reliability principles

Author: D. J. Bernstein
Date:  
To: exim-users
Subject: reliability principles
> "Send it again".

That's wonderful.

I suppose that, after sending a private message to the wrong place,
you'd say ``Just ask him not to read it''?

> I don't believe it is possible to build an MTA that can
> absolutely guarantee never to lose mail under any circumstances whatsoever.


Obviously. There's no magical boundary between OS crashes and other
types of failures.

However, you have to reduce the probability of a failure to reasonable
levels. If you don't deal with OS crashes, you will have terrible
failure rates---more than one failure per 10^9 messages.

That's why the consensus of the community is that losing a message to an
OS crash is (to quote RFC 1123) ``frivolous.'' Every mailer is required
to deal with OS crashes; you MUST NOT accept a message by SMTP if you
are not going to take your responsibility seriously.

As another example, if your ``OS gremlin''---sorry to hear about that---
were a common problem on, say, SGIs, people who wanted to run mailers on
SGIs would have to take measures to reduce the probability of a gremlin
eating mail.

> My view is that you should do the best you conveniently can,


That's not good enough when you're transporting people's mail. If you
don't spend the time to achieve the reliability levels required by
RFC 1123, your mailer doesn't belong on the Internet.

---Dan