On 17.01.2022 at 15:58, Wietse Venema wrote:
> natan:
>> On 14.01.2022 at 22:18, Wietse Venema wrote:
>>> natan:
>>> Wietse:
>>>> Do you know if the problem is a kernel limit or a per-process limit?
>>>> Does master have 4096 open files (including network sockets: ip,
>>>> unix-domain, etc.).
>>> Wietse:
>>>> BTW that last one was a trick question: you need a huge number of
>>>> services in master.cf to exceed the 4096 limit. The master needs
>>>> three sockets for each service with type 'unix' in master.cf;
>>>> services with type 'inet' require two sockets plus one socket per
>>>> address in inet_interfaces.
>>> natan:
>>>> "Do you know if the problem is a kernel limit or a per-process limit?"
>>>>
>>>> I really don't know where the problem is - and how to diagnose this
>>>>
>>>> I have long thought about a kernel limit but ... have no idea
> Wietse:
>> Were you the person who has a Postfix process limit in the thousands?
>> If that is the case, then I suggest that you reduce the Postfix
>> process limit to half the number, do "postfix reload", wait for a
>> while, and keep reducing the limit to half its value until the
>> "resource temporarily unavailable" warnings go away. Also, make
>> arrangements for more (and more powerful) servers.
> natan:
>> I don't know if I am that man with limit thousands
>>
>> # postconf -nf
> ...
>> default_process_limit = 1200
>>
> I don't see any settings that turn on content_filter or smtpd_proxy_filter,
> but you do have after-filter smtpd processes in master.cf. If your
> after-filter smtpd process limits are too low, then your system
> would die from congestion.
>
>> # postconf -Mf
> ...
>> smtpd pass - - - - 190 smtpd
>>     -o receive_override_options=no_address_mappings
> ...
>> smtp-amavis unix - - - - 160 smtp
>>     -o smtp_data_done_timeout=900s
>>     -o smtp_send_xforward_command=yes
>>     -o disable_dns_lookups=yes
>>
>> #without amavis
>> 10.0.100.5:10025 inet n - n - - smtpd
>>     -o content_filter=
> ...
>> #from external amavis
>> xxx.xxx.xxx.199:10027 inet n - n - 400 smtpd
>>     -o smtpd_proxy_timeout=900s
>>     -o content_filter=
> ...
>> from log:
>> Jan 17 14:05:05 mailserver postfix/master[55510]: warning: master_wakeup_timer_event: service qmgr(public/qmgr): Resource temporarily unavailable
>>
>>
>> 14:05:01 CET
>> ps -e |grep smtpd |wc -l
>> 267
>>
>> 14:06:01 CET
>> ps -e |grep smtpd |wc -l
>> 266
>>
>>
>> # cat /var/log/mail.log |grep "Jan 17 10:10:54" |grep postscreen |grep CONN |wc -l
>> 27
>> # cat /var/log/mail.log |grep "Jan 17 14:05:04" |grep postscreen |grep CONN |wc -l
>> 21
>> # cat /var/log/mail.log |grep "Jan 17 14:05:05" |grep postscreen |grep CONN |wc -l
>> 31
>> # cat /var/log/mail.log |grep "Jan 17 14:05:06" |grep postscreen |grep CONN |wc -l
>> 22
>>
>>
>>
>> from log:
>> Jan 17 10:10:50 thebe4b postfix/postscreen[7103]: warning: cannot connect to service private/smtpd: Resource temporarily unavailable
> postscreen maintains queues with connections that still need to be
> 'tested' (postscreen_pre_queue_limit) and that need to be given to
> an smtpd process (postscreen_post_queue_limit).
>
> Each postscreen queue size is $default_process_limit. Both queues
> together add up to 2400 network sockets.
>
> If you make this amount the same as your internet-facing smtpd
> process limits, then postscreen might leave more resources for the
> rest of Postfix.
>
> And then, reduce process limits by half and do "postfix reload",
> until the 'Resource temporarily unavailable' message goes away.
>
>> This is a strong machine where load average: 0,95, 1,19, 2,08
> Obviously, it doesn't use much CPU power when it can't create a
> UNIX-domain socket.
>
> Wietse

Hmmm full
postconf -nf

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_queue_lifetime = 5h
broken_sasl_auth_clients = yes
compatibility_level = 2
default_destination_concurrency_limit = 100
default_destination_recipient_limit = 100
default_process_limit = 1200
delay_warning_time = 0h
disable_vrfy_command = yes
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
lmtp_destination_concurrency_limit = 100
lmtp_destination_recipient_limit = 1
lpolicyd = check_policy_service { unix:private/policyd-lemat3, timeout=4s,
    default_action=DUNNO }
mailbox_size_limit = 0
max_idle = 1200s
max_use = 150
maximal_queue_lifetime = 24h
message_size_limit = 146800640
mydestination = domain.ltd, localhost.iq.pl, , localhost
myhostname = domain.ltd
mynetworks = 127.0.0.0/8, 10.0.100.5/32,
myorigin = /etc/mailname
policy-spf_time_limit = 3600
postscreen_access_list = permit_mynetworks
    cidr:/etc/postfix/postscreen_access.cidr
    cidr:/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_greet_action = drop
postscreen_greet_banner = mx0.iq.pl
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps
    $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps
    $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps
    $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps
    $transport_maps $virtual_alias_domains $virtual_alias_maps
    $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
    $sender_dependent_relayhost_maps
    proxy:mysql:/etc/postfix/mysql_whitelist_recipient.cf
readme_directory = no
recipient_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/mysql_recipient_bcc_maps_user.cf
    regexp:/etc/postfix/recipient_bcc_maps,
recipient_delimiter = +
smtp-amavis_destination_recipient_limit = 1
smtp_connection_reuse_time_limit = 400s
smtp_data_done_timeout = 1600s
smtp_rcpt_timeout = 900s
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 200
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/client_checks,
    check_client_access cidr:/etc/postfix/amavis_bypass,
    reject_unauth_pipelining,
    permit

explain amavis_bypass:
######### /etc/postfix/amavis_bypass
#for no scan amavis:
10.0.100.24/32 FILTER smtp:10.0.100.5:10025
xxx.xxx.xxx.25/32 FILTER smtp:10.0.100.5:10025
#go to amavis-klaster
0.0.0.0/0 FILTER smtp-amavis:[127.0.0.1]:10628
##########

smtpd_data_restrictions =
    check_policy_service { inet:127.0.0.1:10040 timeout=2s, default_action=DUNNO }
    reject_unauth_pipelining,
    reject_multi_recipient_bounce,
    permit
smtpd_enforce_tls = no
smtpd_hard_error_limit = 50
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_unauth_pipelining,
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
smtpd_proxy_timeout = 240s
smtpd_recipient_limit = 100
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/bad_recipients
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/whitelista,
    reject_unauth_destination,
    lpolicyd,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    check_recipient_access mysql:/etc/postfix/mysql_whitelist_recipient.cf,
    reject_invalid_hostname,
    check_sender_mx_access cidr:/etc/postfix/mx_access.cidr,
    check_policy_service unix:private/policy-spf,
    reject_unlisted_recipient,
    check_client_access cidr:/etc/postfix/rbl_override,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client dynamic.rbl.tld,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.sorbs.net,
    permit
smtpd_restriction_classes = lpolicyd
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access pcre:/etc/postfix/sender_checks.pcre
    reject_unknown_sender_domain
    reject_unknown_reverse_client_hostname,
    reject_non_fqdn_sender
    reject_unknown_address,
    reject_unauth_pipelining,
    permit
smtpd_soft_error_limit = 20
smtpd_tls_CAfile = /etc/pki/tls/certs/iq.pl.ca.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/iq.pl.pem
smtpd_tls_key_file = /etc/pki/tls/private/iq.pl.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 600s
smtpd_use_tls = yes
smtputf8_enable = no
strict_rfc821_envelopes = yes
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
virtual_alias_expansion_limit = 2800
virtual_alias_maps = $virtual_mailbox_maps,
    proxy:mysql:/etc/postfix/mysql/mysql_virtual_aliases.cf,
    proxy:mysql:/etc/postfix/mysql/mysql_virtual_forward.cf,
    proxy:mysql:/etc/postfix/mysql/mysql_catchall.cf
virtual_gid_maps = static:300
virtual_mailbox_domains = proxy:mysql:/etc/postfix/map.sql
virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/mysql/mysql_virtual_mailbox2.cf
virtual_minimum_uid = 300
virtual_transport = lmtp:inet:10.0.100.5:24
virtual_uid_maps = static:300

--
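
Added example (not part of the thread and not Postfix code): a small script that applies the rules of thumb quoted above to `postconf -M` style lines, namely three master sockets per 'unix' service, two plus one per address per 'inet' service, and two postscreen queues of $default_process_limit each. The function names, the `addrs_per_inet` parameter and the sample input (built from the master.cf entries quoted in the thread) are assumptions; service types the thread gives no rule for, such as 'pass', are reported rather than counted.

```python
# Added example: socket budget from `postconf -M` style lines, using the
# rules of thumb quoted in the thread. Not Postfix code.

# Constructed sample: master.cf entries quoted in the thread ("-o" lines omitted).
SAMPLE_MASTER_CF = """\
smtpd pass - - - - 190 smtpd
smtp-amavis unix - - - - 160 smtp
10.0.100.5:10025 inet n - n - - smtpd
xxx.xxx.xxx.199:10027 inet n - n - 400 smtpd
"""


def parse_master_cf(text, default_process_limit):
    """Return one dict per service; '-' in the maxproc column means the default."""
    services = []
    for line in text.splitlines():
        # Skip blanks, comments and continuation lines (leading whitespace, "-o ...").
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue  # not a complete service definition
        maxproc = default_process_limit if fields[6] == "-" else int(fields[6])
        services.append({"name": fields[0], "type": fields[1],
                         "maxproc": maxproc, "command": fields[7]})
    return services


def socket_budget(services, default_process_limit, addrs_per_inet=1):
    """Apply the thread's rules. addrs_per_inet is an assumption supplied by
    the caller; service types without a quoted rule are listed, not counted."""
    master = 0
    uncounted = []
    for svc in services:
        if svc["type"] == "unix":
            master += 3
        elif svc["type"] == "inet":
            master += 2 + addrs_per_inet
        else:
            uncounted.append(svc["name"])
    return {
        "master_sockets": master,
        "uncounted_services": uncounted,
        "postscreen_queue_sockets": 2 * default_process_limit,
        "process_limit_total": sum(s["maxproc"] for s in services),
    }


if __name__ == "__main__":
    svcs = parse_master_cf(SAMPLE_MASTER_CF, 1200)
    print(socket_budget(svcs, 1200))
```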