Changes:

• Added goal 8 and rewrote mailbox synchronization plan.
• Added new SELECT command to change active mailbox and removed mailbox ID from command parameters

Goals

1. If a single (or configurable number of) server dies, no mails must be lost that have been reported to IMAP/SMTP clients as being successfully stored.

2. Must be able to automatically recover from a server desynchronization, such as:

• server has been offline for a long time
• some mail files have been manually added/deleted
• corrupted data/mail files if they're noticed

3. In multi-master setup if the link between servers die, the servers must be able to proceed autonomously (kind of conflicts with goal 1 though). When the link comes back, the changes are replicated as soon as possible.

4. Normal IMAP commands must not be able to cause desynchronization between servers. For example making conflicting flag changes simultaneously in two servers must not result in the servers having different flags.

5. Must perform well with at least 3 servers in a multi-master setup, preferrably still with tens of servers.

6. Latency shouldn't be increased noticeably when using servers distributed into 3 or more data centers. Must be usable over high-latency links (in optimistic async mode).

7. In normal operation send minimal incremental changes.

8. Make non-incremental synchronization fast enough to allow replication with users' untrusted Dovecot servers which may connect only rarely. Support also super high latency replication (e.g. using USB sticks).

Protocol

There are two major parts in the protocol: Handling the normal incremental changes and fixing desynchronization.

Originally I thought that maybe the changes could be sent using the same format as Dovecot's transaction logs, but now I'm beginning to think that it's probably not that good idea. The code reuse potential is quite minimal and the format would still have to be extended in several ways so that it won't be directly compatible anyway.

So I'm thinking the protocol could be something text-based. The main benefit is that text-based protocols are easier to debug. Stream compression should drop most of the extra overhead if bandwidth is a problem.

The exact on-wire protocol anyway doesn't matter in the design that's discussed below.

The commands have tags similar to IMAP commands, because some commands may have to be forwarded to other servers and it may take a while to get a reply. During the wait the server may process other commands.

Mailbox master

Each mailbox has a single master server selected. In multi-master setups the master server may be moved by having the destination server simply request it from the current master. The current master must then give it up. If link is lost to the current master, one of the remaining servers will become the new master within the remaining servers.

Each server must be connected to the current master server. Since each mailbox can have a different master server, this typically means all servers are connected to each others. However it's possible to create setups where server connects to only one other server, which in turn connect to more servers. This is useful if there are bandwidth bottlenecks between some servers. This kind of a situation can also happen if in a network A-B-C the link A-C dies, but A-B and B-C continues to work. Because of this all commands must be able to function in a way that the server proxies them to the current master, instead of failing the command and trying to make it the caller's problem to resend the command to the actual master.

When the cluster starts up, a single server is selected as the root master for all mailboxes. If a server doesn't know who the current mailbox master is, it asks from the root. All servers cache the currently known mailbox masters to avoid constant requests to the root.

If the root server dies, another server is selected as the root. Because the new root doesn't know what masters have been requested (and asking all of them from all servers would just waste bandwidth), all the servers are expected to flush their master caches and drop their own master status. The new root doesn't respond to any requests before all servers have notified that they've dropped being a master.

The master status doesn't have to be at mailbox level granularity. It could just as well be configured to move at user, domain or even global level. Perhaps this could be done dynamically, so that higher granularity is used when the master is beginning to change too often between servers.

Mailbox ID

Mailbox IDs are session-specific numbers dynamically assigned for user+mailbox+UIDVALIDITY combinations. All connections have different mailbox IDs. Also send and receive directions have different IDs. This allows the sender to easily replace existing IDs to point to new mailboxes without causing any confusion.

MBOX:

• Mailbox ID
• User name
• Mailbox name
• Mailbox UIDVALIDITY Reply:
• [Mailbox UIDVALIDITY] (if changed - command failed)
• Mailbox UIDNEXT
• Highest modseq

If the receiver finds out it has a different UIDVALIDITY, the mailbox requires a full resync. UIDNEXT and modseq can be used to determine if replication servers are out of sync.

After mailbox ID has been assigned, the active mailbox can be changed using a command:

SELECT:

• Mailbox ID

Requesting master status

MASTER-MOVE:

• [Destination SID] (if forwarding)

The command is sent to the last known master for the selected mailbox. The server will keep forwarding the command until it reaches the current master. During the forwarding other servers may want to request something from the master. These requests must be delayed by the forwarding servers until the move is finished.

Saving messages

SAVE:

• Received date
• [IMAP UID] (only if we're the master)
• Global UID (stays the same when copying the message)
• Message text Reply:
• [IMAP UID] (only if not specified in parameters)
• [Current mailbox master SID] (if it was moved)

If current server is not the master, the SAVE is sent to the master which gives the message its IMAP UID. The master server then replicates the message to other servers with the IMAP UID parameter set.

The mailbox master may have already changed by the time server receives a save request. If server receives a SAVE without IMAP UID parameter, it's responsible for finding out the new mailbox master and sending a new SAVE request to it. Once the new master replies with the IMAP UID, the server can reply to the original SAVE request, also providing the new master SID so the future requests can be sent there directly.

To be sure the message doesn't get lost, the server should not reply OK to the IMAP/SMTP client until it has received a reply from SAVE.

Copying messages

FIXME: Source or destination mailbox ID parameter should probably be removed and the selected mailbox's ID used instead.

COPY:

• Source mailbox ID
• Destination mailbox ID
• Source IMAP UID
• Global UID
• [Destination IMAP UID] (only if we're the master)
• Destination received date Reply:
• [Destination IMAP UID] (only if not specified in parameters)
• [Current mailbox master SID] (if it was moved)

Source mailbox ID + source IMAP UID identifies the message to be copied. It's expected to contain the given global UID (which is just an extra sanity check). Otherwise it works the same way as SAVE.

Since the message already exists, it's probably not necessary to wait for a reply before replying OK to originating IMAP client.

Expunging messages

EXPUNGE:

• IMAP UIDs (No reply)

Expunges also have to be sent via master server (the same way as SAVE) to avoid COPY command failing in some servers because it was just expunged.

Changing message flags

STORE:

• IMAP UIDs
• Added flags/keywords
• Removed flags/keywords
• [Current modseq] (master sends)
• [Highest modseq of the messages before this change] (non-master sends)
• [flag: this is a CONDSTORE STORE UNCHANGEDSINCE] (non-master may send) [Reply:
• IMAP UIDs where STORE was rejected to (if CONDSTORE flag was used) ]

Stores also have to be sent via master server to avoid flag desynchronization. Master first checks if it has higher modseqs in the messages. Then it applies all the changes and forwards the changes to other servers. For messages that had higher initial modseqs their flags are sent to the server sending the STORE to fix a potential desync.

If CONDSTORE flag is set, the change is rejected for messages that had a higher modseq. Non-masters shouldn't reply to a STORE UNCHANGEDSINCE command before the change has been replicated to master and the rejections have been processed.

Mailbox synchronization

Network connections to other servers are always initiated by the same servers. From replication point of view they could be thought of as client/server.

The clients keep track of the last seen server state for all mailboxes:

• UIDVALIDITY
• UIDNEXT
• Highest modseq

Client requests mailbox ID with MBOX command. If UIDVALIDITY changed, state is reset by setting UIDNEXT=1 and highest modseq=0. MBOX command is then resent using the updated UIDVALIDITY.

If server's UIDNEXT (server-UIDNEXT) is higher than last seen UIDNEXT (old-UIDNEXT), it means the server has added new messages and we want to fetch them. If the client's UIDNEXT (client-UIDNEXT) is higher than the old-UIDNEXT, it means the client has added new messages and they need to be sent to the server. All messages with UID >= old-UIDNEXT and UID < min(client-UIDNEXT, server-UIDNEXT) have an UID conflict and they must be given new unused UIDs.

The synchronization is done in two batches of commands. Client first selects the mailbox and then starts the sync:

SYNC-BEGIN:

• server's last highest modseq
• client's current highest modseq
• QRESYNC-like sequence + IMAP UID lists for optimizing EXPUNGE replies

Client then proceeds to send all its changes using SAVE, EXPUNGE and STORE commands. The sync is finished with SYNC-END command.

Server replies with:

• List of expunged IMAP UIDs (EXPUNGE command):
  • IMAP UIDs
• Added messages (SAVE command?):
  • IMAP UID
  • Global UID
  • Modseq
  • Flags and keywords
  • Received date
  • [Message text]
• Changed flags/keywords/modseqs (STORE commands):
  • IMAP UID
  • Modseq
  • Changed flags and keywords (or if not easily determined, their current values)
• IMAP UID conflict fixes (UIDFIX command):
  • Source IMAP UIDs
  • Destination IMAP UIDs
• Sync finish:
  • Updated UIDNEXT
  • Updated highest modseq

Server may also reply with STORE commands that change nothing except modseqs. This is needed to get the modseqs synchronized.

If in high-latency + high-bandwidth mode the message texts are always sent. The message texts are also sent if the server can determine that the client couldn't have previously seen the message (i.e. the message was saved, not copied). Otherwise they have to be requested for the messages with previously unseen global UIDs:

FETCH:

• IMAP UIDs Reply:
• Message texts

By the time client receives the reply from server, it may already have done further changes. This means it may have to fix modseqs and IMAP UIDs internally as well.