[Dovecot] Is Dovecot ready for production use?
Hi!
I'm currently running RH 9 with postfix, uw-imap and MailScanner. I want to install Fedora Core 2 (when it comes out next week) with postfix, dovecot and amavisd. I'm unhappy with the problems I'm having with MailScanner, with the difficulty I've had with authentication as I am currently configured, and want to move to Maildir instead of mbox.
That being said, is dovecot stable enough yet for production use? I only have four users on my home linux box, but I personally get around 500 emails a day (that fedora list is *busy*).
Thanks,
Ben
Benjamin J. Weiss wrote:
That being said, is dovecot stable enough yet for production use? I only have four users on my home linux box, but I personally get around 500 emails a day (that fedora list is *busy*).
I use it in two such environments, one in an office with 10 users, most of whom are connected from inside the office itself for the whole day. It easily passes 500 mails across the network in 24 hours. The other is in a larger organisation with maybe 20 or 30 people connected at a time through various webmail clients.
In both cases, it has behaved perfectly. It was also trivial to set up, particularly when contrasted with uw-imapd or courier.
I'm using Jaldhar's Debian backports. And very nice they are too :-)
regards,
Steffen
-- Steffen Higel
Knowledge and Data Engineering Group, | e: Steffen.Higel@cs.tcd.ie
Department of Computer Science,       | w: http://netsoc.tcd.ie/~higels
Trinity College Dublin                | t: +353 (1) 6082361
pgp: http://www.cs.tcd.ie/Steffen.Higel/higels.txt
Benjamin J. Weiss wrote:
Hi!
I'm currently running RH 9 with postfix, uw-imap and MailScanner. I want to install Fedora Core 2 (when it comes out next week) with postfix, dovecot and amavisd. I'm unhappy with the problems I'm having with MailScanner, with the difficulty I've had with authentication as I am currently configured, and want to move to Maildir instead of mbox.
That being said, is dovecot stable enough yet for production use? I only have four users on my home linux box, but I personally get around 500 emails a day (that fedora list is *busy*).
I've "backported" the latest Red Hat development packages of Dovecot to Red Hat 9 (simply rebuilt the RPM), and have 150+ users using it. My server runs Sendmail (milter plugins require it for now), Dovecot (using Maildir), SpamAssassin (via procmail), ClamAV (via milter), and Anomy Sanitizer (via procmail). There are a couple of customflags annoyances between Mozilla-based mail clients and Dovecot running Maildir, however it has otherwise proven quite stable in my environment. We process about 5-6000 mails per day.
HTH, -Rick
-- Rick Johnson, RHCE #807302311706007 - rjohnson@medata.com Linux/Network Administrator - Medata, Inc. PGP Public Key: https://mail.medata.com/pgp/rjohnson.asc
From: "Rick Johnson" <rjohnson@medata.com>
Benjamin J. Weiss wrote:
Hi!
I'm currently running RH 9 with postfix, uw-imap and MailScanner. I want to install Fedora Core 2 (when it comes out next week) with postfix, dovecot and amavisd. I'm unhappy with the problems I'm having with MailScanner, with the difficulty I've had with authentication as I am currently configured, and want to move to Maildir instead of mbox.
That being said, is dovecot stable enough yet for production use? I only have four users on my home linux box, but I personally get around 500 emails a day (that fedora list is *busy*).
I've "backported" the latest Red Hat development packages of Dovecot to Red Hat 9 (simply rebuilt the RPM), and have 150+ users using it. My server runs Sendmail (milter plugins require it for now), Dovecot (using Maildir), SpamAssassin (via procmail), ClamAV (via milter), and Anomy Sanitizer (via procmail). There are a couple of customflags annoyances between Mozilla-based mail clients and Dovecot running Maildir, however it has otherwise proven quite stable in my environment. We process about 5-6000 mails per day.
Thanks, but I received an email pointing out an SSL problem with Fedora and dovecot:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=115284
and I do *all* connections to my server in an encrypted mode, even imaps.
If dovecot is going to crash on an hourly basis, I may have to stick with uw and mbox. :(
Benjamin J. Weiss wrote:
Thanks, but I received an email pointing out an SSL problem with Fedora and dovecot:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=115284
and I do *all* connections to my server in an encrypted mode, even imaps.
If dovecot is going to crash on an hourly basis, I may have to stick with uw and mbox. :(
I have yet to experience this problem with the 0.99.10.4 version from the Devel tree. We do 95% of our connections via SSL as well (OpenSSL), and I run Fedora Core 1 at home for a personal server configured in the same fashion.
Note I am using a dovecot package from the devel tree. That version is: dovecot-0.99.10.4-3. The package that was reported was dovecot-0.99.10-6, which is the "stock" fedora package. We had problems with that version too, which is why I stepped up. So far, we've avoided any crashes as a result of the update.
Rgds, -Rick
-- Rick Johnson, RHCE #807302311706007 - rjohnson@medata.com Linux/Network Administrator - Medata, Inc. PGP Public Key: https://mail.medata.com/pgp/rjohnson.asc
On Mon, 2004-05-10 at 20:35, Rick Johnson wrote:
Benjamin J. Weiss wrote:
Thanks, but I received an email pointing out an SSL problem with Fedora and dovecot:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=115284
and I do *all* connections to my server in an encrypted mode, even imaps.
If dovecot is going to crash on an hourly basis, I may have to stick with uw and mbox. :(
I have yet to experience this problem with the 0.99.10.4 version from the Devel tree. We do 95% of our connections via SSL as well (OpenSSL), and I run Fedora Core 1 at home for a personal server configured in the same fashion.
Note I am using a dovecot package from the devel tree. That version is: dovecot-0.99.10.4-3. The package that was reported was dovecot-0.99.10-6, which is the "stock" fedora package. We had problems with that version too, which is why I stepped up. So far, we've avoided any crashes as a result of the update.
It was me who pointed this problem out to Benjamin in a private email.
I have rebuilt and installed the version of the package you mention. I will test it out to see if it fixes the problem. It does however look like Timo is still working on a fix though.
-- Anders Nielsen <anielsen@diku.dk>
On Tue, 2004-05-11 at 11:51, Anders Nielsen wrote:
It was me who pointed this problem out to Benjamin in a private email.
I have rebuilt and installed the version of the package you mention. I will test it out to see if it fixes the problem. It does however look like Timo is still working on a fix though.
The problem is still there - 2 crashes in 1 hour of testing.
Anders Nielsen <anielsen@diku.dk>
On Mon, 2004-05-10 at 21:23, Benjamin J. Weiss wrote:
Thanks, but I received an email pointing out an SSL problem with Fedora and dovecot:
Well, I finally looked at what Fedora's OpenSSL package looks like. It has at least this patch which doesn't work if Dovecot is chrooted. I'm not really sure when ICA is really called though. Actually there's a bug in that patch, if open() fails rfd = -1. The check should be if (rfd == -1), not if (rfd).. Maybe it would work with that fix? Anyone want to try? --- openssl-0.9.7a/libica-1.3.5/src/prand.c.urandom 2003-07-10 16:09:35.000000000 -0400 +++ openssl-0.9.7a/libica-1.3.5/src/prand.c 2003-10-24 01:59:53.000000000 -0400 @@ -421,11 +421,26 @@ */ + /* + ** Change 10/24/03 PK: Use /dev/urandom instead. + */ static unsigned char get_byte(u_int32 *array5, int current_byte) { - u_int32 val; + static int rfd = 0; /* File descriptor to /dev/urandom */ + unsigned char retval; + + if (!rfd) { + rfd = open("/dev/urandom", O_RDONLY); + } + + /* If we have a valid fd for /dev/urandom then use it */ + if (rfd) { + read(rfd, &retval, 1); + return retval; + } + /* Otherwise use the old pseudo random number generator */ val = *(array5 + current_byte/4); current_byte %= 4;
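Review bot: In get_byte(), `static int rfd = 0` uses 0 as the "not opened yet" marker, but open() reports failure with -1, so after a failed open (the chroot case described above) `if (!rfd)` never retries and `if (rfd)` is true, and read() is called on an invalid descriptor. The return value of read() is not checked either, so `retval` is returned uninitialized in that case instead of falling through to the old generator. Initialize the sentinel to -1, take the /dev/urandom path only when `rfd != -1`, and return `retval` only when `read(rfd, &retval, 1) == 1`. The hunk also removes the `u_int32 val;` declaration while the fallback path still assigns to `val`.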
On Mon, 2004-05-10 at 22:17, Timo Sirainen wrote:
Well, I finally looked at what Fedora's OpenSSL package looks like. It has at least this patch which doesn't work if Dovecot is chrooted. I'm not really sure when ICA is really called though.
I guess it's only when using some IBM crypto hardware. Also that patch couldn't be the cause of the real problem. Oh well, wondering some more.
(btw. I filed this as openssl bug in rh bugzilla)
With a little bit of thinking, maybe it's this simple to fix: diff -u -r1.21 ssl-proxy-openssl.c --- src/login-common/ssl-proxy-openssl.c 10 May 2004 02:15:16 -0000 1.21 +++ src/login-common/ssl-proxy-openssl.c 10 May 2004 20:03:26 -0000 @@ -460,9 +460,10 @@ } /* PRNG initialization might want to use /dev/urandom, make sure it - does it before chrooting. */ - if (RAND_bytes(&buf, 1) != 1) - i_fatal("RAND_bytes() failed: %s\n", ssl_last_error()); + does it before chrooting. We might not have enough entropy at + the first try, so this function may fail. It's still been + initialized though. */ + (void)RAND_bytes(&buf, 1); ssl_proxies = hash_create(default_pool, default_pool, 0, NULL, NULL); ssl_initialized = TRUE;
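Review bot: The `(void)RAND_bytes(&buf, 1);` line near the end of the hunk discards the result silently, so a PRNG that never gets seeded cannot be told apart from one that was only short of entropy on the first try. Keep the call non-fatal, but log the failure with ssl_last_error() as the removed i_fatal() line did, so a persistent failure after chrooting can be traced back to this point. The new comment's statement that the PRNG has "still been initialized" when the call fails should say what that relies on.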
On Mon, 2004-05-10 at 21:58, Timo Sirainen wrote:
With a little bit of thinking, maybe it's this simple to fix:
diff -u -r1.21 ssl-proxy-openssl.c
I am testing the patch now... So far no crashes but it is still too early to conclude anything. I will get back with more info later.
-- Anders Nielsen <anielsen@jobindex.dk>
On Tue, 2004-05-11 at 14:02, Anders Nielsen wrote:
On Mon, 2004-05-10 at 21:58, Timo Sirainen wrote:
With a little bit of thinking, maybe it's this simple to fix:
diff -u -r1.21 ssl-proxy-openssl.c
I am testing the patch now... So far no crashes but it is still too early to conclude anything. I will get back with more info later.
No crashes after 30 hours :-)
This is remarkable since we have seen between 2 and 14 crashes a day for at least 14 days. Since I put dovecot into production a month ago I have only seen one day without crashes (a Sunday where the server was almost idle).
I would say that the patch has helped. Thank you Timo :-)
-- Anders Nielsen <anielsen@diku.dk>