BSD 4_4_Lite1 release

[unix-history] / usr / src / usr.sbin / sendmail / src / recipient.c
diff --git a/usr/src/usr.sbin/sendmail/src/recipient.c b/usr/src/usr.sbin/sendmail/src/recipient.c

index fa7d1d9..c6c15c4 100644 (file)
--- a/usr/src/usr.sbin/sendmail/src/recipient.c
+++ b/usr/src/usr.sbin/sendmail/src/recipient.c
@@ -1,20 +1,43 @@
  /*
   * Copyright (c) 1983 Eric P. Allman
  /*
   * Copyright (c) 1983 Eric P. Allman
- * Copyright (c) 1988 Regents of the University of California.
- * All rights reserved.
+ * Copyright (c) 1988, 1993
+ *     The Regents of the University of California.  All rights reserved.
   *
   *
- * %sccs.include.redist.c%
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *     This product includes software developed by the University of
+ *     California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
   */
  
  #ifndef lint
   */
  
  #ifndef lint
-static char sccsid[] = "@(#)recipient.c        5.31 (Berkeley) %G%";
+static char sccsid[] = "@(#)recipient.c        8.44 (Berkeley) 2/28/94";
  #endif /* not lint */
  
  #endif /* not lint */
  
-# include <sys/types.h>
-# include <sys/stat.h>
-# include <sys/file.h>
-# include <pwd.h>
  # include "sendmail.h"
  # include "sendmail.h"
+# include <pwd.h>
  
  /*
  **  SENDTOLIST -- Designate a send list.
  
  /*
  **  SENDTOLIST -- Designate a send list.
@@ -22,12 +45,6 @@ static char sccsid[] = "@(#)recipient.c      5.31 (Berkeley) %G%";
  **     The parameter is a comma-separated list of people to send to.
  **     This routine arranges to send to all of them.
  **
  **     The parameter is a comma-separated list of people to send to.
  **     This routine arranges to send to all of them.
  **
-**     The `ctladdr' is the address that expanded to be this one,
-**     e.g., in an alias expansion.  This is used for a number of
-**     purposed, most notably inheritance of uid/gid for protection
-**     purposes.  It is also used to detect self-reference in group
-**     expansions and the like.
-**
  **     Parameters:
  **             list -- the send list.
  **             ctladdr -- the address template for the person to
  **     Parameters:
  **             list -- the send list.
  **             ctladdr -- the address template for the person to
@@ -36,10 +53,10 @@ static char sccsid[] = "@(#)recipient.c     5.31 (Berkeley) %G%";
  **                     expansion.
  **             sendq -- a pointer to the head of a queue to put
  **                     these people into.
  **                     expansion.
  **             sendq -- a pointer to the head of a queue to put
  **                     these people into.
-**             qflags -- special flags to set in the q_flags field.
+**             e -- the envelope in which to add these recipients.
  **
  **     Returns:
  **
  **     Returns:
-**             pointer to chain of addresses.
+**             The number of addresses actually on the list.
  **
  **     Side Effects:
  **             none.
  **
  **     Side Effects:
  **             none.
@@ -47,20 +64,24 @@ static char sccsid[] = "@(#)recipient.c     5.31 (Berkeley) %G%";
  
  # define MAXRCRSN      10
  
  
  # define MAXRCRSN      10
  
-ADDRESS *
-sendto(list, copyf, ctladdr, qflags)
+sendtolist(list, ctladdr, sendq, e)
         char *list;
         ADDRESS *ctladdr;
         ADDRESS **sendq;
         char *list;
         ADDRESS *ctladdr;
         ADDRESS **sendq;
-       u_short qflags;
+       register ENVELOPE *e;
  {
         register char *p;
         register ADDRESS *al;   /* list of addresses to send to */
         bool firstone;          /* set on first address sent */
  {
         register char *p;
         register ADDRESS *al;   /* list of addresses to send to */
         bool firstone;          /* set on first address sent */
-       bool selfref;           /* set if this list includes ctladdr */
         char delimiter;         /* the address delimiter */
         char delimiter;         /* the address delimiter */
-       ADDRESS *sibl;          /* sibling pointer in tree */
-       ADDRESS *prev;          /* previous sibling */
+       int naddrs;
+       char *oldto = e->e_to;
+
+       if (list == NULL)
+       {
+               syserr("sendtolist: null list");
+               return 0;
+       }
  
         if (tTd(25, 1))
         {
  
         if (tTd(25, 1))
         {
@@ -70,119 +91,59 @@ sendto(list, copyf, ctladdr, qflags)
  
         /* heuristic to determine old versus new style addresses */
         if (ctladdr == NULL &&
  
         /* heuristic to determine old versus new style addresses */
         if (ctladdr == NULL &&
-           (index(list, ',') != NULL || index(list, ';') != NULL ||
-            index(list, '<') != NULL || index(list, '(') != NULL))
-               CurEnv->e_flags &= ~EF_OLDSTYLE;
+           (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
+            strchr(list, '<') != NULL || strchr(list, '(') != NULL))
+               e->e_flags &= ~EF_OLDSTYLE;
         delimiter = ' ';
         delimiter = ' ';
-       if (!bitset(EF_OLDSTYLE, CurEnv->e_flags) || ctladdr != NULL)
+       if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
                 delimiter = ',';
  
         firstone = TRUE;
                 delimiter = ',';
  
         firstone = TRUE;
-       selfref = FALSE;
         al = NULL;
         al = NULL;
+       naddrs = 0;
  
         for (p = list; *p != '\0'; )
         {
  
         for (p = list; *p != '\0'; )
         {
+               auto char *delimptr;
                 register ADDRESS *a;
                 register ADDRESS *a;
-               extern char *DelimChar;         /* defined in prescan */
  
                 /* parse the address */
  
                 /* parse the address */
-               while (isspace(*p) || *p == ',')
+               while ((isascii(*p) && isspace(*p)) || *p == ',')
                         p++;
                         p++;
-               a = parseaddr(p, (ADDRESS *) NULL, 1, delimiter);
-               p = DelimChar;
+               a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e);
+               p = delimptr;
                 if (a == NULL)
                         continue;
                 a->q_next = al;
                 a->q_alias = ctladdr;
                 if (a == NULL)
                         continue;
                 a->q_next = al;
                 a->q_alias = ctladdr;
-               if (ctladdr != NULL)
-                       a->q_flags |= ctladdr->q_flags & ~QPRIMARY;
-               a->q_flags |= qflags;
  
                 /* see if this should be marked as a primary address */
                 if (ctladdr == NULL ||
                     (firstone && *p == '\0' && bitset(QPRIMARY, ctladdr->q_flags)))
                         a->q_flags |= QPRIMARY;
  
  
                 /* see if this should be marked as a primary address */
                 if (ctladdr == NULL ||
                     (firstone && *p == '\0' && bitset(QPRIMARY, ctladdr->q_flags)))
                         a->q_flags |= QPRIMARY;
  
-               /* put on send queue or suppress self-reference */
                 if (ctladdr != NULL && sameaddr(ctladdr, a))
                 if (ctladdr != NULL && sameaddr(ctladdr, a))
-                       selfref = TRUE;
-               else
-                       al = a;
+                       ctladdr->q_flags |= QSELFREF;
+               al = a;
                 firstone = FALSE;
         }
  
                 firstone = FALSE;
         }
  
-       /* if this alias doesn't include itself, delete ctladdr */
-       if (!selfref && ctladdr != NULL)
-               ctladdr->q_flags |= QDONTSEND;
-
         /* arrange to send to everyone on the local send list */
         /* arrange to send to everyone on the local send list */
-       prev = sibl = NULL;
-       if (ctladdr != NULL)
-               prev = ctladdr->q_child;
         while (al != NULL)
         {
                 register ADDRESS *a = al;
         while (al != NULL)
         {
                 register ADDRESS *a = al;
-               extern ADDRESS *recipient();
-               extern ADDRESS *recipient();
  
                 al = a->q_next;
  
                 al = a->q_next;
-               sibl = recipient(a);
-               if (sibl != NULL)
-               {
-                       extern ADDRESS *addrref();
+               a = recipient(a, sendq, e);
  
  
-                       /* inherit full name */
-                       if (sibl->q_fullname == NULL && ctladdr != NULL)
-                               sibl->q_fullname = ctladdr->q_fullname;
-
-                       /* link tree together (but only if the node is new) */
-                       if (sibl == a)
-                       {
-                               sibl->q_sibling = prev;
-                               prev = sibl;
-                       }
-               }
+               /* arrange to inherit full name */
+               if (a->q_fullname == NULL && ctladdr != NULL)
+                       a->q_fullname = ctladdr->q_fullname;
+               naddrs++;
         }
  
         }
  
-       CurEnv->e_to = NULL;
-       if (ctladdr != NULL)
-               ctladdr->q_child = prev;
-       return (prev);
-}
-\f/*
-**  ADDRREF -- return pointer to address that references another address.
-**
-**     Parameters:
-**             a -- address to check.
-**             r -- reference to find.
-**
-**     Returns:
-**             address of node in tree rooted at 'a' that references
-**                     'r'.
-**             NULL if no such node exists.
-**
-**     Side Effects:
-**             none.
-*/
-
-ADDRESS *
-addrref(a, r)
-       register ADDRESS *a;
-       register ADDRESS *r;
-{
-       register ADDRESS *q;
-
-       while (a != NULL)
-       {
-               if (a->q_child == r || a->q_sibling == r)
-                       return (a);
-               q = addrref(a->q_child, r);
-               if (q != NULL)
-                       return (q);
-               a = a->q_sibling;
-       }
-       return (NULL);
+       e->e_to = oldto;
+       return (naddrs);
  }
  \f/*
  **  RECIPIENT -- Designate a message recipient
  }
  \f/*
  **  RECIPIENT -- Designate a message recipient
@@ -194,22 +155,21 @@ addrref(a, r)
  **             sendq -- a pointer to the head of a queue to put the
  **                     recipient in.  Duplicate supression is done
  **                     in this queue.
  **             sendq -- a pointer to the head of a queue to put the
  **                     recipient in.  Duplicate supression is done
  **                     in this queue.
+**             e -- the current envelope.
  **
  **     Returns:
  **
  **     Returns:
-**             pointer to address actually inserted in send list.
+**             The actual address in the queue.  This will be "a" if
+**             the address is not a duplicate, else the original address.
  **
  **     Side Effects:
  **             none.
  */
  
  **
  **     Side Effects:
  **             none.
  */
  
-extern ADDRESS *getctladdr();
-extern char    *RcptLogFile;
-
  ADDRESS *
  ADDRESS *
-ADDRESS *
-recipient(a, sendq)
+recipient(a, sendq, e)
         register ADDRESS *a;
         register ADDRESS **sendq;
         register ADDRESS *a;
         register ADDRESS **sendq;
+       register ENVELOPE *e;
  {
         register ADDRESS *q;
         ADDRESS **pq;
  {
         register ADDRESS *q;
         ADDRESS **pq;
@@ -218,9 +178,9 @@ recipient(a, sendq)
         bool quoted = FALSE;            /* set if the addr has a quote bit */
         int findusercount = 0;
         char buf[MAXNAME];              /* unquoted image of the user name */
         bool quoted = FALSE;            /* set if the addr has a quote bit */
         int findusercount = 0;
         char buf[MAXNAME];              /* unquoted image of the user name */
-       extern bool safefile();
+       extern int safefile();
  
  
-       CurEnv->e_to = a->q_paddr;
+       e->e_to = a->q_paddr;
         m = a->q_mailer;
         errno = 0;
         if (tTd(26, 1))
         m = a->q_mailer;
         errno = 0;
         if (tTd(26, 1))
@@ -229,11 +189,20 @@ recipient(a, sendq)
                 printaddr(a, FALSE);
         }
  
                 printaddr(a, FALSE);
         }
  
+       /* if this is primary, add it to the original recipient list */
+       if (a->q_alias == NULL)
+       {
+               if (e->e_origrcpt == NULL)
+                       e->e_origrcpt = a->q_paddr;
+               else if (e->e_origrcpt != a->q_paddr)
+                       e->e_origrcpt = "";
+       }
+
         /* break aliasing loops */
         if (AliasLevel > MAXRCRSN)
         {
         /* break aliasing loops */
         if (AliasLevel > MAXRCRSN)
         {
-               usrerr("aliasing/forwarding loop broken");
-               return (NULL);
+               usrerr("554 aliasing/forwarding loop broken");
+               return (a);
         }
  
         /*
         }
  
         /*
@@ -241,30 +210,36 @@ recipient(a, sendq)
         */
  
         /* set the queue timeout */
         */
  
         /* set the queue timeout */
-       a->q_timeout = TimeOut;
-
-       /* map user & host to lower case if requested on non-aliases */
-       if (a->q_alias == NULL)
-               loweraddr(a);
+       a->q_timeout = TimeOuts.to_q_return;
  
         /* get unquoted user for file, program or user.name check */
         (void) strcpy(buf, a->q_user);
         for (p = buf; *p != '\0' && !quoted; p++)
         {
  
         /* get unquoted user for file, program or user.name check */
         (void) strcpy(buf, a->q_user);
         for (p = buf; *p != '\0' && !quoted; p++)
         {
-               if (!isascii(*p) && (*p & 0377) != (SpaceSub & 0377))
+               if (*p == '\\')
                         quoted = TRUE;
         }
         stripquotes(buf);
  
                         quoted = TRUE;
         }
         stripquotes(buf);
  
-       /* do sickly crude mapping for program mailing, etc. */
-       if (m == LocalMailer && buf[0] == '|')
+       /* check for direct mailing to restricted mailers */
+       if (m == ProgMailer)
         {
         {
-               a->q_mailer = m = ProgMailer;
-               a->q_user++;
-               if (a->q_alias == NULL && !ForceMail)
+               if (a->q_alias == NULL)
+               {
+                       a->q_flags |= QBADADDR;
+                       usrerr("550 Cannot mail directly to programs");
+               }
+               else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
+               {
+                       a->q_flags |= QBADADDR;
+                       usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs",
+                               a->q_alias->q_ruser, MyHostName);
+               }
+               else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
                 {
                 {
-                       a->q_flags |= QDONTSEND|QBADADDR;
-                       usrerr("Cannot mail directly to programs");
+                       a->q_flags |= QBADADDR;
+                       usrerr("550 Address %s is unsafe for mailing to programs",
+                               a->q_alias->q_paddr);
                 }
         }
  
                 }
         }
  
@@ -279,144 +254,144 @@ recipient(a, sendq)
  
         for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
         {
  
         for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
         {
-               if (!ForceMail && sameaddr(q, a))
+               if (sameaddr(q, a))
                 {
                         if (tTd(26, 1))
                         {
                                 printf("%s in sendq: ", a->q_paddr);
                                 printaddr(q, FALSE);
                         }
                 {
                         if (tTd(26, 1))
                         {
                                 printf("%s in sendq: ", a->q_paddr);
                                 printaddr(q, FALSE);
                         }
-                       if (Verbose && !bitset(QDONTSEND|QPSEUDO, a->q_flags))
-                               message(Arpa_Info, "duplicate suppressed");
                         if (!bitset(QPRIMARY, q->q_flags))
                         if (!bitset(QPRIMARY, q->q_flags))
+                       {
+                               if (!bitset(QDONTSEND, a->q_flags))
+                                       message("duplicate suppressed");
                                 q->q_flags |= a->q_flags;
                                 q->q_flags |= a->q_flags;
-                       if (!bitset(QPSEUDO, a->q_flags))
-                               q->q_flags &= ~QPSEUDO;
-                       return (q);
+                       }
+                       else if (bitset(QSELFREF, q->q_flags))
+                               q->q_flags |= a->q_flags & ~QDONTSEND;
+                       a = q;
+                       goto testselfdestruct;
                 }
         }
  
         /* add address on list */
         *pq = a;
         a->q_next = NULL;
                 }
         }
  
         /* add address on list */
         *pq = a;
         a->q_next = NULL;
-       CurEnv->e_nrcpts++;
-
-       if (a->q_alias == NULL && RcptLogFile != NULL &&
-           !bitset(QDONTSEND, a->q_flags))
-       {
-               static int RcptLogFd = -1;
-
-               /*
-               **  Log the incoming recipient name before aliasing,
-               **  expanding, forwarding, rewriting, and all that jazz.
-               **  We'll use this to track down out-of-date aliases,
-               **  host names, and so forth.
-               */
-
-               if (RcptLogFd < 0)
-               {
-                       /* try to open the log file */
-                       RcptLogFd = open(RcptLogFile, O_WRONLY|O_APPEND|O_CREAT, 0666);
-                       if (RcptLogFd >= 0)
-                               (void) fcntl(RcptLogFd, F_SETFD, 1);
-               }
-               if (RcptLogFd >= 0)
-               {
-                       int l = strlen(a->q_paddr);
-
-                       a->q_paddr[l] = '\n';
-                       if (write(RcptLogFd, a->q_paddr, l + 1) < 0)
-                       {
-                               (void) close(RcptLogFd);
-                               RcptLogFd = -1;
-                       }
-                       a->q_paddr[l] = '\0';
-               }
-       }
  
         /*
  
         /*
-       **  Alias the name and handle :include: specs.
+       **  Alias the name and handle special mailer types.
         */
  
    trylocaluser:
         */
  
    trylocaluser:
-       if (m == LocalMailer && !bitset(QDONTSEND, a->q_flags))
+       if (tTd(29, 7))
+               printf("at trylocaluser %s\n", a->q_user);
+
+       if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags))
+               goto testselfdestruct;
+
+       if (m == InclMailer)
         {
         {
-               if (strncmp(a->q_user, ":include:", 9) == 0)
+               a->q_flags |= QDONTSEND;
+               if (a->q_alias == NULL)
                 {
                 {
-                       a->q_flags |= QDONTSEND;
-                       if (a->q_alias == NULL && !ForceMail)
-                       {
-                               a->q_flags |= QBADADDR;
-                               usrerr("Cannot mail directly to :include:s");
-                       }
-                       else
-                       {
-                               message(Arpa_Info, "including file %s", &a->q_user[9]);
-                               include(&a->q_user[9], FALSE, a, sendq);
-                       }
+                       a->q_flags |= QBADADDR;
+                       usrerr("550 Cannot mail directly to :include:s");
                 }
                 else
                 {
                 }
                 else
                 {
-                       /* try aliasing */
-                       alias(a, sendq);
+                       int ret;
  
  
-# ifdef USERDB
-                       /* if not aliased, look it up in the user database */
-                       if (!bitset(QDONTSEND|QNOTREMOTE, a->q_flags))
+                       message("including file %s", a->q_user);
+                       ret = include(a->q_user, FALSE, a, sendq, e);
+                       if (transienterror(ret))
                         {
                         {
-                               extern int udbexpand();
-
-                               if (udbexpand(a, sendq) == EX_TEMPFAIL)
-                               {
-                                       a->q_flags |= QQUEUEUP;
-                                       if (CurEnv->e_message == NULL)
-                                               CurEnv->e_message = newstr("Deferred: user database error");
-# ifdef LOG
-                                       if (LogLevel > 3)
-                                               syslog(LOG_INFO, "%s: deferred: udbexpand",
-                                                       CurEnv->e_id);
-# endif
-                                       message(Arpa_Info, "queued (user database error)");
-                                       return (a);
-                               }
+#ifdef LOG
+                               if (LogLevel > 2)
+                                       syslog(LOG_ERR, "%s: include %s: transient error: %s",
+                                               e->e_id == NULL ? "NOQUEUE" : e->e_id,
+                                               a->q_user, errstring(ret));
+#endif
+                               a->q_flags |= QQUEUEUP;
+                               a->q_flags &= ~QDONTSEND;
+                               usrerr("451 Cannot open %s: %s",
+                                       a->q_user, errstring(ret));
+                       }
+                       else if (ret != 0)
+                       {
+                               a->q_flags |= QBADADDR;
+                               usrerr("550 Cannot open %s: %s",
+                                       a->q_user, errstring(ret));
                         }
                         }
-# endif
                 }
         }
                 }
         }
-
-       /*
-       **  If the user is local and still being sent, verify that
-       **  the address is good.  If it is, try to forward.
-       **  If the address is already good, we have a forwarding
-       **  loop.  This can be broken by just sending directly to
-       **  the user (which is probably correct anyway).
-       */
-
-       if (bitset(QDONTSEND, a->q_flags) || m != LocalMailer)
-               return (a);
-
-       /* see if this is to a file */
-       if (buf[0] == '/')
+       else if (m == FileMailer)
         {
         {
-               struct stat stb;
                 extern bool writable();
  
                 extern bool writable();
  
-               p = rindex(buf, '/');
                 /* check if writable or creatable */
                 /* check if writable or creatable */
-               if (a->q_alias == NULL && !QueueRun && !ForceMail)
+               if (a->q_alias == NULL)
                 {
                 {
-                       a->q_flags |= QDONTSEND|QBADADDR;
-                       usrerr("Cannot mail directly to files");
+                       a->q_flags |= QBADADDR;
+                       usrerr("550 Cannot mail directly to files");
                 }
                 }
-               else if ((stat(buf, &stb) >= 0) ? (!writable(&stb)) :
-                   (*p = '\0', !safefile(buf, getruid(), S_IWRITE|S_IEXEC)))
+               else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
                 {
                         a->q_flags |= QBADADDR;
                 {
                         a->q_flags |= QBADADDR;
-                       giveresponse(EX_CANTCREAT, m, CurEnv);
+                       usrerr("550 User %s@%s doesn't have a valid shell for mailing to files",
+                               a->q_alias->q_ruser, MyHostName);
+               }
+               else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
+               {
+                       a->q_flags |= QBADADDR;
+                       usrerr("550 Address %s is unsafe for mailing to files",
+                               a->q_alias->q_paddr);
+               }
+               else if (!writable(buf, getctladdr(a), SFF_ANYFILE))
+               {
+                       a->q_flags |= QBADADDR;
+                       giveresponse(EX_CANTCREAT, m, NULL, a->q_alias, e);
                 }
                 }
-               return (a);
         }
  
         }
  
+       if (m != LocalMailer)
+       {
+               if (!bitset(QDONTSEND, a->q_flags))
+                       e->e_nrcpts++;
+               goto testselfdestruct;
+       }
+
+       /* try aliasing */
+       alias(a, sendq, e);
+
+# ifdef USERDB
+       /* if not aliased, look it up in the user database */
+       if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags))
+       {
+               extern int udbexpand();
+
+               if (udbexpand(a, sendq, e) == EX_TEMPFAIL)
+               {
+                       a->q_flags |= QQUEUEUP;
+                       if (e->e_message == NULL)
+                               e->e_message = newstr("Deferred: user database error");
+# ifdef LOG
+                       if (LogLevel > 8)
+                               syslog(LOG_INFO, "%s: deferred: udbexpand: %s",
+                                       e->e_id == NULL ? "NOQUEUE" : e->e_id,
+                                       errstring(errno));
+# endif
+                       message("queued (user database error): %s",
+                               errstring(errno));
+                       e->e_nrcpts++;
+                       goto testselfdestruct;
+               }
+       }
+# endif
+
+       /* if it was an alias or a UDB expansion, just return now */
+       if (bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags))
+               goto testselfdestruct;
+
         /*
         **  If we have a level two config file, then pass the name through
         **  Ruleset 5 before sending it off.  Ruleset 5 has the right
         /*
         **  If we have a level two config file, then pass the name through
         **  Ruleset 5 before sending it off.  Ruleset 5 has the right
@@ -433,7 +408,7 @@ recipient(a, sendq)
         if (!bitset(QNOTREMOTE, a->q_flags) && ConfigLevel >= 2 &&
             RewriteRules[5] != NULL)
         {
         if (!bitset(QNOTREMOTE, a->q_flags) && ConfigLevel >= 2 &&
             RewriteRules[5] != NULL)
         {
-               maplocaluser(a, sendq);
+               maplocaluser(a, sendq, e);
         }
  
         /*
         }
  
         /*
@@ -441,29 +416,31 @@ recipient(a, sendq)
         **  and deliver it.
         */
  
         **  and deliver it.
         */
  
-       if (!bitset(QDONTSEND, a->q_flags))
+       if (!bitset(QDONTSEND|QQUEUEUP, a->q_flags))
         {
         {
+               auto bool fuzzy;
                 register struct passwd *pw;
                 extern struct passwd *finduser();
  
                 /* warning -- finduser may trash buf */
                 register struct passwd *pw;
                 extern struct passwd *finduser();
  
                 /* warning -- finduser may trash buf */
-               pw = finduser(buf);
+               pw = finduser(buf, &fuzzy);
                 if (pw == NULL)
                 {
                         a->q_flags |= QBADADDR;
                 if (pw == NULL)
                 {
                         a->q_flags |= QBADADDR;
-                       giveresponse(EX_NOUSER, m, CurEnv);
+                       giveresponse(EX_NOUSER, m, NULL, a->q_alias, e);
                 }
                 else
                 {
                         char nbuf[MAXNAME];
  
                 }
                 else
                 {
                         char nbuf[MAXNAME];
  
-                       if (strcmp(a->q_user, pw->pw_name) != 0)
+                       if (fuzzy)
                         {
                                 /* name was a fuzzy match */
                                 a->q_user = newstr(pw->pw_name);
                                 if (findusercount++ > 3)
                                 {
                         {
                                 /* name was a fuzzy match */
                                 a->q_user = newstr(pw->pw_name);
                                 if (findusercount++ > 3)
                                 {
-                                       usrerr("aliasing/forwarding loop for %s broken",
+                                       a->q_flags |= QBADADDR;
+                                       usrerr("554 aliasing/forwarding loop for %s broken",
                                                 pw->pw_name);
                                         return (a);
                                 }
                                                 pw->pw_name);
                                         return (a);
                                 }
@@ -472,19 +449,47 @@ recipient(a, sendq)
                                 (void) strcpy(buf, pw->pw_name);
                                 goto trylocaluser;
                         }
                                 (void) strcpy(buf, pw->pw_name);
                                 goto trylocaluser;
                         }
-                       a->q_home = newstr(pw->pw_dir);
+                       if (strcmp(pw->pw_dir, "/") == 0)
+                               a->q_home = "";
+                       else
+                               a->q_home = newstr(pw->pw_dir);
                         a->q_uid = pw->pw_uid;
                         a->q_gid = pw->pw_gid;
                         a->q_uid = pw->pw_uid;
                         a->q_gid = pw->pw_gid;
+                       a->q_ruser = newstr(pw->pw_name);
                         a->q_flags |= QGOODUID;
                         buildfname(pw->pw_gecos, pw->pw_name, nbuf);
                         if (nbuf[0] != '\0')
                                 a->q_fullname = newstr(nbuf);
                         a->q_flags |= QGOODUID;
                         buildfname(pw->pw_gecos, pw->pw_name, nbuf);
                         if (nbuf[0] != '\0')
                                 a->q_fullname = newstr(nbuf);
+                       if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' &&
+                           !usershellok(pw->pw_shell))
+                       {
+                               a->q_flags |= QBOGUSSHELL;
+                       }
                         if (!quoted)
                         if (!quoted)
-                               forward(a, sendq);
+                               forward(a, sendq, e);
                 }
         }
                 }
         }
-       return (a);
+       if (!bitset(QDONTSEND, a->q_flags))
+               e->e_nrcpts++;
  
  
+  testselfdestruct:
+       if (tTd(26, 8))
+       {
+               printf("testselfdestruct: ");
+               printaddr(a, TRUE);
+       }
+       if (a->q_alias == NULL && a != &e->e_from &&
+           bitset(QDONTSEND, a->q_flags))
+       {
+               q = *sendq;
+               while (q != NULL && bitset(QDONTSEND, q->q_flags))
+                       q = q->q_next;
+               if (q == NULL)
+               {
+                       a->q_flags |= QBADADDR;
+                       usrerr("554 aliasing/forwarding loop broken");
+               }
+       }
         return (a);
  }
  \f/*
         return (a);
  }
  \f/*
@@ -498,6 +503,9 @@ recipient(a, sendq)
  **
  **     Parameters:
  **             name -- the name to match against.
  **
  **     Parameters:
  **             name -- the name to match against.
+**             fuzzyp -- an outarg that is set to TRUE if this entry
+**                     was found using the fuzzy matching algorithm;
+**                     set to FALSE otherwise.
  **
  **     Returns:
  **             A pointer to a pw struct.
  **
  **     Returns:
  **             A pointer to a pw struct.
@@ -508,29 +516,47 @@ recipient(a, sendq)
  */
  
  struct passwd *
  */
  
  struct passwd *
-finduser(name)
+finduser(name, fuzzyp)
         char *name;
         char *name;
+       bool *fuzzyp;
  {
         register struct passwd *pw;
         register char *p;
         extern struct passwd *getpwent();
         extern struct passwd *getpwnam();
  
  {
         register struct passwd *pw;
         register char *p;
         extern struct passwd *getpwent();
         extern struct passwd *getpwnam();
  
-       /* map upper => lower case */
+       if (tTd(29, 4))
+               printf("finduser(%s): ", name);
+
+       *fuzzyp = FALSE;
+
+       /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
         for (p = name; *p != '\0'; p++)
         for (p = name; *p != '\0'; p++)
+               if (!isascii(*p) || !isdigit(*p))
+                       break;
+       if (*p == '\0')
         {
         {
-               if (isascii(*p) && isupper(*p))
-                       *p = tolower(*p);
+               if (tTd(29, 4))
+                       printf("failed (numeric input)\n");
+               return NULL;
         }
  
         /* look up this login name using fast path */
         if ((pw = getpwnam(name)) != NULL)
         }
  
         /* look up this login name using fast path */
         if ((pw = getpwnam(name)) != NULL)
+       {
+               if (tTd(29, 4))
+                       printf("found (non-fuzzy)\n");
                 return (pw);
                 return (pw);
+       }
  
  #ifdef MATCHGECOS
         /* see if fuzzy matching allowed */
         if (!MatchGecos)
  
  #ifdef MATCHGECOS
         /* see if fuzzy matching allowed */
         if (!MatchGecos)
+       {
+               if (tTd(29, 4))
+                       printf("not found (fuzzy disabled)\n");
                 return NULL;
                 return NULL;
+       }
  
         /* search for a matching full name instead */
         for (p = name; *p != '\0'; p++)
  
         /* search for a matching full name instead */
         for (p = name; *p != '\0'; p++)
@@ -543,14 +569,21 @@ finduser(name)
         {
                 char buf[MAXNAME];
  
         {
                 char buf[MAXNAME];
  
-               fullname(pw, buf);
-               if (index(buf, ' ') != NULL && !strcasecmp(buf, name))
+               buildfname(pw->pw_gecos, pw->pw_name, buf);
+               if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
                 {
                 {
-                               message(Arpa_Info, "sending to %s <%s>",
-                                   buf, pw->pw_name);
+                       if (tTd(29, 4))
+                               printf("fuzzy matches %s\n", pw->pw_name);
+                       message("sending to login name %s", pw->pw_name);
+                       *fuzzyp = TRUE;
                         return (pw);
                 }
         }
                         return (pw);
                 }
         }
+       if (tTd(29, 4))
+               printf("no fuzzy match found\n");
+#else
+       if (tTd(29, 4))
+               printf("not found (fuzzy disabled)\n");
  #endif
         return (NULL);
  }
  #endif
         return (NULL);
  }
@@ -566,7 +599,9 @@ finduser(name)
  **     not writable.  This is also enforced by mailfile.
  **
  **     Parameters:
  **     not writable.  This is also enforced by mailfile.
  **
  **     Parameters:
-**             s -- pointer to a stat struct for the file.
+**             filename -- the file name to check.
+**             ctladdr -- the controlling address for this file.
+**             flags -- SFF_* flags to control the function.
  **
  **     Returns:
  **             TRUE -- if we will be able to write this file.
  **
  **     Returns:
  **             TRUE -- if we will be able to write this file.
@@ -577,34 +612,98 @@ finduser(name)
  */
  
  bool
  */
  
  bool
-writable(s)
-       register struct stat *s;
+writable(filename, ctladdr, flags)
+       char *filename;
+       ADDRESS *ctladdr;
+       int flags;
  {
  {
-       int euid, egid;
+       uid_t euid;
+       gid_t egid;
         int bits;
         int bits;
+       register char *p;
+       char *uname;
+       struct stat stb;
+       extern char RealUserName[];
  
  
-       if (bitset(0111, s->st_mode))
-               return (FALSE);
-       euid = getruid();
-       egid = getrgid();
-       if (geteuid() == 0)
+       if (tTd(29, 5))
+               printf("writable(%s, %x)\n", filename, flags);
+
+#ifdef HASLSTAT
+       if ((bitset(SFF_NOSLINK, flags) ? lstat(filename, &stb)
+                                       : stat(filename, &stb)) < 0)
+#else
+       if (stat(filename, &stb) < 0)
+#endif
+       {
+               /* file does not exist -- see if directory is safe */
+               p = strrchr(filename, '/');
+               if (p == NULL)
+               {
+                       errno = ENOTDIR;
+                       return FALSE;
+               }
+               *p = '\0';
+               errno = safefile(filename, RealUid, RealGid, RealUserName,
+                                SFF_MUSTOWN, S_IWRITE|S_IEXEC);
+               *p = '/';
+               return errno == 0;
+       }
+
+#ifdef SUID_ROOT_FILES_OK
+       /* really ought to be passed down -- and not a good idea */
+       flags |= SFF_ROOTOK;
+#endif
+
+       /*
+       **  File does exist -- check that it is writable.
+       */
+
+       if (bitset(0111, stb.st_mode))
         {
         {
-               if (bitset(S_ISUID, s->st_mode))
-                       euid = s->st_uid;
-               if (bitset(S_ISGID, s->st_mode))
-                       egid = s->st_gid;
+               if (tTd(29, 5))
+                       printf("failed (mode %o: x bits)\n", stb.st_mode);
+               errno = EPERM;
+               return (FALSE);
         }
  
         }
  
+       if (ctladdr != NULL && geteuid() == 0)
+       {
+               euid = ctladdr->q_uid;
+               egid = ctladdr->q_gid;
+               uname = ctladdr->q_user;
+       }
+       else
+       {
+               euid = RealUid;
+               egid = RealGid;
+               uname = RealUserName;
+       }
         if (euid == 0)
         if (euid == 0)
-               return (TRUE);
-       bits = S_IWRITE;
-       if (euid != s->st_uid)
         {
         {
-               bits >>= 3;
-               if (egid != s->st_gid)
-                       bits >>= 3;
+               euid = DefUid;
+               uname = DefUser;
         }
         }
-       return ((s->st_mode & bits) != 0);
+       if (egid == 0)
+               egid = DefGid;
+       if (geteuid() == 0)
+       {
+               if (bitset(S_ISUID, stb.st_mode) &&
+                   (stb.st_uid != 0 || bitset(SFF_ROOTOK, flags)))
+               {
+                       euid = stb.st_uid;
+                       uname = NULL;
+               }
+               if (bitset(S_ISGID, stb.st_mode) &&
+                   (stb.st_gid != 0 || bitset(SFF_ROOTOK, flags)))
+                       egid = stb.st_gid;
+       }
+
+       if (tTd(29, 5))
+               printf("\teu/gid=%d/%d, st_u/gid=%d/%d\n",
+                       euid, egid, stb.st_uid, stb.st_gid);
+
+       errno = safefile(filename, euid, egid, uname, flags, S_IWRITE);
+       return errno == 0;
  }
  \f/*
  **  INCLUDE -- handle :include: specification.
  }
  \f/*
  **  INCLUDE -- handle :include: specification.
@@ -620,28 +719,114 @@ writable(s)
  **                     to put these addresses in.
  **
  **     Returns:
  **                     to put these addresses in.
  **
  **     Returns:
-**             none.
+**             open error status
  **
  **     Side Effects:
  **             reads the :include: file and sends to everyone
  **             listed in that file.
  **
  **     Side Effects:
  **             reads the :include: file and sends to everyone
  **             listed in that file.
+**
+**     Security Note:
+**             If you have restricted chown (that is, you can't
+**             give a file away), it is reasonable to allow programs
+**             and files called from this :include: file to be to be
+**             run as the owner of the :include: file.  This is bogus
+**             if there is any chance of someone giving away a file.
+**             We assume that pre-POSIX systems can give away files.
+**
+**             There is an additional restriction that if you
+**             forward to a :include: file, it will not take on
+**             the ownership of the :include: file.  This may not
+**             be necessary, but shouldn't hurt.
  */
  
  static jmp_buf CtxIncludeTimeout;
  */
  
  static jmp_buf CtxIncludeTimeout;
+static int     includetimeout();
  
  
-include(fname, forwarding, ctladdr, sendq)
+#ifndef S_IWOTH
+# define S_IWOTH       (S_IWRITE >> 6)
+#endif
+
+int
+include(fname, forwarding, ctladdr, sendq, e)
         char *fname;
         bool forwarding;
         ADDRESS *ctladdr;
         ADDRESS **sendq;
         char *fname;
         bool forwarding;
         ADDRESS *ctladdr;
         ADDRESS **sendq;
+       ENVELOPE *e;
  {
  {
-       register FILE *fp;
-       char *oldto = CurEnv->e_to;
+       register FILE *fp = NULL;
+       char *oldto = e->e_to;
         char *oldfilename = FileName;
         int oldlinenumber = LineNumber;
         register EVENT *ev = NULL;
         char *oldfilename = FileName;
         int oldlinenumber = LineNumber;
         register EVENT *ev = NULL;
+       int nincludes;
+       register ADDRESS *ca;
+       uid_t saveduid, uid;
+       gid_t savedgid, gid;
+       char *uname;
+       int rval = 0;
+       int sfflags = forwarding ? SFF_MUSTOWN : SFF_ANYFILE;
+       struct stat st;
         char buf[MAXLINE];
         char buf[MAXLINE];
-       static int includetimeout();
+#ifdef _POSIX_CHOWN_RESTRICTED
+# if _POSIX_CHOWN_RESTRICTED == -1
+#  define safechown    FALSE
+# else
+#  define safechown    TRUE
+# endif
+#else
+# ifdef _PC_CHOWN_RESTRICTED
+       bool safechown;
+# else
+#  ifdef BSD
+#   define safechown   TRUE
+#  else
+#   define safechown   FALSE
+#  endif
+# endif
+#endif
+       extern bool chownsafe();
+
+       if (tTd(27, 2))
+               printf("include(%s)\n", fname);
+       if (tTd(27, 4))
+               printf("   ruid=%d euid=%d\n", getuid(), geteuid());
+       if (tTd(27, 14))
+       {
+               printf("ctladdr ");
+               printaddr(ctladdr, FALSE);
+       }
+
+       if (tTd(27, 9))
+               printf("include: old uid = %d/%d\n", getuid(), geteuid());
+
+       ca = getctladdr(ctladdr);
+       if (ca == NULL)
+       {
+               uid = DefUid;
+               gid = DefGid;
+               uname = DefUser;
+               saveduid = -1;
+       }
+       else
+       {
+               uid = ca->q_uid;
+               gid = ca->q_gid;
+               uname = ca->q_user;
+#ifdef HASSETREUID
+               saveduid = geteuid();
+               savedgid = getegid();
+               if (saveduid == 0)
+               {
+                       initgroups(uname, gid);
+                       if (uid != 0)
+                               (void) setreuid(0, uid);
+               }
+#endif                   
+       }
+
+       if (tTd(27, 9))
+               printf("include: new uid = %d/%d\n", getuid(), geteuid());
  
         /*
         **  If home directory is remote mounted but server is down,
  
         /*
         **  If home directory is remote mounted but server is down,
@@ -650,64 +835,172 @@ include(fname, forwarding, ctladdr, sendq)
  
         if (setjmp(CtxIncludeTimeout) != 0)
         {
  
         if (setjmp(CtxIncludeTimeout) != 0)
         {
-               ctladdr->q_flags |= QQUEUEUP|QDONTSEND;
+               ctladdr->q_flags |= QQUEUEUP;
                 errno = 0;
                 errno = 0;
-               usrerr("451 open timeout on %s", fname);
-               return;
+
+               /* return pseudo-error code */
+               rval = EOPENTIMEOUT;
+               goto resetuid;
         }
         ev = setevent((time_t) 60, includetimeout, 0);
  
         }
         ev = setevent((time_t) 60, includetimeout, 0);
  
-       /* if forwarding, the input file must be marked safe */
-       if (forwarding && !safefile(fname, ctladdr->q_uid, S_IREAD))
+       /* the input file must be marked safe */
+       rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD);
+       if (rval != 0)
         {
         {
-               /* don't use this .forward file */
-               clrevent(ev);
-               return;
+               /* don't use this :include: file */
+               if (tTd(27, 4))
+                       printf("include: not safe (uid=%d): %s\n",
+                               uid, errstring(rval));
         }
         }
+       else
+       {
+               fp = fopen(fname, "r");
+               if (fp == NULL)
+               {
+                       rval = errno;
+                       if (tTd(27, 4))
+                               printf("include: open: %s\n", errstring(rval));
+               }
+       }
+       clrevent(ev);
  
  
-       fp = fopen(fname, "r");
-       if (fp == NULL)
+resetuid:
+
+#ifdef HASSETREUID
+       if (saveduid == 0)
         {
         {
-               usrerr("Cannot open %s", fname);
-               return;
+               if (uid != 0)
+                       if (setreuid(-1, 0) < 0 || setreuid(RealUid, 0) < 0)
+                               syserr("setreuid(%d, 0) failure (real=%d, eff=%d)",
+                                       RealUid, getuid(), geteuid());
+               setgid(savedgid);
         }
         }
+#endif
+
+       if (tTd(27, 9))
+               printf("include: reset uid = %d/%d\n", getuid(), geteuid());
+
+       if (rval == EOPENTIMEOUT)
+               usrerr("451 open timeout on %s", fname);
+
+       if (fp == NULL)
+               return rval;
  
  
-       if (getctladdr(ctladdr) == NULL)
+       if (fstat(fileno(fp), &st) < 0)
         {
         {
-               struct stat st;
+               rval = errno;
+               syserr("Cannot fstat %s!", fname);
+               return rval;
+       }
  
  
-               if (fstat(fileno(fp), &st) < 0)
-                       syserr("Cannot fstat %s!", fname);
+#ifndef safechown
+       safechown = chownsafe(fileno(fp));
+#endif
+       if (ca == NULL && safechown)
+       {
                 ctladdr->q_uid = st.st_uid;
                 ctladdr->q_gid = st.st_gid;
                 ctladdr->q_flags |= QGOODUID;
         }
                 ctladdr->q_uid = st.st_uid;
                 ctladdr->q_gid = st.st_gid;
                 ctladdr->q_flags |= QGOODUID;
         }
+       if (ca != NULL && ca->q_uid == st.st_uid)
+       {
+               /* optimization -- avoid getpwuid if we already have info */
+               ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
+               ctladdr->q_ruser = ca->q_ruser;
+       }
+       else
+       {
+               char *sh;
+               register struct passwd *pw;
  
  
-       clrevent(ev);
+               sh = "/SENDMAIL/ANY/SHELL/";
+               pw = getpwuid(st.st_uid);
+               if (pw != NULL)
+               {
+                       ctladdr->q_ruser = newstr(pw->pw_name);
+                       if (safechown)
+                               sh = pw->pw_shell;
+               }
+               if (pw == NULL)
+                       ctladdr->q_flags |= QBOGUSSHELL;
+               else if(!usershellok(sh))
+               {
+                       if (safechown)
+                               ctladdr->q_flags |= QBOGUSSHELL;
+                       else
+                               ctladdr->q_flags |= QUNSAFEADDR;
+               }
+       }
+
+       if (bitset(EF_VRFYONLY, e->e_flags))
+       {
+               /* don't do any more now */
+               ctladdr->q_flags |= QVERIFIED;
+               e->e_nrcpts++;
+               xfclose(fp, "include", fname);
+               return rval;
+       }
+
+       /*
+       ** Check to see if some bad guy can write this file
+       **
+       **      This should really do something clever with group
+       **      permissions; currently we just view world writable
+       **      as unsafe.  Also, we don't check for writable
+       **      directories in the path.  We've got to leave
+       **      something for the local sysad to do.
+       */
+
+       if (bitset(S_IWOTH, st.st_mode))
+               ctladdr->q_flags |= QUNSAFEADDR;
  
         /* read the file -- each line is a comma-separated list. */
         FileName = fname;
         LineNumber = 0;
  
         /* read the file -- each line is a comma-separated list. */
         FileName = fname;
         LineNumber = 0;
+       ctladdr->q_flags &= ~QSELFREF;
+       nincludes = 0;
         while (fgets(buf, sizeof buf, fp) != NULL)
         {
         while (fgets(buf, sizeof buf, fp) != NULL)
         {
-               register char *p = index(buf, '\n');
+               register char *p = strchr(buf, '\n');
  
                 LineNumber++;
                 if (p != NULL)
                         *p = '\0';
  
                 LineNumber++;
                 if (p != NULL)
                         *p = '\0';
-               if (buf[0] == '\0' || buf[0] == '#')
+               if (buf[0] == '#' || buf[0] == '\0')
                         continue;
                         continue;
-               CurEnv->e_to = oldto;
-               message(Arpa_Info, "%s to %s",
+               e->e_to = NULL;
+               message("%s to %s",
                         forwarding ? "forwarding" : "sending", buf);
                         forwarding ? "forwarding" : "sending", buf);
+#ifdef LOG
+               if (forwarding && LogLevel > 9)
+                       syslog(LOG_INFO, "%s: forward %s => %s",
+                               e->e_id == NULL ? "NOQUEUE" : e->e_id,
+                               oldto, buf);
+#endif
+
                 AliasLevel++;
                 AliasLevel++;
-               sendto(buf, 1, ctladdr, 0);
+               nincludes += sendtolist(buf, ctladdr, sendq, e);
                 AliasLevel--;
         }
  
                 AliasLevel--;
         }
  
-       (void) fclose(fp);
+       if (ferror(fp) && tTd(27, 3))
+               printf("include: read error: %s\n", errstring(errno));
+       if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
+       {
+               if (tTd(27, 5))
+               {
+                       printf("include: QDONTSEND ");
+                       printaddr(ctladdr, FALSE);
+               }
+               ctladdr->q_flags |= QDONTSEND;
+       }
+
+       (void) xfclose(fp, "include", fname);
         FileName = oldfilename;
         LineNumber = oldlinenumber;
         FileName = oldfilename;
         LineNumber = oldlinenumber;
+       e->e_to = oldto;
+       return rval;
  }
  
  static
  }
  
  static
@@ -720,6 +1013,7 @@ includetimeout()
  **
  **     Parameters:
  **             argv -- argument vector to send to.
  **
  **     Parameters:
  **             argv -- argument vector to send to.
+**             e -- the current envelope.
  **
  **     Returns:
  **             none.
  **
  **     Returns:
  **             none.
@@ -729,29 +1023,15 @@ includetimeout()
  **                     send queue.
  */
  
  **                     send queue.
  */
  
-sendtoargv(argv)
+sendtoargv(argv, e)
         register char **argv;
         register char **argv;
+       register ENVELOPE *e;
  {
         register char *p;
  
         while ((p = *argv++) != NULL)
         {
  {
         register char *p;
  
         while ((p = *argv++) != NULL)
         {
-               if (argv[0] != NULL && argv[1] != NULL && !strcasecmp(argv[0], "at"))
-               {
-                       char nbuf[MAXNAME];
-
-                       if (strlen(p) + strlen(argv[1]) + 2 > sizeof nbuf)
-                               usrerr("address overflow");
-                       else
-                       {
-                               (void) strcpy(nbuf, p);
-                               (void) strcat(nbuf, "@");
-                               (void) strcat(nbuf, argv[1]);
-                               p = newstr(nbuf);
-                               argv += 2;
-                       }
-               }
-               sendto(p, 0, (ADDRESS *) NULL, 0);
+               (void) sendtolist(p, NULLADDR, &e->e_sendqueue, e);
         }
  }
  \f/*
         }
  }
  \f/*