maildir-sync.c revision 8a3d609fdd84f5938c82e8e7eeb84a24ab41b317
45312f52ff3a3d4c137447be4c7556500c2f8bf2Timo Sirainen/* Copyright (C) 2004 Timo Sirainen */
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen Here's a description of how we handle Maildir synchronization and
08d6658a4e2ec8104cd1307f6baa75fdb07a24f8Mark Washenberger it's problems:
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen We want to be as efficient as we can. The most efficient way to
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen check if changes have occured is to stat() the new/ and cur/
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen directories and uidlist file - if their mtimes haven't changed,
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen there's no changes and we don't need to do anything.
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen Problem 1: Multiple changes can happen within a single second -
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen nothing guarantees that once we synced it, someone else didn't just
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen then make a modification. Such modifications wouldn't get noticed
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen until a new modification occured later.
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen Problem 2: Syncing cur/ directory is much more costly than syncing
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen new/. Moving mails from new/ to cur/ will always change mtime of
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen cur/ causing us to sync it as well.
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen Problem 3: We may not be able to move mail from new/ to cur/
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen because we're out of quota, or simply because we're accessing a
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen read-only mailbox.
473080c7c0d25ddfdf77e7dfa0ba8f73c6c669d5Timo Sirainen MAILDIR_SYNC_SECS
473080c7c0d25ddfdf77e7dfa0ba8f73c6c669d5Timo Sirainen -----------------
473080c7c0d25ddfdf77e7dfa0ba8f73c6c669d5Timo Sirainen Several checks below use MAILDIR_SYNC_SECS, which should be maximum
473080c7c0d25ddfdf77e7dfa0ba8f73c6c669d5Timo Sirainen clock drift between all computers accessing the maildir (eg. via
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen NFS), rounded up to next second. Our default is 1 second, since
356303df200c991580bd24041996a070ad08c05eTimo Sirainen everyone should be using NTP.
49e513d090753ccbf95560b2f3a21f081a5b6c51Timo Sirainen Note that setting it to 0 works only if there's only one computer
49e513d090753ccbf95560b2f3a21f081a5b6c51Timo Sirainen accessing the maildir. It's practically impossible to make two
473080c7c0d25ddfdf77e7dfa0ba8f73c6c669d5Timo Sirainen clocks _exactly_ synchronized.
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen It might be possible to only use file server's clock by looking at
d9b73f3eb3d5f608dfd438cee89ce2b27547173fTimo Sirainen the atime field, but I don't know how well that would actually work.
00bde9ae9eab9e720462bf6ec9a4dd85e88c3bbfTimo Sirainen cur directory
00bde9ae9eab9e720462bf6ec9a4dd85e88c3bbfTimo Sirainen -------------
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen We have dirty_cur_time variable which is set to cur/ directory's
49e513d090753ccbf95560b2f3a21f081a5b6c51Timo Sirainen mtime when it's >= time() - MAILDIR_SYNC_SECS and we _think_ we have
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen synchronized the directory.
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen When dirty_cur_time is non-zero, we don't synchronize the cur/
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen directory until
d5abbb932a0a598f002da39a8b3326643b1b5efcTimo Sirainen a) cur/'s mtime changes
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen b) opening a mail fails with ENOENT
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen c) time() > dirty_cur_time + MAILDIR_SYNC_SECS
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen This allows us to modify the maildir multiple times without having
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen to sync it at every change. The sync will eventually be done to
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen make sure we didn't miss any external changes.
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen The dirty_cur_time is set when:
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen - we change message flags
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen - we expunge messages
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen - we move mail from new/ to cur/
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen - we sync cur/ directory and it's mtime is >= time() - MAILDIR_SYNC_SECS
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen It's unset when we do the final syncing, ie. when mtime is
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen older than time() - MAILDIR_SYNC_SECS.
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen new directory
3b94ff5951db4d4eddb7a80ed4e3f61207202635Timo Sirainen -------------
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen If new/'s mtime is >= time() - MAILDIR_SYNC_SECS, always synchronize
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen it. dirty_cur_time-like feature might save us a few syncs, but
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen that might break a client which saves a mail in one connection and
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen tries to fetch it in another one. new/ directory is almost always
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen empty, so syncing it should be very fast anyway. Actually this can
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen still happen if we sync only new/ dir while another client is also
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen moving mails from it to cur/ - it takes us a while to see them.
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen That's pretty unlikely to happen however, and only way to fix it
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen would be to always synchronize cur/ after new/.
49e513d090753ccbf95560b2f3a21f081a5b6c51Timo Sirainen Normally we move all mails from new/ to cur/ whenever we sync it. If
22535a9e685e29214082878e37a267157044618eTimo Sirainen it's not possible for some reason, we mark the mail with "probably
6fabfb7bbfd88d0c1de66981e52850f26067623bTimo Sirainen exists in new/ directory" flag.
22535a9e685e29214082878e37a267157044618eTimo Sirainen If rename() still fails because of ENOSPC or EDQUOT, we still save
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen the flag changes in index with dirty-flag on. When moving the mail
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen to cur/ directory, or when we notice it's already moved there, we
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen apply the flag changes to the filename, rename it and remove the
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen dirty flag. If there's dirty flags, this should be tried every time
356303df200c991580bd24041996a070ad08c05eTimo Sirainen after expunge or when closing the mailbox.
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen This file contains UID <-> filename mappings. It's updated only when
e15f1d736c225c7ce6f3d08a37c1b2ae66b57c50Timo Sirainen new mail arrives, so it may contain filenames that have already been
e15f1d736c225c7ce6f3d08a37c1b2ae66b57c50Timo Sirainen deleted. Updating is done by getting uidlist.lock file, writing the
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen whole uidlist into it and rename()ing it over the old uidlist. This
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen means there's no need to lock the file for reading.
e15f1d736c225c7ce6f3d08a37c1b2ae66b57c50Timo Sirainen Whenever uidlist is rewritten, it's mtime must be larger than the old
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen one's. Use utime() before rename() if needed. Note that inode checking
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen wouldn't have been sufficient as inode numbers can be reused.
49e513d090753ccbf95560b2f3a21f081a5b6c51Timo Sirainen This file is usually read the first time you need to know filename for
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen given UID. After that it's not re-read unless new mails come that we
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen don't know about.
49e513d090753ccbf95560b2f3a21f081a5b6c51Timo Sirainen broken clients
49e513d090753ccbf95560b2f3a21f081a5b6c51Timo Sirainen --------------
22535a9e685e29214082878e37a267157044618eTimo Sirainen Originally the middle identifier in Maildir filename was specified
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen only as <process id>_<delivery counter>. That however created a
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen problem with randomized PIDs which made it possible that the same
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen PID was reused within one second.
22535a9e685e29214082878e37a267157044618eTimo Sirainen So if within one second a mail was delivered, MUA moved it to cur/
6fabfb7bbfd88d0c1de66981e52850f26067623bTimo Sirainen and another mail was delivered by a new process using same PID as
22535a9e685e29214082878e37a267157044618eTimo Sirainen the first one, we likely ended up overwriting the first mail when
22535a9e685e29214082878e37a267157044618eTimo Sirainen the second mail was moved over it.
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen Nowadays everyone should be giving a bit more specific identifier,
6fabfb7bbfd88d0c1de66981e52850f26067623bTimo Sirainen for example include microseconds in it which Dovecot does.
6fabfb7bbfd88d0c1de66981e52850f26067623bTimo Sirainen There's a simple way to prevent this from happening in some cases:
6fabfb7bbfd88d0c1de66981e52850f26067623bTimo Sirainen Don't move the mail from new/ to cur/ if it's mtime is >= time() -
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen MAILDIR_SYNC_SECS. The second delivery's link() call then fails
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen because the file is already in new/, and it will then use a
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen different filename. There's a few problems with this however:
6fabfb7bbfd88d0c1de66981e52850f26067623bTimo Sirainen - it requires extra stat() call which is unneeded extra I/O
6fabfb7bbfd88d0c1de66981e52850f26067623bTimo Sirainen - another MUA might still move the mail to cur/
6fabfb7bbfd88d0c1de66981e52850f26067623bTimo Sirainen - if first file's flags are modified by either Dovecot or another
6fabfb7bbfd88d0c1de66981e52850f26067623bTimo Sirainen MUA, it's moved to cur/ (you _could_ just do the dirty-flagging
6fabfb7bbfd88d0c1de66981e52850f26067623bTimo Sirainen but that'd be ugly)
25757faf029c369a8318349dafe952e2358df1d8Timo Sirainen Because this is useful only for very few people and it requires
c5383a0ed56a188a7d5efaaa4c6f8243af432d65Timo Sirainen extra I/O, I decided not to implement this. It should be however
c5383a0ed56a188a7d5efaaa4c6f8243af432d65Timo Sirainen quite easy to do since we need to be able to deal with files in new/
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen It's also possible to never accidentally overwrite a mail by using
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen link() + unlink() rather than rename(). This however isn't very
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen good idea as it introduces potential race conditions when multiple
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen clients are accessing the mailbox:
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen Trying to move the same mail from new/ to cur/ at the same time:
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen a) Client 1 uses slightly different filename than client 2,
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen for example one sets read-flag on but the other doesn't.
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen You have the same mail duplicated now.
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen b) Client 3 sees the mail between Client 1's and 2's link() calls
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen and changes it's flag. You have the same mail duplicated now.
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen And it gets worse when they're unlink()ing in cur/ directory:
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen c) Client 1 changes mails's flag and client 2 changes it back
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen between 1's link() and unlink(). The mail is now expunged.
c5383a0ed56a188a7d5efaaa4c6f8243af432d65Timo Sirainen d) If you try to deal with the duplicates by unlink()ing another
806cb455553b71934314da98f1b4a694a3aa152eTimo Sirainen one of them, you might end up unlinking both of them.
c5383a0ed56a188a7d5efaaa4c6f8243af432d65Timo Sirainen So, what should we do then if we notice a duplicate? First of all,
b42f37ae6f65ed986315b6885568d32115e589b1Timo Sirainen it might not be a duplicate at all, readdir() might have just
1f1e81aab38d833d1c9cdc244c91fd762e0080d4Timo Sirainen returned it twice because it was just renamed. What we should do is
1f1e81aab38d833d1c9cdc244c91fd762e0080d4Timo Sirainen create a completely new base name for it and rename() it to that.
c5383a0ed56a188a7d5efaaa4c6f8243af432d65Timo Sirainen If the call fails with ENOENT, it only means that it wasn't a
c5383a0ed56a188a7d5efaaa4c6f8243af432d65Timo Sirainen duplicate after all.
struct maildir_sync_context {
int partial;
struct maildir_index_sync_context {
void *context)
const char *newpath;
NULL) < 0)
ctx) < 0)
int ret;
if (ret > 0) {
if (ret == 0) {
return ret;
static struct maildir_sync_context *
return ctx;
const char *old_fname)
int ret = 0;
t_push();
t_pop();
return ret;
const char *dir;
if (ret == 0) {
if (new_dir)
if (ret < 0)
flags = 0;
if (move_new) {
} else if (new_dir) {
if (ret <= 0) {
if (ret < 0)
cur_mtime : 0;
const char *filename;
int ret;
seq = 0;
seq++;
goto __again;
INDEX_KEYWORDS_BYTE_COUNT) != 0) {
if (ret < 0)
else if (seq != 0) {
if (ret == 0) {
return ret;
if (cur_changed) {
return ret;
int ret;
return ret;
int ret;
return ret;
int ret;
if (ret < 0)