[Dovecot] Questions about Proxy/Director (was: Re: Indexes to MLC-SSD)
Jan-Frode Myklebust schrieb:
Yes, and in ascii-art this becomes :-)
MTA -(lmtp)--> dovecot-director ---(lmtp)---> backend-server1 \---(lmtp)---> backend-server2
IMAP-user -(imap)--> dovecot-director --(imap) --> backend-server1 \--(imap) --> backend-server2
I failed creating a nice ascii view ;-)
However, I have some more questions:
What happens if the MTA accepted a message but the backend-server fails and is unable to store it?
What about load-balancing and/or failover? Maybe all users on backend-server1 are fetching their mails causing high load while backend-server2 is idle. Is it possible to specify more than one backend-server IPs as I can do for the database hosts for userdb queries?
On Thu, Nov 24, 2011 at 02:35:55PM +0100, Patrick Westenberg wrote:
- What happens if the MTA accepted a message but the backend-server fails and is unable to store it?
Your MTA will be notified about the failure trough SMTP/LMTP error codes, and retry if it was a temp-failure.
- What about load-balancing and/or failover? Maybe all users on backend-server1 are fetching their mails causing high load while backend-server2 is idle. Is it possible to specify more than one backend-server IPs as I can do for the database hosts for userdb queries?
We use a clusterfs (so it's not very important which backend server the user is directed to), and have configured the dovecot director with:
director_mail_servers = 192.168.42.7 192.168.42.8 192.168.42.9 192.168.42.10 192.168.42.11 192.168.42.28 192.168.42.29
director_servers = 192.168.42.15 192.168.42.17
passdb {
args = proxy=y nopassword=y
driver = static
}which gives us loadbalancing of new logins, and also failover should a backend server fail.
If you want to work with at local index and maildirs on NFS, you'll need to configure something smarter for selecting backend server. Maybe use proxy extrafield to specify a host for the user, and point this at a failover IP that will hang on the preferred server by default, but fail over to another working server if the preferred server fails..
http://wiki2.dovecot.org/PasswordDatabase/ExtraField-jf
Jan-Frode Myklebust schrieb:
We use a clusterfs (so it's not very important which backend server the user is directed to), and have configured the dovecot director with:
director_mail_servers = 192.168.42.7 192.168.42.8 192.168.42.9 192.168.42.10 192.168.42.11 192.168.42.28 192.168.42.29 director_servers = 192.168.42.15 192.168.42.17 passdb { args = proxy=y nopassword=y driver = static }
which gives us loadbalancing of new logins, and also failover should a backend server fail.
That looks nice.
What is your frontend configuration? How many users do you have that you need that many backend servers? Are your index stored together with the mails?
Patrick
On Thu, Nov 24, 2011 at 11:58:01PM +0100, Patrick Westenberg wrote:
What is your frontend configuration?
The frontend is two servers running dovecot director, and ucarp for managing failover ip-addresses.
=====================================================================
# 2.0.14: /etc/dovecot/dovecot.conf
# OS: x86_64 Red Hat Enterprise Linux Server release 5.x
director_mail_servers = 192.168.42.7 192.168.42.8 192.168.42.9 192.168.42.10 192.168.42.11 192.168.42.28 192.168.42.29
director_servers = 192.168.42.15 192.168.42.17
disable_plaintext_auth = no
listen = *
lmtp_proxy = yes
passdb {
args = proxy=y nopassword=y
driver = static
}
service anvil {
client_limit = 2051
}
service auth {
client_limit = 4196
unix_listener auth-userdb {
user = dovecot
}
}
service director {
fifo_listener login/proxy-notify {
mode = 0666
}
inet_listener {
port = 5515
}
unix_listener director-userdb {
mode = 0600
}
unix_listener login/director {
mode = 0666
}
}
service imap-login {
executable = imap-login director
process_limit = 1024
}
service lmtp {
inet_listener lmtp {
address = *
port = 24
}
}
service pop3-login {
executable = pop3-login director
process_limit = 1024
}
ssl_cert =
How many users do you have that you need that many backend servers?
How many users do you have that you need that many backend servers?
I don't think I'm allowed to share that externally, sorry. This is the mail-system of an ISP, so we have quite a few users.. :-)
Are your index stored together with the mails?
They're not stored together, because we made the error of not creating a home directory for our users, but both maildirs and indexes are stored on similar cluster fs' (GPFS).
-jf
On Fri, 25 Nov 2011 09:17:15 +0100, Jan-Frode Myklebust janfrode@tanso.net wrote:
On Thu, Nov 24, 2011 at 11:58:01PM +0100, Patrick Westenberg wrote:
What is your frontend configuration?
The frontend is two servers running dovecot director, and ucarp for managing failover ip-addresses.
Two additional directors or the two directors from your posted config (.15/.17)?
Will I have to configure external IPs for the backend servers or just internal for the connections to and from the directors? I'm not sure if the director "redirects" the connections to the backend servers or if they pass through on the internal network.
How many users do you have that you need that many backend servers?
I don't think I'm allowed to share that externally, sorry. This is the mail-system of an ISP, so we have quite a few users.. :-)
Ok :-)
Hi again, I have a working test environment not but I don't feel very comfortable with a non encrypted connection between the proxy/director and the backend servers. If I set ssl = required on my backend server I get this error: imap-login: Disconnected (tried to use disabled plaintext auth) Is there a chance to encrypt this connection? # 2.0.16: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.3 auth_debug = yes auth_verbose = yes director_mail_servers = 172.17.0.31 director_servers = 172.17.213.213 disable_plaintext_auth = no lmtp_proxy = yes mail_debug = yes passdb { args = proxy=y nopassword=y driver = static } service auth { unix_listener auth-userdb { mode = 0600 user = dovecot } } service director { fifo_listener login/proxy-notify { mode = 0666 } inet_listener { port = 5515 } unix_listener director-userdb { mode = 0600 } unix_listener login/director { mode = 0666 } } service imap-login { executable = imap-login director } ssl = required ssl_cert =
On Tue, 2011-11-29 at 15:24 +0100, Patrick Westenberg wrote:
I have a working test environment not but I don't feel very comfortable with a non encrypted connection between the proxy/director and the backend servers.
If I set ssl = required on my backend server I get this error: imap-login: Disconnected (tried to use disabled plaintext auth)
Is there a chance to encrypt this connection?
See the ssl stuff in http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy
participants (3)
-
Jan-Frode Myklebust
-
Patrick Westenberg
-
Timo Sirainen