1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Functions for writing log files. The code for maintaining datestamped
10 log files was originally contributed by Tony Sheen. */
15 #define MAX_SYSLOG_LEN 870
17 #define LOG_MODE_FILE 1
18 #define LOG_MODE_SYSLOG 2
20 enum { lt_main, lt_reject, lt_panic, lt_debug };
22 static uschar *log_names[] = { US"main", US"reject", US"panic", US"debug" };
26 /*************************************************
27 * Local static variables *
28 *************************************************/
30 static uschar mainlog_name[LOG_NAME_SIZE];
31 static uschar rejectlog_name[LOG_NAME_SIZE];
33 static uschar *mainlog_datestamp = NULL;
34 static uschar *rejectlog_datestamp = NULL;
36 static int mainlogfd = -1;
37 static int rejectlogfd = -1;
38 static ino_t mainlog_inode = 0;
39 static ino_t rejectlog_inode = 0;
41 static uschar *panic_save_buffer = NULL;
42 static BOOL panic_recurseflag = FALSE;
44 static BOOL syslog_open = FALSE;
45 static BOOL path_inspected = FALSE;
46 static int logging_mode = LOG_MODE_FILE;
47 static uschar *file_path = US"";
49 static size_t pid_position[2];
52 /* These should be kept in-step with the private delivery error
53 number definitions in macros.h */
55 static const uschar * exim_errstrings[] = {
57 [- ERRNO_UNKNOWNERROR] = US"unknown error",
58 [- ERRNO_USERSLASH] = US"user slash",
59 [- ERRNO_EXISTRACE] = US"exist race",
60 [- ERRNO_NOTREGULAR] = US"not regular",
61 [- ERRNO_NOTDIRECTORY] = US"not directory",
62 [- ERRNO_BADUGID] = US"bad ugid",
63 [- ERRNO_BADMODE] = US"bad mode",
64 [- ERRNO_INODECHANGED] = US"inode changed",
65 [- ERRNO_LOCKFAILED] = US"lock failed",
66 [- ERRNO_BADADDRESS2] = US"bad address2",
67 [- ERRNO_FORBIDPIPE] = US"forbid pipe",
68 [- ERRNO_FORBIDFILE] = US"forbid file",
69 [- ERRNO_FORBIDREPLY] = US"forbid reply",
70 [- ERRNO_MISSINGPIPE] = US"missing pipe",
71 [- ERRNO_MISSINGFILE] = US"missing file",
72 [- ERRNO_MISSINGREPLY] = US"missing reply",
73 [- ERRNO_BADREDIRECT] = US"bad redirect",
74 [- ERRNO_SMTPCLOSED] = US"smtp closed",
75 [- ERRNO_SMTPFORMAT] = US"smtp format",
76 [- ERRNO_SPOOLFORMAT] = US"spool format",
77 [- ERRNO_NOTABSOLUTE] = US"not absolute",
78 [- ERRNO_EXIMQUOTA] = US"Exim-imposed quota",
79 [- ERRNO_HELD] = US"held",
80 [- ERRNO_FILTER_FAIL] = US"Delivery filter process failure",
81 [- ERRNO_CHHEADER_FAIL] = US"Delivery add/remove header failure",
82 [- ERRNO_WRITEINCOMPLETE] = US"Delivery write incomplete error",
83 [- ERRNO_EXPANDFAIL] = US"Some expansion failed",
84 [- ERRNO_GIDFAIL] = US"Failed to get gid",
85 [- ERRNO_UIDFAIL] = US"Failed to get uid",
86 [- ERRNO_BADTRANSPORT] = US"Unset or non-existent transport",
87 [- ERRNO_MBXLENGTH] = US"MBX length mismatch",
88 [- ERRNO_UNKNOWNHOST] = US"Lookup failed routing or in smtp tpt",
89 [- ERRNO_FORMATUNKNOWN] = US"Can't match format in appendfile",
90 [- ERRNO_BADCREATE] = US"Creation outside home in appendfile",
91 [- ERRNO_LISTDEFER] = US"Can't check a list; lookup defer",
92 [- ERRNO_DNSDEFER] = US"DNS lookup defer",
93 [- ERRNO_TLSFAILURE] = US"Failed to start TLS session",
94 [- ERRNO_TLSREQUIRED] = US"Mandatory TLS session not started",
95 [- ERRNO_CHOWNFAIL] = US"Failed to chown a file",
96 [- ERRNO_PIPEFAIL] = US"Failed to create a pipe",
97 [- ERRNO_CALLOUTDEFER] = US"When verifying",
98 [- ERRNO_AUTHFAIL] = US"When required by client",
99 [- ERRNO_CONNECTTIMEOUT] = US"Used internally in smtp transport",
100 [- ERRNO_RCPT4XX] = US"RCPT gave 4xx error",
101 [- ERRNO_MAIL4XX] = US"MAIL gave 4xx error",
102 [- ERRNO_DATA4XX] = US"DATA gave 4xx error",
103 [- ERRNO_PROXYFAIL] = US"Negotiation failed for proxy configured host",
104 [- ERRNO_AUTHPROB] = US"Authenticator 'other' failure",
105 [- ERRNO_UTF8_FWD] = US"target not supporting SMTPUTF8",
106 [- ERRNO_HOST_IS_LOCAL] = US"host is local",
107 [- ERRNO_TAINT] = US"tainted filename",
109 [- ERRNO_RRETRY] = US"Not time for routing",
111 [- ERRNO_LRETRY] = US"Not time for local delivery",
112 [- ERRNO_HRETRY] = US"Not time for any remote host",
113 [- ERRNO_LOCAL_ONLY] = US"Local-only delivery",
114 [- ERRNO_QUEUE_DOMAIN] = US"Domain in queue_domains",
115 [- ERRNO_TRETRY] = US"Transport concurrency limit",
117 [- ERRNO_EVENT] = US"Event requests alternate response",
121 /************************************************/
125 return err < 0 ? exim_errstrings[-err] : CUS strerror(err);
128 /*************************************************
130 *************************************************/
132 /* The given string is split into sections according to length, or at embedded
133 newlines, and syslogged as a numbered sequence if it is overlong or if there is
134 more than one line. However, if we are running in the test harness, do not do
135 anything. (The test harness doesn't use syslog - for obvious reasons - but we
136 can get here if there is a failure to open the panic log.)
139 priority syslog priority
140 s the string to be written
146 write_syslog(int priority, const uschar *s)
151 if (!syslog_pid && LOGGING(pid))
152 s = string_sprintf("%.*s%s", (int)pid_position[0], s, s + pid_position[1]);
153 if (!syslog_timestamp)
155 len = log_timezone ? 26 : 20;
156 if (LOGGING(millisec)) len += 4;
163 if (!syslog_open && !f.running_in_test_harness)
165 # ifdef SYSLOG_LOG_PID
166 openlog(CS syslog_processname, LOG_PID|LOG_CONS, syslog_facility);
168 openlog(CS syslog_processname, LOG_CONS, syslog_facility);
174 /* First do a scan through the message in order to determine how many lines
175 it is going to end up as. Then rescan to output it. */
177 for (int pass = 0; pass < 2; pass++)
179 const uschar * ss = s;
180 for (int i = 1, tlen = len; tlen > 0; i++)
183 uschar *nlptr = Ustrchr(ss, '\n');
184 if (nlptr != NULL) plen = nlptr - ss;
185 #ifndef SYSLOG_LONG_LINES
186 if (plen > MAX_SYSLOG_LEN) plen = MAX_SYSLOG_LEN;
189 if (ss[plen] == '\n') tlen--; /* chars left */
193 else if (f.running_in_test_harness)
195 fprintf(stderr, "SYSLOG: '%.*s'\n", plen, ss);
197 fprintf(stderr, "SYSLOG: '[%d%c%d] %.*s'\n", i,
198 ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
199 linecount, plen, ss);
202 syslog(priority, "%.*s", plen, ss);
204 syslog(priority, "[%d%c%d] %.*s", i,
205 ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
206 linecount, plen, ss);
209 if (*ss == '\n') ss++;
216 /*************************************************
218 *************************************************/
220 /* This is called when Exim is dying as a result of something going wrong in
221 the logging, or after a log call with LOG_PANIC_DIE set. Optionally write a
222 message to debug_file or a stderr file, if they exist. Then, if in the middle
223 of accepting a message, throw it away tidily by calling receive_bomb_out();
224 this will attempt to send an SMTP response if appropriate. Passing NULL as the
225 first argument stops it trying to run the NOTQUIT ACL (which might try further
226 logging and thus cause problems). Otherwise, try to close down an outstanding
230 s1 Error message to write to debug_file and/or stderr and syslog
231 s2 Error message for any SMTP call that is in progress
232 Returns: The function does not return
236 die(uschar *s1, uschar *s2)
240 write_syslog(LOG_CRIT, s1);
241 if (debug_file) debug_printf("%s\n", s1);
242 if (log_stderr && log_stderr != debug_file)
243 fprintf(log_stderr, "%s\n", s1);
245 if (f.receive_call_bombout) receive_bomb_out(NULL, s2); /* does not return */
246 if (smtp_input) smtp_closedown(s2);
247 exim_exit(EXIT_FAILURE);
252 /*************************************************
253 * Create a log file *
254 *************************************************/
256 /* This function is called to create and open a log file. It may be called in a
257 subprocess when the original process is root.
262 The file name has been build in a working buffer, so it is permissible to
263 overwrite it temporarily if it is necessary to create the directory.
265 Returns: a file descriptor, or < 0 on failure (errno set)
269 log_open_already_exim(const uschar * const name)
272 const int flags = O_WRONLY | O_APPEND | O_CREAT | O_NONBLOCK;
274 if (geteuid() != exim_uid)
280 fd = Uopen(name, flags, LOG_MODE);
282 /* If creation failed, attempt to build a log directory in case that is the
285 if (fd < 0 && errno == ENOENT)
288 uschar *lastslash = Ustrrchr(name, '/');
290 created = directory_make(NULL, name, LOG_DIRECTORY_MODE, FALSE);
293 debug_printf("created log directory %s\n", name);
295 debug_printf("failed to create log directory %s: %s\n", name, strerror(errno));
297 if (created) fd = Uopen(name, flags, LOG_MODE);
305 /* Inspired by OpenSSH's mm_send_fd(). Thanks!
306 Send fd over socketpair.
307 Return: true iff good.
311 log_send_fd(const int sock, const int fd)
316 char buf[CMSG_SPACE(sizeof(int))];
318 struct cmsghdr *cmsg;
320 struct iovec vec = {.iov_base = &ch, .iov_len = 1};
323 memset(&msg, 0, sizeof(msg));
324 memset(&cmsgbuf, 0, sizeof(cmsgbuf));
325 msg.msg_control = &cmsgbuf.buf;
326 msg.msg_controllen = sizeof(cmsgbuf.buf);
328 cmsg = CMSG_FIRSTHDR(&msg);
329 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
330 cmsg->cmsg_level = SOL_SOCKET;
331 cmsg->cmsg_type = SCM_RIGHTS;
332 *(int *)CMSG_DATA(cmsg) = fd;
337 while ((n = sendmsg(sock, &msg, 0)) == -1 && errno == EINTR);
341 /* Inspired by OpenSSH's mm_receive_fd(). Thanks!
342 Return fd passed over socketpair, or -1 on error.
346 log_recv_fd(const int sock)
351 char buf[CMSG_SPACE(sizeof(int))];
353 struct cmsghdr *cmsg;
355 struct iovec vec = {.iov_base = &ch, .iov_len = 1};
359 memset(&msg, 0, sizeof(msg));
363 memset(&cmsgbuf, 0, sizeof(cmsgbuf));
364 msg.msg_control = &cmsgbuf.buf;
365 msg.msg_controllen = sizeof(cmsgbuf.buf);
367 while ((n = recvmsg(sock, &msg, 0)) == -1 && errno == EINTR) ;
368 if (n != 1 || ch != 'A') return -1;
370 if (!(cmsg = CMSG_FIRSTHDR(&msg))) return -1;
371 if (cmsg->cmsg_type != SCM_RIGHTS) return -1;
372 if ((fd = *(const int *)CMSG_DATA(cmsg)) < 0) return -1;
378 /*************************************************
379 * Create a log file as the exim user *
380 *************************************************/
382 /* This function is called when we are root to spawn an exim:exim subprocess
383 in which we can create a log file. It must be signal-safe since it is called
384 by the usr1_handler().
389 Returns: a file descriptor, or < 0 on failure (errno set)
393 log_open_as_exim(const uschar * const name)
396 const uid_t euid = geteuid();
398 if (euid == exim_uid)
399 fd = log_open_already_exim(name);
400 else if (euid == root_uid)
403 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sock) == 0)
405 const pid_t pid = fork();
408 (void)close(sock[0]);
409 if ( setgroups(1, &exim_gid) != 0
410 || setgid(exim_gid) != 0
411 || setuid(exim_uid) != 0
413 || getuid() != exim_uid || geteuid() != exim_uid
414 || getgid() != exim_gid || getegid() != exim_gid
416 || (fd = log_open_already_exim(name)) < 0
417 || !log_send_fd(sock[1], fd)
418 ) _exit(EXIT_FAILURE);
419 (void)close(sock[1]);
423 (void)close(sock[1]);
426 fd = log_recv_fd(sock[0]);
427 while (waitpid(pid, NULL, 0) == -1 && errno == EINTR);
429 (void)close(sock[0]);
436 flags = fcntl(fd, F_GETFD);
437 if (flags != -1) (void)fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
438 flags = fcntl(fd, F_GETFL);
439 if (flags != -1) (void)fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
450 /*************************************************
452 *************************************************/
454 /* This function opens one of a number of logs, creating the log directory if
455 it does not exist. This may be called recursively on failure, in order to open
458 The directory is in the static variable file_path. This is static so that
459 the work of sorting out the path is done just once per Exim process.
461 Exim is normally configured to avoid running as root wherever possible, the log
462 files must be owned by the non-privileged exim user. To ensure this, first try
463 an open without O_CREAT - most of the time this will succeed. If it fails, try
464 to create the file; if running as root, this must be done in a subprocess to
468 fd where to return the resulting file descriptor
469 type lt_main, lt_reject, lt_panic, or lt_debug
470 tag optional tag to include in the name (only hooked up for debug)
476 open_log(int * fd, int type, const uschar * tag)
480 uschar buffer[LOG_NAME_SIZE];
482 /* The names of the log files are controlled by file_path. The panic log is
483 written to the same directory as the main and reject logs, but its name does
484 not have a datestamp. The use of datestamps is indicated by %D/%M in file_path.
485 When opening the panic log, if %D or %M is present, we remove the datestamp
486 from the generated name; if it is at the start, remove a following
487 non-alphanumeric character as well; otherwise, remove a preceding
488 non-alphanumeric character. This is definitely kludgy, but it sort of does what
489 people want, I hope. */
491 ok = string_format(buffer, sizeof(buffer), CS file_path, log_names[type]);
496 /* Save the name of the mainlog for rollover processing. Without a datestamp,
497 it gets statted to see if it has been cycled. With a datestamp, the datestamp
498 will be compared. The static slot for saving it is the same size as buffer,
499 and the text has been checked above to fit, so this use of strcpy() is OK. */
500 Ustrcpy(mainlog_name, buffer);
501 if (string_datestamp_offset > 0)
502 mainlog_datestamp = mainlog_name + string_datestamp_offset;
506 /* Ditto for the reject log */
507 Ustrcpy(rejectlog_name, buffer);
508 if (string_datestamp_offset > 0)
509 rejectlog_datestamp = rejectlog_name + string_datestamp_offset;
513 /* and deal with the debug log (which keeps the datestamp, but does not
515 Ustrcpy(debuglog_name, buffer);
519 die(US"exim: tainted tag for debug log filename",
520 US"Logging failure; please try later");
522 /* this won't change the offset of the datestamp */
523 ok2 = string_format(buffer, sizeof(buffer), "%s%s",
526 Ustrcpy(debuglog_name, buffer);
531 /* Remove any datestamp if this is the panic log. This is rare, so there's no
532 need to optimize getting the datestamp length. We remove one non-alphanumeric
533 char afterwards if at the start, otherwise one before. */
534 if (string_datestamp_offset >= 0)
536 uschar * from = buffer + string_datestamp_offset;
537 uschar * to = from + string_datestamp_length;
539 if (from == buffer || from[-1] == '/')
541 if (!isalnum(*to)) to++;
544 if (!isalnum(from[-1])) from--;
546 /* This copy is ok, because we know that to is a substring of from. But
547 due to overlap we must use memmove() not Ustrcpy(). */
548 memmove(from, to, Ustrlen(to)+1);
553 /* If the file name is too long, it is an unrecoverable disaster */
556 die(US"exim: log file path too long: aborting",
557 US"Logging failure; please try later");
559 /* We now have the file name. After a successful open, return. */
561 if ((*fd = log_open_as_exim(buffer)) >= 0)
566 /* Creation failed. There are some circumstances in which we get here when
567 the effective uid is not root or exim, which is the problem. (For example, a
568 non-setuid binary with log_arguments set, called in certain ways.) Rather than
569 just bombing out, force the log to stderr and carry on if stderr is available.
572 if (euid != root_uid && euid != exim_uid && log_stderr)
574 *fd = fileno(log_stderr);
578 /* Otherwise this is a disaster. This call is deliberately ONLY to the panic
579 log. If possible, save a copy of the original line that was being logged. If we
580 are recursing (can't open the panic log either), the pointer will already be
581 set. Also, when we had to use a subprocess for the create we didn't retrieve
582 errno from it, so get the error from the open attempt above (which is often
583 meaningful enough, so leave it). */
585 if (!panic_save_buffer)
586 if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
587 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
589 log_write(0, LOG_PANIC_DIE, "Cannot open %s log file \"%s\": %s: "
590 "euid=%d egid=%d", log_names[type], buffer, strerror(errno), euid, getegid());
598 if (type == lt_debug) unlink(CS debuglog_name);
603 /*************************************************
604 * Add configuration file info to log line *
605 *************************************************/
607 /* This is put in a function because it's needed twice (once for debugging,
611 ptr pointer to the end of the line we are building
614 Returns: updated pointer
618 log_config_info(gstring * g, int flags)
620 g = string_cat(g, US"Exim configuration error");
622 if (flags & (LOG_CONFIG_FOR & ~LOG_CONFIG))
623 return string_cat(g, US" for ");
625 if (flags & (LOG_CONFIG_IN & ~LOG_CONFIG))
626 g = string_fmt_append(g, " in line %d of %s", config_lineno, config_filename);
628 return string_catn(g, US":\n ", 4);
632 /*************************************************
633 * A write() operation failed *
634 *************************************************/
636 /* This function is called when write() fails on anything other than the panic
637 log, which can happen if a disk gets full or a file gets too large or whatever.
638 We try to save the relevant message in the panic_save buffer before crashing
641 The potential invoker should probably not call us for EINTR -1 writes. But
642 otherwise, short writes are bad as we don't do non-blocking writes to fds
643 subject to flow control. (If we do, that's new and the logic of this should
647 name the name of the log being written
648 length the string length being written
649 rc the return value from write()
651 Returns: does not return
655 log_write_failed(uschar *name, int length, int rc)
657 int save_errno = errno;
659 if (!panic_save_buffer)
660 if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
661 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
663 log_write(0, LOG_PANIC_DIE, "failed to write to %s: length=%d result=%d "
664 "errno=%d (%s)", name, length, rc, save_errno,
665 (save_errno == 0)? "write incomplete" : strerror(save_errno));
671 /*************************************************
672 * Write to an fd, retrying after signals *
673 *************************************************/
675 /* Basic write to fd for logs, handling EINTR.
678 fd the fd to write to
679 buf the string to write
680 length the string length being written
683 length actually written, persisting an errno from write()
686 write_to_fd_buf(int fd, const uschar *buf, size_t length)
689 size_t total_written = 0;
690 const uschar *p = buf;
691 size_t left = length;
695 wrote = write(fd, p, left);
696 if (wrote == (ssize_t)-1)
698 if (errno == EINTR) continue;
701 total_written += wrote;
710 return total_written;
718 int sep = ':'; /* Fixed separator - outside use */
720 const uschar *tt = US LOG_FILE_PATH;
721 while ((t = string_nextinlist(&tt, &sep, log_buffer, LOG_BUFFER_SIZE)))
723 if (Ustrcmp(t, "syslog") == 0 || t[0] == 0) continue;
724 file_path = string_copy(t);
730 /* Close mainlog, unless we do not see a chance to open the file mainlog later
731 again. This will happen if we log from a transport process (which has dropped
732 privs); something we traditionally avoid, but the introduction of taint-tracking
733 and resulting detection of errors is makinng harder. */
739 || !(geteuid() == 0 || geteuid() == exim_uid))
741 (void)close(mainlogfd);
746 /*************************************************
747 * Write message to log file *
748 *************************************************/
750 /* Exim can be configured to log to local files, or use syslog, or both. This
751 is controlled by the setting of log_file_path. The following cases are
754 log_file_path = "" write files in the spool/log directory
755 log_file_path = "xxx" write files in the xxx directory
756 log_file_path = "syslog" write to syslog
757 log_file_path = "syslog : xxx" write to syslog and to files (any order)
759 The message always gets '\n' added on the end of it, since more than one
760 process may be writing to the log at once and we don't want intermingling to
761 happen in the middle of lines. To be absolutely sure of this we write the data
762 into a private buffer and then put it out in a single write() call.
764 The flags determine which log(s) the message is written to, or for syslogging,
765 which priority to use, and in the case of the panic log, whether the process
766 should die afterwards.
768 The variable really_exim is TRUE only when exim is running in privileged state
769 (i.e. not with a changed configuration or with testing options such as -brw).
770 If it is not, don't try to write to the log because permission will probably be
773 Avoid actually writing to the logs when exim is called with -bv or -bt to
774 test an address, but take other actions, such as panicking.
776 In Exim proper, the buffer for building the message is got at start-up, so that
777 nothing gets done if it can't be got. However, some functions that are also
778 used in utilities occasionally obey log_write calls in error situations, and it
779 is simplest to put a single malloc() here rather than put one in each utility.
780 Malloc is used directly because the store functions may call log_write().
782 If a message_id exists, we include it after the timestamp.
785 selector write to main log or LOG_INFO only if this value is zero, or if
786 its bit is set in log_selector[0]
787 flags each bit indicates some independent action:
788 LOG_SENDER add raw sender to the message
789 LOG_RECIPIENTS add raw recipients list to message
790 LOG_CONFIG add "Exim configuration error"
791 LOG_CONFIG_FOR add " for " instead of ":\n "
792 LOG_CONFIG_IN add " in line x[ of file y]"
793 LOG_MAIN write to main log or syslog LOG_INFO
794 LOG_REJECT write to reject log or syslog LOG_NOTICE
795 LOG_PANIC write to panic log or syslog LOG_ALERT
796 LOG_PANIC_DIE write to panic log or LOG_ALERT and then crash
797 format a printf() format
798 ... arguments for format
804 log_write(unsigned int selector, int flags, const char *format, ...)
808 gstring gs = { .size = LOG_BUFFER_SIZE-1, .ptr = 0, .s = log_buffer };
812 /* If panic_recurseflag is set, we have failed to open the panic log. This is
813 the ultimate disaster. First try to write the message to a debug file and/or
814 stderr and also to syslog. If panic_save_buffer is not NULL, it contains the
815 original log line that caused the problem. Afterwards, expire. */
817 if (panic_recurseflag)
819 uschar *extra = panic_save_buffer ? panic_save_buffer : US"";
820 if (debug_file) debug_printf("%s%s", extra, log_buffer);
821 if (log_stderr && log_stderr != debug_file)
822 fprintf(log_stderr, "%s%s", extra, log_buffer);
823 if (*extra) write_syslog(LOG_CRIT, extra);
824 write_syslog(LOG_CRIT, log_buffer);
825 die(US"exim: could not open panic log - aborting: see message(s) above",
826 US"Unexpected log failure, please try later");
829 /* Ensure we have a buffer (see comment above); this should never be obeyed
830 when running Exim proper, only when running utilities. */
833 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
835 fprintf(stderr, "exim: failed to get store for log buffer\n");
836 exim_exit(EXIT_FAILURE);
839 /* If we haven't already done so, inspect the setting of log_file_path to
840 determine whether to log to files and/or to syslog. Bits in logging_mode
841 control this, and for file logging, the path must end up in file_path. This
842 variable must be in permanent store because it may be required again later in
847 BOOL multiple = FALSE;
848 int old_pool = store_pool;
850 store_pool = POOL_PERM;
852 /* If nothing has been set, don't waste effort... the default values for the
853 statics are file_path="" and logging_mode = LOG_MODE_FILE. */
857 int sep = ':'; /* Fixed separator - outside use */
859 const uschar *ss = log_file_path;
862 while ((s = string_nextinlist(&ss, &sep, log_buffer, LOG_BUFFER_SIZE)))
864 if (Ustrcmp(s, "syslog") == 0)
865 logging_mode |= LOG_MODE_SYSLOG;
866 else if (logging_mode & LOG_MODE_FILE)
870 logging_mode |= LOG_MODE_FILE;
872 /* If a non-empty path is given, use it */
875 file_path = string_copy(s);
877 /* If the path is empty, we want to use the first non-empty, non-
878 syslog item in LOG_FILE_PATH, if there is one, since the value of
879 log_file_path may have been set at runtime. If there is no such item,
880 use the ultimate default in the spool directory. */
883 set_file_path(); /* Empty item in log_file_path */
884 } /* First non-syslog item in log_file_path */
885 } /* Scan of log_file_path */
888 /* If no modes have been selected, it is a major disaster */
890 if (logging_mode == 0)
891 die(US"Neither syslog nor file logging set in log_file_path",
892 US"Unexpected logging failure");
894 /* Set up the ultimate default if necessary. Then revert to the old store
895 pool, and record that we've sorted out the path. */
897 if (logging_mode & LOG_MODE_FILE && !file_path[0])
898 file_path = string_sprintf("%s/log/%%slog", spool_directory);
899 store_pool = old_pool;
900 path_inspected = TRUE;
902 /* If more than one file path was given, log a complaint. This recursive call
903 should work since we have now set up the routing. */
906 log_write(0, LOG_MAIN|LOG_PANIC,
907 "More than one path given in log_file_path: using %s", file_path);
910 /* Optionally trigger debug */
912 if (flags & LOG_PANIC && dtrigger_selector & BIT(DTi_panictrigger))
913 debug_trigger_fire();
915 /* If debugging, show all log entries, but don't show headers. Do it all
916 in one go so that it doesn't get split when multi-processing. */
922 g = string_catn(&gs, US"LOG:", 4);
924 /* Show the selector that was passed into the call. */
926 for (i = 0; i < log_options_count; i++)
928 unsigned int bitnum = log_options[i].bit;
929 if (bitnum < BITWORDSIZE && selector == BIT(bitnum))
930 g = string_fmt_append(g, " %s", log_options[i].name);
933 g = string_fmt_append(g, "%s%s%s%s\n ",
934 flags & LOG_MAIN ? " MAIN" : "",
935 flags & LOG_PANIC ? " PANIC" : "",
936 (flags & LOG_PANIC_DIE) == LOG_PANIC_DIE ? " DIE" : "",
937 flags & LOG_REJECT ? " REJECT" : "");
939 if (flags & LOG_CONFIG) g = log_config_info(g, flags);
941 /* We want to be able to log tainted info, but log_buffer is directly
942 malloc'd. So use deliberately taint-nonchecking routines to build into
943 it, trusting that we will never expand the results. */
945 va_start(ap, format);
947 if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap))
950 g = string_cat(g, US"**** log string overflowed log buffer ****");
954 g->size = LOG_BUFFER_SIZE;
955 g = string_catn(g, US"\n", 1);
956 debug_printf("%s", string_from_gstring(g));
958 gs.size = LOG_BUFFER_SIZE-1; /* Having used the buffer for debug output, */
959 gs.ptr = 0; /* reset it for the real use. */
962 /* If no log file is specified, we are in a mess. */
964 if (!(flags & (LOG_MAIN|LOG_PANIC|LOG_REJECT)))
965 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_write called with no log "
968 /* There are some weird circumstances in which logging is disabled. */
970 if (f.disable_logging)
972 DEBUG(D_any) debug_printf("log writing disabled\n");
973 if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE);
977 /* Handle disabled reject log */
979 if (!write_rejectlog) flags &= ~LOG_REJECT;
981 /* Create the main message in the log buffer. Do not include the message id
982 when called by a utility. */
984 g = string_fmt_append(&gs, "%s ", tod_stamp(tod_log));
988 if (!syslog_pid) pid_position[0] = g->ptr; /* remember begin … */
989 g = string_fmt_append(g, "[%d] ", (int)getpid());
990 if (!syslog_pid) pid_position[1] = g->ptr; /* … and end+1 of the PID */
993 if (f.really_exim && message_id[0] != 0)
994 g = string_fmt_append(g, "%s ", message_id);
996 if (flags & LOG_CONFIG)
997 g = log_config_info(g, flags);
999 va_start(ap, format);
1003 /* We want to be able to log tainted info, but log_buffer is directly
1004 malloc'd. So use deliberately taint-nonchecking routines to build into
1005 it, trusting that we will never expand the results. */
1007 if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap))
1010 g = string_cat(g, US"**** log string overflowed log buffer ****\n");
1015 /* Add the raw, unrewritten, sender to the message if required. This is done
1016 this way because it kind of fits with LOG_RECIPIENTS. */
1018 if ( flags & LOG_SENDER
1019 && g->ptr < LOG_BUFFER_SIZE - 10 - Ustrlen(raw_sender))
1020 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " from <%s>", raw_sender);
1022 /* Add list of recipients to the message if required; the raw list,
1023 before rewriting, was saved in raw_recipients. There may be none, if an ACL
1024 discarded them all. */
1026 if ( flags & LOG_RECIPIENTS
1027 && g->ptr < LOG_BUFFER_SIZE - 6
1028 && raw_recipients_count > 0)
1031 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " for", NULL);
1032 for (i = 0; i < raw_recipients_count; i++)
1034 uschar * s = raw_recipients[i];
1035 if (LOG_BUFFER_SIZE - g->ptr < Ustrlen(s) + 3) break;
1036 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " %s", s);
1040 g = string_catn(g, US"\n", 1);
1041 string_from_gstring(g);
1043 /* Handle loggable errors when running a utility, or when address testing.
1044 Write to log_stderr unless debugging (when it will already have been written),
1045 or unless there is no log_stderr (expn called from daemon, for example). */
1047 if (!f.really_exim || f.log_testing_mode)
1049 if ( !debug_selector
1051 && (selector == 0 || (selector & log_selector[0]) != 0)
1054 fprintf(log_stderr, "LOG: %s", CS(log_buffer + 20)); /* no timestamp */
1056 fprintf(log_stderr, "%s", CS log_buffer);
1058 if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE);
1062 /* Handle the main log. We know that either syslog or file logging (or both) is
1063 set up. A real file gets left open during reception or delivery once it has
1064 been opened, but we don't want to keep on writing to it for too long after it
1065 has been renamed. Therefore, do a stat() and see if the inode has changed, and
1068 if ( flags & LOG_MAIN
1069 && (!selector || selector & log_selector[0]))
1071 if ( logging_mode & LOG_MODE_SYSLOG
1072 && (syslog_duplication || !(flags & (LOG_REJECT|LOG_PANIC))))
1073 write_syslog(LOG_INFO, log_buffer);
1075 if (logging_mode & LOG_MODE_FILE)
1077 struct stat statbuf;
1079 /* Check for a change to the mainlog file name when datestamping is in
1080 operation. This happens at midnight, at which point we want to roll over
1081 the file. Closing it has the desired effect. */
1083 if (mainlog_datestamp)
1085 uschar *nowstamp = tod_stamp(string_datestamp_type);
1086 if (Ustrncmp (mainlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1088 (void)close(mainlogfd); /* Close the file */
1089 mainlogfd = -1; /* Clear the file descriptor */
1090 mainlog_inode = 0; /* Unset the inode */
1091 mainlog_datestamp = NULL; /* Clear the datestamp */
1095 /* Otherwise, we want to check whether the file has been renamed by a
1096 cycling script. This could be "if else", but for safety's sake, leave it as
1097 "if" so that renaming the log starts a new file even when datestamping is
1101 if (Ustat(mainlog_name, &statbuf) < 0 || statbuf.st_ino != mainlog_inode)
1104 /* If the log is closed, open it. Then write the line. */
1108 open_log(&mainlogfd, lt_main, NULL); /* No return on error */
1109 if (fstat(mainlogfd, &statbuf) >= 0) mainlog_inode = statbuf.st_ino;
1112 /* Failing to write to the log is disastrous */
1114 written_len = write_to_fd_buf(mainlogfd, g->s, g->ptr);
1115 if (written_len != g->ptr)
1117 log_write_failed(US"main log", g->ptr, written_len);
1118 /* That function does not return */
1123 /* Handle the log for rejected messages. This can be globally disabled, in
1124 which case the flags are altered above. If there are any header lines (i.e. if
1125 the rejection is happening after the DATA phase), log the recipients and the
1128 if (flags & LOG_REJECT)
1130 if (header_list && LOGGING(rejected_header))
1135 if (recipients_count > 0)
1137 /* List the sender */
1139 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1140 "Envelope-from: <%s>\n", sender_address);
1143 /* List up to 5 recipients */
1145 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1146 "Envelope-to: <%s>\n", recipients_list[0].address);
1149 for (i = 1; i < recipients_count && i < 5; i++)
1151 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1152 " <%s>\n", recipients_list[i].address);
1156 if (i < recipients_count)
1158 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " ...\n", NULL);
1163 /* A header with a NULL text is an unfilled in Received: header */
1165 for (header_line * h = header_list; h; h = h->next) if (h->text)
1167 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1168 "%c %s", h->type, h->text);
1171 else /* Buffer is full; truncate */
1173 g->ptr -= 100; /* For message and separator */
1174 if (g->s[g->ptr-1] == '\n') g->ptr--;
1175 g = string_cat(g, US"\n*** truncated ***\n");
1181 /* Write to syslog or to a log file */
1183 if ( logging_mode & LOG_MODE_SYSLOG
1184 && (syslog_duplication || !(flags & LOG_PANIC)))
1185 write_syslog(LOG_NOTICE, string_from_gstring(g));
1187 /* Check for a change to the rejectlog file name when datestamping is in
1188 operation. This happens at midnight, at which point we want to roll over
1189 the file. Closing it has the desired effect. */
1191 if (logging_mode & LOG_MODE_FILE)
1193 struct stat statbuf;
1195 if (rejectlog_datestamp)
1197 uschar *nowstamp = tod_stamp(string_datestamp_type);
1198 if (Ustrncmp (rejectlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1200 (void)close(rejectlogfd); /* Close the file */
1201 rejectlogfd = -1; /* Clear the file descriptor */
1202 rejectlog_inode = 0; /* Unset the inode */
1203 rejectlog_datestamp = NULL; /* Clear the datestamp */
1207 /* Otherwise, we want to check whether the file has been renamed by a
1208 cycling script. This could be "if else", but for safety's sake, leave it as
1209 "if" so that renaming the log starts a new file even when datestamping is
1212 if (rejectlogfd >= 0)
1213 if (Ustat(rejectlog_name, &statbuf) < 0 ||
1214 statbuf.st_ino != rejectlog_inode)
1216 (void)close(rejectlogfd);
1218 rejectlog_inode = 0;
1221 /* Open the file if necessary, and write the data */
1223 if (rejectlogfd < 0)
1225 open_log(&rejectlogfd, lt_reject, NULL); /* No return on error */
1226 if (fstat(rejectlogfd, &statbuf) >= 0) rejectlog_inode = statbuf.st_ino;
1229 written_len = write_to_fd_buf(rejectlogfd, g->s, g->ptr);
1230 if (written_len != g->ptr)
1232 log_write_failed(US"reject log", g->ptr, written_len);
1233 /* That function does not return */
1239 /* Handle the panic log, which is not kept open like the others. If it fails to
1240 open, there will be a recursive call to log_write(). We detect this above and
1241 attempt to write to the system log as a last-ditch try at telling somebody. In
1242 all cases except mua_wrapper, try to write to log_stderr. */
1244 if (flags & LOG_PANIC)
1246 if (log_stderr && log_stderr != debug_file && !mua_wrapper)
1247 fprintf(log_stderr, "%s", CS string_from_gstring(g));
1249 if (logging_mode & LOG_MODE_SYSLOG)
1250 write_syslog(LOG_ALERT, log_buffer);
1252 /* If this panic logging was caused by a failure to open the main log,
1253 the original log line is in panic_save_buffer. Make an attempt to write it. */
1255 if (logging_mode & LOG_MODE_FILE)
1257 panic_recurseflag = TRUE;
1258 open_log(&paniclogfd, lt_panic, NULL); /* Won't return on failure */
1259 panic_recurseflag = FALSE;
1261 if (panic_save_buffer)
1262 (void) write(paniclogfd, panic_save_buffer, Ustrlen(panic_save_buffer));
1264 written_len = write_to_fd_buf(paniclogfd, g->s, g->ptr);
1265 if (written_len != g->ptr)
1267 int save_errno = errno;
1268 write_syslog(LOG_CRIT, log_buffer);
1269 sprintf(CS log_buffer, "write failed on panic log: length=%d result=%d "
1270 "errno=%d (%s)", g->ptr, (int)written_len, save_errno, strerror(save_errno));
1271 write_syslog(LOG_CRIT, string_from_gstring(g));
1272 flags |= LOG_PANIC_DIE;
1275 (void)close(paniclogfd);
1278 /* Give up if the DIE flag is set */
1280 if ((flags & LOG_PANIC_DIE) != LOG_PANIC)
1281 die(NULL, US"Unexpected failure, please try later");
1287 /*************************************************
1288 * Close any open log files *
1289 *************************************************/
1295 { (void)close(mainlogfd); mainlogfd = -1; }
1296 if (rejectlogfd >= 0)
1297 { (void)close(rejectlogfd); rejectlogfd = -1; }
1299 syslog_open = FALSE;
1304 /*************************************************
1305 * Multi-bit set or clear *
1306 *************************************************/
1308 /* These functions take a list of bit indexes (terminated by -1) and
1309 clear or set the corresponding bits in the selector.
1312 selector address of the bit string
1313 selsize number of words in the bit string
1314 bits list of bits to set
1318 bits_clear(unsigned int *selector, size_t selsize, int *bits)
1320 for(; *bits != -1; ++bits)
1321 BIT_CLEAR(selector, selsize, *bits);
1325 bits_set(unsigned int *selector, size_t selsize, int *bits)
1327 for(; *bits != -1; ++bits)
1328 BIT_SET(selector, selsize, *bits);
1333 /*************************************************
1334 * Decode bit settings for log/debug *
1335 *************************************************/
1337 /* This function decodes a string containing bit settings in the form of +name
1338 and/or -name sequences, and sets/unsets bits in a bit string accordingly. It
1339 also recognizes a numeric setting of the form =<number>, but this is not
1340 intended for user use. It's an easy way for Exim to pass the debug settings
1341 when it is re-exec'ed.
1343 The option table is a list of names and bit indexes. The index -1
1344 means "set all bits, except for those listed in notall". The notall
1345 list is terminated by -1.
1347 The action taken for bad values varies depending upon why we're here.
1348 For log messages, or if the debugging is triggered from config, then we write
1349 to the log on the way out. For debug setting triggered from the command-line,
1350 we treat it as an unknown option: error message to stderr and die.
1353 selector address of the bit string
1354 selsize number of words in the bit string
1355 notall list of bits to exclude from "all"
1356 string the configured string
1357 options the table of option names
1359 which "log" or "debug"
1360 flags DEBUG_FROM_CONFIG
1362 Returns: nothing on success - bomb out on failure
1366 decode_bits(unsigned int * selector, size_t selsize, int * notall,
1367 const uschar * string, bit_table * options, int count, uschar * which,
1371 if (!string) return;
1375 char *end; /* Not uschar */
1376 memset(selector, 0, sizeof(*selector)*selsize);
1377 *selector = strtoul(CCS string+1, &end, 0);
1379 errmsg = string_sprintf("malformed numeric %s_selector setting: %s", which,
1384 /* Handle symbolic setting */
1391 bit_table * start, * end;
1393 Uskip_whitespace(&string);
1394 if (!*string) return;
1396 if (*string != '+' && *string != '-')
1398 errmsg = string_sprintf("malformed %s_selector setting: "
1399 "+ or - expected but found \"%s\"", which, string);
1403 adding = *string++ == '+';
1405 while (isalnum(*string) || *string == '_') string++;
1409 end = options + count;
1413 bit_table *middle = start + (end - start)/2;
1414 int c = Ustrncmp(s, middle->name, len);
1416 if (middle->name[len] != 0) c = -1; else
1418 unsigned int bit = middle->bit;
1424 memset(selector, -1, sizeof(*selector)*selsize);
1425 bits_clear(selector, selsize, notall);
1428 memset(selector, 0, sizeof(*selector)*selsize);
1431 BIT_SET(selector, selsize, bit);
1433 BIT_CLEAR(selector, selsize, bit);
1435 break; /* Out of loop to match selector name */
1437 if (c < 0) end = middle; else start = middle + 1;
1438 } /* Loop to match selector name */
1442 errmsg = string_sprintf("unknown %s_selector setting: %c%.*s", which,
1443 adding? '+' : '-', len, s);
1446 } /* Loop for selector names */
1448 /* Handle disasters */
1451 if (Ustrcmp(which, "debug") == 0)
1453 if (flags & DEBUG_FROM_CONFIG)
1455 log_write(0, LOG_CONFIG|LOG_PANIC, "%s", errmsg);
1458 fprintf(stderr, "exim: %s\n", errmsg);
1461 else log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "%s", errmsg);
1466 /*************************************************
1467 * Activate a debug logfile (late) *
1468 *************************************************/
1470 /* Normally, debugging is activated from the command-line; it may be useful
1471 within the configuration to activate debugging later, based on certain
1472 conditions. If debugging is already in progress, we return early, no action
1473 taken (besides debug-logging that we wanted debug-logging).
1475 Failures in options are not fatal but will result in paniclog entries for the
1478 The first use of this is in ACL logic, "control = debug/tag=foo/opts=+expand"
1479 which can be combined with conditions, etc, to activate extra logging only
1480 for certain sources. The second use is inetd wait mode debug preservation.
1482 It might be nice, in ACL-initiated pretrigger mode, to not create the file
1483 immediately but only upon a trigger - but we'd need another cmdline option
1484 to pass the name through child_exxec_exim(). */
1487 debug_logging_activate(const uschar * tag_name, const uschar * opts)
1491 debug_printf("DEBUGGING ACTIVATED FROM WITHIN CONFIG.\n"
1492 "DEBUG: Tag=\"%s\" opts=\"%s\"\n", tag_name, opts ? opts : US"");
1496 if (tag_name && (Ustrchr(tag_name, '/') != NULL))
1498 log_write(0, LOG_MAIN|LOG_PANIC, "debug tag may not contain a '/' in: %s",
1503 debug_selector = D_default;
1505 decode_bits(&debug_selector, 1, debug_notall, opts,
1506 debug_options, debug_options_count, US"debug", DEBUG_FROM_CONFIG);
1508 /* When activating from a transport process we may never have logged at all
1509 resulting in certain setup not having been done. Hack this for now so we
1510 do not segfault; note that nondefault log locations will not work */
1512 if (!*file_path) set_file_path();
1514 open_log(&debug_fd, lt_debug, tag_name);
1517 debug_file = fdopen(debug_fd, "w");
1519 log_write(0, LOG_MAIN|LOG_PANIC, "unable to open debug log");
1524 debug_logging_from_spool(const uschar * filename)
1528 Ustrncpy(debuglog_name, filename, sizeof(debuglog_name));
1529 if ((debug_fd = log_open_as_exim(filename)) >= 0)
1530 debug_file = fdopen(debug_fd, "w");
1531 DEBUG(D_deliver) debug_printf("debug enabled by spoolfile\n");
1534 else DEBUG(D_deliver)
1535 debug_printf("debug already active; ignoring spoolfile '%s'\n", filename);
1541 debug_logging_stop(BOOL kill)
1543 debug_pretrigger_discard();
1544 if (!debug_file || !debuglog_name[0]) return;
1550 if (kill) unlink_log(lt_debug);