xref: /freebsd/contrib/sendmail/src/recipient.c (revision f374ba41f55c1a127303d92d830dd58eef2f5243)
1 /*
2  * Copyright (c) 1998-2003, 2006 Proofpoint, Inc. and its suppliers.
3  *	All rights reserved.
4  * Copyright (c) 1983, 1995-1997 Eric P. Allman.  All rights reserved.
5  * Copyright (c) 1988, 1993
6  *	The Regents of the University of California.  All rights reserved.
7  *
8  * By using this file, you agree to the terms and conditions set
9  * forth in the LICENSE file which can be found at the top level of
10  * the sendmail distribution.
11  *
12  */
13 
14 #include <sendmail.h>
15 
16 SM_RCSID("@(#)$Id: recipient.c,v 8.351 2013-11-22 20:51:56 ca Exp $")
17 
18 #include <sm/sendmail.h>
19 #if _FFR_8BITENVADDR
20 # include <sm/ixlen.h>
21 #endif
22 
23 static void	includetimeout __P((int));
24 static ADDRESS	*self_reference __P((ADDRESS *));
25 static int	sortexpensive __P((ADDRESS *, ADDRESS *));
26 static int	sortbysignature __P((ADDRESS *, ADDRESS *));
27 static int	sorthost __P((ADDRESS *, ADDRESS *));
28 
29 typedef int	sortfn_t __P((ADDRESS *, ADDRESS *));
30 
31 /*
32 **  SORTHOST -- strcmp()-like func for host portion of an ADDRESS
33 **
34 **	Parameters:
35 **		xx -- first ADDRESS
36 **		yy -- second ADDRESS
37 **
38 **	Returns:
39 **		<0 when xx->q_host is less than yy->q_host
40 **		>0 when xx->q_host is greater than yy->q_host
41 **		0 when equal
42 */
43 
44 static int
45 sorthost(xx, yy)
46 	register ADDRESS *xx;
47 	register ADDRESS *yy;
48 {
49 #if _FFR_HOST_SORT_REVERSE
50 	/* XXX maybe compare hostnames from the end? */
51 	return sm_strrevcasecmp(xx->q_host, yy->q_host);
52 #else
53 	return sm_strcasecmp(xx->q_host, yy->q_host);
54 #endif
55 }
56 
57 /*
58 **  SORTEXPENSIVE -- strcmp()-like func for expensive mailers
59 **
60 **  The mailer has been noted already as "expensive" for 'xx'. This
61 **  will give a result relative to 'yy'. Expensive mailers get rated
62 **  "greater than" non-expensive mailers because during the delivery phase
63 **  it will get queued -- no use it getting in the way of less expensive
64 **  recipients. We avoid an MX RR lookup when both 'xx' and 'yy' are
65 **  expensive since an MX RR lookup happens when extracted from the queue
66 **  later.
67 **
68 **	Parameters:
69 **		xx -- first ADDRESS
70 **		yy -- second ADDRESS
71 **
72 **	Returns:
73 **		<0 when xx->q_host is less than yy->q_host and both are
74 **			expensive
75 **		>0 when xx->q_host is greater than yy->q_host, or when
76 **			'yy' is non-expensive
77 **		0 when equal (by expense and q_host)
78 */
79 
80 static int
81 sortexpensive(xx, yy)
82 	ADDRESS *xx;
83 	ADDRESS *yy;
84 {
85 	if (!bitnset(M_EXPENSIVE, yy->q_mailer->m_flags))
86 		return 1; /* xx should go later */
87 #if _FFR_HOST_SORT_REVERSE
88 	/* XXX maybe compare hostnames from the end? */
89 	return sm_strrevcasecmp(xx->q_host, yy->q_host);
90 #else
91 	return sm_strcasecmp(xx->q_host, yy->q_host);
92 #endif
93 }
94 
95 /*
96 **  SORTBYSIGNATURE -- a strcmp()-like func for q_mailer and q_host in ADDRESS
97 **
98 **	Parameters:
99 **		xx -- first ADDRESS
100 **		yy -- second ADDRESS
101 **
102 **	Returns:
103 **		0 when the "signature"'s are same
104 **		<0 when xx->q_signature is less than yy->q_signature
105 **		>0 when xx->q_signature is greater than yy->q_signature
106 **
107 **	Side Effect:
108 **		May set ADDRESS pointer for q_signature if not already set.
109 */
110 
111 static int
112 sortbysignature(xx, yy)
113 	ADDRESS *xx;
114 	ADDRESS *yy;
115 {
116 	register int ret;
117 
118 	/* Let's avoid redoing the signature over and over again */
119 	if (xx->q_signature == NULL)
120 		xx->q_signature = hostsignature(xx->q_mailer, xx->q_host, xx->q_flags & QSECURE);
121 	if (yy->q_signature == NULL)
122 		yy->q_signature = hostsignature(yy->q_mailer, yy->q_host, yy->q_flags & QSECURE);
123 	ret = strcmp(xx->q_signature, yy->q_signature);
124 
125 	/*
126 	**  If the two signatures are the same then we will return a sort
127 	**  value based on 'q_user'. But note that we have reversed xx and yy
128 	**  on purpose. This additional compare helps reduce the number of
129 	**  sameaddr() calls and loops in recipient() for the case when
130 	**  the rcpt list has been provided already in-order.
131 	*/
132 
133 	if (ret == 0)
134 		return strcmp(yy->q_user, xx->q_user);
135 	else
136 		return ret;
137 }
138 
139 /*
140 **  SENDTOLIST -- Designate a send list.
141 **
142 **	The parameter is a comma-separated list of people to send to.
143 **	This routine arranges to send to all of them.
144 **
145 **	Parameters:
146 **		list -- the send list.
147 **		ctladdr -- the address template for the person to
148 **			send to -- effective uid/gid are important.
149 **			This is typically the alias that caused this
150 **			expansion.
151 **		sendq -- a pointer to the head of a queue to put
152 **			these people into.
153 **		aliaslevel -- the current alias nesting depth -- to
154 **			diagnose loops.
155 **		e -- the envelope in which to add these recipients.
156 **
157 **	Returns:
158 **		The number of addresses actually on the list.
159 */
160 
161 /* q_flags bits inherited from ctladdr */
162 #define QINHERITEDBITS	(QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY)
163 
164 int
165 sendtolist(list, ctladdr, sendq, aliaslevel, e)
166 	char *list;
167 	ADDRESS *ctladdr;
168 	ADDRESS **sendq;
169 	int aliaslevel;
170 	register ENVELOPE *e;
171 {
172 	register char *p;
173 	register ADDRESS *SM_NONVOLATILE al; /* list of addresses to send to */
174 	SM_NONVOLATILE char delimiter;		/* the address delimiter */
175 	SM_NONVOLATILE int naddrs;
176 	SM_NONVOLATILE int i;
177 	char *endp;
178 	char *oldto = e->e_to;
179 	char *SM_NONVOLATILE bufp;
180 	char buf[MAXNAME + 1];	/* EAI: ok, uses bufp dynamically expanded */
181 
182 	if (list == NULL)
183 	{
184 		syserr("sendtolist: null list");
185 		return 0;
186 	}
187 
188 	if (tTd(25, 1))
189 	{
190 		sm_dprintf("sendto: %s\n   ctladdr=", list);
191 		printaddr(sm_debug_file(), ctladdr, false);
192 	}
193 
194 	/* heuristic to determine old versus new style addresses */
195 	if (ctladdr == NULL &&
196 	    (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
197 	     strchr(list, '<') != NULL || strchr(list, '(') != NULL))
198 		e->e_flags &= ~EF_OLDSTYLE;
199 	delimiter = ' ';
200 	if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
201 		delimiter = ',';
202 
203 	al = NULL;
204 	naddrs = 0;
205 
206 	/* make sure we have enough space to copy the string */
207 	i = strlen(list) + 1;
208 	if (i <= sizeof(buf))
209 	{
210 		bufp = buf;
211 		i = sizeof(buf);
212 	}
213 	else
214 		bufp = sm_malloc_x(i);
215 	endp = bufp + i;
216 
217 	SM_TRY
218 	{
219 		(void) sm_strlcpy(bufp, denlstring(list, false, true), i);
220 
221 		macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r");
222 		for (p = bufp; *p != '\0'; )
223 		{
224 			auto char *delimptr;
225 			register ADDRESS *a;
226 
227 			SM_ASSERT(p < endp);
228 
229 			/* parse the address */
230 			while ((SM_ISSPACE(*p)) || *p == ',')
231 				p++;
232 			SM_ASSERT(p < endp);
233 /* XXX p must be [i] */
234 			a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter,
235 				      &delimptr, e, true);
236 			p = delimptr;
237 			SM_ASSERT(p < endp);
238 			if (a == NULL)
239 				continue;
240 			a->q_next = al;
241 			a->q_alias = ctladdr;
242 
243 			/* arrange to inherit attributes from parent */
244 			if (ctladdr != NULL)
245 			{
246 				ADDRESS *b;
247 
248 				/* self reference test */
249 				if (sameaddr(ctladdr, a))
250 				{
251 					if (tTd(27, 5))
252 					{
253 						sm_dprintf("sendtolist: QSELFREF ");
254 						printaddr(sm_debug_file(), ctladdr, false);
255 					}
256 					ctladdr->q_flags |= QSELFREF;
257 				}
258 
259 				/* check for address loops */
260 				b = self_reference(a);
261 				if (b != NULL)
262 				{
263 					b->q_flags |= QSELFREF;
264 					if (tTd(27, 5))
265 					{
266 						sm_dprintf("sendtolist: QSELFREF ");
267 						printaddr(sm_debug_file(), b, false);
268 					}
269 					if (a != b)
270 					{
271 						if (tTd(27, 5))
272 						{
273 							sm_dprintf("sendtolist: QS_DONTSEND ");
274 							printaddr(sm_debug_file(), a, false);
275 						}
276 						a->q_state = QS_DONTSEND;
277 						b->q_flags |= a->q_flags & QNOTREMOTE;
278 						continue;
279 					}
280 				}
281 
282 				/* full name */
283 				if (a->q_fullname == NULL)
284 					a->q_fullname = ctladdr->q_fullname;
285 
286 				/* various flag bits */
287 				a->q_flags &= ~QINHERITEDBITS;
288 				a->q_flags |= ctladdr->q_flags & QINHERITEDBITS;
289 
290 				/* DSN recipient information */
291 				a->q_finalrcpt = ctladdr->q_finalrcpt;
292 				a->q_orcpt = ctladdr->q_orcpt;
293 			}
294 
295 			al = a;
296 		}
297 
298 		/* arrange to send to everyone on the local send list */
299 		while (al != NULL)
300 		{
301 			register ADDRESS *a = al;
302 
303 			al = a->q_next;
304 			a = recipient(a, sendq, aliaslevel, e);
305 			naddrs++;
306 		}
307 	}
308 	SM_FINALLY
309 	{
310 		e->e_to = oldto;
311 		if (bufp != buf)
312 			sm_free(bufp);
313 		macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL);
314 	}
315 	SM_END_TRY
316 	return naddrs;
317 }
318 
319 #if MILTER
320 /*
321 **  REMOVEFROMLIST -- Remove addresses from a send list.
322 **
323 **	The parameter is a comma-separated list of recipients to remove.
324 **	Note that it only deletes matching addresses.  If those addresses
325 **	have been expanded already in the sendq, it won't mark the
326 **	expanded recipients as QS_REMOVED.
327 **
328 **	Parameters:
329 **		list -- the list to remove.
330 **		sendq -- a pointer to the head of a queue to remove
331 **			these addresses from.
332 **		e -- the envelope in which to remove these recipients.
333 **
334 **	Returns:
335 **		The number of addresses removed from the list.
336 **
337 */
338 
339 int
340 removefromlist(list, sendq, e)
341 	char *list;
342 	ADDRESS **sendq;
343 	ENVELOPE *e;
344 {
345 	SM_NONVOLATILE char delimiter;		/* the address delimiter */
346 	SM_NONVOLATILE int naddrs;
347 	SM_NONVOLATILE int i;
348 	char *p;
349 	char *oldto = e->e_to;
350 	char *SM_NONVOLATILE bufp;
351 	char buf[MAXNAME + 1];	/* EAI: ok, uses bufp dynamically expanded */
352 
353 	if (list == NULL)
354 	{
355 		syserr("removefromlist: null list");
356 		return 0;
357 	}
358 
359 	if (tTd(25, 1))
360 		sm_dprintf("removefromlist: %s\n", list);
361 
362 	/* heuristic to determine old versus new style addresses */
363 	if (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
364 	    strchr(list, '<') != NULL || strchr(list, '(') != NULL)
365 		e->e_flags &= ~EF_OLDSTYLE;
366 	delimiter = ' ';
367 	if (!bitset(EF_OLDSTYLE, e->e_flags))
368 		delimiter = ',';
369 
370 	naddrs = 0;
371 
372 	/* make sure we have enough space to copy the string */
373 	i = strlen(list) + 1;
374 	if (i <= sizeof(buf))
375 	{
376 		bufp = buf;
377 		i = sizeof(buf);
378 	}
379 	else
380 		bufp = sm_malloc_x(i);
381 
382 	SM_TRY
383 	{
384 		(void) sm_strlcpy(bufp, denlstring(list, false, true), i);
385 
386 # if _FFR_ADDR_TYPE_MODES
387 		if (AddrTypeModes)
388 			macdefine(&e->e_macro, A_PERM, macid("{addr_type}"),
389 				  "e r d");
390 		else
391 # endif /* _FFR_ADDR_TYPE_MODES */
392 		/* "else" in #if code above */
393 		{
394 			macdefine(&e->e_macro, A_PERM, macid("{addr_type}"),
395 				  "e r");
396 		}
397 		for (p = bufp; *p != '\0'; )
398 		{
399 			ADDRESS a;	/* parsed address to be removed */
400 			ADDRESS *q;
401 			ADDRESS **pq;
402 			char *delimptr;
403 
404 			/* parse the address */
405 			while ((SM_ISSPACE(*p)) || *p == ',')
406 				p++;
407 			/* XXX p must be [i] */
408 			if (parseaddr(p, &a, RF_COPYALL|RF_RM_ADDR,
409 				      delimiter, &delimptr, e, true) == NULL)
410 			{
411 				p = delimptr;
412 				continue;
413 			}
414 			p = delimptr;
415 			for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
416 			{
417 				if (!QS_IS_DEAD(q->q_state) &&
418 				    (sameaddr(q, &a) ||
419 				     strcmp(q->q_paddr, a.q_paddr) == 0))
420 				{
421 					if (tTd(25, 5))
422 					{
423 						sm_dprintf("removefromlist: QS_REMOVED ");
424 						printaddr(sm_debug_file(), &a, false);
425 					}
426 					q->q_state = QS_REMOVED;
427 					naddrs++;
428 					break;
429 				}
430 			}
431 		}
432 	}
433 	SM_FINALLY
434 	{
435 		e->e_to = oldto;
436 		if (bufp != buf)
437 			sm_free(bufp);
438 		macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL);
439 	}
440 	SM_END_TRY
441 	return naddrs;
442 }
443 #endif /* MILTER */
444 
445 /*
446 **  RECIPIENT -- Designate a message recipient
447 **	Saves the named person for future mailing (after some checks).
448 **
449 **	Parameters:
450 **		new -- the (preparsed) address header for the recipient.
451 **		sendq -- a pointer to the head of a queue to put the
452 **			recipient in.  Duplicate suppression is done
453 **			in this queue.
454 **		aliaslevel -- the current alias nesting depth.
455 **		e -- the current envelope.
456 **
457 **	Returns:
458 **		The actual address in the queue.  This will be "a" if
459 **		the address is not a duplicate, else the original address.
460 **
461 */
462 
463 ADDRESS *
464 recipient(new, sendq, aliaslevel, e)
465 	register ADDRESS *new;
466 	register ADDRESS **sendq;
467 	int aliaslevel;
468 	register ENVELOPE *e;
469 {
470 	register ADDRESS *q;
471 	ADDRESS **pq;
472 	ADDRESS **prev;
473 	register struct mailer *m;
474 	register char *p;
475 	int i, buflen;
476 	bool quoted;		/* set if the addr has a quote bit */
477 	bool insert;
478 	int findusercount;
479 	bool initialdontsend;
480 	char *buf;
481 	char buf0[MAXNAME + 1]; /* EAI: ok, uses bufp dynamically expanded */
482 		/* unquoted image of the user name */
483 	sortfn_t *sortfn;
484 
485 	p = NULL;
486 	quoted = false;
487 	insert = false;
488 	findusercount = 0;
489 	initialdontsend = QS_IS_DEAD(new->q_state);
490 	e->e_to = new->q_paddr;
491 	m = new->q_mailer;
492 	errno = 0;
493 	if (aliaslevel == 0)
494 		new->q_flags |= QPRIMARY;
495 	if (tTd(26, 1))
496 	{
497 		sm_dprintf("\nrecipient (%d): ", aliaslevel);
498 		printaddr(sm_debug_file(), new, false);
499 	}
500 
501 	/* if this is primary, use it as original recipient */
502 	if (new->q_alias == NULL)
503 	{
504 		if (e->e_origrcpt == NULL)
505 			e->e_origrcpt = new->q_paddr;
506 		else if (e->e_origrcpt != new->q_paddr)
507 			e->e_origrcpt = "";
508 	}
509 
510 	/* find parent recipient for finalrcpt and orcpt */
511 	for (q = new; q->q_alias != NULL; q = q->q_alias)
512 		continue;
513 
514 	/* find final recipient DSN address */
515 	if (new->q_finalrcpt == NULL &&
516 	    e->e_from.q_mailer != NULL)
517 	{
518 		char frbuf[MAXLINE];
519 
520 		p = e->e_from.q_mailer->m_addrtype;
521 		if (p == NULL)
522 			p = "rfc822";
523 #if USE_EAI
524 		if (SM_STRCASEEQ(p, "rfc822") &&
525 		    !addr_is_ascii(q->q_user))
526 			p = "utf-8";
527 #endif
528 		if (sm_strcasecmp(p, "rfc822") != 0)
529 		{
530 			(void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s",
531 					   q->q_mailer->m_addrtype,
532 					   q->q_user);
533 		}
534 		else if (strchr(q->q_user, '@') != NULL)
535 		{
536 			(void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s",
537 					   p, q->q_user);
538 		}
539 		else if (strchr(q->q_paddr, '@') != NULL)
540 		{
541 			char *qp;
542 			bool b;
543 
544 			qp = q->q_paddr;
545 
546 			/* strip brackets from address */
547 			b = false;
548 			if (*qp == '<')
549 			{
550 				b = qp[strlen(qp) - 1] == '>';
551 				if (b)
552 					qp[strlen(qp) - 1] = '\0';
553 				qp++;
554 			}
555 			(void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s",
556 					   p, qp);
557 
558 			/* undo damage */
559 			if (b)
560 				qp[strlen(qp)] = '>';
561 		}
562 		else
563 		{
564 			(void) sm_snprintf(frbuf, sizeof(frbuf),
565 					   "%s; %.700s@%.100s",
566 					   p, q->q_user, MyHostName);
567 		}
568 		new->q_finalrcpt = sm_rpool_strdup_x(e->e_rpool, frbuf);
569 	}
570 
571 #if _FFR_GEN_ORCPT
572 	/* set ORCPT DSN arg if not already set */
573 	if (new->q_orcpt == NULL)
574 	{
575 		/* check for an existing ORCPT */
576 		if (q->q_orcpt != NULL)
577 			new->q_orcpt = q->q_orcpt;
578 		else
579 		{
580 			/* make our own */
581 			bool b = false;
582 			char *qp;
583 			char obuf[MAXLINE];
584 
585 			if (e->e_from.q_mailer != NULL)
586 				p = e->e_from.q_mailer->m_addrtype;
587 			if (p == NULL)
588 				p = "rfc822";
589 			(void) sm_strlcpyn(obuf, sizeof(obuf), 2, p, ";");
590 
591 			qp = q->q_paddr;
592 
593 			/* FFR: Needs to strip comments from stdin addrs */
594 
595 			/* strip brackets from address */
596 			if (*qp == '<')
597 			{
598 				b = qp[strlen(qp) - 1] == '>';
599 				if (b)
600 					qp[strlen(qp) - 1] = '\0';
601 				qp++;
602 			}
603 
604 			p = xtextify(denlstring(qp, true, false), "=");
605 
606 			if (sm_strlcat(obuf, p, sizeof(obuf)) >= sizeof(obuf))
607 			{
608 				/* if too big, don't use it */
609 				obuf[0] = '\0';
610 			}
611 
612 			/* undo damage */
613 			if (b)
614 				qp[strlen(qp)] = '>';
615 
616 			if (obuf[0] != '\0')
617 				new->q_orcpt =
618 					sm_rpool_strdup_x(e->e_rpool, obuf);
619 		}
620 	}
621 #endif /* _FFR_GEN_ORCPT */
622 
623 	/* break aliasing loops */
624 	if (aliaslevel > MaxAliasRecursion)
625 	{
626 		new->q_state = QS_BADADDR;
627 		new->q_status = "5.4.6";
628 		if (new->q_alias != NULL)
629 		{
630 			new->q_alias->q_state = QS_BADADDR;
631 			new->q_alias->q_status = "5.4.6";
632 		}
633 		if ((SuprErrs || !LogUsrErrs) && LogLevel > 0)
634 		{
635 			sm_syslog(LOG_ERR, e->e_id,
636 				"aliasing/forwarding loop broken: %s (%d aliases deep; %d max)",
637 				FileName != NULL ? FileName : "", aliaslevel,
638 				MaxAliasRecursion);
639 		}
640 		usrerrenh(new->q_status,
641 			  "554 aliasing/forwarding loop broken (%d aliases deep; %d max)",
642 			  aliaslevel, MaxAliasRecursion);
643 		return new;
644 	}
645 
646 	/*
647 	**  Finish setting up address structure.
648 	*/
649 
650 	/* get unquoted user for file, program or user.name check */
651 	i = strlen(new->q_user);
652 	if (i >= sizeof(buf0))
653 	{
654 		buflen = i + 1;
655 		buf = xalloc(buflen);
656 	}
657 	else
658 	{
659 		buf = buf0;
660 		buflen = sizeof(buf0);
661 	}
662 	(void) sm_strlcpy(buf, new->q_user, buflen);
663 	for (p = buf; *p != '\0' && !quoted; p++)
664 	{
665 		if (*p == '\\')
666 			quoted = true;
667 	}
668 	stripquotes(buf);
669 
670 	/* check for direct mailing to restricted mailers */
671 	if (m == ProgMailer)
672 	{
673 		if (new->q_alias == NULL || UseMSP ||
674 		    bitset(EF_UNSAFE, e->e_flags))
675 		{
676 			new->q_state = QS_BADADDR;
677 			new->q_status = "5.7.1";
678 			usrerrenh(new->q_status,
679 				  "550 Cannot mail directly to programs");
680 		}
681 		else if (bitset(QBOGUSSHELL, new->q_alias->q_flags))
682 		{
683 			new->q_state = QS_BADADDR;
684 			new->q_status = "5.7.1";
685 			if (new->q_alias->q_ruser == NULL)
686 				usrerrenh(new->q_status,
687 					  "550 UID %ld is an unknown user: cannot mail to programs",
688 					  (long) new->q_alias->q_uid);
689 			else
690 				usrerrenh(new->q_status,
691 					  "550 User %s@%s doesn't have a valid shell for mailing to programs",
692 					  new->q_alias->q_ruser, MyHostName);
693 		}
694 		else if (bitset(QUNSAFEADDR, new->q_alias->q_flags))
695 		{
696 			new->q_state = QS_BADADDR;
697 			new->q_status = "5.7.1";
698 			new->q_rstatus = "550 Unsafe for mailing to programs";
699 			usrerrenh(new->q_status,
700 				  "550 Address %s is unsafe for mailing to programs",
701 				  new->q_alias->q_paddr);
702 		}
703 	}
704 
705 	/*
706 	**  Look up this person in the recipient list.
707 	**	If they are there already, return, otherwise continue.
708 	**	If the list is empty, just add it.  Notice the cute
709 	**	hack to make from addresses suppress things correctly:
710 	**	the QS_DUPLICATE state will be set in the send list.
711 	**	[Please note: the emphasis is on "hack."]
712 	*/
713 
714 	prev = NULL;
715 
716 	/*
717 	**  If this message is going to the queue or FastSplit is set
718 	**  and it is the first try and the envelope hasn't split, then we
719 	**  avoid doing an MX RR lookup now because one will be done when the
720 	**  message is extracted from the queue later. It can go to the queue
721 	**  because all messages are going to the queue or this mailer of
722 	**  the current recipient is marked expensive.
723 	*/
724 
725 	if (UseMSP || WILL_BE_QUEUED(e->e_sendmode) ||
726 	    (!bitset(EF_SPLIT, e->e_flags) && e->e_ntries == 0 &&
727 	     FastSplit > 0))
728 		sortfn = sorthost;
729 	else if (NoConnect && bitnset(M_EXPENSIVE, new->q_mailer->m_flags))
730 		sortfn = sortexpensive;
731 	else
732 		sortfn = sortbysignature;
733 
734 	for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
735 	{
736 		/*
737 		**  If address is "less than" it should be inserted now.
738 		**  If address is "greater than" current comparison it'll
739 		**  insert later in the list; so loop again (if possible).
740 		**  If address is "equal" (different equal than sameaddr()
741 		**  call) then check if sameaddr() will be true.
742 		**  Because this list is now sorted, it'll mean fewer
743 		**  comparisons and fewer loops which is important for more
744 		**  recipients.
745 		*/
746 
747 		i = (*sortfn)(new, q);
748 		if (i == 0) /* equal */
749 		{
750 			/*
751 			**  Sortbysignature() has said that the two have
752 			**  equal MX RR's and the same user. Calling sameaddr()
753 			**  now checks if the two hosts are as identical as the
754 			**  MX RR's are (which might not be the case)
755 			**  before saying these are the identical addresses.
756 			*/
757 
758 			if (sameaddr(q, new) &&
759 			    (bitset(QRCPTOK, q->q_flags) ||
760 			     !bitset(QPRIMARY, q->q_flags)))
761 			{
762 				if (tTd(26, 1))
763 				{
764 					sm_dprintf("%s in sendq: ",
765 						   new->q_paddr);
766 					printaddr(sm_debug_file(), q, false);
767 				}
768 				if (!bitset(QPRIMARY, q->q_flags))
769 				{
770 					if (!QS_IS_DEAD(new->q_state))
771 						message("duplicate suppressed");
772 					else
773 						q->q_state = QS_DUPLICATE;
774 					q->q_flags |= new->q_flags;
775 				}
776 				else if (bitset(QSELFREF, q->q_flags)
777 					 || q->q_state == QS_REMOVED)
778 				{
779 					/*
780 					**  If an earlier milter removed the
781 					**  address, a later one can still add
782 					**  it back.
783 					*/
784 
785 					q->q_state = new->q_state;
786 					q->q_flags |= new->q_flags;
787 				}
788 				new = q;
789 				goto done;
790 			}
791 		}
792 		else if (i < 0) /* less than */
793 		{
794 			insert = true;
795 			break;
796 		}
797 		prev = pq;
798 	}
799 
800 	/* pq should point to an address, never NULL */
801 	SM_ASSERT(pq != NULL);
802 
803 	/* add address on list */
804 	if (insert)
805 	{
806 		/*
807 		**  insert before 'pq'. Only possible when at least 1
808 		**  ADDRESS is in the list already.
809 		*/
810 
811 		new->q_next = *pq;
812 		if (prev == NULL)
813 			*sendq = new; /* To be the first ADDRESS */
814 		else
815 			(*prev)->q_next = new;
816 	}
817 	else
818 	{
819 		/*
820 		**  Place in list at current 'pq' position. Possible
821 		**  when there are 0 or more ADDRESS's in the list.
822 		*/
823 
824 		new->q_next = NULL;
825 		*pq = new;
826 	}
827 
828 	/* added a new address: clear split flag */
829 	e->e_flags &= ~EF_SPLIT;
830 
831 	/*
832 	**  Alias the name and handle special mailer types.
833 	*/
834 
835   trylocaluser:
836 	if (tTd(29, 7))
837 	{
838 		sm_dprintf("at trylocaluser: ");
839 		printaddr(sm_debug_file(), new, false);
840 	}
841 
842 	if (!QS_IS_OK(new->q_state))
843 	{
844 		if (QS_IS_UNDELIVERED(new->q_state))
845 			e->e_nrcpts++;
846 		goto testselfdestruct;
847 	}
848 
849 	if (m == InclMailer)
850 	{
851 		new->q_state = QS_INCLUDED;
852 		if (new->q_alias == NULL || UseMSP ||
853 		    bitset(EF_UNSAFE, e->e_flags))
854 		{
855 			new->q_state = QS_BADADDR;
856 			new->q_status = "5.7.1";
857 			usrerrenh(new->q_status,
858 				  "550 Cannot mail directly to :include:s");
859 		}
860 		else
861 		{
862 			int ret;
863 
864 			message("including file %s", new->q_user);
865 			ret = include(new->q_user, false, new,
866 				      sendq, aliaslevel, e);
867 			if (transienterror(ret))
868 			{
869 				if (LogLevel > 2)
870 					sm_syslog(LOG_ERR, e->e_id,
871 						  "include %s: transient error: %s",
872 						  shortenstring(new->q_user,
873 								MAXSHORTSTR),
874 								sm_errstring(ret));
875 				new->q_state = QS_QUEUEUP;
876 				usrerr("451 4.2.4 Cannot open %s: %s",
877 					shortenstring(new->q_user,
878 						      MAXSHORTSTR),
879 					sm_errstring(ret));
880 			}
881 			else if (ret != 0)
882 			{
883 				new->q_state = QS_BADADDR;
884 				new->q_status = "5.2.4";
885 				usrerrenh(new->q_status,
886 					  "550 Cannot open %s: %s",
887 					  shortenstring(new->q_user,
888 							MAXSHORTSTR),
889 					  sm_errstring(ret));
890 			}
891 		}
892 	}
893 	else if (m == FileMailer)
894 	{
895 		/* check if allowed */
896 		if (new->q_alias == NULL || UseMSP ||
897 		    bitset(EF_UNSAFE, e->e_flags))
898 		{
899 			new->q_state = QS_BADADDR;
900 			new->q_status = "5.7.1";
901 			usrerrenh(new->q_status,
902 				  "550 Cannot mail directly to files");
903 		}
904 		else if (bitset(QBOGUSSHELL, new->q_alias->q_flags))
905 		{
906 			new->q_state = QS_BADADDR;
907 			new->q_status = "5.7.1";
908 			if (new->q_alias->q_ruser == NULL)
909 				usrerrenh(new->q_status,
910 					  "550 UID %ld is an unknown user: cannot mail to files",
911 					  (long) new->q_alias->q_uid);
912 			else
913 				usrerrenh(new->q_status,
914 					  "550 User %s@%s doesn't have a valid shell for mailing to files",
915 					  new->q_alias->q_ruser, MyHostName);
916 		}
917 		else if (bitset(QUNSAFEADDR, new->q_alias->q_flags))
918 		{
919 			new->q_state = QS_BADADDR;
920 			new->q_status = "5.7.1";
921 			new->q_rstatus = "550 Unsafe for mailing to files";
922 			usrerrenh(new->q_status,
923 				  "550 Address %s is unsafe for mailing to files",
924 				  new->q_alias->q_paddr);
925 		}
926 	}
927 
928 	/* try aliasing */
929 	if (!quoted && QS_IS_OK(new->q_state) &&
930 	    bitnset(M_ALIASABLE, m->m_flags))
931 		alias(new, sendq, aliaslevel, e);
932 
933 #if USERDB
934 	/* if not aliased, look it up in the user database */
935 	if (!bitset(QNOTREMOTE, new->q_flags) &&
936 	    QS_IS_SENDABLE(new->q_state) &&
937 	    bitnset(M_CHECKUDB, m->m_flags))
938 	{
939 		if (udbexpand(new, sendq, aliaslevel, e) == EX_TEMPFAIL)
940 		{
941 			new->q_state = QS_QUEUEUP;
942 			if (e->e_message == NULL)
943 				e->e_message = sm_rpool_strdup_x(e->e_rpool,
944 						"Deferred: user database error");
945 			if (new->q_message == NULL)
946 				new->q_message = "Deferred: user database error";
947 			if (LogLevel > 8)
948 				sm_syslog(LOG_INFO, e->e_id,
949 					  "deferred: udbexpand: %s",
950 					  sm_errstring(errno));
951 			message("queued (user database error): %s",
952 				sm_errstring(errno));
953 			e->e_nrcpts++;
954 			goto testselfdestruct;
955 		}
956 	}
957 #endif /* USERDB */
958 
959 	/*
960 	**  If we have a level two config file, then pass the name through
961 	**  Ruleset 5 before sending it off.  Ruleset 5 has the right
962 	**  to rewrite it to another mailer.  This gives us a hook
963 	**  after local aliasing has been done.
964 	*/
965 
966 	if (tTd(29, 5))
967 	{
968 		sm_dprintf("recipient: testing local?  cl=%d, rr5=%p\n\t",
969 			   ConfigLevel, (void *)RewriteRules[5]);
970 		printaddr(sm_debug_file(), new, false);
971 	}
972 	if (ConfigLevel >= 2 && RewriteRules[5] != NULL &&
973 	    bitnset(M_TRYRULESET5, m->m_flags) &&
974 	    !bitset(QNOTREMOTE, new->q_flags) &&
975 	    QS_IS_OK(new->q_state))
976 	{
977 		maplocaluser(new, sendq, aliaslevel + 1, e);
978 	}
979 
980 	/*
981 	**  If it didn't get rewritten to another mailer, go ahead
982 	**  and deliver it.
983 	*/
984 
985 	if (QS_IS_OK(new->q_state) &&
986 	    bitnset(M_HASPWENT, m->m_flags))
987 	{
988 		auto bool fuzzy;
989 		SM_MBDB_T user;
990 		int status;
991 
992 		/* warning -- finduser may trash buf */
993 		status = finduser(buf, &fuzzy, &user);
994 		switch (status)
995 		{
996 		  case EX_TEMPFAIL:
997 			new->q_state = QS_QUEUEUP;
998 			new->q_status = "4.5.2";
999 			giveresponse(EX_TEMPFAIL, new->q_status, m, NULL,
1000 				     new->q_alias, (time_t) 0, e, new);
1001 			break;
1002 		  default:
1003 			new->q_state = QS_BADADDR;
1004 			new->q_status = "5.1.1";
1005 			new->q_rstatus = "550 5.1.1 User unknown";
1006 			giveresponse(EX_NOUSER, new->q_status, m, NULL,
1007 				     new->q_alias, (time_t) 0, e, new);
1008 			break;
1009 		  case EX_OK:
1010 			if (fuzzy)
1011 			{
1012 				/* name was a fuzzy match */
1013 				new->q_user = sm_rpool_strdup_x(e->e_rpool,
1014 								user.mbdb_name);
1015 				if (findusercount++ > 3)
1016 				{
1017 					new->q_state = QS_BADADDR;
1018 					new->q_status = "5.4.6";
1019 					usrerrenh(new->q_status,
1020 						  "554 aliasing/forwarding loop for %s broken",
1021 						  user.mbdb_name);
1022 					goto done;
1023 				}
1024 
1025 				/* see if it aliases */
1026 				(void) sm_strlcpy(buf, user.mbdb_name, buflen);
1027 				goto trylocaluser;
1028 			}
1029 			if (*user.mbdb_homedir == '\0')
1030 				new->q_home = NULL;
1031 			else if (strcmp(user.mbdb_homedir, "/") == 0)
1032 				new->q_home = "";
1033 			else
1034 				new->q_home = sm_rpool_strdup_x(e->e_rpool,
1035 							user.mbdb_homedir);
1036 			if (user.mbdb_uid != SM_NO_UID)
1037 			{
1038 				new->q_uid = user.mbdb_uid;
1039 				new->q_gid = user.mbdb_gid;
1040 				new->q_flags |= QGOODUID;
1041 			}
1042 			new->q_ruser = sm_rpool_strdup_x(e->e_rpool,
1043 							 user.mbdb_name);
1044 			if (user.mbdb_fullname[0] != '\0')
1045 				new->q_fullname = sm_rpool_strdup_x(e->e_rpool,
1046 							user.mbdb_fullname);
1047 			if (!usershellok(user.mbdb_name, user.mbdb_shell))
1048 			{
1049 				new->q_flags |= QBOGUSSHELL;
1050 			}
1051 			if (bitset(EF_VRFYONLY, e->e_flags))
1052 			{
1053 				/* don't do any more now */
1054 				new->q_state = QS_VERIFIED;
1055 			}
1056 			else if (!quoted)
1057 				forward(new, sendq, aliaslevel, e);
1058 		}
1059 	}
1060 	if (!QS_IS_DEAD(new->q_state))
1061 		e->e_nrcpts++;
1062 
1063   testselfdestruct:
1064 	new->q_flags |= QTHISPASS;
1065 	if (tTd(26, 8))
1066 	{
1067 		sm_dprintf("testselfdestruct: ");
1068 		printaddr(sm_debug_file(), new, false);
1069 		if (tTd(26, 10))
1070 		{
1071 			sm_dprintf("SENDQ:\n");
1072 			printaddr(sm_debug_file(), *sendq, true);
1073 			sm_dprintf("----\n");
1074 		}
1075 	}
1076 	if (new->q_alias == NULL && new != &e->e_from &&
1077 	    QS_IS_DEAD(new->q_state))
1078 	{
1079 		for (q = *sendq; q != NULL; q = q->q_next)
1080 		{
1081 			if (!QS_IS_DEAD(q->q_state))
1082 				break;
1083 		}
1084 		if (q == NULL)
1085 		{
1086 			new->q_state = QS_BADADDR;
1087 			new->q_status = "5.4.6";
1088 			usrerrenh(new->q_status,
1089 				  "554 aliasing/forwarding loop broken");
1090 		}
1091 	}
1092 
1093   done:
1094 	new->q_flags |= QTHISPASS;
1095 	if (buf != buf0)
1096 		sm_free(buf); /* XXX leak if above code raises exception */
1097 
1098 	/*
1099 	**  If we are at the top level, check to see if this has
1100 	**  expanded to exactly one address.  If so, it can inherit
1101 	**  the primaryness of the address.
1102 	**
1103 	**  While we're at it, clear the QTHISPASS bits.
1104 	*/
1105 
1106 	if (aliaslevel == 0)
1107 	{
1108 		int nrcpts = 0;
1109 		ADDRESS *only = NULL;
1110 
1111 		for (q = *sendq; q != NULL; q = q->q_next)
1112 		{
1113 			if (bitset(QTHISPASS, q->q_flags) &&
1114 			    QS_IS_SENDABLE(q->q_state))
1115 			{
1116 				nrcpts++;
1117 				only = q;
1118 			}
1119 			q->q_flags &= ~QTHISPASS;
1120 		}
1121 		if (nrcpts == 1)
1122 		{
1123 			/* check to see if this actually got a new owner */
1124 			q = only;
1125 			while ((q = q->q_alias) != NULL)
1126 			{
1127 				if (q->q_owner != NULL)
1128 					break;
1129 			}
1130 			if (q == NULL)
1131 				only->q_flags |= QPRIMARY;
1132 		}
1133 		else if (!initialdontsend && nrcpts > 0)
1134 		{
1135 			/* arrange for return receipt */
1136 			e->e_flags |= EF_SENDRECEIPT;
1137 			new->q_flags |= QEXPANDED;
1138 			if (e->e_xfp != NULL &&
1139 			    bitset(QPINGONSUCCESS, new->q_flags))
1140 				(void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
1141 						     "%s... expanded to multiple addresses\n",
1142 						     new->q_paddr);
1143 		}
1144 	}
1145 	new->q_flags |= QRCPTOK;
1146 	(void) sm_snprintf(buf0, sizeof(buf0), "%d", e->e_nrcpts);
1147 	macdefine(&e->e_macro, A_TEMP, macid("{nrcpts}"), buf0);
1148 	return new;
1149 }
1150 
1151 /*
1152 **  FINDUSER -- find the password entry for a user.
1153 **
1154 **	This looks a lot like getpwnam, except that it may want to
1155 **	do some fancier pattern matching in /etc/passwd.
1156 **
1157 **	This routine contains most of the time of many sendmail runs.
1158 **	It deserves to be optimized.
1159 **
1160 **	Parameters:
1161 **		name -- the name to match against.
1162 **		fuzzyp -- an outarg that is set to true if this entry
1163 **			was found using the fuzzy matching algorithm;
1164 **			set to false otherwise.
1165 **		user -- structure to fill in if user is found
1166 **
1167 **	Returns:
1168 **		On success, fill in *user, set *fuzzyp and return EX_OK.
1169 **		If the user was not found, return EX_NOUSER.
1170 **		On error, return EX_TEMPFAIL or EX_OSERR.
1171 **
1172 **	Side Effects:
1173 **		may modify name.
1174 */
1175 
1176 int
1177 finduser(name, fuzzyp, user)
1178 	char *name;
1179 	bool *fuzzyp;
1180 	SM_MBDB_T *user;
1181 {
1182 #if MATCHGECOS
1183 	register struct passwd *pw;
1184 #endif
1185 	register char *p;
1186 	bool tryagain;
1187 	int status;
1188 
1189 	if (tTd(29, 4))
1190 		sm_dprintf("finduser(%s): ", name);
1191 
1192 	*fuzzyp = false;
1193 
1194 #if HESIOD && !HESIOD_ALLOW_NUMERIC_LOGIN
1195 	/* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
1196 	for (p = name; *p != '\0'; p++)
1197 		if (!isascii(*p) || !isdigit(*p))
1198 			break;
1199 	if (*p == '\0')
1200 	{
1201 		if (tTd(29, 4))
1202 			sm_dprintf("failed (numeric input)\n");
1203 		return EX_NOUSER;
1204 	}
1205 #endif /* HESIOD && !HESIOD_ALLOW_NUMERIC_LOGIN */
1206 
1207 	/* look up this login name using fast path */
1208 	status = sm_mbdb_lookup(name, user);
1209 	if (status != EX_NOUSER)
1210 	{
1211 		if (tTd(29, 4))
1212 			sm_dprintf("%s (non-fuzzy)\n", sm_strexit(status));
1213 		return status;
1214 	}
1215 
1216 	/* try mapping it to lower case */
1217 	tryagain = false;
1218 	for (p = name; *p != '\0'; p++)
1219 	{
1220 		if (isascii(*p) && isupper(*p))
1221 		{
1222 			*p = tolower(*p);
1223 			tryagain = true;
1224 		}
1225 	}
1226 	if (tryagain && (status = sm_mbdb_lookup(name, user)) != EX_NOUSER)
1227 	{
1228 		if (tTd(29, 4))
1229 			sm_dprintf("%s (lower case)\n", sm_strexit(status));
1230 		*fuzzyp = true;
1231 		return status;
1232 	}
1233 
1234 #if MATCHGECOS
1235 	/* see if fuzzy matching allowed */
1236 	if (!MatchGecos)
1237 	{
1238 		if (tTd(29, 4))
1239 			sm_dprintf("not found (fuzzy disabled)\n");
1240 		return EX_NOUSER;
1241 	}
1242 
1243 	/* search for a matching full name instead */
1244 	for (p = name; *p != '\0'; p++)
1245 	{
1246 		if (*p == (SpaceSub & 0177) || *p == '_')
1247 			*p = ' ';
1248 	}
1249 	(void) setpwent();
1250 	while ((pw = getpwent()) != NULL)
1251 	{
1252 		char buf[MAXNAME + 1];	/* EAI: ok: for pw_gecos */
1253 
1254 # if 0
1255 		if (SM_STRCASEEQ(pw->pw_name, name))
1256 		{
1257 			if (tTd(29, 4))
1258 				sm_dprintf("found (case wrapped)\n");
1259 			break;
1260 		}
1261 # endif /* 0 */
1262 
1263 		sm_pwfullname(pw->pw_gecos, pw->pw_name, buf, sizeof(buf));
1264 		if (strchr(buf, ' ') != NULL && SM_STRCASEEQ(buf, name))
1265 		{
1266 			if (tTd(29, 4))
1267 				sm_dprintf("fuzzy matches %s\n", pw->pw_name);
1268 			message("sending to login name %s", pw->pw_name);
1269 			break;
1270 		}
1271 	}
1272 	if (pw != NULL)
1273 		*fuzzyp = true;
1274 	else if (tTd(29, 4))
1275 		sm_dprintf("no fuzzy match found\n");
1276 # if DEC_OSF_BROKEN_GETPWENT	/* DEC OSF/1 3.2 or earlier */
1277 	endpwent();
1278 # endif
1279 	if (pw == NULL)
1280 		return EX_NOUSER;
1281 	sm_mbdb_frompw(user, pw);
1282 	return EX_OK;
1283 #else /* MATCHGECOS */
1284 	if (tTd(29, 4))
1285 		sm_dprintf("not found (fuzzy disabled)\n");
1286 	return EX_NOUSER;
1287 #endif /* MATCHGECOS */
1288 }
1289 
1290 /*
1291 **  WRITABLE -- predicate returning if the file is writable.
1292 **
1293 **	This routine must duplicate the algorithm in sys/fio.c.
1294 **	Unfortunately, we cannot use the access call since we
1295 **	won't necessarily be the real uid when we try to
1296 **	actually open the file.
1297 **
1298 **	Notice that ANY file with ANY execute bit is automatically
1299 **	not writable.  This is also enforced by mailfile.
1300 **
1301 **	Parameters:
1302 **		filename -- the file name to check.
1303 **		ctladdr -- the controlling address for this file.
1304 **		flags -- SFF_* flags to control the function.
1305 **
1306 **	Returns:
1307 **		true -- if we will be able to write this file.
1308 **		false -- if we cannot write this file.
1309 **
1310 **	Side Effects:
1311 **		none.
1312 */
1313 
1314 bool
1315 writable(filename, ctladdr, flags)
1316 	char *filename;
1317 	ADDRESS *ctladdr;
1318 	long flags;
1319 {
1320 	uid_t euid = 0;
1321 	gid_t egid = 0;
1322 	char *user = NULL;
1323 
1324 	if (tTd(44, 5))
1325 		sm_dprintf("writable(%s, 0x%lx)\n", filename, flags);
1326 
1327 	/*
1328 	**  File does exist -- check that it is writable.
1329 	*/
1330 
1331 	if (geteuid() != 0)
1332 	{
1333 		euid = geteuid();
1334 		egid = getegid();
1335 		user = NULL;
1336 	}
1337 	else if (ctladdr != NULL)
1338 	{
1339 		euid = ctladdr->q_uid;
1340 		egid = ctladdr->q_gid;
1341 		user = ctladdr->q_user;
1342 	}
1343 	else if (bitset(SFF_RUNASREALUID, flags))
1344 	{
1345 		euid = RealUid;
1346 		egid = RealGid;
1347 		user = RealUserName;
1348 	}
1349 	else if (FileMailer != NULL && !bitset(SFF_ROOTOK, flags))
1350 	{
1351 		if (FileMailer->m_uid == NO_UID)
1352 		{
1353 			euid = DefUid;
1354 			user = DefUser;
1355 		}
1356 		else
1357 		{
1358 			euid = FileMailer->m_uid;
1359 			user = NULL;
1360 		}
1361 		if (FileMailer->m_gid == NO_GID)
1362 			egid = DefGid;
1363 		else
1364 			egid = FileMailer->m_gid;
1365 	}
1366 	else
1367 	{
1368 		euid = egid = 0;
1369 		user = NULL;
1370 	}
1371 	if (!bitset(SFF_ROOTOK, flags))
1372 	{
1373 		if (euid == 0)
1374 		{
1375 			euid = DefUid;
1376 			user = DefUser;
1377 		}
1378 		if (egid == 0)
1379 			egid = DefGid;
1380 	}
1381 	if (geteuid() == 0 &&
1382 	    (ctladdr == NULL || !bitset(QGOODUID, ctladdr->q_flags)))
1383 		flags |= SFF_SETUIDOK;
1384 
1385 	if (!bitnset(DBS_FILEDELIVERYTOSYMLINK, DontBlameSendmail))
1386 		flags |= SFF_NOSLINK;
1387 	if (!bitnset(DBS_FILEDELIVERYTOHARDLINK, DontBlameSendmail))
1388 		flags |= SFF_NOHLINK;
1389 
1390 	errno = safefile(filename, euid, egid, user, flags, S_IWRITE, NULL);
1391 	return errno == 0;
1392 }
1393 
1394 /*
1395 **  INCLUDE -- handle :include: specification.
1396 **
1397 **	Parameters:
1398 **		fname -- filename to include.
1399 **		forwarding -- if true, we are reading a .forward file.
1400 **			if false, it's a :include: file.
1401 **		ctladdr -- address template to use to fill in these
1402 **			addresses -- effective user/group id are
1403 **			the important things.
1404 **		sendq -- a pointer to the head of the send queue
1405 **			to put these addresses in.
1406 **		aliaslevel -- the alias nesting depth.
1407 **		e -- the current envelope.
1408 **
1409 **	Returns:
1410 **		open error status
1411 **
1412 **	Side Effects:
1413 **		reads the :include: file and sends to everyone
1414 **		listed in that file.
1415 **
1416 **	Security Note:
1417 **		If you have restricted chown (that is, you can't
1418 **		give a file away), it is reasonable to allow programs
1419 **		and files called from this :include: file to be to be
1420 **		run as the owner of the :include: file.  This is bogus
1421 **		if there is any chance of someone giving away a file.
1422 **		We assume that pre-POSIX systems can give away files.
1423 **
1424 **		There is an additional restriction that if you
1425 **		forward to a :include: file, it will not take on
1426 **		the ownership of the :include: file.  This may not
1427 **		be necessary, but shouldn't hurt.
1428 */
1429 
1430 static jmp_buf	CtxIncludeTimeout;
1431 
1432 int
1433 include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
1434 	char *fname;
1435 	bool forwarding;
1436 	ADDRESS *ctladdr;
1437 	ADDRESS **sendq;
1438 	int aliaslevel;
1439 	ENVELOPE *e;
1440 {
1441 	SM_FILE_T *volatile fp = NULL;
1442 	char *oldto = e->e_to;
1443 	char *oldfilename = FileName;
1444 	int oldlinenumber = LineNumber;
1445 	register SM_EVENT *ev = NULL;
1446 	int nincludes;
1447 	int mode;
1448 	volatile bool maxreached = false;
1449 	register ADDRESS *ca;
1450 	volatile uid_t saveduid;
1451 	volatile gid_t savedgid;
1452 	volatile uid_t uid;
1453 	volatile gid_t gid;
1454 	char *volatile user;
1455 	int rval = 0;
1456 	volatile long sfflags = SFF_REGONLY;
1457 	register char *p;
1458 	bool safechown = false;
1459 	volatile bool safedir = false;
1460 	struct stat st;
1461 	char buf[MAXLINE];
1462 
1463 	if (tTd(27, 2))
1464 		sm_dprintf("include(%s)\n", fname);
1465 	if (tTd(27, 4))
1466 		sm_dprintf("   ruid=%ld euid=%ld\n",
1467 			(long) getuid(), (long) geteuid());
1468 	if (tTd(27, 14))
1469 	{
1470 		sm_dprintf("ctladdr ");
1471 		printaddr(sm_debug_file(), ctladdr, false);
1472 	}
1473 
1474 	if (tTd(27, 9))
1475 		sm_dprintf("include: old uid = %ld/%ld\n",
1476 			   (long) getuid(), (long) geteuid());
1477 
1478 	if (forwarding)
1479 	{
1480 		sfflags |= SFF_MUSTOWN|SFF_ROOTOK;
1481 		if (!bitnset(DBS_GROUPWRITABLEFORWARDFILE, DontBlameSendmail))
1482 			sfflags |= SFF_NOGWFILES;
1483 		if (!bitnset(DBS_WORLDWRITABLEFORWARDFILE, DontBlameSendmail))
1484 			sfflags |= SFF_NOWWFILES;
1485 	}
1486 	else
1487 	{
1488 		if (!bitnset(DBS_GROUPWRITABLEINCLUDEFILE, DontBlameSendmail))
1489 			sfflags |= SFF_NOGWFILES;
1490 		if (!bitnset(DBS_WORLDWRITABLEINCLUDEFILE, DontBlameSendmail))
1491 			sfflags |= SFF_NOWWFILES;
1492 	}
1493 
1494 	/*
1495 	**  If RunAsUser set, won't be able to run programs as user
1496 	**  so mark them as unsafe unless the administrator knows better.
1497 	*/
1498 
1499 	if ((geteuid() != 0 || RunAsUid != 0) &&
1500 	    !bitnset(DBS_NONROOTSAFEADDR, DontBlameSendmail))
1501 	{
1502 		if (tTd(27, 4))
1503 			sm_dprintf("include: not safe (euid=%ld, RunAsUid=%ld)\n",
1504 				   (long) geteuid(), (long) RunAsUid);
1505 		ctladdr->q_flags |= QUNSAFEADDR;
1506 	}
1507 
1508 	ca = getctladdr(ctladdr);
1509 	if (ca == NULL ||
1510 	    (ca->q_uid == DefUid && ca->q_gid == 0))
1511 	{
1512 		uid = DefUid;
1513 		gid = DefGid;
1514 		user = DefUser;
1515 	}
1516 	else
1517 	{
1518 		uid = ca->q_uid;
1519 		gid = ca->q_gid;
1520 		user = ca->q_user;
1521 	}
1522 #if MAILER_SETUID_METHOD != USE_SETUID
1523 	saveduid = geteuid();
1524 	savedgid = getegid();
1525 	if (saveduid == 0)
1526 	{
1527 		if (!DontInitGroups)
1528 		{
1529 			if (initgroups(user, gid) == -1)
1530 			{
1531 				rval = EAGAIN;
1532 				syserr("include: initgroups(%s, %ld) failed",
1533 					user, (long) gid);
1534 				goto resetuid;
1535 			}
1536 		}
1537 		else
1538 		{
1539 			GIDSET_T gidset[1];
1540 
1541 			gidset[0] = gid;
1542 			if (setgroups(1, gidset) == -1)
1543 			{
1544 				rval = EAGAIN;
1545 				syserr("include: setgroups() failed");
1546 				goto resetuid;
1547 			}
1548 		}
1549 
1550 		if (gid != 0 && setgid(gid) < -1)
1551 		{
1552 			rval = EAGAIN;
1553 			syserr("setgid(%ld) failure", (long) gid);
1554 			goto resetuid;
1555 		}
1556 		if (uid != 0)
1557 		{
1558 # if MAILER_SETUID_METHOD == USE_SETEUID
1559 			if (seteuid(uid) < 0)
1560 			{
1561 				rval = EAGAIN;
1562 				syserr("seteuid(%ld) failure (real=%ld, eff=%ld)",
1563 					(long) uid, (long) getuid(), (long) geteuid());
1564 				goto resetuid;
1565 			}
1566 # endif /* MAILER_SETUID_METHOD == USE_SETEUID */
1567 # if MAILER_SETUID_METHOD == USE_SETREUID
1568 			if (setreuid(0, uid) < 0)
1569 			{
1570 				rval = EAGAIN;
1571 				syserr("setreuid(0, %ld) failure (real=%ld, eff=%ld)",
1572 					(long) uid, (long) getuid(), (long) geteuid());
1573 				goto resetuid;
1574 			}
1575 # endif /* MAILER_SETUID_METHOD == USE_SETREUID */
1576 		}
1577 	}
1578 #endif /* MAILER_SETUID_METHOD != USE_SETUID */
1579 
1580 	if (tTd(27, 9))
1581 		sm_dprintf("include: new uid = %ld/%ld\n",
1582 			   (long) getuid(), (long) geteuid());
1583 
1584 	/*
1585 	**  If home directory is remote mounted but server is down,
1586 	**  this can hang or give errors; use a timeout to avoid this
1587 	*/
1588 
1589 	if (setjmp(CtxIncludeTimeout) != 0)
1590 	{
1591 		ctladdr->q_state = QS_QUEUEUP;
1592 		errno = 0;
1593 
1594 		/* return pseudo-error code */
1595 		rval = E_SM_OPENTIMEOUT;
1596 		goto resetuid;
1597 	}
1598 	if (TimeOuts.to_fileopen > 0)
1599 		ev = sm_setevent(TimeOuts.to_fileopen, includetimeout, 0);
1600 	else
1601 		ev = NULL;
1602 
1603 
1604 	/* check for writable parent directory */
1605 	p = strrchr(fname, '/');
1606 	if (p != NULL)
1607 	{
1608 		int ret;
1609 
1610 		*p = '\0';
1611 		ret = safedirpath(fname, uid, gid, user,
1612 				  sfflags|SFF_SAFEDIRPATH, 0, 0);
1613 		if (ret == 0)
1614 		{
1615 			/* in safe directory: relax chown & link rules */
1616 			safedir = true;
1617 			sfflags |= SFF_NOPATHCHECK;
1618 		}
1619 		else
1620 		{
1621 			if (bitnset((forwarding ?
1622 				     DBS_FORWARDFILEINUNSAFEDIRPATH :
1623 				     DBS_INCLUDEFILEINUNSAFEDIRPATH),
1624 				    DontBlameSendmail))
1625 				sfflags |= SFF_NOPATHCHECK;
1626 			else if (bitnset((forwarding ?
1627 					  DBS_FORWARDFILEINGROUPWRITABLEDIRPATH :
1628 					  DBS_INCLUDEFILEINGROUPWRITABLEDIRPATH),
1629 					 DontBlameSendmail) &&
1630 				 ret == E_SM_GWDIR)
1631 			{
1632 				setbitn(DBS_GROUPWRITABLEDIRPATHSAFE,
1633 					DontBlameSendmail);
1634 				ret = safedirpath(fname, uid, gid, user,
1635 						  sfflags|SFF_SAFEDIRPATH,
1636 						  0, 0);
1637 				clrbitn(DBS_GROUPWRITABLEDIRPATHSAFE,
1638 					DontBlameSendmail);
1639 				if (ret == 0)
1640 					sfflags |= SFF_NOPATHCHECK;
1641 				else
1642 					sfflags |= SFF_SAFEDIRPATH;
1643 			}
1644 			else
1645 				sfflags |= SFF_SAFEDIRPATH;
1646 			if (ret > E_PSEUDOBASE &&
1647 			    !bitnset((forwarding ?
1648 				      DBS_FORWARDFILEINUNSAFEDIRPATHSAFE :
1649 				      DBS_INCLUDEFILEINUNSAFEDIRPATHSAFE),
1650 				     DontBlameSendmail))
1651 			{
1652 				if (LogLevel > 11)
1653 					sm_syslog(LOG_INFO, e->e_id,
1654 						  "%s: unsafe directory path, marked unsafe",
1655 						  shortenstring(fname, MAXSHORTSTR));
1656 				ctladdr->q_flags |= QUNSAFEADDR;
1657 			}
1658 		}
1659 		*p = '/';
1660 	}
1661 
1662 	/* allow links only in unwritable directories */
1663 	if (!safedir &&
1664 	    !bitnset((forwarding ?
1665 		      DBS_LINKEDFORWARDFILEINWRITABLEDIR :
1666 		      DBS_LINKEDINCLUDEFILEINWRITABLEDIR),
1667 		     DontBlameSendmail))
1668 		sfflags |= SFF_NOLINK;
1669 
1670 	rval = safefile(fname, uid, gid, user, sfflags, S_IREAD, &st);
1671 	if (rval != 0)
1672 	{
1673 		/* don't use this :include: file */
1674 		if (tTd(27, 4))
1675 			sm_dprintf("include: not safe (uid=%ld): %s\n",
1676 				   (long) uid, sm_errstring(rval));
1677 	}
1678 	else if ((fp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, fname,
1679 				  SM_IO_RDONLY, NULL)) == NULL)
1680 	{
1681 		rval = errno;
1682 		if (tTd(27, 4))
1683 			sm_dprintf("include: open: %s\n", sm_errstring(rval));
1684 	}
1685 	else if (filechanged(fname, sm_io_getinfo(fp,SM_IO_WHAT_FD, NULL), &st))
1686 	{
1687 		rval = E_SM_FILECHANGE;
1688 		if (tTd(27, 4))
1689 			sm_dprintf("include: file changed after open\n");
1690 	}
1691 	if (ev != NULL)
1692 		sm_clrevent(ev);
1693 
1694 resetuid:
1695 
1696 #if HASSETREUID || USESETEUID
1697 	if (saveduid == 0)
1698 	{
1699 		if (uid != 0)
1700 		{
1701 # if USESETEUID
1702 			if (seteuid(0) < 0)
1703 				syserr("!seteuid(0) failure (real=%ld, eff=%ld)",
1704 				       (long) getuid(), (long) geteuid());
1705 # else /* USESETEUID */
1706 			if (setreuid(-1, 0) < 0)
1707 				syserr("!setreuid(-1, 0) failure (real=%ld, eff=%ld)",
1708 				       (long) getuid(), (long) geteuid());
1709 			if (setreuid(RealUid, 0) < 0)
1710 				syserr("!setreuid(%ld, 0) failure (real=%ld, eff=%ld)",
1711 				       (long) RealUid, (long) getuid(),
1712 				       (long) geteuid());
1713 # endif /* USESETEUID */
1714 		}
1715 		if (setgid(savedgid) < 0)
1716 			syserr("!setgid(%ld) failure (real=%ld eff=%ld)",
1717 			       (long) savedgid, (long) getgid(),
1718 			       (long) getegid());
1719 	}
1720 #endif /* HASSETREUID || USESETEUID */
1721 
1722 	if (tTd(27, 9))
1723 		sm_dprintf("include: reset uid = %ld/%ld\n",
1724 			   (long) getuid(), (long) geteuid());
1725 
1726 	if (rval == E_SM_OPENTIMEOUT)
1727 		usrerr("451 4.4.1 open timeout on %s", fname);
1728 
1729 	if (fp == NULL)
1730 		return rval;
1731 
1732 	if (fstat(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), &st) < 0)
1733 	{
1734 		rval = errno;
1735 		syserr("Cannot fstat %s!", fname);
1736 		(void) sm_io_close(fp, SM_TIME_DEFAULT);
1737 		return rval;
1738 	}
1739 
1740 	/* if path was writable, check to avoid file giveaway tricks */
1741 	safechown = chownsafe(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), safedir);
1742 	if (tTd(27, 6))
1743 		sm_dprintf("include: parent of %s is %s, chown is %ssafe\n",
1744 			   fname, safedir ? "safe" : "dangerous",
1745 			   safechown ? "" : "un");
1746 
1747 	/* if no controlling user or coming from an alias delivery */
1748 	if (safechown &&
1749 	    (ca == NULL ||
1750 	     (ca->q_uid == DefUid && ca->q_gid == 0)))
1751 	{
1752 		ctladdr->q_uid = st.st_uid;
1753 		ctladdr->q_gid = st.st_gid;
1754 		ctladdr->q_flags |= QGOODUID;
1755 	}
1756 	if (ca != NULL && ca->q_uid == st.st_uid)
1757 	{
1758 		/* optimization -- avoid getpwuid if we already have info */
1759 		ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
1760 		ctladdr->q_ruser = ca->q_ruser;
1761 	}
1762 	else if (!forwarding)
1763 	{
1764 		register struct passwd *pw;
1765 
1766 		pw = sm_getpwuid(st.st_uid);
1767 		if (pw == NULL)
1768 		{
1769 			ctladdr->q_uid = st.st_uid;
1770 			ctladdr->q_flags |= QBOGUSSHELL;
1771 		}
1772 		else
1773 		{
1774 			char *sh;
1775 
1776 			ctladdr->q_ruser = sm_rpool_strdup_x(e->e_rpool,
1777 							     pw->pw_name);
1778 			if (safechown)
1779 				sh = pw->pw_shell;
1780 			else
1781 				sh = "/SENDMAIL/ANY/SHELL/";
1782 			if (!usershellok(pw->pw_name, sh))
1783 			{
1784 				if (LogLevel > 11)
1785 					sm_syslog(LOG_INFO, e->e_id,
1786 						  "%s: user %s has bad shell %s, marked %s",
1787 						  shortenstring(fname,
1788 								MAXSHORTSTR),
1789 						  pw->pw_name, sh,
1790 						  safechown ? "bogus" : "unsafe");
1791 				if (safechown)
1792 					ctladdr->q_flags |= QBOGUSSHELL;
1793 				else
1794 					ctladdr->q_flags |= QUNSAFEADDR;
1795 			}
1796 		}
1797 	}
1798 
1799 	if (bitset(EF_VRFYONLY, e->e_flags))
1800 	{
1801 		/* don't do any more now */
1802 		ctladdr->q_state = QS_VERIFIED;
1803 		e->e_nrcpts++;
1804 		(void) sm_io_close(fp, SM_TIME_DEFAULT);
1805 		return rval;
1806 	}
1807 
1808 	/*
1809 	**  Check to see if some bad guy can write this file
1810 	**
1811 	**	Group write checking could be more clever, e.g.,
1812 	**	guessing as to which groups are actually safe ("sys"
1813 	**	may be; "user" probably is not).
1814 	*/
1815 
1816 	mode = S_IWOTH;
1817 	if (!bitnset((forwarding ?
1818 		      DBS_GROUPWRITABLEFORWARDFILESAFE :
1819 		      DBS_GROUPWRITABLEINCLUDEFILESAFE),
1820 		     DontBlameSendmail))
1821 		mode |= S_IWGRP;
1822 
1823 	if (bitset(mode, st.st_mode))
1824 	{
1825 		if (tTd(27, 6))
1826 			sm_dprintf("include: %s is %s writable, marked unsafe\n",
1827 				   shortenstring(fname, MAXSHORTSTR),
1828 				   bitset(S_IWOTH, st.st_mode) ? "world"
1829 							       : "group");
1830 		if (LogLevel > 11)
1831 			sm_syslog(LOG_INFO, e->e_id,
1832 				  "%s: %s writable %s file, marked unsafe",
1833 				  shortenstring(fname, MAXSHORTSTR),
1834 				  bitset(S_IWOTH, st.st_mode) ? "world" : "group",
1835 				  forwarding ? "forward" : ":include:");
1836 		ctladdr->q_flags |= QUNSAFEADDR;
1837 	}
1838 
1839 	/* read the file -- each line is a comma-separated list. */
1840 	FileName = fname;
1841 	LineNumber = 0;
1842 	ctladdr->q_flags &= ~QSELFREF;
1843 	nincludes = 0;
1844 	while (sm_io_fgets(fp, SM_TIME_DEFAULT, buf, sizeof(buf)) >= 0 &&
1845 	       !maxreached)
1846 	{
1847 		fixcrlf(buf, true);
1848 		LineNumber++;
1849 		if (buf[0] == '#' || buf[0] == '\0')
1850 			continue;
1851 
1852 		/* <sp>#@# introduces a comment anywhere */
1853 		/* for Japanese character sets */
1854 		for (p = buf; (p = strchr(++p, '#')) != NULL; )
1855 		{
1856 			if (p[1] == '@' && p[2] == '#' &&
1857 			    isascii(p[-1]) && isspace(p[-1]) &&
1858 			    (p[3] == '\0' || (SM_ISSPACE(p[3]))))
1859 			{
1860 				--p;
1861 				while (p > buf && isascii(p[-1]) &&
1862 				       isspace(p[-1]))
1863 					--p;
1864 				p[0] = '\0';
1865 				break;
1866 			}
1867 		}
1868 		if (buf[0] == '\0')
1869 			continue;
1870 
1871 		e->e_to = NULL;
1872 		message("%s to %s",
1873 			forwarding ? "forwarding" : "sending", buf);
1874 		if (forwarding && LogLevel > 10)
1875 			sm_syslog(LOG_INFO, e->e_id,
1876 				  "forward %.200s => %s",
1877 				  oldto, shortenstring(buf, MAXSHORTSTR));
1878 
1879 		nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e);
1880 
1881 		if (forwarding &&
1882 		    MaxForwardEntries > 0 &&
1883 		    nincludes >= MaxForwardEntries)
1884 		{
1885 			/* just stop reading and processing further entries */
1886 #if 0
1887 			/* additional: (?) */
1888 			ctladdr->q_state = QS_DONTSEND;
1889 #endif /* 0 */
1890 
1891 			syserr("Attempt to forward to more than %d addresses (in %s)!",
1892 				MaxForwardEntries, fname);
1893 			maxreached = true;
1894 		}
1895 	}
1896 
1897 	if (sm_io_error(fp) && tTd(27, 3))
1898 		sm_dprintf("include: read error: %s\n", sm_errstring(errno));
1899 	if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
1900 	{
1901 		if (aliaslevel <= MaxAliasRecursion ||
1902 		    ctladdr->q_state != QS_BADADDR)
1903 		{
1904 			ctladdr->q_state = QS_DONTSEND;
1905 			if (tTd(27, 5))
1906 			{
1907 				sm_dprintf("include: QS_DONTSEND ");
1908 				printaddr(sm_debug_file(), ctladdr, false);
1909 			}
1910 		}
1911 	}
1912 
1913 	(void) sm_io_close(fp, SM_TIME_DEFAULT);
1914 	FileName = oldfilename;
1915 	LineNumber = oldlinenumber;
1916 	e->e_to = oldto;
1917 	return rval;
1918 }
1919 
1920 static void
1921 includetimeout(ignore)
1922 	int ignore;
1923 {
1924 	/*
1925 	**  NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER.  DO NOT ADD
1926 	**	ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE
1927 	**	DOING.
1928 	*/
1929 
1930 	errno = ETIMEDOUT;
1931 	longjmp(CtxIncludeTimeout, 1);
1932 }
1933 
1934 /*
1935 **  SENDTOARGV -- send to an argument vector.
1936 **
1937 **	Parameters:
1938 **		argv -- argument vector to send to.
1939 **		e -- the current envelope.
1940 **
1941 **	Returns:
1942 **		none.
1943 **
1944 **	Side Effects:
1945 **		puts all addresses on the argument vector onto the
1946 **			send queue.
1947 */
1948 
1949 void
1950 sendtoargv(argv, e)
1951 	register char **argv;
1952 	register ENVELOPE *e;
1953 {
1954 	register char *p;
1955 
1956 #if USE_EAI
1957 	if (!e->e_smtputf8)
1958 	{
1959 		char **av;
1960 
1961 		av = argv;
1962 		while ((p = *av++) != NULL)
1963 		{
1964 			if (!addr_is_ascii(p))
1965 			{
1966 				e->e_smtputf8 = true;
1967 				break;
1968 			}
1969 		}
1970 	}
1971 #endif /* USE_EAI */
1972 
1973 	while ((p = *argv++) != NULL)
1974 	{
1975 #if USE_EAI
1976 		if (e->e_smtputf8)
1977 		{
1978 			int len = 0;
1979 
1980 			if (!SMTPUTF8 && !asciistr(p))
1981 			{
1982 				usrerr("non-ASCII recipient address %s requires SMTPUTF8",
1983 					p);
1984 				finis(false, true, EX_USAGE);
1985 			}
1986 			p = quote_internal_chars(p, NULL, &len, NULL);
1987 		}
1988 #endif /* USE_EAI */
1989 		(void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e);
1990 	}
1991 }
1992 
1993 /*
1994 **  GETCTLADDR -- get controlling address from an address header.
1995 **
1996 **	If none, get one corresponding to the effective userid.
1997 **
1998 **	Parameters:
1999 **		a -- the address to find the controller of.
2000 **
2001 **	Returns:
2002 **		the controlling address.
2003 */
2004 
2005 ADDRESS *
2006 getctladdr(a)
2007 	register ADDRESS *a;
2008 {
2009 	while (a != NULL && !bitset(QGOODUID, a->q_flags))
2010 		a = a->q_alias;
2011 	return a;
2012 }
2013 
2014 /*
2015 **  SELF_REFERENCE -- check to see if an address references itself
2016 **
2017 **	The check is done through a chain of aliases.  If it is part of
2018 **	a loop, break the loop at the "best" address, that is, the one
2019 **	that exists as a real user.
2020 **
2021 **	This is to handle the case of:
2022 **		awc:		Andrew.Chang
2023 **		Andrew.Chang:	awc@mail.server
2024 **	which is a problem only on mail.server.
2025 **
2026 **	Parameters:
2027 **		a -- the address to check.
2028 **
2029 **	Returns:
2030 **		The address that should be retained.
2031 */
2032 
2033 static ADDRESS *
2034 self_reference(a)
2035 	ADDRESS *a;
2036 {
2037 	ADDRESS *b;		/* top entry in self ref loop */
2038 	ADDRESS *c;		/* entry that point to a real mail box */
2039 
2040 	if (tTd(27, 1))
2041 		sm_dprintf("self_reference(%s)\n", a->q_paddr);
2042 
2043 	for (b = a->q_alias; b != NULL; b = b->q_alias)
2044 	{
2045 		if (sameaddr(a, b))
2046 			break;
2047 	}
2048 
2049 	if (b == NULL)
2050 	{
2051 		if (tTd(27, 1))
2052 			sm_dprintf("\t... no self ref\n");
2053 		return NULL;
2054 	}
2055 
2056 	/*
2057 	**  Pick the first address that resolved to a real mail box
2058 	**  i.e has a mbdb entry.  The returned value will be marked
2059 	**  QSELFREF in recipient(), which in turn will disable alias()
2060 	**  from marking it as QS_IS_DEAD(), which mean it will be used
2061 	**  as a deliverable address.
2062 	**
2063 	**  The 2 key thing to note here are:
2064 	**	1) we are in a recursive call sequence:
2065 	**		alias->sendtolist->recipient->alias
2066 	**	2) normally, when we return back to alias(), the address
2067 	**	   will be marked QS_EXPANDED, since alias() assumes the
2068 	**	   expanded form will be used instead of the current address.
2069 	**	   This behaviour is turned off if the address is marked
2070 	**	   QSELFREF.  We set QSELFREF when we return to recipient().
2071 	*/
2072 
2073 	c = a;
2074 	while (c != NULL)
2075 	{
2076 		if (tTd(27, 10))
2077 			sm_dprintf("  %s", c->q_user);
2078 		if (bitnset(M_HASPWENT, c->q_mailer->m_flags))
2079 		{
2080 			SM_MBDB_T user;
2081 
2082 			if (tTd(27, 2))
2083 				sm_dprintf("\t... getpwnam(%s)... ", c->q_user);
2084 			if (sm_mbdb_lookup(c->q_user, &user) == EX_OK)
2085 			{
2086 				if (tTd(27, 2))
2087 					sm_dprintf("found\n");
2088 
2089 				/* ought to cache results here */
2090 				if (sameaddr(b, c))
2091 					return b;
2092 				else
2093 					return c;
2094 			}
2095 			if (tTd(27, 2))
2096 				sm_dprintf("failed\n");
2097 		}
2098 		else
2099 		{
2100 			/* if local delivery, compare usernames */
2101 			if (bitnset(M_LOCALMAILER, c->q_mailer->m_flags) &&
2102 			    b->q_mailer == c->q_mailer)
2103 			{
2104 				if (tTd(27, 2))
2105 					sm_dprintf("\t... local match (%s)\n",
2106 						c->q_user);
2107 				if (sameaddr(b, c))
2108 					return b;
2109 				else
2110 					return c;
2111 			}
2112 		}
2113 		if (tTd(27, 10))
2114 			sm_dprintf("\n");
2115 		c = c->q_alias;
2116 	}
2117 
2118 	if (tTd(27, 1))
2119 		sm_dprintf("\t... cannot break loop for \"%s\"\n", a->q_paddr);
2120 
2121 	return NULL;
2122 }
2123