|
|
| Author |
Message |
| 25 new of 467 responses total. |
other
|
|
response 125 of 467:
| 
Oct 1 19:01 UTC 2004 |
When a system connects to deliver mail to Grex, does each attempt spawn
a separate exim process, or are they all sequential and handled by a
single process?
Could exim be tweaked to spawn a child process for each incoming email,
giving the userid as a parameter and returning a boolean indication of
whether that user's mailbox is allowed to accept more mail? The
configuration for the child process could specify the size limit for
inboxes. The child process could check the filesize directly, as aruba
suggests, or check a database maintained by a cron task run once daily
during a slow usage period and perhaps also updated by the logOUT
process.
|
prp
|
|
response 126 of 467:
|
Oct 1 19:47 UTC 2004 |
What happens when a message comes in for two people, and puts one
of them over the quota, but not the other? When Grex accepts a
message, can it do so for just some of the recipients?
Ignoring that for the moment, I agree with Mark. The thing to do
is:
- Wait for sender to send size of message.
- Check the current size of user's mailbox. If this message puts
it over the quota, reject it.
- Otherwise accept the message and process it without further regard
for the quota.
Note this does allow the mailbox to grow above the quota, if two
messages come in in parallel, but this is rare and the maximum overage
is less than the size of one message.
This ought to be as simple as adding a CheckMailboxSize(user) function
to the delivery part of the system, which the accepting part calls.
|
prp
|
|
response 127 of 467:
|
Oct 1 20:06 UTC 2004 |
Actually it should probably be OKtoAdd(user,size) instead of
CheckMailboxSize(user) above.
|
spooked
|
|
response 128 of 467:
|
Oct 1 21:49 UTC 2004 |
And, if the sender lies about the message size?
|
janc
|
|
response 129 of 467:
|
Oct 1 23:22 UTC 2004 |
The answers to all the questions and comments can be summarized with "I
don't know". MTA's are huge complex pieces of software. Generally not
all incoming mail is destined for a local mailbox. Aliases and .forward
files may direct it elsewhere. Many systems relay mail, accepting it
only to send it further. Ordinarily you can't just check the mailbox
at accept time because you don't know yet which mailbox, if any, it is
destined for. For Grex this may true rarely enough not to matter, but I
think a solution like what prp suggests would be driving a stake through
the heart of the exim architecture, losing the ability to do all sorts
of things that I suspect, without full study, we never do on Grex. Is
this OK? I don't know. I'll have to study more. So far I've looked at
various people's pages describing what they did, but I haven't looked at
the source code. Yes, it should be much simpler, but I suspect that if
it was then people would have done it that way. I haven't even started
work on this yet.
I think I've got exim fully installed and working, if not necessarily in
the optimum configuration. Figuring out mailbox quotas is the next
step. Or maybe I'll go back and finish up lockuser first.
|
cross
|
|
response 130 of 467:
|
Oct 2 01:20 UTC 2004 |
Jan is wrong on one major point here: MTA's don't *have* to send you
the size of a message before they transmit the message. They can,
but there's nothing that says they have to.
The way Marcus's mailbox quota code worked, it did a stat() of the user's
mailbox file, and compared it against some kind of constant (I think he
added an option to sendmail.cf to initialize that). If the size returned
by stat was greater than the constant, an error was returned in the SMTP
transaction sending the mail. If not, then the mail was accepted and
appended to the user's mailbox. If the user was subsequently over mail
quota, this would be detected the next time he or she got a message.
It wasn't that fancy. The only major `optimization' was to stat the
user's mailbox during the SMTP transaction (once the recipient was known,
but before the data was sent). I don't remember what it did in the case
of multiple recipients; probably deliver to those it could and reject
the rest.
I say put up exim with the existing quota code and work from there.
Since we've never measured the network link in any way, any guesses as
to where a bottleneck might exist are pure speculation, and not based
on any observations based on empirical evidence.
Or, since Kip's not doing it, put up postfix instead.
|
janc
|
|
response 131 of 467:
|
Oct 2 02:42 UTC 2004 |
Thanks for the correction. I really know nothing about MTAs. My main
qualification for doing it is that I seem to be doing it.
I spent some time trying to find Marcus's old description of how his
mail quota worked, but didn't succeed. So I have no idea. Sail forward
regardless.
I've been digging though things, and at this point I think I can do it
pretty simply, just by editing exim's config file.
Here's my approximate plan, still not fully worked out:
(1) Turn on exim's built in quota system, with the inclusive option.
Mostly it won't be used, but it'll be there when anything slips
through the accept-time quota check. The inclusive option means
that people can continue to recieve mail until they go over the
quota. So if you are one byte under quota, and receive a 10 Meg
mail file it will be delivered. You'll then be 10 Megs over
quota, but I don't care. With this system I don't need to know
how big the incoming message is to decide whether to reject it.
I just check the size of the file. If it is over quota I reject
the mail, no matter how large or small it is.
(2) In exim's config file, I configure a router rule that gets run
before rule that routes to local delivery. This will use the
${stat operator to get the size of the mail file and compare it
to the quota. If it's too big, it denys. These rules get run
at receive time, so everything is hunky dory.
So, this appears to me to be fairly simple. It only became possible to
do this in fairly recent releases of exim, I think. All the people
devising complex schemes were probably working with older releases.
Either that or I'm missing something. Maybe I don't even need to do
(1), though it makes a nice safety net.
It also looks too me like hierarchical mail directories would be very
easy to configure into exim. The trickier part of getting heirarchical
mail to work would be figuring out how to get users MAIL environment
variable set correctly so that the mail clients will be able to read
their mail. I'm not sure I'll bother though. I really expect this to
be a fairly insubstantial performance improvement.
I'm going to spend a little more time reading exim documentation to make
sure I'm understanding everything and am really able to do this the way
I want. One thing I can say for exim is that it has quite good
documentation, sadly not a common thing for open source software.
I've already spent a couple days working on getting exim up and working,
and am far enough along that I think I see how I can do everything I
need with it. So naturally I'm *thrilled* at the suggestion that I drop
it and start over with postfix.
|
prp
|
|
response 132 of 467:
|
Oct 2 16:27 UTC 2004 |
You might want to take a brief look at the documentation for
postfix. If it is even better than exim, that would support
switching. Then again, if the exim documentation is as good
as it sounds, it might not be worth bothering.
|
cross
|
|
response 133 of 467:
|
Oct 2 17:25 UTC 2004 |
My concern with exim is that we get stuck with another weirdo piece
of 0% market share software just because `that's the way we've always
done it.' If you want to stick with it, however, fine. But how many
exim sites are there out there compared to postfix sites?
|
janc
|
|
response 134 of 467:
|
Oct 2 17:58 UTC 2004 |
I have no idea how many exim sites there are.
Let's get this straight. Three years ago we decided to switch Grex to
openBSD. It's been a year and a half since the Grex users invested in
the new computer. It's time they got someething for their money. I
want to get Grex moved to nextGrex as soon as possible. Within the next
few weeks if possible.
I seem to be the only person doing things. I have limited time. I have
limited enthusiasm. I don't want to spend my time fooling with MTAs. I
don't care about MTAs. I want to be writting my own software, not
futzing around with other people's. I am attempting to stay on a
straight line aimed at getting NextGrex up. I am not taking any detours
or diversions. At some point when I wasn't in the room some set of staff
members decided on exim for reasons I either never knew or have
forgotten. Good enough for me. Exim will work. I'll go with exim. I
will not engage in any re-examination of that decision, because that
would be a diversion from my straight line.
If postfix is better, you are welcome to install postfix, either today
or at any time in the future. If you can promise me absolutely that you
will have it up within a week, then I'll stop working on exim. If not
then your plan is not part of my straight line. I am not interested in
holding up progress on NextGrex so that we can have a better MTA. No
user of Grex cares about exim vs. postfix vs. sendmail. All they want
is for their mail to go through. Exim will get their mail through,
perform well enough, and be secure enough.
After I got exim built, it took five minutes to switch from sendmail to
exim - just edit three files and restart one process. We can switch
from MTA to MTA twice a day for the rest of eternity for all I care.
I'd be sorely disappointed if nobody ever improves on what I'm doing now.
In case anyone has any delusions, nextGrex will not be in perfect shape
on the day we come up on it. I want it to be reasonably stable and
secure. I want all basic services to be basically working. I
anticipate months of bug fixing and fine tuning. I'm hoping that the
new platform will provide an environment for innovation and development
of new and better services for Grex. I've spent years of my life
pushing Grex out of ditches. You'll not find me blocking you if you
want to change MTAs. Though I'd hope you could find more interesting
things to change on Grex.
|
aruba
|
|
response 135 of 467:
|
Oct 3 15:15 UTC 2004 |
I'm behind the straight-line approach 100%, Jan.
|
spooked
|
|
response 136 of 467:
|
Oct 3 22:24 UTC 2004 |
I also support Jan's approach. As he says, if another staff member wants
to improve on his work (but not delay the live public release of
NextGrex), you are welcome - but action speaks real volumes.
|
keesan
|
|
response 137 of 467:
|
Oct 4 16:40 UTC 2004 |
Jim plans to take a few linux courses at WCC so that some day he can help with
the next next grex. In the meantime we are both extremely grateful to Jan
and everyone else who has been working on this next grex.
|
albaugh
|
|
response 138 of 467:
|
Oct 4 17:43 UTC 2004 |
Drift: Does mdw do grex any more?
|
tod
|
|
response 139 of 467:
|
Oct 4 19:06 UTC 2004 |
re #137
If Jim is interested, I have an extra copy of RedHat for Business which
includes a book & CD. Send me an address at todd@plesco.us and I'll mail it
to him.
|
janc
|
|
response 140 of 467:
|
Oct 4 21:06 UTC 2004 |
OK. I have mail quota working under exim, I think.
The whole thing was done from the exim config file. I like the degree to
which exim can be configured. The syntax isn't super great, but at least
it is well documented and exim gives good error messages when there are
problems. I suspect parsing the whole config file on every start up is rather
slow, but on the new system slow is a relative term.
So I started with a couple macro definitions.
MBOX_QUOTA = 1M
STAFF_GID = 20
MBOX_FILE = /var/mail/$local_part
Pretty clear. We need the staff group id because staff is exempted from
mailbox quotas. I think that makes some sense, since many system error
messages might be mailed to staff. However most Grex staff forward their
mail off Grex.
We use a macro to construct the user's mailbox partly to facilitate a
switch to hierarchical mail directories someday. I think all you now have
to do to make exim do hierarchical mail is change the MBOX_FILE macro to
something like:
MBOX_FILE = /var/mail/${length_1:$local_part}/\
${if == ${strlen:$local_part}{1} {z}{${substr_1_1:$local_part}}/\
$local_part
The real meat of the quota check is done in the route definitions. Routes
decide what is to be done with an incoming mail, but they are also called
to verify each recipient as they are fed to SMTP. The routes definitions are
checked sequentially. First one takes mail addressed to non-grex domains
and delivers them to the appropriate system via SMTP. Next one checks
grex addresses against the system aliases file. Next one checks them
against a .forward file. The last one, run only if all previous ones
weren't appropriate, delivers to the local mailbox file. I replaced that
with three new routes.
First, we do delivery to staff:
localuser_noquota:
driver = accept
check_local_user
condition = ${if == {$local_user_gid}{STAFF_GID} {yes}{no}}
transport = local_delivery_noquota
That says that if the recipient has the staff GID, use the
"local_deliver_noquota" transport.
Next we generate a failure for mail to full mailboxes:
mbox_full:
driver = redirect
verify_only
no_verify_sender
allow_fail
condition = ${if \
and { {exists {MBOX_FILE}} \
{ >= {${extract{size}{${stat:MBOX_FILE}}{$value}{0}}} \
{MBOX_QUOTA} } } \
{yes}{no} }
data = :fail:Mailbox for $local_part is full
This rule is used only when verifying a recipient after an SMTP-client
issues a comand like RCPT TO:<mailhog@grex.org>. It stat's their mail
file, if it exists. If it is full, it forces a failure with the error
message "Mailbox for mailhog is full". Note that the message will still
be delivered to any other recipients. We do a hard fail here because
previous experience says that if we just "defer" then many mail hosts
will retry seconds later and keep hammering us with repeated attempts
to deliver the message.
If that route fails to apply, we can go ahead and deliver the mail normally:
localuser:
driver = accept
check_local_user
transport = local_delivery_quota
cannot_route_message = Unknown user
Now each of the two mail delivery routes referenced a transport to use.
The config file defines those too. Here's the noquota one:
local_delivery_noquota:
driver = appendfile
file = MBOX_FILE
delivery_date_add
envelope_to_add
return_path_add
group = mail
mode = 0660
The quota one just defines a quota:
local_delivery_quota:
driver = appendfile
file = MBOX_FILE
quota_is_inclusive
quota = MBOX_QUOTA
delivery_date_add
envelope_to_add
return_path_add
group = mail
mode = 0660
Note that for mail coming in through SMTP, this does the quota check for the
second time. We did a check at RCPT time, and now we are doing the same check
again as we are deliving the mail. Doing it twice isn't really necessary,
but it is nice, because the second check is being done with a lock on the
mailfile, so it avoids race conditions. The second check is more important
for mail that didn't come in via SMTP - that is mail that was sent by another
user on Grex, because there is no RCPT time check done for such mail.
There is another difference between the SMTP RCPT time check and the
append-time check. If the latter fails, then we defer instead of doing a hard
fail. The system will retry delivery for a few days before bouncing back the
mail, and the mail will be bounced back to the "From" address. Since this
mostly effects only mail sent from Grex, this is fine.
There are probably some other things I should do with the configuration, like
setting up logging through syslog instead of to exim's own private log files.
|
janc
|
|
response 141 of 467:
|
Oct 5 01:37 UTC 2004 |
OK, made some further changes, tightening up security settings and moving the
logging into syslog.
Things still on the To Do List:
- Logging. Grex keeps logs a long time. Need to figure out how to
edit /etc/newsyslog.conf to make the system keep logs Grexishly.
And need to figure out how long we keep logs anyway.
- Newuser needs to be modified to set disk quotas. I also don't think
I've activated disk quotas under OpenBSD 3.5 yet. It boots slower
once you do that, so I was putting it off.
- Need to look at the login program to see if it can be modified to do
a few things:
- Warn users when their mailboxes are full or almost full.
- Display all the alternate motd files (birthday, Grexwalk, etc)
- Print more informative messages when logins fail.
- Set MAIL variable to hierarchical mail file path.
If we can set MAIL variables without too much trouble, then I should
probably go ahead and turn on the hierarchical mail directory code in
exim.
- Port lockuser
I think those are the most important things.
At some point I'm going to open things up to a few friendly users (board, etc)
to let them test things. I'm going to want to start having as many eyes as
I can looking for things that need work.
I wish Mike Myers was still around. He was always great at stumbling into
every bug in the system.
|
twenex
|
|
response 142 of 467:
|
Oct 5 10:01 UTC 2004 |
Is that meant as a compliment?
|
gelinas
|
|
response 143 of 467:
|
Oct 5 11:47 UTC 2004 |
Yes, it is: such testers are great for improving quality but very hard to
find.
|
janc
|
|
response 144 of 467:
|
Oct 5 20:37 UTC 2004 |
Yeah. Some people are brilliant at finding ways to make software fail.
Combine that with the ability produce useful bug reports and you have a
person highly valued by any programmer interested in getting things solid.
Though it must be very annoying for Mike. I'm sure he'd prefer if
things just worked for him.
|
cross
|
|
response 145 of 467:
|
Oct 5 23:23 UTC 2004 |
I'm not trying to get in your way, Jan. Don't mistake my frustration
at the way Grex decides to do things with frustration at you.
I'll look at what it takes to get postfix up and running on nextgrex
when I get back to California.
|
janc
|
|
response 146 of 467:
|
Oct 6 03:38 UTC 2004 |
I read some postfix documentation when I configured the postfix MTA on my
desktop system, but I've forgotten everything about it. I can say that I'm
impressed with how easy it finally turned out to be to do everything that I
wanted to do with exim, once I slogged through the documentation and thought
it out. I had really expected that I would need to hack the source code, but
everything I needed to do could be done from the config file.
My one concern with exim is performance. I worry that all that
configurability was purchased at the price of mediocre performance, though
I have no experience to base this on yet. We'll see.
I don't think you are in my way. Actually, my way is pretty hard to get into.
I think if I made a list of the 100 most interesting projects to work on on
Grex, replacing a working MTA with another working MTA wouldn't be on it.
But different people have different tastes. Hey, and we don't really know
how well my exim configuration will work till we start feeding a lot more mail
through it than just my few test messages.
|
janc
|
|
response 147 of 467:
|
Oct 6 03:48 UTC 2004 |
I've been hacking 'login' and 'sshd'. I'm mostly done with login, just
starting on sshd. Unlike exim, getting these to behave the way we want
is going to require some source code modifications. This list is:
- Warn about full / almost full mailboxes.
- Display multiple motd files.
- Set MAIL environment variables.
Customizing the error messages is painful to do with the existing login.c
so I'm going to let that slide for now at least. I'm putting the code
to set the MAIL variable for hierarchical mail directories in #ifdefs for
now. The mods are in the same places as the mods for printing out warnings
for full mailboxes, so I may as well put them in now. Likely I'll do some
tests to see if the mail clients all respect the MAIL variable. If they
do maybe I'll go ahead and do hierarchical mail now.
|
janc
|
|
response 148 of 467:
|
Oct 6 04:59 UTC 2004 |
OK, here's a puzzle.
While wandering through the source code of 'sshd' I discovered that there is
a "UseLogin yes" option that can be put into the config file. When this is
set, sshd uses the 'login' program to start the user's shell after he has been
authenticated. This would be very nice for me because I wouldn't have to
do all the same hacks to 'sshd' that I already have done to 'login'. We could
keep running a generic OpenBSD version of sshd without local patches.
However, I noticed that the manual page says nothing of "UseLogin". Web
searching shows that historically there have been two major 'ssh' security
holes with UseLogin. Both of these, however, were fixed years ago. I found
many references suggesting that "UseLogin" was once described in the manual,
but it seems to have been removed. However I couldn't find any information
on why it was removed from the manual, but left in the code. Is it
depreciated? I don't know. I did find a message in which one of the OpenBSD
developers said he regretted ever having accepted the UserLogin patch to
OpenBSD.
So, do I go ahead and use UseLogin, or do I ignore it and patch sshd?
|
janc
|
|
response 149 of 467:
|
Oct 6 05:00 UTC 2004 |
Correction: one of the "OpenSSH" developer, not one of the OpenBSD developers.
|
