84 Mail However, the really irksome thing about this program is the standard vacation message format. From the man page: From: eric@ucbmonet.berkeley.edu (Eric Allman) Subject: I am on vacation Delivered-By-The-Graces-Of: the Vacation program … Depending on one’s theology and politics, a message might be deliv- ered by the grace of some god or royal personage—but never by the grace of Unix. The very concept is an oxymoron. Apple Computer’s Mail Disaster of 1991 In his 1985 USENIX paper, Eric Allman writes that sendmail is phenome- nally reliabile because any message that is accepted is eventually delivered to its intended recipient, returned to the original sender, sent to the sys- tem’s postmaster, sent to the root user, or, in absolute worst case, logged to a file. Allman then goes on to note that “A major component of reliability is the concept of responsibility.” He continues:
Apple Computer’s Mail Disaster of 1991 85 For example, before sendmail will accept a message (by returning exit status or sending a response code) it insures that all information needed to deliver that message is forced out to the disk. In this way, sendmail has “accepted responsibility” for delivery of the message (or notification of failure). If the message is lost prior to acceptance, it is the “fault” of the sender if lost after acceptance, it is the “fault” of the receiving sendmail. This algorithm implies that a window exists where both sender and receiver believe that they are “responsible” for this message. If a failure occurs during this window then two copies of the message will be delivered. This is normally not a catastrophic event, and is far superior to losing a message. This design choice to deliver two copies of a message rather than none at all might indeed be far superior in most circumstances. Certainly, lost mail is a bad thing. On the other hand, techniques for guaranteeing synchronous, atomic operations, even for processes running on two separate computers, were known and understood in 1983 when sendmail was written. Date: Thu, 09 May 91 23:26:50 -0700 From: “Erik E. Fair”6 (Your Friendly Postmaster) fair@apple.com To: tcp-ip@nic.ddn.mil, unicode@sun.com, [...] Subject: Case of the Replicated Errors: An Internet Postmaster’s Horror Story This Is The Network: The Apple Engineering Network. The Apple Engineering Network has about 100 IP subnets, 224 AppleTalk zones, and over 600 AppleTalk networks. It stretches from Tokyo, Japan, to Paris, France, with half a dozen locations in the U.S., and 40 buildings in the Silicon Valley. It is interconnected with the Internet in three places: two in the Silicon Valley, and one in Boston. It supports almost 10,000 users every day. When things go wrong with e-mail on this network, it’s my problem. My name is Fair. I carry a badge. 6Erik Fair graciously gave us permission to reprint this message which appeared on the TCP-IP, UNICODE, and RISKS mailing lists, although he added: “I am not on the UNIX-HATERS mailing list. I have never sent anything there personally. I do not hate Unix I just hate USL, Sun, HP, and all the other vendors who have made Unix FUBAR.”