[Dovecot] vsz_limit
Hello Timo and dovecot teamwork,
We have dovecot 2.0.10 installed with this configuration:
# dovecot -n
# 2.0.10: /usr/local/dovecot/etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-92.1.18.el5 x86_64 Scientific Linux SL release 5.2 (Boron)
auth_cache_size = 500 k
auth_cache_ttl = 1000 secs
disable_plaintext_auth = no
first_valid_uid = 501
lock_method = dotlock
mail_fsync = always
mail_gid = vmail
mail_location = maildir:%h/Maildir
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = quota autocreate
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mmap_disable = yes
namespace {
  inbox = yes
  location =
  prefix =
  separator = .
  type = private
}
namespace {
  hidden = yes
  inbox = no
  list = no
  location =
  prefix = INBOX.
  separator = .
  type = private
}
namespace {
  location = maildir:%h/Maildir/_backup
  prefix = _backup.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin/autocreate = Spam
plugin/autosubscribe = Spam
plugin/quota = maildir:_backup:ns=
plugin/quota_warning = storage=75%% quota-warning 75 %u
plugin/quota_warning2 = storage=90%% quota-warning 90 %u
plugin/sieve = %h/.dovecot.sieve
plugin/sieve_dir = %h/sieve
protocols = imap pop3 sieve
service anvil {
  client_limit = 5000
}
service auth {
  client_limit = 9000
  unix_listener auth-master {
    group = vmail
    mode = 0700
    user = vmail
  }
  user = root
  vsz_limit = 2 G
}
service imap-login {
  executable = /usr/local/dovecot/libexec/dovecot/imap-login
  inet_listener imap {
    address = *
    port = 143
  }
  inet_listener imaps {
    address = *
    port = 993
  }
  process_limit = 2048
  process_min_avail = 20
  user = vmail
}
service imap {
  executable = /usr/local/dovecot/libexec/dovecot/imap
  process_limit = 2048
}
service managesieve-login {
  executable = /usr/local/dovecot/libexec/dovecot/managesieve-login
  inet_listener sieve {
    address = *
    port = 4190
  }
  inet_listener sieve_deprecated {
    address = *
    port = 12000
  }
  user = vmail
}
service managesieve {
  executable = /usr/local/dovecot/libexec/dovecot/managesieve
}
service pop3-login {
  executable = /usr/local/dovecot/libexec/dovecot/pop3-login
  inet_listener pop3 {
    address = *
    port = 110
  }
  inet_listener pop3s {
    address = *
    port = 995
  }
  process_limit = 2048
  process_min_avail = 20
  user = vmail
}
service pop3 {
  executable = /usr/local/dovecot/libexec/dovecot/pop3
  process_limit = 2048
}
service quota-warning {
  executable = script /usr/local/dovecot/bin/quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0700
    user = vmail
  }
}
ssl_cert = </etc/ssl/correo_xxxx.crt
ssl_key = </etc/ssl/correo_xxxx.pem
syslog_facility = local3
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
valid_chroot_dirs = /buzones/
protocol imap {
  imap_client_workarounds =
  mail_plugin_dir = /usr/local/dovecot/lib/dovecot
  mail_plugins = quota autocreate imap_quota
}
protocol pop3 {
  mail_plugin_dir = /usr/local/dovecot/lib/dovecot
  mail_plugins = quota autocreate
  pop3_uidl_format = %08Xu%08Xv
}
protocol lda {
  auth_socket_path = /usr/local/dovecot/var/run/dovecot/auth-master
  hostname = buzon.xxxx.es
  mail_plugin_dir = /usr/local/dovecot/lib/dovecot
  mail_plugins = quota autocreate sieve
  postmaster_address = postmaster@xxxx.es
  quota_full_tempfail = no
  rejection_reason = Su mensaje para <%t> fue rechazado automaticamente por nuestro sistema :%n%r
  rejection_subject = Rechazado: %s
  sendmail_path = /usr/sbin/exim
}
protocol sieve {
  managesieve_implementation_string = dovecot Pigeonhole
  managesieve_logout_format = bytes ( in=%i : out=%o )
  managesieve_max_line_length = 65536
}
The problem is at the moment of maximum load of the system. We can see many imap sessions but there are also many imap-login processes, which is weird. Has it something to do with any parameter of our configuration? We think it is something with the vsz_limit parameter. How can we tune it?
Thank you very much in advance.
Kind regards.
Héctor Moreno Blanco División de Seguridad e Infraestructuras / Security and Infrastructures Division
GMV Isaac Newton, 11 P.T.M. Tres Cantos E-28760 Madrid Tel. +34 91 807 21 00 Fax +34 91 807 21 99 www.gmv.com <http://www.gmv.com/>
This message including any attachments may contain confidential information, according to our Information Security Management System, and intended solely for a specific individual to whom they are addressed. Any unauthorised copy, disclosure or distribution of this message is strictly forbidden. If you have received this transmission in error, please notify the sender immediately and delete it.
On Feb 8, 2012, at 3:58 AM, Héctor Moreno Blanco wrote:
-snip-
> service imap-login {
>   executable = /usr/local/dovecot/libexec/dovecot/imap-login
>   inet_listener imap {
>     address = *
>     port = 143
>   }
>   inet_listener imaps {
>     address = *
>     port = 993
>   }
>   process_limit = 2048
>   process_min_avail = 20
>   user = vmail
> }
> service imap {
>   executable = /usr/local/dovecot/libexec/dovecot/imap
>   process_limit = 2048
> }
- snip, again -
> The problem is at the moment of maximum load of the system. We can see many imap sessions but there are also many imap-login processes, which is weird. Has it something to do with any parameter of our configuration? We think it is something with the vsz_limit parameter. How can we tune it?
I'm not 100% sure if this is the case, but it looks like your setting process_limit and process_min_avail in the imap-login service block is putting dovecot in "High Security" mode. http://wiki2.dovecot.org/LoginProcess has good details on that. In short, I suspect your settings are creating a new imap-login process for each new IMAP connection. As I understand it, vsz_limit is more important when running in "High Performance" mode where you have just 1 imap-login process that handles all new IMAP connections. That process can grow quite large if you have a lot of simultaneous IMAP clients.
Hope this helps, David Warden
Hello Timo,
I can see these errors, but I'm not sure if they have something to do with my problem:
...
Feb 8 12:04:57 XXXXXX dovecot: imap-login: Error: read(imap) failed: Connection reset by peer
Feb 8 12:04:57 XXXXXX dovecot: imap-login: Error: read(imap) failed: Remote closed connection (process_limit reached?)
Feb 8 12:04:57 XXXXXX dovecot: imap-login: Error: fd_send(imap, 16) failed: Broken pipe
...
Feb 8 12:08:09 XXXXXX dovecot: imap-login: Error: master(imap): Auth request timed out (received 0/12 bytes)
...
Do you see anything wrong?
Anyway, I'm going to investigate what David Warden told me about the "High Security" mode, just in case it is related to my problem.
I appreciate your answers.
Kind regards.
Héctor Moreno Blanco División de Seguridad e Infraestructuras / Security and Infrastructures Division GMV Isaac Newton, 11 P.T.M. Tres Cantos E-28760 Madrid Tel. +34 91 807 21 00 Fax +34 91 807 21 99 www.gmv.com
-----Original message----- From: Timo Sirainen [mailto:tss@iki.fi] Sent: Thursday, 09 February 2012 0:29 To: Héctor Moreno Blanco CC: dovecot@dovecot.org Subject: Re: [Dovecot] vsz_limit
On 8.2.2012, at 10.58, Héctor Moreno Blanco wrote:
> The problem is at the moment of maximum load of the system.
What problem? Does Dovecot log any errors?
On 9.2.2012, at 10.41, Héctor Moreno Blanco wrote:
> I can see these errors, but I'm not sure if they have something to do with my problem:
> ...
> Feb 8 12:04:57 XXXXXX dovecot: imap-login: Error: read(imap) failed: Connection reset by peer
> Feb 8 12:04:57 XXXXXX dovecot: imap-login: Error: read(imap) failed: Remote closed connection (process_limit reached?)
> Feb 8 12:04:57 XXXXXX dovecot: imap-login: Error: fd_send(imap, 16) failed: Broken pipe
imap service isn't responding.
> Feb 8 12:08:09 XXXXXX dovecot: imap-login: Error: master(imap): Auth request timed out (received 0/12 bytes)
imap process isn't responding because auth process isn't responding.
> Do you see anything wrong?
Yes. Is the system load very high? That could explain this. Or do you see any other error messages? Those errors you pasted above show that something is wrong, but not the root cause of what's wrong.
> Anyway, I'm going to investigate what David Warden told me about the "High Security" mode, just in case it is related to my problem.
It could at least help reduce the load. Also it would be a good idea to upgrade to latest v2.0.
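Added example, not part of the original thread: a small Python triage that buckets the imap-login errors quoted above per minute and tags them with the readings given in the reply (service not responding, auth not responding). The function names and category labels are assumptions made for illustration, and the sample input is constructed from the four log lines in the thread.

```python
import re
from collections import Counter

# Constructed sample input: the four error lines quoted in this thread.
SAMPLE_LOG = """\
Feb 8 12:04:57 XXXXXX dovecot: imap-login: Error: read(imap) failed: Connection reset by peer
Feb 8 12:04:57 XXXXXX dovecot: imap-login: Error: read(imap) failed: Remote closed connection (process_limit reached?)
Feb 8 12:04:57 XXXXXX dovecot: imap-login: Error: fd_send(imap, 16) failed: Broken pipe
Feb 8 12:08:09 XXXXXX dovecot: imap-login: Error: master(imap): Auth request timed out (received 0/12 bytes)
"""

# syslog layout: "Mon D HH:MM:SS host dovecot: <service>: Error: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d):\d\d\s+\S+\s+dovecot:\s+"
    r"(?P<svc>[\w-]+):\s+Error:\s+(?P<msg>.*)$"
)

# Category labels are hypothetical; the readings follow the reply above.
RULES = [
    (re.compile(r"Auth request timed out"), "auth-not-responding"),
    (re.compile(r"^(?:read|fd_send)\([\w-]+(?:, \d+)?\) failed"), "service-not-responding"),
]

def classify(line):
    """Return (minute, service, category) for a Dovecot error line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    minute = " ".join(m.group("ts").split())  # normalise "Feb  8" padding
    for pattern, category in RULES:
        if pattern.search(m.group("msg")):
            return minute, m.group("svc"), category
    return minute, m.group("svc"), "other"

def triage(log_text):
    """Count error categories per minute so bursts at peak load stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            minute, _svc, category = hit
            counts[(minute, category)] += 1
    return counts

if __name__ == "__main__":
    for (minute, category), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{minute}  {category:<24} {n}")
```

As the reply notes, these categories show which process stopped answering, not the root cause; the per-minute counts are meant to be lined up against load and other log messages from the same minute.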
Hello Timo,
There is no other problem as far as I know. That's why I think it has something to do with dovecot. Specifically with the imap and imap-login process, as I observe in the processes status. Anyway, the system load is not high enough to cause these problems. However, imap service doesn't work properly.
So, in order to enable the login process in high performance mode I add the parameter service_count = 0. Right?
I'll let you know if this helps.
Kind regards.
Héctor Moreno Blanco División de Seguridad e Infraestructuras / Security and Infrastructures Division GMV Isaac Newton, 11 P.T.M. Tres Cantos E-28760 Madrid Tel. +34 91 807 21 00 Fax +34 91 807 21 99 www.gmv.com
-----Original message----- From: Timo Sirainen [mailto:tss@iki.fi] Sent: Thursday, 09 February 2012 13:53 To: Héctor Moreno Blanco CC: dovecot@dovecot.org Subject: Re: [Dovecot] vsz_limit
participants (3)
- David Warden
- Héctor Moreno Blanco
- Timo Sirainen