| | 1 | /* $Cambridge: exim/src/src/retry.c,v 1.1 2004/10/07 10:39:01 ph10 Exp $ */ |
| | 2 | |
| | 3 | /************************************************* |
| | 4 | * Exim - an Internet mail transport agent * |
| | 5 | *************************************************/ |
| | 6 | |
| | 7 | /* Copyright (c) University of Cambridge 1995 - 2004 */ |
| | 8 | /* See the file NOTICE for conditions of use and distribution. */ |
| | 9 | |
| | 10 | /* Functions concerned with retrying unsuccessful deliveries. */ |
| | 11 | |
| | 12 | |
| | 13 | #include "exim.h" |
| | 14 | |
| | 15 | |
| | 16 | |
| | 17 | /************************************************* |
| | 18 | * Check the ultimate address timeout * |
| | 19 | *************************************************/ |
| | 20 | |
| | 21 | /* This function tests whether a message has been on the queue longer than |
| | 22 | the maximum retry time for a particular host. |
| | 23 | |
| | 24 | Arguments: |
| | 25 | host_key the key to look up a host retry rule |
| | 26 | domain the domain to look up a domain retry rule |
| | 27 | basic_errno a specific error number, or zero if none |
| | 28 | more_errno additional data for the error |
| | 29 | now the time |
| | 30 | |
| | 31 | Returns: TRUE if the ultimate timeout has been reached |
| | 32 | */ |
| | 33 | |
| | 34 | static BOOL |
| | 35 | ultimate_address_timeout(uschar *host_key, uschar *domain, int basic_errno, |
| | 36 | int more_errno, time_t now) |
| | 37 | { |
| | 38 | BOOL address_timeout = TRUE; /* no rule => timed out */ |
| | 39 | |
| | 40 | retry_config *retry = |
| | 41 | retry_find_config(host_key+2, domain, basic_errno, more_errno); |
| | 42 | |
| | 43 | if (retry != NULL && retry->rules != NULL) |
| | 44 | { |
| | 45 | retry_rule *last_rule; |
| | 46 | for (last_rule = retry->rules; |
| | 47 | last_rule->next != NULL; |
| | 48 | last_rule = last_rule->next); |
| | 49 | address_timeout = (now - received_time > last_rule->timeout); |
| | 50 | } |
| | 51 | |
| | 52 | return address_timeout; |
| | 53 | } |
| | 54 | |
| | 55 | |
| | 56 | |
| | 57 | /************************************************* |
| | 58 | * Set status of a host+address item * |
| | 59 | *************************************************/ |
| | 60 | |
| | 61 | /* This function is passed a host_item which contains a host name and an |
| | 62 | IP address string. Its job is to set the status of the address if it is not |
| | 63 | already set (indicated by hstatus_unknown). The possible values are: |
| | 64 | |
| | 65 | hstatus_usable the address is not listed in the unusable tree, and does |
| | 66 | not have a retry record, OR the time is past the next |
| | 67 | try time, OR the message has been on the queue for more |
| | 68 | than the maximum retry time for a failing host |
| | 69 | |
| | 70 | hstatus_unusable the address is listed in the unusable tree, or does have |
| | 71 | a retry record, and the time is not yet at the next retry |
| | 72 | time. |
| | 73 | |
| | 74 | hstatus_unusable_expired as above, but also the retry time has expired |
| | 75 | for this address. |
| | 76 | |
| | 77 | The reason a delivery is permitted when a message has been around for a very |
| | 78 | long time is to allow the ultimate address timeout to operate after a delivery |
| | 79 | failure. Otherwise some messages may stick around without being tried for too |
| | 80 | long. |
| | 81 | |
| | 82 | If a host retry record is retrieved from the hints database, the time of last |
| | 83 | trying is filled into the last_try field of the host block. If a host is |
| | 84 | generally usable, a check is made to see if there is a retry delay on this |
| | 85 | specific message at this host. |
| | 86 | |
| | 87 | If a non-standard port is being used, it is added to the retry key. |
| | 88 | |
| | 89 | Arguments: |
| | 90 | domain the address domain |
| | 91 | host pointer to a host item |
| | 92 | portstring "" for standard port, ":xxxx" for a non-standard port |
| | 93 | include_ip_address TRUE to include the address in the key - this is |
| | 94 | usual, but sometimes is not wanted |
| | 95 | retry_host_key where to put a pointer to the key for the host-specific |
| | 96 | retry record, if one is read and the host is usable |
| | 97 | retry_message_key where to put a pointer to the key for the message+host |
| | 98 | retry record, if one is read and the host is usable |
| | 99 | |
| | 100 | Returns: TRUE if the host has expired but is usable because |
| | 101 | its retry time has come |
| | 102 | */ |
| | 103 | |
| | 104 | BOOL |
| | 105 | retry_check_address(uschar *domain, host_item *host, uschar *portstring, |
| | 106 | BOOL include_ip_address, uschar **retry_host_key, uschar **retry_message_key) |
| | 107 | { |
| | 108 | BOOL yield = FALSE; |
| | 109 | time_t now = time(NULL); |
| | 110 | uschar *host_key, *message_key; |
| | 111 | open_db dbblock; |
| | 112 | open_db *dbm_file; |
| | 113 | tree_node *node; |
| | 114 | dbdata_retry *host_retry_record, *message_retry_record; |
| | 115 | |
| | 116 | *retry_host_key = *retry_message_key = NULL; |
| | 117 | |
| | 118 | DEBUG(D_transport|D_retry) debug_printf("checking status of %s\n", host->name); |
| | 119 | |
| | 120 | /* Do nothing if status already set; otherwise initialize status as usable. */ |
| | 121 | |
| | 122 | if (host->status != hstatus_unknown) return FALSE; |
| | 123 | host->status = hstatus_usable; |
| | 124 | |
| | 125 | /* Generate the host key for the unusable tree and the retry database. Ensure |
| | 126 | host names are lower cased (that's what %S does). */ |
| | 127 | |
| | 128 | host_key = include_ip_address? |
| | 129 | string_sprintf("T:%S:%s%s", host->name, host->address, portstring) : |
| | 130 | string_sprintf("T:%S%s", host->name, portstring); |
| | 131 | |
| | 132 | /* Generate the message-specific key */ |
| | 133 | |
| | 134 | message_key = string_sprintf("%s:%s", host_key, message_id); |
| | 135 | |
| | 136 | /* Search the tree of unusable IP addresses. This is filled in when deliveries |
| | 137 | fail, because the retry database itself is not updated until the end of all |
| | 138 | deliveries (so as to do it all in one go). The tree records addresses that have |
| | 139 | become unusable during this delivery process (i.e. those that will get put into |
| | 140 | the retry database when it is updated). */ |
| | 141 | |
| | 142 | node = tree_search(tree_unusable, host_key); |
| | 143 | if (node != NULL) |
| | 144 | { |
| | 145 | DEBUG(D_transport|D_retry) debug_printf("found in tree of unusables\n"); |
| | 146 | host->status = (node->data.val > 255)? |
| | 147 | hstatus_unusable_expired : hstatus_unusable; |
| | 148 | host->why = node->data.val & 255; |
| | 149 | return FALSE; |
| | 150 | } |
| | 151 | |
| | 152 | /* Open the retry database, giving up if there isn't one. Otherwise, search for |
| | 153 | the retry records, and then close the database again. */ |
| | 154 | |
| | 155 | if ((dbm_file = dbfn_open(US"retry", O_RDONLY, &dbblock, FALSE)) == NULL) |
| | 156 | { |
| | 157 | DEBUG(D_deliver|D_retry|D_hints_lookup) |
| | 158 | debug_printf("no retry data available\n"); |
| | 159 | return FALSE; |
| | 160 | } |
| | 161 | host_retry_record = dbfn_read(dbm_file, host_key); |
| | 162 | message_retry_record = dbfn_read(dbm_file, message_key); |
| | 163 | dbfn_close(dbm_file); |
| | 164 | |
| | 165 | /* Ignore the data if it is too old - too long since it was written */ |
| | 166 | |
| | 167 | if (host_retry_record == NULL) |
| | 168 | { |
| | 169 | DEBUG(D_transport|D_retry) debug_printf("no host retry record\n"); |
| | 170 | } |
| | 171 | else if (now - host_retry_record->time_stamp > retry_data_expire) |
| | 172 | { |
| | 173 | host_retry_record = NULL; |
| | 174 | DEBUG(D_transport|D_retry) debug_printf("host retry record too old\n"); |
| | 175 | } |
| | 176 | |
| | 177 | if (message_retry_record == NULL) |
| | 178 | { |
| | 179 | DEBUG(D_transport|D_retry) debug_printf("no message retry record\n"); |
| | 180 | } |
| | 181 | else if (now - message_retry_record->time_stamp > retry_data_expire) |
| | 182 | { |
| | 183 | message_retry_record = NULL; |
| | 184 | DEBUG(D_transport|D_retry) debug_printf("message retry record too old\n"); |
| | 185 | } |
| | 186 | |
| | 187 | /* If there's a host-specific retry record, check for reaching the retry |
| | 188 | time (or forcing). If not, and the host is not expired, check for the message |
| | 189 | having been around for longer than the maximum retry time for this host or |
| | 190 | address. Allow the delivery if it has. Otherwise set the appropriate unusable |
| | 191 | flag and return FALSE. Otherwise arrange to return TRUE if this is an expired |
| | 192 | host. */ |
| | 193 | |
| | 194 | if (host_retry_record != NULL) |
| | 195 | { |
| | 196 | *retry_host_key = host_key; |
| | 197 | |
| | 198 | /* We have not reached the next try time. Check for the ultimate address |
| | 199 | timeout if the host has not expired. */ |
| | 200 | |
| | 201 | if (now < host_retry_record->next_try && !deliver_force) |
| | 202 | { |
| | 203 | DEBUG(D_transport|D_retry) |
| | 204 | debug_printf("host retry time not reached: checking ultimate address " |
| | 205 | "timeout\n"); |
| | 206 | |
| | 207 | if (!host_retry_record->expired && |
| | 208 | ultimate_address_timeout(host_key, domain, |
| | 209 | host_retry_record->basic_errno, host_retry_record->more_errno, now)) |
| | 210 | { |
| | 211 | DEBUG(D_transport|D_retry) |
| | 212 | debug_printf("on queue longer than maximum retry for " |
| | 213 | "address - allowing delivery\n"); |
| | 214 | return FALSE; |
| | 215 | } |
| | 216 | |
| | 217 | /* We have not hit the ultimate address timeout; host is unusable. */ |
| | 218 | |
| | 219 | host->status = (host_retry_record->expired)? |
| | 220 | hstatus_unusable_expired : hstatus_unusable; |
| | 221 | host->why = hwhy_retry; |
| | 222 | host->last_try = host_retry_record->last_try; |
| | 223 | return FALSE; |
| | 224 | } |
| | 225 | |
| | 226 | /* Host is usable; set return TRUE if expired. */ |
| | 227 | |
| | 228 | yield = host_retry_record->expired; |
| | 229 | } |
| | 230 | |
| | 231 | /* It's OK to try the host. If there's a message-specific retry record, check |
| | 232 | for reaching its retry time (or forcing). If not, mark the host unusable, |
| | 233 | unless the ultimate address timeout has been reached. */ |
| | 234 | |
| | 235 | if (message_retry_record != NULL) |
| | 236 | { |
| | 237 | *retry_message_key = message_key; |
| | 238 | if (now < message_retry_record->next_try && !deliver_force) |
| | 239 | { |
| | 240 | DEBUG(D_transport|D_retry) |
| | 241 | debug_printf("host+message retry time not reached: checking ultimate " |
| | 242 | "address timeout\n"); |
| | 243 | if (!ultimate_address_timeout(host_key, domain, 0, 0, now)) |
| | 244 | { |
| | 245 | host->status = hstatus_unusable; |
| | 246 | host->why = hwhy_retry; |
| | 247 | } |
| | 248 | else |
| | 249 | { |
| | 250 | DEBUG(D_transport|D_retry) |
| | 251 | debug_printf("on queue longer than maximum retry for " |
| | 252 | "address - allowing delivery\n"); |
| | 253 | } |
| | 254 | return FALSE; |
| | 255 | } |
| | 256 | } |
| | 257 | |
| | 258 | return yield; |
| | 259 | } |
| | 260 | |
| | 261 | |
| | 262 | |
| | 263 | |
| | 264 | /************************************************* |
| | 265 | * Add a retry item to an address * |
| | 266 | *************************************************/ |
| | 267 | |
| | 268 | /* Retry items are chained onto an address when it is deferred either by router |
| | 269 | or by a transport, or if it succeeds or fails and there was a previous retry |
| | 270 | item that now needs to be deleted. Sometimes there can be both kinds of item: |
| | 271 | for example, if routing was deferred but then succeeded, and delivery then |
| | 272 | deferred. In that case there is a delete item for the routing retry, and an |
| | 273 | updating item for the delivery. |
| | 274 | |
| | 275 | (But note that that is only visible at the outer level, because in remote |
| | 276 | delivery subprocesses, the address starts "clean", with no retry items carried |
| | 277 | in.) |
| | 278 | |
| | 279 | These items are used at the end of a delivery attempt to update the retry |
| | 280 | database. The keys start R: for routing delays and T: for transport delays. |
| | 281 | |
| | 282 | Arguments: |
| | 283 | addr the address block onto which to hang the item |
| | 284 | key the retry key |
| | 285 | flags delete, host, and message flags, copied into the block |
| | 286 | |
| | 287 | Returns: nothing |
| | 288 | */ |
| | 289 | |
| | 290 | void |
| | 291 | retry_add_item(address_item *addr, uschar *key, int flags) |
| | 292 | { |
| | 293 | retry_item *rti = store_get(sizeof(retry_item)); |
| | 294 | rti->next = addr->retries; |
| | 295 | addr->retries = rti; |
| | 296 | rti->key = key; |
| | 297 | rti->basic_errno = addr->basic_errno; |
| | 298 | rti->more_errno = addr->more_errno; |
| | 299 | rti->message = addr->message; |
| | 300 | rti->flags = flags; |
| | 301 | |
| | 302 | DEBUG(D_transport|D_retry) |
| | 303 | { |
| | 304 | int letter = rti->more_errno & 255; |
| | 305 | debug_printf("added retry item for %s: errno=%d more_errno=", rti->key, |
| | 306 | rti->basic_errno); |
| | 307 | if (letter == 'A' || letter == 'M') |
| | 308 | debug_printf("%d,%c", (rti->more_errno >> 8) & 255, letter); |
| | 309 | else |
| | 310 | debug_printf("%d", rti->more_errno); |
| | 311 | debug_printf(" flags=%d\n", flags); |
| | 312 | } |
| | 313 | } |
| | 314 | |
| | 315 | |
| | 316 | |
| | 317 | /************************************************* |
| | 318 | * Find retry configuration data * |
| | 319 | *************************************************/ |
| | 320 | |
| | 321 | /* Search the in-store retry information for the first retry item that applies |
| | 322 | to a given destination. If the key contains an @ we are probably handling a |
| | 323 | local delivery and have a complete address to search for; this happens when |
| | 324 | retry_use_local_part is set on a router. Otherwise, the key is likely to be a |
| | 325 | host name for a remote delivery, or a domain name for a local delivery. We |
| | 326 | prepend *@ on the front of it so that it will match a retry item whose address |
| | 327 | item pattern is independent of the local part. The alternate key, if set, is |
| | 328 | always just a domain, so we treat it likewise. |
| | 329 | |
| | 330 | Arguments: |
| | 331 | key key for which retry info is wanted |
| | 332 | alternate alternative key, always just a domain |
| | 333 | basic_errno specific error predicate on the retry rule, or zero |
| | 334 | more_errno additional data for errno predicate |
| | 335 | |
| | 336 | Returns: pointer to retry rule, or NULL |
| | 337 | */ |
| | 338 | |
| | 339 | retry_config * |
| | 340 | retry_find_config(uschar *key, uschar *alternate, int basic_errno, |
| | 341 | int more_errno) |
| | 342 | { |
| | 343 | int replace; |
| | 344 | uschar *use_key, *use_alternate; |
| | 345 | uschar *colon = Ustrchr(key, ':'); |
| | 346 | retry_config *yield; |
| | 347 | |
| | 348 | /* If there's a colon in the key, temporarily replace it with |
| | 349 | a zero to terminate the string there. */ |
| | 350 | |
| | 351 | if (colon != NULL) |
| | 352 | { |
| | 353 | replace = ':'; |
| | 354 | } |
| | 355 | else |
| | 356 | { |
| | 357 | colon = key + Ustrlen(key); |
| | 358 | replace = 0; |
| | 359 | } |
| | 360 | *colon = 0; |
| | 361 | |
| | 362 | /* Sort out the keys */ |
| | 363 | |
| | 364 | use_key = (Ustrchr(key, '@') != NULL)? key : string_sprintf("*@%s", key); |
| | 365 | use_alternate = (alternate == NULL)? NULL : string_sprintf("*@%s", alternate); |
| | 366 | |
| | 367 | /* Scan the configured retry items. */ |
| | 368 | |
| | 369 | for (yield = retries; yield != NULL; yield = yield->next) |
| | 370 | { |
| | 371 | uschar *plist = yield->pattern; |
| | 372 | uschar *slist = yield->senders; |
| | 373 | |
| | 374 | /* If a specific error is set for this item, check that we are handling that |
| | 375 | specific error, and if so, check any additional error information if |
| | 376 | required. */ |
| | 377 | |
| | 378 | if (yield->basic_errno != 0) |
| | 379 | { |
| | 380 | /* Special code is required for quota errors, as these can either be system |
| | 381 | quota errors, or Exim's own quota imposition, which has a different error |
| | 382 | number. Full partitions are also treated in the same way as quota errors. |
| | 383 | */ |
| | 384 | |
| | 385 | if (yield->basic_errno == ERRNO_EXIMQUOTA) |
| | 386 | { |
| | 387 | if ((basic_errno != ERRNO_EXIMQUOTA && basic_errno != errno_quota && |
| | 388 | basic_errno != ENOSPC) || |
| | 389 | (yield->more_errno != 0 && yield->more_errno > more_errno)) |
| | 390 | continue; |
| | 391 | } |
| | 392 | |
| | 393 | /* Handle 4xx responses to RCPT. The code that was received is in the 2nd |
| | 394 | least significant byte of more_errno (with 400 subtracted). The required |
| | 395 | value is coded in the 2nd least significant byte of the yield->more_errno |
| | 396 | field as follows: |
| | 397 | |
| | 398 | 255 => any 4xx code |
| | 399 | >= 100 => the decade must match the value less 100 |
| | 400 | < 100 => the exact value must match |
| | 401 | */ |
| | 402 | |
| | 403 | else if (yield->basic_errno == ERRNO_RCPT4XX) |
| | 404 | { |
| | 405 | int wanted; |
| | 406 | if (basic_errno != ERRNO_RCPT4XX) continue; |
| | 407 | wanted = (yield->more_errno >> 8) & 255; |
| | 408 | if (wanted != 255) |
| | 409 | { |
| | 410 | int evalue = (more_errno >> 8) & 255; |
| | 411 | if (wanted >= 100) |
| | 412 | { |
| | 413 | if ((evalue/10)*10 != wanted - 100) continue; |
| | 414 | } |
| | 415 | else if (evalue != wanted) continue; |
| | 416 | } |
| | 417 | } |
| | 418 | |
| | 419 | /* There are some special cases for timeouts */ |
| | 420 | |
| | 421 | else if (yield->basic_errno == ETIMEDOUT) |
| | 422 | { |
| | 423 | if (basic_errno != ETIMEDOUT) continue; |
| | 424 | |
| | 425 | /* Just RTEF_CTOUT in the rule => don't care about 'A'/'M' addresses */ |
| | 426 | if (yield->more_errno == RTEF_CTOUT) |
| | 427 | { |
| | 428 | if ((more_errno & RTEF_CTOUT) == 0) continue; |
| | 429 | } |
| | 430 | |
| | 431 | else if (yield->more_errno != 0) |
| | 432 | { |
| | 433 | int cf_errno = more_errno; |
| | 434 | if ((yield->more_errno & RTEF_CTOUT) == 0) cf_errno &= ~RTEF_CTOUT; |
| | 435 | if (yield->more_errno != cf_errno) continue; |
| | 436 | } |
| | 437 | } |
| | 438 | |
| | 439 | /* Default checks for exact match */ |
| | 440 | |
| | 441 | else |
| | 442 | { |
| | 443 | if (yield->basic_errno != basic_errno || |
| | 444 | (yield->more_errno != 0 && yield->more_errno != more_errno)) |
| | 445 | continue; |
| | 446 | } |
| | 447 | } |
| | 448 | |
| | 449 | /* If the "senders" condition is set, check it. Note that sender_address may |
| | 450 | be null during -brt checking, in which case we do not use this rule. */ |
| | 451 | |
| | 452 | if (slist != NULL && (sender_address == NULL || |
| | 453 | match_address_list(sender_address, TRUE, TRUE, &slist, NULL, -1, 0, |
| | 454 | NULL) != OK)) |
| | 455 | continue; |
| | 456 | |
| | 457 | /* Check for a match between the address list item at the start of this retry |
| | 458 | rule and either the main or alternate keys. */ |
| | 459 | |
| | 460 | if (match_address_list(use_key, TRUE, TRUE, &plist, NULL, -1, UCHAR_MAX+1, |
| | 461 | NULL) == OK || |
| | 462 | (use_alternate != NULL && |
| | 463 | match_address_list(use_alternate, TRUE, TRUE, &plist, NULL, -1, |
| | 464 | UCHAR_MAX+1, NULL) == OK)) |
| | 465 | break; |
| | 466 | } |
| | 467 | |
| | 468 | *colon = replace; |
| | 469 | return yield; |
| | 470 | } |
| | 471 | |
| | 472 | |
| | 473 | |
| | 474 | |
| | 475 | /************************************************* |
| | 476 | * Update retry database * |
| | 477 | *************************************************/ |
| | 478 | |
| | 479 | /* Update the retry data for any directing/routing/transporting that was |
| | 480 | deferred, or delete it for those that succeeded after a previous defer. This is |
| | 481 | done all in one go to minimize opening/closing/locking of the database file. |
| | 482 | |
| | 483 | Note that, because SMTP delivery involves a list of destinations to try, there |
| | 484 | may be defer-type retry information for some of them even when the message was |
| | 485 | successfully delivered. Likewise if it eventually failed. |
| | 486 | |
| | 487 | This function may move addresses from the defer to the failed queue if the |
| | 488 | ultimate retry time has expired. |
| | 489 | |
| | 490 | Arguments: |
| | 491 | addr_defer queue of deferred addresses |
| | 492 | addr_failed queue of failed addresses |
| | 493 | addr_succeed queue of successful addresses |
| | 494 | |
| | 495 | Returns: nothing |
| | 496 | */ |
| | 497 | |
| | 498 | void |
| | 499 | retry_update(address_item **addr_defer, address_item **addr_failed, |
| | 500 | address_item **addr_succeed) |
| | 501 | { |
| | 502 | open_db dbblock; |
| | 503 | open_db *dbm_file = NULL; |
| | 504 | time_t now = time(NULL); |
| | 505 | int i; |
| | 506 | |
| | 507 | DEBUG(D_retry) debug_printf("Processing retry items\n"); |
| | 508 | |
| | 509 | /* Three-times loop to handle succeeded, failed, and deferred addresses. |
| | 510 | Deferred addresses must be handled after failed ones, because some may be moved |
| | 511 | to the failed chain if they have timed out. */ |
| | 512 | |
| | 513 | for (i = 0; i < 3; i++) |
| | 514 | { |
| | 515 | address_item *endaddr, *addr; |
| | 516 | address_item *last_first = NULL; |
| | 517 | address_item **paddr = (i==0)? addr_succeed : |
| | 518 | (i==1)? addr_failed : addr_defer; |
| | 519 | address_item **saved_paddr = NULL; |
| | 520 | |
| | 521 | DEBUG(D_retry) debug_printf("%s addresses:\n", (i == 0)? "Succeeded" : |
| | 522 | (i == 1)? "Failed" : "Deferred"); |
| | 523 | |
| | 524 | /* Loop for each address on the chain. For deferred addresses, the whole |
| | 525 | address times out unless one of its retry addresses has a retry rule that |
| | 526 | hasn't yet timed out. Deferred addresses should not be requesting deletion |
| | 527 | of retry items, but just in case they do by accident, treat that case |
| | 528 | as "not timed out". |
| | 529 | |
| | 530 | As well as handling the addresses themselves, we must also process any |
| | 531 | retry items for any parent addresses - these are typically "delete" items, |
| | 532 | because the parent must have succeeded in order to generate the child. */ |
| | 533 | |
| | 534 | while ((endaddr = *paddr) != NULL) |
| | 535 | { |
| | 536 | BOOL timed_out = FALSE; |
| | 537 | retry_item *rti; |
| | 538 | |
| | 539 | for (addr = endaddr; addr != NULL; addr = addr->parent) |
| | 540 | { |
| | 541 | int update_count = 0; |
| | 542 | int timedout_count = 0; |
| | 543 | |
| | 544 | DEBUG(D_retry) debug_printf("%s%s\n", addr->address, (addr->retries == NULL)? |
| | 545 | ": no retry items" : ""); |
| | 546 | |
| | 547 | /* Loop for each retry item. */ |
| | 548 | |
| | 549 | for (rti = addr->retries; rti != NULL; rti = rti->next) |
| | 550 | { |
| | 551 | uschar *message; |
| | 552 | int message_length, message_space, failing_interval, next_try; |
| | 553 | retry_rule *rule, *final_rule; |
| | 554 | retry_config *retry; |
| | 555 | dbdata_retry *retry_record; |
| | 556 | |
| | 557 | /* Open the retry database if it is not already open; failure to open |
| | 558 | the file is logged, but otherwise ignored - deferred addresses will |
| | 559 | get retried at the next opportunity. Not opening earlier than this saves |
| | 560 | opening if no addresses have retry items - common when none have yet |
| | 561 | reached their retry next try time. */ |
| | 562 | |
| | 563 | if (dbm_file == NULL) |
| | 564 | dbm_file = dbfn_open(US"retry", O_RDWR, &dbblock, TRUE); |
| | 565 | |
| | 566 | if (dbm_file == NULL) |
| | 567 | { |
| | 568 | DEBUG(D_deliver|D_retry|D_hints_lookup) |
| | 569 | debug_printf("retry database not available for updating\n"); |
| | 570 | return; |
| | 571 | } |
| | 572 | |
| | 573 | /* If there are no deferred addresses, that is, if this message is |
| | 574 | completing, and the retry item is for a message-specific SMTP error, |
| | 575 | force it to be deleted, because there's no point in keeping data for |
| | 576 | no-longer-existing messages. This situation can occur when a domain has |
| | 577 | two hosts and a message-specific error occurs for the first of them, |
| | 578 | but the address gets delivered to the second one. This optimization |
| | 579 | doesn't succeed in cleaning out all the dead entries, but it helps. */ |
| | 580 | |
| | 581 | if (*addr_defer == NULL && (rti->flags & rf_message) != 0) |
| | 582 | rti->flags |= rf_delete; |
| | 583 | |
| | 584 | /* Handle the case of a request to delete the retry info for this |
| | 585 | destination. */ |
| | 586 | |
| | 587 | if ((rti->flags & rf_delete) != 0) |
| | 588 | { |
| | 589 | (void)dbfn_delete(dbm_file, rti->key); |
| | 590 | DEBUG(D_retry) |
| | 591 | debug_printf("deleted retry information for %s\n", rti->key); |
| | 592 | continue; |
| | 593 | } |
| | 594 | |
| | 595 | /* Count the number of non-delete retry items. This is so that we |
| | 596 | can compare it to the count of timed_out ones, to check whether |
| | 597 | all are timed out. */ |
| | 598 | |
| | 599 | update_count++; |
| | 600 | |
| | 601 | /* Get the retry information for this destination and error code, if |
| | 602 | any. If this item is for a remote host with ip address, then pass |
| | 603 | the domain name as an alternative to search for. If no retry |
| | 604 | information is found, we can't generate a retry time, so there is |
| | 605 | no point updating the database. This retry item is timed out. */ |
| | 606 | |
| | 607 | if ((retry = retry_find_config(rti->key + 2, |
| | 608 | ((rti->flags & rf_host) != 0)? addr->domain : NULL, |
| | 609 | rti->basic_errno, rti->more_errno)) == NULL) |
| | 610 | { |
| | 611 | DEBUG(D_retry) debug_printf("No configured retry item for %s%s%s\n", |
| | 612 | rti->key, |
| | 613 | ((rti->flags & rf_host) != 0)? US" or " : US"", |
| | 614 | ((rti->flags & rf_host) != 0)? addr->domain : US""); |
| | 615 | if (addr == endaddr) timedout_count++; |
| | 616 | continue; |
| | 617 | } |
| | 618 | |
| | 619 | DEBUG(D_retry) |
| | 620 | { |
| | 621 | if ((rti->flags & rf_host) != 0) |
| | 622 | debug_printf("retry for %s (%s) = %s\n", rti->key, |
| | 623 | addr->domain, retry->pattern); |
| | 624 | else |
| | 625 | debug_printf("retry for %s = %s\n", rti->key, retry->pattern); |
| | 626 | } |
| | 627 | |
| | 628 | /* Set up the message for the database retry record. Because DBM |
| | 629 | records have a maximum data length, we enforce a limit. There isn't |
| | 630 | much point in keeping a huge message here, anyway. */ |
| | 631 | |
| | 632 | message = (rti->basic_errno > 0)? US strerror(rti->basic_errno) : |
| | 633 | (rti->message == NULL)? |
| | 634 | US"unknown error" : string_printing(rti->message); |
| | 635 | message_length = Ustrlen(message); |
| | 636 | if (message_length > 150) message_length = 150; |
| | 637 | |
| | 638 | /* Read a retry record from the database or construct a new one. |
| | 639 | Ignore an old one if it is too old since it was last updated. */ |
| | 640 | |
| | 641 | retry_record = dbfn_read(dbm_file, rti->key); |
| | 642 | if (retry_record != NULL && |
| | 643 | now - retry_record->time_stamp > retry_data_expire) |
| | 644 | retry_record = NULL; |
| | 645 | |
| | 646 | if (retry_record == NULL) |
| | 647 | { |
| | 648 | retry_record = store_get(sizeof(dbdata_retry) + message_length); |
| | 649 | message_space = message_length; |
| | 650 | retry_record->first_failed = now; |
| | 651 | retry_record->last_try = now; |
| | 652 | retry_record->next_try = now; |
| | 653 | retry_record->expired = FALSE; |
| | 654 | retry_record->text[0] = 0; /* just in case */ |
| | 655 | } |
| | 656 | else message_space = Ustrlen(retry_record->text); |
| | 657 | |
| | 658 | /* Compute how long this destination has been failing */ |
| | 659 | |
| | 660 | failing_interval = now - retry_record->first_failed; |
| | 661 | |
| | 662 | /* Search for the current retry rule. The cutoff time of the |
| | 663 | last rule is handled differently to the others. The rule continues |
| | 664 | to operate for ever (the global maximum interval will eventually |
| | 665 | limit the gaps) but its cutoff time determines when an individual |
| | 666 | destination times out. If there are no retry rules, the destination |
| | 667 | always times out, but we can't compute a retry time. */ |
| | 668 | |
| | 669 | final_rule = NULL; |
| | 670 | for (rule = retry->rules; rule != NULL; rule = rule->next) |
| | 671 | { |
| | 672 | if (failing_interval <= rule->timeout) break; |
| | 673 | final_rule = rule; |
| | 674 | } |
| | 675 | |
| | 676 | /* If there's an un-timed out rule, the destination has not |
| | 677 | yet timed out, so the address as a whole has not timed out (but we are |
| | 678 | interested in this only for the end address). Make sure the expired |
| | 679 | flag is false (can be forced via fixdb from outside, but ensure it is |
| | 680 | consistent with the rules whenever we go through here). */ |
| | 681 | |
| | 682 | if (rule != NULL) |
| | 683 | { |
| | 684 | retry_record->expired = FALSE; |
| | 685 | } |
| | 686 | |
| | 687 | /* Otherwise, set the retry timeout expired, and set the final rule |
| | 688 | as the one from which to compute the next retry time. Subsequent |
| | 689 | messages will fail immediately until the retry time is reached (unless |
| | 690 | there are other, still active, retries). */ |
| | 691 | |
| | 692 | else |
| | 693 | { |
| | 694 | rule = final_rule; |
| | 695 | retry_record->expired = TRUE; |
| | 696 | if (addr == endaddr) timedout_count++; |
| | 697 | } |
| | 698 | |
| | 699 | /* There is a special case to consider when some messages get through |
| | 700 | to a destination and others don't. This can happen locally when a |
| | 701 | large message pushes a user over quota, and it can happen remotely |
| | 702 | when a machine is on a dodgy Internet connection. The messages that |
| | 703 | get through wipe the retry information, causing those that don't to |
| | 704 | stay on the queue longer than the final retry time. In order to |
| | 705 | avoid this, we check, using the time of arrival of the message, to |
| | 706 | see if it has been on the queue for more than the final cutoff time, |
| | 707 | and if so, cause this retry item to time out, and the retry time to |
| | 708 | be set to "now" so that any subsequent messages in the same condition |
| | 709 | also get tried. We search for the last rule onwards from the one that |
| | 710 | is in use. If there are no retry rules for the item, rule will be null |
| | 711 | and timedout_count will already have been updated. |
| | 712 | |
| | 713 | This implements "timeout this rule if EITHER the host (or routing or |
| | 714 | directing) has been failing for more than the maximum time, OR if the |
| | 715 | message has been on the queue for more than the maximum time." */ |
| | 716 | |
| | 717 | if (received_time <= retry_record->first_failed && |
| | 718 | addr == endaddr && !retry_record->expired && rule != NULL) |
| | 719 | { |
| | 720 | retry_rule *last_rule; |
| | 721 | for (last_rule = rule; |
| | 722 | last_rule->next != NULL; |
| | 723 | last_rule = last_rule->next); |
| | 724 | if (now - received_time > last_rule->timeout) |
| | 725 | { |
| | 726 | DEBUG(D_retry) debug_printf("on queue longer than maximum retry\n"); |
| | 727 | timedout_count++; |
| | 728 | rule = NULL; |
| | 729 | } |
| | 730 | } |
| | 731 | |
| | 732 | /* Compute the next try time from the rule, subject to the global |
| | 733 | maximum, and update the retry database. If rule == NULL it means |
| | 734 | there were no rules at all (and the timeout will be set expired), |
| | 735 | or we have a message that is older than the final timeout. In this |
| | 736 | case set the next retry time to now, so that one delivery attempt |
| | 737 | happens for subsequent messages. */ |
| | 738 | |
| | 739 | if (rule == NULL) next_try = now; else |
| | 740 | { |
| | 741 | if (rule->rule == 'F') next_try = now + rule->p1; |
| | 742 | else /* assume rule = 'G' */ |
| | 743 | { |
| | 744 | int last_predicted_gap = |
| | 745 | retry_record->next_try - retry_record->last_try; |
| | 746 | int last_actual_gap = now - retry_record->last_try; |
| | 747 | int lastgap = (last_predicted_gap < last_actual_gap)? |
| | 748 | last_predicted_gap : last_actual_gap; |
| | 749 | next_try = now + ((lastgap < rule->p1)? rule->p1 : |
| | 750 | (lastgap * rule->p2)/1000); |
| | 751 | } |
| | 752 | } |
| | 753 | |
| | 754 | /* Impose a global retry max */ |
| | 755 | |
| | 756 | if (next_try - now > retry_interval_max) |
| | 757 | next_try = now + retry_interval_max; |
| | 758 | |
| | 759 | /* If the new message length is greater than the previous one, we |
| | 760 | have to copy the record first. */ |
| | 761 | |
| | 762 | if (message_length > message_space) |
| | 763 | { |
| | 764 | dbdata_retry *newr = store_get(sizeof(dbdata_retry) + message_length); |
| | 765 | memcpy(newr, retry_record, sizeof(dbdata_retry)); |
| | 766 | retry_record = newr; |
| | 767 | } |
| | 768 | |
| | 769 | /* Set up the retry record; message_length may be less than the string |
| | 770 | length for very long error strings. */ |
| | 771 | |
| | 772 | retry_record->last_try = now; |
| | 773 | retry_record->next_try = next_try; |
| | 774 | retry_record->basic_errno = rti->basic_errno; |
| | 775 | retry_record->more_errno = rti->more_errno; |
| | 776 | Ustrncpy(retry_record->text, message, message_length); |
| | 777 | retry_record->text[message_length] = 0; |
| | 778 | |
| | 779 | DEBUG(D_retry) |
| | 780 | { |
| | 781 | int letter = retry_record->more_errno & 255; |
| | 782 | debug_printf("Writing retry data for %s\n", rti->key); |
| | 783 | debug_printf(" first failed=%d last try=%d next try=%d expired=%d\n", |
| | 784 | (int)retry_record->first_failed, (int)retry_record->last_try, |
| | 785 | (int)retry_record->next_try, retry_record->expired); |
| | 786 | debug_printf(" errno=%d more_errno=", retry_record->basic_errno); |
| | 787 | if (letter == 'A' || letter == 'M') |
| | 788 | debug_printf("%d,%c", (retry_record->more_errno >> 8) & 255, |
| | 789 | letter); |
| | 790 | else |
| | 791 | debug_printf("%d", retry_record->more_errno); |
| | 792 | debug_printf(" %s\n", retry_record->text); |
| | 793 | } |
| | 794 | |
| | 795 | (void)dbfn_write(dbm_file, rti->key, retry_record, |
| | 796 | sizeof(dbdata_retry) + message_length); |
| | 797 | } /* Loop for each retry item */ |
| | 798 | |
| | 799 | /* If all the non-delete retry items are timed out, the address is |
| | 800 | timed out, provided that we didn't skip any hosts because their retry |
| | 801 | time was not reached (or because of hosts_max_try). */ |
| | 802 | |
| | 803 | if (update_count > 0 && update_count == timedout_count) |
| | 804 | { |
| | 805 | if (!testflag(endaddr, af_retry_skipped)) |
| | 806 | { |
| | 807 | DEBUG(D_retry) debug_printf("timed out: all retries expired\n"); |
| | 808 | timed_out = TRUE; |
| | 809 | } |
| | 810 | else |
| | 811 | { |
| | 812 | DEBUG(D_retry) |
| | 813 | debug_printf("timed out but some hosts were skipped\n"); |
| | 814 | } |
| | 815 | } |
| | 816 | } /* Loop for an address and its parents */ |
| | 817 | |
| | 818 | /* If this is a deferred address, and retry processing was requested by |
| | 819 | means of one or more retry items, and they all timed out, move the address |
| | 820 | to the failed queue, and restart this loop without updating paddr. |
| | 821 | |
| | 822 | If there were several addresses batched in the same remote delivery, only |
| | 823 | the original top one will have host retry items attached to it, but we want |
| | 824 | to handle all the same. Each will have a pointer back to its "top" address, |
| | 825 | and they will now precede the item with the retries because addresses are |
| | 826 | inverted when added to these final queues. We have saved information about |
| | 827 | them in passing (below) so they can all be cut out at once. */ |
| | 828 | |
| | 829 | if (i == 2) /* Handling defers */ |
| | 830 | { |
| | 831 | if (endaddr->retries != NULL && timed_out) |
| | 832 | { |
| | 833 | if (last_first == endaddr) paddr = saved_paddr; |
| | 834 | addr = *paddr; |
| | 835 | *paddr = endaddr->next; |
| | 836 | |
| | 837 | endaddr->next = *addr_failed; |
| | 838 | *addr_failed = addr; |
| | 839 | |
| | 840 | for (;; addr = addr->next) |
| | 841 | { |
| | 842 | setflag(addr, af_retry_timedout); |
| | 843 | addr->message = (addr->message == NULL)? US"retry timeout exceeded" : |
| | 844 | string_sprintf("%s: retry timeout exceeded", addr->message); |
| | 845 | log_write(0, LOG_MAIN, "** %s%s%s%s: retry timeout exceeded", |
| | 846 | addr->address, |
| | 847 | (addr->parent == NULL)? US"" : US" <", |
| | 848 | (addr->parent == NULL)? US"" : addr->parent->address, |
| | 849 | (addr->parent == NULL)? US"" : US">"); |
| | 850 | |
| | 851 | if (addr == endaddr) break; |
| | 852 | } |
| | 853 | |
| | 854 | continue; /* Restart from changed *paddr */ |
| | 855 | } |
| | 856 | |
| | 857 | /* This address is to remain on the defer chain. If it has a "first" |
| | 858 | pointer, save the pointer to it in case we want to fail the set of |
| | 859 | addresses when we get to the first one. */ |
| | 860 | |
| | 861 | if (endaddr->first != last_first) |
| | 862 | { |
| | 863 | last_first = endaddr->first; |
| | 864 | saved_paddr = paddr; |
| | 865 | } |
| | 866 | } |
| | 867 | |
| | 868 | /* All cases (succeed, fail, defer left on queue) */ |
| | 869 | |
| | 870 | paddr = &(endaddr->next); /* Advance to next address */ |
| | 871 | } /* Loop for all addresses */ |
| | 872 | } /* Loop for succeed, fail, defer */ |
| | 873 | |
| | 874 | /* Close and unlock the database */ |
| | 875 | |
| | 876 | if (dbm_file != NULL) dbfn_close(dbm_file); |
| | 877 | |
| | 878 | DEBUG(D_retry) debug_printf("end of retry processing\n"); |
| | 879 | } |
| | 880 | |
| | 881 | /* End of retry.c */ |
projects / exim.git / blame_incremental