1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Functions for writing log files. The code for maintaining datestamped
10 log files was originally contributed by Tony Sheen. */
15 #define LOG_NAME_SIZE 256
16 #define MAX_SYSLOG_LEN 870
18 #define LOG_MODE_FILE 1
19 #define LOG_MODE_SYSLOG 2
21 enum { lt_main, lt_reject, lt_panic, lt_debug };
23 static uschar *log_names[] = { US"main", US"reject", US"panic", US"debug" };
27 /*************************************************
28 * Local static variables *
29 *************************************************/
31 static uschar mainlog_name[LOG_NAME_SIZE];
32 static uschar rejectlog_name[LOG_NAME_SIZE];
33 static uschar debuglog_name[LOG_NAME_SIZE];
35 static uschar *mainlog_datestamp = NULL;
36 static uschar *rejectlog_datestamp = NULL;
38 static int mainlogfd = -1;
39 static int rejectlogfd = -1;
40 static ino_t mainlog_inode = 0;
41 static ino_t rejectlog_inode = 0;
43 static uschar *panic_save_buffer = NULL;
44 static BOOL panic_recurseflag = FALSE;
46 static BOOL syslog_open = FALSE;
47 static BOOL path_inspected = FALSE;
48 static int logging_mode = LOG_MODE_FILE;
49 static uschar *file_path = US"";
51 static size_t pid_position[2];
54 /* These should be kept in-step with the private delivery error
55 number definitions in macros.h */
57 static const uschar * exim_errstrings[] = {
80 US"Exim-imposed quota",
82 US"Delivery filter process failure",
83 US"Delivery add/remove header failure",
84 US"Delivery write incomplete error",
85 US"Some expansion failed",
86 US"Failed to get gid",
87 US"Failed to get uid",
88 US"Unset or non-existent transport",
89 US"MBX length mismatch",
90 US"Lookup failed routing or in smtp tpt",
91 US"Can't match format in appendfile",
92 US"Creation outside home in appendfile",
93 US"Can't check a list; lookup defer",
95 US"Failed to start TLS session",
96 US"Mandatory TLS session not started",
97 US"Failed to chown a file",
98 US"Failed to create a pipe",
100 US"When required by client",
101 US"Used internally in smtp transport",
102 US"RCPT gave 4xx error",
103 US"MAIL gave 4xx error",
104 US"DATA gave 4xx error",
105 US"Negotiation failed for proxy configured host",
106 US"Authenticator 'other' failure",
107 US"target not supporting SMTPUTF8",
109 US"tainted filename",
111 US"Not time for routing",
112 US"Not time for local delivery",
113 US"Not time for any remote host",
114 US"Local-only delivery",
115 US"Domain in queue_domains",
116 US"Transport concurrency limit",
117 US"Event requests alternate response",
121 /************************************************/
125 return err < 0 ? exim_errstrings[-err] : CUS strerror(err);
128 /*************************************************
130 *************************************************/
132 /* The given string is split into sections according to length, or at embedded
133 newlines, and syslogged as a numbered sequence if it is overlong or if there is
134 more than one line. However, if we are running in the test harness, do not do
135 anything. (The test harness doesn't use syslog - for obvious reasons - but we
136 can get here if there is a failure to open the panic log.)
139 priority syslog priority
140 s the string to be written
146 write_syslog(int priority, const uschar *s)
151 if (!syslog_pid && LOGGING(pid))
152 s = string_sprintf("%.*s%s", (int)pid_position[0], s, s + pid_position[1]);
153 if (!syslog_timestamp)
155 len = log_timezone ? 26 : 20;
156 if (LOGGING(millisec)) len += 4;
163 if (!syslog_open && !f.running_in_test_harness)
165 # ifdef SYSLOG_LOG_PID
166 openlog(CS syslog_processname, LOG_PID|LOG_CONS, syslog_facility);
168 openlog(CS syslog_processname, LOG_CONS, syslog_facility);
174 /* First do a scan through the message in order to determine how many lines
175 it is going to end up as. Then rescan to output it. */
177 for (int pass = 0; pass < 2; pass++)
179 const uschar * ss = s;
180 for (int i = 1, tlen = len; tlen > 0; i++)
183 uschar *nlptr = Ustrchr(ss, '\n');
184 if (nlptr != NULL) plen = nlptr - ss;
185 #ifndef SYSLOG_LONG_LINES
186 if (plen > MAX_SYSLOG_LEN) plen = MAX_SYSLOG_LEN;
189 if (ss[plen] == '\n') tlen--; /* chars left */
193 else if (f.running_in_test_harness)
195 fprintf(stderr, "SYSLOG: '%.*s'\n", plen, ss);
197 fprintf(stderr, "SYSLOG: '[%d%c%d] %.*s'\n", i,
198 ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
199 linecount, plen, ss);
202 syslog(priority, "%.*s", plen, ss);
204 syslog(priority, "[%d%c%d] %.*s", i,
205 ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
206 linecount, plen, ss);
209 if (*ss == '\n') ss++;
216 /*************************************************
218 *************************************************/
220 /* This is called when Exim is dying as a result of something going wrong in
221 the logging, or after a log call with LOG_PANIC_DIE set. Optionally write a
222 message to debug_file or a stderr file, if they exist. Then, if in the middle
223 of accepting a message, throw it away tidily by calling receive_bomb_out();
224 this will attempt to send an SMTP response if appropriate. Passing NULL as the
225 first argument stops it trying to run the NOTQUIT ACL (which might try further
226 logging and thus cause problems). Otherwise, try to close down an outstanding
230 s1 Error message to write to debug_file and/or stderr and syslog
231 s2 Error message for any SMTP call that is in progress
232 Returns: The function does not return
236 die(uschar *s1, uschar *s2)
240 write_syslog(LOG_CRIT, s1);
241 if (debug_file) debug_printf("%s\n", s1);
242 if (log_stderr && log_stderr != debug_file)
243 fprintf(log_stderr, "%s\n", s1);
245 if (f.receive_call_bombout) receive_bomb_out(NULL, s2); /* does not return */
246 if (smtp_input) smtp_closedown(s2);
247 exim_exit(EXIT_FAILURE);
252 /*************************************************
253 * Create a log file *
254 *************************************************/
256 /* This function is called to create and open a log file. It may be called in a
257 subprocess when the original process is root.
262 The file name has been build in a working buffer, so it is permissible to
263 overwrite it temporarily if it is necessary to create the directory.
265 Returns: a file descriptor, or < 0 on failure (errno set)
269 log_create(uschar *name)
275 O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
277 /* If creation failed, attempt to build a log directory in case that is the
280 if (fd < 0 && errno == ENOENT)
283 uschar *lastslash = Ustrrchr(name, '/');
285 created = directory_make(NULL, name, LOG_DIRECTORY_MODE, FALSE);
286 DEBUG(D_any) debug_printf("%s log directory %s\n",
287 created ? "created" : "failed to create", name);
289 if (created) fd = Uopen(name,
293 O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
301 /*************************************************
302 * Create a log file as the exim user *
303 *************************************************/
305 /* This function is called when we are root to spawn an exim:exim subprocess
306 in which we can create a log file. It must be signal-safe since it is called
307 by the usr1_handler().
312 Returns: a file descriptor, or < 0 on failure (errno set)
316 log_create_as_exim(uschar *name)
318 pid_t pid = exim_fork(US"logfile-create");
322 /* In the subprocess, change uid/gid and do the creation. Return 0 from the
323 subprocess on success. If we don't check for setuid failures, then the file
324 can be created as root, so vulnerabilities which cause setuid to fail mean
325 that the Exim user can use symlinks to cause a file to be opened/created as
326 root. We always open for append, so can't nuke existing content but it would
327 still be Rather Bad. */
331 if (setgid(exim_gid) < 0)
332 die(US"exim: setgid for log-file creation failed, aborting",
333 US"Unexpected log failure, please try later");
334 if (setuid(exim_uid) < 0)
335 die(US"exim: setuid for log-file creation failed, aborting",
336 US"Unexpected log failure, please try later");
337 _exit((log_create(name) < 0)? 1 : 0);
340 /* If we created a subprocess, wait for it. If it succeeded, try the open. */
342 while (pid > 0 && waitpid(pid, &status, 0) != pid);
343 if (status == 0) fd = Uopen(name,
347 O_APPEND|O_WRONLY, LOG_MODE);
349 /* If we failed to create a subprocess, we are in a bad way. We return
350 with fd still < 0, and errno set, letting the caller handle the error. */
358 /*************************************************
360 *************************************************/
362 /* This function opens one of a number of logs, creating the log directory if
363 it does not exist. This may be called recursively on failure, in order to open
366 The directory is in the static variable file_path. This is static so that it
367 the work of sorting out the path is done just once per Exim process.
369 Exim is normally configured to avoid running as root wherever possible, the log
370 files must be owned by the non-privileged exim user. To ensure this, first try
371 an open without O_CREAT - most of the time this will succeed. If it fails, try
372 to create the file; if running as root, this must be done in a subprocess to
376 fd where to return the resulting file descriptor
377 type lt_main, lt_reject, lt_panic, or lt_debug
378 tag optional tag to include in the name (only hooked up for debug)
384 open_log(int *fd, int type, uschar *tag)
388 uschar buffer[LOG_NAME_SIZE];
390 /* The names of the log files are controlled by file_path. The panic log is
391 written to the same directory as the main and reject logs, but its name does
392 not have a datestamp. The use of datestamps is indicated by %D/%M in file_path.
393 When opening the panic log, if %D or %M is present, we remove the datestamp
394 from the generated name; if it is at the start, remove a following
395 non-alphanumeric character as well; otherwise, remove a preceding
396 non-alphanumeric character. This is definitely kludgy, but it sort of does what
397 people want, I hope. */
399 ok = string_format(buffer, sizeof(buffer), CS file_path, log_names[type]);
404 /* Save the name of the mainlog for rollover processing. Without a datestamp,
405 it gets statted to see if it has been cycled. With a datestamp, the datestamp
406 will be compared. The static slot for saving it is the same size as buffer,
407 and the text has been checked above to fit, so this use of strcpy() is OK. */
408 Ustrcpy(mainlog_name, buffer);
409 if (string_datestamp_offset > 0)
410 mainlog_datestamp = mainlog_name + string_datestamp_offset;
412 /* Ditto for the reject log */
413 Ustrcpy(rejectlog_name, buffer);
414 if (string_datestamp_offset > 0)
415 rejectlog_datestamp = rejectlog_name + string_datestamp_offset;
417 /* and deal with the debug log (which keeps the datestamp, but does not
419 Ustrcpy(debuglog_name, buffer);
422 /* this won't change the offset of the datestamp */
423 ok2 = string_format(buffer, sizeof(buffer), "%s%s",
426 Ustrcpy(debuglog_name, buffer);
429 /* Remove any datestamp if this is the panic log. This is rare, so there's no
430 need to optimize getting the datestamp length. We remove one non-alphanumeric
431 char afterwards if at the start, otherwise one before. */
432 if (string_datestamp_offset >= 0)
434 uschar * from = buffer + string_datestamp_offset;
435 uschar * to = from + string_datestamp_length;
437 if (from == buffer || from[-1] == '/')
439 if (!isalnum(*to)) to++;
442 if (!isalnum(from[-1])) from--;
444 /* This copy is ok, because we know that to is a substring of from. But
445 due to overlap we must use memmove() not Ustrcpy(). */
446 memmove(from, to, Ustrlen(to)+1);
450 /* If the file name is too long, it is an unrecoverable disaster */
453 die(US"exim: log file path too long: aborting",
454 US"Logging failure; please try later");
456 /* We now have the file name. Try to open an existing file. After a successful
457 open, arrange for automatic closure on exec(), and then return. */
463 O_APPEND|O_WRONLY, LOG_MODE);
468 (void)fcntl(*fd, F_SETFD, fcntl(*fd, F_GETFD) | FD_CLOEXEC);
473 /* Open was not successful: try creating the file. If this is a root process,
474 we must do the creating in a subprocess set to exim:exim in order to ensure
475 that the file is created with the right ownership. Otherwise, there can be a
476 race if another Exim process is trying to write to the log at the same time.
477 The use of SIGUSR1 by the exiwhat utility can provoke a lot of simultaneous
482 /* If we are already running as the Exim user (even if that user is root),
483 we can go ahead and create in the current process. */
485 if (euid == exim_uid) *fd = log_create(buffer);
487 /* Otherwise, if we are root, do the creation in an exim:exim subprocess. If we
488 are neither exim nor root, creation is not attempted. */
490 else if (euid == root_uid) *fd = log_create_as_exim(buffer);
492 /* If we now have an open file, set the close-on-exec flag and return. */
497 (void)fcntl(*fd, F_SETFD, fcntl(*fd, F_GETFD) | FD_CLOEXEC);
502 /* Creation failed. There are some circumstances in which we get here when
503 the effective uid is not root or exim, which is the problem. (For example, a
504 non-setuid binary with log_arguments set, called in certain ways.) Rather than
505 just bombing out, force the log to stderr and carry on if stderr is available.
508 if (euid != root_uid && euid != exim_uid && log_stderr)
510 *fd = fileno(log_stderr);
514 /* Otherwise this is a disaster. This call is deliberately ONLY to the panic
515 log. If possible, save a copy of the original line that was being logged. If we
516 are recursing (can't open the panic log either), the pointer will already be
517 set. Also, when we had to use a subprocess for the create we didn't retrieve
518 errno from it, so get the error from the open attempt above (which is often
519 meaningful enough, so leave it). */
521 if (!panic_save_buffer)
522 if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
523 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
525 log_write(0, LOG_PANIC_DIE, "Cannot open %s log file \"%s\": %s: "
526 "euid=%d egid=%d", log_names[type], buffer, strerror(errno), euid, getegid());
534 if (type == lt_debug) unlink(CS debuglog_name);
539 /*************************************************
540 * Add configuration file info to log line *
541 *************************************************/
543 /* This is put in a function because it's needed twice (once for debugging,
547 ptr pointer to the end of the line we are building
550 Returns: updated pointer
554 log_config_info(gstring * g, int flags)
556 g = string_cat(g, US"Exim configuration error");
558 if (flags & (LOG_CONFIG_FOR & ~LOG_CONFIG))
559 return string_cat(g, US" for ");
561 if (flags & (LOG_CONFIG_IN & ~LOG_CONFIG))
562 g = string_fmt_append(g, " in line %d of %s", config_lineno, config_filename);
564 return string_catn(g, US":\n ", 4);
568 /*************************************************
569 * A write() operation failed *
570 *************************************************/
572 /* This function is called when write() fails on anything other than the panic
573 log, which can happen if a disk gets full or a file gets too large or whatever.
574 We try to save the relevant message in the panic_save buffer before crashing
577 The potential invoker should probably not call us for EINTR -1 writes. But
578 otherwise, short writes are bad as we don't do non-blocking writes to fds
579 subject to flow control. (If we do, that's new and the logic of this should
583 name the name of the log being written
584 length the string length being written
585 rc the return value from write()
587 Returns: does not return
591 log_write_failed(uschar *name, int length, int rc)
593 int save_errno = errno;
595 if (!panic_save_buffer)
596 if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
597 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
599 log_write(0, LOG_PANIC_DIE, "failed to write to %s: length=%d result=%d "
600 "errno=%d (%s)", name, length, rc, save_errno,
601 (save_errno == 0)? "write incomplete" : strerror(save_errno));
607 /*************************************************
608 * Write to an fd, retrying after signals *
609 *************************************************/
611 /* Basic write to fd for logs, handling EINTR.
614 fd the fd to write to
615 buf the string to write
616 length the string length being written
619 length actually written, persisting an errno from write()
622 write_to_fd_buf(int fd, const uschar *buf, size_t length)
625 size_t total_written = 0;
626 const uschar *p = buf;
627 size_t left = length;
631 wrote = write(fd, p, left);
632 if (wrote == (ssize_t)-1)
634 if (errno == EINTR) continue;
637 total_written += wrote;
646 return total_written;
654 int sep = ':'; /* Fixed separator - outside use */
656 const uschar *tt = US LOG_FILE_PATH;
657 while ((t = string_nextinlist(&tt, &sep, log_buffer, LOG_BUFFER_SIZE)))
659 if (Ustrcmp(t, "syslog") == 0 || t[0] == 0) continue;
660 file_path = string_copy(t);
669 if (mainlogfd < 0) return;
670 (void)close(mainlogfd);
675 /*************************************************
676 * Write message to log file *
677 *************************************************/
679 /* Exim can be configured to log to local files, or use syslog, or both. This
680 is controlled by the setting of log_file_path. The following cases are
683 log_file_path = "" write files in the spool/log directory
684 log_file_path = "xxx" write files in the xxx directory
685 log_file_path = "syslog" write to syslog
686 log_file_path = "syslog : xxx" write to syslog and to files (any order)
688 The message always gets '\n' added on the end of it, since more than one
689 process may be writing to the log at once and we don't want intermingling to
690 happen in the middle of lines. To be absolutely sure of this we write the data
691 into a private buffer and then put it out in a single write() call.
693 The flags determine which log(s) the message is written to, or for syslogging,
694 which priority to use, and in the case of the panic log, whether the process
695 should die afterwards.
697 The variable really_exim is TRUE only when exim is running in privileged state
698 (i.e. not with a changed configuration or with testing options such as -brw).
699 If it is not, don't try to write to the log because permission will probably be
702 Avoid actually writing to the logs when exim is called with -bv or -bt to
703 test an address, but take other actions, such as panicking.
705 In Exim proper, the buffer for building the message is got at start-up, so that
706 nothing gets done if it can't be got. However, some functions that are also
707 used in utilities occasionally obey log_write calls in error situations, and it
708 is simplest to put a single malloc() here rather than put one in each utility.
709 Malloc is used directly because the store functions may call log_write().
711 If a message_id exists, we include it after the timestamp.
714 selector write to main log or LOG_INFO only if this value is zero, or if
715 its bit is set in log_selector[0]
716 flags each bit indicates some independent action:
717 LOG_SENDER add raw sender to the message
718 LOG_RECIPIENTS add raw recipients list to message
719 LOG_CONFIG add "Exim configuration error"
720 LOG_CONFIG_FOR add " for " instead of ":\n "
721 LOG_CONFIG_IN add " in line x[ of file y]"
722 LOG_MAIN write to main log or syslog LOG_INFO
723 LOG_REJECT write to reject log or syslog LOG_NOTICE
724 LOG_PANIC write to panic log or syslog LOG_ALERT
725 LOG_PANIC_DIE write to panic log or LOG_ALERT and then crash
726 format a printf() format
727 ... arguments for format
733 log_write(unsigned int selector, int flags, const char *format, ...)
737 gstring gs = { .size = LOG_BUFFER_SIZE-1, .ptr = 0, .s = log_buffer };
741 /* If panic_recurseflag is set, we have failed to open the panic log. This is
742 the ultimate disaster. First try to write the message to a debug file and/or
743 stderr and also to syslog. If panic_save_buffer is not NULL, it contains the
744 original log line that caused the problem. Afterwards, expire. */
746 if (panic_recurseflag)
748 uschar *extra = panic_save_buffer ? panic_save_buffer : US"";
749 if (debug_file) debug_printf("%s%s", extra, log_buffer);
750 if (log_stderr && log_stderr != debug_file)
751 fprintf(log_stderr, "%s%s", extra, log_buffer);
752 if (*extra) write_syslog(LOG_CRIT, extra);
753 write_syslog(LOG_CRIT, log_buffer);
754 die(US"exim: could not open panic log - aborting: see message(s) above",
755 US"Unexpected log failure, please try later");
758 /* Ensure we have a buffer (see comment above); this should never be obeyed
759 when running Exim proper, only when running utilities. */
762 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
764 fprintf(stderr, "exim: failed to get store for log buffer\n");
765 exim_exit(EXIT_FAILURE);
768 /* If we haven't already done so, inspect the setting of log_file_path to
769 determine whether to log to files and/or to syslog. Bits in logging_mode
770 control this, and for file logging, the path must end up in file_path. This
771 variable must be in permanent store because it may be required again later in
776 BOOL multiple = FALSE;
777 int old_pool = store_pool;
779 store_pool = POOL_PERM;
781 /* If nothing has been set, don't waste effort... the default values for the
782 statics are file_path="" and logging_mode = LOG_MODE_FILE. */
786 int sep = ':'; /* Fixed separator - outside use */
788 const uschar *ss = log_file_path;
791 while ((s = string_nextinlist(&ss, &sep, log_buffer, LOG_BUFFER_SIZE)))
793 if (Ustrcmp(s, "syslog") == 0)
794 logging_mode |= LOG_MODE_SYSLOG;
795 else if (logging_mode & LOG_MODE_FILE)
799 logging_mode |= LOG_MODE_FILE;
801 /* If a non-empty path is given, use it */
804 file_path = string_copy(s);
806 /* If the path is empty, we want to use the first non-empty, non-
807 syslog item in LOG_FILE_PATH, if there is one, since the value of
808 log_file_path may have been set at runtime. If there is no such item,
809 use the ultimate default in the spool directory. */
812 set_file_path(); /* Empty item in log_file_path */
813 } /* First non-syslog item in log_file_path */
814 } /* Scan of log_file_path */
817 /* If no modes have been selected, it is a major disaster */
819 if (logging_mode == 0)
820 die(US"Neither syslog nor file logging set in log_file_path",
821 US"Unexpected logging failure");
823 /* Set up the ultimate default if necessary. Then revert to the old store
824 pool, and record that we've sorted out the path. */
826 if (logging_mode & LOG_MODE_FILE && !file_path[0])
827 file_path = string_sprintf("%s/log/%%slog", spool_directory);
828 store_pool = old_pool;
829 path_inspected = TRUE;
831 /* If more than one file path was given, log a complaint. This recursive call
832 should work since we have now set up the routing. */
835 log_write(0, LOG_MAIN|LOG_PANIC,
836 "More than one path given in log_file_path: using %s", file_path);
839 /* If debugging, show all log entries, but don't show headers. Do it all
840 in one go so that it doesn't get split when multi-processing. */
846 g = string_catn(&gs, US"LOG:", 4);
848 /* Show the selector that was passed into the call. */
850 for (i = 0; i < log_options_count; i++)
852 unsigned int bitnum = log_options[i].bit;
853 if (bitnum < BITWORDSIZE && selector == BIT(bitnum))
854 g = string_fmt_append(g, " %s", log_options[i].name);
857 g = string_fmt_append(g, "%s%s%s%s\n ",
858 flags & LOG_MAIN ? " MAIN" : "",
859 flags & LOG_PANIC ? " PANIC" : "",
860 (flags & LOG_PANIC_DIE) == LOG_PANIC_DIE ? " DIE" : "",
861 flags & LOG_REJECT ? " REJECT" : "");
863 if (flags & LOG_CONFIG) g = log_config_info(g, flags);
865 /* We want to be able to log tainted info, but log_buffer is directly
866 malloc'd. So use deliberately taint-nonchecking routines to build into
867 it, trusting that we will never expand the results. */
869 va_start(ap, format);
871 if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap))
874 g = string_cat(g, US"**** log string overflowed log buffer ****");
878 g->size = LOG_BUFFER_SIZE;
879 g = string_catn(g, US"\n", 1);
880 debug_printf("%s", string_from_gstring(g));
882 gs.size = LOG_BUFFER_SIZE-1; /* Having used the buffer for debug output, */
883 gs.ptr = 0; /* reset it for the real use. */
886 /* If no log file is specified, we are in a mess. */
888 if (!(flags & (LOG_MAIN|LOG_PANIC|LOG_REJECT)))
889 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_write called with no log "
892 /* There are some weird circumstances in which logging is disabled. */
894 if (f.disable_logging)
896 DEBUG(D_any) debug_printf("log writing disabled\n");
900 /* Handle disabled reject log */
902 if (!write_rejectlog) flags &= ~LOG_REJECT;
904 /* Create the main message in the log buffer. Do not include the message id
905 when called by a utility. */
907 g = string_fmt_append(&gs, "%s ", tod_stamp(tod_log));
911 if (!syslog_pid) pid_position[0] = g->ptr; /* remember begin … */
912 g = string_fmt_append(g, "[%d] ", (int)getpid());
913 if (!syslog_pid) pid_position[1] = g->ptr; /* … and end+1 of the PID */
916 if (f.really_exim && message_id[0] != 0)
917 g = string_fmt_append(g, "%s ", message_id);
919 if (flags & LOG_CONFIG)
920 g = log_config_info(g, flags);
922 va_start(ap, format);
926 /* We want to be able to log tainted info, but log_buffer is directly
927 malloc'd. So use deliberately taint-nonchecking routines to build into
928 it, trusting that we will never expand the results. */
930 if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap))
933 g = string_cat(g, US"**** log string overflowed log buffer ****\n");
938 /* Add the raw, unrewritten, sender to the message if required. This is done
939 this way because it kind of fits with LOG_RECIPIENTS. */
941 if ( flags & LOG_SENDER
942 && g->ptr < LOG_BUFFER_SIZE - 10 - Ustrlen(raw_sender))
943 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " from <%s>", raw_sender);
945 /* Add list of recipients to the message if required; the raw list,
946 before rewriting, was saved in raw_recipients. There may be none, if an ACL
947 discarded them all. */
949 if ( flags & LOG_RECIPIENTS
950 && g->ptr < LOG_BUFFER_SIZE - 6
951 && raw_recipients_count > 0)
954 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " for", NULL);
955 for (i = 0; i < raw_recipients_count; i++)
957 uschar * s = raw_recipients[i];
958 if (LOG_BUFFER_SIZE - g->ptr < Ustrlen(s) + 3) break;
959 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " %s", s);
963 g = string_catn(g, US"\n", 1);
964 string_from_gstring(g);
966 /* Handle loggable errors when running a utility, or when address testing.
967 Write to log_stderr unless debugging (when it will already have been written),
968 or unless there is no log_stderr (expn called from daemon, for example). */
970 if (!f.really_exim || f.log_testing_mode)
974 && (selector == 0 || (selector & log_selector[0]) != 0)
977 fprintf(log_stderr, "LOG: %s", CS(log_buffer + 20)); /* no timestamp */
979 fprintf(log_stderr, "%s", CS log_buffer);
981 if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE);
985 /* Handle the main log. We know that either syslog or file logging (or both) is
986 set up. A real file gets left open during reception or delivery once it has
987 been opened, but we don't want to keep on writing to it for too long after it
988 has been renamed. Therefore, do a stat() and see if the inode has changed, and
991 if ( flags & LOG_MAIN
992 && (!selector || selector & log_selector[0]))
994 if ( logging_mode & LOG_MODE_SYSLOG
995 && (syslog_duplication || !(flags & (LOG_REJECT|LOG_PANIC))))
996 write_syslog(LOG_INFO, log_buffer);
998 if (logging_mode & LOG_MODE_FILE)
1000 struct stat statbuf;
1002 /* Check for a change to the mainlog file name when datestamping is in
1003 operation. This happens at midnight, at which point we want to roll over
1004 the file. Closing it has the desired effect. */
1006 if (mainlog_datestamp)
1008 uschar *nowstamp = tod_stamp(string_datestamp_type);
1009 if (Ustrncmp (mainlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1011 (void)close(mainlogfd); /* Close the file */
1012 mainlogfd = -1; /* Clear the file descriptor */
1013 mainlog_inode = 0; /* Unset the inode */
1014 mainlog_datestamp = NULL; /* Clear the datestamp */
1018 /* Otherwise, we want to check whether the file has been renamed by a
1019 cycling script. This could be "if else", but for safety's sake, leave it as
1020 "if" so that renaming the log starts a new file even when datestamping is
1024 if (Ustat(mainlog_name, &statbuf) < 0 || statbuf.st_ino != mainlog_inode)
1027 /* If the log is closed, open it. Then write the line. */
1031 open_log(&mainlogfd, lt_main, NULL); /* No return on error */
1032 if (fstat(mainlogfd, &statbuf) >= 0) mainlog_inode = statbuf.st_ino;
1035 /* Failing to write to the log is disastrous */
1037 written_len = write_to_fd_buf(mainlogfd, g->s, g->ptr);
1038 if (written_len != g->ptr)
1040 log_write_failed(US"main log", g->ptr, written_len);
1041 /* That function does not return */
1046 /* Handle the log for rejected messages. This can be globally disabled, in
1047 which case the flags are altered above. If there are any header lines (i.e. if
1048 the rejection is happening after the DATA phase), log the recipients and the
1051 if (flags & LOG_REJECT)
1053 if (header_list && LOGGING(rejected_header))
1058 if (recipients_count > 0)
1060 /* List the sender */
1062 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1063 "Envelope-from: <%s>\n", sender_address);
1066 /* List up to 5 recipients */
1068 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1069 "Envelope-to: <%s>\n", recipients_list[0].address);
1072 for (i = 1; i < recipients_count && i < 5; i++)
1074 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1075 " <%s>\n", recipients_list[i].address);
1079 if (i < recipients_count)
1081 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " ...\n", NULL);
1086 /* A header with a NULL text is an unfilled in Received: header */
1088 for (header_line * h = header_list; h; h = h->next) if (h->text)
1090 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1091 "%c %s", h->type, h->text);
1094 else /* Buffer is full; truncate */
1096 g->ptr -= 100; /* For message and separator */
1097 if (g->s[g->ptr-1] == '\n') g->ptr--;
1098 g = string_cat(g, US"\n*** truncated ***\n");
1104 /* Write to syslog or to a log file */
1106 if ( logging_mode & LOG_MODE_SYSLOG
1107 && (syslog_duplication || !(flags & LOG_PANIC)))
1108 write_syslog(LOG_NOTICE, string_from_gstring(g));
1110 /* Check for a change to the rejectlog file name when datestamping is in
1111 operation. This happens at midnight, at which point we want to roll over
1112 the file. Closing it has the desired effect. */
1114 if (logging_mode & LOG_MODE_FILE)
1116 struct stat statbuf;
1118 if (rejectlog_datestamp)
1120 uschar *nowstamp = tod_stamp(string_datestamp_type);
1121 if (Ustrncmp (rejectlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1123 (void)close(rejectlogfd); /* Close the file */
1124 rejectlogfd = -1; /* Clear the file descriptor */
1125 rejectlog_inode = 0; /* Unset the inode */
1126 rejectlog_datestamp = NULL; /* Clear the datestamp */
1130 /* Otherwise, we want to check whether the file has been renamed by a
1131 cycling script. This could be "if else", but for safety's sake, leave it as
1132 "if" so that renaming the log starts a new file even when datestamping is
1135 if (rejectlogfd >= 0)
1136 if (Ustat(rejectlog_name, &statbuf) < 0 ||
1137 statbuf.st_ino != rejectlog_inode)
1139 (void)close(rejectlogfd);
1141 rejectlog_inode = 0;
1144 /* Open the file if necessary, and write the data */
1146 if (rejectlogfd < 0)
1148 open_log(&rejectlogfd, lt_reject, NULL); /* No return on error */
1149 if (fstat(rejectlogfd, &statbuf) >= 0) rejectlog_inode = statbuf.st_ino;
1152 written_len = write_to_fd_buf(rejectlogfd, g->s, g->ptr);
1153 if (written_len != g->ptr)
1155 log_write_failed(US"reject log", g->ptr, written_len);
1156 /* That function does not return */
1162 /* Handle the panic log, which is not kept open like the others. If it fails to
1163 open, there will be a recursive call to log_write(). We detect this above and
1164 attempt to write to the system log as a last-ditch try at telling somebody. In
1165 all cases except mua_wrapper, try to write to log_stderr. */
1167 if (flags & LOG_PANIC)
1169 if (log_stderr && log_stderr != debug_file && !mua_wrapper)
1170 fprintf(log_stderr, "%s", CS string_from_gstring(g));
1172 if (logging_mode & LOG_MODE_SYSLOG)
1173 write_syslog(LOG_ALERT, log_buffer);
1175 /* If this panic logging was caused by a failure to open the main log,
1176 the original log line is in panic_save_buffer. Make an attempt to write it. */
1178 if (logging_mode & LOG_MODE_FILE)
1180 panic_recurseflag = TRUE;
1181 open_log(&paniclogfd, lt_panic, NULL); /* Won't return on failure */
1182 panic_recurseflag = FALSE;
1184 if (panic_save_buffer)
1185 (void) write(paniclogfd, panic_save_buffer, Ustrlen(panic_save_buffer));
1187 written_len = write_to_fd_buf(paniclogfd, g->s, g->ptr);
1188 if (written_len != g->ptr)
1190 int save_errno = errno;
1191 write_syslog(LOG_CRIT, log_buffer);
1192 sprintf(CS log_buffer, "write failed on panic log: length=%d result=%d "
1193 "errno=%d (%s)", g->ptr, (int)written_len, save_errno, strerror(save_errno));
1194 write_syslog(LOG_CRIT, string_from_gstring(g));
1195 flags |= LOG_PANIC_DIE;
1198 (void)close(paniclogfd);
1201 /* Give up if the DIE flag is set */
1203 if ((flags & LOG_PANIC_DIE) != LOG_PANIC)
1204 die(NULL, US"Unexpected failure, please try later");
1210 /*************************************************
1211 * Close any open log files *
1212 *************************************************/
1218 { (void)close(mainlogfd); mainlogfd = -1; }
1219 if (rejectlogfd >= 0)
1220 { (void)close(rejectlogfd); rejectlogfd = -1; }
1222 syslog_open = FALSE;
1227 /*************************************************
1228 * Multi-bit set or clear *
1229 *************************************************/
1231 /* These functions take a list of bit indexes (terminated by -1) and
1232 clear or set the corresponding bits in the selector.
1235 selector address of the bit string
1236 selsize number of words in the bit string
1237 bits list of bits to set
1241 bits_clear(unsigned int *selector, size_t selsize, int *bits)
1243 for(; *bits != -1; ++bits)
1244 BIT_CLEAR(selector, selsize, *bits);
1248 bits_set(unsigned int *selector, size_t selsize, int *bits)
1250 for(; *bits != -1; ++bits)
1251 BIT_SET(selector, selsize, *bits);
1256 /*************************************************
1257 * Decode bit settings for log/debug *
1258 *************************************************/
1260 /* This function decodes a string containing bit settings in the form of +name
1261 and/or -name sequences, and sets/unsets bits in a bit string accordingly. It
1262 also recognizes a numeric setting of the form =<number>, but this is not
1263 intended for user use. It's an easy way for Exim to pass the debug settings
1264 when it is re-exec'ed.
1266 The option table is a list of names and bit indexes. The index -1
1267 means "set all bits, except for those listed in notall". The notall
1268 list is terminated by -1.
1270 The action taken for bad values varies depending upon why we're here.
1271 For log messages, or if the debugging is triggered from config, then we write
1272 to the log on the way out. For debug setting triggered from the command-line,
1273 we treat it as an unknown option: error message to stderr and die.
1276 selector address of the bit string
1277 selsize number of words in the bit string
1278 notall list of bits to exclude from "all"
1279 string the configured string
1280 options the table of option names
1282 which "log" or "debug"
1283 flags DEBUG_FROM_CONFIG
1285 Returns: nothing on success - bomb out on failure
1289 decode_bits(unsigned int *selector, size_t selsize, int *notall,
1290 uschar *string, bit_table *options, int count, uschar *which, int flags)
1293 if (!string) return;
1297 char *end; /* Not uschar */
1298 memset(selector, 0, sizeof(*selector)*selsize);
1299 *selector = strtoul(CS string+1, &end, 0);
1301 errmsg = string_sprintf("malformed numeric %s_selector setting: %s", which,
1306 /* Handle symbolic setting */
1313 bit_table *start, *end;
1315 Uskip_whitespace(&string);
1316 if (!*string) return;
1318 if (*string != '+' && *string != '-')
1320 errmsg = string_sprintf("malformed %s_selector setting: "
1321 "+ or - expected but found \"%s\"", which, string);
1325 adding = *string++ == '+';
1327 while (isalnum(*string) || *string == '_') string++;
1331 end = options + count;
1335 bit_table *middle = start + (end - start)/2;
1336 int c = Ustrncmp(s, middle->name, len);
1338 if (middle->name[len] != 0) c = -1; else
1340 unsigned int bit = middle->bit;
1346 memset(selector, -1, sizeof(*selector)*selsize);
1347 bits_clear(selector, selsize, notall);
1350 memset(selector, 0, sizeof(*selector)*selsize);
1353 BIT_SET(selector, selsize, bit);
1355 BIT_CLEAR(selector, selsize, bit);
1357 break; /* Out of loop to match selector name */
1359 if (c < 0) end = middle; else start = middle + 1;
1360 } /* Loop to match selector name */
1364 errmsg = string_sprintf("unknown %s_selector setting: %c%.*s", which,
1365 adding? '+' : '-', len, s);
1368 } /* Loop for selector names */
1370 /* Handle disasters */
1373 if (Ustrcmp(which, "debug") == 0)
1375 if (flags & DEBUG_FROM_CONFIG)
1377 log_write(0, LOG_CONFIG|LOG_PANIC, "%s", errmsg);
1380 fprintf(stderr, "exim: %s\n", errmsg);
1383 else log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "%s", errmsg);
1388 /*************************************************
1389 * Activate a debug logfile (late) *
1390 *************************************************/
1392 /* Normally, debugging is activated from the command-line; it may be useful
1393 within the configuration to activate debugging later, based on certain
1394 conditions. If debugging is already in progress, we return early, no action
1395 taken (besides debug-logging that we wanted debug-logging).
1397 Failures in options are not fatal but will result in paniclog entries for the
1400 The first use of this is in ACL logic, "control = debug/tag=foo/opts=+expand"
1401 which can be combined with conditions, etc, to activate extra logging only
1402 for certain sources. The second use is inetd wait mode debug preservation. */
1405 debug_logging_activate(uschar *tag_name, uschar *opts)
1411 debug_printf("DEBUGGING ACTIVATED FROM WITHIN CONFIG.\n"
1412 "DEBUG: Tag=\"%s\" opts=\"%s\"\n", tag_name, opts ? opts : US"");
1416 if (tag_name != NULL && (Ustrchr(tag_name, '/') != NULL))
1418 log_write(0, LOG_MAIN|LOG_PANIC, "debug tag may not contain a '/' in: %s",
1423 debug_selector = D_default;
1425 decode_bits(&debug_selector, 1, debug_notall, opts,
1426 debug_options, debug_options_count, US"debug", DEBUG_FROM_CONFIG);
1428 /* When activating from a transport process we may never have logged at all
1429 resulting in certain setup not having been done. Hack this for now so we
1430 do not segfault; note that nondefault log locations will not work */
1432 if (!*file_path) set_file_path();
1434 open_log(&fd, lt_debug, tag_name);
1437 debug_file = fdopen(fd, "w");
1439 log_write(0, LOG_MAIN|LOG_PANIC, "unable to open debug log");
1444 debug_logging_stop(void)
1446 if (!debug_file || !debuglog_name[0]) return;
1451 unlink_log(lt_debug);