1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 - 2021 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Functions for writing log files. The code for maintaining datestamped
10 log files was originally contributed by Tony Sheen. */
15 #define LOG_NAME_SIZE 256
16 #define MAX_SYSLOG_LEN 870
18 #define LOG_MODE_FILE 1
19 #define LOG_MODE_SYSLOG 2
21 enum { lt_main, lt_reject, lt_panic, lt_debug };
23 static uschar *log_names[] = { US"main", US"reject", US"panic", US"debug" };
27 /*************************************************
28 * Local static variables *
29 *************************************************/
31 static uschar mainlog_name[LOG_NAME_SIZE];
32 static uschar rejectlog_name[LOG_NAME_SIZE];
33 static uschar debuglog_name[LOG_NAME_SIZE];
35 static uschar *mainlog_datestamp = NULL;
36 static uschar *rejectlog_datestamp = NULL;
38 static int mainlogfd = -1;
39 static int rejectlogfd = -1;
40 static ino_t mainlog_inode = 0;
41 static ino_t rejectlog_inode = 0;
43 static uschar *panic_save_buffer = NULL;
44 static BOOL panic_recurseflag = FALSE;
46 static BOOL syslog_open = FALSE;
47 static BOOL path_inspected = FALSE;
48 static int logging_mode = LOG_MODE_FILE;
49 static uschar *file_path = US"";
51 static size_t pid_position[2];
54 /* These should be kept in-step with the private delivery error
55 number definitions in macros.h */
57 static const uschar * exim_errstrings[] = {
80 US"Exim-imposed quota",
82 US"Delivery filter process failure",
83 US"Delivery add/remove header failure",
84 US"Delivery write incomplete error",
85 US"Some expansion failed",
86 US"Failed to get gid",
87 US"Failed to get uid",
88 US"Unset or non-existent transport",
89 US"MBX length mismatch",
90 US"Lookup failed routing or in smtp tpt",
91 US"Can't match format in appendfile",
92 US"Creation outside home in appendfile",
93 US"Can't check a list; lookup defer",
95 US"Failed to start TLS session",
96 US"Mandatory TLS session not started",
97 US"Failed to chown a file",
98 US"Failed to create a pipe",
100 US"When required by client",
101 US"Used internally in smtp transport",
102 US"RCPT gave 4xx error",
103 US"MAIL gave 4xx error",
104 US"DATA gave 4xx error",
105 US"Negotiation failed for proxy configured host",
106 US"Authenticator 'other' failure",
107 US"target not supporting SMTPUTF8",
109 US"tainted filename",
111 US"Not time for routing",
112 US"Not time for local delivery",
113 US"Not time for any remote host",
114 US"Local-only delivery",
115 US"Domain in queue_domains",
116 US"Transport concurrency limit",
117 US"Event requests alternate response",
121 /************************************************/
125 return err < 0 ? exim_errstrings[-err] : CUS strerror(err);
128 /*************************************************
130 *************************************************/
132 /* The given string is split into sections according to length, or at embedded
133 newlines, and syslogged as a numbered sequence if it is overlong or if there is
134 more than one line. However, if we are running in the test harness, do not do
135 anything. (The test harness doesn't use syslog - for obvious reasons - but we
136 can get here if there is a failure to open the panic log.)
139 priority syslog priority
140 s the string to be written
146 write_syslog(int priority, const uschar *s)
151 if (!syslog_pid && LOGGING(pid))
152 s = string_sprintf("%.*s%s", (int)pid_position[0], s, s + pid_position[1]);
153 if (!syslog_timestamp)
155 len = log_timezone ? 26 : 20;
156 if (LOGGING(millisec)) len += 4;
163 if (!syslog_open && !f.running_in_test_harness)
165 # ifdef SYSLOG_LOG_PID
166 openlog(CS syslog_processname, LOG_PID|LOG_CONS, syslog_facility);
168 openlog(CS syslog_processname, LOG_CONS, syslog_facility);
174 /* First do a scan through the message in order to determine how many lines
175 it is going to end up as. Then rescan to output it. */
177 for (int pass = 0; pass < 2; pass++)
179 const uschar * ss = s;
180 for (int i = 1, tlen = len; tlen > 0; i++)
183 uschar *nlptr = Ustrchr(ss, '\n');
184 if (nlptr != NULL) plen = nlptr - ss;
185 #ifndef SYSLOG_LONG_LINES
186 if (plen > MAX_SYSLOG_LEN) plen = MAX_SYSLOG_LEN;
189 if (ss[plen] == '\n') tlen--; /* chars left */
193 else if (f.running_in_test_harness)
195 fprintf(stderr, "SYSLOG: '%.*s'\n", plen, ss);
197 fprintf(stderr, "SYSLOG: '[%d%c%d] %.*s'\n", i,
198 ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
199 linecount, plen, ss);
202 syslog(priority, "%.*s", plen, ss);
204 syslog(priority, "[%d%c%d] %.*s", i,
205 ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
206 linecount, plen, ss);
209 if (*ss == '\n') ss++;
216 /*************************************************
218 *************************************************/
220 /* This is called when Exim is dying as a result of something going wrong in
221 the logging, or after a log call with LOG_PANIC_DIE set. Optionally write a
222 message to debug_file or a stderr file, if they exist. Then, if in the middle
223 of accepting a message, throw it away tidily by calling receive_bomb_out();
224 this will attempt to send an SMTP response if appropriate. Passing NULL as the
225 first argument stops it trying to run the NOTQUIT ACL (which might try further
226 logging and thus cause problems). Otherwise, try to close down an outstanding
230 s1 Error message to write to debug_file and/or stderr and syslog
231 s2 Error message for any SMTP call that is in progress
232 Returns: The function does not return
236 die(uschar *s1, uschar *s2)
240 write_syslog(LOG_CRIT, s1);
241 if (debug_file) debug_printf("%s\n", s1);
242 if (log_stderr && log_stderr != debug_file)
243 fprintf(log_stderr, "%s\n", s1);
245 if (f.receive_call_bombout) receive_bomb_out(NULL, s2); /* does not return */
246 if (smtp_input) smtp_closedown(s2);
247 exim_exit(EXIT_FAILURE);
252 /*************************************************
253 * Create a log file *
254 *************************************************/
256 /* This function is called to create and open a log file. It may be called in a
257 subprocess when the original process is root.
262 The file name has been build in a working buffer, so it is permissible to
263 overwrite it temporarily if it is necessary to create the directory.
265 Returns: a file descriptor, or < 0 on failure (errno set)
269 log_open_already_exim(uschar * const name)
272 const int flags = O_WRONLY | O_APPEND | O_CREAT | O_NONBLOCK;
274 if (geteuid() != exim_uid)
280 fd = Uopen(name, flags, LOG_MODE);
282 /* If creation failed, attempt to build a log directory in case that is the
285 if (fd < 0 && errno == ENOENT)
288 uschar *lastslash = Ustrrchr(name, '/');
290 created = directory_make(NULL, name, LOG_DIRECTORY_MODE, FALSE);
291 DEBUG(D_any) debug_printf("%s log directory %s\n",
292 created ? "created" : "failed to create", name);
294 if (created) fd = Uopen(name, flags, LOG_MODE);
302 /* Inspired by OpenSSH's mm_send_fd(). Thanks!
303 Send fd over socketpair.
304 Return: true iff good.
308 log_send_fd(const int sock, const int fd)
313 char buf[CMSG_SPACE(sizeof(int))];
315 struct cmsghdr *cmsg;
317 struct iovec vec = {.iov_base = &ch, .iov_len = 1};
320 memset(&msg, 0, sizeof(msg));
321 memset(&cmsgbuf, 0, sizeof(cmsgbuf));
322 msg.msg_control = &cmsgbuf.buf;
323 msg.msg_controllen = sizeof(cmsgbuf.buf);
325 cmsg = CMSG_FIRSTHDR(&msg);
326 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
327 cmsg->cmsg_level = SOL_SOCKET;
328 cmsg->cmsg_type = SCM_RIGHTS;
329 *(int *)CMSG_DATA(cmsg) = fd;
334 while ((n = sendmsg(sock, &msg, 0)) == -1 && errno == EINTR);
338 /* Inspired by OpenSSH's mm_receive_fd(). Thanks!
339 Return fd passed over socketpair, or -1 on error.
343 log_recv_fd(const int sock)
348 char buf[CMSG_SPACE(sizeof(int))];
350 struct cmsghdr *cmsg;
352 struct iovec vec = {.iov_base = &ch, .iov_len = 1};
356 memset(&msg, 0, sizeof(msg));
360 memset(&cmsgbuf, 0, sizeof(cmsgbuf));
361 msg.msg_control = &cmsgbuf.buf;
362 msg.msg_controllen = sizeof(cmsgbuf.buf);
364 while ((n = recvmsg(sock, &msg, 0)) == -1 && errno == EINTR) ;
365 if (n != 1 || ch != 'A') return -1;
367 if (!(cmsg = CMSG_FIRSTHDR(&msg))) return -1;
368 if (cmsg->cmsg_type != SCM_RIGHTS) return -1;
369 if ((fd = *(const int *)CMSG_DATA(cmsg)) < 0) return -1;
375 /*************************************************
376 * Create a log file as the exim user *
377 *************************************************/
379 /* This function is called when we are root to spawn an exim:exim subprocess
380 in which we can create a log file. It must be signal-safe since it is called
381 by the usr1_handler().
386 Returns: a file descriptor, or < 0 on failure (errno set)
390 log_open_as_exim(uschar * const name)
393 const uid_t euid = geteuid();
395 if (euid == exim_uid)
396 fd = log_open_already_exim(name);
397 else if (euid == root_uid)
400 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sock) == 0)
402 const pid_t pid = fork();
405 (void)close(sock[0]);
406 if ( setgroups(1, &exim_gid) != 0
407 || setgid(exim_gid) != 0
408 || setuid(exim_uid) != 0
410 || getuid() != exim_uid || geteuid() != exim_uid
411 || getgid() != exim_gid || getegid() != exim_gid
413 || (fd = log_open_already_exim(name)) < 0
414 || !log_send_fd(sock[1], fd)
415 ) _exit(EXIT_FAILURE);
416 (void)close(sock[1]);
420 (void)close(sock[1]);
423 fd = log_recv_fd(sock[0]);
424 while (waitpid(pid, NULL, 0) == -1 && errno == EINTR);
426 (void)close(sock[0]);
433 flags = fcntl(fd, F_GETFD);
434 if (flags != -1) (void)fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
435 flags = fcntl(fd, F_GETFL);
436 if (flags != -1) (void)fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
447 /*************************************************
449 *************************************************/
451 /* This function opens one of a number of logs, creating the log directory if
452 it does not exist. This may be called recursively on failure, in order to open
455 The directory is in the static variable file_path. This is static so that it
456 the work of sorting out the path is done just once per Exim process.
458 Exim is normally configured to avoid running as root wherever possible, the log
459 files must be owned by the non-privileged exim user. To ensure this, first try
460 an open without O_CREAT - most of the time this will succeed. If it fails, try
461 to create the file; if running as root, this must be done in a subprocess to
465 fd where to return the resulting file descriptor
466 type lt_main, lt_reject, lt_panic, or lt_debug
467 tag optional tag to include in the name (only hooked up for debug)
473 open_log(int *fd, int type, uschar *tag)
477 uschar buffer[LOG_NAME_SIZE];
479 /* The names of the log files are controlled by file_path. The panic log is
480 written to the same directory as the main and reject logs, but its name does
481 not have a datestamp. The use of datestamps is indicated by %D/%M in file_path.
482 When opening the panic log, if %D or %M is present, we remove the datestamp
483 from the generated name; if it is at the start, remove a following
484 non-alphanumeric character as well; otherwise, remove a preceding
485 non-alphanumeric character. This is definitely kludgy, but it sort of does what
486 people want, I hope. */
488 ok = string_format(buffer, sizeof(buffer), CS file_path, log_names[type]);
493 /* Save the name of the mainlog for rollover processing. Without a datestamp,
494 it gets statted to see if it has been cycled. With a datestamp, the datestamp
495 will be compared. The static slot for saving it is the same size as buffer,
496 and the text has been checked above to fit, so this use of strcpy() is OK. */
497 Ustrcpy(mainlog_name, buffer);
498 if (string_datestamp_offset > 0)
499 mainlog_datestamp = mainlog_name + string_datestamp_offset;
503 /* Ditto for the reject log */
504 Ustrcpy(rejectlog_name, buffer);
505 if (string_datestamp_offset > 0)
506 rejectlog_datestamp = rejectlog_name + string_datestamp_offset;
510 /* and deal with the debug log (which keeps the datestamp, but does not
512 Ustrcpy(debuglog_name, buffer);
515 /* this won't change the offset of the datestamp */
516 ok2 = string_format(buffer, sizeof(buffer), "%s%s",
519 Ustrcpy(debuglog_name, buffer);
524 /* Remove any datestamp if this is the panic log. This is rare, so there's no
525 need to optimize getting the datestamp length. We remove one non-alphanumeric
526 char afterwards if at the start, otherwise one before. */
527 if (string_datestamp_offset >= 0)
529 uschar * from = buffer + string_datestamp_offset;
530 uschar * to = from + string_datestamp_length;
532 if (from == buffer || from[-1] == '/')
534 if (!isalnum(*to)) to++;
537 if (!isalnum(from[-1])) from--;
539 /* This copy is ok, because we know that to is a substring of from. But
540 due to overlap we must use memmove() not Ustrcpy(). */
541 memmove(from, to, Ustrlen(to)+1);
546 /* If the file name is too long, it is an unrecoverable disaster */
549 die(US"exim: log file path too long: aborting",
550 US"Logging failure; please try later");
552 /* We now have the file name. After a successful open, return. */
554 if ((*fd = log_open_as_exim(buffer)) >= 0)
559 /* Creation failed. There are some circumstances in which we get here when
560 the effective uid is not root or exim, which is the problem. (For example, a
561 non-setuid binary with log_arguments set, called in certain ways.) Rather than
562 just bombing out, force the log to stderr and carry on if stderr is available.
565 if (euid != root_uid && euid != exim_uid && log_stderr)
567 *fd = fileno(log_stderr);
571 /* Otherwise this is a disaster. This call is deliberately ONLY to the panic
572 log. If possible, save a copy of the original line that was being logged. If we
573 are recursing (can't open the panic log either), the pointer will already be
574 set. Also, when we had to use a subprocess for the create we didn't retrieve
575 errno from it, so get the error from the open attempt above (which is often
576 meaningful enough, so leave it). */
578 if (!panic_save_buffer)
579 if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
580 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
582 log_write(0, LOG_PANIC_DIE, "Cannot open %s log file \"%s\": %s: "
583 "euid=%d egid=%d", log_names[type], buffer, strerror(errno), euid, getegid());
591 if (type == lt_debug) unlink(CS debuglog_name);
596 /*************************************************
597 * Add configuration file info to log line *
598 *************************************************/
600 /* This is put in a function because it's needed twice (once for debugging,
604 ptr pointer to the end of the line we are building
607 Returns: updated pointer
611 log_config_info(gstring * g, int flags)
613 g = string_cat(g, US"Exim configuration error");
615 if (flags & (LOG_CONFIG_FOR & ~LOG_CONFIG))
616 return string_cat(g, US" for ");
618 if (flags & (LOG_CONFIG_IN & ~LOG_CONFIG))
619 g = string_fmt_append(g, " in line %d of %s", config_lineno, config_filename);
621 return string_catn(g, US":\n ", 4);
625 /*************************************************
626 * A write() operation failed *
627 *************************************************/
629 /* This function is called when write() fails on anything other than the panic
630 log, which can happen if a disk gets full or a file gets too large or whatever.
631 We try to save the relevant message in the panic_save buffer before crashing
634 The potential invoker should probably not call us for EINTR -1 writes. But
635 otherwise, short writes are bad as we don't do non-blocking writes to fds
636 subject to flow control. (If we do, that's new and the logic of this should
640 name the name of the log being written
641 length the string length being written
642 rc the return value from write()
644 Returns: does not return
648 log_write_failed(uschar *name, int length, int rc)
650 int save_errno = errno;
652 if (!panic_save_buffer)
653 if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
654 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
656 log_write(0, LOG_PANIC_DIE, "failed to write to %s: length=%d result=%d "
657 "errno=%d (%s)", name, length, rc, save_errno,
658 (save_errno == 0)? "write incomplete" : strerror(save_errno));
664 /*************************************************
665 * Write to an fd, retrying after signals *
666 *************************************************/
668 /* Basic write to fd for logs, handling EINTR.
671 fd the fd to write to
672 buf the string to write
673 length the string length being written
676 length actually written, persisting an errno from write()
679 write_to_fd_buf(int fd, const uschar *buf, size_t length)
682 size_t total_written = 0;
683 const uschar *p = buf;
684 size_t left = length;
688 wrote = write(fd, p, left);
689 if (wrote == (ssize_t)-1)
691 if (errno == EINTR) continue;
694 total_written += wrote;
703 return total_written;
711 int sep = ':'; /* Fixed separator - outside use */
713 const uschar *tt = US LOG_FILE_PATH;
714 while ((t = string_nextinlist(&tt, &sep, log_buffer, LOG_BUFFER_SIZE)))
716 if (Ustrcmp(t, "syslog") == 0 || t[0] == 0) continue;
717 file_path = string_copy(t);
726 if (mainlogfd < 0) return;
727 (void)close(mainlogfd);
732 /*************************************************
733 * Write message to log file *
734 *************************************************/
736 /* Exim can be configured to log to local files, or use syslog, or both. This
737 is controlled by the setting of log_file_path. The following cases are
740 log_file_path = "" write files in the spool/log directory
741 log_file_path = "xxx" write files in the xxx directory
742 log_file_path = "syslog" write to syslog
743 log_file_path = "syslog : xxx" write to syslog and to files (any order)
745 The message always gets '\n' added on the end of it, since more than one
746 process may be writing to the log at once and we don't want intermingling to
747 happen in the middle of lines. To be absolutely sure of this we write the data
748 into a private buffer and then put it out in a single write() call.
750 The flags determine which log(s) the message is written to, or for syslogging,
751 which priority to use, and in the case of the panic log, whether the process
752 should die afterwards.
754 The variable really_exim is TRUE only when exim is running in privileged state
755 (i.e. not with a changed configuration or with testing options such as -brw).
756 If it is not, don't try to write to the log because permission will probably be
759 Avoid actually writing to the logs when exim is called with -bv or -bt to
760 test an address, but take other actions, such as panicking.
762 In Exim proper, the buffer for building the message is got at start-up, so that
763 nothing gets done if it can't be got. However, some functions that are also
764 used in utilities occasionally obey log_write calls in error situations, and it
765 is simplest to put a single malloc() here rather than put one in each utility.
766 Malloc is used directly because the store functions may call log_write().
768 If a message_id exists, we include it after the timestamp.
771 selector write to main log or LOG_INFO only if this value is zero, or if
772 its bit is set in log_selector[0]
773 flags each bit indicates some independent action:
774 LOG_SENDER add raw sender to the message
775 LOG_RECIPIENTS add raw recipients list to message
776 LOG_CONFIG add "Exim configuration error"
777 LOG_CONFIG_FOR add " for " instead of ":\n "
778 LOG_CONFIG_IN add " in line x[ of file y]"
779 LOG_MAIN write to main log or syslog LOG_INFO
780 LOG_REJECT write to reject log or syslog LOG_NOTICE
781 LOG_PANIC write to panic log or syslog LOG_ALERT
782 LOG_PANIC_DIE write to panic log or LOG_ALERT and then crash
783 format a printf() format
784 ... arguments for format
790 log_write(unsigned int selector, int flags, const char *format, ...)
794 gstring gs = { .size = LOG_BUFFER_SIZE-1, .ptr = 0, .s = log_buffer };
798 /* If panic_recurseflag is set, we have failed to open the panic log. This is
799 the ultimate disaster. First try to write the message to a debug file and/or
800 stderr and also to syslog. If panic_save_buffer is not NULL, it contains the
801 original log line that caused the problem. Afterwards, expire. */
803 if (panic_recurseflag)
805 uschar *extra = panic_save_buffer ? panic_save_buffer : US"";
806 if (debug_file) debug_printf("%s%s", extra, log_buffer);
807 if (log_stderr && log_stderr != debug_file)
808 fprintf(log_stderr, "%s%s", extra, log_buffer);
809 if (*extra) write_syslog(LOG_CRIT, extra);
810 write_syslog(LOG_CRIT, log_buffer);
811 die(US"exim: could not open panic log - aborting: see message(s) above",
812 US"Unexpected log failure, please try later");
815 /* Ensure we have a buffer (see comment above); this should never be obeyed
816 when running Exim proper, only when running utilities. */
819 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
821 fprintf(stderr, "exim: failed to get store for log buffer\n");
822 exim_exit(EXIT_FAILURE);
825 /* If we haven't already done so, inspect the setting of log_file_path to
826 determine whether to log to files and/or to syslog. Bits in logging_mode
827 control this, and for file logging, the path must end up in file_path. This
828 variable must be in permanent store because it may be required again later in
833 BOOL multiple = FALSE;
834 int old_pool = store_pool;
836 store_pool = POOL_PERM;
838 /* If nothing has been set, don't waste effort... the default values for the
839 statics are file_path="" and logging_mode = LOG_MODE_FILE. */
843 int sep = ':'; /* Fixed separator - outside use */
845 const uschar *ss = log_file_path;
848 while ((s = string_nextinlist(&ss, &sep, log_buffer, LOG_BUFFER_SIZE)))
850 if (Ustrcmp(s, "syslog") == 0)
851 logging_mode |= LOG_MODE_SYSLOG;
852 else if (logging_mode & LOG_MODE_FILE)
856 logging_mode |= LOG_MODE_FILE;
858 /* If a non-empty path is given, use it */
861 file_path = string_copy(s);
863 /* If the path is empty, we want to use the first non-empty, non-
864 syslog item in LOG_FILE_PATH, if there is one, since the value of
865 log_file_path may have been set at runtime. If there is no such item,
866 use the ultimate default in the spool directory. */
869 set_file_path(); /* Empty item in log_file_path */
870 } /* First non-syslog item in log_file_path */
871 } /* Scan of log_file_path */
874 /* If no modes have been selected, it is a major disaster */
876 if (logging_mode == 0)
877 die(US"Neither syslog nor file logging set in log_file_path",
878 US"Unexpected logging failure");
880 /* Set up the ultimate default if necessary. Then revert to the old store
881 pool, and record that we've sorted out the path. */
883 if (logging_mode & LOG_MODE_FILE && !file_path[0])
884 file_path = string_sprintf("%s/log/%%slog", spool_directory);
885 store_pool = old_pool;
886 path_inspected = TRUE;
888 /* If more than one file path was given, log a complaint. This recursive call
889 should work since we have now set up the routing. */
892 log_write(0, LOG_MAIN|LOG_PANIC,
893 "More than one path given in log_file_path: using %s", file_path);
896 /* Optionally trigger debug */
898 if (flags & LOG_PANIC && dtrigger_selector & BIT(DTi_panictrigger))
899 debug_trigger_fire();
901 /* If debugging, show all log entries, but don't show headers. Do it all
902 in one go so that it doesn't get split when multi-processing. */
908 g = string_catn(&gs, US"LOG:", 4);
910 /* Show the selector that was passed into the call. */
912 for (i = 0; i < log_options_count; i++)
914 unsigned int bitnum = log_options[i].bit;
915 if (bitnum < BITWORDSIZE && selector == BIT(bitnum))
916 g = string_fmt_append(g, " %s", log_options[i].name);
919 g = string_fmt_append(g, "%s%s%s%s\n ",
920 flags & LOG_MAIN ? " MAIN" : "",
921 flags & LOG_PANIC ? " PANIC" : "",
922 (flags & LOG_PANIC_DIE) == LOG_PANIC_DIE ? " DIE" : "",
923 flags & LOG_REJECT ? " REJECT" : "");
925 if (flags & LOG_CONFIG) g = log_config_info(g, flags);
927 /* We want to be able to log tainted info, but log_buffer is directly
928 malloc'd. So use deliberately taint-nonchecking routines to build into
929 it, trusting that we will never expand the results. */
931 va_start(ap, format);
933 if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap))
936 g = string_cat(g, US"**** log string overflowed log buffer ****");
940 g->size = LOG_BUFFER_SIZE;
941 g = string_catn(g, US"\n", 1);
942 debug_printf("%s", string_from_gstring(g));
944 gs.size = LOG_BUFFER_SIZE-1; /* Having used the buffer for debug output, */
945 gs.ptr = 0; /* reset it for the real use. */
948 /* If no log file is specified, we are in a mess. */
950 if (!(flags & (LOG_MAIN|LOG_PANIC|LOG_REJECT)))
951 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_write called with no log "
954 /* There are some weird circumstances in which logging is disabled. */
956 if (f.disable_logging)
958 DEBUG(D_any) debug_printf("log writing disabled\n");
959 if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE);
963 /* Handle disabled reject log */
965 if (!write_rejectlog) flags &= ~LOG_REJECT;
967 /* Create the main message in the log buffer. Do not include the message id
968 when called by a utility. */
970 g = string_fmt_append(&gs, "%s ", tod_stamp(tod_log));
974 if (!syslog_pid) pid_position[0] = g->ptr; /* remember begin … */
975 g = string_fmt_append(g, "[%d] ", (int)getpid());
976 if (!syslog_pid) pid_position[1] = g->ptr; /* … and end+1 of the PID */
979 if (f.really_exim && message_id[0] != 0)
980 g = string_fmt_append(g, "%s ", message_id);
982 if (flags & LOG_CONFIG)
983 g = log_config_info(g, flags);
985 va_start(ap, format);
989 /* We want to be able to log tainted info, but log_buffer is directly
990 malloc'd. So use deliberately taint-nonchecking routines to build into
991 it, trusting that we will never expand the results. */
993 if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap))
996 g = string_cat(g, US"**** log string overflowed log buffer ****\n");
1001 /* Add the raw, unrewritten, sender to the message if required. This is done
1002 this way because it kind of fits with LOG_RECIPIENTS. */
1004 if ( flags & LOG_SENDER
1005 && g->ptr < LOG_BUFFER_SIZE - 10 - Ustrlen(raw_sender))
1006 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " from <%s>", raw_sender);
1008 /* Add list of recipients to the message if required; the raw list,
1009 before rewriting, was saved in raw_recipients. There may be none, if an ACL
1010 discarded them all. */
1012 if ( flags & LOG_RECIPIENTS
1013 && g->ptr < LOG_BUFFER_SIZE - 6
1014 && raw_recipients_count > 0)
1017 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " for", NULL);
1018 for (i = 0; i < raw_recipients_count; i++)
1020 uschar * s = raw_recipients[i];
1021 if (LOG_BUFFER_SIZE - g->ptr < Ustrlen(s) + 3) break;
1022 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " %s", s);
1026 g = string_catn(g, US"\n", 1);
1027 string_from_gstring(g);
1029 /* Handle loggable errors when running a utility, or when address testing.
1030 Write to log_stderr unless debugging (when it will already have been written),
1031 or unless there is no log_stderr (expn called from daemon, for example). */
1033 if (!f.really_exim || f.log_testing_mode)
1035 if ( !debug_selector
1037 && (selector == 0 || (selector & log_selector[0]) != 0)
1040 fprintf(log_stderr, "LOG: %s", CS(log_buffer + 20)); /* no timestamp */
1042 fprintf(log_stderr, "%s", CS log_buffer);
1044 if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE);
1048 /* Handle the main log. We know that either syslog or file logging (or both) is
1049 set up. A real file gets left open during reception or delivery once it has
1050 been opened, but we don't want to keep on writing to it for too long after it
1051 has been renamed. Therefore, do a stat() and see if the inode has changed, and
1054 if ( flags & LOG_MAIN
1055 && (!selector || selector & log_selector[0]))
1057 if ( logging_mode & LOG_MODE_SYSLOG
1058 && (syslog_duplication || !(flags & (LOG_REJECT|LOG_PANIC))))
1059 write_syslog(LOG_INFO, log_buffer);
1061 if (logging_mode & LOG_MODE_FILE)
1063 struct stat statbuf;
1065 /* Check for a change to the mainlog file name when datestamping is in
1066 operation. This happens at midnight, at which point we want to roll over
1067 the file. Closing it has the desired effect. */
1069 if (mainlog_datestamp)
1071 uschar *nowstamp = tod_stamp(string_datestamp_type);
1072 if (Ustrncmp (mainlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1074 (void)close(mainlogfd); /* Close the file */
1075 mainlogfd = -1; /* Clear the file descriptor */
1076 mainlog_inode = 0; /* Unset the inode */
1077 mainlog_datestamp = NULL; /* Clear the datestamp */
1081 /* Otherwise, we want to check whether the file has been renamed by a
1082 cycling script. This could be "if else", but for safety's sake, leave it as
1083 "if" so that renaming the log starts a new file even when datestamping is
1087 if (Ustat(mainlog_name, &statbuf) < 0 || statbuf.st_ino != mainlog_inode)
1090 /* If the log is closed, open it. Then write the line. */
1094 open_log(&mainlogfd, lt_main, NULL); /* No return on error */
1095 if (fstat(mainlogfd, &statbuf) >= 0) mainlog_inode = statbuf.st_ino;
1098 /* Failing to write to the log is disastrous */
1100 written_len = write_to_fd_buf(mainlogfd, g->s, g->ptr);
1101 if (written_len != g->ptr)
1103 log_write_failed(US"main log", g->ptr, written_len);
1104 /* That function does not return */
1109 /* Handle the log for rejected messages. This can be globally disabled, in
1110 which case the flags are altered above. If there are any header lines (i.e. if
1111 the rejection is happening after the DATA phase), log the recipients and the
1114 if (flags & LOG_REJECT)
1116 if (header_list && LOGGING(rejected_header))
1121 if (recipients_count > 0)
1123 /* List the sender */
1125 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1126 "Envelope-from: <%s>\n", sender_address);
1129 /* List up to 5 recipients */
1131 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1132 "Envelope-to: <%s>\n", recipients_list[0].address);
1135 for (i = 1; i < recipients_count && i < 5; i++)
1137 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1138 " <%s>\n", recipients_list[i].address);
1142 if (i < recipients_count)
1144 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " ...\n", NULL);
1149 /* A header with a NULL text is an unfilled in Received: header */
1151 for (header_line * h = header_list; h; h = h->next) if (h->text)
1153 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1154 "%c %s", h->type, h->text);
1157 else /* Buffer is full; truncate */
1159 g->ptr -= 100; /* For message and separator */
1160 if (g->s[g->ptr-1] == '\n') g->ptr--;
1161 g = string_cat(g, US"\n*** truncated ***\n");
1167 /* Write to syslog or to a log file */
1169 if ( logging_mode & LOG_MODE_SYSLOG
1170 && (syslog_duplication || !(flags & LOG_PANIC)))
1171 write_syslog(LOG_NOTICE, string_from_gstring(g));
1173 /* Check for a change to the rejectlog file name when datestamping is in
1174 operation. This happens at midnight, at which point we want to roll over
1175 the file. Closing it has the desired effect. */
1177 if (logging_mode & LOG_MODE_FILE)
1179 struct stat statbuf;
1181 if (rejectlog_datestamp)
1183 uschar *nowstamp = tod_stamp(string_datestamp_type);
1184 if (Ustrncmp (rejectlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1186 (void)close(rejectlogfd); /* Close the file */
1187 rejectlogfd = -1; /* Clear the file descriptor */
1188 rejectlog_inode = 0; /* Unset the inode */
1189 rejectlog_datestamp = NULL; /* Clear the datestamp */
1193 /* Otherwise, we want to check whether the file has been renamed by a
1194 cycling script. This could be "if else", but for safety's sake, leave it as
1195 "if" so that renaming the log starts a new file even when datestamping is
1198 if (rejectlogfd >= 0)
1199 if (Ustat(rejectlog_name, &statbuf) < 0 ||
1200 statbuf.st_ino != rejectlog_inode)
1202 (void)close(rejectlogfd);
1204 rejectlog_inode = 0;
1207 /* Open the file if necessary, and write the data */
1209 if (rejectlogfd < 0)
1211 open_log(&rejectlogfd, lt_reject, NULL); /* No return on error */
1212 if (fstat(rejectlogfd, &statbuf) >= 0) rejectlog_inode = statbuf.st_ino;
1215 written_len = write_to_fd_buf(rejectlogfd, g->s, g->ptr);
1216 if (written_len != g->ptr)
1218 log_write_failed(US"reject log", g->ptr, written_len);
1219 /* That function does not return */
1225 /* Handle the panic log, which is not kept open like the others. If it fails to
1226 open, there will be a recursive call to log_write(). We detect this above and
1227 attempt to write to the system log as a last-ditch try at telling somebody. In
1228 all cases except mua_wrapper, try to write to log_stderr. */
1230 if (flags & LOG_PANIC)
1232 if (log_stderr && log_stderr != debug_file && !mua_wrapper)
1233 fprintf(log_stderr, "%s", CS string_from_gstring(g));
1235 if (logging_mode & LOG_MODE_SYSLOG)
1236 write_syslog(LOG_ALERT, log_buffer);
1238 /* If this panic logging was caused by a failure to open the main log,
1239 the original log line is in panic_save_buffer. Make an attempt to write it. */
1241 if (logging_mode & LOG_MODE_FILE)
1243 panic_recurseflag = TRUE;
1244 open_log(&paniclogfd, lt_panic, NULL); /* Won't return on failure */
1245 panic_recurseflag = FALSE;
1247 if (panic_save_buffer)
1248 (void) write(paniclogfd, panic_save_buffer, Ustrlen(panic_save_buffer));
1250 written_len = write_to_fd_buf(paniclogfd, g->s, g->ptr);
1251 if (written_len != g->ptr)
1253 int save_errno = errno;
1254 write_syslog(LOG_CRIT, log_buffer);
1255 sprintf(CS log_buffer, "write failed on panic log: length=%d result=%d "
1256 "errno=%d (%s)", g->ptr, (int)written_len, save_errno, strerror(save_errno));
1257 write_syslog(LOG_CRIT, string_from_gstring(g));
1258 flags |= LOG_PANIC_DIE;
1261 (void)close(paniclogfd);
1264 /* Give up if the DIE flag is set */
1266 if ((flags & LOG_PANIC_DIE) != LOG_PANIC)
1267 die(NULL, US"Unexpected failure, please try later");
1273 /*************************************************
1274 * Close any open log files *
1275 *************************************************/
1281 { (void)close(mainlogfd); mainlogfd = -1; }
1282 if (rejectlogfd >= 0)
1283 { (void)close(rejectlogfd); rejectlogfd = -1; }
1285 syslog_open = FALSE;
1290 /*************************************************
1291 * Multi-bit set or clear *
1292 *************************************************/
1294 /* These functions take a list of bit indexes (terminated by -1) and
1295 clear or set the corresponding bits in the selector.
1298 selector address of the bit string
1299 selsize number of words in the bit string
1300 bits list of bits to set
1304 bits_clear(unsigned int *selector, size_t selsize, int *bits)
1306 for(; *bits != -1; ++bits)
1307 BIT_CLEAR(selector, selsize, *bits);
1311 bits_set(unsigned int *selector, size_t selsize, int *bits)
1313 for(; *bits != -1; ++bits)
1314 BIT_SET(selector, selsize, *bits);
1319 /*************************************************
1320 * Decode bit settings for log/debug *
1321 *************************************************/
1323 /* This function decodes a string containing bit settings in the form of +name
1324 and/or -name sequences, and sets/unsets bits in a bit string accordingly. It
1325 also recognizes a numeric setting of the form =<number>, but this is not
1326 intended for user use. It's an easy way for Exim to pass the debug settings
1327 when it is re-exec'ed.
1329 The option table is a list of names and bit indexes. The index -1
1330 means "set all bits, except for those listed in notall". The notall
1331 list is terminated by -1.
1333 The action taken for bad values varies depending upon why we're here.
1334 For log messages, or if the debugging is triggered from config, then we write
1335 to the log on the way out. For debug setting triggered from the command-line,
1336 we treat it as an unknown option: error message to stderr and die.
1339 selector address of the bit string
1340 selsize number of words in the bit string
1341 notall list of bits to exclude from "all"
1342 string the configured string
1343 options the table of option names
1345 which "log" or "debug"
1346 flags DEBUG_FROM_CONFIG
1348 Returns: nothing on success - bomb out on failure
1352 decode_bits(unsigned int *selector, size_t selsize, int *notall,
1353 uschar *string, bit_table *options, int count, uschar *which, int flags)
1356 if (!string) return;
1360 char *end; /* Not uschar */
1361 memset(selector, 0, sizeof(*selector)*selsize);
1362 *selector = strtoul(CS string+1, &end, 0);
1364 errmsg = string_sprintf("malformed numeric %s_selector setting: %s", which,
1369 /* Handle symbolic setting */
1376 bit_table *start, *end;
1378 Uskip_whitespace(&string);
1379 if (!*string) return;
1381 if (*string != '+' && *string != '-')
1383 errmsg = string_sprintf("malformed %s_selector setting: "
1384 "+ or - expected but found \"%s\"", which, string);
1388 adding = *string++ == '+';
1390 while (isalnum(*string) || *string == '_') string++;
1394 end = options + count;
1398 bit_table *middle = start + (end - start)/2;
1399 int c = Ustrncmp(s, middle->name, len);
1401 if (middle->name[len] != 0) c = -1; else
1403 unsigned int bit = middle->bit;
1409 memset(selector, -1, sizeof(*selector)*selsize);
1410 bits_clear(selector, selsize, notall);
1413 memset(selector, 0, sizeof(*selector)*selsize);
1416 BIT_SET(selector, selsize, bit);
1418 BIT_CLEAR(selector, selsize, bit);
1420 break; /* Out of loop to match selector name */
1422 if (c < 0) end = middle; else start = middle + 1;
1423 } /* Loop to match selector name */
1427 errmsg = string_sprintf("unknown %s_selector setting: %c%.*s", which,
1428 adding? '+' : '-', len, s);
1431 } /* Loop for selector names */
1433 /* Handle disasters */
1436 if (Ustrcmp(which, "debug") == 0)
1438 if (flags & DEBUG_FROM_CONFIG)
1440 log_write(0, LOG_CONFIG|LOG_PANIC, "%s", errmsg);
1443 fprintf(stderr, "exim: %s\n", errmsg);
1446 else log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "%s", errmsg);
1451 /*************************************************
1452 * Activate a debug logfile (late) *
1453 *************************************************/
1455 /* Normally, debugging is activated from the command-line; it may be useful
1456 within the configuration to activate debugging later, based on certain
1457 conditions. If debugging is already in progress, we return early, no action
1458 taken (besides debug-logging that we wanted debug-logging).
1460 Failures in options are not fatal but will result in paniclog entries for the
1463 The first use of this is in ACL logic, "control = debug/tag=foo/opts=+expand"
1464 which can be combined with conditions, etc, to activate extra logging only
1465 for certain sources. The second use is inetd wait mode debug preservation.
1467 It might be nice, in ACL-initiated pretrigger mode, to not create the file
1468 immediately but only upon a trigger - but we'd need another cmdline option
1469 to pass the name through child_exxec_exim(). */
1472 debug_logging_activate(uschar *tag_name, uschar *opts)
1476 debug_printf("DEBUGGING ACTIVATED FROM WITHIN CONFIG.\n"
1477 "DEBUG: Tag=\"%s\" opts=\"%s\"\n", tag_name, opts ? opts : US"");
1481 if (tag_name && (Ustrchr(tag_name, '/') != NULL))
1483 log_write(0, LOG_MAIN|LOG_PANIC, "debug tag may not contain a '/' in: %s",
1488 debug_selector = D_default;
1490 decode_bits(&debug_selector, 1, debug_notall, opts,
1491 debug_options, debug_options_count, US"debug", DEBUG_FROM_CONFIG);
1493 /* When activating from a transport process we may never have logged at all
1494 resulting in certain setup not having been done. Hack this for now so we
1495 do not segfault; note that nondefault log locations will not work */
1497 if (!*file_path) set_file_path();
1499 open_log(&debug_fd, lt_debug, tag_name);
1502 debug_file = fdopen(debug_fd, "w");
1504 log_write(0, LOG_MAIN|LOG_PANIC, "unable to open debug log");
1509 debug_logging_stop(BOOL kill)
1511 debug_pretrigger_discard();
1512 if (!debug_file || !debuglog_name[0]) return;
1518 if (kill) unlink_log(lt_debug);