1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Functions for writing log files. The code for maintaining datestamped
9 log files was originally contributed by Tony Sheen. */
14 #define LOG_NAME_SIZE 256
15 #define MAX_SYSLOG_LEN 870
17 #define LOG_MODE_FILE 1
18 #define LOG_MODE_SYSLOG 2
20 enum { lt_main, lt_reject, lt_panic, lt_debug };
22 static uschar *log_names[] = { US"main", US"reject", US"panic", US"debug" };
26 /*************************************************
27 * Local static variables *
28 *************************************************/
30 static uschar mainlog_name[LOG_NAME_SIZE];
31 static uschar rejectlog_name[LOG_NAME_SIZE];
32 static uschar debuglog_name[LOG_NAME_SIZE];
34 static uschar *mainlog_datestamp = NULL;
35 static uschar *rejectlog_datestamp = NULL;
37 static int mainlogfd = -1;
38 static int rejectlogfd = -1;
39 static ino_t mainlog_inode = 0;
40 static ino_t rejectlog_inode = 0;
42 static uschar *panic_save_buffer = NULL;
43 static BOOL panic_recurseflag = FALSE;
45 static BOOL syslog_open = FALSE;
46 static BOOL path_inspected = FALSE;
47 static int logging_mode = LOG_MODE_FILE;
48 static uschar *file_path = US"";
50 static size_t pid_position[2];
53 /* These should be kept in-step with the private delivery error
54 number definitions in macros.h */
56 static const uschar * exim_errstrings[] = {
79 US"Exim-imposed quota",
81 US"Delivery filter process failure",
82 US"Delivery add/remove header failure",
83 US"Delivery write incomplete error",
84 US"Some expansion failed",
85 US"Failed to get gid",
86 US"Failed to get uid",
87 US"Unset or non-existent transport",
88 US"MBX length mismatch",
89 US"Lookup failed routing or in smtp tpt",
90 US"Can't match format in appendfile",
91 US"Creation outside home in appendfile",
92 US"Can't check a list; lookup defer",
94 US"Failed to start TLS session",
95 US"Mandatory TLS session not started",
96 US"Failed to chown a file",
97 US"Failed to create a pipe",
99 US"When required by client",
100 US"Used internally in smtp transport",
101 US"RCPT gave 4xx error",
102 US"MAIL gave 4xx error",
103 US"DATA gave 4xx error",
104 US"Negotiation failed for proxy configured host",
105 US"Authenticator 'other' failure",
106 US"target not supporting SMTPUTF8",
109 US"Not time for routing",
110 US"Not time for local delivery",
111 US"Not time for any remote host",
112 US"Local-only delivery",
113 US"Domain in queue_domains",
114 US"Transport concurrency limit",
118 /************************************************/
122 return err < 0 ? exim_errstrings[-err] : CUS strerror(err);
125 /*************************************************
127 *************************************************/
129 /* The given string is split into sections according to length, or at embedded
130 newlines, and syslogged as a numbered sequence if it is overlong or if there is
131 more than one line. However, if we are running in the test harness, do not do
132 anything. (The test harness doesn't use syslog - for obvious reasons - but we
133 can get here if there is a failure to open the panic log.)
136 priority syslog priority
137 s the string to be written
143 write_syslog(int priority, const uschar *s)
148 if (!syslog_pid && LOGGING(pid))
149 s = string_sprintf("%.*s%s", (int)pid_position[0], s, s + pid_position[1]);
150 if (!syslog_timestamp)
152 len = log_timezone ? 26 : 20;
153 if (LOGGING(millisec)) len += 4;
160 if (!syslog_open && !f.running_in_test_harness)
162 # ifdef SYSLOG_LOG_PID
163 openlog(CS syslog_processname, LOG_PID|LOG_CONS, syslog_facility);
165 openlog(CS syslog_processname, LOG_CONS, syslog_facility);
171 /* First do a scan through the message in order to determine how many lines
172 it is going to end up as. Then rescan to output it. */
174 for (int pass = 0; pass < 2; pass++)
176 const uschar * ss = s;
177 for (int i = 1, tlen = len; tlen > 0; i++)
180 uschar *nlptr = Ustrchr(ss, '\n');
181 if (nlptr != NULL) plen = nlptr - ss;
182 #ifndef SYSLOG_LONG_LINES
183 if (plen > MAX_SYSLOG_LEN) plen = MAX_SYSLOG_LEN;
186 if (ss[plen] == '\n') tlen--; /* chars left */
190 else if (f.running_in_test_harness)
192 fprintf(stderr, "SYSLOG: '%.*s'\n", plen, ss);
194 fprintf(stderr, "SYSLOG: '[%d%c%d] %.*s'\n", i,
195 ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
196 linecount, plen, ss);
199 syslog(priority, "%.*s", plen, ss);
201 syslog(priority, "[%d%c%d] %.*s", i,
202 ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
203 linecount, plen, ss);
206 if (*ss == '\n') ss++;
213 /*************************************************
215 *************************************************/
217 /* This is called when Exim is dying as a result of something going wrong in
218 the logging, or after a log call with LOG_PANIC_DIE set. Optionally write a
219 message to debug_file or a stderr file, if they exist. Then, if in the middle
220 of accepting a message, throw it away tidily by calling receive_bomb_out();
221 this will attempt to send an SMTP response if appropriate. Passing NULL as the
222 first argument stops it trying to run the NOTQUIT ACL (which might try further
223 logging and thus cause problems). Otherwise, try to close down an outstanding
227 s1 Error message to write to debug_file and/or stderr and syslog
228 s2 Error message for any SMTP call that is in progress
229 Returns: The function does not return
233 die(uschar *s1, uschar *s2)
237 write_syslog(LOG_CRIT, s1);
238 if (debug_file) debug_printf("%s\n", s1);
239 if (log_stderr && log_stderr != debug_file)
240 fprintf(log_stderr, "%s\n", s1);
242 if (f.receive_call_bombout) receive_bomb_out(NULL, s2); /* does not return */
243 if (smtp_input) smtp_closedown(s2);
244 exim_exit(EXIT_FAILURE, NULL);
249 /*************************************************
250 * Create a log file *
251 *************************************************/
253 /* This function is called to create and open a log file. It may be called in a
254 subprocess when the original process is root.
259 The file name has been build in a working buffer, so it is permissible to
260 overwrite it temporarily if it is necessary to create the directory.
262 Returns: a file descriptor, or < 0 on failure (errno set)
266 log_create(uschar *name)
272 O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
274 /* If creation failed, attempt to build a log directory in case that is the
277 if (fd < 0 && errno == ENOENT)
280 uschar *lastslash = Ustrrchr(name, '/');
282 created = directory_make(NULL, name, LOG_DIRECTORY_MODE, FALSE);
283 DEBUG(D_any) debug_printf("%s log directory %s\n",
284 created ? "created" : "failed to create", name);
286 if (created) fd = Uopen(name,
290 O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
298 /*************************************************
299 * Create a log file as the exim user *
300 *************************************************/
302 /* This function is called when we are root to spawn an exim:exim subprocess
303 in which we can create a log file. It must be signal-safe since it is called
304 by the usr1_handler().
309 Returns: a file descriptor, or < 0 on failure (errno set)
313 log_create_as_exim(uschar *name)
319 /* In the subprocess, change uid/gid and do the creation. Return 0 from the
320 subprocess on success. If we don't check for setuid failures, then the file
321 can be created as root, so vulnerabilities which cause setuid to fail mean
322 that the Exim user can use symlinks to cause a file to be opened/created as
323 root. We always open for append, so can't nuke existing content but it would
324 still be Rather Bad. */
328 if (setgid(exim_gid) < 0)
329 die(US"exim: setgid for log-file creation failed, aborting",
330 US"Unexpected log failure, please try later");
331 if (setuid(exim_uid) < 0)
332 die(US"exim: setuid for log-file creation failed, aborting",
333 US"Unexpected log failure, please try later");
334 _exit((log_create(name) < 0)? 1 : 0);
337 /* If we created a subprocess, wait for it. If it succeeded, try the open. */
339 while (pid > 0 && waitpid(pid, &status, 0) != pid);
340 if (status == 0) fd = Uopen(name,
344 O_APPEND|O_WRONLY, LOG_MODE);
346 /* If we failed to create a subprocess, we are in a bad way. We return
347 with fd still < 0, and errno set, letting the caller handle the error. */
355 /*************************************************
357 *************************************************/
359 /* This function opens one of a number of logs, creating the log directory if
360 it does not exist. This may be called recursively on failure, in order to open
363 The directory is in the static variable file_path. This is static so that it
364 the work of sorting out the path is done just once per Exim process.
366 Exim is normally configured to avoid running as root wherever possible, the log
367 files must be owned by the non-privileged exim user. To ensure this, first try
368 an open without O_CREAT - most of the time this will succeed. If it fails, try
369 to create the file; if running as root, this must be done in a subprocess to
373 fd where to return the resulting file descriptor
374 type lt_main, lt_reject, lt_panic, or lt_debug
375 tag optional tag to include in the name (only hooked up for debug)
381 open_log(int *fd, int type, uschar *tag)
385 uschar buffer[LOG_NAME_SIZE];
387 /* The names of the log files are controlled by file_path. The panic log is
388 written to the same directory as the main and reject logs, but its name does
389 not have a datestamp. The use of datestamps is indicated by %D/%M in file_path.
390 When opening the panic log, if %D or %M is present, we remove the datestamp
391 from the generated name; if it is at the start, remove a following
392 non-alphanumeric character as well; otherwise, remove a preceding
393 non-alphanumeric character. This is definitely kludgy, but it sort of does what
394 people want, I hope. */
396 ok = string_format(buffer, sizeof(buffer), CS file_path, log_names[type]);
398 /* Save the name of the mainlog for rollover processing. Without a datestamp,
399 it gets statted to see if it has been cycled. With a datestamp, the datestamp
400 will be compared. The static slot for saving it is the same size as buffer,
401 and the text has been checked above to fit, so this use of strcpy() is OK. */
403 if (type == lt_main && string_datestamp_offset >= 0)
405 Ustrcpy(mainlog_name, buffer);
406 mainlog_datestamp = mainlog_name + string_datestamp_offset;
409 /* Ditto for the reject log */
411 else if (type == lt_reject && string_datestamp_offset >= 0)
413 Ustrcpy(rejectlog_name, buffer);
414 rejectlog_datestamp = rejectlog_name + string_datestamp_offset;
417 /* and deal with the debug log (which keeps the datestamp, but does not
420 else if (type == lt_debug)
422 Ustrcpy(debuglog_name, buffer);
425 /* this won't change the offset of the datestamp */
426 ok2 = string_format(buffer, sizeof(buffer), "%s%s",
429 Ustrcpy(debuglog_name, buffer);
433 /* Remove any datestamp if this is the panic log. This is rare, so there's no
434 need to optimize getting the datestamp length. We remove one non-alphanumeric
435 char afterwards if at the start, otherwise one before. */
437 else if (string_datestamp_offset >= 0)
439 uschar * from = buffer + string_datestamp_offset;
440 uschar * to = from + string_datestamp_length;
442 if (from == buffer || from[-1] == '/')
444 if (!isalnum(*to)) to++;
447 if (!isalnum(from[-1])) from--;
449 /* This copy is ok, because we know that to is a substring of from. But
450 due to overlap we must use memmove() not Ustrcpy(). */
451 memmove(from, to, Ustrlen(to)+1);
454 /* If the file name is too long, it is an unrecoverable disaster */
457 die(US"exim: log file path too long: aborting",
458 US"Logging failure; please try later");
460 /* We now have the file name. Try to open an existing file. After a successful
461 open, arrange for automatic closure on exec(), and then return. */
467 O_APPEND|O_WRONLY, LOG_MODE);
472 (void)fcntl(*fd, F_SETFD, fcntl(*fd, F_GETFD) | FD_CLOEXEC);
477 /* Open was not successful: try creating the file. If this is a root process,
478 we must do the creating in a subprocess set to exim:exim in order to ensure
479 that the file is created with the right ownership. Otherwise, there can be a
480 race if another Exim process is trying to write to the log at the same time.
481 The use of SIGUSR1 by the exiwhat utility can provoke a lot of simultaneous
486 /* If we are already running as the Exim user (even if that user is root),
487 we can go ahead and create in the current process. */
489 if (euid == exim_uid) *fd = log_create(buffer);
491 /* Otherwise, if we are root, do the creation in an exim:exim subprocess. If we
492 are neither exim nor root, creation is not attempted. */
494 else if (euid == root_uid) *fd = log_create_as_exim(buffer);
496 /* If we now have an open file, set the close-on-exec flag and return. */
501 (void)fcntl(*fd, F_SETFD, fcntl(*fd, F_GETFD) | FD_CLOEXEC);
506 /* Creation failed. There are some circumstances in which we get here when
507 the effective uid is not root or exim, which is the problem. (For example, a
508 non-setuid binary with log_arguments set, called in certain ways.) Rather than
509 just bombing out, force the log to stderr and carry on if stderr is available.
512 if (euid != root_uid && euid != exim_uid && log_stderr != NULL)
514 *fd = fileno(log_stderr);
518 /* Otherwise this is a disaster. This call is deliberately ONLY to the panic
519 log. If possible, save a copy of the original line that was being logged. If we
520 are recursing (can't open the panic log either), the pointer will already be
523 if (!panic_save_buffer)
524 if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
525 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
527 log_write(0, LOG_PANIC_DIE, "Cannot open %s log file \"%s\": %s: "
528 "euid=%d egid=%d", log_names[type], buffer, strerror(errno), euid, getegid());
536 if (type == lt_debug) unlink(CS debuglog_name);
541 /*************************************************
542 * Add configuration file info to log line *
543 *************************************************/
545 /* This is put in a function because it's needed twice (once for debugging,
549 ptr pointer to the end of the line we are building
552 Returns: updated pointer
556 log_config_info(gstring * g, int flags)
558 g = string_cat(g, US"Exim configuration error");
560 if (flags & (LOG_CONFIG_FOR & ~LOG_CONFIG))
561 return string_cat(g, US" for ");
563 if (flags & (LOG_CONFIG_IN & ~LOG_CONFIG))
564 g = string_fmt_append(g, " in line %d of %s", config_lineno, config_filename);
566 return string_catn(g, US":\n ", 4);
570 /*************************************************
571 * A write() operation failed *
572 *************************************************/
574 /* This function is called when write() fails on anything other than the panic
575 log, which can happen if a disk gets full or a file gets too large or whatever.
576 We try to save the relevant message in the panic_save buffer before crashing
579 The potential invoker should probably not call us for EINTR -1 writes. But
580 otherwise, short writes are bad as we don't do non-blocking writes to fds
581 subject to flow control. (If we do, that's new and the logic of this should
585 name the name of the log being written
586 length the string length being written
587 rc the return value from write()
589 Returns: does not return
593 log_write_failed(uschar *name, int length, int rc)
595 int save_errno = errno;
597 if (!panic_save_buffer)
598 if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
599 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
601 log_write(0, LOG_PANIC_DIE, "failed to write to %s: length=%d result=%d "
602 "errno=%d (%s)", name, length, rc, save_errno,
603 (save_errno == 0)? "write incomplete" : strerror(save_errno));
609 /*************************************************
610 * Write to an fd, retrying after signals *
611 *************************************************/
613 /* Basic write to fd for logs, handling EINTR.
616 fd the fd to write to
617 buf the string to write
618 length the string length being written
621 length actually written, persisting an errno from write()
624 write_to_fd_buf(int fd, const uschar *buf, size_t length)
627 size_t total_written = 0;
628 const uschar *p = buf;
629 size_t left = length;
633 wrote = write(fd, p, left);
634 if (wrote == (ssize_t)-1)
636 if (errno == EINTR) continue;
639 total_written += wrote;
648 return total_written;
656 int sep = ':'; /* Fixed separator - outside use */
658 const uschar *tt = US LOG_FILE_PATH;
659 while ((t = string_nextinlist(&tt, &sep, log_buffer, LOG_BUFFER_SIZE)))
661 if (Ustrcmp(t, "syslog") == 0 || t[0] == 0) continue;
662 file_path = string_copy(t);
671 if (mainlogfd < 0) return;
672 (void)close(mainlogfd);
677 /*************************************************
678 * Write message to log file *
679 *************************************************/
681 /* Exim can be configured to log to local files, or use syslog, or both. This
682 is controlled by the setting of log_file_path. The following cases are
685 log_file_path = "" write files in the spool/log directory
686 log_file_path = "xxx" write files in the xxx directory
687 log_file_path = "syslog" write to syslog
688 log_file_path = "syslog : xxx" write to syslog and to files (any order)
690 The message always gets '\n' added on the end of it, since more than one
691 process may be writing to the log at once and we don't want intermingling to
692 happen in the middle of lines. To be absolutely sure of this we write the data
693 into a private buffer and then put it out in a single write() call.
695 The flags determine which log(s) the message is written to, or for syslogging,
696 which priority to use, and in the case of the panic log, whether the process
697 should die afterwards.
699 The variable really_exim is TRUE only when exim is running in privileged state
700 (i.e. not with a changed configuration or with testing options such as -brw).
701 If it is not, don't try to write to the log because permission will probably be
704 Avoid actually writing to the logs when exim is called with -bv or -bt to
705 test an address, but take other actions, such as panicking.
707 In Exim proper, the buffer for building the message is got at start-up, so that
708 nothing gets done if it can't be got. However, some functions that are also
709 used in utilities occasionally obey log_write calls in error situations, and it
710 is simplest to put a single malloc() here rather than put one in each utility.
711 Malloc is used directly because the store functions may call log_write().
713 If a message_id exists, we include it after the timestamp.
716 selector write to main log or LOG_INFO only if this value is zero, or if
717 its bit is set in log_selector[0]
718 flags each bit indicates some independent action:
719 LOG_SENDER add raw sender to the message
720 LOG_RECIPIENTS add raw recipients list to message
721 LOG_CONFIG add "Exim configuration error"
722 LOG_CONFIG_FOR add " for " instead of ":\n "
723 LOG_CONFIG_IN add " in line x[ of file y]"
724 LOG_MAIN write to main log or syslog LOG_INFO
725 LOG_REJECT write to reject log or syslog LOG_NOTICE
726 LOG_PANIC write to panic log or syslog LOG_ALERT
727 LOG_PANIC_DIE write to panic log or LOG_ALERT and then crash
728 format a printf() format
729 ... arguments for format
735 log_write(unsigned int selector, int flags, const char *format, ...)
739 gstring gs = { .size = LOG_BUFFER_SIZE-1, .ptr = 0, .s = log_buffer };
743 /* If panic_recurseflag is set, we have failed to open the panic log. This is
744 the ultimate disaster. First try to write the message to a debug file and/or
745 stderr and also to syslog. If panic_save_buffer is not NULL, it contains the
746 original log line that caused the problem. Afterwards, expire. */
748 if (panic_recurseflag)
750 uschar *extra = panic_save_buffer ? panic_save_buffer : US"";
751 if (debug_file) debug_printf("%s%s", extra, log_buffer);
752 if (log_stderr && log_stderr != debug_file)
753 fprintf(log_stderr, "%s%s", extra, log_buffer);
754 if (*extra) write_syslog(LOG_CRIT, extra);
755 write_syslog(LOG_CRIT, log_buffer);
756 die(US"exim: could not open panic log - aborting: see message(s) above",
757 US"Unexpected log failure, please try later");
760 /* Ensure we have a buffer (see comment above); this should never be obeyed
761 when running Exim proper, only when running utilities. */
764 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
766 fprintf(stderr, "exim: failed to get store for log buffer\n");
767 exim_exit(EXIT_FAILURE, NULL);
770 /* If we haven't already done so, inspect the setting of log_file_path to
771 determine whether to log to files and/or to syslog. Bits in logging_mode
772 control this, and for file logging, the path must end up in file_path. This
773 variable must be in permanent store because it may be required again later in
778 BOOL multiple = FALSE;
779 int old_pool = store_pool;
781 store_pool = POOL_PERM;
783 /* If nothing has been set, don't waste effort... the default values for the
784 statics are file_path="" and logging_mode = LOG_MODE_FILE. */
788 int sep = ':'; /* Fixed separator - outside use */
790 const uschar *ss = log_file_path;
793 while ((s = string_nextinlist(&ss, &sep, log_buffer, LOG_BUFFER_SIZE)))
795 if (Ustrcmp(s, "syslog") == 0)
796 logging_mode |= LOG_MODE_SYSLOG;
797 else if (logging_mode & LOG_MODE_FILE)
801 logging_mode |= LOG_MODE_FILE;
803 /* If a non-empty path is given, use it */
806 file_path = string_copy(s);
808 /* If the path is empty, we want to use the first non-empty, non-
809 syslog item in LOG_FILE_PATH, if there is one, since the value of
810 log_file_path may have been set at runtime. If there is no such item,
811 use the ultimate default in the spool directory. */
814 set_file_path(); /* Empty item in log_file_path */
815 } /* First non-syslog item in log_file_path */
816 } /* Scan of log_file_path */
819 /* If no modes have been selected, it is a major disaster */
821 if (logging_mode == 0)
822 die(US"Neither syslog nor file logging set in log_file_path",
823 US"Unexpected logging failure");
825 /* Set up the ultimate default if necessary. Then revert to the old store
826 pool, and record that we've sorted out the path. */
828 if (logging_mode & LOG_MODE_FILE && !file_path[0])
829 file_path = string_sprintf("%s/log/%%slog", spool_directory);
830 store_pool = old_pool;
831 path_inspected = TRUE;
833 /* If more than one file path was given, log a complaint. This recursive call
834 should work since we have now set up the routing. */
837 log_write(0, LOG_MAIN|LOG_PANIC,
838 "More than one path given in log_file_path: using %s", file_path);
841 /* If debugging, show all log entries, but don't show headers. Do it all
842 in one go so that it doesn't get split when multi-processing. */
848 g = string_catn(&gs, US"LOG:", 4);
850 /* Show the selector that was passed into the call. */
852 for (i = 0; i < log_options_count; i++)
854 unsigned int bitnum = log_options[i].bit;
855 if (bitnum < BITWORDSIZE && selector == BIT(bitnum))
856 g = string_fmt_append(g, " %s", log_options[i].name);
859 g = string_fmt_append(g, "%s%s%s%s\n ",
860 flags & LOG_MAIN ? " MAIN" : "",
861 flags & LOG_PANIC ? " PANIC" : "",
862 (flags & LOG_PANIC_DIE) == LOG_PANIC_DIE ? " DIE" : "",
863 flags & LOG_REJECT ? " REJECT" : "");
865 if (flags & LOG_CONFIG) g = log_config_info(g, flags);
867 va_start(ap, format);
869 if (!string_vformat(g, FALSE, format, ap))
872 g = string_cat(g, US"**** log string overflowed log buffer ****");
876 g->size = LOG_BUFFER_SIZE;
877 g = string_catn(g, US"\n", 1);
878 debug_printf("%s", string_from_gstring(g));
880 gs.size = LOG_BUFFER_SIZE-1; /* Having used the buffer for debug output, */
881 gs.ptr = 0; /* reset it for the real use. */
884 /* If no log file is specified, we are in a mess. */
886 if (!(flags & (LOG_MAIN|LOG_PANIC|LOG_REJECT)))
887 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_write called with no log "
890 /* There are some weird circumstances in which logging is disabled. */
892 if (f.disable_logging)
894 DEBUG(D_any) debug_printf("log writing disabled\n");
898 /* Handle disabled reject log */
900 if (!write_rejectlog) flags &= ~LOG_REJECT;
902 /* Create the main message in the log buffer. Do not include the message id
903 when called by a utility. */
905 g = string_fmt_append(&gs, "%s ", tod_stamp(tod_log));
909 if (!syslog_pid) pid_position[0] = g->ptr; /* remember begin … */
910 g = string_fmt_append(g, "[%d] ", (int)getpid());
911 if (!syslog_pid) pid_position[1] = g->ptr; /* … and end+1 of the PID */
914 if (f.really_exim && message_id[0] != 0)
915 g = string_fmt_append(g, "%s ", message_id);
917 if (flags & LOG_CONFIG)
918 g = log_config_info(g, flags);
920 va_start(ap, format);
923 if (!string_vformat(g, FALSE, format, ap))
926 g = string_cat(g, US"**** log string overflowed log buffer ****\n");
931 /* Add the raw, unrewritten, sender to the message if required. This is done
932 this way because it kind of fits with LOG_RECIPIENTS. */
934 if ( flags & LOG_SENDER
935 && g->ptr < LOG_BUFFER_SIZE - 10 - Ustrlen(raw_sender))
936 g = string_fmt_append(g, " from <%s>", raw_sender);
938 /* Add list of recipients to the message if required; the raw list,
939 before rewriting, was saved in raw_recipients. There may be none, if an ACL
940 discarded them all. */
942 if ( flags & LOG_RECIPIENTS
943 && g->ptr < LOG_BUFFER_SIZE - 6
944 && raw_recipients_count > 0)
947 g = string_fmt_append(g, " for");
948 for (i = 0; i < raw_recipients_count; i++)
950 uschar * s = raw_recipients[i];
951 if (LOG_BUFFER_SIZE - g->ptr < Ustrlen(s) + 3) break;
952 g = string_fmt_append(g, " %s", s);
956 g = string_catn(g, US"\n", 1);
957 string_from_gstring(g);
959 /* Handle loggable errors when running a utility, or when address testing.
960 Write to log_stderr unless debugging (when it will already have been written),
961 or unless there is no log_stderr (expn called from daemon, for example). */
963 if (!f.really_exim || f.log_testing_mode)
967 && (selector == 0 || (selector & log_selector[0]) != 0)
970 fprintf(log_stderr, "LOG: %s", CS(log_buffer + 20)); /* no timestamp */
972 fprintf(log_stderr, "%s", CS log_buffer);
974 if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE, US"");
978 /* Handle the main log. We know that either syslog or file logging (or both) is
979 set up. A real file gets left open during reception or delivery once it has
980 been opened, but we don't want to keep on writing to it for too long after it
981 has been renamed. Therefore, do a stat() and see if the inode has changed, and
984 if ( flags & LOG_MAIN
985 && (!selector || selector & log_selector[0]))
987 if ( logging_mode & LOG_MODE_SYSLOG
988 && (syslog_duplication || !(flags & (LOG_REJECT|LOG_PANIC))))
989 write_syslog(LOG_INFO, log_buffer);
991 if (logging_mode & LOG_MODE_FILE)
995 /* Check for a change to the mainlog file name when datestamping is in
996 operation. This happens at midnight, at which point we want to roll over
997 the file. Closing it has the desired effect. */
999 if (mainlog_datestamp)
1001 uschar *nowstamp = tod_stamp(string_datestamp_type);
1002 if (Ustrncmp (mainlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1004 (void)close(mainlogfd); /* Close the file */
1005 mainlogfd = -1; /* Clear the file descriptor */
1006 mainlog_inode = 0; /* Unset the inode */
1007 mainlog_datestamp = NULL; /* Clear the datestamp */
1011 /* Otherwise, we want to check whether the file has been renamed by a
1012 cycling script. This could be "if else", but for safety's sake, leave it as
1013 "if" so that renaming the log starts a new file even when datestamping is
1017 if (Ustat(mainlog_name, &statbuf) < 0 || statbuf.st_ino != mainlog_inode)
1020 /* If the log is closed, open it. Then write the line. */
1024 open_log(&mainlogfd, lt_main, NULL); /* No return on error */
1025 if (fstat(mainlogfd, &statbuf) >= 0) mainlog_inode = statbuf.st_ino;
1028 /* Failing to write to the log is disastrous */
1030 written_len = write_to_fd_buf(mainlogfd, g->s, g->ptr);
1031 if (written_len != g->ptr)
1033 log_write_failed(US"main log", g->ptr, written_len);
1034 /* That function does not return */
1039 /* Handle the log for rejected messages. This can be globally disabled, in
1040 which case the flags are altered above. If there are any header lines (i.e. if
1041 the rejection is happening after the DATA phase), log the recipients and the
1044 if (flags & LOG_REJECT)
1046 if (header_list && LOGGING(rejected_header))
1048 uschar * p = g->s + g->ptr;
1051 if (recipients_count > 0)
1053 /* List the sender */
1055 string_format(p, LOG_BUFFER_SIZE - g->ptr,
1056 "Envelope-from: <%s>\n", sender_address);
1060 /* List up to 5 recipients */
1062 string_format(p, LOG_BUFFER_SIZE - g->ptr,
1063 "Envelope-to: <%s>\n", recipients_list[0].address);
1067 for (i = 1; i < recipients_count && i < 5; i++)
1069 string_format(p, LOG_BUFFER_SIZE - g->ptr, " <%s>\n",
1070 recipients_list[i].address);
1075 if (i < recipients_count)
1077 string_format(p, LOG_BUFFER_SIZE - g->ptr,
1084 /* A header with a NULL text is an unfilled in Received: header */
1086 for (header_line * h = header_list; h; h = h->next) if (h->text)
1088 BOOL fitted = string_format(p, LOG_BUFFER_SIZE - g->ptr,
1089 "%c %s", h->type, h->text);
1092 if (!fitted) /* Buffer is full; truncate */
1094 g->ptr -= 100; /* For message and separator */
1095 if (g->s[g->ptr-1] == '\n') g->ptr--;
1096 g = string_cat(g, US"\n*** truncated ***\n");
1102 /* Write to syslog or to a log file */
1104 if ( logging_mode & LOG_MODE_SYSLOG
1105 && (syslog_duplication || !(flags & LOG_PANIC)))
1106 write_syslog(LOG_NOTICE, string_from_gstring(g));
1108 /* Check for a change to the rejectlog file name when datestamping is in
1109 operation. This happens at midnight, at which point we want to roll over
1110 the file. Closing it has the desired effect. */
1112 if (logging_mode & LOG_MODE_FILE)
1114 struct stat statbuf;
1116 if (rejectlog_datestamp)
1118 uschar *nowstamp = tod_stamp(string_datestamp_type);
1119 if (Ustrncmp (rejectlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1121 (void)close(rejectlogfd); /* Close the file */
1122 rejectlogfd = -1; /* Clear the file descriptor */
1123 rejectlog_inode = 0; /* Unset the inode */
1124 rejectlog_datestamp = NULL; /* Clear the datestamp */
1128 /* Otherwise, we want to check whether the file has been renamed by a
1129 cycling script. This could be "if else", but for safety's sake, leave it as
1130 "if" so that renaming the log starts a new file even when datestamping is
1133 if (rejectlogfd >= 0)
1134 if (Ustat(rejectlog_name, &statbuf) < 0 ||
1135 statbuf.st_ino != rejectlog_inode)
1137 (void)close(rejectlogfd);
1139 rejectlog_inode = 0;
1142 /* Open the file if necessary, and write the data */
1144 if (rejectlogfd < 0)
1146 open_log(&rejectlogfd, lt_reject, NULL); /* No return on error */
1147 if (fstat(rejectlogfd, &statbuf) >= 0) rejectlog_inode = statbuf.st_ino;
1150 written_len = write_to_fd_buf(rejectlogfd, g->s, g->ptr);
1151 if (written_len != g->ptr)
1153 log_write_failed(US"reject log", g->ptr, written_len);
1154 /* That function does not return */
1160 /* Handle the panic log, which is not kept open like the others. If it fails to
1161 open, there will be a recursive call to log_write(). We detect this above and
1162 attempt to write to the system log as a last-ditch try at telling somebody. In
1163 all cases except mua_wrapper, try to write to log_stderr. */
1165 if (flags & LOG_PANIC)
1167 if (log_stderr && log_stderr != debug_file && !mua_wrapper)
1168 fprintf(log_stderr, "%s", CS string_from_gstring(g));
1170 if (logging_mode & LOG_MODE_SYSLOG)
1171 write_syslog(LOG_ALERT, log_buffer);
1173 /* If this panic logging was caused by a failure to open the main log,
1174 the original log line is in panic_save_buffer. Make an attempt to write it. */
1176 if (logging_mode & LOG_MODE_FILE)
1178 panic_recurseflag = TRUE;
1179 open_log(&paniclogfd, lt_panic, NULL); /* Won't return on failure */
1180 panic_recurseflag = FALSE;
1182 if (panic_save_buffer)
1184 int i = write(paniclogfd, panic_save_buffer, Ustrlen(panic_save_buffer));
1185 i = i; /* compiler quietening */
1188 written_len = write_to_fd_buf(paniclogfd, g->s, g->ptr);
1189 if (written_len != g->ptr)
1191 int save_errno = errno;
1192 write_syslog(LOG_CRIT, log_buffer);
1193 sprintf(CS log_buffer, "write failed on panic log: length=%d result=%d "
1194 "errno=%d (%s)", g->ptr, (int)written_len, save_errno, strerror(save_errno));
1195 write_syslog(LOG_CRIT, string_from_gstring(g));
1196 flags |= LOG_PANIC_DIE;
1199 (void)close(paniclogfd);
1202 /* Give up if the DIE flag is set */
1204 if ((flags & LOG_PANIC_DIE) != LOG_PANIC)
1205 die(NULL, US"Unexpected failure, please try later");
1211 /*************************************************
1212 * Close any open log files *
1213 *************************************************/
1219 { (void)close(mainlogfd); mainlogfd = -1; }
1220 if (rejectlogfd >= 0)
1221 { (void)close(rejectlogfd); rejectlogfd = -1; }
1223 syslog_open = FALSE;
1228 /*************************************************
1229 * Multi-bit set or clear *
1230 *************************************************/
1232 /* These functions take a list of bit indexes (terminated by -1) and
1233 clear or set the corresponding bits in the selector.
1236 selector address of the bit string
1237 selsize number of words in the bit string
1238 bits list of bits to set
1242 bits_clear(unsigned int *selector, size_t selsize, int *bits)
1244 for(; *bits != -1; ++bits)
1245 BIT_CLEAR(selector, selsize, *bits);
1249 bits_set(unsigned int *selector, size_t selsize, int *bits)
1251 for(; *bits != -1; ++bits)
1252 BIT_SET(selector, selsize, *bits);
1257 /*************************************************
1258 * Decode bit settings for log/debug *
1259 *************************************************/
1261 /* This function decodes a string containing bit settings in the form of +name
1262 and/or -name sequences, and sets/unsets bits in a bit string accordingly. It
1263 also recognizes a numeric setting of the form =<number>, but this is not
1264 intended for user use. It's an easy way for Exim to pass the debug settings
1265 when it is re-exec'ed.
1267 The option table is a list of names and bit indexes. The index -1
1268 means "set all bits, except for those listed in notall". The notall
1269 list is terminated by -1.
1271 The action taken for bad values varies depending upon why we're here.
1272 For log messages, or if the debugging is triggered from config, then we write
1273 to the log on the way out. For debug setting triggered from the command-line,
1274 we treat it as an unknown option: error message to stderr and die.
1277 selector address of the bit string
1278 selsize number of words in the bit string
1279 notall list of bits to exclude from "all"
1280 string the configured string
1281 options the table of option names
1283 which "log" or "debug"
1284 flags DEBUG_FROM_CONFIG
1286 Returns: nothing on success - bomb out on failure
1290 decode_bits(unsigned int *selector, size_t selsize, int *notall,
1291 uschar *string, bit_table *options, int count, uschar *which, int flags)
1294 if (string == NULL) return;
1298 char *end; /* Not uschar */
1299 memset(selector, 0, sizeof(*selector)*selsize);
1300 *selector = strtoul(CS string+1, &end, 0);
1301 if (*end == 0) return;
1302 errmsg = string_sprintf("malformed numeric %s_selector setting: %s", which,
1307 /* Handle symbolic setting */
1314 bit_table *start, *end;
1316 while (isspace(*string)) string++;
1317 if (*string == 0) return;
1319 if (*string != '+' && *string != '-')
1321 errmsg = string_sprintf("malformed %s_selector setting: "
1322 "+ or - expected but found \"%s\"", which, string);
1326 adding = *string++ == '+';
1328 while (isalnum(*string) || *string == '_') string++;
1332 end = options + count;
1336 bit_table *middle = start + (end - start)/2;
1337 int c = Ustrncmp(s, middle->name, len);
1340 if (middle->name[len] != 0) c = -1; else
1342 unsigned int bit = middle->bit;
1348 memset(selector, -1, sizeof(*selector)*selsize);
1349 bits_clear(selector, selsize, notall);
1352 memset(selector, 0, sizeof(*selector)*selsize);
1355 BIT_SET(selector, selsize, bit);
1357 BIT_CLEAR(selector, selsize, bit);
1359 break; /* Out of loop to match selector name */
1362 if (c < 0) end = middle; else start = middle + 1;
1363 } /* Loop to match selector name */
1367 errmsg = string_sprintf("unknown %s_selector setting: %c%.*s", which,
1368 adding? '+' : '-', len, s);
1371 } /* Loop for selector names */
1373 /* Handle disasters */
1376 if (Ustrcmp(which, "debug") == 0)
1378 if (flags & DEBUG_FROM_CONFIG)
1380 log_write(0, LOG_CONFIG|LOG_PANIC, "%s", errmsg);
1383 fprintf(stderr, "exim: %s\n", errmsg);
1386 else log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "%s", errmsg);
1391 /*************************************************
1392 * Activate a debug logfile (late) *
1393 *************************************************/
1395 /* Normally, debugging is activated from the command-line; it may be useful
1396 within the configuration to activate debugging later, based on certain
1397 conditions. If debugging is already in progress, we return early, no action
1398 taken (besides debug-logging that we wanted debug-logging).
1400 Failures in options are not fatal but will result in paniclog entries for the
1403 The first use of this is in ACL logic, "control = debug/tag=foo/opts=+expand"
1404 which can be combined with conditions, etc, to activate extra logging only
1405 for certain sources. The second use is inetd wait mode debug preservation. */
1408 debug_logging_activate(uschar *tag_name, uschar *opts)
1414 debug_printf("DEBUGGING ACTIVATED FROM WITHIN CONFIG.\n"
1415 "DEBUG: Tag=\"%s\" opts=\"%s\"\n", tag_name, opts ? opts : US"");
1419 if (tag_name != NULL && (Ustrchr(tag_name, '/') != NULL))
1421 log_write(0, LOG_MAIN|LOG_PANIC, "debug tag may not contain a '/' in: %s",
1426 debug_selector = D_default;
1428 decode_bits(&debug_selector, 1, debug_notall, opts,
1429 debug_options, debug_options_count, US"debug", DEBUG_FROM_CONFIG);
1431 /* When activating from a transport process we may never have logged at all
1432 resulting in certain setup not having been done. Hack this for now so we
1433 do not segfault; note that nondefault log locations will not work */
1435 if (!*file_path) set_file_path();
1437 open_log(&fd, lt_debug, tag_name);
1440 debug_file = fdopen(fd, "w");
1442 log_write(0, LOG_MAIN|LOG_PANIC, "unable to open debug log");
1447 debug_logging_stop(void)
1449 if (!debug_file || !debuglog_name[0]) return;
1454 unlink_log(lt_debug);