Re: [Exim] backup delivery (was: ACL verify=sender)

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Kjetil Torgrim Homme
Date:  
À: Tony Finch
CC: David Woodhouse, tsh, exim-users
Anciens-sujets: Re: [Exim] ACL verify=sender
Sujet: Re: [Exim] backup delivery (was: ACL verify=sender)
On Mon, 2004-01-05 at 18:35, Tony Finch wrote:
> I recently suggested a feature to Philip that I've called early_delivery.
> This would be a modifier for use in the DATA ACL, which would cause a
> delivery attempt there and then. You'd be able to detect these early
> deliveries using an early_delivery router condition similar to the
> verify and address_test conditions.
>
> The motivation for this was to be able to pair up MX machines so that
> each one has a shadow machine that receives a copy of all its email.
> If the machine dies then any messages that were stuck on its queue can
> be recovered from the shadow, rather than being lost. Or if a destination
> machine dies after receiving a message (so the MX has deleted it) it
> can be recovered from the shadow.
>
> However the feature is troublesome from an architectural point of view
> (Philip wants to keep reception and delivery more separate than this)
> and w.r.t. how it fits in with local_scan() and the system filter.
> I'd also be wary to use it between systems that aren't tightly
> coupled (such as a departmental email server and our central email
> relays).
>
> I have some notes about it on the web at
> http://www.cus.cam.ac.uk/~fanf2/hermes/doc/misc/hr-exim.txt


hmm. losing the queue is annoying, but it should typically not amount
to more than a few seconds's worth of e-mail, i.e. on the order of a few
dozen messages. we accept the risk, but can at least tell the users who
are affected by inspecting the maillog at our central syslog host.

to protect against a failing Cyrus server, we have set up a normal
unseen shadow delivery. it delivers to

file = MAILDROP/${substr_0_10:$tod_log}/$local_part

we don't check to see if $local_part is valid, everything is accepted
blindly. if someone wants to spam this shadow server, feel free, the
data will only be used on the off-chance something really bad happens.
it runs on a non-standard port, so probes are unlikely to find it. we
could use a firewall rule if we were paranoid -- I guess we would have
done that if it was running on Linux rather than Solaris :-)

one file per user maintains the order of delivery, which is nice. we
can also easily help Eudora users who pressed the wrong button and
deleted all their e-mail. it also makes it easy to clean up the old
messages:

cd MAILDROP
find * -type d -prune -mtime +7 -exec rm -r {} \;


actually, losing the queue on our outgoing mail server would be pretty
bad. but I don't see any good way of replicating that beyond RAID-1.

--
Kjetil T.