On Tue, Jan 08, 2013 at 10:02:31PM +0100, Reindl Harald wrote:

> On 08.01.2013 21:40, Wietse Venema wrote:
> > My conclusion is that Postfix can continue to provide basic policies
> > that avoid worst-case failure modes, but the choice of the settings
> > that control those policies is better left to the operator. If the
> > receiver slams on the brakes, then Postfix can suspend deliveries,
> > but the sender operator will have to adjust the sending rate.
> 
> exactly this is the point
> 
> thank you for your understanding and thoughts!

Suspending delivery and punting all messages from the active queue
for the designated nexthop is not a winning strategy. In this state
mail delivery to the destination is in most cases unlikely to
recover without manual intervention.

I would posit that neither Reindl nor the OP, or that many others
really understand what they are asking for. If they understood,
they would stop asking for it.

When faced with a destination that imposes tight rate limits you
must pre-configure your MTA to always stay under the limits. Nothing
good happens when the Postfix output rate under load exceeds the
remote limit whether you throttle the queue repeatedly or not.

The best that one can hope for is for Postfix to dynamically apply
a rate delay that is guaranteed to be slow enough to get under the
limit, and then gradually reduce it.

Throttling the destination (moving all active mail to deferred)
is a pre-programmed MTA outage. I'd not want to operate any system
that behaves that way, and neither should you, whether you know
it or not.

-- 
        Viktor.
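
The static approach the message calls for (pre-configuring the MTA to always stay under the receiver's limit), shown as an added example that is not part of the original message. The transport name `slow`, the domain `example.net` and the 2s delay are assumptions chosen for illustration; pick the delay from the limit the receiver actually publishes or enforces.

```conf
# ---- /etc/postfix/master.cf --------------------------------------------
# A dedicated copy of the smtp(8) client for rate-limited destinations.
# The service name "slow" is an assumed name; per-transport parameters in
# main.cf are derived from it (slow_destination_rate_delay, and so on).
# service type  private unpriv  chroot  wakeup  maxproc command
slow      unix  -       -       n       -       -       smtp

# ---- /etc/postfix/main.cf ----------------------------------------------
# Route selected domains through the "slow" transport.
transport_maps = hash:/etc/postfix/transport

# Insert a delay between successive deliveries to the same destination
# over this transport. 2s caps the output at about 30 deliveries per
# minute per destination (illustrative value, not a recommendation).
slow_destination_rate_delay = 2s

# One delivery at a time per destination, so the delay above is the only
# thing that determines the output rate.
slow_destination_concurrency_limit = 1

# ---- /etc/postfix/transport --------------------------------------------
# Constructed sample entry. Rebuild the map after editing:
#   postmap /etc/postfix/transport
example.net     slow:
```

Because the delay is applied by the queue manager before each delivery, mail for the listed domain drains steadily at the configured pace instead of hitting the remote limit under load.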
