amavisd   [plain text]


#!/usr/bin/perl -T

#------------------------------------------------------------------------------
# This is amavisd-new.
# It is an interface between message transfer agent (MTA) and virus
# scanners and/or spam scanners, functioning as a mail content filter.
#
# It is a performance-enhanced and feature-enriched version of amavisd
# (which in turn is a daemonized version of AMaViS), initially based
# on amavisd-snapshot-20020300).
#
# All work since amavisd-snapshot-20020300:
#   Copyright (C) 2002,2003,2004  Mark Martinec,  All Rights Reserved.
# with contributions from the amavis-* mailing lists and individuals,
# as acknowledged in the release notes.
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

# Author: Mark Martinec <mark.martinec@ijs.si>
# Patches and problem reports are welcome.
#
# The latest version of this program is available at:
#   http://www.ijs.si/software/amavisd/
#------------------------------------------------------------------------------

# Here is a boilerplate from the amavisd(-snapshot) version,
# which is the version that served as a base code for the initial
# version of amavisd-new. License terms were the same:
#
#   Author:  Chris Mason <cmason@unixzone.com>
#   Current maintainer: Lars Hecking <lhecking@users.sourceforge.net>
#   Based on work by:
#         Mogens Kjaer, Carlsberg Laboratory, <mk@crc.dk>
#         Juergen Quade, Softing GmbH, <quade@softing.com>
#         Christian Bricart <shiva@aachalon.de>
#         Rainer Link <link@foo.fh-furtwangen.de>
#   This script is part of the AMaViS package.  For more information see:
#     http://amavis.org/
#   Copyright (C) 2000 - 2002 the people mentioned above
#   This software is licensed under the GNU General Public License (GPL)
#   See:  http://www.gnu.org/copyleft/gpl.html
#------------------------------------------------------------------------------

#------------------------------------------------------------------------------
#Index of packages in this file
#  Amavis::Boot
#  Amavis::Conf
#  Amavis::Lock
#  Amavis::Log
#  Amavis::Timing
#  Amavis::Util
#  Amavis::rfc2821_2822_Tools
#  Amavis::Lookup::RE
#  Amavis::Lookup::Label
#  Amavis::Lookup
#  Amavis::Expand
#  Amavis::In::Connection
#  Amavis::In::Message::PerRecip
#  Amavis::In::Message
#  Amavis::Out::EditHeader
#  Amavis::Out::Local
#  Amavis::Out
#  Amavis::UnmangleSender
#  Amavis::Unpackers::NewFilename
#  Amavis::Unpackers::Part
#  Amavis::Unpackers::OurFiler
#  Amavis::Unpackers::Validity
#  Amavis::Unpackers::MIME
#  Amavis::Notify
#  Amavis::Cache
#  Amavis
#optionally compiled-in packages: ---------------------------------------------
#  Amavis::DB::SNMP
#  Amavis::DB
#  Amavis::Cache
#  Amavis::Lookup::SQLfield
#  Amavis::Lookup::SQL
#  Amavis::Lookup::LDAP
#  Amavis::Lookup::LDAPattr
#  Amavis::In::AMCL
#  Amavis::In::SMTP
#  Amavis::AV
#  Amavis::SpamControl
#  Amavis::Unpackers
#------------------------------------------------------------------------------

#
package Amavis::Boot;
use strict;
use re 'taint';

# Fetch all required modules (or nicely report missing ones), and compile them
# once-and-for-all at the parent process, so that forked children can inherit
# and share already compiled code in memory. Children will still need to 'use'
# modules if they want to inherit from their name space.
#
sub fetch_modules($$@) {
  my($reason, $required, @modules) = @_;
  my(@missing);
  for my $m (@modules) {
    local($_) = $m;
    $_ .= /^auto::/ ? '.al' : '.pm';
    s[::][/]g;
    eval { require $_ } or push(@missing, $m);
  }
  die "ERROR: MISSING $reason:\n" . join('', map { "  $_\n" } @missing)
    if $required && @missing;
}

BEGIN {
  fetch_modules('REQUIRED BASIC MODULES', 1, qw(
    Exporter POSIX Fcntl Socket Errno Carp Time::HiRes
    IO::Handle IO::File IO::Socket IO::Socket::UNIX IO::Socket::INET
    IO::Wrap IO::Stringy Digest::MD5 Unix::Syslog File::Basename File::Copy
    Mail::Field Mail::Address Mail::Header Mail::Internet
    MIME::Base64 MIME::QuotedPrint MIME::Words
    MIME::Head MIME::Body MIME::Entity MIME::Parser
    Net::Cmd Net::SMTP Net::Server Net::Server::PreForkSimple
    MIME::Decoder::Base64 MIME::Decoder::Binary MIME::Decoder::Gzip64
    MIME::Decoder::NBit MIME::Decoder::QuotedPrint MIME::Decoder::UU
  ));
  # with earlier versions of Perl one may need to add additional modules
  # to the list, such as: auto::POSIX::setgid auto::POSIX::setuid ...
  fetch_modules('OPTIONAL BASIC MODULES', 0, qw(
    Carp::Heavy auto::POSIX::setgid auto::POSIX::setuid
  ));
}

1;

#
package Amavis::Conf;
use strict;
use re 'taint';

# prototypes
sub D_REJECT();
sub D_BOUNCE();
sub D_DISCARD();
sub D_PASS();

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  @EXPORT = ();
  @EXPORT_OK = ();
  %EXPORT_TAGS = (
    'dynamic_confvars' => [qw(
      $policy_bank_name $protocol @inet_acl
      $log_level $log_templ $log_recip_templ $forward_method $notify_method

      $amavis_auth_user $amavis_auth_pass $auth_reauthenticate_forwarded
      $auth_required_out $auth_required_inp @auth_mech_avail
      $local_client_bind_address
      $localhost_name $smtpd_greeting_banner $smtpd_quit_banner
      $smtpd_message_size_limit

      $final_virus_destiny $final_spam_destiny
      $final_banned_destiny $final_bad_header_destiny
      $warnvirussender $warnspamsender $warnbannedsender $warnbadhsender
      $warn_offsite

      @av_scanners @av_scanners_backup $first_infected_stops_scan
      $bypass_decode_parts

      $defang_virus $defang_banned $defang_spam
      $defang_bad_header $defang_undecipherable $defang_all
      $undecipherable_subject_tag
      $sa_spam_report_header $sa_spam_level_char
      $sa_mail_body_size_limit

      $localpart_is_case_sensitive
      $recipient_delimiter $replace_existing_extension
      $hdr_encoding $bdy_encoding $hdr_encoding_qb
      $notify_xmailer_header $X_HEADER_TAG $X_HEADER_LINE
      $remove_existing_x_scanned_headers $remove_existing_spam_headers

      $hdrfrom_notify_sender $hdrfrom_notify_recip
      $hdrfrom_notify_admin $hdrfrom_notify_spamadmin
      $mailfrom_notify_sender $mailfrom_notify_recip
      $mailfrom_notify_admin $mailfrom_notify_spamadmin
      $mailfrom_to_quarantine
      $virus_quarantine_method $spam_quarantine_method
      $banned_files_quarantine_method $bad_header_quarantine_method
      %local_delivery_aliases

      $notify_sender_templ
      $notify_virus_sender_templ $notify_spam_sender_templ
      $notify_virus_admin_templ  $notify_spam_admin_templ
      $notify_virus_recips_templ $notify_spam_recips_templ

      $banned_namepath_re
      $per_recip_whitelist_sender_lookup_tables
      $per_recip_blacklist_sender_lookup_tables

      @local_domains_maps @mynetworks_maps
      @bypass_virus_checks_maps @bypass_spam_checks_maps
      @bypass_banned_checks_maps @bypass_header_checks_maps
      @virus_lovers_maps @spam_lovers_maps
      @banned_files_lovers_maps @bad_header_lovers_maps
      @warnvirusrecip_maps @warnbannedrecip_maps @warnbadhrecip_maps
      @virus_admin_maps @spam_admin_maps @virus_quarantine_to_maps
      @banned_quarantine_to_maps @bad_header_quarantine_to_maps
      @spam_quarantine_to_maps @spam_quarantine_bysender_to_maps
      @banned_filename_maps
      @spam_tag_level_maps @spam_tag2_level_maps @spam_kill_level_maps
      @spam_dsn_cutoff_level_maps @spam_modifies_subj_maps
      @spam_subject_tag_maps @spam_subject_tag2_maps
      @whitelist_sender_maps @blacklist_sender_maps @score_sender_maps
      @message_size_limit_maps
      @addr_extension_virus_maps  @addr_extension_spam_maps
      @addr_extension_banned_maps @addr_extension_bad_header_maps
      @debug_sender_maps
    )],
    'confvars' => [qw(
      $myproduct_name $myversion_id $myversion_id_numeric $myversion_date
      $myversion $myhostname
      $MYHOME $TEMPBASE $QUARANTINEDIR
      $daemonize $pid_file $lock_file $db_home
      $enable_db $enable_global_cache
      $daemon_user $daemon_group $daemon_chroot_dir $path
      $DEBUG $DO_SYSLOG $SYSLOG_LEVEL $LOGFILE
      $max_servers $max_requests $child_timeout
      %current_policy_bank %policy_bank %interface_policy
      $unix_socketname $inet_socket_port $inet_socket_bind
      $insert_received_line $relayhost_is_client $smtpd_recipient_limit
      $MAXLEVELS $MAXFILES
      $MIN_EXPANSION_QUOTA $MIN_EXPANSION_FACTOR
      $MAX_EXPANSION_QUOTA $MAX_EXPANSION_FACTOR
      @lookup_sql_dsn
      $sql_select_policy $sql_select_white_black_list
      $virus_check_negative_ttl $virus_check_positive_ttl
      $spam_check_negative_ttl $spam_check_positive_ttl

      $enable_ldap $default_ldap $virus_lovers_ldap $spam_lovers_ldap
      $banned_files_lovers_ldap $bad_header_lovers_ldap
      $bypass_virus_checks_ldap $bypass_spam_checks_ldap
      $bypass_banned_checks_ldap $bypass_header_checks_ldap
      $spam_tag_level_ldap $spam_tag2_level_ldap $spam_kill_level_ldap
      $spam_modifies_subj_ldap $local_domains_ldap
      $spam_quarantine_to_ldap $virus_quarantine_to_ldap
      $banned_quarantine_to_ldap $bad_header_quarantine_to_ldap
      $spam_whitelist_sender_ldap $spam_blacklist_sender_ldap

      @keep_decoded_original_maps @map_full_type_to_short_type_maps
      @viruses_that_fake_sender_maps
    )],
    'unpack' => [qw(
      $file $arc $gzip $bzip2 $lzop $lha $unarj $uncompress $unfreeze
      $unrar $zoo $cpio $ar $rpm2cpio $cabextract
    )],
    'sa' => [qw(
      $helpers_home $dspam
      $sa_local_tests_only $sa_auto_whitelist $sa_timeout $sa_debug
    )],
    'platform' => [qw(
      $can_truncate $unicode_aware $eol
      &D_REJECT &D_BOUNCE &D_DISCARD &D_PASS
    )],

    # other variables settable by user in amavisd.conf,
    # but not directly accessible by the program
    'hidden_confvars' => [qw(
      $mydomain
    )],

    # legacy variables, predeclared for compatibility of amavisd.conf
    # The rest of the program does not use them directly and they should not be
    # visible in other modules, but may be referenced throgh @*_maps variables.
    'legacy_confvars' => [qw(
      %local_domains @local_domains_acl $local_domains_re @mynetworks
      %bypass_virus_checks @bypass_virus_checks_acl $bypass_virus_checks_re
      %bypass_spam_checks @bypass_spam_checks_acl $bypass_spam_checks_re
      %bypass_banned_checks @bypass_banned_checks_acl $bypass_banned_checks_re
      %bypass_header_checks @bypass_header_checks_acl $bypass_header_checks_re
      %virus_lovers @virus_lovers_acl $virus_lovers_re
      %spam_lovers @spam_lovers_acl $spam_lovers_re
      %banned_files_lovers @banned_files_lovers_acl $banned_files_lovers_re
      %bad_header_lovers @bad_header_lovers_acl $bad_header_lovers_re
      %virus_admin %spam_admin $virus_admin $spam_admin
      $warnvirusrecip $warnbannedrecip $warnbadhrecip
      $virus_quarantine_to $banned_quarantine_to $bad_header_quarantine_to
      $spam_quarantine_to $spam_quarantine_bysender_to
      $keep_decoded_original_re $map_full_type_to_short_type_re
      $banned_filename_re $viruses_that_fake_sender_re
      $sa_tag_level_deflt $sa_tag2_level_deflt $sa_kill_level_deflt
      $sa_dsn_cutoff_level $sa_spam_modifies_subj
      $sa_spam_subject_tag1 $sa_spam_subject_tag
      %whitelist_sender @whitelist_sender_acl $whitelist_sender_re
      %blacklist_sender @blacklist_sender_acl $blacklist_sender_re
      $addr_extension_virus $addr_extension_spam
      $addr_extension_banned $addr_extension_bad_header
      $gets_addr_in_quoted_form @debug_sender_acl
    )],
  );
  Exporter::export_tags qw(dynamic_confvars confvars unpack sa platform
                           hidden_confvars legacy_confvars);
} # BEGIN

use POSIX qw(uname);
use Carp ();
use Errno qw(ENOENT);

use vars @EXPORT;

sub c($); sub cr($); sub ca($);  # prototypes
use subs qw(c cr ca);  # access subroutine to new-style config variables
BEGIN { push(@EXPORT,qw(c cr ca)) }

{ # initialize new-style hash (policy bank) containing dynamic config settings
  for my $tag (@EXPORT_TAGS{'dynamic_confvars'}) {
    for my $v (@$tag) {
      if ($v !~ /^([%\$\@])(.*)\z/) { die "Unsupported variable type: $v" }
      else {
        no strict 'refs'; my($type,$name) = ($1,$2);
        $current_policy_bank{$name} = $type eq '$' ? \${"Amavis::Conf::$name"}
                                    : $type eq '@' ? \@{"Amavis::Conf::$name"}
                                    : $type eq '%' ? \%{"Amavis::Conf::$name"}
                                    : undef;
      }
    }
  }
  $current_policy_bank{'policy_bank_name'} = '';  # builtin policy
  $policy_bank{''} = { %current_policy_bank };    # copy
}

# new-style access to dynamic config variables
# return a config variable value - usually a scalar;
# one level of indirection for scalars is allowed
sub c($) {
  my($name) = @_;
  if (!exists $current_policy_bank{$name}) {
    Carp::croak(sprintf('No entry "%s" in policy bank "%s"',
                        $name, $current_policy_bank{'policy_bank_name'}));
  }
  my($var) = $current_policy_bank{$name}; my($r) = ref($var);
  !$r ? $var : $r eq 'SCALAR' ? $$var
    : $r eq 'ARRAY' ? @$var : $r eq 'HASH' ? %$var : $var;
}

# return a ref to a config variable value, or undef if var is undefined
sub cr($) {
  my($name) = @_;
  if (!exists $current_policy_bank{$name}) {
    Carp::croak(sprintf('No entry "%s" in policy bank "%s"',
                        $name, $current_policy_bank{'policy_bank_name'}));
  }
  my($var) = $current_policy_bank{$name};
  !defined($var) ? undef : !ref($var) ? \$var : $var;
}

# return a ref to a config variable value (which is supposed to be an array),
# converting undef to an empty array, and a scalar to a one-element array
# if necessary
sub ca($) {
  my($name) = @_;
  if (!exists $current_policy_bank{$name}) {
    Carp::croak(sprintf('No entry "%s" in policy bank "%s"',
                        $name, $current_policy_bank{'policy_bank_name'}));
  }
  my($var) = $current_policy_bank{$name};
  !defined($var) ? [] : !ref($var) ? [$var] : $var;
}

$myproduct_name = 'amavisd-new';
$myversion_id = '2.2.0'; $myversion_date = '20041102';

$myversion = "$myproduct_name-$myversion_id ($myversion_date)";
$myversion_id_numeric =  # x.yyyzzz, allows numerical comparision, like Perl $]
  sprintf("%8.6f", $1 + ($2 + $3/1000)/1000)
  if $myversion_id =~ /^(\d+)(?:\.(\d*)(?:\.(\d*))?)?(.*)$/;

$eol = "\n";  # native record separator in files: LF or CRLF or even CR
$unicode_aware = $]>=5.008 && length("\x{263a}")==1 && eval { require Encode };

# serves only as a quick default for other configuration settings
$MYHOME   = '/var/amavis';
$mydomain = '!change-mydomain-variable!.example.com';#intentionally bad default

# Create debugging output - true: log to stderr; false: log to syslog/file
$DEBUG = 0;

# Cause Net::Server parameters 'background' and 'setsid' to be set,
# resulting in the program to detach itself from the terminal
$daemonize = 0;

# Net::Server pre-forking settings - defaults, overruled by amavisd.conf
$max_servers  = 2;   # number of pre-forked children
$max_requests = 10;  # retire a child after that many accepts

$child_timeout = 8*60; # abort child if it does not complete each task in n sec

# Can file be truncated?
# Set to 1 if 'truncate' works (it is XPG4-UNIX standard feature,
#                               not required by Posix).
# Things will go faster with SMTP-in, otherwise (e.g. with milter)
# it makes no difference as file truncation will not be used.
$can_truncate = 1;

# expiration time of cached results: time to live in seconds
# (how long the result of a virus/spam test remains valid)
$virus_check_negative_ttl=  3*60; # time to remember that mail was not infected
$virus_check_positive_ttl= 30*60; # time to remember that mail was infected
$spam_check_negative_ttl = 30*60; # time to remember that mail was not spam
$spam_check_positive_ttl = 30*60; # time to remember that mail was spam
#
# NOTE:
#   Cache size will be determined by the largest of the $*_ttl values.
#   Depending on the mail rate, the cache database may grow quite large.
#   Reasonable compromise for the max value is 15 minutes to 2 hours.

# Customizable notification messages, logging

$SYSLOG_LEVEL = 'mail.debug';

$enable_db = 0;           # load optional modules Amavis::DB & Amavis::DB::SNMP
$enable_global_cache = 0; # enable use of bdb-based Amavis::Cache

# Where to find SQL server(s) and database to support SQL lookups?
# A list of triples: (dsn,user,passw). Specify more than one
# for multiple (backup) SQL servers.
#
#@lookup_sql_dsn =
#   ( ['DBI:mysql:mail:host1', 'some-username1', 'some-password1'],
#     ['DBI:mysql:mail:host2', 'some-username2', 'some-password2'] );

# The SQL select clause to fetch per-recipient policy settings
# The %k will be replaced by a comma-separated list of query addresses
# (e.g. full address, domain only, catchall).  Use ORDER, if there
# is a chance that multiple records will match - the first match wins
# If field names are not unique (e.g. 'id'), the later field overwrites the
# earlier in a hash returned by lookup, which is why we use '*,users.id'.
$sql_select_policy =
  'SELECT *,users.id FROM users,policy'
  . ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'
  . ' ORDER BY users.priority DESC';

# The SQL select clause to check sender in per-recipient whitelist/blacklist
# The first SELECT argument '?' will be users.id from recipient SQL lookup,
# the %k will be sender addresses (e.g. full address, domain only, catchall).
$sql_select_white_black_list =
  'SELECT wb FROM wblist,mailaddr'
  . ' WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id)'
  . '   AND (mailaddr.email IN (%k))'
  . ' ORDER BY mailaddr.priority DESC';

#
# Receiving mail related

# $unix_socketname = '/var/amavis/amavisd.sock'; # traditional amavis client protocol
# $inet_socket_port = 10024;      # accept SMTP on this TCP port
# $inet_socket_port = [10024,10026,10027];  # ...possibly on more than one
$inet_socket_bind = '127.0.0.1';  # limit socket bind to loopback interface

@inet_acl   = qw( 127.0.0.1   ::1 );  # allow SMTP access only from localhost
@mynetworks = qw( 127.0.0.0/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );

$notify_method  = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025';

$virus_quarantine_method        = 'local:virus-%i-%n';
$spam_quarantine_method         = 'local:spam-%b-%i-%n';
$banned_files_quarantine_method = 'local:banned-%i-%n';
$bad_header_quarantine_method   = 'local:badh-%i-%n';

$insert_received_line = 1; # insert 'Received:' header field? (not with milter)
$remove_existing_x_scanned_headers = 0;
$remove_existing_spam_headers      = 1;

# encoding (charset in MIME terminology)
# to be used in RFC 2047-encoded ...
$hdr_encoding = 'iso-8859-1';  # ... header field bodies
$bdy_encoding = 'iso-8859-1';  # ... notification body text

# encoding (encoding in MIME terminology)
$hdr_encoding_qb = 'Q';        # quoted-printable (default)
#$hdr_encoding_qb = 'B';       # base64           (usual for far east charsets)

$smtpd_recipient_limit = 1100; # max recipients (RCPT TO) - sanity limit

# $myhostname is used by SMTP server module in the initial SMTP welcome line,
# in inserted 'Received:' lines, Message-ID in notifications, log entries, ...
$myhostname = (uname)[1];  # should be a FQDN !

$smtpd_greeting_banner = '${helo-name} ${protocol} ${product} service ready';
$smtpd_quit_banner = '${helo-name} ${product} closing transmission channel';

# $localhost_name is the name of THIS host running amavisd
# (typically 'localhost'). It is used in HELO SMTP command
# when reinjecting mail back to MTA via SMTP for final delivery.
$localhost_name = 'localhost';

# @auth_mech_avail = ('PLAIN','LOGIN');   # empty list disables incoming AUTH
#$auth_required_inp = 1;   # incoming SMTP authentication required by amavisd?
#$auth_required_out = 1;   # SMTP authentication required by MTA

# SMTP AUTH username and password for notification submissions
# (and reauthentication of forwarded mail if requested)
#$amavis_auth_user = undef;  # perhaps: 'amavisd'
#$amavis_auth_pass = undef;
#$auth_reauthenticate_forwarded = undef;  # supply our own credentials also
                                          # for forwarded (passed) mail

# whom quarantined messages appear to be sent from (envelope sender)
# $mailfrom_to_quarantine = undef; # original sender if undef, or set explicitly

# where to send quarantined malware
#   Specify undef to disable, or e-mail address containing '@',
#   or just a local part, which will be mapped by %local_delivery_aliases
#   into local mailbox name or directory. The lookup key is a recipient address
$virus_quarantine_to  = 'virus-quarantine';   # %local_delivery_aliases mapped
$banned_quarantine_to = 'banned-quarantine';  # %local_delivery_aliases mapped
$bad_header_quarantine_to = 'bad-header-quarantine'; # %local_delivery_aliases
$spam_quarantine_to   = 'spam-quarantine';    # %local_delivery_aliases mapped

# similar to $spam_quarantine_to, but the lookup key is the sender address
$spam_quarantine_bysender_to = undef;  # dflt: no by-sender spam quarantine

# quarantine directory or mailbox file or empty
#   (only used if $virus_quarantine_to specifies direct local delivery)
$QUARANTINEDIR = undef;  # no quarantine unless overridden by config

$undecipherable_subject_tag = '***UNCHECKED*** ';

# string to prepend to Subject header field when message qualifies as spam
# $sa_spam_subject_tag1  = undef;  # example: '***possible SPAM*** '
# $sa_spam_subject_tag   = undef;  # example: '***SPAM*** '
$sa_spam_modifies_subj = 1;      # true for compatibility; can be a
                                 # lookup table indicating per-recip settings
$sa_spam_level_char = '*';  # character to be used in X-Spam-Level bar;
                            # empty or undef disables adding this header field
# $sa_spam_report_header = undef; # insert X-Spam-Report header field?
$sa_local_tests_only = 0;
$sa_debug = 0;
$sa_timeout = 30;           # timeout in seconds for a call to SpamAssassin

# MIME defanging is only activated when enabled and malware is allowed to pass
# $defang_virus = undef;
# $defang_banned = undef;
# $defang_spam = undef;
# $defang_bad_header = undef;
# $defang_undecipherable = undef;
# $defang_all = undef;

$MIN_EXPANSION_FACTOR =   5;  # times original mail size
$MAX_EXPANSION_FACTOR = 500;  # times original mail size

# See amavisd.conf and README.lookups for details.

# What to do with the message (this is independent of quarantining):
#   Reject:  tell MTA to generate a non-delivery notification,  MTA gets 5xx
#   Bounce:  generate a non-delivery notification by ourselves, MTA gets 250
#   Discard: drop the message and pretend it was delivered,     MTA gets 250
#   Pass:    deliver/accept the message
#
# Bounce and Reject are similar: in both cases sender gets a non-delivery
# notification, either generated by amavisd-new, or by MTA. The notification
# issued by amavisd-new may be more informative, while on the other hand
# MTA may be able to do a true reject on the original SMTP session
# (e.g. with sendmail milter), or else it just generates normal non-delivery
# notification / bounce (e.g. with Postfix, Exim). As a consequence,
# with Postfix and Exim and dual-sendmail setup the Bounce is more informative
# than Reject, but sendmail-milter users may prefer Reject.
#
# Bounce and Discard are similar: in both cases amavisd-new confirms
# to MTA the message reception with success code 250. The difference is
# in sender notification: Bounce sends a non-delivery notification to sender,
# Discard does not, the message is silently dropped. Quarantine and
# admin notifications are not affected by any of these settings.
#
# COMPATIBITITY NOTE: the separation of *_destiny values into
#   D_BOUNCE, D_REJECT, D_DISCARD and D_PASS made settings $warnvirussender
#   and $warnspamsender only still useful with D_PASS. The combination of
#   D_DISCARD + $warn*sender=1 is mapped into D_BOUNCE for compatibility.

# intentionally leave value -1 unassigned for compatibility
sub D_REJECT () { -3 }
sub D_BOUNCE () { -2 }
sub D_DISCARD() {  0 }
sub D_PASS ()   {  1 }

# The following symbolic constants can be used in *destiny settings:
#
# D_PASS     mail will pass to recipients, regardless of contents;
#
# D_DISCARD  mail will not be delivered to its recipients, sender will NOT be
#            notified. Effectively we lose mail (but it will be quarantined
#            unless disabled). Not a decent thing to do for a mailer.
#
# D_BOUNCE   mail will not be delivered to its recipients, a non-delivery
#            notification (bounce) will be sent to the sender by amavisd-new;
#            Exception: bounce (DSN) will not be sent if a virus name matches
#            $viruses_that_fake_sender_maps, or to messages from mailing lists
#            (Precedence: bulk|list|junk), or for spam exceeding
#            spam_dsn_cutoff_level
#
# D_REJECT   mail will not be delivered to its recipients, sender should
#            preferably get a reject, e.g. SMTP permanent reject response
#            (e.g. with milter), or non-delivery notification from MTA
#            (e.g. Postfix). If this is not possible (e.g. different recipients
#            have different tolerances to bad mail contents and not using LMTP)
#            amavisd-new sends a bounce by itself (same as D_BOUNCE).
#
# Notes:
#   D_REJECT and D_BOUNCE are similar, the difference is in who is responsible
#            for informing the sender about non-delivery, and how informative
#            the notification can be (amavisd-new knows more than MTA);
#   With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status
#            notification, colloquially called 'bounce') - depending on MTA;
#            Best suited for sendmail milter, especially for spam.
#   With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the
#            reason for mail non-delivery but unable to reject the original
#            SMTP session, is in position to suppress DSN if considered
#            unsuitable). Best suited for Postfix and other dual-MTA setups.

$final_virus_destiny      = D_DISCARD; # D_REJECT, D_BOUNCE, D_DISCARD, D_PASS
$final_banned_destiny     = D_BOUNCE;  # D_REJECT, D_BOUNCE, D_DISCARD, D_PASS
$final_spam_destiny       = D_BOUNCE;  # D_REJECT, D_BOUNCE, D_DISCARD, D_PASS
$final_bad_header_destiny = D_PASS;    # D_REJECT, D_BOUNCE, D_DISCARD, D_PASS

# If you decide to pass viruses (or spam) to certain users using
# %virus_lovers/@virus_lovers_acl/$virus_lovers_re, (or *spam_lovers*),
# %bypass_virus_checks/@bypass_virus_checks_acl, or $final_virus_destiny=D_PASS
# ($final_spam_destiny=D_PASS), you can set the variable $addr_extension_virus
# ($addr_extension_spam) to some string, and the recipient address will have
# this string appended as an address extension to the local-part of the
# address. This extension can be used by final local delivery agent to place
# such mail in different folders. Leave these variables undefined or empty
# strings to prevent appending address extensions. Setting has no effect
# on users which will not be receiving viruses (spam). Recipients which
# do not match access lists in @local_domains_maps are not affected (i.e.
# non-local recipients).
#
# LDAs usually default to stripping away address extension if no special
# handling for it is specified, so having this option enabled normally
# does no harm, provided the $recipients_delimiter character matches
# the setting at the final MTA's local delivery agent (LDA).
#
# $addr_extension_virus  = 'virus';  # for example
# $addr_extension_spam   = 'spam';
# $addr_extension_banned = 'banned';
# $addr_extension_bad_header = 'badh';

# Delimiter between local part of the recipient address and address extension
# (which can optionally be added, see variables $addr_extension_virus and
# $addr_extension_spam). E.g. recipient address <user@domain.example> gets
# changed to <user+virus@domain.example>.
#
# Delimiter should match equivalent (final) MTA delimiter setting.
# (e.g. for Postfix add 'recipient_delimiter = +' to main.cf).
# Setting it to an empty string or to undef disables this feature
# regardless of $addr_extension_virus and $addr_extension_spam settings.

# $recipient_delimiter = '+';
$replace_existing_extension = 1;   # true: replace ext; false: append ext

# Affects matching of localpart of e-mail addresses (left of '@')
# in lookups: true = case sensitive, false = case insensitive
$localpart_is_case_sensitive = 0;

# first match wins, more specific entries should precede general ones!
# the result may be a string or a ref to a list of strings;
# see also sub decompose_part()
$map_full_type_to_short_type_re = Amavis::Lookup::RE->new(
  [qr/^empty\z/                       => 'empty'],
  [qr/^directory\z/                   => 'dir'],
  [qr/^can't (stat|read)\b/           => 'dat'],  # file(1) diagnostics
  [qr/^cannot open\b/                 => 'dat'],  # file(1) diagnostics
  [qr/^ERROR: Corrupted\b/            => 'dat'],  # file(1) diagnostics
  [qr/can't read magic file|couldn't find any magic files/ => 'dat'],
  [qr/^data\z/                        => 'dat'],

  [qr/^ISO-8859.*\btext\b/            => 'txt'],
  [qr/^Non-ISO.*ASCII\b.*\btext\b/    => 'txt'],
  [qr/^Unicode\b.*\btext\b/i          => 'txt'],
  [qr/^'diff' output text\b/          => 'txt'],
  [qr/^GNU message catalog\b/         => 'mo'],
  [qr/^PGP encrypted data\b/          => 'pgp'],
  [qr/^PGP armored data( signed)? message\b/ => ['pgp','pgp.asc'] ],
  [qr/^PGP armored\b/                 =>        ['pgp','pgp.asc'] ],

### 'file' is a bit too trigger happy to claim something is 'mail text'
# [qr/^RFC 822 mail text\b/           => 'mail'],
  [qr/^(ASCII|smtp|RFC 822) mail text\b/ => 'txt'],

  [qr/^JPEG image data\b/             => 'jpg'],
  [qr/^GIF image data\b/              => 'gif'],
  [qr/^PNG image data\b/              => 'png'],
  [qr/^TIFF image data\b/             => 'tif'],
  [qr/^PCX\b.*\bimage data\b/         => 'pcx'],
  [qr/^PC bitmap data\b/              => 'bmp'],
  [qr/^MP3\b/                         => 'mp3'],
  [qr/^MPEG\b.*\bstream data\b/       => 'mpeg'],
  [qr/^RIFF\b.*\bAVI\b/               => 'avi'],
  [qr/^RIFF\b.*\bWAVE audio\b/        => 'wav'],
  [qr/^Macromedia Flash data\b/       => 'swf'],

  [qr/^HTML document text\b/          => 'html'],
  [qr/^XML document text\b/           => 'xml'],
  [qr/^exported SGML document text\b/ => 'sgml'],
  [qr/^PostScript document text\b/    => 'ps'],
  [qr/^PDF document\b/                => 'pdf'],
  [qr/^Rich Text Format data\b/       => 'rtf'],
  [qr/^Microsoft Office Document\b/   => 'doc'],
  [qr/^LaTeX\b.*\bdocument text\b/    => 'lat'],
  [qr/^TeX DVI file\b/                => 'dvi'],
  [qr/\bdocument text\b/              => 'txt'],
  [qr/^compiled Java class data\b/    => 'java'],
  [qr/^MS Windows 95 Internet shortcut text\b/ => 'url'],

  [qr/^frozen\b/                      => 'F'],
  [qr/^gzip compressed\b/             => 'gz'],
  [qr/^bzip compressed\b/             => 'bz'],
  [qr/^bzip2 compressed\b/            => 'bz2'],
  [qr/^lzop compressed\b/             => 'lzo'],
  [qr/^compress'd/                    => 'Z'],
  [qr/^Zip archive\b/i                => 'zip'],
  [qr/^RAR archive\b/i                => 'rar'],
  [qr/^LHa.*\barchive\b/i             => 'lha'],  # or .lzh
  [qr/^ARC archive\b/i                => 'arc'],
  [qr/^ARJ archive\b/i                => 'arj'],
  [qr/^Zoo archive\b/i                => 'zoo'],
  [qr/^(?:GNU |POSIX )?tar archive\b/i=> 'tar'],
  [qr/^Debian binary package\b/i      => 'deb'], # standard Unix archive (ar)
  [qr/^current ar archive\b/i         => 'a'],   # standard Unix archive (ar)
  [qr/^(?:ASCII )?cpio archive\b/i    => 'cpio'],
  [qr/^RPM\b/                         => 'rpm'],
  [qr/^(Transport Neutral Encapsulation Format|TNEF)\b/i => 'tnef'],
  [qr/^Microsoft cabinet file\b/      => 'cab'],

  [qr/^(uuencoded|xxencoded)\b/i      => 'uue'],
  [qr/^binhex\b/i                     => 'hqx'],
  [qr/^(ASCII|text)\b/i               => 'asc'],
  [qr/^Emacs.*byte-compiled Lisp data/i => 'asc'],  # BinHex with an empty line
  [qr/\bscript text executable\b/     => 'txt'],

  [qr/^MS-DOS\b.*\bexecutable\b/      => ['exe','exe-ms'] ],
  [qr/^MS Windows\b.*\bexecutable\b/  => ['exe','exe-ms'] ],
  [qr/^PA-RISC.*\bexecutable\b/       => ['exe','exe-unix'] ],
  [qr/^ELF .*\bexecutable\b/          => ['exe','exe-unix'] ],
  [qr/^COFF format .*\bexecutable\b/  => ['exe','exe-unix'] ],
  [qr/^executable \(RISC System\b/    => ['exe','exe-unix'] ],
  [qr/^VMS\b.*\bexecutable\b/         => ['exe','exe-vms'] ],

  [qr/\bexecutable\b/i                => 'exe'],
  [qr/^MS Windows\b.*\bDLL\b/         => 'dll'],
  [qr/\bshared object, \b/i           => 'so'],
  [qr/\brelocatable, \b/i             => 'o'],
  [qr/\btext\b/i                      => 'asc'],
  [qr/.*/                             => 'dat'],  # catchall

);

# MS Windows PE 32-bit Intel 80386 GUI executable not relocatable
# MS-DOS executable (EXE), OS/2 or MS Windows
# PA-RISC1.1 executable dynamically linked
# PA-RISC1.1 shared executable dynamically linked
# ELF 64-bit LSB executable, Alpha (unofficial), version 1 (FreeBSD), for FreeBSD 5.0.1, dynamically linked (uses shared libs), stripped
# ELF 64-bit LSB executable, Alpha (unofficial), version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
# ELF 64-bit MSB executable, SPARC V9, version 1 (FreeBSD), for FreeBSD 5.0, dynamically linked (uses shared libs), stripped
# ELF 64-bit MSB shared object, SPARC V9, version 1 (FreeBSD), stripped
# ELF 32-bit LSB executable, Intel 80386, version 1, dynamically`
# ELF 32-bit MSB executable, SPARC, version 1, dynamically linke`
# COFF format alpha executable paged stripped - version 3.11-10
# COFF format alpha executable paged dynamically linked stripped`
# COFF format alpha demand paged executable or object module stripped - version 3.11-10
# COFF format alpha paged dynamically linked not stripped shared`
# executable (RISC System/6000 V3.1) or obj module
# VMS VAX executable

# Define aliase names in this module to make it simpler to call
# these routines from amavisd.conf
*read_text           = \&Amavis::Util::read_text;
*read_l10n_templates = \&Amavis::Util::read_l10n_templates;
*read_hash           = \&Amavis::Util::read_hash;
*ask_daemon          = \&Amavis::AV::ask_daemon;
*sophos_savi         = \&Amavis::AV::ask_sophos_savi;
*ask_clamav          = \&Amavis::AV::ask_clamav;
sub new_RE { Amavis::Lookup::RE->new(@_) }

sub build_default_maps() {
  @local_domains_maps = (
    \%local_domains, \@local_domains_acl, \$local_domains_re);
  @mynetworks_maps = (\@mynetworks);
  @bypass_virus_checks_maps = (
    \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
  @bypass_spam_checks_maps = (
    \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
  @bypass_banned_checks_maps = (
    \%bypass_banned_checks, \@bypass_banned_checks_acl, \$bypass_banned_checks_re);
  @bypass_header_checks_maps = (
    \%bypass_header_checks, \@bypass_header_checks_acl, \$bypass_header_checks_re);
  @virus_lovers_maps = (
    \%virus_lovers, \@virus_lovers_acl, \$virus_lovers_re);
  @spam_lovers_maps = (
    \%spam_lovers, \@spam_lovers_acl, \$spam_lovers_re);
  @banned_files_lovers_maps = (
    \%banned_files_lovers, \@banned_files_lovers_acl, \$banned_files_lovers_re);
  @bad_header_lovers_maps = (
    \%bad_header_lovers, \@bad_header_lovers_acl, \$bad_header_lovers_re);
  @warnvirusrecip_maps  = (\$warnvirusrecip);
  @warnbannedrecip_maps = (\$warnbannedrecip);
  @warnbadhrecip_maps   = (\$warnbadhrecip);
  @virus_admin_maps = (\%virus_admin, \$virus_admin);
  @spam_admin_maps  = (\%spam_admin,  \$spam_admin);
  @virus_quarantine_to_maps = (\$virus_quarantine_to);
  @banned_quarantine_to_maps = (\$banned_quarantine_to);
  @bad_header_quarantine_to_maps = (\$bad_header_quarantine_to);
  @spam_quarantine_to_maps = (\$spam_quarantine_to);
  @spam_quarantine_bysender_to_maps = (\$spam_quarantine_bysender_to);
  @keep_decoded_original_maps = (\$keep_decoded_original_re);
  @map_full_type_to_short_type_maps = (\$map_full_type_to_short_type_re);
  @banned_filename_maps = (\$banned_filename_re);
  @viruses_that_fake_sender_maps = (\$viruses_that_fake_sender_re, 1);
  @spam_tag_level_maps  = (\$sa_tag_level_deflt);
  @spam_tag2_level_maps = (\$sa_tag2_level_deflt);
  @spam_kill_level_maps = (\$sa_kill_level_deflt);
  @spam_dsn_cutoff_level_maps = (\$sa_dsn_cutoff_level);
  @spam_modifies_subj_maps = (\$sa_spam_modifies_subj);
  @spam_subject_tag_maps   = (\$sa_spam_subject_tag1);  # note: inconsistent
  @spam_subject_tag2_maps  = (\$sa_spam_subject_tag);   # note: inconsistent
  @whitelist_sender_maps = (
    \%whitelist_sender, \@whitelist_sender_acl, \$whitelist_sender_re);
  @blacklist_sender_maps = (
    \%blacklist_sender, \@blacklist_sender_acl, \$blacklist_sender_re);
  @score_sender_maps = ();  # new variable, no backwards compatibility needed
  @message_size_limit_maps = ();  # new variable
  @addr_extension_virus_maps  = (\$addr_extension_virus);
  @addr_extension_spam_maps   = (\$addr_extension_spam);
  @addr_extension_banned_maps = (\$addr_extension_banned);
  @addr_extension_bad_header_maps = (\$addr_extension_bad_header);
  @debug_sender_maps = (\@debug_sender_acl);
}

# prepend a lookup table label object for logging purposes
sub label_default_maps() {
  for my $varname (qw(
    @local_domains_maps @mynetworks_maps
    @bypass_virus_checks_maps @bypass_spam_checks_maps
    @bypass_banned_checks_maps @bypass_header_checks_maps
    @virus_lovers_maps @spam_lovers_maps
    @banned_files_lovers_maps @bad_header_lovers_maps
    @warnvirusrecip_maps @warnbannedrecip_maps @warnbadhrecip_maps
    @virus_admin_maps @spam_admin_maps @virus_quarantine_to_maps
    @banned_quarantine_to_maps @bad_header_quarantine_to_maps
    @spam_quarantine_to_maps @spam_quarantine_bysender_to_maps
    @keep_decoded_original_maps @map_full_type_to_short_type_maps
    @banned_filename_maps @viruses_that_fake_sender_maps
    @spam_tag_level_maps @spam_tag2_level_maps @spam_kill_level_maps
    @spam_dsn_cutoff_level_maps @spam_modifies_subj_maps
    @spam_subject_tag_maps @spam_subject_tag2_maps
    @whitelist_sender_maps @blacklist_sender_maps @score_sender_maps
    @message_size_limit_maps
    @addr_extension_virus_maps @addr_extension_spam_maps
    @addr_extension_banned_maps @addr_extension_bad_header_maps
    @debug_sender_maps ))
  {
    my($g) = $varname; $g =~ s{\@}{Amavis::Conf::};  # qualified variable name
    my($label) = $varname; $label=~s/^\@//; $label=~s/_maps$//;
    { no strict 'refs';
      unshift(@$g,  # NOTE: a symbolic reference
              Amavis::Lookup::Label->new($label))  if @$g;  # no label if empty
    }
  }
}

# read and evaluate configuration file
sub read_config($) {
  my($config_file) = @_;
  my($msg);
  my($errn) = stat($config_file) ? 0 : 0+$!;
  if    ($errn == ENOENT) { $msg = "does not exist" }
  elsif ($errn)      { $msg = "inaccessible: $!" }
  elsif (!-f _)      { $msg = "not a regular file" }
  elsif (!-r _)      { $msg = "not readable" }
  elsif ($> && -o _) { $msg = "is owned by EUID $>, should be owned by root" }
  elsif ($> && -w _) { $msg = "is writable by EUID $>, EGID $)" }
  if (defined $msg) { die "Config file $config_file $msg" }
  do $config_file;
  if ($@ ne '') { die "Error in config file $config_file: $@" }
  # some sensible defaults for essential settings
  $TEMPBASE     = $MYHOME                   if !defined $TEMPBASE;
  $helpers_home = $MYHOME                   if !defined $helpers_home;
  $db_home      = "$MYHOME/db"              if !defined $db_home;
  $lock_file    = "$MYHOME/amavisd.lock"    if !defined $lock_file;
  $pid_file     = "$MYHOME/amavisd.pid"     if !defined $pid_file;

  $X_HEADER_TAG = 'X-Virus-Scanned'               if !defined $X_HEADER_TAG;
  $X_HEADER_LINE= "$myproduct_name at $mydomain"  if !defined $X_HEADER_LINE;

  my($pname) = "\"Content-filter at $myhostname\"";
  $hdrfrom_notify_sender = "$pname <postmaster\@$myhostname>"
    if !defined $hdrfrom_notify_sender;
  $hdrfrom_notify_recip = $mailfrom_notify_recip ne ''
    ? "$pname <$mailfrom_notify_recip>"
    : $hdrfrom_notify_sender  if !defined $hdrfrom_notify_recip;
  $hdrfrom_notify_admin = $mailfrom_notify_admin ne ''
    ? "$pname <$mailfrom_notify_admin>"
    : $hdrfrom_notify_sender  if !defined $hdrfrom_notify_admin;
  $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin ne ''
    ? "$pname <$mailfrom_notify_spamadmin>"
    : $hdrfrom_notify_sender  if !defined $hdrfrom_notify_spamadmin;

  # compatibility with deprecated $warn*sender and old *_destiny values
  # map old values <0, =0, >0 into D_REJECT/D_BOUNCE, D_DISCARD, D_PASS
  for ($final_virus_destiny, $final_banned_destiny, $final_spam_destiny) {
    if ($_ > 0) { $_ = D_PASS }
    elsif ($_ < 0 && $_ != D_BOUNCE && $_ != D_REJECT) {  # compatibility
      # favour Reject with sendmail milter, Bounce with others
      $_ = c('forward_method') eq '' ? D_REJECT : D_BOUNCE;
    }
  }
  if ($final_virus_destiny == D_DISCARD && c('warnvirussender') )
    { $final_virus_destiny = D_BOUNCE }
  if ($final_spam_destiny == D_DISCARD && c('warnspamsender') )
    { $final_spam_destiny = D_BOUNCE }
  if ($final_banned_destiny == D_DISCARD && c('warnbannedsender') )
    { $final_banned_destiny = D_BOUNCE }
  if ($final_bad_header_destiny == D_DISCARD && c('warnbadhsender') )
    { $final_bad_header_destiny = D_BOUNCE }
}

1;

#
package Amavis::Lock;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  @EXPORT = qw(&lock &unlock);
}
use Fcntl qw(LOCK_SH LOCK_EX LOCK_UN);

use subs @EXPORT;

sub lock($) {
  my($file_handle) = @_;
  flock($file_handle, LOCK_EX) or die "Can't lock $file_handle: $!";
  # NOTE: a lock is on a file, not on a file handle
}

sub unlock($) {
  my($file_handle) = @_;
  flock($file_handle, LOCK_UN) or die "Can't unlock $file_handle: $!";
}

1;

#
package Amavis::Log;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  %EXPORT_TAGS = ();
  @EXPORT = ();
  @EXPORT_OK = qw(&init &write_log);
}
use subs @EXPORT_OK;

use POSIX qw(locale_h strftime);
use Unix::Syslog qw(:macros :subs);
use IO::File ();
use File::Basename;

BEGIN {
  import Amavis::Conf qw(:platform $myversion $myhostname $daemon_user);
  import Amavis::Lock;
}

use vars qw($loghandle);  # log file handle
use vars qw($myname);
use vars qw($syslog_facility $syslog_priority %syslog_priority);
use vars qw($log_to_stderr $do_syslog $logfile);

sub init($$$$$) {
  my($ident, $syslog_level);
  ($ident, $log_to_stderr, $do_syslog, $syslog_level, $logfile) = @_;

  # Avoid taint bug in some versions of Perl (likely in 5.004, 5.005).
  # The 5.6.1 is fine. To test, run this one-liner:
  #   perl -Te '"$0 $$"; $r=$$; print eval{kill(0,$$);1}?"OK\n":"BUG\n"'
  $myname = $0;
# $myname = $1  if basename($0) =~ /^(.*)\z/;

  if ($syslog_level =~ /^\s*([a-z0-9]+)\.([a-z0-9]+)\s*\z/i) {
    $syslog_facility = eval("LOG_\U$1");
    $syslog_priority = eval("LOG_\U$2");
  }
  $syslog_facility = LOG_DAEMON   if $syslog_facility !~ /^\d+\z/;
  $syslog_priority = LOG_WARNING  if $syslog_priority !~ /^\d+\z/;
  if ($do_syslog) {
    openlog($ident, LOG_PID, $syslog_facility);
  } elsif ($logfile eq '') {
    die 'No $LOGFILE is specified (and not logging via syslog)';
  } else {
    $loghandle = IO::File->new($logfile,'>>')
      or die "Failed to open log file $logfile: $!";
    $loghandle->autoflush(1);
    my($uid) = $daemon_user=~/^(\d+)$/ ? $1 : (getpwnam($daemon_user))[2];
    if ($> == 0 && $uid) {
      chown($uid,-1,$logfile)
        or die "Can't chown logfile $logfile to $uid: $!";
    }
  }
  my($msg) = "starting.  $myname at $myhostname $myversion";
  $msg .= ", eol=\"$eol\""            if $eol ne "\n";
  $msg .= ", Unicode aware"           if $unicode_aware;
  $msg .= ", LC_ALL=$ENV{LC_ALL}"     if $ENV{LC_ALL}   ne '';
  $msg .= ", LC_TYPE=$ENV{LC_TYPE}"   if $ENV{LC_TYPE}  ne '';
  $msg .= ", LC_CTYPE=$ENV{LC_CTYPE}" if $ENV{LC_CTYPE} ne '';
  $msg .= ", LANG=$ENV{LANG}"         if $ENV{LANG}     ne '';
  write_log(0, $msg, undef);
}

# Log either to syslog or a file
sub write_log($$$) {
  my($level,$errmsg,$am_id) = @_;

  my($old_locale) = setlocale(LC_TIME,"C");  # English dates required!
  my($really_log_to_stderr) = $log_to_stderr || (!$do_syslog && !$loghandle);
  my($prefix) = '';
  if ($really_log_to_stderr || !$do_syslog) {  # create syslog-like prefix
    $prefix = sprintf("%s %s %s[%s]: ",
              strftime("%b %e %H:%M:%S", localtime), $myhostname, $myname, $$);
  }
  $am_id = "($am_id) "  if defined $am_id;
  $errmsg = Amavis::Util::sanitize_str($errmsg);
# if (length($errmsg) > 2000) {  # crop at some arbitrary limit (< LINE_MAX)
#   $errmsg = substr($errmsg,0,2000) . "...";
# }
  if ($really_log_to_stderr) {
    print STDERR $prefix, $am_id, $errmsg, $eol;
  } elsif ($do_syslog) {
    my($prio) = $syslog_priority;  # never go below this priority level
    # syslog priorities: DEBUG, INFO, NOTICE, WARNING, ERR, CRIT, ALERT, EMERG
    if    ($level <= -3) { $prio = LOG_CRIT    if $prio > LOG_CRIT    }
    elsif ($level <= -2) { $prio = LOG_ERR     if $prio > LOG_ERR     }
    elsif ($level <= -1) { $prio = LOG_WARNING if $prio > LOG_WARNING }
    elsif ($level <=  0) { $prio = LOG_NOTICE  if $prio > LOG_NOTICE  }
    elsif ($level <=  2) { $prio = LOG_INFO    if $prio > LOG_INFO    }
    else                 { $prio = LOG_DEBUG   if $prio > LOG_DEBUG   }
    my($pre) = '';
    my($logline_size) = 980;  # less than  (1023 - prefix)
    while (length($am_id . $pre . $errmsg) > $logline_size) {
      my($avail) = $logline_size - length($am_id . $pre . "...");
      syslog($prio, "%s", $am_id . $pre . substr($errmsg,0,$avail) . "...");
      $pre = "...";
      $errmsg = substr($errmsg, $avail);
    }
    syslog($prio, "%s", $am_id . $pre . $errmsg);
  } else {
    lock($loghandle);
    seek($loghandle,0,2) or die "Can't position log file to its tail: $!";
    print $loghandle $prefix, $am_id, $errmsg, $eol;
    unlock($loghandle);
  }
  setlocale(LC_TIME, $old_locale);
}

1;

#
package Amavis::Timing;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  %EXPORT_TAGS = ();
  @EXPORT = ();
  @EXPORT_OK = qw(&init &section_time &report &get_time_so_far);
}
use subs @EXPORT_OK;

use Time::HiRes ();

use vars qw(@timing);

# clear array @timing and enter start time
sub init() {
  @timing = (); section_time('init');
}

# enter current time reading into array @timing
sub section_time($) {
  push(@timing,shift,Time::HiRes::time);
}

# returns a string - a report of elapsed time by section
sub report() {
  section_time('rundown');
  my($notneeded, $t0) = (shift(@timing), shift(@timing));
  my($total) = $t0 <= 0 ? 0 : $timing[$#timing] - $t0;
  if ($total < 0.0000001) { $total = 0.0000001 }
  my(@sections);
  while (@timing) {
    my($section, $t) = (shift(@timing), shift(@timing));
    my($dt) = $t-$t0;
    $dt = 0  if $dt < 0;  # just in case (clock jumps)
    my($dtp) = $dt > $total ? 100 : $dt*100.0/$total;
    push(@sections, sprintf("%s: %.0f (%.0f%%)", $section, $dt*1000, $dtp));
    $t0 = $t;
  }
  sprintf("TIMING [total %.0f ms] - %s", $total * 1000, join(", ",@sections));
}

# returns value in seconds of elapsed time for processing of this mail so far
sub get_time_so_far() {
  my($notneeded, $t0) = @timing;
  my($total) = $t0 <= 0 ? 0 : Time::HiRes::time - $t0;
  $total < 0 ? 0 : $total;
}

use vars qw($t_was_busy $t_busy_cum $t_idle_cum $t0);

sub idle_proc(@) {
  my($t1) = Time::HiRes::time;
  if (defined $t0) {
    ($t_was_busy ? $t_busy_cum : $t_idle_cum) += $t1 - $t0;
    Amavis::Util::ll(5) && Amavis::Util::do_log(5,
      sprintf("idle_proc, @_: was %s, %.1f ms, total idle %.3f s, busy %.3f s",
        $t_was_busy ? "busy" : "idle", 1000 * ($t1 - $t0),
        $t_idle_cum, $t_busy_cum));
  }
  $t0 = $t1;
}

sub go_idle(@) {
  if ($t_was_busy) { idle_proc(@_); $t_was_busy = 0 }
}

sub go_busy(@) {
  if (!$t_was_busy) { idle_proc(@_); $t_was_busy = 1 }
}

sub report_load() {
  return  if $t_busy_cum + $t_idle_cum <= 0;
  Amavis::Util::do_log(3, sprintf(
     "load: %.0f %%, total idle %.3f s, busy %.3f s",
     100*$t_busy_cum / ($t_busy_cum + $t_idle_cum), $t_idle_cum, $t_busy_cum));
}

1;

#
package Amavis::Util;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  %EXPORT_TAGS = ();
  @EXPORT = ();
  @EXPORT_OK = qw(&untaint &min &max &safe_encode &q_encode
                  &snmp_count &snmp_counters_init &snmp_counters_get
                  &am_id &new_am_id &ll &do_log &debug_oneshot
                  &retcode &exit_status_str &prolong_timer &sanitize_str
                  &strip_tempdir &rmdir_recursively
                  &read_text &read_l10n_templates &read_hash
                  &run_command &run_command_consumer);
}
use subs @EXPORT_OK;
use POSIX qw(WIFEXITED WIFSIGNALED WIFSTOPPED
             WEXITSTATUS WTERMSIG WSTOPSIG);
use Errno qw(ENOENT);
use Digest::MD5;
# use Encode;  # Perl 5.8  UTF-8 support
# use Encode::CN;  # example: explicitly load Chinese module

BEGIN {
  import Amavis::Conf qw(:platform $DEBUG c cr ca);
  import Amavis::Log qw(write_log);
  import Amavis::Timing qw(section_time);
}

# Return untainted copy of a string (argument can be a string or a string ref)
sub untaint($) {
  no re 'taint';
  my($str);
  local($1);  # avoid Perl taint bug: tainted global $1 propagates taintedness
  $str = $1  if (ref($_[0]) ? ${$_[0]} : $_[0]) =~ /^(.*)\z/s;
  $str;
}

# Returns the smallest number from the list, or undef
sub min(@) {
  my($r) = @_ == 1 && ref($_[0]) ? $_[0] : \@_;  # accept list, or a list ref
  my($m);  for (@$r) { $m = $_  if defined $_ && (!defined $m || $_ < $m) }
  $m;
}

# Returns the largest number from the list, or undef
sub max(@) {
  my($r) = @_ == 1 && ref($_[0]) ? $_[0] : \@_;  # accept list, or a list ref
  my($m);  for (@$r) { $m = $_  if defined $_ && (!defined $m || $_ > $m) }
  $m;
}

# A wrapper for Encode::encode, avoiding a bug in Perl 5.8.0 which causes
# Encode::encode to loop and fill memory when given a tainted string
sub safe_encode($$;$) {
  if (!$unicode_aware) { $_[1] }  # just return the second argument
  else {
    my($encoding,$str,$check) = @_;
    $check = 0  if !defined($check);
    my($taint) = substr($str,0,0);     # taintedness of the string
    $taint . Encode::encode($encoding,untaint($str),$check);  # reattach taint
  }
}

# Do the Q-encoding manually, the MIME::Words::encode_mimeword does not
# encode spaces and does not limit to 75 ch, which violates the RFC 2047
sub q_encode($$$) {
  my($octets,$encoding,$charset) = @_;
  my($prefix) = '=?' . $charset . '?' . $encoding . '?';
  my($suffix) = '?='; local($1,$2,$3);
  # FWS | utext (= NO-WS-CTL|rest of US-ASCII)
  $octets =~ /^ ( [\001-\011\013\014\016-\177]* [ \t] )?  (.*?)
                ( [ \t] [\001-\011\013\014\016-\177]* )? \z/sx;
  my($head,$rest,$tail) = ($1,$2,$3);
  # Q-encode $rest according to RFC 2047
  # more restricted than =?_ so that it may be used in 'phrase'
  $rest =~ s{([^ 0-9a-zA-Z!*/+-])}{sprintf('=%02X',ord($1))}egs;
  $rest =~ tr/ /_/;   # turn spaces into _ (rfc2047 allows it)
  my($s) = $head; my($len) = 75 - (length($prefix)+length($suffix)) - 2;
  while ($rest ne '') {
    $s .= ' '  if $s !~ /[ \t]\z/;  # encoded words must be separated by FWS
    $rest =~ /^ ( .{0,$len} [^=] (?: [^=] | \z ) ) (.*) \z/sx;
    $s .= $prefix.$1.$suffix; $rest = $2;
  }
  $s.$tail;
}

# Set or get Amavis internal message id.
# This message id performs a similar function to queue-id in MTA responses.
# It may only be used in generating text part of SMTP responses,
# or in generating log entries.
use vars qw($amavis_task_id);  # internal message id (accessible via &am_id)

sub am_id(;$) {
  if (@_) {                    # set, if argument present
    $amavis_task_id = shift;
    $0 = "amavisd ($amavis_task_id)";
  }
  $amavis_task_id;             # return current value
}

sub new_am_id($;$$) {
  my($str, $cnt, $seq) = @_;
  my($id);
# my($ctx) = Digest::MD5->new; # 128 bits (32 hex digits)
# $ctx->add($str.$$);
# $id = substr($ctx->hexdigest, 0, 6);
  $id = defined $str ? $str : sprintf("%05d", $$);
  $id .= sprintf("-%02d", $cnt)  if defined $cnt;
  $id .= "-$seq"  if $seq > 1;
  am_id($id);
}

use vars qw(@counter_names);
# elements may be counter names (increment is 1), or pairs: [name,increment]
sub snmp_counters_init() { @counter_names = () }
sub snmp_count(@) { push(@counter_names, @_) }
sub snmp_counters_get() { \@counter_names }

use vars qw($debug_oneshot);
sub debug_oneshot(;$$) {
  if (@_) {
    my($new_debug_oneshot) = shift;
    if (($new_debug_oneshot ? 1 : 0) != ($debug_oneshot ? 1 : 0)) {
      do_log(0, "DEBUG_ONESHOT: TURNED ".($new_debug_oneshot ? "ON" : "OFF"));
      do_log(0, shift)  if @_;  # caller-provided extra log entry, usually
                                # the one that caused debug_oneshot call
    }
    $debug_oneshot = $new_debug_oneshot;
  }
  $debug_oneshot;
}

# is a message log level below the current log level?
sub ll($) {
  my($level) = @_;
  $level = 0  if $level > 0 && ($DEBUG || $debug_oneshot);
  $level <= c('log_level');
}

# write log entry
sub do_log($$) {
  my($level, $errmsg) = @_;
  if (ll($level)) {
    $level = 0  if $level > 0 && ($DEBUG || $debug_oneshot);
    write_log($level, $errmsg, am_id());
  }
}

sub retcode($) {  # (this subroutine is being phased out)
  my $code = shift;
  return WEXITSTATUS($code)    if WIFEXITED($code);
  return 128 + WTERMSIG($code) if WIFSIGNALED($code);
  return 255;
}

sub exit_status_str($;$) {
  my($stat,$err) = @_; my($str);
  if (WIFEXITED($stat)) {
    $str = sprintf("exit %d", WEXITSTATUS($stat));
  } elsif (WIFSTOPPED($stat)) {
    $str = sprintf("stopped, signal %d", WSTOPSIG($stat));
  } else {
    $str = sprintf("DIED on signal %d (%04x)", WTERMSIG($stat),$stat);
  }
  $str .= ', '.$err  if $err ne '';
  $str;
}

sub prolong_timer($;$) {
  my($which_section, $child_remaining_time) = @_;
  if (!defined($child_remaining_time)) {
    $child_remaining_time = alarm(0);  # check how much time is left
  }
  do_log(4, "prolong_timer after $which_section: "
            . "remaining time = $child_remaining_time s");
  $child_remaining_time = 60  if $child_remaining_time < 60;
  alarm($child_remaining_time);        # restart/prolong the timer
}

# Mostly for debugging and reporting purposes:
# Convert nonprintable characters in the argument
# to \[rnftbe], or \octal code, and '\' to '\\',
# and Unicode characters to \x{xxxx}, returning the sanitized string.
sub sanitize_str {
  my($str, $keep_eol) = @_;
  my(%map) = ("\r" => '\\r', "\n" => '\\n', "\f" => '\\f', "\t" => '\\t',
              "\b" => '\\b', "\e" => '\\e', "\\" => '\\\\');
  if ($keep_eol) {
    $str =~ s/([^\012\040-\133\135-\176])/  # and \240-\376 ?
              exists($map{$1}) ? $map{$1} :
                     sprintf(ord($1)>255 ? '\\x{%04x}' : '\\%03o', ord($1))/eg;
  } else {
    $str =~ s/([^\040-\133\135-\176])/      # and \240-\376 ?
              exists($map{$1}) ? $map{$1} :
                     sprintf(ord($1)>255 ? '\\x{%04x}' : '\\%03o', ord($1))/eg;
  }
  $str;
}

# Checks tempdir after being cleaned.
# It may only contain subdirectory 'parts' and file email.txt, nothing else.
#
sub check_tempdir($) {
  my($dir) = shift;
  local(*DIR); my($f);
  opendir(DIR,$dir) or die "Can't open directory $dir: $!";
  while (defined($f = readdir(DIR))) {
    if (!-d ("$dir/$f")) {
      die "Unexpected file $dir/$f"  if $f ne 'email.txt';
    } elsif ($f eq '.' || $f eq '..' || $f eq 'parts') {
    } else {
      die "Unexpected subdirectory $dir/$f";
    }
  }
  closedir(DIR) or die "Can't close directory $dir: $!";
  1;
}

# Remove all files and subdirectories from the temporary directory, leaving
# only the directory itself, file email.txt, and empty subdirectory ./parts .
# Leaving directories for reuse represents an important saving in time,
# as directory creation + deletion is quite an expensive operation,
# requiring atomic file system operation, including flushing buffers to disk.
#
sub strip_tempdir($) {
  my($dir) = shift;
  do_log(4, "strip_tempdir: $dir");
  my($errn) = lstat("$dir/parts") ? 0 : 0+$!;
  if ($errn != ENOENT) {
    if    ( -l _) { die "strip_tempdir: $dir/parts is a symbolic link" }
    elsif (!-d _) { die "strip_tempdir: $dir/parts is not a directory" }
    rmdir_recursively("$dir/parts", 1);
  }
  # All done. Check for any remains in the top directory just in case
  check_tempdir($dir);
  1;
}

#
# Removes a directory, along with its contents
sub rmdir_recursively($;$);  # prototype
sub rmdir_recursively($;$) {
  my($dir, $exclude_itself) = @_;
  do_log(4, "rmdir_recursively: $dir, excl=$exclude_itself");
  local(*DIR); my($f); my($cnt) = 0;
  opendir(DIR,$dir) or die "Can't open directory $dir: $!";
  while (defined($f = readdir(DIR))) {
    my($msg);
    my($errn) = lstat("$dir/$f") ? 0 : 0+$!;
    if    ($errn == ENOENT) { $msg = "does not exist" }
    elsif ($errn)           { $msg = "inaccessible: $!" }
    if (defined $msg) { die "rmdir_recursively: \"$dir/$f\" $msg" }
    next  if ($f eq '.' || $f eq '..') && -d _;
    $f = untaint($f);
    if (-d _) {
      rmdir_recursively("$dir/$f", 0);
    } else {
      $cnt++;
      unlink("$dir/$f") or die "Can't remove file $dir/$f: $!";
    }
  }
  closedir(DIR) or die "Can't close directory $dir: $!";
  section_time("unlink-$cnt-files");
  if (!$exclude_itself) {
    rmdir($dir) or die "Can't remove directory $dir: $!";
    section_time('rmdir');
  }
  1;
}

# read a multiline string from file - may be called from amavisd.conf
sub read_text($;$) {
  my($filename, $encoding) = @_;
  my($inp) = IO::File->new;
  $inp->open($filename,'<') or die "Can't open file $filename for reading: $!";
  if ($unicode_aware && $encoding ne '') {
    binmode($inp, ":encoding($encoding)")
      or die "Can't set :encoding($encoding) on file $filename: $!";
  }
  my($str) = '';  # must not be undef, work around a Perl UTF8 bug
  while (<$inp>) { $str .= $_ }
  $inp->close or die "Can't close $filename: $!";
  $str;
}

# attempt to read all user-visible replies from a l10n dir
# This function auto-fills $notify_sender_templ, $notify_virus_sender_templ,
# $notify_virus_admin_templ, $notify_virus_recips_templ,
# $notify_spam_sender_templ and $notify_spam_admin_templ from files named
# template-dsn.txt, template-virus-sender.txt, template-virus-admin.txt,
# template-virus-recipient.txt, template-spam-sender.txt,
# template-spam-admin.txt.  If this is available, it uses the charset
# file to do automatic charset conversion. Used by the Debian distribution.
sub read_l10n_templates($;$) {
  my($dir) = @_;
  if (@_ > 1)  # compatibility with Debian
    { my($l10nlang, $l10nbase) = @_; $dir = "$l10nbase/$l10nlang" }
  my($file_chset) = Amavis::Util::read_text("$dir/charset");
  if ($file_chset =~ m{^(?:#[^\n]*\n)*([^./\n\s]+)(\s*[#\n].*)?$}s) {
    $file_chset = untaint($1);
  } else {
    die "Invalid charset $file_chset\n";
  }
  $Amavis::Conf::notify_sender_templ =
    Amavis::Util::read_text("$dir/template-dsn.txt", $file_chset);
  $Amavis::Conf::notify_virus_sender_templ =
    Amavis::Util::read_text("$dir/template-virus-sender.txt", $file_chset);
  $Amavis::Conf::notify_virus_admin_templ =
    Amavis::Util::read_text("$dir/template-virus-admin.txt", $file_chset);
  $Amavis::Conf::notify_virus_recips_templ =
    Amavis::Util::read_text("$dir/template-virus-recipient.txt", $file_chset);
  $Amavis::Conf::notify_spam_sender_templ =
    Amavis::Util::read_text("$dir/template-spam-sender.txt", $file_chset);
  $Amavis::Conf::notify_spam_admin_templ =
    Amavis::Util::read_text("$dir/template-spam-admin.txt", $file_chset);
}

#use CDB_File;
#sub tie_hash($$) {
# my($hashref, $filename) = @_;
# CDB_File::create(%$hashref, $filename, "$filename.tmp$$")
#   or die "Can't create cdb $filename: $!";
# my($cdb) = tie(%$hashref,'CDB_File',$filename)
#   or die "Tie to $filename failed: $!";
# $hashref;
#}

# read a lookup hash from file - may be called from amavisd.conf .
#
# Format: one key per line, anything from '#' to the end of line
# is considered a comment, but '#' within correctly quoted rfc2821
# addresses is not treated as a comment (e.g. a hash sign within
# "strange # \"foo\" address"@example.com is part of the string).
# Lines may contain a pair: key value, separated by whitespace, or key only,
# in which case a value 1 is implied. Trailing whitespace is discarded,
# empty lines (containing only whitespace and comment) are ignored.
# Addresses (lefthand-side) are converted from rfc2821-quoted form
# into internal (raw) form and inserted as keys into a given hash.
# NOTE: the format is partly compatible with Postfix maps (not aliases):
#   no continuation lines are honoured, Postfix maps do not allow
#   rfc2821-quoted addresses containing whitespace, Postfix only allow
#   comments starting at the beginning of the line.
#
# The $hashref argument is returned for convenience, so that one can do
# for example:
#   $per_recip_whitelist_sender_lookup_tables = {
#     '.my1.example.com' => read_hash({},'/var/amavis/my1-example-com.wl'),
#     '.my2.example.com' => read_hash({},'/var/amavis/my2-example-com.wl') }
# or even simpler:
#   $per_recip_whitelist_sender_lookup_tables = {
#     '.my1.example.com' => read_hash('/var/amavis/my1-example-com.wl'),
#     '.my2.example.com' => read_hash('/var/amavis/my2-example-com.wl') }
#
sub read_hash(@) {
  unshift(@_,{})  if !ref $_[0];  # first argument is optional, defaults to {}
  my($hashref, $filename, $keep_case) = @_;
  my($lpcs) = c('localpart_is_case_sensitive');
  my($inp) = IO::File->new;
  $inp->open($filename,'<') or die "Can't open file $filename for reading: $!";
  while (<$inp>) {  # carefully handle comments, '#' within "" does not count
    chomp;
    my($lhs) = ''; my($rhs) = ''; my($at_rhs) = 0;
    for my $t ( /\G ( " (?: \\. | [^"\\] )* " |
                      [^#" \t]+ | [ \t]+ | . )/gcsx) {
      last  if $t eq '#';
      if (!$at_rhs && $t =~ /^[ \t]+\z/) { $at_rhs = 1 }
      else { ($at_rhs ? $rhs : $lhs) .= $t }
    }
    $rhs =~ s/[ \t]+\z//;  # trim trailing whitespace
    next  if $lhs eq '' && $rhs eq '';
    my($addr) = Amavis::rfc2821_2822_Tools::unquote_rfc2821_local($lhs);
    my($localpart,$domain) = Amavis::rfc2821_2822_Tools::split_address($addr);
    $localpart = lc($localpart)  if !$lpcs;
    $addr = $localpart . lc($domain);
    $hashref->{$addr} = $rhs eq '' ? 1 : $rhs;
    # do_log(5, "read_hash: address: <$addr>: ".$hashref->{$addr});
  }
  $inp->close or die "Can't close $filename: $!";
  $hashref;
}

# Run specified command as a subprocess (like qx operator, but more careful
# with error reporting and cancels :utf8 mode). Return a file handle open
# for reading from the subprocess. Use IO::Handle to ensure the subprocess
# will be automatically reclaimed in case of failure.
#
sub run_command($$@) {
  my($stdin_from, $stderr_to, $cmd, @args) = @_;
  my($cmd_text) = join(' ', $cmd, @args);
  $stdin_from = '/dev/null'  if $stdin_from eq '';
  my($msg) = join(' ', $cmd, @args, "<$stdin_from");
  $msg .= " 2>$stderr_to"  if $stderr_to ne '';
  my($pid); my($proc_fh) = IO::File->new;
  eval { $pid = $proc_fh->open('-|') };  # fork, catching errors
  if ($@ ne '') { chomp($@); die "run_command (open pipe): $@" }
  defined($pid) or die "run_command: can't fork: $!";
  if (!$pid) {                           # child
    eval {  # must not use die in forked process, or we end up with
            # two running daemons! Close unneeded files.
#     use Devel::Symdump ();
#     my($dumpobj) = Devel::Symdump->rnew;
#     for my $k ($dumpobj->ios) {
#       no strict 'refs';
#       my($fn) = fileno($k);
#       if ($fn == 1 || $fn == 2) {
#         do_log(2,sprintf("KEEPING %s, fileno=%s", $k, $fn));
#       } else {
#         $! = undef; close(*{$k}{IO}) and do_log(0, "DID CLOSE $k (fileno=$fn)");
#       }
#     }
      close(STDIN)       or die "Can't close STDIN: $!";
      close(main::stdin) or die "Can't close main::stdin: $!";
      open(STDIN, "<$stdin_from")
        or die "Can't reopen STDIN on $stdin_from: $!";
      fileno(STDIN) == 0 or die ("run_command: STDIN not fd0: ".fileno(STDIN));
      if ($stderr_to ne '') {
        close(STDERR) or die "Can't close STDERR: $!";
        open(STDERR, ">$stderr_to")
          or die "Can't open STDERR to $stderr_to: $!";
        fileno(STDERR) == 2
          or die ("run_command: STDERR not fd2: ".fileno(STDERR));
      }
      # BEWARE of Perl older that 5.6.0: sockets and pipes were not FD_CLOEXEC
      { no warnings;
        exec {$cmd} ($cmd,@args) or die "Failed to exec $cmd_text: $!";
      }
    };
    chomp($@);
    do_log(-2,"run_command: child process [$$]: $@\n");
    { no warnings;
      kill('TERM',$$)  # must not exit, we have to avoid DESTROY handlers
        or do_log(-3,"run_command: TROUBLE - Panic1, can't die: $!");
      # still kicking? die!
      exec('/usr/bin/false'); exec('/bin/false'); exec('false'); exec('true');
      do_log(-3,"run_command: TROUBLE - Panic2, can't die");
      exit 1;                  # better safe than sorry
                               # NOTREACHED
    }
  }
  # parent
  do_log(5,"run_command: [$pid] $msg");
  binmode($proc_fh) or die "Can't set pipe to binmode: $!";  # dflt Perl 5.8.1
  ($proc_fh, $pid);  # return pipe file handle to the subprocess and its PID
}

# Run specified command as a subprocess. Return a file handle open for
# WRITING to the subprocess. Use IO::Handle to ensure the subprocess
# will be automatically reclaimed in case of failure.
#
sub run_command_consumer($$@) {
  my($stdout_to, $stderr_to, $cmd, @args) = @_;
  my($cmd_text) = join(' ', $cmd, @args);
  $stdout_to = '/dev/null'  if $stdout_to eq '';
  my($msg) = join(' ', $cmd, @args, ">$stdout_to");
  $msg .= " 2>$stderr_to"  if $stderr_to ne '';
  my($pid); my($proc_fh) = IO::File->new;
  eval { $pid = $proc_fh->open('|-') };  # fork, catching errors
  if ($@ ne '') { chomp($@); die "run_command_consumer (open pipe): $@" }
  defined($pid) or die "run_command_consumer: can't fork: $!";
  if (!$pid) {                           # child
    eval {  # must not use die in forked process, or we end up with
            # two running daemons! Close unneeded files.
      close(main::stderr) or die "Can't close main::stderr: $!";
      close(main::stdout) or die "Can't close main::stdout: $!";
      close(main::STDOUT) or die "Can't close main::STDOUT: $!";
      open(STDOUT, ">$stdout_to")
        or die "Can't reopen STDOUT on $stdout_to: $!";
      fileno(STDOUT) == 1
        or die ("run_command_consumer: STDOUT not fd1: ".fileno(STDOUT));
      if ($stderr_to ne '') {
        close(STDERR) or die "Can't close STDERR: $!";
        open(STDERR, ">$stderr_to")
          or die "Can't open STDERR to $stderr_to: $!";
        fileno(STDERR) == 2
          or die ("run_command_consumer: STDERR not fd2: ".fileno(STDERR));
      }
      # BEWARE of Perl older that 5.6.0: sockets and pipes were not FD_CLOEXEC
      { no warnings;
        exec {$cmd} ($cmd,@args) or die "Failed to exec $cmd_text: $!";
      }
    };
    chomp($@);
    do_log(-2,"run_command_consumer: child process [$$]: $@\n");
    { no warnings;
      kill('TERM',$$)  # must not exit, we have to avoid DESTROY handlers
        or do_log(-3,"run_command_consumer: TROUBLE - Panic1, can't die: $!");
      # still kicking? die!
      exec('/usr/bin/false'); exec('/bin/false'); exec('false'); exec('true');
      do_log(-3,"run_command_consumer: TROUBLE - Panic2, can't die");
      exit 1;                  # better safe than sorry
                               # NOTREACHED
    }
  }
  # parent
  do_log(5,"run_command_consumer: [$pid] $msg");
  binmode($proc_fh) or die "Can't set pipe to binmode: $!";  # dflt Perl 5.8.1
  ($proc_fh, $pid);  # return pipe file handle to the subprocess and its PID
}

1;

#
package Amavis::rfc2821_2822_Tools;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  %EXPORT_TAGS = ();
  @EXPORT = qw(
    &iso8601_timestamp &iso8601_utc_timestamp &rfc2822_timestamp
    &received_line &parse_received
    &fish_out_ip_from_received &split_address &split_localpart &make_query_keys
    &quote_rfc2821_local &qquote_rfc2821_local &unquote_rfc2821_local
    &one_response_for_all
    &EX_OK &EX_NOUSER &EX_UNAVAILABLE &EX_TEMPFAIL &EX_NOPERM);
}

use subs @EXPORT;

use POSIX qw(locale_h strftime);

BEGIN {
  eval { require 'sysexits.ph' };  # try to use the installed version
  # define the most important constants if undefined
  do { sub EX_OK()           {0} } unless defined(&EX_OK);
  do { sub EX_NOUSER()      {67} } unless defined(&EX_NOUSER);
  do { sub EX_UNAVAILABLE() {69} } unless defined(&EX_UNAVAILABLE);
  do { sub EX_TEMPFAIL()    {75} } unless defined(&EX_TEMPFAIL);
  do { sub EX_NOPERM()      {77} } unless defined(&EX_NOPERM);
}

BEGIN {
  import Amavis::Conf qw(:platform $myhostname c cr ca);
  import Amavis::Util qw(ll do_log);
}

# Given a Unix time, return the local time zone offset at that time
# as a string +HHMM or -HHMM, appropriate for the RFC2822 date format.
# Works also for non-full-hour zone offsets, and on systems where strftime
# can not return TZ offset as a number;  (c) Mark Martinec, GPL
#
sub get_zone_offset($) {
  my($t) = @_;
  my($d) = 0;   # local zone offset in seconds
  for (1..3) {  # match the date (with a safety loop limit just in case)
    my($r) = sprintf("%04d%02d%02d", (localtime($t))[5, 4, 3]) cmp
             sprintf("%04d%02d%02d", (gmtime($t + $d))[5, 4, 3]);
    if ($r == 0) { last } else { $d += $r * 24 * 3600 }
  }
  my($sl,$su) = (0,0);
  for ((localtime($t))[2,1,0])   { $sl = $sl * 60 + $_ }
  for ((gmtime($t + $d))[2,1,0]) { $su = $su * 60 + $_ }
  $d += $sl - $su;  # add HMS difference (in seconds)
  my($sign) = $d >= 0 ? '+' : '-';
  $d = -$d  if $d < 0;
  $d = int(($d + 30) / 60.0);  # give minutes, rounded
  sprintf("%s%02d%02d", $sign, int($d / 60), $d % 60);
}

# Given a Unix time (seconds since 1970-01-01T00:00Z),
# provide date-time timestamp (local time) as specified in ISO 8601 (EN 28601)
sub iso8601_timestamp($;$) {
  my($t,$suppress_zone) = @_;
  # can't use %z because some systems do not support it (is treated as %Z)
  my($s) = strftime("%Y%m%dT%H%M%S", localtime($t));
  $s .= get_zone_offset($t)  unless $suppress_zone;
  $s;
}

# Given a Unix time (seconds since 1970-01-01T00:00Z),
# provide date-time timestamp (UTC) as specified in ISO 8601 (EN 28601)
sub iso8601_utc_timestamp($;$) {
  my($t,$suppress_zone) = @_;
  my($s) = strftime("%Y%m%dT%H%M%S", gmtime($t));
  $s .= 'Z'  unless $suppress_zone;
  $s;
}

# Given a Unix time, provide date-time timestamp as specified in RFC 2822
# (local time), to be used in headers such as 'Date:' and 'Received:'
#
sub rfc2822_timestamp($) {
  my($t) = @_;
  my(@lt) = localtime($t);
  # can't use %z because some systems do not support it (is treated as %Z)
  my($old_locale) = setlocale(LC_TIME,"C");  # English dates required!
  my($zone_name) = strftime("%Z",@lt);
  my($s) = strftime("%a, %e %b %Y %H:%M:%S ", @lt);
  $s .= get_zone_offset($t);
  $s .= " (" . $zone_name . ")"  if $zone_name !~ /^\s*\z/;
  setlocale(LC_TIME, $old_locale);  # restore the locale
  $s;
}

sub received_line($$$$) {
  my($conn, $msginfo, $id, $folded) = @_;
  my($smtp_proto, $recips) = ($conn->smtp_proto, $msginfo->recips);
  my($client_ip) = $conn->client_ip;
  if ($client_ip =~ /:/ && $client_ip !~ /^IPv6:/i) {
    $client_ip = 'IPv6:' . $client_ip;
  }
  my($s) = sprintf("from %s%s\n by %s%s (amavisd-new, %s)",
    ($conn->smtp_helo eq '' ? 'unknown' : $conn->smtp_helo),
    ($client_ip eq '' ? '' : " ([$client_ip])"),
    c('localhost_name'),
    ($conn->socket_ip eq '' ? ''
      : sprintf(" (%s [%s])", $myhostname, $conn->socket_ip) ),
    ($conn->socket_port eq '' ? 'unix socket' : "port ".$conn->socket_port) );
  $s .= "\n with $smtp_proto"  if $smtp_proto=~/^(ES|S|L)MTPS?A?\z/i; # rfc3848
  $s .= "\n id $id"  if $id ne '';
  # do not disclose recipients if more than one
  $s .= "\n for " . qquote_rfc2821_local(@$recips)  if @$recips == 1;
  $s .= ";\n " . rfc2822_timestamp($msginfo->rx_time);
  $s =~ s/\n//g  if !$folded;
  $s;
}

sub parse_received($) {
  my($received) = @_;
  local($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11);
  $received =~ s/\n([ \t])/$1/g;  # unfold
  $received =~ s/[\n\r]//g;       # delete remaining newlines if any
  my(%fields);
  while ($received =~ m{\G\s*
            ( \b(from|by) \s+ ( (?: \[ (?: \\. | [^\]\\] )* \] | [^;\s\[] )+ )
              (?: \s* \( (?: ( [^\s\[]+ ) \s+ )?
                         \[ ( (?: \\. | [^\]\\] )* ) \] \s*
                      \) )?
              (?: .*? ) (?= \(|;|\z|\b(?:from|by|via|with|id|for)\b )  # junk
            | \b(via|with|id|for) \s+
              ( (?:  "  (?: \\. | [^"\\]  )* "
                  |  \[ (?: \\. | [^\]\\] )* \]
                  |  \\. | .
                )+? (?= \(|;|\z|\b(?:from|by|via|with|id|for)\b ) )
            | (;) \s* ( .*? ) \s* \z                                   # time
            | (.*?) (?= \(|;|\z|\b(?:from|by|via|with|id|for)\b )      # junk
            ) ( (?: \s+ | (?: \( (?: \\. | [^)\\] )* \) ) )* ) }xgcsi)
  {
    my($v1, $v2, $v3, $comment) = ('') x 4;
    my($item, $field) = ($1, lc($2 || $6 || $8));
    if ($field eq 'from' || $field eq 'by') {
      ($v1, $v2, $v3, $comment) = ($3, $4, $5, $11);
    } elsif ($field eq ';') {  # time
      ($v1, $comment) = ($9, $11);
    } elsif ($10 eq '') {      # via|with|id|for
      ($v1, $comment) = ($7, $11);
    } else {                   # junk
      ($v1, $comment) = ($10, $11);
    }
    $comment =~ s/^\s+//;
    $comment =~ s/\s+\z//;
    $item    =~ s/^\Q$field\E\s*//i;
    if (!exists $fields{$field}) {
      $fields{$field} = [$item, $v1, $v2, $v3, $comment];
      do_log(5, "parse_received: $field = $item/$v1/$v2/$v3")  if $field ne '';
    }
  }
  \%fields;
}

sub fish_out_ip_from_received($) {
  my($received) = @_;
  my($ip);
  my($fields_ref) = parse_received($received);
  if (defined $fields_ref && exists $fields_ref->{'from'}) {
    my($item, $v1, $v2, $v3, $comment) = @{$fields_ref->{'from'}};
    for ($v3, $v2, $v1, $comment, $item) {
      if (/   \[ (\d{1,3} (?: \. \d{1,3}){3}) \] /x) {
        $ip = $1;  last;
      } elsif (/ (\d{1,3} (?: \. \d{1,3}){3}) (?!\d) /x) {
        $ip = $1;  last;
      } elsif (/ \[ (IPv6:)? ( ([0-9a-zA-Z]* : ){2,} [0-9a-zA-Z:.]* ) \] /xi) {
        $ip = $2;  last;
      }
    }
    do_log(5, "fish_out_ip_from_received: $ip, $item");
  }
  !defined($ip) ? undef : $ip;  # undef need not be tainted
}

# Splits unquoted fully qualified e-mail address, or an address
# with missing domain part. Returns a pair: (localpart, domain).
# The domain part (if nonempty) includes the '@' as the first character.
# If the syntax is badly broken, everything ends up as the localpart.
# The domain part can be an address literal, as specified by rfc2822.
# Does not handle explicit route paths.
#
sub split_address($) {
  my($mailbox) = @_;
  $mailbox =~ /^ (.*?) ( \@ (?:  \[  (?: \\. | [^\]\\] )*  \]
                                 |  [^@"<>\[\]\\\s] )*
                       ) \z/xs ? ($1, $2) : ($mailbox, '');
}

# split_localpart() splits localpart of an e-mail address at the first
# occurrence of the address extension delimiter character. (based on
# equivalent routine in Postfix)
#
# Reserved addresses are not split: postmaster, mailer-daemon,
# double-bounce. Addresses that begin with owner-, or addresses
# that end in -request are not split when the owner_request_special
# parameter is set.

sub split_localpart($$) {
  my($localpart, $delimiter) = @_;
  my($owner_request_special) = 1;  # configurable ???
  my($extension);
  if ($localpart =~ /^(postmaster|mailer-daemon|double-bounce)\z/i) {
    # do not split these, regardless of what the delimiter is
  } elsif ($delimiter eq '-' && $owner_request_special &&
           $localpart =~ /^owner-|-request\z/i) {
    # don't split owner-foo or foo-request
  } elsif ($localpart =~ /^(.+?)\Q$delimiter\E(.*)\z/s) {
    ($localpart, $extension) = ($1, $2);
    # do not split the address if the result would have a null localpart
  }
  ($localpart, $extension);
}

# For a given email address (e.g. for User+Foo@sub.exAMPLE.CoM)
# prepare and return a list of lookup keys in the following order:
#   User+Foo@sub.exAMPLE.COM   (as-is, no lowercasing)
#   user+foo@sub.example.com
#   user@sub.example.com (only if $recipient_delimiter nonempty)
#   user+foo(@) (only if $include_bare_user)
#   user(@)     (only if $include_bare_user and $recipient_delimiter nonempty)
#   (@)sub.example.com
#   (@).sub.example.com
#   (@).example.com
#   (@).com
#   (@).
# Note about (@): if $at_with_user is true the user-only keys (without domain)
# get an '@' character appended (e.g. 'user+foo@'). Usual for lookup_hash.
# If $at_with_user is false the domain-only (no user localpart) keys
# get a '@' prepended (e.g. '@.example.com'). Usual for lookup_sql.
#
# The domain part is lowercased in all but the first resulting item;
# the localpart is lowercased iff $localpart_is_case_sensitive is true.
#
sub make_query_keys($$$) {
  my($addr,$at_with_user,$include_bare_user) = @_;
  my($localpart,$domain) = split_address($addr); $domain = lc($domain);
  my($saved_full_localpart) = $localpart;
  $localpart = lc($localpart)  if !c('localpart_is_case_sensitive');
  # chop off leading @, and trailing dots
  $domain = $1  if $domain =~ /^\@?(.*?)\.*\z/s;
  my($extension); my($delim) = c('recipient_delimiter');
  if ($delim ne '') {
    ($localpart,$extension) = split_localpart($localpart,$delim);
  }
  my($append_to_user,$prepend_to_domain) = $at_with_user ? ('@','') : ('','@');
  my(@keys);  # a list of query keys
  push(@keys, $addr);                        # as is
  push(@keys, $localpart.$delim.$extension.'@'.$domain)
    if $extension ne '';                     # user+foo@example.com
  push(@keys, $localpart.'@'.$domain);       # user@example.com
  if ($include_bare_user) {  # typically enabled for local users only
    push(@keys, $localpart.$delim.$extension.$append_to_user)
      if $extension ne '';                   # user+foo(@)
    push(@keys, $localpart.$append_to_user); # user(@)
  }
  push(@keys, $prepend_to_domain.$domain);   # (@)sub.example.com
  if ($domain =~ /\[/) {     # don't split address literals
    push(@keys, $prepend_to_domain.'.');     # (@).
  } else {
    my(@dkeys); my($d) = $domain;
    for (;;) {               # (@).sub.example.com (@).example.com (@).com (@).
      push(@dkeys, $prepend_to_domain.'.'.$d);
      last  if $d eq '';
      $d = ($d =~ /^([^.]*)\.(.*)\z/s) ? $2 : '';
    }
    if (@dkeys > 10) { @dkeys = @dkeys[$#dkeys-9 .. $#dkeys] }  # sanity limit
    push(@keys,@dkeys);
  }
  my($keys_ref) = [];   # remove duplicates
  for my $k (@keys) { push(@$keys_ref,$k)  if !grep {$k eq $_} @$keys_ref }
  ll(5) && do_log(5,"query_keys: ".join(', ',@$keys_ref));
  # the rhs replacement strings are similar to what would be obtained
  # by lookup_re() given the following regular expression:
  # /^( ( ( [^@]*? ) ( \Q$delim\E [^@]* )? ) (?: \@ (.*) ) )$/xs
  my($rhs) = [   # a list of right-hand side replacement strings
    $addr,                  # $1 = User+Foo@Sub.Example.COM
    $saved_full_localpart,  # $2 = User+Foo
    $localpart,             # $3 = user
    $delim.$extension,      # $4 = +foo
    $domain,                # $5 = sub.example.com
  ];
  ($keys_ref, $rhs);
}

# quote_rfc2821_local() quotes the local part of a mailbox address
# (given in internal (unquoted) form), and returns external (quoted)
# mailbox address, as per rfc2821.
#
# Internal (unquoted) form is used internally by amavisd-new and other mail sw,
# external (quoted) form is used in SMTP commands and message headers.
#
# The quote_rfc2821_local() conversion is necessary because addresses
# we get from certain MTAs are raw, with stripped-off quoting.
# To re-insert message back via SMTP, the local-part of the address needs
# to be quoted again if it contains reserved characters or otherwise
# does not obey the dot-atom syntax, as specified in rfc2821.
# Failing to do that gets us into trouble: amavis accepts message from MTA,
# but is unable to hand it back to MTA after checking, receiving
# '501 Bad address syntax' with every attempt.
#
sub quote_rfc2821_local($) {
  my($mailbox) = @_;
  # atext: any character except controls, SP, and specials (rfc2821/rfc2822)
  my($atext) = "a-zA-Z0-9!#\$%&'*/=?^_`{|}~+-";
  # my($specials) = '()<>\[\]\\\\@:;,."';
  my($localpart,$domain) = split_address($mailbox);
  if ($localpart !~ /^[$atext]+(\.[$atext]+)*\z/so) {  # not dot-atom
    $localpart =~ s/(["\\])/\\$1/g;                    # quoted-pair
    $localpart = '"' . $localpart . '"';  # make a qcontent out of it
  }
  $domain = ''  if $domain eq '@';        # strip off empty domain entirely
  $localpart . $domain;
}

# wraps the result of quote_rfc2821_local into angle brackets <...> ;
# If given a list, it returns a list (possibly converted to
# comma-separated scalar), quoting each element;
#
sub qquote_rfc2821_local(@) {
  my(@r) = map { $_ eq '' ? '<>' : ('<' . quote_rfc2821_local($_) . '>') } @_;
  wantarray ? @r : join(', ', @r);
}

# unquote_rfc2821_local() strips away the quoting from the local part
# of an external (quoted) mailbox address, and returns internal (unquoted)
# mailbox address, as per rfc2821.
#
# Internal (unquoted) form is used internally by amavisd-new and other mail sw,
# external (quoted) form is used in SMTP commands and message headers.
#
sub unquote_rfc2821_local($) {
  my($mailbox) = @_;
  # the angle-bracket stripping is not really a duty of this subroutine,
  # as it should have been already done elsewhere, but for the time being
  # we do it here:
  $mailbox = $1  if $mailbox =~ /^ \s* < ( .* ) > \s* \z/xs;
  my($localpart,$domain) = split_address($mailbox);
  $localpart =~ s/ " | \\ (.) | \\ \z /$1/xsg;  # unquote quoted-pairs
  $localpart . $domain;
}

# Prepare a single SMTP response and an exit status as per sysexits.h
# from individual per-recipient response codes, taking into account
# sendmail milter specifics. Returns a triple: (smtp response, exit status,
# an indication whether DSN is needed).
#
sub one_response_for_all($$$) {
  my($msginfo, $dsn_per_recip_capable, $am_id) = @_;
  my($smtp_resp, $exit_code, $dsn_needed);

  my($delivery_method) = $msginfo->delivery_method;
  my($sender)          = $msginfo->sender;
  my($per_recip_data)  = $msginfo->per_recip_data;
  my($any_not_done)    = scalar(grep { !$_->recip_done } @$per_recip_data);
  if ($delivery_method ne '' && $any_not_done)
    { die "Explicit forwarding, but not all recips done" }
  if (!@$per_recip_data) {  # no recipients, nothing to do
    $smtp_resp = "250 2.5.0 Ok, id=$am_id"; $exit_code = EX_OK;
    do_log(5, "one_response_for_all <$sender>: no recipients, '$smtp_resp'");
  }
  if (!defined $smtp_resp) {
    for my $r (@$per_recip_data) {  # any 4xx code ?
      if ($r->recip_smtp_response =~ /^4/)  # pick the first 4xx code
        { $smtp_resp = $r->recip_smtp_response; last }
    }
    if (!defined $smtp_resp) {
      for my $r (@$per_recip_data) {        # any invalid code ?
        if ($r->recip_done && $r->recip_smtp_response !~ /^[245]/) {
          $smtp_resp = '451 4.5.0 Bad SMTP response code??? "'
                       . $r->recip_smtp_response . '"';
          last;                             # pick the first
        }
      }
    }
    if (defined $smtp_resp) {
      $exit_code = EX_TEMPFAIL;
      do_log(5, "one_response_for_all <$sender>: 4xx found, '$smtp_resp'");
    }
  }
  # NOTE: a 2xx SMTP response code is set both by internal Discard
  # and by a genuine successful delivery. To distinguish between the two
  # we need to check $r->recip_destiny as well.
  #
  if (!defined $smtp_resp) {
    # if destiny for _all_ recipients is D_DISCARD => Discard
    my($notall);
    for my $r (@$per_recip_data) {
      if ($r->recip_destiny == D_DISCARD)  # pick the first DISCARD code
        { $smtp_resp = $r->recip_smtp_response  if !defined $smtp_resp }
      else { $notall++; last }  # one is not a discard, nogood
    }
    if ($notall) { $smtp_resp = undef }
    if (defined $smtp_resp) {
      # helper program will interpret 99 as discard
      $exit_code = $delivery_method eq '' ? 99 : EX_OK;
      do_log(5, "one_response_for_all <$sender>: all DISCARD, '$smtp_resp'");
    }
  }
  if (!defined $smtp_resp) {
    # destiny for _all_ recipients is Discard or Reject => 5xx
    # (and there is at least one Reject)
    my($notall, $done_level);
    my($bounce_cnt) = 0;
    for my $r (@$per_recip_data) {
      my($dest, $resp) = ($r->recip_destiny, $r->recip_smtp_response);
      if ($dest == D_DISCARD) {
        # ok, this one is discard, let's see the rest
      } elsif ($resp =~ /^5/ && $dest != D_BOUNCE) {
        # prefer to report SMTP response code of genuine rejects
        # from MTA, over internal rejects by content filters
        if (!defined $smtp_resp || $r->recip_done > $done_level)
          { $smtp_resp  = $resp; $done_level = $r->recip_done }
      } else { $notall++; last }  # one is Pass or Bounce, nogood
    }
    if ($notall) { $smtp_resp = undef }
    if (defined $smtp_resp) {
      $exit_code = EX_UNAVAILABLE;
      do_log(5, "one_response_for_all <$sender>: REJECTs, '$smtp_resp'");
    }
  }
  if (!defined $smtp_resp) {
    # mixed destiny => 2xx, but generate dsn for bounces and rejects
    my($rej_cnt) = 0; my($bounce_cnt) = 0; my($drop_cnt) = 0;
    for my $r (@$per_recip_data) {
      my($dest, $resp) = ($r->recip_destiny, $r->recip_smtp_response);
      if ($resp =~ /^2/ && $dest == D_PASS)  # genuine successful delivery
        { $smtp_resp = $resp  if !defined $smtp_resp }
      $drop_cnt++  if $dest == D_DISCARD;
      if ($resp =~ /^5/)
        { if ($dest == D_BOUNCE) { $bounce_cnt++ } else { $rej_cnt++ } }
    }
    $exit_code = EX_OK;
    if (!defined $smtp_resp) {                 # no genuine Pass/2xx
        # declare success, we'll handle bounce
      $smtp_resp = "250 2.5.0 Ok, id=$am_id";
      if ($any_not_done) { $smtp_resp .= ", continue delivery" }
      elsif ($delivery_method eq '') { $exit_code = 99 }  # milter DISCARD
    }
    if ($rej_cnt + $bounce_cnt + $drop_cnt > 0) {
      $smtp_resp .= ", ";
      $smtp_resp .= "but "  if $rej_cnt+$bounce_cnt+$drop_cnt<@$per_recip_data;
      $smtp_resp .= join ", and ",
        map { my($cnt, $nm) = @$_;
              !$cnt ? () : $cnt == @$per_recip_data ? $nm : "$cnt $nm"
        } ([$rej_cnt,'REJECT'], [$bounce_cnt,'BOUNCE'], [$drop_cnt,'DISCARD']);
    }
    $dsn_needed =
      ($bounce_cnt > 0 || ($rej_cnt > 0 && !$dsn_per_recip_capable)) ? 1 : 0;
    ll(5) && do_log(5,"one_response_for_all <$sender>: "
             . ($rej_cnt + $bounce_cnt + $drop_cnt > 0 ? 'mixed' : 'success')
             . ", dsn_needed=$dsn_needed, '$smtp_resp'");
  }
  ($smtp_resp, $exit_code, $dsn_needed);
}

1;

#
package Amavis::Lookup::RE;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
}
BEGIN { import Amavis::Util qw(ll do_log) }

# Make an object out of the supplied lookup list
# to make it distinguishable from simple ACL array
sub new($$) { my($class) = shift; bless [@_], $class }

# lookup_re() performs a lookup for an e-mail address against
# a list made up of regular expressions.
#
# The full unmodified e-mail address is always used, so splitting to localpart
# and domain or lowercasing is NOT performed. The regexp is powerful enough
# that this can be accomplished by its mechanisms. The routine is useful for
# other RE tests besides the usual e-mail addresses, such as looking for
# banned file names.
#
# Each element of the list can be ref to a pair, or directly a regexp
# ('Regexp' object created by qr operator, or just a (less efficient)
# string containing a regular expression). If it is a pair, the first
# element is treated as a regexp, and the second provides a value in case
# the regexp matches. If not a pair, the implied result of a match is 1.
#
# The regular expression is taken as-is, no implicit anchoring or setting
# case insensitivity is done, so use qr'(?i)^user@example\.com$',
# and not a sloppy qr'user@example.com', which can easily backfire.
# Also, if qr is used with a delimiter other than ', make sure to quote
# the @ and $ .
#
# The pattern allows for capturing of parenthesized substrings, which can
# then be referenced from the result string using the $1, $2, ... notation,
# as with the Perl m// operator. The number after the $ may be a multi-digit
# decimal number. To avoid possible ambiguity the ${n} or $(n) form may be used
# Substring numbering starts with 1. Nonexistent references evaluate to empty
# strings. If any substitution is done, the result inherits the taintedness
# of $addr. Keep in mind that $ and @ characters needs to be backslash-quoted
# in qq() strings. Example:
#   $virus_quarantine_to = new_RE(
#     [ qr'^(.*)@example\.com$'i => 'virus-${1}@example.com' ],
#     [ qr'^(.*)(@[^@]*)?$'i     => 'virus-${1}${2}' ] );
#
# Example (equivalent to the example in lookup_acl):
#    $acl_re = Amavis::Lookup::RE->new(
#                       qr'@me\.ac\.uk$'i, [qr'[@.]ac\.uk$'i=>0], qr'\.uk$'i );
#    ($r,$k) = $acl_re->lookup_re('user@me.ac.uk');
# or $r = lookup(0, 'user@me.ac.uk', $acl_re);
#
# 'user@me.ac.uk'   matches me.ac.uk, returns true and search stops
# 'user@you.ac.uk'  matches .ac.uk, returns false (because of =>0) and search stops
# 'user@them.co.uk' matches .uk, returns true and search stops
# 'user@some.com'   does not match anything, falls through and returns false (undef)

sub lookup_re($$;$) {
  my($self, $addr,$get_all) = @_;
  local($1,$2,$3,$4); my(@matchingkey,@result);
  for my $e (@$self) {
    my($key,$r);
    if (ref($e) eq 'ARRAY') {  # a pair: (regexp,result)
      ($key,$r) = ($e->[0], @$e < 2 ? 1 : $e->[1]);
    } else {                   # a single regexp (not a pair), implies result 1
      ($key,$r) = ($e, 1);
    }
  # do_log(5, "lookup_re: key=\"$addr\", matching against RE $key");
    my(@rhs) = $addr =~ /$key/;  # match, capturing parenthesized subpatterns
    if (@rhs) {  # regexp matches
      # do the righthand side replacements if any $n, ${n} or $(n) is specified
      if (!ref($r) && $r=~/\$/) {
        my($any) = $r =~ s{ \$ ( (\d+) | \{ (\d+) \} | \( (\d+) \) ) }
                          { my($j)=$2+$3+$4; $j<1 ? '' : $rhs[$j-1] }gxse;
        # bring taintedness of input to the result
        $r .= substr($addr,0,0)  if $any;
      }
      push(@result,$r); push(@matchingkey,$key);
      last  if !$get_all;
    }
  }
  if (!ll(5)) {
    # don't bother preparing log report which will not be printed
  } elsif (!@result) {
    do_log(5,"lookup_re($addr), no matches");
  } else {  # pretty logging
    my(%esc) = (r => "\r", n => "\n", f => "\f", b => "\b",
                e => "\e", a => "\a", t => "\t");
    my(@mk) = @matchingkey;
    for my $mk (@mk)  # undo the \-quoting, will be redone by logging routines
      { $mk =~ s{ \\(.) }{ exists($esc{$1}) ? $esc{$1} : $1 }egsx }
    if (!$get_all) {  # first match wins
      do_log(5,sprintf('lookup_re(%s) matches key "%s", result=%s',
                        $addr,$mk[0],$result[0]));
    } else {  # want all matches
      do_log(5,"lookup_re($addr) matches keys: ".
               join(', ', map {sprintf('"%s"=>%s',$mk[$_],$result[$_])}
                              (0..$#result)));
    }
  }
  if (!$get_all) { !wantarray ? $result[0] : ($result[0], $matchingkey[0]) }
  else           { !wantarray ? \@result   : (\@result,   \@matchingkey)   }
}

1;

#
package Amavis::Lookup::Label;
use strict;
use re 'taint';

# Make an object out of the supplied string, to serve as label
# in log messages generated by sub lookup
sub new($$) { my($class) = shift; my($str) = shift; bless \$str, $class }
sub display($) { my($self) = shift; $$self }

1;

#
package Amavis::Lookup;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  %EXPORT_TAGS = ();
  @EXPORT = ();
  @EXPORT_OK = qw(&lookup &lookup_ip_acl);
}
use subs @EXPORT_OK;

BEGIN {
  import Amavis::Util qw(ll do_log);
  import Amavis::Conf qw(:platform c cr ca);
  import Amavis::Timing qw(section_time);
  import Amavis::rfc2821_2822_Tools qw(split_address make_query_keys);
}

# lookup_hash() performs a lookup for an e-mail address against a hash map.
# If a match is found (a hash key exists in the Perl hash) the function returns
# whatever the map returns, otherwise undef is returned. First match wins,
# aborting further search sequence.
#
sub lookup_hash($$;$) {
  my($addr, $hash_ref,$get_all) = @_;
  (ref($hash_ref) eq 'HASH')
    or die "lookup_hash: arg2 must be a hash ref: $hash_ref";
  local($1,$2,$3,$4); my(@matchingkey,@result);
  my($keys_ref,$rhs_ref) = make_query_keys($addr,1,1);
  for my $key (@$keys_ref) {   # do the search
    if (defined $$hash_ref{$key}) {  # got it
      push(@result,$$hash_ref{$key}); push(@matchingkey,$key);
      last  if !$get_all;
    }
  }
  # do the right-hand side replacements if any $n, ${n} or $(n) is specified
  for my $r (@result) {  # remember that $r is just an alias to array elements
    if (!ref($r) && $r=~/\$/) {  # is a plain string containing a '$'
      my($any) = $r =~ s{ \$ ( (\d+) | \{ (\d+) \} | \( (\d+) \) ) }
                        { my($j)=$2+$3+$4; $j<1 ? '' : $rhs_ref->[$j-1] }gxse;
      # bring taintedness of input to the result
      $r .= substr($addr,0,0)  if $any;
    }
  }
  if (!ll(5)) {
    # only bother with logging when needed
  } elsif (!@result) {
    do_log(5,"lookup_hash($addr), no matches");
  } elsif (!$get_all) {  # first match wins
    do_log(5,sprintf('lookup_hash(%s) matches key "%s", result=%s',
                      $addr,$matchingkey[0],$result[0]));
  } else {  # want all matches
    do_log(5,"lookup_hash($addr) matches keys: ".
             join(', ', map {sprintf('"%s"=>%s',$matchingkey[$_],$result[$_])}
                            (0..$#result)));
  }
  if (!$get_all) { !wantarray ? $result[0] : ($result[0], $matchingkey[0]) }
  else           { !wantarray ? \@result   : (\@result,   \@matchingkey)   }
}

# lookup_acl() performs a lookup for an e-mail address against
# access control list.
#
# Domain name of the supplied address is compared with each member of the
# access list in turn, the first match wins (terminates the search),
# and its value decides whether the result is true (yes, permit, pass)
# or false (no, deny, drop). Falling through without a match
# produces false (undef). Search is case-insensitive.
#
# If a list member contains a '@', the full e-mail address is compared,
# otherwise if a list member has a leading dot, the domain name part is
# matched only, and the domain as well as its subdomains can match. If there
# is no leading dot, the domain must match exactly (subdomains do not match).
#
# The presence of character '!' prepended to the list member decides
# whether the result will be true (without a '!') or false (with '!')
# in case this list member matches and terminates the search.
#
# Because search stops at the first match, it only makes sense
# to place more specific patterns before the more general ones.
#
# Although not a special case, it is good to remember that '.' always matches,
# so '.' would stop the search and return true, whereas '!.' would stop the
# search and return false (0) (which is normally not very useful,
# as false (undef) is also implied at the end of the list).
#
# Examples:
#
# given: @acl = qw( me.ac.uk !.ac.uk .uk )
#   'me.ac.uk' matches me.ac.uk, returns true and search stops
#
# given: @acl = qw( me.ac.uk !.ac.uk .uk )
#   'you.ac.uk' matches .ac.uk, returns false (because of '!') and search stops
#
# given: @acl = qw( me.ac.uk !.ac.uk .uk )
#   'them.co.uk' matches .uk, returns true and search stops
#
# given: @acl = qw( me.ac.uk !.ac.uk .uk )
#   'some.com' does not match anything, falls through and returns false (undef)
#
# given: @acl = qw( me.ac.uk !.ac.uk .uk !. )
#   'some.com' similar to previous, except it returns 0 instead of undef
#
# given: @acl = qw( me.ac.uk !.ac.uk .uk . )
#   'some.com' matches catchall ".", and returns true. The ".uk" is redundant
#
# more complex example: @acl = qw(
#   !The.Boss@dept1.xxx.com .dept1.xxx.com
#   .dept2.xxx.com .dept3.xxx.com lab.dept4.xxx.com
#   sub.xxx.com !.sub.xxx.com
#   me.d.aaa.com him.d.aaa.com !.d.aaa.com .aaa.com
# );

sub lookup_acl($$) {
  my($addr, $acl_ref) = @_;
  (ref($acl_ref) eq 'ARRAY')
    or die "lookup_acl: arg2 must be a list ref: $acl_ref";
  return undef  if !@$acl_ref;  # empty list can't match anything
  my($lpcs) = c('localpart_is_case_sensitive');
  my($localpart,$domain) = split_address($addr); $domain = lc($domain);
  $localpart = lc($localpart)  if !$lpcs;
  local($1,$2);
  # chop off leading @ and trailing dots
  $domain = $1  if $domain =~ /^\@?(.*?)\.*\z/s;
  my($lcaddr) = $localpart . '@' . $domain;
  my($found, $matchingkey, $result);
  for my $e (@$acl_ref) {
    $result = 1; $matchingkey = $e; my($key) = $e;
    if ($key =~ /^(!+)(.*)\z/s) {      # starts with an exclamation mark(s)
      $key = $2;
      $result = 1-$result  if (length($1) & 1);  # negate if odd
    }
    if ($key =~ /^(.*?)\@([^@]*)\z/s) {   # contains '@', check full address
      $found++  if $localpart eq ($lpcs?$1:lc($1)) && $domain eq lc($2);
    } elsif ($key =~ /^\.(.*)\z/s) {   # leading dot: domain or subdomain
      my($key_t) = lc($1);
      $found++  if $domain eq $key_t || $domain =~ /(\.|\z)\Q$key_t\E\z/s;
    } else {                           # match domain (but not its subdomains)
      $found++  if $domain eq lc($key);
    }
    last  if $found;
  }
  $matchingkey = $result = undef  if !$found;
  do_log(5, "lookup_acl($addr)".
    (!$found?", no match":" matches key \"$matchingkey\", result=$result"));
  !wantarray ? $result : ($result, $matchingkey);
}

# Perform a lookup for an e-mail address against any number of supplied maps:
# - SQL map,
# - LDAP map,
# - hash map,
# - (access control) list,
# - a list of regular expressions,
# - a (defined) scalar always matches, and returns itself as the 'map' value
#   (useful as a catchall for final 'pass' or 'fail');
# (see lookup_hash, lookup_acl, lookup_sql and lookup_ldap for details).
#
# when $get_all is 0 (the common usage):
#   If a match is found (a defined value), returns whatever the map returns,
#   otherwise returns undef. FIRST match aborts further search sequence.
# when $get_all is true:
#   Collects a list of results from ALL matching tables, and within each
#   table from ALL matching key. Returns a ref to the list of results
#   (and a ref to a list of matching keys if returning a pair).
#   The first element of both lists is supposed to be what lookup() would
#   have returned if $get_all were 0. The order of returned elements
#   corresponds to the order of the search.
#
sub lookup($$@) {
  my($get_all, $addr, @tables) = @_;
  my($label, @result,@matchingkey);
  for my $tb (@tables) {
    my($t) = ref($tb) eq 'REF' ? $$tb : $tb; # allow one level of indirection
    if (!ref($t) || ref($t) eq 'SCALAR') {   # a scalar always matches
      my($r) = ref($t) ? $$t : $t;  # allow direct or indirect reference
      if (defined $r) {
        do_log(5,"lookup: (scalar) matches, result=\"$r\"");
        push(@result,$r); push(@matchingkey,"(constant:$r)");
      }
    } elsif (ref($t) eq 'HASH') {
      my($r,$mk) = lookup_hash($addr,$t,$get_all);
      if (!defined $r)  {}
      elsif (!$get_all) { push(@result,$r);  push(@matchingkey,$mk)  }
      elsif (@$r)       { push(@result,@$r); push(@matchingkey,@$mk) }
    } elsif (ref($t) eq 'ARRAY') {
      my($r,$mk) = lookup_acl($addr,$t);
      if (defined $r)   { push(@result,$r);  push(@matchingkey,$mk)  }
    } elsif ($t->isa('Amavis::Lookup::Label')) {  # logging label
      # just a convenience for logging purposes, not a real lookup method
      $label = $t->display;  # grab the name, and proceed with the next table
    } elsif ($t->isa('Amavis::Lookup::RE')) {
      my($r,$mk) = $t->lookup_re($addr,$get_all);
      if (!defined $r)  {}
      elsif (!$get_all) { push(@result,$r);  push(@matchingkey,$mk)  }
      elsif (@$r)       { push(@result,@$r); push(@matchingkey,@$mk) }
    } elsif ($t->isa('Amavis::Lookup::SQL')) {
      my($r,$mk) = $t->lookup_sql($addr,$get_all);
      if (!defined $r)  {}
      elsif (!$get_all) { push(@result,$r);  push(@matchingkey,$mk)  }
      elsif (@$r)       { push(@result,@$r); push(@matchingkey,@$mk) }
    } elsif ($t->isa('Amavis::Lookup::SQLfield')) {
      my($r,$mk) = $t->lookup_sql_field($addr,$get_all);
      if (!defined $r)  {}
      elsif (!$get_all) { push(@result,$r);  push(@matchingkey,$mk)  }
      elsif (@$r)       { push(@result,@$r); push(@matchingkey,@$mk) }
    } elsif ($t->isa('Amavis::Lookup::LDAP')) {
      my($r,$mk) = $t->lookup_ldap($addr,$get_all);
      if (!defined $r)  {}
      elsif (!$get_all) { push(@result,$r);  push(@matchingkey,$mk) }
      elsif (@$r)       { push(@result,@$r); push(@matchingkey,@$mk) }
    } elsif ($t->isa('Amavis::Lookup::LDAPattr')) {
      my($r,$mk) = $t->lookup_ldap_attr($addr,$get_all);
      if (!defined $r)  {}
      elsif (!$get_all) { push(@result,$r);  push(@matchingkey,$mk) }
      elsif (@$r)       { push(@result,@$r); push(@matchingkey,@$mk) }
    } else {
      die "TROUBLE: lookup table is an unknown object: " . ref($t);
    }
    last  if @result && !$get_all;
  }
  # pretty logging
  if ($label ne '') { $label = " ($label)" }
  if (!ll(4)) {
    # don't bother preparing log report which will not be printed
  } elsif (!@tables) {
    do_log(4,"lookup$label => undef, \"$addr\", no lookup tables");
  } elsif (!@result) {
    do_log(4,"lookup$label => undef, \"$addr\" does not match");
  } elsif (!$get_all) {  # first match wins
    do_log(4,sprintf(
      'lookup%s => %-6s "%s" matches, result=%s, matching_key="%s"',
      $label, $result[0]?'true,':'false,', $addr,
      (ref $result[0] ne 'ARRAY' ? '"'.$result[0].'"'
                                 : '('.join(',',@{$result[0]}).')'),
      $matchingkey[0]));
  } else {  # want all matches
    do_log(4,sprintf('lookup%s, %d matches for "%s", results: %s',
      $label, scalar(@result), $addr,
      join(', ', map {sprintf('"%s"=>%s', $matchingkey[$_],
                              (ref $result[$_] ne 'ARRAY'
                                 ? '"'.$result[$_].'"'
                                 : '('.join(',',@{$result[$_]}).')') )}
                     (0..$#result) )));
  }
  if (!$get_all) { !wantarray ? $result[0] : ($result[0], $matchingkey[0]) }
  else           { !wantarray ? \@result   : (\@result,   \@matchingkey)   }
}

# ip_to_vec() takes IPv6 or IPv4 IP address with optional prefix length
# (or IPv4 mask), parses and validates it, and returns it as a 128-bit
# vector string that can be used as operand to Perl bitwise string operators.
# Syntax and other errors in the argument throw exception (die).
# If the second argument $allow_mask is 0, the prefix length or mask
# specification is not allowed as part of the IP address.
#
# The IPv6 syntax parsing and validation adheres to rfc3513.
# All the following IPv6 address forms are supported:
#   x:x:x:x:x:x:x:x        preferred form
#   x:x:x:x:x:x:d.d.d.d    alternative form
#   ...::...               zero-compressed form
#   addr/prefix-length     prefix length may be specified (defaults to 128)
# Optionally an "IPv6:" prefix may be prepended to the IPv6 address
# as specified by rfc2821. No brackets are allowed enclosing the address.
#
# The following IPv4 forms are allowed:
#   d.d.d.d
#   d.d.d.d/prefix-length  CIDR mask length is allowed (defaults to 32)
#   d.d.d.d/m.m.m.m        network mask (gets converted to prefix-length)
# If prefix-length or a mask is specified with an IPv4 address, the address
# may be shortened to d.d.d/n or d.d/n or d/n. Such truncation is allowed
# for compatibility with earlier version, but is deprecated and is not
# allowed for IPv6 addresses.
#
# IPv4 addresses and masks are converted to IPv4-mapped IPv6 addresses
# of the form ::FFFF:d.d.d.d,  The CIDR mask length (0..32) is converted
# to IPv6 prefix-length (96..128). The returned vector strings resulting
# from IPv4 and IPv6 forms are indistinguishable.
#
# NOTE:
#   d.d.d.d is equivalent to ::FFFF:d.d.d.d (IPv4-mapped IPv6 address)
#   which is not the same as ::d.d.d.d      (IPv4-compatible IPv6 address)
#
# A triple is returned:
#  - IP address represented as a 128-bit vector (a string)
#  - network mask derived from prefix length, a 128-bit vector (string)
#  - prefix length as an integer (0..128)
#
sub ip_to_vec($;$) {
  my($ip,$allow_mask) = @_;
  my($ip_len); my(@ip_fields);
  local($1,$2,$3,$4,$5,$6);
  $ip =~ s/^[ \t]+//; $ip =~ s/[ \t\n]+\z//s;  # trim
  my($ipa) = $ip;
  ($ipa,$ip_len) = ($1,$2)  if $allow_mask && $ip =~ m{^([^/]*)/(.*)\z}s;
  if ($ipa =~ m{^(IPv6:)?(.*:)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z}si){
    # IPv6 alternative form x:x:x:x:x:x:d.d.d.d
    !grep {$_ > 255} ($3,$4,$5,$6)
      or die "Invalid decimal field value in IPv6 address: $ip";
    $ipa = $2 . sprintf("%02X%02X:%02X%02X", $3,$4,$5,$6);
  } elsif ($ipa =~ m{^\d{1,3}(?:\.\d{1,3}){0,3}\z}) {  # IPv4 form
    my(@d) = split(/\./,$ipa,-1);
    !grep {$_ > 255} @d  or die "Invalid field value in IPv4 address: $ip";
    defined($ip_len) || @d==4
      or die "IPv4 address $ip contains fewer than 4 fields";
    $ipa = '::FFFF:' . sprintf("%02X%02X:%02X%02X", @d);  # IPv4-mapped IPv6
    if (!defined($ip_len)) { $ip_len = 32;   # no length, defaults to /32
    } elsif ($ip_len =~ /^\d{1,9}\z/) {      # /n, IPv4 CIDR notation
    } elsif ($ip_len =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/) {
      !grep {$_ > 255} ($1,$2,$3,$4)
        or die "Illegal field value in IPv4 mask: $ip";
      my($mask1) = pack('C4',$1,$2,$3,$4);   # /m.m.m.m
      my($len) = unpack("%b*",$mask1);       # count ones
      my($mask2) = pack('B32', '1' x $len);  # reconstruct mask from count
      $mask1 eq $mask2
        or die "IPv4 mask not representing valid CIDR mask: $ip";
      $ip_len = $len;
    } else {
      die "Invalid IPv4 network mask or CIDR prefix length: $ip";
    }
    $ip_len<=32 or die "IPv4 network prefix length greater than 32: $ip";
    $ip_len += 128-32;  # convert IPv4 net mask length to IPv6 prefix length
  }
  $ip_len = 128  if !defined($ip_len);
  $ip_len<=128 or die "IPv6 network prefix length greater than 128: $ip";
  $ipa =~ s/^IPv6://i;
  # now we presumably have an IPv6 preferred form x:x:x:x:x:x:x:x
  if ($ipa !~ /^(.*?)::(.*)\z/s) {  # zero-compressing form used?
    @ip_fields = split(/:/,$ipa,-1);  # no
  } else {                         # expand zero-compressing form
    my(@a) = split(/:/,$1,-1); my(@b) = split(/:/,$2,-1);
    my($missing_cnt) = 8-(@a+@b);  $missing_cnt = 1  if $missing_cnt<1;
    @ip_fields = (@a, (0) x $missing_cnt, @b);
  }
  !grep { !/^[0-9a-zA-Z]{1,4}\z/ } @ip_fields
    or die "Invalid syntax of IPv6 address: $ip";
  @ip_fields<8 and die "IPv6 address $ip contains fewer than 8 fields";
  @ip_fields>8 and die "IPv6 address $ip contains more than 8 fields";
  my($vec) = pack("n8", map {hex} @ip_fields);
  $ip_len=~/^\d{1,3}\z/
    or die "Invalid prefix length syntax in IP address: $ip";
  $ip_len<=128 or die "Invalid prefix length in IPv6 address: $ip";
  my($mask) = pack('B128', '1' x $ip_len);
# do_log(5,sprintf("ip_to_vec: %s => %s/%d\n", $ip,unpack("B*",$vec),$ip_len));
  ($vec,$mask,$ip_len);
}

# lookup_ip_acl() performs a lookup for an IPv4 or IPv6 address
# against access control list or a hash of network or host addresses.
#
# IP address is compared to each member of the access list in turn,
# the first match wins (terminates the search), and its value decides
# whether the result is true (yes, permit, pass) or false (no, deny, drop).
# Falling through without a match produces false (undef).
#
# The presence of character '!' prepended to the list member decides
# whether the result will be true (without a '!') or false (with '!')
# in case this list member matches and terminates the search.
#
# Because search stops at the first match, it only makes sense
# to place more specific patterns before the more general ones.
#
# For IPv4 a network address can be specified in classless notation
# n.n.n.n/k, or using a mask n.n.n.n/m.m.m.m . Missing mask implies /32,
# i.e. a host address. For IPv6 addresses all rfc3513 forms are allowed.
# See also comments at ip_to_vec().
#
# Although not a special case, it is good to remember that '::/0'
# always matches any IPv4 or IPv6 address.
#
# The '0/0' is equivalent to '::FFFF:0:0/0' and matches any IPv4 address
# (including IPv4-mapped IPv6 addresses), but not other IPv6 addresses!
#
# Example
#   given: @acl = qw( !192.168.1.12 172.16.3.3 !172.16.3.0/255.255.255.0
#                     10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
#                     !0.0.0.0/8 !:: 127.0.0.0/8 ::1 );
# matches rfc1918 private address space except host 192.168.1.12
# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches).
# In addition the 'unspecified' (null) IPv4 and IPv6 addresses return false,
# and IPv4 and IPv6 loopback addresses match and return true.
#
sub lookup_ip_acl($@) {
  my($ip, @nets_ref) = @_;
  my($ip_vec,$ip_mask) = ip_to_vec($ip,0);
  my($label,$found,$fullkey,$result);
  for my $tb (@nets_ref) {
    my($t) = ref($tb) eq 'REF' ? $$tb : $tb; # allow one level of indirection
    if (!ref($t) || ref($t) eq 'SCALAR') {   # a scalar always matches
      my($r) = ref($t) ? $$t : $t;  # allow direct or indirect reference
      $result = $r; $fullkey = "(constant:$r)";
      $found++  if defined $result;
    } elsif (ref($t) eq 'HASH') {
      # match the canonical IP address: dot-quad IPv4, or preferred IPv6 form
      my($ip_c);  # IP address in the canonical preferred form: x:x:x:x:x:x:x:x
      my($ip_dq); # IPv4 in a dotted-quad form if IPv4-mapped, or undef
      $ip_c = join(':', map {sprintf('%04x',$_)} unpack('n8',$ip_vec));
      my($ipv4_vec,$ipv4_mask) = ip_to_vec('::FFFF:0:0/96',1);
      if ( ($ip_vec & $ipv4_mask) eq ($ipv4_vec & $ipv4_mask) ) {
        # is an IPv4-mapped IPv6 address, format it in a dot-quad form
        $ip_dq = join('.', unpack('C4',substr($ip_vec,12,4)));  # last 32 bits
      }
      do_log(5, "lookup_ip_acl keys: \"$ip_dq\", \"$ip_c\"");
      if (defined $ip_dq) {  # try dot-quad if applicable
        $fullkey = $ip_dq; $result = $t->{$fullkey};
        $found++  if defined $result;
      }
      if (!$found) {         # try the 'preferred IPv6 form'
        $fullkey = $ip_c; $result = $t->{$fullkey};
        $found++  if defined $result;
      }
    } elsif (ref($t) eq 'ARRAY') {
      for my $net (@$t) {
        $fullkey = $net; my($key) = $fullkey; $result = 1;
        if ($key =~ /^(!+)(.*)\z/s) {  # starts with exclamation mark(s)
          $key = $2;
          $result = 1 - $result  if (length($1) & 1);  # negate if odd
        }
        my($acl_ip_vec, $acl_mask) = ip_to_vec($key,1);
        $found++  if ($ip_vec & $acl_mask) eq ($acl_ip_vec & $acl_mask);
        last  if $found;
      }
    } elsif ($t->isa('Amavis::Lookup::Label')) {  # logging label
      # just a convenience for logging purposes, not a real lookup method
      $label = $t->display;  # grab the name, and proceed with the next table
    } else {
      die "TROUBLE: lookup table is an unknown object: " . ref($t);
    }
    last  if $found;
  }
  $fullkey = $result = undef  if !$found;
  if ($label ne '') { $label = " ($label)" }
  ll(4) && do_log(4, "lookup_ip_acl$label: key=\"$ip\""
         . (!$found ? ", no match" : " matches \"$fullkey\", result=$result"));
  !wantarray ? $result : ($result, $fullkey);
}

1;

#
package Amavis::Expand;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  %EXPORT_TAGS = ();
  @EXPORT = ();
  @EXPORT_OK = qw(&expand);
}
use subs @EXPORT_OK;
BEGIN {
  import Amavis::Util qw(ll do_log);
}

# Given a string reference and a hashref of predefined (builtin) macros,
# expand() performs a macro expansion and returns a ref to the resulting string
#
# This is a simple, yet fully fledged macro processor with proper lexical
# analysis, call stack, implied quoting levels, user supplied builtin macros,
# two builtin flow-control macros: selector and iterator, plus a macro #,
# which discards input tokens until NEWLINE (like 'dnl' in m4).
# Also recognized are the usual \c and \nnn forms for specifying special
# characters, where c can be any of: r, n, f, b, e, a, t.  Lexical analysis
# of the input string is preformed only once, macro result values are not
# in danger of being lexically parsed and are treated as plain characters,
# loosing any special meaning they might have. No new macros can be defined
# by processing input string (at least in this version).
#
# Simple caller-provided macros have a single character name (usually a letter)
# and can evaluate to a string (possibly empty or undef), or an array of
# strings. It can also be a subroutine reference, in which case the subroutine
# will be called whenever macro value is needed. The subroutine must return
# a scalar: a string, or an array reference. The result will be treated as if
# it were specified directly.
#
# Two forms of simple macro calls are known: %x and %#x (where x is a single
# letter macro name, i.e. a key in a user-supplied hash):
#   %x   evaluates to the hash value associated with the name x;
#        if the value is an array ref, the result is a single concatenated
#        string of values separated with comma-space pairs;
#   %#x  evaluates to a number: if the macro value is a scalar, returns 0
#        for all-whitespace value, and 1 otherwise. If a value is an array ref,
#        evaluates to the number of elements in the array.
# A simple macro is evaluated only in nonquoted context, i.e. top-level
# text or in the first argument of a selector (see below). A literal percent
# character can be produced by %% or \%.
#
# More powerful expansion is provided by two builtin macros, using syntax:
#   [? arg1 | arg2 | ... ]    a selector
#   [  arg1 | arg2 | ... ]    an iterator
# where [, [?, | and ] are required tokens. To take away the special meaning
# of these characters they can be quoted by a backslash, e.g. \[ or \\ .
# Arguments are arbitrary text, possibly multiline, whitespace counts.
# Nested macro calls are permitted, proper bracket nesting must be observed.
#
# SELECTOR lets its first argument be evaluated immediately, and implicitly
# protects the remaining arguments. The first argument chooses which of the
# remaining arguments is selected as a result value. The result is only then
# evaluated, remaining arguments are discarded without evaluation. The first
# argument is usually a number (with optional leading and trailing whitespace).
# If it is a non-numeric string, it is treated as 0 for all-whitespace, and
# as 1 otherwise. Value 0 selects the very next (second) argument, value 1
# selects the one after it, etc. If the value is greater than the number
# of available arguments, the last one (but never the first) is selected.
# If there is only one (the first) alternative available but the value is
# greater than 0, an empty string is returned.
#   Examples:
#     [? 2   | zero | one | two | three ]  -> two
#     [? foo | none | any | two | three ]  -> any
#     [? 24  | 0    | one | many ]         -> many
#     [? 2   |No recipients]               -> (empty string)
#     [? %#R |No recipients|One recipient|%#R recipients]
#     [? %q  |No quarantine|Quarantined as %q]
# Note that a selector macro call can be considered a form of if-then-else,
# except that the 'then' and 'else' parts are swapped!
#
# ITERATOR in its full form takes three arguments (and ignores any extra
# arguments after that):
#     [ %x | body-usually-containing-%x | separator ]
# All iterator's arguments are implicitly quoted, iterator performs its own
# substitutions (described below). The result of an iterator call is a body
# (the second argument) repeated as many times as there are elements in the
# array denoted by the first argument. In each instance of a body
# all occurrences of token %x in the body are replaced with each successive
# element of the array. Resulting body instances are then glued together
# with a string given as the third argument. The result is finally evaluated
# as any top-level text for possible further expansion.
#
# There are two simplified forms of iterator call:
#     [ body | separator ]
# or  [ body ]
# where missing separator is considered a null string, and the missing formal
# argument name is obtained by looking for the first token of the form %x
# in the body.
#   Examples:
#     [%V| ]     a space-separated list of virus names
#
#     [%V|\n]    a newline-separated list of virus names
#
#     [%V|
#     ]          same thing: a newline-separated list of virus names
#
#     [
#         %V]    a list of virus names, each preceeded by NL and spaces
#
#     [ %R |%s --> <%R>|, ]  a comma-space separated list of sender/recipient
#                name pairs where recipient is iterated over the list
#                of recipients. (Only the (first) token %x in the first
#                argument is significant, other characters are ignored.)
#
#     [%V|[%R|%R + %V|, ]|; ]  produce all combinations of %R + %V elements
#
# A combined example:
#     [? %#C |#|Cc: [<%C>|, ]]
#     [? %#C ||Cc: [<%C>|, ]\n]#     ... same thing
# evaluates to an empty string if there are no elements in the %C array,
# otherwise it evaluates to a line:  Cc: <addr1>, <addr2>, ...\n
# The '#' removes input characters until and including newline after it.
# It can be used for clarity to allow newlines be placed in the source text
# but not resulting in empty lines in the expanded text. In the second example
# above, a backslash at the end of the line would achieve the same result,
# although the method is different: \NEWLINE is removed during initial lexical
# analysis, while # is an internal macro which, when called, actively discards
# tokens following it, until NEWLINE (or end of input) is encountered.
# Whitespace (including newlines) around the first argument %#C of selector
# call is ignored and can be used for clarity.
#
# These all produce the same result:
#     To: [%T|%T|, ]
#     To: [%T|, ]
#     To: %T
#
# See further practical examples in the supplied notification messages;
# see also README.customize file.
#
#   Author: Mark Martinec <Mark.Martinec@ijs.si>, 2002
#
sub expand($$) {
  my($str_ref)       = shift;  # a ref to a source string to be macro expanded;
  my($builtins_href) = shift;  # a hashref, mapping builtin macro names (single
                               # char) to macro values: strings or array refs
  my($lex_lbr, $lex_lbrq, $lex_rbr, $lex_sep, $lex_h) =
    \('[', '[?', ']', '|', '#');  # lexical elements to be used as references
  my(%lexmap);  # maps string to reference in order to protect lexels
  for (keys(%$builtins_href))
    { $lexmap{"%$_"}  = \"%$_"; $lexmap{"%#$_"} = \"%#$_" }
  for ($lex_lbr, $lex_lbrq, $lex_rbr, $lex_sep, $lex_h) { $lexmap{$$_} = $_ }
  # parse lexically
  my(@tokens) = $$str_ref =~ /\G \# | \[\?? | [\]|] | % \#? . | \\ [^0-7] |
                          \\ [0-7]{1,3} | [^\[\]\\|%\n#]+ | [^\n]+? | \n /gcsx;
  # replace lexical element strings with object references,
  # unquote backslash-quoted characters and %%, and drop backslash-newlines
  my(%esc) = (r => "\r", n => "\n", f => "\f", b => "\b",
              e => "\e", a => "\a", t => "\t");
  for (@tokens) {
    if (exists $lexmap{$_}) { $_ = $lexmap{$_} }       # replace with refs
    elsif ($_ eq "\\\n")    { $_ = '' }                # drop \NEWLINE
    elsif (/^%(%)\z/)       { $_ = $1 }                #  %% -> %
    elsif (/^(%#?.)\z/s)    { $_ = \$1 }               # unknown builtins
    elsif (/^\\([0-7]{1,3})\z/) { $_ = chr(oct($1)) }  # \nnn
    elsif (/^\\(.)\z/s)     { $_ = (exists($esc{$1}) ? $esc{$1} : $1) }
  }
  my($level) = 0; my($quote_level) = 0; my(@macro_type, @arg);
  my($output_str) = ''; my($whereto) = \$output_str;
  while (@tokens) {
    my($t) = shift(@tokens);
    if ($t eq '') {                                    # ignore leftovers
    } elsif ($quote_level>0 && ref($t) && ($t == $lex_lbr || $t == $lex_lbrq)){
      $quote_level++;
      ref($whereto) eq 'ARRAY' ? push(@$whereto, $t) : ($$whereto .= $t);
    } elsif (ref($t) && $t == $lex_lbr) {   # begin iterator macro call
      $quote_level++; $level++;
      unshift(@arg, [[]]); unshift(@macro_type, ''); $whereto = $arg[0][0];
    } elsif (ref($t) && $t == $lex_lbrq) {  # begin selector macro call
      $level++; unshift(@arg, [[]]); unshift(@macro_type, '');
      $whereto = $arg[0][0]; $macro_type[0] = 'select';
    } elsif ($quote_level > 1 && ref($t) && $t == $lex_rbr) {
      $quote_level--;
      ref($whereto) eq 'ARRAY' ? push(@$whereto, $t) : ($$whereto .= $t);
    } elsif ($level > 0 && ref($t) && $t == $lex_sep) {  # next argument
      if ($quote_level == 0 && $macro_type[0] eq 'select' && @{$arg[0]} == 1) {
        $quote_level++;
      }
      if ($quote_level == 1) {
        unshift(@{$arg[0]}, []); $whereto = $arg[0][0];  # begin next arg
      } else {
        ref($whereto) eq 'ARRAY' ? push(@$whereto, $t) : ($$whereto .= $t);
      }
    } elsif ($quote_level > 0 && ref($t) && $t == $lex_rbr) {
      $quote_level--;  # quote level just dropped to 0, this is now a call
      $level--  if $level > 0;
      my(@result);
      if ($macro_type[0] eq 'select') {
        my($sel, @alternatives) = reverse @{$arg[0]};  # list of refs
        $sel = !ref($sel) ? '' : join('', @$sel);      # turn ref into string
        if    ($sel =~ /^\s*\z/)         { $sel = 0 }
        elsif ($sel =~ /^\s*(\d+)\s*\z/) { $sel = 0+$1 }  # make numeric
        else { $sel = 1 }
        # provide an empty second alternative if we only have one specified
        push(@alternatives, [])  if @alternatives < 2 && $sel > 0;
        if ($sel < 0) { $sel = 0 }
        elsif ($sel > $#alternatives) { $sel = $#alternatives }
        @result = @{$alternatives[$sel]};
      } else {                                         # iterator
        my($cvar_r, $sep_r, $body_r, $cvar);  # give meaning to arguments
        if (@{$arg[0]} >= 3) { ($cvar_r,$body_r,$sep_r) = reverse @{$arg[0]} }
        else { ($body_r, $sep_r) = reverse @{$arg[0]}; $cvar_r = $body_r }
        # find the formal argument name (iterator)
        for (@$cvar_r) {
          if (ref && $$_ =~ /^%(.)\z/s) { $cvar = $1; last }
        }
        if (exists($builtins_href->{$cvar})) {
          my($values_r) = $builtins_href->{$cvar};
          while (ref($values_r) eq 'CODE') { $values_r = &$values_r }
          $values_r = [$values_r]  if !ref($values_r);
          my($ind);
          my($re) = qr/^%\Q$cvar\E\z/;
          for my $val (@$values_r) {
            push(@result, @$sep_r)  if ++$ind > 1 && ref($sep_r);
            push(@result, map { (ref && $$_ =~ /$re/) ? $val : $_ } @$body_r);
          }
        }
      }
      shift(@macro_type);  # pop the call stack
      shift(@arg);
      $whereto = $level > 0 ? $arg[0][0] : \$output_str;
      unshift(@tokens, @result);  # active macro call, reevaluate result
    } else {  # quoted, plain string, simple macro call, or a misplaced token
      my($s) = '';
      if ($quote_level > 0 || !ref($t)) {
        $s = $t;  # quoted or string
      } elsif ($t == $lex_h) {  # discard tokens to (and including) newline
        while (@tokens) { last  if shift(@tokens) eq "\n" }
      } elsif ($$t =~ /^%\#(.)\z/s) {  # provide number of elements
        if (!exists($builtins_href->{$1})) { $s = 0 }  # no such
        else {
          $s = $builtins_href->{$1};
          while (ref($s) eq 'CODE') { $s = &$s }  # subroutine callback
               # for array: number of elements; for scalar: nonwhite=1, other 0
          $s = ref($s) ? @$s : ($s !~ /^\s*\z/);
        }
      } elsif ($$t =~ /^%(.)\z/s) {    # provide values of a builtin macro
        if (!exists($builtins_href->{$1})) { $s = ''}  # no such
        else {
          $s = $builtins_href->{$1};
          while (ref($s) eq 'CODE') { $s = &$s }  # subroutine callback
          $s = join(', ', @$s)  if ref $s;
        }
      } else { $s = $$t }  # misplaced token, e.g. a top level | or ]
      ref($whereto) eq 'ARRAY' ? push(@$whereto, $s) : ($$whereto .= $s);
    }
  }
  \$output_str;
}

1;

#
package Amavis::In::Connection;

# Keeps relevant information about how we received the message:
# client connection information, SMTP envelope and SMTP parameters

use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
}

sub new
  { my($class) = @_; bless {}, $class }
sub client_ip       # client IP address (immediate SMTP client, i.e. our MTA)
  { my($self)=shift; !@_ ? $self->{client_ip} : ($self->{client_ip}=shift) }
sub socket_ip       # IP address of our interface that received connection
  { my($self)=shift; !@_ ? $self->{socket_ip} : ($self->{socket_ip}=shift) }
sub socket_port     # TCP port of our interface that received connection
  { my($self)=shift; !@_ ? $self->{socket_port}:($self->{socket_port}=shift) }
sub proto           # TCP/UNIX
  { my($self)=shift; !@_ ? $self->{proto}     : ($self->{proto}=shift) }
sub smtp_proto      # SMTP/ESMTP(A|S|SA)/LMTP(A|S|SA) # rfc3848, or QMQP/QMQPqq
  { my($self)=shift; !@_ ? $self->{smtp_proto}: ($self->{smtp_proto}=shift) }
sub smtp_helo       # (E)SMTP HELO/EHLO parameter
  { my($self)=shift; !@_ ? $self->{smtp_helo} : ($self->{smtp_helo}=shift) }

1;

#
package Amavis::In::Message::PerRecip;

use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
}

# per-recipient data are kept in an array of n-tuples:
#   (recipient-address, destiny, done, smtp-response-text, remote-mta, ...)
sub new     # NOTE: this class is a list, not a hash
  { my($class) = @_; bless [(undef) x 11], $class }

# subs to set or access individual elements of a n-tuple by name
sub recip_addr       # recipient envelope e-mail address
  { my($self)=shift; !@_ ? $$self[0] : ($$self[0]=shift) }
sub recip_addr_modified
  { my($self)=shift; !@_ ? $$self[1] : ($$self[1]=shift) }
sub recip_destiny    # D_REJECT, D_BOUNCE, D_DISCARD, D_PASS
  { my($self)=shift; !@_ ? $$self[2] : ($$self[2]=shift) }
sub recip_done       # false: not done, true: done (1: faked, 2: truly sent)
  { my($self)=shift; !@_ ? $$self[3] : ($$self[3]=shift) }
sub recip_smtp_response # rfc2821 response (3-digit + enhanced resp + text)
  { my($self)=shift; !@_ ? $$self[4] : ($$self[4]=shift) }
sub recip_remote_mta_smtp_response  # smtp response as issued by remote MTA
  { my($self)=shift; !@_ ? $$self[5] : ($$self[5]=shift) }
sub recip_remote_mta # remote MTA that issued the smtp response
  { my($self)=shift; !@_ ? $$self[6] : ($$self[6]=shift) }
sub recip_mbxname    # mailbox file name when known ('local:' or 'bsmtp:')
  { my($self)=shift; !@_ ? $$self[7] : ($$self[7]=shift) }
sub recip_whitelisted_sender  # recip considers this sender whitelisted (> 0)
  { my($self)=shift; !@_ ? $$self[8] : ($$self[8]=shift) }
sub recip_blacklisted_sender  # recip considers this sender blacklisted
  { my($self)=shift; !@_ ? $$self[9] : ($$self[9]=shift) }
sub recip_score_boost  # recip adds penalty spam points to the final score
  { my($self)=shift; !@_ ? $$self[10] : ($$self[10]=shift) }

sub recip_final_addr {  # return recip_addr_modified if set, else recip_addr
  my($self)=shift;
  my($newaddr) = $self->recip_addr_modified;
  defined $newaddr ? $newaddr : $self->recip_addr;
}

1;

#
package Amavis::In::Message;
# the main purpose of this class is to contain information
# about the message being processed

use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
}

BEGIN {
  import Amavis::Conf qw( :platform );
  import Amavis::rfc2821_2822_Tools qw(rfc2822_timestamp);
  import Amavis::In::Message::PerRecip;
}

sub new
  { my($class) = @_; bless {}, $class }
sub rx_time         # Unix time (s since epoch) of message reception by amavisd
  { my($self)=shift; !@_ ? $self->{rx_time}    : ($self->{rx_time}=shift) }
sub client_addr     # original client IP addr, obtained from XFORWARD or milter
  { my($self)=shift; !@_ ? $self->{cli_ip} : ($self->{cli_ip}=shift) }
sub client_name     # orig. client DNS name, obtained from XFORWARD or milter
  { my($self)=shift; !@_ ? $self->{cli_name} : ($self->{cli_name}=shift) }
sub client_proto     # orig. client protocol, obtained from XFORWARD or milter
  { my($self)=shift; !@_ ? $self->{cli_proto} : ($self->{cli_proto}=shift) }
sub client_helo     # orig. client EHLO name, obtained from XFORWARD or milter
  { my($self)=shift; !@_ ? $self->{cli_helo} : ($self->{cli_helo}=shift) }
sub queue_id        # MTA queue ID of message if known (Courier, milter/AM.PDP)
  { my($self)=shift; !@_ ? $self->{queue_id}   : ($self->{queue_id}=shift) }
sub msg_size        # ESMTP SIZE value, later corrected by actual message size
  { my($self)=shift; !@_ ? $self->{msg_size}   : ($self->{msg_size}=shift) }
sub auth_user       # ESMTP AUTH username
  { my($self)=shift; !@_ ? $self->{auth_user}  : ($self->{auth_user}=shift) }
sub auth_pass       # ESMTP AUTH password
  { my($self)=shift; !@_ ? $self->{auth_pass}  : ($self->{auth_pass}=shift) }
sub auth_submitter  # ESMTP MAIL command AUTH option value
  { my($self)=shift; !@_ ? $self->{auth_subm}  : ($self->{auth_subm}=shift) }
sub body_type       # ESMTP BODY parameter value
  { my($self)=shift; !@_ ? $self->{body_type}  : ($self->{body_type}=shift) }
sub sender          # envelope sender
  { my($self)=shift; !@_ ? $self->{sender}     : ($self->{sender}=shift) }
sub sender_contact  # unmangled sender address or undef (e.g. believed faked)
  { my($self)=shift; !@_ ? $self->{sender_c}   : ($self->{sender_c}=shift) }
sub sender_source   # unmangled sender address or info from the trace
  { my($self)=shift; !@_ ? $self->{sender_src} : ($self->{sender_src}=shift) }
sub mime_entity     # MIME::Parser entity holding the message
  { my($self)=shift; !@_ ? $self->{mime_entity}: ($self->{mime_entity}=shift)}
sub parts_root      # Amavis::Unpackers::Part root object
  { my($self)=shift; !@_ ? $self->{parts_root}:  ($self->{parts_root}=shift)}
sub mail_text       # rfc2822 msg: (open) file handle, or MIME::Entity object
  { my($self)=shift; !@_ ? $self->{mail_text}  : ($self->{mail_text}=shift) }
sub mail_text_fn    # orig. mail filename or undef, e.g. mail_tempdir/email.txt
  { my($self)=shift; !@_ ? $self->{mail_text_fn} : ($self->{mail_text_fn}=shift) }
sub mail_tempdir    # work directory, either $TEMPBASE or supplied by client
  { my($self)=shift; !@_ ? $self->{mail_tempdir} : ($self->{mail_tempdir}=shift) }
sub header_edits    # Amavis::Out::EditHeader object or undef
  { my($self)=shift; !@_ ? $self->{hdr_edits}  : ($self->{hdr_edits}=shift) }
sub orig_header     # original header - an arrayref of lines, with trailing LF
  { my($self)=shift; !@_ ? $self->{orig_header}: ($self->{orig_header}=shift) }
sub orig_header_size # size of original header
  { my($self)=shift; !@_ ? $self->{orig_hdr_s} : ($self->{orig_hdr_s}=shift) }
sub orig_body_size  # size of original body
  { my($self)=shift; !@_ ? $self->{orig_bdy_s} : ($self->{orig_bdy_s}=shift) }
sub body_digest     # message digest of message body
  { my($self)=shift; !@_ ? $self->{body_digest}: ($self->{body_digest}=shift) }
sub quarantined_to  # list of quarantine mailbox names or addresses if quarantined
  { my($self)=shift; !@_ ? $self->{quarantine} : ($self->{quarantine}=shift) }
sub dsn_sent        # delivery status notification was sent(1) or faked(2)
  { my($self)=shift; !@_ ? $self->{dsn_sent}   : ($self->{dsn_sent}=shift) }
sub delivery_method # delivery method, or empty for implicit delivery (milter)
  { my($self)=shift; !@_ ? $self->{delivery_method} : ($self->{delivery_method}=shift) }
sub client_delete   # don't delete the tempdir, it is a client's reponsibility
  { my($self)=shift; !@_ ? $self->{client_delete} : ($self->{client_delete}=shift) }

# The order of entries in the list is the original order in which
# recipient addresses (e.g. obtained via 'MAIL TO:') were received.
# Only the entries that were accepted (via SMTP response code 2xx)
# are placed in the list. The ORDER MUST BE PRESERVED and no recipients
# may be added or removed from the list! This is vital in order to be able
# to produce correct per-recipient responses to a LMTP client!
# 'destiny' values match the meaning of 'final_*_destiny'

sub per_recip_data {  # get or set a listref of envelope recipient n-tuples
  my($self) = shift;
  # store a given listref of n-tuples (originals, not copies!)
  if (@_) { @{$self->{recips}} = @{$_[0]} }
  # return a listref to the original n-tuples,
  # caller may modify the data if he knows what he is doing
  $self->{recips};
}

sub recips {           # get or set a listref of envelope recipients
  my($self)=shift;
  if (@_) {  # store a copy of a given listref of recipient addresses
    # wrap scalars (strings) into n-tuples
    $self->per_recip_data([ map {
      my($per_recip_obj) = Amavis::In::Message::PerRecip->new;
      $per_recip_obj->recip_addr($_);
      $per_recip_obj->recip_destiny(D_PASS);  # default is Pass
      $per_recip_obj } @{$_[0]} ]);
  }
  return  if !defined wantarray;  # don't bother
  # return listref of recipient addresses
  [ map { $_->recip_addr } @{$self->per_recip_data} ];
}

1;

#
package Amavis::Out::EditHeader;

# Accumulates instructions on what lines need to be added to the message
# header, deleted, or how to change existing lines, then via a call
# to write_header() performs these edits on the fly.

use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  @EXPORT_OK = qw(&hdr);
}

BEGIN {
  import Amavis::Conf qw(:platform c cr ca);
  import Amavis::Timing qw(section_time);
  import Amavis::Util qw(ll do_log safe_encode q_encode);
}
use MIME::Words;

sub new { my($class) = @_; bless {}, $class }

sub prepend_header($$$;$) {
  my($self, $field_name, $field_body, $structured) = @_;
  unshift(@{$self->{prepend}}, hdr($field_name, $field_body, $structured));
}

sub append_header($$$;$) {
  my($self, $field_name, $field_body, $structured) = @_;
  push(@{$self->{append}}, hdr($field_name, $field_body, $structured));
}

sub delete_header($$) {
  my($self, $field_name) = @_;
  $self->{edit}{lc($field_name)} = undef;
}

sub edit_header($$$;$) {
  my($self, $field_name, $field_edit_sub, $structured) = @_;
  # $field_edit_sub will be called with 2 args: field name and field body;
  # it should return the replacement field body (no field name and colon),
  # with or without the trailing NL
  !defined($field_edit_sub) || ref($field_edit_sub) eq 'CODE'
    or die "edit_header: arg#3 must be undef or a subroutine ref";
  $self->{edit}{lc($field_name)} = $field_edit_sub;
}

# copy all header edits from another header-edits object into this one
sub inherit_header_edits($$) {
  my($self, $other_edits) = @_;
  if (defined $other_edits) {
    unshift(@{$self->{prepend}},
            @{$other_edits->{prepend}})  if $other_edits->{prepend};
    unshift(@{$self->{append}},
            @{$other_edits->{append}})   if $other_edits->{append};
    if ($other_edits->{edit}) {
      for (keys %{$other_edits->{edit}})
        { $self->{edit}{$_} = $other_edits->{edit}{$_} }
    }
  }
}

# Insert space after colon if not present, RFC2047-encode if field body
# contains non-ASCII characters, fold long lines if needed,
# prepend space before each NL if missing, append NL if missing;
# Header fields with only spaces are not allowed.
# (rfc2822: Each line of characters MUST be no more than 998 characters,
# and SHOULD be no more than 78 characters, excluding the CRLF.
# '$structured' indicates that folding is only allowed at positions
# indicated by \n in the provided header body.
#
sub hdr($$;$) {
  my($field_name, $field_body, $structured) = @_;
  if ($field_name =~ /^(X-.*|Subject|Comments)\z/si &&
      $field_body =~ /[^\011\012\040-\176]/ #any nonprintable except TAB and LF
  ) { # encode according to RFC 2047
    $field_body =~ s/\n([ \t])/$1/g;  # unfold
    chomp($field_body);
    my($field_body_octets) = safe_encode(c('hdr_encoding'), $field_body);
    my($qb) = c('hdr_encoding_qb');
    if (uc($qb) eq 'Q') {
      $field_body = q_encode($field_body_octets, $qb, c('hdr_encoding'));
    } else {
      $field_body = MIME::Words::encode_mimeword($field_body_octets,
                                                 $qb, c('hdr_encoding'));
    }
  } else {  # supposed to be in plain ASCII, let's make sure it is
    $field_body = safe_encode('ascii', $field_body);
  }
  $field_name = safe_encode('ascii', $field_name);
  my($str) = $field_name . ':';
  $str .= ' '  if $field_body !~ /^[ \t]/;
  $str .= $field_body;
  $str =~ s/\n([^ \t\n])/\n $1/g;  # insert a space at line folds if missing
  $str =~ s/\n([ \t]*\n)+/\n/g;    # remove empty lines
  chomp($str);                     # chop off trailing NL if present
  if ($structured) {
    my(@sublines) = split(/\n/, $str, -1);
    $str = ''; my($s) = ''; my($s_l) = 0;
    for (@sublines) {              # join shorter field sections
      if ($s !~ /^\s*\z/ && $s_l + length($_) > 78) {
        $str .= "\n"  if $str ne '';
        $str .= $s; $s = ''; $s_l = 0;
      }
      $s .= $_; $s_l += length($_);
    }
    if ($s !~ /^\s*\z/) {
      $str .= "\n"  if $str ne '';
      $str .= $s;
    }
  } elsif (length($str) > 998) {
    # truncate the damn thing (to be done better)
    $str = substr($str,0,998);
  }
  $str .= "\n";  # append final NL
  do_log(5, "header: $str");
  $str;
}

# Copy mail header to the supplied method (line by line) while adding,
# removing, or changing certain header lines as required, and append
# an empty line (end-of-header). Returns number of original 'Received:'
# header fields to make simple loop detection possible (as required
# by rfc2821 section 6.2).
#
# Assumes input file is properly positioned, leaves it positioned
# at the beginning of the body.
#
sub write_header($$$) {
  my($self, $msg, $out_fh) = @_;
  $out_fh = IO::Wrap::wraphandle($out_fh);  # assure an IO::Handle-like obj
  my($is_mime) = ref($msg) && $msg->isa('MIME::Entity');
  my(@header);
  if ($is_mime) {
    @header = map { /^[ \t]*\n?\z/ ? ()   # remove empty lines, ensure NL
                                 : (/\n\z/ ? $_ : $_ . "\n") } @{$msg->header};
  }
  my($received_cnt) = 0; my($str) = '';
  for (@{$self->{prepend}}) { $str .= $_ }
  if ($str ne '') { $out_fh->print($str) or die "sending mail header1: $!" }
  if (!defined($msg)) {
    # existing header empty
  } elsif (!exists($self->{edit}) || !scalar(%{$self->{edit}})) {
    # no edits needed, do it the fast way
    if ($is_mime) {
      # NOTE: can't use method print_header, as it assumes file glob
      for my $h (@header)
        { $out_fh->print($h) or die "sending mail header2: $!" }
    } else {  # assume file handle
      while (<$msg>) {  # copy header only, read line by line
        last  if $_ eq $eol;  # end of header
        $out_fh->print($_) or die "sending mail header3: $!";
      }
    }
  } else {  # header edits are required
    my($curr_head, $next_head);
    push(@header, $eol)  if $is_mime;  # append empty line as end-of-header
    while (defined($next_head = $is_mime ? shift @header : <$msg>)) {
      if ($next_head =~ /^[ \t]/) { $curr_head .= $next_head }  # folded
      else {                                                    # new header
        if (!defined($curr_head)) {  # no previous complete header field
        } elsif ($curr_head !~ /^([!-9;-\176]+)[ \t]*:(.*)\z/s) {
          # invalid header, but we don't care
          $out_fh->print($curr_head) or die "sending mail header4: $!";
        } else {                     # count, edit, or delete
            # obsolete rfc822 syntax allowed whitespace before colon
          my($field_name, $field_body) = ($1, $2);
          my($field_name_lc) = lc($field_name);
          $received_cnt++  if $field_name_lc eq 'received';
          if (!exists($self->{edit}{$field_name_lc})) { # unchanged
            $out_fh->print($curr_head) or die "sending mail header5: $!";
          } else {
            my($edit) = $self->{edit}{$field_name_lc};
            if (defined($edit)) {                       # edit, not delete
              chomp($field_body);
              ### $field_body =~ s/\n([ \t])/$1/g;  # unfold
              $out_fh->print(hdr($field_name, &$edit($field_name,$field_body)))
                or die "sending mail header6: $!";
            }
          }
        }
        last  if $next_head eq $eol;                    # end-of-header reached
        $curr_head = $next_head;
      }
    }
  }
  $str = '';
  for (@{$self->{append}}) { $str .= $_ }
  $str .= $eol;  # end of header - separator line
  $out_fh->print($str) or die "sending mail header7: $!";
  section_time('write-header');
  $received_cnt;
}
1;

#
package Amavis::Out::Local;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  @EXPORT_OK = qw(&mail_to_local_mailbox);
}

use Errno qw(ENOENT);
use POSIX qw(strftime);
use IO::File ();
use IO::Wrap;

BEGIN {
  import Amavis::Conf qw(:platform $gzip $bzip2 c cr ca);
  import Amavis::Lock;
  import Amavis::Util qw(ll do_log am_id exit_status_str run_command_consumer);
  import Amavis::Timing qw(section_time);
  import Amavis::rfc2821_2822_Tools;
  import Amavis::Out::EditHeader;
}

use subs @EXPORT_OK;

# Deliver to local mailboxes only, ignore the rest: either to directory
# (maildir style), or file (Unix mbox).  (normally used as a quarantine method)
#
sub mail_to_local_mailbox(@) {
  my($via, $msginfo, $initial_submission, $filter) = @_;
  $via =~ /^local:(.*)\z/si or die "Bad local method: $via";
  my($via_arg) = $1;
  my(@per_recip_data) = grep { !$_->recip_done && (!$filter || &$filter($_)) }
                             @{$msginfo->per_recip_data};
  return 1  if !@per_recip_data;
  my($msg) = $msginfo->mail_text;      # a file handle or a MIME::Entity object
  if (defined($msg) && !$msg->isa('MIME::Entity')) {
    # at this point, we have no idea what the user gave us...
    # a globref? a FileHandle?
    $msg = IO::Wrap::wraphandle($msg); # now we have an IO::Handle-like obj
  }
  my($sender) = $msginfo->sender;
  for my $r (@per_recip_data) {
    # each one receives its own copy; these are not the original recipients
    my($recip) = $r->recip_final_addr;
    next  if $recip eq '';
    my($localpart,$domain) = split_address($recip);
    my($smtp_response);

    # %local_delivery_aliases emulates aliases map - this would otherwise
    # be done by MTA's local delivery agent if we gave the message to MTA.
    # This way we keep interface compatible with other mail delivery
    # methods. The hash value may be a ref to a pair of fixed strings,
    # or a subroutine ref (which must return such pair) to allow delayed
    # (lazy) evaluation when some part of the pair is not yet known
    # at initialization time.
    # If no matching entry is found, the key ($localpart) is treated as
    # a mailbox filename if nonempty, or else quarantining is skipped.

    my($mbxname, $suggested_filename);
    { # a block is used as a 'switch' statement - 'last' will exit from it
      my($ldar) = cr('local_delivery_aliases');  # a ref to a hash
      my($alias) = $ldar->{$localpart};
      if (ref($alias) eq 'ARRAY') {
        ($mbxname, $suggested_filename) = @$alias;
      } elsif (ref($alias) eq 'CODE') {  # lazy evaluation
        ($mbxname, $suggested_filename) = &$alias;
      } elsif ($alias ne '') {
        ($mbxname, $suggested_filename) = ($alias, undef);
      } elsif (!exists $ldar->{$localpart}) {
        do_log(0, "no key '$localpart' in \%local_delivery_aliases, skip local delivery");
      }
      if ($mbxname eq '') {
        my($why) = !exists $ldar->{$localpart} ? 1 : $alias eq '' ? 2 : 3;
        do_log(2, "skip local delivery($why): <$sender> -> <$recip>");
        $smtp_response = "250 2.6.0 Ok, skip local delivery($why)";
        last;   # exit block, not the loop
      }
      my($ux);  # is it a UNIX-style mailbox?
      if (!-d $mbxname) {  # assume a filename (need not exist yet)
        $ux = 1;           # $mbxname is a UNIX-style mailbox (one file)
      } else {             # a directory
        $ux = 0;  # $mbxname is a amavis/maildir style mailbox (a directory)
        if ($suggested_filename eq '')
          { $suggested_filename = $via_arg ne '' ? $via_arg : 'msg-%i-%n' }
        $suggested_filename =~ s{%(.)}
          {  $1 eq 'b' ? $msginfo->body_digest
           : $1 eq 'i' ? strftime("%Y%m%d-%H%M%S",localtime($msginfo->rx_time))
           : $1 eq 'n' ? am_id()
           : $1 eq '%' ? '%' : '%'.$1 }egs;
        # one mail per file, will create specified file
        $mbxname = "$mbxname/$suggested_filename";
      }
      do_log(1, "local delivery: <$sender> -> <$recip>, mbx=$mbxname");
      my($mp,$pos,$pipe,$pid);
      my($errn) = stat($mbxname) ? 0 : 0+$!;
      local $SIG{CHLD} = 'DEFAULT';
      local $SIG{PIPE} = 'IGNORE';  # write to broken pipe would throw a signal
      eval {                        # try to open the mailbox file for writing
        if (!$ux) {                 # new file, traditional amavis, or maildir
          if ($errn == ENOENT) {    # good, no file, as expected
          } elsif (!$errn && -e _)
            { die "File $mbxname already exists, refuse to overwrite" }
          if ($mbxname =~ /\.gz\z/) {
            ($mp,$pid) = run_command_consumer($mbxname,undef,$gzip);
            $pipe = 1;
          } else {
            $mp = IO::File->new;
            $mp->open($mbxname,'>',0640)
              or die "Can't create file $mbxname: $!";
          }
        } else {  # append to UNIX-style mailbox
                  # deliver only to non-executable regular files
          if ($errn == ENOENT) {
            $mp = IO::File->new;
            $mp->open($mbxname,'>',0640)
              or die "Can't create file $mbxname: $!";
          } elsif (!$errn && !-f _) {
            die "Mailbox $mbxname is not a regular file, refuse to deliver";
          } elsif (-x _ || -X _) {
            die "Mailbox file $mbxname is executable, refuse to deliver";
          } else {
            $mp = IO::File->new;
            $mp->open($mbxname,'>>',0640) or die "Can't append to $mbxname: $!";
          }
          binmode($mp, ":bytes") or die "Can't cancel :utf8 mode: $!"
            if $unicode_aware;
          lock($mp);
          $mp->seek(0,2) or die "Can't position mailbox file to its tail: $!";
          $pos = $mp->tell;
        }
        if (defined($msg) && !$msg->isa('MIME::Entity'))
          { $msg->seek(0,0) or die "Can't rewind mail file: $!" }
      };
      if ($@ ne '') {
        chomp($@);
        $smtp_response = $@ eq "timed out" ? "450 4.4.2" : "451 4.5.0";
        $smtp_response .= " Local delivery(1) to $mbxname failed: $@";
        last;          # exit block, not the loop
      }
      eval {  # if things fail from here on, try to restore mailbox state
        if ($ux) {
          $mp->printf("From %s  %s$eol", quote_rfc2821_local($sender),
                      scalar(localtime($msginfo->rx_time)) )
            or die "Can't write to $mbxname: $!";
        }
        my($hdr_edits) = $msginfo->header_edits;
        if (!$hdr_edits) {
          $hdr_edits = Amavis::Out::EditHeader->new;
          $msginfo->header_edits($hdr_edits);
        }
        $hdr_edits->delete_header('Return-Path');
        $hdr_edits->prepend_header('Delivered-To',
          quote_rfc2821_local($recip));
        $hdr_edits->prepend_header('Return-Path',
          qquote_rfc2821_local($sender));
        my($received_cnt) = $hdr_edits->write_header($msg,$mp);
        if ($received_cnt > 110) {
          # loop detection required by rfc2821 section 6.2
          # Do not modify the signal text, it gets matched elsewhere!
          die "Too many hops: $received_cnt 'Received:' header lines\n";
        }
        if (!$ux) {  # do it in blocks for speed if we can
          while ($msg->read($_,16384) > 0)
            { $mp->print($_) or die "Can't write to $mbxname: $!" }
        } else {     # for UNIX-style mailbox delivery: escape 'From '
          my($blank_line) = 1;
          while (<$msg>) {
            $mp->print('>') or die "Can't write to $mbxname: $!"
              if $blank_line && /^From /;
            $mp->print($_) or die "Can't write to $mbxname: $!";
            $blank_line = $_ eq $eol;
          }
        }
        # must append an empty line for a Unix mailbox format
        $mp->print($eol) or die "Can't write to $mbxname: $!"  if $ux;
      };
      my($failed) = 0;
      if ($@ ne '') {  # trouble
        chomp($@);
        if ($ux && defined($pos) && $can_truncate) {
          # try to restore UNIX-style mailbox to previous size;
          # Produces a fatal error if truncate isn't implemented
          # on your system.
          $mp->truncate($pos) or die "Can't truncate file $mbxname: $!";
        }
        $failed = 1;
      }
      unlock($mp)  if $ux;
      if (!$pipe) {
        $mp->close or die "Can't close $mbxname: $!";
      } else {
        my($err); $mp->close or $err = $!;
        $?==0 or die ("Closing pipe to $gzip: ".exit_status_str($?,$err));
      }
      if (!$failed) {
        $smtp_response = "250 2.6.0 Ok, delivered to $mbxname";
      } elsif ($@ eq "timed out") {
        $smtp_response = "450 4.4.2 Local delivery to $mbxname timed out";
      } elsif ($@ =~ /too many hops/i) {
        $smtp_response = "550 5.4.6 Rejected delivery to mailbox $mbxname: $@";
      } else {
        $smtp_response = "451 4.5.0 Local delivery to mailbox $mbxname failed: $@";
      }
    }  # end of block, 'last' within block brings us here
    do_log(-1, $smtp_response)  if $smtp_response !~ /^2/;
    $smtp_response .= ", id=" . am_id();
    $r->recip_smtp_response($smtp_response);
    $r->recip_done(2);
    $r->recip_mbxname($mbxname)  if defined $mbxname;
  }
  section_time('save-to-local-mailbox');
}

1;

#
package Amavis::Out;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  %EXPORT_TAGS = ();
  @EXPORT = qw(&mail_dispatch);
}

use IO::File ();
use IO::Wrap;
use Net::Cmd;
use Net::SMTP 2.24;
# use Authen::SASL;
use POSIX qw(strftime
             WIFEXITED WIFSIGNALED WIFSTOPPED
             WEXITSTATUS WTERMSIG WSTOPSIG);
BEGIN {
  import Amavis::Conf qw(:platform $DEBUG $QUARANTINEDIR
                         $relayhost_is_client c cr ca);
  import Amavis::Util qw(untaint min max ll do_log debug_oneshot
                         am_id snmp_count retcode exit_status_str
                         prolong_timer run_command_consumer);
  import Amavis::Timing qw(section_time);
  import Amavis::rfc2821_2822_Tools;
  import Amavis::Out::Local qw(mail_to_local_mailbox);
  import Amavis::Out::EditHeader;
}

# modify delivery method string if $relayhost_is_client and mail came in by TCP
sub dynamic_destination($$) {
  my($method,$conn) = @_;
  my($client_ip) = !defined($conn) ? undef : $conn->client_ip;
  if ($client_ip ne '' && $method =~ /^smtp\b/i) {
    my($new_method); my($relayhost,$relayhost_port,$rest);
    (undef,$relayhost,$relayhost_port,$rest) = split(/:/,$method,4);
    if ($relayhost_is_client)  # old style
      { ($relayhost,$relayhost_port,$rest) = ('*','*','') }
    $relayhost      = "[$client_ip]"        if $relayhost eq '*';
    $relayhost_port = $conn->socket_port+1  if $relayhost_port eq '*';
    $rest = ':'.$rest  if $rest ne '';
    $new_method = sprintf("smtp:%s:%s%s", $relayhost,$relayhost_port,$rest);
    if ($new_method ne $method) {
      do_log(3, "dynamic destination override: $method -> $new_method");
      $method = $new_method;
    }
  }
  $method;
}

sub mail_dispatch($$$;$) {
  my($conn) = shift;  my($msginfo,$initial_submission,$filter) = @_;
  my($via) = $msginfo->delivery_method;
  if ($via =~ /^smtp:/i) {
    mail_via_smtp(dynamic_destination($via,$conn), @_);
  } elsif ($via =~ /^pipe:/i) {
    mail_via_pipe($via, @_);
  } elsif ($via =~ /^bsmtp:/i) {
    mail_via_bsmtp($via, @_);
  } elsif ($via =~ /^local:/i) {
    # 'local:' is used by the quarantine code to relieve it
    # of the need to know which delivery method needs to be used.
    # Deliver first what is local (whatever does not contain '@')
    mail_to_local_mailbox($via, $msginfo, $initial_submission,
                          sub { shift->recip_final_addr !~ /\@/ ? 1 : 0 });
    if (grep { !$_->recip_done } @{$msginfo->per_recip_data}) {
      my($nm) = c('notify_method');  # deliver the rest
      if ($nm =~ /^smtp:/i) { mail_via_smtp(dynamic_destination($nm,$conn),@_)}
      elsif ($nm =~ /^pipe:/i)  { mail_via_pipe($nm, @_) }
      elsif ($nm =~ /^bsmtp:/i) { mail_via_bsmtp($nm, @_) }
    }
  }
}

#sub Net::Cmd::debug_print {
#  my($cmd,$out,$text) = @_;
#  do_log(0, "*** ".$cmd->debug_text($out,$text))  if $out;
#}

# trivial OO wrapper around Net::SMTP::datasend
sub new_smtp_data { my($class, $sh) = @_; bless \$sh, $class }

sub print {
  my($self) = shift;
  $$self->datasend(\@_)  # datasend may be given an array ref
    or die "datasend timed out while sending header\n";
}

# Send mail using SMTP - do multiple transactions if necessary
# (e.g. due to '452 Too many recipients')
#
sub mail_via_smtp(@) {
  my($via, $msginfo, $initial_submission, $filter) = @_;
  my($num_recips_undone) =
    scalar(grep { !$_->recip_done && (!$filter || &$filter($_)) }
                @{$msginfo->per_recip_data});
  while ($num_recips_undone > 0) {
    mail_via_smtp_single(@_);  # send what we can in one transaction
    my($num_recips_undone_after) =
      scalar(grep { !$_->recip_done && (!$filter || &$filter($_)) }
                  @{$msginfo->per_recip_data});
    if ($num_recips_undone_after >= $num_recips_undone) {
      do_log(-2, "TROUBLE: Number of recipients ($num_recips_undone_after) "
                 . "not reduced in SMTP transaction, abandon the effort");
      last;
    }
    if ($num_recips_undone_after > 0) {
      do_log(1, sprintf("Sent to %s recipients via SMTP, %s still to go",
                        $num_recips_undone - $num_recips_undone_after,
                        $num_recips_undone_after));
    }
    $num_recips_undone = $num_recips_undone_after;
  }
  1;
}

# Send mail using SMTP - single transaction
# (e.g. forwarding original mail or sending notification)
# May throw exception (die) if temporary failure (4xx) or other problem
#
sub mail_via_smtp_single(@) {
  my($via, $msginfo, $initial_submission, $filter) = @_;
  my($which_section) = 'fwd_init';
  snmp_count('OutMsgs');
  local($1,$2,$3);  # avoid Perl taint bug, still in 5.8.3
  $via =~ /^smtp: (?: \[ ([^\]]*) \] | ([^:]*) ) : ([^:]*) /six
    or die "Bad fwd method syntax: $via";
  my($relayhost, $relayhost_port) = ($1.$2, $3);
  my(@per_recip_data) = grep { !$_->recip_done && (!$filter || &$filter($_)) }
                             @{$msginfo->per_recip_data};
  my($logmsg) = sprintf("%s via SMTP: [%s]:%s <%s>",
                        ($initial_submission ? 'SEND' : 'FWD'),
                        $relayhost, $relayhost_port, $msginfo->sender);
  if (!@per_recip_data) { do_log(5, "$logmsg, nothing to do"); return 1 }
  do_log(1, $logmsg . " -> " .
            qquote_rfc2821_local(map {$_->recip_final_addr} @per_recip_data));
  my($msg) = $msginfo->mail_text;  # a file handle or a MIME::Entity object
  my($smtp_handle, $smtp_response); my($smtp_code, $smtp_msg, $received_cnt);
  my($any_valid_recips) = 0; my($any_tempfail_recips) = 0;
  my($any_valid_recips_and_data_sent) = 0; my($in_datasend_mode) = 0;
  if (defined($msg) && !$msg->isa('MIME::Entity')) {
    # at this point, we have no idea what the user gave us...
    # a globref? a FileHandle?
    $msg = IO::Wrap::wraphandle($msg);  # now we have an IO::Handle-like obj
    $msg->seek(0,0) or die "Can't rewind mail file: $!";
  }
  # NOTE: Net::SMTP uses alarm to do its own timing.
  #       We need to restart our timer when Net::SMTP is done using it !!!
  my($remaining_time) = alarm(0);  # check how much time is left, stop timer
  eval {
    $which_section = 'fwd-connect';
    # Timeout should be more than MTA normally takes to check DNS and RBL,
    # which may take a minute or more in case of unreachable DNS.
    # Specifying shorter timeout will cause alarm to terminate the wait
    # for SMTP status line prematurely, resulting in status code 000.
    # rfc2821 (section 4.5.3.2) requires timeout to be at least 5 minutes
    my($localaddr) = c('local_client_bind_address');  # IP assigned to socket
    my($heloname)  = c('localhost_name');      # host name used in HELO/EHLO
    $smtp_handle = Net::SMTP->new($relayhost, Port => $relayhost_port,
      ($localaddr eq '' ? () : (LocalAddr => $localaddr)),
      ($heloname  eq '' ? () : (Hello     => $heloname)),
      ExactAddresses => 1,
      Timeout => max(60, min(5 * 60, $remaining_time)),  # for each operation
#     Timeout => 0,  # no timeouts, disable nonblocking mode on socket
    # Debug => debug_oneshot(),
    );
    defined($smtp_handle)
      or die "Can't connect to $relayhost port $relayhost_port, $!";
    ll(5) && do_log(5,"Remote host presents itself as: ".$smtp_handle->domain);

    section_time($which_section);
    prolong_timer($which_section, $remaining_time);  # restart timer
    $remaining_time = undef;

    $which_section = 'fwd-xforward';
    if ($msginfo->client_addr ne '' && $smtp_handle->supports('XFORWARD')) {
      my($cmd) = join(' ', 'XFORWARD', map
        { my($n,$v) = @$_;
          # may encode value as xtext/rfc3461 in future attributes:
          # char between "!" (33) and "~" (126) inclusive, except "+" and "="
          # $v =~ s/[^\041-\052\054-\074\076-\176]/sprintf("+%02X",ord($&))/eg;
          # Wietse says not to xtext-encode these four attrs, just neuter them
          $v =~ s/[^\041-\176]/?/g;
          $v =~ s/[<>()\\";@]/?/g;  # other chars that are special in headers
                   # postfix/smtpd/smtpd.c NEUTER_CHARACTERS (but ':' for IPv6)
          $v = substr($v,0,255)  if length($v) > 255;  # see XFORWARD_README
          $v eq '' ? () : ("$n=$v") }
        ( ['ADDR', $msginfo->client_addr], ['NAME',$msginfo->client_name],
          ['PROTO',$msginfo->client_proto],['HELO',$msginfo->client_helo] ));
      do_log(5, "sending $cmd");
      $smtp_handle->command($cmd);
      $smtp_handle->response()==2 or die "sending $cmd\n";
      section_time($which_section); prolong_timer($which_section);
    }

    $which_section = 'fwd-auth';
    my($auth_user) = $msginfo->auth_user;
    my($mechanisms) = $smtp_handle->supports('AUTH');
    if (!c('auth_required_out')) {
      do_log(3,"AUTH not needed, user='$auth_user', MTA offers '$mechanisms'");
    } elsif ($mechanisms eq '') {
      do_log(3,"INFO: MTA does not offer AUTH capability, user='$auth_user'");
    } elsif (!defined $auth_user) {
      do_log(0,"INFO: AUTH needed for submission but AUTH data not available");
    } else {
      do_log(3,"INFO: authenticating $auth_user, server supports AUTH $mechanisms");
      my($sasl) = Authen::SASL->new(
        'callback' => { 'user' => $auth_user, 'authname' => $auth_user,
                        'pass' => $msginfo->auth_pass });
      $smtp_handle->auth($sasl) or die "sending AUTH, user=$auth_user\n";
      section_time($which_section); prolong_timer($which_section);
    }

    $which_section = 'fwd-mail-from';
    # how to pass the $msginfo->auth_submitter ???!!!
    $smtp_handle->mail(qquote_rfc2821_local($msginfo->sender))
      or die "sending MAIL FROM\n";
    section_time($which_section); prolong_timer($which_section);

    $which_section = 'fwd-rcpt-to';
    my($skipping_resp);
    for my $r (@per_recip_data) {                    # send recipient addresses
      if (defined $skipping_resp) {
        $r->recip_smtp_response($skipping_resp); $r->recip_done(2);
        next;
      }
      # send a RCPT TO command and get the response
      $smtp_handle->recipient(qquote_rfc2821_local($r->recip_final_addr));
      $smtp_code = $smtp_handle->code;
      $smtp_msg  = $smtp_handle->message;
      chomp($smtp_msg);
      my($rcpt_smtp_resp) = "$smtp_code $smtp_msg";
      if ($smtp_code =~ /^2/) {
        $any_valid_recips++;
      } else {  # not ok
        do_log(3, "response to RCPT TO: \"$rcpt_smtp_resp\"");
        if ($rcpt_smtp_resp =~ /^0/) {
          # timeout, what to do, could cause duplicates
          do_log(-1, "response to RCPT TO not yet available");
          $rcpt_smtp_resp = "450 4.4.2 ($rcpt_smtp_resp - probably timed out)";
        }
        $r->recip_remote_mta($relayhost);
        $r->recip_remote_mta_smtp_response($rcpt_smtp_resp);
        if ($rcpt_smtp_resp =~ /^ (\d{3}) \s+ ([245] \. \d{1,3} \. \d{1,3})?
                                \s* (.*) \z/xs)
        {
          my($resp_code, $resp_enhcode, $resp_msg) = ($1, $2, $3);
          if ($resp_enhcode eq '' && $resp_code =~ /^([245])/) {
            my($c1) = $1;
            $resp_enhcode = $resp_code eq '452' ?
                              "$c1.5.3" : "$c1.1.0";   # insert enhanced code
            $rcpt_smtp_resp = "$resp_code  $resp_enhcode $smtp_msg";
          }
        }
        if ($rcpt_smtp_resp =~ /^452/) {  # too many recipients - see rfc2821
          do_log(-1, sprintf('Only %d recips sent in one go: "%s"',
                             $any_valid_recips, $rcpt_smtp_resp));
          $skipping_resp = $rcpt_smtp_resp;
        } elsif ($rcpt_smtp_resp =~ /^4/) {
          $any_tempfail_recips++;
          $smtp_response = $rcpt_smtp_resp  if !defined($smtp_response);
        }
        $r->recip_smtp_response($rcpt_smtp_resp); $r->recip_done(2);
        $smtp_response = $rcpt_smtp_resp
          if $rcpt_smtp_resp =~ /^5/ && $smtp_response !~ /^5/; # keep first 5x
      }
    }
    section_time($which_section); prolong_timer($which_section);
    $smtp_code = $smtp_msg = undef;

    # TODO: get the value of $dsn_per_recip_capable argument of check_mail(),
    # or the actual protocol from In::Connection
    my($dsn_per_recip_capable) = 0;

    if (!$any_valid_recips) {
      do_log(-1,"mail_via_smtp: DATA skipped, no valid recips, $any_tempfail_recips");
    } elsif ($any_tempfail_recips && !$dsn_per_recip_capable) {
      # we must not proceede if mail did not came in as LMTP,
      # or we would generate mail duplicates on each delivery attempt
      do_log(-1,"mail_via_smtp: DATA skipped, tempfailed recips: $any_tempfail_recips");
    } else {  # send the message contents (enter DATA phase)
      $which_section = 'fwd-data';
      $smtp_handle->data or die "sending DATA command\n";
      $in_datasend_mode = 1;

      my($smtp_resp) = $smtp_handle->code . " " . $smtp_handle->message;
      chomp($smtp_resp);
      do_log(5, "response to DATA: \"$smtp_resp\"");

      my($smtp_data_fh) = Amavis::Out->new_smtp_data($smtp_handle);
      my($hdr_edits) = $msginfo->header_edits;
      $hdr_edits = Amavis::Out::EditHeader->new  if !$hdr_edits;
      $received_cnt = $hdr_edits->write_header($msg, $smtp_data_fh);
      if ($received_cnt > 100) {
        # loop detection required by rfc2821 6.2
        # Do not modify the signal text, it gets matched elsewhere!
        die "Too many hops: $received_cnt 'Received:' header lines\n";
      }
      if (!defined($msg)) {
        # empty mail body
      } elsif ($msg->isa('MIME::Entity')) {
        $msg->print_body($smtp_data_fh);
      } else {
        # Using fixed-size reads instead of line-by-line approach
        # makes feeding mail back to MTA (e.g. Postfix) more than
        # twice as fast for larger mail.

        # to reduce the likelyhood of a qmail bare-LF bug (bare LF reported
        # when CR and LF are separated by a TCP packet boundary) one may use
        # this 'while' line, reading line by line, instead of the normal one:
###     while (defined($_=$msg->getline)) {

        while ($msg->read($_, 16384) > 0) {
          $smtp_handle->datasend($_)
            or die "datasend timed out while sending body\n";
        }

      }
      section_time($which_section); prolong_timer($which_section);

      $which_section = 'fwd-data-end';
      # don't check status of dataend here, it may not yet be available
      $smtp_handle->dataend;
      $in_datasend_mode = 0; $any_valid_recips_and_data_sent = 1;
      section_time($which_section); prolong_timer($which_section);

      $which_section = 'fwd-rundown-1';
      # figure out the final SMTP response
      $smtp_code = $smtp_handle->code;
      my(@msgs) = $smtp_handle->message;
      # only the 'command()' resets messages list, so now we have both:
      # 'End data with <CR><LF>.<CR><LF>' and 'Ok: queued as...' in @msgs
      # and only the last SMTP response code in $smtp_handle->code
      my($smtp_msg) = $msgs[$#msgs];  chomp($smtp_msg);  # take the last one
      $smtp_response = "$smtp_code $smtp_msg";
      do_log(5, "response to data end: \"$smtp_response\"");
      for my $r (@per_recip_data) {
        next  if $r->recip_done;  # skip those that failed at RCPT TO
        $r->recip_remote_mta($relayhost);
        $r->recip_remote_mta_smtp_response($smtp_response);
      }
      if ($smtp_code =~ /^[245]/) {
        my($smtp_status) = substr($smtp_code, 0, 1);
        $smtp_response = sprintf("%s %d.6.0 %s, id=%s, from MTA: %s",
               $smtp_code, $smtp_status, ($smtp_status == 2 ? 'Ok' : 'Failed'),
               am_id(), $smtp_response);
      }
    }
  };
  my($err) = $@;
  my($saved_section_name) = $which_section;
  if ($err ne '') { chomp($err); $err = ' ' if $err eq '' } # careful chomp
  prolong_timer($which_section, $remaining_time);           # restart the timer
  $which_section = 'fwd-rundown';
  if ($err ne '') {  # fetch info about failure
    do_log(3, "mail_via_smtp: session failed: $err");
    if (!defined($smtp_handle)) { $smtp_code = ''; $smtp_msg = '' }
    else {
      $smtp_code = $smtp_handle->code; $smtp_msg = $smtp_handle->message;
      chomp($smtp_msg);
    }
  }
  # terminate the SMTP session if still alive
  if (!defined $smtp_handle) {
    # nothing
  } elsif ($in_datasend_mode) {
    # We are aborting SMTP session.  DATA send mode must NOT be normally
    # terminated with a dataend (dot), otherwise recipient will receive
    # a chopped-off mail (and possibly be receiving it over and over again
    # during each MTA retry.
    do_log(-1, "mail_via_smtp: NOTICE: aborting SMTP session, $err");
    $smtp_handle->close; # abruptly terminate the SMTP session, ignoring status
  } else {
    $smtp_handle->timeout(15);  # don't wait too long for response to a QUIT
    $smtp_handle->quit;         # send a QUIT regardless of success so far
    if ($err eq '' && $smtp_handle->status != CMD_OK) {
      do_log(-1,"WARN: sending SMTP QUIT command failed: "
                . $smtp_handle->code . " " . $smtp_handle->message);
    }
  }
  # prepare final smtp response and log abnormal events
  if ($err eq '') {             # no errors
    if ($any_valid_recips_and_data_sent && $smtp_response !~ /^[245]/) {
      $smtp_response =
        sprintf("451 4.6.0 Bad SMTP code, id=%s, from MTA: \"%s\"",
                am_id(), $smtp_response);
    }
  } elsif ($err eq "timed out" || $err =~ /: Timeout\z/) {
    my($msg) = ($in_datasend_mode && $smtp_code =~ /^354/) ?
               '' : ", $smtp_code $smtp_msg";
    $smtp_response = sprintf("450 4.4.2 Timed out during %s%s, id=%s",
                             $saved_section_name, $msg, am_id());
  } elsif ($err =~ /^Can't connect/) {
    $smtp_response = sprintf("450 4.4.1 %s, id=%s", $err, am_id());
  } elsif ($err =~ /^Too many hops/) {
    $smtp_response = sprintf("550 5.4.6 Rejected: %s, id=%s", $err, am_id());
  } elsif ($smtp_code =~ /^5/) {  # 5xx
    $smtp_response = sprintf("%s 5.5.0 Rejected by MTA: %s %s, id=%s",
                             ($smtp_code !~ /^5\d\d\z/ ? "550" : $smtp_code),
                             $smtp_code, $smtp_msg, am_id());
  } elsif ($smtp_code =~ /^0/) {  # 000
    $smtp_response = sprintf("450 4.4.2 No response during %s (%s): id=%s",
                             $saved_section_name, $err, am_id());
  } else {
    $smtp_response = sprintf("%s 4.5.0 from MTA during %s (%s): %s %s, id=%s",
                             ($smtp_code !~ /^4\d\d\z/ ? "451" : $smtp_code),
                             $saved_section_name, $err, $smtp_code, $smtp_msg,
                             am_id());
  }

  do_log( ($smtp_response =~ /^2/ ? 3 : -1),
          "mail_via_smtp: $smtp_response" )  if $smtp_response ne '';
  if (defined $smtp_response) {
    for my $r (@per_recip_data) {
      if (!$r->recip_done) {  # mark it as done
        $r->recip_smtp_response($smtp_response); $r->recip_done(2);
      } elsif ($any_valid_recips_and_data_sent
               && $r->recip_smtp_response =~ /^452/) {
        # 'undo' the RCPT TO '452 Too many recipients' situation,
        # needs to be handled in more than one transaction
        $r->recip_smtp_response(undef); $r->recip_done(undef);
      }
    }
  }
  if (   $smtp_response =~ /^2/) { snmp_count('OutMsgsDelivers') }
  elsif ($smtp_response =~ /^4/) { snmp_count('OutAttemptFails') }
  elsif ($smtp_response =~ /^5/) { snmp_count('OutMsgsRejects')  }
  section_time($which_section);
  1;
}

# Send mail using external mail submission program 'sendmail' (also available
# with Postfix and Exim) - used for forwarding original mail or sending notif.
# May throw exception (die) if temporary failure (4xx) or other problem
#
sub mail_via_pipe(@) {
  my($via, $msginfo, $initial_submission, $filter) = @_;
  snmp_count('OutMsgs');
  $via =~ /^pipe:(.*)\z/si or die "Bad fwd method syntax: $via";
  my($pipe_args) = $1;
  $pipe_args =~ s/^flags=\S*\s*//i;  # flags are currently ignored, q implied
  $pipe_args =~ s/^argv=//i;
  my(@per_recip_data) = grep { !$_->recip_done && (!$filter || &$filter($_)) }
                             @{$msginfo->per_recip_data};
  my($logmsg) = sprintf("%s via PIPE: <%s>",
                     ($initial_submission ? 'SEND' : 'FWD'), $msginfo->sender);
  if (!@per_recip_data) {
    do_log(5, "$logmsg, nothing to do");
    return 1;
  }
  do_log(1, $logmsg . " -> " .
            qquote_rfc2821_local(map {$_->recip_final_addr} @per_recip_data));
  my($msg) = $msginfo->mail_text;  # a file handle or a MIME::Entity object
  if (defined($msg) && !$msg->isa('MIME::Entity')) {
    # at this point, we have no idea what the user gave us...
    # a globref? a FileHandle?
    $msg = IO::Wrap::wraphandle($msg);  # now we have an IO::Handle-like obj
    $msg->seek(0,0) or die "Can't rewind mail file: $!";
  }
  my(@pipe_args) = split(' ', $pipe_args);  my(@command) = shift @pipe_args;
  for (@pipe_args) {
    # The sendmail command line expects addresses quoted as per RFC 822.
    #   "funny user"@some.domain
    # For compatibility with Sendmail, the Postfix sendmail command line
    # also accepts address formats that are legal in RFC 822 mail headers:
    #   Funny Dude <"funny user"@some.domain>
    # Although addresses passed as args to sendmail initial submission
    # should not be <...> bracketed, for some reason original sendmail
    # issues a warning on null reverse-path, but gladly accepty <>.
    # As this is not strictly wrong, we comply to make it happy.
    if (/^\$\{sender\}\z/i) {
      push(@command,
           map { $_ eq '' ? '<>' : untaint(quote_rfc2821_local($_)) }
               $msginfo->sender);
    } elsif (/^\$\{recipient\}\z/i) {
      push(@command,
           map { $_ eq '' ? '<>' : untaint(quote_rfc2821_local($_)) }
           map { $_->recip_final_addr } @per_recip_data);
    } else {
      push(@command, $_);
    }
  }
  do_log(5, "mail_via_pipe running command: " . join(' ', @command));
  local $SIG{CHLD} = 'DEFAULT';
  local $SIG{PIPE} = 'IGNORE';     # write to broken pipe would throw a signal
  my($mp,$pid) = run_command_consumer(undef,undef,@command);
  binmode($mp) or die "Can't set pipe to binmode: $!";  # dflt since Perl 5.8.1
  my($hdr_edits) = $msginfo->header_edits;
  $hdr_edits = Amavis::Out::EditHeader->new  if !$hdr_edits;
  my($received_cnt) = $hdr_edits->write_header($msg, $mp);
  if ($received_cnt > 100) {  # loop detection required by rfc2821 6.2
                              # deal with it later, for now just skip the body
  } elsif (!defined($msg)) {
    # empty mail body
  } elsif ($msg->isa('MIME::Entity')) {
    $msg->print_body($mp);
  } else {
    while ($msg->read($_, 16384) > 0)
      { $mp->print($_) or die "Submitting mail text failed: $!" }
  }
  my($smtp_response);
  if ($received_cnt > 100) { # loop detection required by rfc2821 6.2
    do_log(-2, "Too many hops: $received_cnt 'Received:' header lines");
    kill(15, $pid);          # kill the process running mail submission program
    $mp->close;              # and ignore status
    $smtp_response = "550 5.4.6 Rejected: " .
                     "Too many hops: $received_cnt 'Received:' header lines";
  } else {
    my($err); $mp->close or $err=$!; my($child_stat) = $?;
    my($error_str) = exit_status_str($child_stat,$err);
    my($status) = WEXITSTATUS($child_stat);
    # sendmail program (Postfix variant) can return the following exit codes:
    # EX_OK(0), EX_DATAERR, EX_SOFTWARE, EX_TEMPFAIL, EX_NOUSER, EX_UNAVAILABLE
    if ($status == EX_OK) {
      $smtp_response = "250 2.6.0 Ok";  # submitted to MTA
      snmp_count('OutMsgsDelivers');
    } elsif ($status == EX_TEMPFAIL) {
      $smtp_response = "450 4.5.0 Temporary failure submitting message";
      snmp_count('OutAttemptFails');
    } elsif ($status == EX_NOUSER) {
      $smtp_response = "550 5.1.1 Recipient unknown";
      snmp_count('OutMsgsRejects');
    } elsif ($status == EX_UNAVAILABLE) {
      $smtp_response = "550 5.5.0 Mail submission service unavailable";
      snmp_count('OutMsgsRejects');
    } else {
      $smtp_response = "451 4.5.0 Failed to submit a message: $error_str";
      snmp_count('OutAttemptFails');
    }
  }
  $smtp_response .= ", id=" . am_id();
  for my $r (@per_recip_data) {
    next  if $r->recip_done;
    $r->recip_smtp_response($smtp_response); $r->recip_done(2);
  }
  section_time('fwd-pipe');
  1;
}

sub mail_via_bsmtp(@) {
  my($via, $msginfo, $initial_submission, $filter) = @_;
  snmp_count('OutMsgs'); local($1);
  $via =~ /^bsmtp:(.*)\z/si or die "Bad fwd method: $via";
  my($bsmtp_file_final) = $1; my($mbxname);
  $bsmtp_file_final =~ s{%(.)}
    {  $1 eq 'b' ? $msginfo->body_digest
     : $1 eq 'i' ? strftime("%Y%m%d-%H%M%S",localtime($msginfo->rx_time))
     : $1 eq 'n' ? am_id()
     : $1 eq '%' ? '%' : '%'.$1 }egs;
  $bsmtp_file_final = $QUARANTINEDIR."/".$bsmtp_file_final
    if $bsmtp_file_final !~ m{^/};  # prepend directory if not specified
  my($bsmtp_file_tmp) = $bsmtp_file_final . ".tmp";
  my(@per_recip_data) = grep { !$_->recip_done && (!$filter || &$filter($_)) }
                             @{$msginfo->per_recip_data};
  my($logmsg) = sprintf("%s via BSMTP: %s",
                        ($initial_submission ? 'SEND' : 'FWD'),
                        qquote_rfc2821_local($msginfo->sender));
  if (!@per_recip_data) { do_log(5, "$logmsg, nothing to do"); return 1 }
  do_log(1, $logmsg . " -> " .
            qquote_rfc2821_local(map {$_->recip_final_addr} @per_recip_data) .
            ", file " . $bsmtp_file_final);
  my($msg) = $msginfo->mail_text;  # a scalar reference, or a file handle
  if (defined($msg) && !$msg->isa('MIME::Entity')) {
    # at this point, we have no idea what the user gave us...
    # a globref? a FileHandle?
    $msg = IO::Wrap::wraphandle($msg);  # now we have an IO::Handle-like obj
    $msg->seek(0,0) or die "Can't rewind mail file: $!";
  }
  my($mp) = IO::File->new;
  eval {
    $mp->open($bsmtp_file_tmp,'>',0640)
      or die "Can't create BSMTP file $bsmtp_file_tmp: $!";
    binmode($mp, ":bytes") or die "Can't set :bytes, $!"  if $unicode_aware;
    $mp->print("EHLO ", c('localhost_name'), $eol)
      or die "print failed (EHLO): $!";
    $mp->printf("MAIL FROM:%s BODY=8BITMIME%s",  # avoid conversion to 7bit
                qquote_rfc2821_local($msginfo->sender), $eol)
      or die "print failed (MAIL FROM): $!";
    for my $r (@per_recip_data) {
      $mp->print("RCPT TO:", qquote_rfc2821_local($r->recip_final_addr), $eol)
        or die "print failed (RCPT TO): $!";
    }
    $mp->print("DATA", $eol) or die "print failed (DATA): $!";
    my($hdr_edits) = $msginfo->header_edits;
    $hdr_edits = Amavis::Out::EditHeader->new  if !$hdr_edits;
    my($received_cnt) = $hdr_edits->write_header($msg,$mp);
    if ($received_cnt > 100) {  # loop detection required by rfc2821 6.2
      die "Too many hops: $received_cnt 'Received:' header lines";
    } elsif (!defined($msg))            {  # empty mail body
    } elsif ($msg->isa('MIME::Entity')) {
      $msg->print_body($mp);
    } else {
      while (<$msg>) {
        $mp->print(/^\./ ? (".",$_) : $_)  or die "print failed-data: $!";
      }
    }
    $mp->print(".", $eol) or die "print failed (final dot): $!";
  # $mp->print("QUIT",$eol) or die "print failed (QUIT): $!";
    $mp->close or die "Can't close BSMTP file $bsmtp_file_tmp: $!";
    $mp = undef;
    rename($bsmtp_file_tmp, $bsmtp_file_final)
      or die "Can't rename BSMTP file to $bsmtp_file_final: $!";
    $mbxname = $bsmtp_file_final;
  };
  my($err) = $@; my($smtp_response);
  if ($err eq '') {
    $smtp_response = "250 2.6.0 Ok, queued as BSMTP $bsmtp_file_final";
    snmp_count('OutMsgsDelivers');
  } else {
    chomp($err);
    unlink($bsmtp_file_tmp)
      or do_log(-2,"Can't delete half-finished BSMTP file $bsmtp_file_tmp: $!");
    $mp->close  if defined $mp;  # ignore status
    if ($err =~ /too many hops/i) {
      $smtp_response = "550 5.4.6 Rejected: $err";
      snmp_count('OutMsgsRejects');
    } else {
      $smtp_response = "451 4.5.0 Writing $bsmtp_file_tmp failed: $err";
      snmp_count('OutAttemptFails');
    }
  }
  $smtp_response .= ", id=" . am_id();
  for my $r (@per_recip_data) {
    next  if $r->recip_done;
    $r->recip_smtp_response($smtp_response);
    $r->recip_done(2);
    $r->recip_mbxname($mbxname)  if defined $mbxname;
  }
  section_time('fwd-bsmtp');
  1;
}

1;

#
package Amavis::UnmangleSender;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  %EXPORT_TAGS = ();
  @EXPORT = ();
  @EXPORT_OK = qw(&best_try_originator_ip &best_try_originator
                  &first_received_from);
}
use subs @EXPORT_OK;

BEGIN {
  import Amavis::Conf qw(:platform @viruses_that_fake_sender_maps);
  import Amavis::Util qw(ll do_log);
  import Amavis::rfc2821_2822_Tools qw(
                   split_address parse_received fish_out_ip_from_received);
  import Amavis::Lookup qw(lookup lookup_ip_acl);
}
use Mail::Address;

# Returns the envelope sender address, or reconstructs it if there is
# a good reason to believe the envelope address has been changed or forged,
# as is common for some varieties of viruses. Returns best guess of the
# sender address, or undef if it can not be determined.
#
sub unmangle_sender($$$) {
  my $sender         = shift;  # rfc2821 envelope sender address
  my $from           = shift;  # rfc2822 'From:' header, may include comment
  my $virusname_list = shift;  # list ref containing names of detected viruses
  # based on ideas from Furio Ercolessi, Mike Atkinson, Mark Martinec

  my($best_try_originator) = $sender;
  my($localpart,$domain) = split_address($sender);
  # extract the RFC2822 'from' address, ignoring phrase and comment
  chomp($from);
  {
    local($1,$2,$3,$4);  # avoid Perl 5.8.0 & 5.8.2 bug, $1 gets tainted !
    $from = (Mail::Address->parse($from))[0];
  }
  $from = $from->address  if $from ne '';
  # NOTE: rfc2822 allows multiple addresses in the From field!

  if (grep { /magistr/i } @$virusname_list) {
    for my $j (0..2) {     #  assemble possible `shifted' candidates
      next  if $j >= length($localpart);
      my($try) = $sender;
      substr($try, $j, 1) = chr(ord(substr($try, $j, 1)) - 1);
      if (lc($from) eq lc($try)) { $best_try_originator = $try; last }
    }
  }
  #
  #   Virus names are AV-checker vendor specific, but many use same
  #   or similar virus names. This requires attention and adjustments
  #   from Amavis administrators.
  #
  if (grep { /badtrans/i } @$virusname_list) {
    if ($from =~ /^     # these are fake built-in addresses
                   (joanna\@mail\.utexas\.edu | powerpuff\@videotron\.ca |
                     (mary\@c-com | support\@cyberramp | admin\@gte |
                      administrator\@border) \.net |
                     (monika\@telia | jessica\@aol | spiderroll\@hotmail |
                      lgonzal\@hotmail | andy\@hweb-media | Gravity49\@aol |
                      tina0828\@yahoo | JUJUB271\@AOL | aizzo\@home) \.com
                   ) \z/xi )
    { # discard recipient's address used as a fake 'MAIL FROM:'
      $best_try_originator = undef;
    } else {
      $best_try_originator = $1 if $from=~/^_(.+)\z/s && lc($sender) ne lc($1);
    }
  }
  for my $vn (@$virusname_list) {
    my($result,$matching_key) = lookup(0,$vn,@viruses_that_fake_sender_maps);
    if ($result) {
      do_log(2, "Virus $vn matches $matching_key, sender addr ignored");
      $best_try_originator = undef;
      last;
    }
  }
  $best_try_originator;
}

# Given a dotted-quad IPv4 address try reverse DNS resolve, and then
# forward DNS resolve. If they match, return domain name,
# otherwise return the IP address in brackets. (resolves IPv4 only)
#
sub ip_addr_to_name($) {
  my($addr) = @_;     # dotted-quad address string
  local($1,$2,$3,$4); my($result);
  if ($addr !~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/) {
    $result = $addr;  # not an IPv4 address
  } else {
    my($binaddr) = pack('C4', $1,$2,$3,$4);   # to binary string
    do_log(5, "ip_addr_to_name: DNS reverse-resolving: $addr");
    my(@addr) = gethostbyaddr($binaddr,2);           # IP -> name
    $result = '['.$addr.']';  # IP address in brackets if nothing matches
    if (@addr) {
      my($name,$aliases,$addrtype,$length,@addrs) = @addr;
      if ($name =~ /[^.]\.[a-zA-Z]+\z/s) {
        do_log(5, "ip_addr_to_name: DNS forward-resolving: $name");
        my(@raddr) = gethostbyname($name);           # name -> IP
        my($rname,$raliases,$raddrtype,$rlength,@raddrs) = @raddr;
        for my $ra (@raddrs) {
          if (lc($ra) eq lc($binaddr)) { $result = $name; last }
        }
      }
    }
  }
  do_log(3, "ip_addr_to_name: returning: $result");
  $result;
}

# Obtain and parse the first entry (chronologically) in the 'Received:' header
# path trace - to be used as the value of the macro %t in customized messages
#
sub first_received_from($) {
  my($entity) = shift;
  my($first_received);
  if (defined($entity)) {
    my($fields) = parse_received($entity->head->get('received', -1));
    if (exists $fields->{'from'}) {
      my($item, $v1, $v2, $v3, $comment) = @{$fields->{'from'}};
      $first_received = join(' ', $item, $comment);
      $first_received =~ s/^[ \t\n\r]+//s;   # discard leading whitespace
      $first_received =~ s/[ \t\n\r]+\z//s;  # discard trailing whitespace
    }
    do_log(5, "first_received_from: $first_received");
  }
  $first_received;
}

# Try to extract sender's public IP address from the Received trace
#
sub best_try_originator_ip($) {
  my($entity) = @_;
  my($first_received_from_ip);
  if (defined($entity)) {
    my(@publicnetworks) = qw(
      !0.0.0.0/8 !127.0.0.0/8 !172.16.0.0/12 !192.168.0.0/16 !10.0.0.0/8
      !169.254.0.0/16 !192.0.2.0/24 !192.88.99.0/24 !224.0.0.0/4
      ::FFFF:0:0/96
      !:: !::1 !FF00::/8 !FE80::/10 !FEC0::/10
      ::/0 );  # rfc3330, rfc3513
    my(@received) = reverse $entity->head->get('received');
    $#received = 5  if $#received > 5;  # first six, chronologically
    for my $r (@received) {
      $first_received_from_ip = fish_out_ip_from_received($r);
      last if $first_received_from_ip ne '' &&
              eval { lookup_ip_acl($first_received_from_ip,\@publicnetworks) };
    }
    do_log(5, "best_try_originator_ip: $first_received_from_ip");
  }
  $first_received_from_ip;
}

# For the purpose of informing administrators try to obtain true sender
# address or at least its site, as most viruses and spam have a nasty habit
# of faking envelope sender address. Return a pair of addresses:
# - the first (if defined) appears valid and may be used for sender
#   notifications;
# - the second should only be used in generating customizable notification
#   messages (macro %o), NOT to be used as address for sending notifications,
#   as it can contain invalid address (but can be more informative).
#
sub best_try_originator($$$) {
  my($sender, $entity, $virusname_list) = @_;
  return ($sender,$sender)  if !defined($entity);  # don't bother if no header
  my($originator) =
    unmangle_sender($sender, $entity->head->get('from',0), $virusname_list);
  return ($originator, $originator)  if defined $originator;
  my($first_received_from_ip) = best_try_originator_ip($entity);
  $originator = '?@' . ip_addr_to_name($first_received_from_ip)
    if $first_received_from_ip ne '';
  (undef, $originator);
}

1;

#
package Amavis::Unpackers::NewFilename;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  @EXPORT_OK = qw(&consumed_bytes);
}

BEGIN {
  import Amavis::Conf qw(c cr ca
                         $MIN_EXPANSION_QUOTA $MIN_EXPANSION_FACTOR
                         $MAX_EXPANSION_QUOTA $MAX_EXPANSION_FACTOR);
  import Amavis::Util qw(ll do_log min max);
}

use vars qw($avail_quota);  # available bytes quota for unpacked mail
use vars qw($rem_quota);    # remaining bytes quota for unpacked mail

sub new($;$$) {  # create a file name generator object
  my($class, $maxfiles,$mail_size) = @_;
  # calculate and initialize quota
  $avail_quota = $rem_quota =  # quota in bytes
    max($MIN_EXPANSION_QUOTA, $mail_size * $MIN_EXPANSION_FACTOR,
        min($MAX_EXPANSION_QUOTA, $mail_size * $MAX_EXPANSION_FACTOR));
  do_log(4,"Original mail size: $mail_size; quota set to: $avail_quota bytes");
  # create object
  bless {
    num_of_issued_names => 0,  first_issued_ind => 1,  last_issued_ind => 0,
    maxfiles => $maxfiles,  # undef disables limit
    objlist => [],
  }, $class;
}

sub parts_list_reset($) {              # clear a list of recently issued names
  my($self) = shift;
  $self->{num_of_issued_names} = 0;
  $self->{first_issued_ind} = $self->{last_issued_ind} + 1;
  $self->{objlist} = [];
}

sub parts_list($) {  # returns a ref to a list of recently issued names
  my($self) = shift;
  $self->{objlist};
}

sub parts_list_add($$) {  # add a parts object to the list of parts
  my($self, $part) = @_;
  push(@{$self->{objlist}}, $part);
}

sub generate_new_num($) {  # make-up a new number for a file and return it
  my($self) = @_;
  if (defined($self->{maxfiles}) &&
      $self->{num_of_issued_names} >= $self->{maxfiles}) {
    # do not change the text in die without adjusting decompose_part()
    die "Maximum number of files ($self->{maxfiles}) exceeded";
  }
  $self->{num_of_issued_names}++; $self->{last_issued_ind}++;
  $self->{last_issued_ind};
}

sub consumed_bytes($$;$$) {
  my($bytes, $bywhom, $tentatively, $exquota) = @_;
  my($perc) = !$avail_quota ? '' : sprintf(", (%.0f%%)",
                  100 * ($avail_quota - ($rem_quota - $bytes)) / $avail_quota);
  do_log(4,"Charging $bytes bytes to remaining quota $rem_quota"
           . " (out of $avail_quota$perc) - by $bywhom");
  if ($bytes > $rem_quota && $rem_quota >= 0) {
    # Do not modify the following signal text, it gets matched elsewhere!
    my($msg) = "Exceeded storage quota $avail_quota bytes by $bywhom; ".
               "last chunk $bytes bytes";
    do_log(-1, $msg);
    die "$msg\n"  if !$exquota;
  }
  $rem_quota -= $bytes  unless $tentatively;
  $rem_quota;  # return remaining quota
}

1;

#
package Amavis::Unpackers::Part;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
}

BEGIN {
  import Amavis::Util qw(ll do_log);
}

use vars qw($file_generator_object);
sub init($) { $file_generator_object = shift }

sub new($;$$) {  # create a part descriptor object
  my($class, $dir_name,$parent) = @_;
  my($self) = bless {}, $class;
  if (!defined($dir_name) && !defined($parent)) {
    # just make an empty object, presumably used as a new root
  } else {
    $self->number($file_generator_object->generate_new_num);
    $self->dir_name($dir_name)  if defined $dir_name;
    if (defined $parent) {
      $self->parent($parent);
      my($ch_ref) = $parent->children;
      push(@$ch_ref,$self); $parent->children($ch_ref);
    }
    $file_generator_object->parts_list_add($self);  # save it
    ll(4) && do_log(4, "Issued a new " .
               (defined $dir_name ? "file name" : "pseudo part") . ": " .
               $self->base_name);
  }
  $self;
}

sub number
  { my($self)=shift; !@_ ? $self->{number}   : ($self->{number}=shift) };
sub dir_name
  { my($self)=shift; !@_ ? $self->{dir_name} : ($self->{dir_name}=shift) };
sub parent
  { my($self)=shift; !@_ ? $self->{parent}   : ($self->{parent}=shift) };
sub children
  { my($self)=shift; !@_ ? $self->{children}||[] : ($self->{children}=shift) };
sub mime_placement    # part location within a MIME tree, e.g. "1/1/3"
  { my($self)=shift; !@_ ? $self->{place}    : ($self->{place}=shift) };
sub type_short     # string or a ref to a list of strings
  { my($self)=shift; !@_ ? $self->{ty_short} : ($self->{ty_short}=shift) };
sub type_long
  { my($self)=shift; !@_ ? $self->{ty_long}  : ($self->{ty_long}=shift) };
sub type_declared
  { my($self)=shift; !@_ ? $self->{ty_decl}  : ($self->{ty_decl}=shift) };
sub name_declared  # string or a ref to a list of strings
  { my($self)=shift; !@_ ? $self->{nm_decl}  : ($self->{nm_decl}=shift) };
sub size
  { my($self)=shift; !@_ ? $self->{size}     : ($self->{size}=shift) };
sub exists
  { my($self)=shift; !@_ ? $self->{exists}   : ($self->{exists}=shift) };
sub attributes        # listref of characters representing attributes
  { my($self)=shift; !@_ ? $self->{attr}     : ($self->{attr}=shift) };
sub attributes_add {  # U=undecodable, C=crypted, D=directory,S=special,L=link
  my($self)=shift; my($a) = $self->{attr} || [];
  for my $arg (@_) { push(@$a,$arg)  if $arg ne '' && !grep {$_ eq $arg} @$a }
  $self->{attr} = $a;
};

sub base_name { my($self)=shift; sprintf("p%03d",$self->number) }

sub full_name {
  my($self)=shift; my($d) = $self->dir_name;
  !defined($d) ? undef : $d.'/'.$self->base_name;
}

# returns a ref to a list of part ancestors, starting with the root object,
# and including the part object itself
sub path {
  my($self)=shift;
  my(@path);
  for (my($p)=$self; defined($p); $p=$p->parent) { unshift(@path,$p) }
  \@path;
};

1;

#
package Amavis::Unpackers::OurFiler;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter MIME::Parser::Filer);  # subclass of MIME::Parser::Filer
  %EXPORT_TAGS = ();
  @EXPORT = ();
  @EXPORT_OK = ();
}
# This package will be used by mime_decode().
#
# We don't want no heavy MIME::Parser machinery for file name extension
# guessing, decoding charsets in filenames (and listening to complaints
# about it), checking for evil filenames, checking for filename contention, ...
# (which can not be turned off completely by ignore_filename(1) !!!)
# Just enforce our file name! And while at it, collect generated filenames.
#
sub new($$$) {
  my($class, $dir, $parent_obj) = @_;
  $dir =~ s{/+\z}{};  # chop off trailing slashes from directory name
  bless {parent => $parent_obj, directory => $dir}, $class;
}

# provide a generated file name
sub output_path($@) {
  my($self, $head) = @_;
  my($newpart_obj) =
    Amavis::Unpackers::Part->new($self->{directory}, $self->{parent});
  get_amavisd_part($head, $newpart_obj);  # store object into head
  $newpart_obj->full_name;
}

sub get_amavisd_part($;$) {
  my($head) = shift;
  !@_ ? $head->{amavisd_parts_obj} : ($head->{amavisd_parts_obj} = shift);
}

1;

#
package Amavis::Unpackers::Validity;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  %EXPORT_TAGS = ();
  @EXPORT = ();
  @EXPORT_OK = qw(&check_header_validity &check_for_banned_names);
}

BEGIN {
  import Amavis::Util qw(ll do_log sanitize_str);
  import Amavis::Conf qw(:platform c cr ca);
  import Amavis::Lookup qw(lookup);
}

use subs @EXPORT_OK;

sub check_header_validity($$) {
  my($conn, $msginfo) = @_;
  my(@bad);
  my($curr_head);
  for my $next_head (@{$msginfo->orig_header}, "\n") {
    if ($next_head =~ /^[ \t]/) { $curr_head .= $next_head }  # folded
    else {                                                    # new header
      if (!defined($curr_head)) {  # no previous complete header
      } else {
        # obsolete rfc822 syntax allowed whitespace before colon
        my($field_name, $field_body) =
          $curr_head =~ /^([!-9;-\176]+)[ \t]*:(.*)\z/s
            ? ($1, $2) : (undef, $curr_head);
        my($msg1,$msg2);
        if (!defined($field_name) && $curr_head=~/^()()(.*)\z/s) {
          $msg1 = "Invalid header field head";
        } elsif ($curr_head =~ /^(.*?)([\000\015])(.*)\z/s) {
          $msg1 = "Improper use of control character";
        } elsif ($curr_head =~ /^(.*?)([\200-\377])(.*)\z/s) {
          $msg1 = "Non-encoded 8-bit data";
        } elsif ($curr_head =~ /^(.*?)([^\000-\377])(.*)\z/s) {
          $msg1 = "Non-encoded Unicode character";
        } elsif ($curr_head =~ /^()()([ \t]+)$/m) {
          $msg1 ="Improper folded header field made up entirely of whitespace";
        }
        if (defined $msg1) {
          my($pre, $ch, $post) = ($1, $2, $3);
          if (length($post) > 20) { $post = substr($post,0,15) . "..." }
          if (length($pre)-length($field_name)-2 > 50-length($post)) {
            $pre = "$field_name: ..."
                   . substr($pre, length($pre) - (45-length($post)));
          }
          $msg1 .= sprintf(" (char %02X hex)", ord($ch))  if length($ch)==1;
          $msg1 .= " in message header '$field_name'"     if $field_name ne '';
          $msg2 = sanitize_str($pre); my($msg2_pre_l) = length($msg2);
          $msg2 .= sanitize_str($ch . $post);
        # push(@bad, "$msg1\n  $msg2\n  " . (' ' x $msg2_pre_l) . '^');
          push(@bad, "$msg1: $msg2");
        }
      }
      last  if $next_head eq $eol;  # end-of-header reached
      $curr_head = $next_head;
    }
  }
  @bad;
}

sub check_for_banned_names($) {
  my($parts_root) = @_;
  do_log(3, "Checking for banned types and filenames");
  my(@banned_part_descr,@banned_matching_keys,@banned_rhs); my($part);
  my($bfnmr) = ca('banned_filename_maps');  # a ref to a list
  for (my(@unvisited)=($parts_root);
       @unvisited and $part=shift(@unvisited);
       push(@unvisited,@{$part->children}))
  { # traverse decomposed parts tree breadth-first
    my(@path) = @{$part->path};
    next  if @path <= 1;
#   ll(5) && do_log(5, "part path: ".join(", ", map {$_->base_name} @path));
    shift(@path);  # ignore place-holder root node
    next  if @{$part->children};  # ignore non-leaf nodes
    my(@descr); my($found,$key_val,$key_what,$result,$matchingkey);
    for my $p (@path) {
      my(@k,$n);
      $n = $p->base_name;
      if ($n ne '') { $n=~s/[\t\n]/ /g; push(@k,"P=$n") }
      $n = $p->mime_placement;
      if ($n ne '') { $n=~s/[\t\n]/ /g; push(@k,"L=$n") }
      $n = $p->type_declared;
      $n = [$n]  if !ref($n);
      for (@$n) {if ($_ ne '') {my($m)=$_; $m=~s/[\t\n]/ /g; push(@k,"M=$m")} }
      $n = $p->type_short;
      $n = [$n]  if !ref($n);
      for (@$n) {if ($_ ne '') {my($m)=$_; $m=~s/[\t\n]/ /g; push(@k,"T=$m")} }
      $n = $p->name_declared;
      $n = [$n]  if !ref($n);
      for (@$n) {if ($_ ne '') {my($m)=$_; $m=~s/[\t\n]/ /g; push(@k,"N=$m")} }
      $n = $p->attributes;
      $n = [$n]  if !ref($n);
      for (@$n) {if ($_ ne '') {my($m)=$_; $m=~s/[\t\n]/ /g; push(@k,"A=$m")} }
      push(@descr, join("\t",@k));
      if (!$found && @$bfnmr) {  # still searching?  (old style)
        for my $k (@k) {
          $k =~ /^([a-zA-Z0-9])=(.*)\z/s;
          ($key_what,$key_val) = ($1,$2);
          next  unless $key_what =~ /^[TMNA]\z/;
          if ($key_what eq 'T') {
            $key_val = '.' . $key_val;  # prepend a dot for compatibility
          } elsif ($key_what eq 'A') {
            if ($key_val eq 'U') { $key_val = 'UNDECIPHERABLE' } else { next }
          }
          do_log(4, sprintf("check_for_banned (%s) %s=%s",
                            $p->base_name, $key_what, $key_val));
          ($result,$matchingkey) = lookup(0,$key_val,@$bfnmr);
          $found++  if defined $result;
          last  if $found;
        }
      }
    }
    my($key_val_str) = join(' | ',@descr);  $key_val_str =~ s/\t/,/g;
    if (!$found) {  # try new style
      ($result,$matchingkey) =
        lookup(0,join("\n",@descr),
               Amavis::Lookup::Label->new('banned_namepath_re'),
               cr('banned_namepath_re'));
      $found++  if defined $result;
    }
    my($ll) = $result ? 1 : 3;
    if (ll($ll)) {  # only bother with logging when needed
      my(%esc) = (r => "\r", n => "\n", f => "\f", b => "\b",
                  e => "\e", a => "\a", t => "\t");
      my($mk) = $matchingkey;  # pretty-print
      $mk =~ s{ \\(.) }{ exists($esc{$1}) ? $esc{$1} : '\\'.$1 }egsx;
      do_log($ll, sprintf('p.path%s: "%s"%s',
                          !$result?'':" BANNED:$result", $key_val_str,
                          !defined $result ? '' : ", matching_key=\"$mk\""));
    }
    if ($result) {
      push(@banned_part_descr, $key_val_str);
      push(@banned_matching_keys, $matchingkey);
      push(@banned_rhs, $result);
    }
  }
  # return listrefs of parts descriptors, matching keys and lookup results
  (\@banned_part_descr, \@banned_matching_keys, \@banned_rhs);
}

1;

#
package Amavis::Unpackers::MIME;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  %EXPORT_TAGS = ();
  @EXPORT = ();
  @EXPORT_OK = qw(&mime_decode);
}
use Errno qw(ENOENT);
use MIME::Parser;
use MIME::Words;

BEGIN {
  import Amavis::Conf qw(:platform c cr ca);
  import Amavis::Timing qw(section_time);
  import Amavis::Util qw(snmp_count ll do_log);
  import Amavis::Unpackers::NewFilename qw(consumed_bytes);
}

use subs @EXPORT_OK;

# save MIME preamble and epilogue (if nontrivial) as extra (pseudo)parts
sub mime_decode_pre_epi($$$$$) {
  my($pe_name, $pe_lines, $tempdir, $parent_obj, $placement) = @_;
  if (defined $pe_lines && @$pe_lines) {
    do_log(5, "mime_decode_$pe_name: " . scalar(@$pe_lines) . " lines");
    if (@$pe_lines > 5 || "@$pe_lines" !~ m{^[a-zA-Z0-9/\@:;,. \t\n_-]*\z}s) {
      my($newpart_obj) = Amavis::Unpackers::Part->new("$tempdir/parts",
                                                      $parent_obj);
      $newpart_obj->mime_placement($placement);
      $newpart_obj->name_declared($pe_name);
      my($newpart) = $newpart_obj->full_name;
      my($outpart) = IO::File->new;
      $outpart->open($newpart,'>')
        or die "Can't create $pe_name file $newpart: $!";
      binmode($outpart, ":bytes") or die "Can't cancel :utf8 mode: $!"
        if $unicode_aware;
      my($len);
      for (@$pe_lines) {
        $outpart->print($_) or die "Can't write $pe_name to $newpart: $!";
        $len += length($_);
      }
      $outpart->close or die "Can't close $pe_name $newpart: $!";
      $newpart_obj->size($len);
      consumed_bytes($len, "mime_decode_$pe_name", 0, 1);
    }
  }
}

# traverse MIME::Entity object depth-first,
# extracting preambles and epilogues as extra (pseudo)parts, and
# filling-in additional information into Amavis::Unpackers::Part objects
sub mime_traverse($$$$$) {
  my($entity, $tempdir, $parent_obj, $depth, $placement) = @_;
  mime_decode_pre_epi('preamble', $entity->preamble,
                      $tempdir, $parent_obj, $placement);
  my($mt, $et) = ($entity->mime_type, $entity->effective_type);
  my($part); my($head) = $entity->head; my($body) = $entity->bodyhandle;
  if (!defined($body)) {  # a MIME container only contains parts, no bodypart
    # create pseudo-part objects for MIME containers (e.g. multipart/* )
    $part = Amavis::Unpackers::Part->new(undef,$parent_obj);
#   $part->type_short('no-file');
    do_log(2, $part->base_name." $placement Content-Type: $mt");
  } else {  # does have a body part (i.e. not a MIME container)
    my($fn) = $body->path; my($size);
    if (!defined($fn)) { $size = length($body->as_string) }
    else {
      my($msg); my($errn) = lstat($fn) ? 0 : 0+$!;
      if ($errn == ENOENT) { $msg = "does not exist" }
      elsif ($errn) { $msg = "is inaccessible: $!" }
      elsif (!-r _) { $msg = "is not readable" }
      elsif (!-f _) { $msg = "is not a regular file" }
      else {
        $size = -s _;
        do_log(4,"mime_traverse: file $fn is empty")  if !$size;
      }
      do_log(-1,"WARN: mime_traverse: file $fn $msg")  if defined $msg;
    }
    consumed_bytes($size, 'mime_decode', 0, 1);
    # retrieve Amavis::Unpackers::Part object (if any), stashed into head obj
    $part = Amavis::Unpackers::OurFiler::get_amavisd_part($head);
    if (defined $part) {
      $part->size($size);
      if ($size==0) { $part->type_short('empty'); $part->type_long('empty') }
      do_log(2, $part->base_name." $placement Content-Type: $mt" .
                ", size: $size B, name: ".$entity->head->recommended_filename);
      my($old_parent_obj) = $part->parent;
      if ($parent_obj ne $old_parent_obj) {  # reparent if necessary
        ll(5) && do_log(5,sprintf("reparenting %s from %s to %s",
                          $part->base_name,
                          $old_parent_obj->base_name, $parent_obj->base_name));
        my($ch_ref) = $old_parent_obj->children;
        $old_parent_obj->children([grep {$_ ne $part} @$ch_ref]);
        $ch_ref = $parent_obj->children;
        push(@$ch_ref,$part); $parent_obj->children($ch_ref);
        $part->parent($parent_obj);
      }
    }
  }
  if (defined $part) {
    $part->mime_placement($placement);
    $part->type_declared($mt eq $et ? $mt : [$mt, $et]);
    my(@rn);  # recommended file names, both raw and RFC 2047 decoded
    my($val, $val_decoded);
    $val = $head->mime_attr('content-disposition.filename');
    if ($val ne '') {
      push(@rn, $val);
      $val_decoded = MIME::Words::decode_mimewords($val);
      push(@rn, $val_decoded)  if $val_decoded ne $val;
    }
    $val = $head->mime_attr('content-type.name');
    if ($val ne '') {
      $val_decoded = MIME::Words::decode_mimewords($val);
      push(@rn, $val_decoded)  if !grep { $_ eq $val_decoded } @rn;
      push(@rn, $val)          if !grep { $_ eq $val         } @rn;
    }
    $part->name_declared(@rn==1 ? $rn[0] : \@rn)  if @rn;
  }
  mime_decode_pre_epi('epilogue', $entity->epilogue,
                      $tempdir, $parent_obj, $placement);
  my($item_num) = 0;
  for my $e ($entity->parts) {  # recursive descent
    $item_num++;
    mime_traverse($e,$tempdir,$part,$depth+1,"$placement/$item_num");
  }
}

# Break up mime parts, return MIME::Entity object
sub mime_decode($$$) {
  my($fileh, $tempdir, $parent_obj) = @_;
  # $fileh may be an open file handle, or a file name

  my($parser) = MIME::Parser->new;
  $parser->filer(Amavis::Unpackers::OurFiler->new("$tempdir/parts",
                                                  $parent_obj));
  $parser->ignore_errors(1);  # also is the default
# $parser->extract_nested_messages(0);
  $parser->extract_nested_messages("NEST");  # parse embedded message/rfc822
  $parser->extract_uuencode(1);
  my($entity);
  snmp_count('OpsDecByMimeParser');
  if (ref($fileh)) {                         # assume open file handle
    do_log(4, "Extracting mime components");
    $fileh->seek(0,0) or die "Can't rewind mail file: $!";
    local($1,$2,$3,$4);       # avoid Perl 5.8.0 & 5.8.2 bug, $1 gets tainted !
    $entity = $parser->parse($fileh);
  } else {                    # assume $fileh is a file name
    do_log(4, "Extracting mime components from $fileh");
    local($1,$2,$3,$4);       # avoid Perl 5.8.0 & 5.8.2 bug, $1 gets tainted !
    $entity = $parser->parse_open("$tempdir/parts/$fileh");
  }
# my($mime_err) = $parser->last_error;  # deprecated
  my($mime_err) = $parser->results->errors;
  $mime_err=~s/\s+\z//; $mime_err=~s/[ \t\r]*\n+/; /g; $mime_err=~s/\s+/ /g;
  $mime_err = substr($mime_err,0,250) . '...'  if length($mime_err) > 250;
  do_log(1, "WARN: MIME::Parser $mime_err")  if $mime_err ne '';
  mime_traverse($entity, $tempdir, $parent_obj, 0, '1');
  section_time('mime_decode');
  ($entity, $mime_err);
}

1;

#
package Amavis::Notify;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  %EXPORT_TAGS = ();
  @EXPORT = ();
  @EXPORT_OK = qw(&delivery_status_notification &delivery_short_report
                  &string_to_mime_entity &defanged_mime_entity);
}

BEGIN {
  import Amavis::Util qw(ll do_log am_id safe_encode q_encode);
  import Amavis::Timing qw(section_time);
  import Amavis::Conf qw(:platform $myhostname c cr ca);
  import Amavis::Lookup qw(lookup);
  import Amavis::Expand qw(expand);
  import Amavis::rfc2821_2822_Tools;
}
# use Encode;  # Perl 5.8  UTF-8 support
use MIME::Entity;

use subs @EXPORT_OK;

# Convert mail (that was obtained by macro-expanding notification templates)
# into proper MIME::Entity object. Some ad-hoc solutions are used
# for compatibility with previous version.
#
sub string_to_mime_entity($) {
  my($mail_as_string_ref) = @_;
  local($1,$2,$3); my($entity); my($m_hdr,$m_body);
  ($m_hdr, $m_body) = ($1, $3)
    if $$mail_as_string_ref =~ /^(.*?\r?\n)(\r?\n|\z)(.*)\z/s;
  $m_body = safe_encode(c('bdy_encoding'), $m_body);
  # make sure _our_ source line number is reported in case of failure
  my($nxmh) = c('notify_xmailer_header');
  eval {$entity = MIME::Entity->build(
    Type => 'text/plain', Encoding => '-SUGGEST', Charset=> c('bdy_encoding'),
    (defined $nxmh && $nxmh eq '' ? ()  # leave the MIME::Entity default
     : ('X-Mailer' => $nxmh) ),         # X-Mailer hdr or undef
    Data => $m_body); 1}  or do {chomp($@); die $@};
  my($head) = $entity->head;
  # insert header fields from template into MIME::Head entity
  $m_hdr =~ s/\r?\n([ \t])/$1/g;  # unfold template header
  for my $hdr_line (split(/\r?\n/, $m_hdr)) {
    if ($hdr_line =~ /^([^:]*):\s*(.*)\z/s) {
      my($fhead, $fbody) = ($1, $2);
      # encode according to RFC 2047 if necessary
      if ($fhead =~ /^(X-.*|Subject|Comments)\z/si &&
          $fbody =~ /[^\011\012\040-\176]/)  # nonprint. except TAB and LF?
      {                                      # encode according to RFC 2047
        # TODO: shouldn't we unfold first?!
        my($fbody_octets) = $fbody;          # non- UTF-8 -aware
        if ($unicode_aware && Encode::is_utf8($fbody)) {
          $fbody_octets = safe_encode(c('hdr_encoding'), $fbody);
          do_log(5, "string_to_mime_entity UTF-8 body:  $fbody");
          do_log(5, "string_to_mime_entity body octets: $fbody_octets");
        }
        my($qb) = c('hdr_encoding_qb');
        if (uc($qb) eq 'Q') {
          $fbody = q_encode($fbody_octets, $qb, c('hdr_encoding'));
        } else {
          $fbody = MIME::Words::encode_mimeword($fbody_octets,
                                           $qb, c('hdr_encoding'));
        }
      } else {  # supposed to be in plain ASCII, let's make sure it is
        $fbody = safe_encode('ascii', $fbody);
      }
      $fhead = safe_encode('ascii', $fhead);
      do_log(5, sprintf("string_to_mime_entity %s: %s", $fhead, $fbody));
      # make sure _our_ source line number is reported in case of failure
      if (!eval { $head->replace($fhead, $fbody); 1 }) {
        chomp($@);
        die sprintf("%s header field '%s: %s'",
                    ($@ eq '' ? "invalid" : "$@, "), $fhead, $fbody);
      }
    }
  }
  $entity;  # return the built MIME::Entity
}

# Generate delivery status notification according to
# rfc1892 (now rfc3462) and rfc1894 (now rfc3464).
# Return dsn message object if dsn is needed, or undef otherwise.
#
sub delivery_status_notification($$$$$) {
  my($conn,$msginfo,$report_success_dsn_also,$builtins_ref,$template_ref) = @_;
  my($dsn_time) = time;  # time of dsn creation - now
  my($notification);
  if ($msginfo->sender eq '') {  # must not respond to null reverse path
    do_log(4, "Not sending DSN to empty return path");
  } else {
    my($from_mta, $client_ip) = ($conn->smtp_helo, $conn->client_ip);
    my($msg) = '';              # constructed dsn text according to rfc3464
    $msg .= "Reporting-MTA: dns; $myhostname\n";
    $msg .= "Received-From-MTA: smtp; $from_mta ([$client_ip])\n"
      if $from_mta ne '';
    $msg .= "Arrival-Date: " . rfc2822_timestamp($msginfo->rx_time) . "\n";

    my($any);                   # any recipients with failed delivery?
    for my $r (@{$msginfo->per_recip_data}) {
      my($remote_mta) = $r->recip_remote_mta;
      my($smtp_resp)  = $r->recip_smtp_response;
      if (!$r->recip_done) {
        if ($msginfo->delivery_method eq '') {  # e.g. milter
          # as far as we are concerned all is ok, delivery will be performed
          # by a helper program or MTA
          $smtp_resp = "250 2.5.0 Ok, continue delivery";
        } else {
          do_log(-2,"TROUBLE: recipient not done: <"
                    . $r->recip_addr . "> " . $smtp_resp);
        }
      }
      my($smtp_resp_code, $smtp_resp_enhcode, $smtp_resp_msg);
      if ($smtp_resp =~ /^ (\d{3}) \s+ ([245] \. \d{1,3} \. \d{1,3})?
                           \s* (.*) \z/xs) {
        ($smtp_resp_code, $smtp_resp_enhcode, $smtp_resp_msg) = ($1,$2,$3);
      } else {
        $smtp_resp_msg = $smtp_resp;
      }
      my($smtp_resp_class) = $smtp_resp_code =~ /^(\d)/ ? $1 : '0';
      if ($smtp_resp_enhcode eq '' && $smtp_resp_class =~ /^([245])\z/) {
        $smtp_resp_enhcode = "$1.0.0";
      }
      # skip success notifications
      next unless $smtp_resp_class ne '2' || $report_success_dsn_also;
      $any++;
      $msg .= "\n";  # empty line between groups of per-recipient fields
      if ($remote_mta ne '' && $r->recip_final_addr ne $r->recip_addr) {
        $msg .= "X-NextToLast-Final-Recipient: rfc822; "
                . quote_rfc2821_local($r->recip_addr) . "\n";
        $msg .= "Final-Recipient: rfc822; "
                . quote_rfc2821_local($r->recip_final_addr) . "\n";
      } else {
        $msg .= "Final-Recipient: rfc822; "
                . quote_rfc2821_local($r->recip_addr) . "\n";
      }
      $msg .= "Action: ".($smtp_resp_class eq '2' ? 'delivered':'failed')."\n";
      $msg .= "Status: $smtp_resp_enhcode\n";
      my($rem_smtp_resp) = $r->recip_remote_mta_smtp_response;
      if ($remote_mta eq '' || $rem_smtp_resp eq '') {
        $msg .= "Diagnostic-Code: smtp; $smtp_resp\n";
      } else {
        $msg .= "Remote-MTA: dns; $remote_mta\n";
        $msg .= "Diagnostic-Code: smtp; $rem_smtp_resp\n";
      }
      $msg .= "Last-Attempt-Date: " . rfc2822_timestamp($dsn_time) . "\n";
    }
    return $notification  if !$any;  # don't bother, we won't be sending DSN

    my($to_hdr) = qquote_rfc2821_local($msginfo->sender_contact);

    # use the provided template text
    my(%mybuiltins) = %$builtins_ref;  # make a local copy
    $mybuiltins{'f'} = c('hdrfrom_notify_sender');
    $mybuiltins{'T'} = $to_hdr;
    $mybuiltins{'d'} = rfc2822_timestamp($dsn_time);
    my($dsn) = expand($template_ref, \%mybuiltins);

    my($dsn_entity) = string_to_mime_entity($dsn);
    $dsn_entity->make_multipart;
    my($head) = $dsn_entity->head;

    # rfc3464: The From field of the message header of the DSN SHOULD contain
    # the address of a human who is responsible for maintaining the mail system
    # at the Reporting MTA site (e.g. Postmaster), so that a reply to the
    # DSN will reach that person.
    eval { $head->replace('From', c('hdrfrom_notify_sender')); 1 }
      or do { chomp($@); die $@ };
    eval { $head->replace('To', $to_hdr); 1 } or do { chomp($@); die $@ };
    eval { $head->replace('Date', rfc2822_timestamp($dsn_time)); 1 }
      or do { chomp($@); die $@ };

    my($field) = Mail::Field->new('Content_type');  # underline, not hyphen!
    $field->type("multipart/report; report-type=delivery-status");
    $field->boundary(MIME::Entity::make_boundary());
    $head->replace('Content-type', $field->stringify);
    $head = undef;

    # make sure _our_ source line number is reported in case of failure
    eval {$dsn_entity->attach(
            Type => 'message/delivery-status', Encoding => '7bit',
            Description => 'Delivery error report',
            Data => $msg); 1} or do {chomp($@); die $@};
    eval {$dsn_entity->attach(
            Type => 'text/rfc822-headers', Encoding => '-SUGGEST',
            Description => 'Undelivered-message headers',
            Data => $msginfo->orig_header); 1} or do {chomp($@); die $@};
    $notification = Amavis::In::Message->new;
    $notification->rx_time($dsn_time);
    $notification->delivery_method(c('notify_method'));
    $notification->sender(c('mailfrom_notify_sender'));  # should be empty!
    $notification->auth_submitter('<>');
    $notification->auth_user(c('amavis_auth_user'));
    $notification->auth_pass(c('amavis_auth_pass'));
    $notification->recips([$msginfo->sender_contact]);
    $notification->mail_text($dsn_entity);
  }
  $notification;
}

# Return a pair of arrayrefs of quoted recipient addresses (the first lists
# recipients with successful delivery status, the second all the rest),
# plus a list of short per-recipient delivery reports for failed deliveries,
# that can be used in the first MIME part (the free text format) of delivery
# status notifications.
#
sub delivery_short_report($) {
  my($msginfo) = @_;
  my(@succ_recips, @failed_recips, @failed_recips_full);
  for my $r (@{$msginfo->per_recip_data}) {
    my($remote_mta)  = $r->recip_remote_mta;
    my($smtp_resp)   = $r->recip_smtp_response;
    my($qrecip_addr) = scalar(qquote_rfc2821_local($r->recip_addr));
    if ($r->recip_destiny == D_PASS && ($smtp_resp=~/^2/ || !$r->recip_done)) {
      push(@succ_recips,   $qrecip_addr);
    } else {
      push(@failed_recips, $qrecip_addr);
      push(@failed_recips_full,
           sprintf("%s:%s\n   %s", $qrecip_addr,
                   ($remote_mta eq ''?'':" $remote_mta said:"), $smtp_resp));
    }
  }
  (\@succ_recips, \@failed_recips, \@failed_recips_full);
}

# Build a new MIME::Entity object based on the original mail, but hopefully
# safer to mail readers: conventional mail header fields are retained,
# original mail becomes an attachment of type 'message/rfc822'.
# Text in $first_part becomes the first MIME part of type 'text/plain'.
#
sub defanged_mime_entity($$$) {
  my($conn,$msginfo,$first_part) = @_;
  my($new_entity);
  my($resent_time) = $msginfo->rx_time;
  $first_part = safe_encode(c('bdy_encoding'), $first_part);
  # make sure _our_ source line number is reported in case of failure
  my($nxmh) = c('notify_xmailer_header');
  eval {$new_entity = MIME::Entity->build(
    Type => 'multipart/mixed',
    (defined $nxmh && $nxmh eq '' ? ()  # leave the MIME::Entity default
     : ('X-Mailer' => $nxmh) ),         # X-Mailer hdr or undef
    ); 1}  or do {chomp($@); die $@};
  my($head) = $new_entity->head;
  my($orig_head) = $msginfo->mime_entity->head;
  # TODO: we should retain the ordering of Resent-* with their Received fields
  for my $field_head (   # copy some of the original header fields
      qw(Received From Sender To Cc Reply-To Date Message-ID
         Resent-From Resent-Sender Resent-To Resent-Cc
         Resent-Date Resent-Message-ID
         In-Reply-To References Subject
         Comments Keywords Organization X-Mailer) ) {
    for my $value ($orig_head->get_all($field_head)) {
      do_log(4, "copying-over the header field: $field_head");
      eval { $head->add($field_head, $value); 1 } or do {chomp($@); die $@};
    }
  }
  $head = undef;  # object not needed any longer
  eval {$new_entity->attach(
    Type => 'text/plain', Encoding => '-SUGGEST', Charset => c('bdy_encoding'),
    Data => $first_part); 1}  or do {chomp($@); die $@};
  eval {$new_entity->attach(  # rfc2046
    Type => 'message/rfc822; x-spam-type=original',
    Encoding => '8bit', Path => $msginfo->mail_text_fn,
    Description => 'Original message',
    Filename => 'message.txt', Disposition => 'attachment'); 1}
    or do {chomp($@); die $@};
  $new_entity;
}

1;

#
package Amavis::Cache;
# offer an 'IPC::Cache'-compatible simple interface
# to a local (per-process) memory-based cache;
use strict;
use re 'taint';

BEGIN {
  import Amavis::Util qw(ll do_log);
}
BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.0331';
  @ISA = qw(Exporter);
}

# simple local memory-based cache
sub new {  # called by each child process
  my($class) = @_;
  do_log(5,"BerkeleyDB not available, using memory-based local cache");
  bless {}, $class;
}
sub get { my($self,$key) = @_; thaw($self->{$key}) }
sub set { my($self,$key,$obj) = @_; $self->{$key} = freeze($obj) }

# protect % and ~, as well as NUL and \200 for good measure
sub encode($) {
  my($str) = @_; $str =~ s/[%~\000\200]/sprintf("%%%02X",ord($&))/egs; $str;
}

# simple Storable::freeze lookalike
sub freeze($);  # prototype
sub freeze($) {
  my($obj) = @_; my($ty) = ref($obj);
  if (!defined($obj))     { 'U' }
  elsif (!$ty)            { join('~', '',  encode($obj))  }  # string
  elsif ($ty eq 'SCALAR') { join('~', 'S', encode(freeze($$obj))) }
  elsif ($ty eq 'REF')    { join('~', 'R', encode(freeze($$obj))) }
  elsif ($ty eq 'ARRAY')  { join('~', 'A', map {encode(freeze($_))} @$obj) }
  elsif ($ty eq 'HASH') {
    join('~','H',map {(encode($_),encode(freeze($obj->{$_})))} sort keys %$obj)
  } else { die "Can't freeze object type $ty" }
}

# simple Storable::thaw lookalike
sub thaw($);  # prototype
sub thaw($) {
  my($str) = @_;
  return undef  if !defined $str;
  my($ty,@val) = split(/~/,$str,-1);
  for (@val) { s/%([0-9a-fA-F]{2})/pack("C",hex($1))/eg }
  if    ($ty eq 'U') { undef }
  elsif ($ty eq '')  { $val[0] }
  elsif ($ty eq 'S') { my($obj)=thaw($val[0]); \$obj }
  elsif ($ty eq 'R') { my($obj)=thaw($val[0]); \$obj }
  elsif ($ty eq 'A') { [map {thaw($_)} @val] }
  elsif ($ty eq 'H') {
    my($hr) = {};
    while (@val) { my($k) = shift @val; $hr->{$k} = thaw(shift @val) }
    $hr;
  } else { die "Can't thaw object type $ty" }
}

1;

#
package Amavis;
require 5.005;  # need qr operator and \z in regexps
use strict;
use re 'taint';

use POSIX qw(strftime);
use Errno qw(ENOENT);
use IO::File ();
# body digest for caching, either SHA1 or MD5
#use Digest::SHA1;
use Digest::MD5;
use Net::Server 0.83;
use Net::Server::PreForkSimple;

BEGIN {
  import Amavis::Conf qw(:platform :sa :confvars c cr ca);
  import Amavis::Util qw(untaint min max ll do_log sanitize_str debug_oneshot
                         am_id snmp_counters_init snmp_count prolong_timer);
  import Amavis::Log;
  import Amavis::Timing qw(section_time get_time_so_far);
  import Amavis::rfc2821_2822_Tools;
  import Amavis::Lookup qw(lookup lookup_ip_acl);
  import Amavis::Out;
  import Amavis::Out::EditHeader;
  import Amavis::UnmangleSender qw(best_try_originator_ip best_try_originator
                                   first_received_from);
  import Amavis::Unpackers::Validity qw(
                           check_header_validity check_for_banned_names);
  import Amavis::Unpackers::MIME qw(mime_decode);
  import Amavis::Expand qw(expand);
  import Amavis::Notify qw(delivery_status_notification delivery_short_report
                           string_to_mime_entity defanged_mime_entity);
  import Amavis::In::Connection;
  import Amavis::In::Message;
}

# Make it a subclass of Net::Server::PreForkSimple
# to override method &process_request (and others if desired)
use vars qw(@ISA);
# @ISA = qw(Net::Server);
@ISA = qw(Net::Server::PreForkSimple);

delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

use vars qw(
  $extra_code_db $extra_code_cache
  $extra_code_sql $extra_code_ldap
  $extra_code_in_amcl $extra_code_in_smtp
  $extra_code_antivirus $extra_code_antispam $extra_code_unpackers);

use vars qw($spam_level $spam_status $spam_report);
use vars qw($user_id_sql $wb_listed_sql $implicit_maps_inserted);
use vars qw($db_env $snmp_db);
use vars qw($body_digest $body_digest_cache);
use vars qw(%builtins);    # customizable notification messages
use vars qw($child_invocation_count $child_task_count);
# $child_invocation_count  # counts child re-use from 1 to max_requests
# $child_task_count        # counts check_mail() calls - this normally runs
                           # in sync with $child_invocation_count, but with
                           # SMTP or LMTP input there may be more than one
                           # message passed during a single SMTP session

use vars qw($VIRUSFILE $CONN $MSGINFO);
use vars qw($av_output @virusname @detecting_scanners
            @banned_filename @bad_headers);

use vars qw($amcl_in_obj $smtp_in_obj); # Amavis::In::AMCL and In::SMTP objects
use vars qw($sql_policy $sql_wblist);   # Amavis::Lookup::SQL objects
use vars qw($ldap_policy);              # Amavis::Lookup::LDAP objects

# initialize some remaining global variables;
# invoked after chroot and after privileges have been dropped
sub after_chroot_init() {

  # my(@modules_extra);
  # for my $m (keys %INC)
  #   { push(@modules_extra, $m)  if !grep {$_ eq $m} @modules_basic }
  # do_log(0, "modules loaded: "      .join(", ", sort @modules_basic));
  # do_log(0, "extra modules loaded: ".join(", ", sort @modules_extra));

  my($euid) = $>;   # effective UID
  $> = 0;           # try to become root
  POSIX::setuid(0)  if $> != 0;  # and try some more
  if ($> == 0) {    # succeded? panic!
    my(@msg) = ("It is possible to change EUID from $euid to root, ABORTING!",
                "Perhaps you forgot to patch the Net::Server - see:",
                "  http://www.ijs.si/software/amavisd/#net-server-sec",
                "or start as non-root, e.g. by su(1) or using option -u user");
    do_log(-3,"FATAL: $_")  for @msg;
    print STDERR (map {"$_\n"} @msg); die "EUID problem, ABORTING";
    exit 1;  # just in case
  }
  # report versions of some modules
  for my $m ('Amavis::Conf',
             sort map { s/\.pm\z//; s[/][::]g; $_ } grep { /\.pm\z/ } keys %INC){
    next  if !grep { $_ eq $m } qw(Amavis::Conf
      Archive::Tar Archive::Zip Compress::Zlib Convert::TNEF Convert::UUlib
      MIME::Entity MIME::Parser MIME::Tools Mail::Header Mail::Internet
      Mail::ClamAV Mail::SpamAssassin Mail::SpamAssassin::SpamCopURI URI
      Razor2::Client::Version Mail::SPF::Query Authen::SASL
      Net::DNS Net::SMTP Net::Cmd Net::Server Net::LDAP
      DBI BerkeleyDB DB_File SAVI Unix::Syslog Time::HiRes);
    do_log(0, sprintf("Module %-19s %s", $m, $m->VERSION || '?'));
  }
  if (c('forward_method') eq '' && $extra_code_in_smtp) {
    do_log(1,"forward_method in default policy bank is null (milter setup?), ".
             "DISABLING SMTP-in AS A PRECAUTION");
    $extra_code_in_smtp = undef;
  }
  do_log(0,"Amavis::DB code       ".($extra_code_db     ?'':" NOT")." loaded");
  do_log(0,"Amavis::Cache code    ".($extra_code_cache  ?'':" NOT")." loaded");
  do_log(0,"Lookup::SQL code      ".($extra_code_sql    ?'':" NOT")." loaded");
  do_log(0,"Lookup::LDAP code     ".($extra_code_ldap   ?'':" NOT")." loaded");
  do_log(0,"AMCL-in protocol code ".($extra_code_in_amcl?'':" NOT")." loaded");
  do_log(0,"SMTP-in protocol code ".($extra_code_in_smtp?'':" NOT")." loaded");
  do_log(0,"ANTI-VIRUS code       ".($extra_code_antivirus?'':" NOT")." loaded");
  do_log(0,"ANTI-SPAM  code       ".($extra_code_antispam ?'':" NOT")." loaded");
  do_log(0,"Unpackers  code       ".($extra_code_unpackers?'':" NOT")." loaded");

  # @Amavis::modules_basic = ();   # @modules_extra

  # Prepare a hash of macros to be used in notification message expansion.
  # A key (macro name) must be a single character. Most characters are
  # allowed, but to be on the safe side and for clarity it is suggested
  # that only letters are used. Upper case letters may (as a mnemonic)
  # suggest the value is an array, lower case may suggest the value is
  # a scalar string - but this is only a convention and not enforced.
  #
  # A value may be a reference to a subroutine which will be called later at
  # the time of macro expansion. This way we can provide a method for obtaining
  # information which is not yet available, such as AV scanner results,
  # or provide a lazy evaluation for more expensive calculations.
  # Subroutine will be called in scalar context with no arguments.
  # It may return a scalar string (or undef), or an array reference.
  %builtins = (
    '.' => undef,
    p => sub {c('policy_bank_name')},
      # mail reception timestamp (e.g. start of SMTP transaction):
    d => sub {rfc2822_timestamp($MSGINFO->rx_time)}, # rfc2822 local date-time
#   U => sub {iso8601_timestamp($MSGINFO->rx_time)},     # iso8601, local time
    U => sub {iso8601_utc_timestamp($MSGINFO->rx_time)}, # iso8601 UTC
    y => sub {sprintf("%.0f", 1000*get_time_so_far())},  # elapsed time in ms
    u => sub {sprintf("%010d",$MSGINFO->rx_time)},   # s since Unix epoch (UTC)

    h => $myhostname, # dns name of this host, or configurable name
    l => sub {my($ip) = $MSGINFO->client_addr; my($val);
              $val = $ip ne '' ? lookup_ip_acl($ip,@{ca('mynetworks_maps')})
                               : lookup(0,$MSGINFO->sender_source,
                                        @{ca('local_domains_maps')});
              $val ? 1 : undef}, # sender's client IP (if known) from @mynetworks
                                 # (if IP is known), or sender domain is local
    s => sub {qquote_rfc2821_local($MSGINFO->sender)}, # original envelope sender in <>
    S => sub { # unmangled sender or sender address to be notified, or empty...
               sanitize_str($MSGINFO->sender_contact) },  # ..if sender unknown
    o => sub { # best attempt at determining true sender (origin) of the virus,
               sanitize_str($MSGINFO->sender_source) },   # normally same as %s
    R => sub {$MSGINFO->recips},    # original message recipients list
    D => sub {my($y,$n,$f)=delivery_short_report($MSGINFO); $y}, # succ.delivered
    O => sub {my($y,$n,$f)=delivery_short_report($MSGINFO); $n}, # failed recips
    N => sub {my($y,$n,$f)=delivery_short_report($MSGINFO); $f}, # short dsn
    Q => sub {$MSGINFO->queue_id},  # MTA queue ID of the message if known
    m => sub { local($_) = $MSGINFO->mime_entity;   # Message-ID of the message
               if (defined) { $_ = $_->head->get('Message-ID',0); chomp;
                              s/^[ \t]+//; s/[ \t\n]+\z//;  # trim whitespace
                              # protect space and \n, other special characters
                              # will be sanitized before logging
                              s{([ =\r\n])}{sprintf("=%02X",ord($1))}eg; $_ }},
    r => sub { local($_) = $MSGINFO->mime_entity;   # first Resent-Message-ID
               if (defined) { $_ = $_->head->get('Resent-Message-ID',0); chomp;
                              s/^[ \t]+//; s/[ \t\n]+\z//;  # trim whitespace
                              s{([ =\r\n])}{sprintf("=%02X",ord($1))}eg; $_ }},
    j => sub { local($_) = $MSGINFO->mime_entity;   # Subject of the message
               if (defined) { $_ = $_->head->get('Subject',0); chomp;
                              s/\n([ \t])/$1/g;  # unfold
                              s{([=\r\n])}{sprintf("=%02X",ord($1))}eg; $_ }},
    b => sub {$MSGINFO->body_digest},     # original message body digest
    n => \&am_id,                # amavis internal message id (for log entries)
    i => sub {$VIRUSFILE},       # some quarantine id, e.g. quarantine filename
    q => sub {my($q) = $MSGINFO->quarantined_to;
              !defined($q) ? undef :
                [map { my($m)=$_; $m=~s{^\Q$QUARANTINEDIR\E/}{}; $m } @$q];
             },  # list of quarantine mailboxes
    v => sub {[split(/[ \t]*\r?\n/,$av_output)]},   # anti-virus scanner output
    V => sub {my(%seen); [grep {!$seen{$_}++} @virusname]}, #unique virus names
    F => sub {@banned_filename<=1 ? \@banned_filename
                : [$banned_filename[0], '...'] },   # list of banned file names
    X => sub {\@bad_headers},        # list of header syntax violations
    W => sub {\@detecting_scanners}, # list of av scanners detecting a virus
    H => sub {[map {my $h=$_; chomp($h); $h} @{$MSGINFO->orig_header}]},# orig hdr
    A => sub {[split(/\r?\n/, $spam_report)]},      # SpamAssassin report lines
    c => sub {!defined $spam_level ? '-'            # SA hits/score
              : 0+sprintf("%.3f",$spam_level+min(map {$_->recip_score_boost}
                                                @{$MSGINFO->per_recip_data}))},
    z => sub {$MSGINFO->orig_body_size+1+$MSGINFO->orig_header_size}, # mail size
    t => sub { # first entry in the Received trace
               sanitize_str(first_received_from($MSGINFO->mime_entity)) },
    e => sub { # first valid public IP in the Received trace
               sanitize_str(best_try_originator_ip($MSGINFO->mime_entity)) },
    a => sub {$MSGINFO->client_addr}, # original SMTP session client IP address
    g => sub { # original SMTP session client DNS name
               sanitize_str($MSGINFO->client_name) },
    k => sub { my($kill_level);
               scalar(grep   # any recipient declared the message be killed ?
                 { !$_->recip_whitelisted_sender &&
                   ($_->recip_blacklisted_sender ||
                     ($kill_level=lookup(0,$_->recip_addr,
                                         @{ca('spam_kill_level_maps')}),
                      defined $spam_level && defined $kill_level &&
                      $spam_level + $_->recip_score_boost >= $kill_level) )
                 } @{$MSGINFO->per_recip_data}) },
    '1'=> sub { my($tag_level);
                scalar(grep  # above tag level for any recipient?
                 { !$_->recip_whitelisted_sender &&
                   ($_->recip_blacklisted_sender ||
                     ($tag_level=lookup(0,$_->recip_addr,
                                        @{ca('spam_tag_level_maps')}),
                      defined $spam_level && defined $tag_level &&
                      $spam_level + $_->recip_score_boost >= $tag_level) )
                 } @{$MSGINFO->per_recip_data}) },
    '2'=> sub { my($tag2_level);
                scalar(grep  # above tag2 level for any recipient?
                 { !$_->recip_whitelisted_sender &&
                   ($_->recip_blacklisted_sender ||
                     ($tag2_level=lookup(0,$_->recip_addr,
                                         @{ca('spam_tag2_level_maps')}),
                     defined $spam_level && defined $tag2_level &&
                     $spam_level + $_->recip_score_boost >= $tag2_level) )
                 } @{$MSGINFO->per_recip_data}) },
    # macros f, T, C, B will be defined for each notification as appropriate
    # (representing From:, To:, Cc:, and Bcc: respectively)
    # remaining free letters: wxyEGIJKLMPYZ
  );

  # Map local virtual 'localpart' to a mailbox (e.g. to a quarantine filename
  # or a directory). Used by method 'local:', i.e. in mail_to_local_mailbox(),
  # for direct local quarantining. The hash value may be a ref to a pair of
  # fixed strings, or a subroutine ref (which must return a pair of strings
  # (a list, not a list ref)) which makes possible lazy evaluation
  # when some part of the pair is not known before the final delivery time.
  #
  # The first string in a pair must be either:
  #   - empty or undef, which will disable saving the message,
  #   - a filename, indicating a Unix-style mailbox,
  #   - a directory name, indicating a maildir-style mailbox,
  #     in which case the second string may provide a suggested file name.
  #
  %Amavis::Conf::local_delivery_aliases = (
    'virus-quarantine'    => sub { ($QUARANTINEDIR,  $VIRUSFILE) },
    'banned-quarantine'   => sub { ($QUARANTINEDIR,  $VIRUSFILE) },
    'bad-header-quarantine'=>sub { ($QUARANTINEDIR,  $VIRUSFILE) },
  # 'spam-quarantine'     => sub { ($QUARANTINEDIR,  $VIRUSFILE) },     # normal
    'spam-quarantine'     => sub { ($QUARANTINEDIR, "$VIRUSFILE.gz") }, # gzipped

    # some more examples:
    'sender-quarantine' =>
      sub { my($s) = $MSGINFO->sender; local($1);
            $s =~ s/[^a-zA-Z0-9._@]/=/g; $s =~ s/\@/%/g;
            $s = untaint($s)  if $s =~ /^([a-zA-Z0-9._=%]+)\z/;  # untaint
            $s =~ s/%/%%/g;  # protect %
            ( $QUARANTINEDIR, "sender-$s-%i-%n.gz" );   # suggested file name
          },
    'recip-quarantine' =>
      sub { ("$QUARANTINEDIR/recip-archive.mbox", undef) },
    'ham-quarantine' =>
      sub { ("$QUARANTINEDIR/ham.mbox", undef) },
    'outgoing-quarantine' =>
      sub { ("$QUARANTINEDIR/outgoing.mbox", undef) },
    'incoming-quarantine' =>
      sub { ("$QUARANTINEDIR/incoming.mbox", undef) },
  );
  # store policy names into 'policy_bank_name' fields, if not explicitly set
  for my $name (keys %policy_bank) {
    if (ref($policy_bank{$name}) eq 'HASH' &&
        !exists($policy_bank{$name}{'policy_bank_name'}))
      { $policy_bank{$name}{'policy_bank_name'} = $name }
  }
};

# overlay the current policy bank by settings from the
# $policy_bank{$policy_bank_name}, or load the default policy bank (empty name)
sub load_policy_bank($) {
  my($policy_bank_name) = @_;
  if (!exists $policy_bank{$policy_bank_name}) {
    do_log(-1,"policy bank \"$policy_bank_name\" does not exist, ignored");
  } elsif ($policy_bank_name eq '') {
    %current_policy_bank = %{$policy_bank{$policy_bank_name}};
    do_log(4,'loaded base policy bank');
  } else {
    my($cpbn) = c('policy_bank_name');  # currently loaded bank
    for my $k (keys %{$policy_bank{$policy_bank_name}}) {
      do_log(-1,"loading policy bank \"$policy_bank_name\": ".
                "unknown field \"$k\"")  if !exists $current_policy_bank{$k};
      $current_policy_bank{$k} = $policy_bank{$policy_bank_name}{$k};
    }
    do_log(2,sprintf('loaded policy bank "%s"%s', $policy_bank_name,
                     $cpbn eq '' ? '' : " over \"$cpbn\""));
  }
}

### Net::Server hook
### This hook occurs after chroot, change of user, and change of group has
### occured.  It allows for preparation before looping begins.
sub pre_loop_hook {
  my($self) = @_;
  local $SIG{CHLD} = 'DEFAULT';
  eval {
    after_chroot_init();  # the rest of the top-level initialization

    # this needs to be done only after chroot, otherwise paths will be wrong
    find_external_programs([split(/:/, $path, -1)]);
    # do some sanity checking
    my($name) = $TEMPBASE;
    $name = "$daemon_chroot_dir $name"  if $daemon_chroot_dir ne '';
    my($errn) = stat($TEMPBASE) ? 0 : 0+$!;
    if    ($errn==ENOENT) { die "No TEMPBASE directory: $name" }
    elsif ($errn)         { die "TEMPBASE directory inaccessible, $!: $name" }
    elsif (!-d _)         { die "TEMPBASE is not a directory: $name" }
    elsif (!-w _)         { die "TEMPBASE directory is not writable: $name" }
    if ($enable_global_cache && $extra_code_db) {
      my($name) = $db_home;
      $name = "$daemon_chroot_dir $name"  if $daemon_chroot_dir ne '';
      $errn = stat($db_home) ? 0 : 0+$!;
      if ($errn == ENOENT) {
        die "Please create an empty directory $name to hold a database".
            " (config variable \$db_home)\n" }
      elsif ($errn) { die "db_home inaccessible, $!: $name" }
      elsif (!-d _) { die "db_home is not a directory : $name" }
      elsif (!-w _) { die "db_home directory is not writable: $name" }
      Amavis::DB::init(1);
    }
    if ($QUARANTINEDIR ne '') {
      my($name) = $QUARANTINEDIR;
      $name = "$daemon_chroot_dir $name"  if $daemon_chroot_dir ne '';
      $errn = stat($QUARANTINEDIR) ? 0 : 0+$!;
      if    ($errn == ENOENT) { }  # ok
      elsif ($errn)         { die "QUARANTINEDIR inaccessible, $!: $name" }
      elsif (-d _ && !-w _) { die "QUARANTINEDIR directory not writable: $name" }
    }
    Amavis::SpamControl::init()  if $extra_code_antispam;
  };
  if ($@ ne '') {
    chomp($@); my($msg) = "TROUBLE in pre_loop_hook: $@"; do_log(-2,$msg);
    die ("Suicide (" . am_id() . ") " . $msg . "\n"); # kills child, not parent
  }
  1;
}

### log routine Net::Server hook
### (Sys::Syslog MUST NOT be specified as a value of 'log_file'!)
#
# Redirect Net::Server logging to use Amavis' do_log().
# The main reason is that Net::Server uses Sys::Syslog
# (and has two bugs in doing it, at least the Net-Server-0.82),
# and Amavis users are acustomed to Unix::Syslog.
sub write_to_log_hook {
  my($self,$level,$msg) = @_;
  my($prop) = $self->{server};
  local $SIG{CHLD} = 'DEFAULT';
  chomp($msg);
  do_log(1, "Net::Server: " . $msg);  # just call Amavis' traditional logging
  1;
}

### user customizable Net::Server hook
sub child_init_hook {
  my($self) = @_;
  local $SIG{CHLD} = 'DEFAULT';
  $0 = 'amavisd (virgin child)';
  eval {
    $db_env = $snmp_db = $body_digest_cache = undef;  # just in case
    Amavis::Timing::init(); snmp_counters_init();
    if ($extra_code_db) {
      $db_env = Amavis::DB->new;  # get access to a bdb environment
      $snmp_db = Amavis::DB::SNMP->new($db_env);
      $snmp_db->register_proc('')  if defined $snmp_db;  # process alive & idle
    }
    # if $db_env is undef the Amavis::Cache::new creates a memory-based cache
    $body_digest_cache = Amavis::Cache->new($db_env);
    if ($extra_code_db) {  # is it worth reporting the timing?
      section_time('bdb-open');
      do_log(2, Amavis::Timing::report());  # report elapsed times
    }
  };
  if ($@ ne '') {
    chomp($@); do_log(-2, "TROUBLE in child_init_hook: $@");
    die "Suicide in child_init_hook: $@\n";
  }
  Amavis::Timing::go_idle('vir');
}

### user customizable Net::Server hook
sub post_accept_hook {
  my($self) = @_;
  local $SIG{CHLD} = 'DEFAULT';
  $child_invocation_count++;
  $0 = sprintf("amavisd (ch%d-accept)", $child_invocation_count);
  Amavis::Timing::go_busy('hi ');
  # establish initial time right after 'accept'
  Amavis::Timing::init(); snmp_counters_init();
  $snmp_db->register_proc('A')  if defined $snmp_db;  # in 'accept' state
  load_policy_bank('');    # start with a builting policy bank
}

### user customizable Net::Server hook
### if this hook returns 1 the request is processed
### if this hook returns 0 the request is denied
sub allow_deny_hook {
  my($self) = @_;
  local($1,$2,$3,$4);  # Perl bug: $1 and $2 come tainted from Net::Server !
  local $SIG{CHLD} = 'DEFAULT';
  my($prop) = $self->{server}; my($sock) = $prop->{client}; my($bank_name);
  my($is_ux) = UNIVERSAL::can($sock,'NS_proto') && $sock->NS_proto eq 'UNIX';
  if ($is_ux) {
    $bank_name = $interface_policy{"SOCK"};  # possibly undef
  } else {
    my($myif,$myport) = ($prop->{sockaddr}, $prop->{sockport});
    if (defined $interface_policy{"$myif:$myport"}) {
      $bank_name = $interface_policy{"$myif:$myport"};
    } elsif (defined $interface_policy{$myport}) {
      $bank_name = $interface_policy{$myport};
    }
  }
  load_policy_bank($bank_name)  if defined $bank_name &&
                                   $bank_name ne c('policy_bank_name');
  # note that the new policy bank may have replaced the inet_acl access table
  if ($is_ux) {
    # always permit access - unix sockets are immune to this check
  } else {
    my($permit,$fullkey) = lookup_ip_acl($prop->{peeraddr},ca('inet_acl'));
    if (!$permit) {
      my($msg) = sprintf("DENIED ACCESS from IP %s, policy bank '%s'",
                         $prop->{peeraddr}, c('policy_bank_name') );
      $msg .= ", blocked by rule $fullkey"  if defined $fullkey;
      do_log(-1,$msg);
      return 0;
    }
  }
  1;
}

# use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
# sub cloexec_on($;$) {
#   my($fd,$name) = @_; my($flags);
#   $flags = fcntl($fd, F_GETFD, 0)
#     or die "Can't get flags from the file descriptor: $!";
#   if ($flags & FD_CLOEXEC == 0) {
#     do_log(4,"Turning on FD_CLOEXEC flag on $name");
#     fcntl($fd, F_SETFD, $flags | FD_CLOEXEC)
#       or die "Can't set FD_CLOEXEC on file descriptor $name: $!";
#   }
# }

### The heart of the program
### user customizable Net::Server hook
sub process_request {
  my($self) = shift;
  my($prop) = $self->{server}; my($sock) = $prop->{client};
  local $SIG{CHLD} = 'DEFAULT';
  local($1,$2,$3,$4);  # Perl bug: $1 and $2 come tainted from Net::Server !
  # Net::Server assigns STDIN and STDOUT to the socket
  binmode(STDIN)  or die "Can't set STDIN to binmode: $!";
  binmode(STDOUT) or die "Can't set STDOUT to binmode: $!";
  binmode($sock)  or die "Can't set socket to binmode: $!";
  $| = 1;
  local $SIG{ALRM} = sub { die "timed out\n" };  # do not modify the sig text!
  eval {
#   if ($] < 5.006) { # Perl older than 5.6.0 did not set FD_CLOEXEC on sockets
#     for my $mysock (@{$prop->{sock}}) { cloexec_on($mysock, $mysock) }
#   }
    prolong_timer('new request - timer reset', $child_timeout);  # timer init
    if ($extra_code_ldap && !defined $ldap_policy) {
      # make LDAP lookup object
      $ldap_policy = Amavis::Lookup::LDAP->new($default_ldap);
    }
    if (defined $ldap_policy && !$implicit_maps_inserted) {
      # make SQL field lookup objects with incorporated field names
      # fieldtype: B=boolean, N=numeric, S=string, L=list
      #            B-, N-, S-, L-  returns undef if field does not exist
      #            B0: boolean, nonexistent field treated as false,
      #            B1: boolean, nonexistent field treated as true
      my $lf = sub{Amavis::Lookup::LDAPattr->new($ldap_policy,@_)};
      unshift(@Amavis::Conf::virus_lovers_maps,        $lf->('amavisVirusLover',         'B-'));
      unshift(@Amavis::Conf::spam_lovers_maps,         $lf->('amavisSpamLover',          'B-'));
      unshift(@Amavis::Conf::banned_files_lovers_maps, $lf->('amavisBannedFilesLover',   'B-'));
      unshift(@Amavis::Conf::bad_header_lovers_maps,   $lf->('amavisBadHeaderLover',     'B-'));
      unshift(@Amavis::Conf::bypass_virus_checks_maps, $lf->('amavisBypassVirusChecks',  'B-'));
      unshift(@Amavis::Conf::bypass_spam_checks_maps,  $lf->('amavisBypassSpamChecks',   'B-'));
      unshift(@Amavis::Conf::bypass_banned_checks_maps,$lf->('amavisBypassBannedChecks', 'B-'));
      unshift(@Amavis::Conf::bypass_header_checks_maps,$lf->('amavisBypassHeaderChecks', 'B-'));
      unshift(@Amavis::Conf::spam_tag_level_maps,      $lf->('amavisSpamTagLevel',       'N'));
      unshift(@Amavis::Conf::spam_tag2_level_maps,     $lf->('amavisSpamTag2Level',      'N'));
      unshift(@Amavis::Conf::spam_kill_level_maps,     $lf->('amavisSpamKillLevel',      'N'));
      unshift(@Amavis::Conf::spam_modifies_subj_maps,  $lf->('amavisSpamModifiesSubject','B-'));
      unshift(@Amavis::Conf::message_size_limit_maps,  $lf->('amavisMessageSizeLimit',   'N-'));
      unshift(@Amavis::Conf::virus_quarantine_to_maps, $lf->('amavisVirusQuarantineTo',  'S-'));
      unshift(@Amavis::Conf::spam_quarantine_to_maps,  $lf->('amavisSpamQuarantineTo',   'S-'));
      unshift(@Amavis::Conf::banned_quarantine_to_maps, $lf->('amavisBannedQuarantineTo','S-'));
      unshift(@Amavis::Conf::bad_header_quarantine_to_maps, $lf->('amavisBadHeaderQuarantineTo', 'S-'));
      unshift(@Amavis::Conf::local_domains_maps,       $lf->('amavisLocal',
         'B1'));
      section_time('ldap-prepare');
    }
    if ($extra_code_sql && @lookup_sql_dsn) {
      # make SQL lookup objects which will hold SELECT and DBI handles
      $sql_wblist = Amavis::Lookup::SQL->new
        if !defined $sql_wblist && defined $sql_select_white_black_list;
      $sql_policy = Amavis::Lookup::SQL->new
        if !defined $sql_policy && defined $sql_select_policy;
    }
    if (defined $sql_policy && !$implicit_maps_inserted) {
      # make SQL field lookup objects with incorporated field names
      # fieldtype: B=boolean, N=numeric, S=string,
      #            B-, N-, S-   returns undef if field does not exist
      #            B0: boolean, nonexistent field treated as false,
      #            B1: boolean, nonexistent field treated as true
      my $nf = sub{Amavis::Lookup::SQLfield->new($sql_policy,@_)}; #shorthand
      $user_id_sql =                                    $nf->('id',                   'S');
      unshift(@Amavis::Conf::local_domains_maps,        $nf->('local',                'B1'));

      unshift(@Amavis::Conf::virus_lovers_maps,         $nf->('virus_lover',          'B0'));
      unshift(@Amavis::Conf::spam_lovers_maps,          $nf->('spam_lover',           'B-'));
      unshift(@Amavis::Conf::banned_files_lovers_maps,  $nf->('banned_files_lover',   'B-'));
      unshift(@Amavis::Conf::bad_header_lovers_maps,    $nf->('bad_header_lover',     'B-'));

      unshift(@Amavis::Conf::bypass_virus_checks_maps,  $nf->('bypass_virus_checks',  'B0'));
      unshift(@Amavis::Conf::bypass_spam_checks_maps,   $nf->('bypass_spam_checks',   'B0'));
      unshift(@Amavis::Conf::bypass_banned_checks_maps, $nf->('bypass_banned_checks', 'B-'));
      unshift(@Amavis::Conf::bypass_header_checks_maps, $nf->('bypass_header_checks', 'B-'));

      unshift(@Amavis::Conf::spam_tag_level_maps,       $nf->('spam_tag_level',       'N'));
      unshift(@Amavis::Conf::spam_tag2_level_maps,      $nf->('spam_tag2_level',      'N'));
      unshift(@Amavis::Conf::spam_kill_level_maps,      $nf->('spam_kill_level',      'N'));
      unshift(@Amavis::Conf::spam_dsn_cutoff_level_maps,$nf->('spam_dsn_cutoff_level','N-'));

      unshift(@Amavis::Conf::spam_modifies_subj_maps,   $nf->('spam_modifies_subj',   'B-'));
      unshift(@Amavis::Conf::spam_subject_tag_maps,     $nf->('spam_subject_tag',     'S-'));
      unshift(@Amavis::Conf::spam_subject_tag2_maps,    $nf->('spam_subject_tag2',    'S-'));

      unshift(@Amavis::Conf::virus_quarantine_to_maps,  $nf->('virus_quarantine_to',  'S-'));
      unshift(@Amavis::Conf::banned_quarantine_to_maps, $nf->('banned_quarantine_to', 'S-'));
      unshift(@Amavis::Conf::bad_header_quarantine_to_maps, $nf->('bad_header_quarantine_to','S-'));
      unshift(@Amavis::Conf::spam_quarantine_to_maps,   $nf->('spam_quarantine_to',   'S-'));
      unshift(@Amavis::Conf::message_size_limit_maps,   $nf->('message_size_limit',   'N-'));

      unshift(@Amavis::Conf::addr_extension_virus_maps, $nf->('addr_extension_virus', 'S-'));
      unshift(@Amavis::Conf::addr_extension_spam_maps,  $nf->('addr_extension_spam',  'S-'));
      unshift(@Amavis::Conf::addr_extension_banned_maps,$nf->('addr_extension_banned','S-'));
      unshift(@Amavis::Conf::addr_extension_bad_header_maps,$nf->('addr_extension_bad_header','S-'));

      unshift(@Amavis::Conf::warnvirusrecip_maps,       $nf->('warnvirusrecip',       'B-'));
      unshift(@Amavis::Conf::warnbannedrecip_maps,      $nf->('warnbannedrecip',      'B-'));
      unshift(@Amavis::Conf::warnbadhrecip_maps,        $nf->('warnbadhrecip',        'B-'));

      unshift(@Amavis::Conf::virus_admin_maps,          $nf->('virus_admin',          'S-'));
      unshift(@Amavis::Conf::spam_admin_maps,           $nf->('spam_admin',           'S-'));

      section_time('sql-prepare');
    }
    Amavis::Conf::label_default_maps()  if !$implicit_maps_inserted;
    $implicit_maps_inserted = 1;

    my($conn) = Amavis::In::Connection->new;
    $CONN = $conn;  # ugly - save in a global
    $conn->proto($sock->NS_proto);
    my($suggested_protocol) = c('protocol');  # suggested by the policy bank
    do_log(5,"process_request: suggested_protocol=\"$suggested_protocol\" on ".
             $sock->NS_proto);
    if ($sock->NS_proto eq 'UNIX') {     # traditional amavis helper program
      if ($suggested_protocol eq 'COURIER') {
        die "unavailable support for protocol: $suggested_protocol";
      } elsif ($suggested_protocol eq 'AM.PDP') {
        $amcl_in_obj = Amavis::In::AMCL->new  if !$amcl_in_obj;
        $amcl_in_obj->process_policy_request($sock, $conn, \&check_mail, 0);
      } else {  # default to old amavis helper program protocol
        $amcl_in_obj = Amavis::In::AMCL->new  if !$amcl_in_obj;
        $amcl_in_obj->process_policy_request($sock, $conn, \&check_mail, 1);
      }
    } elsif ($sock->NS_proto eq 'TCP') {
      $conn->socket_ip($prop->{sockaddr});
      $conn->socket_port($prop->{sockport});
      $conn->client_ip($prop->{peeraddr});
      if ($suggested_protocol eq 'TCP-LOOKUP') {  # postfix maps (experimental)
        process_tcp_lookup_request($sock, $conn);
        do_log(2, Amavis::Timing::report());  # report elapsed times
      } elsif ($suggested_protocol eq 'AM.PDP') {
        # amavis policy delegation protocol (e.g. new milter helper program)
        $amcl_in_obj = Amavis::In::AMCL->new  if !$amcl_in_obj;
        $amcl_in_obj->process_policy_request($sock, $conn, \&check_mail, 0);
      } else {  # defaults to SMTP or LMTP
        if (!$extra_code_in_smtp) {
          die "incoming TCP connection, but dynamic SMTP/LMTP code not loaded";
        }
        $smtp_in_obj = Amavis::In::SMTP->new  if !$smtp_in_obj;
        $smtp_in_obj->process_smtp_request(
              $sock, ($suggested_protocol eq 'LMTP'?1:0), $conn, \&check_mail);
      }
    } else {
      die ("unsupported protocol: $suggested_protocol, " . $sock->NS_proto);
    }
  };  # eval
  alarm(0);          # stop the timer
  if ($@ ne '') {
    chomp($@); my($timed_out) = $@ eq "timed out";
    my($msg) = $timed_out ? "Child task exceeded $child_timeout seconds, abort"
                          : "TROUBLE in process_request: $@";
    do_log(-2, $msg);
    $smtp_in_obj->preserve_evidence(1)  if $smtp_in_obj && !$timed_out;
    # kills a child, hopefully preserving tempdir; does not kill parent
    do_log(-1, "Requesting process rundown after fatal error");
    $self->done(1);
#   die ("Suicide (" . am_id() . ") " . $msg . "\n");
  }
# if ($child_task_count >= $max_requests &&
#     $child_invocation_count < $max_requests) {
  if ($child_task_count > $max_requests) {
    # in case of multiple-transaction protocols (e.g. SMTP, LMTP)
    # we do not like to keep running indefinitely at the MTA's mercy
    do_log(1, "Requesting process rundown after $child_task_count tasks ".
              "(and $child_invocation_count sessions)");
    $self->done(1);
  }
}

### override Net::Server::PreForkSimple::done
### to be able to rundown the child process prematurely
sub done(@) {
  my($self) = shift;
  if (@_) { $self->{server}->{done} = shift }
  elsif (!$self->{server}->{done})
    { $self->{server}->{done} = $self->SUPER::done }
  $self->{server}->{done};
}

### Net::Server hook
sub post_process_request_hook {
  my($self) = @_;
  local $SIG{CHLD} = 'DEFAULT';
  debug_oneshot(0);
  $0 = sprintf("amavisd (ch%d-avail)", $child_invocation_count);
  alarm(0); do_log(5,"post_process_request_hook: timer stopped");
  $snmp_db->register_proc('')  if defined $snmp_db; # process is alive and idle
  Amavis::Timing::go_idle('bye'); Amavis::Timing::report_load();
}

### Child is about to be terminated
### user customizable Net::Server hook
sub child_finish_hook {
  my($self) = @_;
  local $SIG{CHLD} = 'DEFAULT';
# for my $m (sort map { s/\.pm\z//; s[/][::]g; $_ } grep { /\.pm\z/ } keys %INC){
#   do_log(0, sprintf("Module %-19s %s", $m, $m->VERSION || '?'))
#     if grep {$m=~/^$_/} qw(Mail::ClamAV Mail::SpamAssassin Razor2 Net::DNS);
# }
  $0 = sprintf("amavisd (ch%d-finish)", $child_invocation_count);
  do_log(5,"child_finish_hook: invoking DESTROY methods");
  $smtp_in_obj = undef;  # calls Amavis::In::SMTP::DESTROY
  $amcl_in_obj = undef;  # (currently does nothing for Amavis::In::AMCL)
  $sql_wblist = undef;   # calls Amavis::Lookup::SQL::DESTROY
  $sql_policy = undef;   # calls Amavis::Lookup::SQL::DESTROY
  $ldap_policy = undef;  # calls Amavis::Lookup::LDAP::DESTROY
  $body_digest_cache = undef;  # calls Amavis::Cache::DESTROY
  eval { $snmp_db->register_proc(undef) }  if defined $snmp_db;  # going away
  $snmp_db = undef;      # calls Amavis::DB::SNMP::DESTROY
  $db_env = undef;
}

sub END {                # runs before exiting the module
  do_log(5,"at the END handler: invoking DESTROY methods");
  $smtp_in_obj = undef;  # at end calls Amavis::In::SMTP::DESTROY
  $amcl_in_obj = undef;  # (currently does nothing for Amavis::In::AMCL)
  $sql_wblist = undef;   # at end calls Amavis::Lookup::SQL::DESTROY
  $sql_policy = undef;   # at end calls Amavis::Lookup::SQL::DESTROY
  $ldap_policy = undef;  # at end calls Amavis::Lookup::LDAP::DESTROY
  $body_digest_cache = undef;  # at end calls Amavis::Cache::DESTROY
  eval { $snmp_db->register_proc(undef) }  if defined $snmp_db;  # going away
  $snmp_db = undef;      # at end calls Amavis::DB::SNMP::DESTROY
  $db_env = undef;
}

# implements Postfix TCP lookup server, see tcp_table(5) man page; experimental
sub process_tcp_lookup_request($$) {
  my($sock, $conn) = @_;
  local($/) = "\012";  # set line terminator to LF (regardless of platform)
  my($req_cnt);
  while (<$sock>) {
    $req_cnt++; my($level) = 0;
    my($resp_code, $resp_msg) = (400, 'INTERNAL ERROR');
    if (/^get (.*?)\015?\012\z/si) {
      my($key) = tcp_lookup_decode($1);
      my($sl); $sl = lookup(0,$key, @{ca('spam_lovers_maps')});
      $resp_code = 200; $level = 2;
      $resp_msg = $sl ? "OK Recipient <$key> IS spam lover"
                      : "DUNNO Recipient <$key> is NOT spam lover";
    } elsif (/^put ([^ ]*) (.*?)\015?\012\z/si) {
      $resp_code = 500; $resp_msg = 'request not implemented: ' . $_;
    } else {
      $resp_code = 500; $resp_msg = 'illegal request: ' . $_;
    }
    do_log($level, "tcp_lookup($req_cnt): $resp_code $resp_msg");
    $sock->printf("%03d %s\012", $resp_code, tcp_lookup_encode($resp_msg))
      or die "Can't write to tcp_lookup socket: $!";
  }
  do_log(0, "tcp_lookup: RUNDOWN after $req_cnt requests");
}

sub tcp_lookup_encode($) {
  my($str) = @_;
  $str =~ s/[^\041-\044\046-\176]/sprintf("%%%02x",ord($&))/eg;
  $str;
}

sub tcp_lookup_decode($) {
  my($str) = @_;
  $str =~ s/%([0-9a-fA-F]{2})/pack("C",hex($1))/eg;
  $str;
}

# Checks the message stored on a file. File must already
# be open on file handle $msginfo->mail_text; it need not be positioned
# properly, check_mail must not close the file handle.
#
sub check_mail($$$$) {
  my($conn, $msginfo, $dsn_per_recip_capable, $tempdir) = @_;

  my($am_id) = am_id();
  $snmp_db->register_proc($am_id)  if defined $snmp_db;
  my($fh) = $msginfo->mail_text; my(@recips) = @{$msginfo->recips};

  $MSGINFO = $msginfo;  # ugly - save in a global, to make it accessible
                        # to %builtins
  # check_mail() may be called several times per child lifetime and/or
  # per-SMTP session. The variable $child_task_count is mainly used
  # by AV-scanner interfaces, e.g. to initialize when invoked
  # for the first time during child process lifetime.
  $child_task_count++;

  # reset certain global variables for each task
  $VIRUSFILE = undef; $av_output = undef; @detecting_scanners = ();
  @virusname = (); @banned_filename = (); @bad_headers = ();
  $spam_level = undef; $spam_status = undef; $spam_report = undef;

  # comment out to retain SQL cache entries for the whole child lifetime:
  $sql_policy->clear_cache  if defined $sql_policy;
  $sql_wblist->clear_cache  if defined $sql_wblist;

  # comment out to retain LDAP cache entries for the whole child lifetime:
  $ldap_policy->clear_cache  if defined $ldap_policy;

  # also measures mail size and saves mail header
  $body_digest = get_body_digest($fh, $msginfo);

  my($mail_size) = $msginfo->msg_size;  # use ESMTP size if available
  $mail_size = $msginfo->orig_header_size + 1 + $msginfo->orig_body_size
    if $mail_size <= 0;
# $mail_size = -s $msginfo->mail_text_fn;  # get it from a file system

  my($file_generator_object) =   # maxfiles 0 disables the $MAXFILES limit
    Amavis::Unpackers::NewFilename->new($MAXFILES?$MAXFILES:undef, $mail_size);
  Amavis::Unpackers::Part::init($file_generator_object); # fudge: keep in variable
  my($parts_root) = Amavis::Unpackers::Part->new;
  $msginfo->parts_root($parts_root);
  my($smtp_resp, $exit_code, $preserve_evidence);
  my($banned_filename_checked,$virus_presence_checked,$spam_presence_checked);

  # matching banned rules suggest DSN to be suppressed?
  my($banned_dsn_suppress) = 0;

  # is any mail component password protected or otherwise non-decodable?
  my($any_undecipherable) = 0;

  my($cl_ip) = $msginfo->client_addr; my($pbn) = c('policy_bank_name');
  do_log(1,sprintf("Checking: %s%s%s -> %s",
                   $pbn eq   '' ? '' : "$pbn ",
                   $cl_ip eq '' ? '' : "[$cl_ip] ",
                   qquote_rfc2821_local($msginfo->sender),
                   join(',', qquote_rfc2821_local(@recips)) ));

  my($mime_err); # undef, or MIME parsing error string as given by MIME::Parser
  my($hold);           # set to some string to cause the message to be
                       # placed on hold (frozen) by MTA. This can be used
                       # in cases when we stumble across some permanent problem
                       # making us unable to decide if the message is to be
                       # really delivered.
  my($which_section);
  eval {
    snmp_count('InMsgs');
    snmp_count('InMsgsNullRPath')  if $msginfo->sender eq '';
    if    (@recips == 1) { snmp_count(  'InMsgsRecips' ) }
    elsif (@recips >  1) { snmp_count( ['InMsgsRecips',scalar(@recips)] ) }

    $which_section = "creating_partsdir";
    if (-d "$tempdir/parts") {
      # mkdir is a costly operation (must be atomic, flushes buffers).
      # If we can re-use directory 'parts' from the previous invocation
      # it saves us precious time. Together with matching rmdir this can
      # amount to 10-15 % of total elapsed time !!!  (no spam checking)
    } else {
      mkdir("$tempdir/parts", 0750)
        or die "Can't create directory $tempdir/parts: $!";
      section_time('mkdir parts');
    }
    chdir($TEMPBASE) or die "Can't chdir to $TEMPBASE: $!";

    # FIRST: what kind of e-mail did we get? call content scanners

    # already in cache?
    $which_section = "cached";
    snmp_count('CacheAttempts');
    my($cache_entry); my($now) = time;
    my($cache_entry_ttl) =
      max($virus_check_negative_ttl, $virus_check_positive_ttl,
          $spam_check_negative_ttl,  $spam_check_positive_ttl);
    my($now_utc_iso8601)     = iso8601_utc_timestamp($now,1);
    my($expires_utc_iso8601) = iso8601_utc_timestamp($now+$cache_entry_ttl,1);
    $cache_entry = $body_digest_cache->get($body_digest)
      if $body_digest_cache && defined $body_digest;
    if (!defined $cache_entry) {
      snmp_count('CacheMisses');
      $cache_entry->{'ctime'} = $now_utc_iso8601;  # create a new cache record
    } else {
      snmp_count('CacheHits');
      $banned_filename_checked = defined $cache_entry->{'FB'} ? 1 : 0;
      $virus_presence_checked  = defined $cache_entry->{'VN'} ? 1 : 0;

      # spam level and spam report may be influenced by mail header, not only
      # by mail body, so caching based on body is only a close approximation;
      # ignore spam cache if body is too small
      $spam_presence_checked = defined $cache_entry->{'SL'} ? 1 : 0;
      if ($msginfo->orig_body_size < 200) { $spam_presence_checked = 0 }

      if ($virus_presence_checked && defined $cache_entry->{'Vt'}) {
        # check for expiration of cached virus test results
        my($ttl) = !@{$cache_entry->{'VN'}} ? $virus_check_negative_ttl
                                            : $virus_check_positive_ttl;
        if ($now > $cache_entry->{'Vt'} + $ttl) {
          do_log(2,"Cached virus check expired, TTL = $ttl s");
          $virus_presence_checked  = 0;
        }
      }
      if ($spam_presence_checked && defined $cache_entry->{'St'}) {
        # check for expiration of cached spam test results
        # (note: hard-wired spam level 6)
        my($ttl) = $cache_entry->{'SL'} < 6  ? $spam_check_negative_ttl
                                             : $spam_check_positive_ttl;
        if ($now > $cache_entry->{'St'} + $ttl) {
          do_log(2,"Cached spam check expired, TTL = $ttl s");
          $spam_presence_checked  = 0;
        }
      }
      if ($virus_presence_checked) {
        $av_output = $cache_entry->{'VO'};
        @virusname = @{$cache_entry->{'VN'}};
        @detecting_scanners = @{$cache_entry->{'VD'}};
      }
      if ($banned_filename_checked) {
        @banned_filename = @{$cache_entry->{'FB'}};
        $banned_dsn_suppress = $cache_entry->{'FS'};
      }
      ($spam_level, $spam_status, $spam_report) = @$cache_entry{'SL','SS','SR'}
        if $spam_presence_checked;
      do_log(1,sprintf("cached %s from <%s> (%s,%s,%s)",
                       $body_digest, $msginfo->sender,
                       $banned_filename_checked, $virus_presence_checked,
                       $spam_presence_checked));
      snmp_count('CacheHitsVirusCheck')   if $virus_presence_checked;
      snmp_count('CacheHitsVirusMsgs')    if @virusname;
      snmp_count('CacheHitsSpamCheck')    if $spam_presence_checked;
      snmp_count('CacheHitsSpamMsgs')     if $spam_level >= 6;  # a hack
#     snmp_count('CacheHitsBannedCheck')  if $banned_filename_checked;
#     snmp_count('CacheHitsBannedMsgs')   if @banned_filename;
      do_log(5,sprintf("cache entry age: %s c=%s a=%s",
                  (@virusname ? 'V' : $spam_level > 5 ? 'S' : '.'),
                  $cache_entry->{'ctime'}, $cache_entry->{'atime'} ));
    }  # if defined $cache_entry

    my($will_do_virus_scanning) =   # virus scanning will be needed?
       !$virus_presence_checked && $extra_code_antivirus &&
       grep {!lookup(0,$_, @{ca('bypass_virus_checks_maps')})} @recips;

    my($will_do_banned_checking) =  # banned name checking will be needed?
       !$banned_filename_checked &&
       (@{ca('banned_filename_maps')} || cr('banned_namepath_re')) &&
       grep {!lookup(0,$_, @{ca('bypass_banned_checks_maps')})} @recips;

    # will do decoding parts as deeply as possible?  only if needed
    my($will_do_parts_decoding) =
       !c('bypass_decode_parts') &&
       ($will_do_virus_scanning || $will_do_banned_checking);

    $which_section = "mime_decode-1";
    my($ent); ($ent,$mime_err) = mime_decode($fh, $tempdir, $parts_root);
    $msginfo->mime_entity($ent);
    push(@bad_headers, "MIME error: ".$mime_err)  if $mime_err ne '';
    prolong_timer($which_section);

    if ($will_do_parts_decoding) {
      # decoding parts can take a lot of time!
      snmp_count('OpsDec');
      ($hold,$any_undecipherable) =
        Amavis::Unpackers::decompose_mail($tempdir,$file_generator_object);
    }
    if (grep {!lookup(0,$_,@{ca('bypass_header_checks_maps')})} @recips) {
      push(@bad_headers, check_header_validity($conn,$msginfo));
    }
    if ($will_do_banned_checking) {      # check for banned file contents
      $which_section = "check-banned";
      my($banned_part_descr_ref, $banned_matching_keys_ref, $banned_rhs_ref) =
        check_for_banned_names($parts_root);
      for my $j (0..$#{$banned_part_descr_ref}) {
        if ($banned_rhs_ref->[$j] =~ /^DISCARD/) {
          $banned_dsn_suppress = 1;
          do_log(4,sprintf('BANNED:%s: %s', $banned_rhs_ref->[$j],
                           $banned_part_descr_ref->[$j]));
        }
      }
      push(@banned_filename, @$banned_part_descr_ref);
    }
    $cache_entry->{'FB'} = \@banned_filename;
    $cache_entry->{'FS'} = $banned_dsn_suppress;

    if ($virus_presence_checked) {
      do_log(5, "virus_presence cached, skipping virus_scan");
    } elsif (!$extra_code_antivirus) {
      do_log(5, "no anti-virus code loaded, skipping virus_scan");
    } elsif (!grep {!lookup(0,$_,@{ca('bypass_virus_checks_maps')})} @recips) {
      do_log(5, "bypassing of virus checks requested");
    } elsif ($hold ne '') {  # protect virus scanner from mail bombs
      do_log(0, "NOTICE: Virus scanning skipped: $hold");
      $will_do_virus_scanning = 0;
    } else {
      if (!$will_do_virus_scanning)
        { do_log(-1, "NOTICE: will_do_virus_scanning is false???") }
      if (!defined($msginfo->mime_entity)) {
        $which_section = "mime_decode-3";
        my($ent); ($ent,$mime_err) = mime_decode($fh, $tempdir, $parts_root);
        $msginfo->mime_entity($ent);
        prolong_timer($which_section);
      }
      # special case to make available a complete mail file for inspection
      if ($mime_err ne '' ||
          lookup(0,'MAIL',@keep_decoded_original_maps) ||
          $any_undecipherable && lookup(0,'MAIL-UNDECIPHERABLE',
                                        @keep_decoded_original_maps)) {
        # keep the original email.txt by making a hard link to it in ./parts/
        $which_section = "linking-to-MAIL";
        my($newpart_obj) = Amavis::Unpackers::Part->new("$tempdir/parts",
                                                        $parts_root);
        my($newpart) = $newpart_obj->full_name;
        do_log(2, "providing full original message to scanners as $newpart".
           (!$any_undecipherable ?'' :", $any_undecipherable undecipherable").
           ($mime_err eq '' ? '' : ", MIME error: $mime_err") );
        link($msginfo->mail_text_fn, $newpart)
          or die sprintf("Can't create hard link %s to %s: %s",
                         $newpart, $msginfo->mail_text_fn, $!);
        $newpart_obj->type_short('MAIL');
        $newpart_obj->type_declared('message/rfc822');
      }
      $which_section = "virus_scan";
      # some virus scanners behave badly if interrupted,
      # so for now just turn off the timer
      my($remaining_time) = alarm(0);  # check time left, stop timer
      my($av_ret);
      eval {
        my($vn, $ds);
        ($av_ret, $av_output, $vn, $ds) =
          Amavis::AV::virus_scan($tempdir, $child_task_count==1, $parts_root);
        @virusname = @$vn; @detecting_scanners = @$ds;  # copy
      };
      prolong_timer($which_section, $remaining_time);   # restart timer
      if ($@ ne '') {
        chomp($@);
        if ($@ eq "timed out") {
          @virusname = (); $av_ret = 0;  # assume not a virus!
          do_log(-1, "virus_scan TIMED OUT, ASSUME NOT A VIRUS !!!");
        } else {
          $hold = "virus_scan: $@";  # request HOLD
          $av_ret = 0;               # pretend it was ok (msg should be held)
          die "$hold\n";             # die, TEMPFAIL is preferred to HOLD
        }
      }
      snmp_count('OpsVirusCheck');
      defined($av_ret) or die "All virus scanners failed!";
      @$cache_entry{'Vt','VO','VN','VD'} =
        ($now, $av_output, \@virusname, \@detecting_scanners);
      $virus_presence_checked = 1;
    }

    my($sender_contact,$sender_source);
    if (!@virusname) { $sender_contact = $sender_source = $msginfo->sender }
    else {
      ($sender_contact,$sender_source) = best_try_originator(
                        $msginfo->sender, $msginfo->mime_entity, \@virusname);
      section_time('best_try_originator');
    }
    $msginfo->sender_contact($sender_contact);  # save it
    $msginfo->sender_source($sender_source);    # save it

    # consider doing spam scanning
    if (!$extra_code_antispam) {
      do_log(5, "no anti-spam code loaded, skipping spam_scan");
    } elsif (@virusname || @banned_filename) {
      do_log(5, "infected or banned contents, skipping spam_scan");
    } elsif (!grep {!lookup(0,$_,@{ca('bypass_spam_checks_maps')})} @recips) {
      do_log(5, "bypassing of spam checks requested");
    } else {
      $which_section = "spam-wb-list";
      my($any_wbl, $all_wbl) = Amavis::SpamControl::white_black_list(
                     $conn, $msginfo, $sql_wblist, $user_id_sql, $ldap_policy);
      section_time($which_section);
      if ($all_wbl) {
        do_log(5, "sender white/blacklisted, skipping spam_scan");
      } elsif ($spam_presence_checked) {
        do_log(5, "spam_presence cached, skipping spam_scan");
      } else {
        $which_section = "spam_scan";
        ($spam_level, $spam_status, $spam_report) =
          Amavis::SpamControl::spam_scan($conn, $msginfo);
        prolong_timer($which_section);
        snmp_count('OpsSpamCheck');
        @$cache_entry{'St','SL','SS','SR'} =
          ($now, $spam_level, $spam_status, $spam_report);
        $spam_presence_checked = 1;
      }
    }

    # store to cache
    $cache_entry->{'atime'} = $now_utc_iso8601;   # update accessed timestamp
    $body_digest_cache->set($body_digest,$cache_entry,
                            $now_utc_iso8601,$expires_utc_iso8601)
      if $body_digest_cache && defined $body_digest;
    $cache_entry = undef;  # discard the object, it is no longer needed
    section_time('update_cache');

    snmp_count("virus.byname.$_")  for @virusname;

    # SECOND: now that we know what we got, decide what to do with it

    my($considered_spam_by_some_recips,$considered_oversize_by_some_recips);

    if (@virusname || @banned_filename) {  # virus or banned filename found
      # bad_headers do not enter this section, although code is ready for them;
      # we'll handle bad headers later, if mail turns out not to be spam
      $which_section = "deal_with_virus_or_banned";
      my($final_destiny) = @virusname       ? c('final_virus_destiny')
                         : @banned_filename ? c('final_banned_destiny')
                         : @bad_headers     ? c('final_bad_header_destiny')
                         : D_PASS;
      for my $r (@{$msginfo->per_recip_data}) {
        next  if $r->recip_done;           # already dealt with
        if ($final_destiny == D_PASS) {
          # recipient wants this message, malicious or not
        } elsif ((!@virusname ||           # not a virus or we want it
                  lookup(0,$r->recip_addr, @{ca('virus_lovers_maps')})) &&
                 (!@banned_filename ||     # not banned or we want it
                  lookup(0,$r->recip_addr, @{ca('banned_files_lovers_maps')})) &&
                 (!@bad_headers ||         # not bad header or we want it
                  lookup(0,$r->recip_addr, @{ca('bad_header_lovers_maps')})) )
        {
          # clean, or recipient wants it
        } else {  # change mail destiny for those not wanting malware
          $r->recip_destiny($final_destiny);
          my($reason);
          if (@virusname)
            { $reason = "VIRUS: "  . join(", ", @virusname) }
          elsif (@banned_filename)
            { $reason = "BANNED: " . join(", ", @banned_filename) }
          elsif (@bad_headers)
            { $reason = "BAD_HEADER: " . join(", ", @bad_headers) }
          $reason = substr($reason,0,100)."..."  if length($reason) > 100+3;
          $r->recip_smtp_response( ($final_destiny == D_DISCARD
                                    ? "250 2.7.1 Ok, discarded"
                                    : "550 5.7.1 Message content rejected") .
                                   ", id=$am_id - $reason");
          $r->recip_done(1);
        }
      }
      $which_section = "virus_or_banned quar+notif";
      ensure_mime_entity($msginfo, $fh, $tempdir, \@virusname, $parts_root);
      do_virus($conn, $msginfo);  # send notifications, quarantine it

    } else {                      # perhaps some recips consider it spam?
        # spaminess is an individual matter, we must compare spam level
        # with each recipient setting, there is no global criterium
        # that the mail is spam
      $which_section = "deal_with_spam";
      my($final_destiny) = c('final_spam_destiny');
      for my $r (@{$msginfo->per_recip_data}) {
        next  if $r->recip_done;  # already dealt with
        my($kill_level);
        $kill_level = lookup(0,$r->recip_addr, @{ca('spam_kill_level_maps')});
        my($boost) = $r->recip_score_boost;
        my($should_be_killed) =
          !$r->recip_whitelisted_sender &&
          ($r->recip_blacklisted_sender ||
           (defined $spam_level && defined $kill_level ?
                     $spam_level+$boost >= $kill_level : 0) );
        next  unless $should_be_killed;
        # message is at or above kill level, or sender is blacklisted
        $considered_spam_by_some_recips = 1;
        if ($final_destiny == D_PASS ||
            lookup(0,$r->recip_addr, @{ca('spam_lovers_maps')})) {
          # do nothing, recipient wants this message, even if spam
        } else {  # change mail destiny for those not wanting spam
          ll(3) && do_log(3,sprintf(
            "SPAM-KILL, %s -> %s, hits=%s, kill=%s%s",
            qquote_rfc2821_local($msginfo->sender, $r->recip_addr),
            (!defined $spam_level ? 'x'
             : !defined $boost ? $spam_level
             : $boost >= 0 ? $spam_level.'+'.$boost : $spam_level.$boost),
            !defined $kill_level ? 'x' : 0+sprintf("%.3f",$kill_level),
            $r->recip_blacklisted_sender ? ', BLACKLISTED' : ''));
          $r->recip_destiny($final_destiny);
          my($reason) =
            $r->recip_blacklisted_sender ? 'sender blacklisted' : 'UBE';
          $r->recip_smtp_response(($final_destiny == D_DISCARD
                              ? "250 2.7.1 Ok, discarded, $reason"
                              : "550 5.7.1 Message content rejected, $reason"
                            ) . ", id=$am_id");
          $r->recip_done(1);
        }
      }
      if ($considered_spam_by_some_recips) {
        $which_section = "spam quar+notif";
        ensure_mime_entity($msginfo, $fh, $tempdir, \@virusname, $parts_root);
        do_spam($conn, $msginfo);
        section_time('post-do_spam');
      }
    }

    if (@bad_headers) {  # invalid mail headers
      $which_section = "deal_with_bad_headers";
      ensure_mime_entity($msginfo, $fh, $tempdir, \@virusname, $parts_root);
      my($is_bulk) = $msginfo->mime_entity->head->get('precedence', 0);
      chomp($is_bulk);
      do_log(1,sprintf("BAD HEADER from %s<%s>: %s",
                       $is_bulk eq '' ? '' : "($is_bulk) ", $msginfo->sender,
                       $bad_headers[0]));
      $is_bulk = $is_bulk=~/^(bulk|list|junk)/i ? $1 : undef;
      if (defined $is_bulk || $msginfo->sender eq '') {
        # have mercy on mailing lists and DSN
      } else {
        my($any_badh); my($final_destiny) = c('final_bad_header_destiny');
        for my $r (@{$msginfo->per_recip_data}) {
          next  if $r->recip_done;  # already dealt with
          if ($final_destiny == D_PASS ||
              lookup(0,$r->recip_addr, @{ca('bad_header_lovers_maps')}))
          {
            # recipient wants this message, broken or not
          } else {  # change mail destiny for those not wanting it
            $r->recip_destiny($final_destiny);
            my($reason) = (split(/\n/, $bad_headers[0]))[0];
            $r->recip_smtp_response(($final_destiny == D_DISCARD
                        ? "250 2.6.0 Ok, message with invalid header discarded"
                        : "554 5.6.0 Message with invalid header rejected"
                      ) . ", id=$am_id - $reason");
            $r->recip_done(1);
            $any_badh++;
          }
        }
        if ($any_badh) {  # we use the same code as for viruses or banned
                          # but only if it wasn't already handled as spam
          do_virus($conn, $msginfo);  # send notifications, quarantine it
        }
      }
      section_time($which_section);
    }

    my($mslm) = ca('message_size_limit_maps');
    if (@$mslm) {
      $which_section = "deal_with_mail_size";
      my($mail_size) = $msginfo->msg_size;
      for my $r (@{$msginfo->per_recip_data}) {
        next  if $r->recip_done;  # already dealt with
        my($size_limit) = lookup(0,$r->recip_addr, @$mslm);
        $size_limit = 65536
          if $size_limit && $size_limit < 65536;  # rfc2821
        if ($size_limit && $mail_size > $size_limit) {
          do_log(1,sprintf("OVERSIZE from <%s> to <%s>: size %s B, limit %s B",
                    $msginfo->sender, $r->recip_addr, $mail_size, $size_limit))
            if !$considered_oversize_by_some_recips;
          $considered_oversize_by_some_recips = 1;
          $r->recip_destiny(D_BOUNCE);
          $r->recip_smtp_response("552 5.3.4 Message size ($mail_size B) ".
            "exceeds fixed maximium message size of $size_limit B, id=$am_id");
          $r->recip_done(1);
        }
      }
      section_time($which_section);
    }

    $which_section = "snooping_quarantine";
#   do_quarantine($conn, $msginfo, Amavis::Out::EditHeader->new,
#                 ['sender-quarantine'], 'local:user-%i-%n'
#     ) if lookup(0,$msginfo->sender, ['user1@domain','user2@domain']);
#   do_quarantine($conn, $msginfo, Amavis::Out::EditHeader->new,
#     ['incoming-quarantine'], 'local:all-%i-%n');
#   do_quarantine($conn, $msginfo, Amavis::Out::EditHeader->new,
#     ['archive@localhost'],   'local:all-%i-%n');
#   section_time($which_section);

    $which_section = "checking_sender_ip";
    my(@recips) = @{$msginfo->recips};
    if ($considered_spam_by_some_recips && @recips==1 &&
        $recips[0] eq $msginfo->sender &&
        lookup(0,$msginfo->sender, @{ca('local_domains_maps')}))
    {
      my($cl_ip) = $msginfo->client_addr;
      if ($cl_ip eq '') {
        ensure_mime_entity($msginfo, $fh, $tempdir, \@virusname, $parts_root);
        $cl_ip = fish_out_ip_from_received(
                               $msginfo->mime_entity->head->get('received',0));
      }
      if ($cl_ip ne '') {
        my($is_our_ip) =
          eval { lookup_ip_acl($cl_ip,@{ca('mynetworks_maps')}) };
        if ($@ ne '' && !$is_our_ip) {
          do_log(0, "FAKE SENDER, SPAM: $cl_ip, " . $msginfo->sender);
          $msginfo->sender_contact(undef);  # believed to be faked
        }
      }
    }

    if ($hold ne '') { do_log(-1, "NOTICE: HOLD reason: $hold") }

    # THIRD: now that we know what to do with it, do it!

    my($which_content_counter) =
        @virusname       ? 'ContentVirusMsgs'
      : @banned_filename ? 'ContentBannedMsgs'
      : $considered_spam_by_some_recips ? 'ContentSpamMsgs'
      : @bad_headers     ? 'ContentBadHdrMsgs'
      : $considered_oversize_by_some_recips ? 'ContentOversizeMsgs'
      : 'ContentCleanMsgs';
    snmp_count($which_content_counter);

    my($hdr_edits) = $msginfo->header_edits;
    if (!$hdr_edits) {
      $hdr_edits = Amavis::Out::EditHeader->new;
      $msginfo->header_edits($hdr_edits);
    }
    if ($msginfo->delivery_method eq '') {   # AM.PDP or AM.CL (milter)
      $which_section = "AM.PDP headers";
      ensure_mime_entity($msginfo, $fh, $tempdir, \@virusname, $parts_root);
      $hdr_edits = add_forwarding_header_edits_common(
        $conn, $msginfo, $hdr_edits, $hold, $any_undecipherable,
        $virus_presence_checked, $spam_presence_checked, undef);
      my($done_all);
      my($recip_cl);  # ref to a list of similar recip objects
      ($hdr_edits, $recip_cl, $done_all) =
        add_forwarding_header_edits_per_recip(
          $conn, $msginfo, $hdr_edits, $hold, $any_undecipherable,
          $virus_presence_checked, $spam_presence_checked, undef, undef);
      $msginfo->header_edits($hdr_edits);  # store edits (redundant?)
      if (@$recip_cl && !$done_all) {
        do_log(-1, "AM.PDP: CLIENTS REQUIRE DIFFERENT HEADERS");
      };
    } elsif (grep { !$_->recip_done } @{$msginfo->per_recip_data}) {  # forward
      # To be delivered explicitly - only to those recipients not yet marked
      # as 'done' by the above content filtering sections.
      $which_section = "forwarding";
      ensure_mime_entity($msginfo, $fh, $tempdir, \@virusname, $parts_root);
      # a quick-fix solution to defang dangerous contents
      my($mail_defanged);  # nonempty indicates mail body is replaced
      my($explanation);
      if ($hold ne '') { $explanation =
        "WARNING: possible mail bomb, NOT CHECKED FOR VIRUSES:\n  $hold";
      } elsif (@virusname) { $explanation =
        'WARNING: contains virus '.join(' ',@virusname)  if c('defang_virus');
      } elsif (@banned_filename) { $explanation =
        "WARNING: contains banned part"  if c('defang_banned');
      } elsif ($any_undecipherable) { $explanation =
        "WARNING: contains undecipherable part"  if c('defang_undecipherable');
      } elsif ($considered_spam_by_some_recips) { $explanation =
        $spam_report  if c('defang_spam');
      } elsif (@bad_headers) { $explanation =
        'WARNING: bad headers '.join(' ',@bad_headers) if c('defang_bad_header');
      } else { $explanation = '(clean)'  if c('defang_all') }
      if (defined $explanation) {  # malware
        $explanation .= "\n"  if $explanation !~ /\n\z/;
        my($s) = $explanation; $s=~s/[ \t\n]+\z//;
        if (length($s) > 100) { $s = substr($s,0,100-3) . "..." }
        do_log(1, "DEFANGING MAIL: $s");
        my($d) = defanged_mime_entity($conn,$msginfo,$explanation);
        $msginfo->mail_text($d);  # substitute mail with rewritten version
        $msginfo->mail_text_fn(undef);  # remove filename information
        $mail_defanged = 'Original mail wrapped as attachment (defanged)';
        section_time('defang');
      }
      $hdr_edits = add_forwarding_header_edits_common(
        $conn, $msginfo, $hdr_edits, $hold, $any_undecipherable,
        $virus_presence_checked, $spam_presence_checked, $mail_defanged);
      for (;;) {  # do the delivery
        my($r_hdr_edits) = Amavis::Out::EditHeader->new;  # per-recip edits set
        $r_hdr_edits->inherit_header_edits($hdr_edits);
        my($done_all);
        my($recip_cl);  # ref to a list of similar recip objects
        ($r_hdr_edits, $recip_cl, $done_all) =
          add_forwarding_header_edits_per_recip(
            $conn, $msginfo, $r_hdr_edits, $hold, $any_undecipherable,
            $virus_presence_checked, $spam_presence_checked,
            $mail_defanged, undef);
        last  if !@$recip_cl;
        $msginfo->header_edits($r_hdr_edits);  # store edits
        mail_dispatch($conn, $msginfo, 0,
                      sub { my($r) = @_; grep { $_ eq $r } @$recip_cl });
        snmp_count('OutForwMsgs');
        snmp_count('OutForwHoldMsgs')  if $hold ne '';
        last  if $done_all;
      }
    }
    prolong_timer($which_section);

    $which_section = "delivery-notification";
    my($dsn_needed);
    ($smtp_resp, $exit_code, $dsn_needed) =
      one_response_for_all($msginfo, $dsn_per_recip_capable, $am_id);
    my($warnsender_with_pass) =
      $smtp_resp =~ /^2/ && !$dsn_needed &&
      (@virusname       && c('warnvirussender')  ||
       @banned_filename && c('warnbannedsender') ||
       $considered_spam_by_some_recips && c('warnspamsender') ||
       @bad_headers     && c('warnbadhsender')  );
    ll(4) && do_log(4,sprintf(
      "warnsender_with_pass=%s (%s,%s,%s,%s), dsn_needed=%s, exit=%s, %s",
      $warnsender_with_pass,
      c('warnvirussender'),c('warnbannedsender'),
      c('warnbadhsender'),c('warnspamsender'),
      $dsn_needed,$exit_code,$smtp_resp));
    if ($dsn_needed || $warnsender_with_pass) {
      ensure_mime_entity($msginfo, $fh, $tempdir, \@virusname, $parts_root);
      my($what_bad_content) = join(' & ',
        !@virusname                      ? () : 'VIRUS',
        !@banned_filename                ? () : 'BANNED',
        !$considered_spam_by_some_recips ? () : 'SPAM',
        !@bad_headers                    ? () : 'BAD HEADER',
        !$considered_oversize_by_some_recips ? () : 'OVERSIZE');
      my($notification); my($dsn_cutoff_level);
      if ($msginfo->sender eq '') {  # don't respond to null reverse path
        my($msg) = "DSN contains $what_bad_content; bounce is not bouncible";
        if (!$dsn_needed) { do_log(4, $msg) }
        else { do_log(1, "NOTICE: $msg, mail intentionally dropped") }
        $msginfo->dsn_sent(2);       # pretend the message was bounced
      } elsif ($msginfo->sender_contact eq '') {
        my($msg) = sprintf("Not sending DSN to believed-to-be-faked "
                           . "sender <%s>, mail containing %s",
                           $msginfo->sender, $what_bad_content);
        if (!$dsn_needed) { do_log(4, $msg) }
        else { do_log(2, "NOTICE: $msg intentionally dropped") }
        $msginfo->dsn_sent(2);       # pretend the message was bounced
      } elsif ($banned_dsn_suppress) {
        my($msg) = "Not sending DSN, as suggested by banned rule";
        if (!$dsn_needed) { do_log(4, $msg) }
        else { do_log(1, "NOTICE: $msg, mail intentionally dropped") }
        $msginfo->dsn_sent(2);  # pretend the message was bounced
      } elsif (defined $spam_level &&
               !grep { $spam_level + $_->recip_score_boost <
                       lookup(0,$_->recip_addr,
                              @{ca('spam_dsn_cutoff_level_maps')}) }
                     @{$msginfo->per_recip_data} ) {
        my($msg) = "Not sending DSN, spam level exceeds DSN cutoff level";
        if (!$dsn_needed) { do_log(4, $msg) }
        else { do_log(1, "NOTICE: $msg, mail intentionally dropped") }
        $msginfo->dsn_sent(2);  # pretend the message was bounced
      } elsif ((@virusname || @banned_filename ||
                $considered_spam_by_some_recips || @bad_headers ||
                $considered_oversize_by_some_recips) &&
          $msginfo->mime_entity->head->get('precedence',0)
                                                      =~ /^(bulk|list|junk)/i )
      {
        my($msg) = sprintf("Not sending DSN in response to bulk mail "
                           . "from <%s> containing %s",
                           $msginfo->sender, $what_bad_content);
        if (!$dsn_needed) { do_log(4, $msg) }
        else { do_log(1, "NOTICE: $msg, mail intentionally dropped") }
        $msginfo->dsn_sent(2);       # pretend the message was bounced
      } else {  # prepare a notification
        my($which_dsn_counter,$dsnmsgref);
        ### TODO: better selection of DSN reason is needed!
        for my $r (@{$msginfo->per_recip_data}) {
          next  if !$r->recip_done;
          local($_) = $r->recip_smtp_response;
          ($which_dsn_counter,$dsnmsgref) =
              /^5.*\bVIRUS\b/ ?
                ('OutDsnVirusMsgs', cr('notify_virus_sender_templ'))
            : /^5.*\bBANNED\b/ ?
                ('OutDsnBannedMsgs',cr('notify_virus_sender_templ'))
            : /^5.*\b(?:UBE|blacklisted)\b/ ?
                ('OutDsnSpamMsgs',  cr('notify_spam_sender_templ'))
            : /^5.*\bheader\b/ ?
                ('OutDsnBadHdrMsgs',cr('notify_sender_templ'))
            :   ('OutDsnOtherMsgs', cr('notify_sender_templ'));
        }
        # generate delivery status notification according to rfc3462
        # and rfc3464 if needed
        $notification = delivery_status_notification($conn, $msginfo,
          $warnsender_with_pass, \%builtins, $dsnmsgref)  if $dsnmsgref;
        snmp_count($which_dsn_counter)  if defined $notification;
      }
      if (defined $notification) {  # dsn needed, send delivery notification
        mail_dispatch($conn, $notification, 1);
        snmp_count('OutDsnMsgs');
        my($n_smtp_resp, $n_exit_code, $n_dsn_needed) =
          one_response_for_all($notification, 0, $am_id);  # check status
        if ($n_smtp_resp =~ /^2/ && !$n_dsn_needed) {      # dsn successful?
          $msginfo->dsn_sent(1);  # mark the message as bounced
        } elsif ($n_smtp_resp =~ /^4/) {
          snmp_count('OutDsnTempFails');
          die sprintf("temporarily unable to send DSN to <%s>: %s",
                      $msginfo->sender_contact, $n_smtp_resp);
        } else {
          snmp_count('OutDsnRejects');
          do_log(-1,sprintf("NOTICE: UNABLE TO SEND DSN to <%s>: %s",
                            $msginfo->sender, $n_smtp_resp));
#         # if dsn can not be sent, try to send it to postmaster
#         $notification->recips(['postmaster']);
#         # attempt double bounce
#         mail_dispatch($conn, $notification, 1);
        }
      # $notification->purge;
      }
    }
    prolong_timer($which_section);

    # generate customized log report at log level 0 - this is usually the
    # only log entry interesting to administrators during normal operation
    $which_section = 'main_log_entry';
    my(%mybuiltins) = %builtins;  # make a local copy
    { # do a per-mail log entry
      my($s) = $spam_status; $s =~ s/^tests=//; my(@s) = split(/,/,$s);
      if (@s > 10) { $#s = 9; push(@s,"...") }
      $mybuiltins{'T'} = \@s;     # macro %T has overloaded semantics, ugly
      my($strr) = expand(cr('log_templ'), \%mybuiltins);
      for my $logline (split(/[ \t]*\n/, $$strr)) {
        do_log(0, $logline)  if $logline ne '';
      }
    }
    if (c('log_recip_templ') ne '') {  # do per-recipient log entries
      # redefine macros with a by-recipient semantics
      for my $r (@{$msginfo->per_recip_data}) {
        # recipient counter in macro %. may indicate to the template
        # that a per-recipient expansion semantics is expected
        $mybuiltins{'.'}++;
        my($recip) = $r->recip_addr;
        my($smtp_resp)   = $r->recip_smtp_response;
        my($qrecip_addr) = scalar(qquote_rfc2821_local($recip));
        $mybuiltins{'D'} = $mybuiltins{'O'} = $mybuiltins{'N'} = undef;
        if ($r->recip_destiny==D_PASS && ($smtp_resp=~/^2/ || !$r->recip_done)){
          $mybuiltins{'D'} = $qrecip_addr;
        } else {
          $mybuiltins{'O'} = $qrecip_addr;
          my($remote_mta)  = $r->recip_remote_mta;
          $mybuiltins{'N'} = sprintf("%s:%s\n   %s", $qrecip_addr,
                  ($remote_mta eq '' ? '' : " $remote_mta said:"), $smtp_resp);
        }
        my($blacklisted) = $r->recip_blacklisted_sender;
        my($whitelisted) = $r->recip_whitelisted_sender;
        my($boost)       = $r->recip_score_boost;
        my($is_local,$tag_level,$tag2_level,$kill_level);
        $is_local   = lookup(0,$recip, @{ca('local_domains_maps')});
        $tag_level  = lookup(0,$recip, @{ca('spam_tag_level_maps')});
        $tag2_level = lookup(0,$recip, @{ca('spam_tag2_level_maps')});
        $kill_level = lookup(0,$recip, @{ca('spam_kill_level_maps')});
        my($do_tag) =
            $blacklisted || !defined $tag_level ||
            (defined $spam_level ?  $spam_level+$boost >= $tag_level
                                 : $whitelisted ? (-10 >= $tag_level) : 0);
        my($do_tag2) = !$whitelisted &&
          ( $blacklisted ||
            (defined $spam_level && defined $tag2_level ?
                                    $spam_level+$boost >= $tag2_level : 0) );
        my($do_kill) = !$whitelisted &&
          ( $blacklisted ||
            (defined $spam_level && defined $kill_level ?
                                    $spam_level+$boost >= $kill_level : 0) );
        for ($do_tag,$do_tag2,$do_kill) { $_ = $_ ? 'Y' : '0' }  # normalize
        for ($is_local)                 { $_ = $_ ? 'L' : '0' }  # normalize
        for ($tag_level,$tag2_level,$kill_level) { $_ = 'x'  if !defined($_) }
        $mybuiltins{'R'} = $recip;
        $mybuiltins{'c'} = !defined $spam_level ? '-'
                                        : 0+sprintf("%.3f",$spam_level+$boost);
        @mybuiltins{('0','1','2','k')} = ($is_local,$do_tag,$do_tag2,$do_kill);
        # macros %3, %4, %5 are experimental, until a better solution is found
        @mybuiltins{('3','4','5')}     = ($tag_level,$tag2_level,$kill_level);
        my($strr) = expand(cr('log_recip_templ'), \%mybuiltins);
        for my $logline (split(/[ \t]*\n/, $$strr)) {
          do_log(0, $logline)  if $logline ne '';
        }
      }
    }
    section_time($which_section);

    $which_section = 'finishing';
    $snmp_db->update_counters  if defined $snmp_db;
    section_time('update_snmp');

  };  # end eval
  if ($@ ne '') {
    chomp($@);
    $preserve_evidence = 1;
    my($msg) = "$which_section FAILED: $@";
    do_log(-2, "TROUBLE in check_mail: $msg");
    $smtp_resp = "451 4.5.0 Error in processing, id=$am_id, $msg";
    $exit_code = EX_TEMPFAIL;
    for my $r (@{$msginfo->per_recip_data}) {
      next  if $r->recip_done;
      $r->recip_smtp_response($smtp_resp); $r->recip_done(1);
    }
  }
# if ($hold ne '') {
#   do_log(-1, "NOTICE: Evidence is to be preserved: $hold");
#   $preserve_evidence = 1;
# }
  if (!$preserve_evidence && debug_oneshot()) {
    do_log(0, "DEBUG_ONESHOT CAUSES EVIDENCE TO BE PRESERVED");
    $preserve_evidence = 1;
  }

  my($which_counter) = 'InUnknown';
  if    ($smtp_resp =~ /^4/) { $which_counter = 'InTempFails' }
  elsif ($smtp_resp =~ /^5/) { $which_counter = 'InRejects' }
  elsif ($smtp_resp =~ /^2/) {
    my($dsn_sent) = $msginfo->dsn_sent;
    if (!$dsn_sent) { $which_counter = $msginfo->delivery_method ne ''
                                       ? 'InAccepts' : 'InContinues' }
    elsif ($dsn_sent==1) { $which_counter = 'InBounces' }
    elsif ($dsn_sent==2) { $which_counter = 'InDiscards' }
  }
  snmp_count($which_counter);
  $snmp_db->register_proc('.')  if defined $snmp_db;  # content checking done

  $MSGINFO = undef;  # release global reference to msginfo object
  ($smtp_resp, $exit_code, $preserve_evidence);
}

# Ensure we have $msginfo->$entity defined when we expect we'll need it,
# e.g. to construct notifications. While at it, also get us some additional
# information on sender from the header.
#
sub ensure_mime_entity($$$$$) {
  my($msginfo, $fh, $tempdir, $virusname_list, $parts_root) = @_;
  if (!defined($msginfo->mime_entity)) {
    # header may not have been parsed yet, e.g. if the result was cached
    my($ent,$mime_err) = mime_decode($fh, $tempdir, $parts_root);
    $msginfo->mime_entity($ent);
    prolong_timer("ensure_mime_entity");
  }
}

sub add_forwarding_header_edits_common($$$$$$) {
  my($conn, $msginfo, $hdr_edits, $hold, $any_undecipherable,
     $virus_presence_checked, $spam_presence_checked, $mail_defanged) = @_;

  $hdr_edits->prepend_header('Received',
    received_line($conn,$msginfo,am_id(),1), 1)
    if $insert_received_line && $msginfo->delivery_method ne '';
  # discard existing X-Amavis-Hold header field, only allow our own
  $hdr_edits->delete_header('X-Amavis-Hold');
  if ($hold ne '') {
    $hdr_edits->append_header('X-Amavis-Hold', $hold);
    do_log(-1, "Inserting header field: X-Amavis-Hold: $hold");
  }
  if ($mail_defanged ne '') {
    # prepend Resent-* header fields, they must precede
    # corresponding Received header field (pushed in reverse order)
    $hdr_edits->prepend_header('Resent-Message-ID',
                               sprintf('<RE%s@%s>',am_id(),$myhostname) );
    $hdr_edits->prepend_header('Resent-Date',
                               rfc2822_timestamp($msginfo->rx_time));
    $hdr_edits->prepend_header('Resent-From', c('hdrfrom_notify_recip'));
    # append X-Amavis-Modified
    my($msg) = "$mail_defanged by $myhostname";
    $hdr_edits->append_header('X-Amavis-Modified', $msg);
    do_log(1, "Inserting header field: X-Amavis-Modified: $msg");
  }
  if ($extra_code_antivirus) {
    $hdr_edits->delete_header('X-Amavis-Alert');
    $hdr_edits->delete_header(c('X_HEADER_TAG'))
      if c('remove_existing_x_scanned_headers') &&
         (c('X_HEADER_LINE') ne '' && c('X_HEADER_TAG') =~ /^[!-9;-\176]+\z/);
  }
  if ($extra_code_antispam) {
    if (c('remove_existing_spam_headers')) {
      my(@which_headers) = qw(
          X-Spam-Status X-Spam-Level X-Spam-Flag X-Spam-Score
          X-Spam-Report X-Spam-Checker-Version X-Spam-Tests);
      push(@which_headers, qw(X-DSPAM-Result X-DSPAM-Signature X-DSPAM-User
                              X-DSPAM-Probability) )  if defined $dspam;
      for my $h (@which_headers) { $hdr_edits->delete_header($h) }
    }
  # $hdr_edits->append_header('X-Spam-Checker-Version',
  # sprintf("SpamAssassin %s (%s) on %s", Mail::SpamAssassin::Version(),
  #         $Mail::SpamAssassin::SUB_VERSION, $myhostname));
  }
  $hdr_edits;
}

# Prepare header edits for the first not-yet-done recipient.
# Inspect remaining recipients, returning the list of recipient objects
# that are receiving the same set of header edits (so the message may be
# delivered to them in one SMTP transaction).
#
sub add_forwarding_header_edits_per_recip($$$$$$$$$) {
  my($conn, $msginfo, $hdr_edits, $hold, $any_undecipherable,
     $virus_presence_checked, $spam_presence_checked,
     $mail_defanged, $filter) = @_;
  my(@recip_cluster);
  my(@per_recip_data) = grep { !$_->recip_done && (!$filter || &$filter($_)) }
                             @{$msginfo->per_recip_data};
  my($per_recip_data_len) = scalar(@per_recip_data);
  my($first) = 1; my($cluster_key); my($cluster_full_spam_status);
  for my $r (@per_recip_data) {
    my($recip) = $r->recip_addr;
    my($is_local,$blacklisted,$whitelisted,$boost,$tag_level,$tag2_level,
       $do_tag_virus_checked,$do_tag_virus,$do_tag_banned,$do_tag_badh,
       $do_tag,$do_tag2,$do_subj,$do_subj_u,$subject_tag,$subject_tag2);
    $is_local = lookup(0,$recip, @{ca('local_domains_maps')});
    $do_tag_badh  = @bad_headers &&
                    !lookup(0,$recip,@{ca('bypass_header_checks_maps')});
    $do_tag_banned= @banned_filename &&
                    !lookup(0,$recip,@{ca('bypass_banned_checks_maps')});
    $do_tag_virus = @virusname &&
                    !lookup(0,$recip,@{ca('bypass_virus_checks_maps')});
    $do_tag_virus_checked =
      $virus_presence_checked &&
      (c('X_HEADER_LINE') ne '' && c('X_HEADER_TAG') =~ /^[!-9;-\176]+\z/) &&
      !lookup(0,$recip,@{ca('bypass_virus_checks_maps')});
    if ($extra_code_antispam) {
      my($bypassed);
      $blacklisted = $r->recip_blacklisted_sender;
      $whitelisted = $r->recip_whitelisted_sender;
      $boost       = $r->recip_score_boost;
      $bypassed    = lookup(0,$recip, @{ca('bypass_spam_checks_maps')});
      $tag_level   = lookup(0,$recip, @{ca('spam_tag_level_maps')});
      $tag2_level  = lookup(0,$recip, @{ca('spam_tag2_level_maps')});
      # spam-related headers should _not_ be inserted for:
      #  - nonlocal recipients (outgoing mail), as a matter of courtesy
      #    to our users;
      #  - recipients matching bypass_spam_checks: even though spam checking
      #    may have been done for other reasons, these recipients do not
      #    expect such headers, so let's pretend the check has not been done
      #    and not insert spam-related headers for them
      $do_tag = $is_local && !$bypassed &&
        ( $blacklisted || !defined $tag_level ||
          (defined $spam_level ? $spam_level+$boost  >= $tag_level
                               : $whitelisted ? (-10 >= $tag_level) : 0) );
      $do_tag2 = $is_local && !$bypassed && !$whitelisted &&
        ( $blacklisted ||
          (defined $spam_level && defined $tag2_level ?
            $spam_level+$boost >= $tag2_level : 0) );
      $subject_tag2 = !$do_tag2 ? undef
                           : lookup(0,$recip, @{ca('spam_subject_tag2_maps')});
      $subject_tag  = !($do_tag||$do_tag2) ? undef
                           : lookup(0,$recip, @{ca('spam_subject_tag_maps')});
      $do_subj = ($subject_tag2 ne '' || $subject_tag ne '') &&
                 lookup(0,$recip, @{ca('spam_modifies_subj_maps')});
    }
    if ($hold ne '' || $any_undecipherable) { # adding *UNCHECKED* subject tag?
       $do_subj_u = $is_local && c('undecipherable_subject_tag') ne '' &&
                    !(@virusname && !lookup(0,$recip,
                                          @{ca('bypass_virus_checks_maps')}) );
    }
    # normalize
    for ($do_tag_virus_checked, $do_tag_virus, $do_tag_banned, $do_tag_badh,
         $do_tag, $do_tag2, $do_subj, $do_subj_u, $is_local) { $_ = $_?1:0 }
    my($spam_level_bar, $full_spam_status);
    if ($do_tag || $do_tag2) {
      my($slc) = c('sa_spam_level_char');
      $spam_level_bar =
        $slc x min($blacklisted ? 64 : $spam_level+$boost, 64)  if $slc ne '';
      my($s) = $spam_status; $s =~ s/,/,\n /g;  # allow header field wrapping
      $full_spam_status = sprintf("%s,\n hits=%s\n%s%s %s%s",
        $do_tag2 ? 'Yes' : 'No',
        !defined $spam_level  ? 'x' : 0+sprintf("%.3f",$spam_level+$boost),
        !defined $tag_level   ? '' : sprintf(" tagged_above=%s\n",$tag_level),
        !defined $tag2_level  ? '' : sprintf(" required=%s\n",  $tag2_level),
        join('', $blacklisted ? "BLACKLISTED\n " : (),
                 $whitelisted ? "WHITELISTED\n " : ()),
        $s);
    }
    my($key) = join("\000",
      $do_tag_virus_checked, $do_tag_virus, $do_tag_banned, $do_tag_badh,
      $do_tag, $do_tag2, $do_subj, $do_subj_u, $spam_level_bar,
      $full_spam_status);
    if ($first) {
      ll(4) && do_log(4,sprintf(
        "headers CLUSTERING: NEW CLUSTER <%s>: ".
        "hits=%s, tag=%s, tag2=%s, subj=%s, subj_u=%s, local=%s, bl=%s",
        $recip,
        (!defined $spam_level ? 'x'
         : !defined $boost ? $spam_level
         : $boost >= 0 ? $spam_level.'+'.$boost : $spam_level.$boost),
        $do_tag, $do_tag2, $do_subj, $do_subj_u, $is_local, $blacklisted));
      $cluster_key = $key; $cluster_full_spam_status = $full_spam_status;
    } elsif ($key eq $cluster_key) {
      do_log(5,"headers CLUSTERING: <$recip> joining cluster");
    } else {
      do_log(5,"headers CLUSTERING: skipping <$recip> (tag=$do_tag, tag2=$do_tag2)");
      next;  # this recipient will be handled in some later pass
    }

    if ($first) {  # insert headers required for the new cluster
      if ($do_tag_virus_checked) {
        $hdr_edits->append_header(c('X_HEADER_TAG'), c('X_HEADER_LINE'));
      }
      if ($do_tag_virus) {
        $hdr_edits->append_header('X-Amavis-Alert',
          "INFECTED, message contains virus:\n " . join(",\n ",@virusname), 1);
      }
      if ($do_tag_banned) {
        my(@b) = @banned_filename>3 ? @banned_filename[0..2] :@banned_filename;
        my($msg) = "BANNED, message contains "
          . (@banned_filename==1 ? 'part' : 'parts') . ":\n "
          . join(",\n ", @b) . (@banned_filename > @b ? ", ..." : "");
        $hdr_edits->append_header('X-Amavis-Alert', $msg, 1);
      }
      if ($do_tag_badh) {
        $hdr_edits->append_header('X-Amavis-Alert',
                                  'BAD HEADER '.$bad_headers[0], 1);
      }
      if ($do_tag) {
        $hdr_edits->append_header('X-Spam-Status', $full_spam_status, 1);
#       $hdr_edits->append_header('X-Spam-Score',
#         !defined $spam_level ? '-' : 0+sprintf("%.3f",$spam_level+$boost) );
        $hdr_edits->append_header('X-Spam-Level',
                                  $spam_level_bar) if defined $spam_level_bar;
      }
      if ($do_tag2) {
        $hdr_edits->append_header('X-Spam-Flag', 'YES');
        $hdr_edits->append_header('X-Spam-Report', $spam_report,1)
          if $spam_report ne '' && c('sa_spam_report_header');
      }
      if ($do_subj || $do_subj_u) {
        my($s) = '';
        if ($do_subj_u) {
          $s = c('undecipherable_subject_tag');
          do_log(3,"adding $s, $any_undecipherable, $hold");
        }
        if ($do_subj) {
          $s .= $do_tag2 && $subject_tag2 ne '' ? $subject_tag2 : $subject_tag;
        }
        my($entity) = $msginfo->mime_entity;
        if (defined $entity && defined $entity->head->get('Subject',0)) {
          $hdr_edits->edit_header('Subject',
                                 sub { $_[1]=~/^([ \t]?)(.*)\z/s; ' '.$s.$2 });
        } else {  # no Subject header field present, insert one
          $s =~ s/[ \t]+\z//;  # trim
          $hdr_edits->append_header('Subject', $s);
          if (!defined $entity) {
            do_log(-1,"WARN: no MIME entity!? Inserting 'Subject'");
          } else {
            do_log(0,"INFO: no existing header field 'Subject', inserting it");
          }
        }
      }
    }
    push(@recip_cluster,$r);  $first = 0;

    my($delim) = c('recipient_delimiter');
    if ($delim ne '' && $is_local) {
      # append address extensions to mailbox names if desired
      my($ext_map) = $do_tag_virus  ? ca('addr_extension_virus_maps')
                   : $do_tag_banned ? ca('addr_extension_banned_maps')
                   : $do_tag2       ? ca('addr_extension_spam_maps')
                   : $do_tag_badh   ? ca('addr_extension_bad_header_maps')
                   : undef;
      my($ext) = !ref($ext_map) ? undef : lookup(0,$recip, @$ext_map);
      if ($ext ne '') {
        my($localpart,$domain) = split_address($recip);
        if (c('replace_existing_extension'))  # strip existing address extensions
          { $localpart =~ s/^(.*?)\Q$delim\E.*\z/$1/s }
        do_log(5,"adding address extension $delim$ext to $localpart$domain");
        $r->recip_addr_modified($localpart.$delim.$ext.$domain);
      }
    }
  }
  my($done_all);
  if (@recip_cluster == $per_recip_data_len) {
    do_log(5,"headers CLUSTERING: " .
             "done all $per_recip_data_len recips in one go");
    $done_all = 1;
  } else {
    ll(4) && do_log(4,sprintf(
                        "headers CLUSTERING: got %d recips out of %d: %s",
                        scalar(@recip_cluster), $per_recip_data_len,
              join(", ", map { "<" . $_->recip_addr . ">" } @recip_cluster) ));
  }
  if (defined($cluster_full_spam_status) && @recip_cluster) {
    my($s) = $cluster_full_spam_status; $s =~ s/\n[ \t]/ /g;
    ll(2) && do_log(2,sprintf("SPAM-TAG, %s -> %s, %s",
                        qquote_rfc2821_local($msginfo->sender),
                        join(',', qquote_rfc2821_local(
                                 map { $_->recip_addr } @recip_cluster)), $s));
  }
  ($hdr_edits, \@recip_cluster, $done_all);
}

sub do_quarantine($$$$$;$) {
  my($conn,$msginfo,$hdr_edits,$recips_ref,$quarantine_method,$snmp_id) = @_;
  if ($quarantine_method eq '') { do_log(5, "quarantine disabled") }
  else {
    # fudge to make %b access the body_digest of $msginfo, not of $quar_msg
    $quarantine_method =~ s/%b/$msginfo->body_digest/eg;
    my($sender) = $msginfo->sender;
    my($quar_msg) = Amavis::In::Message->new;
    $quar_msg->rx_time($msginfo->rx_time);  # copy the reception time
    $quar_msg->delivery_method($quarantine_method);
    if ($quarantine_method =~ /^bsmtp:/i) {
      $quar_msg->sender($sender);      # original sender & recipients
      $quar_msg->recips($msginfo->recips);
    } else {
      my($mftq) = c('mailfrom_to_quarantine');
      $quar_msg->sender(defined $mftq ? $mftq : $sender);
      $quar_msg->recips($recips_ref);  # e.g. per-recip quarantine
      # NOTE: RFC2821 mentions possible headers X-SMTP-MAIL and X-SMTP-RCPT
      # Exim uses: Envelope-To,  Sendmail uses X-Envelope-To;
      # No need with bsmtp, which already carries addresses in the envelope
      $hdr_edits->prepend_header('X-Envelope-To',
        join(",\n ", qquote_rfc2821_local(@{$msginfo->recips})), 1);
      $hdr_edits->prepend_header('X-Envelope-From',
        qquote_rfc2821_local($sender));
    }
    do_log(5, "DO_QUARANTINE, sender: " . $quar_msg->sender);
    $quar_msg->auth_submitter(qquote_rfc2821_local($quar_msg->sender));
    $quar_msg->auth_user(c('amavis_auth_user'));
    $quar_msg->auth_pass(c('amavis_auth_pass'));
    $quar_msg->header_edits($hdr_edits);
    $quar_msg->mail_text($msginfo->mail_text);  # use the same mail contents

    snmp_count('QuarMsgs');
    mail_dispatch($conn, $quar_msg, 1);
    my($n_smtp_resp, $n_exit_code, $n_dsn_needed) =
      one_response_for_all($quar_msg, 0, am_id());  # check status
    if ($n_smtp_resp =~ /^2/ && !$n_dsn_needed) {   # ok
      snmp_count($snmp_id eq '' ? 'QuarOther' : $snmp_id);
    } elsif ($n_smtp_resp =~ /^4/) {
      snmp_count('QuarAttemptTempFails');
      die "temporarily unable to quarantine: $n_smtp_resp";
    } else {  # abort if quarantining not successful
      snmp_count('QuarAttemptFails');
      die "Can not quarantine: $n_smtp_resp";
    }
    my(@qa); my(%seen);  # collect unique quarantine mailboxes or addresses
    for my $r (@{$quar_msg->per_recip_data}) {
      my($mbxname) = $r->recip_mbxname;
      $mbxname = $r->recip_final_addr  if !defined($mbxname);
      push(@qa,$mbxname)  if $mbxname ne '' && !$seen{$mbxname}++;
    }
    $msginfo->quarantined_to(\@qa);  # remember where it was quarantined to
    do_log(5, "DO_QUARANTINE done");
  }
}

# If virus/banned/bad-header found - quarantine it and send notifications
sub do_virus($$) {
  my($conn, $msginfo) = @_;
  my($q_method, $quarantine_to_maps_ref, $bypass_checks_maps_ref) =
    @virusname ?
      (c('virus_quarantine_method'),
       ca('virus_quarantine_to_maps'),
       ca('bypass_virus_checks_maps'))
    : @banned_filename ?
      (c('banned_files_quarantine_method'),
       ca('banned_quarantine_to_maps'),
       ca('bypass_banned_checks_maps'))
    : @bad_headers ?
      (c('bad_header_quarantine_method'),
       ca('bad_header_quarantine_to_maps'),
       ca('bypass_header_checks_maps'))
    : (undef, undef, undef);
  # suggest a name to be used as 'X-Quarantine-Id:' or file name
  $VIRUSFILE = $q_method =~ /^(?:local|bsmtp):(.*)\z/si ? $1 : "virus-%i-%n";
  $VIRUSFILE =~ s{%(.)}
    {  $1 eq 'b' ? $msginfo->body_digest
     : $1 eq 'i' ? strftime("%Y%m%d-%H%M%S",localtime($msginfo->rx_time))
     : $1 eq 'n' ? am_id()
     : $1 eq '%' ? '%' : '%'.$1 }egs;
  do_log(5, "do_virus: looking for per-recipient quarantine and admins");
  my(@q_addr,@a_addr);  # get per-recipient quarantine address(es) and admins
  for my $r (@{$msginfo->per_recip_data}) {
    my($rec) = $r->recip_addr;
    my($q);  # quarantine (pseudo) address associated with the recipient
    ($q) = lookup(0,$rec, @$quarantine_to_maps_ref);
    $q = $rec  if $q ne '' && $q_method =~ /^bsmtp:/i;  # orig.recip when BSMTP
    my($a) = lookup(0,$rec, @{ca('virus_admin_maps')});
    push(@q_addr, $q)  if $q ne '' && !grep {$_ eq $q} @q_addr;
    push(@a_addr, $a)  if $a ne '' && !grep {$_ eq $a} @a_addr;
  }
  if (@q_addr) {  # do the quarantining
    # prepare header edits for the quarantined message
    my($hdr_edits) = Amavis::Out::EditHeader->new;
    $hdr_edits->prepend_header('X-Quarantine-Id', "<$VIRUSFILE>");
    if (@virusname) {
      $hdr_edits->append_header('X-Amavis-Alert',
        "INFECTED, message contains virus:\n " . join(",\n ", @virusname), 1);
    }
    if (@banned_filename) {
      my(@b) = @banned_filename>3 ? @banned_filename[0..2] : @banned_filename;
      my($msg) = "BANNED, message contains "
                 . (@banned_filename==1 ? 'part' : 'parts') . ":\n "
                 . join(",\n ", @b) . (@banned_filename > @b ? ", ..." : "");
      $hdr_edits->append_header('X-Amavis-Alert', $msg, 1);
    }
    if (@bad_headers) {
      $hdr_edits->append_header('X-Amavis-Alert',
                                'BAD HEADER '.$bad_headers[0], 1);
    }
    do_quarantine($conn,$msginfo,$hdr_edits,\@q_addr,$q_method,
                  @virusname ? 'QuarVirusMsgs' :
                  @banned_filename ? 'QuarBannedMsgs' :
                  @bad_headers ? 'QuarBadHMsgs' : 'QuarOther');
  }
  my($hdr_edits) = Amavis::Out::EditHeader->new;
  do_log(4, "Skip virus_admin notification, no admin specified")  if !@a_addr;
  for my $admin (@a_addr) {   # notify per-recipient virus administrators
    do_log(5, "DO_VIRUS - NOTIFICATIONS to $admin; sender: ".$msginfo->sender);
    my($notification) = Amavis::In::Message->new;
    $notification->rx_time($msginfo->rx_time);  # copy over the reception time
    $notification->delivery_method(c('notify_method'));
    $notification->sender(c('mailfrom_notify_admin'));
    $notification->auth_submitter(
      qquote_rfc2821_local(c('mailfrom_notify_admin')));
    $notification->auth_user(c('amavis_auth_user'));
    $notification->auth_pass(c('amavis_auth_pass'));
    $notification->recips([$admin]);
    my(%mybuiltins) = %builtins;  # make a local copy
    $mybuiltins{'T'} = [quote_rfc2821_local($admin)];   # used in 'To:'
    $mybuiltins{'f'} = c('hdrfrom_notify_admin');       # From:
    $notification->mail_text(
      string_to_mime_entity(expand(cr('notify_virus_admin_templ'),
                                   \%mybuiltins)));
    $notification->header_edits($hdr_edits);
    mail_dispatch($conn, $notification, 1);
    my($n_smtp_resp, $n_exit_code, $n_dsn_needed) =
      one_response_for_all($notification, 0, am_id());  # check status
    if ($n_smtp_resp =~ /^2/ && !$n_dsn_needed) {       # ok
    } elsif ($n_smtp_resp =~ /^4/) {
      die "temporarily unable to notify virus admin: $n_smtp_resp";
    } else {
      do_log(-1, "FAILED to notify virus admin: $n_smtp_resp");
    }
    # $notification->purge;
  }

# if (! defined($msginfo->sender_contact) ) {
#   do_log(5,"do_virus: skip recipient notifications for unknown senders");
# } else {  # send notification to recipients
    my(@recips_to_notify) =
      grep {
        @virusname       && !lookup(0,$_,@{ca('bypass_virus_checks_maps')}) ?
          scalar(lookup(0,$_,@{ca('warnvirusrecip_maps')}))
      : @banned_filename && !lookup(0,$_,@{ca('bypass_banned_checks_maps')}) ?
          scalar(lookup(0,$_,@{ca('warnbannedrecip_maps')}))
      : @bad_headers     && !lookup(0,$_,@{ca('bypass_header_checks_maps')}) ?
          scalar(lookup(0,$_,@{ca('warnbadhrecip_maps')}))
      : 0  }
      grep { c('warn_offsite') || lookup(0,$_,@{ca('local_domains_maps')}) }
           @{$msginfo->recips};
    if (!@recips_to_notify) {
      do_log(5,"do_virus: recipient notifications not required");
    } else {
      my($notification) = Amavis::In::Message->new;
      $notification->rx_time($msginfo->rx_time); # copy over the reception time
      $notification->delivery_method(c('notify_method'));
      $notification->sender(c('mailfrom_notify_recip'));
      $notification->auth_submitter(
        qquote_rfc2821_local(c('mailfrom_notify_recip')));
      $notification->auth_user(c('amavis_auth_user'));
      $notification->auth_pass(c('amavis_auth_pass'));
      $notification->recips(\@recips_to_notify);
      my(%mybuiltins) = %builtins;  # make a local copy
      $mybuiltins{'f'} = c('hdrfrom_notify_recip');       # 'From:'
      $mybuiltins{'T'} = (@recips_to_notify==1 && $recips_to_notify[0] ne '') ?  # 'To:'
                           [quote_rfc2821_local($recips_to_notify[0])] : undef;
      $notification->mail_text(
        string_to_mime_entity(expand(cr('notify_virus_recips_templ'),
                                     \%mybuiltins)) );
      $notification->header_edits($hdr_edits);
      mail_dispatch($conn, $notification, 1);
      my($n_smtp_resp, $n_exit_code, $n_dsn_needed) =
        one_response_for_all($notification, 0, am_id());  # check status
      if ($n_smtp_resp =~ /^2/ && !$n_dsn_needed) {       # ok
      } elsif ($n_smtp_resp =~ /^4/) {
        die "temporarily unable to notify recipients: $n_smtp_resp";
      } else {
        do_log(-1, "FAILED to notify recipients: $n_smtp_resp");
      }
      # $notification->purge;
    }
# }
  do_log(5, "DO_VIRUS - DONE");
}

#
# If Spam found - quarantine it and log report
sub do_spam($$) {
  my($conn, $msginfo) = @_;
  # suggest a name to be used as 'X-Quarantine-Id:' or file name
  my($q_method) = c('spam_quarantine_method');
  $VIRUSFILE = $q_method =~ /^(?:local|bsmtp):(.*)\z/si ? $1 : "spam-%b-%i-%n";
  $VIRUSFILE =~ s{%(.)}
    {  $1 eq 'b' ? $msginfo->body_digest
     : $1 eq 'i' ? strftime("%Y%m%d-%H%M%S",localtime($msginfo->rx_time))
     : $1 eq 'n' ? am_id()
     : $1 eq '%' ? '%' : '%'.$1 }egs;
  # use the smallest value as the level reported in quarantined headers!
  my($tag_level) =
    min(map { scalar(lookup(0,$_,@{ca('spam_tag_level_maps')}))  } @{$msginfo->recips});
  my($tag2_level) =
    min(map { scalar(lookup(0,$_,@{ca('spam_tag2_level_maps')})) } @{$msginfo->recips});
  my($kill_level) =
    min(map { scalar(lookup(0,$_,@{ca('spam_kill_level_maps')})) } @{$msginfo->recips});
  my($blacklisted) =
    scalar(grep { $_->recip_blacklisted_sender } @{$msginfo->per_recip_data});
  my($whitelisted) =
    scalar(grep { $_->recip_whitelisted_sender } @{$msginfo->per_recip_data});
  my($s) = $spam_status; $s =~ s/,/,\n /g;  # allow header field wrapping
  my($full_spam_status) = sprintf(
    "%s,\n hits=%s\n tag=%s\n tag2=%s\n kill=%s\n %s%s",
    (defined $spam_level && defined $tag2_level && $spam_level>=$tag2_level ?
       'Yes' : 'No'),
    (map { !defined $_ ? 'x' : 0+sprintf("%.3f",$_) }
         ($spam_level, $tag_level, $tag2_level, $kill_level)),
    join('', $blacklisted ? "BLACKLISTED\n " : (),
             $whitelisted ? "WHITELISTED\n " : ()),
    $s);

  do_log(5, "do_spam: looking for a quarantine address");
  my(@q_addr,@a_addr);  # quarantine address(es) and administrators
  my($sqbsm) = ca('spam_quarantine_bysender_to_maps');
  if (@$sqbsm) {   # by-sender quarantine
    my($a);  $a = lookup(0,$msginfo->sender, @$sqbsm);
    push(@q_addr, $a)  if $a ne '';
  }
  # get per-recipient quarantine address(es) and admins
  for my $r (@{$msginfo->per_recip_data}) {
    my($rec) = $r->recip_addr;
    my($q);  # quarantine (pseudo) address associated with the recipient
    ($q) = lookup(0,$rec, @{ca('spam_quarantine_to_maps')});
    $q = $rec  if $q ne '' && $q_method =~ /^bsmtp:/i;  # orig.recip when BSMTP
    my($a) = lookup(0,$rec, @{ca('spam_admin_maps')});
    push(@q_addr, $q)  if $q ne '' && !grep {$_ eq $q} @q_addr;
    push(@a_addr, $a)  if $a ne '' && !grep {$_ eq $a} @a_addr;
  }
  if (@q_addr) {  # do the quarantining
    # prepare header edits for the quarantined message
    my($hdr_edits) = Amavis::Out::EditHeader->new;
    $hdr_edits->prepend_header('X-Quarantine-Id', "<$VIRUSFILE>");
    $hdr_edits->append_header('X-Spam-Status', $full_spam_status, 1);
#   $hdr_edits->append_header('X-Spam-Score',
#     !defined $spam_level ? 'x' : 0+sprintf("%.3f",$spam_level) );
    my($slc) = c('sa_spam_level_char');
    $hdr_edits->append_header('X-Spam-Level',
                              $slc x min(0+$spam_level,64))  if $slc ne '';
    $hdr_edits->append_header('X-Spam-Report', $spam_report,1)
      if c('sa_spam_report_header') && $spam_report ne '';
    do_quarantine($conn,$msginfo,$hdr_edits,\@q_addr,$q_method,'QuarSpamMsgs');
  }
  $s = $full_spam_status; $s =~ s/\n[ \t]/ /g;
  do_log(2,sprintf("SPAM, <%s> -> %s, %s%s", $msginfo->sender_source,
                   join(',', qquote_rfc2821_local(@{$msginfo->recips})),  $s,
                   !@q_addr ? '' : sprintf(", quarantine %s (%s)",
                                           $VIRUSFILE, join(',', @q_addr)) ));
  do_log(4, "Skip spam_admin notification, no admin specified")  if !@a_addr;
  for my $admin (@a_addr) {   # notify per-recipient spam administrators
    do_log(5, "DO_SPAM - NOTIFICATIONS to $admin; sender: ".$msginfo->sender);
    my($notification) = Amavis::In::Message->new;
    $notification->rx_time($msginfo->rx_time);  # copy over the reception time
    $notification->delivery_method(c('notify_method'));
    $notification->sender(c('mailfrom_notify_spamadmin'));
    $notification->auth_submitter(
      qquote_rfc2821_local(c('mailfrom_notify_spamadmin')));
    $notification->auth_user(c('amavis_auth_user'));
    $notification->auth_pass(c('amavis_auth_pass'));
    $notification->recips([$admin]);
    my(%mybuiltins) = %builtins;  # make a local copy
    $mybuiltins{'T'} = [quote_rfc2821_local($admin)];  # used in 'To:'
    $mybuiltins{'f'} = c('hdrfrom_notify_spamadmin');
    $notification->mail_text(
      string_to_mime_entity(expand(cr('notify_spam_admin_templ'),
                                   \%mybuiltins)));
    my($hdr_edits) = Amavis::Out::EditHeader->new;
    $notification->header_edits($hdr_edits);
    mail_dispatch($conn, $notification, 1);
    my($n_smtp_resp, $n_exit_code, $n_dsn_needed) =
      one_response_for_all($notification, 0, am_id());  # check status
    if ($n_smtp_resp =~ /^2/ && !$n_dsn_needed) {       # ok
    } elsif ($n_smtp_resp =~ /^4/) {
      die "temporarily unable to notify spam admin: $n_smtp_resp";
    } else {
      do_log(-1, "FAILED to notify spam admin: $n_smtp_resp");
    }
  # $notification->purge;
  }
  do_log(5, "DO_SPAM DONE");
}

# Calculate message digest;
# While at it, also get the message size and store original header,
# since we need it for the %H macro, and MIME::Tools may modify it.

sub get_body_digest($$) {
  my($fh, $msginfo) = @_;
  $fh->seek(0,0) or die "Can't rewind mail file: $!";
  local($_);

  # choose message digest method:
  my($ctx) = Digest::MD5->new;  # 128 bits (32 hex digits)
# my($ctx) = Digest::SHA1->new; # 160 bits (40 hex digits), slightly slower

  my(@orig_header);
  my($header_size) = 0;
  my($body_size) = 0;
  while (<$fh>) {               # skip mail header
    last  if $_ eq $eol;
    $header_size += length($_);
    push(@orig_header, $_);     # with trailing EOL
  }
  my($len);
  while (($len = read($fh,$_,16384)) > 0)
    { $ctx->add($_); $body_size += $len }
  my($signature) = $ctx->hexdigest;
# my($signature) = $ctx->b64digest;
  $signature = untaint($signature)  # checked (either 32 or 40 char)
    if $signature =~ /^ [0-9a-fA-F]{32} (?: [0-9a-fA-F]{8} )? \z/x;
  # store information obtained
  $msginfo->orig_header(\@orig_header);
  $msginfo->orig_header_size($header_size);
  $msginfo->orig_body_size($body_size);
  $msginfo->body_digest($signature);

  section_time('body_hash');
  do_log(3, "body hash: $signature");
  $signature;
}

sub find_program_path($$$) {
  my($fv_list, $path_list_ref, $may_log) = @_;
  $fv_list = [$fv_list]  if !ref $fv_list;
  my($found);
  for my $fv (@$fv_list) {
    my(@fv_cmd) = split(' ',$fv);
    if (!@fv_cmd) {  # empty, not available
    } elsif ($fv_cmd[0] =~ /^\//) {  # absolute path
      my($errn) = stat($fv_cmd[0]) ? 0 : 0+$!;
      if    ($errn == ENOENT) { }
      elsif ($errn)           {
        do_log(-1, "find_program_path: " . "$fv_cmd[0] inaccessible: $!")
          if $may_log;
      } elsif (-x _ && !-d _) { $found = join(' ', @fv_cmd) }
    } elsif ($fv_cmd[0] =~ /\//) {   # relative path
      die "find_program_path: relative paths not implemented: @fv_cmd\n";
    } else {                         # walk through the specified PATH
      for my $p (@$path_list_ref) {
        my($errn) = stat("$p/$fv_cmd[0]") ? 0 : 0+$!;
        if    ($errn == ENOENT) { }
        elsif ($errn)           {
          do_log(-1, "find_program_path: " . "$p/$fv_cmd[0] inaccessible: $!")
            if $may_log;
        } elsif (-x _ && !-d _) {
          $found = $p . '/' . join(' ', @fv_cmd);
          last;
        }
      }
    }
    last  if defined $found;
  }
  $found;
}

sub find_external_programs($) {
  my($path_list_ref) = @_;
  for my $f (qw($file $arc $gzip $bzip2 $lzop $lha $unarj $uncompress
                $unfreeze $unrar $zoo $cpio $ar $rpm2cpio $cabextract $dspam))
  {
    my($g) = $f;
    $g =~ s/\$/Amavis::Conf::/;
    my($fv_list) = eval('$' . $g);
    my($found) = find_program_path($fv_list, $path_list_ref, 1);
    { no strict 'refs'; $$g = $found }  # NOTE: a symbolic reference
    if (!defined $found) {
      do_log(-1, sprintf("No %-14s not using it", "$f,"));
    } else {
      do_log(0,sprintf("Found %-11s at %s%s", $f,
              $daemon_chroot_dir ne '' ? "(chroot: $daemon_chroot_dir/) " : '',
              $found));
    }
  }
  # map program name hints to full paths
  my($tier) = 'primary';  # primary, secondary, ...   av scanners
  for my $f (@{ca('av_scanners')}, "\000", @{ca('av_scanners_backup')}) {
    if ($f eq "\000") {   # next tier
      $tier = 'secondary';
    } elsif (!defined $f || !ref $f) {  # empty, skip
    } elsif (ref($f->[1]) eq 'CODE') {
      do_log(0, "Using internal av scanner code for ($tier) " . $f->[0]);
    } else {
      my($found) = $f->[1] = find_program_path($f->[1], $path_list_ref, 1);
      if (!defined $found) {
        do_log(3, "No $tier av scanner: " . $f->[0]);
        $f = undef;                     # release its storage
      } else {
        do_log(0,sprintf("Found $tier av scanner %-11s at %s%s", $f->[0],
              $daemon_chroot_dir ne '' ? "(chroot: $daemon_chroot_dir/) " : '',
              $found));
      }
    }
  }
}

# Fetch all remaining modules.
sub fetch_modules_extra() {
  my(@modules);
  if ($extra_code_sql) {
    push(@modules, 'DBI');
    for (@lookup_sql_dsn) {
      my(@dsn) = split(/:/,$_->[0],-1);
      push(@modules, 'DBD::'.$dsn[1])  if uc($dsn[0]) eq 'DBI';
    }
  }
  push(@modules, qw(Net::LDAP Net::LDAP::Util))  if $extra_code_ldap;
  if (c('bypass_decode_parts') &&
      !grep {exists $policy_bank{$_}{'bypass_decode_parts'} &&
             !$policy_bank{$_}{'bypass_decode_parts'} } keys %policy_bank) {
  } else {
    push(@modules, qw(Compress::Zlib Convert::TNEF Convert::UUlib
                      Archive::Zip Archive::Tar));
  }
  push(@modules, 'Mail::SpamAssassin')  if $extra_code_antispam;
  push(@modules, 'Authen::SASL')  if c('auth_required_out');
  Amavis::Boot::fetch_modules('REQUIRED ADDITIONAL MODULES', 1, @modules);
  my($sa_version);
  $sa_version = Mail::SpamAssassin::Version()  if $extra_code_antispam;
  @modules = ();  # now start collecting optional modules
  if ($extra_code_antispam) {  # must be loaded before chroot takes place
    push(@modules, qw(
      Mail::SpamAssassin::Locker::UnixNFSSafe
      Mail::SpamAssassin::DBBasedAddrList
      Mail::SpamAssassin::BayesStore::DBM
      Mail::SpamAssassin::BayesStore::SQL
      Mail::SpamAssassin::Plugin::SPF
      Mail::SpamAssassin::Plugin::URIDNSBL
      Mail::SpamAssassin::Plugin::Hashcash
      Mail::SpamAssassin::Plugin::Razor2

      Mail::SpamAssassin::UnixLocker
      Mail::SpamAssassin::PerMsgLearner
      Mail::SpamAssassin::BayesStoreDBM

      Mail::SPF::Query Net::CIDR::Lite
      Net::DNS::RR::SOA Net::DNS::RR::NS Net::DNS::RR::MX
      Net::DNS::RR::A Net::DNS::RR::AAAA Net::DNS::RR::PTR
      Net::DNS::RR::CNAME Net::DNS::RR::TXT Net::Ping bytes
    ));
  }
  if ($extra_code_antispam && defined $sa_version && $sa_version < 3) {
    # if using Mail::SpamAssassin::SpamCopURI with SA older than 3.0.0
    push(@modules, qw(
      Mail::SpamAssassin::SpamCopURI
      URI URI::Escape URI::Heuristic URI::QueryParam URI::Split URI::URL
      URI::WithBase URI::_foreign URI::_generic URI::_ldap URI::_login
      URI::_query URI::_segment URI::_server URI::_userpass URI::data URI::ftp
      URI::gopher URI::http URI::https URI::ldap URI::ldapi URI::ldaps
      URI::mailto URI::mms URI::news URI::nntp URI::pop URI::rlogin URI::rsync
      URI::rtsp URI::rtspu URI::sip URI::sips URI::snews URI::ssh URI::telnet
      URI::tn3270 URI::urn URI::urn::isbn URI::urn::oid
      URI::file URI::file::Base URI::file::Unix URI::file::Win32
    ));
  }
  # ??? ArchiveIterator Reporter SQLBasedAddrList BayesStore::SQL
  # ??? Locker::Flock Plugin::RelayCountry
  Amavis::Boot::fetch_modules('PRE-COMPILE OPTIONAL MODULES', 0,
                              @modules)  if @modules;
  # load optional modules SAVI and Mail::ClamAV if available and requested
  if ($extra_code_antivirus) {
    my($savi_obj, $savi_module_ok, $clamav_module_ok);
    for my $entry (@{ca('av_scanners')}, @{ca('av_scanners_backup')}) {
      if (ref($entry) ne 'ARRAY') {  # none
      } elsif ($entry->[1] eq \&ask_sophos_savi ||
               $entry->[1] eq \&sophos_savi ||
               $entry->[0] eq 'Sophos SAVI') {
        if (!defined($savi_module_ok)) {
          $savi_module_ok = eval { require SAVI };
          $savi_module_ok = 0  if !defined $savi_module_ok;
#
# if the Amavis::AV::sophos_savi_init() in the following line _is_
# called from here, SAVI-Perl will only initialize once during startup;
# otherwise (if left uninitialized here) each child process will do the
# SAVI-Perl initialization at its birth, which costs some time, but avoids
# the need to restart amavisd when IDE database changes:
###       $savi_obj = Amavis::AV::sophos_savi_init(@$entry) if $savi_module_ok;

        }
        if (!$savi_module_ok) { $entry->[1] = undef }  # disable entry
        else { $entry->[2] = $savi_obj  if defined $savi_obj }  # save as args
      } elsif ($entry->[1] eq \&ask_clamav ||
               $entry->[0] =~ /^Mail::ClamAV/) {
        if (!defined($clamav_module_ok)) {
          $clamav_module_ok = eval { require Mail::ClamAV };
          $clamav_module_ok = 0  if !defined $clamav_module_ok;
        }
        $entry->[1] = undef  if !$clamav_module_ok;  # disable entry
      }
    }
  }
}

#
# Main program starts here
#

# Read dynamic source code, and logging and notification message templates
# from the end of this file (pseudo file handle DATA)
#
$Amavis::Conf::notify_spam_admin_templ  = '';  # not used
$Amavis::Conf::notify_spam_recips_templ = '';  # not used
do { local($/) = "__DATA__\n";   # set line terminator to this string
  chomp($_ = <Amavis::DATA>)  for (
    $extra_code_db, $extra_code_cache,
    $extra_code_sql, $extra_code_ldap,
    $extra_code_in_amcl, $extra_code_in_smtp,
    $extra_code_antivirus, $extra_code_antispam, $extra_code_unpackers,
    $Amavis::Conf::log_templ, $Amavis::Conf::log_recip_templ);
  if ($unicode_aware) {
#   binmode(\*Amavis::DATA, ":encoding(utf8)")    #  :encoding(iso-8859-1)
#     or die "Can't set \*DATA encoding: $!";
  }
  chomp($_ = <Amavis::DATA>)  for (
    $Amavis::Conf::notify_sender_templ,
    $Amavis::Conf::notify_virus_sender_templ,
    $Amavis::Conf::notify_virus_admin_templ,
    $Amavis::Conf::notify_virus_recips_templ,
    $Amavis::Conf::notify_spam_sender_templ,
    $Amavis::Conf::notify_spam_admin_templ );
}; # restore line terminator
close(\*Amavis::DATA) or die "Can't close *Amavis::DATA: $!";
# close(STDIN)        or die "Can't close STDIN: $!";
# note: don't close STDIN just yet to prevent some other file taking up fd 0

# discard trailing NL
$Amavis::Conf::log_templ = $1
  if $Amavis::Conf::log_templ=~/^(.*?)[\r\n]+\z/s;
$Amavis::Conf::log_recip_templ = $1
  if $Amavis::Conf::log_recip_templ=~/^(.*?)[\r\n]+\z/s;

my($config_file) = '/etc/amavisd.conf';  # default location of config file

# Consider droping privileges early, before reading config file.
# This is only possible if running under chroot will not be needed.
#
my($desired_group);                      # defaults to $desired_user's group
my($desired_user);                       # username or UID
if ($> != 0) { $desired_user = $> }      # use effective UID if not root
#else {
# for my $u ('amavis', 'vscan') {        # try to guess a good default username
#   my($username,$passwd,$uid,$gid) = getpwnam($u);
#   if (defined $uid && $uid != 0) { $desired_user = $u; last }
# }
#}

# collect and parse command line options
while (@ARGV >= 2 && $ARGV[0] =~ /^-[ugc]\z/) {
  my($opt) = shift @ARGV;
  if ($opt eq '-u') {       # -u username
    my($val) = shift @ARGV;
    if ($> == 0) { $desired_user = $val }
    else { print STDERR "Ignoring option -u when not running as root\n" }
  } elsif ($opt eq '-g') {  # -g group
    my($val) = shift @ARGV;
    if ($> == 0) { $desired_group = $val }
    else { print STDERR "Ignoring option -g when not running as root\n" }
  } elsif ($opt eq '-c') {  # -c config_file
    $config_file = shift @ARGV;
    $config_file = untaint($config_file)
      if $config_file =~ m{^[A-Za-z0-9/._=+-]+\z};
  }
}

if (defined $desired_user && ($> == 0 || $< == 0)) {   # drop privileges early
  my($username,$passwd,$uid,$gid) =
    $desired_user=~/^(\d+)$/ ? (undef,undef,$1,undef) :getpwnam($desired_user);
  defined $uid or die "No such username: $desired_user\n";
  if ($desired_group eq '') { $desired_group = $gid }  # for logging purposes
  else { $gid = $desired_group=~/^(\d+)$/ ? $1 : getgrnam($desired_group) }
  defined $gid or die "No such group: $desired_group\n";
  $( = $gid;  # real GID
  $) = "$gid $gid";  # effective GID
  POSIX::setuid($uid) or die "Can't setuid to $uid: $!";
  $> = $uid; $< = $uid;  # just in case
# print STDERR "desired user=$desired_user ($uid), current: EUID: $> ($<)\n";
# print STDERR "desired group=$desired_group, current: EGID: $) ($()\n";
  $> != 0 or die "Still running as root, aborting\n";
  $< != 0 or die "Effective UID changed, but Real UID is 0\n";
}

umask(0027);

# Read config file, which may override default settings
Amavis::Conf::build_default_maps();
Amavis::Conf::read_config($config_file);

if (defined $desired_user && $daemon_user ne '') {
  # compare the config file settings to current UID
  my($username,$passwd,$uid,$gid) =
    $daemon_user=~/^(\d+)$/ ? (undef,undef,$1,undef) : getpwnam($daemon_user);
  $uid == $> or warn sprintf(
    "WARN: running under user '%s' (UID=%s), the config file".
    " specifies \$daemon_user='%s' (UID=%s)\n",
    $desired_user, $>, $daemon_user, defined $uid ? $uid : '?');
}

# chdir($TEMPBASE) or die "Can't chdir to $TEMPBASE: $!";
# use vars qw(@modules_basic);
# @modules_basic = keys %INC;

# compile optional modules if needed

if (!$enable_db) { $extra_code_db = undef }
else {
  eval $extra_code_db or die "Problem in Amavis::DB or Amavis::DB::SNMP code: $@";
  $extra_code_db = 1;         # release memory occupied by the source code
}
if (!$enable_global_cache || !$extra_code_db) { $extra_code_cache = undef }
else {
  eval $extra_code_cache or die "Problem in the Amavis::Cache code: $@";
  $extra_code_cache = 1;      # release memory occupied by the source code
}
if (!@lookup_sql_dsn) { $extra_code_sql = undef }
else {
  eval $extra_code_sql or die "Problem in the Lookup::SQL code: $@";
  $extra_code_sql = 1;        # release memory occupied by the source code
}
if (!$enable_ldap) { $extra_code_ldap = undef }
else {
  eval $extra_code_ldap or die "Problem in the Lookup::LDAP code: $@";
  $extra_code_ldap = 1;       # release memory occupied by the source code
}

if (c('protocol') eq 'COURIER') {
  die "In::Courier code not available";
} elsif (c('protocol') eq 'AM.PDP' || $unix_socketname ne '') {
  eval $extra_code_in_amcl or die "Problem in the In::AMCL code: $@";
  $extra_code_in_amcl = 1;    # release memory occupied by the source code
} else {
  $extra_code_in_amcl = undef;
}

if (c('protocol') eq 'QMQPqq') { # simpleminded, not checking all policy banks
  die "In::QMQPqq code not available";
} elsif (c('protocol') =~ /^(SMTP|LMTP)\z/ ||
         $inet_socket_port ne '' &&
           (!ref $inet_socket_port || @$inet_socket_port)) { # assume SMTP/LMTP
  eval $extra_code_in_smtp or die "Problem in the In::SMTP code: $@";
  $extra_code_in_smtp = 1;    # release memory occupied by the source code
} else {
  $extra_code_in_smtp = undef;
}

my($bpvcm) = ca('bypass_virus_checks_maps');
if (!@{ca('av_scanners')} && !@{ca('av_scanners_backup')}) {
  $extra_code_antivirus = undef;
} elsif (@$bpvcm && !ref($bpvcm->[0]) && $bpvcm->[0]) {
  # do a simple-minded test to make it easy to turn off virus checks
  $extra_code_antivirus = undef;
} else {
  eval $extra_code_antivirus or die "Problem in the antivirus code: $@";
  $extra_code_antivirus = 1;  # release memory occupied by the source code
}
if (!$extra_code_antivirus)  # release storage
  { @Amavis::Conf::av_scanners = @Amavis::Conf::av_scanners_backup = () }

my($bpscm) = ca('bypass_spam_checks_maps');
if (@$bpscm && !ref($bpscm->[0]) && $bpscm->[0]) {
  # do a simple-minded test to make it easy to turn off spam checks
  $extra_code_antispam = undef;
} else {
  eval $extra_code_antispam or die "Problem in the antispam code: $@";
  $extra_code_antispam = 1;   # release memory occupied by the source code
}

if (c('bypass_decode_parts') &&
    !grep {exists $policy_bank{$_}{'bypass_decode_parts'} &&
           !$policy_bank{$_}{'bypass_decode_parts'} } keys %policy_bank) {
  $extra_code_unpackers = undef;
} else {
  eval $extra_code_unpackers or die "Problem in the Amavis::Unpackers code: $@";
  $extra_code_unpackers = 1;  # release memory occupied by the source code
}

# act on command line parameters
my($cmd) = lc($ARGV[0]);
if ($cmd =~ /^(start|debug|debug-sa|foreground)?\z/) {
  $DEBUG=1      if $cmd eq 'debug';
  $daemonize=0  if $cmd eq 'foreground';
  $daemonize=0, $sa_debug=1  if $cmd eq 'debug-sa';
} elsif ($cmd !~ /^(reload|stop)\z/) {
  die "$myversion: Unknown argument.  Usage:\n  $0 [-u user] [-g group] [-c config-file] ( [start] | stop | reload | debug | debug-sa | foreground )\n";
} else {  # stop or reload
  eval {  # first stop a running daemon
    $pid_file ne '' or die "Config parameter \$pid_file not defined";
    my($errn) = stat($pid_file) ? 0 : 0+$!;
    $errn != ENOENT or die "No PID file $pid_file\n";
    $errn == 0      or die "PID file $pid_file inaccessible: $!";
    my($amavisd_pid);
    open(PID_FILE, "< $pid_file\0") or die "Can't read file $pid_file: $!";
    while (<PID_FILE>) { chomp; $amavisd_pid = $_ if /^\d+\z/ }
    close(PID_FILE) or die "Can't close file $pid_file: $!";
    defined($amavisd_pid) or die "Invalid PID in the $pid_file";
    $amavisd_pid = untaint($amavisd_pid);
    kill('TERM',$amavisd_pid) or die "Can't SIGTERM amavisd[$amavisd_pid]: $!";
    my($delay) = 1;  # seconds
    for (;;) {
      sleep($delay); $delay = 5;
      last  if !kill(0,$amavisd_pid);  # is the old daemon still there?
      print STDERR "Waiting for the process $amavisd_pid to terminate\n";
    }
  };
  if ($@ ne '') { chomp($@); die "$@, can't $cmd the process\n" }
  exit 0  if $cmd eq 'stop';
  print STDERR "daemon terminated, waiting for the dust to settle...\n";
  sleep 5;  # wait for the TCP socket to be released
  print STDERR "becoming a new daemon...\n";
}
$daemonize = 0  if $DEBUG;

# Set path, home and term explictly.  Don't trust environment
$ENV{PATH} = $path          if $path ne '';
$ENV{HOME} = $helpers_home  if $helpers_home ne '';
$ENV{TERM} = 'dumb'; $ENV{COLUMNS} = '80'; $ENV{LINES} = '100';

Amavis::Log::init("amavis", !1, $DO_SYSLOG, $SYSLOG_LEVEL, $LOGFILE);

# report version of Perl and process UID
do_log(1, "user=$desired_user, EUID: $> ($<);  group=$desired_group, EGID: $) ($()");
do_log(0, "Perl version               $]");

# $SIG{USR2} = sub {
#   my($msg) = Carp::longmess("SIG$_[0] received, backtrace:");
#   print STDERR "\n",$msg,"\n";  do_log(-1,$msg);
# };

fetch_modules_extra();  # bring additional modules into memory and compile them

# set up Net::Server configuration
my $server = bless {
  server => {
    # command args to be used after HUP must be untainted, deflt: [$0,@ARGV]
  # commandline => ['/usr/local/sbin/amavisd','-c',$config_file],
    commandline => [],  # disable

    # listen on the following sockets (one or more):
    port => [ ($unix_socketname eq '' ? () : "$unix_socketname|unix"), # helper
              map { "$_/tcp" }             # accept SMTP on this port(s)
                  (ref $inet_socket_port ? @$inet_socket_port
                   : $inet_socket_port ne '' ? $inet_socket_port : () ),
            ],
    # limit socket bind (e.g. to the loopback interface)
    host => ($inet_socket_bind eq '' ? '*' : $inet_socket_bind),

    max_servers  => $max_servers,  # number of pre-forked children
    max_requests => $max_requests, # restart child after that many accept's
    user       => (($> == 0 || $< == 0) ? $daemon_user  : undef),
    group      => (($> == 0 || $< == 0) ? $daemon_group : undef),
    pid_file   => $pid_file,
    lock_file  => $lock_file,  # serialization lockfile
  # serialize  => 'flock',     # flock, semaphore, pipe
    background => $daemonize ? 1 : undef,
    setsid     => $daemonize ? 1 : undef,
    chroot     => $daemon_chroot_dir ne '' ? $daemon_chroot_dir : undef,
    no_close_by_child => 1,

    # controls log level for Net::Server internal log messages:
    #   0=err, 1=warning, 2=notice, 3=info, 4=debug
    log_level  => ($DEBUG ? 4 : 2),
    log_file   => undef,  # will be overridden to call do_log()
  },
}, 'Amavis';

$0 = 'amavisd (master)';
$server->run;  # transfer control to Net::Server

# shouldn't get here
exit 1;

# we read text (especially notification templates) from DATA sections
# to avoid any interpretations of special characters (e.g. \ or ') by Perl
#

__DATA__
#
package Amavis::DB::SNMP;
use strict;
use re 'taint';

BEGIN {
  import Amavis::Conf qw($myversion $myhostname);
  import Amavis::Util qw(ll do_log snmp_counters_get);
}

use BerkeleyDB;

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
}

# open existing databases (called by each child process)
sub new {
  my($class,$db_env) = @_; my($env) = $db_env->get_db_env;
  defined $env or die "BDB bad db env.: $BerkeleyDB::Error, $!.";
  my($dbs) = BerkeleyDB::Hash->new(-Filename=>'snmp.db', -Env=>$env);
  defined $dbs or die "BDB no dbS: $BerkeleyDB::Error, $!.";
  my($dbn) = BerkeleyDB::Hash->new(-Filename=>'nanny.db', -Env=>$env);
  defined $dbn or die "BDB no dbN: $BerkeleyDB::Error, $!.";
  bless { 'db_snmp'=>$dbs, 'db_nanny'=>$dbn }, $class;
}

sub DESTROY {
  my($self) = shift;
  eval { do_log(5,"Amavis::DB::SNMP called") };
  for my $db ($self->{'db_snmp'}, $self->{'db_nanny'}) {
    if (defined $db) {
      eval { $db->db_close==0 or die "db_close: $BerkeleyDB::Error, $!." };
      if ($@ ne '') { warn "BDB S+N DESTROY $@" }
      $db = undef;
    }
  }
}

#sub lock_stat($) {
# my($label) = @_;
# my($s) = qx'/usr/local/bin/db_stat-4.2 -c -h /var/amavis/db | /usr/local/bin/perl -ne \'$a{$2}=$1 if /^(\d+)\s+Total number of locks (requested|released)/; END {printf("%d, %d\n",$a{requested}, $a{requested}-$a{released})}\'';
# do_log(0, "lock_stat $label: $s");
#}

# insert startup time SNMP entry, called from the master process at startup
# (a classical subroutine, not a method)
sub put_initial_snmp_data($) {
  my($db) = @_;
  my($cursor) = $db->db_cursor(DB_WRITECURSOR);
  defined $cursor or die "BDB S db_cursor: $BerkeleyDB::Error, $!.";
  for my $obj (['sysDescr',    'STR', $myversion],
               ['sysObjectID', 'OID', '1.3.6.1.4.1.15312.2.1'],
                 # iso.org.dod.internet.private.enterprise.ijs.amavisd-new.snmp
               ['sysUpTime',   'INT', int(time)],
                 # later it must be converted to timeticks (10ms since start)
               ['sysContact',  'STR', ''],
               ['sysName',     'STR', $myhostname],
               ['sysLocation', 'STR', ''],
               ['sysServices', 'INT', 64],  # application
  ) {
    my($key,$type,$val) = @$obj;
    $cursor->c_put($key, sprintf("%s %s",$type,$val), DB_KEYLAST) == 0
      or die "BDB S c_put: $BerkeleyDB::Error, $!.";
  };
  $cursor->c_close==0 or die "BDB S c_close: $BerkeleyDB::Error, $!.";
}

sub update_counters {
  my($self) = @_;
  my($counter_names_ref) = snmp_counters_get();
  my($eval_stat,$interrupt); $interrupt = '';
  if (defined $counter_names_ref && @$counter_names_ref) {
    my($db) = $self->{'db_snmp'}; my($cursor);
    my($h1) = sub { $interrupt = $_[0] };
    local(@SIG{qw(INT HUP TERM TSTP QUIT ALRM USR1 USR2)}) = ($h1) x 8;
    eval {  # ensure cursor will be unlocked even in case of errors or signals
      $cursor = $db->db_cursor(DB_WRITECURSOR);  # obtain write lock
      defined $cursor or die "db_cursor: $BerkeleyDB::Error, $!.";
      for my $key (@$counter_names_ref) {
        my($counter_name,$counter_incr) = ref($key) ? @$key : ($key,1);
        my($val,$flags); my($type) = 'C32';
        my($stat) = $cursor->c_get($counter_name,$val,DB_SET);
        if ($stat==0) {  # exists, update it
          if ($val =~ /^\Q$type\E (\d+)\z/o) { $val = $1 }
          else { do_log(-2,"WARN: counter syntax? $val, clearing"); $val = 0 }
          $flags = DB_CURRENT; $val = $val+$counter_incr;
        } else {  # create new entry
          $stat==DB_NOTFOUND  or die "c_get: $BerkeleyDB::Error, $!.";
          $flags = DB_KEYLAST; $val = $counter_incr;
        }
        $cursor->c_put($counter_name, sprintf("%s %010d",$type,$val),$flags)==0
          or die "c_put: $BerkeleyDB::Error, $!.";
      }
      $cursor->c_close==0 or die "c_close: $BerkeleyDB::Error, $!.";
      $cursor = undef;
    };
    $eval_stat = $@;
    if (defined $db) {
      $cursor->c_close  if defined $cursor;  # unlock, ignoring status
      $cursor = undef;
      if ($eval_stat eq '') {
#       my($stat); $db->db_sync();  # not really needed
#       $stat==0 or warn "BDB S db_sync, status $stat: $BerkeleyDB::Error, $!.";
      }
    }
  }
  delete $self->{'cnt'};
  if ($interrupt ne '') { kill($interrupt,$$) }  # resignal
  elsif ($eval_stat ne '')
    { chomp($eval_stat); die "update_counters: BDB S $eval_stat\n" }
}

sub register_proc {
  my($self,$task_id) = @_;
  my($db) = $self->{'db_nanny'}; my($cursor);
  my($val,$new_val); my($key) = sprintf("%05d",$$);
  $new_val = sprintf("%010d %-12s", time, $task_id)  if defined $task_id;
  my($eval_stat,$interrupt); $interrupt = '';
  my($h1) = sub { $interrupt = $_[0] };
  local(@SIG{qw(INT HUP TERM TSTP QUIT ALRM USR1 USR2)}) = ($h1) x 8;
  eval {  # ensure cursor will be unlocked even in case of errors or signals
    $cursor = $db->db_cursor(DB_WRITECURSOR);  # obtain write lock
    defined $cursor or die "db_cursor: $BerkeleyDB::Error, $!.";
    my($stat) = $cursor->c_get($key,$val,DB_SET);
    $stat==0 || $stat==DB_NOTFOUND or die "c_get: $BerkeleyDB::Error, $!.";
    if ($stat==0 && !defined $task_id) {  # remove existing entry
      $cursor->c_del==0 or die "c_del: $BerkeleyDB::Error, $!.";
    } elsif (defined $task_id && !($stat==0 && $new_val eq $val)) {
      # add new, or update existing entry if different
      $cursor->c_put($key, $new_val,
                     $stat==0 ? DB_CURRENT : DB_KEYLAST ) == 0
        or die "c_put: $BerkeleyDB::Error, $!.";
    }
    $cursor->c_close==0 or die "c_close: $BerkeleyDB::Error, $!.";
    $cursor = undef;
  };
  $eval_stat = $@;
  if (defined $db) {
    $cursor->c_close  if defined $cursor;  # unlock, ignoring status
    $cursor = undef;
    if ($eval_stat eq '') {
#     my($stat) = $db->db_sync();  # not really needed
#     $stat==0 or warn "BDB N db_sync, status $stat: $BerkeleyDB::Error, $!.";
    }
  }
  if ($interrupt ne '') { kill($interrupt,$$) }  # resignal
  elsif ($eval_stat ne '')
    { chomp($eval_stat); die "register_proc: BDB N $eval_stat\n" }
}

1;

#
package Amavis::DB;
use strict;
use re 'taint';

BEGIN {
  import Amavis::Conf qw($db_home $daemon_chroot_dir);
  import Amavis::Util qw(untaint ll do_log);
}

use BerkeleyDB;

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
}

# create new databases, then close them (called by the parent process)
# (called only if $db_home is nonempty)
sub init($) {
  my($predelete) = @_;  # delete existing db files first?
  my($name) = $db_home;
  $name = "$daemon_chroot_dir $name"  if $daemon_chroot_dir ne '';
  if ($predelete) {     # delete old database files
    local(*DIR); my($f);
    opendir(DIR,$db_home) or die "Can't open directory $name: $!";
    while (defined($f = readdir(DIR))) {
      next  if ($f eq '.' || $f eq '..') && -d _;
      if ($f =~ /^(__db\.\d+|(cache-expiry|cache|snmp|nanny)\.db)\z/s) {
        $f = untaint($f);
        unlink("$db_home/$f") or die "Can't delete file $name/$f: $!";
      }
    }
    closedir(DIR) or die "Can't close directory $name: $!";
  }
  my($env) = BerkeleyDB::Env->new(-Home=>$db_home, -Mode=>0640,
    -Flags=> DB_CREATE | DB_INIT_CDB | DB_INIT_MPOOL);
  defined $env or die "BDB bad db env. at $db_home: $BerkeleyDB::Error, $!.";
  do_log(0, sprintf("Creating db in %s/; BerkeleyDB %s, libdb %s",
                    $name, BerkeleyDB->VERSION, $BerkeleyDB::db_version));
  my($dbc) = BerkeleyDB::Hash->new(
    -Filename=>'cache.db', -Flags=>DB_CREATE, -Env=>$env );
  defined $dbc or die "BDB no dbC: $BerkeleyDB::Error, $!.";
  my($dbq) = BerkeleyDB::Queue->new(
    -Filename=>'cache-expiry.db', -Flags=>DB_CREATE, -Env=>$env,
    -Len=>15+1+32 );  # '-ExtentSize' needs DB 3.2.x, e.g. -ExtentSize=>2
  defined $dbq or die "BDB no dbQ: $BerkeleyDB::Error, $!.";
  my($dbs) = BerkeleyDB::Hash->new(
    -Filename=>'snmp.db', -Flags=>DB_CREATE, -Env=>$env );
  defined $dbs or die "BDB no dbS: $BerkeleyDB::Error, $!.";
  my($dbn) = BerkeleyDB::Hash->new(
    -Filename=>'nanny.db', -Flags=>DB_CREATE, -Env=>$env );
  defined $dbn or die "BDB no dbN: $BerkeleyDB::Error, $!.";

  Amavis::DB::SNMP::put_initial_snmp_data($dbs);
  for my $db ($dbc, $dbq, $dbs, $dbn)
    { $db->db_close==0 or die "BDB db_close: $BerkeleyDB::Error, $!." }
}

# open an existing databases environment (called by each child process)
sub new {
  my($class) = @_; my($env);
  if (defined $db_home) {
    $env = BerkeleyDB::Env->new(
      -Home=>$db_home, -Mode=>0640, -Flags=> DB_INIT_CDB | DB_INIT_MPOOL);
    defined $env or die "BDB bad db env. at $db_home: $BerkeleyDB::Error, $!.";
  }
  bless \$env, $class;
}
sub get_db_env { my($self) = shift; $$self }

1;

__DATA__
#
package Amavis::Cache;
# offer an 'IPC::Cache'-compatible interface to a BerkeleyDB-based cache.
# Replaces methods new,get,set of the memory-based cache.
use strict;
use re 'taint';

BEGIN {
  import Amavis::Util qw(ll do_log);
}

use BerkeleyDB;

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.0332';
  @ISA = qw(Exporter);
}

# open existing databases (called by each child process);
# if $db_env is undef a memory-based cache is created, otherwise use BerkeleyDB
sub new {
  my($class,$db_env) = @_;
  my($dbc,$dbq,$mem_cache);
  if (!defined($db_env)) {
    do_log(1,"BerkeleyDB not available, using memory-based local cache");
    $mem_cache = {};
  } else {
    my($env) = $db_env->get_db_env;
    defined $env or die "BDB bad db env.: $BerkeleyDB::Error, $!.";
    $dbc = BerkeleyDB::Hash->new(-Filename=>'cache.db', -Env=>$env);
    defined $dbc or die "BDB no dbC: $BerkeleyDB::Error, $!.";
    $dbq = BerkeleyDB::Queue->new(-Filename=>'cache-expiry.db', -Env=>$env,
      -Len=>15+1+32);  # '-ExtentSize' needs DB 3.2.x, e.g. -ExtentSize=>2
    defined $dbq or die "BDB no dbQ: $BerkeleyDB::Error, $!.";
  }
  bless {'db_cache'=>$dbc, 'db_queue'=>$dbq, 'mem_cache'=>$mem_cache}, $class;
}

sub DESTROY {
  my($self) = shift;
  eval { do_log(5,"Amavis::Cache called") };
  for my $db ($self->{'db_cache'}, $self->{'db_queue'}) {
    if (defined $db) {
      eval { $db->db_close==0 or die "db_close: $BerkeleyDB::Error, $!." };
      if ($@ ne '') { warn "BDB C+Q DESTROY $@" }
      $db = undef;
    }
  }
}

# purge expired entries from the queue head and enqueue new entry at the tail
sub enqueue {
  my($self,$str,$now_utc_iso8601,$expires_utc_iso8601) = @_;
  my($db) = $self->{'db_cache'};  my($dbq) = $self->{'db_queue'};
  local($1,$2); my($stat,$key,$val); $key = '';
  my($qcursor) = $dbq->db_cursor(DB_WRITECURSOR);
  defined $qcursor or die "BDB Q db_cursor: $BerkeleyDB::Error, $!.";
  while ( ($stat=$qcursor->c_get($key,$val,DB_NEXT)) == 0 ) {
    if ($val !~ /^([^ ]+) (.*)\z/s) {
      do_log(-2,"WARN: queue head invalid, deleting: $val");
    } else {
      my($t,$digest) = ($1,$2);
      last  if $t ge $now_utc_iso8601;
      my($cursor) = $db->db_cursor(DB_WRITECURSOR);
      defined $cursor or die "BDB C db_cursor: $BerkeleyDB::Error, $!.";
      my($v); my($st1) = $cursor->c_get($digest,$v,DB_SET);
      $st1==0 || $st1==DB_NOTFOUND or die "BDB C c_get: $BerkeleyDB::Error, $!.";
      if ($st1==0 && $v=~/^([^ ]+) /s) {  # record exists and appears valid
         if ($1 ne $t) {
           do_log(5,"enqueue: not deleting: $digest, was refreshed since");
         } else {  # its expiration time correspond to timestamp in the queue
           do_log(5,"enqueue: deleting: $digest");
           my($st2) = $cursor->c_del;     # delete expired entry from the cache
           $st2==0 || $st2==DB_KEYEMPTY
             or die "BDB C c_del: $BerkeleyDB::Error, $!.";
         }
      }
      $cursor->c_close==0 or die "BDB C c_close: $BerkeleyDB::Error, $!.";
    }
    my($st3) = $qcursor->c_del;
    $st3==0 || $st3==DB_KEYEMPTY or die "BDB Q c_del: $BerkeleyDB::Error, $!.";
  }
  $stat==0 || $stat==DB_NOTFOUND or die "BDB Q c_get: $BerkeleyDB::Error, $!.";
  $qcursor->c_close==0 or die "BDB Q c_close: $BerkeleyDB::Error, $!.";
  # insert new expiration request in the queue
  $dbq->db_put($key, "$expires_utc_iso8601 $str", DB_APPEND) == 0
    or die "BDB Q db_put: $BerkeleyDB::Error, $!.";
  # syncing would only be worth doing if we would want the cache to persist
  # across restarts - but we scratch the databases to avoid rebuild worries
# $stat = $dbq->db_sync();
# $stat==0 or warn "BDB Q db_sync, status $stat: $BerkeleyDB::Error, $!.";
# $stat = $db->db_sync();
# $stat==0 or warn "BDB C db_sync, status $stat: $BerkeleyDB::Error, $!.";
}

sub get {
  my($self,$key) = @_;
  my($val); my($db) = $self->{'db_cache'};
  if (!defined($db)) {
    $val = $self->{'mem_cache'}{$key};  # simple local memory-based cache
  } else {
    my($stat) = $db->db_get($key,$val);
    $stat==0 || $stat==DB_NOTFOUND
      or die "BDB C c_get: $BerkeleyDB::Error, $!.";
    local($1,$2);
    if ($stat==0 && $val=~/^([^ ]+) (.*)/s) { $val = $2 } else { $val = undef }
  }
  thaw($val);
}

sub set {
  my($self,$key,$obj,$now_utc_iso8601,$expires_utc_iso8601) = @_;
  my($db) = $self->{'db_cache'};
  if (!defined($db)) {
    $self->{'mem_cache'}{$key} = freeze($obj);
  } else {
    my($cursor) = $db->db_cursor(DB_WRITECURSOR);
    defined $cursor or die "BDB C db_cursor: $BerkeleyDB::Error, $!.";
    my($val); my($stat) = $cursor->c_get($key,$val,DB_SET);
    $stat==0 || $stat==DB_NOTFOUND
      or die "BDB C c_get: $BerkeleyDB::Error, $!.";
    $cursor->c_put($key, $expires_utc_iso8601.' '.freeze($obj),
                   $stat==0 ? DB_CURRENT : DB_KEYLAST ) == 0
      or die "BDB C c_put: $BerkeleyDB::Error, $!.";
    $cursor->c_close==0 or die "BDB C c_close: $BerkeleyDB::Error, $!.";
  # $stat = $db->db_sync();  # only worth doing if cache were persistent
  # $stat==0 or warn "BDB C db_sync, status $stat: $BerkeleyDB::Error, $!.";
    $self->enqueue($key,$now_utc_iso8601,$expires_utc_iso8601);
  }
  $obj;
}

1;

__DATA__
#
package Amavis::Lookup::SQLfield;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
}
BEGIN { import Amavis::Util qw(ll do_log) }

sub new($$$;$$) {
  my($class, $sql_query,$fieldname, $fieldtype,$implied_args) = @_;
  # fieldtype: B=boolean, N=numeric, S=string,
  #            N-: numeric, nonexistent field returns undef without complaint
  #            S-: string,  nonexistent field returns undef without complaint
  #            B-: boolean, nonexistent field returns undef without complaint
  #            B0: boolean, nonexistent field treated as false
  #            B1: boolean, nonexistent field treated as true
  return undef  if !defined($sql_query);
  my($self) = bless {}, $class;
  $self->{sql_query} = $sql_query;
  $self->{fieldname} = lc($fieldname);
  $self->{fieldtype} = uc($fieldtype);
  $self->{args} = ref($implied_args) eq 'ARRAY' ? [@$implied_args]  # copy
                  : [$implied_args]  if defined $implied_args;
  $self;
}

sub lookup_sql_field($$$) {
  my($self,$addr,$get_all) = @_;
  my(@result,@matchingkey);
  if (!defined($self)) {
    do_log(5, "lookup_sql_field - undefined, \"$addr\" no match");
  } elsif (!defined($self->{sql_query})) {
    do_log(5, sprintf("lookup_sql_field(%s) - null query, \"%s\" no match",
                      $self->{fieldname}, $addr));
  } else {
    my($field) = $self->{fieldname};
    my($res_ref,$mk_ref) = $self->{sql_query}->lookup_sql($addr,1,
                                  !exists($self->{args}) ? () : $self->{args});
    do_log(5, "lookup_sql_field($field), \"$addr\" no matching record")
      if !@$res_ref;
    for my $ind (0..$#$res_ref) {
      my($match); my($h_ref) = $res_ref->[$ind]; my($mk) = $mk_ref->[$ind];
      if (!exists($h_ref->{$field})) {
        # record found, but no field with that name in the table
        # fieldtype: B0: boolean, nonexistent field treated as false,
        #            B1: boolean, nonexistent field treated as true
        if (     $self->{fieldtype} =~ /^B0/) {  # boolean, defaults to false
          $match = 0;  # nonexistent field treated as 0
          do_log(5, "lookup_sql_field($field), no field, \"$addr\" result=$match");
        } elsif ($self->{fieldtype} =~ /^B1/) {  # defaults to true
          $match = 1;  # nonexistent field treated as 1
          do_log(5,"lookup_sql_field($field), no field, \"$addr\" result=$match");
        } elsif ($self->{fieldtype}=~/^.-/s) {   # allowed to not exist
          do_log(5,"lookup_sql_field($field), no field, \"$addr\" result=undef");
        } else {       # treated as 'no match', issue a warning
          do_log(1,"lookup_sql_field($field) ".
                   "(WARN: no such field in the SQL table), ".
                   "\"$addr\" result=undef");
        }
      } else {  # field exists
        # fieldtype: B=boolean, N=numeric, S=string
        $match = $h_ref->{$field};
        if (!defined($match)) {   # NULL field values represented as undef
        } elsif ($self->{fieldtype} =~ /^B/) {  # boolean
          # convert values 'N', 'F', '0', ' ' and "\000" to 0
          # to allow value to be used directly as a Perl boolean
          $match = 0  if $match =~ /^([NnFf ]|0+|\000+)[ ]*\z/;
        } elsif ($self->{fieldtype} =~ /^N/) {   # numeric
          $match = $match + 0;  # unify different numeric forms
        } elsif ($self->{fieldtype} =~ /^S/) {   # string
          $match =~ s/ +\z//;   # trim trailing spaces
        }
        do_log(5, "lookup_sql_field($field) \"$addr\" result=" .
                  (defined $match ? $match : 'undef') );
      }
      if (defined $match) {
        push(@result,$match); push(@matchingkey,$mk);
        last  if !$get_all;
      }
    }
  }
  if (!$get_all) { !wantarray ? $result[0] : ($result[0], $matchingkey[0]) }
  else           { !wantarray ? \@result   : (\@result,   \@matchingkey)   }
}

1;

#
package Amavis::Lookup::SQL;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
}

use DBI;

BEGIN {
  import Amavis::Conf qw(:platform :confvars c cr ca);
  import Amavis::Timing qw(section_time);
  import Amavis::Util qw(untaint snmp_count ll do_log);
  import Amavis::rfc2821_2822_Tools qw(make_query_keys);
}

use vars qw($sql_connected);

# Connect to a database.  Take a list of database connection
# parameters and try each until one succeeds.
#  -- based on code from Ben Ransford <amavis@uce.ransford.org> 2002-09-22
sub connect_to_sql(@) {
  my(@dsns) = @_;  # a list of DSNs to try connecting to sequentially
  my($dbh);
  do_log(3,"Connecting to SQL database server");
  for my $tmpdsn (@dsns) {
    my($dsn, $username, $password) = @$tmpdsn;
    do_log(4, "connect_to_sql: trying '$dsn'");
    $dbh = DBI->connect($dsn, $username, $password,
                        {PrintError => 0, RaiseError => 0, Taint => 1} );
    if ($dbh) { do_log(3,"connect_to_sql: '$dsn' succeeded"); last }
    do_log(-1,"connect_to_sql: unable to connect to DSN '$dsn': ".$DBI::errstr);
  }
  do_log(-2,"connect_to_sql: unable to connect to any DSN at all!")
    if !$dbh && @dsns > 1;
  $sql_connected = 1  if $dbh;
  $dbh;
}

# return a new Lookup::SQL object to contain DBI handle and prepared selects
sub new {
  my($class) = @_;  bless {}, $class;
}

# explicitly disconnect from SQL server
sub DESTROY {
  my($self) = shift;
  eval { do_log(5,"Amavis::Lookup::SQL called") };
  if (defined $self && $self->{dbh} && $sql_connected) {
    $sql_connected = 0;
    eval { $self->{dbh}->disconnect }; $self->{dbh} = undef;
  }
}

# store DBI handle and prepared selects into existing Lookup::SQL obj
sub store_dbh($$$) {
  my($self, $dbh, $select_clause) = @_;
  $self->{dbh} = $dbh;  # save DBI handle
  $self->{select_clause} = $select_clause;
  $self->clear_cache;   # let's start afresh just in case
  $self;
}

sub clear_cache {
  my($self) = @_;
  delete $self->{cache};
}

# lookup_sql() performs a lookup for an e-mail address against a SQL map.
# If a match is found it returns whatever the map returns (a reference
# to a hash containing values of requested fields), otherwise returns undef.
# A match aborts further fetching sequence, unless $get_all is true.
#
# SQL lookups (e.g. for user+foo@example.com) are performed in order
# which can be requested by 'ORDER BY' in the SELECT statement, otherwise
# the order is unspecified, which is only useful if only specific entries
# exist in a database (e.g. only full addresses, not domains).
#
# The following order is recommended, going from specific to more general:
#  - lookup for user+foo@example.com
#  - lookup for user@example.com (only if $recipient_delimiter nonempty)
#  - lookup for user+foo ('naked lookup': only if local)
#  - lookup for user  ('naked lookup': local and $recipient_delimiter nonempty)
#  - lookup for @sub.example.com
#  - lookup for @.sub.example.com
#  - lookup for @.example.com
#  - lookup for @.com
#  - lookup for @.       (catchall)
# NOTE:
#  this is different from hash and ACL lookups in two important aspects:
#    - a key without '@' implies mailbox (=user) name, not domain name;
#    - the naked mailbox name lookups are only performed when the e-mail addr
#      (usually its domain part) matches the static local_domains* lookups.
#
# The domain part is always lowercased when constructing a key,
# the localpart is lowercased unless $localpart_is_case_sensitive is true.
#
sub lookup_sql($$$;$) {
  my($self, $addr,$get_all,$extra_args) = @_;
  my(@matchingkey,@result);
  if (!defined $extra_args &&
      exists $self->{cache} && exists $self->{cache}->{$addr})
  { # cached ?
    my($c) = $self->{cache}->{$addr}; @result = @$c  if ref $c;
    @matchingkey = map {'/cached/'} @result; #will do for now, improve some day
    if (!ll(5)) {
      # don't bother preparing log report which will not be printed
    } elsif (!@result) {
      do_log(5,"lookup_sql (cached): \"$addr\" no match");
    } else {
      for my $m (@result) {
        do_log(5, sprintf("lookup_sql (cached): \"%s\" matches, result=(%s)",
          $addr, join(", ", map { sprintf("%s=>%s", $_,
                                  !defined($m->{$_})?'-':'"'.$m->{$_}.'"'
                                         ) } sort keys(%$m) ) ));
      }
    }
    if (!$get_all) {
      return(!wantarray ? $result[0] : ($result[0], $matchingkey[0]));
    } else {
      return(!wantarray ? \@result   : (\@result,   \@matchingkey));
    }
  }
  if (!$sql_connected) {
    my($sql_dbh) = connect_to_sql(@lookup_sql_dsn);
    section_time('sql-connect');
    defined($sql_dbh) or die "SQL server(s) not reachable";
    $sql_dbh->{'RaiseError'} = 1;
    $Amavis::sql_policy->store_dbh($sql_dbh, $sql_select_policy)
      if defined $sql_select_policy;
    $Amavis::sql_wblist->store_dbh($sql_dbh, $sql_select_white_black_list)
      if defined $sql_select_white_black_list;
  }
  my($is_local);  # $local_domains_sql is not looked up to avoid recursion!
  $is_local = Amavis::Lookup::lookup(0,$addr,
                                     grep {ref ne 'Amavis::Lookup::SQL' &&
                                           ref ne 'Amavis::Lookup::SQLfield' &&
                                           ref ne 'Amavis::Lookup::LDAP' &&
                                           ref ne 'Amavis::Lookup::LDAPattr'}
                                           @{ca('local_domains_maps')});
  my($keys_ref,$rhs_ref) = make_query_keys($addr,0,$is_local);
  my(@keys) = @$keys_ref;
  my($n) = sprintf("%d",scalar(@keys));  # number of keys
  my($sel) = $self->{select_clause};
  my($k_cnt) = $sel =~ s/%k/join(',',('?')x$n)/ge;
  if (!exists $self->{"sth$n"}) {
    # 'prepare' appropriate query only when needed, and save it for reuse
    do_log(5,"SQL prepare($n): $sel");
    $self->{"sth$n"} = $self->{dbh}->prepare($sel);
  }
  my($sth) = $self->{"sth$n"};
  @keys = (@keys) x $k_cnt  if $k_cnt != 1;
  unshift(@keys,@$extra_args)  if ref $extra_args;  # prepend extra arguments
  do_log(4,"lookup_sql \"$addr\", query keys: ".join(', ',map{"\"$_\""}@keys));
  do_log(4,"lookup_sql select: $sel");
  my($a_ref,$found); my($match) = {};
  eval {
    snmp_count('OpsSqlSelect');
    $sth->execute(map { untaint($_) } @keys);  # do the query
    while ( defined($a_ref=$sth->fetchrow_arrayref) ) {  # fetch query results
      my(@names) = @{$sth->{NAME_lc}};
      $match = {}; @$match{@names} = @$a_ref;
      if (!exists $match->{'local'} && $match->{'email'} eq '@.') {
        # UGLY HACK to let a catchall (@.) imply that field 'local' has
        # a value undef (NULL) when that field is not present in the
        # database. This overrides B1 fieldtype default by an explicit
        # undef for '@.', causing a fallback to static lookup tables.
        # The purpose is to provide a useful default for local_domains
        # lookup if the field 'local' is not present in the SQL table.
        # NOTE: field names 'local' and 'email' are hardwired here!!!
        push(@names,'local'); $match->{'local'} = undef;
        do_log(5, "lookup_sql: \"$addr\" matches catchall, local=>undef");
      }
      push(@result, {%$match});  # copy hash
      push(@matchingkey, join(", ", map { sprintf("%s=>%s", $_,
                                !defined($match->{$_})?'-':'"'.$match->{$_}.'"'
                                ) } @names));
      last  if !$get_all;
    }
    $sth->finish();
  };  # eval
  if ($@ ne '') {
    my($err) = $@;
    do_log(-1, "lookup_sql: $DBI::err, $DBI::errstr");
    if (!$sth) {}
    elsif ($sth->err eq '2006' || $sth->errstr =~ /\bserver has gone away\b/ ||
           $sth->err eq '2013' || $sth->errstr =~ /\bLost connection to\b/) {
      do_log(-1,"NOTICE: Disconnected from SQL server");
      $sql_connected = 0;  $self->{dbh}->disconnect;  $self->{dbh} = undef;
    }
    die $err;
  }
  if (!ll(4)) {
    # don't bother preparing log report which will not be printed
  } elsif (!@result) {
    do_log(4, "lookup_sql, \"$addr\" no match")
  } else {
    do_log(4, "lookup_sql($addr) matches, result=($_)")  for @matchingkey;
  }
  # save for future use, but only within processing of this message
  $self->{cache}->{$addr} = \@result;
  section_time('lookup_sql');
  if (!$get_all) { !wantarray ? $result[0] : ($result[0], $matchingkey[0]) }
  else           { !wantarray ? \@result   : (\@result,   \@matchingkey)   }
}

1;

__DATA__
#^L
package Amavis::Lookup::LDAPattr;

use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);

  import Amavis::Util qw(ll do_log)
}

# attrtype: B=boolean, N=numeric, S=string, L=list
#           N-: numeric, nonexistent field returns undef without complaint
#           S-: string,  nonexistent field returns undef without complaint
#           L-: list,    nonexistent field returns undef without complaint
#           B-: boolean, nonexistent field returns undef without complaint
#           B0: boolean, nonexistent field treated as false
#           B1: boolean, nonexistent field treated as true

sub new($$$;$) {
  my($class,$ldap_query,$attrname,$attrtype) = @_;
  return undef  if !defined($ldap_query);
  my($self) = bless {}, $class;
  $self->{ldap_query} = $ldap_query;
  $self->{attrname}   = lc($attrname);
  $self->{attrtype}   = uc($attrtype);
  $self;
}

sub lookup_ldap_attr($$$) {
  my($self,$addr,$get_all) = @_;
  my(@result,@matchingkey);
  if (!defined($self)) {
    do_log(5,"lookup_ldap_attr - undefined, \"$addr\" no match");
  } elsif (!defined($self->{ldap_query})) {
    do_log(5,sprintf("lookup_ldap_attr(%s) - null query, \"%s\" no match",
                      $self->{attrname}, $addr));
  } else {
    my($attr) = $self->{attrname};
    my($res_ref,$mk_ref) = $self->{ldap_query}->lookup_ldap($addr,1);
    do_log(5,"lookup_ldap_attr($attr), \"$addr\" no matching record")
      if !@$res_ref;
    for my $ind (0..$#$res_ref) {
      my($match); my($h_ref) = $res_ref->[$ind]; my($mk) = $mk_ref->[$ind];
      if (!exists($h_ref->{$attr})) {
        # record found, but no attribute with that name in the table
        if (     $self->{attrtype} =~ /^B0/) { # boolean, defaults to false
          $match = 0; # nonexistent attribute treated as 0
          do_log(5,"lookup_ldap_attr($attr), no attribute, \"$addr\" result=$match");
        } elsif ($self->{attrtype} =~ /^B1/) { # boolean, defaults to true
          $match = 1; # nonexistent attribute treated as 1
          do_log(5,"lookup_ldap_attr($attr), no attribute, \"$addr\" result=$match");
        } elsif ($self->{attrtype}=~/^.-/s) { # allowed to not exist
          do_log(5,"lookup_ldap_attr($attr), no attribute, \"$addr\" result=undef");
        } else { # treated as 'no match', issue a warning
          do_log(1,"lookup_ldap_attr($attr) ".
                   "(WARN: no such attribute in LDAP entry), ".
                   "\"$addr\" result=undef");
        }
      } else { # attribute exists
        $match = $h_ref->{$attr};
        if (!defined($match)) { # NULL attribute values represented as undef
        } elsif ($self->{attrtype} =~ /^B/) { # boolean
          $match = $match eq "TRUE" ? 1 : 0; # convert TRUE|FALSE to 1|0
        } elsif ($self->{attrtype} =~ /^N/) { # numeric
          $match = $match + 0;  # unify different numeric forms
        } elsif ($self->{attrtype} =~ /^S/) { # string
          $match =~ s/ +\z//;   # trim trailing spaces
        } elsif ($self->{attrtype} =~ /^L/) { # list
          #$match = join(", ",@$match);
        }
        do_log(5,sprintf("lookup_ldap_attr(%s) \"%s\" result=(%s)",
                  $attr, $addr, defined($match) ? $match : 'undef'));
      }
      if (defined $match) {
        push(@result,$match); push(@matchingkey,$mk);
        last  if !$get_all;
      }
    }
  }
  if (!$get_all) { !wantarray ? $result[0] : ($result[0], $matchingkey[0]) }
  else           { !wantarray ? \@result   : (\@result,   \@matchingkey)   }
}

1;

#
package Amavis::Lookup::LDAP;

use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION
              $ldap_sys_default @ldap_attrs);
  $VERSION = '2.033';
  @ISA = qw(Exporter);

  import Amavis::Conf qw(:platform :confvars c cr ca);
  import Amavis::Timing qw(section_time);
  import Amavis::Util qw(untaint snmp_count ll do_log);
  import Amavis::rfc2821_2822_Tools qw(make_query_keys);

  $ldap_sys_default = {
    hostname      => 'localhost',
    port          => 389,
    timeout       => 120,
    tls           => 0,
    base          => undef,
    scope         => 'sub',
    query_filter  => '(&(objectClass=amavisAccount)(mail=%m))',
    bind_dn       => undef,
    bind_password => undef,
  };

  @ldap_attrs = qw(amavisVirusLover amavisSpamLover amavisBannedFilesLover
    amavisBadHeaderLover amavisBypassVirusChecks amavisBypassSpamChecks
    amavisBypassBannedChecks amavisBypassHeaderChecks amavisSpamTagLevel
    amavisSpamTag2Level amavisSpamKillLevel amavisSpamModifiesSubject
    amavisVirusQuarantineTo amavisSpamQuarantineTo amavisBannedQuarantineTo
    amavisBadHeaderQuarantineTo amavisBlacklistSender amavisWhitelistSender
    amavisLocal amavisMessageSizeLimit mail
  );
}

use vars qw($ldap_connected);

sub new {
  my($class,$default) = @_;
  my($self) = bless {}, $class;
  for (qw(hostname port timeout tls base scope query_filter
          bind_dn bind_password)) {
    # replace undefined attributes with defaults
    $self->{$_} = $default->{$_}          unless defined($self->{$_});
    $self->{$_} = $ldap_sys_default->{$_} unless defined($self->{$_});
  }
  $self;
}

# explicitly disconnect from LDAP server
sub DESTROY {
  my($self) = shift;
  eval { do_log(5,"Amavis::Lookup::LDAP called") };
  if (defined $self && $self->{ldap} && $ldap_connected) {
    $ldap_connected = 0;
    eval { $self->{ldap}->disconnect }; $self->{ldap} = undef;
  }
}

sub connect_to_ldap {
  my($self) = @_;
  my($ldap);
  do_log(3,"Connecting to LDAP host");
  my $hostlist = ref $self->{hostname} eq 'ARRAY' ?
                     join(", ",@{$self->{hostname}}) : $self->{hostname};
  do_log(4,"connect_to_ldap: trying $hostlist");
  $ldap = Net::LDAP->new($self->{hostname},
                         port    => $self->{port},
                         timeout => $self->{timeout},
                         onerror => 'undef');
  if ($ldap) {
    do_log(3,"connect_to_ldap: connected to $hostlist");
  } else {
    do_log(-1,"connect_to_ldap: unable to connect to host $hostlist");
    return undef;
  }
  if ($self->{tls}) {  # TLS required
    my $tlsVer = $ldap->start_tls(verify=>'none');
    do_log(3,"connect_to_ldap: TLS version $tlsVer enabled");
  }
  if ($self->{bind_dn}) {  # binding required
    if ($ldap->bind($self->{bind_dn}, password => $self->{bind_password})) {
      do_log(3,"connect_to_ldap: bind $self->{bind_dn} succeeded");
    } else {
      do_log(-1,"connect_to_ldap: bind $self->{bind_dn} failed");
      return undef;
    }
  }
  $ldap_connected = 1  if $ldap;
  $ldap;
}

sub store_ldap($$) {
  my($self,$ldap) = @_;
  $self->{ldap} = $ldap; # save LDAP handle
  $self->clear_cache;    # let's start afresh just in case
  $self;
}

sub clear_cache {
  my($self) = @_;
  delete $self->{cache};
}

sub lookup_ldap($$$) {
  my($self,$addr,$get_all) = @_;
  my(@matchingkey,@result);
  if (exists $self->{cache} && exists $self->{cache}->{$addr}) { # cached?
    my($c) = $self->{cache}->{$addr}; @result = @$c if ref $c;
    @matchingkey = map {'/cached/'} @result; # will do for now, improve some day
    if (!ll(5)) {
      # don't bother preparing log report which will not be printed
    } elsif (!@result) {
      do_log(5,"lookup_ldap (cached): \"$addr\" no match");
    } else {
      for my $m (@result) {
        do_log(5, sprintf("lookup_ldap (cached): \"%s\" matches, result=(%s)",
          $addr, join(", ", map { sprintf("%s=>%s", $_,
                                  !defined($m->{$_})?'-':'"'.$m->{$_}.'"'
                                         ) } sort keys(%$m) ) ));
      }
    }
    if (!$get_all) {
      return(!wantarray ? $result[0] : ($result[0], $matchingkey[0]));
    } else {
      return(!wantarray ? \@result   : (\@result,   \@matchingkey));
    }
  }
  if (!$ldap_connected) {
    my($ldap) = $self->connect_to_ldap;
    defined($ldap) or die "LDAP server(s) not reachable";
    $self->store_ldap($ldap);
    section_time('ldap-connect');
  }
  my($is_local);  # $local_domains_ldap is not looked up to avoid recursion!
  $is_local = Amavis::Lookup::lookup(0,$addr,
                                     grep {ref ne 'Amavis::Lookup::SQL' &&
                                           ref ne 'Amavis::Lookup::SQLfield' &&
                                           ref ne 'Amavis::Lookup::LDAP' &&
                                           ref ne 'Amavis::Lookup::LDAPattr'}
                                           @{ca('local_domains_maps')});
  my($keys_ref,$rhs_ref) = make_query_keys($addr,0,$is_local);
  my(@keys) = @$keys_ref;
  $_ = untaint($_) for @keys; # untaint keys
  do_log(4,sprintf("lookup_ldap \"%s\", query keys: %s, %s",
               $addr, join(', ',map{"\"$_\""}@keys), $self->{query_filter}));
  my($result);
  eval {
    snmp_count('OpsLDAPSearch');
    for my $key (@keys) {
      my($match) = {};
      (my $filter = $self->{query_filter}) =~ s/%m/$key/g;
      do_log(9,sprintf(
        "lookup_ldap: searching base=\"%s\", scope=\"%s\", filter=\"%s\"",
         $self->{base}, $self->{scope}, $filter));
      $result = $self->{ldap}->search(base   => $self->{base},
                                      scope  => $self->{scope},
                                      filter => $filter,
                                      attrs  => [@ldap_attrs],);
      my $entry = $result->entry(0); # only use first record returned
      next unless $entry;            # no entry found, try next key
      for my $attr (@ldap_attrs) {
        my($value);
        $attr = lc($attr);
        do_log(9,"lookup_ldap: reading attribute \"$attr\" from object");
        if ($attr =~ /^amavis(white|black)listsender\z/) { # multivalued (list)
          $value = $entry->get_value($attr, asref => 1);
        } else {
          $value = $entry->get_value($attr);
        }
        $match->{$attr} = $value if $value;
      }
      if (!exists $match->{'amavislocal'} && $match->{'mail'} eq '@.') {
        # NOTE: see lookup_sql
        $match->{'amavislocal'} = undef;
        do_log(5,"lookup_ldap: \"$addr\" matches catchall, amavislocal=>undef");
      }
      push(@result, {%$match}); # copy hash
      push(@matchingkey, join(", ", map { sprintf("%s=>%s", $_,
           !defined($match->{$_})?'-':'"'.$match->{$_}.'"' ) } keys(%$match)));
      last if !$get_all;
    }
  }; # eval
  if ($@ ne '') {
    my($err) = $@;
    do_log(-1,"lookup_ldap: $err");
    if (!$result || $result->code() != 'LDAP_SUCCESS') {
      my $code = $result?$result->code():-1;
      my $errname = Net::LDAP::Util::ldap_error_name->($code);
      if ($errname eq 'LDAP_PARAM_ERROR') {
        do_log(-1,"NOTICE: LDAP error - LDAP_PARAM_ERROR");
      }
      else { # probably lost connection to server
        do_log(-1,"NOTICE: Check LDAP server, lost connection?");
        $ldap_connected = 0; $self->{ldap}->disconnect; $self->{ldap} = undef;
      }
    }
    die $err;
  }
  if (!ll(4)) {
    # don't bother preparing log report which will not be printed
  } elsif (!@result) {
    do_log(4,"lookup_ldap, \"$addr\" no match")
  } else {
    do_log(4,"lookup_ldap($addr) matches, result=($_)") for @matchingkey;
  }
  # save for future use, but only within processing of this message
  $self->{cache}->{$addr} = \@result;
  section_time('lookup_ldap');
  if (!$get_all) { !wantarray ? $result[0] : ($result[0], $matchingkey[0]) }
  else           { !wantarray ? \@result   : (\@result,   \@matchingkey)   }
}

1;

__DATA__
#
package Amavis::In::AMCL;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
}

use subs @EXPORT;
use Errno qw(ENOENT);
use IO::File ();

BEGIN {
  import Amavis::Conf qw(:platform :confvars c cr ca);
  import Amavis::Util qw(ll do_log debug_oneshot snmp_counters_init snmp_count
                         am_id new_am_id untaint rmdir_recursively);
  import Amavis::Lookup qw(lookup);
  import Amavis::Timing qw(section_time);
  import Amavis::rfc2821_2822_Tools;
  import Amavis::In::Message;
  import Amavis::In::Connection;
  import Amavis::Out::EditHeader qw(hdr);
  import Amavis::rfc2821_2822_Tools qw(/^EX_/);
}

sub new($) { my($class) = @_;  bless {}, $class }

# (used with sendmail milter and traditional (non-SMTP) MTA interface)
#
sub process_policy_request($$$$) {
  my($self, $sock, $conn, $check_mail, $old_amcl) = @_;
  # $sock:       connected socket from Net::Server
  # $conn:       information about client connection
  # $check_mail: subroutine ref to be called with file handle

  my(%attr);
  $0 = sprintf("amavisd (ch%d-P-idle)", $Amavis::child_invocation_count);
  if ($old_amcl) {
    # Accept a single request from traditional amavis helper program.
    # Receive TEMPDIR/SENDER/RCPTS/LDA/LDAARGS from client
    # Simple "protocol": \2 means LDA; \3 means EOT (end of transmission)
    my($state) = 0; $attr{'request'} = 'AM.CL'; my($response) = "\001";
    my($rv,@recips,@ldaargs,$inbuff); local($1);
    my(@attr_names) = qw(tempdir sender recipient ldaargs);
    while (defined($rv = recv($sock, $inbuff, 8192, 0))) {
      $0 = sprintf("amavisd (ch%d-P)", $Amavis::child_invocation_count);
      if ($state < 2) {
        $attr{$attr_names[$state]} = $inbuff; $state++;
      } elsif ($state == 2 && $inbuff eq "\002") {
        $state++;
      } elsif ($state >= 2 && $inbuff eq "\003") {
        section_time('got data');
        $attr{'recipient'} = \@recips; $attr{'ldaargs'} = \@ldaargs;
        $attr{'delivery_care_of'} = @ldaargs ? 'client' : 'server';
        eval {
          my($msginfo) = preprocess_policy_query(\%attr);
          $response = (map { /^exit_code=(\d+)\z/ ? $1 : () }
                           check_amcl_policy($conn,$msginfo,$check_mail,1))[0];
        };
        if ($@ ne '') {
          chomp($@); do_log(-2,"policy_server FAILED: $@");
          $response = EX_TEMPFAIL;
        }
        $state = 4;
      } elsif ($state == 2) {
        push(@recips, $inbuff);
      } else {
        push(@ldaargs, $inbuff);
      }
      defined(send($sock,$response,0))
        or die "send failed in state $state: $!";
      last  if $state >= 4;
      $0 = sprintf("amavisd (ch%d-P-idle)", $Amavis::child_invocation_count);
    }
    if ($state==4 && defined($rv)) {
      # normal termination
    } elsif (!defined($rv) && $! != 0) {
      die "recv failed in state $state: $!";
    } else {  # eof or a runaway state
      die "helper client session terminated unexpectedly, state: $state";
    }
    do_log(2, Amavis::Timing::report());  # report elapsed times

  } else {  # new amavis helper protocol AM.PDP or a Postfix policy server
    # for Postfix policy server see Postfix docs SMTPD_POLICY_README
    my(@response); local($1,$2,$3);
    local($/) = "\012";  # set line terminator to LF (Postfix idiosyncrasy)
    $! = undef;
    while(<$sock>) {     # can accept multiple tasks
      $0 = sprintf("amavisd (ch%d-P)", $Amavis::child_invocation_count);
      Amavis::Timing::init(); snmp_counters_init();
      # must not use \r and \n, not \015 and \012 on certain platforms
      if (/^\015?\012\z/) {  # end of request
        section_time('got data');
        eval {
          my($msginfo) = preprocess_policy_query(\%attr);
          @response = $attr{'request'} eq 'smtpd_access_policy'
                        ? postfix_policy($conn,$msginfo,\%attr)
                        : check_amcl_policy($conn,$msginfo,$check_mail,0);
        };
        if ($@ ne '') {
          chomp($@); do_log(-2, "policy_server FAILED: $@");
          @response = (proto_encode('setreply','450','4.5.0',"Failure: $@"),
                       proto_encode('return_value','tempfail'),
                       proto_encode('exit_code',sprintf("%d",EX_TEMPFAIL)));
        # last;
        }
        $sock->print( map { $_."\015\012" } (@response,'') )
          or die "Can't write response to socket: $!";
        %attr = (); @response = ();
        do_log(2, Amavis::Timing::report());
      } elsif (/^ ([^=\000\012]*?) (=|:[ \t]*)
                  ([^\012]*?) \015?\012 \z/xsi) {
        my($attr_name) = Amavis::tcp_lookup_decode($1);
        my($attr_val)  = Amavis::tcp_lookup_decode($3);
        if (!exists $attr{$attr_name}) {
          $attr{$attr_name} = $attr_val;
        } else {
          if (!ref($attr{$attr_name}))
            { $attr{$attr_name} = [ $attr{$attr_name} ] }
          push(@{$attr{$attr_name}}, $attr_val);
        }
        my($known_attr) = scalar(grep {$_ eq $attr_name} qw(
          request helo_name protocol_state protocol_name queue_id
          client_name client_address sender recipient) );
        do_log(!$known_attr?-1:1, "policy protocol: $attr_name=$attr_val");
      } else {
        do_log(-1, "policy protocol: INVALID ATTRIBUTE LINE: $_");
      }
      $0 = sprintf("amavisd (ch%d-P-idle)", $Amavis::child_invocation_count);
      $! = undef;  # we'll be interested in the errno from the I/O op in while
    }
    if (!defined($_) && $! != 0) { die "read from client socket FAILED: $!" }
  };
  $0 = sprintf("amavisd (ch%d-P)", $Amavis::child_invocation_count);
}

# Return a new Amavis::In::Message object
# based on given policy query attributes
#
sub preprocess_policy_query($) {
  my($attr_ref) = @_;

  my($msginfo) = Amavis::In::Message->new;
  $msginfo->rx_time(time);  # now

  # amavisd -> amavis-helper protocol query consists of any number of
  # the following lines, the response is terminated by an empty line.
  # The 'request=AM.PDP' is a required first field, the order of
  # remaining fields is arbitrary.
  # Required fields are: request, tempdir, sender, recipient (one or more)
  #   request=AM.PDP
  #   tempdir=/var/amavis/amavis-milter-MWZmu9Di
  #   tempdir_removed_by=client    (tempdir_removed_by=server is a default)
  #   mail_file=/var/amavis/am.../email.txt (defaults to tempdir/email.txt)
  #   sender=<foo@example.com>
  #   recipient=<bar1@example.net>
  #   recipient=<bar2@example.net>
  #   recipient=<bar3@example.net>
  #   delivery_care_of=server      (client or server, client is a default)
  #   queue_id=qid
  #   protocol_name=ESMTP
  #   helo_name=b.example.com
  #   client_address=10.2.3.4

  my($sender,@recips);
  $msginfo->delivery_method(
    lc($attr_ref->{'delivery_care_of'}) eq 'server' ? c('forward_method') :'');
  $msginfo->client_delete(lc($attr_ref->{'tempdir_removed_by'}) eq 'client'
                          ? 1 : 0);
  $msginfo->queue_id($attr_ref->{'queue_id'})
    if exists $attr_ref->{'queue_id'};
  $msginfo->client_addr($attr_ref->{'client_address'})
    if exists $attr_ref->{'client_address'};
  $msginfo->client_name($attr_ref->{'client_name'})
    if exists $attr_ref->{'client_name'};
  $msginfo->client_proto($attr_ref->{'protocol_name'})
    if exists $attr_ref->{'protocol_name'};
  $msginfo->client_helo($attr_ref->{'helo_name'})
    if exists $attr_ref->{'helo_name'};
  if (exists $attr_ref->{'sender'}) {
    $sender = $attr_ref->{'sender'};
    $sender = unquote_rfc2821_local($sender);
    $msginfo->sender($sender);
  }
  if (exists $attr_ref->{'recipient'}) {
    my($r) = $attr_ref->{'recipient'};
    @recips = !ref($r) ? $r : @$r;
    $_ = unquote_rfc2821_local($_)  for @recips;
    $msginfo->recips(\@recips);
  }
  if (!exists $attr_ref->{'tempdir'}) {
    $msginfo->mail_tempdir($TEMPBASE);  # defaults to $TEMPBASE
  } else {
    local($1,$2); my($tempdir) = $attr_ref->{tempdir};
    $tempdir =~ /^ (?: \Q$TEMPBASE\E | \Q$MYHOME\E )
                   \/ (?! \.{1,2} \z) [A-Za-z0-9_.-]+ \z/xso
      or die "Invalid/unexpected temporary directory name '$tempdir'";
    $msginfo->mail_tempdir(untaint($tempdir));
  }
  if (!exists $attr_ref->{'mail_file'}) {
    $msginfo->mail_text_fn($msginfo->mail_tempdir . '/email.txt');
  } else {
    # SECURITY: just believe the supplied file name, blindly untainting it
    $msginfo->mail_text_fn(untaint($attr_ref->{'mail_file'}));
  }
  if ($msginfo->mail_text_fn ne '') {
    my($fname) = $msginfo->mail_text_fn;
    do_log(5, "preprocess_policy_query: opening mail file '$fname'");
    # set new amavis message id
    new_am_id( ($fname =~ m{amavis-(milter-)?([^/]+?)\z}s ? $2 : undef) );
    # file created by amavis helper program, just open it
    my($fh) = IO::File->new;
    $fh->open($fname,'<') or die "Can't open file $fname: $!";
    binmode($fh,":bytes") or die "Can't cancel :utf8 mode: $!"
      if $unicode_aware;
    $msginfo->mail_text($fh);  # save file handle to object
  }
  if ($attr_ref->{'request'} =~ /^AM\.(CL|PDP)\z/) {
    do_log(1, sprintf("%s %s: <%s> -> %s",
                      $attr_ref->{'request'}, $msginfo->mail_tempdir, $sender,
                      join(',', qquote_rfc2821_local(@recips)) ));
  } else {
    do_log(1, sprintf("%s(%s): %s %s: %s[%s] <%s> -> <%s>",
                    @$attr_ref{qw(request protocol_state protocol_name queue_id
                    client_name client_address sender recipient)}));
  }
  $msginfo;
}

sub check_amcl_policy($$$$) {
  my($conn,$msginfo,$check_mail,$old_amcl) = @_;

  my($smtp_resp, $exit_code, $preserve_evidence);
  my(%baseline_policy_bank); my($policy_changed) = 0;
  %baseline_policy_bank = %current_policy_bank;
  # do some sanity checks before deciding to call check_mail()
  if (!ref($msginfo->per_recip_data) || !defined($msginfo->mail_text)) {
    $smtp_resp = '450 4.5.0 Incomplete request'; $exit_code = EX_TEMPFAIL;
  } else {
    my($cl_ip) = $msginfo->client_addr;
    if ($cl_ip ne '' && defined $policy_bank{'MYNETS'}
        && lookup_ip_acl($cl_ip,@{ca('mynetworks_maps')}) ) {
      Amavis::load_policy_bank('MYNETS'); $policy_changed = 1;
    }
    debug_oneshot(1)  if lookup(0,$msginfo->sender,@{ca('debug_sender_maps')});
    # check_mail() expects open file on $fh, need not be rewound
    my($fh) = $msginfo->mail_text;  my($tempdir) = $msginfo->mail_tempdir;
    ($smtp_resp, $exit_code, $preserve_evidence) =
      &$check_mail($conn,$msginfo,0,$tempdir);
    $fh->close or die "Can't close temp file: $!"   if $fh;
    $fh = undef; $msginfo->mail_text(undef);
    my($errn) = $tempdir eq '' ? ENOENT : (stat($tempdir) ? 0 : 0+$!);
    if ($tempdir eq '' || $errn == ENOENT) {
      # do nothing
    } elsif ($msginfo->client_delete) {
      do_log(4, "AM.PDP: deletion of $tempdir is client's responsibility");
    } elsif ($preserve_evidence) {
      do_log(-1,"AM.PDP: tempdir is to be PRESERVED: $tempdir");
    } else {
      do_log(4, "AM.PDP: tempdir being removed: $tempdir");
      my($fname) = $msginfo->mail_text_fn;
      unlink($fname) or die "Can't remove file $fname: $!"  if $fname ne '';
      rmdir_recursively($tempdir);
    }
  }
  # amavisd -> amavis-helper protocol response consists of any number of
  # the following lines, the response is terminated by an empty line
  #   addrcpt=recipient
  #   delrcpt=recipient
  #   addheader=hdr_head hdr_body
  #   chgheader=index hdr_head hdr_body
  #   delheader=index hdr_head
  #   replacebody=new_body  (not implemented)
  #   return_value=continue|reject|discard|accept|tempfail
  #   setreply=rcode xcode message
  #   exit_code=n           (old amavis helper, not applicable to milter)

  my(@response); my($rcpt_deletes,$rcpt_count)=(0,0);
  if (ref($msginfo->per_recip_data)) {
    for my $r (@{$msginfo->per_recip_data})
      { $rcpt_count++;  if ($r->recip_done) { $rcpt_deletes++ } }
  }
  if ($smtp_resp=~/^([1-5]\d\d) ([245]\.\d{1,3}\.\d{1,3})(?: |\z)(.*)\z/s)
    { push(@response, proto_encode('setreply', $1,$2,$3)) }
  if ($exit_code == EX_TEMPFAIL) {
    push(@response, proto_encode('return_value','tempfail'));
  } elsif ($exit_code == EX_NOUSER) {          # reject the whole message
    push(@response, proto_encode('return_value','reject'));
  } elsif ($exit_code == EX_UNAVAILABLE) {     # reject the whole message
    push(@response, proto_encode('return_value','reject'));
  } elsif ($exit_code == 99) {                 # discard the whole message
    push(@response, proto_encode('return_value','discard'));
  } elsif ($rcpt_count-$rcpt_deletes <= 0) {   # none left, should be discarded
    # discarding could have been requested (?)
    do_log(-1, "WARN: no recips left (forgot to set ".
               "\$forward_method=undef using milter?), $smtp_resp");
    $exit_code = 99;
    push(@response, proto_encode('return_value','discard'));
  } elsif ($msginfo->delivery_method ne '') {
    # tell MTA to discard the message, amavisd will do the forwarding
    $exit_code = 99;   # *** 99 or EX_OK; ???
    push(@response, proto_encode('return_value','discard'));
  } else {  # EX_OK
    for my $r (@{$msginfo->per_recip_data}) {  # modified recipient addresses?
      my($addr,$newaddr) = ($r->recip_addr, $r->recip_final_addr);
      if ($r->recip_done) {          # delete
        push(@response, proto_encode('delrcpt',
                                     quote_rfc2821_local($addr)));
      } elsif ($newaddr ne $addr) {  # modify, e.g. adding extension
        push(@response, proto_encode('delrcpt',
                                     quote_rfc2821_local($addr)));
        push(@response, proto_encode('addrcpt',
                                     quote_rfc2821_local($newaddr)));
      }
    }
    my($hdr_edits) = $msginfo->header_edits;
    if ($hdr_edits) {  # any added or modified header fields?
      local($1,$2);
      # Inserting. Not posible to specify placement of header fields in milter!
      for my $hf (@{$hdr_edits->{prepend}}, @{$hdr_edits->{append}}) {
        if ($hf =~ /^([^:]+):[ \t]*(.*?)$/s)
          { push(@response, proto_encode('addheader',$1,$2)) }
      }
      my($field_name,$edit,$field_body);
      while ( ($field_name,$edit) = each %{$hdr_edits->{edit}} ) {
        $field_body = $msginfo->mime_entity->head->get($field_name,0);
        if (!defined($field_body)) {
          # such header field does not exist, do nothing
        } elsif (!defined($edit)) {  # delete existing header field
          push(@response, proto_encode('delheader',"1",$field_name));
        } else {                     # edit the first occurrence
          chomp($field_body);
          $field_body = hdr($field_name, &$edit($field_name,$field_body));
          $field_body = $1  if $field_body =~ /^[^:]+:[ \t]*(.*?)$/s;
          push(@response, proto_encode('chgheader', "1",
                                       $field_name, $field_body));
        }
      }
    }
    if ($old_amcl) {   # milter via old amavis helper program
      # warn if there is anything that should be done but MTA is not capable of
      # (or a helper program can not pass the request)
      for (grep { /^(delrcpt|addrcpt)=/ } @response)
        { do_log(-1, "WARN: MTA can't do: $_") }
      if ($rcpt_deletes && $rcpt_count-$rcpt_deletes > 0) {
        do_log(-1, "WARN: ACCEPT THE WHOLE MESSAGE, ".
                   "MTA-in can't do selective recips deletion");
      }
    }
    push(@response, proto_encode('return_value','continue'));
  }
  push(@response, proto_encode('exit_code',"$exit_code"));
  do_log(2, "mail checking ended: ".join("\n",@response));
  if ($policy_changed) {
    %current_policy_bank = %baseline_policy_bank; $policy_changed = 0;
  }
  @response;
}

sub postfix_policy($$$) {
  my($conn,$msginfo,$attr_ref) = @_;
  my(@response);
  if (!exists($attr_ref->{'request'})) {
    die "no 'request' attribute";
  } elsif ($attr_ref->{'request'} ne 'smtpd_access_policy') {
    die ("unknown 'request' value: " . $attr_ref->{'request'});
  } else {
    @response = 'action=DUNNO';
  }
  @response;
}

sub proto_encode($@) {
  my($attribute_name,@strings) = @_; local($1);
  $attribute_name =~    # encode all but alfanumerics, '_' and '-'
    s/([^0-9a-zA-Z_-])/sprintf("%%%02x",ord($1))/eg;
  for (@strings) {      # encode % and nonprintables
    s/([^\041-\044\046-\176])/sprintf("%%%02x",ord($1))/eg;
  }
  ## encode % and nonprintables, but leave SP and TAB as-is
  # $str =~ s/[^\011\040-\044\046-\176]/sprintf("%%%02x",ord($&))/eg;
  $attribute_name . '=' . join(' ',@strings);
}

1;

__DATA__
#
package Amavis::In::SMTP;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
}
use Errno qw(ENOENT);
use MIME::Base64;

BEGIN {
  import Amavis::Conf qw(:platform :confvars c cr ca);
  import Amavis::Util qw(ll do_log am_id new_am_id snmp_counters_init
                         prolong_timer debug_oneshot sanitize_str
                         strip_tempdir rmdir_recursively);
  import Amavis::Lookup qw(lookup lookup_ip_acl);
  import Amavis::Timing qw(section_time);
  import Amavis::rfc2821_2822_Tools;
  import Amavis::In::Message;
  import Amavis::In::Connection;
}

sub new($) {
  my($class) = @_;
  my($self) = bless {}, $class;
  $self->{sock} = undef;              # SMTP socket
  $self->{proto} = undef;             # SMTP / ((ESMTP / LMTP) (A | S | SA)? )
  $self->{pipelining}  = undef;       # may we buffer responses?
  $self->{smtp_outbuf} = undef;       # SMTP responses buffer for PIPELINING
  $self->{fh_pers} = undef;           # persistent file handle for email.txt
  $self->{tempdir_persistent} = undef;# temporary directory for check_mail
  $self->{preserve} = undef;          # don't delete tempdir on exit
  $self->{tempdir_empty} = 1;         # anything of interest in tempdir?
  $self->{session_closed_normally} = undef; # closed properly with QUIT
  $self;
}

sub preserve_evidence  # try to preserve temporary files etc in case of trouble
  { my($self)=shift; !@_ ? $self->{preserve} : ($self->{preserve}=shift) }

sub DESTROY {
  my($self) = shift;
  eval { do_log(5,"Amavis::In::SMTP::DESTROY called") };
  eval {
    $self->{fh_pers}->close
      or die "Can't close temp file: $!"  if $self->{fh_pers};
    my($errn) = $self->{tempdir_pers} eq '' ? ENOENT
                  : (stat($self->{tempdir_pers}) ? 0 : 0+$!);
    if (defined $self->{tempdir_pers} && $errn != ENOENT) {
      # this will not be included in the TIMING report,
      # but it only occurs infrequently and doesn't take that long
      if ($self->preserve_evidence && !$self->{tempdir_empty}) {
        do_log(-1,"SMTP shutdown: tempdir is to be PRESERVED: ".
                  $self->{tempdir_pers});
      } else {
        do_log(2, sprintf("SMTP shutdown: %s is being removed: %s%s",
                  $self->{tempdir_empty} ? 'empty tempdir' : 'tempdir',
                  $self->{tempdir_pers},
                  $self->preserve_evidence ? ', nothing to preserve' : ''));
        rmdir_recursively($self->{tempdir_pers});
      }
    }
    if (! $self->{session_closed_normally}) {
      $self->smtp_resp(1,"421 4.3.2 Service shutting down, closing channel");
    }
  };
  if ($@ ne '')
    { my($eval_stat) = $@; eval { do_log(1,"SMTP shutdown: $eval_stat") } }
}

sub prepare_tempdir($) {
  my($self) = @_;
  if (! defined $self->{tempdir_pers} ) {
    # invent a name for a temporary directory for this child, and create it
    my($now_iso8601) = iso8601_timestamp(time,1);  # or: iso8601_utc_timestamp
    $self->{tempdir_pers} = sprintf("%s/amavis-%s-%05d",
                                    $TEMPBASE, $now_iso8601, $$);
  }
  my($dname) = $self->{tempdir_pers};
  my(@stat_list) = lstat($dname); my($errn) = @stat_list ? 0 : 0+$!;
  if (!$errn && ! -d _) {  # exists, but is not a directory !?
    die "prepare_tempdir: $dname is not a directory!!!";
  } elsif (!$errn) {
    my($dev,$ino) = @stat_list;
    if ($dev != $self->{tempdir_dev} || $ino != $self->{tempdir_ino}) {
      do_log(-1,"prepare_tempdir: $dname is no longer the same directory!!!");
      ($self->{tempdir_dev},$self->{tempdir_ino}) = @stat_list;
    }
  } elsif ($errn == ENOENT) {
    do_log(4,"prepare_tempdir: creating directory $dname");
    mkdir($dname,0750) or die "Can't create directory $dname: $!";
    ($self->{tempdir_dev},$self->{tempdir_ino}) = lstat($dname);
    $self->{tempdir_empty} = 1;
    section_time('mkdir tempdir');
  }
  # prepare temporary file for writing (and reading later)
  my($fname) = $dname . '/email.txt';
  @stat_list = lstat($fname); $errn = @stat_list ? 0 : 0+$!;
  if (!$errn && ! -f _) {  # exists, but is not a regular file !?
    die "prepare_tempdir: $fname is not a regular file!!!";
  } elsif ($self->{fh_pers} && !$errn && -f _) {
    my($dev,$ino) = @stat_list;
    if ($dev != $self->{file_dev} || $ino != $self->{file_ino}) {
      do_log(-1,"prepare_tempdir: $fname is no longer the same file!!!");
      ($self->{file_dev}, $self->{file_ino}) = @stat_list;
    }
    $self->{fh_pers}->seek(0,0) or die "Can't rewind mail file: $!";
    $self->{fh_pers}->truncate(0) or die "Can't truncate mail file: $!";
  } else {
    do_log(4,"prepare_tempdir: creating file $fname");
    $self->{fh_pers} = IO::File->new($fname,'+>',0640)
      or die "Can't create file $fname: $!";
    ($self->{file_dev}, $self->{file_ino}) = lstat($fname);
    section_time('create email.txt');
  }
}

sub authenticate($$$) {
  my($state,$auth_mech,$auth_resp) = @_;
  my($result,$newchallenge);
  if ($auth_mech eq 'ANONYMOUS') {   # rfc2245
    $result = [$auth_resp,undef];
  } elsif ($auth_mech eq 'PLAIN') {  # rfc2595, "user\0authname\0pass"
    if (!defined($auth_resp)) { $newchallenge = '' }
    else { $result = [ (split(/\000/,$auth_resp,-1))[0,2] ] }
  } elsif ($auth_mech eq 'LOGIN' && !defined $state) {
    $newchallenge = 'Username:'; $state = [];
  } elsif ($auth_mech eq 'LOGIN' && @$state==0) {
    push(@$state, $auth_resp); $newchallenge = 'Password:';
  } elsif ($auth_mech eq 'LOGIN' && @$state==1) {
    push(@$state, $auth_resp); $result = $state;
  } # CRAM-MD5:rfc2195,  DIGEST-MD5:rfc2831
    ($state,$result,$newchallenge);
}

# Accept a SMTP or LMTP connect (which can do any number of SMTP transactions)
# and call content checking for each message received
#
sub process_smtp_request($$$$) {
  my($self, $sock, $lmtp, $conn, $check_mail) = @_;
  # $sock:       connected socket from Net::Server
  # $lmtp:       use LMTP protocol instead of (E)SMTP
  # $conn:       information about client connection
  # $check_mail: subroutine ref to be called with file handle

  my($msginfo,$authenticated,$auth_user,$auth_pass);
  $self->{sock} = $sock;
  $self->{pipelining} = 0;    # may we buffer responses?
  $self->{smtp_outbuf} = [];  # SMTP responses buffer for PIPELINING

  my($myheloname);
# $myheloname = $myhostname;
# $myheloname = 'localhost';
# $myheloname = '[127.0.0.1]';
  $myheloname = '[' . $conn->socket_ip . ']';

  new_am_id(undef, $Amavis::child_invocation_count, undef);
  my($initial_am_id) = 1; my($sender,@recips); my($got_rcpt);
  my($max_recip_size_limit);  # maximum of per-recipient message size limits
  my($terminating,$aborting,$eof,$voluntary_exit); my($seq) = 0;
  my(%xforward_args); my(%baseline_policy_bank); my($policy_changed);
  %baseline_policy_bank = %current_policy_bank; $policy_changed = 0;
  $conn->smtp_proto($self->{proto} = $lmtp ? 'LMTP' : 'SMTP');

  # system-wide message size limit, if any
  my($message_size_limit) = c('smtpd_message_size_limit');
  if ($message_size_limit && $message_size_limit < 65536)
    { $message_size_limit = 65536 }   # rfc2821 requires at least 64k
  my($smtpd_greeting_banner_tmp) = c('smtpd_greeting_banner');
  $smtpd_greeting_banner_tmp =~
    s{ \$ (?: \{ ([^\}]*) \} | ([a-zA-Z0-9_-]+) ) }
     { { 'helo-name'    => $myheloname,
         'version'      => $myversion,
         'version-id'   => $myversion_id,
         'version-date' => $myversion_date,
         'product'      => $myproduct_name,
         'protocol'     => $lmtp?'LMTP':'ESMTP' }->{lc($1.$2)}
     }egx;
  $self->smtp_resp(1, "220 $smtpd_greeting_banner_tmp");

  $0 = sprintf("amavisd (ch%d-idle)", $Amavis::child_invocation_count);
  Amavis::Timing::go_idle(4);
  undef $!;
  while(<$sock>) {
    $0 = sprintf("amavisd (ch%d-%s)",
                 $Amavis::child_invocation_count, am_id());
    Amavis::Timing::go_busy(5);
    prolong_timer('reading SMTP command');
    { # a block is used as a 'switch' statement - 'last' will exit from it
      my($cmd) = $_;
      do_log(4, $self->{proto} . "< $cmd");
      !/^ \s* ([A-Za-z]+) (?: \s+ (.*?) )? \s* \015\012 \z/xs && do {
        $self->smtp_resp(1,"500 5.5.2 Error: bad syntax", 1, $cmd); last;
      };
      $_ = uc($1); my($args) = $2;
      /^RSET|DATA|QUIT\z/ && $args ne '' && do {
        $self->smtp_resp(1,"501 5.5.4 Error: $_ does not accept arguments",
                         1,$cmd);
        last;
      };
      /^RSET\z/ && do { $sender = undef; @recips = (); $got_rcpt = 0;
                        $max_recip_size_limit = undef; $msginfo = undef;
                        if ($policy_changed) {
                          %current_policy_bank = %baseline_policy_bank;
                          $policy_changed = 0;
                        }
                        $self->smtp_resp(0,"250 2.0.0 Ok $_"); last };
      /^NOOP\z/ && do { $self->smtp_resp(1,"250 2.0.0 Ok $_"); last };
      /^QUIT\z/ && do {
        my($smtpd_quit_banner_tmp) = c('smtpd_quit_banner');
        $smtpd_quit_banner_tmp =~
          s{ \$ (?: \{ ([^\}]*) \} | ([a-zA-Z0-9_-]+) ) }
           { { 'helo-name'    => $myheloname,
               'version'      => $myversion,
               'version-id'   => $myversion_id,
               'version-date' => $myversion_date,
               'product'      => $myproduct_name,
               'protocol'     => $lmtp?'LMTP':'ESMTP' }->{lc($1.$2)}
           }egx;
        $self->smtp_resp(1,"221 2.0.0 $smtpd_quit_banner_tmp");
        $terminating=1; last;
      };
###   !$lmtp && /^HELO\z/ && do {  # strict
      /^HELO\z/ && do {
        $sender = undef; @recips = (); $got_rcpt = 0;     # implies RSET
        $max_recip_size_limit = undef; $msginfo = undef;  # forget previous
        if ($policy_changed)
          { %current_policy_bank = %baseline_policy_bank; $policy_changed = 0 }
        $self->{pipelining} = 0; $self->smtp_resp(0,"250 $myheloname");
        $lmtp = 0; $conn->smtp_proto($self->{proto} = 'SMTP');
        $conn->smtp_helo($args); section_time('SMTP HELO'); last;
      };
###   (!$lmtp && /^EHLO\z/ || $lmtp && /^LHLO\z/) && do {  # strict
      (/^EHLO\z/ || /^LHLO\z/) && do {
        $sender = undef; @recips = (); $got_rcpt = 0;     # implies RSET
        $max_recip_size_limit = undef; $msginfo = undef;  # forget previous
        if ($policy_changed)
          { %current_policy_bank = %baseline_policy_bank; $policy_changed = 0 }
        $lmtp = /^LHLO\z/ ? 1 : 0;
        $conn->smtp_proto($self->{proto} = $lmtp ? 'LMTP' : 'ESMTP');
        $self->{pipelining} = 1;
        $self->smtp_resp(0,"250 $myheloname\n" . join("\n",
          'PIPELINING',
          !defined($message_size_limit) ? 'SIZE'
            : sprintf('SIZE %d',$message_size_limit),
          '8BITMIME',
          'ENHANCEDSTATUSCODES',
          !@{ca('auth_mech_avail')} ? ()
                                   : join(' ','AUTH',@{ca('auth_mech_avail')}),
          'XFORWARD NAME ADDR PROTO HELO' ));
        $conn->smtp_helo($args); section_time("SMTP $_");
        last;
      };
      /^XFORWARD\z/ && do {  # Postfix extension
        if (defined($sender)) {
          $self->smtp_resp(0,"503 5.5.1 Error: XFORWARD not allowed within transaction", 1, $cmd);
          last;
        }
        my($bad);
        for (split(' ',$args)) {
          if (!/^( [A-Za-z0-9] [A-Za-z0-9-]* ) = ( [\041-\176]{0,255} )\z/xs) {
            $self->smtp_resp(0,"501 5.5.4 Syntax error in XFORWARD parameters",
                             1, $cmd);
            $bad = 1; last;
          } else {
            my($name,$val) = (uc($1), $2);
            if ($name =~ /^(?:NAME|ADDR|PROTO|HELO)\z/) {
              $val = undef  if uc($val) eq '[UNAVAILABLE]';
              $xforward_args{$name} = $val;
            } else {
              $self->smtp_resp(0,"501 5.5.4 XFORWARD command parameter error: $name=$val",1,$cmd);
              $bad = 1; last;
            }
          }
        }
        $self->smtp_resp(1,"250 2.5.0 Ok")  if !$bad;
        last;
      };
      /^HELP\z/ && do {
        $self->smtp_resp(1,"214 2.0.0 See amavisd-new home page at:\n".
                           "http://www.ijs.si/software/amavisd/");
        last;
      };
      /^AUTH\z/ && @{ca('auth_mech_avail')} && do {  # rfc2554
        if ($args !~ /^([^ ]+)(?: ([^ ]*))?\z/is) {
          $self->smtp_resp(0,"501 5.5.2 Syntax: AUTH mech [initresp]",1,$cmd);
          last;
        }
        my($auth_mech,$auth_resp) = (uc($1), $2);
        if ($authenticated) {
          $self->smtp_resp(0,"503 5.5.1 Error: session already authenticated", 1, $cmd);
        } elsif (defined($sender)) {
          $self->smtp_resp(0,"503 5.5.1 Error: AUTH not allowed within transaction", 1, $cmd);
        } elsif (!grep {uc($_) eq $auth_mech} @{ca('auth_mech_avail')}) {
          $self->smtp_resp(0,"504 5.7.6 Error: requested authentication mechanism not supported", 1, $cmd);
        } else {
          my($state,$result,$challenge);
          if   ($auth_resp eq '=') { $auth_resp = '' }  # zero length
          elsif ($auth_resp eq '') { $auth_resp = undef }
          for (;;) {
            if ($auth_resp !~ m{^[A-Za-z0-9+/=]*\z}) {
              $self->smtp_resp(0,"501 5.5.4 Authentication failed: malformed authentication response", 1, $cmd);
              last;
            } else {
              $auth_resp = decode_base64($auth_resp)  if $auth_resp ne '';
              ($state,$result,$challenge) =
                authenticate($state, $auth_mech, $auth_resp);
              if (ref($result) eq 'ARRAY') {
                $self->smtp_resp(0,"235 2.7.1 Authentication successful");
                $authenticated = 1; ($auth_user,$auth_pass) = @$result;
                do_log(2,"AUTH $auth_mech, user=$auth_user");
              # do_log(2,"AUTH $auth_mech, user=$auth_user, pass=$auth_resp");
                last;
              } elsif (defined $result && !$result) {
                $self->smtp_resp(0,"535 5.7.1 Authentication failed", 1, $cmd);
                last;
              }
            }
            # server challenge or ready prompt
            $self->smtp_resp(1,"334 ".encode_base64($challenge,''));
            $auth_resp = <$sock>;
            do_log(5, $self->{proto} . "< $auth_resp");
            $auth_resp =~ s/\015?\012\z//;
            if ($auth_resp eq '*') {
              $self->smtp_resp(0,"501 5.7.1 Authentication aborted");
              last;
            }
          }
        }
        last;
      };
      /^VRFY\z/ && do {
        $self->smtp_resp(1,"502 5.5.1 Command $_ not implemented", 1, $cmd);
      # if ($args eq '') {
      #   $self->smtp_resp(1,"501 5.5.2 Syntax: VRFY address", 1, $cmd);
      # } else {
      #   $self->smtp_resp(1,"252 2.0.0 Cannot VRFY user, but will accept ".
      #                      "message and attempt delivery", 0, $cmd);
      # }
        last;
      };
      /^MAIL\z/ && do {  # begin new transaction
        if (defined($sender)) {
          $self->smtp_resp(0,"503 5.5.1 Error: nested MAIL command", 1, $cmd);
          last;
        }
        if (!$authenticated &&
            c('auth_required_inp') && @{ca('auth_mech_avail')} ) {
          $self->smtp_resp(0,"530 5.7.1 Authentication required", 1, $cmd);
          last;
        }
        # begin SMTP transaction
        my($now) = time;
        prolong_timer('MAIL FROM received - timer reset', $child_timeout);
        if (!$seq) { # the first connect
          section_time('SMTP pre-MAIL');
        } else {     # establish new time reference for each transaction
          Amavis::Timing::init(); snmp_counters_init();
        }
        $seq++;
        new_am_id(undef,$Amavis::child_invocation_count,$seq)
          if !$initial_am_id;
        $initial_am_id = 0; $self->prepare_tempdir;
        my($cl_ip) = $xforward_args{'ADDR'};
        if ($cl_ip ne '' && defined $policy_bank{'MYNETS'}
            && lookup_ip_acl($cl_ip,@{ca('mynetworks_maps')}) ) {
          Amavis::load_policy_bank('MYNETS'); $policy_changed = 1;
        }
        $msginfo = Amavis::In::Message->new;
        $msginfo->rx_time($now);
        $msginfo->delivery_method(c('forward_method'));
        my($submitter);
        if ($authenticated) {
          $msginfo->auth_user($auth_user); $msginfo->auth_pass($auth_pass);
          $conn->smtp_proto($self->{proto}.'A')  # rfc3848
            if $self->{proto} =~ /^(LMTP|ESMTP)\z/i;
        } elsif (c('auth_reauthenticate_forwarded') &&
                 c('amavis_auth_user') ne '') {
          $msginfo->auth_user(c('amavis_auth_user'));
          $msginfo->auth_pass(c('amavis_auth_pass'));
          $submitter = qquote_rfc2821_local(c('mailfrom_notify_recip'));
        }
        $msginfo->client_addr($xforward_args{'ADDR'});
        $msginfo->client_name($xforward_args{'NAME'});
        $msginfo->client_proto($xforward_args{'PROTO'});
        $msginfo->client_helo($xforward_args{'HELO'});
        %xforward_args = ();  # reset values for the next transation
        # permit some sloppy syntax without angle brackets
        if ($args !~ /^FROM: \s*
                      ( < (?: " (?: \\. | [^\\"] )* " | [^"@] )*
                          (?: @ (?: \[ (?: \\. | [^\]\\] )* \] |
                                    [^\[\]\\>] )* )?
                        > |
                        [^<\s] (?: " (?: \\. | [^\\"] )* " | [^"\s] )*
                      ) (?: \s+ ([\040-\176]+) )? \z/isx ) {
            $self->smtp_resp(0,"501 5.5.2 Syntax: MAIL FROM: <address>",1,$cmd);
            last;
        }
        my($bad);  my($addr,$opt) = ($1,$2);
        for (split(' ',$opt)) {
          if (!/^ ( [A-Za-z0-9] [A-Za-z0-9-]*  ) =
                  ( [\041-\074\076-\176]+ ) \z/xs) { # printable, not '=' or SP
            $self->smtp_resp(0,"501 5.5.4 Syntax error in MAIL FROM parameters",
                             1,$cmd);
            $bad = 1; last;
          } else {
            my($name,$val) = (uc($1),$2);
            if ($name eq 'SIZE' && $val=~/^\d{1,20}\z/) {  # rfc1870
              $msginfo->msg_size($val+0);
              if ($message_size_limit && $val > $message_size_limit) {
                my($msg) = "552 5.3.4 Declared message size ($val B) exceeds ".
                   "fixed maximium message size of $message_size_limit B";
                do_log(0, $self->{proto}." REJECT 'MAIL FROM': $msg");
                $self->smtp_resp(0,$msg, 0,$cmd);
                $bad = 1; last;
              }
            } elsif ($name eq 'BODY' && $val=~/^7BIT|8BITMIME\z/i){
              $msginfo->body_type(uc($val));
            } elsif ($name eq 'AUTH' && @{ca('auth_mech_avail')} &&
                     !defined($submitter) ) {  # rfc2554
              $submitter = $val;  # encoded as xtext: rfc3461
              $submitter =~ s/\+([0-9a-fA-F]{2})/pack("C",hex($1))/eg;
              do_log(5, "MAIL command, $authenticated, submitter: $submitter");
            } else {
              my($msg);
              if ($name eq 'AUTH' && !@{ca('auth_mech_avail')}) {
                $msg = "503 5.7.4 Error: authentication disabled";
              } else {
                $msg = "504 5.5.4 MAIL command parameter error: $name=$val";
              }
              $self->smtp_resp(0,$msg,1,$cmd);
              $bad = 1; last;
            }
          }
        }
        if (!$bad) {
          $addr = ($addr =~ /^<(.*)>\z/s) ? $1 : $addr;
          $self->smtp_resp(0,"250 2.1.0 Sender $addr OK");
          $sender = unquote_rfc2821_local($addr);
          debug_oneshot(lookup(0,$sender,@{ca('debug_sender_maps')}) ? 1 : 0,
                        $self->{proto} . "< $cmd");
        # $submitter = "<$addr>" if !defined($submitter);  # rfc2554: MAY
          $submitter = '<>'      if !defined($msginfo->auth_user);
          $msginfo->auth_submitter($submitter);
        };
        last;
      };
      /^RCPT\z/ && do {
        if (!defined($sender)) {
          $self->smtp_resp(0,"503 5.5.1 Need MAIL command before RCPT",1,$cmd);
          @recips = (); $got_rcpt = 0;
          last;
        }
        $got_rcpt++;
        # permit some sloppy syntax without angle brackets
        if ($args !~ /^TO: \s*
                      ( < (?: " (?: \\. | [^\\"] )* " | [^"@] )*
                          (?: @ (?: \[ (?: \\. | [^\]\\] )* \] |
                                    [^\[\]\\>] )* )?
                        > |
                        [^<\s] (?: " (?: \\. | [^\\"] )* " | [^"\s] )*
                      ) (?: \s+ ([\040-\176]+) )? \z/isx ) {
          $self->smtp_resp(0,"501 5.5.2 Syntax: RCPT TO: <address>",1,$cmd);
          last;
        }
        if ($2 ne '') {
          $self->smtp_resp(0,"504 5.5.4 RCPT command parameter not implemented: $2",
                           1, $cmd);
        ### $self->smtp_resp(0,"555 5.5.4 RCPT command parameter unrecognized: $2", 1, $cmd);
        } elsif ($got_rcpt > $smtpd_recipient_limit) {
          $self->smtp_resp(0,"452 4.5.3 Too many recipients");
        } else {
          my($addr,$opt) = ($1, $2);
          $addr = ($addr =~ /^<(.*)>\z/s) ? $1 : $addr;
          my($addr_unq) = unquote_rfc2821_local($addr);
          my($recip_size_limit); my($mslm) = ca('message_size_limit_maps');
          $recip_size_limit = lookup(0,$addr_unq, @$mslm)  if @$mslm;
          if ($recip_size_limit && $recip_size_limit < 65536)
            { $recip_size_limit = 65536 }  # rfc2821 requires at least 64k
          if ($recip_size_limit > $max_recip_size_limit)
            { $max_recip_size_limit = $recip_size_limit }
          my($mail_size) = $msginfo->msg_size;
          if (defined $mail_size && $recip_size_limit && $mail_size > $recip_size_limit) {
            my($msg) = "552 5.3.4 Declared message size ($mail_size B) ".
                "exceeds fixed maximium message size of $recip_size_limit B, ".
                "recipient $addr";
            do_log(0, $self->{proto}." REJECT 'RCPT TO': $msg");
            $self->smtp_resp(0,$msg, 0,$cmd);
          } else {
            push(@recips,$addr_unq);
            $self->smtp_resp(0,"250 2.1.5 Recipient $addr OK");
          }
        };
        last;
      };
      /^DATA\z/ && !@recips && do {
        if (!defined($sender)) {
          $self->smtp_resp(1,"503 5.5.1 Need MAIL command before DATA",1,$cmd);
        } elsif (!$got_rcpt) {
          $self->smtp_resp(1,"503 5.5.1 Need RCPT command before DATA",1,$cmd);
        } elsif ($lmtp) {  # rfc2033 requires 503 code!
          $self->smtp_resp(1,"503 5.1.1 Error (DATA): no valid recipients",0,$cmd);
        } else {
          $self->smtp_resp(1,"554 5.1.1 Error (DATA): no valid recipients",0,$cmd);
        }
        last;
      };
      /^DATA\z/ && do {
        # set timer to the initial value, MTA timer starts here
        prolong_timer('DATA received - timer reset', $child_timeout);
        if ($message_size_limit) {  # enforce system-wide size limit
          if (!$max_recip_size_limit ||
              $max_recip_size_limit > $message_size_limit) {
            $max_recip_size_limit = $message_size_limit;
          }
        }
        my($within_data_transfer,$complete);
        my($size) = 0; my($over_size) = 0;
        eval {
          $msginfo->sender($sender); $msginfo->recips(\@recips);
          ll(1) && do_log(1, sprintf("%s:%s:%s %s: <%s> -> %s Received: %s",
                            $conn->smtp_proto,
                            $conn->socket_ip eq $inet_socket_bind ? ''
                              : '['.$conn->socket_ip.']',
                            $conn->socket_port, $self->{tempdir_pers},
                            $sender, join(',', qquote_rfc2821_local(@recips)),
                            join(' ', ($msginfo->msg_size  eq '' ? ()
                                        : 'SIZE='.$msginfo->msg_size),
                                      ($msginfo->body_type eq '' ? ()
                                        : 'BODY='.$msginfo->body_type),
                                      received_line($conn,$msginfo,am_id(),0) )
                            ) );
          $self->smtp_resp(1,"354 End data with <CR><LF>.<CR><LF>");
          $within_data_transfer = 1;
          section_time('SMTP pre-DATA-flush')  if $self->{pipelining};
          $self->{tempdir_empty} = 0;
          do { local($/) = "\015\012";      # set input line terminator to CRLF
            while(<$sock>) {                # use native I/O for speed
            # do_log(5, $self->{proto} . "< $_");
              if (/^\./) {
                if ($_ eq ".\015\012")
                  { $complete = 1; $within_data_transfer = 0; last }
                s/^\.(.+\015\012)\z/$1/s;   # dot de-stuffing, rfc2821
              }
              $size += length($_);  # message size is defined in rfc1870
              if (!$over_size) {
                chomp;  # remove \015\012 (the $/), faster than s///
                print {$self->{fh_pers}} $_,$eol
                  or die "Can't write to mail file: $!";
                if ($max_recip_size_limit && $size > $max_recip_size_limit) {
                  do_log(1,"Message size exceeded $max_recip_size_limit B, ".
                           "skiping further input");
                  print {$self->{fh_pers}} $eol,"***TRUNCATED***",$eol
                    or die "Can't write to mail file: $!";
                  $over_size = 1;
                }
              }
            }
            $eof = 1  if !$complete;
          }; # restores line terminator
          # normal data termination, or eof on socket, or fatal error
          do_log(4, $self->{proto} . "< .\015\012")  if $complete;
          $self->{fh_pers}->flush or die "Can't flush mail file: $!";
          # On some systems you have to do a seek whenever you
          # switch between reading and writing. Amongst other things,
          # this may have the effect of calling stdio's clearerr(3).
          $self->{fh_pers}->seek(0,1) or die "Can't seek on file: $!";
          section_time('SMTP DATA');
        };
        if ($@ ne '' || !$complete || $over_size) {  # err or connection broken
          chomp($@);
          # on error, either send: '421 Shutting down',
          # or: '451 Aborted, error in processing' and NOT shut down!
          if ($over_size && $@ eq '' && !$within_data_transfer) {
            my($msg) = "552 5.3.4 Message size ($size B) exceeds ".
                     "fixed maximium message size of $max_recip_size_limit B";
            do_log(0, $self->{proto}." REJECT: $msg");
            $self->smtp_resp(0,$msg, 0,$cmd);
          } elsif (!$within_data_transfer) {
            my($msg) = "Error in processing: " .
                       !$complete && $@ eq '' ? 'incomplete' : $@;
            do_log(-2, $self->{proto}." TROUBLE: 451 4.5.0 $msg");
            $self->smtp_resp(1, "451 4.5.0 $msg");
        ### $aborting = $msg;
          } else {
            $aborting = "client broke the connection ".
                        "during data transfer"  if $eof;
            $aborting .= ', '  if $aborting ne '' && $@ ne '';
            $aborting .= $@;
            $aborting = '???'  if $aborting eq '';
            do_log($@ ne '' ? -1 : 3,
                   $self->{proto}." TROUBLE, ABORTING: $aborting");
          }
        } else {  # all OK
          #
          # Is it acceptable to do all this processing here,
          # before returning response???  According to rfc1047
          # it is not a good idea! But at the moment we do not have
          # much choice, amavis has no queueing mechanism and can not
          # accept responsibility for delivery.
          #
          # check contents before responding
          # check_mail() expects open file on $self->{fh_pers},
          # need not be rewound
          $msginfo->mail_tempdir($self->{tempdir_pers});
          $msginfo->mail_text_fn($self->{tempdir_pers} . '/email.txt');
          $msginfo->mail_text($self->{fh_pers});
          my($declared_size) = $msginfo->msg_size;
          if (!defined($declared_size)) {
            $msginfo->msg_size($size);
          } elsif ($size != $declared_size) {
            do_log(3,"Actual message size $size B, declared $declared_size B");
            $msginfo->msg_size($size);
          }
          my($smtp_resp, $exit_code, $preserve_evidence) =
            &$check_mail($conn,$msginfo, $lmtp,$self->{tempdir_pers});
          if ($preserve_evidence) { $self->preserve_evidence(1) }
          if ($smtp_resp !~ /^4/ &&
              grep { !$_->recip_done } @{$msginfo->per_recip_data}) {
            die "TROUBLE: (MISCONFIG) not all recipients done, " .
                "forward_method is: " . $msginfo->delivery_method;
          }
          if (!$lmtp) {
            do_log(4, "sending SMTP response: \"$smtp_resp\"");
            $self->smtp_resp(0, $smtp_resp);
          } else {
            my($bounced) = $msginfo->dsn_sent;
            for my $r (@{$msginfo->per_recip_data}) {
              my($resp) = $r->recip_smtp_response;
              if ($bounced && $smtp_resp=~/^2/ && $resp!~/^2/) {
                # as the message was already bounced by us,
                # MTA must not bounce it again; failure status
                # needs to be converted into success!
                $resp = sprintf("250 2.5.0 Ok, DSN %s (%s)",
                                $bounced==1 ? 'sent' : 'muted', $resp);
              }
              do_log(4, sprintf("sending LMTP response for <%s>: \"%s\"",
                                $r->recip_addr, $resp));
              $self->smtp_resp(0, $resp);
            }
          }
        };
        alarm(0); do_log(5,"timer stopped after DATA end");
        if ($self->preserve_evidence && !$self->{tempdir_empty}) {
          # keep evidence in case of trouble
          do_log(-1,"PRESERVING EVIDENCE in ".$self->{tempdir_pers});
          $self->{fh_pers}->close or die "Can't close mail file: $!";
          $self->{fh_pers} = undef; $self->{tempdir_pers} = undef;
          $self->{tempdir_empty} = 1;
        }
        # cleanup, but leave directory (and file handle if possible) for reuse
        if ($self->{fh_pers} && !$can_truncate) {
          # truncate is not standard across all Unix variants,
          # it is not Posix, but is XPG4-UNIX.
          # So if we can't truncate a file and leave it open,
          # we have to create it anew later, at some cost.
          #
          $self->{fh_pers}->close or die "Can't close mail file: $!";
          $self->{fh_pers} = undef;
          unlink($self->{tempdir_pers}.'/email.txt')
            or die "Can't delete file ".$self->{tempdir_pers}."/email.txt: $!";
          section_time('delete email.txt');
        }
        if (defined $self->{tempdir_pers}) {  # prepare for the next one
          strip_tempdir($self->{tempdir_pers}); $self->{tempdir_empty} = 1;
        }
        $sender = undef; @recips = (); $got_rcpt = 0;     # implicit RSET
        $max_recip_size_limit = undef; $msginfo = undef;  # forget previous
        if ($policy_changed)
          { %current_policy_bank = %baseline_policy_bank; $policy_changed = 0 }
        $self->preserve_evidence(0);  # reset
        # report elapsed times by section for each transaction
        # (the time for the QUIT remains unaccounted for)
        do_log(2, Amavis::Timing::report());
        Amavis::Timing::init(); snmp_counters_init();
        last;
      };  # DATA
      # catchall (EXPN, TURN, unknown):
      $self->smtp_resp(1,"502 5.5.1 Error: command ($_) not implemented",1,$cmd);
    # $self->smtp_resp(1,"500 5.5.2 Error: command ($_) not recognized", 1,$cmd);
    };  # end of 'switch' block
    if ($terminating || defined $aborting) {   # exit SMTP-session loop
      $voluntary_exit = 1; last;
    }
    # rfc2920 requires a flush whenever the local TCP input buffer is
    # emptied. Since we can't check it (unless we use sysread & select),
    # we should do a flush here to be in compliance. We could only break
    # the requirement if we _knew_ we talk with a local MTA client which
    # uses client-side pipelining.
    $self->smtp_resp_flush;
    $0 = sprintf("amavisd (ch%d-%s-idle)",
                 $Amavis::child_invocation_count, am_id());
    Amavis::Timing::go_idle(6);
    undef $!;
  } # end of while
  my($errn,$errs);
  if (!$voluntary_exit) {
    $eof = 1;
    if (!defined($_)) { $errn = 0+$!; $errs = "$!" }
  }
  $0 = sprintf("amavisd (ch%d)", $Amavis::child_invocation_count);
  Amavis::Timing::go_busy(7);
  # come here when: QUIT is received, eof or err on socket, or we need to abort
  $self->smtp_resp_flush; # just in case, the session might have been disconnected
  my($msg) =
    defined $aborting && !$eof ? "ABORTING the session: $aborting" :
    defined $aborting ? $aborting :
    !$terminating ? "client broke the connection without a QUIT ($errs)" : '';
  do_log($aborting?-1:2, $self->{proto}.': NOTICE: '.$msg)  if $msg ne '';
  if (defined $aborting && !$eof)
    { $self->smtp_resp(1,"421 4.3.2 Service shutting down, ".$aborting) }
  $self->{session_closed_normally} = 1;
  # closes connection after child_finish_hook
}

# sends a SMTP response consisting of 3-digit code and an optional message;
# slow down evil clients by delaying response on permanent errors
sub smtp_resp($$$;$$) {
  my($self, $flush,$resp, $penalize,$line) = @_;
  if ($penalize) {
    do_log(-1, $self->{proto} . ": $resp; PENALIZE: $line");
    sleep 5;
    section_time('SMTP penalty wait');
  }
  $resp = sanitize_str($resp,1);
  local($1,$2,$3,$4);
  if ($resp !~ /^ ([1-5]\d\d) (\ |-|\z)
                ([245] \. \d{1,3} \. \d{1,3} (?: \ |\z) )?
                (.*) \z/xs)
    { die "Internal error(2): bad SMTP response code: '$resp'" }
  my($resp_code,$continuation,$enhanced,$tail) = ($1,$2,$3, $4);
  my($lead_len) = length($resp_code) + 1 + length($enhanced);
  while (length($tail) > 512-2-$lead_len || $tail =~ /\n/) {
    # rfc2821: The maximum total length of a reply line including the
    # reply code and the <CRLF> is 512 characters.  More information
    # may be conveyed through multiple-line replies.
    my($head) = substr($tail,0,512-2-$lead_len);
    if ($head =~ /^([^\n]*\n)/) { $head = $1 }
    $tail = substr($tail,length($head)); chomp($head);
    push(@{$self->{smtp_outbuf}}, $resp_code.'-'.$enhanced.$head);
  }
  push(@{$self->{smtp_outbuf}},$resp_code.$continuation.$enhanced.$tail);
  $self->smtp_resp_flush   if $flush || !$self->{pipelining} ||
                              @{$self->{smtp_outbuf}} > 200;
}

sub smtp_resp_flush($) {
  my($self) = shift;
  if (@{$self->{smtp_outbuf}}) {
    for my $resp (@{$self->{smtp_outbuf}}) {
      do_log(4, $self->{proto} . "> $resp");
    };
    my($stat) =
      $self->{sock}->print(map { $_."\015\012" } @{$self->{smtp_outbuf}} );
    @{$self->{smtp_outbuf}} = ();  # prevent printing again even if error
    $stat or die "Error writing a SMTP response to the socket: $!";
  }
}

1;

__DATA__
#
package Amavis::AV;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
  @EXPORT_OK = qw(&sophos_savi_init);
}

use POSIX qw(WIFEXITED WIFSIGNALED WIFSTOPPED
             WEXITSTATUS WTERMSIG WSTOPSIG);
use Errno qw(EPIPE ENOTCONN ENOENT);
use Socket;
use IO::Socket;
use IO::Socket::UNIX;

use subs @EXPORT_OK;
use vars @EXPORT;

BEGIN {
  import Amavis::Conf qw(:platform :confvars c cr ca);
  import Amavis::Util qw(ll untaint min max do_log am_id
                         exit_status_str run_command);
  import Amavis::Timing qw(section_time);
}

use vars qw(%st_socket_created %st_sock); # keep persistent state (per-socket)

# subroutine available for calling from @av_scanners list entries;
# it has the same args and returns as run_av() below
sub ask_daemon { ask_av(\&ask_daemon_internal, @_) }

sub clamav_module_init($) {
  my($av_name) = @_;
  # each child should reinitialize clamav module to reload databases.
  my($clamav_version) = Mail::ClamAV->VERSION;
  my($dbdir) = Mail::ClamAV::retdbdir();
  my($clamav_obj) = Mail::ClamAV->new($dbdir);
  ref $clamav_obj
    or die "$av_name: Can't load db from $dbdir: $Mail::ClamAV::Error";
  $clamav_obj->buildtrie;
  $clamav_obj->maxreclevel($MAXLEVELS)  if $MAXLEVELS;
  $clamav_obj->maxfiles($MAXFILES);
  $clamav_obj->maxfilesize($MAX_EXPANSION_QUOTA || 30*1024*1024);
  if ($clamav_version >= 0.12) {
    $clamav_obj->maxratio($MAX_EXPANSION_FACTOR);
#   $clamav_obj->archivememlim(0);  # limit memory usage for bzip2 (0/1)
  }
  do_log(2,"$av_name init");
  section_time('clamav_module_init');
  ($clamav_obj,$clamav_version);
}

# to be called from sub ask_clamav
use vars qw($clamav_obj $clamav_version);
sub clamav_module_internal($@) {
  my($query, $bare_fnames,$names_to_parts,$tempdir, $av_name) = @_;
  if (!defined $clamav_obj) {
    ($clamav_obj,$clamav_version) = clamav_module_init($av_name);  # first time
  } elsif ($clamav_obj->statchkdir) {            # db reload needed?
    do_log(2, "$av_name: reloading virus database");
    ($clamav_obj,$clamav_version) = clamav_module_init($av_name);
  }
  my($fname) = "$tempdir/parts/$query";   # file to be checked
  my($part) = $names_to_parts->{$query};  # get corresponding parts object
  my($options) = 0;  # bitfield of options to Mail::ClamAV::scan
  my($opt_archive,$opt_mail);
  if ($clamav_version < 0.12) {
    $opt_archive = &Mail::ClamAV::CL_ARCHIVE;
    $opt_mail    = &Mail::ClamAV::CL_MAIL;
  } else {         # >= 0.12, reflects renamed flags in libclamav 0.80
    $opt_archive = &Mail::ClamAV::CL_SCAN_ARCHIVE;
    $opt_mail    = &Mail::ClamAV::CL_SCAN_MAIL;
  }
  $options |= &Mail::ClamAV::CL_SCAN_STDOPT  if $clamav_version >= 0.13;
  $options |= $opt_archive;  # turn on ARCHIVE
  $options &= ~$opt_mail;    # turn off MAIL
  if (ref($part) && (lc($part->type_short) eq 'mail' ||
                     lc($part->type_declared) eq 'message/rfc822')) {
    do_log(2, "$av_name: $query - enabling option CL_MAIL");
    $options |= $opt_mail;   # turn on MAIL
  }
  my($ret) = $clamav_obj->scan(untaint($fname), $options);
  my($output,$status);
  if    ($ret->virus) { $status = 1; $output = "INFECTED: $ret" }
  elsif ($ret->clean) { $status = 0; $output = "CLEAN" }
  else { $status = 2; $output = $ret->error.", errno=".$ret->errno }
  ($status,$output);  # return synthesised status and a result string
}

# subroutine available for calling from @av_scanners list entries;
# it has the same args and returns as run_av() below
sub ask_clamav { ask_av(\&clamav_module_internal, @_) }


use vars qw($savi_obj);
sub sophos_savi_init {
  my($av_name, $command) = @_;
  my(@savi_bool_options) = qw(
    FullSweep DynamicDecompression FullMacroSweep OLE2Handling
    IgnoreTemplateBit VBA3Handling VBA5Handling OF95DecryptHandling
    HelpHandling DecompressVBA5 Emulation PEHandling ExcelFormulaHandling
    PowerPointMacroHandling PowerPointEmbeddedHandling ProjectHandling
    ZipDecompression ArjDecompression RarDecompression UueDecompression
    GZipDecompression TarDecompression CmzDecompression HqxDecompression
    MbinDecompression !LoopBackEnabled
    Lha SfxArchives MSCabinet TnefAttachmentHandling MSCompress
    !DeleteAllMacros Vbe !ExecFileDisinfection VisioFileHandling
    ActiveMimeHandling !DelVBA5Project
    ScrapObjectHandling SrpStreamHandling Office2001Handling
    Upx PalmPilotHandling HqxDecompression
    Pdf Rtf Html Elf WordB OutlookExpress
  );
  # starting with SAVI V3: Mac and SafeMacDfHandling options were removed;
  # new option GrpArchiveUnpack makes individual settings unnecessary;
  # option 'Mime' may cause a CPU loop when checking broken mail with some
  # versions of Sophos library (even with more recent ones!)
  my($savi_obj) = SAVI->new;
  ref $savi_obj or die "$av_name: Can't create SAVI object, err=$savi_obj";
  my($version) = $savi_obj->version;
  ref $version or die "$av_name: Can't get SAVI version, err=$version";
  do_log(2,sprintf("$av_name init: Version %s (engine %d.%d) recognizing %d viruses\n",
         $version->string, $version->major, $version->minor, $version->count));
# for ($version->ide_list)
#   { do_log(2, sprintf("$av_name: IDE %s released %s", $_->name, $_->date)) }
  my($error) = $savi_obj->set('MaxRecursionDepth', $MAXLEVELS, 1);
  !defined $error or die "$av_name: error setting MaxRecursionDepth: err=$error";
  $error     = $savi_obj->set('NamespaceSupport', 3);  # new with Sophos 3.67
  !defined $error
    or do_log(-1,"$av_name: error setting NamespaceSupport: err=$error");
  for (@savi_bool_options) {
    my($value) = /^!/ ? 0 : 1;  s/^!+//;
    $error = $savi_obj->set($_, $value);
    !defined $error or die "$av_name: Error setting $_: err=$error";
  }
  section_time('sophos_savi_init');
  $savi_obj;
}

# to be called from sub sophos_savi
sub sophos_savi_internal {
  my($query,
     $bare_fnames,$names_to_parts,$tempdir, $av_name,$command,$args) = @_;
# if (defined $args) { $savi_obj = $args }
# else {
    $savi_obj = sophos_savi_init($av_name,$command)  if !defined $savi_obj;
# }
  my($fname) = "$tempdir/parts/$query";   # file to be checked
  my($part) = $names_to_parts->{$query};  # get corresponding parts object
  my($mime_option_value) = 0;
  if (ref($part) && (lc($part->type_short) eq 'mail' ||
                     lc($part->type_declared) eq 'message/rfc822')) {
    do_log(2, "$av_name: $query - enabling option MIME");
    $mime_option_value = 1;
  }
  my($error) = $savi_obj->set('MIME', $mime_option_value);
  !defined $error or die sprintf("%s: Error %s option MIME: err=%s",
                $av_name, $mime_option_value ? 'setting' : 'clearing', $error);
  my($output,$status); my($result) = $savi_obj->scan($fname);
  if (!ref($result)) {  # error
    my($msg) = "$av_name: error scanning file $fname, " .
               $savi_obj->error_string($result) . " ($result) $!";
    if (! grep {$result == $_} (514,527,530,538,549) ) {
      $status = 2; $output = "ERROR: $msg\n";
    } else { # don't panic on non-fatal (encrypted, corrupted, partial)
      $status = 0; $output = "CLEAN: $msg\n";
    }
    do_log(-1,$output);
  } elsif ($result->infected) {
    $status = 1; $output = "INFECTED $query\n";
    for my $virus_name ($result->viruses) { $output .= "$virus_name FOUND\n" }
  } else {
    $status = 0; $output = "CLEAN $query\n";
  }
  ($status,$output);  # return synthesised status and a result string
}

# subroutine available for calling from @av_scanners list entries;
# it has the same args and returns as run_av() below
sub ask_sophos_savi {
  my($bare_fnames,$names_to_parts,$tempdir, $av_name,$command,$args,
     $sts_clean,$sts_infected,$how_to_get_names) = @_;
  if (@_ < 3+6) {  # supply default arguments for backwards compatibility
    $args = ["*"]; $sts_clean = [0]; $sts_infected = [1];
    $how_to_get_names = qr/^(.*) FOUND$/;
  }
  ask_av(\&sophos_savi_internal,
         $bare_fnames,$names_to_parts,$tempdir, $av_name,$command,$args,
         $sts_clean, $sts_infected, $how_to_get_names);
}


# same args and returns as run_av() below,
# but prepended by a $query, which is the string to be sent to the daemon.
# Handles both UNIX and INET domain sockets.
# More than one socket may be specified for redundancy, they will be tried
# one after the other until one succeeds.
#
sub ask_daemon_internal {
  my($query,  # expanded query template, often a command and a file or dir name
     $bare_fnames,$names_to_parts,$tempdir, $av_name,$command,$args,
     $sts_clean,$sts_infected,$how_to_get_names,  # regexps
  ) = @_;
  my($query_template_orig,$sockets) = @$args;
  my($output); my($socketname,$is_inet);
  if (!ref($sockets)) { $sockets = [ $sockets ] }
  my($max_retries) = 2 * @$sockets;  my($retries) = 0;
  $SIG{PIPE} = 'IGNORE';  # 'send' to broken pipe would throw a signal
  for (;;) {  # gracefully handle cases when av child times out or restarts
    @$sockets >= 1 or die "no sockets specified!?";  # sanity
    $socketname = $sockets->[0];  # try the first one in the current list
    $is_inet = $socketname =~ m{^/} ? 0 : 1; # simpleminded: unix vs. inet sock
    eval {
      if (!$st_socket_created{$socketname}) {
        ll(3) && do_log(3, "$av_name: Connecting to socket " .
                  join(' ',$daemon_chroot_dir,$socketname).
                  (!$retries ? '' : ", retry #$retries") );
        if ($is_inet) {   # inet socket
          $st_sock{$socketname} = IO::Socket::INET->new($socketname)
            or die "Can't connect to INET socket $socketname: $!\n";
          $st_socket_created{$socketname} = 1;
        } else {          # unix socket
          $st_sock{$socketname} = IO::Socket::UNIX->new(Type => SOCK_STREAM)
            or die "Can't create UNIX socket: $!\n";
          $st_socket_created{$socketname} = 1;
          $st_sock{$socketname}->connect( pack_sockaddr_un($socketname) )
            or die "Can't connect to UNIX socket $socketname: $!\n";
        }
      }
      ll(3) && do_log(3,sprintf("$av_name: Sending %s to %s socket %s",
                                $query, $is_inet?"INET":"UNIX", $socketname));
      # UGLY: bypass send method in IO::Socket to be able to retrieve
      # status/errno directly from 'send', not from 'getpeername':
      defined send($st_sock{$socketname}, $query, 0)
        or die "Can't send to socket $socketname: $!\n";
      if ($av_name =~ /^(Sophie|Trophie)/i) {
        # Sophie and Trophie can accept multiple requests per session
        # and return a single line response each time
        defined $st_sock{$socketname}->recv($output, 1024)
          or die "Can't receive from socket $socketname: $!\n";
      } else {
        $output = join('', $st_sock{$socketname}->getlines);
        $st_sock{$socketname}->close
          or die "Can't close socket $socketname: $!\n";
        $st_sock{$socketname}=undef; $st_socket_created{$socketname}=0;
      }
      $! = undef;
      $output ne '' or die "Empty result from $socketname\n";
    };
    last  if $@ eq '';
    # error handling (most interesting error codes are EPIPE and ENOTCONN)
    chomp($@); my($err) = "$!"; my($errn) = 0+$!;
    ++$retries <= $max_retries
      or die "Too many retries to talk to $socketname ($@)";
    # is ECONNREFUSED for INET sockets common enough too?
    if ($retries <= 1 && $errn == EPIPE) {  # common, don't cause concern
      do_log(2,"$av_name broken pipe (don't worry), retrying ($retries)");
    } else {
      do_log( ($retries>1?-1:1), "$av_name: $@, retrying ($retries)");
      if ($retries % @$sockets == 0) {  # every time the list is exhausted
        my($dly) = min(20, 1 + 5 * ($retries/@$sockets - 1));
        do_log(3,"$av_name: sleeping for $dly s");
        sleep($dly);   # slow down a possible runaway
      }
    }
    if ($st_socket_created{$socketname}) {
      # prepare for a retry, ignore 'close' status
      $st_sock{$socketname}->close;
      $st_sock{$socketname} = undef; $st_socket_created{$socketname} = 0;
    }
    # leave good socket as the first entry in the list
    # so that it will be tried first when needed again
    push(@$sockets, shift @$sockets)  if @$sockets>1; # circular shift left
  }
  (0,$output);  # return synthesised status and result string
}

# ask_av is a common subroutine available to be used by ask_daemon, ask_clamav,
# ask_sophos_savi and similar front-end routines used in @av_scanners entries.
# It traverses supplied files or directory ($bare_fnames) and calls a supplied
# subroutine for each file to be scanned, summarizing the final av scan result.
# It has the same args and returns as run_av() below, prepended by a checking
# subroutine argument.
sub ask_av {
  my($code) = shift; # strip away the first argument, a subroutine ref
  my($bare_fnames,$names_to_parts,$tempdir, $av_name,$command,$args,
     $sts_clean,$sts_infected,$how_to_get_names) = @_;
  my($query_template) = ref $args eq 'ARRAY' ? $args->[0] : $args;
  do_log(5, "ask_av ($av_name): query template1: $query_template");
  my($checking_each_file) = $query_template =~ /\*/;
  my($scan_status,@virusname); my($output) = '';
  for my $f ($checking_each_file ? @$bare_fnames : ("$tempdir/parts")) {
    my($query) = $query_template;
    if (!$checking_each_file) {  # scanner can be given a directory name
      $query =~ s[{}][$tempdir/parts]g;  # replace {} with directory name
      do_log(3,"Using ($av_name) on dir: $query");
    } else {                     # must check each file individually
      # replace {}/* with directory name and file, and * with current file name
      $query =~ s[ ({}/)? \* ][ $1 eq '' ? $f : "$tempdir/parts/$f" ]gesx;
      do_log(3,"Using ($av_name) on file: $query");
    }
    my($t_status,$t_output) = &$code($query, @_);
    do_log(4,"ask_av ($av_name) result: $t_output");
    if (ref($sts_infected) eq 'ARRAY'
                  ? (grep {$_==$t_status} @$sts_infected)
                  : $t_output =~ /$sts_infected/m) {  # is infected
      # test for infected first, in case both expressions match
      $scan_status = 1;  # 'true' indicates virus found, no errors
      my(@t_virusnames) = ref($how_to_get_names) eq 'CODE'
                            ? &$how_to_get_names($t_output)
                            : $t_output =~ /$how_to_get_names/gm;
      @t_virusnames = map { defined $_ ? $_ : () } @t_virusnames;
      push(@virusname, @t_virusnames);
      $output .= $t_output . $eol;
      do_log(2,"ask_av ($av_name): $f INFECTED: ".join(", ",@t_virusnames));
    } elsif (ref($sts_clean) eq 'ARRAY'
                  ? (grep {$_==$t_status} @$sts_clean)
                  : $t_output =~ /$sts_clean/m) {  # is clean
      $scan_status = 0  if !$scan_status;   # no viruses, no errors
      do_log(3,"ask_av ($av_name): $f CLEAN");
    } else {
      do_log(-2,"ask_av ($av_name) FAILED - unexpected result: $t_output");
      last;  # error, bail out
    }
  }
  if (!@$bare_fnames) { $scan_status = 0 }  # no errors, no viruses
  do_log(3,"$av_name result: clean") if defined($scan_status) && !$scan_status;
  ($scan_status,$output,\@virusname);
}

# Call a virus scanner and parse its output.
# Returns a triplet (or die in case of failure).
# The first element of the triplet is interpreted as follows:
# - true if virus found,
# - 0 if no viruses found,
# - undef if it did not complete its job;
# the second element is a string, the text as provided by the virus scanner;
# the third element is ref to a list of virus names found (if any).
#   (it is guaranteed the list will be nonempty if virus was found)
#
sub run_av {
  # first three args are prepended, not part of n-tuple
  my($bare_fnames,  # a ref to a list of filenames to scan (basenames)
     $names_to_parts, # ref to a hash that maps base file names to parts object
     $tempdir,      # temporary directory
     $av_name, $command, $args,
     $sts_clean,    # a ref to a list of status values, or a regexp
     $sts_infected, # a ref to a list of status values, or a regexp
     $how_to_get_names, # ref to sub, or a regexp to get list of virus names
     $pre_code, $post_code,  # routines to be invoked before and after av
  ) = @_;
  my($scan_status,$virusnames,$error_str); my($output) = '';
  &$pre_code(@_)  if defined $pre_code;
  if (ref($command) eq 'CODE') {
    do_log(3,"Using $av_name: (built-in interface)");
    ($scan_status,$output,$virusnames) = &$command(@_);
  } else {
    my(@args) = split(' ',$args);
    if (grep { m{^({}/)?\*\z} } @args) {    #  {}/* or *, list each file
      # replace asterisks with bare file names (basenames) if alone or in {}/*
      local($1);
      @args = map { !m{^({}/)?\*\z} ? $_
                                  : map {$1.untaint($_)} @$bare_fnames } @args;
    }
    for (@args) { s[{}][$tempdir/parts]g }  # replace {} with directory name
    # NOTE: RAV does not like '</dev/null' in its command!
    ll(3) && do_log(3, "Using ($av_name): " . join(' ',$command,@args));
    my($proc_fh,$pid) = run_command(undef, "&1", $command, @args);
    while( defined($_ = $proc_fh->getline) ) { $output .= $_ }
    my($err); $proc_fh->close or $err=$!; my($child_stat) = $?;
    $error_str = exit_status_str($child_stat,$err);
    my($retval) = WEXITSTATUS($child_stat);
    local($1); chomp($output); my($output_trimmed) = $output;
    $output_trimmed =~ s/\r\n/\n/gs;
    $output_trimmed =~ s/([ \t\n\r])[ \t\n\r]{4,}/$1.../gs;
    $output_trimmed = "..." . substr($output_trimmed,-800)
      if length($output_trimmed) > 800;
    do_log(3, "run_av: $command $error_str, $output_trimmed");
    if (!WIFEXITED($child_stat)) {
    } elsif (ref($sts_infected) eq 'ARRAY'
                  ? (grep {$_==$retval} @$sts_infected)
                  : $output =~ /$sts_infected/m) {  # is infected
      # test for infected first, in case both expressions match
      $virusnames = [];  # get a list of virus names by parsing output
      @$virusnames = ref($how_to_get_names) eq 'CODE'
                          ? &$how_to_get_names($output)
                          : $output =~ /$how_to_get_names/gm;
      @$virusnames = map { defined $_ ? $_ : () } @$virusnames;
      $scan_status = 1;  # 'true' indicates virus found
      do_log(2,"run_av ($av_name): INFECTED: ".join(", ",@$virusnames));
    } elsif (ref($sts_clean) eq 'ARRAY' ? (grep {$_==$retval} @$sts_clean)
                                        : $output =~ /$sts_clean/m) { #is clean
      $scan_status = 0;  # 'false' (but defined) indicates no viruses
      do_log(5,"run_av ($av_name): clean");
    } else {
      $error_str = "unexpected $error_str, output=\"$output_trimmed\"";
    }
    $output = $output_trimmed  if length($output) > 900;
  }
  &$post_code(@_)  if defined $post_code;
  $virusnames = []        if !defined $virusnames;
  @$virusnames = (undef)  if $scan_status && !@$virusnames;  # nonnil
  if (!defined($scan_status) && defined($error_str)) {
    die "$command $error_str";      # die is more informative than return value
  }
  ($scan_status, $output, $virusnames);
}

sub virus_scan($$$) {
  my($tempdir,$firsttime,$parts_root) = @_;
  my($scan_status,$output,@virusname,@detecting_scanners);
  my($anyone_done); my($anyone_tried);
  my($bare_fnames_ref,$names_to_parts);
  my(@errors); my($j); my($tier) = 'primary';
  for my $av (@{ca('av_scanners')}, "\000", @{ca('av_scanners_backup')}) {
    next  if !defined $av;
    if ($av eq "\000") {  # 'magic' separator between lists
      last  if $anyone_done;
      do_log(-2,"WARN: all $tier virus scanners failed, considering backups");
      $tier = 'secondary';  next;
    }
    next  if !ref $av || !defined $av->[1];
    if (!defined $bare_fnames_ref) {  # first time: collect file names to scan
      ($bare_fnames_ref,$names_to_parts) =
        files_to_scan("$tempdir/parts",$parts_root);
      do_log(2, "Not calling virus scanners, ".
                "no files to scan in $tempdir/parts")  if !@$bare_fnames_ref;
    }
    $anyone_tried++; my($this_status,$this_output,$this_vn);
    if (!@$bare_fnames_ref) {  # no files to scan?
      ($this_status,$this_output,$this_vn) = (0, '', []);  # declare clean
    } else {  # call virus scanner
      eval {
        ($this_status,$this_output,$this_vn) =
          run_av($bare_fnames_ref,$names_to_parts,$tempdir, @$av);
      };
      if ($@ ne '') {
        my($err) = $@; chomp($err);
        $err = "$av->[0] av-scanner FAILED: $err";
        do_log(-2,$err); push(@errors,$err);
        $this_status = undef;
      };
    }
    $anyone_done++  if defined $this_status;
    $j++; section_time("AV-scan-$j");
    if ($this_status) {  # virus detected by this scanner
      push(@detecting_scanners, $av->[0]);
      if (!@virusname) { # store results of the first scanner detecting
        @virusname = @$this_vn;
        $scan_status = $this_status; $output = $this_output;
      }
      last  if c('first_infected_stops_scan');  # stop now if we found a virus?
    } elsif (!defined($scan_status)) {  # tentatively keep regardless of status
      $scan_status = $this_status; $output = $this_output;
    }
  }
  if (@virusname && @detecting_scanners) {
    my(@ds) = @detecting_scanners;  for (@ds) { s/,/;/ }  # facilitates parsing
    ll(2) && do_log(2, sprintf("virus_scan: (%s), detected by %d scanners: %s",
                      join(', ',@virusname), scalar(@ds), join(', ',@ds)));
  }
  $output =~ s{\Q$tempdir\E/parts/?}{}gs  if defined $output;  # hide path info
  if (!$anyone_tried) { die "NO VIRUS SCANNERS AVAILABLE\n" }
  elsif (!$anyone_done)
    { die ("ALL VIRUS SCANNERS FAILED: ".join("; ",@errors)."\n") }
  ($scan_status, $output, \@virusname, \@detecting_scanners);  # return a quad
}

# return a ref to a list of files to be scanned in a given directory
sub files_to_scan($$) {
  my($dir,$parts_root) = @_;
  local(*DIR); my($f); my($bare_fnames_ref) = [];
  opendir(DIR, $dir) or die "Can't open directory $dir: $!";
  # traverse parts directory and check for actual files
  while (defined($f = readdir(DIR))) {
    my($fname) = "$dir/$f";
    my($errn) = lstat($fname) ? 0 : 0+$!;
    next  if $errn == ENOENT;
    if ($errn) { die "files_to_scan: file $fname inaccessible: $!" }
    if (!-r _) { die "files_to_scan: file $fname not readable" }
    next  if ($f eq '.' || $f eq '..') && -d _;  # this or the parent directory
    if (!-f _) {    # not a regular file
      my($what) = -l _ ? 'symlink' : -d _ ? 'directory' : 'non-regular file';
      do_log(-1, "WARN: files_to_scan: removing unexpected $what $fname");
      unlink(untaint($fname)) or die "Can't delete $what $fname: $!";
    } elsif (-z _) {
      # empty file
    } else {
      if ($f !~ /^[A-Za-z0-9_.-]+\z/s)
        {do_log(-1,"WARN: files_to_scan: unexpected/suspicious file name: $f")}
      push(@$bare_fnames_ref, $f);
    }
  }
  closedir(DIR) or die "Can't close directory $dir: $!";

  my($names_to_parts) = {};  # a hash that maps base file name
                             # to Amavis::Unpackers::Part object
  # traverse decomposed parts tree breadth-first, match it to actual files
  my($part);
  for (my(@unvisited)=($parts_root);
       @unvisited and $part=shift(@unvisited);
       push(@unvisited,@{$part->children}))
  { next  if $part eq $parts_root;
    my($fname) = $part->base_name;
    if (grep {$_ eq $fname} @$bare_fnames_ref) {
      $names_to_parts->{$fname} = $part;
    } elsif ($part->exists) {
      my($type_short) = $part->type_short;
      ll(4) && do_log(4,sprintf(
                         "files_to_scan: info: part %s (%s) no longer present",
         $fname, (!ref $type_short ? $type_short : join(', ',@$type_short)) ));
    }
  }
  for my $fname (@$bare_fnames_ref) {
    if (!exists $names_to_parts->{$fname}) {
      do_log(-1,"files_to_scan: $fname has no corresponding parts object");
    }
  }
  ($bare_fnames_ref, $names_to_parts);
}

1;

__DATA__
#
package Amavis::SpamControl;
use strict;
use re 'taint';

BEGIN {
  use Exporter ();
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  $VERSION = '2.033';
  @ISA = qw(Exporter);
}
use FileHandle;
use Mail::SpamAssassin;

BEGIN {
  import Amavis::Conf qw(:platform :sa $daemon_user c cr ca);
  import Amavis::Util qw(ll do_log retcode exit_status_str run_command
                         prolong_timer);
  import Amavis::rfc2821_2822_Tools;
  import Amavis::Timing qw(section_time);
  import Amavis::Lookup qw(lookup);
}

use subs @EXPORT_OK;

use vars qw($spamassassin_obj);

# called at startup, before the main fork
sub init() {
  do_log(1, "SpamControl: initializing Mail::SpamAssassin");
  my($saved_umask) = umask;
  $spamassassin_obj = Mail::SpamAssassin->new({
    debug => $sa_debug,
    save_pattern_hits => $sa_debug,
    dont_copy_prefs   => 1,
    local_tests_only  => $sa_local_tests_only,
    home_dir_for_helpers => $helpers_home,
    stop_at_threshold => 0,
#   DEF_RULES_DIR     => '/usr/local/share/spamassassin',
#   LOCAL_RULES_DIR   => '/etc/mail/spamassassin',
#see man Mail::SpamAssassin for other options
  });
# $Mail::SpamAssassin::DEBUG->{rbl}=-3;
# $Mail::SpamAssassin::DEBUG->{dcc}=-3;
# $Mail::SpamAssassin::DEBUG->{pyzor}=-3;
# $Mail::SpamAssassin::DEBUG->{bayes}=-3;
# $Mail::SpamAssassin::DEBUG->{rulesrun}=4+64;
  if ($sa_auto_whitelist && Mail::SpamAssassin::Version() < 3) {
    do_log(1, "SpamControl: turning on SA auto-whitelisting (AWL)");
    # create a factory for the persistent address list
    my($addrlstfactory) = Mail::SpamAssassin::DBBasedAddrList->new;
    $spamassassin_obj->set_persistent_address_list_factory($addrlstfactory);
  }
  $spamassassin_obj->compile_now;     # ensure all modules etc. are preloaded
  alarm(0);              # seems like SA forgets to clear alarm in some cases
  umask($saved_umask);   # restore our umask, SA clobbered it
  do_log(1, "SpamControl: done");
}

# check envelope sender if white or blacklisted by each recipient;
# Saves the result in recip_blacklisted_sender and recip_whitelisted_sender
# properties of each recipient object.
#
sub white_black_list($$$$$) {
  my($conn,$msginfo,$sql_wblist,$user_id_sql,$ldap_policy) = @_;
  my($any_w)=0; my($any_b)=0; my($all)=1; my($wr,$br);
  my($sender) = $msginfo->sender;
  do_log(4,"wbl: checking sender <$sender>");
  for my $r (@{$msginfo->per_recip_data}) {
    next  if $r->recip_done;  # already dealt with
    my($found,$wb,$boost); my($recip) = $r->recip_addr;
    my($user_id_ref,$mk_ref) = !defined $sql_wblist ? ([],[])
                                 : lookup(1,$recip,$user_id_sql);
    do_log(5,"wbl: (SQL) recip <$recip>, ".scalar(@$user_id_ref)." matches")
      if defined $sql_wblist && ll(5);
    for my $ind (0..$#{$user_id_ref}) {  # for ALL SQL sets matching the recip
      my($user_id) = $user_id_ref->[$ind];  my($mkey);
      ($wb,$mkey) = lookup(0,$sender,
                Amavis::Lookup::SQLfield->new($sql_wblist,'wb','S',$user_id) );
      do_log(4,"wbl: (SQL) recip <$recip>, rid=$user_id, got: \"$wb\"");
      if (!defined($wb)) {  # NULL field or no match: remains undefined
      } elsif ($wb =~ /^ *([+-]?\d+(?:\.\d*)?) *\z/) {  # numeric
        my($val) = 0+$1;    # penalty points to be added to the score
        $boost += $val;
        ll(2) && do_log(2,sprintf(
                  "wbl: (SQL) soft-%slisted (%s) sender <%s> => <%s> (rid=%s)",
                  ($val<0?'white':'black'), $val, $sender, $recip, $user_id));
        $wb = undef;  # not hard- white or blacklisting
      } elsif ($wb =~ /^[ \000]*\z/) {        # neutral, stops the search
        $found++; $wb = 0;
        do_log(5,"wbl: (SQL) recip <$recip> is neutral to sender <$sender>");
      } elsif ($wb =~ /^([BbNnFf])[ ]*\z/) {  # blacklisted (B, N, F)
        $found++; $wb = -1; $any_b++; $br = $recip;
        $r->recip_blacklisted_sender(1);
        do_log(5,"wbl: (SQL) recip <$recip> blacklisted sender <$sender>");
      } else {                         # whitelisted (W, Y, T) or anything else
        if ($wb =~ /^([WwYyTt])[ ]*\z/) {
          do_log(5, "wbl: (SQL) recip <$recip> whitelisted sender <$sender>");
        } else {
          do_log(-1,"wbl: (SQL) recip <$recip> whitelisted sender <$sender>, ".
                    "unexpected wb field value: \"$wb\"");
        }
        $found++; $wb = +1; $any_w++; $wr = $recip;
        $r->recip_whitelisted_sender(1);
      }
      last  if $found;
    }
    if (!$found && defined($ldap_policy)) {
      my($wblist);
      my($keys_ref,$rhs_ref) = make_query_keys($sender,0,0);
      my(@keys) = @$keys_ref;
      do_log(5,sprintf("wbl: (LDAP) query keys: %s",
                       join(', ',map{"\"$_\""}@keys)));
      $wblist = lookup(0,$recip,Amavis::Lookup::LDAPattr->new($ldap_policy,'amavisBlacklistSender','L-'));
      for my $key (@keys) {
        if (grep {/^\Q$key\E\z/i} @$wblist) {
          $found++; $wb = -1; $br = $recip; $any_b++;
          $r->recip_blacklisted_sender(1);
          do_log(5,"wbl: (LDAP) recip <$recip> blacklisted sender <$sender>");
        }
      }
      $wblist = lookup(0,$recip,Amavis::Lookup::LDAPattr->new($ldap_policy,'amavisWhitelistSender','L-'));
      for my $key (@keys) {
        if (grep {/^\Q$key\E\z/i} @$wblist) {
          $found++; $wb = +1; $wr = $recip; $any_w++;
          $r->recip_whitelisted_sender(1);
          do_log(5,"wbl: (LDAP) recip <$recip> whitelisted sender <$sender>");
        }
      }
    }
    if (!$found) {  # fall back to static lookups if no match
      # sender can be both white- and blacklisted at the same time
      my($val); my($r_ref,$mk_ref,@t);

      # NOTE on the specifics of $per_recip_blacklist_sender_lookup_tables :
      # the $r_ref below is supposed to be a ref to a single lookup table
      # for compatibility with pre-2.0 versions of amavisd-new;
      # Note that this is different from @score_sender_maps, which is
      # supposed to contain a ref to a _list_ of lookup tables as a result
      # of the first-level lookup (on the recipient address as a key).
      #
      ($r_ref,$mk_ref) = lookup(0,$recip,
                         Amavis::Lookup::Label->new("blacklist_recip<$recip>"),
                         cr('per_recip_blacklist_sender_lookup_tables'));
      @t = ( (defined $r_ref ? $r_ref : ()), @{ca('blacklist_sender_maps')} );
      $val = lookup(0,$sender,
                    Amavis::Lookup::Label->new("blacklist_sender<$sender>"),
                    @t)  if @t;
      if ($val) {
        $found++; $wb = -1; $br = $recip; $any_b++;
        $r->recip_blacklisted_sender(1);
        do_log(5,"wbl: recip <$recip> blacklisted sender <$sender>");
      }
      # similar for whitelists:
      ($r_ref,$mk_ref) = lookup(0,$recip,
                         Amavis::Lookup::Label->new("whitelist_recip<$recip>"),
                         cr('per_recip_whitelist_sender_lookup_tables'));
      @t = ( (defined $r_ref ? $r_ref : ()), @{ca('whitelist_sender_maps')} );
      $val = lookup(0,$sender,
                    Amavis::Lookup::Label->new("whitelist_sender<$sender>"),
                    @t)  if @t;
      if ($val) {
        $found++; $wb = +1; $wr = $recip; $any_w++;
        $r->recip_whitelisted_sender(1);
        do_log(5,"wbl: recip <$recip> whitelisted sender <$sender>");
      }
    }
    if (!defined($boost)) {        # static lookups if no match
      # note the first argument of lookup() is true, requesting ALL matches
      my($r_ref,$mk_ref) = lookup(1,$recip,
                             Amavis::Lookup::Label->new("score_recip<$re