maildir with softupdates
Brad Knowles
brad.knowles at skynet.be
Wed Jul 23 11:03:45 PDT 2003
At 10:32 AM -0700 2003/07/23, David Schultz wrote:
>> "ext3 is unsafe for maildir, and with softupdates, so is ffs."
>> http://www.irbs.net/internet/postfix/0202/0358.html
>
> The statement is FUD; this is a topic that mailer people love to
> complain about. It's only true if your MTA doesn't call fsync()
> when it wants to guarantee that the file it just wrote is on
> stable storage.
The MTA does not know anything about maildir. This would be a
local delivery agent (LDA) issue, not an MTA issue.
Moreover, the software not only needs to issue an fsync() on the
file, it also needs to issue an fsync() on the directory, in order to
have reasonable guarantees that the data has been safely written. My
recollection is that, with fsync() on the file and fsync() on the
directory, softupdates is actually safe for these kinds of
applications (at least, the filesystem won't be left in an
inconsistent state), whereas ext3fs or other filesystems might not be.
Keep in mind that Kirk McKusick (author of softupdates) and Eric
Allman (author of sendmail) have been partners for decades, and I
don't think that either would do anything that could cause serious
harm to the business done by the other. They've known each other far
too long to let anything like that happen.
I know that sendmail is safe on softupdates (indeed, softupdates
is recommended), but I also recall that some source modifications
were required to have it do an fsync() on both the file and the
directory, before it was safe.
Unfortunately, I don't recall if the fsync()-on-file-and-directory
trick is enough to make sendmail sufficiently safe on ext3fs. You'd
have to ask people who are more knowledgeable with that configuration
than I am.
In the long run, it all comes down to how much danger you're
willing to live with, and how much safety you believe is required
before you are in proper compliance with the protocol specifications.
If you want to run your e-mail system on a pure RAM disk that has
no battery backup or UPS, and you're willing to lose all that e-mail
if the power goes out, then you should be able to do that. However,
if you have any customers, you should make operational decisions like
this known to them, so that they can make their own determination as
to whether or not you are conforming to the level of service that
they require.
For example, if you are a spamhaus, then this sort of thing is
probably okay. In fact, you probably want to encourage frequent
power outages, so that you can claim that you "delivered" X-billions
of e-mail messages per second, where "delivered" in this case means
"threw away".
With data delivery rates that high, you could charge exorbitant
fees for your services. Indeed, in that case I would encourage you
to draw as much spam business as possible, because your mode of
operation would mean that I would probably get less spam than I do
today.
This issue no longer has anything to do with -CURRENT, so I am
re-directing this to freebsd-chat.
--
Brad Knowles, <brad.knowles at skynet.be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
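The file-and-directory fsync() pattern the post describes, written out as an added example (this is not code from the post, from sendmail, or from any particular LDA). It delivers one message into a maildir the way a careful local delivery agent would: create the file under tmp/, write it, fsync() the file, rename() it into new/, then fsync() the new/ directory so the rename itself is on stable storage. The message name "1.example", the sample message body, and the temp-directory layout are constructed for the example; a real LDA derives the unique name from time, pid and hostname as the maildir specification requires.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* fsync() a directory so its entries (the result of rename()) reach stable storage.
 * Syncing only the file leaves the new/ entry itself at the mercy of the filesystem's
 * metadata ordering, which is exactly the softupdates/ext3 concern in the thread. */
static int fsync_dir(const char *path) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    int rc = fsync(fd);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Write all of buf, retrying on short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Deliver one message into a maildir: tmp/<name> -> fsync(file) -> rename to new/<name>
 * -> fsync(new/). Returns 0 on success, -1 on error; the tmp file is removed on failure.
 * 'name' is a hypothetical unique name chosen by the caller. */
int maildir_deliver(const char *maildir, const char *name, const char *body, size_t len) {
    char tmp[PATH_MAX], dst[PATH_MAX], newdir[PATH_MAX];
    snprintf(tmp, sizeof tmp, "%s/tmp/%s", maildir, name);
    snprintf(dst, sizeof dst, "%s/new/%s", maildir, name);
    snprintf(newdir, sizeof newdir, "%s/new", maildir);

    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);   /* O_EXCL: never clobber */
    if (fd < 0) return -1;
    if (write_all(fd, body, len) != 0 || fsync(fd) != 0) {   /* data + file metadata */
        close(fd);
        unlink(tmp);
        return -1;
    }
    if (close(fd) != 0) { unlink(tmp); return -1; }
    if (rename(tmp, dst) != 0) { unlink(tmp); return -1; }   /* atomic publish into new/ */
    if (fsync_dir(newdir) != 0) return -1;                   /* make the rename durable */
    return 0;
}

/* Helper for the demonstration: create an empty maildir (tmp/, new/, cur/) under a
 * fresh temporary directory. Writes the path into out; returns 0 on success. */
int maildir_create_temp(char *out, size_t n) {
    char tmpl[] = "/tmp/maildir-example-XXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    if (strlen(tmpl) >= n) return -1;
    const char *sub[] = {"tmp", "new", "cur"};
    for (int i = 0; i < 3; i++) {
        char p[PATH_MAX];
        snprintf(p, sizeof p, "%s/%s", tmpl, sub[i]);
        if (mkdir(p, 0700) != 0) return -1;
    }
    snprintf(out, n, "%s", tmpl);
    return 0;
}

/* Helper for the demonstration: 1 if new/<name> exists with exactly the expected bytes. */
int maildir_check(const char *maildir, const char *name, const char *expected, size_t len) {
    char dst[PATH_MAX], buf[4096];
    snprintf(dst, sizeof dst, "%s/new/%s", maildir, name);
    int fd = open(dst, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return n == (ssize_t)len && memcmp(buf, expected, len) == 0;
}

int main(void) {
    char dir[PATH_MAX];
    /* constructed sample message, not real mail */
    const char *msg = "From: sender@example.invalid\nSubject: test\n\nconstructed body\n";
    if (maildir_create_temp(dir, sizeof dir) != 0) return 1;
    int rc = maildir_deliver(dir, "1.example", msg, strlen(msg));
    printf("deliver rc=%d verified=%d under %s\n",
           rc, maildir_check(dir, "1.example", msg, strlen(msg)), dir);
    return rc == 0 ? 0 : 1;
}
```

The directory fsync() is the step most often missing: after a crash the file's blocks may be on disk while the new/ entry that names them is not, so the message is "delivered" yet invisible to the MUA. Note that a successful return here says nothing about the storage below the filesystem; a disk with write caching and no battery can still discard what fsync() reported as stable.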