[PATCH] MANUAL.rst: Improve with Perf tips and SSL notes

Sebastian Spaeth Sebastian at SSpaeth.de
Sat Jul 9 17:35:23 UTC 2011 

On Sat, 9 Jul 2011 00:19:31 +0300, Daniel Shahaf <d.s at daniel.shahaf.name> wrote:
> While offlineimap.conf calls SQLite backend experimental, so should this
> tip, I believe.

Sure, can do so. Although I would really love to move this out of
experimental state at some point after the next release. I have been
running it a long time now and I feel pretty confident that it is not
less safe than using the plaintext one. Marking it as experimental will
cause people to not even try it out :-).

> Could you explain what might be the repercussions of disabling fsync?
> 
> ie, if I disable fsync and the power goes out while some changes have
> not been flushed, will something be corrupted?  And if so, how easy
> would it be to detect,repair that corruption?

There is 2 areas where this fsync setting is used. One is when writing
out messages to the local Maildir, the default here is fsync=True. So we
will make sure that a message has actually been written out to disk
before we note it in the status cache. If False, writing of several
messages to disk could potentially happen in one bigger lump (which
obviously is good for performance). A crash without fsync here could
obviously mean that we have added a message to the cache but not written
it out to disk yet. In that case, the next run could think it had been
deleted and delete the message on the server too. So, there is possible
data loss in case of crash (a network gone bad won't be enough, but a
crash could do it). The other area is fsync for writing out the
LocalStatus cache. We would wait till the megabytes of data have been
written out before we start writing out the message or proceed to the
next message. A loss here would not be that bad (in the case of
IMAP<->Maildir we can reconstruct the LocalStatus cache), and in
IMAP<->IMAP case, it would probably mean a few duplicated messages at
worst. (Fsync in the sqlite case won't matter for LocalStatus which will
always write out stuff on time, I believe).

So, it really depends on your security needs and willingness to tradeoff
speed vs crash-safeness.

> > +Security and SSL
> > +================

> What about 'openssl s_client'?  When I run it, 
>         New, TLSv1/SSLv3, Cipher is AES256-SHA
> is part of the output.

Interesting, I have a hard time interpreting this:

$ openssl s_client -connect sspaeth.de:22

CONNECTED(00000003)
4440:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:607:

And connecting to my mail server leads to connection refused. But
something like this would be nice indeed, yes.

> May want to point to the 'How do I generate an `sslcacertfile` file?'
> FAQ entry here? :P

Yes, that would make sense.... :)
 
> > +StartTLS
> Looks good.

Good.

Sebastian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/offlineimap-project/attachments/20110709/e21e68df/attachment.pgp>

More information about the OfflineIMAP-project mailing list