5
/* old Postfix queue manager
7
/* \fBqmgr\fR [generic Postfix daemon options]
9
/* The \fBqmgr\fR daemon awaits the arrival of incoming mail
10
/* and arranges for its delivery via Postfix delivery processes.
11
/* The actual mail routing strategy is delegated to the
12
/* \fBtrivial-rewrite\fR(8) daemon.
13
/* This program expects to be run from the \fBmaster\fR(8) process
16
/* Mail addressed to the local \fBdouble-bounce\fR address is
17
/* logged and discarded. This stops potential loops caused by
18
/* undeliverable bounce notifications.
22
/* The \fBqmgr\fR daemon maintains the following queues:
24
/* Inbound mail from the network, or mail picked up by the
25
/* local \fBpickup\fR agent from the \fBmaildrop\fR directory.
27
/* Messages that the queue manager has opened for delivery. Only
28
/* a limited number of messages is allowed to enter the \fBactive\fR
29
/* queue (leaky bucket strategy, for a fixed delivery rate).
31
/* Mail that could not be delivered upon the first attempt. The queue
32
/* manager implements exponential backoff by doubling the time between
35
/* Unreadable or damaged queue files are moved here for inspection.
37
/* Messages that are kept "on hold" are kept here until someone
39
/* DELIVERY STATUS REPORTS
42
/* The \fBqmgr\fR daemon keeps an eye on per-message delivery status
43
/* reports in the following directories. Each status report file has
44
/* the same name as the corresponding message file:
46
/* Per-recipient status information about why mail is bounced.
47
/* These files are maintained by the \fBbounce\fR(8) daemon.
49
/* Per-recipient status information about why mail is delayed.
50
/* These files are maintained by the \fBdefer\fR(8) daemon.
52
/* Per-recipient status information as requested with the
53
/* Postfix "\fBsendmail -v\fR" or "\fBsendmail -bv\fR" command.
54
/* These files are maintained by the \fBtrace\fR(8) daemon.
56
/* The \fBqmgr\fR daemon is responsible for asking the
57
/* \fBbounce\fR(8), \fBdefer\fR(8) or \fBtrace\fR(8) daemons to
58
/* send delivery reports.
62
/* The queue manager implements a variety of strategies for
63
/* either opening queue files (input) or for message delivery (output).
64
/* .IP "\fBleaky bucket\fR"
65
/* This strategy limits the number of messages in the \fBactive\fR queue
66
/* and prevents the queue manager from running out of memory under
69
/* When the \fBactive\fR queue has room, the queue manager takes one
70
/* message from the \fBincoming\fR queue and one from the \fBdeferred\fR
71
/* queue. This prevents a large mail backlog from blocking the delivery
73
/* .IP "\fBslow start\fR"
74
/* This strategy eliminates "thundering herd" problems by slowly
75
/* adjusting the number of parallel deliveries to the same destination.
76
/* .IP "\fBround robin\fR
77
/* The queue manager sorts delivery requests by destination.
78
/* Round-robin selection prevents one destination from dominating
79
/* deliveries to other destinations.
80
/* .IP "\fBexponential backoff\fR"
81
/* Mail that cannot be delivered upon the first attempt is deferred.
82
/* The time interval between delivery attempts is doubled after each
84
/* .IP "\fBdestination status cache\fR"
85
/* The queue manager avoids unnecessary delivery attempts by
86
/* maintaining a short-term, in-memory list of unreachable destinations.
90
/* On an idle system, the queue manager waits for the arrival of
91
/* trigger events, or it waits for a timer to go off. A trigger
92
/* is a one-byte message.
93
/* Depending on the message received, the queue manager performs
94
/* one of the following actions (the message is followed by the
95
/* symbolic constant used internally by the software):
96
/* .IP "\fBD (QMGR_REQ_SCAN_DEFERRED)\fR"
97
/* Start a deferred queue scan. If a deferred queue scan is already
98
/* in progress, that scan will be restarted as soon as it finishes.
99
/* .IP "\fBI (QMGR_REQ_SCAN_INCOMING)\fR"
100
/* Start an incoming queue scan. If an incoming queue scan is already
101
/* in progress, that scan will be restarted as soon as it finishes.
102
/* .IP "\fBA (QMGR_REQ_SCAN_ALL)\fR"
103
/* Ignore deferred queue file time stamps. The request affects
104
/* the next deferred queue scan.
105
/* .IP "\fBF (QMGR_REQ_FLUSH_DEAD)\fR"
106
/* Purge all information about dead transports and destinations.
107
/* .IP "\fBW (TRIGGER_REQ_WAKEUP)\fR"
108
/* Wakeup call, This is used by the master server to instantiate
109
/* servers that should not go away forever. The action is to start
110
/* an incoming queue scan.
112
/* The \fBqmgr\fR daemon reads an entire buffer worth of triggers.
113
/* Multiple identical trigger requests are collapsed into one, and
114
/* trigger requests are sorted so that \fBA\fR and \fBF\fR precede
115
/* \fBD\fR and \fBI\fR. Thus, in order to force a deferred queue run,
116
/* one would request \fBA F D\fR; in order to notify the queue manager
117
/* of the arrival of new mail one would request \fBI\fR.
121
/* None. The \fBqmgr\fR daemon does not interact with the outside world.
125
/* The \fBqmgr\fR daemon is not security sensitive. It reads
126
/* single-character messages from untrusted local users, and thus may
127
/* be susceptible to denial of service attacks. The \fBqmgr\fR daemon
128
/* does not talk to the outside world, and it can be run at fixed low
129
/* privilege in a chrooted environment.
131
/* Problems and transactions are logged to the syslog daemon.
132
/* Corrupted message files are saved to the \fBcorrupt\fR queue
133
/* for further inspection.
135
/* Depending on the setting of the \fBnotify_classes\fR parameter,
136
/* the postmaster is notified of bounces and of other trouble.
138
/* A single queue manager process has to compete for disk access with
139
/* multiple front-end processes such as \fBsmtpd\fR. A sudden burst of
140
/* inbound mail can negatively impact outbound delivery rates.
141
/* CONFIGURATION PARAMETERS
144
/* Changes to \fBmain.cf\fR are not picked up automatically, as qmgr(8)
145
/* processes are persistent. Use the command "\fBpostfix reload\fR" after
146
/* a configuration change.
148
/* The text below provides only a parameter summary. See
149
/* postconf(5) for more details including examples.
151
/* In the text below, \fItransport\fR is the first field in a
152
/* \fBmaster.cf\fR entry.
153
/* COMPATIBILITY CONTROLS
156
/* .IP "\fBallow_min_user (no)\fR"
157
/* Allow a recipient address to have `-' as the first character.
158
/* ACTIVE QUEUE CONTROLS
161
/* .IP "\fBqmgr_clog_warn_time (300s)\fR"
162
/* The minimal delay between warnings that a specific destination is
163
/* clogging up the Postfix active queue.
164
/* .IP "\fBqmgr_message_active_limit (20000)\fR"
165
/* The maximal number of messages in the active queue.
166
/* .IP "\fBqmgr_message_recipient_limit (20000)\fR"
167
/* The maximal number of recipients held in memory by the Postfix
168
/* queue manager, and the maximal size of the size of the short-term,
169
/* in-memory "dead" destination status cache.
170
/* DELIVERY CONCURRENCY CONTROLS
173
/* .IP "\fBqmgr_fudge_factor (100)\fR"
174
/* Obsolete feature: the percentage of delivery resources that a busy
175
/* mail system will use up for delivery of a large mailing list
177
/* .IP "\fBinitial_destination_concurrency (5)\fR"
178
/* The initial per-destination concurrency level for parallel delivery
179
/* to the same destination.
180
/* .IP "\fBdefault_destination_concurrency_limit (20)\fR"
181
/* The default maximal number of parallel deliveries to the same
183
/* .IP \fItransport\fB_destination_concurrency_limit\fR
184
/* Idem, for delivery via the named message \fItransport\fR.
185
/* RECIPIENT SCHEDULING CONTROLS
188
/* .IP "\fBdefault_destination_recipient_limit (50)\fR"
189
/* The default maximal number of recipients per message delivery.
190
/* .IP \fItransport\fB_destination_recipient_limit\fR
191
/* Idem, for delivery via the named message \fItransport\fR.
192
/* OTHER RESOURCE AND RATE CONTROLS
195
/* .IP "\fBminimal_backoff_time (1000s)\fR"
196
/* The minimal time between attempts to deliver a deferred message.
197
/* .IP "\fBmaximal_backoff_time (4000s)\fR"
198
/* The maximal time between attempts to deliver a deferred message.
199
/* .IP "\fBmaximal_queue_lifetime (5d)\fR"
200
/* The maximal time a message is queued before it is sent back as
202
/* .IP "\fBqueue_run_delay (1000s)\fR"
203
/* The time between deferred queue scans by the queue manager.
204
/* .IP "\fBtransport_retry_time (60s)\fR"
205
/* The time between attempts by the Postfix queue manager to contact
206
/* a malfunctioning message delivery transport.
208
/* Available in Postfix version 2.1 and later:
209
/* .IP "\fBbounce_queue_lifetime (5d)\fR"
210
/* The maximal time a bounce message is queued before it is considered
212
/* .SH MISCELLANEOUS CONTROLS
215
/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
216
/* The default location of the Postfix main.cf and master.cf
217
/* configuration files.
218
/* .IP "\fBdaemon_timeout (18000s)\fR"
219
/* How much time a Postfix daemon process may take to handle a
220
/* request before it is terminated by a built-in watchdog timer.
221
/* .IP "\fBdefer_transports (empty)\fR"
222
/* The names of message delivery transports that should not be delivered
223
/* to unless someone issues "\fBsendmail -q\fR" or equivalent.
224
/* .IP "\fBhelpful_warnings (yes)\fR"
225
/* Log warnings about problematic configuration settings, and provide
226
/* helpful suggestions.
227
/* .IP "\fBipc_timeout (3600s)\fR"
228
/* The time limit for sending or receiving information over an internal
229
/* communication channel.
230
/* .IP "\fBprocess_id (read-only)\fR"
231
/* The process ID of a Postfix command or daemon process.
232
/* .IP "\fBprocess_name (read-only)\fR"
233
/* The process name of a Postfix command or daemon process.
234
/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
235
/* The location of the Postfix top-level queue directory.
236
/* .IP "\fBsyslog_facility (mail)\fR"
237
/* The syslog facility of Postfix logging.
238
/* .IP "\fBsyslog_name (postfix)\fR"
239
/* The mail system name that is prepended to the process name in syslog
240
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
242
/* /var/spool/postfix/incoming, incoming queue
243
/* /var/spool/postfix/active, active queue
244
/* /var/spool/postfix/deferred, deferred queue
245
/* /var/spool/postfix/bounce, non-delivery status
246
/* /var/spool/postfix/defer, non-delivery status
247
/* /var/spool/postfix/trace, delivery status
249
/* trivial-rewrite(8), address routing
250
/* bounce(8), delivery status reports
251
/* postconf(5), configuration parameters
252
/* master(8), process manager
253
/* syslogd(8) system logging
257
/* Use "\fBpostconf readme_directory\fR" or
258
/* "\fBpostconf html_directory\fR" to locate this information.
261
/* QSHAPE_README, Postfix queue analysis
265
/* The Secure Mailer license must be distributed with this software.
268
/* IBM T.J. Watson Research
270
/* Yorktown Heights, NY 10598, USA
273
/* System library. */
275
#include <sys_defs.h>
280
/* Utility library. */
287
/* Global library. */
289
#include <mail_queue.h>
290
#include <recipient_list.h>
291
#include <mail_conf.h>
292
#include <mail_params.h>
293
#include <mail_proto.h> /* QMGR_SCAN constants */
294
#include <mail_flow.h>
295
#include <flush_clnt.h>
297
/* Master process interface */
299
#include <master_proto.h>
300
#include <mail_server.h>
302
/* Application-specific. */
309
int var_queue_run_delay;
310
int var_min_backoff_time;
311
int var_max_backoff_time;
312
int var_max_queue_time;
313
int var_dsn_queue_time;
314
int var_qmgr_active_limit;
315
int var_qmgr_rcpt_limit;
316
int var_init_dest_concurrency;
317
int var_transport_retry_time;
318
int var_dest_con_limit;
319
int var_dest_rcpt_limit;
320
char *var_defer_xports;
321
bool var_allow_min_user;
323
int var_local_rcpt_lim; /* XXX */
324
int var_local_con_lim; /* XXX */
326
bool var_verp_bounce_off;
327
bool var_sender_routing;
328
int var_qmgr_clog_warn_time;
330
static QMGR_SCAN *qmgr_incoming;
331
static QMGR_SCAN *qmgr_deferred;
333
/* qmgr_deferred_run_event - queue manager heartbeat */
335
static void qmgr_deferred_run_event(int unused_event, char *dummy)
339
* This routine runs when it is time for another deferred queue scan.
340
* Make sure this routine gets called again in the future.
342
qmgr_scan_request(qmgr_deferred, QMGR_SCAN_START);
343
event_request_timer(qmgr_deferred_run_event, dummy, var_queue_run_delay);
346
/* qmgr_trigger_event - respond to external trigger(s) */
348
static void qmgr_trigger_event(char *buf, int len,
349
char *unused_service, char **argv)
351
int incoming_flag = 0;
352
int deferred_flag = 0;
356
* Sanity check. This service takes no command-line arguments.
359
msg_fatal("unexpected command-line argument: %s", argv[0]);
362
* Collapse identical requests that have arrived since we looked last
363
* time. There is no client feedback so there is no need to process each
364
* request in order. And as long as we don't have conflicting requests we
365
* are free to sort them into the most suitable order.
367
for (i = 0; i < len; i++) {
369
msg_info("request: %d (%c)",
370
buf[i], ISALNUM(buf[i]) ? buf[i] : '?');
372
case TRIGGER_REQ_WAKEUP:
373
case QMGR_REQ_SCAN_INCOMING:
374
incoming_flag |= QMGR_SCAN_START;
376
case QMGR_REQ_SCAN_DEFERRED:
377
deferred_flag |= QMGR_SCAN_START;
379
case QMGR_REQ_FLUSH_DEAD:
380
deferred_flag |= QMGR_FLUSH_DEAD;
381
incoming_flag |= QMGR_FLUSH_DEAD;
383
case QMGR_REQ_SCAN_ALL:
384
deferred_flag |= QMGR_SCAN_ALL;
385
incoming_flag |= QMGR_SCAN_ALL;
389
msg_info("request ignored");
395
* Process each request type at most once. Modifiers take effect upon the
396
* next queue run. If no queue run is in progress, and a queue scan is
397
* requested, the request takes effect immediately.
399
if (incoming_flag != 0)
400
qmgr_scan_request(qmgr_incoming, incoming_flag);
401
if (deferred_flag != 0)
402
qmgr_scan_request(qmgr_deferred, deferred_flag);
405
/* qmgr_loop - queue manager main loop */
407
static int qmgr_loop(char *unused_name, char **unused_argv)
415
* This routine runs as part of the event handling loop, after the event
416
* manager has delivered a timer or I/O event (including the completion
417
* of a connection to a delivery process), or after it has waited for a
418
* specified amount of time. The result value of qmgr_loop() specifies
419
* how long the event manager should wait for the next event.
422
#define WAIT_FOR_EVENT (-1)
425
* Attempt to drain the active queue by allocating a suitable delivery
426
* process and by delivering mail via it. Delivery process allocation and
427
* mail delivery are asynchronous.
432
* Let some new blood into the active queue when the queue size is
433
* smaller than some configurable limit, and when the number of in-core
434
* recipients does not exceed some configurable limit. When the system is
435
* under heavy load, favor new mail over old mail.
437
if (qmgr_message_count < var_qmgr_active_limit
438
&& qmgr_recipient_count < var_qmgr_rcpt_limit)
439
if ((in_path = qmgr_scan_next(qmgr_incoming)) != 0)
440
in_feed = qmgr_active_feed(qmgr_incoming, in_path);
441
if (qmgr_message_count < var_qmgr_active_limit
442
&& qmgr_recipient_count < var_qmgr_rcpt_limit)
443
if ((df_path = qmgr_scan_next(qmgr_deferred)) != 0)
444
qmgr_active_feed(qmgr_deferred, df_path);
447
* Global flow control. If enabled, slow down receiving processes that
448
* get ahead of the queue manager, but don't block them completely.
450
if (var_in_flow_delay > 0) {
451
token_count = mail_flow_count();
452
if (token_count < var_proc_limit) {
455
else if (qmgr_incoming->handle == 0)
456
mail_flow_put(var_proc_limit - token_count);
457
} else if (token_count > var_proc_limit) {
458
mail_flow_get(token_count - var_proc_limit);
461
if (in_path || df_path)
463
return (WAIT_FOR_EVENT);
466
/* pre_accept - see if tables have changed */
468
static void pre_accept(char *unused_name, char **unused_argv)
472
if ((table = dict_changed_name()) != 0) {
473
msg_info("table %s has changed -- restarting", table);
478
/* qmgr_pre_init - pre-jail initialization */
480
static void qmgr_pre_init(char *unused_name, char **unused_argv)
485
/* qmgr_post_init - post-jail initialization */
487
static void qmgr_post_init(char *unused_name, char **unused_argv)
493
if (var_qmgr_rcpt_limit < var_qmgr_active_limit) {
494
msg_warn("%s is smaller than %s",
495
VAR_QMGR_RCPT_LIMIT, VAR_QMGR_ACT_LIMIT);
496
var_qmgr_rcpt_limit = var_qmgr_active_limit;
500
* This routine runs after the skeleton code has entered the chroot jail.
501
* Prevent automatic process suicide after a limited number of client
502
* requests or after a limited amount of idle time. Move any left-over
503
* entries from the active queue to the incoming queue, and give them a
504
* time stamp into the future, in order to allow ongoing deliveries to
505
* finish first. Start scanning the incoming and deferred queues.
506
* Left-over active queue entries are moved to the incoming queue because
507
* the incoming queue has priority; moving left-overs to the deferred
508
* queue could cause anomalous delays when "postfix reload/start" are
513
qmgr_move(MAIL_QUEUE_ACTIVE, MAIL_QUEUE_INCOMING, event_time());
514
qmgr_incoming = qmgr_scan_create(MAIL_QUEUE_INCOMING);
515
qmgr_deferred = qmgr_scan_create(MAIL_QUEUE_DEFERRED);
516
qmgr_scan_request(qmgr_incoming, QMGR_SCAN_START);
517
qmgr_deferred_run_event(0, (char *) 0);
520
/* main - the main program */
522
int main(int argc, char **argv)
524
static CONFIG_STR_TABLE str_table[] = {
525
VAR_DEFER_XPORTS, DEF_DEFER_XPORTS, &var_defer_xports, 0, 0,
528
static CONFIG_TIME_TABLE time_table[] = {
529
VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0,
530
VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
531
VAR_MAX_BACKOFF_TIME, DEF_MAX_BACKOFF_TIME, &var_max_backoff_time, 1, 0,
532
VAR_MAX_QUEUE_TIME, DEF_MAX_QUEUE_TIME, &var_max_queue_time, 0, 8640000,
533
VAR_DSN_QUEUE_TIME, DEF_DSN_QUEUE_TIME, &var_dsn_queue_time, 0, 8640000,
534
VAR_XPORT_RETRY_TIME, DEF_XPORT_RETRY_TIME, &var_transport_retry_time, 1, 0,
535
VAR_QMGR_CLOG_WARN_TIME, DEF_QMGR_CLOG_WARN_TIME, &var_qmgr_clog_warn_time, 0, 0,
538
static CONFIG_INT_TABLE int_table[] = {
539
VAR_QMGR_ACT_LIMIT, DEF_QMGR_ACT_LIMIT, &var_qmgr_active_limit, 1, 0,
540
VAR_QMGR_RCPT_LIMIT, DEF_QMGR_RCPT_LIMIT, &var_qmgr_rcpt_limit, 1, 0,
541
VAR_INIT_DEST_CON, DEF_INIT_DEST_CON, &var_init_dest_concurrency, 1, 0,
542
VAR_DEST_CON_LIMIT, DEF_DEST_CON_LIMIT, &var_dest_con_limit, 0, 0,
543
VAR_DEST_RCPT_LIMIT, DEF_DEST_RCPT_LIMIT, &var_dest_rcpt_limit, 0, 0,
544
VAR_QMGR_FUDGE, DEF_QMGR_FUDGE, &var_qmgr_fudge, 10, 100,
545
VAR_LOCAL_RCPT_LIMIT, DEF_LOCAL_RCPT_LIMIT, &var_local_rcpt_lim, 0, 0,
546
VAR_LOCAL_CON_LIMIT, DEF_LOCAL_CON_LIMIT, &var_local_con_lim, 0, 0,
547
VAR_PROC_LIMIT, DEF_PROC_LIMIT, &var_proc_limit, 1, 0,
550
static CONFIG_BOOL_TABLE bool_table[] = {
551
VAR_ALLOW_MIN_USER, DEF_ALLOW_MIN_USER, &var_allow_min_user,
552
VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off,
553
VAR_SENDER_ROUTING, DEF_SENDER_ROUTING, &var_sender_routing,
558
* Use the trigger service skeleton, because no-one else should be
559
* monitoring our service port while this process runs, and because we do
560
* not talk back to the client.
562
trigger_server_main(argc, argv, qmgr_trigger_event,
563
MAIL_SERVER_INT_TABLE, int_table,
564
MAIL_SERVER_STR_TABLE, str_table,
565
MAIL_SERVER_BOOL_TABLE, bool_table,
566
MAIL_SERVER_TIME_TABLE, time_table,
567
MAIL_SERVER_PRE_INIT, qmgr_pre_init,
568
MAIL_SERVER_POST_INIT, qmgr_post_init,
569
MAIL_SERVER_LOOP, qmgr_loop,
570
MAIL_SERVER_PRE_ACCEPT, pre_accept,
571
MAIL_SERVER_SOLITARY,