| blob | 41fd8853e92907daefd6d3a7ffd8d2918356c17f |
1 /* $NetBSD$ */
3 /*++
4 /* NAME
5 /* qmgr_message 3
6 /* SUMMARY
7 /* in-core message structures
8 /* SYNOPSIS
9 /* #include "qmgr.h"
10 /*
11 /* int qmgr_message_count;
12 /* int qmgr_recipient_count;
13 /*
14 /* QMGR_MESSAGE *qmgr_message_alloc(class, name, qflags, mode)
15 /* const char *class;
16 /* const char *name;
17 /* int qflags;
18 /* mode_t mode;
19 /*
20 /* QMGR_MESSAGE *qmgr_message_realloc(message)
21 /* QMGR_MESSAGE *message;
22 /*
23 /* void qmgr_message_free(message)
24 /* QMGR_MESSAGE *message;
25 /*
26 /* void qmgr_message_update_warn(message)
27 /* QMGR_MESSAGE *message;
28 /*
29 /* void qmgr_message_kill_record(message, offset)
30 /* QMGR_MESSAGE *message;
31 /* long offset;
32 /* DESCRIPTION
33 /* This module performs en-gross operations on queue messages.
34 /*
35 /* qmgr_message_count is a global counter for the total number
36 /* of in-core message structures (i.e. the total size of the
37 /* `active' message queue).
38 /*
39 /* qmgr_recipient_count is a global counter for the total number
40 /* of in-core recipient structures (i.e. the sum of all recipients
41 /* in all in-core message structures).
42 /*
43 /* qmgr_message_alloc() creates an in-core message structure
44 /* with sender and recipient information taken from the named queue
45 /* file. A null result means the queue file could not be read or
46 /* that the queue file contained incorrect information. A result
47 /* QMGR_MESSAGE_LOCKED means delivery must be deferred. The number
48 /* of recipients read from a queue file is limited by the global
49 /* var_qmgr_rcpt_limit configuration parameter. When the limit
50 /* is reached, the \fIrcpt_offset\fR structure member is set to
51 /* the position where the read was terminated. Recipients are
52 /* run through the resolver, and are assigned to destination
53 /* queues. Recipients that cannot be assigned are deferred or
54 /* bounced. Mail that has bounced twice is silently absorbed.
55 /* A non-zero mode means change the queue file permissions.
56 /*
57 /* qmgr_message_realloc() resumes reading recipients from the queue
58 /* file, and updates the recipient list and \fIrcpt_offset\fR message
59 /* structure members. A null result means that the file could not be
60 /* read or that the file contained incorrect information. Recipient
61 /* limit imposed this time is based on the position of the message
62 /* job(s) on corresponding transport job list(s). It's considered
63 /* an error to call this when the recipient slots can't be allocated.
64 /*
65 /* qmgr_message_free() destroys an in-core message structure and makes
66 /* the resources available for reuse. It is an error to destroy
67 /* a message structure that is still referenced by queue entry structures.
68 /*
69 /* qmgr_message_update_warn() takes a closed message, opens it, updates
70 /* the warning field, and closes it again.
71 /*
72 /* qmgr_message_kill_record() takes a closed message, opens it, updates
73 /* the record type at the given offset to "killed", and closes the file.
74 /* A killed envelope record is ignored. Killed records are not allowed
75 /* inside the message content.
76 /* DIAGNOSTICS
77 /* Warnings: malformed message file. Fatal errors: out of memory.
78 /* SEE ALSO
79 /* envelope(3) message envelope parser
80 /* LICENSE
81 /* .ad
82 /* .fi
83 /* The Secure Mailer license must be distributed with this software.
84 /* AUTHOR(S)
85 /* Wietse Venema
86 /* IBM T.J. Watson Research
87 /* P.O. Box 704
88 /* Yorktown Heights, NY 10598, USA
89 /*
90 /* Preemptive scheduler enhancements:
91 /* Patrik Rak
92 /* Modra 6
93 /* 155 00, Prague, Czech Republic
94 /*--*/
96 /* System library. */
98 #include <sys_defs.h>
99 #include <sys/stat.h>
100 #include <stdlib.h>
102 #include <fcntl.h>
103 #include <errno.h>
104 #include <unistd.h>
105 #include <string.h>
106 #include <ctype.h>
108 #ifdef STRCASECMP_IN_STRINGS_H
109 #include <strings.h>
110 #endif
112 /* Utility library. */
114 #include <msg.h>
115 #include <mymalloc.h>
116 #include <vstring.h>
117 #include <vstream.h>
118 #include <split_at.h>
119 #include <valid_hostname.h>
120 #include <argv.h>
121 #include <stringops.h>
122 #include <myflock.h>
123 #include <sane_time.h>
125 /* Global library. */
127 #include <dict.h>
128 #include <mail_queue.h>
129 #include <mail_params.h>
130 #include <canon_addr.h>
131 #include <record.h>
132 #include <rec_type.h>
133 #include <sent.h>
134 #include <deliver_completed.h>
135 #include <opened.h>
136 #include <verp_sender.h>
137 #include <mail_proto.h>
138 #include <qmgr_user.h>
139 #include <split_addr.h>
140 #include <dsn_mask.h>
141 #include <rec_attr_map.h>
143 /* Client stubs. */
145 #include <rewrite_clnt.h>
146 #include <resolve_clnt.h>
148 /* Application-specific. */
155 /* qmgr_message_create - create in-core message structure */
159 {
163 qmgr_message_count++;
208 }
210 /* qmgr_message_close - close queue file */
213 {
216 }
218 /* qmgr_message_open - open queue file */
221 {
223 /*
224 * Sanity check.
225 */
229 /*
230 * Open this queue file. Skip files that we cannot open. Back off when
231 * the system appears to be running out of resources.
232 */
240 }
242 }
244 /* qmgr_message_oldstyle_scan - support for Postfix < 1.0 queue files */
247 {
253 /*
254 * Initialize. No early returns or we have a memory leak.
255 */
260 /*
261 * Rewind to the very beginning to make sure we see all records.
262 */
266 /*
267 * Scan through the old style queue file. Count the total number of
268 * recipients and find the data/extra sections offsets. Note that the new
269 * queue files require that data_size equals extra_offset - data_offset,
270 * so we set data_size to this as well and ignore the size record itself
271 * completely.
272 */
277 /* Report missing end record later. */
289 }
300 }
302 }
303 }
305 /*
306 * Clean up.
307 */
312 /*
313 * Sanity checks. Verify that all required information was found,
314 * including the queue file end marker.
315 */
318 }
320 /* qmgr_message_read - read envelope records */
323 {
341 /*
342 * Initialize. No early returns or we have a memory leak.
343 */
346 /*
347 * If we re-open this file, skip over on-file recipient records that we
348 * already looked at, and refill the in-core recipient address list.
349 *
350 * For the first time, the message recipient limit is calculated from the
351 * global recipient limit. This is to avoid reading little recipients
352 * when the active queue is near empty. When the queue becomes full, only
353 * the necessary amount is read in core. Such priming is necessary
354 * because there are no message jobs yet.
355 *
356 * For the next time, the recipient limit is based solely on the message
357 * jobs' positions in the job lists and/or job stacks.
358 */
371 }
372 /* Keep interrupt latency in check. */
380 /*
381 * Read envelope records. XXX Rely on the front-end programs to enforce
382 * record size limits. Read up to recipient_limit recipients from the
383 * queue file, to protect against memory exhaustion. Recipient records
384 * may appear before or after the message content, so we keep reading
385 * from the queue file until we have enough recipients (rcpt_offset != 0)
386 * and until we know all the non-recipient information.
387 *
388 * Note that the total recipient count record is accurate only for fresh
389 * queue files. After some of the recipients are marked as done and the
390 * queue file is deferred, it can be used as upper bound estimate only.
391 * Fortunately, this poses no major problem on the scheduling algorithm,
392 * as the only impact is that the already deferred messages are not
393 * chosen by qmgr_job_candidate() as often as they could.
394 *
395 * On the first open, we must examine all non-recipient records.
396 *
397 * Optimization: when we know that recipient records are not mixed with
398 * non-recipient records, as is typical with mailing list mail, then we
399 * can avoid having to examine all the queue file records before we can
400 * start deliveries. This avoids some file system thrashing with huge
401 * mailing lists.
402 */
410 }
418 /* Need to update curr_offset after pointer jump. */
420 }
425 }
429 }
431 /*
432 * Map named attributes to pseudo record types, so that we don't have
433 * to pollute the queue file with records that are incompatible with
434 * past Postfix versions. Preferably, people should be able to back
435 * out from an upgrade without losing mail.
436 */
443 }
447 }
448 }
450 /*
451 * Process recipient records.
452 */
454 /* See also below for code setting orig_rcpt etc. */
464 }
468 }
476 /* We already examined all non-recipient records. */
479 /* Examine all remaining non-recipient records. */
481 /* Optimizations for "pure recipient" record sections. */
483 /* We already examined all non-recipient records. */
486 }
487 /* Examine non-recipient records in extracted segment. */
492 }
493 }
495 }
502 }
506 }
509 }
511 }
513 /* See also above for code clearing dsn_orcpt. */
519 }
523 }
525 /* See also above for code clearing dsn_notify. */
530 }
535 else
538 }
539 }
541 /* See also above for code clearing orig_rcpt. */
547 }
551 }
553 /*
554 * Process non-recipient records.
555 */
557 /* We already examined all non-recipient records. */
565 /* Postfix >= 1.0 (a.k.a. 20010228). */
571 }
577 }
579 /* Postfix < 1.0 (a.k.a. 20010228). */
582 /* Can't happen. */
587 }
588 }
589 /* Postfix < 2.4 compatibility. */
597 }
599 }
604 }
609 }
615 }
621 }
627 }
634 }
636 }
640 }
646 else
648 }
649 }
651 /* Allow extra segment to override envelope segment info. */
656 }
658 /*
659 * Backwards compatibility. Before Postfix 2.3, the logging
660 * attributes were called client_name, etc. Now they are called
661 * log_client_name. etc., and client_name is used for the actual
662 * client information. To support old queue files we accept both
663 * names for the purpose of logging; the new name overrides the
664 * old one.
665 *
666 * XXX Do not use the "legacy" client_name etc. attribute values for
667 * initializing the logging attributes, when this file already
668 * contains the "modern" log_client_name etc. logging attributes.
669 * Otherwise, logging attributes that are not present in the
670 * queue file would be set with information from the real client.
671 */
687 }
688 /* Original client attributes. */
717 else
723 else
729 else
735 else
738 }
740 /*
741 * Optional tracing flags (verify, sendmail -v, sendmail -bv).
742 * This record is killed after a trace logfile report is sent and
743 * after the logfile is deleted.
744 */
749 else
751 }
753 }
758 }
760 }
772 }
773 }
775 }
776 }
778 /*
779 * Grr.
780 */
786 }
792 }
794 /*
795 * Remember when we have read the last recipient batch. Note that we do
796 * it here after reading as reading might have used considerable amount
797 * of time.
798 */
801 /*
802 * Avoid clumsiness elsewhere in the program. When sending data across an
803 * IPC channel, sending an empty string is more convenient than sending a
804 * null pointer.
805 */
828 /* Postfix < 2.3 compatibility. */
832 /*
833 * Clean up.
834 */
837 /*
838 * Sanity checks. Verify that all required information was found,
839 * including the queue file end marker.
840 */
846 }
848 /* Already logged warning. */
860 }
866 }
868 /* qmgr_message_update_warn - update the time of next delay warning */
871 {
873 /*
874 * XXX eventually this should let us schedule multiple warnings, right
875 * now it just allows for one.
876 */
884 }
886 /* qmgr_message_kill_record - mark one message record as killed */
889 {
897 }
899 /* qmgr_message_sort_compare - compare recipient information */
902 {
911 /*
912 * Compare most significant to least significant recipient attributes.
913 * The comparison function must be transitive, so NULL values need to be
914 * assigned an ordinal (we set NULL last).
915 */
925 /*
926 * Compare message transport.
927 */
932 /*
933 * Compare queue name (nexthop or recipient@nexthop).
934 */
937 }
939 /*
940 * Compare recipient domain.
941 */
952 /*
953 * Compare recipient address.
954 */
956 }
958 /* qmgr_message_sort - sort message recipient addresses by domain */
961 {
972 }
973 }
975 /* qmgr_resolve_one - resolve or skip one recipient */
979 {
980 #define QMGR_REDIRECT(rp, tp, np) do { \
981 (rp)->flags = 0; \
982 vstring_strcpy((rp)->transport, (tp)); \
983 vstring_strcpy((rp)->nexthop, (np)); \
984 } while (0)
988 else
1000 }
1001 }
1003 /* qmgr_message_resolve - resolve recipients */
1006 {
1012 RESOLVE_REPLY reply;
1017 ssize_t len;
1019 DSN dsn;
1020 MSG_STATS stats;
1023 #define STREQ(x,y) (strcmp(x,y) == 0)
1024 #define STR vstring_str
1025 #define LEN VSTRING_LEN
1031 /*
1032 * Redirect overrides all else. But only once (per entire message).
1033 * For consistency with the remainder of Postfix, rewrite the address
1034 * to canonical form before resolving it.
1035 */
1040 }
1052 }
1054 /*
1055 * Content filtering overrides the address resolver.
1056 *
1057 * XXX Bypass content_filter inspection for user-generated probes
1058 * (sendmail -bv). MTA-generated probes never have the "please filter
1059 * me" bits turned on, but we handle them here anyway for the sake of
1060 * future proofing.
1061 */
1071 }
1073 /*
1074 * Resolve the destination to (transport, nexthop, address). The
1075 * result address may differ from the one specified by the sender.
1076 */
1083 }
1085 /*
1086 * Bounce null recipients. This should never happen, but is most
1087 * likely the result of a fault in a different program, so aborting
1088 * the queue manager process does not help.
1089 */
1093 }
1095 /*
1096 * Discard mail to the local double bounce address here, so this
1097 * system can run without a local delivery agent. They'd still have
1098 * to configure something for mail directed to the local postmaster,
1099 * though, but that is an RFC requirement anyway.
1100 *
1101 * XXX This lookup should be done in the resolver, and the mail should
1102 * be directed to a general-purpose null delivery agent.
1103 */
1117 #if 0
1118 /* It's the default verification probe sender address. */
1121 #endif
1125 }
1126 }
1128 /*
1129 * Optionally defer deliveries over specific transports, unless the
1130 * restriction is lifted temporarily.
1131 */
1141 }
1142 }
1144 /*
1145 * Look up or instantiate the proper transport.
1146 */
1151 }
1153 /*
1154 * This message is being flushed. If need-be unthrottle the
1155 * transport.
1156 */
1161 /*
1162 * This transport is dead. Defer delivery to this recipient.
1163 */
1174 }
1175 }
1177 /*
1178 * The nexthop destination provides the default name for the
1179 * per-destination queue. When the delivery agent accepts only one
1180 * recipient per delivery, give each recipient its own queue, so that
1181 * deliveries to different recipients of the same message can happen
1182 * in parallel, and so that we can enforce per-recipient concurrency
1183 * limits and prevent one recipient from tying up all the delivery
1184 * agent resources. We use recipient@nexthop as queue name rather
1185 * than the actual recipient domain name, so that one recipient in
1186 * multiple equivalent domains cannot evade the per-recipient
1187 * concurrency limit. Split the address on the recipient delimiter if
1188 * one is defined, so that extended addresses don't get extra
1189 * delivery slots.
1190 *
1191 * Fold the result to lower case so that we don't have multiple queues
1192 * for the same name.
1193 *
1194 * Important! All recipients in a queue must have the same nexthop
1195 * value. It is OK to have multiple queues with the same nexthop
1196 * value, but only when those queues are named after recipients.
1197 *
1198 * The single-recipient code below was written for local(8) like
1199 * delivery agents, and assumes that all domains that deliver to the
1200 * same (transport + nexthop) are aliases for $nexthop. Delivery
1201 * concurrency is changed from per-domain into per-recipient, by
1202 * changing the queue name from nexthop into localpart@nexthop.
1203 *
1204 * XXX This assumption is incorrect when different destinations share
1205 * the same (transport + nexthop). In reality, such transports are
1206 * rarely configured to use single-recipient deliveries. The fix is
1207 * to decouple the per-destination recipient limit from the
1208 * per-destination concurrency.
1209 */
1214 /* Copy the recipient localpart. */
1219 /* Remove the address extension from the recipient localpart. */
1222 /* Assume the recipient domain is equivalent to nexthop. */
1224 }
1227 /*
1228 * This transport is alive. Find or instantiate a queue for this
1229 * recipient.
1230 */
1235 }
1237 /*
1238 * This message is being flushed. If need-be unthrottle the queue.
1239 */
1244 /*
1245 * This queue is dead. Defer delivery to this recipient.
1246 */
1252 }
1253 }
1255 /*
1256 * This queue is alive. Bind this recipient to this queue instance.
1257 */
1259 }
1262 }
1264 /* qmgr_message_assign - assign recipients to specific delivery requests */
1267 {
1275 /*
1276 * Try to bundle as many recipients in a delivery request as we can. When
1277 * the recipient resolves to the same site and transport as an existing
1278 * recipient, do not create a new queue entry, just move that recipient
1279 * to the recipient list of the existing queue entry. All this provided
1280 * that we do not exceed the transport-specific limit on the number of
1281 * recipients per transaction.
1282 */
1283 #define LIMIT_OK(limit, count) ((limit) == 0 || ((count) < (limit)))
1287 /*
1288 * Skip recipients with a dead transport or destination.
1289 */
1293 /*
1294 * Lookup or instantiate the message job if necessary.
1295 */
1299 }
1301 /*
1302 * Lookup or instantiate job peer if necessary.
1303 */
1307 /*
1308 * Lookup old or instantiate new recipient entry. We try to reuse the
1309 * last existing entry whenever the recipient limit permits.
1310 */
1316 /*
1317 * Add the recipient to the current entry and increase all those
1318 * recipient counters accordingly.
1319 */
1325 qmgr_recipient_count++;
1326 }
1328 /*
1329 * Release the message recipient list and reinitialize it for the next
1330 * time.
1331 */
1335 /*
1336 * Note that even if qmgr_job_obtain() reset the job candidate cache of
1337 * all transports to which we assigned new recipients, this message may
1338 * have other jobs which we didn't touch at all this time. But the number
1339 * of unread recipients affecting the candidate selection might have
1340 * changed considerably, so we must invalidate the caches if it might be
1341 * of some use.
1342 */
1347 }
1349 /* qmgr_message_move_limits - recycle unused recipient slots */
1352 {
1357 }
1359 /* qmgr_message_free - release memory for in-core message structure */
1362 {
1406 qmgr_message_count--;
1408 }
1410 /* qmgr_message_alloc - create in-core message structure */
1414 {
1421 /*
1422 * Create an in-core message structure.
1423 */
1426 /*
1427 * Extract message envelope information: time of arrival, sender address,
1428 * recipient addresses. Skip files with malformed envelope information.
1429 */
1430 #define QMGR_LOCK_MODE (MYFLOCK_OP_EXCLUSIVE | MYFLOCK_OP_NOWAIT)
1435 }
1441 }
1448 /*
1449 * We have validated the queue file content, so it is safe to modify
1450 * the file properties now.
1451 */
1455 /*
1456 * Reset the defer log. This code should not be here, but we must
1457 * reset the defer log *after* acquiring the exclusive lock on the
1458 * queue file and *before* resolving new recipients. Since all those
1459 * operations are encapsulated so nicely by this routine, the defer
1460 * log reset has to be done here as well.
1461 *
1462 * Note: it is safe to remove the defer logfile from a previous queue
1463 * run of this queue file, because the defer log contains information
1464 * about recipients that still exist in this queue file.
1465 */
1477 }
1478 }
1480 /* qmgr_message_realloc - refresh in-core message structure */
1483 {
1486 /*
1487 * Sanity checks.
1488 */
1495 /*
1496 * Extract recipient addresses. Skip files with malformed envelope
1497 * information.
1498 */
1513 }
1514 }