1/*++
2/* NAME
3/*	qmgr 8
4/* SUMMARY
5/*	Postfix queue manager
6/* SYNOPSIS
7/*	\fBqmgr\fR [generic Postfix daemon options]
8/* DESCRIPTION
9/*	The \fBqmgr\fR(8) daemon awaits the arrival of incoming mail
10/*	and arranges for its delivery via Postfix delivery processes.
11/*	The actual mail routing strategy is delegated to the
12/*	\fBtrivial-rewrite\fR(8) daemon.
13/*	This program expects to be run from the \fBmaster\fR(8) process
14/*	manager.
15/*
16/*	Mail addressed to the local \fBdouble-bounce\fR address is
17/*	logged and discarded.  This stops potential loops caused by
18/*	undeliverable bounce notifications.
19/* MAIL QUEUES
20/* .ad
21/* .fi
22/*	The \fBqmgr\fR(8) daemon maintains the following queues:
23/* .IP \fBincoming\fR
24/*	Inbound mail from the network, or mail picked up by the
25/*	local \fBpickup\fR(8) daemon from the \fBmaildrop\fR directory.
26/* .IP \fBactive\fR
27/*	Messages that the queue manager has opened for delivery. Only
28/*	a limited number of messages is allowed to enter the \fBactive\fR
29/*	queue (leaky bucket strategy, for a fixed delivery rate).
30/* .IP \fBdeferred\fR
31/*	Mail that could not be delivered upon the first attempt. The queue
32/*	manager implements exponential backoff by doubling the time between
33/*	delivery attempts.
34/* .IP \fBcorrupt\fR
35/*	Unreadable or damaged queue files are moved here for inspection.
36/* .IP \fBhold\fR
37/*	Messages that are kept "on hold" are kept here until someone
38/*	sets them free.
39/* DELIVERY STATUS REPORTS
40/* .ad
41/* .fi
42/*	The \fBqmgr\fR(8) daemon keeps an eye on per-message delivery status
43/*	reports in the following directories. Each status report file has
44/*	the same name as the corresponding message file:
45/* .IP \fBbounce\fR
46/*	Per-recipient status information about why mail is bounced.
47/*	These files are maintained by the \fBbounce\fR(8) daemon.
48/* .IP \fBdefer\fR
49/*	Per-recipient status information about why mail is delayed.
50/*	These files are maintained by the \fBdefer\fR(8) daemon.
51/* .IP \fBtrace\fR
52/*	Per-recipient status information as requested with the
53/*	Postfix "\fBsendmail -v\fR" or "\fBsendmail -bv\fR" command.
54/*	These files are maintained by the \fBtrace\fR(8) daemon.
55/* .PP
56/*	The \fBqmgr\fR(8) daemon is responsible for asking the
57/*	\fBbounce\fR(8), \fBdefer\fR(8) or \fBtrace\fR(8) daemons to
58/*	send delivery reports.
59/* STRATEGIES
60/* .ad
61/* .fi
62/*	The queue manager implements a variety of strategies for
63/*	either opening queue files (input) or for message delivery (output).
64/* .IP "\fBleaky bucket\fR"
65/*	This strategy limits the number of messages in the \fBactive\fR queue
66/*	and prevents the queue manager from running out of memory under
67/*	heavy load.
68/* .IP \fBfairness\fR
69/*	When the \fBactive\fR queue has room, the queue manager takes one
70/*	message from the \fBincoming\fR queue and one from the \fBdeferred\fR
71/*	queue. This prevents a large mail backlog from blocking the delivery
72/*	of new mail.
73/* .IP "\fBslow start\fR"
74/*	This strategy eliminates "thundering herd" problems by slowly
75/*	adjusting the number of parallel deliveries to the same destination.
76/* .IP "\fBround robin\fR
77/*	The queue manager sorts delivery requests by destination.
78/*	Round-robin selection prevents one destination from dominating
79/*	deliveries to other destinations.
80/* .IP "\fBexponential backoff\fR"
81/*	Mail that cannot be delivered upon the first attempt is deferred.
82/*	The time interval between delivery attempts is doubled after each
83/*	attempt.
84/* .IP "\fBdestination status cache\fR"
85/*	The queue manager avoids unnecessary delivery attempts by
86/*	maintaining a short-term, in-memory list of unreachable destinations.
87/* .IP "\fBpreemptive message scheduling\fR"
88/*	The queue manager attempts to minimize the average per-recipient delay
89/*	while still preserving the correct per-message delays, using
90/*	a sophisticated preemptive message scheduling.
91/* TRIGGERS
92/* .ad
93/* .fi
94/*	On an idle system, the queue manager waits for the arrival of
95/*	trigger events, or it waits for a timer to go off. A trigger
96/*	is a one-byte message.
97/*	Depending on the message received, the queue manager performs
98/*	one of the following actions (the message is followed by the
99/*	symbolic constant used internally by the software):
100/* .IP "\fBD (QMGR_REQ_SCAN_DEFERRED)\fR"
101/*	Start a deferred queue scan.  If a deferred queue scan is already
102/*	in progress, that scan will be restarted as soon as it finishes.
103/* .IP "\fBI (QMGR_REQ_SCAN_INCOMING)\fR"
104/*	Start an incoming queue scan. If an incoming queue scan is already
105/*	in progress, that scan will be restarted as soon as it finishes.
106/* .IP "\fBA (QMGR_REQ_SCAN_ALL)\fR"
107/*	Ignore deferred queue file time stamps. The request affects
108/*	the next deferred queue scan.
109/* .IP "\fBF (QMGR_REQ_FLUSH_DEAD)\fR"
110/*	Purge all information about dead transports and destinations.
111/* .IP "\fBW (TRIGGER_REQ_WAKEUP)\fR"
112/*	Wakeup call, This is used by the master server to instantiate
113/*	servers that should not go away forever. The action is to start
114/*	an incoming queue scan.
115/* .PP
116/*	The \fBqmgr\fR(8) daemon reads an entire buffer worth of triggers.
117/*	Multiple identical trigger requests are collapsed into one, and
118/*	trigger requests are sorted so that \fBA\fR and \fBF\fR precede
119/*	\fBD\fR and \fBI\fR. Thus, in order to force a deferred queue run,
120/*	one would request \fBA F D\fR; in order to notify the queue manager
121/*	of the arrival of new mail one would request \fBI\fR.
122/* STANDARDS
123/*	RFC 3463 (Enhanced status codes)
124/*	RFC 3464 (Delivery status notifications)
125/* SECURITY
126/* .ad
127/* .fi
128/*	The \fBqmgr\fR(8) daemon is not security sensitive. It reads
129/*	single-character messages from untrusted local users, and thus may
130/*	be susceptible to denial of service attacks. The \fBqmgr\fR(8) daemon
131/*	does not talk to the outside world, and it can be run at fixed low
132/*	privilege in a chrooted environment.
133/* DIAGNOSTICS
134/*	Problems and transactions are logged to the syslog daemon.
135/*	Corrupted message files are saved to the \fBcorrupt\fR queue
136/*	for further inspection.
137/*
138/*	Depending on the setting of the \fBnotify_classes\fR parameter,
139/*	the postmaster is notified of bounces and of other trouble.
140/* BUGS
141/*	A single queue manager process has to compete for disk access with
142/*	multiple front-end processes such as \fBcleanup\fR(8). A sudden burst of
143/*	inbound mail can negatively impact outbound delivery rates.
144/* CONFIGURATION PARAMETERS
145/* .ad
146/* .fi
147/*	Changes to \fBmain.cf\fR are not picked up automatically
148/*	as \fBqmgr\fR(8)
149/*	is a persistent process. Use the "\fBpostfix reload\fR" command after
150/*	a configuration change.
151/*
152/*	The text below provides only a parameter summary. See
153/*	\fBpostconf\fR(5) for more details including examples.
154/*
155/*	In the text below, \fItransport\fR is the first field in a
156/*	\fBmaster.cf\fR entry.
157/* COMPATIBILITY CONTROLS
158/* .ad
159/* .fi
160/*	Available before Postfix version 2.5:
161/* .IP "\fBallow_min_user (no)\fR"
162/*	Allow a sender or recipient address to have `-' as the first
163/*	character.
164/* .PP
165/*	Available with Postfix version 2.7 and later:
166/* .IP "\fBdefault_filter_nexthop (empty)\fR"
167/*	When a content_filter or FILTER request specifies no explicit
168/*	next-hop destination, use $default_filter_nexthop instead; when
169/*	that value is empty, use the domain in the recipient address.
170/* ACTIVE QUEUE CONTROLS
171/* .ad
172/* .fi
173/* .IP "\fBqmgr_clog_warn_time (300s)\fR"
174/*	The minimal delay between warnings that a specific destination is
175/*	clogging up the Postfix active queue.
176/* .IP "\fBqmgr_message_active_limit (20000)\fR"
177/*	The maximal number of messages in the active queue.
178/* .IP "\fBqmgr_message_recipient_limit (20000)\fR"
179/*	The maximal number of recipients held in memory by the Postfix
180/*	queue manager, and the maximal size of the short-term,
181/*	in-memory "dead" destination status cache.
182/* .IP "\fBqmgr_message_recipient_minimum (10)\fR"
183/*	The minimal number of in-memory recipients for any message.
184/* .IP "\fBdefault_recipient_limit (20000)\fR"
185/*	The default per-transport upper limit on the number of in-memory
186/*	recipients.
187/* .IP "\fItransport\fB_recipient_limit ($default_recipient_limit)\fR"
188/*	Idem, for delivery via the named message \fItransport\fR.
189/* .IP "\fBdefault_extra_recipient_limit (1000)\fR"
190/*	The default value for the extra per-transport limit imposed on the
191/*	number of in-memory recipients.
192/* .IP "\fItransport\fB_extra_recipient_limit ($default_extra_recipient_limit)\fR"
193/*	Idem, for delivery via the named message \fItransport\fR.
194/* .PP
195/*	Available in Postfix version 2.4 and later:
196/* .IP "\fBdefault_recipient_refill_limit (100)\fR"
197/*	The default per-transport limit on the number of recipients refilled at
198/*	once.
199/* .IP "\fItransport\fB_recipient_refill_limit ($default_recipient_refill_limit)\fR"
200/*	Idem, for delivery via the named message \fItransport\fR.
201/* .IP "\fBdefault_recipient_refill_delay (5s)\fR"
202/*	The default per-transport maximum delay between recipients refills.
203/* .IP "\fItransport\fB_recipient_refill_delay ($default_recipient_refill_delay)\fR"
204/*	Idem, for delivery via the named message \fItransport\fR.
205/* DELIVERY CONCURRENCY CONTROLS
206/* .ad
207/* .fi
208/* .IP "\fBinitial_destination_concurrency (5)\fR"
209/*	The initial per-destination concurrency level for parallel delivery
210/*	to the same destination.
211/* .IP "\fBdefault_destination_concurrency_limit (20)\fR"
212/*	The default maximal number of parallel deliveries to the same
213/*	destination.
214/* .IP "\fItransport\fB_destination_concurrency_limit ($default_destination_concurrency_limit)\fR"
215/*	Idem, for delivery via the named message \fItransport\fR.
216/* .PP
217/*	Available in Postfix version 2.5 and later:
218/* .IP "\fItransport\fB_initial_destination_concurrency ($initial_destination_concurrency)\fR"
219/*	Initial concurrency for delivery via the named message
220/*	\fItransport\fR.
221/* .IP "\fBdefault_destination_concurrency_failed_cohort_limit (1)\fR"
222/*	How many pseudo-cohorts must suffer connection or handshake
223/*	failure before a specific destination is considered unavailable
224/*	(and further delivery is suspended).
225/* .IP "\fItransport\fB_destination_concurrency_failed_cohort_limit ($default_destination_concurrency_failed_cohort_limit)\fR"
226/*	Idem, for delivery via the named message \fItransport\fR.
227/* .IP "\fBdefault_destination_concurrency_negative_feedback (1)\fR"
228/*	The per-destination amount of delivery concurrency negative
229/*	feedback, after a delivery completes with a connection or handshake
230/*	failure.
231/* .IP "\fItransport\fB_destination_concurrency_negative_feedback ($default_destination_concurrency_negative_feedback)\fR"
232/*	Idem, for delivery via the named message \fItransport\fR.
233/* .IP "\fBdefault_destination_concurrency_positive_feedback (1)\fR"
234/*	The per-destination amount of delivery concurrency positive
235/*	feedback, after a delivery completes without connection or handshake
236/*	failure.
237/* .IP "\fItransport\fB_destination_concurrency_positive_feedback ($default_destination_concurrency_positive_feedback)\fR"
238/*	Idem, for delivery via the named message \fItransport\fR.
239/* .IP "\fBdestination_concurrency_feedback_debug (no)\fR"
240/*	Make the queue manager's feedback algorithm verbose for performance
241/*	analysis purposes.
242/* RECIPIENT SCHEDULING CONTROLS
243/* .ad
244/* .fi
245/* .IP "\fBdefault_destination_recipient_limit (50)\fR"
246/*	The default maximal number of recipients per message delivery.
247/* .IP "\fItransport\fB_destination_recipient_limit ($default_destination_recipient_limit)\fR"
248/*	Idem, for delivery via the named message \fItransport\fR.
249/* MESSAGE SCHEDULING CONTROLS
250/* .ad
251/* .fi
252/* .IP "\fBdefault_delivery_slot_cost (5)\fR"
253/*	How often the Postfix queue manager's scheduler is allowed to
254/*	preempt delivery of one message with another.
255/* .IP "\fItransport\fB_delivery_slot_cost ($default_delivery_slot_cost)\fR"
256/*	Idem, for delivery via the named message \fItransport\fR.
257/* .IP "\fBdefault_minimum_delivery_slots (3)\fR"
258/*	How many recipients a message must have in order to invoke the
259/*	Postfix queue manager's scheduling algorithm at all.
260/* .IP "\fItransport\fB_minimum_delivery_slots ($default_minimum_delivery_slots)\fR"
261/*	Idem, for delivery via the named message \fItransport\fR.
262/* .IP "\fBdefault_delivery_slot_discount (50)\fR"
263/*	The default value for transport-specific _delivery_slot_discount
264/*	settings.
265/* .IP "\fItransport\fB_delivery_slot_discount ($default_delivery_slot_discount)\fR"
266/*	Idem, for delivery via the named message \fItransport\fR.
267/* .IP "\fBdefault_delivery_slot_loan (3)\fR"
268/*	The default value for transport-specific _delivery_slot_loan
269/*	settings.
270/* .IP "\fItransport\fB_delivery_slot_loan ($default_delivery_slot_loan)\fR"
271/*	Idem, for delivery via the named message \fItransport\fR.
272/* OTHER RESOURCE AND RATE CONTROLS
273/* .ad
274/* .fi
275/* .IP "\fBminimal_backoff_time (300s)\fR"
276/*	The minimal time between attempts to deliver a deferred message;
277/*	prior to Postfix 2.4 the default value was 1000s.
278/* .IP "\fBmaximal_backoff_time (4000s)\fR"
279/*	The maximal time between attempts to deliver a deferred message.
280/* .IP "\fBmaximal_queue_lifetime (5d)\fR"
281/*	Consider a message as undeliverable, when delivery fails with a
282/*	temporary error, and the time in the queue has reached the
283/*	maximal_queue_lifetime limit.
284/* .IP "\fBqueue_run_delay (300s)\fR"
285/*	The time between deferred queue scans by the queue manager;
286/*	prior to Postfix 2.4 the default value was 1000s.
287/* .IP "\fBtransport_retry_time (60s)\fR"
288/*	The time between attempts by the Postfix queue manager to contact
289/*	a malfunctioning message delivery transport.
290/* .PP
291/*	Available in Postfix version 2.1 and later:
292/* .IP "\fBbounce_queue_lifetime (5d)\fR"
293/*	Consider a bounce message as undeliverable, when delivery fails
294/*	with a temporary error, and the time in the queue has reached the
295/*	bounce_queue_lifetime limit.
296/* .PP
297/*	Available in Postfix version 2.5 and later:
298/* .IP "\fBdefault_destination_rate_delay (0s)\fR"
299/*	The default amount of delay that is inserted between individual
300/*	deliveries to the same destination; the resulting behavior depends
301/*	on the value of the corresponding per-destination recipient limit.
302/* .IP "\fItransport\fB_destination_rate_delay $default_destination_rate_delay
303/*	Idem, for delivery via the named message \fItransport\fR.
304/* SAFETY CONTROLS
305/* .ad
306/* .fi
307/* .IP "\fBqmgr_daemon_timeout (1000s)\fR"
308/*	How much time a Postfix queue manager process may take to handle
309/*	a request before it is terminated by a built-in watchdog timer.
310/* .IP "\fBqmgr_ipc_timeout (60s)\fR"
311/*	The time limit for the queue manager to send or receive information
312/*	over an internal communication channel.
313/* MISCELLANEOUS CONTROLS
314/* .ad
315/* .fi
316/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
317/*	The default location of the Postfix main.cf and master.cf
318/*	configuration files.
319/* .IP "\fBdefer_transports (empty)\fR"
320/*	The names of message delivery transports that should not deliver mail
321/*	unless someone issues "\fBsendmail -q\fR" or equivalent.
322/* .IP "\fBdelay_logging_resolution_limit (2)\fR"
323/*	The maximal number of digits after the decimal point when logging
324/*	sub-second delay values.
325/* .IP "\fBhelpful_warnings (yes)\fR"
326/*	Log warnings about problematic configuration settings, and provide
327/*	helpful suggestions.
328/* .IP "\fBprocess_id (read-only)\fR"
329/*	The process ID of a Postfix command or daemon process.
330/* .IP "\fBprocess_name (read-only)\fR"
331/*	The process name of a Postfix command or daemon process.
332/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
333/*	The location of the Postfix top-level queue directory.
334/* .IP "\fBsyslog_facility (mail)\fR"
335/*	The syslog facility of Postfix logging.
336/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
337/*	The mail system name that is prepended to the process name in syslog
338/*	records, so that "smtpd" becomes, for example, "postfix/smtpd".
339/* FILES
340/*	/var/spool/postfix/incoming, incoming queue
341/*	/var/spool/postfix/active, active queue
342/*	/var/spool/postfix/deferred, deferred queue
343/*	/var/spool/postfix/bounce, non-delivery status
344/*	/var/spool/postfix/defer, non-delivery status
345/*	/var/spool/postfix/trace, delivery status
346/* SEE ALSO
347/*	trivial-rewrite(8), address routing
348/*	bounce(8), delivery status reports
349/*	postconf(5), configuration parameters
350/*	master(5), generic daemon options
351/*	master(8), process manager
352/*	syslogd(8), system logging
353/* README FILES
354/* .ad
355/* .fi
356/*	Use "\fBpostconf readme_directory\fR" or
357/*	"\fBpostconf html_directory\fR" to locate this information.
358/* .na
359/* .nf
360/*	SCHEDULER_README, scheduling algorithm
361/*	QSHAPE_README, Postfix queue analysis
362/* LICENSE
363/* .ad
364/* .fi
365/*	The Secure Mailer license must be distributed with this software.
366/* AUTHOR(S)
367/*	Wietse Venema
368/*	IBM T.J. Watson Research
369/*	P.O. Box 704
370/*	Yorktown Heights, NY 10598, USA
371/*
372/*	Preemptive scheduler enhancements:
373/*	Patrik Rak
374/*	Modra 6
375/*	155 00, Prague, Czech Republic
376/*--*/
377
378/* System library. */
379
380#include <sys_defs.h>
381#include <stdlib.h>
382#include <unistd.h>
383#include <ctype.h>
384
385/* Utility library. */
386
387#include <msg.h>
388#include <events.h>
389#include <vstream.h>
390#include <dict.h>
391
392/* Global library. */
393
394#include <mail_queue.h>
395#include <recipient_list.h>
396#include <mail_conf.h>
397#include <mail_params.h>
398#include <mail_version.h>
399#include <mail_proto.h>			/* QMGR_SCAN constants */
400#include <mail_flow.h>
401#include <flush_clnt.h>
402
403/* Master process interface */
404
405#include <master_proto.h>
406#include <mail_server.h>
407
408/* Application-specific. */
409
410#include "qmgr.h"
411
412 /*
413  * Tunables.
414  */
415int     var_queue_run_delay;
416int     var_min_backoff_time;
417int     var_max_backoff_time;
418int     var_max_queue_time;
419int     var_dsn_queue_time;
420int     var_qmgr_active_limit;
421int     var_qmgr_rcpt_limit;
422int     var_qmgr_msg_rcpt_limit;
423int     var_xport_rcpt_limit;
424int     var_stack_rcpt_limit;
425int     var_xport_refill_limit;
426int     var_xport_refill_delay;
427int     var_delivery_slot_cost;
428int     var_delivery_slot_loan;
429int     var_delivery_slot_discount;
430int     var_min_delivery_slots;
431int     var_init_dest_concurrency;
432int     var_transport_retry_time;
433int     var_dest_con_limit;
434int     var_dest_rcpt_limit;
435char   *var_defer_xports;
436int     var_local_con_lim;
437int     var_local_rcpt_lim;
438bool    var_verp_bounce_off;
439int     var_qmgr_clog_warn_time;
440char   *var_conc_pos_feedback;
441char   *var_conc_neg_feedback;
442int     var_conc_cohort_limit;
443int     var_conc_feedback_debug;
444int     var_dest_rate_delay;
445char   *var_def_filter_nexthop;
446int     var_qmgr_daemon_timeout;
447int     var_qmgr_ipc_timeout;
448
449static QMGR_SCAN *qmgr_scans[2];
450
451#define QMGR_SCAN_IDX_INCOMING 0
452#define QMGR_SCAN_IDX_DEFERRED 1
453#define QMGR_SCAN_IDX_COUNT (sizeof(qmgr_scans) / sizeof(qmgr_scans[0]))
454
455/* qmgr_deferred_run_event - queue manager heartbeat */
456
457static void qmgr_deferred_run_event(int unused_event, char *dummy)
458{
459
460    /*
461     * This routine runs when it is time for another deferred queue scan.
462     * Make sure this routine gets called again in the future.
463     */
464    qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_DEFERRED], QMGR_SCAN_START);
465    event_request_timer(qmgr_deferred_run_event, dummy, var_queue_run_delay);
466}
467
468/* qmgr_trigger_event - respond to external trigger(s) */
469
470static void qmgr_trigger_event(char *buf, int len,
471			               char *unused_service, char **argv)
472{
473    int     incoming_flag = 0;
474    int     deferred_flag = 0;
475    int     i;
476
477    /*
478     * Sanity check. This service takes no command-line arguments.
479     */
480    if (argv[0])
481	msg_fatal("unexpected command-line argument: %s", argv[0]);
482
483    /*
484     * Collapse identical requests that have arrived since we looked last
485     * time. There is no client feedback so there is no need to process each
486     * request in order. And as long as we don't have conflicting requests we
487     * are free to sort them into the most suitable order.
488     */
489#define QMGR_FLUSH_BEFORE	(QMGR_FLUSH_ONCE | QMGR_FLUSH_DFXP)
490
491    for (i = 0; i < len; i++) {
492	if (msg_verbose)
493	    msg_info("request: %d (%c)",
494		     buf[i], ISALNUM(buf[i]) ? buf[i] : '?');
495	switch (buf[i]) {
496	case TRIGGER_REQ_WAKEUP:
497	case QMGR_REQ_SCAN_INCOMING:
498	    incoming_flag |= QMGR_SCAN_START;
499	    break;
500	case QMGR_REQ_SCAN_DEFERRED:
501	    deferred_flag |= QMGR_SCAN_START;
502	    break;
503	case QMGR_REQ_FLUSH_DEAD:
504	    deferred_flag |= QMGR_FLUSH_BEFORE;
505	    incoming_flag |= QMGR_FLUSH_BEFORE;
506	    break;
507	case QMGR_REQ_SCAN_ALL:
508	    deferred_flag |= QMGR_SCAN_ALL;
509	    incoming_flag |= QMGR_SCAN_ALL;
510	    break;
511	default:
512	    if (msg_verbose)
513		msg_info("request ignored");
514	    break;
515	}
516    }
517
518    /*
519     * Process each request type at most once. Modifiers take effect upon the
520     * next queue run. If no queue run is in progress, and a queue scan is
521     * requested, the request takes effect immediately.
522     */
523    if (incoming_flag != 0)
524	qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_INCOMING], incoming_flag);
525    if (deferred_flag != 0)
526	qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_DEFERRED], deferred_flag);
527}
528
529/* qmgr_loop - queue manager main loop */
530
531static int qmgr_loop(char *unused_name, char **unused_argv)
532{
533    char   *path;
534    int     token_count;
535    int     feed = 0;
536    int     scan_idx;			/* Priority order scan index */
537    static int first_scan_idx = QMGR_SCAN_IDX_INCOMING;
538    int     last_scan_idx = QMGR_SCAN_IDX_COUNT - 1;
539    int     delay;
540
541    /*
542     * This routine runs as part of the event handling loop, after the event
543     * manager has delivered a timer or I/O event (including the completion
544     * of a connection to a delivery process), or after it has waited for a
545     * specified amount of time. The result value of qmgr_loop() specifies
546     * how long the event manager should wait for the next event.
547     */
548#define DONT_WAIT	0
549#define WAIT_FOR_EVENT	(-1)
550
551    /*
552     * Attempt to drain the active queue by allocating a suitable delivery
553     * process and by delivering mail via it. Delivery process allocation and
554     * mail delivery are asynchronous.
555     */
556    qmgr_active_drain();
557
558    /*
559     * Let some new blood into the active queue when the queue size is
560     * smaller than some configurable limit.
561     *
562     * We import one message per interrupt, to optimally tune the input count
563     * for the number of delivery agent protocol wait states, as explained in
564     * qmgr_transport.c.
565     */
566    delay = WAIT_FOR_EVENT;
567    for (scan_idx = 0; qmgr_message_count < var_qmgr_active_limit
568	 && scan_idx < QMGR_SCAN_IDX_COUNT; ++scan_idx) {
569	last_scan_idx = (scan_idx + first_scan_idx) % QMGR_SCAN_IDX_COUNT;
570	if ((path = qmgr_scan_next(qmgr_scans[last_scan_idx])) != 0) {
571	    delay = DONT_WAIT;
572	    if ((feed = qmgr_active_feed(qmgr_scans[last_scan_idx], path)) != 0)
573		break;
574	}
575    }
576
577    /*
578     * Round-robin the queue scans. When the active queue becomes full,
579     * prefer new mail over deferred mail.
580     */
581    if (qmgr_message_count < var_qmgr_active_limit) {
582	first_scan_idx = (last_scan_idx + 1) % QMGR_SCAN_IDX_COUNT;
583    } else if (first_scan_idx != QMGR_SCAN_IDX_INCOMING) {
584	first_scan_idx = QMGR_SCAN_IDX_INCOMING;
585    }
586
587    /*
588     * Global flow control. If enabled, slow down receiving processes that
589     * get ahead of the queue manager, but don't block them completely.
590     */
591    if (var_in_flow_delay > 0) {
592	token_count = mail_flow_count();
593	if (token_count < var_proc_limit) {
594	    if (feed != 0 && last_scan_idx == QMGR_SCAN_IDX_INCOMING)
595		mail_flow_put(1);
596	    else if (qmgr_scans[QMGR_SCAN_IDX_INCOMING]->handle == 0)
597		mail_flow_put(var_proc_limit - token_count);
598	} else if (token_count > var_proc_limit) {
599	    mail_flow_get(token_count - var_proc_limit);
600	}
601    }
602    return (delay);
603}
604
605/* pre_accept - see if tables have changed */
606
607static void pre_accept(char *unused_name, char **unused_argv)
608{
609    const char *table;
610
611    if ((table = dict_changed_name()) != 0) {
612	msg_info("table %s has changed -- restarting", table);
613	exit(0);
614    }
615}
616
617/* qmgr_pre_init - pre-jail initialization */
618
619static void qmgr_pre_init(char *unused_name, char **unused_argv)
620{
621    flush_init();
622}
623
624/* qmgr_post_init - post-jail initialization */
625
626static void qmgr_post_init(char *name, char **unused_argv)
627{
628
629    /*
630     * Backwards compatibility.
631     */
632    if (strcmp(var_procname, "nqmgr") == 0) {
633	msg_warn("please update the %s/%s file; the new queue manager",
634		 var_config_dir, MASTER_CONF_FILE);
635	msg_warn("(old name: nqmgr) has become the standard queue manager (new name: qmgr)");
636	msg_warn("support for the name old name (nqmgr) will be removed from Postfix");
637    }
638
639    /*
640     * Sanity check.
641     */
642    if (var_qmgr_rcpt_limit < var_qmgr_active_limit) {
643	msg_warn("%s is smaller than %s - adjusting %s",
644	      VAR_QMGR_RCPT_LIMIT, VAR_QMGR_ACT_LIMIT, VAR_QMGR_RCPT_LIMIT);
645	var_qmgr_rcpt_limit = var_qmgr_active_limit;
646    }
647    if (var_dsn_queue_time > var_max_queue_time) {
648	msg_warn("%s is larger than %s - adjusting %s",
649		 VAR_DSN_QUEUE_TIME, VAR_MAX_QUEUE_TIME, VAR_DSN_QUEUE_TIME);
650	var_dsn_queue_time = var_max_queue_time;
651    }
652
653    /*
654     * This routine runs after the skeleton code has entered the chroot jail.
655     * Prevent automatic process suicide after a limited number of client
656     * requests or after a limited amount of idle time. Move any left-over
657     * entries from the active queue to the incoming queue, and give them a
658     * time stamp into the future, in order to allow ongoing deliveries to
659     * finish first. Start scanning the incoming and deferred queues.
660     * Left-over active queue entries are moved to the incoming queue because
661     * the incoming queue has priority; moving left-overs to the deferred
662     * queue could cause anomalous delays when "postfix reload/start" are
663     * issued often. Override the IPC timeout (default 3600s) so that the
664     * queue manager can reset a broken IPC channel before the watchdog timer
665     * goes off.
666     */
667    var_ipc_timeout = var_qmgr_ipc_timeout;
668    var_use_limit = 0;
669    var_idle_limit = 0;
670    qmgr_move(MAIL_QUEUE_ACTIVE, MAIL_QUEUE_INCOMING, event_time());
671    qmgr_scans[QMGR_SCAN_IDX_INCOMING] = qmgr_scan_create(MAIL_QUEUE_INCOMING);
672    qmgr_scans[QMGR_SCAN_IDX_DEFERRED] = qmgr_scan_create(MAIL_QUEUE_DEFERRED);
673    qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_INCOMING], QMGR_SCAN_START);
674    qmgr_deferred_run_event(0, (char *) 0);
675}
676
677MAIL_VERSION_STAMP_DECLARE;
678
679/* main - the main program */
680
681int     main(int argc, char **argv)
682{
683    static const CONFIG_STR_TABLE str_table[] = {
684	VAR_DEFER_XPORTS, DEF_DEFER_XPORTS, &var_defer_xports, 0, 0,
685	VAR_CONC_POS_FDBACK, DEF_CONC_POS_FDBACK, &var_conc_pos_feedback, 1, 0,
686	VAR_CONC_NEG_FDBACK, DEF_CONC_NEG_FDBACK, &var_conc_neg_feedback, 1, 0,
687	VAR_DEF_FILTER_NEXTHOP, DEF_DEF_FILTER_NEXTHOP, &var_def_filter_nexthop, 0, 0,
688	0,
689    };
690    static const CONFIG_TIME_TABLE time_table[] = {
691	VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0,
692	VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
693	VAR_MAX_BACKOFF_TIME, DEF_MAX_BACKOFF_TIME, &var_max_backoff_time, 1, 0,
694	VAR_MAX_QUEUE_TIME, DEF_MAX_QUEUE_TIME, &var_max_queue_time, 0, 8640000,
695	VAR_DSN_QUEUE_TIME, DEF_DSN_QUEUE_TIME, &var_dsn_queue_time, 0, 8640000,
696	VAR_XPORT_RETRY_TIME, DEF_XPORT_RETRY_TIME, &var_transport_retry_time, 1, 0,
697	VAR_QMGR_CLOG_WARN_TIME, DEF_QMGR_CLOG_WARN_TIME, &var_qmgr_clog_warn_time, 0, 0,
698	VAR_XPORT_REFILL_DELAY, DEF_XPORT_REFILL_DELAY, &var_xport_refill_delay, 1, 0,
699	VAR_DEST_RATE_DELAY, DEF_DEST_RATE_DELAY, &var_dest_rate_delay, 0, 0,
700	VAR_QMGR_DAEMON_TIMEOUT, DEF_QMGR_DAEMON_TIMEOUT, &var_qmgr_daemon_timeout, 1, 0,
701	VAR_QMGR_IPC_TIMEOUT, DEF_QMGR_IPC_TIMEOUT, &var_qmgr_ipc_timeout, 1, 0,
702	0,
703    };
704    static const CONFIG_INT_TABLE int_table[] = {
705	VAR_QMGR_ACT_LIMIT, DEF_QMGR_ACT_LIMIT, &var_qmgr_active_limit, 1, 0,
706	VAR_QMGR_RCPT_LIMIT, DEF_QMGR_RCPT_LIMIT, &var_qmgr_rcpt_limit, 1, 0,
707	VAR_QMGR_MSG_RCPT_LIMIT, DEF_QMGR_MSG_RCPT_LIMIT, &var_qmgr_msg_rcpt_limit, 1, 0,
708	VAR_XPORT_RCPT_LIMIT, DEF_XPORT_RCPT_LIMIT, &var_xport_rcpt_limit, 0, 0,
709	VAR_STACK_RCPT_LIMIT, DEF_STACK_RCPT_LIMIT, &var_stack_rcpt_limit, 0, 0,
710	VAR_XPORT_REFILL_LIMIT, DEF_XPORT_REFILL_LIMIT, &var_xport_refill_limit, 1, 0,
711	VAR_DELIVERY_SLOT_COST, DEF_DELIVERY_SLOT_COST, &var_delivery_slot_cost, 0, 0,
712	VAR_DELIVERY_SLOT_LOAN, DEF_DELIVERY_SLOT_LOAN, &var_delivery_slot_loan, 0, 0,
713	VAR_DELIVERY_SLOT_DISCOUNT, DEF_DELIVERY_SLOT_DISCOUNT, &var_delivery_slot_discount, 0, 100,
714	VAR_MIN_DELIVERY_SLOTS, DEF_MIN_DELIVERY_SLOTS, &var_min_delivery_slots, 0, 0,
715	VAR_INIT_DEST_CON, DEF_INIT_DEST_CON, &var_init_dest_concurrency, 1, 0,
716	VAR_DEST_CON_LIMIT, DEF_DEST_CON_LIMIT, &var_dest_con_limit, 0, 0,
717	VAR_DEST_RCPT_LIMIT, DEF_DEST_RCPT_LIMIT, &var_dest_rcpt_limit, 0, 0,
718	VAR_LOCAL_RCPT_LIMIT, DEF_LOCAL_RCPT_LIMIT, &var_local_rcpt_lim, 0, 0,
719	VAR_LOCAL_CON_LIMIT, DEF_LOCAL_CON_LIMIT, &var_local_con_lim, 0, 0,
720	VAR_CONC_COHORT_LIM, DEF_CONC_COHORT_LIM, &var_conc_cohort_limit, 0, 0,
721	0,
722    };
723    static const CONFIG_BOOL_TABLE bool_table[] = {
724	VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off,
725	VAR_CONC_FDBACK_DEBUG, DEF_CONC_FDBACK_DEBUG, &var_conc_feedback_debug,
726	0,
727    };
728
729    /*
730     * Fingerprint executables and core dumps.
731     */
732    MAIL_VERSION_STAMP_ALLOCATE;
733
734    /*
735     * Use the trigger service skeleton, because no-one else should be
736     * monitoring our service port while this process runs, and because we do
737     * not talk back to the client.
738     */
739    trigger_server_main(argc, argv, qmgr_trigger_event,
740			MAIL_SERVER_INT_TABLE, int_table,
741			MAIL_SERVER_STR_TABLE, str_table,
742			MAIL_SERVER_BOOL_TABLE, bool_table,
743			MAIL_SERVER_TIME_TABLE, time_table,
744			MAIL_SERVER_PRE_INIT, qmgr_pre_init,
745			MAIL_SERVER_POST_INIT, qmgr_post_init,
746			MAIL_SERVER_LOOP, qmgr_loop,
747			MAIL_SERVER_PRE_ACCEPT, pre_accept,
748			MAIL_SERVER_SOLITARY,
749			MAIL_SERVER_WATCHDOG, &var_qmgr_daemon_timeout,
750			0);
751}
752