> What are you
> going to say to a user after exim destroys an important piece of mail
> that it accepted responsibility for delivering?
"Send it again".
I have (almost) no axe to grind on this matter. As a matter of principle, I
agree with your approach, but I feel you have weakened your case by speaking
of absolutes. I don't believe it is possible to build an MTA that can
absolutely guarantee never to lose mail under any circumstances whatsoever. By
putting in more effort and spending more money you can get ever closer to that
ideal, but you can never quite get there. So what it boils down to is exactly
how much effort it is worth going to to achieve the level of reliability you
desire. One must also consider the general level of reliability of MTAs - a
chain is only as strong as its weakest link.
"link" may be atomic, but you can still lose a filing system beyond recovery.
As it happens, we DID lose one yesterday on an MTA machine - despite disc
mirroring and UPS protection, an operating system gremlin crept in and
corrupted it. It wasn't the mail spool - but it easily could have been. No
fancy footwork with carefully chosen system calls and syncing the disc etc
could have helped.
My view is that you should do the best you conveniently can, but that there is
no point in building something which is theoretically perfect, because the
primitives you are building on top of are imperfect. You should also strive to
enable detection of what mail has been lost when an accident does occur,
which, typically means keeping the mail spool and the logs as far apart as you
can (which, by the way, we don't seem to do, despite good intentions...)
An assessment of the probabilities of mail loss with exim and qmail would be
an interesting exercise, and perhaps one has something to learn from the
other. But let us not pretend that either is perfect.
--
Martyn Johnson maj@???
University of Cambridge Computer Lab
Cambridge UK
