1 /* $NetBSD: qmgr.c,v 1.3 2020/03/18 19:05:17 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* qmgr 8 6 /* SUMMARY 7 /* old Postfix queue manager 8 /* SYNOPSIS 9 /* \fBqmgr\fR [generic Postfix daemon options] 10 /* DESCRIPTION 11 /* The \fBqmgr\fR(8) daemon awaits the arrival of incoming mail 12 /* and arranges for its delivery via Postfix delivery processes. 13 /* The actual mail routing strategy is delegated to the 14 /* \fBtrivial-rewrite\fR(8) daemon. 15 /* This program expects to be run from the \fBmaster\fR(8) process 16 /* manager. 17 /* 18 /* Mail addressed to the local \fBdouble-bounce\fR address is 19 /* logged and discarded. This stops potential loops caused by 20 /* undeliverable bounce notifications. 21 /* MAIL QUEUES 22 /* .ad 23 /* .fi 24 /* The \fBqmgr\fR(8) daemon maintains the following queues: 25 /* .IP \fBincoming\fR 26 /* Inbound mail from the network, or mail picked up by the 27 /* local \fBpickup\fR(8) agent from the \fBmaildrop\fR directory. 28 /* .IP \fBactive\fR 29 /* Messages that the queue manager has opened for delivery. Only 30 /* a limited number of messages is allowed to enter the \fBactive\fR 31 /* queue (leaky bucket strategy, for a fixed delivery rate). 32 /* .IP \fBdeferred\fR 33 /* Mail that could not be delivered upon the first attempt. The queue 34 /* manager implements exponential backoff by doubling the time between 35 /* delivery attempts. 36 /* .IP \fBcorrupt\fR 37 /* Unreadable or damaged queue files are moved here for inspection. 38 /* .IP \fBhold\fR 39 /* Messages that are kept "on hold" are kept here until someone 40 /* sets them free. 41 /* DELIVERY STATUS REPORTS 42 /* .ad 43 /* .fi 44 /* The \fBqmgr\fR(8) daemon keeps an eye on per-message delivery status 45 /* reports in the following directories. Each status report file has 46 /* the same name as the corresponding message file: 47 /* .IP \fBbounce\fR 48 /* Per-recipient status information about why mail is bounced. 49 /* These files are maintained by the \fBbounce\fR(8) daemon. 50 /* .IP \fBdefer\fR 51 /* Per-recipient status information about why mail is delayed. 52 /* These files are maintained by the \fBdefer\fR(8) daemon. 53 /* .IP \fBtrace\fR 54 /* Per-recipient status information as requested with the 55 /* Postfix "\fBsendmail -v\fR" or "\fBsendmail -bv\fR" command. 56 /* These files are maintained by the \fBtrace\fR(8) daemon. 57 /* .PP 58 /* The \fBqmgr\fR(8) daemon is responsible for asking the 59 /* \fBbounce\fR(8), \fBdefer\fR(8) or \fBtrace\fR(8) daemons to 60 /* send delivery reports. 61 /* STRATEGIES 62 /* .ad 63 /* .fi 64 /* The queue manager implements a variety of strategies for 65 /* either opening queue files (input) or for message delivery (output). 66 /* .IP "\fBleaky bucket\fR" 67 /* This strategy limits the number of messages in the \fBactive\fR queue 68 /* and prevents the queue manager from running out of memory under 69 /* heavy load. 70 /* .IP \fBfairness\fR 71 /* When the \fBactive\fR queue has room, the queue manager takes one 72 /* message from the \fBincoming\fR queue and one from the \fBdeferred\fR 73 /* queue. This prevents a large mail backlog from blocking the delivery 74 /* of new mail. 75 /* .IP "\fBslow start\fR" 76 /* This strategy eliminates "thundering herd" problems by slowly 77 /* adjusting the number of parallel deliveries to the same destination. 78 /* .IP "\fBround robin\fR" 79 /* The queue manager sorts delivery requests by destination. 80 /* Round-robin selection prevents one destination from dominating 81 /* deliveries to other destinations. 82 /* .IP "\fBexponential backoff\fR" 83 /* Mail that cannot be delivered upon the first attempt is deferred. 84 /* The time interval between delivery attempts is doubled after each 85 /* attempt. 86 /* .IP "\fBdestination status cache\fR" 87 /* The queue manager avoids unnecessary delivery attempts by 88 /* maintaining a short-term, in-memory list of unreachable destinations. 89 /* TRIGGERS 90 /* .ad 91 /* .fi 92 /* On an idle system, the queue manager waits for the arrival of 93 /* trigger events, or it waits for a timer to go off. A trigger 94 /* is a one-byte message. 95 /* Depending on the message received, the queue manager performs 96 /* one of the following actions (the message is followed by the 97 /* symbolic constant used internally by the software): 98 /* .IP "\fBD (QMGR_REQ_SCAN_DEFERRED)\fR" 99 /* Start a deferred queue scan. If a deferred queue scan is already 100 /* in progress, that scan will be restarted as soon as it finishes. 101 /* .IP "\fBI (QMGR_REQ_SCAN_INCOMING)\fR" 102 /* Start an incoming queue scan. If an incoming queue scan is already 103 /* in progress, that scan will be restarted as soon as it finishes. 104 /* .IP "\fBA (QMGR_REQ_SCAN_ALL)\fR" 105 /* Ignore deferred queue file time stamps. The request affects 106 /* the next deferred queue scan. 107 /* .IP "\fBF (QMGR_REQ_FLUSH_DEAD)\fR" 108 /* Purge all information about dead transports and destinations. 109 /* .IP "\fBW (TRIGGER_REQ_WAKEUP)\fR" 110 /* Wakeup call, This is used by the master server to instantiate 111 /* servers that should not go away forever. The action is to start 112 /* an incoming queue scan. 113 /* .PP 114 /* The \fBqmgr\fR(8) daemon reads an entire buffer worth of triggers. 115 /* Multiple identical trigger requests are collapsed into one, and 116 /* trigger requests are sorted so that \fBA\fR and \fBF\fR precede 117 /* \fBD\fR and \fBI\fR. Thus, in order to force a deferred queue run, 118 /* one would request \fBA F D\fR; in order to notify the queue manager 119 /* of the arrival of new mail one would request \fBI\fR. 120 /* STANDARDS 121 /* RFC 3463 (Enhanced status codes) 122 /* RFC 3464 (Delivery status notifications) 123 /* SECURITY 124 /* .ad 125 /* .fi 126 /* The \fBqmgr\fR(8) daemon is not security sensitive. It reads 127 /* single-character messages from untrusted local users, and thus may 128 /* be susceptible to denial of service attacks. The \fBqmgr\fR(8) daemon 129 /* does not talk to the outside world, and it can be run at fixed low 130 /* privilege in a chrooted environment. 131 /* DIAGNOSTICS 132 /* Problems and transactions are logged to the \fBsyslogd\fR(8) 133 /* or \fBpostlogd\fR(8) daemon. 134 /* Corrupted message files are saved to the \fBcorrupt\fR queue 135 /* for further inspection. 136 /* 137 /* Depending on the setting of the \fBnotify_classes\fR parameter, 138 /* the postmaster is notified of bounces and of other trouble. 139 /* BUGS 140 /* A single queue manager process has to compete for disk access with 141 /* multiple front-end processes such as \fBcleanup\fR(8). A sudden burst of 142 /* inbound mail can negatively impact outbound delivery rates. 143 /* CONFIGURATION PARAMETERS 144 /* .ad 145 /* .fi 146 /* Changes to \fBmain.cf\fR are not picked up automatically, 147 /* as \fBqmgr\fR(8) 148 /* is a persistent process. Use the command "\fBpostfix reload\fR" after 149 /* a configuration change. 150 /* 151 /* The text below provides only a parameter summary. See 152 /* \fBpostconf\fR(5) for more details including examples. 153 /* 154 /* In the text below, \fItransport\fR is the first field in a 155 /* \fBmaster.cf\fR entry. 156 /* COMPATIBILITY CONTROLS 157 /* .ad 158 /* .fi 159 /* Available before Postfix version 2.5: 160 /* .IP "\fBallow_min_user (no)\fR" 161 /* Allow a sender or recipient address to have `-' as the first 162 /* character. 163 /* .PP 164 /* Available with Postfix version 2.7 and later: 165 /* .IP "\fBdefault_filter_nexthop (empty)\fR" 166 /* When a content_filter or FILTER request specifies no explicit 167 /* next-hop destination, use $default_filter_nexthop instead; when 168 /* that value is empty, use the domain in the recipient address. 169 /* ACTIVE QUEUE CONTROLS 170 /* .ad 171 /* .fi 172 /* .IP "\fBqmgr_clog_warn_time (300s)\fR" 173 /* The minimal delay between warnings that a specific destination is 174 /* clogging up the Postfix active queue. 175 /* .IP "\fBqmgr_message_active_limit (20000)\fR" 176 /* The maximal number of messages in the active queue. 177 /* .IP "\fBqmgr_message_recipient_limit (20000)\fR" 178 /* The maximal number of recipients held in memory by the Postfix 179 /* queue manager, and the maximal size of the short-term, 180 /* in-memory "dead" destination status cache. 181 /* DELIVERY CONCURRENCY CONTROLS 182 /* .ad 183 /* .fi 184 /* .IP "\fBqmgr_fudge_factor (100)\fR" 185 /* Obsolete feature: the percentage of delivery resources that a busy 186 /* mail system will use up for delivery of a large mailing list 187 /* message. 188 /* .IP "\fBinitial_destination_concurrency (5)\fR" 189 /* The initial per-destination concurrency level for parallel delivery 190 /* to the same destination. 191 /* .IP "\fBdefault_destination_concurrency_limit (20)\fR" 192 /* The default maximal number of parallel deliveries to the same 193 /* destination. 194 /* .IP "\fBtransport_destination_concurrency_limit ($default_destination_concurrency_limit)\fR" 195 /* A transport-specific override for the 196 /* default_destination_concurrency_limit parameter value, where 197 /* \fItransport\fR is the master.cf name of the message delivery 198 /* transport. 199 /* .PP 200 /* Available in Postfix version 2.5 and later: 201 /* .IP "\fBtransport_initial_destination_concurrency ($initial_destination_concurrency)\fR" 202 /* A transport-specific override for the initial_destination_concurrency 203 /* parameter value, where \fItransport\fR is the master.cf name of 204 /* the message delivery transport. 205 /* .IP "\fBdefault_destination_concurrency_failed_cohort_limit (1)\fR" 206 /* How many pseudo-cohorts must suffer connection or handshake 207 /* failure before a specific destination is considered unavailable 208 /* (and further delivery is suspended). 209 /* .IP "\fBtransport_destination_concurrency_failed_cohort_limit ($default_destination_concurrency_failed_cohort_limit)\fR" 210 /* A transport-specific override for the 211 /* default_destination_concurrency_failed_cohort_limit parameter value, 212 /* where \fItransport\fR is the master.cf name of the message delivery 213 /* transport. 214 /* .IP "\fBdefault_destination_concurrency_negative_feedback (1)\fR" 215 /* The per-destination amount of delivery concurrency negative 216 /* feedback, after a delivery completes with a connection or handshake 217 /* failure. 218 /* .IP "\fBtransport_destination_concurrency_negative_feedback ($default_destination_concurrency_negative_feedback)\fR" 219 /* A transport-specific override for the 220 /* default_destination_concurrency_negative_feedback parameter value, 221 /* where \fItransport\fR is the master.cf name of the message delivery 222 /* transport. 223 /* .IP "\fBdefault_destination_concurrency_positive_feedback (1)\fR" 224 /* The per-destination amount of delivery concurrency positive 225 /* feedback, after a delivery completes without connection or handshake 226 /* failure. 227 /* .IP "\fBtransport_destination_concurrency_positive_feedback ($default_destination_concurrency_positive_feedback)\fR" 228 /* A transport-specific override for the 229 /* default_destination_concurrency_positive_feedback parameter value, 230 /* where \fItransport\fR is the master.cf name of the message delivery 231 /* transport. 232 /* .IP "\fBdestination_concurrency_feedback_debug (no)\fR" 233 /* Make the queue manager's feedback algorithm verbose for performance 234 /* analysis purposes. 235 /* RECIPIENT SCHEDULING CONTROLS 236 /* .ad 237 /* .fi 238 /* .IP "\fBdefault_destination_recipient_limit (50)\fR" 239 /* The default maximal number of recipients per message delivery. 240 /* .IP "\fBtransport_destination_recipient_limit ($default_destination_recipient_limit)\fR" 241 /* A transport-specific override for the 242 /* default_destination_recipient_limit parameter value, where 243 /* \fItransport\fR is the master.cf name of the message delivery 244 /* transport. 245 /* OTHER RESOURCE AND RATE CONTROLS 246 /* .ad 247 /* .fi 248 /* .IP "\fBminimal_backoff_time (300s)\fR" 249 /* The minimal time between attempts to deliver a deferred message; 250 /* prior to Postfix 2.4 the default value was 1000s. 251 /* .IP "\fBmaximal_backoff_time (4000s)\fR" 252 /* The maximal time between attempts to deliver a deferred message. 253 /* .IP "\fBmaximal_queue_lifetime (5d)\fR" 254 /* Consider a message as undeliverable, when delivery fails with a 255 /* temporary error, and the time in the queue has reached the 256 /* maximal_queue_lifetime limit. 257 /* .IP "\fBqueue_run_delay (300s)\fR" 258 /* The time between deferred queue scans by the queue manager; 259 /* prior to Postfix 2.4 the default value was 1000s. 260 /* .IP "\fBtransport_retry_time (60s)\fR" 261 /* The time between attempts by the Postfix queue manager to contact 262 /* a malfunctioning message delivery transport. 263 /* .PP 264 /* Available in Postfix version 2.1 and later: 265 /* .IP "\fBbounce_queue_lifetime (5d)\fR" 266 /* Consider a bounce message as undeliverable, when delivery fails 267 /* with a temporary error, and the time in the queue has reached the 268 /* bounce_queue_lifetime limit. 269 /* .PP 270 /* Available in Postfix version 2.5 and later: 271 /* .IP "\fBdefault_destination_rate_delay (0s)\fR" 272 /* The default amount of delay that is inserted between individual 273 /* message deliveries to the same destination and over the same message 274 /* delivery transport. 275 /* .IP "\fBtransport_destination_rate_delay ($default_destination_rate_delay)\fR" 276 /* A transport-specific override for the default_destination_rate_delay 277 /* parameter value, where \fItransport\fR is the master.cf name of 278 /* the message delivery transport. 279 /* .PP 280 /* Available in Postfix version 3.1 and later: 281 /* .IP "\fBdefault_transport_rate_delay (0s)\fR" 282 /* The default amount of delay that is inserted between individual 283 /* message deliveries over the same message delivery transport, 284 /* regardless of destination. 285 /* .IP "\fBtransport_transport_rate_delay ($default_transport_rate_delay)\fR" 286 /* A transport-specific override for the default_transport_rate_delay 287 /* parameter value, where the initial \fItransport\fR in the parameter 288 /* name is the master.cf name of the message delivery transport. 289 /* SAFETY CONTROLS 290 /* .ad 291 /* .fi 292 /* .IP "\fBqmgr_daemon_timeout (1000s)\fR" 293 /* How much time a Postfix queue manager process may take to handle 294 /* a request before it is terminated by a built-in watchdog timer. 295 /* .IP "\fBqmgr_ipc_timeout (60s)\fR" 296 /* The time limit for the queue manager to send or receive information 297 /* over an internal communication channel. 298 /* .PP 299 /* Available in Postfix version 3.1 and later: 300 /* .IP "\fBaddress_verify_pending_request_limit (see 'postconf -d' output)\fR" 301 /* A safety limit that prevents address verification requests from 302 /* overwhelming the Postfix queue. 303 /* MISCELLANEOUS CONTROLS 304 /* .ad 305 /* .fi 306 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" 307 /* The default location of the Postfix main.cf and master.cf 308 /* configuration files. 309 /* .IP "\fBdefer_transports (empty)\fR" 310 /* The names of message delivery transports that should not deliver mail 311 /* unless someone issues "\fBsendmail -q\fR" or equivalent. 312 /* .IP "\fBdelay_logging_resolution_limit (2)\fR" 313 /* The maximal number of digits after the decimal point when logging 314 /* sub-second delay values. 315 /* .IP "\fBhelpful_warnings (yes)\fR" 316 /* Log warnings about problematic configuration settings, and provide 317 /* helpful suggestions. 318 /* .IP "\fBprocess_id (read-only)\fR" 319 /* The process ID of a Postfix command or daemon process. 320 /* .IP "\fBprocess_name (read-only)\fR" 321 /* The process name of a Postfix command or daemon process. 322 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR" 323 /* The location of the Postfix top-level queue directory. 324 /* .IP "\fBsyslog_facility (mail)\fR" 325 /* The syslog facility of Postfix logging. 326 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" 327 /* A prefix that is prepended to the process name in syslog 328 /* records, so that, for example, "smtpd" becomes "prefix/smtpd". 329 /* .PP 330 /* Available in Postfix version 3.0 and later: 331 /* .IP "\fBconfirm_delay_cleared (no)\fR" 332 /* After sending a "your message is delayed" notification, inform 333 /* the sender when the delay clears up. 334 /* .PP 335 /* Available in Postfix 3.3 and later: 336 /* .IP "\fBservice_name (read-only)\fR" 337 /* The master.cf service name of a Postfix daemon process. 338 /* .PP 339 /* Available in Postfix 3.5 and later: 340 /* .IP "\fBinfo_log_address_format (external)\fR" 341 /* The email address form that will be used in non-debug logging 342 /* (info, warning, etc.). 343 /* FILES 344 /* /var/spool/postfix/incoming, incoming queue 345 /* /var/spool/postfix/active, active queue 346 /* /var/spool/postfix/deferred, deferred queue 347 /* /var/spool/postfix/bounce, non-delivery status 348 /* /var/spool/postfix/defer, non-delivery status 349 /* /var/spool/postfix/trace, delivery status 350 /* SEE ALSO 351 /* trivial-rewrite(8), address routing 352 /* bounce(8), delivery status reports 353 /* postconf(5), configuration parameters 354 /* master(5), generic daemon options 355 /* master(8), process manager 356 /* postlogd(8), Postfix logging 357 /* syslogd(8), system logging 358 /* README FILES 359 /* .ad 360 /* .fi 361 /* Use "\fBpostconf readme_directory\fR" or 362 /* "\fBpostconf html_directory\fR" to locate this information. 363 /* .na 364 /* .nf 365 /* QSHAPE_README, Postfix queue analysis 366 /* LICENSE 367 /* .ad 368 /* .fi 369 /* The Secure Mailer license must be distributed with this software. 370 /* AUTHOR(S) 371 /* Wietse Venema 372 /* IBM T.J. Watson Research 373 /* P.O. Box 704 374 /* Yorktown Heights, NY 10598, USA 375 /* 376 /* Wietse Venema 377 /* Google, Inc. 378 /* 111 8th Avenue 379 /* New York, NY 10011, USA 380 /*--*/ 381 382 /* System library. */ 383 384 #include <sys_defs.h> 385 #include <stdlib.h> 386 #include <unistd.h> 387 #include <ctype.h> 388 389 /* Utility library. */ 390 391 #include <msg.h> 392 #include <events.h> 393 #include <vstream.h> 394 #include <dict.h> 395 396 /* Global library. */ 397 398 #include <mail_queue.h> 399 #include <recipient_list.h> 400 #include <mail_conf.h> 401 #include <mail_params.h> 402 #include <mail_version.h> 403 #include <mail_proto.h> /* QMGR_SCAN constants */ 404 #include <mail_flow.h> 405 #include <flush_clnt.h> 406 407 /* Master process interface */ 408 409 #include <master_proto.h> 410 #include <mail_server.h> 411 412 /* Application-specific. */ 413 414 #include "qmgr.h" 415 416 /* 417 * Tunables. 418 */ 419 int var_queue_run_delay; 420 int var_min_backoff_time; 421 int var_max_backoff_time; 422 int var_max_queue_time; 423 int var_dsn_queue_time; 424 int var_qmgr_active_limit; 425 int var_qmgr_rcpt_limit; 426 int var_init_dest_concurrency; 427 int var_transport_retry_time; 428 int var_dest_con_limit; 429 int var_dest_rcpt_limit; 430 char *var_defer_xports; 431 int var_qmgr_fudge; 432 int var_local_rcpt_lim; /* XXX */ 433 int var_local_con_lim; /* XXX */ 434 bool var_verp_bounce_off; 435 int var_qmgr_clog_warn_time; 436 char *var_conc_pos_feedback; 437 char *var_conc_neg_feedback; 438 int var_conc_cohort_limit; 439 int var_conc_feedback_debug; 440 int var_xport_rate_delay; 441 int var_dest_rate_delay; 442 char *var_def_filter_nexthop; 443 int var_qmgr_daemon_timeout; 444 int var_qmgr_ipc_timeout; 445 int var_dsn_delay_cleared; 446 int var_vrfy_pend_limit; 447 448 static QMGR_SCAN *qmgr_scans[2]; 449 450 #define QMGR_SCAN_IDX_INCOMING 0 451 #define QMGR_SCAN_IDX_DEFERRED 1 452 #define QMGR_SCAN_IDX_COUNT (sizeof(qmgr_scans) / sizeof(qmgr_scans[0])) 453 454 /* qmgr_deferred_run_event - queue manager heartbeat */ 455 456 static void qmgr_deferred_run_event(int unused_event, void *dummy) 457 { 458 459 /* 460 * This routine runs when it is time for another deferred queue scan. 461 * Make sure this routine gets called again in the future. 462 */ 463 qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_DEFERRED], QMGR_SCAN_START); 464 event_request_timer(qmgr_deferred_run_event, dummy, var_queue_run_delay); 465 } 466 467 /* qmgr_trigger_event - respond to external trigger(s) */ 468 469 static void qmgr_trigger_event(char *buf, ssize_t len, 470 char *unused_service, char **argv) 471 { 472 int incoming_flag = 0; 473 int deferred_flag = 0; 474 int i; 475 476 /* 477 * Sanity check. This service takes no command-line arguments. 478 */ 479 if (argv[0]) 480 msg_fatal("unexpected command-line argument: %s", argv[0]); 481 482 /* 483 * Collapse identical requests that have arrived since we looked last 484 * time. There is no client feedback so there is no need to process each 485 * request in order. And as long as we don't have conflicting requests we 486 * are free to sort them into the most suitable order. 487 */ 488 #define QMGR_FLUSH_BEFORE (QMGR_FLUSH_ONCE | QMGR_FLUSH_DFXP) 489 490 for (i = 0; i < len; i++) { 491 if (msg_verbose) 492 msg_info("request: %d (%c)", 493 buf[i], ISALNUM(buf[i]) ? buf[i] : '?'); 494 switch (buf[i]) { 495 case TRIGGER_REQ_WAKEUP: 496 case QMGR_REQ_SCAN_INCOMING: 497 incoming_flag |= QMGR_SCAN_START; 498 break; 499 case QMGR_REQ_SCAN_DEFERRED: 500 deferred_flag |= QMGR_SCAN_START; 501 break; 502 case QMGR_REQ_FLUSH_DEAD: 503 deferred_flag |= QMGR_FLUSH_BEFORE; 504 incoming_flag |= QMGR_FLUSH_BEFORE; 505 break; 506 case QMGR_REQ_SCAN_ALL: 507 deferred_flag |= QMGR_SCAN_ALL; 508 incoming_flag |= QMGR_SCAN_ALL; 509 break; 510 default: 511 if (msg_verbose) 512 msg_info("request ignored"); 513 break; 514 } 515 } 516 517 /* 518 * Process each request type at most once. Modifiers take effect upon the 519 * next queue run. If no queue run is in progress, and a queue scan is 520 * requested, the request takes effect immediately. 521 */ 522 if (incoming_flag != 0) 523 qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_INCOMING], incoming_flag); 524 if (deferred_flag != 0) 525 qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_DEFERRED], deferred_flag); 526 } 527 528 /* qmgr_loop - queue manager main loop */ 529 530 static int qmgr_loop(char *unused_name, char **unused_argv) 531 { 532 char *path; 533 ssize_t token_count; 534 int feed = 0; 535 int scan_idx; /* Priority order scan index */ 536 static int first_scan_idx = QMGR_SCAN_IDX_INCOMING; 537 int last_scan_idx = QMGR_SCAN_IDX_COUNT - 1; 538 int delay; 539 540 /* 541 * This routine runs as part of the event handling loop, after the event 542 * manager has delivered a timer or I/O event (including the completion 543 * of a connection to a delivery process), or after it has waited for a 544 * specified amount of time. The result value of qmgr_loop() specifies 545 * how long the event manager should wait for the next event. 546 */ 547 #define DONT_WAIT 0 548 #define WAIT_FOR_EVENT (-1) 549 550 /* 551 * Attempt to drain the active queue by allocating a suitable delivery 552 * process and by delivering mail via it. Delivery process allocation and 553 * mail delivery are asynchronous. 554 */ 555 qmgr_active_drain(); 556 557 /* 558 * Let some new blood into the active queue when the queue size is 559 * smaller than some configurable limit, and when the number of in-core 560 * recipients does not exceed some configurable limit. 561 * 562 * We import one message per interrupt, to optimally tune the input count 563 * for the number of delivery agent protocol wait states, as explained in 564 * qmgr_transport.c. 565 */ 566 delay = WAIT_FOR_EVENT; 567 for (scan_idx = 0; qmgr_message_count < var_qmgr_active_limit 568 && qmgr_recipient_count < var_qmgr_rcpt_limit 569 && scan_idx < QMGR_SCAN_IDX_COUNT; ++scan_idx) { 570 last_scan_idx = (scan_idx + first_scan_idx) % QMGR_SCAN_IDX_COUNT; 571 if ((path = qmgr_scan_next(qmgr_scans[last_scan_idx])) != 0) { 572 delay = DONT_WAIT; 573 if ((feed = qmgr_active_feed(qmgr_scans[last_scan_idx], path)) != 0) 574 break; 575 } 576 } 577 578 /* 579 * Round-robin the queue scans. When the active queue becomes full, 580 * prefer new mail over deferred mail. 581 */ 582 if (qmgr_message_count < var_qmgr_active_limit 583 && qmgr_recipient_count < var_qmgr_rcpt_limit) { 584 first_scan_idx = (last_scan_idx + 1) % QMGR_SCAN_IDX_COUNT; 585 } else if (first_scan_idx != QMGR_SCAN_IDX_INCOMING) { 586 first_scan_idx = QMGR_SCAN_IDX_INCOMING; 587 } 588 589 /* 590 * Global flow control. If enabled, slow down receiving processes that 591 * get ahead of the queue manager, but don't block them completely. 592 */ 593 if (var_in_flow_delay > 0) { 594 token_count = mail_flow_count(); 595 if (token_count < var_proc_limit) { 596 if (feed != 0 && last_scan_idx == QMGR_SCAN_IDX_INCOMING) 597 mail_flow_put(1); 598 else if (qmgr_scans[QMGR_SCAN_IDX_INCOMING]->handle == 0) 599 mail_flow_put(var_proc_limit - token_count); 600 } else if (token_count > var_proc_limit) { 601 mail_flow_get(token_count - var_proc_limit); 602 } 603 } 604 return (delay); 605 } 606 607 /* pre_accept - see if tables have changed */ 608 609 static void pre_accept(char *unused_name, char **unused_argv) 610 { 611 const char *table; 612 613 if ((table = dict_changed_name()) != 0) { 614 msg_info("table %s has changed -- restarting", table); 615 exit(0); 616 } 617 } 618 619 /* qmgr_pre_init - pre-jail initialization */ 620 621 static void qmgr_pre_init(char *unused_name, char **unused_argv) 622 { 623 flush_init(); 624 } 625 626 /* qmgr_post_init - post-jail initialization */ 627 628 static void qmgr_post_init(char *unused_name, char **unused_argv) 629 { 630 631 /* 632 * Sanity check. 633 */ 634 if (var_qmgr_rcpt_limit < var_qmgr_active_limit) { 635 msg_warn("%s is smaller than %s - adjusting %s", 636 VAR_QMGR_RCPT_LIMIT, VAR_QMGR_ACT_LIMIT, VAR_QMGR_RCPT_LIMIT); 637 var_qmgr_rcpt_limit = var_qmgr_active_limit; 638 } 639 if (var_dsn_queue_time > var_max_queue_time) { 640 msg_warn("%s is larger than %s - adjusting %s", 641 VAR_DSN_QUEUE_TIME, VAR_MAX_QUEUE_TIME, VAR_DSN_QUEUE_TIME); 642 var_dsn_queue_time = var_max_queue_time; 643 } 644 645 /* 646 * This routine runs after the skeleton code has entered the chroot jail. 647 * Prevent automatic process suicide after a limited number of client 648 * requests or after a limited amount of idle time. Move any left-over 649 * entries from the active queue to the incoming queue, and give them a 650 * time stamp into the future, in order to allow ongoing deliveries to 651 * finish first. Start scanning the incoming and deferred queues. 652 * Left-over active queue entries are moved to the incoming queue because 653 * the incoming queue has priority; moving left-overs to the deferred 654 * queue could cause anomalous delays when "postfix reload/start" are 655 * issued often. Override the IPC timeout (default 3600s) so that the 656 * queue manager can reset a broken IPC channel before the watchdog timer 657 * goes off. 658 */ 659 var_ipc_timeout = var_qmgr_ipc_timeout; 660 var_use_limit = 0; 661 var_idle_limit = 0; 662 qmgr_move(MAIL_QUEUE_ACTIVE, MAIL_QUEUE_INCOMING, event_time()); 663 qmgr_scans[QMGR_SCAN_IDX_INCOMING] = qmgr_scan_create(MAIL_QUEUE_INCOMING); 664 qmgr_scans[QMGR_SCAN_IDX_DEFERRED] = qmgr_scan_create(MAIL_QUEUE_DEFERRED); 665 qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_INCOMING], QMGR_SCAN_START); 666 qmgr_deferred_run_event(0, (void *) 0); 667 } 668 669 MAIL_VERSION_STAMP_DECLARE; 670 671 /* main - the main program */ 672 673 int main(int argc, char **argv) 674 { 675 static const CONFIG_STR_TABLE str_table[] = { 676 VAR_DEFER_XPORTS, DEF_DEFER_XPORTS, &var_defer_xports, 0, 0, 677 VAR_CONC_POS_FDBACK, DEF_CONC_POS_FDBACK, &var_conc_pos_feedback, 1, 0, 678 VAR_CONC_NEG_FDBACK, DEF_CONC_NEG_FDBACK, &var_conc_neg_feedback, 1, 0, 679 VAR_DEF_FILTER_NEXTHOP, DEF_DEF_FILTER_NEXTHOP, &var_def_filter_nexthop, 0, 0, 680 0, 681 }; 682 static const CONFIG_TIME_TABLE time_table[] = { 683 VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0, 684 VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0, 685 VAR_MAX_BACKOFF_TIME, DEF_MAX_BACKOFF_TIME, &var_max_backoff_time, 1, 0, 686 VAR_MAX_QUEUE_TIME, DEF_MAX_QUEUE_TIME, &var_max_queue_time, 0, 8640000, 687 VAR_DSN_QUEUE_TIME, DEF_DSN_QUEUE_TIME, &var_dsn_queue_time, 0, 8640000, 688 VAR_XPORT_RETRY_TIME, DEF_XPORT_RETRY_TIME, &var_transport_retry_time, 1, 0, 689 VAR_QMGR_CLOG_WARN_TIME, DEF_QMGR_CLOG_WARN_TIME, &var_qmgr_clog_warn_time, 0, 0, 690 VAR_XPORT_RATE_DELAY, DEF_XPORT_RATE_DELAY, &var_xport_rate_delay, 0, 0, 691 VAR_DEST_RATE_DELAY, DEF_DEST_RATE_DELAY, &var_dest_rate_delay, 0, 0, 692 VAR_QMGR_DAEMON_TIMEOUT, DEF_QMGR_DAEMON_TIMEOUT, &var_qmgr_daemon_timeout, 1, 0, 693 VAR_QMGR_IPC_TIMEOUT, DEF_QMGR_IPC_TIMEOUT, &var_qmgr_ipc_timeout, 1, 0, 694 0, 695 }; 696 static const CONFIG_INT_TABLE int_table[] = { 697 VAR_QMGR_ACT_LIMIT, DEF_QMGR_ACT_LIMIT, &var_qmgr_active_limit, 1, 0, 698 VAR_QMGR_RCPT_LIMIT, DEF_QMGR_RCPT_LIMIT, &var_qmgr_rcpt_limit, 1, 0, 699 VAR_INIT_DEST_CON, DEF_INIT_DEST_CON, &var_init_dest_concurrency, 1, 0, 700 VAR_DEST_CON_LIMIT, DEF_DEST_CON_LIMIT, &var_dest_con_limit, 0, 0, 701 VAR_DEST_RCPT_LIMIT, DEF_DEST_RCPT_LIMIT, &var_dest_rcpt_limit, 0, 0, 702 VAR_QMGR_FUDGE, DEF_QMGR_FUDGE, &var_qmgr_fudge, 10, 100, 703 VAR_LOCAL_RCPT_LIMIT, DEF_LOCAL_RCPT_LIMIT, &var_local_rcpt_lim, 0, 0, 704 VAR_LOCAL_CON_LIMIT, DEF_LOCAL_CON_LIMIT, &var_local_con_lim, 0, 0, 705 VAR_CONC_COHORT_LIM, DEF_CONC_COHORT_LIM, &var_conc_cohort_limit, 0, 0, 706 VAR_VRFY_PEND_LIMIT, DEF_VRFY_PEND_LIMIT, &var_vrfy_pend_limit, 1, 0, 707 0, 708 }; 709 static const CONFIG_BOOL_TABLE bool_table[] = { 710 VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off, 711 VAR_CONC_FDBACK_DEBUG, DEF_CONC_FDBACK_DEBUG, &var_conc_feedback_debug, 712 VAR_DSN_DELAY_CLEARED, DEF_DSN_DELAY_CLEARED, &var_dsn_delay_cleared, 713 0, 714 }; 715 716 /* 717 * Fingerprint executables and core dumps. 718 */ 719 MAIL_VERSION_STAMP_ALLOCATE; 720 721 /* 722 * Use the trigger service skeleton, because no-one else should be 723 * monitoring our service port while this process runs, and because we do 724 * not talk back to the client. 725 */ 726 trigger_server_main(argc, argv, qmgr_trigger_event, 727 CA_MAIL_SERVER_INT_TABLE(int_table), 728 CA_MAIL_SERVER_STR_TABLE(str_table), 729 CA_MAIL_SERVER_BOOL_TABLE(bool_table), 730 CA_MAIL_SERVER_TIME_TABLE(time_table), 731 CA_MAIL_SERVER_PRE_INIT(qmgr_pre_init), 732 CA_MAIL_SERVER_POST_INIT(qmgr_post_init), 733 CA_MAIL_SERVER_LOOP(qmgr_loop), 734 CA_MAIL_SERVER_PRE_ACCEPT(pre_accept), 735 CA_MAIL_SERVER_SOLITARY, 736 CA_MAIL_SERVER_WATCHDOG(&var_qmgr_daemon_timeout), 737 0); 738 } 739