1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
11 #include "appendfile.h"
13 #ifdef SUPPORT_MAILDIR
14 #include "tf_maildir.h"
18 /* Options specific to the appendfile transport. They must be in alphabetic
19 order (note that "_" comes before the lower case letters). Some of them are
20 stored in the publicly visible instance block - these are flagged with the
22 #define LOFF(field) OPT_OFF(appendfile_transport_options_block, field)
24 optionlist appendfile_transport_options[] = {
25 #ifdef SUPPORT_MAILDIR
26 { "*expand_maildir_use_size_file", opt_stringptr, LOFF(expand_maildir_use_size_file) },
28 { "*set_use_fcntl_lock",opt_bool | opt_hidden, LOFF(set_use_fcntl) },
29 { "*set_use_flock_lock",opt_bool | opt_hidden, LOFF(set_use_flock) },
30 { "*set_use_lockfile", opt_bool | opt_hidden, LOFF(set_use_lockfile) },
32 { "*set_use_mbx_lock", opt_bool | opt_hidden, LOFF(set_use_mbx_lock) },
34 { "allow_fifo", opt_bool, LOFF(allow_fifo) },
35 { "allow_symlink", opt_bool, LOFF(allow_symlink) },
36 { "batch_id", opt_stringptr | opt_public, OPT_OFF(transport_instance, batch_id) },
37 { "batch_max", opt_int | opt_public, OPT_OFF(transport_instance, batch_max) },
38 { "check_group", opt_bool, LOFF(check_group) },
39 { "check_owner", opt_bool, LOFF(check_owner) },
40 { "check_string", opt_stringptr, LOFF(check_string) },
41 { "create_directory", opt_bool, LOFF(create_directory) },
42 { "create_file", opt_stringptr, LOFF(create_file_string) },
43 { "directory", opt_stringptr, LOFF(dirname) },
44 { "directory_file", opt_stringptr, LOFF(dirfilename) },
45 { "directory_mode", opt_octint, LOFF(dirmode) },
46 { "escape_string", opt_stringptr, LOFF(escape_string) },
47 { "file", opt_stringptr, LOFF(filename) },
48 { "file_format", opt_stringptr, LOFF(file_format) },
49 { "file_must_exist", opt_bool, LOFF(file_must_exist) },
50 { "lock_fcntl_timeout", opt_time, LOFF(lock_fcntl_timeout) },
51 { "lock_flock_timeout", opt_time, LOFF(lock_flock_timeout) },
52 { "lock_interval", opt_time, LOFF(lock_interval) },
53 { "lock_retries", opt_int, LOFF(lock_retries) },
54 { "lockfile_mode", opt_octint, LOFF(lockfile_mode) },
55 { "lockfile_timeout", opt_time, LOFF(lockfile_timeout) },
56 { "mailbox_filecount", opt_stringptr, LOFF(mailbox_filecount_string) },
57 { "mailbox_size", opt_stringptr, LOFF(mailbox_size_string) },
58 #ifdef SUPPORT_MAILDIR
59 { "maildir_format", opt_bool, LOFF(maildir_format ) } ,
60 { "maildir_quota_directory_regex", opt_stringptr, LOFF(maildir_dir_regex) },
61 { "maildir_retries", opt_int, LOFF(maildir_retries) },
62 { "maildir_tag", opt_stringptr, LOFF(maildir_tag) },
63 { "maildir_use_size_file", opt_expand_bool, LOFF(maildir_use_size_file ) } ,
64 { "maildirfolder_create_regex", opt_stringptr, LOFF(maildirfolder_create_regex ) },
65 #endif /* SUPPORT_MAILDIR */
66 #ifdef SUPPORT_MAILSTORE
67 { "mailstore_format", opt_bool, LOFF(mailstore_format ) },
68 { "mailstore_prefix", opt_stringptr, LOFF(mailstore_prefix ) },
69 { "mailstore_suffix", opt_stringptr, LOFF(mailstore_suffix ) },
70 #endif /* SUPPORT_MAILSTORE */
72 { "mbx_format", opt_bool, LOFF(mbx_format ) } ,
73 #endif /* SUPPORT_MBX */
74 { "message_prefix", opt_stringptr, LOFF(message_prefix) },
75 { "message_suffix", opt_stringptr, LOFF(message_suffix) },
76 { "mode", opt_octint, LOFF(mode) },
77 { "mode_fail_narrower",opt_bool, LOFF(mode_fail_narrower) },
78 { "notify_comsat", opt_bool, LOFF(notify_comsat) },
79 { "quota", opt_stringptr, LOFF(quota) },
80 { "quota_directory", opt_stringptr, LOFF(quota_directory) },
81 { "quota_filecount", opt_stringptr, LOFF(quota_filecount) },
82 { "quota_is_inclusive", opt_bool, LOFF(quota_is_inclusive) },
83 { "quota_size_regex", opt_stringptr, LOFF(quota_size_regex) },
84 { "quota_warn_message", opt_stringptr | opt_public, OPT_OFF(transport_instance, warn_message) },
85 { "quota_warn_threshold", opt_stringptr, LOFF(quota_warn_threshold) },
86 { "use_bsmtp", opt_bool, LOFF(use_bsmtp) },
87 { "use_crlf", opt_bool, LOFF(use_crlf) },
88 { "use_fcntl_lock", opt_bool_set, LOFF(use_fcntl) },
89 { "use_flock_lock", opt_bool_set, LOFF(use_flock) },
90 { "use_lockfile", opt_bool_set, LOFF(use_lockfile) },
92 { "use_mbx_lock", opt_bool_set, LOFF(use_mbx_lock) },
93 #endif /* SUPPORT_MBX */
96 /* Size of the options list. An extern variable has to be used so that its
97 address can appear in the tables drtables.c. */
99 int appendfile_transport_options_count =
100 sizeof(appendfile_transport_options)/sizeof(optionlist);
106 appendfile_transport_options_block appendfile_transport_option_defaults = {0};
107 void appendfile_transport_init(transport_instance *tblock) {}
108 BOOL appendfile_transport_entry(transport_instance *tblock, address_item *addr) {return FALSE;}
110 #else /*!MACRO_PREDEF*/
112 /* Default private options block for the appendfile transport. */
114 appendfile_transport_options_block appendfile_transport_option_defaults = {
117 US"q${base62:$tod_epoch}-$inode", /* dirfilename */
118 NULL, /* message_prefix (default reset in init if not bsmtp) */
119 NULL, /* message_suffix (ditto) */
120 US"anywhere", /* create_file_string (string value for create_file) */
122 NULL, /* quota_directory */
123 NULL, /* quota_filecount */
124 NULL, /* quota_size_regex */
125 NULL, /* quota_warn_threshold */
126 NULL, /* mailbox_size_string */
127 NULL, /* mailbox_filecount_string */
128 NULL, /* expand_maildir_use_size_file */
129 US"^(?:cur|new|\\..*)$", /* maildir_dir_regex */
130 NULL, /* maildir_tag */
131 NULL, /* maildirfolder_create_regex */
132 NULL, /* mailstore_prefix */
133 NULL, /* mailstore_suffix */
134 NULL, /* check_string (default changed for non-bsmtp file)*/
135 NULL, /* escape_string (ditto) */
136 NULL, /* file_format */
138 0, /* quota_warn_threshold_value */
139 -1, /* mailbox_size_value */
140 -1, /* mailbox_filecount_value */
141 0, /* quota_filecount_value */
142 APPENDFILE_MODE, /* mode */
143 APPENDFILE_DIRECTORY_MODE, /* dirmode */
144 APPENDFILE_LOCKFILE_MODE, /* lockfile_mode */
145 30*60, /* lockfile_timeout */
146 0, /* lock_fcntl_timeout */
147 0, /* lock_flock_timeout */
148 10, /* lock_retries */
149 3, /* lock_interval */
150 10, /* maildir_retries */
151 create_anywhere,/* create_file */
153 FALSE, /* allow_fifo */
154 FALSE, /* allow_symlink */
155 FALSE, /* check_group */
156 TRUE, /* check_owner */
157 TRUE, /* create_directory */
158 FALSE, /* notify_comsat */
159 TRUE, /* use_lockfile */
160 FALSE, /* set_use_lockfile */
161 TRUE, /* use_fcntl */
162 FALSE, /* set_use_fcntl */
163 FALSE, /* use_flock */
164 FALSE, /* set_use_flock */
165 FALSE, /* use_mbx_lock */
166 FALSE, /* set_use_mbx_lock */
167 FALSE, /* use_bsmtp */
168 FALSE, /* use_crlf */
169 FALSE, /* file_must_exist */
170 TRUE, /* mode_fail_narrower */
171 FALSE, /* maildir_format */
172 FALSE, /* maildir_use_size_file */
173 FALSE, /* mailstore_format */
174 FALSE, /* mbx_format */
175 FALSE, /* quota_warn_threshold_is_percent */
176 TRUE, /* quota_is_inclusive */
177 FALSE, /* quota_no_check */
178 FALSE /* quota_filecount_no_check */
182 /* Encodings for mailbox formats, and their names. MBX format is actually
183 supported only if SUPPORT_MBX is set. */
185 enum { mbf_unix, mbf_mbx, mbf_smail, mbf_maildir, mbf_mailstore };
187 static const char *mailbox_formats[] = {
188 "unix", "mbx", "smail", "maildir", "mailstore" };
191 /* Check warn threshold only if quota size set or not a percentage threshold
192 percentage check should only be done if quota > 0 */
194 #define THRESHOLD_CHECK (ob->quota_warn_threshold_value > 0 && \
195 (!ob->quota_warn_threshold_is_percent || ob->quota_value > 0))
199 /*************************************************
200 * Setup entry point *
201 *************************************************/
203 /* Called for each delivery in the privileged state, just before the uid/gid
204 are changed and the main entry point is called. We use this function to
205 expand any quota settings, so that it can access files that may not be readable
206 by the user. It is also used to pick up external mailbox size information, if
210 tblock points to the transport instance
211 addrlist addresses about to be delivered (not used)
212 dummy not used (doesn't pass back data)
213 uid the uid that will be set (not used)
214 gid the gid that will be set (not used)
215 errmsg where to put an error message
217 Returns: OK, FAIL, or DEFER
221 appendfile_transport_setup(transport_instance *tblock, address_item *addrlist,
222 transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg)
224 appendfile_transport_options_block *ob =
225 (appendfile_transport_options_block *)(tblock->options_block);
226 uschar *q = ob->quota;
227 double default_value = 0.0;
229 if (ob->expand_maildir_use_size_file)
230 ob->maildir_use_size_file = expand_check_condition(ob->expand_maildir_use_size_file,
231 US"`maildir_use_size_file` in transport", tblock->name);
233 /* Loop for quota, quota_filecount, quota_warn_threshold, mailbox_size,
236 for (int i = 0; i < 5; i++)
240 uschar *which = NULL;
242 if (q == NULL) d = default_value;
246 uschar *s = expand_string(q);
250 *errmsg = string_sprintf("Expansion of \"%s\" in %s transport failed: "
251 "%s", q, tblock->name, expand_string_message);
252 return f.search_find_defer ? DEFER : FAIL;
255 d = Ustrtod(s, &rest);
257 /* Handle following characters K, M, G, %, the latter being permitted
258 for quota_warn_threshold only. A threshold with no quota setting is
261 if (tolower(*rest) == 'k') { d *= 1024.0; rest++; }
262 else if (tolower(*rest) == 'm') { d *= 1024.0*1024.0; rest++; }
263 else if (tolower(*rest) == 'g') { d *= 1024.0*1024.0*1024.0; rest++; }
264 else if (*rest == '%' && i == 2)
266 if (ob->quota_value <= 0 && !ob->maildir_use_size_file)
268 else if ((int)d < 0 || (int)d > 100)
270 *errmsg = string_sprintf("Invalid quota_warn_threshold percentage (%d)"
271 " for %s transport", (int)d, tblock->name);
274 ob->quota_warn_threshold_is_percent = TRUE;
279 /* For quota and quota_filecount there may be options
280 appended. Currently only "no_check", so we can be lazy parsing it */
281 if (i < 2 && Ustrstr(rest, "/no_check") == rest)
284 rest += sizeof("/no_check") - 1;
287 Uskip_whitespace(&rest);
291 *errmsg = string_sprintf("Malformed value \"%s\" (expansion of \"%s\") "
292 "in %s transport", s, q, tblock->name);
297 /* Set each value, checking for possible overflow. */
302 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
304 ob->quota_value = (off_t)d;
305 ob->quota_no_check = no_check;
306 q = ob->quota_filecount;
310 if (d >= 2.0*1024.0*1024.0*1024.0)
311 which = US"quota_filecount";
312 ob->quota_filecount_value = (int)d;
313 ob->quota_filecount_no_check = no_check;
314 q = ob->quota_warn_threshold;
318 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
319 which = US"quota_warn_threshold";
320 ob->quota_warn_threshold_value = (off_t)d;
321 q = ob->mailbox_size_string;
322 default_value = -1.0;
326 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
327 which = US"mailbox_size";;
328 ob->mailbox_size_value = (off_t)d;
329 q = ob->mailbox_filecount_string;
333 if (d >= 2.0*1024.0*1024.0*1024.0)
334 which = US"mailbox_filecount";
335 ob->mailbox_filecount_value = (int)d;
341 *errmsg = string_sprintf("%s value %.10g is too large (overflow) in "
342 "%s transport", which, d, tblock->name);
352 /*************************************************
353 * Initialization entry point *
354 *************************************************/
356 /* Called for each instance, after its options have been read, to
357 enable consistency checks to be done, or anything else that needs
361 appendfile_transport_init(transport_instance *tblock)
363 appendfile_transport_options_block *ob =
364 (appendfile_transport_options_block *)(tblock->options_block);
366 /* Set up the setup entry point, to be called in the privileged state */
368 tblock->setup = appendfile_transport_setup;
370 /* Lock_retries must be greater than zero */
372 if (ob->lock_retries == 0) ob->lock_retries = 1;
374 /* Only one of a file name or directory name must be given. */
376 if (ob->filename && ob->dirname)
377 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
378 "only one of \"file\" or \"directory\" can be specified", tblock->name);
380 /* If a file name was specified, neither quota_filecount nor quota_directory
385 if (ob->quota_filecount)
386 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
387 "quota_filecount must not be set without \"directory\"", tblock->name);
388 if (ob->quota_directory)
389 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
390 "quota_directory must not be set without \"directory\"", tblock->name);
393 /* The default locking depends on whether MBX is set or not. Change the
394 built-in default if none of the lock options has been explicitly set. At least
395 one form of locking is required in all cases, but mbx locking changes the
396 meaning of fcntl and flock locking. */
398 /* Not all operating systems provide flock(). For those that do, if flock is
399 requested, the default for fcntl is FALSE. */
404 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
405 "flock() support was not available in the operating system when this "
406 "binary was built", tblock->name);
407 #endif /* NO_FLOCK */
408 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
413 if (!ob->set_use_lockfile && !ob->set_use_fcntl && !ob->set_use_flock &&
414 !ob->set_use_mbx_lock)
416 ob->use_lockfile = ob->use_flock = FALSE;
417 ob->use_mbx_lock = ob->use_fcntl = TRUE;
419 else if (ob->use_mbx_lock)
421 if (!ob->set_use_lockfile) ob->use_lockfile = FALSE;
422 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
423 if (!ob->set_use_flock) ob->use_flock = FALSE;
424 if (!ob->use_fcntl && !ob->use_flock) ob->use_fcntl = TRUE;
426 #endif /* SUPPORT_MBX */
428 if (!ob->use_fcntl && !ob->use_flock && !ob->use_lockfile && !ob->use_mbx_lock)
429 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
430 "no locking configured", tblock->name);
432 /* Unset timeouts for non-used locking types */
434 if (!ob->use_fcntl) ob->lock_fcntl_timeout = 0;
435 if (!ob->use_flock) ob->lock_flock_timeout = 0;
437 /* If a directory name was specified, only one of maildir or mailstore may be
438 specified, and if quota_filecount or quota_directory is given, quota must
443 if (ob->maildir_format && ob->mailstore_format)
444 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
445 "only one of maildir and mailstore may be specified", tblock->name);
446 if (ob->quota_filecount != NULL && ob->quota == NULL)
447 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
448 "quota must be set if quota_filecount is set", tblock->name);
449 if (ob->quota_directory != NULL && ob->quota == NULL)
450 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
451 "quota must be set if quota_directory is set", tblock->name);
454 /* If a fixed uid field is set, then a gid field must also be set. */
456 if (tblock->uid_set && !tblock->gid_set && !tblock->expand_gid)
457 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
458 "user set without group for the %s transport", tblock->name);
460 /* If "create_file" is set, check that a valid option is given, and set the
463 if (ob->create_file_string)
466 if (Ustrcmp(ob->create_file_string, "anywhere") == 0)
467 value = create_anywhere;
468 else if (Ustrcmp(ob->create_file_string, "belowhome") == 0)
469 value = create_belowhome;
470 else if (Ustrcmp(ob->create_file_string, "inhome") == 0)
471 value = create_inhome;
473 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
474 "invalid value given for \"file_create\" for the %s transport: %s",
475 tblock->name, ob->create_file_string);
476 ob->create_file = value;
479 /* If quota_warn_threshold is set, set up default for warn_message. It may
480 not be used if the actual threshold for a given delivery ends up as zero,
481 of if it's given as a percentage and there's no quota setting. */
483 if (ob->quota_warn_threshold)
485 if (!tblock->warn_message) tblock->warn_message = US
486 "To: $local_part@$domain\n"
487 "Subject: Your mailbox\n\n"
488 "This message is automatically created by mail delivery software (Exim).\n\n"
489 "The size of your mailbox has exceeded a warning threshold that is\n"
490 "set by the system administrator.\n";
493 /* If batch SMTP is set, force the check and escape strings, and arrange that
494 headers are also escaped. */
498 ob->check_string = US".";
499 ob->escape_string = US"..";
500 ob->options |= topt_escape_headers;
503 /* If not batch SMTP, not maildir, not mailstore, and directory is not set,
504 insert default values for for the affixes and the check/escape strings. */
506 else if (!ob->dirname && !ob->maildir_format && !ob->mailstore_format)
508 if (!ob->message_prefix) ob->message_prefix =
509 US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n";
510 if (!ob->message_suffix) ob->message_suffix = US"\n";
511 if (!ob->check_string) ob->check_string = US"From ";
512 if (!ob->escape_string) ob->escape_string = US">From ";
516 /* Set up the bitwise options for transport_write_message from the various
517 driver options. Only one of body_only and headers_only can be set. */
520 (tblock->body_only ? topt_no_headers : 0) |
521 (tblock->headers_only ? topt_no_body : 0) |
522 (tblock->return_path_add ? topt_add_return_path : 0) |
523 (tblock->delivery_date_add ? topt_add_delivery_date : 0) |
524 (tblock->envelope_to_add ? topt_add_envelope_to : 0) |
525 ((ob->use_crlf || ob->mbx_format) ? topt_use_crlf : 0);
530 /*************************************************
532 *************************************************/
534 /* The comsat daemon is the thing that provides asynchronous notification of
535 the arrival of local messages, if requested by the user by "biff y". It is a
536 BSD thing that uses a TCP/IP protocol for communication. A message consisting
537 of the text "user@offset" must be sent, where offset is the place in the
538 mailbox where new mail starts. There is no scope for telling it which file to
539 look at, which makes it a less than useful if mail is being delivered into a
540 non-standard place such as the user's home directory. In fact, it doesn't seem
541 to pay much attention to the offset.
545 offset offset in mailbox
551 notify_comsat(uschar *user, off_t offset)
557 DEBUG(D_transport) debug_printf("notify_comsat called\n");
559 s = string_sprintf("%.200s@" OFF_T_FMT "\n", user, offset);
561 if ((sp = getservbyname("biff", "udp")) == NULL)
563 DEBUG(D_transport) debug_printf("biff/udp is an unknown service");
567 host.name = US"localhost";
571 /* This code is all set up to look up "localhost" and use all its addresses
572 until one succeeds. However, it appears that at least on some systems, comsat
573 doesn't listen on the ::1 address. So for the moment, just force the address to
574 be 127.0.0.1. At some future stage, when IPv6 really is superseding IPv4, this
575 can be changed. (But actually, comsat is probably dying out anyway.) */
578 if (host_find_byname(&host, NULL, 0, NULL, FALSE) == HOST_FIND_FAILED)
580 DEBUG(D_transport) debug_printf("\"localhost\" unknown\n");
585 host.address = US"127.0.0.1";
588 for (host_item * h = &host; h; h = h->next)
591 int host_af = Ustrchr(h->address, ':') != NULL ? AF_INET6 : AF_INET;
593 DEBUG(D_transport) debug_printf("calling comsat on %s\n", h->address);
595 if ((sock = ip_socket(SOCK_DGRAM, host_af)) < 0) continue;
597 /* Connect never fails for a UDP socket, so don't set a timeout. */
599 (void)ip_connect(sock, host_af, h->address, ntohs(sp->s_port), 0, NULL);
600 rc = send(sock, s, Ustrlen(s) + 1, 0);
605 debug_printf("send to comsat failed for %s: %s\n", strerror(errno),
612 /*************************************************
613 * Check the format of a file *
614 *************************************************/
616 /* This function is called when file_format is set, to check that an existing
617 file has the right format. The format string contains text/transport pairs. The
618 string matching is literal. we just read big_buffer_size bytes, because this is
619 all about the first few bytes of a file.
623 tblock the transport block
624 addr the address block - for inserting error data
626 Returns: pointer to the required transport, or NULL
630 check_file_format(int cfd, transport_instance *tblock, address_item *addr)
632 const uschar *format =
633 ((appendfile_transport_options_block *)(tblock->options_block))->file_format;
635 int len = read(cfd, data, sizeof(data));
639 DEBUG(D_transport) debug_printf("checking file format\n");
641 /* An empty file matches the current transport */
643 if (len == 0) return tblock;
645 /* Search the formats for a match */
647 /* not expanded so cannot be tainted */
648 while ((s = string_nextinlist(&format, &sep, big_buffer, big_buffer_size)))
650 int slen = Ustrlen(s);
651 BOOL match = len >= slen && Ustrncmp(data, s, slen) == 0;
652 uschar *tp = string_nextinlist(&format, &sep, big_buffer, big_buffer_size);
656 for (transport_instance * tt = transports; tt; tt = tt->next)
657 if (Ustrcmp(tp, tt->name) == 0)
660 debug_printf("file format -> %s transport\n", tt->name);
663 addr->basic_errno = ERRNO_BADTRANSPORT;
664 addr->message = string_sprintf("%s transport (for %.*s format) not found",
670 /* Failed to find a match */
672 addr->basic_errno = ERRNO_FORMATUNKNOWN;
673 addr->message = US"mailbox file format unrecognized";
680 /*************************************************
681 * Check directory's files for quota *
682 *************************************************/
684 /* This function is called if quota is set for one of the delivery modes that
685 delivers into a specific directory. It scans the directory and stats all the
686 files in order to get a total size and count. This is an expensive thing to do,
687 but some people are prepared to bear the cost. Alternatively, if size_regex is
688 set, it is used as a regex to try to extract the size from the file name, a
689 strategy that some people use on maildir files on systems where the users have
692 The function is global, because it is also called from tf_maildir.c for maildir
693 folders (which should contain only regular files).
695 Note: Any problems can be written to debugging output, but cannot be written to
696 the log, because we are running as an unprivileged user here.
699 dirname the name of the directory
700 countptr where to add the file count (because this function recurses)
701 regex a compiled regex to get the size from a name
703 Returns: the sum of the sizes of the stattable files
704 zero if the directory cannot be opened
708 check_dir_size(const uschar * dirname, int *countptr, const pcre *regex)
712 int count = *countptr;
714 if (!(dir = exim_opendir(dirname))) return 0;
716 for (struct dirent *ent; ent = readdir(dir); )
718 uschar * path, * name = US ent->d_name;
721 if (Ustrcmp(name, ".") == 0 || Ustrcmp(name, "..") == 0) continue;
725 /* If there's a regex, try to find the size using it */
730 if (pcre_exec(regex, NULL, CS name, Ustrlen(name), 0, 0, ovector,6) >= 2)
733 off_t size = (off_t)Ustrtod(name + ovector[2], &endptr);
734 if (endptr == name + ovector[3])
738 debug_printf("check_dir_size: size from %s is " OFF_T_FMT "\n", name,
744 debug_printf("check_dir_size: regex did not match %s\n", name);
747 /* No regex or no match for the regex, or captured non-digits */
749 path = string_sprintf("%s/%s", dirname, name);
751 if (Ustat(path, &statbuf) < 0)
754 debug_printf("check_dir_size: stat error %d for %s: %s\n", errno, path,
758 if ((statbuf.st_mode & S_IFMT) == S_IFREG)
759 sum += statbuf.st_size / statbuf.st_nlink;
760 else if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
761 sum += check_dir_size(path, &count, regex);
766 debug_printf("check_dir_size: dir=%s sum=" OFF_T_FMT " count=%d\n", dirname,
776 /*************************************************
777 * Apply a lock to a file descriptor *
778 *************************************************/
780 /* This function applies a lock to a file descriptor, using a blocking or
781 non-blocking lock, depending on the timeout value. It can apply either or
782 both of a fcntl() and a flock() lock. However, not all OS support flock();
783 for those that don't, the use_flock option cannot be set.
786 fd the file descriptor
787 fcntltype type of lock, specified as F_WRLCK or F_RDLCK (that is, in
788 fcntl() format); the flock() type is deduced if needed
789 dofcntl do fcntl() locking
790 fcntltime non-zero to use blocking fcntl()
791 doflock do flock() locking
792 flocktime non-zero to use blocking flock()
794 Returns: yield of the fcntl() or flock() call, with errno preserved;
795 sigalrm_seen set if there has been a timeout
799 apply_lock(int fd, int fcntltype, BOOL dofcntl, int fcntltime, BOOL doflock,
804 struct flock lock_data;
805 lock_data.l_type = fcntltype;
806 lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
808 sigalrm_seen = FALSE;
815 yield = fcntl(fd, F_SETLKW, &lock_data);
820 else yield = fcntl(fd, F_SETLK, &lock_data);
824 if (doflock && (yield >= 0))
826 int flocktype = (fcntltype == F_WRLCK) ? LOCK_EX : LOCK_SH;
830 yield = flock(fd, flocktype);
835 else yield = flock(fd, flocktype | LOCK_NB);
837 #endif /* NO_FLOCK */
846 /*************************************************
847 * Copy message into MBX mailbox *
848 *************************************************/
850 /* This function is called when a message intended for a MBX mailbox has been
851 written to a temporary file. We can now get the size of the message and then
852 copy it in MBX format to the mailbox.
855 to_fd fd to write to (the real mailbox)
856 from_fd fd to read from (the temporary file)
857 saved_size current size of mailbox
859 Returns: OK if all went well, DEFER otherwise, with errno preserved
860 the number of bytes written are added to transport_count
861 by virtue of calling transport_write_block()
864 /* Values taken from c-client */
866 #define MBX_HDRSIZE 2048
867 #define MBX_NUSERFLAGS 30
870 copy_mbx_message(int to_fd, int from_fd, off_t saved_size)
875 transport_ctx tctx = { .u={.fd = to_fd}, .options = topt_not_socket };
877 /* If the current mailbox size is zero, write a header block */
882 memset (deliver_out_buffer, '\0', MBX_HDRSIZE);
883 sprintf(CS(s = deliver_out_buffer), "*mbx*\015\012%08lx00000000\015\012",
884 (long int)time(NULL));
885 for (int i = 0; i < MBX_NUSERFLAGS; i++)
886 sprintf (CS(s += Ustrlen(s)), "\015\012");
887 if (!transport_write_block (&tctx, deliver_out_buffer, MBX_HDRSIZE, FALSE))
891 DEBUG(D_transport) debug_printf("copying MBX message from temporary file\n");
893 /* Now construct the message's header from the time and the RFC822 file
894 size, including CRLFs, which is the size of the input (temporary) file. */
896 if (fstat(from_fd, &statbuf) < 0) return DEFER;
897 size = statbuf.st_size;
899 sprintf (CS deliver_out_buffer, "%s," OFF_T_FMT ";%08lx%04x-%08x\015\012",
900 tod_stamp(tod_mbx), size, 0L, 0, 0);
901 used = Ustrlen(deliver_out_buffer);
903 /* Rewind the temporary file, and copy it over in chunks. */
905 if (lseek(from_fd, 0 , SEEK_SET) < 0) return DEFER;
909 int len = read(from_fd, deliver_out_buffer + used,
910 DELIVER_OUT_BUFFER_SIZE - used);
913 if (len == 0) errno = ERRNO_MBXLENGTH;
916 if (!transport_write_block(&tctx, deliver_out_buffer, used + len, FALSE))
924 #endif /* SUPPORT_MBX */
928 /*************************************************
929 * Check creation is permitted *
930 *************************************************/
932 /* This function checks whether a given file name is permitted to be created,
933 as controlled by the create_file option. If no home directory is set, however,
934 we can't do any tests.
937 filename the file name
938 create_file the ob->create_file option
940 Returns: TRUE if creation is permitted
944 check_creation(uschar *filename, int create_file)
948 if (deliver_home && create_file != create_anywhere)
950 int len = Ustrlen(deliver_home);
951 uschar *file = filename;
953 while (file[0] == '/' && file[1] == '/') file++;
954 if (Ustrncmp(file, deliver_home, len) != 0 || file[len] != '/' ||
955 ( Ustrchr(file+len+2, '/') != NULL &&
957 create_file != create_belowhome ||
958 Ustrstr(file+len, "/../") != NULL
963 /* If yield is TRUE, the file name starts with the home directory, and does
964 not contain any instances of "/../" in the "belowhome" case. However, it may
965 still contain symbolic links. We can check for this by making use of
966 realpath(), which most Unixes seem to have (but make it possible to cut this
967 out). We can't just use realpath() on the whole file name, because we know
968 the file itself doesn't exist, and intermediate directories may also not
969 exist. What we want to know is the real path of the longest existing part of
970 the path. That must match the home directory's beginning, whichever is the
974 if (yield && create_file == create_belowhome)
978 for (uschar * slash = Ustrrchr(file, '/'); /* There is known to be one */
979 !rp && slash > file; /* Stop if reached beginning */
983 rp = US realpath(CS file, CS big_buffer);
984 next = Ustrrchr(file, '/');
988 /* If rp == NULL it means that none of the relevant directories exist.
989 This is not a problem here - it means that no symbolic links can exist,
990 which is all we are worried about. Otherwise, we must compare it
991 against the start of the home directory. However, that may itself
992 contain symbolic links, so we have to "realpath" it as well, if
997 uschar hdbuffer[PATH_MAX+1];
998 uschar *rph = deliver_home;
999 int rlen = Ustrlen(big_buffer);
1001 if ((rp = US realpath(CS deliver_home, CS hdbuffer)))
1007 if (rlen > len) rlen = len;
1008 if (Ustrncmp(rph, big_buffer, rlen) != 0)
1011 DEBUG(D_transport) debug_printf("Real path \"%s\" does not match \"%s\"\n",
1012 big_buffer, deliver_home);
1016 #endif /* NO_REALPATH */
1024 /*************************************************
1025 * Main entry point *
1026 *************************************************/
1028 /* See local README for general interface details. This transport always
1029 returns FALSE, indicating that the status which has been placed in the first
1030 address should be copied to any other addresses in a batch.
1032 Appendfile delivery is tricky and has led to various security problems in other
1033 mailers. The logic used here is therefore laid out in some detail. When this
1034 function is called, we are running in a subprocess which has had its gid and
1035 uid set to the appropriate values. Therefore, we cannot write directly to the
1036 exim logs. Any errors must be handled by setting appropriate return codes.
1037 Note that the default setting for addr->transport_return is DEFER, so it need
1038 not be set unless some other value is required.
1040 The code below calls geteuid() rather than getuid() to get the current uid
1041 because in weird configurations not running setuid root there may be a
1042 difference. In the standard configuration, where setuid() has been used in the
1043 delivery process, there will be no difference between the uid and the euid.
1045 (1) If the af_file flag is set, this is a delivery to a file after .forward or
1046 alias expansion. Otherwise, there must be a configured file name or
1049 The following items apply in the case when a file name (as opposed to a
1050 directory name) is given, that is, when appending to a single file:
1052 (2f) Expand the file name.
1054 (3f) If the file name is /dev/null, return success (optimization).
1056 (4f) If the file_format options is set, open the file for reading, and check
1057 that the bytes at the start of the file match one of the given strings.
1058 If the check indicates a transport other than the current one should be
1059 used, pass control to that other transport. Otherwise continue. An empty
1060 or non-existent file matches the current transport. The file is closed
1063 (5f) If a lock file is required, create it (see extensive separate comments
1064 below about the algorithm for doing this). It is important to do this
1065 before opening the mailbox if NFS is in use.
1067 (6f) Stat the file, using lstat() rather than stat(), in order to pick up
1068 details of any symbolic link.
1070 (7f) If the file already exists:
1072 Check the owner and group if necessary, and defer if they are wrong.
1074 If it is a symbolic link AND the allow_symlink option is set (NOT the
1075 default), go back to (6f) but this time use stat() instead of lstat().
1077 If it's not a regular file (or FIFO when permitted), defer delivery.
1079 Check permissions. If the required permissions are *less* than the
1080 existing ones, or supplied by the address (often by the user via filter),
1081 chmod() the file. Otherwise, defer.
1083 Save the inode number.
1085 Open with O_RDRW + O_APPEND, thus failing if the file has vanished.
1087 If open fails because the file does not exist, go to (6f); on any other
1090 Check the inode number hasn't changed - I realize this isn't perfect (an
1091 inode can be reused) but it's cheap and will catch some of the races.
1093 Check it's still a regular file (or FIFO if permitted).
1095 Check that the owner and permissions haven't changed.
1097 If file_format is set, check that the file still matches the format for
1098 the current transport. If not, defer delivery.
1100 (8f) If file does not exist initially:
1102 Open with O_WRONLY + O_EXCL + O_CREAT with configured mode, unless we know
1103 this is via a symbolic link (only possible if allow_symlinks is set), in
1104 which case don't use O_EXCL, as it doesn't work.
1106 If open fails because the file already exists, go to (6f). To avoid
1107 looping for ever in a situation where the file is continuously being
1108 created and deleted, all of this happens inside a loop that operates
1109 lock_retries times and includes the fcntl and flock locking. If the
1110 loop completes without the file getting opened, defer and request
1111 freezing, because something really weird is happening.
1113 If open fails for any other reason, defer for subsequent delivery except
1114 when this is a file delivery resulting from an alias or forward expansion
1115 and the error is EPERM or ENOENT or EACCES, in which case FAIL as this is
1116 most likely a user rather than a configuration error.
1118 (9f) We now have the file checked and open for writing. If so configured, lock
1119 it using fcntl, flock, or MBX locking rules. If this fails, close the file
1120 and goto (6f), up to lock_retries times, after sleeping for a while. If it
1121 still fails, give up and defer delivery.
1123 (10f)Save the access time (for subsequent restoration) and the size of the
1124 file, for comsat and for re-setting if delivery fails in the middle -
1125 e.g. for quota exceeded.
1127 The following items apply in the case when a directory name is given:
1129 (2d) Create a new file in the directory using a temporary name, by opening for
1130 writing and with O_CREAT. If maildir format is being used, the file
1131 is created in a temporary subdirectory with a prescribed name. If
1132 mailstore format is being used, the envelope file is first created with a
1133 temporary name, then the data file.
1135 The following items apply in all cases:
1137 (11) We now have the file open for writing, and locked if it was given as a
1138 file name. Write the message and flush the file, unless there is a setting
1139 of the local quota option, in which case we can check for its excession
1140 without doing any writing.
1142 In the case of MBX format mailboxes, the message is first written to a
1143 temporary file, in order to get its correct length. This is then copied to
1144 the real file, preceded by an MBX header.
1146 If there is a quota error on writing, defer the address. Timeout logic
1147 will determine for how long retries are attempted. We restore the mailbox
1148 to its original length if it's a single file. There doesn't seem to be a
1149 uniform error code for quota excession (it even differs between SunOS4
1150 and some versions of SunOS5) so a system-dependent macro called
1151 ERRNO_QUOTA is used for it, and the value gets put into errno_quota at
1154 For any other error (most commonly disk full), do the same.
1156 The following applies after appending to a file:
1158 (12f)Restore the atime; notify_comsat if required; close the file (which
1159 unlocks it if it was locked). Delete the lock file if it exists.
1161 The following applies after writing a unique file in a directory:
1163 (12d)For maildir format, rename the file into the new directory. For mailstore
1164 format, rename the envelope file to its correct name. Otherwise, generate
1165 a unique name from the directory_file option, and rename to that, possibly
1166 trying a few times if the file exists and re-expanding the name gives a
1169 This transport yields FAIL only when a file name is generated by an alias or
1170 forwarding operation and attempting to open it gives EPERM, ENOENT, or EACCES.
1171 All other failures return DEFER (in addr->transport_return). */
1175 appendfile_transport_entry(
1176 transport_instance *tblock, /* data for this instantiation */
1177 address_item *addr) /* address we are working on */
1179 appendfile_transport_options_block *ob =
1180 (appendfile_transport_options_block *)(tblock->options_block);
1181 struct stat statbuf;
1182 uschar *fdname = NULL;
1183 uschar *filename = NULL;
1184 uschar *hitchname = NULL;
1185 uschar *dataname = NULL;
1186 uschar *lockname = NULL;
1187 uschar *newname = NULL;
1188 uschar *nametag = NULL;
1190 uschar *filecount_msg = US"";
1192 struct utimbuf times;
1193 struct timeval msg_tv;
1194 BOOL disable_quota = FALSE;
1195 BOOL isdirectory = FALSE;
1196 BOOL isfifo = FALSE;
1197 BOOL wait_for_tick = FALSE;
1198 uid_t uid = geteuid(); /* See note above */
1199 gid_t gid = getegid();
1201 int mode = (addr->mode > 0) ? addr->mode : ob->mode;
1202 off_t saved_size = -1;
1203 off_t mailbox_size = ob->mailbox_size_value;
1204 int mailbox_filecount = ob->mailbox_filecount_value;
1212 int mbx_lockfd = -1;
1213 uschar mbx_lockname[40];
1214 FILE *temp_file = NULL;
1215 #endif /* SUPPORT_MBX */
1217 #ifdef SUPPORT_MAILDIR
1218 int maildirsize_fd = -1; /* fd for maildirsize file */
1219 int maildir_save_errno;
1223 DEBUG(D_transport) debug_printf("appendfile transport entered\n");
1225 /* An "address_file" or "address_directory" transport is used to deliver to
1226 files specified via .forward or an alias file. Prior to release 4.20, the
1227 "file" and "directory" options were ignored in this case. This has been changed
1228 to allow the redirection data to specify what is in effect a folder, whose
1229 location is determined by the options on the transport.
1231 Compatibility with the case when neither option is set is retained by forcing a
1232 value for the file or directory name. A directory delivery is assumed if the
1233 last character of the path from the router is '/'.
1235 The file path is in the local part of the address, but not in the $local_part
1236 variable (that holds the parent local part). It is, however, in the
1237 $address_file variable. Below, we update the local part in the address if it
1238 changes by expansion, so that the final path ends up in the log. */
1240 if (testflag(addr, af_file) && !ob->filename && !ob->dirname)
1242 fdname = US"$address_file";
1243 if (address_file[Ustrlen(address_file)-1] == '/' ||
1244 ob->maildir_format ||
1245 ob->mailstore_format)
1249 /* Handle (a) an "address file" delivery where "file" or "directory" is
1250 explicitly set and (b) a non-address_file delivery, where one of "file" or
1251 "directory" must be set; initialization ensures that they are not both set. */
1255 if (!(fdname = ob->filename))
1257 fdname = ob->dirname;
1262 addr->message = string_sprintf("Mandatory file or directory option "
1263 "missing from %s transport", tblock->name);
1268 /* Maildir and mailstore require a directory */
1270 if ((ob->maildir_format || ob->mailstore_format) && !isdirectory)
1272 addr->message = string_sprintf("mail%s_format requires \"directory\" "
1273 "to be specified for the %s transport",
1274 ob->maildir_format ? "dir" : "store", tblock->name);
1278 if (!(path = expand_string(fdname)))
1280 addr->message = string_sprintf("Expansion of \"%s\" (file or directory "
1281 "name for %s transport) failed: %s", fdname, tblock->name,
1282 expand_string_message);
1286 if (m = is_tainted2(path, 0, "Tainted '%s' (file or directory "
1287 "name for %s transport) not permitted", path, tblock->name))
1296 addr->message = string_sprintf("appendfile: file or directory name "
1297 "\"%s\" is not absolute", path);
1298 addr->basic_errno = ERRNO_NOTABSOLUTE;
1302 /* For a file delivery, make sure the local part in the address(es) is updated
1303 to the true local part. */
1305 if (testflag(addr, af_file))
1306 for (address_item * addr2 = addr; addr2; addr2 = addr2->next)
1307 addr2->local_part = string_copy(path);
1309 /* The available mailbox formats depend on whether it is a directory or a file
1315 #ifdef SUPPORT_MAILDIR
1316 ob->maildir_format ? mbf_maildir :
1318 #ifdef SUPPORT_MAILSTORE
1319 ob->mailstore_format ? mbf_mailstore :
1327 ob->mbx_format ? mbf_mbx :
1334 debug_printf("appendfile: mode=%o notify_comsat=%d quota=" OFF_T_FMT
1336 " warning=" OFF_T_FMT "%s\n"
1337 " %s=%s format=%s\n message_prefix=%s\n message_suffix=%s\n "
1338 "maildir_use_size_file=%s\n",
1339 mode, ob->notify_comsat, ob->quota_value,
1340 ob->quota_no_check ? " (no_check)" : "",
1341 ob->quota_filecount_no_check ? " (no_check_filecount)" : "",
1342 ob->quota_warn_threshold_value,
1343 ob->quota_warn_threshold_is_percent ? "%" : "",
1344 isdirectory ? "directory" : "file",
1345 path, mailbox_formats[mbformat],
1346 !ob->message_prefix ? US"null" : string_printing(ob->message_prefix),
1347 !ob->message_suffix ? US"null" : string_printing(ob->message_suffix),
1348 ob->maildir_use_size_file ? "yes" : "no");
1350 if (!isdirectory) debug_printf(" locking by %s%s%s%s%s\n",
1351 ob->use_lockfile ? "lockfile " : "",
1352 ob->use_mbx_lock ? "mbx locking (" : "",
1353 ob->use_fcntl ? "fcntl " : "",
1354 ob->use_flock ? "flock" : "",
1355 ob->use_mbx_lock ? ")" : "");
1358 /* If the -N option is set, can't do any more. */
1363 debug_printf("*** delivery by %s transport bypassed by -N option\n",
1365 addr->transport_return = OK;
1369 /* Handle the case of a file name. If the file name is /dev/null, we can save
1370 ourselves some effort and just give a success return right away. */
1374 BOOL use_lstat = TRUE;
1375 BOOL file_opened = FALSE;
1376 BOOL allow_creation_here = TRUE;
1378 if (Ustrcmp(path, "/dev/null") == 0)
1380 addr->transport_return = OK;
1384 /* Set the name of the file to be opened, and the file to which the data
1385 is written, and find out if we are permitted to create a non-existent file. */
1387 dataname = filename = path;
1388 allow_creation_here = check_creation(filename, ob->create_file);
1390 /* If ob->create_directory is set, attempt to create the directories in
1391 which this mailbox lives, but only if we are permitted to create the file
1392 itself. We know we are dealing with an absolute path, because this was
1395 if (ob->create_directory && allow_creation_here)
1397 uschar *p = Ustrrchr(path, '/');
1399 if (!directory_make(NULL, path, ob->dirmode, FALSE))
1401 addr->basic_errno = errno;
1403 string_sprintf("failed to create directories for %s: %s", path,
1405 DEBUG(D_transport) debug_printf("%s transport: %s\n", tblock->name, path);
1411 /* If file_format is set we must check that any existing file matches one of
1412 the configured formats by checking the bytes it starts with. A match then
1413 indicates a specific transport - if it is not this one, pass control to it.
1414 Otherwise carry on here. An empty or non-existent file matches the current
1415 transport. We don't need to distinguish between non-existence and other open
1416 failures because if an existing file fails to open here, it will also fail
1417 again later when O_RDWR is used. */
1419 if (ob->file_format)
1421 int cfd = Uopen(path, O_RDONLY, 0);
1424 transport_instance *tt = check_file_format(cfd, tblock, addr);
1427 /* If another transport is indicated, call it and return; if no transport
1428 was found, just return - the error data will have been set up.*/
1434 set_process_info("delivering %s to %s using %s", message_id,
1435 addr->local_part, tt->name);
1436 debug_print_string(tt->debug_string);
1437 addr->transport = tt;
1438 (tt->info->code)(tt, addr);
1445 /* The locking of mailbox files is worse than the naming of cats, which is
1446 known to be "a difficult matter" (T.S. Eliot) and just as cats must have
1447 three different names, so several different styles of locking are used.
1449 Research in other programs that lock mailboxes shows that there is no
1450 universally standard method. Having mailboxes NFS-mounted on the system that
1451 is delivering mail is not the best thing, but people do run like this,
1452 and so the code must do its best to cope.
1454 Three different locking mechanisms are supported. The initialization function
1455 checks that at least one is configured.
1459 Unless no_use_lockfile is set, we attempt to build a lock file in a way that
1460 will work over NFS. Only after that is done do we actually open the mailbox
1461 and apply locks to it (if configured).
1463 Originally, Exim got the file opened before doing anything about locking.
1464 However, a very occasional problem was observed on Solaris 2 when delivering
1465 over NFS. It is seems that when a file is opened with O_APPEND, the file size
1466 gets remembered at open time. If another process on another host (that's
1467 important) has the file open and locked and writes to it and then releases
1468 the lock while the first process is waiting to get the lock, the first
1469 process may fail to write at the new end point of the file - despite the very
1470 definite statement about O_APPEND in the man page for write(). Experiments
1471 have reproduced this problem, but I do not know any way of forcing a host to
1472 update its attribute cache for an open NFS file. It would be nice if it did
1473 so when a lock was taken out, but this does not seem to happen. Anyway, to
1474 reduce the risk of this problem happening, we now create the lock file
1475 (if configured) *before* opening the mailbox. That will prevent two different
1476 Exims opening the file simultaneously. It may not prevent clashes with MUAs,
1477 however, but Pine at least seems to operate in the same way.
1479 Lockfiles should normally be used when NFS is involved, because of the above
1482 The logic for creating the lock file is:
1484 . The name of the lock file is <mailbox-name>.lock
1486 . First, create a "hitching post" name by adding the primary host name,
1487 current time and pid to the lock file name. This should be unique.
1489 . Create the hitching post file using WRONLY + CREAT + EXCL.
1491 . If that fails EACCES, we assume it means that the user is unable to create
1492 files in the mail spool directory. Some installations might operate in this
1493 manner, so there is a configuration option to allow this state not to be an
1494 error - we proceed to lock using fcntl only, after the file is open.
1496 . Otherwise, an error causes a deferment of the address.
1498 . Hard link the hitching post to the lock file name.
1500 . If the link succeeds, we have successfully created the lock file. Simply
1501 close and unlink the hitching post file.
1503 . If the link does not succeed, proceed as follows:
1505 o Fstat the hitching post file, and then close and unlink it.
1507 o Now examine the stat data. If the number of links to the file is exactly
1508 2, the linking succeeded but for some reason, e.g. an NFS server crash,
1509 the return never made it back, so the link() function gave a failure
1512 . This method allows for the lock file to be created by some other process
1513 right up to the moment of the attempt to hard link it, and is also robust
1514 against NFS server crash-reboots, which would probably result in timeouts
1515 in the middle of link().
1517 . System crashes may cause lock files to get left lying around, and some means
1518 of flushing them is required. The approach of writing a pid (used by smail
1519 and by elm) into the file isn't useful when NFS may be in use. Pine uses a
1520 timeout, which seems a better approach. Since any program that writes to a
1521 mailbox using a lock file should complete its task very quickly, Pine
1522 removes lock files that are older than 5 minutes. We allow the value to be
1523 configurable on the transport.
1527 If use_fcntl_lock is set, then Exim gets an exclusive fcntl() lock on the
1528 mailbox once it is open. This is done by default with a non-blocking lock.
1529 Failures to lock cause retries after a sleep, but only for a certain number
1530 of tries. A blocking lock is deliberately not used so that we don't hold the
1531 mailbox open. This minimizes the possibility of the NFS problem described
1532 under LOCK FILES above, if for some reason NFS deliveries are happening
1533 without lock files. However, the use of a non-blocking lock and sleep, though
1534 the safest approach, does not give the best performance on very busy systems.
1535 A blocking lock plus timeout does better. Therefore Exim has an option to
1536 allow it to work this way. If lock_fcntl_timeout is set greater than zero, it
1537 enables the use of blocking fcntl() calls.
1541 If use_flock_lock is set, then Exim gets an exclusive flock() lock in the
1542 same manner as for fcntl locking above. No-blocking/timeout is also set as
1543 above in lock_flock_timeout. Not all operating systems provide or support
1544 flock(). For those that don't (as determined by the definition of LOCK_SH in
1545 /usr/include/sys/file.h), use_flock_lock may not be set. For some OS, flock()
1546 is implemented (not precisely) on top of fcntl(), which means there's no
1547 point in actually using it.
1551 If use_mbx_lock is set (this is supported only if SUPPORT_MBX is defined)
1552 then the rules used for locking in c-client are used. Exim takes out a shared
1553 lock on the mailbox file, and an exclusive lock on the file whose name is
1554 /tmp/.<device-number>.<inode-number>. The shared lock on the mailbox stops
1555 any other MBX client from getting an exclusive lock on it and expunging it.
1556 It also stops any other MBX client from unlinking the /tmp lock when it has
1559 The exclusive lock on the /tmp file prevents any other MBX client from
1560 updating the mailbox in any way. When writing is finished, if an exclusive
1561 lock on the mailbox can be obtained, indicating there are no current sharers,
1562 the /tmp file is unlinked.
1564 MBX locking can use either fcntl() or flock() locking. If neither
1565 use_fcntl_lock or use_flock_lock is set, it defaults to using fcntl() only.
1566 The calls for getting these locks are by default non-blocking, as for non-mbx
1567 locking, but can be made blocking by setting lock_fcntl_timeout and/or
1568 lock_flock_timeout as appropriate. As MBX delivery doesn't work over NFS, it
1569 probably makes sense to set timeouts for any MBX deliveries. */
1572 /* Build a lock file if configured to do so - the existence of a lock
1573 file is subsequently checked by looking for a non-negative value of the
1574 file descriptor hd - even though the file is no longer open. */
1576 if (ob->use_lockfile)
1578 /* cf. exim_lock.c */
1579 lockname = string_sprintf("%s.lock", filename);
1580 hitchname = string_sprintf( "%s.%s.%08x.%08x", lockname, primary_hostname,
1581 (unsigned int)(time(NULL)), (unsigned int)getpid());
1583 DEBUG(D_transport) debug_printf("lock name: %s\nhitch name: %s\n", lockname,
1586 /* Lock file creation retry loop */
1588 for (i = 0; i < ob->lock_retries; sleep(ob->lock_interval), i++)
1592 hd = Uopen(hitchname, O_WRONLY | O_CREAT | O_EXCL, ob->lockfile_mode);
1595 addr->basic_errno = errno;
1597 string_sprintf("creating lock file hitching post %s "
1598 "(euid=%ld egid=%ld)", hitchname, (long int)geteuid(),
1599 (long int)getegid());
1603 /* Attempt to hitch the hitching post to the lock file. If link()
1604 succeeds (the common case, we hope) all is well. Otherwise, fstat the
1605 file, and get rid of the hitching post. If the number of links was 2,
1606 the link was created, despite the failure of link(). If the hitch was
1607 not successful, try again, having unlinked the lock file if it is too
1610 There's a version of Linux (2.0.27) which doesn't update its local cache
1611 of the inode after link() by default - which many think is a bug - but
1612 if the link succeeds, this code will be OK. It just won't work in the
1613 case when link() fails after having actually created the link. The Linux
1614 NFS person is fixing this; a temporary patch is available if anyone is
1615 sufficiently worried. */
1617 if ((rc = Ulink(hitchname, lockname)) != 0) fstat(hd, &statbuf);
1620 if (rc != 0 && statbuf.st_nlink != 2)
1622 if (ob->lockfile_timeout > 0 && Ustat(lockname, &statbuf) == 0 &&
1623 time(NULL) - statbuf.st_ctime > ob->lockfile_timeout)
1625 DEBUG(D_transport) debug_printf("unlinking timed-out lock file\n");
1628 DEBUG(D_transport) debug_printf("link of hitching post failed - retrying\n");
1632 DEBUG(D_transport) debug_printf("lock file created\n");
1636 /* Check for too many tries at creating the lock file */
1638 if (i >= ob->lock_retries)
1640 addr->basic_errno = ERRNO_LOCKFAILED;
1641 addr->message = string_sprintf("failed to lock mailbox %s (lock file)",
1648 /* We now have to get the file open. First, stat() it and act on existence or
1649 non-existence. This is in a loop to handle the case of a file's being created
1650 or deleted as we watch, and also to handle retries when the locking fails.
1651 Rather than holding the file open while waiting for the fcntl() and/or
1652 flock() lock, we close and do the whole thing again. This should be safer,
1653 especially for NFS files, which might get altered from other hosts, making
1654 their cached sizes incorrect.
1656 With the default settings, no symlinks are permitted, but there is an option
1657 to permit symlinks for those sysadmins that know what they are doing.
1658 Shudder. However, insist that the initial symlink is owned by the right user.
1659 Thus lstat() is used initially; if a symlink is discovered, the loop is
1660 repeated such that stat() is used, to look at the end file. */
1662 for (i = 0; i < ob->lock_retries; i++)
1664 int sleep_before_retry = TRUE;
1665 file_opened = FALSE;
1667 if ((use_lstat ? Ulstat(filename, &statbuf) : Ustat(filename, &statbuf)) != 0)
1669 /* Let's hope that failure to stat (other than non-existence) is a
1672 if (errno != ENOENT)
1674 addr->basic_errno = errno;
1675 addr->message = string_sprintf("attempting to stat mailbox %s",
1680 /* File does not exist. If it is required to pre-exist this state is an
1683 if (ob->file_must_exist)
1685 addr->basic_errno = errno;
1686 addr->message = string_sprintf("mailbox %s does not exist, "
1687 "but file_must_exist is set", filename);
1691 /* If not permitted to create this file because it isn't in or below
1692 the home directory, generate an error. */
1694 if (!allow_creation_here)
1696 addr->basic_errno = ERRNO_BADCREATE;
1697 addr->message = string_sprintf("mailbox %s does not exist, "
1698 "but creation outside the home directory is not permitted",
1703 /* Attempt to create and open the file. If open fails because of
1704 pre-existence, go round the loop again. For any other error, defer the
1705 address, except for an alias or forward generated file name with EPERM,
1706 ENOENT, or EACCES, as those are most likely to be user errors rather
1707 than Exim config errors. When a symbolic link is permitted and points
1708 to a non-existent file, we get here with use_lstat = FALSE. In this case
1709 we mustn't use O_EXCL, since it doesn't work. The file is opened RDRW for
1710 consistency and because MBX locking requires it in order to be able to
1711 get a shared lock. */
1713 fd = Uopen(filename, O_RDWR | O_APPEND | O_CREAT |
1714 (use_lstat ? O_EXCL : 0), mode);
1717 if (errno == EEXIST) continue;
1718 addr->basic_errno = errno;
1719 addr->message = string_sprintf("while creating mailbox %s",
1721 if (testflag(addr, af_file) &&
1722 (errno == EPERM || errno == ENOENT || errno == EACCES))
1723 addr->transport_return = FAIL;
1727 /* We have successfully created and opened the file. Ensure that the group
1728 and the mode are correct. */
1730 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
1732 addr->basic_errno = errno;
1733 addr->message = string_sprintf("while setting perms on mailbox %s",
1735 addr->transport_return = FAIL;
1741 /* The file already exists. Test its type, ownership, and permissions, and
1742 save the inode for checking later. If symlinks are permitted (not the
1743 default or recommended state) it may be a symlink that already exists.
1744 Check its ownership and then look for the file at the end of the link(s).
1745 This at least prevents one user creating a symlink for another user in
1746 a sticky directory. */
1750 int oldmode = (int)statbuf.st_mode;
1751 ino_t inode = statbuf.st_ino;
1752 BOOL islink = (oldmode & S_IFMT) == S_IFLNK;
1754 isfifo = FALSE; /* In case things are changing */
1756 /* Check owner if required - the default. */
1758 if (ob->check_owner && statbuf.st_uid != uid)
1760 addr->basic_errno = ERRNO_BADUGID;
1761 addr->message = string_sprintf("mailbox %s%s has wrong uid "
1762 "(%ld != %ld)", filename,
1763 islink ? " (symlink)" : "",
1764 (long int)(statbuf.st_uid), (long int)uid);
1768 /* Group is checked only if check_group is set. */
1770 if (ob->check_group && statbuf.st_gid != gid)
1772 addr->basic_errno = ERRNO_BADUGID;
1773 addr->message = string_sprintf("mailbox %s%s has wrong gid (%d != %d)",
1774 filename, islink ? " (symlink)" : "", statbuf.st_gid, gid);
1778 /* Just in case this is a sticky-bit mail directory, we don't want
1779 users to be able to create hard links to other users' files. */
1781 if (statbuf.st_nlink != 1)
1783 addr->basic_errno = ERRNO_NOTREGULAR;
1784 addr->message = string_sprintf("mailbox %s%s has too many links (%lu)",
1785 filename, islink ? " (symlink)" : "", (unsigned long)statbuf.st_nlink);
1790 /* If symlinks are permitted (not recommended), the lstat() above will
1791 have found the symlink. Its ownership has just been checked; go round
1792 the loop again, using stat() instead of lstat(). That will never yield a
1795 if (islink && ob->allow_symlink)
1798 i--; /* Don't count this time round */
1802 /* An actual file exists. Check that it is a regular file, or FIFO
1805 if (ob->allow_fifo && (oldmode & S_IFMT) == S_IFIFO) isfifo = TRUE;
1807 else if ((oldmode & S_IFMT) != S_IFREG)
1809 addr->basic_errno = ERRNO_NOTREGULAR;
1810 addr->message = string_sprintf("mailbox %s is not a regular file%s",
1811 filename, ob->allow_fifo ? " or named pipe" : "");
1815 /* If the mode is not what it would be for a newly created file, change
1816 the permissions if the mode is supplied for the address. Otherwise,
1817 reduce but do not extend the permissions. If the newly created
1818 permissions are greater than the existing permissions, don't change
1819 things when the mode is not from the address. */
1821 if ((oldmode &= 07777) != mode)
1823 int diffs = oldmode ^ mode;
1824 if (addr->mode > 0 || (diffs & oldmode) == diffs)
1826 DEBUG(D_transport) debug_printf("chmod %o %s\n", mode, filename);
1827 if (Uchmod(filename, mode) < 0)
1829 addr->basic_errno = errno;
1830 addr->message = string_sprintf("attempting to chmod mailbox %s",
1837 /* Mode not from address, and newly-created permissions are greater
1838 than existing permissions. Default is to complain, but it can be
1839 configured to go ahead and try to deliver anyway if that's what
1840 the administration wants. */
1842 else if (ob->mode_fail_narrower)
1844 addr->basic_errno = ERRNO_BADMODE;
1845 addr->message = string_sprintf("mailbox %s has the wrong mode %o "
1846 "(%o expected)", filename, oldmode, mode);
1851 /* We are happy with the existing file. Open it, and then do further
1852 tests to ensure that it is the same file that we were just looking at.
1853 If the file does not now exist, restart this loop, going back to using
1854 lstat again. For an NFS error, just defer; other opening errors are
1855 more serious. The file is opened RDWR so that its format can be checked,
1856 and also MBX locking requires the use of a shared (read) lock. However,
1857 a FIFO is opened WRONLY + NDELAY so that it fails if there is no process
1858 reading the pipe. */
1860 fd = Uopen(filename, isfifo ? (O_WRONLY|O_NDELAY) : (O_RDWR|O_APPEND),
1864 if (errno == ENOENT)
1869 addr->basic_errno = errno;
1871 addr->message = string_sprintf("while opening named pipe %s "
1872 "(could mean no process is reading it)", filename);
1873 else if (errno != EWOULDBLOCK)
1874 addr->message = string_sprintf("while opening mailbox %s", filename);
1878 /* This fstat really shouldn't fail, as we have an open file! There's a
1879 dilemma here. We use fstat in order to be sure we are peering at the file
1880 we have got open. However, that won't tell us if the file was reached
1881 via a symbolic link. We checked this above, but there is a race exposure
1882 if the link was created between the previous lstat and the open. However,
1883 it would have to be created with the same inode in order to pass the
1884 check below. If ob->allow_symlink is set, causing the use of stat rather
1885 than lstat above, symbolic links may be there anyway, and the checking is
1888 if (fstat(fd, &statbuf) < 0)
1890 addr->basic_errno = errno;
1891 addr->message = string_sprintf("attempting to stat open mailbox %s",
1896 /* Check the inode; this is isn't a perfect check, but gives some
1899 if (inode != statbuf.st_ino)
1901 addr->basic_errno = ERRNO_INODECHANGED;
1902 addr->message = string_sprintf("opened mailbox %s inode number changed "
1903 "from " INO_T_FMT " to " INO_T_FMT, filename, inode, statbuf.st_ino);
1904 addr->special_action = SPECIAL_FREEZE;
1908 /* Check it's still a regular file or FIFO, and the uid, gid, and
1909 permissions have not changed. */
1911 if ((!isfifo && (statbuf.st_mode & S_IFMT) != S_IFREG) ||
1912 (isfifo && (statbuf.st_mode & S_IFMT) != S_IFIFO))
1914 addr->basic_errno = ERRNO_NOTREGULAR;
1916 string_sprintf("opened mailbox %s is no longer a %s", filename,
1917 isfifo ? "named pipe" : "regular file");
1918 addr->special_action = SPECIAL_FREEZE;
1922 if ((ob->check_owner && statbuf.st_uid != uid) ||
1923 (ob->check_group && statbuf.st_gid != gid))
1925 addr->basic_errno = ERRNO_BADUGID;
1927 string_sprintf("opened mailbox %s has wrong uid or gid", filename);
1928 addr->special_action = SPECIAL_FREEZE;
1932 if ((statbuf.st_mode & 07777) != oldmode)
1934 addr->basic_errno = ERRNO_BADMODE;
1935 addr->message = string_sprintf("opened mailbox %s has wrong mode %o "
1936 "(%o expected)", filename, statbuf.st_mode & 07777, mode);
1937 addr->special_action = SPECIAL_FREEZE;
1941 /* If file_format is set, check that the format of the file has not
1942 changed. Error data is set by the testing function. */
1944 if (ob->file_format && check_file_format(fd, tblock, addr) != tblock)
1946 addr->message = US"open mailbox has changed format";
1950 /* The file is OK. Carry on to do the locking. */
1953 /* We now have an open file, and must lock it using fcntl(), flock() or MBX
1954 locking rules if configured to do so. If a lock file is also required, it
1955 was created above and hd was left >= 0. At least one form of locking is
1956 required by the initialization function. If locking fails here, close the
1957 file and go round the loop all over again, after waiting for a bit, unless
1958 blocking locking was used. */
1961 if ((ob->lock_fcntl_timeout > 0) || (ob->lock_flock_timeout > 0))
1962 sleep_before_retry = FALSE;
1964 /* Simple fcntl() and/or flock() locking */
1966 if (!ob->use_mbx_lock && (ob->use_fcntl || ob->use_flock))
1968 if (apply_lock(fd, F_WRLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
1969 ob->use_flock, ob->lock_flock_timeout) >= 0) break;
1972 /* MBX locking rules */
1975 else if (ob->use_mbx_lock)
1978 struct stat lstatbuf, statbuf2;
1979 if (apply_lock(fd, F_RDLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
1980 ob->use_flock, ob->lock_flock_timeout) >= 0 &&
1981 fstat(fd, &statbuf) >= 0)
1983 sprintf(CS mbx_lockname, "/tmp/.%lx.%lx", (long)statbuf.st_dev,
1984 (long)statbuf.st_ino);
1987 * 2010-05-29: SECURITY
1988 * Dan Rosenberg reported the presence of a race-condition in the
1989 * original code here. Beware that many systems still allow symlinks
1990 * to be followed in /tmp so an attacker can create a symlink pointing
1991 * elsewhere between a stat and an open, which we should avoid
1994 * It's unfortunate that we can't just use all the heavily debugged
1995 * locking from above.
1997 * Also: remember to mirror changes into exim_lock.c */
1999 /* first leave the old pre-check in place, it provides better
2000 * diagnostics for common cases */
2001 if (Ulstat(mbx_lockname, &statbuf) >= 0)
2003 if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
2005 addr->basic_errno = ERRNO_LOCKFAILED;
2006 addr->message = string_sprintf("symbolic link on MBX lock file %s",
2010 if (statbuf.st_nlink > 1)
2012 addr->basic_errno = ERRNO_LOCKFAILED;
2013 addr->message = string_sprintf("hard link to MBX lock file %s",
2019 /* If we could just declare "we must be the ones who create this
2020 * file" then a hitching post in a subdir would work, since a
2021 * subdir directly in /tmp/ which we create wouldn't follow links
2022 * but this isn't our locking logic, so we can't safely change the
2023 * file existence rules. */
2025 /* On systems which support O_NOFOLLOW, it's the easiest and most
2026 * obviously correct security fix */
2027 mbx_tmp_oflags = O_RDWR | O_CREAT;
2029 mbx_tmp_oflags |= O_NOFOLLOW;
2031 mbx_lockfd = Uopen(mbx_lockname, mbx_tmp_oflags, ob->lockfile_mode);
2034 addr->basic_errno = ERRNO_LOCKFAILED;
2035 addr->message = string_sprintf("failed to open MBX lock file %s :%s",
2036 mbx_lockname, strerror(errno));
2040 if (Ulstat(mbx_lockname, &lstatbuf) < 0)
2042 addr->basic_errno = ERRNO_LOCKFAILED;
2043 addr->message = string_sprintf("attempting to lstat open MBX "
2044 "lock file %s: %s", mbx_lockname, strerror(errno));
2047 if (fstat(mbx_lockfd, &statbuf2) < 0)
2049 addr->basic_errno = ERRNO_LOCKFAILED;
2050 addr->message = string_sprintf("attempting to stat fd of open MBX "
2051 "lock file %s: %s", mbx_lockname, strerror(errno));
2057 * statbuf: if exists, is file which existed prior to opening the
2058 * lockfile, might have been replaced since then
2059 * statbuf2: result of stat'ing the open fd, is what was actually
2061 * lstatbuf: result of lstat'ing the filename immediately after
2062 * the open but there's a race condition again between
2063 * those two steps: before open, symlink to foo, after
2064 * open but before lstat have one of:
2065 * * was no symlink, so is the opened file
2066 * (we created it, no messing possible after that point)
2068 * * symlink elsewhere
2069 * * hardlink elsewhere
2071 * Don't want to compare to device of /tmp because some modern systems
2072 * have regressed to having /tmp be the safe actual filesystem as
2073 * valuable data, so is mostly worthless, unless we assume that *only*
2074 * Linux systems do this and that all Linux has O_NOFOLLOW. Something
2075 * for further consideration.
2076 * No point in doing a readlink on the lockfile as that will always be
2077 * at a different point in time from when we open it, so tells us
2078 * nothing; attempts to clean up and delete after ourselves would risk
2079 * deleting a *third* filename.
2081 if ((statbuf2.st_nlink > 1) ||
2082 (lstatbuf.st_nlink > 1) ||
2083 (!S_ISREG(lstatbuf.st_mode)) ||
2084 (lstatbuf.st_dev != statbuf2.st_dev) ||
2085 (lstatbuf.st_ino != statbuf2.st_ino))
2087 addr->basic_errno = ERRNO_LOCKFAILED;
2088 addr->message = string_sprintf("RACE CONDITION detected: "
2089 "mismatch post-initial-checks between \"%s\" and opened "
2090 "fd lead us to abort!", mbx_lockname);
2094 (void)Uchmod(mbx_lockname, ob->lockfile_mode);
2096 if (apply_lock(mbx_lockfd, F_WRLCK, ob->use_fcntl,
2097 ob->lock_fcntl_timeout, ob->use_flock, ob->lock_flock_timeout) >= 0)
2099 struct stat ostatbuf;
2101 /* This tests for a specific race condition. Ensure that we still
2102 have the same file. */
2104 if (Ulstat(mbx_lockname, &statbuf) == 0 &&
2105 fstat(mbx_lockfd, &ostatbuf) == 0 &&
2106 statbuf.st_dev == ostatbuf.st_dev &&
2107 statbuf.st_ino == ostatbuf.st_ino)
2109 DEBUG(D_transport) debug_printf("MBX lockfile %s changed "
2110 "between creation and locking\n", mbx_lockname);
2113 DEBUG(D_transport) debug_printf("failed to lock %s: %s\n", mbx_lockname,
2115 (void)close(mbx_lockfd);
2120 DEBUG(D_transport) debug_printf("failed to fstat or get read lock on %s: %s\n",
2121 filename, strerror(errno));
2124 #endif /* SUPPORT_MBX */
2126 else break; /* No on-file locking required; break the open/lock loop */
2129 debug_printf("fcntl(), flock(), or MBX locking failed - retrying\n");
2133 use_lstat = TRUE; /* Reset to use lstat first */
2136 /* If a blocking call timed out, break the retry loop if the total time
2137 so far is not less than than retries * interval. Use the larger of the
2138 flock() and fcntl() timeouts. */
2141 (i+1) * ((ob->lock_fcntl_timeout > ob->lock_flock_timeout)?
2142 ob->lock_fcntl_timeout : ob->lock_flock_timeout) >=
2143 ob->lock_retries * ob->lock_interval)
2144 i = ob->lock_retries;
2146 /* Wait a bit before retrying, except when it was a blocked fcntl() or
2147 flock() that caused the problem. */
2149 if (i < ob->lock_retries && sleep_before_retry) sleep(ob->lock_interval);
2152 /* Test for exceeding the maximum number of tries. Either the file remains
2153 locked, or, if we haven't got it open, something is terribly wrong... */
2155 if (i >= ob->lock_retries)
2159 addr->basic_errno = ERRNO_EXISTRACE;
2160 addr->message = string_sprintf("mailbox %s: existence unclear", filename);
2161 addr->special_action = SPECIAL_FREEZE;
2165 addr->basic_errno = ERRNO_LOCKFAILED;
2166 addr->message = string_sprintf("failed to lock mailbox %s (fcntl/flock)",
2172 DEBUG(D_transport) debug_printf("mailbox %s is locked\n", filename);
2174 /* Save access time (for subsequent restoration), modification time (for
2175 restoration if updating fails), size of file (for comsat and for re-setting if
2176 delivery fails in the middle - e.g. for quota exceeded). */
2178 if (fstat(fd, &statbuf) < 0)
2180 addr->basic_errno = errno;
2181 addr->message = string_sprintf("while fstatting opened mailbox %s",
2186 times.actime = statbuf.st_atime;
2187 times.modtime = statbuf.st_mtime;
2188 saved_size = statbuf.st_size;
2189 if (mailbox_size < 0) mailbox_size = saved_size;
2190 mailbox_filecount = 0; /* Not actually relevant for single-file mailbox */
2193 /* Prepare for writing to a new file (as opposed to appending to an old one).
2194 There are several different formats, but there is preliminary stuff concerned
2195 with quotas that applies to all of them. Finding the current size by directory
2196 scanning is expensive; for maildirs some fudges have been invented:
2198 (1) A regex can be used to extract a file size from its name;
2199 (2) If maildir_use_size is set, a maildirsize file is used to cache the
2205 uschar *check_path = path; /* Default quota check path */
2206 const pcre *regex = NULL; /* Regex for file size from file name */
2208 if (!check_creation(string_sprintf("%s/any", path), ob->create_file))
2210 addr->basic_errno = ERRNO_BADCREATE;
2211 addr->message = string_sprintf("tried to create file in %s, but "
2212 "file creation outside the home directory is not permitted", path);
2216 #ifdef SUPPORT_MAILDIR
2217 /* For a maildir delivery, ensure that all the relevant directories exist,
2218 and a maildirfolder file if necessary. */
2220 if (mbformat == mbf_maildir && !maildir_ensure_directories(path, addr,
2221 ob->create_directory, ob->dirmode, ob->maildirfolder_create_regex))
2223 #endif /* SUPPORT_MAILDIR */
2225 /* If we are going to do a quota check, of if maildir_use_size_file is set
2226 for a maildir delivery, compile the regular expression if there is one. We
2227 may also need to adjust the path that is used. We need to do this for
2228 maildir_use_size_file even if the quota is unset, because we still want to
2229 create the file. When maildir support is not compiled,
2230 ob->maildir_use_size_file is always FALSE. */
2232 if (ob->quota_value > 0 || THRESHOLD_CHECK || ob->maildir_use_size_file)
2234 const uschar *error;
2237 /* Compile the regex if there is one. */
2239 if (ob->quota_size_regex)
2241 if (!(regex = pcre_compile(CS ob->quota_size_regex, PCRE_COPT,
2242 CCSS &error, &offset, NULL)))
2244 addr->message = string_sprintf("appendfile: regular expression "
2245 "error: %s at offset %d while compiling %s", error, offset,
2246 ob->quota_size_regex);
2249 DEBUG(D_transport) debug_printf("using regex for file sizes: %s\n",
2250 ob->quota_size_regex);
2253 /* Use an explicitly configured directory if set */
2255 if (ob->quota_directory)
2257 if (!(check_path = expand_string(ob->quota_directory)))
2259 addr->message = string_sprintf("Expansion of \"%s\" (quota_directory "
2260 "name for %s transport) failed: %s", ob->quota_directory,
2261 tblock->name, expand_string_message);
2265 if (check_path[0] != '/')
2267 addr->message = string_sprintf("appendfile: quota_directory name "
2268 "\"%s\" is not absolute", check_path);
2269 addr->basic_errno = ERRNO_NOTABSOLUTE;
2274 #ifdef SUPPORT_MAILDIR
2275 /* Otherwise, if we are handling a maildir delivery, and the directory
2276 contains a file called maildirfolder, this is a maildir++ feature telling
2277 us that this is a sub-directory of the real inbox. We should therefore do
2278 the quota check on the parent directory. Beware of the special case when
2279 the directory name itself ends in a slash. */
2281 else if (mbformat == mbf_maildir)
2283 struct stat statbuf;
2284 if (Ustat(string_sprintf("%s/maildirfolder", path), &statbuf) >= 0)
2286 uschar *new_check_path = string_copy(check_path);
2287 uschar *slash = Ustrrchr(new_check_path, '/');
2293 slash = Ustrrchr(new_check_path, '/');
2298 check_path = new_check_path;
2299 DEBUG(D_transport) debug_printf("maildirfolder file exists: "
2300 "quota check directory changed to %s\n", check_path);
2305 #endif /* SUPPORT_MAILDIR */
2308 /* If we are using maildirsize files, we need to ensure that such a file
2309 exists and, if necessary, recalculate its contents. As a byproduct of this,
2310 we obtain the current size of the maildir. If no quota is to be enforced
2311 (ob->quota_value == 0), we still need the size if a threshold check will
2314 Another regular expression is used to determine which directories inside the
2315 maildir are going to be counted. */
2317 #ifdef SUPPORT_MAILDIR
2318 if (ob->maildir_use_size_file)
2320 const pcre *dir_regex = NULL;
2321 const uschar *error;
2324 if (ob->maildir_dir_regex)
2326 int check_path_len = Ustrlen(check_path);
2328 if (!(dir_regex = pcre_compile(CS ob->maildir_dir_regex, PCRE_COPT,
2329 CCSS &error, &offset, NULL)))
2331 addr->message = string_sprintf("appendfile: regular expression "
2332 "error: %s at offset %d while compiling %s", error, offset,
2333 ob->maildir_dir_regex);
2338 debug_printf("using regex for maildir directory selection: %s\n",
2339 ob->maildir_dir_regex);
2341 /* Check to see if we are delivering into an ignored directory, that is,
2342 if the delivery path starts with the quota check path, and the rest
2343 of the deliver path matches the regex; if so, set a flag to disable quota
2344 checking and maildirsize updating. */
2346 if (Ustrncmp(path, check_path, check_path_len) == 0)
2348 uschar *s = path + check_path_len;
2349 while (*s == '/') s++;
2350 s = *s ? string_sprintf("%s/new", s) : US"new";
2351 if (pcre_exec(dir_regex, NULL, CS s, Ustrlen(s), 0, 0, NULL, 0) < 0)
2353 disable_quota = TRUE;
2354 DEBUG(D_transport) debug_printf("delivery directory does not match "
2355 "maildir_quota_directory_regex: disabling quota\n");
2360 /* Quota enforcement; create and check the file. There is some discussion
2361 about whether this should happen if the quota is unset. At present, Exim
2362 always creates the file. If we ever want to change this, uncomment
2363 appropriate lines below, possibly doing a check on some option. */
2365 /* if (???? || ob->quota_value > 0) */
2372 if ((maildirsize_fd = maildir_ensure_sizefile(check_path, ob, regex, dir_regex,
2373 &size, &filecount)) == -1)
2375 addr->basic_errno = errno;
2376 addr->message = string_sprintf("while opening or reading "
2377 "%s/maildirsize", check_path);
2380 /* can also return -2, which means that the file was removed because of
2381 raciness; but in this case, the size & filecount will still have been
2384 if (mailbox_size < 0) mailbox_size = size;
2385 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2388 /* No quota enforcement; ensure file does *not* exist; calculate size if
2393 * time_t old_latest;
2394 * (void)unlink(CS string_sprintf("%s/maildirsize", check_path));
2395 * if (THRESHOLD_CHECK)
2396 * mailbox_size = maildir_compute_size(check_path, &mailbox_filecount, &old_latest,
2397 * regex, dir_regex, FALSE);
2402 #endif /* SUPPORT_MAILDIR */
2404 /* Otherwise if we are going to do a quota check later on, and the mailbox
2405 size is not set, find the current size of the mailbox. Ditto for the file
2406 count. Note that ob->quota_filecount_value cannot be set without
2407 ob->quota_value being set. */
2410 && (ob->quota_value > 0 || THRESHOLD_CHECK)
2411 && ( mailbox_size < 0
2412 || mailbox_filecount < 0 && ob->quota_filecount_value > 0
2418 debug_printf("quota checks on directory %s\n", check_path);
2419 size = check_dir_size(check_path, &filecount, regex);
2420 if (mailbox_size < 0) mailbox_size = size;
2421 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2424 /* Handle the case of creating a unique file in a given directory (not in
2425 maildir or mailstore format - this is how smail did it). A temporary name is
2426 used to create the file. Later, when it is written, the name is changed to a
2427 unique one. There is no need to lock the file. An attempt is made to create
2428 the directory if it does not exist. */
2430 if (mbformat == mbf_smail)
2433 debug_printf("delivering to new file in %s\n", path);
2434 filename = dataname =
2435 string_sprintf("%s/temp.%d.%s", path, (int)getpid(), primary_hostname);
2436 fd = Uopen(filename, O_WRONLY|O_CREAT, mode);
2437 if (fd < 0 && /* failed to open, and */
2438 (errno != ENOENT || /* either not non-exist */
2439 !ob->create_directory || /* or not allowed to make */
2440 !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */
2441 (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */
2443 addr->basic_errno = errno;
2444 addr->message = string_sprintf("while creating file %s", filename);
2449 #ifdef SUPPORT_MAILDIR
2451 /* Handle the case of a unique file in maildir format. The file is written to
2452 the tmp subdirectory, with a prescribed form of name. */
2454 else if (mbformat == mbf_maildir)
2457 debug_printf("delivering in maildir format in %s\n", path);
2459 nametag = ob->maildir_tag;
2461 /* Check that nametag expands successfully; a hard failure causes a panic
2462 return. The actual expansion for use happens again later, when
2463 $message_size is accurately known. */
2465 if (nametag && !expand_string(nametag) && !f.expand_string_forcedfail)
2467 addr->message = string_sprintf("Expansion of \"%s\" (maildir_tag "
2468 "for %s transport) failed: %s", nametag, tblock->name,
2469 expand_string_message);
2473 /* We ensured the existence of all the relevant directories above. Attempt
2474 to open the temporary file a limited number of times. I think this rather
2475 scary-looking for statement is actually OK. If open succeeds, the loop is
2476 broken; if not, there is a test on the value of i. Get the time again
2477 afresh each time round the loop. Its value goes into a variable that is
2478 checked at the end, to make sure we don't release this process until the
2479 clock has ticked. */
2481 for (int i = 1;; i++)
2485 (void)gettimeofday(&msg_tv, NULL);
2486 basename = string_sprintf(TIME_T_FMT ".M%luP" PID_T_FMT ".%s",
2487 msg_tv.tv_sec, msg_tv.tv_usec, getpid(), primary_hostname);
2489 filename = dataname = string_sprintf("tmp/%s", basename);
2490 newname = string_sprintf("new/%s", basename);
2492 if (Ustat(filename, &statbuf) == 0)
2494 else if (errno == ENOENT)
2496 if ((fd = Uopen(filename, O_WRONLY | O_CREAT | O_EXCL, mode)) >= 0)
2498 DEBUG (D_transport) debug_printf ("open failed for %s: %s\n",
2499 filename, strerror(errno));
2502 /* Too many retries - give up */
2504 if (i >= ob->maildir_retries)
2506 addr->message = string_sprintf ("failed to open %s (%d tr%s)",
2507 filename, i, (i == 1) ? "y" : "ies");
2508 addr->basic_errno = errno;
2509 if (errno == errno_quota || errno == ENOSPC)
2510 addr->user_message = US"mailbox is full";
2514 /* Open or stat failed but we haven't tried too many times yet. */
2519 /* Note that we have to ensure the clock has ticked before leaving */
2521 wait_for_tick = TRUE;
2523 /* Why are these here? Put in because they are present in the non-maildir
2524 directory case above. */
2526 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2528 addr->basic_errno = errno;
2529 addr->message = string_sprintf("while setting perms on maildir %s",
2535 #endif /* SUPPORT_MAILDIR */
2537 #ifdef SUPPORT_MAILSTORE
2539 /* Handle the case of a unique file in mailstore format. First write the
2540 envelope to a temporary file, then open the main file. The unique base name
2541 for the files consists of the message id plus the pid of this delivery
2547 mailstore_basename = string_sprintf("%s/%s-%s", path, message_id,
2548 string_base62((long int)getpid()));
2551 debug_printf("delivering in mailstore format in %s\n", path);
2553 filename = string_sprintf("%s.tmp", mailstore_basename);
2554 newname = string_sprintf("%s.env", mailstore_basename);
2555 dataname = string_sprintf("%s.msg", mailstore_basename);
2557 fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
2558 if ( fd < 0 /* failed to open, and */
2559 && ( errno != ENOENT /* either not non-exist */
2560 || !ob->create_directory /* or not allowed to make */
2561 || !directory_make(NULL, path, ob->dirmode, FALSE) /* or failed to create dir */
2562 || (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0 /* or then failed to open */
2565 addr->basic_errno = errno;
2566 addr->message = string_sprintf("while creating file %s", filename);
2570 /* Why are these here? Put in because they are present in the non-maildir
2571 directory case above. */
2573 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2575 addr->basic_errno = errno;
2576 addr->message = string_sprintf("while setting perms on file %s",
2581 /* Built a C stream from the open file descriptor. */
2583 if (!(env_file = fdopen(fd, "wb")))
2585 addr->basic_errno = errno;
2586 addr->message = string_sprintf("fdopen of %s ("
2587 "for %s transport) failed", filename, tblock->name);
2593 /* Write the envelope file, then close it. */
2595 if (ob->mailstore_prefix)
2597 uschar *s = expand_string(ob->mailstore_prefix);
2600 if (!f.expand_string_forcedfail)
2602 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2603 "prefix for %s transport) failed: %s", ob->mailstore_prefix,
2604 tblock->name, expand_string_message);
2605 (void)fclose(env_file);
2613 fprintf(env_file, "%s", CS s);
2614 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2618 fprintf(env_file, "%s\n", sender_address);
2620 for (address_item * taddr = addr; taddr; taddr = taddr->next)
2621 fprintf(env_file, "%s@%s\n", taddr->local_part, taddr->domain);
2623 if (ob->mailstore_suffix)
2625 uschar *s = expand_string(ob->mailstore_suffix);
2628 if (!f.expand_string_forcedfail)
2630 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2631 "suffix for %s transport) failed: %s", ob->mailstore_suffix,
2632 tblock->name, expand_string_message);
2633 (void)fclose(env_file);
2641 fprintf(env_file, "%s", CS s);
2642 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2646 if (fclose(env_file) != 0)
2648 addr->basic_errno = errno;
2649 addr->message = string_sprintf("while closing %s", filename);
2654 DEBUG(D_transport) debug_printf("Envelope file %s written\n", filename);
2656 /* Now open the data file, and ensure that it has the correct ownership and
2659 if ((fd = Uopen(dataname, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)
2661 addr->basic_errno = errno;
2662 addr->message = string_sprintf("while creating file %s", dataname);
2666 if (exim_chown(dataname, uid, gid) || Uchmod(dataname, mode))
2668 addr->basic_errno = errno;
2669 addr->message = string_sprintf("while setting perms on file %s",
2675 #endif /* SUPPORT_MAILSTORE */
2678 /* In all cases of writing to a new file, ensure that the file which is
2679 going to be renamed has the correct ownership and mode. */
2681 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2683 addr->basic_errno = errno;
2684 addr->message = string_sprintf("while setting perms on file %s",
2691 /* At last we can write the message to the file, preceded by any configured
2692 prefix line, and followed by any configured suffix line. If there are any
2693 writing errors, we must defer. */
2695 DEBUG(D_transport) debug_printf("writing to file %s\n", dataname);
2700 /* If there is a local quota setting, check that we are not going to exceed it
2701 with this message if quota_is_inclusive is set; if it is not set, the check
2702 is for the mailbox already being over quota (i.e. the current message is not
2703 included in the check). */
2705 if (!disable_quota && ob->quota_value > 0)
2709 debug_printf("Exim quota = " OFF_T_FMT " old size = " OFF_T_FMT
2710 " this message = %d (%sincluded)\n",
2711 ob->quota_value, mailbox_size, message_size,
2712 ob->quota_is_inclusive ? "" : "not ");
2713 debug_printf(" file count quota = %d count = %d\n",
2714 ob->quota_filecount_value, mailbox_filecount);
2717 if (mailbox_size + (ob->quota_is_inclusive ? message_size:0) > ob->quota_value)
2718 if (!ob->quota_no_check)
2720 DEBUG(D_transport) debug_printf("mailbox quota exceeded\n");
2722 errno = ERRNO_EXIMQUOTA;
2725 DEBUG(D_transport) debug_printf("mailbox quota exceeded but ignored\n");
2727 if (ob->quota_filecount_value > 0
2728 && mailbox_filecount + (ob->quota_is_inclusive ? 1:0) >
2729 ob->quota_filecount_value)
2730 if (!ob->quota_filecount_no_check)
2732 DEBUG(D_transport) debug_printf("mailbox file count quota exceeded\n");
2734 errno = ERRNO_EXIMQUOTA;
2735 filecount_msg = US" filecount";
2737 else DEBUG(D_transport) if (ob->quota_filecount_no_check)
2738 debug_printf("mailbox file count quota exceeded but ignored\n");
2744 addr->basic_errno = errno;
2745 addr->message = US"Over quota";
2746 addr->transport_return = yield;
2748 debug_printf("appendfile (verify) yields %d with errno=%d more_errno=%d\n",
2749 yield, addr->basic_errno, addr->more_errno);
2754 /* If we are writing in MBX format, what we actually do is to write the message
2755 to a temporary file, and then copy it to the real file once we know its size.
2756 This is the most straightforward way of getting the correct length in the
2757 separator line. So, what we do here is to save the real file descriptor, and
2758 replace it with one for a temporary file. The temporary file gets unlinked once
2759 opened, so that it goes away on closure. */
2762 if (yield == OK && ob->mbx_format)
2764 if (!(temp_file = tmpfile()))
2766 addr->basic_errno = errno;
2767 addr->message = US"while setting up temporary file";
2772 fd = fileno(temp_file);
2773 DEBUG(D_transport) debug_printf("writing to temporary file\n");
2775 #endif /* SUPPORT_MBX */
2777 /* Zero the count of bytes written. It is incremented by the transport_xxx()
2780 transport_count = 0;
2781 transport_newlines = 0;
2783 /* Write any configured prefix text first */
2785 if (yield == OK && ob->message_prefix && *ob->message_prefix)
2787 uschar *prefix = expand_string(ob->message_prefix);
2790 errno = ERRNO_EXPANDFAIL;
2791 addr->transport_return = PANIC;
2792 addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s "
2793 "transport) failed", ob->message_prefix, tblock->name);
2796 else if (!transport_write_string(fd, "%s", prefix)) yield = DEFER;
2799 /* If the use_bsmtp option is on, we need to write SMTP prefix information. The
2800 various different values for batching are handled outside; if there is more
2801 than one address available here, all must be included. If any address is a
2802 file, use its parent in the RCPT TO. */
2804 if (yield == OK && ob->use_bsmtp)
2806 transport_count = 0;
2807 transport_newlines = 0;
2808 if (ob->use_crlf) cr = US"\r";
2809 if (!transport_write_string(fd, "MAIL FROM:<%s>%s\n", return_path, cr))
2813 transport_newlines++;
2814 for (address_item * a = addr; a; a = a->next)
2816 address_item * b = testflag(a, af_pfr) ? a->parent : a;
2817 if (!transport_write_string(fd, "RCPT TO:<%s>%s\n",
2818 transport_rcpt_address(b, tblock->rcpt_include_affixes), cr))
2819 { yield = DEFER; break; }
2820 transport_newlines++;
2822 if (yield == OK && !transport_write_string(fd, "DATA%s\n", cr))
2825 transport_newlines++;
2829 /* Now the message itself. The options for transport_write_message were set up
2830 at initialization time. */
2834 transport_ctx tctx = {
2838 .check_string = ob->check_string,
2839 .escape_string = ob->escape_string,
2840 .options = ob->options | topt_not_socket
2842 if (!transport_write_message(&tctx, 0))
2846 /* Now a configured suffix. */
2848 if (yield == OK && ob->message_suffix && *ob->message_suffix)
2850 uschar *suffix = expand_string(ob->message_suffix);
2853 errno = ERRNO_EXPANDFAIL;
2854 addr->transport_return = PANIC;
2855 addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s "
2856 "transport) failed", ob->message_suffix, tblock->name);
2859 else if (!transport_write_string(fd, "%s", suffix)) yield = DEFER;
2862 /* If batch smtp, write the terminating dot. */
2864 if (yield == OK && ob->use_bsmtp)
2865 if (!transport_write_string(fd, ".%s\n", cr)) yield = DEFER;
2866 else transport_newlines++;
2868 /* If MBX format is being used, all that writing was to the temporary file.
2869 However, if there was an earlier failure (Exim quota exceeded, for example),
2870 the temporary file won't have got opened - and no writing will have been done.
2871 If writing was OK, we restore the fd, and call a function that copies the
2872 message in MBX format into the real file. Otherwise use the temporary name in
2876 if (temp_file && ob->mbx_format)
2883 transport_count = 0; /* Reset transport count for actual write */
2884 /* No need to reset transport_newlines as we're just using a block copy
2885 * routine so the number won't be affected */
2886 yield = copy_mbx_message(fd, fileno(temp_file), saved_size);
2888 else if (errno >= 0) dataname = US"temporary file";
2890 /* Preserve errno while closing the temporary file. */
2892 mbx_save_errno = errno;
2893 (void)fclose(temp_file);
2894 errno = mbx_save_errno;
2896 #endif /* SUPPORT_MBX */
2898 /* Force out the remaining data to check for any errors; some OS don't allow
2899 fsync() to be called for a FIFO. */
2901 if (yield == OK && !isfifo && EXIMfsync(fd) < 0) yield = DEFER;
2903 /* Update message_size and message_linecount to the accurate count of bytes
2904 written, including added headers. Note; we subtract 1 from message_linecount as
2905 this variable doesn't count the new line between the header and the body of the
2908 message_size = transport_count;
2909 message_linecount = transport_newlines - 1;
2911 /* If using a maildir++ quota file, add this message's size to it, and
2912 close the file descriptor, except when the quota has been disabled because we
2913 are delivering into an uncounted folder. */
2915 #ifdef SUPPORT_MAILDIR
2918 if (yield == OK && maildirsize_fd >= 0)
2919 maildir_record_length(maildirsize_fd, message_size);
2920 maildir_save_errno = errno; /* Preserve errno while closing the file */
2921 if (maildirsize_fd >= 0)
2922 (void)close(maildirsize_fd);
2923 errno = maildir_save_errno;
2925 #endif /* SUPPORT_MAILDIR */
2927 /* If there is a quota warning threshold and we are have crossed it with this
2928 message, set the SPECIAL_WARN flag in the address, to cause a warning message
2931 if (!disable_quota && THRESHOLD_CHECK)
2933 off_t threshold = ob->quota_warn_threshold_value;
2934 if (ob->quota_warn_threshold_is_percent)
2935 threshold = (off_t)(((double)ob->quota_value * threshold) / 100);
2937 debug_printf("quota = " OFF_T_FMT
2938 " threshold = " OFF_T_FMT
2939 " old size = " OFF_T_FMT
2940 " message size = %d\n",
2941 ob->quota_value, threshold, mailbox_size,
2943 if (mailbox_size <= threshold && mailbox_size + message_size > threshold)
2944 addr->special_action = SPECIAL_WARN;
2946 /******* You might think that the test ought to be this:
2948 * if (ob->quota_value > 0 && threshold > 0 && mailbox_size > 0 &&
2949 * mailbox_size <= threshold && mailbox_size + message_size > threshold)
2951 * (indeed, I was sent a patch with that in). However, it is possible to
2952 * have a warning threshold without actually imposing a quota, and I have
2953 * therefore kept Exim backwards compatible.
2958 /* Handle error while writing the file. Control should come here directly after
2959 the error, with the reason in errno. In the case of expansion failure in prefix
2960 or suffix, it will be ERRNO_EXPANDFAIL. */
2964 addr->special_action = SPECIAL_NONE; /* Cancel any quota warning */
2966 /* Save the error number. If positive, it will ultimately cause a strerror()
2967 call to generate some text. */
2969 addr->basic_errno = errno;
2971 /* For system or Exim quota excession, or disk full, set more_errno to the
2972 time since the file was last read. If delivery was into a directory, the
2973 time since last read logic is not relevant, in general. However, for maildir
2974 deliveries we can approximate it by looking at the last modified time of the
2975 "new" subdirectory. Since Exim won't be adding new messages, a change to the
2976 "new" subdirectory implies that an MUA has moved a message from there to the
2979 if (errno == errno_quota || errno == ERRNO_EXIMQUOTA || errno == ENOSPC)
2981 addr->more_errno = 0;
2982 if (!isdirectory) addr->more_errno = (int)(time(NULL) - times.actime);
2984 #ifdef SUPPORT_MAILDIR
2985 else if (mbformat == mbf_maildir)
2987 struct stat statbuf;
2988 if (Ustat("new", &statbuf) < 0)
2990 DEBUG(D_transport) debug_printf("maildir quota exceeded: "
2991 "stat error %d for \"new\": %s\n", errno, strerror(errno));
2993 else /* Want a repeatable time when in test harness */
2994 addr->more_errno = f.running_in_test_harness ? 10 :
2995 (int)time(NULL) - statbuf.st_mtime;
2998 debug_printf("maildir: time since \"new\" directory modified = %s\n",
2999 readconf_printtime(addr->more_errno));
3001 #endif /* SUPPORT_MAILDIR */
3004 /* Handle system quota excession. Add an explanatory phrase for the error
3005 message, since some systems don't have special quota-excession errors,
3006 and on those that do, "quota" doesn't always mean anything to the user. */
3008 if (errno == errno_quota)
3011 addr->message = string_sprintf("mailbox is full "
3012 "(quota exceeded while writing to file %s)", filename);
3014 addr->message = US"mailbox is full";
3016 addr->user_message = US"mailbox is full";
3017 DEBUG(D_transport) debug_printf("System quota exceeded for %s%s%s\n",
3019 isdirectory ? US"" : US": time since file read = ",
3020 isdirectory ? US"" : readconf_printtime(addr->more_errno));
3023 /* Handle Exim's own quota-imposition */
3025 else if (errno == ERRNO_EXIMQUOTA)
3027 addr->message = string_sprintf("mailbox is full "
3028 "(MTA-imposed%s quota exceeded while writing to %s)", filecount_msg,
3030 addr->user_message = US"mailbox is full";
3031 DEBUG(D_transport) debug_printf("Exim%s quota exceeded for %s%s%s\n",
3032 filecount_msg, dataname,
3033 isdirectory ? US"" : US": time since file read = ",
3034 isdirectory ? US"" : readconf_printtime(addr->more_errno));
3037 /* Handle a process failure while writing via a filter; the return
3038 from child_close() is in more_errno. */
3040 else if (errno == ERRNO_FILTER_FAIL)
3043 addr->message = string_sprintf("transport filter process failed (%d) "
3044 "while writing to %s%s", addr->more_errno, dataname,
3045 (addr->more_errno == EX_EXECFAILED) ? ": unable to execute command" : "");
3048 /* Handle failure to expand header changes */
3050 else if (errno == ERRNO_CHHEADER_FAIL)
3054 string_sprintf("failed to expand headers_add or headers_remove while "
3055 "writing to %s: %s", dataname, expand_string_message);
3058 /* Handle failure to complete writing of a data block */
3060 else if (errno == ERRNO_WRITEINCOMPLETE)
3061 addr->message = string_sprintf("failed to write data block while "
3062 "writing to %s", dataname);
3064 /* Handle length mismatch on MBX copying */
3067 else if (errno == ERRNO_MBXLENGTH)
3068 addr->message = string_sprintf("length mismatch while copying MBX "
3069 "temporary file to %s", dataname);
3070 #endif /* SUPPORT_MBX */
3072 /* For other errors, a general-purpose explanation, if the message is
3075 else if (addr->message == NULL)
3076 addr->message = string_sprintf("error while writing to %s", dataname);
3078 /* For a file, reset the file size to what it was before we started, leaving
3079 the last modification time unchanged, so it will get reset also. All systems
3080 investigated so far have ftruncate(), whereas not all have the F_FREESP
3081 fcntl() call (BSDI & FreeBSD do not). */
3083 if (!isdirectory && ftruncate(fd, saved_size))
3084 DEBUG(D_transport) debug_printf("Error resetting file size\n");
3087 /* Handle successful writing - we want the modification time to be now for
3088 appended files. Remove the default backstop error number. For a directory, now
3089 is the time to rename the file with a unique name. As soon as such a name
3090 appears it may get used by another process, so we close the file first and
3091 check that all is well. */
3095 times.modtime = time(NULL);
3096 addr->basic_errno = 0;
3098 /* Handle the case of writing to a new file in a directory. This applies
3099 to all single-file formats - maildir, mailstore, and "smail format". */
3103 if (fstat(fd, &statbuf) < 0)
3105 addr->basic_errno = errno;
3106 addr->message = string_sprintf("while fstatting opened message file %s",
3111 else if (close(fd) < 0)
3113 addr->basic_errno = errno;
3114 addr->message = string_sprintf("close() error for %s",
3115 (ob->mailstore_format) ? dataname : filename);
3119 /* File is successfully written and closed. Arrange to rename it. For the
3120 different kinds of single-file delivery, some games can be played with the
3121 name. The message size is by this time set to the accurate value so that
3122 its value can be used in expansions. */
3126 uschar *renamename = newname;
3129 DEBUG(D_transport) debug_printf("renaming temporary file\n");
3131 /* If there is no rename name set, we are in a non-maildir, non-mailstore
3132 situation. The name is built by expanding the directory_file option, and
3133 we make the inode number available for use in this. The expansion was
3134 checked for syntactic validity above, before we wrote the file.
3136 We have to be careful here, in case the file name exists. (In the other
3137 cases, the names used are constructed to be unique.) The rename()
3138 function just replaces an existing file - we don't want that! So instead
3139 of calling rename(), we must use link() and unlink().
3141 In this case, if the link fails because of an existing file, we wait
3142 for one second and try the expansion again, to see if it produces a
3143 different value. Do this up to 5 times unless the name stops changing.
3144 This makes it possible to build values that are based on the time, and
3145 still cope with races from multiple simultaneous deliveries. */
3150 uschar *old_renameleaf = US"";
3152 for (int i = 0; ; sleep(1), i++)
3154 deliver_inode = statbuf.st_ino;
3155 renameleaf = expand_string(ob->dirfilename);
3160 addr->transport_return = PANIC;
3161 addr->message = string_sprintf("Expansion of \"%s\" "
3162 "(directory_file for %s transport) failed: %s",
3163 ob->dirfilename, tblock->name, expand_string_message);
3167 renamename = string_sprintf("%s/%s", path, renameleaf);
3168 if (Ulink(filename, renamename) < 0)
3170 DEBUG(D_transport) debug_printf("link failed: %s\n",
3172 if (errno != EEXIST || i >= 4 ||
3173 Ustrcmp(renameleaf, old_renameleaf) == 0)
3175 addr->basic_errno = errno;
3176 addr->message = string_sprintf("while renaming %s as %s",
3177 filename, renamename);
3181 old_renameleaf = renameleaf;
3182 DEBUG(D_transport) debug_printf("%s exists - trying again\n",
3191 } /* re-expand loop */
3192 } /* not mailstore or maildir */
3194 /* For maildir and mailstore formats, the new name was created earlier,
3195 except that for maildir, there is the possibility of adding a "tag" on
3196 the end of the name by expanding the value of nametag. This usually
3197 includes a reference to the message size. The expansion of nametag was
3198 checked above, before the file was opened. It either succeeded, or
3199 provoked a soft failure. So any failure here can be treated as soft.
3200 Ignore non-printing characters and / and put a colon at the start if the
3201 first character is alphanumeric. */
3207 uschar *iptr = expand_string(nametag);
3210 uschar *etag = store_get(Ustrlen(iptr) + 2, is_tainted(iptr));
3211 uschar *optr = etag;
3212 for ( ; *iptr; iptr++)
3213 if (mac_isgraph(*iptr) && *iptr != '/')
3215 if (optr == etag && isalnum(*iptr)) *optr++ = ':';
3219 renamename = string_sprintf("%s%s", newname, etag);
3223 /* Do the rename. If the name is too long and a tag exists, try again
3226 if (Urename(filename, renamename) < 0 &&
3227 (nametag == NULL || errno != ENAMETOOLONG ||
3228 (renamename = newname, Urename(filename, renamename) < 0)))
3230 addr->basic_errno = errno;
3231 addr->message = string_sprintf("while renaming %s as %s",
3232 filename, renamename);
3236 /* Rename succeeded */
3240 DEBUG(D_transport) debug_printf("renamed %s as %s\n", filename,
3242 filename = dataname = NULL; /* Prevents attempt to unlink at end */
3244 } /* maildir or mailstore */
3245 } /* successful write + close */
3247 } /* write success */
3250 /* For a file, restore the last access time (atime), and set the modification
3251 time as required - changed if write succeeded, unchanged if not. */
3253 if (!isdirectory) utime(CS filename, ×);
3255 /* Notify comsat if configured to do so. It only makes sense if the configured
3256 file is the one that the comsat daemon knows about. */
3258 if (ob->notify_comsat && yield == OK && deliver_localpart)
3259 notify_comsat(deliver_localpart, saved_size);
3261 /* Pass back the final return code in the address structure */
3264 debug_printf("appendfile yields %d with errno=%d more_errno=%d\n",
3265 yield, addr->basic_errno, addr->more_errno);
3267 addr->transport_return = yield;
3269 /* Close the file, which will release the fcntl lock. For a directory write it
3270 is closed above, except in cases of error which goto RETURN, when we also need
3271 to remove the original file(s). For MBX locking, if all has gone well, before
3272 closing the file, see if we can get an exclusive lock on it, in which case we
3273 can unlink the /tmp lock file before closing it. This is always a non-blocking
3274 lock; there's no need to wait if we can't get it. If everything has gone right
3275 but close fails, defer the message. Then unlink the lock file, if present. This
3276 point in the code is jumped to from a number of places when errors are
3277 detected, in order to get the file closed and the lock file tidied away. */
3282 if (mbx_lockfd >= 0)
3284 if (yield == OK && apply_lock(fd, F_WRLCK, ob->use_fcntl, 0,
3285 ob->use_flock, 0) >= 0)
3288 debug_printf("unlinking MBX lock file %s\n", mbx_lockname);
3289 Uunlink(mbx_lockname);
3291 (void)close(mbx_lockfd);
3293 #endif /* SUPPORT_MBX */
3295 if (fd >= 0 && close(fd) < 0 && yield == OK)
3297 addr->basic_errno = errno;
3298 addr->message = string_sprintf("while closing %s", filename);
3299 addr->transport_return = DEFER;
3302 if (hd >= 0) Uunlink(lockname);
3304 /* We get here with isdirectory and filename set only in error situations. */
3306 if (isdirectory && filename)
3309 if (dataname != filename) Uunlink(dataname);
3312 /* If wait_for_tick is TRUE, we have done a delivery where the uniqueness of a
3313 file name relies on time + pid. We must not allow the process to finish until
3314 the clock has move on by at least one microsecond. Usually we expect this
3315 already to be the case, but machines keep getting faster... */
3317 if (wait_for_tick) exim_wait_tick(&msg_tv, 1);
3319 /* A return of FALSE means that if there was an error, a common error was
3320 put in the first address of a batch. */
3325 addr->transport_return = PANIC;
3329 #endif /*!MACRO_PREDEF*/
3330 /* End of transport/appendfile.c */