Brian Candler <B.Ca...@pobox.com> writes:

Nup. The strace is really weird :) Here is what seems to happen.

1) The quota warning message is constructed in tmp by inserting a couple of headers and then copying the boilerplate message. The filename used here *does* include the _quota that you noticed. 2) The fd is rewound, and used as the source for a delivery. In the code, you'll see it calling the 'deliver' function with the same fd that it used above. This new delivery is created in tmp in the usual fashion and does *not* use the _quota filename. 3) File is renamed into new. Boom.

In fact, the more I think of it, the more hazardous the rename vs link/unlink is. Even if the code behaves properly and does not do more than one undifferentiated delivery per process per second, you can still lose mail if your clock ever slips backwards (like just after a reboot, before ntp has started up).

I've attached a quick and ugly patch that uses link/unlink in favour of restore and doesn't fail the whole delivery if the quota warning fails for some reason. I haven't compiled or tested it, but hopefully it serves as a concept suggestion.

m.

--- deliverquota.c.orig Sat Feb 10 19:23:48 2001 +++ deliverquota.c Sat Feb 10 19:29:21 2001 @@ -50,7 +50,7 @@ static const char rcsid[]="$Id: deliverquota.c,v 1.12 2000/12/25 19:43:17 mrsam
Exp $";

static long deliver(int fd, const char *dir, const char *q, long s, - int auto_create, int quota_warn_percent); + int auto_create, int quota_warn_percent, int fail_quietly);

static void do_deliver_warning(const char *, const char *);

@@ -192,7 +192,7 @@ ** the quota. */ sleep(2); - deliver(fd, dir, q, 0, 0, -1); + deliver(fd, dir, q, 0, 0, -1, 1); } close(fd); unlink(tname); @@ -202,7 +202,7 @@ }

static long deliver(int fdin, const char *dir, const char *q, long s, - int auto_create, int quota_warn_percent) + int auto_create, int quota_warn_percent, int fail_quietly) { char *tname, *nname; char buf[BUFSIZ]; @@ -216,7 +216,7 @@ if (rc < 0) { perror("maildir_try_create"); - exit(EX_TEMPFAIL); + exit(fail_quietly ? 0 : EX_TEMPFAIL); } sleep(3); } @@ -230,7 +230,7 @@ if (fd < 0) { perror(tname); - exit(EX_TEMPFAIL); + exit(fail_quietly ? 0 : EX_TEMPFAIL); }

while ((n=read(fdin, buf, sizeof(buf))) > 0) @@ -247,7 +247,7 @@ close(fd); unlink(tname); perror(tname); - exit(EX_IOERR); + exit(fail_quietly ? 0 : EX_IOERR); } p += l; n -= l; @@ -258,7 +258,7 @@ { unlink(tname); perror(tname); - exit(EX_IOERR); + exit(fail_quietly ? 0 : EX_IOERR); }

if (s != ss) @@ -272,7 +272,7 @@ { unlink(tname); perror(tname); - exit(EX_OSERR); + exit(fail_quietly ? 0 : EX_OSERR); } sprintf(qq, "%s,S=%ld", nname, ss-s); free(nname); @@ -286,19 +286,20 @@ if (quotafd >= 0) close(quotafd); unlink(tname); printf("Mail quota exceeded.\n"); - exit(EX_NOPERM); + exit(fail_quietly ? 0 : EX_NOPERM); } maildir_addquota(dir, quotafd, q, ss-s, 1); if (quotafd >= 0) close(quotafd); } }

- if (rename(tname, nname)) + if (link(tname, nname)) { unlink(tname); perror(tname); - exit(EX_IOERR); + exit(fail_quietly ? 0 : EX_IOERR); } + unlink(tname); if (quota_warn_percent >= 0 && maildir_readquota(dir, q) >=
quota_warn_percent) { deliver_warning(dir, q); @@ -350,9 +351,9 @@ maildir_addquota(dir, quotafd, q, stat_buf.st_size, 1); if (quotafd >= 0) close(quotafd); deliver(0, dir, q, stat_buf.st_size, - auto_create, quota_warn_percent); + auto_create, quota_warn_percent, 0); exit(0); } - deliver(0, dir, q, 0, auto_create, quota_warn_percent); + deliver(0, dir, q, 0, auto_create, quota_warn_percent, 0); exit(0); }