On Sun, September 10, 2023 2:03 am, Viktor Dukhovni via Postfix-users wrote:
Your amavis content filter has a non-trivial backlog of mail, probably
because each message takes a long time to process. Here the message sat
5.4 seconds in the incoming queue and then took 11 seconds to deliver
to amavis. This bottleneck suggests that the amavis filter is doing remote
DNS lookups that are quite slow.
You need to review your amavis configuration and disable or tune the
actions that lead to the processing delays.
On 13.09.23 15:34, lists--- via Postfix-users wrote:
OK, took out amavis from main.cf
#content_filter = smtp-amavis:[127.0.0.1]:10024
BIG reduction in Load average, still problem persists
took out amavis line from master.cf submission block
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#  -o content_filter=smtp-amavis:[127.0.0.1]:10026
user still reports problems...
either it's not amavis, or you need to flush your amavis queue.
you may need to limit number of concurrent amavis instances if you don't
have enough of CPU or RAM, e.g. in main.cf:
smtp-amavis_destination_concurrency_limit = 2
and in amavis config:
$max_servers = 2;
Make those numbers match, or amavis should have more processes than postfix
feeds. If you have much of CPU/RAM and process much mail, you may need to
increase those numbers instead.
HOWEVER
if it's NOT amavis issue (as it seems), you still need to track single
e-mail from being sent by client to being delivered to recipient or remote
server.
You need to watch your mail logs for new mails.
wait... shouldn't main.cf mynetworks = INCLUDE user's fixed IP...??
I thought it always did...?
no, you need those usually for servers or clients who send mail without SMTP
authentication. Clients should usually not do it, but many organizations have
historical settings.
add IP to mynetwork - I think it's working OK now..
so, it seems my issue was (partially?) not having sender's fixed IP in
mynetworks ?
I don't think so.
(I'm still aiming to look at today's logs, earlier today, timeouts, after
editing mynetworks, seems OK)
hmmm... supposed to be using 587...
if you properly uncommented submission service in master.cf, the smtp
should log as postfix/smtps/smtpd or postfix/submission/smtpd
or your user used port 25 which is used for server-server mail transfer
and may have different setup.
I e.g. use postscreen (which sometimes adds 6-seconds delay) and also
spam and virus checking milters (like amavisd-milter) on 25. This takes
much time.
on port 587/465 I tend to use amavis as content_filter, which means mail
is received from user and filtered afterwards. This makes apparent
receiving mail from client much faster.
does this look OK, that's what I had:
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
I have something like:
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
#submissions inet n - y - - smtpd
# -o syslog_name=postfix/submissions
this would immediately tell us which port the mail did come from and which
postfix/amavis settings were used.
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps => ["virusalert\@$mydomain"],
  warnbadhsender => 1,
  # forward to a smtpd service providing DKIM signing service
  # forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Atheism is a non-prophet organization.
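
The log tracing suggested in the message above (follow one mail from the client to delivery, and see which smtpd service accepted it), as an added example that is not part of the original thread. The sample log lines are constructed; the function name `trace` and the stage names given to the four `delays=a/b/c/d` fields are this example's own labels.

```python
import re

# Constructed sample lines in Postfix syslog format (not taken from the thread).
SAMPLE_LOG = """\
Sep 13 15:30:01 mx postfix/submission/smtpd[2101]: 4RmA1B2C3D: client=pc.example.org[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.org
Sep 13 15:30:01 mx postfix/qmgr[910]: 4RmA1B2C3D: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Sep 13 15:30:18 mx postfix/smtp[2110]: 4RmA1B2C3D: to=<bob@example.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=16, delays=0.05/5.4/0.01/11, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Sep 13 15:31:40 mx postfix/smtpd[2115]: 4RmA1F7G8H: client=pc.example.org[203.0.113.5]
Sep 13 15:31:40 mx postfix/qmgr[910]: 4RmA1F7G8H: from=<alice@example.org>, size=1024, nrcpt=1 (queue active)
Sep 13 15:31:41 mx postfix/smtp[2120]: 4RmA1F7G8H: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.9, delays=0.1/0.02/0.5/0.28, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

LINE = re.compile(r"(?P<svc>postfix/[\w/-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]{6,}): (?P<rest>.*)")
# delays=a/b/c/d: before queue manager / in queue manager / connection setup / transmission
STAGES = ("before_qmgr", "in_qmgr", "conn_setup", "transmission")

def trace(log_text):
    """Join the smtpd (entry) and delivery lines of each queue ID into one record."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or not m["rest"].startswith(("client=", "to=<")):
            continue  # warnings, qmgr/cleanup lines, connects: not needed here
        rec = msgs.setdefault(m["qid"], {"deliveries": []})
        rest = m["rest"]
        if rest.startswith("client="):
            # Service name shows the entry port when syslog_name is set per service.
            rec["entry_service"] = m["svc"]
            rec["client"] = rest.split(",")[0][len("client="):]
            user = re.search(r"sasl_username=([^,\s]+)", rest)
            rec["sasl_user"] = user.group(1) if user else None  # None: accepted without SASL
        else:
            f = dict(re.findall(r"(\w+)=([^,\s]+)", rest.split(" (")[0]))
            if "delays" not in f:
                continue
            delays = dict(zip(STAGES, map(float, f["delays"].split("/"))))
            rec["deliveries"].append({
                "to": f["to"].strip("<>"), "relay": f["relay"], "status": f["status"],
                "delays": delays, "slowest": max(delays, key=delays.get)})
    return msgs

if __name__ == "__main__":
    for qid, rec in trace(SAMPLE_LOG).items():
        print(qid, rec.get("entry_service"), "sasl_user:", rec.get("sasl_user"))
        for d in rec["deliveries"]:
            print("   ", d["to"], d["relay"], d["status"], "slowest:", d["slowest"], d["delays"])
```

A record whose `sasl_user` is `None` was accepted without SMTP authentication, which is what a client sees once its address is listed in `mynetworks`.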