/*
 * Copyright (c) 1998-2008 Sendmail, Inc. and its suppliers.
 *      All rights reserved.
 * Copyright (c) 1983, 1995-1997 Eric P. Allman.  All rights reserved.
 * Copyright (c) 1988, 1993
 *      The Regents of the University of California.  All rights reserved.
 *
 * By using this file, you agree to the terms and conditions set
 * forth in the LICENSE file which can be found at the top level of
 * the sendmail distribution.
 *
 */

#include <sendmail.h>
#include <sm/time.h>

SM_RCSID("@(#)$Id: deliver.c,v 8.1020 2009/12/18 17:08:01 ca Exp $")

#if HASSETUSERCONTEXT
# include <login_cap.h>
#endif /* HASSETUSERCONTEXT */

#if NETINET || NETINET6
# include <arpa/inet.h>
#endif /* NETINET || NETINET6 */

#if STARTTLS || SASL
# include "sfsasl.h"
#endif /* STARTTLS || SASL */

static int      deliver __P((ENVELOPE *, ADDRESS *));
static void     dup_queue_file __P((ENVELOPE *, ENVELOPE *, int));
static void     mailfiletimeout __P((int));
static void     endwaittimeout __P((int));
static int      parse_hostsignature __P((char *, char **, MAILER *));
static void     sendenvelope __P((ENVELOPE *, int));
static int      coloncmp __P((const char *, const char *));

#if STARTTLS
static int      starttls __P((MAILER *, MCI *, ENVELOPE *));
static int      endtlsclt __P((MCI *));
#endif /* STARTTLS */
# if STARTTLS || SASL
static bool     iscltflgset __P((ENVELOPE *, int));
# endif /* STARTTLS || SASL */

/*
**  SENDALL -- actually send all the messages.
**
**      Parameters:
**              e -- the envelope to send.
**              mode -- the delivery mode to use.  If SM_DEFAULT, use
**                      the current e->e_sendmode.
**
**      Returns:
**              none.
**
**      Side Effects:
**              Scans the send lists and sends everything it finds.
**              Delivers any appropriate error messages.
**              If we are running in a non-interactive mode, takes the
**                      appropriate action.
*/

void
sendall(e, mode)
        ENVELOPE *e;
        int mode;
{
        register ADDRESS *q;
        char *owner;
        int otherowners;
        int save_errno;
        register ENVELOPE *ee;
        ENVELOPE *splitenv = NULL;
        int oldverbose = Verbose;
        bool somedeliveries = false, expensive = false;
        pid_t pid;

        /*
        **  If this message is to be discarded, don't bother sending
        **  the message at all.
        */

        if (bitset(EF_DISCARD, e->e_flags))
        {
                if (tTd(13, 1))
                        sm_dprintf("sendall: discarding id %s\n", e->e_id);
                e->e_flags |= EF_CLRQUEUE;
                if (LogLevel > 9)
                        logundelrcpts(e, "discarded", 9, true);
                else if (LogLevel > 4)
                        sm_syslog(LOG_INFO, e->e_id, "discarded");
                markstats(e, NULL, STATS_REJECT);
                return;
        }

        /*
        **  If we have had global, fatal errors, don't bother sending
        **  the message at all if we are in SMTP mode.  Local errors
        **  (e.g., a single address failing) will still cause the other
        **  addresses to be sent.
        */

        if (bitset(EF_FATALERRS, e->e_flags) &&
            (OpMode == MD_SMTP || OpMode == MD_DAEMON))
        {
                e->e_flags |= EF_CLRQUEUE;
                return;
        }

        /* determine actual delivery mode */
        if (mode == SM_DEFAULT)
        {
                mode = e->e_sendmode;
                if (mode != SM_VERIFY && mode != SM_DEFER &&
                    shouldqueue(e->e_msgpriority, e->e_ctime))
                        mode = SM_QUEUE;
        }

        if (tTd(13, 1))
        {
                sm_dprintf("\n===== SENDALL: mode %c, id %s, e_from ",
                        mode, e->e_id);
                printaddr(sm_debug_file(), &e->e_from, false);
                sm_dprintf("\te_flags = ");
                printenvflags(e);
                sm_dprintf("sendqueue:\n");
                printaddr(sm_debug_file(), e->e_sendqueue, true);
        }

        /*
        **  Do any preprocessing necessary for the mode we are running.
        **      Check to make sure the hop count is reasonable.
        **      Delete sends to the sender in mailing lists.
        */

        CurEnv = e;
        if (tTd(62, 1))
                checkfds(NULL);

        if (e->e_hopcount > MaxHopCount)
        {
                char *recip;

                if (e->e_sendqueue != NULL &&
                    e->e_sendqueue->q_paddr != NULL)
                        recip = e->e_sendqueue->q_paddr;
                else
                        recip = "(nobody)";

                errno = 0;
                queueup(e, WILL_BE_QUEUED(mode), false);
                e->e_flags |= EF_FATALERRS|EF_PM_NOTIFY|EF_CLRQUEUE;
                ExitStat = EX_UNAVAILABLE;
                syserr("554 5.4.6 Too many hops %d (%d max): from %s via %s, to %s",
                       e->e_hopcount, MaxHopCount, e->e_from.q_paddr,
                       RealHostName == NULL ? "localhost" : RealHostName,
                       recip);
                for (q = e->e_sendqueue; q != NULL; q = q->q_next)
                {
                        if (QS_IS_DEAD(q->q_state))
                                continue;
                        q->q_state = QS_BADADDR;
                        q->q_status = "5.4.6";
                        q->q_rstatus = "554 5.4.6 Too many hops";
                }
                return;
        }

        /*
        **  Do sender deletion.
        **
        **      If the sender should be queued up, skip this.
        **      This can happen if the name server is hosed when you
        **      are trying to send mail.  The result is that the sender
        **      is instantiated in the queue as a recipient.
        */

        if (!bitset(EF_METOO, e->e_flags) &&
            !QS_IS_QUEUEUP(e->e_from.q_state))
        {
                if (tTd(13, 5))
                {
                        sm_dprintf("sendall: QS_SENDER ");
                        printaddr(sm_debug_file(), &e->e_from, false);
                }
                e->e_from.q_state = QS_SENDER;
                (void) recipient(&e->e_from, &e->e_sendqueue, 0, e);
        }

        /*
        **  Handle alias owners.
        **
        **      We scan up the q_alias chain looking for owners.
        **      We discard owners that are the same as the return path.
        */

        for (q = e->e_sendqueue; q != NULL; q = q->q_next)
        {
                register struct address *a;

                for (a = q; a != NULL && a->q_owner == NULL; a = a->q_alias)
                        continue;
                if (a != NULL)
                        q->q_owner = a->q_owner;

                if (q->q_owner != NULL &&
                    !QS_IS_DEAD(q->q_state) &&
                    strcmp(q->q_owner, e->e_from.q_paddr) == 0)
                        q->q_owner = NULL;
        }

        if (tTd(13, 25))
        {
                sm_dprintf("\nAfter first owner pass, sendq =\n");
                printaddr(sm_debug_file(), e->e_sendqueue, true);
        }

        owner = "";
        otherowners = 1;
        while (owner != NULL && otherowners > 0)
        {
                if (tTd(13, 28))
                        sm_dprintf("owner = \"%s\", otherowners = %d\n",
                                   owner, otherowners);
                owner = NULL;
                otherowners = bitset(EF_SENDRECEIPT, e->e_flags) ? 1 : 0;

                for (q = e->e_sendqueue; q != NULL; q = q->q_next)
                {
                        if (tTd(13, 30))
                        {
                                sm_dprintf("Checking ");
                                printaddr(sm_debug_file(), q, false);
                        }
                        if (QS_IS_DEAD(q->q_state))
                        {
                                if (tTd(13, 30))
                                        sm_dprintf("    ... QS_IS_DEAD\n");
                                continue;
                        }
                        if (tTd(13, 29) && !tTd(13, 30))
                        {
                                sm_dprintf("Checking ");
                                printaddr(sm_debug_file(), q, false);
                        }

                        if (q->q_owner != NULL)
                        {
                                if (owner == NULL)
                                {
                                        if (tTd(13, 40))
                                                sm_dprintf("    ... First owner = \"%s\"\n",
                                                           q->q_owner);
                                        owner = q->q_owner;
                                }
                                else if (owner != q->q_owner)
                                {
                                        if (strcmp(owner, q->q_owner) == 0)
                                        {
                                                if (tTd(13, 40))
                                                        sm_dprintf("    ... Same owner = \"%s\"\n",
                                                                   owner);

                                                /* make future comparisons cheap */
                                                q->q_owner = owner;
                                        }
                                        else
                                        {
                                                if (tTd(13, 40))
                                                        sm_dprintf("    ... Another owner \"%s\"\n",
                                                                   q->q_owner);
                                                otherowners++;
                                        }
                                        owner = q->q_owner;
                                }
                                else if (tTd(13, 40))
                                        sm_dprintf("    ... Same owner = \"%s\"\n",
                                                   owner);
                        }
                        else
                        {
                                if (tTd(13, 40))
                                        sm_dprintf("    ... Null owner\n");
                                otherowners++;
                        }

                        if (QS_IS_BADADDR(q->q_state))
                        {
                                if (tTd(13, 30))
                                        sm_dprintf("    ... QS_IS_BADADDR\n");
                                continue;
                        }

                        if (QS_IS_QUEUEUP(q->q_state))
                        {
                                MAILER *m = q->q_mailer;

                                /*
                                **  If we have temporary address failures
                                **  (e.g., dns failure) and a fallback MX is
                                **  set, send directly to the fallback MX host.
                                */

                                if (FallbackMX != NULL &&
                                    !wordinclass(FallbackMX, 'w') &&
                                    mode != SM_VERIFY &&
                                    !bitnset(M_NOMX, m->m_flags) &&
                                    strcmp(m->m_mailer, "[IPC]") == 0 &&
                                    m->m_argv[0] != NULL &&
                                    strcmp(m->m_argv[0], "TCP") == 0)
                                {
                                        int len;
                                        char *p;

                                        if (tTd(13, 30))
                                                sm_dprintf("    ... FallbackMX\n");

                                        len = strlen(FallbackMX) + 1;
                                        p = sm_rpool_malloc_x(e->e_rpool, len);
                                        (void) sm_strlcpy(p, FallbackMX, len);
                                        q->q_state = QS_OK;
                                        q->q_host = p;
                                }
                                else
                                {
                                        if (tTd(13, 30))
                                                sm_dprintf("    ... QS_IS_QUEUEUP\n");
                                        continue;
                                }
                        }

                        /*
                        **  If this mailer is expensive, and if we don't
                        **  want to make connections now, just mark these
                        **  addresses and return.  This is useful if we
                        **  want to batch connections to reduce load.  This
                        **  will cause the messages to be queued up, and a
                        **  daemon will come along to send the messages later.
                        */

                        if (NoConnect && !Verbose &&
                            bitnset(M_EXPENSIVE, q->q_mailer->m_flags))
                        {
                                if (tTd(13, 30))
                                        sm_dprintf("    ... expensive\n");
                                q->q_state = QS_QUEUEUP;
                                expensive = true;
                        }
                        else if (bitnset(M_HOLD, q->q_mailer->m_flags) &&
                                 QueueLimitId == NULL &&
                                 QueueLimitSender == NULL &&
                                 QueueLimitRecipient == NULL)
                        {
                                if (tTd(13, 30))
                                        sm_dprintf("    ... hold\n");
                                q->q_state = QS_QUEUEUP;
                                expensive = true;
                        }
                        else if (QueueMode != QM_QUARANTINE &&
                                 e->e_quarmsg != NULL)
                        {
                                if (tTd(13, 30))
                                        sm_dprintf("    ... quarantine: %s\n",
                                                   e->e_quarmsg);
                                q->q_state = QS_QUEUEUP;
                                expensive = true;
                        }
                        else
                        {
                                if (tTd(13, 30))
                                        sm_dprintf("    ... deliverable\n");
                                somedeliveries = true;
                        }
                }

                if (owner != NULL && otherowners > 0)
                {
                        /*
                        **  Split this envelope into two.
                        */

                        ee = (ENVELOPE *) sm_rpool_malloc_x(e->e_rpool,
                                                            sizeof(*ee));
                        STRUCTCOPY(*e, *ee);
                        ee->e_message = NULL;
                        ee->e_id = NULL;
                        assign_queueid(ee);

                        if (tTd(13, 1))
                                sm_dprintf("sendall: split %s into %s, owner = \"%s\", otherowners = %d\n",
                                           e->e_id, ee->e_id, owner,
                                           otherowners);

                        ee->e_header = copyheader(e->e_header, ee->e_rpool);
                        ee->e_sendqueue = copyqueue(e->e_sendqueue,
                                                    ee->e_rpool);
                        ee->e_errorqueue = copyqueue(e->e_errorqueue,
                                                     ee->e_rpool);
                        ee->e_flags = e->e_flags & ~(EF_INQUEUE|EF_CLRQUEUE|EF_FATALERRS|EF_SENDRECEIPT|EF_RET_PARAM);
                        ee->e_flags |= EF_NORECEIPT;
                        setsender(owner, ee, NULL, '\0', true);
                        if (tTd(13, 5))
                        {
                                sm_dprintf("sendall(split): QS_SENDER ");
                                printaddr(sm_debug_file(), &ee->e_from, false);
                        }
                        ee->e_from.q_state = QS_SENDER;
                        ee->e_dfp = NULL;
                        ee->e_lockfp = NULL;
                        ee->e_xfp = NULL;
                        ee->e_qgrp = e->e_qgrp;
                        ee->e_qdir = e->e_qdir;
                        ee->e_errormode = EM_MAIL;
                        ee->e_sibling = splitenv;
                        ee->e_statmsg = NULL;
                        if (e->e_quarmsg != NULL)
                                ee->e_quarmsg = sm_rpool_strdup_x(ee->e_rpool,
                                                                  e->e_quarmsg);
                        splitenv = ee;

                        for (q = e->e_sendqueue; q != NULL; q = q->q_next)
                        {
                                if (q->q_owner == owner)
                                {
                                        q->q_state = QS_CLONED;
                                        if (tTd(13, 6))
                                                sm_dprintf("\t... stripping %s from original envelope\n",
                                                           q->q_paddr);
                                }
                        }
                        for (q = ee->e_sendqueue; q != NULL; q = q->q_next)
                        {
                                if (q->q_owner != owner)
                                {
                                        q->q_state = QS_CLONED;
                                        if (tTd(13, 6))
                                                sm_dprintf("\t... dropping %s from cloned envelope\n",
                                                           q->q_paddr);
                                }
                                else
                                {
                                        /* clear DSN parameters */
                                        q->q_flags &= ~(QHASNOTIFY|Q_PINGFLAGS);
                                        q->q_flags |= DefaultNotify & ~QPINGONSUCCESS;
                                        if (tTd(13, 6))
                                                sm_dprintf("\t... moving %s to cloned envelope\n",
                                                           q->q_paddr);
                                }
                        }

                        if (mode != SM_VERIFY && bitset(EF_HAS_DF, e->e_flags))
                                dup_queue_file(e, ee, DATAFL_LETTER);

                        /*
                        **  Give the split envelope access to the parent
                        **  transcript file for errors obtained while
                        **  processing the recipients (done before the
                        **  envelope splitting).
                        */

                        if (e->e_xfp != NULL)
                                ee->e_xfp = sm_io_dup(e->e_xfp);

                        /* failed to dup e->e_xfp, start a new transcript */
                        if (ee->e_xfp == NULL)
                                openxscript(ee);

                        if (mode != SM_VERIFY && LogLevel > 4)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "%s: clone: owner=%s",
                                          ee->e_id, owner);
                }
        }

        if (owner != NULL)
        {
                setsender(owner, e, NULL, '\0', true);
                if (tTd(13, 5))
                {
                        sm_dprintf("sendall(owner): QS_SENDER ");
                        printaddr(sm_debug_file(), &e->e_from, false);
                }
                e->e_from.q_state = QS_SENDER;
                e->e_errormode = EM_MAIL;
                e->e_flags |= EF_NORECEIPT;
                e->e_flags &= ~EF_FATALERRS;
        }

        /* if nothing to be delivered, just queue up everything */
        if (!somedeliveries && !WILL_BE_QUEUED(mode) &&
            mode != SM_VERIFY)
        {
                time_t now;

                if (tTd(13, 29))
                        sm_dprintf("No deliveries: auto-queueing\n");
                mode = SM_QUEUE;
                now = curtime();

                /* treat this as a delivery in terms of counting tries */
                e->e_dtime = now;
                if (!expensive)
                        e->e_ntries++;
                for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
                {
                        ee->e_dtime = now;
                        if (!expensive)
                                ee->e_ntries++;
                }
        }

        if ((WILL_BE_QUEUED(mode) || mode == SM_FORK ||
             (mode != SM_VERIFY &&
              (SuperSafe == SAFE_REALLY ||
               SuperSafe == SAFE_REALLY_POSTMILTER))) &&
            (!bitset(EF_INQUEUE, e->e_flags) || splitenv != NULL))
        {
                bool msync;

                /*
                **  Be sure everything is instantiated in the queue.
                **  Split envelopes first in case the machine crashes.
                **  If the original were done first, we may lose
                **  recipients.
                */

#if !HASFLOCK
                msync = false;
#else /* !HASFLOCK */
                msync = mode == SM_FORK;
#endif /* !HASFLOCK */

                for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
                        queueup(ee, WILL_BE_QUEUED(mode), msync);
                queueup(e, WILL_BE_QUEUED(mode), msync);
        }

        if (tTd(62, 10))
                checkfds("after envelope splitting");

        /*
        **  If we belong in background, fork now.
        */

        if (tTd(13, 20))
        {
                sm_dprintf("sendall: final mode = %c\n", mode);
                if (tTd(13, 21))
                {
                        sm_dprintf("\n================ Final Send Queue(s) =====================\n");
                        sm_dprintf("\n  *** Envelope %s, e_from=%s ***\n",
                                   e->e_id, e->e_from.q_paddr);
                        printaddr(sm_debug_file(), e->e_sendqueue, true);
                        for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
                        {
                                sm_dprintf("\n  *** Envelope %s, e_from=%s ***\n",
                                           ee->e_id, ee->e_from.q_paddr);
                                printaddr(sm_debug_file(), ee->e_sendqueue, true);
                        }
                        sm_dprintf("==========================================================\n\n");
                }
        }
        switch (mode)
        {
          case SM_VERIFY:
                Verbose = 2;
                break;

          case SM_QUEUE:
          case SM_DEFER:
#if HASFLOCK
  queueonly:
#endif /* HASFLOCK */
                if (e->e_nrcpts > 0)
                        e->e_flags |= EF_INQUEUE;
                (void) dropenvelope(e, splitenv != NULL, true);
                for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
                {
                        if (ee->e_nrcpts > 0)
                                ee->e_flags |= EF_INQUEUE;
                        (void) dropenvelope(ee, false, true);
                }
                return;

          case SM_FORK:
                if (e->e_xfp != NULL)
                        (void) sm_io_flush(e->e_xfp, SM_TIME_DEFAULT);

#if !HASFLOCK
                /*
                **  Since fcntl locking has the interesting semantic that
                **  the lock is owned by a process, not by an open file
                **  descriptor, we have to flush this to the queue, and
                **  then restart from scratch in the child.
                */

                {
                        /* save id for future use */
                        char *qid = e->e_id;

                        /* now drop the envelope in the parent */
                        e->e_flags |= EF_INQUEUE;
                        (void) dropenvelope(e, splitenv != NULL, false);

                        /* arrange to reacquire lock after fork */
                        e->e_id = qid;
                }

                for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
                {
                        /* save id for future use */
                        char *qid = ee->e_id;

                        /* drop envelope in parent */
                        ee->e_flags |= EF_INQUEUE;
                        (void) dropenvelope(ee, false, false);

                        /* and save qid for reacquisition */
                        ee->e_id = qid;
                }

#endif /* !HASFLOCK */

                /*
                **  Since the delivery may happen in a child and the parent
                **  does not wait, the parent may close the maps thereby
                **  removing any shared memory used by the map.  Therefore,
                **  close the maps now so the child will dynamically open
                **  them if necessary.
                */

                closemaps(false);

                pid = fork();
                if (pid < 0)
                {
                        syserr("deliver: fork 1");
#if HASFLOCK
                        goto queueonly;
#else /* HASFLOCK */
                        e->e_id = NULL;
                        for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
                                ee->e_id = NULL;
                        return;
#endif /* HASFLOCK */
                }
                else if (pid > 0)
                {
#if HASFLOCK
                        /* be sure we leave the temp files to our child */
                        /* close any random open files in the envelope */
                        closexscript(e);
                        if (e->e_dfp != NULL)
                                (void) sm_io_close(e->e_dfp, SM_TIME_DEFAULT);
                        e->e_dfp = NULL;
                        e->e_flags &= ~EF_HAS_DF;

                        /* can't call unlockqueue to avoid unlink of xfp */
                        if (e->e_lockfp != NULL)
                                (void) sm_io_close(e->e_lockfp, SM_TIME_DEFAULT);
                        else
                                syserr("%s: sendall: null lockfp", e->e_id);
                        e->e_lockfp = NULL;
#endif /* HASFLOCK */

                        /* make sure the parent doesn't own the envelope */
                        e->e_id = NULL;

#if USE_DOUBLE_FORK
                        /* catch intermediate zombie */
                        (void) waitfor(pid);
#endif /* USE_DOUBLE_FORK */
                        return;
                }

                /* Reset global flags */
                RestartRequest = NULL;
                RestartWorkGroup = false;
                ShutdownRequest = NULL;
                PendingSignal = 0;

                /*
                **  Initialize exception stack and default exception
                **  handler for child process.
                */

                sm_exc_newthread(fatal_error);

                /*
                **  Since we have accepted responsbility for the message,
                **  change the SIGTERM handler.  intsig() (the old handler)
                **  would remove the envelope if this was a command line
                **  message submission.
                */

                (void) sm_signal(SIGTERM, SIG_DFL);

#if USE_DOUBLE_FORK
                /* double fork to avoid zombies */
                pid = fork();
                if (pid > 0)
                        exit(EX_OK);
                save_errno = errno;
#endif /* USE_DOUBLE_FORK */

                CurrentPid = getpid();

                /* be sure we are immune from the terminal */
                disconnect(2, e);
                clearstats();

                /* prevent parent from waiting if there was an error */
                if (pid < 0)
                {
                        errno = save_errno;
                        syserr("deliver: fork 2");
#if HASFLOCK
                        e->e_flags |= EF_INQUEUE;
#else /* HASFLOCK */
                        e->e_id = NULL;
#endif /* HASFLOCK */
                        finis(true, true, ExitStat);
                }

                /* be sure to give error messages in child */
                QuickAbort = false;

                /*
                **  Close any cached connections.
                **
                **      We don't send the QUIT protocol because the parent
                **      still knows about the connection.
                **
                **      This should only happen when delivering an error
                **      message.
                */

                mci_flush(false, NULL);

#if HASFLOCK
                break;
#else /* HASFLOCK */

                /*
                **  Now reacquire and run the various queue files.
                */

                for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
                {
                        ENVELOPE *sibling = ee->e_sibling;

                        (void) dowork(ee->e_qgrp, ee->e_qdir, ee->e_id,
                                      false, false, ee);
                        ee->e_sibling = sibling;
                }
                (void) dowork(e->e_qgrp, e->e_qdir, e->e_id,
                              false, false, e);
                finis(true, true, ExitStat);
#endif /* HASFLOCK */
        }

        sendenvelope(e, mode);
        (void) dropenvelope(e, true, true);
        for (ee = splitenv; ee != NULL; ee = ee->e_sibling)
        {
                CurEnv = ee;
                if (mode != SM_VERIFY)
                        openxscript(ee);
                sendenvelope(ee, mode);
                (void) dropenvelope(ee, true, true);
        }
        CurEnv = e;

        Verbose = oldverbose;
        if (mode == SM_FORK)
                finis(true, true, ExitStat);
}

static void
sendenvelope(e, mode)
        register ENVELOPE *e;
        int mode;
{
        register ADDRESS *q;
        bool didany;

        if (tTd(13, 10))
                sm_dprintf("sendenvelope(%s) e_flags=0x%lx\n",
                           e->e_id == NULL ? "[NOQUEUE]" : e->e_id,
                           e->e_flags);
        if (LogLevel > 80)
                sm_syslog(LOG_DEBUG, e->e_id,
                          "sendenvelope, flags=0x%lx",
                          e->e_flags);

        /*
        **  If we have had global, fatal errors, don't bother sending
        **  the message at all if we are in SMTP mode.  Local errors
        **  (e.g., a single address failing) will still cause the other
        **  addresses to be sent.
        */

        if (bitset(EF_FATALERRS, e->e_flags) &&
            (OpMode == MD_SMTP || OpMode == MD_DAEMON))
        {
                e->e_flags |= EF_CLRQUEUE;
                return;
        }

        /*
        **  Don't attempt deliveries if we want to bounce now
        **  or if deliver-by time is exceeded.
        */

        if (!bitset(EF_RESPONSE, e->e_flags) &&
            (TimeOuts.to_q_return[e->e_timeoutclass] == NOW ||
             (IS_DLVR_RETURN(e) && e->e_deliver_by > 0 &&
              curtime() > e->e_ctime + e->e_deliver_by)))
                return;

        /*
        **  Run through the list and send everything.
        **
        **      Set EF_GLOBALERRS so that error messages during delivery
        **      result in returned mail.
        */

        e->e_nsent = 0;
        e->e_flags |= EF_GLOBALERRS;

        macdefine(&e->e_macro, A_PERM, macid("{envid}"), e->e_envid);
        macdefine(&e->e_macro, A_PERM, macid("{bodytype}"), e->e_bodytype);
        didany = false;

        if (!bitset(EF_SPLIT, e->e_flags))
        {
                ENVELOPE *oldsib;
                ENVELOPE *ee;

                /*
                **  Save old sibling and set it to NULL to avoid
                **  queueing up the same envelopes again.
                **  This requires that envelopes in that list have
                **  been take care of before (or at some other place).
                */

                oldsib = e->e_sibling;
                e->e_sibling = NULL;
                if (!split_by_recipient(e) &&
                    bitset(EF_FATALERRS, e->e_flags))
                {
                        if (OpMode == MD_SMTP || OpMode == MD_DAEMON)
                                e->e_flags |= EF_CLRQUEUE;
                        return;
                }
                for (ee = e->e_sibling; ee != NULL; ee = ee->e_sibling)
                        queueup(ee, false, true);

                /* clean up */
                for (ee = e->e_sibling; ee != NULL; ee = ee->e_sibling)
                {
                        /* now unlock the job */
                        closexscript(ee);
                        unlockqueue(ee);

                        /* this envelope is marked unused */
                        if (ee->e_dfp != NULL)
                        {
                                (void) sm_io_close(ee->e_dfp, SM_TIME_DEFAULT);
                                ee->e_dfp = NULL;
                        }
                        ee->e_id = NULL;
                        ee->e_flags &= ~EF_HAS_DF;
                }
                e->e_sibling = oldsib;
        }

        /* now run through the queue */
        for (q = e->e_sendqueue; q != NULL; q = q->q_next)
        {
#if XDEBUG
                char wbuf[MAXNAME + 20];

                (void) sm_snprintf(wbuf, sizeof(wbuf), "sendall(%.*s)",
                                   MAXNAME, q->q_paddr);
                checkfd012(wbuf);
#endif /* XDEBUG */
                if (mode == SM_VERIFY)
                {
                        e->e_to = q->q_paddr;
                        if (QS_IS_SENDABLE(q->q_state))
                        {
                                if (q->q_host != NULL && q->q_host[0] != '\0')
                                        message("deliverable: mailer %s, host %s, user %s",
                                                q->q_mailer->m_name,
                                                q->q_host,
                                                q->q_user);
                                else
                                        message("deliverable: mailer %s, user %s",
                                                q->q_mailer->m_name,
                                                q->q_user);
                        }
                }
                else if (QS_IS_OK(q->q_state))
                {
                        /*
                        **  Checkpoint the send list every few addresses
                        */

                        if (CheckpointInterval > 0 &&
                            e->e_nsent >= CheckpointInterval)
                        {
                                queueup(e, false, false);
                                e->e_nsent = 0;
                        }
                        (void) deliver(e, q);
                        didany = true;
                }
        }
        if (didany)
        {
                e->e_dtime = curtime();
                e->e_ntries++;
        }

#if XDEBUG
        checkfd012("end of sendenvelope");
#endif /* XDEBUG */
}

#if REQUIRES_DIR_FSYNC
/*
**  SYNC_DIR -- fsync a directory based on a filename
**
**      Parameters:
**              filename -- path of file
**              panic -- panic?
**
**      Returns:
**              none
*/

void
sync_dir(filename, panic)
        char *filename;
        bool panic;
{
        int dirfd;
        char *dirp;
        char dir[MAXPATHLEN];

        if (!RequiresDirfsync)
                return;

        /* filesystems which require the directory be synced */
        dirp = strrchr(filename, '/');
        if (dirp != NULL)
        {
                if (sm_strlcpy(dir, filename, sizeof(dir)) >= sizeof(dir))
                        return;
                dir[dirp - filename] = '\0';
                dirp = dir;
        }
        else
                dirp = ".";
        dirfd = open(dirp, O_RDONLY, 0700);
        if (tTd(40,32))
                sm_syslog(LOG_INFO, NOQID, "sync_dir: %s: fsync(%d)",
                          dirp, dirfd);
        if (dirfd >= 0)
        {
                if (fsync(dirfd) < 0)
                {
                        if (panic)
                                syserr("!sync_dir: cannot fsync directory %s",
                                       dirp);
                        else if (LogLevel > 1)
                                sm_syslog(LOG_ERR, NOQID,
                                          "sync_dir: cannot fsync directory %s: %s",
                                          dirp, sm_errstring(errno));
                }
                (void) close(dirfd);
        }
}
#endif /* REQUIRES_DIR_FSYNC */
/*
**  DUP_QUEUE_FILE -- duplicate a queue file into a split queue
**
**      Parameters:
**              e -- the existing envelope
**              ee -- the new envelope
**              type -- the queue file type (e.g., DATAFL_LETTER)
**
**      Returns:
**              none
*/

static void
dup_queue_file(e, ee, type)
        ENVELOPE *e, *ee;
        int type;
{
        char f1buf[MAXPATHLEN], f2buf[MAXPATHLEN];

        ee->e_dfp = NULL;
        ee->e_xfp = NULL;

        /*
        **  Make sure both are in the same directory.
        */

        (void) sm_strlcpy(f1buf, queuename(e, type), sizeof(f1buf));
        (void) sm_strlcpy(f2buf, queuename(ee, type), sizeof(f2buf));

        /* Force the df to disk if it's not there yet */
        if (type == DATAFL_LETTER && e->e_dfp != NULL &&
            sm_io_setinfo(e->e_dfp, SM_BF_COMMIT, NULL) < 0 &&
            errno != EINVAL)
        {
                syserr("!dup_queue_file: can't commit %s", f1buf);
                /* NOTREACHED */
        }

        if (link(f1buf, f2buf) < 0)
        {
                int save_errno = errno;

                syserr("sendall: link(%s, %s)", f1buf, f2buf);
                if (save_errno == EEXIST)
                {
                        if (unlink(f2buf) < 0)
                        {
                                syserr("!sendall: unlink(%s): permanent",
                                       f2buf);
                                /* NOTREACHED */
                        }
                        if (link(f1buf, f2buf) < 0)
                        {
                                syserr("!sendall: link(%s, %s): permanent",
                                       f1buf, f2buf);
                                /* NOTREACHED */
                        }
                }
        }
        SYNC_DIR(f2buf, true);
}
/*
**  DOFORK -- do a fork, retrying a couple of times on failure.
**
**      This MUST be a macro, since after a vfork we are running
**      two processes on the same stack!!!
**
**      Parameters:
**              none.
**
**      Returns:
**              From a macro???  You've got to be kidding!
**
**      Side Effects:
**              Modifies the ==> LOCAL <== variable 'pid', leaving:
**                      pid of child in parent, zero in child.
**                      -1 on unrecoverable error.
**
**      Notes:
**              I'm awfully sorry this looks so awful.  That's
**              vfork for you.....
*/

#define NFORKTRIES      5

#ifndef FORK
# define FORK   fork
#endif /* ! FORK */

#define DOFORK(fORKfN) \
{\
        register int i;\
\
        for (i = NFORKTRIES; --i >= 0; )\
        {\
                pid = fORKfN();\
                if (pid >= 0)\
                        break;\
                if (i > 0)\
                        (void) sleep((unsigned) NFORKTRIES - i);\
        }\
}
/*
**  DOFORK -- simple fork interface to DOFORK.
**
**      Parameters:
**              none.
**
**      Returns:
**              pid of child in parent.
**              zero in child.
**              -1 on error.
**
**      Side Effects:
**              returns twice, once in parent and once in child.
*/

pid_t
dofork()
{
        register pid_t pid = -1;

        DOFORK(fork);
        return pid;
}

/*
**  COLONCMP -- compare host-signatures up to first ':' or EOS
**
**      This takes two strings which happen to be host-signatures and
**      compares them. If the lowest preference portions of the MX-RR's
**      match (up to ':' or EOS, whichever is first), then we have
**      match. This is used for coattail-piggybacking messages during
**      message delivery.
**      If the signatures are the same up to the first ':' the remainder of
**      the signatures are then compared with a normal strcmp(). This saves
**      re-examining the first part of the signatures.
**
**      Parameters:
**              a - first host-signature
**              b - second host-signature
**
**      Returns:
**              HS_MATCH_NO -- no "match".
**              HS_MATCH_FIRST -- "match" for the first MX preference
**                      (up to the first colon (':')).
**              HS_MATCH_FULL -- match for the entire MX record.
**
**      Side Effects:
**              none.
*/

#define HS_MATCH_NO     0
#define HS_MATCH_FIRST  1
#define HS_MATCH_FULL   2

static int
coloncmp(a, b)
        register const char *a;
        register const char *b;
{
        int ret = HS_MATCH_NO;
        int braclev = 0;

        while (*a == *b++)
        {
                /* Need to account for IPv6 bracketed addresses */
                if (*a == '[')
                        braclev++;
                else if (*a == ']' && braclev > 0)
                        braclev--;
                else if (*a == ':' && braclev <= 0)
                {
                        ret = HS_MATCH_FIRST;
                        a++;
                        break;
                }
                else if (*a == '\0')
                        return HS_MATCH_FULL; /* a full match */
                a++;
        }
        if (ret == HS_MATCH_NO &&
            braclev <= 0 &&
            ((*a == '\0' && *(b - 1) == ':') ||
             (*a == ':' && *(b - 1) == '\0')))
                return HS_MATCH_FIRST;
        if (ret == HS_MATCH_FIRST && strcmp(a, b) == 0)
                return HS_MATCH_FULL;

        return ret;
}

/*
**  SHOULD_TRY_FBSH -- Should try FallbackSmartHost?
**
**      Parameters:
**              e -- envelope
**              tried_fallbacksmarthost -- has been tried already? (in/out)
**              hostbuf -- buffer for hostname (expand FallbackSmartHost) (out)
**              hbsz -- size of hostbuf
**              status -- current delivery status
**
**      Returns:
**              true iff FallbackSmartHost should be tried.
*/

static bool should_try_fbsh __P((ENVELOPE *, bool *, char *, size_t, int));

static bool
should_try_fbsh(e, tried_fallbacksmarthost, hostbuf, hbsz, status)
        ENVELOPE *e;
        bool *tried_fallbacksmarthost;
        char *hostbuf;
        size_t hbsz;
        int status;
{
        /*
        **  If the host was not found or a temporary failure occurred
        **  and a FallbackSmartHost is defined (and we have not yet
        **  tried it), then make one last try with it as the host.
        */

        if ((status == EX_NOHOST || status == EX_TEMPFAIL) &&
            FallbackSmartHost != NULL && !*tried_fallbacksmarthost)
        {
                *tried_fallbacksmarthost = true;
                expand(FallbackSmartHost, hostbuf, hbsz, e);
                if (!wordinclass(hostbuf, 'w'))
                {
                        if (tTd(11, 1))
                                sm_dprintf("one last try with FallbackSmartHost %s\n",
                                           hostbuf);
                        return true;
                }
        }
        return false;
}
/*
**  DELIVER -- Deliver a message to a list of addresses.
**
**      This routine delivers to everyone on the same host as the
**      user on the head of the list.  It is clever about mailers
**      that don't handle multiple users.  It is NOT guaranteed
**      that it will deliver to all these addresses however -- so
**      deliver should be called once for each address on the
**      list.
**      Deliver tries to be as opportunistic as possible about piggybacking
**      messages. Some definitions to make understanding easier follow below.
**      Piggybacking occurs when an existing connection to a mail host can
**      be used to send the same message to more than one recipient at the
**      same time. So "no piggybacking" means one message for one recipient
**      per connection. "Intentional piggybacking" happens when the
**      recipients' host address (not the mail host address) is used to
**      attempt piggybacking. Recipients with the same host address
**      have the same mail host. "Coincidental piggybacking" relies on
**      piggybacking based on all the mail host addresses in the MX-RR. This
**      is "coincidental" in the fact it could not be predicted until the
**      MX Resource Records for the hosts were obtained and examined. For
**      example (preference order and equivalence is important, not values):
**              domain1 IN MX 10 mxhost-A
**                      IN MX 20 mxhost-B
**              domain2 IN MX  4 mxhost-A
**                      IN MX  8 mxhost-B
**      Domain1 and domain2 can piggyback the same message to mxhost-A or
**      mxhost-B (if mxhost-A cannot be reached).
**      "Coattail piggybacking" relaxes the strictness of "coincidental
**      piggybacking" in the hope that most significant (lowest value)
**      MX preference host(s) can create more piggybacking. For example
**      (again, preference order and equivalence is important, not values):
**              domain3 IN MX 100 mxhost-C
**                      IN MX 100 mxhost-D
**                      IN MX 200 mxhost-E
**              domain4 IN MX  50 mxhost-C
**                      IN MX  50 mxhost-D
**                      IN MX  80 mxhost-F
**      A message for domain3 and domain4 can piggyback to mxhost-C if mxhost-C
**      is available. Same with mxhost-D because in both RR's the preference
**      value is the same as mxhost-C, respectively.
**      So deliver attempts coattail piggybacking when possible. If the
**      first MX preference level hosts cannot be used then the piggybacking
**      reverts to coincidental piggybacking. Using the above example you
**      cannot deliver to mxhost-F for domain3 regardless of preference value.
**      ("Coattail" from "riding on the coattails of your predecessor" meaning
**      gaining benefit from a predecessor effort with no or little addition
**      effort. The predecessor here being the preceding MX RR).
**
**      Parameters:
**              e -- the envelope to deliver.
**              firstto -- head of the address list to deliver to.
**
**      Returns:
**              zero -- successfully delivered.
**              else -- some failure, see ExitStat for more info.
**
**      Side Effects:
**              The standard input is passed off to someone.
*/

static int
deliver(e, firstto)
        register ENVELOPE *e;
        ADDRESS *firstto;
{
        char *host;                     /* host being sent to */
        char *user;                     /* user being sent to */
        char **pvp;
        register char **mvp;
        register char *p;
        register MAILER *m;             /* mailer for this recipient */
        ADDRESS *volatile ctladdr;
#if HASSETUSERCONTEXT
        ADDRESS *volatile contextaddr = NULL;
#endif /* HASSETUSERCONTEXT */
        register MCI *volatile mci;
        register ADDRESS *SM_NONVOLATILE to = firstto;
        volatile bool clever = false;   /* running user smtp to this mailer */
        ADDRESS *volatile tochain = NULL; /* users chain in this mailer call */
        int rcode;                      /* response code */
        SM_NONVOLATILE int lmtp_rcode = EX_OK;
        SM_NONVOLATILE int nummxhosts = 0; /* number of MX hosts available */
        SM_NONVOLATILE int hostnum = 0; /* current MX host index */
        char *firstsig;                 /* signature of firstto */
        volatile pid_t pid = -1;
        char *volatile curhost;
        SM_NONVOLATILE unsigned short port = 0;
        SM_NONVOLATILE time_t enough = 0;
#if NETUNIX
        char *SM_NONVOLATILE mux_path = NULL;   /* path to UNIX domain socket */
#endif /* NETUNIX */
        time_t xstart;
        bool suidwarn;
        bool anyok;                     /* at least one address was OK */
        SM_NONVOLATILE bool goodmxfound = false; /* at least one MX was OK */
        bool ovr;
        bool quarantine;
        int strsize;
        int rcptcount;
        int ret;
        static int tobufsize = 0;
        static char *tobuf = NULL;
        char *rpath;    /* translated return path */
        int mpvect[2];
        int rpvect[2];
        char *mxhosts[MAXMXHOSTS + 1];
        char *pv[MAXPV + 1];
        char buf[MAXNAME + 1];
        char cbuf[MAXPATHLEN];

        errno = 0;
        SM_REQUIRE(firstto != NULL);    /* same as to */
        if (!QS_IS_OK(to->q_state))
                return 0;

        suidwarn = geteuid() == 0;

        SM_REQUIRE(e != NULL);
        m = to->q_mailer;
        host = to->q_host;
        CurEnv = e;                     /* just in case */
        e->e_statmsg = NULL;
        SmtpError[0] = '\0';
        xstart = curtime();

        if (tTd(10, 1))
                sm_dprintf("\n--deliver, id=%s, mailer=%s, host=`%s', first user=`%s'\n",
                        e->e_id, m->m_name, host, to->q_user);
        if (tTd(10, 100))
                printopenfds(false);

        /*
        **  Clear {client_*} macros if this is a bounce message to
        **  prevent rejection by check_compat ruleset.
        */

        if (bitset(EF_RESPONSE, e->e_flags))
        {
                macdefine(&e->e_macro, A_PERM, macid("{client_name}"), "");
                macdefine(&e->e_macro, A_PERM, macid("{client_ptr}"), "");
                macdefine(&e->e_macro, A_PERM, macid("{client_addr}"), "");
                macdefine(&e->e_macro, A_PERM, macid("{client_port}"), "");
                macdefine(&e->e_macro, A_PERM, macid("{client_resolve}"), "");
        }

        SM_TRY
        {
        ADDRESS *skip_back = NULL;

        /*
        **  Do initial argv setup.
        **      Insert the mailer name.  Notice that $x expansion is
        **      NOT done on the mailer name.  Then, if the mailer has
        **      a picky -f flag, we insert it as appropriate.  This
        **      code does not check for 'pv' overflow; this places a
        **      manifest lower limit of 4 for MAXPV.
        **              The from address rewrite is expected to make
        **              the address relative to the other end.
        */

        /* rewrite from address, using rewriting rules */
        rcode = EX_OK;
        SM_ASSERT(e->e_from.q_mailer != NULL);
        if (bitnset(M_UDBENVELOPE, e->e_from.q_mailer->m_flags))
                p = e->e_sender;
        else
                p = e->e_from.q_paddr;
        rpath = remotename(p, m, RF_SENDERADDR|RF_CANONICAL, &rcode, e);
        if (strlen(rpath) > MAXNAME)
        {
                rpath = shortenstring(rpath, MAXSHORTSTR);

                /* avoid bogus errno */
                errno = 0;
                syserr("remotename: huge return path %s", rpath);
        }
        rpath = sm_rpool_strdup_x(e->e_rpool, rpath);
        macdefine(&e->e_macro, A_PERM, 'g', rpath);
        macdefine(&e->e_macro, A_PERM, 'h', host);
        Errors = 0;
        pvp = pv;
        *pvp++ = m->m_argv[0];

        /* ignore long term host status information if mailer flag W is set */
        if (bitnset(M_NOHOSTSTAT, m->m_flags))
                IgnoreHostStatus = true;

        /* insert -f or -r flag as appropriate */
        if (FromFlag &&
            (bitnset(M_FOPT, m->m_flags) ||
             bitnset(M_ROPT, m->m_flags)))
        {
                if (bitnset(M_FOPT, m->m_flags))
                        *pvp++ = "-f";
                else
                        *pvp++ = "-r";
                *pvp++ = rpath;
        }

        /*
        **  Append the other fixed parts of the argv.  These run
        **  up to the first entry containing "$u".  There can only
        **  be one of these, and there are only a few more slots
        **  in the pv after it.
        */

        for (mvp = m->m_argv; (p = *++mvp) != NULL; )
        {
                /* can't use strchr here because of sign extension problems */
                while (*p != '\0')
                {
                        if ((*p++ & 0377) == MACROEXPAND)
                        {
                                if (*p == 'u')
                                        break;
                        }
                }

                if (*p != '\0')
                        break;

                /* this entry is safe -- go ahead and process it */
                expand(*mvp, buf, sizeof(buf), e);
                *pvp++ = sm_rpool_strdup_x(e->e_rpool, buf);
                if (pvp >= &pv[MAXPV - 3])
                {
                        syserr("554 5.3.5 Too many parameters to %s before $u",
                               pv[0]);
                        rcode = -1;
                        goto cleanup;
                }
        }

        /*
        **  If we have no substitution for the user name in the argument
        **  list, we know that we must supply the names otherwise -- and
        **  SMTP is the answer!!
        */

        if (*mvp == NULL)
        {
                /* running LMTP or SMTP */
                clever = true;
                *pvp = NULL;
        }
        else if (bitnset(M_LMTP, m->m_flags))
        {
                /* not running LMTP */
                sm_syslog(LOG_ERR, NULL,
                          "Warning: mailer %s: LMTP flag (F=z) turned off",
                          m->m_name);
                clrbitn(M_LMTP, m->m_flags);
        }

        /*
        **  At this point *mvp points to the argument with $u.  We
        **  run through our address list and append all the addresses
        **  we can.  If we run out of space, do not fret!  We can
        **  always send another copy later.
        */

        e->e_to = NULL;
        strsize = 2;
        rcptcount = 0;
        ctladdr = NULL;
        if (firstto->q_signature == NULL)
                firstto->q_signature = hostsignature(firstto->q_mailer,
                                                     firstto->q_host);
        firstsig = firstto->q_signature;

        for (; to != NULL; to = to->q_next)
        {
                /* avoid sending multiple recipients to dumb mailers */
                if (tochain != NULL && !bitnset(M_MUSER, m->m_flags))
                        break;

                /* if already sent or not for this host, don't send */
                if (!QS_IS_OK(to->q_state)) /* already sent; look at next */
                        continue;

                /*
                **  Must be same mailer to keep grouping rcpts.
                **  If mailers don't match: continue; sendqueue is not
                **  sorted by mailers, so don't break;
                */

                if (to->q_mailer != firstto->q_mailer)
                        continue;

                if (to->q_signature == NULL) /* for safety */
                        to->q_signature = hostsignature(to->q_mailer,
                                                        to->q_host);

                /*
                **  This is for coincidental and tailcoat piggybacking messages
                **  to the same mail host. While the signatures are identical
                **  (that's the MX-RR's are identical) we can do coincidental
                **  piggybacking. We try hard for coattail piggybacking
                **  with the same mail host when the next recipient has the
                **  same host at lowest preference. It may be that this
                **  won't work out, so 'skip_back' is maintained if a backup
                **  to coincidental piggybacking or full signature must happen.
                */

                ret = firstto == to ? HS_MATCH_FULL :
                                      coloncmp(to->q_signature, firstsig);
                if (ret == HS_MATCH_FULL)
                        skip_back = to;
                else if (ret == HS_MATCH_NO)
                        break;

                if (!clever)
                {
                        /* avoid overflowing tobuf */
                        strsize += strlen(to->q_paddr) + 1;
                        if (strsize > TOBUFSIZE)
                                break;
                }

                if (++rcptcount > to->q_mailer->m_maxrcpt)
                        break;

                if (tTd(10, 1))
                {
                        sm_dprintf("\nsend to ");
                        printaddr(sm_debug_file(), to, false);
                }

                /* compute effective uid/gid when sending */
                if (bitnset(M_RUNASRCPT, to->q_mailer->m_flags))
# if HASSETUSERCONTEXT
                        contextaddr = ctladdr = getctladdr(to);
# else /* HASSETUSERCONTEXT */
                        ctladdr = getctladdr(to);
# endif /* HASSETUSERCONTEXT */

                if (tTd(10, 2))
                {
                        sm_dprintf("ctladdr=");
                        printaddr(sm_debug_file(), ctladdr, false);
                }

                user = to->q_user;
                e->e_to = to->q_paddr;

                /*
                **  Check to see that these people are allowed to
                **  talk to each other.
                **  Check also for overflow of e_msgsize.
                */

                if (m->m_maxsize != 0 &&
                    (e->e_msgsize > m->m_maxsize || e->e_msgsize < 0))
                {
                        e->e_flags |= EF_NO_BODY_RETN;
                        if (bitnset(M_LOCALMAILER, to->q_mailer->m_flags))
                                to->q_status = "5.2.3";
                        else
                                to->q_status = "5.3.4";

                        /* set to->q_rstatus = NULL; or to the following? */
                        usrerrenh(to->q_status,
                                  "552 Message is too large; %ld bytes max",
                                  m->m_maxsize);
                        markfailure(e, to, NULL, EX_UNAVAILABLE, false);
                        giveresponse(EX_UNAVAILABLE, to->q_status, m,
                                     NULL, ctladdr, xstart, e, to);
                        continue;
                }
                SM_SET_H_ERRNO(0);
                ovr = true;

                /* do config file checking of compatibility */
                quarantine = (e->e_quarmsg != NULL);
                rcode = rscheck("check_compat", e->e_from.q_paddr, to->q_paddr,
                                e, RSF_RMCOMM|RSF_COUNT, 3, NULL,
                                e->e_id, NULL);
                if (rcode == EX_OK)
                {
                        /* do in-code checking if not discarding */
                        if (!bitset(EF_DISCARD, e->e_flags))
                        {
                                rcode = checkcompat(to, e);
                                ovr = false;
                        }
                }
                if (rcode != EX_OK)
                {
                        markfailure(e, to, NULL, rcode, ovr);
                        giveresponse(rcode, to->q_status, m,
                                     NULL, ctladdr, xstart, e, to);
                        continue;
                }
                if (!quarantine && e->e_quarmsg != NULL)
                {
                        /*
                        **  check_compat or checkcompat() has tried
                        **  to quarantine but that isn't supported.
                        **  Revert the attempt.
                        */

                        e->e_quarmsg = NULL;
                        macdefine(&e->e_macro, A_PERM,
                                  macid("{quarantine}"), "");
                }
                if (bitset(EF_DISCARD, e->e_flags))
                {
                        if (tTd(10, 5))
                        {
                                sm_dprintf("deliver: discarding recipient ");
                                printaddr(sm_debug_file(), to, false);
                        }

                        /* pretend the message was sent */
                        /* XXX should we log something here? */
                        to->q_state = QS_DISCARDED;

                        /*
                        **  Remove discard bit to prevent discard of
                        **  future recipients.  This is safe because the
                        **  true "global discard" has been handled before
                        **  we get here.
                        */

                        e->e_flags &= ~EF_DISCARD;
                        continue;
                }

                /*
                **  Strip quote bits from names if the mailer is dumb
                **      about them.
                */

                if (bitnset(M_STRIPQ, m->m_flags))
                {
                        stripquotes(user);
                        stripquotes(host);
                }

                /*
                **  Strip all leading backslashes if requested and the
                **  next character is alphanumerical (the latter can
                **  probably relaxed a bit, see RFC2821).
                */

                if (bitnset(M_STRIPBACKSL, m->m_flags) && user[0] == '\\')
                        stripbackslash(user);

                /* hack attack -- delivermail compatibility */
                if (m == ProgMailer && *user == '|')
                        user++;

                /*
                **  If an error message has already been given, don't
                **      bother to send to this address.
                **
                **      >>>>>>>>>> This clause assumes that the local mailer
                **      >> NOTE >> cannot do any further aliasing; that
                **      >>>>>>>>>> function is subsumed by sendmail.
                */

                if (!QS_IS_OK(to->q_state))
                        continue;

                /*
                **  See if this user name is "special".
                **      If the user name has a slash in it, assume that this
                **      is a file -- send it off without further ado.  Note
                **      that this type of addresses is not processed along
                **      with the others, so we fudge on the To person.
                */

                if (strcmp(m->m_mailer, "[FILE]") == 0)
                {
                        macdefine(&e->e_macro, A_PERM, 'u', user);
                        p = to->q_home;
                        if (p == NULL && ctladdr != NULL)
                                p = ctladdr->q_home;
                        macdefine(&e->e_macro, A_PERM, 'z', p);
                        expand(m->m_argv[1], buf, sizeof(buf), e);
                        if (strlen(buf) > 0)
                                rcode = mailfile(buf, m, ctladdr, SFF_CREAT, e);
                        else
                        {
                                syserr("empty filename specification for mailer %s",
                                       m->m_name);
                                rcode = EX_CONFIG;
                        }
                        giveresponse(rcode, to->q_status, m, NULL,
                                     ctladdr, xstart, e, to);
                        markfailure(e, to, NULL, rcode, true);
                        e->e_nsent++;
                        if (rcode == EX_OK)
                        {
                                to->q_state = QS_SENT;
                                if (bitnset(M_LOCALMAILER, m->m_flags) &&
                                    bitset(QPINGONSUCCESS, to->q_flags))
                                {
                                        to->q_flags |= QDELIVERED;
                                        to->q_status = "2.1.5";
                                        (void) sm_io_fprintf(e->e_xfp,
                                                             SM_TIME_DEFAULT,
                                                             "%s... Successfully delivered\n",
                                                             to->q_paddr);
                                }
                        }
                        to->q_statdate = curtime();
                        markstats(e, to, STATS_NORMAL);
                        continue;
                }

                /*
                **  Address is verified -- add this user to mailer
                **  argv, and add it to the print list of recipients.
                */

                /* link together the chain of recipients */
                to->q_tchain = tochain;
                tochain = to;
                e->e_to = "[CHAIN]";

                macdefine(&e->e_macro, A_PERM, 'u', user);  /* to user */
                p = to->q_home;
                if (p == NULL && ctladdr != NULL)
                        p = ctladdr->q_home;
                macdefine(&e->e_macro, A_PERM, 'z', p);  /* user's home */

                /* set the ${dsn_notify} macro if applicable */
                if (bitset(QHASNOTIFY, to->q_flags))
                {
                        char notify[MAXLINE];

                        notify[0] = '\0';
                        if (bitset(QPINGONSUCCESS, to->q_flags))
                                (void) sm_strlcat(notify, "SUCCESS,",
                                                  sizeof(notify));
                        if (bitset(QPINGONFAILURE, to->q_flags))
                                (void) sm_strlcat(notify, "FAILURE,",
                                                  sizeof(notify));
                        if (bitset(QPINGONDELAY, to->q_flags))
                                (void) sm_strlcat(notify, "DELAY,",
                                                  sizeof(notify));

                        /* Set to NEVER or drop trailing comma */
                        if (notify[0] == '\0')
                                (void) sm_strlcat(notify, "NEVER",
                                                  sizeof(notify));
                        else
                                notify[strlen(notify) - 1] = '\0';

                        macdefine(&e->e_macro, A_TEMP,
                                macid("{dsn_notify}"), notify);
                }
                else
                        macdefine(&e->e_macro, A_PERM,
                                macid("{dsn_notify}"), NULL);

                /*
                **  Expand out this user into argument list.
                */

                if (!clever)
                {
                        expand(*mvp, buf, sizeof(buf), e);
                        *pvp++ = sm_rpool_strdup_x(e->e_rpool, buf);
                        if (pvp >= &pv[MAXPV - 2])
                        {
                                /* allow some space for trailing parms */
                                break;
                        }
                }
        }

        /* see if any addresses still exist */
        if (tochain == NULL)
        {
                rcode = 0;
                goto cleanup;
        }

        /* print out messages as full list */
        strsize = 1;
        for (to = tochain; to != NULL; to = to->q_tchain)
                strsize += strlen(to->q_paddr) + 1;
        if (strsize < TOBUFSIZE)
                strsize = TOBUFSIZE;
        if (strsize > tobufsize)
        {
                SM_FREE_CLR(tobuf);
                tobuf = sm_pmalloc_x(strsize);
                tobufsize = strsize;
        }
        p = tobuf;
        *p = '\0';
        for (to = tochain; to != NULL; to = to->q_tchain)
        {
                (void) sm_strlcpyn(p, tobufsize - (p - tobuf), 2,
                                   ",", to->q_paddr);
                p += strlen(p);
        }
        e->e_to = tobuf + 1;

        /*
        **  Fill out any parameters after the $u parameter.
        */

        if (!clever)
        {
                while (*++mvp != NULL)
                {
                        expand(*mvp, buf, sizeof(buf), e);
                        *pvp++ = sm_rpool_strdup_x(e->e_rpool, buf);
                        if (pvp >= &pv[MAXPV])
                                syserr("554 5.3.0 deliver: pv overflow after $u for %s",
                                       pv[0]);
                }
        }
        *pvp++ = NULL;

        /*
        **  Call the mailer.
        **      The argument vector gets built, pipes
        **      are created as necessary, and we fork & exec as
        **      appropriate.
        **      If we are running SMTP, we just need to clean up.
        */

        /* XXX this seems a bit wierd */
        if (ctladdr == NULL && m != ProgMailer && m != FileMailer &&
            bitset(QGOODUID, e->e_from.q_flags))
                ctladdr = &e->e_from;

#if NAMED_BIND
        if (ConfigLevel < 2)
                _res.options &= ~(RES_DEFNAMES | RES_DNSRCH);   /* XXX */
#endif /* NAMED_BIND */

        if (tTd(11, 1))
        {
                sm_dprintf("openmailer:");
                printav(sm_debug_file(), pv);
        }
        errno = 0;
        SM_SET_H_ERRNO(0);
        CurHostName = NULL;

        /*
        **  Deal with the special case of mail handled through an IPC
        **  connection.
        **      In this case we don't actually fork.  We must be
        **      running SMTP for this to work.  We will return a
        **      zero pid to indicate that we are running IPC.
        **  We also handle a debug version that just talks to stdin/out.
        */

        curhost = NULL;
        SmtpPhase = NULL;
        mci = NULL;

#if XDEBUG
        {
                char wbuf[MAXLINE];

                /* make absolutely certain 0, 1, and 2 are in use */
                (void) sm_snprintf(wbuf, sizeof(wbuf), "%s... openmailer(%s)",
                                   shortenstring(e->e_to, MAXSHORTSTR),
                                   m->m_name);
                checkfd012(wbuf);
        }
#endif /* XDEBUG */

        /* check for 8-bit available */
        if (bitset(EF_HAS8BIT, e->e_flags) &&
            bitnset(M_7BITS, m->m_flags) &&
            (bitset(EF_DONT_MIME, e->e_flags) ||
             !(bitset(MM_MIME8BIT, MimeMode) ||
               (bitset(EF_IS_MIME, e->e_flags) &&
                bitset(MM_CVTMIME, MimeMode)))))
        {
                e->e_status = "5.6.3";
                usrerrenh(e->e_status,
                          "554 Cannot send 8-bit data to 7-bit destination");
                rcode = EX_DATAERR;
                goto give_up;
        }

        if (tTd(62, 8))
                checkfds("before delivery");

        /* check for Local Person Communication -- not for mortals!!! */
        if (strcmp(m->m_mailer, "[LPC]") == 0)
        {
                if (clever)
                {
                        /* flush any expired connections */
                        (void) mci_scan(NULL);

                        /* try to get a cached connection or just a slot */
                        mci = mci_get(m->m_name, m);
                        if (mci->mci_host == NULL)
                                mci->mci_host = m->m_name;
                        CurHostName = mci->mci_host;
                        if (mci->mci_state != MCIS_CLOSED)
                        {
                                message("Using cached SMTP/LPC connection for %s...",
                                        m->m_name);
                                mci->mci_deliveries++;
                                goto do_transfer;
                        }
                }
                else
                {
                        mci = mci_new(e->e_rpool);
                }
                mci->mci_in = smioin;
                mci->mci_out = smioout;
                mci->mci_mailer = m;
                mci->mci_host = m->m_name;
                if (clever)
                {
                        mci->mci_state = MCIS_OPENING;
                        mci_cache(mci);
                }
                else
                        mci->mci_state = MCIS_OPEN;
        }
        else if (strcmp(m->m_mailer, "[IPC]") == 0)
        {
                register int i;

                if (pv[0] == NULL || pv[1] == NULL || pv[1][0] == '\0')
                {
                        syserr("null destination for %s mailer", m->m_mailer);
                        rcode = EX_CONFIG;
                        goto give_up;
                }

# if NETUNIX
                if (strcmp(pv[0], "FILE") == 0)
                {
                        curhost = CurHostName = "localhost";
                        mux_path = pv[1];
                }
                else
# endif /* NETUNIX */
                {
                        CurHostName = pv[1];
                        curhost = hostsignature(m, pv[1]);
                }

                if (curhost == NULL || curhost[0] == '\0')
                {
                        syserr("null host signature for %s", pv[1]);
                        rcode = EX_CONFIG;
                        goto give_up;
                }

                if (!clever)
                {
                        syserr("554 5.3.5 non-clever IPC");
                        rcode = EX_CONFIG;
                        goto give_up;
                }
                if (pv[2] != NULL
# if NETUNIX
                    && mux_path == NULL
# endif /* NETUNIX */
                    )
                {
                        port = htons((unsigned short) atoi(pv[2]));
                        if (port == 0)
                        {
# ifdef NO_GETSERVBYNAME
                                syserr("Invalid port number: %s", pv[2]);
# else /* NO_GETSERVBYNAME */
                                struct servent *sp = getservbyname(pv[2], "tcp");

                                if (sp == NULL)
                                        syserr("Service %s unknown", pv[2]);
                                else
                                        port = sp->s_port;
# endif /* NO_GETSERVBYNAME */
                        }
                }

                nummxhosts = parse_hostsignature(curhost, mxhosts, m);
                if (TimeOuts.to_aconnect > 0)
                        enough = curtime() + TimeOuts.to_aconnect;
tryhost:
                while (hostnum < nummxhosts)
                {
                        char sep = ':';
                        char *endp;
                        static char hostbuf[MAXNAME + 1];
                        bool tried_fallbacksmarthost = false;

# if NETINET6
                        if (*mxhosts[hostnum] == '[')
                        {
                                endp = strchr(mxhosts[hostnum] + 1, ']');
                                if (endp != NULL)
                                        endp = strpbrk(endp + 1, ":,");
                        }
                        else
                                endp = strpbrk(mxhosts[hostnum], ":,");
# else /* NETINET6 */
                        endp = strpbrk(mxhosts[hostnum], ":,");
# endif /* NETINET6 */
                        if (endp != NULL)
                        {
                                sep = *endp;
                                *endp = '\0';
                        }

                        if (hostnum == 1 && skip_back != NULL)
                        {
                                /*
                                **  Coattail piggybacking is no longer an
                                **  option with the mail host next to be tried
                                **  no longer the lowest MX preference
                                **  (hostnum == 1 meaning we're on the second
                                **  preference). We do not try to coattail
                                **  piggyback more than the first MX preference.
                                **  Revert 'tochain' to last location for
                                **  coincidental piggybacking. This works this
                                **  easily because the q_tchain kept getting
                                **  added to the top of the linked list.
                                */

                                tochain = skip_back;
                        }

                        if (*mxhosts[hostnum] == '\0')
                        {
                                syserr("deliver: null host name in signature");
                                hostnum++;
                                if (endp != NULL)
                                        *endp = sep;
                                continue;
                        }
                        (void) sm_strlcpy(hostbuf, mxhosts[hostnum],
                                          sizeof(hostbuf));
                        hostnum++;
                        if (endp != NULL)
                                *endp = sep;

  one_last_try:
                        /* see if we already know that this host is fried */
                        CurHostName = hostbuf;
                        mci = mci_get(hostbuf, m);
                        if (mci->mci_state != MCIS_CLOSED)
                        {
                                char *type;

                                if (tTd(11, 1))
                                {
                                        sm_dprintf("openmailer: ");
                                        mci_dump(sm_debug_file(), mci, false);
                                }
                                CurHostName = mci->mci_host;
                                if (bitnset(M_LMTP, m->m_flags))
                                        type = "L";
                                else if (bitset(MCIF_ESMTP, mci->mci_flags))
                                        type = "ES";
                                else
                                        type = "S";
                                message("Using cached %sMTP connection to %s via %s...",
                                        type, hostbuf, m->m_name);
                                mci->mci_deliveries++;
                                break;
                        }
                        mci->mci_mailer = m;
                        if (mci->mci_exitstat != EX_OK)
                        {
                                if (mci->mci_exitstat == EX_TEMPFAIL)
                                        goodmxfound = true;

                                /* Try FallbackSmartHost? */
                                if (should_try_fbsh(e, &tried_fallbacksmarthost,
                                                    hostbuf, sizeof(hostbuf),
                                                    mci->mci_exitstat))
                                        goto one_last_try;

                                continue;
                        }

                        if (mci_lock_host(mci) != EX_OK)
                        {
                                mci_setstat(mci, EX_TEMPFAIL, "4.4.5", NULL);
                                goodmxfound = true;
                                continue;
                        }

                        /* try the connection */
                        sm_setproctitle(true, e, "%s %s: %s",
                                        qid_printname(e),
                                        hostbuf, "user open");
# if NETUNIX
                        if (mux_path != NULL)
                        {
                                message("Connecting to %s via %s...",
                                        mux_path, m->m_name);
                                i = makeconnection_ds((char *) mux_path, mci);
                        }
                        else
# endif /* NETUNIX */
                        {
                                if (port == 0)
                                        message("Connecting to %s via %s...",
                                                hostbuf, m->m_name);
                                else
                                        message("Connecting to %s port %d via %s...",
                                                hostbuf, ntohs(port),
                                                m->m_name);
                                i = makeconnection(hostbuf, port, mci, e,
                                                   enough);
                        }
                        mci->mci_errno = errno;
                        mci->mci_lastuse = curtime();
                        mci->mci_deliveries = 0;
                        mci->mci_exitstat = i;
# if NAMED_BIND
                        mci->mci_herrno = h_errno;
# endif /* NAMED_BIND */

                        /*
                        **  Have we tried long enough to get a connection?
                        **      If yes, skip to the fallback MX hosts
                        **      (if existent).
                        */

                        if (enough > 0 && mci->mci_lastuse >= enough)
                        {
                                int h;
# if NAMED_BIND
                                extern int NumFallbackMXHosts;
# else /* NAMED_BIND */
                                const int NumFallbackMXHosts = 0;
# endif /* NAMED_BIND */

                                if (hostnum < nummxhosts && LogLevel > 9)
                                        sm_syslog(LOG_INFO, e->e_id,
                                                  "Timeout.to_aconnect occurred before exhausting all addresses");

                                /* turn off timeout if fallback available */
                                if (NumFallbackMXHosts > 0)
                                        enough = 0;

                                /* skip to a fallback MX host */
                                h = nummxhosts - NumFallbackMXHosts;
                                if (hostnum < h)
                                        hostnum = h;
                        }
                        if (i == EX_OK)
                        {
                                goodmxfound = true;
                                markstats(e, firstto, STATS_CONNECT);
                                mci->mci_state = MCIS_OPENING;
                                mci_cache(mci);
                                if (TrafficLogFile != NULL)
                                        (void) sm_io_fprintf(TrafficLogFile,
                                                             SM_TIME_DEFAULT,
                                                             "%05d === CONNECT %s\n",
                                                             (int) CurrentPid,
                                                             hostbuf);
                                break;
                        }
                        else
                        {
                                /* Try FallbackSmartHost? */
                                if (should_try_fbsh(e, &tried_fallbacksmarthost,
                                                    hostbuf, sizeof(hostbuf), i))
                                        goto one_last_try;

                                if (tTd(11, 1))
                                        sm_dprintf("openmailer: makeconnection => stat=%d, errno=%d\n",
                                                   i, errno);
                                if (i == EX_TEMPFAIL)
                                        goodmxfound = true;
                                mci_unlock_host(mci);
                        }

                        /* enter status of this host */
                        setstat(i);

                        /* should print some message here for -v mode */
                }
                if (mci == NULL)
                {
                        syserr("deliver: no host name");
                        rcode = EX_SOFTWARE;
                        goto give_up;
                }
                mci->mci_pid = 0;
        }
        else
        {
                /* flush any expired connections */
                (void) mci_scan(NULL);
                mci = NULL;

                if (bitnset(M_LMTP, m->m_flags))
                {
                        /* try to get a cached connection */
                        mci = mci_get(m->m_name, m);
                        if (mci->mci_host == NULL)
                                mci->mci_host = m->m_name;
                        CurHostName = mci->mci_host;
                        if (mci->mci_state != MCIS_CLOSED)
                        {
                                message("Using cached LMTP connection for %s...",
                                        m->m_name);
                                mci->mci_deliveries++;
                                goto do_transfer;
                        }
                }

                /* announce the connection to verbose listeners */
                if (host == NULL || host[0] == '\0')
                        message("Connecting to %s...", m->m_name);
                else
                        message("Connecting to %s via %s...", host, m->m_name);
                if (TrafficLogFile != NULL)
                {
                        char **av;

                        (void) sm_io_fprintf(TrafficLogFile, SM_TIME_DEFAULT,
                                             "%05d === EXEC", (int) CurrentPid);
                        for (av = pv; *av != NULL; av++)
                                (void) sm_io_fprintf(TrafficLogFile,
                                                     SM_TIME_DEFAULT, " %s",
                                                     *av);
                        (void) sm_io_fprintf(TrafficLogFile, SM_TIME_DEFAULT,
                                             "\n");
                }

#if XDEBUG
                checkfd012("before creating mail pipe");
#endif /* XDEBUG */

                /* create a pipe to shove the mail through */
                if (pipe(mpvect) < 0)
                {
                        syserr("%s... openmailer(%s): pipe (to mailer)",
                               shortenstring(e->e_to, MAXSHORTSTR), m->m_name);
                        if (tTd(11, 1))
                                sm_dprintf("openmailer: NULL\n");
                        rcode = EX_OSERR;
                        goto give_up;
                }

#if XDEBUG
                /* make sure we didn't get one of the standard I/O files */
                if (mpvect[0] < 3 || mpvect[1] < 3)
                {
                        syserr("%s... openmailer(%s): bogus mpvect %d %d",
                               shortenstring(e->e_to, MAXSHORTSTR), m->m_name,
                               mpvect[0], mpvect[1]);
                        printopenfds(true);
                        if (tTd(11, 1))
                                sm_dprintf("openmailer: NULL\n");
                        rcode = EX_OSERR;
                        goto give_up;
                }

                /* make sure system call isn't dead meat */
                checkfdopen(mpvect[0], "mpvect[0]");
                checkfdopen(mpvect[1], "mpvect[1]");
                if (mpvect[0] == mpvect[1] ||
                    (e->e_lockfp != NULL &&
                     (mpvect[0] == sm_io_getinfo(e->e_lockfp, SM_IO_WHAT_FD,
                                                 NULL) ||
                      mpvect[1] == sm_io_getinfo(e->e_lockfp, SM_IO_WHAT_FD,
                                                 NULL))))
                {
                        if (e->e_lockfp == NULL)
                                syserr("%s... openmailer(%s): overlapping mpvect %d %d",
                                       shortenstring(e->e_to, MAXSHORTSTR),
                                       m->m_name, mpvect[0], mpvect[1]);
                        else
                                syserr("%s... openmailer(%s): overlapping mpvect %d %d, lockfp = %d",
                                       shortenstring(e->e_to, MAXSHORTSTR),
                                       m->m_name, mpvect[0], mpvect[1],
                                       sm_io_getinfo(e->e_lockfp,
                                                     SM_IO_WHAT_FD, NULL));
                }
#endif /* XDEBUG */

                /* create a return pipe */
                if (pipe(rpvect) < 0)
                {
                        syserr("%s... openmailer(%s): pipe (from mailer)",
                               shortenstring(e->e_to, MAXSHORTSTR),
                               m->m_name);
                        (void) close(mpvect[0]);
                        (void) close(mpvect[1]);
                        if (tTd(11, 1))
                                sm_dprintf("openmailer: NULL\n");
                        rcode = EX_OSERR;
                        goto give_up;
                }
#if XDEBUG
                checkfdopen(rpvect[0], "rpvect[0]");
                checkfdopen(rpvect[1], "rpvect[1]");
#endif /* XDEBUG */

                /*
                **  Actually fork the mailer process.
                **      DOFORK is clever about retrying.
                **
                **      Dispose of SIGCHLD signal catchers that may be laying
                **      around so that endmailer will get it.
                */

                if (e->e_xfp != NULL)   /* for debugging */
                        (void) sm_io_flush(e->e_xfp, SM_TIME_DEFAULT);
                (void) sm_io_flush(smioout, SM_TIME_DEFAULT);
                (void) sm_signal(SIGCHLD, SIG_DFL);


                DOFORK(FORK);
                /* pid is set by DOFORK */

                if (pid < 0)
                {
                        /* failure */
                        syserr("%s... openmailer(%s): cannot fork",
                               shortenstring(e->e_to, MAXSHORTSTR), m->m_name);
                        (void) close(mpvect[0]);
                        (void) close(mpvect[1]);
                        (void) close(rpvect[0]);
                        (void) close(rpvect[1]);
                        if (tTd(11, 1))
                                sm_dprintf("openmailer: NULL\n");
                        rcode = EX_OSERR;
                        goto give_up;
                }
                else if (pid == 0)
                {
                        int save_errno;
                        int sff;
                        int new_euid = NO_UID;
                        int new_ruid = NO_UID;
                        int new_gid = NO_GID;
                        char *user = NULL;
                        struct stat stb;
                        extern int DtableSize;

                        CurrentPid = getpid();

                        /* clear the events to turn off SIGALRMs */
                        sm_clear_events();

                        /* Reset global flags */
                        RestartRequest = NULL;
                        RestartWorkGroup = false;
                        ShutdownRequest = NULL;
                        PendingSignal = 0;

                        if (e->e_lockfp != NULL)
                                (void) close(sm_io_getinfo(e->e_lockfp,
                                                           SM_IO_WHAT_FD,
                                                           NULL));

                        /* child -- set up input & exec mailer */
                        (void) sm_signal(SIGALRM, sm_signal_noop);
                        (void) sm_signal(SIGCHLD, SIG_DFL);
                        (void) sm_signal(SIGHUP, SIG_IGN);
                        (void) sm_signal(SIGINT, SIG_IGN);
                        (void) sm_signal(SIGTERM, SIG_DFL);
# ifdef SIGUSR1
                        (void) sm_signal(SIGUSR1, sm_signal_noop);
# endif /* SIGUSR1 */

                        if (m != FileMailer || stat(tochain->q_user, &stb) < 0)
                                stb.st_mode = 0;

# if HASSETUSERCONTEXT
                        /*
                        **  Set user resources.
                        */

                        if (contextaddr != NULL)
                        {
                                int sucflags;
                                struct passwd *pwd;

                                if (contextaddr->q_ruser != NULL)
                                        pwd = sm_getpwnam(contextaddr->q_ruser);
                                else
                                        pwd = sm_getpwnam(contextaddr->q_user);
                                sucflags = LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;
#ifdef LOGIN_SETMAC
                                sucflags |= LOGIN_SETMAC;
#endif /* LOGIN_SETMAC */
                                if (pwd != NULL &&
                                    setusercontext(NULL, pwd, pwd->pw_uid,
                                                   sucflags) == -1 &&
                                    suidwarn)
                                {
                                        syserr("openmailer: setusercontext() failed");
                                        exit(EX_TEMPFAIL);
                                }
                        }
# endif /* HASSETUSERCONTEXT */

#if HASNICE
                        /* tweak niceness */
                        if (m->m_nice != 0)
                                (void) nice(m->m_nice);
#endif /* HASNICE */

                        /* reset group id */
                        if (bitnset(M_SPECIFIC_UID, m->m_flags))
                        {
                                if (m->m_gid == NO_GID)
                                        new_gid = RunAsGid;
                                else
                                        new_gid = m->m_gid;
                        }
                        else if (bitset(S_ISGID, stb.st_mode))
                                new_gid = stb.st_gid;
                        else if (ctladdr != NULL && ctladdr->q_gid != 0)
                        {
                                if (!DontInitGroups)
                                {
                                        user = ctladdr->q_ruser;
                                        if (user == NULL)
                                                user = ctladdr->q_user;

                                        if (initgroups(user,
                                                       ctladdr->q_gid) == -1
                                            && suidwarn)
                                        {
                                                syserr("openmailer: initgroups(%s, %d) failed",
                                                        user, ctladdr->q_gid);
                                                exit(EX_TEMPFAIL);
                                        }
                                }
                                else
                                {
                                        GIDSET_T gidset[1];

                                        gidset[0] = ctladdr->q_gid;
                                        if (setgroups(1, gidset) == -1
                                            && suidwarn)
                                        {
                                                syserr("openmailer: setgroups() failed");
                                                exit(EX_TEMPFAIL);
                                        }
                                }
                                new_gid = ctladdr->q_gid;
                        }
                        else
                        {
                                if (!DontInitGroups)
                                {
                                        user = DefUser;
                                        if (initgroups(DefUser, DefGid) == -1 &&
                                            suidwarn)
                                        {
                                                syserr("openmailer: initgroups(%s, %d) failed",
                                                       DefUser, DefGid);
                                                exit(EX_TEMPFAIL);
                                        }
                                }
                                else
                                {
                                        GIDSET_T gidset[1];

                                        gidset[0] = DefGid;
                                        if (setgroups(1, gidset) == -1
                                            && suidwarn)
                                        {
                                                syserr("openmailer: setgroups() failed");
                                                exit(EX_TEMPFAIL);
                                        }
                                }
                                if (m->m_gid == NO_GID)
                                        new_gid = DefGid;
                                else
                                        new_gid = m->m_gid;
                        }
                        if (new_gid != NO_GID)
                        {
                                if (RunAsUid != 0 &&
                                    bitnset(M_SPECIFIC_UID, m->m_flags) &&
                                    new_gid != getgid() &&
                                    new_gid != getegid())
                                {
                                        /* Only root can change the gid */
                                        syserr("openmailer: insufficient privileges to change gid, RunAsUid=%d, new_gid=%d, gid=%d, egid=%d",
                                               (int) RunAsUid, (int) new_gid,
                                               (int) getgid(), (int) getegid());
                                        exit(EX_TEMPFAIL);
                                }

                                if (setgid(new_gid) < 0 && suidwarn)
                                {
                                        syserr("openmailer: setgid(%ld) failed",
                                               (long) new_gid);
                                        exit(EX_TEMPFAIL);
                                }
                        }

                        /* change root to some "safe" directory */
                        if (m->m_rootdir != NULL)
                        {
                                expand(m->m_rootdir, cbuf, sizeof(cbuf), e);
                                if (tTd(11, 20))
                                        sm_dprintf("openmailer: chroot %s\n",
                                                   cbuf);
                                if (chroot(cbuf) < 0)
                                {
                                        syserr("openmailer: Cannot chroot(%s)",
                                               cbuf);
                                        exit(EX_TEMPFAIL);
                                }
                                if (chdir("/") < 0)
                                {
                                        syserr("openmailer: cannot chdir(/)");
                                        exit(EX_TEMPFAIL);
                                }
                        }

                        /* reset user id */
                        endpwent();
                        sm_mbdb_terminate();
                        if (bitnset(M_SPECIFIC_UID, m->m_flags))
                        {
                                if (m->m_uid == NO_UID)
                                        new_euid = RunAsUid;
                                else
                                        new_euid = m->m_uid;

                                /*
                                **  Undo the effects of the uid change in main
                                **  for signal handling.  The real uid may
                                **  be used by mailer in adding a "From "
                                **  line.
                                */

                                if (RealUid != 0 && RealUid != getuid())
                                {
# if MAILER_SETUID_METHOD == USE_SETEUID
#  if HASSETREUID
                                        if (setreuid(RealUid, geteuid()) < 0)
                                        {
                                                syserr("openmailer: setreuid(%d, %d) failed",
                                                       (int) RealUid, (int) geteuid());
                                                exit(EX_OSERR);
                                        }
#  endif /* HASSETREUID */
# endif /* MAILER_SETUID_METHOD == USE_SETEUID */
# if MAILER_SETUID_METHOD == USE_SETREUID
                                        new_ruid = RealUid;
# endif /* MAILER_SETUID_METHOD == USE_SETREUID */
                                }
                        }
                        else if (bitset(S_ISUID, stb.st_mode))
                                new_ruid = stb.st_uid;
                        else if (ctladdr != NULL && ctladdr->q_uid != 0)
                                new_ruid = ctladdr->q_uid;
                        else if (m->m_uid != NO_UID)
                                new_ruid = m->m_uid;
                        else
                                new_ruid = DefUid;

# if _FFR_USE_SETLOGIN
                        /* run disconnected from terminal and set login name */
                        if (setsid() >= 0 &&
                            ctladdr != NULL && ctladdr->q_uid != 0 &&
                            new_euid == ctladdr->q_uid)
                        {
                                struct passwd *pwd;

                                pwd = sm_getpwuid(ctladdr->q_uid);
                                if (pwd != NULL && suidwarn)
                                        (void) setlogin(pwd->pw_name);
                                endpwent();
                        }
# endif /* _FFR_USE_SETLOGIN */

                        if (new_euid != NO_UID)
                        {
                                if (RunAsUid != 0 && new_euid != RunAsUid)
                                {
                                        /* Only root can change the uid */
                                        syserr("openmailer: insufficient privileges to change uid, new_euid=%d, RunAsUid=%d",
                                               (int) new_euid, (int) RunAsUid);
                                        exit(EX_TEMPFAIL);
                                }

                                vendor_set_uid(new_euid);
# if MAILER_SETUID_METHOD == USE_SETEUID
                                if (seteuid(new_euid) < 0 && suidwarn)
                                {
                                        syserr("openmailer: seteuid(%ld) failed",
                                               (long) new_euid);
                                        exit(EX_TEMPFAIL);
                                }
# endif /* MAILER_SETUID_METHOD == USE_SETEUID */
# if MAILER_SETUID_METHOD == USE_SETREUID
                                if (setreuid(new_ruid, new_euid) < 0 && suidwarn)
                                {
                                        syserr("openmailer: setreuid(%ld, %ld) failed",
                                               (long) new_ruid, (long) new_euid);
                                        exit(EX_TEMPFAIL);
                                }
# endif /* MAILER_SETUID_METHOD == USE_SETREUID */
# if MAILER_SETUID_METHOD == USE_SETUID
                                if (new_euid != geteuid() && setuid(new_euid) < 0 && suidwarn)
                                {
                                        syserr("openmailer: setuid(%ld) failed",
                                               (long) new_euid);
                                        exit(EX_TEMPFAIL);
                                }
# endif /* MAILER_SETUID_METHOD == USE_SETUID */
                        }
                        else if (new_ruid != NO_UID)
                        {
                                vendor_set_uid(new_ruid);
                                if (setuid(new_ruid) < 0 && suidwarn)
                                {
                                        syserr("openmailer: setuid(%ld) failed",
                                               (long) new_ruid);
                                        exit(EX_TEMPFAIL);
                                }
                        }

                        if (tTd(11, 2))
                                sm_dprintf("openmailer: running as r/euid=%d/%d, r/egid=%d/%d\n",
                                           (int) getuid(), (int) geteuid(),
                                           (int) getgid(), (int) getegid());

                        /* move into some "safe" directory */
                        if (m->m_execdir != NULL)
                        {
                                char *q;

                                for (p = m->m_execdir; p != NULL; p = q)
                                {
                                        q = strchr(p, ':');
                                        if (q != NULL)
                                                *q = '\0';
                                        expand(p, cbuf, sizeof(cbuf), e);
                                        if (q != NULL)
                                                *q++ = ':';
                                        if (tTd(11, 20))
                                                sm_dprintf("openmailer: trydir %s\n",
                                                           cbuf);
                                        if (cbuf[0] != '\0' &&
                                            chdir(cbuf) >= 0)
                                                break;
                                }
                        }

                        /* Check safety of program to be run */
                        sff = SFF_ROOTOK|SFF_EXECOK;
                        if (!bitnset(DBS_RUNWRITABLEPROGRAM,
                                     DontBlameSendmail))
                                sff |= SFF_NOGWFILES|SFF_NOWWFILES;
                        if (bitnset(DBS_RUNPROGRAMINUNSAFEDIRPATH,
                                    DontBlameSendmail))
                                sff |= SFF_NOPATHCHECK;
                        else
                                sff |= SFF_SAFEDIRPATH;
                        ret = safefile(m->m_mailer, getuid(), getgid(),
                                       user, sff, 0, NULL);
                        if (ret != 0)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Warning: program %s unsafe: %s",
                                          m->m_mailer, sm_errstring(ret));

                        /* arrange to filter std & diag output of command */
                        (void) close(rpvect[0]);
                        if (dup2(rpvect[1], STDOUT_FILENO) < 0)
                        {
                                syserr("%s... openmailer(%s): cannot dup pipe %d for stdout",
                                       shortenstring(e->e_to, MAXSHORTSTR),
                                       m->m_name, rpvect[1]);
                                _exit(EX_OSERR);
                        }
                        (void) close(rpvect[1]);

                        if (dup2(STDOUT_FILENO, STDERR_FILENO) < 0)
                        {
                                syserr("%s... openmailer(%s): cannot dup stdout for stderr",
                                       shortenstring(e->e_to, MAXSHORTSTR),
                                       m->m_name);
                                _exit(EX_OSERR);
                        }

                        /* arrange to get standard input */
                        (void) close(mpvect[1]);
                        if (dup2(mpvect[0], STDIN_FILENO) < 0)
                        {
                                syserr("%s... openmailer(%s): cannot dup pipe %d for stdin",
                                       shortenstring(e->e_to, MAXSHORTSTR),
                                       m->m_name, mpvect[0]);
                                _exit(EX_OSERR);
                        }
                        (void) close(mpvect[0]);

                        /* arrange for all the files to be closed */
                        sm_close_on_exec(STDERR_FILENO + 1, DtableSize);

# if !_FFR_USE_SETLOGIN
                        /* run disconnected from terminal */
                        (void) setsid();
# endif /* !_FFR_USE_SETLOGIN */

                        /* try to execute the mailer */
                        (void) execve(m->m_mailer, (ARGV_T) pv,
                                      (ARGV_T) UserEnviron);
                        save_errno = errno;
                        syserr("Cannot exec %s", m->m_mailer);
                        if (bitnset(M_LOCALMAILER, m->m_flags) ||
                            transienterror(save_errno))
                                _exit(EX_OSERR);
                        _exit(EX_UNAVAILABLE);
                }

                /*
                **  Set up return value.
                */

                if (mci == NULL)
                {
                        if (clever)
                        {
                                /*
                                **  Allocate from general heap, not
                                **  envelope rpool, because this mci
                                **  is going to be cached.
                                */

                                mci = mci_new(NULL);
                        }
                        else
                        {
                                /*
                                **  Prevent a storage leak by allocating
                                **  this from the envelope rpool.
                                */

                                mci = mci_new(e->e_rpool);
                        }
                }
                mci->mci_mailer = m;
                if (clever)
                {
                        mci->mci_state = MCIS_OPENING;
                        mci_cache(mci);
                }
                else
                {
                        mci->mci_state = MCIS_OPEN;
                }
                mci->mci_pid = pid;
                (void) close(mpvect[0]);
                mci->mci_out = sm_io_open(SmFtStdiofd, SM_TIME_DEFAULT,
                                          (void *) &(mpvect[1]), SM_IO_WRONLY_B,
                                          NULL);
                if (mci->mci_out == NULL)
                {
                        syserr("deliver: cannot create mailer output channel, fd=%d",
                               mpvect[1]);
                        (void) close(mpvect[1]);
                        (void) close(rpvect[0]);
                        (void) close(rpvect[1]);
                        rcode = EX_OSERR;
                        goto give_up;
                }

                (void) close(rpvect[1]);
                mci->mci_in = sm_io_open(SmFtStdiofd, SM_TIME_DEFAULT,
                                         (void *) &(rpvect[0]), SM_IO_RDONLY_B,
                                         NULL);
                if (mci->mci_in == NULL)
                {
                        syserr("deliver: cannot create mailer input channel, fd=%d",
                               mpvect[1]);
                        (void) close(rpvect[0]);
                        (void) sm_io_close(mci->mci_out, SM_TIME_DEFAULT);
                        mci->mci_out = NULL;
                        rcode = EX_OSERR;
                        goto give_up;
                }
        }

        /*
        **  If we are in SMTP opening state, send initial protocol.
        */

        if (bitnset(M_7BITS, m->m_flags) &&
            (!clever || mci->mci_state == MCIS_OPENING))
                mci->mci_flags |= MCIF_7BIT;
        if (clever && mci->mci_state != MCIS_CLOSED)
        {
# if STARTTLS || SASL
                int dotpos;
                char *srvname;
                extern SOCKADDR CurHostAddr;
# endif /* STARTTLS || SASL */

# if SASL
#  define DONE_AUTH(f)          bitset(MCIF_AUTHACT, f)
# endif /* SASL */
# if STARTTLS
#  define DONE_STARTTLS(f)      bitset(MCIF_TLSACT, f)
# endif /* STARTTLS */
# define ONLY_HELO(f)           bitset(MCIF_ONLY_EHLO, f)
# define SET_HELO(f)            f |= MCIF_ONLY_EHLO
# define CLR_HELO(f)            f &= ~MCIF_ONLY_EHLO

# if STARTTLS || SASL
                /* don't use CurHostName, it is changed in many places */
                if (mci->mci_host != NULL)
                {
                        srvname = mci->mci_host;
                        dotpos = strlen(srvname) - 1;
                        if (dotpos >= 0)
                        {
                                if (srvname[dotpos] == '.')
                                        srvname[dotpos] = '\0';
                                else
                                        dotpos = -1;
                        }
                }
                else if (mci->mci_mailer != NULL)
                {
                        srvname = mci->mci_mailer->m_name;
                        dotpos = -1;
                }
                else
                {
                        srvname = "local";
                        dotpos = -1;
                }

                /* don't set {server_name} to NULL or "": see getauth() */
                macdefine(&mci->mci_macro, A_TEMP, macid("{server_name}"),
                          srvname);

                /* CurHostAddr is set by makeconnection() and mci_get() */
                if (CurHostAddr.sa.sa_family != 0)
                {
                        macdefine(&mci->mci_macro, A_TEMP,
                                  macid("{server_addr}"),
                                  anynet_ntoa(&CurHostAddr));
                }
                else if (mci->mci_mailer != NULL)
                {
                        /* mailer name is unique, use it as address */
                        macdefine(&mci->mci_macro, A_PERM,
                                  macid("{server_addr}"),
                                  mci->mci_mailer->m_name);
                }
                else
                {
                        /* don't set it to NULL or "": see getauth() */
                        macdefine(&mci->mci_macro, A_PERM,
                                  macid("{server_addr}"), "0");
                }

                /* undo change of srvname (mci->mci_host) */
                if (dotpos >= 0)
                        srvname[dotpos] = '.';

reconnect:      /* after switching to an encrypted connection */
# endif /* STARTTLS || SASL */

                /* set the current connection information */
                e->e_mci = mci;
# if SASL
                mci->mci_saslcap = NULL;
# endif /* SASL */
                smtpinit(m, mci, e, ONLY_HELO(mci->mci_flags));
                CLR_HELO(mci->mci_flags);

                if (IS_DLVR_RETURN(e))
                {
                        /*
                        **  Check whether other side can deliver e-mail
                        **  fast enough
                        */

                        if (!bitset(MCIF_DLVR_BY, mci->mci_flags))
                        {
                                e->e_status = "5.4.7";
                                usrerrenh(e->e_status,
                                          "554 Server does not support Deliver By");
                                rcode = EX_UNAVAILABLE;
                                goto give_up;
                        }
                        if (e->e_deliver_by > 0 &&
                            e->e_deliver_by - (curtime() - e->e_ctime) <
                            mci->mci_min_by)
                        {
                                e->e_status = "5.4.7";
                                usrerrenh(e->e_status,
                                          "554 Message can't be delivered in time; %ld < %ld",
                                          e->e_deliver_by - (curtime() - e->e_ctime),
                                          mci->mci_min_by);
                                rcode = EX_UNAVAILABLE;
                                goto give_up;
                        }
                }

# if STARTTLS
                /* first TLS then AUTH to provide a security layer */
                if (mci->mci_state != MCIS_CLOSED &&
                    !DONE_STARTTLS(mci->mci_flags))
                {
                        int olderrors;
                        bool usetls;
                        bool saveQuickAbort = QuickAbort;
                        bool saveSuprErrs = SuprErrs;
                        char *host = NULL;

                        rcode = EX_OK;
                        usetls = bitset(MCIF_TLS, mci->mci_flags);
                        if (usetls)
                                usetls = !iscltflgset(e, D_NOTLS);

                        host = macvalue(macid("{server_name}"), e);
                        if (usetls)
                        {
                                olderrors = Errors;
                                QuickAbort = false;
                                SuprErrs = true;
                                if (rscheck("try_tls", host, NULL, e,
                                            RSF_RMCOMM, 7, host, NOQID, NULL)
                                                                != EX_OK
                                    || Errors > olderrors)
                                {
                                        usetls = false;
                                }
                                SuprErrs = saveSuprErrs;
                                QuickAbort = saveQuickAbort;
                        }

                        if (usetls)
                        {
                                if ((rcode = starttls(m, mci, e)) == EX_OK)
                                {
                                        /* start again without STARTTLS */
                                        mci->mci_flags |= MCIF_TLSACT;
                                }
                                else
                                {
                                        char *s;

                                        /*
                                        **  TLS negotiation failed, what to do?
                                        **  fall back to unencrypted connection
                                        **  or abort? How to decide?
                                        **  set a macro and call a ruleset.
                                        */

                                        mci->mci_flags &= ~MCIF_TLS;
                                        switch (rcode)
                                        {
                                          case EX_TEMPFAIL:
                                                s = "TEMP";
                                                break;
                                          case EX_USAGE:
                                                s = "USAGE";
                                                break;
                                          case EX_PROTOCOL:
                                                s = "PROTOCOL";
                                                break;
                                          case EX_SOFTWARE:
                                                s = "SOFTWARE";
                                                break;
                                          case EX_UNAVAILABLE:
                                                s = "NONE";
                                                break;

                                          /* everything else is a failure */
                                          default:
                                                s = "FAILURE";
                                                rcode = EX_TEMPFAIL;
                                        }
                                        macdefine(&e->e_macro, A_PERM,
                                                  macid("{verify}"), s);
                                }
                        }
                        else
                                macdefine(&e->e_macro, A_PERM,
                                          macid("{verify}"), "NONE");
                        olderrors = Errors;
                        QuickAbort = false;
                        SuprErrs = true;

                        /*
                        **  rcode == EX_SOFTWARE is special:
                        **  the TLS negotiation failed
                        **  we have to drop the connection no matter what
                        **  However, we call tls_server to give it the chance
                        **  to log the problem and return an appropriate
                        **  error code.
                        */

                        if (rscheck("tls_server",
                                    macvalue(macid("{verify}"), e),
                                    NULL, e, RSF_RMCOMM|RSF_COUNT, 5,
                                    host, NOQID, NULL) != EX_OK ||
                            Errors > olderrors ||
                            rcode == EX_SOFTWARE)
                        {
                                char enhsc[ENHSCLEN];
                                extern char MsgBuf[];

                                if (ISSMTPCODE(MsgBuf) &&
                                    extenhsc(MsgBuf + 4, ' ', enhsc) > 0)
                                {
                                        p = sm_rpool_strdup_x(e->e_rpool,
                                                              MsgBuf);
                                }
                                else
                                {
                                        p = "403 4.7.0 server not authenticated.";
                                        (void) sm_strlcpy(enhsc, "4.7.0",
                                                          sizeof(enhsc));
                                }
                                SuprErrs = saveSuprErrs;
                                QuickAbort = saveQuickAbort;

                                if (rcode == EX_SOFTWARE)
                                {
                                        /* drop the connection */
                                        mci->mci_state = MCIS_QUITING;
                                        if (mci->mci_in != NULL)
                                        {
                                                (void) sm_io_close(mci->mci_in,
                                                                   SM_TIME_DEFAULT);
                                                mci->mci_in = NULL;
                                        }
                                        mci->mci_flags &= ~MCIF_TLSACT;
                                        (void) endmailer(mci, e, pv);
                                }
                                else
                                {
                                        /* abort transfer */
                                        smtpquit(m, mci, e);
                                }

                                /* avoid bogus error msg */
                                mci->mci_errno = 0;

                                /* temp or permanent failure? */
                                rcode = (*p == '4') ? EX_TEMPFAIL
                                                    : EX_UNAVAILABLE;
                                mci_setstat(mci, rcode, enhsc, p);

                                /*
                                **  hack to get the error message into
                                **  the envelope (done in giveresponse())
                                */

                                (void) sm_strlcpy(SmtpError, p,
                                                  sizeof(SmtpError));
                        }
                        else if (mci->mci_state == MCIS_CLOSED)
                        {
                                /* connection close caused by 421 */
                                mci->mci_errno = 0;
                                rcode = EX_TEMPFAIL;
                                mci_setstat(mci, rcode, NULL, "421");
                        }
                        else
                                rcode = 0;

                        QuickAbort = saveQuickAbort;
                        SuprErrs = saveSuprErrs;
                        if (DONE_STARTTLS(mci->mci_flags) &&
                            mci->mci_state != MCIS_CLOSED)
                        {
                                SET_HELO(mci->mci_flags);
                                mci->mci_flags &= ~MCIF_EXTENS;
                                goto reconnect;
                        }
                }
# endif /* STARTTLS */
# if SASL
                /* if other server supports authentication let's authenticate */
                if (mci->mci_state != MCIS_CLOSED &&
                    mci->mci_saslcap != NULL &&
                    !DONE_AUTH(mci->mci_flags) && !iscltflgset(e, D_NOAUTH))
                {
                        /* Should we require some minimum authentication? */
                        if ((ret = smtpauth(m, mci, e)) == EX_OK)
                        {
                                int result;
                                sasl_ssf_t *ssf = NULL;

                                /* Get security strength (features) */
                                result = sasl_getprop(mci->mci_conn, SASL_SSF,
# if SASL >= 20000
                                                      (const void **) &ssf);
# else /* SASL >= 20000 */
                                                      (void **) &ssf);
# endif /* SASL >= 20000 */

                                /* XXX authid? */
                                if (LogLevel > 9)
                                        sm_syslog(LOG_INFO, NOQID,
                                                  "AUTH=client, relay=%.100s, mech=%.16s, bits=%d",
                                                  mci->mci_host,
                                                  macvalue(macid("{auth_type}"), e),
                                                  result == SASL_OK ? *ssf : 0);

                                /*
                                **  Only switch to encrypted connection
                                **  if a security layer has been negotiated
                                */

                                if (result == SASL_OK && *ssf > 0)
                                {
                                        int tmo;

                                        /*
                                        **  Convert I/O layer to use SASL.
                                        **  If the call fails, the connection
                                        **  is aborted.
                                        */

                                        tmo = DATA_PROGRESS_TIMEOUT * 1000;
                                        if (sfdcsasl(&mci->mci_in,
                                                     &mci->mci_out,
                                                     mci->mci_conn, tmo) == 0)
                                        {
                                                mci->mci_flags &= ~MCIF_EXTENS;
                                                mci->mci_flags |= MCIF_AUTHACT|
                                                                  MCIF_ONLY_EHLO;
                                                goto reconnect;
                                        }
                                        syserr("AUTH TLS switch failed in client");
                                }
                                /* else? XXX */
                                mci->mci_flags |= MCIF_AUTHACT;

                        }
                        else if (ret == EX_TEMPFAIL)
                        {
                                if (LogLevel > 8)
                                        sm_syslog(LOG_ERR, NOQID,
                                                  "AUTH=client, relay=%.100s, temporary failure, connection abort",
                                                  mci->mci_host);
                                smtpquit(m, mci, e);

                                /* avoid bogus error msg */
                                mci->mci_errno = 0;
                                rcode = EX_TEMPFAIL;
                                mci_setstat(mci, rcode, "4.3.0", p);

                                /*
                                **  hack to get the error message into
                                **  the envelope (done in giveresponse())
                                */

                                (void) sm_strlcpy(SmtpError,
                                                  "Temporary AUTH failure",
                                                  sizeof(SmtpError));
                        }
                }
# endif /* SASL */
        }


do_transfer:
        /* clear out per-message flags from connection structure */
        mci->mci_flags &= ~(MCIF_CVT7TO8|MCIF_CVT8TO7);

        if (bitset(EF_HAS8BIT, e->e_flags) &&
            !bitset(EF_DONT_MIME, e->e_flags) &&
            bitnset(M_7BITS, m->m_flags))
                mci->mci_flags |= MCIF_CVT8TO7;

#if MIME7TO8
        if (bitnset(M_MAKE8BIT, m->m_flags) &&
            !bitset(MCIF_7BIT, mci->mci_flags) &&
            (p = hvalue("Content-Transfer-Encoding", e->e_header)) != NULL &&
             (sm_strcasecmp(p, "quoted-printable") == 0 ||
              sm_strcasecmp(p, "base64") == 0) &&
            (p = hvalue("Content-Type", e->e_header)) != NULL)
        {
                /* may want to convert 7 -> 8 */
                /* XXX should really parse it here -- and use a class XXX */
                if (sm_strncasecmp(p, "text/plain", 10) == 0 &&
                    (p[10] == '\0' || p[10] == ' ' || p[10] == ';'))
                        mci->mci_flags |= MCIF_CVT7TO8;
        }
#endif /* MIME7TO8 */

        if (tTd(11, 1))
        {
                sm_dprintf("openmailer: ");
                mci_dump(sm_debug_file(), mci, false);
        }

#if _FFR_CLIENT_SIZE
        /*
        **  See if we know the maximum size and
        **  abort if the message is too big.
        **
        **  NOTE: _FFR_CLIENT_SIZE is untested.
        */

        if (bitset(MCIF_SIZE, mci->mci_flags) &&
            mci->mci_maxsize > 0 &&
            e->e_msgsize > mci->mci_maxsize)
        {
                e->e_flags |= EF_NO_BODY_RETN;
                if (bitnset(M_LOCALMAILER, m->m_flags))
                        e->e_status = "5.2.3";
                else
                        e->e_status = "5.3.4";

                usrerrenh(e->e_status,
                          "552 Message is too large; %ld bytes max",
                          mci->mci_maxsize);
                rcode = EX_DATAERR;

                /* Need an e_message for error */
                (void) sm_snprintf(SmtpError, sizeof(SmtpError),
                                   "Message is too large; %ld bytes max",
                                   mci->mci_maxsize);
                goto give_up;
        }
#endif /* _FFR_CLIENT_SIZE */

        if (mci->mci_state != MCIS_OPEN)
        {
                /* couldn't open the mailer */
                rcode = mci->mci_exitstat;
                errno = mci->mci_errno;
                SM_SET_H_ERRNO(mci->mci_herrno);
                if (rcode == EX_OK)
                {
                        /* shouldn't happen */
                        syserr("554 5.3.5 deliver: mci=%lx rcode=%d errno=%d state=%d sig=%s",
                               (unsigned long) mci, rcode, errno,
                               mci->mci_state, firstsig);
                        mci_dump_all(smioout, true);
                        rcode = EX_SOFTWARE;
                }
                else if (nummxhosts > hostnum)
                {
                        /* try next MX site */
                        goto tryhost;
                }
        }
        else if (!clever)
        {
                bool ok;

                /*
                **  Format and send message.
                */

                rcode = EX_OK;
                errno = 0;
                ok = putfromline(mci, e);
                if (ok)
                        ok = (*e->e_puthdr)(mci, e->e_header, e, M87F_OUTER);
                if (ok)
                        ok = (*e->e_putbody)(mci, e, NULL);
                if (ok && bitset(MCIF_INLONGLINE, mci->mci_flags))
                        ok = putline("", mci);

                /*
                **  Ignore an I/O error that was caused by EPIPE.
                **  Some broken mailers don't read the entire body
                **  but just exit() thus causing an I/O error.
                */

                if (!ok && (sm_io_error(mci->mci_out) && errno == EPIPE))
                        ok = true;

                /* (always) get the exit status */
                rcode = endmailer(mci, e, pv);
                if (!ok)
                        rcode = EX_TEMPFAIL;
                if (rcode == EX_TEMPFAIL && SmtpError[0] == '\0')
                {
                        /*
                        **  Need an e_message for mailq display.
                        **  We set SmtpError as
                        */

                        (void) sm_snprintf(SmtpError, sizeof(SmtpError),
                                           "%s mailer (%s) exited with EX_TEMPFAIL",
                                           m->m_name, m->m_mailer);
                }
        }
        else
        {
                /*
                **  Send the MAIL FROM: protocol
                */

                /* XXX this isn't pipelined... */
                rcode = smtpmailfrom(m, mci, e);
                if (rcode == EX_OK)
                {
                        register int i;
# if PIPELINING
                        ADDRESS *volatile pchain;
# endif /* PIPELINING */

                        /* send the recipient list */
                        tobuf[0] = '\0';
                        mci->mci_retryrcpt = false;
                        mci->mci_tolist = tobuf;
# if PIPELINING
                        pchain = NULL;
                        mci->mci_nextaddr = NULL;
# endif /* PIPELINING */

                        for (to = tochain; to != NULL; to = to->q_tchain)
                        {
                                if (!QS_IS_UNMARKED(to->q_state))
                                        continue;

                                /* mark recipient state as "ok so far" */
                                to->q_state = QS_OK;
                                e->e_to = to->q_paddr;
# if STARTTLS
                                i = rscheck("tls_rcpt", to->q_user, NULL, e,
                                            RSF_RMCOMM|RSF_COUNT, 3,
                                            mci->mci_host, e->e_id, NULL);
                                if (i != EX_OK)
                                {
                                        markfailure(e, to, mci, i, false);
                                        giveresponse(i, to->q_status,  m, mci,
                                                     ctladdr, xstart, e, to);
                                        if (i == EX_TEMPFAIL)
                                        {
                                                mci->mci_retryrcpt = true;
                                                to->q_state = QS_RETRY;
                                        }
                                        continue;
                                }
# endif /* STARTTLS */

                                i = smtprcpt(to, m, mci, e, ctladdr, xstart);
# if PIPELINING
                                if (i == EX_OK &&
                                    bitset(MCIF_PIPELINED, mci->mci_flags))
                                {
                                        /*
                                        **  Add new element to list of
                                        **  recipients for pipelining.
                                        */

                                        to->q_pchain = NULL;
                                        if (mci->mci_nextaddr == NULL)
                                                mci->mci_nextaddr = to;
                                        if (pchain == NULL)
                                                pchain = to;
                                        else
                                        {
                                                pchain->q_pchain = to;
                                                pchain = pchain->q_pchain;
                                        }
                                }
# endif /* PIPELINING */
                                if (i != EX_OK)
                                {
                                        markfailure(e, to, mci, i, false);
                                        giveresponse(i, to->q_status, m, mci,
                                                     ctladdr, xstart, e, to);
                                        if (i == EX_TEMPFAIL)
                                                to->q_state = QS_RETRY;
                                }
                        }

                        /* No recipients in list and no missing responses? */
                        if (tobuf[0] == '\0'
# if PIPELINING
                            && bitset(MCIF_PIPELINED, mci->mci_flags)
                            && mci->mci_nextaddr == NULL
# endif /* PIPELINING */
                           )
                        {
                                rcode = EX_OK;
                                e->e_to = NULL;
                                if (bitset(MCIF_CACHED, mci->mci_flags))
                                        smtprset(m, mci, e);
                        }
                        else
                        {
                                e->e_to = tobuf + 1;
                                rcode = smtpdata(m, mci, e, ctladdr, xstart);
                        }
                }
                if (rcode == EX_TEMPFAIL && nummxhosts > hostnum)
                {
                        /* try next MX site */
                        goto tryhost;
                }
        }
#if NAMED_BIND
        if (ConfigLevel < 2)
                _res.options |= RES_DEFNAMES | RES_DNSRCH;      /* XXX */
#endif /* NAMED_BIND */

        if (tTd(62, 1))
                checkfds("after delivery");

        /*
        **  Do final status disposal.
        **      We check for something in tobuf for the SMTP case.
        **      If we got a temporary failure, arrange to queue the
        **              addressees.
        */

  give_up:
        if (bitnset(M_LMTP, m->m_flags))
        {
                lmtp_rcode = rcode;
                tobuf[0] = '\0';
                anyok = false;
                strsize = 0;
        }
        else
                anyok = rcode == EX_OK;

        for (to = tochain; to != NULL; to = to->q_tchain)
        {
                /* see if address already marked */
                if (!QS_IS_OK(to->q_state))
                        continue;

                /* if running LMTP, get the status for each address */
                if (bitnset(M_LMTP, m->m_flags))
                {
                        if (lmtp_rcode == EX_OK)
                                rcode = smtpgetstat(m, mci, e);
                        if (rcode == EX_OK)
                        {
                                strsize += sm_strlcat2(tobuf + strsize, ",",
                                                to->q_paddr,
                                                tobufsize - strsize);
                                SM_ASSERT(strsize < tobufsize);
                                anyok = true;
                        }
                        else
                        {
                                e->e_to = to->q_paddr;
                                markfailure(e, to, mci, rcode, true);
                                giveresponse(rcode, to->q_status, m, mci,
                                             ctladdr, xstart, e, to);
                                e->e_to = tobuf + 1;
                                continue;
                        }
                }
                else
                {
                        /* mark bad addresses */
                        if (rcode != EX_OK)
                        {
                                if (goodmxfound && rcode == EX_NOHOST)
                                        rcode = EX_TEMPFAIL;
                                markfailure(e, to, mci, rcode, true);
                                continue;
                        }
                }

                /* successful delivery */
                to->q_state = QS_SENT;
                to->q_statdate = curtime();
                e->e_nsent++;

                /*
                **  Checkpoint the send list every few addresses
                */

                if (CheckpointInterval > 0 && e->e_nsent >= CheckpointInterval)
                {
                        queueup(e, false, false);
                        e->e_nsent = 0;
                }

                if (bitnset(M_LOCALMAILER, m->m_flags) &&
                    bitset(QPINGONSUCCESS, to->q_flags))
                {
                        to->q_flags |= QDELIVERED;
                        to->q_status = "2.1.5";
                        (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
                                             "%s... Successfully delivered\n",
                                             to->q_paddr);
                }
                else if (bitset(QPINGONSUCCESS, to->q_flags) &&
                         bitset(QPRIMARY, to->q_flags) &&
                         !bitset(MCIF_DSN, mci->mci_flags))
                {
                        to->q_flags |= QRELAYED;
                        (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
                                             "%s... relayed; expect no further notifications\n",
                                             to->q_paddr);
                }
                else if (IS_DLVR_NOTIFY(e) &&
                         !bitset(MCIF_DLVR_BY, mci->mci_flags) &&
                         bitset(QPRIMARY, to->q_flags) &&
                         (!bitset(QHASNOTIFY, to->q_flags) ||
                          bitset(QPINGONSUCCESS, to->q_flags) ||
                          bitset(QPINGONFAILURE, to->q_flags) ||
                          bitset(QPINGONDELAY, to->q_flags)))
                {
                        /* RFC 2852, 4.1.4.2: no NOTIFY, or not NEVER */
                        to->q_flags |= QBYNRELAY;
                        (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
                                             "%s... Deliver-by notify: relayed\n",
                                             to->q_paddr);
                }
                else if (IS_DLVR_TRACE(e) &&
                         (!bitset(QHASNOTIFY, to->q_flags) ||
                          bitset(QPINGONSUCCESS, to->q_flags) ||
                          bitset(QPINGONFAILURE, to->q_flags) ||
                          bitset(QPINGONDELAY, to->q_flags)) &&
                         bitset(QPRIMARY, to->q_flags))
                {
                        /* RFC 2852, 4.1.4: no NOTIFY, or not NEVER */
                        to->q_flags |= QBYTRACE;
                        (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
                                             "%s... Deliver-By trace: relayed\n",
                                             to->q_paddr);
                }
        }

        if (bitnset(M_LMTP, m->m_flags))
        {
                /*
                **  Global information applies to the last recipient only;
                **  clear it out to avoid bogus errors.
                */

                rcode = EX_OK;
                e->e_statmsg = NULL;

                /* reset the mci state for the next transaction */
                if (mci != NULL &&
                    (mci->mci_state == MCIS_MAIL ||
                     mci->mci_state == MCIS_RCPT ||
                     mci->mci_state == MCIS_DATA))
                {
                        mci->mci_state = MCIS_OPEN;
                        SmtpPhase = mci->mci_phase = "idle";
                        sm_setproctitle(true, e, "%s: %s", CurHostName,
                                        mci->mci_phase);
                }
        }

        if (tobuf[0] != '\0')
        {
                giveresponse(rcode, NULL, m, mci, ctladdr, xstart, e, tochain);
#if 0
                /*
                **  This code is disabled for now because I am not
                **  sure that copying status from the first recipient
                **  to all non-status'ed recipients is a good idea.
                */

                if (tochain->q_message != NULL &&
                    !bitnset(M_LMTP, m->m_flags) && rcode != EX_OK)
                {
                        for (to = tochain->q_tchain; to != NULL;
                             to = to->q_tchain)
                        {
                                /* see if address already marked */
                                if (QS_IS_QUEUEUP(to->q_state) &&
                                    to->q_message == NULL)
                                        to->q_message = sm_rpool_strdup_x(e->e_rpool,
                                                        tochain->q_message);
                        }
                }
#endif /* 0 */
        }
        if (anyok)
                markstats(e, tochain, STATS_NORMAL);
        mci_store_persistent(mci);

        /* Some recipients were tempfailed, try them on the next host */
        if (mci != NULL && mci->mci_retryrcpt && nummxhosts > hostnum)
        {
                /* try next MX site */
                goto tryhost;
        }

        /* now close the connection */
        if (clever && mci != NULL && mci->mci_state != MCIS_CLOSED &&
            !bitset(MCIF_CACHED, mci->mci_flags))
                smtpquit(m, mci, e);

cleanup: ;
        }
        SM_FINALLY
        {
                /*
                **  Restore state and return.
                */
#if XDEBUG
                char wbuf[MAXLINE];

                /* make absolutely certain 0, 1, and 2 are in use */
                (void) sm_snprintf(wbuf, sizeof(wbuf),
                                   "%s... end of deliver(%s)",
                                   e->e_to == NULL ? "NO-TO-LIST"
                                                   : shortenstring(e->e_to,
                                                                   MAXSHORTSTR),
                                  m->m_name);
                checkfd012(wbuf);
#endif /* XDEBUG */

                errno = 0;

                /*
                **  It was originally necessary to set macro 'g' to NULL
                **  because it previously pointed to an auto buffer.
                **  We don't do this any more, so this may be unnecessary.
                */

                macdefine(&e->e_macro, A_PERM, 'g', (char *) NULL);
                e->e_to = NULL;
        }
        SM_END_TRY
        return rcode;
}

/*
**  MARKFAILURE -- mark a failure on a specific address.
**
**      Parameters:
**              e -- the envelope we are sending.
**              q -- the address to mark.
**              mci -- mailer connection information.
**              rcode -- the code signifying the particular failure.
**              ovr -- override an existing code?
**
**      Returns:
**              none.
**
**      Side Effects:
**              marks the address (and possibly the envelope) with the
**                      failure so that an error will be returned or
**                      the message will be queued, as appropriate.
*/

void
markfailure(e, q, mci, rcode, ovr)
        register ENVELOPE *e;
        register ADDRESS *q;
        register MCI *mci;
        int rcode;
        bool ovr;
{
        int save_errno = errno;
        char *status = NULL;
        char *rstatus = NULL;

        switch (rcode)
        {
          case EX_OK:
                break;

          case EX_TEMPFAIL:
          case EX_IOERR:
          case EX_OSERR:
                q->q_state = QS_QUEUEUP;
                break;

          default:
                q->q_state = QS_BADADDR;
                break;
        }

        /* find most specific error code possible */
        if (mci != NULL && mci->mci_status != NULL)
        {
                status = sm_rpool_strdup_x(e->e_rpool, mci->mci_status);
                if (mci->mci_rstatus != NULL)
                        rstatus = sm_rpool_strdup_x(e->e_rpool,
                                                    mci->mci_rstatus);
                else
                        rstatus = NULL;
        }
        else if (e->e_status != NULL)
        {
                status = e->e_status;
                rstatus = NULL;
        }
        else
        {
                switch (rcode)
                {
                  case EX_USAGE:
                        status = "5.5.4";
                        break;

                  case EX_DATAERR:
                        status = "5.5.2";
                        break;

                  case EX_NOUSER:
                        status = "5.1.1";
                        break;

                  case EX_NOHOST:
                        status = "5.1.2";
                        break;

                  case EX_NOINPUT:
                  case EX_CANTCREAT:
                  case EX_NOPERM:
                        status = "5.3.0";
                        break;

                  case EX_UNAVAILABLE:
                  case EX_SOFTWARE:
                  case EX_OSFILE:
                  case EX_PROTOCOL:
                  case EX_CONFIG:
                        status = "5.5.0";
                        break;

                  case EX_OSERR:
                  case EX_IOERR:
                        status = "4.5.0";
                        break;

                  case EX_TEMPFAIL:
                        status = "4.2.0";
                        break;
                }
        }

        /* new status? */
        if (status != NULL && *status != '\0' && (ovr || q->q_status == NULL ||
            *q->q_status == '\0' || *q->q_status < *status))
        {
                q->q_status = status;
                q->q_rstatus = rstatus;
        }
        if (rcode != EX_OK && q->q_rstatus == NULL &&
            q->q_mailer != NULL && q->q_mailer->m_diagtype != NULL &&
            sm_strcasecmp(q->q_mailer->m_diagtype, "X-UNIX") == 0)
        {
                char buf[16];

                (void) sm_snprintf(buf, sizeof(buf), "%d", rcode);
                q->q_rstatus = sm_rpool_strdup_x(e->e_rpool, buf);
        }

        q->q_statdate = curtime();
        if (CurHostName != NULL && CurHostName[0] != '\0' &&
            mci != NULL && !bitset(M_LOCALMAILER, mci->mci_flags))
                q->q_statmta = sm_rpool_strdup_x(e->e_rpool, CurHostName);

        /* restore errno */
        errno = save_errno;
}
/*
**  ENDMAILER -- Wait for mailer to terminate.
**
**      We should never get fatal errors (e.g., segmentation
**      violation), so we report those specially.  For other
**      errors, we choose a status message (into statmsg),
**      and if it represents an error, we print it.
**
**      Parameters:
**              mci -- the mailer connection info.
**              e -- the current envelope.
**              pv -- the parameter vector that invoked the mailer
**                      (for error messages).
**
**      Returns:
**              exit code of mailer.
**
**      Side Effects:
**              none.
*/

static jmp_buf  EndWaitTimeout;

static void
endwaittimeout(ignore)
        int ignore;
{
        /*
        **  NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER.  DO NOT ADD
        **      ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE
        **      DOING.
        */

        errno = ETIMEDOUT;
        longjmp(EndWaitTimeout, 1);
}

int
endmailer(mci, e, pv)
        register MCI *mci;
        register ENVELOPE *e;
        char **pv;
{
        int st;
        int save_errno = errno;
        char buf[MAXLINE];
        SM_EVENT *ev = NULL;


        mci_unlock_host(mci);

        /* close output to mailer */
        if (mci->mci_out != NULL)
        {
                (void) sm_io_close(mci->mci_out, SM_TIME_DEFAULT);
                mci->mci_out = NULL;
        }

        /* copy any remaining input to transcript */
        if (mci->mci_in != NULL && mci->mci_state != MCIS_ERROR &&
            e->e_xfp != NULL)
        {
                while (sfgets(buf, sizeof(buf), mci->mci_in,
                              TimeOuts.to_quit, "Draining Input") != NULL)
                        (void) sm_io_fputs(e->e_xfp, SM_TIME_DEFAULT, buf);
        }

#if SASL
        /* close SASL connection */
        if (bitset(MCIF_AUTHACT, mci->mci_flags))
        {
                sasl_dispose(&mci->mci_conn);
                mci->mci_flags &= ~MCIF_AUTHACT;
        }
#endif /* SASL */

#if STARTTLS
        /* shutdown TLS */
        (void) endtlsclt(mci);
#endif /* STARTTLS */

        /* now close the input */
        if (mci->mci_in != NULL)
        {
                (void) sm_io_close(mci->mci_in, SM_TIME_DEFAULT);
                mci->mci_in = NULL;
        }
        mci->mci_state = MCIS_CLOSED;

        errno = save_errno;

        /* in the IPC case there is nothing to wait for */
        if (mci->mci_pid == 0)
                return EX_OK;

        /* put a timeout around the wait */
        if (mci->mci_mailer->m_wait > 0)
        {
                if (setjmp(EndWaitTimeout) == 0)
                        ev = sm_setevent(mci->mci_mailer->m_wait,
                                         endwaittimeout, 0);
                else
                {
                        syserr("endmailer %s: wait timeout (%ld)",
                               mci->mci_mailer->m_name,
                               (long) mci->mci_mailer->m_wait);
                        return EX_TEMPFAIL;
                }
        }

        /* wait for the mailer process, collect status */
        st = waitfor(mci->mci_pid);
        save_errno = errno;
        if (ev != NULL)
                sm_clrevent(ev);
        errno = save_errno;

        if (st == -1)
        {
                syserr("endmailer %s: wait", mci->mci_mailer->m_name);
                return EX_SOFTWARE;
        }

        if (WIFEXITED(st))
        {
                /* normal death -- return status */
                return (WEXITSTATUS(st));
        }

        /* it died a horrid death */
        syserr("451 4.3.0 mailer %s died with signal %d%s",
                mci->mci_mailer->m_name, WTERMSIG(st),
                WCOREDUMP(st) ? " (core dumped)" :
                (WIFSTOPPED(st) ? " (stopped)" : ""));

        /* log the arguments */
        if (pv != NULL && e->e_xfp != NULL)
        {
                register char **av;

                (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT, "Arguments:");
                for (av = pv; *av != NULL; av++)
                        (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT, " %s",
                                             *av);
                (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT, "\n");
        }

        ExitStat = EX_TEMPFAIL;
        return EX_TEMPFAIL;
}
/*
**  GIVERESPONSE -- Interpret an error response from a mailer
**
**      Parameters:
**              status -- the status code from the mailer (high byte
**                      only; core dumps must have been taken care of
**                      already).
**              dsn -- the DSN associated with the address, if any.
**              m -- the mailer info for this mailer.
**              mci -- the mailer connection info -- can be NULL if the
**                      response is given before the connection is made.
**              ctladdr -- the controlling address for the recipient
**                      address(es).
**              xstart -- the transaction start time, for computing
**                      transaction delays.
**              e -- the current envelope.
**              to -- the current recipient (NULL if none).
**
**      Returns:
**              none.
**
**      Side Effects:
**              Errors may be incremented.
**              ExitStat may be set.
*/

void
giveresponse(status, dsn, m, mci, ctladdr, xstart, e, to)
        int status;
        char *dsn;
        register MAILER *m;
        register MCI *mci;
        ADDRESS *ctladdr;
        time_t xstart;
        ENVELOPE *e;
        ADDRESS *to;
{
        register const char *statmsg;
        int errnum = errno;
        int off = 4;
        bool usestat = false;
        char dsnbuf[ENHSCLEN];
        char buf[MAXLINE];
        char *exmsg;

        if (e == NULL)
        {
                syserr("giveresponse: null envelope");
                /* NOTREACHED */
                SM_ASSERT(0);
        }

        /*
        **  Compute status message from code.
        */

        exmsg = sm_sysexmsg(status);
        if (status == 0)
        {
                statmsg = "250 2.0.0 Sent";
                if (e->e_statmsg != NULL)
                {
                        (void) sm_snprintf(buf, sizeof(buf), "%s (%s)",
                                           statmsg,
                                           shortenstring(e->e_statmsg, 403));
                        statmsg = buf;
                }
        }
        else if (exmsg == NULL)
        {
                (void) sm_snprintf(buf, sizeof(buf),
                                   "554 5.3.0 unknown mailer error %d",
                                   status);
                status = EX_UNAVAILABLE;
                statmsg = buf;
                usestat = true;
        }
        else if (status == EX_TEMPFAIL)
        {
                char *bp = buf;

                (void) sm_strlcpy(bp, exmsg + 1, SPACELEFT(buf, bp));
                bp += strlen(bp);
#if NAMED_BIND
                if (h_errno == TRY_AGAIN)
                        statmsg = sm_errstring(h_errno + E_DNSBASE);
                else
#endif /* NAMED_BIND */
                {
                        if (errnum != 0)
                                statmsg = sm_errstring(errnum);
                        else
                                statmsg = SmtpError;
                }
                if (statmsg != NULL && statmsg[0] != '\0')
                {
                        switch (errnum)
                        {
#ifdef ENETDOWN
                          case ENETDOWN:        /* Network is down */
#endif /* ENETDOWN */
#ifdef ENETUNREACH
                          case ENETUNREACH:     /* Network is unreachable */
#endif /* ENETUNREACH */
#ifdef ENETRESET
                          case ENETRESET:       /* Network dropped connection on reset */
#endif /* ENETRESET */
#ifdef ECONNABORTED
                          case ECONNABORTED:    /* Software caused connection abort */
#endif /* ECONNABORTED */
#ifdef EHOSTDOWN
                          case EHOSTDOWN:       /* Host is down */
#endif /* EHOSTDOWN */
#ifdef EHOSTUNREACH
                          case EHOSTUNREACH:    /* No route to host */
#endif /* EHOSTUNREACH */
                                if (mci != NULL && mci->mci_host != NULL)
                                {
                                        (void) sm_strlcpyn(bp,
                                                           SPACELEFT(buf, bp),
                                                           2, ": ",
                                                           mci->mci_host);
                                        bp += strlen(bp);
                                }
                                break;
                        }
                        (void) sm_strlcpyn(bp, SPACELEFT(buf, bp), 2, ": ",
                                           statmsg);
                        usestat = true;
                }
                statmsg = buf;
        }
#if NAMED_BIND
        else if (status == EX_NOHOST && h_errno != 0)
        {
                statmsg = sm_errstring(h_errno + E_DNSBASE);
                (void) sm_snprintf(buf, sizeof(buf), "%s (%s)", exmsg + 1,
                                   statmsg);
                statmsg = buf;
                usestat = true;
        }
#endif /* NAMED_BIND */
        else
        {
                statmsg = exmsg;
                if (*statmsg++ == ':' && errnum != 0)
                {
                        (void) sm_snprintf(buf, sizeof(buf), "%s: %s", statmsg,
                                           sm_errstring(errnum));
                        statmsg = buf;
                        usestat = true;
                }
                else if (bitnset(M_LMTP, m->m_flags) && e->e_statmsg != NULL)
                {
                        (void) sm_snprintf(buf, sizeof(buf), "%s (%s)", statmsg,
                                           shortenstring(e->e_statmsg, 403));
                        statmsg = buf;
                        usestat = true;
                }
        }

        /*
        **  Print the message as appropriate
        */

        if (status == EX_OK || status == EX_TEMPFAIL)
        {
                extern char MsgBuf[];

                if ((off = isenhsc(statmsg + 4, ' ')) > 0)
                {
                        if (dsn == NULL)
                        {
                                (void) sm_snprintf(dsnbuf, sizeof(dsnbuf),
                                                   "%.*s", off, statmsg + 4);
                                dsn = dsnbuf;
                        }
                        off += 5;
                }
                else
                {
                        off = 4;
                }
                message("%s", statmsg + off);
                if (status == EX_TEMPFAIL && e->e_xfp != NULL)
                        (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT, "%s\n",
                                             &MsgBuf[4]);
        }
        else
        {
                char mbuf[ENHSCLEN + 4];

                Errors++;
                if ((off = isenhsc(statmsg + 4, ' ')) > 0 &&
                    off < sizeof(mbuf) - 4)
                {
                        if (dsn == NULL)
                        {
                                (void) sm_snprintf(dsnbuf, sizeof(dsnbuf),
                                                   "%.*s", off, statmsg + 4);
                                dsn = dsnbuf;
                        }
                        off += 5;

                        /* copy only part of statmsg to mbuf */
                        (void) sm_strlcpy(mbuf, statmsg, off);
                        (void) sm_strlcat(mbuf, " %s", sizeof(mbuf));
                }
                else
                {
                        dsnbuf[0] = '\0';
                        (void) sm_snprintf(mbuf, sizeof(mbuf), "%.3s %%s",
                                           statmsg);
                        off = 4;
                }
                usrerr(mbuf, &statmsg[off]);
        }

        /*
        **  Final cleanup.
        **      Log a record of the transaction.  Compute the new
        **      ExitStat -- if we already had an error, stick with
        **      that.
        */

        if (OpMode != MD_VERIFY && !bitset(EF_VRFYONLY, e->e_flags) &&
            LogLevel > ((status == EX_TEMPFAIL) ? 8 : (status == EX_OK) ? 7 : 6))
                logdelivery(m, mci, dsn, statmsg + off, ctladdr, xstart, e);

        if (tTd(11, 2))
                sm_dprintf("giveresponse: status=%d, dsn=%s, e->e_message=%s, errnum=%d\n",
                           status,
                           dsn == NULL ? "<NULL>" : dsn,
                           e->e_message == NULL ? "<NULL>" : e->e_message,
                           errnum);

        if (status != EX_TEMPFAIL)
                setstat(status);
        if (status != EX_OK && (status != EX_TEMPFAIL || e->e_message == NULL))
                e->e_message = sm_rpool_strdup_x(e->e_rpool, statmsg + off);
        if (status != EX_OK && to != NULL && to->q_message == NULL)
        {
                if (!usestat && e->e_message != NULL)
                        to->q_message = sm_rpool_strdup_x(e->e_rpool,
                                                          e->e_message);
                else
                        to->q_message = sm_rpool_strdup_x(e->e_rpool,
                                                          statmsg + off);
        }
        errno = 0;
        SM_SET_H_ERRNO(0);
}
/*
**  LOGDELIVERY -- log the delivery in the system log
**
**      Care is taken to avoid logging lines that are too long, because
**      some versions of syslog have an unfortunate proclivity for core
**      dumping.  This is a hack, to be sure, that is at best empirical.
**
**      Parameters:
**              m -- the mailer info.  Can be NULL for initial queue.
**              mci -- the mailer connection info -- can be NULL if the
**                      log is occurring when no connection is active.
**              dsn -- the DSN attached to the status.
**              status -- the message to print for the status.
**              ctladdr -- the controlling address for the to list.
**              xstart -- the transaction start time, used for
**                      computing transaction delay.
**              e -- the current envelope.
**
**      Returns:
**              none
**
**      Side Effects:
**              none
*/

void
logdelivery(m, mci, dsn, status, ctladdr, xstart, e)
        MAILER *m;
        register MCI *mci;
        char *dsn;
        const char *status;
        ADDRESS *ctladdr;
        time_t xstart;
        register ENVELOPE *e;
{
        register char *bp;
        register char *p;
        int l;
        time_t now = curtime();
        char buf[1024];

#if (SYSLOG_BUFSIZE) >= 256
        /* ctladdr: max 106 bytes */
        bp = buf;
        if (ctladdr != NULL)
        {
                (void) sm_strlcpyn(bp, SPACELEFT(buf, bp), 2, ", ctladdr=",
                                   shortenstring(ctladdr->q_paddr, 83));
                bp += strlen(bp);
                if (bitset(QGOODUID, ctladdr->q_flags))
                {
                        (void) sm_snprintf(bp, SPACELEFT(buf, bp), " (%d/%d)",
                                           (int) ctladdr->q_uid,
                                           (int) ctladdr->q_gid);
                        bp += strlen(bp);
                }
        }

        /* delay & xdelay: max 41 bytes */
        (void) sm_strlcpyn(bp, SPACELEFT(buf, bp), 2, ", delay=",
                           pintvl(now - e->e_ctime, true));
        bp += strlen(bp);

        if (xstart != (time_t) 0)
        {
                (void) sm_strlcpyn(bp, SPACELEFT(buf, bp), 2, ", xdelay=",
                                   pintvl(now - xstart, true));
                bp += strlen(bp);
        }

        /* mailer: assume about 19 bytes (max 10 byte mailer name) */
        if (m != NULL)
        {
                (void) sm_strlcpyn(bp, SPACELEFT(buf, bp), 2, ", mailer=",
                                   m->m_name);
                bp += strlen(bp);
        }

        /* pri: changes with each delivery attempt */
        (void) sm_snprintf(bp, SPACELEFT(buf, bp), ", pri=%ld",
                e->e_msgpriority);
        bp += strlen(bp);

        /* relay: max 66 bytes for IPv4 addresses */
        if (mci != NULL && mci->mci_host != NULL)
        {
                extern SOCKADDR CurHostAddr;

                (void) sm_strlcpyn(bp, SPACELEFT(buf, bp), 2, ", relay=",
                                   shortenstring(mci->mci_host, 40));
                bp += strlen(bp);

                if (CurHostAddr.sa.sa_family != 0)
                {
                        (void) sm_snprintf(bp, SPACELEFT(buf, bp), " [%s]",
                                           anynet_ntoa(&CurHostAddr));
                }
        }
        else if (strcmp(status, "quarantined") == 0)
        {
                if (e->e_quarmsg != NULL)
                        (void) sm_snprintf(bp, SPACELEFT(buf, bp),
                                           ", quarantine=%s",
                                           shortenstring(e->e_quarmsg, 40));
        }
        else if (strcmp(status, "queued") != 0)
        {
                p = macvalue('h', e);
                if (p != NULL && p[0] != '\0')
                {
                        (void) sm_snprintf(bp, SPACELEFT(buf, bp),
                                           ", relay=%s", shortenstring(p, 40));
                }
        }
        bp += strlen(bp);

        /* dsn */
        if (dsn != NULL && *dsn != '\0')
        {
                (void) sm_strlcpyn(bp, SPACELEFT(buf, bp), 2, ", dsn=",
                                   shortenstring(dsn, ENHSCLEN));
                bp += strlen(bp);
        }

#if _FFR_LOG_NTRIES
        /* ntries */
        if (e->e_ntries >= 0)
        {
                (void) sm_snprintf(bp, SPACELEFT(buf, bp),
                                   ", ntries=%d", e->e_ntries + 1);
                bp += strlen(bp);
        }
#endif /* _FFR_LOG_NTRIES */

# define STATLEN                (((SYSLOG_BUFSIZE) - 100) / 4)
# if (STATLEN) < 63
#  undef STATLEN
#  define STATLEN       63
# endif /* (STATLEN) < 63 */
# if (STATLEN) > 203
#  undef STATLEN
#  define STATLEN       203
# endif /* (STATLEN) > 203 */

        /* stat: max 210 bytes */
        if ((bp - buf) > (sizeof(buf) - ((STATLEN) + 20)))
        {
                /* desperation move -- truncate data */
                bp = buf + sizeof(buf) - ((STATLEN) + 17);
                (void) sm_strlcpy(bp, "...", SPACELEFT(buf, bp));
                bp += 3;
        }

        (void) sm_strlcpy(bp, ", stat=", SPACELEFT(buf, bp));
        bp += strlen(bp);

        (void) sm_strlcpy(bp, shortenstring(status, STATLEN),
                          SPACELEFT(buf, bp));

        /* id, to: max 13 + TOBUFSIZE bytes */
        l = SYSLOG_BUFSIZE - 100 - strlen(buf);
        if (l < 0)
                l = 0;
        p = e->e_to == NULL ? "NO-TO-LIST" : e->e_to;
        while (strlen(p) >= l)
        {
                register char *q;

                for (q = p + l; q > p; q--)
                {
                        if (*q == ',')
                                break;
                }
                if (p == q)
                        break;
                sm_syslog(LOG_INFO, e->e_id, "to=%.*s [more]%s",
                          (int) (++q - p), p, buf);
                p = q;
        }
        sm_syslog(LOG_INFO, e->e_id, "to=%.*s%s", l, p, buf);

#else /* (SYSLOG_BUFSIZE) >= 256 */

        l = SYSLOG_BUFSIZE - 85;
        if (l < 0)
                l = 0;
        p = e->e_to == NULL ? "NO-TO-LIST" : e->e_to;
        while (strlen(p) >= l)
        {
                register char *q;

                for (q = p + l; q > p; q--)
                {
                        if (*q == ',')
                                break;
                }
                if (p == q)
                        break;

                sm_syslog(LOG_INFO, e->e_id, "to=%.*s [more]",
                          (int) (++q - p), p);
                p = q;
        }
        sm_syslog(LOG_INFO, e->e_id, "to=%.*s", l, p);

        if (ctladdr != NULL)
        {
                bp = buf;
                (void) sm_strlcpyn(bp, SPACELEFT(buf, bp), 2, "ctladdr=",
                                   shortenstring(ctladdr->q_paddr, 83));
                bp += strlen(bp);
                if (bitset(QGOODUID, ctladdr->q_flags))
                {
                        (void) sm_snprintf(bp, SPACELEFT(buf, bp), " (%d/%d)",
                                           ctladdr->q_uid, ctladdr->q_gid);
                        bp += strlen(bp);
                }
                sm_syslog(LOG_INFO, e->e_id, "%s", buf);
        }
        bp = buf;
        (void) sm_strlcpyn(bp, SPACELEFT(buf, bp), 2, "delay=",
                           pintvl(now - e->e_ctime, true));
        bp += strlen(bp);
        if (xstart != (time_t) 0)
        {
                (void) sm_strlcpyn(bp, SPACELEFT(buf, bp), 2, ", xdelay=",
                                   pintvl(now - xstart, true));
                bp += strlen(bp);
        }

        if (m != NULL)
        {
                (void) sm_strlcpyn(bp, SPACELEFT(buf, bp), 2, ", mailer=",
                                   m->m_name);
                bp += strlen(bp);
        }
        sm_syslog(LOG_INFO, e->e_id, "%.1000s", buf);

        buf[0] = '\0';
        bp = buf;
        if (mci != NULL && mci->mci_host != NULL)
        {
                extern SOCKADDR CurHostAddr;

                (void) sm_snprintf(bp, SPACELEFT(buf, bp), "relay=%.100s",
                                   mci->mci_host);
                bp += strlen(bp);

                if (CurHostAddr.sa.sa_family != 0)
                        (void) sm_snprintf(bp, SPACELEFT(buf, bp),
                                           " [%.100s]",
                                           anynet_ntoa(&CurHostAddr));
        }
        else if (strcmp(status, "quarantined") == 0)
        {
                if (e->e_quarmsg != NULL)
                        (void) sm_snprintf(bp, SPACELEFT(buf, bp),
                                           ", quarantine=%.100s",
                                           e->e_quarmsg);
        }
        else if (strcmp(status, "queued") != 0)
        {
                p = macvalue('h', e);
                if (p != NULL && p[0] != '\0')
                        (void) sm_snprintf(buf, sizeof(buf), "relay=%.100s", p);
        }
        if (buf[0] != '\0')
                sm_syslog(LOG_INFO, e->e_id, "%.1000s", buf);

        sm_syslog(LOG_INFO, e->e_id, "stat=%s", shortenstring(status, 63));
#endif /* (SYSLOG_BUFSIZE) >= 256 */
}
/*
**  PUTFROMLINE -- output a UNIX-style from line (or whatever)
**
**      This can be made an arbitrary message separator by changing $l
**
**      One of the ugliest hacks seen by human eyes is contained herein:
**      UUCP wants those stupid "remote from <host>" lines.  Why oh why
**      does a well-meaning programmer such as myself have to deal with
**      this kind of antique garbage????
**
**      Parameters:
**              mci -- the connection information.
**              e -- the envelope.
**
**      Returns:
**              true iff line was written successfully
**
**      Side Effects:
**              outputs some text to fp.
*/

bool
putfromline(mci, e)
        register MCI *mci;
        ENVELOPE *e;
{
        char *template = UnixFromLine;
        char buf[MAXLINE];
        char xbuf[MAXLINE];

        if (bitnset(M_NHDR, mci->mci_mailer->m_flags))
                return true;

        mci->mci_flags |= MCIF_INHEADER;

        if (bitnset(M_UGLYUUCP, mci->mci_mailer->m_flags))
        {
                char *bang;

                expand("\201g", buf, sizeof(buf), e);
                bang = strchr(buf, '!');
                if (bang == NULL)
                {
                        char *at;
                        char hname[MAXNAME];

                        /*
                        **  If we can construct a UUCP path, do so
                        */

                        at = strrchr(buf, '@');
                        if (at == NULL)
                        {
                                expand("\201k", hname, sizeof(hname), e);
                                at = hname;
                        }
                        else
                                *at++ = '\0';
                        (void) sm_snprintf(xbuf, sizeof(xbuf),
                                           "From %.800s  \201d remote from %.100s\n",
                                           buf, at);
                }
                else
                {
                        *bang++ = '\0';
                        (void) sm_snprintf(xbuf, sizeof(xbuf),
                                           "From %.800s  \201d remote from %.100s\n",
                                           bang, buf);
                        template = xbuf;
                }
        }
        expand(template, buf, sizeof(buf), e);
        return putxline(buf, strlen(buf), mci, PXLF_HEADER);
}

/*
**  PUTBODY -- put the body of a message.
**
**      Parameters:
**              mci -- the connection information.
**              e -- the envelope to put out.
**              separator -- if non-NULL, a message separator that must
**                      not be permitted in the resulting message.
**
**      Returns:
**              true iff message was written successfully
**
**      Side Effects:
**              The message is written onto fp.
*/

/* values for output state variable */
#define OSTATE_HEAD     0       /* at beginning of line */
#define OSTATE_CR       1       /* read a carriage return */
#define OSTATE_INLINE   2       /* putting rest of line */

bool
putbody(mci, e, separator)
        register MCI *mci;
        register ENVELOPE *e;
        char *separator;
{
        bool dead = false;
        bool ioerr = false;
        int save_errno;
        char buf[MAXLINE];
#if MIME8TO7
        char *boundaries[MAXMIMENESTING + 1];
#endif /* MIME8TO7 */

        /*
        **  Output the body of the message
        */

        if (e->e_dfp == NULL && bitset(EF_HAS_DF, e->e_flags))
        {
                char *df = queuename(e, DATAFL_LETTER);

                e->e_dfp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, df,
                                      SM_IO_RDONLY_B, NULL);
                if (e->e_dfp == NULL)
                {
                        char *msg = "!putbody: Cannot open %s for %s from %s";

                        if (errno == ENOENT)
                                msg++;
                        syserr(msg, df, e->e_to, e->e_from.q_paddr);
                }

        }
        if (e->e_dfp == NULL)
        {
                if (bitset(MCIF_INHEADER, mci->mci_flags))
                {
                        if (!putline("", mci))
                                goto writeerr;
                        mci->mci_flags &= ~MCIF_INHEADER;
                }
                if (!putline("<<< No Message Collected >>>", mci))
                        goto writeerr;
                goto endofmessage;
        }

        if (e->e_dfino == (ino_t) 0)
        {
                struct stat stbuf;

                if (fstat(sm_io_getinfo(e->e_dfp, SM_IO_WHAT_FD, NULL), &stbuf)
                    < 0)
                        e->e_dfino = -1;
                else
                {
                        e->e_dfdev = stbuf.st_dev;
                        e->e_dfino = stbuf.st_ino;
                }
        }

        /* paranoia: the data file should always be in a rewound state */
        (void) bfrewind(e->e_dfp);

        /* simulate an I/O timeout when used as source */
        if (tTd(84, 101))
                sleep(319);

#if MIME8TO7
        if (bitset(MCIF_CVT8TO7, mci->mci_flags))
        {
                /*
                **  Do 8 to 7 bit MIME conversion.
                */

                /* make sure it looks like a MIME message */
                if (hvalue("MIME-Version", e->e_header) == NULL &&
                    !putline("MIME-Version: 1.0", mci))
                        goto writeerr;

                if (hvalue("Content-Type", e->e_header) == NULL)
                {
                        (void) sm_snprintf(buf, sizeof(buf),
                                           "Content-Type: text/plain; charset=%s",
                                           defcharset(e));
                        if (!putline(buf, mci))
                                goto writeerr;
                }

                /* now do the hard work */
                boundaries[0] = NULL;
                mci->mci_flags |= MCIF_INHEADER;
                if (mime8to7(mci, e->e_header, e, boundaries, M87F_OUTER, 0) ==
                                                                SM_IO_EOF)
                        goto writeerr;
        }
# if MIME7TO8
        else if (bitset(MCIF_CVT7TO8, mci->mci_flags))
        {
                if (!mime7to8(mci, e->e_header, e))
                        goto writeerr;
        }
# endif /* MIME7TO8 */
        else if (MaxMimeHeaderLength > 0 || MaxMimeFieldLength > 0)
        {
                bool oldsuprerrs = SuprErrs;

                /* Use mime8to7 to check multipart for MIME header overflows */
                boundaries[0] = NULL;
                mci->mci_flags |= MCIF_INHEADER;

                /*
                **  If EF_DONT_MIME is set, we have a broken MIME message
                **  and don't want to generate a new bounce message whose
                **  body propagates the broken MIME.  We can't just not call
                **  mime8to7() as is done above since we need the security
                **  checks.  The best we can do is suppress the errors.
                */

                if (bitset(EF_DONT_MIME, e->e_flags))
                        SuprErrs = true;

                if (mime8to7(mci, e->e_header, e, boundaries,
                                M87F_OUTER|M87F_NO8TO7, 0) == SM_IO_EOF)
                        goto writeerr;

                /* restore SuprErrs */
                SuprErrs = oldsuprerrs;
        }
        else
#endif /* MIME8TO7 */
        {
                int ostate;
                register char *bp;
                register char *pbp;
                register int c;
                register char *xp;
                int padc;
                char *buflim;
                int pos = 0;
                char peekbuf[12];

                if (bitset(MCIF_INHEADER, mci->mci_flags))
                {
                        if (!putline("", mci))
                                goto writeerr;
                        mci->mci_flags &= ~MCIF_INHEADER;
                }

                /* determine end of buffer; allow for short mailer lines */
                buflim = &buf[sizeof(buf) - 1];
                if (mci->mci_mailer->m_linelimit > 0 &&
                    mci->mci_mailer->m_linelimit < sizeof(buf) - 1)
                        buflim = &buf[mci->mci_mailer->m_linelimit - 1];

                /* copy temp file to output with mapping */
                ostate = OSTATE_HEAD;
                bp = buf;
                pbp = peekbuf;
                while (!sm_io_error(mci->mci_out) && !dead)
                {
                        if (pbp > peekbuf)
                                c = *--pbp;
                        else if ((c = sm_io_getc(e->e_dfp, SM_TIME_DEFAULT))
                                 == SM_IO_EOF)
                                break;
                        if (bitset(MCIF_7BIT, mci->mci_flags))
                                c &= 0x7f;
                        switch (ostate)
                        {
                          case OSTATE_HEAD:
                                if (c == '\0' &&
                                    bitnset(M_NONULLS,
                                            mci->mci_mailer->m_flags))
                                        break;
                                if (c != '\r' && c != '\n' && bp < buflim)
                                {
                                        *bp++ = c;
                                        break;
                                }

                                /* check beginning of line for special cases */
                                *bp = '\0';
                                pos = 0;
                                padc = SM_IO_EOF;
                                if (buf[0] == 'F' &&
                                    bitnset(M_ESCFROM, mci->mci_mailer->m_flags)
                                    && strncmp(buf, "From ", 5) == 0)
                                {
                                        padc = '>';
                                }
                                if (buf[0] == '-' && buf[1] == '-' &&
                                    separator != NULL)
                                {
                                        /* possible separator */
                                        int sl = strlen(separator);

                                        if (strncmp(&buf[2], separator, sl)
                                            == 0)
                                                padc = ' ';
                                }
                                if (buf[0] == '.' &&
                                    bitnset(M_XDOT, mci->mci_mailer->m_flags))
                                {
                                        padc = '.';
                                }

                                /* now copy out saved line */
                                if (TrafficLogFile != NULL)
                                {
                                        (void) sm_io_fprintf(TrafficLogFile,
                                                             SM_TIME_DEFAULT,
                                                             "%05d >>> ",
                                                             (int) CurrentPid);
                                        if (padc != SM_IO_EOF)
                                                (void) sm_io_putc(TrafficLogFile,
                                                                  SM_TIME_DEFAULT,
                                                                  padc);
                                        for (xp = buf; xp < bp; xp++)
                                                (void) sm_io_putc(TrafficLogFile,
                                                                  SM_TIME_DEFAULT,
                                                                  (unsigned char) *xp);
                                        if (c == '\n')
                                                (void) sm_io_fputs(TrafficLogFile,
                                                                   SM_TIME_DEFAULT,
                                                                   mci->mci_mailer->m_eol);
                                }
                                if (padc != SM_IO_EOF)
                                {
                                        if (sm_io_putc(mci->mci_out,
                                                       SM_TIME_DEFAULT, padc)
                                            == SM_IO_EOF)
                                        {
                                                dead = true;
                                                continue;
                                        }
                                        pos++;
                                }
                                for (xp = buf; xp < bp; xp++)
                                {
                                        if (sm_io_putc(mci->mci_out,
                                                       SM_TIME_DEFAULT,
                                                       (unsigned char) *xp)
                                            == SM_IO_EOF)
                                        {
                                                dead = true;
                                                break;
                                        }
                                }
                                if (dead)
                                        continue;
                                if (c == '\n')
                                {
                                        if (sm_io_fputs(mci->mci_out,
                                                        SM_TIME_DEFAULT,
                                                        mci->mci_mailer->m_eol)
                                                        == SM_IO_EOF)
                                                break;
                                        pos = 0;
                                }
                                else
                                {
                                        pos += bp - buf;
                                        if (c != '\r')
                                        {
                                                SM_ASSERT(pbp < peekbuf +
                                                                sizeof(peekbuf));
                                                *pbp++ = c;
                                        }
                                }

                                bp = buf;

                                /* determine next state */
                                if (c == '\n')
                                        ostate = OSTATE_HEAD;
                                else if (c == '\r')
                                        ostate = OSTATE_CR;
                                else
                                        ostate = OSTATE_INLINE;
                                continue;

                          case OSTATE_CR:
                                if (c == '\n')
                                {
                                        /* got CRLF */
                                        if (sm_io_fputs(mci->mci_out,
                                                        SM_TIME_DEFAULT,
                                                        mci->mci_mailer->m_eol)
                                                        == SM_IO_EOF)
                                                continue;

                                        if (TrafficLogFile != NULL)
                                        {
                                                (void) sm_io_fputs(TrafficLogFile,
                                                                   SM_TIME_DEFAULT,
                                                                   mci->mci_mailer->m_eol);
                                        }
                                        pos = 0;
                                        ostate = OSTATE_HEAD;
                                        continue;
                                }

                                /* had a naked carriage return */
                                SM_ASSERT(pbp < peekbuf + sizeof(peekbuf));
                                *pbp++ = c;
                                c = '\r';
                                ostate = OSTATE_INLINE;
                                goto putch;

                          case OSTATE_INLINE:
                                if (c == '\r')
                                {
                                        ostate = OSTATE_CR;
                                        continue;
                                }
                                if (c == '\0' &&
                                    bitnset(M_NONULLS,
                                            mci->mci_mailer->m_flags))
                                        break;
putch:
                                if (mci->mci_mailer->m_linelimit > 0 &&
                                    pos >= mci->mci_mailer->m_linelimit - 1 &&
                                    c != '\n')
                                {
                                        int d;

                                        /* check next character for EOL */
                                        if (pbp > peekbuf)
                                                d = *(pbp - 1);
                                        else if ((d = sm_io_getc(e->e_dfp,
                                                                 SM_TIME_DEFAULT))
                                                 != SM_IO_EOF)
                                        {
                                                SM_ASSERT(pbp < peekbuf +
                                                                sizeof(peekbuf));
                                                *pbp++ = d;
                                        }

                                        if (d == '\n' || d == SM_IO_EOF)
                                        {
                                                if (TrafficLogFile != NULL)
                                                        (void) sm_io_putc(TrafficLogFile,
                                                                          SM_TIME_DEFAULT,
                                                                          (unsigned char) c);
                                                if (sm_io_putc(mci->mci_out,
                                                               SM_TIME_DEFAULT,
                                                               (unsigned char) c)
                                                               == SM_IO_EOF)
                                                {
                                                        dead = true;
                                                        continue;
                                                }
                                                pos++;
                                                continue;
                                        }

                                        if (sm_io_putc(mci->mci_out,
                                                       SM_TIME_DEFAULT, '!')
                                            == SM_IO_EOF ||
                                            sm_io_fputs(mci->mci_out,
                                                        SM_TIME_DEFAULT,
                                                        mci->mci_mailer->m_eol)
                                            == SM_IO_EOF)
                                        {
                                                dead = true;
                                                continue;
                                        }

                                        if (TrafficLogFile != NULL)
                                        {
                                                (void) sm_io_fprintf(TrafficLogFile,
                                                                     SM_TIME_DEFAULT,
                                                                     "!%s",
                                                                     mci->mci_mailer->m_eol);
                                        }
                                        ostate = OSTATE_HEAD;
                                        SM_ASSERT(pbp < peekbuf +
                                                        sizeof(peekbuf));
                                        *pbp++ = c;
                                        continue;
                                }
                                if (c == '\n')
                                {
                                        if (TrafficLogFile != NULL)
                                                (void) sm_io_fputs(TrafficLogFile,
                                                                   SM_TIME_DEFAULT,
                                                                   mci->mci_mailer->m_eol);
                                        if (sm_io_fputs(mci->mci_out,
                                                        SM_TIME_DEFAULT,
                                                        mci->mci_mailer->m_eol)
                                                        == SM_IO_EOF)
                                                continue;
                                        pos = 0;
                                        ostate = OSTATE_HEAD;
                                }
                                else
                                {
                                        if (TrafficLogFile != NULL)
                                                (void) sm_io_putc(TrafficLogFile,
                                                                  SM_TIME_DEFAULT,
                                                                  (unsigned char) c);
                                        if (sm_io_putc(mci->mci_out,
                                                       SM_TIME_DEFAULT,
                                                       (unsigned char) c)
                                            == SM_IO_EOF)
                                        {
                                                dead = true;
                                                continue;
                                        }
                                        pos++;
                                        ostate = OSTATE_INLINE;
                                }
                                break;
                        }
                }

                /* make sure we are at the beginning of a line */
                if (bp > buf)
                {
                        if (TrafficLogFile != NULL)
                        {
                                for (xp = buf; xp < bp; xp++)
                                        (void) sm_io_putc(TrafficLogFile,
                                                          SM_TIME_DEFAULT,
                                                          (unsigned char) *xp);
                        }
                        for (xp = buf; xp < bp; xp++)
                        {
                                if (sm_io_putc(mci->mci_out, SM_TIME_DEFAULT,
                                               (unsigned char) *xp)
                                    == SM_IO_EOF)
                                {
                                        dead = true;
                                        break;
                                }
                        }
                        pos += bp - buf;
                }
                if (!dead && pos > 0)
                {
                        if (TrafficLogFile != NULL)
                                (void) sm_io_fputs(TrafficLogFile,
                                                   SM_TIME_DEFAULT,
                                                   mci->mci_mailer->m_eol);
                        if (sm_io_fputs(mci->mci_out, SM_TIME_DEFAULT,
                                           mci->mci_mailer->m_eol) == SM_IO_EOF)
                                goto writeerr;
                }
        }

        if (sm_io_error(e->e_dfp))
        {
                syserr("putbody: %s/%cf%s: read error",
                       qid_printqueue(e->e_dfqgrp, e->e_dfqdir),
                       DATAFL_LETTER, e->e_id);
                ExitStat = EX_IOERR;
                ioerr = true;
        }

endofmessage:
        /*
        **  Since mailfile() uses e_dfp in a child process,
        **  the file offset in the stdio library for the
        **  parent process will not agree with the in-kernel
        **  file offset since the file descriptor is shared
        **  between the processes.  Therefore, it is vital
        **  that the file always be rewound.  This forces the
        **  kernel offset (lseek) and stdio library (ftell)
        **  offset to match.
        */

        save_errno = errno;
        if (e->e_dfp != NULL)
                (void) bfrewind(e->e_dfp);

        /* some mailers want extra blank line at end of message */
        if (!dead && bitnset(M_BLANKEND, mci->mci_mailer->m_flags) &&
            buf[0] != '\0' && buf[0] != '\n')
        {
                if (!putline("", mci))
                        goto writeerr;
        }

        if (!dead &&
            (sm_io_flush(mci->mci_out, SM_TIME_DEFAULT) == SM_IO_EOF ||
             (sm_io_error(mci->mci_out) && errno != EPIPE)))
        {
                save_errno = errno;
                syserr("putbody: write error");
                ExitStat = EX_IOERR;
                ioerr = true;
        }

        errno = save_errno;
        return !dead && !ioerr;

  writeerr:
        return false;
}

/*
**  MAILFILE -- Send a message to a file.
**
**      If the file has the set-user-ID/set-group-ID bits set, but NO
**      execute bits, sendmail will try to become the owner of that file
**      rather than the real user.  Obviously, this only works if
**      sendmail runs as root.
**
**      This could be done as a subordinate mailer, except that it
**      is used implicitly to save messages in ~/dead.letter.  We
**      view this as being sufficiently important as to include it
**      here.  For example, if the system is dying, we shouldn't have
**      to create another process plus some pipes to save the message.
**
**      Parameters:
**              filename -- the name of the file to send to.
**              mailer -- mailer definition for recipient -- if NULL,
**                      use FileMailer.
**              ctladdr -- the controlling address header -- includes
**                      the userid/groupid to be when sending.
**              sfflags -- flags for opening.
**              e -- the current envelope.
**
**      Returns:
**              The exit code associated with the operation.
**
**      Side Effects:
**              none.
*/

# define RETURN(st)                     exit(st);

static jmp_buf  CtxMailfileTimeout;

int
mailfile(filename, mailer, ctladdr, sfflags, e)
        char *volatile filename;
        MAILER *volatile mailer;
        ADDRESS *ctladdr;
        volatile long sfflags;
        register ENVELOPE *e;
{
        register SM_FILE_T *f;
        register pid_t pid = -1;
        volatile int mode;
        int len;
        off_t curoff;
        bool suidwarn = geteuid() == 0;
        char *p;
        char *volatile realfile;
        SM_EVENT *ev;
        char buf[MAXPATHLEN];
        char targetfile[MAXPATHLEN];

        if (tTd(11, 1))
        {
                sm_dprintf("mailfile %s\n  ctladdr=", filename);
                printaddr(sm_debug_file(), ctladdr, false);
        }

        if (mailer == NULL)
                mailer = FileMailer;

        if (e->e_xfp != NULL)
                (void) sm_io_flush(e->e_xfp, SM_TIME_DEFAULT);

        /*
        **  Special case /dev/null.  This allows us to restrict file
        **  delivery to regular files only.
        */

        if (sm_path_isdevnull(filename))
                return EX_OK;

        /* check for 8-bit available */
        if (bitset(EF_HAS8BIT, e->e_flags) &&
            bitnset(M_7BITS, mailer->m_flags) &&
            (bitset(EF_DONT_MIME, e->e_flags) ||
             !(bitset(MM_MIME8BIT, MimeMode) ||
               (bitset(EF_IS_MIME, e->e_flags) &&
                bitset(MM_CVTMIME, MimeMode)))))
        {
                e->e_status = "5.6.3";
                usrerrenh(e->e_status,
                          "554 Cannot send 8-bit data to 7-bit destination");
                errno = 0;
                return EX_DATAERR;
        }

        /* Find the actual file */
        if (SafeFileEnv != NULL && SafeFileEnv[0] != '\0')
        {
                len = strlen(SafeFileEnv);

                if (strncmp(SafeFileEnv, filename, len) == 0)
                        filename += len;

                if (len + strlen(filename) + 1 >= sizeof(targetfile))
                {
                        syserr("mailfile: filename too long (%s/%s)",
                               SafeFileEnv, filename);
                        return EX_CANTCREAT;
                }
                (void) sm_strlcpy(targetfile, SafeFileEnv, sizeof(targetfile));
                realfile = targetfile + len;
                if (*filename == '/')
                        filename++;
                if (*filename != '\0')
                {
                        /* paranoia: trailing / should be removed in readcf */
                        if (targetfile[len - 1] != '/')
                                (void) sm_strlcat(targetfile,
                                                  "/", sizeof(targetfile));
                        (void) sm_strlcat(targetfile, filename,
                                          sizeof(targetfile));
                }
        }
        else if (mailer->m_rootdir != NULL)
        {
                expand(mailer->m_rootdir, targetfile, sizeof(targetfile), e);
                len = strlen(targetfile);

                if (strncmp(targetfile, filename, len) == 0)
                        filename += len;

                if (len + strlen(filename) + 1 >= sizeof(targetfile))
                {
                        syserr("mailfile: filename too long (%s/%s)",
                               targetfile, filename);
                        return EX_CANTCREAT;
                }
                realfile = targetfile + len;
                if (targetfile[len - 1] != '/')
                        (void) sm_strlcat(targetfile, "/", sizeof(targetfile));
                if (*filename == '/')
                        (void) sm_strlcat(targetfile, filename + 1,
                                          sizeof(targetfile));
                else
                        (void) sm_strlcat(targetfile, filename,
                                          sizeof(targetfile));
        }
        else
        {
                if (sm_strlcpy(targetfile, filename, sizeof(targetfile)) >=
                    sizeof(targetfile))
                {
                        syserr("mailfile: filename too long (%s)", filename);
                        return EX_CANTCREAT;
                }
                realfile = targetfile;
        }

        /*
        **  Fork so we can change permissions here.
        **      Note that we MUST use fork, not vfork, because of
        **      the complications of calling subroutines, etc.
        */


        /*
        **  Dispose of SIGCHLD signal catchers that may be laying
        **  around so that the waitfor() below will get it.
        */

        (void) sm_signal(SIGCHLD, SIG_DFL);

        DOFORK(fork);

        if (pid < 0)
                return EX_OSERR;
        else if (pid == 0)
        {
                /* child -- actually write to file */
                struct stat stb;
                MCI mcibuf;
                int err;
                volatile int oflags = O_WRONLY|O_APPEND;

                /* Reset global flags */
                RestartRequest = NULL;
                RestartWorkGroup = false;
                ShutdownRequest = NULL;
                PendingSignal = 0;
                CurrentPid = getpid();

                if (e->e_lockfp != NULL)
                {
                        int fd;

                        fd = sm_io_getinfo(e->e_lockfp, SM_IO_WHAT_FD, NULL);
                        /* SM_ASSERT(fd >= 0); */
                        if (fd >= 0)
                                (void) close(fd);
                }

                (void) sm_signal(SIGINT, SIG_DFL);
                (void) sm_signal(SIGHUP, SIG_DFL);
                (void) sm_signal(SIGTERM, SIG_DFL);
                (void) umask(OldUmask);
                e->e_to = filename;
                ExitStat = EX_OK;

                if (setjmp(CtxMailfileTimeout) != 0)
                {
                        RETURN(EX_TEMPFAIL);
                }

                if (TimeOuts.to_fileopen > 0)
                        ev = sm_setevent(TimeOuts.to_fileopen, mailfiletimeout,
                                         0);
                else
                        ev = NULL;

                /* check file mode to see if set-user-ID */
                if (stat(targetfile, &stb) < 0)
                        mode = FileMode;
                else
                        mode = stb.st_mode;

                /* limit the errors to those actually caused in the child */
                errno = 0;
                ExitStat = EX_OK;

                /* Allow alias expansions to use the S_IS{U,G}ID bits */
                if ((ctladdr != NULL && !bitset(QALIAS, ctladdr->q_flags)) ||
                    bitset(SFF_RUNASREALUID, sfflags))
                {
                        /* ignore set-user-ID and set-group-ID bits */
                        mode &= ~(S_ISGID|S_ISUID);
                        if (tTd(11, 20))
                                sm_dprintf("mailfile: ignoring set-user-ID/set-group-ID bits\n");
                }

                /* we have to open the data file BEFORE setuid() */
                if (e->e_dfp == NULL && bitset(EF_HAS_DF, e->e_flags))
                {
                        char *df = queuename(e, DATAFL_LETTER);

                        e->e_dfp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, df,
                                              SM_IO_RDONLY_B, NULL);
                        if (e->e_dfp == NULL)
                        {
                                syserr("mailfile: Cannot open %s for %s from %s",
                                        df, e->e_to, e->e_from.q_paddr);
                        }
                }

                /* select a new user to run as */
                if (!bitset(SFF_RUNASREALUID, sfflags))
                {
                        if (bitnset(M_SPECIFIC_UID, mailer->m_flags))
                        {
                                RealUserName = NULL;
                                if (mailer->m_uid == NO_UID)
                                        RealUid = RunAsUid;
                                else
                                        RealUid = mailer->m_uid;
                                if (RunAsUid != 0 && RealUid != RunAsUid)
                                {
                                        /* Only root can change the uid */
                                        syserr("mailfile: insufficient privileges to change uid, RunAsUid=%d, RealUid=%d",
                                                (int) RunAsUid, (int) RealUid);
                                        RETURN(EX_TEMPFAIL);
                                }
                        }
                        else if (bitset(S_ISUID, mode))
                        {
                                RealUserName = NULL;
                                RealUid = stb.st_uid;
                        }
                        else if (ctladdr != NULL && ctladdr->q_uid != 0)
                        {
                                if (ctladdr->q_ruser != NULL)
                                        RealUserName = ctladdr->q_ruser;
                                else
                                        RealUserName = ctladdr->q_user;
                                RealUid = ctladdr->q_uid;
                        }
                        else if (mailer != NULL && mailer->m_uid != NO_UID)
                        {
                                RealUserName = DefUser;
                                RealUid = mailer->m_uid;
                        }
                        else
                        {
                                RealUserName = DefUser;
                                RealUid = DefUid;
                        }

                        /* select a new group to run as */
                        if (bitnset(M_SPECIFIC_UID, mailer->m_flags))
                        {
                                if (mailer->m_gid == NO_GID)
                                        RealGid = RunAsGid;
                                else
                                        RealGid = mailer->m_gid;
                                if (RunAsUid != 0 &&
                                    (RealGid != getgid() ||
                                     RealGid != getegid()))
                                {
                                        /* Only root can change the gid */
                                        syserr("mailfile: insufficient privileges to change gid, RealGid=%d, RunAsUid=%d, gid=%d, egid=%d",
                                               (int) RealGid, (int) RunAsUid,
                                               (int) getgid(), (int) getegid());
                                        RETURN(EX_TEMPFAIL);
                                }
                        }
                        else if (bitset(S_ISGID, mode))
                                RealGid = stb.st_gid;
                        else if (ctladdr != NULL &&
                                 ctladdr->q_uid == DefUid &&
                                 ctladdr->q_gid == 0)
                        {
                                /*
                                **  Special case:  This means it is an
                                **  alias and we should act as DefaultUser.
                                **  See alias()'s comments.
                                */

                                RealGid = DefGid;
                                RealUserName = DefUser;
                        }
                        else if (ctladdr != NULL && ctladdr->q_uid != 0)
                                RealGid = ctladdr->q_gid;
                        else if (mailer != NULL && mailer->m_gid != NO_GID)
                                RealGid = mailer->m_gid;
                        else
                                RealGid = DefGid;
                }

                /* last ditch */
                if (!bitset(SFF_ROOTOK, sfflags))
                {
                        if (RealUid == 0)
                                RealUid = DefUid;
                        if (RealGid == 0)
                                RealGid = DefGid;
                }

                /* set group id list (needs /etc/group access) */
                if (RealUserName != NULL && !DontInitGroups)
                {
                        if (initgroups(RealUserName, RealGid) == -1 && suidwarn)
                        {
                                syserr("mailfile: initgroups(%s, %d) failed",
                                        RealUserName, RealGid);
                                RETURN(EX_TEMPFAIL);
                        }
                }
                else
                {
                        GIDSET_T gidset[1];

                        gidset[0] = RealGid;
                        if (setgroups(1, gidset) == -1 && suidwarn)
                        {
                                syserr("mailfile: setgroups() failed");
                                RETURN(EX_TEMPFAIL);
                        }
                }

                /*
                **  If you have a safe environment, go into it.
                */

                if (realfile != targetfile)
                {
                        char save;

                        save = *realfile;
                        *realfile = '\0';
                        if (tTd(11, 20))
                                sm_dprintf("mailfile: chroot %s\n", targetfile);
                        if (chroot(targetfile) < 0)
                        {
                                syserr("mailfile: Cannot chroot(%s)",
                                       targetfile);
                                RETURN(EX_CANTCREAT);
                        }
                        *realfile = save;
                }

                if (tTd(11, 40))
                        sm_dprintf("mailfile: deliver to %s\n", realfile);

                if (chdir("/") < 0)
                {
                        syserr("mailfile: cannot chdir(/)");
                        RETURN(EX_CANTCREAT);
                }

                /* now reset the group and user ids */
                endpwent();
                sm_mbdb_terminate();
                if (setgid(RealGid) < 0 && suidwarn)
                {
                        syserr("mailfile: setgid(%ld) failed", (long) RealGid);
                        RETURN(EX_TEMPFAIL);
                }
                vendor_set_uid(RealUid);
                if (setuid(RealUid) < 0 && suidwarn)
                {
                        syserr("mailfile: setuid(%ld) failed", (long) RealUid);
                        RETURN(EX_TEMPFAIL);
                }

                if (tTd(11, 2))
                        sm_dprintf("mailfile: running as r/euid=%d/%d, r/egid=%d/%d\n",
                                (int) getuid(), (int) geteuid(),
                                (int) getgid(), (int) getegid());


                /* move into some "safe" directory */
                if (mailer->m_execdir != NULL)
                {
                        char *q;

                        for (p = mailer->m_execdir; p != NULL; p = q)
                        {
                                q = strchr(p, ':');
                                if (q != NULL)
                                        *q = '\0';
                                expand(p, buf, sizeof(buf), e);
                                if (q != NULL)
                                        *q++ = ':';
                                if (tTd(11, 20))
                                        sm_dprintf("mailfile: trydir %s\n",
                                                   buf);
                                if (buf[0] != '\0' && chdir(buf) >= 0)
                                        break;
                        }
                }

                /*
                **  Recheck the file after we have assumed the ID of the
                **  delivery user to make sure we can deliver to it as
                **  that user.  This is necessary if sendmail is running
                **  as root and the file is on an NFS mount which treats
                **  root as nobody.
                */

#if HASLSTAT
                if (bitnset(DBS_FILEDELIVERYTOSYMLINK, DontBlameSendmail))
                        err = stat(realfile, &stb);
                else
                        err = lstat(realfile, &stb);
#else /* HASLSTAT */
                err = stat(realfile, &stb);
#endif /* HASLSTAT */

                if (err < 0)
                {
                        stb.st_mode = ST_MODE_NOFILE;
                        mode = FileMode;
                        oflags |= O_CREAT|O_EXCL;
                }
                else if (bitset(S_IXUSR|S_IXGRP|S_IXOTH, mode) ||
                         (!bitnset(DBS_FILEDELIVERYTOHARDLINK,
                                   DontBlameSendmail) &&
                          stb.st_nlink != 1) ||
                         (realfile != targetfile && !S_ISREG(mode)))
                        exit(EX_CANTCREAT);
                else
                        mode = stb.st_mode;

                if (!bitnset(DBS_FILEDELIVERYTOSYMLINK, DontBlameSendmail))
                        sfflags |= SFF_NOSLINK;
                if (!bitnset(DBS_FILEDELIVERYTOHARDLINK, DontBlameSendmail))
                        sfflags |= SFF_NOHLINK;
                sfflags &= ~SFF_OPENASROOT;
                f = safefopen(realfile, oflags, mode, sfflags);
                if (f == NULL)
                {
                        if (transienterror(errno))
                        {
                                usrerr("454 4.3.0 cannot open %s: %s",
                                       shortenstring(realfile, MAXSHORTSTR),
                                       sm_errstring(errno));
                                RETURN(EX_TEMPFAIL);
                        }
                        else
                        {
                                usrerr("554 5.3.0 cannot open %s: %s",
                                       shortenstring(realfile, MAXSHORTSTR),
                                       sm_errstring(errno));
                                RETURN(EX_CANTCREAT);
                        }
                }
                if (filechanged(realfile, sm_io_getinfo(f, SM_IO_WHAT_FD, NULL),
                    &stb))
                {
                        syserr("554 5.3.0 file changed after open");
                        RETURN(EX_CANTCREAT);
                }
                if (fstat(sm_io_getinfo(f, SM_IO_WHAT_FD, NULL), &stb) < 0)
                {
                        syserr("554 5.3.0 cannot fstat %s",
                                sm_errstring(errno));
                        RETURN(EX_CANTCREAT);
                }

                curoff = stb.st_size;

                if (ev != NULL)
                        sm_clrevent(ev);

                memset(&mcibuf, '\0', sizeof(mcibuf));
                mcibuf.mci_mailer = mailer;
                mcibuf.mci_out = f;
                if (bitnset(M_7BITS, mailer->m_flags))
                        mcibuf.mci_flags |= MCIF_7BIT;

                /* clear out per-message flags from connection structure */
                mcibuf.mci_flags &= ~(MCIF_CVT7TO8|MCIF_CVT8TO7);

                if (bitset(EF_HAS8BIT, e->e_flags) &&
                    !bitset(EF_DONT_MIME, e->e_flags) &&
                    bitnset(M_7BITS, mailer->m_flags))
                        mcibuf.mci_flags |= MCIF_CVT8TO7;

#if MIME7TO8
                if (bitnset(M_MAKE8BIT, mailer->m_flags) &&
                    !bitset(MCIF_7BIT, mcibuf.mci_flags) &&
                    (p = hvalue("Content-Transfer-Encoding", e->e_header)) != NULL &&
                    (sm_strcasecmp(p, "quoted-printable") == 0 ||
                     sm_strcasecmp(p, "base64") == 0) &&
                    (p = hvalue("Content-Type", e->e_header)) != NULL)
                {
                        /* may want to convert 7 -> 8 */
                        /* XXX should really parse it here -- and use a class XXX */
                        if (sm_strncasecmp(p, "text/plain", 10) == 0 &&
                            (p[10] == '\0' || p[10] == ' ' || p[10] == ';'))
                                mcibuf.mci_flags |= MCIF_CVT7TO8;
                }
#endif /* MIME7TO8 */

                if (!putfromline(&mcibuf, e) ||
                    !(*e->e_puthdr)(&mcibuf, e->e_header, e, M87F_OUTER) ||
                    !(*e->e_putbody)(&mcibuf, e, NULL) ||
                    !putline("\n", &mcibuf) ||
                    (sm_io_flush(f, SM_TIME_DEFAULT) != 0 ||
                    (SuperSafe != SAFE_NO &&
                     fsync(sm_io_getinfo(f, SM_IO_WHAT_FD, NULL)) < 0) ||
                    sm_io_error(f)))
                {
                        setstat(EX_IOERR);
#if !NOFTRUNCATE
                        (void) ftruncate(sm_io_getinfo(f, SM_IO_WHAT_FD, NULL),
                                         curoff);
#endif /* !NOFTRUNCATE */
                }

                /* reset ISUID & ISGID bits for paranoid systems */
#if HASFCHMOD
                (void) fchmod(sm_io_getinfo(f, SM_IO_WHAT_FD, NULL),
                              (MODE_T) mode);
#else /* HASFCHMOD */
                (void) chmod(filename, (MODE_T) mode);
#endif /* HASFCHMOD */
                if (sm_io_close(f, SM_TIME_DEFAULT) < 0)
                        setstat(EX_IOERR);
                (void) sm_io_flush(smioout, SM_TIME_DEFAULT);
                (void) setuid(RealUid);
                exit(ExitStat);
                /* NOTREACHED */
        }
        else
        {
                /* parent -- wait for exit status */
                int st;

                st = waitfor(pid);
                if (st == -1)
                {
                        syserr("mailfile: %s: wait", mailer->m_name);
                        return EX_SOFTWARE;
                }
                if (WIFEXITED(st))
                {
                        errno = 0;
                        return (WEXITSTATUS(st));
                }
                else
                {
                        syserr("mailfile: %s: child died on signal %d",
                               mailer->m_name, st);
                        return EX_UNAVAILABLE;
                }
                /* NOTREACHED */
        }
        return EX_UNAVAILABLE;  /* avoid compiler warning on IRIX */
}

static void
mailfiletimeout(ignore)
        int ignore;
{
        /*
        **  NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER.  DO NOT ADD
        **      ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE
        **      DOING.
        */

        errno = ETIMEDOUT;
        longjmp(CtxMailfileTimeout, 1);
}
/*
**  HOSTSIGNATURE -- return the "signature" for a host.
**
**      The signature describes how we are going to send this -- it
**      can be just the hostname (for non-Internet hosts) or can be
**      an ordered list of MX hosts.
**
**      Parameters:
**              m -- the mailer describing this host.
**              host -- the host name.
**
**      Returns:
**              The signature for this host.
**
**      Side Effects:
**              Can tweak the symbol table.
*/

#define MAXHOSTSIGNATURE        8192    /* max len of hostsignature */

char *
hostsignature(m, host)
        register MAILER *m;
        char *host;
{
        register char *p;
        register STAB *s;
        time_t now;
#if NAMED_BIND
        char sep = ':';
        char prevsep = ':';
        int i;
        int len;
        int nmx;
        int hl;
        char *hp;
        char *endp;
        int oldoptions = _res.options;
        char *mxhosts[MAXMXHOSTS + 1];
        unsigned short mxprefs[MAXMXHOSTS + 1];
#endif /* NAMED_BIND */

        if (tTd(17, 3))
                sm_dprintf("hostsignature(%s)\n", host);

        /*
        **  If local delivery (and not remote), just return a constant.
        */

        if (bitnset(M_LOCALMAILER, m->m_flags) &&
            strcmp(m->m_mailer, "[IPC]") != 0 &&
            !(m->m_argv[0] != NULL && strcmp(m->m_argv[0], "TCP") == 0))
                return "localhost";

        /* an empty host does not have MX records */
        if (*host == '\0')
                return "_empty_";

        /*
        **  Check to see if this uses IPC -- if not, it can't have MX records.
        */

        if (strcmp(m->m_mailer, "[IPC]") != 0 ||
            CurEnv->e_sendmode == SM_DEFER)
        {
                /* just an ordinary mailer or deferred mode */
                return host;
        }
#if NETUNIX
        else if (m->m_argv[0] != NULL &&
                 strcmp(m->m_argv[0], "FILE") == 0)
        {
                /* rendezvous in the file system, no MX records */
                return host;
        }
#endif /* NETUNIX */

        /*
        **  Look it up in the symbol table.
        */

        now = curtime();
        s = stab(host, ST_HOSTSIG, ST_ENTER);
        if (s->s_hostsig.hs_sig != NULL)
        {
                if (s->s_hostsig.hs_exp >= now)
                {
                        if (tTd(17, 3))
                                sm_dprintf("hostsignature(): stab(%s) found %s\n", host,
                                           s->s_hostsig.hs_sig);
                        return s->s_hostsig.hs_sig;
                }

                /* signature is expired: clear it */
                sm_free(s->s_hostsig.hs_sig);
                s->s_hostsig.hs_sig = NULL;
        }

        /* set default TTL */
        s->s_hostsig.hs_exp = now + SM_DEFAULT_TTL;

        /*
        **  Not already there or expired -- create a signature.
        */

#if NAMED_BIND
        if (ConfigLevel < 2)
                _res.options &= ~(RES_DEFNAMES | RES_DNSRCH);   /* XXX */

        for (hp = host; hp != NULL; hp = endp)
        {
#if NETINET6
                if (*hp == '[')
                {
                        endp = strchr(hp + 1, ']');
                        if (endp != NULL)
                                endp = strpbrk(endp + 1, ":,");
                }
                else
                        endp = strpbrk(hp, ":,");
#else /* NETINET6 */
                endp = strpbrk(hp, ":,");
#endif /* NETINET6 */
                if (endp != NULL)
                {
                        sep = *endp;
                        *endp = '\0';
                }

                if (bitnset(M_NOMX, m->m_flags))
                {
                        /* skip MX lookups */
                        nmx = 1;
                        mxhosts[0] = hp;
                }
                else
                {
                        auto int rcode;
                        int ttl;

                        nmx = getmxrr(hp, mxhosts, mxprefs, true, &rcode, true,
                                      &ttl);
                        if (nmx <= 0)
                        {
                                int save_errno;
                                register MCI *mci;

                                /* update the connection info for this host */
                                save_errno = errno;
                                mci = mci_get(hp, m);
                                mci->mci_errno = save_errno;
                                mci->mci_herrno = h_errno;
                                mci->mci_lastuse = now;
                                if (rcode == EX_NOHOST)
                                        mci_setstat(mci, rcode, "5.1.2",
                                                    "550 Host unknown");
                                else
                                        mci_setstat(mci, rcode, NULL, NULL);

                                /* use the original host name as signature */
                                nmx = 1;
                                mxhosts[0] = hp;
                        }
                        if (tTd(17, 3))
                                sm_dprintf("hostsignature(): getmxrr() returned %d, mxhosts[0]=%s\n",
                                           nmx, mxhosts[0]);

                        /*
                        **  Set new TTL: we use only one!
                        **      We could try to use the minimum instead.
                        */

                        s->s_hostsig.hs_exp = now + SM_MIN(ttl, SM_DEFAULT_TTL);
                }

                len = 0;
                for (i = 0; i < nmx; i++)
                        len += strlen(mxhosts[i]) + 1;
                if (s->s_hostsig.hs_sig != NULL)
                        len += strlen(s->s_hostsig.hs_sig) + 1;
                if (len < 0 || len >= MAXHOSTSIGNATURE)
                {
                        sm_syslog(LOG_WARNING, NOQID, "hostsignature for host '%s' exceeds maxlen (%d): %d",
                                  host, MAXHOSTSIGNATURE, len);
                        len = MAXHOSTSIGNATURE;
                }
                p = sm_pmalloc_x(len);
                if (s->s_hostsig.hs_sig != NULL)
                {
                        (void) sm_strlcpy(p, s->s_hostsig.hs_sig, len);
                        sm_free(s->s_hostsig.hs_sig); /* XXX */
                        s->s_hostsig.hs_sig = p;
                        hl = strlen(p);
                        p += hl;
                        *p++ = prevsep;
                        len -= hl + 1;
                }
                else
                        s->s_hostsig.hs_sig = p;
                for (i = 0; i < nmx; i++)
                {
                        hl = strlen(mxhosts[i]);
                        if (len - 1 < hl || len <= 1)
                        {
                                /* force to drop out of outer loop */
                                len = -1;
                                break;
                        }
                        if (i != 0)
                        {
                                if (mxprefs[i] == mxprefs[i - 1])
                                        *p++ = ',';
                                else
                                        *p++ = ':';
                                len--;
                        }
                        (void) sm_strlcpy(p, mxhosts[i], len);
                        p += hl;
                        len -= hl;
                }

                /*
                **  break out of loop if len exceeded MAXHOSTSIGNATURE
                **  because we won't have more space for further hosts
                **  anyway (separated by : in the .cf file).
                */

                if (len < 0)
                        break;
                if (endp != NULL)
                        *endp++ = sep;
                prevsep = sep;
        }
        makelower(s->s_hostsig.hs_sig);
        if (ConfigLevel < 2)
                _res.options = oldoptions;
#else /* NAMED_BIND */
        /* not using BIND -- the signature is just the host name */
        /*
        **  'host' points to storage that will be freed after we are
        **  done processing the current envelope, so we copy it.
        */
        s->s_hostsig.hs_sig = sm_pstrdup_x(host);
#endif /* NAMED_BIND */
        if (tTd(17, 1))
                sm_dprintf("hostsignature(%s) = %s\n", host, s->s_hostsig.hs_sig);
        return s->s_hostsig.hs_sig;
}
/*
**  PARSE_HOSTSIGNATURE -- parse the "signature" and return MX host array.
**
**      The signature describes how we are going to send this -- it
**      can be just the hostname (for non-Internet hosts) or can be
**      an ordered list of MX hosts which must be randomized for equal
**      MX preference values.
**
**      Parameters:
**              sig -- the host signature.
**              mxhosts -- array to populate.
**              mailer -- mailer.
**
**      Returns:
**              The number of hosts inserted into mxhosts array.
**
**      Side Effects:
**              Randomizes equal MX preference hosts in mxhosts.
*/

static int
parse_hostsignature(sig, mxhosts, mailer)
        char *sig;
        char **mxhosts;
        MAILER *mailer;
{
        unsigned short curpref = 0;
        int nmx = 0, i, j;      /* NOTE: i, j, and nmx must have same type */
        char *hp, *endp;
        unsigned short prefer[MAXMXHOSTS];
        long rndm[MAXMXHOSTS];

        for (hp = sig; hp != NULL; hp = endp)
        {
                char sep = ':';

#if NETINET6
                if (*hp == '[')
                {
                        endp = strchr(hp + 1, ']');
                        if (endp != NULL)
                                endp = strpbrk(endp + 1, ":,");
                }
                else
                        endp = strpbrk(hp, ":,");
#else /* NETINET6 */
                endp = strpbrk(hp, ":,");
#endif /* NETINET6 */
                if (endp != NULL)
                {
                        sep = *endp;
                        *endp = '\0';
                }

                mxhosts[nmx] = hp;
                prefer[nmx] = curpref;
                if (mci_match(hp, mailer))
                        rndm[nmx] = 0;
                else
                        rndm[nmx] = get_random();

                if (endp != NULL)
                {
                        /*
                        **  Since we don't have the original MX prefs,
                        **  make our own.  If the separator is a ':', that
                        **  means the preference for the next host will be
                        **  higher than this one, so simply increment curpref.
                        */

                        if (sep == ':')
                                curpref++;

                        *endp++ = sep;
                }
                if (++nmx >= MAXMXHOSTS)
                        break;
        }

        /* sort the records using the random factor for equal preferences */
        for (i = 0; i < nmx; i++)
        {
                for (j = i + 1; j < nmx; j++)
                {
                        /*
                        **  List is already sorted by MX preference, only
                        **  need to look for equal preference MX records
                        */

                        if (prefer[i] < prefer[j])
                                break;

                        if (prefer[i] > prefer[j] ||
                            (prefer[i] == prefer[j] && rndm[i] > rndm[j]))
                        {
                                register unsigned short tempp;
                                register long tempr;
                                register char *temp1;

                                tempp = prefer[i];
                                prefer[i] = prefer[j];
                                prefer[j] = tempp;
                                temp1 = mxhosts[i];
                                mxhosts[i] = mxhosts[j];
                                mxhosts[j] = temp1;
                                tempr = rndm[i];
                                rndm[i] = rndm[j];
                                rndm[j] = tempr;
                        }
                }
        }
        return nmx;
}

# if STARTTLS
static SSL_CTX  *clt_ctx = NULL;
static bool     tls_ok_clt = true;

/*
**  SETCLTTLS -- client side TLS: allow/disallow.
**
**      Parameters:
**              tls_ok -- should tls be done?
**
**      Returns:
**              none.
**
**      Side Effects:
**              sets tls_ok_clt (static variable in this module)
*/

void
setclttls(tls_ok)
        bool tls_ok;
{
        tls_ok_clt = tls_ok;
        return;
}
/*
**  INITCLTTLS -- initialize client side TLS
**
**      Parameters:
**              tls_ok -- should tls initialization be done?
**
**      Returns:
**              succeeded?
**
**      Side Effects:
**              sets tls_ok_clt (static variable in this module)
*/

bool
initclttls(tls_ok)
        bool tls_ok;
{
        if (!tls_ok_clt)
                return false;
        tls_ok_clt = tls_ok;
        if (!tls_ok_clt)
                return false;
        if (clt_ctx != NULL)
                return true;    /* already done */
        tls_ok_clt = inittls(&clt_ctx, TLS_I_CLT, Clt_SSL_Options, false,
                             CltCertFile, CltKeyFile,
                             CACertPath, CACertFile, DHParams);
        return tls_ok_clt;
}

/*
**  STARTTLS -- try to start secure connection (client side)
**
**      Parameters:
**              m -- the mailer.
**              mci -- the mailer connection info.
**              e -- the envelope.
**
**      Returns:
**              success?
**              (maybe this should be some other code than EX_
**              that denotes which stage failed.)
*/

static int
starttls(m, mci, e)
        MAILER *m;
        MCI *mci;
        ENVELOPE *e;
{
        int smtpresult;
        int result = 0;
        int rfd, wfd;
        SSL *clt_ssl = NULL;
        time_t tlsstart;

        if (clt_ctx == NULL && !initclttls(true))
                return EX_TEMPFAIL;

# if USE_OPENSSL_ENGINE
        if (!SSL_set_engine(NULL))
        {
                sm_syslog(LOG_ERR, NOQID,
                          "STARTTLS=client, SSL_set_engine=failed");
                return EX_TEMPFAIL;
        }
# endif /* USE_OPENSSL_ENGINE */

        smtpmessage("STARTTLS", m, mci);

        /* get the reply */
        smtpresult = reply(m, mci, e, TimeOuts.to_starttls, NULL, NULL,
                        XS_STARTTLS);

        /* check return code from server */
        if (REPLYTYPE(smtpresult) == 4)
                return EX_TEMPFAIL;
        if (smtpresult == 501)
                return EX_USAGE;
        if (smtpresult == -1)
                return smtpresult;

        /* not an expected reply but we have to deal with it */
        if (REPLYTYPE(smtpresult) == 5)
                return EX_UNAVAILABLE;
        if (smtpresult != 220)
                return EX_PROTOCOL;

        if (LogLevel > 13)
                sm_syslog(LOG_INFO, NOQID, "STARTTLS=client, start=ok");

        /* start connection */
        if ((clt_ssl = SSL_new(clt_ctx)) == NULL)
        {
                if (LogLevel > 5)
                {
                        sm_syslog(LOG_ERR, NOQID,
                                  "STARTTLS=client, error: SSL_new failed");
                        if (LogLevel > 9)
                                tlslogerr("client");
                }
                return EX_SOFTWARE;
        }

        rfd = sm_io_getinfo(mci->mci_in, SM_IO_WHAT_FD, NULL);
        wfd = sm_io_getinfo(mci->mci_out, SM_IO_WHAT_FD, NULL);

        /* SSL_clear(clt_ssl); ? */
        if (rfd < 0 || wfd < 0 ||
            (result = SSL_set_rfd(clt_ssl, rfd)) != 1 ||
            (result = SSL_set_wfd(clt_ssl, wfd)) != 1)
        {
                if (LogLevel > 5)
                {
                        sm_syslog(LOG_ERR, NOQID,
                                  "STARTTLS=client, error: SSL_set_xfd failed=%d",
                                  result);
                        if (LogLevel > 9)
                                tlslogerr("client");
                }
                return EX_SOFTWARE;
        }
        SSL_set_connect_state(clt_ssl);
        tlsstart = curtime();

ssl_retry:
        if ((result = SSL_connect(clt_ssl)) <= 0)
        {
                int i, ssl_err;

                ssl_err = SSL_get_error(clt_ssl, result);
                i = tls_retry(clt_ssl, rfd, wfd, tlsstart,
                        TimeOuts.to_starttls, ssl_err, "client");
                if (i > 0)
                        goto ssl_retry;

                if (LogLevel > 5)
                {
                        sm_syslog(LOG_WARNING, NOQID,
                                  "STARTTLS=client, error: connect failed=%d, SSL_error=%d, errno=%d, retry=%d",
                                  result, ssl_err, errno, i);
                        if (LogLevel > 8)
                                tlslogerr("client");
                }

                SSL_free(clt_ssl);
                clt_ssl = NULL;
                return EX_SOFTWARE;
        }
        mci->mci_ssl = clt_ssl;
        result = tls_get_info(mci->mci_ssl, false, mci->mci_host,
                              &mci->mci_macro, true);

        /* switch to use TLS... */
        if (sfdctls(&mci->mci_in, &mci->mci_out, mci->mci_ssl) == 0)
                return EX_OK;

        /* failure */
        SSL_free(clt_ssl);
        clt_ssl = NULL;
        return EX_SOFTWARE;
}
/*
**  ENDTLSCLT -- shutdown secure connection (client side)
**
**      Parameters:
**              mci -- the mailer connection info.
**
**      Returns:
**              success?
*/

static int
endtlsclt(mci)
        MCI *mci;
{
        int r;

        if (!bitset(MCIF_TLSACT, mci->mci_flags))
                return EX_OK;
        r = endtls(mci->mci_ssl, "client");
        mci->mci_flags &= ~MCIF_TLSACT;
        return r;
}
# endif /* STARTTLS */
# if STARTTLS || SASL
/*
**  ISCLTFLGSET -- check whether client flag is set.
**
**      Parameters:
**              e -- envelope.
**              flag -- flag to check in {client_flags}
**
**      Returns:
**              true iff flag is set.
*/

static bool
iscltflgset(e, flag)
        ENVELOPE *e;
        int flag;
{
        char *p;

        p = macvalue(macid("{client_flags}"), e);
        if (p == NULL)
                return false;
        for (; *p != '\0'; p++)
        {
                /* look for just this one flag */
                if (*p == (char) flag)
                        return true;
        }
        return false;
}
# endif /* STARTTLS || SASL */