1 /*	$NetBSD: qmgr.c,v 1.3 2020/03/18 19:05:19 christos Exp $	*/
2 
3 /*++
4 /* NAME
5 /*	qmgr 8
6 /* SUMMARY
7 /*	Postfix queue manager
8 /* SYNOPSIS
9 /*	\fBqmgr\fR [generic Postfix daemon options]
10 /* DESCRIPTION
11 /*	The \fBqmgr\fR(8) daemon awaits the arrival of incoming mail
12 /*	and arranges for its delivery via Postfix delivery processes.
13 /*	The actual mail routing strategy is delegated to the
14 /*	\fBtrivial-rewrite\fR(8) daemon.
15 /*	This program expects to be run from the \fBmaster\fR(8) process
16 /*	manager.
17 /*
18 /*	Mail addressed to the local \fBdouble-bounce\fR address is
19 /*	logged and discarded.  This stops potential loops caused by
20 /*	undeliverable bounce notifications.
21 /* MAIL QUEUES
22 /* .ad
23 /* .fi
24 /*	The \fBqmgr\fR(8) daemon maintains the following queues:
25 /* .IP \fBincoming\fR
26 /*	Inbound mail from the network, or mail picked up by the
27 /*	local \fBpickup\fR(8) daemon from the \fBmaildrop\fR directory.
28 /* .IP \fBactive\fR
29 /*	Messages that the queue manager has opened for delivery. Only
30 /*	a limited number of messages is allowed to enter the \fBactive\fR
31 /*	queue (leaky bucket strategy, for a fixed delivery rate).
32 /* .IP \fBdeferred\fR
33 /*	Mail that could not be delivered upon the first attempt. The queue
34 /*	manager implements exponential backoff by doubling the time between
35 /*	delivery attempts.
36 /* .IP \fBcorrupt\fR
37 /*	Unreadable or damaged queue files are moved here for inspection.
38 /* .IP \fBhold\fR
/*	Messages that are placed "on hold" are kept here until someone
/*	releases them.
41 /* DELIVERY STATUS REPORTS
42 /* .ad
43 /* .fi
44 /*	The \fBqmgr\fR(8) daemon keeps an eye on per-message delivery status
45 /*	reports in the following directories. Each status report file has
46 /*	the same name as the corresponding message file:
47 /* .IP \fBbounce\fR
48 /*	Per-recipient status information about why mail is bounced.
49 /*	These files are maintained by the \fBbounce\fR(8) daemon.
50 /* .IP \fBdefer\fR
51 /*	Per-recipient status information about why mail is delayed.
52 /*	These files are maintained by the \fBdefer\fR(8) daemon.
53 /* .IP \fBtrace\fR
54 /*	Per-recipient status information as requested with the
55 /*	Postfix "\fBsendmail -v\fR" or "\fBsendmail -bv\fR" command.
56 /*	These files are maintained by the \fBtrace\fR(8) daemon.
57 /* .PP
58 /*	The \fBqmgr\fR(8) daemon is responsible for asking the
59 /*	\fBbounce\fR(8), \fBdefer\fR(8) or \fBtrace\fR(8) daemons to
60 /*	send delivery reports.
61 /* STRATEGIES
62 /* .ad
63 /* .fi
64 /*	The queue manager implements a variety of strategies for
65 /*	either opening queue files (input) or for message delivery (output).
66 /* .IP "\fBleaky bucket\fR"
67 /*	This strategy limits the number of messages in the \fBactive\fR queue
68 /*	and prevents the queue manager from running out of memory under
69 /*	heavy load.
70 /* .IP \fBfairness\fR
71 /*	When the \fBactive\fR queue has room, the queue manager takes one
72 /*	message from the \fBincoming\fR queue and one from the \fBdeferred\fR
73 /*	queue. This prevents a large mail backlog from blocking the delivery
74 /*	of new mail.
75 /* .IP "\fBslow start\fR"
76 /*	This strategy eliminates "thundering herd" problems by slowly
77 /*	adjusting the number of parallel deliveries to the same destination.
78 /* .IP "\fBround robin\fR"
79 /*	The queue manager sorts delivery requests by destination.
80 /*	Round-robin selection prevents one destination from dominating
81 /*	deliveries to other destinations.
82 /* .IP "\fBexponential backoff\fR"
83 /*	Mail that cannot be delivered upon the first attempt is deferred.
84 /*	The time interval between delivery attempts is doubled after each
85 /*	attempt.
86 /* .IP "\fBdestination status cache\fR"
87 /*	The queue manager avoids unnecessary delivery attempts by
88 /*	maintaining a short-term, in-memory list of unreachable destinations.
89 /* .IP "\fBpreemptive message scheduling\fR"
90 /*	The queue manager attempts to minimize the average per-recipient delay
91 /*	while still preserving the correct per-message delays, using
92 /*	a sophisticated preemptive message scheduling.
93 /* TRIGGERS
94 /* .ad
95 /* .fi
96 /*	On an idle system, the queue manager waits for the arrival of
97 /*	trigger events, or it waits for a timer to go off. A trigger
98 /*	is a one-byte message.
99 /*	Depending on the message received, the queue manager performs
100 /*	one of the following actions (the message is followed by the
101 /*	symbolic constant used internally by the software):
102 /* .IP "\fBD (QMGR_REQ_SCAN_DEFERRED)\fR"
103 /*	Start a deferred queue scan.  If a deferred queue scan is already
104 /*	in progress, that scan will be restarted as soon as it finishes.
105 /* .IP "\fBI (QMGR_REQ_SCAN_INCOMING)\fR"
106 /*	Start an incoming queue scan. If an incoming queue scan is already
107 /*	in progress, that scan will be restarted as soon as it finishes.
108 /* .IP "\fBA (QMGR_REQ_SCAN_ALL)\fR"
109 /*	Ignore deferred queue file time stamps. The request affects
110 /*	the next deferred queue scan.
111 /* .IP "\fBF (QMGR_REQ_FLUSH_DEAD)\fR"
112 /*	Purge all information about dead transports and destinations.
113 /* .IP "\fBW (TRIGGER_REQ_WAKEUP)\fR"
/*	Wakeup call. This is used by the master server to instantiate
/*	servers that should not go away forever. The action is to start
/*	an incoming queue scan.
117 /* .PP
118 /*	The \fBqmgr\fR(8) daemon reads an entire buffer worth of triggers.
119 /*	Multiple identical trigger requests are collapsed into one, and
120 /*	trigger requests are sorted so that \fBA\fR and \fBF\fR precede
121 /*	\fBD\fR and \fBI\fR. Thus, in order to force a deferred queue run,
122 /*	one would request \fBA F D\fR; in order to notify the queue manager
123 /*	of the arrival of new mail one would request \fBI\fR.
124 /* STANDARDS
125 /*	RFC 3463 (Enhanced status codes)
126 /*	RFC 3464 (Delivery status notifications)
127 /* SECURITY
128 /* .ad
129 /* .fi
130 /*	The \fBqmgr\fR(8) daemon is not security sensitive. It reads
131 /*	single-character messages from untrusted local users, and thus may
132 /*	be susceptible to denial of service attacks. The \fBqmgr\fR(8) daemon
133 /*	does not talk to the outside world, and it can be run at fixed low
134 /*	privilege in a chrooted environment.
135 /* DIAGNOSTICS
136 /*	Problems and transactions are logged to \fBsyslogd\fR(8)
137 /*	or \fBpostlogd\fR(8).
138 /*	Corrupted message files are saved to the \fBcorrupt\fR queue
139 /*	for further inspection.
140 /*
141 /*	Depending on the setting of the \fBnotify_classes\fR parameter,
142 /*	the postmaster is notified of bounces and of other trouble.
143 /* BUGS
144 /*	A single queue manager process has to compete for disk access with
145 /*	multiple front-end processes such as \fBcleanup\fR(8). A sudden burst of
146 /*	inbound mail can negatively impact outbound delivery rates.
147 /* CONFIGURATION PARAMETERS
148 /* .ad
149 /* .fi
150 /*	Changes to \fBmain.cf\fR are not picked up automatically
151 /*	as \fBqmgr\fR(8)
152 /*	is a persistent process. Use the "\fBpostfix reload\fR" command after
153 /*	a configuration change.
154 /*
155 /*	The text below provides only a parameter summary. See
156 /*	\fBpostconf\fR(5) for more details including examples.
157 /*
158 /*	In the text below, \fItransport\fR is the first field in a
159 /*	\fBmaster.cf\fR entry.
160 /* COMPATIBILITY CONTROLS
161 /* .ad
162 /* .fi
163 /*	Available before Postfix version 2.5:
164 /* .IP "\fBallow_min_user (no)\fR"
165 /*	Allow a sender or recipient address to have `-' as the first
166 /*	character.
167 /* .PP
168 /*	Available with Postfix version 2.7 and later:
169 /* .IP "\fBdefault_filter_nexthop (empty)\fR"
170 /*	When a content_filter or FILTER request specifies no explicit
171 /*	next-hop destination, use $default_filter_nexthop instead; when
172 /*	that value is empty, use the domain in the recipient address.
173 /* ACTIVE QUEUE CONTROLS
174 /* .ad
175 /* .fi
176 /* .IP "\fBqmgr_clog_warn_time (300s)\fR"
177 /*	The minimal delay between warnings that a specific destination is
178 /*	clogging up the Postfix active queue.
179 /* .IP "\fBqmgr_message_active_limit (20000)\fR"
180 /*	The maximal number of messages in the active queue.
181 /* .IP "\fBqmgr_message_recipient_limit (20000)\fR"
182 /*	The maximal number of recipients held in memory by the Postfix
183 /*	queue manager, and the maximal size of the short-term,
184 /*	in-memory "dead" destination status cache.
185 /* .IP "\fBqmgr_message_recipient_minimum (10)\fR"
186 /*	The minimal number of in-memory recipients for any message.
187 /* .IP "\fBdefault_recipient_limit (20000)\fR"
188 /*	The default per-transport upper limit on the number of in-memory
189 /*	recipients.
190 /* .IP "\fBtransport_recipient_limit ($default_recipient_limit)\fR"
191 /*	A transport-specific override for the default_recipient_limit
192 /*	parameter value, where \fItransport\fR is the master.cf name of
193 /*	the message delivery transport.
194 /* .IP "\fBdefault_extra_recipient_limit (1000)\fR"
195 /*	The default value for the extra per-transport limit imposed on the
196 /*	number of in-memory recipients.
197 /* .IP "\fBtransport_extra_recipient_limit ($default_extra_recipient_limit)\fR"
198 /*	A transport-specific override for the default_extra_recipient_limit
199 /*	parameter value, where \fItransport\fR is the master.cf name of
200 /*	the message delivery transport.
201 /* .PP
202 /*	Available in Postfix version 2.4 and later:
203 /* .IP "\fBdefault_recipient_refill_limit (100)\fR"
204 /*	The default per-transport limit on the number of recipients refilled at
205 /*	once.
206 /* .IP "\fBtransport_recipient_refill_limit ($default_recipient_refill_limit)\fR"
207 /*	A transport-specific override for the default_recipient_refill_limit
208 /*	parameter value, where \fItransport\fR is the master.cf name of
209 /*	the message delivery transport.
210 /* .IP "\fBdefault_recipient_refill_delay (5s)\fR"
211 /*	The default per-transport maximum delay between recipients refills.
212 /* .IP "\fBtransport_recipient_refill_delay ($default_recipient_refill_delay)\fR"
213 /*	A transport-specific override for the default_recipient_refill_delay
214 /*	parameter value, where \fItransport\fR is the master.cf name of
215 /*	the message delivery transport.
216 /* DELIVERY CONCURRENCY CONTROLS
217 /* .ad
218 /* .fi
219 /* .IP "\fBinitial_destination_concurrency (5)\fR"
220 /*	The initial per-destination concurrency level for parallel delivery
221 /*	to the same destination.
222 /* .IP "\fBdefault_destination_concurrency_limit (20)\fR"
223 /*	The default maximal number of parallel deliveries to the same
224 /*	destination.
225 /* .IP "\fBtransport_destination_concurrency_limit ($default_destination_concurrency_limit)\fR"
226 /*	A transport-specific override for the
227 /*	default_destination_concurrency_limit parameter value, where
228 /*	\fItransport\fR is the master.cf name of the message delivery
229 /*	transport.
230 /* .PP
231 /*	Available in Postfix version 2.5 and later:
232 /* .IP "\fBtransport_initial_destination_concurrency ($initial_destination_concurrency)\fR"
233 /*	A transport-specific override for the initial_destination_concurrency
234 /*	parameter value, where \fItransport\fR is the master.cf name of
235 /*	the message delivery transport.
236 /* .IP "\fBdefault_destination_concurrency_failed_cohort_limit (1)\fR"
237 /*	How many pseudo-cohorts must suffer connection or handshake
238 /*	failure before a specific destination is considered unavailable
239 /*	(and further delivery is suspended).
240 /* .IP "\fBtransport_destination_concurrency_failed_cohort_limit ($default_destination_concurrency_failed_cohort_limit)\fR"
241 /*	A transport-specific override for the
242 /*	default_destination_concurrency_failed_cohort_limit parameter value,
243 /*	where \fItransport\fR is the master.cf name of the message delivery
244 /*	transport.
245 /* .IP "\fBdefault_destination_concurrency_negative_feedback (1)\fR"
246 /*	The per-destination amount of delivery concurrency negative
247 /*	feedback, after a delivery completes with a connection or handshake
248 /*	failure.
249 /* .IP "\fBtransport_destination_concurrency_negative_feedback ($default_destination_concurrency_negative_feedback)\fR"
250 /*	A transport-specific override for the
251 /*	default_destination_concurrency_negative_feedback parameter value,
252 /*	where \fItransport\fR is the master.cf name of the message delivery
253 /*	transport.
254 /* .IP "\fBdefault_destination_concurrency_positive_feedback (1)\fR"
255 /*	The per-destination amount of delivery concurrency positive
256 /*	feedback, after a delivery completes without connection or handshake
257 /*	failure.
258 /* .IP "\fBtransport_destination_concurrency_positive_feedback ($default_destination_concurrency_positive_feedback)\fR"
259 /*	A transport-specific override for the
260 /*	default_destination_concurrency_positive_feedback parameter value,
261 /*	where \fItransport\fR is the master.cf name of the message delivery
262 /*	transport.
263 /* .IP "\fBdestination_concurrency_feedback_debug (no)\fR"
264 /*	Make the queue manager's feedback algorithm verbose for performance
265 /*	analysis purposes.
266 /* RECIPIENT SCHEDULING CONTROLS
267 /* .ad
268 /* .fi
269 /* .IP "\fBdefault_destination_recipient_limit (50)\fR"
270 /*	The default maximal number of recipients per message delivery.
271 /* .IP "\fBtransport_destination_recipient_limit ($default_destination_recipient_limit)\fR"
272 /*	A transport-specific override for the
273 /*	default_destination_recipient_limit parameter value, where
274 /*	\fItransport\fR is the master.cf name of the message delivery
275 /*	transport.
276 /* MESSAGE SCHEDULING CONTROLS
277 /* .ad
278 /* .fi
279 /* .IP "\fBdefault_delivery_slot_cost (5)\fR"
280 /*	How often the Postfix queue manager's scheduler is allowed to
281 /*	preempt delivery of one message with another.
282 /* .IP "\fBtransport_delivery_slot_cost ($default_delivery_slot_cost)\fR"
283 /*	A transport-specific override for the default_delivery_slot_cost
284 /*	parameter value, where \fItransport\fR is the master.cf name of
285 /*	the message delivery transport.
286 /* .IP "\fBdefault_minimum_delivery_slots (3)\fR"
287 /*	How many recipients a message must have in order to invoke the
288 /*	Postfix queue manager's scheduling algorithm at all.
289 /* .IP "\fBtransport_minimum_delivery_slots ($default_minimum_delivery_slots)\fR"
290 /*	A transport-specific override for the default_minimum_delivery_slots
291 /*	parameter value, where \fItransport\fR is the master.cf name of
292 /*	the message delivery transport.
293 /* .IP "\fBdefault_delivery_slot_discount (50)\fR"
294 /*	The default value for transport-specific _delivery_slot_discount
295 /*	settings.
296 /* .IP "\fBtransport_delivery_slot_discount ($default_delivery_slot_discount)\fR"
297 /*	A transport-specific override for the default_delivery_slot_discount
298 /*	parameter value, where \fItransport\fR is the master.cf name of
299 /*	the message delivery transport.
300 /* .IP "\fBdefault_delivery_slot_loan (3)\fR"
301 /*	The default value for transport-specific _delivery_slot_loan
302 /*	settings.
303 /* .IP "\fBtransport_delivery_slot_loan ($default_delivery_slot_loan)\fR"
304 /*	A transport-specific override for the default_delivery_slot_loan
305 /*	parameter value, where \fItransport\fR is the master.cf name of
306 /*	the message delivery transport.
307 /* OTHER RESOURCE AND RATE CONTROLS
308 /* .ad
309 /* .fi
310 /* .IP "\fBminimal_backoff_time (300s)\fR"
311 /*	The minimal time between attempts to deliver a deferred message;
312 /*	prior to Postfix 2.4 the default value was 1000s.
313 /* .IP "\fBmaximal_backoff_time (4000s)\fR"
314 /*	The maximal time between attempts to deliver a deferred message.
315 /* .IP "\fBmaximal_queue_lifetime (5d)\fR"
316 /*	Consider a message as undeliverable, when delivery fails with a
317 /*	temporary error, and the time in the queue has reached the
318 /*	maximal_queue_lifetime limit.
319 /* .IP "\fBqueue_run_delay (300s)\fR"
320 /*	The time between deferred queue scans by the queue manager;
321 /*	prior to Postfix 2.4 the default value was 1000s.
322 /* .IP "\fBtransport_retry_time (60s)\fR"
323 /*	The time between attempts by the Postfix queue manager to contact
324 /*	a malfunctioning message delivery transport.
325 /* .PP
326 /*	Available in Postfix version 2.1 and later:
327 /* .IP "\fBbounce_queue_lifetime (5d)\fR"
328 /*	Consider a bounce message as undeliverable, when delivery fails
329 /*	with a temporary error, and the time in the queue has reached the
330 /*	bounce_queue_lifetime limit.
331 /* .PP
332 /*	Available in Postfix version 2.5 and later:
333 /* .IP "\fBdefault_destination_rate_delay (0s)\fR"
334 /*	The default amount of delay that is inserted between individual
335 /*	message deliveries to the same destination and over the same message
336 /*	delivery transport.
337 /* .IP "\fBtransport_destination_rate_delay ($default_destination_rate_delay)\fR"
338 /*	A transport-specific override for the default_destination_rate_delay
339 /*	parameter value, where \fItransport\fR is the master.cf name of
340 /*	the message delivery transport.
341 /* .PP
342 /*	Available in Postfix version 3.1 and later:
343 /* .IP "\fBdefault_transport_rate_delay (0s)\fR"
344 /*	The default amount of delay that is inserted between individual
345 /*	message deliveries over the same message delivery transport,
346 /*	regardless of destination.
347 /* .IP "\fBtransport_transport_rate_delay ($default_transport_rate_delay)\fR"
348 /*	A transport-specific override for the default_transport_rate_delay
349 /*	parameter value, where the initial \fItransport\fR in the parameter
350 /*	name is the master.cf name of the message delivery transport.
351 /* SAFETY CONTROLS
352 /* .ad
353 /* .fi
354 /* .IP "\fBqmgr_daemon_timeout (1000s)\fR"
355 /*	How much time a Postfix queue manager process may take to handle
356 /*	a request before it is terminated by a built-in watchdog timer.
357 /* .IP "\fBqmgr_ipc_timeout (60s)\fR"
358 /*	The time limit for the queue manager to send or receive information
359 /*	over an internal communication channel.
360 /* .PP
361 /*	Available in Postfix version 3.1 and later:
362 /* .IP "\fBaddress_verify_pending_request_limit (see 'postconf -d' output)\fR"
363 /*	A safety limit that prevents address verification requests from
364 /*	overwhelming the Postfix queue.
365 /* MISCELLANEOUS CONTROLS
366 /* .ad
367 /* .fi
368 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
369 /*	The default location of the Postfix main.cf and master.cf
370 /*	configuration files.
371 /* .IP "\fBdefer_transports (empty)\fR"
372 /*	The names of message delivery transports that should not deliver mail
373 /*	unless someone issues "\fBsendmail -q\fR" or equivalent.
374 /* .IP "\fBdelay_logging_resolution_limit (2)\fR"
375 /*	The maximal number of digits after the decimal point when logging
376 /*	sub-second delay values.
377 /* .IP "\fBhelpful_warnings (yes)\fR"
378 /*	Log warnings about problematic configuration settings, and provide
379 /*	helpful suggestions.
380 /* .IP "\fBprocess_id (read-only)\fR"
381 /*	The process ID of a Postfix command or daemon process.
382 /* .IP "\fBprocess_name (read-only)\fR"
383 /*	The process name of a Postfix command or daemon process.
384 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
385 /*	The location of the Postfix top-level queue directory.
386 /* .IP "\fBsyslog_facility (mail)\fR"
387 /*	The syslog facility of Postfix logging.
388 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
389 /*	A prefix that is prepended to the process name in syslog
390 /*	records, so that, for example, "smtpd" becomes "prefix/smtpd".
391 /* .PP
392 /*	Available in Postfix version 3.0 and later:
393 /* .IP "\fBconfirm_delay_cleared (no)\fR"
394 /*	After sending a "your message is delayed" notification, inform
395 /*	the sender when the delay clears up.
396 /* .PP
397 /*	Available in Postfix 3.3 and later:
398 /* .IP "\fBservice_name (read-only)\fR"
399 /*	The master.cf service name of a Postfix daemon process.
400 /* .PP
401 /*	Available in Postfix 3.5 and later:
402 /* .IP "\fBinfo_log_address_format (external)\fR"
403 /*	The email address form that will be used in non-debug logging
404 /*	(info, warning, etc.).
405 /* FILES
406 /*	/var/spool/postfix/incoming, incoming queue
407 /*	/var/spool/postfix/active, active queue
408 /*	/var/spool/postfix/deferred, deferred queue
409 /*	/var/spool/postfix/bounce, non-delivery status
410 /*	/var/spool/postfix/defer, non-delivery status
411 /*	/var/spool/postfix/trace, delivery status
412 /* SEE ALSO
413 /*	trivial-rewrite(8), address routing
414 /*	bounce(8), delivery status reports
415 /*	postconf(5), configuration parameters
416 /*	master(5), generic daemon options
417 /*	master(8), process manager
418 /*	postlogd(8), Postfix logging
419 /*	syslogd(8), system logging
420 /* README FILES
421 /* .ad
422 /* .fi
423 /*	Use "\fBpostconf readme_directory\fR" or
424 /*	"\fBpostconf html_directory\fR" to locate this information.
425 /* .na
426 /* .nf
427 /*	SCHEDULER_README, scheduling algorithm
428 /*	QSHAPE_README, Postfix queue analysis
429 /* LICENSE
430 /* .ad
431 /* .fi
432 /*	The Secure Mailer license must be distributed with this software.
433 /* AUTHOR(S)
434 /*	Wietse Venema
435 /*	IBM T.J. Watson Research
436 /*	P.O. Box 704
437 /*	Yorktown Heights, NY 10598, USA
438 /*
439 /*	Preemptive scheduler enhancements:
440 /*	Patrik Rak
441 /*	Modra 6
442 /*	155 00, Prague, Czech Republic
443 /*
444 /*	Wietse Venema
445 /*	Google, Inc.
446 /*	111 8th Avenue
447 /*	New York, NY 10011, USA
448 /*--*/
449 
450 /* System library. */
451 
452 #include <sys_defs.h>
453 #include <stdlib.h>
454 #include <unistd.h>
455 #include <ctype.h>
456 
457 /* Utility library. */
458 
459 #include <msg.h>
460 #include <events.h>
461 #include <vstream.h>
462 #include <dict.h>
463 
464 /* Global library. */
465 
466 #include <mail_queue.h>
467 #include <recipient_list.h>
468 #include <mail_conf.h>
469 #include <mail_params.h>
470 #include <mail_version.h>
471 #include <mail_proto.h>			/* QMGR_SCAN constants */
472 #include <mail_flow.h>
473 #include <flush_clnt.h>
474 
475 /* Master process interface */
476 
477 #include <master_proto.h>
478 #include <mail_server.h>
479 
480 /* Application-specific. */
481 
482 #include "qmgr.h"
483 
484  /*
485   * Tunables.
486   */
487 int     var_queue_run_delay;
488 int     var_min_backoff_time;
489 int     var_max_backoff_time;
490 int     var_max_queue_time;
491 int     var_dsn_queue_time;
492 int     var_qmgr_active_limit;
493 int     var_qmgr_rcpt_limit;
494 int     var_qmgr_msg_rcpt_limit;
495 int     var_xport_rcpt_limit;
496 int     var_stack_rcpt_limit;
497 int     var_xport_refill_limit;
498 int     var_xport_refill_delay;
499 int     var_delivery_slot_cost;
500 int     var_delivery_slot_loan;
501 int     var_delivery_slot_discount;
502 int     var_min_delivery_slots;
503 int     var_init_dest_concurrency;
504 int     var_transport_retry_time;
505 int     var_dest_con_limit;
506 int     var_dest_rcpt_limit;
507 char   *var_defer_xports;
508 int     var_local_con_lim;
509 int     var_local_rcpt_lim;
510 bool    var_verp_bounce_off;
511 int     var_qmgr_clog_warn_time;
512 char   *var_conc_pos_feedback;
513 char   *var_conc_neg_feedback;
514 int     var_conc_cohort_limit;
515 int     var_conc_feedback_debug;
516 int     var_xport_rate_delay;
517 int     var_dest_rate_delay;
518 char   *var_def_filter_nexthop;
519 int     var_qmgr_daemon_timeout;
520 int     var_qmgr_ipc_timeout;
521 int     var_dsn_delay_cleared;
522 int     var_vrfy_pend_limit;
523 
524 static QMGR_SCAN *qmgr_scans[2];
525 
526 #define QMGR_SCAN_IDX_INCOMING 0
527 #define QMGR_SCAN_IDX_DEFERRED 1
528 #define QMGR_SCAN_IDX_COUNT (sizeof(qmgr_scans) / sizeof(qmgr_scans[0]))
529 
530 /* qmgr_deferred_run_event - queue manager heartbeat */
531 
static void qmgr_deferred_run_event(int unused_event, void *dummy)
{
    QMGR_SCAN *deferred_scan = qmgr_scans[QMGR_SCAN_IDX_DEFERRED];

    /*
     * Timer callback: request another deferred queue scan, then re-arm the
     * timer with var_queue_run_delay so that this routine keeps firing for
     * the lifetime of the process. The context pointer is handed back to
     * the timer unchanged; the first call, from qmgr_post_init(), passes a
     * null pointer.
     */
    qmgr_scan_request(deferred_scan, QMGR_SCAN_START);
    event_request_timer(qmgr_deferred_run_event, dummy, var_queue_run_delay);
}
542 
543 /* qmgr_trigger_event - respond to external trigger(s) */
544 
static void qmgr_trigger_event(char *buf, ssize_t len,
			               char *unused_service, char **argv)
{
    int     incoming_req = 0;
    int     deferred_req = 0;
    ssize_t pos;

    /*
     * This service takes no command-line arguments in master.cf; anything
     * else is a configuration error and is fatal.
     */
    if (argv[0])
	msg_fatal("unexpected command-line argument: %s", argv[0]);

    /*
     * The trigger buffer holds one-byte requests that may come from
     * untrusted local users (see the SECURITY section above). Fold all of
     * them into two request masks, one per scan, so that identical requests
     * collapse and modifiers (flush dead, scan all) are applied together
     * with the scan they affect regardless of arrival order. Unknown bytes
     * are ignored; when logging a byte, only alphanumerics are echoed as a
     * character, everything else is printed as '?'.
     */
#define QMGR_FLUSH_BEFORE	(QMGR_FLUSH_ONCE | QMGR_FLUSH_DFXP)

    for (pos = 0; pos < len; pos++) {
	int     request = buf[pos];

	if (msg_verbose)
	    msg_info("request: %d (%c)",
		     buf[pos], ISALNUM(buf[pos]) ? buf[pos] : '?');
	if (request == TRIGGER_REQ_WAKEUP || request == QMGR_REQ_SCAN_INCOMING) {
	    incoming_req |= QMGR_SCAN_START;
	} else if (request == QMGR_REQ_SCAN_DEFERRED) {
	    deferred_req |= QMGR_SCAN_START;
	} else if (request == QMGR_REQ_FLUSH_DEAD) {
	    incoming_req |= QMGR_FLUSH_BEFORE;
	    deferred_req |= QMGR_FLUSH_BEFORE;
	} else if (request == QMGR_REQ_SCAN_ALL) {
	    incoming_req |= QMGR_SCAN_ALL;
	    deferred_req |= QMGR_SCAN_ALL;
	} else if (msg_verbose) {
	    msg_info("request ignored");
	}
    }

    /*
     * Hand each non-empty request mask to its scan at most once. Whether
     * the request takes effect now or at the next queue run is decided by
     * qmgr_scan_request().
     */
    if (incoming_req != 0)
	qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_INCOMING], incoming_req);
    if (deferred_req != 0)
	qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_DEFERRED], deferred_req);
}
603 
604 /* qmgr_loop - queue manager main loop */
605 
static int qmgr_loop(char *unused_name, char **unused_argv)
{
    char   *path;
    ssize_t token_count;
    int     feed = 0;			/* non-zero once a queue file was fed into the active queue */
    int     scan_idx;			/* Priority order scan index */
    static int first_scan_idx = QMGR_SCAN_IDX_INCOMING;	/* round-robin cursor, persists across calls */
    int     last_scan_idx = QMGR_SCAN_IDX_COUNT - 1;	/* queue visited last by the loop below */
    int     delay;

    /*
     * This routine runs as part of the event handling loop, after the event
     * manager has delivered a timer or I/O event (including the completion
     * of a connection to a delivery process), or after it has waited for a
     * specified amount of time. The result value of qmgr_loop() specifies
     * how long the event manager should wait for the next event.
     */
#define DONT_WAIT	0
#define WAIT_FOR_EVENT	(-1)

    /*
     * Attempt to drain the active queue by allocating a suitable delivery
     * process and by delivering mail via it. Delivery process allocation and
     * mail delivery are asynchronous.
     */
    qmgr_active_drain();

    /*
     * Let some new blood into the active queue when the queue size is
     * smaller than some configurable limit.
     *
     * We import one message per interrupt, to optimally tune the input count
     * for the number of delivery agent protocol wait states, as explained in
     * qmgr_transport.c.
     *
     * The loop visits each scan at most once, starting at first_scan_idx
     * and wrapping modulo QMGR_SCAN_IDX_COUNT, and stops early after the
     * first successful feed. Finding a queue file (even one that was not
     * fed) switches the return value to DONT_WAIT so the event loop comes
     * straight back here. The comparison scan_idx < QMGR_SCAN_IDX_COUNT is
     * int against size_t; scan_idx starts at 0 so the promotion is harmless.
     */
    delay = WAIT_FOR_EVENT;
    for (scan_idx = 0; qmgr_message_count < var_qmgr_active_limit
	 && scan_idx < QMGR_SCAN_IDX_COUNT; ++scan_idx) {
	last_scan_idx = (scan_idx + first_scan_idx) % QMGR_SCAN_IDX_COUNT;
	if ((path = qmgr_scan_next(qmgr_scans[last_scan_idx])) != 0) {
	    delay = DONT_WAIT;
	    if ((feed = qmgr_active_feed(qmgr_scans[last_scan_idx], path)) != 0)
		break;
	}
    }

    /*
     * Round-robin the queue scans. When the active queue becomes full,
     * prefer new mail over deferred mail.
     */
    if (qmgr_message_count < var_qmgr_active_limit) {
	first_scan_idx = (last_scan_idx + 1) % QMGR_SCAN_IDX_COUNT;
    } else if (first_scan_idx != QMGR_SCAN_IDX_INCOMING) {
	first_scan_idx = QMGR_SCAN_IDX_INCOMING;
    }

    /*
     * Global flow control. If enabled, slow down receiving processes that
     * get ahead of the queue manager, but don't block them completely.
     *
     * Token accounting as written below: if this pass fed a message from
     * the incoming queue, hand out one token; otherwise, if the incoming
     * scan is idle (handle == 0), top the count up to var_proc_limit; if
     * the count is already above var_proc_limit, take the excess back. The
     * meaning of a token and its consumers live in mail_flow.c, not here.
     */
    if (var_in_flow_delay > 0) {
	token_count = mail_flow_count();
	if (token_count < var_proc_limit) {
	    if (feed != 0 && last_scan_idx == QMGR_SCAN_IDX_INCOMING)
		mail_flow_put(1);
	    else if (qmgr_scans[QMGR_SCAN_IDX_INCOMING]->handle == 0)
		mail_flow_put(var_proc_limit - token_count);
	} else if (token_count > var_proc_limit) {
	    mail_flow_get(token_count - var_proc_limit);
	}
    }
    return (delay);
}
679 
680 /* pre_accept - see if tables have changed */
681 
static void pre_accept(char *unused_name, char **unused_argv)
{
    const char *changed_table = dict_changed_name();

    /*
     * Runs before the next request is accepted. When a lookup table that
     * this process has open was modified on disk, log which one and exit
     * normally; the log message announces a restart, which is left to the
     * master(8) process manager that started us.
     */
    if (changed_table == 0)
	return;
    msg_info("table %s has changed -- restarting", changed_table);
    exit(0);
}
691 
692 /* qmgr_pre_init - pre-jail initialization */
693 
static void qmgr_pre_init(char *unused_name, char **unused_argv)
{
    /*
     * Runs before the skeleton code enters the chroot jail (contrast
     * qmgr_post_init() below, which runs after). The only work is
     * initializing the flush client declared in flush_clnt.h; presumably it
     * needs to set up something that is not reachable once chrooted --
     * TODO confirm against flush_clnt.c.
     */
    flush_init();
}
698 
699 /* qmgr_post_init - post-jail initialization */
700 
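static void qmgr_post_init(char *name, char **unused_argv)
{

    /*
     * Backwards compatibility. The queue manager was once installed under
     * the name "nqmgr"; warn (three syslog lines) when master.cf still
     * starts it under that name. The process keeps running either way.
     * The third message used to read "the name old name", which was a typo.
     */
    if (strcmp(var_procname, "nqmgr") == 0) {
	msg_warn("please update the %s/%s file; the new queue manager",
		 var_config_dir, MASTER_CONF_FILE);
	msg_warn("(old name: nqmgr) has become the standard queue manager (new name: qmgr)");
	msg_warn("support for the old name (nqmgr) will be removed from Postfix");
    }

    /*
     * Sanity check. Inconsistent limits are corrected rather than rejected:
     * the in-memory recipient limit is raised to at least the active queue
     * message limit, and the bounce queue lifetime is capped at the maximal
     * queue lifetime. Each adjustment is logged, so the effective value
     * never silently differs from main.cf.
     */
    if (var_qmgr_rcpt_limit < var_qmgr_active_limit) {
	msg_warn("%s is smaller than %s - adjusting %s",
	      VAR_QMGR_RCPT_LIMIT, VAR_QMGR_ACT_LIMIT, VAR_QMGR_RCPT_LIMIT);
	var_qmgr_rcpt_limit = var_qmgr_active_limit;
    }
    if (var_dsn_queue_time > var_max_queue_time) {
	msg_warn("%s is larger than %s - adjusting %s",
		 VAR_DSN_QUEUE_TIME, VAR_MAX_QUEUE_TIME, VAR_DSN_QUEUE_TIME);
	var_dsn_queue_time = var_max_queue_time;
    }

    /*
     * This routine runs after the skeleton code has entered the chroot jail.
     * Prevent automatic process suicide after a limited number of client
     * requests or after a limited amount of idle time. Move any left-over
     * entries from the active queue to the incoming queue, and give them a
     * time stamp into the future, in order to allow ongoing deliveries to
     * finish first. Start scanning the incoming and deferred queues.
     * Left-over active queue entries are moved to the incoming queue because
     * the incoming queue has priority; moving left-overs to the deferred
     * queue could cause anomalous delays when "postfix reload/start" are
     * issued often. Override the IPC timeout (default 3600s) so that the
     * queue manager can reset a broken IPC channel before the watchdog timer
     * goes off.
     *
     * Order matters: the scan slots must exist before qmgr_scan_request()
     * and qmgr_deferred_run_event() dereference them, and the first
     * heartbeat call below is what arms the recurring deferred-scan timer.
     */
    var_ipc_timeout = var_qmgr_ipc_timeout;
    var_use_limit = 0;
    var_idle_limit = 0;
    qmgr_move(MAIL_QUEUE_ACTIVE, MAIL_QUEUE_INCOMING, event_time());
    qmgr_scans[QMGR_SCAN_IDX_INCOMING] = qmgr_scan_create(MAIL_QUEUE_INCOMING);
    qmgr_scans[QMGR_SCAN_IDX_DEFERRED] = qmgr_scan_create(MAIL_QUEUE_DEFERRED);
    qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_INCOMING], QMGR_SCAN_START);
    qmgr_deferred_run_event(0, (void *) 0);
}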
751 
/*
 * Storage for the version stamp; main() pairs this with
 * MAIL_VERSION_STAMP_ALLOCATE to fingerprint executables and core dumps.
 */
MAIL_VERSION_STAMP_DECLARE;
753 
/* main - the main program */

int     main(int argc, char **argv)
{

    /*
     * Configuration parameters, one table per parameter type, in the order
     * in which they are handed to the server skeleton below. Each table
     * ends with a null entry. The two trailing numbers of an int or time
     * entry are the lower and upper bound (0 = no bound).
     */
    static const CONFIG_INT_TABLE int_table[] = {
	{VAR_QMGR_ACT_LIMIT, DEF_QMGR_ACT_LIMIT, &var_qmgr_active_limit, 1, 0},
	{VAR_QMGR_RCPT_LIMIT, DEF_QMGR_RCPT_LIMIT, &var_qmgr_rcpt_limit, 1, 0},
	{VAR_QMGR_MSG_RCPT_LIMIT, DEF_QMGR_MSG_RCPT_LIMIT, &var_qmgr_msg_rcpt_limit, 1, 0},
	{VAR_XPORT_RCPT_LIMIT, DEF_XPORT_RCPT_LIMIT, &var_xport_rcpt_limit, 0, 0},
	{VAR_STACK_RCPT_LIMIT, DEF_STACK_RCPT_LIMIT, &var_stack_rcpt_limit, 0, 0},
	{VAR_XPORT_REFILL_LIMIT, DEF_XPORT_REFILL_LIMIT, &var_xport_refill_limit, 1, 0},
	{VAR_DELIVERY_SLOT_COST, DEF_DELIVERY_SLOT_COST, &var_delivery_slot_cost, 0, 0},
	{VAR_DELIVERY_SLOT_LOAN, DEF_DELIVERY_SLOT_LOAN, &var_delivery_slot_loan, 0, 0},
	{VAR_DELIVERY_SLOT_DISCOUNT, DEF_DELIVERY_SLOT_DISCOUNT, &var_delivery_slot_discount, 0, 100},
	{VAR_MIN_DELIVERY_SLOTS, DEF_MIN_DELIVERY_SLOTS, &var_min_delivery_slots, 0, 0},
	{VAR_INIT_DEST_CON, DEF_INIT_DEST_CON, &var_init_dest_concurrency, 1, 0},
	{VAR_DEST_CON_LIMIT, DEF_DEST_CON_LIMIT, &var_dest_con_limit, 0, 0},
	{VAR_DEST_RCPT_LIMIT, DEF_DEST_RCPT_LIMIT, &var_dest_rcpt_limit, 0, 0},
	{VAR_LOCAL_RCPT_LIMIT, DEF_LOCAL_RCPT_LIMIT, &var_local_rcpt_lim, 0, 0},
	{VAR_LOCAL_CON_LIMIT, DEF_LOCAL_CON_LIMIT, &var_local_con_lim, 0, 0},
	{VAR_CONC_COHORT_LIM, DEF_CONC_COHORT_LIM, &var_conc_cohort_limit, 0, 0},
	{VAR_VRFY_PEND_LIMIT, DEF_VRFY_PEND_LIMIT, &var_vrfy_pend_limit, 1, 0},
	{0},
    };
    static const CONFIG_STR_TABLE str_table[] = {
	{VAR_DEFER_XPORTS, DEF_DEFER_XPORTS, &var_defer_xports, 0, 0},
	{VAR_CONC_POS_FDBACK, DEF_CONC_POS_FDBACK, &var_conc_pos_feedback, 1, 0},
	{VAR_CONC_NEG_FDBACK, DEF_CONC_NEG_FDBACK, &var_conc_neg_feedback, 1, 0},
	{VAR_DEF_FILTER_NEXTHOP, DEF_DEF_FILTER_NEXTHOP, &var_def_filter_nexthop, 0, 0},
	{0},
    };
    static const CONFIG_BOOL_TABLE bool_table[] = {
	{VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off},
	{VAR_CONC_FDBACK_DEBUG, DEF_CONC_FDBACK_DEBUG, &var_conc_feedback_debug},
	{VAR_DSN_DELAY_CLEARED, DEF_DSN_DELAY_CLEARED, &var_dsn_delay_cleared},
	{0},
    };
    static const CONFIG_TIME_TABLE time_table[] = {
	{VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0},
	{VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0},
	{VAR_MAX_BACKOFF_TIME, DEF_MAX_BACKOFF_TIME, &var_max_backoff_time, 1, 0},
	{VAR_MAX_QUEUE_TIME, DEF_MAX_QUEUE_TIME, &var_max_queue_time, 0, 8640000},
	{VAR_DSN_QUEUE_TIME, DEF_DSN_QUEUE_TIME, &var_dsn_queue_time, 0, 8640000},
	{VAR_XPORT_RETRY_TIME, DEF_XPORT_RETRY_TIME, &var_transport_retry_time, 1, 0},
	{VAR_QMGR_CLOG_WARN_TIME, DEF_QMGR_CLOG_WARN_TIME, &var_qmgr_clog_warn_time, 0, 0},
	{VAR_XPORT_REFILL_DELAY, DEF_XPORT_REFILL_DELAY, &var_xport_refill_delay, 1, 0},
	{VAR_XPORT_RATE_DELAY, DEF_XPORT_RATE_DELAY, &var_xport_rate_delay, 0, 0},
	{VAR_DEST_RATE_DELAY, DEF_DEST_RATE_DELAY, &var_dest_rate_delay, 0, 0},
	{VAR_QMGR_DAEMON_TIMEOUT, DEF_QMGR_DAEMON_TIMEOUT, &var_qmgr_daemon_timeout, 1, 0},
	{VAR_QMGR_IPC_TIMEOUT, DEF_QMGR_IPC_TIMEOUT, &var_qmgr_ipc_timeout, 1, 0},
	{0},
    };

    /*
     * Fingerprint executables and core dumps.
     */
    MAIL_VERSION_STAMP_ALLOCATE;

    /*
     * Hand control to the trigger service skeleton: no-one else should be
     * monitoring our service port while this process runs, and we do not
     * talk back to the client. The skeleton reads the tables above, calls
     * qmgr_pre_init() before and qmgr_post_init() after entering the jail,
     * runs qmgr_loop() between events, and is supervised by a watchdog
     * whose period is the (run-time) value of var_qmgr_daemon_timeout.
     */
    trigger_server_main(argc, argv, qmgr_trigger_event,
			CA_MAIL_SERVER_INT_TABLE(int_table),
			CA_MAIL_SERVER_STR_TABLE(str_table),
			CA_MAIL_SERVER_BOOL_TABLE(bool_table),
			CA_MAIL_SERVER_TIME_TABLE(time_table),
			CA_MAIL_SERVER_PRE_INIT(qmgr_pre_init),
			CA_MAIL_SERVER_POST_INIT(qmgr_post_init),
			CA_MAIL_SERVER_LOOP(qmgr_loop),
			CA_MAIL_SERVER_PRE_ACCEPT(pre_accept),
			CA_MAIL_SERVER_SOLITARY,
			CA_MAIL_SERVER_WATCHDOG(&var_qmgr_daemon_timeout),
			0);
}
830