if (db_pid != -1)

		kill(db_pid, SIGTERM);

	if (jail_pid != -1)

		kill(jail_pid, SIGTERM);

	_exit(1);

	fprintf(sdc, "%s;", traplist_name);

	if (count != 0) {

		fprintf(sdc, "%s;inet;%u", traplist_msg, count);

		for (i = 0; i < count; i++)

			fprintf(sdc, ";%s/32", addrs[i]);

	fputc('\n', sdc);

	if (fflush(sdc) == EOF)

		syslog_r(LOG_DEBUG, &sdata, "configure_spamd: fflush failed (%m)");

	int i, pdes[2], status;

	char *fdpath;

	struct sigaction sa;

	sigfillset(&sa.sa_mask);

	sa.sa_flags = SA_RESTART;

	sa.sa_handler = sig_term_chld;

	if (debug)

		fprintf(stderr, "configure_pf - device on fd %d\n", pfdev);

	if (pfdev < 1 || pfdev > 63)

		return(-1);

	if (asprintf(&fdpath, "/dev/fd/%d", pfdev) == -1)

		return(-1);

	pargv[2] = fdpath;

	if (pipe(pdes) != 0) {

		syslog_r(LOG_INFO, &sdata, "pipe failed (%m)");

		free(fdpath);

		fdpath = NULL;

		return(-1);

	signal(SIGCHLD, SIG_DFL);

	switch (pid = fork()) {

		syslog_r(LOG_INFO, &sdata, "fork failed (%m)");

		free(fdpath);

		fdpath = NULL;

		close(pdes[0]);

		close(pdes[1]);

		sigaction(SIGCHLD, &sa, NULL);

		return(-1);

		close(pdes[1]);

		if (pdes[0] != STDIN_FILENO) {

			dup2(pdes[0], STDIN_FILENO);

			close(pdes[0]);

		execvp(PATH_PFCTL, pargv);

		syslog_r(LOG_ERR, &sdata, "can't exec %s:%m", PATH_PFCTL);

		_exit(1);

	free(fdpath);

	fdpath = NULL;

	close(pdes[0]);

	pf = fdopen(pdes[1], "w");

	if (pf == NULL) {

		syslog_r(LOG_INFO, &sdata, "fdopen failed (%m)");

		close(pdes[1]);

		sigaction(SIGCHLD, &sa, NULL);

		return(-1);

	for (i = 0; i < count; i++)

		if (addrs[i] != NULL)

			fprintf(pf, "%s/32\n", addrs[i]);

	fclose(pf);

	waitpid(pid, &status, 0);

	if (WIFEXITED(status) && WEXITSTATUS(status) != 0)

		syslog_r(LOG_ERR, &sdata, "%s returned status %d", PATH_PFCTL,

	else if (WIFSIGNALED(status))

		syslog_r(LOG_ERR, &sdata, "%s died on signal %d", PATH_PFCTL,

	sigaction(SIGCHLD, &sa, NULL);

	return(0);

	if (*addr == '<')

		addr++;

	(void) strlcpy(buf, addr, sizeof(buf));

	cp = strrchr(buf, '>');

	if (cp != NULL && cp[1] == '\0')

		*cp = '\0';

	while (*cp != '\0') {

		*cp = tolower((unsigned char)*cp);

		cp++;

	return(buf);

	size_t len;

	while (!SLIST_EMPTY(&match_suffix)) {

		SLIST_REMOVE_HEAD(&match_suffix, entry);

		free(m);

	if ((fp = fopen(alloweddomains_file, "r")) != NULL) {

		while ((buf = fgetln(fp, &len))) {

			while (len > 0 && isspace((unsigned char)buf[len-1]))

				len--;

			while (len > 0 && isspace((unsigned char)*buf)) {

				buf++;

				len--;

			if (len == 0)

			if (*buf == '#' || *buf == '\n')

			if (buf[len-1] == '\n')

				len--;

			if ((len + 1) > sizeof(m->addr)) {

				syslog_r(LOG_ERR, &sdata,

				    alloweddomains_file);

				goto bad;

			if ((m = malloc(sizeof(struct mail_addr))) == NULL)

			memcpy(m->addr, buf, len);

			m->addr[len]='\0';

			syslog_r(LOG_ERR, &sdata, "got suffix %s", m->addr);

			SLIST_INSERT_HEAD(&match_suffix, m, entry);

	return;

	while (!SLIST_EMPTY(&match_suffix)) {

		SLIST_REMOVE_HEAD(&match_suffix, entry);

		free(m);

	if (whitelist != NULL)

		for (i = 0; i < whitecount; i++) {

			free(whitelist[i]);

			whitelist[i] = NULL;

	whitecount = 0;

	if (traplist != NULL) {

		for (i = 0; i < trapcount; i++) {

			free(traplist[i]);

			traplist[i] = NULL;

	trapcount = 0;

	struct addrinfo hints, *res;

	memset(&hints, 0, sizeof(hints));

	hints.ai_family = AF_INET;		/*for now*/

	hints.ai_socktype = SOCK_DGRAM;		/*dummy*/

	hints.ai_protocol = IPPROTO_UDP;	/*dummy*/

	hints.ai_flags = AI_NUMERICHOST;

	if (getaddrinfo(addr, NULL, &hints, &res) == 0) {

		if (whitecount == whitealloc) {

			tmp = reallocarray(whitelist,

			    whitealloc + 1024, sizeof(char *));

			if (tmp == NULL) {

				freeaddrinfo(res);

				return(-1);

			whitelist = tmp;

			whitealloc += 1024;

		whitelist[whitecount] = strdup(addr);

		if (whitelist[whitecount] == NULL) {

			freeaddrinfo(res);

			return(-1);

		whitecount++;

		freeaddrinfo(res);

		return(-1);

	return(0);

	struct addrinfo hints, *res;

	memset(&hints, 0, sizeof(hints));

	hints.ai_family = AF_INET;		/*for now*/

	hints.ai_socktype = SOCK_DGRAM;		/*dummy*/

	hints.ai_protocol = IPPROTO_UDP;	/*dummy*/

	hints.ai_flags = AI_NUMERICHOST;

	if (getaddrinfo(addr, NULL, &hints, &res) == 0) {

		if (trapcount == trapalloc) {

			tmp = reallocarray(traplist,

			    trapalloc + 1024, sizeof(char *));

			if (tmp == NULL) {

				freeaddrinfo(res);

				return(-1);

			traplist = tmp;

			trapalloc += 1024;

		traplist[trapcount] = strdup(addr);

		if (traplist[trapcount] == NULL) {

			freeaddrinfo(res);

			return(-1);

		trapcount++;

		freeaddrinfo(res);

		return(-1);

	return(0);

	if ((dbc = malloc(sizeof(*dbc))) == NULL) {

		syslog_r(LOG_DEBUG, &sdata, "malloc failed (queue change)");

		return(-1);

	if ((dbc->key = strdup(key)) == NULL) {

		syslog_r(LOG_DEBUG, &sdata, "malloc failed (queue change)");

		free(dbc);

		return(-1);

	if ((dbc->data = malloc(dsiz)) == NULL) {

		syslog_r(LOG_DEBUG, &sdata, "malloc failed (queue change)");

		free(dbc->key);

		free(dbc);

		return(-1);

	memcpy(dbc->data, data, dsiz);

	dbc->dsiz = dsiz;

	dbc->act = act;

	syslog_r(LOG_DEBUG, &sdata,

	    "queueing %s of %s", ((act == DBC_ADD) ? "add" : "deletion"),

	    dbc->key);

	SLIST_INSERT_HEAD(&db_changes, dbc, entry);

	return(0);

	DBT			dbk, dbd;

	while (!SLIST_EMPTY(&db_changes)) {

		switch (dbc->act) {

			memset(&dbk, 0, sizeof(dbk));

			dbk.size = strlen(dbc->key);

			dbk.data = dbc->key;

			memset(&dbd, 0, sizeof(dbd));

			dbd.size = dbc->dsiz;

			dbd.data = dbc->data;

			if (db->put(db, &dbk, &dbd, 0)) {

				db->sync(db, 0);

				syslog_r(LOG_ERR, &sdata,

				    "can't add %s to spamd db (%m)", dbc->key);

			db->sync(db, 0);

			break;

			memset(&dbk, 0, sizeof(dbk));

			dbk.size = strlen(dbc->key);

			dbk.data = dbc->key;

			if (db->del(db, &dbk, 0)) {

				syslog_r(LOG_ERR, &sdata,

				    dbc->key);

			syslog_r(LOG_ERR, &sdata, "Unrecognized db change");

		free(dbc->key);

		dbc->key = NULL;

		free(dbc->data);

		dbc->data = NULL;

		dbc->act = 0;

		dbc->dsiz = 0;

		SLIST_REMOVE_HEAD(&db_changes, entry);

		free(dbc);

	return(ret);

	DBT			dbk, dbd;

	struct gdata		gd;

	memset(&dbk, 0, sizeof(dbk));

	dbk.size = strlen(key);

	dbk.data = key;

	memset(&dbd, 0, sizeof(dbd));

	switch (db->get(db, &dbk, &dbd, 0)) {

		return (0);

		if (gdcopyin(&dbd, &gd) != -1)

			return (gd.pcount == -1 ? 1 : 2);

		return (-1);

	HASHINFO	hashinfo;

	DBT		dbk, dbd;

	struct gdata	gd;

	time_t now = time(NULL);

	memset(&hashinfo, 0, sizeof(hashinfo));

	db = dbopen(dbname, O_EXLOCK|O_RDWR, 0600, DB_HASH, &hashinfo);

	if (db == NULL) {

		syslog_r(LOG_INFO, &sdata, "dbopen failed (%m)");

		return(-1);

	memset(&dbk, 0, sizeof(dbk));

	memset(&dbd, 0, sizeof(dbd));

	for (r = db->seq(db, &dbk, &dbd, R_FIRST); !r;

	    r = db->seq(db, &dbk, &dbd, R_NEXT)) {

		if ((dbk.size < 1) || gdcopyin(&dbd, &gd) == -1) {

			syslog_r(LOG_ERR, &sdata, "bogus entry in spamd database");

			goto bad;

		if (asiz < dbk.size + 1) {

			tmp = reallocarray(a, dbk.size, 2);

			if (tmp == NULL)

				goto bad;

			asiz = dbk.size * 2;

		memset(a, 0, asiz);

		memcpy(a, dbk.data, dbk.size);

		if (gd.expire <= now && gd.pcount != -2) {

			if (queue_change(a, NULL, 0, DBC_DEL) == -1)

		} else if (gd.pcount == -1)  {

			if ((addtrapaddr(a) == -1) &&

			    (queue_change(a, NULL, 0, DBC_DEL) == -1))

		} else if (gd.pcount >= 0 && gd.pass <= now) {

			cp = strchr(a, '\n');

			if (cp != NULL) {

				*cp = '\0';

			state = db_addrstate(db, a);

			if (state != 1 && addwhiteaddr(a) == -1) {

				if (cp != NULL)

					*cp = '\n';

				if (queue_change(a, NULL, 0, DBC_DEL) == -1)

					goto bad;

			if (tuple && state <= 0) {

				if (cp != NULL)

					*cp = '\0';

				gd.expire = now + whiteexp;

				dbd.size = sizeof(gd);

				dbd.data = &gd;

				if (queue_change(a, (void *) &gd, sizeof(gd),

				    DBC_ADD) == -1)

					goto bad;

				syslog_r(LOG_DEBUG, &sdata,

			if (debug)

				fprintf(stderr, "whitelisted %s\n", a);

	(void) do_changes(db);

	db->close(db);

	configure_pf(whitelist, whitecount);

	configure_spamd(traplist, trapcount, trapcfg);

	freeaddrlists();

	free(a);

	return(0);

	(void) do_changes(db);

	db->close(db);

	freeaddrlists();

	free(a);

	return(-1);

	DBT			dbk, dbd;

	trap = dequotetolower(to);

	if (!SLIST_EMPTY(&match_suffix)) {

		s = strlen(trap);

		SLIST_FOREACH(m, &match_suffix, entry) {

			j = s - strlen(m->addr);

			if ((j >= 0) && (strcasecmp(trap+j, m->addr) == 0))

				smatch = 1;

		if (!smatch)

			return (0);

	memset(&dbk, 0, sizeof(dbk));

	dbk.size = strlen(trap);

	dbk.data = trap;

	memset(&dbd, 0, sizeof(dbd));

	i = db->get(db, &dbk, &dbd, 0);

	if (i == -1)

		return (-1);

	if (i)

		return (1);

		return (0);

	HASHINFO	hashinfo;

	DBT		dbk, dbd;

	struct gdata	gd;

	now = time(NULL);

	expire = strtonum(expires, now,

	if (expire == 0)

		return(-1);

	if (strcmp(what, "TRAP") == 0)

		spamtrap = 1;

	else if (strcmp(what, "WHITE") == 0)

		return(-1);

	memset(&hashinfo, 0, sizeof(hashinfo));

	db = dbopen(dbname, O_EXLOCK|O_RDWR, 0600, DB_HASH, &hashinfo);

	if (db == NULL)

		return(-1);

	memset(&dbk, 0, sizeof(dbk));

	dbk.size = strlen(ip);

	dbk.data = ip;

	memset(&dbd, 0, sizeof(dbd));

	r = db->get(db, &dbk, &dbd, 0);

	if (r == -1)

	if (r) {

		memset(&gd, 0, sizeof(gd));

		gd.first = now;

		gd.pcount = spamtrap ? -1 : 0;

		gd.expire = expire;

		memset(&dbk, 0, sizeof(dbk));

		dbk.size = strlen(ip);

		dbk.data = ip;

		memset(&dbd, 0, sizeof(dbd));

		dbd.size = sizeof(gd);

		dbd.data = &gd;

		r = db->put(db, &dbk, &dbd, 0);

		db->sync(db, 0);

		if (r)

		if (debug)

			fprintf(stderr, "added %s %s\n",

			    spamtrap ? "trap entry for" : "", ip);

		syslog_r(LOG_DEBUG, &sdata,

	} else {

		if (gdcopyin(&dbd, &gd) == -1) {

			db->del(db, &dbk, 0);

			db->sync(db, 0);

			goto bad;

		if (spamtrap) {

			gd.pcount = -1;

			gd.bcount++;

		} else

			gd.pcount++;

		memset(&dbk, 0, sizeof(dbk));

		dbk.size = strlen(ip);

		dbk.data = ip;

		memset(&dbd, 0, sizeof(dbd));

		dbd.size = sizeof(gd);

		dbd.data = &gd;

		r = db->put(db, &dbk, &dbd, 0);

		db->sync(db, 0);

		if (r)

		if (debug)

			fprintf(stderr, "updated %s\n", ip);

	db->close(db);

	return(0);

	db->close(db);

	return(-1);

	HASHINFO	hashinfo;

	DBT		dbk, dbd;

	char		*key = NULL;

	struct gdata	gd;

	now = time(NULL);

	memset(&hashinfo, 0, sizeof(hashinfo));

	db = dbopen(dbname, O_EXLOCK|O_RDWR, 0600, DB_HASH, &hashinfo);

	if (db == NULL)

		return(-1);

	if (asprintf(&key, "%s\n%s\n%s\n%s", ip, helo, from, to) == -1)

	r = trapcheck(db, to);

	switch (r) {

		lookup = key;

		expire = greyexp;

		break;

		expire = trapexp;

		syslog_r(LOG_DEBUG, &sdata, "Trapping %s for tuple %s", ip,

		    key);

		break;

	memset(&dbk, 0, sizeof(dbk));

	dbk.size = strlen(lookup);

	dbk.data = lookup;

	memset(&dbd, 0, sizeof(dbd));

	r = db->get(db, &dbk, &dbd, 0);

	if (r == -1)

	if (r) {

		if (sync &&  low_prio_mx_ip &&

		    (strcmp(cip, low_prio_mx_ip) == 0) &&

		    ((startup + 60)  < now)) {

			expire = trapexp;

			syslog_r(LOG_DEBUG, &sdata,

			    ip, low_prio_mx_ip, key);

		memset(&gd, 0, sizeof(gd));

		gd.first = now;

		gd.bcount = 1;

		gd.pcount = spamtrap ? -1 : 0;

		gd.pass = now + expire;

		gd.expire = now + expire;

		memset(&dbk, 0, sizeof(dbk));

		dbk.size = strlen(lookup);

		dbk.data = lookup;

		memset(&dbd, 0, sizeof(dbd));

		dbd.size = sizeof(gd);

		dbd.data = &gd;

		r = db->put(db, &dbk, &dbd, 0);

		db->sync(db, 0);

		if (r)

		if (debug)

			fprintf(stderr, "added %s %s\n",

			    spamtrap ? "greytrap entry for" : "", lookup);

		syslog_r(LOG_DEBUG, &sdata,

		    spamtrap ? "greytrap " : "", ip, from, to, helo);

	} else {

		if (gdcopyin(&dbd, &gd) == -1) {

			db->del(db, &dbk, 0);

			db->sync(db, 0);

			goto bad;

		gd.bcount++;

		gd.pcount = spamtrap ? -1 : 0;

		if (gd.first + passtime < now)

			gd.pass = now;

		memset(&dbk, 0, sizeof(dbk));

		dbk.size = strlen(lookup);

		dbk.data = lookup;

		memset(&dbd, 0, sizeof(dbd));

		dbd.size = sizeof(gd);

		dbd.data = &gd;

		r = db->put(db, &dbk, &dbd, 0);

		db->sync(db, 0);

		if (r)

		if (debug)

			fprintf(stderr, "updated %s\n", lookup);

	free(key);

	key = NULL;

	db->close(db);

	if (syncsend && sync) {

		if (spamtrap) {

			syslog_r(LOG_DEBUG, &sdata,

			sync_trapped(now, now + expire, ip);

			sync_update(now, helo, ip, from, to);

	return(0);

	free(key);

	key = NULL;

	db->close(db);

	return(-1);

	if ((strncmp(buf, "WHITE:", 6) == 0) ||

	    (strncmp(buf, "TRAP:", 5) == 0)) {

		char **ap, *argv[5];

		for (ap = argv;

		    ap < &argv[4] && (*ap = strsep(&buf, ":")) != NULL;) {

			if (**ap != '\0')

				ap++;

			argc++;

		*ap = NULL;

		if (argc != 4)

			return (-1);

		twupdate(PATH_SPAMD_DB, argv[0], argv[1], argv[2], argv[3]);

		return (0);

	} else

		return (-1);

	char cip[32], ip[32], helo[MAX_MAIL], from[MAX_MAIL], to[MAX_MAIL];

	size_t len;

	struct addrinfo hints, *res;

	memset(&hints, 0, sizeof(hints));

	hints.ai_family = AF_INET;		/*for now*/

	hints.ai_socktype = SOCK_DGRAM;		/*dummy*/

	hints.ai_protocol = IPPROTO_UDP;	/*dummy*/

	hints.ai_flags = AI_NUMERICHOST;

	if (grey == NULL) {

		syslog_r(LOG_ERR, &sdata, "No greylist pipe stream!\n");

		return (-1);

	readsuffixlists();

	while ((buf = fgetln(grey, &len))) {

		if (buf[len - 1] == '\n')

			buf[len - 1] = '\0';

		if (strlen(buf) < 4)

		if (strcmp(buf, "SYNC") == 0) {

			continue;

		switch (state) {

			if (twread(buf) == 0) {

				break;

			if (strncmp(buf, "HE:", 3) != 0) {

				if (strncmp(buf, "CO:", 3) == 0)

					strlcpy(cip, buf+3, sizeof(cip));

				break;

			strlcpy(helo, buf+3, sizeof(helo));

			break;

			if (strncmp(buf, "IP:", 3) != 0)

			strlcpy(ip, buf+3, sizeof(ip));

			if (getaddrinfo(ip, NULL, &hints, &res) == 0) {

				freeaddrinfo(res);

			} else

			if (strncmp(buf, "FR:", 3) != 0) {

				break;

			strlcpy(from, buf+3, sizeof(from));

			break;

			if (strncmp(buf, "TO:", 3) != 0) {

				break;

			strlcpy(to, buf+3, sizeof(to));

			if (debug)

				fprintf(stderr,

				    helo, ip, from, to);

			greyupdate(PATH_SPAMD_DB, helo, ip, from, to, sync, cip);

			break;

	return (0);