[Dovecot] client limit and STARTTLS
Hi all,
I'm migrating from one system to another. Both are Arch Linux, but copying the configurations and just modifying them for IP addresses and hostnames didn't work.
Here's doveconf -n
# 2.1.15: /etc/dovecot/dovecot.conf
doveconf: Warning: service auth { client_limit=256 } is lower than required under max. load (3072)
doveconf: Warning: service anvil { client_limit=256 } is lower than required under max. load (2051)
# OS: Linux 3.8.4-1-ARCH x86_64
base_dir = /var/run/dovecot/
default_client_limit = 256
default_process_limit = 1024
login_trusted_networks = 10.8.0.0/16 127.0.0.0/8
mail_location = maildir:~/Maildir
mail_max_userip_connections = 30
passdb {
  args = failure_show_msg=yes
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
ssl_cert = </big/www/ssl/www.cybernude.org_publickey.pem
ssl_key = </big/www/ssl/www.cybernude.org_privatekey.pem
userdb {
  driver = passwd
}
Obvious first question: I can't figure out how to make dovecot happy with the client and process limits. I'm not terribly worried about going overboard here, though I have a very small number of users; the migration is to a much more capable system. But I would like to stop looking at the warning. It doesn't seem to matter what I put where--it keeps complaining.
Second question: STARTTLS isn't working. What am I missing? Sorry if this is something that should be obvious; I'm fighting a similar battle with postfix and I'm being pushed around the bend while I really need to be working on other things.
Thanks!
Hi David,
On Fri, 2013-04-05 at 13:05 -0700, David Benfell wrote:
> doveconf: Warning: service auth { client_limit=256 } is lower than required under max. load (3072)
> doveconf: Warning: service anvil { client_limit=256 } is lower than required under max. load (2051)
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  client_limit = 3072
}
service anvil {
  client_limit = 2051
}
(That's kinda interesting: my anvil values need to be higher than auth values, yours is the opposite, but if that's what dovecot says...)
> Second question: STARTTLS isn't working. What am I missing? Sorry if this is something that should be obvious; I'm fighting a similar battle with postfix and I'm being pushed around the bend while I really need to be working on other things.
Are your certificate chains valid? Simply saying "isn't working" is almost a requirement for a *sigh* log output please, or a better description than "isn't working" ;)
Hi Noel,
On Sat, Apr 06, 2013 at 12:43:02PM +1000, Noel Butler wrote:
> > Second question: STARTTLS isn't working. What am I missing? Sorry if this is something that should be obvious; I'm fighting a similar battle with postfix and I'm being pushed around the bend while I really need to be working on other things.
> Are your certificate chains valid? Simply saying "isn't working" is almost a requirement for a *sigh* log output please, or a better description than "isn't working" ;)
Clearly this had been wrong at the previous installation as well. I don't know why I had seen it differently before.
Yes, the certificate chains were screwed up. And you hit the nail on the head when you pointed to chains. It's a StartSSL cert and I've had trouble getting this straight from the beginning.
Thanks!
Now if we can sort out how to set the client and process limits. I changed the settings like thus:
default_process_limit = 1024
default_client_limit = 4096
Now it tells me something different, but much less urgently, at startup:
Apr 06 00:13:42 munich.parts-unknown.org dovecot[1816]: Warning: fd limit (ulimit -n) is lower than required under max. load (1024 < 4096), because of default_client_count
The truth is, I can't imagine having 4096 clients. I mean, it's true, I like my toys, but.....
So I changed it again:
default_process_limit = 128
default_client_limit = 512
And now it seems to be fine. But I'm mystified because what you say is the case on your system, that is, that the process limit needs to be greater than the client limit, is what I would expect: wouldn't each client require at least one process?
Thanks!
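The chain problem David confirms above is the classic one: the server hands out only its own certificate, and the client has no way to reach the root because the issuer's intermediate is never sent. The script below is an added example and not part of the thread or of Dovecot itself; it builds a constructed, throwaway root -> intermediate -> leaf PKI (all names hypothetical, including mail.example.test), writes the file Dovecot's ssl_cert should point at (server certificate first, intermediate after it), and checks each candidate file the way an IMAP client effectively does during STARTTLS: using only the certificates that would be served. It requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# PKI (all names constructed) and check whether a Dovecot ssl_cert file carries the
# intermediate it needs. Requires the openssl CLI.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to demonstrate"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_key_and_csr NAME SUBJECT: EC key plus CSR under $WORK
make_key_and_csr() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key"
    openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr"
}

# build_test_pki: constructed three-tier chain. The intermediate is what an issuer
# such as StartSSL hands out separately and what the server must also serve.
build_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.test\n' > "$WORK/leaf.ext"

    make_key_and_csr root "/CN=Constructed Test Root"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem"

    make_key_and_csr int "/CN=Constructed Test Intermediate"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem"

    make_key_and_csr leaf "/CN=mail.example.test"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem"

    # What the file behind "ssl_cert = </path/to/file" should contain:
    # the server certificate first, then the intermediate(s).
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
    # The common mistake: only the server certificate.
    cp "$WORK/leaf.pem" "$WORK/leafonly.pem"
}

# verify_chain CERTFILE ROOTFILE: succeed only if the first certificate in CERTFILE
# chains to ROOTFILE using nothing but the extra certificates in CERTFILE itself,
# which is all a client receives in the STARTTLS handshake.
verify_chain() {
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1" > "$WORK/served_leaf.pem"
    awk '/-----BEGIN CERTIFICATE-----/{n++} n>=2' "$1" > "$WORK/served_extra.pem"
    if [ -s "$WORK/served_extra.pem" ]; then
        openssl verify -CAfile "$2" -untrusted "$WORK/served_extra.pem" "$WORK/served_leaf.pem" 2>&1 | grep -q ': OK$'
    else
        openssl verify -CAfile "$2" "$WORK/served_leaf.pem" 2>&1 | grep -q ': OK$'
    fi
}

build_test_pki
for f in fullchain.pem leafonly.pem; do
    if verify_chain "$WORK/$f" "$WORK/root.pem"; then
        echo "$f: chain verifies"
    else
        echo "$f: chain incomplete (missing intermediate?)"
    fi
done
# Against a running server the same served certificates can be pulled with
# (host name is a placeholder):
#   openssl s_client -connect mail.example.test:143 -starttls imap -showcerts
```

Running it prints "fullchain.pem: chain verifies" and "leafonly.pem: chain incomplete (missing intermediate?)", which is exactly the difference between a working and a broken StartSSL setup: the leaf certificate is fine on its own, it just cannot be linked to a trusted root unless Dovecot serves the intermediate along with it.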
On 06.04.2013 10:09, David Benfell wrote:
> So I changed it again:
> default_process_limit = 128
> default_client_limit = 512
> And now it seems to be fine. But I'm mystified because what you say is the case on your system, that is, that the process limit needs to be greater than the client limit, is what I would expect: wouldn't each client require at least one process?
No, 512x128 = 65536 connections; each process can serve default_client_limit clients.
On Sat, 2013-04-06 at 01:09 -0700, David Benfell wrote:
> > Are your certificate chains valid? Simply saying "isn't working" is almost a requirement for a *sigh* log output please, or a better description than "isn't working" ;)
> Yes, the certificate chains were screwed up. And you hit the nail on the head when you pointed to chains. It's a StartSSL cert and I've had trouble getting this straight from the beginning.
no problems, it's the main culprit for most SSL issues
> Thanks!
> Now if we can sort out how to set the client and process limits. I changed the settings like thus:
> default_process_limit = 1024
> default_client_limit = 4096
I see Harald has explained this already (I don't use high performance mode, I prefer security, but you won't notice any performance hit anyway, we never have).
But if you can't see yourself with that many concurrent users, remove them and stick with defaults, unless you do need to increase them, which you'll soon learn from your users; worry about it then.
> The truth is, I can't imagine having 4096 clients. I mean, it's true, I like my toys, but.....
When you see this, just set a ulimit in dovecot's startup script:
#!/bin/sh
# rc.dovecot
# Start/stop/restart dovecot.
ulimit -n 8192
...dovecot stuff...
Cheers