| blob | 0e083628a90d90f8f2417cb3795141877a0378d1 |
1 /* $NetBSD$ */
3 /*++
4 /* NAME
5 /* qmgr_message 3
6 /* SUMMARY
7 /* in-core message structures
8 /* SYNOPSIS
9 /* #include "qmgr.h"
10 /*
11 /* int qmgr_message_count;
12 /* int qmgr_recipient_count;
13 /*
14 /* QMGR_MESSAGE *qmgr_message_alloc(class, name, qflags, mode)
15 /* const char *class;
16 /* const char *name;
17 /* int qflags;
18 /* mode_t mode;
19 /*
20 /* QMGR_MESSAGE *qmgr_message_realloc(message)
21 /* QMGR_MESSAGE *message;
22 /*
23 /* void qmgr_message_free(message)
24 /* QMGR_MESSAGE *message;
25 /*
26 /* void qmgr_message_update_warn(message)
27 /* QMGR_MESSAGE *message;
28 /*
29 /* void qmgr_message_kill_record(message, offset)
30 /* QMGR_MESSAGE *message;
31 /* long offset;
32 /* DESCRIPTION
33 /* This module performs en-gross operations on queue messages.
34 /*
35 /* qmgr_message_count is a global counter for the total number
36 /* of in-core message structures (i.e. the total size of the
37 /* `active' message queue).
38 /*
39 /* qmgr_recipient_count is a global counter for the total number
40 /* of in-core recipient structures (i.e. the sum of all recipients
41 /* in all in-core message structures).
42 /*
43 /* qmgr_message_alloc() creates an in-core message structure
44 /* with sender and recipient information taken from the named queue
45 /* file. A null result means the queue file could not be read or
46 /* that the queue file contained incorrect information. A result
47 /* QMGR_MESSAGE_LOCKED means delivery must be deferred. The number
48 /* of recipients read from a queue file is limited by the global
49 /* var_qmgr_rcpt_limit configuration parameter. When the limit
50 /* is reached, the \fIrcpt_offset\fR structure member is set to
51 /* the position where the read was terminated. Recipients are
52 /* run through the resolver, and are assigned to destination
53 /* queues. Recipients that cannot be assigned are deferred or
54 /* bounced. Mail that has bounced twice is silently absorbed.
55 /* A non-zero mode means change the queue file permissions.
56 /*
57 /* qmgr_message_realloc() resumes reading recipients from the queue
58 /* file, and updates the recipient list and \fIrcpt_offset\fR message
59 /* structure members. A null result means that the file could not be
60 /* read or that the file contained incorrect information.
61 /*
62 /* qmgr_message_free() destroys an in-core message structure and makes
63 /* the resources available for reuse. It is an error to destroy
64 /* a message structure that is still referenced by queue entry structures.
65 /*
66 /* qmgr_message_update_warn() takes a closed message, opens it, updates
67 /* the warning field, and closes it again.
68 /*
69 /* qmgr_message_kill_record() takes a closed message, opens it, updates
70 /* the record type at the given offset to "killed", and closes the file.
71 /* A killed envelope record is ignored. Killed records are not allowed
72 /* inside the message content.
73 /* DIAGNOSTICS
74 /* Warnings: malformed message file. Fatal errors: out of memory.
75 /* SEE ALSO
76 /* envelope(3) message envelope parser
77 /* LICENSE
78 /* .ad
79 /* .fi
80 /* The Secure Mailer license must be distributed with this software.
81 /* AUTHOR(S)
82 /* Wietse Venema
83 /* IBM T.J. Watson Research
84 /* P.O. Box 704
85 /* Yorktown Heights, NY 10598, USA
86 /*--*/
88 /* System library. */
90 #include <sys_defs.h>
91 #include <sys/stat.h>
92 #include <stdlib.h>
94 #include <fcntl.h>
95 #include <errno.h>
96 #include <unistd.h>
97 #include <string.h>
98 #include <ctype.h>
100 #ifdef STRCASECMP_IN_STRINGS_H
101 #include <strings.h>
102 #endif
104 /* Utility library. */
106 #include <msg.h>
107 #include <mymalloc.h>
108 #include <vstring.h>
109 #include <vstream.h>
110 #include <split_at.h>
111 #include <valid_hostname.h>
112 #include <argv.h>
113 #include <stringops.h>
114 #include <myflock.h>
116 /* Global library. */
118 #include <dict.h>
119 #include <mail_queue.h>
120 #include <mail_params.h>
121 #include <canon_addr.h>
122 #include <record.h>
123 #include <rec_type.h>
124 #include <sent.h>
125 #include <deliver_completed.h>
126 #include <opened.h>
127 #include <verp_sender.h>
128 #include <mail_proto.h>
129 #include <qmgr_user.h>
130 #include <split_addr.h>
131 #include <dsn_mask.h>
132 #include <rec_attr_map.h>
134 /* Client stubs. */
136 #include <rewrite_clnt.h>
137 #include <resolve_clnt.h>
139 /* Application-specific. */
146 /* qmgr_message_create - create in-core message structure */
150 {
154 qmgr_message_count++;
193 }
195 /* qmgr_message_close - close queue file */
198 {
201 }
203 /* qmgr_message_open - open queue file */
206 {
208 /*
209 * Sanity check.
210 */
214 /*
215 * Open this queue file. Skip files that we cannot open. Back off when
216 * the system appears to be running out of resources.
217 */
225 }
227 }
229 /* qmgr_message_oldstyle_scan - support for Postfix < 1.0 queue files */
232 {
238 /*
239 * Initialize. No early returns or we have a memory leak.
240 */
245 /*
246 * Rewind to the very beginning to make sure we see all records.
247 */
251 /*
252 * Scan through the old style queue file. Count the total number of
253 * recipients and find the data/extra sections offsets. Note that the new
254 * queue files require that data_size equals extra_offset - data_offset,
255 * so we set data_size to this as well and ignore the size record itself
256 * completely.
257 */
261 /* Report missing end record later. */
278 }
280 }
281 }
283 /*
284 * Clean up.
285 */
290 /*
291 * Sanity checks. Verify that all required information was found,
292 * including the queue file end marker.
293 */
296 }
298 /* qmgr_message_read - read envelope records */
301 {
318 /*
319 * Initialize. No early returns or we have a memory leak.
320 */
323 /*
324 * If we re-open this file, skip over on-file recipient records that we
325 * already looked at, and refill the in-core recipient address list.
326 */
334 }
336 /*
337 * Read envelope records. XXX Rely on the front-end programs to enforce
338 * record size limits. Read up to var_qmgr_rcpt_limit recipients from the
339 * queue file, to protect against memory exhaustion. Recipient records
340 * may appear before or after the message content, so we keep reading
341 * from the queue file until we have enough recipients (rcpt_offset != 0)
342 * and until we know all the non-recipient information.
343 *
344 * When reading recipients from queue file, stop reading when we reach a
345 * per-message in-core recipient limit rather than a global in-core
346 * recipient limit. Use the global recipient limit only in order to stop
347 * opening queue files. The purpose is to achieve equal delay for
348 * messages with recipient counts up to var_qmgr_rcpt_limit recipients.
349 *
350 * If we would read recipients up to a global recipient limit, the average
351 * number of in-core recipients per message would asymptotically approach
352 * (global recipient limit)/(active queue size limit), which gives equal
353 * delay per recipient rather than equal delay per message.
354 *
355 * On the first open, we must examine all non-recipient records.
356 *
357 * Optimization: when we know that recipient records are not mixed with
358 * non-recipient records, as is typical with mailing list mail, then we
359 * can avoid having to examine all the queue file records before we can
360 * start deliveries. This avoids some file system thrashing with huge
361 * mailing lists.
362 */
370 }
378 /* Need to update curr_offset after pointer jump. */
380 }
385 }
389 }
391 /*
392 * Map named attributes to pseudo record types, so that we don't have
393 * to pollute the queue file with records that are incompatible with
394 * past Postfix versions. Preferably, people should be able to back
395 * out from an upgrade without losing mail.
396 */
403 }
407 }
408 }
410 /*
411 * Process recipient records.
412 */
414 /* See also below for code setting orig_rcpt etc. */
415 #define FUDGE(x) ((x) * (var_qmgr_fudge / 100.0))
424 }
428 }
436 /* We already examined all non-recipient records. */
439 /* Examine all remaining non-recipient records. */
441 /* Optimizations for "pure recipient" record sections. */
443 /* We already examined all non-recipient records. */
446 }
447 /* Examine non-recipient records in extracted segment. */
452 }
453 }
455 }
461 }
465 }
468 }
470 }
472 /* See also above for code clearing dsn_orcpt. */
478 }
482 }
484 /* See also above for code clearing dsn_notify. */
489 }
494 else
497 }
498 }
500 /* See also above for code clearing orig_rcpt. */
506 }
510 }
512 /*
513 * Process non-recipient records.
514 */
516 /* We already examined all non-recipient records. */
524 /* Postfix >= 1.0 (a.k.a. 20010228). */
530 }
536 }
538 /* Postfix < 1.0 (a.k.a. 20010228). */
541 /* Can't happen. */
546 }
547 }
548 /* Postfix < 2.4 compatibility. */
556 }
558 }
563 }
568 }
574 }
580 }
586 }
593 }
595 }
599 }
605 else
607 }
608 }
610 /* Allow extra segment to override envelope segment info. */
615 }
617 /*
618 * Backwards compatibility. Before Postfix 2.3, the logging
619 * attributes were called client_name, etc. Now they are called
620 * log_client_name. etc., and client_name is used for the actual
621 * client information. To support old queue files, we accept both
622 * names for the purpose of logging; the new name overrides the
623 * old one.
624 *
625 * XXX Do not use the "legacy" client_name etc. attribute values for
626 * initializing the logging attributes, when this file already
627 * contains the "modern" log_client_name etc. logging attributes.
628 * Otherwise, logging attributes that are not present in the
629 * queue file would be set with information from the real client.
630 */
646 }
647 /* Original client attributes. */
676 else
682 else
688 else
694 else
697 }
699 /*
700 * Optional tracing flags (verify, sendmail -v, sendmail -bv).
701 * This record is killed after a trace logfile report is sent and
702 * after the logfile is deleted.
703 */
708 else
710 }
712 }
717 }
719 }
731 }
732 }
734 }
735 }
737 /*
738 * Grr.
739 */
745 }
751 }
753 /*
754 * Avoid clumsiness elsewhere in the program. When sending data across an
755 * IPC channel, sending an empty string is more convenient than sending a
756 * null pointer.
757 */
780 /* Postfix < 2.3 compatibility. */
784 /*
785 * Clean up.
786 */
789 /*
790 * Sanity checks. Verify that all required information was found,
791 * including the queue file end marker.
792 */
794 /* Already logged warning. */
806 }
809 }
811 /* qmgr_message_update_warn - update the time of next delay warning */
814 {
816 /*
817 * XXX eventually this should let us schedule multiple warnings, right
818 * now it just allows for one.
819 */
827 }
829 /* qmgr_message_kill_record - mark one message record as killed */
832 {
840 }
842 /* qmgr_message_sort_compare - compare recipient information */
845 {
854 /*
855 * Compare most significant to least significant recipient attributes.
856 * The comparison function must be transitive, so NULL values need to be
857 * assigned an ordinal (we set NULL last).
858 */
868 /*
869 * Compare message transport.
870 */
875 /*
876 * Compare queue name (nexthop or recipient@nexthop).
877 */
880 }
882 /*
883 * Compare recipient domain.
884 */
895 /*
896 * Compare recipient address.
897 */
899 }
901 /* qmgr_message_sort - sort message recipient addresses by domain */
904 {
915 }
916 }
918 /* qmgr_resolve_one - resolve or skip one recipient */
922 {
923 #define QMGR_REDIRECT(rp, tp, np) do { \
924 (rp)->flags = 0; \
925 vstring_strcpy((rp)->transport, (tp)); \
926 vstring_strcpy((rp)->nexthop, (np)); \
927 } while (0)
931 else
943 }
944 }
946 /* qmgr_message_resolve - resolve recipients */
949 {
955 RESOLVE_REPLY reply;
960 ssize_t len;
962 DSN dsn;
963 MSG_STATS stats;
966 #define STREQ(x,y) (strcmp(x,y) == 0)
967 #define STR vstring_str
968 #define LEN VSTRING_LEN
974 /*
975 * Redirect overrides all else. But only once (per entire message).
976 * For consistency with the remainder of Postfix, rewrite the address
977 * to canonical form before resolving it.
978 */
983 }
993 }
995 /*
996 * Content filtering overrides the address resolver.
997 *
998 * XXX Bypass content_filter inspection for user-generated probes
999 * (sendmail -bv). MTA-generated probes never have the "please filter
1000 * me" bits turned on, but we handle them here anyway for the sake of
1001 * future proofing.
1002 */
1012 }
1014 /*
1015 * Resolve the destination to (transport, nexthop, address). The
1016 * result address may differ from the one specified by the sender.
1017 */
1024 }
1026 /*
1027 * Bounce null recipients. This should never happen, but is most
1028 * likely the result of a fault in a different program, so aborting
1029 * the queue manager process does not help.
1030 */
1034 }
1036 /*
1037 * Discard mail to the local double bounce address here, so this
1038 * system can run without a local delivery agent. They'd still have
1039 * to configure something for mail directed to the local postmaster,
1040 * though, but that is an RFC requirement anyway.
1041 *
1042 * XXX This lookup should be done in the resolver, and the mail should
1043 * be directed to a general-purpose null delivery agent.
1044 */
1058 #if 0
1059 /* It's the default verification probe sender address. */
1062 #endif
1066 }
1067 }
1069 /*
1070 * Optionally defer deliveries over specific transports, unless the
1071 * restriction is lifted temporarily.
1072 */
1082 }
1083 }
1085 /*
1086 * Look up or instantiate the proper transport.
1087 */
1092 }
1094 /*
1095 * This message is being flushed. If need-be unthrottle the
1096 * transport.
1097 */
1102 /*
1103 * This transport is dead. Defer delivery to this recipient.
1104 */
1115 }
1116 }
1118 /*
1119 * The nexthop destination provides the default name for the
1120 * per-destination queue. When the delivery agent accepts only one
1121 * recipient per delivery, give each recipient its own queue, so that
1122 * deliveries to different recipients of the same message can happen
1123 * in parallel, and so that we can enforce per-recipient concurrency
1124 * limits and prevent one recipient from tying up all the delivery
1125 * agent resources. We use recipient@nexthop as queue name rather
1126 * than the actual recipient domain name, so that one recipient in
1127 * multiple equivalent domains cannot evade the per-recipient
1128 * concurrency limit. Split the address on the recipient delimiter if
1129 * one is defined, so that extended addresses don't get extra
1130 * delivery slots.
1131 *
1132 * Fold the result to lower case so that we don't have multiple queues
1133 * for the same name.
1134 *
1135 * Important! All recipients in a queue must have the same nexthop
1136 * value. It is OK to have multiple queues with the same nexthop
1137 * value, but only when those queues are named after recipients.
1138 *
1139 * The single-recipient code below was written for local(8) like
1140 * delivery agents, and assumes that all domains that deliver to the
1141 * same (transport + nexthop) are aliases for $nexthop. Delivery
1142 * concurrency is changed from per-domain into per-recipient, by
1143 * changing the queue name from nexthop into localpart@nexthop.
1144 *
1145 * XXX This assumption is incorrect when different destinations share
1146 * the same (transport + nexthop). In reality, such transports are
1147 * rarely configured to use single-recipient deliveries. The fix is
1148 * to decouple the per-destination recipient limit from the
1149 * per-destination concurrency.
1150 */
1155 /* Copy the recipient localpart. */
1160 /* Remove the address extension from the recipient localpart. */
1163 /* Assume the recipient domain is equivalent to nexthop. */
1165 }
1168 /*
1169 * This transport is alive. Find or instantiate a queue for this
1170 * recipient.
1171 */
1176 }
1178 /*
1179 * This message is being flushed. If need-be unthrottle the queue.
1180 */
1185 /*
1186 * This queue is dead. Defer delivery to this recipient.
1187 */
1193 }
1194 }
1196 /*
1197 * This queue is alive. Bind this recipient to this queue instance.
1198 */
1200 }
1203 }
1205 /* qmgr_message_assign - assign recipients to specific delivery requests */
1208 {
1214 /*
1215 * Try to bundle as many recipients in a delivery request as we can. When
1216 * the recipient resolves to the same site and transport as the previous
1217 * recipient, do not create a new queue entry, just move that recipient
1218 * to the recipient list of the existing queue entry. All this provided
1219 * that we do not exceed the transport-specific limit on the number of
1220 * recipients per transaction. Skip recipients with a dead transport or
1221 * destination.
1222 */
1223 #define LIMIT_OK(limit, count) ((limit) == 0 || ((count) < (limit)))
1231 }
1235 qmgr_recipient_count++;
1236 }
1237 }
1240 }
1242 /* qmgr_message_free - release memory for in-core message structure */
1245 {
1285 qmgr_message_count--;
1287 }
1289 /* qmgr_message_alloc - create in-core message structure */
1293 {
1300 /*
1301 * Create an in-core message structure.
1302 */
1305 /*
1306 * Extract message envelope information: time of arrival, sender address,
1307 * recipient addresses. Skip files with malformed envelope information.
1308 */
1309 #define QMGR_LOCK_MODE (MYFLOCK_OP_EXCLUSIVE | MYFLOCK_OP_NOWAIT)
1314 }
1320 }
1327 /*
1328 * We have validated the queue file content, so it is safe to modify
1329 * the file properties now.
1330 */
1334 /*
1335 * Reset the defer log. This code should not be here, but we must
1336 * reset the defer log *after* acquiring the exclusive lock on the
1337 * queue file and *before* resolving new recipients. Since all those
1338 * operations are encapsulated so nicely by this routine, the defer
1339 * log reset has to be done here as well.
1340 *
1341 * Note: it is safe to remove the defer logfile from a previous queue
1342 * run of this queue file, because the defer log contains information
1343 * about recipients that still exist in this queue file.
1344 */
1354 }
1355 }
1357 /* qmgr_message_realloc - refresh in-core message structure */
1360 {
1363 /*
1364 * Sanity checks.
1365 */
1372 /*
1373 * Extract recipient addresses. Skip files with malformed envelope
1374 * information.
1375 */
1388 }
1389 }