Dovecot performance and proxy loops with IPv6

Daniel Betz dbetz at df.eu
Thu Feb 2 13:07:38 UTC 2017 

Hello list,

i run here an large mailsetup with some million mailboxes and got strange performance problems, cause i think i have overseen or forgotten an simple setting.

Here are some details:

21 CentOS 7 Servers with dovecot 2.2.25 and ldap userdb/passdb via socket behind an hardware loadbalancer.
The storage behind is an ISCSI Storage with 4 10Gbit/s multipath paths, splitted up to 10 TB volumes for each server with LVM and xfs filesystem. No Cluster FS
Each server has about 60.000 to 75.000 mailboxes on it. mailboxes can have up to 10Gbyte space.

The Log says this sometimes and complete random:
Feb  1 10:42:49 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1  dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1 dovecot: imap-login: Error: net_connect_unix(imap) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable

Sure i have read the SocketUnavailabe wiki page and changed some settings, but the errors are not gone.
Could you please look over my dovecot config and give me some tips or hints what to change.

The next this is, when adding IPv6 via DNS to the hosts and login with IPv6 i will become an proxy loop.

Settings in nameserver:
server1.domain.com IN A 123.123.123.123
server1.domain.com IN AAAA 2001:123::1

The host entry comes from the ldap and says: mailHost: server1.domain.com

Imap Login with IPv6 to server1.domain.com tries to proxy from server1.domain.com ( IPv6 ) to server1.domain.com ( IPv6 ) and loops then.
I have removed the IPv6 AAAA entries in the dns to stop this loops.
Sorry, but i have no logs for this anymore.

Thanks in advise,
Daniel


And here system configs and dovecot configs:

sysctl:

fs.inotify.max_user_instances = 65535
fs.inotify.max_user_watches = 16384

systemd startup with ulimit settings:

[Unit]
Description=Dovecot Mailservice IMAP/POP

[Service]
Type=simple
LimitCORE=0
LimitNPROC=5000000
LimitNOFILE=65535
LimitSTACK=81920
LimitDATA=infinity
LimitMEMLOCK=infinity
LimitRSS=infinity
LimitAS=infinity

ExecStart=/usr/local/dovecot2/sbin/dovecot -F -c /usr/local/dovecot2/etc/dovecot/dovecot.conf

[Install]
WantedBy=multi-user.target



dovecot-ldap.conf:

uris = ldapi://%2Fvar%2Frun%2Fldapi
dn = cn=xxxxxxx,o=domain,c=com
dnpass = xxxxxxxxxxxxx
auth_bind = no
ldap_version = 3
base = o=domain,c=com 
user_attrs = mail=user,mailMessageStore=home,\
mailQuota=quota_rule=*:storage=%$
iterate_filter= (|(mailHost=server1.domain.com)(mailHost=popserver1.domain.com))
user_filter = (&(accountstatus=active)(|(uid=%u)(mail=%u)))
pass_attrs = mail=user,userPassword=password,=proxy_maybe=y,mailHost=host,=destuser=%u[%r]
pass_filter = (&(accountstatus=active)(|(uid=%u)(mail=%u)))

dovecot.conf:

# 2.2.25 (7be1766): /usr/local/dovecot2/etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-327.36.3.el7.x86_64 x86_64 CentOS Linux release 7.2.1511 (Core)
auth_cache_negative_ttl = 1 mins
auth_cache_size = 64 M
auth_cache_ttl = 2 hours
auth_mechanisms = plain login
auth_username_chars =
auth_verbose = yes
base_dir = /var/run/dovecot/
debug_log_path = /dev/null
default_login_user = dovecot
disable_plaintext_auth = no
doveadm_password =  # hidden, use -P to show it
doveadm_port = 12345
first_valid_gid = 1001
first_valid_uid = 1001
info_log_path = /dev/stderr
lda_mailbox_autocreate = yes
lda_original_recipient_header = X-Envelope-To
log_path = /dev/stderr
log_timestamp =
login_log_format_elements = user=[%u] method=%m rip=%r lip=%l %c
mail_gid = 1001
mail_location = mdbox:~:INDEX=%h/INDEX
mail_plugins = "notify replication stats"
mail_uid = 1001
mbox_write_locks = fcntl
namespace {
  inbox = yes
  location =
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /usr/local/dovecot2/etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin {
  quota = dict:User quota::file:%h/mdbox/dovecot-quota
  quota_warning = storage=85%% quota-warning 85 %u
  stats_refresh = 30 secs
  stats_track_cmds = yes
}
replication_max_conns = 30
sendmail_path = /usr/local/exim/bin/exim
service aggregator {
  fifo_listener replication-notify-fifo {
    mode = 0666
    user = popuser
  }
  unix_listener replication-notify {
    mode = 0666
    user = popuser
  }
}
service anvil {
  client_limit = 60000
}
service auth {
  client_limit = 60000
  unix_listener auth-userdb {
    mode = 0666
    user = popuser
  }
  unix_listener auth {
    mode = 0666
    user = popuser
  }
}
service config {
  unix_listener config {
    user = popuser
  }
}
service dict {
  unix_listener dict {
    mode = 0666
    user = popuser
  }
}
service doveadm {
  inet_listener {
    port = 12345
  }
  user = popuser
}
service imap-login {
  chroot = login
  process_limit = 60000
  process_min_avail = 16
}
service imap {
  executable = /usr/local/dovecot2/libexec/dovecot/imap
  process_limit = 250000
}
service ipc {
  client_limit = 60000
  unix_listener ipc {
    mode = 0650
    user = dovecot
  }
  unix_listener login/ipc-proxy {
    mode = 0650
    user = dovecot
  }
}
service lmtp {
  unix_listener lmtp {
    mode = 0666
    user = popuser
  }
}
service pop3-login {
  chroot = login
  process_limit = 60000
  process_min_avail = 16
}
service pop3 {
  executable = /usr/local/dovecot2/libexec/dovecot/pop3
  process_limit = 250000
}
service replicator {
  unix_listener replicator-doveadm {
    mode = 0600
    user = popuser
  }
}
service stats {
  fifo_listener stats-mail {
    mode = 0600
    user = popuser
  }
}
ssl_cert = </usr/local/dovecot2/etc/dovecot/certs/cert1.crt
ssl_key = </usr/local/dovecot2/etc/dovecot/certs/cert1.key
ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2
userdb {
  args = /usr/local/dovecot2/etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
verbose_proctitle = yes
protocol doveadm {
  mail_plugin_dir = /usr/local/dovecot2/lib/dovecot/
  mail_plugins = quota
}
protocol lda {
  info_log_path = /var/log/dovecot-lda
  log_path = /var/log/dovecot-lda
  log_timestamp = "%b %d %H:%M:%S "
  mail_plugin_dir = /usr/local/dovecot2/lib/dovecot/
  mail_plugins = quota
  postmaster_address = %u
}
protocol imap {
  imap_client_workarounds =
  mail_max_userip_connections = 100
  mail_plugin_dir = /usr/local/dovecot2/lib/dovecot/
  mail_plugins = quota imap_quota stats imap_stats
}
protocol pop3 {
  mail_plugin_dir = /usr/local/dovecot2/lib/dovecot/
  mail_plugins = quota stats
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_enable_last = yes
  pop3_fast_size_lookups = yes
  pop3_reuse_xuidl = no
  pop3_uidl_format = %g
}
local xxx.xxx.xxx.54 {
  protocol imap {
    ssl_cert = </usr/local/dovecot2/etc/dovecot/certs/cert1.crt
    ssl_key = </usr/local/dovecot2/etc/dovecot/certs/cert1.key
  }
}
local xxx.xxx.xxx.54 {
  protocol pop3 {
    ssl_cert = </usr/local/dovecot2/etc/dovecot/certs/cert1.crt
    ssl_key = </usr/local/dovecot2/etc/dovecot/certs/cert1.key
  }
}
local xxx.xxx.xxx.55 {
  protocol imap {
    ssl_cert = </usr/local/dovecot2/etc/dovecot/certs/cert2.crt
    ssl_key = </usr/local/dovecot2/etc/dovecot/certs/cert2.key
  }
}
local xxx.xxx.xxx.55 {
  protocol pop3 {
    ssl_cert = </usr/local/dovecot2/etc/dovecot/certs/cert2.crt
    ssl_key = </usr/local/dovecot2/etc/dovecot/certs/cert2.key
  }
}
local xxx.xxx.xxx.56 {
  protocol imap {
    ssl_cert = </usr/local/dovecot2/etc/dovecot/certs/cert3.crt
    ssl_key = </usr/local/dovecot2/etc/dovecot/certs/cert3.key
  }
}
local xxx.xxx.xxx.56 {
  protocol pop3 {
    ssl_cert = </usr/local/dovecot2/etc/dovecot/certs/cert3.crt
    ssl_key = </usr/local/dovecot2/etc/dovecot/certs/cert3.key
  }
}
local xxxx:xxxx::fa {
  protocol imap {
    ssl_cert = </usr/local/dovecot2/etc/dovecot/certs/cert1.crt
    ssl_key = </usr/local/dovecot2/etc/dovecot/certs/cert1.key
  }
}
local xxxx:xxxx::fa {
  protocol pop3 {
    ssl_cert = </usr/local/dovecot2/etc/dovecot/certs/cert1.crt
    ssl_key = </usr/local/dovecot2/etc/dovecot/certs/cert1.key
  }
}
local xxxx:xxxx::fb {
  protocol imap {
    ssl_cert = </usr/local/dovecot2/etc/dovecot/certs/cert2.crt
    ssl_key = </usr/local/dovecot2/etc/dovecot/certs/cert2.key
  }
}
local xxxx:xxxx::fb {
  protocol pop3 {
    ssl_cert = </usr/local/dovecot2/etc/dovecot/certs/cert2.crt
    ssl_key = </usr/local/dovecot2/etc/dovecot/certs/cert2.key
  }
}
local xxxx:xxxx::fc {
  protocol imap {
    ssl_cert = </usr/local/dovecot2/etc/dovecot/certs/cert3.crt
    ssl_key = </usr/local/dovecot2/etc/dovecot/certs/cert3.key
  }
}
local xxxx:xxxx::fc {
  protocol pop3 {
    ssl_cert = </usr/local/dovecot2/etc/dovecot/certs/cert3.crt
    ssl_key = </usr/local/dovecot2/etc/dovecot/certs/cert3.key
  }
}

More information about the dovecot mailing list