1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
8
9 /* Functions concerned with running Exim as a daemon */
10
11
12 #include "exim.h"
13
14
15 /* Structure for holding data for each SMTP connection */
16
17 typedef struct smtp_slot {
18 pid_t pid; /* pid of the spawned reception process */
19 uschar *host_address; /* address of the client host */
20 } smtp_slot;
21
22 /* An empty slot for initializing (Standard C does not allow constructor
23 expressions in assignments except as initializers in declarations). */
24
25 static smtp_slot empty_smtp_slot = { .pid = 0, .host_address = NULL };
26
27
28
29 /*************************************************
30 * Local static variables *
31 *************************************************/
32
33 static SIGNAL_BOOL sigchld_seen;
34 static SIGNAL_BOOL sighup_seen;
35 static SIGNAL_BOOL sigterm_seen;
36
37 static int accept_retry_count = 0;
38 static int accept_retry_errno;
39 static BOOL accept_retry_select_failed;
40
41 static int queue_run_count = 0;
42 static pid_t *queue_pid_slots = NULL;
43 static smtp_slot *smtp_slots = NULL;
44
45 static BOOL write_pid = TRUE;
46
47
48
49 /*************************************************
50 * SIGHUP Handler *
51 *************************************************/
52
53 /* All this handler does is to set a flag and re-enable the signal.
54
55 Argument: the signal number
56 Returns: nothing
57 */
58
59 static void
sighup_handler(int sig)60 sighup_handler(int sig)
61 {
62 sighup_seen = TRUE;
63 signal(SIGHUP, sighup_handler);
64 }
65
66
67
68 /*************************************************
69 * SIGCHLD handler for main daemon process *
70 *************************************************/
71
72 /* Don't re-enable the handler here, since we aren't doing the
73 waiting here. If the signal is re-enabled, there will just be an
74 infinite sequence of calls to this handler. The SIGCHLD signal is
75 used just as a means of waking up the daemon so that it notices
76 terminated subprocesses as soon as possible.
77
78 Argument: the signal number
79 Returns: nothing
80 */
81
82 static void
main_sigchld_handler(int sig)83 main_sigchld_handler(int sig)
84 {
85 os_non_restarting_signal(SIGCHLD, SIG_DFL);
86 sigchld_seen = TRUE;
87 }
88
89
90 /* SIGTERM handler. Try to get the damon pid file removed
91 before exiting. */
92
93 static void
main_sigterm_handler(int sig)94 main_sigterm_handler(int sig)
95 {
96 sigterm_seen = TRUE;
97 }
98
99
100
101
102 /*************************************************
103 * Unexpected errors in SMTP calls *
104 *************************************************/
105
106 /* This function just saves a bit of repetitious coding.
107
108 Arguments:
109 log_msg Text of message to be logged
110 smtp_msg Text of SMTP error message
111 was_errno The failing errno
112
113 Returns: nothing
114 */
115
116 static void
never_error(uschar * log_msg,uschar * smtp_msg,int was_errno)117 never_error(uschar *log_msg, uschar *smtp_msg, int was_errno)
118 {
119 uschar *emsg = was_errno <= 0
120 ? US"" : string_sprintf(": %s", strerror(was_errno));
121 log_write(0, LOG_MAIN|LOG_PANIC, "%s%s", log_msg, emsg);
122 if (smtp_out) smtp_printf("421 %s\r\n", FALSE, smtp_msg);
123 }
124
125
126
127
128 /*************************************************
129 *************************************************/
130
131 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
132 static void
unlink_notifier_socket(void)133 unlink_notifier_socket(void)
134 {
135 uschar * s = expand_string(notifier_socket);
136 DEBUG(D_any) debug_printf("unlinking notifier socket %s\n", s);
137 Uunlink(s);
138 }
139 #endif
140
141
142 static void
close_daemon_sockets(int daemon_notifier_fd,struct pollfd * fd_polls,int listen_socket_count)143 close_daemon_sockets(int daemon_notifier_fd,
144 struct pollfd * fd_polls, int listen_socket_count)
145 {
146 if (daemon_notifier_fd >= 0)
147 {
148 (void) close(daemon_notifier_fd);
149 daemon_notifier_fd = -1;
150 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
151 unlink_notifier_socket();
152 #endif
153 }
154
155 for (int i = 0; i < listen_socket_count; i++) (void) close(fd_polls[i].fd);
156 }
157
158
159 /*************************************************
160 * Handle a connected SMTP call *
161 *************************************************/
162
163 /* This function is called when an SMTP connection has been accepted.
164 If there are too many, give an error message and close down. Otherwise
165 spin off a sub-process to handle the call. The list of listening sockets
166 is required so that they can be closed in the sub-process. Take care not to
167 leak store in this process - reset the stacking pool at the end.
168
169 Arguments:
170 fd_polls sockets which are listening for incoming calls
171 listen_socket_count count of listening sockets
172 accept_socket socket of the current accepted call
173 accepted socket information about the current call
174
175 Returns: nothing
176 */
177
178 static void
handle_smtp_call(struct pollfd * fd_polls,int listen_socket_count,int accept_socket,struct sockaddr * accepted)179 handle_smtp_call(struct pollfd *fd_polls, int listen_socket_count,
180 int accept_socket, struct sockaddr *accepted)
181 {
182 pid_t pid;
183 union sockaddr_46 interface_sockaddr;
184 EXIM_SOCKLEN_T ifsize = sizeof(interface_sockaddr);
185 int dup_accept_socket = -1;
186 int max_for_this_host = 0;
187 int save_log_selector = *log_selector;
188 gstring * whofrom;
189
190 rmark reset_point = store_mark();
191
192 /* Make the address available in ASCII representation, and also fish out
193 the remote port. */
194
195 sender_host_address = host_ntoa(-1, accepted, NULL, &sender_host_port);
196 DEBUG(D_any) debug_printf("Connection request from %s port %d\n",
197 sender_host_address, sender_host_port);
198
199 /* Set up the output stream, check the socket has duplicated, and set up the
200 input stream. These operations fail only the exceptional circumstances. Note
201 that never_error() won't use smtp_out if it is NULL. */
202
203 if (!(smtp_out = fdopen(accept_socket, "wb")))
204 {
205 never_error(US"daemon: fdopen() for smtp_out failed", US"", errno);
206 goto ERROR_RETURN;
207 }
208
209 if ((dup_accept_socket = dup(accept_socket)) < 0)
210 {
211 never_error(US"daemon: couldn't dup socket descriptor",
212 US"Connection setup failed", errno);
213 goto ERROR_RETURN;
214 }
215
216 if (!(smtp_in = fdopen(dup_accept_socket, "rb")))
217 {
218 never_error(US"daemon: fdopen() for smtp_in failed",
219 US"Connection setup failed", errno);
220 goto ERROR_RETURN;
221 }
222
223 /* Get the data for the local interface address. Panic for most errors, but
224 "connection reset by peer" just means the connection went away. */
225
226 if (getsockname(accept_socket, (struct sockaddr *)(&interface_sockaddr),
227 &ifsize) < 0)
228 {
229 log_write(0, LOG_MAIN | ((errno == ECONNRESET)? 0 : LOG_PANIC),
230 "getsockname() failed: %s", strerror(errno));
231 smtp_printf("421 Local problem: getsockname() failed; please try again later\r\n", FALSE);
232 goto ERROR_RETURN;
233 }
234
235 interface_address = host_ntoa(-1, &interface_sockaddr, NULL, &interface_port);
236 DEBUG(D_interface) debug_printf("interface address=%s port=%d\n",
237 interface_address, interface_port);
238
239 /* Build a string identifying the remote host and, if requested, the port and
240 the local interface data. This is for logging; at the end of this function the
241 memory is reclaimed. */
242
243 whofrom = string_append(NULL, 3, "[", sender_host_address, "]");
244
245 if (LOGGING(incoming_port))
246 whofrom = string_fmt_append(whofrom, ":%d", sender_host_port);
247
248 if (LOGGING(incoming_interface))
249 whofrom = string_fmt_append(whofrom, " I=[%s]:%d",
250 interface_address, interface_port);
251
252 (void) string_from_gstring(whofrom); /* Terminate the newly-built string */
253
254 /* Check maximum number of connections. We do not check for reserved
255 connections or unacceptable hosts here. That is done in the subprocess because
256 it might take some time. */
257
258 if (smtp_accept_max > 0 && smtp_accept_count >= smtp_accept_max)
259 {
260 DEBUG(D_any) debug_printf("rejecting SMTP connection: count=%d max=%d\n",
261 smtp_accept_count, smtp_accept_max);
262 smtp_printf("421 Too many concurrent SMTP connections; "
263 "please try again later.\r\n", FALSE);
264 log_write(L_connection_reject,
265 LOG_MAIN, "Connection from %s refused: too many connections",
266 whofrom->s);
267 goto ERROR_RETURN;
268 }
269
270 /* If a load limit above which only reserved hosts are acceptable is defined,
271 get the load average here, and if there are in fact no reserved hosts, do
272 the test right away (saves a fork). If there are hosts, do the check in the
273 subprocess because it might take time. */
274
275 if (smtp_load_reserve >= 0)
276 {
277 load_average = OS_GETLOADAVG();
278 if (!smtp_reserve_hosts && load_average > smtp_load_reserve)
279 {
280 DEBUG(D_any) debug_printf("rejecting SMTP connection: load average = %.2f\n",
281 (double)load_average/1000.0);
282 smtp_printf("421 Too much load; please try again later.\r\n", FALSE);
283 log_write(L_connection_reject,
284 LOG_MAIN, "Connection from %s refused: load average = %.2f",
285 whofrom->s, (double)load_average/1000.0);
286 goto ERROR_RETURN;
287 }
288 }
289
290 /* Check that one specific host (strictly, IP address) is not hogging
291 resources. This is done here to prevent a denial of service attack by someone
292 forcing you to fork lots of times before denying service. The value of
293 smtp_accept_max_per_host is a string which is expanded. This makes it possible
294 to provide host-specific limits according to $sender_host address, but because
295 this is in the daemon mainline, only fast expansions (such as inline address
296 checks) should be used. The documentation is full of warnings. */
297
298 if (smtp_accept_max_per_host)
299 {
300 uschar *expanded = expand_string(smtp_accept_max_per_host);
301 if (!expanded)
302 {
303 if (!f.expand_string_forcedfail)
304 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
305 "failed for %s: %s", whofrom->s, expand_string_message);
306 }
307 /* For speed, interpret a decimal number inline here */
308 else
309 {
310 uschar *s = expanded;
311 while (isdigit(*s))
312 max_for_this_host = max_for_this_host * 10 + *s++ - '0';
313 if (*s)
314 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
315 "for %s contains non-digit: %s", whofrom->s, expanded);
316 }
317 }
318
319 /* If we have fewer connections than max_for_this_host, we can skip the tedious
320 per host_address checks. Note that at this stage smtp_accept_count contains the
321 count of *other* connections, not including this one. */
322
323 if (max_for_this_host > 0 && smtp_accept_count >= max_for_this_host)
324 {
325 int host_accept_count = 0;
326 int other_host_count = 0; /* keep a count of non matches to optimise */
327
328 for (int i = 0; i < smtp_accept_max; ++i)
329 if (smtp_slots[i].host_address)
330 {
331 if (Ustrcmp(sender_host_address, smtp_slots[i].host_address) == 0)
332 host_accept_count++;
333 else
334 other_host_count++;
335
336 /* Testing all these strings is expensive - see if we can drop out
337 early, either by hitting the target, or finding there are not enough
338 connections left to make the target. */
339
340 if ( host_accept_count >= max_for_this_host
341 || smtp_accept_count - other_host_count < max_for_this_host)
342 break;
343 }
344
345 if (host_accept_count >= max_for_this_host)
346 {
347 DEBUG(D_any) debug_printf("rejecting SMTP connection: too many from this "
348 "IP address: count=%d max=%d\n",
349 host_accept_count, max_for_this_host);
350 smtp_printf("421 Too many concurrent SMTP connections "
351 "from this IP address; please try again later.\r\n", FALSE);
352 log_write(L_connection_reject,
353 LOG_MAIN, "Connection from %s refused: too many connections "
354 "from that IP address", whofrom->s);
355 search_tidyup();
356 goto ERROR_RETURN;
357 }
358 }
359
360 /* OK, the connection count checks have been passed. Before we can fork the
361 accepting process, we must first log the connection if requested. This logging
362 used to happen in the subprocess, but doing that means that the value of
363 smtp_accept_count can be out of step by the time it is logged. So we have to do
364 the logging here and accept the performance cost. Note that smtp_accept_count
365 hasn't yet been incremented to take account of this connection.
366
367 In order to minimize the cost (because this is going to happen for every
368 connection), do a preliminary selector test here. This saves ploughing through
369 the generalized logging code each time when the selector is false. If the
370 selector is set, check whether the host is on the list for logging. If not,
371 arrange to unset the selector in the subprocess. */
372
373 if (LOGGING(smtp_connection))
374 {
375 uschar *list = hosts_connection_nolog;
376 memset(sender_host_cache, 0, sizeof(sender_host_cache));
377 if (list && verify_check_host(&list) == OK)
378 save_log_selector &= ~L_smtp_connection;
379 else
380 log_write(L_smtp_connection, LOG_MAIN, "SMTP connection from %s "
381 "(TCP/IP connection count = %d)", whofrom->s, smtp_accept_count + 1);
382 }
383
384 /* Now we can fork the accepting process; do a lookup tidy, just in case any
385 expansion above did a lookup. */
386
387 search_tidyup();
388 pid = exim_fork(US"daemon-accept");
389
390 /* Handle the child process */
391
392 if (pid == 0)
393 {
394 int queue_only_reason = 0;
395 int old_pool = store_pool;
396 int save_debug_selector = debug_selector;
397 BOOL local_queue_only;
398 BOOL session_local_queue_only;
399 #ifdef SA_NOCLDWAIT
400 struct sigaction act;
401 #endif
402
403 smtp_accept_count++; /* So that it includes this process */
404
405 /* If the listen backlog was over the monitoring level, log it. */
406
407 if (smtp_listen_backlog > smtp_backlog_monitor)
408 log_write(0, LOG_MAIN, "listen backlog %d I=[%s]:%d",
409 smtp_listen_backlog, interface_address, interface_port);
410
411 /* May have been modified for the subprocess */
412
413 *log_selector = save_log_selector;
414
415 /* Get the local interface address into permanent store */
416
417 store_pool = POOL_PERM;
418 interface_address = string_copy(interface_address);
419 store_pool = old_pool;
420
421 /* Check for a tls-on-connect port */
422
423 if (host_is_tls_on_connect_port(interface_port)) tls_in.on_connect = TRUE;
424
425 /* Expand smtp_active_hostname if required. We do not do this any earlier,
426 because it may depend on the local interface address (indeed, that is most
427 likely what it depends on.) */
428
429 smtp_active_hostname = primary_hostname;
430 if (raw_active_hostname)
431 {
432 uschar * nah = expand_string(raw_active_hostname);
433 if (!nah)
434 {
435 if (!f.expand_string_forcedfail)
436 {
437 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" "
438 "(smtp_active_hostname): %s", raw_active_hostname,
439 expand_string_message);
440 smtp_printf("421 Local configuration error; "
441 "please try again later.\r\n", FALSE);
442 mac_smtp_fflush();
443 search_tidyup();
444 exim_underbar_exit(EXIT_FAILURE);
445 }
446 }
447 else if (*nah) smtp_active_hostname = nah;
448 }
449
450 /* Initialize the queueing flags */
451
452 queue_check_only();
453 session_local_queue_only = queue_only;
454
455 /* Close the listening sockets, and set the SIGCHLD handler to SIG_IGN.
456 We also attempt to set things up so that children are automatically reaped,
457 but just in case this isn't available, there's a paranoid waitpid() in the
458 loop too (except for systems where we are sure it isn't needed). See the more
459 extensive comment before the reception loop in exim.c for a fuller
460 explanation of this logic. */
461
462 close_daemon_sockets(daemon_notifier_fd, fd_polls, listen_socket_count);
463
464 /* Set FD_CLOEXEC on the SMTP socket. We don't want any rogue child processes
465 to be able to communicate with them, under any circumstances. */
466 (void)fcntl(accept_socket, F_SETFD,
467 fcntl(accept_socket, F_GETFD) | FD_CLOEXEC);
468 (void)fcntl(dup_accept_socket, F_SETFD,
469 fcntl(dup_accept_socket, F_GETFD) | FD_CLOEXEC);
470
471 #ifdef SA_NOCLDWAIT
472 act.sa_handler = SIG_IGN;
473 sigemptyset(&(act.sa_mask));
474 act.sa_flags = SA_NOCLDWAIT;
475 sigaction(SIGCHLD, &act, NULL);
476 #else
477 signal(SIGCHLD, SIG_IGN);
478 #endif
479 signal(SIGTERM, SIG_DFL);
480 signal(SIGINT, SIG_DFL);
481
482 /* Attempt to get an id from the sending machine via the RFC 1413
483 protocol. We do this in the sub-process in order not to hold up the
484 main process if there is any delay. Then set up the fullhost information
485 in case there is no HELO/EHLO.
486
487 If debugging is enabled only for the daemon, we must turn if off while
488 finding the id, but turn it on again afterwards so that information about the
489 incoming connection is output. */
490
491 if (f.debug_daemon) debug_selector = 0;
492 verify_get_ident(IDENT_PORT);
493 host_build_sender_fullhost();
494 debug_selector = save_debug_selector;
495
496 DEBUG(D_any)
497 debug_printf("Process %d is handling incoming connection from %s\n",
498 (int)getpid(), sender_fullhost);
499
500 /* Now disable debugging permanently if it's required only for the daemon
501 process. */
502
503 if (f.debug_daemon) debug_selector = 0;
504
505 /* If there are too many child processes for immediate delivery,
506 set the session_local_queue_only flag, which is initialized from the
507 configured value and may therefore already be TRUE. Leave logging
508 till later so it will have a message id attached. Note that there is no
509 possibility of re-calculating this per-message, because the value of
510 smtp_accept_count does not change in this subprocess. */
511
512 if (smtp_accept_queue > 0 && smtp_accept_count > smtp_accept_queue)
513 {
514 session_local_queue_only = TRUE;
515 queue_only_reason = 1;
516 }
517
518 /* Handle the start of the SMTP session, then loop, accepting incoming
519 messages from the SMTP connection. The end will come at the QUIT command,
520 when smtp_setup_msg() returns 0. A break in the connection causes the
521 process to die (see accept.c).
522
523 NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
524 because a log line has already been written for all its failure exists
525 (usually "connection refused: <reason>") and writing another one is
526 unnecessary clutter. */
527
528 if (!smtp_start_session())
529 {
530 mac_smtp_fflush();
531 search_tidyup();
532 exim_underbar_exit(EXIT_SUCCESS);
533 }
534
535 for (;;)
536 {
537 int rc;
538 message_id[0] = 0; /* Clear out any previous message_id */
539 reset_point = store_mark(); /* Save current store high water point */
540
541 DEBUG(D_any)
542 debug_printf("Process %d is ready for new message\n", (int)getpid());
543
544 /* Smtp_setup_msg() returns 0 on QUIT or if the call is from an
545 unacceptable host or if an ACL "drop" command was triggered, -1 on
546 connection lost, and +1 on validly reaching DATA. Receive_msg() almost
547 always returns TRUE when smtp_input is true; just retry if no message was
548 accepted (can happen for invalid message parameters). However, it can yield
549 FALSE if the connection was forcibly dropped by the DATA ACL. */
550
551 if ((rc = smtp_setup_msg()) > 0)
552 {
553 BOOL ok = receive_msg(FALSE);
554 search_tidyup(); /* Close cached databases */
555 if (!ok) /* Connection was dropped */
556 {
557 cancel_cutthrough_connection(TRUE, US"receive dropped");
558 mac_smtp_fflush();
559 smtp_log_no_mail(); /* Log no mail if configured */
560 exim_underbar_exit(EXIT_SUCCESS);
561 }
562 if (message_id[0] == 0) continue; /* No message was accepted */
563 }
564 else /* bad smtp_setup_msg() */
565 {
566 if (smtp_out)
567 {
568 int fd = fileno(smtp_in);
569 uschar buf[128];
570
571 mac_smtp_fflush();
572 /* drain socket, for clean TCP FINs */
573 if (fcntl(fd, F_SETFL, O_NONBLOCK) == 0)
574 for(int i = 16; read(fd, buf, sizeof(buf)) > 0 && i > 0; ) i--;
575 }
576 cancel_cutthrough_connection(TRUE, US"message setup dropped");
577 search_tidyup();
578 smtp_log_no_mail(); /* Log no mail if configured */
579
580 /*XXX should we pause briefly, hoping that the client will be the
581 active TCP closer hence get the TCP_WAIT endpoint? */
582 DEBUG(D_receive) debug_printf("SMTP>>(close on process exit)\n");
583 exim_underbar_exit(rc ? EXIT_FAILURE : EXIT_SUCCESS);
584 }
585
586 /* Show the recipients when debugging */
587
588 DEBUG(D_receive)
589 {
590 if (sender_address)
591 debug_printf("Sender: %s\n", sender_address);
592 if (recipients_list)
593 {
594 debug_printf("Recipients:\n");
595 for (int i = 0; i < recipients_count; i++)
596 debug_printf(" %s\n", recipients_list[i].address);
597 }
598 }
599
600 /* A message has been accepted. Clean up any previous delivery processes
601 that have completed and are defunct, on systems where they don't go away
602 by themselves (see comments when setting SIG_IGN above). On such systems
603 (if any) these delivery processes hang around after termination until
604 the next message is received. */
605
606 #ifndef SIG_IGN_WORKS
607 while (waitpid(-1, NULL, WNOHANG) > 0);
608 #endif
609
610 /* Reclaim up the store used in accepting this message */
611
612 {
613 int r = receive_messagecount;
614 BOOL q = f.queue_only_policy;
615 smtp_reset(reset_point);
616 reset_point = NULL;
617 f.queue_only_policy = q;
618 receive_messagecount = r;
619 }
620
621 /* If queue_only is set or if there are too many incoming connections in
622 existence, session_local_queue_only will be TRUE. If it is not, check
623 whether we have received too many messages in this session for immediate
624 delivery. */
625
626 if (!session_local_queue_only &&
627 smtp_accept_queue_per_connection > 0 &&
628 receive_messagecount > smtp_accept_queue_per_connection)
629 {
630 session_local_queue_only = TRUE;
631 queue_only_reason = 2;
632 }
633
634 /* Initialize local_queue_only from session_local_queue_only. If it is not
635 true, and queue_only_load is set, check that the load average is below it.
636 If local_queue_only is set by this means, we also set if for the session if
637 queue_only_load_latch is true (the default). This means that, once set,
638 local_queue_only remains set for any subsequent messages on the same SMTP
639 connection. This is a deliberate choice; even though the load average may
640 fall, it doesn't seem right to deliver later messages on the same call when
641 not delivering earlier ones. However, the are special circumstances such as
642 very long-lived connections from scanning appliances where this is not the
643 best strategy. In such cases, queue_only_load_latch should be set false. */
644
645 if ( !(local_queue_only = session_local_queue_only)
646 && queue_only_load >= 0
647 && (local_queue_only = (load_average = OS_GETLOADAVG()) > queue_only_load)
648 )
649 {
650 queue_only_reason = 3;
651 if (queue_only_load_latch) session_local_queue_only = TRUE;
652 }
653
654 /* Log the queueing here, when it will get a message id attached, but
655 not if queue_only is set (case 0). */
656
657 if (local_queue_only) switch(queue_only_reason)
658 {
659 case 1: log_write(L_delay_delivery,
660 LOG_MAIN, "no immediate delivery: too many connections "
661 "(%d, max %d)", smtp_accept_count, smtp_accept_queue);
662 break;
663
664 case 2: log_write(L_delay_delivery,
665 LOG_MAIN, "no immediate delivery: more than %d messages "
666 "received in one connection", smtp_accept_queue_per_connection);
667 break;
668
669 case 3: log_write(L_delay_delivery,
670 LOG_MAIN, "no immediate delivery: load average %.2f",
671 (double)load_average/1000.0);
672 break;
673 }
674
675 /* If a delivery attempt is required, spin off a new process to handle it.
676 If we are not root, we have to re-exec exim unless deliveries are being
677 done unprivileged. */
678
679 else if ( (!f.queue_only_policy || f.queue_smtp)
680 && !f.deliver_freeze)
681 {
682 pid_t dpid;
683
684 /* We used to flush smtp_out before forking so that buffered data was not
685 duplicated, but now we want to pipeline the responses for data and quit.
686 Instead, hard-close the fd underlying smtp_out right after fork to discard
687 the data buffer. */
688
689 if ((dpid = exim_fork(US"daemon-accept-delivery")) == 0)
690 {
691 (void)fclose(smtp_in);
692 (void)close(fileno(smtp_out));
693 (void)fclose(smtp_out);
694 smtp_in = smtp_out = NULL;
695
696 /* Don't ever molest the parent's SSL connection, but do clean up
697 the data structures if necessary. */
698
699 #ifndef DISABLE_TLS
700 tls_close(NULL, TLS_NO_SHUTDOWN);
701 #endif
702
703 /* Reset SIGHUP and SIGCHLD in the child in both cases. */
704
705 signal(SIGHUP, SIG_DFL);
706 signal(SIGCHLD, SIG_DFL);
707 signal(SIGTERM, SIG_DFL);
708 signal(SIGINT, SIG_DFL);
709
710 if (geteuid() != root_uid && !deliver_drop_privilege)
711 {
712 signal(SIGALRM, SIG_DFL);
713 delivery_re_exec(CEE_EXEC_PANIC);
714 /* Control does not return here. */
715 }
716
717 /* No need to re-exec; SIGALRM remains set to the default handler */
718
719 (void) deliver_message(message_id, FALSE, FALSE);
720 search_tidyup();
721 exim_underbar_exit(EXIT_SUCCESS);
722 }
723
724 if (dpid > 0)
725 {
726 release_cutthrough_connection(US"passed for delivery");
727 DEBUG(D_any) debug_printf("forked delivery process %d\n", (int)dpid);
728 }
729 else
730 {
731 cancel_cutthrough_connection(TRUE, US"delivery fork failed");
732 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: delivery process fork "
733 "failed: %s", strerror(errno));
734 }
735 }
736 }
737 }
738
739
740 /* Carrying on in the parent daemon process... Can't do much if the fork
741 failed. Otherwise, keep count of the number of accepting processes and
742 remember the pid for ticking off when the child completes. */
743
744 if (pid < 0)
745 never_error(US"daemon: accept process fork failed", US"Fork failed", errno);
746 else
747 {
748 for (int i = 0; i < smtp_accept_max; ++i)
749 if (smtp_slots[i].pid <= 0)
750 {
751 smtp_slots[i].pid = pid;
752 /* Connection closes come asyncronously, so we cannot stack this store */
753 if (smtp_accept_max_per_host)
754 smtp_slots[i].host_address = string_copy_malloc(sender_host_address);
755 smtp_accept_count++;
756 break;
757 }
758 DEBUG(D_any) debug_printf("%d SMTP accept process%s running\n",
759 smtp_accept_count, smtp_accept_count == 1 ? "" : "es");
760 }
761
762 /* Get here via goto in error cases */
763
764 ERROR_RETURN:
765
766 /* Close the streams associated with the socket which will also close the
767 socket fds in this process. We can't do anything if fclose() fails, but
768 logging brings it to someone's attention. However, "connection reset by peer"
769 isn't really a problem, so skip that one. On Solaris, a dropped connection can
770 manifest itself as a broken pipe, so drop that one too. If the streams don't
771 exist, something went wrong while setting things up. Make sure the socket
772 descriptors are closed, in order to drop the connection. */
773
774 if (smtp_out)
775 {
776 if (fclose(smtp_out) != 0 && errno != ECONNRESET && errno != EPIPE)
777 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_out) failed: %s",
778 strerror(errno));
779 smtp_out = NULL;
780 }
781 else (void)close(accept_socket);
782
783 if (smtp_in)
784 {
785 if (fclose(smtp_in) != 0 && errno != ECONNRESET && errno != EPIPE)
786 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_in) failed: %s",
787 strerror(errno));
788 smtp_in = NULL;
789 }
790 else (void)close(dup_accept_socket);
791
792 /* Release any store used in this process, including the store used for holding
793 the incoming host address and an expanded active_hostname. */
794
795 log_close_all();
796 interface_address =
797 sender_host_address = NULL;
798 store_reset(reset_point);
799 sender_host_address = NULL;
800 }
801
802
803
804
805 /*************************************************
806 * Check wildcard listen special cases *
807 *************************************************/
808
809 /* This function is used when binding and listening on lists of addresses and
810 ports. It tests for special cases of wildcard listening, when IPv4 and IPv6
811 sockets may interact in different ways in different operating systems. It is
812 passed an error number, the list of listening addresses, and the current
813 address. Two checks are available: for a previous wildcard IPv6 address, or for
814 a following wildcard IPv4 address, in both cases on the same port.
815
816 In practice, pairs of wildcard addresses should be adjacent in the address list
817 because they are sorted that way below.
818
819 Arguments:
820 eno the error number
821 addresses the list of addresses
822 ipa the current IP address
823 back if TRUE, check for previous wildcard IPv6 address
824 if FALSE, check for a following wildcard IPv4 address
825
826 Returns: TRUE or FALSE
827 */
828
829 static BOOL
check_special_case(int eno,ip_address_item * addresses,ip_address_item * ipa,BOOL back)830 check_special_case(int eno, ip_address_item *addresses, ip_address_item *ipa,
831 BOOL back)
832 {
833 ip_address_item *ipa2;
834
835 /* For the "back" case, if the failure was "address in use" for a wildcard IPv4
836 address, seek a previous IPv6 wildcard address on the same port. As it is
837 previous, it must have been successfully bound and be listening. Flag it as a
838 "6 including 4" listener. */
839
840 if (back)
841 {
842 if (eno != EADDRINUSE || ipa->address[0] != 0) return FALSE;
843 for (ipa2 = addresses; ipa2 != ipa; ipa2 = ipa2->next)
844 {
845 if (ipa2->address[1] == 0 && ipa2->port == ipa->port)
846 {
847 ipa2->v6_include_v4 = TRUE;
848 return TRUE;
849 }
850 }
851 }
852
853 /* For the "forward" case, if the current address is a wildcard IPv6 address,
854 we seek a following wildcard IPv4 address on the same port. */
855
856 else
857 {
858 if (ipa->address[0] != ':' || ipa->address[1] != 0) return FALSE;
859 for (ipa2 = ipa->next; ipa2 != NULL; ipa2 = ipa2->next)
860 if (ipa2->address[0] == 0 && ipa->port == ipa2->port) return TRUE;
861 }
862
863 return FALSE;
864 }
865
866
867
868
869 /*************************************************
870 * Handle terminating subprocesses *
871 *************************************************/
872
873 /* Handle the termination of child processes. Theoretically, this need be done
874 only when sigchld_seen is TRUE, but rumour has it that some systems lose
875 SIGCHLD signals at busy times, so to be on the safe side, this function is
876 called each time round. It shouldn't be too expensive.
877
878 Arguments: none
879 Returns: nothing
880 */
881
882 static void
handle_ending_processes(void)883 handle_ending_processes(void)
884 {
885 int status;
886 pid_t pid;
887
888 while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
889 {
890 DEBUG(D_any)
891 {
892 debug_printf("child %d ended: status=0x%x\n", (int)pid, status);
893 #ifdef WCOREDUMP
894 if (WIFEXITED(status))
895 debug_printf(" normal exit, %d\n", WEXITSTATUS(status));
896 else if (WIFSIGNALED(status))
897 debug_printf(" signal exit, signal %d%s\n", WTERMSIG(status),
898 WCOREDUMP(status) ? " (core dumped)" : "");
899 #endif
900 }
901
902 /* If it's a listening daemon for which we are keeping track of individual
903 subprocesses, deal with an accepting process that has terminated. */
904
905 if (smtp_slots)
906 {
907 int i;
908 for (i = 0; i < smtp_accept_max; i++)
909 if (smtp_slots[i].pid == pid)
910 {
911 if (smtp_slots[i].host_address)
912 store_free(smtp_slots[i].host_address);
913 smtp_slots[i] = empty_smtp_slot;
914 if (--smtp_accept_count < 0) smtp_accept_count = 0;
915 DEBUG(D_any) debug_printf("%d SMTP accept process%s now running\n",
916 smtp_accept_count, (smtp_accept_count == 1)? "" : "es");
917 break;
918 }
919 if (i < smtp_accept_max) continue; /* Found an accepting process */
920 }
921
922 /* If it wasn't an accepting process, see if it was a queue-runner
923 process that we are tracking. */
924
925 if (queue_pid_slots)
926 {
927 int max = atoi(CS expand_string(queue_run_max));
928 for (int i = 0; i < max; i++)
929 if (queue_pid_slots[i] == pid)
930 {
931 queue_pid_slots[i] = 0;
932 if (--queue_run_count < 0) queue_run_count = 0;
933 DEBUG(D_any) debug_printf("%d queue-runner process%s now running\n",
934 queue_run_count, (queue_run_count == 1)? "" : "es");
935 break;
936 }
937 }
938 }
939 }
940
941
942 static void
set_pid_file_path(void)943 set_pid_file_path(void)
944 {
945 if (override_pid_file_path)
946 pid_file_path = override_pid_file_path;
947
948 if (!*pid_file_path)
949 pid_file_path = string_sprintf("%s/exim-daemon.pid", spool_directory);
950
951 if (pid_file_path[0] != '/')
952 log_write(0, LOG_PANIC_DIE, "pid file path %s must be absolute\n", pid_file_path);
953 }
954
955
956 enum pid_op { PID_WRITE, PID_CHECK, PID_DELETE };
957
958 /* Do various pid file operations as safe as possible. Ideally we'd just
959 drop the privileges for creation of the pid file and not care at all about removal of
960 the file. FIXME.
961 Returns: true on success, false + errno==EACCES otherwise
962 */
963
964 static BOOL
operate_on_pid_file(const enum pid_op operation,const pid_t pid)965 operate_on_pid_file(const enum pid_op operation, const pid_t pid)
966 {
967 char pid_line[sizeof(int) * 3 + 2];
968 const int pid_len = snprintf(pid_line, sizeof(pid_line), "%d\n", (int)pid);
969 BOOL lines_match = FALSE;
970 uschar * path, * base, * dir;
971
972 const int dir_flags = O_RDONLY | O_NONBLOCK;
973 const int base_flags = O_NOFOLLOW | O_NONBLOCK;
974 const mode_t base_mode = 0644;
975 struct stat sb;
976 int cwd_fd = -1, dir_fd = -1, base_fd = -1;
977 BOOL success = FALSE;
978 errno = EACCES;
979
980 set_pid_file_path();
981 if (!f.running_in_test_harness && real_uid != root_uid && real_uid != exim_uid) goto cleanup;
982 if (pid_len < 2 || pid_len >= (int)sizeof(pid_line)) goto cleanup;
983
984 path = string_copy(pid_file_path);
985 if ((base = Ustrrchr(path, '/')) == NULL) /* should not happen, but who knows */
986 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid file path \"%s\" does not contain a '/'", pid_file_path);
987
988 dir = base != path ? path : US"/";
989 *base++ = '\0';
990
991 if (!dir || !*dir || *dir != '/') goto cleanup;
992 if (!base || !*base || Ustrchr(base, '/') != NULL) goto cleanup;
993
994 cwd_fd = open(".", dir_flags);
995 if (cwd_fd < 0 || fstat(cwd_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
996 dir_fd = open(CS dir, dir_flags);
997 if (dir_fd < 0 || fstat(dir_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
998
999 /* emulate openat */
1000 if (fchdir(dir_fd) != 0) goto cleanup;
1001 base_fd = open(CS base, O_RDONLY | base_flags);
1002 if (fchdir(cwd_fd) != 0)
1003 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1004
1005 if (base_fd >= 0)
1006 {
1007 char line[sizeof(pid_line)];
1008 ssize_t len = -1;
1009
1010 if (fstat(base_fd, &sb) != 0 || !S_ISREG(sb.st_mode)) goto cleanup;
1011 if ((sb.st_mode & 07777) != base_mode || sb.st_nlink != 1) goto cleanup;
1012 if (sb.st_size < 2 || sb.st_size >= (off_t)sizeof(line)) goto cleanup;
1013
1014 len = read(base_fd, line, sizeof(line));
1015 if (len != (ssize_t)sb.st_size) goto cleanup;
1016 line[len] = '\0';
1017
1018 if (strspn(line, "0123456789") != (size_t)len-1) goto cleanup;
1019 if (line[len-1] != '\n') goto cleanup;
1020 lines_match = len == pid_len && strcmp(line, pid_line) == 0;
1021 }
1022
1023 if (operation == PID_WRITE)
1024 {
1025 if (!lines_match)
1026 {
1027 if (base_fd >= 0)
1028 {
1029 int error = -1;
1030 /* emulate unlinkat */
1031 if (fchdir(dir_fd) != 0) goto cleanup;
1032 error = unlink(CS base);
1033 if (fchdir(cwd_fd) != 0)
1034 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1035 if (error) goto cleanup;
1036 (void)close(base_fd);
1037 base_fd = -1;
1038 }
1039 /* emulate openat */
1040 if (fchdir(dir_fd) != 0) goto cleanup;
1041 base_fd = open(CS base, O_WRONLY | O_CREAT | O_EXCL | base_flags, base_mode);
1042 if (fchdir(cwd_fd) != 0)
1043 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1044 if (base_fd < 0) goto cleanup;
1045 if (fchmod(base_fd, base_mode) != 0) goto cleanup;
1046 if (write(base_fd, pid_line, pid_len) != pid_len) goto cleanup;
1047 DEBUG(D_any) debug_printf("pid written to %s\n", pid_file_path);
1048 }
1049 }
1050 else
1051 {
1052 if (!lines_match) goto cleanup;
1053 if (operation == PID_DELETE)
1054 {
1055 int error = -1;
1056 /* emulate unlinkat */
1057 if (fchdir(dir_fd) != 0) goto cleanup;
1058 error = unlink(CS base);
1059 if (fchdir(cwd_fd) != 0)
1060 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1061 if (error) goto cleanup;
1062 }
1063 }
1064
1065 success = TRUE;
1066 errno = 0;
1067
1068 cleanup:
1069 if (cwd_fd >= 0) (void)close(cwd_fd);
1070 if (dir_fd >= 0) (void)close(dir_fd);
1071 if (base_fd >= 0) (void)close(base_fd);
1072 return success;
1073 }
1074
1075
1076 /* Remove the daemon's pidfile. Note: runs with root privilege,
1077 as a direct child of the daemon. Does not return. */
1078
1079 void
delete_pid_file(void)1080 delete_pid_file(void)
1081 {
1082 const BOOL success = operate_on_pid_file(PID_DELETE, getppid());
1083
1084 DEBUG(D_any)
1085 debug_printf("delete pid file %s %s: %s\n", pid_file_path,
1086 success ? "success" : "failure", strerror(errno));
1087
1088 exim_exit(EXIT_SUCCESS);
1089 }
1090
1091
1092 /* Called by the daemon; exec a child to get the pid file deleted
1093 since we may require privs for the containing directory */
1094
1095 static void
daemon_die(void)1096 daemon_die(void)
1097 {
1098 int pid;
1099
1100 DEBUG(D_any) debug_printf("SIGTERM/SIGINT seen\n");
1101 #if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
1102 tls_watch_invalidate();
1103 #endif
1104
1105 if (daemon_notifier_fd >= 0)
1106 {
1107 close(daemon_notifier_fd);
1108 daemon_notifier_fd = -1;
1109 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1110 unlink_notifier_socket();
1111 #endif
1112 }
1113
1114 if (f.running_in_test_harness || write_pid)
1115 {
1116 if ((pid = exim_fork(US"daemon-del-pidfile")) == 0)
1117 {
1118 if (override_pid_file_path)
1119 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 3,
1120 "-oP", override_pid_file_path, "-oPX");
1121 else
1122 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 1, "-oPX");
1123
1124 /* Control never returns here. */
1125 }
1126 if (pid > 0)
1127 child_close(pid, 1);
1128 }
1129 exim_exit(EXIT_SUCCESS);
1130 }
1131
1132
1133 /*************************************************
1134 * Listener socket for local work prompts *
1135 *************************************************/
1136
1137 static void
daemon_notifier_socket(void)1138 daemon_notifier_socket(void)
1139 {
1140 int fd;
1141 const uschar * where;
1142 struct sockaddr_un sa_un = {.sun_family = AF_UNIX};
1143 int len;
1144
1145 if (!notifier_socket || !*notifier_socket)
1146 {
1147 DEBUG(D_any) debug_printf("-oY used so not creating notifier socket\n");
1148 return;
1149 }
1150 if (override_local_interfaces && !override_pid_file_path)
1151 {
1152 DEBUG(D_any)
1153 debug_printf("-oX used without -oP so not creating notifier socket\n");
1154 return;
1155 }
1156
1157 DEBUG(D_any) debug_printf("creating notifier socket\n");
1158
1159 #ifdef SOCK_CLOEXEC
1160 if ((fd = socket(PF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0)) < 0)
1161 { where = US"socket"; goto bad; }
1162 #else
1163 if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) < 0)
1164 { where = US"socket"; goto bad; }
1165 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
1166 #endif
1167
1168 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1169 sa_un.sun_path[0] = 0; /* Abstract local socket addr - Linux-specific? */
1170 len = offsetof(struct sockaddr_un, sun_path) + 1
1171 + snprintf(sa_un.sun_path+1, sizeof(sa_un.sun_path)-1, "%s",
1172 expand_string(notifier_socket));
1173 DEBUG(D_any) debug_printf(" @%s\n", sa_un.sun_path+1);
1174 #else /* filesystem-visible and persistent; will neeed removal */
1175 len = offsetof(struct sockaddr_un, sun_path)
1176 + snprintf(sa_un.sun_path, sizeof(sa_un.sun_path), "%s",
1177 expand_string(notifier_socket));
1178 DEBUG(D_any) debug_printf(" %s\n", sa_un.sun_path);
1179 #endif
1180
1181 if (bind(fd, (const struct sockaddr *)&sa_un, len) < 0)
1182 { where = US"bind"; goto bad; }
1183
1184 #ifdef SO_PASSCRED /* Linux */
1185 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) < 0)
1186 { where = US"SO_PASSCRED"; goto bad2; }
1187 #elif defined(LOCAL_CREDS) /* FreeBSD-ish */
1188 if (setsockopt(fd, 0, LOCAL_CREDS, &on, sizeof(on)) < 0)
1189 { where = US"LOCAL_CREDS"; goto bad2; }
1190 #endif
1191
1192 /* debug_printf("%s: fd %d\n", __FUNCTION__, fd); */
1193 daemon_notifier_fd = fd;
1194 return;
1195
1196 bad2:
1197 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1198 Uunlink(sa_un.sun_path);
1199 #endif
1200 bad:
1201 log_write(0, LOG_MAIN|LOG_PANIC, "%s %s: %s",
1202 __FUNCTION__, where, strerror(errno));
1203 close(fd);
1204 return;
1205 }
1206
1207
1208 static uschar queuerun_msgid[MESSAGE_ID_LENGTH+1];
1209
1210 /* Return TRUE if a sigalrm should be emulated */
1211 static BOOL
daemon_notification(void)1212 daemon_notification(void)
1213 {
1214 uschar buf[256], cbuf[256];
1215 struct sockaddr_un sa_un;
1216 struct iovec iov = {.iov_base = buf, .iov_len = sizeof(buf)-1};
1217 struct msghdr msg = { .msg_name = &sa_un,
1218 .msg_namelen = sizeof(sa_un),
1219 .msg_iov = &iov,
1220 .msg_iovlen = 1,
1221 .msg_control = cbuf,
1222 .msg_controllen = sizeof(cbuf)
1223 };
1224 ssize_t sz;
1225
1226 buf[sizeof(buf)-1] = 0;
1227 if ((sz = recvmsg(daemon_notifier_fd, &msg, 0)) <= 0) return FALSE;
1228 if (sz >= sizeof(buf)) return FALSE;
1229
1230 #ifdef notdef
1231 debug_printf("addrlen %d\n", msg.msg_namelen);
1232 #endif
1233 DEBUG(D_queue_run) debug_printf("%s from addr '%s%.*s'\n", __FUNCTION__,
1234 *sa_un.sun_path ? "" : "@",
1235 (int)msg.msg_namelen - (*sa_un.sun_path ? 0 : 1),
1236 sa_un.sun_path + (*sa_un.sun_path ? 0 : 1));
1237
1238 /* Refuse to handle the item unless the peer has good credentials */
1239 #ifdef SCM_CREDENTIALS
1240 # define EXIM_SCM_CR_TYPE SCM_CREDENTIALS
1241 #elif defined(LOCAL_CREDS) && defined(SCM_CREDS)
1242 # define EXIM_SCM_CR_TYPE SCM_CREDS
1243 #else
1244 /* The OS has no way to get the creds of the caller (for a unix/datagram socket.
1245 Punt; don't try to check. */
1246 #endif
1247
1248 #ifdef EXIM_SCM_CR_TYPE
1249 for (struct cmsghdr * cp = CMSG_FIRSTHDR(&msg);
1250 cp;
1251 cp = CMSG_NXTHDR(&msg, cp))
1252 if (cp->cmsg_level == SOL_SOCKET && cp->cmsg_type == EXIM_SCM_CR_TYPE)
1253 {
1254 # ifdef SCM_CREDENTIALS /* Linux */
1255 struct ucred * cr = (struct ucred *) CMSG_DATA(cp);
1256 if (cr->uid && cr->uid != exim_uid)
1257 {
1258 DEBUG(D_queue_run) debug_printf("%s: sender creds pid %d uid %d gid %d\n",
1259 __FUNCTION__, (int)cr->pid, (int)cr->uid, (int)cr->gid);
1260 return FALSE;
1261 }
1262 # elif defined(LOCAL_CREDS) /* BSD-ish */
1263 struct sockcred * cr = (struct sockcred *) CMSG_DATA(cp);
1264 if (cr->sc_uid && cr->sc_uid != exim_uid)
1265 {
1266 DEBUG(D_queue_run) debug_printf("%s: sender creds pid ??? uid %d gid %d\n",
1267 __FUNCTION__, (int)cr->sc_uid, (int)cr->sc_gid);
1268 return FALSE;
1269 }
1270 # endif
1271 break;
1272 }
1273 #endif
1274
1275 buf[sz] = 0;
1276 switch (buf[0])
1277 {
1278 #ifndef DISABLE_QUEUE_RAMP
1279 case NOTIFY_MSG_QRUN:
1280 /* this should be a message_id */
1281 DEBUG(D_queue_run)
1282 debug_printf("%s: qrunner trigger: %s\n", __FUNCTION__, buf+1);
1283 memcpy(queuerun_msgid, buf+1, MESSAGE_ID_LENGTH+1);
1284 return TRUE;
1285 #endif
1286
1287 case NOTIFY_QUEUE_SIZE_REQ:
1288 {
1289 uschar buf[16];
1290 int len = snprintf(CS buf, sizeof(buf), "%u", queue_count_cached());
1291
1292 DEBUG(D_queue_run)
1293 debug_printf("%s: queue size request: %s\n", __FUNCTION__, buf);
1294
1295 if (sendto(daemon_notifier_fd, buf, len, 0,
1296 (const struct sockaddr *)&sa_un, msg.msg_namelen) < 0)
1297 log_write(0, LOG_MAIN|LOG_PANIC,
1298 "%s: sendto: %s\n", __FUNCTION__, strerror(errno));
1299 return FALSE;
1300 }
1301 }
1302 return FALSE;
1303 }
1304
1305
1306
1307
1308 /*************************************************
1309 * Exim Daemon Mainline *
1310 *************************************************/
1311
1312 /* The daemon can do two jobs, either of which is optional:
1313
1314 (1) Listens for incoming SMTP calls and spawns off a sub-process to handle
1315 each one. This is requested by the -bd option, with -oX specifying the SMTP
1316 port on which to listen (for testing).
1317
1318 (2) Spawns a queue-running process every so often. This is controlled by the
1319 -q option with a an interval time. (If no time is given, a single queue run
1320 is done from the main function, and control doesn't get here.)
1321
1322 Root privilege is required in order to attach to port 25. Some systems require
1323 it when calling socket() rather than bind(). To cope with all cases, we run as
1324 root for both socket() and bind(). Some systems also require root in order to
1325 write to the pid file directory. This function must therefore be called as root
1326 if it is to work properly in all circumstances. Once the socket is bound and
1327 the pid file written, root privilege is given up if there is an exim uid.
1328
1329 There are no arguments to this function, and it never returns. */
1330
1331 void
daemon_go(void)1332 daemon_go(void)
1333 {
1334 struct passwd * pw;
1335 struct pollfd * fd_polls, * tls_watch_poll = NULL, * dnotify_poll = NULL;
1336 int listen_socket_count = 0, poll_fd_count;
1337 ip_address_item * addresses = NULL;
1338 time_t last_connection_time = (time_t)0;
1339 int local_queue_run_max = atoi(CS expand_string(queue_run_max));
1340
1341 process_purpose = US"daemon";
1342
1343 /* If any debugging options are set, turn on the D_pid bit so that all
1344 debugging lines get the pid added. */
1345
1346 DEBUG(D_any|D_v) debug_selector |= D_pid;
1347
1348 /* Allocate enough pollstructs for inetd mode plus the ancillary sockets;
1349 also used when there are no listen sockets. */
1350
1351 fd_polls = store_get(sizeof(struct pollfd) * 3, FALSE);
1352
1353 if (f.inetd_wait_mode)
1354 {
1355 listen_socket_count = 1;
1356 (void) close(3);
1357 if (dup2(0, 3) == -1)
1358 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1359 "failed to dup inetd socket safely away: %s", strerror(errno));
1360
1361 fd_polls[0].fd = 3;
1362 fd_polls[0].events = POLLIN;
1363 (void) close(0);
1364 (void) close(1);
1365 (void) close(2);
1366 exim_nullstd();
1367
1368 if (debug_file == stderr)
1369 {
1370 /* need a call to log_write before call to open debug_file, so that
1371 log.c:file_path has been initialised. This is unfortunate. */
1372 log_write(0, LOG_MAIN, "debugging Exim in inetd wait mode starting");
1373
1374 fclose(debug_file);
1375 debug_file = NULL;
1376 exim_nullstd(); /* re-open fd2 after we just closed it again */
1377 debug_logging_activate(US"-wait", NULL);
1378 }
1379
1380 DEBUG(D_any) debug_printf("running in inetd wait mode\n");
1381
1382 /* As per below, when creating sockets ourselves, we handle tcp_nodelay for
1383 our own buffering; we assume though that inetd set the socket REUSEADDR. */
1384
1385 if (tcp_nodelay)
1386 if (setsockopt(3, IPPROTO_TCP, TCP_NODELAY, US &on, sizeof(on)))
1387 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to set socket NODELAY: %s",
1388 strerror(errno));
1389 }
1390
1391
1392 if (f.inetd_wait_mode || f.daemon_listen)
1393 {
1394 /* If any option requiring a load average to be available during the
1395 reception of a message is set, call os_getloadavg() while we are root
1396 for those OS for which this is necessary the first time it is called (in
1397 order to perform an "open" on the kernel memory file). */
1398
1399 #ifdef LOAD_AVG_NEEDS_ROOT
1400 if (queue_only_load >= 0 || smtp_load_reserve >= 0 ||
1401 (deliver_queue_load_max >= 0 && deliver_drop_privilege))
1402 (void)os_getloadavg();
1403 #endif
1404 }
1405
1406
1407 /* Do the preparation for setting up a listener on one or more interfaces, and
1408 possible on various ports. This is controlled by the combination of
1409 local_interfaces (which can set IP addresses and ports) and daemon_smtp_port
1410 (which is a list of default ports to use for those items in local_interfaces
1411 that do not specify a port). The -oX command line option can be used to
1412 override one or both of these options.
1413
1414 If local_interfaces is not set, the default is to listen on all interfaces.
1415 When it is set, it can include "all IPvx interfaces" as an item. This is useful
1416 when different ports are in use.
1417
1418 It turns out that listening on all interfaces is messy in an IPv6 world,
1419 because several different implementation approaches have been taken. This code
1420 is now supposed to work with all of them. The point of difference is whether an
1421 IPv6 socket that is listening on all interfaces will receive incoming IPv4
1422 calls or not. We also have to cope with the case when IPv6 libraries exist, but
1423 there is no IPv6 support in the kernel.
1424
1425 . On Solaris, an IPv6 socket will accept IPv4 calls, and give them as mapped
1426 addresses. However, if an IPv4 socket is also listening on all interfaces,
1427 calls are directed to the appropriate socket.
1428
1429 . On (some versions of) Linux, an IPv6 socket will accept IPv4 calls, and
1430 give them as mapped addresses, but an attempt also to listen on an IPv4
1431 socket on all interfaces causes an error.
1432
1433 . On OpenBSD, an IPv6 socket will not accept IPv4 calls. You have to set up
1434 two sockets if you want to accept both kinds of call.
1435
1436 . FreeBSD is like OpenBSD, but it has the IPV6_V6ONLY socket option, which
1437 can be turned off, to make it behave like the versions of Linux described
1438 above.
1439
1440 . I heard a report that the USAGI IPv6 stack for Linux has implemented
1441 IPV6_V6ONLY.
1442
1443 So, what we do when IPv6 is supported is as follows:
1444
1445 (1) After it is set up, the list of interfaces is scanned for wildcard
1446 addresses. If an IPv6 and an IPv4 wildcard are both found for the same
1447 port, the list is re-arranged so that they are together, with the IPv6
1448 wildcard first.
1449
1450 (2) If the creation of a wildcard IPv6 socket fails, we just log the error and
1451 carry on if an IPv4 wildcard socket for the same port follows later in the
1452 list. This allows Exim to carry on in the case when the kernel has no IPv6
1453 support.
1454
1455 (3) Having created an IPv6 wildcard socket, we try to set IPV6_V6ONLY if that
1456 option is defined. However, if setting fails, carry on regardless (but log
1457 the incident).
1458
1459 (4) If binding or listening on an IPv6 wildcard socket fails, it is a serious
1460 error.
1461
1462 (5) If binding or listening on an IPv4 wildcard socket fails with the error
1463 EADDRINUSE, and a previous interface was an IPv6 wildcard for the same
1464 port (which must have succeeded or we wouldn't have got this far), we
1465 assume we are in the situation where just a single socket is permitted,
1466 and ignore the error.
1467
1468 Phew!
1469
1470 The preparation code decodes options and sets up the relevant data. We do this
1471 first, so that we can return non-zero if there are any syntax errors, and also
1472 write to stderr. */
1473
1474 if (f.daemon_listen && !f.inetd_wait_mode)
1475 {
1476 int *default_smtp_port;
1477 int sep;
1478 int pct = 0;
1479 uschar *s;
1480 const uschar * list;
1481 uschar *local_iface_source = US"local_interfaces";
1482 ip_address_item *ipa;
1483 ip_address_item **pipa;
1484
1485 /* If -oX was used, disable the writing of a pid file unless -oP was
1486 explicitly used to force it. Then scan the string given to -oX. Any items
1487 that contain neither a dot nor a colon are used to override daemon_smtp_port.
1488 Any other items are used to override local_interfaces. */
1489
1490 if (override_local_interfaces)
1491 {
1492 gstring * new_smtp_port = NULL;
1493 gstring * new_local_interfaces = NULL;
1494
1495 if (!override_pid_file_path) write_pid = FALSE;
1496
1497 list = override_local_interfaces;
1498 sep = 0;
1499 while ((s = string_nextinlist(&list, &sep, NULL, 0)))
1500 {
1501 uschar joinstr[4];
1502 gstring ** gp = Ustrpbrk(s, ".:") ? &new_local_interfaces : &new_smtp_port;
1503
1504 if (!*gp)
1505 {
1506 joinstr[0] = sep;
1507 joinstr[1] = ' ';
1508 *gp = string_catn(*gp, US"<", 1);
1509 }
1510
1511 *gp = string_catn(*gp, joinstr, 2);
1512 *gp = string_cat (*gp, s);
1513 }
1514
1515 if (new_smtp_port)
1516 {
1517 daemon_smtp_port = string_from_gstring(new_smtp_port);
1518 DEBUG(D_any) debug_printf("daemon_smtp_port overridden by -oX:\n %s\n",
1519 daemon_smtp_port);
1520 }
1521
1522 if (new_local_interfaces)
1523 {
1524 local_interfaces = string_from_gstring(new_local_interfaces);
1525 local_iface_source = US"-oX data";
1526 DEBUG(D_any) debug_printf("local_interfaces overridden by -oX:\n %s\n",
1527 local_interfaces);
1528 }
1529 }
1530
1531 /* Create a list of default SMTP ports, to be used if local_interfaces
1532 contains entries without explicit ports. First count the number of ports, then
1533 build a translated list in a vector. */
1534
1535 list = daemon_smtp_port;
1536 sep = 0;
1537 while ((s = string_nextinlist(&list, &sep, NULL, 0)))
1538 pct++;
1539 default_smtp_port = store_get((pct+1) * sizeof(int), FALSE);
1540 list = daemon_smtp_port;
1541 sep = 0;
1542 for (pct = 0;
1543 (s = string_nextinlist(&list, &sep, NULL, 0));
1544 pct++)
1545 {
1546 if (isdigit(*s))
1547 {
1548 uschar *end;
1549 default_smtp_port[pct] = Ustrtol(s, &end, 0);
1550 if (end != s + Ustrlen(s))
1551 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "invalid SMTP port: %s", s);
1552 }
1553 else
1554 {
1555 struct servent *smtp_service = getservbyname(CS s, "tcp");
1556 if (!smtp_service)
1557 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
1558 default_smtp_port[pct] = ntohs(smtp_service->s_port);
1559 }
1560 }
1561 default_smtp_port[pct] = 0;
1562
1563 /* Check the list of TLS-on-connect ports and do name lookups if needed */
1564
1565 list = tls_in.on_connect_ports;
1566 sep = 0;
1567 /* the list isn't expanded so cannot be tainted. If it ever is we will trap here */
1568 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1569 if (!isdigit(*s))
1570 {
1571 gstring * g = NULL;
1572
1573 list = tls_in.on_connect_ports;
1574 tls_in.on_connect_ports = NULL;
1575 sep = 0;
1576 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1577 {
1578 if (!isdigit(*s))
1579 {
1580 struct servent * smtp_service = getservbyname(CS s, "tcp");
1581 if (!smtp_service)
1582 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
1583 s = string_sprintf("%d", (int)ntohs(smtp_service->s_port));
1584 }
1585 g = string_append_listele(g, ':', s);
1586 }
1587 if (g)
1588 tls_in.on_connect_ports = g->s;
1589 break;
1590 }
1591
1592 /* Create the list of local interfaces, possibly with ports included. This
1593 list may contain references to 0.0.0.0 and ::0 as wildcards. These special
1594 values are converted below. */
1595
1596 addresses = host_build_ifacelist(local_interfaces, local_iface_source);
1597
1598 /* In the list of IP addresses, convert 0.0.0.0 into an empty string, and ::0
1599 into the string ":". We use these to recognize wildcards in IPv4 and IPv6. In
1600 fact, many IP stacks recognize 0.0.0.0 and ::0 and handle them as wildcards
1601 anyway, but we need to know which are the wildcard addresses, and the shorter
1602 strings are neater.
1603
1604 In the same scan, fill in missing port numbers from the default list. When
1605 there is more than one item in the list, extra items are created. */
1606
1607 for (ipa = addresses; ipa; ipa = ipa->next)
1608 {
1609 if (Ustrcmp(ipa->address, "0.0.0.0") == 0)
1610 ipa->address[0] = 0;
1611 else if (Ustrcmp(ipa->address, "::0") == 0)
1612 {
1613 ipa->address[0] = ':';
1614 ipa->address[1] = 0;
1615 }
1616
1617 if (ipa->port > 0) continue;
1618
1619 if (daemon_smtp_port[0] <= 0)
1620 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "no port specified for interface "
1621 "%s and daemon_smtp_port is unset; cannot start daemon",
1622 ipa->address[0] == 0 ? US"\"all IPv4\"" :
1623 ipa->address[1] == 0 ? US"\"all IPv6\"" : ipa->address);
1624
1625 ipa->port = default_smtp_port[0];
1626 for (int i = 1; default_smtp_port[i] > 0; i++)
1627 {
1628 ip_address_item *new = store_get(sizeof(ip_address_item), FALSE);
1629
1630 memcpy(new->address, ipa->address, Ustrlen(ipa->address) + 1);
1631 new->port = default_smtp_port[i];
1632 new->next = ipa->next;
1633 ipa->next = new;
1634 ipa = new;
1635 }
1636 }
1637
1638 /* Scan the list of addresses for wildcards. If we find an IPv4 and an IPv6
1639 wildcard for the same port, ensure that (a) they are together and (b) the
1640 IPv6 address comes first. This makes handling the messy features easier, and
1641 also simplifies the construction of the "daemon started" log line. */
1642
1643 pipa = &addresses;
1644 for (ipa = addresses; ipa; pipa = &ipa->next, ipa = ipa->next)
1645 {
1646 ip_address_item *ipa2;
1647
1648 /* Handle an IPv4 wildcard */
1649
1650 if (ipa->address[0] == 0)
1651 for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
1652 {
1653 ip_address_item *ipa3 = ipa2->next;
1654 if (ipa3->address[0] == ':' &&
1655 ipa3->address[1] == 0 &&
1656 ipa3->port == ipa->port)
1657 {
1658 ipa2->next = ipa3->next;
1659 ipa3->next = ipa;
1660 *pipa = ipa3;
1661 break;
1662 }
1663 }
1664
1665 /* Handle an IPv6 wildcard. */
1666
1667 else if (ipa->address[0] == ':' && ipa->address[1] == 0)
1668 for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
1669 {
1670 ip_address_item *ipa3 = ipa2->next;
1671 if (ipa3->address[0] == 0 && ipa3->port == ipa->port)
1672 {
1673 ipa2->next = ipa3->next;
1674 ipa3->next = ipa->next;
1675 ipa->next = ipa3;
1676 ipa = ipa3;
1677 break;
1678 }
1679 }
1680 }
1681
1682 /* Get a vector to remember all the sockets in.
1683 Two extra elements for the ancillary sockets */
1684
1685 for (ipa = addresses; ipa; ipa = ipa->next)
1686 listen_socket_count++;
1687 fd_polls = store_get(sizeof(struct pollfd) * (listen_socket_count + 2),
1688 FALSE);
1689 for (struct pollfd * p = fd_polls; p < fd_polls + listen_socket_count + 2;
1690 p++)
1691 { p->fd = -1; p->events = POLLIN; }
1692
1693 } /* daemon_listen but not inetd_wait_mode */
1694
1695 if (f.daemon_listen)
1696 {
1697
1698 /* Do a sanity check on the max connects value just to save us from getting
1699 a huge amount of store. */
1700
1701 if (smtp_accept_max > 4095) smtp_accept_max = 4096;
1702
1703 /* There's no point setting smtp_accept_queue unless it is less than the max
1704 connects limit. The configuration reader ensures that the max is set if the
1705 queue-only option is set. */
1706
1707 if (smtp_accept_queue > smtp_accept_max) smtp_accept_queue = 0;
1708
1709 /* Get somewhere to keep the list of SMTP accepting pids if we are keeping
1710 track of them for total number and queue/host limits. */
1711
1712 if (smtp_accept_max > 0)
1713 {
1714 smtp_slots = store_get(smtp_accept_max * sizeof(smtp_slot), FALSE);
1715 for (int i = 0; i < smtp_accept_max; i++) smtp_slots[i] = empty_smtp_slot;
1716 }
1717 }
1718
1719 /* The variable background_daemon is always false when debugging, but
1720 can also be forced false in order to keep a non-debugging daemon in the
1721 foreground. If background_daemon is true, close all open file descriptors that
1722 we know about, but then re-open stdin, stdout, and stderr to /dev/null. Also
1723 do this for inetd_wait mode.
1724
1725 This is protection against any called functions (in libraries, or in
1726 Perl, or whatever) that think they can write to stderr (or stdout). Before this
1727 was added, it was quite likely that an SMTP connection would use one of these
1728 file descriptors, in which case writing random stuff to it caused chaos.
1729
1730 Then disconnect from the controlling terminal, Most modern Unixes seem to have
1731 setsid() for getting rid of the controlling terminal. For any OS that doesn't,
1732 setsid() can be #defined as a no-op, or as something else. */
1733
1734 if (f.background_daemon || f.inetd_wait_mode)
1735 {
1736 log_close_all(); /* Just in case anything was logged earlier */
1737 search_tidyup(); /* Just in case any were used in reading the config. */
1738 (void)close(0); /* Get rid of stdin/stdout/stderr */
1739 (void)close(1);
1740 (void)close(2);
1741 exim_nullstd(); /* Connect stdin/stdout/stderr to /dev/null */
1742 log_stderr = NULL; /* So no attempt to copy paniclog output */
1743 }
1744
1745 if (f.background_daemon)
1746 {
1747 /* If the parent process of this one has pid == 1, we are re-initializing the
1748 daemon as the result of a SIGHUP. In this case, there is no need to do
1749 anything, because the controlling terminal has long gone. Otherwise, fork, in
1750 case current process is a process group leader (see 'man setsid' for an
1751 explanation) before calling setsid(). */
1752
1753 if (getppid() != 1)
1754 {
1755 pid_t pid = exim_fork(US"daemon");
1756 if (pid < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1757 "fork() failed when starting daemon: %s", strerror(errno));
1758 if (pid > 0) exit(EXIT_SUCCESS); /* in parent process, just exit */
1759 (void)setsid(); /* release controlling terminal */
1760 }
1761 }
1762
1763 /* We are now in the disconnected, daemon process (unless debugging). Set up
1764 the listening sockets if required. */
1765
1766 daemon_notifier_socket();
1767
1768 if (f.daemon_listen && !f.inetd_wait_mode)
1769 {
1770 int sk;
1771 ip_address_item *ipa;
1772
1773 /* For each IP address, create a socket, bind it to the appropriate port, and
1774 start listening. See comments above about IPv6 sockets that may or may not
1775 accept IPv4 calls when listening on all interfaces. We also have to cope with
1776 the case of a system with IPv6 libraries, but no IPv6 support in the kernel.
1777 listening, provided a wildcard IPv4 socket for the same port follows. */
1778
1779 for (ipa = addresses, sk = 0; sk < listen_socket_count; ipa = ipa->next, sk++)
1780 {
1781 BOOL wildcard;
1782 ip_address_item * ipa2;
1783 int fd, af;
1784
1785 if (Ustrchr(ipa->address, ':') != NULL)
1786 {
1787 af = AF_INET6;
1788 wildcard = ipa->address[1] == 0;
1789 }
1790 else
1791 {
1792 af = AF_INET;
1793 wildcard = ipa->address[0] == 0;
1794 }
1795
1796 if ((fd_polls[sk].fd = fd = ip_socket(SOCK_STREAM, af)) < 0)
1797 {
1798 if (check_special_case(0, addresses, ipa, FALSE))
1799 {
1800 log_write(0, LOG_MAIN, "Failed to create IPv6 socket for wildcard "
1801 "listening (%s): will use IPv4", strerror(errno));
1802 goto SKIP_SOCKET;
1803 }
1804 log_write(0, LOG_PANIC_DIE, "IPv%c socket creation failed: %s",
1805 af == AF_INET6 ? '6' : '4', strerror(errno));
1806 }
1807
1808 /* If this is an IPv6 wildcard socket, set IPV6_V6ONLY if that option is
1809 available. Just log failure (can get protocol not available, just like
1810 socket creation can). */
1811
1812 #ifdef IPV6_V6ONLY
1813 if (af == AF_INET6 && wildcard &&
1814 setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
1815 log_write(0, LOG_MAIN, "Setting IPV6_V6ONLY on daemon's IPv6 wildcard "
1816 "socket failed (%s): carrying on without it", strerror(errno));
1817 #endif /* IPV6_V6ONLY */
1818
1819 /* Set SO_REUSEADDR so that the daemon can be restarted while a connection
1820 is being handled. Without this, a connection will prevent reuse of the
1821 smtp port for listening. */
1822
1823 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0)
1824 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "setting SO_REUSEADDR on socket "
1825 "failed when starting daemon: %s", strerror(errno));
1826
1827 /* Set TCP_NODELAY; Exim does its own buffering. There is a switch to
1828 disable this because it breaks some broken clients. */
1829
1830 if (tcp_nodelay) setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on));
1831
1832 /* Now bind the socket to the required port; if Exim is being restarted
1833 it may not always be possible to bind immediately, even with SO_REUSEADDR
1834 set, so try 10 times, waiting between each try. After 10 failures, we give
1835 up. In an IPv6 environment, if bind () fails with the error EADDRINUSE and
1836 we are doing wildcard IPv4 listening and there was a previous IPv6 wildcard
1837 address for the same port, ignore the error on the grounds that we must be
1838 in a system where the IPv6 socket accepts both kinds of call. This is
1839 necessary for (some release of) USAGI Linux; other IP stacks fail at the
1840 listen() stage instead. */
1841
1842 #ifdef TCP_FASTOPEN
1843 f.tcp_fastopen_ok = TRUE;
1844 #endif
1845 for(;;)
1846 {
1847 uschar *msg, *addr;
1848 if (ip_bind(fd, af, ipa->address, ipa->port) >= 0) break;
1849 if (check_special_case(errno, addresses, ipa, TRUE))
1850 {
1851 DEBUG(D_any) debug_printf("wildcard IPv4 bind() failed after IPv6 "
1852 "listen() success; EADDRINUSE ignored\n");
1853 (void)close(fd);
1854 goto SKIP_SOCKET;
1855 }
1856 msg = US strerror(errno);
1857 addr = wildcard
1858 ? af == AF_INET6
1859 ? US"(any IPv6)"
1860 : US"(any IPv4)"
1861 : ipa->address;
1862 if (daemon_startup_retries <= 0)
1863 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1864 "socket bind() to port %d for address %s failed: %s: "
1865 "daemon abandoned", ipa->port, addr, msg);
1866 log_write(0, LOG_MAIN, "socket bind() to port %d for address %s "
1867 "failed: %s: waiting %s before trying again (%d more %s)",
1868 ipa->port, addr, msg, readconf_printtime(daemon_startup_sleep),
1869 daemon_startup_retries, (daemon_startup_retries > 1)? "tries" : "try");
1870 daemon_startup_retries--;
1871 sleep(daemon_startup_sleep);
1872 }
1873
1874 DEBUG(D_any)
1875 if (wildcard)
1876 debug_printf("listening on all interfaces (IPv%c) port %d\n",
1877 af == AF_INET6 ? '6' : '4', ipa->port);
1878 else
1879 debug_printf("listening on %s port %d\n", ipa->address, ipa->port);
1880
1881 /* Start listening on the bound socket, establishing the maximum backlog of
1882 connections that is allowed. On success, add to the set of sockets for select
1883 and continue to the next address. */
1884
1885 #if defined(TCP_FASTOPEN) && !defined(__APPLE__)
1886 if ( f.tcp_fastopen_ok
1887 && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN,
1888 &smtp_connect_backlog, sizeof(smtp_connect_backlog)))
1889 {
1890 DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
1891 f.tcp_fastopen_ok = FALSE;
1892 }
1893 #endif
1894 if (listen(fd, smtp_connect_backlog) >= 0)
1895 {
1896 #if defined(TCP_FASTOPEN) && defined(__APPLE__)
1897 if ( f.tcp_fastopen_ok
1898 && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &on, sizeof(on)))
1899 {
1900 DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
1901 f.tcp_fastopen_ok = FALSE;
1902 }
1903 #endif
1904 fd_polls[sk].fd = fd;
1905 continue;
1906 }
1907
1908 /* Listening has failed. In an IPv6 environment, as for bind(), if listen()
1909 fails with the error EADDRINUSE and we are doing IPv4 wildcard listening
1910 and there was a previous successful IPv6 wildcard listen on the same port,
1911 we want to ignore the error on the grounds that we must be in a system
1912 where the IPv6 socket accepts both kinds of call. */
1913
1914 if (!check_special_case(errno, addresses, ipa, TRUE))
1915 log_write(0, LOG_PANIC_DIE, "listen() failed on interface %s: %s",
1916 wildcard
1917 ? af == AF_INET6 ? US"(any IPv6)" : US"(any IPv4)" : ipa->address,
1918 strerror(errno));
1919
1920 DEBUG(D_any) debug_printf("wildcard IPv4 listen() failed after IPv6 "
1921 "listen() success; EADDRINUSE ignored\n");
1922 (void)close(fd);
1923
1924 /* Come here if there has been a problem with the socket which we
1925 are going to ignore. We remove the address from the chain, and back up the
1926 counts. */
1927
1928 SKIP_SOCKET:
1929 sk--; /* Back up the count */
1930 listen_socket_count--; /* Reduce the total */
1931 if (ipa == addresses) addresses = ipa->next; else
1932 {
1933 for (ipa2 = addresses; ipa2->next != ipa; ipa2 = ipa2->next);
1934 ipa2->next = ipa->next;
1935 ipa = ipa2;
1936 }
1937 } /* End of bind/listen loop for each address */
1938 } /* End of setup for listening */
1939
1940
1941 /* If we are not listening, we want to write a pid file only if -oP was
1942 explicitly given. */
1943
1944 else if (!override_pid_file_path)
1945 write_pid = FALSE;
1946
1947 /* Write the pid to a known file for assistance in identification, if required.
1948 We do this before giving up root privilege, because on some systems it is
1949 necessary to be root in order to write into the pid file directory. There's
1950 nothing to stop multiple daemons running, as long as no more than one listens
1951 on a given TCP/IP port on the same interface(s). However, in these
1952 circumstances it gets far too complicated to mess with pid file names
1953 automatically. Consequently, Exim 4 writes a pid file only
1954
1955 (a) When running in the test harness, or
1956 (b) When -bd is used and -oX is not used, or
1957 (c) When -oP is used to supply a path.
1958
1959 The variable daemon_write_pid is used to control this. */
1960
1961 if (f.running_in_test_harness || write_pid)
1962 {
1963 const enum pid_op operation = (f.running_in_test_harness
1964 || real_uid == root_uid
1965 || (real_uid == exim_uid && !override_pid_file_path)) ? PID_WRITE : PID_CHECK;
1966 if (!operate_on_pid_file(operation, getpid()))
1967 DEBUG(D_any) debug_printf("%s pid file %s: %s\n", (operation == PID_WRITE) ? "write" : "check", pid_file_path, strerror(errno));
1968 }
1969
1970 /* Set up the handler for SIGHUP, which causes a restart of the daemon. */
1971
1972 sighup_seen = FALSE;
1973 signal(SIGHUP, sighup_handler);
1974
1975 /* Give up root privilege at this point (assuming that exim_uid and exim_gid
1976 are not root). The third argument controls the running of initgroups().
1977 Normally we do this, in order to set up the groups for the Exim user. However,
1978 if we are not root at this time - some odd installations run that way - we
1979 cannot do this. */
1980
1981 exim_setugid(exim_uid, exim_gid, geteuid()==root_uid, US"running as a daemon");
1982
1983 /* Update the originator_xxx fields so that received messages as listed as
1984 coming from Exim, not whoever started the daemon. */
1985
1986 originator_uid = exim_uid;
1987 originator_gid = exim_gid;
1988 originator_login = (pw = getpwuid(exim_uid))
1989 ? string_copy_perm(US pw->pw_name, FALSE) : US"exim";
1990
1991 /* Get somewhere to keep the list of queue-runner pids if we are keeping track
1992 of them (and also if we are doing queue runs). */
1993
1994 if (queue_interval > 0 && local_queue_run_max > 0)
1995 {
1996 queue_pid_slots = store_get(local_queue_run_max * sizeof(pid_t), FALSE);
1997 for (int i = 0; i < local_queue_run_max; i++) queue_pid_slots[i] = 0;
1998 }
1999
2000 /* Set up the handler for termination of child processes, and the one
2001 telling us to die. */
2002
2003 sigchld_seen = FALSE;
2004 os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
2005
2006 sigterm_seen = FALSE;
2007 os_non_restarting_signal(SIGTERM, main_sigterm_handler);
2008 os_non_restarting_signal(SIGINT, main_sigterm_handler);
2009
2010 /* If we are to run the queue periodically, pretend the alarm has just gone
2011 off. This will cause the first queue-runner to get kicked off straight away. */
2012
2013 sigalrm_seen = (queue_interval > 0);
2014
2015 /* Log the start up of a daemon - at least one of listening or queue running
2016 must be set up. */
2017
2018 if (f.inetd_wait_mode)
2019 {
2020 uschar *p = big_buffer;
2021
2022 if (inetd_wait_timeout >= 0)
2023 sprintf(CS p, "terminating after %d seconds", inetd_wait_timeout);
2024 else
2025 sprintf(CS p, "with no wait timeout");
2026
2027 log_write(0, LOG_MAIN,
2028 "exim %s daemon started: pid=%d, launched with listening socket, %s",
2029 version_string, getpid(), big_buffer);
2030 set_process_info("daemon(%s): pre-listening socket", version_string);
2031
2032 /* set up the timeout logic */
2033 sigalrm_seen = TRUE;
2034 }
2035
2036 else if (f.daemon_listen)
2037 {
2038 int smtp_ports = 0;
2039 int smtps_ports = 0;
2040 ip_address_item * ipa;
2041 uschar * p;
2042 uschar * qinfo = queue_interval > 0
2043 ? string_sprintf("-q%s%s",
2044 f.queue_2stage ? "q" : "", readconf_printtime(queue_interval))
2045 : US"no queue runs";
2046
2047 /* Build a list of listening addresses in big_buffer, but limit it to 10
2048 items. The style is for backwards compatibility.
2049
2050 It is now possible to have some ports listening for SMTPS (the old,
2051 deprecated protocol that starts TLS without using STARTTLS), and others
2052 listening for standard SMTP. Keep their listings separate. */
2053
2054 for (int j = 0, i; j < 2; j++)
2055 {
2056 for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
2057 {
2058 /* First time round, look for SMTP ports; second time round, look for
2059 SMTPS ports. Build IP+port strings. */
2060
2061 if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
2062 {
2063 if (j == 0)
2064 smtp_ports++;
2065 else
2066 smtps_ports++;
2067
2068 /* Now the information about the port (and sometimes interface) */
2069
2070 if (ipa->address[0] == ':' && ipa->address[1] == 0)
2071 { /* v6 wildcard */
2072 if (ipa->next && ipa->next->address[0] == 0 &&
2073 ipa->next->port == ipa->port)
2074 {
2075 ipa->log = string_sprintf(" port %d (IPv6 and IPv4)", ipa->port);
2076 (ipa = ipa->next)->log = NULL;
2077 }
2078 else if (ipa->v6_include_v4)
2079 ipa->log = string_sprintf(" port %d (IPv6 with IPv4)", ipa->port);
2080 else
2081 ipa->log = string_sprintf(" port %d (IPv6)", ipa->port);
2082 }
2083 else if (ipa->address[0] == 0) /* v4 wildcard */
2084 ipa->log = string_sprintf(" port %d (IPv4)", ipa->port);
2085 else /* check for previously-seen IP */
2086 {
2087 ip_address_item * i2;
2088 for (i2 = addresses; i2 != ipa; i2 = i2->next)
2089 if ( host_is_tls_on_connect_port(i2->port) == (j > 0)
2090 && Ustrcmp(ipa->address, i2->address) == 0
2091 )
2092 { /* found; append port to list */
2093 for (p = i2->log; *p; ) p++; /* end of existing string */
2094 if (*--p == '}') *p = '\0'; /* drop EOL */
2095 while (isdigit(*--p)) ; /* char before port */
2096
2097 i2->log = *p == ':' /* no list yet? */
2098 ? string_sprintf("%.*s{%s,%d}",
2099 (int)(p - i2->log + 1), i2->log, p+1, ipa->port)
2100 : string_sprintf("%s,%d}", i2->log, ipa->port);
2101 ipa->log = NULL;
2102 break;
2103 }
2104 if (i2 == ipa) /* first-time IP */
2105 ipa->log = string_sprintf(" [%s]:%d", ipa->address, ipa->port);
2106 }
2107 }
2108 }
2109 }
2110
2111 p = big_buffer;
2112 for (int j = 0, i; j < 2; j++)
2113 {
2114 /* First time round, look for SMTP ports; second time round, look for
2115 SMTPS ports. For the first one of each, insert leading text. */
2116
2117 if (j == 0)
2118 {
2119 if (smtp_ports > 0)
2120 p += sprintf(CS p, "SMTP on");
2121 }
2122 else
2123 if (smtps_ports > 0)
2124 p += sprintf(CS p, "%sSMTPS on",
2125 smtp_ports == 0 ? "" : " and for ");
2126
2127 /* Now the information about the port (and sometimes interface) */
2128
2129 for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
2130 if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
2131 if (ipa->log)
2132 p += sprintf(CS p, "%s", ipa->log);
2133
2134 if (ipa)
2135 p += sprintf(CS p, " ...");
2136 }
2137
2138 log_write(0, LOG_MAIN,
2139 "exim %s daemon started: pid=%d, %s, listening for %s",
2140 version_string, getpid(), qinfo, big_buffer);
2141 set_process_info("daemon(%s): %s, listening for %s",
2142 version_string, qinfo, big_buffer);
2143 }
2144
2145 else
2146 {
2147 uschar * s = *queue_name
2148 ? string_sprintf("-qG%s/%s", queue_name, readconf_printtime(queue_interval))
2149 : string_sprintf("-q%s", readconf_printtime(queue_interval));
2150 log_write(0, LOG_MAIN,
2151 "exim %s daemon started: pid=%d, %s, not listening for SMTP",
2152 version_string, getpid(), s);
2153 set_process_info("daemon(%s): %s, not listening", version_string, s);
2154 }
2155
2156 /* Do any work it might be useful to amortize over our children
2157 (eg: compile regex) */
2158
2159 dns_pattern_init();
2160 smtp_deliver_init(); /* Used for callouts */
2161
2162 #ifndef DISABLE_DKIM
2163 {
2164 # ifdef MEASURE_TIMING
2165 struct timeval t0;
2166 gettimeofday(&t0, NULL);
2167 # endif
2168 dkim_exim_init();
2169 # ifdef MEASURE_TIMING
2170 report_time_since(&t0, US"dkim_exim_init (delta)");
2171 # endif
2172 }
2173 #endif
2174
2175 #ifdef WITH_CONTENT_SCAN
2176 malware_init();
2177 #endif
2178 #ifdef SUPPORT_SPF
2179 spf_init();
2180 #endif
2181 #ifndef DISABLE_TLS
2182 tls_daemon_init();
2183 #endif
2184
2185 /* Add ancillary sockets to the set for select */
2186
2187 poll_fd_count = listen_socket_count;
2188 #ifndef DISABLE_TLS
2189 if (tls_watch_fd >= 0)
2190 {
2191 tls_watch_poll = &fd_polls[poll_fd_count++];
2192 tls_watch_poll->fd = tls_watch_fd;
2193 tls_watch_poll->events = POLLIN;
2194 }
2195 #endif
2196 if (daemon_notifier_fd >= 0)
2197 {
2198 dnotify_poll = &fd_polls[poll_fd_count++];
2199 dnotify_poll->fd = daemon_notifier_fd;
2200 dnotify_poll->events = POLLIN;
2201 }
2202
2203 /* Close the log so it can be renamed and moved. In the few cases below where
2204 this long-running process writes to the log (always exceptional conditions), it
2205 closes the log afterwards, for the same reason. */
2206
2207 log_close_all();
2208
2209 DEBUG(D_any) debug_print_ids(US"daemon running with");
2210
2211 /* Any messages accepted via this route are going to be SMTP. */
2212
2213 smtp_input = TRUE;
2214
2215 #ifdef MEASURE_TIMING
2216 report_time_since(×tamp_startup, US"daemon loop start"); /* testcase 0022 */
2217 #endif
2218
2219 /* Enter the never-ending loop... */
2220
2221 for (;;)
2222 {
2223 pid_t pid;
2224
2225 if (sigterm_seen)
2226 daemon_die(); /* Does not return */
2227
2228 /* This code is placed first in the loop, so that it gets obeyed at the
2229 start, before the first wait, for the queue-runner case, so that the first
2230 one can be started immediately.
2231
2232 The other option is that we have an inetd wait timeout specified to -bw. */
2233
2234 if (sigalrm_seen)
2235 {
2236 if (inetd_wait_timeout > 0)
2237 {
2238 time_t resignal_interval = inetd_wait_timeout;
2239
2240 if (last_connection_time == (time_t)0)
2241 {
2242 DEBUG(D_any)
2243 debug_printf("inetd wait timeout expired, but still not seen first message, ignoring\n");
2244 }
2245 else
2246 {
2247 time_t now = time(NULL);
2248 if (now == (time_t)-1)
2249 {
2250 DEBUG(D_any) debug_printf("failed to get time: %s\n", strerror(errno));
2251 }
2252 else
2253 {
2254 if ((now - last_connection_time) >= inetd_wait_timeout)
2255 {
2256 DEBUG(D_any)
2257 debug_printf("inetd wait timeout %d expired, ending daemon\n",
2258 inetd_wait_timeout);
2259 log_write(0, LOG_MAIN, "exim %s daemon terminating, inetd wait timeout reached.\n",
2260 version_string);
2261 exit(EXIT_SUCCESS);
2262 }
2263 else
2264 {
2265 resignal_interval -= (now - last_connection_time);
2266 }
2267 }
2268 }
2269
2270 sigalrm_seen = FALSE;
2271 ALARM(resignal_interval);
2272 }
2273
2274 else
2275 {
2276 DEBUG(D_any) debug_printf("%s received\n",
2277 #ifndef DISABLE_QUEUE_RAMP
2278 *queuerun_msgid ? "qrun notification" :
2279 #endif
2280 "SIGALRM");
2281
2282 /* Do a full queue run in a child process, if required, unless we already
2283 have enough queue runners on the go. If we are not running as root, a
2284 re-exec is required. */
2285
2286 if ( queue_interval > 0
2287 && (local_queue_run_max <= 0 || queue_run_count < local_queue_run_max))
2288 {
2289 if ((pid = exim_fork(US"queue-runner")) == 0)
2290 {
2291 /* Disable debugging if it's required only for the daemon process. We
2292 leave the above message, because it ties up with the "child ended"
2293 debugging messages. */
2294
2295 if (f.debug_daemon) debug_selector = 0;
2296
2297 /* Close any open listening sockets in the child */
2298
2299 close_daemon_sockets(daemon_notifier_fd,
2300 fd_polls, listen_socket_count);
2301
2302 /* Reset SIGHUP and SIGCHLD in the child in both cases. */
2303
2304 signal(SIGHUP, SIG_DFL);
2305 signal(SIGCHLD, SIG_DFL);
2306 signal(SIGTERM, SIG_DFL);
2307 signal(SIGINT, SIG_DFL);
2308
2309 /* Re-exec if privilege has been given up, unless deliver_drop_
2310 privilege is set. Reset SIGALRM before exec(). */
2311
2312 if (geteuid() != root_uid && !deliver_drop_privilege)
2313 {
2314 uschar opt[8];
2315 uschar *p = opt;
2316 uschar *extra[7];
2317 int extracount = 1;
2318
2319 signal(SIGALRM, SIG_DFL);
2320 *p++ = '-';
2321 *p++ = 'q';
2322 if ( f.queue_2stage
2323 #ifndef DISABLE_QUEUE_RAMP
2324 && !*queuerun_msgid
2325 #endif
2326 ) *p++ = 'q';
2327 if (f.queue_run_first_delivery) *p++ = 'i';
2328 if (f.queue_run_force) *p++ = 'f';
2329 if (f.deliver_force_thaw) *p++ = 'f';
2330 if (f.queue_run_local) *p++ = 'l';
2331 *p = 0;
2332 extra[0] = *queue_name
2333 ? string_sprintf("%sG%s", opt, queue_name) : opt;
2334
2335 #ifndef DISABLE_QUEUE_RAMP
2336 if (*queuerun_msgid)
2337 {
2338 log_write(0, LOG_MAIN, "notify triggered queue run");
2339 extra[extracount++] = queuerun_msgid; /* Trigger only the */
2340 extra[extracount++] = queuerun_msgid; /* one message */
2341 }
2342 #endif
2343
2344 /* If -R or -S were on the original command line, ensure they get
2345 passed on. */
2346
2347 if (deliver_selectstring)
2348 {
2349 extra[extracount++] = f.deliver_selectstring_regex ? US"-Rr" : US"-R";
2350 extra[extracount++] = deliver_selectstring;
2351 }
2352
2353 if (deliver_selectstring_sender)
2354 {
2355 extra[extracount++] = f.deliver_selectstring_sender_regex
2356 ? US"-Sr" : US"-S";
2357 extra[extracount++] = deliver_selectstring_sender;
2358 }
2359
2360 /* Overlay this process with a new execution. */
2361
2362 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, extracount,
2363 extra[0], extra[1], extra[2], extra[3], extra[4], extra[5], extra[6]);
2364
2365 /* Control never returns here. */
2366 }
2367
2368 /* No need to re-exec; SIGALRM remains set to the default handler */
2369
2370 #ifndef DISABLE_QUEUE_RAMP
2371 if (*queuerun_msgid)
2372 {
2373 log_write(0, LOG_MAIN, "notify triggered queue run");
2374 f.queue_2stage = FALSE;
2375 queue_run(queuerun_msgid, queuerun_msgid, FALSE);
2376 }
2377 else
2378 #endif
2379 queue_run(NULL, NULL, FALSE);
2380 exim_underbar_exit(EXIT_SUCCESS);
2381 }
2382
2383 if (pid < 0)
2384 {
2385 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fork of queue-runner "
2386 "process failed: %s", strerror(errno));
2387 log_close_all();
2388 }
2389 else
2390 {
2391 for (int i = 0; i < local_queue_run_max; ++i)
2392 if (queue_pid_slots[i] <= 0)
2393 {
2394 queue_pid_slots[i] = pid;
2395 queue_run_count++;
2396 break;
2397 }
2398 DEBUG(D_any) debug_printf("%d queue-runner process%s running\n",
2399 queue_run_count, queue_run_count == 1 ? "" : "es");
2400 }
2401 }
2402
2403 /* Reset the alarm clock */
2404
2405 sigalrm_seen = FALSE;
2406 #ifndef DISABLE_QUEUE_RAMP
2407 if (*queuerun_msgid)
2408 *queuerun_msgid = 0;
2409 else
2410 #endif
2411 ALARM(queue_interval);
2412 }
2413
2414 } /* sigalrm_seen */
2415
2416
2417 /* Sleep till a connection happens if listening, and handle the connection if
2418 that is why we woke up. The FreeBSD operating system requires the use of
2419 select() before accept() because the latter function is not interrupted by
2420 a signal, and we want to wake up for SIGCHLD and SIGALRM signals. Some other
2421 OS do notice signals in accept() but it does no harm to have the select()
2422 in for all of them - and it won't then be a lurking problem for ports to
2423 new OS. In fact, the later addition of listening on specific interfaces only
2424 requires this way of working anyway. */
2425
2426 if (f.daemon_listen)
2427 {
2428 int lcount;
2429 BOOL select_failed = FALSE;
2430
2431 DEBUG(D_any) debug_printf("Listening...\n");
2432
2433 /* In rare cases we may have had a SIGCHLD signal in the time between
2434 setting the handler (below) and getting back here. If so, pretend that the
2435 select() was interrupted so that we reap the child. This might still leave
2436 a small window when a SIGCHLD could get lost. However, since we use SIGCHLD
2437 only to do the reaping more quickly, it shouldn't result in anything other
2438 than a delay until something else causes a wake-up. */
2439
2440 if (sigchld_seen)
2441 {
2442 lcount = -1;
2443 errno = EINTR;
2444 }
2445 else
2446 lcount = poll(fd_polls, poll_fd_count, -1);
2447
2448 if (lcount < 0)
2449 {
2450 select_failed = TRUE;
2451 lcount = 1;
2452 }
2453
2454 /* Clean up any subprocesses that may have terminated. We need to do this
2455 here so that smtp_accept_max_per_host works when a connection to that host
2456 has completed, and we are about to accept a new one. When this code was
2457 later in the sequence, a new connection could be rejected, even though an
2458 old one had just finished. Preserve the errno from any select() failure for
2459 the use of the common select/accept error processing below. */
2460
2461 {
2462 int select_errno = errno;
2463 handle_ending_processes();
2464
2465 #ifndef DISABLE_TLS
2466 {
2467 int old_tfd;
2468 /* Create or rotate any required keys; handle (delayed) filewatch event */
2469
2470 if ((old_tfd = tls_daemon_tick()) >= 0)
2471 for (struct pollfd * p = &fd_polls[listen_socket_count];
2472 p < fd_polls + poll_fd_count; p++)
2473 if (p->fd == old_tfd) { p->fd = tls_watch_fd ; break; }
2474 }
2475 #endif
2476 errno = select_errno;
2477 }
2478
2479 /* Loop for all the sockets that are currently ready to go. If select
2480 actually failed, we have set the count to 1 and select_failed=TRUE, so as
2481 to use the common error code for select/accept below. */
2482
2483 while (lcount-- > 0)
2484 {
2485 int accept_socket = -1;
2486 #if HAVE_IPV6
2487 struct sockaddr_in6 accepted;
2488 #else
2489 struct sockaddr_in accepted;
2490 #endif
2491
2492 if (!select_failed)
2493 {
2494 #if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
2495 if (tls_watch_poll && tls_watch_poll->revents & POLLIN)
2496 {
2497 tls_watch_poll->revents = 0;
2498 tls_watch_trigger_time = time(NULL); /* Set up delayed event */
2499 tls_watch_discard_event(tls_watch_fd);
2500 break; /* to top of daemon loop */
2501 }
2502 #endif
2503 if (dnotify_poll && dnotify_poll->revents & POLLIN)
2504 {
2505 dnotify_poll->revents = 0;
2506 sigalrm_seen = daemon_notification();
2507 break; /* to top of daemon loop */
2508 }
2509 for (struct pollfd * p = fd_polls; p < fd_polls + listen_socket_count;
2510 p++)
2511 if (p->revents & POLLIN)
2512 {
2513 EXIM_SOCKLEN_T alen = sizeof(accepted);
2514 #ifdef TCP_INFO
2515 struct tcp_info ti;
2516 socklen_t tlen = sizeof(ti);
2517
2518 /* If monitoring the backlog is wanted, grab for later logging */
2519
2520 smtp_listen_backlog = 0;
2521 if ( smtp_backlog_monitor > 0
2522 && getsockopt(p->fd, IPPROTO_TCP, TCP_INFO, &ti, &tlen) == 0)
2523 {
2524 # ifdef EXIM_HAVE_TCPI_UNACKED
2525 DEBUG(D_interface) debug_printf("listen fd %d queue max %u curr %u\n",
2526 p->fd, ti.tcpi_sacked, ti.tcpi_unacked);
2527 smtp_listen_backlog = ti.tcpi_unacked;
2528 # elif defined(__FreeBSD__) /* This does not work. Investigate kernel sourcecode. */
2529 DEBUG(D_interface) debug_printf("listen fd %d queue max %u curr %u\n",
2530 p->fd, ti.__tcpi_sacked, ti.__tcpi_unacked);
2531 smtp_listen_backlog = ti.__tcpi_unacked;
2532 # endif
2533 }
2534 #endif
2535 p->revents = 0;
2536 accept_socket = accept(p->fd, (struct sockaddr *)&accepted, &alen);
2537 break;
2538 }
2539 }
2540
2541 /* If select or accept has failed and this was not caused by an
2542 interruption, log the incident and try again. With asymmetric TCP/IP
2543 routing errors such as "No route to network" have been seen here. Also
2544 "connection reset by peer" has been seen. These cannot be classed as
2545 disastrous errors, but they could fill up a lot of log. The code in smail
2546 crashes the daemon after 10 successive failures of accept, on the grounds
2547 that some OS fail continuously. Exim originally followed suit, but this
2548 appears to have caused problems. Now it just keeps going, but instead of
2549 logging each error, it batches them up when they are continuous. */
2550
2551 if (accept_socket < 0 && errno != EINTR)
2552 {
2553 if (accept_retry_count == 0)
2554 {
2555 accept_retry_errno = errno;
2556 accept_retry_select_failed = select_failed;
2557 }
2558 else if ( errno != accept_retry_errno
2559 || select_failed != accept_retry_select_failed
2560 || accept_retry_count >= 50)
2561 {
2562 log_write(0, LOG_MAIN | (accept_retry_count >= 50 ? LOG_PANIC : 0),
2563 "%d %s() failure%s: %s",
2564 accept_retry_count,
2565 accept_retry_select_failed ? "select" : "accept",
2566 accept_retry_count == 1 ? "" : "s",
2567 strerror(accept_retry_errno));
2568 log_close_all();
2569 accept_retry_count = 0;
2570 accept_retry_errno = errno;
2571 accept_retry_select_failed = select_failed;
2572 }
2573 accept_retry_count++;
2574 }
2575 else if (accept_retry_count > 0)
2576 {
2577 log_write(0, LOG_MAIN, "%d %s() failure%s: %s",
2578 accept_retry_count,
2579 accept_retry_select_failed ? "select" : "accept",
2580 accept_retry_count == 1 ? "" : "s",
2581 strerror(accept_retry_errno));
2582 log_close_all();
2583 accept_retry_count = 0;
2584 }
2585
2586 /* If select/accept succeeded, deal with the connection. */
2587
2588 if (accept_socket >= 0)
2589 {
2590 #ifdef TCP_QUICKACK /* Avoid pure-ACKs while in tls protocol pingpong phase */
2591 /* Unfortunately we cannot be certain to do this before a TLS-on-connect
2592 Client Hello arrives and is acked. We do it as early as possible. */
2593 (void) setsockopt(accept_socket, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
2594 #endif
2595 if (inetd_wait_timeout)
2596 last_connection_time = time(NULL);
2597 handle_smtp_call(fd_polls, listen_socket_count, accept_socket,
2598 (struct sockaddr *)&accepted);
2599 }
2600 }
2601 }
2602
2603 /* If not listening, then just sleep for the queue interval. If we woke
2604 up early the last time for some other signal, it won't matter because
2605 the alarm signal will wake at the right time. This code originally used
2606 sleep() but it turns out that on the FreeBSD system, sleep() is not inter-
2607 rupted by signals, so it wasn't waking up for SIGALRM or SIGCHLD. Luckily
2608 select() can be used as an interruptible sleep() on all versions of Unix. */
2609
2610 else
2611 {
2612 struct pollfd p;
2613 poll(&p, 0, queue_interval * 1000);
2614 handle_ending_processes();
2615 }
2616
2617 /* Re-enable the SIGCHLD handler if it has been run. It can't do it
2618 for itself, because it isn't doing the waiting itself. */
2619
2620 if (sigchld_seen)
2621 {
2622 sigchld_seen = FALSE;
2623 os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
2624 }
2625
2626 /* Handle being woken by SIGHUP. We know at this point that the result
2627 of accept() has been dealt with, so we can re-exec exim safely, first
2628 closing the listening sockets so that they can be reused. Cancel any pending
2629 alarm in case it is just about to go off, and set SIGHUP to be ignored so
2630 that another HUP in quick succession doesn't clobber the new daemon before it
2631 gets going. All log files get closed by the close-on-exec flag; however, if
2632 the exec fails, we need to close the logs. */
2633
2634 if (sighup_seen)
2635 {
2636 log_write(0, LOG_MAIN, "pid %d: SIGHUP received: re-exec daemon",
2637 getpid());
2638 close_daemon_sockets(daemon_notifier_fd, fd_polls, listen_socket_count);
2639 ALARM_CLR(0);
2640 signal(SIGHUP, SIG_IGN);
2641 sighup_argv[0] = exim_path;
2642 exim_nullstd();
2643 execv(CS exim_path, (char *const *)sighup_argv);
2644 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid %d: exec of %s failed: %s",
2645 getpid(), exim_path, strerror(errno));
2646 log_close_all();
2647 }
2648
2649 } /* End of main loop */
2650
2651 /* Control never reaches here */
2652 }
2653
2654 /* vi: aw ai sw=2
2655 */
2656 /* End of exim_daemon.c */
2657