NQMGR(8)                                                          NQMGR(8)

NAME
       nqmgr - Postfix queue manager

SYNOPSIS
       nqmgr [generic Postfix daemon options]

DESCRIPTION
       The nqmgr daemon awaits the arrival of incoming mail and arranges
       for its delivery via Postfix delivery processes. The actual mail
       routing strategy is delegated to the trivial-rewrite(8) daemon.
       This program expects to be run from the master(8) process manager.

       Mail addressed to the local double-bounce address is silently
       discarded. This stops potential loops caused by undeliverable
       bounce notifications.

MAIL QUEUES
       The nqmgr daemon maintains the following queues:

       incoming
              Inbound mail from the network, or mail picked up by the
              local pickup agent from the maildrop directory.

       active Messages that the queue manager has opened for delivery.
              Only a limited number of messages is allowed to enter the
              active queue (leaky bucket strategy, for a fixed delivery
              rate).

       deferred
              Mail that could not be delivered upon the first attempt.
              The queue manager implements exponential backoff by
              doubling the time between delivery attempts.

       corrupt
              Unreadable or damaged queue files are moved here for
              inspection.

       hold   Messages that are kept "on hold" are kept here until
              someone sets them free.

DELIVERY STATUS REPORTS
       The nqmgr daemon keeps an eye on per-message delivery status
       reports in the following directories. Each status report file has
       the same name as the corresponding message file:

       bounce Per-recipient status information about why mail is bounced.
              These files are maintained by the bounce(8) daemon.

       defer  Per-recipient status information about why mail is delayed.
              These files are maintained by the defer(8) daemon.

       The nqmgr daemon is responsible for asking the bounce(8) or
       defer(8) daemons to send non-delivery reports.

STRATEGIES
       The queue manager implements a variety of strategies for either
       opening queue files (input) or for message delivery (output).

       leaky bucket
              This strategy limits the number of messages in the active
              queue and prevents the queue manager from running out of
              memory under heavy load.

       fairness
              When the active queue has room, the queue manager takes one
              message from the incoming queue and one from the deferred
              queue. This prevents a large mail backlog from blocking the
              delivery of new mail.

       slow start
              This strategy eliminates "thundering herd" problems by
              slowly adjusting the number of parallel deliveries to the
              same destination.

       round robin
              The queue manager sorts delivery requests by destination.
              Round-robin selection prevents one destination from
              dominating deliveries to other destinations.

       exponential backoff
              Mail that cannot be delivered upon the first attempt is
              deferred. The time interval between delivery attempts is
              doubled after each attempt.

       destination status cache
              The queue manager avoids unnecessary delivery attempts by
              maintaining a short-term, in-memory list of unreachable
              destinations.

       preemptive message scheduling
              The queue manager attempts to minimize the average
              per-recipient delay while still preserving the correct
              per-message delays, using sophisticated preemptive message
              scheduling.

TRIGGERS
       On an idle system, the queue manager waits for the arrival of
       trigger events, or it waits for a timer to go off. A trigger is a
       one-byte message. Depending on the message received, the queue
       manager performs one of the following actions (the message is
       followed by the symbolic constant used internally by the
       software):

       D (QMGR_REQ_SCAN_DEFERRED)
              Start a deferred queue scan. If a deferred queue scan is
              already in progress, that scan will be restarted as soon as
              it finishes.

       I (QMGR_REQ_SCAN_INCOMING)
              Start an incoming queue scan. If an incoming queue scan is
              already in progress, that scan will be restarted as soon as
              it finishes.

       A (QMGR_REQ_SCAN_ALL)
              Ignore deferred queue file time stamps. The request affects
              the next deferred queue scan.

       F (QMGR_REQ_FLUSH_DEAD)
              Purge all information about dead transports and
              destinations.

       W (TRIGGER_REQ_WAKEUP)
              Wakeup call. This is used by the master server to
              instantiate servers that should not go away forever. The
              action is to start an incoming queue scan.

       The nqmgr daemon reads an entire buffer worth of triggers.
       Multiple identical trigger requests are collapsed into one, and
       trigger requests are sorted so that A and F precede D and I. Thus,
       in order to force a deferred queue run, one would request A F D;
       in order to notify the queue manager of the arrival of new mail
       one would request I.

STANDARDS
       None. The nqmgr daemon does not interact with the outside world.

SECURITY
       The nqmgr daemon is not security sensitive. It reads
       single-character messages from untrusted local users, and thus may
       be susceptible to denial of service attacks. The nqmgr daemon does
       not talk to the outside world, and it can be run at fixed low
       privilege in a chrooted environment.

DIAGNOSTICS
       Problems and transactions are logged to the syslog daemon.
       Corrupted message files are saved to the corrupt queue for further
       inspection.

       Depending on the setting of the notify_classes parameter, the
       postmaster is notified of bounces and of other trouble.

BUGS
       A single queue manager process has to compete for disk access with
       multiple front-end processes such as smtpd. A sudden burst of
       inbound mail can negatively impact outbound delivery rates.

CONFIGURATION PARAMETERS
       The following main.cf parameters are especially relevant to this
       program. See the Postfix main.cf file for syntax details and for
       default values. Use the postfix reload command after a
       configuration change.

   Miscellaneous
       allow_min_user
              Do not bounce recipient addresses that begin with '-'.

       queue_directory
              Top-level directory of the Postfix queue.

   Active queue controls
       In the text below, transport is the first field in a master.cf
       entry.

       qmgr_clog_warn_time
              Minimal delay between warnings that a specific destination
              is clogging up the active queue. Specify 0 to disable.

       qmgr_message_active_limit
              Limit the number of messages in the active queue.

       qmgr_message_recipient_limit
              Limit the number of in-memory recipients.

              This parameter also limits the size of the short-term,
              in-memory destination cache.

       qmgr_message_recipient_minimum
              Per message minimum of in-memory recipients.

       default_recipient_limit
              Default limit on the number of in-memory recipients per
              transport.

       transport_recipient_limit
              Limit on the number of in-memory recipients, for the named
              message transport.

       default_extra_recipient_limit
              Default limit on the total number of per transport
              in-memory recipients that the preempting messages can have.

       transport_extra_recipient_limit
              Limit on the number of in-memory recipients which all
              preempting messages delivered by the transport transport
              can have.

   Timing controls
       minimal_backoff_time
              Minimal time in seconds between delivery attempts of a
              deferred message.

              This parameter also limits the time an unreachable
              destination is kept in the short-term, in-memory
              destination status cache.

       maximal_backoff_time
              Maximal time in seconds between delivery attempts of a
              deferred message.

       maximal_queue_lifetime
              Maximal time in days a message is queued before it is sent
              back as undeliverable.

       queue_run_delay
              Time in seconds between deferred queue scans. Queue scans
              do not overlap.

       transport_retry_time
              Time in seconds between attempts to contact a broken
              delivery transport.

   Concurrency controls
       initial_destination_concurrency
              Initial per-destination concurrency level for parallel
              delivery to the same destination.

       default_destination_concurrency_limit
              Default limit on the number of parallel deliveries to the
              same destination.

       transport_destination_concurrency_limit
              Limit on the number of parallel deliveries to the same
              destination, for delivery via the named message transport.

   Recipient controls
       default_destination_recipient_limit
              Default limit on the number of recipients per message
              transfer.

       transport_destination_recipient_limit
              Limit on the number of recipients per message transfer, for
              the named message transport.

   Message scheduling
       transport_delivery_slot_cost (valid range: 0,2,3...)
              This parameter controls how often a message delivered by
              transport can be preempted by another message. An internal
              per-message/transport counter is incremented by one for
              each transport_delivery_slot_cost deliveries handled by
              transport. This counter represents the number of
              "available delivery slots" for use by other messages. The
              current message can be preempted by another message when
              that other message can be delivered using fewer transport
              agents than the value of the "available delivery slots"
              counter.

              A value of 0 disables message preemption for transport.

       transport_minimum_delivery_slots
              Message preemption is not attempted at all whenever a
              message that can't ever accumulate at least
              transport_minimum_delivery_slots available delivery slots
              is being delivered by transport.

       transport_delivery_slot_discount (valid range: 0..100)
       transport_delivery_slot_loan
              These parameters speed up the moment when a message
              preemption can happen. Instead of waiting until the full
              amount of delivery slots required is available, the
              preemption can happen when transport_delivery_slot_discount
              percent of the required amount plus
              transport_delivery_slot_loan still remains to be
              accumulated. Note that the full amount will still have to
              be accumulated before another preemption can take place
              later.

       default_delivery_slot_cost
       default_minimum_delivery_slots
       default_delivery_slot_discount
       default_delivery_slot_loan
              Default values for the transport specific parameters
              described above.
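
The trigger handling described under TRIGGERS and SECURITY, as an added C example that is not part of Postfix or of this manual page: it collapses a buffer of one-byte requests into at most four actions and orders them so that A and F precede D and I. The flag names, the function names and the handling of unrecognized bytes are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Demo flag bits (names are this example's own, not Postfix's). */
enum { SCAN_ALL = 1, FLUSH_DEAD = 2, SCAN_DEFERRED = 4, SCAN_INCOMING = 8 };

/* Collapse a buffer of one-byte triggers into a flag set, so repeated
 * requests cost nothing extra. Unknown bytes are counted and ignored
 * (assumption: the page does not say how they are handled). */
unsigned collapse_triggers(const char *buf, size_t len, size_t *ignored)
{
    unsigned flags = 0;
    size_t bad = 0;
    for (size_t i = 0; i < len; i++) {
        switch (buf[i]) {
        case 'A': flags |= SCAN_ALL; break;
        case 'F': flags |= FLUSH_DEAD; break;
        case 'D': flags |= SCAN_DEFERRED; break;
        case 'I': /* W also starts an incoming queue scan */
        case 'W': flags |= SCAN_INCOMING; break;
        default:  bad++; break;
        }
    }
    if (ignored)
        *ignored = bad;
    return flags;
}

/* Emit the collapsed requests in processing order: A and F before D and I.
 * out must hold at least 5 bytes. Returns the number of actions. */
size_t ordered_actions(unsigned flags, char out[5])
{
    static const struct { unsigned bit; char letter; } order[] = {
        { SCAN_ALL, 'A' }, { FLUSH_DEAD, 'F' },
        { SCAN_DEFERRED, 'D' }, { SCAN_INCOMING, 'I' },
    };
    size_t n = 0;
    for (size_t i = 0; i < sizeof order / sizeof order[0]; i++)
        if (flags & order[i].bit)
            out[n++] = order[i].letter;
    out[n] = '\0';
    return n;
}

int main(void)
{
    const char *burst = "IIDxIWFADDI";  /* constructed trigger buffer */
    size_t ignored;
    char out[5];
    size_t n = ordered_actions(collapse_triggers(burst, strlen(burst), &ignored), out);
    printf("%zu bytes -> %zu actions \"%s\", %zu ignored\n", strlen(burst), n, out, ignored);
    return 0;
}
```

In this model the work started by one buffer is bounded by four actions, however many trigger bytes a local user writes into it.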

SEE ALSO
       master(8), process manager
       syslogd(8) system logging
       trivial-rewrite(8), address routing

LICENSE
       The Secure Mailer license must be distributed with this software.

AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Scheduler enhancements:
       Patrik Rak
       Modra 6
       155 00, Prague, Czech Republic

                                                                  NQMGR(8)