mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 09:57:34 +00:00
Code Issues Releases Wiki Activity

postfix-2.11-20131001

Browse Source
This commit is contained in:
Wietse Venema 2013-10-01 00:00:00 -05:00 committed by Viktor Dukhovni
parent 12a1fc191f
commit 8b9901ce03
9 changed files with 70 additions and 197 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
postfix/HISTORY
View File

@ -18969,3 +18969,11 @@ Apologies for any names omitted.
LMDB files can still be created by unprivileged Postfix
daemon processes under the postfix-owned data_directory.
Files: proto/LMDB_README.html, global/mkmap.c.
20131001
Cleanup: LMDB support is forbidden due to problems with
LMDB lock management. These problems hinder error recovery
in multi-programmed systems, and prohibit database sharing
between privileged writer processes and unprivileged reader
processes.

2
postfix/Makefile.in
View File

@ -59,7 +59,7 @@ libexec/postmulti-script: conf/postmulti-script
manpages:
set -e; for i in $(MANDIRS); do \
(set -e; echo "[$$i]"; cd $$i; $(MAKE) -f Makefile.in $(OPTS) MAKELEVEL=) || exit 1; \
done
done </dev/null
printfck: update

159
postfix/README_FILES/LMDB_README
View File

@ -1,158 +1,9 @@
PPoossttffiixx OOppeennLLDDAAPP LLMMDDBB HHoowwttoo
-------------------------------------------------------------------------------
IInnttrroodduuccttiioonn
Warning: LMDB applications require write access even when the application
itself is read-only. This violates the principle of least privilege, and
causes all kinds of problems when a non-root process needs to query a root-
owned database such as access(5), virtual(5), or transport(5).
Support to create LMDB databases is no longer available for the postmap(1)
and postalias(1) commands. Instead, consider using cdb: to manage root-
owned databases under the root-owned config_directory (default: /etc/
postfix) such as access(5), virtual(5), or transport(5).
Support to create LMDB databases is available only for unprivileged Postfix
daemon processes such as postscreen(8), tlsmgr(8) and verify(8) that manage
postfix-owned databases under the postfix-owned data_directory (default: /
var/lib/postfix).
Postfix uses databases of various kinds to store and look up information.
Postfix databases are specified as "type:name". OpenLDAP LMDB implements the
Postfix database type "lmdb". The name of a Postfix OpenLDAP LMDB database is
the name of the database file without the ".lmdb" suffix.
This document describes:
1. How to build Postfix with OpenLDAP LMDB support.
2. How to configure LMDB settings.
3. Missing pthread library trouble.
4. Unexpected failure modes that don't exist with other Postfix databases.
BBuuiillddiinngg PPoossttffiixx wwiitthh OOppeennLLDDAAPP LLMMDDBB ssuuppppoorrtt
Postfix normally does not enable OpenLDAP LMDB support. To build Postfix with
OpenLDAP LMDB support, use something like:
% make makefiles CCARGS="-DHAS_LMDB -I/usr/local/include" \
AUXLIBS="-L/usr/local/lib -llmdb"
% make
Solaris may need this:
% make makefiles CCARGS="-DHAS_LMDB -I/usr/local/include" \
AUXLIBS="-R/usr/local/lib -L/usr/local/lib -llmdb"
% make
The exact pathnames depend on how OpenLDAP LMDB was installed.
CCoonnffiigguurree LLMMDDBB sseettttiinnggss
Postfix provides configuration parameters that control OpenLDAP LMDB database
behavior.
* lmdb_map_size (default: 16777216). This setting specifies the initial
OpenLDAP LMDB database size limit in bytes. Each time a database becomes
full, its size limit is doubled.
* lmdb_max_readers (default: $default_process_limit). This specifies a hard
limit on the number of read transactions that may be open at the same time
for the same OpenLDAP LMDB database. When this number is too small, the
Postfix LMDB client will log MDB_READERS_FULL warnings, and will run with
reduced performance.
MMiissssiinngg pptthhrreeaadd lliibbrraarryy ttrroouubbllee
When building Postfix fails with:
undefined reference to `pthread_mutexattr_destroy'
undefined reference to `pthread_mutexattr_init'
undefined reference to `pthread_mutex_lock'
Add the "-lpthread" library to the "make makefiles" command.
% make makefiles .... AUXLIBS="... -lpthread"
Source code for OpenLDAP LMDB is available at http://www.openldap.org. More
information is available at http://highlandsun.com/hyc/mdb/.
UUnneexxppeecctteedd ffaaiilluurree mmooddeess ooff PPoossttffiixx LLMMDDBB ddaattaabbaasseess..
As documented below, conversion to LMDB introduces a number of failure modes
that don't exist with other Postfix databases. Some failure modes have been
eliminated in the course of time. The writeup below reflects the status as of
of LMDB 0.9.8.
UUnneexxppeecctteedd ""PPeerrmmiissssiioonn ddeenniieedd"" eerrrroorrss..
Problem:
A world-readable LMDB database cannot be opened by a process with a UID
that differs from the database file owner, even when an attempt is made to
open the database read-only. This problem does not exist with other Postfix
databases.
Background:
The LMDB implementation requires write access to maintain read locks, and
perhaps for other purposes.
Solution:
Consider using cdb: to manage root-owned databases under the root-owned /
etc or config_directory (default: /etc/postfix) such as access(5), virtual
(5), transport(5). Support to create LMDB databases is available only for
unprivileged Postfix daemon processes such as postscreen(8), tlsmgr(8) and
verify(8) that manage postfix-owned databases under the postfix-owned
data_directory (default: /var/lib/postfix).
UUnneexxppeecctteedd ""rreeaaddeerrss ffuullll"" eerrrroorrss..
Problem:
Under heavy load, database read operations fail with MDB_READERS_FULL
errors. This problem does not exist with other Postfix databases.
Background:
The LMDB implementation enforces a hard limit on the number of simultaneous
read requests for the same database environment. This limit must be
specified in advance with the lmdb_max_readers configuration parameter.
Mitigation:
Postfix logs a warning suggesting that the lmdb_max_readers parameter value
be increased, and retries the failed operation for a limited number of
times while running with reduced performance.
Prevention:
Monitor your LMDB files for MDB_READERS_FULL errors. After making the
necessary adjustments, restart Postfix.
NNoonn--oobbvviioouuss rreeccoovveerryy wwiitthh ppoossttssccrreeeenn((88)),, ttllssmmggrr((88)),, oorr vveerriiffyy((88)) ffrroomm aa
ccoorrrruupptteedd ddaattaabbaassee..
Problem:
You cannot rebuild a corrupted LMDB database simply by waiting until a
daemon restarts. This problem does not exist with other Postfix databases.
Background:
The Postfix LMDB database client does not truncate the database file.
Instead it attempts to create a transaction for a "drop" request plus
subsequent "store" requests. That is obviously not possible with a
corrupted database file.
Impact:
Postfix does not process mail until someone fixes the problem.
Recovery:
First delete the ".lmdb" file by hand. Then, restart postfix.
Prevention:
Arrange your file systems such that they never run out of free space.
Use ECC memory to detect and correct silent corruption of in-memory file
system data and metadata.
Use a file system such as ZFS to detect and correct silent corruption of
on-disk file system data and metadata.
-------------------------------------------------------------------------------
Postfix LMDB support is forbidden due to problems with LMDB lock management.
These problems hinder error recovery in multi-programmed systems, and prohibit
database sharing between privileged writer processes and unprivileged reader
processes.

8
postfix/RELEASE_NOTES
View File

@ -14,6 +14,14 @@ specifies the release date of a stable release or snapshot release.
If you upgrade from Postfix 2.9 or earlier, read RELEASE_NOTES-2.10
before proceeding.
Major changes with snapshot 20131001
====================================
LMDB support is forbidden due to problems with LMDB lock management.
These problems hinder error recovery in multi-programmed systems,
and prohibit database sharing between privileged writer processes
and unprivileged reader processes.
Major changes with snapshot 20130929
====================================

32
postfix/html/LMDB_README.html
View File

@ -17,6 +17,16 @@
<hr>
<hr>
<p> Postfix LMDB support is forbidden due to problems with LMDB lock
management. These problems hinder error recovery in multi-programmed
systems, and prohibit database sharing between privileged writer
processes and unprivileged reader processes. </p>
<!--
<h2>Introduction</h2>
<blockquote> <p> Warning: LMDB applications require write access
@ -185,7 +195,7 @@ restart Postfix. </p> </dd>
</dl>
<!--
<!- -
<p> <strong>Unexpected <a href="postmap.1.html">postmap(1)</a>/<a href="postalias.1.html">postalias(1)</a> "database full"
errors. </strong></p>
@ -290,17 +300,17 @@ full" error will disappear, at least for a while. </p>
sure that <a href="postconf.5.html#lmdb_map_size">lmdb_map_size</a> &gt; 3x the largest LMDB file size. </p>
</dd> </dl>
-->
- ->
<p> <strong>Non-obvious recovery with <!-- <a href="postmap.1.html">postmap(1)</a>, <a href="postalias.1.html">postalias(1)</a>, -->
<p> <strong>Non-obvious recovery with <!- - <a href="postmap.1.html">postmap(1)</a>, <a href="postalias.1.html">postalias(1)</a>, - ->
<a href="postscreen.8.html">postscreen(8)</a>, <a href="tlsmgr.8.html">tlsmgr(8)</a>, or <a href="verify.8.html">verify(8)</a> from a corrupted database.
</strong></p>
<dl>
<dt> Problem: </dt> <dd> <p> You cannot rebuild a corrupted LMDB
database simply by <!-- re-running <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a>, or
by --> waiting until a daemon restarts. This problem does not exist
database simply by <!- - re-running <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a>, or
by - -> waiting until a daemon restarts. This problem does not exist
with other Postfix databases. </p> </dd>
<dt> Background: </dt> <dd> <p> The Postfix LMDB database client
@ -313,10 +323,10 @@ That is obviously not possible with a corrupted database file. </p>
someone fixes the problem. </p> </dd>
<dt> Recovery: </dt> <dd> <p> First delete the ".lmdb" file by hand.
Then, <!-- rebuild the file with the <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a>
command if the file was created with those commands, or --> restart
postfix. <!-- daemons if the file is maintained by daemon processes.
--> </p> </dd>
Then, <!- - rebuild the file with the <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a>
command if the file was created with those commands, or - -> restart
postfix. <!- - daemons if the file is maintained by daemon processes.
- -> </p> </dd>
<dt> Prevention: </dt> <dd>
@ -330,3 +340,7 @@ in-memory file system data and metadata. </p>
corruption of on-disk file system data and metadata. </p>
</dd> </dl>
-->

30
postfix/proto/LMDB_README.html
View File

@ -17,6 +17,16 @@
<hr>
<hr>
<p> Postfix LMDB support is forbidden due to problems with LMDB lock
management. These problems hinder error recovery in multi-programmed
systems, and prohibit database sharing between privileged writer
processes and unprivileged reader processes. </p>
<!--
<h2>Introduction</h2>
<blockquote> <p> Warning: LMDB applications require write access
@ -185,7 +195,7 @@ restart Postfix. </p> </dd>
</dl>
<!--
<!- -
<p> <strong>Unexpected postmap(1)/postalias(1) "database full"
errors. </strong></p>
@ -290,17 +300,17 @@ full" error will disappear, at least for a while. </p>
sure that lmdb_map_size &gt; 3x the largest LMDB file size. </p>
</dd> </dl>
-->
- ->
<p> <strong>Non-obvious recovery with <!-- postmap(1), postalias(1), -->
<p> <strong>Non-obvious recovery with <!- - postmap(1), postalias(1), - ->
postscreen(8), tlsmgr(8), or verify(8) from a corrupted database.
</strong></p>
<dl>
<dt> Problem: </dt> <dd> <p> You cannot rebuild a corrupted LMDB
database simply by <!-- re-running postmap(1) or postalias(1), or
by --> waiting until a daemon restarts. This problem does not exist
database simply by <!- - re-running postmap(1) or postalias(1), or
by - -> waiting until a daemon restarts. This problem does not exist
with other Postfix databases. </p> </dd>
<dt> Background: </dt> <dd> <p> The Postfix LMDB database client
@ -313,10 +323,10 @@ That is obviously not possible with a corrupted database file. </p>
someone fixes the problem. </p> </dd>
<dt> Recovery: </dt> <dd> <p> First delete the ".lmdb" file by hand.
Then, <!-- rebuild the file with the postmap(1) or postalias(1)
command if the file was created with those commands, or --> restart
postfix. <!-- daemons if the file is maintained by daemon processes.
--> </p> </dd>
Then, <!- - rebuild the file with the postmap(1) or postalias(1)
command if the file was created with those commands, or - -> restart
postfix. <!- - daemons if the file is maintained by daemon processes.
- -> </p> </dd>
<dt> Prevention: </dt> <dd>
@ -330,3 +340,5 @@ in-memory file system data and metadata. </p>
corruption of on-disk file system data and metadata. </p>
</dd> </dl>
-->

2
postfix/src/global/mail_version.h
View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20130929"
#define MAIL_RELEASE_DATE "20131001"
#define MAIL_VERSION_NUMBER "2.11"
#ifdef SNAPSHOT

25
postfix/src/global/mkmap_open.c
View File

@ -102,29 +102,8 @@ static const MKMAP_OPEN_INFO mkmap_types[] = {
DICT_TYPE_HASH, mkmap_hash_open,
DICT_TYPE_BTREE, mkmap_btree_open,
#endif
/*
* LMDB readers open the LMDB lock file O_RDWR. This complicates
* database sharing between processes that run with different effective
* UIDs.
*
* For example, this violates the Postfix security model as it passes a
* read-write file handle for a root-owned file under /etc/postfix into a
* non-root daemon process.
*
* This also totally breaks non-root access for root-owned databases by
* non-daemon processes.
*
* Even if LMDB lock files were kept under /tmp or /var/run, those files
* would still have to be world-writable, and that would still violate
* the principle of least privilege.
*
* For all these reasons, LMDB is supported only for caches that are
* maintained by non-root daemon processes such as postscreen(8),
* tlsmgr(8) or verify(8). All the effort to recover from bogus LMDB
* errors was good for something.
*/
#ifdef notdef
#ifdef HAS_LMDB
#error "LMDB support is forbidden"
DICT_TYPE_LMDB, mkmap_lmdb_open,
#endif
DICT_TYPE_FAIL, mkmap_fail_open,

1
postfix/src/util/dict_open.c
View File

@ -299,6 +299,7 @@ static const DICT_OPEN_INFO dict_open_info[] = {
DICT_TYPE_BTREE, dict_btree_open,
#endif
#ifdef HAS_LMDB
#error "LMDB support is forbidden"
DICT_TYPE_LMDB, dict_lmdb_open,
#endif
#ifdef HAS_NIS