[Dovecot] MOSTLY SOLVED: Re: client limit and STARTTLS

Reindl Harald h.reindl at thelounge.net
Sun Apr 7 13:44:41 EEST 2013



Am 07.04.2013 12:36, schrieb David Benfell:
> On 04/07/2013 03:15 AM, Reindl Harald wrote:
>> Am 06.04.2013 10:09, schrieb David Benfell:
>>> So I changed it again:
>>>
>>> default_process_limit = 128
>>> default_client_limit = 512
>>>
>>> And now it seems to be fine. But I'm mystified because what you
>>> say is the case on your system, that is, that the process limit
>>> needs to be greater than the client limit, is what I would
>>> expect: wouldn't each client require at least one process?
> 
>> no, 512x128 = 65536 connections, each process can serve
>> default_client_limit clients
> 
> Thanks a million! I had no idea that was how it worked. I would think
> that 65536 would be enough. ;-)

http://wiki2.dovecot.org/LoginProcess

High-performance mode:
It works by using a number of long running login processes, each handling a number of connections. This loses much
of the security benefits of the login process design, because in case of a security hole (in Dovecot or SSL
library) the attacker is now able to see other users logging in and steal their passwords, read their mails, etc.

Default client_limit * process_limit = 1000*100 = 100k connections

vsz_limit should be increased to avoid out of memory errors, especially if you're using SSL/TLS.
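The capacity arithmetic and the security trade-off discussed in this thread, as an added example that is not part of the original post or of Dovecot itself. It assumes a simplified dovecot.conf syntax; the function names `parse_conf` and `login_capacity` and the sample configuration are constructed for illustration.

```python
import re

# Dovecot 2.x built-in defaults (the same 1000 * 100 quoted in the post above).
DEFAULTS = {"default_client_limit": "1000", "default_process_limit": "100"}

# Constructed sample using the limits from this thread; not a real server's config.
SAMPLE = """
default_process_limit = 128
default_client_limit = 512
service imap-login {
  inet_listener imaps {
    port = 993
  }
  service_count = 0   # long-running login processes (high-performance mode)
}
service pop3-login {
  service_count = 1   # one connection per process (high-security mode)
}
"""

def parse_conf(text):
    """Collect top-level settings and per-service settings; nested blocks are skipped."""
    top, services, stack = dict(DEFAULTS), {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([\w-]+)\s*=\s*(.*)$", line)
        if line.endswith("{"):
            stack.append(line[:-1].split())
            if len(stack) == 1 and stack[0][0] == "service":
                services.setdefault(stack[0][1], {})
        elif line == "}":
            stack.pop()
        elif m and not stack:
            top[m.group(1)] = m.group(2)
        elif m and len(stack) == 1 and stack[0][0] == "service":
            services[stack[0][1]][m.group(1)] = m.group(2)
    return top, services

def login_capacity(text):
    """Report mode and maximum simultaneous connections for each *-login service."""
    top, services = parse_conf(text)
    report = {}
    for name, cfg in services.items():
        if not name.endswith("-login"):
            continue
        # A missing or 0 service-level limit inherits the default_* value.
        clients = int(cfg.get("client_limit", 0)) or int(top["default_client_limit"])
        procs = int(cfg.get("process_limit", 0)) or int(top["default_process_limit"])
        shared = int(cfg.get("service_count", 1)) != 1  # login services default to 1
        report[name] = {"mode": "high-performance" if shared else "high-security",
                        "max_connections": procs * clients if shared else procs}
    return report
```

A service reported as `high-performance` is one where a single login process sees many users' connections, which is the exposure the wiki text above describes; `high-security` services are capped at `process_limit` simultaneous logins.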
