LMDB files can still be created by unprivileged Postfix
daemon processes under the postfix-owned data_directory.
Files: proto/LMDB_README.html, global/mkmap.c.
+
+20131001
+
+ Cleanup: LMDB support is forbidden due to problems with
+ LMDB lock management. These problems hinder error recovery
+ in multi-programmed systems, and prohibit database sharing
+ between privileged writer processes and unprivileged reader
+ processes.
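Review bot: the new 20131001 entry is missing the "Files:" line that the preceding entry (and the rest of HISTORY) carries, so a reader cannot tell which sources changed; list them (the visible ones are global/mkmap.c, global/dict_open.c, proto/LMDB_README.html, html/LMDB_README.html, RELEASE_NOTES and mail_version.h). The entry also contradicts the immediately preceding one ("LMDB files can still be created by unprivileged Postfix daemon processes"), so say explicitly that this supersedes it and what happens to a build with -DHAS_LMDB.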
manpages:
set -e; for i in $(MANDIRS); do \
(set -e; echo "[$$i]"; cd $$i; $(MAKE) -f Makefile.in $(OPTS) MAKELEVEL=) || exit 1; \
- done
+ done </dev/null
printfck: update
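Review bot: the `</dev/null` on the `done` line redirects stdin for the whole `for` loop, so every recursive `$(MAKE)` over MANDIRS runs with an empty stdin; add a one-line comment stating why (presumably so that a sub-make, or a tool it spawns, never blocks on or consumes the parent make's terminal input), because the reason is not visible here and the next person will be tempted to remove it.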
P\bPo\bos\bst\btf\bfi\bix\bx O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP L\bLM\bMD\bDB\bB H\bHo\bow\bwt\bto\bo
-------------------------------------------------------------------------------
-
-I\bIn\bnt\btr\bro\bod\bdu\buc\bct\bti\bio\bon\bn
-
- Warning: LMDB applications require write access even when the application
- itself is read-only. This violates the principle of least privilege, and
- causes all kinds of problems when a non-root process needs to query a root-
- owned database such as access(5), virtual(5), or transport(5).
-
- Support to create LMDB databases is no longer available for the postmap(1)
- and postalias(1) commands. Instead, consider using cdb: to manage root-
- owned databases under the root-owned config_directory (default: /etc/
- postfix) such as access(5), virtual(5), or transport(5).
-
- Support to create LMDB databases is available only for unprivileged Postfix
- daemon processes such as postscreen(8), tlsmgr(8) and verify(8) that manage
- postfix-owned databases under the postfix-owned data_directory (default: /
- var/lib/postfix).
-
-Postfix uses databases of various kinds to store and look up information.
-Postfix databases are specified as "type:name". OpenLDAP LMDB implements the
-Postfix database type "lmdb". The name of a Postfix OpenLDAP LMDB database is
-the name of the database file without the ".lmdb" suffix.
-
-This document describes:
-
- 1. How to build Postfix with OpenLDAP LMDB support.
-
- 2. How to configure LMDB settings.
-
- 3. Missing pthread library trouble.
-
- 4. Unexpected failure modes that don't exist with other Postfix databases.
-
-B\bBu\bui\bil\bld\bdi\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx w\bwi\bit\bth\bh O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP L\bLM\bMD\bDB\bB s\bsu\bup\bpp\bpo\bor\brt\bt
-
-Postfix normally does not enable OpenLDAP LMDB support. To build Postfix with
-OpenLDAP LMDB support, use something like:
-
- % make makefiles CCARGS="-DHAS_LMDB -I/usr/local/include" \
- AUXLIBS="-L/usr/local/lib -llmdb"
- % make
-
-Solaris may need this:
-
- % make makefiles CCARGS="-DHAS_LMDB -I/usr/local/include" \
- AUXLIBS="-R/usr/local/lib -L/usr/local/lib -llmdb"
- % make
-
-The exact pathnames depend on how OpenLDAP LMDB was installed.
-
-C\bCo\bon\bnf\bfi\big\bgu\bur\bre\be L\bLM\bMD\bDB\bB s\bse\bet\btt\bti\bin\bng\bgs\bs
-
-Postfix provides configuration parameters that control OpenLDAP LMDB database
-behavior.
-
- * lmdb_map_size (default: 16777216). This setting specifies the initial
- OpenLDAP LMDB database size limit in bytes. Each time a database becomes
- full, its size limit is doubled.
-
- * lmdb_max_readers (default: $default_process_limit). This specifies a hard
- limit on the number of read transactions that may be open at the same time
- for the same OpenLDAP LMDB database. When this number is too small, the
- Postfix LMDB client will log MDB_READERS_FULL warnings, and will run with
- reduced performance.
-
-M\bMi\bis\bss\bsi\bin\bng\bg p\bpt\bth\bhr\bre\bea\bad\bd l\bli\bib\bbr\bra\bar\bry\by t\btr\bro\bou\bub\bbl\ble\be
-
-When building Postfix fails with:
-
- undefined reference to `pthread_mutexattr_destroy'
- undefined reference to `pthread_mutexattr_init'
- undefined reference to `pthread_mutex_lock'
-
-Add the "-lpthread" library to the "make makefiles" command.
-
- % make makefiles .... AUXLIBS="... -lpthread"
-
-Source code for OpenLDAP LMDB is available at http://www.openldap.org. More
-information is available at http://highlandsun.com/hyc/mdb/.
-
-U\bUn\bne\bex\bxp\bpe\bec\bct\bte\bed\bd f\bfa\bai\bil\blu\bur\bre\be m\bmo\bod\bde\bes\bs o\bof\bf P\bPo\bos\bst\btf\bfi\bix\bx L\bLM\bMD\bDB\bB d\bda\bat\bta\bab\bba\bas\bse\bes\bs.\b.
-
-As documented below, conversion to LMDB introduces a number of failure modes
-that don't exist with other Postfix databases. Some failure modes have been
-eliminated in the course of time. The writeup below reflects the status as of
-of LMDB 0.9.8.
-
-U\bUn\bne\bex\bxp\bpe\bec\bct\bte\bed\bd "\b"P\bPe\ber\brm\bmi\bis\bss\bsi\bio\bon\bn d\bde\ben\bni\bie\bed\bd"\b" e\ber\brr\bro\bor\brs\bs.\b.
-
-Problem:
- A world-readable LMDB database cannot be opened by a process with a UID
- that differs from the database file owner, even when an attempt is made to
- open the database read-only. This problem does not exist with other Postfix
- databases.
-
-Background:
- The LMDB implementation requires write access to maintain read locks, and
- perhaps for other purposes.
-
-Solution:
- Consider using cdb: to manage root-owned databases under the root-owned /
- etc or config_directory (default: /etc/postfix) such as access(5), virtual
- (5), transport(5). Support to create LMDB databases is available only for
- unprivileged Postfix daemon processes such as postscreen(8), tlsmgr(8) and
- verify(8) that manage postfix-owned databases under the postfix-owned
- data_directory (default: /var/lib/postfix).
-
-U\bUn\bne\bex\bxp\bpe\bec\bct\bte\bed\bd "\b"r\bre\bea\bad\bde\ber\brs\bs f\bfu\bul\bll\bl"\b" e\ber\brr\bro\bor\brs\bs.\b.
-
-Problem:
- Under heavy load, database read operations fail with MDB_READERS_FULL
- errors. This problem does not exist with other Postfix databases.
-
-Background:
- The LMDB implementation enforces a hard limit on the number of simultaneous
- read requests for the same database environment. This limit must be
- specified in advance with the lmdb_max_readers configuration parameter.
-
-Mitigation:
- Postfix logs a warning suggesting that the lmdb_max_readers parameter value
- be increased, and retries the failed operation for a limited number of
- times while running with reduced performance.
-
-Prevention:
- Monitor your LMDB files for MDB_READERS_FULL errors. After making the
- necessary adjustments, restart Postfix.
-
-N\bNo\bon\bn-\b-o\bob\bbv\bvi\bio\bou\bus\bs r\bre\bec\bco\bov\bve\ber\bry\by w\bwi\bit\bth\bh p\bpo\bos\bst\bts\bsc\bcr\bre\bee\ben\bn(\b(8\b8)\b),\b, t\btl\bls\bsm\bmg\bgr\br(\b(8\b8)\b),\b, o\bor\br v\bve\ber\bri\bif\bfy\by(\b(8\b8)\b) f\bfr\bro\bom\bm a\ba
-c\bco\bor\brr\bru\bup\bpt\bte\bed\bd d\bda\bat\bta\bab\bba\bas\bse\be.\b.
-
-Problem:
- You cannot rebuild a corrupted LMDB database simply by waiting until a
- daemon restarts. This problem does not exist with other Postfix databases.
-
-Background:
- The Postfix LMDB database client does not truncate the database file.
- Instead it attempts to create a transaction for a "drop" request plus
- subsequent "store" requests. That is obviously not possible with a
- corrupted database file.
-
-Impact:
- Postfix does not process mail until someone fixes the problem.
-
-Recovery:
- First delete the ".lmdb" file by hand. Then, restart postfix.
-
-Prevention:
- Arrange your file systems such that they never run out of free space.
-
- Use ECC memory to detect and correct silent corruption of in-memory file
- system data and metadata.
-
- Use a file system such as ZFS to detect and correct silent corruption of
- on-disk file system data and metadata.
+-------------------------------------------------------------------------------
+Postfix LMDB support is forbidden due to problems with LMDB lock management.
+These problems hinder error recovery in multi-programmed systems, and prohibit
+database sharing between privileged writer processes and unprivileged reader
+processes.
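Review bot: the replacement text removes all of the operational guidance that operators of existing LMDB deployments still need, in particular the cdb: recommendation for root-owned tables, the MDB_READERS_FULL mitigation and the corrupted-database recovery (delete the ".lmdb" file by hand, then restart postfix); keep at least a short "if you already have lmdb: tables" paragraph with the cdb: alternative and the recovery steps, and state the concrete consequence of the change (a build with -DHAS_LMDB now fails). Also, this README is overstruck nroff output (`P\bPo\bos\bst\bt...`), i.e. it is generated from the HTML source, so the new paragraph should come from regenerating it rather than from a hand edit, otherwise the README and the HTML page drift apart.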
If you upgrade from Postfix 2.9 or earlier, read RELEASE_NOTES-2.10
before proceeding.
+Major changes with snapshot 20131001
+====================================
+
+LMDB support is forbidden due to problems with LMDB lock management.
+These problems hinder error recovery in multi-programmed systems,
+and prohibit database sharing between privileged writer processes
+and unprivileged reader processes.
+
Major changes with snapshot 20130929
====================================
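Review bot: the release note states the policy but not the consequence for the reader: say that compiling with -DHAS_LMDB now stops with an error, and that existing lmdb: caches (postscreen(8), tlsmgr(8), verify(8)) must be moved to another database type before upgrading, naming the recommended replacement (the removed README text suggested cdb: for root-owned tables). Without that, an operator who upgrades a snapshot with LMDB enabled only finds out at build time.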
<hr>
+<hr>
+
+
+<p> Postfix LMDB support is forbidden due to problems with LMDB lock
+management. These problems hinder error recovery in multi-programmed
+systems, and prohibit database sharing between privileged writer
+processes and unprivileged reader processes. </p>
+
+<!--
+
<h2>Introduction</h2>
<blockquote> <p> Warning: LMDB applications require write access
</dl>
-<!--
+<!- -
<p> <strong>Unexpected <a href="postmap.1.html">postmap(1)</a>/<a href="postalias.1.html">postalias(1)</a> "database full"
errors. </strong></p>
sure that <a href="postconf.5.html#lmdb_map_size">lmdb_map_size</a> > 3x the largest LMDB file size. </p>
</dd> </dl>
--->
+- ->
-<p> <strong>Non-obvious recovery with <!-- <a href="postmap.1.html">postmap(1)</a>, <a href="postalias.1.html">postalias(1)</a>, -->
+<p> <strong>Non-obvious recovery with <!- - <a href="postmap.1.html">postmap(1)</a>, <a href="postalias.1.html">postalias(1)</a>, - ->
<a href="postscreen.8.html">postscreen(8)</a>, <a href="tlsmgr.8.html">tlsmgr(8)</a>, or <a href="verify.8.html">verify(8)</a> from a corrupted database.
</strong></p>
<dl>
<dt> Problem: </dt> <dd> <p> You cannot rebuild a corrupted LMDB
-database simply by <!-- re-running <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a>, or
-by --> waiting until a daemon restarts. This problem does not exist
+database simply by <!- - re-running <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a>, or
+by - -> waiting until a daemon restarts. This problem does not exist
with other Postfix databases. </p> </dd>
<dt> Background: </dt> <dd> <p> The Postfix LMDB database client
someone fixes the problem. </p> </dd>
<dt> Recovery: </dt> <dd> <p> First delete the ".lmdb" file by hand.
-Then, <!-- rebuild the file with the <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a>
-command if the file was created with those commands, or --> restart
-postfix. <!-- daemons if the file is maintained by daemon processes.
---> </p> </dd>
+Then, <!- - rebuild the file with the <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a>
+command if the file was created with those commands, or - -> restart
+postfix. <!- - daemons if the file is maintained by daemon processes.
+- -> </p> </dd>
<dt> Prevention: </dt> <dd>
corruption of on-disk file system data and metadata. </p>
</dd> </dl>
+
+-->
+
+
<hr>
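Review bot: the new `<!--` at the top of this hunk wraps the rest of the page in one comment, and because HTML comments do not nest, the inner `<!--`/`-->` markers had to be rewritten as `<!- -`/`- ->` so they would not terminate the outer comment early; that works, but if someone later deletes the outer `<!--` ... `-->` pair to restore the page, every `<!- -` will render as literal text, so add a comment next to the opening marker saying the inner delimiters were deliberately mangled and must be reverted together. Also, the added `<hr>` directly follows the existing `<hr>` context line, so the visible page now shows a doubled rule above the single remaining paragraph; drop the added one.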
+<hr>
+
+
+<p> Postfix LMDB support is forbidden due to problems with LMDB lock
+management. These problems hinder error recovery in multi-programmed
+systems, and prohibit database sharing between privileged writer
+processes and unprivileged reader processes. </p>
+
+<!--
+
<h2>Introduction</h2>
<blockquote> <p> Warning: LMDB applications require write access
</dl>
-<!--
+<!- -
<p> <strong>Unexpected postmap(1)/postalias(1) "database full"
errors. </strong></p>
sure that lmdb_map_size > 3x the largest LMDB file size. </p>
</dd> </dl>
--->
+- ->
-<p> <strong>Non-obvious recovery with <!-- postmap(1), postalias(1), -->
+<p> <strong>Non-obvious recovery with <!- - postmap(1), postalias(1), - ->
postscreen(8), tlsmgr(8), or verify(8) from a corrupted database.
</strong></p>
<dl>
<dt> Problem: </dt> <dd> <p> You cannot rebuild a corrupted LMDB
-database simply by <!-- re-running postmap(1) or postalias(1), or
-by --> waiting until a daemon restarts. This problem does not exist
+database simply by <!- - re-running postmap(1) or postalias(1), or
+by - -> waiting until a daemon restarts. This problem does not exist
with other Postfix databases. </p> </dd>
<dt> Background: </dt> <dd> <p> The Postfix LMDB database client
someone fixes the problem. </p> </dd>
<dt> Recovery: </dt> <dd> <p> First delete the ".lmdb" file by hand.
-Then, <!-- rebuild the file with the postmap(1) or postalias(1)
-command if the file was created with those commands, or --> restart
-postfix. <!-- daemons if the file is maintained by daemon processes.
---> </p> </dd>
+Then, <!- - rebuild the file with the postmap(1) or postalias(1)
+command if the file was created with those commands, or - -> restart
+postfix. <!- - daemons if the file is maintained by daemon processes.
+- -> </p> </dd>
<dt> Prevention: </dt> <dd>
corruption of on-disk file system data and metadata. </p>
</dd> </dl>
+
+-->
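Review bot: this hunk is the same edit as the previous LMDB_README.html hunk, with the same `<!- -`/`- ->` mangling of the nested comment delimiters and the same doubled `<hr>`; whichever of the two files is the source (proto/) should carry the explanatory comment and the other should be regenerated from it, so that the two copies cannot diverge, e.g. by only one of them getting the inner delimiters restored later.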
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20130929"
+#define MAIL_RELEASE_DATE "20131001"
#define MAIL_VERSION_NUMBER "2.11"
#ifdef SNAPSHOT
DICT_TYPE_HASH, mkmap_hash_open,
DICT_TYPE_BTREE, mkmap_btree_open,
#endif
-
- /*
- * LMDB readers open the LMDB lock file O_RDWR. This complicates
- * database sharing between processes that run with different effective
- * UIDs.
- *
- * For example, this violates the Postfix security model as it passes a
- * read-write file handle for a root-owned file under /etc/postfix into a
- * non-root daemon process.
- *
- * This also totally breaks non-root access for root-owned databases by
- * non-daemon processes.
- *
- * Even if LMDB lock files were kept under /tmp or /var/run, those files
- * would still have to be world-writable, and that would still violate
- * the principle of least privilege.
- *
- * For all these reasons, LMDB is supported only for caches that are
- * maintained by non-root daemon processes such as postscreen(8),
- * tlsmgr(8) or verify(8). All the effort to recover from bogus LMDB
- * errors was good for something.
- */
-#ifdef notdef
+#ifdef HAS_LMDB
+#error "LMDB support is forbidden"
DICT_TYPE_LMDB, mkmap_lmdb_open,
#endif
DICT_TYPE_FAIL, mkmap_fail_open,
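Review bot: the removed block comment was the only place in the code that recorded why LMDB is unsafe here (readers open the lock file O_RDWR, so a read-write handle to a root-owned file under /etc/postfix would be passed into a non-root daemon, and lock files under /tmp or /var/run would have to be world-writable, violating least privilege); the new `#error "LMDB support is forbidden"` gives none of that, so keep a condensed version of the rationale directly above the `#error`, or point at LMDB_README in the message, so that anyone tempted to re-enable HAS_LMDB sees the reason first. The `DICT_TYPE_LMDB, mkmap_lmdb_open,` entry after the `#error` is now unreachable (the preprocessor stops at the error); either delete it or leave a comment saying it is kept on purpose for when support returns.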
DICT_TYPE_BTREE, dict_btree_open,
#endif
#ifdef HAS_LMDB
+#error "LMDB support is forbidden"
DICT_TYPE_LMDB, dict_lmdb_open,
#endif
#ifdef HAS_NIS
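Review bot: same point as in mkmap.c: the `#error "LMDB support is forbidden"` inside the dict_open table gives no reason and no pointer, and the `DICT_TYPE_LMDB, dict_lmdb_open,` line after it can never be compiled; make the message say where to look (e.g. "see LMDB_README") so that the two `#error` sites and the README tell one consistent story, and decide in one place whether the dead table entries stay.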