[Mimedefang] REVISED: postfix/mimedefang socket

Richard Laager rlaager at wiktel.com
Mon Jul 23 04:31:06 EDT 2018


I have attached updated systemd service files, with the PID file
directly in /run, which I have tested with 2.84. This change also
requires specifying a lock file in $SPOOLDIR.

If you prefer a diff rather than new files, I also attached a diff
against 2.84.

This includes and builds upon my last changes:

On 12/09/2017 05:45 PM, Richard Laager wrote:
> I ran into a problem with my systemd units for MIMEDefang. There is a
> race condition between mimedefang-multiplexor creating the socket and
> mimedefang trying to access it. If the multiplexor doesn't create the
> socket in time, mimedefang fails on startup.
> 
> This is happening because Type=simple services are assumed to be running
> immediately. This is documented in systemd.service(5), which says, "In
> this mode, if the process offers functionality to other processes on the
> system, its communication channels should be installed before the daemon
> is started up (e.g. sockets set up by systemd, via socket activation),
> as systemd will immediately proceed starting follow-up units."
> 
> I have attached updated versions to correct this. These change to
> Type=forking and drop the -D flag. With the change to Type=forking, I
> have also brought back pid files. Since systemd requires the pid file
> path to be hardcoded (as the argument to PIDFile), I put it in /run
> rather than the $SPOOLDIR (which the administrator can change).

This part no longer applies, as of MIMEDefang 2.83, because it writes
the PID files as root:

> It can't
> be directly in /run, as the daemon writes the pidfile after dropping
> privileges, so we have to create a /run/mimedefang subdirectory owned by
> $MX_USER. This requires some indirection, as $MX_USER can also be
> customized by the administrator. I only create this directory for
> mimedefang-multiplexor.service (and not mimedefang.service), as
> mimedefang.service is already ordered after mimedefang-multiplexor.service.
-- 
Richard


-------------- next part --------------
[Unit]
Description=MIMEDefang E-mail Filter
Documentation=man:mimedefang(8)
Before=multi-user.target
Before=postfix.service
Before=sendmail.service
After=remote-fs.target
After=systemd-journald-dev-log.socket
BindsTo=mimedefang-multiplexor.service
After=mimedefang-multiplexor.service
PropagatesReloadTo=mimedefang-multiplexor.service

[Service]
Type=forking
PIDFile=/run/mimedefang.pid
Restart=on-failure
TimeoutStopSec=30s
# LC_ALL=C may not be necessary for mimedefang, but it is for
# mimedefang-multiplexor, so upstream prefers it here also to be consistent.
Environment=LC_ALL=C MX_SOCKET=/var/spool/MIMEDefang/mimedefang-multiplexor.sock MX_USER=defang SPOOLDIR=/var/spool/MIMEDefang SOCKET=/var/spool/MIMEDefang/mimedefang.sock
EnvironmentFile=-/etc/default/mimedefang
ExecStartPre=/bin/rm -f $SOCKET
ExecStart=/bin/sh -c 'exec /usr/bin/mimedefang \
    `[ -n "$LOOPBACK_RESERVED_CONNECTIONS" ] && echo "-R $LOOPBACK_RESERVED_CONNECTIONS"` \
    -m $MX_SOCKET \
    -z $SPOOLDIR \
    -o $SPOOLDIR/mimedefang.lock \
    `[ -n "$MX_USER" ] && echo "-U $MX_USER"` \
    `[ -n "$SYSLOG_FACILITY" ] && echo "-S $SYSLOG_FACILITY"` \
    `[ "$MX_RELAY_CHECK" = "yes" ] && echo "-r"` \
    `[ "$MX_HELO_CHECK" = "yes" ] && echo "-H"` \
    `[ "$MX_SENDER_CHECK" = "yes" ] && echo "-s"` \
    `[ "$MX_RECIPIENT_CHECK" = "yes" ] && echo "-t"` \
    `[ "$KEEP_FAILED_DIRECTORIES" = "yes" ] && echo "-k"` \
    `[ "$MD_EXTRA" != "" ] && echo $MD_EXTRA` \
    `[ "$MD_SKIP_BAD_RCPTS" = "yes" ] && echo "-N"` \
    "`[ -n "$X_SCANNED_BY" ] && \
      ( [ "$X_SCANNED_BY" = "-" ] && \
        echo "-X" || echo "-x$X_SCANNED_BY" )`" \
    `[ "$MD_ALLOW_GROUP_ACCESS" = "yes" ] && echo "-G"` \
    `[ "$ALLOW_NEW_CONNECTIONS_TO_QUEUE" = "yes" ] && echo "-q"` \
    -p $SOCKET -P /run/mimedefang.pid'
ExecStopPost=/bin/rm -f $SOCKET
# Make this service eligible for a reload, so we can propagate it to
# mimedefang-multiplexor.service.
ExecReload=/bin/true

[Install]
WantedBy=multi-user.target
-------------- next part --------------
[Unit]
Description=MIMEDefang E-mail Filter (Multiplexor)
Documentation=man:mimedefang-multiplexor(8)
After=remote-fs.target
After=systemd-journald-dev-log.socket
PartOf=mimedefang.service

[Service]
Type=forking
PIDFile=/run/mimedefang-multiplexor.pid
Restart=on-failure
TimeoutStopSec=30s
KillMode=mixed
# Locale should be set to "C" for generating valid date headers
Environment=LC_ALL=C MX_BUSY=600 MX_LOG=yes MX_MAXIMUM=10 MX_MINIMUM=2 MX_SOCKET=/var/spool/MIMEDefang/mimedefang-multiplexor.sock MX_USER=defang SPOOLDIR=/var/spool/MIMEDefang
EnvironmentFile=-/etc/default/mimedefang
ExecStartPre=/bin/rm -f $MX_SOCKET
ExecStart=/bin/sh -c 'HOME=${SPOOLDIR} \
    exec /usr/bin/mimedefang-multiplexor \
    `[ "$MX_EMBED_PERL" = "yes" ] && echo "-E"` \
    -z $SPOOLDIR \
    -o $SPOOLDIR/mimedefang-multiplexor.lock \
    `[ -n "$FILTER" ] && echo "-f $FILTER"` \
    `[ -n "$SYSLOG_FACILITY" ] && echo "-S $SYSLOG_FACILITY"` \
    `[ -n "$SUBFILTER" ] && echo "-F $SUBFILTER"` \
    `[ -n "$MX_MINIMUM" ] && echo "-m $MX_MINIMUM"` \
    `[ -n "$MX_MAXIMUM" ] && echo "-x $MX_MAXIMUM"` \
    `[ -n "$MX_MAP_SOCKET" ] && echo "-N $MX_MAP_SOCKET"` \
    `[ -n "$MX_LOG_SLAVE_STATUS_INTERVAL" ] && echo "-L $MX_LOG_SLAVE_STATUS_INTERVAL"` \
    `[ -n "$MX_USER" ] && echo "-U $MX_USER"` \
    `[ -n "$MX_IDLE" ] && echo "-i $MX_IDLE"` \
    `[ -n "$MX_BUSY" ] && echo "-b $MX_BUSY"` \
    `[ -n "$MX_REQUESTS" ] && echo "-r $MX_REQUESTS"` \
    `[ -n "$MX_SLAVE_DELAY" ] && echo "-w $MX_SLAVE_DELAY"` \
    `[ -n "$MX_MIN_SLAVE_DELAY" ] && echo "-W $MX_MIN_SLAVE_DELAY"` \
    `[ -n "$MX_MAX_RSS" ] && echo "-R $MX_MAX_RSS"` \
    `[ -n "$MX_MAX_AS" ] && echo "-M $MX_MAX_AS"` \
    `[ "$MX_LOG" = "yes" ] && echo "-l"` \
    `[ "$MX_STATS" = "yes" ] && echo "-t /var/log/mimedefang/stats"` \
    `[ "$MX_STATS" = "yes" -a "$MX_FLUSH_STATS" = "yes" ] && echo "-u"` \
    `[ "$MX_STATS_SYSLOG" = "yes" ] && echo "-T"` \
    `[ "$MD_ALLOW_GROUP_ACCESS" = "yes" ] && echo "-G"` \
    `[ "$MX_STATUS_UPDATES" = "yes" ] && echo "-Z"` \
    `[ -n "$MX_QUEUE_SIZE" ] && echo "-q $MX_QUEUE_SIZE"` \
    `[ -n "$MX_QUEUE_TIMEOUT" ] && echo "-Q $MX_QUEUE_TIMEOUT"` \
    `[ -n "$MX_NOTIFIER" ] && echo "-O $MX_NOTIFIER"` \
    `[ -n "$MX_RECIPOK_PERDOMAIN_LIMIT" ] && echo "-y $MX_RECIPOK_PERDOMAIN_LIMIT"` \
    -s $MX_SOCKET -p /run/mimedefang-multiplexor.pid'
ExecStopPost=/bin/rm -f $MX_SOCKET
ExecReload=/bin/kill -INT $MAINPID
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mimedefang-systemd.patch
Type: text/x-patch
Size: 3932 bytes
Desc: not available
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20180723/8a41ce27/attachment.bin>


More information about the MIMEDefang mailing list