diff --git a/src/EDITME b/src/EDITME

index 9372675..813dd41 100644

--- a/src/EDITME

+++ b/src/EDITME

@@ -794,6 +794,20 @@ TLS_LIBS=-lssl -lcrypto

 #------------------------------------------------------------------------------

+# On systems which support dynamic loading of shared libraries, Exim can

+# load a local_scan function specified in its config file instead of having

+# to be recompiled with the desired local_scan function. For a full

+# description of the API to this function, see the Exim specification.

+

+DLOPEN_LOCAL_SCAN=yes

+

+# If you set DLOPEN_LOCAL_SCAN, then you need to include -rdynamic in the

+# linker flags.  Without it, the loaded .so won't be able to access any

+# functions from exim.

+

+LFLAGS=-rdynamic -ldl -pie

+

+#------------------------------------------------------------------------------

 # The default distribution of Exim contains only the plain text form of the

 # documentation. Other forms are available separately. If you want to install

 # the documentation in "info" format, first fetch the Texinfo documentation

diff --git a/src/config.h.defaults b/src/config.h.defaults

index c33e098..6983a83 100644

--- a/src/config.h.defaults

+++ b/src/config.h.defaults

@@ -28,6 +28,8 @@ it's a default value. */

 #define AUTH_VARS                     3

+#define DLOPEN_LOCAL_SCAN

+

 #define BIN_DIRECTORY

 #define CONFIGURE_FILE

diff --git a/src/globals.c b/src/globals.c

index 1dbc015..10fb3e4 100644

--- a/src/globals.c

+++ b/src/globals.c

@@ -169,6 +169,10 @@ uschar *tls_verify_certificates= US"system";

 uschar *tls_verify_hosts       = NULL;

 #endif

+#ifdef DLOPEN_LOCAL_SCAN

+uschar *local_scan_path        = NULL;

+#endif

+

 #ifndef DISABLE_PRDR

 /* Per Recipient Data Response variables */

 BOOL    prdr_enable            = FALSE;

diff --git a/src/globals.h b/src/globals.h

index f3e884b..7063d97 100644

--- a/src/globals.h

+++ b/src/globals.h

@@ -131,6 +131,10 @@ extern uschar *tls_verify_certificates;/* Path for certificates to check */

 extern uschar *tls_verify_hosts;       /* Mandatory client verification */

 #endif

+#ifdef DLOPEN_LOCAL_SCAN

+extern uschar *local_scan_path;        /* Path to local_scan() library */

+#endif

+

 extern uschar  *dsn_envid;             /* DSN envid string */

 extern int      dsn_ret;               /* DSN ret type*/

 extern const pcre  *regex_DSN;         /* For recognizing DSN settings */

diff --git a/src/local_scan.c b/src/local_scan.c

index 3500047..8599172 100644

--- a/src/local_scan.c

+++ b/src/local_scan.c

@@ -5,60 +5,131 @@

 /* Copyright (c) University of Cambridge 1995 - 2009 */

 /* See the file NOTICE for conditions of use and distribution. */

+#include "exim.h"

-/******************************************************************************

-This file contains a template local_scan() function that just returns ACCEPT.

-If you want to implement your own version, you should copy this file to, say

-Local/local_scan.c, and edit the copy. To use your version instead of the

-default, you must set

-

-LOCAL_SCAN_SOURCE=Local/local_scan.c

-

-in your Local/Makefile. This makes it easy to copy your version for use with

-subsequent Exim releases.

-

-For a full description of the API to this function, see the Exim specification.

-******************************************************************************/

-

-

-/* This is the only Exim header that you should include. The effect of

-including any other Exim header is not defined, and may change from release to

-release. Use only the documented interface! */

-

-#include "local_scan.h"

-

-

-/* This is a "do-nothing" version of a local_scan() function. The arguments

-are:

-

-  fd             The file descriptor of the open -D file, which contains the

-                   body of the message. The file is open for reading and

-                   writing, but modifying it is dangerous and not recommended.

-

-  return_text    A pointer to an unsigned char* variable which you can set in

-                   order to return a text string. It is initialized to NULL.

-

-The return values of this function are:

-

-  LOCAL_SCAN_ACCEPT

-                 The message is to be accepted. The return_text argument is

-                   saved in $local_scan_data.

-

-  LOCAL_SCAN_REJECT

-                 The message is to be rejected. The returned text is used

-                   in the rejection message.

-

-  LOCAL_SCAN_TEMPREJECT

-                 This specifies a temporary rejection. The returned text

-                   is used in the rejection message.

-*/

+#ifdef DLOPEN_LOCAL_SCAN

+#include <dlfcn.h>

+static int (*local_scan_fn)(int fd, uschar **return_text) = NULL;

+static int load_local_scan_library(void);

+#endif

 int

 local_scan(int fd, uschar **return_text)

 {

 fd = fd;                      /* Keep picky compilers happy */

 return_text = return_text;

-return LOCAL_SCAN_ACCEPT;

+#ifdef DLOPEN_LOCAL_SCAN

+/* local_scan_path is defined AND not the empty string */

+if (local_scan_path && *local_scan_path)

+  {

+  if (!local_scan_fn)

+    {

+    if (!load_local_scan_library())

+      {

+        char *base_msg , *error_msg , *final_msg ;

+        int final_length = -1 ;

+

+        base_msg=US"Local configuration error - local_scan() library failure\n";

+        error_msg = dlerror() ;

+

+        final_length = strlen(base_msg) + strlen(error_msg) + 1 ;

+        final_msg = (char*)malloc( final_length*sizeof(char) ) ;

+        *final_msg = '\0' ;

+

+        strcat( final_msg , base_msg ) ;

+        strcat( final_msg , error_msg ) ;

+

+        *return_text = final_msg ;

+      return LOCAL_SCAN_TEMPREJECT;

+      }

+    }

+    return local_scan_fn(fd, return_text);

+  }

+else

+#endif

+  return LOCAL_SCAN_ACCEPT;

 }

+#ifdef DLOPEN_LOCAL_SCAN

+

+static int load_local_scan_library(void)

+{

+/* No point in keeping local_scan_lib since we'll never dlclose() anyway */

+void *local_scan_lib = NULL;

+int (*local_scan_version_fn)(void);

+int vers_maj;

+int vers_min;

+

+local_scan_lib = dlopen(local_scan_path, RTLD_NOW);

+if (!local_scan_lib)

+  {

+  log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library open failed - "

+    "message temporarily rejected");

+  return FALSE;

+  }

+

+local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_major");

+if (!local_scan_version_fn)

+  {

+  dlclose(local_scan_lib);

+  log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "

+    "local_scan_version_major() function - message temporarily rejected");

+  return FALSE;

+  }

+

+/* The major number is increased when the ABI is changed in a non

+   backward compatible way. */

+vers_maj = local_scan_version_fn();

+

+local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_minor");

+if (!local_scan_version_fn)

+  {

+  dlclose(local_scan_lib);

+  log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "

+    "local_scan_version_minor() function - message temporarily rejected");

+  return FALSE;

+  }

+

+/* The minor number is increased each time a new feature is added (in a

+   way that doesn't break backward compatibility) -- Marc */

+vers_min = local_scan_version_fn();

+

+

+if (vers_maj != LOCAL_SCAN_ABI_VERSION_MAJOR)

+  {

+  dlclose(local_scan_lib);

+  local_scan_lib = NULL;

+  log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible major"

+    "version number, you need to recompile your module for this version"

+    "of exim (The module was compiled for version %d.%d and this exim provides"

+    "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR,

+    LOCAL_SCAN_ABI_VERSION_MINOR);

+  return FALSE;

+  }

+else if (vers_min > LOCAL_SCAN_ABI_VERSION_MINOR)

+  {

+  dlclose(local_scan_lib);

+  local_scan_lib = NULL;

+  log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible minor"

+    "version number, you need to recompile your module for this version"

+    "of exim (The module was compiled for version %d.%d and this exim provides"

+    "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR,

+    LOCAL_SCAN_ABI_VERSION_MINOR);

+  return FALSE;

+  }

+

+local_scan_fn = dlsym(local_scan_lib, "local_scan");

+if (!local_scan_fn)

+  {

+  dlclose(local_scan_lib);

+  log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "

+    "local_scan() function - message temporarily rejected");

+  return FALSE;

+  }

+

+return TRUE;

+}

+

+#endif /* DLOPEN_LOCAL_SCAN */

+

 /* End of local_scan.c */

diff --git a/src/readconf.c b/src/readconf.c

index 1de6bd7..d1e5142 100644

--- a/src/readconf.c

+++ b/src/readconf.c

@@ -300,6 +300,9 @@ static optionlist optionlist_config[] = {

   { "local_from_prefix",        opt_stringptr,   &local_from_prefix },

   { "local_from_suffix",        opt_stringptr,   &local_from_suffix },

   { "local_interfaces",         opt_stringptr,   &local_interfaces },

+#ifdef DLOPEN_LOCAL_SCAN

+  { "local_scan_path",          opt_stringptr,   &local_scan_path },

+#endif

   { "local_scan_timeout",       opt_time,        &local_scan_timeout },

   { "local_sender_retain",      opt_bool,        &local_sender_retain },

   { "localhost_number",         opt_stringptr,   &host_number_string },