+static int open_mda_sink(struct query *ctl, struct msgblk *msg,
+ int *good_addresses, int *bad_addresses)
+/* open a stream to a local MDA */
+{
+#ifdef HAVE_SETEUID
+ uid_t orig_uid;
+#endif /* HAVE_SETEUID */
+ struct idlist *idp;
+ int length = 0, fromlen = 0, nameslen = 0;
+ char *names = NULL, *before, *after, *from = NULL;
+
+ (void)bad_addresses;
+ xfree(ctl->destaddr);
+ ctl->destaddr = xstrdup("localhost");
+
+ for (idp = msg->recipients; idp; idp = idp->next)
+ if (idp->val.status.mark == XMIT_ACCEPT)
+ (*good_addresses)++;
+
+ length = strlen(ctl->mda);
+ before = xstrdup(ctl->mda);
+
+ /* get user addresses for %T (or %s for backward compatibility) */
+ if (strstr(before, "%s") || strstr(before, "%T"))
+ {
+ /*
+ * We go through this in order to be able to handle very
+ * long lists of users and (re)implement %s.
+ */
+ nameslen = 0;
+ for (idp = msg->recipients; idp; idp = idp->next)
+ if (idp->val.status.mark == XMIT_ACCEPT)
+ nameslen += (strlen(idp->id) + 1); /* string + ' ' */
+ if (*good_addresses == 0)
+ nameslen = strlen(run.postmaster);
+
+ names = (char *)xmalloc(nameslen + 1); /* account for '\0' */
+ if (*good_addresses == 0)
+ strcpy(names, run.postmaster);
+ else
+ {
+ names[0] = '\0';
+ for (idp = msg->recipients; idp; idp = idp->next)
+ if (idp->val.status.mark == XMIT_ACCEPT)
+ {
+ strcat(names, idp->id);
+ strcat(names, " ");
+ }
+ names[--nameslen] = '\0'; /* chop trailing space */
+ }
+
+ sanitize(names);
+ }
+
+ /* get From address for %F */
+ if (strstr(before, "%F"))
+ {
+ from = xstrdup(msg->return_path);
+
+ sanitize(from);
+
+ fromlen = strlen(from);
+ }
+
+ /* do we have to build an mda string? */
+ if (names || from)
+ {
+ char *sp, *dp;
+
+ /* find length of resulting mda string */
+ sp = before;
+ while ((sp = strstr(sp, "%s"))) {
+ length += nameslen; /* subtract %s and add '' */
+ sp += 2;
+ }
+ sp = before;
+ while ((sp = strstr(sp, "%T"))) {
+ length += nameslen; /* subtract %T and add '' */
+ sp += 2;
+ }
+ sp = before;
+ while ((sp = strstr(sp, "%F"))) {
+ length += fromlen; /* subtract %F and add '' */
+ sp += 2;
+ }
+
+ after = (char *)xmalloc(length + 1);
+
+ /* copy mda source string to after, while expanding %[sTF] */
+ for (dp = after, sp = before; (*dp = *sp); dp++, sp++) {
+ if (sp[0] != '%') continue;
+
+ /* need to expand? BTW, no here overflow, because in
+ ** the worst case (end of string) sp[1] == '\0' */
+ if (sp[1] == 's' || sp[1] == 'T') {
+ *dp++ = '\'';
+ strcpy(dp, names);
+ dp += nameslen;
+ *dp++ = '\'';
+ sp++; /* position sp over [sT] */
+ dp--; /* adjust dp */
+ } else if (sp[1] == 'F') {
+ *dp++ = '\'';
+ strcpy(dp, from);
+ dp += fromlen;
+ *dp++ = '\'';
+ sp++; /* position sp over F */
+ dp--; /* adjust dp */
+ }
+ }
+
+ if (names) {
+ free(names);
+ names = NULL;
+ }
+ if (from) {
+ free(from);
+ from = NULL;
+ }
+
+ free(before);
+
+ before = after;
+ }
+
+
+ if (outlevel >= O_DEBUG)
+ report(stdout, GT_("about to deliver with: %s\n"), before);
+
+#ifdef HAVE_SETEUID
+ /*
+ * Arrange to run with user's permissions if we're root.
+ * This will initialize the ownership of any files the
+ * MDA creates properly. (The seteuid call is available
+ * under all BSDs and Linux)
+ */
+ orig_uid = getuid();
+ if (seteuid(ctl->uid)) {
+ report(stderr, GT_("Cannot switch effective user id to %ld: %s\n"), (long)ctl->uid, strerror(errno));
+ return PS_IOERR;
+ }
+#endif /* HAVE_SETEUID */
+
+ sinkfp = popen(before, "w");
+ free(before);
+ before = NULL;
+
+#ifdef HAVE_SETEUID
+ /* this will fail quietly if we didn't start as root */
+ if (seteuid(orig_uid)) {
+ report(stderr, GT_("Cannot switch effective user id back to original %ld: %s\n"), (long)orig_uid, strerror(errno));
+ return PS_IOERR;
+ }
+#endif /* HAVE_SETEUID */
+
+ if (!sinkfp)
+ {
+ report(stderr, GT_("MDA open failed\n"));
+ return(PS_IOERR);
+ }
+
+ /*
+ * We need to disable the normal SIGCHLD handling here because
+ * sigchld_handler() would reap away the error status, returning
+ * error status instead of 0 for successful completion.
+ */
+ set_signal_handler(SIGCHLD, SIG_DFL);
+
+ return(PS_SUCCESS);
+}
+
+int open_sink(struct query *ctl, struct msgblk *msg,
+ int *good_addresses, int *bad_addresses)
+/* set up sinkfp to be an input sink we can ship a message to */
+{
+ *bad_addresses = *good_addresses = 0;
+
+ if (want_progress() && outlevel >= O_VERBOSE && !ctl->mda && !ctl->bsmtp) puts("");
+
+ if (ctl->bsmtp) /* dump to a BSMTP batch file */
+ return(open_bsmtp_sink(ctl, msg, good_addresses, bad_addresses));
+ /*
+ * Try to forward to an SMTP or LMTP listener. If the attempt to
+ * open a socket fails, fall through to attempt delivery via
+ * local MDA.
+ */
+ else if (!ctl->mda && smtp_setup(ctl) != -1)
+ return(open_smtp_sink(ctl, msg, good_addresses, bad_addresses));
+
+ /*
+ * Awkward case. User didn't specify an MDA. Our attempt to get a
+ * listener socket failed. Try to cope anyway -- initial configuration
+ * may have found procmail.
+ */
+ else if (!ctl->mda)
+ {
+ report(stderr, GT_("%cMTP connect to %s failed\n"),
+ ctl->smtphostmode,
+ ctl->smtphost ? ctl->smtphost : "localhost");
+
+#ifndef FALLBACK_MDA
+ /* No fallback MDA declared. Bail out. */
+ return(PS_SMTP);
+#else
+ /*
+ * If user had things set up to forward offsite, no way
+ * we want to deliver locally!
+ */
+ if (ctl->smtphost && strcmp(ctl->smtphost, "localhost"))
+ return(PS_SMTP);
+
+ /*
+ * User was delivering locally. We have a fallback MDA.
+ * Latch it in place, logging the error, and fall through.
+ * Set stripcr as we would if MDA had been the initial transport
+ */
+ ctl->mda = FALLBACK_MDA;
+ if (!ctl->forcecr)
+ ctl->stripcr = TRUE;
+
+ report(stderr, GT_("can't raise the listener; falling back to %s"),
+ FALLBACK_MDA);
+#endif
+ }
+
+ if (ctl->mda) /* must deliver through an MDA */
+ return(open_mda_sink(ctl, msg, good_addresses, bad_addresses));
+
+ return(PS_SUCCESS);
+}
+
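Review bot: In open_mda_sink the `seteuid(ctl->uid)` bracket around `popen()` switches only the effective user id, so the shell that popen() starts and the MDA it runs keep the original real uid and the unchanged group ids; a shell that resets its effective id to the real id at startup would then run the MDA as root. The comment above the call should state that limit, for example `/* NOTE: only the effective uid is switched; real uid and group ids are unchanged in the MDA child */`, and a full drop (setgid/initgroups/setuid in a forked child before exec) is worth considering as a follow-up. The failure path after `seteuid(orig_uid)` returns PS_IOERR without closing the already-opened `sinkfp`, and its comment ("will fail quietly") no longer matches code that reports and returns; the first seteuid failure path also returns without `free(before)`. Because the expanded string is handed to a shell, the single-quoting of `names` and `from` is only as safe as `sanitize()`, which is defined outside this hunk and should be confirmed to neutralise `'`.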