| blob | e66951e4eb26e6ac470c9fad36c9eb7064c5b201 |
1 /* $NetBSD$ */
3 /*++
4 /* NAME
5 /* qmgr_active 3
6 /* SUMMARY
7 /* active queue management
8 /* SYNOPSIS
9 /* #include "qmgr.h"
10 /*
11 /* void qmgr_active_feed(scan_info, queue_id)
12 /* QMGR_SCAN *scan_info;
13 /* const char *queue_id;
14 /*
15 /* void qmgr_active_drain()
16 /*
17 /* int qmgr_active_done(message)
18 /* QMGR_MESSAGE *message;
19 /* DESCRIPTION
20 /* These functions maintain the active message queue: the set
21 /* of messages that the queue manager is actually working on.
22 /* The active queue is limited in size. Messages are drained
23 /* from the active queue by allocating a delivery process and
24 /* by delivering mail via that process. Messages leak into the
25 /* active queue only when the active queue is small enough.
26 /* Damaged message files are saved to the "corrupt" directory.
27 /*
28 /* qmgr_active_feed() inserts the named message file into
29 /* the active queue. Message files with the wrong name or
30 /* with other wrong properties are skipped but not removed.
31 /* The following queue flags are recognized, other flags being
32 /* ignored:
33 /* .IP QMGR_SCAN_ALL
34 /* Examine all queue files. Normally, deferred queue files with
35 /* future time stamps are ignored, and incoming queue files with
36 /* future time stamps are frowned upon.
37 /* .PP
38 /* qmgr_active_drain() allocates one delivery process.
39 /* Process allocation is asynchronous. Once the delivery
40 /* process is available, an attempt is made to deliver
41 /* a message via it. Message delivery is asynchronous, too.
42 /*
43 /* qmgr_active_done() deals with a message after delivery
44 /* has been tried for all in-core recipients. If the message
45 /* was bounced, a bounce message is sent to the sender, or
46 /* to the Errors-To: address if one was specified.
47 /* If there are more on-file recipients, a new batch of
48 /* in-core recipients is read from the queue file. Otherwise,
49 /* if a delivery agent marked the queue file as corrupt,
50 /* the queue file is moved to the "corrupt" queue (surprise);
51 /* if at least one delivery failed, the message is moved
52 /* to the deferred queue. The time stamps of a deferred queue
53 /* file are set to the nearest wakeup time of its recipient
54 /* sites (if delivery failed due to a problem with a next-hop
55 /* host), are set into the future by the amount of time the
56 /* message was queued (per-message exponential backoff), or are set
57 /* into the future by a minimal backoff time, whichever is more.
58 /* The minimal_backoff_time parameter specifies the minimal
59 /* amount of time between delivery attempts; maximal_backoff_time
60 /* specifies an upper limit.
61 /* DIAGNOSTICS
62 /* Fatal: queue file access failures, out of memory.
63 /* Panic: interface violations, internal consistency errors.
64 /* Warnings: corrupt message file. A corrupt message is saved
65 /* to the "corrupt" queue for further inspection.
66 /* LICENSE
67 /* .ad
68 /* .fi
69 /* The Secure Mailer license must be distributed with this software.
70 /* AUTHOR(S)
71 /* Wietse Venema
72 /* IBM T.J. Watson Research
73 /* P.O. Box 704
74 /* Yorktown Heights, NY 10598, USA
75 /*--*/
77 /* System library. */
79 #include <sys_defs.h>
80 #include <sys/stat.h>
81 #include <dirent.h>
82 #include <stdlib.h>
83 #include <unistd.h>
84 #include <string.h>
85 #include <utime.h>
86 #include <errno.h>
89 #define S_IRWXU 0700
90 #endif
92 /* Utility library. */
94 #include <msg.h>
95 #include <events.h>
96 #include <mymalloc.h>
97 #include <vstream.h>
99 /* Global library. */
101 #include <mail_params.h>
102 #include <mail_open_ok.h>
103 #include <mail_queue.h>
104 #include <recipient_list.h>
105 #include <bounce.h>
106 #include <defer.h>
107 #include <trace.h>
108 #include <abounce.h>
109 #include <rec_type.h>
110 #include <qmgr_user.h>
112 /* Application-specific. */
116 /*
117 * A bunch of call-back routines.
118 */
125 /* qmgr_active_corrupt - move corrupted file out of the way */
128 {
138 }
139 }
141 /* qmgr_active_defer - defer queue file */
145 {
165 }
166 }
168 /* qmgr_active_feed - feed one message into active queue */
171 {
182 /*
183 * Make sure this is something we are willing to open.
184 */
191 /*
192 * Skip files that have time stamps into the future. They need to cool
193 * down. Incoming and deferred files can have future time stamps.
194 */
201 }
203 /*
204 * Move the message to the active queue. File access errors are fatal.
205 */
213 }
215 /*
216 * Extract envelope information: sender and recipients. At this point,
217 * mail addresses have been processed by the cleanup service so they
218 * should be in canonical form. Generate requests to deliver this
219 * message.
220 *
221 * Throwing away queue files seems bad, especially when they made it this
222 * far into the mail system. Therefore we save bad files to a separate
223 * directory for further inspection.
224 *
225 * After queue manager restart it is possible that a queue file is still
226 * being delivered. In that case (the file is locked), defer delivery by
227 * a minimal amount of time.
228 */
229 #define QMGR_FLUSH_AFTER (QMGR_FLUSH_EACH | QMGR_FLUSH_DFXP)
245 /*
246 * Special case if all recipients were already delivered. Send any
247 * bounces and clean up.
248 */
252 }
253 }
255 /* qmgr_active_done - dispose of message after recipients have been tried */
258 {
265 /*
266 * During a previous iteration, an attempt to bounce this message may
267 * have failed, so there may still be a bounce log lying around. XXX By
268 * groping around in the bounce queue, we're trespassing on the bounce
269 * service's territory. But doing so is more robust than depending on the
270 * bounce daemon to do the lookup for us, and for us to do the deleting
271 * after we have received a successful status from the bounce service.
272 * The bounce queue directory blocks are most likely in memory anyway. If
273 * these lookups become a performance problem we will have to build an
274 * in-core cache into the bounce daemon.
275 *
276 * Don't bounce when the bounce log is empty. The bounce process obviously
277 * failed, and the delivery agent will have requested that the message be
278 * deferred.
279 *
280 * Bounces are sent asynchronously to avoid stalling while the cleanup
281 * daemon waits for the qmgr to accept the "new mail" trigger.
282 *
283 * See also code in cleanup_bounce.c.
284 */
301 qmgr_active_done_2_bounce_flush,
303 else
312 qmgr_active_done_2_bounce_flush,
315 }
316 }
318 /*
319 * Asynchronous processing does not reach this point.
320 */
322 }
324 /* qmgr_active_done_2_bounce_flush - process abounce_flush() status */
327 {
330 /*
331 * Process abounce_flush() status and continue processing.
332 */
335 }
337 /* qmgr_active_done_2_generic - continue processing */
340 {
346 /*
347 * A delivery agent marks a queue file as corrupt by changing its
348 * attributes, and by pretending that delivery was deferred.
349 */
355 }
357 /*
358 * If we did not read all recipients from this file, go read some more,
359 * but remember whether some recipients have to be tried again.
360 *
361 * Throwing away queue files seems bad, especially when they made it this
362 * far into the mail system. Therefore we save bad files to a separate
363 * directory for further inspection by a human being.
364 */
372 }
374 }
376 /*
377 * As a temporary implementation, synchronously inform the sender of
378 * trace information. This will block for 10 seconds when the qmgr FIFO
379 * is full.
380 *
381 * XXX With multi-recipient mail, some recipients may have NOTIFY=SUCCESS
382 * and others not. Depending on what subset of recipients are delivered,
383 * a trace file may or may not be created. Even when the last partial
384 * delivery attempt had no NOTIFY=SUCCESS recipients, a trace file may
385 * still exist from a previous partial delivery attempt. So as long as
386 * any recipient has NOTIFY=SUCCESS we have to always look for the trace
387 * file and be prepared for the file not to exist.
388 *
389 * See also comments in bounce/bounce_notify_util.c.
390 */
403 }
405 /*
406 * If we get to this point we have tried all recipients for this message.
407 * If the message is too old, try to bounce it.
408 *
409 * Bounces are sent asynchronously to avoid stalling while the cleanup
410 * daemon waits for the qmgr to accept the "new mail" trigger.
411 */
425 qmgr_active_done_3_defer_flush,
427 else
436 qmgr_active_done_3_defer_flush,
450 qmgr_active_done_3_defer_warn,
453 }
454 }
456 /*
457 * Asynchronous processing does not reach this point.
458 */
460 }
462 /* qmgr_active_done_3_defer_warn - continue after adefer_warn() completion */
465 {
468 /*
469 * Process adefer_warn() completion status and continue processing.
470 */
474 }
476 /* qmgr_active_done_3_defer_flush - continue after adefer_flush() completion */
479 {
482 /*
483 * Process adefer_flush() status and continue processing.
484 */
487 }
489 /* qmgr_active_done_3_generic - continue processing */
492 {
496 /*
497 * Some recipients need to be tried again. Move the queue file time
498 * stamps into the future by the amount of time that the message is
499 * delayed, and move the message to the deferred queue. Impose minimal
500 * and maximal backoff times.
501 *
502 * Since we look at actual time in queue, not time since last delivery
503 * attempt, backoff times will be distributed. However, we can still see
504 * spikes in delivery activity because the interval between deferred
505 * queue scans is finite.
506 */
516 }
519 }
521 /*
522 * All recipients done. Remove the queue file.
523 */
532 /* Same format as logged by postsuper. */
534 }
535 }
537 /*
538 * Finally, delete the in-core message structure.
539 */
541 }
543 /* qmgr_active_drain - drain active queue by allocating a delivery process */
546 {
549 /*
550 * Allocate one delivery process for every transport with pending mail.
551 * The process allocation completes asynchronously.
552 */
557 }
558 }