From 37989954e3d030e254561b734993a4463eab2fb8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Tue, 31 Oct 2023 12:02:33 -0400
Subject: [PATCH] start taking notes on IMAP HA (tpo/tpa/team#41009)

---
 service/email.md | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/service/email.md b/service/email.md
index 4c35fd83..2fff76af 100644
--- a/service/email.md
+++ b/service/email.md
@@ -999,7 +999,7 @@ the long term plan from TPA-RFC-44 (TPA-RFC-45, [issue
 tpo/tpa/team#41009](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41009)). This will mean either outsourcing mail
 services or building a proper mail hosting service.
 
-## Proposed Solution
+## Proposed Solutions
 
 We went through a number of proposals to improve mail services over
 time:
@@ -1012,6 +1012,42 @@ time:
    records, long term plan postponed)
  * TPA-RFC-45: Mail architecture (long term plans from TPA-RFC-44)
 
+## High availability notes
+
+If we do host our own IMAP servers eventually, we would like them to
+be highly available, without human intervention. That means having an
+"active-active" mirror setup where the failure of one host doesn't
+affect users at all and doesn't require human intervention to restore
+services.
+
+We already know quite well how to do an active/passive setup: DRBD
+allows us to replicate entire disks between machines. It *might* be
+possible to do the same with active/active setups in DRBD, in theory,
+but in practice this quickly runs into filesystem limitations, as
+(e.g.) ext4 is *not* designed to be accessed by multiple machines
+simultaneously.
+
+Dovecot has a [replication system called dsync](https://doc.dovecot.org/configuration_manual/replication/) that replicates
+mailboxes over a pipe. There are examples for TCP, TLS and SSH. [This
+blog post](http://blog.dovecot.org/2012/02/dovecot-clustering-with-dsync-based.html) explains the design as well. A pair of [director](https://doc.dovecot.org/admin_manual/director/dovecotdirector/)
+processes could be used to direct users to the right server. [This
+tutorial](http://web.archive.org/web/20201111212844/https://blog.le-vert.net/?p=160) seems to have been useful for people.
+
+Dovecot also shows a [HAProxy configuration](https://doc.dovecot.org/configuration_manual/haproxy/).  A script called
+[poolmon](https://github.com/brandond/poolmon/tree/master) seems to be used by some folks to remove/re-add backends
+to the director when the go unhealthy. Dovecot now ships a
+[dovemon](https://doc.dovecot.org/configuration_manual/dovemon/) program that works similarly, but it's only available in
+the non-free "Pro" version.
+
+There's also a [ceph plugin](https://github.com/ceph-dovecot/dovecot-ceph-plugin) to store emails in a Ceph backend.
+
+It also seems possible to store mailbox and index objects in an
+[object storage backend](https://doc.dovecot.org/admin_manual/dovecot_backend/), a configuration documented in the
+[Dovecot Cluster Architecture](https://doc.dovecot.org/admin_manual/dovecot_cluster_architecture/). It seems that, unfortunately, this
+is part of the "Pro" version of Dovecot, not usable in the free
+version (see [mailbox formats](https://doc.dovecot.org/admin_manual/mailbox_formats/)). There's also someone who
+implemented a [syncthing backend](https://github.com/fragtion/dovecot-core).
+
 ## Submission server proposal
 
 Note: this proposal was discussed inline in the old
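Review bot: the active-active goal stated in the first paragraph ("the failure of one host doesn't affect users at all") is not reconciled with what the dsync paragraph describes; the notes should record whether dsync replication is synchronous or asynchronous and how conflicting writes to the same mailbox on both replicas are resolved, since that decides whether a failover is transparent to users or silently loses recent mail. In the same paragraph, "TCP, TLS and SSH" are listed as interchangeable transports; replication moves complete mailbox contents between hosts, so the notes should state that only an authenticated, encrypted transport (TLS with certificate verification, or SSH) is acceptable and that the plain TCP example is not an option for this deployment. Typo in the poolmon sentence: "when the go unhealthy" should read "when they go unhealthy".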
-- 
GitLab