quedfldir[] = e.g.: "/usr/mmdf/lock/home"
MMDF stores mail in an isolated part of the file system, so that only authorized software may access the mail. Mail is stored under the directory sub-tree, specified in the conf.c global variable quedfldir[].
It must specify a path with at least two sub-directories. The next-to-bottom one is used as a "locking" directory and the bottom one is the home. For full protection, only authorized software can move through the locking directory. Hence, it is owned by MMDF and accessible only to it.
Submit, deliver, cleanque, and checkque must run setuid() to MMDF. (In order to set both its effect and real uid/gid to that of mmdf, deliver is usually run setuid() to root. On some systems it may only need to be be setuid() to MMDF. This has not been tested). The home directory is open access.
When mail is queued by submit, it is actually stored as two files. One contains the actual message text and the other contains some control information and the list of addressees.
The text file is stored in the msg directory. The other file is stored in the addr directory and is linked into one or more queue directories. The queue directories are selected based on the channels on which this message will be delivered. Each output channel typically has its own queue directory.
Another directory below home is a temporary area called tmp. It holds temporary address-lists as they are being built. Queuing of a message is completed by linking this address file into addr and the queue directories. The msg directory contains files with message text. Addr and msg files are synchronized by giving them the same unique name, which MMDF occasionally calls the message "name". The message name is derived by use of mktemp(3), using msg as the base directory. The files created in addr[] must be open read-write access; the ones in msg must be open read access.
When submit runs, it changes into home for its working directory. It then does a setuid() to run as the caller. This is necessary to permit submit to access the caller's address-list files (specified as "< file"), but probably will be changed. Deliver changes into the queue directory to minimize the time spent searching for messages to deliver.
The following depicts the directory organization:
lock (lock: 0700)
| (mmdf only)
|
________home______ (open: 0777)
/ | | \
/ | | \
tmp addr q.* msg (open: 0777)
addresses ==> moved and linked message text
built here ==> into here into here put here
entries: 0666 0666 0644
The msg portion of a queued message simply contains the message, which must conform to the Arpanet standard syntax, specified in RFC822. It is expected that the format of the message contents file eventually will be more structured, permitting storage of multi-media mail.
The following specifies the syntax of the addr (and queue directory) address-list portion of the queued message:
An address queue file contains a creation time-stamp, an indication if the sender has been notified of delayed delivery, some flags, an optional return-mail address, and an address list. Several <flags> are currently in use (as specified in msg.h). ADR_NOWARN indicates whether late warnings should be sent to the return-mail address if the entire address list has not been processed within the number of hours specified by "warntime". ADR_NORET indicates whether mail should be returned to the sender if it hasn't been completely processed within the number of hours specified by "failtime". ADR_CITE indicates whether warning and failure messages are to contain only a citation of the message. An ADR_DONE ("*") value, for the "late" flag, indicates that a warning notice has been sent.
The creation date is coded as a long ASCII decimal string, terminated by the "late" flag. This has to be stuffed into the file because Unix doesn't maintain it. The date is used to sort the queue so that mail is delivered in the order submitted.
The return address is a line of text and may be any address acceptable to submit.
Each address entry is on a separate line, and conforms to the adr_struct format, defined in adr_queue.h. It contains several fields separated by spaces or commas. Fields containing spaces or commas must be enclosed in double quotes.
The temp_ok flag indicates whether the address has been accepted during an "address verification" dialog with the receiving host. When the message text is successfully accepted by the receiving host, then this flag no longer applies and the mode is set to ADR_DONE ("*"). Before final acceptance of message text, the mode flag indicates whether the mail is for a mailbox, terminal, both, or either. (Currently only mailbox delivery, ADR_MAIL, is used.)
The queue name is the name of the sub-queue in which the message is queued for this address. Each addressee's host may be on a separate queue or some hosts may share the same queue. When all addressees in the same queue have been delivered, the address file is removed from that queue directory. When all queues have been processed, the address file (in both addr and the queue directory) and the text file (in msg) are removed.
The host and local strings are used by the channel program. The host determines the type of connection the channel program makes. The local string is passed to the host; it should be something meaningful to that host. The local string must not contain newline or null and it be a valid local address per RFC822.