QMGR(8) QMGR(8) NAME qmgr - Postfix queue manager SYNOPSIS qmgr [generic Postfix daemon options] DESCRIPTION The qmgr daemon awaits the arrival of incoming mail and arranges for its delivery via Postfix delivery processes. The actual mail routing strategy is delegated to the triv- ial-rewrite(8) daemon. This program expects to be run from the master(8) process manager. Mail addressed to the local double-bounce address is silently discarded. This stops potential loops caused by undeliverable bounce notifications. Mail addressed to a user listed in the optional relocated database is bounced with a "user has moved to new_loca- tion" message. See relocated(5) for a precise description. MAIL QUEUES The qmgr daemon maintains the following queues: incoming Inbound mail from the network, or mail picked up by the local pickup agent from the maildrop directory. active Messages that the queue manager has opened for delivery. Only a limited number of messages is allowed to enter the active queue (leaky bucket strategy, for a fixed delivery rate). deferred Mail that could not be delivered upon the first attempt. The queue manager implements exponential backoff by doubling the time between delivery attempts. corrupt Unreadable or damaged queue files are moved here for inspection. DELIVERY STATUS REPORTS The qmgr daemon keeps an eye on per-message delivery sta- tus reports in the following directories. Each status report file has the same name as the corresponding message file: bounce Per-recipient status information about why mail is bounced. These files are maintained by the bounce(8) daemon. defer Per-recipient status information about why mail is 1 QMGR(8) QMGR(8) delayed. These files are maintained by the defer(8) daemon. The qmgr daemon is responsible for asking the bounce(8) or defer(8) daemons to send non-delivery reports. STRATEGIES The queue manager implements a variety of strategies for either opening queue files (input) or for message delivery (output). leaky bucket This strategy limits the number of messages in the active queue and prevents the queue manager from running out of memory under heavy load. fairness When the active queue has room, the queue manager takes one message from the incoming queue and one from the deferred queue. This prevents a large mail backlog from blocking the delivery of new mail. slow start This strategy eliminates "thundering herd" problems by slowly adjusting the number of parallel deliver- ies to the same destination. round robin The queue manager sorts delivery requests by desti- nation. Round-robin selection prevents one desti- nation from dominating deliveries to other destina- tions. exponential backoff Mail that cannot be delivered upon the first attempt is deferred. The time interval between delivery attempts is doubled after each attempt. destination status cache The queue manager avoids unnecessary delivery attempts by maintaining a short-term, in-memory list of unreachable destinations. TRIGGERS On an idle system, the queue manager waits for the arrival of trigger events, or it waits for a timer to go off. A trigger is a one-byte message. Depending on the message received, the queue manager performs one of the following actions (the message is followed by the symbolic constant used internally by the software): D (QMGR_REQ_SCAN_DEFERRED) Start a deferred queue scan. If a deferred queue scan is already in progress, that scan will be 2 QMGR(8) QMGR(8) restarted as soon as it finishes. I (QMGR_REQ_SCAN_INCOMING) Start an incoming queue scan. If an incoming queue scan is already in progress, that scan will be restarted as soon as it finishes. A (QMGR_REQ_SCAN_ALL) Ignore deferred queue file time stamps. The request affects the next deferred queue scan. F (QMGR_REQ_FLUSH_DEAD) Purge all information about dead transports and destinations. W (TRIGGER_REQ_WAKEUP) Wakeup call, This is used by the master server to instantiate servers that should not go away for- ever. The action is to start an incoming queue scan. The qmgr daemon reads an entire buffer worth of triggers. Multiple identical trigger requests are collapsed into one, and trigger requests are sorted so that A and F pre- cede D and I. Thus, in order to force a deferred queue run, one would request A F D; in order to notify the queue manager of the arrival of new mail one would request I. STANDARDS None. The qmgr daemon does not interact with the outside world. SECURITY The qmgr daemon is not security sensitive. It reads sin- gle-character messages from untrusted local users, and thus may be susceptible to denial of service attacks. The qmgr daemon does not talk to the outside world, and it can be run at fixed low privilege in a chrooted environment. DIAGNOSTICS Problems and transactions are logged to the syslog daemon. Corrupted message files are saved to the corrupt queue for further inspection. Depending on the setting of the notify_classes parameter, the postmaster is notified of bounces and of other trou- ble. BUGS A single queue manager process has to compete for disk access with multiple front-end processes such as smtpd. A sudden burst of inbound mail can negatively impact out- bound delivery rates. 3 QMGR(8) QMGR(8) CONFIGURATION PARAMETERS The following main.cf parameters are especially relevant to this program. See the Postfix main.cf file for syntax details and for default values. Use the postfix reload command after a configuration change. Miscellaneous allow_min_user Do not bounce recipient addresses that begin with '-'. relocated_maps Tables with contact information for users, hosts or domains that no longer exist. See relocated(5). queue_directory Top-level directory of the Postfix queue. Active queue controls qmgr_message_active_limit Limit the number of messages in the active queue. qmgr_message_recipient_limit Limit the number of in-memory recipients. This parameter also limits the size of the short- term, in-memory destination cache. Timing controls min_backoff Minimal time in seconds between delivery attempts of a deferred message. This parameter also limits the time an unreachable destination is kept in the short-term, in-memory destination status cache. max_backoff Maximal time in seconds between delivery attempts of a deferred message. maximal_queue_lifetime Maximal time in days a message is queued before it is sent back as undeliverable. queue_run_delay Time in seconds between deferred queue scans. Queue scans do not overlap. transport_retry_time Time in seconds between attempts to contact a bro- ken delivery transport. 4 QMGR(8) QMGR(8) Concurrency controls In the text below, transport is the first field in a mas- ter.cf entry. qmgr_fudge_factor (valid range: 10..100) The percentage of delivery resources that a busy mail system will use up for delivery of a large mailing list message. With 100%, delivery of one message does not begin before the previous message has been delivered. This results in good perfor- mance for large mailing lists, but results in poor response time for one-to-one mail. With less than 100%, response time for one-to-one mail improves, but large mailing list delivery performance suf- fers. In the worst case, recipients near the begin- ning of a large list receive a burst of messages immediately, while recipients near the end of that list receive that same burst of messages a whole day later. qmgr_site_hog_factor (valid range: 10..100) The percentage of delivery resources that a busy mail system will use up for delivery to a single site. With 100%, mail is delivered in first-in, first-out order, so that a burst of mail for one site can block mail for other destinations. With less than 100%, the excess mail is deferred. The deferred mail is delivered in little bursts, the remainder of the backlog being deferred again, with a lot of I/O activity happening as Postfix searches the deferred queue for deliverable mail. initial_destination_concurrency Initial per-destination concurrency level for par- allel delivery to the same destination. default_destination_concurrency_limit Default limit on the number of parallel deliveries to the same destination. transport_destination_concurrency_limit Limit on the number of parallel deliveries to the same destination, for delivery via the named mes- sage transport. Recipient controls default_destination_recipient_limit Default limit on the number of recipients per mes- sage transfer. transport_destination_recipient_limit Limit on the number of recipients per message transfer, for the named message transport. 5 QMGR(8) QMGR(8) SEE ALSO master(8), process manager relocated(5), format of the "user has moved" table syslogd(8) system logging trivial-rewrite(8), address routing LICENSE The Secure Mailer license must be distributed with this software. AUTHOR(S) Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Heights, NY 10598, USA 6