1 /* $NetBSD: qmgr.c,v 1.3 2020/03/18 19:05:19 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* qmgr 8 6 /* SUMMARY 7 /* Postfix queue manager 8 /* SYNOPSIS 9 /* \fBqmgr\fR [generic Postfix daemon options] 10 /* DESCRIPTION 11 /* The \fBqmgr\fR(8) daemon awaits the arrival of incoming mail 12 /* and arranges for its delivery via Postfix delivery processes. 13 /* The actual mail routing strategy is delegated to the 14 /* \fBtrivial-rewrite\fR(8) daemon. 15 /* This program expects to be run from the \fBmaster\fR(8) process 16 /* manager. 17 /* 18 /* Mail addressed to the local \fBdouble-bounce\fR address is 19 /* logged and discarded. This stops potential loops caused by 20 /* undeliverable bounce notifications. 21 /* MAIL QUEUES 22 /* .ad 23 /* .fi 24 /* The \fBqmgr\fR(8) daemon maintains the following queues: 25 /* .IP \fBincoming\fR 26 /* Inbound mail from the network, or mail picked up by the 27 /* local \fBpickup\fR(8) daemon from the \fBmaildrop\fR directory. 28 /* .IP \fBactive\fR 29 /* Messages that the queue manager has opened for delivery. Only 30 /* a limited number of messages is allowed to enter the \fBactive\fR 31 /* queue (leaky bucket strategy, for a fixed delivery rate). 32 /* .IP \fBdeferred\fR 33 /* Mail that could not be delivered upon the first attempt. The queue 34 /* manager implements exponential backoff by doubling the time between 35 /* delivery attempts. 36 /* .IP \fBcorrupt\fR 37 /* Unreadable or damaged queue files are moved here for inspection. 38 /* .IP \fBhold\fR 39 /* Messages that are kept "on hold" are kept here until someone 40 /* sets them free. 41 /* DELIVERY STATUS REPORTS 42 /* .ad 43 /* .fi 44 /* The \fBqmgr\fR(8) daemon keeps an eye on per-message delivery status 45 /* reports in the following directories. Each status report file has 46 /* the same name as the corresponding message file: 47 /* .IP \fBbounce\fR 48 /* Per-recipient status information about why mail is bounced. 
49 /* These files are maintained by the \fBbounce\fR(8) daemon. 50 /* .IP \fBdefer\fR 51 /* Per-recipient status information about why mail is delayed. 52 /* These files are maintained by the \fBdefer\fR(8) daemon. 53 /* .IP \fBtrace\fR 54 /* Per-recipient status information as requested with the 55 /* Postfix "\fBsendmail -v\fR" or "\fBsendmail -bv\fR" command. 56 /* These files are maintained by the \fBtrace\fR(8) daemon. 57 /* .PP 58 /* The \fBqmgr\fR(8) daemon is responsible for asking the 59 /* \fBbounce\fR(8), \fBdefer\fR(8) or \fBtrace\fR(8) daemons to 60 /* send delivery reports. 61 /* STRATEGIES 62 /* .ad 63 /* .fi 64 /* The queue manager implements a variety of strategies for 65 /* either opening queue files (input) or for message delivery (output). 66 /* .IP "\fBleaky bucket\fR" 67 /* This strategy limits the number of messages in the \fBactive\fR queue 68 /* and prevents the queue manager from running out of memory under 69 /* heavy load. 70 /* .IP \fBfairness\fR 71 /* When the \fBactive\fR queue has room, the queue manager takes one 72 /* message from the \fBincoming\fR queue and one from the \fBdeferred\fR 73 /* queue. This prevents a large mail backlog from blocking the delivery 74 /* of new mail. 75 /* .IP "\fBslow start\fR" 76 /* This strategy eliminates "thundering herd" problems by slowly 77 /* adjusting the number of parallel deliveries to the same destination. 78 /* .IP "\fBround robin\fR" 79 /* The queue manager sorts delivery requests by destination. 80 /* Round-robin selection prevents one destination from dominating 81 /* deliveries to other destinations. 82 /* .IP "\fBexponential backoff\fR" 83 /* Mail that cannot be delivered upon the first attempt is deferred. 84 /* The time interval between delivery attempts is doubled after each 85 /* attempt. 86 /* .IP "\fBdestination status cache\fR" 87 /* The queue manager avoids unnecessary delivery attempts by 88 /* maintaining a short-term, in-memory list of unreachable destinations. 
89 /* .IP "\fBpreemptive message scheduling\fR" 90 /* The queue manager attempts to minimize the average per-recipient delay 91 /* while still preserving the correct per-message delays, using 92 /* a sophisticated preemptive message scheduling. 93 /* TRIGGERS 94 /* .ad 95 /* .fi 96 /* On an idle system, the queue manager waits for the arrival of 97 /* trigger events, or it waits for a timer to go off. A trigger 98 /* is a one-byte message. 99 /* Depending on the message received, the queue manager performs 100 /* one of the following actions (the message is followed by the 101 /* symbolic constant used internally by the software): 102 /* .IP "\fBD (QMGR_REQ_SCAN_DEFERRED)\fR" 103 /* Start a deferred queue scan. If a deferred queue scan is already 104 /* in progress, that scan will be restarted as soon as it finishes. 105 /* .IP "\fBI (QMGR_REQ_SCAN_INCOMING)\fR" 106 /* Start an incoming queue scan. If an incoming queue scan is already 107 /* in progress, that scan will be restarted as soon as it finishes. 108 /* .IP "\fBA (QMGR_REQ_SCAN_ALL)\fR" 109 /* Ignore deferred queue file time stamps. The request affects 110 /* the next deferred queue scan. 111 /* .IP "\fBF (QMGR_REQ_FLUSH_DEAD)\fR" 112 /* Purge all information about dead transports and destinations. 113 /* .IP "\fBW (TRIGGER_REQ_WAKEUP)\fR" 114 /* Wakeup call, This is used by the master server to instantiate 115 /* servers that should not go away forever. The action is to start 116 /* an incoming queue scan. 117 /* .PP 118 /* The \fBqmgr\fR(8) daemon reads an entire buffer worth of triggers. 119 /* Multiple identical trigger requests are collapsed into one, and 120 /* trigger requests are sorted so that \fBA\fR and \fBF\fR precede 121 /* \fBD\fR and \fBI\fR. Thus, in order to force a deferred queue run, 122 /* one would request \fBA F D\fR; in order to notify the queue manager 123 /* of the arrival of new mail one would request \fBI\fR. 
124 /* STANDARDS 125 /* RFC 3463 (Enhanced status codes) 126 /* RFC 3464 (Delivery status notifications) 127 /* SECURITY 128 /* .ad 129 /* .fi 130 /* The \fBqmgr\fR(8) daemon is not security sensitive. It reads 131 /* single-character messages from untrusted local users, and thus may 132 /* be susceptible to denial of service attacks. The \fBqmgr\fR(8) daemon 133 /* does not talk to the outside world, and it can be run at fixed low 134 /* privilege in a chrooted environment. 135 /* DIAGNOSTICS 136 /* Problems and transactions are logged to \fBsyslogd\fR(8) 137 /* or \fBpostlogd\fR(8). 138 /* Corrupted message files are saved to the \fBcorrupt\fR queue 139 /* for further inspection. 140 /* 141 /* Depending on the setting of the \fBnotify_classes\fR parameter, 142 /* the postmaster is notified of bounces and of other trouble. 143 /* BUGS 144 /* A single queue manager process has to compete for disk access with 145 /* multiple front-end processes such as \fBcleanup\fR(8). A sudden burst of 146 /* inbound mail can negatively impact outbound delivery rates. 147 /* CONFIGURATION PARAMETERS 148 /* .ad 149 /* .fi 150 /* Changes to \fBmain.cf\fR are not picked up automatically 151 /* as \fBqmgr\fR(8) 152 /* is a persistent process. Use the "\fBpostfix reload\fR" command after 153 /* a configuration change. 154 /* 155 /* The text below provides only a parameter summary. See 156 /* \fBpostconf\fR(5) for more details including examples. 157 /* 158 /* In the text below, \fItransport\fR is the first field in a 159 /* \fBmaster.cf\fR entry. 160 /* COMPATIBILITY CONTROLS 161 /* .ad 162 /* .fi 163 /* Available before Postfix version 2.5: 164 /* .IP "\fBallow_min_user (no)\fR" 165 /* Allow a sender or recipient address to have `-' as the first 166 /* character. 
167 /* .PP 168 /* Available with Postfix version 2.7 and later: 169 /* .IP "\fBdefault_filter_nexthop (empty)\fR" 170 /* When a content_filter or FILTER request specifies no explicit 171 /* next-hop destination, use $default_filter_nexthop instead; when 172 /* that value is empty, use the domain in the recipient address. 173 /* ACTIVE QUEUE CONTROLS 174 /* .ad 175 /* .fi 176 /* .IP "\fBqmgr_clog_warn_time (300s)\fR" 177 /* The minimal delay between warnings that a specific destination is 178 /* clogging up the Postfix active queue. 179 /* .IP "\fBqmgr_message_active_limit (20000)\fR" 180 /* The maximal number of messages in the active queue. 181 /* .IP "\fBqmgr_message_recipient_limit (20000)\fR" 182 /* The maximal number of recipients held in memory by the Postfix 183 /* queue manager, and the maximal size of the short-term, 184 /* in-memory "dead" destination status cache. 185 /* .IP "\fBqmgr_message_recipient_minimum (10)\fR" 186 /* The minimal number of in-memory recipients for any message. 187 /* .IP "\fBdefault_recipient_limit (20000)\fR" 188 /* The default per-transport upper limit on the number of in-memory 189 /* recipients. 190 /* .IP "\fBtransport_recipient_limit ($default_recipient_limit)\fR" 191 /* A transport-specific override for the default_recipient_limit 192 /* parameter value, where \fItransport\fR is the master.cf name of 193 /* the message delivery transport. 194 /* .IP "\fBdefault_extra_recipient_limit (1000)\fR" 195 /* The default value for the extra per-transport limit imposed on the 196 /* number of in-memory recipients. 197 /* .IP "\fBtransport_extra_recipient_limit ($default_extra_recipient_limit)\fR" 198 /* A transport-specific override for the default_extra_recipient_limit 199 /* parameter value, where \fItransport\fR is the master.cf name of 200 /* the message delivery transport. 
201 /* .PP 202 /* Available in Postfix version 2.4 and later: 203 /* .IP "\fBdefault_recipient_refill_limit (100)\fR" 204 /* The default per-transport limit on the number of recipients refilled at 205 /* once. 206 /* .IP "\fBtransport_recipient_refill_limit ($default_recipient_refill_limit)\fR" 207 /* A transport-specific override for the default_recipient_refill_limit 208 /* parameter value, where \fItransport\fR is the master.cf name of 209 /* the message delivery transport. 210 /* .IP "\fBdefault_recipient_refill_delay (5s)\fR" 211 /* The default per-transport maximum delay between recipients refills. 212 /* .IP "\fBtransport_recipient_refill_delay ($default_recipient_refill_delay)\fR" 213 /* A transport-specific override for the default_recipient_refill_delay 214 /* parameter value, where \fItransport\fR is the master.cf name of 215 /* the message delivery transport. 216 /* DELIVERY CONCURRENCY CONTROLS 217 /* .ad 218 /* .fi 219 /* .IP "\fBinitial_destination_concurrency (5)\fR" 220 /* The initial per-destination concurrency level for parallel delivery 221 /* to the same destination. 222 /* .IP "\fBdefault_destination_concurrency_limit (20)\fR" 223 /* The default maximal number of parallel deliveries to the same 224 /* destination. 225 /* .IP "\fBtransport_destination_concurrency_limit ($default_destination_concurrency_limit)\fR" 226 /* A transport-specific override for the 227 /* default_destination_concurrency_limit parameter value, where 228 /* \fItransport\fR is the master.cf name of the message delivery 229 /* transport. 230 /* .PP 231 /* Available in Postfix version 2.5 and later: 232 /* .IP "\fBtransport_initial_destination_concurrency ($initial_destination_concurrency)\fR" 233 /* A transport-specific override for the initial_destination_concurrency 234 /* parameter value, where \fItransport\fR is the master.cf name of 235 /* the message delivery transport. 
236 /* .IP "\fBdefault_destination_concurrency_failed_cohort_limit (1)\fR" 237 /* How many pseudo-cohorts must suffer connection or handshake 238 /* failure before a specific destination is considered unavailable 239 /* (and further delivery is suspended). 240 /* .IP "\fBtransport_destination_concurrency_failed_cohort_limit ($default_destination_concurrency_failed_cohort_limit)\fR" 241 /* A transport-specific override for the 242 /* default_destination_concurrency_failed_cohort_limit parameter value, 243 /* where \fItransport\fR is the master.cf name of the message delivery 244 /* transport. 245 /* .IP "\fBdefault_destination_concurrency_negative_feedback (1)\fR" 246 /* The per-destination amount of delivery concurrency negative 247 /* feedback, after a delivery completes with a connection or handshake 248 /* failure. 249 /* .IP "\fBtransport_destination_concurrency_negative_feedback ($default_destination_concurrency_negative_feedback)\fR" 250 /* A transport-specific override for the 251 /* default_destination_concurrency_negative_feedback parameter value, 252 /* where \fItransport\fR is the master.cf name of the message delivery 253 /* transport. 254 /* .IP "\fBdefault_destination_concurrency_positive_feedback (1)\fR" 255 /* The per-destination amount of delivery concurrency positive 256 /* feedback, after a delivery completes without connection or handshake 257 /* failure. 258 /* .IP "\fBtransport_destination_concurrency_positive_feedback ($default_destination_concurrency_positive_feedback)\fR" 259 /* A transport-specific override for the 260 /* default_destination_concurrency_positive_feedback parameter value, 261 /* where \fItransport\fR is the master.cf name of the message delivery 262 /* transport. 263 /* .IP "\fBdestination_concurrency_feedback_debug (no)\fR" 264 /* Make the queue manager's feedback algorithm verbose for performance 265 /* analysis purposes. 
266 /* RECIPIENT SCHEDULING CONTROLS 267 /* .ad 268 /* .fi 269 /* .IP "\fBdefault_destination_recipient_limit (50)\fR" 270 /* The default maximal number of recipients per message delivery. 271 /* .IP "\fBtransport_destination_recipient_limit ($default_destination_recipient_limit)\fR" 272 /* A transport-specific override for the 273 /* default_destination_recipient_limit parameter value, where 274 /* \fItransport\fR is the master.cf name of the message delivery 275 /* transport. 276 /* MESSAGE SCHEDULING CONTROLS 277 /* .ad 278 /* .fi 279 /* .IP "\fBdefault_delivery_slot_cost (5)\fR" 280 /* How often the Postfix queue manager's scheduler is allowed to 281 /* preempt delivery of one message with another. 282 /* .IP "\fBtransport_delivery_slot_cost ($default_delivery_slot_cost)\fR" 283 /* A transport-specific override for the default_delivery_slot_cost 284 /* parameter value, where \fItransport\fR is the master.cf name of 285 /* the message delivery transport. 286 /* .IP "\fBdefault_minimum_delivery_slots (3)\fR" 287 /* How many recipients a message must have in order to invoke the 288 /* Postfix queue manager's scheduling algorithm at all. 289 /* .IP "\fBtransport_minimum_delivery_slots ($default_minimum_delivery_slots)\fR" 290 /* A transport-specific override for the default_minimum_delivery_slots 291 /* parameter value, where \fItransport\fR is the master.cf name of 292 /* the message delivery transport. 293 /* .IP "\fBdefault_delivery_slot_discount (50)\fR" 294 /* The default value for transport-specific _delivery_slot_discount 295 /* settings. 296 /* .IP "\fBtransport_delivery_slot_discount ($default_delivery_slot_discount)\fR" 297 /* A transport-specific override for the default_delivery_slot_discount 298 /* parameter value, where \fItransport\fR is the master.cf name of 299 /* the message delivery transport. 300 /* .IP "\fBdefault_delivery_slot_loan (3)\fR" 301 /* The default value for transport-specific _delivery_slot_loan 302 /* settings. 
303 /* .IP "\fBtransport_delivery_slot_loan ($default_delivery_slot_loan)\fR" 304 /* A transport-specific override for the default_delivery_slot_loan 305 /* parameter value, where \fItransport\fR is the master.cf name of 306 /* the message delivery transport. 307 /* OTHER RESOURCE AND RATE CONTROLS 308 /* .ad 309 /* .fi 310 /* .IP "\fBminimal_backoff_time (300s)\fR" 311 /* The minimal time between attempts to deliver a deferred message; 312 /* prior to Postfix 2.4 the default value was 1000s. 313 /* .IP "\fBmaximal_backoff_time (4000s)\fR" 314 /* The maximal time between attempts to deliver a deferred message. 315 /* .IP "\fBmaximal_queue_lifetime (5d)\fR" 316 /* Consider a message as undeliverable, when delivery fails with a 317 /* temporary error, and the time in the queue has reached the 318 /* maximal_queue_lifetime limit. 319 /* .IP "\fBqueue_run_delay (300s)\fR" 320 /* The time between deferred queue scans by the queue manager; 321 /* prior to Postfix 2.4 the default value was 1000s. 322 /* .IP "\fBtransport_retry_time (60s)\fR" 323 /* The time between attempts by the Postfix queue manager to contact 324 /* a malfunctioning message delivery transport. 325 /* .PP 326 /* Available in Postfix version 2.1 and later: 327 /* .IP "\fBbounce_queue_lifetime (5d)\fR" 328 /* Consider a bounce message as undeliverable, when delivery fails 329 /* with a temporary error, and the time in the queue has reached the 330 /* bounce_queue_lifetime limit. 331 /* .PP 332 /* Available in Postfix version 2.5 and later: 333 /* .IP "\fBdefault_destination_rate_delay (0s)\fR" 334 /* The default amount of delay that is inserted between individual 335 /* message deliveries to the same destination and over the same message 336 /* delivery transport. 
337 /* .IP "\fBtransport_destination_rate_delay ($default_destination_rate_delay)\fR" 338 /* A transport-specific override for the default_destination_rate_delay 339 /* parameter value, where \fItransport\fR is the master.cf name of 340 /* the message delivery transport. 341 /* .PP 342 /* Available in Postfix version 3.1 and later: 343 /* .IP "\fBdefault_transport_rate_delay (0s)\fR" 344 /* The default amount of delay that is inserted between individual 345 /* message deliveries over the same message delivery transport, 346 /* regardless of destination. 347 /* .IP "\fBtransport_transport_rate_delay ($default_transport_rate_delay)\fR" 348 /* A transport-specific override for the default_transport_rate_delay 349 /* parameter value, where the initial \fItransport\fR in the parameter 350 /* name is the master.cf name of the message delivery transport. 351 /* SAFETY CONTROLS 352 /* .ad 353 /* .fi 354 /* .IP "\fBqmgr_daemon_timeout (1000s)\fR" 355 /* How much time a Postfix queue manager process may take to handle 356 /* a request before it is terminated by a built-in watchdog timer. 357 /* .IP "\fBqmgr_ipc_timeout (60s)\fR" 358 /* The time limit for the queue manager to send or receive information 359 /* over an internal communication channel. 360 /* .PP 361 /* Available in Postfix version 3.1 and later: 362 /* .IP "\fBaddress_verify_pending_request_limit (see 'postconf -d' output)\fR" 363 /* A safety limit that prevents address verification requests from 364 /* overwhelming the Postfix queue. 365 /* MISCELLANEOUS CONTROLS 366 /* .ad 367 /* .fi 368 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" 369 /* The default location of the Postfix main.cf and master.cf 370 /* configuration files. 371 /* .IP "\fBdefer_transports (empty)\fR" 372 /* The names of message delivery transports that should not deliver mail 373 /* unless someone issues "\fBsendmail -q\fR" or equivalent. 
374 /* .IP "\fBdelay_logging_resolution_limit (2)\fR" 375 /* The maximal number of digits after the decimal point when logging 376 /* sub-second delay values. 377 /* .IP "\fBhelpful_warnings (yes)\fR" 378 /* Log warnings about problematic configuration settings, and provide 379 /* helpful suggestions. 380 /* .IP "\fBprocess_id (read-only)\fR" 381 /* The process ID of a Postfix command or daemon process. 382 /* .IP "\fBprocess_name (read-only)\fR" 383 /* The process name of a Postfix command or daemon process. 384 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR" 385 /* The location of the Postfix top-level queue directory. 386 /* .IP "\fBsyslog_facility (mail)\fR" 387 /* The syslog facility of Postfix logging. 388 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" 389 /* A prefix that is prepended to the process name in syslog 390 /* records, so that, for example, "smtpd" becomes "prefix/smtpd". 391 /* .PP 392 /* Available in Postfix version 3.0 and later: 393 /* .IP "\fBconfirm_delay_cleared (no)\fR" 394 /* After sending a "your message is delayed" notification, inform 395 /* the sender when the delay clears up. 396 /* .PP 397 /* Available in Postfix 3.3 and later: 398 /* .IP "\fBservice_name (read-only)\fR" 399 /* The master.cf service name of a Postfix daemon process. 400 /* .PP 401 /* Available in Postfix 3.5 and later: 402 /* .IP "\fBinfo_log_address_format (external)\fR" 403 /* The email address form that will be used in non-debug logging 404 /* (info, warning, etc.). 
/* FILES
/*	/var/spool/postfix/incoming, incoming queue
/*	/var/spool/postfix/active, active queue
/*	/var/spool/postfix/deferred, deferred queue
/*	/var/spool/postfix/bounce, non-delivery status
/*	/var/spool/postfix/defer, non-delivery status
/*	/var/spool/postfix/trace, delivery status
/* SEE ALSO
/*	trivial-rewrite(8), address routing
/*	bounce(8), delivery status reports
/*	postconf(5), configuration parameters
/*	master(5), generic daemon options
/*	master(8), process manager
/*	postlogd(8), Postfix logging
/*	syslogd(8), system logging
/* README FILES
/* .ad
/* .fi
/*	Use "\fBpostconf readme_directory\fR" or
/*	"\fBpostconf html_directory\fR" to locate this information.
/* .na
/* .nf
/*	SCHEDULER_README, scheduling algorithm
/*	QSHAPE_README, Postfix queue analysis
/* LICENSE
/* .ad
/* .fi
/*	The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/*	Wietse Venema
/*	IBM T.J. Watson Research
/*	P.O. Box 704
/*	Yorktown Heights, NY 10598, USA
/*
/*	Preemptive scheduler enhancements:
/*	Patrik Rak
/*	Modra 6
/*	155 00, Prague, Czech Republic
/*
/*	Wietse Venema
/*	Google, Inc.
/*	111 8th Avenue
/*	New York, NY 10011, USA
/*--*/

/* System library. */

#include <sys_defs.h>
#include <stdlib.h>
#include <unistd.h>
#include <ctype.h>

/* Utility library. */

#include <msg.h>
#include <events.h>
#include <vstream.h>
#include <dict.h>

/* Global library. */

#include <mail_queue.h>
#include <recipient_list.h>
#include <mail_conf.h>
#include <mail_params.h>
#include <mail_version.h>
#include <mail_proto.h>			/* QMGR_SCAN constants */
#include <mail_flow.h>
#include <flush_clnt.h>

/* Master process interface */

#include <master_proto.h>
#include <mail_server.h>

/* Application-specific. */

#include "qmgr.h"

/*
 * Configuration tunables. Each one is bound to a main.cf parameter name by
 * the tables in main() below.
 */
int     var_queue_run_delay;
int     var_min_backoff_time;
int     var_max_backoff_time;
int     var_max_queue_time;
int     var_dsn_queue_time;
int     var_qmgr_active_limit;
int     var_qmgr_rcpt_limit;
int     var_qmgr_msg_rcpt_limit;
int     var_xport_rcpt_limit;
int     var_stack_rcpt_limit;
int     var_xport_refill_limit;
int     var_xport_refill_delay;
int     var_delivery_slot_cost;
int     var_delivery_slot_loan;
int     var_delivery_slot_discount;
int     var_min_delivery_slots;
int     var_init_dest_concurrency;
int     var_transport_retry_time;
int     var_dest_con_limit;
int     var_dest_rcpt_limit;
char   *var_defer_xports;
int     var_local_con_lim;
int     var_local_rcpt_lim;
bool    var_verp_bounce_off;
int     var_qmgr_clog_warn_time;
char   *var_conc_pos_feedback;
char   *var_conc_neg_feedback;
int     var_conc_cohort_limit;
int     var_conc_feedback_debug;
int     var_xport_rate_delay;
int     var_dest_rate_delay;
char   *var_def_filter_nexthop;
int     var_qmgr_daemon_timeout;
int     var_qmgr_ipc_timeout;
int     var_dsn_delay_cleared;
int     var_vrfy_pend_limit;

/*
 * One scanner per input queue. The slots are filled in by qmgr_post_init()
 * and are private to this file.
 */
static QMGR_SCAN *qmgr_scans[2];

#define QMGR_SCAN_IDX_INCOMING 0
#define QMGR_SCAN_IDX_DEFERRED 1
#define QMGR_SCAN_IDX_COUNT (sizeof(qmgr_scans) / sizeof(qmgr_scans[0]))

/* qmgr_deferred_run_event - periodic deferred queue scan (heartbeat) */

static void qmgr_deferred_run_event(int unused_event, void *dummy)
{
    QMGR_SCAN *deferred_scan = qmgr_scans[QMGR_SCAN_IDX_DEFERRED];

    /*
     * Timer callback: ask for a deferred queue scan, then re-arm the timer
     * with the same context so that this routine fires again after
     * var_queue_run_delay.
     */
    qmgr_scan_request(deferred_scan, QMGR_SCAN_START);
    event_request_timer(qmgr_deferred_run_event, dummy, var_queue_run_delay);
}

/* qmgr_trigger_event - act on a buffer of one-byte trigger requests */

static void qmgr_trigger_event(char *buf, ssize_t len,
			               char *unused_service, char **argv)
{
    int     incoming_req = 0;
    int     deferred_req = 0;
    int     pos;
    char    ch;

    /*
     * This service accepts no command-line arguments; any argument is a
     * fatal configuration error.
     */
    if (argv[0])
	msg_fatal("unexpected command-line argument: %s", argv[0]);

    /*
     * Fold all requests received since the previous call into one flag set
     * per queue. Clients get no reply, so the requests need not be handled
     * in arrival order, and duplicates collapse into a single flag bit.
     *
     * Security note: the SECURITY section of the header comment states that
     * these bytes can come from untrusted local users. Only the request
     * codes listed below have any effect; every other byte is ignored. The
     * verbose log prints '?' in the %c position for bytes that fail
     * ISALNUM(), so only alphanumeric bytes reach the log as characters.
     */
#define QMGR_FLUSH_BEFORE	(QMGR_FLUSH_ONCE | QMGR_FLUSH_DFXP)

    for (pos = 0; pos < len; pos++) {
	ch = buf[pos];
	if (msg_verbose)
	    msg_info("request: %d (%c)", ch, ISALNUM(ch) ? ch : '?');
	switch (ch) {
	case TRIGGER_REQ_WAKEUP:
	case QMGR_REQ_SCAN_INCOMING:
	    /* A wakeup is handled like a request to scan the incoming queue. */
	    incoming_req |= QMGR_SCAN_START;
	    break;
	case QMGR_REQ_SCAN_DEFERRED:
	    deferred_req |= QMGR_SCAN_START;
	    break;
	case QMGR_REQ_FLUSH_DEAD:
	    /* Modifier: applied to both queue scanners. */
	    deferred_req |= QMGR_FLUSH_BEFORE;
	    incoming_req |= QMGR_FLUSH_BEFORE;
	    break;
	case QMGR_REQ_SCAN_ALL:
	    /* Modifier: applied to both queue scanners. */
	    deferred_req |= QMGR_SCAN_ALL;
	    incoming_req |= QMGR_SCAN_ALL;
	    break;
	default:
	    if (msg_verbose)
		msg_info("request ignored");
	    break;
	}
    }

    /*
     * Hand each queue at most one combined request. Modifier bits take
     * effect with the next queue run; a scan request takes effect at once
     * when no run is in progress.
     */
    if (incoming_req != 0)
	qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_INCOMING], incoming_req);
    if (deferred_req != 0)
	qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_DEFERRED], deferred_req);
}

/* qmgr_loop - one pass of the queue manager main loop */

static int qmgr_loop(char *unused_name, char **unused_argv)
{
    static int first_scan_idx = QMGR_SCAN_IDX_INCOMING;
    int     last_scan_idx = QMGR_SCAN_IDX_COUNT - 1;
    int     scan_idx;			/* Priority order scan index */
    int     feed = 0;
    int     delay;
    char   *path;
    QMGR_SCAN *scan;
    ssize_t token_count;

    /*
     * The event manager calls this routine after it has delivered a timer
     * or I/O event (which includes completion of a connection to a delivery
     * process), or after its wait time ran out. The return value tells the
     * event manager how long to wait for the next event.
     */
#define DONT_WAIT	0
#define WAIT_FOR_EVENT	(-1)

    /*
     * Try to empty the active queue by allocating delivery processes and
     * handing mail to them. Both steps are asynchronous.
     */
    qmgr_active_drain();

    /*
     * Admit new messages while the active queue is below its configured
     * limit. At most one message is imported per call, to match the input
     * rate to the number of delivery agent protocol wait states (see
     * qmgr_transport.c). The scan order rotates, starting at
     * first_scan_idx.
     */
    delay = WAIT_FOR_EVENT;
    scan_idx = 0;
    while (qmgr_message_count < var_qmgr_active_limit
	   && scan_idx < QMGR_SCAN_IDX_COUNT) {
	last_scan_idx = (scan_idx + first_scan_idx) % QMGR_SCAN_IDX_COUNT;
	scan = qmgr_scans[last_scan_idx];
	path = qmgr_scan_next(scan);
	if (path != 0) {
	    /* Found a queue file: come back without waiting for an event. */
	    delay = DONT_WAIT;
	    feed = qmgr_active_feed(scan, path);
	    if (feed != 0)
		break;
	}
	++scan_idx;
    }

    /*
     * Round-robin between the scanners. Once the active queue is full,
     * start the next pass at the incoming queue so that new mail is
     * preferred over deferred mail.
     */
    if (qmgr_message_count < var_qmgr_active_limit)
	first_scan_idx = (last_scan_idx + 1) % QMGR_SCAN_IDX_COUNT;
    else
	first_scan_idx = QMGR_SCAN_IDX_INCOMING;

    /*
     * Global flow control, active only when var_in_flow_delay is positive:
     * slow down receiving processes that get ahead of the queue manager,
     * without blocking them completely.
     */
    if (var_in_flow_delay <= 0)
	return (delay);

    token_count = mail_flow_count();
    if (token_count > var_proc_limit) {
	/* Surplus tokens: take the excess back. */
	mail_flow_get(token_count - var_proc_limit);
    } else if (token_count < var_proc_limit) {
	if (feed != 0 && last_scan_idx == QMGR_SCAN_IDX_INCOMING)
	    /* One incoming message was fed: release one token. */
	    mail_flow_put(1);
	else if (qmgr_scans[QMGR_SCAN_IDX_INCOMING]->handle == 0)
	    /* Incoming scanner has no open handle: top up to the limit. */
	    mail_flow_put(var_proc_limit - token_count);
    }
    return (delay);
}

/* pre_accept - terminate when a lookup table has changed */

static void pre_accept(char *unused_name, char **unused_argv)
{
    const char *table = dict_changed_name();

    /* No change reported: keep running. */
    if (table == 0)
	return;

    /*
     * Exit with status 0; the log message announces a restart, which
     * presumably is performed by the master(8) process - confirm there.
     */
    msg_info("table %s has changed -- restarting", table);
    exit(0);
}

/* qmgr_pre_init - initialization before entering the chroot jail */

static void qmgr_pre_init(char *unused_name, char **unused_argv)
{
    flush_init();
}

/* qmgr_post_init - initialization after entering the chroot jail */

static void qmgr_post_init(char *name, char **unused_argv)
{

    /*
     * Backwards compatibility: warn when the process still runs under the
     * old "nqmgr" name.
     */
    if (strcmp(var_procname, "nqmgr") == 0) {
	msg_warn("please update the %s/%s file; the new queue manager",
		 var_config_dir, MASTER_CONF_FILE);
	msg_warn("(old name: nqmgr) has become the standard queue manager (new name: qmgr)");
	msg_warn("support for the name old name (nqmgr) will be removed from Postfix");
    }

    /*
     * Sanity checks: repair inconsistent limits instead of failing. The
     * recipient limit is raised to the active message limit, and the bounce
     * queue lifetime is lowered to the maximal queue lifetime.
     */
    if (var_qmgr_rcpt_limit < var_qmgr_active_limit) {
	msg_warn("%s is smaller than %s - adjusting %s",
	      VAR_QMGR_RCPT_LIMIT, VAR_QMGR_ACT_LIMIT, VAR_QMGR_RCPT_LIMIT);
	var_qmgr_rcpt_limit = var_qmgr_active_limit;
    }
    if (var_dsn_queue_time > var_max_queue_time) {
	msg_warn("%s is larger than %s - adjusting %s",
		 VAR_DSN_QUEUE_TIME, VAR_MAX_QUEUE_TIME, VAR_DSN_QUEUE_TIME);
	var_dsn_queue_time = var_max_queue_time;
    }

    /*
     * The skeleton code has entered the chroot jail by the time this runs.
     *
     * - Replace the IPC timeout (default 3600s) with the queue manager's
     * own value, so that a broken IPC channel can be reset before the
     * watchdog timer goes off.
     *
     * - Zero the use and idle limits, so that the process does not
     * terminate itself after a number of client requests or after a period
     * of idle time.
     *
     * - Move left-over active queue entries to the incoming queue, with a
     * time stamp in the future so that ongoing deliveries can finish first.
     * The incoming queue is used because it has priority; moving left-overs
     * to the deferred queue could cause anomalous delays when "postfix
     * reload/start" are issued often.
     *
     * - Create both scanners, start the incoming scan, and start the
     * deferred scan heartbeat.
     */
    var_ipc_timeout = var_qmgr_ipc_timeout;
    var_use_limit = 0;
    var_idle_limit = 0;
    qmgr_move(MAIL_QUEUE_ACTIVE, MAIL_QUEUE_INCOMING, event_time());
    qmgr_scans[QMGR_SCAN_IDX_INCOMING] = qmgr_scan_create(MAIL_QUEUE_INCOMING);
    qmgr_scans[QMGR_SCAN_IDX_DEFERRED] = qmgr_scan_create(MAIL_QUEUE_DEFERRED);
    qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_INCOMING], QMGR_SCAN_START);
    qmgr_deferred_run_event(0, (void *) 0);
}

MAIL_VERSION_STAMP_DECLARE;

/* main - program entry point */

int     main(int argc, char **argv)
{

    /*
     * Parameter tables: parameter name, default value, target variable.
     * NOTE(review): the two trailing numbers in the string, time and
     * integer tables look like lower/upper bounds, with 0 meaning "no
     * bound" - confirm against mail_conf.h. Each table ends with a 0 entry.
     */
    static const CONFIG_STR_TABLE str_table[] = {
	VAR_DEFER_XPORTS, DEF_DEFER_XPORTS, &var_defer_xports, 0, 0,
	VAR_CONC_POS_FDBACK, DEF_CONC_POS_FDBACK, &var_conc_pos_feedback, 1, 0,
	VAR_CONC_NEG_FDBACK, DEF_CONC_NEG_FDBACK, &var_conc_neg_feedback, 1, 0,
	VAR_DEF_FILTER_NEXTHOP, DEF_DEF_FILTER_NEXTHOP, &var_def_filter_nexthop, 0, 0,
	0,
    };
    static const CONFIG_TIME_TABLE time_table[] = {
	VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0,
	VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
	VAR_MAX_BACKOFF_TIME, DEF_MAX_BACKOFF_TIME, &var_max_backoff_time, 1, 0,
	VAR_MAX_QUEUE_TIME, DEF_MAX_QUEUE_TIME, &var_max_queue_time, 0, 8640000,
	VAR_DSN_QUEUE_TIME, DEF_DSN_QUEUE_TIME, &var_dsn_queue_time, 0, 8640000,
	VAR_XPORT_RETRY_TIME, DEF_XPORT_RETRY_TIME, &var_transport_retry_time, 1, 0,
	VAR_QMGR_CLOG_WARN_TIME, DEF_QMGR_CLOG_WARN_TIME, &var_qmgr_clog_warn_time, 0, 0,
	VAR_XPORT_REFILL_DELAY, DEF_XPORT_REFILL_DELAY, &var_xport_refill_delay, 1, 0,
	VAR_XPORT_RATE_DELAY, DEF_XPORT_RATE_DELAY, &var_xport_rate_delay, 0, 0,
	VAR_DEST_RATE_DELAY, DEF_DEST_RATE_DELAY, &var_dest_rate_delay, 0, 0,
	VAR_QMGR_DAEMON_TIMEOUT, DEF_QMGR_DAEMON_TIMEOUT, &var_qmgr_daemon_timeout, 1, 0,
	VAR_QMGR_IPC_TIMEOUT, DEF_QMGR_IPC_TIMEOUT, &var_qmgr_ipc_timeout, 1, 0,
	0,
    };
    static const CONFIG_INT_TABLE int_table[] = {
	VAR_QMGR_ACT_LIMIT, DEF_QMGR_ACT_LIMIT, &var_qmgr_active_limit, 1, 0,
	VAR_QMGR_RCPT_LIMIT, DEF_QMGR_RCPT_LIMIT, &var_qmgr_rcpt_limit, 1, 0,
	VAR_QMGR_MSG_RCPT_LIMIT, DEF_QMGR_MSG_RCPT_LIMIT, &var_qmgr_msg_rcpt_limit, 1, 0,
	VAR_XPORT_RCPT_LIMIT, DEF_XPORT_RCPT_LIMIT, &var_xport_rcpt_limit, 0, 0,
	VAR_STACK_RCPT_LIMIT, DEF_STACK_RCPT_LIMIT, &var_stack_rcpt_limit, 0, 0,
	VAR_XPORT_REFILL_LIMIT, DEF_XPORT_REFILL_LIMIT, &var_xport_refill_limit, 1, 0,
	VAR_DELIVERY_SLOT_COST, DEF_DELIVERY_SLOT_COST, &var_delivery_slot_cost, 0, 0,
	VAR_DELIVERY_SLOT_LOAN, DEF_DELIVERY_SLOT_LOAN, &var_delivery_slot_loan, 0, 0,
	VAR_DELIVERY_SLOT_DISCOUNT, DEF_DELIVERY_SLOT_DISCOUNT, &var_delivery_slot_discount, 0, 100,
	VAR_MIN_DELIVERY_SLOTS, DEF_MIN_DELIVERY_SLOTS, &var_min_delivery_slots, 0, 0,
	VAR_INIT_DEST_CON, DEF_INIT_DEST_CON, &var_init_dest_concurrency, 1, 0,
	VAR_DEST_CON_LIMIT, DEF_DEST_CON_LIMIT, &var_dest_con_limit, 0, 0,
	VAR_DEST_RCPT_LIMIT, DEF_DEST_RCPT_LIMIT, &var_dest_rcpt_limit, 0, 0,
	VAR_LOCAL_RCPT_LIMIT, DEF_LOCAL_RCPT_LIMIT, &var_local_rcpt_lim, 0, 0,
	VAR_LOCAL_CON_LIMIT, DEF_LOCAL_CON_LIMIT, &var_local_con_lim, 0, 0,
	VAR_CONC_COHORT_LIM, DEF_CONC_COHORT_LIM, &var_conc_cohort_limit, 0, 0,
	VAR_VRFY_PEND_LIMIT, DEF_VRFY_PEND_LIMIT, &var_vrfy_pend_limit, 1, 0,
	0,
    };
    static const CONFIG_BOOL_TABLE bool_table[] = {
	VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off,
	VAR_CONC_FDBACK_DEBUG, DEF_CONC_FDBACK_DEBUG, &var_conc_feedback_debug,
	VAR_DSN_DELAY_CLEARED, DEF_DSN_DELAY_CLEARED, &var_dsn_delay_cleared,
	0,
    };

    /*
     * Fingerprint executables and core dumps.
     */
    MAIL_VERSION_STAMP_ALLOCATE;

    /*
     * Run under the trigger service skeleton: no other process should be
     * monitoring this service port while the queue manager runs, and the
     * queue manager never replies to its clients. The service is registered
     * as solitary, with the watchdog interval taken from
     * var_qmgr_daemon_timeout.
     */
    trigger_server_main(argc, argv, qmgr_trigger_event,
			CA_MAIL_SERVER_INT_TABLE(int_table),
			CA_MAIL_SERVER_STR_TABLE(str_table),
			CA_MAIL_SERVER_BOOL_TABLE(bool_table),
			CA_MAIL_SERVER_TIME_TABLE(time_table),
			CA_MAIL_SERVER_PRE_INIT(qmgr_pre_init),
			CA_MAIL_SERVER_POST_INIT(qmgr_post_init),
			CA_MAIL_SERVER_LOOP(qmgr_loop),
			CA_MAIL_SERVER_PRE_ACCEPT(pre_accept),
			CA_MAIL_SERVER_SOLITARY,
			CA_MAIL_SERVER_WATCHDOG(&var_qmgr_daemon_timeout),
			0);
}