the library versions.           *
+*************************************************/
+
+/* See a description in tls-openssl.c for an explanation of why this exists.
+
+Arguments:   string to append to
+Returns:     string
+*/
+
+gstring *
+tls_version_report(gstring * g)
+{
+return string_fmt_append(g,
+    "Library version: GnuTLS: Compile: %s\n"
+    "                         Runtime: %s\n",
+	     LIBGNUTLS_VERSION,
+	     gnutls_check_version(NULL));
+}
+
+#endif	/*!MACRO_PREDEF*/
+/* vi: aw ai sw=2
+*/
+/* End of tls-gnu.c */
diff --git a/src/tls-openssl.c b/src/tls-openssl.c
new file mode 100644
index 0000000..2b8a4e6
--- /dev/null
+++ b/src/tls-openssl.c
@@ -0,0 +1,4894 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2019 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Portions Copyright (c) The OpenSSL Project 1999 */
+
+/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
+library. It is #included into the tls.c file when that library is used. The
+code herein is based on a patch that was originally contributed by Steve
+Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
+
+No cryptographic code is included in Exim. All this module does is to call
+functions from the OpenSSL library. */
+
+
+/* Heading stuff */
+
+#include <openssl/lhash.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#ifndef OPENSSL_NO_ECDH
+# include <openssl/ec.h>
+#endif
+#ifndef DISABLE_OCSP
+# include <openssl/ocsp.h>
+#endif
+#ifdef SUPPORT_DANE
+# include "danessl.h"
+#endif
+
+
+#ifndef DISABLE_OCSP
+# define EXIM_OCSP_SKEW_SECONDS (300L)
+# define EXIM_OCSP_MAX_AGE (-1L)
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+# define EXIM_HAVE_OPENSSL_TLSEXT
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+# define EXIM_HAVE_RSA_GENKEY_EX
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+# define EXIM_HAVE_OCSP_RESP_COUNT
+# define OPENSSL_AUTO_SHA256
+#else
+# define EXIM_HAVE_EPHEM_RSA_KEX
+# define EXIM_HAVE_RAND_PSEUDO
+#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
+# define EXIM_HAVE_SHA256
+#endif
+
+/* X509_check_host provides sane certificate hostname checking, but was added
+to OpenSSL late, after other projects forked off the code-base.  So in
+addition to guarding against the base version number, beware that LibreSSL
+does not (at this time) support this function.
+
+If LibreSSL gains a different API, perhaps via libtls, then we'll probably
+opt to disentangle and ask a LibreSSL user to provide glue for a third
+crypto provider for libtls instead of continuing to tie the OpenSSL glue
+into even twistier knots.  If LibreSSL gains the same API, we can just
+change this guard and punt the issue for a while longer. */
+
+#ifndef LIBRESSL_VERSION_NUMBER
+# if OPENSSL_VERSION_NUMBER >= 0x010100000L
+#  define EXIM_HAVE_OPENSSL_CHECKHOST
+#  define EXIM_HAVE_OPENSSL_DH_BITS
+#  define EXIM_HAVE_OPENSSL_TLS_METHOD
+#  define EXIM_HAVE_OPENSSL_KEYLOG
+#  define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
+#  define EXIM_HAVE_SESSION_TICKET
+#  define EXIM_HAVE_OPESSL_TRACE
+#  define EXIM_HAVE_OPESSL_GET0_SERIAL
+#  ifndef DISABLE_OCSP
+#   define EXIM_HAVE_OCSP
+#  endif
+#  define EXIM_HAVE_ALPN /* fail ret from hshake-cb is ignored by LibreSSL */
+# else
+#  define EXIM_NEED_OPENSSL_INIT
+# endif
+# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
+    && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
+#  define EXIM_HAVE_OPENSSL_CHECKHOST
+# endif
+#endif
+
+#if LIBRESSL_VERSION_NUMBER >= 0x3040000fL
+# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
+#endif
+
+#if !defined(LIBRESSL_VERSION_NUMBER) \
+    || LIBRESSL_VERSION_NUMBER >= 0x20010000L
+# if !defined(OPENSSL_NO_ECDH)
+#  if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#   define EXIM_HAVE_ECDH
+#  endif
+#  if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#   define EXIM_HAVE_OPENSSL_EC_NIST2NID
+#  endif
+# endif
+#endif
+
+#ifndef LIBRESSL_VERSION_NUMBER
+# if OPENSSL_VERSION_NUMBER >= 0x010101000L
+#  define OPENSSL_HAVE_KEYLOG_CB
+#  define OPENSSL_HAVE_NUM_TICKETS
+#  define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
+# else
+#  define OPENSSL_BAD_SRVR_OURCERT
+# endif
+#endif
+
+#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
+# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
+# define DISABLE_OCSP
+#endif
+
+#ifndef DISABLE_TLS_RESUME
+# if OPENSSL_VERSION_NUMBER < 0x0101010L
+#  error OpenSSL version too old for session-resumption
+# endif
+#endif
+
+#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
+# include <openssl/x509v3.h>
+#endif
+
+#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
+# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
+#  define SSL_CIPHER_get_id(c) (c->id)
+# endif
+# ifndef MACRO_PREDEF
+#  include "tls-cipher-stdname.c"
+# endif
+#endif
+
+/*************************************************
+*        OpenSSL option parse                    *
+*************************************************/
+
+typedef struct exim_openssl_option {
+  uschar *name;
+  long    value;
+} exim_openssl_option;
+/* We could use a macro to expand, but we need the ifdef and not all the
+options document which version they were introduced in.  Policylet: include
+all options unless explicitly for DTLS, let the administrator choose which
+to apply.
+
+This list is current as of:
+  ==>  1.1.1c  <==
+
+XXX could we autobuild this list, as with predefined-macros?
+Seems just parsing ssl.h for SSL_OP_.* would be enough (except to exclude DTLS).
+Also allow a numeric literal?
+*/
+static exim_openssl_option exim_openssl_options[] = {
+/* KEEP SORTED ALPHABETICALLY! */
+#ifdef SSL_OP_ALL
+  { US"all", (long) SSL_OP_ALL },
+#endif
+#ifdef SSL_OP_ALLOW_NO_DHE_KEX
+  { US"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX },
+#endif
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+  { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
+#endif
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+  { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
+#endif
+#ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
+  { US"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG },
+#endif
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+  { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
+#endif
+#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+  { US"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT },
+#endif
+#ifdef SSL_OP_EPHEMERAL_RSA
+  { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
+#endif
+#ifdef SSL_OP_LEGACY_SERVER_CONNECT
+  { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
+#endif
+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+  { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
+#endif
+#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
+  { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
+#endif
+#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
+  { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
+#endif
+#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
+  { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
+#endif
+#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+  { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
+#endif
+#ifdef SSL_OP_NO_ANTI_REPLAY
+  { US"no_anti_replay", SSL_OP_NO_ANTI_REPLAY },
+#endif
+#ifdef SSL_OP_NO_COMPRESSION
+  { US"no_compression", SSL_OP_NO_COMPRESSION },
+#endif
+#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC
+  { US"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC },
+#endif
+#ifdef SSL_OP_NO_RENEGOTIATION
+  { US"no_renegotiation", SSL_OP_NO_RENEGOTIATION },
+#endif
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+  { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
+#endif
+#ifdef SSL_OP_NO_SSLv2
+  { US"no_sslv2", SSL_OP_NO_SSLv2 },
+#endif
+#ifdef SSL_OP_NO_SSLv3
+  { US"no_sslv3", SSL_OP_NO_SSLv3 },
+#endif
+#ifdef SSL_OP_NO_TICKET
+  { US"no_ticket", SSL_OP_NO_TICKET },
+#endif
+#ifdef SSL_OP_NO_TLSv1
+  { US"no_tlsv1", SSL_OP_NO_TLSv1 },
+#endif
+#ifdef SSL_OP_NO_TLSv1_1
+# if OPENSSL_VERSION_NUMBER < 0x30000000L
+#  if SSL_OP_NO_TLSv1_1 == 0x00000400L
+  /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
+#   warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
+#   define NO_SSL_OP_NO_TLSv1_1
+#  endif
+# endif
+# ifndef NO_SSL_OP_NO_TLSv1_1
+  { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
+# endif
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+  { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
+#endif
+#ifdef SSL_OP_NO_TLSv1_3
+  { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
+#endif
+#ifdef SSL_OP_PRIORITIZE_CHACHA
+  { US"prioritize_chacha", SSL_OP_PRIORITIZE_CHACHA },
+#endif
+#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
+  { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
+#endif
+#ifdef SSL_OP_SINGLE_DH_USE
+  { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
+#endif
+#ifdef SSL_OP_SINGLE_ECDH_USE
+  { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
+#endif
+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+  { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
+#endif
+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+  { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
+#endif
+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
+  { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
+#endif
+#ifdef SSL_OP_TLS_D5_BUG
+  { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
+#endif
+#ifdef SSL_OP_TLS_ROLLBACK_BUG
+  { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
+#endif
+#ifdef SSL_OP_TLSEXT_PADDING
+  { US"tlsext_padding", SSL_OP_TLSEXT_PADDING },
+#endif
+};
+
+#ifndef MACRO_PREDEF
+static int exim_openssl_options_size = nelem(exim_openssl_options);
+static long init_options = 0;
+#endif
+
+#ifdef MACRO_PREDEF
+void
+options_tls(void)
+{
+uschar buf[64];
+
+for (struct exim_openssl_option * o = exim_openssl_options;
+     o < exim_openssl_options + nelem(exim_openssl_options); o++)
+  {
+  /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
+  being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
+
+  spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
+  builtin_macro_create(buf);
+  }
+
+# ifndef DISABLE_TLS_RESUME
+builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
+# endif
+# ifdef SSL_OP_NO_TLSv1_3
+builtin_macro_create(US"_HAVE_TLS1_3");
+# endif
+# ifdef OPENSSL_BAD_SRVR_OURCERT
+builtin_macro_create(US"_TLS_BAD_MULTICERT_IN_OURCERT");
+# endif
+# ifdef EXIM_HAVE_OCSP
+builtin_macro_create(US"_HAVE_TLS_OCSP");
+builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
+# endif
+# ifdef EXIM_HAVE_ALPN
+builtin_macro_create(US"_HAVE_TLS_ALPN");
+# endif
+}
+#else
+
+/******************************************************************************/
+
+/* Structure for collecting random data for seeding. */
+
+typedef struct randstuff {
+  struct timeval tv;
+  pid_t          p;
+} randstuff;
+
+/* Local static variables */
+
+static BOOL client_verify_callback_called = FALSE;
+static BOOL server_verify_callback_called = FALSE;
+static const uschar *sid_ctx = US"exim";
+
+/* We have three different contexts to care about.
+
+Simple case: client, `client_ctx`
+ As a client, we can be doing a callout or cut-through delivery while receiving
+ a message.  So we have a client context, which should have options initialised
+ from the SMTP Transport.  We may also concurrently want to make TLS connections
+ to utility daemons, so client-contexts are allocated and passed around in call
+ args rather than using a gobal.
+
+Server:
+ There are two cases: with and without ServerNameIndication from the client.
+ Given TLS SNI, we can be using different keys, certs and various other
+ configuration settings, because they're re-expanded with $tls_sni set.  This
+ allows vhosting with TLS.  This SNI is sent in the handshake.
+ A client might not send SNI, so we need a fallback, and an initial setup too.
+ So as a server, we start out using `server_ctx`.
+ If SNI is sent by the client, then we as server, mid-negotiation, try to clone
+ `server_sni` from `server_ctx` and then initialise settings by re-expanding
+ configuration.
+*/
+
+typedef struct {
+  SSL_CTX *	ctx;
+  SSL *		ssl;
+  gstring *	corked;
+} exim_openssl_client_tls_ctx;
+
+
+/* static SSL_CTX *server_ctx = NULL; */
+/* static SSL     *server_ssl = NULL; */
+
+#ifdef EXIM_HAVE_OPENSSL_TLSEXT
+static SSL_CTX *server_sni = NULL;
+#endif
+#ifdef EXIM_HAVE_ALPN
+static BOOL server_seen_alpn = FALSE;
+#endif
+
+static char ssl_errstring[256];
+
+static int  ssl_session_timeout = 7200;		/* Two hours */
+static BOOL client_verify_optional = FALSE;
+static BOOL server_verify_optional = FALSE;
+
+static BOOL reexpand_tls_files_for_sni = FALSE;
+
+
+typedef struct ocsp_resp {
+  struct ocsp_resp *	next;
+  OCSP_RESPONSE *	resp;
+} ocsp_resplist;
+
+typedef struct exim_openssl_state {
+  exim_tlslib_state	lib_state;
+#define lib_ctx			libdata0
+#define lib_ssl			libdata1
+
+  tls_support *	tlsp;
+  uschar *	certificate;
+  uschar *	privatekey;
+  BOOL		is_server;
+#ifndef DISABLE_OCSP
+  STACK_OF(X509) *verify_stack;		/* chain for verifying the proof */
+  union {
+    struct {
+      uschar        *file;
+      const uschar  *file_expanded;
+      ocsp_resplist *olist;
+    } server;
+    struct {
+      X509_STORE    *verify_store;	/* non-null if status requested */
+      BOOL	    verify_required;
+    } client;
+  } u_ocsp;
+#endif
+  uschar *	dhparam;
+  /* these are cached from first expand */
+  uschar *	server_cipher_list;
+  /* only passed down to tls_error: */
+  host_item *	host;
+  const uschar * verify_cert_hostnames;
+#ifndef DISABLE_EVENT
+  uschar *	event_action;
+#endif
+} exim_openssl_state_st;
+
+/* should figure out a cleanup of API to handle state preserved per
+implementation, for various reasons, which can be void * in the APIs.
+For now, we hack around it. */
+exim_openssl_state_st *client_static_state = NULL;	/*XXX should not use static; multiple concurrent clients! */
+exim_openssl_state_st state_server = {.is_server = TRUE};
+
+static int
+setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host,
+    uschar ** errstr );
+
+/* Callbacks */
+#ifndef DISABLE_OCSP
+static int tls_server_stapling_cb(SSL *s, void *arg);
+#endif
+
+
+
+/* Daemon-called, before every connection, key create/rotate */
+#ifndef DISABLE_TLS_RESUME
+static void tk_init(void);
+static int tls_exdata_idx = -1;
+#endif
+
+static void
+tls_per_lib_daemon_tick(void)
+{
+#ifndef DISABLE_TLS_RESUME
+tk_init();
+#endif
+}
+
+/* Called once at daemon startup */
+
+static void
+tls_per_lib_daemon_init(void)
+{
+tls_daemon_creds_reload();
+}
+
+
+/*************************************************
+*               Handle TLS error                 *
+*************************************************/
+
+/* Called from lots of places when errors occur before actually starting to do
+the TLS handshake, that is, while the session is still in clear. Always returns
+DEFER for a server and FAIL for a client so that most calls can use "return
+tls_error(...)" to do this processing and then give an appropriate return. A
+single function is used for both server and client, because it is called from
+some shared functions.
+
+Argument:
+  prefix    text to include in the logged error
+  host      NULL if setting up a server;
+            the connected host if setting up a client
+  msg       error message or NULL if we should ask OpenSSL
+  errstr    pointer to output error message
+
+Returns:    OK/DEFER/FAIL
+*/
+
+static int
+tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
+{
+if (!msg)
+  {
+  ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
+  msg = US ssl_errstring;
+  }
+
+msg = string_sprintf("(%s): %s", prefix, msg);
+DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
+if (errstr) *errstr = msg;
+return host ? FAIL : DEFER;
+}
+
+
+
+/**************************************************
+* General library initalisation                   *
+**************************************************/
+
+static BOOL
+lib_rand_init(void * addr)
+{
+randstuff r;
+if (!RAND_status()) return TRUE;
+
+gettimeofday(&r.tv, NULL);
+r.p = getpid();
+RAND_seed(US (&r), sizeof(r));
+RAND_seed(US big_buffer, big_buffer_size);
+if (addr) RAND_seed(US addr, sizeof(addr));
+
+return RAND_status();
+}
+
+
+static void
+tls_openssl_init(void)
+{
+static BOOL once = FALSE;
+if (once) return;
+once = TRUE;
+
+#ifdef EXIM_NEED_OPENSSL_INIT
+SSL_load_error_strings();          /* basic set up */
+OpenSSL_add_ssl_algorithms();
+#endif
+
+#if defined(EXIM_HAVE_SHA256) && !defined(OPENSSL_AUTO_SHA256)
+/* SHA256 is becoming ever more popular. This makes sure it gets added to the
+list of available digests. */
+EVP_add_digest(EVP_sha256());
+#endif
+
+(void) lib_rand_init(NULL);
+(void) tls_openssl_options_parse(openssl_options, &init_options);
+}
+
+
+
+/*************************************************
+*                Initialize for DH               *
+*************************************************/
+
+/* If dhparam is set, expand it, and load up the parameters for DH encryption.
+Server only.
+
+Arguments:
+  sctx      The current SSL CTX (inbound or outbound)
+  dhparam   DH parameter file or fixed parameter identity string
+  errstr    error string pointer
+
+Returns:    TRUE if OK (nothing to set up, or setup worked)
+*/
+
+static BOOL
+init_dh(SSL_CTX * sctx, uschar * dhparam, uschar ** errstr)
+{
+BIO * bio;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+DH * dh;
+#else
+EVP_PKEY * pkey;
+#endif
+uschar * dhexpanded;
+const char * pem;
+int dh_bitsize;
+
+if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
+  return FALSE;
+
+if (!dhexpanded || !*dhexpanded)
+  bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
+else if (dhexpanded[0] == '/')
+  {
+  if (!(bio = BIO_new_file(CS dhexpanded, "r")))
+    {
+    tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
+          NULL, US strerror(errno), errstr);
+    return FALSE;
+    }
+  }
+else
+  {
+  if (Ustrcmp(dhexpanded, "none") == 0)
+    {
+    DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
+    return TRUE;
+    }
+
+  if (!(pem = std_dh_prime_named(dhexpanded)))
+    {
+    tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
+        NULL, US strerror(errno), errstr);
+    return FALSE;
+    }
+  bio = BIO_new_mem_buf(CS pem, -1);
+  }
+
+if (!(
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+      dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)
+#else
+      pkey = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL)
+#endif
+   ) )
+  {
+  BIO_free(bio);
+  tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
+      NULL, NULL, errstr);
+  return FALSE;
+  }
+
+/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
+an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with 2236.
+But older OpenSSL can only report in bytes (octets), not bits.  If someone wants
+to dance at the edge, then they can raise the limit or use current libraries. */
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+# ifdef EXIM_HAVE_OPENSSL_DH_BITS
+/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
+This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
+dh_bitsize = DH_bits(dh);
+# else
+dh_bitsize = 8 * DH_size(dh);
+# endif
+#else	/* 3.0.0 + */
+dh_bitsize = EVP_PKEY_get_bits(pkey);
+#endif
+
+/* Even if it is larger, we silently return success rather than cause things to
+fail out, so that a too-large DH will not knock out all TLS; it's a debatable
+choice.  Likewise for a failing attempt to set one. */
+
+if (dh_bitsize <= tls_dh_max_bits)
+  {
+  if (
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+      SSL_CTX_set_tmp_dh(sctx, dh)
+#else
+      SSL_CTX_set0_tmp_dh_pkey(sctx, pkey)
+#endif
+      == 0)
+    {
+    ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
+    log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (D-H param setting '%s'): %s",
+	dhexpanded ? dhexpanded : US"default", ssl_errstring);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+    /* EVP_PKEY_free(pkey);  crashes */
+#endif
+    }
+  else
+    DEBUG(D_tls)
+      debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
+	dhexpanded ? dhexpanded : US"default", dh_bitsize);
+  }
+else
+  DEBUG(D_tls)
+    debug_printf("dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n",
+	dhexpanded ? dhexpanded : US"default", dh_bitsize, tls_dh_max_bits);
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+DH_free(dh);
+#endif
+/* The EVP_PKEY ownership stays with the ctx; do not free it */
+
+BIO_free(bio);
+return TRUE;
+}
+
+
+
+
+/*************************************************
+*               Initialize for ECDH              *
+*************************************************/
+
+/* Load parameters for ECDH encryption.  Server only.
+
+For now, we stick to NIST P-256 because: it's simple and easy to configure;
+it avoids any patent issues that might bite redistributors; despite events in
+the news and concerns over curve choices, we're not cryptographers, we're not
+pretending to be, and this is "good enough" to be better than no support,
+protecting against most adversaries.  Given another year or two, there might
+be sufficient clarity about a "right" way forward to let us make an informed
+decision, instead of a knee-jerk reaction.
+
+Longer-term, we should look at supporting both various named curves and
+external files generated with "openssl ecparam", much as we do for init_dh().
+We should also support "none" as a value, to explicitly avoid initialisation.
+
+Patches welcome.
+
+Arguments:
+  sctx      The current SSL CTX (inbound or outbound)
+  errstr    error string pointer
+
+Returns:    TRUE if OK (nothing to set up, or setup worked)
+*/
+
+static BOOL
+init_ecdh(SSL_CTX * sctx, uschar ** errstr)
+{
+#ifdef OPENSSL_NO_ECDH
+return TRUE;
+#else
+
+uschar * exp_curve;
+int nid;
+BOOL rv;
+
+# ifndef EXIM_HAVE_ECDH
+DEBUG(D_tls)
+  debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
+return TRUE;
+# else
+
+if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
+  return FALSE;
+if (!exp_curve || !*exp_curve)
+  return TRUE;
+
+/* "auto" needs to be handled carefully.
+ * OpenSSL <  1.0.2: we do not select anything, but fallback to prime256v1
+ * OpenSSL <  1.1.0: we have to call SSL_CTX_set_ecdh_auto
+ *                   (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
+ * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
+ *                   https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
+ */
+if (Ustrcmp(exp_curve, "auto") == 0)
+  {
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+  DEBUG(D_tls) debug_printf(
+    "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
+  exp_curve = US"prime256v1";
+#else
+# if defined SSL_CTRL_SET_ECDH_AUTO
+  DEBUG(D_tls) debug_printf(
+    "ECDH OpenSSL 1.0.2+: temp key parameter settings: autoselection\n");
+  SSL_CTX_set_ecdh_auto(sctx, 1);
+  return TRUE;
+# else
+  DEBUG(D_tls) debug_printf(
+    "ECDH OpenSSL 1.1.0+: temp key parameter settings: default selection\n");
+  return TRUE;
+# endif
+#endif
+  }
+
+DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
+if (  (nid = OBJ_sn2nid       (CCS exp_curve)) == NID_undef
+#   ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
+   && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
+#   endif
+   )
+  {
+  tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
+    NULL, NULL, errstr);
+  return FALSE;
+  }
+
+# if OPENSSL_VERSION_NUMBER < 0x30000000L
+ {
+  EC_KEY * ecdh;
+  if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
+    {
+    tls_error(US"Unable to create ec curve", NULL, NULL, errstr);
+    return FALSE;
+    }
+
+  /* The "tmp" in the name here refers to setting a temporary key
+  not to the stability of the interface. */
+
+  if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
+    tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr);
+  else
+    DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
+  EC_KEY_free(ecdh);
+ }
+
+#else	/* v 3.0.0 + */
+
+if ((rv = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0)
+  tls_error(string_sprintf("Error enabling '%s' group", exp_curve), NULL, NULL, errstr);
+else
+  DEBUG(D_tls) debug_printf("ECDH: enabled '%s' group\n", exp_curve);
+
+#endif
+
+return !rv;
+
+# endif	/*EXIM_HAVE_ECDH*/
+#endif /*OPENSSL_NO_ECDH*/
+}
+
+
+
+/*************************************************
+*        Expand key and cert file specs          *
+*************************************************/
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+/*
+Arguments:
+  s          SSL connection (not used)
+  export     not used
+  keylength  keylength
+
+Returns:     pointer to generated key
+*/
+
+static RSA *
+rsa_callback(SSL *s, int export, int keylength)
+{
+RSA *rsa_key;
+#ifdef EXIM_HAVE_RSA_GENKEY_EX
+BIGNUM *bn = BN_new();
+#endif
+
+DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
+
+# ifdef EXIM_HAVE_RSA_GENKEY_EX
+if (  !BN_set_word(bn, (unsigned long)RSA_F4)
+   || !(rsa_key = RSA_new())
+   || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
+   )
+# else
+if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
+# endif
+
+  {
+  ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
+  log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
+    ssl_errstring);
+  return NULL;
+  }
+return rsa_key;
+}
+#endif	/* pre-3.0.0 */
+
+
+
+/* Create and install a selfsigned certificate, for use in server mode */
+/*XXX we could arrange to call this during prelo for a null tls_certificate option.
+The normal cache inval + relo will suffice.
+Just need a timer for inval. */
+
+static int
+tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
+{
+X509 * x509 = NULL;
+EVP_PKEY * pkey;
+X509_NAME * name;
+uschar * where;
+
+DEBUG(D_tls) debug_printf("TLS: generating selfsigned server cert\n");
+where = US"allocating pkey";
+if (!(pkey = EVP_PKEY_new()))
+  goto err;
+
+where = US"allocating cert";
+if (!(x509 = X509_new()))
+  goto err;
+
+where = US"generating pkey";
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ {
+  RSA * rsa;
+  if (!(rsa = rsa_callback(NULL, 0, 2048)))
+    goto err;
+
+  where = US"assigning pkey";
+  if (!EVP_PKEY_assign_RSA(pkey, rsa))
+    goto err;
+ }
+#else
+pkey = EVP_RSA_gen(2048);
+#endif
+
+X509_set_version(x509, 2);				/* N+1 - version 3 */
+ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
+X509_gmtime_adj(X509_get_notBefore(x509), 0);
+X509_gmtime_adj(X509_get_notAfter(x509), (long)2 * 60 * 60);	/* 2 hour */
+X509_set_pubkey(x509, pkey);
+
+name = X509_get_subject_name(x509);
+X509_NAME_add_entry_by_txt(name, "C",
+			  MBSTRING_ASC, CUS "UK", -1, -1, 0);
+X509_NAME_add_entry_by_txt(name, "O",
+			  MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
+X509_NAME_add_entry_by_txt(name, "CN",
+			  MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
+X509_set_issuer_name(x509, name);
+
+where = US"signing cert";
+if (!X509_sign(x509, pkey, EVP_md5()))
+  goto err;
+
+where = US"installing selfsign cert";
+if (!SSL_CTX_use_certificate(sctx, x509))
+  goto err;
+
+where = US"installing selfsign key";
+if (!SSL_CTX_use_PrivateKey(sctx, pkey))
+  goto err;
+
+return OK;
+
+err:
+  (void) tls_error(where, NULL, NULL, errstr);
+  if (x509) X509_free(x509);
+  if (pkey) EVP_PKEY_free(pkey);
+  return DEFER;
+}
+
+
+
+
+
+
+
+/*************************************************
+*           Information callback                 *
+*************************************************/
+
+/* The SSL library functions call this from time to time to indicate what they
+are doing. We copy the string to the debugging output when TLS debugging has
+been requested.
+
+Arguments:
+  s         the SSL connection
+  where
+  ret
+
+Returns:    nothing
+*/
+
+static void
+info_callback(SSL *s, int where, int ret)
+{
+DEBUG(D_tls)
+  {
+  const uschar * str;
+
+  if (where & SSL_ST_CONNECT)
+     str = US"SSL_connect";
+  else if (where & SSL_ST_ACCEPT)
+     str = US"SSL_accept";
+  else
+     str = US"SSL info (undefined)";
+
+  if (where & SSL_CB_LOOP)
+     debug_printf("%s: %s\n", str, SSL_state_string_long(s));
+  else if (where & SSL_CB_ALERT)
+    debug_printf("SSL3 alert %s:%s:%s\n",
+	  str = where & SSL_CB_READ ? US"read" : US"write",
+	  SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
+  else if (where & SSL_CB_EXIT)
+    {
+    if (ret == 0)
+      debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
+    else if (ret < 0)
+      debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
+    }
+  else if (where & SSL_CB_HANDSHAKE_START)
+     debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
+  else if (where & SSL_CB_HANDSHAKE_DONE)
+     debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
+  }
+}
+
+#ifdef OPENSSL_HAVE_KEYLOG_CB
+static void
+keylog_callback(const SSL *ssl, const char *line)
+{
+char * filename;
+FILE * fp;
+DEBUG(D_tls) debug_printf("%.200s\n", line);
+if (!(filename = getenv("SSLKEYLOGFILE"))) return;
+if (!(fp = fopen(filename, "a"))) return;
+fprintf(fp, "%s\n", line);
+fclose(fp);
+}
+#endif
+
+
+
+
+
+#ifndef DISABLE_EVENT
+static int
+verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
+  BOOL *calledp, const BOOL *optionalp, const uschar * what)
+{
+uschar * ev;
+uschar * yield;
+X509 * old_cert;
+
+ev = tlsp == &tls_out ? client_static_state->event_action : event_action;
+if (ev)
+  {
+  DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
+  old_cert = tlsp->peercert;
+  tlsp->peercert = X509_dup(cert);
+  /* NB we do not bother setting peerdn */
+  if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth), &errno)))
+    {
+    log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
+		"depth=%d cert=%s: %s",
+	      tlsp == &tls_out ? deliver_host_address : sender_host_address,
+	      what, depth, dn, yield);
+    *calledp = TRUE;
+    if (!*optionalp)
+      {
+      if (old_cert) tlsp->peercert = old_cert;	/* restore 1st failing cert */
+      return 1;			    /* reject (leaving peercert set) */
+      }
+    DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
+      "(host in tls_try_verify_hosts)\n");
+    tlsp->verify_override = TRUE;
+    }
+  X509_free(tlsp->peercert);
+  tlsp->peercert = old_cert;
+  }
+return 0;
+}
+#endif
+
+/*************************************************
+*        Callback for verification               *
+*************************************************/
+
+/* The SSL library does certificate verification if set up to do so. This
+callback has the current yes/no state is in "state". If verification succeeded,
+we set the certificate-verified flag. If verification failed, what happens
+depends on whether the client is required to present a verifiable certificate
+or not.
+
+If verification is optional, we change the state to yes, but still log the
+verification error. For some reason (it really would help to have proper
+documentation of OpenSSL), this callback function then gets called again, this
+time with state = 1.  We must take care not to set the private verified flag on
+the second time through.
+
+Note: this function is not called if the client fails to present a certificate
+when asked. We get here only if a certificate has been received. Handling of
+optional verification for this case is done when requesting SSL to verify, by
+setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
+
+May be called multiple times for different issues with a certificate, even
+for a given "depth" in the certificate chain.
+
+Arguments:
+  preverify_ok current yes/no state as 1/0
+  x509ctx      certificate information.
+  tlsp         per-direction (client vs. server) support data
+  calledp      has-been-called flag
+  optionalp    verification-is-optional flag
+
+Returns:     0 if verification should fail, otherwise 1
+*/
+
+static int
+verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
+  tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
+{
+X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
+int depth = X509_STORE_CTX_get_error_depth(x509ctx);
+uschar dn[256];
+
+if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
+  {
+  DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
+  log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
+    tlsp == &tls_out ? deliver_host_address : sender_host_address);
+  return 0;
+  }
+dn[sizeof(dn)-1] = '\0';
+
+tlsp->verify_override = FALSE;
+if (preverify_ok == 0)
+  {
+  uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
+      *verify_mode, sender_host_address)
+    : US"";
+  log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
+    tlsp == &tls_out ? deliver_host_address : sender_host_address,
+    extra, depth,
+    X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
+  *calledp = TRUE;
+  if (!*optionalp)
+    {
+    if (!tlsp->peercert)
+      tlsp->peercert = X509_dup(cert);	/* record failing cert */
+    return 0;				/* reject */
+    }
+  DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
+    "tls_try_verify_hosts)\n");
+  tlsp->verify_override = TRUE;
+  }
+
+else if (depth != 0)
+  {
+  DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
+#ifndef DISABLE_OCSP
+  if (tlsp == &tls_out && client_static_state->u_ocsp.client.verify_store)
+    {	/* client, wanting stapling  */
+    /* Add the server cert's signing chain as the one
+    for the verification of the OCSP stapled information. */
+
+    if (!X509_STORE_add_cert(client_static_state->u_ocsp.client.verify_store,
+                             cert))
+      ERR_clear_error();
+    sk_X509_push(client_static_state->verify_stack, cert);
+    }
+#endif
+#ifndef DISABLE_EVENT
+    if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
+      return 0;				/* reject, with peercert set */
+#endif
+  }
+else
+  {
+  const uschar * verify_cert_hostnames;
+
+  if (  tlsp == &tls_out
+     && ((verify_cert_hostnames = client_static_state->verify_cert_hostnames)))
+	/* client, wanting hostname check */
+    {
+
+#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
+# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+#  define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
+# endif
+# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+#  define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
+# endif
+    int sep = 0;
+    const uschar * list = verify_cert_hostnames;
+    uschar * name;
+    int rc;
+    while ((name = string_nextinlist(&list, &sep, NULL, 0)))
+      if ((rc = X509_check_host(cert, CCS name, 0,
+		  X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+		  | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
+		  NULL)))
+	{
+	if (rc < 0)
+	  {
+	  log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
+	    tlsp == &tls_out ? deliver_host_address : sender_host_address);
+	  name = NULL;
+	  }
+	break;
+	}
+    if (!name)
+#else
+    if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
+#endif
+      {
+      uschar * extra = verify_mode
+        ? string_sprintf(" (during %c-verify for [%s])",
+	  *verify_mode, sender_host_address)
+	: US"";
+      log_write(0, LOG_MAIN,
+	"[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
+	tlsp == &tls_out ? deliver_host_address : sender_host_address,
+	extra, dn, verify_cert_hostnames);
+      *calledp = TRUE;
+      if (!*optionalp)
+	{
+	if (!tlsp->peercert)
+	  tlsp->peercert = X509_dup(cert);	/* record failing cert */
+	return 0;				/* reject */
+	}
+      DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
+	"tls_try_verify_hosts)\n");
+      tlsp->verify_override = TRUE;
+      }
+    }
+
+#ifndef DISABLE_EVENT
+  if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
+    return 0;				/* reject, with peercert set */
+#endif
+
+  DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
+    *calledp ? "" : " authenticated", dn);
+  *calledp = TRUE;
+  }
+
+return 1;   /* accept, at least for this level */
+}
+
+static int
+verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
+{
+return verify_callback(preverify_ok, x509ctx, &tls_out,
+  &client_verify_callback_called, &client_verify_optional);
+}
+
+static int
+verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
+{
+return verify_callback(preverify_ok, x509ctx, &tls_in,
+  &server_verify_callback_called, &server_verify_optional);
+}
+
+
+#ifdef SUPPORT_DANE
+
+/* This gets called *by* the dane library verify callback, which interposes
+itself.
+*/
+static int
+verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
+{
+X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
+uschar dn[256];
+int depth = X509_STORE_CTX_get_error_depth(x509ctx);
+#ifndef DISABLE_EVENT
+BOOL dummy_called, optional = FALSE;
+#endif
+
+if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
+  {
+  DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
+  log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
+    deliver_host_address);
+  return 0;
+  }
+dn[sizeof(dn)-1] = '\0';
+
+DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
+  preverify_ok ? "ok":"BAD", depth, dn);
+
+#ifndef DISABLE_EVENT
+  if (verify_event(&tls_out, cert, depth, dn,
+	  &dummy_called, &optional, US"DANE"))
+    return 0;				/* reject, with peercert set */
+#endif
+
+if (preverify_ok == 1)
+  {
+  tls_out.dane_verified = TRUE;
+#ifndef DISABLE_OCSP
+  if (client_static_state->u_ocsp.client.verify_store)
+    {	/* client, wanting stapling  */
+    /* Add the server cert's signing chain as the one
+    for the verification of the OCSP stapled information. */
+
+    if (!X509_STORE_add_cert(client_static_state->u_ocsp.client.verify_store,
+                             cert))
+      ERR_clear_error();
+    sk_X509_push(client_static_state->verify_stack, cert);
+    }
+#endif
+  }
+else
+  {
+  int err = X509_STORE_CTX_get_error(x509ctx);
+  DEBUG(D_tls)
+    debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
+  if (err == X509_V_ERR_APPLICATION_VERIFICATION)
+    preverify_ok = 1;
+  }
+return preverify_ok;
+}
+
+#endif	/*SUPPORT_DANE*/
+
+
+#ifndef DISABLE_OCSP
+/*************************************************
+*       Load OCSP information into state         *
+*************************************************/
+/* Called to load the server OCSP response from the given file into memory, once
+caller has determined this is needed.  Checks validity.  Debugs a message
+if invalid.
+
+ASSUMES: single response, for single cert.
+
+Arguments:
+  state           various parts of session state
+  filename        the filename putatively holding an OCSP response
+  is_pem	  file is PEM format; otherwise is DER
+*/
+
+static void
+ocsp_load_response(exim_openssl_state_st * state, const uschar * filename,
+  BOOL is_pem)
+{
+BIO * bio;
+OCSP_RESPONSE * resp;
+OCSP_BASICRESP * basic_response;
+OCSP_SINGLERESP * single_response;
+ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
+STACK_OF(X509) * sk;
+unsigned long verify_flags;
+int status, reason, i;
+
+DEBUG(D_tls)
+  debug_printf("tls_ocsp_file (%s)  '%s'\n", is_pem ? "PEM" : "DER", filename);
+
+if (!filename || !*filename) return;
+
+ERR_clear_error();
+if (!(bio = BIO_new_file(CS filename, "rb")))
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "Failed to open OCSP response file \"%s\": %.100s",
+    filename, ERR_reason_error_string(ERR_get_error()));
+  return;
+  }
+
+if (is_pem)
+  {
+  uschar * data, * freep;
+  char * dummy;
+  long len;
+  if (!PEM_read_bio(bio, &dummy, &dummy, &data, &len))
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "Failed to read PEM file \"%s\": %.100s",
+      filename, ERR_reason_error_string(ERR_get_error()));
+    return;
+    }
+  freep = data;
+  resp = d2i_OCSP_RESPONSE(NULL, CUSS &data, len);
+  OPENSSL_free(freep);
+  }
+else
+  resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
+BIO_free(bio);
+
+if (!resp)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "Error reading OCSP response from \"%s\": %s",
+      filename, ERR_reason_error_string(ERR_get_error()));
+  return;
+  }
+
+if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
+  {
+  DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
+      OCSP_response_status_str(status), status);
+  goto bad;
+  }
+
+#ifdef notdef
+  {
+  BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
+  OCSP_RESPONSE_print(bp, resp, 0);  /* extreme debug: stapling content */
+  BIO_free(bp);
+  }
+#endif
+
+if (!(basic_response = OCSP_response_get1_basic(resp)))
+  {
+  DEBUG(D_tls)
+    debug_printf("OCSP response parse error: unable to extract basic response.\n");
+  goto bad;
+  }
+
+sk = state->verify_stack;
+verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
+
+/* May need to expose ability to adjust those flags?
+OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
+OCSP_TRUSTOTHER OCSP_NOINTERN */
+
+/* This does a full verify on the OCSP proof before we load it for serving
+up; possibly overkill - just date-checks might be nice enough.
+
+OCSP_basic_verify takes a "store" arg, but does not
+use it for the chain verification, which is all we do
+when OCSP_NOVERIFY is set.  The content from the wire
+"basic_response" and a cert-stack "sk" are all that is used.
+
+We have a stack, loaded in setup_certs() if tls_verify_certificates
+was a file (not a directory, or "system").  It is unfortunate we
+cannot used the connection context store, as that would neatly
+handle the "system" case too, but there seems to be no library
+function for getting a stack from a store.
+[ In OpenSSL 1.1 - ?  X509_STORE_CTX_get0_chain(ctx) ? ]
+We do not free the stack since it could be needed a second time for
+SNI handling.
+
+Separately we might try to replace using OCSP_basic_verify() - which seems to not
+be a public interface into the OpenSSL library (there's no manual entry) -
+But what with?  We also use OCSP_basic_verify in the client stapling callback.
+And there we NEED it; we must verify that status... unless the
+library does it for us anyway?  */
+
+if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
+  {
+  DEBUG(D_tls)
+    {
+    ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
+    debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
+    }
+  goto bad;
+  }
+
+/* Here's the simplifying assumption: there's only one response, for the
+one certificate we use, and nothing for anything else in a chain.  If this
+proves false, we need to extract a cert id from our issued cert
+(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
+right cert in the stack and then calls OCSP_single_get0_status()).
+
+I'm hoping to avoid reworking a bunch more of how we handle state here.
+
+XXX that will change when we add support for (TLS1.3) whole-chain stapling
+*/
+
+if (!(single_response = OCSP_resp_get0(basic_response, 0)))
+  {
+  DEBUG(D_tls)
+    debug_printf("Unable to get first response from OCSP basic response.\n");
+  goto bad;
+  }
+
+status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
+if (status != V_OCSP_CERTSTATUS_GOOD)
+  {
+  DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
+      OCSP_cert_status_str(status), status,
+      OCSP_crl_reason_str(reason), reason);
+  goto bad;
+  }
+
+if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
+  {
+  DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
+  goto bad;
+  }
+
+supply_response:
+  /* Add the resp to the list used by tls_server_stapling_cb() */
+  {
+  ocsp_resplist ** op = &state->u_ocsp.server.olist, * oentry;
+  while (oentry = *op)
+    op = &oentry->next;
+  *op = oentry = store_get(sizeof(ocsp_resplist), GET_UNTAINTED);
+  oentry->next = NULL;
+  oentry->resp = resp;
+  }
+return;
+
+bad:
+  if (f.running_in_test_harness)
+    {
+    extern char ** environ;
+    if (environ) for (uschar ** p = USS environ; *p; p++)
+      if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
+	{
+	DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
+	goto supply_response;
+	}
+    }
+return;
+}
+
+
+static void
+ocsp_free_response_list(exim_openssl_state_st * cbinfo)
+{
+for (ocsp_resplist * olist = cbinfo->u_ocsp.server.olist; olist;
+     olist = olist->next)
+  OCSP_RESPONSE_free(olist->resp);
+cbinfo->u_ocsp.server.olist = NULL;
+}
+#endif	/*!DISABLE_OCSP*/
+
+
+
+
+
+static int
+tls_add_certfile(SSL_CTX * sctx, exim_openssl_state_st * cbinfo, uschar * file,
+  uschar ** errstr)
+{
+DEBUG(D_tls) debug_printf("tls_certificate file '%s'\n", file);
+if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
+  return tls_error(string_sprintf(
+    "SSL_CTX_use_certificate_chain_file file=%s", file),
+      cbinfo->host, NULL, errstr);
+return 0;
+}
+
+static int
+tls_add_pkeyfile(SSL_CTX * sctx, exim_openssl_state_st * cbinfo, uschar * file,
+  uschar ** errstr)
+{
+DEBUG(D_tls) debug_printf("tls_privatekey file  '%s'\n", file);
+if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
+  return tls_error(string_sprintf(
+    "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
+return 0;
+}
+
+
+
+
+/* Called once during tls_init and possibly again during TLS setup, for a
+new context, if Server Name Indication was used and tls_sni was seen in
+the certificate string.
+
+Arguments:
+  sctx            the SSL_CTX* to update
+  state           various parts of session state
+  errstr	  error string pointer
+
+Returns:          OK/DEFER/FAIL
+*/
+
+static int
+tls_expand_session_files(SSL_CTX * sctx, exim_openssl_state_st * state,
+  uschar ** errstr)
+{
+uschar * expanded;
+
+if (!state->certificate)
+  {
+  if (!state->is_server)		/* client */
+    return OK;
+					/* server */
+  if (tls_install_selfsign(sctx, errstr) != OK)
+    return DEFER;
+  }
+else
+  {
+  int err;
+
+  if ( !reexpand_tls_files_for_sni
+     && (  Ustrstr(state->certificate, US"tls_sni")
+	|| Ustrstr(state->certificate, US"tls_in_sni")
+	|| Ustrstr(state->certificate, US"tls_out_sni")
+     )  )
+    reexpand_tls_files_for_sni = TRUE;
+
+  if (!expand_check(state->certificate, US"tls_certificate", &expanded, errstr))
+    return DEFER;
+
+  if (expanded)
+    if (state->is_server)
+      {
+      const uschar * file_list = expanded;
+      int sep = 0;
+      uschar * file;
+#ifndef DISABLE_OCSP
+      const uschar * olist = state->u_ocsp.server.file;
+      int osep = 0;
+      uschar * ofile;
+      BOOL fmt_pem = FALSE;
+
+      if (olist)
+	if (!expand_check(olist, US"tls_ocsp_file", USS &olist, errstr))
+	  return DEFER;
+      if (olist && !*olist)
+	olist = NULL;
+
+      if (  state->u_ocsp.server.file_expanded && olist
+	 && (Ustrcmp(olist, state->u_ocsp.server.file_expanded) == 0))
+	{
+	DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
+	olist = NULL;
+	}
+      else
+	{
+	ocsp_free_response_list(state);
+	state->u_ocsp.server.file_expanded = olist;
+	}
+#endif
+
+      while (file = string_nextinlist(&file_list, &sep, NULL, 0))
+	{
+	if ((err = tls_add_certfile(sctx, state, file, errstr)))
+	  return err;
+
+#ifndef DISABLE_OCSP
+	if (olist)
+	  if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
+	    {
+	    if (Ustrncmp(ofile, US"PEM ", 4) == 0)
+	      {
+	      fmt_pem = TRUE;
+	      ofile += 4;
+	      }
+	    else if (Ustrncmp(ofile, US"DER ", 4) == 0)
+	      {
+	      fmt_pem = FALSE;
+	      ofile += 4;
+	      }
+	    ocsp_load_response(state, ofile, fmt_pem);
+	    }
+	  else
+	    DEBUG(D_tls) debug_printf("ran out of ocsp file list\n");
+#endif
+	}
+      }
+    else	/* would there ever be a need for multiple client certs? */
+      if ((err = tls_add_certfile(sctx, state, expanded, errstr)))
+	return err;
+
+  if (  state->privatekey
+     && !expand_check(state->privatekey, US"tls_privatekey", &expanded, errstr))
+    return DEFER;
+
+  /* If expansion was forced to fail, key_expanded will be NULL. If the result
+  of the expansion is an empty string, ignore it also, and assume the private
+  key is in the same file as the certificate. */
+
+  if (expanded && *expanded)
+    if (state->is_server)
+      {
+      const uschar * file_list = expanded;
+      int sep = 0;
+      uschar * file;
+
+      while (file = string_nextinlist(&file_list, &sep, NULL, 0))
+	if ((err = tls_add_pkeyfile(sctx, state, file, errstr)))
+	  return err;
+      }
+    else	/* would there ever be a need for multiple client certs? */
+      if ((err = tls_add_pkeyfile(sctx, state, expanded, errstr)))
+	return err;
+  }
+
+return OK;
+}
+
+
+
+
+/**************************************************
+* One-time init credentials for server and client *
+**************************************************/
+
+static void
+normalise_ciphers(uschar ** ciphers, const uschar * pre_expansion_ciphers)
+{
+uschar * s = *ciphers;
+
+if (!s || !Ustrchr(s, '_')) return;	/* no change needed */
+
+if (s == pre_expansion_ciphers)
+  s = string_copy(s);			/* get writable copy */
+
+for (uschar * t = s; *t; t++) if (*t == '_') *t = '-';
+*ciphers = s;
+}
+
+static int
+server_load_ciphers(SSL_CTX * ctx, exim_openssl_state_st * state,
+  uschar * ciphers, uschar ** errstr)
+{
+DEBUG(D_tls) debug_printf("required ciphers: %s\n", ciphers);
+if (!SSL_CTX_set_cipher_list(ctx, CS ciphers))
+  return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
+state->server_cipher_list = ciphers;
+return OK;
+}
+
+
+
+static int
+lib_ctx_new(SSL_CTX ** ctxp, host_item * host, uschar ** errstr)
+{
+SSL_CTX * ctx;
+#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
+if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
+#else
+if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
+#endif
+  return tls_error(US"SSL_CTX_new", host, NULL, errstr);
+
+/* Set up the information callback, which outputs if debugging is at a suitable
+level. */
+
+DEBUG(D_tls)
+  {
+  SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
+#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
+  /* this needs a debug build of OpenSSL */
+  SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
+#endif
+#ifdef OPENSSL_HAVE_KEYLOG_CB
+  SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
+#endif
+  }
+
+/* Automatically re-try reads/writes after renegotiation. */
+(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
+*ctxp = ctx;
+return OK;
+}
+
+
+static unsigned
+tls_server_creds_init(void)
+{
+SSL_CTX * ctx;
+uschar * dummy_errstr;
+unsigned lifetime = 0;
+
+tls_openssl_init();
+
+state_server.lib_state = null_tls_preload;
+
+if (lib_ctx_new(&ctx, NULL, &dummy_errstr) != OK)
+  return 0;
+state_server.lib_state.lib_ctx = ctx;
+
+/* Preload DH params and EC curve */
+
+if (opt_unset_or_noexpand(tls_dhparam))
+  {
+  DEBUG(D_tls) debug_printf("TLS: preloading DH params for server\n");
+  if (init_dh(ctx, tls_dhparam, &dummy_errstr))
+    state_server.lib_state.dh = TRUE;
+  }
+else
+  DEBUG(D_tls) debug_printf("TLS: not preloading DH params for server\n");
+if (opt_unset_or_noexpand(tls_eccurve))
+  {
+  DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve for server\n");
+  if (init_ecdh(ctx, &dummy_errstr))
+    state_server.lib_state.ecdh = TRUE;
+  }
+else
+  DEBUG(D_tls) debug_printf("TLS: not preloading ECDH curve for server\n");
+
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+/* If we can, preload the server-side cert, key and ocsp */
+
+if (  opt_set_and_noexpand(tls_certificate)
+# ifndef DISABLE_OCSP
+   && opt_unset_or_noexpand(tls_ocsp_file)
+#endif
+   && opt_unset_or_noexpand(tls_privatekey))
+  {
+  /* Set watches on the filenames.  The implementation does de-duplication
+  so we can just blindly do them all.  */
+
+  if (  tls_set_watch(tls_certificate, TRUE)
+# ifndef DISABLE_OCSP
+     && tls_set_watch(tls_ocsp_file, TRUE)
+#endif
+     && tls_set_watch(tls_privatekey, TRUE))
+    {
+    state_server.certificate = tls_certificate;
+    state_server.privatekey = tls_privatekey;
+#ifndef DISABLE_OCSP
+    state_server.u_ocsp.server.file = tls_ocsp_file;
+#endif
+
+    DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
+    if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
+      state_server.lib_state.conn_certs = TRUE;
+    }
+  }
+else if (  !tls_certificate && !tls_privatekey
+# ifndef DISABLE_OCSP
+	&& !tls_ocsp_file
+#endif
+   )
+  {		/* Generate & preload a selfsigned cert. No files to watch. */
+  if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
+    {
+    state_server.lib_state.conn_certs = TRUE;
+    lifetime = f.running_in_test_harness ? 2 : 60 * 60;		/* 1 hour */
+    }
+  }
+else
+  DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
+
+
+/* If we can, preload the Authorities for checking client certs against.
+Actual choice to do verify is made (tls_{,try_}verify_hosts)
+at TLS conn startup */
+
+if (  opt_set_and_noexpand(tls_verify_certificates)
+   && opt_unset_or_noexpand(tls_crl))
+  {
+  /* Watch the default dir also as they are always included */
+
+  if (  tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
+     && tls_set_watch(tls_verify_certificates, FALSE)
+     && tls_set_watch(tls_crl, FALSE))
+    {
+    DEBUG(D_tls) debug_printf("TLS: preloading CA bundle for server\n");
+
+    if (setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, &dummy_errstr)
+	== OK)
+      state_server.lib_state.cabundle = TRUE;
+    }
+  }
+else
+  DEBUG(D_tls) debug_printf("TLS: not preloading CA bundle for server\n");
+#endif	/* EXIM_HAVE_INOTIFY */
+
+
+/* If we can, preload the ciphers control string */
+
+if (opt_set_and_noexpand(tls_require_ciphers))
+  {
+  DEBUG(D_tls) debug_printf("TLS: preloading cipher list for server\n");
+  normalise_ciphers(&tls_require_ciphers, tls_require_ciphers);
+  if (server_load_ciphers(ctx, &state_server, tls_require_ciphers,
+			  &dummy_errstr) == OK)
+    state_server.lib_state.pri_string = TRUE;
+  }
+else
+  DEBUG(D_tls) debug_printf("TLS: not preloading cipher list for server\n");
+return lifetime;
+}
+
+
+
+
+/* Preload whatever creds are static, onto a transport.  The client can then
+just copy the pointer as it starts up.
+Called from the daemon after a cache-invalidate with watch set; called from
+a queue-run startup with watch clear. */
+
+static void
+tls_client_creds_init(transport_instance * t, BOOL watch)
+{
+smtp_transport_options_block * ob = t->options_block;
+exim_openssl_state_st tpt_dummy_state;
+host_item * dummy_host = (host_item *)1;
+uschar * dummy_errstr;
+SSL_CTX * ctx;
+
+tls_openssl_init();
+
+ob->tls_preload = null_tls_preload;
+if (lib_ctx_new(&ctx, dummy_host, &dummy_errstr) != OK)
+  return;
+ob->tls_preload.lib_ctx = ctx;
+
+tpt_dummy_state.lib_state = ob->tls_preload;
+
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+if (  opt_set_and_noexpand(ob->tls_certificate)
+   && opt_unset_or_noexpand(ob->tls_privatekey))
+  {
+  if (  !watch
+     || (  tls_set_watch(ob->tls_certificate, FALSE)
+	&& tls_set_watch(ob->tls_privatekey, FALSE)
+     )  )
+    {
+    uschar * pkey = ob->tls_privatekey;
+
+    DEBUG(D_tls)
+      debug_printf("TLS: preloading client certs for transport '%s'\n",t->name);
+
+    if (  tls_add_certfile(ctx, &tpt_dummy_state, ob->tls_certificate,
+				    &dummy_errstr) == 0
+       && tls_add_pkeyfile(ctx, &tpt_dummy_state,
+				    pkey ? pkey : ob->tls_certificate,
+				    &dummy_errstr) == 0
+       )
+      ob->tls_preload.conn_certs = TRUE;
+    }
+  }
+else
+  DEBUG(D_tls)
+    debug_printf("TLS: not preloading client certs, for transport '%s'\n", t->name);
+
+
+if (  opt_set_and_noexpand(ob->tls_verify_certificates)
+   && opt_unset_or_noexpand(ob->tls_crl))
+  {
+  if (  !watch
+     ||    tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
+        && tls_set_watch(ob->tls_verify_certificates, FALSE)
+	&& tls_set_watch(ob->tls_crl, FALSE)
+     )
+    {
+    DEBUG(D_tls)
+      debug_printf("TLS: preloading CA bundle for transport '%s'\n", t->name);
+
+    if (setup_certs(ctx, ob->tls_verify_certificates,
+	  ob->tls_crl, dummy_host, &dummy_errstr) == OK)
+      ob->tls_preload.cabundle = TRUE;
+    }
+  }
+else
+  DEBUG(D_tls)
+      debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", t->name);
+
+#endif /*EXIM_HAVE_INOTIFY*/
+}
+
+
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+/* Invalidate the creds cached, by dropping the current ones.
+Call when we notice one of the source files has changed. */
+ 
+static void
+tls_server_creds_invalidate(void)
+{
+SSL_CTX_free(state_server.lib_state.lib_ctx);
+state_server.lib_state = null_tls_preload;
+}
+
+
+static void
+tls_client_creds_invalidate(transport_instance * t)
+{
+smtp_transport_options_block * ob = t->options_block;
+SSL_CTX_free(ob->tls_preload.lib_ctx);
+ob->tls_preload = null_tls_preload;
+}
+
+#else
+
+static void
+tls_server_creds_invalidate(void)
+{ return; }
+
+static void
+tls_client_creds_invalidate(transport_instance * t)
+{ return; }
+
+#endif	/*EXIM_HAVE_INOTIFY*/
+
+
+/* Extreme debug
+#ifndef DISABLE_OCSP
+void
+x509_store_dump_cert_s_names(X509_STORE * store)
+{
+STACK_OF(X509_OBJECT) * roots= store->objs;
+static uschar name[256];
+
+for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
+  {
+  X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
+  if(tmp_obj->type == X509_LU_X509)
+    {
+    X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
+    if (X509_NAME_oneline(sn, CS name, sizeof(name)))
+      {
+      name[sizeof(name)-1] = '\0';
+      debug_printf(" %s\n", name);
+      }
+    }
+  }
+}
+#endif
+*/
+
+
+#ifndef DISABLE_TLS_RESUME
+/* Manage the keysets used for encrypting the session tickets, on the server. */
+
+typedef struct {			/* Session ticket encryption key */
+  uschar 	name[16];
+
+  const EVP_CIPHER *	aes_cipher;
+  uschar		aes_key[32];	/* size needed depends on cipher. aes_128 implies 128/8 = 16? */
+# if OPENSSL_VERSION_NUMBER < 0x30000000L
+  const EVP_MD *	hmac_hash;
+# else
+  const uschar *	hmac_hashname;
+# endif
+  uschar		hmac_key[16];
+  time_t		renew;
+  time_t		expire;
+} exim_stek;
+
+static exim_stek exim_tk;	/* current key */
+static exim_stek exim_tk_old;	/* previous key */
+
+static void
+tk_init(void)
+{
+time_t t = time(NULL);
+
+if (exim_tk.name[0])
+  {
+  if (exim_tk.renew >= t) return;
+  exim_tk_old = exim_tk;
+  }
+
+if (f.running_in_test_harness) ssl_session_timeout = 6;
+
+DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
+if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
+if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
+if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
+
+exim_tk.name[0] = 'E';
+exim_tk.aes_cipher = EVP_aes_256_cbc();
+# if OPENSSL_VERSION_NUMBER < 0x30000000L
+exim_tk.hmac_hash = EVP_sha256();
+# else
+exim_tk.hmac_hashname = US "sha256";
+# endif
+exim_tk.expire = t + ssl_session_timeout;
+exim_tk.renew = t + ssl_session_timeout/2;
+}
+
+static exim_stek *
+tk_current(void)
+{
+if (!exim_tk.name[0]) return NULL;
+return &exim_tk;
+}
+
+static exim_stek *
+tk_find(const uschar * name)
+{
+return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
+  : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
+  : NULL;
+}
+
+
+static int
+tk_hmac_init(
+# if OPENSSL_VERSION_NUMBER < 0x30000000L
+  HMAC_CTX * hctx,
+#else
+  EVP_MAC_CTX * hctx,
+#endif
+  exim_stek * key
+  )
+{
+/*XXX will want these dependent on the ssl session strength */
+# if OPENSSL_VERSION_NUMBER < 0x30000000L
+  HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
+		key->hmac_hash, NULL);
+#else
+ {
+  OSSL_PARAM params[3];
+  uschar * hk = string_copy(key->hmac_hashname);	/* need nonconst */
+  params[0] = OSSL_PARAM_construct_octet_string("key", key->hmac_key, sizeof(key->hmac_key));
+  params[1] = OSSL_PARAM_construct_utf8_string("digest", CS hk, 0);
+  params[2] = OSSL_PARAM_construct_end();
+  if (EVP_MAC_CTX_set_params(hctx, params) == 0)
+    {
+    DEBUG(D_tls) debug_printf("EVP_MAC_CTX_set_params: %s\n",
+      ERR_reason_error_string(ERR_get_error()));
+    return 0; /* error in mac initialisation */
+    }
+}
+#endif
+return 1;
+}
+
+/* Callback for session tickets, on server */
+static int
+ticket_key_callback(SSL * ssl, uschar key_name[16],
+  uschar * iv, EVP_CIPHER_CTX * c_ctx,
+# if OPENSSL_VERSION_NUMBER < 0x30000000L
+  HMAC_CTX * hctx,
+#else
+  EVP_MAC_CTX * hctx,
+#endif
+  int enc)
+{
+tls_support * tlsp = state_server.tlsp;
+exim_stek * key;
+
+if (enc)
+  {
+  DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
+  tlsp->resumption |= RESUME_CLIENT_REQUESTED;
+
+  if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
+    return -1; /* insufficient random */
+
+  if (!(key = tk_current()))	/* current key doesn't exist or isn't valid */
+     return 0;			/* key couldn't be created */
+  memcpy(key_name, key->name, 16);
+  DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
+
+  if (tk_hmac_init(hctx, key) == 0) return 0;
+  EVP_EncryptInit_ex(c_ctx, key->aes_cipher, NULL, key->aes_key, iv);
+
+  DEBUG(D_tls) debug_printf("ticket created\n");
+  return 1;
+  }
+else
+  {
+  time_t now = time(NULL);
+
+  DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
+  tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
+
+  if (!(key = tk_find(key_name)) || key->expire < now)
+    {
+    DEBUG(D_tls)
+      {
+      debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
+      if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
+      }
+    return 0;
+    }
+
+  if (tk_hmac_init(hctx, key) == 0) return 0;
+  EVP_DecryptInit_ex(c_ctx, key->aes_cipher, NULL, key->aes_key, iv);
+
+  DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
+
+  /* The ticket lifetime and renewal are the same as the STEK lifetime and
+  renewal, which is overenthusiastic.  A factor of, say, 3x longer STEK would
+  be better.  To do that we'd have to encode ticket lifetime in the name as
+  we don't yet see the restored session.  Could check posthandshake for TLS1.3
+  and trigger a new ticket then, but cannot do that for TLS1.2 */
+  return key->renew < now ? 2 : 1;
+  }
+}
+#endif	/* !DISABLE_TLS_RESUME */
+
+
+
+static void
+setup_cert_verify(SSL_CTX * ctx, BOOL optional,
+    int (*cert_vfy_cb)(int, X509_STORE_CTX *))
+{
+/* If verification is optional, don't fail if no certificate */
+
+SSL_CTX_set_verify(ctx,
+    SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
+    cert_vfy_cb);
+}
+
+
+/*************************************************
+*            Callback to handle SNI              *
+*************************************************/
+
+/* Called when acting as server during the TLS session setup if a Server Name
+Indication extension was sent by the client.
+
+API documentation is OpenSSL s_server.c implementation.
+
+Arguments:
+  s               SSL* of the current session
+  ad              unknown (part of OpenSSL API) (unused)
+  arg             Callback of "our" registered data
+
+Returns:          SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
+
+XXX might need to change to using ClientHello callback,
+per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
+*/
+
+#ifdef EXIM_HAVE_OPENSSL_TLSEXT
+static int
+tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
+{
+const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
+exim_openssl_state_st *state = (exim_openssl_state_st *) arg;
+int rc;
+int old_pool = store_pool;
+uschar * dummy_errstr;
+
+if (!servername)
+  return SSL_TLSEXT_ERR_OK;
+
+DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
+    reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
+
+/* Make the extension value available for expansion */
+store_pool = POOL_PERM;
+tls_in.sni = string_copy_taint(US servername, GET_TAINTED);
+store_pool = old_pool;
+
+if (!reexpand_tls_files_for_sni)
+  return SSL_TLSEXT_ERR_OK;
+
+/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
+not confident that memcpy wouldn't break some internal reference counting.
+Especially since there's a references struct member, which would be off. */
+
+if (lib_ctx_new(&server_sni, NULL, &dummy_errstr) != OK)
+  goto bad;
+
+/* Not sure how many of these are actually needed, since SSL object
+already exists.  Might even need this selfsame callback, for reneg? */
+
+  {
+  SSL_CTX * ctx = state_server.lib_state.lib_ctx;
+  SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(ctx));
+  SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(ctx));
+  SSL_CTX_set_options(server_sni, SSL_CTX_get_options(ctx));
+  SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(ctx));
+  SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
+  SSL_CTX_set_tlsext_servername_arg(server_sni, state);
+  }
+
+if (  !init_dh(server_sni, state->dhparam, &dummy_errstr)
+   || !init_ecdh(server_sni, &dummy_errstr)
+   )
+  goto bad;
+
+if (  state->server_cipher_list
+   && !SSL_CTX_set_cipher_list(server_sni, CS state->server_cipher_list))
+  goto bad;
+
+#ifndef DISABLE_OCSP
+if (state->u_ocsp.server.file)
+  {
+  SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
+  SSL_CTX_set_tlsext_status_arg(server_sni, state);
+  }
+#endif
+
+  {
+  uschar * expcerts;
+  if (  !expand_check(tls_verify_certificates, US"tls_verify_certificates",
+		  &expcerts, &dummy_errstr)
+     || (rc = setup_certs(server_sni, expcerts, tls_crl, NULL,
+			&dummy_errstr)) != OK)
+    goto bad;
+
+  if (expcerts && *expcerts)
+    setup_cert_verify(server_sni, FALSE, verify_callback_server);
+  }
+
+/* do this after setup_certs, because this can require the certs for verifying
+OCSP information. */
+if ((rc = tls_expand_session_files(server_sni, state, &dummy_errstr)) != OK)
+  goto bad;
+
+DEBUG(D_tls) debug_printf("Switching SSL context.\n");
+SSL_set_SSL_CTX(s, server_sni);
+return SSL_TLSEXT_ERR_OK;
+
+bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
+}
+#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
+
+
+
+
+#ifdef EXIM_HAVE_ALPN
+/*************************************************
+*        Callback to handle ALPN                 *
+*************************************************/
+
+/* Called on server if tls_alpn nonblank after expansion,
+when client offers ALPN, after the SNI callback.
+If set and not matching the list then we dump the connection */
+
+static int
+tls_server_alpn_cb(SSL *ssl, const uschar ** out, uschar * outlen,
+  const uschar * in, unsigned int inlen, void * arg)
+{
+server_seen_alpn = TRUE;
+DEBUG(D_tls)
+  {
+  debug_printf("Received TLS ALPN offer:");
+  for (int pos = 0, siz; pos < inlen; pos += siz+1)
+    {
+    siz = in[pos];
+    if (pos + 1 + siz > inlen) siz = inlen - pos - 1;
+    debug_printf(" '%.*s'", siz, in + pos + 1);
+    }
+  debug_printf(".  Our list: '%s'\n", tls_alpn);
+  }
+
+/* Look for an acceptable ALPN */
+
+if (  inlen > 1		/* at least one name */
+   && in[0]+1 == inlen	/* filling the vector, so exactly one name */
+   )
+  {
+  const uschar * list = tls_alpn;
+  int sep = 0;
+  for (uschar * name; name = string_nextinlist(&list, &sep, NULL, 0); )
+    if (Ustrncmp(in+1, name, in[0]) == 0)
+      {
+      *out = in+1;			/* we checked for exactly one, so can just point to it */
+      *outlen = inlen;
+      return SSL_TLSEXT_ERR_OK;		/* use ALPN */
+      }
+  }
+
+/* More than one name from clilent, or name did not match our list. */
+
+/* This will be fatal to the TLS conn; would be nice to kill TCP also.
+Maybe as an option in future; for now leave control to the config (must-tls). */
+
+DEBUG(D_tls) debug_printf("TLS ALPN rejected\n");
+return SSL_TLSEXT_ERR_ALERT_FATAL;
+}
+#endif	/* EXIM_HAVE_ALPN */
+
+
+
+#ifndef DISABLE_OCSP
+
+/*************************************************
+*        Callback to handle OCSP Stapling        *
+*************************************************/
+
+/* Called when acting as server during the TLS session setup if the client
+requests OCSP information with a Certificate Status Request.
+
+Documentation via openssl s_server.c and the Apache patch from the OpenSSL
+project.
+
+*/
+
+static int
+tls_server_stapling_cb(SSL *s, void *arg)
+{
+const exim_openssl_state_st * state = arg;
+ocsp_resplist * olist = state->u_ocsp.server.olist;
+uschar * response_der;	/*XXX blob */
+int response_der_len;
+
+DEBUG(D_tls)
+  debug_printf("Received TLS status request (OCSP stapling); %s response list\n",
+    olist ? "have" : "lack");
+
+tls_in.ocsp = OCSP_NOT_RESP;
+if (!olist)
+  return SSL_TLSEXT_ERR_NOACK;
+
+#ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
+ {
+  const X509 * cert_sent = SSL_get_certificate(s);
+  const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
+  const BIGNUM * cert_bn = ASN1_INTEGER_to_BN(cert_serial, NULL);
+
+  for (; olist; olist = olist->next)
+    {
+    OCSP_BASICRESP * bs = OCSP_response_get1_basic(olist->resp);
+    const OCSP_SINGLERESP * single = OCSP_resp_get0(bs, 0);
+    const OCSP_CERTID * cid = OCSP_SINGLERESP_get0_id(single);
+    ASN1_INTEGER * res_cert_serial;
+    const BIGNUM * resp_bn;
+    ASN1_OCTET_STRING * res_cert_iNameHash;
+
+
+    (void) OCSP_id_get0_info(&res_cert_iNameHash, NULL, NULL, &res_cert_serial,
+      (OCSP_CERTID *) cid);
+    resp_bn = ASN1_INTEGER_to_BN(res_cert_serial, NULL);
+
+    DEBUG(D_tls)
+      {
+      debug_printf("cert serial: %s\n", BN_bn2hex(cert_bn));
+      debug_printf("resp serial: %s\n", BN_bn2hex(resp_bn));
+      }
+
+    if (BN_cmp(cert_bn, resp_bn) == 0)
+      {
+      DEBUG(D_tls) debug_printf("matched serial for ocsp\n");
+
+      /*XXX TODO: check the rest of the list for duplicate matches.
+      If any, need to also check the Issuer Name hash.
+      Without this, we will provide the wrong status in the case of
+      duplicate id. */
+
+      break;
+      }
+    DEBUG(D_tls) debug_printf("not match serial for ocsp\n");
+    }
+  if (!olist)
+    {
+    DEBUG(D_tls) debug_printf("failed to find match for ocsp\n");
+    return SSL_TLSEXT_ERR_NOACK;
+    }
+ }
+#else
+if (olist->next)
+  {
+  DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
+  return SSL_TLSEXT_ERR_NOACK;
+  }
+#endif
+
+/*XXX could we do the i2d earlier, rather than during the callback? */
+response_der = NULL;
+response_der_len = i2d_OCSP_RESPONSE(olist->resp, &response_der);
+if (response_der_len <= 0)
+  return SSL_TLSEXT_ERR_NOACK;
+
+SSL_set_tlsext_status_ocsp_resp(state_server.lib_state.lib_ssl,
+				response_der, response_der_len);
+tls_in.ocsp = OCSP_VFIED;
+return SSL_TLSEXT_ERR_OK;
+}
+
+
+static void
+time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
+{
+BIO_printf(bp, "\t%s: ", str);
+ASN1_GENERALIZEDTIME_print(bp, time);
+BIO_puts(bp, "\n");
+}
+
+static int
+tls_client_stapling_cb(SSL *s, void *arg)
+{
+exim_openssl_state_st * cbinfo = arg;
+const unsigned char * p;
+int len;
+OCSP_RESPONSE * rsp;
+OCSP_BASICRESP * bs;
+int i;
+
+DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
+len = SSL_get_tlsext_status_ocsp_resp(s, &p);
+if(!p)
+ {				/* Expect this when we requested ocsp but got none */
+  if (SSL_session_reused(s) && tls_out.ocsp == OCSP_VFIED)
+    {
+    DEBUG(D_tls) debug_printf(" null, but resumed; ocsp vfy stored with session is good\n");
+    return 1;
+    }
+  if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
+    log_write(0, LOG_MAIN, "Required TLS certificate status not received");
+  else
+    DEBUG(D_tls) debug_printf(" null\n");
+  return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
+ }
+
+if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
+  {
+  tls_out.ocsp = OCSP_FAILED;	/*XXX should use tlsp-> to permit concurrent outbound */
+  if (LOGGING(tls_cipher))
+    log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
+  else
+    DEBUG(D_tls) debug_printf(" parse error\n");
+  return 0;
+  }
+
+if (!(bs = OCSP_response_get1_basic(rsp)))
+  {
+  tls_out.ocsp = OCSP_FAILED;
+  if (LOGGING(tls_cipher))
+    log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
+  else
+    DEBUG(D_tls) debug_printf(" error parsing response\n");
+  OCSP_RESPONSE_free(rsp);
+  return 0;
+  }
+
+/* We'd check the nonce here if we'd put one in the request. */
+/* However that would defeat cacheability on the server so we don't. */
+
+/* This section of code reworked from OpenSSL apps source;
+   The OpenSSL Project retains copyright:
+   Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+*/
+  {
+    BIO * bp = NULL;
+#ifndef EXIM_HAVE_OCSP_RESP_COUNT
+    STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
+#endif
+
+    DEBUG(D_tls) bp = BIO_new(BIO_s_mem());
+
+    /*OCSP_RESPONSE_print(bp, rsp, 0);   extreme debug: stapling content */
+
+    /* Use the chain that verified the server cert to verify the stapled info */
+    /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
+
+    if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
+	      cbinfo->u_ocsp.client.verify_store, OCSP_NOEXPLICIT)) <= 0)
+      if (ERR_peek_error())
+	{
+	tls_out.ocsp = OCSP_FAILED;
+	if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
+		"Received TLS cert status response, itself unverifiable: %s",
+		ERR_reason_error_string(ERR_peek_error()));
+	DEBUG(D_tls)
+	  {
+	  BIO_printf(bp, "OCSP response verify failure\n");
+	  ERR_print_errors(bp);
+	  OCSP_RESPONSE_print(bp, rsp, 0);
+	  }
+	goto failed;
+	}
+      else
+	DEBUG(D_tls) debug_printf("no explicit trust for OCSP signing"
+	  " in the root CA certificate; ignoring\n");
+
+    DEBUG(D_tls) debug_printf("OCSP response well-formed and signed OK\n");
+
+    /*XXX So we have a good stapled OCSP status.  How do we know
+    it is for the cert of interest?  OpenSSL 1.1.0 has a routine
+    OCSP_resp_find_status() which matches on a cert id, which presumably
+    we should use. Making an id needs OCSP_cert_id_new(), which takes
+    issuerName, issuerKey, serialNumber.  Are they all in the cert?
+
+    For now, carry on blindly accepting the resp. */
+
+    for (int idx =
+#ifdef EXIM_HAVE_OCSP_RESP_COUNT
+	    OCSP_resp_count(bs) - 1;
+#else
+	    sk_OCSP_SINGLERESP_num(sresp) - 1;
+#endif
+	 idx >= 0; idx--)
+      {
+      OCSP_SINGLERESP * single = OCSP_resp_get0(bs, idx);
+      int status, reason;
+      ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
+
+  /*XXX so I can see putting a loop in here to handle a rsp with >1 singleresp
+  - but what happens with a GnuTLS-style input?
+
+  we could do with a debug label for each singleresp
+  - it has a certID with a serialNumber, but I see no API to get that
+  */
+      status = OCSP_single_get0_status(single, &reason, &rev,
+		  &thisupd, &nextupd);
+
+      DEBUG(D_tls)
+	{
+	time_print(bp, "This OCSP Update", thisupd);
+	if (nextupd) time_print(bp, "Next OCSP Update", nextupd);
+	}
+      if (!OCSP_check_validity(thisupd, nextupd,
+	    EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
+	{
+	tls_out.ocsp = OCSP_FAILED;
+	DEBUG(D_tls) ERR_print_errors(bp);
+	log_write(0, LOG_MAIN, "OCSP dates invalid");
+	goto failed;
+	}
+
+      DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
+		    OCSP_cert_status_str(status));
+      switch(status)
+	{
+	case V_OCSP_CERTSTATUS_GOOD:
+	  continue;	/* the idx loop */
+	case V_OCSP_CERTSTATUS_REVOKED:
+	  log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
+	      reason != -1 ? "; reason: " : "",
+	      reason != -1 ? OCSP_crl_reason_str(reason) : "");
+	  DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
+	  break;
+	default:
+	  log_write(0, LOG_MAIN,
+	      "Server certificate status unknown, in OCSP stapling");
+	  break;
+	}
+
+      goto failed;
+      }
+
+    i = 1;
+    tls_out.ocsp = OCSP_VFIED;
+    goto good;
+
+  failed:
+    tls_out.ocsp = OCSP_FAILED;
+    i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
+  good:
+    {
+    uschar * s = NULL;
+    int len = (int) BIO_get_mem_data(bp, CSS &s);
+    if (len > 0) debug_printf("%.*s", len, s);
+    }
+    BIO_free(bp);
+  }
+
+OCSP_RESPONSE_free(rsp);
+return i;
+}
+#endif	/*!DISABLE_OCSP*/
+
+
+/*************************************************
+*            Initialize for TLS                  *
+*************************************************/
+/* Called from both server and client code, to do preliminary initialization
+of the library.  We allocate and return a context structure.
+
+Arguments:
+  host            connected host, if client; NULL if server
+  ob		  transport options block, if client; NULL if server
+  ocsp_file       file of stapling info (server); flag for require ocsp (client)
+  addr            address if client; NULL if server (for some randomness)
+  caller_state    place to put pointer to allocated state-struct
+  errstr	  error string pointer
+
+Returns:          OK/DEFER/FAIL
+*/
+
+static int
+tls_init(host_item * host, smtp_transport_options_block * ob,
+#ifndef DISABLE_OCSP
+  uschar *ocsp_file,
+#endif
+  address_item *addr, exim_openssl_state_st ** caller_state,
+  tls_support * tlsp,
+  uschar ** errstr)
+{
+SSL_CTX * ctx;
+exim_openssl_state_st * state;
+int rc;
+
+if (host)			/* client */
+  {
+  state = store_malloc(sizeof(exim_openssl_state_st));
+  memset(state, 0, sizeof(*state));
+  state->certificate = ob->tls_certificate;
+  state->privatekey =  ob->tls_privatekey;
+  state->is_server = FALSE;
+  state->dhparam = NULL;
+  state->lib_state = ob->tls_preload;
+  }
+else				/* server */
+  {
+  state = &state_server;
+  state->certificate = tls_certificate;
+  state->privatekey =  tls_privatekey;
+  state->is_server = TRUE;
+  state->dhparam = tls_dhparam;
+  state->lib_state = state_server.lib_state;
+  }
+
+state->tlsp = tlsp;
+state->host = host;
+
+if (!state->lib_state.pri_string)
+  state->server_cipher_list = NULL;
+
+#ifndef DISABLE_EVENT
+state->event_action = NULL;
+#endif
+
+tls_openssl_init();
+
+/* It turns out that we need to seed the random number generator this early in
+order to get the full complement of ciphers to work. It took me roughly a day
+of work to discover this by experiment.
+
+On systems that have /dev/urandom, SSL may automatically seed itself from
+there. Otherwise, we have to make something up as best we can. Double check
+afterwards.
+
+Although we likely called this before, at daemon startup, this is a chance
+to mix in further variable info (time, pid) if needed. */
+
+if (!lib_rand_init(addr))
+  return tls_error(US"RAND_status", host,
+    US"unable to seed random number generator", errstr);
+
+/* Apply administrator-supplied work-arounds.
+Historically we applied just one requested option,
+SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
+moved to an administrator-controlled list of options to specify and
+grandfathered in the first one as the default value for "openssl_options".
+
+No OpenSSL version number checks: the options we accept depend upon the
+availability of the option value macros from OpenSSL.  */
+
+if (!init_options)
+  if (!tls_openssl_options_parse(openssl_options, &init_options))
+    return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
+
+/* Create a context.
+The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
+negotiation in the different methods; as far as I can tell, the only
+*_{server,client}_method which allows negotiation is SSLv23, which exists even
+when OpenSSL is built without SSLv2 support.
+By disabling with openssl_options, we can let admins re-enable with the
+existing knob. */
+
+if (!(ctx = state->lib_state.lib_ctx))
+  {
+  if ((rc = lib_ctx_new(&ctx, host, errstr)) != OK)
+    return rc;
+  state->lib_state.lib_ctx = ctx;
+  }
+
+#ifndef DISABLE_TLS_RESUME
+tlsp->resumption = RESUME_SUPPORTED;
+#endif
+if (init_options)
+  {
+#ifndef DISABLE_TLS_RESUME
+  /* Should the server offer session resumption? */
+  if (!host && verify_check_host(&tls_resumption_hosts) == OK)
+    {
+    DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
+    init_options &= ~SSL_OP_NO_TICKET;
+    tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
+    tlsp->host_resumable = TRUE;
+    }
+#endif
+
+  DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
+  if (!(SSL_CTX_set_options(ctx, init_options)))
+    return tls_error(string_sprintf(
+          "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
+  }
+else
+  DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
+
+/* We'd like to disable session cache unconditionally, but foolish Outlook
+Express clients then give up the first TLS connection and make a second one
+(which works).  Only when there is an IMAP service on the same machine.
+Presumably OE is trying to use the cache for A on B.  Leave it enabled for
+now, until we work out a decent way of presenting control to the config.  It
+will never be used because we use a new context every time. */
+#ifdef notdef
+(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+#endif
+
+/* Initialize with DH parameters if supplied */
+/* Initialize ECDH temp key parameter selection */
+
+if (!host)
+  {
+  if (state->lib_state.dh)
+    { DEBUG(D_tls) debug_printf("TLS: DH params were preloaded\n"); }
+  else
+    if (!init_dh(ctx, state->dhparam, errstr)) return DEFER;
+
+  if (state->lib_state.ecdh)
+    { DEBUG(D_tls) debug_printf("TLS: ECDH curve was preloaded\n"); }
+  else
+    if (!init_ecdh(ctx, errstr)) return DEFER;
+  }
+
+/* Set up certificate and key (and perhaps OCSP info) */
+
+if (state->lib_state.conn_certs)
+  {
+  DEBUG(D_tls)
+    debug_printf("TLS: %s certs were preloaded\n", host ? "client":"server");
+  }
+else
+  {
+#ifndef DISABLE_OCSP
+  if (!host)
+    {
+    state->u_ocsp.server.file = ocsp_file;
+    state->u_ocsp.server.file_expanded = NULL;
+    state->u_ocsp.server.olist = NULL;
+    }
+#endif
+  if ((rc = tls_expand_session_files(ctx, state, errstr)) != OK) return rc;
+  }
+
+/* If we need to handle SNI or OCSP, do so */
+
+#ifdef EXIM_HAVE_OPENSSL_TLSEXT
+# ifndef DISABLE_OCSP
+  if (!(state->verify_stack = sk_X509_new_null()))
+    {
+    DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
+    return FAIL;
+    }
+# endif
+
+if (!host)		/* server */
+  {
+# ifndef DISABLE_OCSP
+  /* We check u_ocsp.server.file, not server.olist, because we care about if
+  the option exists, not what the current expansion might be, as SNI might
+  change the certificate and OCSP file in use between now and the time the
+  callback is invoked. */
+  if (state->u_ocsp.server.file)
+    {
+    SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
+    SSL_CTX_set_tlsext_status_arg(ctx, state);
+    }
+# endif
+  /* We always do this, so that $tls_sni is available even if not used in
+  tls_certificate */
+  SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
+  SSL_CTX_set_tlsext_servername_arg(ctx, state);
+
+# ifdef EXIM_HAVE_ALPN
+  if (tls_alpn && *tls_alpn)
+    {
+    uschar * exp_alpn;
+    if (  expand_check(tls_alpn, US"tls_alpn", &exp_alpn, errstr)
+       && *exp_alpn && !isblank(*exp_alpn))
+      {
+      tls_alpn = exp_alpn;	/* subprocess so ok to overwrite */
+      SSL_CTX_set_alpn_select_cb(ctx, tls_server_alpn_cb, state);
+      }
+    else
+      tls_alpn = NULL;
+    }
+# endif
+  }
+# ifndef DISABLE_OCSP
+else			/* client */
+  if(ocsp_file)		/* wanting stapling */
+    {
+    if (!(state->u_ocsp.client.verify_store = X509_STORE_new()))
+      {
+      DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
+      return FAIL;
+      }
+    SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
+    SSL_CTX_set_tlsext_status_arg(ctx, state);
+    }
+# endif
+#endif
+
+state->verify_cert_hostnames = NULL;
+
+#ifdef EXIM_HAVE_EPHEM_RSA_KEX
+/* Set up the RSA callback */
+SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
+#endif
+
+/* Finally, set the session cache timeout, and we are done.
+The period appears to be also used for (server-generated) session tickets */
+
+SSL_CTX_set_timeout(ctx, ssl_session_timeout);
+DEBUG(D_tls) debug_printf("Initialized TLS\n");
+
+*caller_state = state;
+
+return OK;
+}
+
+
+
+
+/*************************************************
+*           Get name of cipher in use            *
+*************************************************/
+
+/*
+Argument:   pointer to an SSL structure for the connection
+	    pointer to number of bits for cipher
+Returns:    pointer to allocated string in perm-pool
+*/
+
+static uschar *
+construct_cipher_name(SSL * ssl, const uschar * ver, int * bits)
+{
+int pool = store_pool;
+/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
+yet reflect that.  It should be a safe change anyway, even 0.9.8 versions have
+the accessor functions use const in the prototype. */
+
+const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
+uschar * s;
+
+SSL_CIPHER_get_bits(c, bits);
+
+store_pool = POOL_PERM;
+s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
+store_pool = pool;
+DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
+return s;
+}
+
+
+/* Get IETF-standard name for ciphersuite.
+Argument:   pointer to an SSL structure for the connection
+Returns:    pointer to string
+*/
+
+static const uschar *
+cipher_stdname_ssl(SSL * ssl)
+{
+#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
+return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
+#else
+ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
+return cipher_stdname(id >> 8, id & 0xff);
+#endif
+}
+
+
+static const uschar *
+tlsver_name(SSL * ssl)
+{
+uschar * s, * p;
+int pool = store_pool;
+
+store_pool = POOL_PERM;
+s = string_copy(US SSL_get_version(ssl));
+store_pool = pool;
+if ((p = Ustrchr(s, 'v')))	/* TLSv1.2 -> TLS1.2 */
+  for (;; p++) if (!(*p = p[1])) break;
+return CUS s;
+}
+
+
+static void
+peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
+{
+/*XXX we might consider a list-of-certs variable for the cert chain.
+SSL_get_peer_cert_chain(SSL*).  We'd need a new variable type and support
+in list-handling functions, also consider the difference between the entire
+chain and the elements sent by the peer. */
+
+tlsp->peerdn = NULL;
+
+/* Will have already noted peercert on a verify fail; possibly not the leaf */
+if (!tlsp->peercert)
+  tlsp->peercert = SSL_get_peer_certificate(ssl);
+/* Beware anonymous ciphers which lead to server_cert being NULL */
+if (tlsp->peercert)
+  if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
+    { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
+  else
+    {
+    int oldpool = store_pool;
+
+    peerdn[siz-1] = '\0';		/* paranoia */
+    store_pool = POOL_PERM;
+    tlsp->peerdn = string_copy(peerdn);
+    store_pool = oldpool;
+
+    /* We used to set CV in the cert-verify callbacks (either plain or dane)
+    but they don't get called on session-resumption.  So use the official
+    interface, which uses the resumed value.  Unfortunately this claims verified
+    when it actually failed but we're in try-verify mode, due to us wanting the
+    knowlege that it failed so needing to have the callback and forcing a
+    permissive return.  If we don't force it, the TLS startup is failed.
+    The extra bit of information is set in verify_override in the cb, stashed
+    for resumption next to the TLS session, and used here. */
+
+    if (!tlsp->verify_override)
+      tlsp->certificate_verified =
+#ifdef SUPPORT_DANE
+	tlsp->dane_verified ||
+#endif
+	SSL_get_verify_result(ssl) == X509_V_OK;
+    }
+}
+
+
+
+
+
+/*************************************************
+*        Set up for verifying certificates       *
+*************************************************/
+
+#ifndef DISABLE_OCSP
+/* Load certs from file, return TRUE on success */
+
+static BOOL
+chain_from_pem_file(const uschar * file, STACK_OF(X509) ** vp)
+{
+BIO * bp;
+STACK_OF(X509) * verify_stack = *vp;
+
+if (verify_stack)
+  while (sk_X509_num(verify_stack) > 0)
+    X509_free(sk_X509_pop(verify_stack));
+else
+  verify_stack = sk_X509_new_null();
+
+if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
+for (X509 * x; x = PEM_read_bio_X509(bp, NULL, 0, NULL); )
+  sk_X509_push(verify_stack, x);
+BIO_free(bp);
+*vp = verify_stack;
+return TRUE;
+}
+#endif
+
+
+
+/* Called by both client and server startup; on the server possibly
+repeated after a Server Name Indication.
+
+Arguments:
+  sctx          SSL_CTX* to initialise
+  certs         certs file, expanded
+  crl           CRL file or NULL
+  host          NULL in a server; the remote host in a client
+  errstr	error string pointer
+
+Returns:        OK/DEFER/FAIL
+*/
+
+static int
+setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host,
+    uschar ** errstr)
+{
+uschar *expcerts, *expcrl;
+
+if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
+  return DEFER;
+DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
+
+if (expcerts && *expcerts)
+  {
+  /* Tell the library to use its compiled-in location for the system default
+  CA bundle. Then add the ones specified in the config, if any. */
+
+  if (!SSL_CTX_set_default_verify_paths(sctx))
+    return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
+
+  if (Ustrcmp(expcerts, "system") != 0 && Ustrncmp(expcerts, "system,", 7) != 0)
+    {
+    struct stat statbuf;
+
+    if (Ustat(expcerts, &statbuf) < 0)
+      {
+      log_write(0, LOG_MAIN|LOG_PANIC,
+	"failed to stat %s for certificates", expcerts);
+      return DEFER;
+      }
+    else
+      {
+      uschar *file, *dir;
+      if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+	{ file = NULL; dir = expcerts; }
+      else
+	{
+	STACK_OF(X509) * verify_stack =
+#ifndef DISABLE_OCSP
+	  !host ? state_server.verify_stack :
+#endif
+	  NULL;
+	STACK_OF(X509) ** vp = &verify_stack;
+
+	file = expcerts; dir = NULL;
+#ifndef DISABLE_OCSP
+	/* In the server if we will be offering an OCSP proof, load chain from
+	file for verifying the OCSP proof at load time. */
+
+/*XXX Glitch!   The file here is tls_verify_certs: the chain for verifying the client cert.
+This is inconsistent with the need to verify the OCSP proof of the server cert.
+*/
+	if (  !host
+	   && statbuf.st_size > 0
+	   && state_server.u_ocsp.server.file
+	   && !chain_from_pem_file(file, vp)
+	   )
+	  {
+	  log_write(0, LOG_MAIN|LOG_PANIC,
+	    "failed to load cert chain from %s", file);
+	  return DEFER;
+	  }
+#endif
+	}
+
+      /* If a certificate file is empty, the load function fails with an
+      unhelpful error message. If we skip it, we get the correct behaviour (no
+      certificates are recognized, but the error message is still misleading (it
+      says no certificate was supplied).  But this is better. */
+
+      if (  (!file || statbuf.st_size > 0)
+         && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
+	  return tls_error(US"SSL_CTX_load_verify_locations",
+			    host, NULL, errstr);
+
+      /* On the server load the list of CAs for which we will accept certs, for
+      sending to the client.  This is only for the one-file
+      tls_verify_certificates variant.
+      If a list isn't loaded into the server, but some verify locations are set,
+      the server end appears to make a wildcard request for client certs.
+      Meanwhile, the client library as default behaviour *ignores* the list
+      we send over the wire - see man SSL_CTX_set_client_cert_cb.
+      Because of this, and that the dir variant is likely only used for
+      the public-CA bundle (not for a private CA), not worth fixing.  */
+
+      if (file)
+	{
+	STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
+	int i = sk_X509_NAME_num(names);
+
+	if (!host) SSL_CTX_set_client_CA_list(sctx, names);
+	DEBUG(D_tls) debug_printf("Added %d additional certificate authorit%s\n",
+				    i, i>1 ? "ies":"y");
+	}
+      else
+	DEBUG(D_tls)
+	  debug_printf("Added dir for additional certificate authorities\n");
+      }
+    }
+
+  /* Handle a certificate revocation list. */
+
+#if OPENSSL_VERSION_NUMBER > 0x00907000L
+
+  /* This bit of code is now the version supplied by Lars Mainka. (I have
+  merely reformatted it into the Exim code style.)
+
+  "From here I changed the code to add support for multiple crl's
+  in pem format in one file or to support hashed directory entries in
+  pem format instead of a file. This method now uses the library function
+  X509_STORE_load_locations to add the CRL location to the SSL context.
+  OpenSSL will then handle the verify against CA certs and CRLs by
+  itself in the verify callback." */
+
+  if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
+  if (expcrl && *expcrl)
+    {
+    struct stat statbufcrl;
+    if (Ustat(expcrl, &statbufcrl) < 0)
+      {
+      log_write(0, LOG_MAIN|LOG_PANIC,
+        "failed to stat %s for certificates revocation lists", expcrl);
+      return DEFER;
+      }
+    else
+      {
+      /* is it a file or directory? */
+      uschar *file, *dir;
+      X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
+      if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
+        {
+        file = NULL;
+        dir = expcrl;
+        DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
+        }
+      else
+        {
+        file = expcrl;
+        dir = NULL;
+        DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
+        }
+      if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
+        return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
+
+      /* setting the flags to check against the complete crl chain */
+
+      X509_STORE_set_flags(cvstore,
+        X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+      }
+    }
+
+#endif  /* OPENSSL_VERSION_NUMBER > 0x00907000L */
+  }
+
+return OK;
+}
+
+
+
+static void
+tls_dump_keylog(SSL * ssl)
+{
+#ifdef EXIM_HAVE_OPENSSL_KEYLOG
+  BIO * bp = BIO_new(BIO_s_mem());
+  uschar * s = NULL;
+  int len;
+  SSL_SESSION_print_keylog(bp, SSL_get_session(ssl));
+  len = (int) BIO_get_mem_data(bp, CSS &s);
+  if (len > 0) debug_printf("%.*s", len, s);
+  BIO_free(bp);
+#endif
+}
+
+
+/*************************************************
+*       Start a TLS session in a server          *
+*************************************************/
+/* This is called when Exim is running as a server, after having received
+the STARTTLS command. It must respond to that command, and then negotiate
+a TLS session.
+
+Arguments:
+  errstr	    pointer to error message
+
+Returns:            OK on success
+                    DEFER for errors before the start of the negotiation
+                    FAIL for errors during the negotiation; the server can't
+                      continue running.
+*/
+
+int
+tls_server_start(uschar ** errstr)
+{
+int rc;
+uschar * expciphers;
+exim_openssl_state_st * dummy_statep;
+SSL_CTX * ctx;
+SSL * ssl;
+static uschar peerdn[256];
+
+/* Check for previous activation */
+
+if (tls_in.active.sock >= 0)
+  {
+  tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
+  smtp_printf("554 Already in TLS\r\n", FALSE);
+  return FAIL;
+  }
+
+/* Initialize the SSL library. If it fails, it will already have logged
+the error. */
+
+rc = tls_init(NULL, NULL,
+#ifndef DISABLE_OCSP
+    tls_ocsp_file,
+#endif
+    NULL, &dummy_statep, &tls_in, errstr);
+if (rc != OK) return rc;
+ctx = state_server.lib_state.lib_ctx;
+
+/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
+were historically separated by underscores. So that I can use either form in my
+tests, and also for general convenience, we turn underscores into hyphens here.
+
+XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
+for TLS 1.3 .  Since we do not call it at present we get the default list:
+TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+*/
+
+if (state_server.lib_state.pri_string)
+  { DEBUG(D_tls) debug_printf("TLS: cipher list was preloaded\n"); }
+else 
+  {
+  if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
+    return FAIL;
+
+  if (expciphers)
+    {
+    normalise_ciphers(&expciphers, tls_require_ciphers);
+    if ((rc = server_load_ciphers(ctx, &state_server, expciphers, errstr)) != OK)
+      return rc;
+    }
+  }
+
+/* If this is a host for which certificate verification is mandatory or
+optional, set up appropriately. */
+
+tls_in.certificate_verified = FALSE;
+#ifdef SUPPORT_DANE
+tls_in.dane_verified = FALSE;
+#endif
+server_verify_callback_called = FALSE;
+
+if (verify_check_host(&tls_verify_hosts) == OK)
+  server_verify_optional = FALSE;
+else if (verify_check_host(&tls_try_verify_hosts) == OK)
+  server_verify_optional = TRUE;
+else
+  goto skip_certs;
+
+ {
+  uschar * expcerts;
+  if (!expand_check(tls_verify_certificates, US"tls_verify_certificates",
+		    &expcerts, errstr))
+    return DEFER;
+  DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
+
+  if (state_server.lib_state.cabundle)
+    { DEBUG(D_tls) debug_printf("TLS: CA bundle for server was preloaded\n"); }
+  else
+    if ((rc = setup_certs(ctx, expcerts, tls_crl, NULL, errstr)) != OK)
+      return rc;
+
+  if (expcerts && *expcerts)
+    setup_cert_verify(ctx, server_verify_optional, verify_callback_server);
+ }
+skip_certs: ;
+
+#ifndef DISABLE_TLS_RESUME
+# if OPENSSL_VERSION_NUMBER < 0x30000000L
+SSL_CTX_set_tlsext_ticket_key_cb(ctx, ticket_key_callback);
+/* despite working, appears to always return failure, so ignoring */
+# else
+SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ticket_key_callback);
+/* despite working, appears to always return failure, so ignoring */
+# endif
+#endif
+
+#ifdef OPENSSL_HAVE_NUM_TICKETS
+# ifndef DISABLE_TLS_RESUME
+SSL_CTX_set_num_tickets(ctx, tls_in.host_resumable ? 1 : 0);
+# else
+SSL_CTX_set_num_tickets(ctx, 0);	/* send no TLS1.3 stateful-tickets */
+# endif
+#endif
+
+
+/* Prepare for new connection */
+
+if (!(ssl = SSL_new(ctx)))
+  return tls_error(US"SSL_new", NULL, NULL, errstr);
+state_server.lib_state.lib_ssl = ssl;
+
+/* Warning: we used to SSL_clear(ssl) here, it was removed.
+ *
+ * With the SSL_clear(), we get strange interoperability bugs with
+ * OpenSSL 1.0.1b and TLS1.1/1.2.  It looks as though this may be a bug in
+ * OpenSSL itself, as a clear should not lead to inability to follow protocols.
+ *
+ * The SSL_clear() call is to let an existing SSL* be reused, typically after
+ * session shutdown.  In this case, we have a brand new object and there's no
+ * obvious reason to immediately clear it.  I'm guessing that this was
+ * originally added because of incomplete initialisation which the clear fixed,
+ * in some historic release.
+ */
+
+/* Set context and tell client to go ahead, except in the case of TLS startup
+on connection, where outputting anything now upsets the clients and tends to
+make them disconnect. We need to have an explicit fflush() here, to force out
+the response. Other smtp_printf() calls do not need it, because in non-TLS
+mode, the fflush() happens when smtp_getc() is called. */
+
+SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
+if (!tls_in.on_connect)
+  {
+  smtp_printf("220 TLS go ahead\r\n", FALSE);
+  fflush(smtp_out);
+  }
+
+/* Now negotiate the TLS session. We put our own timer on it, since it seems
+that the OpenSSL library doesn't. */
+
+SSL_set_wfd(ssl, fileno(smtp_out));
+SSL_set_rfd(ssl, fileno(smtp_in));
+SSL_set_accept_state(ssl);
+
+DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
+
+ERR_clear_error();
+sigalrm_seen = FALSE;
+if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
+rc = SSL_accept(ssl);
+ALARM_CLR(0);
+
+if (rc <= 0)
+  {
+  int error = SSL_get_error(ssl, rc);
+  switch(error)
+    {
+    case SSL_ERROR_NONE:
+      break;
+
+    case SSL_ERROR_ZERO_RETURN:
+      DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
+      (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
+#ifndef DISABLE_EVENT
+      (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
+#endif
+      if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
+	SSL_shutdown(ssl);
+
+      tls_close(NULL, TLS_NO_SHUTDOWN);
+      return FAIL;
+
+    /* Handle genuine errors */
+    case SSL_ERROR_SSL:
+      {
+      uschar * s = NULL;
+      int r = ERR_GET_REASON(ERR_peek_error());
+      if (  r == SSL_R_WRONG_VERSION_NUMBER
+#ifdef SSL_R_VERSION_TOO_LOW
+         || r == SSL_R_VERSION_TOO_LOW
+#endif
+         || r == SSL_R_UNKNOWN_PROTOCOL || r == SSL_R_UNSUPPORTED_PROTOCOL)
+	s = string_sprintf("(%s)", SSL_get_version(ssl));
+      (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : s, errstr);
+#ifndef DISABLE_EVENT
+      (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
+#endif
+      return FAIL;
+      }
+
+    default:
+      DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
+      if (error == SSL_ERROR_SYSCALL)
+	{
+	if (!errno)
+	  {
+	  *errstr = US"SSL_accept: TCP connection closed by peer";
+#ifndef DISABLE_EVENT
+	  (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
+#endif
+	  return FAIL;
+	  }
+	DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno));
+	}
+      (void) tls_error(US"SSL_accept", NULL,
+		      sigalrm_seen ? US"timed out"
+		      : ERR_peek_error() ? NULL : string_sprintf("ret %d", error),
+		      errstr);
+#ifndef DISABLE_EVENT
+      (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
+#endif
+      return FAIL;
+    }
+  }
+
+DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
+ERR_clear_error();	/* Even success can leave errors in the stack. Seen with
+			anon-authentication ciphersuite negotiated. */
+
+#ifndef DISABLE_TLS_RESUME
+if (SSL_session_reused(ssl))
+  {
+  tls_in.resumption |= RESUME_USED;
+  DEBUG(D_tls) debug_printf("Session reused\n");
+  }
+#endif
+
+#ifdef EXIM_HAVE_ALPN
+/* If require-alpn, check server_seen_alpn here.  Else abort TLS */
+if (!tls_alpn || !*tls_alpn)
+  { DEBUG(D_tls) debug_printf("TLS: was not watching for ALPN\n"); }
+else if (!server_seen_alpn)
+  if (verify_check_host(&hosts_require_alpn) == OK)
+    {
+    /* We'd like to send a definitive Alert but OpenSSL provides no facility */
+    SSL_shutdown(ssl);
+    tls_error(US"handshake", NULL, US"ALPN required but not negotiated", errstr);
+    return FAIL;
+    }
+  else
+    { DEBUG(D_tls) debug_printf("TLS: no ALPN presented in handshake\n"); }
+else DEBUG(D_tls)
+  {
+  const uschar * name;
+  unsigned len;
+  SSL_get0_alpn_selected(ssl, &name, &len);
+  if (len && name)
+    debug_printf("ALPN negotiated: '%.*s'\n", (int)*name, name+1);
+  else
+    debug_printf("ALPN: no protocol negotiated\n");
+  }
+#endif
+
+
+/* TLS has been set up. Record data for the connection,
+adjust the input functions to read via TLS, and initialize things. */
+
+#ifdef SSL_get_extms_support
+tls_in.ext_master_secret = SSL_get_extms_support(ssl) == 1;
+#endif
+peer_cert(ssl, &tls_in, peerdn, sizeof(peerdn));
+
+tls_in.ver = tlsver_name(ssl);
+tls_in.cipher = construct_cipher_name(ssl, tls_in.ver, &tls_in.bits);
+tls_in.cipher_stdname = cipher_stdname_ssl(ssl);
+
+DEBUG(D_tls)
+  {
+  uschar buf[2048];
+  if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)))
+    debug_printf("Shared ciphers: %s\n", buf);
+
+  tls_dump_keylog(ssl);
+
+#ifdef EXIM_HAVE_SESSION_TICKET
+  {
+  SSL_SESSION * ss = SSL_get_session(ssl);
+  if (SSL_SESSION_has_ticket(ss))	/* 1.1.0 */
+    debug_printf("The session has a ticket, life %lu seconds\n",
+      SSL_SESSION_get_ticket_lifetime_hint(ss));
+  }
+#endif
+  }
+
+/* Record the certificate we presented */
+  {
+  X509 * crt = SSL_get_certificate(ssl);
+  tls_in.ourcert = crt ? X509_dup(crt) : NULL;
+  }
+
+/* Channel-binding info for authenticators
+See description in https://paquier.xyz/postgresql-2/channel-binding-openssl/ */
+  {
+  uschar c, * s;
+  size_t len = SSL_get_peer_finished(ssl, &c, 0);
+  int old_pool = store_pool;
+
+  SSL_get_peer_finished(ssl, s = store_get((int)len, GET_UNTAINTED), len);
+  store_pool = POOL_PERM;
+    tls_in.channelbinding = b64encode_taint(CUS s, (int)len, GET_UNTAINTED);
+  store_pool = old_pool;
+  DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage %p\n", tls_in.channelbinding);
+  }
+
+/* Only used by the server-side tls (tls_in), including tls_getc.
+   Client-side (tls_out) reads (seem to?) go via
+   smtp_read_response()/ip_recv().
+   Hence no need to duplicate for _in and _out.
+ */
+if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
+ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
+ssl_xfer_eof = ssl_xfer_error = FALSE;
+
+receive_getc = tls_getc;
+receive_getbuf = tls_getbuf;
+receive_get_cache = tls_get_cache;
+receive_hasc = tls_hasc;
+receive_ungetc = tls_ungetc;
+receive_feof = tls_feof;
+receive_ferror = tls_ferror;
+
+tls_in.active.sock = fileno(smtp_out);
+tls_in.active.tls_ctx = NULL;	/* not using explicit ctx for server-side */
+return OK;
+}
+
+
+
+
+static int
+tls_client_basic_ctx_init(SSL_CTX * ctx,
+    host_item * host, smtp_transport_options_block * ob, exim_openssl_state_st * state,
+    uschar ** errstr)
+{
+int rc;
+
+/* Back-compatible old behaviour if tls_verify_certificates is set but both
+tls_verify_hosts and tls_try_verify_hosts are not set. Check only the specified
+host patterns if one of them is set with content. */
+
+if (  (  (  !ob->tls_verify_hosts || !ob->tls_verify_hosts
+	 || Ustrcmp(ob->tls_try_verify_hosts, ":") == 0
+	 )
+      && (  !ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts
+	 || Ustrcmp(ob->tls_try_verify_hosts, ":") == 0
+         )
+      )
+   || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
+   )
+  client_verify_optional = FALSE;
+else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
+  client_verify_optional = TRUE;
+else
+  return OK;
+
+ {
+  uschar * expcerts;
+  if (!expand_check(ob->tls_verify_certificates, US"tls_verify_certificates",
+		    &expcerts, errstr))
+    return DEFER;
+  DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
+
+  if (state->lib_state.cabundle)
+    { DEBUG(D_tls) debug_printf("TLS: CA bundle was preloaded\n"); }
+  else
+    if ((rc = setup_certs(ctx, expcerts, ob->tls_crl, host, errstr)) != OK)
+      return rc;
+
+  if (expcerts && *expcerts)
+    setup_cert_verify(ctx, client_verify_optional, verify_callback_client);
+ }
+
+if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
+  {
+  state->verify_cert_hostnames =
+#ifdef SUPPORT_I18N
+    string_domain_utf8_to_alabel(host->certname, NULL);
+#else
+    host->certname;
+#endif
+  DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
+		    state->verify_cert_hostnames);
+  }
+return OK;
+}
+
+
+#ifdef SUPPORT_DANE
+static int
+dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
+{
+dns_scan dnss;
+const char * hostnames[2] = { CS host->name, NULL };
+int found = 0;
+
+if (DANESSL_init(ssl, NULL, hostnames) != 1)
+  return tls_error(US"hostnames load", host, NULL, errstr);
+
+for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
+    ) if (rr->type == T_TLSA && rr->size > 3)
+  {
+  const uschar * p = rr->data;
+  uint8_t usage, selector, mtype;
+  const char * mdname;
+
+  usage = *p++;
+
+  /* Only DANE-TA(2) and DANE-EE(3) are supported */
+  if (usage != 2 && usage != 3) continue;
+
+  selector = *p++;
+  mtype = *p++;
+
+  switch (mtype)
+    {
+    default: continue;	/* Only match-types 0, 1, 2 are supported */
+    case 0:  mdname = NULL; break;
+    case 1:  mdname = "sha256"; break;
+    case 2:  mdname = "sha512"; break;
+    }
+
+  found++;
+  switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
+    {
+    default:
+      return tls_error(US"tlsa load", host, NULL, errstr);
+    case 0:	/* action not taken */
+    case 1:	break;
+    }
+
+  tls_out.tlsa_usage |= 1<<usage;
+  }
+
+if (found)
+  return OK;
+
+log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
+return DEFER;
+}
+#endif	/*SUPPORT_DANE*/
+
+
+
+#ifndef DISABLE_TLS_RESUME
+/* On the client, get any stashed session for the given IP from hints db
+and apply it to the ssl-connection for attempted resumption. */
+
+static void
+tls_retrieve_session(tls_support * tlsp, SSL * ssl)
+{
+if (tlsp->host_resumable)
+  {
+  const uschar * key = tlsp->resume_index;
+  dbdata_tls_session * dt;
+  int len;
+  open_db dbblock, * dbm_file;
+
+  tlsp->resumption |= RESUME_CLIENT_REQUESTED;
+  DEBUG(D_tls)
+    debug_printf("checking for resumable session for %s\n", tlsp->resume_index);
+  if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
+    {
+    if ((dt = dbfn_read_with_length(dbm_file, tlsp->resume_index, &len)))
+      {
+      SSL_SESSION * ss = NULL;
+      const uschar * sess_asn1 = dt->session;
+
+      len -= sizeof(dbdata_tls_session);
+      if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
+	{
+	DEBUG(D_tls)
+	  {
+	  ERR_error_string_n(ERR_get_error(),
+	    ssl_errstring, sizeof(ssl_errstring));
+	  debug_printf("decoding session: %s\n", ssl_errstring);
+	  }
+	}
+      else
+	{
+	unsigned long lifetime =
+#ifdef EXIM_HAVE_SESSION_TICKET
+	  SSL_SESSION_get_ticket_lifetime_hint(ss);
+#else			/* Use, fairly arbitrilarily, what we as server would */
+	  f.running_in_test_harness ? 6 : ssl_session_timeout;
+#endif
+	if (lifetime + dt->time_stamp < time(NULL))
+	  {
+	  DEBUG(D_tls) debug_printf("session expired\n");
+	  dbfn_delete(dbm_file, tlsp->resume_index);
+	  }
+	else if (SSL_set_session(ssl, ss))
+	  {
+	  DEBUG(D_tls) debug_printf("good session\n");
+	  tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
+	  tlsp->verify_override = dt->verify_override;
+	  tlsp->ocsp = dt->ocsp;
+	  }
+	else DEBUG(D_tls)
+	  {
+	  ERR_error_string_n(ERR_get_error(),
+	    ssl_errstring, sizeof(ssl_errstring));
+	  debug_printf("applying session to ssl: %s\n", ssl_errstring);
+	  }
+	}
+      }
+    else
+      DEBUG(D_tls) debug_printf("no session record\n");
+    dbfn_close(dbm_file);
+    }
+  }
+}
+
+
+/* On the client, save the session for later resumption */
+
+static int
+tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
+{
+exim_openssl_state_st * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
+tls_support * tlsp;
+
+DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
+
+if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
+
+# ifdef OPENSSL_HAVE_NUM_TICKETS
+if (SSL_SESSION_is_resumable(ss)) 	/* 1.1.1 */
+# endif
+  {
+  int len = i2d_SSL_SESSION(ss, NULL);
+  int dlen = sizeof(dbdata_tls_session) + len;
+  dbdata_tls_session * dt = store_get(dlen, GET_TAINTED);
+  uschar * s = dt->session;
+  open_db dbblock, * dbm_file;
+
+  DEBUG(D_tls) debug_printf("session is resumable\n");
+  tlsp->resumption |= RESUME_SERVER_TICKET;	/* server gave us a ticket */
+
+  dt->verify_override = tlsp->verify_override;
+  dt->ocsp = tlsp->ocsp;
+  (void) i2d_SSL_SESSION(ss, &s);		/* s gets bumped to end */
+
+  if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
+    {
+    dbfn_write(dbm_file, tlsp->resume_index, dt, dlen);
+    dbfn_close(dbm_file);
+    DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
+		  (unsigned)dlen);
+    }
+  }
+return 1;
+}
+
+
+/* Construct a key for session DB lookup, and setup the SSL_CTX for resumption */
+
+static void
+tls_client_ctx_resume_prehandshake(
+  exim_openssl_client_tls_ctx * exim_client_ctx, smtp_connect_args * conn_args,
+  tls_support * tlsp, smtp_transport_options_block * ob)
+{
+tlsp->host_resumable = TRUE;
+tls_client_resmption_key(tlsp, conn_args, ob);
+
+SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
+      SSL_SESS_CACHE_CLIENT
+      | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
+SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
+}
+
+static BOOL
+tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
+  host_item * host, uschar ** errstr)
+{
+if (tlsp->host_resumable)
+  {
+  DEBUG(D_tls)
+    debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
+  SSL_clear_options(ssl, SSL_OP_NO_TICKET);
+
+  tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
+  if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_state))
+    {
+    tls_error(US"set ex_data", host, NULL, errstr);
+    return FALSE;
+    }
+  debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_state);
+  }
+
+tlsp->resumption = RESUME_SUPPORTED;
+/* Pick up a previous session, saved on an old ticket */
+tls_retrieve_session(tlsp, ssl);
+return TRUE;
+}
+
+static void
+tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
+  tls_support * tlsp)
+{
+if (SSL_session_reused(exim_client_ctx->ssl))
+  {
+  DEBUG(D_tls) debug_printf("The session was reused\n");
+  tlsp->resumption |= RESUME_USED;
+  }
+}
+#endif	/* !DISABLE_TLS_RESUME */
+
+
+#ifdef EXIM_HAVE_ALPN
+/* Expand and convert an Exim list to an ALPN list.  False return for fail.
+NULL plist return for silent no-ALPN.
+
+Overwite the passed-in list with the expanded version.
+*/
+
+static BOOL
+tls_alpn_plist(uschar ** tls_alpn, const uschar ** plist, unsigned * plen,
+  uschar ** errstr)
+{
+uschar * exp_alpn;
+
+if (!expand_check(*tls_alpn, US"tls_alpn", &exp_alpn, errstr))
+  return FALSE;
+*tls_alpn = exp_alpn;
+
+if (!exp_alpn)
+  {
+  DEBUG(D_tls) debug_printf("Setting TLS ALPN forced to fail, not sending\n");
+  *plist = NULL;
+  }
+else
+  {
+  /* The server implementation only accepts exactly one protocol name
+  but it's little extra code complexity in the client. */
+
+  const uschar * list = exp_alpn;
+  uschar * p = store_get(Ustrlen(exp_alpn), exp_alpn), * s, * t;
+  int sep = 0;
+  uschar len;
+
+  for (t = p; s = string_nextinlist(&list, &sep, NULL, 0); t += len)
+    {
+    *t++ = len = (uschar) Ustrlen(s);
+    memcpy(t, s, len);
+    }
+  *plist = (*plen = t - p) ? p : NULL;
+  }
+return TRUE;
+}
+#endif	/* EXIM_HAVE_ALPN */
+
+
+/*************************************************
+*    Start a TLS session in a client             *
+*************************************************/
+
+/* Called from the smtp transport after STARTTLS has been accepted.
+
+Arguments:
+  cctx		connection context
+  conn_args	connection details
+  cookie	datum for randomness; can be NULL
+  tlsp		record details of TLS channel configuration here; must be non-NULL
+  errstr	error string pointer
+
+Returns:	TRUE for success with TLS session context set in connection context,
+		FALSE on error
+*/
+
+BOOL
+tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
+  void * cookie, tls_support * tlsp, uschar ** errstr)
+{
+host_item * host = conn_args->host;		/* for msgs and option-tests */
+transport_instance * tb = conn_args->tblock;	/* always smtp or NULL */
+smtp_transport_options_block * ob = tb
+  ? (smtp_transport_options_block *)tb->options_block
+  : &smtp_transport_option_defaults;
+exim_openssl_client_tls_ctx * exim_client_ctx;
+uschar * expciphers;
+int rc;
+static uschar peerdn[256];
+
+#ifndef DISABLE_OCSP
+BOOL request_ocsp = FALSE;
+BOOL require_ocsp = FALSE;
+#endif
+
+rc = store_pool;
+store_pool = POOL_PERM;
+exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), GET_UNTAINTED);
+exim_client_ctx->corked = NULL;
+store_pool = rc;
+
+#ifdef SUPPORT_DANE
+tlsp->tlsa_usage = 0;
+#endif
+
+#ifndef DISABLE_OCSP
+  {
+# ifdef SUPPORT_DANE
+  /*XXX this should be moved to caller, to be common across gnutls/openssl */
+  if (  conn_args->dane
+     && ob->hosts_request_ocsp[0] == '*'
+     && ob->hosts_request_ocsp[1] == '\0'
+     )
+    {
+    /* Unchanged from default.  Use a safer one under DANE */
+    request_ocsp = TRUE;
+    ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
+				      "   {= {4}{$tls_out_tlsa_usage}} } "
+				 " {*}{}}";
+    }
+# endif
+
+  if ((require_ocsp =
+	verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
+    request_ocsp = TRUE;
+  else
+# ifdef SUPPORT_DANE
+    if (!request_ocsp)
+# endif
+      request_ocsp =
+	verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
+  }
+#endif
+
+rc = tls_init(host, ob,
+#ifndef DISABLE_OCSP
+    (void *)(long)request_ocsp,
+#endif
+    cookie, &client_static_state, tlsp, errstr);
+if (rc != OK) return FALSE;
+
+exim_client_ctx->ctx = client_static_state->lib_state.lib_ctx;
+
+tlsp->certificate_verified = FALSE;
+client_verify_callback_called = FALSE;
+
+expciphers = NULL;
+#ifdef SUPPORT_DANE
+if (conn_args->dane)
+  {
+  /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
+  other failures should be treated as problems. */
+  if (ob->dane_require_tls_ciphers &&
+      !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
+        &expciphers, errstr))
+    return FALSE;
+  if (expciphers && *expciphers == '\0')
+    expciphers = NULL;
+
+  normalise_ciphers(&expciphers, ob->dane_require_tls_ciphers);
+  }
+#endif
+if (!expciphers)
+  {
+  if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
+      &expciphers, errstr))
+    return FALSE;
+
+  /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
+  are separated by underscores. So that I can use either form in my tests, and
+  also for general convenience, we turn underscores into hyphens here. */
+
+  normalise_ciphers(&expciphers, ob->tls_require_ciphers);
+  }
+
+if (expciphers)
+  {
+  DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
+  if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
+    {
+    tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
+    return FALSE;
+    }
+  }
+
+#ifdef SUPPORT_DANE
+if (conn_args->dane)
+  {
+  SSL_CTX_set_verify(exim_client_ctx->ctx,
+    SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+    verify_callback_client_dane);
+
+  if (!DANESSL_library_init())
+    {
+    tls_error(US"library init", host, NULL, errstr);
+    return FALSE;
+    }
+  if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
+    {
+    tls_error(US"context init", host, NULL, errstr);
+    return FALSE;
+    }
+  }
+else
+
+#endif
+
+if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
+      client_static_state, errstr) != OK)
+  return FALSE;
+
+if (ob->tls_sni)
+  {
+  if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
+    return FALSE;
+  if (!tlsp->sni)
+    { DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n"); }
+  else if (!Ustrlen(tlsp->sni))
+    tlsp->sni = NULL;
+  else
+    {
+#ifndef EXIM_HAVE_OPENSSL_TLSEXT
+    log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
+          tlsp->sni);
+    tlsp->sni = NULL;
+#endif
+    }
+  }
+
+if (ob->tls_alpn)
+#ifdef EXIM_HAVE_ALPN
+  {
+  const uschar * plist;
+  unsigned plen;
+
+  if (!tls_alpn_plist(&ob->tls_alpn, &plist, &plen, errstr))
+    return FALSE;
+  if (plist)
+    if (SSL_CTX_set_alpn_protos(exim_client_ctx->ctx, plist, plen) != 0)
+      {
+      tls_error(US"alpn init", host, NULL, errstr);
+      return FALSE;
+      }
+    else
+      DEBUG(D_tls) debug_printf("Setting TLS ALPN '%s'\n", ob->tls_alpn);
+  }
+#else
+  log_write(0, LOG_MAIN, "ALPN unusable with this OpenSSL library version; ignoring \"%s\"\n",
+          ob->tls_alpn);
+#endif
+
+#ifndef DISABLE_TLS_RESUME
+/*XXX have_lbserver: another cmdline arg possibly, for continued-conn, but use
+will be very low. */
+
+if (!conn_args->have_lbserver)	/* wanted for tls_client_resmption_key() */
+  { DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
+else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
+  tls_client_ctx_resume_prehandshake(exim_client_ctx, conn_args, tlsp, ob);
+#endif
+
+
+if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
+  {
+  tls_error(US"SSL_new", host, NULL, errstr);
+  return FALSE;
+  }
+SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
+SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
+SSL_set_connect_state(exim_client_ctx->ssl);
+
+#ifdef EXIM_HAVE_OPENSSL_TLSEXT
+if (tlsp->sni)
+  {
+  DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
+  SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
+  }
+#endif
+
+#ifdef SUPPORT_DANE
+if (conn_args->dane)
+  if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
+    return FALSE;
+#endif
+
+#ifndef DISABLE_OCSP
+/* Request certificate status at connection-time.  If the server
+does OCSP stapling we will get the callback (set in tls_init()) */
+# ifdef SUPPORT_DANE
+if (request_ocsp)
+  {
+  const uschar * s;
+  if (  ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
+     || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
+     )
+    {	/* Re-eval now $tls_out_tlsa_usage is populated.  If
+    	this means we avoid the OCSP request, we wasted the setup
+	cost in tls_init(). */
+    require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
+    request_ocsp = require_ocsp
+      || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
+    }
+  }
+# endif
+
+if (request_ocsp)
+  {
+  SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
+  client_static_state->u_ocsp.client.verify_required = require_ocsp;
+  tlsp->ocsp = OCSP_NOT_RESP;
+  }
+#endif
+
+#ifndef DISABLE_TLS_RESUME
+if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
+      errstr))
+  return FALSE;
+#endif
+
+#ifndef DISABLE_EVENT
+client_static_state->event_action = tb ? tb->event_action : NULL;
+#endif
+
+/* There doesn't seem to be a built-in timeout on connection. */
+
+DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
+sigalrm_seen = FALSE;
+ALARM(ob->command_timeout);
+rc = SSL_connect(exim_client_ctx->ssl);
+ALARM_CLR(0);
+
+#ifdef SUPPORT_DANE
+if (conn_args->dane)
+  DANESSL_cleanup(exim_client_ctx->ssl);
+#endif
+
+if (rc <= 0)
+  {
+  tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
+  return FALSE;
+  }
+
+DEBUG(D_tls)
+  {
+  debug_printf("SSL_connect succeeded\n");
+  tls_dump_keylog(exim_client_ctx->ssl);
+  }
+
+#ifndef DISABLE_TLS_RESUME
+tls_client_resume_posthandshake(exim_client_ctx, tlsp);
+#endif
+
+#ifdef EXIM_HAVE_ALPN
+if (ob->tls_alpn)	/* We requested. See what was negotiated. */
+  {
+  const uschar * name;
+  unsigned len;
+
+  SSL_get0_alpn_selected(exim_client_ctx->ssl, &name, &len);
+  if (len > 0)
+    { DEBUG(D_tls) debug_printf("ALPN negotiated %u: '%.*s'\n", len, (int)*name, name+1); }
+  else if (verify_check_given_host(CUSS &ob->hosts_require_alpn, host) == OK)
+    {
+    /* Would like to send a relevant fatal Alert, but OpenSSL has no API */
+    tls_error(US"handshake", host, US"ALPN required but not negotiated", errstr);
+    return FALSE;
+    }
+  }
+#endif
+
+#ifdef SSL_get_extms_support
+tlsp->ext_master_secret = SSL_get_extms_support(exim_client_ctx->ssl) == 1;
+#endif
+peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
+
+tlsp->ver = tlsver_name(exim_client_ctx->ssl);
+tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, tlsp->ver, &tlsp->bits);
+tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
+
+/* Record the certificate we presented */
+  {
+  X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
+  tlsp->ourcert = crt ? X509_dup(crt) : NULL;
+  }
+
+/*XXX will this work with continued-TLS? */
+/* Channel-binding info for authenticators */
+  {
+  uschar c, * s;
+  size_t len = SSL_get_finished(exim_client_ctx->ssl, &c, 0);
+  int old_pool = store_pool;
+
+  SSL_get_finished(exim_client_ctx->ssl, s = store_get((int)len, GET_TAINTED), len);
+  store_pool = POOL_PERM;
+    tlsp->channelbinding = b64encode_taint(CUS s, (int)len, GET_TAINTED);
+  store_pool = old_pool;
+  DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage %p %p\n", tlsp->channelbinding, tlsp);
+  }
+
+tlsp->active.sock = cctx->sock;
+tlsp->active.tls_ctx = exim_client_ctx;
+cctx->tls_ctx = exim_client_ctx;
+return TRUE;
+}
+
+
+
+
+
+static BOOL
+tls_refill(unsigned lim)
+{
+SSL * ssl = state_server.lib_state.lib_ssl;
+int error;
+int inbytes;
+
+DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
+  ssl_xfer_buffer, ssl_xfer_buffer_size);
+
+ERR_clear_error();
+if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
+inbytes = SSL_read(ssl, CS ssl_xfer_buffer,
+		  MIN(ssl_xfer_buffer_size, lim));
+error = SSL_get_error(ssl, inbytes);
+if (smtp_receive_timeout > 0) ALARM_CLR(0);
+
+if (had_command_timeout)		/* set by signal handler */
+  smtp_command_timeout_exit();		/* does not return */
+if (had_command_sigterm)
+  smtp_command_sigterm_exit();
+if (had_data_timeout)
+  smtp_data_timeout_exit();
+if (had_data_sigint)
+  smtp_data_sigint_exit();
+
+/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
+closed down, not that the socket itself has been closed down. Revert to
+non-SSL handling. */
+
+switch(error)
+  {
+  case SSL_ERROR_NONE:
+    break;
+
+  case SSL_ERROR_ZERO_RETURN:
+    DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
+
+    if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
+	  SSL_shutdown(ssl);
+
+    tls_close(NULL, TLS_NO_SHUTDOWN);
+    return FALSE;
+
+  /* Handle genuine errors */
+  case SSL_ERROR_SSL:
+    ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
+    log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
+    ssl_xfer_error = TRUE;
+    return FALSE;
+
+  default:
+    DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
+    DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
+      debug_printf(" - syscall %s\n", strerror(errno));
+    ssl_xfer_error = TRUE;
+    return FALSE;
+  }
+
+#ifndef DISABLE_DKIM
+dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
+#endif
+ssl_xfer_buffer_hwm = inbytes;
+ssl_xfer_buffer_lwm = 0;
+return TRUE;
+}
+
+
+/*************************************************
+*            TLS version of getc                 *
+*************************************************/
+
+/* This gets the next byte from the TLS input buffer. If the buffer is empty,
+it refills the buffer via the SSL reading function.
+
+Arguments:  lim		Maximum amount to read/buffer
+Returns:    the next character or EOF
+
+Only used by the server-side TLS.
+*/
+
+int
+tls_getc(unsigned lim)
+{
+if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
+  if (!tls_refill(lim))
+    return ssl_xfer_error ? EOF : smtp_getc(lim);
+
+/* Something in the buffer; return next uschar */
+
+return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
+}
+
+BOOL
+tls_hasc(void)
+{
+return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
+}
+
+uschar *
+tls_getbuf(unsigned * len)
+{
+unsigned size;
+uschar * buf;
+
+if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
+  if (!tls_refill(*len))
+    {
+    if (!ssl_xfer_error) return smtp_getbuf(len);
+    *len = 0;
+    return NULL;
+    }
+
+if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
+  size = *len;
+buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
+ssl_xfer_buffer_lwm += size;
+*len = size;
+return buf;
+}
+
+
+void
+tls_get_cache(unsigned lim)
+{
+#ifndef DISABLE_DKIM
+int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
+debug_printf("tls_get_cache\n");
+if (n > lim)
+  n = lim;
+if (n > 0)
+  dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
+#endif
+}
+
+
+BOOL
+tls_could_getc(void)
+{
+return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm
+    || SSL_pending(state_server.lib_state.lib_ssl) > 0;
+}
+
+
+/*************************************************
+*          Read bytes from TLS channel           *
+*************************************************/
+
+/*
+Arguments:
+  ct_ctx    client context pointer, or NULL for the one global server context
+  buff      buffer of data
+  len       size of buffer
+
+Returns:    the number of bytes read
+            -1 after a failed read, including EOF
+
+Only used by the client-side TLS.
+*/
+
+int
+tls_read(void * ct_ctx, uschar *buff, size_t len)
+{
+SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl
+		  : state_server.lib_state.lib_ssl;
+int inbytes;
+int error;
+
+DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
+  buff, (unsigned int)len);
+
+ERR_clear_error();
+inbytes = SSL_read(ssl, CS buff, len);
+error = SSL_get_error(ssl, inbytes);
+
+if (error == SSL_ERROR_ZERO_RETURN)
+  {
+  DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
+  return -1;
+  }
+else if (error != SSL_ERROR_NONE)
+  return -1;
+
+return inbytes;
+}
+
+
+
+
+
+/*************************************************
+*         Write bytes down TLS channel           *
+*************************************************/
+
+/*
+Arguments:
+  ct_ctx    client context pointer, or NULL for the one global server context
+  buff      buffer of data
+  len       number of bytes
+  more	    further data expected soon
+
+Returns:    the number of bytes after a successful write,
+            -1 after a failed write
+
+Used by both server-side and client-side TLS.  Calling with len zero and more unset
+will flush buffered writes; buff can be null for this case.
+*/
+
+int
+tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
+{
+size_t olen = len;
+int outbytes, error;
+SSL * ssl = ct_ctx
+  ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl
+  : state_server.lib_state.lib_ssl;
+static gstring * server_corked = NULL;
+gstring ** corkedp = ct_ctx
+  ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
+gstring * corked = *corkedp;
+
+DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
+  buff, (unsigned long)len, more ? ", more" : "");
+
+/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
+"more" is notified.  This hack is only ok if small amounts are involved AND only
+one stream does it, in one context (i.e. no store reset).  Currently it is used
+for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
+We support callouts done by the server process by using a separate client
+context for the stashed information. */
+/* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
+a store reset there, so use POOL_PERM. */
+/* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
+
+if (more || corked)
+  {
+  if (!len) buff = US &error;	/* dummy just so that string_catn is ok */
+
+  int save_pool = store_pool;
+  store_pool = POOL_PERM;
+
+  corked = string_catn(corked, buff, len);
+
+  store_pool = save_pool;
+
+  if (more)
+    {
+    *corkedp = corked;
+    return len;
+    }
+  buff = CUS corked->s;
+  len = corked->ptr;
+  *corkedp = NULL;
+  }
+
+for (int left = len; left > 0;)
+  {
+  DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
+  ERR_clear_error();
+  outbytes = SSL_write(ssl, CS buff, left);
+  error = SSL_get_error(ssl, outbytes);
+  DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
+  switch (error)
+    {
+    case SSL_ERROR_NONE:	/* the usual case */
+      left -= outbytes;
+      buff += outbytes;
+      break;
+
+    case SSL_ERROR_SSL:
+      ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
+      log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
+      return -1;
+
+    case SSL_ERROR_ZERO_RETURN:
+      log_write(0, LOG_MAIN, "SSL channel closed on write");
+      return -1;
+
+    case SSL_ERROR_SYSCALL:
+      if (ct_ctx || errno != ECONNRESET || !f.smtp_in_quit)
+	log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
+	  sender_fullhost ? sender_fullhost : US"<unknown>",
+	  strerror(errno));
+      else if (LOGGING(protocol_detail))
+	log_write(0, LOG_MAIN, "[%s] after QUIT, client reset TCP before"
+	  " SMTP response and TLS close\n", sender_host_address);
+      else
+	DEBUG(D_tls) debug_printf("[%s] SSL_write: after QUIT,"
+	  " client reset TCP before TLS close\n", sender_host_address);
+      return -1;
+
+    default:
+      log_write(0, LOG_MAIN, "SSL_write error %d", error);
+      return -1;
+    }
+  }
+return olen;
+}
+
+
+
+/*
+Arguments:
+  ct_ctx	client TLS context pointer, or NULL for the one global server context
+*/
+
+void
+tls_shutdown_wr(void * ct_ctx)
+{
+exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
+SSL ** sslp = o_ctx ? &o_ctx->ssl : (SSL **) &state_server.lib_state.lib_ssl;
+int * fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
+int rc;
+
+if (*fdp < 0) return;  /* TLS was not active */
+
+tls_write(ct_ctx, NULL, 0, FALSE);	/* flush write buffer */
+
+HDEBUG(D_transport|D_tls|D_acl|D_v) debug_printf_indent("  SMTP(TLS shutdown)>>\n");
+rc = SSL_shutdown(*sslp);
+if (rc < 0) DEBUG(D_tls)
+  {
+  ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
+  debug_printf("SSL_shutdown: %s\n", ssl_errstring);
+  }
+}
+
+/*************************************************
+*         Close down a TLS session               *
+*************************************************/
+
+/* This is also called from within a delivery subprocess forked from the
+daemon, to shut down the TLS library, without actually doing a shutdown (which
+would tamper with the SSL session in the parent process).
+
+Arguments:
+  ct_ctx	client TLS context pointer, or NULL for the one global server context
+  do_shutdown	0 no data-flush or TLS close-alert
+		1 if TLS close-alert is to be sent,
+ 		2 if also response to be waited for
+
+Returns:     nothing
+
+Used by both server-side and client-side TLS.
+*/
+
+void
+tls_close(void * ct_ctx, int do_shutdown)
+{
+exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
+SSL ** sslp = o_ctx ? &o_ctx->ssl : (SSL **) &state_server.lib_state.lib_ssl;
+int * fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
+
+if (*fdp < 0) return;  /* TLS was not active */
+
+if (do_shutdown > TLS_NO_SHUTDOWN)
+  {
+  int rc;
+  DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
+    do_shutdown > TLS_SHUTDOWN_NOWAIT ? " (with response-wait)" : "");
+
+  tls_write(ct_ctx, NULL, 0, FALSE);	/* flush write buffer */
+
+  if (  (  do_shutdown >= TLS_SHUTDOWN_WONLY
+	|| (rc = SSL_shutdown(*sslp)) == 0	/* send "close notify" alert */
+	)
+     && do_shutdown > TLS_SHUTDOWN_NOWAIT
+     )
+    {
+#ifdef EXIM_TCP_CORK
+    (void) setsockopt(*fdp, IPPROTO_TCP, EXIM_TCP_CORK, US &off, sizeof(off));
+#endif
+    ALARM(2);
+    rc = SSL_shutdown(*sslp);			/* wait for response */
+    ALARM_CLR(0);
+    }
+
+  if (rc < 0) DEBUG(D_tls)
+    {
+    ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
+    debug_printf("SSL_shutdown: %s\n", ssl_errstring);
+    }
+  }
+
+if (!o_ctx)		/* server side */
+  {
+#ifndef DISABLE_OCSP
+  sk_X509_pop_free(state_server.verify_stack, X509_free);
+  state_server.verify_stack = NULL;
+#endif
+
+  receive_getc =	smtp_getc;
+  receive_getbuf =	smtp_getbuf;
+  receive_get_cache =	smtp_get_cache;
+  receive_hasc =	smtp_hasc;
+  receive_ungetc =	smtp_ungetc;
+  receive_feof =	smtp_feof;
+  receive_ferror =	smtp_ferror;
+  tls_in.active.tls_ctx = NULL;
+  tls_in.sni = NULL;
+  /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
+  }
+
+SSL_free(*sslp);
+*sslp = NULL;
+*fdp = -1;
+}
+
+
+
+
+/*************************************************
+*  Let tls_require_ciphers be checked at startup *
+*************************************************/
+
+/* The tls_require_ciphers option, if set, must be something which the
+library can parse.
+
+Returns:     NULL on success, or error message
+*/
+
+uschar *
+tls_validate_require_cipher(void)
+{
+SSL_CTX * ctx;
+uschar * expciphers, * err;
+
+tls_openssl_init();
+
+if (!(tls_require_ciphers && *tls_require_ciphers))
+  return NULL;
+
+if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
+		  &err))
+  return US"failed to expand tls_require_ciphers";
+
+if (!(expciphers && *expciphers))
+  return NULL;
+
+normalise_ciphers(&expciphers, tls_require_ciphers);
+
+err = NULL;
+if (lib_ctx_new(&ctx, NULL, &err) == OK)
+  {
+  DEBUG(D_tls)
+    debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
+
+  if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
+    {
+    ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
+    err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
+			expciphers, ssl_errstring);
+    }
+
+  SSL_CTX_free(ctx);
+  }
+return err;
+}
+
+
+
+
+/*************************************************
+*         Report the library versions.           *
+*************************************************/
+
+/* There have historically been some issues with binary compatibility in
+OpenSSL libraries; if Exim (like many other applications) is built against
+one version of OpenSSL but the run-time linker picks up another version,
+it can result in serious failures, including crashing with a SIGSEGV.  So
+report the version found by the compiler and the run-time version.
+
+Note: some OS vendors backport security fixes without changing the version
+number/string, and the version date remains unchanged.  The _build_ date
+will change, so we can more usefully assist with version diagnosis by also
+reporting the build date.
+
+Arguments:   string to append to
+Returns:     string
+*/
+
+gstring *
+tls_version_report(gstring * g)
+{
+return string_fmt_append(g,
+    "Library version: OpenSSL: Compile: %s\n"
+    "                          Runtime: %s\n"
+    "                                 : %s\n",
+	     OPENSSL_VERSION_TEXT,
+	     SSLeay_version(SSLEAY_VERSION),
+	     SSLeay_version(SSLEAY_BUILT_ON));
+  /* third line is 38 characters for the %s and the line is 73 chars long;
+  the OpenSSL output includes a "built on: " prefix already. */
+}
+
+
+
+
+/*************************************************
+*            Random number generation            *
+*************************************************/
+
+/* Pseudo-random number generation.  The result is not expected to be
+cryptographically strong but not so weak that someone will shoot themselves
+in the foot using it as a nonce in input in some email header scheme or
+whatever weirdness they'll twist this into.  The result should handle fork()
+and avoid repeating sequences.  OpenSSL handles that for us.
+
+Arguments:
+  max       range maximum
+Returns     a random number in range [0, max-1]
+*/
+
+int
+vaguely_random_number(int max)
+{
+unsigned int r;
+int i, needed_len;
+static pid_t pidlast = 0;
+pid_t pidnow;
+uschar smallbuf[sizeof(r)];
+
+if (max <= 1)
+  return 0;
+
+pidnow = getpid();
+if (pidnow != pidlast)
+  {
+  /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
+  is unique for each thread", this doesn't apparently apply across processes,
+  so our own warning from vaguely_random_number_fallback() applies here too.
+  Fix per PostgreSQL. */
+  if (pidlast != 0)
+    RAND_cleanup();
+  pidlast = pidnow;
+  }
+
+/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
+if (!RAND_status())
+  {
+  randstuff r;
+  gettimeofday(&r.tv, NULL);
+  r.p = getpid();
+
+  RAND_seed(US (&r), sizeof(r));
+  }
+/* We're after pseudo-random, not random; if we still don't have enough data
+in the internal PRNG then our options are limited.  We could sleep and hope
+for entropy to come along (prayer technique) but if the system is so depleted
+in the first place then something is likely to just keep taking it.  Instead,
+we'll just take whatever little bit of pseudo-random we can still manage to
+get. */
+
+needed_len = sizeof(r);
+/* Don't take 8 times more entropy than needed if int is 8 octets and we were
+asked for a number less than 10. */
+for (r = max, i = 0; r; ++i)
+  r >>= 1;
+i = (i + 7) / 8;
+if (i < needed_len)
+  needed_len = i;
+
+#ifdef EXIM_HAVE_RAND_PSEUDO
+/* We do not care if crypto-strong */
+i = RAND_pseudo_bytes(smallbuf, needed_len);
+#else
+i = RAND_bytes(smallbuf, needed_len);
+#endif
+
+if (i < 0)
+  {
+  DEBUG(D_all)
+    debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
+  return vaguely_random_number_fallback(max);
+  }
+
+r = 0;
+for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
+  r = 256 * r + *p;
+
+/* We don't particularly care about weighted results; if someone wants
+smooth distribution and cares enough then they should submit a patch then. */
+return r % max;
+}
+
+
+
+
+/*************************************************
+*        OpenSSL option parse                    *
+*************************************************/
+
+/* Parse one option for tls_openssl_options_parse below
+
+Arguments:
+  name    one option name
+  value   place to store a value for it
+Returns   success or failure in parsing
+*/
+
+
+
+static BOOL
+tls_openssl_one_option_parse(uschar *name, long *value)
+{
+int first = 0;
+int last = exim_openssl_options_size;
+while (last > first)
+  {
+  int middle = (first + last)/2;
+  int c = Ustrcmp(name, exim_openssl_options[middle].name);
+  if (c == 0)
+    {
+    *value = exim_openssl_options[middle].value;
+    return TRUE;
+    }
+  else if (c > 0)
+    first = middle + 1;
+  else
+    last = middle;
+  }
+return FALSE;
+}
+
+
+
+
+/*************************************************
+*        OpenSSL option parsing logic            *
+*************************************************/
+
+/* OpenSSL has a number of compatibility options which an administrator might
+reasonably wish to set.  Interpret a list similarly to decode_bits(), so that
+we look like log_selector.
+
+Arguments:
+  option_spec  the administrator-supplied string of options
+  results      ptr to long storage for the options bitmap
+Returns        success or failure
+*/
+
+BOOL
+tls_openssl_options_parse(uschar *option_spec, long *results)
+{
+long result, item;
+uschar * exp, * end;
+BOOL adding, item_parsed;
+
+/* Server: send no (<= TLS1.2) session tickets */
+result = SSL_OP_NO_TICKET;
+
+/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
+from default because it increases BEAST susceptibility. */
+#ifdef SSL_OP_NO_SSLv2
+result |= SSL_OP_NO_SSLv2;
+#endif
+#ifdef SSL_OP_NO_SSLv3
+result |= SSL_OP_NO_SSLv3;
+#endif
+#ifdef SSL_OP_SINGLE_DH_USE
+result |= SSL_OP_SINGLE_DH_USE;
+#endif
+#ifdef SSL_OP_NO_RENEGOTIATION
+result |= SSL_OP_NO_RENEGOTIATION;
+#endif
+
+if (!option_spec)
+  {
+  *results = result;
+  return TRUE;
+  }
+
+if (!expand_check(option_spec, US"openssl_options", &exp, &end))
+  return FALSE;
+
+for (uschar * s = exp; *s; /**/)
+  {
+  while (isspace(*s)) ++s;
+  if (*s == '\0')
+    break;
+  if (*s != '+' && *s != '-')
+    {
+    DEBUG(D_tls) debug_printf("malformed openssl option setting: "
+        "+ or - expected but found \"%s\"\n", s);
+    return FALSE;
+    }
+  adding = *s++ == '+';
+  for (end = s; *end && !isspace(*end); ) end++;
+  item_parsed = tls_openssl_one_option_parse(string_copyn(s, end-s), &item);
+  if (!item_parsed)
+    {
+    DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
+    return FALSE;
+    }
+  DEBUG(D_tls) debug_printf("openssl option, %s %08lx: %08lx (%s)\n",
+      adding ? "adding to    " : "removing from", result, item, s);
+  if (adding)
+    result |= item;
+  else
+    result &= ~item;
+  s = end;
+  }
+
+*results = result;
+return TRUE;
+}
+
+#endif	/*!MACRO_PREDEF*/
+/* vi: aw ai sw=2
+*/
+/* End of tls-openssl.c */
diff --git a/src/tls.c b/src/tls.c
new file mode 100644
index 0000000..3ed37bb
--- /dev/null
+++ b/src/tls.c
@@ -0,0 +1,843 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is
+based on a patch that was originally contributed by Steve Haslam. It was
+adapted from stunnel, a GPL program by Michal Trojnara. The code for GNU TLS is
+based on a patch contributed by Nikos Mavrogiannopoulos. Because these packages
+are so very different, the functions for each are kept in separate files. The
+relevant file is #included as required, after any any common functions.
+
+No cryptographic code is included in Exim. All this module does is to call
+functions from the OpenSSL or GNU TLS libraries. */
+
+
+#include "exim.h"
+#include "transports/smtp.h"
+
+#if !defined(DISABLE_TLS) && !defined(USE_OPENSSL) && !defined(USE_GNUTLS)
+# error One of USE_OPENSSL or USE_GNUTLS must be defined for a TLS build
+#endif
+
+
+/* Forward decl. */
+static void tls_client_resmption_key(tls_support *, smtp_connect_args *,
+  smtp_transport_options_block *);
+
+
+#if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)
+# include "macro_predef.h"
+# ifdef USE_GNUTLS
+#  include "tls-gnu.c"
+# else
+#  include "tls-openssl.c"
+# endif
+#endif
+
+#ifndef MACRO_PREDEF
+
+static void tls_per_lib_daemon_init(void);
+static void tls_per_lib_daemon_tick(void);
+static unsigned  tls_server_creds_init(void);
+static void tls_server_creds_invalidate(void);
+static void tls_client_creds_init(transport_instance *, BOOL);
+static void tls_client_creds_invalidate(transport_instance *);
+static void tls_daemon_creds_reload(void);
+static BOOL opt_set_and_noexpand(const uschar *);
+static BOOL opt_unset_or_noexpand(const uschar *);
+
+
+
+/* This module is compiled only when it is specifically requested in the
+build-time configuration. However, some compilers don't like compiling empty
+modules, so keep them happy with a dummy when skipping the rest. Make it
+reference itself to stop picky compilers complaining that it is unused, and put
+in a dummy argument to stop even pickier compilers complaining about infinite
+loops. */
+
+#ifdef DISABLE_TLS
+static void dummy(int x) { dummy(x-1); }
+#else	/* most of the rest of the file */
+
+const exim_tlslib_state	null_tls_preload = {0};
+
+/* Static variables that are used for buffering data by both sets of
+functions and the common functions below.
+
+We're moving away from this; GnuTLS is already using a state, which
+can switch, so we can do TLS callouts during ACLs. */
+
+static const int ssl_xfer_buffer_size = 4096;
+#ifdef USE_OPENSSL
+static uschar *ssl_xfer_buffer = NULL;
+static int ssl_xfer_buffer_lwm = 0;
+static int ssl_xfer_buffer_hwm = 0;
+static int ssl_xfer_eof = FALSE;
+static BOOL ssl_xfer_error = FALSE;
+#endif
+
+#ifdef EXIM_HAVE_KEVENT
+# define KEV_SIZE 16	/* Eight file,dir pairs */
+static struct kevent kev[KEV_SIZE];
+static int kev_used = 0;
+#endif
+
+static unsigned tls_creds_expire = 0;
+
+/*************************************************
+*       Expand string; give error on failure     *
+*************************************************/
+
+/* If expansion is forced to fail, set the result NULL and return TRUE.
+Other failures return FALSE. For a server, an SMTP response is given.
+
+Arguments:
+  s         the string to expand; if NULL just return TRUE
+  name      name of string being expanded (for error)
+  result    where to put the result
+
+Returns:    TRUE if OK; result may still be NULL after forced failure
+*/
+
+static BOOL
+expand_check(const uschar *s, const uschar *name, uschar **result, uschar ** errstr)
+{
+if (!s)
+  *result = NULL;
+else if (  !(*result = expand_string(US s)) /* need to clean up const more */
+	&& !f.expand_string_forcedfail
+	)
+  {
+  *errstr = US"Internal error";
+  log_write(0, LOG_MAIN|LOG_PANIC, "expansion of %s failed: %s", name,
+    expand_string_message);
+  return FALSE;
+  }
+return TRUE;
+}
+
+
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+/* Add the directory for a filename to the inotify handle, creating that if
+needed.  This is enough to see changes to files in that dir.
+Return boolean success.
+
+The word "system" fails, which is on the safe side as we don't know what
+directory it implies nor if the TLS library handles a watch for us.
+
+The string "system,cache" is recognised and explicitly accepted without
+setting a watch.  This permits the system CA bundle to be cached even though
+we have no way to tell when it gets modified by an update.
+The call chain for OpenSSL uses a (undocumented) call into the library
+to discover the actual file.  We don't know what GnuTLS uses.
+
+A full set of caching including the CAs takes 35ms output off of the
+server tls_init() (GnuTLS, Fedora 32, 2018-class x86_64 laptop hardware).
+*/
+static BOOL
+tls_set_one_watch(const uschar * filename)
+# ifdef EXIM_HAVE_INOTIFY
+{
+uschar * s;
+
+if (Ustrcmp(filename, "system,cache") == 0) return TRUE;
+
+if (!(s = Ustrrchr(filename, '/'))) return FALSE;
+s = string_copyn(filename, s - filename);	/* mem released by tls_set_watch */
+DEBUG(D_tls) debug_printf("watch dir '%s'\n", s);
+
+/*XXX unclear what effect symlinked files will have for inotify */
+
+if (inotify_add_watch(tls_watch_fd, CCS s,
+      IN_ONESHOT | IN_CLOSE_WRITE | IN_DELETE | IN_DELETE_SELF
+      | IN_MOVED_FROM | IN_MOVED_TO | IN_MOVE_SELF) >= 0)
+  return TRUE;
+DEBUG(D_tls) debug_printf("notify_add_watch: %s\n", strerror(errno));
+return FALSE;
+}
+# endif
+# ifdef EXIM_HAVE_KEVENT
+{
+uschar * s, * t;
+int fd1, fd2, i, j, cnt = 0;
+struct stat sb;
+#ifdef OpenBSD
+struct kevent k_dummy;
+struct timespec ts = {0};
+#endif
+
+errno = 0;
+if (Ustrcmp(filename, "system,cache") == 0) return TRUE;
+
+for (;;)
+  {
+  if (kev_used > KEV_SIZE-2) { s = US"out of kev space"; goto bad; }
+  if (!(s = Ustrrchr(filename, '/'))) return FALSE;
+  s = string_copyn(filename, s - filename);	/* mem released by tls_set_watch */
+
+  /* The dir open will fail if there is a symlink on the path. Fine; it's too
+  much effort to handle all possible cases; just refuse the preload. */
+
+  if ((fd2 = open(CCS s, O_RDONLY | O_NOFOLLOW)) < 0) { s = US"open dir"; goto bad; }
+
+  if ((lstat(CCS filename, &sb)) < 0) { s = US"lstat"; goto bad; }
+  if (!S_ISLNK(sb.st_mode))
+    {
+    if ((fd1 = open(CCS filename, O_RDONLY | O_NOFOLLOW)) < 0)
+      { s = US"open file"; goto bad; }
+    DEBUG(D_tls) debug_printf("watch file '%s':\t%d\n", filename, fd1);
+    EV_SET(&kev[kev_used++],
+	(uintptr_t)fd1,
+	EVFILT_VNODE,
+	EV_ADD | EV_ENABLE | EV_ONESHOT,
+	NOTE_DELETE | NOTE_WRITE | NOTE_EXTEND
+	| NOTE_ATTRIB | NOTE_RENAME | NOTE_REVOKE,
+	0,
+	NULL);
+    cnt++;
+    }
+  DEBUG(D_tls) debug_printf("watch dir  '%s':\t%d\n", s, fd2);
+  EV_SET(&kev[kev_used++],
+	(uintptr_t)fd2,
+	EVFILT_VNODE,
+	EV_ADD | EV_ENABLE | EV_ONESHOT,
+	NOTE_DELETE | NOTE_WRITE | NOTE_EXTEND
+	| NOTE_ATTRIB | NOTE_RENAME | NOTE_REVOKE,
+	0,
+	NULL);
+  cnt++;
+
+  if (!(S_ISLNK(sb.st_mode))) break;
+
+  t = store_get(1024, GET_UNTAINTED);
+  Ustrncpy(t, s, 1022);
+  j = Ustrlen(s);
+  t[j++] = '/';
+  if ((i = readlink(CCS filename, (void *)(t+j), 1023-j)) < 0) { s = US"readlink"; goto bad; }
+  filename = t;
+  *(t += i+j) = '\0';
+  store_release_above(t+1);
+  }
+
+#ifdef OpenBSD
+if (kevent(tls_watch_fd, &kev[kev_used-cnt], cnt, &k_dummy, 1, &ts) >= 0)
+  return TRUE;
+#else
+if (kevent(tls_watch_fd, &kev[kev_used-cnt], cnt, NULL, 0, NULL) >= 0)
+  return TRUE;
+#endif
+s = US"kevent";
+
+bad:
+DEBUG(D_tls)
+  if (errno)
+    debug_printf("%s: %s: %s\n", __FUNCTION__, s, strerror(errno));
+  else
+    debug_printf("%s: %s\n", __FUNCTION__, s);
+return FALSE;
+}
+# endif	/*EXIM_HAVE_KEVENT*/
+
+
+/* Create an inotify facility if needed.
+Then set watches on the dir containing the given file or (optionally)
+list of files.  Return boolean success. */
+
+static BOOL
+tls_set_watch(const uschar * filename, BOOL list)
+{
+rmark r;
+BOOL rc = FALSE;
+
+if (!filename || !*filename) return TRUE;
+if (Ustrncmp(filename, "system", 6) == 0) return TRUE;
+
+DEBUG(D_tls) debug_printf("tls_set_watch: '%s'\n", filename);
+
+if (  tls_watch_fd < 0
+# ifdef EXIM_HAVE_INOTIFY
+   && (tls_watch_fd = inotify_init1(O_CLOEXEC)) < 0
+# endif
+# ifdef EXIM_HAVE_KEVENT
+   && (tls_watch_fd = kqueue()) < 0
+# endif
+   )
+    {
+    DEBUG(D_tls) debug_printf("inotify_init: %s\n", strerror(errno));
+    return FALSE;
+    }
+
+r = store_mark();
+
+if (list)
+  {
+  int sep = 0;
+  for (uschar * s; s = string_nextinlist(&filename, &sep, NULL, 0); )
+    if (!(rc = tls_set_one_watch(s))) break;
+  }
+else
+  rc = tls_set_one_watch(filename);
+
+store_reset(r);
+if (!rc) DEBUG(D_tls) debug_printf("tls_set_watch() fail on '%s': %s\n", filename, strerror(errno));
+return rc;
+}
+
+
+void
+tls_watch_discard_event(int fd)
+{
+#ifdef EXIM_HAVE_INOTIFY
+(void) read(fd, big_buffer, big_buffer_size);
+#endif
+#ifdef EXIM_HAVE_KEVENT
+struct kevent kev;
+struct timespec t = {0};
+(void) kevent(fd, NULL, 0, &kev, 1, &t);
+#endif
+}
+#endif	/*EXIM_HAVE_INOTIFY*/
+
+
+void
+tls_client_creds_reload(BOOL watch)
+{
+for(transport_instance * t = transports; t; t = t->next)
+  if (Ustrcmp(t->driver_name, "smtp") == 0)
+    {
+    tls_client_creds_invalidate(t);
+    tls_client_creds_init(t, watch);
+    }
+}
+
+
+void
+tls_watch_invalidate(void)
+{
+if (tls_watch_fd < 0) return;
+
+#ifdef EXIM_HAVE_KEVENT
+/* Close the files we had open for kevent */
+for (int i = 0; i < kev_used; i++)
+  {
+  DEBUG(D_tls) debug_printf("closing watch fd: %d\n", (int) kev[i].ident);
+  (void) close((int) kev[i].ident);
+  kev[i].ident = (uintptr_t)-1;
+  }
+kev_used = 0;
+#endif
+
+close(tls_watch_fd);
+tls_watch_fd = -1;
+}
+
+
+static void
+tls_daemon_creds_reload(void)
+{
+unsigned lifetime;
+
+#ifdef EXIM_HAVE_KEVENT
+tls_watch_invalidate();
+#endif
+
+tls_server_creds_invalidate();
+tls_creds_expire = (lifetime = tls_server_creds_init())
+  ? time(NULL) + lifetime : 0;
+
+tls_client_creds_reload(TRUE);
+}
+
+
+/* Utility predicates for use by the per-library code */
+static BOOL
+opt_set_and_noexpand(const uschar * opt)
+{ return opt && *opt && Ustrchr(opt, '$') == NULL; }
+
+static BOOL
+opt_unset_or_noexpand(const uschar * opt)
+{ return !opt || Ustrchr(opt, '$') == NULL; }
+
+
+
+/* Called every time round the daemon loop.
+
+If we reloaded fd-watcher, return the old watch fd
+having modified the global for the new one. Otherwise
+return -1.
+*/
+
+int
+tls_daemon_tick(void)
+{
+int old_watch_fd = tls_watch_fd;
+
+tls_per_lib_daemon_tick();
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+if (tls_creds_expire && time(NULL) >= tls_creds_expire)
+  {
+  /* The server cert is a selfsign, with limited lifetime.  Dump it and
+  generate a new one.  Reload the rest of the creds also as the machinery
+  is all there. */
+
+  DEBUG(D_tls) debug_printf("selfsign cert rotate\n");
+  tls_creds_expire = 0;
+  tls_daemon_creds_reload();
+  return old_watch_fd;
+  }
+else if (tls_watch_trigger_time && time(NULL) >= tls_watch_trigger_time + 5)
+  {
+  /* Called, after a delay for multiple file ops to get done, from
+  the daemon when any of the watches added (above) fire.
+  Dump the set of watches and arrange to reload cached creds (which
+  will set up new watches). */
+
+  DEBUG(D_tls) debug_printf("watch triggered\n");
+  tls_watch_trigger_time = tls_creds_expire = 0;
+  tls_daemon_creds_reload();
+  return old_watch_fd;
+  }
+#endif
+return -1;
+}
+
+/* Called once at daemon startup */
+
+void
+tls_daemon_init(void)
+{
+tls_per_lib_daemon_init();
+}
+
+
+/*************************************************
+*        Timezone environment flipping           *
+*************************************************/
+
+static uschar *
+to_tz(uschar * tz)
+{
+uschar * old = US getenv("TZ");
+(void) setenv("TZ", CCS tz, 1);
+tzset();
+return old;
+}
+
+static void
+restore_tz(uschar * tz)
+{
+if (tz)
+  (void) setenv("TZ", CCS tz, 1);
+else
+  (void) os_unsetenv(US"TZ");
+tzset();
+}
+
+/*************************************************
+*        Many functions are package-specific     *
+*************************************************/
+
+#ifdef USE_GNUTLS
+# include "tls-gnu.c"
+# include "tlscert-gnu.c"
+# define ssl_xfer_buffer (state_server.xfer_buffer)
+# define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
+# define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
+# define ssl_xfer_eof (state_server.xfer_eof)
+# define ssl_xfer_error (state_server.xfer_error)
+#endif
+
+#ifdef USE_OPENSSL
+# include "tls-openssl.c"
+# include "tlscert-openssl.c"
+#endif
+
+
+
+/*************************************************
+*           TLS version of ungetc                *
+*************************************************/
+
+/* Puts a character back in the input buffer. Only ever
+called once.
+Only used by the server-side TLS.
+
+Arguments:
+  ch           the character
+
+Returns:       the character
+*/
+
+int
+tls_ungetc(int ch)
+{
+if (ssl_xfer_buffer_lwm <= 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in tls_ungetc");
+
+ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
+return ch;
+}
+
+
+
+/*************************************************
+*           TLS version of feof                  *
+*************************************************/
+
+/* Tests for a previous EOF
+Only used by the server-side TLS.
+
+Arguments:     none
+Returns:       non-zero if the eof flag is set
+*/
+
+int
+tls_feof(void)
+{
+return (int)ssl_xfer_eof;
+}
+
+
+
+/*************************************************
+*              TLS version of ferror             *
+*************************************************/
+
+/* Tests for a previous read error, and returns with errno
+restored to what it was when the error was detected.
+Only used by the server-side TLS.
+
+>>>>> Hmm. Errno not handled yet. Where do we get it from?  >>>>>
+
+Arguments:     none
+Returns:       non-zero if the error flag is set
+*/
+
+int
+tls_ferror(void)
+{
+return (int)ssl_xfer_error;
+}
+
+
+/*************************************************
+*           TLS version of smtp_buffered         *
+*************************************************/
+
+/* Tests for unused chars in the TLS input buffer.
+Only used by the server-side TLS.
+
+Arguments:     none
+Returns:       TRUE/FALSE
+*/
+
+BOOL
+tls_smtp_buffered(void)
+{
+return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
+}
+
+
+#endif  /*DISABLE_TLS*/
+
+void
+tls_modify_variables(tls_support * dest_tsp)
+{
+modify_variable(US"tls_bits",                 &dest_tsp->bits);
+modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
+modify_variable(US"tls_cipher",               &dest_tsp->cipher);
+modify_variable(US"tls_peerdn",               &dest_tsp->peerdn);
+#ifdef USE_OPENSSL
+modify_variable(US"tls_sni",                  &dest_tsp->sni);
+#endif
+}
+
+
+#ifndef DISABLE_TLS
+/************************************************
+*	TLS certificate name operations         *
+************************************************/
+
+/* Convert an rfc4514 DN to an exim comma-sep list.
+Backslashed commas need to be replaced by doublecomma
+for Exim's list quoting.  We modify the given string
+inplace.
+*/
+
+static void
+dn_to_list(uschar * dn)
+{
+for (uschar * cp = dn; *cp; cp++)
+  if (cp[0] == '\\' && cp[1] == ',')
+    *cp++ = ',';
+}
+
+
+/* Extract fields of a given type from an RFC4514-
+format Distinguished Name.  Return an Exim list.
+NOTE: We modify the supplied dn string during operation.
+
+Arguments:
+	dn	Distinguished Name string
+	mod	list containing optional output list-sep and
+		field selector match, comma-separated
+Return:
+	allocated string with list of matching fields,
+	field type stripped
+*/
+
+uschar *
+tls_field_from_dn(uschar * dn, const uschar * mod)
+{
+int insep = ',';
+uschar outsep = '\n';
+uschar * ele;
+uschar * match = NULL;
+int len;
+gstring * list = NULL;
+
+while ((ele = string_nextinlist(&mod, &insep, NULL, 0)))
+  if (ele[0] != '>')
+    match = ele;	/* field tag to match */
+  else if (ele[1])
+    outsep = ele[1];	/* nondefault output separator */
+
+dn_to_list(dn);
+insep = ',';
+len = match ? Ustrlen(match) : -1;
+while ((ele = string_nextinlist(CUSS &dn, &insep, NULL, 0)))
+  if (  !match
+     || Ustrncmp(ele, match, len) == 0 && ele[len] == '='
+     )
+    list = string_append_listele(list, outsep, ele+len+1);
+return string_from_gstring(list);
+}
+
+
+/* Compare a domain name with a possibly-wildcarded name. Wildcards
+are restricted to a single one, as the first element of patterns
+having at least three dot-separated elements.  Case-independent.
+Return TRUE for a match
+*/
+static BOOL
+is_name_match(const uschar * name, const uschar * pat)
+{
+uschar * cp;
+return *pat == '*'		/* possible wildcard match */
+  ?    *++pat == '.'		/* starts star, dot              */
+    && !Ustrchr(++pat, '*')	/* has no more stars             */
+    && Ustrchr(pat, '.')	/* and has another dot.          */
+    && (cp = Ustrchr(name, '.'))/* The name has at least one dot */
+    && strcmpic(++cp, pat) == 0 /* and we only compare after it. */
+  :    !Ustrchr(pat+1, '*')
+    && strcmpic(name, pat) == 0;
+}
+
+/* Compare a list of names with the dnsname elements
+of the Subject Alternate Name, if any, and the
+Subject otherwise.
+
+Arguments:
+	namelist names to compare
+	cert	 certificate
+
+Returns:
+	TRUE/FALSE
+*/
+
+BOOL
+tls_is_name_for_cert(const uschar * namelist, void * cert)
+{
+uschar * altnames = tls_cert_subject_altname(cert, US"dns");
+uschar * subjdn;
+uschar * certname;
+int cmp_sep = 0;
+uschar * cmpname;
+
+if ((altnames = tls_cert_subject_altname(cert, US"dns")))
+  {
+  int alt_sep = '\n';
+  while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
+    {
+    const uschar * an = altnames;
+    while ((certname = string_nextinlist(&an, &alt_sep, NULL, 0)))
+      if (is_name_match(cmpname, certname))
+	return TRUE;
+    }
+  }
+
+else if ((subjdn = tls_cert_subject(cert, NULL)))
+  {
+  int sn_sep = ',';
+
+  dn_to_list(subjdn);
+  while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
+    {
+    const uschar * sn = subjdn;
+    while ((certname = string_nextinlist(&sn, &sn_sep, NULL, 0)))
+      if (  *certname++ == 'C'
+	 && *certname++ == 'N'
+	 && *certname++ == '='
+	 && is_name_match(cmpname, certname)
+	 )
+	return TRUE;
+    }
+  }
+return FALSE;
+}
+
+/* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment
+and writes a file by that name.  Our OpenSSL code does the same, using keying
+info from the library API.
+The GnuTLS support only works if exim is run by root, not taking advantage of
+the setuid bit.
+You can use either the external environment (modulo the keep_environment config)
+or the add_environment config option for SSLKEYLOGFILE; the latter takes
+precedence.
+
+If the path is absolute, require it starts with the spooldir; otherwise delete
+the env variable.  If relative, prefix the spooldir.
+*/
+void
+tls_clean_env(void)
+{
+uschar * path = US getenv("SSLKEYLOGFILE");
+if (path)
+  if (!*path)
+    unsetenv("SSLKEYLOGFILE");
+  else if (*path != '/')
+    {
+    DEBUG(D_tls)
+      debug_printf("prepending spooldir to  env SSLKEYLOGFILE\n");
+    setenv("SSLKEYLOGFILE", CCS string_sprintf("%s/%s", spool_directory, path), 1);
+    }
+  else if (Ustrncmp(path, spool_directory, Ustrlen(spool_directory)) != 0)
+    {
+    DEBUG(D_tls)
+      debug_printf("removing env SSLKEYLOGFILE=%s: not under spooldir\n", path);
+    unsetenv("SSLKEYLOGFILE");
+    }
+}
+
+/*************************************************
+*       Drop privs for checking TLS config      *
+*************************************************/
+
+/* We want to validate TLS options during readconf, but do not want to be
+root when we call into the TLS library, in case of library linkage errors
+which cause segfaults; before this check, those were always done as the Exim
+runtime user and it makes sense to continue with that.
+
+Assumes:  tls_require_ciphers has been set, if it will be
+          exim_user has been set, if it will be
+          exim_group has been set, if it will be
+
+Returns:  bool for "okay"; false will cause caller to immediately exit.
+*/
+
+BOOL
+tls_dropprivs_validate_require_cipher(BOOL nowarn)
+{
+const uschar *errmsg;
+pid_t pid;
+int rc, status;
+void (*oldsignal)(int);
+
+/* If TLS will never be used, no point checking ciphers */
+
+if (  !tls_advertise_hosts
+   || !*tls_advertise_hosts
+   || Ustrcmp(tls_advertise_hosts, ":") == 0
+   )
+  return TRUE;
+else if (!nowarn && !tls_certificate)
+  log_write(0, LOG_MAIN,
+    "Warning: No server certificate defined; will use a selfsigned one.\n"
+    " Suggested action: either install a certificate or change tls_advertise_hosts option");
+
+oldsignal = signal(SIGCHLD, SIG_DFL);
+
+fflush(NULL);
+if ((pid = exim_fork(US"cipher-validate")) < 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for TLS check");
+
+if (pid == 0)
+  {
+  /* in some modes, will have dropped privilege already */
+  if (!geteuid())
+    exim_setugid(exim_uid, exim_gid, FALSE,
+        US"calling tls_validate_require_cipher");
+
+  if ((errmsg = tls_validate_require_cipher()))
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+        "tls_require_ciphers invalid: %s", errmsg);
+  fflush(NULL);
+  exim_underbar_exit(EXIT_SUCCESS);
+  }
+
+do {
+  rc = waitpid(pid, &status, 0);
+} while (rc < 0 && errno == EINTR);
+
+DEBUG(D_tls)
+  debug_printf("tls_validate_require_cipher child %d ended: status=0x%x\n",
+      (int)pid, status);
+
+signal(SIGCHLD, oldsignal);
+
+return status == 0;
+}
+
+
+
+
+static void
+tls_client_resmption_key(tls_support * tlsp, smtp_connect_args * conn_args,
+  smtp_transport_options_block * ob)
+{
+#ifndef DISABLE_TLS_RESUME
+hctx * h = &tlsp->resume_hctx;
+blob b;
+gstring * g;
+
+DEBUG(D_tls) if (conn_args->host_lbserver)
+  debug_printf("TLS: lbserver '%s'\n", conn_args->host_lbserver);
+
+# ifdef EXIM_HAVE_SHA2
+exim_sha_init(h, HASH_SHA2_256);
+# else
+exim_sha_init(h, HASH_SHA1);
+# endif
+exim_sha_update_string(h, conn_args->host_lbserver);
+# ifdef SUPPORT_DANE
+if (conn_args->dane)
+  exim_sha_update(h,  CUS &conn_args->tlsa_dnsa, sizeof(dns_answer));
+# endif
+exim_sha_update_string(h, conn_args->host->address);
+exim_sha_update(h,   CUS &conn_args->host->port, sizeof(conn_args->host->port));
+exim_sha_update_string(h, conn_args->sending_ip_address);
+exim_sha_update_string(h, openssl_options);
+exim_sha_update_string(h, ob->tls_require_ciphers);
+exim_sha_update_string(h, tlsp->sni);
+# ifdef EXIM_HAVE_ALPN
+exim_sha_update_string(h, ob->tls_alpn);
+# endif
+exim_sha_finish(h, &b);
+for (g = string_get(b.len*2+1); b.len-- > 0; )
+  g = string_fmt_append(g, "%02x", *b.data++);
+tlsp->resume_index = string_from_gstring(g);
+DEBUG(D_tls) debug_printf("TLS: resume session index %s\n", tlsp->resume_index);
+#endif
+}
+
+#endif	/*!DISABLE_TLS*/
+#endif	/*!MACRO_PREDEF*/
+
+/* vi: aw ai sw=2
+*/
+/* End of tls.c */
diff --git a/src/tlscert-gnu.c b/src/tlscert-gnu.c
new file mode 100644
index 0000000..a40bb30
--- /dev/null
+++ b/src/tlscert-gnu.c
@@ -0,0 +1,482 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) Jeremy Harris 2014 - 2018 */
+
+/* This file provides TLS/SSL support for Exim using the GnuTLS library,
+one of the available supported implementations.  This file is #included into
+tls.c when USE_GNUTLS has been set.
+*/
+
+#include <gnutls/gnutls.h>
+/* needed for cert checks in verification and DN extraction: */
+#include <gnutls/x509.h>
+/* needed to disable PKCS11 autoload unless requested */
+#if GNUTLS_VERSION_NUMBER >= 0x020c00
+# include <gnutls/pkcs11.h>
+#endif
+
+
+/*****************************************************
+*  Export/import a certificate, binary/printable
+******************************************************
+Return: boolean success
+*/
+
+BOOL
+tls_export_cert(uschar * buf, size_t buflen, void * cert)
+{
+size_t sz = buflen;
+rmark reset_point = store_mark();
+BOOL fail;
+const uschar * cp;
+
+if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
+    GNUTLS_X509_FMT_PEM, buf, &sz)))
+  {
+  log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
+    gnutls_strerror(fail));
+  return FALSE;
+  }
+if ((cp = string_printing(buf)) != buf)
+  {
+  Ustrncpy(buf, cp, buflen);
+  if (buf[buflen-1])
+    fail = 1;
+  }
+store_reset(reset_point);
+return !fail;
+}
+
+/* On error, NULL out the destination */
+BOOL
+tls_import_cert(const uschar * buf, void ** cert)
+{
+rmark reset_point = store_mark();
+gnutls_datum_t datum;
+gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;
+int rc;
+
+if (crt)
+  gnutls_x509_crt_deinit(crt);
+else
+  gnutls_global_init();
+
+gnutls_x509_crt_init(&crt);
+
+datum.data = string_unprinting(US buf);
+datum.size = Ustrlen(datum.data);
+if ((rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM)))
+  {
+  log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
+    gnutls_strerror(rc));
+  crt = NULL;
+  }
+*cert = (void *)crt;
+store_reset(reset_point);
+return rc != 0;
+}
+
+void
+tls_free_cert(void ** cert)
+{
+gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;
+if (crt)
+  {
+  gnutls_x509_crt_deinit(crt);
+  gnutls_global_deinit();
+  *cert = NULL;
+  }
+}
+
+/*****************************************************
+*  Certificate field extraction routines
+*****************************************************/
+
+/* First, some internal service functions */
+
+static uschar *
+g_err(const char * tag, const char * from, int gnutls_err)
+{
+expand_string_message = string_sprintf("%s: %s fail: %s\n",
+  from, tag, gnutls_strerror(gnutls_err));
+return NULL;
+}
+
+
+static uschar *
+time_copy(time_t t, uschar * mod)
+{
+uschar * cp;
+size_t len = 32;
+
+if (mod && Ustrcmp(mod, "int") == 0)
+  return string_sprintf("%u", (unsigned)t);
+
+cp = store_get(len, GET_UNTAINTED);
+if (f.timestamps_utc)
+  {
+  uschar * tz = to_tz(US"GMT0");
+  len = strftime(CS cp, len, "%b %e %T %Y %Z", gmtime(&t));
+  restore_tz(tz);
+  }
+else
+  len = strftime(CS cp, len, "%b %e %T %Y %Z", localtime(&t));
+return len > 0 ? cp : NULL;
+}
+
+
+/**/
+/* Now the extractors, called from expand.c
+Arguments:
+  cert		The certificate
+  mod		Optional modifiers for the operator
+
+Return:
+  Allocated string with extracted value
+*/
+
+uschar *
+tls_cert_issuer(void * cert, uschar * mod)
+{
+uschar * cp = NULL;
+int ret;
+size_t siz = 0;
+
+if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz))
+    != GNUTLS_E_SHORT_MEMORY_BUFFER)
+  return g_err("gi0", __FUNCTION__, ret);
+
+cp = store_get(siz, GET_TAINTED);
+if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz)) < 0)
+  return g_err("gi1", __FUNCTION__, ret);
+
+return mod ? tls_field_from_dn(cp, mod) : cp;
+}
+
+uschar *
+tls_cert_not_after(void * cert, uschar * mod)
+{
+return time_copy(
+  gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert),
+  mod);
+}
+
+uschar *
+tls_cert_not_before(void * cert, uschar * mod)
+{
+return time_copy(
+  gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert),
+  mod);
+}
+
+uschar *
+tls_cert_serial_number(void * cert, uschar * mod)
+{
+uschar bin[50], txt[150];
+uschar * sp = bin;
+size_t sz = sizeof(bin);
+int ret;
+
+if ((ret = gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
+    bin, &sz)))
+  return g_err("gs0", __FUNCTION__, ret);
+
+for(uschar * dp = txt; sz; sz--)
+  dp += sprintf(CS dp, "%.2x", *sp++);
+for(sp = txt; sp[0]=='0' && sp[1]; ) sp++;	/* leading zeroes */
+return string_copy(sp);
+}
+
+uschar *
+tls_cert_signature(void * cert, uschar * mod)
+{
+uschar * cp1 = NULL;
+uschar * cp2;
+uschar * cp3;
+size_t len = 0;
+int ret;
+
+if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len))
+    != GNUTLS_E_SHORT_MEMORY_BUFFER)
+  return g_err("gs0", __FUNCTION__, ret);
+
+cp1 = store_get(len*4+1, GET_TAINTED);
+if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len) != 0)
+  return g_err("gs1", __FUNCTION__, ret);
+
+for(cp3 = cp2 = cp1+len; cp1 < cp2; cp1++)
+  cp3 += sprintf(CS cp3, "%.2x ", *cp1);
+cp3[-1]= '\0';
+
+return cp2;
+}
+
+uschar *
+tls_cert_signature_algorithm(void * cert, uschar * mod)
+{
+gnutls_sign_algorithm_t algo =
+  gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert);
+return algo < 0 ? NULL : string_copy(US gnutls_sign_get_name(algo));
+}
+
+uschar *
+tls_cert_subject(void * cert, uschar * mod)
+{
+uschar * cp = NULL;
+int ret;
+size_t siz = 0;
+
+if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz))
+    != GNUTLS_E_SHORT_MEMORY_BUFFER)
+  return g_err("gs0", __FUNCTION__, ret);
+
+cp = store_get(siz, GET_TAINTED);
+if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz)) < 0)
+  return g_err("gs1", __FUNCTION__, ret);
+
+return mod ? tls_field_from_dn(cp, mod) : cp;
+}
+
+uschar *
+tls_cert_version(void * cert, uschar * mod)
+{
+return string_sprintf("%d", gnutls_x509_crt_get_version(cert));
+}
+
+uschar *
+tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
+{
+uschar * cp1 = NULL;
+uschar * cp2;
+uschar * cp3;
+size_t siz = 0;
+unsigned int crit;
+int ret;
+
+ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
+  CS oid, idx, CS cp1, &siz, &crit);
+if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
+  return g_err("ge0", __FUNCTION__, ret);
+
+cp1 = store_get(siz*4 + 1, GET_TAINTED);
+
+ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
+  CS oid, idx, CS cp1, &siz, &crit);
+if (ret < 0)
+  return g_err("ge1", __FUNCTION__, ret);
+
+/* binary data, DER encoded */
+
+/* just dump for now */
+for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp1++)
+  cp3 += sprintf(CS cp3, "%.2x ", *cp1);
+cp3[-1]= '\0';
+
+return cp2;
+}
+
+uschar *
+tls_cert_subject_altname(void * cert, uschar * mod)
+{
+gstring * list = NULL;
+size_t siz;
+int ret;
+uschar sep = '\n';
+uschar * tag = US"";
+uschar * ele;
+int match = -1;
+
+if (mod) while (*mod)
+  {
+  if (*mod == '>' && *++mod) sep = *mod++;
+  else if (Ustrncmp(mod, "dns", 3)==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; }
+  else if (Ustrncmp(mod, "uri", 3)==0) { match = GNUTLS_SAN_URI; mod += 3; }
+  else if (Ustrncmp(mod, "mail", 4)==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; }
+  else break;
+
+  if (*mod++ != ',')
+    break;
+  }
+
+for (int index = 0;; index++)
+  {
+  siz = 0;
+  switch(ret = gnutls_x509_crt_get_subject_alt_name(
+      (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL))
+    {
+    case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
+      return string_from_gstring(list);	/* no more elements; normal exit */
+
+    case GNUTLS_E_SHORT_MEMORY_BUFFER:
+      break;
+
+    default:
+      return g_err("gs0", __FUNCTION__, ret);
+    }
+
+  ele = store_get(siz+1, GET_TAINTED);
+  if ((ret = gnutls_x509_crt_get_subject_alt_name(
+    (gnutls_x509_crt_t)cert, index, ele, &siz, NULL)) < 0)
+    return g_err("gs1", __FUNCTION__, ret);
+  ele[siz] = '\0';
+
+  if (  match != -1 && match != ret	/* wrong type of SAN */
+     || Ustrlen(ele) != siz)		/* contains a NUL */
+    continue;
+  switch (ret)
+    {
+    case GNUTLS_SAN_DNSNAME:    tag = US"DNS";  break;
+    case GNUTLS_SAN_URI:        tag = US"URI";  break;
+    case GNUTLS_SAN_RFC822NAME: tag = US"MAIL"; break;
+    default: continue;        /* ignore unrecognised types */
+    }
+  list = string_append_listele(list, sep,
+          match == -1 ? string_sprintf("%s=%s", tag, ele) : ele);
+  }
+/*NOTREACHED*/
+}
+
+uschar *
+tls_cert_ocsp_uri(void * cert, uschar * mod)
+{
+#if GNUTLS_VERSION_NUMBER >= 0x030000
+gnutls_datum_t uri;
+int ret;
+uschar sep = '\n';
+gstring * list = NULL;
+
+if (mod)
+  if (*mod == '>' && *++mod) sep = *mod++;
+
+for (int index = 0;; index++)
+  {
+  ret = gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t)cert,
+	  index, GNUTLS_IA_OCSP_URI, &uri, NULL);
+
+  if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+    return string_from_gstring(list);
+  if (ret < 0)
+    return g_err("gai", __FUNCTION__, ret);
+
+  list = string_append_listele_n(list, sep, uri.data, uri.size);
+  }
+/*NOTREACHED*/
+
+#else
+
+expand_string_message =
+  string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
+    __FUNCTION__);
+return NULL;
+
+#endif
+}
+
+uschar *
+tls_cert_crl_uri(void * cert, uschar * mod)
+{
+int ret;
+uschar sep = '\n';
+gstring * list = NULL;
+uschar * ele;
+
+if (mod)
+  if (*mod == '>' && *++mod) sep = *mod++;
+
+for (int index = 0;; index++)
+  {
+  size_t siz = 0;
+  switch(ret = gnutls_x509_crt_get_crl_dist_points(
+    (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL, NULL))
+    {
+    case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
+      return string_from_gstring(list);
+    case GNUTLS_E_SHORT_MEMORY_BUFFER:
+      break;
+    default:
+      return g_err("gc0", __FUNCTION__, ret);
+    }
+
+  ele = store_get(siz, GET_TAINTED);
+  if ((ret = gnutls_x509_crt_get_crl_dist_points(
+      (gnutls_x509_crt_t)cert, index, ele, &siz, NULL, NULL)) < 0)
+    return g_err("gc1", __FUNCTION__, ret);
+
+  list = string_append_listele_n(list, sep, ele, siz);
+  }
+/*NOTREACHED*/
+}
+
+
+/*****************************************************
+*  Certificate operator routines
+*****************************************************/
+uschar *
+tls_cert_der_b64(void * cert)
+{
+size_t len = 0;
+uschar * cp = NULL;
+int fail;
+
+if (  (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
+	GNUTLS_X509_FMT_DER, cp, &len)) != GNUTLS_E_SHORT_MEMORY_BUFFER
+   || !(cp = store_get((int)len, GET_TAINTED), TRUE)	/* tainted */
+   || (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
+        GNUTLS_X509_FMT_DER, cp, &len))
+   )
+  {
+  log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
+    gnutls_strerror(fail));
+  return NULL;
+  }
+return b64encode(CUS cp, (int)len);
+}
+
+
+static uschar *
+fingerprint(gnutls_x509_crt_t cert, gnutls_digest_algorithm_t algo)
+{
+int ret;
+size_t siz = 0;
+uschar * cp;
+uschar * cp2;
+
+if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, NULL, &siz))
+    != GNUTLS_E_SHORT_MEMORY_BUFFER)
+  return g_err("gf0", __FUNCTION__, ret);
+
+cp = store_get(siz*3+1, GET_TAINTED);
+if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, cp, &siz)) < 0)
+  return g_err("gf1", __FUNCTION__, ret);
+
+for (uschar * cp3 = cp2 = cp+siz; cp < cp2; cp++)
+  cp3 += sprintf(CS cp3, "%02X", *cp);
+return cp2;
+}
+
+
+uschar *
+tls_cert_fprt_md5(void * cert)
+{
+return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_MD5);
+}
+
+uschar *
+tls_cert_fprt_sha1(void * cert)
+{
+return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA1);
+}
+
+uschar *
+tls_cert_fprt_sha256(void * cert)
+{
+return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA256);
+}
+
+
+/* vi: aw ai sw=2
+*/
+/* End of tlscert-gnu.c */
diff --git a/src/tlscert-openssl.c b/src/tlscert-openssl.c
new file mode 100644
index 0000000..168e35b
--- /dev/null
+++ b/src/tlscert-openssl.c
@@ -0,0 +1,532 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) Jeremy Harris 2014 - 2019 */
+
+/* This module provides TLS (aka SSL) support for Exim using the OpenSSL
+library. It is #included into the tls.c file when that library is used.
+*/
+
+
+/* Heading stuff */
+
+#include <openssl/lhash.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/x509v3.h>
+
+#ifdef LIBRESSL_VERSION_NUMBER	/* LibreSSL */
+# if LIBRESSL_VERSION_NUMBER >= 0x2090000fL
+#  define EXIM_HAVE_ASN1_MACROS
+# endif
+#else				/* OpenSSL */
+# if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#  define EXIM_HAVE_ASN1_MACROS
+# endif
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+# define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
+
+/*****************************************************
+*  Export/import a certificate, binary/printable
+******************************************************
+Return booolean success
+*/
+BOOL
+tls_export_cert(uschar * buf, size_t buflen, void * cert)
+{
+BIO * bp = BIO_new(BIO_s_mem());
+BOOL fail;
+
+if ((fail = PEM_write_bio_X509(bp, (X509 *)cert) ? 0 : 1))
+  log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
+    ERR_error_string(ERR_get_error(), NULL));
+else
+  {
+  char * cp = CS buf;
+  int n;
+  buflen -= 2;
+  for(;;)
+    {
+    if ((n = BIO_gets(bp, cp, (int)buflen)) <= 0) break;
+    cp += n+1;
+    buflen -= n+1;
+    cp[-2] = '\\'; cp[-1] = 'n'; /* newline->"\n" */
+    }				 /* compat with string_printing() */
+  *cp = '\0';
+  }
+
+BIO_free(bp);
+return !fail;
+}
+
+/* On error, NULL out the destination */
+BOOL
+tls_import_cert(const uschar * buf, void ** cert)
+{
+rmark reset_point = store_mark();
+const uschar * cp = string_unprinting(US buf);
+BIO * bp;
+X509 * x = *(X509 **)cert;
+
+if (x) X509_free(x);
+
+bp = BIO_new_mem_buf(US cp, -1);
+if (!(x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
+  log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
+    ERR_error_string(ERR_get_error(), NULL));
+
+*cert = (void *)x;
+BIO_free(bp);
+store_reset(reset_point);
+return !!x;
+}
+
+void
+tls_free_cert(void ** cert)
+{
+X509 * x = *(X509 **)cert;
+if (x)
+  {
+  X509_free(x);
+  *cert = NULL;
+  }
+}
+
+
+/*****************************************************
+*  Certificate field extraction routines
+*****************************************************/
+
+/* First, some internal service functions */
+
+static uschar *
+badalloc(void)
+{
+expand_string_message = US"allocation failure";
+return NULL;
+}
+
+static uschar *
+bio_string_copy(BIO * bp, int len)
+{
+uschar * cp = US"";
+len = len > 0 ? (int) BIO_get_mem_data(bp, &cp) : 0;
+cp = string_copyn(cp, len);
+BIO_free(bp);
+return cp;
+}
+
+static uschar *
+asn1_time_copy(const ASN1_TIME * asntime, uschar * mod)
+{
+uschar * s = NULL;
+BIO * bp = BIO_new(BIO_s_mem());
+int len;
+
+if (!bp)
+  return badalloc();
+len = ASN1_TIME_print(bp, asntime);
+len = len > 0 ? (int) BIO_get_mem_data(bp, CSS &s) : 0;
+
+if (mod && Ustrcmp(mod, "raw") == 0)		/* native ASN */
+  s = string_copyn(s, len);
+else
+  {
+  struct tm tm;
+  struct tm * tm_p = &tm;
+  BOOL mod_tz = TRUE;
+  uschar * tz = to_tz(US"GMT0");    /* need to call strptime with baseline TZ */
+
+  /* Parse OpenSSL ASN1_TIME_print output.  A shame there seems to
+  be no other interface for the times.
+  */
+
+  /*XXX %Z might be glibc-specific?  Solaris has it, at least*/
+  /*XXX should we switch to POSIX locale for this? */
+  tm.tm_isdst = 0;
+  if (!len || !strptime(CCS s, "%b %e %T %Y %Z", &tm))
+    expand_string_message = US"failed time conversion";
+
+  else
+    {
+    time_t t = mktime(&tm);	/* make the tm self-consistent */
+
+    if (mod && Ustrcmp(mod, "int") == 0)	/* seconds since epoch */
+      s = string_sprintf(TIME_T_FMT, t);
+
+    else
+      {
+      if (!f.timestamps_utc)	/* decoded string in local TZ */
+	{				/* shift to local TZ */
+	restore_tz(tz);
+	mod_tz = FALSE;
+	tm_p = localtime(&t);
+	}
+      /* "utc" is default, and rfc5280 says cert times should be Zulu */
+
+      /* convert to string in our format */
+      len = 32;
+      s = store_get(len, GET_UNTAINTED);
+      strftime(CS s, (size_t)len, "%b %e %T %Y %z", tm_p);
+      }
+    }
+
+  if (mod_tz)
+    restore_tz(tz);
+  }
+BIO_free(bp);
+return s;
+}
+
+static uschar *
+x509_name_copy(X509_NAME * name)
+{
+BIO * bp = BIO_new(BIO_s_mem());
+int len_good;
+
+if (!bp) return badalloc();
+
+len_good =
+  X509_NAME_print_ex(bp, name, 0, XN_FLAG_RFC2253) >= 0
+  ? 1 : 0;
+return bio_string_copy(bp, len_good);
+}
+
+/**/
+/* Now the extractors, called from expand.c
+Arguments:
+  cert		The certificate
+  mod		Optional modifiers for the operator
+
+Return:
+  Allocated string with extracted value
+*/
+
+uschar *
+tls_cert_issuer(void * cert, uschar * mod)
+{
+uschar * cp = x509_name_copy(X509_get_issuer_name((X509 *)cert));
+return mod ? tls_field_from_dn(cp, mod) : cp;
+}
+
+uschar *
+tls_cert_not_before(void * cert, uschar * mod)
+{
+return asn1_time_copy(X509_get_notBefore((X509 *)cert), mod);
+}
+
+uschar *
+tls_cert_not_after(void * cert, uschar * mod)
+{
+return asn1_time_copy(X509_get_notAfter((X509 *)cert), mod);
+}
+
+uschar *
+tls_cert_serial_number(void * cert, uschar * mod)
+{
+uschar txt[256];
+BIO * bp = BIO_new(BIO_s_mem());
+int len;
+
+if (!bp) return badalloc();
+
+len = i2a_ASN1_INTEGER(bp, X509_get_serialNumber((X509 *)cert));
+if (len < sizeof(txt))
+  BIO_read(bp, txt, len);
+else
+  len = 0;
+BIO_free(bp);
+return string_copynlc(txt, len);	/* lowercase */
+}
+
+uschar *
+tls_cert_signature(void * cert, uschar * mod)
+{
+uschar * cp = NULL;
+BIO * bp = BIO_new(BIO_s_mem());
+
+if (!bp) return badalloc();
+
+if (X509_print_ex(bp, (X509 *)cert, 0,
+  X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION | X509_FLAG_NO_SERIAL |
+  X509_FLAG_NO_SIGNAME | X509_FLAG_NO_ISSUER | X509_FLAG_NO_VALIDITY |
+  X509_FLAG_NO_SUBJECT | X509_FLAG_NO_PUBKEY | X509_FLAG_NO_EXTENSIONS |
+  /* X509_FLAG_NO_SIGDUMP is the missing one */
+  X509_FLAG_NO_AUX) == 1)
+  {
+  long len = BIO_get_mem_data(bp, &cp);
+
+  /* Strip leading "Signature Algorithm" line */
+  while (*cp && *cp != '\n') { cp++; len--; }
+
+  cp = string_copyn(cp+1, len-1);
+  }
+BIO_free(bp);
+return cp;
+}
+
+uschar *
+tls_cert_signature_algorithm(void * cert, uschar * mod)
+{
+uschar * cp = NULL;
+BIO * bp = BIO_new(BIO_s_mem());
+
+if (!bp) return badalloc();
+
+if (X509_print_ex(bp, (X509 *)cert, 0,
+  X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION | X509_FLAG_NO_SERIAL |
+  /* X509_FLAG_NO_SIGNAME is the missing one */
+  X509_FLAG_NO_ISSUER | X509_FLAG_NO_VALIDITY |
+  X509_FLAG_NO_SUBJECT | X509_FLAG_NO_PUBKEY | X509_FLAG_NO_EXTENSIONS |
+  X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_AUX) == 1)
+  {
+  long len = BIO_get_mem_data(bp, &cp);
+
+  /* Strip leading "    Signature Algorithm: " and trailing newline */
+  while (*cp && *cp != ':') { cp++; len--; }
+  do { cp++; len--; } while (*cp && *cp == ' ');
+  if (cp[len-1] == '\n') len--;
+
+  cp = string_copyn(cp, len);
+  }
+BIO_free(bp);
+return cp;
+}
+
+uschar *
+tls_cert_subject(void * cert, uschar * mod)
+{
+uschar * cp = x509_name_copy(X509_get_subject_name((X509 *)cert));
+return mod ? tls_field_from_dn(cp, mod) : cp;
+}
+
+uschar *
+tls_cert_version(void * cert, uschar * mod)
+{
+return string_sprintf("%ld", X509_get_version((X509 *)cert));
+}
+
+uschar *
+tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
+{
+int nid = OBJ_create(CS oid, "", "");
+int nidx = X509_get_ext_by_NID((X509 *)cert, nid, idx);
+X509_EXTENSION * ex = X509_get_ext((X509 *)cert, nidx);
+ASN1_OCTET_STRING * adata = X509_EXTENSION_get_data(ex);
+BIO * bp = BIO_new(BIO_s_mem());
+long len;
+uschar * cp1;
+uschar * cp2;
+uschar * cp3;
+
+if (!bp) return badalloc();
+
+#ifdef EXIM_HAVE_ASN1_MACROS
+ASN1_STRING_print(bp, adata);
+#else
+M_ASN1_OCTET_STRING_print(bp, adata);
+#endif
+
+/* binary data, DER encoded */
+/* just dump for now */
+len = BIO_get_mem_data(bp, &cp1);
+cp3 = cp2 = store_get(len*3+1, GET_TAINTED);
+
+while(len)
+  {
+  cp2 += sprintf(CS cp2, "%.2x ", *cp1++);
+  len--;
+  }
+cp2[-1] = '\0';
+
+return cp3;
+}
+
+uschar *
+tls_cert_subject_altname(void * cert, uschar * mod)
+{
+gstring * list = NULL;
+STACK_OF(GENERAL_NAME) * san = (STACK_OF(GENERAL_NAME) *)
+  X509_get_ext_d2i((X509 *)cert, NID_subject_alt_name, NULL, NULL);
+uschar osep = '\n';
+uschar * tag = US"";
+uschar * ele;
+int match = -1;
+int len;
+
+if (!san) return NULL;
+
+while (mod && *mod)
+  {
+  if (*mod == '>' && *++mod) osep = *mod++;
+  else if (Ustrncmp(mod,"dns",3)==0) { match = GEN_DNS; mod += 3; }
+  else if (Ustrncmp(mod,"uri",3)==0) { match = GEN_URI; mod += 3; }
+  else if (Ustrncmp(mod,"mail",4)==0) { match = GEN_EMAIL; mod += 4; }
+  else mod++;
+
+  if (*mod == ',') mod++;
+  }
+
+while (sk_GENERAL_NAME_num(san) > 0)
+  {
+  GENERAL_NAME * namePart = sk_GENERAL_NAME_pop(san);
+  if (match != -1 && match != namePart->type)
+    continue;
+  switch (namePart->type)
+    {
+    case GEN_DNS:
+      tag = US"DNS";
+      ele = US ASN1_STRING_get0_data(namePart->d.dNSName);
+      len = ASN1_STRING_length(namePart->d.dNSName);
+      break;
+    case GEN_URI:
+      tag = US"URI";
+      ele = US ASN1_STRING_get0_data(namePart->d.uniformResourceIdentifier);
+      len = ASN1_STRING_length(namePart->d.uniformResourceIdentifier);
+      break;
+    case GEN_EMAIL:
+      tag = US"MAIL";
+      ele = US ASN1_STRING_get0_data(namePart->d.rfc822Name);
+      len = ASN1_STRING_length(namePart->d.rfc822Name);
+      break;
+    default:
+      continue;	/* ignore unrecognised types */
+    }
+  if (ele[len])	/* not nul-terminated */
+    ele = string_copyn(ele, len);
+
+  if (Ustrlen(ele) == len)	/* ignore any with embedded nul */
+    list = string_append_listele(list, osep,
+	  match == -1 ? string_sprintf("%s=%s", tag, ele) : ele);
+  }
+
+sk_GENERAL_NAME_free(san);
+return string_from_gstring(list);
+}
+
+uschar *
+tls_cert_ocsp_uri(void * cert, uschar * mod)
+{
+STACK_OF(ACCESS_DESCRIPTION) * ads = (STACK_OF(ACCESS_DESCRIPTION) *)
+  X509_get_ext_d2i((X509 *)cert, NID_info_access, NULL, NULL);
+int adsnum = sk_ACCESS_DESCRIPTION_num(ads);
+uschar sep = '\n';
+gstring * list = NULL;
+
+if (mod)
+  if (*mod == '>' && *++mod) sep = *mod++;
+
+for (int i = 0; i < adsnum; i++)
+  {
+  ACCESS_DESCRIPTION * ad = sk_ACCESS_DESCRIPTION_value(ads, i);
+
+  if (ad && OBJ_obj2nid(ad->method) == NID_ad_OCSP)
+    list = string_append_listele_n(list, sep,
+      US ASN1_STRING_get0_data(ad->location->d.ia5),
+      ASN1_STRING_length(ad->location->d.ia5));
+  }
+sk_ACCESS_DESCRIPTION_free(ads);
+return string_from_gstring(list);
+}
+
+uschar *
+tls_cert_crl_uri(void * cert, uschar * mod)
+{
+STACK_OF(DIST_POINT) * dps = (STACK_OF(DIST_POINT) *)
+  X509_get_ext_d2i((X509 *)cert,  NID_crl_distribution_points,
+    NULL, NULL);
+DIST_POINT * dp;
+uschar sep = '\n';
+gstring * list = NULL;
+
+if (mod)
+  if (*mod == '>' && *++mod) sep = *mod++;
+
+if (dps) for (int i = 0, dpsnum = sk_DIST_POINT_num(dps); i < dpsnum; i++)
+  if ((dp = sk_DIST_POINT_value(dps, i)))
+    {
+    STACK_OF(GENERAL_NAME) * names = dp->distpoint->name.fullname;
+    GENERAL_NAME * np;
+
+    for (int j = 0, nnum = sk_GENERAL_NAME_num(names); j < nnum; j++)
+      if (  (np = sk_GENERAL_NAME_value(names, j))
+	 && np->type == GEN_URI
+	 )
+	list = string_append_listele_n(list, sep,
+	  US ASN1_STRING_get0_data(np->d.uniformResourceIdentifier),
+	  ASN1_STRING_length(np->d.uniformResourceIdentifier));
+    }
+sk_DIST_POINT_free(dps);
+return string_from_gstring(list);
+}
+
+
+
+/*****************************************************
+*  Certificate operator routines
+*****************************************************/
+uschar *
+tls_cert_der_b64(void * cert)
+{
+BIO * bp = BIO_new(BIO_s_mem());
+uschar * cp = NULL;
+
+if (!i2d_X509_bio(bp, (X509 *)cert))
+  log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
+    ERR_error_string(ERR_get_error(), NULL));
+else
+  {
+  long len = BIO_get_mem_data(bp, &cp);
+  cp = b64encode(CUS cp, (int)len);
+  }
+
+BIO_free(bp);
+return cp;
+}
+
+
+static uschar *
+fingerprint(X509 * cert, const EVP_MD * fdig)
+{
+unsigned int n;
+uschar md[EVP_MAX_MD_SIZE];
+uschar * cp;
+
+if (!X509_digest(cert,fdig,md,&n))
+  {
+  expand_string_message = US"tls_cert_fprt: out of mem\n";
+  return NULL;
+  }
+cp = store_get(n*2+1, GET_TAINTED);
+for (int j = 0; j < (int)n; j++) sprintf(CS cp+2*j, "%02X", md[j]);
+return(cp);
+}
+
+uschar *
+tls_cert_fprt_md5(void * cert)
+{
+return fingerprint((X509 *)cert, EVP_md5());
+}
+
+uschar *
+tls_cert_fprt_sha1(void * cert)
+{
+return fingerprint((X509 *)cert, EVP_sha1());
+}
+
+uschar *
+tls_cert_fprt_sha256(void * cert)
+{
+return fingerprint((X509 *)cert, EVP_sha256());
+}
+
+
+/* vi: aw ai sw=2
+*/
+/* End of tlscert-openssl.c */
diff --git a/src/tod.c b/src/tod.c
new file mode 100644
index 0000000..1f0bcc0
--- /dev/null
+++ b/src/tod.c
@@ -0,0 +1,239 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* A function for returning the time of day in various formats */
+
+
+#include "exim.h"
+
+/* #define TESTING_LOG_DATESTAMP */
+
+
+static uschar timebuf[sizeof("www, dd-mmm-yyyy hh:mm:ss.ddd +zzzz")];
+
+
+/*************************************************
+*                Return timestamp                *
+*************************************************/
+
+/* The log timestamp format is dd-mmm-yy so as to be non-confusing on both
+sides of the Atlantic. We calculate an explicit numerical offset from GMT for
+the full datestamp and BSD inbox datestamp. Note that on some systems
+localtime() and gmtime() re-use the same store, so we must save the local time
+values before calling gmtime(). If timestamps_utc is set, don't use
+localtime(); all times are then in UTC (with offset +0000).
+
+There are also some contortions to get the day of the month without
+a leading zero for the full stamp, since Ustrftime() doesn't provide this
+option.
+
+Argument:  type of timestamp required:
+             tod_bsdin                  BSD inbox format
+             tod_epoch                  Unix epoch format
+             tod_epochl                 Unix epoch/usec format
+             tod_full                   full date and time
+             tod_log                    log file data line format,
+                                          with zone if log_timezone is TRUE
+             tod_log_bare               always without zone
+             tod_log_datestamp_daily    for log file names when datestamped daily
+             tod_log_datestamp_monthly  for log file names when datestamped monthly
+             tod_log_zone               always with zone
+             tod_mbx                    MBX inbox format
+             tod_zone                   just the timezone offset
+             tod_zulu                   time in 8601 zulu format
+
+Returns:   pointer to fixed buffer containing the timestamp
+*/
+
+uschar *
+tod_stamp(int type)
+{
+struct timeval now;
+struct tm * t;
+
+gettimeofday(&now, NULL);
+
+/* Styles that don't need local time */
+
+switch(type)
+  {
+  case tod_epoch:
+    (void) snprintf(CS timebuf, sizeof(timebuf), TIME_T_FMT, now.tv_sec);  /* Unix epoch format */
+    return timebuf;	/* NB the above will be wrong if time_t is FP */
+
+  case tod_epoch_l:
+    /* Unix epoch/usec format */
+    (void) snprintf(CS timebuf, sizeof(timebuf), TIME_T_FMT "%06ld", now.tv_sec, (long) now.tv_usec );
+    return timebuf;
+
+  case tod_zulu:
+    t = gmtime(&now.tv_sec);
+    (void) snprintf(CS timebuf, sizeof(timebuf), "%04u%02u%02u%02u%02u%02uZ",
+      1900 + (uint)t->tm_year, 1 + (uint)t->tm_mon, (uint)t->tm_mday, (uint)t->tm_hour, (uint)t->tm_min,
+      (uint)t->tm_sec);
+    return timebuf;
+  }
+
+/* Vary log type according to timezone requirement */
+
+if (type == tod_log) type = log_timezone ? tod_log_zone : tod_log_bare;
+
+/* Convert to local time or UTC */
+
+t = f.timestamps_utc ? gmtime(&now.tv_sec) : localtime(&now.tv_sec);
+
+switch(type)
+  {
+  case tod_log_bare:          /* Format used in logging without timezone */
+#ifndef COMPILE_UTILITY
+    if (LOGGING(millisec))
+      snprintf(CS timebuf, sizeof(timebuf), "%04u-%02u-%02u %02u:%02u:%02u.%03u",
+	1900 + (uint)t->tm_year, 1 + (uint)t->tm_mon, (uint)t->tm_mday,
+	(uint)t->tm_hour, (uint)t->tm_min, (uint)t->tm_sec,
+	(uint)(now.tv_usec/1000));
+    else
+#endif
+      snprintf(CS timebuf, sizeof(timebuf), "%04u-%02u-%02u %02u:%02u:%02u",
+	1900 + (uint)t->tm_year, 1 + (uint)t->tm_mon, (uint)t->tm_mday,
+	(uint)t->tm_hour, (uint)t->tm_min, (uint)t->tm_sec);
+
+    break;
+
+    /* Format used as suffix of log file name when 'log_datestamp' is active. For
+    testing purposes, it changes the file every second. */
+
+#ifdef TESTING_LOG_DATESTAMP
+  case tod_log_datestamp_daily:
+  case tod_log_datestamp_monthly:
+    snprintf(CS timebuf, sizeof(timebuf), "%04u%02u%02u%02u%02u",
+      1900 + (uint)t->tm_year, 1 + (uint)t->tm_mon, (uint)t->tm_mday,
+      (uint)t->tm_hour, (uint)t->tm_min);
+    break;
+
+#else
+  case tod_log_datestamp_daily:
+    snprintf(CS timebuf, sizeof(timebuf), "%04u%02u%02u",
+      1900 + (uint)t->tm_year, 1 + (uint)t->tm_mon, (uint)t->tm_mday);
+    break;
+
+  case tod_log_datestamp_monthly:
+#ifndef COMPILE_UTILITY
+    snprintf(CS timebuf, sizeof(timebuf), "%04u%02u",
+      1900 + (uint)t->tm_year, 1 + (uint)t->tm_mon);
+#endif
+    break;
+#endif
+
+    /* Format used in BSD inbox separator lines. Sort-of documented in RFC 976
+    ("UUCP Mail Interchange Format Standard") but only by example, not by
+    explicit definition. The examples show no timezone offsets, and some MUAs
+    appear to be sensitive to this, so Exim has been changed to remove the
+    timezone offsets that originally appeared. */
+
+  case tod_bsdin:
+      {
+      int len = Ustrftime(timebuf, sizeof(timebuf), "%a %b %d %H:%M:%S", t);
+      Ustrftime(timebuf + len, sizeof(timebuf) - len, " %Y", t);
+      }
+    break;
+
+    /* Other types require the GMT offset to be calculated, or just set up in the
+    case of UTC timestamping. We need to take a copy of the local time first. */
+
+  default:
+      {
+      int diff_hour, diff_min;
+      struct tm local;
+      struct tm * lp = &local;
+      memcpy(lp, t, sizeof(struct tm));
+
+      if (f.timestamps_utc)
+	diff_hour = diff_min = 0;
+      else
+	{
+	struct tm * gmt = gmtime(&now.tv_sec);
+
+	if (local.tm_sec == gmt->tm_sec)	/* usual case */
+	  {
+	  diff_min = 60 * (local.tm_hour - gmt->tm_hour)
+		    + local.tm_min - gmt->tm_min;
+	  if (local.tm_year != gmt->tm_year)
+	    diff_min += (local.tm_year > gmt->tm_year) ? 1440 : -1440;
+	  else if (local.tm_yday != gmt->tm_yday)
+	    diff_min += (local.tm_yday > gmt->tm_yday) ? 1440 : -1440;
+	  diff_hour = diff_min/60;
+	  diff_min  = abs(diff_min - diff_hour*60);
+	  }
+	else					/* subminute offset, eg. TAI */
+	  {
+	  lp = gmt;				/* pretend we're in UTC */
+	  diff_min = diff_hour = 0;
+	  }
+	}
+
+      switch(type)
+	{
+	case tod_log_zone:          /* Format used in logging with timezone */
+#ifndef COMPILE_UTILITY
+	  if (LOGGING(millisec))
+	    (void) snprintf(CS timebuf, sizeof(timebuf),
+	      "%04u-%02u-%02u %02u:%02u:%02u.%03u %+03d%02d",
+	      1900 + (uint)lp->tm_year, 1 + (uint)lp->tm_mon, (uint)lp->tm_mday,
+	      (uint)lp->tm_hour, (uint)lp->tm_min, (uint)lp->tm_sec, (uint)(now.tv_usec/1000),
+	      diff_hour, diff_min);
+	  else
+#endif
+	    (void) snprintf(CS timebuf, sizeof(timebuf),
+	      "%04u-%02u-%02u %02u:%02u:%02u %+03d%02d",
+	      1900 + (uint)lp->tm_year, 1 + (uint)lp->tm_mon, (uint)lp->tm_mday,
+	      (uint)lp->tm_hour, (uint)lp->tm_min, (uint)lp->tm_sec,
+	      diff_hour, diff_min);
+	  break;
+
+	case tod_zone:              /* Just the timezone offset */
+	  (void) snprintf(CS timebuf, sizeof(timebuf), "%+03d%02d", diff_hour, diff_min);
+	  break;
+
+	/* tod_mbx: format used in MBX mailboxes - subtly different to tod_full */
+
+#ifdef SUPPORT_MBX
+	case tod_mbx:
+	  {
+	  int len = snprintf(CS timebuf, sizeof(timebuf),
+	    "%02u-", (uint)lp->tm_mday);
+	  len += Ustrftime(timebuf + len, sizeof(timebuf) - len,
+	    "%b-%Y %H:%M:%S", lp);
+	  (void) snprintf(CS timebuf + len, sizeof(timebuf)-len,
+	    " %+03d%02d", diff_hour, diff_min);
+	  }
+	  break;
+#endif
+
+	/* tod_full: format used in Received: headers (use as default just in case
+	called with a junk type value) */
+
+	default:
+	  {
+	  int len = Ustrftime(timebuf, sizeof(timebuf), "%a, ", lp);
+	  len += snprintf(CS timebuf + len, sizeof(timebuf)-len,
+	    "%02u ", (uint)lp->tm_mday);
+	  len += Ustrftime(timebuf + len, sizeof(timebuf) - len,
+	    "%b %Y %H:%M:%S", lp);
+	  (void) snprintf(CS timebuf + len, sizeof(timebuf)-len,
+	    " %+03d%02d", diff_hour, diff_min);
+	  }
+	  break;
+	}
+      }
+    break;
+  }
+
+return timebuf;
+}
+
+/* End of tod.c */
diff --git a/src/transport-filter.src b/src/transport-filter.src
new file mode 100644
index 0000000..db00d87
--- /dev/null
+++ b/src/transport-filter.src
@@ -0,0 +1,93 @@
+#! PERL_COMMAND
+
+# This is a Perl script to demonstrate the possibilities of on-the-fly
+# delivery filtering in Exim. It is presented with a message on its standard
+# input, and must copy it to the standard output, transforming it as it
+# pleases, but of course it must keep to the syntax of RFC 822 for the headers.
+
+# The filter is run before any SMTP-specific processing, such as turning
+# \n into \r\n and escaping lines beginning with a dot.
+#
+# Philip Hazel, May 1997
+#############################################################################
+
+use warnings;
+BEGIN { pop @INC if $INC[-1] eq '.' };
+use File::Basename;
+
+if ($ARGV[0] eq '--version') {
+    print basename($0) . ": $0\n",
+        "build: EXIM_RELEASE_VERSIONEXIM_VARIANT_VERSION\n",
+        "perl(runtime): $]\n";
+        exit 0;
+}
+
+# If the filter is called with any arguments, insert them into the message
+# as X-Arg headers, just to verify what they are.
+
+for ($ac = 0; $ac < @ARGV; $ac++)
+  {
+  printf("X-Arg%d: %s\n", $ac, $ARGV[$ac]);
+  }
+
+# Now read the header portion of the message; this is easy to do in Perl
+
+$/ = "";                    # set paragraph mode
+chomp($headers = <STDIN>);  # read a paragraph, remove trailing newlines
+$/ = "\n";                  # unset paragraph mode
+
+# Splitting up a sequence of unique headers is easy to do in Perl, but a
+# message may contain duplicate headers of various kinds. It is better
+# to extract the headers one wants from the whole paragraph, do any appropriate
+# munging, and then put them back (unless removing them altogether). Messing
+# with "Received:" headers is not in any case to be encouraged.
+
+# As a demonstration, we extract the "From:" header, add a textual comment
+# to it, and put it back.
+
+($pre, $from, $post) =
+  $headers =~ /^(|(?:.|\n)+\n)   (?# Stuff preceding the From header,
+                                     which is either null, or any number
+                                     of characters, including \n, ending
+                                     with \n.)
+               From:[\s\t]*      (?# Header name, with optional space or tab.)
+               ((?:.|\n)*?)      (?# Header body, which contains any chars,
+                                     including \n, but we want to make it as
+                                     short as possible so as not to include
+                                     following headers by mistake.)
+               (|\n\S(?:.|\n)*)$ (?# Header terminates at end or at \n followed
+                                     by a non-whitespace character and
+                                     remaining headers.)
+              /ix;                #  case independent, regular expression,
+                                  #  use extended features (ignore whitespace)
+
+# Only do something if there was a From: header, of course. It has been
+# extracted without the final \n, which is on the front of the $post
+# variable.
+
+if ($pre)
+  {
+  $headers = $pre . "From: $from (this is an added comment)" . $post;
+  }
+
+# Add a new header to the end of the headers; remember that the final
+# \n isn't there.
+
+$headers .= "\nX-Comment: Message munged";
+
+# Write out the processed headers, plus a blank line to separate them from
+# the body.
+
+printf(STDOUT "%s\n\n", $headers);
+
+# As a demonstration of munging the body of a message, reverse all the
+# characters in each line.
+
+while (<STDIN>)
+  {
+  chomp;
+  $_ = reverse($_);
+  printf(STDOUT "%s\n", $_);
+  }
+
+# End
diff --git a/src/transport.c b/src/transport.c
new file mode 100644
index 0000000..cce1c46
--- /dev/null
+++ b/src/transport.c
@@ -0,0 +1,2409 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* General functions concerned with transportation, and generic options for all
+transports. */
+
+
+#include "exim.h"
+
+/* Generic options for transports, all of which live inside transport_instance
+data blocks and which therefore have the opt_public flag set. Note that there
+are other options living inside this structure which can be set only from
+certain transports. */
+#define LOFF(field) OPT_OFF(transport_instance, field)
+
+optionlist optionlist_transports[] = {
+  /*	name		type					value */
+  { "*expand_group",    opt_stringptr|opt_hidden|opt_public,
+                 LOFF(expand_gid) },
+  { "*expand_user",     opt_stringptr|opt_hidden|opt_public,
+                 LOFF(expand_uid) },
+  { "*headers_rewrite_flags", opt_int|opt_public|opt_hidden,
+                 LOFF(rewrite_existflags) },
+  { "*headers_rewrite_rules", opt_void|opt_public|opt_hidden,
+                 LOFF(rewrite_rules) },
+  { "*set_group",       opt_bool|opt_hidden|opt_public,
+                 LOFF(gid_set) },
+  { "*set_user",        opt_bool|opt_hidden|opt_public,
+                 LOFF(uid_set) },
+  { "body_only",        opt_bool|opt_public,
+                 LOFF(body_only) },
+  { "current_directory", opt_stringptr|opt_public,
+                 LOFF(current_dir) },
+  { "debug_print",      opt_stringptr | opt_public,
+                 LOFF(debug_string) },
+  { "delivery_date_add", opt_bool|opt_public,
+                 LOFF(delivery_date_add) },
+  { "disable_logging",  opt_bool|opt_public,
+                 LOFF(disable_logging) },
+  { "driver",           opt_stringptr|opt_public,
+                 LOFF(driver_name) },
+  { "envelope_to_add",   opt_bool|opt_public,
+                 LOFF(envelope_to_add) },
+#ifndef DISABLE_EVENT
+  { "event_action",     opt_stringptr | opt_public,
+                 LOFF(event_action) },
+#endif
+  { "group",             opt_expand_gid|opt_public,
+                 LOFF(gid) },
+  { "headers_add",      opt_stringptr|opt_public|opt_rep_str,
+                 LOFF(add_headers) },
+  { "headers_only",     opt_bool|opt_public,
+                 LOFF(headers_only) },
+  { "headers_remove",   opt_stringptr|opt_public|opt_rep_str,
+                 LOFF(remove_headers) },
+  { "headers_rewrite",  opt_rewrite|opt_public,
+                 LOFF(headers_rewrite) },
+  { "home_directory",   opt_stringptr|opt_public,
+                 LOFF(home_dir) },
+  { "initgroups",       opt_bool|opt_public,
+                 LOFF(initgroups) },
+  { "max_parallel",     opt_stringptr|opt_public,
+                 LOFF(max_parallel) },
+  { "message_size_limit", opt_stringptr|opt_public,
+                 LOFF(message_size_limit) },
+  { "rcpt_include_affixes", opt_bool|opt_public,
+                 LOFF(rcpt_include_affixes) },
+  { "retry_use_local_part", opt_bool|opt_public,
+                 LOFF(retry_use_local_part) },
+  { "return_path",      opt_stringptr|opt_public,
+                 LOFF(return_path) },
+  { "return_path_add",   opt_bool|opt_public,
+                 LOFF(return_path_add) },
+  { "shadow_condition", opt_stringptr|opt_public,
+                 LOFF(shadow_condition) },
+  { "shadow_transport", opt_stringptr|opt_public,
+                 LOFF(shadow) },
+  { "transport_filter", opt_stringptr|opt_public,
+                 LOFF(filter_command) },
+  { "transport_filter_timeout", opt_time|opt_public,
+                 LOFF(filter_timeout) },
+  { "user",             opt_expand_uid|opt_public,
+                 LOFF(uid) }
+};
+
+int optionlist_transports_size = nelem(optionlist_transports);
+
+#ifdef MACRO_PREDEF
+
+# include "macro_predef.h"
+
+void
+options_transports(void)
+{
+uschar buf[64];
+
+options_from_list(optionlist_transports, nelem(optionlist_transports), US"TRANSPORTS", NULL);
+
+for (transport_info * ti = transports_available; ti->driver_name[0]; ti++)
+  {
+  spf(buf, sizeof(buf), US"_DRIVER_TRANSPORT_%T", ti->driver_name);
+  builtin_macro_create(buf);
+  options_from_list(ti->options, (unsigned)*ti->options_count, US"TRANSPORT", ti->driver_name);
+  }
+}
+
+#else	/*!MACRO_PREDEF*/
+
+/* Structure for keeping list of addresses that have been added to
+Envelope-To:, in order to avoid duplication. */
+
+struct aci {
+  struct aci *next;
+  address_item *ptr;
+  };
+
+
+/* Static data for write_chunk() */
+
+static uschar *chunk_ptr;           /* chunk pointer */
+static uschar *nl_check;            /* string to look for at line start */
+static int     nl_check_length;     /* length of same */
+static uschar *nl_escape;           /* string to insert */
+static int     nl_escape_length;    /* length of same */
+static int     nl_partial_match;    /* length matched at chunk end */
+
+
+/*************************************************
+*             Initialize transport list           *
+*************************************************/
+
+/* Read the transports section of the configuration file, and set up a chain of
+transport instances according to its contents. Each transport has generic
+options and may also have its own private options. This function is only ever
+called when transports == NULL. We use generic code in readconf to do most of
+the work. */
+
+void
+transport_init(void)
+{
+readconf_driver_init(US"transport",
+  (driver_instance **)(&transports),     /* chain anchor */
+  (driver_info *)transports_available,   /* available drivers */
+  sizeof(transport_info),                /* size of info block */
+  &transport_defaults,                   /* default values for generic options */
+  sizeof(transport_instance),            /* size of instance block */
+  optionlist_transports,                 /* generic options */
+  optionlist_transports_size);
+
+/* Now scan the configured transports and check inconsistencies. A shadow
+transport is permitted only for local transports. */
+
+for (transport_instance * t = transports; t; t = t->next)
+  {
+  if (!t->info->local && t->shadow)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+      "shadow transport not allowed on non-local transport %s", t->name);
+
+  if (t->body_only && t->headers_only)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+      "%s transport: body_only and headers_only are mutually exclusive",
+      t->name);
+  }
+}
+
+
+
+/*************************************************
+*             Write block of data                *
+*************************************************/
+
+static int
+tpt_write(int fd, uschar * block, int len, BOOL more, int options)
+{
+return
+#ifndef DISABLE_TLS
+  tls_out.active.sock == fd
+    ? tls_write(tls_out.active.tls_ctx, block, len, more) :
+#endif
+#ifdef MSG_MORE
+  more && !(options & topt_not_socket) ? send(fd, block, len, MSG_MORE) :
+#endif
+  write(fd, block, len);
+}
+
+/* Subroutine called by write_chunk() and at the end of the message actually
+to write a data block. Also called directly by some transports to write
+additional data to the file descriptor (e.g. prefix, suffix).
+
+If a transport wants data transfers to be timed, it sets a non-zero value in
+transport_write_timeout. A non-zero transport_write_timeout causes a timer to
+be set for each block of data written from here. If time runs out, then write()
+fails and provokes an error return. The caller can then inspect sigalrm_seen to
+check for a timeout.
+
+On some systems, if a quota is exceeded during the write, the yield is the
+number of bytes written rather than an immediate error code. This also happens
+on some systems in other cases, for example a pipe that goes away because the
+other end's process terminates (Linux). On other systems, (e.g. Solaris 2) you
+get the error codes the first time.
+
+The write() function is also interruptible; the Solaris 2.6 man page says:
+
+     If write() is interrupted by a signal before it writes any
+     data, it will return -1 with errno set to EINTR.
+
+     If write() is interrupted by a signal after it successfully
+     writes some data, it will return the number of bytes written.
+
+To handle these cases, we want to restart the write() to output the remainder
+of the data after a non-negative return from write(), except after a timeout.
+In the error cases (EDQUOT, EPIPE) no bytes get written the second time, and a
+proper error then occurs. In principle, after an interruption, the second
+write() could suffer the same fate, but we do not want to continue for
+evermore, so stick a maximum repetition count on the loop to act as a
+longstop.
+
+Arguments:
+  tctx      transport context: file descriptor or string to write to
+  block     block of bytes to write
+  len       number of bytes to write
+  more	    further data expected soon
+
+Returns:    TRUE on success, FALSE on failure (with errno preserved);
+              transport_count is incremented by the number of bytes written
+*/
+
+static BOOL
+transport_write_block_fd(transport_ctx * tctx, uschar * block, int len, BOOL more)
+{
+int rc, save_errno;
+int local_timeout = transport_write_timeout;
+int connretry = 1;
+int fd = tctx->u.fd;
+
+/* This loop is for handling incomplete writes and other retries. In most
+normal cases, it is only ever executed once. */
+
+for (int i = 0; i < 100; i++)
+  {
+  DEBUG(D_transport)
+    debug_printf("writing data block fd=%d size=%d timeout=%d%s\n",
+      fd, len, local_timeout, more ? " (more expected)" : "");
+
+  /* When doing TCP Fast Open we may get this far before the 3-way handshake
+  is complete, and write returns ENOTCONN.  Detect that, wait for the socket
+  to become writable, and retry once only. */
+
+  for(;;)
+    {
+    /* This code makes use of alarm() in order to implement the timeout. This
+    isn't a very tidy way of doing things. Using non-blocking I/O with select()
+    provides a neater approach. However, I don't know how to do this when TLS is
+    in use. */
+
+    if (transport_write_timeout <= 0)   /* No timeout wanted */
+      {
+      rc = tpt_write(fd, block, len, more, tctx->options);
+      save_errno = errno;
+      }
+    else				/* Timeout wanted. */
+      {
+      sigalrm_seen = FALSE;
+      ALARM(local_timeout);
+	rc = tpt_write(fd, block, len, more, tctx->options);
+	save_errno = errno;
+      local_timeout = ALARM_CLR(0);
+      if (sigalrm_seen)
+	{
+	errno = ETIMEDOUT;
+	return FALSE;
+	}
+      }
+
+    if (rc >= 0 || errno != ENOTCONN || connretry <= 0)
+      break;
+
+    poll_one_fd(fd, POLLOUT, -1);		/* could set timeout? retval check? */
+    connretry--;
+    }
+
+  /* Hopefully, the most common case is success, so test that first. */
+
+  if (rc == len) { transport_count += len; return TRUE; }
+
+  /* A non-negative return code is an incomplete write. Try again for the rest
+  of the block. If we have exactly hit the timeout, give up. */
+
+  if (rc >= 0)
+    {
+    len -= rc;
+    block += rc;
+    transport_count += rc;
+    DEBUG(D_transport) debug_printf("write incomplete (%d)\n", rc);
+    goto CHECK_TIMEOUT;   /* A few lines below */
+    }
+
+  /* A negative return code with an EINTR error is another form of
+  incomplete write, zero bytes having been written */
+
+  if (save_errno == EINTR)
+    {
+    DEBUG(D_transport)
+      debug_printf("write interrupted before anything written\n");
+    goto CHECK_TIMEOUT;   /* A few lines below */
+    }
+
+  /* A response of EAGAIN from write() is likely only in the case of writing
+  to a FIFO that is not swallowing the data as fast as Exim is writing it. */
+
+  if (save_errno == EAGAIN)
+    {
+    DEBUG(D_transport)
+      debug_printf("write temporarily locked out, waiting 1 sec\n");
+    sleep(1);
+
+    /* Before continuing to try another write, check that we haven't run out of
+    time. */
+
+    CHECK_TIMEOUT:
+    if (transport_write_timeout > 0 && local_timeout <= 0)
+      {
+      errno = ETIMEDOUT;
+      return FALSE;
+      }
+    continue;
+    }
+
+  /* Otherwise there's been an error */
+
+  DEBUG(D_transport) debug_printf("writing error %d: %s\n", save_errno,
+    strerror(save_errno));
+  errno = save_errno;
+  return FALSE;
+  }
+
+/* We've tried and tried and tried but still failed */
+
+errno = ERRNO_WRITEINCOMPLETE;
+return FALSE;
+}
+
+
+BOOL
+transport_write_block(transport_ctx * tctx, uschar *block, int len, BOOL more)
+{
+if (!(tctx->options & topt_output_string))
+  return transport_write_block_fd(tctx, block, len, more);
+
+/* Write to expanding-string.  NOTE: not NUL-terminated */
+
+if (!tctx->u.msg)
+  tctx->u.msg = string_get(1024);
+
+tctx->u.msg = string_catn(tctx->u.msg, block, len);
+return TRUE;
+}
+
+
+
+
+/*************************************************
+*             Write formatted string             *
+*************************************************/
+
+/* This is called by various transports. It is a convenience function.
+
+Arguments:
+  fd          file descriptor
+  format      string format
+  ...         arguments for format
+
+Returns:      the yield of transport_write_block()
+*/
+
+BOOL
+transport_write_string(int fd, const char *format, ...)
+{
+transport_ctx tctx = {{0}};
+gstring gs = { .size = big_buffer_size, .ptr = 0, .s = big_buffer };
+va_list ap;
+
+/* Use taint-unchecked routines for writing into big_buffer, trusting
+that the result will never be expanded. */
+
+va_start(ap, format);
+if (!string_vformat(&gs, SVFMT_TAINT_NOCHK, format, ap))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "overlong formatted string in transport");
+va_end(ap);
+tctx.u.fd = fd;
+return transport_write_block(&tctx, gs.s, gs.ptr, FALSE);
+}
+
+
+
+
+void
+transport_write_reset(int options)
+{
+if (!(options & topt_continuation)) chunk_ptr = deliver_out_buffer;
+nl_partial_match = -1;
+nl_check_length = nl_escape_length = 0;
+}
+
+
+
+/*************************************************
+*              Write character chunk             *
+*************************************************/
+
+/* Subroutine used by transport_write_message() to scan character chunks for
+newlines and act appropriately. The object is to minimise the number of writes.
+The output byte stream is buffered up in deliver_out_buffer, which is written
+only when it gets full, thus minimizing write operations and TCP packets.
+
+Static data is used to handle the case when the last character of the previous
+chunk was NL, or matched part of the data that has to be escaped.
+
+Arguments:
+  tctx       transport context - processing to be done during output,
+		and file descriptor to write to
+  chunk      pointer to data to write
+  len        length of data to write
+
+In addition, the static nl_xxx variables must be set as required.
+
+Returns:     TRUE on success, FALSE on failure (with errno preserved)
+*/
+
+BOOL
+write_chunk(transport_ctx * tctx, uschar *chunk, int len)
+{
+uschar *start = chunk;
+uschar *end = chunk + len;
+int mlen = DELIVER_OUT_BUFFER_SIZE - nl_escape_length - 2;
+
+/* The assumption is made that the check string will never stretch over move
+than one chunk since the only time there are partial matches is when copying
+the body in large buffers. There is always enough room in the buffer for an
+escape string, since the loop below ensures this for each character it
+processes, and it won't have stuck in the escape string if it left a partial
+match. */
+
+if (nl_partial_match >= 0)
+  {
+  if (nl_check_length > 0 && len >= nl_check_length &&
+      Ustrncmp(start, nl_check + nl_partial_match,
+        nl_check_length - nl_partial_match) == 0)
+    {
+    Ustrncpy(chunk_ptr, nl_escape, nl_escape_length);
+    chunk_ptr += nl_escape_length;
+    start += nl_check_length - nl_partial_match;
+    }
+
+  /* The partial match was a false one. Insert the characters carried over
+  from the previous chunk. */
+
+  else if (nl_partial_match > 0)
+    {
+    Ustrncpy(chunk_ptr, nl_check, nl_partial_match);
+    chunk_ptr += nl_partial_match;
+    }
+
+  nl_partial_match = -1;
+  }
+
+/* Now process the characters in the chunk. Whenever we hit a newline we check
+for possible escaping. The code for the non-NL route should be as fast as
+possible. */
+
+for (uschar * ptr = start; ptr < end; ptr++)
+  {
+  int ch, len;
+
+  /* Flush the buffer if it has reached the threshold - we want to leave enough
+  room for the next uschar, plus a possible extra CR for an LF, plus the escape
+  string. */
+
+  if ((len = chunk_ptr - deliver_out_buffer) > mlen)
+    {
+    DEBUG(D_transport) debug_printf("flushing headers buffer\n");
+
+    /* If CHUNKING, prefix with BDAT (size) NON-LAST.  Also, reap responses
+    from previous SMTP commands. */
+
+    if (tctx->options & topt_use_bdat  &&  tctx->chunk_cb)
+      {
+      if (  tctx->chunk_cb(tctx, (unsigned)len, 0) != OK
+	 || !transport_write_block(tctx, deliver_out_buffer, len, FALSE)
+	 || tctx->chunk_cb(tctx, 0, tc_reap_prev) != OK
+	 )
+	return FALSE;
+      }
+    else
+      if (!transport_write_block(tctx, deliver_out_buffer, len, FALSE))
+	return FALSE;
+    chunk_ptr = deliver_out_buffer;
+    }
+
+  /* Remove CR before NL if required */
+
+  if (  *ptr == '\r' && ptr[1] == '\n'
+     && !(tctx->options & topt_use_crlf)
+     && f.spool_file_wireformat
+     )
+    ptr++;
+
+  if ((ch = *ptr) == '\n')
+    {
+    int left = end - ptr - 1;  /* count of chars left after NL */
+
+    /* Insert CR before NL if required */
+
+    if (tctx->options & topt_use_crlf && !f.spool_file_wireformat)
+      *chunk_ptr++ = '\r';
+    *chunk_ptr++ = '\n';
+    transport_newlines++;
+
+    /* The check_string test (formerly "from hack") replaces the specific
+    string at the start of a line with an escape string (e.g. "From " becomes
+    ">From " or "." becomes "..". It is a case-sensitive test. The length
+    check above ensures there is always enough room to insert this string. */
+
+    if (nl_check_length > 0)
+      {
+      if (left >= nl_check_length &&
+          Ustrncmp(ptr+1, nl_check, nl_check_length) == 0)
+        {
+        Ustrncpy(chunk_ptr, nl_escape, nl_escape_length);
+        chunk_ptr += nl_escape_length;
+        ptr += nl_check_length;
+        }
+
+      /* Handle the case when there isn't enough left to match the whole
+      check string, but there may be a partial match. We remember how many
+      characters matched, and finish processing this chunk. */
+
+      else if (left <= 0) nl_partial_match = 0;
+
+      else if (Ustrncmp(ptr+1, nl_check, left) == 0)
+        {
+        nl_partial_match = left;
+        ptr = end;
+        }
+      }
+    }
+
+  /* Not a NL character */
+
+  else *chunk_ptr++ = ch;
+  }
+
+return TRUE;
+}
+
+
+
+
+/*************************************************
+*        Generate address for RCPT TO            *
+*************************************************/
+
+/* This function puts together an address for RCPT to, using the caseful
+version of the local part and the caseful version of the domain. If there is no
+prefix or suffix, or if affixes are to be retained, we can just use the
+original address. Otherwise, if there is a prefix but no suffix we can use a
+pointer into the original address. If there is a suffix, however, we have to
+build a new string.
+
+Arguments:
+  addr              the address item
+  include_affixes   TRUE if affixes are to be included
+
+Returns:            a string
+*/
+
+uschar *
+transport_rcpt_address(address_item *addr, BOOL include_affixes)
+{
+uschar *at;
+int plen, slen;
+
+if (include_affixes)
+  {
+  setflag(addr, af_include_affixes);  /* Affects logged => line */
+  return addr->address;
+  }
+
+if (!addr->suffix)
+  {
+  if (!addr->prefix) return addr->address;
+  return addr->address + Ustrlen(addr->prefix);
+  }
+
+at = Ustrrchr(addr->address, '@');
+plen = addr->prefix ? Ustrlen(addr->prefix) : 0;
+slen = Ustrlen(addr->suffix);
+
+return string_sprintf("%.*s@%s", (int)(at - addr->address - plen - slen),
+   addr->address + plen, at + 1);
+}
+
+
+/*************************************************
+*  Output Envelope-To: address & scan duplicates *
+*************************************************/
+
+/* This function is called from internal_transport_write_message() below, when
+generating an Envelope-To: header line. It checks for duplicates of the given
+address and its ancestors. When one is found, this function calls itself
+recursively, to output the envelope address of the duplicate.
+
+We want to avoid duplication in the list, which can arise for example when
+A->B,C and then both B and C alias to D. This can also happen when there are
+unseen drivers in use. So a list of addresses that have been output is kept in
+the plist variable.
+
+It is also possible to have loops in the address ancestry/duplication graph,
+for example if there are two top level addresses A and B and we have A->B,C and
+B->A. To break the loop, we use a list of processed addresses in the dlist
+variable.
+
+After handling duplication, this function outputs the progenitor of the given
+address.
+
+Arguments:
+  p         the address we are interested in
+  pplist    address of anchor of the list of addresses not to output
+  pdlist    address of anchor of the list of processed addresses
+  first     TRUE if this is the first address; set it FALSE afterwards
+  tctx      transport context - processing to be done during output
+	      and the file descriptor to write to
+
+Returns:    FALSE if writing failed
+*/
+
+static BOOL
+write_env_to(address_item *p, struct aci **pplist, struct aci **pdlist,
+  BOOL *first, transport_ctx * tctx)
+{
+address_item *pp;
+struct aci *ppp;
+
+/* Do nothing if we have already handled this address. If not, remember it
+so that we don't handle it again. */
+
+for (ppp = *pdlist; ppp; ppp = ppp->next) if (p == ppp->ptr) return TRUE;
+
+ppp = store_get(sizeof(struct aci), GET_UNTAINTED);
+ppp->next = *pdlist;
+*pdlist = ppp;
+ppp->ptr = p;
+
+/* Now scan up the ancestry, checking for duplicates at each generation. */
+
+for (pp = p;; pp = pp->parent)
+  {
+  address_item *dup;
+  for (dup = addr_duplicate; dup; dup = dup->next)
+    if (dup->dupof == pp)   /* a dup of our address */
+      if (!write_env_to(dup, pplist, pdlist, first, tctx))
+	return FALSE;
+  if (!pp->parent) break;
+  }
+
+/* Check to see if we have already output the progenitor. */
+
+for (ppp = *pplist; ppp; ppp = ppp->next) if (pp == ppp->ptr) break;
+if (ppp) return TRUE;
+
+/* Remember what we have output, and output it. */
+
+ppp = store_get(sizeof(struct aci), GET_UNTAINTED);
+ppp->next = *pplist;
+*pplist = ppp;
+ppp->ptr = pp;
+
+if (!*first && !write_chunk(tctx, US",\n ", 3)) return FALSE;
+*first = FALSE;
+return write_chunk(tctx, pp->address, Ustrlen(pp->address));
+}
+
+
+
+
+/* Add/remove/rewrite headers, and send them plus the empty-line separator.
+
+Globals:
+  header_list
+
+Arguments:
+  addr                  (chain of) addresses (for extra headers), or NULL;
+                          only the first address is used
+  tctx                  transport context
+  sendfn		function for output (transport or verify)
+
+Returns:                TRUE on success; FALSE on failure.
+*/
+BOOL
+transport_headers_send(transport_ctx * tctx,
+  BOOL (*sendfn)(transport_ctx * tctx, uschar * s, int len))
+{
+const uschar *list;
+transport_instance * tblock = tctx ? tctx->tblock : NULL;
+address_item * addr = tctx ? tctx->addr : NULL;
+
+/* Then the message's headers. Don't write any that are flagged as "old";
+that means they were rewritten, or are a record of envelope rewriting, or
+were removed (e.g. Bcc). If remove_headers is not null, skip any headers that
+match any entries therein.  It is a colon-sep list; expand the items
+separately and squash any empty ones.
+Then check addr->prop.remove_headers too, provided that addr is not NULL. */
+
+for (header_line * h = header_list; h; h = h->next) if (h->type != htype_old)
+  {
+  BOOL include_header = TRUE;
+
+  list = tblock ? tblock->remove_headers : NULL;
+  for (int i = 0; i < 2; i++)    /* For remove_headers && addr->prop.remove_headers */
+    {
+    if (list)
+      {
+      int sep = ':';         /* This is specified as a colon-separated list */
+      uschar *s, *ss;
+      while ((s = string_nextinlist(&list, &sep, NULL, 0)))
+	{
+	int len;
+
+	if (i == 0)
+	  if (!(s = expand_string(s)) && !f.expand_string_forcedfail)
+	    {
+	    errno = ERRNO_CHHEADER_FAIL;
+	    return FALSE;
+	    }
+	len = s ? Ustrlen(s) : 0;
+	if (len && s[len-1] == '*')	/* trailing glob */
+	  {
+	  if (strncmpic(h->text, s, len-1) == 0) break;
+	  }
+	else
+	  {
+	  if (strncmpic(h->text, s, len) != 0) continue;
+	  ss = h->text + len;
+	  while (*ss == ' ' || *ss == '\t') ss++;
+	  if (*ss == ':') break;
+	  }
+	}
+      if (s) { include_header = FALSE; break; }
+      }
+    if (addr) list = addr->prop.remove_headers;
+    }
+
+  /* If this header is to be output, try to rewrite it if there are rewriting
+  rules. */
+
+  if (include_header)
+    {
+    if (tblock && tblock->rewrite_rules)
+      {
+      rmark reset_point = store_mark();
+      header_line *hh;
+
+      if ((hh = rewrite_header(h, NULL, NULL, tblock->rewrite_rules,
+		  tblock->rewrite_existflags, FALSE)))
+	{
+	if (!sendfn(tctx, hh->text, hh->slen)) return FALSE;
+	store_reset(reset_point);
+	continue;     /* With the next header line */
+	}
+      }
+
+    /* Either no rewriting rules, or it didn't get rewritten */
+
+    if (!sendfn(tctx, h->text, h->slen)) return FALSE;
+    }
+
+  /* Header removed */
+
+  else
+    DEBUG(D_transport) debug_printf("removed header line:\n %s---\n", h->text);
+  }
+
+/* Add on any address-specific headers. If there are multiple addresses,
+they will all have the same headers in order to be batched. The headers
+are chained in reverse order of adding (so several addresses from the
+same alias might share some of them) but we want to output them in the
+opposite order. This is a bit tedious, but there shouldn't be very many
+of them. We just walk the list twice, reversing the pointers each time,
+but on the second time, write out the items.
+
+Headers added to an address by a router are guaranteed to end with a newline.
+*/
+
+if (addr)
+  {
+  header_line * hprev = addr->prop.extra_headers, * hnext, * h;
+
+  for (int i = 0; i < 2; i++)
+    for (h = hprev, hprev = NULL; h; h = hnext)
+      {
+      hnext = h->next;
+      h->next = hprev;
+      hprev = h;
+      if (i == 1)
+	{
+	if (!sendfn(tctx, h->text, h->slen)) return FALSE;
+	DEBUG(D_transport)
+	  debug_printf("added header line(s):\n %s---\n", h->text);
+	}
+      }
+  }
+
+/* If a string containing additional headers exists it is a newline-sep
+list.  Expand each item and write out the result.  This is done last so that
+if it (deliberately or accidentally) isn't in header format, it won't mess
+up any other headers. An empty string or a forced expansion failure are
+noops. An added header string from a transport may not end with a newline;
+add one if it does not. */
+
+if (tblock && (list = CUS tblock->add_headers))
+  {
+  int sep = '\n';
+  uschar * s;
+
+  while ((s = string_nextinlist(&list, &sep, NULL, 0)))
+    if ((s = expand_string(s)))
+      {
+      int len = Ustrlen(s);
+      if (len > 0)
+	{
+	if (!sendfn(tctx, s, len)) return FALSE;
+	if (s[len-1] != '\n' && !sendfn(tctx, US"\n", 1))
+	  return FALSE;
+	DEBUG(D_transport)
+	  {
+	  debug_printf("added header line:\n %s", s);
+	  if (s[len-1] != '\n') debug_printf("\n");
+	  debug_printf("---\n");
+	  }
+	}
+      }
+    else if (!f.expand_string_forcedfail)
+      { errno = ERRNO_CHHEADER_FAIL; return FALSE; }
+  }
+
+/* Separate headers from body with a blank line */
+
+return sendfn(tctx, US"\n", 1);
+}
+
+
+/*************************************************
+*                Write the message               *
+*************************************************/
+
+/* This function writes the message to the given file descriptor. The headers
+are in the in-store data structure, and the rest of the message is in the open
+file descriptor deliver_datafile. Make sure we start it at the beginning.
+
+. If add_return_path is TRUE, a "return-path:" header is added to the message,
+  containing the envelope sender's address.
+
+. If add_envelope_to is TRUE, a "envelope-to:" header is added to the message,
+  giving the top-level envelope address that caused this delivery to happen.
+
+. If add_delivery_date is TRUE, a "delivery-date:" header is added to the
+  message. It gives the time and date that delivery took place.
+
+. If check_string is not null, the start of each line is checked for that
+  string. If it is found, it is replaced by escape_string. This used to be
+  the "from hack" for files, and "smtp_dots" for escaping SMTP dots.
+
+. If use_crlf is true, newlines are turned into CRLF (SMTP output).
+
+The yield is TRUE if all went well, and FALSE if not. Exit *immediately* after
+any writing or reading error, leaving the code in errno intact. Error exits
+can include timeouts for certain transports, which are requested by setting
+transport_write_timeout non-zero.
+
+Arguments:
+  tctx
+    (fd, msg)		Either an fd, to write the message to,
+			or a string: if null write message to allocated space
+			otherwire take content as headers.
+    addr                (chain of) addresses (for extra headers), or NULL;
+                          only the first address is used
+    tblock          	optional transport instance block (NULL signifies NULL/0):
+      add_headers           a string containing one or more headers to add; it is
+                            expanded, and must be in correct RFC 822 format as
+                            it is transmitted verbatim; NULL => no additions,
+                            and so does empty string or forced expansion fail
+      remove_headers        a colon-separated list of headers to remove, or NULL
+      rewrite_rules         chain of header rewriting rules
+      rewrite_existflags    flags for the rewriting rules
+    options               bit-wise options:
+      add_return_path       if TRUE, add a "return-path" header
+      add_envelope_to       if TRUE, add a "envelope-to" header
+      add_delivery_date     if TRUE, add a "delivery-date" header
+      use_crlf              if TRUE, turn NL into CR LF
+      end_dot               if TRUE, send a terminating "." line at the end
+      no_flush		    if TRUE, do not flush at end
+      no_headers            if TRUE, omit the headers
+      no_body               if TRUE, omit the body
+    check_string          a string to check for at the start of lines, or NULL
+    escape_string         a string to insert in front of any check string
+  size_limit              if > 0, this is a limit to the size of message written;
+                            it is used when returning messages to their senders,
+                            and is approximate rather than exact, owing to chunk
+                            buffering
+
+Returns:                TRUE on success; FALSE (with errno) on failure.
+                        In addition, the global variable transport_count
+                        is incremented by the number of bytes written.
+*/
+
+static BOOL
+internal_transport_write_message(transport_ctx * tctx, int size_limit)
+{
+int len, size = 0;
+
+/* Initialize pointer in output buffer. */
+
+transport_write_reset(tctx->options);
+
+/* Set up the data for start-of-line data checking and escaping */
+
+if (tctx->check_string && tctx->escape_string)
+  {
+  nl_check = tctx->check_string;
+  nl_check_length = Ustrlen(nl_check);
+  nl_escape = tctx->escape_string;
+  nl_escape_length = Ustrlen(nl_escape);
+  }
+
+/* Whether the escaping mechanism is applied to headers or not is controlled by
+an option (set for SMTP, not otherwise). Negate the length if not wanted till
+after the headers. */
+
+if (!(tctx->options & topt_escape_headers))
+  nl_check_length = -nl_check_length;
+
+/* Write the headers if required, including any that have to be added. If there
+are header rewriting rules, apply them.  The datasource is not the -D spoolfile
+so temporarily hide the global that adjusts for its format. */
+
+if (!(tctx->options & topt_no_headers))
+  {
+  BOOL save_wireformat = f.spool_file_wireformat;
+  f.spool_file_wireformat = FALSE;
+
+  /* Add return-path: if requested. */
+
+  if (tctx->options & topt_add_return_path)
+    {
+    int n;
+    uschar * s = string_sprintf("Return-path: <%.*s>\n%n",
+                          EXIM_EMAILADDR_MAX, return_path, &n);
+    if (!write_chunk(tctx, s, n)) goto bad;
+    }
+
+  /* Add envelope-to: if requested */
+
+  if (tctx->options & topt_add_envelope_to)
+    {
+    BOOL first = TRUE;
+    struct aci *plist = NULL;
+    struct aci *dlist = NULL;
+    rmark reset_point = store_mark();
+
+    if (!write_chunk(tctx, US"Envelope-to: ", 13)) goto bad;
+
+    /* Pick up from all the addresses. The plist and dlist variables are
+    anchors for lists of addresses already handled; they have to be defined at
+    this level because write_env_to() calls itself recursively. */
+
+    for (address_item * p = tctx->addr; p; p = p->next)
+      if (!write_env_to(p, &plist, &dlist, &first, tctx))
+	goto bad;
+
+    /* Add a final newline and reset the store used for tracking duplicates */
+
+    if (!write_chunk(tctx, US"\n", 1)) goto bad;
+    store_reset(reset_point);
+    }
+
+  /* Add delivery-date: if requested. */
+
+  if (tctx->options & topt_add_delivery_date)
+    {
+    uschar * s = tod_stamp(tod_full);
+
+    if (  !write_chunk(tctx, US"Delivery-date: ", 15)
+       || !write_chunk(tctx, s, Ustrlen(s))
+       || !write_chunk(tctx, US"\n", 1)) goto bad;
+    }
+
+  /* Then the message's headers. Don't write any that are flagged as "old";
+  that means they were rewritten, or are a record of envelope rewriting, or
+  were removed (e.g. Bcc). If remove_headers is not null, skip any headers that
+  match any entries therein. Then check addr->prop.remove_headers too, provided that
+  addr is not NULL. */
+
+  if (!transport_headers_send(tctx, &write_chunk))
+    {
+bad:
+    f.spool_file_wireformat = save_wireformat;
+    return FALSE;
+    }
+
+  f.spool_file_wireformat = save_wireformat;
+  }
+
+/* When doing RFC3030 CHUNKING output, work out how much data would be in a
+last-BDAT, consisting of the current write_chunk() output buffer fill
+(optimally, all of the headers - but it does not matter if we already had to
+flush that buffer with non-last BDAT prependix) plus the amount of body data
+(as expanded for CRLF lines).  Then create and write BDAT(s), and ensure
+that further use of write_chunk() will not prepend BDATs.
+The first BDAT written will also first flush any outstanding MAIL and RCPT
+commands which were buffered thans to PIPELINING.
+Commands go out (using a send()) from a different buffer to data (using a
+write()).  They might not end up in the same TCP segment, which is
+suboptimal. */
+
+if (tctx->options & topt_use_bdat)
+  {
+  off_t fsize;
+  int hsize;
+
+  if ((hsize = chunk_ptr - deliver_out_buffer) < 0)
+    hsize = 0;
+  if (!(tctx->options & topt_no_body))
+    {
+    if ((fsize = lseek(deliver_datafile, 0, SEEK_END)) < 0) return FALSE;
+    fsize -= SPOOL_DATA_START_OFFSET;
+    if (size_limit > 0  &&  fsize > size_limit)
+      fsize = size_limit;
+    size = hsize + fsize;
+    if (tctx->options & topt_use_crlf  &&  !f.spool_file_wireformat)
+      size += body_linecount;	/* account for CRLF-expansion */
+
+    /* With topt_use_bdat we never do dot-stuffing; no need to
+    account for any expansion due to that. */
+    }
+
+  /* If the message is large, emit first a non-LAST chunk with just the
+  headers, and reap the command responses.  This lets us error out early
+  on RCPT rejects rather than sending megabytes of data.  Include headers
+  on the assumption they are cheap enough and some clever implementations
+  might errorcheck them too, on-the-fly, and reject that chunk. */
+
+  if (size > DELIVER_OUT_BUFFER_SIZE && hsize > 0)
+    {
+    DEBUG(D_transport)
+      debug_printf("sending small initial BDAT; hsize=%d\n", hsize);
+    if (  tctx->chunk_cb(tctx, hsize, 0) != OK
+       || !transport_write_block(tctx, deliver_out_buffer, hsize, FALSE)
+       || tctx->chunk_cb(tctx, 0, tc_reap_prev) != OK
+       )
+      return FALSE;
+    chunk_ptr = deliver_out_buffer;
+    size -= hsize;
+    }
+
+  /* Emit a LAST datachunk command, and unmark the context for further
+  BDAT commands. */
+
+  if (tctx->chunk_cb(tctx, size, tc_chunk_last) != OK)
+    return FALSE;
+  tctx->options &= ~topt_use_bdat;
+  }
+
+/* If the body is required, ensure that the data for check strings (formerly
+the "from hack") is enabled by negating the length if necessary. (It will be
+negative in cases where it isn't to apply to the headers). Then ensure the body
+is positioned at the start of its file (following the message id), then write
+it, applying the size limit if required. */
+
+/* If we have a wireformat -D file (CRNL lines, non-dotstuffed, no ending dot)
+and we want to send a body without dotstuffing or ending-dot, in-clear,
+then we can just dump it using sendfile.
+This should get used for CHUNKING output and also for writing the -K file for
+dkim signing,  when we had CHUNKING input.  */
+
+#ifdef OS_SENDFILE
+if (  f.spool_file_wireformat
+   && !(tctx->options & (topt_no_body | topt_end_dot))
+   && !nl_check_length
+   && tls_out.active.sock != tctx->u.fd
+   )
+  {
+  ssize_t copied = 0;
+  off_t offset = SPOOL_DATA_START_OFFSET;
+
+  /* Write out any header data in the buffer */
+
+  if ((len = chunk_ptr - deliver_out_buffer) > 0)
+    {
+    if (!transport_write_block(tctx, deliver_out_buffer, len, TRUE))
+      return FALSE;
+    size -= len;
+    }
+
+  DEBUG(D_transport) debug_printf("using sendfile for body\n");
+
+  while(size > 0)
+    {
+    if ((copied = os_sendfile(tctx->u.fd, deliver_datafile, &offset, size)) <= 0) break;
+    size -= copied;
+    }
+  return copied >= 0;
+  }
+#else
+DEBUG(D_transport) debug_printf("cannot use sendfile for body: no support\n");
+#endif
+
+DEBUG(D_transport)
+  if (!(tctx->options & topt_no_body))
+    debug_printf("cannot use sendfile for body: %s\n",
+      !f.spool_file_wireformat ? "spoolfile not wireformat"
+      : tctx->options & topt_end_dot ? "terminating dot wanted"
+      : nl_check_length ? "dot- or From-stuffing wanted"
+      : "TLS output wanted");
+
+if (!(tctx->options & topt_no_body))
+  {
+  unsigned long size = size_limit > 0 ? size_limit : ULONG_MAX;
+
+  nl_check_length = abs(nl_check_length);
+  nl_partial_match = 0;
+  if (lseek(deliver_datafile, SPOOL_DATA_START_OFFSET, SEEK_SET) < 0)
+    return FALSE;
+  while (  (len = MIN(DELIVER_IN_BUFFER_SIZE, size)) > 0
+	&& (len = read(deliver_datafile, deliver_in_buffer, len)) > 0)
+    {
+    if (!write_chunk(tctx, deliver_in_buffer, len))
+      return FALSE;
+    size -= len;
+    }
+
+  /* A read error on the body will have left len == -1 and errno set. */
+
+  if (len != 0) return FALSE;
+  }
+
+/* Finished with the check string, and spool-format consideration */
+
+nl_check_length = nl_escape_length = 0;
+f.spool_file_wireformat = FALSE;
+
+/* If requested, add a terminating "." line (SMTP output). */
+
+if (tctx->options & topt_end_dot)
+  {
+  smtp_debug_cmd(US".", 0);
+  if (!write_chunk(tctx, US".\n", 2))
+    return FALSE;
+  }
+
+/* Write out any remaining data in the buffer before returning. */
+
+return (len = chunk_ptr - deliver_out_buffer) <= 0
+  || transport_write_block(tctx, deliver_out_buffer, len,
+			    !!(tctx->options & topt_no_flush));
+}
+
+
+
+
+/*************************************************
+*    External interface to write the message     *
+*************************************************/
+
+/* If there is no filtering required, call the internal function above to do
+the real work, passing over all the arguments from this function. Otherwise,
+set up a filtering process, fork another process to call the internal function
+to write to the filter, and in this process just suck from the filter and write
+down the fd in the transport context. At the end, tidy up the pipes and the
+processes.
+
+Arguments:     as for internal_transport_write_message() above
+
+Returns:       TRUE on success; FALSE (with errno) for any failure
+               transport_count is incremented by the number of bytes written
+*/
+
+BOOL
+transport_write_message(transport_ctx * tctx, int size_limit)
+{
+BOOL last_filter_was_NL = TRUE;
+BOOL save_spool_file_wireformat = f.spool_file_wireformat;
+BOOL yield;
+int rc, len, fd_read, fd_write, save_errno;
+int pfd[2] = {-1, -1};
+pid_t filter_pid, write_pid;
+
+f.transport_filter_timed_out = FALSE;
+
+/* If there is no filter command set up, call the internal function that does
+the actual work, passing it the incoming fd, and return its result. */
+
+if (  !transport_filter_argv
+   || !*transport_filter_argv
+   || !**transport_filter_argv
+   )
+  return internal_transport_write_message(tctx, size_limit);
+
+/* Otherwise the message must be written to a filter process and read back
+before being written to the incoming fd. First set up the special processing to
+be done during the copying. */
+
+nl_partial_match = -1;
+
+if (tctx->check_string && tctx->escape_string)
+  {
+  nl_check = tctx->check_string;
+  nl_check_length = Ustrlen(nl_check);
+  nl_escape = tctx->escape_string;
+  nl_escape_length = Ustrlen(nl_escape);
+  }
+else nl_check_length = nl_escape_length = 0;
+
+/* Start up a subprocess to run the command. Ensure that our main fd will
+be closed when the subprocess execs, but remove the flag afterwards.
+(Otherwise, if this is a TCP/IP socket, it can't get passed on to another
+process to deliver another message.) We get back stdin/stdout file descriptors.
+If the process creation failed, give an error return. */
+
+fd_read = -1;
+fd_write = -1;
+save_errno = 0;
+yield = FALSE;
+write_pid = (pid_t)(-1);
+
+  {
+  int bits = fcntl(tctx->u.fd, F_GETFD);
+  (void) fcntl(tctx->u.fd, F_SETFD, bits | FD_CLOEXEC);
+  filter_pid = child_open(USS transport_filter_argv, NULL, 077,
+			  &fd_write, &fd_read, FALSE, US"transport-filter");
+  (void) fcntl(tctx->u.fd, F_SETFD, bits & ~FD_CLOEXEC);
+  }
+if (filter_pid < 0) goto TIDY_UP;      /* errno set */
+
+DEBUG(D_transport)
+  debug_printf("process %d running as transport filter: fd_write=%d fd_read=%d\n",
+    (int)filter_pid, fd_write, fd_read);
+
+/* Fork subprocess to write the message to the filter, and return the result
+via a(nother) pipe. While writing to the filter, we do not do the CRLF,
+smtp dots, or check string processing. */
+
+if (pipe(pfd) != 0) goto TIDY_UP;      /* errno set */
+if ((write_pid = exim_fork(US"tpt-filter-writer")) == 0)
+  {
+  BOOL rc;
+  (void)close(fd_read);
+  (void)close(pfd[pipe_read]);
+  nl_check_length = nl_escape_length = 0;
+
+  tctx->u.fd = fd_write;
+  tctx->check_string = tctx->escape_string = NULL;
+  tctx->options &= ~(topt_use_crlf | topt_end_dot | topt_use_bdat | topt_no_flush);
+
+  rc = internal_transport_write_message(tctx, size_limit);
+
+  save_errno = errno;
+  if (  write(pfd[pipe_write], (void *)&rc, sizeof(BOOL))
+        != sizeof(BOOL)
+     || write(pfd[pipe_write], (void *)&save_errno, sizeof(int))
+        != sizeof(int)
+     || write(pfd[pipe_write], (void *)&tctx->addr->more_errno, sizeof(int))
+        != sizeof(int)
+     || write(pfd[pipe_write], (void *)&tctx->addr->delivery_time, sizeof(struct timeval))
+        != sizeof(struct timeval)
+     )
+    rc = FALSE;	/* compiler quietening */
+  exim_underbar_exit(EXIT_SUCCESS);
+  }
+save_errno = errno;
+
+/* Parent process: close our copy of the writing subprocess' pipes. */
+
+(void)close(pfd[pipe_write]);
+(void)close(fd_write);
+fd_write = -1;
+
+/* Writing process creation failed */
+
+if (write_pid < 0)
+  {
+  errno = save_errno;    /* restore */
+  goto TIDY_UP;
+  }
+
+/* When testing, let the subprocess get going */
+
+testharness_pause_ms(250);
+
+DEBUG(D_transport)
+  debug_printf("process %d writing to transport filter\n", (int)write_pid);
+
+/* Copy the message from the filter to the output fd. A read error leaves len
+== -1 and errno set. We need to apply a timeout to the read, to cope with
+the case when the filter gets stuck, but it can be quite a long one. The
+default is 5m, but this is now configurable. */
+
+DEBUG(D_transport) debug_printf("copying from the filter\n");
+
+/* Copy the output of the filter, remembering if the last character was NL. If
+no data is returned, that counts as "ended with NL" (default setting of the
+variable is TRUE).  The output should always be unix-format as we converted
+any wireformat source on writing input to the filter. */
+
+f.spool_file_wireformat = FALSE;
+chunk_ptr = deliver_out_buffer;
+
+for (;;)
+  {
+  sigalrm_seen = FALSE;
+  ALARM(transport_filter_timeout);
+  len = read(fd_read, deliver_in_buffer, DELIVER_IN_BUFFER_SIZE);
+  ALARM_CLR(0);
+  if (sigalrm_seen)
+    {
+    DEBUG(D_transport) debug_printf("timed out reading from filter\n");
+    errno = ETIMEDOUT;
+    f.transport_filter_timed_out = TRUE;
+    goto TIDY_UP;
+    }
+
+  /* If the read was successful, write the block down the original fd,
+  remembering whether it ends in \n or not. */
+
+  if (len > 0)
+    {
+    if (!write_chunk(tctx, deliver_in_buffer, len)) goto TIDY_UP;
+    last_filter_was_NL = (deliver_in_buffer[len-1] == '\n');
+    }
+
+  /* Otherwise, break the loop. If we have hit EOF, set yield = TRUE. */
+
+  else
+    {
+    if (len == 0) yield = TRUE;
+    break;
+    }
+  }
+
+/* Tidying up code. If yield = FALSE there has been an error and errno is set
+to something. Ensure the pipes are all closed and the processes are removed. If
+there has been an error, kill the processes before waiting for them, just to be
+sure. Also apply a paranoia timeout. */
+
+TIDY_UP:
+f.spool_file_wireformat = save_spool_file_wireformat;
+save_errno = errno;
+
+(void)close(fd_read);
+if (fd_write > 0) (void)close(fd_write);
+
+if (!yield)
+  {
+  if (filter_pid > 0) kill(filter_pid, SIGKILL);
+  if (write_pid > 0)  kill(write_pid, SIGKILL);
+  }
+
+/* Wait for the filter process to complete. */
+
+DEBUG(D_transport) debug_printf("waiting for filter process\n");
+if (filter_pid > 0 && (rc = child_close(filter_pid, 30)) != 0 && yield)
+  {
+  yield = FALSE;
+  save_errno = ERRNO_FILTER_FAIL;
+  tctx->addr->more_errno = rc;
+  DEBUG(D_transport) debug_printf("filter process returned %d\n", rc);
+  }
+
+/* Wait for the writing process to complete. If it ends successfully,
+read the results from its pipe, provided we haven't already had a filter
+process failure. */
+
+DEBUG(D_transport) debug_printf("waiting for writing process\n");
+if (write_pid > 0)
+  {
+  rc = child_close(write_pid, 30);
+  if (yield)
+    if (rc == 0)
+      {
+      BOOL ok;
+      if (read(pfd[pipe_read], (void *)&ok, sizeof(BOOL)) != sizeof(BOOL))
+	{
+	DEBUG(D_transport)
+	  debug_printf("pipe read from writing process: %s\n", strerror(errno));
+	save_errno = ERRNO_FILTER_FAIL;
+        yield = FALSE;
+	}
+      else if (!ok)
+        {		/* Try to drain the pipe; read fails are don't care */
+	int dummy = read(pfd[pipe_read], (void *)&save_errno, sizeof(int));
+        dummy = read(pfd[pipe_read], (void *)&tctx->addr->more_errno, sizeof(int));
+        dummy = read(pfd[pipe_read], (void *)&tctx->addr->delivery_time, sizeof(struct timeval));
+        yield = FALSE;
+        }
+      }
+    else
+      {
+      yield = FALSE;
+      save_errno = ERRNO_FILTER_FAIL;
+      tctx->addr->more_errno = rc;
+      DEBUG(D_transport) debug_printf("writing process returned %d\n", rc);
+      }
+  }
+(void)close(pfd[pipe_read]);
+
+/* If there have been no problems we can now add the terminating "." if this is
+SMTP output, turning off escaping beforehand. If the last character from the
+filter was not NL, insert a NL to make the SMTP protocol work. */
+
+if (yield)
+  {
+  nl_check_length = nl_escape_length = 0;
+  f.spool_file_wireformat = FALSE;
+  if (  tctx->options & topt_end_dot
+     && ( last_filter_was_NL
+        ? !write_chunk(tctx, US".\n", 2)
+	: !write_chunk(tctx, US"\n.\n", 3)
+     )  )
+    { smtp_debug_cmd(US".", 0); yield = FALSE; }
+
+  /* Write out any remaining data in the buffer. */
+
+  else
+    yield = (len = chunk_ptr - deliver_out_buffer) <= 0
+	  || transport_write_block(tctx, deliver_out_buffer, len, FALSE);
+  }
+else
+  errno = save_errno;      /* From some earlier error */
+
+DEBUG(D_transport)
+  {
+  debug_printf("end of filtering transport writing: yield=%d\n", yield);
+  if (!yield)
+    debug_printf(" errno=%d more_errno=%d\n", errno, tctx->addr->more_errno);
+  }
+
+return yield;
+}
+
+
+
+
+
+/*************************************************
+*            Update waiting database             *
+*************************************************/
+
+/* This is called when an address is deferred by remote transports that are
+capable of sending more than one message over one connection. A database is
+maintained for each transport, keeping track of which messages are waiting for
+which hosts. The transport can then consult this when eventually a successful
+delivery happens, and if it finds that another message is waiting for the same
+host, it can fire up a new process to deal with it using the same connection.
+
+The database records are keyed by host name. They can get full if there are
+lots of messages waiting, and so there is a continuation mechanism for them.
+
+Each record contains a list of message ids, packed end to end without any
+zeros. Each one is MESSAGE_ID_LENGTH bytes long. The count field says how many
+in this record, and the sequence field says if there are any other records for
+this host. If the sequence field is 0, there are none. If it is 1, then another
+record with the name <hostname>:0 exists; if it is 2, then two other records
+with sequence numbers 0 and 1 exist, and so on.
+
+Currently, an exhaustive search of all continuation records has to be done to
+determine whether to add a message id to a given record. This shouldn't be
+too bad except in extreme cases. I can't figure out a *simple* way of doing
+better.
+
+Old records should eventually get swept up by the exim_tidydb utility.
+
+Arguments:
+  hostlist  list of hosts that this message could be sent to
+  tpname    name of the transport
+
+Returns:    nothing
+*/
+
+void
+transport_update_waiting(host_item *hostlist, uschar *tpname)
+{
+const uschar *prevname = US"";
+open_db dbblock;
+open_db *dbm_file;
+
+DEBUG(D_transport) debug_printf("updating wait-%s database\n", tpname);
+
+/* Open the database for this transport */
+
+if (!(dbm_file = dbfn_open(string_sprintf("wait-%.200s", tpname),
+		      O_RDWR, &dbblock, TRUE, TRUE)))
+  return;
+
+/* Scan the list of hosts for which this message is waiting, and ensure
+that the message id is in each host record. */
+
+for (host_item * host = hostlist; host; host = host->next)
+  {
+  BOOL already = FALSE;
+  dbdata_wait *host_record;
+  int host_length;
+  uschar buffer[256];
+
+  /* Skip if this is the same host as we just processed; otherwise remember
+  the name for next time. */
+
+  if (Ustrcmp(prevname, host->name) == 0) continue;
+  prevname = host->name;
+
+  /* Look up the host record; if there isn't one, make an empty one. */
+
+  if (!(host_record = dbfn_read(dbm_file, host->name)))
+    {
+    host_record = store_get(sizeof(dbdata_wait) + MESSAGE_ID_LENGTH, GET_UNTAINTED);
+    host_record->count = host_record->sequence = 0;
+    }
+
+  /* Compute the current length */
+
+  host_length = host_record->count * MESSAGE_ID_LENGTH;
+
+  /* Search the record to see if the current message is already in it. */
+
+  for (uschar * s = host_record->text; s < host_record->text + host_length;
+       s += MESSAGE_ID_LENGTH)
+    if (Ustrncmp(s, message_id, MESSAGE_ID_LENGTH) == 0)
+      { already = TRUE; break; }
+
+  /* If we haven't found this message in the main record, search any
+  continuation records that exist. */
+
+  for (int i = host_record->sequence - 1; i >= 0 && !already; i--)
+    {
+    dbdata_wait *cont;
+    sprintf(CS buffer, "%.200s:%d", host->name, i);
+    if ((cont = dbfn_read(dbm_file, buffer)))
+      {
+      int clen = cont->count * MESSAGE_ID_LENGTH;
+      for (uschar * s = cont->text; s < cont->text + clen; s += MESSAGE_ID_LENGTH)
+        if (Ustrncmp(s, message_id, MESSAGE_ID_LENGTH) == 0)
+          { already = TRUE; break; }
+      }
+    }
+
+  /* If this message is already in a record, no need to update. */
+
+  if (already)
+    {
+    DEBUG(D_transport) debug_printf("already listed for %s\n", host->name);
+    continue;
+    }
+
+
+  /* If this record is full, write it out with a new name constructed
+  from the sequence number, increase the sequence number, and empty
+  the record.  If we're doing a two-phase queue run initial phase, ping the
+  daemon to consider running a delivery on this host. */
+
+  if (host_record->count >= WAIT_NAME_MAX)
+    {
+    sprintf(CS buffer, "%.200s:%d", host->name, host_record->sequence);
+    dbfn_write(dbm_file, buffer, host_record, sizeof(dbdata_wait) + host_length);
+#ifndef DISABLE_QUEUE_RAMP
+    if (f.queue_2stage && queue_fast_ramp && !queue_run_in_order)
+      queue_notify_daemon(message_id);
+#endif
+    host_record->sequence++;
+    host_record->count = 0;
+    host_length = 0;
+    }
+
+  /* If this record is not full, increase the size of the record to
+  allow for one new message id. */
+
+  else
+    {
+    dbdata_wait *newr =
+      store_get(sizeof(dbdata_wait) + host_length + MESSAGE_ID_LENGTH, GET_UNTAINTED);
+    memcpy(newr, host_record, sizeof(dbdata_wait) + host_length);
+    host_record = newr;
+    }
+
+  /* Now add the new name on the end */
+
+  memcpy(host_record->text + host_length, message_id, MESSAGE_ID_LENGTH);
+  host_record->count++;
+  host_length += MESSAGE_ID_LENGTH;
+
+  /* Update the database */
+
+  dbfn_write(dbm_file, host->name, host_record, sizeof(dbdata_wait) + host_length);
+  DEBUG(D_transport) debug_printf("added %.*s to queue for %s\n",
+				  MESSAGE_ID_LENGTH, message_id, host->name);
+  }
+
+/* All now done */
+
+dbfn_close(dbm_file);
+}
+
+
+
+
+/*************************************************
+*         Test for waiting messages              *
+*************************************************/
+
+/* This function is called by a remote transport which uses the previous
+function to remember which messages are waiting for which remote hosts. It's
+called after a successful delivery and its job is to check whether there is
+another message waiting for the same host. However, it doesn't do this if the
+current continue sequence is greater than the maximum supplied as an argument,
+or greater than the global connection_max_messages, which, if set, overrides.
+
+Arguments:
+  transport_name     name of the transport
+  hostname           name of the host
+  local_message_max  maximum number of messages down one connection
+                       as set by the caller transport
+  new_message_id     set to the message id of a waiting message
+  oicf_func          function to call to validate if it is ok to send
+                     to this message_id from the current instance.
+  oicf_data          opaque data for oicf_func
+
+Returns:             TRUE if new_message_id set; FALSE otherwise
+*/
+
+typedef struct msgq_s
+{
+    uschar  message_id [MESSAGE_ID_LENGTH + 1];
+    BOOL    bKeep;
+} msgq_t;
+
+BOOL
+transport_check_waiting(const uschar *transport_name, const uschar *hostname,
+  int local_message_max, uschar *new_message_id, oicf oicf_func, void *oicf_data)
+{
+dbdata_wait *host_record;
+int host_length;
+open_db dbblock;
+open_db *dbm_file;
+
+int         i;
+struct stat statbuf;
+
+DEBUG(D_transport)
+  {
+  debug_printf("transport_check_waiting entered\n");
+  debug_printf("  sequence=%d local_max=%d global_max=%d\n",
+    continue_sequence, local_message_max, connection_max_messages);
+  acl_level++;
+  }
+
+/* Do nothing if we have hit the maximum number that can be send down one
+connection. */
+
+if (connection_max_messages >= 0) local_message_max = connection_max_messages;
+if (local_message_max > 0 && continue_sequence >= local_message_max)
+  {
+  DEBUG(D_transport)
+    debug_printf_indent("max messages for one connection reached: returning\n");
+  goto retfalse;
+  }
+
+/* Open the waiting information database. */
+
+if (!(dbm_file = dbfn_open(string_sprintf("wait-%.200s", transport_name),
+			  O_RDWR, &dbblock, TRUE, TRUE)))
+  goto retfalse;
+
+/* See if there is a record for this host; if not, there's nothing to do. */
+
+if (!(host_record = dbfn_read(dbm_file, hostname)))
+  {
+  dbfn_close(dbm_file);
+  DEBUG(D_transport) debug_printf_indent("no messages waiting for %s\n", hostname);
+  goto retfalse;
+  }
+
+/* If the data in the record looks corrupt, just log something and
+don't try to use it. */
+
+if (host_record->count > WAIT_NAME_MAX)
+  {
+  dbfn_close(dbm_file);
+  log_write(0, LOG_MAIN|LOG_PANIC, "smtp-wait database entry for %s has bad "
+    "count=%d (max=%d)", hostname, host_record->count, WAIT_NAME_MAX);
+  goto retfalse;
+  }
+
+/* Scan the message ids in the record from the end towards the beginning,
+until one is found for which a spool file actually exists. If the record gets
+emptied, delete it and continue with any continuation records that may exist.
+*/
+
+/* For Bug 1141, I refactored this major portion of the routine, it is risky
+but the 1 off will remain without it.  This code now allows me to SKIP over
+a message I do not want to send out on this run.  */
+
+host_length = host_record->count * MESSAGE_ID_LENGTH;
+
+while (1)
+  {
+  msgq_t      *msgq;
+  int         msgq_count = 0;
+  int         msgq_actual = 0;
+  BOOL        bFound = FALSE;
+  BOOL        bContinuation = FALSE;
+
+  /* create an array to read entire message queue into memory for processing  */
+
+  msgq = store_get(sizeof(msgq_t) * host_record->count, GET_UNTAINTED);
+  msgq_count = host_record->count;
+  msgq_actual = msgq_count;
+
+  for (i = 0; i < host_record->count; ++i)
+    {
+    msgq[i].bKeep = TRUE;
+
+    Ustrncpy_nt(msgq[i].message_id, host_record->text + (i * MESSAGE_ID_LENGTH),
+      MESSAGE_ID_LENGTH);
+    msgq[i].message_id[MESSAGE_ID_LENGTH] = 0;
+    }
+
+  /* first thing remove current message id if it exists */
+  /*XXX but what if it has un-sent addrs? */
+
+  for (i = 0; i < msgq_count; ++i)
+    if (Ustrcmp(msgq[i].message_id, message_id) == 0)
+      {
+      msgq[i].bKeep = FALSE;
+      break;
+      }
+
+  /* now find the next acceptable message_id */
+
+  for (i = msgq_count - 1; i >= 0; --i) if (msgq[i].bKeep)
+    {
+    uschar subdir[2];
+    uschar * mid = msgq[i].message_id;
+
+    set_subdir_str(subdir, mid, 0);
+    if (Ustat(spool_fname(US"input", subdir, mid, US"-D"), &statbuf) != 0)
+      msgq[i].bKeep = FALSE;
+    else if (!oicf_func || oicf_func(mid, oicf_data))
+      {
+      Ustrcpy_nt(new_message_id, mid);
+      msgq[i].bKeep = FALSE;
+      bFound = TRUE;
+      break;
+      }
+    }
+
+  /* re-count */
+  for (msgq_actual = 0, i = 0; i < msgq_count; ++i)
+    if (msgq[i].bKeep)
+      msgq_actual++;
+
+  /* reassemble the host record, based on removed message ids, from in
+  memory queue  */
+
+  if (msgq_actual <= 0)
+    {
+    host_length = 0;
+    host_record->count = 0;
+    }
+  else
+    {
+    host_length = msgq_actual * MESSAGE_ID_LENGTH;
+    host_record->count = msgq_actual;
+
+    if (msgq_actual < msgq_count)
+      {
+      int new_count;
+      for (new_count = 0, i = 0; i < msgq_count; ++i)
+	if (msgq[i].bKeep)
+	  Ustrncpy(&host_record->text[new_count++ * MESSAGE_ID_LENGTH],
+	    msgq[i].message_id, MESSAGE_ID_LENGTH);
+
+      host_record->text[new_count * MESSAGE_ID_LENGTH] = 0;
+      }
+    }
+
+  /* Check for a continuation record. */
+
+  while (host_length <= 0)
+    {
+    dbdata_wait * newr = NULL;
+    uschar buffer[256];
+
+    /* Search for a continuation */
+
+    for (int i = host_record->sequence - 1; i >= 0 && !newr; i--)
+      {
+      sprintf(CS buffer, "%.200s:%d", hostname, i);
+      newr = dbfn_read(dbm_file, buffer);
+      }
+
+    /* If no continuation, delete the current and break the loop */
+
+    if (!newr)
+      {
+      dbfn_delete(dbm_file, hostname);
+      break;
+      }
+
+    /* Else replace the current with the continuation */
+
+    dbfn_delete(dbm_file, buffer);
+    host_record = newr;
+    host_length = host_record->count * MESSAGE_ID_LENGTH;
+
+    bContinuation = TRUE;
+    }
+
+  if (bFound)		/* Usual exit from main loop */
+    break;
+
+  /* If host_length <= 0 we have emptied a record and not found a good message,
+  and there are no continuation records. Otherwise there is a continuation
+  record to process. */
+
+  if (host_length <= 0)
+    {
+    dbfn_close(dbm_file);
+    DEBUG(D_transport) debug_printf_indent("waiting messages already delivered\n");
+    goto retfalse;
+    }
+
+  /* we were not able to find an acceptable message, nor was there a
+   * continuation record.  So bug out, outer logic will clean this up.
+   */
+
+  if (!bContinuation)
+    {
+    Ustrcpy(new_message_id, message_id);
+    dbfn_close(dbm_file);
+    goto retfalse;
+    }
+  }		/* we need to process a continuation record */
+
+/* Control gets here when an existing message has been encountered; its
+id is in new_message_id, and host_length is the revised length of the
+host record. If it is zero, the record has been removed. Update the
+record if required, close the database, and return TRUE. */
+
+if (host_length > 0)
+  {
+  host_record->count = host_length/MESSAGE_ID_LENGTH;
+  dbfn_write(dbm_file, hostname, host_record, (int)sizeof(dbdata_wait) + host_length);
+  }
+
+dbfn_close(dbm_file);
+DEBUG(D_transport) {acl_level--; debug_printf("transport_check_waiting: TRUE\n"); }
+return TRUE;
+
+retfalse:
+DEBUG(D_transport) {acl_level--; debug_printf("transport_check_waiting: FALSE\n"); }
+return FALSE;
+}
+
+/*************************************************
+*    Deliver waiting message down same socket    *
+*************************************************/
+
+/* Just the regain-root-privilege exec portion */
+void
+transport_do_pass_socket(const uschar *transport_name, const uschar *hostname,
+  const uschar *hostaddress, uschar *id, int socket_fd)
+{
+int i = 13;
+const uschar **argv;
+
+#ifndef DISABLE_TLS
+if (smtp_peer_options & OPTION_TLS) i += 6;
+#endif
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+if (continue_limit_mail || continue_limit_rcpt || continue_limit_rcptdom)
+				    i += 4;
+#endif
+if (queue_run_pid != (pid_t)0)	    i += 3;
+#ifdef SUPPORT_SOCKS
+if (proxy_session)		    i += 5;
+#endif
+
+/* Set up the calling arguments; use the standard function for the basics,
+but we have a number of extras that may be added. */
+
+argv = CUSS child_exec_exim(CEE_RETURN_ARGV, TRUE, &i, FALSE, 0);
+
+if (f.smtp_authenticated)			argv[i++] = US"-MCA";
+if (smtp_peer_options & OPTION_CHUNKING)	argv[i++] = US"-MCK";
+if (smtp_peer_options & OPTION_DSN)		argv[i++] = US"-MCD";
+if (smtp_peer_options & OPTION_PIPE)		argv[i++] = US"-MCP";
+if (smtp_peer_options & OPTION_SIZE)		argv[i++] = US"-MCS";
+#ifndef DISABLE_TLS
+if (smtp_peer_options & OPTION_TLS)
+  if (tls_out.active.sock >= 0 || continue_proxy_cipher)
+    {
+    argv[i++] = US"-MCt";
+    argv[i++] = sending_ip_address;
+    argv[i++] = string_sprintf("%d", sending_port);
+    argv[i++] = tls_out.active.sock >= 0 ? tls_out.cipher : continue_proxy_cipher;
+
+    if (tls_out.sni)
+      {
+      argv[i++] =
+#ifdef SUPPORT_DANE
+        tls_out.dane_verified ? US"-MCr" :
+#endif
+        US"-MCs";
+      argv[i++] = tls_out.sni;
+      }
+    }
+  else
+    argv[i++] = US"-MCT";
+#endif
+
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+if (continue_limit_rcpt || continue_limit_rcptdom)
+  {
+  argv[i++] = US"-MCL";
+  argv[i++] = string_sprintf("%u", continue_limit_mail);
+  argv[i++] = string_sprintf("%u", continue_limit_rcpt);
+  argv[i++] = string_sprintf("%u", continue_limit_rcptdom);
+  }
+#endif
+
+if (queue_run_pid != (pid_t)0)
+  {
+  argv[i++] = US"-MCQ";
+  argv[i++] = string_sprintf("%d", queue_run_pid);
+  argv[i++] = string_sprintf("%d", queue_run_pipe);
+  }
+
+#ifdef SUPPORT_SOCKS
+if (proxy_session)
+  {
+  argv[i++] = US"-MCp";
+  argv[i++] = proxy_local_address;
+  argv[i++] = string_sprintf("%d", proxy_local_port);
+  argv[i++] = proxy_external_address;
+  argv[i++] = string_sprintf("%d", proxy_external_port);
+  }
+#endif
+
+argv[i++] = US"-MC";
+argv[i++] = US transport_name;
+argv[i++] = US hostname;
+argv[i++] = US hostaddress;
+argv[i++] = string_sprintf("%d", continue_sequence + 1);
+argv[i++] = id;
+argv[i++] = NULL;
+
+/* Arrange for the channel to be on stdin. */
+
+if (socket_fd != 0)
+  {
+  (void)dup2(socket_fd, 0);
+  (void)close(socket_fd);
+  }
+
+DEBUG(D_exec) debug_print_argv(argv);
+exim_nullstd();                          /* Ensure std{out,err} exist */
+/* argv[0] should be untainted, from child_exec_exim() */
+execv(CS argv[0], (char *const *)argv);
+
+DEBUG(D_any) debug_printf("execv failed: %s\n", strerror(errno));
+_exit(errno);         /* Note: must be _exit(), NOT exit() */
+}
+
+
+
+/* Fork a new exim process to deliver the message, and do a re-exec, both to
+get a clean delivery process, and to regain root privilege in cases where it
+has been given away.
+
+Arguments:
+  transport_name  to pass to the new process
+  hostname        ditto
+  hostaddress     ditto
+  id              the new message to process
+  socket_fd       the connected socket
+
+Returns:          FALSE if fork fails; TRUE otherwise
+*/
+
+BOOL
+transport_pass_socket(const uschar *transport_name, const uschar *hostname,
+  const uschar *hostaddress, uschar *id, int socket_fd
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+  , unsigned peer_limit_mail, unsigned peer_limit_rcpt, unsigned peer_limit_rcptdom
+#endif
+  )
+{
+pid_t pid;
+int status;
+
+DEBUG(D_transport) debug_printf("transport_pass_socket entered\n");
+
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+continue_limit_mail = peer_limit_mail;
+continue_limit_rcpt = peer_limit_rcpt;
+continue_limit_rcptdom = peer_limit_rcptdom;
+#endif
+
+if ((pid = exim_fork(US"continued-transport-interproc")) == 0)
+  {
+  /* Disconnect entirely from the parent process. If we are running in the
+  test harness, wait for a bit to allow the previous process time to finish,
+  write the log, etc., so that the output is always in the same order for
+  automatic comparison. */
+
+  if ((pid = exim_fork(US"continued-transport")) != 0)
+    _exit(EXIT_SUCCESS);
+  testharness_pause_ms(1000);
+
+  transport_do_pass_socket(transport_name, hostname, hostaddress,
+    id, socket_fd);
+  }
+
+/* If the process creation succeeded, wait for the first-level child, which
+immediately exits, leaving the second level process entirely disconnected from
+this one. */
+
+if (pid > 0)
+  {
+  int rc;
+  while ((rc = wait(&status)) != pid && (rc >= 0 || errno != ECHILD));
+  return TRUE;
+  }
+else
+  {
+  DEBUG(D_transport) debug_printf("transport_pass_socket failed to fork: %s\n",
+    strerror(errno));
+  return FALSE;
+  }
+}
+
+
+
+/* Enforce all args untainted, for consistency with a router-sourced pipe
+command, where (because the whole line is passed as one to the tpt) a
+tainted arg taints the executable name.  It's unclear also that letting an
+attacker supply command arguments is wise. */
+
+static BOOL
+arg_is_tainted(const uschar * s, int argn, address_item * addr,
+  const uschar * etext, uschar ** errptr)
+{
+if (is_tainted(s))
+  {
+  uschar * msg = string_sprintf("Tainted arg %d for %s command: '%s'",
+				argn, etext, s);
+  if (addr)
+    {
+    addr->transport_return = FAIL;
+    addr->message = msg;
+    }
+  else *errptr = msg;
+  return TRUE;
+  }
+return FALSE;
+}
+
+
+/*************************************************
+*          Set up direct (non-shell) command     *
+*************************************************/
+
+/* This function is called when a command line is to be parsed and executed
+directly, without the use of /bin/sh. It is called by the pipe transport,
+the queryprogram router, and also from the main delivery code when setting up a
+transport filter process. The code for ETRN also makes use of this; in that
+case, no addresses are passed.
+
+Arguments:
+  argvptr            pointer to anchor for argv vector
+  cmd                points to the command string (modified IN PLACE)
+  expand_arguments   true if expansion is to occur
+  expand_failed      error value to set if expansion fails; not relevant if
+                     addr == NULL
+  addr               chain of addresses, or NULL
+  allow_tainted_args as it says; used for ${run}
+  etext              text for use in error messages
+  errptr             where to put error message if addr is NULL;
+                     otherwise it is put in the first address
+
+Returns:             TRUE if all went well; otherwise an error will be
+                     set in the first address and FALSE returned
+*/
+
+BOOL
+transport_set_up_command(const uschar *** argvptr, const uschar * cmd,
+  BOOL expand_arguments, int expand_failed, address_item * addr,
+  BOOL allow_tainted_args, const uschar * etext, uschar ** errptr)
+{
+const uschar ** argv, * s;
+int address_count = 0, argcount = 0, max_args;
+
+/* Get store in which to build an argument list. Count the number of addresses
+supplied, and allow for that many arguments, plus an additional 60, which
+should be enough for anybody. Multiple addresses happen only when the local
+delivery batch option is set. */
+
+for (address_item * ad = addr; ad; ad = ad->next) address_count++;
+max_args = address_count + 60;
+*argvptr = argv = store_get((max_args+1)*sizeof(uschar *), GET_UNTAINTED);
+
+/* Split the command up into arguments terminated by white space. Lose
+trailing space at the start and end. Double-quoted arguments can contain \\ and
+\" escapes and so can be handled by the standard function; single-quoted
+arguments are verbatim. Copy each argument into a new string. */
+
+s = cmd;
+Uskip_whitespace(&s);
+
+for (; *s && argcount < max_args; argcount++)
+  {
+  if (*s == '\'')
+    {
+    int n = Ustrcspn(++s, "'");
+    argv[argcount] = string_copyn(s, n);
+    if (*(s += n) == '\'') s++;
+    }
+  else
+    argv[argcount] = string_dequote(CUSS &s);
+  Uskip_whitespace(&s);
+  }
+
+argv[argcount] = NULL;
+
+/* If *s != 0 we have run out of argument slots. */
+
+if (*s)
+  {
+  uschar *msg = string_sprintf("Too many arguments in command \"%s\" in "
+    "%s", cmd, etext);
+  if (addr)
+    {
+    addr->transport_return = FAIL;
+    addr->message = msg;
+    }
+  else *errptr = msg;
+  return FALSE;
+  }
+
+/* Expand each individual argument if required. Expansion happens for pipes set
+up in filter files and with directly-supplied commands. It does not happen if
+the pipe comes from a traditional .forward file. A failing expansion is a big
+disaster if the command came from Exim's configuration; if it came from a user
+it is just a normal failure. The expand_failed value is used as the error value
+to cater for these two cases.
+
+An argument consisting just of the text "$pipe_addresses" is treated specially.
+It is not passed to the general expansion function. Instead, it is replaced by
+a number of arguments, one for each address. This avoids problems with shell
+metacharacters and spaces in addresses.
+
+If the parent of the top address has an original part of "system-filter", this
+pipe was set up by the system filter, and we can permit the expansion of
+$recipients. */
+
+DEBUG(D_transport)
+  {
+  debug_printf("direct command:\n");
+  for (int i = 0; argv[i]; i++)
+    debug_printf("  argv[%d] = '%s'\n", i, string_printing(argv[i]));
+  }
+
+if (expand_arguments)
+  {
+  BOOL allow_dollar_recipients = addr && addr->parent
+    && Ustrcmp(addr->parent->address, "system-filter") == 0;
+
+  for (int i = 0; argv[i]; i++)
+    {
+    /* Handle special fudge for passing an address list */
+
+    if (addr &&
+        (Ustrcmp(argv[i], "$pipe_addresses") == 0 ||
+         Ustrcmp(argv[i], "${pipe_addresses}") == 0))
+      {
+      int additional;
+
+      if (argcount + address_count - 1 > max_args)
+        {
+        addr->transport_return = FAIL;
+        addr->message = string_sprintf("Too many arguments to command \"%s\" "
+          "in %s", cmd, etext);
+        return FALSE;
+        }
+
+      additional = address_count - 1;
+      if (additional > 0)
+        memmove(argv + i + 1 + additional, argv + i + 1,
+          (argcount - i)*sizeof(uschar *));
+
+      for (address_item * ad = addr; ad; ad = ad->next)
+        {
+	/* $pipe_addresses is spefically not checked for taint, because there is
+	a testcase (321) depending on it.  It's unclear if the exact thing being
+	done really needs to be legitimate, though I suspect it reflects an
+	actual use-case that showed up a bug.
+	This is a hole in the taint-pretection, mitigated only in that
+	shell-syntax metachars cannot be injected via this route. */
+
+	DEBUG(D_transport) if (is_tainted(ad->address))
+	  debug_printf("tainted element '%s' from $pipe_addresses\n", ad->address);
+
+	argv[i++] = ad->address;
+	argcount++;
+	}
+
+      /* Subtract one since we replace $pipe_addresses */
+      argcount--;
+      i--;
+      }
+
+      /* Handle special case of $address_pipe when af_force_command is set */
+
+    else if (addr && testflag(addr,af_force_command) &&
+        (Ustrcmp(argv[i], "$address_pipe") == 0 ||
+         Ustrcmp(argv[i], "${address_pipe}") == 0))
+      {
+      int address_pipe_argcount = 0;
+      int address_pipe_max_args;
+      uschar **address_pipe_argv;
+
+      /* We can never have more then the argv we will be loading into */
+      address_pipe_max_args = max_args - argcount + 1;
+
+      DEBUG(D_transport)
+        debug_printf("address_pipe_max_args=%d\n", address_pipe_max_args);
+
+      /* We allocate an additional for (uschar *)0 */
+      address_pipe_argv = store_get((address_pipe_max_args+1)*sizeof(uschar *), GET_UNTAINTED);
+
+      /* +1 because addr->local_part[0] == '|' since af_force_command is set */
+      s = expand_string(addr->local_part + 1);
+
+      if (!s || !*s)
+        {
+        addr->transport_return = FAIL;
+        addr->message = string_sprintf("Expansion of \"%s\" "
+           "from command \"%s\" in %s failed: %s",
+           (addr->local_part + 1), cmd, etext, expand_string_message);
+        return FALSE;
+        }
+
+      Uskip_whitespace(&s);			/* strip leading space */
+
+      while (*s && address_pipe_argcount < address_pipe_max_args)
+        {
+        if (*s == '\'')
+	  {
+	  int n = Ustrcspn(++s, "'");
+	  argv[argcount] = string_copyn(s, n);
+	  if (*(s += n) == '\'') s++;
+	  }
+        else
+	  address_pipe_argv[address_pipe_argcount++] = string_dequote(CUSS &s);
+	Uskip_whitespace(&s);			/* strip space after arg */
+        }
+
+      address_pipe_argv[address_pipe_argcount] = NULL;
+
+      /* If *s != 0 we have run out of argument slots. */
+      if (*s)
+        {
+        uschar *msg = string_sprintf("Too many arguments in $address_pipe "
+          "\"%s\" in %s", addr->local_part + 1, etext);
+        if (addr)
+          {
+          addr->transport_return = FAIL;
+          addr->message = msg;
+          }
+        else *errptr = msg;
+        return FALSE;
+        }
+
+      /* address_pipe_argcount - 1
+      because we are replacing $address_pipe in the argument list
+      with the first thing it expands to */
+
+      if (argcount + address_pipe_argcount - 1 > max_args)
+        {
+        addr->transport_return = FAIL;
+        addr->message = string_sprintf("Too many arguments to command "
+          "\"%s\" after expanding $address_pipe in %s", cmd, etext);
+        return FALSE;
+        }
+
+      /* If we are not just able to replace the slot that contained
+      $address_pipe (address_pipe_argcount == 1)
+      We have to move the existing argv by address_pipe_argcount - 1
+      Visually if address_pipe_argcount == 2:
+      [argv 0][argv 1][argv 2($address_pipe)][argv 3][0]
+      [argv 0][argv 1][ap_arg0][ap_arg1][old argv 3][0] */
+
+      if (address_pipe_argcount > 1)
+        memmove(
+          /* current position + additional args */
+          argv + i + address_pipe_argcount,
+          /* current position + 1 (for the (uschar *)0 at the end) */
+          argv + i + 1,
+          /* -1 for the (uschar *)0 at the end)*/
+          (argcount - i)*sizeof(uschar *)
+        );
+
+      /* Now we fill in the slots we just moved argv out of
+      [argv 0][argv 1][argv 2=pipeargv[0]][argv 3=pipeargv[1]][old argv 3][0] */
+
+      for (int address_pipe_i = 0;
+           address_pipe_argv[address_pipe_i];
+           address_pipe_i++, argcount++)
+	{
+        uschar * s = address_pipe_argv[address_pipe_i];
+	if (arg_is_tainted(s, i, addr, etext, errptr)) return FALSE;
+        argv[i++] = s;
+	}
+
+      /* Subtract one since we replace $address_pipe */
+      argcount--;
+      i--;
+      }
+
+    /* Handle normal expansion string */
+
+    else
+      {
+      const uschar *expanded_arg;
+      f.enable_dollar_recipients = allow_dollar_recipients;
+      expanded_arg = expand_cstring(argv[i]);
+      f.enable_dollar_recipients = FALSE;
+
+      if (!expanded_arg)
+        {
+        uschar *msg = string_sprintf("Expansion of \"%s\" "
+          "from command \"%s\" in %s failed: %s",
+          argv[i], cmd, etext, expand_string_message);
+        if (addr)
+          {
+          addr->transport_return = expand_failed;
+          addr->message = msg;
+          }
+        else *errptr = msg;
+        return FALSE;
+        }
+
+      if ( f.running_in_test_harness && is_tainted(expanded_arg)
+	 && Ustrcmp(etext, "queryprogram router") == 0)
+	{			/* hack, would be good to not need it */
+	DEBUG(D_transport)
+	  debug_printf("SPECIFIC TESTSUITE EXEMPTION: tainted arg '%s'\n",
+		      expanded_arg);
+	}
+      else if (  !allow_tainted_args
+	      && arg_is_tainted(expanded_arg, i, addr, etext, errptr))
+	return FALSE;
+      argv[i] = expanded_arg;
+      }
+    }
+
+  DEBUG(D_transport)
+    {
+    debug_printf("direct command after expansion:\n");
+    for (int i = 0; argv[i]; i++)
+      {
+      debug_printf("  argv[%d] = '%s'\n", i, string_printing(argv[i]));
+      debug_print_taint(argv[i]);
+      }
+    }
+  }
+
+return TRUE;
+}
+
+
+
+/* For error messages, a string describing the config location associated
+with current processing.  NULL if we are not in a transport. */
+/* Name only, for now */
+
+uschar *
+transport_current_name(void)
+{
+if (!transport_name) return NULL;
+return string_sprintf(" (transport %s, %s %d)", transport_name, driver_srcfile, driver_srcline);
+}
+
+#endif	/*!MACRO_PREDEF*/
+/* vi: aw ai sw=2
+*/
+/* End of transport.c */
diff --git a/src/transports/Makefile b/src/transports/Makefile
new file mode 100644
index 0000000..4eea141
--- /dev/null
+++ b/src/transports/Makefile
@@ -0,0 +1,27 @@
+# Make file for building a library containing all the available transports and
+# calling it transports.a. This is called from the main make file, after cd'ing
+# to the transports subdirectory.
+
+OBJ = appendfile.o autoreply.o lmtp.o pipe.o queuefile.o smtp.o smtp_socks.o tf_maildir.o
+
+transports.a:    $(OBJ)
+		 @$(RM_COMMAND) -f transports.a
+		 @echo "$(AR) transports.a"
+		 @$(AR) transports.a $(OBJ)
+		 $(RANLIB) $@
+
+.SUFFIXES:       .o .c
+.c.o:;           @echo "$(CC) $*.c"
+		 $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
+
+appendfile.o:    $(HDRS) appendfile.c appendfile.h tf_maildir.h
+autoreply.o:     $(HDRS) autoreply.c autoreply.h
+lmtp.o:          $(HDRS) lmtp.c lmtp.h
+pipe.o:          $(HDRS) pipe.c pipe.h
+queuefile.o:     $(HDRS) queuefile.c queuefile.h
+smtp.o:          $(HDRS) smtp.c smtp.h
+smtp_socks.o:    $(HDRS) smtp_socks.c smtp.h
+
+tf_maildir.o:    $(HDRS) tf_maildir.c tf_maildir.h appendfile.h
+
+# End
diff --git a/src/transports/README b/src/transports/README
new file mode 100644
index 0000000..9ea29fb
--- /dev/null
+++ b/src/transports/README
@@ -0,0 +1,41 @@
+TRANSPORTS:
+
+A delivery attempt results in one of the following values being placed in
+addr->transport_return:
+
+    OK          success
+    DEFER       temporary failure
+    FAIL        permanent failure
+    PANIC       disaster - causes exim to bomb
+
+The field is initialized to DEFER when the address is created, in order that
+unexpected process crashes or other problems don't cause the message to be
+deleted.
+
+For non-OK values, additional information is placed in addr->errno,
+addr->more_errno, and optionally in addr->message. These are inspected only if
+the status is not OK, with one exception (see below).
+
+In addition, the addr->special_action field can be set to request a non-default
+action. The default action after FAIL is to return to sender; the default
+action after DEFER is nothing. The alternatives are:
+
+  SPECIAL_NONE       (default) no special action
+  SPECIAL_FREEZE     freeze the message
+  SPECIAL_WARN       send warning message
+
+The SPECIAL_WARN action is the exception referred to above. It is picked up
+only after a *successful* delivery; it causes a warning message to be sent
+containing the text of warn_message to warn_to. It can be used in appendfile,
+for example, to send a warning message when the mailbox size crosses a given
+threshold.
+
+If the transport is handling a batch of several addresses, it may either put an
+individual value in each address structure, and return TRUE, or it may put a
+common value in the first address, and return FALSE.
+
+Remote transports usually return TRUE and local transports usually return
+FALSE; however, the lmtp transport may return either value, depending on what
+happens inside it.
+
+****
diff --git a/src/transports/appendfile.c b/src/transports/appendfile.c
new file mode 100644
index 0000000..93281ef
--- /dev/null
+++ b/src/transports/appendfile.c
@@ -0,0 +1,3317 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2020 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "appendfile.h"
+
+#ifdef SUPPORT_MAILDIR
+#include "tf_maildir.h"
+#endif
+
+
+/* Options specific to the appendfile transport. They must be in alphabetic
+order (note that "_" comes before the lower case letters). Some of them are
+stored in the publicly visible instance block - these are flagged with the
+opt_public flag. */
+#define LOFF(field) OPT_OFF(appendfile_transport_options_block, field)
+
+optionlist appendfile_transport_options[] = {
+#ifdef SUPPORT_MAILDIR
+  { "*expand_maildir_use_size_file", opt_stringptr, LOFF(expand_maildir_use_size_file) },
+#endif
+  { "*set_use_fcntl_lock",opt_bool | opt_hidden, LOFF(set_use_fcntl) },
+  { "*set_use_flock_lock",opt_bool | opt_hidden, LOFF(set_use_flock) },
+  { "*set_use_lockfile", opt_bool | opt_hidden,	LOFF(set_use_lockfile) },
+#ifdef SUPPORT_MBX
+  { "*set_use_mbx_lock", opt_bool | opt_hidden,	LOFF(set_use_mbx_lock) },
+#endif
+  { "allow_fifo",        opt_bool,	LOFF(allow_fifo) },
+  { "allow_symlink",     opt_bool,	LOFF(allow_symlink) },
+  { "batch_id",          opt_stringptr | opt_public, OPT_OFF(transport_instance, batch_id) },
+  { "batch_max",         opt_int | opt_public, OPT_OFF(transport_instance, batch_max) },
+  { "check_group",       opt_bool,	LOFF(check_group) },
+  { "check_owner",       opt_bool,	LOFF(check_owner) },
+  { "check_string",      opt_stringptr,	LOFF(check_string) },
+  { "create_directory",  opt_bool,	LOFF(create_directory) },
+  { "create_file",       opt_stringptr,	LOFF(create_file_string) },
+  { "directory",         opt_stringptr,	LOFF(dirname) },
+  { "directory_file",    opt_stringptr,	LOFF(dirfilename) },
+  { "directory_mode",    opt_octint,	LOFF(dirmode) },
+  { "escape_string",     opt_stringptr,	LOFF(escape_string) },
+  { "file",              opt_stringptr,	LOFF(filename) },
+  { "file_format",       opt_stringptr,	LOFF(file_format) },
+  { "file_must_exist",   opt_bool,	LOFF(file_must_exist) },
+  { "lock_fcntl_timeout", opt_time,	LOFF(lock_fcntl_timeout) },
+  { "lock_flock_timeout", opt_time,	LOFF(lock_flock_timeout) },
+  { "lock_interval",     opt_time,	LOFF(lock_interval) },
+  { "lock_retries",      opt_int,	LOFF(lock_retries) },
+  { "lockfile_mode",     opt_octint,	LOFF(lockfile_mode) },
+  { "lockfile_timeout",  opt_time,	LOFF(lockfile_timeout) },
+  { "mailbox_filecount", opt_stringptr,	LOFF(mailbox_filecount_string) },
+  { "mailbox_size",      opt_stringptr,	LOFF(mailbox_size_string) },
+#ifdef SUPPORT_MAILDIR
+  { "maildir_format",    opt_bool,	LOFF(maildir_format ) } ,
+  { "maildir_quota_directory_regex", opt_stringptr, LOFF(maildir_dir_regex) },
+  { "maildir_retries",   opt_int,	LOFF(maildir_retries) },
+  { "maildir_tag",       opt_stringptr,	LOFF(maildir_tag) },
+  { "maildir_use_size_file", opt_expand_bool, LOFF(maildir_use_size_file ) } ,
+  { "maildirfolder_create_regex", opt_stringptr, LOFF(maildirfolder_create_regex ) },
+#endif  /* SUPPORT_MAILDIR */
+#ifdef SUPPORT_MAILSTORE
+  { "mailstore_format",  opt_bool,	LOFF(mailstore_format ) },
+  { "mailstore_prefix",  opt_stringptr,	LOFF(mailstore_prefix ) },
+  { "mailstore_suffix",  opt_stringptr,	LOFF(mailstore_suffix ) },
+#endif  /* SUPPORT_MAILSTORE */
+#ifdef SUPPORT_MBX
+  { "mbx_format",        opt_bool,	LOFF(mbx_format ) } ,
+#endif  /* SUPPORT_MBX */
+  { "message_prefix",    opt_stringptr,	LOFF(message_prefix) },
+  { "message_suffix",    opt_stringptr,	LOFF(message_suffix) },
+  { "mode",              opt_octint,	LOFF(mode) },
+  { "mode_fail_narrower",opt_bool,	LOFF(mode_fail_narrower) },
+  { "notify_comsat",     opt_bool,	LOFF(notify_comsat) },
+  { "quota",             opt_stringptr,	LOFF(quota) },
+  { "quota_directory",   opt_stringptr,	LOFF(quota_directory) },
+  { "quota_filecount",   opt_stringptr,	LOFF(quota_filecount) },
+  { "quota_is_inclusive", opt_bool,	LOFF(quota_is_inclusive) },
+  { "quota_size_regex",   opt_stringptr, LOFF(quota_size_regex) },
+  { "quota_warn_message", opt_stringptr | opt_public, OPT_OFF(transport_instance, warn_message) },
+  { "quota_warn_threshold", opt_stringptr, LOFF(quota_warn_threshold) },
+  { "use_bsmtp",         opt_bool,	LOFF(use_bsmtp) },
+  { "use_crlf",          opt_bool,	LOFF(use_crlf) },
+  { "use_fcntl_lock",    opt_bool_set,	LOFF(use_fcntl) },
+  { "use_flock_lock",    opt_bool_set,	LOFF(use_flock) },
+  { "use_lockfile",      opt_bool_set,	LOFF(use_lockfile) },
+#ifdef SUPPORT_MBX
+  { "use_mbx_lock",      opt_bool_set,	LOFF(use_mbx_lock) },
+#endif  /* SUPPORT_MBX */
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int appendfile_transport_options_count =
+  sizeof(appendfile_transport_options)/sizeof(optionlist);
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+appendfile_transport_options_block appendfile_transport_option_defaults = {0};
+void appendfile_transport_init(transport_instance *tblock) {}
+BOOL appendfile_transport_entry(transport_instance *tblock, address_item *addr) {return FALSE;}
+
+#else	/*!MACRO_PREDEF*/
+
+/* Default private options block for the appendfile transport. */
+
+appendfile_transport_options_block appendfile_transport_option_defaults = {
+  /* all non-mentioned members zero/null/false */
+  .dirfilename = US"q${base62:$tod_epoch}-$inode",
+  .create_file_string = US"anywhere",
+  .maildir_dir_regex = US"^(?:cur|new|\\..*)$",
+  .mailbox_size_value = -1,
+  .mailbox_filecount_value = -1,
+  .mode = APPENDFILE_MODE,
+  .dirmode = APPENDFILE_DIRECTORY_MODE,
+  .lockfile_mode = APPENDFILE_LOCKFILE_MODE,
+  .lockfile_timeout = 30*60,
+  .lock_retries = 10,
+   .lock_interval = 3,
+  .maildir_retries = 10,
+  .create_file = create_anywhere,
+  .check_owner = TRUE,
+  .create_directory = TRUE,
+  .notify_comsat = FALSE,
+  .use_lockfile = TRUE,
+  .use_fcntl = TRUE,
+  .mode_fail_narrower = TRUE,
+  .quota_is_inclusive = TRUE,
+};
+
+
+/* Encodings for mailbox formats, and their names. MBX format is actually
+supported only if SUPPORT_MBX is set. */
+
+enum { mbf_unix, mbf_mbx, mbf_smail, mbf_maildir, mbf_mailstore };
+
+static const char *mailbox_formats[] = {
+  "unix", "mbx", "smail", "maildir", "mailstore" };
+
+
+/* Check warn threshold only if quota size set or not a percentage threshold
+   percentage check should only be done if quota > 0 */
+
+#define THRESHOLD_CHECK  (ob->quota_warn_threshold_value > 0 && \
+  (!ob->quota_warn_threshold_is_percent || ob->quota_value > 0))
+
+
+
+/*************************************************
+*              Setup entry point                 *
+*************************************************/
+
+/* Called for each delivery in the privileged state, just before the uid/gid
+are changed and the main entry point is called. We use this function to
+expand any quota settings, so that it can access files that may not be readable
+by the user. It is also used to pick up external mailbox size information, if
+set.
+
+Arguments:
+  tblock     points to the transport instance
+  addrlist   addresses about to be delivered (not used)
+  dummy      not used (doesn't pass back data)
+  uid        the uid that will be set (not used)
+  gid        the gid that will be set (not used)
+  errmsg     where to put an error message
+
+Returns:     OK, FAIL, or DEFER
+*/
+
+static int
+appendfile_transport_setup(transport_instance *tblock, address_item *addrlist,
+  transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg)
+{
+appendfile_transport_options_block *ob =
+  (appendfile_transport_options_block *)(tblock->options_block);
+uschar *q = ob->quota;
+double default_value = 0.0;
+
+if (ob->expand_maildir_use_size_file)
+	ob->maildir_use_size_file = expand_check_condition(ob->expand_maildir_use_size_file,
+		US"`maildir_use_size_file` in transport", tblock->name);
+
+/* Loop for quota, quota_filecount, quota_warn_threshold, mailbox_size,
+mailbox_filecount */
+
+for (int i = 0; i < 5; i++)
+  {
+  double d = default_value;
+  int no_check = 0;
+  uschar *which = NULL;
+
+  if (q)
+    {
+    uschar * rest, * s;
+
+    if (!(s =  expand_string(q)))
+      {
+      *errmsg = string_sprintf("Expansion of \"%s\" in %s transport failed: "
+        "%s", q, tblock->name, expand_string_message);
+      return f.search_find_defer ? DEFER : FAIL;
+      }
+
+    d = Ustrtod(s, &rest);
+
+    /* Handle following characters K, M, G, %, the latter being permitted
+    for quota_warn_threshold only. A threshold with no quota setting is
+    just ignored. */
+
+    if (tolower(*rest) == 'k') { d *= 1024.0; rest++; }
+    else if (tolower(*rest) == 'm') { d *= 1024.0*1024.0; rest++; }
+    else if (tolower(*rest) == 'g') { d *= 1024.0*1024.0*1024.0; rest++; }
+    else if (*rest == '%' && i == 2)
+      {
+      if (ob->quota_value <= 0 && !ob->maildir_use_size_file)
+	d = 0;
+      else if ((int)d < 0 || (int)d > 100)
+        {
+        *errmsg = string_sprintf("Invalid quota_warn_threshold percentage (%d)"
+          " for %s transport", (int)d, tblock->name);
+        return FAIL;
+        }
+      ob->quota_warn_threshold_is_percent = TRUE;
+      rest++;
+      }
+
+
+    /* For quota and quota_filecount there may be options
+    appended. Currently only "no_check", so we can be lazy parsing it */
+    if (i < 2 && Ustrstr(rest, "/no_check") == rest)
+      {
+       no_check = 1;
+       rest += sizeof("/no_check") - 1;
+      }
+
+    Uskip_whitespace(&rest);
+
+    if (*rest)
+      {
+      *errmsg = string_sprintf("Malformed value \"%s\" (expansion of \"%s\") "
+        "in %s transport", s, q, tblock->name);
+      return FAIL;
+      }
+    }
+
+  /* Set each value, checking for possible overflow. */
+
+  switch (i)
+    {
+    case 0:
+      if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
+	which = US"quota";
+      ob->quota_value = (off_t)d;
+      ob->quota_no_check = no_check;
+      q = ob->quota_filecount;
+      break;
+
+    case 1:
+      if (d >= 2.0*1024.0*1024.0*1024.0)
+	which = US"quota_filecount";
+      ob->quota_filecount_value = (int)d;
+      ob->quota_filecount_no_check = no_check;
+      q = ob->quota_warn_threshold;
+      break;
+
+    case 2:
+      if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
+	  which = US"quota_warn_threshold";
+      ob->quota_warn_threshold_value = (off_t)d;
+      q = ob->mailbox_size_string;
+      default_value = -1.0;
+      break;
+
+    case 3:
+      if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
+	which = US"mailbox_size";;
+      ob->mailbox_size_value = (off_t)d;
+      q = ob->mailbox_filecount_string;
+      break;
+
+    case 4:
+      if (d >= 2.0*1024.0*1024.0*1024.0)
+	which = US"mailbox_filecount";
+      ob->mailbox_filecount_value = (int)d;
+      break;
+    }
+
+  if (which)
+    {
+    *errmsg = string_sprintf("%s value %.10g is too large (overflow) in "
+      "%s transport", which, d, tblock->name);
+    return FAIL;
+    }
+  }
+
+return OK;
+}
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up. */
+
+void
+appendfile_transport_init(transport_instance *tblock)
+{
+appendfile_transport_options_block *ob =
+  (appendfile_transport_options_block *)(tblock->options_block);
+uschar * s;
+
+/* Set up the setup entry point, to be called in the privileged state */
+
+tblock->setup = appendfile_transport_setup;
+
+/* Lock_retries must be greater than zero */
+
+if (ob->lock_retries == 0) ob->lock_retries = 1;
+
+/* Only one of a file name or directory name must be given. */
+
+if (ob->filename && ob->dirname)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n  "
+  "only one of \"file\" or \"directory\" can be specified", tblock->name);
+
+/* If a file name was specified, neither quota_filecount nor quota_directory
+must be given. */
+
+if (ob->filename)
+  {
+  if (ob->quota_filecount)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n  "
+      "quota_filecount must not be set without \"directory\"", tblock->name);
+  if (ob->quota_directory)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n  "
+      "quota_directory must not be set without \"directory\"", tblock->name);
+  }
+
+/* The default locking depends on whether MBX is set or not. Change the
+built-in default if none of the lock options has been explicitly set. At least
+one form of locking is required in all cases, but mbx locking changes the
+meaning of fcntl and flock locking. */
+
+/* Not all operating systems provide flock(). For those that do, if flock is
+requested, the default for fcntl is FALSE. */
+
+if (ob->use_flock)
+  {
+  #ifdef NO_FLOCK
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n  "
+    "flock() support was not available in the operating system when this "
+    "binary was built", tblock->name);
+  #endif  /* NO_FLOCK */
+  if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
+  }
+
+#ifdef SUPPORT_MBX
+if (ob->mbx_format)
+  if (!ob->set_use_lockfile && !ob->set_use_fcntl && !ob->set_use_flock &&
+      !ob->set_use_mbx_lock)
+    {
+    ob->use_lockfile = ob->use_flock = FALSE;
+    ob->use_mbx_lock = ob->use_fcntl = TRUE;
+    }
+  else if (ob->use_mbx_lock)
+    {
+    if (!ob->set_use_lockfile) ob->use_lockfile = FALSE;
+    if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
+    if (!ob->set_use_flock) ob->use_flock = FALSE;
+    if (!ob->use_fcntl && !ob->use_flock) ob->use_fcntl = TRUE;
+    }
+#endif  /* SUPPORT_MBX */
+
+if (!ob->use_fcntl && !ob->use_flock && !ob->use_lockfile && !ob->use_mbx_lock)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n  "
+    "no locking configured", tblock->name);
+
+/* Unset timeouts for non-used locking types */
+
+if (!ob->use_fcntl) ob->lock_fcntl_timeout = 0;
+if (!ob->use_flock) ob->lock_flock_timeout = 0;
+
+/* If a directory name was specified, only one of maildir or mailstore may be
+specified, and if quota_filecount or quota_directory is given, quota must
+be set. */
+
+if (ob->dirname)
+  {
+  if (ob->maildir_format && ob->mailstore_format)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n  "
+      "only one of maildir and mailstore may be specified", tblock->name);
+  if (ob->quota_filecount != NULL && ob->quota == NULL)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n  "
+      "quota must be set if quota_filecount is set", tblock->name);
+  if (ob->quota_directory != NULL && ob->quota == NULL)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n  "
+      "quota must be set if quota_directory is set", tblock->name);
+  }
+
+/* If a fixed uid field is set, then a gid field must also be set. */
+
+if (tblock->uid_set && !tblock->gid_set && !tblock->expand_gid)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "user set without group for the %s transport", tblock->name);
+
+/* If "create_file" is set, check that a valid option is given, and set the
+integer variable. */
+
+if ((s = ob->create_file_string ) && *s)
+  {
+  int val = 0;
+  if (Ustrcmp(s, "anywhere") == 0)			val = create_anywhere;
+  else if (*s == '/' || Ustrcmp(s, "belowhome") == 0)	val = create_belowhome;
+  else if (Ustrcmp(s, "inhome") == 0)			val = create_inhome;
+  else
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+      "invalid value given for \"create_file\" for the %s transport: '%s'",
+      tblock->name, s);
+  ob->create_file = val;
+  }
+
+/* If quota_warn_threshold is set, set up default for warn_message. It may
+not be used if the actual threshold for a given delivery ends up as zero,
+of if it's given as a percentage and there's no quota setting. */
+
+if (ob->quota_warn_threshold)
+  {
+  if (!tblock->warn_message) tblock->warn_message = US
+    "To: $local_part@$domain\n"
+    "Subject: Your mailbox\n\n"
+    "This message is automatically created by mail delivery software (Exim).\n\n"
+    "The size of your mailbox has exceeded a warning threshold that is\n"
+    "set by the system administrator.\n";
+  }
+
+/* If batch SMTP is set, force the check and escape strings, and arrange that
+headers are also escaped. */
+
+if (ob->use_bsmtp)
+  {
+  ob->check_string = US".";
+  ob->escape_string = US"..";
+  ob->options |= topt_escape_headers;
+  }
+
+/* If not batch SMTP, not maildir, not mailstore, and directory is not set,
+insert default values for for the affixes and the check/escape strings. */
+
+else if (!ob->dirname && !ob->maildir_format && !ob->mailstore_format)
+  {
+  if (!ob->message_prefix) ob->message_prefix =
+    US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n";
+  if (!ob->message_suffix) ob->message_suffix = US"\n";
+  if (!ob->check_string) ob->check_string = US"From ";
+  if (!ob->escape_string) ob->escape_string = US">From ";
+
+  }
+
+/* Set up the bitwise options for transport_write_message from the various
+driver options. Only one of body_only and headers_only can be set. */
+
+ob->options |=
+  (tblock->body_only ? topt_no_headers : 0) |
+  (tblock->headers_only ? topt_no_body : 0) |
+  (tblock->return_path_add ? topt_add_return_path : 0) |
+  (tblock->delivery_date_add ? topt_add_delivery_date : 0) |
+  (tblock->envelope_to_add ? topt_add_envelope_to : 0) |
+  ((ob->use_crlf || ob->mbx_format) ? topt_use_crlf : 0);
+}
+
+
+
+/*************************************************
+*                  Notify comsat                 *
+*************************************************/
+
+/* The comsat daemon is the thing that provides asynchronous notification of
+the arrival of local messages, if requested by the user by "biff y". It is a
+BSD thing that uses a TCP/IP protocol for communication. A message consisting
+of the text "user@offset" must be sent, where offset is the place in the
+mailbox where new mail starts. There is no scope for telling it which file to
+look at, which makes it a less than useful if mail is being delivered into a
+non-standard place such as the user's home directory. In fact, it doesn't seem
+to pay much attention to the offset.
+
+Arguments:
+  user       user name
+  offset     offset in mailbox
+
+Returns:     nothing
+*/
+
+static void
+notify_comsat(uschar *user, off_t offset)
+{
+struct servent *sp;
+host_item host;
+uschar * s;
+
+DEBUG(D_transport) debug_printf("notify_comsat called\n");
+
+s = string_sprintf("%.200s@" OFF_T_FMT "\n", user, offset);
+
+if ((sp = getservbyname("biff", "udp")) == NULL)
+  {
+  DEBUG(D_transport) debug_printf("biff/udp is an unknown service");
+  return;
+  }
+
+host.name = US"localhost";
+host.next = NULL;
+
+
+/* This code is all set up to look up "localhost" and use all its addresses
+until one succeeds. However, it appears that at least on some systems, comsat
+doesn't listen on the ::1 address. So for the moment, just force the address to
+be 127.0.0.1. At some future stage, when IPv6 really is superseding IPv4, this
+can be changed. (But actually, comsat is probably dying out anyway.) */
+
+/******
+if (host_find_byname(&host, NULL, 0, NULL, FALSE) == HOST_FIND_FAILED)
+  {
+  DEBUG(D_transport) debug_printf("\"localhost\" unknown\n");
+  return;
+  }
+******/
+
+host.address = US"127.0.0.1";
+
+
+for (host_item * h = &host; h; h = h->next)
+  {
+  int sock, rc;
+  int host_af = Ustrchr(h->address, ':') != NULL ? AF_INET6 : AF_INET;
+
+  DEBUG(D_transport) debug_printf("calling comsat on %s\n", h->address);
+
+  if ((sock = ip_socket(SOCK_DGRAM, host_af)) < 0) continue;
+
+  /* Connect never fails for a UDP socket, so don't set a timeout. */
+
+  (void)ip_connect(sock, host_af, h->address, ntohs(sp->s_port), 0, NULL);
+  rc = send(sock, s, Ustrlen(s) + 1, 0);
+  (void)close(sock);
+
+  if (rc >= 0) break;
+  DEBUG(D_transport)
+    debug_printf("send to comsat failed for %s: %s\n", strerror(errno),
+      h->address);
+  }
+}
+
+
+
+/*************************************************
+*     Check the format of a file                 *
+*************************************************/
+
+/* This function is called when file_format is set, to check that an existing
+file has the right format. The format string contains text/transport pairs. The
+string matching is literal. we just read big_buffer_size bytes, because this is
+all about the first few bytes of a file.
+
+Arguments:
+  cfd          the open file
+  tblock       the transport block
+  addr         the address block - for inserting error data
+
+Returns:       pointer to the required transport, or NULL
+*/
+
+transport_instance *
+check_file_format(int cfd, transport_instance *tblock, address_item *addr)
+{
+const uschar *format =
+  ((appendfile_transport_options_block *)(tblock->options_block))->file_format;
+uschar data[256];
+int len = read(cfd, data, sizeof(data));
+int sep = 0;
+uschar *s;
+
+DEBUG(D_transport) debug_printf("checking file format\n");
+
+/* An empty file matches the current transport */
+
+if (len == 0) return tblock;
+
+/* Search the formats for a match */
+
+/* not expanded so cannot be tainted */
+while ((s = string_nextinlist(&format, &sep, big_buffer, big_buffer_size)))
+  {
+  int slen = Ustrlen(s);
+  BOOL match = len >= slen && Ustrncmp(data, s, slen) == 0;
+  uschar *tp = string_nextinlist(&format, &sep, big_buffer, big_buffer_size);
+
+  if (match && tp)
+    {
+    for (transport_instance * tt = transports; tt; tt = tt->next)
+      if (Ustrcmp(tp, tt->name) == 0)
+        {
+        DEBUG(D_transport)
+          debug_printf("file format -> %s transport\n", tt->name);
+        return tt;
+        }
+    addr->basic_errno = ERRNO_BADTRANSPORT;
+    addr->message = string_sprintf("%s transport (for %.*s format) not found",
+      tp, slen, data);
+    return NULL;
+    }
+  }
+
+/* Failed to find a match */
+
+addr->basic_errno = ERRNO_FORMATUNKNOWN;
+addr->message = US"mailbox file format unrecognized";
+return NULL;
+}
+
+
+
+
+/*************************************************
+*       Check directory's files for quota        *
+*************************************************/
+
+/* This function is called if quota is set for one of the delivery modes that
+delivers into a specific directory. It scans the directory and stats all the
+files in order to get a total size and count. This is an expensive thing to do,
+but some people are prepared to bear the cost. Alternatively, if size_regex is
+set, it is used as a regex to try to extract the size from the file name, a
+strategy that some people use on maildir files on systems where the users have
+no shell access.
+
+The function is global, because it is also called from tf_maildir.c for maildir
+folders (which should contain only regular files).
+
+Note: Any problems can be written to debugging output, but cannot be written to
+the log, because we are running as an unprivileged user here.
+
+Arguments:
+  dirname       the name of the directory
+  countptr      where to add the file count (because this function recurses)
+  re            a compiled regex to get the size from a name
+
+Returns:        the sum of the sizes of the stattable files
+                zero if the directory cannot be opened
+*/
+
+off_t
+check_dir_size(const uschar * dirname, int * countptr, const pcre2_code * re)
+{
+DIR *dir;
+off_t sum = 0;
+int count = *countptr;
+
+if (!(dir = exim_opendir(dirname))) return 0;
+
+for (struct dirent *ent; ent = readdir(dir); )
+  {
+  uschar * path, * name = US ent->d_name;
+  struct stat statbuf;
+
+  if (Ustrcmp(name, ".") == 0 || Ustrcmp(name, "..") == 0) continue;
+
+  count++;
+
+  /* If there's a regex, try to find the size using it */
+
+  if (re)
+    {
+    pcre2_match_data * md = pcre2_match_data_create(2, pcre_gen_ctx);
+    int rc = pcre2_match(re, (PCRE2_SPTR)name, PCRE2_ZERO_TERMINATED,
+			  0, 0, md, pcre_mtc_ctx);
+    PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md);
+    if (  rc >= 0
+       && (rc = pcre2_get_ovector_count(md)) >= 2)
+      {
+      uschar *endptr;
+      off_t size = (off_t)Ustrtod(name + ovec[2], &endptr);
+      if (endptr == name + ovec[3])
+        {
+        sum += size;
+        DEBUG(D_transport)
+          debug_printf("check_dir_size: size from %s is " OFF_T_FMT "\n", name,
+            size);
+        continue;
+        }
+      }
+    DEBUG(D_transport)
+      debug_printf("check_dir_size: regex did not match %s\n", name);
+    }
+
+  /* No regex or no match for the regex, or captured non-digits */
+
+  path = string_sprintf("%s/%s", dirname, name);
+
+  if (Ustat(path, &statbuf) < 0)
+    {
+    DEBUG(D_transport)
+      debug_printf("check_dir_size: stat error %d for %s: %s\n", errno, path,
+        strerror(errno));
+    }
+  else
+    if ((statbuf.st_mode & S_IFMT) == S_IFREG)
+      sum += statbuf.st_size / statbuf.st_nlink;
+    else if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+      sum += check_dir_size(path, &count, re);
+  }
+
+closedir(dir);
+DEBUG(D_transport)
+  debug_printf("check_dir_size: dir=%s sum=" OFF_T_FMT " count=%d\n", dirname,
+    sum, count);
+
+*countptr = count;
+return sum;
+}
+
+
+
+
+/*************************************************
+*         Apply a lock to a file descriptor      *
+*************************************************/
+
+/* This function applies a lock to a file descriptor, using a blocking or
+non-blocking lock, depending on the timeout value. It can apply either or
+both of a fcntl() and a flock() lock. However, not all OS support flock();
+for those that don't, the use_flock option cannot be set.
+
+Arguments:
+  fd          the file descriptor
+  fcntltype   type of lock, specified as F_WRLCK or F_RDLCK (that is, in
+                fcntl() format); the flock() type is deduced if needed
+  dofcntl     do fcntl() locking
+  fcntltime   non-zero to use blocking fcntl()
+  doflock     do flock() locking
+  flocktime   non-zero to use blocking flock()
+
+Returns:      yield of the fcntl() or flock() call, with errno preserved;
+              sigalrm_seen set if there has been a timeout
+*/
+
+static int
+apply_lock(int fd, int fcntltype, BOOL dofcntl, int fcntltime, BOOL doflock,
+    int flocktime)
+{
+int yield = 0;
+int save_errno;
+struct flock lock_data;
+lock_data.l_type = fcntltype;
+lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
+
+sigalrm_seen = FALSE;
+
+if (dofcntl)
+  {
+  if (fcntltime > 0)
+    {
+    ALARM(fcntltime);
+    yield = fcntl(fd, F_SETLKW, &lock_data);
+    save_errno = errno;
+    ALARM_CLR(0);
+    errno = save_errno;
+    }
+  else yield = fcntl(fd, F_SETLK, &lock_data);
+  }
+
+#ifndef NO_FLOCK
+if (doflock && (yield >= 0))
+  {
+  int flocktype = (fcntltype == F_WRLCK) ? LOCK_EX : LOCK_SH;
+  if (flocktime > 0)
+    {
+    ALARM(flocktime);
+    yield = flock(fd, flocktype);
+    save_errno = errno;
+    ALARM_CLR(0);
+    errno = save_errno;
+    }
+  else yield = flock(fd, flocktype | LOCK_NB);
+  }
+#endif  /* NO_FLOCK */
+
+return yield;
+}
+
+
+
+
+#ifdef SUPPORT_MBX
+/*************************************************
+*         Copy message into MBX mailbox          *
+*************************************************/
+
+/* This function is called when a message intended for a MBX mailbox has been
+written to a temporary file. We can now get the size of the message and then
+copy it in MBX format to the mailbox.
+
+Arguments:
+  to_fd        fd to write to (the real mailbox)
+  from_fd      fd to read from (the temporary file)
+  saved_size   current size of mailbox
+
+Returns:       OK if all went well, DEFER otherwise, with errno preserved
+               the number of bytes written are added to transport_count
+                 by virtue of calling transport_write_block()
+*/
+
+/* Values taken from c-client */
+
+#define MBX_HDRSIZE            2048
+#define MBX_NUSERFLAGS           30
+
+static int
+copy_mbx_message(int to_fd, int from_fd, off_t saved_size)
+{
+int used;
+off_t size;
+struct stat statbuf;
+transport_ctx tctx = { .u={.fd = to_fd}, .options = topt_not_socket };
+
+/* If the current mailbox size is zero, write a header block */
+
+if (saved_size == 0)
+  {
+  uschar *s;
+  memset (deliver_out_buffer, '\0', MBX_HDRSIZE);
+  sprintf(CS(s = deliver_out_buffer), "*mbx*\015\012%08lx00000000\015\012",
+    (long int)time(NULL));
+  for (int i = 0; i < MBX_NUSERFLAGS; i++)
+    sprintf (CS(s += Ustrlen(s)), "\015\012");
+  if (!transport_write_block (&tctx, deliver_out_buffer, MBX_HDRSIZE, FALSE))
+    return DEFER;
+  }
+
+DEBUG(D_transport) debug_printf("copying MBX message from temporary file\n");
+
+/* Now construct the message's header from the time and the RFC822 file
+size, including CRLFs, which is the size of the input (temporary) file. */
+
+if (fstat(from_fd, &statbuf) < 0) return DEFER;
+size = statbuf.st_size;
+
+sprintf (CS deliver_out_buffer, "%s," OFF_T_FMT ";%08lx%04x-%08x\015\012",
+  tod_stamp(tod_mbx), size, 0L, 0, 0);
+used = Ustrlen(deliver_out_buffer);
+
+/* Rewind the temporary file, and copy it over in chunks. */
+
+if (lseek(from_fd, 0 , SEEK_SET) < 0) return DEFER;
+
+while (size > 0)
+  {
+  int len = read(from_fd, deliver_out_buffer + used,
+    DELIVER_OUT_BUFFER_SIZE - used);
+  if (len <= 0)
+    {
+    if (len == 0) errno = ERRNO_MBXLENGTH;
+    return DEFER;
+    }
+  if (!transport_write_block(&tctx, deliver_out_buffer, used + len, FALSE))
+    return DEFER;
+  size -= len;
+  used = 0;
+  }
+
+return OK;
+}
+#endif  /* SUPPORT_MBX */
+
+
+
+/*************************************************
+*            Check creation is permitted         *
+*************************************************/
+
+/* This function checks whether a given file name is permitted to be created,
+as controlled by the create_file option. If no home directory is set, however,
+we can't do any tests.
+
+Arguments:
+  filename     the file name
+  create_file  the ob->create_file option
+  deliver_dir  the delivery directory
+
+Returns:       TRUE if creation is permitted
+*/
+
+static BOOL
+check_creation(uschar *filename, int create_file, const uschar * deliver_dir)
+{
+BOOL yield = TRUE;
+
+if (deliver_dir  &&  create_file != create_anywhere)
+  {
+  int len = Ustrlen(deliver_dir);
+  uschar *file = filename;
+
+  while (file[0] == '/' && file[1] == '/') file++;
+  if (  Ustrncmp(file, deliver_dir, len) != 0
+     || file[len] != '/'
+     ||    Ustrchr(file+len+2, '/') != NULL
+	&& (  create_file != create_belowhome
+	   || Ustrstr(file+len, "/../") != NULL
+	   )
+     ) yield = FALSE;
+
+  /* If yield is TRUE, the file name starts with the home directory, and does
+  not contain any instances of "/../" in the "belowhome" case. However, it may
+  still contain symbolic links. We can check for this by making use of
+  realpath(), which most Unixes seem to have (but make it possible to cut this
+  out). We can't just use realpath() on the whole file name, because we know
+  the file itself doesn't exist, and intermediate directories may also not
+  exist. What we want to know is the real path of the longest existing part of
+  the path. That must match the home directory's beginning, whichever is the
+  shorter. */
+
+  #ifndef NO_REALPATH
+  if (yield && create_file == create_belowhome)
+    {
+    uschar *next;
+    uschar *rp = NULL;
+    for (uschar * slash = Ustrrchr(file, '/');  /* There is known to be one */
+         !rp && slash > file;			/* Stop if reached beginning */
+         slash = next)
+      {
+      *slash = 0;
+      rp = US realpath(CS file, CS big_buffer);
+      next = Ustrrchr(file, '/');
+      *slash = '/';
+      }
+
+    /* If rp == NULL it means that none of the relevant directories exist.
+    This is not a problem here - it means that no symbolic links can exist,
+    which is all we are worried about. Otherwise, we must compare it
+    against the start of the home directory. However, that may itself
+    contain symbolic links, so we have to "realpath" it as well, if
+    possible. */
+
+    if (rp)
+      {
+      uschar hdbuffer[PATH_MAX+1];
+      const uschar * rph = deliver_dir;
+      int rlen = Ustrlen(big_buffer);
+
+      if ((rp = US realpath(CS deliver_dir, CS hdbuffer)))
+        {
+        rph = hdbuffer;
+        len = Ustrlen(rph);
+        }
+
+      if (rlen > len) rlen = len;
+      if (Ustrncmp(rph, big_buffer, rlen) != 0)
+        {
+        yield = FALSE;
+        DEBUG(D_transport) debug_printf("Real path \"%s\" does not match \"%s\"\n",
+          big_buffer, deliver_dir);
+        }
+      }
+    }
+  #endif  /* NO_REALPATH */
+  }
+
+return yield;
+}
+
+
+
+/*************************************************
+*              Main entry point                  *
+*************************************************/
+
+/* See local README for general interface details. This transport always
+returns FALSE, indicating that the status which has been placed in the first
+address should be copied to any other addresses in a batch.
+
+Appendfile delivery is tricky and has led to various security problems in other
+mailers. The logic used here is therefore laid out in some detail. When this
+function is called, we are running in a subprocess which has had its gid and
+uid set to the appropriate values. Therefore, we cannot write directly to the
+exim logs. Any errors must be handled by setting appropriate return codes.
+Note that the default setting for addr->transport_return is DEFER, so it need
+not be set unless some other value is required.
+
+The code below calls geteuid() rather than getuid() to get the current uid
+because in weird configurations not running setuid root there may be a
+difference. In the standard configuration, where setuid() has been used in the
+delivery process, there will be no difference between the uid and the euid.
+
+(1)  If the af_file flag is set, this is a delivery to a file after .forward or
+     alias expansion. Otherwise, there must be a configured file name or
+     directory name.
+
+The following items apply in the case when a file name (as opposed to a
+directory name) is given, that is, when appending to a single file:
+
+(2f) Expand the file name.
+
+(3f) If the file name is /dev/null, return success (optimization).
+
+(4f) If the file_format options is set, open the file for reading, and check
+     that the bytes at the start of the file match one of the given strings.
+     If the check indicates a transport other than the current one should be
+     used, pass control to that other transport. Otherwise continue. An empty
+     or non-existent file matches the current transport. The file is closed
+     after the check.
+
+(5f) If a lock file is required, create it (see extensive separate comments
+     below about the algorithm for doing this). It is important to do this
+     before opening the mailbox if NFS is in use.
+
+(6f) Stat the file, using lstat() rather than stat(), in order to pick up
+     details of any symbolic link.
+
+(7f) If the file already exists:
+
+     Check the owner and group if necessary, and defer if they are wrong.
+
+     If it is a symbolic link AND the allow_symlink option is set (NOT the
+     default), go back to (6f) but this time use stat() instead of lstat().
+
+     If it's not a regular file (or FIFO when permitted), defer delivery.
+
+     Check permissions. If the required permissions are *less* than the
+     existing ones, or supplied by the address (often by the user via filter),
+     chmod() the file. Otherwise, defer.
+
+     Save the inode number.
+
+     Open with O_RDRW + O_APPEND, thus failing if the file has vanished.
+
+     If open fails because the file does not exist, go to (6f); on any other
+     failure, defer.
+
+     Check the inode number hasn't changed - I realize this isn't perfect (an
+     inode can be reused) but it's cheap and will catch some of the races.
+
+     Check it's still a regular file (or FIFO if permitted).
+
+     Check that the owner and permissions haven't changed.
+
+     If file_format is set, check that the file still matches the format for
+     the current transport. If not, defer delivery.
+
+(8f) If file does not exist initially:
+
+     Open with O_WRONLY + O_EXCL + O_CREAT with configured mode, unless we know
+     this is via a symbolic link (only possible if allow_symlinks is set), in
+     which case don't use O_EXCL, as it doesn't work.
+
+     If open fails because the file already exists, go to (6f). To avoid
+     looping for ever in a situation where the file is continuously being
+     created and deleted, all of this happens inside a loop that operates
+     lock_retries times and includes the fcntl and flock locking. If the
+     loop completes without the file getting opened, defer and request
+     freezing, because something really weird is happening.
+
+     If open fails for any other reason, defer for subsequent delivery except
+     when this is a file delivery resulting from an alias or forward expansion
+     and the error is EPERM or ENOENT or EACCES, in which case FAIL as this is
+     most likely a user rather than a configuration error.
+
+(9f) We now have the file checked and open for writing. If so configured, lock
+     it using fcntl, flock, or MBX locking rules. If this fails, close the file
+     and goto (6f), up to lock_retries times, after sleeping for a while. If it
+     still fails, give up and defer delivery.
+
+(10f)Save the access time (for subsequent restoration) and the size of the
+     file, for comsat and for re-setting if delivery fails in the middle -
+     e.g. for quota exceeded.
+
+The following items apply in the case when a directory name is given:
+
+(2d) Create a new file in the directory using a temporary name, by opening for
+     writing and with O_CREAT. If maildir format is being used, the file
+     is created in a temporary subdirectory with a prescribed name. If
+     mailstore format is being used, the envelope file is first created with a
+     temporary name, then the data file.
+
+The following items apply in all cases:
+
+(11) We now have the file open for writing, and locked if it was given as a
+     file name. Write the message and flush the file, unless there is a setting
+     of the local quota option, in which case we can check for its excession
+     without doing any writing.
+
+     In the case of MBX format mailboxes, the message is first written to a
+     temporary file, in order to get its correct length. This is then copied to
+     the real file, preceded by an MBX header.
+
+     If there is a quota error on writing, defer the address. Timeout logic
+     will determine for how long retries are attempted. We restore the mailbox
+     to its original length if it's a single file. There doesn't seem to be a
+     uniform error code for quota excession (it even differs between SunOS4
+     and some versions of SunOS5) so a system-dependent macro called
+     ERRNO_QUOTA is used for it, and the value gets put into errno_quota at
+     compile time.
+
+     For any other error (most commonly disk full), do the same.
+
+The following applies after appending to a file:
+
+(12f)Restore the atime; notify_comsat if required; close the file (which
+     unlocks it if it was locked). Delete the lock file if it exists.
+
+The following applies after writing a unique file in a directory:
+
+(12d)For maildir format, rename the file into the new directory. For mailstore
+     format, rename the envelope file to its correct name. Otherwise, generate
+     a unique name from the directory_file option, and rename to that, possibly
+     trying a few times if the file exists and re-expanding the name gives a
+     different string.
+
+This transport yields FAIL only when a file name is generated by an alias or
+forwarding operation and attempting to open it gives EPERM, ENOENT, or EACCES.
+All other failures return DEFER (in addr->transport_return). */
+
+
+BOOL
+appendfile_transport_entry(
+  transport_instance *tblock,      /* data for this instantiation */
+  address_item *addr)              /* address we are working on */
+{
+appendfile_transport_options_block *ob =
+  (appendfile_transport_options_block *)(tblock->options_block);
+struct stat statbuf;
+const uschar * deliver_dir;
+uschar *fdname = NULL;
+uschar *filename = NULL;
+uschar *hitchname = NULL;
+uschar *dataname = NULL;
+uschar *lockname = NULL;
+uschar *newname = NULL;
+uschar *nametag = NULL;
+uschar *cr = US"";
+uschar *filecount_msg = US"";
+uschar *path;
+struct utimbuf times;
+struct timeval msg_tv;
+BOOL disable_quota = FALSE;
+BOOL isdirectory = FALSE;
+BOOL isfifo = FALSE;
+BOOL wait_for_tick = FALSE;
+uid_t uid = geteuid();     /* See note above */
+gid_t gid = getegid();
+int mbformat;
+int mode = (addr->mode > 0) ? addr->mode : ob->mode;
+off_t saved_size = -1;
+off_t mailbox_size = ob->mailbox_size_value;
+int mailbox_filecount = ob->mailbox_filecount_value;
+int hd = -1;
+int fd = -1;
+int yield = FAIL;
+int i;
+
+#ifdef SUPPORT_MBX
+int save_fd = 0;
+int mbx_lockfd = -1;
+uschar mbx_lockname[40];
+FILE *temp_file = NULL;
+#endif  /* SUPPORT_MBX */
+
+#ifdef SUPPORT_MAILDIR
+int maildirsize_fd = -1;      /* fd for maildirsize file */
+int maildir_save_errno;
+#endif
+
+
+DEBUG(D_transport) debug_printf("appendfile transport entered\n");
+
+/* An "address_file" or "address_directory" transport is used to deliver to
+files specified via .forward or an alias file. Prior to release 4.20, the
+"file" and "directory" options were ignored in this case. This has been changed
+to allow the redirection data to specify what is in effect a folder, whose
+location is determined by the options on the transport.
+
+Compatibility with the case when neither option is set is retained by forcing a
+value for the file or directory name. A directory delivery is assumed if the
+last character of the path from the router is '/'.
+
+The file path is in the local part of the address, but not in the $local_part
+variable (that holds the parent local part). It is, however, in the
+$address_file variable. Below, we update the local part in the address if it
+changes by expansion, so that the final path ends up in the log. */
+
+if (testflag(addr, af_file) && !ob->filename && !ob->dirname)
+  {
+  fdname = US"$address_file";
+  if (address_file[Ustrlen(address_file)-1] == '/' ||
+      ob->maildir_format ||
+      ob->mailstore_format)
+    isdirectory = TRUE;
+  }
+
+/* Handle (a) an "address file" delivery where "file" or "directory" is
+explicitly set and (b) a non-address_file delivery, where one of "file" or
+"directory" must be set; initialization ensures that they are not both set. */
+
+if (!fdname)
+  {
+  if (!(fdname = ob->filename))
+    {
+    fdname = ob->dirname;
+    isdirectory = TRUE;
+    }
+  if (!fdname)
+    {
+    addr->message = string_sprintf("Mandatory file or directory option "
+      "missing from %s transport", tblock->name);
+    goto ret_panic;
+    }
+  }
+
+/* Maildir and mailstore require a directory */
+
+if ((ob->maildir_format || ob->mailstore_format) && !isdirectory)
+  {
+  addr->message = string_sprintf("mail%s_format requires \"directory\" "
+    "to be specified for the %s transport",
+    ob->maildir_format ? "dir" : "store", tblock->name);
+  goto ret_panic;
+  }
+
+if (!(path = expand_string(fdname)))
+  {
+  addr->message = string_sprintf("Expansion of \"%s\" (file or directory "
+    "name for %s transport) failed: %s", fdname, tblock->name,
+    expand_string_message);
+  goto ret_panic;
+  }
+
+if (path[0] != '/')
+  {
+  addr->message = string_sprintf("appendfile: file or directory name "
+    "\"%s\" is not absolute", path);
+  addr->basic_errno = ERRNO_NOTABSOLUTE;
+  return FALSE;
+  }
+
+/* For a file delivery, make sure the local part in the address(es) is updated
+to the true local part. */
+
+if (testflag(addr, af_file))
+  for (address_item * addr2 = addr; addr2; addr2 = addr2->next)
+    addr2->local_part = string_copy(path);
+
+/* The available mailbox formats depend on whether it is a directory or a file
+delivery. */
+
+if (isdirectory)
+  {
+  mbformat =
+  #ifdef SUPPORT_MAILDIR
+    ob->maildir_format ? mbf_maildir :
+  #endif
+  #ifdef SUPPORT_MAILSTORE
+    ob->mailstore_format ? mbf_mailstore :
+  #endif
+    mbf_smail;
+  }
+else
+  {
+  mbformat =
+  #ifdef SUPPORT_MBX
+    ob->mbx_format ? mbf_mbx :
+  #endif
+    mbf_unix;
+  }
+
+DEBUG(D_transport)
+  {
+  debug_printf("appendfile: mode=%o notify_comsat=%d quota=" OFF_T_FMT
+    "%s%s"
+    " warning=" OFF_T_FMT "%s\n"
+    "  %s=%s format=%s\n  message_prefix=%s\n  message_suffix=%s\n  "
+    "maildir_use_size_file=%s\n",
+    mode, ob->notify_comsat, ob->quota_value,
+    ob->quota_no_check ? " (no_check)" : "",
+    ob->quota_filecount_no_check ? " (no_check_filecount)" : "",
+    ob->quota_warn_threshold_value,
+    ob->quota_warn_threshold_is_percent ? "%" : "",
+    isdirectory ? "directory" : "file",
+    path, mailbox_formats[mbformat],
+    !ob->message_prefix ? US"null" : string_printing(ob->message_prefix),
+    !ob->message_suffix ? US"null" : string_printing(ob->message_suffix),
+    ob->maildir_use_size_file ? "yes" : "no");
+
+  if (!isdirectory) debug_printf("  locking by %s%s%s%s%s\n",
+    ob->use_lockfile ? "lockfile " : "",
+    ob->use_mbx_lock ? "mbx locking (" : "",
+    ob->use_fcntl ? "fcntl " : "",
+    ob->use_flock ? "flock" : "",
+    ob->use_mbx_lock ? ")" : "");
+  }
+
+/* If the -N option is set, can't do any more. */
+
+if (f.dont_deliver)
+  {
+  DEBUG(D_transport)
+    debug_printf("*** delivery by %s transport bypassed by -N option\n",
+      tblock->name);
+  addr->transport_return = OK;
+  return FALSE;
+  }
+
+/* If an absolute path was given for create_file the it overrides deliver_home
+(here) and de-taints the filename (below, after check_creation() */
+
+deliver_dir = *ob->create_file_string == '/'
+  ? ob->create_file_string : deliver_home;
+
+/* Handle the case of a file name. If the file name is /dev/null, we can save
+ourselves some effort and just give a success return right away. */
+
+if (!isdirectory)
+  {
+  BOOL use_lstat = TRUE;
+  BOOL file_opened = FALSE;
+  BOOL allow_creation_here = TRUE;
+
+  if (Ustrcmp(path, "/dev/null") == 0)
+    {
+    addr->transport_return = OK;
+    return FALSE;
+    }
+
+  /* Set the name of the file to be opened, and the file to which the data
+  is written, and find out if we are permitted to create a non-existent file.
+  If the create_file option is an absolute path and the file was within it,
+  de-taint.  Chaeck for a tainted path. */
+
+  if (  (allow_creation_here = check_creation(path, ob->create_file, deliver_dir))
+     && ob->create_file == create_belowhome)
+    if (is_tainted(path))
+      {
+      DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path);
+      path = string_copy_taint(path, GET_UNTAINTED);
+      }
+
+  if (is_tainted(path)) goto tainted_ret_panic;
+  dataname = filename = path;
+
+  /* If ob->create_directory is set, attempt to create the directories in
+  which this mailbox lives, but only if we are permitted to create the file
+  itself. We know we are dealing with an absolute path, because this was
+  checked above. */
+
+  if (ob->create_directory && allow_creation_here)
+    {
+    uschar *p = Ustrrchr(path, '/');
+    p = string_copyn(path, p - path);
+    if (!directory_make(NULL, p, ob->dirmode, FALSE))
+      {
+      addr->basic_errno = errno;
+      addr->message =
+        string_sprintf("failed to create directories for %s: %s", path,
+          exim_errstr(errno));
+      DEBUG(D_transport) debug_printf("%s transport: %s\n", tblock->name, path);
+      return FALSE;
+      }
+    }
+
+  /* If file_format is set we must check that any existing file matches one of
+  the configured formats by checking the bytes it starts with. A match then
+  indicates a specific transport - if it is not this one, pass control to it.
+  Otherwise carry on here. An empty or non-existent file matches the current
+  transport. We don't need to distinguish between non-existence and other open
+  failures because if an existing file fails to open here, it will also fail
+  again later when O_RDWR is used. */
+
+  if (ob->file_format)
+    {
+    int cfd = Uopen(path, O_RDONLY, 0);
+    if (cfd >= 0)
+      {
+      transport_instance *tt = check_file_format(cfd, tblock, addr);
+      (void)close(cfd);
+
+      /* If another transport is indicated, call it and return; if no transport
+      was found, just return - the error data will have been set up.*/
+
+      if (tt != tblock)
+        {
+        if (tt)
+          {
+          set_process_info("delivering %s to %s using %s", message_id,
+            addr->local_part, tt->name);
+          debug_print_string(tt->debug_string);
+          addr->transport = tt;
+          (tt->info->code)(tt, addr);
+          }
+        return FALSE;
+        }
+      }
+    }
+
+  /* The locking of mailbox files is worse than the naming of cats, which is
+  known to be "a difficult matter" (T.S. Eliot) and just as cats must have
+  three different names, so several different styles of locking are used.
+
+  Research in other programs that lock mailboxes shows that there is no
+  universally standard method. Having mailboxes NFS-mounted on the system that
+  is delivering mail is not the best thing, but people do run like this,
+  and so the code must do its best to cope.
+
+  Three different locking mechanisms are supported. The initialization function
+  checks that at least one is configured.
+
+  LOCK FILES
+
+  Unless no_use_lockfile is set, we attempt to build a lock file in a way that
+  will work over NFS. Only after that is done do we actually open the mailbox
+  and apply locks to it (if configured).
+
+  Originally, Exim got the file opened before doing anything about locking.
+  However, a very occasional problem was observed on Solaris 2 when delivering
+  over NFS. It is seems that when a file is opened with O_APPEND, the file size
+  gets remembered at open time. If another process on another host (that's
+  important) has the file open and locked and writes to it and then releases
+  the lock while the first process is waiting to get the lock, the first
+  process may fail to write at the new end point of the file - despite the very
+  definite statement about O_APPEND in the man page for write(). Experiments
+  have reproduced this problem, but I do not know any way of forcing a host to
+  update its attribute cache for an open NFS file. It would be nice if it did
+  so when a lock was taken out, but this does not seem to happen. Anyway, to
+  reduce the risk of this problem happening, we now create the lock file
+  (if configured) *before* opening the mailbox. That will prevent two different
+  Exims opening the file simultaneously. It may not prevent clashes with MUAs,
+  however, but Pine at least seems to operate in the same way.
+
+  Lockfiles should normally be used when NFS is involved, because of the above
+  problem.
+
+  The logic for creating the lock file is:
+
+  . The name of the lock file is <mailbox-name>.lock
+
+  . First, create a "hitching post" name by adding the primary host name,
+    current time and pid to the lock file name. This should be unique.
+
+  . Create the hitching post file using WRONLY + CREAT + EXCL.
+
+  . If that fails EACCES, we assume it means that the user is unable to create
+    files in the mail spool directory. Some installations might operate in this
+    manner, so there is a configuration option to allow this state not to be an
+    error - we proceed to lock using fcntl only, after the file is open.
+
+  . Otherwise, an error causes a deferment of the address.
+
+  . Hard link the hitching post to the lock file name.
+
+  . If the link succeeds, we have successfully created the lock file. Simply
+    close and unlink the hitching post file.
+
+  . If the link does not succeed, proceed as follows:
+
+    o Fstat the hitching post file, and then close and unlink it.
+
+    o Now examine the stat data. If the number of links to the file is exactly
+      2, the linking succeeded but for some reason, e.g. an NFS server crash,
+      the return never made it back, so the link() function gave a failure
+      return.
+
+  . This method allows for the lock file to be created by some other process
+    right up to the moment of the attempt to hard link it, and is also robust
+    against NFS server crash-reboots, which would probably result in timeouts
+    in the middle of link().
+
+  . System crashes may cause lock files to get left lying around, and some means
+    of flushing them is required. The approach of writing a pid (used by smail
+    and by elm) into the file isn't useful when NFS may be in use. Pine uses a
+    timeout, which seems a better approach. Since any program that writes to a
+    mailbox using a lock file should complete its task very quickly, Pine
+    removes lock files that are older than 5 minutes. We allow the value to be
+    configurable on the transport.
+
+  FCNTL LOCKING
+
+  If use_fcntl_lock is set, then Exim gets an exclusive fcntl() lock on the
+  mailbox once it is open. This is done by default with a non-blocking lock.
+  Failures to lock cause retries after a sleep, but only for a certain number
+  of tries. A blocking lock is deliberately not used so that we don't hold the
+  mailbox open. This minimizes the possibility of the NFS problem described
+  under LOCK FILES above, if for some reason NFS deliveries are happening
+  without lock files. However, the use of a non-blocking lock and sleep, though
+  the safest approach, does not give the best performance on very busy systems.
+  A blocking lock plus timeout does better. Therefore Exim has an option to
+  allow it to work this way. If lock_fcntl_timeout is set greater than zero, it
+  enables the use of blocking fcntl() calls.
+
+  FLOCK LOCKING
+
+  If use_flock_lock is set, then Exim gets an exclusive flock() lock in the
+  same manner as for fcntl locking above. No-blocking/timeout is also set as
+  above in lock_flock_timeout. Not all operating systems provide or support
+  flock(). For those that don't (as determined by the definition of LOCK_SH in
+  /usr/include/sys/file.h), use_flock_lock may not be set. For some OS, flock()
+  is implemented (not precisely) on top of fcntl(), which means there's no
+  point in actually using it.
+
+  MBX LOCKING
+
+  If use_mbx_lock is set (this is supported only if SUPPORT_MBX is defined)
+  then the rules used for locking in c-client are used. Exim takes out a shared
+  lock on the mailbox file, and an exclusive lock on the file whose name is
+  /tmp/.<device-number>.<inode-number>. The shared lock on the mailbox stops
+  any other MBX client from getting an exclusive lock on it and expunging it.
+  It also stops any other MBX client from unlinking the /tmp lock when it has
+  finished with it.
+
+  The exclusive lock on the /tmp file prevents any other MBX client from
+  updating the mailbox in any way. When writing is finished, if an exclusive
+  lock on the mailbox can be obtained, indicating there are no current sharers,
+  the /tmp file is unlinked.
+
+  MBX locking can use either fcntl() or flock() locking. If neither
+  use_fcntl_lock or use_flock_lock is set, it defaults to using fcntl() only.
+  The calls for getting these locks are by default non-blocking, as for non-mbx
+  locking, but can be made blocking by setting lock_fcntl_timeout and/or
+  lock_flock_timeout as appropriate.  As MBX delivery doesn't work over NFS, it
+  probably makes sense to set timeouts for any MBX deliveries. */
+
+
+  /* Build a lock file if configured to do so - the existence of a lock
+  file is subsequently checked by looking for a non-negative value of the
+  file descriptor hd - even though the file is no longer open. */
+
+  if (ob->use_lockfile)
+    {
+    /* cf. exim_lock.c */
+    lockname = string_sprintf("%s.lock", filename);
+    hitchname = string_sprintf( "%s.%s.%08x.%08x", lockname, primary_hostname,
+      (unsigned int)(time(NULL)), (unsigned int)getpid());
+
+    DEBUG(D_transport) debug_printf("lock name: %s\nhitch name: %s\n", lockname,
+      hitchname);
+
+    /* Lock file creation retry loop */
+
+    for (i = 0; i < ob->lock_retries; sleep(ob->lock_interval), i++)
+      {
+      int rc;
+
+      hd = Uopen(hitchname, O_WRONLY | O_CREAT | O_EXCL, ob->lockfile_mode);
+      if (hd < 0)
+        {
+        addr->basic_errno = errno;
+        addr->message =
+          string_sprintf("creating lock file hitching post %s "
+            "(euid=%ld egid=%ld)", hitchname, (long int)geteuid(),
+            (long int)getegid());
+        return FALSE;
+        }
+
+      /* Attempt to hitch the hitching post to the lock file. If link()
+      succeeds (the common case, we hope) all is well. Otherwise, fstat the
+      file, and get rid of the hitching post. If the number of links was 2,
+      the link was created, despite the failure of link(). If the hitch was
+      not successful, try again, having unlinked the lock file if it is too
+      old.
+
+      There's a version of Linux (2.0.27) which doesn't update its local cache
+      of the inode after link() by default - which many think is a bug - but
+      if the link succeeds, this code will be OK. It just won't work in the
+      case when link() fails after having actually created the link. The Linux
+      NFS person is fixing this; a temporary patch is available if anyone is
+      sufficiently worried. */
+
+      if ((rc = Ulink(hitchname, lockname)) != 0) fstat(hd, &statbuf);
+      (void)close(hd);
+      Uunlink(hitchname);
+      if (rc != 0 && statbuf.st_nlink != 2)
+        {
+        if (ob->lockfile_timeout > 0 && Ustat(lockname, &statbuf) == 0 &&
+            time(NULL) - statbuf.st_ctime > ob->lockfile_timeout)
+          {
+          DEBUG(D_transport) debug_printf("unlinking timed-out lock file\n");
+          Uunlink(lockname);
+          }
+        DEBUG(D_transport) debug_printf("link of hitching post failed - retrying\n");
+        continue;
+        }
+
+      DEBUG(D_transport) debug_printf("lock file created\n");
+      break;
+      }
+
+    /* Check for too many tries at creating the lock file */
+
+    if (i >= ob->lock_retries)
+      {
+      addr->basic_errno = ERRNO_LOCKFAILED;
+      addr->message = string_sprintf("failed to lock mailbox %s (lock file)",
+        filename);
+      return FALSE;
+      }
+    }
+
+
+  /* We now have to get the file open. First, stat() it and act on existence or
+  non-existence. This is in a loop to handle the case of a file's being created
+  or deleted as we watch, and also to handle retries when the locking fails.
+  Rather than holding the file open while waiting for the fcntl() and/or
+  flock() lock, we close and do the whole thing again. This should be safer,
+  especially for NFS files, which might get altered from other hosts, making
+  their cached sizes incorrect.
+
+  With the default settings, no symlinks are permitted, but there is an option
+  to permit symlinks for those sysadmins that know what they are doing.
+  Shudder. However, insist that the initial symlink is owned by the right user.
+  Thus lstat() is used initially; if a symlink is discovered, the loop is
+  repeated such that stat() is used, to look at the end file. */
+
+  for (i = 0; i < ob->lock_retries; i++)
+    {
+    int sleep_before_retry = TRUE;
+    file_opened = FALSE;
+
+    if ((use_lstat ? Ulstat(filename, &statbuf) : Ustat(filename, &statbuf)) != 0)
+      {
+      /* Let's hope that failure to stat (other than non-existence) is a
+      rare event. */
+
+      if (errno != ENOENT)
+        {
+        addr->basic_errno = errno;
+        addr->message = string_sprintf("attempting to stat mailbox %s",
+          filename);
+        goto RETURN;
+        }
+
+      /* File does not exist. If it is required to pre-exist this state is an
+      error. */
+
+      if (ob->file_must_exist)
+        {
+        addr->basic_errno = errno;
+        addr->message = string_sprintf("mailbox %s does not exist, "
+          "but file_must_exist is set", filename);
+        goto RETURN;
+        }
+
+      /* If not permitted to create this file because it isn't in or below
+      the home directory, generate an error. */
+
+      if (!allow_creation_here)
+        {
+        addr->basic_errno = ERRNO_BADCREATE;
+        addr->message = string_sprintf("mailbox %s does not exist, "
+          "but creation outside the home directory is not permitted",
+          filename);
+        goto RETURN;
+        }
+
+      /* Attempt to create and open the file. If open fails because of
+      pre-existence, go round the loop again. For any other error, defer the
+      address, except for an alias or forward generated file name with EPERM,
+      ENOENT, or EACCES, as those are most likely to be user errors rather
+      than Exim config errors. When a symbolic link is permitted and points
+      to a non-existent file, we get here with use_lstat = FALSE. In this case
+      we mustn't use O_EXCL, since it doesn't work. The file is opened RDRW for
+      consistency and because MBX locking requires it in order to be able to
+      get a shared lock. */
+
+      fd = Uopen(filename, O_RDWR | O_APPEND | O_CREAT |
+        (use_lstat ? O_EXCL : 0), mode);
+      if (fd < 0)
+        {
+        if (errno == EEXIST) continue;
+        addr->basic_errno = errno;
+        addr->message = string_sprintf("while creating mailbox %s",
+          filename);
+        if (testflag(addr, af_file) &&
+            (errno == EPERM || errno == ENOENT || errno == EACCES))
+          addr->transport_return = FAIL;
+        goto RETURN;
+        }
+
+      /* We have successfully created and opened the file. Ensure that the group
+      and the mode are correct. */
+
+      if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
+        {
+        addr->basic_errno = errno;
+        addr->message = string_sprintf("while setting perms on mailbox %s",
+          filename);
+        addr->transport_return = FAIL;
+        goto RETURN;
+        }
+      }
+
+
+    /* The file already exists. Test its type, ownership, and permissions, and
+    save the inode for checking later. If symlinks are permitted (not the
+    default or recommended state) it may be a symlink that already exists.
+    Check its ownership and then look for the file at the end of the link(s).
+    This at least prevents one user creating a symlink for another user in
+    a sticky directory. */
+
+    else
+      {
+      int oldmode = (int)statbuf.st_mode;
+      ino_t inode = statbuf.st_ino;
+      BOOL islink = (oldmode & S_IFMT) == S_IFLNK;
+
+      isfifo = FALSE;        /* In case things are changing */
+
+      /* Check owner if required - the default. */
+
+      if (ob->check_owner && statbuf.st_uid != uid)
+        {
+        addr->basic_errno = ERRNO_BADUGID;
+        addr->message = string_sprintf("mailbox %s%s has wrong uid "
+          "(%ld != %ld)", filename,
+          islink ? " (symlink)" : "",
+          (long int)(statbuf.st_uid), (long int)uid);
+        goto RETURN;
+        }
+
+      /* Group is checked only if check_group is set. */
+
+      if (ob->check_group && statbuf.st_gid != gid)
+        {
+        addr->basic_errno = ERRNO_BADUGID;
+        addr->message = string_sprintf("mailbox %s%s has wrong gid (%d != %d)",
+          filename, islink ? " (symlink)" : "", statbuf.st_gid, gid);
+        goto RETURN;
+        }
+
+      /* Just in case this is a sticky-bit mail directory, we don't want
+      users to be able to create hard links to other users' files. */
+
+      if (statbuf.st_nlink != 1)
+        {
+        addr->basic_errno = ERRNO_NOTREGULAR;
+        addr->message = string_sprintf("mailbox %s%s has too many links (%lu)",
+          filename, islink ? " (symlink)" : "", (unsigned long)statbuf.st_nlink);
+        goto RETURN;
+
+        }
+
+      /* If symlinks are permitted (not recommended), the lstat() above will
+      have found the symlink. Its ownership has just been checked; go round
+      the loop again, using stat() instead of lstat(). That will never yield a
+      mode of S_IFLNK. */
+
+      if (islink && ob->allow_symlink)
+        {
+        use_lstat = FALSE;
+        i--;                   /* Don't count this time round */
+        continue;
+        }
+
+      /* An actual file exists. Check that it is a regular file, or FIFO
+      if permitted. */
+
+      if (ob->allow_fifo && (oldmode & S_IFMT) == S_IFIFO) isfifo = TRUE;
+
+      else if ((oldmode & S_IFMT) != S_IFREG)
+        {
+        addr->basic_errno = ERRNO_NOTREGULAR;
+        addr->message = string_sprintf("mailbox %s is not a regular file%s",
+          filename, ob->allow_fifo ? " or named pipe" : "");
+        goto RETURN;
+        }
+
+      /* If the mode is not what it would be for a newly created file, change
+      the permissions if the mode is supplied for the address. Otherwise,
+      reduce but do not extend the permissions. If the newly created
+      permissions are greater than the existing permissions, don't change
+      things when the mode is not from the address. */
+
+      if ((oldmode &= 07777) != mode)
+        {
+        int diffs = oldmode ^ mode;
+        if (addr->mode > 0 || (diffs & oldmode) == diffs)
+          {
+          DEBUG(D_transport) debug_printf("chmod %o %s\n", mode, filename);
+          if (Uchmod(filename, mode) < 0)
+            {
+            addr->basic_errno = errno;
+            addr->message = string_sprintf("attempting to chmod mailbox %s",
+              filename);
+            goto RETURN;
+            }
+          oldmode = mode;
+          }
+
+        /* Mode not from address, and newly-created permissions are greater
+        than existing permissions. Default is to complain, but it can be
+        configured to go ahead and try to deliver anyway if that's what
+        the administration wants. */
+
+        else if (ob->mode_fail_narrower)
+          {
+          addr->basic_errno = ERRNO_BADMODE;
+          addr->message = string_sprintf("mailbox %s has the wrong mode %o "
+            "(%o expected)", filename, oldmode, mode);
+          goto RETURN;
+          }
+        }
+
+      /* We are happy with the existing file. Open it, and then do further
+      tests to ensure that it is the same file that we were just looking at.
+      If the file does not now exist, restart this loop, going back to using
+      lstat again. For an NFS error, just defer; other opening errors are
+      more serious. The file is opened RDWR so that its format can be checked,
+      and also MBX locking requires the use of a shared (read) lock. However,
+      a FIFO is opened WRONLY + NDELAY so that it fails if there is no process
+      reading the pipe. */
+
+      fd = Uopen(filename, isfifo ? (O_WRONLY|O_NDELAY) : (O_RDWR|O_APPEND),
+        mode);
+      if (fd < 0)
+        {
+        if (errno == ENOENT)
+          {
+          use_lstat = TRUE;
+          continue;
+          }
+        addr->basic_errno = errno;
+        if (isfifo)
+          addr->message = string_sprintf("while opening named pipe %s "
+            "(could mean no process is reading it)", filename);
+        else if (errno != EWOULDBLOCK)
+          addr->message = string_sprintf("while opening mailbox %s", filename);
+        goto RETURN;
+        }
+
+      /* This fstat really shouldn't fail, as we have an open file! There's a
+      dilemma here. We use fstat in order to be sure we are peering at the file
+      we have got open. However, that won't tell us if the file was reached
+      via a symbolic link. We checked this above, but there is a race exposure
+      if the link was created between the previous lstat and the open. However,
+      it would have to be created with the same inode in order to pass the
+      check below. If ob->allow_symlink is set, causing the use of stat rather
+      than lstat above, symbolic links may be there anyway, and the checking is
+      weaker. */
+
+      if (fstat(fd, &statbuf) < 0)
+        {
+        addr->basic_errno = errno;
+        addr->message = string_sprintf("attempting to stat open mailbox %s",
+          filename);
+        goto RETURN;
+        }
+
+      /* Check the inode; this is isn't a perfect check, but gives some
+      confidence. */
+
+      if (inode != statbuf.st_ino)
+        {
+        addr->basic_errno = ERRNO_INODECHANGED;
+        addr->message = string_sprintf("opened mailbox %s inode number changed "
+          "from " INO_T_FMT " to " INO_T_FMT, filename, inode, statbuf.st_ino);
+        addr->special_action = SPECIAL_FREEZE;
+        goto RETURN;
+        }
+
+      /* Check it's still a regular file or FIFO, and the uid, gid, and
+      permissions have not changed. */
+
+      if ((!isfifo && (statbuf.st_mode & S_IFMT) != S_IFREG) ||
+          (isfifo && (statbuf.st_mode & S_IFMT) != S_IFIFO))
+        {
+        addr->basic_errno = ERRNO_NOTREGULAR;
+        addr->message =
+          string_sprintf("opened mailbox %s is no longer a %s", filename,
+            isfifo ? "named pipe" : "regular file");
+        addr->special_action = SPECIAL_FREEZE;
+        goto RETURN;
+        }
+
+      if ((ob->check_owner && statbuf.st_uid != uid) ||
+          (ob->check_group && statbuf.st_gid != gid))
+        {
+        addr->basic_errno = ERRNO_BADUGID;
+        addr->message =
+          string_sprintf("opened mailbox %s has wrong uid or gid", filename);
+        addr->special_action = SPECIAL_FREEZE;
+        goto RETURN;
+        }
+
+      if ((statbuf.st_mode & 07777) != oldmode)
+        {
+        addr->basic_errno = ERRNO_BADMODE;
+        addr->message = string_sprintf("opened mailbox %s has wrong mode %o "
+          "(%o expected)", filename, statbuf.st_mode & 07777, mode);
+        addr->special_action = SPECIAL_FREEZE;
+        goto RETURN;
+        }
+
+      /* If file_format is set, check that the format of the file has not
+      changed. Error data is set by the testing function. */
+
+      if (ob->file_format  &&  check_file_format(fd, tblock, addr) != tblock)
+        {
+        addr->message = US"open mailbox has changed format";
+        goto RETURN;
+        }
+
+      /* The file is OK. Carry on to do the locking. */
+      }
+
+    /* We now have an open file, and must lock it using fcntl(), flock() or MBX
+    locking rules if configured to do so. If a lock file is also required, it
+    was created above and hd was left >= 0. At least one form of locking is
+    required by the initialization function. If locking fails here, close the
+    file and go round the loop all over again, after waiting for a bit, unless
+    blocking locking was used. */
+
+    file_opened = TRUE;
+    if ((ob->lock_fcntl_timeout > 0) || (ob->lock_flock_timeout > 0))
+      sleep_before_retry = FALSE;
+
+    /* Simple fcntl() and/or flock() locking */
+
+    if (!ob->use_mbx_lock && (ob->use_fcntl || ob->use_flock))
+      {
+      if (apply_lock(fd, F_WRLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
+         ob->use_flock, ob->lock_flock_timeout) >= 0) break;
+      }
+
+    /* MBX locking rules */
+
+    #ifdef SUPPORT_MBX
+    else if (ob->use_mbx_lock)
+      {
+      int mbx_tmp_oflags;
+      struct stat lstatbuf, statbuf2;
+      if (apply_lock(fd, F_RDLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
+           ob->use_flock, ob->lock_flock_timeout) >= 0 &&
+           fstat(fd, &statbuf) >= 0)
+        {
+        sprintf(CS mbx_lockname, "/tmp/.%lx.%lx", (long)statbuf.st_dev,
+          (long)statbuf.st_ino);
+
+        /*
+         * 2010-05-29: SECURITY
+         * Dan Rosenberg reported the presence of a race-condition in the
+         * original code here.  Beware that many systems still allow symlinks
+         * to be followed in /tmp so an attacker can create a symlink pointing
+         * elsewhere between a stat and an open, which we should avoid
+         * following.
+         *
+         * It's unfortunate that we can't just use all the heavily debugged
+         * locking from above.
+         *
+         * Also: remember to mirror changes into exim_lock.c */
+
+        /* first leave the old pre-check in place, it provides better
+         * diagnostics for common cases */
+        if (Ulstat(mbx_lockname, &statbuf) >= 0)
+          {
+          if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
+            {
+            addr->basic_errno = ERRNO_LOCKFAILED;
+            addr->message = string_sprintf("symbolic link on MBX lock file %s",
+              mbx_lockname);
+            goto RETURN;
+            }
+          if (statbuf.st_nlink > 1)
+            {
+            addr->basic_errno = ERRNO_LOCKFAILED;
+            addr->message = string_sprintf("hard link to MBX lock file %s",
+              mbx_lockname);
+            goto RETURN;
+            }
+          }
+
+        /* If we could just declare "we must be the ones who create this
+         * file" then a hitching post in a subdir would work, since a
+         * subdir directly in /tmp/ which we create wouldn't follow links
+         * but this isn't our locking logic, so we can't safely change the
+         * file existence rules. */
+
+        /* On systems which support O_NOFOLLOW, it's the easiest and most
+         * obviously correct security fix */
+        mbx_tmp_oflags = O_RDWR | O_CREAT;
+#ifdef O_NOFOLLOW
+        mbx_tmp_oflags |= O_NOFOLLOW;
+#endif
+        mbx_lockfd = Uopen(mbx_lockname, mbx_tmp_oflags, ob->lockfile_mode);
+        if (mbx_lockfd < 0)
+          {
+          addr->basic_errno = ERRNO_LOCKFAILED;
+          addr->message = string_sprintf("failed to open MBX lock file %s :%s",
+            mbx_lockname, strerror(errno));
+          goto RETURN;
+          }
+
+        if (Ulstat(mbx_lockname, &lstatbuf) < 0)
+          {
+          addr->basic_errno = ERRNO_LOCKFAILED;
+          addr->message = string_sprintf("attempting to lstat open MBX "
+             "lock file %s: %s", mbx_lockname, strerror(errno));
+          goto RETURN;
+          }
+        if (fstat(mbx_lockfd, &statbuf2) < 0)
+          {
+          addr->basic_errno = ERRNO_LOCKFAILED;
+          addr->message = string_sprintf("attempting to stat fd of open MBX "
+              "lock file %s: %s", mbx_lockname, strerror(errno));
+          goto RETURN;
+          }
+
+        /*
+         * At this point:
+         *  statbuf: if exists, is file which existed prior to opening the
+         *           lockfile, might have been replaced since then
+         *  statbuf2: result of stat'ing the open fd, is what was actually
+         *            opened
+         *  lstatbuf: result of lstat'ing the filename immediately after
+         *            the open but there's a race condition again between
+         *            those two steps: before open, symlink to foo, after
+         *            open but before lstat have one of:
+         *             * was no symlink, so is the opened file
+         *               (we created it, no messing possible after that point)
+         *             * hardlink to foo
+         *             * symlink elsewhere
+         *             * hardlink elsewhere
+         *             * new file/other
+         * Don't want to compare to device of /tmp because some modern systems
+         * have regressed to having /tmp be the safe actual filesystem as
+         * valuable data, so is mostly worthless, unless we assume that *only*
+         * Linux systems do this and that all Linux has O_NOFOLLOW.  Something
+         * for further consideration.
+         * No point in doing a readlink on the lockfile as that will always be
+         * at a different point in time from when we open it, so tells us
+         * nothing; attempts to clean up and delete after ourselves would risk
+         * deleting a *third* filename.
+         */
+        if ((statbuf2.st_nlink > 1) ||
+            (lstatbuf.st_nlink > 1) ||
+            (!S_ISREG(lstatbuf.st_mode)) ||
+            (lstatbuf.st_dev != statbuf2.st_dev) ||
+            (lstatbuf.st_ino != statbuf2.st_ino))
+          {
+          addr->basic_errno = ERRNO_LOCKFAILED;
+          addr->message = string_sprintf("RACE CONDITION detected: "
+              "mismatch post-initial-checks between \"%s\" and opened "
+              "fd lead us to abort!", mbx_lockname);
+          goto RETURN;
+          }
+
+        (void)Uchmod(mbx_lockname, ob->lockfile_mode);
+
+        if (apply_lock(mbx_lockfd, F_WRLCK, ob->use_fcntl,
+            ob->lock_fcntl_timeout, ob->use_flock, ob->lock_flock_timeout) >= 0)
+          {
+          struct stat ostatbuf;
+
+          /* This tests for a specific race condition. Ensure that we still
+          have the same file. */
+
+          if (Ulstat(mbx_lockname, &statbuf) == 0 &&
+              fstat(mbx_lockfd, &ostatbuf) == 0 &&
+              statbuf.st_dev == ostatbuf.st_dev &&
+              statbuf.st_ino == ostatbuf.st_ino)
+            break;
+          DEBUG(D_transport) debug_printf("MBX lockfile %s changed "
+            "between creation and locking\n", mbx_lockname);
+          }
+
+        DEBUG(D_transport) debug_printf("failed to lock %s: %s\n", mbx_lockname,
+          strerror(errno));
+        (void)close(mbx_lockfd);
+        mbx_lockfd = -1;
+        }
+      else
+        {
+        DEBUG(D_transport) debug_printf("failed to fstat or get read lock on %s: %s\n",
+          filename, strerror(errno));
+        }
+      }
+    #endif  /* SUPPORT_MBX */
+
+    else break;   /* No on-file locking required; break the open/lock loop */
+
+    DEBUG(D_transport)
+      debug_printf("fcntl(), flock(), or MBX locking failed - retrying\n");
+
+    (void)close(fd);
+    fd = -1;
+    use_lstat = TRUE;             /* Reset to use lstat first */
+
+
+    /* If a blocking call timed out, break the retry loop if the total time
+    so far is not less than than retries * interval. Use the larger of the
+    flock() and fcntl() timeouts. */
+
+    if (sigalrm_seen &&
+        (i+1) * ((ob->lock_fcntl_timeout > ob->lock_flock_timeout)?
+          ob->lock_fcntl_timeout : ob->lock_flock_timeout) >=
+          ob->lock_retries * ob->lock_interval)
+      i = ob->lock_retries;
+
+    /* Wait a bit before retrying, except when it was a blocked fcntl() or
+    flock() that caused the problem. */
+
+    if (i < ob->lock_retries && sleep_before_retry) sleep(ob->lock_interval);
+    }
+
+  /* Test for exceeding the maximum number of tries. Either the file remains
+  locked, or, if we haven't got it open, something is terribly wrong... */
+
+  if (i >= ob->lock_retries)
+    {
+    if (!file_opened)
+      {
+      addr->basic_errno = ERRNO_EXISTRACE;
+      addr->message = string_sprintf("mailbox %s: existence unclear", filename);
+      addr->special_action = SPECIAL_FREEZE;
+      }
+    else
+      {
+      addr->basic_errno = ERRNO_LOCKFAILED;
+      addr->message = string_sprintf("failed to lock mailbox %s (fcntl/flock)",
+        filename);
+      }
+    goto RETURN;
+    }
+
+  DEBUG(D_transport) debug_printf("mailbox %s is locked\n", filename);
+
+  /* Save access time (for subsequent restoration), modification time (for
+  restoration if updating fails), size of file (for comsat and for re-setting if
+  delivery fails in the middle - e.g. for quota exceeded). */
+
+  if (fstat(fd, &statbuf) < 0)
+    {
+    addr->basic_errno = errno;
+    addr->message = string_sprintf("while fstatting opened mailbox %s",
+      filename);
+    goto RETURN;
+    }
+
+  times.actime = statbuf.st_atime;
+  times.modtime = statbuf.st_mtime;
+  saved_size = statbuf.st_size;
+  if (mailbox_size < 0) mailbox_size = saved_size;
+  mailbox_filecount = 0;  /* Not actually relevant for single-file mailbox */
+  }
+
+/* Prepare for writing to a new file (as opposed to appending to an old one).
+There are several different formats, but there is preliminary stuff concerned
+with quotas that applies to all of them. Finding the current size by directory
+scanning is expensive; for maildirs some fudges have been invented:
+
+  (1) A regex can be used to extract a file size from its name;
+  (2) If maildir_use_size is set, a maildirsize file is used to cache the
+      mailbox size.
+*/
+
+else
+  {
+  uschar *check_path;		/* Default quota check path */
+  const pcre2_code * re = NULL;     /* Regex for file size from file name */
+
+  if (!check_creation(string_sprintf("%s/any", path),
+		      ob->create_file, deliver_dir))
+    {
+    addr->basic_errno = ERRNO_BADCREATE;
+    addr->message = string_sprintf("tried to create file in %s, but "
+      "file creation outside the home directory is not permitted", path);
+    goto RETURN;
+    }
+
+  /* If the create_file option is an absolute path and the file was within
+  it, de-taint. Otherwise check for taint. */
+
+  if (is_tainted(path))
+    if (ob->create_file == create_belowhome)
+      {
+      DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path);
+      path = string_copy_taint(path, GET_UNTAINTED);
+      }
+    else
+      goto tainted_ret_panic;
+
+  check_path = path;
+
+  #ifdef SUPPORT_MAILDIR
+  /* For a maildir delivery, ensure that all the relevant directories exist,
+  and a maildirfolder file if necessary. */
+
+  if (mbformat == mbf_maildir && !maildir_ensure_directories(path, addr,
+    ob->create_directory, ob->dirmode, ob->maildirfolder_create_regex))
+      return FALSE;
+  #endif  /* SUPPORT_MAILDIR */
+
+  /* If we are going to do a quota check, of if maildir_use_size_file is set
+  for a maildir delivery, compile the regular expression if there is one. We
+  may also need to adjust the path that is used. We need to do this for
+  maildir_use_size_file even if the quota is unset, because we still want to
+  create the file. When maildir support is not compiled,
+  ob->maildir_use_size_file is always FALSE. */
+
+  if (ob->quota_value > 0 || THRESHOLD_CHECK || ob->maildir_use_size_file)
+    {
+    PCRE2_SIZE offset;
+    int err;
+
+    /* Compile the regex if there is one. */
+
+    if (ob->quota_size_regex)
+      {
+      if (!(re = pcre2_compile((PCRE2_SPTR)ob->quota_size_regex,
+		  PCRE2_ZERO_TERMINATED, PCRE_COPT, &err, &offset, pcre_cmp_ctx)))
+        {
+	uschar errbuf[128];
+	pcre2_get_error_message(err, errbuf, sizeof(errbuf));
+        addr->message = string_sprintf("appendfile: regular expression "
+          "error: %s at offset %ld while compiling %s", errbuf, (long)offset,
+          ob->quota_size_regex);
+        return FALSE;
+        }
+      DEBUG(D_transport) debug_printf("using regex for file sizes: %s\n",
+        ob->quota_size_regex);
+      }
+
+    /* Use an explicitly configured directory if set */
+
+    if (ob->quota_directory)
+      {
+      if (!(check_path = expand_string(ob->quota_directory)))
+        {
+        addr->message = string_sprintf("Expansion of \"%s\" (quota_directory "
+         "name for %s transport) failed: %s", ob->quota_directory,
+          tblock->name, expand_string_message);
+        goto ret_panic;
+        }
+
+      if (check_path[0] != '/')
+        {
+        addr->message = string_sprintf("appendfile: quota_directory name "
+          "\"%s\" is not absolute", check_path);
+        addr->basic_errno = ERRNO_NOTABSOLUTE;
+        return FALSE;
+        }
+      }
+
+    #ifdef SUPPORT_MAILDIR
+    /* Otherwise, if we are handling a maildir delivery, and the directory
+    contains a file called maildirfolder, this is a maildir++ feature telling
+    us that this is a sub-directory of the real inbox. We should therefore do
+    the quota check on the parent directory. Beware of the special case when
+    the directory name itself ends in a slash. */
+
+    else if (mbformat == mbf_maildir)
+      {
+      struct stat statbuf;
+      if (Ustat(string_sprintf("%s/maildirfolder", path), &statbuf) >= 0)
+        {
+        uschar *new_check_path = string_copy(check_path);
+        uschar *slash = Ustrrchr(new_check_path, '/');
+        if (slash)
+          {
+          if (!slash[1])
+            {
+            *slash = 0;
+            slash = Ustrrchr(new_check_path, '/');
+            }
+          if (slash)
+            {
+            *slash = 0;
+            check_path = new_check_path;
+            DEBUG(D_transport) debug_printf("maildirfolder file exists: "
+              "quota check directory changed to %s\n", check_path);
+            }
+          }
+        }
+      }
+    #endif  /* SUPPORT_MAILDIR */
+    }
+
+  /* If we are using maildirsize files, we need to ensure that such a file
+  exists and, if necessary, recalculate its contents. As a byproduct of this,
+  we obtain the current size of the maildir. If no quota is to be enforced
+  (ob->quota_value == 0), we still need the size if a threshold check will
+  happen later.
+
+  Another regular expression is used to determine which directories inside the
+  maildir are going to be counted. */
+
+  #ifdef SUPPORT_MAILDIR
+  if (ob->maildir_use_size_file)
+    {
+    const pcre2_code * dir_regex = NULL;
+    PCRE2_SIZE offset;
+    int err;
+
+    if (ob->maildir_dir_regex)
+      {
+      int check_path_len = Ustrlen(check_path);
+
+      if (!(dir_regex = pcre2_compile((PCRE2_SPTR)ob->maildir_dir_regex,
+	    PCRE2_ZERO_TERMINATED, PCRE_COPT, &err, &offset, pcre_cmp_ctx)))
+        {
+	uschar errbuf[128];
+	pcre2_get_error_message(err, errbuf, sizeof(errbuf));
+        addr->message = string_sprintf("appendfile: regular expression "
+          "error: %s at offset %ld while compiling %s", errbuf, (long)offset,
+          ob->maildir_dir_regex);
+        return FALSE;
+        }
+
+      DEBUG(D_transport)
+        debug_printf("using regex for maildir directory selection: %s\n",
+          ob->maildir_dir_regex);
+
+      /* Check to see if we are delivering into an ignored directory, that is,
+      if the delivery path starts with the quota check path, and the rest
+      of the deliver path matches the regex; if so, set a flag to disable quota
+      checking and maildirsize updating. */
+
+      if (Ustrncmp(path, check_path, check_path_len) == 0)
+        {
+        uschar *s = path + check_path_len;
+        while (*s == '/') s++;
+        s = *s ? string_sprintf("%s/new", s) : US"new";
+	if (!regex_match(dir_regex, s, -1, NULL))
+          {
+          disable_quota = TRUE;
+          DEBUG(D_transport) debug_printf("delivery directory does not match "
+            "maildir_quota_directory_regex: disabling quota\n");
+          }
+        }
+      }
+
+    /* Quota enforcement; create and check the file. There is some discussion
+    about whether this should happen if the quota is unset. At present, Exim
+    always creates the file. If we ever want to change this, uncomment
+    appropriate lines below, possibly doing a check on some option. */
+
+/*  if (???? || ob->quota_value > 0) */
+
+    if (!disable_quota)
+      {
+      off_t size;
+      int filecount;
+
+      if ((maildirsize_fd = maildir_ensure_sizefile(check_path, ob,  re, dir_regex,
+	  &size, &filecount)) == -1)
+        {
+        addr->basic_errno = errno;
+        addr->message = string_sprintf("while opening or reading "
+          "%s/maildirsize", check_path);
+        return FALSE;
+        }
+      /* can also return -2, which means that the file was removed because of
+      raciness; but in this case, the size & filecount will still have been
+      updated. */
+
+      if (mailbox_size < 0) mailbox_size = size;
+      if (mailbox_filecount < 0) mailbox_filecount = filecount;
+      }
+
+    /* No quota enforcement; ensure file does *not* exist; calculate size if
+    needed. */
+
+/*  else
+ *    {
+ *    time_t old_latest;
+ *    (void)unlink(CS string_sprintf("%s/maildirsize", check_path));
+ *    if (THRESHOLD_CHECK)
+ *      mailbox_size = maildir_compute_size(check_path, &mailbox_filecount, &old_latest,
+ *         re, dir_regex, FALSE);
+ *    }
+*/
+
+    }
+  #endif  /* SUPPORT_MAILDIR */
+
+  /* Otherwise if we are going to do a quota check later on, and the mailbox
+  size is not set, find the current size of the mailbox. Ditto for the file
+  count. Note that ob->quota_filecount_value cannot be set without
+  ob->quota_value being set. */
+
+  if (  !disable_quota
+     && (ob->quota_value > 0 || THRESHOLD_CHECK)
+     && (  mailbox_size < 0
+	|| mailbox_filecount < 0 && ob->quota_filecount_value > 0
+    )   )
+    {
+    off_t size;
+    int filecount = 0;
+    DEBUG(D_transport)
+      debug_printf("quota checks on directory %s\n", check_path);
+    size = check_dir_size(check_path, &filecount,  re);
+    if (mailbox_size < 0) mailbox_size = size;
+    if (mailbox_filecount < 0) mailbox_filecount = filecount;
+    }
+
+  /* Handle the case of creating a unique file in a given directory (not in
+  maildir or mailstore format - this is how smail did it). A temporary name is
+  used to create the file. Later, when it is written, the name is changed to a
+  unique one. There is no need to lock the file. An attempt is made to create
+  the directory if it does not exist. */
+
+  if (mbformat == mbf_smail)
+    {
+    DEBUG(D_transport)
+      debug_printf("delivering to new file in %s\n", path);
+    filename = dataname =
+      string_sprintf("%s/temp.%d.%s", path, (int)getpid(), primary_hostname);
+    fd = Uopen(filename, O_WRONLY|O_CREAT, mode);
+    if (fd < 0 &&                                 /* failed to open, and */
+        (errno != ENOENT ||                       /* either not non-exist */
+         !ob->create_directory ||                 /* or not allowed to make */
+         !directory_make(NULL, path, ob->dirmode, FALSE) ||  /* or failed to create dir */
+         (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */
+      {
+      addr->basic_errno = errno;
+      addr->message = string_sprintf("while creating file %s", filename);
+      return FALSE;
+      }
+    }
+
+  #ifdef SUPPORT_MAILDIR
+
+  /* Handle the case of a unique file in maildir format. The file is written to
+  the tmp subdirectory, with a prescribed form of name. */
+
+  else if (mbformat == mbf_maildir)
+    {
+    DEBUG(D_transport)
+      debug_printf("delivering in maildir format in %s\n", path);
+
+    nametag = ob->maildir_tag;
+
+    /* Check that nametag expands successfully; a hard failure causes a panic
+    return. The actual expansion for use happens again later, when
+    $message_size is accurately known. */
+
+    if (nametag && !expand_string(nametag) && !f.expand_string_forcedfail)
+      {
+      addr->message = string_sprintf("Expansion of \"%s\" (maildir_tag "
+        "for %s transport) failed: %s", nametag, tblock->name,
+        expand_string_message);
+      goto ret_panic;
+      }
+
+    /* We ensured the existence of all the relevant directories above. Attempt
+    to open the temporary file a limited number of times. I think this rather
+    scary-looking for statement is actually OK. If open succeeds, the loop is
+    broken; if not, there is a test on the value of i. Get the time again
+    afresh each time round the loop. Its value goes into a variable that is
+    checked at the end, to make sure we don't release this process until the
+    clock has ticked. */
+
+    for (int i = 1;; i++)
+      {
+      uschar *basename;
+
+      (void)gettimeofday(&msg_tv, NULL);
+      basename = string_sprintf(TIME_T_FMT ".M%luP" PID_T_FMT ".%s",
+       	msg_tv.tv_sec, msg_tv.tv_usec, getpid(), primary_hostname);
+
+      filename = dataname = string_sprintf("tmp/%s", basename);
+      newname = string_sprintf("new/%s", basename);
+
+      if (Ustat(filename, &statbuf) == 0)
+        errno = EEXIST;
+      else if (errno == ENOENT)
+        {
+        if ((fd = Uopen(filename, O_WRONLY | O_CREAT | O_EXCL, mode)) >= 0)
+	  break;
+        DEBUG (D_transport) debug_printf ("open failed for %s: %s\n",
+          filename, strerror(errno));
+        }
+
+      /* Too many retries - give up */
+
+      if (i >= ob->maildir_retries)
+        {
+        addr->message = string_sprintf ("failed to open %s (%d tr%s)",
+          filename, i, (i == 1) ? "y" : "ies");
+        addr->basic_errno = errno;
+        if (errno == errno_quota || errno == ENOSPC)
+          addr->user_message = US"mailbox is full";
+        return FALSE;
+        }
+
+      /* Open or stat failed but we haven't tried too many times yet. */
+
+      sleep(2);
+      }
+
+    /* Note that we have to ensure the clock has ticked before leaving */
+
+    wait_for_tick = TRUE;
+
+    /* Why are these here? Put in because they are present in the non-maildir
+    directory case above. */
+
+    if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
+      {
+      addr->basic_errno = errno;
+      addr->message = string_sprintf("while setting perms on maildir %s",
+        filename);
+      return FALSE;
+      }
+    }
+
+  #endif  /* SUPPORT_MAILDIR */
+
+  #ifdef SUPPORT_MAILSTORE
+
+  /* Handle the case of a unique file in mailstore format. First write the
+  envelope to a temporary file, then open the main file. The unique base name
+  for the files consists of the message id plus the pid of this delivery
+  process. */
+
+  else
+    {
+    FILE *env_file;
+    mailstore_basename = string_sprintf("%s/%s-%s", path, message_id,
+      string_base62((long int)getpid()));
+
+    DEBUG(D_transport)
+      debug_printf("delivering in mailstore format in %s\n", path);
+
+    filename = string_sprintf("%s.tmp", mailstore_basename);
+    newname  = string_sprintf("%s.env", mailstore_basename);
+    dataname = string_sprintf("%s.msg", mailstore_basename);
+
+    fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
+    if (  fd < 0				/* failed to open, and */
+       && (   errno != ENOENT			/* either not non-exist */
+	  || !ob->create_directory		/* or not allowed to make */
+	  || !directory_make(NULL, path, ob->dirmode, FALSE)  /* or failed to create dir */
+	  || (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0 /* or then failed to open */
+       )  )
+      {
+      addr->basic_errno = errno;
+      addr->message = string_sprintf("while creating file %s", filename);
+      return FALSE;
+      }
+
+    /* Why are these here? Put in because they are present in the non-maildir
+    directory case above. */
+
+    if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
+      {
+      addr->basic_errno = errno;
+      addr->message = string_sprintf("while setting perms on file %s",
+        filename);
+      return FALSE;
+      }
+
+    /* Built a C stream from the open file descriptor. */
+
+    if (!(env_file = fdopen(fd, "wb")))
+      {
+      addr->basic_errno = errno;
+      addr->message = string_sprintf("fdopen of %s ("
+        "for %s transport) failed", filename, tblock->name);
+      (void)close(fd);
+      Uunlink(filename);
+      goto ret_panic;
+      }
+
+    /* Write the envelope file, then close it. */
+
+    if (ob->mailstore_prefix)
+      {
+      uschar *s = expand_string(ob->mailstore_prefix);
+      if (!s)
+        {
+        if (!f.expand_string_forcedfail)
+          {
+          addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
+            "prefix for %s transport) failed: %s", ob->mailstore_prefix,
+            tblock->name, expand_string_message);
+          (void)fclose(env_file);
+          Uunlink(filename);
+          goto ret_panic;
+          }
+        }
+      else
+        {
+        int n = Ustrlen(s);
+        fprintf(env_file, "%s", CS s);
+        if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
+        }
+      }
+
+    fprintf(env_file, "%s\n", sender_address);
+
+    for (address_item * taddr = addr; taddr; taddr = taddr->next)
+      fprintf(env_file, "%s@%s\n", taddr->local_part, taddr->domain);
+
+    if (ob->mailstore_suffix)
+      {
+      uschar *s = expand_string(ob->mailstore_suffix);
+      if (!s)
+        {
+        if (!f.expand_string_forcedfail)
+          {
+          addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
+            "suffix for %s transport) failed: %s", ob->mailstore_suffix,
+            tblock->name, expand_string_message);
+          (void)fclose(env_file);
+          Uunlink(filename);
+          goto ret_panic;
+          }
+        }
+      else
+        {
+        int n = Ustrlen(s);
+        fprintf(env_file, "%s", CS s);
+        if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
+        }
+      }
+
+    if (fclose(env_file) != 0)
+      {
+      addr->basic_errno = errno;
+      addr->message = string_sprintf("while closing %s", filename);
+      Uunlink(filename);
+      return FALSE;
+      }
+
+    DEBUG(D_transport) debug_printf("Envelope file %s written\n", filename);
+
+    /* Now open the data file, and ensure that it has the correct ownership and
+    mode. */
+
+    if ((fd = Uopen(dataname, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)
+      {
+      addr->basic_errno = errno;
+      addr->message = string_sprintf("while creating file %s", dataname);
+      Uunlink(filename);
+      return FALSE;
+      }
+    if (exim_chown(dataname, uid, gid) || Uchmod(dataname, mode))
+      {
+      addr->basic_errno = errno;
+      addr->message = string_sprintf("while setting perms on file %s",
+        dataname);
+      return FALSE;
+      }
+    }
+
+  #endif  /* SUPPORT_MAILSTORE */
+
+
+  /* In all cases of writing to a new file, ensure that the file which is
+  going to be renamed has the correct ownership and mode. */
+
+  if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
+    {
+    addr->basic_errno = errno;
+    addr->message = string_sprintf("while setting perms on file %s",
+      filename);
+    return FALSE;
+    }
+  }
+
+
+/* At last we can write the message to the file, preceded by any configured
+prefix line, and followed by any configured suffix line. If there are any
+writing errors, we must defer. */
+
+DEBUG(D_transport) debug_printf("writing to file %s\n", dataname);
+
+yield = OK;
+errno = 0;
+
+/* If there is a local quota setting, check that we are not going to exceed it
+with this message if quota_is_inclusive is set; if it is not set, the check
+is for the mailbox already being over quota (i.e. the current message is not
+included in the check). */
+
+if (!disable_quota && ob->quota_value > 0)
+  {
+  DEBUG(D_transport)
+    {
+    debug_printf("Exim quota = " OFF_T_FMT " old size = " OFF_T_FMT
+      " this message = %d (%sincluded)\n",
+      ob->quota_value, mailbox_size, message_size,
+      ob->quota_is_inclusive ? "" : "not ");
+    debug_printf("  file count quota = %d count = %d\n",
+      ob->quota_filecount_value, mailbox_filecount);
+    }
+
+  if (mailbox_size + (ob->quota_is_inclusive ? message_size:0) > ob->quota_value)
+    if (!ob->quota_no_check)
+      {
+      DEBUG(D_transport) debug_printf("mailbox quota exceeded\n");
+      yield = DEFER;
+      errno = ERRNO_EXIMQUOTA;
+      }
+    else
+      DEBUG(D_transport) debug_printf("mailbox quota exceeded but ignored\n");
+
+  if (ob->quota_filecount_value > 0
+           && mailbox_filecount + (ob->quota_is_inclusive ? 1:0) >
+              ob->quota_filecount_value)
+    if (!ob->quota_filecount_no_check)
+      {
+      DEBUG(D_transport) debug_printf("mailbox file count quota exceeded\n");
+      yield = DEFER;
+      errno = ERRNO_EXIMQUOTA;
+      filecount_msg = US" filecount";
+      }
+    else DEBUG(D_transport) if (ob->quota_filecount_no_check)
+      debug_printf("mailbox file count quota exceeded but ignored\n");
+
+  }
+
+if (verify_mode)
+  {
+  addr->basic_errno = errno;
+  addr->message = US"Over quota";
+  addr->transport_return = yield;
+  DEBUG(D_transport)
+    debug_printf("appendfile (verify) yields %d with errno=%d more_errno=%d\n",
+      yield, addr->basic_errno, addr->more_errno);
+
+  goto RETURN;
+  }
+
+/* If we are writing in MBX format, what we actually do is to write the message
+to a temporary file, and then copy it to the real file once we know its size.
+This is the most straightforward way of getting the correct length in the
+separator line. So, what we do here is to save the real file descriptor, and
+replace it with one for a temporary file. The temporary file gets unlinked once
+opened, so that it goes away on closure. */
+
+#ifdef SUPPORT_MBX
+if (yield == OK && ob->mbx_format)
+  {
+  if (!(temp_file = tmpfile()))
+    {
+    addr->basic_errno = errno;
+    addr->message = US"while setting up temporary file";
+    yield = DEFER;
+    goto RETURN;
+    }
+  save_fd = fd;
+  fd = fileno(temp_file);
+  DEBUG(D_transport) debug_printf("writing to temporary file\n");
+  }
+#endif  /* SUPPORT_MBX */
+
+/* Zero the count of bytes written. It is incremented by the transport_xxx()
+functions. */
+
+transport_count = 0;
+transport_newlines = 0;
+
+/* Write any configured prefix text first */
+
+if (yield == OK && ob->message_prefix && *ob->message_prefix)
+  {
+  uschar *prefix = expand_string(ob->message_prefix);
+  if (!prefix)
+    {
+    errno = ERRNO_EXPANDFAIL;
+    addr->transport_return = PANIC;
+    addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s "
+      "transport) failed", ob->message_prefix, tblock->name);
+    yield = DEFER;
+    }
+  else if (!transport_write_string(fd, "%s", prefix)) yield = DEFER;
+  }
+
+/* If the use_bsmtp option is on, we need to write SMTP prefix information. The
+various different values for batching are handled outside; if there is more
+than one address available here, all must be included. If any address is a
+file, use its parent in the RCPT TO. */
+
+if (yield == OK && ob->use_bsmtp)
+  {
+  transport_count = 0;
+  transport_newlines = 0;
+  if (ob->use_crlf) cr = US"\r";
+  if (!transport_write_string(fd, "MAIL FROM:<%s>%s\n", return_path, cr))
+    yield = DEFER;
+  else
+    {
+    transport_newlines++;
+    for (address_item * a = addr; a; a = a->next)
+      {
+      address_item * b = testflag(a, af_pfr) ? a->parent : a;
+      if (!transport_write_string(fd, "RCPT TO:<%s>%s\n",
+        transport_rcpt_address(b, tblock->rcpt_include_affixes), cr))
+          { yield = DEFER; break; }
+      transport_newlines++;
+      }
+    if (yield == OK && !transport_write_string(fd, "DATA%s\n", cr))
+      yield = DEFER;
+    else
+      transport_newlines++;
+    }
+  }
+
+/* Now the message itself. The options for transport_write_message were set up
+at initialization time. */
+
+if (yield == OK)
+  {
+  transport_ctx tctx = {
+    .u = {.fd=fd},
+    .tblock = tblock,
+    .addr = addr,
+    .check_string = ob->check_string,
+    .escape_string = ob->escape_string,
+    .options =  ob->options | topt_not_socket
+  };
+  if (!transport_write_message(&tctx, 0))
+    yield = DEFER;
+  }
+
+/* Now a configured suffix. */
+
+if (yield == OK && ob->message_suffix && *ob->message_suffix)
+  {
+  uschar *suffix = expand_string(ob->message_suffix);
+  if (!suffix)
+    {
+    errno = ERRNO_EXPANDFAIL;
+    addr->transport_return = PANIC;
+    addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s "
+      "transport) failed", ob->message_suffix, tblock->name);
+    yield = DEFER;
+    }
+  else if (!transport_write_string(fd, "%s", suffix)) yield = DEFER;
+  }
+
+/* If batch smtp, write the terminating dot. */
+
+if (yield == OK && ob->use_bsmtp)
+  if (!transport_write_string(fd, ".%s\n", cr)) yield = DEFER;
+  else transport_newlines++;
+
+/* If MBX format is being used, all that writing was to the temporary file.
+However, if there was an earlier failure (Exim quota exceeded, for example),
+the temporary file won't have got opened - and no writing will have been done.
+If writing was OK, we restore the fd, and call a function that copies the
+message in MBX format into the real file. Otherwise use the temporary name in
+any messages. */
+
+#ifdef SUPPORT_MBX
+if (temp_file && ob->mbx_format)
+  {
+  int mbx_save_errno;
+  fd = save_fd;
+
+  if (yield == OK)
+    {
+    transport_count = 0;   /* Reset transport count for actual write */
+    /* No need to reset transport_newlines as we're just using a block copy
+     * routine so the number won't be affected */
+    yield = copy_mbx_message(fd, fileno(temp_file), saved_size);
+    }
+  else if (errno >= 0) dataname = US"temporary file";
+
+  /* Preserve errno while closing the temporary file. */
+
+  mbx_save_errno = errno;
+  (void)fclose(temp_file);
+  errno = mbx_save_errno;
+  }
+#endif  /* SUPPORT_MBX */
+
+/* Force out the remaining data to check for any errors; some OS don't allow
+fsync() to be called for a FIFO. */
+
+if (yield == OK && !isfifo && EXIMfsync(fd) < 0) yield = DEFER;
+
+/* Update message_size and message_linecount to the accurate count of bytes
+written, including added headers. Note; we subtract 1 from message_linecount as
+this variable doesn't count the new line between the header and the body of the
+message. */
+
+message_size = transport_count;
+message_linecount = transport_newlines - 1;
+
+/* If using a maildir++ quota file, add this message's size to it, and
+close the file descriptor, except when the quota has been disabled because we
+are delivering into an uncounted folder. */
+
+#ifdef SUPPORT_MAILDIR
+if (!disable_quota)
+  {
+  if (yield == OK && maildirsize_fd >= 0)
+    maildir_record_length(maildirsize_fd, message_size);
+  maildir_save_errno = errno;    /* Preserve errno while closing the file */
+  if (maildirsize_fd >= 0)
+    (void)close(maildirsize_fd);
+  errno = maildir_save_errno;
+  }
+#endif  /* SUPPORT_MAILDIR */
+
+/* If there is a quota warning threshold and we are have crossed it with this
+message, set the SPECIAL_WARN flag in the address, to cause a warning message
+to be sent. */
+
+if (!disable_quota && THRESHOLD_CHECK)
+  {
+  off_t threshold = ob->quota_warn_threshold_value;
+  if (ob->quota_warn_threshold_is_percent)
+    threshold = (off_t)(((double)ob->quota_value * threshold) / 100);
+  DEBUG(D_transport)
+    debug_printf("quota = " OFF_T_FMT
+      " threshold = " OFF_T_FMT
+      " old size = " OFF_T_FMT
+      " message size = %d\n",
+      ob->quota_value, threshold, mailbox_size,
+      message_size);
+  if (mailbox_size <= threshold && mailbox_size + message_size > threshold)
+    addr->special_action = SPECIAL_WARN;
+
+  /******* You might think that the test ought to be this:
+  *
+  * if (ob->quota_value > 0 && threshold > 0 && mailbox_size > 0 &&
+  *     mailbox_size <= threshold && mailbox_size + message_size > threshold)
+  *
+  * (indeed, I was sent a patch with that in). However, it is possible to
+  * have a warning threshold without actually imposing a quota, and I have
+  * therefore kept Exim backwards compatible.
+  ********/
+
+  }
+
+/* Handle error while writing the file. Control should come here directly after
+the error, with the reason in errno. In the case of expansion failure in prefix
+or suffix, it will be ERRNO_EXPANDFAIL. */
+
+if (yield != OK)
+  {
+  addr->special_action = SPECIAL_NONE;     /* Cancel any quota warning */
+
+  /* Save the error number. If positive, it will ultimately cause a strerror()
+  call to generate some text. */
+
+  addr->basic_errno = errno;
+
+  /* For system or Exim quota excession, or disk full, set more_errno to the
+  time since the file was last read. If delivery was into a directory, the
+  time since last read logic is not relevant, in general. However, for maildir
+  deliveries we can approximate it by looking at the last modified time of the
+  "new" subdirectory. Since Exim won't be adding new messages, a change to the
+  "new" subdirectory implies that an MUA has moved a message from there to the
+  "cur" directory. */
+
+  if (errno == errno_quota || errno == ERRNO_EXIMQUOTA || errno == ENOSPC)
+    {
+    addr->more_errno = 0;
+    if (!isdirectory) addr->more_errno = (int)(time(NULL) - times.actime);
+
+    #ifdef SUPPORT_MAILDIR
+    else if (mbformat == mbf_maildir)
+      {
+      struct stat statbuf;
+      if (Ustat("new", &statbuf) < 0)
+        {
+        DEBUG(D_transport) debug_printf("maildir quota exceeded: "
+          "stat error %d for \"new\": %s\n", errno, strerror(errno));
+        }
+      else   /* Want a repeatable time when in test harness */
+        addr->more_errno = f.running_in_test_harness ? 10 :
+          (int)time(NULL) - statbuf.st_mtime;
+
+      DEBUG(D_transport)
+        debug_printf("maildir: time since \"new\" directory modified = %s\n",
+        readconf_printtime(addr->more_errno));
+      }
+    #endif /* SUPPORT_MAILDIR */
+    }
+
+  /* Handle system quota excession. Add an explanatory phrase for the error
+  message, since some systems don't have special quota-excession errors,
+  and on those that do, "quota" doesn't always mean anything to the user. */
+
+  if (errno == errno_quota)
+    {
+    #ifndef EDQUOT
+    addr->message = string_sprintf("mailbox is full "
+      "(quota exceeded while writing to file %s)", filename);
+    #else
+    addr->message = US"mailbox is full";
+    #endif  /* EDQUOT */
+    addr->user_message = US"mailbox is full";
+    DEBUG(D_transport) debug_printf("System quota exceeded for %s%s%s\n",
+      dataname,
+      isdirectory ? US"" : US": time since file read = ",
+      isdirectory ? US"" : readconf_printtime(addr->more_errno));
+    }
+
+  /* Handle Exim's own quota-imposition */
+
+  else if (errno == ERRNO_EXIMQUOTA)
+    {
+    addr->message = string_sprintf("mailbox is full "
+      "(MTA-imposed%s quota exceeded while writing to %s)", filecount_msg,
+        dataname);
+    addr->user_message = US"mailbox is full";
+    DEBUG(D_transport) debug_printf("Exim%s quota exceeded for %s%s%s\n",
+      filecount_msg, dataname,
+      isdirectory ? US"" : US": time since file read = ",
+      isdirectory ? US"" : readconf_printtime(addr->more_errno));
+    }
+
+  /* Handle a process failure while writing via a filter; the return
+  from child_close() is in more_errno. */
+
+  else if (errno == ERRNO_FILTER_FAIL)
+    {
+    yield = PANIC;
+    addr->message = string_sprintf("transport filter process failed (%d) "
+      "while writing to %s%s", addr->more_errno, dataname,
+      (addr->more_errno == EX_EXECFAILED) ? ": unable to execute command" : "");
+    }
+
+  /* Handle failure to expand header changes */
+
+  else if (errno == ERRNO_CHHEADER_FAIL)
+    {
+    yield = PANIC;
+    addr->message =
+      string_sprintf("failed to expand headers_add or headers_remove while "
+        "writing to %s: %s", dataname, expand_string_message);
+    }
+
+  /* Handle failure to complete writing of a data block */
+
+  else if (errno == ERRNO_WRITEINCOMPLETE)
+    addr->message = string_sprintf("failed to write data block while "
+      "writing to %s", dataname);
+
+  /* Handle length mismatch on MBX copying */
+
+  #ifdef SUPPORT_MBX
+  else if (errno == ERRNO_MBXLENGTH)
+    addr->message = string_sprintf("length mismatch while copying MBX "
+      "temporary file to %s", dataname);
+  #endif  /* SUPPORT_MBX */
+
+  /* For other errors, a general-purpose explanation, if the message is
+  not already set. */
+
+  else if (addr->message == NULL)
+    addr->message = string_sprintf("error while writing to %s", dataname);
+
+  /* For a file, reset the file size to what it was before we started, leaving
+  the last modification time unchanged, so it will get reset also. All systems
+  investigated so far have ftruncate(), whereas not all have the F_FREESP
+  fcntl() call (BSDI & FreeBSD do not). */
+
+  if (!isdirectory && ftruncate(fd, saved_size))
+    DEBUG(D_transport) debug_printf("Error resetting file size\n");
+  }
+
+/* Handle successful writing - we want the modification time to be now for
+appended files. Remove the default backstop error number. For a directory, now
+is the time to rename the file with a unique name. As soon as such a name
+appears it may get used by another process, so we close the file first and
+check that all is well. */
+
+else
+  {
+  times.modtime = time(NULL);
+  addr->basic_errno = 0;
+
+  /* Handle the case of writing to a new file in a directory. This applies
+  to all single-file formats - maildir, mailstore, and "smail format". */
+
+  if (isdirectory)
+    {
+    if (fstat(fd, &statbuf) < 0)
+      {
+      addr->basic_errno = errno;
+      addr->message = string_sprintf("while fstatting opened message file %s",
+        filename);
+      yield = DEFER;
+      }
+
+    else if (close(fd) < 0)
+      {
+      addr->basic_errno = errno;
+      addr->message = string_sprintf("close() error for %s",
+        (ob->mailstore_format) ? dataname : filename);
+      yield = DEFER;
+      }
+
+    /* File is successfully written and closed. Arrange to rename it. For the
+    different kinds of single-file delivery, some games can be played with the
+    name. The message size is by this time set to the accurate value so that
+    its value can be used in expansions. */
+
+    else
+      {
+      uschar *renamename = newname;
+      fd = -1;
+
+      DEBUG(D_transport) debug_printf("renaming temporary file\n");
+
+      /* If there is no rename name set, we are in a non-maildir, non-mailstore
+      situation. The name is built by expanding the directory_file option, and
+      we make the inode number available for use in this. The expansion was
+      checked for syntactic validity above, before we wrote the file.
+
+      We have to be careful here, in case the file name exists. (In the other
+      cases, the names used are constructed to be unique.) The rename()
+      function just replaces an existing file - we don't want that! So instead
+      of calling rename(), we must use link() and unlink().
+
+      In this case, if the link fails because of an existing file, we wait
+      for one second and try the expansion again, to see if it produces a
+      different value. Do this up to 5 times unless the name stops changing.
+      This makes it possible to build values that are based on the time, and
+      still cope with races from multiple simultaneous deliveries. */
+
+      if (!newname)
+        {
+        uschar *renameleaf;
+        uschar *old_renameleaf = US"";
+
+        for (int i = 0; ; sleep(1), i++)
+          {
+          deliver_inode = statbuf.st_ino;
+          renameleaf = expand_string(ob->dirfilename);
+          deliver_inode = 0;
+
+          if (!renameleaf)
+            {
+            addr->transport_return = PANIC;
+            addr->message = string_sprintf("Expansion of \"%s\" "
+              "(directory_file for %s transport) failed: %s",
+              ob->dirfilename, tblock->name, expand_string_message);
+            goto RETURN;
+            }
+
+          renamename = string_sprintf("%s/%s", path, renameleaf);
+          if (Ulink(filename, renamename) < 0)
+            {
+            DEBUG(D_transport) debug_printf("link failed: %s\n",
+              strerror(errno));
+            if (errno != EEXIST || i >= 4 ||
+                Ustrcmp(renameleaf, old_renameleaf) == 0)
+              {
+              addr->basic_errno = errno;
+              addr->message = string_sprintf("while renaming %s as %s",
+                filename, renamename);
+              yield = DEFER;
+              break;
+              }
+            old_renameleaf = renameleaf;
+            DEBUG(D_transport) debug_printf("%s exists - trying again\n",
+              renamename);
+            }
+          else
+            {
+            Uunlink(filename);
+            filename = NULL;
+            break;
+            }
+          }        /* re-expand loop */
+        }          /* not mailstore or maildir */
+
+      /* For maildir and mailstore formats, the new name was created earlier,
+      except that for maildir, there is the possibility of adding a "tag" on
+      the end of the name by expanding the value of nametag. This usually
+      includes a reference to the message size. The expansion of nametag was
+      checked above, before the file was opened. It either succeeded, or
+      provoked a soft failure. So any failure here can be treated as soft.
+      Ignore non-printing characters and / and put a colon at the start if the
+      first character is alphanumeric. */
+
+      else
+        {
+        if (nametag)
+          {
+          uschar *iptr = expand_string(nametag);
+          if (iptr)
+            {
+            uschar *etag = store_get(Ustrlen(iptr) + 2, iptr);
+            uschar *optr = etag;
+            for ( ; *iptr; iptr++)
+              if (mac_isgraph(*iptr) && *iptr != '/')
+                {
+                if (optr == etag && isalnum(*iptr)) *optr++ = ':';
+                *optr++ = *iptr;
+                }
+            *optr = 0;
+            renamename = string_sprintf("%s%s", newname, etag);
+            }
+          }
+
+        /* Do the rename. If the name is too long and a tag exists, try again
+        without the tag. */
+
+        if (Urename(filename, renamename) < 0 &&
+               (nametag == NULL || errno != ENAMETOOLONG ||
+               (renamename = newname, Urename(filename, renamename) < 0)))
+          {
+          addr->basic_errno = errno;
+          addr->message = string_sprintf("while renaming %s as %s",
+            filename, renamename);
+          yield = DEFER;
+          }
+
+        /* Rename succeeded */
+
+        else
+          {
+          DEBUG(D_transport) debug_printf("renamed %s as %s\n", filename,
+            renamename);
+          filename = dataname = NULL;   /* Prevents attempt to unlink at end */
+          }
+        }        /* maildir or mailstore */
+      }          /* successful write + close */
+    }            /* isdirectory */
+  }              /* write success */
+
+
+/* For a file, restore the last access time (atime), and set the modification
+time as required - changed if write succeeded, unchanged if not. */
+
+if (!isdirectory) utime(CS filename, &times);
+
+/* Notify comsat if configured to do so. It only makes sense if the configured
+file is the one that the comsat daemon knows about. */
+
+if (ob->notify_comsat && yield == OK && deliver_localpart)
+  notify_comsat(deliver_localpart, saved_size);
+
+/* Pass back the final return code in the address structure */
+
+DEBUG(D_transport)
+  debug_printf("appendfile yields %d with errno=%d more_errno=%d\n",
+    yield, addr->basic_errno, addr->more_errno);
+
+addr->transport_return = yield;
+
+/* Close the file, which will release the fcntl lock. For a directory write it
+is closed above, except in cases of error which goto RETURN, when we also need
+to remove the original file(s). For MBX locking, if all has gone well, before
+closing the file, see if we can get an exclusive lock on it, in which case we
+can unlink the /tmp lock file before closing it. This is always a non-blocking
+lock; there's no need to wait if we can't get it. If everything has gone right
+but close fails, defer the message. Then unlink the lock file, if present. This
+point in the code is jumped to from a number of places when errors are
+detected, in order to get the file closed and the lock file tidied away. */
+
+RETURN:
+
+#ifdef SUPPORT_MBX
+if (mbx_lockfd >= 0)
+  {
+  if (yield == OK && apply_lock(fd, F_WRLCK, ob->use_fcntl, 0,
+      ob->use_flock, 0) >= 0)
+    {
+    DEBUG(D_transport)
+      debug_printf("unlinking MBX lock file %s\n", mbx_lockname);
+    Uunlink(mbx_lockname);
+    }
+  (void)close(mbx_lockfd);
+  }
+#endif  /* SUPPORT_MBX */
+
+if (fd >= 0 && close(fd) < 0 && yield == OK)
+  {
+  addr->basic_errno = errno;
+  addr->message = string_sprintf("while closing %s", filename);
+  addr->transport_return = DEFER;
+  }
+
+if (hd >= 0) Uunlink(lockname);
+
+/* We get here with isdirectory and filename set only in error situations. */
+
+if (isdirectory && filename)
+  {
+  Uunlink(filename);
+  if (dataname != filename) Uunlink(dataname);
+  }
+
+/* If wait_for_tick is TRUE, we have done a delivery where the uniqueness of a
+file name relies on time + pid. We must not allow the process to finish until
+the clock has move on by at least one microsecond. Usually we expect this
+already to be the case, but machines keep getting faster... */
+
+if (wait_for_tick) exim_wait_tick(&msg_tv, 1);
+
+/* A return of FALSE means that if there was an error, a common error was
+put in the first address of a batch. */
+
+return FALSE;
+
+tainted_ret_panic:
+  addr->message = string_sprintf("Tainted '%s' (file or directory "
+      "name for %s transport) not permitted", path, tblock->name);
+ret_panic:
+  addr->transport_return = PANIC;
+  return FALSE;
+}
+
+#endif	/*!MACRO_PREDEF*/
+/* End of transport/appendfile.c */
diff --git a/src/transports/appendfile.h b/src/transports/appendfile.h
new file mode 100644
index 0000000..3fd2f46
--- /dev/null
+++ b/src/transports/appendfile.h
@@ -0,0 +1,100 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Private structure for the private options. */
+
+typedef struct {
+  uschar *filename;
+  uschar *dirname;
+  uschar *dirfilename;
+  uschar *message_prefix;
+  uschar *message_suffix;
+  uschar *create_file_string;
+  uschar *quota;
+  uschar *quota_directory;
+  uschar *quota_filecount;
+  uschar *quota_size_regex;
+  uschar *quota_warn_threshold;
+  uschar *mailbox_size_string;
+  uschar *mailbox_filecount_string;
+  uschar *expand_maildir_use_size_file;
+  uschar *maildir_dir_regex;
+  uschar *maildir_tag;
+  uschar *maildirfolder_create_regex;
+  uschar *mailstore_prefix;
+  uschar *mailstore_suffix;
+  uschar *check_string;
+  uschar *escape_string;
+  uschar *file_format;
+  off_t quota_value;
+  off_t quota_warn_threshold_value;
+  off_t mailbox_size_value;
+  int   mailbox_filecount_value;
+  int   quota_filecount_value;
+  int   mode;
+  int   dirmode;
+  int   lockfile_mode;
+  int   lockfile_timeout;
+  int   lock_fcntl_timeout;
+  int   lock_flock_timeout;
+  int   lock_retries;
+  int   lock_interval;
+  int   maildir_retries;
+  int   create_file;
+  int   options;
+  BOOL  allow_fifo;
+  BOOL  allow_symlink;
+  BOOL  check_group;
+  BOOL  check_owner;
+  BOOL  create_directory;
+  BOOL  notify_comsat;
+  BOOL  use_lockfile;
+  BOOL  set_use_lockfile;
+  BOOL  use_fcntl;
+  BOOL  set_use_fcntl;
+  BOOL  use_flock;
+  BOOL  set_use_flock;
+  BOOL  use_mbx_lock;
+  BOOL  set_use_mbx_lock;
+  BOOL  use_bsmtp;
+  BOOL  use_crlf;
+  BOOL  file_must_exist;
+  BOOL  mode_fail_narrower;
+  BOOL  maildir_format;
+  BOOL  maildir_use_size_file;
+  BOOL  mailstore_format;
+  BOOL  mbx_format;
+  BOOL  quota_warn_threshold_is_percent;
+  BOOL  quota_is_inclusive;
+  BOOL  quota_no_check;
+  BOOL  quota_filecount_no_check;
+} appendfile_transport_options_block;
+
+/* Restricted creation options */
+
+enum { create_anywhere, create_belowhome, create_inhome };
+
+/* Data for reading the private options. */
+
+extern optionlist appendfile_transport_options[];
+extern int appendfile_transport_options_count;
+
+/* Block containing default values. */
+
+extern appendfile_transport_options_block appendfile_transport_option_defaults;
+
+/* The main and init entry points for the transport */
+
+extern BOOL appendfile_transport_entry(transport_instance *, address_item *);
+extern void appendfile_transport_init(transport_instance *);
+
+/* Function that is shared with tf_maildir.c */
+
+extern off_t  check_dir_size(const uschar *, int *, const pcre2_code *);
+
+/* End of transports/appendfile.h */
diff --git a/src/transports/autoreply.c b/src/transports/autoreply.c
new file mode 100644
index 0000000..211e328
--- /dev/null
+++ b/src/transports/autoreply.c
@@ -0,0 +1,821 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "autoreply.h"
+
+
+
+/* Options specific to the autoreply transport. They must be in alphabetic
+order (note that "_" comes before the lower case letters). Those starting
+with "*" are not settable by the user but are used by the option-reading
+software for alternative value types. Some options are publicly visible and so
+are stored in the driver instance block. These are flagged with opt_public. */
+#define LOFF(field) OPT_OFF(autoreply_transport_options_block, field)
+
+optionlist autoreply_transport_options[] = {
+  { "bcc",               opt_stringptr,	LOFF(bcc) },
+  { "cc",                opt_stringptr,	LOFF(cc) },
+  { "file",              opt_stringptr,	LOFF(file) },
+  { "file_expand",     opt_bool,	LOFF(file_expand) },
+  { "file_optional",     opt_bool,	LOFF(file_optional) },
+  { "from",              opt_stringptr,	LOFF(from) },
+  { "headers",           opt_stringptr,	LOFF(headers) },
+  { "log",               opt_stringptr,	LOFF(logfile) },
+  { "mode",              opt_octint,	LOFF(mode) },
+  { "never_mail",        opt_stringptr,	LOFF(never_mail) },
+  { "once",              opt_stringptr,	LOFF(oncelog) },
+  { "once_file_size",    opt_int,	LOFF(once_file_size) },
+  { "once_repeat",       opt_stringptr,	LOFF(once_repeat) },
+  { "reply_to",          opt_stringptr,	LOFF(reply_to) },
+  { "return_message",    opt_bool,	LOFF(return_message) },
+  { "subject",           opt_stringptr,	LOFF(subject) },
+  { "text",              opt_stringptr,	LOFF(text) },
+  { "to",                opt_stringptr,	LOFF(to) },
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int autoreply_transport_options_count =
+  sizeof(autoreply_transport_options)/sizeof(optionlist);
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+autoreply_transport_options_block autoreply_transport_option_defaults = {0};
+void autoreply_transport_init(transport_instance *tblock) {}
+BOOL autoreply_transport_entry(transport_instance *tblock, address_item *addr) {return FALSE;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+/* Default private options block for the autoreply transport.
+All non-mentioned lements zero/null/false. */
+
+autoreply_transport_options_block autoreply_transport_option_defaults = {
+  .mode = 0600,
+};
+
+
+
+/* Type of text for the checkexpand() function */
+
+enum { cke_text, cke_hdr, cke_file };
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up. */
+
+void
+autoreply_transport_init(transport_instance *tblock)
+{
+/*
+autoreply_transport_options_block *ob =
+  (autoreply_transport_options_block *)(tblock->options_block);
+*/
+
+/* If a fixed uid field is set, then a gid field must also be set. */
+
+if (tblock->uid_set && !tblock->gid_set && tblock->expand_gid == NULL)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "user set without group for the %s transport", tblock->name);
+}
+
+
+
+
+/*************************************************
+*          Expand string and check               *
+*************************************************/
+
+/* If the expansion fails, the error is set up in the address. Expanded
+strings must be checked to ensure they contain only printing characters
+and white space. If not, the function fails.
+
+Arguments:
+   s         string to expand
+   addr      address that is being worked on
+   name      transport name, for error text
+   type      type, for checking content:
+               cke_text => no check
+               cke_hdr  => header, allow \n + whitespace
+               cke_file => file name, no non-printers allowed
+
+Returns:     expanded string if expansion succeeds;
+             NULL otherwise
+*/
+
+static uschar *
+checkexpand(uschar *s, address_item *addr, uschar *name, int type)
+{
+uschar *ss = expand_string(s);
+
+if (!ss)
+  {
+  addr->transport_return = FAIL;
+  addr->message = string_sprintf("Expansion of \"%s\" failed in %s transport: "
+    "%s", s, name, expand_string_message);
+  return NULL;
+  }
+
+if (type != cke_text) for (uschar * t = ss; *t != 0; t++)
+  {
+  int c = *t;
+  const uschar * sp;
+  if (mac_isprint(c)) continue;
+  if (type == cke_hdr && c == '\n' && (t[1] == ' ' || t[1] == '\t')) continue;
+  sp = string_printing(s);
+  addr->transport_return = FAIL;
+  addr->message = string_sprintf("Expansion of \"%s\" in %s transport "
+    "contains non-printing character %d", sp, name, c);
+  return NULL;
+  }
+
+return ss;
+}
+
+
+
+
+/*************************************************
+*          Check a header line for never_mail    *
+*************************************************/
+
+/* This is called to check to, cc, and bcc for addresses in the never_mail
+list. Any that are found are removed.
+
+Arguments:
+  list        list of addresses to be checked
+  never_mail  an address list, already expanded
+
+Returns:      edited replacement address list, or NULL, or original
+*/
+
+static uschar *
+check_never_mail(uschar * list, const uschar * never_mail)
+{
+rmark reset_point = store_mark();
+uschar * newlist = string_copy(list);
+uschar * s = newlist;
+BOOL hit = FALSE;
+
+while (*s)
+  {
+  uschar *error, *next;
+  uschar *e = parse_find_address_end(s, FALSE);
+  int terminator = *e;
+  int start, end, domain, rc;
+
+  /* Temporarily terminate the string at the address end while extracting
+  the operative address within. */
+
+  *e = 0;
+  next = parse_extract_address(s, &error, &start, &end, &domain, FALSE);
+  *e = terminator;
+
+  /* If there is some kind of syntax error, just give up on this header
+  line. */
+
+  if (!next) break;
+
+  /* See if the address is on the never_mail list */
+
+  rc = match_address_list(next,         /* address to check */
+                          TRUE,         /* start caseless */
+                          FALSE,        /* don't expand the list */
+                          &never_mail,  /* the list */
+                          NULL,         /* no caching */
+                          -1,           /* no expand setup */
+                          0,            /* separator from list */
+                          NULL);        /* no lookup value return */
+
+  if (rc == OK)                         /* Remove this address */
+    {
+    DEBUG(D_transport)
+      debug_printf("discarding recipient %s (matched never_mail)\n", next);
+    hit = TRUE;
+    if (terminator == ',') e++;
+    memmove(s, e, Ustrlen(e) + 1);
+    }
+  else                                  /* Skip over this address */
+    {
+    s = e;
+    if (terminator == ',') s++;
+    }
+  }
+
+/* If no addresses were removed, retrieve the memory used and return
+the original. */
+
+if (!hit)
+  {
+  store_reset(reset_point);
+  return list;
+  }
+
+/* Check to see if we removed the last address, leaving a terminating comma
+that needs to be removed */
+
+s = newlist + Ustrlen(newlist);
+while (s > newlist && (isspace(s[-1]) || s[-1] == ',')) s--;
+*s = 0;
+
+/* Check to see if there any addresses left; if not, return NULL */
+
+s = newlist;
+while (s && isspace(*s)) s++;
+if (*s)
+  return newlist;
+
+store_reset(reset_point);
+return NULL;
+}
+
+
+
+/*************************************************
+*              Main entry point                  *
+*************************************************/
+
+/* See local README for interface details. This transport always returns
+FALSE, indicating that the top address has the status for all - though in fact
+this transport can handle only one address at at time anyway. */
+
+BOOL
+autoreply_transport_entry(
+  transport_instance *tblock,      /* data for this instantiation */
+  address_item *addr)              /* address we are working on */
+{
+int fd, pid, rc;
+int cache_fd = -1;
+int cache_size = 0;
+int add_size = 0;
+EXIM_DB * dbm_file = NULL;
+BOOL file_expand, return_message;
+uschar *from, *reply_to, *to, *cc, *bcc, *subject, *headers, *text, *file;
+uschar *logfile, *oncelog;
+uschar *cache_buff = NULL;
+uschar *cache_time = NULL;
+uschar *message_id = NULL;
+header_line *h;
+time_t now = time(NULL);
+time_t once_repeat_sec = 0;
+FILE *fp;
+FILE *ff = NULL;
+
+autoreply_transport_options_block *ob =
+  (autoreply_transport_options_block *)(tblock->options_block);
+
+DEBUG(D_transport) debug_printf("%s transport entered\n", tblock->name);
+
+/* Set up for the good case */
+
+addr->transport_return = OK;
+addr->basic_errno = 0;
+
+/* If the address is pointing to a reply block, then take all the data
+from that block. It has typically been set up by a mail filter processing
+router. Otherwise, the data must be supplied by this transport, and
+it has to be expanded here. */
+
+if (addr->reply)
+  {
+  DEBUG(D_transport) debug_printf("taking data from address\n");
+  from = addr->reply->from;
+  reply_to = addr->reply->reply_to;
+  to = addr->reply->to;
+  cc = addr->reply->cc;
+  bcc = addr->reply->bcc;
+  subject = addr->reply->subject;
+  headers = addr->reply->headers;
+  text = addr->reply->text;
+  file = addr->reply->file;
+  logfile = addr->reply->logfile;
+  oncelog = addr->reply->oncelog;
+  once_repeat_sec = addr->reply->once_repeat;
+  file_expand = addr->reply->file_expand;
+  expand_forbid = addr->reply->expand_forbid;
+  return_message = addr->reply->return_message;
+  }
+else
+  {
+  uschar *oncerepeat = ob->once_repeat;
+
+  DEBUG(D_transport) debug_printf("taking data from transport\n");
+  from = ob->from;
+  reply_to = ob->reply_to;
+  to = ob->to;
+  cc = ob->cc;
+  bcc = ob->bcc;
+  subject = ob->subject;
+  headers = ob->headers;
+  text = ob->text;
+  file = ob->file;
+  logfile = ob->logfile;
+  oncelog = ob->oncelog;
+  file_expand = ob->file_expand;
+  return_message = ob->return_message;
+
+  if (  from && !(from = checkexpand(from, addr, tblock->name, cke_hdr))
+     || reply_to && !(reply_to = checkexpand(reply_to, addr, tblock->name, cke_hdr))
+     || to && !(to = checkexpand(to, addr, tblock->name, cke_hdr))
+     || cc && !(cc = checkexpand(cc, addr, tblock->name, cke_hdr))
+     || bcc && !(bcc = checkexpand(bcc, addr, tblock->name, cke_hdr))
+     || subject && !(subject = checkexpand(subject, addr, tblock->name, cke_hdr))
+     || headers && !(headers = checkexpand(headers, addr, tblock->name, cke_text))
+     || text && !(text = checkexpand(text, addr, tblock->name, cke_text))
+     || file && !(file = checkexpand(file, addr, tblock->name, cke_file))
+     || logfile && !(logfile = checkexpand(logfile, addr, tblock->name, cke_file))
+     || oncelog && !(oncelog = checkexpand(oncelog, addr, tblock->name, cke_file))
+     || oncerepeat && !(oncerepeat = checkexpand(oncerepeat, addr, tblock->name, cke_file))
+     )
+    return FALSE;
+
+  if (oncerepeat)
+    if ((once_repeat_sec = readconf_readtime(oncerepeat, 0, FALSE)) < 0)
+      {
+      addr->transport_return = FAIL;
+      addr->message = string_sprintf("Invalid time value \"%s\" for "
+        "\"once_repeat\" in %s transport", oncerepeat, tblock->name);
+      return FALSE;
+      }
+  }
+
+/* If the never_mail option is set, we have to scan all the recipients and
+remove those that match. */
+
+if (ob->never_mail)
+  {
+  const uschar *never_mail = expand_string(ob->never_mail);
+
+  if (!never_mail)
+    {
+    addr->transport_return = FAIL;
+    addr->message = string_sprintf("Failed to expand \"%s\" for "
+      "\"never_mail\" in %s transport", ob->never_mail, tblock->name);
+    return FALSE;
+    }
+
+  if (to) to = check_never_mail(to, never_mail);
+  if (cc) cc = check_never_mail(cc, never_mail);
+  if (bcc) bcc = check_never_mail(bcc, never_mail);
+
+  if (!to && !cc && !bcc)
+    {
+    DEBUG(D_transport)
+      debug_printf("*** all recipients removed by never_mail\n");
+    return OK;
+    }
+  }
+
+/* If the -N option is set, can't do any more. */
+
+if (f.dont_deliver)
+  {
+  DEBUG(D_transport)
+    debug_printf("*** delivery by %s transport bypassed by -N option\n",
+      tblock->name);
+  return FALSE;
+  }
+
+
+/* If the oncelog field is set, we send want to send only one message to the
+given recipient(s). This works only on the "To" field. If there is no "To"
+field, the message is always sent. If the To: field contains more than one
+recipient, the effect might not be quite as envisaged. If once_file_size is
+set, instead of a dbm file, we use a regular file containing a circular buffer
+recipient cache. */
+
+if (oncelog && *oncelog && to)
+  {
+  time_t then = 0;
+
+  if (is_tainted(oncelog))
+    {
+    addr->transport_return = DEFER;
+    addr->basic_errno = EACCES;
+    addr->message = string_sprintf("Tainted '%s' (once file for %s transport)"
+      " not permitted", oncelog, tblock->name);
+    goto END_OFF;
+    }
+
+  /* Handle fixed-size cache file. */
+
+  if (ob->once_file_size > 0)
+    {
+    uschar * nextp;
+    struct stat statbuf;
+
+    cache_fd = Uopen(oncelog, O_CREAT|O_RDWR, ob->mode);
+    if (cache_fd < 0 || fstat(cache_fd, &statbuf) != 0)
+      {
+      addr->transport_return = DEFER;
+      addr->basic_errno = errno;
+      addr->message = string_sprintf("Failed to %s \"once\" file %s when "
+        "sending message from %s transport: %s",
+        cache_fd < 0 ? "open" : "stat", oncelog, tblock->name, strerror(errno));
+      goto END_OFF;
+      }
+
+    /* Get store in the temporary pool and read the entire file into it. We get
+    an amount of store that is big enough to add the new entry on the end if we
+    need to do that. */
+
+    cache_size = statbuf.st_size;
+    add_size = sizeof(time_t) + Ustrlen(to) + 1;
+    cache_buff = store_get(cache_size + add_size, oncelog);
+
+    if (read(cache_fd, cache_buff, cache_size) != cache_size)
+      {
+      addr->transport_return = DEFER;
+      addr->basic_errno = errno;
+      addr->message = US"error while reading \"once\" file";
+      goto END_OFF;
+      }
+
+    DEBUG(D_transport) debug_printf("%d bytes read from %s\n", cache_size, oncelog);
+
+    /* Scan the data for this recipient. Each entry in the file starts with
+    a time_t sized time value, followed by the address, followed by a binary
+    zero. If we find a match, put the time into "then", and the place where it
+    was found into "cache_time". Otherwise, "then" is left at zero. */
+
+    for (uschar * p = cache_buff; p < cache_buff + cache_size; p = nextp)
+      {
+      uschar *s = p + sizeof(time_t);
+      nextp = s + Ustrlen(s) + 1;
+      if (Ustrcmp(to, s) == 0)
+        {
+        memcpy(&then, p, sizeof(time_t));
+        cache_time = p;
+        break;
+        }
+      }
+    }
+
+  /* Use a DBM file for the list of previous recipients. */
+
+  else
+    {
+    EXIM_DATUM key_datum, result_datum;
+    uschar * dirname, * s;
+
+    dirname = (s = Ustrrchr(oncelog, '/'))
+      ? string_copyn(oncelog, s - oncelog) : NULL;
+    if (!(dbm_file = exim_dbopen(oncelog, dirname, O_RDWR|O_CREAT, ob->mode)))
+      {
+      addr->transport_return = DEFER;
+      addr->basic_errno = errno;
+      addr->message = string_sprintf("Failed to open %s file %s when sending "
+        "message from %s transport: %s", EXIM_DBTYPE, oncelog, tblock->name,
+        strerror(errno));
+      goto END_OFF;
+      }
+
+    exim_datum_init(&key_datum);        /* Some DBM libraries need datums */
+    exim_datum_init(&result_datum);     /* to be cleared */
+    exim_datum_data_set(&key_datum, (void *) to);
+    exim_datum_size_set(&key_datum, Ustrlen(to) + 1);
+
+    if (exim_dbget(dbm_file, &key_datum, &result_datum))
+      {
+      /* If the datum size is that of a binary time, we are in the new world
+      where messages are sent periodically. Otherwise the file is an old one,
+      where the datum was filled with a tod_log time, which is assumed to be
+      different in size. For that, only one message is ever sent. This change
+      introduced at Exim 3.00. In a couple of years' time the test on the size
+      can be abolished. */
+
+      if (exim_datum_size_get(&result_datum) == sizeof(time_t))
+        memcpy(&then, exim_datum_data_get(&result_datum), sizeof(time_t));
+      else
+        then = now;
+      }
+    }
+
+  /* Either "then" is set zero, if no message has yet been sent, or it
+  is set to the time of the last sending. */
+
+  if (then != 0 && (once_repeat_sec <= 0 || now - then < once_repeat_sec))
+    {
+    int log_fd;
+    if (is_tainted(logfile))
+      {
+      addr->transport_return = DEFER;
+      addr->basic_errno = EACCES;
+      addr->message = string_sprintf("Tainted '%s' (logfile for %s transport)"
+	" not permitted", logfile, tblock->name);
+      goto END_OFF;
+      }
+
+    DEBUG(D_transport) debug_printf("message previously sent to %s%s\n", to,
+      (once_repeat_sec > 0)? " and repeat time not reached" : "");
+    log_fd = logfile ? Uopen(logfile, O_WRONLY|O_APPEND|O_CREAT, ob->mode) : -1;
+    if (log_fd >= 0)
+      {
+      uschar *ptr = log_buffer;
+      sprintf(CS ptr, "%s\n  previously sent to %.200s\n", tod_stamp(tod_log), to);
+      while(*ptr) ptr++;
+      if(write(log_fd, log_buffer, ptr - log_buffer) != ptr-log_buffer
+        || close(log_fd))
+        DEBUG(D_transport) debug_printf("Problem writing log file %s for %s "
+          "transport\n", logfile, tblock->name);
+      }
+    goto END_OFF;
+    }
+
+  DEBUG(D_transport) debug_printf("%s %s\n", (then <= 0)?
+    "no previous message sent to" : "repeat time reached for", to);
+  }
+
+/* We are going to send a message. Ensure any requested file is available. */
+if (file)
+  {
+  if (is_tainted(file))
+    {
+    addr->transport_return = DEFER;
+    addr->basic_errno = EACCES;
+    addr->message = string_sprintf("Tainted '%s' (file for %s transport)"
+      " not permitted", file, tblock->name);
+    return FALSE;
+    }
+  if (!(ff = Ufopen(file, "rb")) && !ob->file_optional)
+    {
+    addr->transport_return = DEFER;
+    addr->basic_errno = errno;
+    addr->message = string_sprintf("Failed to open file %s when sending "
+      "message from %s transport: %s", file, tblock->name, strerror(errno));
+    return FALSE;
+    }
+  }
+
+/* Make a subprocess to send the message */
+
+if ((pid = child_open_exim(&fd, US"autoreply")) < 0)
+  {
+  /* Creation of child failed; defer this delivery. */
+
+  addr->transport_return = DEFER;
+  addr->basic_errno = errno;
+  addr->message = string_sprintf("Failed to create child process to send "
+    "message from %s transport: %s", tblock->name, strerror(errno));
+  DEBUG(D_transport) debug_printf("%s\n", addr->message);
+  if (dbm_file) exim_dbclose(dbm_file);
+  return FALSE;
+  }
+
+/* Create the message to be sent - recipients are taken from the headers,
+as the -t option is used. The "headers" stuff *must* be last in case there
+are newlines in it which might, if placed earlier, screw up other headers. */
+
+fp = fdopen(fd, "wb");
+
+if (from) fprintf(fp, "From: %s\n", from);
+if (reply_to) fprintf(fp, "Reply-To: %s\n", reply_to);
+if (to) fprintf(fp, "To: %s\n", to);
+if (cc) fprintf(fp, "Cc: %s\n", cc);
+if (bcc) fprintf(fp, "Bcc: %s\n", bcc);
+if (subject) fprintf(fp, "Subject: %s\n", subject);
+
+/* Generate In-Reply-To from the message_id header; there should
+always be one, but code defensively. */
+
+for (h = header_list; h; h = h->next)
+  if (h->type == htype_id) break;
+
+if (h)
+  {
+  message_id = Ustrchr(h->text, ':') + 1;
+  while (isspace(*message_id)) message_id++;
+  fprintf(fp, "In-Reply-To: %s", message_id);
+  }
+
+moan_write_references(fp, message_id);
+
+/* Add an Auto-Submitted: header */
+
+fprintf(fp, "Auto-Submitted: auto-replied\n");
+
+/* Add any specially requested headers */
+
+if (headers) fprintf(fp, "%s\n", headers);
+fprintf(fp, "\n");
+
+if (text)
+  {
+  fprintf(fp, "%s", CS text);
+  if (text[Ustrlen(text)-1] != '\n') fprintf(fp, "\n");
+  }
+
+if (ff)
+  {
+  while (Ufgets(big_buffer, big_buffer_size, ff) != NULL)
+    {
+    if (file_expand)
+      {
+      uschar *s = expand_string(big_buffer);
+      DEBUG(D_transport)
+        {
+        if (!s)
+          debug_printf("error while expanding line from file:\n  %s\n  %s\n",
+            big_buffer, expand_string_message);
+        }
+      fprintf(fp, "%s", s ? CS s : CS big_buffer);
+      }
+    else fprintf(fp, "%s", CS big_buffer);
+    }
+  (void) fclose(ff);
+  }
+
+/* Copy the original message if required, observing the return size
+limit if we are returning the body. */
+
+if (return_message)
+  {
+  uschar *rubric = tblock->headers_only
+    ? US"------ This is a copy of the message's header lines.\n"
+    : tblock->body_only
+    ? US"------ This is a copy of the body of the message, without the headers.\n"
+    : US"------ This is a copy of the message, including all the headers.\n";
+  transport_ctx tctx = {
+    .u = {.fd = fileno(fp)},
+    .tblock = tblock,
+    .addr = addr,
+    .check_string = NULL,
+    .escape_string =  NULL,
+    .options = (tblock->body_only ? topt_no_headers : 0)
+    	| (tblock->headers_only ? topt_no_body : 0)
+    	| (tblock->return_path_add ? topt_add_return_path : 0)
+    	| (tblock->delivery_date_add ? topt_add_delivery_date : 0)
+    	| (tblock->envelope_to_add ? topt_add_envelope_to : 0)
+	| topt_not_socket
+  };
+
+  if (bounce_return_size_limit > 0 && !tblock->headers_only)
+    {
+    struct stat statbuf;
+    int max = (bounce_return_size_limit/DELIVER_IN_BUFFER_SIZE + 1) *
+      DELIVER_IN_BUFFER_SIZE;
+    if (fstat(deliver_datafile, &statbuf) == 0 && statbuf.st_size > max)
+      {
+      fprintf(fp, "\n%s"
+"------ The body of the message is " OFF_T_FMT " characters long; only the first\n"
+"------ %d or so are included here.\n\n", rubric, statbuf.st_size,
+        (max/1000)*1000);
+      }
+    else fprintf(fp, "\n%s\n", rubric);
+    }
+  else fprintf(fp, "\n%s\n", rubric);
+
+  fflush(fp);
+  transport_count = 0;
+  transport_write_message(&tctx, bounce_return_size_limit);
+  }
+
+/* End the message and wait for the child process to end; no timeout. */
+
+(void)fclose(fp);
+rc = child_close(pid, 0);
+
+/* Update the "sent to" log whatever the yield. This errs on the side of
+missing out a message rather than risking sending more than one. We either have
+cache_fd set to a fixed size, circular buffer file, or dbm_file set to an open
+DBM file (or neither, if "once" is not set). */
+
+/* Update fixed-size cache file. If cache_time is set, we found a previous
+entry; that is the spot into which to put the current time. Otherwise we have
+to add a new record; remove the first one in the file if the file is too big.
+We always rewrite the entire file in a single write operation. This is
+(hopefully) going to be the safest thing because there is no interlocking
+between multiple simultaneous deliveries. */
+
+if (cache_fd >= 0)
+  {
+  uschar *from = cache_buff;
+  int size = cache_size;
+
+  if (lseek(cache_fd, 0, SEEK_SET) == 0)
+    {
+    if (!cache_time)
+      {
+      cache_time = from + size;
+      memcpy(cache_time + sizeof(time_t), to, add_size - sizeof(time_t));
+      size += add_size;
+
+      if (cache_size > 0 && size > ob->once_file_size)
+	{
+	from += sizeof(time_t) + Ustrlen(from + sizeof(time_t)) + 1;
+	size -= (from - cache_buff);
+	}
+      }
+
+    memcpy(cache_time, &now, sizeof(time_t));
+    if(write(cache_fd, from, size) != size)
+      DEBUG(D_transport) debug_printf("Problem writing cache file %s for %s "
+	"transport\n", oncelog, tblock->name);
+    }
+  }
+
+/* Update DBM file */
+
+else if (dbm_file)
+  {
+  EXIM_DATUM key_datum, value_datum;
+  exim_datum_init(&key_datum);          /* Some DBM libraries need to have */
+  exim_datum_init(&value_datum);        /* cleared datums. */
+  exim_datum_data_set(&key_datum, to);
+  exim_datum_size_set(&key_datum, Ustrlen(to) + 1);
+
+  /* Many OS define the datum value, sensibly, as a void *. However, there
+  are some which still have char *. By casting this address to a char * we
+  can avoid warning messages from the char * systems. */
+
+  exim_datum_data_set(&value_datum, &now);
+  exim_datum_size_set(&value_datum, sizeof(time_t));
+  exim_dbput(dbm_file, &key_datum, &value_datum);
+  }
+
+/* If sending failed, defer to try again - but if once is set the next
+try will skip, of course. However, if there were no recipients in the
+message, we do not fail. */
+
+if (rc != 0)
+  if (rc == EXIT_NORECIPIENTS)
+    {
+    DEBUG(D_any) debug_printf("%s transport: message contained no recipients\n",
+      tblock->name);
+    }
+  else
+    {
+    addr->transport_return = DEFER;
+    addr->message = string_sprintf("Failed to send message from %s "
+      "transport (%d)", tblock->name, rc);
+    goto END_OFF;
+    }
+
+/* Log the sending of the message if successful and required. If the file
+fails to open, it's hard to know what to do. We cannot write to the Exim
+log from here, since we may be running under an unprivileged uid. We don't
+want to fail the delivery, since the message has been successfully sent. For
+the moment, ignore open failures. Write the log entry as a single write() to a
+file opened for appending, in order to avoid interleaving of output from
+different processes. The log_buffer can be used exactly as for main log
+writing. */
+
+if (logfile)
+  {
+  int log_fd = Uopen(logfile, O_WRONLY|O_APPEND|O_CREAT, ob->mode);
+  if (log_fd >= 0)
+    {
+    gstring gs = { .size = LOG_BUFFER_SIZE, .ptr = 0, .s = log_buffer }, *g = &gs;
+
+    /* Use taint-unchecked routines for writing into log_buffer, trusting
+    that we'll never expand it. */
+
+    DEBUG(D_transport) debug_printf("logging message details\n");
+    g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, "%s\n", tod_stamp(tod_log));
+    if (from)
+      g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, "  From: %s\n", from);
+    if (to)
+      g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, "  To: %s\n", to);
+    if (cc)
+      g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, "  Cc: %s\n", cc);
+    if (bcc)
+      g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, "  Bcc: %s\n", bcc);
+    if (subject)
+      g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, "  Subject: %s\n", subject);
+    if (headers)
+      g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, "  %s\n", headers);
+    if(write(log_fd, g->s, g->ptr) != g->ptr || close(log_fd))
+      DEBUG(D_transport) debug_printf("Problem writing log file %s for %s "
+        "transport\n", logfile, tblock->name);
+    }
+  else DEBUG(D_transport) debug_printf("Failed to open log file %s for %s "
+    "transport: %s\n", logfile, tblock->name, strerror(errno));
+  }
+
+END_OFF:
+if (dbm_file) exim_dbclose(dbm_file);
+if (cache_fd > 0) (void)close(cache_fd);
+
+DEBUG(D_transport) debug_printf("%s transport succeeded\n", tblock->name);
+
+return FALSE;
+}
+
+#endif	/*!MACRO_PREDEF*/
+/* End of transport/autoreply.c */
diff --git a/src/transports/autoreply.h b/src/transports/autoreply.h
new file mode 100644
index 0000000..fcfd981
--- /dev/null
+++ b/src/transports/autoreply.h
@@ -0,0 +1,45 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Private structure for the private options. */
+
+typedef struct {
+  uschar *from;
+  uschar *reply_to;
+  uschar *to;
+  uschar *cc;
+  uschar *bcc;
+  uschar *subject;
+  uschar *headers;
+  uschar *text;
+  uschar *file;
+  uschar *logfile;
+  uschar *oncelog;
+  uschar *once_repeat;
+  uschar *never_mail;
+  int   mode;
+  off_t once_file_size;
+  BOOL  file_expand;
+  BOOL  file_optional;
+  BOOL  return_message;
+} autoreply_transport_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist autoreply_transport_options[];
+extern int autoreply_transport_options_count;
+
+/* Block containing default values. */
+
+extern autoreply_transport_options_block autoreply_transport_option_defaults;
+
+/* The main and init entry points for the transport */
+
+extern BOOL autoreply_transport_entry(transport_instance *, address_item *);
+extern void autoreply_transport_init(transport_instance *);
+
+/* End of transports/autoreply.h */
diff --git a/src/transports/lmtp.c b/src/transports/lmtp.c
new file mode 100644
index 0000000..f751771
--- /dev/null
+++ b/src/transports/lmtp.c
@@ -0,0 +1,809 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "lmtp.h"
+
+#define PENDING_OK 256
+
+
+/* Options specific to the lmtp transport. They must be in alphabetic
+order (note that "_" comes before the lower case letters). Those starting
+with "*" are not settable by the user but are used by the option-reading
+software for alternative value types. Some options are stored in the transport
+instance block so as to be publicly visible; these are flagged with opt_public.
+*/
+
+optionlist lmtp_transport_options[] = {
+  { "batch_id",          opt_stringptr | opt_public,
+      OPT_OFF(transport_instance, batch_id) },
+  { "batch_max",         opt_int | opt_public,
+      OPT_OFF(transport_instance, batch_max) },
+  { "command",           opt_stringptr,
+      OPT_OFF(lmtp_transport_options_block, cmd) },
+  { "ignore_quota",      opt_bool,
+      OPT_OFF(lmtp_transport_options_block, ignore_quota) },
+  { "socket",            opt_stringptr,
+      OPT_OFF(lmtp_transport_options_block, skt) },
+  { "timeout",           opt_time,
+      OPT_OFF(lmtp_transport_options_block, timeout) }
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int lmtp_transport_options_count =
+  sizeof(lmtp_transport_options)/sizeof(optionlist);
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+lmtp_transport_options_block lmtp_transport_option_defaults = {0};
+void lmtp_transport_init(transport_instance *tblock) {}
+BOOL lmtp_transport_entry(transport_instance *tblock, address_item *addr) {return FALSE;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+/* Default private options block for the lmtp transport. */
+
+lmtp_transport_options_block lmtp_transport_option_defaults = {
+  NULL,           /* cmd */
+  NULL,           /* skt */
+  5*60,           /* timeout */
+  0,              /* options */
+  FALSE           /* ignore_quota */
+};
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up. */
+
+void
+lmtp_transport_init(transport_instance *tblock)
+{
+lmtp_transport_options_block *ob =
+  (lmtp_transport_options_block *)(tblock->options_block);
+
+/* Either the command field or the socket field must be set */
+
+if ((ob->cmd == NULL) == (ob->skt == NULL))
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "one (and only one) of command or socket must be set for the %s transport",
+    tblock->name);
+
+/* If a fixed uid field is set, then a gid field must also be set. */
+
+if (tblock->uid_set && !tblock->gid_set && tblock->expand_gid == NULL)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "user set without group for the %s transport", tblock->name);
+
+/* Set up the bitwise options for transport_write_message from the various
+driver options. Only one of body_only and headers_only can be set. */
+
+ob->options |=
+  (tblock->body_only? topt_no_headers : 0) |
+  (tblock->headers_only? topt_no_body : 0) |
+  (tblock->return_path_add? topt_add_return_path : 0) |
+  (tblock->delivery_date_add? topt_add_delivery_date : 0) |
+  (tblock->envelope_to_add? topt_add_envelope_to : 0) |
+  topt_use_crlf | topt_end_dot;
+}
+
+
+/*************************************************
+*          Check an LMTP response                *
+*************************************************/
+
+/* This function is given an errno code and the LMTP response buffer to
+analyse. It sets an appropriate message and puts the first digit of the
+response code into the yield variable. If no response was actually read, a
+suitable digit is chosen.
+
+Arguments:
+  errno_value  pointer to the errno value
+  more_errno   from the top address for use with ERRNO_FILTER_FAIL
+  buffer       the LMTP response buffer
+  yield        where to put a one-digit LMTP response code
+  message      where to put an error message
+
+Returns:       TRUE if a "QUIT" command should be sent, else FALSE
+*/
+
+static BOOL
+check_response(int *errno_value, int more_errno, uschar *buffer,
+  int *yield, uschar **message)
+{
+*yield = '4';    /* Default setting is to give a temporary error */
+
+/* Handle response timeout */
+
+if (*errno_value == ETIMEDOUT)
+  {
+  *message = string_sprintf("LMTP timeout after %s", big_buffer);
+  if (transport_count > 0)
+    *message = string_sprintf("%s (%d bytes written)", *message,
+      transport_count);
+  *errno_value = 0;
+  return FALSE;
+  }
+
+/* Handle malformed LMTP response */
+
+if (*errno_value == ERRNO_SMTPFORMAT)
+  {
+  *message = string_sprintf("Malformed LMTP response after %s: %s",
+    big_buffer, string_printing(buffer));
+  return FALSE;
+  }
+
+/* Handle a failed filter process error; can't send QUIT as we mustn't
+end the DATA. */
+
+if (*errno_value == ERRNO_FILTER_FAIL)
+  {
+  *message = string_sprintf("transport filter process failed (%d)%s",
+    more_errno,
+    (more_errno == EX_EXECFAILED)? ": unable to execute command" : "");
+  return FALSE;
+  }
+
+/* Handle a failed add_headers expansion; can't send QUIT as we mustn't
+end the DATA. */
+
+if (*errno_value == ERRNO_CHHEADER_FAIL)
+  {
+  *message =
+    string_sprintf("failed to expand headers_add or headers_remove: %s",
+      expand_string_message);
+  return FALSE;
+  }
+
+/* Handle failure to write a complete data block */
+
+if (*errno_value == ERRNO_WRITEINCOMPLETE)
+  {
+  *message = US"failed to write a data block";
+  return FALSE;
+  }
+
+/* Handle error responses from the remote process. */
+
+if (buffer[0] != 0)
+  {
+  const uschar *s = string_printing(buffer);
+  *message = string_sprintf("LMTP error after %s: %s", big_buffer, s);
+  *yield = buffer[0];
+  return TRUE;
+  }
+
+/* No data was read. If there is no errno, this must be the EOF (i.e.
+connection closed) case, which causes deferral. Otherwise, leave the errno
+value to be interpreted. In all cases, we have to assume the connection is now
+dead. */
+
+if (*errno_value == 0)
+  {
+  *errno_value = ERRNO_SMTPCLOSED;
+  *message = string_sprintf("LMTP connection closed after %s", big_buffer);
+  }
+
+return FALSE;
+}
+
+
+
+/*************************************************
+*             Write LMTP command                 *
+*************************************************/
+
+/* The formatted command is left in big_buffer so that it can be reflected in
+any error message.
+
+Arguments:
+  fd         the fd to write to
+  format     a format, starting with one of
+             of HELO, MAIL FROM, RCPT TO, DATA, ".", or QUIT.
+  ...        data for the format
+
+Returns:     TRUE if successful, FALSE if not, with errno set
+*/
+
+static BOOL
+lmtp_write_command(int fd, const char *format, ...)
+{
+gstring gs = { .size = big_buffer_size, .ptr = 0, .s = big_buffer };
+int rc;
+va_list ap;
+
+/*XXX see comment in smtp_write_command() regarding leaving stuff in
+big_buffer */
+
+va_start(ap, format);
+if (!string_vformat(&gs, SVFMT_TAINT_NOCHK, CS format, ap))
+  {
+  va_end(ap);
+  errno = ERRNO_SMTPFORMAT;
+  return FALSE;
+  }
+va_end(ap);
+DEBUG(D_transport|D_v) debug_printf("  LMTP>> %s", string_from_gstring(&gs));
+rc = write(fd, gs.s, gs.ptr);
+gs.ptr -= 2; string_from_gstring(&gs); /* remove \r\n for debug and error message */
+if (rc > 0) return TRUE;
+DEBUG(D_transport) debug_printf("write failed: %s\n", strerror(errno));
+return FALSE;
+}
+
+
+
+
+/*************************************************
+*              Read LMTP response                *
+*************************************************/
+
+/* This function reads an LMTP response with a timeout, and returns the
+response in the given buffer. It also analyzes the first digit of the reply
+code and returns FALSE if it is not acceptable.
+
+FALSE is also returned after a reading error. In this case buffer[0] will be
+zero, and the error code will be in errno.
+
+Arguments:
+  f         a file to read from
+  buffer    where to put the response
+  size      the size of the buffer
+  okdigit   the expected first digit of the response
+  timeout   the timeout to use
+
+Returns:    TRUE if a valid, non-error response was received; else FALSE
+*/
+
+static BOOL
+lmtp_read_response(FILE *f, uschar *buffer, int size, int okdigit, int timeout)
+{
+int count;
+uschar *ptr = buffer;
+uschar *readptr = buffer;
+
+/* Ensure errno starts out zero */
+
+errno = 0;
+
+/* Loop for handling LMTP responses that do not all come in one line. */
+
+for (;;)
+  {
+  /* If buffer is too full, something has gone wrong. */
+
+  if (size < 10)
+    {
+    *readptr = 0;
+    errno = ERRNO_SMTPFORMAT;
+    return FALSE;
+    }
+
+  /* Loop to cover the read getting interrupted. */
+
+  for (;;)
+    {
+    char *rc;
+    int save_errno;
+
+    *readptr = 0;           /* In case nothing gets read */
+    sigalrm_seen = FALSE;
+    ALARM(timeout);
+    rc = Ufgets(readptr, size-1, f);
+    save_errno = errno;
+    ALARM_CLR(0);
+    errno = save_errno;
+
+    if (rc != NULL) break;  /* A line has been read */
+
+    /* Handle timeout; must do this first because it uses EINTR */
+
+    if (sigalrm_seen) errno = ETIMEDOUT;
+
+    /* If some other interrupt arrived, just retry. We presume this to be rare,
+    but it can happen (e.g. the SIGUSR1 signal sent by exiwhat causes
+    read() to exit). */
+
+    else if (errno == EINTR)
+      {
+      DEBUG(D_transport) debug_printf("EINTR while reading LMTP response\n");
+      continue;
+      }
+
+    /* Handle other errors, including EOF; ensure buffer is completely empty. */
+
+    buffer[0] = 0;
+    return FALSE;
+    }
+
+  /* Adjust size in case we have to read another line, and adjust the
+  count to be the length of the line we are about to inspect. */
+
+  count = Ustrlen(readptr);
+  size -= count;
+  count += readptr - ptr;
+
+  /* See if the final two characters in the buffer are \r\n. If not, we
+  have to read some more. At least, that is what we should do on a strict
+  interpretation of the RFC. But accept LF as well, as we do for SMTP. */
+
+  if (ptr[count-1] != '\n')
+    {
+    DEBUG(D_transport)
+      {
+      debug_printf("LMTP input line incomplete in one buffer:\n  ");
+      for (int i = 0; i < count; i++)
+        {
+        int c = (ptr[i]);
+        if (mac_isprint(c)) debug_printf("%c", c); else debug_printf("<%d>", c);
+        }
+      debug_printf("\n");
+      }
+    readptr = ptr + count;
+    continue;
+    }
+
+  /* Remove any whitespace at the end of the buffer. This gets rid of CR, LF
+  etc. at the end. Show it, if debugging, formatting multi-line responses. */
+
+  while (count > 0 && isspace(ptr[count-1])) count--;
+  ptr[count] = 0;
+
+  DEBUG(D_transport|D_v)
+    {
+    uschar *s = ptr;
+    uschar *t = ptr;
+    while (*t != 0)
+      {
+      while (*t != 0 && *t != '\n') t++;
+      debug_printf("  %s %*s\n", (s == ptr)? "LMTP<<" : "      ",
+        (int)(t-s), s);
+      if (*t == 0) break;
+      s = t = t + 1;
+      }
+    }
+
+  /* Check the format of the response: it must start with three digits; if
+  these are followed by a space or end of line, the response is complete. If
+  they are followed by '-' this is a multi-line response and we must look for
+  another line until the final line is reached. The only use made of multi-line
+  responses is to pass them back as error messages. We therefore just
+  concatenate them all within the buffer, which should be large enough to
+  accept any reasonable number of lines. A multiline response may already
+  have been read in one go - hence the loop here. */
+
+  for(;;)
+    {
+    uschar *p;
+    if (count < 3 ||
+       !isdigit(ptr[0]) ||
+       !isdigit(ptr[1]) ||
+       !isdigit(ptr[2]) ||
+       (ptr[3] != '-' && ptr[3] != ' ' && ptr[3] != 0))
+      {
+      errno = ERRNO_SMTPFORMAT;    /* format error */
+      return FALSE;
+      }
+
+    /* If a single-line response, exit the loop */
+
+    if (ptr[3] != '-') break;
+
+    /* For a multi-line response see if the next line is already read, and if
+    so, stay in this loop to check it. */
+
+    p = ptr + 3;
+    while (*(++p) != 0)
+      {
+      if (*p == '\n')
+        {
+        ptr = ++p;
+        break;
+        }
+      }
+    if (*p == 0) break;   /* No more lines to check */
+    }
+
+  /* End of response. If the last of the lines we are looking at is the final
+  line, we are done. Otherwise more data has to be read. */
+
+  if (ptr[3] != '-') break;
+
+  /* Move the reading pointer upwards in the buffer and insert \n in case this
+  is an error message that subsequently gets printed. Set the scanning pointer
+  to the reading pointer position. */
+
+  ptr += count;
+  *ptr++ = '\n';
+  size--;
+  readptr = ptr;
+  }
+
+/* Return a value that depends on the LMTP return code. Ensure that errno is
+zero, because the caller of this function looks at errno when FALSE is
+returned, to distinguish between an unexpected return code and other errors
+such as timeouts, lost connections, etc. */
+
+errno = 0;
+return buffer[0] == okdigit;
+}
+
+
+
+
+
+
+/*************************************************
+*              Main entry point                  *
+*************************************************/
+
+/* See local README for interface details. For setup-errors, this transport
+returns FALSE, indicating that the first address has the status for all; in
+normal cases it returns TRUE, indicating that each address has its own status
+set. */
+
+BOOL
+lmtp_transport_entry(
+  transport_instance *tblock,      /* data for this instantiation */
+  address_item *addrlist)          /* address(es) we are working on */
+{
+pid_t pid = 0;
+FILE *out;
+lmtp_transport_options_block *ob =
+  (lmtp_transport_options_block *)(tblock->options_block);
+struct sockaddr_un sockun;         /* don't call this "sun" ! */
+int timeout = ob->timeout;
+int fd_in = -1, fd_out = -1;
+int code, save_errno;
+BOOL send_data;
+BOOL yield = FALSE;
+uschar *igquotstr = US"";
+uschar *sockname = NULL;
+const uschar **argv;
+uschar buffer[256];
+
+DEBUG(D_transport) debug_printf("%s transport entered\n", tblock->name);
+
+/* Initialization ensures that either a command or a socket is specified, but
+not both. When a command is specified, call the common function for creating an
+argument list and expanding the items. */
+
+if (ob->cmd)
+  {
+  DEBUG(D_transport) debug_printf("using command %s\n", ob->cmd);
+  sprintf(CS buffer, "%.50s transport", tblock->name);
+  if (!transport_set_up_command(&argv, ob->cmd, TRUE, PANIC, addrlist, FALSE,
+	buffer, NULL))
+    return FALSE;
+
+  /* If the -N option is set, can't do any more. Presume all has gone well. */
+  if (f.dont_deliver)
+    goto MINUS_N;
+
+/* As this is a local transport, we are already running with the required
+uid/gid and current directory. Request that the new process be a process group
+leader, so we can kill it and all its children on an error. */
+
+  if ((pid = child_open(USS argv, NULL, 0, &fd_in, &fd_out, TRUE,
+			US"lmtp-tpt-cmd")) < 0)
+    {
+    addrlist->message = string_sprintf(
+      "Failed to create child process for %s transport: %s", tblock->name,
+        strerror(errno));
+    return FALSE;
+    }
+  }
+
+/* When a socket is specified, expand the string and create a socket. */
+
+else
+  {
+  DEBUG(D_transport) debug_printf("using socket %s\n", ob->skt);
+  if (!(sockname = expand_string(ob->skt)))
+    {
+    addrlist->message = string_sprintf("Expansion of \"%s\" (socket setting "
+      "for %s transport) failed: %s", ob->skt, tblock->name,
+      expand_string_message);
+    return FALSE;
+    }
+  if ((fd_in = fd_out = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
+    {
+    addrlist->message = string_sprintf(
+      "Failed to create socket %s for %s transport: %s",
+        ob->skt, tblock->name, strerror(errno));
+    return FALSE;
+    }
+
+  /* If the -N option is set, can't do any more. Presume all has gone well. */
+  if (f.dont_deliver)
+    goto MINUS_N;
+
+  sockun.sun_family = AF_UNIX;
+  sprintf(sockun.sun_path, "%.*s", (int)(sizeof(sockun.sun_path)-1), sockname);
+  if(connect(fd_out, (struct sockaddr *)(&sockun), sizeof(sockun)) == -1)
+    {
+    addrlist->message = string_sprintf(
+      "Failed to connect to socket %s for %s transport: %s",
+        sockun.sun_path, tblock->name, strerror(errno));
+    return FALSE;
+    }
+  }
+
+
+/* Make the output we are going to read into a file. */
+
+out = fdopen(fd_out, "rb");
+
+/* Now we must implement the LMTP protocol. It is like SMTP, except that after
+the end of the message, a return code for every accepted RCPT TO is sent. This
+allows for message+recipient checks after the message has been received. */
+
+/* First thing is to wait for an initial greeting. */
+
+Ustrcpy(big_buffer, US"initial connection");
+if (!lmtp_read_response(out, buffer, sizeof(buffer), '2', timeout))
+  goto RESPONSE_FAILED;
+
+/* Next, we send a LHLO command, and expect a positive response */
+
+if (!lmtp_write_command(fd_in, "%s %s\r\n", "LHLO", primary_hostname))
+  goto WRITE_FAILED;
+
+if (!lmtp_read_response(out, buffer, sizeof(buffer), '2', timeout))
+  goto RESPONSE_FAILED;
+
+/* If the ignore_quota option is set, note whether the server supports the
+IGNOREQUOTA option, and if so, set an appropriate addition for RCPT. */
+
+if (ob->ignore_quota)
+  igquotstr = regex_match(regex_IGNOREQUOTA, buffer, -1, NULL)
+    ? US" IGNOREQUOTA" : US"";
+
+/* Now the envelope sender */
+
+if (!lmtp_write_command(fd_in, "MAIL FROM:<%s>\r\n", return_path))
+  goto WRITE_FAILED;
+
+if (!lmtp_read_response(out, buffer, sizeof(buffer), '2', timeout))
+  {
+  if (errno == 0 && buffer[0] == '4')
+    {
+    errno = ERRNO_MAIL4XX;
+    addrlist->more_errno |= ((buffer[1] - '0')*10 + buffer[2] - '0') << 8;
+    }
+  goto RESPONSE_FAILED;
+  }
+
+/* Next, we hand over all the recipients. Some may be permanently or
+temporarily rejected; others may be accepted, for now. */
+
+send_data = FALSE;
+for (address_item * addr = addrlist; addr; addr = addr->next)
+  {
+  if (!lmtp_write_command(fd_in, "RCPT TO:<%s>%s\r\n",
+       transport_rcpt_address(addr, tblock->rcpt_include_affixes), igquotstr))
+    goto WRITE_FAILED;
+  if (lmtp_read_response(out, buffer, sizeof(buffer), '2', timeout))
+    {
+    send_data = TRUE;
+    addr->transport_return = PENDING_OK;
+    }
+  else
+    {
+    if (errno != 0 || buffer[0] == 0) goto RESPONSE_FAILED;
+    addr->message = string_sprintf("LMTP error after %s: %s", big_buffer,
+      string_printing(buffer));
+    setflag(addr, af_pass_message);   /* Allow message to go to user */
+    if (buffer[0] == '5') addr->transport_return = FAIL; else
+      {
+      addr->basic_errno = ERRNO_RCPT4XX;
+      addr->more_errno |= ((buffer[1] - '0')*10 + buffer[2] - '0') << 8;
+      }
+    }
+  }
+
+/* Now send the text of the message if there were any good recipients. */
+
+if (send_data)
+  {
+  BOOL ok;
+  transport_ctx tctx = {
+    {fd_in},
+    tblock,
+    addrlist,
+    US".", US"..",
+    ob->options
+  };
+
+  if (!lmtp_write_command(fd_in, "DATA\r\n")) goto WRITE_FAILED;
+  if (!lmtp_read_response(out, buffer, sizeof(buffer), '3', timeout))
+    {
+    if (errno == 0 && buffer[0] == '4')
+      {
+      errno = ERRNO_DATA4XX;
+      addrlist->more_errno |= ((buffer[1] - '0')*10 + buffer[2] - '0') << 8;
+      }
+    goto RESPONSE_FAILED;
+    }
+
+  sigalrm_seen = FALSE;
+  transport_write_timeout = timeout;
+  Ustrcpy(big_buffer, US"sending data block");   /* For error messages */
+  DEBUG(D_transport|D_v)
+    debug_printf("  LMTP>> writing message and terminating \".\"\n");
+
+  transport_count = 0;
+  ok = transport_write_message(&tctx, 0);
+
+  /* Failure can either be some kind of I/O disaster (including timeout),
+  or the failure of a transport filter or the expansion of added headers. */
+
+  if (!ok)
+    {
+    buffer[0] = 0;              /* There hasn't been a response */
+    goto RESPONSE_FAILED;
+    }
+
+  Ustrcpy(big_buffer, US"end of data");   /* For error messages */
+
+  /* We now expect a response for every address that was accepted above,
+  in the same order. For those that get a response, their status is fixed;
+  any that are accepted have been handed over, even if later responses crash -
+  at least, that's how I read RFC 2033. */
+
+  for (address_item * addr = addrlist; addr; addr = addr->next)
+    {
+    if (addr->transport_return != PENDING_OK) continue;
+
+    if (lmtp_read_response(out, buffer, sizeof(buffer), '2', timeout))
+      {
+      addr->transport_return = OK;
+      if (LOGGING(smtp_confirmation))
+        {
+        const uschar *s = string_printing(buffer);
+	/* de-const safe here as string_printing known to have alloc'n'copied */
+        addr->message = (s == buffer)? US string_copy(s) : US s;
+        }
+      }
+    /* If the response has failed badly, use it for all the remaining pending
+    addresses and give up. */
+
+    else if (errno != 0 || buffer[0] == 0)
+      {
+      save_errno = errno;
+      check_response(&save_errno, addr->more_errno, buffer, &code,
+        &(addr->message));
+      addr->transport_return = (code == '5')? FAIL : DEFER;
+      for (address_item * a = addr->next; a; a = a->next)
+        {
+        if (a->transport_return != PENDING_OK) continue;
+        a->basic_errno = addr->basic_errno;
+        a->message = addr->message;
+        a->transport_return = addr->transport_return;
+        }
+      break;
+      }
+
+    /* Otherwise, it's an LMTP error code return for one address */
+
+    else
+      {
+      if (buffer[0] == '4')
+        {
+        addr->basic_errno = ERRNO_DATA4XX;
+        addr->more_errno |= ((buffer[1] - '0')*10 + buffer[2] - '0') << 8;
+        }
+      addr->message = string_sprintf("LMTP error after %s: %s", big_buffer,
+        string_printing(buffer));
+      addr->transport_return = (buffer[0] == '5')? FAIL : DEFER;
+      setflag(addr, af_pass_message);   /* Allow message to go to user */
+      }
+    }
+  }
+
+/* The message transaction has completed successfully - this doesn't mean that
+all the addresses have necessarily been transferred, but each has its status
+set, so we change the yield to TRUE. */
+
+yield = TRUE;
+(void) lmtp_write_command(fd_in, "QUIT\r\n");
+(void) lmtp_read_response(out, buffer, sizeof(buffer), '2', 1);
+
+goto RETURN;
+
+
+/* Come here if any call to read_response, other than a response after the data
+phase, failed. Put the error in the top address - this will be replicated
+because the yield is still FALSE. (But omit ETIMEDOUT, as there will already be
+a suitable message.) Analyse the error, and if if isn't too bad, send a QUIT
+command. Wait for the response with a short timeout, so we don't wind up this
+process before the far end has had time to read the QUIT. */
+
+RESPONSE_FAILED:
+
+save_errno = errno;
+if (errno != ETIMEDOUT && errno != 0) addrlist->basic_errno = errno;
+addrlist->message = NULL;
+
+if (check_response(&save_errno, addrlist->more_errno,
+    buffer, &code, &(addrlist->message)))
+  {
+  (void) lmtp_write_command(fd_in, "QUIT\r\n");
+  (void) lmtp_read_response(out, buffer, sizeof(buffer), '2', 1);
+  }
+
+addrlist->transport_return = (code == '5')? FAIL : DEFER;
+if (code == '4' && save_errno > 0)
+  addrlist->message = string_sprintf("%s: %s", addrlist->message,
+    strerror(save_errno));
+goto KILL_AND_RETURN;
+
+/* Come here if there are errors during writing of a command or the message
+itself. This error will be applied to all the addresses. */
+
+WRITE_FAILED:
+
+addrlist->transport_return = PANIC;
+addrlist->basic_errno = errno;
+if (errno == ERRNO_CHHEADER_FAIL)
+  addrlist->message =
+    string_sprintf("Failed to expand headers_add or headers_remove: %s",
+      expand_string_message);
+else if (errno == ERRNO_FILTER_FAIL)
+  addrlist->message = US"Filter process failure";
+else if (errno == ERRNO_WRITEINCOMPLETE)
+  addrlist->message = US"Failed repeatedly to write data";
+else if (errno == ERRNO_SMTPFORMAT)
+  addrlist->message = US"overlong LMTP command generated";
+else
+  addrlist->message = string_sprintf("Error %d", errno);
+
+/* Come here after errors. Kill off the process. */
+
+KILL_AND_RETURN:
+
+if (pid > 0) killpg(pid, SIGKILL);
+
+/* Come here from all paths after the subprocess is created. Wait for the
+process, but with a timeout. */
+
+RETURN:
+
+(void)child_close(pid, timeout);
+
+if (fd_in >= 0) (void)close(fd_in);
+if (fd_out >= 0) (void)fclose(out);
+
+DEBUG(D_transport)
+  debug_printf("%s transport yields %d\n", tblock->name, yield);
+
+return yield;
+
+
+MINUS_N:
+  DEBUG(D_transport)
+    debug_printf("*** delivery by %s transport bypassed by -N option",
+      tblock->name);
+  addrlist->transport_return = OK;
+  return FALSE;
+}
+
+#endif	/*!MACRO_PREDEF*/
+/* End of transport/lmtp.c */
diff --git a/src/transports/lmtp.h b/src/transports/lmtp.h
new file mode 100644
index 0000000..93f0f89
--- /dev/null
+++ b/src/transports/lmtp.h
@@ -0,0 +1,32 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Private structure for the private options. */
+
+typedef struct {
+  uschar *cmd;
+  uschar *skt;
+  int   timeout;
+  int   options;
+  BOOL  ignore_quota;
+} lmtp_transport_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist lmtp_transport_options[];
+extern int lmtp_transport_options_count;
+
+/* Block containing default values. */
+
+extern lmtp_transport_options_block lmtp_transport_option_defaults;
+
+/* The main and init entry points for the transport */
+
+extern BOOL lmtp_transport_entry(transport_instance *, address_item *);
+extern void lmtp_transport_init(transport_instance *);
+
+/* End of transports/lmtp.h */
diff --git a/src/transports/pipe.c b/src/transports/pipe.c
new file mode 100644
index 0000000..bdbe27d
--- /dev/null
+++ b/src/transports/pipe.c
@@ -0,0 +1,1124 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "../exim.h"
+#include "pipe.h"
+
+#ifdef HAVE_SETCLASSRESOURCES
+#include <login_cap.h>
+#endif
+
+
+
+/* Options specific to the pipe transport. They must be in alphabetic
+order (note that "_" comes before the lower case letters). Those starting
+with "*" are not settable by the user but are used by the option-reading
+software for alternative value types. Some options are stored in the transport
+instance block so as to be publicly visible; these are flagged with opt_public.
+*/
+#define LOFF(field) OPT_OFF(pipe_transport_options_block, field)
+
+optionlist pipe_transport_options[] = {
+  { "allow_commands",    opt_stringptr,	LOFF(allow_commands) },
+  { "batch_id",          opt_stringptr | opt_public,
+      OPT_OFF(transport_instance, batch_id) },
+  { "batch_max",         opt_int | opt_public,
+      OPT_OFF(transport_instance, batch_max) },
+  { "check_string",      opt_stringptr,	LOFF(check_string) },
+  { "command",           opt_stringptr,	LOFF(cmd) },
+  { "environment",       opt_stringptr,	LOFF(environment) },
+  { "escape_string",     opt_stringptr,	LOFF(escape_string) },
+  { "force_command",         opt_bool,	LOFF(force_command) },
+  { "freeze_exec_fail",  opt_bool,	LOFF(freeze_exec_fail) },
+  { "freeze_signal",     opt_bool,	LOFF(freeze_signal) },
+  { "ignore_status",     opt_bool,	LOFF(ignore_status) },
+  { "log_defer_output",  opt_bool | opt_public,
+      OPT_OFF(transport_instance, log_defer_output) },
+  { "log_fail_output",   opt_bool | opt_public,
+      OPT_OFF(transport_instance, log_fail_output) },
+  { "log_output",        opt_bool | opt_public,
+      OPT_OFF(transport_instance, log_output) },
+  { "max_output",        opt_mkint,	LOFF(max_output) },
+  { "message_prefix",    opt_stringptr,	LOFF(message_prefix) },
+  { "message_suffix",    opt_stringptr,	LOFF(message_suffix) },
+  { "path",              opt_stringptr,	LOFF(path) },
+  { "permit_coredump",   opt_bool,	LOFF(permit_coredump) },
+  { "pipe_as_creator",   opt_bool | opt_public,
+      OPT_OFF(transport_instance, deliver_as_creator) },
+  { "restrict_to_path",  opt_bool,	LOFF(restrict_to_path) },
+  { "return_fail_output",opt_bool | opt_public,
+      OPT_OFF(transport_instance, return_fail_output) },
+  { "return_output",     opt_bool | opt_public,
+      OPT_OFF(transport_instance, return_output) },
+  { "temp_errors",       opt_stringptr,	LOFF(temp_errors) },
+  { "timeout",           opt_time,	LOFF(timeout) },
+  { "timeout_defer",     opt_bool,	LOFF(timeout_defer) },
+  { "umask",             opt_octint,	LOFF(umask) },
+  { "use_bsmtp",         opt_bool,	LOFF(use_bsmtp) },
+  #ifdef HAVE_SETCLASSRESOURCES
+  { "use_classresources", opt_bool,	LOFF(use_classresources) },
+  #endif
+  { "use_crlf",          opt_bool,	LOFF(use_crlf) },
+  { "use_shell",         opt_bool,	LOFF(use_shell) },
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int pipe_transport_options_count =
+  sizeof(pipe_transport_options)/sizeof(optionlist);
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+pipe_transport_options_block pipe_transport_option_defaults = {0};
+void pipe_transport_init(transport_instance *tblock) {}
+BOOL pipe_transport_entry(transport_instance *tblock, address_item *addr) {return FALSE;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+/* Default private options block for the pipe transport. */
+
+pipe_transport_options_block pipe_transport_option_defaults = {
+  .path =	US"/bin:/usr/bin",
+  .temp_errors = US mac_expanded_string(EX_TEMPFAIL) ":"
+		   mac_expanded_string(EX_CANTCREAT),
+  .umask =	022,
+  .max_output = 20480,
+  .timeout =	60*60,
+  /* all others null/zero/false */
+};
+
+
+
+/*************************************************
+*              Setup entry point                 *
+*************************************************/
+
+/* Called for each delivery in the privileged state, just before the uid/gid
+are changed and the main entry point is called. In a system that supports the
+login_cap facilities, this function is used to set the class resource limits
+for the user.  It may also re-enable coredumps.
+
+Arguments:
+  tblock     points to the transport instance
+  addrlist   addresses about to be delivered (not used)
+  dummy      not used (doesn't pass back data)
+  uid        the uid that will be set (not used)
+  gid        the gid that will be set (not used)
+  errmsg     where to put an error message
+
+Returns:     OK, FAIL, or DEFER
+*/
+
+static int
+pipe_transport_setup(transport_instance *tblock, address_item *addrlist,
+  transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg)
+{
+pipe_transport_options_block *ob =
+  (pipe_transport_options_block *)(tblock->options_block);
+
+#ifdef HAVE_SETCLASSRESOURCES
+if (ob->use_classresources)
+  {
+  struct passwd *pw = getpwuid(uid);
+  if (pw != NULL)
+    {
+    login_cap_t *lc = login_getpwclass(pw);
+    if (lc != NULL)
+      {
+      setclassresources(lc);
+      login_close(lc);
+      }
+    }
+  }
+#endif
+
+#ifdef RLIMIT_CORE
+if (ob->permit_coredump)
+  {
+  struct rlimit rl;
+  rl.rlim_cur = RLIM_INFINITY;
+  rl.rlim_max = RLIM_INFINITY;
+  if (setrlimit(RLIMIT_CORE, &rl) < 0)
+    {
+#ifdef SETRLIMIT_NOT_SUPPORTED
+    if (errno != ENOSYS && errno != ENOTSUP)
+#endif
+      log_write(0, LOG_MAIN,
+          "delivery setrlimit(RLIMIT_CORE, RLIM_INFINITY) failed: %s",
+          strerror(errno));
+    }
+  }
+#endif
+
+return OK;
+}
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up. */
+
+void
+pipe_transport_init(transport_instance *tblock)
+{
+pipe_transport_options_block *ob =
+  (pipe_transport_options_block *)(tblock->options_block);
+
+/* Set up the setup entry point, to be called in the privileged state */
+
+tblock->setup = pipe_transport_setup;
+
+/* If pipe_as_creator is set, then uid/gid should not be set. */
+
+if (tblock->deliver_as_creator && (tblock->uid_set || tblock->gid_set ||
+  tblock->expand_uid != NULL || tblock->expand_gid != NULL))
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+      "both pipe_as_creator and an explicit uid/gid are set for the %s "
+        "transport", tblock->name);
+
+/* If a fixed uid field is set, then a gid field must also be set. */
+
+if (tblock->uid_set && !tblock->gid_set && tblock->expand_gid == NULL)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "user set without group for the %s transport", tblock->name);
+
+/* Temp_errors must consist only of digits and colons, but there can be
+spaces round the colons, so allow them too. */
+
+if (ob->temp_errors != NULL && Ustrcmp(ob->temp_errors, "*") != 0)
+  {
+  size_t p = Ustrspn(ob->temp_errors, "0123456789: ");
+  if (ob->temp_errors[p] != 0)
+    log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+      "temp_errors must be a list of numbers or an asterisk for the %s "
+      "transport", tblock->name);
+  }
+
+/* Only one of return_output/return_fail_output or log_output/log_fail_output
+should be set. */
+
+if (tblock->return_output && tblock->return_fail_output)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "both return_output and return_fail_output set for %s transport",
+    tblock->name);
+
+if (tblock->log_output && tblock->log_fail_output)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "both log_output and log_fail_output set for the %s transport",
+    tblock->name);
+
+/* If batch SMTP is set, force the check and escape strings, and arrange that
+headers are also escaped. */
+
+if (ob->use_bsmtp)
+  {
+  ob->check_string = US".";
+  ob->escape_string = US"..";
+  ob->options |= topt_escape_headers;
+  }
+
+/* If not batch SMTP, and message_prefix or message_suffix are unset, insert
+default values for them. */
+
+else
+  {
+  if (ob->message_prefix == NULL) ob->message_prefix =
+    US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n";
+  if (ob->message_suffix == NULL) ob->message_suffix = US"\n";
+  }
+
+/* The restrict_to_path  and use_shell options are incompatible */
+
+if (ob->restrict_to_path && ob->use_shell)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "both restrict_to_path and use_shell set for %s transport",
+    tblock->name);
+
+/* The allow_commands and use_shell options are incompatible */
+
+if (ob->allow_commands && ob->use_shell)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "both allow_commands and use_shell set for %s transport",
+    tblock->name);
+
+/* Set up the bitwise options for transport_write_message from the various
+driver options. Only one of body_only and headers_only can be set. */
+
+ob->options |=
+    (tblock->body_only ? topt_no_headers : 0)
+  | (tblock->headers_only ? topt_no_body : 0)
+  | (tblock->return_path_add ? topt_add_return_path : 0)
+  | (tblock->delivery_date_add ? topt_add_delivery_date : 0)
+  | (tblock->envelope_to_add ? topt_add_envelope_to : 0)
+  | (ob->use_crlf ? topt_use_crlf : 0);
+}
+
+
+
+/*************************************************
+*          Set up direct (non-shell) command     *
+*************************************************/
+
+/* This function is called when a command line is to be parsed by the transport
+and executed directly, without the use of /bin/sh.
+
+Arguments:
+  argvptr            pointer to anchor for argv vector
+  cmd                points to the command string
+  expand_arguments   true if expansion is to occur
+  expand_fail        error if expansion fails
+  addr               chain of addresses
+  tname              the transport name
+  ob                 the transport options block
+
+Returns:             TRUE if all went well; otherwise an error will be
+                     set in the first address and FALSE returned
+*/
+
+static BOOL
+set_up_direct_command(const uschar ***argvptr, uschar *cmd,
+  BOOL expand_arguments, int expand_fail, address_item *addr, uschar *tname,
+  pipe_transport_options_block *ob)
+{
+BOOL permitted = FALSE;
+const uschar **argv;
+
+/* Set up "transport <name>" to be put in any error messages, and then
+call the common function for creating an argument list and expanding
+the items if necessary. If it fails, this function fails (error information
+is in the addresses). */
+
+if (!transport_set_up_command(argvptr, cmd, expand_arguments, expand_fail,
+      addr, FALSE, string_sprintf("%.50s transport", tname), NULL))
+  return FALSE;
+
+/* Point to the set-up arguments. */
+
+argv = *argvptr;
+
+/* If allow_commands is set, see if the command is in the permitted list. */
+
+if (ob->allow_commands)
+  {
+  int sep = 0;
+  const uschar *s;
+  uschar *p;
+
+  if (!(s = expand_string(ob->allow_commands)))
+    {
+    addr->transport_return = DEFER;
+    addr->message = string_sprintf("failed to expand string \"%s\" "
+      "for %s transport: %s", ob->allow_commands, tname, expand_string_message);
+    return FALSE;
+    }
+
+  while ((p = string_nextinlist(&s, &sep, NULL, 0)))
+    if (Ustrcmp(p, argv[0]) == 0) { permitted = TRUE; break; }
+  }
+
+/* If permitted is TRUE it means the command was found in the allowed list, and
+no further checks are done. If permitted = FALSE, it either means
+allow_commands wasn't set, or that the command didn't match anything in the
+list. In both cases, if restrict_to_path is set, we fail if the command
+contains any slashes, but if restrict_to_path is not set, we must fail the
+command only if allow_commands is set. */
+
+if (!permitted)
+  {
+  if (ob->restrict_to_path)
+    {
+    if (Ustrchr(argv[0], '/') != NULL)
+      {
+      addr->transport_return = FAIL;
+      addr->message = string_sprintf("\"/\" found in \"%s\" (command for %s "
+        "transport) - failed for security reasons", cmd, tname);
+      return FALSE;
+      }
+    }
+
+  else if (ob->allow_commands)
+    {
+    addr->transport_return = FAIL;
+    addr->message = string_sprintf("\"%s\" command not permitted by %s "
+      "transport", argv[0], tname);
+    return FALSE;
+    }
+  }
+
+/* If the command is not an absolute path, search the PATH directories
+for it. */
+
+if (argv[0][0] != '/')
+  {
+  int sep = 0;
+  uschar *p;
+  const uschar *listptr = expand_string(ob->path);
+
+  while ((p = string_nextinlist(&listptr, &sep, NULL, 0)))
+    {
+    struct stat statbuf;
+    sprintf(CS big_buffer, "%.256s/%.256s", p, argv[0]);
+    if (Ustat(big_buffer, &statbuf) == 0)
+      {
+      argv[0] = string_copy(big_buffer);
+      break;
+      }
+    }
+  if (!p)
+    {
+    addr->transport_return = FAIL;
+    addr->message = string_sprintf("\"%s\" command not found for %s transport",
+      argv[0], tname);
+    return FALSE;
+    }
+  }
+
+return TRUE;
+}
+
+
+/*************************************************
+*               Set up shell command             *
+*************************************************/
+
+/* This function is called when a command line is to be passed to /bin/sh
+without parsing inside the transport.
+
+Arguments:
+  argvptr            pointer to anchor for argv vector
+  cmd                points to the command string
+  expand_arguments   true if expansion is to occur
+  expand_fail        error if expansion fails
+  addr               chain of addresses
+  tname              the transport name
+
+Returns:             TRUE if all went well; otherwise an error will be
+                     set in the first address and FALSE returned
+*/
+
+static BOOL
+set_up_shell_command(const uschar ***argvptr, uschar *cmd,
+  BOOL expand_arguments, int expand_fail, address_item *addr, uschar *tname)
+{
+const uschar **argv;
+
+*argvptr = argv = store_get((4)*sizeof(uschar *), GET_UNTAINTED);
+
+argv[0] = US"/bin/sh";
+argv[1] = US"-c";
+
+/* We have to take special action to handle the special "variable" called
+$pipe_addresses, which is not recognized by the normal expansion function. */
+
+if (expand_arguments)
+  {
+  uschar * p = Ustrstr(cmd, "pipe_addresses");
+  gstring * g = NULL;
+
+  DEBUG(D_transport)
+    debug_printf("shell pipe command before expansion:\n  %s\n", cmd);
+
+  /* Allow $recipients in the expansion iff it comes from a system filter */
+
+  f.enable_dollar_recipients = addr && addr->parent &&
+    Ustrcmp(addr->parent->address, "system-filter") == 0;
+
+  if (p != NULL && (
+         (p > cmd && p[-1] == '$') ||
+         (p > cmd + 1 && p[-2] == '$' && p[-1] == '{' && p[14] == '}')))
+    {
+    uschar *q = p + 14;
+
+    if (p[-1] == '{') { q++; p--; }
+
+    g = string_get(Ustrlen(cmd) + 64);
+    g = string_catn(g, cmd, p - cmd - 1);
+
+    for (address_item * ad = addr; ad; ad = ad->next)
+      {
+      DEBUG(D_transport) if (is_tainted(ad->address))
+	debug_printf("tainted element '%s' from $pipe_addresses\n", ad->address);
+
+      /*XXX string_append_listele() ? */
+      if (ad != addr) g = string_catn(g, US" ", 1);
+      g = string_cat(g, ad->address);
+      }
+
+    g = string_cat(g, q);
+    argv[2] = (cmd = string_from_gstring(g)) ? expand_string(cmd) : NULL;
+    }
+  else
+    argv[2] = expand_string(cmd);
+
+  f.enable_dollar_recipients = FALSE;
+
+  if (!argv[2])
+    {
+    addr->transport_return = f.search_find_defer ? DEFER : expand_fail;
+    addr->message = string_sprintf("Expansion of command \"%s\" "
+      "in %s transport failed: %s",
+      cmd, tname, expand_string_message);
+    return FALSE;
+    }
+
+  DEBUG(D_transport)
+    debug_printf("shell pipe command after expansion:\n  %s\n", argv[2]);
+  }
+else
+  {
+  DEBUG(D_transport)
+    debug_printf("shell pipe command (no expansion):\n  %s\n", cmd);
+  argv[2] = cmd;
+  }
+
+argv[3] = US 0;
+return TRUE;
+}
+
+
+
+
+/*************************************************
+*              Main entry point                  *
+*************************************************/
+
+/* See local README for interface details. This transport always returns FALSE,
+indicating that the status in the first address is the status for all addresses
+in a batch. */
+
+BOOL
+pipe_transport_entry(
+  transport_instance *tblock,      /* data for this instantiation */
+  address_item *addr)              /* address(es) we are working on */
+{
+pid_t pid, outpid;
+int fd_in, fd_out, rc;
+int envcount = 0;
+int envsep = 0;
+int expand_fail;
+pipe_transport_options_block *ob =
+  (pipe_transport_options_block *)(tblock->options_block);
+int timeout = ob->timeout;
+BOOL written_ok = FALSE;
+BOOL expand_arguments;
+const uschar **argv;
+uschar *envp[50];
+const uschar *envlist = ob->environment;
+uschar *cmd, *ss;
+uschar *eol = ob->use_crlf ? US"\r\n" : US"\n";
+transport_ctx tctx = {
+  .tblock = tblock,
+  .addr = addr,
+  .check_string = ob->check_string,
+  .escape_string = ob->escape_string,
+  ob->options | topt_not_socket /* set at initialization time */
+};
+
+DEBUG(D_transport) debug_printf("%s transport entered\n", tblock->name);
+
+/* Set up for the good case */
+
+addr->transport_return = OK;
+addr->basic_errno = 0;
+
+/* Pipes are not accepted as general addresses, but they can be generated from
+.forward files or alias files. In those cases, the pfr flag is set, and the
+command to be obeyed is pointed to by addr->local_part; it starts with the pipe
+symbol. In other cases, the command is supplied as one of the pipe transport's
+options. */
+
+if (testflag(addr, af_pfr) && addr->local_part[0] == '|')
+  if (ob->force_command)
+    {
+    /* Enables expansion of $address_pipe into separate arguments */
+    setflag(addr, af_force_command);
+    cmd = ob->cmd;
+    expand_arguments = TRUE;
+    expand_fail = PANIC;
+    }
+  else
+    {
+    cmd = addr->local_part + 1;
+    while (isspace(*cmd)) cmd++;
+    expand_arguments = testflag(addr, af_expand_pipe);
+    expand_fail = FAIL;
+    }
+else
+  {
+  cmd = ob->cmd;
+  expand_arguments = TRUE;
+  expand_fail = PANIC;
+  }
+
+/* If no command has been supplied, we are in trouble.
+We also check for an empty string since it may be
+coming from addr->local_part[0] == '|' */
+
+if (!cmd || !*cmd)
+  {
+  addr->transport_return = DEFER;
+  addr->message = string_sprintf("no command specified for %s transport",
+    tblock->name);
+  return FALSE;
+  }
+if (is_tainted(cmd))
+  {
+  DEBUG(D_transport) debug_printf("cmd '%s' is tainted\n", cmd);
+  addr->message = string_sprintf("Tainted '%s' (command "
+    "for %s transport) not permitted", cmd, tblock->name);
+  addr->transport_return = PANIC;
+  return FALSE;
+  }
+
+/* When a pipe is set up by a filter file, there may be values for $thisaddress
+and numerical the variables in existence. These are passed in
+addr->pipe_expandn for use here. */
+
+if (expand_arguments && addr->pipe_expandn)
+  {
+  uschar **ss = addr->pipe_expandn;
+  expand_nmax = -1;
+  if (*ss) filter_thisaddress = *ss++;
+  while (*ss)
+    {
+    expand_nstring[++expand_nmax] = *ss;
+    expand_nlength[expand_nmax] = Ustrlen(*ss++);
+    }
+  }
+
+/* The default way of processing the command is to split it up into arguments
+here, and run it directly. This offers some security advantages. However, there
+are installations that want by default to run commands under /bin/sh always, so
+there is an option to do that. */
+
+if (ob->use_shell)
+  {
+  if (!set_up_shell_command(&argv, cmd, expand_arguments, expand_fail, addr,
+    tblock->name)) return FALSE;
+  }
+else if (!set_up_direct_command(&argv, cmd, expand_arguments, expand_fail, addr,
+  tblock->name, ob)) return FALSE;
+
+expand_nmax = -1;           /* Reset */
+filter_thisaddress = NULL;
+
+/* Set up the environment for the command. */
+
+envp[envcount++] = string_sprintf("LOCAL_PART=%s", deliver_localpart);
+envp[envcount++] = string_sprintf("LOGNAME=%s", deliver_localpart);
+envp[envcount++] = string_sprintf("USER=%s", deliver_localpart);
+envp[envcount++] = string_sprintf("LOCAL_PART_PREFIX=%#s",
+  deliver_localpart_prefix);
+envp[envcount++] = string_sprintf("LOCAL_PART_SUFFIX=%#s",
+  deliver_localpart_suffix);
+envp[envcount++] = string_sprintf("DOMAIN=%s", deliver_domain);
+envp[envcount++] = string_sprintf("HOME=%#s", deliver_home);
+envp[envcount++] = string_sprintf("MESSAGE_ID=%s", message_id);
+envp[envcount++] = string_sprintf("PATH=%s", expand_string(ob->path));
+envp[envcount++] = string_sprintf("RECIPIENT=%#s%#s%#s@%#s",
+  deliver_localpart_prefix, deliver_localpart, deliver_localpart_suffix,
+  deliver_domain);
+envp[envcount++] = string_sprintf("QUALIFY_DOMAIN=%s", qualify_domain_sender);
+envp[envcount++] = string_sprintf("SENDER=%s", sender_address);
+envp[envcount++] = US"SHELL=/bin/sh";
+
+if (addr->host_list)
+  envp[envcount++] = string_sprintf("HOST=%s", addr->host_list->name);
+
+if (f.timestamps_utc)
+  envp[envcount++] = US"TZ=UTC";
+else if (timezone_string && timezone_string[0])
+  envp[envcount++] = string_sprintf("TZ=%s", timezone_string);
+
+/* Add any requested items */
+
+if (envlist)
+  if (!(envlist = expand_cstring(envlist)))
+    {
+    addr->transport_return = DEFER;
+    addr->message = string_sprintf("failed to expand string \"%s\" "
+      "for %s transport: %s", ob->environment, tblock->name,
+      expand_string_message);
+    return FALSE;
+    }
+
+while ((ss = string_nextinlist(&envlist, &envsep, NULL, 0)))
+   {
+   if (envcount > nelem(envp) - 2)
+     {
+     addr->transport_return = DEFER;
+     addr->basic_errno = E2BIG;
+     addr->message = string_sprintf("too many environment settings for "
+       "%s transport", tblock->name);
+     return FALSE;
+     }
+   envp[envcount++] = string_copy(ss);
+   }
+
+envp[envcount] = NULL;
+
+/* If the -N option is set, can't do any more. */
+
+if (f.dont_deliver)
+  {
+  DEBUG(D_transport)
+    debug_printf("*** delivery by %s transport bypassed by -N option",
+      tblock->name);
+  return FALSE;
+  }
+
+
+/* Handling the output from the pipe is tricky. If a file for catching this
+output is provided, we could in theory just hand that fd over to the process,
+but this isn't very safe because it might loop and carry on writing for
+ever (which is exactly what happened in early versions of Exim). Therefore we
+use the standard child_open() function, which creates pipes. We can then read
+our end of the output pipe and count the number of bytes that come through,
+chopping the sub-process if it exceeds some limit.
+
+However, this means we want to run a sub-process with both its input and output
+attached to pipes. We can't handle that easily from a single parent process
+using straightforward code such as the transport_write_message() function
+because the subprocess might not be reading its input because it is trying to
+write to a full output pipe. The complication of redesigning the world to
+handle this is too great - simpler just to run another process to do the
+reading of the output pipe. */
+
+
+/* As this is a local transport, we are already running with the required
+uid/gid and current directory. Request that the new process be a process group
+leader, so we can kill it and all its children on a timeout. */
+
+if ((pid = child_open(USS argv, envp, ob->umask, &fd_in, &fd_out, TRUE,
+			US"pipe-tpt-cmd")) < 0)
+  {
+  addr->transport_return = DEFER;
+  addr->message = string_sprintf(
+    "Failed to create child process for %s transport: %s", tblock->name,
+      strerror(errno));
+  return FALSE;
+  }
+tctx.u.fd = fd_in;
+
+/* Now fork a process to handle the output that comes down the pipe. */
+
+if ((outpid = exim_fork(US"pipe-tpt-output")) < 0)
+  {
+  addr->basic_errno = errno;
+  addr->transport_return = DEFER;
+  addr->message = string_sprintf(
+    "Failed to create process for handling output in %s transport",
+      tblock->name);
+  (void)close(fd_in);
+  (void)close(fd_out);
+  return FALSE;
+  }
+
+/* This is the code for the output-handling subprocess. Read from the pipe
+in chunks, and write to the return file if one is provided. Keep track of
+the number of bytes handled. If the limit is exceeded, try to kill the
+subprocess group, and in any case close the pipe and exit, which should cause
+the subprocess to fail. */
+
+if (outpid == 0)
+  {
+  int count = 0;
+  (void)close(fd_in);
+  set_process_info("reading output from |%s", cmd);
+  while ((rc = read(fd_out, big_buffer, big_buffer_size)) > 0)
+    {
+    if (addr->return_file >= 0)
+      if(write(addr->return_file, big_buffer, rc) != rc)
+        DEBUG(D_transport) debug_printf("Problem writing to return_file\n");
+    count += rc;
+    if (count > ob->max_output)
+      {
+      DEBUG(D_transport) debug_printf("Too much output from pipe - killed\n");
+      if (addr->return_file >= 0)
+	{
+        uschar *message = US"\n\n*** Too much output - remainder discarded ***\n";
+        rc = Ustrlen(message);
+        if(write(addr->return_file, message, rc) != rc)
+          DEBUG(D_transport) debug_printf("Problem writing to return_file\n");
+	}
+      killpg(pid, SIGKILL);
+      break;
+      }
+    }
+  (void)close(fd_out);
+  _exit(0);
+  }
+
+(void)close(fd_out);  /* Not used in this process */
+
+
+/* Carrying on now with the main parent process. Attempt to write the message
+to it down the pipe. It is a fallacy to think that you can detect write errors
+when the sub-process fails to read the pipe. The parent process may complete
+writing and close the pipe before the sub-process completes. We could sleep a
+bit here to let the sub-process get going, but it may still not complete. So we
+ignore all writing errors. (When in the test harness, we do do a short sleep so
+any debugging output is likely to be in the same order.) */
+
+testharness_pause_ms(500);
+
+DEBUG(D_transport) debug_printf("Writing message to pipe\n");
+
+/* Arrange to time out writes if there is a timeout set. */
+
+if (timeout > 0)
+  {
+  sigalrm_seen = FALSE;
+  transport_write_timeout = timeout;
+  }
+
+/* Reset the counter of bytes written */
+
+transport_count = 0;
+
+/* First write any configured prefix information */
+
+if (ob->message_prefix)
+  {
+  uschar *prefix = expand_string(ob->message_prefix);
+  if (!prefix)
+    {
+    addr->transport_return = f.search_find_defer? DEFER : PANIC;
+    addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s "
+      "transport) failed: %s", ob->message_prefix, tblock->name,
+      expand_string_message);
+    return FALSE;
+    }
+  if (!transport_write_block(&tctx, prefix, Ustrlen(prefix), FALSE))
+    goto END_WRITE;
+  }
+
+/* If the use_bsmtp option is set, we need to write SMTP prefix information.
+The various different values for batching are handled outside; if there is more
+than one address available here, all must be included. Force SMTP dot-handling.
+*/
+
+if (ob->use_bsmtp)
+  {
+  if (!transport_write_string(fd_in, "MAIL FROM:<%s>%s", return_path, eol))
+    goto END_WRITE;
+
+  for (address_item * a = addr; a; a = a->next)
+    if (!transport_write_string(fd_in,
+        "RCPT TO:<%s>%s",
+        transport_rcpt_address(a, tblock->rcpt_include_affixes),
+        eol))
+      goto END_WRITE;
+
+  if (!transport_write_string(fd_in, "DATA%s", eol)) goto END_WRITE;
+  }
+
+/* Now the actual message */
+
+if (!transport_write_message(&tctx, 0))
+    goto END_WRITE;
+
+/* Now any configured suffix */
+
+if (ob->message_suffix)
+  {
+  uschar *suffix = expand_string(ob->message_suffix);
+  if (!suffix)
+    {
+    addr->transport_return = f.search_find_defer? DEFER : PANIC;
+    addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s "
+      "transport) failed: %s", ob->message_suffix, tblock->name,
+      expand_string_message);
+    return FALSE;
+    }
+  if (!transport_write_block(&tctx, suffix, Ustrlen(suffix), FALSE))
+    goto END_WRITE;
+  }
+
+/* If local_smtp, write the terminating dot. */
+
+if (ob->use_bsmtp && !transport_write_string(fd_in, ".%s", eol))
+  goto END_WRITE;
+
+/* Flag all writing completed successfully. */
+
+written_ok = TRUE;
+
+/* Come here if there are errors during writing. */
+
+END_WRITE:
+
+/* OK, the writing is now all done. Close the pipe. */
+
+(void) close(fd_in);
+
+/* Handle errors during writing. For timeouts, set the timeout for waiting for
+the child process to 1 second. If the process at the far end of the pipe died
+without reading all of it, we expect an EPIPE error, which should be ignored.
+We used also to ignore WRITEINCOMPLETE but the writing function is now cleverer
+at handling OS where the death of a pipe doesn't give EPIPE immediately. See
+comments therein. */
+
+if (!written_ok)
+  {
+  if (errno == ETIMEDOUT)
+    {
+    addr->message = string_sprintf("%stimeout while writing to pipe",
+      f.transport_filter_timed_out ? "transport filter " : "");
+    addr->transport_return = ob->timeout_defer? DEFER : FAIL;
+    timeout = 1;
+    }
+  else if (errno == EPIPE)
+    {
+    debug_printf("transport error EPIPE ignored\n");
+    }
+  else
+    {
+    addr->transport_return = PANIC;
+    addr->basic_errno = errno;
+    if (errno == ERRNO_CHHEADER_FAIL)
+      addr->message =
+        string_sprintf("Failed to expand headers_add or headers_remove: %s",
+          expand_string_message);
+    else if (errno == ERRNO_FILTER_FAIL)
+      addr->message = string_sprintf("Transport filter process failed (%d)%s",
+      addr->more_errno,
+      (addr->more_errno == EX_EXECFAILED)? ": unable to execute command" : "");
+    else if (errno == ERRNO_WRITEINCOMPLETE)
+      addr->message = US"Failed repeatedly to write data";
+    else
+      addr->message = string_sprintf("Error %d", errno);
+    return FALSE;
+    }
+  }
+
+/* Wait for the child process to complete and take action if the returned
+status is nonzero. The timeout will be just 1 second if any of the writes
+above timed out. */
+
+if ((rc = child_close(pid, timeout)) != 0)
+  {
+  uschar * tmsg = addr->message
+    ? string_sprintf(" (preceded by %s)", addr->message) : US"";
+
+  /* The process did not complete in time; kill its process group and fail
+  the delivery. It appears to be necessary to kill the output process too, as
+  otherwise it hangs on for some time if the actual pipe process is sleeping.
+  (At least, that's what I observed on Solaris 2.5.1.) Since we are failing
+  the delivery, that shouldn't cause any problem. */
+
+  if (rc == -256)
+    {
+    killpg(pid, SIGKILL);
+    kill(outpid, SIGKILL);
+    addr->transport_return = ob->timeout_defer? DEFER : FAIL;
+    addr->message = string_sprintf("pipe delivery process timed out%s", tmsg);
+    }
+
+  /* Wait() failed. */
+
+  else if (rc == -257)
+    {
+    addr->transport_return = PANIC;
+    addr->message = string_sprintf("Wait() failed for child process of %s "
+      "transport: %s%s", tblock->name, strerror(errno), tmsg);
+    }
+
+  /* Since the transport_filter timed out we assume it has sent the child process
+  a malformed or incomplete data stream.  Kill off the child process
+  and prevent checking its exit status as it will has probably exited in error.
+  This prevents the transport_filter timeout message from getting overwritten
+  by the exit error which is not the cause of the problem. */
+
+  else if (f.transport_filter_timed_out)
+    {
+    killpg(pid, SIGKILL);
+    kill(outpid, SIGKILL);
+    }
+
+  /* Either the process completed, but yielded a non-zero (necessarily
+  positive) status, or the process was terminated by a signal (rc will contain
+  the negation of the signal number). Treat killing by signal as failure unless
+  status is being ignored. By default, the message is bounced back, unless
+  freeze_signal is set, in which case it is frozen instead. */
+
+  else if (rc < 0)
+    {
+    if (ob->freeze_signal)
+      {
+      addr->transport_return = DEFER;
+      addr->special_action = SPECIAL_FREEZE;
+      addr->message = string_sprintf("Child process of %s transport (running "
+        "command \"%s\") was terminated by signal %d (%s)%s", tblock->name, cmd,
+        -rc, os_strsignal(-rc), tmsg);
+      }
+    else if (!ob->ignore_status)
+      {
+      addr->transport_return = FAIL;
+      addr->message = string_sprintf("Child process of %s transport (running "
+        "command \"%s\") was terminated by signal %d (%s)%s", tblock->name, cmd,
+        -rc, os_strsignal(-rc), tmsg);
+      }
+    }
+
+  /* For positive values (process terminated with non-zero status), we need a
+  status code to request deferral. A number of systems contain the following
+  line in sysexits.h:
+
+      #define EX_TEMPFAIL 75
+
+  with the description
+
+      EX_TEMPFAIL -- temporary failure, indicating something that
+         is not really an error.  In sendmail, this means
+         that a mailer (e.g.) could not create a connection,
+         and the request should be reattempted later.
+
+  Based on this, we use exit code EX_TEMPFAIL as a default to mean "defer" when
+  not ignoring the returned status. However, there is now an option that
+  contains a list of temporary codes, with TEMPFAIL and CANTCREAT as defaults.
+
+  Another case that needs special treatment is if execve() failed (typically
+  the command that was given is a non-existent path). By default this is
+  treated as just another failure, but if freeze_exec_fail is set, the reaction
+  is to freeze the message rather than bounce the address. Exim used to signal
+  this failure with EX_UNAVAILABLE, which is defined in many systems as
+
+      #define EX_UNAVAILABLE  69
+
+  with the description
+
+      EX_UNAVAILABLE -- A service is unavailable.  This can occur
+            if a support program or file does not exist.  This
+            can also be used as a catchall message when something
+            you wanted to do doesn't work, but you don't know why.
+
+  However, this can be confused with a command that actually returns 69 because
+  something *it* wanted is unavailable. At release 4.21, Exim was changed to
+  use return code 127 instead, because this is what the shell returns when it
+  is unable to exec a command. We define it as EX_EXECFAILED, and use it in
+  child.c to signal execve() failure and other unexpected failures such as
+  setuid() not working - though that won't be the case here because we aren't
+  changing uid. */
+
+  else
+    {
+    /* Always handle execve() failure specially if requested to */
+
+    if (ob->freeze_exec_fail  &&  rc == EX_EXECFAILED)
+      {
+      addr->transport_return = DEFER;
+      addr->special_action = SPECIAL_FREEZE;
+      addr->message = string_sprintf("pipe process failed to exec \"%s\"%s",
+        cmd, tmsg);
+      }
+
+    /* Otherwise take action only if not ignoring status */
+
+    else if (!ob->ignore_status)
+      {
+      uschar *ss;
+      gstring * g;
+
+      /* If temp_errors is "*" all codes are temporary. Initialization checks
+      that it's either "*" or a list of numbers. If not "*", scan the list of
+      temporary failure codes; if any match, the result is DEFER. */
+
+      if (ob->temp_errors[0] == '*')
+        addr->transport_return = DEFER;
+
+      else
+        {
+        const uschar *s = ob->temp_errors;
+        uschar *p;
+        int sep = 0;
+
+        addr->transport_return = FAIL;
+        while ((p = string_nextinlist(&s,&sep,NULL,0)))
+          if (rc == Uatoi(p)) { addr->transport_return = DEFER; break; }
+        }
+
+      /* Ensure the message contains the expanded command and arguments. This
+      doesn't have to be brilliantly efficient - it is an error situation. */
+
+      addr->message = string_sprintf("Child process of %s transport returned "
+        "%d", tblock->name, rc);
+      g = string_cat(NULL, addr->message);
+
+      /* If the return code is > 128, it often means that a shell command
+      was terminated by a signal. */
+
+      ss = (rc > 128)?
+        string_sprintf("(could mean shell command ended by signal %d (%s))",
+          rc-128, os_strsignal(rc-128)) :
+        US os_strexit(rc);
+
+      if (*ss)
+        {
+        g = string_catn(g, US" ", 1);
+        g = string_cat (g, ss);
+        }
+
+      /* Now add the command and arguments */
+
+      g = string_catn(g, US" from command:", 14);
+
+      for (int i = 0; i < sizeof(argv)/sizeof(int *) && argv[i] != NULL; i++)
+        {
+        BOOL quote = FALSE;
+        g = string_catn(g, US" ", 1);
+        if (Ustrpbrk(argv[i], " \t") != NULL)
+          {
+          quote = TRUE;
+          g = string_catn(g, US"\"", 1);
+          }
+        g = string_cat(g, argv[i]);
+        if (quote)
+          g = string_catn(g, US"\"", 1);
+        }
+
+      /* Add previous filter timeout message, if present. */
+
+      if (*tmsg)
+        g = string_cat(g, tmsg);
+
+      addr->message = string_from_gstring(g);
+      }
+    }
+  }
+
+/* Ensure all subprocesses (in particular, the output handling process)
+are complete before we pass this point. */
+
+while (wait(&rc) >= 0);
+
+DEBUG(D_transport) debug_printf("%s transport yielded %d\n", tblock->name,
+  addr->transport_return);
+
+/* If there has been a problem, the message in addr->message contains details
+of the pipe command. We don't want to expose these to the world, so we set up
+something bland to return to the sender. */
+
+if (addr->transport_return != OK)
+  addr->user_message = US"local delivery failed";
+
+return FALSE;
+}
+
+#endif	/*!MACRO_PREDEF*/
+/* End of transport/pipe.c */
diff --git a/src/transports/pipe.h b/src/transports/pipe.h
new file mode 100644
index 0000000..ed5c142
--- /dev/null
+++ b/src/transports/pipe.h
@@ -0,0 +1,51 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2014 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Private structure for the private options. */
+
+typedef struct {
+  uschar *cmd;
+  uschar *allow_commands;
+  uschar *environment;
+  uschar *path;
+  uschar *message_prefix;
+  uschar *message_suffix;
+  uschar *temp_errors;
+  uschar *check_string;
+  uschar *escape_string;
+  int   umask;
+  int   max_output;
+  int   timeout;
+  int   options;
+  BOOL  force_command;
+  BOOL  freeze_exec_fail;
+  BOOL  freeze_signal;
+  BOOL  ignore_status;
+  BOOL  permit_coredump;
+  BOOL  restrict_to_path;
+  BOOL  timeout_defer;
+  BOOL  use_shell;
+  BOOL  use_bsmtp;
+  BOOL  use_classresources;
+  BOOL  use_crlf;
+} pipe_transport_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist pipe_transport_options[];
+extern int pipe_transport_options_count;
+
+/* Block containing default values. */
+
+extern pipe_transport_options_block pipe_transport_option_defaults;
+
+/* The main and init entry points for the transport */
+
+extern BOOL pipe_transport_entry(transport_instance *, address_item *);
+extern void pipe_transport_init(transport_instance *);
+
+/* End of transports/pipe.h */
diff --git a/src/transports/queuefile.c b/src/transports/queuefile.c
new file mode 100644
index 0000000..74131cc
--- /dev/null
+++ b/src/transports/queuefile.c
@@ -0,0 +1,286 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Andrew Colin Kissa <andrew@topdog.za.net> 2016 */
+/* Copyright (c) University of Cambridge 2016 */
+/* Copyright (c) The Exim Maintainers 1995 - 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+
+#include "../exim.h"
+
+#ifdef EXPERIMENTAL_QUEUEFILE	/* whole file */
+#include "queuefile.h"
+
+#ifndef EXIM_HAVE_OPENAT
+# error queuefile transport reqires openat() support
+#endif
+
+/* Options specific to the appendfile transport. They must be in alphabetic
+order (note that "_" comes before the lower case letters). Some of them are
+stored in the publicly visible instance block - these are flagged with the
+opt_public flag. */
+
+optionlist queuefile_transport_options[] = {
+  { "directory", opt_stringptr,
+    OPT_OFF(queuefile_transport_options_block, dirname) },
+};
+
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int queuefile_transport_options_count =
+  sizeof(queuefile_transport_options) / sizeof(optionlist);
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+queuefile_transport_options_block queuefile_transport_option_defaults = {0};
+void queuefile_transport_init(transport_instance *tblock) {}
+BOOL queuefile_transport_entry(transport_instance *tblock, address_item *addr) {return FALSE;}
+
+#else   /*!MACRO_PREDEF*/
+
+
+
+/* Default private options block for the appendfile transport. */
+
+queuefile_transport_options_block queuefile_transport_option_defaults = {
+  NULL,           /* dirname */
+};
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+void queuefile_transport_init(transport_instance *tblock)
+{
+queuefile_transport_options_block *ob =
+  (queuefile_transport_options_block *) tblock->options_block;
+
+if (!ob->dirname)
+  log_write(0, LOG_PANIC_DIE | LOG_CONFIG,
+    "directory must be set for the %s transport", tblock->name);
+}
+
+/* This function will copy from a file to another
+
+Arguments:
+  dst        fd to write to (the destination queue file)
+  src        fd to read from (the spool queue file)
+
+Returns:       TRUE if all went well, FALSE otherwise with errno set
+*/
+
+static BOOL
+copy_spool_file(int dst, int src)
+{
+int i, j;
+uschar buffer[16384];
+
+if (lseek(src, 0, SEEK_SET) != 0)
+  return FALSE;
+
+do
+  if ((j = read(src, buffer, sizeof(buffer))) > 0)
+    for (uschar * s = buffer; (i = write(dst, s, j)) != j; s += i, j -= i)
+      if (i < 0)
+	return FALSE;
+  else if (j < 0)
+    return FALSE;
+while (j > 0);
+return TRUE;
+}
+
+/* This function performs the actual copying of the header
+and data files to the destination directory
+
+Arguments:
+  tb		the transport block
+  addr          address_item being processed
+  dstpath	destination directory name
+  sdfd          int Source directory fd
+  ddfd          int Destination directory fd
+  link_file     BOOL use linkat instead of data copy
+  srcfd		fd for data file, or -1 for header file
+
+Returns:       TRUE if all went well, FALSE otherwise
+*/
+
+static BOOL
+copy_spool_files(transport_instance * tb, address_item * addr,
+  const uschar * dstpath, int sdfd, int ddfd, BOOL link_file, int srcfd)
+{
+BOOL is_hdr_file = srcfd < 0;
+const uschar * suffix = srcfd < 0 ? US"H" : US"D";
+int dstfd;
+const uschar * filename = string_sprintf("%s-%s", message_id, suffix);
+const uschar * srcpath = spool_fname(US"input", message_subdir, message_id, suffix);
+const uschar * s, * op;
+
+dstpath = string_sprintf("%s/%s-%s", dstpath, message_id, suffix);
+
+if (link_file)
+  {
+  DEBUG(D_transport) debug_printf("%s transport, linking %s => %s\n",
+    tb->name, srcpath, dstpath);
+
+  if (linkat(sdfd, CCS filename, ddfd, CCS filename, 0) >= 0)
+    return TRUE;
+
+  op = US"linking";
+  s = dstpath;
+  }
+else					/* use data copy */
+  {
+  DEBUG(D_transport) debug_printf("%s transport, copying %s => %s\n",
+    tb->name, srcpath, dstpath);
+
+  if (  (s = dstpath,
+	 (dstfd = exim_openat4(ddfd, CCS filename, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE))
+	 < 0
+	)
+     ||    is_hdr_file
+	&& (s = srcpath, (srcfd = exim_openat(sdfd, CCS filename, O_RDONLY)) < 0)
+     )
+    op = US"opening";
+
+  else
+    if (s = dstpath, fchmod(dstfd, SPOOL_MODE) != 0)
+      op = US"setting perms on";
+    else
+      if (!copy_spool_file(dstfd, srcfd))
+	op = US"creating";
+      else
+	return TRUE;
+  }
+
+addr->basic_errno = errno;
+addr->message = string_sprintf("%s transport %s file: %s failed with error: %s",
+  tb->name, op, s, strerror(errno));
+addr->transport_return = DEFER;
+return FALSE;
+}
+
+/*************************************************
+*              Main entry point                  *
+*************************************************/
+
+/* This transport always returns FALSE, indicating that the status in
+the first address is the status for all addresses in a batch. */
+
+BOOL
+queuefile_transport_entry(transport_instance * tblock, address_item * addr)
+{
+queuefile_transport_options_block * ob =
+  (queuefile_transport_options_block *) tblock->options_block;
+BOOL can_link;
+uschar * sourcedir = spool_dname(US"input", message_subdir);
+uschar * s, * dstdir;
+struct stat dstatbuf, sstatbuf;
+int ddfd = -1, sdfd = -1;
+
+DEBUG(D_transport)
+  debug_printf("%s transport entered\n", tblock->name);
+
+#ifndef O_DIRECTORY
+# define O_DIRECTORY 0
+#endif
+#ifndef O_NOFOLLOW
+# define O_NOFOLLOW 0
+#endif
+
+if (!(dstdir = expand_string(ob->dirname)))
+  {
+  addr->message = string_sprintf("%s transport: failed to expand dirname option",
+    tblock->name);
+  addr->transport_return = DEFER;
+  return FALSE;
+  }
+if (*dstdir != '/')
+  {
+  addr->transport_return = PANIC;
+  addr->message = string_sprintf("%s transport directory: "
+    "%s is not absolute", tblock->name, dstdir);
+  return FALSE;
+  }
+
+/* Open the source and destination directories and check if they are
+on the same filesystem, so we can hard-link files rather than copying. */
+
+if (  (s = dstdir,
+       (ddfd = Uopen(s, O_RDONLY | O_DIRECTORY | O_NOFOLLOW, 0)) < 0)
+   || (s = sourcedir,
+       (sdfd = Uopen(sourcedir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW, 0)) < 0)
+   )
+  {
+  addr->transport_return = PANIC;
+  addr->basic_errno = errno;
+  addr->message = string_sprintf("%s transport accessing directory: %s "
+    "failed with error: %s", tblock->name, s, strerror(errno));
+  if (ddfd >= 0) (void) close(ddfd);
+  return FALSE;
+  }
+
+if (  (s = dstdir,    fstat(ddfd, &dstatbuf) < 0)
+   || (s = sourcedir, fstat(sdfd, &sstatbuf) < 0)
+   )
+  {
+  addr->transport_return = PANIC;
+  addr->basic_errno = errno;
+  addr->message = string_sprintf("%s transport fstat on directory fd: "
+    "%s failed with error: %s", tblock->name, s, strerror(errno));
+  goto RETURN;
+  }
+can_link = (dstatbuf.st_dev == sstatbuf.st_dev);
+
+if (f.dont_deliver)
+  {
+  DEBUG(D_transport)
+    debug_printf("*** delivery by %s transport bypassed by -N option\n",
+      tblock->name);
+  addr->transport_return = OK;
+  goto RETURN;
+  }
+
+/* Link or copy the header and data spool files */
+
+DEBUG(D_transport)
+  debug_printf("%s transport, copying header file\n", tblock->name);
+
+if (!copy_spool_files(tblock, addr, dstdir, sdfd, ddfd, can_link, -1))
+  goto RETURN;
+
+DEBUG(D_transport)
+  debug_printf("%s transport, copying data file\n", tblock->name);
+
+if (!copy_spool_files(tblock, addr, dstdir, sdfd, ddfd, can_link,
+	deliver_datafile))
+  {
+  DEBUG(D_transport)
+    debug_printf("%s transport, copying data file failed, "
+      "unlinking the header file\n", tblock->name);
+  Uunlink(string_sprintf("%s/%s-H", dstdir, message_id));
+  goto RETURN;
+  }
+
+DEBUG(D_transport)
+  debug_printf("%s transport succeeded\n", tblock->name);
+
+addr->transport_return = OK;
+
+RETURN:
+if (ddfd >= 0) (void) close(ddfd);
+if (sdfd >= 0) (void) close(sdfd);
+
+/* A return of FALSE means that if there was an error, a common error was
+put in the first address of a batch. */
+return FALSE;
+}
+
+#endif /*!MACRO_PREDEF*/
+#endif /*EXPERIMENTAL_QUEUEFILE*/
diff --git a/src/transports/queuefile.h b/src/transports/queuefile.h
new file mode 100644
index 0000000..0e45b51
--- /dev/null
+++ b/src/transports/queuefile.h
@@ -0,0 +1,29 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Andrew Colin Kissa <andrew@topdog.za.net> 2016 */
+/* Copyright (c) University of Cambridge 2016 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Private structure for the private options. */
+
+typedef struct {
+    uschar *dirname;
+} queuefile_transport_options_block;
+
+/* Data for reading the private options. */
+
+extern optionlist queuefile_transport_options[];
+extern int queuefile_transport_options_count;
+
+/* Block containing default values. */
+
+extern queuefile_transport_options_block queuefile_transport_option_defaults;
+
+/* The main and init entry points for the transport */
+
+extern BOOL queuefile_transport_entry(transport_instance *, address_item *);
+extern void queuefile_transport_init(transport_instance *);
+
+/* End of transports/queuefile.h */
diff --git a/src/transports/smtp.c b/src/transports/smtp.c
new file mode 100644
index 0000000..7f529b7
--- /dev/null
+++ b/src/transports/smtp.c
@@ -0,0 +1,6071 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#include "../exim.h"
+#include "smtp.h"
+
+#if defined(SUPPORT_DANE) && defined(DISABLE_TLS)
+# error TLS is required for DANE
+#endif
+
+
+/* Options specific to the smtp transport. This transport also supports LMTP
+over TCP/IP. The options must be in alphabetic order (note that "_" comes
+before the lower case letters). Some live in the transport_instance block so as
+to be publicly visible; these are flagged with opt_public. */
+
+#define LOFF(field) OPT_OFF(smtp_transport_options_block, field)
+
+optionlist smtp_transport_options[] = {
+  { "*expand_multi_domain",             opt_stringptr | opt_hidden | opt_public,
+      OPT_OFF(transport_instance, expand_multi_domain) },
+  { "*expand_retry_include_ip_address", opt_stringptr | opt_hidden,
+      LOFF(expand_retry_include_ip_address) },
+
+  { "address_retry_include_sender", opt_bool,
+      LOFF(address_retry_include_sender) },
+  { "allow_localhost",      opt_bool,	   LOFF(allow_localhost) },
+#ifdef EXPERIMENTAL_ARC
+  { "arc_sign", opt_stringptr,		   LOFF(arc_sign) },
+#endif
+  { "authenticated_sender", opt_stringptr, LOFF(authenticated_sender) },
+  { "authenticated_sender_force", opt_bool, LOFF(authenticated_sender_force) },
+  { "command_timeout",      opt_time,	   LOFF(command_timeout) },
+  { "connect_timeout",      opt_time,	   LOFF(connect_timeout) },
+  { "connection_max_messages", opt_int | opt_public,
+      OPT_OFF(transport_instance, connection_max_messages) },
+# ifdef SUPPORT_DANE
+  { "dane_require_tls_ciphers", opt_stringptr, LOFF(dane_require_tls_ciphers) },
+# endif
+  { "data_timeout",         opt_time,	   LOFF(data_timeout) },
+  { "delay_after_cutoff",   opt_bool,	   LOFF(delay_after_cutoff) },
+#ifndef DISABLE_DKIM
+  { "dkim_canon", opt_stringptr,	   LOFF(dkim.dkim_canon) },
+  { "dkim_domain", opt_stringptr,	   LOFF(dkim.dkim_domain) },
+  { "dkim_hash", opt_stringptr,		   LOFF(dkim.dkim_hash) },
+  { "dkim_identity", opt_stringptr,	   LOFF(dkim.dkim_identity) },
+  { "dkim_private_key", opt_stringptr,	   LOFF(dkim.dkim_private_key) },
+  { "dkim_selector", opt_stringptr,	   LOFF(dkim.dkim_selector) },
+  { "dkim_sign_headers", opt_stringptr,	   LOFF(dkim.dkim_sign_headers) },
+  { "dkim_strict", opt_stringptr,	   LOFF(dkim.dkim_strict) },
+  { "dkim_timestamps", opt_stringptr,	   LOFF(dkim.dkim_timestamps) },
+#endif
+  { "dns_qualify_single",   opt_bool,	   LOFF(dns_qualify_single) },
+  { "dns_search_parents",   opt_bool,	   LOFF(dns_search_parents) },
+  { "dnssec_request_domains", opt_stringptr, LOFF(dnssec.request) },
+  { "dnssec_require_domains", opt_stringptr, LOFF(dnssec.require) },
+  { "dscp",                 opt_stringptr, LOFF(dscp) },
+  { "fallback_hosts",       opt_stringptr, LOFF(fallback_hosts) },
+  { "final_timeout",        opt_time,	   LOFF(final_timeout) },
+  { "gethostbyname",        opt_bool,	   LOFF(gethostbyname) },
+  { "helo_data",            opt_stringptr, LOFF(helo_data) },
+#if !defined(DISABLE_TLS) && !defined(DISABLE_TLS_RESUME)
+  { "host_name_extract",    opt_stringptr, LOFF(host_name_extract) },
+# endif
+  { "hosts",                opt_stringptr, LOFF(hosts) },
+  { "hosts_avoid_esmtp",    opt_stringptr, LOFF(hosts_avoid_esmtp) },
+  { "hosts_avoid_pipelining", opt_stringptr, LOFF(hosts_avoid_pipelining) },
+#ifndef DISABLE_TLS
+  { "hosts_avoid_tls",      opt_stringptr, LOFF(hosts_avoid_tls) },
+#endif
+  { "hosts_max_try",        opt_int,	   LOFF(hosts_max_try) },
+  { "hosts_max_try_hardlimit", opt_int,	   LOFF(hosts_max_try_hardlimit) },
+#ifndef DISABLE_TLS
+  { "hosts_nopass_tls",     opt_stringptr, LOFF(hosts_nopass_tls) },
+  { "hosts_noproxy_tls",    opt_stringptr, LOFF(hosts_noproxy_tls) },
+#endif
+  { "hosts_override",       opt_bool,	   LOFF(hosts_override) },
+#ifndef DISABLE_PIPE_CONNECT
+  { "hosts_pipe_connect",   opt_stringptr, LOFF(hosts_pipe_connect) },
+#endif
+  { "hosts_randomize",      opt_bool,	   LOFF(hosts_randomize) },
+#if !defined(DISABLE_TLS) && !defined(DISABLE_OCSP)
+  { "hosts_request_ocsp",   opt_stringptr, LOFF(hosts_request_ocsp) },
+#endif
+  { "hosts_require_alpn",   opt_stringptr, LOFF(hosts_require_alpn) },
+  { "hosts_require_auth",   opt_stringptr, LOFF(hosts_require_auth) },
+#ifndef DISABLE_TLS
+# ifdef SUPPORT_DANE
+  { "hosts_require_dane",   opt_stringptr, LOFF(hosts_require_dane) },
+# endif
+# ifndef DISABLE_OCSP
+  { "hosts_require_ocsp",   opt_stringptr, LOFF(hosts_require_ocsp) },
+# endif
+  { "hosts_require_tls",    opt_stringptr, LOFF(hosts_require_tls) },
+#endif
+  { "hosts_try_auth",       opt_stringptr, LOFF(hosts_try_auth) },
+  { "hosts_try_chunking",   opt_stringptr, LOFF(hosts_try_chunking) },
+#ifdef SUPPORT_DANE
+  { "hosts_try_dane",       opt_stringptr, LOFF(hosts_try_dane) },
+#endif
+  { "hosts_try_fastopen",   opt_stringptr, LOFF(hosts_try_fastopen) },
+#ifndef DISABLE_PRDR
+  { "hosts_try_prdr",       opt_stringptr, LOFF(hosts_try_prdr) },
+#endif
+#ifndef DISABLE_TLS
+  { "hosts_verify_avoid_tls", opt_stringptr, LOFF(hosts_verify_avoid_tls) },
+#endif
+  { "interface",            opt_stringptr, LOFF(interface) },
+  { "keepalive",            opt_bool,	   LOFF(keepalive) },
+  { "lmtp_ignore_quota",    opt_bool,	   LOFF(lmtp_ignore_quota) },
+  { "max_rcpt",             opt_int | opt_public,
+      OPT_OFF(transport_instance, max_addresses) },
+  { "message_linelength_limit", opt_int,   LOFF(message_linelength_limit) },
+  { "multi_domain",         opt_expand_bool | opt_public,
+      OPT_OFF(transport_instance, multi_domain) },
+  { "port",                 opt_stringptr, LOFF(port) },
+  { "protocol",             opt_stringptr, LOFF(protocol) },
+  { "retry_include_ip_address", opt_expand_bool, LOFF(retry_include_ip_address) },
+  { "serialize_hosts",      opt_stringptr, LOFF(serialize_hosts) },
+  { "size_addition",        opt_int,	   LOFF(size_addition) },
+#ifdef SUPPORT_SOCKS
+  { "socks_proxy",          opt_stringptr, LOFF(socks_proxy) },
+#endif
+#ifndef DISABLE_TLS
+  { "tls_alpn",             opt_stringptr, LOFF(tls_alpn) },
+  { "tls_certificate",      opt_stringptr, LOFF(tls_certificate) },
+  { "tls_crl",              opt_stringptr, LOFF(tls_crl) },
+  { "tls_dh_min_bits",      opt_int,	   LOFF(tls_dh_min_bits) },
+  { "tls_privatekey",       opt_stringptr, LOFF(tls_privatekey) },
+  { "tls_require_ciphers",  opt_stringptr, LOFF(tls_require_ciphers) },
+# ifndef DISABLE_TLS_RESUME
+  { "tls_resumption_hosts", opt_stringptr, LOFF(tls_resumption_hosts) },
+# endif
+  { "tls_sni",              opt_stringptr, LOFF(tls_sni) },
+  { "tls_tempfail_tryclear", opt_bool, LOFF(tls_tempfail_tryclear) },
+  { "tls_try_verify_hosts", opt_stringptr, LOFF(tls_try_verify_hosts) },
+  { "tls_verify_cert_hostnames", opt_stringptr, LOFF(tls_verify_cert_hostnames)},
+  { "tls_verify_certificates", opt_stringptr, LOFF(tls_verify_certificates) },
+  { "tls_verify_hosts",     opt_stringptr, LOFF(tls_verify_hosts) },
+#endif
+#ifdef SUPPORT_I18N
+  { "utf8_downconvert",	    opt_stringptr, LOFF(utf8_downconvert) },
+#endif
+};
+
+/* Size of the options list. An extern variable has to be used so that its
+address can appear in the tables drtables.c. */
+
+int smtp_transport_options_count = nelem(smtp_transport_options);
+
+
+#ifdef MACRO_PREDEF
+
+/* Dummy values */
+smtp_transport_options_block smtp_transport_option_defaults = {0};
+void smtp_transport_init(transport_instance *tblock) {}
+BOOL smtp_transport_entry(transport_instance *tblock, address_item *addr) {return FALSE;}
+void smtp_transport_closedown(transport_instance *tblock) {}
+
+#else   /*!MACRO_PREDEF*/
+
+
+/* Default private options block for the smtp transport. */
+
+smtp_transport_options_block smtp_transport_option_defaults = {
+  /* All non-mentioned elements 0/NULL/FALSE */
+  .helo_data =			US"$primary_hostname",
+  .protocol =			US"smtp",
+  .hosts_try_chunking =		US"*",
+#ifdef SUPPORT_DANE
+  .hosts_try_dane =		US"*",
+#endif
+  .hosts_try_fastopen =		US"*",
+#ifndef DISABLE_PRDR
+  .hosts_try_prdr =		US"*",
+#endif
+#ifndef DISABLE_OCSP
+  .hosts_request_ocsp =		US"*",               /* hosts_request_ocsp (except under DANE; tls_client_start()) */
+#endif
+  .command_timeout =		5*60,
+  .connect_timeout =		5*60,
+  .data_timeout =		5*60,
+  .final_timeout =		10*60,
+  .size_addition =		1024,
+  .hosts_max_try =		5,
+  .hosts_max_try_hardlimit =	50,
+  .message_linelength_limit =	998,
+  .address_retry_include_sender = TRUE,
+  .dns_qualify_single =		TRUE,
+  .dnssec = { .request= US"*", .require=NULL },
+  .delay_after_cutoff =		TRUE,
+  .keepalive =			TRUE,
+  .retry_include_ip_address =	TRUE,
+#ifndef DISABLE_TLS
+  .tls_verify_certificates =	US"system",
+  .tls_dh_min_bits =		EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
+  .tls_tempfail_tryclear =	TRUE,
+  .tls_try_verify_hosts =	US"*",
+  .tls_verify_cert_hostnames =	US"*",
+# ifndef DISABLE_TLS_RESUME
+  .host_name_extract =		US"${if and {{match{$host}{.outlook.com\\$}} {match{$item}{\\N^250-([\\w.]+)\\s\\N}}} {$1}}",
+# endif
+#endif
+#ifdef SUPPORT_I18N
+  .utf8_downconvert =		US"-1",
+#endif
+#ifndef DISABLE_DKIM
+ .dkim =
+   { .dkim_hash =		US"sha256", },
+#endif
+};
+
+/* some DSN flags for use later */
+
+static int     rf_list[] = {rf_notify_never, rf_notify_success,
+                            rf_notify_failure, rf_notify_delay };
+
+static uschar *rf_names[] = { US"NEVER", US"SUCCESS", US"FAILURE", US"DELAY" };
+
+
+
+/* Local statics */
+
+static uschar *smtp_command;		/* Points to last cmd for error messages */
+static uschar *mail_command;		/* Points to MAIL cmd for error messages */
+static uschar *data_command = US"";	/* Points to DATA cmd for error messages */
+static BOOL    update_waiting;		/* TRUE to update the "wait" database */
+
+/*XXX move to smtp_context */
+static BOOL    pipelining_active;	/* current transaction is in pipe mode */
+
+
+static unsigned ehlo_response(uschar * buf, unsigned checks);
+
+
+/******************************************************************************/
+
+void
+smtp_deliver_init(void)
+{
+struct list
+  {
+  const pcre2_code **	re;
+  const uschar *	string;
+  } list[] =
+  {
+    { &regex_AUTH,		AUTHS_REGEX },
+    { &regex_CHUNKING,		US"\\n250[\\s\\-]CHUNKING(\\s|\\n|$)" },
+    { &regex_DSN,		US"\\n250[\\s\\-]DSN(\\s|\\n|$)" },
+    { &regex_IGNOREQUOTA,	US"\\n250[\\s\\-]IGNOREQUOTA(\\s|\\n|$)" },
+    { &regex_PIPELINING,	US"\\n250[\\s\\-]PIPELINING(\\s|\\n|$)" },
+    { &regex_SIZE,		US"\\n250[\\s\\-]SIZE(\\s|\\n|$)" },
+
+#ifndef DISABLE_TLS
+    { &regex_STARTTLS,		US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)" },
+#endif
+#ifndef DISABLE_PRDR
+    { &regex_PRDR,		US"\\n250[\\s\\-]PRDR(\\s|\\n|$)" },
+#endif
+#ifdef SUPPORT_I18N
+    { &regex_UTF8,		US"\\n250[\\s\\-]SMTPUTF8(\\s|\\n|$)" },
+#endif
+#ifndef DISABLE_PIPE_CONNECT
+    { &regex_EARLY_PIPE,  	US"\\n250[\\s\\-]" EARLY_PIPE_FEATURE_NAME "(\\s|\\n|$)" },
+#endif
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+    { &regex_LIMITS,		US"\\n250[\\s\\-]LIMITS\\s" },
+#endif
+  };
+
+for (struct list * l = list; l < list + nelem(list); l++)
+  if (!*l->re)
+    *l->re = regex_must_compile(l->string, FALSE, TRUE);
+}
+
+
+/*************************************************
+*             Setup entry point                  *
+*************************************************/
+
+/* This function is called when the transport is about to be used,
+but before running it in a sub-process. It is used for two things:
+
+  (1) To set the fallback host list in addresses, when delivering.
+  (2) To pass back the interface, port, protocol, and other options, for use
+      during callout verification.
+
+Arguments:
+  tblock    pointer to the transport instance block
+  addrlist  list of addresses about to be transported
+  tf        if not NULL, pointer to block in which to return options
+  uid       the uid that will be set (not used)
+  gid       the gid that will be set (not used)
+  errmsg    place for error message (not used)
+
+Returns:  OK always (FAIL, DEFER not used)
+*/
+
+static int
+smtp_transport_setup(transport_instance *tblock, address_item *addrlist,
+  transport_feedback *tf, uid_t uid, gid_t gid, uschar **errmsg)
+{
+smtp_transport_options_block *ob = SOB tblock->options_block;
+
+/* Pass back options if required. This interface is getting very messy. */
+
+if (tf)
+  {
+  tf->interface = ob->interface;
+  tf->port = ob->port;
+  tf->protocol = ob->protocol;
+  tf->hosts = ob->hosts;
+  tf->hosts_override = ob->hosts_override;
+  tf->hosts_randomize = ob->hosts_randomize;
+  tf->gethostbyname = ob->gethostbyname;
+  tf->qualify_single = ob->dns_qualify_single;
+  tf->search_parents = ob->dns_search_parents;
+  tf->helo_data = ob->helo_data;
+  }
+
+/* Set the fallback host list for all the addresses that don't have fallback
+host lists, provided that the local host wasn't present in the original host
+list. */
+
+if (!testflag(addrlist, af_local_host_removed))
+  for (; addrlist; addrlist = addrlist->next)
+    if (!addrlist->fallback_hosts) addrlist->fallback_hosts = ob->fallback_hostlist;
+
+return OK;
+}
+
+
+
+/*************************************************
+*          Initialization entry point            *
+*************************************************/
+
+/* Called for each instance, after its options have been read, to
+enable consistency checks to be done, or anything else that needs
+to be set up.
+
+Argument:   pointer to the transport instance block
+Returns:    nothing
+*/
+
+void
+smtp_transport_init(transport_instance *tblock)
+{
+smtp_transport_options_block *ob = SOB tblock->options_block;
+int old_pool = store_pool;
+
+/* Retry_use_local_part defaults FALSE if unset */
+
+if (tblock->retry_use_local_part == TRUE_UNSET)
+  tblock->retry_use_local_part = FALSE;
+
+/* Set the default port according to the protocol */
+
+if (!ob->port)
+  ob->port = strcmpic(ob->protocol, US"lmtp") == 0
+  ? US"lmtp"
+  : strcmpic(ob->protocol, US"smtps") == 0
+  ? US"smtps" : US"smtp";
+
+/* Set up the setup entry point, to be called before subprocesses for this
+transport. */
+
+tblock->setup = smtp_transport_setup;
+
+/* Complain if any of the timeouts are zero. */
+
+if (ob->command_timeout <= 0 || ob->data_timeout <= 0 ||
+    ob->final_timeout <= 0)
+  log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
+    "command, data, or final timeout value is zero for %s transport",
+      tblock->name);
+
+/* If hosts_override is set and there are local hosts, set the global
+flag that stops verify from showing router hosts. */
+
+if (ob->hosts_override && ob->hosts) tblock->overrides_hosts = TRUE;
+
+/* If there are any fallback hosts listed, build a chain of host items
+for them, but do not do any lookups at this time. */
+
+store_pool = POOL_PERM;
+host_build_hostlist(&ob->fallback_hostlist, ob->fallback_hosts, FALSE);
+store_pool = old_pool;
+}
+
+
+
+
+
+/*************************************************
+*   Set delivery info into all active addresses  *
+*************************************************/
+
+/* Only addresses whose status is >= PENDING are relevant. A lesser
+status means that an address is not currently being processed.
+
+Arguments:
+  addrlist       points to a chain of addresses
+  errno_value    to put in each address's errno field
+  msg            to put in each address's message field
+  rc             to put in each address's transport_return field
+  pass_message   if TRUE, set the "pass message" flag in the address
+  host           if set, mark addrs as having used this host
+  smtp_greeting  from peer
+  helo_response  from peer
+  start		 points to timestamp of delivery start
+
+If errno_value has the special value ERRNO_CONNECTTIMEOUT, ETIMEDOUT is put in
+the errno field, and RTEF_CTOUT is ORed into the more_errno field, to indicate
+this particular type of timeout.
+
+Returns:       nothing
+*/
+
+static void
+set_errno(address_item *addrlist, int errno_value, uschar *msg, int rc,
+  BOOL pass_message, host_item * host,
+#ifdef EXPERIMENTAL_DSN_INFO
+  const uschar * smtp_greeting, const uschar * helo_response,
+#endif
+  struct timeval * start
+  )
+{
+int orvalue = 0;
+struct timeval deliver_time;
+
+if (errno_value == ERRNO_CONNECTTIMEOUT)
+  {
+  errno_value = ETIMEDOUT;
+  orvalue = RTEF_CTOUT;
+  }
+timesince(&deliver_time, start);
+
+for (address_item * addr = addrlist; addr; addr = addr->next)
+  if (addr->transport_return >= PENDING)
+    {
+    addr->basic_errno = errno_value;
+    addr->more_errno |= orvalue;
+    addr->delivery_time = deliver_time;
+    if (msg)
+      {
+      addr->message = msg;
+      if (pass_message) setflag(addr, af_pass_message);
+      }
+    addr->transport_return = rc;
+    if (host)
+      {
+      addr->host_used = host;
+#ifdef EXPERIMENTAL_DSN_INFO
+      if (smtp_greeting)
+	{uschar * s = Ustrchr(smtp_greeting, '\n'); if (s) *s = '\0';}
+      addr->smtp_greeting = smtp_greeting;
+
+      if (helo_response)
+	{uschar * s = Ustrchr(helo_response, '\n'); if (s) *s = '\0';}
+      addr->helo_response = helo_response;
+#endif
+      }
+    }
+}
+
+static void
+set_errno_nohost(address_item * addrlist, int errno_value, uschar * msg, int rc,
+  BOOL pass_message, struct timeval * start)
+{
+set_errno(addrlist, errno_value, msg, rc, pass_message, NULL,
+#ifdef EXPERIMENTAL_DSN_INFO
+	  NULL, NULL,
+#endif
+	  start);
+}
+
+
+/*************************************************
+*          Check an SMTP response                *
+*************************************************/
+
+/* This function is given an errno code and the SMTP response buffer
+to analyse, together with the host identification for generating messages. It
+sets an appropriate message and puts the first digit of the response code into
+the yield variable. If no response was actually read, a suitable digit is
+chosen.
+
+Arguments:
+  host           the current host, to get its name for messages
+  errno_value    pointer to the errno value
+  more_errno     from the top address for use with ERRNO_FILTER_FAIL
+  buffer         the SMTP response buffer
+  yield          where to put a one-digit SMTP response code
+  message        where to put an error message
+  pass_message   set TRUE if message is an SMTP response
+
+Returns:         TRUE if an SMTP "QUIT" command should be sent, else FALSE
+*/
+
+static BOOL
+check_response(host_item *host, int *errno_value, int more_errno,
+  uschar *buffer, int *yield, uschar **message, BOOL *pass_message)
+{
+uschar * pl = pipelining_active ? US"pipelined " : US"";
+const uschar * s;
+
+*yield = '4';    /* Default setting is to give a temporary error */
+
+switch(*errno_value)
+  {
+  case ETIMEDOUT:		/* Handle response timeout */
+    *message = US string_sprintf("SMTP timeout after %s%s",
+	pl, smtp_command);
+    if (transport_count > 0)
+      *message = US string_sprintf("%s (%d bytes written)", *message,
+	transport_count);
+    return FALSE;
+
+  case ERRNO_SMTPFORMAT:	/* Handle malformed SMTP response */
+    s = string_printing(buffer);
+    while (isspace(*s)) s++;
+    *message = *s == 0
+      ? string_sprintf("Malformed SMTP reply (an empty line) "
+	  "in response to %s%s", pl, smtp_command)
+      : string_sprintf("Malformed SMTP reply in response to %s%s: %s",
+	  pl, smtp_command, s);
+    return FALSE;
+
+  case ERRNO_TLSFAILURE:	/* Handle bad first read; can happen with
+				GnuTLS and TLS1.3 */
+    *message = US"bad first read from TLS conn";
+    return TRUE;
+
+  case ERRNO_FILTER_FAIL:	/* Handle a failed filter process error;
+			  can't send QUIT as we mustn't end the DATA. */
+    *message = string_sprintf("transport filter process failed (%d)%s",
+      more_errno,
+      more_errno == EX_EXECFAILED ? ": unable to execute command" : "");
+    return FALSE;
+
+  case ERRNO_CHHEADER_FAIL:	/* Handle a failed add_headers expansion;
+			    can't send QUIT as we mustn't end the DATA. */
+    *message =
+      string_sprintf("failed to expand headers_add or headers_remove: %s",
+	expand_string_message);
+    return FALSE;
+
+  case ERRNO_WRITEINCOMPLETE:	/* failure to write a complete data block */
+    *message = US"failed to write a data block";
+    return FALSE;
+
+#ifdef SUPPORT_I18N
+  case ERRNO_UTF8_FWD: /* no advertised SMTPUTF8, for international message */
+    *message = US"utf8 support required but not offered for forwarding";
+    DEBUG(D_deliver|D_transport) debug_printf("%s\n", *message);
+    return TRUE;
+#endif
+  }
+
+/* Handle error responses from the remote mailer. */
+
+if (buffer[0] != 0)
+  {
+  *message = string_sprintf("SMTP error from remote mail server after %s%s: "
+    "%s", pl, smtp_command, s = string_printing(buffer));
+  *pass_message = TRUE;
+  *yield = buffer[0];
+  return TRUE;
+  }
+
+/* No data was read. If there is no errno, this must be the EOF (i.e.
+connection closed) case, which causes deferral. An explicit connection reset
+error has the same effect. Otherwise, put the host's identity in the message,
+leaving the errno value to be interpreted as well. In all cases, we have to
+assume the connection is now dead. */
+
+if (*errno_value == 0 || *errno_value == ECONNRESET)
+  {
+  *errno_value = ERRNO_SMTPCLOSED;
+  *message = US string_sprintf("Remote host closed connection "
+    "in response to %s%s", pl, smtp_command);
+  }
+else
+  *message = US string_sprintf("%s [%s]", host->name, host->address);
+
+return FALSE;
+}
+
+
+
+/*************************************************
+*          Write error message to logs           *
+*************************************************/
+
+/* This writes to the main log and to the message log.
+
+Arguments:
+  host     the current host
+  detail  the current message (addr_item->message)
+  basic_errno the errno (addr_item->basic_errno)
+
+Returns:   nothing
+*/
+
+static void
+write_logs(const host_item *host, const uschar *suffix, int basic_errno)
+{
+gstring * message = LOGGING(outgoing_port)
+  ? string_fmt_append(NULL, "H=%s [%s]:%d", host->name, host->address,
+		    host->port == PORT_NONE ? 25 : host->port)
+  : string_fmt_append(NULL, "H=%s [%s]", host->name, host->address);
+
+if (suffix)
+  {
+  message = string_fmt_append(message, ": %s", suffix);
+  if (basic_errno > 0)
+    message = string_fmt_append(message, ": %s", strerror(basic_errno));
+  }
+else
+  message = string_fmt_append(message, " %s", exim_errstr(basic_errno));
+
+log_write(0, LOG_MAIN, "%s", string_from_gstring(message));
+deliver_msglog("%s %s\n", tod_stamp(tod_log), message->s);
+}
+
+static void
+msglog_line(host_item * host, uschar * message)
+{
+deliver_msglog("%s H=%s [%s] %s\n", tod_stamp(tod_log),
+  host->name, host->address, message);
+}
+
+
+
+#ifndef DISABLE_EVENT
+/*************************************************
+*   Post-defer action                            *
+*************************************************/
+
+/* This expands an arbitrary per-transport string.
+   It might, for example, be used to write to the database log.
+
+Arguments:
+  addr                  the address item containing error information
+  host                  the current host
+  evstr			the event
+
+Returns:   nothing
+*/
+
+static void
+deferred_event_raise(address_item * addr, host_item * host, uschar * evstr)
+{
+uschar * action = addr->transport->event_action;
+const uschar * save_domain;
+uschar * save_local;
+
+if (!action)
+  return;
+
+save_domain = deliver_domain;
+save_local = deliver_localpart;
+
+/*XXX would ip & port already be set up? */
+deliver_host_address = string_copy(host->address);
+deliver_host_port =    host->port == PORT_NONE ? 25 : host->port;
+event_defer_errno =    addr->basic_errno;
+
+router_name =    addr->router->name;
+transport_name = addr->transport->name;
+deliver_domain = addr->domain;
+deliver_localpart = addr->local_part;
+
+(void) event_raise(action, evstr,
+    addr->message
+      ? addr->basic_errno > 0
+	? string_sprintf("%s: %s", addr->message, strerror(addr->basic_errno))
+	: string_copy(addr->message)
+      : addr->basic_errno > 0
+	? string_copy(US strerror(addr->basic_errno))
+	: NULL,
+      NULL);
+
+deliver_localpart = save_local;
+deliver_domain =    save_domain;
+router_name = transport_name = NULL;
+}
+#endif
+
+/*************************************************
+*           Reap SMTP specific responses         *
+*************************************************/
+static int
+smtp_discard_responses(smtp_context * sx, smtp_transport_options_block * ob,
+  int count)
+{
+uschar flushbuffer[4096];
+
+while (count-- > 0)
+  {
+  if (!smtp_read_response(sx, flushbuffer, sizeof(flushbuffer),
+	     '2', ob->command_timeout)
+      && (errno != 0 || flushbuffer[0] == 0))
+    break;
+  }
+return count;
+}
+
+
+/* Return boolean success */
+
+static BOOL
+smtp_reap_banner(smtp_context * sx)
+{
+BOOL good_response;
+#if defined(__linux__) && defined(TCP_QUICKACK)
+  {	/* Hack to get QUICKACK disabled; has to be right after 3whs, and has to on->off */
+  int sock = sx->cctx.sock;
+  struct pollfd p = {.fd = sock, .events = POLLOUT};
+  if (poll(&p, 1, 1000) >= 0)	/* retval test solely for compiler quitening */
+    {
+    (void) setsockopt(sock, IPPROTO_TCP, TCP_QUICKACK, US &on, sizeof(on));
+    (void) setsockopt(sock, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
+    }
+  }
+#endif
+good_response = smtp_read_response(sx, sx->buffer, sizeof(sx->buffer),
+  '2', (SOB sx->conn_args.ob)->command_timeout);
+#ifdef EXPERIMENTAL_DSN_INFO
+sx->smtp_greeting = string_copy(sx->buffer);
+#endif
+return good_response;
+}
+
+static BOOL
+smtp_reap_ehlo(smtp_context * sx)
+{
+if (!smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2',
+       (SOB sx->conn_args.ob)->command_timeout))
+  {
+  if (errno != 0 || sx->buffer[0] == 0 || sx->lmtp)
+    {
+#ifdef EXPERIMENTAL_DSN_INFO
+    sx->helo_response = string_copy(sx->buffer);
+#endif
+    return FALSE;
+    }
+  sx->esmtp = FALSE;
+  }
+#ifdef EXPERIMENTAL_DSN_INFO
+sx->helo_response = string_copy(sx->buffer);
+#endif
+#ifndef DISABLE_EVENT
+(void) event_raise(sx->conn_args.tblock->event_action,
+  US"smtp:ehlo", sx->buffer, NULL);
+#endif
+return TRUE;
+}
+
+
+/* Grab a string differentiating server behind a loadbalancer, for TLS
+resumption when such servers do not share a session-cache */
+
+static void
+ehlo_response_lbserver(smtp_context * sx, smtp_transport_options_block * ob)
+{
+#if !defined(DISABLE_TLS) && !defined(DISABLE_TLS_RESUME)
+const uschar * s;
+uschar * save_item = iterate_item;
+
+if (sx->conn_args.have_lbserver)
+  return;
+iterate_item = sx->buffer;
+s = expand_cstring(ob->host_name_extract);
+iterate_item = save_item;
+sx->conn_args.host_lbserver = s && !*s ? NULL : s;
+sx->conn_args.have_lbserver = TRUE;
+#endif
+}
+
+
+
+/******************************************************************************/
+
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+/* If TLS, or TLS not offered, called with the EHLO response in the buffer.
+Check it for a LIMITS keyword and parse values into the smtp context structure.
+
+We don't bother with peers that we won't talk TLS to, even though they can,
+just ignore their LIMITS advice (if any) and treat them as if they do not.
+This saves us dealing with a duplicate set of values. */
+
+static void
+ehlo_response_limits_read(smtp_context * sx)
+{
+uschar * match;
+
+/* matches up to just after the first space after the keyword */
+
+if (regex_match(regex_LIMITS, sx->buffer, -1, &match))
+  for (const uschar * s = sx->buffer + Ustrlen(match); *s; )
+    {
+    while (isspace(*s)) s++;
+    if (*s == '\n') break;
+
+    if (strncmpic(s, US"MAILMAX=", 8) == 0)
+      {
+      sx->peer_limit_mail = atoi(CS (s += 8));
+      while (isdigit(*s)) s++;
+      }
+    else if (strncmpic(s, US"RCPTMAX=", 8) == 0)
+      {
+      sx->peer_limit_rcpt = atoi(CS (s += 8));
+      while (isdigit(*s)) s++;
+      }
+    else if (strncmpic(s, US"RCPTDOMAINMAX=", 14) == 0)
+      {
+      sx->peer_limit_rcptdom = atoi(CS (s += 14));
+      while (isdigit(*s)) s++;
+      }
+    else
+      while (*s && !isspace(*s)) s++;
+    }
+}
+
+/* Apply given values to the current connection */
+static void
+ehlo_limits_apply(smtp_context * sx,
+  unsigned limit_mail, unsigned limit_rcpt, unsigned limit_rcptdom)
+{
+if (limit_mail && limit_mail < sx->max_mail) sx->max_mail = limit_mail;
+if (limit_rcpt && limit_rcpt < sx->max_rcpt) sx->max_rcpt = limit_rcpt;
+if (limit_rcptdom)
+  {
+  DEBUG(D_transport) debug_printf("will treat as !multi_domain\n");
+  sx->single_rcpt_domain = TRUE;
+  }
+}
+
+/* Apply values from EHLO-resp to the current connection */
+static void
+ehlo_response_limits_apply(smtp_context * sx)
+{
+ehlo_limits_apply(sx, sx->peer_limit_mail, sx->peer_limit_rcpt,
+  sx->peer_limit_rcptdom);
+}
+
+/* Apply values read from cache to the current connection */
+static void
+ehlo_cache_limits_apply(smtp_context * sx)
+{
+# ifndef DISABLE_PIPE_CONNECT
+ehlo_limits_apply(sx, sx->ehlo_resp.limit_mail, sx->ehlo_resp.limit_rcpt,
+  sx->ehlo_resp.limit_rcptdom);
+# endif
+}
+#endif	/*EXPERIMENTAL_ESMTP_LIMITS*/
+
+/******************************************************************************/
+
+#ifndef DISABLE_PIPE_CONNECT
+static uschar *
+ehlo_cache_key(const smtp_context * sx)
+{
+host_item * host = sx->conn_args.host;
+return Ustrchr(host->address, ':')
+  ? string_sprintf("[%s]:%d.EHLO", host->address,
+    host->port == PORT_NONE ? sx->port : host->port)
+  : string_sprintf("%s:%d.EHLO", host->address,
+    host->port == PORT_NONE ? sx->port : host->port);
+}
+
+/* Cache EHLO-response info for use by early-pipe.
+Called
+- During a normal flow on EHLO response (either cleartext or under TLS),
+  when we are willing to do PIPECONNECT and it is offered
+- During an early-pipe flow on receiving the actual EHLO response and noting
+  disparity versus the cached info used, when PIPECONNECT is still being offered
+
+We assume that suitable values have been set in the sx.ehlo_resp structure for
+features and auths; we handle the copy of limits. */
+
+static void
+write_ehlo_cache_entry(smtp_context * sx)
+{
+open_db dbblock, * dbm_file;
+
+# ifdef EXPERIMENTAL_ESMTP_LIMITS
+sx->ehlo_resp.limit_mail = sx->peer_limit_mail;
+sx->ehlo_resp.limit_rcpt = sx->peer_limit_rcpt;
+sx->ehlo_resp.limit_rcptdom = sx->peer_limit_rcptdom;
+# endif
+
+if ((dbm_file = dbfn_open(US"misc", O_RDWR, &dbblock, TRUE, TRUE)))
+  {
+  uschar * ehlo_resp_key = ehlo_cache_key(sx);
+  dbdata_ehlo_resp er = { .data = sx->ehlo_resp };
+
+  HDEBUG(D_transport)
+# ifdef EXPERIMENTAL_ESMTP_LIMITS
+    if (sx->ehlo_resp.limit_mail || sx->ehlo_resp.limit_rcpt || sx->ehlo_resp.limit_rcptdom)
+      debug_printf("writing clr %04x/%04x cry %04x/%04x lim %05d/%05d/%05d\n",
+	sx->ehlo_resp.cleartext_features, sx->ehlo_resp.cleartext_auths,
+	sx->ehlo_resp.crypted_features, sx->ehlo_resp.crypted_auths,
+	sx->ehlo_resp.limit_mail, sx->ehlo_resp.limit_rcpt,
+	sx->ehlo_resp.limit_rcptdom);
+    else
+# endif
+      debug_printf("writing clr %04x/%04x cry %04x/%04x\n",
+	sx->ehlo_resp.cleartext_features, sx->ehlo_resp.cleartext_auths,
+	sx->ehlo_resp.crypted_features, sx->ehlo_resp.crypted_auths);
+
+  dbfn_write(dbm_file, ehlo_resp_key, &er, (int)sizeof(er));
+  dbfn_close(dbm_file);
+  }
+}
+
+static void
+invalidate_ehlo_cache_entry(smtp_context * sx)
+{
+open_db dbblock, * dbm_file;
+
+if (  sx->early_pipe_active
+   && (dbm_file = dbfn_open(US"misc", O_RDWR, &dbblock, TRUE, TRUE)))
+  {
+  uschar * ehlo_resp_key = ehlo_cache_key(sx);
+  dbfn_delete(dbm_file, ehlo_resp_key);
+  dbfn_close(dbm_file);
+  }
+}
+
+static BOOL
+read_ehlo_cache_entry(smtp_context * sx)
+{
+open_db dbblock;
+open_db * dbm_file;
+
+if (!(dbm_file = dbfn_open(US"misc", O_RDONLY, &dbblock, FALSE, TRUE)))
+  { DEBUG(D_transport) debug_printf("ehlo-cache: no misc DB\n"); }
+else
+  {
+  uschar * ehlo_resp_key = ehlo_cache_key(sx);
+  dbdata_ehlo_resp * er;
+
+  if (!(er = dbfn_read_enforce_length(dbm_file, ehlo_resp_key, sizeof(dbdata_ehlo_resp))))
+    { DEBUG(D_transport) debug_printf("no ehlo-resp record\n"); }
+  else if (time(NULL) - er->time_stamp > retry_data_expire)
+    {
+    DEBUG(D_transport) debug_printf("ehlo-resp record too old\n");
+    dbfn_close(dbm_file);
+    if ((dbm_file = dbfn_open(US"misc", O_RDWR, &dbblock, TRUE, TRUE)))
+      dbfn_delete(dbm_file, ehlo_resp_key);
+    }
+  else
+    {
+    DEBUG(D_transport)
+# ifdef EXPERIMENTAL_ESMTP_LIMITS
+      if (er->data.limit_mail || er->data.limit_rcpt || er->data.limit_rcptdom)
+	debug_printf("EHLO response bits from cache:"
+	  " cleartext 0x%04x/0x%04x crypted 0x%04x/0x%04x lim %05d/%05d/%05d\n",
+	  er->data.cleartext_features, er->data.cleartext_auths,
+	  er->data.crypted_features, er->data.crypted_auths,
+	  er->data.limit_mail, er->data.limit_rcpt, er->data.limit_rcptdom);
+      else
+# endif
+	debug_printf("EHLO response bits from cache:"
+	  " cleartext 0x%04x/0x%04x crypted 0x%04x/0x%04x\n",
+	  er->data.cleartext_features, er->data.cleartext_auths,
+	  er->data.crypted_features, er->data.crypted_auths);
+
+    sx->ehlo_resp = er->data;
+# ifdef EXPERIMENTAL_ESMTP_LIMITS
+    ehlo_cache_limits_apply(sx);
+# endif
+    dbfn_close(dbm_file);
+    return TRUE;
+    }
+  dbfn_close(dbm_file);
+  }
+return FALSE;
+}
+
+
+
+/* Return an auths bitmap for the set of AUTH methods offered by the server
+which match our authenticators. */
+
+static unsigned short
+study_ehlo_auths(smtp_context * sx)
+{
+uschar * names;
+auth_instance * au;
+uschar authnum;
+unsigned short authbits = 0;
+
+if (!sx->esmtp) return 0;
+if (!regex_AUTH) regex_AUTH = regex_must_compile(AUTHS_REGEX, FALSE, TRUE);
+if (!regex_match_and_setup(regex_AUTH, sx->buffer, 0, -1)) return 0;
+expand_nmax = -1;						/* reset */
+names = string_copyn(expand_nstring[1], expand_nlength[1]);
+
+for (au = auths, authnum = 0; au; au = au->next, authnum++) if (au->client)
+  {
+  const uschar * list = names;
+  uschar * s;
+  for (int sep = ' '; s = string_nextinlist(&list, &sep, NULL, 0); )
+    if (strcmpic(au->public_name, s) == 0)
+      { authbits |= BIT(authnum); break; }
+  }
+
+DEBUG(D_transport)
+  debug_printf("server offers %s AUTH, methods '%s', bitmap 0x%04x\n",
+    tls_out.active.sock >= 0 ? "crypted" : "plaintext", names, authbits);
+
+if (tls_out.active.sock >= 0)
+  sx->ehlo_resp.crypted_auths = authbits;
+else
+  sx->ehlo_resp.cleartext_auths = authbits;
+return authbits;
+}
+
+
+
+
+/* Wait for and check responses for early-pipelining.
+
+Called from the lower-level smtp_read_response() function
+used for general code that assume synchronisation, if context
+flags indicate outstanding early-pipelining commands.  Also
+called fom sync_responses() which handles pipelined commands.
+
+Arguments:
+ sx	smtp connection context
+ countp	number of outstanding responses, adjusted on return
+
+Return:
+ OK	all well
+ DEFER	error on first read of TLS'd conn
+ FAIL	SMTP error in response
+*/
+int
+smtp_reap_early_pipe(smtp_context * sx, int * countp)
+{
+BOOL pending_BANNER = sx->pending_BANNER;
+BOOL pending_EHLO = sx->pending_EHLO;
+int rc = FAIL;
+
+sx->pending_BANNER = FALSE;	/* clear early to avoid recursion */
+sx->pending_EHLO = FALSE;
+
+if (pending_BANNER)
+  {
+  DEBUG(D_transport) debug_printf("%s expect banner\n", __FUNCTION__);
+  (*countp)--;
+  if (!smtp_reap_banner(sx))
+    {
+    DEBUG(D_transport) debug_printf("bad banner\n");
+    if (tls_out.active.sock >= 0) rc = DEFER;
+    goto fail;
+    }
+  /*XXX EXPERIMENTAL_ESMTP_LIMITS ? */
+  ehlo_response_lbserver(sx, sx->conn_args.ob);
+  }
+
+if (pending_EHLO)
+  {
+  unsigned peer_offered;
+  unsigned short authbits = 0, * ap;
+
+  DEBUG(D_transport) debug_printf("%s expect ehlo\n", __FUNCTION__);
+  (*countp)--;
+  if (!smtp_reap_ehlo(sx))
+    {
+    DEBUG(D_transport) debug_printf("bad response for EHLO\n");
+    if (tls_out.active.sock >= 0) rc = DEFER;
+    goto fail;
+    }
+
+  /* Compare the actual EHLO response extensions and AUTH methods to the cached
+  value we assumed; on difference, dump or rewrite the cache and arrange for a
+  retry. */
+
+  ap = tls_out.active.sock < 0
+      ? &sx->ehlo_resp.cleartext_auths : &sx->ehlo_resp.crypted_auths;
+
+  peer_offered = ehlo_response(sx->buffer,
+	  (tls_out.active.sock < 0 ?  OPTION_TLS : 0)
+	| OPTION_CHUNKING | OPTION_PRDR | OPTION_DSN | OPTION_PIPE | OPTION_SIZE
+	| OPTION_UTF8 | OPTION_EARLY_PIPE
+	);
+# ifdef EXPERIMENTAL_ESMTP_LIMITS
+  if (tls_out.active.sock >= 0 || !(peer_offered & OPTION_TLS))
+    ehlo_response_limits_read(sx);
+# endif
+  if (  peer_offered != sx->peer_offered
+     || (authbits = study_ehlo_auths(sx)) != *ap)
+    {
+    HDEBUG(D_transport)
+      debug_printf("EHLO %s extensions changed, 0x%04x/0x%04x -> 0x%04x/0x%04x\n",
+		    tls_out.active.sock < 0 ? "cleartext" : "crypted",
+		    sx->peer_offered, *ap, peer_offered, authbits);
+    if (peer_offered & OPTION_EARLY_PIPE)
+      {
+      *(tls_out.active.sock < 0
+	? &sx->ehlo_resp.cleartext_features : &sx->ehlo_resp.crypted_features) =
+	  peer_offered;
+      *ap = authbits;
+      write_ehlo_cache_entry(sx);
+      }
+    else
+      invalidate_ehlo_cache_entry(sx);
+
+    return OK;		/* just carry on */
+    }
+# ifdef EXPERIMENTAL_ESMTP_LIMITS
+    /* If we are handling LIMITS, compare the actual EHLO LIMITS values with the
+    cached values and invalidate cache if different.  OK to carry on with
+    connect since values are advisory. */
+    {
+    if (  (tls_out.active.sock >= 0 || !(peer_offered & OPTION_TLS))
+       && (  sx->peer_limit_mail != sx->ehlo_resp.limit_mail
+          || sx->peer_limit_rcpt != sx->ehlo_resp.limit_rcpt
+          || sx->peer_limit_rcptdom != sx->ehlo_resp.limit_rcptdom
+       )  )
+      {
+      HDEBUG(D_transport)
+	{
+	debug_printf("EHLO LIMITS changed:");
+	if (sx->peer_limit_mail != sx->ehlo_resp.limit_mail)
+	  debug_printf(" MAILMAX %u -> %u\n", sx->ehlo_resp.limit_mail, sx->peer_limit_mail);
+	else if (sx->peer_limit_rcpt != sx->ehlo_resp.limit_rcpt)
+	  debug_printf(" RCPTMAX %u -> %u\n", sx->ehlo_resp.limit_rcpt, sx->peer_limit_rcpt);
+	else
+	  debug_printf(" RCPTDOMAINMAX %u -> %u\n", sx->ehlo_resp.limit_rcptdom, sx->peer_limit_rcptdom);
+	}
+      invalidate_ehlo_cache_entry(sx);
+      }
+    }
+# endif
+  }
+return OK;
+
+fail:
+  invalidate_ehlo_cache_entry(sx);
+  (void) smtp_discard_responses(sx, sx->conn_args.ob, *countp);
+  return rc;
+}
+#endif	/*!DISABLE_PIPE_CONNECT*/
+
+
+/*************************************************
+*           Synchronize SMTP responses           *
+*************************************************/
+
+/* This function is called from smtp_deliver() to receive SMTP responses from
+the server, and match them up with the commands to which they relate. When
+PIPELINING is not in use, this function is called after every command, and is
+therefore somewhat over-engineered, but it is simpler to use a single scheme
+that works both with and without PIPELINING instead of having two separate sets
+of code.
+
+The set of commands that are buffered up with pipelining may start with MAIL
+and may end with DATA; in between are RCPT commands that correspond to the
+addresses whose status is PENDING_DEFER. All other commands (STARTTLS, AUTH,
+etc.) are never buffered.
+
+Errors after MAIL or DATA abort the whole process leaving the response in the
+buffer. After MAIL, pending responses are flushed, and the original command is
+re-instated in big_buffer for error messages. For RCPT commands, the remote is
+permitted to reject some recipient addresses while accepting others. However
+certain errors clearly abort the whole process. Set the value in
+transport_return to PENDING_OK if the address is accepted. If there is a
+subsequent general error, it will get reset accordingly. If not, it will get
+converted to OK at the end.
+
+Arguments:
+  sx		    smtp connection context
+  count             the number of responses to read
+  pending_DATA      0 if last command sent was not DATA
+                   +1 if previously had a good recipient
+                   -1 if not previously had a good recipient
+
+Returns:      3 if at least one address had 2xx and one had 5xx
+              2 if at least one address had 5xx but none had 2xx
+              1 if at least one host had a 2xx response, but none had 5xx
+              0 no address had 2xx or 5xx but no errors (all 4xx, or just DATA)
+             -1 timeout while reading RCPT response
+             -2 I/O or other non-response error for RCPT
+             -3 DATA or MAIL failed - errno and buffer set
+	     -4 banner or EHLO failed (early-pipelining)
+	     -5 banner or EHLO failed (early-pipelining, TLS)
+*/
+
+static int
+sync_responses(smtp_context * sx, int count, int pending_DATA)
+{
+address_item * addr = sx->sync_addr;
+smtp_transport_options_block * ob = sx->conn_args.ob;
+int yield = 0;
+
+#ifndef DISABLE_PIPE_CONNECT
+int rc;
+if ((rc = smtp_reap_early_pipe(sx, &count)) != OK)
+  return rc == FAIL ? -4 : -5;
+#endif
+
+/* Handle the response for a MAIL command. On error, reinstate the original
+command in big_buffer for error message use, and flush any further pending
+responses before returning, except after I/O errors and timeouts. */
+
+if (sx->pending_MAIL)
+  {
+  DEBUG(D_transport) debug_printf("%s expect mail\n", __FUNCTION__);
+  count--;
+  sx->pending_MAIL = sx->RCPT_452 = FALSE;
+  if (!smtp_read_response(sx, sx->buffer, sizeof(sx->buffer),
+			  '2', ob->command_timeout))
+    {
+    DEBUG(D_transport) debug_printf("bad response for MAIL\n");
+    Ustrcpy(big_buffer, mail_command);  /* Fits, because it came from there! */
+    if (errno == ERRNO_TLSFAILURE)
+      return -5;
+    if (errno == 0 && sx->buffer[0] != 0)
+      {
+      int save_errno = 0;
+      if (sx->buffer[0] == '4')
+        {
+        save_errno = ERRNO_MAIL4XX;
+        addr->more_errno |= ((sx->buffer[1] - '0')*10 + sx->buffer[2] - '0') << 8;
+        }
+      count = smtp_discard_responses(sx, ob, count);
+      errno = save_errno;
+      }
+
+    if (pending_DATA) count--;  /* Number of RCPT responses to come */
+    while (count-- > 0)		/* Mark any pending addrs with the host used */
+      {
+      while (addr->transport_return != PENDING_DEFER) addr = addr->next;
+      addr->host_used = sx->conn_args.host;
+      addr = addr->next;
+      }
+    return -3;
+    }
+  }
+
+if (pending_DATA) count--;  /* Number of RCPT responses to come */
+
+/* Read and handle the required number of RCPT responses, matching each one up
+with an address by scanning for the next address whose status is PENDING_DEFER.
+*/
+
+while (count-- > 0)
+  {
+  while (addr->transport_return != PENDING_DEFER)
+    if (!(addr = addr->next))
+      return -2;
+
+  /* The address was accepted */
+  addr->host_used = sx->conn_args.host;
+
+  DEBUG(D_transport) debug_printf("%s expect rcpt for %s\n", __FUNCTION__, addr->address);
+  if (smtp_read_response(sx, sx->buffer, sizeof(sx->buffer),
+			  '2', ob->command_timeout))
+    {
+    yield |= 1;
+    addr->transport_return = PENDING_OK;
+
+    /* If af_dr_retry_exists is set, there was a routing delay on this address;
+    ensure that any address-specific retry record is expunged. We do this both
+    for the basic key and for the version that also includes the sender. */
+
+    if (testflag(addr, af_dr_retry_exists))
+      {
+      uschar *altkey = string_sprintf("%s:<%s>", addr->address_retry_key,
+        sender_address);
+      retry_add_item(addr, altkey, rf_delete);
+      retry_add_item(addr, addr->address_retry_key, rf_delete);
+      }
+    }
+
+  /* Error on first TLS read */
+
+  else if (errno == ERRNO_TLSFAILURE)
+    return -5;
+
+  /* Timeout while reading the response */
+
+  else if (errno == ETIMEDOUT)
+    {
+    uschar *message = string_sprintf("SMTP timeout after RCPT TO:<%s>",
+		transport_rcpt_address(addr, sx->conn_args.tblock->rcpt_include_affixes));
+    set_errno_nohost(sx->first_addr, ETIMEDOUT, message, DEFER, FALSE, &sx->delivery_start);
+    retry_add_item(addr, addr->address_retry_key, 0);
+    update_waiting = FALSE;
+    return -1;
+    }
+
+  /* Handle other errors in obtaining an SMTP response by returning -1. This
+  will cause all the addresses to be deferred. Restore the SMTP command in
+  big_buffer for which we are checking the response, so the error message
+  makes sense. */
+
+  else if (errno != 0 || sx->buffer[0] == 0)
+    {
+    gstring gs = { .size = big_buffer_size, .ptr = 0, .s = big_buffer }, * g = &gs;
+
+    /* Use taint-unchecked routines for writing into big_buffer, trusting
+    that we'll never expand it. */
+
+    g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, "RCPT TO:<%s>",
+      transport_rcpt_address(addr, sx->conn_args.tblock->rcpt_include_affixes));
+    string_from_gstring(g);
+    return -2;
+    }
+
+  /* Handle SMTP permanent and temporary response codes. */
+
+  else
+    {
+    addr->message =
+      string_sprintf("SMTP error from remote mail server after RCPT TO:<%s>: "
+	"%s", transport_rcpt_address(addr, sx->conn_args.tblock->rcpt_include_affixes),
+	string_printing(sx->buffer));
+    setflag(addr, af_pass_message);
+    if (!sx->verify)
+      msglog_line(sx->conn_args.host, addr->message);
+
+    /* The response was 5xx */
+
+    if (sx->buffer[0] == '5')
+      {
+      addr->transport_return = FAIL;
+      yield |= 2;
+      }
+
+    /* The response was 4xx */
+
+    else
+      {
+      addr->transport_return = DEFER;
+      addr->basic_errno = ERRNO_RCPT4XX;
+      addr->more_errno |= ((sx->buffer[1] - '0')*10 + sx->buffer[2] - '0') << 8;
+
+      if (!sx->verify)
+	{
+#ifndef DISABLE_EVENT
+	event_defer_errno = addr->more_errno;
+	msg_event_raise(US"msg:rcpt:host:defer", addr);
+#endif
+	/* If a 452 and we've had at least one 2xx or 5xx, set next_addr to the
+	start point for another MAIL command. */
+
+	if (addr->more_errno >> 8 == 52  &&  yield & 3)
+	  {
+	  if (!sx->RCPT_452)		/* initialised at MAIL-ack above */
+	    {
+	    DEBUG(D_transport)
+	      debug_printf("%s: seen first 452 too-many-rcpts\n", __FUNCTION__);
+	    sx->RCPT_452 = TRUE;
+	    sx->next_addr = addr;
+	    }
+	  addr->transport_return = PENDING_DEFER;
+	  addr->basic_errno = 0;
+	  }
+	else
+	  {
+	  /* Log temporary errors if there are more hosts to be tried.
+	  If not, log this last one in the == line. */
+
+	  if (sx->conn_args.host->next)
+	    if (LOGGING(outgoing_port))
+	      log_write(0, LOG_MAIN, "H=%s [%s]:%d %s", sx->conn_args.host->name,
+		sx->conn_args.host->address,
+		sx->port == PORT_NONE ? 25 : sx->port, addr->message);
+	    else
+	      log_write(0, LOG_MAIN, "H=%s [%s]: %s", sx->conn_args.host->name,
+		sx->conn_args.host->address, addr->message);
+
+#ifndef DISABLE_EVENT
+	  else
+	    msg_event_raise(US"msg:rcpt:defer", addr);
+#endif
+
+	  /* Do not put this message on the list of those waiting for specific
+	  hosts, as otherwise it is likely to be tried too often. */
+
+	  update_waiting = FALSE;
+
+	  /* Add a retry item for the address so that it doesn't get tried again
+	  too soon. If address_retry_include_sender is true, add the sender address
+	  to the retry key. */
+
+	  retry_add_item(addr,
+	    ob->address_retry_include_sender
+	      ? string_sprintf("%s:<%s>", addr->address_retry_key, sender_address)
+	      : addr->address_retry_key,
+	    0);
+	  }
+	}
+      }
+    }
+  if (count && !(addr = addr->next))
+    return -2;
+  }       /* Loop for next RCPT response */
+
+/* Update where to start at for the next block of responses, unless we
+have already handled all the addresses. */
+
+if (addr) sx->sync_addr = addr->next;
+
+/* Handle a response to DATA. If we have not had any good recipients, either
+previously or in this block, the response is ignored. */
+
+if (pending_DATA != 0)
+  {
+  DEBUG(D_transport) debug_printf("%s expect data\n", __FUNCTION__);
+  if (!smtp_read_response(sx, sx->buffer, sizeof(sx->buffer),
+			'3', ob->command_timeout))
+    {
+    int code;
+    uschar *msg;
+    BOOL pass_message;
+
+    if (errno == ERRNO_TLSFAILURE)	/* Error on first TLS read */
+      return -5;
+
+    if (pending_DATA > 0 || (yield & 1) != 0)
+      {
+      if (errno == 0 && sx->buffer[0] == '4')
+	{
+	errno = ERRNO_DATA4XX;
+	sx->first_addr->more_errno |= ((sx->buffer[1] - '0')*10 + sx->buffer[2] - '0') << 8;
+	}
+      return -3;
+      }
+    (void)check_response(sx->conn_args.host, &errno, 0, sx->buffer, &code, &msg, &pass_message);
+    DEBUG(D_transport) debug_printf("%s\nerror for DATA ignored: pipelining "
+      "is in use and there were no good recipients\n", msg);
+    }
+  }
+
+/* All responses read and handled; MAIL (if present) received 2xx and DATA (if
+present) received 3xx. If any RCPTs were handled and yielded anything other
+than 4xx, yield will be set non-zero. */
+
+return yield;
+}
+
+
+
+
+
+/* Try an authenticator's client entry */
+
+static int
+try_authenticator(smtp_context * sx, auth_instance * au)
+{
+smtp_transport_options_block * ob = sx->conn_args.ob;	/* transport options */
+host_item * host = sx->conn_args.host;			/* host to deliver to */
+int rc;
+
+/* Set up globals for error messages */
+
+authenticator_name = au->name;
+driver_srcfile = au->srcfile;
+driver_srcline = au->srcline;
+
+sx->outblock.authenticating = TRUE;
+rc = (au->info->clientcode)(au, sx, ob->command_timeout,
+			    sx->buffer, sizeof(sx->buffer));
+sx->outblock.authenticating = FALSE;
+driver_srcfile = authenticator_name = NULL; driver_srcline = 0;
+DEBUG(D_transport) debug_printf("%s authenticator yielded %d\n", au->name, rc);
+
+/* A temporary authentication failure must hold up delivery to
+this host. After a permanent authentication failure, we carry on
+to try other authentication methods. If all fail hard, try to
+deliver the message unauthenticated unless require_auth was set. */
+
+switch(rc)
+  {
+  case OK:
+    f.smtp_authenticated = TRUE;   /* stops the outer loop */
+    client_authenticator = au->name;
+    if (au->set_client_id)
+      client_authenticated_id = expand_string(au->set_client_id);
+    break;
+
+  /* Failure after writing a command */
+
+  case FAIL_SEND:
+    return FAIL_SEND;
+
+  /* Failure after reading a response */
+
+  case FAIL:
+    if (errno != 0 || sx->buffer[0] != '5') return FAIL;
+    log_write(0, LOG_MAIN, "%s authenticator failed H=%s [%s] %s",
+      au->name, host->name, host->address, sx->buffer);
+    break;
+
+  /* Failure by some other means. In effect, the authenticator
+  decided it wasn't prepared to handle this case. Typically this
+  is the result of "fail" in an expansion string. Do we need to
+  log anything here? Feb 2006: a message is now put in the buffer
+  if logging is required. */
+
+  case CANCELLED:
+    if (*sx->buffer != 0)
+      log_write(0, LOG_MAIN, "%s authenticator cancelled "
+	"authentication H=%s [%s] %s", au->name, host->name,
+	host->address, sx->buffer);
+    break;
+
+  /* Internal problem, message in buffer. */
+
+  case ERROR:
+    set_errno_nohost(sx->addrlist, ERRNO_AUTHPROB, string_copy(sx->buffer),
+	      DEFER, FALSE, &sx->delivery_start);
+    return ERROR;
+  }
+return OK;
+}
+
+
+
+
+/* Do the client side of smtp-level authentication.
+
+Arguments:
+  sx		smtp connection context
+
+sx->buffer should have the EHLO response from server (gets overwritten)
+
+Returns:
+  OK			Success, or failed (but not required): global "smtp_authenticated" set
+  DEFER			Failed authentication (and was required)
+  ERROR			Internal problem
+
+  FAIL_SEND		Failed communications - transmit
+  FAIL			- response
+*/
+
+static int
+smtp_auth(smtp_context * sx)
+{
+host_item * host = sx->conn_args.host;			/* host to deliver to */
+smtp_transport_options_block * ob = sx->conn_args.ob;	/* transport options */
+int require_auth = verify_check_given_host(CUSS &ob->hosts_require_auth, host);
+#ifndef DISABLE_PIPE_CONNECT
+unsigned short authbits = tls_out.active.sock >= 0
+      ? sx->ehlo_resp.crypted_auths : sx->ehlo_resp.cleartext_auths;
+#endif
+uschar * fail_reason = US"server did not advertise AUTH support";
+
+f.smtp_authenticated = FALSE;
+client_authenticator = client_authenticated_id = client_authenticated_sender = NULL;
+
+if (!regex_AUTH)
+  regex_AUTH = regex_must_compile(AUTHS_REGEX, FALSE, TRUE);
+
+/* Is the server offering AUTH? */
+
+if (  sx->esmtp
+   &&
+#ifndef DISABLE_PIPE_CONNECT
+      sx->early_pipe_active ? authbits
+      :
+#endif
+	regex_match_and_setup(regex_AUTH, sx->buffer, 0, -1)
+   )
+  {
+  uschar * names = NULL;
+  expand_nmax = -1;                          /* reset */
+
+#ifndef DISABLE_PIPE_CONNECT
+  if (!sx->early_pipe_active)
+#endif
+    names = string_copyn(expand_nstring[1], expand_nlength[1]);
+
+  /* Must not do this check until after we have saved the result of the
+  regex match above as the check could be another RE. */
+
+  if (  require_auth == OK
+     || verify_check_given_host(CUSS &ob->hosts_try_auth, host) == OK)
+    {
+    DEBUG(D_transport) debug_printf("scanning authentication mechanisms\n");
+    fail_reason = US"no common mechanisms were found";
+
+#ifndef DISABLE_PIPE_CONNECT
+    if (sx->early_pipe_active)
+      {
+      /* Scan our authenticators (which support use by a client and were offered
+      by the server (checked at cache-write time)), not suppressed by
+      client_condition.  If one is found, attempt to authenticate by calling its
+      client function.  We are limited to supporting up to 16 authenticator
+      public-names by the number of bits in a short. */
+
+      auth_instance * au;
+      uschar bitnum;
+      int rc;
+
+      for (bitnum = 0, au = auths;
+	   !f.smtp_authenticated && au && bitnum < 16;
+	   bitnum++, au = au->next) if (authbits & BIT(bitnum))
+	{
+	if (  au->client_condition
+	   && !expand_check_condition(au->client_condition, au->name,
+                   US"client authenticator"))
+	  {
+	  DEBUG(D_transport) debug_printf("skipping %s authenticator: %s\n",
+	    au->name, "client_condition is false");
+	  continue;
+	  }
+
+	/* Found data for a listed mechanism. Call its client entry. Set
+	a flag in the outblock so that data is overwritten after sending so
+	that reflections don't show it. */
+
+	fail_reason = US"authentication attempt(s) failed";
+
+	if ((rc = try_authenticator(sx, au)) != OK)
+	  return rc;
+	}
+      }
+    else
+#endif
+
+    /* Scan the configured authenticators looking for one which is configured
+    for use as a client, which is not suppressed by client_condition, and
+    whose name matches an authentication mechanism supported by the server.
+    If one is found, attempt to authenticate by calling its client function.
+    */
+
+    for (auth_instance * au = auths; !f.smtp_authenticated && au; au = au->next)
+      {
+      uschar *p = names;
+
+      if (  !au->client
+         || (   au->client_condition
+	    &&  !expand_check_condition(au->client_condition, au->name,
+		   US"client authenticator")))
+	{
+	DEBUG(D_transport) debug_printf("skipping %s authenticator: %s\n",
+	  au->name,
+	  (au->client)? "client_condition is false" :
+			"not configured as a client");
+	continue;
+	}
+
+      /* Loop to scan supported server mechanisms */
+
+      while (*p)
+	{
+	int len = Ustrlen(au->public_name);
+	int rc;
+
+	while (isspace(*p)) p++;
+
+	if (strncmpic(au->public_name, p, len) != 0 ||
+	    (p[len] != 0 && !isspace(p[len])))
+	  {
+	  while (*p != 0 && !isspace(*p)) p++;
+	  continue;
+	  }
+
+	/* Found data for a listed mechanism. Call its client entry. Set
+	a flag in the outblock so that data is overwritten after sending so
+	that reflections don't show it. */
+
+	fail_reason = US"authentication attempt(s) failed";
+
+	if ((rc = try_authenticator(sx, au)) != OK)
+	  return rc;
+
+	break;  /* If not authenticated, try next authenticator */
+	}       /* Loop for scanning supported server mechanisms */
+      }         /* Loop for further authenticators */
+    }
+  }
+
+/* If we haven't authenticated, but are required to, give up. */
+
+if (require_auth == OK && !f.smtp_authenticated)
+  {
+#ifndef DISABLE_PIPE_CONNECT
+  invalidate_ehlo_cache_entry(sx);
+#endif
+  set_errno_nohost(sx->addrlist, ERRNO_AUTHFAIL,
+    string_sprintf("authentication required but %s", fail_reason), DEFER,
+    FALSE, &sx->delivery_start);
+  return DEFER;
+  }
+
+return OK;
+}
+
+
+/* Construct AUTH appendix string for MAIL TO */
+/*
+Arguments
+  sx		context for smtp connection
+  p		point in sx->buffer to build string
+  addrlist      chain of potential addresses to deliver
+
+Globals		f.smtp_authenticated
+		client_authenticated_sender
+Return	True on error, otherwise buffer has (possibly empty) terminated string
+*/
+
+static BOOL
+smtp_mail_auth_str(smtp_context * sx, uschar * p, address_item * addrlist)
+{
+smtp_transport_options_block * ob = sx->conn_args.ob;
+uschar * local_authenticated_sender = authenticated_sender;
+
+#ifdef notdef
+  debug_printf("smtp_mail_auth_str: as<%s> os<%s> SA<%s>\n",
+    authenticated_sender, ob->authenticated_sender, f.smtp_authenticated?"Y":"N");
+#endif
+
+if (ob->authenticated_sender)
+  {
+  uschar * new = expand_string(ob->authenticated_sender);
+  if (!new)
+    {
+    if (!f.expand_string_forcedfail)
+      {
+      uschar *message = string_sprintf("failed to expand "
+        "authenticated_sender: %s", expand_string_message);
+      set_errno_nohost(addrlist, ERRNO_EXPANDFAIL, message, DEFER, FALSE, &sx->delivery_start);
+      return TRUE;
+      }
+    }
+  else if (*new)
+    local_authenticated_sender = new;
+  }
+
+/* Add the authenticated sender address if present */
+
+if (  (f.smtp_authenticated || ob->authenticated_sender_force)
+   && local_authenticated_sender)
+  {
+  string_format_nt(p, sizeof(sx->buffer) - (p-sx->buffer), " AUTH=%s",
+    auth_xtextencode(local_authenticated_sender,
+      Ustrlen(local_authenticated_sender)));
+  client_authenticated_sender = string_copy(local_authenticated_sender);
+  }
+else
+  *p = 0;
+
+return FALSE;
+}
+
+
+
+typedef struct smtp_compare_s
+{
+    uschar *			current_sender_address;
+    struct transport_instance *	tblock;
+} smtp_compare_t;
+
+
+/* Create a unique string that identifies this message, it is based on
+sender_address, helo_data and tls_certificate if enabled.
+*/
+
+static uschar *
+smtp_local_identity(uschar * sender, struct transport_instance * tblock)
+{
+address_item * addr1;
+uschar * if1 = US"";
+uschar * helo1 = US"";
+#ifndef DISABLE_TLS
+uschar * tlsc1 = US"";
+#endif
+uschar * save_sender_address = sender_address;
+uschar * local_identity = NULL;
+smtp_transport_options_block * ob = SOB tblock->options_block;
+
+sender_address = sender;
+
+addr1 = deliver_make_addr (sender, TRUE);
+deliver_set_expansions(addr1);
+
+if (ob->interface)
+  if1 = expand_string(ob->interface);
+
+if (ob->helo_data)
+  helo1 = expand_string(ob->helo_data);
+
+#ifndef DISABLE_TLS
+if (ob->tls_certificate)
+  tlsc1 = expand_string(ob->tls_certificate);
+local_identity = string_sprintf ("%s^%s^%s", if1, helo1, tlsc1);
+#else
+local_identity = string_sprintf ("%s^%s", if1, helo1);
+#endif
+
+deliver_set_expansions(NULL);
+sender_address = save_sender_address;
+
+return local_identity;
+}
+
+
+
+/* This routine is a callback that is called from transport_check_waiting.
+This function will evaluate the incoming message versus the previous
+message.  If the incoming message is using a different local identity then
+we will veto this new message.  */
+
+static BOOL
+smtp_are_same_identities(uschar * message_id, smtp_compare_t * s_compare)
+{
+uschar * message_local_identity,
+       * current_local_identity,
+       * new_sender_address;
+
+current_local_identity =
+  smtp_local_identity(s_compare->current_sender_address, s_compare->tblock);
+
+if (!(new_sender_address = spool_sender_from_msgid(message_id)))
+  return FALSE;
+
+
+message_local_identity =
+  smtp_local_identity(new_sender_address, s_compare->tblock);
+
+return Ustrcmp(current_local_identity, message_local_identity) == 0;
+}
+
+
+
+static unsigned
+ehlo_response(uschar * buf, unsigned checks)
+{
+PCRE2_SIZE bsize = Ustrlen(buf);
+pcre2_match_data * md = pcre2_match_data_create(1, pcre_gen_ctx);
+
+/* debug_printf("%s: check for 0x%04x\n", __FUNCTION__, checks); */
+
+#ifndef DISABLE_TLS
+if (  checks & OPTION_TLS
+   && pcre2_match(regex_STARTTLS,
+		  (PCRE2_SPTR)buf, bsize, 0, PCRE_EOPT, md, pcre_mtc_ctx) < 0)
+#endif
+  checks &= ~OPTION_TLS;
+
+if (  checks & OPTION_IGNQ
+   && pcre2_match(regex_IGNOREQUOTA,
+		  (PCRE2_SPTR)buf, bsize, 0, PCRE_EOPT, md, pcre_mtc_ctx) < 0)
+  checks &= ~OPTION_IGNQ;
+
+if (  checks & OPTION_CHUNKING
+   && pcre2_match(regex_CHUNKING,
+		  (PCRE2_SPTR)buf, bsize, 0, PCRE_EOPT, md, pcre_mtc_ctx) < 0)
+  checks &= ~OPTION_CHUNKING;
+
+#ifndef DISABLE_PRDR
+if (  checks & OPTION_PRDR
+   && pcre2_match(regex_PRDR,
+		  (PCRE2_SPTR)buf, bsize, 0, PCRE_EOPT, md, pcre_mtc_ctx) < 0)
+#endif
+  checks &= ~OPTION_PRDR;
+
+#ifdef SUPPORT_I18N
+if (  checks & OPTION_UTF8
+   && pcre2_match(regex_UTF8,
+		  (PCRE2_SPTR)buf, bsize, 0, PCRE_EOPT, md, pcre_mtc_ctx) < 0)
+#endif
+  checks &= ~OPTION_UTF8;
+
+if (  checks & OPTION_DSN
+   && pcre2_match(regex_DSN,
+		  (PCRE2_SPTR)buf, bsize, 0, PCRE_EOPT, md, pcre_mtc_ctx) < 0)
+  checks &= ~OPTION_DSN;
+
+if (  checks & OPTION_PIPE
+   && pcre2_match(regex_PIPELINING,
+		  (PCRE2_SPTR)buf, bsize, 0, PCRE_EOPT, md, pcre_mtc_ctx) < 0)
+  checks &= ~OPTION_PIPE;
+
+if (  checks & OPTION_SIZE
+   && pcre2_match(regex_SIZE,
+		  (PCRE2_SPTR)buf, bsize, 0, PCRE_EOPT, md, pcre_mtc_ctx) < 0)
+  checks &= ~OPTION_SIZE;
+
+#ifndef DISABLE_PIPE_CONNECT
+if (  checks & OPTION_EARLY_PIPE
+   && pcre2_match(regex_EARLY_PIPE,
+		  (PCRE2_SPTR)buf, bsize, 0, PCRE_EOPT, md, pcre_mtc_ctx) < 0)
+#endif
+  checks &= ~OPTION_EARLY_PIPE;
+
+pcre2_match_data_free(md);
+/* debug_printf("%s: found     0x%04x\n", __FUNCTION__, checks); */
+return checks;
+}
+
+
+
+/* Callback for emitting a BDAT data chunk header.
+
+If given a nonzero size, first flush any buffered SMTP commands
+then emit the command.
+
+Reap previous SMTP command responses if requested, and always reap
+the response from a previous BDAT command.
+
+Args:
+ tctx		transport context
+ chunk_size	value for SMTP BDAT command
+ flags
+   tc_chunk_last	add LAST option to SMTP BDAT command
+   tc_reap_prev		reap response to previous SMTP commands
+
+Returns:
+  OK or ERROR
+  DEFER			TLS error on first read (EHLO-resp); errno set
+*/
+
+static int
+smtp_chunk_cmd_callback(transport_ctx * tctx, unsigned chunk_size,
+  unsigned flags)
+{
+smtp_transport_options_block * ob = SOB tctx->tblock->options_block;
+smtp_context * sx = tctx->smtp_context;
+int cmd_count = 0;
+int prev_cmd_count;
+
+/* Write SMTP chunk header command.  If not reaping responses, note that
+there may be more writes (like, the chunk data) done soon. */
+
+if (chunk_size > 0)
+  {
+#ifndef DISABLE_PIPE_CONNECT
+  BOOL new_conn = !!(sx->outblock.conn_args);
+#endif
+  if((cmd_count = smtp_write_command(sx,
+	      flags & tc_reap_prev ? SCMD_FLUSH : SCMD_MORE,
+	      "BDAT %u%s\r\n", chunk_size, flags & tc_chunk_last ? " LAST" : "")
+     ) < 0) return ERROR;
+  if (flags & tc_chunk_last)
+    data_command = string_copy(big_buffer);  /* Save for later error message */
+#ifndef DISABLE_PIPE_CONNECT
+  /* That command write could have been the one that made the connection.
+  Copy the fd from the client conn ctx (smtp transport specific) to the
+  generic transport ctx. */
+
+  if (new_conn)
+    tctx->u.fd = sx->outblock.cctx->sock;
+#endif
+  }
+
+prev_cmd_count = cmd_count += sx->cmd_count;
+
+/* Reap responses for any previous, but not one we just emitted */
+
+if (chunk_size > 0)
+  prev_cmd_count--;
+if (sx->pending_BDAT)
+  prev_cmd_count--;
+
+if (flags & tc_reap_prev  &&  prev_cmd_count > 0)
+  {
+  DEBUG(D_transport) debug_printf("look for %d responses"
+    " for previous pipelined cmds\n", prev_cmd_count);
+
+  switch(sync_responses(sx, prev_cmd_count, 0))
+    {
+    case 1:				/* 2xx (only) => OK */
+    case 3: sx->good_RCPT = TRUE;	/* 2xx & 5xx => OK & progress made */
+    case 2: sx->completed_addr = TRUE;	/* 5xx (only) => progress made */
+    case 0: break;			/* No 2xx or 5xx, but no probs */
+
+    case -5: errno = ERRNO_TLSFAILURE;
+	     return DEFER;
+#ifndef DISABLE_PIPE_CONNECT
+    case -4:				/* non-2xx for pipelined banner or EHLO */
+#endif
+    case -1:				/* Timeout on RCPT */
+    default: return ERROR;		/* I/O error, or any MAIL/DATA error */
+    }
+  cmd_count = 1;
+  if (!sx->pending_BDAT)
+    pipelining_active = FALSE;
+  }
+
+/* Reap response for an outstanding BDAT */
+
+if (sx->pending_BDAT)
+  {
+  DEBUG(D_transport) debug_printf("look for one response for BDAT\n");
+
+  if (!smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2',
+       ob->command_timeout))
+    {
+    if (errno == 0 && sx->buffer[0] == '4')
+      {
+      errno = ERRNO_DATA4XX;	/*XXX does this actually get used? */
+      sx->addrlist->more_errno |=
+	((sx->buffer[1] - '0')*10 + sx->buffer[2] - '0') << 8;
+      }
+    return ERROR;
+    }
+  cmd_count--;
+  sx->pending_BDAT = FALSE;
+  pipelining_active = FALSE;
+  }
+else if (chunk_size > 0)
+  sx->pending_BDAT = TRUE;
+
+
+sx->cmd_count = cmd_count;
+return OK;
+}
+
+
+
+#ifdef SUPPORT_DANE
+static int
+check_force_dane_conn(smtp_context * sx, smtp_transport_options_block * ob)
+{
+int rc;
+if(  sx->dane_required
+  || verify_check_given_host(CUSS &ob->hosts_try_dane, sx->conn_args.host) == OK
+  )
+  switch (rc = tlsa_lookup(sx->conn_args.host, &sx->conn_args.tlsa_dnsa, sx->dane_required))
+    {
+    case OK:		sx->conn_args.dane = TRUE;
+			ob->tls_tempfail_tryclear = FALSE;	/* force TLS */
+			ob->tls_sni = sx->conn_args.host->name; /* force SNI */
+			break;
+    case FAIL_FORCED:	break;
+    default:		set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
+			    string_sprintf("DANE error: tlsa lookup %s",
+			      rc_to_string(rc)),
+			    rc, FALSE, &sx->delivery_start);
+# ifndef DISABLE_EVENT
+			(void) event_raise(sx->conn_args.tblock->event_action,
+			  US"dane:fail", sx->dane_required
+			    ?  US"dane-required" : US"dnssec-invalid",
+			  NULL);
+# endif
+			return rc;
+    }
+return OK;
+}
+#endif
+
+
+/*************************************************
+*       Make connection for given message        *
+*************************************************/
+
+/*
+Arguments:
+  sx		  connection context
+  suppress_tls    if TRUE, don't attempt a TLS connection - this is set for
+                    a second attempt after TLS initialization fails
+
+Returns:          OK    - the connection was made and the delivery attempted;
+                          fd is set in the conn context, tls_out set up.
+                  DEFER - the connection could not be made, or something failed
+                          while setting up the SMTP session, or there was a
+                          non-message-specific error, such as a timeout.
+                  ERROR - helo_data or add_headers or authenticated_sender is
+			  specified for this transport, and the string failed
+			  to expand
+*/
+int
+smtp_setup_conn(smtp_context * sx, BOOL suppress_tls)
+{
+smtp_transport_options_block * ob = sx->conn_args.tblock->options_block;
+BOOL pass_message = FALSE;
+uschar * message = NULL;
+int yield = OK;
+#ifndef DISABLE_TLS
+uschar * tls_errstr;
+#endif
+
+/* Many lines of clearing individual elements of *sx that used to
+be here have been replaced by a full memset to zero (de41aff051).
+There are two callers, this file and verify.c .  Now we only set
+up nonzero elements. */
+
+sx->conn_args.ob = ob;
+
+sx->lmtp = strcmpic(ob->protocol, US"lmtp") == 0;
+sx->smtps = strcmpic(ob->protocol, US"smtps") == 0;
+sx->send_rset = TRUE;
+sx->send_quit = TRUE;
+sx->setting_up = TRUE;
+sx->esmtp = TRUE;
+sx->dsn_all_lasthop = TRUE;
+#ifdef SUPPORT_DANE
+sx->dane_required =
+  verify_check_given_host(CUSS &ob->hosts_require_dane, sx->conn_args.host) == OK;
+#endif
+
+if ((sx->max_mail = sx->conn_args.tblock->connection_max_messages) == 0) sx->max_mail = 999999;
+if ((sx->max_rcpt = sx->conn_args.tblock->max_addresses) == 0)           sx->max_rcpt = 999999;
+sx->igquotstr = US"";
+if (!sx->helo_data) sx->helo_data = ob->helo_data;
+
+smtp_command = US"initial connection";
+
+/* Set up the buffer for reading SMTP response packets. */
+
+sx->inblock.buffer = sx->inbuffer;
+sx->inblock.buffersize = sizeof(sx->inbuffer);
+sx->inblock.ptr = sx->inbuffer;
+sx->inblock.ptrend = sx->inbuffer;
+
+/* Set up the buffer for holding SMTP commands while pipelining */
+
+sx->outblock.buffer = sx->outbuffer;
+sx->outblock.buffersize = sizeof(sx->outbuffer);
+sx->outblock.ptr = sx->outbuffer;
+
+/* Reset the parameters of a TLS session. */
+
+tls_out.bits = 0;
+tls_out.cipher = NULL;	/* the one we may use for this transport */
+tls_out.ourcert = NULL;
+tls_out.peercert = NULL;
+tls_out.peerdn = NULL;
+#ifdef USE_OPENSSL
+tls_out.sni = NULL;
+#endif
+tls_out.ocsp = OCSP_NOT_REQ;
+#ifndef DISABLE_TLS_RESUME
+tls_out.resumption = 0;
+#endif
+tls_out.ver = NULL;
+
+/* Flip the legacy TLS-related variables over to the outbound set in case
+they're used in the context of the transport.  Don't bother resetting
+afterward (when being used by a transport) as we're in a subprocess.
+For verify, unflipped once the callout is dealt with */
+
+tls_modify_variables(&tls_out);
+
+#ifdef DISABLE_TLS
+if (sx->smtps)
+  {
+  set_errno_nohost(sx->addrlist, ERRNO_TLSFAILURE, US"TLS support not available",
+	    DEFER, FALSE, &sx->delivery_start);
+  return ERROR;
+  }
+#else
+
+/* If we have a proxied TLS connection, check usability for this message */
+
+if (continue_hostname && continue_proxy_cipher)
+  {
+  int rc;
+  const uschar * sni = US"";
+
+# ifdef SUPPORT_DANE
+  /* Check if the message will be DANE-verified; if so force TLS and its SNI */
+
+  tls_out.dane_verified = FALSE;
+  smtp_port_for_connect(sx->conn_args.host, sx->port);
+  if (  sx->conn_args.host->dnssec == DS_YES
+     && (rc = check_force_dane_conn(sx, ob)) != OK
+     )
+    return rc;
+# endif
+
+  /* If the SNI or the DANE status required for the new message differs from the
+  existing conn drop the connection to force a new one. */
+
+  if (ob->tls_sni && !(sni = expand_cstring(ob->tls_sni)))
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "<%s>: failed to expand transport's tls_sni value: %s",
+      sx->addrlist->address, expand_string_message);
+
+# ifdef SUPPORT_DANE
+  if (  (continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni)
+     && continue_proxy_dane == sx->conn_args.dane)
+    {
+    tls_out.sni = US sni;
+    if ((tls_out.dane_verified = continue_proxy_dane))
+      sx->conn_args.host->dnssec = DS_YES;
+    }
+# else
+  if ((continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni))
+    tls_out.sni = US sni;
+# endif
+  else
+    {
+    DEBUG(D_transport)
+      debug_printf("Closing proxied-TLS connection due to SNI mismatch\n");
+
+    smtp_debug_cmd(US"QUIT", 0);
+    write(0, "QUIT\r\n", 6);
+    close(0);
+    continue_hostname = continue_proxy_cipher = NULL;
+    f.continue_more = FALSE;
+    continue_sequence = 1;	/* Unfortunately, this process cannot affect success log
+    				which is done by delivery proc.  Would have to pass this
+				back through reporting pipe. */
+    }
+  }
+#endif	/*!DISABLE_TLS*/
+
+/* Make a connection to the host if this isn't a continued delivery, and handle
+the initial interaction and HELO/EHLO/LHLO. Connect timeout errors are handled
+specially so they can be identified for retries. */
+
+if (!continue_hostname)
+  {
+  if (sx->verify)
+    HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", sx->conn_args.interface, sx->port);
+
+  /* Arrange to report to calling process this is a new connection */
+
+  clearflag(sx->first_addr, af_cont_conn);
+  setflag(sx->first_addr, af_new_conn);
+
+  /* Get the actual port the connection will use, into sx->conn_args.host */
+
+  smtp_port_for_connect(sx->conn_args.host, sx->port);
+
+#ifdef SUPPORT_DANE
+    /* Do TLSA lookup for DANE */
+    {
+    tls_out.dane_verified = FALSE;
+    tls_out.tlsa_usage = 0;
+
+    if (sx->conn_args.host->dnssec == DS_YES)
+      {
+      int rc;
+      if ((rc = check_force_dane_conn(sx, ob)) != OK)
+	return rc;
+      }
+    else if (sx->dane_required)
+      {
+      set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
+	string_sprintf("DANE error: %s lookup not DNSSEC", sx->conn_args.host->name),
+	FAIL, FALSE, &sx->delivery_start);
+# ifndef DISABLE_EVENT
+      (void) event_raise(sx->conn_args.tblock->event_action,
+	US"dane:fail", US"dane-required", NULL);
+# endif
+      return FAIL;
+      }
+    }
+#endif	/*DANE*/
+
+  /* Make the TCP connection */
+
+  sx->cctx.tls_ctx = NULL;
+  sx->inblock.cctx = sx->outblock.cctx = &sx->cctx;
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+  sx->peer_limit_mail = sx->peer_limit_rcpt = sx->peer_limit_rcptdom =
+#endif
+  sx->avoid_option = sx->peer_offered = smtp_peer_options = 0;
+#ifndef DISABLE_CLIENT_CMD_LOG
+  client_cmd_log = NULL;
+#endif
+
+#ifndef DISABLE_PIPE_CONNECT
+  if (  verify_check_given_host(CUSS &ob->hosts_pipe_connect,
+					    sx->conn_args.host) == OK)
+
+    /* We don't find out the local ip address until the connect, so if
+    the helo string might use it avoid doing early-pipelining. */
+
+    if (  !sx->helo_data
+       || sx->conn_args.interface
+       || !Ustrstr(sx->helo_data, "$sending_ip_address")
+       || Ustrstr(sx->helo_data, "def:sending_ip_address")
+       )
+      {
+      sx->early_pipe_ok = TRUE;
+      if (  read_ehlo_cache_entry(sx)
+	 && sx->ehlo_resp.cleartext_features & OPTION_EARLY_PIPE)
+	{
+	DEBUG(D_transport)
+	  debug_printf("Using cached cleartext PIPECONNECT\n");
+	sx->early_pipe_active = TRUE;
+	sx->peer_offered = sx->ehlo_resp.cleartext_features;
+	}
+      }
+    else DEBUG(D_transport)
+      debug_printf("helo needs $sending_ip_address; avoid early-pipelining\n");
+
+PIPE_CONNECT_RETRY:
+  if (sx->early_pipe_active)
+    {
+    sx->outblock.conn_args = &sx->conn_args;
+    (void) smtp_boundsock(&sx->conn_args);
+    }
+  else
+#endif
+    {
+    blob lazy_conn = {.data = NULL};
+    /* For TLS-connect, a TFO lazy-connect is useful since the Client Hello
+    can go on the TCP SYN. */
+
+    if ((sx->cctx.sock = smtp_connect(&sx->conn_args,
+			    sx->smtps ? &lazy_conn : NULL)) < 0)
+      {
+      set_errno_nohost(sx->addrlist,
+	errno == ETIMEDOUT ? ERRNO_CONNECTTIMEOUT : errno,
+	sx->verify ? US strerror(errno) : NULL,
+	DEFER, FALSE, &sx->delivery_start);
+      sx->send_quit = FALSE;
+      return DEFER;
+      }
+#ifdef TCP_QUICKACK
+    (void) setsockopt(sx->cctx.sock, IPPROTO_TCP, TCP_QUICKACK, US &off,
+			sizeof(off));
+#endif
+    }
+  /* Expand the greeting message while waiting for the initial response. (Makes
+  sense if helo_data contains ${lookup dnsdb ...} stuff). The expansion is
+  delayed till here so that $sending_ip_address and $sending_port are set.
+  Those will be known even for a TFO lazy-connect, having been set by the bind().
+  For early-pipe, we are ok if binding to a local interface; otherwise (if
+  $sending_ip_address is seen in helo_data) we disabled early-pipe above. */
+
+  if (sx->helo_data)
+    if (!(sx->helo_data = expand_string(sx->helo_data)))
+      if (sx->verify)
+	log_write(0, LOG_MAIN|LOG_PANIC,
+	  "<%s>: failed to expand transport's helo_data value for callout: %s",
+	  sx->addrlist->address, expand_string_message);
+
+#ifdef SUPPORT_I18N
+  if (sx->helo_data)
+    {
+    expand_string_message = NULL;
+    if ((sx->helo_data = string_domain_utf8_to_alabel(sx->helo_data,
+					      &expand_string_message)),
+	expand_string_message)
+      if (sx->verify)
+	log_write(0, LOG_MAIN|LOG_PANIC,
+	  "<%s>: failed to expand transport's helo_data value for callout: %s",
+	  sx->addrlist->address, expand_string_message);
+      else
+	sx->helo_data = NULL;
+    }
+#endif
+
+  /* The first thing is to wait for an initial OK response. The dreaded "goto"
+  is nevertheless a reasonably clean way of programming this kind of logic,
+  where you want to escape on any error. */
+
+  if (!sx->smtps)
+    {
+#ifndef DISABLE_PIPE_CONNECT
+    if (sx->early_pipe_active)
+      {
+      sx->pending_BANNER = TRUE;	/* sync_responses() must eventually handle */
+      sx->outblock.cmd_count = 1;
+      }
+    else
+#endif
+      {
+      if (!smtp_reap_banner(sx))
+	goto RESPONSE_FAILED;
+      }
+
+#ifndef DISABLE_EVENT
+      {
+      uschar * s;
+      lookup_dnssec_authenticated = sx->conn_args.host->dnssec==DS_YES ? US"yes"
+	: sx->conn_args.host->dnssec==DS_NO ? US"no" : NULL;
+      s = event_raise(sx->conn_args.tblock->event_action, US"smtp:connect", sx->buffer, NULL);
+      if (s)
+	{
+	set_errno_nohost(sx->addrlist, ERRNO_EXPANDFAIL,
+	  string_sprintf("deferred by smtp:connect event expansion: %s", s),
+	  DEFER, FALSE, &sx->delivery_start);
+	yield = DEFER;
+	goto SEND_QUIT;
+	}
+      }
+#endif
+
+    /* Now check if the helo_data expansion went well, and sign off cleanly if
+    it didn't. */
+
+    if (!sx->helo_data)
+      {
+      message = string_sprintf("failed to expand helo_data: %s",
+        expand_string_message);
+      set_errno_nohost(sx->addrlist, ERRNO_EXPANDFAIL, message, DEFER, FALSE, &sx->delivery_start);
+      yield = DEFER;
+      goto SEND_QUIT;
+      }
+    }
+
+/** Debugging without sending a message
+sx->addrlist->transport_return = DEFER;
+goto SEND_QUIT;
+**/
+
+  /* Errors that occur after this point follow an SMTP command, which is
+  left in big_buffer by smtp_write_command() for use in error messages. */
+
+  smtp_command = big_buffer;
+
+  /* Tell the remote who we are...
+
+  February 1998: A convention has evolved that ESMTP-speaking MTAs include the
+  string "ESMTP" in their greeting lines, so make Exim send EHLO if the
+  greeting is of this form. The assumption was that the far end supports it
+  properly... but experience shows that there are some that give 5xx responses,
+  even though the banner includes "ESMTP" (there's a bloody-minded one that
+  says "ESMTP not spoken here"). Cope with that case.
+
+  September 2000: Time has passed, and it seems reasonable now to always send
+  EHLO at the start. It is also convenient to make the change while installing
+  the TLS stuff.
+
+  July 2003: Joachim Wieland met a broken server that advertises "PIPELINING"
+  but times out after sending MAIL FROM, RCPT TO and DATA all together. There
+  would be no way to send out the mails, so there is now a host list
+  "hosts_avoid_esmtp" that disables ESMTP for special hosts and solves the
+  PIPELINING problem as well. Maybe it can also be useful to cure other
+  problems with broken servers.
+
+  Exim originally sent "Helo" at this point and ran for nearly a year that way.
+  Then somebody tried it with a Microsoft mailer... It seems that all other
+  mailers use upper case for some reason (the RFC is quite clear about case
+  independence) so, for peace of mind, I gave in. */
+
+  sx->esmtp = verify_check_given_host(CUSS &ob->hosts_avoid_esmtp, sx->conn_args.host) != OK;
+
+  /* Alas; be careful, since this goto is not an error-out, so conceivably
+  we might set data between here and the target which we assume to exist
+  and be usable.  I can see this coming back to bite us. */
+#ifndef DISABLE_TLS
+  if (sx->smtps)
+    {
+    smtp_peer_options |= OPTION_TLS;
+    suppress_tls = FALSE;
+    ob->tls_tempfail_tryclear = FALSE;
+    smtp_command = US"SSL-on-connect";
+    goto TLS_NEGOTIATE;
+    }
+#endif
+
+  if (sx->esmtp)
+    {
+    if (smtp_write_command(sx,
+#ifndef DISABLE_PIPE_CONNECT
+	  sx->early_pipe_active ? SCMD_BUFFER :
+#endif
+	    SCMD_FLUSH,
+	  "%s %s\r\n", sx->lmtp ? "LHLO" : "EHLO", sx->helo_data) < 0)
+      goto SEND_FAILED;
+    sx->esmtp_sent = TRUE;
+
+#ifndef DISABLE_PIPE_CONNECT
+    if (sx->early_pipe_active)
+      {
+      sx->pending_EHLO = TRUE;
+
+      /* If we have too many authenticators to handle and might need to AUTH
+      for this transport, pipeline no further as we will need the
+      list of auth methods offered.  Reap the banner and EHLO. */
+
+      if (  (ob->hosts_require_auth || ob->hosts_try_auth)
+	 && f.smtp_in_early_pipe_no_auth)
+	{
+	DEBUG(D_transport) debug_printf("may need to auth, so pipeline no further\n");
+	if (smtp_write_command(sx, SCMD_FLUSH, NULL) < 0)
+	  goto SEND_FAILED;
+	if (sync_responses(sx, 2, 0) != 0)
+	  {
+	  HDEBUG(D_transport)
+	    debug_printf("failed reaping pipelined cmd responses\n");
+	  goto RESPONSE_FAILED;
+	  }
+	sx->early_pipe_active = FALSE;
+	}
+      }
+    else
+#endif
+      if (!smtp_reap_ehlo(sx))
+	goto RESPONSE_FAILED;
+    }
+  else
+    DEBUG(D_transport)
+      debug_printf("not sending EHLO (host matches hosts_avoid_esmtp)\n");
+
+#ifndef DISABLE_PIPE_CONNECT
+  if (!sx->early_pipe_active)
+#endif
+    if (!sx->esmtp)
+      {
+      BOOL good_response;
+      int n = sizeof(sx->buffer);
+      uschar * rsp = sx->buffer;
+
+      if (sx->esmtp_sent && (n = Ustrlen(sx->buffer) + 1) < sizeof(sx->buffer)/2)
+	{ rsp = sx->buffer + n; n = sizeof(sx->buffer) - n; }
+
+      if (smtp_write_command(sx, SCMD_FLUSH, "HELO %s\r\n", sx->helo_data) < 0)
+	goto SEND_FAILED;
+      good_response = smtp_read_response(sx, rsp, n, '2', ob->command_timeout);
+#ifdef EXPERIMENTAL_DSN_INFO
+      sx->helo_response = string_copy(rsp);
+#endif
+      if (!good_response)
+	{
+	/* Handle special logging for a closed connection after HELO
+	when had previously sent EHLO */
+
+	if (rsp != sx->buffer && rsp[0] == 0 && (errno == 0 || errno == ECONNRESET))
+	  {
+	  errno = ERRNO_SMTPCLOSED;
+	  goto EHLOHELO_FAILED;
+	  }
+	memmove(sx->buffer, rsp, Ustrlen(rsp));
+	goto RESPONSE_FAILED;
+	}
+      }
+
+  if (sx->esmtp || sx->lmtp)
+    {
+#ifndef DISABLE_PIPE_CONNECT
+    if (!sx->early_pipe_active)
+#endif
+      {
+      sx->peer_offered = ehlo_response(sx->buffer,
+	OPTION_TLS	/* others checked later */
+#ifndef DISABLE_PIPE_CONNECT
+	| (sx->early_pipe_ok
+	  ?   OPTION_IGNQ
+	    | OPTION_CHUNKING | OPTION_PRDR | OPTION_DSN | OPTION_PIPE | OPTION_SIZE
+#ifdef SUPPORT_I18N
+	    | OPTION_UTF8
+#endif
+	    | OPTION_EARLY_PIPE
+	  : 0
+	  )
+#endif
+	);
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+      if (tls_out.active.sock >= 0 || !(sx->peer_offered & OPTION_TLS))
+	{
+	ehlo_response_limits_read(sx);
+	ehlo_response_limits_apply(sx);
+	}
+#endif
+#ifndef DISABLE_PIPE_CONNECT
+      if (sx->early_pipe_ok)
+	{
+	sx->ehlo_resp.cleartext_features = sx->peer_offered;
+
+	if (  (sx->peer_offered & (OPTION_PIPE | OPTION_EARLY_PIPE))
+	   == (OPTION_PIPE | OPTION_EARLY_PIPE))
+	  {
+	  DEBUG(D_transport) debug_printf("PIPECONNECT usable in future for this IP\n");
+	  sx->ehlo_resp.cleartext_auths = study_ehlo_auths(sx);
+	  write_ehlo_cache_entry(sx);
+	  }
+	}
+#endif
+      ehlo_response_lbserver(sx, ob);
+      }
+
+  /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
+
+#ifndef DISABLE_TLS
+    smtp_peer_options |= sx->peer_offered & OPTION_TLS;
+#endif
+    }
+  }
+
+/* For continuing deliveries down the same channel, having re-exec'd  the socket
+is the standard input; for a socket held open from verify it is recorded
+in the cutthrough context block.  Either way we don't need to redo EHLO here
+(but may need to do so for TLS - see below).
+Set up the pointer to where subsequent commands will be left, for
+error messages. Note that smtp_peer_options will have been
+set from the command line if they were set in the process that passed the
+connection on. */
+
+/*XXX continue case needs to propagate DSN_INFO, prob. in deliver.c
+as the continue goes via transport_pass_socket() and doublefork and exec.
+It does not wait.  Unclear how we keep separate host's responses
+separate - we could match up by host ip+port as a bodge. */
+
+else
+  {
+  if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
+    {
+    sx->cctx = cutthrough.cctx;
+    sx->conn_args.host->port = sx->port = cutthrough.host.port;
+    }
+  else
+    {
+    sx->cctx.sock = 0;				/* stdin */
+    sx->cctx.tls_ctx = NULL;
+    smtp_port_for_connect(sx->conn_args.host, sx->port);	/* Record the port that was used */
+    }
+  sx->inblock.cctx = sx->outblock.cctx = &sx->cctx;
+  smtp_command = big_buffer;
+  sx->peer_offered = smtp_peer_options;
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+  /* Limits passed by cmdline over exec. */
+  ehlo_limits_apply(sx,
+		    sx->peer_limit_mail = continue_limit_mail,
+		    sx->peer_limit_rcpt = continue_limit_rcpt,
+		    sx->peer_limit_rcptdom = continue_limit_rcptdom);
+#endif
+  sx->helo_data = NULL;		/* ensure we re-expand ob->helo_data */
+
+  /* For a continued connection with TLS being proxied for us, or a
+  held-open verify connection with TLS, nothing more to do. */
+
+  if (  continue_proxy_cipher
+     || (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only
+         && cutthrough.is_tls)
+     )
+    {
+    sx->pipelining_used = pipelining_active = !!(smtp_peer_options & OPTION_PIPE);
+    HDEBUG(D_transport) debug_printf("continued connection, %s TLS\n",
+      continue_proxy_cipher ? "proxied" : "verify conn with");
+    return OK;
+    }
+  HDEBUG(D_transport) debug_printf("continued connection, no TLS\n");
+  }
+
+/* If TLS is available on this connection, whether continued or not, attempt to
+start up a TLS session, unless the host is in hosts_avoid_tls. If successful,
+send another EHLO - the server may give a different answer in secure mode. We
+use a separate buffer for reading the response to STARTTLS so that if it is
+negative, the original EHLO data is available for subsequent analysis, should
+the client not be required to use TLS. If the response is bad, copy the buffer
+for error analysis. */
+
+#ifndef DISABLE_TLS
+if (  smtp_peer_options & OPTION_TLS
+   && !suppress_tls
+   && verify_check_given_host(CUSS &ob->hosts_avoid_tls, sx->conn_args.host) != OK
+   && (  !sx->verify
+      || verify_check_given_host(CUSS &ob->hosts_verify_avoid_tls, sx->conn_args.host) != OK
+   )  )
+  {
+  uschar buffer2[4096];
+
+  if (smtp_write_command(sx, SCMD_FLUSH, "STARTTLS\r\n") < 0)
+    goto SEND_FAILED;
+
+#ifndef DISABLE_PIPE_CONNECT
+  /* If doing early-pipelining reap the banner and EHLO-response but leave
+  the response for the STARTTLS we just sent alone.  On fail, assume wrong
+  cached capability and retry with the pipelining disabled. */
+
+  if (sx->early_pipe_active)
+    {
+    if (sync_responses(sx, 2, 0) != 0)
+      {
+      HDEBUG(D_transport)
+	debug_printf("failed reaping pipelined cmd responses\n");
+      close(sx->cctx.sock);
+      sx->cctx.sock = -1;
+      sx->early_pipe_active = FALSE;
+      goto PIPE_CONNECT_RETRY;
+      }
+    }
+#endif
+
+  /* If there is an I/O error, transmission of this message is deferred. If
+  there is a temporary rejection of STARRTLS and tls_tempfail_tryclear is
+  false, we also defer. However, if there is a temporary rejection of STARTTLS
+  and tls_tempfail_tryclear is true, or if there is an outright rejection of
+  STARTTLS, we carry on. This means we will try to send the message in clear,
+  unless the host is in hosts_require_tls (tested below). */
+
+  if (!smtp_read_response(sx, buffer2, sizeof(buffer2), '2', ob->command_timeout))
+    {
+    if (  errno != 0
+       || buffer2[0] == 0
+       || (buffer2[0] == '4' && !ob->tls_tempfail_tryclear)
+       )
+      {
+      Ustrncpy(sx->buffer, buffer2, sizeof(sx->buffer));
+      sx->buffer[sizeof(sx->buffer)-1] = '\0';
+      goto RESPONSE_FAILED;
+      }
+    }
+
+  /* STARTTLS accepted: try to negotiate a TLS session. */
+
+  else
+  TLS_NEGOTIATE:
+    {
+    sx->conn_args.sending_ip_address = sending_ip_address;
+    if (!tls_client_start(&sx->cctx, &sx->conn_args, sx->addrlist, &tls_out, &tls_errstr))
+      {
+      /* TLS negotiation failed; give an error. From outside, this function may
+      be called again to try in clear on a new connection, if the options permit
+      it for this host. */
+  TLS_CONN_FAILED:
+      DEBUG(D_tls) debug_printf("TLS session fail: %s\n", tls_errstr);
+
+# ifdef SUPPORT_DANE
+      if (sx->conn_args.dane)
+        {
+	log_write(0, LOG_MAIN,
+	  "DANE attempt failed; TLS connection to %s [%s]: %s",
+	  sx->conn_args.host->name, sx->conn_args.host->address, tls_errstr);
+#  ifndef DISABLE_EVENT
+	(void) event_raise(sx->conn_args.tblock->event_action,
+	  US"dane:fail", US"validation-failure", NULL);	/* could do with better detail */
+#  endif
+	}
+# endif
+
+      errno = ERRNO_TLSFAILURE;
+      message = string_sprintf("TLS session: %s", tls_errstr);
+      sx->send_quit = FALSE;
+      goto TLS_FAILED;
+      }
+    sx->send_tlsclose = TRUE;
+
+    /* TLS session is set up.  Check the inblock fill level.  If there is
+    content then as we have not yet done a tls read it must have arrived before
+    the TLS handshake, in-clear.  That violates the sync requirement of the
+    STARTTLS RFC, so fail. */
+
+    if (sx->inblock.ptr != sx->inblock.ptrend)
+      {
+      DEBUG(D_tls)
+	{
+	int i = sx->inblock.ptrend - sx->inblock.ptr;
+	debug_printf("unused data in input buffer after ack for STARTTLS:\n"
+	  "'%.*s'%s\n",
+	  i > 100 ? 100 : i, sx->inblock.ptr, i > 100 ? "..." : "");
+	}
+      tls_errstr = US"synch error before connect";
+      goto TLS_CONN_FAILED;
+      }
+
+    smtp_peer_options_wrap = smtp_peer_options;
+    for (address_item * addr = sx->addrlist; addr; addr = addr->next)
+      if (addr->transport_return == PENDING_DEFER)
+        {
+        addr->cipher = tls_out.cipher;
+        addr->ourcert = tls_out.ourcert;
+        addr->peercert = tls_out.peercert;
+        addr->peerdn = tls_out.peerdn;
+	addr->ocsp = tls_out.ocsp;
+        addr->tlsver = tls_out.ver;
+        }
+    }
+  }
+
+/* if smtps, we'll have smtp_command set to something else; always safe to
+reset it here. */
+smtp_command = big_buffer;
+
+/* If we started TLS, redo the EHLO/LHLO exchange over the secure channel. If
+helo_data is null, we are dealing with a connection that was passed from
+another process, and so we won't have expanded helo_data above. We have to
+expand it here. $sending_ip_address and $sending_port are set up right at the
+start of the Exim process (in exim.c). */
+
+if (tls_out.active.sock >= 0)
+  {
+  uschar * greeting_cmd;
+
+  if (!sx->helo_data && !(sx->helo_data = expand_string(ob->helo_data)))
+    {
+    uschar *message = string_sprintf("failed to expand helo_data: %s",
+      expand_string_message);
+    set_errno_nohost(sx->addrlist, ERRNO_EXPANDFAIL, message, DEFER, FALSE, &sx->delivery_start);
+    yield = DEFER;
+    goto SEND_QUIT;
+    }
+
+#ifndef DISABLE_PIPE_CONNECT
+  /* For SMTPS there is no cleartext early-pipe; use the crypted permission bit.
+  We're unlikely to get the group sent and delivered before the server sends its
+  banner, but it's still worth sending as a group.
+  For STARTTLS allow for cleartext early-pipe but no crypted early-pipe, but not
+  the reverse.  */
+
+  if (sx->smtps ? sx->early_pipe_ok : sx->early_pipe_active)
+    {
+    sx->peer_offered = sx->ehlo_resp.crypted_features;
+    if ((sx->early_pipe_active =
+	 !!(sx->ehlo_resp.crypted_features & OPTION_EARLY_PIPE)))
+      DEBUG(D_transport) debug_printf("Using cached crypted PIPECONNECT\n");
+    }
+#endif
+#ifdef EXPERIMMENTAL_ESMTP_LIMITS
+  /* As we are about to send another EHLO, forget any LIMITS received so far. */
+  sx->peer_limit_mail = sx->peer_limit_rcpt = sx->peer_limit_rcptdom = 0;
+  if ((sx->max_mail = sx->conn_args.tblock->connection_max_message) == 0) sx->max_mail = 999999;
+  if ((sx->max_rcpt = sx->conn_args.tblock->max_addresses) == 0)          sx->max_rcpt = 999999;
+  sx->single_rcpt_domain = FALSE;
+#endif
+
+  /* For SMTPS we need to wait for the initial OK response. */
+  if (sx->smtps)
+#ifndef DISABLE_PIPE_CONNECT
+    if (sx->early_pipe_active)
+      {
+      sx->pending_BANNER = TRUE;
+      sx->outblock.cmd_count = 1;
+      }
+    else
+#endif
+      if (!smtp_reap_banner(sx))
+	goto RESPONSE_FAILED;
+
+  if (sx->lmtp)
+    greeting_cmd = US"LHLO";
+  else if (sx->esmtp)
+    greeting_cmd = US"EHLO";
+  else
+    {
+    greeting_cmd = US"HELO";
+    DEBUG(D_transport)
+      debug_printf("not sending EHLO (host matches hosts_avoid_esmtp)\n");
+    }
+
+  if (smtp_write_command(sx,
+#ifndef DISABLE_PIPE_CONNECT
+	sx->early_pipe_active ? SCMD_BUFFER :
+#endif
+	  SCMD_FLUSH,
+	"%s %s\r\n", greeting_cmd, sx->helo_data) < 0)
+    goto SEND_FAILED;
+
+#ifndef DISABLE_PIPE_CONNECT
+  if (sx->early_pipe_active)
+    sx->pending_EHLO = TRUE;
+  else
+#endif
+    {
+    if (!smtp_reap_ehlo(sx))
+#ifdef USE_GNUTLS
+      {
+      /* The GnuTLS layer in Exim only spots a server-rejection of a client
+      cert late, under TLS1.3 - which means here; the first time we try to
+      receive crypted data.  Treat it as if it was a connect-time failure.
+      See also the early-pipe equivalent... which will be hard; every call
+      to sync_responses will need to check the result.
+      It would be nicer to have GnuTLS check the cert during the handshake.
+      Can it do that, with all the flexibility we need? */
+
+      tls_errstr = US"error on first read";
+      goto TLS_CONN_FAILED;
+      }
+#else
+      goto RESPONSE_FAILED;
+#endif
+    smtp_peer_options = 0;
+    }
+  }
+
+/* If the host is required to use a secure channel, ensure that we
+have one. */
+
+else if (  sx->smtps
+# ifdef SUPPORT_DANE
+	|| sx->conn_args.dane
+# endif
+	|| verify_check_given_host(CUSS &ob->hosts_require_tls, sx->conn_args.host) == OK
+	)
+  {
+  errno = ERRNO_TLSREQUIRED;
+  message = string_sprintf("a TLS session is required, but %s",
+    smtp_peer_options & OPTION_TLS
+    ? "an attempt to start TLS failed" : "the server did not offer TLS support");
+# if defined(SUPPORT_DANE) && !defined(DISABLE_EVENT)
+  if (sx->conn_args.dane)
+    (void) event_raise(sx->conn_args.tblock->event_action, US"dane:fail",
+      smtp_peer_options & OPTION_TLS
+      ? US"validation-failure"		/* could do with better detail */
+      : US"starttls-not-supported",
+      NULL);
+# endif
+  goto TLS_FAILED;
+  }
+#endif	/*DISABLE_TLS*/
+
+/* If TLS is active, we have just started it up and re-done the EHLO command,
+so its response needs to be analyzed. If TLS is not active and this is a
+continued session down a previously-used socket, we haven't just done EHLO, so
+we skip this. */
+
+if (   !continue_hostname
+#ifndef DISABLE_TLS
+    || tls_out.active.sock >= 0
+#endif
+    )
+  {
+  if (sx->esmtp || sx->lmtp)
+    {
+#ifndef DISABLE_PIPE_CONNECT
+  if (!sx->early_pipe_active)
+#endif
+    {
+    sx->peer_offered = ehlo_response(sx->buffer,
+	0 /* no TLS */
+#ifndef DISABLE_PIPE_CONNECT
+	| (sx->lmtp && ob->lmtp_ignore_quota ? OPTION_IGNQ : 0)
+	| OPTION_DSN | OPTION_PIPE | OPTION_SIZE
+	| OPTION_CHUNKING | OPTION_PRDR | OPTION_UTF8
+	| (tls_out.active.sock >= 0 ? OPTION_EARLY_PIPE : 0) /* not for lmtp */
+
+#else
+
+	| (sx->lmtp && ob->lmtp_ignore_quota ? OPTION_IGNQ : 0)
+	| OPTION_CHUNKING
+	| OPTION_PRDR
+# ifdef SUPPORT_I18N
+	| (sx->addrlist->prop.utf8_msg ? OPTION_UTF8 : 0)
+	  /*XXX if we hand peercaps on to continued-conn processes,
+		must not depend on this addr */
+# endif
+	| OPTION_DSN
+	| OPTION_PIPE
+	| (ob->size_addition >= 0 ? OPTION_SIZE : 0)
+#endif
+      );
+#ifndef DISABLE_PIPE_CONNECT
+    if (tls_out.active.sock >= 0)
+      sx->ehlo_resp.crypted_features = sx->peer_offered;
+#endif
+
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+    if (tls_out.active.sock >= 0 || !(sx->peer_offered & OPTION_TLS))
+      {
+      ehlo_response_limits_read(sx);
+      ehlo_response_limits_apply(sx);
+      }
+#endif
+    }
+
+    /* Set for IGNOREQUOTA if the response to LHLO specifies support and the
+    lmtp_ignore_quota option was set. */
+
+    sx->igquotstr = sx->peer_offered & OPTION_IGNQ ? US" IGNOREQUOTA" : US"";
+
+    /* If the response to EHLO specified support for the SIZE parameter, note
+    this, provided size_addition is non-negative. */
+
+    smtp_peer_options |= sx->peer_offered & OPTION_SIZE;
+
+    /* Note whether the server supports PIPELINING. If hosts_avoid_esmtp matched
+    the current host, esmtp will be false, so PIPELINING can never be used. If
+    the current host matches hosts_avoid_pipelining, don't do it. */
+
+    if (  sx->peer_offered & OPTION_PIPE
+       && verify_check_given_host(CUSS &ob->hosts_avoid_pipelining, sx->conn_args.host) != OK)
+      smtp_peer_options |= OPTION_PIPE;
+
+    DEBUG(D_transport) debug_printf("%susing PIPELINING\n",
+      smtp_peer_options & OPTION_PIPE ? "" : "not ");
+
+    if (  sx->peer_offered & OPTION_CHUNKING
+       && verify_check_given_host(CUSS &ob->hosts_try_chunking, sx->conn_args.host) == OK)
+      smtp_peer_options |= OPTION_CHUNKING;
+
+    if (smtp_peer_options & OPTION_CHUNKING)
+      DEBUG(D_transport) debug_printf("CHUNKING usable\n");
+
+#ifndef DISABLE_PRDR
+    if (  sx->peer_offered & OPTION_PRDR
+       && verify_check_given_host(CUSS &ob->hosts_try_prdr, sx->conn_args.host) == OK)
+      smtp_peer_options |= OPTION_PRDR;
+
+    if (smtp_peer_options & OPTION_PRDR)
+      DEBUG(D_transport) debug_printf("PRDR usable\n");
+#endif
+
+    /* Note if the server supports DSN */
+    smtp_peer_options |= sx->peer_offered & OPTION_DSN;
+    DEBUG(D_transport) debug_printf("%susing DSN\n",
+			sx->peer_offered & OPTION_DSN ? "" : "not ");
+
+#ifndef DISABLE_PIPE_CONNECT
+    if (  sx->early_pipe_ok
+       && !sx->early_pipe_active
+       && tls_out.active.sock >= 0
+       && smtp_peer_options & OPTION_PIPE
+       && ( sx->ehlo_resp.cleartext_features | sx->ehlo_resp.crypted_features)
+	  & OPTION_EARLY_PIPE)
+      {
+      DEBUG(D_transport) debug_printf("PIPECONNECT usable in future for this IP\n");
+      sx->ehlo_resp.crypted_auths = study_ehlo_auths(sx);
+      write_ehlo_cache_entry(sx);
+      }
+#endif
+
+    /* Note if the response to EHLO specifies support for the AUTH extension.
+    If it has, check that this host is one we want to authenticate to, and do
+    the business. The host name and address must be available when the
+    authenticator's client driver is running. */
+
+    switch (yield = smtp_auth(sx))
+      {
+      default:		goto SEND_QUIT;
+      case OK:		break;
+      case FAIL_SEND:	goto SEND_FAILED;
+      case FAIL:	goto RESPONSE_FAILED;
+      }
+    }
+  }
+sx->pipelining_used = pipelining_active = !!(smtp_peer_options & OPTION_PIPE);
+
+/* The setting up of the SMTP call is now complete. Any subsequent errors are
+message-specific. */
+
+sx->setting_up = FALSE;
+
+#ifdef SUPPORT_I18N
+if (sx->addrlist->prop.utf8_msg)
+  {
+  uschar * s;
+
+  /* If the transport sets a downconversion mode it overrides any set by ACL
+  for the message. */
+
+  if ((s = ob->utf8_downconvert))
+    {
+    if (!(s = expand_string(s)))
+      {
+      message = string_sprintf("failed to expand utf8_downconvert: %s",
+        expand_string_message);
+      set_errno_nohost(sx->addrlist, ERRNO_EXPANDFAIL, message, DEFER, FALSE, &sx->delivery_start);
+      yield = DEFER;
+      goto SEND_QUIT;
+      }
+    switch (*s)
+      {
+      case '1':	sx->addrlist->prop.utf8_downcvt = TRUE;
+		sx->addrlist->prop.utf8_downcvt_maybe = FALSE;
+		break;
+      case '0':	sx->addrlist->prop.utf8_downcvt = FALSE;
+		sx->addrlist->prop.utf8_downcvt_maybe = FALSE;
+		break;
+      case '-':	if (s[1] == '1')
+		  {
+		  sx->addrlist->prop.utf8_downcvt = FALSE;
+		  sx->addrlist->prop.utf8_downcvt_maybe = TRUE;
+		  }
+		break;
+      }
+    }
+
+  sx->utf8_needed = !sx->addrlist->prop.utf8_downcvt
+		    && !sx->addrlist->prop.utf8_downcvt_maybe;
+  DEBUG(D_transport) if (!sx->utf8_needed)
+    debug_printf("utf8: %s downconvert\n",
+      sx->addrlist->prop.utf8_downcvt ? "mandatory" : "optional");
+  }
+
+/* If this is an international message we need the host to speak SMTPUTF8 */
+if (sx->utf8_needed && !(sx->peer_offered & OPTION_UTF8))
+  {
+  errno = ERRNO_UTF8_FWD;
+  goto RESPONSE_FAILED;
+  }
+#endif	/*SUPPORT_I18N*/
+
+return OK;
+
+
+  {
+  int code;
+
+  RESPONSE_FAILED:
+    if (errno == ECONNREFUSED)	/* first-read error on a TFO conn */
+      {
+      /* There is a testing facility for simulating a connection timeout, as I
+      can't think of any other way of doing this. It converts a connection
+      refused into a timeout if the timeout is set to 999999.  This is done for
+      a 3whs connection in ip_connect(), but a TFO connection does not error
+      there - instead it gets ECONNREFUSED on the first data read.  Tracking
+      that a TFO really was done is too hard, or we would set a
+      sx->pending_conn_done bit and test that in smtp_reap_banner() and
+      smtp_reap_ehlo().  That would let us also add the conn-timeout to the
+      cmd-timeout. */
+
+      if (f.running_in_test_harness && ob->connect_timeout == 999999)
+	errno = ETIMEDOUT;
+      set_errno_nohost(sx->addrlist,
+	errno == ETIMEDOUT ? ERRNO_CONNECTTIMEOUT : errno,
+	sx->verify ? US strerror(errno) : NULL,
+	DEFER, FALSE, &sx->delivery_start);
+      sx->send_quit = FALSE;
+      return DEFER;
+      }
+
+    /* really an error on an SMTP read */
+    message = NULL;
+    sx->send_quit = check_response(sx->conn_args.host, &errno, sx->addrlist->more_errno,
+      sx->buffer, &code, &message, &pass_message);
+    yield = DEFER;
+    goto FAILED;
+
+  SEND_FAILED:
+    code = '4';
+    message = US string_sprintf("smtp send to %s [%s] failed: %s",
+      sx->conn_args.host->name, sx->conn_args.host->address, strerror(errno));
+    sx->send_quit = FALSE;
+    yield = DEFER;
+    goto FAILED;
+
+  EHLOHELO_FAILED:
+    code = '4';
+    message = string_sprintf("Remote host closed connection in response to %s"
+      " (EHLO response was: %s)", smtp_command, sx->buffer);
+    sx->send_quit = FALSE;
+    yield = DEFER;
+    goto FAILED;
+
+  /* This label is jumped to directly when a TLS negotiation has failed,
+  or was not done for a host for which it is required. Values will be set
+  in message and errno, and setting_up will always be true. Treat as
+  a temporary error. */
+
+#ifndef DISABLE_TLS
+  TLS_FAILED:
+    code = '4', yield = DEFER;
+    goto FAILED;
+#endif
+
+  /* The failure happened while setting up the call; see if the failure was
+  a 5xx response (this will either be on connection, or following HELO - a 5xx
+  after EHLO causes it to try HELO). If so, and there are no more hosts to try,
+  fail all addresses, as this host is never going to accept them. For other
+  errors during setting up (timeouts or whatever), defer all addresses, and
+  yield DEFER, so that the host is not tried again for a while.
+
+  XXX This peeking for another host feels like a layering violation. We want
+  to note the host as unusable, but down here we shouldn't know if this was
+  the last host to try for the addr(list).  Perhaps the upper layer should be
+  the one to do set_errno() ?  The problem is that currently the addr is where
+  errno etc. are stashed, but until we run out of hosts to try the errors are
+  host-specific.  Maybe we should enhance the host_item definition? */
+
+FAILED:
+  sx->ok = FALSE;                /* For when reached by GOTO */
+  set_errno(sx->addrlist, errno, message,
+	    sx->conn_args.host->next
+	    ? DEFER
+	    : code == '5'
+#ifdef SUPPORT_I18N
+			|| errno == ERRNO_UTF8_FWD
+#endif
+	    ? FAIL : DEFER,
+	    pass_message,
+	    errno == ECONNREFUSED ? NULL : sx->conn_args.host,
+#ifdef EXPERIMENTAL_DSN_INFO
+	    sx->smtp_greeting, sx->helo_response,
+#endif
+	    &sx->delivery_start);
+  }
+
+
+SEND_QUIT:
+
+if (sx->send_quit)
+  (void)smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n");
+
+#ifndef DISABLE_TLS
+if (sx->cctx.tls_ctx)
+  {
+  if (sx->send_tlsclose)
+    {
+    tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
+    sx->send_tlsclose = FALSE;
+    }
+  sx->cctx.tls_ctx = NULL;
+  }
+#endif
+
+/* Close the socket, and return the appropriate value, first setting
+works because the NULL setting is passed back to the calling process, and
+remote_max_parallel is forced to 1 when delivering over an existing connection,
+*/
+
+HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP(close)>>\n");
+if (sx->send_quit)
+  {
+  shutdown(sx->cctx.sock, SHUT_WR);
+  if (fcntl(sx->cctx.sock, F_SETFL, O_NONBLOCK) == 0)
+    for (int i = 16; read(sx->cctx.sock, sx->inbuffer, sizeof(sx->inbuffer)) > 0 && i > 0;)
+      i--;				/* drain socket */
+  sx->send_quit = FALSE;
+  }
+(void)close(sx->cctx.sock);
+sx->cctx.sock = -1;
+
+#ifndef DISABLE_EVENT
+(void) event_raise(sx->conn_args.tblock->event_action, US"tcp:close", NULL, NULL);
+#endif
+
+smtp_debug_cmd_report();
+continue_transport = NULL;
+continue_hostname = NULL;
+return yield;
+}
+
+
+
+
+/* Create the string of options that will be appended to the MAIL FROM:
+in the connection context buffer */
+
+static int
+build_mailcmd_options(smtp_context * sx, address_item * addrlist)
+{
+uschar * p = sx->buffer;
+address_item * addr;
+int address_count;
+
+*p = 0;
+
+/* If we know the receiving MTA supports the SIZE qualification, and we know it,
+send it, adding something to the message size to allow for imprecision
+and things that get added en route. Exim keeps the number of lines
+in a message, so we can give an accurate value for the original message, but we
+need some additional to handle added headers. (Double "." characters don't get
+included in the count.) */
+
+if (  message_size > 0
+   && sx->peer_offered & OPTION_SIZE && !(sx->avoid_option & OPTION_SIZE))
+  {
+/*XXX problem here under spool_files_wireformat?
+Or just forget about lines?  Or inflate by a fixed proportion? */
+
+  sprintf(CS p, " SIZE=%d", message_size+message_linecount+(SOB sx->conn_args.ob)->size_addition);
+  while (*p) p++;
+  }
+
+#ifndef DISABLE_PRDR
+/* If it supports Per-Recipient Data Responses, and we have more than one recipient,
+request that */
+
+sx->prdr_active = FALSE;
+if (smtp_peer_options & OPTION_PRDR)
+  for (address_item * addr = addrlist; addr; addr = addr->next)
+    if (addr->transport_return == PENDING_DEFER)
+      {
+      for (addr = addr->next; addr; addr = addr->next)
+        if (addr->transport_return == PENDING_DEFER)
+	  {			/* at least two recipients to send */
+	  sx->prdr_active = TRUE;
+	  sprintf(CS p, " PRDR"); p += 5;
+	  break;
+	  }
+      break;
+      }
+#endif
+
+#ifdef SUPPORT_I18N
+/* If it supports internationalised messages, and this meesage need that,
+request it */
+
+if (  sx->peer_offered & OPTION_UTF8
+   && addrlist->prop.utf8_msg
+   && !addrlist->prop.utf8_downcvt
+   )
+  Ustrcpy(p, US" SMTPUTF8"), p += 9;
+#endif
+
+/* check if all addresses have DSN-lasthop flag; do not send RET and ENVID if so */
+for (sx->dsn_all_lasthop = TRUE, addr = addrlist, address_count = 0;
+     addr && address_count < sx->max_rcpt;	/*XXX maybe also || sx->single_rcpt_domain ? */
+     addr = addr->next) if (addr->transport_return == PENDING_DEFER)
+  {
+  address_count++;
+  if (!(addr->dsn_flags & rf_dsnlasthop))
+    {
+    sx->dsn_all_lasthop = FALSE;
+    break;
+    }
+  }
+
+/* Add any DSN flags to the mail command */
+
+if (sx->peer_offered & OPTION_DSN && !sx->dsn_all_lasthop)
+  {
+  if (dsn_ret == dsn_ret_hdrs)
+    { Ustrcpy(p, US" RET=HDRS"); p += 9; }
+  else if (dsn_ret == dsn_ret_full)
+    { Ustrcpy(p, US" RET=FULL"); p += 9; }
+
+  if (dsn_envid)
+    {
+    string_format(p, sizeof(sx->buffer) - (p-sx->buffer), " ENVID=%s", dsn_envid);
+    while (*p) p++;
+    }
+  }
+
+/* If an authenticated_sender override has been specified for this transport
+instance, expand it. If the expansion is forced to fail, and there was already
+an authenticated_sender for this message, the original value will be used.
+Other expansion failures are serious. An empty result is ignored, but there is
+otherwise no check - this feature is expected to be used with LMTP and other
+cases where non-standard addresses (e.g. without domains) might be required. */
+
+return smtp_mail_auth_str(sx, p, addrlist) ? ERROR : OK;
+}
+
+
+static void
+build_rcptcmd_options(smtp_context * sx, const address_item * addr)
+{
+uschar * p = sx->buffer;
+*p = 0;
+
+/* Add any DSN flags to the rcpt command */
+
+if (sx->peer_offered & OPTION_DSN && !(addr->dsn_flags & rf_dsnlasthop))
+  {
+  if (addr->dsn_flags & rf_dsnflags)
+    {
+    BOOL first = TRUE;
+
+    Ustrcpy(p, US" NOTIFY=");
+    while (*p) p++;
+    for (int i = 0; i < nelem(rf_list); i++) if (addr->dsn_flags & rf_list[i])
+      {
+      if (!first) *p++ = ',';
+      first = FALSE;
+      Ustrcpy(p, rf_names[i]);
+      while (*p) p++;
+      }
+    }
+
+  if (addr->dsn_orcpt)
+    {
+    string_format(p, sizeof(sx->buffer) - (p-sx->buffer), " ORCPT=%s",
+      addr->dsn_orcpt);
+    while (*p) p++;
+    }
+  }
+}
+
+
+
+/*
+Return:
+ 0	good, rcpt results in addr->transport_return (PENDING_OK, DEFER, FAIL)
+ -1	MAIL response error
+ -2	any non-MAIL read i/o error
+ -3	non-MAIL response timeout
+ -4	internal error; channel still usable
+ -5	transmit failed
+ */
+
+int
+smtp_write_mail_and_rcpt_cmds(smtp_context * sx, int * yield)
+{
+address_item * addr;
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+address_item * restart_addr = NULL;
+#endif
+int address_count, pipe_limit;
+int rc;
+
+if (build_mailcmd_options(sx, sx->first_addr) != OK)
+  {
+  *yield = ERROR;
+  return -4;
+  }
+
+/* From here until we send the DATA command, we can make use of PIPELINING
+if the server host supports it. The code has to be able to check the responses
+at any point, for when the buffer fills up, so we write it totally generally.
+When PIPELINING is off, each command written reports that it has flushed the
+buffer. */
+
+sx->pending_MAIL = TRUE;     /* The block starts with MAIL */
+
+  {
+  uschar * s = sx->from_addr;
+#ifdef SUPPORT_I18N
+  uschar * errstr = NULL;
+
+  /* If we must downconvert, do the from-address here.  Remember we had to
+  for the to-addresses (done below), and also (ugly) for re-doing when building
+  the delivery log line. */
+
+  if (  sx->addrlist->prop.utf8_msg
+     && (sx->addrlist->prop.utf8_downcvt || !(sx->peer_offered & OPTION_UTF8))
+     )
+    {
+    if (s = string_address_utf8_to_alabel(s, &errstr), errstr)
+      {
+      set_errno_nohost(sx->addrlist, ERRNO_EXPANDFAIL, errstr, DEFER, FALSE, &sx->delivery_start);
+      *yield = ERROR;
+      return -4;
+      }
+    setflag(sx->addrlist, af_utf8_downcvt);
+    }
+#endif
+
+  rc = smtp_write_command(sx, pipelining_active ? SCMD_BUFFER : SCMD_FLUSH,
+	  "MAIL FROM:<%s>%s\r\n", s, sx->buffer);
+  }
+
+mail_command = string_copy(big_buffer);  /* Save for later error message */
+
+switch(rc)
+  {
+  case -1:                /* Transmission error */
+    return -5;
+
+  case +1:                /* Cmd was sent */
+    if (!smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2',
+       (SOB sx->conn_args.ob)->command_timeout))
+      {
+      if (errno == 0 && sx->buffer[0] == '4')
+	{
+	errno = ERRNO_MAIL4XX;
+	sx->addrlist->more_errno |= ((sx->buffer[1] - '0')*10 + sx->buffer[2] - '0') << 8;
+	}
+      return -1;
+      }
+    sx->pending_MAIL = FALSE;
+    break;
+
+  /* otherwise zero: command queued for pipeline */
+  }
+
+/* Pass over all the relevant recipient addresses for this host, which are the
+ones that have status PENDING_DEFER. If we are using PIPELINING, we can send
+several before we have to read the responses for those seen so far. This
+checking is done by a subroutine because it also needs to be done at the end.
+Send only up to max_rcpt addresses at a time, leaving next_addr pointing to
+the next one if not all are sent.
+
+In the MUA wrapper situation, we want to flush the PIPELINING buffer for the
+last address because we want to abort if any recipients have any kind of
+problem, temporary or permanent. We know that all recipient addresses will have
+the PENDING_DEFER status, because only one attempt is ever made, and we know
+that max_rcpt will be large, so all addresses will be done at once.
+
+For verify we flush the pipeline after any (the only) rcpt address. */
+
+for (addr = sx->first_addr, address_count = 0, pipe_limit = 100;
+     addr &&  address_count < sx->max_rcpt;
+     addr = addr->next) if (addr->transport_return == PENDING_DEFER)
+  {
+  int cmds_sent;
+  BOOL no_flush;
+  uschar * rcpt_addr;
+
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+  if (  sx->single_rcpt_domain					/* restriction on domains */
+     && address_count > 0					/* not first being sent */
+     && Ustrcmp(addr->domain, sx->first_addr->domain) != 0	/* dom diff from first */
+     )
+    {
+    DEBUG(D_transport) debug_printf("skipping different domain %s\n", addr->domain);
+
+    /* Ensure the smtp-response reaper does not think the address had a RCPT
+    command sent for it.  Reset to PENDING_DEFER in smtp_deliver(), where we
+    goto SEND_MESSAGE.  */
+
+    addr->transport_return = SKIP;
+    if (!restart_addr) restart_addr = addr;	/* note restart point */
+    continue;					/* skip this one */
+    }
+#endif
+
+  addr->dsn_aware = sx->peer_offered & OPTION_DSN
+    ? dsn_support_yes : dsn_support_no;
+
+  address_count++;
+  if (pipe_limit-- <= 0)
+    { no_flush = FALSE; pipe_limit = 100; }
+  else
+    no_flush = pipelining_active && !sx->verify
+	  && (!mua_wrapper || addr->next && address_count < sx->max_rcpt);
+
+  build_rcptcmd_options(sx, addr);
+
+  /* Now send the RCPT command, and process outstanding responses when
+  necessary. After a timeout on RCPT, we just end the function, leaving the
+  yield as OK, because this error can often mean that there is a problem with
+  just one address, so we don't want to delay the host. */
+
+  rcpt_addr = transport_rcpt_address(addr, sx->conn_args.tblock->rcpt_include_affixes);
+
+#ifdef SUPPORT_I18N
+  if (  testflag(sx->addrlist, af_utf8_downcvt)
+     && !(rcpt_addr = string_address_utf8_to_alabel(rcpt_addr, NULL))
+     )
+    {
+    /*XXX could we use a per-address errstr here? Not fail the whole send? */
+    errno = ERRNO_EXPANDFAIL;
+    return -5;		/*XXX too harsh? */
+    }
+#endif
+
+  cmds_sent = smtp_write_command(sx, no_flush ? SCMD_BUFFER : SCMD_FLUSH,
+    "RCPT TO:<%s>%s%s\r\n", rcpt_addr, sx->igquotstr, sx->buffer);
+
+  if (cmds_sent < 0) return -5;
+  if (cmds_sent > 0)
+    {
+    switch(sync_responses(sx, cmds_sent, 0))
+      {
+      case 3: sx->ok = TRUE;			/* 2xx & 5xx => OK & progress made */
+      case 2: sx->completed_addr = TRUE;	/* 5xx (only) => progress made */
+	      break;
+
+      case 1: sx->ok = TRUE;			/* 2xx (only) => OK, but if LMTP, */
+	      if (!sx->lmtp)			/*  can't tell about progress yet */
+		sx->completed_addr = TRUE;
+      case 0:					/* No 2xx or 5xx, but no probs */
+	      /* If any RCPT got a 452 response then next_addr has been updated
+	      for restarting with a new MAIL on the same connection.  Send no more
+	      RCPTs for this MAIL. */
+
+	      if (sx->RCPT_452)
+		{
+		DEBUG(D_transport) debug_printf("seen 452 too-many-rcpts\n");
+		sx->RCPT_452 = FALSE;
+		/* sx->next_addr has been reset for fast_retry */
+		return 0;
+		}
+	      break;
+
+      case -1: return -3;			/* Timeout on RCPT */
+      case -2: return -2;			/* non-MAIL read i/o error */
+      default: return -1;			/* any MAIL error */
+
+#ifndef DISABLE_PIPE_CONNECT
+      case -4: return -1;			/* non-2xx for pipelined banner or EHLO */
+      case -5: return -1;			/* TLS first-read error */
+#endif
+      }
+    }
+  }      /* Loop for next address */
+
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+sx->next_addr = restart_addr ? restart_addr : addr;
+#else
+sx->next_addr = addr;
+#endif
+return 0;
+}
+
+
+#ifndef DISABLE_TLS
+/*****************************************************
+* Proxy TLS connection for another transport process *
+******************************************************/
+/*
+Close the unused end of the pipe, fork once more, then use the given buffer
+as a staging area, and select on both the given fd and the TLS'd client-fd for
+data to read (per the coding in ip_recv() and fd_ready() this is legitimate).
+Do blocking full-size writes, and reads under a timeout.  Once both input
+channels are closed, exit the process.
+
+Arguments:
+  ct_ctx	tls context
+  buf		space to use for buffering
+  bufsiz	size of buffer
+  pfd		pipe filedescriptor array; [0] is comms to proxied process
+  timeout	per-read timeout, seconds
+  host		hostname of remote
+
+Does not return.
+*/
+
+void
+smtp_proxy_tls(void * ct_ctx, uschar * buf, size_t bsize, int * pfd,
+  int timeout, const uschar * host)
+{
+struct pollfd p[2] = {{.fd = tls_out.active.sock, .events = POLLIN},
+		      {.fd = pfd[0], .events = POLLIN}};
+int rc, i;
+BOOL send_tls_shutdown = TRUE;
+
+close(pfd[1]);
+if ((rc = exim_fork(US"tls-proxy")))
+  _exit(rc < 0 ? EXIT_FAILURE : EXIT_SUCCESS);
+
+set_process_info("proxying TLS connection for continued transport to %s\n", host);
+
+do
+  {
+  time_t time_left = timeout;
+  time_t time_start = time(NULL);
+
+  /* wait for data */
+  do
+    {
+    rc = poll(p, 2, time_left * 1000);
+
+    if (rc < 0 && errno == EINTR)
+      if ((time_left -= time(NULL) - time_start) > 0) continue;
+
+    if (rc <= 0)
+      {
+      DEBUG(D_transport) if (rc == 0) debug_printf("%s: timed out\n", __FUNCTION__);
+      goto done;
+      }
+
+    /* For errors where not readable, bomb out */
+
+    if (p[0].revents & POLLERR || p[1].revents & POLLERR)
+      {
+      DEBUG(D_transport) debug_printf("select: exceptional cond on %s fd\n",
+	p[0].revents & POLLERR ? "tls" : "proxy");
+      if (!(p[0].revents & POLLIN || p[1].events & POLLIN))
+	goto done;
+      DEBUG(D_transport) debug_printf("- but also readable; no exit yet\n");
+      }
+    }
+  while (rc < 0 || !(p[0].revents & POLLIN || p[1].revents & POLLIN));
+
+  /* handle inbound data */
+  if (p[0].revents & POLLIN)
+    if ((rc = tls_read(ct_ctx, buf, bsize)) <= 0)	/* Expect -1 for EOF; */
+    {				    /* that reaps the TLS Close Notify record */
+      p[0].fd = -1;
+      shutdown(pfd[0], SHUT_WR);
+      timeout = 5;
+      }
+    else
+      for (int nbytes = 0; rc - nbytes > 0; nbytes += i)
+	if ((i = write(pfd[0], buf + nbytes, rc - nbytes)) < 0) goto done;
+
+  /* Handle outbound data.  We cannot combine payload and the TLS-close
+  due to the limitations of the (pipe) channel feeding us.  Maybe use a unix-domain
+  socket? */
+  if (p[1].revents & POLLIN)
+    if ((rc = read(pfd[0], buf, bsize)) <= 0)
+      {
+      p[1].fd = -1;
+
+# ifdef EXIM_TCP_CORK  /* Use _CORK to get TLS Close Notify in FIN segment */
+      (void) setsockopt(tls_out.active.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &on, sizeof(on));
+# endif
+      tls_shutdown_wr(ct_ctx);
+      send_tls_shutdown = FALSE;
+      shutdown(tls_out.active.sock, SHUT_WR);
+      }
+    else
+      for (int nbytes = 0; rc - nbytes > 0; nbytes += i)
+	if ((i = tls_write(ct_ctx, buf + nbytes, rc - nbytes, FALSE)) < 0)
+	  goto done;
+  }
+while (p[0].fd >= 0 || p[1].fd >= 0);
+
+done:
+  if (send_tls_shutdown) tls_close(ct_ctx, TLS_SHUTDOWN_NOWAIT);
+  ct_ctx = NULL;
+  testharness_pause_ms(100);	/* let logging complete */
+  exim_exit(EXIT_SUCCESS);
+}
+#endif
+
+
+/*************************************************
+*       Deliver address list to given host       *
+*************************************************/
+
+/* If continue_hostname is not null, we get here only when continuing to
+deliver down an existing channel. The channel was passed as the standard
+input. TLS is never active on a passed channel; the previous process either
+closes it down before passing the connection on, or inserts a TLS-proxy
+process and passes on a cleartext conection.
+
+Otherwise, we have to make a connection to the remote host, and do the
+initial protocol exchange.
+
+When running as an MUA wrapper, if the sender or any recipient is rejected,
+temporarily or permanently, we force failure for all recipients.
+
+Arguments:
+  addrlist        chain of potential addresses to deliver; only those whose
+                  transport_return field is set to PENDING_DEFER are currently
+                  being processed; others should be skipped - they have either
+                  been delivered to an earlier host or IP address, or been
+                  failed by one of them.
+  host            host to deliver to
+  host_af         AF_INET or AF_INET6
+  defport         default TCP/IP port to use if host does not specify, in host
+		  byte order
+  interface       interface to bind to, or NULL
+  tblock          transport instance block
+  message_defer   set TRUE if yield is OK, but all addresses were deferred
+                    because of a non-recipient, non-host failure, that is, a
+                    4xx response to MAIL FROM, DATA, or ".". This is a defer
+                    that is specific to the message.
+  suppress_tls    if TRUE, don't attempt a TLS connection - this is set for
+                    a second attempt after TLS initialization fails
+
+Returns:          OK    - the connection was made and the delivery attempted;
+                          the result for each address is in its data block.
+                  DEFER - the connection could not be made, or something failed
+                          while setting up the SMTP session, or there was a
+                          non-message-specific error, such as a timeout.
+                  ERROR - a filter command is specified for this transport,
+                          and there was a problem setting it up; OR helo_data
+                          or add_headers or authenticated_sender is specified
+                          for this transport, and the string failed to expand
+
+		For all non-OK returns the first addr of the list carries the
+		time taken for the attempt.
+*/
+
+static int
+smtp_deliver(address_item *addrlist, host_item *host, int host_af, int defport,
+  uschar *interface, transport_instance *tblock,
+  BOOL *message_defer, BOOL suppress_tls)
+{
+smtp_transport_options_block * ob = SOB tblock->options_block;
+int yield = OK;
+int save_errno;
+int rc;
+
+uschar *message = NULL;
+uschar new_message_id[MESSAGE_ID_LENGTH + 1];
+smtp_context * sx = store_get(sizeof(*sx), GET_TAINTED);	/* tainted, for the data buffers */
+BOOL pass_message = FALSE;
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+BOOL mail_limit = FALSE;
+#endif
+#ifdef SUPPORT_DANE
+BOOL dane_held;
+#endif
+BOOL tcw_done = FALSE, tcw = FALSE;
+
+*message_defer = FALSE;
+
+memset(sx, 0, sizeof(*sx));
+sx->addrlist = addrlist;
+sx->conn_args.host = host;
+sx->conn_args.host_af = host_af;
+sx->port = defport;
+sx->conn_args.interface = interface;
+sx->helo_data = NULL;
+sx->conn_args.tblock = tblock;
+sx->conn_args.sock = -1;
+gettimeofday(&sx->delivery_start, NULL);
+sx->sync_addr = sx->first_addr = addrlist;
+
+REPEAT_CONN:
+#ifdef SUPPORT_DANE
+dane_held = FALSE;
+#endif
+
+/* Get the channel set up ready for a message, MAIL FROM being the next
+SMTP command to send. */
+
+if ((rc = smtp_setup_conn(sx, suppress_tls)) != OK)
+  {
+  timesince(&addrlist->delivery_time, &sx->delivery_start);
+  yield = rc;
+  goto TIDYUP;
+  }
+
+#ifdef SUPPORT_DANE
+/* If the connection used DANE, ignore for now any addresses with incompatible
+domains.  The SNI has to be the domain.  Arrange a whole new TCP conn later,
+just in case only TLS isn't enough. */
+
+if (sx->conn_args.dane)
+  {
+  const uschar * dane_domain = sx->first_addr->domain;
+
+  for (address_item * a = sx->first_addr->next; a; a = a->next)
+    if (  a->transport_return == PENDING_DEFER
+       && Ustrcmp(dane_domain, a->domain) != 0)
+      {
+      DEBUG(D_transport) debug_printf("DANE: holding %s for later\n", a->domain);
+      dane_held = TRUE;
+      a->transport_return = DANE;
+      }
+  }
+#endif
+
+/* If there is a filter command specified for this transport, we can now
+set it up. This cannot be done until the identity of the host is known. */
+
+if (tblock->filter_command)
+  {
+  transport_filter_timeout = tblock->filter_timeout;
+
+  /* On failure, copy the error to all addresses, abandon the SMTP call, and
+  yield ERROR. */
+
+  if (!transport_set_up_command(&transport_filter_argv,
+	tblock->filter_command, TRUE, DEFER, addrlist, FALSE,
+	string_sprintf("%.50s transport filter", tblock->name), NULL))
+    {
+    set_errno_nohost(addrlist->next, addrlist->basic_errno, addrlist->message, DEFER,
+      FALSE, &sx->delivery_start);
+    yield = ERROR;
+    goto SEND_QUIT;
+    }
+
+  if (  transport_filter_argv
+     && *transport_filter_argv
+     && **transport_filter_argv
+     && smtp_peer_options & OPTION_CHUNKING
+#ifndef DISABLE_DKIM
+    /* When dkim signing, chunking is handled even with a transport-filter */
+     && !(ob->dkim.dkim_private_key && ob->dkim.dkim_domain && ob->dkim.dkim_selector)
+     && !ob->dkim.force_bodyhash
+#endif
+     )
+    {
+    smtp_peer_options &= ~OPTION_CHUNKING;
+    DEBUG(D_transport) debug_printf("CHUNKING not usable due to transport filter\n");
+    }
+  }
+
+/* For messages that have more than the maximum number of envelope recipients,
+we want to send several transactions down the same SMTP connection. (See
+comments in deliver.c as to how this reconciles, heuristically, with
+remote_max_parallel.) This optimization was added to Exim after the following
+code was already working. The simplest way to put it in without disturbing the
+code was to use a goto to jump back to this point when there is another
+transaction to handle. */
+
+SEND_MESSAGE:
+sx->from_addr = return_path;
+sx->sync_addr = sx->first_addr;
+sx->ok = FALSE;
+sx->send_rset = TRUE;
+sx->completed_addr = FALSE;
+
+
+/* If we are a continued-connection-after-verify the MAIL and RCPT
+commands were already sent; do not re-send but do mark the addrs as
+having been accepted up to RCPT stage.  A traditional cont-conn
+always has a sequence number greater than one. */
+
+if (continue_hostname && continue_sequence == 1)
+  {
+  /* sx->pending_MAIL = FALSE; */
+  sx->ok = TRUE;
+  /* sx->next_addr = NULL; */
+
+  for (address_item * addr = addrlist; addr; addr = addr->next)
+    addr->transport_return = PENDING_OK;
+  }
+else
+  {
+  /* Initiate a message transfer. */
+
+  switch(smtp_write_mail_and_rcpt_cmds(sx, &yield))
+    {
+    case 0:		break;
+    case -1: case -2:	goto RESPONSE_FAILED;
+    case -3:		goto END_OFF;
+    case -4:		goto SEND_QUIT;
+    default:		goto SEND_FAILED;
+    }
+
+  /* If we are an MUA wrapper, abort if any RCPTs were rejected, either
+  permanently or temporarily. We should have flushed and synced after the last
+  RCPT. */
+
+  if (mua_wrapper)
+    {
+    address_item * a;
+    unsigned cnt;
+
+    for (a = sx->first_addr, cnt = 0; a && cnt < sx->max_rcpt; a = a->next, cnt++)
+      if (a->transport_return != PENDING_OK)
+	{
+	/*XXX could we find a better errno than 0 here? */
+	set_errno_nohost(addrlist, 0, a->message, FAIL,
+	  testflag(a, af_pass_message), &sx->delivery_start);
+	sx->ok = FALSE;
+	break;
+	}
+    }
+  }
+
+/* If ok is TRUE, we know we have got at least one good recipient, and must now
+send DATA, but if it is FALSE (in the normal, non-wrapper case), we may still
+have a good recipient buffered up if we are pipelining. We don't want to waste
+time sending DATA needlessly, so we only send it if either ok is TRUE or if we
+are pipelining. The responses are all handled by sync_responses().
+If using CHUNKING, do not send a BDAT until we know how big a chunk we want
+to send is. */
+
+if (  !(smtp_peer_options & OPTION_CHUNKING)
+   && (sx->ok || (pipelining_active && !mua_wrapper)))
+  {
+  int count = smtp_write_command(sx, SCMD_FLUSH, "DATA\r\n");
+
+  if (count < 0) goto SEND_FAILED;
+  switch(sync_responses(sx, count, sx->ok ? +1 : -1))
+    {
+    case 3: sx->ok = TRUE;            /* 2xx & 5xx => OK & progress made */
+    case 2: sx->completed_addr = TRUE;    /* 5xx (only) => progress made */
+    break;
+
+    case 1: sx->ok = TRUE;            /* 2xx (only) => OK, but if LMTP, */
+    if (!sx->lmtp) sx->completed_addr = TRUE; /* can't tell about progress yet */
+    case 0: break;			/* No 2xx or 5xx, but no probs */
+
+    case -1: goto END_OFF;		/* Timeout on RCPT */
+
+#ifndef DISABLE_PIPE_CONNECT
+    case -5:				/* TLS first-read error */
+    case -4:  HDEBUG(D_transport)
+		debug_printf("failed reaping pipelined cmd responses\n");
+#endif
+    default: goto RESPONSE_FAILED;       /* I/O error, or any MAIL/DATA error */
+    }
+  pipelining_active = FALSE;
+  data_command = string_copy(big_buffer);  /* Save for later error message */
+  }
+
+/* If there were no good recipients (but otherwise there have been no
+problems), just set ok TRUE, since we have handled address-specific errors
+already. Otherwise, it's OK to send the message. Use the check/escape mechanism
+for handling the SMTP dot-handling protocol, flagging to apply to headers as
+well as body. Set the appropriate timeout value to be used for each chunk.
+(Haven't been able to make it work using select() for writing yet.) */
+
+if (  !sx->ok
+   && (!(smtp_peer_options & OPTION_CHUNKING) || !pipelining_active))
+  {
+  /* Save the first address of the next batch. */
+  sx->first_addr = sx->next_addr;
+
+  sx->ok = TRUE;
+  }
+else
+  {
+  transport_ctx tctx = {
+    .u = {.fd = sx->cctx.sock},	/*XXX will this need TLS info? */
+    .tblock =	tblock,
+    .addr =	addrlist,
+    .check_string = US".",
+    .escape_string = US"..",	/* Escaping strings */
+    .options =
+      topt_use_crlf | topt_escape_headers
+    | (tblock->body_only	? topt_no_headers : 0)
+    | (tblock->headers_only	? topt_no_body : 0)
+    | (tblock->return_path_add	? topt_add_return_path : 0)
+    | (tblock->delivery_date_add ? topt_add_delivery_date : 0)
+    | (tblock->envelope_to_add	? topt_add_envelope_to : 0)
+  };
+
+  /* If using CHUNKING we need a callback from the generic transport
+  support to us, for the sending of BDAT smtp commands and the reaping
+  of responses.  The callback needs a whole bunch of state so set up
+  a transport-context structure to be passed around. */
+
+  if (smtp_peer_options & OPTION_CHUNKING)
+    {
+    tctx.check_string = tctx.escape_string = NULL;
+    tctx.options |= topt_use_bdat;
+    tctx.chunk_cb = smtp_chunk_cmd_callback;
+    sx->pending_BDAT = FALSE;
+    sx->good_RCPT = sx->ok;
+    sx->cmd_count = 0;
+    tctx.smtp_context = sx;
+    }
+  else
+    tctx.options |= topt_end_dot;
+
+  /* Save the first address of the next batch. */
+  sx->first_addr = sx->next_addr;
+
+  /* Responses from CHUNKING commands go in buffer.  Otherwise,
+  there has not been a response. */
+
+  sx->buffer[0] = 0;
+
+  sigalrm_seen = FALSE;
+  transport_write_timeout = ob->data_timeout;
+  smtp_command = US"sending data block";   /* For error messages */
+  DEBUG(D_transport|D_v)
+    if (smtp_peer_options & OPTION_CHUNKING)
+      debug_printf("         will write message using CHUNKING\n");
+    else
+      debug_printf("  SMTP>> (writing message)\n");
+  transport_count = 0;
+
+#ifndef DISABLE_DKIM
+  {
+# ifdef MEASURE_TIMING
+  struct timeval t0;
+  gettimeofday(&t0, NULL);
+# endif
+  dkim_exim_sign_init();
+# ifdef EXPERIMENTAL_ARC
+    {
+    uschar * s = ob->arc_sign;
+    if (s)
+      {
+      if (!(ob->dkim.arc_signspec = s = expand_string(s)))
+	{
+	if (!f.expand_string_forcedfail)
+	  {
+	  message = US"failed to expand arc_sign";
+	  sx->ok = FALSE;
+	  goto SEND_FAILED;
+	  }
+	}
+      else if (*s)
+	{
+	/* Ask dkim code to hash the body for ARC */
+	(void) arc_ams_setup_sign_bodyhash();
+	ob->dkim.force_bodyhash = TRUE;
+	}
+      }
+    }
+# endif
+# ifdef MEASURE_TIMING
+  report_time_since(&t0, US"dkim_exim_sign_init (delta)");
+# endif
+  }
+#endif
+
+  /* See if we can pipeline QUIT.  Reasons not to are
+  - pipelining not active
+  - not ok to send quit
+  - errors in amtp transation responses
+  - more addrs to send for this message or this host
+  - this message was being retried
+  - more messages for this host
+  If we can, we want the message-write to not flush (the tail end of) its data out.  */
+
+  if (  sx->pipelining_used
+     && (sx->ok && sx->completed_addr || smtp_peer_options & OPTION_CHUNKING)
+     && sx->send_quit
+     && !(sx->first_addr || f.continue_more)
+     && f.deliver_firsttime
+     )
+    {
+    smtp_compare_t t_compare =
+      {.tblock = tblock, .current_sender_address = sender_address};
+
+    tcw_done = TRUE;
+    tcw =
+#ifndef DISABLE_TLS
+	   (  tls_out.active.sock < 0  &&  !continue_proxy_cipher
+           || verify_check_given_host(CUSS &ob->hosts_nopass_tls, host) != OK
+	   )
+        &&
+#endif
+           transport_check_waiting(tblock->name, host->name,
+             tblock->connection_max_messages, new_message_id,
+	     (oicf)smtp_are_same_identities, (void*)&t_compare);
+    if (!tcw)
+      {
+      HDEBUG(D_transport) debug_printf("will pipeline QUIT\n");
+      tctx.options |= topt_no_flush;
+      }
+    }
+
+#ifndef DISABLE_DKIM
+  sx->ok = dkim_transport_write_message(&tctx, &ob->dkim, CUSS &message);
+#else
+  sx->ok = transport_write_message(&tctx, 0);
+#endif
+
+  /* transport_write_message() uses write() because it is called from other
+  places to write to non-sockets. This means that under some OS (e.g. Solaris)
+  it can exit with "Broken pipe" as its error. This really means that the
+  socket got closed at the far end. */
+
+  transport_write_timeout = 0;   /* for subsequent transports */
+
+  /* Failure can either be some kind of I/O disaster (including timeout),
+  or the failure of a transport filter or the expansion of added headers.
+  Or, when CHUNKING, it can be a protocol-detected failure. */
+
+  if (!sx->ok)
+    if (message) goto SEND_FAILED;
+    else         goto RESPONSE_FAILED;
+
+  /* We used to send the terminating "." explicitly here, but because of
+  buffering effects at both ends of TCP/IP connections, you don't gain
+  anything by keeping it separate, so it might as well go in the final
+  data buffer for efficiency. This is now done by setting the topt_end_dot
+  flag above. */
+
+  smtp_command = US"end of data";
+
+  /* If we can pipeline a QUIT with the data them send it now.  If a new message
+  for this host appeared in the queue while data was being sent, we will not see
+  it and it will have to wait for a queue run.  If there was one but another
+  thread took it, we might attempt to send it - but locking of spoolfiles will
+  detect that. Use _MORE to get QUIT in FIN segment. */
+
+  if (tcw_done && !tcw)
+    {
+    /*XXX jgh 2021/03/10 google et. al screwup.  G, at least, sends TCP FIN in response to TLS
+    close-notify.  Under TLS 1.3, violating RFC.
+    However, TLS 1.2 does not have half-close semantics. */
+
+    if (     sx->cctx.tls_ctx
+#if 0 && !defined(DISABLE_TLS)
+          && Ustrcmp(tls_out.ver, "TLS1.3") != 0
+#endif
+       || !f.deliver_firsttime
+       )
+      {				/* Send QUIT now and not later */
+      (void)smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n");
+      sx->send_quit = FALSE;
+      }
+    else
+      {				/* add QUIT to the output buffer */
+      (void)smtp_write_command(sx, SCMD_MORE, "QUIT\r\n");
+      sx->send_quit = FALSE;	/* avoid sending it later */
+
+#ifndef DISABLE_TLS
+      if (sx->cctx.tls_ctx && sx->send_tlsclose)	/* need to send TLS Close Notify */
+	{
+# ifdef EXIM_TCP_CORK		/* Use _CORK to get Close Notify in FIN segment */
+	(void) setsockopt(sx->cctx.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &on, sizeof(on));
+# endif
+	tls_shutdown_wr(sx->cctx.tls_ctx);
+	sx->send_tlsclose = FALSE;	/* avoid later repeat */
+	}
+#endif
+      HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP(shutdown)>>\n");
+      shutdown(sx->cctx.sock, SHUT_WR);	/* flush output buffer, with TCP FIN */
+      }
+    }
+
+  if (smtp_peer_options & OPTION_CHUNKING && sx->cmd_count > 1)
+    {
+    /* Reap any outstanding MAIL & RCPT commands, but not a DATA-go-ahead */
+    switch(sync_responses(sx, sx->cmd_count-1, 0))
+      {
+      case 3: sx->ok = TRUE;            /* 2xx & 5xx => OK & progress made */
+      case 2: sx->completed_addr = TRUE;    /* 5xx (only) => progress made */
+	      break;
+
+      case 1: sx->ok = TRUE;		/* 2xx (only) => OK, but if LMTP, */
+      if (!sx->lmtp) sx->completed_addr = TRUE; /* can't tell about progress yet */
+      case 0: break;			/* No 2xx or 5xx, but no probs */
+
+      case -1: goto END_OFF;		/* Timeout on RCPT */
+
+#ifndef DISABLE_PIPE_CONNECT
+      case -5:				/* TLS first-read error */
+      case -4:  HDEBUG(D_transport)
+		  debug_printf("failed reaping pipelined cmd responses\n");
+#endif
+      default: goto RESPONSE_FAILED;	/* I/O error, or any MAIL/DATA error */
+      }
+    }
+
+#ifndef DISABLE_PRDR
+  /* For PRDR we optionally get a partial-responses warning followed by the
+  individual responses, before going on with the overall response.  If we don't
+  get the warning then deal with per non-PRDR. */
+
+  if(sx->prdr_active)
+    {
+    sx->ok = smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '3', ob->final_timeout);
+    if (!sx->ok && errno == 0) switch(sx->buffer[0])
+      {
+      case '2': sx->prdr_active = FALSE;
+		sx->ok = TRUE;
+		break;
+      case '4': errno = ERRNO_DATA4XX;
+		addrlist->more_errno |=
+		  ((sx->buffer[1] - '0')*10 + sx->buffer[2] - '0') << 8;
+		break;
+      }
+    }
+  else
+#endif
+
+  /* For non-PRDR SMTP, we now read a single response that applies to the
+  whole message.  If it is OK, then all the addresses have been delivered. */
+
+  if (!sx->lmtp)
+    {
+    sx->ok = smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2',
+      ob->final_timeout);
+    if (!sx->ok && errno == 0 && sx->buffer[0] == '4')
+      {
+      errno = ERRNO_DATA4XX;
+      addrlist->more_errno |= ((sx->buffer[1] - '0')*10 + sx->buffer[2] - '0') << 8;
+      }
+    }
+
+  /* For LMTP, we get back a response for every RCPT command that we sent;
+  some may be accepted and some rejected. For those that get a response, their
+  status is fixed; any that are accepted have been handed over, even if later
+  responses crash - at least, that's how I read RFC 2033.
+
+  If all went well, mark the recipient addresses as completed, record which
+  host/IPaddress they were delivered to, and cut out RSET when sending another
+  message down the same channel. Write the completed addresses to the journal
+  now so that they are recorded in case there is a crash of hardware or
+  software before the spool gets updated. Also record the final SMTP
+  confirmation if needed (for SMTP only). */
+
+  if (sx->ok)
+    {
+    int flag = '=';
+    struct timeval delivery_time;
+    int len;
+    uschar * conf = NULL;
+
+    timesince(&delivery_time, &sx->delivery_start);
+    sx->send_rset = FALSE;
+    pipelining_active = FALSE;
+
+    /* Set up confirmation if needed - applies only to SMTP */
+
+    if (
+#ifdef DISABLE_EVENT
+          LOGGING(smtp_confirmation) &&
+#endif
+          !sx->lmtp
+       )
+      {
+      const uschar * s = string_printing(sx->buffer);
+      /* deconst cast ok here as string_printing was checked to have alloc'n'copied */
+      conf = s == sx->buffer ? US string_copy(s) : US s;
+      }
+
+    /* Process all transported addresses - for LMTP or PRDR, read a status for
+    each one. We used to drop out at first_addr, until someone returned a 452
+    followed by a 250... and we screwed up the accepted addresses. */
+
+    for (address_item * addr = addrlist; addr; addr = addr->next)
+      {
+      if (addr->transport_return != PENDING_OK) continue;
+
+      /* LMTP - if the response fails badly (e.g. timeout), use it for all the
+      remaining addresses. Otherwise, it's a return code for just the one
+      address. For temporary errors, add a retry item for the address so that
+      it doesn't get tried again too soon. */
+
+#ifndef DISABLE_PRDR
+      if (sx->lmtp || sx->prdr_active)
+#else
+      if (sx->lmtp)
+#endif
+        {
+        if (!smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2',
+            ob->final_timeout))
+          {
+          if (errno != 0 || sx->buffer[0] == 0) goto RESPONSE_FAILED;
+          addr->message = string_sprintf(
+#ifndef DISABLE_PRDR
+	    "%s error after %s: %s", sx->prdr_active ? "PRDR":"LMTP",
+#else
+	    "LMTP error after %s: %s",
+#endif
+	    data_command, string_printing(sx->buffer));
+          setflag(addr, af_pass_message);   /* Allow message to go to user */
+          if (sx->buffer[0] == '5')
+            addr->transport_return = FAIL;
+          else
+            {
+            errno = ERRNO_DATA4XX;
+            addr->more_errno |= ((sx->buffer[1] - '0')*10 + sx->buffer[2] - '0') << 8;
+            addr->transport_return = DEFER;
+#ifndef DISABLE_PRDR
+            if (!sx->prdr_active)
+#endif
+              retry_add_item(addr, addr->address_retry_key, 0);
+            }
+          continue;
+          }
+        sx->completed_addr = TRUE;   /* NOW we can set this flag */
+        if (LOGGING(smtp_confirmation))
+          {
+          const uschar *s = string_printing(sx->buffer);
+	  /* deconst cast ok here as string_printing was checked to have alloc'n'copied */
+          conf = (s == sx->buffer) ? US string_copy(s) : US s;
+          }
+        }
+
+      /* SMTP, or success return from LMTP for this address. Pass back the
+      actual host that was used. */
+
+      addr->transport_return = OK;
+      addr->host_used = host;
+      addr->delivery_time = delivery_time;
+      addr->special_action = flag;
+      addr->message = conf;
+
+      if (tcp_out_fastopen)
+	{
+	setflag(addr, af_tcp_fastopen_conn);
+	if (tcp_out_fastopen >= TFO_USED_NODATA) setflag(addr, af_tcp_fastopen);
+	if (tcp_out_fastopen >= TFO_USED_DATA) setflag(addr, af_tcp_fastopen_data);
+	}
+      if (sx->pipelining_used) setflag(addr, af_pipelining);
+#ifndef DISABLE_PIPE_CONNECT
+      if (sx->early_pipe_active) setflag(addr, af_early_pipe);
+#endif
+#ifndef DISABLE_PRDR
+      if (sx->prdr_active) setflag(addr, af_prdr_used);
+#endif
+      if (smtp_peer_options & OPTION_CHUNKING) setflag(addr, af_chunking_used);
+      flag = '-';
+
+#ifndef DISABLE_PRDR
+      if (!sx->prdr_active)
+#endif
+        {
+        /* Update the journal. For homonymic addresses, use the base address plus
+        the transport name. See lots of comments in deliver.c about the reasons
+        for the complications when homonyms are involved. Just carry on after
+        write error, as it may prove possible to update the spool file later. */
+
+        if (testflag(addr, af_homonym))
+          sprintf(CS sx->buffer, "%.500s/%s\n", addr->unique + 3, tblock->name);
+        else
+          sprintf(CS sx->buffer, "%.500s\n", addr->unique);
+
+        DEBUG(D_deliver) debug_printf("S:journalling %s", sx->buffer);
+        len = Ustrlen(CS sx->buffer);
+        if (write(journal_fd, sx->buffer, len) != len)
+          log_write(0, LOG_MAIN|LOG_PANIC, "failed to write journal for "
+            "%s: %s", sx->buffer, strerror(errno));
+        }
+      }
+
+#ifndef DISABLE_PRDR
+    if (sx->prdr_active)
+      {
+      const uschar * overall_message;
+
+      /* PRDR - get the final, overall response.  For any non-success
+      upgrade all the address statuses. */
+
+      sx->ok = smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2',
+	ob->final_timeout);
+      if (!sx->ok)
+	{
+	if(errno == 0 && sx->buffer[0] == '4')
+	  {
+	  errno = ERRNO_DATA4XX;
+	  addrlist->more_errno |= ((sx->buffer[1] - '0')*10 + sx->buffer[2] - '0') << 8;
+	  }
+	for (address_item * addr = addrlist; addr != sx->first_addr; addr = addr->next)
+	  if (sx->buffer[0] == '5' || addr->transport_return == OK)
+	    addr->transport_return = PENDING_OK; /* allow set_errno action */
+	goto RESPONSE_FAILED;
+	}
+
+      /* Append the overall response to the individual PRDR response for logging
+      and update the journal, or setup retry. */
+
+      overall_message = string_printing(sx->buffer);
+      for (address_item * addr = addrlist; addr != sx->first_addr; addr = addr->next)
+	if (addr->transport_return == OK)
+	  addr->message = string_sprintf("%s\\n%s", addr->message, overall_message);
+
+      for (address_item * addr = addrlist; addr != sx->first_addr; addr = addr->next)
+	if (addr->transport_return == OK)
+	  {
+	  if (testflag(addr, af_homonym))
+	    sprintf(CS sx->buffer, "%.500s/%s\n", addr->unique + 3, tblock->name);
+	  else
+	    sprintf(CS sx->buffer, "%.500s\n", addr->unique);
+
+	  DEBUG(D_deliver) debug_printf("journalling(PRDR) %s\n", sx->buffer);
+	  len = Ustrlen(CS sx->buffer);
+	  if (write(journal_fd, sx->buffer, len) != len)
+	    log_write(0, LOG_MAIN|LOG_PANIC, "failed to write journal for "
+	      "%s: %s", sx->buffer, strerror(errno));
+	  }
+	else if (addr->transport_return == DEFER)
+	  /*XXX magic value -2 ? maybe host+message ? */
+	  retry_add_item(addr, addr->address_retry_key, -2);
+      }
+#endif
+
+    /* Ensure the journal file is pushed out to disk. */
+
+    if (EXIMfsync(journal_fd) < 0)
+      log_write(0, LOG_MAIN|LOG_PANIC, "failed to fsync journal: %s",
+        strerror(errno));
+    }
+  }
+
+
+/* Handle general (not specific to one address) failures here. The value of ok
+is used to skip over this code on the falling through case. A timeout causes a
+deferral. Other errors may defer or fail according to the response code, and
+may set up a special errno value, e.g. after connection chopped, which is
+assumed if errno == 0 and there is no text in the buffer. If control reaches
+here during the setting up phase (i.e. before MAIL FROM) then always defer, as
+the problem is not related to this specific message. */
+
+if (!sx->ok)
+  {
+  int code, set_rc;
+  uschar * set_message;
+
+  RESPONSE_FAILED:
+    {
+    save_errno = errno;
+    message = NULL;
+    /* Clear send_quit flag if needed.  Do not set. */
+    sx->send_quit &= check_response(host, &save_errno, addrlist->more_errno,
+      sx->buffer, &code, &message, &pass_message);
+    goto FAILED;
+    }
+
+  SEND_FAILED:
+    {
+    save_errno = errno;
+    code = '4';
+    message = string_sprintf("smtp send to %s [%s] failed: %s",
+      host->name, host->address, message ? message : US strerror(save_errno));
+    sx->send_quit = FALSE;
+    goto FAILED;
+    }
+
+  FAILED:
+    {
+    BOOL message_error;
+
+    sx->ok = FALSE;                /* For when reached by GOTO */
+    set_message = message;
+
+  /* We want to handle timeouts after MAIL or "." and loss of connection after
+  "." specially. They can indicate a problem with the sender address or with
+  the contents of the message rather than a real error on the connection. These
+  cases are treated in the same way as a 4xx response. This next bit of code
+  does the classification. */
+
+    switch(save_errno)
+      {
+      case 0:
+      case ERRNO_MAIL4XX:
+      case ERRNO_DATA4XX:
+	message_error = TRUE;
+	break;
+
+      case ETIMEDOUT:
+	message_error = Ustrncmp(smtp_command,"MAIL",4) == 0 ||
+			Ustrncmp(smtp_command,"end ",4) == 0;
+	break;
+
+      case ERRNO_SMTPCLOSED:
+	message_error = Ustrncmp(smtp_command,"end ",4) == 0;
+	break;
+
+#ifndef DISABLE_DKIM
+      case EACCES:
+	/* DKIM signing failure: avoid thinking we pipelined quit,
+	just abandon the message and close the socket. */
+
+	message_error = FALSE;
+# ifndef DISABLE_TLS
+	if (sx->cctx.tls_ctx)
+	  {
+	  tls_close(sx->cctx.tls_ctx,
+		    sx->send_tlsclose ? TLS_SHUTDOWN_WAIT : TLS_SHUTDOWN_WONLY);
+	  sx->cctx.tls_ctx = NULL;
+	  }
+# endif
+	break;
+#endif
+      default:
+	message_error = FALSE;
+	break;
+      }
+
+    /* Handle the cases that are treated as message errors. These are:
+
+      (a) negative response or timeout after MAIL
+      (b) negative response after DATA
+      (c) negative response or timeout or dropped connection after "."
+      (d) utf8 support required and not offered
+
+    It won't be a negative response or timeout after RCPT, as that is dealt
+    with separately above. The action in all cases is to set an appropriate
+    error code for all the addresses, but to leave yield set to OK because the
+    host itself has not failed. Of course, it might in practice have failed
+    when we've had a timeout, but if so, we'll discover that at the next
+    delivery attempt. For a temporary error, set the message_defer flag, and
+    write to the logs for information if this is not the last host. The error
+    for the last host will be logged as part of the address's log line. */
+
+    if (message_error)
+      {
+      if (mua_wrapper) code = '5';  /* Force hard failure in wrapper mode */
+
+      /* If there's an errno, the message contains just the identity of
+      the host. */
+
+      if (code == '5')
+	set_rc = FAIL;
+      else		/* Anything other than 5 is treated as temporary */
+        {
+	set_rc = DEFER;
+        if (save_errno > 0)
+          message = US string_sprintf("%s: %s", message, strerror(save_errno));
+
+        write_logs(host, message, sx->first_addr ? sx->first_addr->basic_errno : 0);
+
+        *message_defer = TRUE;
+        }
+#ifdef TIOCOUTQ
+      DEBUG(D_transport) if (sx->cctx.sock >= 0)
+	{
+	int n;
+	if (ioctl(sx->cctx.sock, TIOCOUTQ, &n) == 0)
+	  debug_printf("%d bytes remain in socket output buffer\n", n);
+	}
+#endif
+      }
+    /* Otherwise, we have an I/O error or a timeout other than after MAIL or
+    ".", or some other transportation error. We defer all addresses and yield
+    DEFER, except for the case of failed add_headers expansion, or a transport
+    filter failure, when the yield should be ERROR, to stop it trying other
+    hosts. */
+
+    else
+      {
+#ifndef DISABLE_PIPE_CONNECT
+      /* If we were early-pipelinng and the actual EHLO response did not match
+      the cached value we assumed, we could have detected it and passed a
+      custom errno through to here.  It would be nice to RSET and retry right
+      away, but to reliably do that we eould need an extra synch point before
+      we committed to data and that would discard half the gained roundrips.
+      Or we could summarily drop the TCP connection. but that is also ugly.
+      Instead, we ignore the possibility (having freshened the cache) and rely
+      on the server telling us with a nonmessage error if we have tried to
+      do something it no longer supports. */
+#endif
+      set_rc = DEFER;
+      yield = (save_errno == ERRNO_CHHEADER_FAIL ||
+               save_errno == ERRNO_FILTER_FAIL) ? ERROR : DEFER;
+      }
+    }
+
+  set_errno(addrlist, save_errno, set_message, set_rc, pass_message, host,
+#ifdef EXPERIMENTAL_DSN_INFO
+	    sx->smtp_greeting, sx->helo_response,
+#endif
+	    &sx->delivery_start);
+  }
+
+/* If all has gone well, send_quit will be set TRUE, implying we can end the
+SMTP session tidily. However, if there were too many addresses to send in one
+message (indicated by first_addr being non-NULL) we want to carry on with the
+rest of them. Also, it is desirable to send more than one message down the SMTP
+connection if there are several waiting, provided we haven't already sent so
+many as to hit the configured limit. The function transport_check_waiting looks
+for a waiting message and returns its id. Then transport_pass_socket tries to
+set up a continued delivery by passing the socket on to another process. The
+variable send_rset is FALSE if a message has just been successfully transferred.
+
+If we are already sending down a continued channel, there may be further
+addresses not yet delivered that are aimed at the same host, but which have not
+been passed in this run of the transport. In this case, continue_more will be
+true, and all we should do is send RSET if necessary, and return, leaving the
+channel open.
+
+However, if no address was disposed of, i.e. all addresses got 4xx errors, we
+do not want to continue with other messages down the same channel, because that
+can lead to looping between two or more messages, all with the same,
+temporarily failing address(es). [The retry information isn't updated yet, so
+new processes keep on trying.] We probably also don't want to try more of this
+message's addresses either.
+
+If we have started a TLS session, we have to end it before passing the
+connection to a new process. However, not all servers can handle this (Exim
+can), so we do not pass such a connection on if the host matches
+hosts_nopass_tls. */
+
+DEBUG(D_transport)
+  debug_printf("ok=%d send_quit=%d send_rset=%d continue_more=%d "
+    "yield=%d first_address is %sNULL\n", sx->ok, sx->send_quit,
+    sx->send_rset, f.continue_more, yield, sx->first_addr ? "not " : "");
+
+if (sx->completed_addr && sx->ok && sx->send_quit)
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+  if (mail_limit = continue_sequence >= sx->max_mail)
+    {
+    DEBUG(D_transport)
+      debug_printf("reached limit %u for MAILs per conn\n", sx->max_mail);
+    }
+  else
+#endif
+    {
+    smtp_compare_t t_compare =
+      {.tblock = tblock, .current_sender_address = sender_address};
+
+    if (  sx->first_addr			/* more addrs for this message */
+       || f.continue_more			/* more addrs for continued-host */
+       || tcw_done && tcw			/* more messages for host */
+       || (
+#ifndef DISABLE_TLS
+	     (  tls_out.active.sock < 0  &&  !continue_proxy_cipher
+	     || verify_check_given_host(CUSS &ob->hosts_nopass_tls, host) != OK
+	     )
+	  &&
+#endif
+	     transport_check_waiting(tblock->name, host->name,
+	       sx->max_mail, new_message_id,
+	       (oicf)smtp_are_same_identities, (void*)&t_compare)
+       )  )
+      {
+      uschar *msg;
+      BOOL pass_message;
+
+      if (sx->send_rset)
+	if (! (sx->ok = smtp_write_command(sx, SCMD_FLUSH, "RSET\r\n") >= 0))
+	  {
+	  msg = US string_sprintf("smtp send to %s [%s] failed: %s", host->name,
+	    host->address, strerror(errno));
+	  sx->send_quit = FALSE;
+	  }
+	else if (! (sx->ok = smtp_read_response(sx, sx->buffer, sizeof(sx->buffer),
+		    '2', ob->command_timeout)))
+	  {
+	  int code;
+	  sx->send_quit = check_response(host, &errno, 0, sx->buffer, &code, &msg,
+	    &pass_message);
+	  if (!sx->send_quit)
+	    {
+	    DEBUG(D_transport) debug_printf("H=%s [%s] %s\n",
+	      host->name, host->address, msg);
+	    }
+	  }
+
+      /* Either RSET was not needed, or it succeeded */
+
+      if (sx->ok)
+	{
+#ifndef DISABLE_TLS
+	int pfd[2];
+#endif
+	int socket_fd = sx->cctx.sock;
+
+	if (sx->first_addr)		/* More addresses still to be sent */
+	  {				/*   for this message              */
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+	  /* Any that we marked as skipped, reset to do now */
+	  for (address_item * a = sx->first_addr; a; a = a->next)
+	    if (a->transport_return == SKIP)
+	      a->transport_return = PENDING_DEFER;
+#endif
+	  continue_sequence++;				/* for consistency */
+	  clearflag(sx->first_addr, af_new_conn);
+	  setflag(sx->first_addr, af_cont_conn);	/* Causes * in logging */
+	  pipelining_active = sx->pipelining_used;	/* was cleared at DATA */
+	  goto SEND_MESSAGE;
+	  }
+
+	/* Unless caller said it already has more messages listed for this host,
+	pass the connection on to a new Exim process (below, the call to
+	transport_pass_socket).  If the caller has more ready, just return with
+	the connection still open. */
+
+#ifndef DISABLE_TLS
+	if (tls_out.active.sock >= 0)
+	  if (  f.continue_more
+	     || verify_check_given_host(CUSS &ob->hosts_noproxy_tls, host) == OK)
+	    {
+	    /* Before passing the socket on, or returning to caller with it still
+	    open, we must shut down TLS.  Not all MTAs allow for the continuation
+	    of the SMTP session when TLS is shut down. We test for this by sending
+	    a new EHLO. If we don't get a good response, we don't attempt to pass
+	    the socket on. */
+
+	  tls_close(sx->cctx.tls_ctx,
+	    sx->send_tlsclose ? TLS_SHUTDOWN_WAIT : TLS_SHUTDOWN_WONLY);
+	  sx->send_tlsclose = FALSE;
+	  sx->cctx.tls_ctx = NULL;
+	  tls_out.active.sock = -1;
+	  smtp_peer_options = smtp_peer_options_wrap;
+	  sx->ok = !sx->smtps
+	    && smtp_write_command(sx, SCMD_FLUSH, "EHLO %s\r\n", sx->helo_data)
+		>= 0
+	    && smtp_read_response(sx, sx->buffer, sizeof(sx->buffer),
+				      '2', ob->command_timeout);
+
+	    if (sx->ok && f.continue_more)
+	      goto TIDYUP;		/* More addresses for another run */
+	    }
+	  else
+	    {
+	    /* Set up a pipe for proxying TLS for the new transport process */
+
+	    smtp_peer_options |= OPTION_TLS;
+	    if ((sx->ok = socketpair(AF_UNIX, SOCK_STREAM, 0, pfd) == 0))
+	      socket_fd = pfd[1];
+	    else
+	      set_errno(sx->first_addr, errno, US"internal allocation problem",
+		      DEFER, FALSE, host,
+# ifdef EXPERIMENTAL_DSN_INFO
+		      sx->smtp_greeting, sx->helo_response,
+# endif
+		      &sx->delivery_start);
+	    }
+	else
+#endif
+	  if (f.continue_more)
+	    goto TIDYUP;			/* More addresses for another run */
+
+	/* If the socket is successfully passed, we mustn't send QUIT (or
+	indeed anything!) from here. */
+
+  /*XXX DSN_INFO: assume likely to do new HELO; but for greet we'll want to
+  propagate it from the initial
+  */
+	if (sx->ok && transport_pass_socket(tblock->name, host->name,
+	      host->address, new_message_id, socket_fd
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+	      , sx->peer_limit_mail, sx->peer_limit_rcpt, sx->peer_limit_rcptdom
+#endif
+	      ))
+	  {
+	  sx->send_quit = FALSE;
+
+	  /* We have passed the client socket to a fresh transport process.
+	  If TLS is still active, we need to proxy it for the transport we
+	  just passed the baton to.  Fork a child to to do it, and return to
+	  get logging done asap.  Which way to place the work makes assumptions
+	  about post-fork prioritisation which may not hold on all platforms. */
+#ifndef DISABLE_TLS
+	  if (tls_out.active.sock >= 0)
+	    {
+	    int pid = exim_fork(US"tls-proxy-interproc");
+	    if (pid == 0)		/* child; fork again to disconnect totally */
+	      {
+	      /* does not return */
+	      smtp_proxy_tls(sx->cctx.tls_ctx, sx->buffer, sizeof(sx->buffer), pfd,
+			      ob->command_timeout, host->name);
+	      }
+
+	    if (pid > 0)		/* parent */
+	      {
+	      close(pfd[0]);
+	      /* tidy the inter-proc to disconn the proxy proc */
+	      waitpid(pid, NULL, 0);
+	      tls_close(sx->cctx.tls_ctx, TLS_NO_SHUTDOWN);
+	      sx->cctx.tls_ctx = NULL;
+	      (void)close(sx->cctx.sock);
+	      sx->cctx.sock = -1;
+	      continue_transport = NULL;
+	      continue_hostname = NULL;
+	      goto TIDYUP;
+	      }
+	    log_write(0, LOG_PANIC_DIE, "fork failed");
+	    }
+#endif
+	  }
+	}
+
+      /* If RSET failed and there are addresses left, they get deferred. */
+      else
+	set_errno(sx->first_addr, errno, msg, DEFER, FALSE, host,
+#ifdef EXPERIMENTAL_DSN_INFO
+		    sx->smtp_greeting, sx->helo_response,
+#endif
+		    &sx->delivery_start);
+      }
+    }
+
+/* End off tidily with QUIT unless the connection has died or the socket has
+been passed to another process. */
+
+SEND_QUIT:
+if (sx->send_quit)
+  {			/* Use _MORE to get QUIT in FIN segment */
+  (void)smtp_write_command(sx, SCMD_MORE, "QUIT\r\n");
+#ifndef DISABLE_TLS
+  if (sx->cctx.tls_ctx && sx->send_tlsclose)
+    {
+# ifdef EXIM_TCP_CORK	/* Use _CORK to get TLS Close Notify in FIN segment */
+    (void) setsockopt(sx->cctx.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &on, sizeof(on));
+# endif
+    tls_shutdown_wr(sx->cctx.tls_ctx);
+    sx->send_tlsclose = FALSE;
+    }
+#endif
+  }
+
+END_OFF:
+
+/* Close the socket, and return the appropriate value, first setting
+works because the NULL setting is passed back to the calling process, and
+remote_max_parallel is forced to 1 when delivering over an existing connection,
+
+If all went well and continue_more is set, we shouldn't actually get here if
+there are further addresses, as the return above will be taken. However,
+writing RSET might have failed, or there may be other addresses whose hosts are
+specified in the transports, and therefore not visible at top level, in which
+case continue_more won't get set. */
+
+if (sx->send_quit)
+  {
+  /* This flushes data queued in the socket, being the QUIT and any TLS Close,
+  sending them along with the client FIN flag.  Us (we hope) sending FIN first
+  means we (client) take the TIME_WAIT state, so the server (which likely has a
+  higher connection rate) does not have to. */
+
+  HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP(shutdown)>>\n");
+  shutdown(sx->cctx.sock, SHUT_WR);
+  }
+
+if (sx->send_quit || tcw_done && !tcw)
+  {
+  /* Wait for (we hope) ack of our QUIT, and a server FIN.  Discard any data
+  received, then discard the socket.  Any packet received after then, or receive
+  data still in the socket, will get a RST - hence the pause/drain. */
+
+  /* Reap the response to QUIT, timing out after one second */
+  (void) smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', 1);
+#ifndef DISABLE_TLS
+  if (sx->cctx.tls_ctx)
+    {
+    int n;
+
+    /* Reap the TLS Close Notify from the server, timing out after one second */
+    sigalrm_seen = FALSE;
+    ALARM(1);
+    do
+      n = tls_read(sx->cctx.tls_ctx, sx->inbuffer, sizeof(sx->inbuffer));
+    while (!sigalrm_seen && n > 0);
+    ALARM_CLR(0);
+
+    if (sx->send_tlsclose)
+      {
+# ifdef EXIM_TCP_CORK
+      (void) setsockopt(sx->cctx.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &on, sizeof(on));
+# endif
+      tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_WAIT);
+      }
+    else
+      tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_WONLY);
+    sx->cctx.tls_ctx = NULL;
+    }
+#endif
+
+  /* Drain any trailing data from the socket before close, to avoid sending a RST */
+
+  if (  poll_one_fd(sx->cctx.sock, POLLIN, 20) != 0		/* 20ms */
+     && fcntl(sx->cctx.sock, F_SETFL, O_NONBLOCK) == 0)
+    for (int i = 16, n;						/* drain socket */
+	 (n = read(sx->cctx.sock, sx->inbuffer, sizeof(sx->inbuffer))) > 0 && i > 0;
+	 i--) HDEBUG(D_transport|D_acl|D_v)
+      {
+      int m = MIN(n, 64);
+      debug_printf_indent("  SMTP(drain %d bytes)<< %.*s\n", n, m, sx->inbuffer);
+      for (m = 0; m < n; m++)
+	debug_printf("0x%02x\n", sx->inbuffer[m]);
+      }
+  }
+HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP(close)>>\n");
+(void)close(sx->cctx.sock);
+sx->cctx.sock = -1;
+continue_transport = NULL;
+continue_hostname = NULL;
+smtp_debug_cmd_report();
+
+#ifndef DISABLE_EVENT
+(void) event_raise(tblock->event_action, US"tcp:close", NULL, NULL);
+#endif
+
+#ifdef SUPPORT_DANE
+if (dane_held)
+  {
+  sx->first_addr = NULL;
+  for (address_item * a = sx->addrlist->next; a; a = a->next)
+    if (a->transport_return == DANE)
+      {
+      a->transport_return = PENDING_DEFER;
+      if (!sx->first_addr)
+	{
+	/* Remember the new start-point in the addrlist, for smtp_setup_conn()
+	to get the domain string for SNI */
+
+	sx->first_addr = a;
+	clearflag(a, af_cont_conn);
+	setflag(a, af_new_conn);		/* clear * from logging */
+	DEBUG(D_transport) debug_printf("DANE: go-around for %s\n", a->domain);
+	}
+      }
+  continue_sequence = 1;			/* for consistency */
+  goto REPEAT_CONN;
+  }
+#endif
+
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+if (mail_limit && sx->first_addr)
+  {
+  /* Reset the sequence count since we closed the connection.  This is flagged
+  on the pipe back to the delivery process so that a non-continued-conn delivery
+  is logged. */
+
+  continue_sequence = 1;			/* for consistency */
+  clearflag(sx->first_addr, af_cont_conn);
+  setflag(sx->first_addr, af_new_conn);		/* clear  * from logging */
+  goto REPEAT_CONN;
+  }
+#endif
+
+return yield;
+
+TIDYUP:
+#ifdef SUPPORT_DANE
+if (dane_held) for (address_item * a = sx->addrlist->next; a; a = a->next)
+  if (a->transport_return == DANE)
+    a->transport_return = PENDING_DEFER;
+#endif
+return yield;
+}
+
+
+
+
+/*************************************************
+*              Closedown entry point             *
+*************************************************/
+
+/* This function is called when exim is passed an open smtp channel
+from another incarnation, but the message which it has been asked
+to deliver no longer exists. The channel is on stdin.
+
+We might do fancy things like looking for another message to send down
+the channel, but if the one we sought has gone, it has probably been
+delivered by some other process that itself will seek further messages,
+so just close down our connection.
+
+Argument:   pointer to the transport instance block
+Returns:    nothing
+*/
+
+void
+smtp_transport_closedown(transport_instance *tblock)
+{
+smtp_transport_options_block * ob = SOB tblock->options_block;
+client_conn_ctx cctx;
+smtp_context sx;
+uschar buffer[256];
+uschar inbuffer[4096];
+uschar outbuffer[16];
+
+/*XXX really we need an active-smtp-client ctx, rather than assuming stdout */
+cctx.sock = fileno(stdin);
+cctx.tls_ctx = cctx.sock == tls_out.active.sock ? tls_out.active.tls_ctx : NULL;
+
+sx.inblock.cctx = &cctx;
+sx.inblock.buffer = inbuffer;
+sx.inblock.buffersize = sizeof(inbuffer);
+sx.inblock.ptr = inbuffer;
+sx.inblock.ptrend = inbuffer;
+
+sx.outblock.cctx = &cctx;
+sx.outblock.buffersize = sizeof(outbuffer);
+sx.outblock.buffer = outbuffer;
+sx.outblock.ptr = outbuffer;
+sx.outblock.cmd_count = 0;
+sx.outblock.authenticating = FALSE;
+
+(void)smtp_write_command(&sx, SCMD_FLUSH, "QUIT\r\n");
+(void)smtp_read_response(&sx, buffer, sizeof(buffer), '2', ob->command_timeout);
+(void)close(cctx.sock);
+}
+
+
+
+/*************************************************
+*            Prepare addresses for delivery      *
+*************************************************/
+
+/* This function is called to flush out error settings from previous delivery
+attempts to other hosts. It also records whether we got here via an MX record
+or not in the more_errno field of the address. We are interested only in
+addresses that are still marked DEFER - others may have got delivered to a
+previously considered IP address. Set their status to PENDING_DEFER to indicate
+which ones are relevant this time.
+
+Arguments:
+  addrlist     the list of addresses
+  host         the host we are delivering to
+
+Returns:       the first address for this delivery
+*/
+
+static address_item *
+prepare_addresses(address_item *addrlist, host_item *host)
+{
+address_item *first_addr = NULL;
+for (address_item * addr = addrlist; addr; addr = addr->next)
+  if (addr->transport_return == DEFER)
+    {
+    if (!first_addr) first_addr = addr;
+    addr->transport_return = PENDING_DEFER;
+    addr->basic_errno = 0;
+    addr->more_errno = (host->mx >= 0)? 'M' : 'A';
+    addr->message = NULL;
+#ifndef DISABLE_TLS
+    addr->cipher = NULL;
+    addr->ourcert = NULL;
+    addr->peercert = NULL;
+    addr->peerdn = NULL;
+    addr->ocsp = OCSP_NOT_REQ;
+    addr->tlsver = NULL;
+#endif
+#ifdef EXPERIMENTAL_DSN_INFO
+    addr->smtp_greeting = NULL;
+    addr->helo_response = NULL;
+#endif
+    }
+return first_addr;
+}
+
+
+
+/*************************************************
+*              Main entry point                  *
+*************************************************/
+
+/* See local README for interface details. As this is a remote transport, it is
+given a chain of addresses to be delivered in one connection, if possible. It
+always returns TRUE, indicating that each address has its own independent
+status set, except if there is a setting up problem, in which case it returns
+FALSE. */
+
+BOOL
+smtp_transport_entry(
+  transport_instance *tblock,      /* data for this instantiation */
+  address_item *addrlist)          /* addresses we are working on */
+{
+int defport;
+int hosts_defer = 0;
+int hosts_fail  = 0;
+int hosts_looked_up = 0;
+int hosts_retry = 0;
+int hosts_serial = 0;
+int hosts_total = 0;
+int total_hosts_tried = 0;
+BOOL expired = TRUE;
+uschar *expanded_hosts = NULL;
+uschar *pistring;
+uschar *tid = string_sprintf("%s transport", tblock->name);
+smtp_transport_options_block *ob = SOB tblock->options_block;
+host_item *hostlist = addrlist->host_list;
+host_item *host = NULL;
+
+DEBUG(D_transport)
+  {
+  debug_printf("%s transport entered\n", tblock->name);
+  for (address_item * addr = addrlist; addr; addr = addr->next)
+    debug_printf("  %s\n", addr->address);
+  if (hostlist)
+    {
+    debug_printf("hostlist:\n");
+    for (host_item * host = hostlist; host; host = host->next)
+      debug_printf("  '%s' IP %s port %d\n", host->name, host->address, host->port);
+    }
+  if (continue_hostname)
+    debug_printf("already connected to %s [%s] (on fd %d)\n",
+      continue_hostname, continue_host_address,
+      cutthrough.cctx.sock >= 0 ? cutthrough.cctx.sock : 0);
+  }
+
+/* Check the restrictions on line length */
+
+if (max_received_linelength > ob->message_linelength_limit)
+  {
+  struct timeval now;
+  gettimeofday(&now, NULL);
+
+  for (address_item * addr = addrlist; addr; addr = addr->next)
+    if (addr->transport_return == DEFER)
+      addr->transport_return = PENDING_DEFER;
+
+  set_errno_nohost(addrlist, ERRNO_SMTPFORMAT,
+    US"message has lines too long for transport", FAIL, TRUE, &now);
+  goto END_TRANSPORT;
+  }
+
+/* Set the flag requesting that these hosts be added to the waiting
+database if the delivery fails temporarily or if we are running with
+queue_smtp or a 2-stage queue run. This gets unset for certain
+kinds of error, typically those that are specific to the message. */
+
+update_waiting =  TRUE;
+
+/* If a host list is not defined for the addresses - they must all have the
+same one in order to be passed to a single transport - or if the transport has
+a host list with hosts_override set, use the host list supplied with the
+transport. It is an error for this not to exist. */
+
+if (!hostlist || (ob->hosts_override && ob->hosts))
+  {
+  if (!ob->hosts)
+    {
+    addrlist->message = string_sprintf("%s transport called with no hosts set",
+      tblock->name);
+    addrlist->transport_return = PANIC;
+    return FALSE;   /* Only top address has status */
+    }
+
+  DEBUG(D_transport) debug_printf("using the transport's hosts: %s\n",
+    ob->hosts);
+
+  /* If the transport's host list contains no '$' characters, and we are not
+  randomizing, it is fixed and therefore a chain of hosts can be built once
+  and for all, and remembered for subsequent use by other calls to this
+  transport. If, on the other hand, the host list does contain '$', or we are
+  randomizing its order, we have to rebuild it each time. In the fixed case,
+  as the hosts string will never be used again, it doesn't matter that we
+  replace all the : characters with zeros. */
+
+  if (!ob->hostlist)
+    {
+    uschar *s = ob->hosts;
+
+    if (Ustrchr(s, '$'))
+      {
+      if (!(expanded_hosts = expand_string(s)))
+        {
+        addrlist->message = string_sprintf("failed to expand list of hosts "
+          "\"%s\" in %s transport: %s", s, tblock->name, expand_string_message);
+        addrlist->transport_return = f.search_find_defer ? DEFER : PANIC;
+        return FALSE;     /* Only top address has status */
+        }
+      DEBUG(D_transport) debug_printf("expanded list of hosts \"%s\" to "
+        "\"%s\"\n", s, expanded_hosts);
+      s = expanded_hosts;
+      }
+    else
+      if (ob->hosts_randomize) s = expanded_hosts = string_copy(s);
+
+    if (is_tainted(s))
+      {
+      log_write(0, LOG_MAIN|LOG_PANIC,
+	"attempt to use tainted host list '%s' from '%s' in transport %s",
+	s, ob->hosts, tblock->name);
+      /* Avoid leaking info to an attacker */
+      addrlist->message = US"internal configuration error";
+      addrlist->transport_return = PANIC;
+      return FALSE;
+      }
+
+    host_build_hostlist(&hostlist, s, ob->hosts_randomize);
+
+    /* Check that the expansion yielded something useful. */
+    if (!hostlist)
+      {
+      addrlist->message =
+        string_sprintf("%s transport has empty hosts setting", tblock->name);
+      addrlist->transport_return = PANIC;
+      return FALSE;   /* Only top address has status */
+      }
+
+    /* If there was no expansion of hosts, save the host list for
+    next time. */
+
+    if (!expanded_hosts) ob->hostlist = hostlist;
+    }
+
+  /* This is not the first time this transport has been run in this delivery;
+  the host list was built previously. */
+
+  else
+    hostlist = ob->hostlist;
+  }
+
+/* The host list was supplied with the address. If hosts_randomize is set, we
+must sort it into a random order if it did not come from MX records and has not
+already been randomized (but don't bother if continuing down an existing
+connection). */
+
+else if (ob->hosts_randomize && hostlist->mx == MX_NONE && !continue_hostname)
+  {
+  host_item *newlist = NULL;
+  while (hostlist)
+    {
+    host_item *h = hostlist;
+    hostlist = hostlist->next;
+
+    h->sort_key = random_number(100);
+
+    if (!newlist)
+      {
+      h->next = NULL;
+      newlist = h;
+      }
+    else if (h->sort_key < newlist->sort_key)
+      {
+      h->next = newlist;
+      newlist = h;
+      }
+    else
+      {
+      host_item *hh = newlist;
+      while (hh->next)
+        {
+        if (h->sort_key < hh->next->sort_key) break;
+        hh = hh->next;
+        }
+      h->next = hh->next;
+      hh->next = h;
+      }
+    }
+
+  hostlist = addrlist->host_list = newlist;
+  }
+
+/* Sort out the default port.  */
+
+if (!smtp_get_port(ob->port, addrlist, &defport, tid)) return FALSE;
+
+/* For each host-plus-IP-address on the list:
+
+.  If this is a continued delivery and the host isn't the one with the
+   current connection, skip.
+
+.  If the status is unusable (i.e. previously failed or retry checked), skip.
+
+.  If no IP address set, get the address, either by turning the name into
+   an address, calling gethostbyname if gethostbyname is on, or by calling
+   the DNS. The DNS may yield multiple addresses, in which case insert the
+   extra ones into the list.
+
+.  Get the retry data if not previously obtained for this address and set the
+   field which remembers the state of this address. Skip if the retry time is
+   not reached. If not, remember whether retry data was found. The retry string
+   contains both the name and the IP address.
+
+.  Scan the list of addresses and mark those whose status is DEFER as
+   PENDING_DEFER. These are the only ones that will be processed in this cycle
+   of the hosts loop.
+
+.  Make a delivery attempt - addresses marked PENDING_DEFER will be tried.
+   Some addresses may be successfully delivered, others may fail, and yet
+   others may get temporary errors and so get marked DEFER.
+
+.  The return from the delivery attempt is OK if a connection was made and a
+   valid SMTP dialogue was completed. Otherwise it is DEFER.
+
+.  If OK, add a "remove" retry item for this host/IPaddress, if any.
+
+.  If fail to connect, or other defer state, add a retry item.
+
+.  If there are any addresses whose status is still DEFER, carry on to the
+   next host/IPaddress, unless we have tried the number of hosts given
+   by hosts_max_try or hosts_max_try_hardlimit; otherwise return. Note that
+   there is some fancy logic for hosts_max_try that means its limit can be
+   overstepped in some circumstances.
+
+If we get to the end of the list, all hosts have deferred at least one address,
+or not reached their retry times. If delay_after_cutoff is unset, it requests a
+delivery attempt to those hosts whose last try was before the arrival time of
+the current message. To cope with this, we have to go round the loop a second
+time. After that, set the status and error data for any addresses that haven't
+had it set already. */
+
+for (int cutoff_retry = 0;
+     expired && cutoff_retry < (ob->delay_after_cutoff ? 1 : 2);
+     cutoff_retry++)
+  {
+  host_item *nexthost = NULL;
+  int unexpired_hosts_tried = 0;
+  BOOL continue_host_tried = FALSE;
+
+retry_non_continued:
+  for (host = hostlist;
+          host
+       && unexpired_hosts_tried < ob->hosts_max_try
+       && total_hosts_tried < ob->hosts_max_try_hardlimit;
+       host = nexthost)
+    {
+    int rc;
+    int host_af;
+    BOOL host_is_expired = FALSE;
+    BOOL message_defer = FALSE;
+    BOOL some_deferred = FALSE;
+    address_item *first_addr = NULL;
+    uschar *interface = NULL;
+    uschar *retry_host_key = NULL;
+    uschar *retry_message_key = NULL;
+    uschar *serialize_key = NULL;
+
+    /* Default next host is next host. :-) But this can vary if the
+    hosts_max_try limit is hit (see below). It may also be reset if a host
+    address is looked up here (in case the host was multihomed). */
+
+    nexthost = host->next;
+
+    /* If the address hasn't yet been obtained from the host name, look it up
+    now, unless the host is already marked as unusable. If it is marked as
+    unusable, it means that the router was unable to find its IP address (in
+    the DNS or wherever) OR we are in the 2nd time round the cutoff loop, and
+    the lookup failed last time. We don't get this far if *all* MX records
+    point to non-existent hosts; that is treated as a hard error.
+
+    We can just skip this host entirely. When the hosts came from the router,
+    the address will timeout based on the other host(s); when the address is
+    looked up below, there is an explicit retry record added.
+
+    Note that we mustn't skip unusable hosts if the address is not unset; they
+    may be needed as expired hosts on the 2nd time round the cutoff loop. */
+
+    if (!host->address)
+      {
+      int new_port, flags;
+
+      if (host->status >= hstatus_unusable)
+        {
+        DEBUG(D_transport) debug_printf("%s has no address and is unusable - skipping\n",
+          host->name);
+        continue;
+        }
+
+      DEBUG(D_transport) debug_printf("getting address for %s\n", host->name);
+
+      /* The host name is permitted to have an attached port. Find it, and
+      strip it from the name. Just remember it for now. */
+
+      new_port = host_item_get_port(host);
+
+      /* Count hosts looked up */
+
+      hosts_looked_up++;
+
+      /* Find by name if so configured, or if it's an IP address. We don't
+      just copy the IP address, because we need the test-for-local to happen. */
+
+      flags = HOST_FIND_BY_A | HOST_FIND_BY_AAAA;
+      if (ob->dns_qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
+      if (ob->dns_search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
+
+      if (ob->gethostbyname || string_is_ip_address(host->name, NULL) != 0)
+        rc = host_find_byname(host, NULL, flags, NULL, TRUE);
+      else
+        rc = host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
+	  &ob->dnssec,		/* domains for request/require */
+          NULL, NULL);
+
+      /* Update the host (and any additional blocks, resulting from
+      multihoming) with a host-specific port, if any. */
+
+      for (host_item * hh = host; hh != nexthost; hh = hh->next) hh->port = new_port;
+
+      /* Failure to find the host at this time (usually DNS temporary failure)
+      is really a kind of routing failure rather than a transport failure.
+      Therefore we add a retry item of the routing kind, not to stop us trying
+      to look this name up here again, but to ensure the address gets timed
+      out if the failures go on long enough. A complete failure at this point
+      commonly points to a configuration error, but the best action is still
+      to carry on for the next host. */
+
+      if (rc == HOST_FIND_AGAIN || rc == HOST_FIND_SECURITY || rc == HOST_FIND_FAILED)
+        {
+        retry_add_item(addrlist, string_sprintf("R:%s", host->name), 0);
+        expired = FALSE;
+        if (rc == HOST_FIND_AGAIN) hosts_defer++; else hosts_fail++;
+        DEBUG(D_transport) debug_printf("rc = %s for %s\n", (rc == HOST_FIND_AGAIN)?
+          "HOST_FIND_AGAIN" : "HOST_FIND_FAILED", host->name);
+        host->status = hstatus_unusable;
+
+        for (address_item * addr = addrlist; addr; addr = addr->next)
+          {
+          if (addr->transport_return != DEFER) continue;
+          addr->basic_errno = ERRNO_UNKNOWNHOST;
+          addr->message = string_sprintf(
+	    rc == HOST_FIND_SECURITY
+	      ? "lookup of IP address for %s was insecure"
+	      : "failed to lookup IP address for %s",
+	    host->name);
+          }
+        continue;
+        }
+
+      /* If the host is actually the local host, we may have a problem, or
+      there may be some cunning configuration going on. In the problem case,
+      log things and give up. The default transport status is already DEFER. */
+
+      if (rc == HOST_FOUND_LOCAL && !ob->allow_localhost)
+        {
+        for (address_item * addr = addrlist; addr; addr = addr->next)
+          {
+          addr->basic_errno = ERRNO_HOST_IS_LOCAL;
+          addr->message = string_sprintf("%s transport found host %s to be "
+            "local", tblock->name, host->name);
+          }
+        goto END_TRANSPORT;
+        }
+      }   /* End of block for IP address lookup */
+
+    /* If this is a continued delivery, we are interested only in the host
+    which matches the name of the existing open channel. The check is put
+    here after the local host lookup, in case the name gets expanded as a
+    result of the lookup. Set expired FALSE, to save the outer loop executing
+    twice. */
+
+    if (continue_hostname)
+      if (  Ustrcmp(continue_hostname, host->name) != 0
+         || Ustrcmp(continue_host_address, host->address) != 0
+	 )
+	{
+	expired = FALSE;
+	continue;      /* With next host */
+	}
+      else
+	continue_host_tried = TRUE;
+
+    /* Reset the default next host in case a multihomed host whose addresses
+    are not looked up till just above added to the host list. */
+
+    nexthost = host->next;
+
+    /* If queue_smtp is set (-odqs or the first part of a 2-stage run), or the
+    domain is in queue_smtp_domains, we don't actually want to attempt any
+    deliveries. When doing a queue run, queue_smtp_domains is always unset. If
+    there is a lookup defer in queue_smtp_domains, proceed as if the domain
+    were not in it. We don't want to hold up all SMTP deliveries! Except when
+    doing a two-stage queue run, don't do this if forcing. */
+
+    if (  (!f.deliver_force || f.queue_2stage)
+       && (  f.queue_smtp
+	  || match_isinlist(addrlist->domain,
+	      CUSS &queue_smtp_domains, 0,
+	      &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK)
+       )
+      {
+      DEBUG(D_transport) debug_printf("first-pass routing only\n");
+      expired = FALSE;
+      for (address_item * addr = addrlist; addr; addr = addr->next)
+        if (addr->transport_return == DEFER)
+	  addr->message = US"first-pass only routing due to -odqs, "
+			    "queue_smtp_domains or control=queue";
+      continue;      /* With next host */
+      }
+
+    /* Count hosts being considered - purely for an intelligent comment
+    if none are usable. */
+
+    hosts_total++;
+
+    /* Set $host and $host address now in case they are needed for the
+    interface expansion or the serialize_hosts check; they remain set if an
+    actual delivery happens. */
+
+    deliver_host = host->name;
+    deliver_host_address = host->address;
+    lookup_dnssec_authenticated = host->dnssec == DS_YES ? US"yes"
+				: host->dnssec == DS_NO ? US"no"
+				: US"";
+
+    /* Set up a string for adding to the retry key if the port number is not
+    the standard SMTP port. A host may have its own port setting that overrides
+    the default. */
+
+    pistring = string_sprintf(":%d", host->port == PORT_NONE
+      ? defport : host->port);
+    if (Ustrcmp(pistring, ":25") == 0) pistring = US"";
+
+    /* Select IPv4 or IPv6, and choose an outgoing interface. If the interface
+    string is set, even if constant (as different transports can have different
+    constant settings), we must add it to the key that is used for retries,
+    because connections to the same host from a different interface should be
+    treated separately. */
+
+    host_af = Ustrchr(host->address, ':') ? AF_INET6 : AF_INET;
+      {
+      uschar * s = ob->interface;
+      if (s && *s)
+	{
+	if (!smtp_get_interface(s, host_af, addrlist, &interface, tid))
+	  return FALSE;
+	pistring = string_sprintf("%s/%s", pistring, interface);
+	}
+      }
+
+    /* The first time round the outer loop, check the status of the host by
+    inspecting the retry data. The second time round, we are interested only
+    in expired hosts that haven't been tried since this message arrived. */
+
+    if (cutoff_retry == 0)
+      {
+      BOOL incl_ip;
+      /* Ensure the status of the address is set by checking retry data if
+      necessary. There may be host-specific retry data (applicable to all
+      messages) and also data for retries of a specific message at this host.
+      If either of these retry records are actually read, the keys used are
+      returned to save recomputing them later. */
+
+      if (exp_bool(addrlist, US"transport", tblock->name, D_transport,
+		US"retry_include_ip_address", ob->retry_include_ip_address,
+		ob->expand_retry_include_ip_address, &incl_ip) != OK)
+	continue;	/* with next host */
+
+      host_is_expired = retry_check_address(addrlist->domain, host, pistring,
+        incl_ip, &retry_host_key, &retry_message_key);
+
+      DEBUG(D_transport) debug_printf("%s [%s]%s retry-status = %s\n", host->name,
+        host->address ? host->address : US"", pistring,
+        host->status == hstatus_usable ? "usable"
+        : host->status == hstatus_unusable ? "unusable"
+        : host->status == hstatus_unusable_expired ? "unusable (expired)" : "?");
+
+      /* Skip this address if not usable at this time, noting if it wasn't
+      actually expired, both locally and in the address. */
+
+      switch (host->status)
+        {
+        case hstatus_unusable:
+	  expired = FALSE;
+	  setflag(addrlist, af_retry_skipped);
+	  /* Fall through */
+
+        case hstatus_unusable_expired:
+	  switch (host->why)
+	    {
+	    case hwhy_retry: hosts_retry++; break;
+	    case hwhy_failed:  hosts_fail++; break;
+	    case hwhy_insecure:
+	    case hwhy_deferred: hosts_defer++; break;
+	    }
+
+	  /* If there was a retry message key, implying that previously there
+	  was a message-specific defer, we don't want to update the list of
+	  messages waiting for these hosts. */
+
+	  if (retry_message_key) update_waiting = FALSE;
+	  continue;   /* With the next host or IP address */
+        }
+      }
+
+    /* Second time round the loop: if the address is set but expired, and
+    the message is newer than the last try, let it through. */
+
+    else
+      {
+      if (  !host->address
+         || host->status != hstatus_unusable_expired
+	 || host->last_try > received_time.tv_sec)
+        continue;
+      DEBUG(D_transport) debug_printf("trying expired host %s [%s]%s\n",
+          host->name, host->address, pistring);
+      host_is_expired = TRUE;
+      }
+
+    /* Setting "expired=FALSE" doesn't actually mean not all hosts are expired;
+    it remains TRUE only if all hosts are expired and none are actually tried.
+    */
+
+    expired = FALSE;
+
+    /* If this host is listed as one to which access must be serialized,
+    see if another Exim process has a connection to it, and if so, skip
+    this host. If not, update the database to record our connection to it
+    and remember this for later deletion. Do not do any of this if we are
+    sending the message down a pre-existing connection. */
+
+    if (  !continue_hostname
+       && verify_check_given_host(CUSS &ob->serialize_hosts, host) == OK)
+      {
+      serialize_key = string_sprintf("host-serialize-%s", host->name);
+      if (!enq_start(serialize_key, 1))
+        {
+        DEBUG(D_transport)
+          debug_printf("skipping host %s because another Exim process "
+            "is connected to it\n", host->name);
+        hosts_serial++;
+        continue;
+        }
+      }
+
+    /* OK, we have an IP address that is not waiting for its retry time to
+    arrive (it might be expired) OR (second time round the loop) we have an
+    expired host that hasn't been tried since the message arrived. Have a go
+    at delivering the message to it. First prepare the addresses by flushing
+    out the result of previous attempts, and finding the first address that
+    is still to be delivered. */
+
+    first_addr = prepare_addresses(addrlist, host);
+
+    DEBUG(D_transport) debug_printf("delivering %s to %s [%s] (%s%s)\n",
+      message_id, host->name, host->address, addrlist->address,
+      addrlist->next ? ", ..." : "");
+
+    set_process_info("delivering %s to %s [%s]%s (%s%s)",
+      message_id, host->name, host->address, pistring, addrlist->address,
+      addrlist->next ? ", ..." : "");
+
+    /* This is not for real; don't do the delivery. If there are
+    any remaining hosts, list them. */
+
+    if (f.dont_deliver)
+      {
+      struct timeval now;
+      gettimeofday(&now, NULL);
+      set_errno_nohost(addrlist, 0, NULL, OK, FALSE, &now);
+      for (address_item * addr = addrlist; addr; addr = addr->next)
+        {
+        addr->host_used = host;
+        addr->special_action = '*';
+        addr->message = US"delivery bypassed by -N option";
+        }
+      DEBUG(D_transport)
+        {
+        debug_printf("*** delivery by %s transport bypassed by -N option\n"
+                     "*** host and remaining hosts:\n", tblock->name);
+        for (host_item * host2 = host; host2; host2 = host2->next)
+          debug_printf("    %s [%s]\n", host2->name,
+            host2->address ? host2->address : US"unset");
+        }
+      rc = OK;
+      }
+
+    /* This is for real. If the host is expired, we don't count it for
+    hosts_max_retry. This ensures that all hosts must expire before an address
+    is timed out, unless hosts_max_try_hardlimit (which protects against
+    lunatic DNS configurations) is reached.
+
+    If the host is not expired and we are about to hit the hosts_max_retry
+    limit, check to see if there is a subsequent hosts with a different MX
+    value. If so, make that the next host, and don't count this one. This is a
+    heuristic to make sure that different MXs do get tried. With a normal kind
+    of retry rule, they would get tried anyway when the earlier hosts were
+    delayed, but if the domain has a "retry every time" type of rule - as is
+    often used for the the very large ISPs, that won't happen. */
+
+    else
+      {
+      host_item * thost;
+      /* Make a copy of the host if it is local to this invocation
+       of the transport. */
+
+      if (expanded_hosts)
+	{
+	thost = store_get(sizeof(host_item), GET_UNTAINTED);
+	*thost = *host;
+	thost->name = string_copy(host->name);
+	thost->address = string_copy(host->address);
+	}
+      else
+        thost = host;
+
+      if (!host_is_expired && ++unexpired_hosts_tried >= ob->hosts_max_try)
+        {
+        DEBUG(D_transport)
+          debug_printf("hosts_max_try limit reached with this host\n");
+        for (host_item * h = host; h; h = h->next) if (h->mx != host->mx)
+	  {
+	  nexthost = h;
+	  unexpired_hosts_tried--;
+	  DEBUG(D_transport) debug_printf("however, a higher MX host exists "
+	    "and will be tried\n");
+	  break;
+	  }
+        }
+
+      /* Attempt the delivery. */
+
+      total_hosts_tried++;
+      rc = smtp_deliver(addrlist, thost, host_af, defport, interface, tblock,
+        &message_defer, FALSE);
+
+      /* Yield is one of:
+         OK     => connection made, each address contains its result;
+                     message_defer is set for message-specific defers (when all
+                     recipients are marked defer)
+         DEFER  => there was a non-message-specific delivery problem;
+         ERROR  => there was a problem setting up the arguments for a filter,
+                   or there was a problem with expanding added headers
+      */
+
+      /* If the result is not OK, there was a non-message-specific problem.
+      If the result is DEFER, we need to write to the logs saying what happened
+      for this particular host, except in the case of authentication and TLS
+      failures, where the log has already been written. If all hosts defer a
+      general message is written at the end. */
+
+      if (rc == DEFER && first_addr->basic_errno != ERRNO_AUTHFAIL
+		      && first_addr->basic_errno != ERRNO_TLSFAILURE)
+        write_logs(host, first_addr->message, first_addr->basic_errno);
+
+#ifndef DISABLE_EVENT
+      if (rc == DEFER)
+	deferred_event_raise(first_addr, host, US"msg:host:defer");
+#endif
+
+      /* If STARTTLS was accepted, but there was a failure in setting up the
+      TLS session (usually a certificate screwup), and the host is not in
+      hosts_require_tls, and tls_tempfail_tryclear is true, try again, with
+      TLS forcibly turned off. We have to start from scratch with a new SMTP
+      connection. That's why the retry is done from here, not from within
+      smtp_deliver(). [Rejections of STARTTLS itself don't screw up the
+      session, so the in-clear transmission after those errors, if permitted,
+      happens inside smtp_deliver().] */
+
+#ifndef DISABLE_TLS
+      if (  rc == DEFER
+	 && first_addr->basic_errno == ERRNO_TLSFAILURE
+	 && ob->tls_tempfail_tryclear
+	 && verify_check_given_host(CUSS &ob->hosts_require_tls, host) != OK
+	 )
+        {
+        log_write(0, LOG_MAIN,
+	  "%s: delivering unencrypted to H=%s [%s] (not in hosts_require_tls)",
+	  first_addr->message, host->name, host->address);
+        first_addr = prepare_addresses(addrlist, host);
+        rc = smtp_deliver(addrlist, thost, host_af, defport, interface, tblock,
+          &message_defer, TRUE);
+        if (rc == DEFER && first_addr->basic_errno != ERRNO_AUTHFAIL)
+          write_logs(host, first_addr->message, first_addr->basic_errno);
+# ifndef DISABLE_EVENT
+	if (rc == DEFER)
+	  deferred_event_raise(first_addr, host, US"msg:host:defer");
+# endif
+        }
+#endif	/*DISABLE_TLS*/
+
+#ifndef DISABLE_EVENT
+      /* If the last host gave a defer raise a per-message event */
+
+      if (  !(  nexthost
+	     && unexpired_hosts_tried < ob->hosts_max_try
+	     && total_hosts_tried < ob->hosts_max_try_hardlimit
+	     )
+         && (message_defer || rc == DEFER)
+	 )
+	deferred_event_raise(first_addr, host, US"msg:defer");
+#endif
+      }
+
+    /* Delivery attempt finished */
+
+    set_process_info("delivering %s: just tried %s [%s]%s for %s%s: result %s",
+      message_id, host->name, host->address, pistring, addrlist->address,
+      addrlist->next ? " (& others)" : "", rc_to_string(rc));
+
+    /* Release serialization if set up */
+
+    if (serialize_key) enq_end(serialize_key);
+
+    /* If the result is DEFER, or if a host retry record is known to exist, we
+    need to add an item to the retry chain for updating the retry database
+    at the end of delivery. We only need to add the item to the top address,
+    of course. Also, if DEFER, we mark the IP address unusable so as to skip it
+    for any other delivery attempts using the same address. (It is copied into
+    the unusable tree at the outer level, so even if different address blocks
+    contain the same address, it still won't get tried again.) */
+
+    if (rc == DEFER || retry_host_key)
+      {
+      int delete_flag = rc != DEFER ? rf_delete : 0;
+      if (!retry_host_key)
+        {
+	BOOL incl_ip;
+	if (exp_bool(addrlist, US"transport", tblock->name, D_transport,
+		  US"retry_include_ip_address", ob->retry_include_ip_address,
+		  ob->expand_retry_include_ip_address, &incl_ip) != OK)
+	  incl_ip = TRUE;	/* error; use most-specific retry record */
+
+        retry_host_key = incl_ip
+	  ? string_sprintf("T:%S:%s%s", host->name, host->address, pistring)
+	  : string_sprintf("T:%S%s", host->name, pistring);
+        }
+
+      /* If a delivery of another message over an existing SMTP connection
+      yields DEFER, we do NOT set up retry data for the host. This covers the
+      case when there are delays in routing the addresses in the second message
+      that are so long that the server times out. This is alleviated by not
+      routing addresses that previously had routing defers when handling an
+      existing connection, but even so, this case may occur (e.g. if a
+      previously happily routed address starts giving routing defers). If the
+      host is genuinely down, another non-continued message delivery will
+      notice it soon enough. */
+
+      if (delete_flag != 0 || !continue_hostname)
+        retry_add_item(first_addr, retry_host_key, rf_host | delete_flag);
+
+      /* We may have tried an expired host, if its retry time has come; ensure
+      the status reflects the expiry for the benefit of any other addresses. */
+
+      if (rc == DEFER)
+        {
+        host->status = host_is_expired
+	  ? hstatus_unusable_expired : hstatus_unusable;
+        host->why = hwhy_deferred;
+        }
+      }
+
+    /* If message_defer is set (host was OK, but every recipient got deferred
+    because of some message-specific problem), or if that had happened
+    previously so that a message retry key exists, add an appropriate item
+    to the retry chain. Note that if there was a message defer but now there is
+    a host defer, the message defer record gets deleted. That seems perfectly
+    reasonable. Also, stop the message from being remembered as waiting
+    for specific hosts. */
+
+    if (message_defer || retry_message_key)
+      {
+      int delete_flag = message_defer ? 0 : rf_delete;
+      if (!retry_message_key)
+        {
+	BOOL incl_ip;
+	if (exp_bool(addrlist, US"transport", tblock->name, D_transport,
+		  US"retry_include_ip_address", ob->retry_include_ip_address,
+		  ob->expand_retry_include_ip_address, &incl_ip) != OK)
+	  incl_ip = TRUE;	/* error; use most-specific retry record */
+
+        retry_message_key = incl_ip
+	  ? string_sprintf("T:%S:%s%s:%s", host->name, host->address, pistring,
+	      message_id)
+	  : string_sprintf("T:%S%s:%s", host->name, pistring, message_id);
+        }
+      retry_add_item(addrlist, retry_message_key,
+        rf_message | rf_host | delete_flag);
+      update_waiting = FALSE;
+      }
+
+    /* Any return other than DEFER (that is, OK or ERROR) means that the
+    addresses have got their final statuses filled in for this host. In the OK
+    case, see if any of them are deferred. */
+
+    if (rc == OK)
+      for (address_item * addr = addrlist; addr; addr = addr->next)
+        if (addr->transport_return == DEFER)
+          {
+          some_deferred = TRUE;
+          break;
+          }
+
+    /* If no addresses deferred or the result was ERROR, return. We do this for
+    ERROR because a failing filter set-up or add_headers expansion is likely to
+    fail for any host we try. */
+
+    if (rc == ERROR || (rc == OK && !some_deferred))
+      {
+      DEBUG(D_transport) debug_printf("Leaving %s transport\n", tblock->name);
+      return TRUE;    /* Each address has its status */
+      }
+
+    /* If the result was DEFER or some individual addresses deferred, let
+    the loop run to try other hosts with the deferred addresses, except for the
+    case when we were trying to deliver down an existing channel and failed.
+    Don't try any other hosts in this case. */
+
+    if (continue_hostname) break;
+
+    /* If the whole delivery, or some individual addresses, were deferred and
+    there are more hosts that could be tried, do not count this host towards
+    the hosts_max_try limit if the age of the message is greater than the
+    maximum retry time for this host. This means we may try try all hosts,
+    ignoring the limit, when messages have been around for some time. This is
+    important because if we don't try all hosts, the address will never time
+    out. NOTE: this does not apply to hosts_max_try_hardlimit. */
+
+    if ((rc == DEFER || some_deferred) && nexthost)
+      {
+      BOOL timedout;
+      retry_config *retry = retry_find_config(host->name, NULL, 0, 0);
+
+      if (retry && retry->rules)
+        {
+        retry_rule *last_rule;
+        for (last_rule = retry->rules;
+             last_rule->next;
+             last_rule = last_rule->next);
+        timedout = time(NULL) - received_time.tv_sec > last_rule->timeout;
+        }
+      else timedout = TRUE;    /* No rule => timed out */
+
+      if (timedout)
+        {
+        unexpired_hosts_tried--;
+        DEBUG(D_transport) debug_printf("temporary delivery error(s) override "
+          "hosts_max_try (message older than host's retry time)\n");
+        }
+      }
+
+    DEBUG(D_transport)
+      {
+      if (unexpired_hosts_tried >= ob->hosts_max_try)
+	debug_printf("reached transport hosts_max_try limit %d\n",
+	  ob->hosts_max_try);
+      if (total_hosts_tried >= ob->hosts_max_try_hardlimit)
+	debug_printf("reached transport hosts_max_try_hardlimit limit %d\n",
+	  ob->hosts_max_try_hardlimit);
+      }
+
+    testharness_pause_ms(500); /* let server debug out */
+    }   /* End of loop for trying multiple hosts. */
+
+  /* If we failed to find a matching host in the list, for an already-open
+  connection, just close it and start over with the list.  This can happen
+  for routing that changes from run to run, or big multi-IP sites with
+  round-robin DNS. */
+
+  if (continue_hostname && !continue_host_tried)
+    {
+    int fd = cutthrough.cctx.sock >= 0 ? cutthrough.cctx.sock : 0;
+
+    DEBUG(D_transport) debug_printf("no hosts match already-open connection\n");
+#ifndef DISABLE_TLS
+    /* A TLS conn could be open for a cutthrough, but not for a plain continued-
+    transport */
+/*XXX doublecheck that! */
+
+    if (cutthrough.cctx.sock >= 0 && cutthrough.is_tls)
+      {
+      (void) tls_write(cutthrough.cctx.tls_ctx, US"QUIT\r\n", 6, FALSE);
+      tls_close(cutthrough.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
+      cutthrough.cctx.tls_ctx = NULL;
+      cutthrough.is_tls = FALSE;
+      }
+    else
+#else
+      (void) write(fd, US"QUIT\r\n", 6);
+#endif
+    (void) close(fd);
+    cutthrough.cctx.sock = -1;
+    continue_hostname = NULL;
+    goto retry_non_continued;
+    }
+
+  /* This is the end of the loop that repeats iff expired is TRUE and
+  ob->delay_after_cutoff is FALSE. The second time round we will
+  try those hosts that haven't been tried since the message arrived. */
+
+  DEBUG(D_transport)
+    {
+    debug_printf("all IP addresses skipped or deferred at least one address\n");
+    if (expired && !ob->delay_after_cutoff && cutoff_retry == 0)
+      debug_printf("retrying IP addresses not tried since message arrived\n");
+    }
+  }
+
+
+/* Get here if all IP addresses are skipped or defer at least one address. In
+MUA wrapper mode, this will happen only for connection or other non-message-
+specific failures. Force the delivery status for all addresses to FAIL. */
+
+if (mua_wrapper)
+  {
+  for (address_item * addr = addrlist; addr; addr = addr->next)
+    addr->transport_return = FAIL;
+  goto END_TRANSPORT;
+  }
+
+/* In the normal, non-wrapper case, add a standard message to each deferred
+address if there hasn't been an error, that is, if it hasn't actually been
+tried this time. The variable "expired" will be FALSE if any deliveries were
+actually tried, or if there was at least one host that was not expired. That
+is, it is TRUE only if no deliveries were tried and all hosts were expired. If
+a delivery has been tried, an error code will be set, and the failing of the
+message is handled by the retry code later.
+
+If queue_smtp is set, or this transport was called to send a subsequent message
+down an existing TCP/IP connection, and something caused the host not to be
+found, we end up here, but can detect these cases and handle them specially. */
+
+for (address_item * addr = addrlist; addr; addr = addr->next)
+  {
+  /* If host is not NULL, it means that we stopped processing the host list
+  because of hosts_max_try or hosts_max_try_hardlimit. In the former case, this
+  means we need to behave as if some hosts were skipped because their retry
+  time had not come. Specifically, this prevents the address from timing out.
+  However, if we have hit hosts_max_try_hardlimit, we want to behave as if all
+  hosts were tried. */
+
+  if (host)
+    if (total_hosts_tried >= ob->hosts_max_try_hardlimit)
+      {
+      DEBUG(D_transport)
+        debug_printf("hosts_max_try_hardlimit reached: behave as if all "
+          "hosts were tried\n");
+      }
+    else
+      {
+      DEBUG(D_transport)
+        debug_printf("hosts_max_try limit caused some hosts to be skipped\n");
+      setflag(addr, af_retry_skipped);
+      }
+
+  if (f.queue_smtp)    /* no deliveries attempted */
+    {
+    addr->transport_return = DEFER;
+    addr->basic_errno = 0;
+    addr->message = US"SMTP delivery explicitly queued";
+    }
+
+  else if (  addr->transport_return == DEFER
+	  && (addr->basic_errno == ERRNO_UNKNOWNERROR || addr->basic_errno == 0)
+	  && !addr->message
+	  )
+    {
+    addr->basic_errno = ERRNO_HRETRY;
+    if (continue_hostname)
+      addr->message = US"no host found for existing SMTP connection";
+    else if (expired)
+      {
+      setflag(addr, af_pass_message);   /* This is not a security risk */
+      addr->message = string_sprintf(
+	"all hosts%s have been failing for a long time %s",
+	addr->domain ? string_sprintf(" for '%s'", addr->domain) : US"",
+        ob->delay_after_cutoff
+	? US"(and retry time not reached)"
+	: US"and were last tried after this message arrived");
+
+      /* If we are already using fallback hosts, or there are no fallback hosts
+      defined, convert the result to FAIL to cause a bounce. */
+
+      if (addr->host_list == addr->fallback_hosts || !addr->fallback_hosts)
+        addr->transport_return = FAIL;
+      }
+    else
+      {
+      const char * s;
+      if (hosts_retry == hosts_total)
+        s = "retry time not reached for any host%s";
+      else if (hosts_fail == hosts_total)
+        s = "all host address lookups%s failed permanently";
+      else if (hosts_defer == hosts_total)
+        s = "all host address lookups%s failed temporarily";
+      else if (hosts_serial == hosts_total)
+        s = "connection limit reached for all hosts%s";
+      else if (hosts_fail+hosts_defer == hosts_total)
+        s = "all host address lookups%s failed";
+      else
+        s = "some host address lookups failed and retry time "
+        "not reached for other hosts or connection limit reached%s";
+
+      addr->message = string_sprintf(s,
+	addr->domain ? string_sprintf(" for '%s'", addr->domain) : US"");
+      }
+    }
+  }
+
+/* Update the database which keeps information about which messages are waiting
+for which hosts to become available. For some message-specific errors, the
+update_waiting flag is turned off because we don't want follow-on deliveries in
+those cases.  If this transport instance is explicitly limited to one message
+per connection then follow-on deliveries are not possible and there's no need
+to create/update the per-transport wait-<transport_name> database. */
+
+if (update_waiting && tblock->connection_max_messages != 1)
+  transport_update_waiting(hostlist, tblock->name);
+
+END_TRANSPORT:
+
+DEBUG(D_transport) debug_printf("Leaving %s transport\n", tblock->name);
+
+return TRUE;   /* Each address has its status */
+}
+
+#endif	/*!MACRO_PREDEF*/
+/* vi: aw ai sw=2
+*/
+/* End of transport/smtp.c */
diff --git a/src/transports/smtp.h b/src/transports/smtp.h
new file mode 100644
index 0000000..319e849
--- /dev/null
+++ b/src/transports/smtp.h
@@ -0,0 +1,252 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+#define DELIVER_BUFFER_SIZE 4096
+
+#define PENDING          256
+#define PENDING_DEFER   (PENDING + DEFER)
+#define PENDING_OK      (PENDING + OK)
+
+
+#ifndef DISABLE_TLS
+/* Flags structure for validity of TLS configuration */
+
+typedef struct {
+  BOOL conn_certs:1;		/* certificates etc. loaded */
+  BOOL cabundle:1;		/* CA certificates loaded */
+  BOOL crl:1;			/* CRL loaded */
+  BOOL pri_string:1;		/* cipher priority-string cache loaded */
+  BOOL dh:1;			/* Diffie-Helman params loaded */
+  BOOL ecdh:1;			/* EC Diffie-Helman params loaded */
+
+  BOOL ca_rdn_emulate:1;	/* do not advertise usable-cert list */
+  BOOL ocsp_hook:1;		/* need hshake callback on session */
+
+  void * libdata0;		/* library-dependent preloaded data */
+  void * libdata1;		/* library-dependent preloaded data */
+} exim_tlslib_state;
+#endif
+
+
+/* Private structure for the private options and other private data. */
+
+typedef struct {
+  uschar	*hosts;
+  uschar	*fallback_hosts;
+  host_item	*hostlist;
+  host_item	*fallback_hostlist;
+  uschar	*authenticated_sender;
+  uschar	*helo_data;
+  uschar	*interface;
+  uschar	*port;
+  uschar	*protocol;
+  uschar	*dscp;
+  uschar	*serialize_hosts;
+  uschar	*hosts_try_auth;
+  uschar	*hosts_require_alpn;
+  uschar	*hosts_require_auth;
+  uschar	*hosts_try_chunking;
+#ifdef SUPPORT_DANE
+  uschar	*hosts_try_dane;
+  uschar	*hosts_require_dane;
+  uschar	*dane_require_tls_ciphers;
+#endif
+  uschar	*hosts_try_fastopen;
+#ifndef DISABLE_PRDR
+  uschar	*hosts_try_prdr;
+#endif
+#ifndef DISABLE_OCSP
+  uschar	*hosts_request_ocsp;
+  uschar	*hosts_require_ocsp;
+#endif
+  uschar	*hosts_require_tls;
+  uschar	*hosts_avoid_tls;
+  uschar	*hosts_verify_avoid_tls;
+  uschar	*hosts_avoid_pipelining;
+#ifndef DISABLE_PIPE_CONNECT
+  uschar	*hosts_pipe_connect;
+#endif
+  uschar	*hosts_avoid_esmtp;
+#ifndef DISABLE_TLS
+  uschar	*hosts_nopass_tls;
+  uschar	*hosts_noproxy_tls;
+#endif
+  int		command_timeout;
+  int		connect_timeout;
+  int		data_timeout;
+  int		final_timeout;
+  int		size_addition;
+  int		hosts_max_try;
+  int		hosts_max_try_hardlimit;
+  int		message_linelength_limit;
+  BOOL		address_retry_include_sender;
+  BOOL		allow_localhost;
+  BOOL		authenticated_sender_force;
+  BOOL		gethostbyname;
+  BOOL		dns_qualify_single;
+  BOOL		dns_search_parents;
+  dnssec_domains dnssec;
+  BOOL		delay_after_cutoff;
+  BOOL		hosts_override;
+  BOOL		hosts_randomize;
+  BOOL		keepalive;
+  BOOL		lmtp_ignore_quota;
+  uschar	*expand_retry_include_ip_address;
+  BOOL		retry_include_ip_address;
+#ifdef SUPPORT_SOCKS
+  uschar	*socks_proxy;
+#endif
+#ifndef DISABLE_TLS
+  uschar	*tls_alpn;
+  uschar	*tls_certificate;
+  uschar	*tls_crl;
+  uschar	*tls_privatekey;
+  uschar	*tls_require_ciphers;
+# ifndef DISABLE_TLS_RESUME
+  uschar	*host_name_extract;
+  uschar	*tls_resumption_hosts;
+# endif
+  const uschar	*tls_sni;
+  uschar	*tls_verify_certificates;
+  int		tls_dh_min_bits;
+  BOOL		tls_tempfail_tryclear;
+  uschar	*tls_verify_hosts;
+  uschar	*tls_try_verify_hosts;
+  uschar	*tls_verify_cert_hostnames;
+#endif
+#ifdef SUPPORT_I18N
+  uschar	*utf8_downconvert;
+#endif
+#ifndef DISABLE_DKIM
+  struct ob_dkim dkim;
+#endif
+#ifdef EXPERIMENTAL_ARC
+  uschar	*arc_sign;
+#endif
+#ifndef DISABLE_TLS
+  exim_tlslib_state tls_preload;
+#endif
+} smtp_transport_options_block;
+
+#define SOB (smtp_transport_options_block *)
+
+
+/* smtp connect context */
+typedef struct {
+  uschar *		from_addr;
+  address_item *	addrlist;
+
+  smtp_connect_args	conn_args;
+  int			port;
+
+  BOOL verify:1;
+  BOOL lmtp:1;
+  BOOL smtps:1;
+  BOOL ok:1;
+  BOOL setting_up:1;
+#ifndef DISABLE_PIPE_CONNECT
+  BOOL early_pipe_ok:1;
+  BOOL early_pipe_active:1;
+#endif
+  BOOL esmtp:1;
+  BOOL esmtp_sent:1;
+  BOOL pipelining_used:1;
+#ifndef DISABLE_PRDR
+  BOOL prdr_active:1;
+#endif
+#ifdef SUPPORT_I18N
+  BOOL utf8_needed:1;
+#endif
+  BOOL dsn_all_lasthop:1;
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
+  BOOL dane_required:1;
+#endif
+#ifndef DISABLE_PIPE_CONNECT
+  BOOL pending_BANNER:1;
+  BOOL pending_EHLO:1;
+#endif
+  BOOL pending_MAIL:1;
+  BOOL pending_BDAT:1;
+  BOOL RCPT_452:1;
+  BOOL good_RCPT:1;
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+  BOOL single_rcpt_domain:1;
+#endif
+  BOOL completed_addr:1;
+  BOOL send_rset:1;
+  BOOL send_quit:1;
+  BOOL send_tlsclose:1;
+
+  unsigned	peer_offered;
+#ifdef EXPERIMENTAL_ESMTP_LIMITS
+  unsigned	peer_limit_mail;
+  unsigned	peer_limit_rcpt;
+  unsigned	peer_limit_rcptdom;
+#endif
+
+  unsigned	max_mail;
+  int		max_rcpt;
+  int		cmd_count;
+
+  unsigned	avoid_option;
+  uschar *	igquotstr;
+  uschar *	helo_data;
+#ifdef EXPERIMENTAL_DSN_INFO
+  uschar *	smtp_greeting;
+  uschar *	helo_response;
+#endif
+#ifndef DISABLE_PIPE_CONNECT
+  /* Info about the EHLO response stored to / retrieved from cache.  When
+  operating early-pipe, we use the cached values.  For each of plaintext and
+  crypted we store bitmaps for ESMTP features and AUTH methods.  If the LIMITS
+  extension is built and usable them at least one of the limits values cached
+  is nonzero, and we use the values to constrain the connection. */
+  ehlo_resp_precis	ehlo_resp;
+#endif
+
+  struct timeval	delivery_start;
+  address_item *	first_addr;
+  address_item *	next_addr;
+  address_item *	sync_addr;
+
+  client_conn_ctx	cctx;
+  smtp_inblock		inblock;
+  smtp_outblock		outblock;
+  uschar	buffer[DELIVER_BUFFER_SIZE];
+  uschar	inbuffer[4096];
+  uschar	outbuffer[4096];
+} smtp_context;
+
+extern int smtp_setup_conn(smtp_context *, BOOL);
+extern int smtp_write_mail_and_rcpt_cmds(smtp_context *, int *);
+extern int smtp_reap_early_pipe(smtp_context *, int *);
+
+
+/* Data for reading the private options. */
+
+extern optionlist smtp_transport_options[];
+extern int smtp_transport_options_count;
+
+/* Block containing default values. */
+
+extern smtp_transport_options_block smtp_transport_option_defaults;
+
+/* The main, init, and closedown entry points for the transport */
+
+extern BOOL smtp_transport_entry(transport_instance *, address_item *);
+extern void smtp_transport_init(transport_instance *);
+extern void smtp_transport_closedown(transport_instance *);
+
+
+
+#ifdef SUPPORT_SOCKS
+extern int     socks_sock_connect(host_item *, int, int, uschar *,
+	         transport_instance *, int);
+#endif
+
+/* End of transports/smtp.h */
diff --git a/src/transports/smtp_socks.c b/src/transports/smtp_socks.c
new file mode 100644
index 0000000..0e58732
--- /dev/null
+++ b/src/transports/smtp_socks.c
@@ -0,0 +1,415 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) Jeremy Harris 2015 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* SOCKS version 5 proxy, client-mode */
+
+#include "../exim.h"
+#include "smtp.h"
+
+#ifdef SUPPORT_SOCKS /* entire file */
+
+#ifndef nelem
+# define nelem(arr) (sizeof(arr)/sizeof(*arr))
+#endif
+
+
+/* Defaults */
+#define SOCKS_PORT	1080
+#define SOCKS_TIMEOUT	5
+#define SOCKS_WEIGHT	1
+#define SOCKS_PRIORITY	1
+
+#define AUTH_NONE	0
+#define AUTH_NAME	2		/* user/password per RFC 1929 */
+#define AUTH_NAME_VER	1
+
+struct socks_err
+  {
+  uschar *	reason;
+  int		errcode;
+  } socks_errs[] =
+  {
+    {NULL, 0},
+    {US"general SOCKS server failure",		EIO},
+    {US"connection not allowed by ruleset",	EACCES},
+    {US"Network unreachable",			ENETUNREACH},
+    {US"Host unreachable",			EHOSTUNREACH},
+    {US"Connection refused",			ECONNREFUSED},
+    {US"TTL expired",				ECANCELED},
+    {US"Command not supported",			EOPNOTSUPP},
+    {US"Address type not supported",		EAFNOSUPPORT}
+  };
+
+typedef struct
+  {
+  const uschar *	proxy_host;
+  uschar		auth_type;	/* RFC 1928 encoding */
+  const uschar *	auth_name;
+  const uschar *	auth_pwd;
+  short			port;
+  BOOL			is_failed;
+  unsigned		timeout;
+  unsigned		weight;
+  unsigned		priority;
+  } socks_opts;
+
+static void
+socks_option_defaults(socks_opts * sob)
+{
+sob->proxy_host = NULL;
+sob->auth_type =  AUTH_NONE;
+sob->auth_name =  US"";
+sob->auth_pwd =   US"";
+sob->is_failed =  FALSE;
+sob->port =	  SOCKS_PORT;
+sob->timeout =	  SOCKS_TIMEOUT;
+sob->weight =	  SOCKS_WEIGHT;
+sob->priority =   SOCKS_PRIORITY;
+}
+
+static void
+socks_option(socks_opts * sob, const uschar * opt)
+{
+if (Ustrncmp(opt, "auth=", 5) == 0)
+  {
+  opt += 5;
+  if (Ustrcmp(opt, "none") == 0) 	sob->auth_type = AUTH_NONE;
+  else if (Ustrcmp(opt, "name") == 0)	sob->auth_type = AUTH_NAME;
+  }
+else if (Ustrncmp(opt, "name=", 5) == 0)
+  sob->auth_name = opt + 5;
+else if (Ustrncmp(opt, "pass=", 5) == 0)
+  sob->auth_pwd = opt + 5;
+else if (Ustrncmp(opt, "port=", 5) == 0)
+  sob->port = atoi(CCS opt + 5);
+else if (Ustrncmp(opt, "tmo=", 4) == 0)
+  sob->timeout = atoi(CCS opt + 4);
+else if (Ustrncmp(opt, "pri=", 4) == 0)
+  sob->priority = atoi(CCS opt + 4);
+else if (Ustrncmp(opt, "weight=", 7) == 0)
+  sob->weight = atoi(CCS opt + 7);
+return;
+}
+
+static int
+socks_auth(int fd, int method, socks_opts * sob, time_t tmo)
+{
+uschar * s;
+int len, i, j;
+
+switch(method)
+  {
+  default:
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "Unrecognised socks auth method %d", method);
+    return FAIL;
+  case AUTH_NONE:
+    return OK;
+  case AUTH_NAME:
+    HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  socks auth NAME '%s' '%s'\n",
+      sob->auth_name, sob->auth_pwd);
+    i = Ustrlen(sob->auth_name);
+    j = Ustrlen(sob->auth_pwd);
+    s = string_sprintf("%c%c%.255s%c%.255s", AUTH_NAME_VER,
+      i, sob->auth_name, j, sob->auth_pwd);
+    len = i + j + 3;
+    HDEBUG(D_transport|D_acl|D_v)
+      {
+      debug_printf_indent("  SOCKS>>");
+      for (int i = 0; i<len; i++) debug_printf(" %02x", s[i]);
+      debug_printf("\n");
+      }
+    if (send(fd, s, len, 0) < 0)
+      return FAIL;
+#ifdef TCP_QUICKACK
+    (void) setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
+#endif
+    if (!fd_ready(fd, tmo) || read(fd, s, 2) != 2)
+      return FAIL;
+    HDEBUG(D_transport|D_acl|D_v)
+      debug_printf_indent("  SOCKS<< %02x %02x\n", s[0], s[1]);
+    if (s[0] == AUTH_NAME_VER && s[1] == 0)
+      {
+      HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  socks auth OK\n");
+      return OK;
+      }
+
+    log_write(0, LOG_MAIN|LOG_PANIC, "socks auth failed");
+    errno = EPROTO;
+    return FAIL;
+  }
+}
+
+
+
+/* Find a suitable proxy to use from the list.
+Possible common code with spamd_get_server() ?
+
+Return: index into proxy spec array, or -1
+*/
+
+static int
+socks_get_proxy(socks_opts * proxies, unsigned nproxies)
+{
+unsigned int i;
+socks_opts * sd;
+socks_opts * lim = &proxies[nproxies];
+long rnd, weights;
+unsigned pri;
+
+if (nproxies == 1)		/* shortcut, if we have only 1 server */
+  return (proxies[0].is_failed ? -1 : 0);
+
+/* scan for highest pri */
+for (pri = 0, sd = proxies; sd < lim; sd++)
+  if (!sd->is_failed && sd->priority > pri)
+    pri = sd->priority;
+
+/* get sum of weights at this pri */
+for (weights = 0, sd = proxies; sd < lim; sd++)
+  if (!sd->is_failed && sd->priority == pri)
+    weights += sd->weight;
+if (weights == 0)       /* all servers failed */
+  return -1;
+
+for (rnd = random_number(weights), i = 0; i < nproxies; i++)
+  {
+  sd = &proxies[i];
+  if (!sd->is_failed && sd->priority == pri)
+    if ((rnd -= sd->weight) < 0)
+      return i;
+  }
+
+log_write(0, LOG_MAIN|LOG_PANIC,
+  "%s unknown error (memory/cpu corruption?)", __FUNCTION__);
+return -1;
+}
+
+
+
+/* Make a connection via a socks proxy
+
+Arguments:
+ host		smtp target host
+ host_af	address family
+ port		remote tcp port number
+ interface	local interface
+ tb		transport
+ timeout	connection timeout (zero for indefinite)
+
+Return value:
+ 0 on success; -1 on failure, with errno set
+*/
+
+int
+socks_sock_connect(host_item * host, int host_af, int port, uschar * interface,
+  transport_instance * tb, int timeout)
+{
+smtp_transport_options_block * ob =
+  (smtp_transport_options_block *)tb->options_block;
+const uschar * proxy_list;
+const uschar * proxy_spec;
+int sep = 0;
+int fd;
+time_t tmo;
+const uschar * state;
+uschar buf[24];
+socks_opts proxies[32];			/* max #proxies handled */
+unsigned nproxies;
+socks_opts * sob = NULL;
+unsigned size;
+blob early_data;
+
+if (!timeout) timeout = 24*60*60;	/* use 1 day for "indefinite" */
+tmo = time(NULL) + timeout;
+
+if (!(proxy_list = expand_string(ob->socks_proxy)))
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC, "Bad expansion for socks_proxy in %s",
+    tb->name);
+  return -1;
+  }
+
+/* Read proxy list */
+
+for (nproxies = 0;
+        nproxies < nelem(proxies)
+     && (proxy_spec = string_nextinlist(&proxy_list, &sep, NULL, 0));
+     nproxies++)
+  {
+  int subsep = -' ';
+  const uschar * option;
+
+  socks_option_defaults(sob = &proxies[nproxies]);
+
+  if (!(sob->proxy_host = string_nextinlist(&proxy_spec, &subsep, NULL, 0)))
+    {
+    /* paniclog config error */
+    return -1;
+    }
+
+  /*XXX consider global options eg. "hide socks_password = wibble" on the tpt */
+  /* extract any further per-proxy options */
+  while ((option = string_nextinlist(&proxy_spec, &subsep, NULL, 0)))
+    socks_option(sob, option);
+  }
+if (!sob) return -1;
+
+/* Set up the socks protocol method-selection message,
+for sending on connection */
+
+state = US"method select";
+buf[0] = 5; buf[1] = 1; buf[2] = sob->auth_type;
+early_data.data = buf;
+early_data.len = 3;
+
+/* Try proxies until a connection succeeds */
+
+for(;;)
+  {
+  int idx;
+  host_item proxy;
+  smtp_connect_args sc = {.sock = -1};
+
+  if ((idx = socks_get_proxy(proxies, nproxies)) < 0)
+    {
+    HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  no proxies left\n");
+    errno = EBUSY;
+    return -1;
+    }
+  sob = &proxies[idx];
+
+  /* bodge up a host struct for the proxy */
+  proxy.address = proxy.name = sob->proxy_host;
+  proxy.port = sob->port;
+
+  sc.tblock = tb;
+  sc.ob = ob;
+  sc.host = &proxy;
+  sc.host_af = Ustrchr(sob->proxy_host, ':') ? AF_INET6 : AF_INET;
+  sc.interface = interface;
+
+  /*XXX we trust that the method-select command is idempotent */
+  if ((fd = smtp_sock_connect(&sc, sob->timeout, &early_data)) >= 0)
+    {
+    proxy_local_address = string_copy(proxy.address);
+    proxy_local_port = sob->port;
+    break;
+    }
+
+  log_write(0, LOG_MAIN, "%s: %s", __FUNCTION__, strerror(errno));
+  sob->is_failed = TRUE;
+  }
+
+/* Do the socks protocol stuff */
+
+HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SOCKS>> 05 01 %02x\n", sob->auth_type);
+
+/* expect method response */
+
+#ifdef TCP_QUICKACK
+(void) setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
+#endif
+
+if (  !fd_ready(fd, tmo)
+   || read(fd, buf, 2) != 2
+   )
+  goto rcv_err;
+HDEBUG(D_transport|D_acl|D_v)
+  debug_printf_indent("  SOCKS<< %02x %02x\n", buf[0], buf[1]);
+if (  buf[0] != 5
+   || socks_auth(fd, buf[1], sob, tmo) != OK
+   )
+  goto proxy_err;
+
+ {
+  union sockaddr_46 sin;
+  (void) ip_addr(&sin, host_af, host->address, port);
+
+  /* send connect (ipver, ipaddr, port) */
+
+  buf[0] = 5; buf[1] = 1; buf[2] = 0; buf[3] = host_af == AF_INET6 ? 4 : 1;
+  #if HAVE_IPV6
+  if (host_af == AF_INET6)
+    {
+    memcpy(buf+4, &sin.v6.sin6_addr,       sizeof(sin.v6.sin6_addr));
+    memcpy(buf+4+sizeof(sin.v6.sin6_addr),
+      &sin.v6.sin6_port, sizeof(sin.v6.sin6_port));
+    size = 4+sizeof(sin.v6.sin6_addr)+sizeof(sin.v6.sin6_port);
+    }
+  else
+  #endif
+    {
+    memcpy(buf+4, &sin.v4.sin_addr.s_addr, sizeof(sin.v4.sin_addr.s_addr));
+    memcpy(buf+4+sizeof(sin.v4.sin_addr.s_addr),
+      &sin.v4.sin_port, sizeof(sin.v4.sin_port));
+    size = 4+sizeof(sin.v4.sin_addr.s_addr)+sizeof(sin.v4.sin_port);
+    }
+ }
+
+state = US"connect";
+HDEBUG(D_transport|D_acl|D_v)
+  {
+  debug_printf_indent("  SOCKS>>");
+  for (int i = 0; i<size; i++) debug_printf(" %02x", buf[i]);
+  debug_printf("\n");
+  }
+if (send(fd, buf, size, 0) < 0)
+  goto snd_err;
+
+/* expect conn-reply (success, local(ipver, addr, port))
+of same length as conn-request, or non-success fail code */
+
+if (  !fd_ready(fd, tmo)
+   || (size = read(fd, buf, size)) < 2
+   )
+  goto rcv_err;
+HDEBUG(D_transport|D_acl|D_v)
+  {
+  debug_printf_indent("  SOCKS>>");
+  for (int i = 0; i<size; i++) debug_printf(" %02x", buf[i]);
+  debug_printf("\n");
+  }
+if (  buf[0] != 5
+   || buf[1] != 0
+   )
+  goto proxy_err;
+
+proxy_external_address = string_copy(
+  host_ntoa(buf[3] == 4 ? AF_INET6 : AF_INET, buf+4, NULL, NULL));
+proxy_external_port = ntohs(*((uint16_t *)(buf + (buf[3] == 4 ? 20 : 8))));
+proxy_session = TRUE;
+
+HDEBUG(D_transport|D_acl|D_v)
+  debug_printf_indent("  proxy farside: [%s]:%d\n", proxy_external_address, proxy_external_port);
+
+return fd;
+
+snd_err:
+  HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  proxy snd_err %s: %s\n", state, strerror(errno));
+  return -1;
+
+proxy_err:
+  {
+  struct socks_err * se =
+    buf[1] > nelem(socks_errs) ? NULL : socks_errs + buf[1];
+  HDEBUG(D_transport|D_acl|D_v)
+    debug_printf_indent("  proxy %s: %s\n", state, se ? se->reason : US"unknown error code received");
+  errno = se ? se->errcode : EPROTO;
+  }
+
+rcv_err:
+  HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  proxy rcv_err %s: %s\n", state, strerror(errno));
+  if (!errno) errno = EPROTO;
+  else if (errno == ENOENT) errno = ECONNABORTED;
+  return -1;
+}
+
+#endif	/* entire file */
+/* vi: aw ai sw=2
+*/
diff --git a/src/transports/tf_maildir.c b/src/transports/tf_maildir.c
new file mode 100644
index 0000000..a83fc6f
--- /dev/null
+++ b/src/transports/tf_maildir.c
@@ -0,0 +1,585 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 - 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions in support of the use of maildirsize files for handling quotas in
+maildir directories. Some of the rules are a bit baroque:
+
+http://www.inter7.com/courierimap/README.maildirquota.html
+
+We try to follow most of that, except that the directories to skip for quota
+calculations are not hard wired in, but are supplied as a regex. */
+
+
+#include "../exim.h"
+#include "appendfile.h"
+#include "tf_maildir.h"
+
+#define MAX_FILE_SIZE  5120
+
+
+
+/*************************************************
+*      Ensure maildir directories exist          *
+*************************************************/
+
+/* This function is called at the start of a maildir delivery, to ensure that
+all the relevant directories exist. It also creates a maildirfolder file if the
+base directory matches a given pattern.
+
+Argument:
+  path              the base directory name
+  addr              the address item (for setting an error message)
+  create_directory  true if we are allowed to create missing directories
+  dirmode           the mode for created directories
+  maildirfolder_create_regex
+                    the pattern to match for maildirfolder creation
+
+Returns:            TRUE on success; FALSE on failure
+*/
+
+BOOL maildir_ensure_directories(uschar *path, address_item *addr,
+  BOOL create_directory, int dirmode, uschar *maildirfolder_create_regex)
+{
+int i;
+struct stat statbuf;
+const char *subdirs[] = { "/tmp", "/new", "/cur" };
+
+DEBUG(D_transport)
+  debug_printf("ensuring maildir directories exist in %s\n", path);
+
+/* First ensure that the path we have is a directory; if it does not exist,
+create it. Then make sure the tmp, new & cur subdirs of the maildir are
+there. If not, fail. This aborts the delivery (even though the cur subdir is
+not actually needed for delivery). Handle all 4 directory tests/creates in a
+loop so that code can be shared. */
+
+for (i = 0; i < 4; i++)
+  {
+  int j;
+  const uschar *dir, *mdir;
+
+  if (i == 0)
+    {
+    mdir = CUS"";
+    dir = path;
+    }
+  else
+    {
+    mdir = CUS subdirs[i-1];
+    dir = mdir + 1;
+    }
+
+  /* Check an existing path is a directory. This is inside a loop because
+  there is a potential race condition when creating the directory - some
+  other process may get there first. Give up after trying several times,
+  though. */
+
+  for (j = 0; j < 10; j++)
+    {
+    if (Ustat(dir, &statbuf) == 0)
+      {
+      if (S_ISDIR(statbuf.st_mode)) break;   /* out of the race loop */
+      addr->message = string_sprintf("%s%s is not a directory", path,
+        mdir);
+      addr->basic_errno = ERRNO_NOTDIRECTORY;
+      return FALSE;
+      }
+
+    /* Try to make if non-existent and configured to do so */
+
+    if (errno == ENOENT && create_directory)
+      {
+      if (!directory_make(NULL, dir, dirmode, FALSE))
+        {
+        if (errno == EEXIST) continue;     /* repeat the race loop */
+        addr->message = string_sprintf("cannot create %s%s", path, mdir);
+        addr->basic_errno = errno;
+        return FALSE;
+        }
+      DEBUG(D_transport)
+        debug_printf("created directory %s%s\n", path, mdir);
+      break;   /* out of the race loop */
+      }
+
+    /* stat() error other than ENOENT, or ENOENT and not creatable */
+
+    addr->message = string_sprintf("stat() error for %s%s: %s", path, mdir,
+      strerror(errno));
+    addr->basic_errno = errno;
+    return FALSE;
+    }
+
+  /* If we went round the loop 10 times, the directory was flickering in
+  and out of existence like someone in a malfunctioning Star Trek
+  transporter. */
+
+  if (j >= 10)
+    {
+    addr->message = string_sprintf("existence of %s%s unclear\n", path,
+      mdir);
+    addr->basic_errno = errno;
+    addr->special_action = SPECIAL_FREEZE;
+    return FALSE;
+    }
+
+  /* First time through the directories loop, cd to the main directory */
+
+  if (i == 0 && Uchdir(path) != 0)
+    {
+    addr->message = string_sprintf ("cannot chdir to %s", path);
+    addr->basic_errno = errno;
+    return FALSE;
+    }
+  }
+
+/* If the basic path matches maildirfolder_create_regex, we are dealing with
+a subfolder, and should ensure that a maildirfolder file exists. */
+
+if (maildirfolder_create_regex)
+  {
+  int err;
+  PCRE2_SIZE offset;
+  const pcre2_code * re;
+
+  DEBUG(D_transport) debug_printf("checking for maildirfolder requirement\n");
+
+  if (!(re = pcre2_compile((PCRE2_SPTR)maildirfolder_create_regex,
+	      PCRE2_ZERO_TERMINATED, PCRE_COPT, &err, &offset, pcre_cmp_ctx)))
+    {
+    uschar errbuf[128];
+    pcre2_get_error_message(err, errbuf, sizeof(errbuf));
+    addr->message = string_sprintf("appendfile: regular expression "
+      "error: %s at offset %ld while compiling %s", errbuf, (long)offset,
+      maildirfolder_create_regex);
+    return FALSE;
+    }
+
+  if (regex_match(re, path, -1, NULL))
+    {
+    uschar *fname = string_sprintf("%s/maildirfolder", path);
+    if (Ustat(fname, &statbuf) == 0)
+      {
+      DEBUG(D_transport) debug_printf("maildirfolder already exists\n");
+      }
+    else
+      {
+      int fd = Uopen(fname, O_WRONLY|O_APPEND|O_CREAT, 0600);
+      if (fd < 0)
+        {
+        addr->message = string_sprintf("appendfile: failed to create "
+          "maildirfolder file in %s directory: %s", path, strerror(errno));
+        return FALSE;
+        }
+      (void)close(fd);
+      DEBUG(D_transport) debug_printf("created maildirfolder file\n");
+      }
+    }
+  else
+    {
+    DEBUG(D_transport) debug_printf("maildirfolder file not required\n");
+    }
+  }
+
+return TRUE;   /* Everything exists that should exist */
+}
+
+
+
+
+/*************************************************
+*       Update maildirsizefile for new file      *
+*************************************************/
+
+/* This function is called to add a new line to the file, recording the length
+of the newly added message. There isn't much we can do on failure...
+
+Arguments:
+  fd           the open file descriptor
+  size         the size of the message
+
+Returns:       nothing
+*/
+
+void
+maildir_record_length(int fd, int size)
+{
+int len;
+uschar buffer[256];
+sprintf(CS buffer, "%d 1\n", size);
+len = Ustrlen(buffer);
+if (lseek(fd, 0, SEEK_END) >= 0)
+  {
+  len = write(fd, buffer, len);
+  DEBUG(D_transport)
+    debug_printf("added '%.*s' to maildirsize file\n", len-1, buffer);
+  }
+}
+
+
+
+/*************************************************
+*          Find the size of a maildir            *
+*************************************************/
+
+/* This function is called when we have to recalculate the size of a maildir by
+scanning all the files and directories therein. There are rules and conventions
+about which files or directories are included. We support this by the use of a
+regex to match directories that are to be included.
+
+Maildirs can only be one level deep. However, this function recurses, so it
+might cope with deeper nestings. We use the existing check_dir_size() function
+to add up the sizes of the files in a directory that contains messages.
+
+The function returns the most recent timestamp encountered. It can also be run
+in a dummy mode in which it does not scan for sizes, but just returns the
+timestamp.
+
+Arguments:
+  path            the path to the maildir
+  filecount       where to store the count of messages
+  latest          where to store the latest timestamp encountered
+  regex           a regex for getting files sizes from file names
+  dir_regex       a regex for matching directories to be included
+  timestamp_only  don't actually compute any sizes
+
+Returns:      the sum of the sizes of the messages
+*/
+
+off_t
+maildir_compute_size(uschar *path, int *filecount, time_t *latest,
+  const pcre2_code *regex, const pcre2_code *dir_regex, BOOL timestamp_only)
+{
+DIR *dir;
+off_t sum = 0;
+
+if (!(dir = exim_opendir(path)))
+  return 0;
+
+for (struct dirent *ent; ent = readdir(dir); )
+  {
+  uschar * s, * name = US ent->d_name;
+  struct stat statbuf;
+
+  if (Ustrcmp(name, ".") == 0 || Ustrcmp(name, "..") == 0) continue;
+
+  /* We are normally supplied with a regex for choosing which directories to
+  scan. We do the regex match first, because that avoids a stat() for names
+  we aren't interested in. */
+
+  if (dir_regex && !regex_match(dir_regex, name, -1, NULL))
+    {
+    DEBUG(D_transport)
+      debug_printf("skipping %s/%s: dir_regex does not match\n", path, name);
+    continue;
+    }
+
+  /* The name is OK; stat it. */
+
+  s = string_sprintf("%s/%s", path, name);
+  if (Ustat(s, &statbuf) < 0)
+    {
+    DEBUG(D_transport)
+      debug_printf("maildir_compute_size: stat error %d for %s: %s\n", errno,
+        s, strerror(errno));
+    continue;
+    }
+
+  if ((statbuf.st_mode & S_IFMT) != S_IFDIR)
+    {
+    DEBUG(D_transport)
+      debug_printf("skipping %s/%s: not a directory\n", s, name);
+    continue;
+    }
+
+  /* Keep the latest timestamp encountered */
+
+  if (statbuf.st_mtime > *latest) *latest = statbuf.st_mtime;
+
+  /* If this is a maildir folder, call this function recursively. */
+
+  if (name[0] == '.')
+    sum += maildir_compute_size(s, filecount, latest, regex, dir_regex,
+      timestamp_only);
+
+  /* Otherwise it must be a folder that contains messages (e.g. new or cur), so
+  we need to get its size, unless all we are interested in is the timestamp. */
+
+  else if (!timestamp_only)
+    sum += check_dir_size(s, filecount, regex);
+  }
+
+closedir(dir);
+DEBUG(D_transport)
+  {
+  if (timestamp_only)
+    debug_printf("maildir_compute_size (timestamp_only): %ld\n",
+    (long int) *latest);
+  else
+    debug_printf("maildir_compute_size: path=%s\n  sum=" OFF_T_FMT
+      " filecount=%d timestamp=%ld\n",
+      path, sum, *filecount, (long int) *latest);
+  }
+return sum;
+}
+
+
+
+/*************************************************
+*        Create or update maildirsizefile        *
+*************************************************/
+
+/* This function is called before a delivery if the option to use
+maildirsizefile is enabled. Its function is to create the file if it does not
+exist, or to update it if that is necessary.
+
+The logic in this function follows the rules that are described in
+
+  http://www.inter7.com/courierimap/README.maildirquota.html
+
+Or, at least, it is supposed to!
+
+Arguments:
+  path             the path to the maildir directory; this is already backed-up
+                     to the parent if the delivery directory is a maildirfolder
+  ob               the appendfile options block
+  regex            a compiled regex for getting a file's size from its name
+  dir_regex        a compiled regex for selecting maildir directories
+  returned_size    where to return the current size of the maildir, even if
+                     the maildirsizefile is removed because of a race
+
+Returns:           >=0  a file descriptor for an open maildirsize file
+                   -1   there was an error opening or accessing the file
+                   -2   the file was removed because of a race
+*/
+
+int
+maildir_ensure_sizefile(uschar *path, appendfile_transport_options_block *ob,
+  const pcre2_code *regex, const pcre2_code *dir_regex, off_t *returned_size,
+  int *returned_filecount)
+{
+int count, fd;
+off_t cached_quota = 0;
+int cached_quota_filecount = 0;
+int filecount = 0;
+int linecount = 0;
+off_t size = 0;
+uschar *filename;
+uschar buffer[MAX_FILE_SIZE];
+uschar *ptr = buffer;
+uschar *endptr;
+
+/* Try a few times to open or create the file, in case another process is doing
+the same thing. */
+
+filename = string_sprintf("%s/maildirsize", path);
+
+DEBUG(D_transport) debug_printf("looking for maildirsize in %s\n", path);
+if ((fd = Uopen(filename, O_RDWR|O_APPEND, ob->mode ? ob->mode : 0600)) < 0)
+  {
+  if (errno != ENOENT) return -1;
+  DEBUG(D_transport)
+    debug_printf("%s does not exist: recalculating\n", filename);
+  goto RECALCULATE;
+  }
+
+/* The file has been successfully opened. Check that the cached quota value is
+still correct, and that the size of the file is still small enough. If so,
+compute the maildir size from the file. */
+
+if ((count = read(fd, buffer, sizeof(buffer))) >= sizeof(buffer))
+  {
+  DEBUG(D_transport)
+    debug_printf("maildirsize file too big (%d): recalculating\n", count);
+  goto RECALCULATE;
+  }
+buffer[count] = 0;   /* Ensure string terminated */
+
+/* Read the quota parameters from the first line of the data. */
+
+DEBUG(D_transport)
+  debug_printf("reading quota parameters from maildirsize data\n");
+
+for (;;)
+  {
+  off_t n = (off_t)Ustrtod(ptr, &endptr);
+
+  /* Only two data items are currently defined; ignore any others that
+  may be present. The spec is for a number followed by a letter. Anything
+  else we reject and recalculate. */
+
+  if (*endptr == 'S') cached_quota = n;
+    else if (*endptr == 'C') cached_quota_filecount = (int)n;
+  if (!isalpha(*endptr++))
+    {
+    DEBUG(D_transport)
+      debug_printf("quota parameter number not followed by letter in "
+        "\"%.*s\": recalculating maildirsize\n", (int)(endptr - buffer),
+        buffer);
+    goto RECALCULATE;
+    }
+  if (*endptr == '\n' || *endptr == 0) break;
+  if (*endptr++ != ',')
+    {
+    DEBUG(D_transport)
+      debug_printf("quota parameter not followed by comma in "
+        "\"%.*s\": recalculating maildirsize\n", (int)(endptr - buffer),
+        buffer);
+    goto RECALCULATE;
+    }
+  ptr = endptr;
+  }
+
+/* Check the cached values against the current settings */
+
+if (cached_quota != ob->quota_value ||
+    cached_quota_filecount != ob->quota_filecount_value)
+  {
+  DEBUG(D_transport)
+    debug_printf("cached quota is out of date: recalculating\n"
+      "  quota=" OFF_T_FMT " cached_quota=" OFF_T_FMT " filecount_quota=%d "
+      "cached_quota_filecount=%d\n", ob->quota_value,
+      cached_quota, ob->quota_filecount_value, cached_quota_filecount);
+  goto RECALCULATE;
+  }
+
+/* Quota values agree; parse the rest of the data to get the sizes. At this
+stage, *endptr points either to 0 or to '\n'.  */
+
+DEBUG(D_transport)
+  debug_printf("computing maildir size from maildirsize data\n");
+
+while (*endptr++ == '\n')
+  {
+  if (*endptr == 0) break;
+  linecount++;
+  ptr = endptr;
+  size += (off_t)Ustrtod(ptr, &endptr);
+  if (*endptr != ' ') break;
+  ptr = endptr + 1;
+  filecount += Ustrtol(ptr, &endptr, 10);
+  }
+
+/* If *endptr is zero, we have successfully parsed the file, and we now have
+the size of the mailbox as cached in the file. The "rules" say that if this
+value indicates that the mailbox is over quota, we must recalculate if there is
+more than one entry in the file, or if the file is older than 15 minutes. Also,
+just in case there are weird values in the file, recalculate if either of the
+values is negative. */
+
+if (*endptr == 0)
+  {
+  if (size < 0 || filecount < 0)
+    {
+    DEBUG(D_transport) debug_printf("negative value in maildirsize "
+      "(size=" OFF_T_FMT " count=%d): recalculating\n", size, filecount);
+    goto RECALCULATE;
+    }
+
+  if (ob->quota_value > 0 &&
+      (size + (ob->quota_is_inclusive? message_size : 0) > ob->quota_value ||
+        (ob->quota_filecount_value > 0 &&
+          filecount + (ob->quota_is_inclusive ? 1:0) >
+            ob->quota_filecount_value)
+      ))
+    {
+    struct stat statbuf;
+    if (linecount > 1)
+      {
+      DEBUG(D_transport) debug_printf("over quota and maildirsize has "
+        "more than 1 entry: recalculating\n");
+      goto RECALCULATE;
+      }
+
+    if (fstat(fd, &statbuf) < 0) goto RECALCULATE;  /* Should never occur */
+
+    if (time(NULL) - statbuf.st_mtime > 15*60)
+      {
+      DEBUG(D_transport) debug_printf("over quota and maildirsize is older "
+        "than 15 minutes: recalculating\n");
+      goto RECALCULATE;
+      }
+    }
+  }
+
+
+/* If *endptr is not zero, there was a syntax error in the file. */
+
+else
+  {
+  int len;
+  time_t old_latest, new_latest;
+  uschar *tempname;
+  struct timeval tv;
+
+  DEBUG(D_transport)
+    {
+    uschar *p = endptr;
+    while (p > buffer && p[-1] != '\n') p--;
+    endptr[1] = 0;
+
+    debug_printf("error in maildirsizefile: unexpected character %d in "
+      "line %d (starting '%s'): recalculating\n",
+      *endptr, linecount + 1, string_printing(p));
+    }
+
+  /* Either there is no file, or the quota value has changed, or the file has
+  got too big, or there was some format error in the file. Recalculate the size
+  and write new contents to a temporary file; then rename it. After any
+  error, just return -1 as the file descriptor. */
+
+  RECALCULATE:
+
+  if (fd >= 0) (void)close(fd);
+  old_latest = 0;
+  filecount = 0;
+  size = maildir_compute_size(path, &filecount, &old_latest, regex, dir_regex,
+    FALSE);
+
+  (void)gettimeofday(&tv, NULL);
+  tempname = string_sprintf("%s/tmp/" TIME_T_FMT ".H%luP%lu.%s",
+    path, tv.tv_sec, tv.tv_usec, (long unsigned) getpid(), primary_hostname);
+
+  fd = Uopen(tempname, O_RDWR|O_CREAT|O_EXCL, ob->mode ? ob->mode : 0600);
+  if (fd >= 0)
+    {
+    (void)sprintf(CS buffer, OFF_T_FMT "S,%dC\n" OFF_T_FMT " %d\n",
+      ob->quota_value, ob->quota_filecount_value, size, filecount);
+    len = Ustrlen(buffer);
+    if (write(fd, buffer, len) != len || Urename(tempname, filename) < 0)
+      {
+      (void)close(fd);
+      fd = -1;
+      }
+    }
+
+  /* If any of the directories have been modified since the last timestamp we
+  saw, we have to junk this maildirsize file. */
+
+  DEBUG(D_transport) debug_printf("checking subdirectory timestamps\n");
+  new_latest = 0;
+  (void)maildir_compute_size(path, NULL, &new_latest , NULL, dir_regex, TRUE);
+  if (new_latest > old_latest)
+    {
+    DEBUG(D_transport) debug_printf("abandoning maildirsize because of "
+      "a later subdirectory modification\n");
+    (void)Uunlink(filename);
+    (void)close(fd);
+    fd = -2;
+    }
+  }
+
+/* Return the sizes and the file descriptor, if any */
+
+DEBUG(D_transport) debug_printf("returning maildir size=" OFF_T_FMT
+  " filecount=%d\n", size, filecount);
+*returned_size = size;
+*returned_filecount = filecount;
+return fd;
+}
+
+/* End of tf_maildir.c */
diff --git a/src/transports/tf_maildir.h b/src/transports/tf_maildir.h
new file mode 100644
index 0000000..b3707b1
--- /dev/null
+++ b/src/transports/tf_maildir.h
@@ -0,0 +1,21 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) The Exim Maintainers 2021 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Header file for the functions that are used to support the use of
+maildirsize files for quota handling in maildir directories. */
+
+extern off_t  maildir_compute_size(uschar *, int *, time_t *, const pcre2_code *,
+                const pcre2_code *, BOOL);
+extern BOOL   maildir_ensure_directories(uschar *, address_item *, BOOL, int,
+                uschar *);
+extern int    maildir_ensure_sizefile(uschar *,
+                appendfile_transport_options_block *, const pcre2_code *,
+                const pcre2_code *, off_t *, int *);
+extern void   maildir_record_length(int, int);
+
+/* End of tf_maildir.h */
diff --git a/src/tree.c b/src/tree.c
new file mode 100644
index 0000000..bb8ad44
--- /dev/null
+++ b/src/tree.c
@@ -0,0 +1,393 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions for maintaining binary balanced trees and some associated
+functions as well. */
+
+
+#include "exim.h"
+
+
+
+
+/*************************************************
+*        Add entry to non-recipients tree        *
+*************************************************/
+
+/* Duplicates are just discarded.
+
+Arguments:
+  s       string to add
+
+Returns:  nothing
+*/
+
+void
+tree_add_nonrecipient(const uschar *s)
+{
+rmark rpoint = store_mark();
+tree_node * node = store_get(sizeof(tree_node) + Ustrlen(s), s);
+Ustrcpy(node->name, s);
+node->data.ptr = NULL;
+if (!tree_insertnode(&tree_nonrecipients, node)) store_reset(rpoint);
+}
+
+
+
+/*************************************************
+*        Add entry to duplicates tree            *
+*************************************************/
+
+/* Duplicates are just discarded.
+
+Argument:
+  s       string to add
+  addr    the address is is a duplicate of
+
+Returns:  nothing
+*/
+
+void
+tree_add_duplicate(const uschar *s, address_item *addr)
+{
+rmark rpoint = store_mark();
+tree_node * node = store_get(sizeof(tree_node) + Ustrlen(s), s);
+Ustrcpy(node->name, s);
+node->data.ptr = addr;
+if (!tree_insertnode(&tree_duplicates, node)) store_reset(rpoint);
+}
+
+
+
+/*************************************************
+*    Add entry to unusable addresses tree        *
+*************************************************/
+
+/* Duplicates are simply discarded.
+
+Argument:    the host item
+Returns:     nothing
+*/
+
+void
+tree_add_unusable(const host_item *h)
+{
+rmark rpoint = store_mark();
+tree_node *node;
+uschar s[256];
+sprintf(CS s, "T:%.200s:%s", h->name, h->address);
+node = store_get(sizeof(tree_node) + Ustrlen(s),
+	    is_tainted(h->name) || is_tainted(h->address) ? GET_TAINTED : GET_UNTAINTED);
+Ustrcpy(node->name, s);
+node->data.val = h->why;
+if (h->status == hstatus_unusable_expired) node->data.val += 256;
+if (!tree_insertnode(&tree_unusable, node)) store_reset(rpoint);
+}
+
+
+
+/*************************************************
+*        Write a tree in re-readable form        *
+*************************************************/
+
+/* This function writes out a tree in a form in which it can
+easily be re-read. It is used for writing out the non-recipients
+tree onto the spool, for retrieval at the next retry time.
+
+The format is as follows:
+
+   . If the tree is empty, write one line containing XX.
+
+   . Otherwise, each node is written, preceded by two letters
+     (Y/N) indicating whether it has left or right children.
+
+   . The left subtree (if any) then follows, then the right subtree.
+
+First, there's an internal recursive subroutine.
+
+Arguments:
+  p          current node
+  f          FILE to write to
+
+Returns:     nothing
+*/
+
+static void
+write_tree(tree_node *p, FILE *f)
+{
+fprintf(f, "%c%c %s\n",
+  (p->left == NULL)? 'N':'Y', (p->right == NULL)? 'N':'Y', p->name);
+if (p->left != NULL) write_tree(p->left, f);
+if (p->right != NULL) write_tree(p->right, f);
+}
+
+/* This is the top-level function, with the same arguments. */
+
+void
+tree_write(tree_node *p, FILE *f)
+{
+if (p == NULL)
+  {
+  fprintf(f, "XX\n");
+  return;
+  }
+write_tree(p, f);
+}
+
+
+
+
+
+/***********************************************************
+*          Binary Balanced Tree Management Routines        *
+***********************************************************/
+
+/* This set of routines maintains a balanced binary tree using
+the algorithm given in Knuth Vol 3 page 455.
+
+The routines make use of uschar * pointers as byte pointers,
+so as to be able to do arithmetic on them, since ANSI Standard
+C does not permit additions and subtractions on void pointers. */
+
+
+/*************************************************
+*              Flags and Parameters              *
+*************************************************/
+
+#define tree_lbal      1         /* left subtree is longer */
+#define tree_rbal      2         /* right subtree is longer */
+#define tree_bmask     3         /* mask for flipping bits */
+
+
+/*************************************************
+*         Insert a new node into a tree          *
+*************************************************/
+
+/* The node->name field must (obviously) be set, but the other
+fields need not be initialized.
+
+Arguments:
+  treebase   pointer to the root of the tree
+  node       the note to insert, with name field set
+
+Returns:     TRUE if node inserted; FALSE if not (duplicate)
+*/
+
+int
+tree_insertnode(tree_node **treebase, tree_node *node)
+{
+tree_node *p = *treebase;
+tree_node **q, *r, *s, **t;
+int a;
+
+node->left = node->right = NULL;
+node->balance = 0;
+
+/* Deal with an empty tree */
+
+if (p == NULL)
+  {
+  *treebase = node;
+  return TRUE;
+  }
+
+/* The tree is not empty. While finding the insertion point,
+q points to the pointer to p, and t points to the pointer to
+the potential re-balancing point. */
+
+q = treebase;
+t = q;
+
+/* Loop to search tree for place to insert new node */
+
+for (;;)
+  {
+  int c = Ustrcmp(node->name, p->name);
+  if (c == 0) return FALSE;              /* Duplicate node encountered */
+
+  /* Deal with climbing down the tree, exiting from the loop
+  when we reach a leaf. */
+
+  q = (c > 0)? &(p->right) : &(p->left);
+  p = *q;
+  if (p == NULL) break;
+
+  /* Save the address of the pointer to the last node en route
+  which has a non-zero balance factor. */
+
+  if (p->balance != 0) t = q;
+  }
+
+/* When the above loop completes, q points to the pointer to NULL;
+that is the place at which the new node must be inserted. */
+
+*q = node;
+
+/* Set up s as the potential re-balancing point, and r as the
+next node after it along the route. */
+
+s = *t;
+r = (Ustrcmp(node->name, s->name) > 0)? s->right : s->left;
+
+/* Adjust balance factors along the route from s to node. */
+
+p = r;
+
+while (p != node)
+  {
+  if (Ustrcmp(node->name, p->name) < 0)
+    {
+    p->balance = tree_lbal;
+    p = p->left;
+    }
+  else
+    {
+    p->balance = tree_rbal;
+    p = p->right;
+    }
+  }
+
+/* Now the World-Famous Balancing Act */
+
+a = (Ustrcmp(node->name, s->name) < 0)? tree_lbal : tree_rbal;
+
+if (s->balance == 0) s->balance = (uschar)a;        /* The tree has grown higher */
+  else if (s->balance != (uschar)a) s->balance = 0; /* It's become more balanced */
+else                                              /* It's got out of balance */
+  {
+  /* Perform a single rotation */
+
+  if (r->balance == (uschar)a)
+    {
+    p = r;
+    if (a == tree_rbal)
+      {
+      s->right = r->left;
+      r->left = s;
+      }
+    else
+      {
+      s->left = r->right;
+      r->right = s;
+      }
+    s->balance = 0;
+    r->balance = 0;
+    }
+
+  /* Perform a double rotation There was an occasion when the balancing
+  factors were screwed up by a bug in the code that reads a tree from
+  the spool. In case this ever happens again, check for changing p to NULL
+  and don't do it. It is better to have an unbalanced tree than a crash. */
+
+  else
+    {
+    if (a == tree_rbal)
+      {
+      if (r->left == NULL) return TRUE;   /* Bail out if tree corrupt */
+      p = r->left;
+      r->left = p->right;
+      p->right = r;
+      s->right = p->left;
+      p->left = s;
+      }
+    else
+      {
+      if (r->right == NULL) return TRUE;  /* Bail out if tree corrupt */
+      p = r->right;
+      r->right = p->left;
+      p->left = r;
+      s->left = p->right;
+      p->right = s;
+      }
+
+    s->balance = (p->balance == (uschar)a)? (uschar)(a^tree_bmask) : 0;
+    r->balance = (p->balance == (uschar)(a^tree_bmask))? (uschar)a : 0;
+    p->balance = 0;
+    }
+
+  /* Finishing touch */
+
+  *t = p;
+  }
+
+return TRUE;     /* Successful insertion */
+}
+
+
+
+/*************************************************
+*          Search tree for node by name          *
+*************************************************/
+
+/*
+Arguments:
+  p         root of tree
+  name      key to search for
+
+Returns:    pointer to node, or NULL if not found
+*/
+
+tree_node *
+tree_search(tree_node *p, const uschar *name)
+{
+while (p)
+  {
+  int c = Ustrcmp(name, p->name);
+  if (c == 0) return p;
+  p = c < 0 ? p->left : p->right;
+  }
+return NULL;
+}
+
+
+
+/*************************************************
+*   Walk tree recursively and execute function   *
+*************************************************/
+
+/*
+Arguments:
+  p       root of the tree
+  f       function to execute for each name-value-pair
+  ctx     context data for f
+*/
+
+void
+tree_walk(tree_node *p, void (*f)(uschar*, uschar*, void*), void *ctx)
+{
+if (!p) return;
+f(p->name, p->data.ptr, ctx);
+tree_walk(p->left, f, ctx);
+tree_walk(p->right, f, ctx);
+}
+
+
+
+/* Add a node to a tree, ignoring possibility of duplicates */
+
+static void
+tree_add_var(uschar * name, uschar * val, void * ctx)
+{
+tree_node ** root = ctx;
+tree_node * node = store_get(sizeof(tree_node) + Ustrlen(name), name);
+Ustrcpy(node->name, name);
+node->data.ptr = val;
+(void) tree_insertnode(root, node);
+}
+
+/* Duplicate a tree */
+
+void
+tree_dup(tree_node ** dstp, tree_node * src)
+{
+tree_walk(src, tree_add_var, dstp);
+}
+
+
+
+/* End of tree.c */
diff --git a/src/utf8.c b/src/utf8.c
new file mode 100644
index 0000000..bc7adb8
--- /dev/null
+++ b/src/utf8.c
@@ -0,0 +1,278 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) Jeremy Harris 2015 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "exim.h"
+
+#ifdef SUPPORT_I18N
+
+#ifdef SUPPORT_I18N_2008
+# include <idn2.h>
+#else
+# include <idna.h>
+#endif
+
+#include <punycode.h>
+#include <stringprep.h>
+
+static uschar *
+string_localpart_alabel_to_utf8_(const uschar * alabel, uschar ** err);
+
+/**************************************************/
+
+BOOL
+string_is_utf8(const uschar * s)
+{
+uschar c;
+if (s) while ((c = *s++)) if (c & 0x80) return TRUE;
+return FALSE;
+}
+
+static BOOL
+string_is_alabel(const uschar * s)
+{
+return s[0] == 'x' && s[1] == 'n' && s[2] == '-' && s[3] == '-';
+}
+
+/**************************************************/
+/* Domain conversions.
+The *err string pointer should be null before the call
+
+Return NULL for error, with optional errstr pointer filled in
+*/
+
+uschar *
+string_domain_utf8_to_alabel(const uschar * utf8, uschar ** err)
+{
+uschar * s1, * s;
+int rc;
+
+#ifdef SUPPORT_I18N_2008
+/* Avoid lowercasing plain-ascii domains */
+if (!string_is_utf8(utf8))
+  return string_copy(utf8);
+
+/* Only lowercase is accepted by the library call.  A pity since we lose
+any mixed-case annotation.  This does not really matter for a domain. */
+  {
+  uschar c;
+  for (s1 = s = US utf8; (c = *s1); s1++) if (!(c & 0x80) && isupper(c))
+    {
+    s = string_copy(utf8);
+    for (s1 = s + (s1 - utf8); (c = *s1); s1++) if (!(c & 0x80) && isupper(c))
+      *s1 = tolower(c);
+    break;
+    }
+  }
+if ((rc = idn2_lookup_u8((const uint8_t *) s, &s1, IDN2_NFC_INPUT)) != IDN2_OK)
+  {
+  if (err) *err = US idn2_strerror(rc);
+  return NULL;
+  }
+#else
+s = US stringprep_utf8_nfkc_normalize(CCS utf8, -1);
+if (  (rc = idna_to_ascii_8z(CCS s, CSS &s1, IDNA_ALLOW_UNASSIGNED))
+   != IDNA_SUCCESS)
+  {
+  free(s);
+  if (err) *err = US idna_strerror(rc);
+  return NULL;
+  }
+free(s);
+#endif
+s = string_copy(s1);
+free(s1);
+return s;
+}
+
+
+
+uschar *
+string_domain_alabel_to_utf8(const uschar * alabel, uschar ** err)
+{
+#ifdef SUPPORT_I18N_2008
+const uschar * label;
+int sep = '.';
+gstring * g = NULL;
+
+while (label = string_nextinlist(&alabel, &sep, NULL, 0))
+  if (  string_is_alabel(label)
+     && !(label = string_localpart_alabel_to_utf8_(label, err))
+     )
+    return NULL;
+  else
+    g = string_append_listele(g, '.', label);
+return string_from_gstring(g);
+
+#else
+
+uschar * s1, * s;
+int rc;
+
+if (  (rc = idna_to_unicode_8z8z(CCS alabel, CSS &s1, IDNA_USE_STD3_ASCII_RULES))
+   != IDNA_SUCCESS)
+  {
+  if (err) *err = US idna_strerror(rc);
+  return NULL;
+  }
+s = string_copy(s1);
+free(s1);
+return s;
+#endif
+}
+
+/**************************************************/
+/* localpart conversions */
+/* the *err string pointer should be null before the call */
+
+
+uschar *
+string_localpart_utf8_to_alabel(const uschar * utf8, uschar ** err)
+{
+size_t ucs4_len = 0;
+punycode_uint * p;
+size_t p_len;
+uschar * res;
+int rc;
+
+if (!string_is_utf8(utf8)) return string_copy(utf8);
+
+p = (punycode_uint *) stringprep_utf8_to_ucs4(CCS utf8, -1, &ucs4_len);
+if (!p || !ucs4_len)
+  {
+  if (err) *err = US"l_u2a: bad UTF-8 input";
+  return NULL;
+  }
+p_len = ucs4_len*4;	/* this multiplier is pure guesswork */
+res = store_get(p_len+5, utf8);
+
+res[0] = 'x'; res[1] = 'n'; res[2] = res[3] = '-';
+
+if ((rc = punycode_encode(ucs4_len, p, NULL, &p_len, CS res+4)) != PUNYCODE_SUCCESS)
+  {
+  DEBUG(D_expand) debug_printf("l_u2a: bad '%s'\n", punycode_strerror(rc));
+  free(p);
+  if (err) *err = US punycode_strerror(rc);
+  return NULL;
+  }
+p_len += 4;
+free(p);
+res[p_len] = '\0';
+return res;
+}
+
+
+static uschar *
+string_localpart_alabel_to_utf8_(const uschar * alabel, uschar ** err)
+{
+size_t p_len;
+punycode_uint * p;
+int rc;
+uschar * s, * res;
+
+DEBUG(D_expand) debug_printf("l_a2u: '%s'\n", alabel);
+alabel += 4;
+p_len = Ustrlen(alabel);
+p = store_get((p_len+1) * sizeof(*p), alabel);
+
+if ((rc = punycode_decode(p_len, CCS alabel, &p_len, p, NULL)) != PUNYCODE_SUCCESS)
+  {
+  if (err) *err = US punycode_strerror(rc);
+  return NULL;
+  }
+
+s = US stringprep_ucs4_to_utf8(p, p_len, NULL, &p_len);
+res = string_copyn(s, p_len);
+free(s);
+return res;
+}
+
+
+uschar *
+string_localpart_alabel_to_utf8(const uschar * alabel, uschar ** err)
+{
+if (string_is_alabel(alabel))
+  return string_localpart_alabel_to_utf8_(alabel, err);
+
+if (err) *err = US"bad alabel prefix";
+return NULL;
+}
+
+
+/**************************************************/
+/* Whole address conversion.
+The *err string pointer should be null before the call.
+
+Return NULL on error, with (optional) errstring pointer filled in
+*/
+
+uschar *
+string_address_utf8_to_alabel(const uschar * utf8, uschar ** err)
+{
+uschar * l, * d;
+
+if (!*utf8) return string_copy(utf8);
+
+DEBUG(D_expand) debug_printf("addr from utf8 <%s>", utf8);
+
+for (const uschar * s = utf8; *s; s++)
+  if (*s == '@')
+    {
+    l = string_copyn(utf8, s - utf8);
+    if (  !(l = string_localpart_utf8_to_alabel(l, err))
+       || !(d = string_domain_utf8_to_alabel(++s, err))
+       )
+      return NULL;
+    l = string_sprintf("%s@%s", l, d);
+    DEBUG(D_expand) debug_printf(" -> <%s>\n", l);
+    return l;
+    }
+
+l =  string_localpart_utf8_to_alabel(utf8, err);
+DEBUG(D_expand) debug_printf(" -> <%s>\n", l);
+return l;
+}
+
+
+
+/*************************************************
+*         Report the library versions.           *
+*************************************************/
+
+/* See a description in tls-openssl.c for an explanation of why this exists.
+
+Arguments:   string to append to
+Returns:     string
+*/
+
+gstring *
+utf8_version_report(gstring * g)
+{
+#ifdef SUPPORT_I18N_2008
+g = string_fmt_append(g, "Library version: IDN2: Compile: %s\n"
+           "                       Runtime: %s\n",
+	IDN2_VERSION,
+	idn2_check_version(NULL));
+g = string_fmt_append(g, "Library version: Stringprep: Compile: %s\n"
+           "                             Runtime: %s\n",
+	STRINGPREP_VERSION,
+	stringprep_check_version(NULL));
+#else
+g = string_fmt_append(g, "Library version: IDN: Compile: %s\n"
+           "                      Runtime: %s\n",
+	STRINGPREP_VERSION,
+	stringprep_check_version(NULL));
+#endif
+return g;
+}
+
+#endif	/* whole file */
+
+/* vi: aw ai sw=2
+*/
+/* End of utf8.c */
diff --git a/src/valgrind.h b/src/valgrind.h
new file mode 100644
index 0000000..01c49da
--- /dev/null
+++ b/src/valgrind.h
@@ -0,0 +1,4797 @@
+/* -*- c -*-
+   ----------------------------------------------------------------
+
+   Notice that the following BSD-style license applies to this one
+   file (valgrind.h) only.  The rest of Valgrind is licensed under the
+   terms of the GNU General Public License, version 2, unless
+   otherwise indicated.  See the COPYING file in the source
+   distribution for details.
+
+   ----------------------------------------------------------------
+
+   This file is part of Valgrind, a dynamic binary instrumentation
+   framework.
+
+   Copyright (C) 2000-2010 Julian Seward.  All rights reserved.
+
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+
+   2. The origin of this software must not be misrepresented; you must
+      not claim that you wrote the original software.  If you use this
+      software in a product, an acknowledgment in the product
+      documentation would be appreciated but is not required.
+
+   3. Altered source versions must be plainly marked as such, and must
+      not be misrepresented as being the original software.
+
+   4. The name of the author may not be used to endorse or promote
+      products derived from this software without specific prior written
+      permission.
+
+   THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
+   OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+   ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+   DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+   DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+   GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+   INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+   WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+   NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+   SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+   ----------------------------------------------------------------
+
+   Notice that the above BSD-style license applies to this one file
+   (valgrind.h) only.  The entire rest of Valgrind is licensed under
+   the terms of the GNU General Public License, version 2.  See the
+   COPYING file in the source distribution for details.
+
+   ----------------------------------------------------------------
+*/
+
+
+/* This file is for inclusion into client (your!) code.
+
+   You can use these macros to manipulate and query Valgrind's
+   execution inside your own programs.
+
+   The resulting executables will still run without Valgrind, just a
+   little bit more slowly than they otherwise would, but otherwise
+   unchanged.  When not running on valgrind, each client request
+   consumes very few (eg. 7) instructions, so the resulting performance
+   loss is negligible unless you plan to execute client requests
+   millions of times per second.  Nevertheless, if that is still a
+   problem, you can compile with the NVALGRIND symbol defined (gcc
+   -DNVALGRIND) so that client requests are not even compiled in.  */
+
+#ifndef __VALGRIND_H
+#define __VALGRIND_H
+
+
+/* ------------------------------------------------------------------ */
+/* VERSION NUMBER OF VALGRIND                                         */
+/* ------------------------------------------------------------------ */
+
+/* Specify Valgrind's version number, so that user code can
+   conditionally compile based on our version number.  Note that these
+   were introduced at version 3.6 and so do not exist in version 3.5
+   or earlier.  The recommended way to use them to check for "version
+   X.Y or later" is (eg)
+
+#if defined(__VALGRIND_MAJOR__) && defined(__VALGRIND_MINOR__)   \
+    && (__VALGRIND_MAJOR__ > 3                                   \
+        || (__VALGRIND_MAJOR__ == 3 && __VALGRIND_MINOR__ >= 6))
+*/
+#define __VALGRIND_MAJOR__    3
+#define __VALGRIND_MINOR__    6
+
+
+#include <stdarg.h>
+
+/* Nb: this file might be included in a file compiled with -ansi.  So
+   we can't use C++ style "//" comments nor the "asm" keyword (instead
+   use "__asm__"). */
+
+/* Derive some tags indicating what the target platform is.  Note
+   that in this file we're using the compiler's CPP symbols for
+   identifying architectures, which are different to the ones we use
+   within the rest of Valgrind.  Note, __powerpc__ is active for both
+   32 and 64-bit PPC, whereas __powerpc64__ is only active for the
+   latter (on Linux, that is).
+
+   Misc note: how to find out what's predefined in gcc by default:
+   gcc -Wp,-dM somefile.c
+*/
+#undef PLAT_ppc64_aix5
+#undef PLAT_ppc32_aix5
+#undef PLAT_x86_darwin
+#undef PLAT_amd64_darwin
+#undef PLAT_x86_win32
+#undef PLAT_x86_linux
+#undef PLAT_amd64_linux
+#undef PLAT_ppc32_linux
+#undef PLAT_ppc64_linux
+#undef PLAT_arm_linux
+
+#if defined(_AIX) && defined(__64BIT__)
+#  define PLAT_ppc64_aix5 1
+#elif defined(_AIX) && !defined(__64BIT__)
+#  define PLAT_ppc32_aix5 1
+#elif defined(__APPLE__) && defined(__i386__)
+#  define PLAT_x86_darwin 1
+#elif defined(__APPLE__) && defined(__x86_64__)
+#  define PLAT_amd64_darwin 1
+#elif defined(__MINGW32__) || defined(__CYGWIN32__) || defined(_WIN32) && defined(_M_IX86)
+#  define PLAT_x86_win32 1
+#elif defined(__linux__) && defined(__i386__)
+#  define PLAT_x86_linux 1
+#elif defined(__linux__) && defined(__x86_64__)
+#  define PLAT_amd64_linux 1
+#elif defined(__linux__) && defined(__powerpc__) && !defined(__powerpc64__)
+#  define PLAT_ppc32_linux 1
+#elif defined(__linux__) && defined(__powerpc__) && defined(__powerpc64__)
+#  define PLAT_ppc64_linux 1
+#elif defined(__linux__) && defined(__arm__)
+#  define PLAT_arm_linux 1
+#else
+/* If we're not compiling for our target platform, don't generate
+   any inline asms.  */
+#  if !defined(NVALGRIND)
+#    define NVALGRIND 1
+#  endif
+#endif
+
+
+/* ------------------------------------------------------------------ */
+/* ARCHITECTURE SPECIFICS for SPECIAL INSTRUCTIONS.  There is nothing */
+/* in here of use to end-users -- skip to the next section.           */
+/* ------------------------------------------------------------------ */
+
+#if defined(NVALGRIND)
+
+/* Define NVALGRIND to completely remove the Valgrind magic sequence
+   from the compiled code (analogous to NDEBUG's effects on
+   assert()) */
+#define VALGRIND_DO_CLIENT_REQUEST(                               \
+        _zzq_rlval, _zzq_default, _zzq_request,                   \
+        _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5)    \
+   {                                                              \
+      (_zzq_rlval) = (_zzq_default);                              \
+   }
+
+#else  /* ! NVALGRIND */
+
+/* The following defines the magic code sequences which the JITter
+   spots and handles magically.  Don't look too closely at them as
+   they will rot your brain.
+
+   The assembly code sequences for all architectures is in this one
+   file.  This is because this file must be stand-alone, and we don't
+   want to have multiple files.
+
+   For VALGRIND_DO_CLIENT_REQUEST, we must ensure that the default
+   value gets put in the return slot, so that everything works when
+   this is executed not under Valgrind.  Args are passed in a memory
+   block, and so there's no intrinsic limit to the number that could
+   be passed, but it's currently five.
+
+   The macro args are:
+      _zzq_rlval    result lvalue
+      _zzq_default  default value (result returned when running on real CPU)
+      _zzq_request  request code
+      _zzq_arg1..5  request params
+
+   The other two macros are used to support function wrapping, and are
+   a lot simpler.  VALGRIND_GET_NR_CONTEXT returns the value of the
+   guest's NRADDR pseudo-register and whatever other information is
+   needed to safely run the call original from the wrapper: on
+   ppc64-linux, the R2 value at the divert point is also needed.  This
+   information is abstracted into a user-visible type, OrigFn.
+
+   VALGRIND_CALL_NOREDIR_* behaves the same as the following on the
+   guest, but guarantees that the branch instruction will not be
+   redirected: x86: call *%eax, amd64: call *%rax, ppc32/ppc64:
+   branch-and-link-to-r11.  VALGRIND_CALL_NOREDIR is just text, not a
+   complete inline asm, since it needs to be combined with more magic
+   inline asm stuff to be useful.
+*/
+
+/* ------------------------- x86-{linux,darwin} ---------------- */
+
+#if defined(PLAT_x86_linux)  ||  defined(PLAT_x86_darwin)  \
+    ||  (defined(PLAT_x86_win32) && defined(__GNUC__))
+
+typedef
+   struct {
+      unsigned int nraddr; /* where's the code? */
+   }
+   OrigFn;
+
+#define __SPECIAL_INSTRUCTION_PREAMBLE                            \
+                     "roll $3,  %%edi ; roll $13, %%edi\n\t"      \
+                     "roll $29, %%edi ; roll $19, %%edi\n\t"
+
+#define VALGRIND_DO_CLIENT_REQUEST(                               \
+        _zzq_rlval, _zzq_default, _zzq_request,                   \
+        _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5)    \
+  { volatile unsigned int _zzq_args[6];                           \
+    volatile unsigned int _zzq_result;                            \
+    _zzq_args[0] = (unsigned int)(_zzq_request);                  \
+    _zzq_args[1] = (unsigned int)(_zzq_arg1);                     \
+    _zzq_args[2] = (unsigned int)(_zzq_arg2);                     \
+    _zzq_args[3] = (unsigned int)(_zzq_arg3);                     \
+    _zzq_args[4] = (unsigned int)(_zzq_arg4);                     \
+    _zzq_args[5] = (unsigned int)(_zzq_arg5);                     \
+    __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %EDX = client_request ( %EAX ) */         \
+                     "xchgl %%ebx,%%ebx"                          \
+                     : "=d" (_zzq_result)                         \
+                     : "a" (&_zzq_args[0]), "0" (_zzq_default)    \
+                     : "cc", "memory"                             \
+                    );                                            \
+    _zzq_rlval = _zzq_result;                                     \
+  }
+
+#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval)                       \
+  { volatile OrigFn* _zzq_orig = &(_zzq_rlval);                   \
+    volatile unsigned int __addr;                                 \
+    __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %EAX = guest_NRADDR */                    \
+                     "xchgl %%ecx,%%ecx"                          \
+                     : "=a" (__addr)                              \
+                     :                                            \
+                     : "cc", "memory"                             \
+                    );                                            \
+    _zzq_orig->nraddr = __addr;                                   \
+  }
+
+#define VALGRIND_CALL_NOREDIR_EAX                                 \
+                     __SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* call-noredir *%EAX */                     \
+                     "xchgl %%edx,%%edx\n\t"
+#endif /* PLAT_x86_linux || PLAT_x86_darwin || (PLAT_x86_win32 && __GNUC__) */
+
+/* ------------------------- x86-Win32 ------------------------- */
+
+#if defined(PLAT_x86_win32) && !defined(__GNUC__)
+
+typedef
+   struct {
+      unsigned int nraddr; /* where's the code? */
+   }
+   OrigFn;
+
+#if defined(_MSC_VER)
+
+#define __SPECIAL_INSTRUCTION_PREAMBLE                            \
+                     __asm rol edi, 3  __asm rol edi, 13          \
+                     __asm rol edi, 29 __asm rol edi, 19
+
+#define VALGRIND_DO_CLIENT_REQUEST(                               \
+        _zzq_rlval, _zzq_default, _zzq_request,                   \
+        _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5)    \
+  { volatile uintptr_t _zzq_args[6];                              \
+    volatile unsigned int _zzq_result;                            \
+    _zzq_args[0] = (uintptr_t)(_zzq_request);                     \
+    _zzq_args[1] = (uintptr_t)(_zzq_arg1);                        \
+    _zzq_args[2] = (uintptr_t)(_zzq_arg2);                        \
+    _zzq_args[3] = (uintptr_t)(_zzq_arg3);                        \
+    _zzq_args[4] = (uintptr_t)(_zzq_arg4);                        \
+    _zzq_args[5] = (uintptr_t)(_zzq_arg5);                        \
+    __asm { __asm lea eax, _zzq_args __asm mov edx, _zzq_default  \
+            __SPECIAL_INSTRUCTION_PREAMBLE                        \
+            /* %EDX = client_request ( %EAX ) */                  \
+            __asm xchg ebx,ebx                                    \
+            __asm mov _zzq_result, edx                            \
+    }                                                             \
+    _zzq_rlval = _zzq_result;                                     \
+  }
+
+#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval)                       \
+  { volatile OrigFn* _zzq_orig = &(_zzq_rlval);                   \
+    volatile unsigned int __addr;                                 \
+    __asm { __SPECIAL_INSTRUCTION_PREAMBLE                        \
+            /* %EAX = guest_NRADDR */                             \
+            __asm xchg ecx,ecx                                    \
+            __asm mov __addr, eax                                 \
+    }                                                             \
+    _zzq_orig->nraddr = __addr;                                   \
+  }
+
+#define VALGRIND_CALL_NOREDIR_EAX ERROR
+
+#else
+#error Unsupported compiler.
+#endif
+
+#endif /* PLAT_x86_win32 */
+
+/* ------------------------ amd64-{linux,darwin} --------------- */
+
+#if defined(PLAT_amd64_linux)  ||  defined(PLAT_amd64_darwin)
+
+typedef
+   struct {
+      unsigned long long int nraddr; /* where's the code? */
+   }
+   OrigFn;
+
+#define __SPECIAL_INSTRUCTION_PREAMBLE                            \
+                     "rolq $3,  %%rdi ; rolq $13, %%rdi\n\t"      \
+                     "rolq $61, %%rdi ; rolq $51, %%rdi\n\t"
+
+#define VALGRIND_DO_CLIENT_REQUEST(                               \
+        _zzq_rlval, _zzq_default, _zzq_request,                   \
+        _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5)    \
+  { volatile unsigned long long int _zzq_args[6];                 \
+    volatile unsigned long long int _zzq_result;                  \
+    _zzq_args[0] = (unsigned long long int)(_zzq_request);        \
+    _zzq_args[1] = (unsigned long long int)(_zzq_arg1);           \
+    _zzq_args[2] = (unsigned long long int)(_zzq_arg2);           \
+    _zzq_args[3] = (unsigned long long int)(_zzq_arg3);           \
+    _zzq_args[4] = (unsigned long long int)(_zzq_arg4);           \
+    _zzq_args[5] = (unsigned long long int)(_zzq_arg5);           \
+    __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %RDX = client_request ( %RAX ) */         \
+                     "xchgq %%rbx,%%rbx"                          \
+                     : "=d" (_zzq_result)                         \
+                     : "a" (&_zzq_args[0]), "0" (_zzq_default)    \
+                     : "cc", "memory"                             \
+                    );                                            \
+    _zzq_rlval = _zzq_result;                                     \
+  }
+
+#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval)                       \
+  { volatile OrigFn* _zzq_orig = &(_zzq_rlval);                   \
+    volatile unsigned long long int __addr;                       \
+    __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %RAX = guest_NRADDR */                    \
+                     "xchgq %%rcx,%%rcx"                          \
+                     : "=a" (__addr)                              \
+                     :                                            \
+                     : "cc", "memory"                             \
+                    );                                            \
+    _zzq_orig->nraddr = __addr;                                   \
+  }
+
+#define VALGRIND_CALL_NOREDIR_RAX                                 \
+                     __SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* call-noredir *%RAX */                     \
+                     "xchgq %%rdx,%%rdx\n\t"
+#endif /* PLAT_amd64_linux || PLAT_amd64_darwin */
+
+/* ------------------------ ppc32-linux ------------------------ */
+
+#if defined(PLAT_ppc32_linux)
+
+typedef
+   struct {
+      unsigned int nraddr; /* where's the code? */
+   }
+   OrigFn;
+
+#define __SPECIAL_INSTRUCTION_PREAMBLE                            \
+                     "rlwinm 0,0,3,0,0  ; rlwinm 0,0,13,0,0\n\t"  \
+                     "rlwinm 0,0,29,0,0 ; rlwinm 0,0,19,0,0\n\t"
+
+#define VALGRIND_DO_CLIENT_REQUEST(                               \
+        _zzq_rlval, _zzq_default, _zzq_request,                   \
+        _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5)    \
+                                                                  \
+  {          unsigned int  _zzq_args[6];                          \
+             unsigned int  _zzq_result;                           \
+             unsigned int* _zzq_ptr;                              \
+    _zzq_args[0] = (unsigned int)(_zzq_request);                  \
+    _zzq_args[1] = (unsigned int)(_zzq_arg1);                     \
+    _zzq_args[2] = (unsigned int)(_zzq_arg2);                     \
+    _zzq_args[3] = (unsigned int)(_zzq_arg3);                     \
+    _zzq_args[4] = (unsigned int)(_zzq_arg4);                     \
+    _zzq_args[5] = (unsigned int)(_zzq_arg5);                     \
+    _zzq_ptr = _zzq_args;                                         \
+    __asm__ volatile("mr 3,%1\n\t" /*default*/                    \
+                     "mr 4,%2\n\t" /*ptr*/                        \
+                     __SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %R3 = client_request ( %R4 ) */           \
+                     "or 1,1,1\n\t"                               \
+                     "mr %0,3"     /*result*/                     \
+                     : "=b" (_zzq_result)                         \
+                     : "b" (_zzq_default), "b" (_zzq_ptr)         \
+                     : "cc", "memory", "r3", "r4");               \
+    _zzq_rlval = _zzq_result;                                     \
+  }
+
+#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval)                       \
+  { volatile OrigFn* _zzq_orig = &(_zzq_rlval);                   \
+    unsigned int __addr;                                          \
+    __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %R3 = guest_NRADDR */                     \
+                     "or 2,2,2\n\t"                               \
+                     "mr %0,3"                                    \
+                     : "=b" (__addr)                              \
+                     :                                            \
+                     : "cc", "memory", "r3"                       \
+                    );                                            \
+    _zzq_orig->nraddr = __addr;                                   \
+  }
+
+#define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                   \
+                     __SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* branch-and-link-to-noredir *%R11 */       \
+                     "or 3,3,3\n\t"
+#endif /* PLAT_ppc32_linux */
+
+/* ------------------------ ppc64-linux ------------------------ */
+
+#if defined(PLAT_ppc64_linux)
+
+typedef
+   struct {
+      unsigned long long int nraddr; /* where's the code? */
+      unsigned long long int r2;  /* what tocptr do we need? */
+   }
+   OrigFn;
+
+#define __SPECIAL_INSTRUCTION_PREAMBLE                            \
+                     "rotldi 0,0,3  ; rotldi 0,0,13\n\t"          \
+                     "rotldi 0,0,61 ; rotldi 0,0,51\n\t"
+
+#define VALGRIND_DO_CLIENT_REQUEST(                               \
+        _zzq_rlval, _zzq_default, _zzq_request,                   \
+        _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5)    \
+                                                                  \
+  {          unsigned long long int  _zzq_args[6];                \
+    register unsigned long long int  _zzq_result __asm__("r3");   \
+    register unsigned long long int* _zzq_ptr __asm__("r4");      \
+    _zzq_args[0] = (unsigned long long int)(_zzq_request);        \
+    _zzq_args[1] = (unsigned long long int)(_zzq_arg1);           \
+    _zzq_args[2] = (unsigned long long int)(_zzq_arg2);           \
+    _zzq_args[3] = (unsigned long long int)(_zzq_arg3);           \
+    _zzq_args[4] = (unsigned long long int)(_zzq_arg4);           \
+    _zzq_args[5] = (unsigned long long int)(_zzq_arg5);           \
+    _zzq_ptr = _zzq_args;                                         \
+    __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %R3 = client_request ( %R4 ) */           \
+                     "or 1,1,1"                                   \
+                     : "=r" (_zzq_result)                         \
+                     : "0" (_zzq_default), "r" (_zzq_ptr)         \
+                     : "cc", "memory");                           \
+    _zzq_rlval = _zzq_result;                                     \
+  }
+
+#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval)                       \
+  { volatile OrigFn* _zzq_orig = &(_zzq_rlval);                   \
+    register unsigned long long int __addr __asm__("r3");         \
+    __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %R3 = guest_NRADDR */                     \
+                     "or 2,2,2"                                   \
+                     : "=r" (__addr)                              \
+                     :                                            \
+                     : "cc", "memory"                             \
+                    );                                            \
+    _zzq_orig->nraddr = __addr;                                   \
+    __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %R3 = guest_NRADDR_GPR2 */                \
+                     "or 4,4,4"                                   \
+                     : "=r" (__addr)                              \
+                     :                                            \
+                     : "cc", "memory"                             \
+                    );                                            \
+    _zzq_orig->r2 = __addr;                                       \
+  }
+
+#define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                   \
+                     __SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* branch-and-link-to-noredir *%R11 */       \
+                     "or 3,3,3\n\t"
+
+#endif /* PLAT_ppc64_linux */
+
+/* ------------------------- arm-linux ------------------------- */
+
+#if defined(PLAT_arm_linux)
+
+typedef
+   struct {
+      unsigned int nraddr; /* where's the code? */
+   }
+   OrigFn;
+
+#define __SPECIAL_INSTRUCTION_PREAMBLE                            \
+            "mov r12, r12, ror #3  ; mov r12, r12, ror #13 \n\t"  \
+            "mov r12, r12, ror #29 ; mov r12, r12, ror #19 \n\t"
+
+#define VALGRIND_DO_CLIENT_REQUEST(                               \
+        _zzq_rlval, _zzq_default, _zzq_request,                   \
+        _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5)    \
+                                                                  \
+  { volatile unsigned int  _zzq_args[6];                          \
+    volatile unsigned int  _zzq_result;                           \
+    _zzq_args[0] = (unsigned int)(_zzq_request);                  \
+    _zzq_args[1] = (unsigned int)(_zzq_arg1);                     \
+    _zzq_args[2] = (unsigned int)(_zzq_arg2);                     \
+    _zzq_args[3] = (unsigned int)(_zzq_arg3);                     \
+    _zzq_args[4] = (unsigned int)(_zzq_arg4);                     \
+    _zzq_args[5] = (unsigned int)(_zzq_arg5);                     \
+    __asm__ volatile("mov r3, %1\n\t" /*default*/                 \
+                     "mov r4, %2\n\t" /*ptr*/                     \
+                     __SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* R3 = client_request ( R4 ) */             \
+                     "orr r10, r10, r10\n\t"                      \
+                     "mov %0, r3"     /*result*/                  \
+                     : "=r" (_zzq_result)                         \
+                     : "r" (_zzq_default), "r" (&_zzq_args[0])    \
+                     : "cc","memory", "r3", "r4");                \
+    _zzq_rlval = _zzq_result;                                     \
+  }
+
+#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval)                       \
+  { volatile OrigFn* _zzq_orig = &(_zzq_rlval);                   \
+    unsigned int __addr;                                          \
+    __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* R3 = guest_NRADDR */                      \
+                     "orr r11, r11, r11\n\t"                      \
+                     "mov %0, r3"                                 \
+                     : "=r" (__addr)                              \
+                     :                                            \
+                     : "cc", "memory", "r3"                       \
+                    );                                            \
+    _zzq_orig->nraddr = __addr;                                   \
+  }
+
+#define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4                    \
+                     __SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* branch-and-link-to-noredir *%R4 */        \
+                     "orr r12, r12, r12\n\t"
+
+#endif /* PLAT_arm_linux */
+
+/* ------------------------ ppc32-aix5 ------------------------- */
+
+#if defined(PLAT_ppc32_aix5)
+
+typedef
+   struct {
+      unsigned int nraddr; /* where's the code? */
+      unsigned int r2;  /* what tocptr do we need? */
+   }
+   OrigFn;
+
+#define __SPECIAL_INSTRUCTION_PREAMBLE                            \
+                     "rlwinm 0,0,3,0,0  ; rlwinm 0,0,13,0,0\n\t"  \
+                     "rlwinm 0,0,29,0,0 ; rlwinm 0,0,19,0,0\n\t"
+
+#define VALGRIND_DO_CLIENT_REQUEST(                               \
+        _zzq_rlval, _zzq_default, _zzq_request,                   \
+        _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5)    \
+                                                                  \
+  {          unsigned int  _zzq_args[7];                          \
+    register unsigned int  _zzq_result;                           \
+    register unsigned int* _zzq_ptr;                              \
+    _zzq_args[0] = (unsigned int)(_zzq_request);                  \
+    _zzq_args[1] = (unsigned int)(_zzq_arg1);                     \
+    _zzq_args[2] = (unsigned int)(_zzq_arg2);                     \
+    _zzq_args[3] = (unsigned int)(_zzq_arg3);                     \
+    _zzq_args[4] = (unsigned int)(_zzq_arg4);                     \
+    _zzq_args[5] = (unsigned int)(_zzq_arg5);                     \
+    _zzq_args[6] = (unsigned int)(_zzq_default);                  \
+    _zzq_ptr = _zzq_args;                                         \
+    __asm__ volatile("mr 4,%1\n\t"                                \
+                     "lwz 3, 24(4)\n\t"                           \
+                     __SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %R3 = client_request ( %R4 ) */           \
+                     "or 1,1,1\n\t"                               \
+                     "mr %0,3"                                    \
+                     : "=b" (_zzq_result)                         \
+                     : "b" (_zzq_ptr)                             \
+                     : "r3", "r4", "cc", "memory");               \
+    _zzq_rlval = _zzq_result;                                     \
+  }
+
+#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval)                       \
+  { volatile OrigFn* _zzq_orig = &(_zzq_rlval);                   \
+    register unsigned int __addr;                                 \
+    __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %R3 = guest_NRADDR */                     \
+                     "or 2,2,2\n\t"                               \
+                     "mr %0,3"                                    \
+                     : "=b" (__addr)                              \
+                     :                                            \
+                     : "r3", "cc", "memory"                       \
+                    );                                            \
+    _zzq_orig->nraddr = __addr;                                   \
+    __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %R3 = guest_NRADDR_GPR2 */                \
+                     "or 4,4,4\n\t"                               \
+                     "mr %0,3"                                    \
+                     : "=b" (__addr)                              \
+                     :                                            \
+                     : "r3", "cc", "memory"                       \
+                    );                                            \
+    _zzq_orig->r2 = __addr;                                       \
+  }
+
+#define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                   \
+                     __SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* branch-and-link-to-noredir *%R11 */       \
+                     "or 3,3,3\n\t"
+
+#endif /* PLAT_ppc32_aix5 */
+
+/* ------------------------ ppc64-aix5 ------------------------- */
+
+#if defined(PLAT_ppc64_aix5)
+
+typedef
+   struct {
+      unsigned long long int nraddr; /* where's the code? */
+      unsigned long long int r2;  /* what tocptr do we need? */
+   }
+   OrigFn;
+
+#define __SPECIAL_INSTRUCTION_PREAMBLE                            \
+                     "rotldi 0,0,3  ; rotldi 0,0,13\n\t"          \
+                     "rotldi 0,0,61 ; rotldi 0,0,51\n\t"
+
+#define VALGRIND_DO_CLIENT_REQUEST(                               \
+        _zzq_rlval, _zzq_default, _zzq_request,                   \
+        _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5)    \
+                                                                  \
+  {          unsigned long long int  _zzq_args[7];                \
+    register unsigned long long int  _zzq_result;                 \
+    register unsigned long long int* _zzq_ptr;                    \
+    _zzq_args[0] = (unsigned int long long)(_zzq_request);        \
+    _zzq_args[1] = (unsigned int long long)(_zzq_arg1);           \
+    _zzq_args[2] = (unsigned int long long)(_zzq_arg2);           \
+    _zzq_args[3] = (unsigned int long long)(_zzq_arg3);           \
+    _zzq_args[4] = (unsigned int long long)(_zzq_arg4);           \
+    _zzq_args[5] = (unsigned int long long)(_zzq_arg5);           \
+    _zzq_args[6] = (unsigned int long long)(_zzq_default);        \
+    _zzq_ptr = _zzq_args;                                         \
+    __asm__ volatile("mr 4,%1\n\t"                                \
+                     "ld 3, 48(4)\n\t"                            \
+                     __SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %R3 = client_request ( %R4 ) */           \
+                     "or 1,1,1\n\t"                               \
+                     "mr %0,3"                                    \
+                     : "=b" (_zzq_result)                         \
+                     : "b" (_zzq_ptr)                             \
+                     : "r3", "r4", "cc", "memory");               \
+    _zzq_rlval = _zzq_result;                                     \
+  }
+
+#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval)                       \
+  { volatile OrigFn* _zzq_orig = &(_zzq_rlval);                   \
+    register unsigned long long int __addr;                       \
+    __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %R3 = guest_NRADDR */                     \
+                     "or 2,2,2\n\t"                               \
+                     "mr %0,3"                                    \
+                     : "=b" (__addr)                              \
+                     :                                            \
+                     : "r3", "cc", "memory"                       \
+                    );                                            \
+    _zzq_orig->nraddr = __addr;                                   \
+    __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* %R3 = guest_NRADDR_GPR2 */                \
+                     "or 4,4,4\n\t"                               \
+                     "mr %0,3"                                    \
+                     : "=b" (__addr)                              \
+                     :                                            \
+                     : "r3", "cc", "memory"                       \
+                    );                                            \
+    _zzq_orig->r2 = __addr;                                       \
+  }
+
+#define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                   \
+                     __SPECIAL_INSTRUCTION_PREAMBLE               \
+                     /* branch-and-link-to-noredir *%R11 */       \
+                     "or 3,3,3\n\t"
+
+#endif /* PLAT_ppc64_aix5 */
+
+/* Insert assembly code for other platforms here... */
+
+#endif /* NVALGRIND */
+
+
+/* ------------------------------------------------------------------ */
+/* PLATFORM SPECIFICS for FUNCTION WRAPPING.  This is all very        */
+/* ugly.  It's the least-worst tradeoff I can think of.               */
+/* ------------------------------------------------------------------ */
+
+/* This section defines magic (a.k.a appalling-hack) macros for doing
+   guaranteed-no-redirection macros, so as to get from function
+   wrappers to the functions they are wrapping.  The whole point is to
+   construct standard call sequences, but to do the call itself with a
+   special no-redirect call pseudo-instruction that the JIT
+   understands and handles specially.  This section is long and
+   repetitious, and I can't see a way to make it shorter.
+
+   The naming scheme is as follows:
+
+      CALL_FN_{W,v}_{v,W,WW,WWW,WWWW,5W,6W,7W,etc}
+
+   'W' stands for "word" and 'v' for "void".  Hence there are
+   different macros for calling arity 0, 1, 2, 3, 4, etc, functions,
+   and for each, the possibility of returning a word-typed result, or
+   no result.
+*/
+
+/* Use these to write the name of your wrapper.  NOTE: duplicates
+   VG_WRAP_FUNCTION_Z{U,Z} in pub_tool_redir.h. */
+
+/* Use an extra level of macroisation so as to ensure the soname/fnname
+   args are fully macro-expanded before pasting them together. */
+#define VG_CONCAT4(_aa,_bb,_cc,_dd) _aa##_bb##_cc##_dd
+
+#define I_WRAP_SONAME_FNNAME_ZU(soname,fnname)                    \
+   VG_CONCAT4(_vgwZU_,soname,_,fnname)
+
+#define I_WRAP_SONAME_FNNAME_ZZ(soname,fnname)                    \
+   VG_CONCAT4(_vgwZZ_,soname,_,fnname)
+
+/* Use this macro from within a wrapper function to collect the
+   context (address and possibly other info) of the original function.
+   Once you have that you can then use it in one of the CALL_FN_
+   macros.  The type of the argument _lval is OrigFn. */
+#define VALGRIND_GET_ORIG_FN(_lval)  VALGRIND_GET_NR_CONTEXT(_lval)
+
+/* Derivatives of the main macros below, for calling functions
+   returning void. */
+
+#define CALL_FN_v_v(fnptr)                                        \
+   do { volatile unsigned long _junk;                             \
+        CALL_FN_W_v(_junk,fnptr); } while (0)
+
+#define CALL_FN_v_W(fnptr, arg1)                                  \
+   do { volatile unsigned long _junk;                             \
+        CALL_FN_W_W(_junk,fnptr,arg1); } while (0)
+
+#define CALL_FN_v_WW(fnptr, arg1,arg2)                            \
+   do { volatile unsigned long _junk;                             \
+        CALL_FN_W_WW(_junk,fnptr,arg1,arg2); } while (0)
+
+#define CALL_FN_v_WWW(fnptr, arg1,arg2,arg3)                      \
+   do { volatile unsigned long _junk;                             \
+        CALL_FN_W_WWW(_junk,fnptr,arg1,arg2,arg3); } while (0)
+
+#define CALL_FN_v_WWWW(fnptr, arg1,arg2,arg3,arg4)                \
+   do { volatile unsigned long _junk;                             \
+        CALL_FN_W_WWWW(_junk,fnptr,arg1,arg2,arg3,arg4); } while (0)
+
+#define CALL_FN_v_5W(fnptr, arg1,arg2,arg3,arg4,arg5)             \
+   do { volatile unsigned long _junk;                             \
+        CALL_FN_W_5W(_junk,fnptr,arg1,arg2,arg3,arg4,arg5); } while (0)
+
+#define CALL_FN_v_6W(fnptr, arg1,arg2,arg3,arg4,arg5,arg6)        \
+   do { volatile unsigned long _junk;                             \
+        CALL_FN_W_6W(_junk,fnptr,arg1,arg2,arg3,arg4,arg5,arg6); } while (0)
+
+#define CALL_FN_v_7W(fnptr, arg1,arg2,arg3,arg4,arg5,arg6,arg7)   \
+   do { volatile unsigned long _junk;                             \
+        CALL_FN_W_7W(_junk,fnptr,arg1,arg2,arg3,arg4,arg5,arg6,arg7); } while (0)
+
+/* ------------------------- x86-{linux,darwin} ---------------- */
+
+#if defined(PLAT_x86_linux)  ||  defined(PLAT_x86_darwin)
+
+/* These regs are trashed by the hidden call.  No need to mention eax
+   as gcc can already see that, plus causes gcc to bomb. */
+#define __CALLER_SAVED_REGS /*"eax"*/ "ecx", "edx"
+
+/* These CALL_FN_ macros assume that on x86-linux, sizeof(unsigned
+   long) == 4. */
+
+#define CALL_FN_W_v(lval, orig)                                   \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[1];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      __asm__ volatile(                                           \
+         "movl (%%eax), %%eax\n\t"  /* target->%eax */            \
+         VALGRIND_CALL_NOREDIR_EAX                                \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_W(lval, orig, arg1)                             \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[2];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      __asm__ volatile(                                           \
+         "subl $12, %%esp\n\t"                                    \
+         "pushl 4(%%eax)\n\t"                                     \
+         "movl (%%eax), %%eax\n\t"  /* target->%eax */            \
+         VALGRIND_CALL_NOREDIR_EAX                                \
+         "addl $16, %%esp\n"                                      \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WW(lval, orig, arg1,arg2)                       \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      __asm__ volatile(                                           \
+         "subl $8, %%esp\n\t"                                     \
+         "pushl 8(%%eax)\n\t"                                     \
+         "pushl 4(%%eax)\n\t"                                     \
+         "movl (%%eax), %%eax\n\t"  /* target->%eax */            \
+         VALGRIND_CALL_NOREDIR_EAX                                \
+         "addl $16, %%esp\n"                                      \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3)                 \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[4];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      __asm__ volatile(                                           \
+         "subl $4, %%esp\n\t"                                     \
+         "pushl 12(%%eax)\n\t"                                    \
+         "pushl 8(%%eax)\n\t"                                     \
+         "pushl 4(%%eax)\n\t"                                     \
+         "movl (%%eax), %%eax\n\t"  /* target->%eax */            \
+         VALGRIND_CALL_NOREDIR_EAX                                \
+         "addl $16, %%esp\n"                                      \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4)           \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[5];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      __asm__ volatile(                                           \
+         "pushl 16(%%eax)\n\t"                                    \
+         "pushl 12(%%eax)\n\t"                                    \
+         "pushl 8(%%eax)\n\t"                                     \
+         "pushl 4(%%eax)\n\t"                                     \
+         "movl (%%eax), %%eax\n\t"  /* target->%eax */            \
+         VALGRIND_CALL_NOREDIR_EAX                                \
+         "addl $16, %%esp\n"                                      \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5)        \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[6];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      __asm__ volatile(                                           \
+         "subl $12, %%esp\n\t"                                    \
+         "pushl 20(%%eax)\n\t"                                    \
+         "pushl 16(%%eax)\n\t"                                    \
+         "pushl 12(%%eax)\n\t"                                    \
+         "pushl 8(%%eax)\n\t"                                     \
+         "pushl 4(%%eax)\n\t"                                     \
+         "movl (%%eax), %%eax\n\t"  /* target->%eax */            \
+         VALGRIND_CALL_NOREDIR_EAX                                \
+         "addl $32, %%esp\n"                                      \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6)   \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[7];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      __asm__ volatile(                                           \
+         "subl $8, %%esp\n\t"                                     \
+         "pushl 24(%%eax)\n\t"                                    \
+         "pushl 20(%%eax)\n\t"                                    \
+         "pushl 16(%%eax)\n\t"                                    \
+         "pushl 12(%%eax)\n\t"                                    \
+         "pushl 8(%%eax)\n\t"                                     \
+         "pushl 4(%%eax)\n\t"                                     \
+         "movl (%%eax), %%eax\n\t"  /* target->%eax */            \
+         VALGRIND_CALL_NOREDIR_EAX                                \
+         "addl $32, %%esp\n"                                      \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7)                            \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[8];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      __asm__ volatile(                                           \
+         "subl $4, %%esp\n\t"                                     \
+         "pushl 28(%%eax)\n\t"                                    \
+         "pushl 24(%%eax)\n\t"                                    \
+         "pushl 20(%%eax)\n\t"                                    \
+         "pushl 16(%%eax)\n\t"                                    \
+         "pushl 12(%%eax)\n\t"                                    \
+         "pushl 8(%%eax)\n\t"                                     \
+         "pushl 4(%%eax)\n\t"                                     \
+         "movl (%%eax), %%eax\n\t"  /* target->%eax */            \
+         VALGRIND_CALL_NOREDIR_EAX                                \
+         "addl $32, %%esp\n"                                      \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7,arg8)                       \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[9];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      __asm__ volatile(                                           \
+         "pushl 32(%%eax)\n\t"                                    \
+         "pushl 28(%%eax)\n\t"                                    \
+         "pushl 24(%%eax)\n\t"                                    \
+         "pushl 20(%%eax)\n\t"                                    \
+         "pushl 16(%%eax)\n\t"                                    \
+         "pushl 12(%%eax)\n\t"                                    \
+         "pushl 8(%%eax)\n\t"                                     \
+         "pushl 4(%%eax)\n\t"                                     \
+         "movl (%%eax), %%eax\n\t"  /* target->%eax */            \
+         VALGRIND_CALL_NOREDIR_EAX                                \
+         "addl $32, %%esp\n"                                      \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7,arg8,arg9)                  \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[10];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      _argvec[9] = (unsigned long)(arg9);                         \
+      __asm__ volatile(                                           \
+         "subl $12, %%esp\n\t"                                    \
+         "pushl 36(%%eax)\n\t"                                    \
+         "pushl 32(%%eax)\n\t"                                    \
+         "pushl 28(%%eax)\n\t"                                    \
+         "pushl 24(%%eax)\n\t"                                    \
+         "pushl 20(%%eax)\n\t"                                    \
+         "pushl 16(%%eax)\n\t"                                    \
+         "pushl 12(%%eax)\n\t"                                    \
+         "pushl 8(%%eax)\n\t"                                     \
+         "pushl 4(%%eax)\n\t"                                     \
+         "movl (%%eax), %%eax\n\t"  /* target->%eax */            \
+         VALGRIND_CALL_NOREDIR_EAX                                \
+         "addl $48, %%esp\n"                                      \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                  arg7,arg8,arg9,arg10)           \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[11];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      _argvec[9] = (unsigned long)(arg9);                         \
+      _argvec[10] = (unsigned long)(arg10);                       \
+      __asm__ volatile(                                           \
+         "subl $8, %%esp\n\t"                                     \
+         "pushl 40(%%eax)\n\t"                                    \
+         "pushl 36(%%eax)\n\t"                                    \
+         "pushl 32(%%eax)\n\t"                                    \
+         "pushl 28(%%eax)\n\t"                                    \
+         "pushl 24(%%eax)\n\t"                                    \
+         "pushl 20(%%eax)\n\t"                                    \
+         "pushl 16(%%eax)\n\t"                                    \
+         "pushl 12(%%eax)\n\t"                                    \
+         "pushl 8(%%eax)\n\t"                                     \
+         "pushl 4(%%eax)\n\t"                                     \
+         "movl (%%eax), %%eax\n\t"  /* target->%eax */            \
+         VALGRIND_CALL_NOREDIR_EAX                                \
+         "addl $48, %%esp\n"                                      \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,       \
+                                  arg6,arg7,arg8,arg9,arg10,      \
+                                  arg11)                          \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[12];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      _argvec[9] = (unsigned long)(arg9);                         \
+      _argvec[10] = (unsigned long)(arg10);                       \
+      _argvec[11] = (unsigned long)(arg11);                       \
+      __asm__ volatile(                                           \
+         "subl $4, %%esp\n\t"                                     \
+         "pushl 44(%%eax)\n\t"                                    \
+         "pushl 40(%%eax)\n\t"                                    \
+         "pushl 36(%%eax)\n\t"                                    \
+         "pushl 32(%%eax)\n\t"                                    \
+         "pushl 28(%%eax)\n\t"                                    \
+         "pushl 24(%%eax)\n\t"                                    \
+         "pushl 20(%%eax)\n\t"                                    \
+         "pushl 16(%%eax)\n\t"                                    \
+         "pushl 12(%%eax)\n\t"                                    \
+         "pushl 8(%%eax)\n\t"                                     \
+         "pushl 4(%%eax)\n\t"                                     \
+         "movl (%%eax), %%eax\n\t"  /* target->%eax */            \
+         VALGRIND_CALL_NOREDIR_EAX                                \
+         "addl $48, %%esp\n"                                      \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,       \
+                                  arg6,arg7,arg8,arg9,arg10,      \
+                                  arg11,arg12)                    \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[13];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      _argvec[9] = (unsigned long)(arg9);                         \
+      _argvec[10] = (unsigned long)(arg10);                       \
+      _argvec[11] = (unsigned long)(arg11);                       \
+      _argvec[12] = (unsigned long)(arg12);                       \
+      __asm__ volatile(                                           \
+         "pushl 48(%%eax)\n\t"                                    \
+         "pushl 44(%%eax)\n\t"                                    \
+         "pushl 40(%%eax)\n\t"                                    \
+         "pushl 36(%%eax)\n\t"                                    \
+         "pushl 32(%%eax)\n\t"                                    \
+         "pushl 28(%%eax)\n\t"                                    \
+         "pushl 24(%%eax)\n\t"                                    \
+         "pushl 20(%%eax)\n\t"                                    \
+         "pushl 16(%%eax)\n\t"                                    \
+         "pushl 12(%%eax)\n\t"                                    \
+         "pushl 8(%%eax)\n\t"                                     \
+         "pushl 4(%%eax)\n\t"                                     \
+         "movl (%%eax), %%eax\n\t"  /* target->%eax */            \
+         VALGRIND_CALL_NOREDIR_EAX                                \
+         "addl $48, %%esp\n"                                      \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#endif /* PLAT_x86_linux || PLAT_x86_darwin */
+
+/* ------------------------ amd64-{linux,darwin} --------------- */
+
+#if defined(PLAT_amd64_linux)  ||  defined(PLAT_amd64_darwin)
+
+/* ARGREGS: rdi rsi rdx rcx r8 r9 (the rest on stack in R-to-L order) */
+
+/* These regs are trashed by the hidden call. */
+#define __CALLER_SAVED_REGS /*"rax",*/ "rcx", "rdx", "rsi",       \
+                            "rdi", "r8", "r9", "r10", "r11"
+
+/* This is all pretty complex.  It's so as to make stack unwinding
+   work reliably.  See bug 243270.  The basic problem is the sub and
+   add of 128 of %rsp in all of the following macros.  If gcc believes
+   the CFA is in %rsp, then unwinding may fail, because what's at the
+   CFA is not what gcc "expected" when it constructs the CFIs for the
+   places where the macros are instantiated.
+
+   But we can't just add a CFI annotation to increase the CFA offset
+   by 128, to match the sub of 128 from %rsp, because we don't know
+   whether gcc has chosen %rsp as the CFA at that point, or whether it
+   has chosen some other register (eg, %rbp).  In the latter case,
+   adding a CFI annotation to change the CFA offset is simply wrong.
+
+   So the solution is to get hold of the CFA using
+   __builtin_dwarf_cfa(), put it in a known register, and add a
+   CFI annotation to say what the register is.  We choose %rbp for
+   this (perhaps perversely), because:
+
+   (1) %rbp is already subject to unwinding.  If a new register was
+       chosen then the unwinder would have to unwind it in all stack
+       traces, which is expensive, and
+
+   (2) %rbp is already subject to precise exception updates in the
+       JIT.  If a new register was chosen, we'd have to have precise
+       exceptions for it too, which reduces performance of the
+       generated code.
+
+   However .. one extra complication.  We can't just whack the result
+   of __builtin_dwarf_cfa() into %rbp and then add %rbp to the
+   list of trashed registers at the end of the inline assembly
+   fragments; gcc won't allow %rbp to appear in that list.  Hence
+   instead we need to stash %rbp in %r15 for the duration of the asm,
+   and say that %r15 is trashed instead.  gcc seems happy to go with
+   that.
+
+   Oh .. and this all needs to be conditionalised so that it is
+   unchanged from before this commit, when compiled with older gccs
+   that don't support __builtin_dwarf_cfa.  Furthermore, since
+   this header file is freestanding, it has to be independent of
+   config.h, and so the following conditionalisation cannot depend on
+   configure time checks.
+
+   Although it's not clear from
+   'defined(__GNUC__) && defined(__GCC_HAVE_DWARF2_CFI_ASM)',
+   this expression excludes Darwin.
+   .cfi directives in Darwin assembly appear to be completely
+   different and I haven't investigated how they work.
+
+   For even more entertainment value, note we have to use the
+   completely undocumented __builtin_dwarf_cfa(), which appears to
+   really compute the CFA, whereas __builtin_frame_address(0) claims
+   to but actually doesn't.  See
+   https://bugs.kde.org/show_bug.cgi?id=243270#c47
+*/
+#if defined(__GNUC__) && defined(__GCC_HAVE_DWARF2_CFI_ASM)
+#  define __FRAME_POINTER                                         \
+      ,"r"(__builtin_dwarf_cfa())
+#  define VALGRIND_CFI_PROLOGUE                                   \
+      "movq %%rbp, %%r15\n\t"                                     \
+      "movq %2, %%rbp\n\t"                                        \
+      ".cfi_remember_state\n\t"                                   \
+      ".cfi_def_cfa rbp, 0\n\t"
+#  define VALGRIND_CFI_EPILOGUE                                   \
+      "movq %%r15, %%rbp\n\t"                                     \
+      ".cfi_restore_state\n\t"
+#else
+#  define __FRAME_POINTER
+#  define VALGRIND_CFI_PROLOGUE
+#  define VALGRIND_CFI_EPILOGUE
+#endif
+
+
+/* These CALL_FN_ macros assume that on amd64-linux, sizeof(unsigned
+   long) == 8. */
+
+/* NB 9 Sept 07.  There is a nasty kludge here in all these CALL_FN_
+   macros.  In order not to trash the stack redzone, we need to drop
+   %rsp by 128 before the hidden call, and restore afterwards.  The
+   nastiness is that it is only by luck that the stack still appears
+   to be unwindable during the hidden call - since then the behaviour
+   of any routine using this macro does not match what the CFI data
+   says.  Sigh.
+
+   Why is this important?  Imagine that a wrapper has a stack
+   allocated local, and passes to the hidden call, a pointer to it.
+   Because gcc does not know about the hidden call, it may allocate
+   that local in the redzone.  Unfortunately the hidden call may then
+   trash it before it comes to use it.  So we must step clear of the
+   redzone, for the duration of the hidden call, to make it safe.
+
+   Probably the same problem afflicts the other redzone-style ABIs too
+   (ppc64-linux, ppc32-aix5, ppc64-aix5); but for those, the stack is
+   self describing (none of this CFI nonsense) so at least messing
+   with the stack pointer doesn't give a danger of non-unwindable
+   stack. */
+
+#define CALL_FN_W_v(lval, orig)                                   \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[1];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      __asm__ volatile(                                           \
+         VALGRIND_CFI_PROLOGUE                                    \
+         "subq $128,%%rsp\n\t"                                    \
+         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
+         VALGRIND_CALL_NOREDIR_RAX                                \
+         "addq $128,%%rsp\n\t"                                    \
+         VALGRIND_CFI_EPILOGUE                                    \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0]) __FRAME_POINTER            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15"   \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_W(lval, orig, arg1)                             \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[2];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      __asm__ volatile(                                           \
+         VALGRIND_CFI_PROLOGUE                                    \
+         "subq $128,%%rsp\n\t"                                    \
+         "movq 8(%%rax), %%rdi\n\t"                               \
+         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
+         VALGRIND_CALL_NOREDIR_RAX                                \
+         "addq $128,%%rsp\n\t"                                    \
+         VALGRIND_CFI_EPILOGUE                                    \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0]) __FRAME_POINTER            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15"   \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WW(lval, orig, arg1,arg2)                       \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      __asm__ volatile(                                           \
+         VALGRIND_CFI_PROLOGUE                                    \
+         "subq $128,%%rsp\n\t"                                    \
+         "movq 16(%%rax), %%rsi\n\t"                              \
+         "movq 8(%%rax), %%rdi\n\t"                               \
+         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
+         VALGRIND_CALL_NOREDIR_RAX                                \
+         "addq $128,%%rsp\n\t"                                    \
+         VALGRIND_CFI_EPILOGUE                                    \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0]) __FRAME_POINTER            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15"   \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3)                 \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[4];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      __asm__ volatile(                                           \
+         VALGRIND_CFI_PROLOGUE                                    \
+         "subq $128,%%rsp\n\t"                                    \
+         "movq 24(%%rax), %%rdx\n\t"                              \
+         "movq 16(%%rax), %%rsi\n\t"                              \
+         "movq 8(%%rax), %%rdi\n\t"                               \
+         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
+         VALGRIND_CALL_NOREDIR_RAX                                \
+         "addq $128,%%rsp\n\t"                                    \
+         VALGRIND_CFI_EPILOGUE                                    \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0]) __FRAME_POINTER            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15"   \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4)           \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[5];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      __asm__ volatile(                                           \
+         VALGRIND_CFI_PROLOGUE                                    \
+         "subq $128,%%rsp\n\t"                                    \
+         "movq 32(%%rax), %%rcx\n\t"                              \
+         "movq 24(%%rax), %%rdx\n\t"                              \
+         "movq 16(%%rax), %%rsi\n\t"                              \
+         "movq 8(%%rax), %%rdi\n\t"                               \
+         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
+         VALGRIND_CALL_NOREDIR_RAX                                \
+         "addq $128,%%rsp\n\t"                                    \
+         VALGRIND_CFI_EPILOGUE                                    \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0]) __FRAME_POINTER            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15"   \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5)        \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[6];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      __asm__ volatile(                                           \
+         VALGRIND_CFI_PROLOGUE                                    \
+         "subq $128,%%rsp\n\t"                                    \
+         "movq 40(%%rax), %%r8\n\t"                               \
+         "movq 32(%%rax), %%rcx\n\t"                              \
+         "movq 24(%%rax), %%rdx\n\t"                              \
+         "movq 16(%%rax), %%rsi\n\t"                              \
+         "movq 8(%%rax), %%rdi\n\t"                               \
+         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
+         VALGRIND_CALL_NOREDIR_RAX                                \
+         "addq $128,%%rsp\n\t"                                    \
+         VALGRIND_CFI_EPILOGUE                                    \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0]) __FRAME_POINTER            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15"   \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6)   \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[7];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      __asm__ volatile(                                           \
+         VALGRIND_CFI_PROLOGUE                                    \
+         "subq $128,%%rsp\n\t"                                    \
+         "movq 48(%%rax), %%r9\n\t"                               \
+         "movq 40(%%rax), %%r8\n\t"                               \
+         "movq 32(%%rax), %%rcx\n\t"                              \
+         "movq 24(%%rax), %%rdx\n\t"                              \
+         "movq 16(%%rax), %%rsi\n\t"                              \
+         "movq 8(%%rax), %%rdi\n\t"                               \
+         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
+         VALGRIND_CALL_NOREDIR_RAX                                \
+         "addq $128,%%rsp\n\t"                                    \
+         VALGRIND_CFI_EPILOGUE                                    \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0]) __FRAME_POINTER            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15"   \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7)                            \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[8];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      __asm__ volatile(                                           \
+         VALGRIND_CFI_PROLOGUE                                    \
+         "subq $136,%%rsp\n\t"                                    \
+         "pushq 56(%%rax)\n\t"                                    \
+         "movq 48(%%rax), %%r9\n\t"                               \
+         "movq 40(%%rax), %%r8\n\t"                               \
+         "movq 32(%%rax), %%rcx\n\t"                              \
+         "movq 24(%%rax), %%rdx\n\t"                              \
+         "movq 16(%%rax), %%rsi\n\t"                              \
+         "movq 8(%%rax), %%rdi\n\t"                               \
+         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
+         VALGRIND_CALL_NOREDIR_RAX                                \
+         "addq $8, %%rsp\n"                                       \
+         "addq $136,%%rsp\n\t"                                    \
+         VALGRIND_CFI_EPILOGUE                                    \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0]) __FRAME_POINTER            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15"   \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7,arg8)                       \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[9];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      __asm__ volatile(                                           \
+         VALGRIND_CFI_PROLOGUE                                    \
+         "subq $128,%%rsp\n\t"                                    \
+         "pushq 64(%%rax)\n\t"                                    \
+         "pushq 56(%%rax)\n\t"                                    \
+         "movq 48(%%rax), %%r9\n\t"                               \
+         "movq 40(%%rax), %%r8\n\t"                               \
+         "movq 32(%%rax), %%rcx\n\t"                              \
+         "movq 24(%%rax), %%rdx\n\t"                              \
+         "movq 16(%%rax), %%rsi\n\t"                              \
+         "movq 8(%%rax), %%rdi\n\t"                               \
+         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
+         VALGRIND_CALL_NOREDIR_RAX                                \
+         "addq $16, %%rsp\n"                                      \
+         "addq $128,%%rsp\n\t"                                    \
+         VALGRIND_CFI_EPILOGUE                                    \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0]) __FRAME_POINTER            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15"   \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7,arg8,arg9)                  \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[10];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      _argvec[9] = (unsigned long)(arg9);                         \
+      __asm__ volatile(                                           \
+         VALGRIND_CFI_PROLOGUE                                    \
+         "subq $136,%%rsp\n\t"                                    \
+         "pushq 72(%%rax)\n\t"                                    \
+         "pushq 64(%%rax)\n\t"                                    \
+         "pushq 56(%%rax)\n\t"                                    \
+         "movq 48(%%rax), %%r9\n\t"                               \
+         "movq 40(%%rax), %%r8\n\t"                               \
+         "movq 32(%%rax), %%rcx\n\t"                              \
+         "movq 24(%%rax), %%rdx\n\t"                              \
+         "movq 16(%%rax), %%rsi\n\t"                              \
+         "movq 8(%%rax), %%rdi\n\t"                               \
+         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
+         VALGRIND_CALL_NOREDIR_RAX                                \
+         "addq $24, %%rsp\n"                                      \
+         "addq $136,%%rsp\n\t"                                    \
+         VALGRIND_CFI_EPILOGUE                                    \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0]) __FRAME_POINTER            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15"   \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                  arg7,arg8,arg9,arg10)           \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[11];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      _argvec[9] = (unsigned long)(arg9);                         \
+      _argvec[10] = (unsigned long)(arg10);                       \
+      __asm__ volatile(                                           \
+         VALGRIND_CFI_PROLOGUE                                    \
+         "subq $128,%%rsp\n\t"                                    \
+         "pushq 80(%%rax)\n\t"                                    \
+         "pushq 72(%%rax)\n\t"                                    \
+         "pushq 64(%%rax)\n\t"                                    \
+         "pushq 56(%%rax)\n\t"                                    \
+         "movq 48(%%rax), %%r9\n\t"                               \
+         "movq 40(%%rax), %%r8\n\t"                               \
+         "movq 32(%%rax), %%rcx\n\t"                              \
+         "movq 24(%%rax), %%rdx\n\t"                              \
+         "movq 16(%%rax), %%rsi\n\t"                              \
+         "movq 8(%%rax), %%rdi\n\t"                               \
+         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
+         VALGRIND_CALL_NOREDIR_RAX                                \
+         "addq $32, %%rsp\n"                                      \
+         "addq $128,%%rsp\n\t"                                    \
+         VALGRIND_CFI_EPILOGUE                                    \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0]) __FRAME_POINTER            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15"   \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                  arg7,arg8,arg9,arg10,arg11)     \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[12];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      _argvec[9] = (unsigned long)(arg9);                         \
+      _argvec[10] = (unsigned long)(arg10);                       \
+      _argvec[11] = (unsigned long)(arg11);                       \
+      __asm__ volatile(                                           \
+         VALGRIND_CFI_PROLOGUE                                    \
+         "subq $136,%%rsp\n\t"                                    \
+         "pushq 88(%%rax)\n\t"                                    \
+         "pushq 80(%%rax)\n\t"                                    \
+         "pushq 72(%%rax)\n\t"                                    \
+         "pushq 64(%%rax)\n\t"                                    \
+         "pushq 56(%%rax)\n\t"                                    \
+         "movq 48(%%rax), %%r9\n\t"                               \
+         "movq 40(%%rax), %%r8\n\t"                               \
+         "movq 32(%%rax), %%rcx\n\t"                              \
+         "movq 24(%%rax), %%rdx\n\t"                              \
+         "movq 16(%%rax), %%rsi\n\t"                              \
+         "movq 8(%%rax), %%rdi\n\t"                               \
+         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
+         VALGRIND_CALL_NOREDIR_RAX                                \
+         "addq $40, %%rsp\n"                                      \
+         "addq $136,%%rsp\n\t"                                    \
+         VALGRIND_CFI_EPILOGUE                                    \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0]) __FRAME_POINTER            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15"   \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                arg7,arg8,arg9,arg10,arg11,arg12) \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[13];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      _argvec[9] = (unsigned long)(arg9);                         \
+      _argvec[10] = (unsigned long)(arg10);                       \
+      _argvec[11] = (unsigned long)(arg11);                       \
+      _argvec[12] = (unsigned long)(arg12);                       \
+      __asm__ volatile(                                           \
+         VALGRIND_CFI_PROLOGUE                                    \
+         "subq $128,%%rsp\n\t"                                    \
+         "pushq 96(%%rax)\n\t"                                    \
+         "pushq 88(%%rax)\n\t"                                    \
+         "pushq 80(%%rax)\n\t"                                    \
+         "pushq 72(%%rax)\n\t"                                    \
+         "pushq 64(%%rax)\n\t"                                    \
+         "pushq 56(%%rax)\n\t"                                    \
+         "movq 48(%%rax), %%r9\n\t"                               \
+         "movq 40(%%rax), %%r8\n\t"                               \
+         "movq 32(%%rax), %%rcx\n\t"                              \
+         "movq 24(%%rax), %%rdx\n\t"                              \
+         "movq 16(%%rax), %%rsi\n\t"                              \
+         "movq 8(%%rax), %%rdi\n\t"                               \
+         "movq (%%rax), %%rax\n\t"  /* target->%rax */            \
+         VALGRIND_CALL_NOREDIR_RAX                                \
+         "addq $48, %%rsp\n"                                      \
+         "addq $128,%%rsp\n\t"                                    \
+         VALGRIND_CFI_EPILOGUE                                    \
+         : /*out*/   "=a" (_res)                                  \
+         : /*in*/    "a" (&_argvec[0]) __FRAME_POINTER            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15"   \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#endif /* PLAT_amd64_linux || PLAT_amd64_darwin */
+
+/* ------------------------ ppc32-linux ------------------------ */
+
+#if defined(PLAT_ppc32_linux)
+
+/* This is useful for finding out about the on-stack stuff:
+
+   extern int f9  ( int,int,int,int,int,int,int,int,int );
+   extern int f10 ( int,int,int,int,int,int,int,int,int,int );
+   extern int f11 ( int,int,int,int,int,int,int,int,int,int,int );
+   extern int f12 ( int,int,int,int,int,int,int,int,int,int,int,int );
+
+   int g9 ( void ) {
+      return f9(11,22,33,44,55,66,77,88,99);
+   }
+   int g10 ( void ) {
+      return f10(11,22,33,44,55,66,77,88,99,110);
+   }
+   int g11 ( void ) {
+      return f11(11,22,33,44,55,66,77,88,99,110,121);
+   }
+   int g12 ( void ) {
+      return f12(11,22,33,44,55,66,77,88,99,110,121,132);
+   }
+*/
+
+/* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */
+
+/* These regs are trashed by the hidden call. */
+#define __CALLER_SAVED_REGS                                       \
+   "lr", "ctr", "xer",                                            \
+   "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7",        \
+   "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10",   \
+   "r11", "r12", "r13"
+
+/* These CALL_FN_ macros assume that on ppc32-linux,
+   sizeof(unsigned long) == 4. */
+
+#define CALL_FN_W_v(lval, orig)                                   \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[1];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "lwz 11,0(11)\n\t"  /* target->r11 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr %0,3"                                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_W(lval, orig, arg1)                             \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[2];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)arg1;                           \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "lwz 3,4(11)\n\t"   /* arg1->r3 */                       \
+         "lwz 11,0(11)\n\t"  /* target->r11 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr %0,3"                                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WW(lval, orig, arg1,arg2)                       \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)arg1;                           \
+      _argvec[2] = (unsigned long)arg2;                           \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "lwz 3,4(11)\n\t"   /* arg1->r3 */                       \
+         "lwz 4,8(11)\n\t"                                        \
+         "lwz 11,0(11)\n\t"  /* target->r11 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr %0,3"                                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3)                 \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[4];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)arg1;                           \
+      _argvec[2] = (unsigned long)arg2;                           \
+      _argvec[3] = (unsigned long)arg3;                           \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "lwz 3,4(11)\n\t"   /* arg1->r3 */                       \
+         "lwz 4,8(11)\n\t"                                        \
+         "lwz 5,12(11)\n\t"                                       \
+         "lwz 11,0(11)\n\t"  /* target->r11 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr %0,3"                                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4)           \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[5];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)arg1;                           \
+      _argvec[2] = (unsigned long)arg2;                           \
+      _argvec[3] = (unsigned long)arg3;                           \
+      _argvec[4] = (unsigned long)arg4;                           \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "lwz 3,4(11)\n\t"   /* arg1->r3 */                       \
+         "lwz 4,8(11)\n\t"                                        \
+         "lwz 5,12(11)\n\t"                                       \
+         "lwz 6,16(11)\n\t"  /* arg4->r6 */                       \
+         "lwz 11,0(11)\n\t"  /* target->r11 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr %0,3"                                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5)        \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[6];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)arg1;                           \
+      _argvec[2] = (unsigned long)arg2;                           \
+      _argvec[3] = (unsigned long)arg3;                           \
+      _argvec[4] = (unsigned long)arg4;                           \
+      _argvec[5] = (unsigned long)arg5;                           \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "lwz 3,4(11)\n\t"   /* arg1->r3 */                       \
+         "lwz 4,8(11)\n\t"                                        \
+         "lwz 5,12(11)\n\t"                                       \
+         "lwz 6,16(11)\n\t"  /* arg4->r6 */                       \
+         "lwz 7,20(11)\n\t"                                       \
+         "lwz 11,0(11)\n\t"  /* target->r11 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr %0,3"                                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6)   \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[7];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)arg1;                           \
+      _argvec[2] = (unsigned long)arg2;                           \
+      _argvec[3] = (unsigned long)arg3;                           \
+      _argvec[4] = (unsigned long)arg4;                           \
+      _argvec[5] = (unsigned long)arg5;                           \
+      _argvec[6] = (unsigned long)arg6;                           \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "lwz 3,4(11)\n\t"   /* arg1->r3 */                       \
+         "lwz 4,8(11)\n\t"                                        \
+         "lwz 5,12(11)\n\t"                                       \
+         "lwz 6,16(11)\n\t"  /* arg4->r6 */                       \
+         "lwz 7,20(11)\n\t"                                       \
+         "lwz 8,24(11)\n\t"                                       \
+         "lwz 11,0(11)\n\t"  /* target->r11 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr %0,3"                                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7)                            \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[8];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)arg1;                           \
+      _argvec[2] = (unsigned long)arg2;                           \
+      _argvec[3] = (unsigned long)arg3;                           \
+      _argvec[4] = (unsigned long)arg4;                           \
+      _argvec[5] = (unsigned long)arg5;                           \
+      _argvec[6] = (unsigned long)arg6;                           \
+      _argvec[7] = (unsigned long)arg7;                           \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "lwz 3,4(11)\n\t"   /* arg1->r3 */                       \
+         "lwz 4,8(11)\n\t"                                        \
+         "lwz 5,12(11)\n\t"                                       \
+         "lwz 6,16(11)\n\t"  /* arg4->r6 */                       \
+         "lwz 7,20(11)\n\t"                                       \
+         "lwz 8,24(11)\n\t"                                       \
+         "lwz 9,28(11)\n\t"                                       \
+         "lwz 11,0(11)\n\t"  /* target->r11 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr %0,3"                                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7,arg8)                       \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[9];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)arg1;                           \
+      _argvec[2] = (unsigned long)arg2;                           \
+      _argvec[3] = (unsigned long)arg3;                           \
+      _argvec[4] = (unsigned long)arg4;                           \
+      _argvec[5] = (unsigned long)arg5;                           \
+      _argvec[6] = (unsigned long)arg6;                           \
+      _argvec[7] = (unsigned long)arg7;                           \
+      _argvec[8] = (unsigned long)arg8;                           \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "lwz 3,4(11)\n\t"   /* arg1->r3 */                       \
+         "lwz 4,8(11)\n\t"                                        \
+         "lwz 5,12(11)\n\t"                                       \
+         "lwz 6,16(11)\n\t"  /* arg4->r6 */                       \
+         "lwz 7,20(11)\n\t"                                       \
+         "lwz 8,24(11)\n\t"                                       \
+         "lwz 9,28(11)\n\t"                                       \
+         "lwz 10,32(11)\n\t" /* arg8->r10 */                      \
+         "lwz 11,0(11)\n\t"  /* target->r11 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr %0,3"                                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7,arg8,arg9)                  \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[10];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)arg1;                           \
+      _argvec[2] = (unsigned long)arg2;                           \
+      _argvec[3] = (unsigned long)arg3;                           \
+      _argvec[4] = (unsigned long)arg4;                           \
+      _argvec[5] = (unsigned long)arg5;                           \
+      _argvec[6] = (unsigned long)arg6;                           \
+      _argvec[7] = (unsigned long)arg7;                           \
+      _argvec[8] = (unsigned long)arg8;                           \
+      _argvec[9] = (unsigned long)arg9;                           \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "addi 1,1,-16\n\t"                                       \
+         /* arg9 */                                               \
+         "lwz 3,36(11)\n\t"                                       \
+         "stw 3,8(1)\n\t"                                         \
+         /* args1-8 */                                            \
+         "lwz 3,4(11)\n\t"   /* arg1->r3 */                       \
+         "lwz 4,8(11)\n\t"                                        \
+         "lwz 5,12(11)\n\t"                                       \
+         "lwz 6,16(11)\n\t"  /* arg4->r6 */                       \
+         "lwz 7,20(11)\n\t"                                       \
+         "lwz 8,24(11)\n\t"                                       \
+         "lwz 9,28(11)\n\t"                                       \
+         "lwz 10,32(11)\n\t" /* arg8->r10 */                      \
+         "lwz 11,0(11)\n\t"  /* target->r11 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "addi 1,1,16\n\t"                                        \
+         "mr %0,3"                                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                  arg7,arg8,arg9,arg10)           \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[11];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)arg1;                           \
+      _argvec[2] = (unsigned long)arg2;                           \
+      _argvec[3] = (unsigned long)arg3;                           \
+      _argvec[4] = (unsigned long)arg4;                           \
+      _argvec[5] = (unsigned long)arg5;                           \
+      _argvec[6] = (unsigned long)arg6;                           \
+      _argvec[7] = (unsigned long)arg7;                           \
+      _argvec[8] = (unsigned long)arg8;                           \
+      _argvec[9] = (unsigned long)arg9;                           \
+      _argvec[10] = (unsigned long)arg10;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "addi 1,1,-16\n\t"                                       \
+         /* arg10 */                                              \
+         "lwz 3,40(11)\n\t"                                       \
+         "stw 3,12(1)\n\t"                                        \
+         /* arg9 */                                               \
+         "lwz 3,36(11)\n\t"                                       \
+         "stw 3,8(1)\n\t"                                         \
+         /* args1-8 */                                            \
+         "lwz 3,4(11)\n\t"   /* arg1->r3 */                       \
+         "lwz 4,8(11)\n\t"                                        \
+         "lwz 5,12(11)\n\t"                                       \
+         "lwz 6,16(11)\n\t"  /* arg4->r6 */                       \
+         "lwz 7,20(11)\n\t"                                       \
+         "lwz 8,24(11)\n\t"                                       \
+         "lwz 9,28(11)\n\t"                                       \
+         "lwz 10,32(11)\n\t" /* arg8->r10 */                      \
+         "lwz 11,0(11)\n\t"  /* target->r11 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "addi 1,1,16\n\t"                                        \
+         "mr %0,3"                                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                  arg7,arg8,arg9,arg10,arg11)     \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[12];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)arg1;                           \
+      _argvec[2] = (unsigned long)arg2;                           \
+      _argvec[3] = (unsigned long)arg3;                           \
+      _argvec[4] = (unsigned long)arg4;                           \
+      _argvec[5] = (unsigned long)arg5;                           \
+      _argvec[6] = (unsigned long)arg6;                           \
+      _argvec[7] = (unsigned long)arg7;                           \
+      _argvec[8] = (unsigned long)arg8;                           \
+      _argvec[9] = (unsigned long)arg9;                           \
+      _argvec[10] = (unsigned long)arg10;                         \
+      _argvec[11] = (unsigned long)arg11;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "addi 1,1,-32\n\t"                                       \
+         /* arg11 */                                              \
+         "lwz 3,44(11)\n\t"                                       \
+         "stw 3,16(1)\n\t"                                        \
+         /* arg10 */                                              \
+         "lwz 3,40(11)\n\t"                                       \
+         "stw 3,12(1)\n\t"                                        \
+         /* arg9 */                                               \
+         "lwz 3,36(11)\n\t"                                       \
+         "stw 3,8(1)\n\t"                                         \
+         /* args1-8 */                                            \
+         "lwz 3,4(11)\n\t"   /* arg1->r3 */                       \
+         "lwz 4,8(11)\n\t"                                        \
+         "lwz 5,12(11)\n\t"                                       \
+         "lwz 6,16(11)\n\t"  /* arg4->r6 */                       \
+         "lwz 7,20(11)\n\t"                                       \
+         "lwz 8,24(11)\n\t"                                       \
+         "lwz 9,28(11)\n\t"                                       \
+         "lwz 10,32(11)\n\t" /* arg8->r10 */                      \
+         "lwz 11,0(11)\n\t"  /* target->r11 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "addi 1,1,32\n\t"                                        \
+         "mr %0,3"                                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                arg7,arg8,arg9,arg10,arg11,arg12) \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[13];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)arg1;                           \
+      _argvec[2] = (unsigned long)arg2;                           \
+      _argvec[3] = (unsigned long)arg3;                           \
+      _argvec[4] = (unsigned long)arg4;                           \
+      _argvec[5] = (unsigned long)arg5;                           \
+      _argvec[6] = (unsigned long)arg6;                           \
+      _argvec[7] = (unsigned long)arg7;                           \
+      _argvec[8] = (unsigned long)arg8;                           \
+      _argvec[9] = (unsigned long)arg9;                           \
+      _argvec[10] = (unsigned long)arg10;                         \
+      _argvec[11] = (unsigned long)arg11;                         \
+      _argvec[12] = (unsigned long)arg12;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "addi 1,1,-32\n\t"                                       \
+         /* arg12 */                                              \
+         "lwz 3,48(11)\n\t"                                       \
+         "stw 3,20(1)\n\t"                                        \
+         /* arg11 */                                              \
+         "lwz 3,44(11)\n\t"                                       \
+         "stw 3,16(1)\n\t"                                        \
+         /* arg10 */                                              \
+         "lwz 3,40(11)\n\t"                                       \
+         "stw 3,12(1)\n\t"                                        \
+         /* arg9 */                                               \
+         "lwz 3,36(11)\n\t"                                       \
+         "stw 3,8(1)\n\t"                                         \
+         /* args1-8 */                                            \
+         "lwz 3,4(11)\n\t"   /* arg1->r3 */                       \
+         "lwz 4,8(11)\n\t"                                        \
+         "lwz 5,12(11)\n\t"                                       \
+         "lwz 6,16(11)\n\t"  /* arg4->r6 */                       \
+         "lwz 7,20(11)\n\t"                                       \
+         "lwz 8,24(11)\n\t"                                       \
+         "lwz 9,28(11)\n\t"                                       \
+         "lwz 10,32(11)\n\t" /* arg8->r10 */                      \
+         "lwz 11,0(11)\n\t"  /* target->r11 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "addi 1,1,32\n\t"                                        \
+         "mr %0,3"                                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#endif /* PLAT_ppc32_linux */
+
+/* ------------------------ ppc64-linux ------------------------ */
+
+#if defined(PLAT_ppc64_linux)
+
+/* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */
+
+/* These regs are trashed by the hidden call. */
+#define __CALLER_SAVED_REGS                                       \
+   "lr", "ctr", "xer",                                            \
+   "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7",        \
+   "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10",   \
+   "r11", "r12", "r13"
+
+/* These CALL_FN_ macros assume that on ppc64-linux, sizeof(unsigned
+   long) == 8. */
+
+#define CALL_FN_W_v(lval, orig)                                   \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+0];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1] = (unsigned long)_orig.r2;                       \
+      _argvec[2] = (unsigned long)_orig.nraddr;                   \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "std 2,-16(11)\n\t"  /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)" /* restore tocptr */                      \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_W(lval, orig, arg1)                             \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+1];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "std 2,-16(11)\n\t"  /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)" /* restore tocptr */                      \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WW(lval, orig, arg1,arg2)                       \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+2];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "std 2,-16(11)\n\t"  /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)" /* restore tocptr */                      \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3)                 \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+3];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "std 2,-16(11)\n\t"  /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)" /* restore tocptr */                      \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4)           \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+4];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "std 2,-16(11)\n\t"  /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)" /* restore tocptr */                      \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5)        \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+5];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "std 2,-16(11)\n\t"  /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)" /* restore tocptr */                      \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6)   \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+6];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "std 2,-16(11)\n\t"  /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld   8, 48(11)\n\t" /* arg6->r8 */                      \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)" /* restore tocptr */                      \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7)                            \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+7];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "std 2,-16(11)\n\t"  /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld   8, 48(11)\n\t" /* arg6->r8 */                      \
+         "ld   9, 56(11)\n\t" /* arg7->r9 */                      \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)" /* restore tocptr */                      \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7,arg8)                       \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+8];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "std 2,-16(11)\n\t"  /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld   8, 48(11)\n\t" /* arg6->r8 */                      \
+         "ld   9, 56(11)\n\t" /* arg7->r9 */                      \
+         "ld  10, 64(11)\n\t" /* arg8->r10 */                     \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)" /* restore tocptr */                      \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7,arg8,arg9)                  \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+9];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      _argvec[2+9] = (unsigned long)arg9;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "std 2,-16(11)\n\t"  /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "addi 1,1,-128\n\t"  /* expand stack frame */            \
+         /* arg9 */                                               \
+         "ld  3,72(11)\n\t"                                       \
+         "std 3,112(1)\n\t"                                       \
+         /* args1-8 */                                            \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld   8, 48(11)\n\t" /* arg6->r8 */                      \
+         "ld   9, 56(11)\n\t" /* arg7->r9 */                      \
+         "ld  10, 64(11)\n\t" /* arg8->r10 */                     \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)\n\t" /* restore tocptr */                  \
+         "addi 1,1,128"     /* restore frame */                   \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                  arg7,arg8,arg9,arg10)           \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+10];                       \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      _argvec[2+9] = (unsigned long)arg9;                         \
+      _argvec[2+10] = (unsigned long)arg10;                       \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "std 2,-16(11)\n\t"  /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "addi 1,1,-128\n\t"  /* expand stack frame */            \
+         /* arg10 */                                              \
+         "ld  3,80(11)\n\t"                                       \
+         "std 3,120(1)\n\t"                                       \
+         /* arg9 */                                               \
+         "ld  3,72(11)\n\t"                                       \
+         "std 3,112(1)\n\t"                                       \
+         /* args1-8 */                                            \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld   8, 48(11)\n\t" /* arg6->r8 */                      \
+         "ld   9, 56(11)\n\t" /* arg7->r9 */                      \
+         "ld  10, 64(11)\n\t" /* arg8->r10 */                     \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)\n\t" /* restore tocptr */                  \
+         "addi 1,1,128"     /* restore frame */                   \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                  arg7,arg8,arg9,arg10,arg11)     \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+11];                       \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      _argvec[2+9] = (unsigned long)arg9;                         \
+      _argvec[2+10] = (unsigned long)arg10;                       \
+      _argvec[2+11] = (unsigned long)arg11;                       \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "std 2,-16(11)\n\t"  /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "addi 1,1,-144\n\t"  /* expand stack frame */            \
+         /* arg11 */                                              \
+         "ld  3,88(11)\n\t"                                       \
+         "std 3,128(1)\n\t"                                       \
+         /* arg10 */                                              \
+         "ld  3,80(11)\n\t"                                       \
+         "std 3,120(1)\n\t"                                       \
+         /* arg9 */                                               \
+         "ld  3,72(11)\n\t"                                       \
+         "std 3,112(1)\n\t"                                       \
+         /* args1-8 */                                            \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld   8, 48(11)\n\t" /* arg6->r8 */                      \
+         "ld   9, 56(11)\n\t" /* arg7->r9 */                      \
+         "ld  10, 64(11)\n\t" /* arg8->r10 */                     \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)\n\t" /* restore tocptr */                  \
+         "addi 1,1,144"     /* restore frame */                   \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                arg7,arg8,arg9,arg10,arg11,arg12) \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+12];                       \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      _argvec[2+9] = (unsigned long)arg9;                         \
+      _argvec[2+10] = (unsigned long)arg10;                       \
+      _argvec[2+11] = (unsigned long)arg11;                       \
+      _argvec[2+12] = (unsigned long)arg12;                       \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         "std 2,-16(11)\n\t"  /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "addi 1,1,-144\n\t"  /* expand stack frame */            \
+         /* arg12 */                                              \
+         "ld  3,96(11)\n\t"                                       \
+         "std 3,136(1)\n\t"                                       \
+         /* arg11 */                                              \
+         "ld  3,88(11)\n\t"                                       \
+         "std 3,128(1)\n\t"                                       \
+         /* arg10 */                                              \
+         "ld  3,80(11)\n\t"                                       \
+         "std 3,120(1)\n\t"                                       \
+         /* arg9 */                                               \
+         "ld  3,72(11)\n\t"                                       \
+         "std 3,112(1)\n\t"                                       \
+         /* args1-8 */                                            \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld   8, 48(11)\n\t" /* arg6->r8 */                      \
+         "ld   9, 56(11)\n\t" /* arg7->r9 */                      \
+         "ld  10, 64(11)\n\t" /* arg8->r10 */                     \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)\n\t" /* restore tocptr */                  \
+         "addi 1,1,144"     /* restore frame */                   \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#endif /* PLAT_ppc64_linux */
+
+/* ------------------------- arm-linux ------------------------- */
+
+#if defined(PLAT_arm_linux)
+
+/* These regs are trashed by the hidden call. */
+#define __CALLER_SAVED_REGS "r0", "r1", "r2", "r3","r4","r14"
+
+/* These CALL_FN_ macros assume that on arm-linux, sizeof(unsigned
+   long) == 4. */
+
+#define CALL_FN_W_v(lval, orig)                                   \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[1];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      __asm__ volatile(                                           \
+         "ldr r4, [%1] \n\t"  /* target->r4 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4                   \
+         "mov %0, r0\n"                                           \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "0" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_W(lval, orig, arg1)                             \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[2];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      __asm__ volatile(                                           \
+         "ldr r0, [%1, #4] \n\t"                                  \
+         "ldr r4, [%1] \n\t"  /* target->r4 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4                   \
+         "mov %0, r0\n"                                           \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "0" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory",  __CALLER_SAVED_REGS         \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WW(lval, orig, arg1,arg2)                       \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      __asm__ volatile(                                           \
+         "ldr r0, [%1, #4] \n\t"                                  \
+         "ldr r1, [%1, #8] \n\t"                                  \
+         "ldr r4, [%1] \n\t"  /* target->r4 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4                   \
+         "mov %0, r0\n"                                           \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "0" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3)                 \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[4];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      __asm__ volatile(                                           \
+         "ldr r0, [%1, #4] \n\t"                                  \
+         "ldr r1, [%1, #8] \n\t"                                  \
+         "ldr r2, [%1, #12] \n\t"                                 \
+         "ldr r4, [%1] \n\t"  /* target->r4 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4                   \
+         "mov %0, r0\n"                                           \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "0" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4)           \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[5];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      __asm__ volatile(                                           \
+         "ldr r0, [%1, #4] \n\t"                                  \
+         "ldr r1, [%1, #8] \n\t"                                  \
+         "ldr r2, [%1, #12] \n\t"                                 \
+         "ldr r3, [%1, #16] \n\t"                                 \
+         "ldr r4, [%1] \n\t"  /* target->r4 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4                   \
+         "mov %0, r0"                                             \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "0" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5)        \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[6];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      __asm__ volatile(                                           \
+         "ldr r0, [%1, #20] \n\t"                                 \
+         "push {r0} \n\t"                                         \
+         "ldr r0, [%1, #4] \n\t"                                  \
+         "ldr r1, [%1, #8] \n\t"                                  \
+         "ldr r2, [%1, #12] \n\t"                                 \
+         "ldr r3, [%1, #16] \n\t"                                 \
+         "ldr r4, [%1] \n\t"  /* target->r4 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4                   \
+         "add sp, sp, #4 \n\t"                                    \
+         "mov %0, r0"                                             \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "0" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6)   \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[7];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      __asm__ volatile(                                           \
+         "ldr r0, [%1, #20] \n\t"                                 \
+         "ldr r1, [%1, #24] \n\t"                                 \
+         "push {r0, r1} \n\t"                                     \
+         "ldr r0, [%1, #4] \n\t"                                  \
+         "ldr r1, [%1, #8] \n\t"                                  \
+         "ldr r2, [%1, #12] \n\t"                                 \
+         "ldr r3, [%1, #16] \n\t"                                 \
+         "ldr r4, [%1] \n\t"  /* target->r4 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4                   \
+         "add sp, sp, #8 \n\t"                                    \
+         "mov %0, r0"                                             \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "0" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7)                            \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[8];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      __asm__ volatile(                                           \
+         "ldr r0, [%1, #20] \n\t"                                 \
+         "ldr r1, [%1, #24] \n\t"                                 \
+         "ldr r2, [%1, #28] \n\t"                                 \
+         "push {r0, r1, r2} \n\t"                                 \
+         "ldr r0, [%1, #4] \n\t"                                  \
+         "ldr r1, [%1, #8] \n\t"                                  \
+         "ldr r2, [%1, #12] \n\t"                                 \
+         "ldr r3, [%1, #16] \n\t"                                 \
+         "ldr r4, [%1] \n\t"  /* target->r4 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4                   \
+         "add sp, sp, #12 \n\t"                                   \
+         "mov %0, r0"                                             \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "0" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7,arg8)                       \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[9];                          \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      __asm__ volatile(                                           \
+         "ldr r0, [%1, #20] \n\t"                                 \
+         "ldr r1, [%1, #24] \n\t"                                 \
+         "ldr r2, [%1, #28] \n\t"                                 \
+         "ldr r3, [%1, #32] \n\t"                                 \
+         "push {r0, r1, r2, r3} \n\t"                             \
+         "ldr r0, [%1, #4] \n\t"                                  \
+         "ldr r1, [%1, #8] \n\t"                                  \
+         "ldr r2, [%1, #12] \n\t"                                 \
+         "ldr r3, [%1, #16] \n\t"                                 \
+         "ldr r4, [%1] \n\t"  /* target->r4 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4                   \
+         "add sp, sp, #16 \n\t"                                   \
+         "mov %0, r0"                                             \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "0" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7,arg8,arg9)                  \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[10];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      _argvec[9] = (unsigned long)(arg9);                         \
+      __asm__ volatile(                                           \
+         "ldr r0, [%1, #20] \n\t"                                 \
+         "ldr r1, [%1, #24] \n\t"                                 \
+         "ldr r2, [%1, #28] \n\t"                                 \
+         "ldr r3, [%1, #32] \n\t"                                 \
+         "ldr r4, [%1, #36] \n\t"                                 \
+         "push {r0, r1, r2, r3, r4} \n\t"                         \
+         "ldr r0, [%1, #4] \n\t"                                  \
+         "ldr r1, [%1, #8] \n\t"                                  \
+         "ldr r2, [%1, #12] \n\t"                                 \
+         "ldr r3, [%1, #16] \n\t"                                 \
+         "ldr r4, [%1] \n\t"  /* target->r4 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4                   \
+         "add sp, sp, #20 \n\t"                                   \
+         "mov %0, r0"                                             \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "0" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                  arg7,arg8,arg9,arg10)           \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[11];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      _argvec[9] = (unsigned long)(arg9);                         \
+      _argvec[10] = (unsigned long)(arg10);                       \
+      __asm__ volatile(                                           \
+         "ldr r0, [%1, #40] \n\t"                                 \
+         "push {r0} \n\t"                                         \
+         "ldr r0, [%1, #20] \n\t"                                 \
+         "ldr r1, [%1, #24] \n\t"                                 \
+         "ldr r2, [%1, #28] \n\t"                                 \
+         "ldr r3, [%1, #32] \n\t"                                 \
+         "ldr r4, [%1, #36] \n\t"                                 \
+         "push {r0, r1, r2, r3, r4} \n\t"                         \
+         "ldr r0, [%1, #4] \n\t"                                  \
+         "ldr r1, [%1, #8] \n\t"                                  \
+         "ldr r2, [%1, #12] \n\t"                                 \
+         "ldr r3, [%1, #16] \n\t"                                 \
+         "ldr r4, [%1] \n\t"  /* target->r4 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4                   \
+         "add sp, sp, #24 \n\t"                                   \
+         "mov %0, r0"                                             \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "0" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,       \
+                                  arg6,arg7,arg8,arg9,arg10,      \
+                                  arg11)                          \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[12];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      _argvec[9] = (unsigned long)(arg9);                         \
+      _argvec[10] = (unsigned long)(arg10);                       \
+      _argvec[11] = (unsigned long)(arg11);                       \
+      __asm__ volatile(                                           \
+         "ldr r0, [%1, #40] \n\t"                                 \
+         "ldr r1, [%1, #44] \n\t"                                 \
+         "push {r0, r1} \n\t"                                     \
+         "ldr r0, [%1, #20] \n\t"                                 \
+         "ldr r1, [%1, #24] \n\t"                                 \
+         "ldr r2, [%1, #28] \n\t"                                 \
+         "ldr r3, [%1, #32] \n\t"                                 \
+         "ldr r4, [%1, #36] \n\t"                                 \
+         "push {r0, r1, r2, r3, r4} \n\t"                         \
+         "ldr r0, [%1, #4] \n\t"                                  \
+         "ldr r1, [%1, #8] \n\t"                                  \
+         "ldr r2, [%1, #12] \n\t"                                 \
+         "ldr r3, [%1, #16] \n\t"                                 \
+         "ldr r4, [%1] \n\t"  /* target->r4 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4                   \
+         "add sp, sp, #28 \n\t"                                   \
+         "mov %0, r0"                                             \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "0" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory",__CALLER_SAVED_REGS           \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,       \
+                                  arg6,arg7,arg8,arg9,arg10,      \
+                                  arg11,arg12)                    \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[13];                         \
+      volatile unsigned long _res;                                \
+      _argvec[0] = (unsigned long)_orig.nraddr;                   \
+      _argvec[1] = (unsigned long)(arg1);                         \
+      _argvec[2] = (unsigned long)(arg2);                         \
+      _argvec[3] = (unsigned long)(arg3);                         \
+      _argvec[4] = (unsigned long)(arg4);                         \
+      _argvec[5] = (unsigned long)(arg5);                         \
+      _argvec[6] = (unsigned long)(arg6);                         \
+      _argvec[7] = (unsigned long)(arg7);                         \
+      _argvec[8] = (unsigned long)(arg8);                         \
+      _argvec[9] = (unsigned long)(arg9);                         \
+      _argvec[10] = (unsigned long)(arg10);                       \
+      _argvec[11] = (unsigned long)(arg11);                       \
+      _argvec[12] = (unsigned long)(arg12);                       \
+      __asm__ volatile(                                           \
+         "ldr r0, [%1, #40] \n\t"                                 \
+         "ldr r1, [%1, #44] \n\t"                                 \
+         "ldr r2, [%1, #48] \n\t"                                 \
+         "push {r0, r1, r2} \n\t"                                 \
+         "ldr r0, [%1, #20] \n\t"                                 \
+         "ldr r1, [%1, #24] \n\t"                                 \
+         "ldr r2, [%1, #28] \n\t"                                 \
+         "ldr r3, [%1, #32] \n\t"                                 \
+         "ldr r4, [%1, #36] \n\t"                                 \
+         "push {r0, r1, r2, r3, r4} \n\t"                         \
+         "ldr r0, [%1, #4] \n\t"                                  \
+         "ldr r1, [%1, #8] \n\t"                                  \
+         "ldr r2, [%1, #12] \n\t"                                 \
+         "ldr r3, [%1, #16] \n\t"                                 \
+         "ldr r4, [%1] \n\t"  /* target->r4 */                    \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4                   \
+         "add sp, sp, #32 \n\t"                                   \
+         "mov %0, r0"                                             \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "0" (&_argvec[0])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#endif /* PLAT_arm_linux */
+
+/* ------------------------ ppc32-aix5 ------------------------- */
+
+#if defined(PLAT_ppc32_aix5)
+
+/* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */
+
+/* These regs are trashed by the hidden call. */
+#define __CALLER_SAVED_REGS                                       \
+   "lr", "ctr", "xer",                                            \
+   "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7",        \
+   "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10",   \
+   "r11", "r12", "r13"
+
+/* Expand the stack frame, copying enough info that unwinding
+   still works.  Trashes r3. */
+
+#define VG_EXPAND_FRAME_BY_trashes_r3(_n_fr)                      \
+         "addi 1,1,-" #_n_fr "\n\t"                               \
+         "lwz  3," #_n_fr "(1)\n\t"                               \
+         "stw  3,0(1)\n\t"
+
+#define VG_CONTRACT_FRAME_BY(_n_fr)                               \
+         "addi 1,1," #_n_fr "\n\t"
+
+/* These CALL_FN_ macros assume that on ppc32-aix5, sizeof(unsigned
+   long) == 4. */
+
+#define CALL_FN_W_v(lval, orig)                                   \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+0];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1] = (unsigned long)_orig.r2;                       \
+      _argvec[2] = (unsigned long)_orig.nraddr;                   \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "stw  2,-8(11)\n\t"  /* save tocptr */                   \
+         "lwz  2,-4(11)\n\t"  /* use nraddr's tocptr */           \
+         "lwz 11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "lwz 2,-8(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_W(lval, orig, arg1)                             \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+1];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "stw  2,-8(11)\n\t"  /* save tocptr */                   \
+         "lwz  2,-4(11)\n\t"  /* use nraddr's tocptr */           \
+         "lwz  3, 4(11)\n\t"  /* arg1->r3 */                      \
+         "lwz 11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "lwz 2,-8(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WW(lval, orig, arg1,arg2)                       \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+2];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "stw  2,-8(11)\n\t"  /* save tocptr */                   \
+         "lwz  2,-4(11)\n\t"  /* use nraddr's tocptr */           \
+         "lwz  3, 4(11)\n\t"  /* arg1->r3 */                      \
+         "lwz  4, 8(11)\n\t"  /* arg2->r4 */                      \
+         "lwz 11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "lwz 2,-8(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3)                 \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+3];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "stw  2,-8(11)\n\t"  /* save tocptr */                   \
+         "lwz  2,-4(11)\n\t"  /* use nraddr's tocptr */           \
+         "lwz  3, 4(11)\n\t"  /* arg1->r3 */                      \
+         "lwz  4, 8(11)\n\t"  /* arg2->r4 */                      \
+         "lwz  5, 12(11)\n\t" /* arg3->r5 */                      \
+         "lwz 11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "lwz 2,-8(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4)           \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+4];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "stw  2,-8(11)\n\t"  /* save tocptr */                   \
+         "lwz  2,-4(11)\n\t"  /* use nraddr's tocptr */           \
+         "lwz  3, 4(11)\n\t"  /* arg1->r3 */                      \
+         "lwz  4, 8(11)\n\t"  /* arg2->r4 */                      \
+         "lwz  5, 12(11)\n\t" /* arg3->r5 */                      \
+         "lwz  6, 16(11)\n\t" /* arg4->r6 */                      \
+         "lwz 11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "lwz 2,-8(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5)        \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+5];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "stw  2,-8(11)\n\t"  /* save tocptr */                   \
+         "lwz  2,-4(11)\n\t"  /* use nraddr's tocptr */           \
+         "lwz  3, 4(11)\n\t"  /* arg1->r3 */                      \
+         "lwz  4, 8(11)\n\t" /* arg2->r4 */                       \
+         "lwz  5, 12(11)\n\t" /* arg3->r5 */                      \
+         "lwz  6, 16(11)\n\t" /* arg4->r6 */                      \
+         "lwz  7, 20(11)\n\t" /* arg5->r7 */                      \
+         "lwz 11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "lwz 2,-8(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6)   \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+6];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "stw  2,-8(11)\n\t"  /* save tocptr */                   \
+         "lwz  2,-4(11)\n\t"  /* use nraddr's tocptr */           \
+         "lwz  3, 4(11)\n\t"  /* arg1->r3 */                      \
+         "lwz  4, 8(11)\n\t"  /* arg2->r4 */                      \
+         "lwz  5, 12(11)\n\t" /* arg3->r5 */                      \
+         "lwz  6, 16(11)\n\t" /* arg4->r6 */                      \
+         "lwz  7, 20(11)\n\t" /* arg5->r7 */                      \
+         "lwz  8, 24(11)\n\t" /* arg6->r8 */                      \
+         "lwz 11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "lwz 2,-8(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7)                            \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+7];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "stw  2,-8(11)\n\t"  /* save tocptr */                   \
+         "lwz  2,-4(11)\n\t"  /* use nraddr's tocptr */           \
+         "lwz  3, 4(11)\n\t"  /* arg1->r3 */                      \
+         "lwz  4, 8(11)\n\t"  /* arg2->r4 */                      \
+         "lwz  5, 12(11)\n\t" /* arg3->r5 */                      \
+         "lwz  6, 16(11)\n\t" /* arg4->r6 */                      \
+         "lwz  7, 20(11)\n\t" /* arg5->r7 */                      \
+         "lwz  8, 24(11)\n\t" /* arg6->r8 */                      \
+         "lwz  9, 28(11)\n\t" /* arg7->r9 */                      \
+         "lwz 11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "lwz 2,-8(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7,arg8)                       \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+8];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "stw  2,-8(11)\n\t"  /* save tocptr */                   \
+         "lwz  2,-4(11)\n\t"  /* use nraddr's tocptr */           \
+         "lwz  3, 4(11)\n\t"  /* arg1->r3 */                      \
+         "lwz  4, 8(11)\n\t"  /* arg2->r4 */                      \
+         "lwz  5, 12(11)\n\t" /* arg3->r5 */                      \
+         "lwz  6, 16(11)\n\t" /* arg4->r6 */                      \
+         "lwz  7, 20(11)\n\t" /* arg5->r7 */                      \
+         "lwz  8, 24(11)\n\t" /* arg6->r8 */                      \
+         "lwz  9, 28(11)\n\t" /* arg7->r9 */                      \
+         "lwz 10, 32(11)\n\t" /* arg8->r10 */                     \
+         "lwz 11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "lwz 2,-8(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7,arg8,arg9)                  \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+9];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      _argvec[2+9] = (unsigned long)arg9;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "stw  2,-8(11)\n\t"  /* save tocptr */                   \
+         "lwz  2,-4(11)\n\t"  /* use nraddr's tocptr */           \
+         VG_EXPAND_FRAME_BY_trashes_r3(64)                        \
+         /* arg9 */                                               \
+         "lwz 3,36(11)\n\t"                                       \
+         "stw 3,56(1)\n\t"                                        \
+         /* args1-8 */                                            \
+         "lwz  3, 4(11)\n\t"  /* arg1->r3 */                      \
+         "lwz  4, 8(11)\n\t"  /* arg2->r4 */                      \
+         "lwz  5, 12(11)\n\t" /* arg3->r5 */                      \
+         "lwz  6, 16(11)\n\t" /* arg4->r6 */                      \
+         "lwz  7, 20(11)\n\t" /* arg5->r7 */                      \
+         "lwz  8, 24(11)\n\t" /* arg6->r8 */                      \
+         "lwz  9, 28(11)\n\t" /* arg7->r9 */                      \
+         "lwz 10, 32(11)\n\t" /* arg8->r10 */                     \
+         "lwz 11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "lwz 2,-8(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(64)                                 \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                  arg7,arg8,arg9,arg10)           \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+10];                       \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      _argvec[2+9] = (unsigned long)arg9;                         \
+      _argvec[2+10] = (unsigned long)arg10;                       \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "stw  2,-8(11)\n\t"  /* save tocptr */                   \
+         "lwz  2,-4(11)\n\t"  /* use nraddr's tocptr */           \
+         VG_EXPAND_FRAME_BY_trashes_r3(64)                        \
+         /* arg10 */                                              \
+         "lwz 3,40(11)\n\t"                                       \
+         "stw 3,60(1)\n\t"                                        \
+         /* arg9 */                                               \
+         "lwz 3,36(11)\n\t"                                       \
+         "stw 3,56(1)\n\t"                                        \
+         /* args1-8 */                                            \
+         "lwz  3, 4(11)\n\t"  /* arg1->r3 */                      \
+         "lwz  4, 8(11)\n\t"  /* arg2->r4 */                      \
+         "lwz  5, 12(11)\n\t" /* arg3->r5 */                      \
+         "lwz  6, 16(11)\n\t" /* arg4->r6 */                      \
+         "lwz  7, 20(11)\n\t" /* arg5->r7 */                      \
+         "lwz  8, 24(11)\n\t" /* arg6->r8 */                      \
+         "lwz  9, 28(11)\n\t" /* arg7->r9 */                      \
+         "lwz 10, 32(11)\n\t" /* arg8->r10 */                     \
+         "lwz 11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "lwz 2,-8(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(64)                                 \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                  arg7,arg8,arg9,arg10,arg11)     \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+11];                       \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      _argvec[2+9] = (unsigned long)arg9;                         \
+      _argvec[2+10] = (unsigned long)arg10;                       \
+      _argvec[2+11] = (unsigned long)arg11;                       \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "stw  2,-8(11)\n\t"  /* save tocptr */                   \
+         "lwz  2,-4(11)\n\t"  /* use nraddr's tocptr */           \
+         VG_EXPAND_FRAME_BY_trashes_r3(72)                        \
+         /* arg11 */                                              \
+         "lwz 3,44(11)\n\t"                                       \
+         "stw 3,64(1)\n\t"                                        \
+         /* arg10 */                                              \
+         "lwz 3,40(11)\n\t"                                       \
+         "stw 3,60(1)\n\t"                                        \
+         /* arg9 */                                               \
+         "lwz 3,36(11)\n\t"                                       \
+         "stw 3,56(1)\n\t"                                        \
+         /* args1-8 */                                            \
+         "lwz  3, 4(11)\n\t"  /* arg1->r3 */                      \
+         "lwz  4, 8(11)\n\t"  /* arg2->r4 */                      \
+         "lwz  5, 12(11)\n\t" /* arg3->r5 */                      \
+         "lwz  6, 16(11)\n\t" /* arg4->r6 */                      \
+         "lwz  7, 20(11)\n\t" /* arg5->r7 */                      \
+         "lwz  8, 24(11)\n\t" /* arg6->r8 */                      \
+         "lwz  9, 28(11)\n\t" /* arg7->r9 */                      \
+         "lwz 10, 32(11)\n\t" /* arg8->r10 */                     \
+         "lwz 11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "lwz 2,-8(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(72)                                 \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                arg7,arg8,arg9,arg10,arg11,arg12) \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+12];                       \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      _argvec[2+9] = (unsigned long)arg9;                         \
+      _argvec[2+10] = (unsigned long)arg10;                       \
+      _argvec[2+11] = (unsigned long)arg11;                       \
+      _argvec[2+12] = (unsigned long)arg12;                       \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "stw  2,-8(11)\n\t"  /* save tocptr */                   \
+         "lwz  2,-4(11)\n\t"  /* use nraddr's tocptr */           \
+         VG_EXPAND_FRAME_BY_trashes_r3(72)                        \
+         /* arg12 */                                              \
+         "lwz 3,48(11)\n\t"                                       \
+         "stw 3,68(1)\n\t"                                        \
+         /* arg11 */                                              \
+         "lwz 3,44(11)\n\t"                                       \
+         "stw 3,64(1)\n\t"                                        \
+         /* arg10 */                                              \
+         "lwz 3,40(11)\n\t"                                       \
+         "stw 3,60(1)\n\t"                                        \
+         /* arg9 */                                               \
+         "lwz 3,36(11)\n\t"                                       \
+         "stw 3,56(1)\n\t"                                        \
+         /* args1-8 */                                            \
+         "lwz  3, 4(11)\n\t"  /* arg1->r3 */                      \
+         "lwz  4, 8(11)\n\t"  /* arg2->r4 */                      \
+         "lwz  5, 12(11)\n\t" /* arg3->r5 */                      \
+         "lwz  6, 16(11)\n\t" /* arg4->r6 */                      \
+         "lwz  7, 20(11)\n\t" /* arg5->r7 */                      \
+         "lwz  8, 24(11)\n\t" /* arg6->r8 */                      \
+         "lwz  9, 28(11)\n\t" /* arg7->r9 */                      \
+         "lwz 10, 32(11)\n\t" /* arg8->r10 */                     \
+         "lwz 11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "lwz 2,-8(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(72)                                 \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#endif /* PLAT_ppc32_aix5 */
+
+/* ------------------------ ppc64-aix5 ------------------------- */
+
+#if defined(PLAT_ppc64_aix5)
+
+/* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */
+
+/* These regs are trashed by the hidden call. */
+#define __CALLER_SAVED_REGS                                       \
+   "lr", "ctr", "xer",                                            \
+   "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7",        \
+   "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10",   \
+   "r11", "r12", "r13"
+
+/* Expand the stack frame, copying enough info that unwinding
+   still works.  Trashes r3. */
+
+#define VG_EXPAND_FRAME_BY_trashes_r3(_n_fr)                      \
+         "addi 1,1,-" #_n_fr "\n\t"                               \
+         "ld   3," #_n_fr "(1)\n\t"                               \
+         "std  3,0(1)\n\t"
+
+#define VG_CONTRACT_FRAME_BY(_n_fr)                               \
+         "addi 1,1," #_n_fr "\n\t"
+
+/* These CALL_FN_ macros assume that on ppc64-aix5, sizeof(unsigned
+   long) == 8. */
+
+#define CALL_FN_W_v(lval, orig)                                   \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+0];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1] = (unsigned long)_orig.r2;                       \
+      _argvec[2] = (unsigned long)_orig.nraddr;                   \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "std  2,-16(11)\n\t" /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_W(lval, orig, arg1)                             \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+1];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "std  2,-16(11)\n\t" /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld 2,-16(11)\n\t" /* restore tocptr */                  \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WW(lval, orig, arg1,arg2)                       \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+2];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "std  2,-16(11)\n\t" /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld  2,-16(11)\n\t" /* restore tocptr */                 \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3)                 \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+3];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "std  2,-16(11)\n\t" /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld  2,-16(11)\n\t" /* restore tocptr */                 \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4)           \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+4];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "std  2,-16(11)\n\t" /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld  2,-16(11)\n\t" /* restore tocptr */                 \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5)        \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+5];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "std  2,-16(11)\n\t" /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld  2,-16(11)\n\t" /* restore tocptr */                 \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6)   \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+6];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "std  2,-16(11)\n\t" /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld   8, 48(11)\n\t" /* arg6->r8 */                      \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld  2,-16(11)\n\t" /* restore tocptr */                 \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7)                            \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+7];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "std  2,-16(11)\n\t" /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld   8, 48(11)\n\t" /* arg6->r8 */                      \
+         "ld   9, 56(11)\n\t" /* arg7->r9 */                      \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld  2,-16(11)\n\t" /* restore tocptr */                 \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7,arg8)                       \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+8];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "std  2,-16(11)\n\t" /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld   8, 48(11)\n\t" /* arg6->r8 */                      \
+         "ld   9, 56(11)\n\t" /* arg7->r9 */                      \
+         "ld  10, 64(11)\n\t" /* arg8->r10 */                     \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld  2,-16(11)\n\t" /* restore tocptr */                 \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,   \
+                                 arg7,arg8,arg9)                  \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+9];                        \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      _argvec[2+9] = (unsigned long)arg9;                         \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "std  2,-16(11)\n\t" /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         VG_EXPAND_FRAME_BY_trashes_r3(128)                       \
+         /* arg9 */                                               \
+         "ld  3,72(11)\n\t"                                       \
+         "std 3,112(1)\n\t"                                       \
+         /* args1-8 */                                            \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld   8, 48(11)\n\t" /* arg6->r8 */                      \
+         "ld   9, 56(11)\n\t" /* arg7->r9 */                      \
+         "ld  10, 64(11)\n\t" /* arg8->r10 */                     \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld  2,-16(11)\n\t" /* restore tocptr */                 \
+         VG_CONTRACT_FRAME_BY(128)                                \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                  arg7,arg8,arg9,arg10)           \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+10];                       \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      _argvec[2+9] = (unsigned long)arg9;                         \
+      _argvec[2+10] = (unsigned long)arg10;                       \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "std  2,-16(11)\n\t" /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         VG_EXPAND_FRAME_BY_trashes_r3(128)                       \
+         /* arg10 */                                              \
+         "ld  3,80(11)\n\t"                                       \
+         "std 3,120(1)\n\t"                                       \
+         /* arg9 */                                               \
+         "ld  3,72(11)\n\t"                                       \
+         "std 3,112(1)\n\t"                                       \
+         /* args1-8 */                                            \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld   8, 48(11)\n\t" /* arg6->r8 */                      \
+         "ld   9, 56(11)\n\t" /* arg7->r9 */                      \
+         "ld  10, 64(11)\n\t" /* arg8->r10 */                     \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld  2,-16(11)\n\t" /* restore tocptr */                 \
+         VG_CONTRACT_FRAME_BY(128)                                \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                  arg7,arg8,arg9,arg10,arg11)     \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+11];                       \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      _argvec[2+9] = (unsigned long)arg9;                         \
+      _argvec[2+10] = (unsigned long)arg10;                       \
+      _argvec[2+11] = (unsigned long)arg11;                       \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "std  2,-16(11)\n\t" /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         VG_EXPAND_FRAME_BY_trashes_r3(144)                       \
+         /* arg11 */                                              \
+         "ld  3,88(11)\n\t"                                       \
+         "std 3,128(1)\n\t"                                       \
+         /* arg10 */                                              \
+         "ld  3,80(11)\n\t"                                       \
+         "std 3,120(1)\n\t"                                       \
+         /* arg9 */                                               \
+         "ld  3,72(11)\n\t"                                       \
+         "std 3,112(1)\n\t"                                       \
+         /* args1-8 */                                            \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld   8, 48(11)\n\t" /* arg6->r8 */                      \
+         "ld   9, 56(11)\n\t" /* arg7->r9 */                      \
+         "ld  10, 64(11)\n\t" /* arg8->r10 */                     \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld  2,-16(11)\n\t" /* restore tocptr */                 \
+         VG_CONTRACT_FRAME_BY(144)                                \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6,  \
+                                arg7,arg8,arg9,arg10,arg11,arg12) \
+   do {                                                           \
+      volatile OrigFn        _orig = (orig);                      \
+      volatile unsigned long _argvec[3+12];                       \
+      volatile unsigned long _res;                                \
+      /* _argvec[0] holds current r2 across the call */           \
+      _argvec[1]   = (unsigned long)_orig.r2;                     \
+      _argvec[2]   = (unsigned long)_orig.nraddr;                 \
+      _argvec[2+1] = (unsigned long)arg1;                         \
+      _argvec[2+2] = (unsigned long)arg2;                         \
+      _argvec[2+3] = (unsigned long)arg3;                         \
+      _argvec[2+4] = (unsigned long)arg4;                         \
+      _argvec[2+5] = (unsigned long)arg5;                         \
+      _argvec[2+6] = (unsigned long)arg6;                         \
+      _argvec[2+7] = (unsigned long)arg7;                         \
+      _argvec[2+8] = (unsigned long)arg8;                         \
+      _argvec[2+9] = (unsigned long)arg9;                         \
+      _argvec[2+10] = (unsigned long)arg10;                       \
+      _argvec[2+11] = (unsigned long)arg11;                       \
+      _argvec[2+12] = (unsigned long)arg12;                       \
+      __asm__ volatile(                                           \
+         "mr 11,%1\n\t"                                           \
+         VG_EXPAND_FRAME_BY_trashes_r3(512)                       \
+         "std  2,-16(11)\n\t" /* save tocptr */                   \
+         "ld   2,-8(11)\n\t"  /* use nraddr's tocptr */           \
+         VG_EXPAND_FRAME_BY_trashes_r3(144)                       \
+         /* arg12 */                                              \
+         "ld  3,96(11)\n\t"                                       \
+         "std 3,136(1)\n\t"                                       \
+         /* arg11 */                                              \
+         "ld  3,88(11)\n\t"                                       \
+         "std 3,128(1)\n\t"                                       \
+         /* arg10 */                                              \
+         "ld  3,80(11)\n\t"                                       \
+         "std 3,120(1)\n\t"                                       \
+         /* arg9 */                                               \
+         "ld  3,72(11)\n\t"                                       \
+         "std 3,112(1)\n\t"                                       \
+         /* args1-8 */                                            \
+         "ld   3, 8(11)\n\t"  /* arg1->r3 */                      \
+         "ld   4, 16(11)\n\t" /* arg2->r4 */                      \
+         "ld   5, 24(11)\n\t" /* arg3->r5 */                      \
+         "ld   6, 32(11)\n\t" /* arg4->r6 */                      \
+         "ld   7, 40(11)\n\t" /* arg5->r7 */                      \
+         "ld   8, 48(11)\n\t" /* arg6->r8 */                      \
+         "ld   9, 56(11)\n\t" /* arg7->r9 */                      \
+         "ld  10, 64(11)\n\t" /* arg8->r10 */                     \
+         "ld  11, 0(11)\n\t"  /* target->r11 */                   \
+         VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11                  \
+         "mr 11,%1\n\t"                                           \
+         "mr %0,3\n\t"                                            \
+         "ld  2,-16(11)\n\t" /* restore tocptr */                 \
+         VG_CONTRACT_FRAME_BY(144)                                \
+         VG_CONTRACT_FRAME_BY(512)                                \
+         : /*out*/   "=r" (_res)                                  \
+         : /*in*/    "r" (&_argvec[2])                            \
+         : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS          \
+      );                                                          \
+      lval = (__typeof__(lval)) _res;                             \
+   } while (0)
+
+#endif /* PLAT_ppc64_aix5 */
+
+
+/* ------------------------------------------------------------------ */
+/* ARCHITECTURE INDEPENDENT MACROS for CLIENT REQUESTS.               */
+/*                                                                    */
+/* ------------------------------------------------------------------ */
+
+/* Some request codes.  There are many more of these, but most are not
+   exposed to end-user view.  These are the public ones, all of the
+   form 0x1000 + small_number.
+
+   Core ones are in the range 0x00000000--0x0000ffff.  The non-public
+   ones start at 0x2000.
+*/
+
+/* These macros are used by tools -- they must be public, but don't
+   embed them into other programs. */
+#define VG_USERREQ_TOOL_BASE(a,b) \
+   ((unsigned int)(((a)&0xff) << 24 | ((b)&0xff) << 16))
+#define VG_IS_TOOL_USERREQ(a, b, v) \
+   (VG_USERREQ_TOOL_BASE(a,b) == ((v) & 0xffff0000))
+
+/* !! ABIWARNING !! ABIWARNING !! ABIWARNING !! ABIWARNING !!
+   This enum comprises an ABI exported by Valgrind to programs
+   which use client requests.  DO NOT CHANGE THE ORDER OF THESE
+   ENTRIES, NOR DELETE ANY -- add new ones at the end. */
+typedef
+   enum { VG_USERREQ__RUNNING_ON_VALGRIND  = 0x1001,
+          VG_USERREQ__DISCARD_TRANSLATIONS = 0x1002,
+
+          /* These allow any function to be called from the simulated
+             CPU but run on the real CPU.  Nb: the first arg passed to
+             the function is always the ThreadId of the running
+             thread!  So CLIENT_CALL0 actually requires a 1 arg
+             function, etc. */
+          VG_USERREQ__CLIENT_CALL0 = 0x1101,
+          VG_USERREQ__CLIENT_CALL1 = 0x1102,
+          VG_USERREQ__CLIENT_CALL2 = 0x1103,
+          VG_USERREQ__CLIENT_CALL3 = 0x1104,
+
+          /* Can be useful in regression testing suites -- eg. can
+             send Valgrind's output to /dev/null and still count
+             errors. */
+          VG_USERREQ__COUNT_ERRORS = 0x1201,
+
+          /* These are useful and can be interpreted by any tool that
+             tracks malloc() et al, by using vg_replace_malloc.c. */
+          VG_USERREQ__MALLOCLIKE_BLOCK = 0x1301,
+          VG_USERREQ__FREELIKE_BLOCK   = 0x1302,
+          /* Memory pool support. */
+          VG_USERREQ__CREATE_MEMPOOL   = 0x1303,
+          VG_USERREQ__DESTROY_MEMPOOL  = 0x1304,
+          VG_USERREQ__MEMPOOL_ALLOC    = 0x1305,
+          VG_USERREQ__MEMPOOL_FREE     = 0x1306,
+          VG_USERREQ__MEMPOOL_TRIM     = 0x1307,
+          VG_USERREQ__MOVE_MEMPOOL     = 0x1308,
+          VG_USERREQ__MEMPOOL_CHANGE   = 0x1309,
+          VG_USERREQ__MEMPOOL_EXISTS   = 0x130a,
+
+          /* Allow printfs to valgrind log. */
+          /* The first two pass the va_list argument by value, which
+             assumes it is the same size as or smaller than a UWord,
+             which generally isn't the case.  Hence are deprecated.
+             The second two pass the vargs by reference and so are
+             immune to this problem. */
+          /* both :: char* fmt, va_list vargs (DEPRECATED) */
+          VG_USERREQ__PRINTF           = 0x1401,
+          VG_USERREQ__PRINTF_BACKTRACE = 0x1402,
+          /* both :: char* fmt, va_list* vargs */
+          VG_USERREQ__PRINTF_VALIST_BY_REF = 0x1403,
+          VG_USERREQ__PRINTF_BACKTRACE_VALIST_BY_REF = 0x1404,
+
+          /* Stack support. */
+          VG_USERREQ__STACK_REGISTER   = 0x1501,
+          VG_USERREQ__STACK_DEREGISTER = 0x1502,
+          VG_USERREQ__STACK_CHANGE     = 0x1503,
+
+          /* Wine support */
+          VG_USERREQ__LOAD_PDB_DEBUGINFO = 0x1601,
+
+          /* Querying of debug info. */
+          VG_USERREQ__MAP_IP_TO_SRCLOC = 0x1701
+   } Vg_ClientRequest;
+
+#if !defined(__GNUC__)
+#  define __extension__ /* */
+#endif
+
+
+/*
+ * VALGRIND_DO_CLIENT_REQUEST_EXPR(): a C expression that invokes a Valgrind
+ * client request and whose value equals the client request result.
+ */
+
+#if defined(NVALGRIND)
+
+#define VALGRIND_DO_CLIENT_REQUEST_EXPR(                               \
+        _zzq_default, _zzq_request,                                    \
+        _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5)         \
+   (_zzq_default)
+
+#else /*defined(NVALGRIND)*/
+
+#if defined(_MSC_VER)
+
+#define VALGRIND_DO_CLIENT_REQUEST_EXPR(                                \
+        _zzq_default, _zzq_request,                                     \
+        _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5)          \
+   (vg_VALGRIND_DO_CLIENT_REQUEST_EXPR((uintptr_t)(_zzq_default),       \
+        (_zzq_request), (uintptr_t)(_zzq_arg1), (uintptr_t)(_zzq_arg2), \
+        (uintptr_t)(_zzq_arg3), (uintptr_t)(_zzq_arg4),                 \
+        (uintptr_t)(_zzq_arg5)))
+
+static __inline unsigned
+vg_VALGRIND_DO_CLIENT_REQUEST_EXPR(uintptr_t _zzq_default,
+                                   unsigned _zzq_request, uintptr_t _zzq_arg1,
+                                   uintptr_t _zzq_arg2, uintptr_t _zzq_arg3,
+                                   uintptr_t _zzq_arg4, uintptr_t _zzq_arg5)
+{
+    unsigned _zzq_rlval;
+    VALGRIND_DO_CLIENT_REQUEST(_zzq_rlval, _zzq_default, _zzq_request,
+                      _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5);
+    return _zzq_rlval;
+}
+
+#else /*defined(_MSC_VER)*/
+
+#define VALGRIND_DO_CLIENT_REQUEST_EXPR(                               \
+        _zzq_default, _zzq_request,                                    \
+        _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5)         \
+   (__extension__({unsigned int _zzq_rlval;                            \
+    VALGRIND_DO_CLIENT_REQUEST(_zzq_rlval, _zzq_default, _zzq_request, \
+                _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \
+    _zzq_rlval;                                                        \
+   }))
+
+#endif /*defined(_MSC_VER)*/
+
+#endif /*defined(NVALGRIND)*/
+
+
+/* Returns the number of Valgrinds this code is running under.  That
+   is, 0 if running natively, 1 if running under Valgrind, 2 if
+   running under Valgrind which is running under another Valgrind,
+   etc. */
+#define RUNNING_ON_VALGRIND                                           \
+    VALGRIND_DO_CLIENT_REQUEST_EXPR(0 /* if not */,                   \
+                                    VG_USERREQ__RUNNING_ON_VALGRIND,  \
+                                    0, 0, 0, 0, 0)                    \
+
+
+/* Discard translation of code in the range [_qzz_addr .. _qzz_addr +
+   _qzz_len - 1].  Useful if you are debugging a JITter or some such,
+   since it provides a way to make sure valgrind will retranslate the
+   invalidated area.  Returns no value. */
+#define VALGRIND_DISCARD_TRANSLATIONS(_qzz_addr,_qzz_len)         \
+   {unsigned int _qzz_res;                                        \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__DISCARD_TRANSLATIONS,  \
+                               _qzz_addr, _qzz_len, 0, 0, 0);     \
+   }
+
+
+/* These requests are for getting Valgrind itself to print something.
+   Possibly with a backtrace.  This is a really ugly hack.  The return value
+   is the number of characters printed, excluding the "**<pid>** " part at the
+   start and the backtrace (if present). */
+
+#if defined(NVALGRIND)
+
+/* In Exim the following two lines have been changed from the original
+   version for portability to C89 compilers that don't support variable
+   argument macros. We don't use these macros so it doesn't matter much what
+   we do with them, but the following will work OK in most situations though
+   it may cause complaints about expressions without side-effects. */
+#  define VALGRIND_PRINTF (void)
+#  define VALGRIND_PRINTF_BACKTRACE (void)
+
+#else /* NVALGRIND */
+
+#if !defined(_MSC_VER)
+/* Modern GCC will optimize the static routine out if unused,
+   and unused attribute will shut down warnings about it.  */
+static int VALGRIND_PRINTF(const char *format, ...)
+   __attribute__((format(__printf__, 1, 2), __unused__));
+#endif
+static int
+#if defined(_MSC_VER)
+__inline
+#endif
+VALGRIND_PRINTF(const char *format, ...)
+{
+   unsigned long _qzz_res;
+   va_list vargs;
+   va_start(vargs, format);
+#if defined(_MSC_VER)
+   VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,
+                              VG_USERREQ__PRINTF_VALIST_BY_REF,
+                              (uintptr_t)format,
+                              (uintptr_t)&vargs,
+                              0, 0, 0);
+#else
+   VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,
+                              VG_USERREQ__PRINTF_VALIST_BY_REF,
+                              (unsigned long)format,
+                              (unsigned long)&vargs,
+                              0, 0, 0);
+#endif
+   va_end(vargs);
+   return (int)_qzz_res;
+}
+
+#if !defined(_MSC_VER)
+static int VALGRIND_PRINTF_BACKTRACE(const char *format, ...)
+   __attribute__((format(__printf__, 1, 2), __unused__));
+#endif
+static int
+#if defined(_MSC_VER)
+__inline
+#endif
+VALGRIND_PRINTF_BACKTRACE(const char *format, ...)
+{
+   unsigned long _qzz_res;
+   va_list vargs;
+   va_start(vargs, format);
+#if defined(_MSC_VER)
+   VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,
+                              VG_USERREQ__PRINTF_BACKTRACE_VALIST_BY_REF,
+                              (uintptr_t)format,
+                              (uintptr_t)&vargs,
+                              0, 0, 0);
+#else
+   VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,
+                              VG_USERREQ__PRINTF_BACKTRACE_VALIST_BY_REF,
+                              (unsigned long)format,
+                              (unsigned long)&vargs,
+                              0, 0, 0);
+#endif
+   va_end(vargs);
+   return (int)_qzz_res;
+}
+
+#endif /* NVALGRIND */
+
+
+/* These requests allow control to move from the simulated CPU to the
+   real CPU, calling an arbitrary function.
+
+   Note that the current ThreadId is inserted as the first argument.
+   So this call:
+
+     VALGRIND_NON_SIMD_CALL2(f, arg1, arg2)
+
+   requires f to have this signature:
+
+     Word f(Word tid, Word arg1, Word arg2)
+
+   where "Word" is a word-sized type.
+
+   Note that these client requests are not entirely reliable.  For example,
+   if you call a function with them that subsequently calls printf(),
+   there's a high chance Valgrind will crash.  Generally, your prospects of
+   these working are made higher if the called function does not refer to
+   any global variables, and does not refer to any libc or other functions
+   (printf et al).  Any kind of entanglement with libc or dynamic linking is
+   likely to have a bad outcome, for tricky reasons which we've grappled
+   with a lot in the past.
+*/
+#define VALGRIND_NON_SIMD_CALL0(_qyy_fn)                          \
+   __extension__                                                  \
+   ({unsigned long _qyy_res;                                      \
+    VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */,  \
+                               VG_USERREQ__CLIENT_CALL0,          \
+                               _qyy_fn,                           \
+                               0, 0, 0, 0);                       \
+    _qyy_res;                                                     \
+   })
+
+#define VALGRIND_NON_SIMD_CALL1(_qyy_fn, _qyy_arg1)               \
+   __extension__                                                  \
+   ({unsigned long _qyy_res;                                      \
+    VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */,  \
+                               VG_USERREQ__CLIENT_CALL1,          \
+                               _qyy_fn,                           \
+                               _qyy_arg1, 0, 0, 0);               \
+    _qyy_res;                                                     \
+   })
+
+#define VALGRIND_NON_SIMD_CALL2(_qyy_fn, _qyy_arg1, _qyy_arg2)    \
+   __extension__                                                  \
+   ({unsigned long _qyy_res;                                      \
+    VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */,  \
+                               VG_USERREQ__CLIENT_CALL2,          \
+                               _qyy_fn,                           \
+                               _qyy_arg1, _qyy_arg2, 0, 0);       \
+    _qyy_res;                                                     \
+   })
+
+#define VALGRIND_NON_SIMD_CALL3(_qyy_fn, _qyy_arg1, _qyy_arg2, _qyy_arg3) \
+   __extension__                                                  \
+   ({unsigned long _qyy_res;                                      \
+    VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */,  \
+                               VG_USERREQ__CLIENT_CALL3,          \
+                               _qyy_fn,                           \
+                               _qyy_arg1, _qyy_arg2,              \
+                               _qyy_arg3, 0);                     \
+    _qyy_res;                                                     \
+   })
+
+
+/* Counts the number of errors that have been recorded by a tool.  Nb:
+   the tool must record the errors with VG_(maybe_record_error)() or
+   VG_(unique_error)() for them to be counted. */
+#define VALGRIND_COUNT_ERRORS                                     \
+   __extension__                                                  \
+   ({unsigned int _qyy_res;                                       \
+    VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */,  \
+                               VG_USERREQ__COUNT_ERRORS,          \
+                               0, 0, 0, 0, 0);                    \
+    _qyy_res;                                                     \
+   })
+
+/* Several Valgrind tools (Memcheck, Massif, Helgrind, DRD) rely on knowing
+   when heap blocks are allocated in order to give accurate results.  This
+   happens automatically for the standard allocator functions such as
+   malloc(), calloc(), realloc(), memalign(), new, new[], free(), delete,
+   delete[], etc.
+
+   But if your program uses a custom allocator, this doesn't automatically
+   happen, and Valgrind will not do as well.  For example, if you allocate
+   superblocks with mmap() and then allocates chunks of the superblocks, all
+   Valgrind's observations will be at the mmap() level and it won't know that
+   the chunks should be considered separate entities.  In Memcheck's case,
+   that means you probably won't get heap block overrun detection (because
+   there won't be redzones marked as unaddressable) and you definitely won't
+   get any leak detection.
+
+   The following client requests allow a custom allocator to be annotated so
+   that it can be handled accurately by Valgrind.
+
+   VALGRIND_MALLOCLIKE_BLOCK marks a region of memory as having been allocated
+   by a malloc()-like function.  For Memcheck (an illustrative case), this
+   does two things:
+
+   - It records that the block has been allocated.  This means any addresses
+     within the block mentioned in error messages will be
+     identified as belonging to the block.  It also means that if the block
+     isn't freed it will be detected by the leak checker.
+
+   - It marks the block as being addressable and undefined (if 'is_zeroed' is
+     not set), or addressable and defined (if 'is_zeroed' is set).  This
+     controls how accesses to the block by the program are handled.
+
+   'addr' is the start of the usable block (ie. after any
+   redzone), 'sizeB' is its size.  'rzB' is the redzone size if the allocator
+   can apply redzones -- these are blocks of padding at the start and end of
+   each block.  Adding redzones is recommended as it makes it much more likely
+   Valgrind will spot block overruns.  `is_zeroed' indicates if the memory is
+   zeroed (or filled with another predictable value), as is the case for
+   calloc().
+
+   VALGRIND_MALLOCLIKE_BLOCK should be put immediately after the point where a
+   heap block -- that will be used by the client program -- is allocated.
+   It's best to put it at the outermost level of the allocator if possible;
+   for example, if you have a function my_alloc() which calls
+   internal_alloc(), and the client request is put inside internal_alloc(),
+   stack traces relating to the heap block will contain entries for both
+   my_alloc() and internal_alloc(), which is probably not what you want.
+
+   For Memcheck users: if you use VALGRIND_MALLOCLIKE_BLOCK to carve out
+   custom blocks from within a heap block, B, that has been allocated with
+   malloc/calloc/new/etc, then block B will be *ignored* during leak-checking
+   -- the custom blocks will take precedence.
+
+   VALGRIND_FREELIKE_BLOCK is the partner to VALGRIND_MALLOCLIKE_BLOCK.  For
+   Memcheck, it does two things:
+
+   - It records that the block has been deallocated.  This assumes that the
+     block was annotated as having been allocated via
+     VALGRIND_MALLOCLIKE_BLOCK.  Otherwise, an error will be issued.
+
+   - It marks the block as being unaddressable.
+
+   VALGRIND_FREELIKE_BLOCK should be put immediately after the point where a
+   heap block is deallocated.
+
+   In many cases, these two client requests will not be enough to get your
+   allocator working well with Memcheck.  More specifically, if your allocator
+   writes to freed blocks in any way then a VALGRIND_MAKE_MEM_UNDEFINED call
+   will be necessary to mark the memory as addressable just before the zeroing
+   occurs, otherwise you'll get a lot of invalid write errors.  For example,
+   you'll need to do this if your allocator recycles freed blocks, but it
+   zeroes them before handing them back out (via VALGRIND_MALLOCLIKE_BLOCK).
+   Alternatively, if your allocator reuses freed blocks for allocator-internal
+   data structures, VALGRIND_MAKE_MEM_UNDEFINED calls will also be necessary.
+
+   Really, what's happening is a blurring of the lines between the client
+   program and the allocator... after VALGRIND_FREELIKE_BLOCK is called, the
+   memory should be considered unaddressable to the client program, but the
+   allocator knows more than the rest of the client program and so may be able
+   to safely access it.  Extra client requests are necessary for Valgrind to
+   understand the distinction between the allocator and the rest of the
+   program.
+
+   Note: there is currently no VALGRIND_REALLOCLIKE_BLOCK client request;  it
+   has to be emulated with MALLOCLIKE/FREELIKE and memory copying.
+
+   Ignored if addr == 0.
+*/
+#define VALGRIND_MALLOCLIKE_BLOCK(addr, sizeB, rzB, is_zeroed)    \
+   {unsigned int _qzz_res;                                        \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__MALLOCLIKE_BLOCK,      \
+                               addr, sizeB, rzB, is_zeroed, 0);   \
+   }
+
+/* See the comment for VALGRIND_MALLOCLIKE_BLOCK for details.
+   Ignored if addr == 0.
+*/
+#define VALGRIND_FREELIKE_BLOCK(addr, rzB)                        \
+   {unsigned int _qzz_res;                                        \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__FREELIKE_BLOCK,        \
+                               addr, rzB, 0, 0, 0);               \
+   }
+
+/* Create a memory pool. */
+#define VALGRIND_CREATE_MEMPOOL(pool, rzB, is_zeroed)             \
+   {unsigned int _qzz_res;                                        \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__CREATE_MEMPOOL,        \
+                               pool, rzB, is_zeroed, 0, 0);       \
+   }
+
+/* Destroy a memory pool. */
+#define VALGRIND_DESTROY_MEMPOOL(pool)                            \
+   {unsigned int _qzz_res;                                        \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__DESTROY_MEMPOOL,       \
+                               pool, 0, 0, 0, 0);                 \
+   }
+
+/* Associate a piece of memory with a memory pool. */
+#define VALGRIND_MEMPOOL_ALLOC(pool, addr, size)                  \
+   {unsigned int _qzz_res;                                        \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__MEMPOOL_ALLOC,         \
+                               pool, addr, size, 0, 0);           \
+   }
+
+/* Disassociate a piece of memory from a memory pool. */
+#define VALGRIND_MEMPOOL_FREE(pool, addr)                         \
+   {unsigned int _qzz_res;                                        \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__MEMPOOL_FREE,          \
+                               pool, addr, 0, 0, 0);              \
+   }
+
+/* Disassociate any pieces outside a particular range. */
+#define VALGRIND_MEMPOOL_TRIM(pool, addr, size)                   \
+   {unsigned int _qzz_res;                                        \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__MEMPOOL_TRIM,          \
+                               pool, addr, size, 0, 0);           \
+   }
+
+/* Resize and/or move a piece associated with a memory pool. */
+#define VALGRIND_MOVE_MEMPOOL(poolA, poolB)                       \
+   {unsigned int _qzz_res;                                        \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__MOVE_MEMPOOL,          \
+                               poolA, poolB, 0, 0, 0);            \
+   }
+
+/* Resize and/or move a piece associated with a memory pool. */
+#define VALGRIND_MEMPOOL_CHANGE(pool, addrA, addrB, size)         \
+   {unsigned int _qzz_res;                                        \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__MEMPOOL_CHANGE,        \
+                               pool, addrA, addrB, size, 0);      \
+   }
+
+/* Return 1 if a mempool exists, else 0. */
+#define VALGRIND_MEMPOOL_EXISTS(pool)                             \
+   __extension__                                                  \
+   ({unsigned int _qzz_res;                                       \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__MEMPOOL_EXISTS,        \
+                               pool, 0, 0, 0, 0);                 \
+    _qzz_res;                                                     \
+   })
+
+/* Mark a piece of memory as being a stack. Returns a stack id. */
+#define VALGRIND_STACK_REGISTER(start, end)                       \
+   __extension__                                                  \
+   ({unsigned int _qzz_res;                                       \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__STACK_REGISTER,        \
+                               start, end, 0, 0, 0);              \
+    _qzz_res;                                                     \
+   })
+
+/* Unmark the piece of memory associated with a stack id as being a
+   stack. */
+#define VALGRIND_STACK_DEREGISTER(id)                             \
+   {unsigned int _qzz_res;                                        \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__STACK_DEREGISTER,      \
+                               id, 0, 0, 0, 0);                   \
+   }
+
+/* Change the start and end address of the stack id. */
+#define VALGRIND_STACK_CHANGE(id, start, end)                     \
+   {unsigned int _qzz_res;                                        \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__STACK_CHANGE,          \
+                               id, start, end, 0, 0);             \
+   }
+
+/* Load PDB debug info for Wine PE image_map. */
+#define VALGRIND_LOAD_PDB_DEBUGINFO(fd, ptr, total_size, delta)   \
+   {unsigned int _qzz_res;                                        \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__LOAD_PDB_DEBUGINFO,    \
+                               fd, ptr, total_size, delta, 0);    \
+   }
+
+/* Map a code address to a source file name and line number.  buf64
+   must point to a 64-byte buffer in the caller's address space.  The
+   result will be dumped in there and is guaranteed to be zero
+   terminated.  If no info is found, the first byte is set to zero. */
+#define VALGRIND_MAP_IP_TO_SRCLOC(addr, buf64)                    \
+   {unsigned int _qzz_res;                                        \
+    VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,                       \
+                               VG_USERREQ__MAP_IP_TO_SRCLOC,      \
+                               addr, buf64, 0, 0, 0);             \
+   }
+
+
+#undef PLAT_x86_linux
+#undef PLAT_amd64_linux
+#undef PLAT_ppc32_linux
+#undef PLAT_ppc64_linux
+#undef PLAT_arm_linux
+#undef PLAT_ppc32_aix5
+#undef PLAT_ppc64_aix5
+
+#endif   /* __VALGRIND_H */
diff --git a/src/verify.c b/src/verify.c
new file mode 100644
index 0000000..b4c2b9a
--- /dev/null
+++ b/src/verify.c
@@ -0,0 +1,3610 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Functions concerned with verifying things. The original code for callout
+caching was contributed by Kevin Fleming (but I hacked it around a bit). */
+
+
+#include "exim.h"
+#include "transports/smtp.h"
+
+#define CUTTHROUGH_CMD_TIMEOUT  30	/* timeout for cutthrough-routing calls */
+#define CUTTHROUGH_DATA_TIMEOUT 60	/* timeout for cutthrough-routing calls */
+static smtp_context ctctx;
+uschar ctbuffer[8192];
+
+
+static uschar cutthrough_response(client_conn_ctx *, char, uschar **, int);
+
+
+
+/*************************************************
+*          Retrieve a callout cache record       *
+*************************************************/
+
+/* If a record exists, check whether it has expired.
+
+Arguments:
+  dbm_file          an open hints file
+  key               the record key
+  type              "address" or "domain"
+  positive_expire   expire time for positive records
+  negative_expire   expire time for negative records
+
+Returns:            the cache record if a non-expired one exists, else NULL
+*/
+
+static dbdata_callout_cache *
+get_callout_cache_record(open_db *dbm_file, const uschar *key, uschar *type,
+  int positive_expire, int negative_expire)
+{
+BOOL negative;
+int length, expire;
+time_t now;
+dbdata_callout_cache *cache_record;
+
+if (!(cache_record = dbfn_read_with_length(dbm_file, key, &length)))
+  {
+  HDEBUG(D_verify) debug_printf_indent("callout cache: no %s record found for %s\n", type, key);
+  return NULL;
+  }
+
+/* We treat a record as "negative" if its result field is not positive, or if
+it is a domain record and the postmaster field is negative. */
+
+negative = cache_record->result != ccache_accept ||
+  (type[0] == 'd' && cache_record->postmaster_result == ccache_reject);
+expire = negative? negative_expire : positive_expire;
+now = time(NULL);
+
+if (now - cache_record->time_stamp > expire)
+  {
+  HDEBUG(D_verify) debug_printf_indent("callout cache: %s record expired for %s\n", type, key);
+  return NULL;
+  }
+
+/* If this is a non-reject domain record, check for the obsolete format version
+that doesn't have the postmaster and random timestamps, by looking at the
+length. If so, copy it to a new-style block, replicating the record's
+timestamp. Then check the additional timestamps. (There's no point wasting
+effort if connections are rejected.) */
+
+if (type[0] == 'd' && cache_record->result != ccache_reject)
+  {
+  if (length == sizeof(dbdata_callout_cache_obs))
+    {
+    dbdata_callout_cache * new = store_get(sizeof(dbdata_callout_cache), GET_UNTAINTED);
+    memcpy(new, cache_record, length);
+    new->postmaster_stamp = new->random_stamp = new->time_stamp;
+    cache_record = new;
+    }
+
+  if (now - cache_record->postmaster_stamp > expire)
+    cache_record->postmaster_result = ccache_unknown;
+
+  if (now - cache_record->random_stamp > expire)
+    cache_record->random_result = ccache_unknown;
+  }
+
+HDEBUG(D_verify) debug_printf_indent("callout cache: found %s record for %s\n", type, key);
+return cache_record;
+}
+
+
+
+/* Check the callout cache.
+Options * pm_mailfrom may be modified by cache partial results.
+
+Return: TRUE if result found
+*/
+
+static BOOL
+cached_callout_lookup(address_item * addr, uschar * address_key,
+  uschar * from_address, int * opt_ptr, uschar ** pm_ptr,
+  int * yield, uschar ** failure_ptr,
+  dbdata_callout_cache * new_domain_record, int * old_domain_res)
+{
+int options = *opt_ptr;
+open_db dbblock;
+open_db *dbm_file = NULL;
+
+/* Open the callout cache database, if it exists, for reading only at this
+stage, unless caching has been disabled. */
+
+if (options & vopt_callout_no_cache)
+  {
+  HDEBUG(D_verify) debug_printf_indent("callout cache: disabled by no_cache\n");
+  }
+else if (!(dbm_file = dbfn_open(US"callout", O_RDWR, &dbblock, FALSE, TRUE)))
+  {
+  HDEBUG(D_verify) debug_printf_indent("callout cache: not available\n");
+  }
+else
+  {
+  /* If a cache database is available see if we can avoid the need to do an
+  actual callout by making use of previously-obtained data. */
+
+  dbdata_callout_cache_address * cache_address_record;
+  dbdata_callout_cache * cache_record = get_callout_cache_record(dbm_file,
+      addr->domain, US"domain",
+      callout_cache_domain_positive_expire, callout_cache_domain_negative_expire);
+
+  /* If an unexpired cache record was found for this domain, see if the callout
+  process can be short-circuited. */
+
+  if (cache_record)
+    {
+    /* In most cases, if an early command (up to and including MAIL FROM:<>)
+    was rejected, there is no point carrying on. The callout fails. However, if
+    we are doing a recipient verification with use_sender or use_postmaster
+    set, a previous failure of MAIL FROM:<> doesn't count, because this time we
+    will be using a non-empty sender. We have to remember this situation so as
+    not to disturb the cached domain value if this whole verification succeeds
+    (we don't want it turning into "accept"). */
+
+    *old_domain_res = cache_record->result;
+
+    if (  cache_record->result == ccache_reject
+       || *from_address == 0 && cache_record->result == ccache_reject_mfnull)
+      {
+      HDEBUG(D_verify)
+	debug_printf_indent("callout cache: domain gave initial rejection, or "
+	  "does not accept HELO or MAIL FROM:<>\n");
+      setflag(addr, af_verify_nsfail);
+      addr->user_message = US"(result of an earlier callout reused).";
+      *yield = FAIL;
+      *failure_ptr = US"mail";
+      dbfn_close(dbm_file);
+      return TRUE;
+      }
+
+    /* If a previous check on a "random" local part was accepted, we assume
+    that the server does not do any checking on local parts. There is therefore
+    no point in doing the callout, because it will always be successful. If a
+    random check previously failed, arrange not to do it again, but preserve
+    the data in the new record. If a random check is required but hasn't been
+    done, skip the remaining cache processing. */
+
+    if (options & vopt_callout_random) switch(cache_record->random_result)
+      {
+      case ccache_accept:
+	HDEBUG(D_verify)
+	  debug_printf_indent("callout cache: domain accepts random addresses\n");
+	*failure_ptr = US"random";
+	dbfn_close(dbm_file);
+	return TRUE;     /* Default yield is OK */
+
+      case ccache_reject:
+	HDEBUG(D_verify)
+	  debug_printf_indent("callout cache: domain rejects random addresses\n");
+	*opt_ptr = options & ~vopt_callout_random;
+	new_domain_record->random_result = ccache_reject;
+	new_domain_record->random_stamp = cache_record->random_stamp;
+	break;
+
+      default:
+	HDEBUG(D_verify)
+	  debug_printf_indent("callout cache: need to check random address handling "
+	    "(not cached or cache expired)\n");
+	dbfn_close(dbm_file);
+	return FALSE;
+      }
+
+    /* If a postmaster check is requested, but there was a previous failure,
+    there is again no point in carrying on. If a postmaster check is required,
+    but has not been done before, we are going to have to do a callout, so skip
+    remaining cache processing. */
+
+    if (*pm_ptr)
+      {
+      if (cache_record->postmaster_result == ccache_reject)
+	{
+	setflag(addr, af_verify_pmfail);
+	HDEBUG(D_verify)
+	  debug_printf_indent("callout cache: domain does not accept "
+	    "RCPT TO:<postmaster@domain>\n");
+	*yield = FAIL;
+	*failure_ptr = US"postmaster";
+	setflag(addr, af_verify_pmfail);
+	addr->user_message = US"(result of earlier verification reused).";
+	dbfn_close(dbm_file);
+	return TRUE;
+	}
+      if (cache_record->postmaster_result == ccache_unknown)
+	{
+	HDEBUG(D_verify)
+	  debug_printf_indent("callout cache: need to check RCPT "
+	    "TO:<postmaster@domain> (not cached or cache expired)\n");
+	dbfn_close(dbm_file);
+	return FALSE;
+	}
+
+      /* If cache says OK, set pm_mailfrom NULL to prevent a redundant
+      postmaster check if the address itself has to be checked. Also ensure
+      that the value in the cache record is preserved (with its old timestamp).
+      */
+
+      HDEBUG(D_verify) debug_printf_indent("callout cache: domain accepts RCPT "
+	"TO:<postmaster@domain>\n");
+      *pm_ptr = NULL;
+      new_domain_record->postmaster_result = ccache_accept;
+      new_domain_record->postmaster_stamp = cache_record->postmaster_stamp;
+      }
+    }
+
+  /* We can't give a result based on information about the domain. See if there
+  is an unexpired cache record for this specific address (combined with the
+  sender address if we are doing a recipient callout with a non-empty sender).
+  */
+
+  if (!(cache_address_record = (dbdata_callout_cache_address *)
+    get_callout_cache_record(dbm_file, address_key, US"address",
+      callout_cache_positive_expire, callout_cache_negative_expire)))
+    {
+    dbfn_close(dbm_file);
+    return FALSE;
+    }
+
+  if (cache_address_record->result == ccache_accept)
+    {
+    HDEBUG(D_verify)
+      debug_printf_indent("callout cache: address record is positive\n");
+    }
+  else
+    {
+    HDEBUG(D_verify)
+      debug_printf_indent("callout cache: address record is negative\n");
+    addr->user_message = US"Previous (cached) callout verification failure";
+    *failure_ptr = US"recipient";
+    *yield = FAIL;
+    }
+
+  /* Close the cache database while we actually do the callout for real. */
+
+  dbfn_close(dbm_file);
+  return TRUE;
+  }
+return FALSE;
+}
+
+
+/* Write results to callout cache
+*/
+static void
+cache_callout_write(dbdata_callout_cache * dom_rec, const uschar * domain,
+  int done, dbdata_callout_cache_address * addr_rec, uschar * address_key)
+{
+open_db dbblock;
+open_db *dbm_file = NULL;
+
+/* If we get here with done == TRUE, a successful callout happened, and yield
+will be set OK or FAIL according to the response to the RCPT command.
+Otherwise, we looped through the hosts but couldn't complete the business.
+However, there may be domain-specific information to cache in both cases.
+
+The value of the result field in the new_domain record is ccache_unknown if
+there was an error before or with MAIL FROM:, and errno was not zero,
+implying some kind of I/O error. We don't want to write the cache in that case.
+Otherwise the value is ccache_accept, ccache_reject, or ccache_reject_mfnull. */
+
+if (dom_rec->result != ccache_unknown)
+  if (!(dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE, TRUE)))
+    {
+    HDEBUG(D_verify) debug_printf_indent("callout cache: not available\n");
+    }
+  else
+    {
+    (void)dbfn_write(dbm_file, domain, dom_rec,
+      (int)sizeof(dbdata_callout_cache));
+    HDEBUG(D_verify) debug_printf_indent("wrote callout cache domain record for %s:\n"
+      "  result=%d postmaster=%d random=%d\n",
+      domain,
+      dom_rec->result,
+      dom_rec->postmaster_result,
+      dom_rec->random_result);
+    }
+
+/* If a definite result was obtained for the callout, cache it unless caching
+is disabled. */
+
+if (done  &&  addr_rec->result != ccache_unknown)
+  {
+  if (!dbm_file)
+    dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE, TRUE);
+  if (!dbm_file)
+    {
+    HDEBUG(D_verify) debug_printf_indent("no callout cache available\n");
+    }
+  else
+    {
+    (void)dbfn_write(dbm_file, address_key, addr_rec,
+      (int)sizeof(dbdata_callout_cache_address));
+    HDEBUG(D_verify) debug_printf_indent("wrote %s callout cache address record for %s\n",
+      addr_rec->result == ccache_accept ? "positive" : "negative",
+      address_key);
+    }
+  }
+
+if (dbm_file) dbfn_close(dbm_file);
+}
+
+
+/* Cutthrough-multi.  If the existing cached cutthrough connection matches
+the one we would make for a subsequent recipient, use it.  Send the RCPT TO
+and check the result, nonpipelined as it may be wanted immediately for
+recipient-verification.
+
+It seems simpler to deal with this case separately from the main callout loop.
+We will need to remember it has sent, or not, so that rcpt-acl tail code
+can do it there for the non-rcpt-verify case.  For this we keep an addresscount.
+
+Return: TRUE for a definitive result for the recipient
+*/
+static int
+cutthrough_multi(address_item * addr, host_item * host_list,
+  transport_feedback * tf, int * yield)
+{
+BOOL done = FALSE;
+
+if (addr->transport == cutthrough.addr.transport)
+  for (host_item * host = host_list; host; host = host->next)
+    if (Ustrcmp(host->address, cutthrough.host.address) == 0)
+      {
+      int host_af;
+      uschar *interface = NULL;  /* Outgoing interface to use; NULL => any */
+      int port = 25;
+
+      deliver_host = host->name;
+      deliver_host_address = host->address;
+      deliver_host_port = host->port;
+      deliver_domain = addr->domain;
+      transport_name = addr->transport->name;
+
+      host_af = Ustrchr(host->address, ':') ? AF_INET6 : AF_INET;
+
+      if (  !smtp_get_interface(tf->interface, host_af, addr, &interface,
+	      US"callout")
+	 || !smtp_get_port(tf->port, addr, &port, US"callout")
+	 )
+	log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
+	  addr->message);
+
+      smtp_port_for_connect(host, port);
+
+      if (  (  interface == cutthrough.interface
+	    || (  interface
+	       && cutthrough.interface
+	       && Ustrcmp(interface, cutthrough.interface) == 0
+	    )  )
+	 && host->port == cutthrough.host.port
+	 )
+	{
+	uschar * resp = NULL;
+
+	/* Match!  Send the RCPT TO, set done from the response */
+	done =
+	     smtp_write_command(&ctctx, SCMD_FLUSH, "RCPT TO:<%.1000s>\r\n",
+	      transport_rcpt_address(addr,
+		 addr->transport->rcpt_include_affixes)) >= 0
+	  && cutthrough_response(&cutthrough.cctx, '2', &resp,
+	      CUTTHROUGH_DATA_TIMEOUT) == '2';
+
+	/* This would go horribly wrong if a callout fail was ignored by ACL.
+	We punt by abandoning cutthrough on a reject, like the
+	first-rcpt does. */
+
+	if (done)
+	  {
+	  address_item * na = store_get(sizeof(address_item), GET_UNTAINTED);
+	  *na = cutthrough.addr;
+	  cutthrough.addr = *addr;
+	  cutthrough.addr.host_used = &cutthrough.host;
+	  cutthrough.addr.next = na;
+
+	  cutthrough.nrcpt++;
+	  }
+	else
+	  {
+	  cancel_cutthrough_connection(TRUE, US"recipient rejected");
+	  if (!resp || errno == ETIMEDOUT)
+	    {
+	    HDEBUG(D_verify) debug_printf("SMTP timeout\n");
+	    }
+	  else if (errno == 0)
+	    {
+	    if (*resp == 0)
+	      Ustrcpy(resp, US"connection dropped");
+
+	    addr->message =
+	      string_sprintf("response to \"%s\" was: %s",
+		big_buffer, string_printing(resp));
+
+	    addr->user_message =
+	      string_sprintf("Callout verification failed:\n%s", resp);
+
+	    /* Hard rejection ends the process */
+
+	    if (resp[0] == '5')   /* Address rejected */
+	      {
+	      *yield = FAIL;
+	      done = TRUE;
+	      }
+	    }
+	  }
+	}
+      break;	/* host_list */
+      }
+if (!done)
+  cancel_cutthrough_connection(TRUE, US"incompatible connection");
+return done;
+}
+
+
+
+
+/* A rcpt callout, or cached record of one, verified the address.
+Set $domain_data and $local_part_data to detainted versions.
+*/
+static void
+callout_verified_rcpt(const address_item * addr)
+{
+address_item a = {.address = addr->address};
+if (deliver_split_address(&a) != OK) return;
+deliver_localpart_data = string_copy_taint(a.local_part, GET_UNTAINTED);
+deliver_domain_data =    string_copy_taint(a.domain,     GET_UNTAINTED);
+}
+
+
+/*************************************************
+*      Do callout verification for an address    *
+*************************************************/
+
+/* This function is called from verify_address() when the address has routed to
+a host list, and a callout has been requested. Callouts are expensive; that is
+why a cache is used to improve the efficiency.
+
+Arguments:
+  addr              the address that's been routed
+  host_list         the list of hosts to try
+  tf                the transport feedback block
+
+  ifstring          "interface" option from transport, or NULL
+  portstring        "port" option from transport, or NULL
+  protocolstring    "protocol" option from transport, or NULL
+  callout           the per-command callout timeout
+  callout_overall   the overall callout timeout (if < 0 use 4*callout)
+  callout_connect   the callout connection timeout (if < 0 use callout)
+  options           the verification options - these bits are used:
+                      vopt_is_recipient => this is a recipient address
+                      vopt_callout_no_cache => don't use callout cache
+                      vopt_callout_fullpm => if postmaster check, do full one
+                      vopt_callout_random => do the "random" thing
+                      vopt_callout_recipsender => use real sender for recipient
+                      vopt_callout_recippmaster => use postmaster for recipient
+		      vopt_callout_hold         => lazy close connection
+  se_mailfrom         MAIL FROM address for sender verify; NULL => ""
+  pm_mailfrom         if non-NULL, do the postmaster check with this sender
+
+Returns:            OK/FAIL/DEFER
+*/
+
+static int
+do_callout(address_item *addr, host_item *host_list, transport_feedback *tf,
+  int callout, int callout_overall, int callout_connect, int options,
+  uschar *se_mailfrom, uschar *pm_mailfrom)
+{
+int yield = OK;
+int old_domain_cache_result = ccache_accept;
+BOOL done = FALSE;
+uschar *address_key;
+uschar *from_address;
+uschar *random_local_part = NULL;
+const uschar *save_deliver_domain = deliver_domain;
+uschar **failure_ptr = options & vopt_is_recipient
+  ? &recipient_verify_failure : &sender_verify_failure;
+dbdata_callout_cache new_domain_record;
+dbdata_callout_cache_address new_address_record;
+time_t callout_start_time;
+
+new_domain_record.result = ccache_unknown;
+new_domain_record.postmaster_result = ccache_unknown;
+new_domain_record.random_result = ccache_unknown;
+
+memset(&new_address_record, 0, sizeof(new_address_record));
+
+/* For a recipient callout, the key used for the address cache record must
+include the sender address if we are using the real sender in the callout,
+because that may influence the result of the callout. */
+
+if (options & vopt_is_recipient)
+  if (options & vopt_callout_recipsender)
+    {
+    from_address = sender_address;
+    address_key = string_sprintf("%s/<%s>", addr->address, sender_address);
+    if (cutthrough.delivery) options |= vopt_callout_no_cache;
+    }
+  else if (options & vopt_callout_recippmaster)
+    {
+    from_address = string_sprintf("postmaster@%s", qualify_domain_sender);
+    address_key = string_sprintf("%s/<postmaster@%s>", addr->address,
+      qualify_domain_sender);
+    }
+  else
+    {
+    from_address = US"";
+    address_key = addr->address;
+    }
+
+/* For a sender callout, we must adjust the key if the mailfrom address is not
+empty. */
+
+else
+  {
+  from_address = se_mailfrom ? se_mailfrom : US"";
+  address_key = *from_address
+    ? string_sprintf("%s/<%s>", addr->address, from_address) : addr->address;
+  }
+
+if (cached_callout_lookup(addr, address_key, from_address,
+      &options, &pm_mailfrom, &yield, failure_ptr,
+      &new_domain_record, &old_domain_cache_result))
+  {
+  cancel_cutthrough_connection(TRUE, US"cache-hit");
+  goto END_CALLOUT;
+  }
+
+if (!addr->transport)
+  {
+  HDEBUG(D_verify) debug_printf("cannot callout via null transport\n");
+  }
+
+else if (Ustrcmp(addr->transport->driver_name, "smtp") != 0)
+  log_write(0, LOG_MAIN|LOG_PANIC|LOG_CONFIG_FOR, "callout transport '%s': %s is non-smtp",
+    addr->transport->name, addr->transport->driver_name);
+else
+  {
+  smtp_transport_options_block *ob =
+    (smtp_transport_options_block *)addr->transport->options_block;
+  smtp_context * sx = NULL;
+
+  /* The information wasn't available in the cache, so we have to do a real
+  callout and save the result in the cache for next time, unless no_cache is set,
+  or unless we have a previously cached negative random result. If we are to test
+  with a random local part, ensure that such a local part is available. If not,
+  log the fact, but carry on without randomising. */
+
+  if (options & vopt_callout_random  &&  callout_random_local_part)
+    if (!(random_local_part = expand_string(callout_random_local_part)))
+      log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
+        "callout_random_local_part: %s", expand_string_message);
+
+  /* Compile regex' used by client-side smtp */
+
+  smtp_deliver_init();
+
+  /* Default the connect and overall callout timeouts if not set, and record the
+  time we are starting so that we can enforce it. */
+
+  if (callout_overall < 0) callout_overall = 4 * callout;
+  if (callout_connect < 0) callout_connect = callout;
+  callout_start_time = time(NULL);
+
+  /* Before doing a real callout, if this is an SMTP connection, flush the SMTP
+  output because a callout might take some time. When PIPELINING is active and
+  there are many recipients, the total time for doing lots of callouts can add up
+  and cause the client to time out. So in this case we forgo the PIPELINING
+  optimization. */
+
+  if (smtp_out && !f.disable_callout_flush) mac_smtp_fflush();
+
+  clearflag(addr, af_verify_pmfail);  /* postmaster callout flag */
+  clearflag(addr, af_verify_nsfail);  /* null sender callout flag */
+
+/* cutthrough-multi: if a nonfirst rcpt has the same routing as the first,
+and we are holding a cutthrough conn open, we can just append the rcpt to
+that conn for verification purposes (and later delivery also).  Simplest
+coding means skipping this whole loop and doing the append separately.  */
+
+  /* Can we re-use an open cutthrough connection? */
+  if (  cutthrough.cctx.sock >= 0
+     && (options & (vopt_callout_recipsender | vopt_callout_recippmaster))
+	== vopt_callout_recipsender
+     && !random_local_part
+     && !pm_mailfrom
+     )
+    done = cutthrough_multi(addr, host_list, tf, &yield);
+
+  /* If we did not use a cached connection, make connections to the hosts
+  and do real callouts. The list of hosts is passed in as an argument. */
+
+  for (host_item * host = host_list; host && !done; host = host->next)
+    {
+    int host_af;
+    int port = 25;
+    uschar * interface = NULL;  /* Outgoing interface to use; NULL => any */
+
+    if (!host->address)
+      {
+      DEBUG(D_verify) debug_printf("no IP address for host name %s: skipping\n",
+        host->name);
+      continue;
+      }
+
+    /* Check the overall callout timeout */
+
+    if (time(NULL) - callout_start_time >= callout_overall)
+      {
+      HDEBUG(D_verify) debug_printf("overall timeout for callout exceeded\n");
+      break;
+      }
+
+    /* Set IPv4 or IPv6 */
+
+    host_af = Ustrchr(host->address, ':') ? AF_INET6 : AF_INET;
+
+    /* Expand and interpret the interface and port strings. The latter will not
+    be used if there is a host-specific port (e.g. from a manualroute router).
+    This has to be delayed till now, because they may expand differently for
+    different hosts. If there's a failure, log it, but carry on with the
+    defaults. */
+
+    deliver_host = host->name;
+    deliver_host_address = host->address;
+    deliver_host_port = host->port;
+    deliver_domain = addr->domain;
+    transport_name = addr->transport->name;
+
+    if (  !smtp_get_interface(tf->interface, host_af, addr, &interface,
+            US"callout")
+       || !smtp_get_port(tf->port, addr, &port, US"callout")
+       )
+      log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
+        addr->message);
+
+    if (!sx) sx = store_get(sizeof(*sx), GET_TAINTED);	/* tainted buffers */
+    memset(sx, 0, sizeof(*sx));
+
+    sx->addrlist = sx->first_addr = addr;
+    sx->conn_args.host = host;
+    sx->conn_args.host_af = host_af,
+    sx->port = port;
+    sx->conn_args.interface = interface;
+    sx->helo_data = tf->helo_data;
+    sx->conn_args.tblock = addr->transport;
+    sx->conn_args.sock = -1;
+    sx->verify = TRUE;
+
+tls_retry_connection:
+    /* Set the address state so that errors are recorded in it */
+
+    addr->transport_return = PENDING_DEFER;
+    ob->connect_timeout = callout_connect;
+    ob->command_timeout = callout;
+
+    /* Get the channel set up ready for a message (MAIL FROM being the next
+    SMTP command to send.  If we tried TLS but it failed, try again without
+    if permitted */
+
+    yield = smtp_setup_conn(sx, FALSE);
+#ifndef DISABLE_TLS
+    if (  yield == DEFER
+       && addr->basic_errno == ERRNO_TLSFAILURE
+       && ob->tls_tempfail_tryclear
+       && verify_check_given_host(CUSS &ob->hosts_require_tls, host) != OK
+       )
+      {
+      log_write(0, LOG_MAIN,
+	"%s: callout unencrypted to %s [%s] (not in hosts_require_tls)",
+	addr->message, host->name, host->address);
+      addr->transport_return = PENDING_DEFER;
+      yield = smtp_setup_conn(sx, TRUE);
+      }
+#endif
+    if (yield != OK)
+      {
+      errno = addr->basic_errno;
+      transport_name = NULL;
+      deliver_host = deliver_host_address = NULL;
+      deliver_domain = save_deliver_domain;
+
+      /* Failure to accept HELO is cached; this blocks the whole domain for all
+      senders. I/O errors and defer responses are not cached. */
+
+      if (yield == FAIL && (errno == 0 || errno == ERRNO_SMTPCLOSED))
+	{
+	setflag(addr, af_verify_nsfail);
+	new_domain_record.result = ccache_reject;
+	done = TRUE;
+	}
+      else
+	done = FALSE;
+      goto no_conn;
+      }
+
+    /* If we needed to authenticate, smtp_setup_conn() did that.  Copy
+    the AUTH info for logging */
+
+    addr->authenticator = client_authenticator;
+    addr->auth_id = client_authenticated_id;
+
+    sx->from_addr = from_address;
+    sx->first_addr = sx->sync_addr = addr;
+    sx->ok = FALSE;			/*XXX these 3 last might not be needed for verify? */
+    sx->send_rset = TRUE;
+    sx->completed_addr = FALSE;
+
+    new_domain_record.result = old_domain_cache_result == ccache_reject_mfnull
+      ? ccache_reject_mfnull : ccache_accept;
+
+    /* Do the random local part check first. Temporarily replace the recipient
+    with the "random" value */
+
+    if (random_local_part)
+      {
+      uschar * main_address = addr->address;
+      const uschar * rcpt_domain = addr->domain;
+
+#ifdef SUPPORT_I18N
+      uschar * errstr = NULL;
+      if (  testflag(addr, af_utf8_downcvt)
+	 && (rcpt_domain = string_domain_utf8_to_alabel(rcpt_domain,
+				    &errstr), errstr)
+	 )
+	{
+	addr->message = errstr;
+	errno = ERRNO_EXPANDFAIL;
+	setflag(addr, af_verify_nsfail);
+	done = FALSE;
+	rcpt_domain = US"";  /*XXX errorhandling! */
+	}
+#endif
+
+      /* This would be ok for 1st rcpt of a cutthrough (the case handled here;
+      subsequents are done in cutthrough_multi()), but no way to
+      handle a subsequent because of the RSET vaporising the MAIL FROM.
+      So refuse to support any.  Most cutthrough use will not involve
+      random_local_part, so no loss. */
+      cancel_cutthrough_connection(TRUE, US"random-recipient");
+
+      addr->address = string_sprintf("%s@%.1000s",
+				    random_local_part, rcpt_domain);
+      done = FALSE;
+
+      /* If accepted, we aren't going to do any further tests below.
+      Otherwise, cache a real negative response, and get back to the right
+      state to send RCPT. Unless there's some problem such as a dropped
+      connection, we expect to succeed, because the commands succeeded above.
+      However, some servers drop the connection after responding to an
+      invalid recipient, so on (any) error we drop and remake the connection.
+      XXX We don't care about that for postmaster_full.  Should we?
+
+      XXX could we add another flag to the context, and have the common
+      code emit the RSET too?  Even pipelined after the RCPT...
+      Then the main-verify call could use it if there's to be a subsequent
+      postmaster-verify.
+      The sync_responses() would need to be taught about it and we'd
+      need another return code filtering out to here.
+
+      Avoid using a SIZE option on the MAIL for all random-rcpt checks.
+      */
+
+      sx->avoid_option = OPTION_SIZE;
+
+      /* Remember when we last did a random test */
+      new_domain_record.random_stamp = time(NULL);
+
+      if (smtp_write_mail_and_rcpt_cmds(sx, &yield) == 0)
+	switch(addr->transport_return)
+	  {
+	  case PENDING_OK:	/* random was accepted, unfortunately */
+	    new_domain_record.random_result = ccache_accept;
+	    yield = OK;		/* Only usable verify result we can return */
+	    done = TRUE;
+	    *failure_ptr = US"random";
+	    goto no_conn;
+	  case FAIL:		/* rejected: the preferred result */
+	    new_domain_record.random_result = ccache_reject;
+	    sx->avoid_option = 0;
+
+	    /* Between each check, issue RSET, because some servers accept only
+	    one recipient after MAIL FROM:<>.
+	    XXX We don't care about that for postmaster_full.  Should we? */
+
+	    if ((done =
+	      smtp_write_command(sx, SCMD_FLUSH, "RSET\r\n") >= 0 &&
+	      smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', callout)))
+	      break;
+
+	    HDEBUG(D_acl|D_v)
+	      debug_printf_indent("problem after random/rset/mfrom; reopen conn\n");
+	    random_local_part = NULL;
+#ifndef DISABLE_TLS
+	    tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
+#endif
+	    HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP(close)>>\n");
+	    (void)close(sx->cctx.sock);
+	    sx->cctx.sock = -1;
+#ifndef DISABLE_EVENT
+	    (void) event_raise(addr->transport->event_action,
+			      US"tcp:close", NULL, NULL);
+#endif
+	    addr->address = main_address;
+	    addr->transport_return = PENDING_DEFER;
+	    sx->first_addr = sx->sync_addr = addr;
+	    sx->ok = FALSE;
+	    sx->send_rset = TRUE;
+	    sx->completed_addr = FALSE;
+	    goto tls_retry_connection;
+	  case DEFER:		/* 4xx response to random */
+	    break;		/* Just to be clear. ccache_unknown, !done. */
+	  }
+
+      /* Re-setup for main verify, or for the error message when failing */
+      addr->address = main_address;
+      addr->transport_return = PENDING_DEFER;
+      sx->first_addr = sx->sync_addr = addr;
+      sx->ok = FALSE;
+      sx->send_rset = TRUE;
+      sx->completed_addr = FALSE;
+      }
+    else
+      done = TRUE;
+
+    /* Main verify.  For rcpt-verify use SIZE if we know it and we're not cacheing;
+    for sndr-verify never use it. */
+
+    if (done)
+      {
+      if (!(options & vopt_is_recipient  &&  options & vopt_callout_no_cache))
+	sx->avoid_option = OPTION_SIZE;
+
+      done = FALSE;
+      switch(smtp_write_mail_and_rcpt_cmds(sx, &yield))
+	{
+	case 0:  switch(addr->transport_return)	/* ok so far */
+		    {
+		    case PENDING_OK:  done = TRUE;
+				      new_address_record.result = ccache_accept;
+				      break;
+		    case FAIL:	      done = TRUE;
+				      yield = FAIL;
+				      *failure_ptr = US"recipient";
+				      new_address_record.result = ccache_reject;
+				      break;
+		    default:	      break;
+		    }
+		  break;
+
+	case -1:				/* MAIL response error */
+		  *failure_ptr = US"mail";
+		  if (errno == 0 && sx->buffer[0] == '5')
+		    {
+		    setflag(addr, af_verify_nsfail);
+		    if (from_address[0] == 0)
+		      new_domain_record.result = ccache_reject_mfnull;
+		    }
+		  break;
+						/* non-MAIL read i/o error */
+						/* non-MAIL response timeout */
+						/* internal error; channel still usable */
+	default:  break;			/* transmit failed */
+	}
+      }
+
+    addr->auth_sndr = client_authenticated_sender;
+
+    deliver_host = deliver_host_address = NULL;
+    deliver_domain = save_deliver_domain;
+
+    /* Do postmaster check if requested; if a full check is required, we
+    check for RCPT TO:<postmaster> (no domain) in accordance with RFC 821. */
+
+    if (done && pm_mailfrom)
+      {
+      /* Could possibly shift before main verify, just above, and be ok
+      for cutthrough.  But no way to handle a subsequent rcpt, so just
+      refuse any */
+      cancel_cutthrough_connection(TRUE, US"postmaster verify");
+      HDEBUG(D_acl|D_v) debug_printf_indent("Cutthrough cancelled by presence of postmaster verify\n");
+
+      done = smtp_write_command(sx, SCMD_FLUSH, "RSET\r\n") >= 0
+          && smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', callout);
+
+      if (done)
+	{
+	uschar * main_address = addr->address;
+
+	/*XXX oops, affixes */
+	addr->address = string_sprintf("postmaster@%.1000s", addr->domain);
+	addr->transport_return = PENDING_DEFER;
+
+	sx->from_addr = pm_mailfrom;
+	sx->first_addr = sx->sync_addr = addr;
+	sx->ok = FALSE;
+	sx->send_rset = TRUE;
+	sx->completed_addr = FALSE;
+	sx->avoid_option = OPTION_SIZE;
+
+	if(  smtp_write_mail_and_rcpt_cmds(sx, &yield) == 0
+	  && addr->transport_return == PENDING_OK
+	  )
+	  done = TRUE;
+	else
+	  done = (options & vopt_callout_fullpm) != 0
+	      && smtp_write_command(sx, SCMD_FLUSH,
+			    "RCPT TO:<postmaster>\r\n") >= 0
+	      && smtp_read_response(sx, sx->buffer,
+			    sizeof(sx->buffer), '2', callout);
+
+	/* Sort out the cache record */
+
+	new_domain_record.postmaster_stamp = time(NULL);
+
+	if (done)
+	  new_domain_record.postmaster_result = ccache_accept;
+	else if (errno == 0 && sx->buffer[0] == '5')
+	  {
+	  *failure_ptr = US"postmaster";
+	  setflag(addr, af_verify_pmfail);
+	  new_domain_record.postmaster_result = ccache_reject;
+	  }
+
+	addr->address = main_address;
+	}
+      }
+    /* For any failure of the main check, other than a negative response, we just
+    close the connection and carry on. We can identify a negative response by the
+    fact that errno is zero. For I/O errors it will be non-zero
+
+    Set up different error texts for logging and for sending back to the caller
+    as an SMTP response. Log in all cases, using a one-line format. For sender
+    callouts, give a full response to the caller, but for recipient callouts,
+    don't give the IP address because this may be an internal host whose identity
+    is not to be widely broadcast. */
+
+no_conn:
+    switch(errno)
+      {
+      case ETIMEDOUT:
+	HDEBUG(D_verify) debug_printf("SMTP timeout\n");
+	sx->send_quit = FALSE;
+	break;
+
+#ifdef SUPPORT_I18N
+      case ERRNO_UTF8_FWD:
+	{
+	extern int acl_where;	/* src/acl.c */
+	errno = 0;
+	addr->message = US"response to \"EHLO\" did not include SMTPUTF8";
+	addr->user_message = acl_where == ACL_WHERE_RCPT
+	  ? US"533 no support for internationalised mailbox name"
+	  : US"550 mailbox unavailable";
+	yield = FAIL;
+	done = TRUE;
+	}
+	break;
+#endif
+      case ECONNREFUSED:
+	sx->send_quit = FALSE;
+	break;
+
+      case 0:
+	if (*sx->buffer == 0) Ustrcpy(sx->buffer, US"connection dropped");
+
+	/*XXX test here is ugly; seem to have a split of responsibility for
+	building this message.  Need to rationalise.  Where is it done
+	before here, and when not?
+	Not == 5xx resp to MAIL on main-verify
+	*/
+	if (!addr->message) addr->message =
+	  string_sprintf("response to \"%s\" was: %s",
+			  big_buffer, string_printing(sx->buffer));
+
+	/* RFC 5321 section 4.2: the text portion of the response may have only
+	HT, SP, Printable US-ASCII.  Deal with awkward chars by cutting the
+	received message off before passing it onward.  Newlines are ok; they
+	just become a multiline response (but wrapped in the error code we
+	produce). */
+
+	for (uschar * s = sx->buffer;
+	     *s && s < sx->buffer + sizeof(sx->buffer);
+	     s++)
+	  {
+	  uschar c = *s;
+	  if (c != '\t' && c != '\n' && (c < ' ' || c > '~'))
+	    {
+	    if (s - sx->buffer < sizeof(sx->buffer) - 12)
+	      memcpy(s, "(truncated)", 12);
+	    else
+	      *s = '\0';
+	    break;
+	    }
+	  }
+	addr->user_message = options & vopt_is_recipient
+	  ? string_sprintf("Callout verification failed:\n%s", sx->buffer)
+	  : string_sprintf("Called:   %s\nSent:     %s\nResponse: %s",
+	    host->address, big_buffer, sx->buffer);
+
+	/* Hard rejection ends the process */
+
+	if (sx->buffer[0] == '5')   /* Address rejected */
+	  {
+	  yield = FAIL;
+	  done = TRUE;
+	  }
+	break;
+      }
+
+    /* End the SMTP conversation and close the connection. */
+
+    /* Cutthrough - on a successful connect and recipient-verify with
+    use-sender and we are 1st rcpt and have no cutthrough conn so far
+    here is where we want to leave the conn open.  Ditto for a lazy-close
+    verify. */
+
+    if (cutthrough.delivery)
+      {
+      if (addr->transport->filter_command)
+        {
+        cutthrough.delivery= FALSE;
+        HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n");
+        }
+#ifndef DISABLE_DKIM
+      if (ob->dkim.dkim_domain)
+        {
+        cutthrough.delivery= FALSE;
+        HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of DKIM signing\n");
+        }
+#endif
+#ifdef EXPERIMENTAL_ARC
+      if (ob->arc_sign)
+        {
+        cutthrough.delivery= FALSE;
+        HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of ARC signing\n");
+        }
+#endif
+      }
+
+    if (  (cutthrough.delivery || options & vopt_callout_hold)
+       && rcpt_count == 1
+       && done
+       && yield == OK
+       &&    (options & (vopt_callout_recipsender|vopt_callout_recippmaster|vopt_success_on_redirect))
+	   == vopt_callout_recipsender
+       && !random_local_part
+       && !pm_mailfrom
+       && cutthrough.cctx.sock < 0
+       && !sx->lmtp
+       )
+      {
+      HDEBUG(D_acl|D_v) debug_printf_indent("holding verify callout open for %s\n",
+	cutthrough.delivery
+	? "cutthrough delivery" : "potential further verifies and delivery");
+
+      cutthrough.callout_hold_only = !cutthrough.delivery;
+      cutthrough.is_tls =	tls_out.active.sock >= 0;
+      /* We assume no buffer in use in the outblock */
+      cutthrough.cctx =		sx->cctx;
+      cutthrough.nrcpt =	1;
+      cutthrough.transport =	addr->transport->name;
+      cutthrough.interface =	interface;
+      cutthrough.snd_port =	sending_port;
+      cutthrough.peer_options =	smtp_peer_options;
+      cutthrough.host =		*host;
+	{
+	int oldpool = store_pool;
+	store_pool = POOL_PERM;
+	cutthrough.snd_ip = string_copy(sending_ip_address);
+	cutthrough.host.name = string_copy(host->name);
+	cutthrough.host.address = string_copy(host->address);
+	store_pool = oldpool;
+	}
+
+      /* Save the address_item and parent chain for later logging */
+      cutthrough.addr =		*addr;
+      cutthrough.addr.next =	NULL;
+      cutthrough.addr.host_used = &cutthrough.host;
+      for (address_item * caddr = &cutthrough.addr, * parent = addr->parent;
+	   parent;
+	   caddr = caddr->parent, parent = parent->parent)
+        *(caddr->parent = store_get(sizeof(address_item), GET_UNTAINTED)) = *parent;
+
+      ctctx.outblock.buffer = ctbuffer;
+      ctctx.outblock.buffersize = sizeof(ctbuffer);
+      ctctx.outblock.ptr = ctbuffer;
+      /* ctctx.outblock.cmd_count = 0; ctctx.outblock.authenticating = FALSE; */
+      ctctx.outblock.cctx = &cutthrough.cctx;
+      }
+    else
+      {
+      /* Ensure no cutthrough on multiple verifies that were incompatible */
+      if (options & vopt_callout_recipsender)
+        cancel_cutthrough_connection(TRUE, US"not usable for cutthrough");
+      if (sx->send_quit)
+	if (smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n") != -1)
+	  /* Wait a short time for response, and discard it */
+	  smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', 1);
+
+      if (sx->cctx.sock >= 0)
+	{
+#ifndef DISABLE_TLS
+	if (sx->cctx.tls_ctx)
+	  {
+	  tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
+	  sx->cctx.tls_ctx = NULL;
+	  }
+#endif
+	HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP(close)>>\n");
+	(void)close(sx->cctx.sock);
+	sx->cctx.sock = -1;
+	smtp_debug_cmd_report();
+#ifndef DISABLE_EVENT
+	(void) event_raise(addr->transport->event_action, US"tcp:close", NULL, NULL);
+#endif
+	}
+      }
+
+    if (!done || yield != OK)
+      addr->message = string_sprintf("%s [%s] : %s", host->name, host->address,
+				    addr->message);
+    }    /* Loop through all hosts, while !done */
+  }
+
+/* If we get here with done == TRUE, a successful callout happened, and yield
+will be set OK or FAIL according to the response to the RCPT command.
+Otherwise, we looped through the hosts but couldn't complete the business.
+However, there may be domain-specific information to cache in both cases. */
+
+if (!(options & vopt_callout_no_cache))
+  cache_callout_write(&new_domain_record, addr->domain,
+    done, &new_address_record, address_key);
+
+/* Failure to connect to any host, or any response other than 2xx or 5xx is a
+temporary error. If there was only one host, and a response was received, leave
+it alone if supplying details. Otherwise, give a generic response. */
+
+if (!done)
+  {
+  uschar * dullmsg = string_sprintf("Could not complete %s verify callout",
+    options & vopt_is_recipient ? "recipient" : "sender");
+  yield = DEFER;
+
+  addr->message = host_list->next || !addr->message
+    ? dullmsg : string_sprintf("%s: %s", dullmsg, addr->message);
+
+  addr->user_message = smtp_return_error_details
+    ? string_sprintf("%s for <%s>.\n"
+      "The mail server(s) for the domain may be temporarily unreachable, or\n"
+      "they may be permanently unreachable from this server. In the latter case,\n%s",
+      dullmsg, addr->address,
+      options & vopt_is_recipient
+	? "the address will never be accepted."
+        : "you need to change the address or create an MX record for its domain\n"
+	  "if it is supposed to be generally accessible from the Internet.\n"
+	  "Talk to your mail administrator for details.")
+    : dullmsg;
+
+  /* Force a specific error code */
+
+  addr->basic_errno = ERRNO_CALLOUTDEFER;
+  }
+
+/* Come here from within the cache-reading code on fast-track exit. */
+
+END_CALLOUT:
+tls_modify_variables(&tls_in);	/* return variables to inbound values */
+return yield;
+}
+
+
+
+/* Called after recipient-acl to get a cutthrough connection open when
+   one was requested and a recipient-verify wasn't subsequently done.
+*/
+int
+open_cutthrough_connection(address_item * addr)
+{
+address_item addr2;
+int rc;
+
+/* Use a recipient-verify-callout to set up the cutthrough connection. */
+/* We must use a copy of the address for verification, because it might
+get rewritten. */
+
+addr2 = *addr;
+HDEBUG(D_acl) debug_printf_indent("----------- %s cutthrough setup ------------\n",
+  rcpt_count > 1 ? "more" : "start");
+rc = verify_address(&addr2, NULL,
+	vopt_is_recipient | vopt_callout_recipsender | vopt_callout_no_cache,
+	CUTTHROUGH_CMD_TIMEOUT, -1, -1,
+	NULL, NULL, NULL);
+addr->message = addr2.message;
+addr->user_message = addr2.user_message;
+HDEBUG(D_acl) debug_printf_indent("----------- end cutthrough setup ------------\n");
+return rc;
+}
+
+
+
+/* Send given number of bytes from the buffer */
+static BOOL
+cutthrough_send(int n)
+{
+if(cutthrough.cctx.sock < 0)
+  return TRUE;
+
+if(
+#ifndef DISABLE_TLS
+   cutthrough.is_tls
+   ? tls_write(cutthrough.cctx.tls_ctx, ctctx.outblock.buffer, n, FALSE)
+   :
+#endif
+     send(cutthrough.cctx.sock, ctctx.outblock.buffer, n, 0) > 0
+  )
+{
+  transport_count += n;
+  ctctx.outblock.ptr= ctctx.outblock.buffer;
+  return TRUE;
+}
+
+HDEBUG(D_transport|D_acl) debug_printf_indent("cutthrough_send failed: %s\n", strerror(errno));
+return FALSE;
+}
+
+
+
+static BOOL
+_cutthrough_puts(uschar * cp, int n)
+{
+while(n--)
+ {
+ if(ctctx.outblock.ptr >= ctctx.outblock.buffer+ctctx.outblock.buffersize)
+   if(!cutthrough_send(ctctx.outblock.buffersize))
+     return FALSE;
+
+ *ctctx.outblock.ptr++ = *cp++;
+ }
+return TRUE;
+}
+
+/* Buffered output of counted data block.   Return boolean success */
+static BOOL
+cutthrough_puts(uschar * cp, int n)
+{
+if (cutthrough.cctx.sock < 0) return TRUE;
+if (_cutthrough_puts(cp, n))  return TRUE;
+cancel_cutthrough_connection(TRUE, US"transmit failed");
+return FALSE;
+}
+
+void
+cutthrough_data_puts(uschar * cp, int n)
+{
+if (cutthrough.delivery) (void) cutthrough_puts(cp, n);
+return;
+}
+
+
+static BOOL
+_cutthrough_flush_send(void)
+{
+int n = ctctx.outblock.ptr - ctctx.outblock.buffer;
+
+if(n>0)
+  if(!cutthrough_send(n))
+    return FALSE;
+return TRUE;
+}
+
+
+/* Send out any bufferred output.  Return boolean success. */
+BOOL
+cutthrough_flush_send(void)
+{
+if (_cutthrough_flush_send()) return TRUE;
+cancel_cutthrough_connection(TRUE, US"transmit failed");
+return FALSE;
+}
+
+
+static BOOL
+cutthrough_put_nl(void)
+{
+return cutthrough_puts(US"\r\n", 2);
+}
+
+
+void
+cutthrough_data_put_nl(void)
+{
+cutthrough_data_puts(US"\r\n", 2);
+}
+
+
+/* Get and check response from cutthrough target */
+static uschar
+cutthrough_response(client_conn_ctx * cctx, char expect, uschar ** copy, int timeout)
+{
+smtp_context sx = {0};
+uschar inbuffer[4096];
+uschar responsebuffer[4096];
+
+sx.inblock.buffer = inbuffer;
+sx.inblock.buffersize = sizeof(inbuffer);
+sx.inblock.ptr = inbuffer;
+sx.inblock.ptrend = inbuffer;
+sx.inblock.cctx = cctx;
+if(!smtp_read_response(&sx, responsebuffer, sizeof(responsebuffer), expect, timeout))
+  cancel_cutthrough_connection(TRUE, US"target timeout on read");
+
+if(copy)
+  {
+  uschar * cp;
+  *copy = cp = string_copy(responsebuffer);
+  /* Trim the trailing end of line */
+  cp += Ustrlen(responsebuffer);
+  if(cp > *copy  &&  cp[-1] == '\n') *--cp = '\0';
+  if(cp > *copy  &&  cp[-1] == '\r') *--cp = '\0';
+  }
+
+return responsebuffer[0];
+}
+
+
+/* Negotiate dataphase with the cutthrough target, returning success boolean */
+BOOL
+cutthrough_predata(void)
+{
+if(cutthrough.cctx.sock < 0 || cutthrough.callout_hold_only)
+  return FALSE;
+
+smtp_debug_cmd(US"DATA", 0);
+cutthrough_puts(US"DATA\r\n", 6);
+cutthrough_flush_send();
+
+/* Assume nothing buffered.  If it was it gets ignored. */
+return cutthrough_response(&cutthrough.cctx, '3', NULL, CUTTHROUGH_DATA_TIMEOUT) == '3';
+}
+
+
+/* tctx arg only to match write_chunk() */
+static BOOL
+cutthrough_write_chunk(transport_ctx * tctx, uschar * s, int len)
+{
+uschar * s2;
+while(s && (s2 = Ustrchr(s, '\n')))
+ {
+ if(!cutthrough_puts(s, s2-s) || !cutthrough_put_nl())
+  return FALSE;
+ s = s2+1;
+ }
+return TRUE;
+}
+
+
+/* Buffered send of headers.  Return success boolean. */
+/* Expands newlines to wire format (CR,NL).           */
+/* Also sends header-terminating blank line.          */
+BOOL
+cutthrough_headers_send(void)
+{
+transport_ctx tctx;
+
+if(cutthrough.cctx.sock < 0 || cutthrough.callout_hold_only)
+  return FALSE;
+
+/* We share a routine with the mainline transport to handle header add/remove/rewrites,
+   but having a separate buffered-output function (for now)
+*/
+HDEBUG(D_acl) debug_printf_indent("----------- start cutthrough headers send -----------\n");
+
+tctx.u.fd = cutthrough.cctx.sock;
+tctx.tblock = cutthrough.addr.transport;
+tctx.addr = &cutthrough.addr;
+tctx.check_string = US".";
+tctx.escape_string = US"..";
+/*XXX check under spool_files_wireformat.  Might be irrelevant */
+tctx.options = topt_use_crlf;
+
+if (!transport_headers_send(&tctx, &cutthrough_write_chunk))
+  return FALSE;
+
+HDEBUG(D_acl) debug_printf_indent("----------- done cutthrough headers send ------------\n");
+return TRUE;
+}
+
+
+static void
+close_cutthrough_connection(const uschar * why)
+{
+int fd = cutthrough.cctx.sock;
+if(fd >= 0)
+  {
+  /* We could be sending this after a bunch of data, but that is ok as
+     the only way to cancel the transfer in dataphase is to drop the tcp
+     conn before the final dot.
+  */
+  client_conn_ctx tmp_ctx = cutthrough.cctx;
+  ctctx.outblock.ptr = ctbuffer;
+  smtp_debug_cmd(US"QUIT", 0);
+  _cutthrough_puts(US"QUIT\r\n", 6);	/* avoid recursion */
+  _cutthrough_flush_send();
+  cutthrough.cctx.sock = -1;		/* avoid recursion via read timeout */
+  cutthrough.nrcpt = 0;			/* permit re-cutthrough on subsequent message */
+
+  /* Wait a short time for response, and discard it */
+  cutthrough_response(&tmp_ctx, '2', NULL, 1);
+
+#ifndef DISABLE_TLS
+  if (cutthrough.is_tls)
+    {
+    tls_close(cutthrough.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
+    cutthrough.cctx.tls_ctx = NULL;
+    cutthrough.is_tls = FALSE;
+    }
+#endif
+  HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP(close)>>\n");
+  (void)close(fd);
+  smtp_debug_cmd_report();
+  HDEBUG(D_acl) debug_printf_indent("----------- cutthrough shutdown (%s) ------------\n", why);
+  }
+ctctx.outblock.ptr = ctbuffer;
+}
+
+void
+cancel_cutthrough_connection(BOOL close_noncutthrough_verifies, const uschar * why)
+{
+if (cutthrough.delivery || close_noncutthrough_verifies)
+  close_cutthrough_connection(why);
+cutthrough.delivery = cutthrough.callout_hold_only = FALSE;
+}
+
+
+void
+release_cutthrough_connection(const uschar * why)
+{
+if (cutthrough.cctx.sock < 0) return;
+HDEBUG(D_acl) debug_printf_indent("release cutthrough conn: %s\n", why);
+cutthrough.cctx.sock = -1;
+cutthrough.cctx.tls_ctx = NULL;
+cutthrough.delivery = cutthrough.callout_hold_only = FALSE;
+}
+
+
+
+
+/* Have senders final-dot.  Send one to cutthrough target, and grab the response.
+   Log an OK response as a transmission.
+   Close the connection.
+   Return smtp response-class digit.
+*/
+uschar *
+cutthrough_finaldot(void)
+{
+uschar res;
+HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP>> .\n");
+
+/* Assume data finshed with new-line */
+if(  !cutthrough_puts(US".", 1)
+  || !cutthrough_put_nl()
+  || !cutthrough_flush_send()
+  )
+  return cutthrough.addr.message;
+
+res = cutthrough_response(&cutthrough.cctx, '2', &cutthrough.addr.message,
+	CUTTHROUGH_DATA_TIMEOUT);
+for (address_item * addr = &cutthrough.addr; addr; addr = addr->next)
+  {
+  addr->message = cutthrough.addr.message;
+  switch(res)
+    {
+    case '2':
+      delivery_log(LOG_MAIN, addr, (int)'>', NULL);
+      close_cutthrough_connection(US"delivered");
+      break;
+
+    case '4':
+      delivery_log(LOG_MAIN, addr, 0,
+	US"tmp-reject from cutthrough after DATA:");
+      break;
+
+    case '5':
+      delivery_log(LOG_MAIN|LOG_REJECT, addr, 0,
+	US"rejected after DATA:");
+      break;
+
+    default:
+      break;
+    }
+  }
+return cutthrough.addr.message;
+}
+
+
+
+/*************************************************
+*           Copy error to toplevel address       *
+*************************************************/
+
+/* This function is used when a verify fails or defers, to ensure that the
+failure or defer information is in the original toplevel address. This applies
+when an address is redirected to a single new address, and the failure or
+deferral happens to the child address.
+
+Arguments:
+  vaddr       the verify address item
+  addr        the final address item
+  yield       FAIL or DEFER
+
+Returns:      the value of YIELD
+*/
+
+static int
+copy_error(address_item *vaddr, address_item *addr, int yield)
+{
+if (addr != vaddr)
+  {
+  vaddr->message = addr->message;
+  vaddr->user_message = addr->user_message;
+  vaddr->basic_errno = addr->basic_errno;
+  vaddr->more_errno = addr->more_errno;
+  vaddr->prop.address_data = addr->prop.address_data;
+  vaddr->prop.variables = NULL;
+  tree_dup((tree_node **)&vaddr->prop.variables, addr->prop.variables);
+  copyflag(vaddr, addr, af_pass_message);
+  }
+return yield;
+}
+
+
+
+
+/**************************************************
+* printf that automatically handles TLS if needed *
+***************************************************/
+
+/* This function is used by verify_address() as a substitute for all fprintf()
+calls; a direct fprintf() will not produce output in a TLS SMTP session, such
+as a response to an EXPN command.  smtp_in.c makes smtp_printf available but
+that assumes that we always use the smtp_out FILE* when not using TLS or the
+ssl buffer when we are.  Instead we take a FILE* parameter and check to see if
+that is smtp_out; if so, smtp_printf() with TLS support, otherwise regular
+fprintf().
+
+Arguments:
+  f           the candidate FILE* to write to
+  format      format string
+  ...         optional arguments
+
+Returns:
+              nothing
+*/
+
+static void PRINTF_FUNCTION(2,3)
+respond_printf(FILE *f, const char *format, ...)
+{
+va_list ap;
+
+va_start(ap, format);
+if (smtp_out && (f == smtp_out))
+  smtp_vprintf(format, FALSE, ap);
+else
+  vfprintf(f, format, ap);
+va_end(ap);
+}
+
+
+
+/*************************************************
+*            Verify an email address             *
+*************************************************/
+
+/* This function is used both for verification (-bv and at other times) and
+address testing (-bt), which is indicated by address_test_mode being set.
+
+Arguments:
+  vaddr            contains the address to verify; the next field in this block
+                     must be NULL
+  fp               if not NULL, write the result to this file
+  options          various option bits:
+                     vopt_fake_sender => this sender verify is not for the real
+                       sender (it was verify=sender=xxxx or an address from a
+                       header line) - rewriting must not change sender_address
+                     vopt_is_recipient => this is a recipient address, otherwise
+                       it's a sender address - this affects qualification and
+                       rewriting and messages from callouts
+                     vopt_qualify => qualify an unqualified address; else error
+                     vopt_expn => called from SMTP EXPN command
+                     vopt_success_on_redirect => when a new address is generated
+                       the verification instantly succeeds
+
+                     These ones are used by do_callout() -- the options variable
+                       is passed to it.
+
+                     vopt_callout_fullpm => if postmaster check, do full one
+                     vopt_callout_no_cache => don't use callout cache
+                     vopt_callout_random => do the "random" thing
+                     vopt_callout_recipsender => use real sender for recipient
+                     vopt_callout_recippmaster => use postmaster for recipient
+
+  callout          if > 0, specifies that callout is required, and gives timeout
+                     for individual commands
+  callout_overall  if > 0, gives overall timeout for the callout function;
+                   if < 0, a default is used (see do_callout())
+  callout_connect  the connection timeout for callouts
+  se_mailfrom      when callout is requested to verify a sender, use this
+                     in MAIL FROM; NULL => ""
+  pm_mailfrom      when callout is requested, if non-NULL, do the postmaster
+                     thing and use this as the sender address (may be "")
+
+  routed           if not NULL, set TRUE if routing succeeded, so we can
+                     distinguish between routing failed and callout failed
+
+Returns:           OK      address verified
+                   FAIL    address failed to verify
+                   DEFER   can't tell at present
+*/
+
+int
+verify_address(address_item * vaddr, FILE * fp, int options, int callout,
+  int callout_overall, int callout_connect, uschar * se_mailfrom,
+  uschar *pm_mailfrom, BOOL *routed)
+{
+BOOL allok = TRUE;
+BOOL full_info = fp ? debug_selector != 0 : FALSE;
+BOOL expn         = (options & vopt_expn) != 0;
+BOOL success_on_redirect = (options & vopt_success_on_redirect) != 0;
+int i;
+int yield = OK;
+int verify_type = expn ? v_expn :
+   f.address_test_mode ? v_none :
+          options & vopt_is_recipient ? v_recipient : v_sender;
+address_item *addr_list;
+address_item *addr_new = NULL;
+address_item *addr_remote = NULL;
+address_item *addr_local = NULL;
+address_item *addr_succeed = NULL;
+uschar **failure_ptr = options & vopt_is_recipient
+  ? &recipient_verify_failure : &sender_verify_failure;
+uschar *ko_prefix, *cr;
+uschar *address = vaddr->address;
+uschar *save_sender;
+uschar null_sender[] = { 0 };             /* Ensure writeable memory */
+
+/* Clear, just in case */
+
+*failure_ptr = NULL;
+
+/* Set up a prefix and suffix for error message which allow us to use the same
+output statements both in EXPN mode (where an SMTP response is needed) and when
+debugging with an output file. */
+
+if (expn)
+  {
+  ko_prefix = US"553 ";
+  cr = US"\r";
+  }
+else ko_prefix = cr = US"";
+
+/* Add qualify domain if permitted; otherwise an unqualified address fails. */
+
+if (parse_find_at(address) == NULL)
+  {
+  if (!(options & vopt_qualify))
+    {
+    if (fp)
+      respond_printf(fp, "%sA domain is required for \"%s\"%s\n",
+        ko_prefix, address, cr);
+    *failure_ptr = US"qualify";
+    return FAIL;
+    }
+  /* deconst ok as address was not const */
+  address = US rewrite_address_qualify(address, options & vopt_is_recipient);
+  }
+
+DEBUG(D_verify)
+  {
+  debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+  debug_printf("%s %s\n", f.address_test_mode? "Testing" : "Verifying", address);
+  }
+
+/* Rewrite and report on it. Clear the domain and local part caches - these
+may have been set by domains and local part tests during an ACL. */
+
+if (global_rewrite_rules)
+  {
+  uschar *old = address;
+  /* deconst ok as address was not const */
+  address = US rewrite_address(address, options & vopt_is_recipient, FALSE,
+    global_rewrite_rules, rewrite_existflags);
+  if (address != old)
+    {
+    for (int i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->localpart_cache[i] = 0;
+    for (int i = 0; i < (MAX_NAMED_LIST * 2)/32; i++) vaddr->domain_cache[i] = 0;
+    if (fp && !expn) fprintf(fp, "Address rewritten as: %s\n", address);
+    }
+  }
+
+/* If this is the real sender address, we must update sender_address at
+this point, because it may be referred to in the routers. */
+
+if (!(options & (vopt_fake_sender|vopt_is_recipient)))
+  sender_address = address;
+
+/* If the address was rewritten to <> no verification can be done, and we have
+to return OK. This rewriting is permitted only for sender addresses; for other
+addresses, such rewriting fails. */
+
+if (!address[0]) return OK;
+
+/* Flip the legacy TLS-related variables over to the outbound set in case
+they're used in the context of a transport used by verification. Reset them
+at exit from this routine (so no returns allowed from here on). */
+
+tls_modify_variables(&tls_out);
+
+/* Save a copy of the sender address for re-instating if we change it to <>
+while verifying a sender address (a nice bit of self-reference there). */
+
+save_sender = sender_address;
+
+/* Observability variable for router/transport use */
+
+verify_mode = options & vopt_is_recipient ? US"R" : US"S";
+
+/* Update the address structure with the possibly qualified and rewritten
+address. Set it up as the starting address on the chain of new addresses. */
+
+vaddr->address = address;
+addr_new = vaddr;
+
+/* We need a loop, because an address can generate new addresses. We must also
+cope with generated pipes and files at the top level. (See also the code and
+comment in deliver.c.) However, it is usually the case that the router for
+user's .forward files has its verify flag turned off.
+
+If an address generates more than one child, the loop is used only when
+full_info is set, and this can only be set locally. Remote enquiries just get
+information about the top level address, not anything that it generated. */
+
+while (addr_new)
+  {
+  int rc;
+  address_item *addr = addr_new;
+
+  addr_new = addr->next;
+  addr->next = NULL;
+
+  DEBUG(D_verify)
+    {
+    debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+    debug_printf("Considering %s\n", addr->address);
+    }
+
+  /* Handle generated pipe, file or reply addresses. We don't get these
+  when handling EXPN, as it does only one level of expansion. */
+
+  if (testflag(addr, af_pfr))
+    {
+    allok = FALSE;
+    if (fp)
+      {
+      BOOL allow;
+
+      if (addr->address[0] == '>')
+        {
+        allow = testflag(addr, af_allow_reply);
+        fprintf(fp, "%s -> mail %s", addr->parent->address, addr->address + 1);
+        }
+      else
+        {
+        allow = addr->address[0] == '|'
+          ? testflag(addr, af_allow_pipe) : testflag(addr, af_allow_file);
+        fprintf(fp, "%s -> %s", addr->parent->address, addr->address);
+        }
+
+      if (addr->basic_errno == ERRNO_BADTRANSPORT)
+        fprintf(fp, "\n*** Error in setting up pipe, file, or autoreply:\n"
+          "%s\n", addr->message);
+      else if (allow)
+        fprintf(fp, "\n  transport = %s\n", addr->transport->name);
+      else
+        fprintf(fp, " *** forbidden ***\n");
+      }
+    continue;
+    }
+
+  /* Just in case some router parameter refers to it. */
+
+  return_path = addr->prop.errors_address
+    ? addr->prop.errors_address : sender_address;
+
+  /* Split the address into domain and local part, handling the %-hack if
+  necessary, and then route it. While routing a sender address, set
+  $sender_address to <> because that is what it will be if we were trying to
+  send a bounce to the sender. */
+
+  if (routed) *routed = FALSE;
+  if ((rc = deliver_split_address(addr)) == OK)
+    {
+    if (!(options & vopt_is_recipient)) sender_address = null_sender;
+    rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
+      &addr_succeed, verify_type);
+    sender_address = save_sender;     /* Put back the real sender */
+    }
+
+  /* If routing an address succeeded, set the flag that remembers, for use when
+  an ACL cached a sender verify (in case a callout fails). Then if routing set
+  up a list of hosts or the transport has a host list, and the callout option
+  is set, and we aren't in a host checking run, do the callout verification,
+  and set another flag that notes that a callout happened. */
+
+  if (rc == OK)
+    {
+    BOOL local_verify = FALSE;
+
+    if (routed) *routed = TRUE;
+    if (callout > 0)
+      {
+      transport_instance * tp;
+      host_item * host_list = addr->host_list;
+
+      /* Make up some data for use in the case where there is no remote
+      transport. */
+
+      transport_feedback tf = {
+        .interface =		NULL,                       /* interface (=> any) */
+        .port =			US"smtp",
+        .protocol =		US"smtp",
+        .hosts =		NULL,
+        .helo_data =		US"$smtp_active_hostname",
+        .hosts_override =	FALSE,
+        .hosts_randomize =	FALSE,
+        .gethostbyname =	FALSE,
+        .qualify_single =	TRUE,
+        .search_parents =	FALSE
+        };
+
+      /* If verification yielded a remote transport, we want to use that
+      transport's options, so as to mimic what would happen if we were really
+      sending a message to this address. */
+
+      if ((tp = addr->transport))
+	if (!tp->info->local)
+	  {
+	  (void)(tp->setup)(tp, addr, &tf, 0, 0, NULL);
+
+	  /* If the transport has hosts and the router does not, or if the
+	  transport is configured to override the router's hosts, we must build a
+	  host list of the transport's hosts, and find the IP addresses */
+
+	  if (tf.hosts && (!host_list || tf.hosts_override))
+	    {
+	    uschar *s;
+	    const uschar *save_deliver_domain = deliver_domain;
+	    uschar *save_deliver_localpart = deliver_localpart;
+
+	    host_list = NULL;    /* Ignore the router's hosts */
+
+	    deliver_domain = addr->domain;
+	    deliver_localpart = addr->local_part;
+	    s = expand_string(tf.hosts);
+	    deliver_domain = save_deliver_domain;
+	    deliver_localpart = save_deliver_localpart;
+
+	    if (!s)
+	      {
+	      log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand list of hosts "
+		"\"%s\" in %s transport for callout: %s", tf.hosts,
+		tp->name, expand_string_message);
+	      }
+	    else
+	      {
+	      int flags;
+	      host_build_hostlist(&host_list, s, tf.hosts_randomize);
+
+	      /* Just ignore failures to find a host address. If we don't manage
+	      to find any addresses, the callout will defer. Note that more than
+	      one address may be found for a single host, which will result in
+	      additional host items being inserted into the chain. Hence we must
+	      save the next host first. */
+
+	      flags = HOST_FIND_BY_A | HOST_FIND_BY_AAAA;
+	      if (tf.qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
+	      if (tf.search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
+
+	      for (host_item * host = host_list, * nexthost; host; host = nexthost)
+		{
+		nexthost = host->next;
+		if (tf.gethostbyname ||
+		    string_is_ip_address(host->name, NULL) != 0)
+		  (void)host_find_byname(host, NULL, flags, NULL, TRUE);
+		else
+		  {
+		  const dnssec_domains * dsp = NULL;
+		  if (Ustrcmp(tp->driver_name, "smtp") == 0)
+		    {
+		    smtp_transport_options_block * ob =
+			(smtp_transport_options_block *) tp->options_block;
+		    dsp = &ob->dnssec;
+		    }
+
+		  (void) host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
+		    dsp, NULL, NULL);
+		  }
+		}
+	      }
+	    }
+	  }
+	else if (  options & vopt_quota
+		&& Ustrcmp(tp->driver_name, "appendfile") == 0)
+	  local_verify = TRUE;
+
+      /* Can only do a callout if we have at least one host! If the callout
+      fails, it will have set ${sender,recipient}_verify_failure. */
+
+      if (host_list)
+        {
+        HDEBUG(D_verify) debug_printf("Attempting full verification using callout\n");
+        if (host_checking && !f.host_checking_callout)
+          {
+          HDEBUG(D_verify)
+            debug_printf("... callout omitted by default when host testing\n"
+              "(Use -bhc if you want the callouts to happen.)\n");
+          }
+        else
+          {
+#ifndef DISABLE_TLS
+	  deliver_set_expansions(addr);
+#endif
+          rc = do_callout(addr, host_list, &tf, callout, callout_overall,
+            callout_connect, options, se_mailfrom, pm_mailfrom);
+#ifndef DISABLE_TLS
+	  deliver_set_expansions(NULL);
+#endif
+	  if (  options & vopt_is_recipient
+	     && rc == OK
+			 /* set to "random", with OK, for an accepted random */
+	     && !recipient_verify_failure
+	     )
+	    callout_verified_rcpt(addr);
+          }
+        }
+      else if (local_verify)
+	{
+        HDEBUG(D_verify) debug_printf("Attempting quota verification\n");
+
+	deliver_set_expansions(addr);
+	deliver_local(addr, TRUE);
+	rc = addr->transport_return;
+	}
+      else
+        HDEBUG(D_verify) debug_printf("Cannot do callout: neither router nor "
+          "transport provided a host list, or transport is not smtp\n");
+      }
+    }
+
+  /* Otherwise, any failure is a routing failure */
+
+  else *failure_ptr = US"route";
+
+  /* A router may return REROUTED if it has set up a child address as a result
+  of a change of domain name (typically from widening). In this case we always
+  want to continue to verify the new child. */
+
+  if (rc == REROUTED) continue;
+
+  /* Handle hard failures */
+
+  if (rc == FAIL)
+    {
+    allok = FALSE;
+    if (fp)
+      {
+      address_item *p = addr->parent;
+
+      respond_printf(fp, "%s%s %s", ko_prefix,
+        full_info ? addr->address : address,
+        f.address_test_mode ? "is undeliverable" : "failed to verify");
+      if (!expn && f.admin_user)
+        {
+        if (addr->basic_errno > 0)
+          respond_printf(fp, ": %s", strerror(addr->basic_errno));
+        if (addr->message)
+          respond_printf(fp, ": %s", addr->message);
+        }
+
+      /* Show parents iff doing full info */
+
+      if (full_info) while (p)
+        {
+        respond_printf(fp, "%s\n    <-- %s", cr, p->address);
+        p = p->parent;
+        }
+      respond_printf(fp, "%s\n", cr);
+      }
+    cancel_cutthrough_connection(TRUE, US"routing hard fail");
+
+    if (!full_info)
+      {
+      yield = copy_error(vaddr, addr, FAIL);
+      goto out;
+      }
+    yield = FAIL;
+    }
+
+  /* Soft failure */
+
+  else if (rc == DEFER)
+    {
+    allok = FALSE;
+    if (fp)
+      {
+      address_item *p = addr->parent;
+      respond_printf(fp, "%s%s cannot be resolved at this time", ko_prefix,
+        full_info? addr->address : address);
+      if (!expn && f.admin_user)
+        {
+        if (addr->basic_errno > 0)
+          respond_printf(fp, ": %s", strerror(addr->basic_errno));
+        if (addr->message)
+          respond_printf(fp, ": %s", addr->message);
+        else if (addr->basic_errno <= 0)
+          respond_printf(fp, ": unknown error");
+        }
+
+      /* Show parents iff doing full info */
+
+      if (full_info) while (p)
+        {
+        respond_printf(fp, "%s\n    <-- %s", cr, p->address);
+        p = p->parent;
+        }
+      respond_printf(fp, "%s\n", cr);
+      }
+    cancel_cutthrough_connection(TRUE, US"routing soft fail");
+
+    if (!full_info)
+      {
+      yield = copy_error(vaddr, addr, DEFER);
+      goto out;
+      }
+    if (yield == OK) yield = DEFER;
+    }
+
+  /* If we are handling EXPN, we do not want to continue to route beyond
+  the top level (whose address is in "address"). */
+
+  else if (expn)
+    {
+    uschar *ok_prefix = US"250-";
+
+    if (!addr_new)
+      if (!addr_local && !addr_remote)
+        respond_printf(fp, "250 mail to <%s> is discarded\r\n", address);
+      else
+        respond_printf(fp, "250 <%s>\r\n", address);
+
+    else do
+      {
+      address_item *addr2 = addr_new;
+      addr_new = addr2->next;
+      if (!addr_new) ok_prefix = US"250 ";
+      respond_printf(fp, "%s<%s>\r\n", ok_prefix, addr2->address);
+      } while (addr_new);
+    yield = OK;
+    goto out;
+    }
+
+  /* Successful routing other than EXPN. */
+
+  else
+    {
+    /* Handle successful routing when short info wanted. Otherwise continue for
+    other (generated) addresses. Short info is the operational case. Full info
+    can be requested only when debug_selector != 0 and a file is supplied.
+
+    There is a conflict between the use of aliasing as an alternate email
+    address, and as a sort of mailing list. If an alias turns the incoming
+    address into just one address (e.g. J.Caesar->jc44) you may well want to
+    carry on verifying the generated address to ensure it is valid when
+    checking incoming mail. If aliasing generates multiple addresses, you
+    probably don't want to do this. Exim therefore treats the generation of
+    just a single new address as a special case, and continues on to verify the
+    generated address. */
+
+    if (  !full_info			/* Stop if short info wanted AND */
+       && (  (  !addr_new		/* No new address OR */
+             || addr_new->next		/* More than one new address OR */
+	     || testflag(addr_new, af_pfr)	/* New address is pfr */
+	     )
+          ||				/* OR */
+             (  addr_new		/* At least one new address AND */
+             && success_on_redirect	/* success_on_redirect is set */
+	  )  )
+       )
+      {
+      if (fp) fprintf(fp, "%s %s\n",
+        address, f.address_test_mode ? "is deliverable" : "verified");
+
+      /* If we have carried on to verify a child address, we want the value
+      of $address_data to be that of the child */
+
+      vaddr->prop.address_data = addr->prop.address_data;
+      vaddr->prop.variables = NULL;
+      tree_dup((tree_node **)&vaddr->prop.variables, addr->prop.variables);
+
+      /* If stopped because more than one new address, cannot cutthrough */
+
+      if (addr_new && addr_new->next)
+	cancel_cutthrough_connection(TRUE, US"multiple addresses from routing");
+
+      yield = OK;
+      goto out;
+      }
+    }
+  }     /* Loop for generated addresses */
+
+/* Display the full results of the successful routing, including any generated
+addresses. Control gets here only when full_info is set, which requires fp not
+to be NULL, and this occurs only when a top-level verify is called with the
+debugging switch on.
+
+If there are no local and no remote addresses, and there were no pipes, files,
+or autoreplies, and there were no errors or deferments, the message is to be
+discarded, usually because of the use of :blackhole: in an alias file. */
+
+if (allok && !addr_local && !addr_remote)
+  {
+  fprintf(fp, "mail to %s is discarded\n", address);
+  goto out;
+  }
+
+for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
+  while (addr_list)
+    {
+    address_item *addr = addr_list;
+    transport_instance * tp = addr->transport;
+
+    addr_list = addr->next;
+
+    fprintf(fp, "%s", CS addr->address);
+
+    /* If the address is a duplicate, show something about it. */
+
+    if (!testflag(addr, af_pfr))
+      {
+      tree_node *tnode;
+      if ((tnode = tree_search(tree_duplicates, addr->unique)))
+        fprintf(fp, "   [duplicate, would not be delivered]");
+      else tree_add_duplicate(addr->unique, addr);
+      }
+
+    /* Now show its parents */
+
+    for (address_item * p = addr->parent; p; p = p->parent)
+      fprintf(fp, "\n    <-- %s", p->address);
+    fprintf(fp, "\n  ");
+
+    /* Show router, and transport */
+
+    fprintf(fp, "router = %s, transport = %s\n",
+      addr->router->name, tp ? tp->name : US"unset");
+
+    /* Show any hosts that are set up by a router unless the transport
+    is going to override them; fiddle a bit to get a nice format. */
+
+    if (addr->host_list && tp && !tp->overrides_hosts)
+      {
+      int maxlen = 0;
+      int maxaddlen = 0;
+      for (host_item * h = addr->host_list; h; h = h->next)
+        {				/* get max lengths of host names, addrs */
+        int len = Ustrlen(h->name);
+        if (len > maxlen) maxlen = len;
+        len = h->address ? Ustrlen(h->address) : 7;
+        if (len > maxaddlen) maxaddlen = len;
+        }
+      for (host_item * h = addr->host_list; h; h = h->next)
+	{
+	fprintf(fp, "  host %-*s ", maxlen, h->name);
+
+	if (h->address)
+	  fprintf(fp, "[%s%-*c", h->address, maxaddlen+1 - Ustrlen(h->address), ']');
+	else if (tp->info->local)
+	  fprintf(fp, " %-*s ", maxaddlen, "");  /* Omit [unknown] for local */
+	else
+	  fprintf(fp, "[%s%-*c", "unknown", maxaddlen+1 - 7, ']');
+
+        if (h->mx >= 0) fprintf(fp, " MX=%d", h->mx);
+        if (h->port != PORT_NONE) fprintf(fp, " port=%d", h->port);
+        if (f.running_in_test_harness  &&  h->dnssec == DS_YES) fputs(" AD", fp);
+        if (h->status == hstatus_unusable) fputs(" ** unusable **", fp);
+	fputc('\n', fp);
+        }
+      }
+    }
+
+/* Yield will be DEFER or FAIL if any one address has, only for full_info (which is
+the -bv or -bt case). */
+
+out:
+verify_mode = NULL;
+tls_modify_variables(&tls_in);	/* return variables to inbound values */
+
+return yield;
+}
+
+
+
+
+/*************************************************
+*      Check headers for syntax errors           *
+*************************************************/
+
+/* This function checks those header lines that contain addresses, and verifies
+that all the addresses therein are 5322-syntactially correct.
+
+Arguments:
+  msgptr     where to put an error message
+
+Returns:     OK
+             FAIL
+*/
+
+int
+verify_check_headers(uschar **msgptr)
+{
+uschar *colon, *s;
+int yield = OK;
+
+for (header_line * h = header_list; h && yield == OK; h = h->next)
+  {
+  if (h->type != htype_from &&
+      h->type != htype_reply_to &&
+      h->type != htype_sender &&
+      h->type != htype_to &&
+      h->type != htype_cc &&
+      h->type != htype_bcc)
+    continue;
+
+  colon = Ustrchr(h->text, ':');
+  s = colon + 1;
+  Uskip_whitespace(&s);
+
+  /* Loop for multiple addresses in the header, enabling group syntax. Note
+  that we have to reset this after the header has been scanned. */
+
+  f.parse_allow_group = TRUE;
+
+  while (*s)
+    {
+    uschar *ss = parse_find_address_end(s, FALSE);
+    uschar *recipient, *errmess;
+    int terminator = *ss;
+    int start, end, domain;
+
+    /* Temporarily terminate the string at this point, and extract the
+    operative address within, allowing group syntax. */
+
+    *ss = 0;
+    recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
+    *ss = terminator;
+
+    /* Permit an unqualified address only if the message is local, or if the
+    sending host is configured to be permitted to send them. */
+
+    if (recipient && !domain)
+      {
+      if (h->type == htype_from || h->type == htype_sender)
+        {
+        if (!f.allow_unqualified_sender) recipient = NULL;
+        }
+      else
+        {
+        if (!f.allow_unqualified_recipient) recipient = NULL;
+        }
+      if (!recipient) errmess = US"unqualified address not permitted";
+      }
+
+    /* It's an error if no address could be extracted, except for the special
+    case of an empty address. */
+
+    if (!recipient && Ustrcmp(errmess, "empty address") != 0)
+      {
+      uschar *verb = US"is";
+      uschar *t = ss;
+      uschar *tt = colon;
+      int len;
+
+      /* Arrange not to include any white space at the end in the
+      error message or the header name. */
+
+      while (t > s && isspace(t[-1])) t--;
+      while (tt > h->text && isspace(tt[-1])) tt--;
+
+      /* Add the address that failed to the error message, since in a
+      header with very many addresses it is sometimes hard to spot
+      which one is at fault. However, limit the amount of address to
+      quote - cases have been seen where, for example, a missing double
+      quote in a humungous To: header creates an "address" that is longer
+      than string_sprintf can handle. */
+
+      len = t - s;
+      if (len > 1024)
+        {
+        len = 1024;
+        verb = US"begins";
+        }
+
+      /* deconst cast ok as we're passing a non-const to string_printing() */
+      *msgptr = US string_printing(
+        string_sprintf("%s: failing address in \"%.*s:\" header %s: %.*s",
+          errmess, (int)(tt - h->text), h->text, verb, len, s));
+
+      yield = FAIL;
+      break;          /* Out of address loop */
+      }
+
+    /* Advance to the next address */
+
+    s = ss + (terminator ? 1 : 0);
+    Uskip_whitespace(&s);
+    }   /* Next address */
+
+  f.parse_allow_group = FALSE;
+  f.parse_found_group = FALSE;
+  }     /* Next header unless yield has been set FALSE */
+
+return yield;
+}
+
+
+/*************************************************
+*      Check header names for 8-bit characters   *
+*************************************************/
+
+/* This function checks for invalid characters in header names. See
+RFC 5322, 2.2. and RFC 6532, 3.
+
+Arguments:
+  msgptr     where to put an error message
+
+Returns:     OK
+             FAIL
+*/
+
+int
+verify_check_header_names_ascii(uschar **msgptr)
+{
+uschar *colon;
+
+for (header_line * h = header_list; h; h = h->next)
+  {
+  colon = Ustrchr(h->text, ':');
+  for(uschar * s = h->text; s < colon; s++)
+    if ((*s < 33) || (*s > 126))
+      {
+      *msgptr = string_sprintf("Invalid character in header \"%.*s\" found",
+			     (int)(colon - h->text), h->text);
+      return FAIL;
+      }
+  }
+return OK;
+}
+
+/*************************************************
+*          Check for blind recipients            *
+*************************************************/
+
+/* This function checks that every (envelope) recipient is mentioned in either
+the To: or Cc: header lines, thus detecting blind carbon copies.
+
+There are two ways of scanning that could be used: either scan the header lines
+and tick off the recipients, or scan the recipients and check the header lines.
+The original proposed patch did the former, but I have chosen to do the latter,
+because (a) it requires no memory and (b) will use fewer resources when there
+are many addresses in To: and/or Cc: and only one or two envelope recipients.
+
+Arguments:   case_sensitive   true if case sensitive matching should be used
+Returns:     OK    if there are no blind recipients
+             FAIL  if there is at least one blind recipient
+*/
+
+int
+verify_check_notblind(BOOL case_sensitive)
+{
+for (int i = 0; i < recipients_count; i++)
+  {
+  BOOL found = FALSE;
+  uschar *address = recipients_list[i].address;
+
+  for (header_line * h = header_list; !found && h; h = h->next)
+    {
+    uschar *colon, *s;
+
+    if (h->type != htype_to && h->type != htype_cc) continue;
+
+    colon = Ustrchr(h->text, ':');
+    s = colon + 1;
+    Uskip_whitespace(&s);
+
+    /* Loop for multiple addresses in the header, enabling group syntax. Note
+    that we have to reset this after the header has been scanned. */
+
+    f.parse_allow_group = TRUE;
+
+    while (*s)
+      {
+      uschar * ss = parse_find_address_end(s, FALSE);
+      uschar * recipient, * errmess;
+      int terminator = *ss;
+      int start, end, domain;
+
+      /* Temporarily terminate the string at this point, and extract the
+      operative address within, allowing group syntax. */
+
+      *ss = 0;
+      recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
+      *ss = terminator;
+
+      /* If we found a valid recipient that has a domain, compare it with the
+      envelope recipient. Local parts are compared with case-sensitivity
+      according to the routine arg, domains case-insensitively.
+      By comparing from the start with length "domain", we include the "@" at
+      the end, which ensures that we are comparing the whole local part of each
+      address. */
+
+      if (recipient && domain != 0)
+        if ((found = (case_sensitive
+		? Ustrncmp(recipient, address, domain) == 0
+		: strncmpic(recipient, address, domain) == 0)
+	      && strcmpic(recipient + domain, address + domain) == 0))
+	  break;
+
+      /* Advance to the next address */
+
+      s = ss + (terminator ? 1:0);
+      Uskip_whitespace(&s);
+      }   /* Next address */
+
+    f.parse_allow_group = FALSE;
+    f.parse_found_group = FALSE;
+    }     /* Next header (if found is false) */
+
+  if (!found) return FAIL;
+  }       /* Next recipient */
+
+return OK;
+}
+
+
+
+/*************************************************
+*          Find if verified sender               *
+*************************************************/
+
+/* Usually, just a single address is verified as the sender of the message.
+However, Exim can be made to verify other addresses as well (often related in
+some way), and this is useful in some environments. There may therefore be a
+chain of such addresses that have previously been tested. This function finds
+whether a given address is on the chain.
+
+Arguments:   the address to be verified
+Returns:     pointer to an address item, or NULL
+*/
+
+address_item *
+verify_checked_sender(uschar *sender)
+{
+for (address_item * addr = sender_verified_list; addr; addr = addr->next)
+  if (Ustrcmp(sender, addr->address) == 0) return addr;
+return NULL;
+}
+
+
+
+
+
+/*************************************************
+*             Get valid header address           *
+*************************************************/
+
+/* Scan the originator headers of the message, looking for an address that
+verifies successfully. RFC 822 says:
+
+    o   The "Sender" field mailbox should be sent  notices  of
+        any  problems in transport or delivery of the original
+        messages.  If there is no  "Sender"  field,  then  the
+        "From" field mailbox should be used.
+
+    o   If the "Reply-To" field exists, then the reply  should
+        go to the addresses indicated in that field and not to
+        the address(es) indicated in the "From" field.
+
+So we check a Sender field if there is one, else a Reply_to field, else a From
+field. As some strange messages may have more than one of these fields,
+especially if they are resent- fields, check all of them if there is more than
+one.
+
+Arguments:
+  user_msgptr      points to where to put a user error message
+  log_msgptr       points to where to put a log error message
+  callout          timeout for callout check (passed to verify_address())
+  callout_overall  overall callout timeout (ditto)
+  callout_connect  connect callout timeout (ditto)
+  se_mailfrom      mailfrom for verify; NULL => ""
+  pm_mailfrom      sender for pm callout check (passed to verify_address())
+  options          callout options (passed to verify_address())
+  verrno           where to put the address basic_errno
+
+If log_msgptr is set to something without setting user_msgptr, the caller
+normally uses log_msgptr for both things.
+
+Returns:           result of the verification attempt: OK, FAIL, or DEFER;
+                   FAIL is given if no appropriate headers are found
+*/
+
+int
+verify_check_header_address(uschar **user_msgptr, uschar **log_msgptr,
+  int callout, int callout_overall, int callout_connect, uschar *se_mailfrom,
+  uschar *pm_mailfrom, int options, int *verrno)
+{
+static int header_types[] = { htype_sender, htype_reply_to, htype_from };
+BOOL done = FALSE;
+int yield = FAIL;
+
+for (int i = 0; i < 3 && !done; i++)
+  for (header_line * h = header_list; h != NULL && !done; h = h->next)
+    {
+    int terminator, new_ok;
+    uschar *s, *ss, *endname;
+
+    if (h->type != header_types[i]) continue;
+    s = endname = Ustrchr(h->text, ':') + 1;
+
+    /* Scan the addresses in the header, enabling group syntax. Note that we
+    have to reset this after the header has been scanned. */
+
+    f.parse_allow_group = TRUE;
+
+    while (*s != 0)
+      {
+      address_item *vaddr;
+
+      while (isspace(*s) || *s == ',') s++;
+      if (*s == 0) break;        /* End of header */
+
+      ss = parse_find_address_end(s, FALSE);
+
+      /* The terminator is a comma or end of header, but there may be white
+      space preceding it (including newline for the last address). Move back
+      past any white space so we can check against any cached envelope sender
+      address verifications. */
+
+      while (isspace(ss[-1])) ss--;
+      terminator = *ss;
+      *ss = 0;
+
+      HDEBUG(D_verify) debug_printf("verifying %.*s header address %s\n",
+        (int)(endname - h->text), h->text, s);
+
+      /* See if we have already verified this address as an envelope sender,
+      and if so, use the previous answer. */
+
+      vaddr = verify_checked_sender(s);
+
+      if (vaddr != NULL &&                   /* Previously checked */
+           (callout <= 0 ||                  /* No callout needed; OR */
+            vaddr->special_action > 256))    /* Callout was done */
+        {
+        new_ok = vaddr->special_action & 255;
+        HDEBUG(D_verify) debug_printf("previously checked as envelope sender\n");
+        *ss = terminator;  /* Restore shortened string */
+        }
+
+      /* Otherwise we run the verification now. We must restore the shortened
+      string before running the verification, so the headers are correct, in
+      case there is any rewriting. */
+
+      else
+        {
+        int start, end, domain;
+        uschar *address = parse_extract_address(s, log_msgptr, &start, &end,
+          &domain, FALSE);
+
+        *ss = terminator;
+
+        /* If we found an empty address, just carry on with the next one, but
+        kill the message. */
+
+        if (!address && Ustrcmp(*log_msgptr, "empty address") == 0)
+          {
+          *log_msgptr = NULL;
+          s = ss;
+          continue;
+          }
+
+        /* If verification failed because of a syntax error, fail this
+        function, and ensure that the failing address gets added to the error
+        message. */
+
+        if (!address)
+          {
+          new_ok = FAIL;
+          while (ss > s && isspace(ss[-1])) ss--;
+          *log_msgptr = string_sprintf("syntax error in '%.*s' header when "
+            "scanning for sender: %s in \"%.*s\"",
+            (int)(endname - h->text), h->text, *log_msgptr, (int)(ss - s), s);
+          yield = FAIL;
+          done = TRUE;
+          break;
+          }
+
+        /* Else go ahead with the sender verification. But it isn't *the*
+        sender of the message, so set vopt_fake_sender to stop sender_address
+        being replaced after rewriting or qualification. */
+
+        else
+          {
+          vaddr = deliver_make_addr(address, FALSE);
+          new_ok = verify_address(vaddr, NULL, options | vopt_fake_sender,
+            callout, callout_overall, callout_connect, se_mailfrom,
+            pm_mailfrom, NULL);
+          }
+        }
+
+      /* We now have the result, either newly found, or cached. If we are
+      giving out error details, set a specific user error. This means that the
+      last of these will be returned to the user if all three fail. We do not
+      set a log message - the generic one below will be used. */
+
+      if (new_ok != OK)
+        {
+        *verrno = vaddr->basic_errno;
+        if (smtp_return_error_details)
+          *user_msgptr = string_sprintf("Rejected after DATA: "
+            "could not verify \"%.*s\" header address\n%s: %s",
+            (int)(endname - h->text), h->text, vaddr->address, vaddr->message);
+        }
+
+      /* Success or defer */
+
+      if (new_ok == OK)
+        {
+        yield = OK;
+        done = TRUE;
+        break;
+        }
+
+      if (new_ok == DEFER) yield = DEFER;
+
+      /* Move on to any more addresses in the header */
+
+      s = ss;
+      }     /* Next address */
+
+    f.parse_allow_group = FALSE;
+    f.parse_found_group = FALSE;
+    }       /* Next header, unless done */
+	    /* Next header type unless done */
+
+if (yield == FAIL && *log_msgptr == NULL)
+  *log_msgptr = US"there is no valid sender in any header line";
+
+if (yield == DEFER && *log_msgptr == NULL)
+  *log_msgptr = US"all attempts to verify a sender in a header line deferred";
+
+return yield;
+}
+
+
+
+
+/*************************************************
+*            Get RFC 1413 identification         *
+*************************************************/
+
+/* Attempt to get an id from the sending machine via the RFC 1413 protocol. If
+the timeout is set to zero, then the query is not done. There may also be lists
+of hosts and nets which are exempt. To guard against malefactors sending
+non-printing characters which could, for example, disrupt a message's headers,
+make sure the string consists of printing characters only.
+
+Argument:
+  port    the port to connect to; usually this is IDENT_PORT (113), but when
+          running in the test harness with -bh a different value is used.
+
+Returns:  nothing
+
+Side effect: any received ident value is put in sender_ident (NULL otherwise)
+*/
+
+void
+verify_get_ident(int port)
+{
+client_conn_ctx ident_conn_ctx = {0};
+int host_af, qlen;
+int received_sender_port, received_interface_port, n;
+uschar *p;
+blob early_data;
+uschar buffer[2048];
+
+/* Default is no ident. Check whether we want to do an ident check for this
+host. */
+
+sender_ident = NULL;
+if (rfc1413_query_timeout <= 0 || verify_check_host(&rfc1413_hosts) != OK)
+  return;
+
+DEBUG(D_ident) debug_printf("doing ident callback\n");
+
+/* Set up a connection to the ident port of the remote host. Bind the local end
+to the incoming interface address. If the sender host address is an IPv6
+address, the incoming interface address will also be IPv6. */
+
+host_af = Ustrchr(sender_host_address, ':') == NULL ? AF_INET : AF_INET6;
+if ((ident_conn_ctx.sock = ip_socket(SOCK_STREAM, host_af)) < 0) return;
+
+if (ip_bind(ident_conn_ctx.sock, host_af, interface_address, 0) < 0)
+  {
+  DEBUG(D_ident) debug_printf("bind socket for ident failed: %s\n",
+    strerror(errno));
+  goto END_OFF;
+  }
+
+/* Construct and send the query. */
+
+qlen = snprintf(CS buffer, sizeof(buffer), "%d , %d\r\n",
+  sender_host_port, interface_port);
+early_data.data = buffer;
+early_data.len = qlen;
+
+/*XXX we trust that the query is idempotent */
+if (ip_connect(ident_conn_ctx.sock, host_af, sender_host_address, port,
+		rfc1413_query_timeout, &early_data) < 0)
+  {
+  if (errno == ETIMEDOUT && LOGGING(ident_timeout))
+    log_write(0, LOG_MAIN, "ident connection to %s timed out",
+      sender_host_address);
+  else
+    DEBUG(D_ident) debug_printf("ident connection to %s failed: %s\n",
+      sender_host_address, strerror(errno));
+  goto END_OFF;
+  }
+
+/* Read a response line. We put it into the rest of the buffer, using several
+recv() calls if necessary. */
+
+p = buffer + qlen;
+
+for (;;)
+  {
+  uschar *pp;
+  int count;
+  int size = sizeof(buffer) - (p - buffer);
+
+  if (size <= 0) goto END_OFF;   /* Buffer filled without seeing \n. */
+  count = ip_recv(&ident_conn_ctx, p, size, time(NULL) + rfc1413_query_timeout);
+  if (count <= 0) goto END_OFF;  /* Read error or EOF */
+
+  /* Scan what we just read, to see if we have reached the terminating \r\n. Be
+  generous, and accept a plain \n terminator as well. The only illegal
+  character is 0. */
+
+  for (pp = p; pp < p + count; pp++)
+    {
+    if (*pp == 0) goto END_OFF;   /* Zero octet not allowed */
+    if (*pp == '\n')
+      {
+      if (pp[-1] == '\r') pp--;
+      *pp = 0;
+      goto GOT_DATA;             /* Break out of both loops */
+      }
+    }
+
+  /* Reached the end of the data without finding \n. Let the loop continue to
+  read some more, if there is room. */
+
+  p = pp;
+  }
+
+GOT_DATA:
+
+/* We have received a line of data. Check it carefully. It must start with the
+same two port numbers that we sent, followed by data as defined by the RFC. For
+example,
+
+  12345 , 25 : USERID : UNIX :root
+
+However, the amount of white space may be different to what we sent. In the
+"osname" field there may be several sub-fields, comma separated. The data we
+actually want to save follows the third colon. Some systems put leading spaces
+in it - we discard those. */
+
+if (sscanf(CS buffer + qlen, "%d , %d%n", &received_sender_port,
+      &received_interface_port, &n) != 2 ||
+    received_sender_port != sender_host_port ||
+    received_interface_port != interface_port)
+  goto END_OFF;
+
+p = buffer + qlen + n;
+while(isspace(*p)) p++;
+if (*p++ != ':') goto END_OFF;
+while(isspace(*p)) p++;
+if (Ustrncmp(p, "USERID", 6) != 0) goto END_OFF;
+p += 6;
+while(isspace(*p)) p++;
+if (*p++ != ':') goto END_OFF;
+while (*p != 0 && *p != ':') p++;
+if (*p++ == 0) goto END_OFF;
+while(isspace(*p)) p++;
+if (*p == 0) goto END_OFF;
+
+/* The rest of the line is the data we want. We turn it into printing
+characters when we save it, so that it cannot mess up the format of any logging
+or Received: lines into which it gets inserted. We keep a maximum of 127
+characters. The deconst cast is ok as we fed a nonconst to string_printing() */
+
+sender_ident = US string_printing(string_copyn(p, 127));
+DEBUG(D_ident) debug_printf("sender_ident = %s\n", sender_ident);
+
+END_OFF:
+(void)close(ident_conn_ctx.sock);
+return;
+}
+
+
+
+
+/*************************************************
+*      Match host to a single host-list item     *
+*************************************************/
+
+/* This function compares a host (name or address) against a single item
+from a host list. The host name gets looked up if it is needed and is not
+already known. The function is called from verify_check_this_host() via
+match_check_list(), which is why most of its arguments are in a single block.
+
+Arguments:
+  arg            the argument block (see below)
+  ss             the host-list item
+  valueptr       where to pass back looked up data, or NULL
+  error          for error message when returning ERROR
+
+The block contains:
+  host_name      (a) the host name, or
+                 (b) NULL, implying use sender_host_name and
+                       sender_host_aliases, looking them up if required, or
+                 (c) the empty string, meaning that only IP address matches
+                       are permitted
+  host_address   the host address
+  host_ipv4      the IPv4 address taken from an IPv6 one
+
+Returns:         OK      matched
+                 FAIL    did not match
+                 DEFER   lookup deferred
+                 ERROR   (a) failed to find the host name or IP address, or
+                         (b) unknown lookup type specified, or
+                         (c) host name encountered when only IP addresses are
+                               being matched
+*/
+
+int
+check_host(void * arg, const uschar * ss, const uschar ** valueptr, uschar ** error)
+{
+check_host_block * cb = (check_host_block *)arg;
+int mlen = -1;
+int maskoffset;
+BOOL iplookup = FALSE, isquery = FALSE;
+BOOL isiponly = cb->host_name && !cb->host_name[0];
+const uschar * t;
+uschar * semicolon, * endname, * opts;
+uschar ** aliases;
+
+/* Optimize for the special case when the pattern is "*". */
+
+if (*ss == '*' && !ss[1]) return OK;
+
+/* If the pattern is empty, it matches only in the case when there is no host -
+this can occur in ACL checking for SMTP input using the -bs option. In this
+situation, the host address is the empty string. */
+
+if (!cb->host_address[0]) return *ss ? FAIL : OK;
+if (!*ss) return FAIL;
+
+/* If the pattern is precisely "@" then match against the primary host name,
+provided that host name matching is permitted; if it's "@[]" match against the
+local host's IP addresses. */
+
+if (*ss == '@')
+  if (ss[1] == 0)
+    {
+    if (isiponly) return ERROR;
+    ss = primary_hostname;
+    }
+  else if (Ustrcmp(ss, "@[]") == 0)
+    {
+    for (ip_address_item * ip = host_find_interfaces(); ip; ip = ip->next)
+      if (Ustrcmp(ip->address, cb->host_address) == 0) return OK;
+    return FAIL;
+    }
+
+/* If the pattern is an IP address, optionally followed by a bitmask count, do
+a (possibly masked) comparison with the current IP address. */
+
+if (string_is_ip_address(ss, &maskoffset) != 0)
+  return (host_is_in_net(cb->host_address, ss, maskoffset)? OK : FAIL);
+
+/* The pattern is not an IP address. A common error that people make is to omit
+one component of an IPv4 address, either by accident, or believing that, for
+example, 1.2.3/24 is the same as 1.2.3.0/24, or 1.2.3 is the same as 1.2.3.0,
+which it isn't. (Those applications that do accept 1.2.3 as an IP address
+interpret it as 1.2.0.3 because the final component becomes 16-bit - this is an
+ancient specification.) To aid in debugging these cases, we give a specific
+error if the pattern contains only digits and dots or contains a slash preceded
+only by digits and dots (a slash at the start indicates a file name and of
+course slashes may be present in lookups, but not preceded only by digits and
+dots). */
+
+for (t = ss; isdigit(*t) || *t == '.'; ) t++;
+if (!*t  || (*t == '/' && t != ss))
+  {
+  *error = US"malformed IPv4 address or address mask";
+  return ERROR;
+  }
+
+/* See if there is a semicolon in the pattern, separating a searchtype
+prefix.  If there is one then check for comma-sep options. */
+
+if ((semicolon = Ustrchr(ss, ';')))
+  if ((opts = Ustrchr(ss, ',')) && opts < semicolon)
+    {
+    endname = opts++;
+    opts = string_copyn(opts, semicolon - opts);
+    }
+  else
+    {
+    endname = semicolon;
+    opts = NULL;
+    }
+
+/* If we are doing an IP address only match, then all lookups must be IP
+address lookups, even if there is no "net-". */
+
+if (isiponly)
+  iplookup = semicolon != NULL;
+
+/* Otherwise, if the item is of the form net[n]-lookup;<file|query> then it is
+a lookup on a masked IP network, in textual form. We obey this code even if we
+have already set iplookup, so as to skip over the "net-" prefix and to set the
+mask length. The net- stuff really only applies to single-key lookups where the
+key is implicit. For query-style lookups the key is specified in the query.
+From release 4.30, the use of net- for query style is no longer needed, but we
+retain it for backward compatibility. */
+
+if (Ustrncmp(ss, "net", 3) == 0 && semicolon)
+  {
+  mlen = 0;
+  for (t = ss + 3; isdigit(*t); t++) mlen = mlen * 10 + *t - '0';
+  if (mlen == 0 && t == ss+3) mlen = -1;  /* No mask supplied */
+  iplookup = *t++ == '-';
+  }
+else
+  t = ss;
+
+/* Do the IP address lookup if that is indeed what we have */
+
+if (iplookup)
+  {
+  int insize;
+  int search_type;
+  int incoming[4];
+  void *handle;
+  uschar *filename, *key, *result;
+  uschar buffer[64];
+
+  /* Find the search type */
+
+  search_type = search_findtype(t, endname - t);
+
+  if (search_type < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
+    search_error_message);
+
+  /* Adjust parameters for the type of lookup. For a query-style lookup, there
+  is no file name, and the "key" is just the query. For query-style with a file
+  name, we have to fish the file off the start of the query. For a single-key
+  lookup, the key is the current IP address, masked appropriately, and
+  reconverted to text form, with the mask appended. For IPv6 addresses, specify
+  dot separators instead of colons, except when the lookup type is "iplsearch".
+  */
+
+  if (mac_islookup(search_type, lookup_absfilequery))
+    {
+    filename = semicolon + 1;
+    key = filename;
+    while (*key != 0 && !isspace(*key)) key++;
+    filename = string_copyn(filename, key - filename);
+    while (isspace(*key)) key++;
+    }
+  else if (mac_islookup(search_type, lookup_querystyle))
+    {
+    filename = NULL;
+    key = semicolon + 1;
+    }
+  else   /* Single-key style */
+    {
+    int sep = (Ustrcmp(lookup_list[search_type]->name, "iplsearch") == 0)?
+      ':' : '.';
+    insize = host_aton(cb->host_address, incoming);
+    host_mask(insize, incoming, mlen);
+    (void)host_nmtoa(insize, incoming, mlen, buffer, sep);
+    key = buffer;
+    filename = semicolon + 1;
+    }
+
+  /* Now do the actual lookup; note that there is no search_close() because
+  of the caching arrangements. */
+
+  if (!(handle = search_open(filename, search_type, 0, NULL, NULL)))
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", search_error_message);
+
+  result = search_find(handle, filename, key, -1, NULL, 0, 0, NULL, opts);
+  if (valueptr) *valueptr = result;
+  return result ? OK : f.search_find_defer ? DEFER: FAIL;
+  }
+
+/* The pattern is not an IP address or network reference of any kind. That is,
+it is a host name pattern. If this is an IP only match, there's an error in the
+host list. */
+
+if (isiponly)
+  {
+  *error = US"cannot match host name in match_ip list";
+  return ERROR;
+  }
+
+/* Check the characters of the pattern to see if they comprise only letters,
+digits, full stops, and hyphens (the constituents of domain names). Allow
+underscores, as they are all too commonly found. Sigh. Also, if
+allow_utf8_domains is set, allow top-bit characters. */
+
+for (t = ss; *t != 0; t++)
+  if (!isalnum(*t) && *t != '.' && *t != '-' && *t != '_' &&
+      (!allow_utf8_domains || *t < 128)) break;
+
+/* If the pattern is a complete domain name, with no fancy characters, look up
+its IP address and match against that. Note that a multi-homed host will add
+items to the chain. */
+
+if (*t == 0)
+  {
+  int rc;
+  host_item h;
+  h.next = NULL;
+  h.name = ss;
+  h.address = NULL;
+  h.mx = MX_NONE;
+
+  /* Using byname rather than bydns here means we cannot determine dnssec
+  status.  On the other hand it is unclear how that could be either
+  propagated up or enforced. */
+
+  rc = host_find_byname(&h, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, FALSE);
+  if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
+    {
+    for (host_item * hh = &h; hh; hh = hh->next)
+      if (host_is_in_net(hh->address, cb->host_address, 0)) return OK;
+    return FAIL;
+    }
+  if (rc == HOST_FIND_AGAIN) return DEFER;
+  *error = string_sprintf("failed to find IP address for %s", ss);
+  return ERROR;
+  }
+
+/* Almost all subsequent comparisons require the host name, and can be done
+using the general string matching function. When this function is called for
+outgoing hosts, the name is always given explicitly. If it is NULL, it means we
+must use sender_host_name and its aliases, looking them up if necessary. */
+
+if (cb->host_name)   /* Explicit host name given */
+  return match_check_string(cb->host_name, ss, -1, TRUE, TRUE, TRUE,
+    valueptr);
+
+/* Host name not given; in principle we need the sender host name and its
+aliases. However, for query-style lookups, we do not need the name if the
+query does not contain $sender_host_name. From release 4.23, a reference to
+$sender_host_name causes it to be looked up, so we don't need to do the lookup
+on spec. */
+
+if ((semicolon = Ustrchr(ss, ';')))
+  {
+  const uschar * affix, * opts;
+  int partial, affixlen, starflags, id;
+
+  *semicolon = 0;
+  id = search_findtype_partial(ss, &partial, &affix, &affixlen, &starflags,
+	  &opts);
+  *semicolon=';';
+
+  if (id < 0)                           /* Unknown lookup type */
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "%s in host list item \"%s\"",
+      search_error_message, ss);
+    return DEFER;
+    }
+  isquery = mac_islookup(id, lookup_querystyle|lookup_absfilequery);
+  }
+
+if (isquery)
+  {
+  switch(match_check_string(US"", ss, -1, TRUE, TRUE, TRUE, valueptr))
+    {
+    case OK:    return OK;
+    case DEFER: return DEFER;
+    default:    return FAIL;
+    }
+  }
+
+/* Not a query-style lookup; must ensure the host name is present, and then we
+do a check on the name and all its aliases. */
+
+if (!sender_host_name)
+  {
+  HDEBUG(D_host_lookup)
+    debug_printf("sender host name required, to match against %s\n", ss);
+  if (host_lookup_failed || host_name_lookup() != OK)
+    {
+    *error = string_sprintf("failed to find host name for %s",
+      sender_host_address);;
+    return ERROR;
+    }
+  host_build_sender_fullhost();
+  }
+
+/* Match on the sender host name, using the general matching function */
+
+switch(match_check_string(sender_host_name, ss, -1, TRUE, TRUE, TRUE, valueptr))
+  {
+  case OK:    return OK;
+  case DEFER: return DEFER;
+  }
+
+/* If there are aliases, try matching on them. */
+
+aliases = sender_host_aliases;
+while (*aliases)
+  switch(match_check_string(*aliases++, ss, -1, TRUE, TRUE, TRUE, valueptr))
+    {
+    case OK:    return OK;
+    case DEFER: return DEFER;
+    }
+return FAIL;
+}
+
+
+
+
+/*************************************************
+*    Check a specific host matches a host list   *
+*************************************************/
+
+/* This function is passed a host list containing items in a number of
+different formats and the identity of a host. Its job is to determine whether
+the given host is in the set of hosts defined by the list. The host name is
+passed as a pointer so that it can be looked up if needed and not already
+known. This is commonly the case when called from verify_check_host() to check
+an incoming connection. When called from elsewhere the host name should usually
+be set.
+
+This function is now just a front end to match_check_list(), which runs common
+code for scanning a list. We pass it the check_host() function to perform a
+single test.
+
+Arguments:
+  listptr              pointer to the host list
+  cache_bits           pointer to cache for named lists, or NULL
+  host_name            the host name or NULL, implying use sender_host_name and
+                         sender_host_aliases, looking them up if required
+  host_address         the IP address
+  valueptr             if not NULL, data from a lookup is passed back here
+
+Returns:    OK    if the host is in the defined set
+            FAIL  if the host is not in the defined set,
+            DEFER if a data lookup deferred (not a host lookup)
+
+If the host name was needed in order to make a comparison, and could not be
+determined from the IP address, the result is FAIL unless the item
+"+allow_unknown" was met earlier in the list, in which case OK is returned. */
+
+int
+verify_check_this_host(const uschar **listptr, unsigned int *cache_bits,
+  const uschar *host_name, const uschar *host_address, const uschar **valueptr)
+{
+int rc;
+unsigned int *local_cache_bits = cache_bits;
+const uschar *save_host_address = deliver_host_address;
+check_host_block cb = { .host_name = host_name, .host_address = host_address };
+
+if (valueptr) *valueptr = NULL;
+
+/* If the host address starts off ::ffff: it is an IPv6 address in
+IPv4-compatible mode. Find the IPv4 part for checking against IPv4
+addresses. */
+
+cb.host_ipv4 = Ustrncmp(host_address, "::ffff:", 7) == 0
+  ? host_address + 7 : host_address;
+
+/* During the running of the check, put the IP address into $host_address. In
+the case of calls from the smtp transport, it will already be there. However,
+in other calls (e.g. when testing ignore_target_hosts), it won't. Just to be on
+the safe side, any existing setting is preserved, though as I write this
+(November 2004) I can't see any cases where it is actually needed. */
+
+deliver_host_address = host_address;
+rc = match_check_list(
+       listptr,                                /* the list */
+       0,                                      /* separator character */
+       &hostlist_anchor,                       /* anchor pointer */
+       &local_cache_bits,                      /* cache pointer */
+       check_host,                             /* function for testing */
+       &cb,                                    /* argument for function */
+       MCL_HOST,                               /* type of check */
+       (host_address == sender_host_address)?
+         US"host" : host_address,              /* text for debugging */
+       valueptr);                              /* where to pass back data */
+deliver_host_address = save_host_address;
+return rc;
+}
+
+
+
+
+/*************************************************
+*      Check the given host item matches a list  *
+*************************************************/
+int
+verify_check_given_host(const uschar **listptr, const host_item *host)
+{
+return verify_check_this_host(listptr, NULL, host->name, host->address, NULL);
+}
+
+/*************************************************
+*      Check the remote host matches a list      *
+*************************************************/
+
+/* This is a front end to verify_check_this_host(), created because checking
+the remote host is a common occurrence. With luck, a good compiler will spot
+the tail recursion and optimize it. If there's no host address, this is
+command-line SMTP input - check against an empty string for the address.
+
+Arguments:
+  listptr              pointer to the host list
+
+Returns:               the yield of verify_check_this_host(),
+                       i.e. OK, FAIL, or DEFER
+*/
+
+int
+verify_check_host(uschar **listptr)
+{
+return verify_check_this_host(CUSS listptr, sender_host_cache, NULL,
+  sender_host_address ? sender_host_address : US"", NULL);
+}
+
+
+
+
+
+/*************************************************
+*              Invert an IP address              *
+*************************************************/
+
+/* Originally just used for DNS xBL lists, now also used for the
+reverse_ip expansion operator.
+
+Arguments:
+  buffer         where to put the answer
+  address        the address to invert
+*/
+
+void
+invert_address(uschar *buffer, uschar *address)
+{
+int bin[4];
+uschar *bptr = buffer;
+
+/* If this is an IPv4 address mapped into IPv6 format, adjust the pointer
+to the IPv4 part only. */
+
+if (Ustrncmp(address, "::ffff:", 7) == 0) address += 7;
+
+/* Handle IPv4 address: when HAVE_IPV6 is false, the result of host_aton() is
+always 1. */
+
+if (host_aton(address, bin) == 1)
+  {
+  int x = bin[0];
+  for (int i = 0; i < 4; i++)
+    {
+    sprintf(CS bptr, "%d.", x & 255);
+    while (*bptr) bptr++;
+    x >>= 8;
+    }
+  }
+
+/* Handle IPv6 address. Actually, as far as I know, there are no IPv6 addresses
+in any DNS black lists, and the format in which they will be looked up is
+unknown. This is just a guess. */
+
+#if HAVE_IPV6
+else
+  for (int j = 3; j >= 0; j--)
+    {
+    int x = bin[j];
+    for (int i = 0; i < 8; i++)
+      {
+      sprintf(CS bptr, "%x.", x & 15);
+      while (*bptr) bptr++;
+      x >>= 4;
+      }
+    }
+#endif
+
+/* Remove trailing period -- this is needed so that both arbitrary
+dnsbl keydomains and inverted addresses may be combined with the
+same format string, "%s.%s" */
+
+*(--bptr) = 0;
+}
+
+
+
+/****************************************************
+  Verify a local user account for quota sufficiency
+****************************************************/
+
+/* The real work, done via a re-exec for privs, calls
+down to the transport for the quota check.
+
+Route and transport (in recipient-verify mode) the
+given recipient. 
+
+A routing result indicating any transport type other than appendfile
+results in a fail.
+
+Return, on stdout, a result string containing:
+- highlevel result code (OK, DEFER, FAIL)
+- errno
+- where string
+- message string
+*/
+
+void
+verify_quota(uschar * address)
+{
+address_item vaddr = {.address = address};
+BOOL routed;
+uschar * msg = US"\0";
+int rc, len = 1;
+
+if ((rc = verify_address(&vaddr, NULL, vopt_is_recipient | vopt_quota,
+    1, 0, 0, NULL, NULL, &routed)) != OK)
+  {
+  uschar * where = recipient_verify_failure;
+  msg = acl_verify_message ? acl_verify_message : vaddr.message;
+  if (!msg) msg = US"";
+  if (rc == DEFER && vaddr.basic_errno == ERRNO_EXIMQUOTA)
+    {
+    rc = FAIL;					/* DEFER -> FAIL */
+    where = US"quota";
+    vaddr.basic_errno = 0;
+    }
+  else if (!where) where = US"";
+
+  len = 5 + Ustrlen(msg) + 1 + Ustrlen(where);
+  msg = string_sprintf("%c%c%c%c%c%s%c%s", (uschar)rc,
+    (vaddr.basic_errno >> 24) & 0xff, (vaddr.basic_errno >> 16) & 0xff,
+    (vaddr.basic_errno >> 8) & 0xff, vaddr.basic_errno & 0xff,
+    where, '\0', msg);
+  }
+
+DEBUG(D_verify) debug_printf_indent("verify_quota: len %d\n", len);
+write(1, msg, len);
+return;
+}
+
+
+/******************************************************************************/
+
+/* Quota cache lookup.  We use the callout hints db also for the quota cache.
+Return TRUE if a nonexpired record was found, having filled in the yield
+argument.
+*/
+
+static BOOL
+cached_quota_lookup(const uschar * rcpt, int * yield,
+  int pos_cache, int neg_cache)
+{
+open_db dbblock, *dbm_file = NULL;
+dbdata_callout_cache_address * cache_address_record;
+
+if (!pos_cache && !neg_cache)
+  return FALSE;
+if (!(dbm_file = dbfn_open(US"callout", O_RDWR, &dbblock, FALSE, TRUE)))
+  {
+  HDEBUG(D_verify) debug_printf_indent("quota cache: not available\n");
+  return FALSE;
+  }
+if (!(cache_address_record = (dbdata_callout_cache_address *)
+    get_callout_cache_record(dbm_file, rcpt, US"address",
+      pos_cache, neg_cache)))
+  {
+  dbfn_close(dbm_file);
+  return FALSE;
+  }
+if (cache_address_record->result == ccache_accept)
+  *yield = OK;
+dbfn_close(dbm_file);
+return TRUE;
+}
+
+/* Quota cache write */
+
+static void
+cache_quota_write(const uschar * rcpt, int yield, int pos_cache, int neg_cache)
+{
+open_db dbblock, *dbm_file = NULL;
+dbdata_callout_cache_address cache_address_record;
+
+if (!pos_cache && !neg_cache)
+  return;
+if (!(dbm_file = dbfn_open(US"callout", O_RDWR|O_CREAT, &dbblock, FALSE, TRUE)))
+  {
+  HDEBUG(D_verify) debug_printf_indent("quota cache: not available\n");
+  return;
+  }
+
+cache_address_record.result = yield == OK ? ccache_accept : ccache_reject;
+
+(void)dbfn_write(dbm_file, rcpt, &cache_address_record,
+	(int)sizeof(dbdata_callout_cache_address));
+HDEBUG(D_verify) debug_printf_indent("wrote %s quota cache record for %s\n",
+      yield == OK ? "positive" : "negative", rcpt);
+
+dbfn_close(dbm_file);
+return;
+}
+
+
+/* To evaluate a local user's quota, starting in ACL, we need to
+fork & exec to regain privileges, to that we can change to the user's
+identity for access to their files.
+
+Arguments:
+ rcpt		Recipient account
+ pos_cache	Number of seconds to cache a positive result (delivery
+ 		to be accepted).  Zero to disable caching.
+ neg_cache	Number of seconds to cache a negative result.  Zero to disable.
+ msg		Pointer to result string pointer
+
+Return:		OK/DEFER/FAIL code
+*/
+
+int
+verify_quota_call(const uschar * rcpt, int pos_cache, int neg_cache,
+  uschar ** msg)
+{
+int pfd[2], pid, save_errno, yield = FAIL;
+void (*oldsignal)(int);
+const uschar * where = US"socketpair";
+
+*msg = NULL;
+
+if (cached_quota_lookup(rcpt, &yield, pos_cache, neg_cache))
+  {
+  HDEBUG(D_verify) debug_printf_indent("quota cache: address record is %s\n",
+    yield == OK ? "positive" : "negative");
+  if (yield != OK)
+    {
+    recipient_verify_failure = US"quota";
+    acl_verify_message = *msg =
+      US"Previous (cached) quota verification failure";
+    }
+  return yield;
+  }
+
+if (pipe(pfd) != 0)
+  goto fail;
+
+where = US"fork";
+oldsignal = signal(SIGCHLD, SIG_DFL);
+if ((pid = exim_fork(US"quota-verify")) < 0)
+  {
+  save_errno = errno;
+  close(pfd[pipe_write]);
+  close(pfd[pipe_read]);
+  errno = save_errno;
+  goto fail;
+  }
+
+if (pid == 0)		/* child */
+  {
+  close(pfd[pipe_read]);
+  force_fd(pfd[pipe_write], 1);		/* stdout to pipe */
+  close(pfd[pipe_write]);
+  dup2(1, 0);
+  if (debug_fd > 0) force_fd(debug_fd, 2);
+
+  child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 3,
+    US"-MCq", string_sprintf("%d", message_size), rcpt);
+  /*NOTREACHED*/
+  }
+
+save_errno = errno;
+close(pfd[pipe_write]);
+
+if (pid < 0)
+  {
+  DEBUG(D_verify) debug_printf_indent(" fork: %s\n", strerror(save_errno));
+  }
+else
+  {
+  uschar buf[128];
+  int n = read(pfd[pipe_read], buf, sizeof(buf));
+  int status;
+
+  waitpid(pid, &status, 0);
+  if (status == 0)
+    {
+    uschar * s;
+
+    if (n > 0) yield = buf[0];
+    if (n > 4)
+      save_errno = (buf[1] << 24) | (buf[2] << 16) | (buf[3] << 8) | buf[4];
+    if ((recipient_verify_failure = n > 5
+	? string_copyn_taint(buf+5, n-5, GET_UNTAINTED) : NULL))
+      {
+      int m;
+      s = buf + 5 + Ustrlen(recipient_verify_failure) + 1;
+      m = n - (s - buf);
+      acl_verify_message = *msg =
+	m > 0 ? string_copyn_taint(s, m, GET_UNTAINTED) : NULL;
+      }
+
+    DEBUG(D_verify) debug_printf_indent("verify call response:"
+      " len %d yield %s errno '%s' where '%s' msg '%s'\n",
+      n, rc_names[yield], strerror(save_errno), recipient_verify_failure, *msg);
+
+    if (  yield == OK
+       || save_errno == 0 && Ustrcmp(recipient_verify_failure, "quota") == 0)
+      cache_quota_write(rcpt, yield, pos_cache, neg_cache);
+    else DEBUG(D_verify)
+      debug_printf_indent("result not cacheable\n");
+    }
+  else
+    {
+    DEBUG(D_verify)
+      debug_printf_indent("verify call response: waitpid status 0x%04x\n", status);
+    }
+  }
+
+close(pfd[pipe_read]);
+signal(SIGCHLD, oldsignal);
+errno = save_errno;
+return yield;
+
+fail:
+DEBUG(D_verify) debug_printf_indent("verify_quota_call fail in %s\n", where);
+return yield;
+}
+
+
+/* vi: aw ai sw=2
+*/
+/* End of verify.c */
diff --git a/src/version.c b/src/version.c
new file mode 100644
index 0000000..118ebbd
--- /dev/null
+++ b/src/version.c
@@ -0,0 +1,68 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) The Exim Maintainers 2010 - 2018 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Function for setting up the version string. */
+
+#include "exim.h"
+
+#include "version.h"
+
+
+/* The header file cnumber.h contains a single line containing the
+compilation number, making it easy to have it updated automatically.
+Hence the fudgery below to get the number turned into a string, since
+we can't use #include inside a macro argument list */
+
+void
+version_init(void)
+{
+static uschar cnumber_buffer[24];
+static uschar date_buffer[32];
+
+uschar today[20];
+uschar *version_cnumber_format;
+
+int cnumber =
+#include "cnumber.h"
+;
+
+/* The odd magic after each of these is so they can be easily found
+for automatic patching to standard values when running regression tests.
+The reason that version_cnumber_format isn't just written inline in the
+sprintf() call is the gcc -Wall warns about a \0 in a format string. */
+
+version_cnumber = cnumber_buffer;
+version_cnumber_format = US"%d\0<<eximcnumber>>";
+sprintf(CS version_cnumber, CS version_cnumber_format, cnumber);
+version_string = US EXIM_VERSION_STR "\0<<eximversion>>";
+
+#ifdef EXIM_BUILD_DATE_OVERRIDE
+/* Reproducible build support; build tooling should have given us something looking like
+ * "25-Feb-2017 20:15:40" in EXIM_BUILD_DATE_OVERRIDE based on $SOURCE_DATE_EPOCH in environ
+ * per <https://reproducible-builds.org/specs/source-date-epoch/>
+ */
+version_date = date_buffer;
+version_date[0] = 0;
+Ustrncat(version_date, EXIM_BUILD_DATE_OVERRIDE, sizeof(date_buffer));
+
+#else
+Ustrcpy(today, US __DATE__);
+if (today[4] == ' ') today[4] = '0';
+today[3] = today[6] = '-';
+
+version_date = date_buffer;
+version_date[0] = 0;
+Ustrncat(version_date, today+4, 3);
+Ustrncat(version_date, today, 4);
+Ustrncat(version_date, today+7, 4);
+Ustrcat(version_date, US" ");
+Ustrcat(version_date, US __TIME__);
+#endif
+}
+
+/* End of version.c */
diff --git a/src/version.h b/src/version.h
new file mode 100644
index 0000000..26e1a81
--- /dev/null
+++ b/src/version.h
@@ -0,0 +1,7 @@
+/* automatically generated file - see ../scripts/reversion */
+#define EXIM_RELEASE_VERSION "4.96"
+#ifdef EXIM_VARIANT_VERSION
+#define EXIM_VERSION_STR EXIM_RELEASE_VERSION "-" EXIM_VARIANT_VERSION
+#else
+#define EXIM_VERSION_STR EXIM_RELEASE_VERSION
+#endif
diff --git a/src/version.sh b/src/version.sh
new file mode 100644
index 0000000..bd8c7f3
--- /dev/null
+++ b/src/version.sh
@@ -0,0 +1,3 @@
+# automatically generated file - see ../scripts/reversion
+EXIM_RELEASE_VERSION="4.96"
+EXIM_COMPILE_NUMBER="1"