oracular (8) mimedefang-multiplexor.8.gz

Provided by: mimedefang_3.4.1-1build1_amd64 bug

NAME

       mimedefang-multiplexor - Process pool controller for mail filters.

SYNOPSIS

       mimedefang-multiplexor [options]

DESCRIPTION

       mimedefang-multiplexor  manages  a  pool  of  Perl  processes  for scanning e-mail.  It is
       designed to work in conjunction with mimedefang(8) and mimedefang.pl(8).

       mimedefang-multiplexor opens a UNIX-domain socket and listens for requests for  work  from
       mimedefang.   As requests come in, mimedefang-multiplexor creates Perl processes as needed
       to scan mail.  The Perl processes are not killed when scanning is completed, but  continue
       to  run  in  a  loop.   Perl  processes  are re-used for subsequent e-mail messages.  This
       eliminates the large overhead of starting a new Perl process for each incoming message.

       To avoid memory leaks, the Perl processes are killed after they have handled  some  number
       of scans.

OPTIONS

       -U user
              Runs  the multiplexor as user rather than root.  This option is mandatory, and must
              match the -U option supplied to mimedefang.

       -m minWorkers
              The minimum number of Perl processes to keep running at all times.  The default  is
              zero.

       -x maxWorkers
              The  maximum number of Perl processes to run simultaneously.  If a request comes in
              and all processes are busy, a temporary failure is signalled to the SMTP peer.  The
              default is 2.

       -r maxRequests
              The  maximum  number  of requests a given process handles before it is killed and a
              replacement started.  The default is 500.

       -i idleTime
              The idle time in seconds after which to kill of excess Perl processes.  That is, if
              the  process  is idle for longer than this time, and there are more than minWorkers
              running, the process is killed.  Note that this is implemented  as  a  timer  which
              ticks every idleTime seconds; therefore, processes may be idle for up to twice this
              time before they are killed.  The default for idleTime is 300 seconds.

       -V maxLifetime
              The maximum lifetime in seconds of a worker before it is killed and  a  replacement
              started.   The  default  is -1, which signifies no maximum lifetime.  Note that the
              lifetime check is done only when a worker becomes idle after a  request,  or  every
              time  the idle-timeout check is made.  On a very quiet system, workers may live for
              longer than maxLifetime by as much as idleTime.  Note also  that  the  lifetime  is
              measured  not  from  when the worker started running, but from when it was assigned
              its very first request.  A completely-idle worker  that  has  never  processed  any
              requests will not be terminated by the maxLifetime setting.

       -b busyTime
              The  longest  a  Perl  process  is allowed to spend scanning an e-mail before it is
              declared hung up and killed.  The default is 120 seconds.

       -Z     This option specifies that  the  multiplexor  should  accept  and  process  "status
              updates"  from busy workers.  Note that this consumes one extra file descriptor per
              worker, plus a small amount of CPU time per status update.

       -c cmdTime
              The timeout for communication between  mimedefang-multiplexor  and  mimedefang,  or
              between  mimedefang-multiplexor  and  a  Perl  scanning process.  The default is 10
              seconds.  This timeout should be kept quite short.

       -w waitTime
              When mimedefang-multiplexor starts the initial  workers,  or  needs  to  bring  the
              number  of  running  workers up to the number defined by the -m option, it does not
              start all the workers at once, because this could overload your  server.   Instead,
              it starts one worker every waitTime seconds.  The default value for waitTime is 3.

       -W waitTime
              If  you  use this option, mimedefang-multiplexor will never activate a worker until
              waitTime seconds have elapsed since the last worker activation.  This could  result
              in mail being tempfailed if worker activations do not keep pace with incoming mail.
              However, it may be preferable to tempfail mail rather than allow the load  on  your
              server  to  spike  up too quickly.  The default value for this option is 0, meaning
              that mimedefang-multiplexor will start workers as quickly as necessary to  keep  up
              with incoming mail.

       -z spooldir
              Set  the  spool  directory  to  spooldir.   If  this  option  is omitted, the spool
              directory defaults to /var/spool/MIMEDefang.

       -s pathName
              The UNIX-domain socket on which mimedefang-multiplexor listens for requests.   This
              should  be  specified  as an absolute pathname.  If this option is not supplied, it
              defaults to mimedefang-multiplexor.sock under the spool directory.

       -a socket
              A socket for listening for requests.  This is similar to the -s socket, except that
              a  restricted  set of requests are processed.  On this socket, the multiplexor will
              only process requests asking for status; it will not  accept  any  commands  to  do
              scanning  or that would consume a worker.  See the SOCKET SPECIFICATION section for
              the format of socket.

       -p fileName
              Causes mimedefang-multiplexor to write its process-ID (after becoming a daemon)  to
              the specified file.  The file will be owned by root.

       -o fileName
              Causes  mimedefang-multiplexor  to  use  fileName  as a lock file to avoid multiple
              instances from running.  If you supply -p but not -o,  then  mimedefang-multiplexor
              constructs a lock file by appending ".lock" to the pid file.  However, this is less
              secure than having a root-owned pid file in a root-owned directory and a lock  file
              writable  by  the  user named by the -U option.  (The lock file must be writable by
              the -U user.)

       -f filter_path
              Normally, mimedefang-multiplexor executes a Perl filter script called mimedefang.pl
              to  scan  the  e-mail.   However,  you  can have it execute any program you like by
              specifying the full path to the program with the -f option.  This program must obey
              the  protocol  documented  in  mimedefang-protocol(7);  see  that  manual  page for
              details.

              Note that the -f option does not specify the "filter" to  use  with  mimedefang.pl;
              instead,  it  specifies  the  program  for  mimedefang-multiplexor to execute.  You
              almost  certainly  should  not  use  this  option  unless  you  wish   to   replace
              mimedefang.pl with your own program.

       -F rules_path
              Specifies  the  path  to  the  filter rules.  By default, /etc/mimedefang-filter is
              used.  If you use the -F option, its value is passed to the underlying Perl  filter
              program using -f.

       -l     Log certain events, including the output of the Perl workers' standard-error, using
              syslog.  Normally, the multiplexor does not log much information.

       -d     Write debugging information about event-handling code in /var/log/mimedefang-event-
              debug.log.  This is only of use to people debugging mimedefang-multiplexor.

       -R kbytes
              Limits  the  resident-set  size of the worker filter processes to kbytes kilobytes.
              This limit is not supported on all operating systems; it is known to work on Linux.

       -M kbytes
              Limits the total memory space of worker filter processes to kbytes kilobytes.  This
              limit  is  supported on all operating systems which support the setrlimit(2) system
              call.  This should include most modern UNIX systems.

              We recommend that you monitor your worker filter processes and get a feel  for  how
              much  memory  they use.  You should then limit the memory to two or three times the
              worst-case that you  have  observed.   This  can  help  mitigate  denial-of-service
              attacks  which use complicated MIME messages to force mimedefang.pl to consume lots
              of memory.

       -h     Print usage information and exit.

       -t filename
              Log statistical information to filename.   See  the  section  STATISTICS  for  more
              information.

       -T     Log  statistical  information using syslog(2).  You may use any -t and -T together,
              in which case statistical information is logged in a file and using syslog.

       -u     Flush the statistics file after every write.  Normally, mimedefang-multiplexor does
              not  flush the file; this is the best choice for minimizing disk I/O on a busy mail
              server.  However, if you wish to watch statistics entries in real-time, you  should
              enable flushing.

       -D     Do  not  fork  into  the  background  and  become  a  daemon.  Instead, stay in the
              foreground.  Useful mainly for debugging or  if  you  have  a  supervisory  process
              managing mimedefang-multiplexor.

       -q queue_size
              Normally,  if  all  workers  are  busy  and mimedefang-multiplexor receives another
              request, it fails it with the error "No free workers."  However, if you use the  -q
              option, then up to queue_size requests will be queued.  As soon as a worker becomes
              free, the queued requests will be handed off in FIFO order.  If the queue  is  full
              and another request comes in, then the request is failed with "No free workers".

       -Q queue_timeout
              Queued  requests  should  not  stay on the queue indefinitely.  If a queued request
              cannot be processed within queue_timeout (default 30) seconds of  being  placed  on
              the queue, it is failed with a "Queued request timed out" message.  See the section
              "QUEUEING REQUESTS" for more discussion.

       -O sock
              Listen on a  notification  socket  for  connections  from  listeners.   mimedefang-
              multiplexor  can inform external programs of state changes by sending messages over
              a notification socket.  The external programs  connect  to  this  socket  and  then
              listen  for  notifications.  See the section SOCKET SPECIFICATION for the format of
              sock.

              See the mimedefang-notify(7) man page for details of the notification protocol.

       -N map_sock
              Listen on a map socket for Sendmail SOCKETMAP connections.  As  of  Sendmail  8.13,
              you  can  define  a  Sendmail  map  type  that  talks  to  a  daemon over a socket.
              mimedefang-multiplexor implements that protocol; consult  the  mimedefang-filter(5)
              man page for detils (see the SOCKET MAPS section).

              See the section SOCKET SPECIFICATION for the format of map_sock.

       -I backlog
              When mimedefang-multiplexor creates a listening socket, it calculates the "backlog"
              argument to listen(2) based on the maximum number of  workers.   However,  you  can
              explicitly  set  this  backlog  with  the -I option.  Setting the backlog to a high
              value (around 30-50) may help on a very busy server.  If you see mail log  messages
              saying  "MXCommand: socket: Connection refused" during busy periods, then that's an
              indication you need a higher listen backlog.

       -L interval
              Log the worker status every interval seconds.  This logs a line using  syslog;  the
              line looks like this:

       Worker status: Stopped=s Idle=i Busy=b Killed=k Queued=q Msgs=m Activations=a

              Here,  "Stopped" is the number of non-running workers, "Idle" is the number of idle
              workers, "Busy" is the number of busy workers, "Killed" is  the  number  of  killed
              workers  yet to be reaped, "Queued" is the number of queued requests, "Msgs" is the
              total number of  messages  processed  since  the  multiplexor  began  running,  and
              "Activations"  is  the  number  of  times a Perl process has been started since the
              multiplexor began running.

              If you supply an interval of 0 (which is the default), no periodic  status  logging
              is  performed.   If  you  supply an interval of less than 5 seconds, it is silently
              reset to 5 seconds.

       -S facility
              Specifies the syslog  facility  for  log  messages.   The  default  is  mail.   See
              openlog(3)  for  a  list  of  valid  facilities.  You can use either the short name
              ("mail") or long name ("LOG_MAIL") for the facility name.

       -E     Specifies that the multiplexor should create an embedded  Perl  interpreter.   This
              can  improve  performance  dramatically.   But see the section "EMBEDDING PERL" for
              more information.

       -X n   Specifies that the multiplexor should initiate a "tick" request  every  n  seconds.
              This  causes  your  filter_tick  function (if defined) to be called.  Note that you
              have no control over which worker executes filter_tick.  If all  workers  are  busy
              when a tick occurs, that tick request is skipped and a warning message is logged.

       -P n   Specifies  that  the multiplexor should run n tick requests in parallel.  Each tick
              is run as often as specified with the -X argument.  (If you  omit  the  -P  option,
              then the multiplexor behaves as if -P 1 had been specified.)

              If you run parallel ticks, each tick is assigned an integer identifying its "type".
              The type ranges from 0 to n-1.  While there may be  as  many  as  n  tick  requests
              running at a time, only one tick of each type will be active at any time.

       -Y label
              Sets  the  tag  used  in  the  multiplexor's  syslog  messages  to label instead of
              mimedefang-multiplexor.

       -G     Normally, mimedefang-multiplexor uses  a  umask  of  027  when  creating  listening
              sockets.   If  you would like the sockets to be readable and writeable by the group
              as well as the owner, supply the -G option.   This  causes  the  umask  to  be  007
              whenever UNIX-domain sockets are created.

       -y n   Limits  the maximum number of concurrent recipok checks to n on a per-domain basis.
              The value of n can range from 0 (in which case no limit is applied) to  maxWorkers,
              where  maxWorkers is the argument to the -x option.  If n is outside that range, it
              is ignored (and no limit is applied.)

              The recipok command  ultimately  invokes  the  filter_recipient  function  in  your
              filter.   If  you are doing recipient verification against servers that may be slow
              or unreliable, you can use  the  -y  option  to  limit  the  number  of  concurrent
              recipient  verifications per domain.  That way, if one domain's server becomes very
              slow, it won't consume all available workers for recipient verification.   Instead,
              its  RCPT commands will be tempfailed and there will be workers available to handle
              RCPT commands for other domains.

SOCKET SPECIFICATION

       The -a, -N and -O options takes a socket  as  an  argument.   The  format  of  the  socket
       parameter is similar to that of the Sendmail Milter library, and is one of the following:

       /path/to/socket
              A UNIX-domain socket

       inet:portnum
              A  TCP  socket  bound  to port portnum, but which accepts connections only from the
              IPv4 loopback address (127.0.0.1).

       inet_any:portnum
              A TCP socket bound to port portnum which will accept connections from any  address.
              Use inet_any with caution!

       inet6:portnum
              A TCP socket bound to port portnum listening on the IPv6 loopback address.

       inet6_any:portnum
              A TCP socket bound to port portnum listening on the IPv6 wildcard address.

QUEUEING REQUESTS

       Normally,  if  all  workers  are  busy,  any  additional  requests are failed immediately.
       However, the -q and -Q options allow you to queue requests for a  short  amount  of  time.
       This  facility  is  intended  to gracefully handle a temporary overload; most of the time,
       your queue should be empty.

       Because mimedefang checks the number of free workers when a connection is opened and fails
       the  connection  if  there  are  no free workers, the intent of the queue is to allow SMTP
       transactions that are already underway to continue if there is a slight overload.  Any new
       connections  will  be failed if all workers are busy, but existing connections are allowed
       to continue.  Queuing requests may improve throughput on extremely busy servers.

       Note that if you supply the -q option to mimedefang, then even new connections are allowed
       to queue.  This may improve throughput by keeping the worker utilization higher.

       The  -R  option  to  mimedefang  can  be used to reserve a specified number of workers for
       connections from the loopback address.   Using  the  -R  option  has  the  side-effect  of
       permitting new connections from the loopback address to queue.

EMBEDDING PERL

       Normally,   when   mimedefang-multiplexor   activates   a   worker,  it  forks  and  execs
       mimedefang.pl.  However, if the multiplexor was compiled with embedded Perl  support,  and
       you supply the -E command-line option, the multiplexor works like this:

       1      It  creates  an embedded Perl interpreter, and sources mimedefang.pl with a special
              command-line argument telling it to read the filter, but  not  to  enter  the  main
              loop.

       2      Each  time  a  worker  is  activated,  the  multiplexor  calls  fork() and runs the
              mimedefang.pl main loop.  This invokes filter_initialize and  then  runs  the  main
              loop.

       On  some  platforms  (for  example,  Red Hat Linux 7.3 with Perl 5.6.1), it is not safe to
       destroy and recreate  a  Perl  interpreter  without  causing  a  memory  leak.   On  those
       platforms,  if  you  attempt  to  reread the filter file (by sending the multiplexor a HUP
       signal or reread command), the filter will not be re-read, and a message will be logged to
       syslog.  On those platforms, you must kill and restart MIMEDefang if you change the filter
       file.

       On most platforms, however, a filter reread is accomplished by destroying and  re-creating
       the  embedded  interpreter,  re-sourcing mimedefang.pl and killing workers as soon as they
       are idle.

STATISTICS

       With the -t option, mimedefang-multiplexor logs certain events to a file.  This  file  can
       be  post-processed to gather statistics about the multiplexor.  You can use it to tune the
       number of workers you run, adjust timeouts, and so on.

       Each line of the file looks like this:

            YYYY/MM/DD:HH:MM:SS timestamp event key=val key=val...

       Here, YYYY/MM/DD:HH:MM:SS is the local time of day.  Timestamp is the  number  of  seconds
       since January 1, 1970.  Event is the name of an event.  The valid events are:

       StartWorker
              A worker process has been started.

       KillWorker
              A worker process has been killed.

       ReapWorker
              A  dead  worker process has been reaped.  It is possible to have a ReapWorker event
              without a previous KillWorker event if the worker process terminated abnormally.

       StartFilter
              A worker process has begun filtering an e-mail message.

       EndFilter
              A worker process has finished filtering an e-mail message.

       The possible keys in the key=value pairs are:

       worker=n
              The worker involved in the event.  Every worker is identified by a small integer.

       nworkers=n
              The total number of running workers immediately after the event happened.

       nbusy=n
              The number of busy  workers  (workers  which  are  processing  an  e-mail  message)
              immediately after the event happened.

       reason="string"
              The reason for a StartWorker or KillWorker event.  (Present only for these events.)

       numRequests=n
              The  number  of  e-mails  processed  by  the worker.  Present only for an EndFilter
              event.

       If you send the mimedefang-multiplexor process a SIGHUP signal (kill -1  pid),  it  closes
       and reopens the statistics file.  This is useful during log file rotation.

       If  you  send  the  mimedefang-multiplexor  process  a  SIGINT  signal (kill -INT pid), it
       terminates all active-but-idle workers.  Also, any active-and-busy  workers  terminate  as
       soon  as  they  finish filtering the current message.  This is useful to force a reread of
       the filter rules file without stopping and restarting Sendmail.

       If you send the mimedefang-multiplexor process a SIGTERM signal (kill pid), it  terminates
       all workers and exits immediately.

AUTHOR

       mimedefang-mulitplexor   was   written  by  Dianne  Skoll  <dfs@roaringpenguin.com>.   The
       mimedefang home page is https://www.mimedefang.org/.

SEE ALSO

       mimedefang.pl(8), mimedefang-filter(5), mimedefang(8), mimedefang-protocol(7)