1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2017 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Functions concerned with running Exim as a daemon */
14 /* Structure for holding data for each SMTP connection */
16 typedef struct smtp_slot {
17 pid_t pid; /* pid of the spawned reception process */
18 uschar *host_address; /* address of the client host */
21 /* An empty slot for initializing (Standard C does not allow constructor
22 expressions in assignments except as initializers in declarations). */
24 static smtp_slot empty_smtp_slot = { 0, NULL };
28 /*************************************************
29 * Local static variables *
30 *************************************************/
32 static SIGNAL_BOOL sigchld_seen;
33 static SIGNAL_BOOL sighup_seen;
35 static int accept_retry_count = 0;
36 static int accept_retry_errno;
37 static BOOL accept_retry_select_failed;
39 static int queue_run_count = 0;
40 static pid_t *queue_pid_slots = NULL;
41 static smtp_slot *smtp_slots = NULL;
43 static BOOL write_pid = TRUE;
47 /*************************************************
49 *************************************************/
51 /* All this handler does is to set a flag and re-enable the signal.
53 Argument: the signal number
58 sighup_handler(int sig)
60 sig = sig; /* Keep picky compilers happy */
62 signal(SIGHUP, sighup_handler);
67 /*************************************************
68 * SIGCHLD handler for main daemon process *
69 *************************************************/
71 /* Don't re-enable the handler here, since we aren't doing the
72 waiting here. If the signal is re-enabled, there will just be an
73 infinite sequence of calls to this handler. The SIGCHLD signal is
74 used just as a means of waking up the daemon so that it notices
75 terminated subprocesses as soon as possible.
77 Argument: the signal number
82 main_sigchld_handler(int sig)
84 sig = sig; /* Keep picky compilers happy */
85 os_non_restarting_signal(SIGCHLD, SIG_DFL);
92 /*************************************************
93 * Unexpected errors in SMTP calls *
94 *************************************************/
96 /* This function just saves a bit of repetitious coding.
99 log_msg Text of message to be logged
100 smtp_msg Text of SMTP error message
101 was_errno The failing errno
107 never_error(uschar *log_msg, uschar *smtp_msg, int was_errno)
109 uschar *emsg = (was_errno <= 0)? US"" :
110 string_sprintf(": %s", strerror(was_errno));
111 log_write(0, LOG_MAIN|LOG_PANIC, "%s%s", log_msg, emsg);
112 if (smtp_out != NULL) smtp_printf("421 %s\r\n", smtp_msg);
118 /*************************************************
119 * Handle a connected SMTP call *
120 *************************************************/
122 /* This function is called when an SMTP connection has been accepted.
123 If there are too many, give an error message and close down. Otherwise
124 spin off a sub-process to handle the call. The list of listening sockets
125 is required so that they can be closed in the sub-process. Take care not to
126 leak store in this process - reset the stacking pool at the end.
129 listen_sockets sockets which are listening for incoming calls
130 listen_socket_count count of listening sockets
131 accept_socket socket of the current accepted call
132 accepted socket information about the current call
138 handle_smtp_call(int *listen_sockets, int listen_socket_count,
139 int accept_socket, struct sockaddr *accepted)
142 union sockaddr_46 interface_sockaddr;
143 EXIM_SOCKLEN_T ifsize = sizeof(interface_sockaddr);
144 int dup_accept_socket = -1;
145 int max_for_this_host = 0;
148 int save_log_selector = *log_selector;
149 uschar *whofrom = NULL;
151 void *reset_point = store_get(0);
153 /* Make the address available in ASCII representation, and also fish out
156 sender_host_address = host_ntoa(-1, accepted, NULL, &sender_host_port);
157 DEBUG(D_any) debug_printf("Connection request from %s port %d\n",
158 sender_host_address, sender_host_port);
160 /* Set up the output stream, check the socket has duplicated, and set up the
161 input stream. These operations fail only the exceptional circumstances. Note
162 that never_error() won't use smtp_out if it is NULL. */
164 if (!(smtp_out = fdopen(accept_socket, "wb")))
166 never_error(US"daemon: fdopen() for smtp_out failed", US"", errno);
170 if ((dup_accept_socket = dup(accept_socket)) < 0)
172 never_error(US"daemon: couldn't dup socket descriptor",
173 US"Connection setup failed", errno);
177 if (!(smtp_in = fdopen(dup_accept_socket, "rb")))
179 never_error(US"daemon: fdopen() for smtp_in failed",
180 US"Connection setup failed", errno);
184 /* Get the data for the local interface address. Panic for most errors, but
185 "connection reset by peer" just means the connection went away. */
187 if (getsockname(accept_socket, (struct sockaddr *)(&interface_sockaddr),
190 log_write(0, LOG_MAIN | ((errno == ECONNRESET)? 0 : LOG_PANIC),
191 "getsockname() failed: %s", strerror(errno));
192 smtp_printf("421 Local problem: getsockname() failed; please try again later\r\n");
196 interface_address = host_ntoa(-1, &interface_sockaddr, NULL, &interface_port);
197 DEBUG(D_interface) debug_printf("interface address=%s port=%d\n",
198 interface_address, interface_port);
200 /* Build a string identifying the remote host and, if requested, the port and
201 the local interface data. This is for logging; at the end of this function the
202 memory is reclaimed. */
204 whofrom = string_append(whofrom, &wfsize, &wfptr, 3, "[", sender_host_address, "]");
206 if (LOGGING(incoming_port))
207 whofrom = string_append(whofrom, &wfsize, &wfptr, 2, ":", string_sprintf("%d",
210 if (LOGGING(incoming_interface))
211 whofrom = string_append(whofrom, &wfsize, &wfptr, 4, " I=[",
212 interface_address, "]:", string_sprintf("%d", interface_port));
214 whofrom[wfptr] = 0; /* Terminate the newly-built string */
216 /* Check maximum number of connections. We do not check for reserved
217 connections or unacceptable hosts here. That is done in the subprocess because
218 it might take some time. */
220 if (smtp_accept_max > 0 && smtp_accept_count >= smtp_accept_max)
222 DEBUG(D_any) debug_printf("rejecting SMTP connection: count=%d max=%d\n",
223 smtp_accept_count, smtp_accept_max);
224 smtp_printf("421 Too many concurrent SMTP connections; "
225 "please try again later.\r\n");
226 log_write(L_connection_reject,
227 LOG_MAIN, "Connection from %s refused: too many connections",
232 /* If a load limit above which only reserved hosts are acceptable is defined,
233 get the load average here, and if there are in fact no reserved hosts, do
234 the test right away (saves a fork). If there are hosts, do the check in the
235 subprocess because it might take time. */
237 if (smtp_load_reserve >= 0)
239 load_average = OS_GETLOADAVG();
240 if (smtp_reserve_hosts == NULL && load_average > smtp_load_reserve)
242 DEBUG(D_any) debug_printf("rejecting SMTP connection: load average = %.2f\n",
243 (double)load_average/1000.0);
244 smtp_printf("421 Too much load; please try again later.\r\n");
245 log_write(L_connection_reject,
246 LOG_MAIN, "Connection from %s refused: load average = %.2f",
247 whofrom, (double)load_average/1000.0);
252 /* Check that one specific host (strictly, IP address) is not hogging
253 resources. This is done here to prevent a denial of service attack by someone
254 forcing you to fork lots of times before denying service. The value of
255 smtp_accept_max_per_host is a string which is expanded. This makes it possible
256 to provide host-specific limits according to $sender_host address, but because
257 this is in the daemon mainline, only fast expansions (such as inline address
258 checks) should be used. The documentation is full of warnings. */
260 if (smtp_accept_max_per_host != NULL)
262 uschar *expanded = expand_string(smtp_accept_max_per_host);
263 if (expanded == NULL)
265 if (!expand_string_forcedfail)
266 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
267 "failed for %s: %s", whofrom, expand_string_message);
269 /* For speed, interpret a decimal number inline here */
272 uschar *s = expanded;
274 max_for_this_host = max_for_this_host * 10 + *s++ - '0';
276 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
277 "for %s contains non-digit: %s", whofrom, expanded);
281 /* If we have fewer connections than max_for_this_host, we can skip the tedious
282 per host_address checks. Note that at this stage smtp_accept_count contains the
283 count of *other* connections, not including this one. */
285 if ((max_for_this_host > 0) &&
286 (smtp_accept_count >= max_for_this_host))
289 int host_accept_count = 0;
290 int other_host_count = 0; /* keep a count of non matches to optimise */
292 for (i = 0; i < smtp_accept_max; ++i)
293 if (smtp_slots[i].host_address)
295 if (Ustrcmp(sender_host_address, smtp_slots[i].host_address) == 0)
300 /* Testing all these strings is expensive - see if we can drop out
301 early, either by hitting the target, or finding there are not enough
302 connections left to make the target. */
304 if ((host_accept_count >= max_for_this_host) ||
305 ((smtp_accept_count - other_host_count) < max_for_this_host))
309 if (host_accept_count >= max_for_this_host)
311 DEBUG(D_any) debug_printf("rejecting SMTP connection: too many from this "
312 "IP address: count=%d max=%d\n",
313 host_accept_count, max_for_this_host);
314 smtp_printf("421 Too many concurrent SMTP connections "
315 "from this IP address; please try again later.\r\n");
316 log_write(L_connection_reject,
317 LOG_MAIN, "Connection from %s refused: too many connections "
318 "from that IP address", whofrom);
323 /* OK, the connection count checks have been passed. Before we can fork the
324 accepting process, we must first log the connection if requested. This logging
325 used to happen in the subprocess, but doing that means that the value of
326 smtp_accept_count can be out of step by the time it is logged. So we have to do
327 the logging here and accept the performance cost. Note that smtp_accept_count
328 hasn't yet been incremented to take account of this connection.
330 In order to minimize the cost (because this is going to happen for every
331 connection), do a preliminary selector test here. This saves ploughing through
332 the generalized logging code each time when the selector is false. If the
333 selector is set, check whether the host is on the list for logging. If not,
334 arrange to unset the selector in the subprocess. */
336 if (LOGGING(smtp_connection))
338 uschar *list = hosts_connection_nolog;
339 memset(sender_host_cache, 0, sizeof(sender_host_cache));
340 if (list != NULL && verify_check_host(&list) == OK)
341 save_log_selector &= ~L_smtp_connection;
343 log_write(L_smtp_connection, LOG_MAIN, "SMTP connection from %s "
344 "(TCP/IP connection count = %d)", whofrom, smtp_accept_count + 1);
347 /* Now we can fork the accepting process; do a lookup tidy, just in case any
348 expansion above did a lookup. */
353 /* Handle the child process */
358 int queue_only_reason = 0;
359 int old_pool = store_pool;
360 int save_debug_selector = debug_selector;
361 BOOL local_queue_only;
362 BOOL session_local_queue_only;
364 struct sigaction act;
367 smtp_accept_count++; /* So that it includes this process */
369 /* May have been modified for the subprocess */
371 *log_selector = save_log_selector;
373 /* Get the local interface address into permanent store */
375 store_pool = POOL_PERM;
376 interface_address = string_copy(interface_address);
377 store_pool = old_pool;
379 /* Check for a tls-on-connect port */
381 if (host_is_tls_on_connect_port(interface_port)) tls_in.on_connect = TRUE;
383 /* Expand smtp_active_hostname if required. We do not do this any earlier,
384 because it may depend on the local interface address (indeed, that is most
385 likely what it depends on.) */
387 smtp_active_hostname = primary_hostname;
388 if (raw_active_hostname)
390 uschar * nah = expand_string(raw_active_hostname);
393 if (!expand_string_forcedfail)
395 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" "
396 "(smtp_active_hostname): %s", raw_active_hostname,
397 expand_string_message);
398 smtp_printf("421 Local configuration error; "
399 "please try again later.\r\n");
405 else if (*nah) smtp_active_hostname = nah;
408 /* Initialize the queueing flags */
411 session_local_queue_only = queue_only;
413 /* Close the listening sockets, and set the SIGCHLD handler to SIG_IGN.
414 We also attempt to set things up so that children are automatically reaped,
415 but just in case this isn't available, there's a paranoid waitpid() in the
416 loop too (except for systems where we are sure it isn't needed). See the more
417 extensive comment before the reception loop in exim.c for a fuller
418 explanation of this logic. */
420 for (i = 0; i < listen_socket_count; i++) (void)close(listen_sockets[i]);
422 /* Set FD_CLOEXEC on the SMTP socket. We don't want any rogue child processes
423 to be able to communicate with them, under any circumstances. */
424 (void)fcntl(accept_socket, F_SETFD,
425 fcntl(accept_socket, F_GETFD) | FD_CLOEXEC);
426 (void)fcntl(dup_accept_socket, F_SETFD,
427 fcntl(dup_accept_socket, F_GETFD) | FD_CLOEXEC);
430 act.sa_handler = SIG_IGN;
431 sigemptyset(&(act.sa_mask));
432 act.sa_flags = SA_NOCLDWAIT;
433 sigaction(SIGCHLD, &act, NULL);
435 signal(SIGCHLD, SIG_IGN);
438 /* Attempt to get an id from the sending machine via the RFC 1413
439 protocol. We do this in the sub-process in order not to hold up the
440 main process if there is any delay. Then set up the fullhost information
441 in case there is no HELO/EHLO.
443 If debugging is enabled only for the daemon, we must turn if off while
444 finding the id, but turn it on again afterwards so that information about the
445 incoming connection is output. */
447 if (debug_daemon) debug_selector = 0;
448 verify_get_ident(IDENT_PORT);
449 host_build_sender_fullhost();
450 debug_selector = save_debug_selector;
453 debug_printf("Process %d is handling incoming connection from %s\n",
454 (int)getpid(), sender_fullhost);
456 /* Now disable debugging permanently if it's required only for the daemon
459 if (debug_daemon) debug_selector = 0;
461 /* If there are too many child processes for immediate delivery,
462 set the session_local_queue_only flag, which is initialized from the
463 configured value and may therefore already be TRUE. Leave logging
464 till later so it will have a message id attached. Note that there is no
465 possibility of re-calculating this per-message, because the value of
466 smtp_accept_count does not change in this subprocess. */
468 if (smtp_accept_queue > 0 && smtp_accept_count > smtp_accept_queue)
470 session_local_queue_only = TRUE;
471 queue_only_reason = 1;
474 /* Handle the start of the SMTP session, then loop, accepting incoming
475 messages from the SMTP connection. The end will come at the QUIT command,
476 when smtp_setup_msg() returns 0. A break in the connection causes the
477 process to die (see accept.c).
479 NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
480 because a log line has already been written for all its failure exists
481 (usually "connection refused: <reason>") and writing another one is
482 unnecessary clutter. */
484 if (!smtp_start_session())
494 message_id[0] = 0; /* Clear out any previous message_id */
495 reset_point = store_get(0); /* Save current store high water point */
498 debug_printf("Process %d is ready for new message\n", (int)getpid());
500 /* Smtp_setup_msg() returns 0 on QUIT or if the call is from an
501 unacceptable host or if an ACL "drop" command was triggered, -1 on
502 connection lost, and +1 on validly reaching DATA. Receive_msg() almost
503 always returns TRUE when smtp_input is true; just retry if no message was
504 accepted (can happen for invalid message parameters). However, it can yield
505 FALSE if the connection was forcibly dropped by the DATA ACL. */
507 if ((rc = smtp_setup_msg()) > 0)
509 BOOL ok = receive_msg(FALSE);
510 search_tidyup(); /* Close cached databases */
511 if (!ok) /* Connection was dropped */
513 cancel_cutthrough_connection(TRUE, US"receive dropped");
515 smtp_log_no_mail(); /* Log no mail if configured */
518 if (message_id[0] == 0) continue; /* No message was accepted */
524 int i, fd = fileno(smtp_in);
528 /* drain socket, for clean TCP FINs */
529 if (fcntl(fd, F_SETFL, O_NONBLOCK) == 0)
530 for(i = 16; read(fd, buf, sizeof(buf)) > 0 && i > 0; ) i--;
532 cancel_cutthrough_connection(TRUE, US"message setup dropped");
534 smtp_log_no_mail(); /* Log no mail if configured */
536 /*XXX should we pause briefly, hoping that the client will be the
537 active TCP closer hence get the TCP_WAIT endpoint? */
538 DEBUG(D_receive) debug_printf("SMTP>>(close on process exit)\n");
539 _exit(rc ? EXIT_FAILURE : EXIT_SUCCESS);
542 /* Show the recipients when debugging */
548 debug_printf("Sender: %s\n", sender_address);
551 debug_printf("Recipients:\n");
552 for (i = 0; i < recipients_count; i++)
553 debug_printf(" %s\n", recipients_list[i].address);
557 /* A message has been accepted. Clean up any previous delivery processes
558 that have completed and are defunct, on systems where they don't go away
559 by themselves (see comments when setting SIG_IGN above). On such systems
560 (if any) these delivery processes hang around after termination until
561 the next message is received. */
563 #ifndef SIG_IGN_WORKS
564 while (waitpid(-1, NULL, WNOHANG) > 0);
567 /* Reclaim up the store used in accepting this message */
569 return_path = sender_address = NULL;
570 authenticated_sender = NULL;
571 sending_ip_address = NULL;
572 deliver_host_address = deliver_host =
573 deliver_domain_orig = deliver_localpart_orig = NULL;
574 dnslist_domain = dnslist_matched = NULL;
575 callout_address = NULL;
577 dkim_cur_signer = NULL;
580 store_reset(reset_point);
582 /* If queue_only is set or if there are too many incoming connections in
583 existence, session_local_queue_only will be TRUE. If it is not, check
584 whether we have received too many messages in this session for immediate
587 if (!session_local_queue_only &&
588 smtp_accept_queue_per_connection > 0 &&
589 receive_messagecount > smtp_accept_queue_per_connection)
591 session_local_queue_only = TRUE;
592 queue_only_reason = 2;
595 /* Initialize local_queue_only from session_local_queue_only. If it is not
596 true, and queue_only_load is set, check that the load average is below it.
597 If local_queue_only is set by this means, we also set if for the session if
598 queue_only_load_latch is true (the default). This means that, once set,
599 local_queue_only remains set for any subsequent messages on the same SMTP
600 connection. This is a deliberate choice; even though the load average may
601 fall, it doesn't seem right to deliver later messages on the same call when
602 not delivering earlier ones. However, the are special circumstances such as
603 very long-lived connections from scanning appliances where this is not the
604 best strategy. In such cases, queue_only_load_latch should be set false. */
606 if ( !(local_queue_only = session_local_queue_only)
607 && queue_only_load >= 0
608 && (local_queue_only = (load_average = OS_GETLOADAVG()) > queue_only_load)
611 queue_only_reason = 3;
612 if (queue_only_load_latch) session_local_queue_only = TRUE;
615 /* Log the queueing here, when it will get a message id attached, but
616 not if queue_only is set (case 0). */
618 if (local_queue_only) switch(queue_only_reason)
620 case 1: log_write(L_delay_delivery,
621 LOG_MAIN, "no immediate delivery: too many connections "
622 "(%d, max %d)", smtp_accept_count, smtp_accept_queue);
625 case 2: log_write(L_delay_delivery,
626 LOG_MAIN, "no immediate delivery: more than %d messages "
627 "received in one connection", smtp_accept_queue_per_connection);
630 case 3: log_write(L_delay_delivery,
631 LOG_MAIN, "no immediate delivery: load average %.2f",
632 (double)load_average/1000.0);
636 /* If a delivery attempt is required, spin off a new process to handle it.
637 If we are not root, we have to re-exec exim unless deliveries are being
638 done unprivileged. */
640 else if (!queue_only_policy && !deliver_freeze)
644 /* Before forking, ensure that the C output buffer is flushed. Otherwise
645 anything that it in it will get duplicated, leading to duplicate copies
646 of the pending output. */
650 if ((dpid = fork()) == 0)
652 (void)fclose(smtp_in);
653 (void)fclose(smtp_out);
655 /* Don't ever molest the parent's SSL connection, but do clean up
656 the data structures if necessary. */
659 tls_close(TRUE, FALSE);
662 /* Reset SIGHUP and SIGCHLD in the child in both cases. */
664 signal(SIGHUP, SIG_DFL);
665 signal(SIGCHLD, SIG_DFL);
667 if (geteuid() != root_uid && !deliver_drop_privilege)
669 signal(SIGALRM, SIG_DFL);
670 delivery_re_exec(CEE_EXEC_PANIC);
671 /* Control does not return here. */
674 /* No need to re-exec; SIGALRM remains set to the default handler */
676 (void) deliver_message(message_id, FALSE, FALSE);
683 release_cutthrough_connection(US"passed for delivery");
684 DEBUG(D_any) debug_printf("forked delivery process %d\n", (int)dpid);
688 cancel_cutthrough_connection(TRUE, US"delivery fork failed");
689 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: delivery process fork "
690 "failed: %s", strerror(errno));
697 /* Carrying on in the parent daemon process... Can't do much if the fork
698 failed. Otherwise, keep count of the number of accepting processes and
699 remember the pid for ticking off when the child completes. */
702 never_error(US"daemon: accept process fork failed", US"Fork failed", errno);
706 for (i = 0; i < smtp_accept_max; ++i)
707 if (smtp_slots[i].pid <= 0)
709 smtp_slots[i].pid = pid;
710 if (smtp_accept_max_per_host != NULL)
711 smtp_slots[i].host_address = string_copy_malloc(sender_host_address);
715 DEBUG(D_any) debug_printf("%d SMTP accept process%s running\n",
716 smtp_accept_count, (smtp_accept_count == 1)? "" : "es");
719 /* Get here via goto in error cases */
723 /* Close the streams associated with the socket which will also close the
724 socket fds in this process. We can't do anything if fclose() fails, but
725 logging brings it to someone's attention. However, "connection reset by peer"
726 isn't really a problem, so skip that one. On Solaris, a dropped connection can
727 manifest itself as a broken pipe, so drop that one too. If the streams don't
728 exist, something went wrong while setting things up. Make sure the socket
729 descriptors are closed, in order to drop the connection. */
733 if (fclose(smtp_out) != 0 && errno != ECONNRESET && errno != EPIPE)
734 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_out) failed: %s",
738 else (void)close(accept_socket);
742 if (fclose(smtp_in) != 0 && errno != ECONNRESET && errno != EPIPE)
743 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_in) failed: %s",
747 else (void)close(dup_accept_socket);
749 /* Release any store used in this process, including the store used for holding
750 the incoming host address and an expanded active_hostname. */
754 sender_host_address = NULL;
755 store_reset(reset_point);
756 sender_host_address = NULL;
762 /*************************************************
763 * Check wildcard listen special cases *
764 *************************************************/
766 /* This function is used when binding and listening on lists of addresses and
767 ports. It tests for special cases of wildcard listening, when IPv4 and IPv6
768 sockets may interact in different ways in different operating systems. It is
769 passed an error number, the list of listening addresses, and the current
770 address. Two checks are available: for a previous wildcard IPv6 address, or for
771 a following wildcard IPv4 address, in both cases on the same port.
773 In practice, pairs of wildcard addresses should be adjacent in the address list
774 because they are sorted that way below.
778 addresses the list of addresses
779 ipa the current IP address
780 back if TRUE, check for previous wildcard IPv6 address
781 if FALSE, check for a following wildcard IPv4 address
783 Returns: TRUE or FALSE
787 check_special_case(int eno, ip_address_item *addresses, ip_address_item *ipa,
790 ip_address_item *ipa2;
792 /* For the "back" case, if the failure was "address in use" for a wildcard IPv4
793 address, seek a previous IPv6 wildcard address on the same port. As it is
794 previous, it must have been successfully bound and be listening. Flag it as a
795 "6 including 4" listener. */
799 if (eno != EADDRINUSE || ipa->address[0] != 0) return FALSE;
800 for (ipa2 = addresses; ipa2 != ipa; ipa2 = ipa2->next)
802 if (ipa2->address[1] == 0 && ipa2->port == ipa->port)
804 ipa2->v6_include_v4 = TRUE;
810 /* For the "forward" case, if the current address is a wildcard IPv6 address,
811 we seek a following wildcard IPv4 address on the same port. */
815 if (ipa->address[0] != ':' || ipa->address[1] != 0) return FALSE;
816 for (ipa2 = ipa->next; ipa2 != NULL; ipa2 = ipa2->next)
817 if (ipa2->address[0] == 0 && ipa->port == ipa2->port) return TRUE;
826 /*************************************************
827 * Handle terminating subprocesses *
828 *************************************************/
830 /* Handle the termination of child processes. Theoretically, this need be done
831 only when sigchld_seen is TRUE, but rumour has it that some systems lose
832 SIGCHLD signals at busy times, so to be on the safe side, this function is
833 called each time round. It shouldn't be too expensive.
840 handle_ending_processes(void)
845 while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
850 debug_printf("child %d ended: status=0x%x\n", (int)pid, status);
852 if (WIFEXITED(status))
853 debug_printf(" normal exit, %d\n", WEXITSTATUS(status));
854 else if (WIFSIGNALED(status))
855 debug_printf(" signal exit, signal %d%s\n", WTERMSIG(status),
856 WCOREDUMP(status) ? " (core dumped)" : "");
860 /* If it's a listening daemon for which we are keeping track of individual
861 subprocesses, deal with an accepting process that has terminated. */
865 for (i = 0; i < smtp_accept_max; i++)
866 if (smtp_slots[i].pid == pid)
868 if (smtp_slots[i].host_address)
869 store_free(smtp_slots[i].host_address);
870 smtp_slots[i] = empty_smtp_slot;
871 if (--smtp_accept_count < 0) smtp_accept_count = 0;
872 DEBUG(D_any) debug_printf("%d SMTP accept process%s now running\n",
873 smtp_accept_count, (smtp_accept_count == 1)? "" : "es");
876 if (i < smtp_accept_max) continue; /* Found an accepting process */
879 /* If it wasn't an accepting process, see if it was a queue-runner
880 process that we are tracking. */
884 int max = atoi(CS expand_string(queue_run_max));
885 for (i = 0; i < max; i++)
886 if (queue_pid_slots[i] == pid)
888 queue_pid_slots[i] = 0;
889 if (--queue_run_count < 0) queue_run_count = 0;
890 DEBUG(D_any) debug_printf("%d queue-runner process%s now running\n",
891 queue_run_count, (queue_run_count == 1)? "" : "es");
900 /*************************************************
901 * Exim Daemon Mainline *
902 *************************************************/
904 /* The daemon can do two jobs, either of which is optional:
906 (1) Listens for incoming SMTP calls and spawns off a sub-process to handle
907 each one. This is requested by the -bd option, with -oX specifying the SMTP
908 port on which to listen (for testing).
910 (2) Spawns a queue-running process every so often. This is controlled by the
911 -q option with a an interval time. (If no time is given, a single queue run
912 is done from the main function, and control doesn't get here.)
914 Root privilege is required in order to attach to port 25. Some systems require
915 it when calling socket() rather than bind(). To cope with all cases, we run as
916 root for both socket() and bind(). Some systems also require root in order to
917 write to the pid file directory. This function must therefore be called as root
918 if it is to work properly in all circumstances. Once the socket is bound and
919 the pid file written, root privilege is given up if there is an exim uid.
921 There are no arguments to this function, and it never returns. */
927 int *listen_sockets = NULL;
928 int listen_socket_count = 0;
929 ip_address_item *addresses = NULL;
930 time_t last_connection_time = (time_t)0;
931 int local_queue_run_max = atoi(CS expand_string(queue_run_max));
933 /* If any debugging options are set, turn on the D_pid bit so that all
934 debugging lines get the pid added. */
936 DEBUG(D_any|D_v) debug_selector |= D_pid;
940 listen_socket_count = 1;
941 listen_sockets = store_get(sizeof(int));
943 if (dup2(0, 3) == -1)
944 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
945 "failed to dup inetd socket safely away: %s", strerror(errno));
947 listen_sockets[0] = 3;
953 if (debug_file == stderr)
955 /* need a call to log_write before call to open debug_file, so that
956 log.c:file_path has been initialised. This is unfortunate. */
957 log_write(0, LOG_MAIN, "debugging Exim in inetd wait mode starting");
961 exim_nullstd(); /* re-open fd2 after we just closed it again */
962 debug_logging_activate(US"-wait", NULL);
965 DEBUG(D_any) debug_printf("running in inetd wait mode\n");
967 /* As per below, when creating sockets ourselves, we handle tcp_nodelay for
968 our own buffering; we assume though that inetd set the socket REUSEADDR. */
971 if (setsockopt(3, IPPROTO_TCP, TCP_NODELAY, US &on, sizeof(on)))
972 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to set socket NODELAY: %s",
977 if (inetd_wait_mode || daemon_listen)
979 /* If any option requiring a load average to be available during the
980 reception of a message is set, call os_getloadavg() while we are root
981 for those OS for which this is necessary the first time it is called (in
982 order to perform an "open" on the kernel memory file). */
984 #ifdef LOAD_AVG_NEEDS_ROOT
985 if (queue_only_load >= 0 || smtp_load_reserve >= 0 ||
986 (deliver_queue_load_max >= 0 && deliver_drop_privilege))
987 (void)os_getloadavg();
992 /* Do the preparation for setting up a listener on one or more interfaces, and
993 possible on various ports. This is controlled by the combination of
994 local_interfaces (which can set IP addresses and ports) and daemon_smtp_port
995 (which is a list of default ports to use for those items in local_interfaces
996 that do not specify a port). The -oX command line option can be used to
997 override one or both of these options.
999 If local_interfaces is not set, the default is to listen on all interfaces.
1000 When it is set, it can include "all IPvx interfaces" as an item. This is useful
1001 when different ports are in use.
1003 It turns out that listening on all interfaces is messy in an IPv6 world,
1004 because several different implementation approaches have been taken. This code
1005 is now supposed to work with all of them. The point of difference is whether an
1006 IPv6 socket that is listening on all interfaces will receive incoming IPv4
1007 calls or not. We also have to cope with the case when IPv6 libraries exist, but
1008 there is no IPv6 support in the kernel.
1010 . On Solaris, an IPv6 socket will accept IPv4 calls, and give them as mapped
1011 addresses. However, if an IPv4 socket is also listening on all interfaces,
1012 calls are directed to the appropriate socket.
1014 . On (some versions of) Linux, an IPv6 socket will accept IPv4 calls, and
1015 give them as mapped addresses, but an attempt also to listen on an IPv4
1016 socket on all interfaces causes an error.
1018 . On OpenBSD, an IPv6 socket will not accept IPv4 calls. You have to set up
1019 two sockets if you want to accept both kinds of call.
1021 . FreeBSD is like OpenBSD, but it has the IPV6_V6ONLY socket option, which
1022 can be turned off, to make it behave like the versions of Linux described
1025 . I heard a report that the USAGI IPv6 stack for Linux has implemented
1028 So, what we do when IPv6 is supported is as follows:
1030 (1) After it is set up, the list of interfaces is scanned for wildcard
1031 addresses. If an IPv6 and an IPv4 wildcard are both found for the same
1032 port, the list is re-arranged so that they are together, with the IPv6
1035 (2) If the creation of a wildcard IPv6 socket fails, we just log the error and
1036 carry on if an IPv4 wildcard socket for the same port follows later in the
1037 list. This allows Exim to carry on in the case when the kernel has no IPv6
1040 (3) Having created an IPv6 wildcard socket, we try to set IPV6_V6ONLY if that
1041 option is defined. However, if setting fails, carry on regardless (but log
1044 (4) If binding or listening on an IPv6 wildcard socket fails, it is a serious
1047 (5) If binding or listening on an IPv4 wildcard socket fails with the error
1048 EADDRINUSE, and a previous interface was an IPv6 wildcard for the same
1049 port (which must have succeeded or we wouldn't have got this far), we
1050 assume we are in the situation where just a single socket is permitted,
1051 and ignore the error.
1055 The preparation code decodes options and sets up the relevant data. We do this
1056 first, so that we can return non-zero if there are any syntax errors, and also
1059 if (daemon_listen && !inetd_wait_mode)
1061 int *default_smtp_port;
1065 const uschar * list;
1066 uschar *local_iface_source = US"local_interfaces";
1067 ip_address_item *ipa;
1068 ip_address_item **pipa;
1070 /* If -oX was used, disable the writing of a pid file unless -oP was
1071 explicitly used to force it. Then scan the string given to -oX. Any items
1072 that contain neither a dot nor a colon are used to override daemon_smtp_port.
1073 Any other items are used to override local_interfaces. */
1075 if (override_local_interfaces != NULL)
1077 uschar *new_smtp_port = NULL;
1078 uschar *new_local_interfaces = NULL;
1084 if (override_pid_file_path == NULL) write_pid = FALSE;
1086 list = override_local_interfaces;
1088 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1095 if (Ustrpbrk(s, ".:") == NULL)
1097 ptr = &new_smtp_port;
1098 sizeptr = &portsize;
1103 ptr = &new_local_interfaces;
1104 sizeptr = &ifacesize;
1112 *ptr = string_catn(*ptr, sizeptr, ptrptr, US"<", 1);
1115 *ptr = string_catn(*ptr, sizeptr, ptrptr, joinstr, 2);
1116 *ptr = string_cat (*ptr, sizeptr, ptrptr, s);
1119 if (new_smtp_port != NULL)
1121 new_smtp_port[portptr] = 0;
1122 daemon_smtp_port = new_smtp_port;
1123 DEBUG(D_any) debug_printf("daemon_smtp_port overridden by -oX:\n %s\n",
1127 if (new_local_interfaces != NULL)
1129 new_local_interfaces[ifaceptr] = 0;
1130 local_interfaces = new_local_interfaces;
1131 local_iface_source = US"-oX data";
1132 DEBUG(D_any) debug_printf("local_interfaces overridden by -oX:\n %s\n",
1137 /* Create a list of default SMTP ports, to be used if local_interfaces
1138 contains entries without explicit ports. First count the number of ports, then
1139 build a translated list in a vector. */
1141 list = daemon_smtp_port;
1143 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1145 default_smtp_port = store_get((pct+1) * sizeof(int));
1146 list = daemon_smtp_port;
1149 (s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size));
1155 default_smtp_port[pct] = Ustrtol(s, &end, 0);
1156 if (end != s + Ustrlen(s))
1157 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "invalid SMTP port: %s", s);
1161 struct servent *smtp_service = getservbyname(CS s, "tcp");
1163 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
1164 default_smtp_port[pct] = ntohs(smtp_service->s_port);
1167 default_smtp_port[pct] = 0;
1169 /* Check the list of TLS-on-connect ports and do name lookups if needed */
1171 list = tls_in.on_connect_ports;
1173 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1176 list = tls_in.on_connect_ports;
1177 tls_in.on_connect_ports = NULL;
1179 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1183 struct servent *smtp_service = getservbyname(CS s, "tcp");
1185 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
1186 s= string_sprintf("%d", (int)ntohs(smtp_service->s_port));
1188 tls_in.on_connect_ports = string_append_listele(tls_in.on_connect_ports,
1194 /* Create the list of local interfaces, possibly with ports included. This
1195 list may contain references to 0.0.0.0 and ::0 as wildcards. These special
1196 values are converted below. */
1198 addresses = host_build_ifacelist(local_interfaces, local_iface_source);
1200 /* In the list of IP addresses, convert 0.0.0.0 into an empty string, and ::0
1201 into the string ":". We use these to recognize wildcards in IPv4 and IPv6. In
1202 fact, many IP stacks recognize 0.0.0.0 and ::0 and handle them as wildcards
1203 anyway, but we need to know which are the wildcard addresses, and the shorter
1206 In the same scan, fill in missing port numbers from the default list. When
1207 there is more than one item in the list, extra items are created. */
1209 for (ipa = addresses; ipa; ipa = ipa->next)
1213 if (Ustrcmp(ipa->address, "0.0.0.0") == 0)
1214 ipa->address[0] = 0;
1215 else if (Ustrcmp(ipa->address, "::0") == 0)
1217 ipa->address[0] = ':';
1218 ipa->address[1] = 0;
1221 if (ipa->port > 0) continue;
1223 if (daemon_smtp_port[0] <= 0)
1224 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "no port specified for interface "
1225 "%s and daemon_smtp_port is unset; cannot start daemon",
1226 ipa->address[0] == 0 ? US"\"all IPv4\"" :
1227 ipa->address[1] == 0 ? US"\"all IPv6\"" : ipa->address);
1229 ipa->port = default_smtp_port[0];
1230 for (i = 1; default_smtp_port[i] > 0; i++)
1232 ip_address_item *new = store_get(sizeof(ip_address_item));
1234 memcpy(new->address, ipa->address, Ustrlen(ipa->address) + 1);
1235 new->port = default_smtp_port[i];
1236 new->next = ipa->next;
1242 /* Scan the list of addresses for wildcards. If we find an IPv4 and an IPv6
1243 wildcard for the same port, ensure that (a) they are together and (b) the
1244 IPv6 address comes first. This makes handling the messy features easier, and
1245 also simplifies the construction of the "daemon started" log line. */
1248 for (ipa = addresses; ipa; pipa = &ipa->next, ipa = ipa->next)
1250 ip_address_item *ipa2;
1252 /* Handle an IPv4 wildcard */
1254 if (ipa->address[0] == 0)
1255 for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
1257 ip_address_item *ipa3 = ipa2->next;
1258 if (ipa3->address[0] == ':' &&
1259 ipa3->address[1] == 0 &&
1260 ipa3->port == ipa->port)
1262 ipa2->next = ipa3->next;
1269 /* Handle an IPv6 wildcard. */
1271 else if (ipa->address[0] == ':' && ipa->address[1] == 0)
1272 for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
1274 ip_address_item *ipa3 = ipa2->next;
1275 if (ipa3->address[0] == 0 && ipa3->port == ipa->port)
1277 ipa2->next = ipa3->next;
1278 ipa3->next = ipa->next;
1286 /* Get a vector to remember all the sockets in */
1288 for (ipa = addresses; ipa; ipa = ipa->next)
1289 listen_socket_count++;
1290 listen_sockets = store_get(sizeof(int) * listen_socket_count);
1292 } /* daemon_listen but not inetd_wait_mode */
1297 /* Do a sanity check on the max connects value just to save us from getting
1298 a huge amount of store. */
1300 if (smtp_accept_max > 4095) smtp_accept_max = 4096;
1302 /* There's no point setting smtp_accept_queue unless it is less than the max
1303 connects limit. The configuration reader ensures that the max is set if the
1304 queue-only option is set. */
1306 if (smtp_accept_queue > smtp_accept_max) smtp_accept_queue = 0;
1308 /* Get somewhere to keep the list of SMTP accepting pids if we are keeping
1309 track of them for total number and queue/host limits. */
1311 if (smtp_accept_max > 0)
1314 smtp_slots = store_get(smtp_accept_max * sizeof(smtp_slot));
1315 for (i = 0; i < smtp_accept_max; i++) smtp_slots[i] = empty_smtp_slot;
1319 /* The variable background_daemon is always false when debugging, but
1320 can also be forced false in order to keep a non-debugging daemon in the
1321 foreground. If background_daemon is true, close all open file descriptors that
1322 we know about, but then re-open stdin, stdout, and stderr to /dev/null. Also
1323 do this for inetd_wait mode.
1325 This is protection against any called functions (in libraries, or in
1326 Perl, or whatever) that think they can write to stderr (or stdout). Before this
1327 was added, it was quite likely that an SMTP connection would use one of these
1328 file descriptors, in which case writing random stuff to it caused chaos.
1330 Then disconnect from the controlling terminal, Most modern Unixes seem to have
1331 setsid() for getting rid of the controlling terminal. For any OS that doesn't,
1332 setsid() can be #defined as a no-op, or as something else. */
1334 if (background_daemon || inetd_wait_mode)
1336 log_close_all(); /* Just in case anything was logged earlier */
1337 search_tidyup(); /* Just in case any were used in reading the config. */
1338 (void)close(0); /* Get rid of stdin/stdout/stderr */
1341 exim_nullstd(); /* Connect stdin/stdout/stderr to /dev/null */
1342 log_stderr = NULL; /* So no attempt to copy paniclog output */
1345 if (background_daemon)
1347 /* If the parent process of this one has pid == 1, we are re-initializing the
1348 daemon as the result of a SIGHUP. In this case, there is no need to do
1349 anything, because the controlling terminal has long gone. Otherwise, fork, in
1350 case current process is a process group leader (see 'man setsid' for an
1351 explanation) before calling setsid(). */
1356 if (pid < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1357 "fork() failed when starting daemon: %s", strerror(errno));
1358 if (pid > 0) exit(EXIT_SUCCESS); /* in parent process, just exit */
1359 (void)setsid(); /* release controlling terminal */
1363 /* We are now in the disconnected, daemon process (unless debugging). Set up
1364 the listening sockets if required. */
1366 if (daemon_listen && !inetd_wait_mode)
1369 ip_address_item *ipa;
1371 /* For each IP address, create a socket, bind it to the appropriate port, and
1372 start listening. See comments above about IPv6 sockets that may or may not
1373 accept IPv4 calls when listening on all interfaces. We also have to cope with
1374 the case of a system with IPv6 libraries, but no IPv6 support in the kernel.
1375 listening, provided a wildcard IPv4 socket for the same port follows. */
1377 for (ipa = addresses, sk = 0; sk < listen_socket_count; ipa = ipa->next, sk++)
1380 ip_address_item *ipa2;
1383 if (Ustrchr(ipa->address, ':') != NULL)
1386 wildcard = ipa->address[1] == 0;
1391 wildcard = ipa->address[0] == 0;
1394 if ((listen_sockets[sk] = ip_socket(SOCK_STREAM, af)) < 0)
1396 if (check_special_case(0, addresses, ipa, FALSE))
1398 log_write(0, LOG_MAIN, "Failed to create IPv6 socket for wildcard "
1399 "listening (%s): will use IPv4", strerror(errno));
1402 log_write(0, LOG_PANIC_DIE, "IPv%c socket creation failed: %s",
1403 (af == AF_INET6)? '6' : '4', strerror(errno));
1406 /* If this is an IPv6 wildcard socket, set IPV6_V6ONLY if that option is
1407 available. Just log failure (can get protocol not available, just like
1408 socket creation can). */
1411 if (af == AF_INET6 && wildcard &&
1412 setsockopt(listen_sockets[sk], IPPROTO_IPV6, IPV6_V6ONLY, (char *)(&on),
1414 log_write(0, LOG_MAIN, "Setting IPV6_V6ONLY on daemon's IPv6 wildcard "
1415 "socket failed (%s): carrying on without it", strerror(errno));
1416 #endif /* IPV6_V6ONLY */
1418 /* Set SO_REUSEADDR so that the daemon can be restarted while a connection
1419 is being handled. Without this, a connection will prevent reuse of the
1420 smtp port for listening. */
1422 if (setsockopt(listen_sockets[sk], SOL_SOCKET, SO_REUSEADDR,
1423 (uschar *)(&on), sizeof(on)) < 0)
1424 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "setting SO_REUSEADDR on socket "
1425 "failed when starting daemon: %s", strerror(errno));
1427 /* Set TCP_NODELAY; Exim does its own buffering. There is a switch to
1428 disable this because it breaks some broken clients. */
1430 if (tcp_nodelay) setsockopt(listen_sockets[sk], IPPROTO_TCP, TCP_NODELAY,
1431 (uschar *)(&on), sizeof(on));
1433 /* Now bind the socket to the required port; if Exim is being restarted
1434 it may not always be possible to bind immediately, even with SO_REUSEADDR
1435 set, so try 10 times, waiting between each try. After 10 failures, we give
1436 up. In an IPv6 environment, if bind () fails with the error EADDRINUSE and
1437 we are doing wildcard IPv4 listening and there was a previous IPv6 wildcard
1438 address for the same port, ignore the error on the grounds that we must be
1439 in a system where the IPv6 socket accepts both kinds of call. This is
1440 necessary for (some release of) USAGI Linux; other IP stacks fail at the
1441 listen() stage instead. */
1444 tcp_fastopen_ok = TRUE;
1449 if (ip_bind(listen_sockets[sk], af, ipa->address, ipa->port) >= 0) break;
1450 if (check_special_case(errno, addresses, ipa, TRUE))
1452 DEBUG(D_any) debug_printf("wildcard IPv4 bind() failed after IPv6 "
1453 "listen() success; EADDRINUSE ignored\n");
1454 (void)close(listen_sockets[sk]);
1457 msg = US strerror(errno);
1463 if (daemon_startup_retries <= 0)
1464 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1465 "socket bind() to port %d for address %s failed: %s: "
1466 "daemon abandoned", ipa->port, addr, msg);
1467 log_write(0, LOG_MAIN, "socket bind() to port %d for address %s "
1468 "failed: %s: waiting %s before trying again (%d more %s)",
1469 ipa->port, addr, msg, readconf_printtime(daemon_startup_sleep),
1470 daemon_startup_retries, (daemon_startup_retries > 1)? "tries" : "try");
1471 daemon_startup_retries--;
1472 sleep(daemon_startup_sleep);
1477 debug_printf("listening on all interfaces (IPv%c) port %d\n",
1478 af == AF_INET6 ? '6' : '4', ipa->port);
1480 debug_printf("listening on %s port %d\n", ipa->address, ipa->port);
1483 if (setsockopt(listen_sockets[sk], IPPROTO_TCP, TCP_FASTOPEN,
1484 &smtp_connect_backlog, sizeof(smtp_connect_backlog)))
1486 DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
1487 tcp_fastopen_ok = FALSE;
1491 /* Start listening on the bound socket, establishing the maximum backlog of
1492 connections that is allowed. On success, continue to the next address. */
1494 if (listen(listen_sockets[sk], smtp_connect_backlog) >= 0) continue;
1496 /* Listening has failed. In an IPv6 environment, as for bind(), if listen()
1497 fails with the error EADDRINUSE and we are doing IPv4 wildcard listening
1498 and there was a previous successful IPv6 wildcard listen on the same port,
1499 we want to ignore the error on the grounds that we must be in a system
1500 where the IPv6 socket accepts both kinds of call. */
1502 if (!check_special_case(errno, addresses, ipa, TRUE))
1503 log_write(0, LOG_PANIC_DIE, "listen() failed on interface %s: %s",
1505 ? af == AF_INET6 ? US"(any IPv6)" : US"(any IPv4)" : ipa->address,
1508 DEBUG(D_any) debug_printf("wildcard IPv4 listen() failed after IPv6 "
1509 "listen() success; EADDRINUSE ignored\n");
1510 (void)close(listen_sockets[sk]);
1512 /* Come here if there has been a problem with the socket which we
1513 are going to ignore. We remove the address from the chain, and back up the
1517 sk--; /* Back up the count */
1518 listen_socket_count--; /* Reduce the total */
1519 if (ipa == addresses) addresses = ipa->next; else
1521 for (ipa2 = addresses; ipa2->next != ipa; ipa2 = ipa2->next);
1522 ipa2->next = ipa->next;
1525 } /* End of bind/listen loop for each address */
1526 } /* End of setup for listening */
1529 /* If we are not listening, we want to write a pid file only if -oP was
1530 explicitly given. */
1532 else if (!override_pid_file_path)
1535 /* Write the pid to a known file for assistance in identification, if required.
1536 We do this before giving up root privilege, because on some systems it is
1537 necessary to be root in order to write into the pid file directory. There's
1538 nothing to stop multiple daemons running, as long as no more than one listens
1539 on a given TCP/IP port on the same interface(s). However, in these
1540 circumstances it gets far too complicated to mess with pid file names
1541 automatically. Consequently, Exim 4 writes a pid file only
1543 (a) When running in the test harness, or
1544 (b) When -bd is used and -oX is not used, or
1545 (c) When -oP is used to supply a path.
1547 The variable daemon_write_pid is used to control this. */
1549 if (running_in_test_harness || write_pid)
1553 if (override_pid_file_path)
1554 pid_file_path = override_pid_file_path;
1556 if (pid_file_path[0] == 0)
1557 pid_file_path = string_sprintf("%s/exim-daemon.pid", spool_directory);
1559 if ((f = modefopen(pid_file_path, "wb", 0644)))
1561 (void)fprintf(f, "%d\n", (int)getpid());
1563 DEBUG(D_any) debug_printf("pid written to %s\n", pid_file_path);
1567 debug_printf("%s\n", string_open_failed(errno, "pid file %s",
1571 /* Set up the handler for SIGHUP, which causes a restart of the daemon. */
1573 sighup_seen = FALSE;
1574 signal(SIGHUP, sighup_handler);
1576 /* Give up root privilege at this point (assuming that exim_uid and exim_gid
1577 are not root). The third argument controls the running of initgroups().
1578 Normally we do this, in order to set up the groups for the Exim user. However,
1579 if we are not root at this time - some odd installations run that way - we
1582 exim_setugid(exim_uid, exim_gid, geteuid()==root_uid, US"running as a daemon");
1584 /* Update the originator_xxx fields so that received messages as listed as
1585 coming from Exim, not whoever started the daemon. */
1587 originator_uid = exim_uid;
1588 originator_gid = exim_gid;
1589 originator_login = ((pw = getpwuid(exim_uid)) != NULL)?
1590 string_copy_malloc(US pw->pw_name) : US"exim";
1592 /* Get somewhere to keep the list of queue-runner pids if we are keeping track
1593 of them (and also if we are doing queue runs). */
1595 if (queue_interval > 0 && local_queue_run_max > 0)
1598 queue_pid_slots = store_get(local_queue_run_max * sizeof(pid_t));
1599 for (i = 0; i < local_queue_run_max; i++) queue_pid_slots[i] = 0;
1602 /* Set up the handler for termination of child processes. */
1604 sigchld_seen = FALSE;
1605 os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
1607 /* If we are to run the queue periodically, pretend the alarm has just gone
1608 off. This will cause the first queue-runner to get kicked off straight away. */
1610 sigalrm_seen = (queue_interval > 0);
1612 /* Log the start up of a daemon - at least one of listening or queue running
1615 if (inetd_wait_mode)
1617 uschar *p = big_buffer;
1619 if (inetd_wait_timeout >= 0)
1620 sprintf(CS p, "terminating after %d seconds", inetd_wait_timeout);
1622 sprintf(CS p, "with no wait timeout");
1624 log_write(0, LOG_MAIN,
1625 "exim %s daemon started: pid=%d, launched with listening socket, %s",
1626 version_string, getpid(), big_buffer);
1627 set_process_info("daemon(%s): pre-listening socket", version_string);
1629 /* set up the timeout logic */
1633 else if (daemon_listen)
1637 int smtps_ports = 0;
1638 ip_address_item * ipa, * i2;
1639 uschar * p = big_buffer;
1640 uschar * qinfo = queue_interval > 0
1641 ? string_sprintf("-q%s", readconf_printtime(queue_interval))
1642 : US"no queue runs";
1644 /* Build a list of listening addresses in big_buffer, but limit it to 10
1645 items. The style is for backwards compatibility.
1647 It is now possible to have some ports listening for SMTPS (the old,
1648 deprecated protocol that starts TLS without using STARTTLS), and others
1649 listening for standard SMTP. Keep their listings separate. */
1651 for (j = 0; j < 2; j++)
1653 for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
1655 /* First time round, look for SMTP ports; second time round, look for
1656 SMTPS ports. For the first one of each, insert leading text. */
1658 if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
1662 if (smtp_ports++ == 0)
1664 memcpy(p, "SMTP on", 8);
1669 if (smtps_ports++ == 0)
1670 p += sprintf(CS p, "%sSMTPS on",
1671 smtp_ports == 0 ? "" : " and for ");
1673 /* Now the information about the port (and sometimes interface) */
1675 if (ipa->address[0] == ':' && ipa->address[1] == 0)
1677 if (ipa->next && ipa->next->address[0] == 0 &&
1678 ipa->next->port == ipa->port)
1680 p += sprintf(CS p, " port %d (IPv6 and IPv4)", ipa->port);
1683 else if (ipa->v6_include_v4)
1684 p += sprintf(CS p, " port %d (IPv6 with IPv4)", ipa->port);
1686 p += sprintf(CS p, " port %d (IPv6)", ipa->port);
1688 else if (ipa->address[0] == 0) /* v4 wildcard */
1689 p += sprintf(CS p, " port %d (IPv4)", ipa->port);
1690 else /* check for previously-seen IP */
1692 for (i2 = addresses; i2 != ipa; i2 = i2->next)
1693 if ( host_is_tls_on_connect_port(i2->port) == (j > 0)
1694 && Ustrcmp(ipa->address, i2->address) == 0
1696 { /* found; append port to list */
1697 if (p[-1] == '}') p--;
1698 while (isdigit(*--p)) ;
1699 p += 1 + sprintf(CS p+1, "%s%d,%d}", *p == ',' ? "" : "{",
1700 i2->port, ipa->port);
1703 if (i2 == ipa) /* first-time IP */
1704 p += sprintf(CS p, " [%s]:%d", ipa->address, ipa->port);
1711 memcpy(p, " ...", 5);
1716 log_write(0, LOG_MAIN,
1717 "exim %s daemon started: pid=%d, %s, listening for %s",
1718 version_string, getpid(), qinfo, big_buffer);
1719 set_process_info("daemon(%s): %s, listening for %s",
1720 version_string, qinfo, big_buffer);
1725 uschar * s = *queue_name
1726 ? string_sprintf("-qG%s/%s", queue_name, readconf_printtime(queue_interval))
1727 : string_sprintf("-q%s", readconf_printtime(queue_interval));
1728 log_write(0, LOG_MAIN,
1729 "exim %s daemon started: pid=%d, %s, not listening for SMTP",
1730 version_string, getpid(), s);
1731 set_process_info("daemon(%s): %s, not listening", version_string, s);
1734 /* Do any work it might be useful to amortize over our children
1735 (eg: compile regex) */
1739 #ifdef WITH_CONTENT_SCAN
1743 /* Close the log so it can be renamed and moved. In the few cases below where
1744 this long-running process writes to the log (always exceptional conditions), it
1745 closes the log afterwards, for the same reason. */
1749 DEBUG(D_any) debug_print_ids(US"daemon running with");
1751 /* Any messages accepted via this route are going to be SMTP. */
1755 /* Enter the never-ending loop... */
1760 struct sockaddr_in6 accepted;
1762 struct sockaddr_in accepted;
1768 /* This code is placed first in the loop, so that it gets obeyed at the
1769 start, before the first wait, for the queue-runner case, so that the first
1770 one can be started immediately.
1772 The other option is that we have an inetd wait timeout specified to -bw. */
1776 if (inetd_wait_timeout > 0)
1778 time_t resignal_interval = inetd_wait_timeout;
1780 if (last_connection_time == (time_t)0)
1783 debug_printf("inetd wait timeout expired, but still not seen first message, ignoring\n");
1787 time_t now = time(NULL);
1788 if (now == (time_t)-1)
1790 DEBUG(D_any) debug_printf("failed to get time: %s\n", strerror(errno));
1794 if ((now - last_connection_time) >= inetd_wait_timeout)
1797 debug_printf("inetd wait timeout %d expired, ending daemon\n",
1798 inetd_wait_timeout);
1799 log_write(0, LOG_MAIN, "exim %s daemon terminating, inetd wait timeout reached.\n",
1805 resignal_interval -= (now - last_connection_time);
1810 sigalrm_seen = FALSE;
1811 alarm(resignal_interval);
1816 DEBUG(D_any) debug_printf("SIGALRM received\n");
1818 /* Do a full queue run in a child process, if required, unless we already
1819 have enough queue runners on the go. If we are not running as root, a
1820 re-exec is required. */
1822 if (queue_interval > 0 &&
1823 (local_queue_run_max <= 0 || queue_run_count < local_queue_run_max))
1825 if ((pid = fork()) == 0)
1829 DEBUG(D_any) debug_printf("Starting queue-runner: pid %d\n",
1832 /* Disable debugging if it's required only for the daemon process. We
1833 leave the above message, because it ties up with the "child ended"
1834 debugging messages. */
1836 if (debug_daemon) debug_selector = 0;
1838 /* Close any open listening sockets in the child */
1840 for (sk = 0; sk < listen_socket_count; sk++)
1841 (void)close(listen_sockets[sk]);
1843 /* Reset SIGHUP and SIGCHLD in the child in both cases. */
1845 signal(SIGHUP, SIG_DFL);
1846 signal(SIGCHLD, SIG_DFL);
1848 /* Re-exec if privilege has been given up, unless deliver_drop_
1849 privilege is set. Reset SIGALRM before exec(). */
1851 if (geteuid() != root_uid && !deliver_drop_privilege)
1858 signal(SIGALRM, SIG_DFL);
1861 if (queue_2stage) *p++ = 'q';
1862 if (queue_run_first_delivery) *p++ = 'i';
1863 if (queue_run_force) *p++ = 'f';
1864 if (deliver_force_thaw) *p++ = 'f';
1865 if (queue_run_local) *p++ = 'l';
1867 extra[0] = queue_name
1868 ? string_sprintf("%sG%s", opt, queue_name) : opt;
1870 /* If -R or -S were on the original command line, ensure they get
1873 if (deliver_selectstring)
1875 extra[extracount++] = deliver_selectstring_regex ? US"-Rr" : US"-R";
1876 extra[extracount++] = deliver_selectstring;
1879 if (deliver_selectstring_sender)
1881 extra[extracount++] = deliver_selectstring_sender_regex
1883 extra[extracount++] = deliver_selectstring_sender;
1886 /* Overlay this process with a new execution. */
1888 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, TRUE, extracount,
1889 extra[0], extra[1], extra[2], extra[3], extra[4]);
1891 /* Control never returns here. */
1894 /* No need to re-exec; SIGALRM remains set to the default handler */
1896 queue_run(NULL, NULL, FALSE);
1897 _exit(EXIT_SUCCESS);
1902 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fork of queue-runner "
1903 "process failed: %s", strerror(errno));
1909 for (i = 0; i < local_queue_run_max; ++i)
1910 if (queue_pid_slots[i] <= 0)
1912 queue_pid_slots[i] = pid;
1916 DEBUG(D_any) debug_printf("%d queue-runner process%s running\n",
1917 queue_run_count, (queue_run_count == 1)? "" : "es");
1921 /* Reset the alarm clock */
1923 sigalrm_seen = FALSE;
1924 alarm(queue_interval);
1927 } /* sigalrm_seen */
1930 /* Sleep till a connection happens if listening, and handle the connection if
1931 that is why we woke up. The FreeBSD operating system requires the use of
1932 select() before accept() because the latter function is not interrupted by
1933 a signal, and we want to wake up for SIGCHLD and SIGALRM signals. Some other
1934 OS do notice signals in accept() but it does no harm to have the select()
1935 in for all of them - and it won't then be a lurking problem for ports to
1936 new OS. In fact, the later addition of listening on specific interfaces only
1937 requires this way of working anyway. */
1941 int sk, lcount, select_errno;
1943 BOOL select_failed = FALSE;
1944 fd_set select_listen;
1946 FD_ZERO(&select_listen);
1947 for (sk = 0; sk < listen_socket_count; sk++)
1949 FD_SET(listen_sockets[sk], &select_listen);
1950 if (listen_sockets[sk] > max_socket) max_socket = listen_sockets[sk];
1953 DEBUG(D_any) debug_printf("Listening...\n");
1955 /* In rare cases we may have had a SIGCHLD signal in the time between
1956 setting the handler (below) and getting back here. If so, pretend that the
1957 select() was interrupted so that we reap the child. This might still leave
1958 a small window when a SIGCHLD could get lost. However, since we use SIGCHLD
1959 only to do the reaping more quickly, it shouldn't result in anything other
1960 than a delay until something else causes a wake-up. */
1968 lcount = select(max_socket + 1, (SELECT_ARG2_TYPE *)&select_listen,
1973 select_failed = TRUE;
1977 /* Clean up any subprocesses that may have terminated. We need to do this
1978 here so that smtp_accept_max_per_host works when a connection to that host
1979 has completed, and we are about to accept a new one. When this code was
1980 later in the sequence, a new connection could be rejected, even though an
1981 old one had just finished. Preserve the errno from any select() failure for
1982 the use of the common select/accept error processing below. */
1984 select_errno = errno;
1985 handle_ending_processes();
1986 errno = select_errno;
1988 /* Loop for all the sockets that are currently ready to go. If select
1989 actually failed, we have set the count to 1 and select_failed=TRUE, so as
1990 to use the common error code for select/accept below. */
1992 while (lcount-- > 0)
1994 int accept_socket = -1;
1997 for (sk = 0; sk < listen_socket_count; sk++)
1998 if (FD_ISSET(listen_sockets[sk], &select_listen))
2000 len = sizeof(accepted);
2001 accept_socket = accept(listen_sockets[sk],
2002 (struct sockaddr *)&accepted, &len);
2003 FD_CLR(listen_sockets[sk], &select_listen);
2007 /* If select or accept has failed and this was not caused by an
2008 interruption, log the incident and try again. With asymmetric TCP/IP
2009 routing errors such as "No route to network" have been seen here. Also
2010 "connection reset by peer" has been seen. These cannot be classed as
2011 disastrous errors, but they could fill up a lot of log. The code in smail
2012 crashes the daemon after 10 successive failures of accept, on the grounds
2013 that some OS fail continuously. Exim originally followed suit, but this
2014 appears to have caused problems. Now it just keeps going, but instead of
2015 logging each error, it batches them up when they are continuous. */
2017 if (accept_socket < 0 && errno != EINTR)
2019 if (accept_retry_count == 0)
2021 accept_retry_errno = errno;
2022 accept_retry_select_failed = select_failed;
2026 if (errno != accept_retry_errno ||
2027 select_failed != accept_retry_select_failed ||
2028 accept_retry_count >= 50)
2030 log_write(0, LOG_MAIN | ((accept_retry_count >= 50)? LOG_PANIC : 0),
2031 "%d %s() failure%s: %s",
2033 accept_retry_select_failed? "select" : "accept",
2034 (accept_retry_count == 1)? "" : "s",
2035 strerror(accept_retry_errno));
2037 accept_retry_count = 0;
2038 accept_retry_errno = errno;
2039 accept_retry_select_failed = select_failed;
2042 accept_retry_count++;
2047 if (accept_retry_count > 0)
2049 log_write(0, LOG_MAIN, "%d %s() failure%s: %s",
2051 accept_retry_select_failed? "select" : "accept",
2052 (accept_retry_count == 1)? "" : "s",
2053 strerror(accept_retry_errno));
2055 accept_retry_count = 0;
2059 /* If select/accept succeeded, deal with the connection. */
2061 if (accept_socket >= 0)
2063 if (inetd_wait_timeout)
2064 last_connection_time = time(NULL);
2065 handle_smtp_call(listen_sockets, listen_socket_count, accept_socket,
2066 (struct sockaddr *)&accepted);
2071 /* If not listening, then just sleep for the queue interval. If we woke
2072 up early the last time for some other signal, it won't matter because
2073 the alarm signal will wake at the right time. This code originally used
2074 sleep() but it turns out that on the FreeBSD system, sleep() is not inter-
2075 rupted by signals, so it wasn't waking up for SIGALRM or SIGCHLD. Luckily
2076 select() can be used as an interruptible sleep() on all versions of Unix. */
2081 tv.tv_sec = queue_interval;
2083 select(0, NULL, NULL, NULL, &tv);
2084 handle_ending_processes();
2087 /* Re-enable the SIGCHLD handler if it has been run. It can't do it
2088 for itself, because it isn't doing the waiting itself. */
2092 sigchld_seen = FALSE;
2093 os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
2096 /* Handle being woken by SIGHUP. We know at this point that the result
2097 of accept() has been dealt with, so we can re-exec exim safely, first
2098 closing the listening sockets so that they can be reused. Cancel any pending
2099 alarm in case it is just about to go off, and set SIGHUP to be ignored so
2100 that another HUP in quick succession doesn't clobber the new daemon before it
2101 gets going. All log files get closed by the close-on-exec flag; however, if
2102 the exec fails, we need to close the logs. */
2107 log_write(0, LOG_MAIN, "pid %d: SIGHUP received: re-exec daemon",
2109 for (sk = 0; sk < listen_socket_count; sk++)
2110 (void)close(listen_sockets[sk]);
2112 signal(SIGHUP, SIG_IGN);
2113 sighup_argv[0] = exim_path;
2115 execv(CS exim_path, (char *const *)sighup_argv);
2116 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid %d: exec of %s failed: %s",
2117 getpid(), exim_path, strerror(errno));
2121 } /* End of main loop */
2123 /* Control never reaches here */
2128 /* End of exim_daemon.c */