[qmail] / INTERNALS

1. Overview

Here's the data flow in the qmail suite:

 qmail-smtpd --- qmail-queue --- qmail-send --- qmail-rspawn --- qmail-remote
               /                     |      \
qmail-inject _/                 qmail-clean  \_ qmail-lspawn --- qmail-local

Every message is added to a central queue directory by qmail-queue.
qmail-queue is invoked as needed, usually by qmail-inject for locally
generated messages, qmail-smtpd for messages received through SMTP,
qmail-local for forwarded messages, or qmail-send for bounce messages.

Every message is then delivered by qmail-send, in cooperation with
qmail-lspawn and qmail-rspawn, and cleaned up by qmail-clean. These four
programs are long-running daemons.

The queue is designed to be crashproof, provided that the underlying
filesystem is crashproof. All cleanups are handled by qmail-send and
qmail-clean without human intervention. See section 6 for more details.


2. Queue structure

Each message in the queue is identified by a unique number, let's say
457. The queue is organized into several directories, each of which may
contain files related to message 457:

   mess/457: the message
   todo/457: the envelope: where the message came from, where it's going
   intd/457: the envelope, under construction by qmail-queue
   info/457: the envelope sender address, after preprocessing
   local/457: local envelope recipient addresses, after preprocessing
   remote/457: remote envelope recipient addresses, after preprocessing
   bounce/457: permanent delivery errors

Here are all possible states for a message. + means a file exists; -
means it does not exist; ? means it may or may not exist.

   S1. -mess -intd -todo -info -local -remote -bounce
   S2. +mess -intd -todo -info -local -remote -bounce
   S3. +mess +intd -todo -info -local -remote -bounce
   S4. +mess ?intd +todo ?info ?local ?remote -bounce (queued)
   S5. +mess -intd -todo +info ?local ?remote ?bounce (preprocessed)

Guarantee: If mess/457 exists, it has inode number 457.


3. How messages enter the queue

To add a message to the queue, qmail-queue first creates a file in a
separate directory, pid/, with a unique name. The filesystem assigns
that file a unique inode number. qmail-queue looks at that number, say
457. By the guarantee above, message 457 must be in state S1.

qmail-queue renames pid/whatever as mess/457, moving to S2. It writes
the message to mess/457. It then creates intd/457, moving to S3, and
writes the envelope information to intd/457.

Finally qmail-queue creates a new link, todo/457, for intd/457, moving
to S4. At that instant the message has been successfully queued, and
qmail-queue leaves it for further handling by qmail-send.

qmail-queue starts a 24-hour timer before touching any files, and
commits suicide if the timer expires.


4. How queued messages are preprocessed

Once a message has been queued, qmail-send must decide which recipients
are local and which recipients are remote. It may also rewrite some
recipient addresses.

When qmail-send notices todo/457, it knows that message 457 is in S4. It
removes info/457, local/457, and remote/457 if they exist. Then it reads
through todo/457. It creates info/457, possibly local/457, and possibly
remote/457. When it is done, it removes intd/457. The message is still
in S4 at this point. Finally qmail-send removes todo/457, moving to S5.
At that instant the message has been successfully preprocessed.


5. How preprocessed messages are delivered

Messages at S5 are handled as follows. Each address in local/457 and
remote/457 is marked either NOT DONE or DONE.

   DONE: The message was successfully delivered, or the last delivery
         attempt met with permanent failure. Either way, qmail-send
	 should not attempt further delivery to this address.

   NOT DONE: If there have been any delivery attempts, they have all
             met with temporary failure. Either way, qmail-send should
             try delivery in the future.

qmail-send may at its leisure try to deliver a message to a NOT DONE
address. If the message is successfully delivered, qmail-send marks the
address as DONE. If the delivery attempt meets with permanent failure,
qmail-send first appends a note to bounce/457, creating bounce/457 if
necessary; then it marks the address as DONE. Note that bounce/457 is
not crashproof.

qmail-send may handle bounce/457 at any time, as follows: it (1) injects
a new bounce message, created from bounce/457 and mess/457; (2) deletes
bounce/457.

When all addresses in local/457 are DONE, qmail-send deletes local/457.
Same for remote/457. 

When local/457 and remote/457 are gone, qmail-send eliminates the
message, as follows. First, if bounce/457 exists, qmail-send handles it
as described above. Once bounce/457 is definitely gone, qmail-send
deletes info/457, moving to S2, and finally mess/457, moving to S1.


6. Cleanups

If the computer crashes while qmail-queue is trying to queue a message,
or while qmail-send is eliminating a message, the message may be left in
state S2 or S3.

When qmail-send sees a message in state S2 or S3---other than one
it is currently eliminating!---where mess/457 is more than 36 hours old,
it deletes intd/457 if that exists, then deletes mess/457. Note that any
qmail-queue handling the message must be dead.

Similarly, when qmail-send sees a file in the pid/ directory that is
more than 36 hours old, it deletes it.

Cleanups are not necessary if the computer crashes while qmail-send is
delivering a message. At worst a message may be delivered twice. (There
is no way for a distributed mail system to eliminate the possibility of
duplication. What if an SMTP connection is broken just before the server
acknowledges successful receipt of the message? The client must assume
the worst and send the message again. Similarly, if the computer crashes
just before qmail-send marks a message as DONE, the new qmail-send must
assume the worst and send the message again. The usual solutions in the
database literature---e.g., keeping log files---amount to saying that
it's the recipient's computer's job to discard duplicate messages.)


7. Further notes

Currently info/457 serves two purposes: first, it records the envelope
sender; second, its modification time is used to decide when a message
has been in the queue too long. In the future info/457 may store more
information. Any non-backwards-compatible changes will be identified by
version numbers.

When qmail-queue has successfully placed a message into the queue, it
pulls a trigger offered by qmail-send. Here is the current triggering
mechanism: lock/trigger is a named pipe. Before scanning todo/,
qmail-send opens lock/trigger O_NDELAY for reading. It then selects for
readability on lock/trigger. qmail-queue pulls the trigger by writing a
byte O_NDELAY to lock/trigger. This makes lock/trigger readable and
wakes up qmail-send. Before scanning todo/ again, qmail-send closes and
reopens lock/trigger.
Commit	Line	Data
2117e02e MW	1	1. Overview
	2
	3	Here's the data flow in the qmail suite:
	4
	5	qmail-smtpd --- qmail-queue --- qmail-send --- qmail-rspawn --- qmail-remote
	6	/ \| \
	7	qmail-inject _/ qmail-clean \_ qmail-lspawn --- qmail-local
	8
	9	Every message is added to a central queue directory by qmail-queue.
	10	qmail-queue is invoked as needed, usually by qmail-inject for locally
	11	generated messages, qmail-smtpd for messages received through SMTP,
	12	qmail-local for forwarded messages, or qmail-send for bounce messages.
	13
	14	Every message is then delivered by qmail-send, in cooperation with
	15	qmail-lspawn and qmail-rspawn, and cleaned up by qmail-clean. These four
	16	programs are long-running daemons.
	17
	18	The queue is designed to be crashproof, provided that the underlying
	19	filesystem is crashproof. All cleanups are handled by qmail-send and
	20	qmail-clean without human intervention. See section 6 for more details.
	21
	22
	23	2. Queue structure
	24
	25	Each message in the queue is identified by a unique number, let's say
	26	457. The queue is organized into several directories, each of which may
	27	contain files related to message 457:
	28
	29	mess/457: the message
	30	todo/457: the envelope: where the message came from, where it's going
	31	intd/457: the envelope, under construction by qmail-queue
	32	info/457: the envelope sender address, after preprocessing
	33	local/457: local envelope recipient addresses, after preprocessing
	34	remote/457: remote envelope recipient addresses, after preprocessing
	35	bounce/457: permanent delivery errors
	36
	37	Here are all possible states for a message. + means a file exists; -
	38	means it does not exist; ? means it may or may not exist.
	39
	40	S1. -mess -intd -todo -info -local -remote -bounce
	41	S2. +mess -intd -todo -info -local -remote -bounce
	42	S3. +mess +intd -todo -info -local -remote -bounce
	43	S4. +mess ?intd +todo ?info ?local ?remote -bounce (queued)
	44	S5. +mess -intd -todo +info ?local ?remote ?bounce (preprocessed)
	45
	46	Guarantee: If mess/457 exists, it has inode number 457.
	47
	48
	49	3. How messages enter the queue
	50
	51	To add a message to the queue, qmail-queue first creates a file in a
	52	separate directory, pid/, with a unique name. The filesystem assigns
	53	that file a unique inode number. qmail-queue looks at that number, say
	54	457. By the guarantee above, message 457 must be in state S1.
	55
	56	qmail-queue renames pid/whatever as mess/457, moving to S2. It writes
	57	the message to mess/457. It then creates intd/457, moving to S3, and
	58	writes the envelope information to intd/457.
	59
	60	Finally qmail-queue creates a new link, todo/457, for intd/457, moving
	61	to S4. At that instant the message has been successfully queued, and
	62	qmail-queue leaves it for further handling by qmail-send.
	63
	64	qmail-queue starts a 24-hour timer before touching any files, and
65	commits suicide if the timer expires.
66
67
68	4. How queued messages are preprocessed
69
70	Once a message has been queued, qmail-send must decide which recipients
71	are local and which recipients are remote. It may also rewrite some
72	recipient addresses.
73
74	When qmail-send notices todo/457, it knows that message 457 is in S4. It
75	removes info/457, local/457, and remote/457 if they exist. Then it reads
76	through todo/457. It creates info/457, possibly local/457, and possibly
77	remote/457. When it is done, it removes intd/457. The message is still
78	in S4 at this point. Finally qmail-send removes todo/457, moving to S5.
79	At that instant the message has been successfully preprocessed.
80
81
82	5. How preprocessed messages are delivered
83
84	Messages at S5 are handled as follows. Each address in local/457 and
85	remote/457 is marked either NOT DONE or DONE.
86
87	DONE: The message was successfully delivered, or the last delivery
88	attempt met with permanent failure. Either way, qmail-send
89	should not attempt further delivery to this address.
90
91	NOT DONE: If there have been any delivery attempts, they have all
92	met with temporary failure. Either way, qmail-send should
93	try delivery in the future.
94
95	qmail-send may at its leisure try to deliver a message to a NOT DONE
96	address. If the message is successfully delivered, qmail-send marks the
97	address as DONE. If the delivery attempt meets with permanent failure,
98	qmail-send first appends a note to bounce/457, creating bounce/457 if
212b6f5d MW	99	necessary; then it marks the address as DONE. Note that bounce/457 is
212b6f5d MW	100	not crashproof.
2117e02e MW	101
	102	qmail-send may handle bounce/457 at any time, as follows: it (1) injects
	103	a new bounce message, created from bounce/457 and mess/457; (2) deletes
	104	bounce/457.
	105
	106	When all addresses in local/457 are DONE, qmail-send deletes local/457.
	107	Same for remote/457.
	108
	109	When local/457 and remote/457 are gone, qmail-send eliminates the
	110	message, as follows. First, if bounce/457 exists, qmail-send handles it
	111	as described above. Once bounce/457 is definitely gone, qmail-send
	112	deletes info/457, moving to S2, and finally mess/457, moving to S1.
	113
	114
	115	6. Cleanups
	116
	117	If the computer crashes while qmail-queue is trying to queue a message,
	118	or while qmail-send is eliminating a message, the message may be left in
	119	state S2 or S3.
	120
	121	When qmail-send sees a message in state S2 or S3---other than one
	122	it is currently eliminating!---where mess/457 is more than 36 hours old,
	123	it deletes intd/457 if that exists, then deletes mess/457. Note that any
	124	qmail-queue handling the message must be dead.
	125
	126	Similarly, when qmail-send sees a file in the pid/ directory that is
	127	more than 36 hours old, it deletes it.
	128
	129	Cleanups are not necessary if the computer crashes while qmail-send is
	130	delivering a message. At worst a message may be delivered twice. (There
	131	is no way for a distributed mail system to eliminate the possibility of
	132	duplication. What if an SMTP connection is broken just before the server
	133	acknowledges successful receipt of the message? The client must assume
	134	the worst and send the message again. Similarly, if the computer crashes
	135	just before qmail-send marks a message as DONE, the new qmail-send must
	136	assume the worst and send the message again. The usual solutions in the
	137	database literature---e.g., keeping log files---amount to saying that
	138	it's the recipient's computer's job to discard duplicate messages.)
	139
	140
	141	7. Further notes
	142
	143	Currently info/457 serves two purposes: first, it records the envelope
	144	sender; second, its modification time is used to decide when a message
	145	has been in the queue too long. In the future info/457 may store more
	146	information. Any non-backwards-compatible changes will be identified by
	147	version numbers.
	148
	149	When qmail-queue has successfully placed a message into the queue, it
	150	pulls a trigger offered by qmail-send. Here is the current triggering
	151	mechanism: lock/trigger is a named pipe. Before scanning todo/,
	152	qmail-send opens lock/trigger O_NDELAY for reading. It then selects for
	153	readability on lock/trigger. qmail-queue pulls the trigger by writing a
	154	byte O_NDELAY to lock/trigger. This makes lock/trigger readable and
	155	wakes up qmail-send. Before scanning todo/ again, qmail-send closes and
	156	reopens lock/trigger.