1/* $NetBSD: qmgr.c,v 1.3 2020/03/18 19:05:19 christos Exp $ */ 2 3/*++ 4/* NAME 5/* qmgr 8 6/* SUMMARY 7/* Postfix queue manager 8/* SYNOPSIS 9/* \fBqmgr\fR [generic Postfix daemon options] 10/* DESCRIPTION 11/* The \fBqmgr\fR(8) daemon awaits the arrival of incoming mail 12/* and arranges for its delivery via Postfix delivery processes. 13/* The actual mail routing strategy is delegated to the 14/* \fBtrivial-rewrite\fR(8) daemon. 15/* This program expects to be run from the \fBmaster\fR(8) process 16/* manager. 17/* 18/* Mail addressed to the local \fBdouble-bounce\fR address is 19/* logged and discarded. This stops potential loops caused by 20/* undeliverable bounce notifications. 21/* MAIL QUEUES 22/* .ad 23/* .fi 24/* The \fBqmgr\fR(8) daemon maintains the following queues: 25/* .IP \fBincoming\fR 26/* Inbound mail from the network, or mail picked up by the 27/* local \fBpickup\fR(8) daemon from the \fBmaildrop\fR directory. 28/* .IP \fBactive\fR 29/* Messages that the queue manager has opened for delivery. Only 30/* a limited number of messages is allowed to enter the \fBactive\fR 31/* queue (leaky bucket strategy, for a fixed delivery rate). 32/* .IP \fBdeferred\fR 33/* Mail that could not be delivered upon the first attempt. The queue 34/* manager implements exponential backoff by doubling the time between 35/* delivery attempts. 36/* .IP \fBcorrupt\fR 37/* Unreadable or damaged queue files are moved here for inspection. 38/* .IP \fBhold\fR 39/* Messages that are kept "on hold" are kept here until someone 40/* sets them free. 41/* DELIVERY STATUS REPORTS 42/* .ad 43/* .fi 44/* The \fBqmgr\fR(8) daemon keeps an eye on per-message delivery status 45/* reports in the following directories. Each status report file has 46/* the same name as the corresponding message file: 47/* .IP \fBbounce\fR 48/* Per-recipient status information about why mail is bounced. 49/* These files are maintained by the \fBbounce\fR(8) daemon. 
50/* .IP \fBdefer\fR 51/* Per-recipient status information about why mail is delayed. 52/* These files are maintained by the \fBdefer\fR(8) daemon. 53/* .IP \fBtrace\fR 54/* Per-recipient status information as requested with the 55/* Postfix "\fBsendmail -v\fR" or "\fBsendmail -bv\fR" command. 56/* These files are maintained by the \fBtrace\fR(8) daemon. 57/* .PP 58/* The \fBqmgr\fR(8) daemon is responsible for asking the 59/* \fBbounce\fR(8), \fBdefer\fR(8) or \fBtrace\fR(8) daemons to 60/* send delivery reports. 61/* STRATEGIES 62/* .ad 63/* .fi 64/* The queue manager implements a variety of strategies for 65/* either opening queue files (input) or for message delivery (output). 66/* .IP "\fBleaky bucket\fR" 67/* This strategy limits the number of messages in the \fBactive\fR queue 68/* and prevents the queue manager from running out of memory under 69/* heavy load. 70/* .IP \fBfairness\fR 71/* When the \fBactive\fR queue has room, the queue manager takes one 72/* message from the \fBincoming\fR queue and one from the \fBdeferred\fR 73/* queue. This prevents a large mail backlog from blocking the delivery 74/* of new mail. 75/* .IP "\fBslow start\fR" 76/* This strategy eliminates "thundering herd" problems by slowly 77/* adjusting the number of parallel deliveries to the same destination. 78/* .IP "\fBround robin\fR" 79/* The queue manager sorts delivery requests by destination. 80/* Round-robin selection prevents one destination from dominating 81/* deliveries to other destinations. 82/* .IP "\fBexponential backoff\fR" 83/* Mail that cannot be delivered upon the first attempt is deferred. 84/* The time interval between delivery attempts is doubled after each 85/* attempt. 86/* .IP "\fBdestination status cache\fR" 87/* The queue manager avoids unnecessary delivery attempts by 88/* maintaining a short-term, in-memory list of unreachable destinations. 
/* .IP "\fBpreemptive message scheduling\fR"
/* The queue manager attempts to minimize the average per-recipient delay
/* while still preserving the correct per-message delays, using
/* sophisticated preemptive message scheduling.
/* TRIGGERS
/* .ad
/* .fi
/* On an idle system, the queue manager waits for the arrival of
/* trigger events, or it waits for a timer to go off. A trigger
/* is a one-byte message.
/* Depending on the message received, the queue manager performs
/* one of the following actions (the message is followed by the
/* symbolic constant used internally by the software):
/* .IP "\fBD (QMGR_REQ_SCAN_DEFERRED)\fR"
/* Start a deferred queue scan. If a deferred queue scan is already
/* in progress, that scan will be restarted as soon as it finishes.
/* .IP "\fBI (QMGR_REQ_SCAN_INCOMING)\fR"
/* Start an incoming queue scan. If an incoming queue scan is already
/* in progress, that scan will be restarted as soon as it finishes.
/* .IP "\fBA (QMGR_REQ_SCAN_ALL)\fR"
/* Ignore deferred queue file time stamps. The request affects
/* the next deferred queue scan.
/* .IP "\fBF (QMGR_REQ_FLUSH_DEAD)\fR"
/* Purge all information about dead transports and destinations.
/* .IP "\fBW (TRIGGER_REQ_WAKEUP)\fR"
/* Wakeup call. This is used by the master server to instantiate
/* servers that should not go away forever. The action is to start
/* an incoming queue scan.
/* .PP
/* The \fBqmgr\fR(8) daemon reads an entire buffer worth of triggers.
/* Multiple identical trigger requests are collapsed into one, and
/* trigger requests are sorted so that \fBA\fR and \fBF\fR precede
/* \fBD\fR and \fBI\fR. Thus, in order to force a deferred queue run,
/* one would request \fBA F D\fR; in order to notify the queue manager
/* of the arrival of new mail one would request \fBI\fR.
124/* STANDARDS 125/* RFC 3463 (Enhanced status codes) 126/* RFC 3464 (Delivery status notifications) 127/* SECURITY 128/* .ad 129/* .fi 130/* The \fBqmgr\fR(8) daemon is not security sensitive. It reads 131/* single-character messages from untrusted local users, and thus may 132/* be susceptible to denial of service attacks. The \fBqmgr\fR(8) daemon 133/* does not talk to the outside world, and it can be run at fixed low 134/* privilege in a chrooted environment. 135/* DIAGNOSTICS 136/* Problems and transactions are logged to \fBsyslogd\fR(8) 137/* or \fBpostlogd\fR(8). 138/* Corrupted message files are saved to the \fBcorrupt\fR queue 139/* for further inspection. 140/* 141/* Depending on the setting of the \fBnotify_classes\fR parameter, 142/* the postmaster is notified of bounces and of other trouble. 143/* BUGS 144/* A single queue manager process has to compete for disk access with 145/* multiple front-end processes such as \fBcleanup\fR(8). A sudden burst of 146/* inbound mail can negatively impact outbound delivery rates. 147/* CONFIGURATION PARAMETERS 148/* .ad 149/* .fi 150/* Changes to \fBmain.cf\fR are not picked up automatically 151/* as \fBqmgr\fR(8) 152/* is a persistent process. Use the "\fBpostfix reload\fR" command after 153/* a configuration change. 154/* 155/* The text below provides only a parameter summary. See 156/* \fBpostconf\fR(5) for more details including examples. 157/* 158/* In the text below, \fItransport\fR is the first field in a 159/* \fBmaster.cf\fR entry. 160/* COMPATIBILITY CONTROLS 161/* .ad 162/* .fi 163/* Available before Postfix version 2.5: 164/* .IP "\fBallow_min_user (no)\fR" 165/* Allow a sender or recipient address to have `-' as the first 166/* character. 
167/* .PP 168/* Available with Postfix version 2.7 and later: 169/* .IP "\fBdefault_filter_nexthop (empty)\fR" 170/* When a content_filter or FILTER request specifies no explicit 171/* next-hop destination, use $default_filter_nexthop instead; when 172/* that value is empty, use the domain in the recipient address. 173/* ACTIVE QUEUE CONTROLS 174/* .ad 175/* .fi 176/* .IP "\fBqmgr_clog_warn_time (300s)\fR" 177/* The minimal delay between warnings that a specific destination is 178/* clogging up the Postfix active queue. 179/* .IP "\fBqmgr_message_active_limit (20000)\fR" 180/* The maximal number of messages in the active queue. 181/* .IP "\fBqmgr_message_recipient_limit (20000)\fR" 182/* The maximal number of recipients held in memory by the Postfix 183/* queue manager, and the maximal size of the short-term, 184/* in-memory "dead" destination status cache. 185/* .IP "\fBqmgr_message_recipient_minimum (10)\fR" 186/* The minimal number of in-memory recipients for any message. 187/* .IP "\fBdefault_recipient_limit (20000)\fR" 188/* The default per-transport upper limit on the number of in-memory 189/* recipients. 190/* .IP "\fBtransport_recipient_limit ($default_recipient_limit)\fR" 191/* A transport-specific override for the default_recipient_limit 192/* parameter value, where \fItransport\fR is the master.cf name of 193/* the message delivery transport. 194/* .IP "\fBdefault_extra_recipient_limit (1000)\fR" 195/* The default value for the extra per-transport limit imposed on the 196/* number of in-memory recipients. 197/* .IP "\fBtransport_extra_recipient_limit ($default_extra_recipient_limit)\fR" 198/* A transport-specific override for the default_extra_recipient_limit 199/* parameter value, where \fItransport\fR is the master.cf name of 200/* the message delivery transport. 
201/* .PP 202/* Available in Postfix version 2.4 and later: 203/* .IP "\fBdefault_recipient_refill_limit (100)\fR" 204/* The default per-transport limit on the number of recipients refilled at 205/* once. 206/* .IP "\fBtransport_recipient_refill_limit ($default_recipient_refill_limit)\fR" 207/* A transport-specific override for the default_recipient_refill_limit 208/* parameter value, where \fItransport\fR is the master.cf name of 209/* the message delivery transport. 210/* .IP "\fBdefault_recipient_refill_delay (5s)\fR" 211/* The default per-transport maximum delay between recipients refills. 212/* .IP "\fBtransport_recipient_refill_delay ($default_recipient_refill_delay)\fR" 213/* A transport-specific override for the default_recipient_refill_delay 214/* parameter value, where \fItransport\fR is the master.cf name of 215/* the message delivery transport. 216/* DELIVERY CONCURRENCY CONTROLS 217/* .ad 218/* .fi 219/* .IP "\fBinitial_destination_concurrency (5)\fR" 220/* The initial per-destination concurrency level for parallel delivery 221/* to the same destination. 222/* .IP "\fBdefault_destination_concurrency_limit (20)\fR" 223/* The default maximal number of parallel deliveries to the same 224/* destination. 225/* .IP "\fBtransport_destination_concurrency_limit ($default_destination_concurrency_limit)\fR" 226/* A transport-specific override for the 227/* default_destination_concurrency_limit parameter value, where 228/* \fItransport\fR is the master.cf name of the message delivery 229/* transport. 230/* .PP 231/* Available in Postfix version 2.5 and later: 232/* .IP "\fBtransport_initial_destination_concurrency ($initial_destination_concurrency)\fR" 233/* A transport-specific override for the initial_destination_concurrency 234/* parameter value, where \fItransport\fR is the master.cf name of 235/* the message delivery transport. 
236/* .IP "\fBdefault_destination_concurrency_failed_cohort_limit (1)\fR" 237/* How many pseudo-cohorts must suffer connection or handshake 238/* failure before a specific destination is considered unavailable 239/* (and further delivery is suspended). 240/* .IP "\fBtransport_destination_concurrency_failed_cohort_limit ($default_destination_concurrency_failed_cohort_limit)\fR" 241/* A transport-specific override for the 242/* default_destination_concurrency_failed_cohort_limit parameter value, 243/* where \fItransport\fR is the master.cf name of the message delivery 244/* transport. 245/* .IP "\fBdefault_destination_concurrency_negative_feedback (1)\fR" 246/* The per-destination amount of delivery concurrency negative 247/* feedback, after a delivery completes with a connection or handshake 248/* failure. 249/* .IP "\fBtransport_destination_concurrency_negative_feedback ($default_destination_concurrency_negative_feedback)\fR" 250/* A transport-specific override for the 251/* default_destination_concurrency_negative_feedback parameter value, 252/* where \fItransport\fR is the master.cf name of the message delivery 253/* transport. 254/* .IP "\fBdefault_destination_concurrency_positive_feedback (1)\fR" 255/* The per-destination amount of delivery concurrency positive 256/* feedback, after a delivery completes without connection or handshake 257/* failure. 258/* .IP "\fBtransport_destination_concurrency_positive_feedback ($default_destination_concurrency_positive_feedback)\fR" 259/* A transport-specific override for the 260/* default_destination_concurrency_positive_feedback parameter value, 261/* where \fItransport\fR is the master.cf name of the message delivery 262/* transport. 263/* .IP "\fBdestination_concurrency_feedback_debug (no)\fR" 264/* Make the queue manager's feedback algorithm verbose for performance 265/* analysis purposes. 
266/* RECIPIENT SCHEDULING CONTROLS 267/* .ad 268/* .fi 269/* .IP "\fBdefault_destination_recipient_limit (50)\fR" 270/* The default maximal number of recipients per message delivery. 271/* .IP "\fBtransport_destination_recipient_limit ($default_destination_recipient_limit)\fR" 272/* A transport-specific override for the 273/* default_destination_recipient_limit parameter value, where 274/* \fItransport\fR is the master.cf name of the message delivery 275/* transport. 276/* MESSAGE SCHEDULING CONTROLS 277/* .ad 278/* .fi 279/* .IP "\fBdefault_delivery_slot_cost (5)\fR" 280/* How often the Postfix queue manager's scheduler is allowed to 281/* preempt delivery of one message with another. 282/* .IP "\fBtransport_delivery_slot_cost ($default_delivery_slot_cost)\fR" 283/* A transport-specific override for the default_delivery_slot_cost 284/* parameter value, where \fItransport\fR is the master.cf name of 285/* the message delivery transport. 286/* .IP "\fBdefault_minimum_delivery_slots (3)\fR" 287/* How many recipients a message must have in order to invoke the 288/* Postfix queue manager's scheduling algorithm at all. 289/* .IP "\fBtransport_minimum_delivery_slots ($default_minimum_delivery_slots)\fR" 290/* A transport-specific override for the default_minimum_delivery_slots 291/* parameter value, where \fItransport\fR is the master.cf name of 292/* the message delivery transport. 293/* .IP "\fBdefault_delivery_slot_discount (50)\fR" 294/* The default value for transport-specific _delivery_slot_discount 295/* settings. 296/* .IP "\fBtransport_delivery_slot_discount ($default_delivery_slot_discount)\fR" 297/* A transport-specific override for the default_delivery_slot_discount 298/* parameter value, where \fItransport\fR is the master.cf name of 299/* the message delivery transport. 300/* .IP "\fBdefault_delivery_slot_loan (3)\fR" 301/* The default value for transport-specific _delivery_slot_loan 302/* settings. 
303/* .IP "\fBtransport_delivery_slot_loan ($default_delivery_slot_loan)\fR" 304/* A transport-specific override for the default_delivery_slot_loan 305/* parameter value, where \fItransport\fR is the master.cf name of 306/* the message delivery transport. 307/* OTHER RESOURCE AND RATE CONTROLS 308/* .ad 309/* .fi 310/* .IP "\fBminimal_backoff_time (300s)\fR" 311/* The minimal time between attempts to deliver a deferred message; 312/* prior to Postfix 2.4 the default value was 1000s. 313/* .IP "\fBmaximal_backoff_time (4000s)\fR" 314/* The maximal time between attempts to deliver a deferred message. 315/* .IP "\fBmaximal_queue_lifetime (5d)\fR" 316/* Consider a message as undeliverable, when delivery fails with a 317/* temporary error, and the time in the queue has reached the 318/* maximal_queue_lifetime limit. 319/* .IP "\fBqueue_run_delay (300s)\fR" 320/* The time between deferred queue scans by the queue manager; 321/* prior to Postfix 2.4 the default value was 1000s. 322/* .IP "\fBtransport_retry_time (60s)\fR" 323/* The time between attempts by the Postfix queue manager to contact 324/* a malfunctioning message delivery transport. 325/* .PP 326/* Available in Postfix version 2.1 and later: 327/* .IP "\fBbounce_queue_lifetime (5d)\fR" 328/* Consider a bounce message as undeliverable, when delivery fails 329/* with a temporary error, and the time in the queue has reached the 330/* bounce_queue_lifetime limit. 331/* .PP 332/* Available in Postfix version 2.5 and later: 333/* .IP "\fBdefault_destination_rate_delay (0s)\fR" 334/* The default amount of delay that is inserted between individual 335/* message deliveries to the same destination and over the same message 336/* delivery transport. 337/* .IP "\fBtransport_destination_rate_delay ($default_destination_rate_delay)\fR" 338/* A transport-specific override for the default_destination_rate_delay 339/* parameter value, where \fItransport\fR is the master.cf name of 340/* the message delivery transport. 
341/* .PP 342/* Available in Postfix version 3.1 and later: 343/* .IP "\fBdefault_transport_rate_delay (0s)\fR" 344/* The default amount of delay that is inserted between individual 345/* message deliveries over the same message delivery transport, 346/* regardless of destination. 347/* .IP "\fBtransport_transport_rate_delay ($default_transport_rate_delay)\fR" 348/* A transport-specific override for the default_transport_rate_delay 349/* parameter value, where the initial \fItransport\fR in the parameter 350/* name is the master.cf name of the message delivery transport. 351/* SAFETY CONTROLS 352/* .ad 353/* .fi 354/* .IP "\fBqmgr_daemon_timeout (1000s)\fR" 355/* How much time a Postfix queue manager process may take to handle 356/* a request before it is terminated by a built-in watchdog timer. 357/* .IP "\fBqmgr_ipc_timeout (60s)\fR" 358/* The time limit for the queue manager to send or receive information 359/* over an internal communication channel. 360/* .PP 361/* Available in Postfix version 3.1 and later: 362/* .IP "\fBaddress_verify_pending_request_limit (see 'postconf -d' output)\fR" 363/* A safety limit that prevents address verification requests from 364/* overwhelming the Postfix queue. 365/* MISCELLANEOUS CONTROLS 366/* .ad 367/* .fi 368/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" 369/* The default location of the Postfix main.cf and master.cf 370/* configuration files. 371/* .IP "\fBdefer_transports (empty)\fR" 372/* The names of message delivery transports that should not deliver mail 373/* unless someone issues "\fBsendmail -q\fR" or equivalent. 374/* .IP "\fBdelay_logging_resolution_limit (2)\fR" 375/* The maximal number of digits after the decimal point when logging 376/* sub-second delay values. 377/* .IP "\fBhelpful_warnings (yes)\fR" 378/* Log warnings about problematic configuration settings, and provide 379/* helpful suggestions. 
380/* .IP "\fBprocess_id (read-only)\fR" 381/* The process ID of a Postfix command or daemon process. 382/* .IP "\fBprocess_name (read-only)\fR" 383/* The process name of a Postfix command or daemon process. 384/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR" 385/* The location of the Postfix top-level queue directory. 386/* .IP "\fBsyslog_facility (mail)\fR" 387/* The syslog facility of Postfix logging. 388/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" 389/* A prefix that is prepended to the process name in syslog 390/* records, so that, for example, "smtpd" becomes "prefix/smtpd". 391/* .PP 392/* Available in Postfix version 3.0 and later: 393/* .IP "\fBconfirm_delay_cleared (no)\fR" 394/* After sending a "your message is delayed" notification, inform 395/* the sender when the delay clears up. 396/* .PP 397/* Available in Postfix 3.3 and later: 398/* .IP "\fBservice_name (read-only)\fR" 399/* The master.cf service name of a Postfix daemon process. 400/* .PP 401/* Available in Postfix 3.5 and later: 402/* .IP "\fBinfo_log_address_format (external)\fR" 403/* The email address form that will be used in non-debug logging 404/* (info, warning, etc.). 405/* FILES 406/* /var/spool/postfix/incoming, incoming queue 407/* /var/spool/postfix/active, active queue 408/* /var/spool/postfix/deferred, deferred queue 409/* /var/spool/postfix/bounce, non-delivery status 410/* /var/spool/postfix/defer, non-delivery status 411/* /var/spool/postfix/trace, delivery status 412/* SEE ALSO 413/* trivial-rewrite(8), address routing 414/* bounce(8), delivery status reports 415/* postconf(5), configuration parameters 416/* master(5), generic daemon options 417/* master(8), process manager 418/* postlogd(8), Postfix logging 419/* syslogd(8), system logging 420/* README FILES 421/* .ad 422/* .fi 423/* Use "\fBpostconf readme_directory\fR" or 424/* "\fBpostconf html_directory\fR" to locate this information. 
/* .na
/* .nf
/* SCHEDULER_README, scheduling algorithm
/* QSHAPE_README, Postfix queue analysis
/* LICENSE
/* .ad
/* .fi
/* The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/* Wietse Venema
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*
/* Preemptive scheduler enhancements:
/* Patrik Rak
/* Modra 6
/* 155 00, Prague, Czech Republic
/*
/* Wietse Venema
/* Google, Inc.
/* 111 8th Avenue
/* New York, NY 10011, USA
/*--*/

/* System library. */

#include <sys_defs.h>
#include <stdlib.h>
#include <unistd.h>
#include <ctype.h>

/* Utility library. */

#include <msg.h>
#include <events.h>
#include <vstream.h>
#include <dict.h>

/* Global library. */

#include <mail_queue.h>
#include <recipient_list.h>
#include <mail_conf.h>
#include <mail_params.h>
#include <mail_version.h>
#include <mail_proto.h>                 /* QMGR_SCAN constants */
#include <mail_flow.h>
#include <flush_clnt.h>

/* Master process interface */

#include <master_proto.h>
#include <mail_server.h>

/* Application-specific. */

#include "qmgr.h"

 /*
  * Tunables. Each variable is filled in from main.cf through the
  * configuration tables that main() hands to trigger_server_main().
  */
int     var_queue_run_delay;
int     var_min_backoff_time;
int     var_max_backoff_time;
int     var_max_queue_time;
int     var_dsn_queue_time;
int     var_qmgr_active_limit;
int     var_qmgr_rcpt_limit;
int     var_qmgr_msg_rcpt_limit;
int     var_xport_rcpt_limit;
int     var_stack_rcpt_limit;
int     var_xport_refill_limit;
int     var_xport_refill_delay;
int     var_delivery_slot_cost;
int     var_delivery_slot_loan;
int     var_delivery_slot_discount;
int     var_min_delivery_slots;
int     var_init_dest_concurrency;
int     var_transport_retry_time;
int     var_dest_con_limit;
int     var_dest_rcpt_limit;
char   *var_defer_xports;
int     var_local_con_lim;
int     var_local_rcpt_lim;
bool    var_verp_bounce_off;
int     var_qmgr_clog_warn_time;
char   *var_conc_pos_feedback;
char   *var_conc_neg_feedback;
int     var_conc_cohort_limit;
int     var_conc_feedback_debug;
int     var_xport_rate_delay;
int     var_dest_rate_delay;
char   *var_def_filter_nexthop;
int     var_qmgr_daemon_timeout;
int     var_qmgr_ipc_timeout;
int     var_dsn_delay_cleared;
int     var_vrfy_pend_limit;

 /*
  * One scan context per input queue. The slots are filled in by
  * qmgr_post_init(); the index macros below name them.
  */
static QMGR_SCAN *qmgr_scans[2];

#define QMGR_SCAN_IDX_INCOMING 0
#define QMGR_SCAN_IDX_DEFERRED 1
#define QMGR_SCAN_IDX_COUNT (sizeof(qmgr_scans) / sizeof(qmgr_scans[0]))

/* qmgr_deferred_run_event - queue manager heartbeat */

static void qmgr_deferred_run_event(int unused_event, void *dummy)
{
    QMGR_SCAN *deferred_scan = qmgr_scans[QMGR_SCAN_IDX_DEFERRED];

    /*
     * Timer callback: ask for a deferred queue scan now, then re-arm the
     * same timer so that this routine runs again var_queue_run_delay later.
     */
    qmgr_scan_request(deferred_scan, QMGR_SCAN_START);
    event_request_timer(qmgr_deferred_run_event, dummy, var_queue_run_delay);
}

/* qmgr_trigger_event - respond to external trigger(s) */

static void qmgr_trigger_event(char *buf, ssize_t len,
                               char *unused_service, char **argv)
{
    int     incoming_flag = 0;
    int     deferred_flag = 0;
    int     i;
    char    req;

    /*
     * This service takes no command-line arguments; refuse to run with any.
     */
    if (argv[0])
        msg_fatal("unexpected command-line argument: %s", argv[0]);

    /*
     * Trust boundary: per the SECURITY notes in the file header, trigger
     * bytes come from untrusted local users. Every byte is therefore
     * treated as an opaque request code: known codes only OR bits into the
     * two flag words, unknown codes are dropped, and the byte is never used
     * as an index or a length.
     * 
     * Identical requests that arrived since the last look are collapsed.
     * There is no client feedback, so requests need not be handled in
     * arrival order, and a burst of triggers results in at most one
     * qmgr_scan_request() per queue at the end of this routine.
     */
#define QMGR_FLUSH_BEFORE       (QMGR_FLUSH_ONCE | QMGR_FLUSH_DFXP)

    for (i = 0; i < len; i++) {
        req = buf[i];

        /*
         * Verbose logging prints the numeric value always, but prints the
         * byte as a character only when ISALNUM() accepts it; anything else
         * is logged as '?', so raw control bytes do not reach the log.
         */
        if (msg_verbose)
            msg_info("request: %d (%c)",
                     req, ISALNUM(req) ? req : '?');

        switch (req) {
        case TRIGGER_REQ_WAKEUP:
        case QMGR_REQ_SCAN_INCOMING:
            incoming_flag |= QMGR_SCAN_START;
            break;
        case QMGR_REQ_SCAN_DEFERRED:
            deferred_flag |= QMGR_SCAN_START;
            break;
        case QMGR_REQ_FLUSH_DEAD:
            deferred_flag |= QMGR_FLUSH_BEFORE;
            incoming_flag |= QMGR_FLUSH_BEFORE;
            break;
        case QMGR_REQ_SCAN_ALL:
            deferred_flag |= QMGR_SCAN_ALL;
            incoming_flag |= QMGR_SCAN_ALL;
            break;
        default:
            if (msg_verbose)
                msg_info("request ignored");
            break;
        }
    }

    /*
     * Process each request type at most once. Modifiers take effect upon
     * the next queue run. If no queue run is in progress, and a queue scan
     * is requested, the request takes effect immediately.
     */
    if (incoming_flag != 0)
        qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_INCOMING], incoming_flag);
    if (deferred_flag != 0)
        qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_DEFERRED], deferred_flag);
}

/* qmgr_loop - queue manager main loop */

static int qmgr_loop(char *unused_name, char **unused_argv)
{
    char   *path;
    ssize_t token_count;
    int     feed = 0;
    int     scan_idx;                   /* Priority order scan index */
    static int first_scan_idx = QMGR_SCAN_IDX_INCOMING;
    int     last_scan_idx = QMGR_SCAN_IDX_COUNT - 1;
    int     delay;
    QMGR_SCAN *scan;

    /*
     * This routine runs as part of the event handling loop, after the event
     * manager has delivered a timer or I/O event (including the completion
     * of a connection to a delivery process), or after it has waited for a
     * specified amount of time. The value returned here tells the event
     * manager how long to wait for the next event.
     */
#define DONT_WAIT       0
#define WAIT_FOR_EVENT  (-1)

    /*
     * Try to drain the active queue by allocating a suitable delivery
     * process and delivering mail through it. Both steps are asynchronous.
     */
    qmgr_active_drain();

    /*
     * Admit new messages into the active queue while it holds fewer than
     * var_qmgr_active_limit messages. This bound is what keeps the number
     * of in-memory messages limited under load.
     * 
     * One message is imported per interrupt, to tune the input count for
     * the number of delivery agent protocol wait states, as explained in
     * qmgr_transport.c.
     */
    delay = WAIT_FOR_EVENT;
    for (scan_idx = 0; qmgr_message_count < var_qmgr_active_limit
         && scan_idx < QMGR_SCAN_IDX_COUNT; ++scan_idx) {
        last_scan_idx = (scan_idx + first_scan_idx) % QMGR_SCAN_IDX_COUNT;
        scan = qmgr_scans[last_scan_idx];
        path = qmgr_scan_next(scan);
        if (path == 0)
            continue;
        /* There was something to look at, so do not sleep afterwards. */
        delay = DONT_WAIT;
        feed = qmgr_active_feed(scan, path);
        if (feed != 0)
            break;
    }

    /*
     * Round-robin the queue scans. When the active queue becomes full,
     * prefer new mail over deferred mail.
     */
    if (qmgr_message_count < var_qmgr_active_limit)
        first_scan_idx = (last_scan_idx + 1) % QMGR_SCAN_IDX_COUNT;
    else
        first_scan_idx = QMGR_SCAN_IDX_INCOMING;

    /*
     * Global flow control. If enabled, slow down receiving processes that
     * get ahead of the queue manager, but don't block them completely. The
     * token count is steered towards var_proc_limit: excess tokens are
     * taken back, and tokens are added either one at a time (a message was
     * just fed from the incoming queue) or up to the limit (the incoming
     * scan has no handle; presumably no incoming scan is in progress -
     * confirm against the QMGR_SCAN definition).
     */
    if (var_in_flow_delay > 0) {
        token_count = mail_flow_count();
        if (token_count > var_proc_limit) {
            mail_flow_get(token_count - var_proc_limit);
        } else if (token_count < var_proc_limit) {
            if (feed != 0 && last_scan_idx == QMGR_SCAN_IDX_INCOMING)
                mail_flow_put(1);
            else if (qmgr_scans[QMGR_SCAN_IDX_INCOMING]->handle == 0)
                mail_flow_put(var_proc_limit - token_count);
        }
    }
    return (delay);
}

/* pre_accept - see if tables have changed */

static void pre_accept(char *unused_name, char **unused_argv)
{
    const char *table;

    /*
     * When a lookup table has changed, log its name and exit with status 0
     * rather than keep running with stale table contents.
     */
    table = dict_changed_name();
    if (table == 0)
        return;
    msg_info("table %s has changed -- restarting", table);
    exit(0);
}

/* qmgr_pre_init - pre-jail initialization */

static void qmgr_pre_init(char *unused_name, char **unused_argv)
{

    /*
     * Registered as the pre-init hook in main(), so this runs before the
     * skeleton code enters the chroot jail (see qmgr_post_init()).
     */
    flush_init();
}

/* qmgr_post_init - post-jail initialization */

static void qmgr_post_init(char *name, char **unused_argv)
{

    /*
     * Backwards compatibility: warn when started under the old service name.
     */
    if (strcmp(var_procname, "nqmgr") == 0) {
        msg_warn("please update the %s/%s file; the new queue manager",
                 var_config_dir, MASTER_CONF_FILE);
        msg_warn("(old name: nqmgr) has become the standard queue manager (new name: qmgr)");
        msg_warn("support for the name old name (nqmgr) will be removed from Postfix");
    }

    /*
     * Sanity checks. Inconsistent limits are not fatal: the offending value
     * is adjusted to the nearest consistent one and a warning is logged, so
     * a misconfiguration is visible in the logs.
     */
    if (var_qmgr_rcpt_limit < var_qmgr_active_limit) {
        msg_warn("%s is smaller than %s - adjusting %s",
              VAR_QMGR_RCPT_LIMIT, VAR_QMGR_ACT_LIMIT, VAR_QMGR_RCPT_LIMIT);
        var_qmgr_rcpt_limit = var_qmgr_active_limit;
    }
    if (var_dsn_queue_time > var_max_queue_time) {
        msg_warn("%s is larger than %s - adjusting %s",
                 VAR_DSN_QUEUE_TIME, VAR_MAX_QUEUE_TIME, VAR_DSN_QUEUE_TIME);
        var_dsn_queue_time = var_max_queue_time;
    }

    /*
     * This routine runs after the skeleton code has entered the chroot jail.
     * Prevent automatic process suicide after a limited number of client
     * requests or after a limited amount of idle time. Move any left-over
     * entries from the active queue to the incoming queue, and give them a
     * time stamp into the future, in order to allow ongoing deliveries to
     * finish first. Start scanning the incoming and deferred queues.
     * Left-over active queue entries are moved to the incoming queue because
     * the incoming queue has priority; moving left-overs to the deferred
     * queue could cause anomalous delays when "postfix reload/start" are
     * issued often. Override the IPC timeout (default 3600s) so that the
     * queue manager can reset a broken IPC channel before the watchdog timer
     * goes off.
     */
    var_ipc_timeout = var_qmgr_ipc_timeout;
    var_use_limit = 0;
    var_idle_limit = 0;
    qmgr_move(MAIL_QUEUE_ACTIVE, MAIL_QUEUE_INCOMING, event_time());
    qmgr_scans[QMGR_SCAN_IDX_INCOMING] = qmgr_scan_create(MAIL_QUEUE_INCOMING);
    qmgr_scans[QMGR_SCAN_IDX_DEFERRED] = qmgr_scan_create(MAIL_QUEUE_DEFERRED);
    qmgr_scan_request(qmgr_scans[QMGR_SCAN_IDX_INCOMING], QMGR_SCAN_START);
    qmgr_deferred_run_event(0, (void *) 0);
}

MAIL_VERSION_STAMP_DECLARE;

/* main - the main program */

int     main(int argc, char **argv)
{

    /*
     * Configuration tables: parameter name, default value, target variable.
     * NOTE(review): the two trailing numbers on the string, time and
     * integer entries look like lower and upper bounds, with 0 meaning "no
     * bound" - confirm against the CONFIG_*_TABLE definitions, which are
     * not part of this file.
     */
    static const CONFIG_STR_TABLE str_table[] = {
        VAR_DEFER_XPORTS, DEF_DEFER_XPORTS, &var_defer_xports, 0, 0,
        VAR_CONC_POS_FDBACK, DEF_CONC_POS_FDBACK, &var_conc_pos_feedback, 1, 0,
        VAR_CONC_NEG_FDBACK, DEF_CONC_NEG_FDBACK, &var_conc_neg_feedback, 1, 0,
        VAR_DEF_FILTER_NEXTHOP, DEF_DEF_FILTER_NEXTHOP, &var_def_filter_nexthop, 0, 0,
        0,
    };
    static const CONFIG_TIME_TABLE time_table[] = {
        VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0,
        VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
        VAR_MAX_BACKOFF_TIME, DEF_MAX_BACKOFF_TIME, &var_max_backoff_time, 1, 0,
        VAR_MAX_QUEUE_TIME, DEF_MAX_QUEUE_TIME, &var_max_queue_time, 0, 8640000,
        VAR_DSN_QUEUE_TIME, DEF_DSN_QUEUE_TIME, &var_dsn_queue_time, 0, 8640000,
        VAR_XPORT_RETRY_TIME, DEF_XPORT_RETRY_TIME, &var_transport_retry_time, 1, 0,
        VAR_QMGR_CLOG_WARN_TIME, DEF_QMGR_CLOG_WARN_TIME, &var_qmgr_clog_warn_time, 0, 0,
        VAR_XPORT_REFILL_DELAY, DEF_XPORT_REFILL_DELAY, &var_xport_refill_delay, 1, 0,
        VAR_XPORT_RATE_DELAY, DEF_XPORT_RATE_DELAY, &var_xport_rate_delay, 0, 0,
        VAR_DEST_RATE_DELAY, DEF_DEST_RATE_DELAY, &var_dest_rate_delay, 0, 0,
        VAR_QMGR_DAEMON_TIMEOUT, DEF_QMGR_DAEMON_TIMEOUT, &var_qmgr_daemon_timeout, 1, 0,
        VAR_QMGR_IPC_TIMEOUT, DEF_QMGR_IPC_TIMEOUT, &var_qmgr_ipc_timeout, 1, 0,
        0,
    };
    static const CONFIG_INT_TABLE int_table[] = {
        VAR_QMGR_ACT_LIMIT, DEF_QMGR_ACT_LIMIT, &var_qmgr_active_limit, 1, 0,
        VAR_QMGR_RCPT_LIMIT, DEF_QMGR_RCPT_LIMIT, &var_qmgr_rcpt_limit, 1, 0,
        VAR_QMGR_MSG_RCPT_LIMIT, DEF_QMGR_MSG_RCPT_LIMIT, &var_qmgr_msg_rcpt_limit, 1, 0,
        VAR_XPORT_RCPT_LIMIT, DEF_XPORT_RCPT_LIMIT, &var_xport_rcpt_limit, 0, 0,
        VAR_STACK_RCPT_LIMIT, DEF_STACK_RCPT_LIMIT, &var_stack_rcpt_limit, 0, 0,
        VAR_XPORT_REFILL_LIMIT, DEF_XPORT_REFILL_LIMIT, &var_xport_refill_limit, 1, 0,
        VAR_DELIVERY_SLOT_COST, DEF_DELIVERY_SLOT_COST, &var_delivery_slot_cost, 0, 0,
        VAR_DELIVERY_SLOT_LOAN, DEF_DELIVERY_SLOT_LOAN, &var_delivery_slot_loan, 0, 0,
        VAR_DELIVERY_SLOT_DISCOUNT, DEF_DELIVERY_SLOT_DISCOUNT, &var_delivery_slot_discount, 0, 100,
        VAR_MIN_DELIVERY_SLOTS, DEF_MIN_DELIVERY_SLOTS, &var_min_delivery_slots, 0, 0,
        VAR_INIT_DEST_CON, DEF_INIT_DEST_CON, &var_init_dest_concurrency, 1, 0,
        VAR_DEST_CON_LIMIT, DEF_DEST_CON_LIMIT, &var_dest_con_limit, 0, 0,
        VAR_DEST_RCPT_LIMIT, DEF_DEST_RCPT_LIMIT, &var_dest_rcpt_limit, 0, 0,
        VAR_LOCAL_RCPT_LIMIT, DEF_LOCAL_RCPT_LIMIT, &var_local_rcpt_lim, 0, 0,
        VAR_LOCAL_CON_LIMIT, DEF_LOCAL_CON_LIMIT, &var_local_con_lim, 0, 0,
        VAR_CONC_COHORT_LIM, DEF_CONC_COHORT_LIM, &var_conc_cohort_limit, 0, 0,
        VAR_VRFY_PEND_LIMIT, DEF_VRFY_PEND_LIMIT, &var_vrfy_pend_limit, 1, 0,
        0,
    };
    static const CONFIG_BOOL_TABLE bool_table[] = {
        VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off,
        VAR_CONC_FDBACK_DEBUG, DEF_CONC_FDBACK_DEBUG, &var_conc_feedback_debug,
        VAR_DSN_DELAY_CLEARED, DEF_DSN_DELAY_CLEARED, &var_dsn_delay_cleared,
        0,
    };

    /*
     * Fingerprint executables and core dumps.
     */
    MAIL_VERSION_STAMP_ALLOCATE;

    /*
     * Use the trigger service skeleton, because no-one else should be
     * monitoring our service port while this process runs, and because we do
     * not talk back to the client. The skeleton is also given the pre-jail
     * and post-jail hooks, the solitary-process flag, and the watchdog
     * timeout taken from var_qmgr_daemon_timeout.
     */
    trigger_server_main(argc, argv, qmgr_trigger_event,
                        CA_MAIL_SERVER_INT_TABLE(int_table),
                        CA_MAIL_SERVER_STR_TABLE(str_table),
                        CA_MAIL_SERVER_BOOL_TABLE(bool_table),
                        CA_MAIL_SERVER_TIME_TABLE(time_table),
                        CA_MAIL_SERVER_PRE_INIT(qmgr_pre_init),
                        CA_MAIL_SERVER_POST_INIT(qmgr_post_init),
                        CA_MAIL_SERVER_LOOP(qmgr_loop),
                        CA_MAIL_SERVER_PRE_ACCEPT(pre_accept),
                        CA_MAIL_SERVER_SOLITARY,
                        CA_MAIL_SERVER_WATCHDOG(&var_qmgr_daemon_timeout),
                        0);
}