Currently the Pulsar MailQueue does not come with a dead-letter policy.
A bad JSON payload halts the processing.
This makes the Pulsar MailQueue brittle:
- The ability to inject a single message with a bad payload can cause an entire James cluster to come to a halt.
- This could be seen as an attack vector
- But also any change to the underlying JSON schema for payloads is liable to cause major downtime.
We should define a dead-letter policy:
- After a given number of failures, delivery of the message would be abandoned
- And moved to a dead-letter topic for later audit (prevent data loss)
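
The policy proposed above maps onto the Pulsar Java client's `DeadLetterPolicy`. The following is an added example, not code from James: a consumer that negatively acknowledges unparseable payloads so the broker moves them to a dead-letter topic after a bounded number of redeliveries. The service URL, topic and subscription names, the retry count and the use of Jackson for parsing are all assumptions.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.pulsar.client.api.Consumer;
import org.apache.pulsar.client.api.DeadLetterPolicy;
import org.apache.pulsar.client.api.Message;
import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.api.SubscriptionType;

import java.io.IOException;
import java.util.concurrent.TimeUnit;

public class DeadLetterConsumerExample {
    // Assumed values, not taken from James: adjust to the deployment.
    static final String SERVICE_URL = "pulsar://localhost:6650";
    static final String QUEUE_TOPIC = "persistent://public/default/example-mailqueue";
    static final String DLQ_TOPIC = QUEUE_TOPIC + "-dead-letter";
    static final int MAX_REDELIVERIES = 3;

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        try (PulsarClient client = PulsarClient.builder().serviceUrl(SERVICE_URL).build();
             Consumer<byte[]> consumer = client.newConsumer()
                 .topic(QUEUE_TOPIC)
                 .subscriptionName("example-subscription")
                 // Dead-lettering needs per-message redelivery, which Shared subscriptions provide.
                 .subscriptionType(SubscriptionType.Shared)
                 .negativeAckRedeliveryDelay(5, TimeUnit.SECONDS)
                 .deadLetterPolicy(DeadLetterPolicy.builder()
                     .maxRedeliverCount(MAX_REDELIVERIES)
                     .deadLetterTopic(DLQ_TOPIC) // kept for later audit, so nothing is lost
                     .build())
                 .subscribe()) {
            while (true) {
                Message<byte[]> msg = consumer.receive();
                try {
                    JsonNode item = mapper.readTree(msg.getData()); // throws on malformed JSON
                    if (item == null || !item.isObject()) {
                        throw new IOException("payload is not a JSON object");
                    }
                    consumer.acknowledge(msg);
                } catch (IOException badPayload) {
                    // Do not rethrow: record the failure and keep consuming the queue.
                    System.err.printf("bad payload %s (redelivery %d): %s%n",
                        msg.getMessageId(), msg.getRedeliveryCount(), badPayload.getMessage());
                    consumer.negativeAcknowledge(msg);
                }
            }
        }
    }
}
```

Monitoring the backlog of the dead-letter topic gives operators a signal that a malformed or schema-incompatible payload was enqueued.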