maildir with softupdates

Brad Knowles brad.knowles at skynet.be
Wed Jul 23 11:03:45 PDT 2003 

At 10:32 AM -0700 2003/07/23, David Schultz wrote:

>>  "ext3 is unsafe for maildir, and with softupdates, so is ffs."
>>  http://www.irbs.net/internet/postfix/0202/0358.html
>
>  The statement is FUD; this is a topic that mailer people love to
>  complain about.  It's only true if your MTA doesn't call fsync()
>  when it wants to guarantee that the file it just wrote is on
>  stable storage.

	The MTA does not know anything about maildir.  This would be a 
local delivery agent (LDA) issue, not an MTA issue.

	Moreover, the software not only needs to issue an fsync() on the 
file, it also needs to issue an fsync() on the directory, in order to 
have reasonable guarantees that the date has been safely written.  My 
recollection is that, with fsync() on the file and fsync() on the 
directory, softupdates is actually safe for these kinds of 
applications (at least, the filesystem won't be left in an 
inconsistent state), whereas ext3fs or other filesystems might not be.


	Keep in mind that Kirk McKusick (author of softupdates) and Eric 
Allman (author of sendmail) have been partners for decades, and I 
don't think that either would do anything that could cause serious 
harm to the business done by the other.  They've known each other far 
too long to let anything like that happen.

	I know that sendmail is safe on softupdates (indeed, softupdates 
is recommended), but I also recall that some source modifications 
were required to have it to an fsync() on both the file and the 
directory, before it was safe.

	Unfortunately, I don't recall if the fync()-on-file-and-directory 
trick is enough to make sendmail sufficiently safe on ext3fs.  You'd 
have to ask people who are more knowledgeable with that configuration 
than I am.


	In the long run, it all comes down to how much danger you're 
willing to live with, and how much safety you believe is required 
before you are in proper compliance with the protocol specifications.

	If you want to run your e-mail system on a pure RAM disk that has 
no battery backup or UPS, and you're willing to lose all that e-mail 
if the power goes out, then you should be able to do that.  However, 
if you have any customers, you should make operational decisions like 
this known to them, so that they can make their own determination as 
to whether or not you are conforming to the level of service that 
they require.


	For example, if you are a spamhaus, then this sort of thing is 
probably okay.  In fact, you probably want to encourage frequent 
power outages, so that you can claim that you "delivered" X-billions 
of e-mail messages per second, where "delivered" in this case means 
"threw away".

	With data delivery rates that high, you could charge exorbitant 
fees for your services.  Indeed, in that case I would encourage you 
to draw as much spam business as possible, because your mode of 
operation would mean that I would probably get less spam than I do 
today.


	This issue no longer has anything to do with -CURRENT, so I am 
re-directing this to freebsd-chat.

-- 
Brad Knowles, <brad.knowles at skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)

More information about the freebsd-chat mailing list