1/*	$NetBSD: qmgr.c,v 1.3 2020/03/18 19:05:19 christos Exp $	*/
2
3/*++
4/* NAME
5/*	qmgr 8
6/* SUMMARY
7/*	Postfix queue manager
8/* SYNOPSIS
9/*	\fBqmgr\fR [generic Postfix daemon options]
10/* DESCRIPTION
11/*	The \fBqmgr\fR(8) daemon awaits the arrival of incoming mail
12/*	and arranges for its delivery via Postfix delivery processes.
13/*	The actual mail routing strategy is delegated to the
14/*	\fBtrivial-rewrite\fR(8) daemon.
15/*	This program expects to be run from the \fBmaster\fR(8) process
16/*	manager.
17/*
18/*	Mail addressed to the local \fBdouble-bounce\fR address is
19/*	logged and discarded.  This stops potential loops caused by
20/*	undeliverable bounce notifications.
21/* MAIL QUEUES
22/* .ad
23/* .fi
24/*	The \fBqmgr\fR(8) daemon maintains the following queues:
25/* .IP \fBincoming\fR
26/*	Inbound mail from the network, or mail picked up by the
27/*	local \fBpickup\fR(8) daemon from the \fBmaildrop\fR directory.
28/* .IP \fBactive\fR
29/*	Messages that the queue manager has opened for delivery. Only
30/*	a limited number of messages is allowed to enter the \fBactive\fR
31/*	queue (leaky bucket strategy, for a fixed delivery rate).
32/* .IP \fBdeferred\fR
33/*	Mail that could not be delivered upon the first attempt. The queue
34/*	manager implements exponential backoff by doubling the time between
35/*	delivery attempts.
36/* .IP \fBcorrupt\fR
37/*	Unreadable or damaged queue files are moved here for inspection.
38/* .IP \fBhold\fR
39/*	Messages that are kept "on hold" are kept here until someone
40/*	sets them free.
41/* DELIVERY STATUS REPORTS
42/* .ad
43/* .fi
44/*	The \fBqmgr\fR(8) daemon keeps an eye on per-message delivery status
45/*	reports in the following directories. Each status report file has
46/*	the same name as the corresponding message file:
47/* .IP \fBbounce\fR
48/*	Per-recipient status information about why mail is bounced.
49/*	These files are maintained by the \fBbounce\fR(8) daemon.
50/* .IP \fBdefer\fR
51/*	Per-recipient status information about why mail is delayed.
52/*	These files are maintained by the \fBdefer\fR(8) daemon.
53/* .IP \fBtrace\fR
54/*	Per-recipient status information as requested with the
55/*	Postfix "\fBsendmail -v\fR" or "\fBsendmail -bv\fR" command.
56/*	These files are maintained by the \fBtrace\fR(8) daemon.
57/* .PP
58/*	The \fBqmgr\fR(8) daemon is responsible for asking the
59/*	\fBbounce\fR(8), \fBdefer\fR(8) or \fBtrace\fR(8) daemons to
60/*	send delivery reports.
61/* STRATEGIES
62/* .ad
63/* .fi
64/*	The queue manager implements a variety of strategies for
65/*	either opening queue files (input) or for message delivery (output).
66/* .IP "\fBleaky bucket\fR"
67/*	This strategy limits the number of messages in the \fBactive\fR queue
68/*	and prevents the queue manager from running out of memory under
69/*	heavy load.
70/* .IP \fBfairness\fR
71/*	When the \fBactive\fR queue has room, the queue manager takes one
72/*	message from the \fBincoming\fR queue and one from the \fBdeferred\fR
73/*	queue. This prevents a large mail backlog from blocking the delivery
74/*	of new mail.
75/* .IP "\fBslow start\fR"
76/*	This strategy eliminates "thundering herd" problems by slowly
77/*	adjusting the number of parallel deliveries to the same destination.
78/* .IP "\fBround robin\fR"
79/*	The queue manager sorts delivery requests by destination.
80/*	Round-robin selection prevents one destination from dominating
81/*	deliveries to other destinations.
82/* .IP "\fBexponential backoff\fR"
83/*	Mail that cannot be delivered upon the first attempt is deferred.
84/*	The time interval between delivery attempts is doubled after each
85/*	attempt.
86/* .IP "\fBdestination status cache\fR"
87/*	The queue manager avoids unnecessary delivery attempts by
88/*	maintaining a short-term, in-memory list of unreachable destinations.
89/* .IP "\fBpreemptive message scheduling\fR"
90/*	The queue manager attempts to minimize the average per-recipient delay
91/*	while still preserving the correct per-message delays, using
92/*	a sophisticated preemptive message scheduling.
93/* TRIGGERS
94/* .ad
95/* .fi
96/*	On an idle system, the queue manager waits for the arrival of
97/*	trigger events, or it waits for a timer to go off. A trigger
98/*	is a one-byte message.
99/*	Depending on the message received, the queue manager performs
100/*	one of the following actions (the message is followed by the
101/*	symbolic constant used internally by the software):
102/* .IP "\fBD (QMGR_REQ_SCAN_DEFERRED)\fR"
103/*	Start a deferred queue scan.  If a deferred queue scan is already
104/*	in progress, that scan will be restarted as soon as it finishes.
105/* .IP "\fBI (QMGR_REQ_SCAN_INCOMING)\fR"
106/*	Start an incoming queue scan. If an incoming queue scan is already
107/*	in progress, that scan will be restarted as soon as it finishes.
108/* .IP "\fBA (QMGR_REQ_SCAN_ALL)\fR"
109/*	Ignore deferred queue file time stamps. The request affects
110/*	the next deferred queue scan.
111/* .IP "\fBF (QMGR_REQ_FLUSH_DEAD)\fR"
112/*	Purge all information about dead transports and destinations.
113/* .IP "\fBW (TRIGGER_REQ_WAKEUP)\fR"
/*	Wakeup call. This is used by the master server to instantiate
/*	servers that should not go away forever. The action is to start
/*	an incoming queue scan.
117/* .PP
118/*	The \fBqmgr\fR(8) daemon reads an entire buffer worth of triggers.
119/*	Multiple identical trigger requests are collapsed into one, and
120/*	trigger requests are sorted so that \fBA\fR and \fBF\fR precede
121/*	\fBD\fR and \fBI\fR. Thus, in order to force a deferred queue run,
122/*	one would request \fBA F D\fR; in order to notify the queue manager
123/*	of the arrival of new mail one would request \fBI\fR.
124/* STANDARDS
125/*	RFC 3463 (Enhanced status codes)
126/*	RFC 3464 (Delivery status notifications)
127/* SECURITY
128/* .ad
129/* .fi
/*	The \fBqmgr\fR(8) daemon is not security sensitive. It reads
/*	single-character trigger messages from untrusted local users; bytes
/*	that are not a known request are ignored, but a flood of valid
/*	triggers may still be used for denial of service. The \fBqmgr\fR(8)
/*	daemon does not talk to the outside world, and it can be run at
/*	fixed low privilege in a chrooted environment.
135/* DIAGNOSTICS
136/*	Problems and transactions are logged to \fBsyslogd\fR(8)
137/*	or \fBpostlogd\fR(8).
138/*	Corrupted message files are saved to the \fBcorrupt\fR queue
139/*	for further inspection.
140/*
141/*	Depending on the setting of the \fBnotify_classes\fR parameter,
142/*	the postmaster is notified of bounces and of other trouble.
143/* BUGS
144/*	A single queue manager process has to compete for disk access with
145/*	multiple front-end processes such as \fBcleanup\fR(8). A sudden burst of
146/*	inbound mail can negatively impact outbound delivery rates.
147/* CONFIGURATION PARAMETERS
148/* .ad
149/* .fi
150/*	Changes to \fBmain.cf\fR are not picked up automatically
151/*	as \fBqmgr\fR(8)
152/*	is a persistent process. Use the "\fBpostfix reload\fR" command after
153/*	a configuration change.
154/*
155/*	The text below provides only a parameter summary. See
156/*	\fBpostconf\fR(5) for more details including examples.
157/*
158/*	In the text below, \fItransport\fR is the first field in a
159/*	\fBmaster.cf\fR entry.
160/* COMPATIBILITY CONTROLS
161/* .ad
162/* .fi
163/*	Available before Postfix version 2.5:
164/* .IP "\fBallow_min_user (no)\fR"
165/*	Allow a sender or recipient address to have `-' as the first
166/*	character.
167/* .PP
168/*	Available with Postfix version 2.7 and later:
169/* .IP "\fBdefault_filter_nexthop (empty)\fR"
170/*	When a content_filter or FILTER request specifies no explicit
171/*	next-hop destination, use $default_filter_nexthop instead; when
172/*	that value is empty, use the domain in the recipient address.
173/* ACTIVE QUEUE CONTROLS
174/* .ad
175/* .fi
176/* .IP "\fBqmgr_clog_warn_time (300s)\fR"
177/*	The minimal delay between warnings that a specific destination is
178/*	clogging up the Postfix active queue.
179/* .IP "\fBqmgr_message_active_limit (20000)\fR"
180/*	The maximal number of messages in the active queue.
181/* .IP "\fBqmgr_message_recipient_limit (20000)\fR"
182/*	The maximal number of recipients held in memory by the Postfix
183/*	queue manager, and the maximal size of the short-term,
184/*	in-memory "dead" destination status cache.
185/* .IP "\fBqmgr_message_recipient_minimum (10)\fR"
186/*	The minimal number of in-memory recipients for any message.
187/* .IP "\fBdefault_recipient_limit (20000)\fR"
188/*	The default per-transport upper limit on the number of in-memory
189/*	recipients.
190/* .IP "\fBtransport_recipient_limit ($default_recipient_limit)\fR"
191/*	A transport-specific override for the default_recipient_limit
192/*	parameter value, where \fItransport\fR is the master.cf name of
193/*	the message delivery transport.
194/* .IP "\fBdefault_extra_recipient_limit (1000)\fR"
195/*	The default value for the extra per-transport limit imposed on the
196/*	number of in-memory recipients.
197/* .IP "\fBtransport_extra_recipient_limit ($default_extra_recipient_limit)\fR"
198/*	A transport-specific override for the default_extra_recipient_limit
199/*	parameter value, where \fItransport\fR is the master.cf name of
200/*	the message delivery transport.
201/* .PP
202/*	Available in Postfix version 2.4 and later:
203/* .IP "\fBdefault_recipient_refill_limit (100)\fR"
204/*	The default per-transport limit on the number of recipients refilled at
205/*	once.
206/* .IP "\fBtransport_recipient_refill_limit ($default_recipient_refill_limit)\fR"
207/*	A transport-specific override for the default_recipient_refill_limit
208/*	parameter value, where \fItransport\fR is the master.cf name of
209/*	the message delivery transport.
210/* .IP "\fBdefault_recipient_refill_delay (5s)\fR"
211/*	The default per-transport maximum delay between recipients refills.
212/* .IP "\fBtransport_recipient_refill_delay ($default_recipient_refill_delay)\fR"
213/*	A transport-specific override for the default_recipient_refill_delay
214/*	parameter value, where \fItransport\fR is the master.cf name of
215/*	the message delivery transport.
216/* DELIVERY CONCURRENCY CONTROLS
217/* .ad
218/* .fi
219/* .IP "\fBinitial_destination_concurrency (5)\fR"
220/*	The initial per-destination concurrency level for parallel delivery
221/*	to the same destination.
222/* .IP "\fBdefault_destination_concurrency_limit (20)\fR"
223/*	The default maximal number of parallel deliveries to the same
224/*	destination.
225/* .IP "\fBtransport_destination_concurrency_limit ($default_destination_concurrency_limit)\fR"
226/*	A transport-specific override for the
227/*	default_destination_concurrency_limit parameter value, where
228/*	\fItransport\fR is the master.cf name of the message delivery
229/*	transport.
230/* .PP
231/*	Available in Postfix version 2.5 and later:
232/* .IP "\fBtransport_initial_destination_concurrency ($initial_destination_concurrency)\fR"
233/*	A transport-specific override for the initial_destination_concurrency
234/*	parameter value, where \fItransport\fR is the master.cf name of
235/*	the message delivery transport.
236/* .IP "\fBdefault_destination_concurrency_failed_cohort_limit (1)\fR"
237/*	How many pseudo-cohorts must suffer connection or handshake
238/*	failure before a specific destination is considered unavailable
239/*	(and further delivery is suspended).
240/* .IP "\fBtransport_destination_concurrency_failed_cohort_limit ($default_destination_concurrency_failed_cohort_limit)\fR"
241/*	A transport-specific override for the
242/*	default_destination_concurrency_failed_cohort_limit parameter value,
243/*	where \fItransport\fR is the master.cf name of the message delivery
244/*	transport.
245/* .IP "\fBdefault_destination_concurrency_negative_feedback (1)\fR"
246/*	The per-destination amount of delivery concurrency negative
247/*	feedback, after a delivery completes with a connection or handshake
248/*	failure.
249/* .IP "\fBtransport_destination_concurrency_negative_feedback ($default_destination_concurrency_negative_feedback)\fR"
250/*	A transport-specific override for the
251/*	default_destination_concurrency_negative_feedback parameter value,
252/*	where \fItransport\fR is the master.cf name of the message delivery
253/*	transport.
254/* .IP "\fBdefault_destination_concurrency_positive_feedback (1)\fR"
255/*	The per-destination amount of delivery concurrency positive
256/*	feedback, after a delivery completes without connection or handshake
257/*	failure.
258/* .IP "\fBtransport_destination_concurrency_positive_feedback ($default_destination_concurrency_positive_feedback)\fR"
259/*	A transport-specific override for the
260/*	default_destination_concurrency_positive_feedback parameter value,
261/*	where \fItransport\fR is the master.cf name of the message delivery
262/*	transport.
263/* .IP "\fBdestination_concurrency_feedback_debug (no)\fR"
264/*	Make the queue manager's feedback algorithm verbose for performance
265/*	analysis purposes.
266/* RECIPIENT SCHEDULING CONTROLS
267/* .ad
268/* .fi
269/* .IP "\fBdefault_destination_recipient_limit (50)\fR"
270/*	The default maximal number of recipients per message delivery.
271/* .IP "\fBtransport_destination_recipient_limit ($default_destination_recipient_limit)\fR"
272/*	A transport-specific override for the
273/*	default_destination_recipient_limit parameter value, where
274/*	\fItransport\fR is the master.cf name of the message delivery
275/*	transport.
276/* MESSAGE SCHEDULING CONTROLS
277/* .ad
278/* .fi
279/* .IP "\fBdefault_delivery_slot_cost (5)\fR"
280/*	How often the Postfix queue manager's scheduler is allowed to
281/*	preempt delivery of one message with another.
282/* .IP "\fBtransport_delivery_slot_cost ($default_delivery_slot_cost)\fR"
283/*	A transport-specific override for the default_delivery_slot_cost
284/*	parameter value, where \fItransport\fR is the master.cf name of
285/*	the message delivery transport.
286/* .IP "\fBdefault_minimum_delivery_slots (3)\fR"
287/*	How many recipients a message must have in order to invoke the
288/*	Postfix queue manager's scheduling algorithm at all.
289/* .IP "\fBtransport_minimum_delivery_slots ($default_minimum_delivery_slots)\fR"
290/*	A transport-specific override for the default_minimum_delivery_slots
291/*	parameter value, where \fItransport\fR is the master.cf name of
292/*	the message delivery transport.
293/* .IP "\fBdefault_delivery_slot_discount (50)\fR"
294/*	The default value for transport-specific _delivery_slot_discount
295/*	settings.
296/* .IP "\fBtransport_delivery_slot_discount ($default_delivery_slot_discount)\fR"
297/*	A transport-specific override for the default_delivery_slot_discount
298/*	parameter value, where \fItransport\fR is the master.cf name of
299/*	the message delivery transport.
300/* .IP "\fBdefault_delivery_slot_loan (3)\fR"
301/*	The default value for transport-specific _delivery_slot_loan
302/*	settings.
303/* .IP "\fBtransport_delivery_slot_loan ($default_delivery_slot_loan)\fR"
304/*	A transport-specific override for the default_delivery_slot_loan
305/*	parameter value, where \fItransport\fR is the master.cf name of
306/*	the message delivery transport.
307/* OTHER RESOURCE AND RATE CONTROLS
308/* .ad
309/* .fi
310/* .IP "\fBminimal_backoff_time (300s)\fR"
311/*	The minimal time between attempts to deliver a deferred message;
312/*	prior to Postfix 2.4 the default value was 1000s.
313/* .IP "\fBmaximal_backoff_time (4000s)\fR"
314/*	The maximal time between attempts to deliver a deferred message.
315/* .IP "\fBmaximal_queue_lifetime (5d)\fR"
316/*	Consider a message as undeliverable, when delivery fails with a
317/*	temporary error, and the time in the queue has reached the
318/*	maximal_queue_lifetime limit.
319/* .IP "\fBqueue_run_delay (300s)\fR"
320/*	The time between deferred queue scans by the queue manager;
321/*	prior to Postfix 2.4 the default value was 1000s.
322/* .IP "\fBtransport_retry_time (60s)\fR"
323/*	The time between attempts by the Postfix queue manager to contact
324/*	a malfunctioning message delivery transport.
325/* .PP
326/*	Available in Postfix version 2.1 and later:
327/* .IP "\fBbounce_queue_lifetime (5d)\fR"
328/*	Consider a bounce message as undeliverable, when delivery fails
329/*	with a temporary error, and the time in the queue has reached the
330/*	bounce_queue_lifetime limit.
331/* .PP
332/*	Available in Postfix version 2.5 and later:
333/* .IP "\fBdefault_destination_rate_delay (0s)\fR"
334/*	The default amount of delay that is inserted between individual
335/*	message deliveries to the same destination and over the same message
336/*	delivery transport.
337/* .IP "\fBtransport_destination_rate_delay ($default_destination_rate_delay)\fR"
338/*	A transport-specific override for the default_destination_rate_delay
339/*	parameter value, where \fItransport\fR is the master.cf name of
340/*	the message delivery transport.
341/* .PP
342/*	Available in Postfix version 3.1 and later:
343/* .IP "\fBdefault_transport_rate_delay (0s)\fR"
344/*	The default amount of delay that is inserted between individual
345/*	message deliveries over the same message delivery transport,
346/*	regardless of destination.
347/* .IP "\fBtransport_transport_rate_delay ($default_transport_rate_delay)\fR"
348/*	A transport-specific override for the default_transport_rate_delay
349/*	parameter value, where the initial \fItransport\fR in the parameter
350/*	name is the master.cf name of the message delivery transport.
351/* SAFETY CONTROLS
352/* .ad
353/* .fi
354/* .IP "\fBqmgr_daemon_timeout (1000s)\fR"
355/*	How much time a Postfix queue manager process may take to handle
356/*	a request before it is terminated by a built-in watchdog timer.
357/* .IP "\fBqmgr_ipc_timeout (60s)\fR"
358/*	The time limit for the queue manager to send or receive information
359/*	over an internal communication channel.
360/* .PP
361/*	Available in Postfix version 3.1 and later:
362/* .IP "\fBaddress_verify_pending_request_limit (see 'postconf -d' output)\fR"
363/*	A safety limit that prevents address verification requests from
364/*	overwhelming the Postfix queue.
365/* MISCELLANEOUS CONTROLS
366/* .ad
367/* .fi
368/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
369/*	The default location of the Postfix main.cf and master.cf
370/*	configuration files.
371/* .IP "\fBdefer_transports (empty)\fR"
372/*	The names of message delivery transports that should not deliver mail
373/*	unless someone issues "\fBsendmail -q\fR" or equivalent.
374/* .IP "\fBdelay_logging_resolution_limit (2)\fR"
375/*	The maximal number of digits after the decimal point when logging
376/*	sub-second delay values.
377/* .IP "\fBhelpful_warnings (yes)\fR"
378/*	Log warnings about problematic configuration settings, and provide
379/*	helpful suggestions.
380/* .IP "\fBprocess_id (read-only)\fR"
381/*	The process ID of a Postfix command or daemon process.
382/* .IP "\fBprocess_name (read-only)\fR"
383/*	The process name of a Postfix command or daemon process.
384/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
385/*	The location of the Postfix top-level queue directory.
386/* .IP "\fBsyslog_facility (mail)\fR"
387/*	The syslog facility of Postfix logging.
388/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
389/*	A prefix that is prepended to the process name in syslog
390/*	records, so that, for example, "smtpd" becomes "prefix/smtpd".
391/* .PP
392/*	Available in Postfix version 3.0 and later:
393/* .IP "\fBconfirm_delay_cleared (no)\fR"
394/*	After sending a "your message is delayed" notification, inform
395/*	the sender when the delay clears up.
396/* .PP
397/*	Available in Postfix 3.3 and later:
398/* .IP "\fBservice_name (read-only)\fR"
399/*	The master.cf service name of a Postfix daemon process.
400/* .PP
401/*	Available in Postfix 3.5 and later:
402/* .IP "\fBinfo_log_address_format (external)\fR"
403/*	The email address form that will be used in non-debug logging
404/*	(info, warning, etc.).
405/* FILES
406/*	/var/spool/postfix/incoming, incoming queue
407/*	/var/spool/postfix/active, active queue
408/*	/var/spool/postfix/deferred, deferred queue
409/*	/var/spool/postfix/bounce, non-delivery status
410/*	/var/spool/postfix/defer, non-delivery status
411/*	/var/spool/postfix/trace, delivery status
412/* SEE ALSO
413/*	trivial-rewrite(8), address routing
414/*	bounce(8), delivery status reports
415/*	postconf(5), configuration parameters
416/*	master(5), generic daemon options
417/*	master(8), process manager
418/*	postlogd(8), Postfix logging
419/*	syslogd(8), system logging
420/* README FILES
421/* .ad
422/* .fi
423/*	Use "\fBpostconf readme_directory\fR" or
424/*	"\fBpostconf html_directory\fR" to locate this information.
425/* .na
426/* .nf
427/*	SCHEDULER_README, scheduling algorithm
428/*	QSHAPE_README, Postfix queue analysis
429/* LICENSE
430/* .ad
431/* .fi
432/*	The Secure Mailer license must be distributed with this software.
433/* AUTHOR(S)
434/*	Wietse Venema
435/*	IBM T.J. Watson Research
436/*	P.O. Box 704
437/*	Yorktown Heights, NY 10598, USA
438/*
439/*	Preemptive scheduler enhancements:
440/*	Patrik Rak
441/*	Modra 6
442/*	155 00, Prague, Czech Republic
443/*
444/*	Wietse Venema
445/*	Google, Inc.
446/*	111 8th Avenue
447/*	New York, NY 10011, USA
448/*--*/
449
450/* System library. */
451
452#include <sys_defs.h>
453#include <stdlib.h>
454#include <unistd.h>
455#include <ctype.h>
456
457/* Utility library. */
458
459#include <msg.h>
460#include <events.h>
461#include <vstream.h>
462#include <dict.h>
463
464/* Global library. */
465
466#include <mail_queue.h>
467#include <recipient_list.h>
468#include <mail_conf.h>
469#include <mail_params.h>
470#include <mail_version.h>
471#include <mail_proto.h>			/* QMGR_SCAN constants */
472#include <mail_flow.h>
473#include <flush_clnt.h>
474
475/* Master process interface */
476
477#include <master_proto.h>
478#include <mail_server.h>
479
480/* Application-specific. */
481
482#include "qmgr.h"
483
484 /*
485  * Tunables.
486  */
/* Deferred-queue timing: scan interval, retry backoff and queue lifetimes. */
int     var_queue_run_delay;
int     var_min_backoff_time;
int     var_max_backoff_time;
int     var_max_queue_time;
int     var_dsn_queue_time;
/* Active-queue memory limits: messages and in-memory recipients. */
int     var_qmgr_active_limit;
int     var_qmgr_rcpt_limit;
int     var_qmgr_msg_rcpt_limit;
int     var_xport_rcpt_limit;
int     var_stack_rcpt_limit;
int     var_xport_refill_limit;
int     var_xport_refill_delay;
/* Preemptive scheduler knobs (see SCHEDULER_README). */
int     var_delivery_slot_cost;
int     var_delivery_slot_loan;
int     var_delivery_slot_discount;
int     var_min_delivery_slots;
/* Per-destination concurrency, retry and recipient limits. */
int     var_init_dest_concurrency;
int     var_transport_retry_time;
int     var_dest_con_limit;
int     var_dest_rcpt_limit;
char   *var_defer_xports;
int     var_local_con_lim;
int     var_local_rcpt_lim;
bool    var_verp_bounce_off;
int     var_qmgr_clog_warn_time;
/* Concurrency feedback: strings parsed elsewhere; minimum length 1 (see main()). */
char   *var_conc_pos_feedback;
char   *var_conc_neg_feedback;
int     var_conc_cohort_limit;
int     var_conc_feedback_debug;
int     var_xport_rate_delay;
int     var_dest_rate_delay;
char   *var_def_filter_nexthop;
/* Safety controls: watchdog and IPC timeouts (IPC copied into var_ipc_timeout at init). */
int     var_qmgr_daemon_timeout;
int     var_qmgr_ipc_timeout;
int     var_dsn_delay_cleared;
int     var_vrfy_pend_limit;

/* One scan state per input queue, indexed by the QMGR_SCAN_IDX_* constants. */
static QMGR_SCAN *qmgr_scans[2];

#define QMGR_SCAN_IDX_INCOMING 0
#define QMGR_SCAN_IDX_DEFERRED 1
/* Element count is size_t; it is compared against non-negative ints in qmgr_loop(). */
#define QMGR_SCAN_IDX_COUNT (sizeof(qmgr_scans) / sizeof(qmgr_scans[0]))
529
530/* qmgr_deferred_run_event - queue manager heartbeat */
531
static void qmgr_deferred_run_event(int unused_event, void *dummy)
{
    QMGR_SCAN *deferred = qmgr_scans[QMGR_SCAN_IDX_DEFERRED];

    /*
     * Periodic heartbeat: ask for a deferred queue scan, then re-arm the
     * timer so the next scan happens queue_run_delay seconds from now.
     * The timer is re-armed unconditionally; whether the scan starts
     * immediately or after the one in progress is up to qmgr_scan_request().
     */
    qmgr_scan_request(deferred, QMGR_SCAN_START);
    event_request_timer(qmgr_deferred_run_event, dummy, var_queue_run_delay);
}
542
543/* qmgr_trigger_event - respond to external trigger(s) */
544
static void qmgr_trigger_event(char *buf, ssize_t len,
			               char *unused_service, char **argv)
{
    int     incoming_req = 0;
    int     deferred_req = 0;
    ssize_t pos;
    int     request;

    /*
     * This service takes no command-line arguments; anything after the
     * program name in master.cf is a configuration error.
     */
    if (argv[0])
	msg_fatal("unexpected command-line argument: %s", argv[0]);

    /*
     * Fold every byte in the buffer into two request masks, one per queue
     * scan. Triggers carry no reply, so duplicates collapse and arrival
     * order is irrelevant as long as requests do not conflict; the
     * modifier bits (flush dead destinations, ignore time stamps) apply
     * before the scan-start bit however they arrived. Bytes that are not
     * a known request are logged (verbose only) and dropped: untrusted
     * local users can write to the trigger socket, so an unknown byte
     * must never be fatal.
     */
#define QMGR_FLUSH_BEFORE	(QMGR_FLUSH_ONCE | QMGR_FLUSH_DFXP)

    for (pos = 0; pos < len; pos++) {
	request = buf[pos];
	if (msg_verbose)
	    msg_info("request: %d (%c)",
		     request, ISALNUM(request) ? request : '?');
	switch (request) {
	case TRIGGER_REQ_WAKEUP:
	case QMGR_REQ_SCAN_INCOMING:
	    incoming_req |= QMGR_SCAN_START;
	    break;
	case QMGR_REQ_SCAN_DEFERRED:
	    deferred_req |= QMGR_SCAN_START;
	    break;
	case QMGR_REQ_FLUSH_DEAD:
	    incoming_req |= QMGR_FLUSH_BEFORE;
	    deferred_req |= QMGR_FLUSH_BEFORE;
	    break;
	case QMGR_REQ_SCAN_ALL:
	    incoming_req |= QMGR_SCAN_ALL;
	    deferred_req |= QMGR_SCAN_ALL;
	    break;
	default:
	    if (msg_verbose)
		msg_info("request ignored");
	    break;
	}
    }

    /*
     * Hand each non-empty mask to its scan exactly once, incoming first.
     * Modifier-only masks take effect on the next run; a scan-start bit
     * starts a run right away when none is in progress.
     */
    if (incoming_req)
	qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_INCOMING], incoming_req);
    if (deferred_req)
	qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_DEFERRED], deferred_req);
}
603
604/* qmgr_loop - queue manager main loop */
605
static int qmgr_loop(char *unused_name, char **unused_argv)
{
    static int first_scan_idx = QMGR_SCAN_IDX_INCOMING;
    int     last_scan_idx = QMGR_SCAN_IDX_COUNT - 1;
    int     scan_idx = 0;
    int     feed = 0;
    int     wait_hint;
    char   *queue_path;
    ssize_t tokens;
    ssize_t surplus;

    /*
     * Called by the server skeleton after each timer or I/O event
     * (delivery agent connections included) or after the requested wait
     * has elapsed. The return value tells the event manager how long to
     * wait before calling us again: DONT_WAIT to come straight back,
     * WAIT_FOR_EVENT to block until something happens.
     */
#define DONT_WAIT	0
#define WAIT_FOR_EVENT	(-1)

    /*
     * Push active-queue mail out through delivery agents. Both agent
     * allocation and the deliveries themselves complete asynchronously.
     */
    qmgr_active_drain();

    /*
     * Admit at most one new message per call while the active queue is
     * below its limit, trying the incoming and deferred scans in rotating
     * order (see qmgr_transport.c for why one-per-interrupt is the right
     * feed rate). scan_idx never goes negative, so comparing it with the
     * size_t element count is safe.
     */
    wait_hint = WAIT_FOR_EVENT;
    while (qmgr_message_count < var_qmgr_active_limit
	   && scan_idx < QMGR_SCAN_IDX_COUNT) {
	last_scan_idx = (scan_idx + first_scan_idx) % QMGR_SCAN_IDX_COUNT;
	queue_path = qmgr_scan_next(qmgr_scans[last_scan_idx]);
	if (queue_path != 0) {
	    wait_hint = DONT_WAIT;
	    feed = qmgr_active_feed(qmgr_scans[last_scan_idx], queue_path);
	    if (feed != 0)
		break;
	}
	scan_idx++;
    }

    /*
     * Rotate the starting scan for the next call. Once the active queue
     * is full, always resume with incoming mail so that new mail is not
     * starved by the deferred backlog.
     */
    if (qmgr_message_count < var_qmgr_active_limit)
	first_scan_idx = (last_scan_idx + 1) % QMGR_SCAN_IDX_COUNT;
    else if (first_scan_idx != QMGR_SCAN_IDX_INCOMING)
	first_scan_idx = QMGR_SCAN_IDX_INCOMING;

    /*
     * Global flow control (only when in_flow_delay > 0): hand out tokens
     * to receiving processes as incoming mail is admitted, top the pool
     * up when the incoming scan is idle, and take tokens back when the
     * receivers have run ahead of us - without ever stalling them.
     */
    if (var_in_flow_delay > 0) {
	tokens = mail_flow_count();
	surplus = tokens - var_proc_limit;
	if (surplus < 0) {
	    if (feed != 0 && last_scan_idx == QMGR_SCAN_IDX_INCOMING)
		mail_flow_put(1);
	    else if (qmgr_scans[QMGR_SCAN_IDX_INCOMING]->handle == 0)
		mail_flow_put(-surplus);
	} else if (surplus > 0) {
	    mail_flow_get(surplus);
	}
    }
    return (wait_hint);
}
679
680/* pre_accept - see if tables have changed */
681
static void pre_accept(char *unused_name, char **unused_argv)
{
    const char *changed = dict_changed_name();

    /*
     * Lookup tables are loaded once; when one has changed on disk, the
     * safe way to pick up the new contents is to exit and let master(8)
     * restart us. Exit status 0 keeps this from being logged as a failure.
     */
    if (changed == 0)
	return;
    msg_info("table %s has changed -- restarting", changed);
    exit(0);
}
691
692/* qmgr_pre_init - pre-jail initialization */
693
static void qmgr_pre_init(char *unused_name, char **unused_argv)
{
    /*
     * Runs before the skeleton drops privileges and enters the chroot
     * jail, so the flush client can set up whatever it needs with the
     * original filesystem view.
     */
    flush_init();
}
698
699/* qmgr_post_init - post-jail initialization */
700
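static void qmgr_post_init(char *name, char **unused_argv)
{

    /*
     * Backwards compatibility: warn when master.cf still runs this program
     * under its historical "nqmgr" service name.
     */
    if (strcmp(var_procname, "nqmgr") == 0) {
	msg_warn("please update the %s/%s file; the new queue manager",
		 var_config_dir, MASTER_CONF_FILE);
	msg_warn("(old name: nqmgr) has become the standard queue manager (new name: qmgr)");
	msg_warn("support for the old name (nqmgr) will be removed from Postfix");
    }

    /*
     * Sanity checks. The in-memory recipient limit must cover at least one
     * recipient per active message, and the bounce queue lifetime cannot
     * exceed the overall queue lifetime. Both are clamped with a warning
     * rather than treated as fatal.
     */
    if (var_qmgr_rcpt_limit < var_qmgr_active_limit) {
	msg_warn("%s is smaller than %s - adjusting %s",
	      VAR_QMGR_RCPT_LIMIT, VAR_QMGR_ACT_LIMIT, VAR_QMGR_RCPT_LIMIT);
	var_qmgr_rcpt_limit = var_qmgr_active_limit;
    }
    if (var_dsn_queue_time > var_max_queue_time) {
	msg_warn("%s is larger than %s - adjusting %s",
		 VAR_DSN_QUEUE_TIME, VAR_MAX_QUEUE_TIME, VAR_DSN_QUEUE_TIME);
	var_dsn_queue_time = var_max_queue_time;
    }

    /*
     * This routine runs after the skeleton code has entered the chroot
     * jail. Disable the skeleton's automatic process suicide after a
     * number of requests or a period of idleness: the queue manager is a
     * long-lived singleton. Override the generic IPC timeout with the
     * qmgr-specific one so that a broken IPC channel is reset before the
     * watchdog timer (qmgr_daemon_timeout) fires. Left-over active queue
     * entries from a previous instance are moved back to the incoming
     * queue - not the deferred queue, which would cause anomalous delays
     * when "postfix reload/start" are issued often - re-stamped with the
     * current event time (see qmgr_move() for how that time is applied).
     * Finally create both scans and kick off the incoming scan and the
     * periodic deferred-queue heartbeat.
     */
    var_ipc_timeout = var_qmgr_ipc_timeout;
    var_use_limit = 0;
    var_idle_limit = 0;
    qmgr_move(MAIL_QUEUE_ACTIVE, MAIL_QUEUE_INCOMING, event_time());
    qmgr_scans[QMGR_SCAN_IDX_INCOMING] = qmgr_scan_create(MAIL_QUEUE_INCOMING);
    qmgr_scans[QMGR_SCAN_IDX_DEFERRED] = qmgr_scan_create(MAIL_QUEUE_DEFERRED);
    qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_INCOMING], QMGR_SCAN_START);
    qmgr_deferred_run_event(0, (void *) 0);
}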
751
752MAIL_VERSION_STAMP_DECLARE;
753
754/* main - the main program */
755
int     main(int argc, char **argv)
{
    /*
     * Parameter tables consumed by the server skeleton. Each entry is:
     * parameter name, default, destination variable, and two trailing
     * bound fields (0 = unchecked) - presumably minimum/maximum string
     * length for the string table and minimum/maximum value for the
     * int and time tables; confirm against mail_conf.h.
     */
    static const CONFIG_STR_TABLE str_table[] = {
	VAR_DEFER_XPORTS, DEF_DEFER_XPORTS, &var_defer_xports, 0, 0,
	VAR_CONC_POS_FDBACK, DEF_CONC_POS_FDBACK, &var_conc_pos_feedback, 1, 0,
	VAR_CONC_NEG_FDBACK, DEF_CONC_NEG_FDBACK, &var_conc_neg_feedback, 1, 0,
	VAR_DEF_FILTER_NEXTHOP, DEF_DEF_FILTER_NEXTHOP, &var_def_filter_nexthop, 0, 0,
	0,
    };
    /* Queue lifetimes are capped at 8640000s (100 days); most others need >= 1. */
    static const CONFIG_TIME_TABLE time_table[] = {
	VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0,
	VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
	VAR_MAX_BACKOFF_TIME, DEF_MAX_BACKOFF_TIME, &var_max_backoff_time, 1, 0,
	VAR_MAX_QUEUE_TIME, DEF_MAX_QUEUE_TIME, &var_max_queue_time, 0, 8640000,
	VAR_DSN_QUEUE_TIME, DEF_DSN_QUEUE_TIME, &var_dsn_queue_time, 0, 8640000,
	VAR_XPORT_RETRY_TIME, DEF_XPORT_RETRY_TIME, &var_transport_retry_time, 1, 0,
	VAR_QMGR_CLOG_WARN_TIME, DEF_QMGR_CLOG_WARN_TIME, &var_qmgr_clog_warn_time, 0, 0,
	VAR_XPORT_REFILL_DELAY, DEF_XPORT_REFILL_DELAY, &var_xport_refill_delay, 1, 0,
	VAR_XPORT_RATE_DELAY, DEF_XPORT_RATE_DELAY, &var_xport_rate_delay, 0, 0,
	VAR_DEST_RATE_DELAY, DEF_DEST_RATE_DELAY, &var_dest_rate_delay, 0, 0,
	VAR_QMGR_DAEMON_TIMEOUT, DEF_QMGR_DAEMON_TIMEOUT, &var_qmgr_daemon_timeout, 1, 0,
	VAR_QMGR_IPC_TIMEOUT, DEF_QMGR_IPC_TIMEOUT, &var_qmgr_ipc_timeout, 1, 0,
	0,
    };
    /* Active-queue and recipient limits must be >= 1; the slot discount is a 0..100 percentage. */
    static const CONFIG_INT_TABLE int_table[] = {
	VAR_QMGR_ACT_LIMIT, DEF_QMGR_ACT_LIMIT, &var_qmgr_active_limit, 1, 0,
	VAR_QMGR_RCPT_LIMIT, DEF_QMGR_RCPT_LIMIT, &var_qmgr_rcpt_limit, 1, 0,
	VAR_QMGR_MSG_RCPT_LIMIT, DEF_QMGR_MSG_RCPT_LIMIT, &var_qmgr_msg_rcpt_limit, 1, 0,
	VAR_XPORT_RCPT_LIMIT, DEF_XPORT_RCPT_LIMIT, &var_xport_rcpt_limit, 0, 0,
	VAR_STACK_RCPT_LIMIT, DEF_STACK_RCPT_LIMIT, &var_stack_rcpt_limit, 0, 0,
	VAR_XPORT_REFILL_LIMIT, DEF_XPORT_REFILL_LIMIT, &var_xport_refill_limit, 1, 0,
	VAR_DELIVERY_SLOT_COST, DEF_DELIVERY_SLOT_COST, &var_delivery_slot_cost, 0, 0,
	VAR_DELIVERY_SLOT_LOAN, DEF_DELIVERY_SLOT_LOAN, &var_delivery_slot_loan, 0, 0,
	VAR_DELIVERY_SLOT_DISCOUNT, DEF_DELIVERY_SLOT_DISCOUNT, &var_delivery_slot_discount, 0, 100,
	VAR_MIN_DELIVERY_SLOTS, DEF_MIN_DELIVERY_SLOTS, &var_min_delivery_slots, 0, 0,
	VAR_INIT_DEST_CON, DEF_INIT_DEST_CON, &var_init_dest_concurrency, 1, 0,
	VAR_DEST_CON_LIMIT, DEF_DEST_CON_LIMIT, &var_dest_con_limit, 0, 0,
	VAR_DEST_RCPT_LIMIT, DEF_DEST_RCPT_LIMIT, &var_dest_rcpt_limit, 0, 0,
	VAR_LOCAL_RCPT_LIMIT, DEF_LOCAL_RCPT_LIMIT, &var_local_rcpt_lim, 0, 0,
	VAR_LOCAL_CON_LIMIT, DEF_LOCAL_CON_LIMIT, &var_local_con_lim, 0, 0,
	VAR_CONC_COHORT_LIM, DEF_CONC_COHORT_LIM, &var_conc_cohort_limit, 0, 0,
	VAR_VRFY_PEND_LIMIT, DEF_VRFY_PEND_LIMIT, &var_vrfy_pend_limit, 1, 0,
	0,
    };
    static const CONFIG_BOOL_TABLE bool_table[] = {
	VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off,
	VAR_CONC_FDBACK_DEBUG, DEF_CONC_FDBACK_DEBUG, &var_conc_feedback_debug,
	VAR_DSN_DELAY_CLEARED, DEF_DSN_DELAY_CLEARED, &var_dsn_delay_cleared,
	0,
    };

    /*
     * Fingerprint executables and core dumps.
     */
    MAIL_VERSION_STAMP_ALLOCATE;

    /*
     * Use the trigger service skeleton, because no-one else should be
     * monitoring our service port while this process runs, and because we do
     * not talk back to the client. SOLITARY asks the skeleton to enforce
     * that only one instance runs; the WATCHDOG hook makes the skeleton
     * kill us if one request takes longer than qmgr_daemon_timeout.
     * Privilege drop and chroot are handled by the skeleton between
     * qmgr_pre_init() and qmgr_post_init().
     */
    trigger_server_main(argc, argv, qmgr_trigger_event,
			CA_MAIL_SERVER_INT_TABLE(int_table),
			CA_MAIL_SERVER_STR_TABLE(str_table),
			CA_MAIL_SERVER_BOOL_TABLE(bool_table),
			CA_MAIL_SERVER_TIME_TABLE(time_table),
			CA_MAIL_SERVER_PRE_INIT(qmgr_pre_init),
			CA_MAIL_SERVER_POST_INIT(qmgr_post_init),
			CA_MAIL_SERVER_LOOP(qmgr_loop),
			CA_MAIL_SERVER_PRE_ACCEPT(pre_accept),
			CA_MAIL_SERVER_SOLITARY,
			CA_MAIL_SERVER_WATCHDOG(&var_qmgr_daemon_timeout),
			0);
}
830