xref: /illumos-gate/usr/src/cmd/sendmail/src/deliver.c (revision e9af4bc0)
1 /*
2  * Copyright (c) 1998-2008 Sendmail, Inc. and its suppliers.
3  *	All rights reserved.
4  * Copyright (c) 1983, 1995-1997 Eric P. Allman.  All rights reserved.
5  * Copyright (c) 1988, 1993
6  *	The Regents of the University of California.  All rights reserved.
7  *
8  * By using this file, you agree to the terms and conditions set
9  * forth in the LICENSE file which can be found at the top level of
10  * the sendmail distribution.
11  *
12  */
13 
14 #include <sendmail.h>
15 #include <sm/time.h>
16 
17 SM_RCSID("@(#)$Id: deliver.c,v 8.1020 2009/12/18 17:08:01 ca Exp $")
18 
19 #if HASSETUSERCONTEXT
20 # include <login_cap.h>
21 #endif /* HASSETUSERCONTEXT */
22 
23 #if NETINET || NETINET6
24 # include <arpa/inet.h>
25 #endif /* NETINET || NETINET6 */
26 
27 #if STARTTLS || SASL
28 # include "sfsasl.h"
29 #endif /* STARTTLS || SASL */
30 
31 static int	deliver __P((ENVELOPE *, ADDRESS *));
32 static void	dup_queue_file __P((ENVELOPE *, ENVELOPE *, int));
33 static void	mailfiletimeout __P((int));
34 static void	endwaittimeout __P((int));
35 static int	parse_hostsignature __P((char *, char **, MAILER *));
36 static void	sendenvelope __P((ENVELOPE *, int));
37 static int	coloncmp __P((const char *, const char *));
38 
39 #if STARTTLS
40 static int	starttls __P((MAILER *, MCI *, ENVELOPE *));
41 static int	endtlsclt __P((MCI *));
42 #endif /* STARTTLS */
43 # if STARTTLS || SASL
44 static bool	iscltflgset __P((ENVELOPE *, int));
45 # endif /* STARTTLS || SASL */
46 
47 /*
48 **  SENDALL -- actually send all the messages.
49 **
50 **	Parameters:
51 **		e -- the envelope to send.
52 **		mode -- the delivery mode to use.  If SM_DEFAULT, use
53 **			the current e->e_sendmode.
54 **
55 **	Returns:
56 **		none.
57 **
58 **	Side Effects:
59 **		Scans the send lists and sends everything it finds.
60 **		Delivers any appropriate error messages.
61 **		If we are running in a non-interactive mode, takes the
62 **			appropriate action.
63 */
64 
65 void
sendall(e,mode)66 sendall(e, mode)
67 	ENVELOPE *e;
68 	int mode;
69 {
70 	register ADDRESS *q;
71 	char *owner;
72 	int otherowners;
73 	int save_errno;
74 	register ENVELOPE *ee;
75 	ENVELOPE *splitenv = NULL;
76 	int oldverbose = Verbose;
77 	bool somedeliveries = false, expensive = false;
78 	pid_t pid;
79 
80 	/*
81 	**  If this message is to be discarded, don't bother sending
82 	**  the message at all.
83 	*/
84 
85 	if (bitset(EF_DISCARD, e->e_flags))
86 	{
87 		if (tTd(13, 1))
88 			sm_dprintf("sendall: discarding id %s\n", e->e_id);
89 		e->e_flags |= EF_CLRQUEUE;
90 		if (LogLevel > 9)
91 			logundelrcpts(e, "discarded", 9, true);
92 		else if (LogLevel > 4)
93 			sm_syslog(LOG_INFO, e->e_id, "discarded");
94 		markstats(e, NULL, STATS_REJECT);
95 		return;
96 	}
97 
98 	/*
99 	**  If we have had global, fatal errors, don't bother sending
100 	**  the message at all if we are in SMTP mode.  Local errors
101 	**  (e.g., a single address failing) will still cause the other
102 	**  addresses to be sent.
103 	*/
104 
105 	if (bitset(EF_FATALERRS, e->e_flags) &&
106 	    (OpMode == MD_SMTP || OpMode == MD_DAEMON))
107 	{
108 		e->e_flags |= EF_CLRQUEUE;
109 		return;
110 	}
111 
112 	/* determine actual delivery mode */
113 	if (mode == SM_DEFAULT)
114 	{
115 		mode = e->e_sendmode;
116 		if (mode != SM_VERIFY && mode != SM_DEFER &&
117 		    shouldqueue(e->e_msgpriority, e->e_ctime))
118 			mode = SM_QUEUE;
119 	}
120 
121 	if (tTd(13, 1))
122 	{
123 		sm_dprintf("\n===== SENDALL: mode %c, id %s, e_from ",
124 			mode, e->e_id);
125 		printaddr(sm_debug_file(), &e->e_from, false);
126 		sm_dprintf("\te_flags = ");
127 		printenvflags(e);
128 		sm_dprintf("sendqueue:\n");
129 		printaddr(sm_debug_file(), e->e_sendqueue, true);
130 	}
131 
132 	/*
133 	**  Do any preprocessing necessary for the mode we are running.
134 	**	Check to make sure the hop count is reasonable.
135 	**	Delete sends to the sender in mailing lists.
136 	*/
137 
138 	CurEnv = e;
139 	if (tTd(62, 1))
140 		checkfds(NULL);
141 
142 	if (e->e_hopcount > MaxHopCount)
143 	{
144 		char *recip;
145 
146 		if (e->e_sendqueue != NULL &&
147 		    e->e_sendqueue->q_paddr != NULL)
148 			recip = e->e_sendqueue->q_paddr;
149 		else
150 			recip = "(nobody)";
151 
152 		errno = 0;
153 		queueup(e, WILL_BE_QUEUED(mode), false);
154 		e->e_flags |= EF_FATALERRS|EF_PM_NOTIFY|EF_CLRQUEUE;
155 		ExitStat = EX_UNAVAILABLE;
156 		syserr("554 5.4.6 Too many hops %d (%d max): from %s via %s, to %s",
157 		       e->e_hopcount, MaxHopCount, e->e_from.q_paddr,
158 		       RealHostName == NULL ? "localhost" : RealHostName,
159 		       recip);
160 		for (q = e->e_sendqueue; q != NULL; q = q->q_next)
161 		{
162 			if (QS_IS_DEAD(q->q_state))
163 				continue;
164 			q->q_state = QS_BADADDR;
165 			q->q_status = "5.4.6";
166 			q->q_rstatus = "554 5.4.6 Too many hops";
167 		}
168 		return;
169 	}
170 
171 	/*
172 	**  Do sender deletion.
173 	**
174 	**	If the sender should be queued up, skip this.
175 	**	This can happen if the name server is hosed when you
176 	**	are trying to send mail.  The result is that the sender
177 	**	is instantiated in the queue as a recipient.
178 	*/
179 
180 	if (!bitset(EF_METOO, e->e_flags) &&
181 	    !QS_IS_QUEUEUP(e->e_from.q_state))
182 	{
183 		if (tTd(13, 5))
184 		{
185 			sm_dprintf("sendall: QS_SENDER ");
186 			printaddr(sm_debug_file(), &e->e_from, false);
187 		}
188 		e->e_from.q_state = QS_SENDER;
189 		(void) recipient(&e->e_from, &e->e_sendqueue, 0, e);
190 	}
191 
192 	/*
193 	**  Handle alias owners.
194 	**
195 	**	We scan up the q_alias chain looking for owners.
196 	**	We discard owners that are the same as the return path.
197 	*/
198 
199 	for (q = e->e_sendqueue; q != NULL; q = q->q_next)
200 	{
201 		register struct address *a;
202 
203 		for (a = q; a != NULL && a->q_owner == NULL; a = a->q_alias)
204 			continue;
205 		if (a != NULL)
206 			q->q_owner = a->q_owner;
207 
208 		if (q->q_owner != NULL &&
209 		    !QS_IS_DEAD(q->q_state) &&
210 		    strcmp(q->q_owner, e->e_from.q_paddr) == 0)
211 			q->q_owner = NULL;
212 	}
213 
214 	if (tTd(13, 25))
215 	{
216 		sm_dprintf("\nAfter first owner pass, sendq =\n");
217 		printaddr(sm_debug_file(), e->e_sendqueue, true);
218 	}
219 
220 	owner = "";
221 	otherowners = 1;
222 	while (owner != NULL && otherowners > 0)
223 	{
224 		if (tTd(13, 28))
225 			sm_dprintf("owner = \"%s\", otherowners = %d\n",
226 				   owner, otherowners);
227 		owner = NULL;
228 		otherowners = bitset(EF_SENDRECEIPT, e->e_flags) ? 1 : 0;
229 
230 		for (q = e->e_sendqueue; q != NULL; q = q->q_next)
231 		{
232 			if (tTd(13, 30))
233 			{
234 				sm_dprintf("Checking ");
235 				printaddr(sm_debug_file(), q, false);
236 			}
237 			if (QS_IS_DEAD(q->q_state))
238 			{
239 				if (tTd(13, 30))
240 					sm_dprintf("    ... QS_IS_DEAD\n");
241 				continue;
242 			}
243 			if (tTd(13, 29) && !tTd(13, 30))
244 			{
245 				sm_dprintf("Checking ");
246 				printaddr(sm_debug_file(), q, false);
247 			}
248 
249 			if (q->q_owner != NULL)
250 			{
251 				if (owner == NULL)
252 				{
253 					if (tTd(13, 40))
254 						sm_dprintf("    ... First owner = \"%s\"\n",
255 							   q->q_owner);
256 					owner = q->q_owner;
257 				}
258 				else if (owner != q->q_owner)
259 				{
260 					if (strcmp(owner, q->q_owner) == 0)
261 					{
262 						if (tTd(13, 40))
263 							sm_dprintf("    ... Same owner = \"%s\"\n",
264 								   owner);
265 
266 						/* make future comparisons cheap */
267 						q->q_owner = owner;
268 					}
269 					else
270 					{
271 						if (tTd(13, 40))
272 							sm_dprintf("    ... Another owner \"%s\"\n",
273 								   q->q_owner);
274 						otherowners++;
275 					}
276 					owner = q->q_owner;
277 				}
278 				else if (tTd(13, 40))
279 					sm_dprintf("    ... Same owner = \"%s\"\n",
280 						   owner);
281 			}
282 			else
283 			{
284 				if (tTd(13, 40))
285 					sm_dprintf("    ... Null owner\n");
286 				otherowners++;
287 			}
288 
289 			if (QS_IS_BADADDR(q->q_state))
290 			{
291 				if (tTd(13, 30))
292 					sm_dprintf("    ... QS_IS_BADADDR\n");
293 				continue;
294 			}
295 
296 			if (QS_IS_QUEUEUP(q->q_state))
297 			{
298 				MAILER *m = q->q_mailer;
299 
300 				/*
301 				**  If we have temporary address failures
302 				**  (e.g., dns failure) and a fallback MX is
303 				**  set, send directly to the fallback MX host.
304 				*/
305 
306 				if (FallbackMX != NULL &&
307 				    !wordinclass(FallbackMX, 'w') &&
308 				    mode != SM_VERIFY &&
309 				    !bitnset(M_NOMX, m->m_flags) &&
310 				    strcmp(m->m_mailer, "[IPC]") == 0 &&
311 				    m->m_argv[0] != NULL &&
312 				    strcmp(m->m_argv[0], "TCP") == 0)
313 				{
314 					int len;
315 					char *p;
316 
317 					if (tTd(13, 30))
318 						sm_dprintf("    ... FallbackMX\n");
319 
320 					len = strlen(FallbackMX) + 1;
321 					p = sm_rpool_malloc_x(e->e_rpool, len);
322 					(void) sm_strlcpy(p, FallbackMX, len);
323 					q->q_state = QS_OK;
324 					q->q_host = p;
325 				}
326 				else
327 				{
328 					if (tTd(13, 30))
329 						sm_dprintf("    ... QS_IS_QUEUEUP\n");
330 					continue;
331 				}
332 			}
333 
334 			/*
335 			**  If this mailer is expensive, and if we don't
336 			**  want to make connections now, just mark these
337 			**  addresses and return.  This is useful if we
338 			**  want to batch connections to reduce load.  This
339 			**  will cause the messages to be queued up, and a
340 			**  daemon will come along to send the messages later.
341 			*/
342 
343 			if (NoConnect && !Verbose &&
344 			    bitnset(M_EXPENSIVE, q->q_mailer->m_flags))
345 			{
346 				if (tTd(13, 30))
347 					sm_dprintf("    ... expensive\n");
348 				q->q_state = QS_QUEUEUP;
349 				expensive = true;
350 			}
351 			else if (bitnset(M_HOLD, q->q_mailer->m_flags) &&
352 				 QueueLimitId == NULL &&
353 				 QueueLimitSender == NULL &&
354 				 QueueLimitRecipient == NULL)
355 			{
356 				if (tTd(13, 30))
357 					sm_dprintf("    ... hold\n");
358 				q->q_state = QS_QUEUEUP;
359 				expensive = true;
360 			}
361 			else if (QueueMode != QM_QUARANTINE &&
362 				 e->e_quarmsg != NULL)
363 			{
364 				if (tTd(13, 30))
365 					sm_dprintf("    ... quarantine: %s\n",
366 						   e->e_quarmsg);
367 				q->q_state = QS_QUEUEUP;
368 				expensive = true;
369 			}
370 			else
371 			{
372 				if (tTd(13, 30))
373 					sm_dprintf("    ... deliverable\n");
374 				somedeliveries = true;
375 			}
376 		}
377 
378 		if (owner != NULL && otherowners > 0)
379 		{
380 			/*
381 			**  Split this envelope into two.
382 			*/
383 
384 			ee = (ENVELOPE *) sm_rpool_malloc_x(e->e_rpool,
385 							    sizeof(*ee));
386 			STRUCTCOPY(*e, *ee);
387 			ee->e_message = NULL;
388 			ee->e_id = NULL;
389 			assign_queueid(ee);
390 
391 			if (tTd(13, 1))
392 				sm_dprintf("sendall: split %s into %s, owner = \"%s\", otherowners = %d\n",
393 					   e->e_id, ee->e_id, owner,
394 					   otherowners);
395 
396 			ee->e_header = copyheader(e->e_header, ee->e_rpool);
397 			ee->e_sendqueue = copyqueue(e->e_sendqueue,
398 						    ee->e_rpool);
399 			ee->e_errorqueue = copyqueue(e->e_errorqueue,
400 						     ee->e_rpool);
401 			ee->e_flags = e->e_flags & ~(EF_INQUEUE|EF_CLRQUEUE|EF_FATALERRS|EF_SENDRECEIPT|EF_RET_PARAM);
402 			ee->e_flags |= EF_NORECEIPT;
403 			setsender(owner, ee, NULL, '\0', true);
404 			if (tTd(13, 5))
405 			{
406 				sm_dprintf("sendall(split): QS_SENDER ");
407 				printaddr(sm_debug_file(), &ee->e_from, false);
408 			}
409 			ee->e_from.q_state = QS_SENDER;
410 			ee->e_dfp = NULL;
411 			ee->e_lockfp = NULL;
412 			ee->e_xfp = NULL;
413 			ee->e_qgrp = e->e_qgrp;
414 			ee->e_qdir = e->e_qdir;
415 			ee->e_errormode = EM_MAIL;
416 			ee->e_sibling = splitenv;
417 			ee->e_statmsg = NULL;
418 			if (e->e_quarmsg != NULL)
419 				ee->e_quarmsg = sm_rpool_strdup_x(ee->e_rpool,
420 								  e->e_quarmsg);
421 			splitenv = ee;
422 
423 			for (q = e->e_sendqueue; q != NULL; q = q->q_next)
424 			{
425 				if (q->q_owner == owner)
426 				{
427 					q->q_state = QS_CLONED;
428 					if (tTd(13, 6))
429 						sm_dprintf("\t... stripping %s from original envelope\n",
430 							   q->q_paddr);
431 				}
432 			}
433 			for (q = ee->e_sendqueue; q != NULL; q = q->q_next)
434 			{
435 				if (q->q_owner != owner)
436 				{
437 					q->q_state = QS_CLONED;
438 					if (tTd(13, 6))
439 						sm_dprintf("\t... dropping %s from cloned envelope\n",
440 							   q->q_paddr);
441 				}
442 				else
443 				{
444 					/* clear DSN parameters */
445 					q->q_flags &= ~(QHASNOTIFY|Q_PINGFLAGS);
446 					q->q_flags |= DefaultNotify & ~QPINGONSUCCESS;
447 					if (tTd(13, 6))
448 						sm_dprintf("\t... moving %s to cloned envelope\n",
449 							   q->q_paddr);
450 				}
451 			}
452 
453 			if (mode != SM_VERIFY && bitset(EF_HAS_DF, e->e_flags))
454 				dup_queue_file(e, ee, DATAFL_LETTER);
455 
456 			/*
457 			**  Give the split envelope access to the parent
458 			**  transcript file for errors obtained while
459 			**  processing the recipients (done before the
460 			**  envelope splitting).
461 			*/
462 
463 			if (e->e_xfp != NULL)
464 				ee->e_xfp = sm_io_dup(e->e_xfp);
465 
466 			/* failed to dup e->e_xfp, start a new transcript */
467 			if (ee->e_xfp == NULL)
468 				openxscript(ee);
469 
470 			if (mode != SM_VERIFY && LogLevel > 4)
471 				sm_syslog(LOG_INFO, e->e_id,
472 					  "%s: clone: owner=%s",
473 					  ee->e_id, owner);
474 		}
475 	}
476 
477 	if (owner != NULL)
478 	{
479 		setsender(owner, e, NULL, '\0', true);
480 		if (tTd(13, 5))
481 		{
482 			sm_dprintf("sendall(owner): QS_SENDER ");
483 			printaddr(sm_debug_file(), &e->e_from, false);
484 		}
485 		e->e_from.q_state = QS_SENDER;
486 		e->e_errormode = EM_MAIL;
487 		e->e_flags |= EF_NORECEIPT;
488 		e->e_flags &= ~EF_FATALERRS;
489 	}
490 
491 	/* if nothing to be delivered, just queue up everything */
492 	if (!somedeliveries && !WILL_BE_QUEUED(mode) &&
493 	    mode != SM_VERIFY)
494 	{
495 		time_t now;
496 
497 		if (tTd(13, 29))
498 			sm_dprintf("No deliveries: auto-queueing\n");
499 		mode = SM_QUEUE;
500 		now = curtime();
501 
502 		/* treat this as a delivery in terms of counting tries */
503 		e->e_dtime = now;
504 		if (!expensive)
505 			e->e_ntries++;
506 		for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
507 		{
508 			ee->e_dtime = now;
509 			if (!expensive)
510 				ee->e_ntries++;
511 		}
512 	}
513 
514 	if ((WILL_BE_QUEUED(mode) || mode == SM_FORK ||
515 	     (mode != SM_VERIFY &&
516 	      (SuperSafe == SAFE_REALLY ||
517 	       SuperSafe == SAFE_REALLY_POSTMILTER))) &&
518 	    (!bitset(EF_INQUEUE, e->e_flags) || splitenv != NULL))
519 	{
520 		bool msync;
521 
522 		/*
523 		**  Be sure everything is instantiated in the queue.
524 		**  Split envelopes first in case the machine crashes.
525 		**  If the original were done first, we may lose
526 		**  recipients.
527 		*/
528 
529 #if !HASFLOCK
530 		msync = false;
531 #else /* !HASFLOCK */
532 		msync = mode == SM_FORK;
533 #endif /* !HASFLOCK */
534 
535 		for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
536 			queueup(ee, WILL_BE_QUEUED(mode), msync);
537 		queueup(e, WILL_BE_QUEUED(mode), msync);
538 	}
539 
540 	if (tTd(62, 10))
541 		checkfds("after envelope splitting");
542 
543 	/*
544 	**  If we belong in background, fork now.
545 	*/
546 
547 	if (tTd(13, 20))
548 	{
549 		sm_dprintf("sendall: final mode = %c\n", mode);
550 		if (tTd(13, 21))
551 		{
552 			sm_dprintf("\n================ Final Send Queue(s) =====================\n");
553 			sm_dprintf("\n  *** Envelope %s, e_from=%s ***\n",
554 				   e->e_id, e->e_from.q_paddr);
555 			printaddr(sm_debug_file(), e->e_sendqueue, true);
556 			for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
557 			{
558 				sm_dprintf("\n  *** Envelope %s, e_from=%s ***\n",
559 					   ee->e_id, ee->e_from.q_paddr);
560 				printaddr(sm_debug_file(), ee->e_sendqueue, true);
561 			}
562 			sm_dprintf("==========================================================\n\n");
563 		}
564 	}
565 	switch (mode)
566 	{
567 	  case SM_VERIFY:
568 		Verbose = 2;
569 		break;
570 
571 	  case SM_QUEUE:
572 	  case SM_DEFER:
573 #if HASFLOCK
574   queueonly:
575 #endif /* HASFLOCK */
576 		if (e->e_nrcpts > 0)
577 			e->e_flags |= EF_INQUEUE;
578 		(void) dropenvelope(e, splitenv != NULL, true);
579 		for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
580 		{
581 			if (ee->e_nrcpts > 0)
582 				ee->e_flags |= EF_INQUEUE;
583 			(void) dropenvelope(ee, false, true);
584 		}
585 		return;
586 
587 	  case SM_FORK:
588 		if (e->e_xfp != NULL)
589 			(void) sm_io_flush(e->e_xfp, SM_TIME_DEFAULT);
590 
591 #if !HASFLOCK
592 		/*
593 		**  Since fcntl locking has the interesting semantic that
594 		**  the lock is owned by a process, not by an open file
595 		**  descriptor, we have to flush this to the queue, and
596 		**  then restart from scratch in the child.
597 		*/
598 
599 		{
600 			/* save id for future use */
601 			char *qid = e->e_id;
602 
603 			/* now drop the envelope in the parent */
604 			e->e_flags |= EF_INQUEUE;
605 			(void) dropenvelope(e, splitenv != NULL, false);
606 
607 			/* arrange to reacquire lock after fork */
608 			e->e_id = qid;
609 		}
610 
611 		for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
612 		{
613 			/* save id for future use */
614 			char *qid = ee->e_id;
615 
616 			/* drop envelope in parent */
617 			ee->e_flags |= EF_INQUEUE;
618 			(void) dropenvelope(ee, false, false);
619 
620 			/* and save qid for reacquisition */
621 			ee->e_id = qid;
622 		}
623 
624 #endif /* !HASFLOCK */
625 
626 		/*
627 		**  Since the delivery may happen in a child and the parent
628 		**  does not wait, the parent may close the maps thereby
629 		**  removing any shared memory used by the map.  Therefore,
630 		**  close the maps now so the child will dynamically open
631 		**  them if necessary.
632 		*/
633 
634 		closemaps(false);
635 
636 		pid = fork();
637 		if (pid < 0)
638 		{
639 			syserr("deliver: fork 1");
640 #if HASFLOCK
641 			goto queueonly;
642 #else /* HASFLOCK */
643 			e->e_id = NULL;
644 			for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
645 				ee->e_id = NULL;
646 			return;
647 #endif /* HASFLOCK */
648 		}
649 		else if (pid > 0)
650 		{
651 #if HASFLOCK
652 			/* be sure we leave the temp files to our child */
653 			/* close any random open files in the envelope */
654 			closexscript(e);
655 			if (e->e_dfp != NULL)
656 				(void) sm_io_close(e->e_dfp, SM_TIME_DEFAULT);
657 			e->e_dfp = NULL;
658 			e->e_flags &= ~EF_HAS_DF;
659 
660 			/* can't call unlockqueue to avoid unlink of xfp */
661 			if (e->e_lockfp != NULL)
662 				(void) sm_io_close(e->e_lockfp, SM_TIME_DEFAULT);
663 			else
664 				syserr("%s: sendall: null lockfp", e->e_id);
665 			e->e_lockfp = NULL;
666 #endif /* HASFLOCK */
667 
668 			/* make sure the parent doesn't own the envelope */
669 			e->e_id = NULL;
670 
671 #if USE_DOUBLE_FORK
672 			/* catch intermediate zombie */
673 			(void) waitfor(pid);
674 #endif /* USE_DOUBLE_FORK */
675 			return;
676 		}
677 
678 		/* Reset global flags */
679 		RestartRequest = NULL;
680 		RestartWorkGroup = false;
681 		ShutdownRequest = NULL;
682 		PendingSignal = 0;
683 
684 		/*
685 		**  Initialize exception stack and default exception
686 		**  handler for child process.
687 		*/
688 
689 		sm_exc_newthread(fatal_error);
690 
691 		/*
692 		**  Since we have accepted responsbility for the message,
693 		**  change the SIGTERM handler.  intsig() (the old handler)
694 		**  would remove the envelope if this was a command line
695 		**  message submission.
696 		*/
697 
698 		(void) sm_signal(SIGTERM, SIG_DFL);
699 
700 #if USE_DOUBLE_FORK
701 		/* double fork to avoid zombies */
702 		pid = fork();
703 		if (pid > 0)
704 			exit(EX_OK);
705 		save_errno = errno;
706 #endif /* USE_DOUBLE_FORK */
707 
708 		CurrentPid = getpid();
709 
710 		/* be sure we are immune from the terminal */
711 		disconnect(2, e);
712 		clearstats();
713 
714 		/* prevent parent from waiting if there was an error */
715 		if (pid < 0)
716 		{
717 			errno = save_errno;
718 			syserr("deliver: fork 2");
719 #if HASFLOCK
720 			e->e_flags |= EF_INQUEUE;
721 #else /* HASFLOCK */
722 			e->e_id = NULL;
723 #endif /* HASFLOCK */
724 			finis(true, true, ExitStat);
725 		}
726 
727 		/* be sure to give error messages in child */
728 		QuickAbort = false;
729 
730 		/*
731 		**  Close any cached connections.
732 		**
733 		**	We don't send the QUIT protocol because the parent
734 		**	still knows about the connection.
735 		**
736 		**	This should only happen when delivering an error
737 		**	message.
738 		*/
739 
740 		mci_flush(false, NULL);
741 
742 #if HASFLOCK
743 		break;
744 #else /* HASFLOCK */
745 
746 		/*
747 		**  Now reacquire and run the various queue files.
748 		*/
749 
750 		for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
751 		{
752 			ENVELOPE *sibling = ee->e_sibling;
753 
754 			(void) dowork(ee->e_qgrp, ee->e_qdir, ee->e_id,
755 				      false, false, ee);
756 			ee->e_sibling = sibling;
757 		}
758 		(void) dowork(e->e_qgrp, e->e_qdir, e->e_id,
759 			      false, false, e);
760 		finis(true, true, ExitStat);
761 #endif /* HASFLOCK */
762 	}
763 
764 	sendenvelope(e, mode);
765 	(void) dropenvelope(e, true, true);
766 	for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
767 	{
768 		CurEnv = ee;
769 		if (mode != SM_VERIFY)
770 			openxscript(ee);
771 		sendenvelope(ee, mode);
772 		(void) dropenvelope(ee, true, true);
773 	}
774 	CurEnv = e;
775 
776 	Verbose = oldverbose;
777 	if (mode == SM_FORK)
778 		finis(true, true, ExitStat);
779 }
780 
781 static void
sendenvelope(e,mode)782 sendenvelope(e, mode)
783 	register ENVELOPE *e;
784 	int mode;
785 {
786 	register ADDRESS *q;
787 	bool didany;
788 
789 	if (tTd(13, 10))
790 		sm_dprintf("sendenvelope(%s) e_flags=0x%lx\n",
791 			   e->e_id == NULL ? "[NOQUEUE]" : e->e_id,
792 			   e->e_flags);
793 	if (LogLevel > 80)
794 		sm_syslog(LOG_DEBUG, e->e_id,
795 			  "sendenvelope, flags=0x%lx",
796 			  e->e_flags);
797 
798 	/*
799 	**  If we have had global, fatal errors, don't bother sending
800 	**  the message at all if we are in SMTP mode.  Local errors
801 	**  (e.g., a single address failing) will still cause the other
802 	**  addresses to be sent.
803 	*/
804 
805 	if (bitset(EF_FATALERRS, e->e_flags) &&
806 	    (OpMode == MD_SMTP || OpMode == MD_DAEMON))
807 	{
808 		e->e_flags |= EF_CLRQUEUE;
809 		return;
810 	}
811 
812 	/*
813 	**  Don't attempt deliveries if we want to bounce now
814 	**  or if deliver-by time is exceeded.
815 	*/
816 
817 	if (!bitset(EF_RESPONSE, e->e_flags) &&
818 	    (TimeOuts.to_q_return[e->e_timeoutclass] == NOW ||
819 	     (IS_DLVR_RETURN(e) && e->e_deliver_by > 0 &&
820 	      curtime() > e->e_ctime + e->e_deliver_by)))
821 		return;
822 
823 	/*
824 	**  Run through the list and send everything.
825 	**
826 	**	Set EF_GLOBALERRS so that error messages during delivery
827 	**	result in returned mail.
828 	*/
829 
830 	e->e_nsent = 0;
831 	e->e_flags |= EF_GLOBALERRS;
832 
833 	macdefine(&e->e_macro, A_PERM, macid("{envid}"), e->e_envid);
834 	macdefine(&e->e_macro, A_PERM, macid("{bodytype}"), e->e_bodytype);
835 	didany = false;
836 
837 	if (!bitset(EF_SPLIT, e->e_flags))
838 	{
839 		ENVELOPE *oldsib;
840 		ENVELOPE *ee;
841 
842 		/*
843 		**  Save old sibling and set it to NULL to avoid
844 		**  queueing up the same envelopes again.
845 		**  This requires that envelopes in that list have
846 		**  been take care of before (or at some other place).
847 		*/
848 
849 		oldsib = e->e_sibling;
850 		e->e_sibling = NULL;
851 		if (!split_by_recipient(e) &&
852 		    bitset(EF_FATALERRS, e->e_flags))
853 		{
854 			if (OpMode == MD_SMTP || OpMode == MD_DAEMON)
855 				e->e_flags |= EF_CLRQUEUE;
856 			return;
857 		}
858 		for (ee = e->e_sibling; ee != NULL; ee = ee->e_sibling)
859 			queueup(ee, false, true);
860 
861 		/* clean up */
862 		for (ee = e->e_sibling; ee != NULL; ee = ee->e_sibling)
863 		{
864 			/* now unlock the job */
865 			closexscript(ee);
866 			unlockqueue(ee);
867 
868 			/* this envelope is marked unused */
869 			if (ee->e_dfp != NULL)
870 			{
871 				(void) sm_io_close(ee->e_dfp, SM_TIME_DEFAULT);
872 				ee->e_dfp = NULL;
873 			}
874 			ee->e_id = NULL;
875 			ee->e_flags &= ~EF_HAS_DF;
876 		}
877 		e->e_sibling = oldsib;
878 	}
879 
880 	/* now run through the queue */
881 	for (q = e->e_sendqueue; q != NULL; q = q->q_next)
882 	{
883 #if XDEBUG
884 		char wbuf[MAXNAME + 20];
885 
886 		(void) sm_snprintf(wbuf, sizeof(wbuf), "sendall(%.*s)",
887 				   MAXNAME, q->q_paddr);
888 		checkfd012(wbuf);
889 #endif /* XDEBUG */
890 		if (mode == SM_VERIFY)
891 		{
892 			e->e_to = q->q_paddr;
893 			if (QS_IS_SENDABLE(q->q_state))
894 			{
895 				if (q->q_host != NULL && q->q_host[0] != '\0')
896 					message("deliverable: mailer %s, host %s, user %s",
897 						q->q_mailer->m_name,
898 						q->q_host,
899 						q->q_user);
900 				else
901 					message("deliverable: mailer %s, user %s",
902 						q->q_mailer->m_name,
903 						q->q_user);
904 			}
905 		}
906 		else if (QS_IS_OK(q->q_state))
907 		{
908 			/*
909 			**  Checkpoint the send list every few addresses
910 			*/
911 
912 			if (CheckpointInterval > 0 &&
913 			    e->e_nsent >= CheckpointInterval)
914 			{
915 				queueup(e, false, false);
916 				e->e_nsent = 0;
917 			}
918 			(void) deliver(e, q);
919 			didany = true;
920 		}
921 	}
922 	if (didany)
923 	{
924 		e->e_dtime = curtime();
925 		e->e_ntries++;
926 	}
927 
928 #if XDEBUG
929 	checkfd012("end of sendenvelope");
930 #endif /* XDEBUG */
931 }
932 
933 #if REQUIRES_DIR_FSYNC
934 /*
935 **  SYNC_DIR -- fsync a directory based on a filename
936 **
937 **	Parameters:
938 **		filename -- path of file
939 **		panic -- panic?
940 **
941 **	Returns:
942 **		none
943 */
944 
945 void
sync_dir(filename,panic)946 sync_dir(filename, panic)
947 	char *filename;
948 	bool panic;
949 {
950 	int dirfd;
951 	char *dirp;
952 	char dir[MAXPATHLEN];
953 
954 	if (!RequiresDirfsync)
955 		return;
956 
957 	/* filesystems which require the directory be synced */
958 	dirp = strrchr(filename, '/');
959 	if (dirp != NULL)
960 	{
961 		if (sm_strlcpy(dir, filename, sizeof(dir)) >= sizeof(dir))
962 			return;
963 		dir[dirp - filename] = '\0';
964 		dirp = dir;
965 	}
966 	else
967 		dirp = ".";
968 	dirfd = open(dirp, O_RDONLY, 0700);
969 	if (tTd(40,32))
970 		sm_syslog(LOG_INFO, NOQID, "sync_dir: %s: fsync(%d)",
971 			  dirp, dirfd);
972 	if (dirfd >= 0)
973 	{
974 		if (fsync(dirfd) < 0)
975 		{
976 			if (panic)
977 				syserr("!sync_dir: cannot fsync directory %s",
978 				       dirp);
979 			else if (LogLevel > 1)
980 				sm_syslog(LOG_ERR, NOQID,
981 					  "sync_dir: cannot fsync directory %s: %s",
982 					  dirp, sm_errstring(errno));
983 		}
984 		(void) close(dirfd);
985 	}
986 }
987 #endif /* REQUIRES_DIR_FSYNC */
988 /*
989 **  DUP_QUEUE_FILE -- duplicate a queue file into a split queue
990 **
991 **	Parameters:
992 **		e -- the existing envelope
993 **		ee -- the new envelope
994 **		type -- the queue file type (e.g., DATAFL_LETTER)
995 **
996 **	Returns:
997 **		none
998 */
999 
1000 static void
dup_queue_file(e,ee,type)1001 dup_queue_file(e, ee, type)
1002 	ENVELOPE *e, *ee;
1003 	int type;
1004 {
1005 	char f1buf[MAXPATHLEN], f2buf[MAXPATHLEN];
1006 
1007 	ee->e_dfp = NULL;
1008 	ee->e_xfp = NULL;
1009 
1010 	/*
1011 	**  Make sure both are in the same directory.
1012 	*/
1013 
1014 	(void) sm_strlcpy(f1buf, queuename(e, type), sizeof(f1buf));
1015 	(void) sm_strlcpy(f2buf, queuename(ee, type), sizeof(f2buf));
1016 
1017 	/* Force the df to disk if it's not there yet */
1018 	if (type == DATAFL_LETTER && e->e_dfp != NULL &&
1019 	    sm_io_setinfo(e->e_dfp, SM_BF_COMMIT, NULL) < 0 &&
1020 	    errno != EINVAL)
1021 	{
1022 		syserr("!dup_queue_file: can't commit %s", f1buf);
1023 		/* NOTREACHED */
1024 	}
1025 
1026 	if (link(f1buf, f2buf) < 0)
1027 	{
1028 		int save_errno = errno;
1029 
1030 		syserr("sendall: link(%s, %s)", f1buf, f2buf);
1031 		if (save_errno == EEXIST)
1032 		{
1033 			if (unlink(f2buf) < 0)
1034 			{
1035 				syserr("!sendall: unlink(%s): permanent",
1036 				       f2buf);
1037 				/* NOTREACHED */
1038 			}
1039 			if (link(f1buf, f2buf) < 0)
1040 			{
1041 				syserr("!sendall: link(%s, %s): permanent",
1042 				       f1buf, f2buf);
1043 				/* NOTREACHED */
1044 			}
1045 		}
1046 	}
1047 	SYNC_DIR(f2buf, true);
1048 }
1049 /*
1050 **  DOFORK -- do a fork, retrying a couple of times on failure.
1051 **
1052 **	This MUST be a macro, since after a vfork we are running
1053 **	two processes on the same stack!!!
1054 **
1055 **	Parameters:
1056 **		none.
1057 **
1058 **	Returns:
1059 **		From a macro???  You've got to be kidding!
1060 **
1061 **	Side Effects:
1062 **		Modifies the ==> LOCAL <== variable 'pid', leaving:
1063 **			pid of child in parent, zero in child.
1064 **			-1 on unrecoverable error.
1065 **
1066 **	Notes:
1067 **		I'm awfully sorry this looks so awful.  That's
1068 **		vfork for you.....
1069 */
1070 
1071 #define NFORKTRIES	5
1072 
1073 #ifndef FORK
1074 # define FORK	fork
1075 #endif /* ! FORK */
1076 
1077 #define DOFORK(fORKfN) \
1078 {\
1079 	register int i;\
1080 \
1081 	for (i = NFORKTRIES; --i >= 0; )\
1082 	{\
1083 		pid = fORKfN();\
1084 		if (pid >= 0)\
1085 			break;\
1086 		if (i > 0)\
1087 			(void) sleep((unsigned) NFORKTRIES - i);\
1088 	}\
1089 }
1090 /*
1091 **  DOFORK -- simple fork interface to DOFORK.
1092 **
1093 **	Parameters:
1094 **		none.
1095 **
1096 **	Returns:
1097 **		pid of child in parent.
1098 **		zero in child.
1099 **		-1 on error.
1100 **
1101 **	Side Effects:
1102 **		returns twice, once in parent and once in child.
1103 */
1104 
1105 pid_t
dofork()1106 dofork()
1107 {
1108 	register pid_t pid = -1;
1109 
1110 	DOFORK(fork);
1111 	return pid;
1112 }
1113 
1114 /*
1115 **  COLONCMP -- compare host-signatures up to first ':' or EOS
1116 **
1117 **	This takes two strings which happen to be host-signatures and
1118 **	compares them. If the lowest preference portions of the MX-RR's
1119 **	match (up to ':' or EOS, whichever is first), then we have
1120 **	match. This is used for coattail-piggybacking messages during
1121 **	message delivery.
1122 **	If the signatures are the same up to the first ':' the remainder of
1123 **	the signatures are then compared with a normal strcmp(). This saves
1124 **	re-examining the first part of the signatures.
1125 **
1126 **	Parameters:
1127 **		a - first host-signature
1128 **		b - second host-signature
1129 **
1130 **	Returns:
1131 **		HS_MATCH_NO -- no "match".
1132 **		HS_MATCH_FIRST -- "match" for the first MX preference
1133 **			(up to the first colon (':')).
1134 **		HS_MATCH_FULL -- match for the entire MX record.
1135 **
1136 **	Side Effects:
1137 **		none.
1138 */
1139 
1140 #define HS_MATCH_NO	0
1141 #define HS_MATCH_FIRST	1
1142 #define HS_MATCH_FULL	2
1143 
1144 static int
coloncmp(a,b)1145 coloncmp(a, b)
1146 	register const char *a;
1147 	register const char *b;
1148 {
1149 	int ret = HS_MATCH_NO;
1150 	int braclev = 0;
1151 
1152 	while (*a == *b++)
1153 	{
1154 		/* Need to account for IPv6 bracketed addresses */
1155 		if (*a == '[')
1156 			braclev++;
1157 		else if (*a == ']' && braclev > 0)
1158 			braclev--;
1159 		else if (*a == ':' && braclev <= 0)
1160 		{
1161 			ret = HS_MATCH_FIRST;
1162 			a++;
1163 			break;
1164 		}
1165 		else if (*a == '\0')
1166 			return HS_MATCH_FULL; /* a full match */
1167 		a++;
1168 	}
1169 	if (ret == HS_MATCH_NO &&
1170 	    braclev <= 0 &&
1171 	    ((*a == '\0' && *(b - 1) == ':') ||
1172 	     (*a == ':' && *(b - 1) == '\0')))
1173 		return HS_MATCH_FIRST;
1174 	if (ret == HS_MATCH_FIRST && strcmp(a, b) == 0)
1175 		return HS_MATCH_FULL;
1176 
1177 	return ret;
1178 }
1179 
1180 /*
1181 **  SHOULD_TRY_FBSH -- Should try FallbackSmartHost?
1182 **
1183 **	Parameters:
1184 **		e -- envelope
1185 **		tried_fallbacksmarthost -- has been tried already? (in/out)
1186 **		hostbuf -- buffer for hostname (expand FallbackSmartHost) (out)
1187 **		hbsz -- size of hostbuf
1188 **		status -- current delivery status
1189 **
1190 **	Returns:
1191 **		true iff FallbackSmartHost should be tried.
1192 */
1193 
1194 static bool should_try_fbsh __P((ENVELOPE *, bool *, char *, size_t, int));
1195 
1196 static bool
should_try_fbsh(e,tried_fallbacksmarthost,hostbuf,hbsz,status)1197 should_try_fbsh(e, tried_fallbacksmarthost, hostbuf, hbsz, status)
1198 	ENVELOPE *e;
1199 	bool *tried_fallbacksmarthost;
1200 	char *hostbuf;
1201 	size_t hbsz;
1202 	int status;
1203 {
1204 	/*
1205 	**  If the host was not found or a temporary failure occurred
1206 	**  and a FallbackSmartHost is defined (and we have not yet
1207 	**  tried it), then make one last try with it as the host.
1208 	*/
1209 
1210 	if ((status == EX_NOHOST || status == EX_TEMPFAIL) &&
1211 	    FallbackSmartHost != NULL && !*tried_fallbacksmarthost)
1212 	{
1213 		*tried_fallbacksmarthost = true;
1214 		expand(FallbackSmartHost, hostbuf, hbsz, e);
1215 		if (!wordinclass(hostbuf, 'w'))
1216 		{
1217 			if (tTd(11, 1))
1218 				sm_dprintf("one last try with FallbackSmartHost %s\n",
1219 					   hostbuf);
1220 			return true;
1221 		}
1222 	}
1223 	return false;
1224 }
1225 /*
1226 **  DELIVER -- Deliver a message to a list of addresses.
1227 **
1228 **	This routine delivers to everyone on the same host as the
1229 **	user on the head of the list.  It is clever about mailers
1230 **	that don't handle multiple users.  It is NOT guaranteed
1231 **	that it will deliver to all these addresses however -- so
1232 **	deliver should be called once for each address on the
1233 **	list.
1234 **	Deliver tries to be as opportunistic as possible about piggybacking
1235 **	messages. Some definitions to make understanding easier follow below.
1236 **	Piggybacking occurs when an existing connection to a mail host can
1237 **	be used to send the same message to more than one recipient at the
1238 **	same time. So "no piggybacking" means one message for one recipient
1239 **	per connection. "Intentional piggybacking" happens when the
1240 **	recipients' host address (not the mail host address) is used to
1241 **	attempt piggybacking. Recipients with the same host address
1242 **	have the same mail host. "Coincidental piggybacking" relies on
1243 **	piggybacking based on all the mail host addresses in the MX-RR. This
1244 **	is "coincidental" in the fact it could not be predicted until the
1245 **	MX Resource Records for the hosts were obtained and examined. For
1246 **	example (preference order and equivalence is important, not values):
1247 **		domain1 IN MX 10 mxhost-A
1248 **			IN MX 20 mxhost-B
1249 **		domain2 IN MX  4 mxhost-A
1250 **			IN MX  8 mxhost-B
1251 **	Domain1 and domain2 can piggyback the same message to mxhost-A or
1252 **	mxhost-B (if mxhost-A cannot be reached).
1253 **	"Coattail piggybacking" relaxes the strictness of "coincidental
1254 **	piggybacking" in the hope that most significant (lowest value)
1255 **	MX preference host(s) can create more piggybacking. For example
1256 **	(again, preference order and equivalence is important, not values):
1257 **		domain3 IN MX 100 mxhost-C
1258 **			IN MX 100 mxhost-D
1259 **			IN MX 200 mxhost-E
1260 **		domain4 IN MX  50 mxhost-C
1261 **			IN MX  50 mxhost-D
1262 **			IN MX  80 mxhost-F
1263 **	A message for domain3 and domain4 can piggyback to mxhost-C if mxhost-C
1264 **	is available. Same with mxhost-D because in both RR's the preference
1265 **	value is the same as mxhost-C, respectively.
1266 **	So deliver attempts coattail piggybacking when possible. If the
1267 **	first MX preference level hosts cannot be used then the piggybacking
1268 **	reverts to coincidental piggybacking. Using the above example you
1269 **	cannot deliver to mxhost-F for domain3 regardless of preference value.
1270 **	("Coattail" from "riding on the coattails of your predecessor" meaning
1271 **	gaining benefit from a predecessor effort with no or little addition
1272 **	effort. The predecessor here being the preceding MX RR).
1273 **
1274 **	Parameters:
1275 **		e -- the envelope to deliver.
1276 **		firstto -- head of the address list to deliver to.
1277 **
1278 **	Returns:
1279 **		zero -- successfully delivered.
1280 **		else -- some failure, see ExitStat for more info.
1281 **
1282 **	Side Effects:
1283 **		The standard input is passed off to someone.
1284 */
1285 
1286 static int
deliver(e,firstto)1287 deliver(e, firstto)
1288 	register ENVELOPE *e;
1289 	ADDRESS *firstto;
1290 {
1291 	char *host;			/* host being sent to */
1292 	char *user;			/* user being sent to */
1293 	char **pvp;
1294 	register char **mvp;
1295 	register char *p;
1296 	register MAILER *m;		/* mailer for this recipient */
1297 	ADDRESS *volatile ctladdr;
1298 #if HASSETUSERCONTEXT
1299 	ADDRESS *volatile contextaddr = NULL;
1300 #endif /* HASSETUSERCONTEXT */
1301 	register MCI *volatile mci;
1302 	register ADDRESS *SM_NONVOLATILE to = firstto;
1303 	volatile bool clever = false;	/* running user smtp to this mailer */
1304 	ADDRESS *volatile tochain = NULL; /* users chain in this mailer call */
1305 	int rcode;			/* response code */
1306 	SM_NONVOLATILE int lmtp_rcode = EX_OK;
1307 	SM_NONVOLATILE int nummxhosts = 0; /* number of MX hosts available */
1308 	SM_NONVOLATILE int hostnum = 0;	/* current MX host index */
1309 	char *firstsig;			/* signature of firstto */
1310 	volatile pid_t pid = -1;
1311 	char *volatile curhost;
1312 	SM_NONVOLATILE unsigned short port = 0;
1313 	SM_NONVOLATILE time_t enough = 0;
1314 #if NETUNIX
1315 	char *SM_NONVOLATILE mux_path = NULL;	/* path to UNIX domain socket */
1316 #endif /* NETUNIX */
1317 	time_t xstart;
1318 	bool suidwarn;
1319 	bool anyok;			/* at least one address was OK */
1320 	SM_NONVOLATILE bool goodmxfound = false; /* at least one MX was OK */
1321 	bool ovr;
1322 	bool quarantine;
1323 	int strsize;
1324 	int rcptcount;
1325 	int ret;
1326 	static int tobufsize = 0;
1327 	static char *tobuf = NULL;
1328 	char *rpath;	/* translated return path */
1329 	int mpvect[2];
1330 	int rpvect[2];
1331 	char *mxhosts[MAXMXHOSTS + 1];
1332 	char *pv[MAXPV + 1];
1333 	char buf[MAXNAME + 1];
1334 	char cbuf[MAXPATHLEN];
1335 
1336 	errno = 0;
1337 	SM_REQUIRE(firstto != NULL);	/* same as to */
1338 	if (!QS_IS_OK(to->q_state))
1339 		return 0;
1340 
1341 	suidwarn = geteuid() == 0;
1342 
1343 	SM_REQUIRE(e != NULL);
1344 	m = to->q_mailer;
1345 	host = to->q_host;
1346 	CurEnv = e;			/* just in case */
1347 	e->e_statmsg = NULL;
1348 	SmtpError[0] = '\0';
1349 	xstart = curtime();
1350 
1351 	if (tTd(10, 1))
1352 		sm_dprintf("\n--deliver, id=%s, mailer=%s, host=`%s', first user=`%s'\n",
1353 			e->e_id, m->m_name, host, to->q_user);
1354 	if (tTd(10, 100))
1355 		printopenfds(false);
1356 
1357 	/*
1358 	**  Clear {client_*} macros if this is a bounce message to
1359 	**  prevent rejection by check_compat ruleset.
1360 	*/
1361 
1362 	if (bitset(EF_RESPONSE, e->e_flags))
1363 	{
1364 		macdefine(&e->e_macro, A_PERM, macid("{client_name}"), "");
1365 		macdefine(&e->e_macro, A_PERM, macid("{client_ptr}"), "");
1366 		macdefine(&e->e_macro, A_PERM, macid("{client_addr}"), "");
1367 		macdefine(&e->e_macro, A_PERM, macid("{client_port}"), "");
1368 		macdefine(&e->e_macro, A_PERM, macid("{client_resolve}"), "");
1369 	}
1370 
1371 	SM_TRY
1372 	{
1373 	ADDRESS *skip_back = NULL;
1374 
1375 	/*
1376 	**  Do initial argv setup.
1377 	**	Insert the mailer name.  Notice that $x expansion is
1378 	**	NOT done on the mailer name.  Then, if the mailer has
1379 	**	a picky -f flag, we insert it as appropriate.  This
1380 	**	code does not check for 'pv' overflow; this places a
1381 	**	manifest lower limit of 4 for MAXPV.
1382 	**		The from address rewrite is expected to make
1383 	**		the address relative to the other end.
1384 	*/
1385 
1386 	/* rewrite from address, using rewriting rules */
1387 	rcode = EX_OK;
1388 	SM_ASSERT(e->e_from.q_mailer != NULL);
1389 	if (bitnset(M_UDBENVELOPE, e->e_from.q_mailer->m_flags))
1390 		p = e->e_sender;
1391 	else
1392 		p = e->e_from.q_paddr;
1393 	rpath = remotename(p, m, RF_SENDERADDR|RF_CANONICAL, &rcode, e);
1394 	if (strlen(rpath) > MAXNAME)
1395 	{
1396 		rpath = shortenstring(rpath, MAXSHORTSTR);
1397 
1398 		/* avoid bogus errno */
1399 		errno = 0;
1400 		syserr("remotename: huge return path %s", rpath);
1401 	}
1402 	rpath = sm_rpool_strdup_x(e->e_rpool, rpath);
1403 	macdefine(&e->e_macro, A_PERM, 'g', rpath);
1404 	macdefine(&e->e_macro, A_PERM, 'h', host);
1405 	Errors = 0;
1406 	pvp = pv;
1407 	*pvp++ = m->m_argv[0];
1408 
1409 	/* ignore long term host status information if mailer flag W is set */
1410 	if (bitnset(M_NOHOSTSTAT, m->m_flags))
1411 		IgnoreHostStatus = true;
1412 
1413 	/* insert -f or -r flag as appropriate */
1414 	if (FromFlag &&
1415 	    (bitnset(M_FOPT, m->m_flags) ||
1416 	     bitnset(M_ROPT, m->m_flags)))
1417 	{
1418 		if (bitnset(M_FOPT, m->m_flags))
1419 			*pvp++ = "-f";
1420 		else
1421 			*pvp++ = "-r";
1422 		*pvp++ = rpath;
1423 	}
1424 
1425 	/*
1426 	**  Append the other fixed parts of the argv.  These run
1427 	**  up to the first entry containing "$u".  There can only
1428 	**  be one of these, and there are only a few more slots
1429 	**  in the pv after it.
1430 	*/
1431 
1432 	for (mvp = m->m_argv; (p = *++mvp) != NULL; )
1433 	{
1434 		/* can't use strchr here because of sign extension problems */
1435 		while (*p != '\0')
1436 		{
1437 			if ((*p++ & 0377) == MACROEXPAND)
1438 			{
1439 				if (*p == 'u')
1440 					break;
1441 			}
1442 		}
1443 
1444 		if (*p != '\0')
1445 			break;
1446 
1447 		/* this entry is safe -- go ahead and process it */
1448 		expand(*mvp, buf, sizeof(buf), e);
1449 		*pvp++ = sm_rpool_strdup_x(e->e_rpool, buf);
1450 		if (pvp >= &pv[MAXPV - 3])
1451 		{
1452 			syserr("554 5.3.5 Too many parameters to %s before $u",
1453 			       pv[0]);
1454 			rcode = -1;
1455 			goto cleanup;
1456 		}
1457 	}
1458 
1459 	/*
1460 	**  If we have no substitution for the user name in the argument
1461 	**  list, we know that we must supply the names otherwise -- and
1462 	**  SMTP is the answer!!
1463 	*/
1464 
1465 	if (*mvp == NULL)
1466 	{
1467 		/* running LMTP or SMTP */
1468 		clever = true;
1469 		*pvp = NULL;
1470 	}
1471 	else if (bitnset(M_LMTP, m->m_flags))
1472 	{
1473 		/* not running LMTP */
1474 		sm_syslog(LOG_ERR, NULL,
1475 			  "Warning: mailer %s: LMTP flag (F=z) turned off",
1476 			  m->m_name);
1477 		clrbitn(M_LMTP, m->m_flags);
1478 	}
1479 
1480 	/*
1481 	**  At this point *mvp points to the argument with $u.  We
1482 	**  run through our address list and append all the addresses
1483 	**  we can.  If we run out of space, do not fret!  We can
1484 	**  always send another copy later.
1485 	*/
1486 
1487 	e->e_to = NULL;
1488 	strsize = 2;
1489 	rcptcount = 0;
1490 	ctladdr = NULL;
1491 	if (firstto->q_signature == NULL)
1492 		firstto->q_signature = hostsignature(firstto->q_mailer,
1493 						     firstto->q_host);
1494 	firstsig = firstto->q_signature;
1495 
1496 	for (; to != NULL; to = to->q_next)
1497 	{
1498 		/* avoid sending multiple recipients to dumb mailers */
1499 		if (tochain != NULL && !bitnset(M_MUSER, m->m_flags))
1500 			break;
1501 
1502 		/* if already sent or not for this host, don't send */
1503 		if (!QS_IS_OK(to->q_state)) /* already sent; look at next */
1504 			continue;
1505 
1506 		/*
1507 		**  Must be same mailer to keep grouping rcpts.
1508 		**  If mailers don't match: continue; sendqueue is not
1509 		**  sorted by mailers, so don't break;
1510 		*/
1511 
1512 		if (to->q_mailer != firstto->q_mailer)
1513 			continue;
1514 
1515 		if (to->q_signature == NULL) /* for safety */
1516 			to->q_signature = hostsignature(to->q_mailer,
1517 							to->q_host);
1518 
1519 		/*
1520 		**  This is for coincidental and tailcoat piggybacking messages
1521 		**  to the same mail host. While the signatures are identical
1522 		**  (that's the MX-RR's are identical) we can do coincidental
1523 		**  piggybacking. We try hard for coattail piggybacking
1524 		**  with the same mail host when the next recipient has the
1525 		**  same host at lowest preference. It may be that this
1526 		**  won't work out, so 'skip_back' is maintained if a backup
1527 		**  to coincidental piggybacking or full signature must happen.
1528 		*/
1529 
1530 		ret = firstto == to ? HS_MATCH_FULL :
1531 				      coloncmp(to->q_signature, firstsig);
1532 		if (ret == HS_MATCH_FULL)
1533 			skip_back = to;
1534 		else if (ret == HS_MATCH_NO)
1535 			break;
1536 
1537 		if (!clever)
1538 		{
1539 			/* avoid overflowing tobuf */
1540 			strsize += strlen(to->q_paddr) + 1;
1541 			if (strsize > TOBUFSIZE)
1542 				break;
1543 		}
1544 
1545 		if (++rcptcount > to->q_mailer->m_maxrcpt)
1546 			break;
1547 
1548 		if (tTd(10, 1))
1549 		{
1550 			sm_dprintf("\nsend to ");
1551 			printaddr(sm_debug_file(), to, false);
1552 		}
1553 
1554 		/* compute effective uid/gid when sending */
1555 		if (bitnset(M_RUNASRCPT, to->q_mailer->m_flags))
1556 # if HASSETUSERCONTEXT
1557 			contextaddr = ctladdr = getctladdr(to);
1558 # else /* HASSETUSERCONTEXT */
1559 			ctladdr = getctladdr(to);
1560 # endif /* HASSETUSERCONTEXT */
1561 
1562 		if (tTd(10, 2))
1563 		{
1564 			sm_dprintf("ctladdr=");
1565 			printaddr(sm_debug_file(), ctladdr, false);
1566 		}
1567 
1568 		user = to->q_user;
1569 		e->e_to = to->q_paddr;
1570 
1571 		/*
1572 		**  Check to see that these people are allowed to
1573 		**  talk to each other.
1574 		**  Check also for overflow of e_msgsize.
1575 		*/
1576 
1577 		if (m->m_maxsize != 0 &&
1578 		    (e->e_msgsize > m->m_maxsize || e->e_msgsize < 0))
1579 		{
1580 			e->e_flags |= EF_NO_BODY_RETN;
1581 			if (bitnset(M_LOCALMAILER, to->q_mailer->m_flags))
1582 				to->q_status = "5.2.3";
1583 			else
1584 				to->q_status = "5.3.4";
1585 
1586 			/* set to->q_rstatus = NULL; or to the following? */
1587 			usrerrenh(to->q_status,
1588 				  "552 Message is too large; %ld bytes max",
1589 				  m->m_maxsize);
1590 			markfailure(e, to, NULL, EX_UNAVAILABLE, false);
1591 			giveresponse(EX_UNAVAILABLE, to->q_status, m,
1592 				     NULL, ctladdr, xstart, e, to);
1593 			continue;
1594 		}
1595 		SM_SET_H_ERRNO(0);
1596 		ovr = true;
1597 
1598 		/* do config file checking of compatibility */
1599 		quarantine = (e->e_quarmsg != NULL);
1600 		rcode = rscheck("check_compat", e->e_from.q_paddr, to->q_paddr,
1601 				e, RSF_RMCOMM|RSF_COUNT, 3, NULL,
1602 				e->e_id, NULL);
1603 		if (rcode == EX_OK)
1604 		{
1605 			/* do in-code checking if not discarding */
1606 			if (!bitset(EF_DISCARD, e->e_flags))
1607 			{
1608 				rcode = checkcompat(to, e);
1609 				ovr = false;
1610 			}
1611 		}
1612 		if (rcode != EX_OK)
1613 		{
1614 			markfailure(e, to, NULL, rcode, ovr);
1615 			giveresponse(rcode, to->q_status, m,
1616 				     NULL, ctladdr, xstart, e, to);
1617 			continue;
1618 		}
1619 		if (!quarantine && e->e_quarmsg != NULL)
1620 		{
1621 			/*
1622 			**  check_compat or checkcompat() has tried
1623 			**  to quarantine but that isn't supported.
1624 			**  Revert the attempt.
1625 			*/
1626 
1627 			e->e_quarmsg = NULL;
1628 			macdefine(&e->e_macro, A_PERM,
1629 				  macid("{quarantine}"), "");
1630 		}
1631 		if (bitset(EF_DISCARD, e->e_flags))
1632 		{
1633 			if (tTd(10, 5))
1634 			{
1635 				sm_dprintf("deliver: discarding recipient ");
1636 				printaddr(sm_debug_file(), to, false);
1637 			}
1638 
1639 			/* pretend the message was sent */
1640 			/* XXX should we log something here? */
1641 			to->q_state = QS_DISCARDED;
1642 
1643 			/*
1644 			**  Remove discard bit to prevent discard of
1645 			**  future recipients.  This is safe because the
1646 			**  true "global discard" has been handled before
1647 			**  we get here.
1648 			*/
1649 
1650 			e->e_flags &= ~EF_DISCARD;
1651 			continue;
1652 		}
1653 
1654 		/*
1655 		**  Strip quote bits from names if the mailer is dumb
1656 		**	about them.
1657 		*/
1658 
1659 		if (bitnset(M_STRIPQ, m->m_flags))
1660 		{
1661 			stripquotes(user);
1662 			stripquotes(host);
1663 		}
1664 
1665 		/*
1666 		**  Strip all leading backslashes if requested and the
1667 		**  next character is alphanumerical (the latter can
1668 		**  probably relaxed a bit, see RFC2821).
1669 		*/
1670 
1671 		if (bitnset(M_STRIPBACKSL, m->m_flags) && user[0] == '\\')
1672 			stripbackslash(user);
1673 
1674 		/* hack attack -- delivermail compatibility */
1675 		if (m == ProgMailer && *user == '|')
1676 			user++;
1677 
1678 		/*
1679 		**  If an error message has already been given, don't
1680 		**	bother to send to this address.
1681 		**
1682 		**	>>>>>>>>>> This clause assumes that the local mailer
1683 		**	>> NOTE >> cannot do any further aliasing; that
1684 		**	>>>>>>>>>> function is subsumed by sendmail.
1685 		*/
1686 
1687 		if (!QS_IS_OK(to->q_state))
1688 			continue;
1689 
1690 		/*
1691 		**  See if this user name is "special".
1692 		**	If the user name has a slash in it, assume that this
1693 		**	is a file -- send it off without further ado.  Note
1694 		**	that this type of addresses is not processed along
1695 		**	with the others, so we fudge on the To person.
1696 		*/
1697 
1698 		if (strcmp(m->m_mailer, "[FILE]") == 0)
1699 		{
1700 			macdefine(&e->e_macro, A_PERM, 'u', user);
1701 			p = to->q_home;
1702 			if (p == NULL && ctladdr != NULL)
1703 				p = ctladdr->q_home;
1704 			macdefine(&e->e_macro, A_PERM, 'z', p);
1705 			expand(m->m_argv[1], buf, sizeof(buf), e);
1706 			if (strlen(buf) > 0)
1707 				rcode = mailfile(buf, m, ctladdr, SFF_CREAT, e);
1708 			else
1709 			{
1710 				syserr("empty filename specification for mailer %s",
1711 				       m->m_name);
1712 				rcode = EX_CONFIG;
1713 			}
1714 			giveresponse(rcode, to->q_status, m, NULL,
1715 				     ctladdr, xstart, e, to);
1716 			markfailure(e, to, NULL, rcode, true);
1717 			e->e_nsent++;
1718 			if (rcode == EX_OK)
1719 			{
1720 				to->q_state = QS_SENT;
1721 				if (bitnset(M_LOCALMAILER, m->m_flags) &&
1722 				    bitset(QPINGONSUCCESS, to->q_flags))
1723 				{
1724 					to->q_flags |= QDELIVERED;
1725 					to->q_status = "2.1.5";
1726 					(void) sm_io_fprintf(e->e_xfp,
1727 							     SM_TIME_DEFAULT,
1728 							     "%s... Successfully delivered\n",
1729 							     to->q_paddr);
1730 				}
1731 			}
1732 			to->q_statdate = curtime();
1733 			markstats(e, to, STATS_NORMAL);
1734 			continue;
1735 		}
1736 
1737 		/*
1738 		**  Address is verified -- add this user to mailer
1739 		**  argv, and add it to the print list of recipients.
1740 		*/
1741 
1742 		/* link together the chain of recipients */
1743 		to->q_tchain = tochain;
1744 		tochain = to;
1745 		e->e_to = "[CHAIN]";
1746 
1747 		macdefine(&e->e_macro, A_PERM, 'u', user);  /* to user */
1748 		p = to->q_home;
1749 		if (p == NULL && ctladdr != NULL)
1750 			p = ctladdr->q_home;
1751 		macdefine(&e->e_macro, A_PERM, 'z', p);  /* user's home */
1752 
1753 		/* set the ${dsn_notify} macro if applicable */
1754 		if (bitset(QHASNOTIFY, to->q_flags))
1755 		{
1756 			char notify[MAXLINE];
1757 
1758 			notify[0] = '\0';
1759 			if (bitset(QPINGONSUCCESS, to->q_flags))
1760 				(void) sm_strlcat(notify, "SUCCESS,",
1761 						  sizeof(notify));
1762 			if (bitset(QPINGONFAILURE, to->q_flags))
1763 				(void) sm_strlcat(notify, "FAILURE,",
1764 						  sizeof(notify));
1765 			if (bitset(QPINGONDELAY, to->q_flags))
1766 				(void) sm_strlcat(notify, "DELAY,",
1767 						  sizeof(notify));
1768 
1769 			/* Set to NEVER or drop trailing comma */
1770 			if (notify[0] == '\0')
1771 				(void) sm_strlcat(notify, "NEVER",
1772 						  sizeof(notify));
1773 			else
1774 				notify[strlen(notify) - 1] = '\0';
1775 
1776 			macdefine(&e->e_macro, A_TEMP,
1777 				macid("{dsn_notify}"), notify);
1778 		}
1779 		else
1780 			macdefine(&e->e_macro, A_PERM,
1781 				macid("{dsn_notify}"), NULL);
1782 
1783 		/*
1784 		**  Expand out this user into argument list.
1785 		*/
1786 
1787 		if (!clever)
1788 		{
1789 			expand(*mvp, buf, sizeof(buf), e);
1790 			*pvp++ = sm_rpool_strdup_x(e->e_rpool, buf);
1791 			if (pvp >= &pv[MAXPV - 2])
1792 			{
1793 				/* allow some space for trailing parms */
1794 				break;
1795 			}
1796 		}
1797 	}
1798 
1799 	/* see if any addresses still exist */
1800 	if (tochain == NULL)
1801 	{
1802 		rcode = 0;
1803 		goto cleanup;
1804 	}
1805 
1806 	/* print out messages as full list */
1807 	strsize = 1;
1808 	for (to = tochain; to != NULL; to = to->q_tchain)
1809 		strsize += strlen(to->q_paddr) + 1;
1810 	if (strsize < TOBUFSIZE)
1811 		strsize = TOBUFSIZE;
1812 	if (strsize > tobufsize)
1813 	{
1814 		SM_FREE_CLR(tobuf);
1815 		tobuf = sm_pmalloc_x(strsize);
1816 		tobufsize = strsize;
1817 	}
1818 	p = tobuf;
1819 	*p = '\0';
1820 	for (to = tochain; to != NULL; to = to->q_tchain)
1821 	{
1822 		(void) sm_strlcpyn(p, tobufsize - (p - tobuf), 2,
1823 				   ",", to->q_paddr);
1824 		p += strlen(p);
1825 	}
1826 	e->e_to = tobuf + 1;
1827 
1828 	/*
1829 	**  Fill out any parameters after the $u parameter.
1830 	*/
1831 
1832 	if (!clever)
1833 	{
1834 		while (*++mvp != NULL)
1835 		{
1836 			expand(*mvp, buf, sizeof(buf), e);
1837 			*pvp++ = sm_rpool_strdup_x(e->e_rpool, buf);
1838 			if (pvp >= &pv[MAXPV])
1839 				syserr("554 5.3.0 deliver: pv overflow after $u for %s",
1840 				       pv[0]);
1841 		}
1842 	}
1843 	*pvp++ = NULL;
1844 
1845 	/*
1846 	**  Call the mailer.
1847 	**	The argument vector gets built, pipes
1848 	**	are created as necessary, and we fork & exec as
1849 	**	appropriate.
1850 	**	If we are running SMTP, we just need to clean up.
1851 	*/
1852 
1853 	/* XXX this seems a bit wierd */
1854 	if (ctladdr == NULL && m != ProgMailer && m != FileMailer &&
1855 	    bitset(QGOODUID, e->e_from.q_flags))
1856 		ctladdr = &e->e_from;
1857 
1858 #if NAMED_BIND
1859 	if (ConfigLevel < 2)
1860 		_res.options &= ~(RES_DEFNAMES | RES_DNSRCH);	/* XXX */
1861 #endif /* NAMED_BIND */
1862 
1863 	if (tTd(11, 1))
1864 	{
1865 		sm_dprintf("openmailer:");
1866 		printav(sm_debug_file(), pv);
1867 	}
1868 	errno = 0;
1869 	SM_SET_H_ERRNO(0);
1870 	CurHostName = NULL;
1871 
1872 	/*
1873 	**  Deal with the special case of mail handled through an IPC
1874 	**  connection.
1875 	**	In this case we don't actually fork.  We must be
1876 	**	running SMTP for this to work.  We will return a
1877 	**	zero pid to indicate that we are running IPC.
1878 	**  We also handle a debug version that just talks to stdin/out.
1879 	*/
1880 
1881 	curhost = NULL;
1882 	SmtpPhase = NULL;
1883 	mci = NULL;
1884 
1885 #if XDEBUG
1886 	{
1887 		char wbuf[MAXLINE];
1888 
1889 		/* make absolutely certain 0, 1, and 2 are in use */
1890 		(void) sm_snprintf(wbuf, sizeof(wbuf), "%s... openmailer(%s)",
1891 				   shortenstring(e->e_to, MAXSHORTSTR),
1892 				   m->m_name);
1893 		checkfd012(wbuf);
1894 	}
1895 #endif /* XDEBUG */
1896 
1897 	/* check for 8-bit available */
1898 	if (bitset(EF_HAS8BIT, e->e_flags) &&
1899 	    bitnset(M_7BITS, m->m_flags) &&
1900 	    (bitset(EF_DONT_MIME, e->e_flags) ||
1901 	     !(bitset(MM_MIME8BIT, MimeMode) ||
1902 	       (bitset(EF_IS_MIME, e->e_flags) &&
1903 		bitset(MM_CVTMIME, MimeMode)))))
1904 	{
1905 		e->e_status = "5.6.3";
1906 		usrerrenh(e->e_status,
1907 			  "554 Cannot send 8-bit data to 7-bit destination");
1908 		rcode = EX_DATAERR;
1909 		goto give_up;
1910 	}
1911 
1912 	if (tTd(62, 8))
1913 		checkfds("before delivery");
1914 
1915 	/* check for Local Person Communication -- not for mortals!!! */
1916 	if (strcmp(m->m_mailer, "[LPC]") == 0)
1917 	{
1918 		if (clever)
1919 		{
1920 			/* flush any expired connections */
1921 			(void) mci_scan(NULL);
1922 
1923 			/* try to get a cached connection or just a slot */
1924 			mci = mci_get(m->m_name, m);
1925 			if (mci->mci_host == NULL)
1926 				mci->mci_host = m->m_name;
1927 			CurHostName = mci->mci_host;
1928 			if (mci->mci_state != MCIS_CLOSED)
1929 			{
1930 				message("Using cached SMTP/LPC connection for %s...",
1931 					m->m_name);
1932 				mci->mci_deliveries++;
1933 				goto do_transfer;
1934 			}
1935 		}
1936 		else
1937 		{
1938 			mci = mci_new(e->e_rpool);
1939 		}
1940 		mci->mci_in = smioin;
1941 		mci->mci_out = smioout;
1942 		mci->mci_mailer = m;
1943 		mci->mci_host = m->m_name;
1944 		if (clever)
1945 		{
1946 			mci->mci_state = MCIS_OPENING;
1947 			mci_cache(mci);
1948 		}
1949 		else
1950 			mci->mci_state = MCIS_OPEN;
1951 	}
1952 	else if (strcmp(m->m_mailer, "[IPC]") == 0)
1953 	{
1954 		register int i;
1955 
1956 		if (pv[0] == NULL || pv[1] == NULL || pv[1][0] == '\0')
1957 		{
1958 			syserr("null destination for %s mailer", m->m_mailer);
1959 			rcode = EX_CONFIG;
1960 			goto give_up;
1961 		}
1962 
1963 # if NETUNIX
1964 		if (strcmp(pv[0], "FILE") == 0)
1965 		{
1966 			curhost = CurHostName = "localhost";
1967 			mux_path = pv[1];
1968 		}
1969 		else
1970 # endif /* NETUNIX */
1971 		{
1972 			CurHostName = pv[1];
1973 			curhost = hostsignature(m, pv[1]);
1974 		}
1975 
1976 		if (curhost == NULL || curhost[0] == '\0')
1977 		{
1978 			syserr("null host signature for %s", pv[1]);
1979 			rcode = EX_CONFIG;
1980 			goto give_up;
1981 		}
1982 
1983 		if (!clever)
1984 		{
1985 			syserr("554 5.3.5 non-clever IPC");
1986 			rcode = EX_CONFIG;
1987 			goto give_up;
1988 		}
1989 		if (pv[2] != NULL
1990 # if NETUNIX
1991 		    && mux_path == NULL
1992 # endif /* NETUNIX */
1993 		    )
1994 		{
1995 			port = htons((unsigned short) atoi(pv[2]));
1996 			if (port == 0)
1997 			{
1998 # ifdef NO_GETSERVBYNAME
1999 				syserr("Invalid port number: %s", pv[2]);
2000 # else /* NO_GETSERVBYNAME */
2001 				struct servent *sp = getservbyname(pv[2], "tcp");
2002 
2003 				if (sp == NULL)
2004 					syserr("Service %s unknown", pv[2]);
2005 				else
2006 					port = sp->s_port;
2007 # endif /* NO_GETSERVBYNAME */
2008 			}
2009 		}
2010 
2011 		nummxhosts = parse_hostsignature(curhost, mxhosts, m);
2012 		if (TimeOuts.to_aconnect > 0)
2013 			enough = curtime() + TimeOuts.to_aconnect;
2014 tryhost:
2015 		while (hostnum < nummxhosts)
2016 		{
2017 			char sep = ':';
2018 			char *endp;
2019 			static char hostbuf[MAXNAME + 1];
2020 			bool tried_fallbacksmarthost = false;
2021 
2022 # if NETINET6
2023 			if (*mxhosts[hostnum] == '[')
2024 			{
2025 				endp = strchr(mxhosts[hostnum] + 1, ']');
2026 				if (endp != NULL)
2027 					endp = strpbrk(endp + 1, ":,");
2028 			}
2029 			else
2030 				endp = strpbrk(mxhosts[hostnum], ":,");
2031 # else /* NETINET6 */
2032 			endp = strpbrk(mxhosts[hostnum], ":,");
2033 # endif /* NETINET6 */
2034 			if (endp != NULL)
2035 			{
2036 				sep = *endp;
2037 				*endp = '\0';
2038 			}
2039 
2040 			if (hostnum == 1 && skip_back != NULL)
2041 			{
2042 				/*
2043 				**  Coattail piggybacking is no longer an
2044 				**  option with the mail host next to be tried
2045 				**  no longer the lowest MX preference
2046 				**  (hostnum == 1 meaning we're on the second
2047 				**  preference). We do not try to coattail
2048 				**  piggyback more than the first MX preference.
2049 				**  Revert 'tochain' to last location for
2050 				**  coincidental piggybacking. This works this
2051 				**  easily because the q_tchain kept getting
2052 				**  added to the top of the linked list.
2053 				*/
2054 
2055 				tochain = skip_back;
2056 			}
2057 
2058 			if (*mxhosts[hostnum] == '\0')
2059 			{
2060 				syserr("deliver: null host name in signature");
2061 				hostnum++;
2062 				if (endp != NULL)
2063 					*endp = sep;
2064 				continue;
2065 			}
2066 			(void) sm_strlcpy(hostbuf, mxhosts[hostnum],
2067 					  sizeof(hostbuf));
2068 			hostnum++;
2069 			if (endp != NULL)
2070 				*endp = sep;
2071 
2072   one_last_try:
2073 			/* see if we already know that this host is fried */
2074 			CurHostName = hostbuf;
2075 			mci = mci_get(hostbuf, m);
2076 			if (mci->mci_state != MCIS_CLOSED)
2077 			{
2078 				char *type;
2079 
2080 				if (tTd(11, 1))
2081 				{
2082 					sm_dprintf("openmailer: ");
2083 					mci_dump(sm_debug_file(), mci, false);
2084 				}
2085 				CurHostName = mci->mci_host;
2086 				if (bitnset(M_LMTP, m->m_flags))
2087 					type = "L";
2088 				else if (bitset(MCIF_ESMTP, mci->mci_flags))
2089 					type = "ES";
2090 				else
2091 					type = "S";
2092 				message("Using cached %sMTP connection to %s via %s...",
2093 					type, hostbuf, m->m_name);
2094 				mci->mci_deliveries++;
2095 				break;
2096 			}
2097 			mci->mci_mailer = m;
2098 			if (mci->mci_exitstat != EX_OK)
2099 			{
2100 				if (mci->mci_exitstat == EX_TEMPFAIL)
2101 					goodmxfound = true;
2102 
2103 				/* Try FallbackSmartHost? */
2104 				if (should_try_fbsh(e, &tried_fallbacksmarthost,
2105 						    hostbuf, sizeof(hostbuf),
2106 						    mci->mci_exitstat))
2107 					goto one_last_try;
2108 
2109 				continue;
2110 			}
2111 
2112 			if (mci_lock_host(mci) != EX_OK)
2113 			{
2114 				mci_setstat(mci, EX_TEMPFAIL, "4.4.5", NULL);
2115 				goodmxfound = true;
2116 				continue;
2117 			}
2118 
2119 			/* try the connection */
2120 			sm_setproctitle(true, e, "%s %s: %s",
2121 					qid_printname(e),
2122 					hostbuf, "user open");
2123 # if NETUNIX
2124 			if (mux_path != NULL)
2125 			{
2126 				message("Connecting to %s via %s...",
2127 					mux_path, m->m_name);
2128 				i = makeconnection_ds((char *) mux_path, mci);
2129 			}
2130 			else
2131 # endif /* NETUNIX */
2132 			{
2133 				if (port == 0)
2134 					message("Connecting to %s via %s...",
2135 						hostbuf, m->m_name);
2136 				else
2137 					message("Connecting to %s port %d via %s...",
2138 						hostbuf, ntohs(port),
2139 						m->m_name);
2140 				i = makeconnection(hostbuf, port, mci, e,
2141 						   enough);
2142 			}
2143 			mci->mci_errno = errno;
2144 			mci->mci_lastuse = curtime();
2145 			mci->mci_deliveries = 0;
2146 			mci->mci_exitstat = i;
2147 # if NAMED_BIND
2148 			mci->mci_herrno = h_errno;
2149 # endif /* NAMED_BIND */
2150 
2151 			/*
2152 			**  Have we tried long enough to get a connection?
2153 			**	If yes, skip to the fallback MX hosts
2154 			**	(if existent).
2155 			*/
2156 
2157 			if (enough > 0 && mci->mci_lastuse >= enough)
2158 			{
2159 				int h;
2160 # if NAMED_BIND
2161 				extern int NumFallbackMXHosts;
2162 # else /* NAMED_BIND */
2163 				const int NumFallbackMXHosts = 0;
2164 # endif /* NAMED_BIND */
2165 
2166 				if (hostnum < nummxhosts && LogLevel > 9)
2167 					sm_syslog(LOG_INFO, e->e_id,
2168 						  "Timeout.to_aconnect occurred before exhausting all addresses");
2169 
2170 				/* turn off timeout if fallback available */
2171 				if (NumFallbackMXHosts > 0)
2172 					enough = 0;
2173 
2174 				/* skip to a fallback MX host */
2175 				h = nummxhosts - NumFallbackMXHosts;
2176 				if (hostnum < h)
2177 					hostnum = h;
2178 			}
2179 			if (i == EX_OK)
2180 			{
2181 				goodmxfound = true;
2182 				markstats(e, firstto, STATS_CONNECT);
2183 				mci->mci_state = MCIS_OPENING;
2184 				mci_cache(mci);
2185 				if (TrafficLogFile != NULL)
2186 					(void) sm_io_fprintf(TrafficLogFile,
2187 							     SM_TIME_DEFAULT,
2188 							     "%05d === CONNECT %s\n",
2189 							     (int) CurrentPid,
2190 							     hostbuf);
2191 				break;
2192 			}
2193 			else
2194 			{
2195 				/* Try FallbackSmartHost? */
2196 				if (should_try_fbsh(e, &tried_fallbacksmarthost,
2197 						    hostbuf, sizeof(hostbuf), i))
2198 					goto one_last_try;
2199 
2200 				if (tTd(11, 1))
2201 					sm_dprintf("openmailer: makeconnection => stat=%d, errno=%d\n",
2202 						   i, errno);
2203 				if (i == EX_TEMPFAIL)
2204 					goodmxfound = true;
2205 				mci_unlock_host(mci);
2206 			}
2207 
2208 			/* enter status of this host */
2209 			setstat(i);
2210 
2211 			/* should print some message here for -v mode */
2212 		}
2213 		if (mci == NULL)
2214 		{
2215 			syserr("deliver: no host name");
2216 			rcode = EX_SOFTWARE;
2217 			goto give_up;
2218 		}
2219 		mci->mci_pid = 0;
2220 	}
2221 	else
2222 	{
2223 		/* flush any expired connections */
2224 		(void) mci_scan(NULL);
2225 		mci = NULL;
2226 
2227 		if (bitnset(M_LMTP, m->m_flags))
2228 		{
2229 			/* try to get a cached connection */
2230 			mci = mci_get(m->m_name, m);
2231 			if (mci->mci_host == NULL)
2232 				mci->mci_host = m->m_name;
2233 			CurHostName = mci->mci_host;
2234 			if (mci->mci_state != MCIS_CLOSED)
2235 			{
2236 				message("Using cached LMTP connection for %s...",
2237 					m->m_name);
2238 				mci->mci_deliveries++;
2239 				goto do_transfer;
2240 			}
2241 		}
2242 
2243 		/* announce the connection to verbose listeners */
2244 		if (host == NULL || host[0] == '\0')
2245 			message("Connecting to %s...", m->m_name);
2246 		else
2247 			message("Connecting to %s via %s...", host, m->m_name);
2248 		if (TrafficLogFile != NULL)
2249 		{
2250 			char **av;
2251 
2252 			(void) sm_io_fprintf(TrafficLogFile, SM_TIME_DEFAULT,
2253 					     "%05d === EXEC", (int) CurrentPid);
2254 			for (av = pv; *av != NULL; av++)
2255 				(void) sm_io_fprintf(TrafficLogFile,
2256 						     SM_TIME_DEFAULT, " %s",
2257 						     *av);
2258 			(void) sm_io_fprintf(TrafficLogFile, SM_TIME_DEFAULT,
2259 					     "\n");
2260 		}
2261 
2262 #if XDEBUG
2263 		checkfd012("before creating mail pipe");
2264 #endif /* XDEBUG */
2265 
2266 		/* create a pipe to shove the mail through */
2267 		if (pipe(mpvect) < 0)
2268 		{
2269 			syserr("%s... openmailer(%s): pipe (to mailer)",
2270 			       shortenstring(e->e_to, MAXSHORTSTR), m->m_name);
2271 			if (tTd(11, 1))
2272 				sm_dprintf("openmailer: NULL\n");
2273 			rcode = EX_OSERR;
2274 			goto give_up;
2275 		}
2276 
2277 #if XDEBUG
2278 		/* make sure we didn't get one of the standard I/O files */
2279 		if (mpvect[0] < 3 || mpvect[1] < 3)
2280 		{
2281 			syserr("%s... openmailer(%s): bogus mpvect %d %d",
2282 			       shortenstring(e->e_to, MAXSHORTSTR), m->m_name,
2283 			       mpvect[0], mpvect[1]);
2284 			printopenfds(true);
2285 			if (tTd(11, 1))
2286 				sm_dprintf("openmailer: NULL\n");
2287 			rcode = EX_OSERR;
2288 			goto give_up;
2289 		}
2290 
2291 		/* make sure system call isn't dead meat */
2292 		checkfdopen(mpvect[0], "mpvect[0]");
2293 		checkfdopen(mpvect[1], "mpvect[1]");
2294 		if (mpvect[0] == mpvect[1] ||
2295 		    (e->e_lockfp != NULL &&
2296 		     (mpvect[0] == sm_io_getinfo(e->e_lockfp, SM_IO_WHAT_FD,
2297 						 NULL) ||
2298 		      mpvect[1] == sm_io_getinfo(e->e_lockfp, SM_IO_WHAT_FD,
2299 						 NULL))))
2300 		{
2301 			if (e->e_lockfp == NULL)
2302 				syserr("%s... openmailer(%s): overlapping mpvect %d %d",
2303 				       shortenstring(e->e_to, MAXSHORTSTR),
2304 				       m->m_name, mpvect[0], mpvect[1]);
2305 			else
2306 				syserr("%s... openmailer(%s): overlapping mpvect %d %d, lockfp = %d",
2307 				       shortenstring(e->e_to, MAXSHORTSTR),
2308 				       m->m_name, mpvect[0], mpvect[1],
2309 				       sm_io_getinfo(e->e_lockfp,
2310 						     SM_IO_WHAT_FD, NULL));
2311 		}
2312 #endif /* XDEBUG */
2313 
2314 		/* create a return pipe */
2315 		if (pipe(rpvect) < 0)
2316 		{
2317 			syserr("%s... openmailer(%s): pipe (from mailer)",
2318 			       shortenstring(e->e_to, MAXSHORTSTR),
2319 			       m->m_name);
2320 			(void) close(mpvect[0]);
2321 			(void) close(mpvect[1]);
2322 			if (tTd(11, 1))
2323 				sm_dprintf("openmailer: NULL\n");
2324 			rcode = EX_OSERR;
2325 			goto give_up;
2326 		}
2327 #if XDEBUG
2328 		checkfdopen(rpvect[0], "rpvect[0]");
2329 		checkfdopen(rpvect[1], "rpvect[1]");
2330 #endif /* XDEBUG */
2331 
2332 		/*
2333 		**  Actually fork the mailer process.
2334 		**	DOFORK is clever about retrying.
2335 		**
2336 		**	Dispose of SIGCHLD signal catchers that may be laying
2337 		**	around so that endmailer will get it.
2338 		*/
2339 
2340 		if (e->e_xfp != NULL)	/* for debugging */
2341 			(void) sm_io_flush(e->e_xfp, SM_TIME_DEFAULT);
2342 		(void) sm_io_flush(smioout, SM_TIME_DEFAULT);
2343 		(void) sm_signal(SIGCHLD, SIG_DFL);
2344 
2345 
2346 		DOFORK(FORK);
2347 		/* pid is set by DOFORK */
2348 
2349 		if (pid < 0)
2350 		{
2351 			/* failure */
2352 			syserr("%s... openmailer(%s): cannot fork",
2353 			       shortenstring(e->e_to, MAXSHORTSTR), m->m_name);
2354 			(void) close(mpvect[0]);
2355 			(void) close(mpvect[1]);
2356 			(void) close(rpvect[0]);
2357 			(void) close(rpvect[1]);
2358 			if (tTd(11, 1))
2359 				sm_dprintf("openmailer: NULL\n");
2360 			rcode = EX_OSERR;
2361 			goto give_up;
2362 		}
2363 		else if (pid == 0)
2364 		{
2365 			int save_errno;
2366 			int sff;
2367 			int new_euid = NO_UID;
2368 			int new_ruid = NO_UID;
2369 			int new_gid = NO_GID;
2370 			char *user = NULL;
2371 			struct stat stb;
2372 			extern int DtableSize;
2373 
2374 			CurrentPid = getpid();
2375 
2376 			/* clear the events to turn off SIGALRMs */
2377 			sm_clear_events();
2378 
2379 			/* Reset global flags */
2380 			RestartRequest = NULL;
2381 			RestartWorkGroup = false;
2382 			ShutdownRequest = NULL;
2383 			PendingSignal = 0;
2384 
2385 			if (e->e_lockfp != NULL)
2386 				(void) close(sm_io_getinfo(e->e_lockfp,
2387 							   SM_IO_WHAT_FD,
2388 							   NULL));
2389 
2390 			/* child -- set up input & exec mailer */
2391 			(void) sm_signal(SIGALRM, sm_signal_noop);
2392 			(void) sm_signal(SIGCHLD, SIG_DFL);
2393 			(void) sm_signal(SIGHUP, SIG_IGN);
2394 			(void) sm_signal(SIGINT, SIG_IGN);
2395 			(void) sm_signal(SIGTERM, SIG_DFL);
2396 # ifdef SIGUSR1
2397 			(void) sm_signal(SIGUSR1, sm_signal_noop);
2398 # endif /* SIGUSR1 */
2399 
2400 			if (m != FileMailer || stat(tochain->q_user, &stb) < 0)
2401 				stb.st_mode = 0;
2402 
2403 # if HASSETUSERCONTEXT
2404 			/*
2405 			**  Set user resources.
2406 			*/
2407 
2408 			if (contextaddr != NULL)
2409 			{
2410 				int sucflags;
2411 				struct passwd *pwd;
2412 
2413 				if (contextaddr->q_ruser != NULL)
2414 					pwd = sm_getpwnam(contextaddr->q_ruser);
2415 				else
2416 					pwd = sm_getpwnam(contextaddr->q_user);
2417 				sucflags = LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;
2418 #ifdef LOGIN_SETMAC
2419 				sucflags |= LOGIN_SETMAC;
2420 #endif /* LOGIN_SETMAC */
2421 				if (pwd != NULL &&
2422 				    setusercontext(NULL, pwd, pwd->pw_uid,
2423 						   sucflags) == -1 &&
2424 				    suidwarn)
2425 				{
2426 					syserr("openmailer: setusercontext() failed");
2427 					exit(EX_TEMPFAIL);
2428 				}
2429 			}
2430 # endif /* HASSETUSERCONTEXT */
2431 
2432 #if HASNICE
2433 			/* tweak niceness */
2434 			if (m->m_nice != 0)
2435 				(void) nice(m->m_nice);
2436 #endif /* HASNICE */
2437 
2438 			/* reset group id */
2439 			if (bitnset(M_SPECIFIC_UID, m->m_flags))
2440 			{
2441 				if (m->m_gid == NO_GID)
2442 					new_gid = RunAsGid;
2443 				else
2444 					new_gid = m->m_gid;
2445 			}
2446 			else if (bitset(S_ISGID, stb.st_mode))
2447 				new_gid = stb.st_gid;
2448 			else if (ctladdr != NULL && ctladdr->q_gid != 0)
2449 			{
2450 				if (!DontInitGroups)
2451 				{
2452 					user = ctladdr->q_ruser;
2453 					if (user == NULL)
2454 						user = ctladdr->q_user;
2455 
2456 					if (initgroups(user,
2457 						       ctladdr->q_gid) == -1
2458 					    && suidwarn)
2459 					{
2460 						syserr("openmailer: initgroups(%s, %d) failed",
2461 							user, ctladdr->q_gid);
2462 						exit(EX_TEMPFAIL);
2463 					}
2464 				}
2465 				else
2466 				{
2467 					GIDSET_T gidset[1];
2468 
2469 					gidset[0] = ctladdr->q_gid;
2470 					if (setgroups(1, gidset) == -1
2471 					    && suidwarn)
2472 					{
2473 						syserr("openmailer: setgroups() failed");
2474 						exit(EX_TEMPFAIL);
2475 					}
2476 				}
2477 				new_gid = ctladdr->q_gid;
2478 			}
2479 			else
2480 			{
2481 				if (!DontInitGroups)
2482 				{
2483 					user = DefUser;
2484 					if (initgroups(DefUser, DefGid) == -1 &&
2485 					    suidwarn)
2486 					{
2487 						syserr("openmailer: initgroups(%s, %d) failed",
2488 						       DefUser, DefGid);
2489 						exit(EX_TEMPFAIL);
2490 					}
2491 				}
2492 				else
2493 				{
2494 					GIDSET_T gidset[1];
2495 
2496 					gidset[0] = DefGid;
2497 					if (setgroups(1, gidset) == -1
2498 					    && suidwarn)
2499 					{
2500 						syserr("openmailer: setgroups() failed");
2501 						exit(EX_TEMPFAIL);
2502 					}
2503 				}
2504 				if (m->m_gid == NO_GID)
2505 					new_gid = DefGid;
2506 				else
2507 					new_gid = m->m_gid;
2508 			}
2509 			if (new_gid != NO_GID)
2510 			{
2511 				if (RunAsUid != 0 &&
2512 				    bitnset(M_SPECIFIC_UID, m->m_flags) &&
2513 				    new_gid != getgid() &&
2514 				    new_gid != getegid())
2515 				{
2516 					/* Only root can change the gid */
2517 					syserr("openmailer: insufficient privileges to change gid, RunAsUid=%d, new_gid=%d, gid=%d, egid=%d",
2518 					       (int) RunAsUid, (int) new_gid,
2519 					       (int) getgid(), (int) getegid());
2520 					exit(EX_TEMPFAIL);
2521 				}
2522 
2523 				if (setgid(new_gid) < 0 && suidwarn)
2524 				{
2525 					syserr("openmailer: setgid(%ld) failed",
2526 					       (long) new_gid);
2527 					exit(EX_TEMPFAIL);
2528 				}
2529 			}
2530 
2531 			/* change root to some "safe" directory */
2532 			if (m->m_rootdir != NULL)
2533 			{
2534 				expand(m->m_rootdir, cbuf, sizeof(cbuf), e);
2535 				if (tTd(11, 20))
2536 					sm_dprintf("openmailer: chroot %s\n",
2537 						   cbuf);
2538 				if (chroot(cbuf) < 0)
2539 				{
2540 					syserr("openmailer: Cannot chroot(%s)",
2541 					       cbuf);
2542 					exit(EX_TEMPFAIL);
2543 				}
2544 				if (chdir("/") < 0)
2545 				{
2546 					syserr("openmailer: cannot chdir(/)");
2547 					exit(EX_TEMPFAIL);
2548 				}
2549 			}
2550 
2551 			/* reset user id */
2552 			endpwent();
2553 			sm_mbdb_terminate();
2554 			if (bitnset(M_SPECIFIC_UID, m->m_flags))
2555 			{
2556 				if (m->m_uid == NO_UID)
2557 					new_euid = RunAsUid;
2558 				else
2559 					new_euid = m->m_uid;
2560 
2561 				/*
2562 				**  Undo the effects of the uid change in main
2563 				**  for signal handling.  The real uid may
2564 				**  be used by mailer in adding a "From "
2565 				**  line.
2566 				*/
2567 
2568 				if (RealUid != 0 && RealUid != getuid())
2569 				{
2570 # if MAILER_SETUID_METHOD == USE_SETEUID
2571 #  if HASSETREUID
2572 					if (setreuid(RealUid, geteuid()) < 0)
2573 					{
2574 						syserr("openmailer: setreuid(%d, %d) failed",
2575 						       (int) RealUid, (int) geteuid());
2576 						exit(EX_OSERR);
2577 					}
2578 #  endif /* HASSETREUID */
2579 # endif /* MAILER_SETUID_METHOD == USE_SETEUID */
2580 # if MAILER_SETUID_METHOD == USE_SETREUID
2581 					new_ruid = RealUid;
2582 # endif /* MAILER_SETUID_METHOD == USE_SETREUID */
2583 				}
2584 			}
2585 			else if (bitset(S_ISUID, stb.st_mode))
2586 				new_ruid = stb.st_uid;
2587 			else if (ctladdr != NULL && ctladdr->q_uid != 0)
2588 				new_ruid = ctladdr->q_uid;
2589 			else if (m->m_uid != NO_UID)
2590 				new_ruid = m->m_uid;
2591 			else
2592 				new_ruid = DefUid;
2593 
2594 # if _FFR_USE_SETLOGIN
2595 			/* run disconnected from terminal and set login name */
2596 			if (setsid() >= 0 &&
2597 			    ctladdr != NULL && ctladdr->q_uid != 0 &&
2598 			    new_euid == ctladdr->q_uid)
2599 			{
2600 				struct passwd *pwd;
2601 
2602 				pwd = sm_getpwuid(ctladdr->q_uid);
2603 				if (pwd != NULL && suidwarn)
2604 					(void) setlogin(pwd->pw_name);
2605 				endpwent();
2606 			}
2607 # endif /* _FFR_USE_SETLOGIN */
2608 
2609 			if (new_euid != NO_UID)
2610 			{
2611 				if (RunAsUid != 0 && new_euid != RunAsUid)
2612 				{
2613 					/* Only root can change the uid */
2614 					syserr("openmailer: insufficient privileges to change uid, new_euid=%d, RunAsUid=%d",
2615 					       (int) new_euid, (int) RunAsUid);
2616 					exit(EX_TEMPFAIL);
2617 				}
2618 
2619 				vendor_set_uid(new_euid);
2620 # if MAILER_SETUID_METHOD == USE_SETEUID
2621 				if (seteuid(new_euid) < 0 && suidwarn)
2622 				{
2623 					syserr("openmailer: seteuid(%ld) failed",
2624 					       (long) new_euid);
2625 					exit(EX_TEMPFAIL);
2626 				}
2627 # endif /* MAILER_SETUID_METHOD == USE_SETEUID */
2628 # if MAILER_SETUID_METHOD == USE_SETREUID
2629 				if (setreuid(new_ruid, new_euid) < 0 && suidwarn)
2630 				{
2631 					syserr("openmailer: setreuid(%ld, %ld) failed",
2632 					       (long) new_ruid, (long) new_euid);
2633 					exit(EX_TEMPFAIL);
2634 				}
2635 # endif /* MAILER_SETUID_METHOD == USE_SETREUID */
2636 # if MAILER_SETUID_METHOD == USE_SETUID
2637 				if (new_euid != geteuid() && setuid(new_euid) < 0 && suidwarn)
2638 				{
2639 					syserr("openmailer: setuid(%ld) failed",
2640 					       (long) new_euid);
2641 					exit(EX_TEMPFAIL);
2642 				}
2643 # endif /* MAILER_SETUID_METHOD == USE_SETUID */
2644 			}
2645 			else if (new_ruid != NO_UID)
2646 			{
2647 				vendor_set_uid(new_ruid);
2648 				if (setuid(new_ruid) < 0 && suidwarn)
2649 				{
2650 					syserr("openmailer: setuid(%ld) failed",
2651 					       (long) new_ruid);
2652 					exit(EX_TEMPFAIL);
2653 				}
2654 			}
2655 
2656 			if (tTd(11, 2))
2657 				sm_dprintf("openmailer: running as r/euid=%d/%d, r/egid=%d/%d\n",
2658 					   (int) getuid(), (int) geteuid(),
2659 					   (int) getgid(), (int) getegid());
2660 
2661 			/* move into some "safe" directory */
2662 			if (m->m_execdir != NULL)
2663 			{
2664 				char *q;
2665 
2666 				for (p = m->m_execdir; p != NULL; p = q)
2667 				{
2668 					q = strchr(p, ':');
2669 					if (q != NULL)
2670 						*q = '\0';
2671 					expand(p, cbuf, sizeof(cbuf), e);
2672 					if (q != NULL)
2673 						*q++ = ':';
2674 					if (tTd(11, 20))
2675 						sm_dprintf("openmailer: trydir %s\n",
2676 							   cbuf);
2677 					if (cbuf[0] != '\0' &&
2678 					    chdir(cbuf) >= 0)
2679 						break;
2680 				}
2681 			}
2682 
2683 			/* Check safety of program to be run */
2684 			sff = SFF_ROOTOK|SFF_EXECOK;
2685 			if (!bitnset(DBS_RUNWRITABLEPROGRAM,
2686 				     DontBlameSendmail))
2687 				sff |= SFF_NOGWFILES|SFF_NOWWFILES;
2688 			if (bitnset(DBS_RUNPROGRAMINUNSAFEDIRPATH,
2689 				    DontBlameSendmail))
2690 				sff |= SFF_NOPATHCHECK;
2691 			else
2692 				sff |= SFF_SAFEDIRPATH;
2693 			ret = safefile(m->m_mailer, getuid(), getgid(),
2694 				       user, sff, 0, NULL);
2695 			if (ret != 0)
2696 				sm_syslog(LOG_INFO, e->e_id,
2697 					  "Warning: program %s unsafe: %s",
2698 					  m->m_mailer, sm_errstring(ret));
2699 
2700 			/* arrange to filter std & diag output of command */
2701 			(void) close(rpvect[0]);
2702 			if (dup2(rpvect[1], STDOUT_FILENO) < 0)
2703 			{
2704 				syserr("%s... openmailer(%s): cannot dup pipe %d for stdout",
2705 				       shortenstring(e->e_to, MAXSHORTSTR),
2706 				       m->m_name, rpvect[1]);
2707 				_exit(EX_OSERR);
2708 			}
2709 			(void) close(rpvect[1]);
2710 
2711 			if (dup2(STDOUT_FILENO, STDERR_FILENO) < 0)
2712 			{
2713 				syserr("%s... openmailer(%s): cannot dup stdout for stderr",
2714 				       shortenstring(e->e_to, MAXSHORTSTR),
2715 				       m->m_name);
2716 				_exit(EX_OSERR);
2717 			}
2718 
2719 			/* arrange to get standard input */
2720 			(void) close(mpvect[1]);
2721 			if (dup2(mpvect[0], STDIN_FILENO) < 0)
2722 			{
2723 				syserr("%s... openmailer(%s): cannot dup pipe %d for stdin",
2724 				       shortenstring(e->e_to, MAXSHORTSTR),
2725 				       m->m_name, mpvect[0]);
2726 				_exit(EX_OSERR);
2727 			}
2728 			(void) close(mpvect[0]);
2729 
2730 			/* arrange for all the files to be closed */
2731 			sm_close_on_exec(STDERR_FILENO + 1, DtableSize);
2732 
2733 # if !_FFR_USE_SETLOGIN
2734 			/* run disconnected from terminal */
2735 			(void) setsid();
2736 # endif /* !_FFR_USE_SETLOGIN */
2737 
2738 			/* try to execute the mailer */
2739 			(void) execve(m->m_mailer, (ARGV_T) pv,
2740 				      (ARGV_T) UserEnviron);
2741 			save_errno = errno;
2742 			syserr("Cannot exec %s", m->m_mailer);
2743 			if (bitnset(M_LOCALMAILER, m->m_flags) ||
2744 			    transienterror(save_errno))
2745 				_exit(EX_OSERR);
2746 			_exit(EX_UNAVAILABLE);
2747 		}
2748 
2749 		/*
2750 		**  Set up return value.
2751 		*/
2752 
2753 		if (mci == NULL)
2754 		{
2755 			if (clever)
2756 			{
2757 				/*
2758 				**  Allocate from general heap, not
2759 				**  envelope rpool, because this mci
2760 				**  is going to be cached.
2761 				*/
2762 
2763 				mci = mci_new(NULL);
2764 			}
2765 			else
2766 			{
2767 				/*
2768 				**  Prevent a storage leak by allocating
2769 				**  this from the envelope rpool.
2770 				*/
2771 
2772 				mci = mci_new(e->e_rpool);
2773 			}
2774 		}
2775 		mci->mci_mailer = m;
2776 		if (clever)
2777 		{
2778 			mci->mci_state = MCIS_OPENING;
2779 			mci_cache(mci);
2780 		}
2781 		else
2782 		{
2783 			mci->mci_state = MCIS_OPEN;
2784 		}
2785 		mci->mci_pid = pid;
2786 		(void) close(mpvect[0]);
2787 		mci->mci_out = sm_io_open(SmFtStdiofd, SM_TIME_DEFAULT,
2788 					  (void *) &(mpvect[1]), SM_IO_WRONLY_B,
2789 					  NULL);
2790 		if (mci->mci_out == NULL)
2791 		{
2792 			syserr("deliver: cannot create mailer output channel, fd=%d",
2793 			       mpvect[1]);
2794 			(void) close(mpvect[1]);
2795 			(void) close(rpvect[0]);
2796 			(void) close(rpvect[1]);
2797 			rcode = EX_OSERR;
2798 			goto give_up;
2799 		}
2800 
2801 		(void) close(rpvect[1]);
2802 		mci->mci_in = sm_io_open(SmFtStdiofd, SM_TIME_DEFAULT,
2803 					 (void *) &(rpvect[0]), SM_IO_RDONLY_B,
2804 					 NULL);
2805 		if (mci->mci_in == NULL)
2806 		{
2807 			syserr("deliver: cannot create mailer input channel, fd=%d",
2808 			       mpvect[1]);
2809 			(void) close(rpvect[0]);
2810 			(void) sm_io_close(mci->mci_out, SM_TIME_DEFAULT);
2811 			mci->mci_out = NULL;
2812 			rcode = EX_OSERR;
2813 			goto give_up;
2814 		}
2815 	}
2816 
2817 	/*
2818 	**  If we are in SMTP opening state, send initial protocol.
2819 	*/
2820 
2821 	if (bitnset(M_7BITS, m->m_flags) &&
2822 	    (!clever || mci->mci_state == MCIS_OPENING))
2823 		mci->mci_flags |= MCIF_7BIT;
2824 	if (clever && mci->mci_state != MCIS_CLOSED)
2825 	{
2826 # if STARTTLS || SASL
2827 		int dotpos;
2828 		char *srvname;
2829 		extern SOCKADDR CurHostAddr;
2830 # endif /* STARTTLS || SASL */
2831 
2832 # if SASL
2833 #  define DONE_AUTH(f)		bitset(MCIF_AUTHACT, f)
2834 # endif /* SASL */
2835 # if STARTTLS
2836 #  define DONE_STARTTLS(f)	bitset(MCIF_TLSACT, f)
2837 # endif /* STARTTLS */
2838 # define ONLY_HELO(f)		bitset(MCIF_ONLY_EHLO, f)
2839 # define SET_HELO(f)		f |= MCIF_ONLY_EHLO
2840 # define CLR_HELO(f)		f &= ~MCIF_ONLY_EHLO
2841 
2842 # if STARTTLS || SASL
2843 		/* don't use CurHostName, it is changed in many places */
2844 		if (mci->mci_host != NULL)
2845 		{
2846 			srvname = mci->mci_host;
2847 			dotpos = strlen(srvname) - 1;
2848 			if (dotpos >= 0)
2849 			{
2850 				if (srvname[dotpos] == '.')
2851 					srvname[dotpos] = '\0';
2852 				else
2853 					dotpos = -1;
2854 			}
2855 		}
2856 		else if (mci->mci_mailer != NULL)
2857 		{
2858 			srvname = mci->mci_mailer->m_name;
2859 			dotpos = -1;
2860 		}
2861 		else
2862 		{
2863 			srvname = "local";
2864 			dotpos = -1;
2865 		}
2866 
2867 		/* don't set {server_name} to NULL or "": see getauth() */
2868 		macdefine(&mci->mci_macro, A_TEMP, macid("{server_name}"),
2869 			  srvname);
2870 
2871 		/* CurHostAddr is set by makeconnection() and mci_get() */
2872 		if (CurHostAddr.sa.sa_family != 0)
2873 		{
2874 			macdefine(&mci->mci_macro, A_TEMP,
2875 				  macid("{server_addr}"),
2876 				  anynet_ntoa(&CurHostAddr));
2877 		}
2878 		else if (mci->mci_mailer != NULL)
2879 		{
2880 			/* mailer name is unique, use it as address */
2881 			macdefine(&mci->mci_macro, A_PERM,
2882 				  macid("{server_addr}"),
2883 				  mci->mci_mailer->m_name);
2884 		}
2885 		else
2886 		{
2887 			/* don't set it to NULL or "": see getauth() */
2888 			macdefine(&mci->mci_macro, A_PERM,
2889 				  macid("{server_addr}"), "0");
2890 		}
2891 
2892 		/* undo change of srvname (mci->mci_host) */
2893 		if (dotpos >= 0)
2894 			srvname[dotpos] = '.';
2895 
2896 reconnect:	/* after switching to an encrypted connection */
2897 # endif /* STARTTLS || SASL */
2898 
2899 		/* set the current connection information */
2900 		e->e_mci = mci;
2901 # if SASL
2902 		mci->mci_saslcap = NULL;
2903 # endif /* SASL */
2904 		smtpinit(m, mci, e, ONLY_HELO(mci->mci_flags));
2905 		CLR_HELO(mci->mci_flags);
2906 
2907 		if (IS_DLVR_RETURN(e))
2908 		{
2909 			/*
2910 			**  Check whether other side can deliver e-mail
2911 			**  fast enough
2912 			*/
2913 
2914 			if (!bitset(MCIF_DLVR_BY, mci->mci_flags))
2915 			{
2916 				e->e_status = "5.4.7";
2917 				usrerrenh(e->e_status,
2918 					  "554 Server does not support Deliver By");
2919 				rcode = EX_UNAVAILABLE;
2920 				goto give_up;
2921 			}
2922 			if (e->e_deliver_by > 0 &&
2923 			    e->e_deliver_by - (curtime() - e->e_ctime) <
2924 			    mci->mci_min_by)
2925 			{
2926 				e->e_status = "5.4.7";
2927 				usrerrenh(e->e_status,
2928 					  "554 Message can't be delivered in time; %ld < %ld",
2929 					  e->e_deliver_by - (curtime() - e->e_ctime),
2930 					  mci->mci_min_by);
2931 				rcode = EX_UNAVAILABLE;
2932 				goto give_up;
2933 			}
2934 		}
2935 
2936 # if STARTTLS
2937 		/* first TLS then AUTH to provide a security layer */
2938 		if (mci->mci_state != MCIS_CLOSED &&
2939 		    !DONE_STARTTLS(mci->mci_flags))
2940 		{
2941 			int olderrors;
2942 			bool usetls;
2943 			bool saveQuickAbort = QuickAbort;
2944 			bool saveSuprErrs = SuprErrs;
2945 			char *host = NULL;
2946 
2947 			rcode = EX_OK;
2948 			usetls = bitset(MCIF_TLS, mci->mci_flags);
2949 			if (usetls)
2950 				usetls = !iscltflgset(e, D_NOTLS);
2951 
2952 			host = macvalue(macid("{server_name}"), e);
2953 			if (usetls)
2954 			{
2955 				olderrors = Errors;
2956 				QuickAbort = false;
2957 				SuprErrs = true;
2958 				if (rscheck("try_tls", host, NULL, e,
2959 					    RSF_RMCOMM, 7, host, NOQID, NULL)
2960 								!= EX_OK
2961 				    || Errors > olderrors)
2962 				{
2963 					usetls = false;
2964 				}
2965 				SuprErrs = saveSuprErrs;
2966 				QuickAbort = saveQuickAbort;
2967 			}
2968 
2969 			if (usetls)
2970 			{
2971 				if ((rcode = starttls(m, mci, e)) == EX_OK)
2972 				{
2973 					/* start again without STARTTLS */
2974 					mci->mci_flags |= MCIF_TLSACT;
2975 				}
2976 				else
2977 				{
2978 					char *s;
2979 
2980 					/*
2981 					**  TLS negotiation failed, what to do?
2982 					**  fall back to unencrypted connection
2983 					**  or abort? How to decide?
2984 					**  set a macro and call a ruleset.
2985 					*/
2986 
2987 					mci->mci_flags &= ~MCIF_TLS;
2988 					switch (rcode)
2989 					{
2990 					  case EX_TEMPFAIL:
2991 						s = "TEMP";
2992 						break;
2993 					  case EX_USAGE:
2994 						s = "USAGE";
2995 						break;
2996 					  case EX_PROTOCOL:
2997 						s = "PROTOCOL";
2998 						break;
2999 					  case EX_SOFTWARE:
3000 						s = "SOFTWARE";
3001 						break;
3002 					  case EX_UNAVAILABLE:
3003 						s = "NONE";
3004 						break;
3005 
3006 					  /* everything else is a failure */
3007 					  default:
3008 						s = "FAILURE";
3009 						rcode = EX_TEMPFAIL;
3010 					}
3011 					macdefine(&e->e_macro, A_PERM,
3012 						  macid("{verify}"), s);
3013 				}
3014 			}
3015 			else
3016 				macdefine(&e->e_macro, A_PERM,
3017 					  macid("{verify}"), "NONE");
3018 			olderrors = Errors;
3019 			QuickAbort = false;
3020 			SuprErrs = true;
3021 
3022 			/*
3023 			**  rcode == EX_SOFTWARE is special:
3024 			**  the TLS negotiation failed
3025 			**  we have to drop the connection no matter what
3026 			**  However, we call tls_server to give it the chance
3027 			**  to log the problem and return an appropriate
3028 			**  error code.
3029 			*/
3030 
3031 			if (rscheck("tls_server",
3032 				    macvalue(macid("{verify}"), e),
3033 				    NULL, e, RSF_RMCOMM|RSF_COUNT, 5,
3034 				    host, NOQID, NULL) != EX_OK ||
3035 			    Errors > olderrors ||
3036 			    rcode == EX_SOFTWARE)
3037 			{
3038 				char enhsc[ENHSCLEN];
3039 				extern char MsgBuf[];
3040 
3041 				if (ISSMTPCODE(MsgBuf) &&
3042 				    extenhsc(MsgBuf + 4, ' ', enhsc) > 0)
3043 				{
3044 					p = sm_rpool_strdup_x(e->e_rpool,
3045 							      MsgBuf);
3046 				}
3047 				else
3048 				{
3049 					p = "403 4.7.0 server not authenticated.";
3050 					(void) sm_strlcpy(enhsc, "4.7.0",
3051 							  sizeof(enhsc));
3052 				}
3053 				SuprErrs = saveSuprErrs;
3054 				QuickAbort = saveQuickAbort;
3055 
3056 				if (rcode == EX_SOFTWARE)
3057 				{
3058 					/* drop the connection */
3059 					mci->mci_state = MCIS_QUITING;
3060 					if (mci->mci_in != NULL)
3061 					{
3062 						(void) sm_io_close(mci->mci_in,
3063 								   SM_TIME_DEFAULT);
3064 						mci->mci_in = NULL;
3065 					}
3066 					mci->mci_flags &= ~MCIF_TLSACT;
3067 					(void) endmailer(mci, e, pv);
3068 				}
3069 				else
3070 				{
3071 					/* abort transfer */
3072 					smtpquit(m, mci, e);
3073 				}
3074 
3075 				/* avoid bogus error msg */
3076 				mci->mci_errno = 0;
3077 
3078 				/* temp or permanent failure? */
3079 				rcode = (*p == '4') ? EX_TEMPFAIL
3080 						    : EX_UNAVAILABLE;
3081 				mci_setstat(mci, rcode, enhsc, p);
3082 
3083 				/*
3084 				**  hack to get the error message into
3085 				**  the envelope (done in giveresponse())
3086 				*/
3087 
3088 				(void) sm_strlcpy(SmtpError, p,
3089 						  sizeof(SmtpError));
3090 			}
3091 			else if (mci->mci_state == MCIS_CLOSED)
3092 			{
3093 				/* connection close caused by 421 */
3094 				mci->mci_errno = 0;
3095 				rcode = EX_TEMPFAIL;
3096 				mci_setstat(mci, rcode, NULL, "421");
3097 			}
3098 			else
3099 				rcode = 0;
3100 
3101 			QuickAbort = saveQuickAbort;
3102 			SuprErrs = saveSuprErrs;
3103 			if (DONE_STARTTLS(mci->mci_flags) &&
3104 			    mci->mci_state != MCIS_CLOSED)
3105 			{
3106 				SET_HELO(mci->mci_flags);
3107 				mci->mci_flags &= ~MCIF_EXTENS;
3108 				goto reconnect;
3109 			}
3110 		}
3111 # endif /* STARTTLS */
3112 # if SASL
3113 		/* if other server supports authentication let's authenticate */
3114 		if (mci->mci_state != MCIS_CLOSED &&
3115 		    mci->mci_saslcap != NULL &&
3116 		    !DONE_AUTH(mci->mci_flags) && !iscltflgset(e, D_NOAUTH))
3117 		{
3118 			/* Should we require some minimum authentication? */
3119 			if ((ret = smtpauth(m, mci, e)) == EX_OK)
3120 			{
3121 				int result;
3122 				sasl_ssf_t *ssf = NULL;
3123 
3124 				/* Get security strength (features) */
3125 				result = sasl_getprop(mci->mci_conn, SASL_SSF,
3126 # if SASL >= 20000
3127 						      (const void **) &ssf);
3128 # else /* SASL >= 20000 */
3129 						      (void **) &ssf);
3130 # endif /* SASL >= 20000 */
3131 
3132 				/* XXX authid? */
3133 				if (LogLevel > 9)
3134 					sm_syslog(LOG_INFO, NOQID,
3135 						  "AUTH=client, relay=%.100s, mech=%.16s, bits=%d",
3136 						  mci->mci_host,
3137 						  macvalue(macid("{auth_type}"), e),
3138 						  result == SASL_OK ? *ssf : 0);
3139 
3140 				/*
3141 				**  Only switch to encrypted connection
3142 				**  if a security layer has been negotiated
3143 				*/
3144 
3145 				if (result == SASL_OK && *ssf > 0)
3146 				{
3147 					int tmo;
3148 
3149 					/*
3150 					**  Convert I/O layer to use SASL.
3151 					**  If the call fails, the connection
3152 					**  is aborted.
3153 					*/
3154 
3155 					tmo = DATA_PROGRESS_TIMEOUT * 1000;
3156 					if (sfdcsasl(&mci->mci_in,
3157 						     &mci->mci_out,
3158 						     mci->mci_conn, tmo) == 0)
3159 					{
3160 						mci->mci_flags &= ~MCIF_EXTENS;
3161 						mci->mci_flags |= MCIF_AUTHACT|
3162 								  MCIF_ONLY_EHLO;
3163 						goto reconnect;
3164 					}
3165 					syserr("AUTH TLS switch failed in client");
3166 				}
3167 				/* else? XXX */
3168 				mci->mci_flags |= MCIF_AUTHACT;
3169 
3170 			}
3171 			else if (ret == EX_TEMPFAIL)
3172 			{
3173 				if (LogLevel > 8)
3174 					sm_syslog(LOG_ERR, NOQID,
3175 						  "AUTH=client, relay=%.100s, temporary failure, connection abort",
3176 						  mci->mci_host);
3177 				smtpquit(m, mci, e);
3178 
3179 				/* avoid bogus error msg */
3180 				mci->mci_errno = 0;
3181 				rcode = EX_TEMPFAIL;
3182 				mci_setstat(mci, rcode, "4.3.0", p);
3183 
3184 				/*
3185 				**  hack to get the error message into
3186 				**  the envelope (done in giveresponse())
3187 				*/
3188 
3189 				(void) sm_strlcpy(SmtpError,
3190 						  "Temporary AUTH failure",
3191 						  sizeof(SmtpError));
3192 			}
3193 		}
3194 # endif /* SASL */
3195 	}
3196 
3197 
3198 do_transfer:
3199 	/* clear out per-message flags from connection structure */
3200 	mci->mci_flags &= ~(MCIF_CVT7TO8|MCIF_CVT8TO7);
3201 
3202 	if (bitset(EF_HAS8BIT, e->e_flags) &&
3203 	    !bitset(EF_DONT_MIME, e->e_flags) &&
3204 	    bitnset(M_7BITS, m->m_flags))
3205 		mci->mci_flags |= MCIF_CVT8TO7;
3206 
3207 #if MIME7TO8
3208 	if (bitnset(M_MAKE8BIT, m->m_flags) &&
3209 	    !bitset(MCIF_7BIT, mci->mci_flags) &&
3210 	    (p = hvalue("Content-Transfer-Encoding", e->e_header)) != NULL &&
3211 	     (sm_strcasecmp(p, "quoted-printable") == 0 ||
3212 	      sm_strcasecmp(p, "base64") == 0) &&
3213 	    (p = hvalue("Content-Type", e->e_header)) != NULL)
3214 	{
3215 		/* may want to convert 7 -> 8 */
3216 		/* XXX should really parse it here -- and use a class XXX */
3217 		if (sm_strncasecmp(p, "text/plain", 10) == 0 &&
3218 		    (p[10] == '\0' || p[10] == ' ' || p[10] == ';'))
3219 			mci->mci_flags |= MCIF_CVT7TO8;
3220 	}
3221 #endif /* MIME7TO8 */
3222 
3223 	if (tTd(11, 1))
3224 	{
3225 		sm_dprintf("openmailer: ");
3226 		mci_dump(sm_debug_file(), mci, false);
3227 	}
3228 
3229 #if _FFR_CLIENT_SIZE
3230 	/*
3231 	**  See if we know the maximum size and
3232 	**  abort if the message is too big.
3233 	**
3234 	**  NOTE: _FFR_CLIENT_SIZE is untested.
3235 	*/
3236 
3237 	if (bitset(MCIF_SIZE, mci->mci_flags) &&
3238 	    mci->mci_maxsize > 0 &&
3239 	    e->e_msgsize > mci->mci_maxsize)
3240 	{
3241 		e->e_flags |= EF_NO_BODY_RETN;
3242 		if (bitnset(M_LOCALMAILER, m->m_flags))
3243 			e->e_status = "5.2.3";
3244 		else
3245 			e->e_status = "5.3.4";
3246 
3247 		usrerrenh(e->e_status,
3248 			  "552 Message is too large; %ld bytes max",
3249 			  mci->mci_maxsize);
3250 		rcode = EX_DATAERR;
3251 
3252 		/* Need an e_message for error */
3253 		(void) sm_snprintf(SmtpError, sizeof(SmtpError),
3254 				   "Message is too large; %ld bytes max",
3255 				   mci->mci_maxsize);
3256 		goto give_up;
3257 	}
3258 #endif /* _FFR_CLIENT_SIZE */
3259 
3260 	if (mci->mci_state != MCIS_OPEN)
3261 	{
3262 		/* couldn't open the mailer */
3263 		rcode = mci->mci_exitstat;
3264 		errno = mci->mci_errno;
3265 		SM_SET_H_ERRNO(mci->mci_herrno);
3266 		if (rcode == EX_OK)
3267 		{
3268 			/* shouldn't happen */
3269 			syserr("554 5.3.5 deliver: mci=%lx rcode=%d errno=%d state=%d sig=%s",
3270 			       (unsigned long) mci, rcode, errno,
3271 			       mci->mci_state, firstsig);
3272 			mci_dump_all(smioout, true);
3273 			rcode = EX_SOFTWARE;
3274 		}
3275 		else if (nummxhosts > hostnum)
3276 		{
3277 			/* try next MX site */
3278 			goto tryhost;
3279 		}
3280 	}
3281 	else if (!clever)
3282 	{
3283 		bool ok;
3284 
3285 		/*
3286 		**  Format and send message.
3287 		*/
3288 
3289 		rcode = EX_OK;
3290 		errno = 0;
3291 		ok = putfromline(mci, e);
3292 		if (ok)
3293 			ok = (*e->e_puthdr)(mci, e->e_header, e, M87F_OUTER);
3294 		if (ok)
3295 			ok = (*e->e_putbody)(mci, e, NULL);
3296 		if (ok && bitset(MCIF_INLONGLINE, mci->mci_flags))
3297 			ok = putline("", mci);
3298 
3299 		/*
3300 		**  Ignore an I/O error that was caused by EPIPE.
3301 		**  Some broken mailers don't read the entire body
3302 		**  but just exit() thus causing an I/O error.
3303 		*/
3304 
3305 		if (!ok && (sm_io_error(mci->mci_out) && errno == EPIPE))
3306 			ok = true;
3307 
3308 		/* (always) get the exit status */
3309 		rcode = endmailer(mci, e, pv);
3310 		if (!ok)
3311 			rcode = EX_TEMPFAIL;
3312 		if (rcode == EX_TEMPFAIL && SmtpError[0] == '\0')
3313 		{
3314 			/*
3315 			**  Need an e_message for mailq display.
3316 			**  We set SmtpError as
3317 			*/
3318 
3319 			(void) sm_snprintf(SmtpError, sizeof(SmtpError),
3320 					   "%s mailer (%s) exited with EX_TEMPFAIL",
3321 					   m->m_name, m->m_mailer);
3322 		}
3323 	}
3324 	else
3325 	{
3326 		/*
3327 		**  Send the MAIL FROM: protocol
3328 		*/
3329 
3330 		/* XXX this isn't pipelined... */
3331 		rcode = smtpmailfrom(m, mci, e);
3332 		if (rcode == EX_OK)
3333 		{
3334 			register int i;
3335 # if PIPELINING
3336 			ADDRESS *volatile pchain;
3337 # endif /* PIPELINING */
3338 
3339 			/* send the recipient list */
3340 			tobuf[0] = '\0';
3341 			mci->mci_retryrcpt = false;
3342 			mci->mci_tolist = tobuf;
3343 # if PIPELINING
3344 			pchain = NULL;
3345 			mci->mci_nextaddr = NULL;
3346 # endif /* PIPELINING */
3347 
3348 			for (to = tochain; to != NULL; to = to->q_tchain)
3349 			{
3350 				if (!QS_IS_UNMARKED(to->q_state))
3351 					continue;
3352 
3353 				/* mark recipient state as "ok so far" */
3354 				to->q_state = QS_OK;
3355 				e->e_to = to->q_paddr;
3356 # if STARTTLS
3357 				i = rscheck("tls_rcpt", to->q_user, NULL, e,
3358 					    RSF_RMCOMM|RSF_COUNT, 3,
3359 					    mci->mci_host, e->e_id, NULL);
3360 				if (i != EX_OK)
3361 				{
3362 					markfailure(e, to, mci, i, false);
3363 					giveresponse(i, to->q_status,  m, mci,
3364 						     ctladdr, xstart, e, to);
3365 					if (i == EX_TEMPFAIL)
3366 					{
3367 						mci->mci_retryrcpt = true;
3368 						to->q_state = QS_RETRY;
3369 					}
3370 					continue;
3371 				}
3372 # endif /* STARTTLS */
3373 
3374 				i = smtprcpt(to, m, mci, e, ctladdr, xstart);
3375 # if PIPELINING
3376 				if (i == EX_OK &&
3377 				    bitset(MCIF_PIPELINED, mci->mci_flags))
3378 				{
3379 					/*
3380 					**  Add new element to list of
3381 					**  recipients for pipelining.
3382 					*/
3383 
3384 					to->q_pchain = NULL;
3385 					if (mci->mci_nextaddr == NULL)
3386 						mci->mci_nextaddr = to;
3387 					if (pchain == NULL)
3388 						pchain = to;
3389 					else
3390 					{
3391 						pchain->q_pchain = to;
3392 						pchain = pchain->q_pchain;
3393 					}
3394 				}
3395 # endif /* PIPELINING */
3396 				if (i != EX_OK)
3397 				{
3398 					markfailure(e, to, mci, i, false);
3399 					giveresponse(i, to->q_status, m, mci,
3400 						     ctladdr, xstart, e, to);
3401 					if (i == EX_TEMPFAIL)
3402 						to->q_state = QS_RETRY;
3403 				}
3404 			}
3405 
3406 			/* No recipients in list and no missing responses? */
3407 			if (tobuf[0] == '\0'
3408 # if PIPELINING
3409 			    && bitset(MCIF_PIPELINED, mci->mci_flags)
3410 			    && mci->mci_nextaddr == NULL
3411 # endif /* PIPELINING */
3412 			   )
3413 			{
3414 				rcode = EX_OK;
3415 				e->e_to = NULL;
3416 				if (bitset(MCIF_CACHED, mci->mci_flags))
3417 					smtprset(m, mci, e);
3418 			}
3419 			else
3420 			{
3421 				e->e_to = tobuf + 1;
3422 				rcode = smtpdata(m, mci, e, ctladdr, xstart);
3423 			}
3424 		}
3425 		if (rcode == EX_TEMPFAIL && nummxhosts > hostnum)
3426 		{
3427 			/* try next MX site */
3428 			goto tryhost;
3429 		}
3430 	}
3431 #if NAMED_BIND
3432 	if (ConfigLevel < 2)
3433 		_res.options |= RES_DEFNAMES | RES_DNSRCH;	/* XXX */
3434 #endif /* NAMED_BIND */
3435 
3436 	if (tTd(62, 1))
3437 		checkfds("after delivery");
3438 
3439 	/*
3440 	**  Do final status disposal.
3441 	**	We check for something in tobuf for the SMTP case.
3442 	**	If we got a temporary failure, arrange to queue the
3443 	**		addressees.
3444 	*/
3445 
3446   give_up:
3447 	if (bitnset(M_LMTP, m->m_flags))
3448 	{
3449 		lmtp_rcode = rcode;
3450 		tobuf[0] = '\0';
3451 		anyok = false;
3452 		strsize = 0;
3453 	}
3454 	else
3455 		anyok = rcode == EX_OK;
3456 
3457 	for (to = tochain; to != NULL; to = to->q_tchain)
3458 	{
3459 		/* see if address already marked */
3460 		if (!QS_IS_OK(to->q_state))
3461 			continue;
3462 
3463 		/* if running LMTP, get the status for each address */
3464 		if (bitnset(M_LMTP, m->m_flags))
3465 		{
3466 			if (lmtp_rcode == EX_OK)
3467 				rcode = smtpgetstat(m, mci, e);
3468 			if (rcode == EX_OK)
3469 			{
3470 				strsize += sm_strlcat2(tobuf + strsize, ",",
3471 						to->q_paddr,
3472 						tobufsize - strsize);
3473 				SM_ASSERT(strsize < tobufsize);
3474 				anyok = true;
3475 			}
3476 			else
3477 			{
3478 				e->e_to = to->q_paddr;
3479 				markfailure(e, to, mci, rcode, true);
3480 				giveresponse(rcode, to->q_status, m, mci,
3481 					     ctladdr, xstart, e, to);
3482 				e->e_to = tobuf + 1;
3483 				continue;
3484 			}
3485 		}
3486 		else
3487 		{
3488 			/* mark bad addresses */
3489 			if (rcode != EX_OK)
3490 			{
3491 				if (goodmxfound && rcode == EX_NOHOST)
3492 					rcode = EX_TEMPFAIL;
3493 				markfailure(e, to, mci, rcode, true);
3494 				continue;
3495 			}
3496 		}
3497 
3498 		/* successful delivery */
3499 		to->q_state = QS_SENT;
3500 		to->q_statdate = curtime();
3501 		e->e_nsent++;
3502 
3503 		/*
3504 		**  Checkpoint the send list every few addresses
3505 		*/
3506 
3507 		if (CheckpointInterval > 0 && e->e_nsent >= CheckpointInterval)
3508 		{
3509 			queueup(e, false, false);
3510 			e->e_nsent = 0;
3511 		}
3512 
3513 		if (bitnset(M_LOCALMAILER, m->m_flags) &&
3514 		    bitset(QPINGONSUCCESS, to->q_flags))
3515 		{
3516 			to->q_flags |= QDELIVERED;
3517 			to->q_status = "2.1.5";
3518 			(void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
3519 					     "%s... Successfully delivered\n",
3520 					     to->q_paddr);
3521 		}
3522 		else if (bitset(QPINGONSUCCESS, to->q_flags) &&
3523 			 bitset(QPRIMARY, to->q_flags) &&
3524 			 !bitset(MCIF_DSN, mci->mci_flags))
3525 		{
3526 			to->q_flags |= QRELAYED;
3527 			(void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
3528 					     "%s... relayed; expect no further notifications\n",
3529 					     to->q_paddr);
3530 		}
3531 		else if (IS_DLVR_NOTIFY(e) &&
3532 			 !bitset(MCIF_DLVR_BY, mci->mci_flags) &&
3533 			 bitset(QPRIMARY, to->q_flags) &&
3534 			 (!bitset(QHASNOTIFY, to->q_flags) ||
3535 			  bitset(QPINGONSUCCESS, to->q_flags) ||
3536 			  bitset(QPINGONFAILURE, to->q_flags) ||
3537 			  bitset(QPINGONDELAY, to->q_flags)))
3538 		{
3539 			/* RFC 2852, 4.1.4.2: no NOTIFY, or not NEVER */
3540 			to->q_flags |= QBYNRELAY;
3541 			(void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
3542 					     "%s... Deliver-by notify: relayed\n",
3543 					     to->q_paddr);
3544 		}
3545 		else if (IS_DLVR_TRACE(e) &&
3546 			 (!bitset(QHASNOTIFY, to->q_flags) ||
3547 			  bitset(QPINGONSUCCESS, to->q_flags) ||
3548 			  bitset(QPINGONFAILURE, to->q_flags) ||
3549 			  bitset(QPINGONDELAY, to->q_flags)) &&
3550 			 bitset(QPRIMARY, to->q_flags))
3551 		{
3552 			/* RFC 2852, 4.1.4: no NOTIFY, or not NEVER */
3553 			to->q_flags |= QBYTRACE;
3554 			(void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
3555 					     "%s... Deliver-By trace: relayed\n",
3556 					     to->q_paddr);
3557 		}
3558 	}
3559 
3560 	if (bitnset(M_LMTP, m->m_flags))
3561 	{
3562 		/*
3563 		**  Global information applies to the last recipient only;
3564 		**  clear it out to avoid bogus errors.
3565 		*/
3566 
3567 		rcode = EX_OK;
3568 		e->e_statmsg = NULL;
3569 
3570 		/* reset the mci state for the next transaction */
3571 		if (mci != NULL &&
3572 		    (mci->mci_state == MCIS_MAIL ||
3573 		     mci->mci_state == MCIS_RCPT ||
3574 		     mci->mci_state == MCIS_DATA))
3575 		{
3576 			mci->mci_state = MCIS_OPEN;
3577 			SmtpPhase = mci->mci_phase = "idle";
3578 			sm_setproctitle(true, e, "%s: %s", CurHostName,
3579 					mci->mci_phase);
3580 		}
3581 	}
3582 
3583 	if (tobuf[0] != '\0')
3584 	{
3585 		giveresponse(rcode, NULL, m, mci, ctladdr, xstart, e, tochain);
3586 #if 0
3587 		/*
3588 		**  This code is disabled for now because I am not
3589 		**  sure that copying status from the first recipient
3590 		**  to all non-status'ed recipients is a good idea.
3591 		*/
3592 
3593 		if (tochain->q_message != NULL &&
3594 		    !bitnset(M_LMTP, m->m_flags) && rcode != EX_OK)
3595 		{
3596 			for (to = tochain->q_tchain; to != NULL;
3597 			     to = to->q_tchain)
3598 			{
3599 				/* see if address already marked */
3600 				if (QS_IS_QUEUEUP(to->q_state) &&
3601 				    to->q_message == NULL)
3602 					to->q_message = sm_rpool_strdup_x(e->e_rpool,
3603 							tochain->q_message);
3604 			}
3605 		}
3606 #endif /* 0 */
3607 	}
3608 	if (anyok)
3609 		markstats(e, tochain, STATS_NORMAL);
3610 	mci_store_persistent(mci);
3611 
3612 	/* Some recipients were tempfailed, try them on the next host */
3613 	if (mci != NULL && mci->mci_retryrcpt && nummxhosts > hostnum)
3614 	{
3615 		/* try next MX site */
3616 		goto tryhost;
3617 	}
3618 
3619 	/* now close the connection */
3620 	if (clever && mci != NULL && mci->mci_state != MCIS_CLOSED &&
3621 	    !bitset(MCIF_CACHED, mci->mci_flags))
3622 		smtpquit(m, mci, e);
3623 
3624 cleanup: ;
3625 	}
3626 	SM_FINALLY
3627 	{
3628 		/*
3629 		**  Restore state and return.
3630 		*/
3631 #if XDEBUG
3632 		char wbuf[MAXLINE];
3633 
3634 		/* make absolutely certain 0, 1, and 2 are in use */
3635 		(void) sm_snprintf(wbuf, sizeof(wbuf),
3636 				   "%s... end of deliver(%s)",
3637 				   e->e_to == NULL ? "NO-TO-LIST"
3638 						   : shortenstring(e->e_to,
3639 								   MAXSHORTSTR),
3640 				  m->m_name);
3641 		checkfd012(wbuf);
3642 #endif /* XDEBUG */
3643 
3644 		errno = 0;
3645 
3646 		/*
3647 		**  It was originally necessary to set macro 'g' to NULL
3648 		**  because it previously pointed to an auto buffer.
3649 		**  We don't do this any more, so this may be unnecessary.
3650 		*/
3651 
3652 		macdefine(&e->e_macro, A_PERM, 'g', (char *) NULL);
3653 		e->e_to = NULL;
3654 	}
3655 	SM_END_TRY
3656 	return rcode;
3657 }
3658 
3659 /*
3660 **  MARKFAILURE -- mark a failure on a specific address.
3661 **
3662 **	Parameters:
3663 **		e -- the envelope we are sending.
3664 **		q -- the address to mark.
3665 **		mci -- mailer connection information.
3666 **		rcode -- the code signifying the particular failure.
3667 **		ovr -- override an existing code?
3668 **
3669 **	Returns:
3670 **		none.
3671 **
3672 **	Side Effects:
3673 **		marks the address (and possibly the envelope) with the
3674 **			failure so that an error will be returned or
3675 **			the message will be queued, as appropriate.
3676 */
3677 
3678 void
markfailure(e,q,mci,rcode,ovr)3679 markfailure(e, q, mci, rcode, ovr)
3680 	register ENVELOPE *e;
3681 	register ADDRESS *q;
3682 	register MCI *mci;
3683 	int rcode;
3684 	bool ovr;
3685 {
3686 	int save_errno = errno;
3687 	char *status = NULL;
3688 	char *rstatus = NULL;
3689 
3690 	switch (rcode)
3691 	{
3692 	  case EX_OK:
3693 		break;
3694 
3695 	  case EX_TEMPFAIL:
3696 	  case EX_IOERR:
3697 	  case EX_OSERR:
3698 		q->q_state = QS_QUEUEUP;
3699 		break;
3700 
3701 	  default:
3702 		q->q_state = QS_BADADDR;
3703 		break;
3704 	}
3705 
3706 	/* find most specific error code possible */
3707 	if (mci != NULL && mci->mci_status != NULL)
3708 	{
3709 		status = sm_rpool_strdup_x(e->e_rpool, mci->mci_status);
3710 		if (mci->mci_rstatus != NULL)
3711 			rstatus = sm_rpool_strdup_x(e->e_rpool,
3712 						    mci->mci_rstatus);
3713 		else
3714 			rstatus = NULL;
3715 	}
3716 	else if (e->e_status != NULL)
3717 	{
3718 		status = e->e_status;
3719 		rstatus = NULL;
3720 	}
3721 	else
3722 	{
3723 		switch (rcode)
3724 		{
3725 		  case EX_USAGE:
3726 			status = "5.5.4";
3727 			break;
3728 
3729 		  case EX_DATAERR:
3730 			status = "5.5.2";
3731 			break;
3732 
3733 		  case EX_NOUSER:
3734 			status = "5.1.1";
3735