Date: Wed, 24 May 2006 19:55:41 +1000
From: Rob Middleton <robm-dovecot@centenary.org.au>
Subject: Re: [Dovecot] Apple Mail and too many open files?
To: Alan Schmitt <alan.schmitt@polytechnique.org>
Cc: Dovecot List Mailing <dovecot@dovecot.org>
OS X is configured by default with these numbers way too low. OS X has some really dumb processes like AFP that will chew through all of your open files and not cope cleanly with running out of allowable/available filehandles.
If you're running filesharing of ANY kind on your mail server, you
should stop it. Mail servers should run mail, not run AFP and Samba
and other things.
OS X has a DoS vulnerability in the way ssh processes are spawned and the ssh interaction with their PAM modules (it exhibits with the symptoms you have described). Have you really got port 22 blocked from the outside world?? Have you tested that? Consider running ssh on an alternate port if running OS X server (as Apple's GUI config tools for the firewall don't always allow you to block port 22).
This is a very simple problem to fix, and doesn't require blocking
port 22.
Set up /etc/hosts.allow:
sshd : 192.169.1.0/255.255.255.0
sshd-keygen-wrapper : 192.168.1.0/255.255.255.0
Set up /etc/hosts.deny:
ALL: ALL:deny
Tcpwrappers will now take care of you, and any DOS attacks you get
will simply be dropped.
Do consider running your mail services off a machine that is not a Mac OS X server. OS X server is merely OS X client/workstation with a
pretty management utility for some 'nix services. It is not stable under high load -- and it is not even stable under moderate load without numerous performance tweaks (it doesn't cope at all well if the disk queue goes up a touch or loadavg is at all interesting - ie it degrades poorly under load).
While some of this statement may be accurate, there's a lot of FUD
here too. Both OS X and OS X server use the same kernel, it is
true. However, these operating systems are fast and reliable. We
ran our mail server for a couple of years on OS X with exim and
courier-imap, and the only reason we did stop and move to Linux is
because we needed a bigger solution and intel-based hardware was
cheaper than a bunch of XServes.
And I will challenge your statement about high load. We have two web
servers that average between 5 and 10 mbits of constant web load,
running on OS X Server and XServes. The average load on these boxes
is something like 0.20.
Roger Weeks
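
The following is an added example, not part of the original message: a simplified Python model of the TCP Wrappers lookup order (hosts.allow first, then hosts.deny, allow if neither matches) that evaluates the two files exactly as posted above, so the rules can be checked against sample client addresses before they are relied on. It assumes IPv4 only, handles just `ALL` and `net/mask` client patterns, and ignores any text after the second colon; the function names are hypothetical.

```python
import ipaddress

# Rules copied from the message as posted.
HOSTS_ALLOW = """\
sshd : 192.169.1.0/255.255.255.0
sshd-keygen-wrapper : 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = "ALL: ALL:deny\n"

def parse_rules(text):
    """Yield (daemons, clients) per rule; fields after the second ':' are ignored."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            yield (fields[0].replace(",", " ").split(),
                   fields[1].replace(",", " ").split())

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    try:
        if "/" in pattern:  # net/mask form, e.g. 192.168.1.0/255.255.255.0
            return ip in ipaddress.ip_network(pattern, strict=False)
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # pattern kinds outside this simplified model never match

def any_rule_matches(text, daemon, ip):
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(client_matches(p, ip) for p in clients)
        for daemons, clients in parse_rules(text)
    )

def is_allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    ip = ipaddress.ip_address(client)
    if any_rule_matches(allow, daemon, ip):
        return True
    return not any_rule_matches(deny, daemon, ip)

if __name__ == "__main__":
    # Constructed sample clients: two LAN-style addresses and one outside host.
    for daemon in ("sshd", "sshd-keygen-wrapper"):
        for client in ("192.168.1.10", "192.169.1.10", "203.0.113.5"):
            verdict = "allow" if is_allowed(daemon, client) else "deny"
            print(f"{daemon:20} {client:15} {verdict}")
```

Running it prints one verdict per daemon and client pair, which makes a mismatch between the two network prefixes in hosts.allow visible before the files are deployed.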