118
121
still arrive once the situation returns to normal, as long as the
119
122
overload condition is temporary. </p>
124
<h2><a name="adapt"> Automatic stress-adaptive behavior </a></h2>
126
<p> Postfix version 2.5 introduces automatic stress-adaptive behavior.
127
It works as follows. When a "public" network service such as the
128
SMTP server runs into an "all server ports are busy" condition, the
129
Postfix master(8) daemon logs a warning, restarts the service
130
(without interrupting existing network sessions), and runs the
131
service with "-o stress=yes" on the server process command line:
136
80821 ?? S 0:00.24 smtpd -n smtp -t inet -u -c -o stress=yes
140
<p> Normally, the Postfix master(8) daemon runs such a service with
141
"-o stress=" on the command line (i.e. with an empty parameter
146
83326 ?? S 0:00.28 smtpd -n smtp -t inet -u -c -o stress=
150
<p> Services that have local access only never have "-o stress"
151
parameters on the command line. This includes services internal to
152
Postfix such as the queue manager, and services that listen on a
153
loopback interface only, such as after-filter SMTP services. </p>
155
<p> The "stress" parameter value is the key to making main.cf
156
parameter settings stress adaptive. The following settings are the
157
default with Postfix 2.6 and later. </p>
161
1 smtpd_timeout = ${stress?10}${stress:300}s
162
2 smtpd_hard_error_limit = ${stress?1}${stress:20}
163
3 smtpd_junk_command_limit = ${stress?1}${stress:100}
164
4 # Parameters added after Postfix 2.6:
165
5 smtpd_per_record_deadline = ${stress?yes}${stress:no}
166
6 smtpd_starttls_timeout = ${stress?10}${stress:300}s
167
7 address_verify_poll_count = ${stress?1}${stress:3}
175
<li> <p> Line 1: under conditions of stress, use an smtpd_timeout
176
value of 10 seconds instead of the default 300 seconds. Experience
177
on the postfix-users list from a variety of sysadmins shows that
178
reducing the "normal" smtpd_timeout to 60s is unlikely to affect
179
legitimate clients. However, it is unlikely to become the Postfix
180
default because it's not RFC compliant. Setting smtpd_timeout to
181
10s or even 5s under stress will still allow most
182
legitimate clients to connect and send mail, but may delay mail
183
from some clients. No mail should be lost, as long as this measure
184
is used only temporarily. </p>
186
<li> <p> Line 2: under conditions of stress, use an smtpd_hard_error_limit
187
of 1 instead of the default 20. This helps by disconnecting clients
188
after a single error, giving other clients a chance to connect.
189
However, this may cause significant delays with legitimate mail,
190
such as a mailing list that contains a few no-longer-active user
191
names that didn't bother to unsubscribe. No mail should be lost,
192
as long as this measure is used only temporarily. </p>
194
<li> <p> Line 3: under conditions of stress, use an
195
smtpd_junk_command_limit of 1 instead of the default 100. This
196
prevents clients from keeping connections open by repeatedly
197
sending HELO, EHLO, NOOP, RSET, VRFY or ETRN commands. </p>
199
<li> <p> Line 5: under conditions of stress, change the behavior
200
of smtpd_timeout and smtpd_starttls_timeout, from a time limit per
201
read or write system call, to a time limit to send or receive a
202
complete record (an SMTP command line, SMTP response line, SMTP
203
message content line, or TLS protocol message). </p>
205
<li> <p> Line 6: under conditions of stress, reduce the time limit
206
for TLS protocol handshake messages to 10 seconds, from the default
207
value of 300 seconds. See also the smtpd_timeout discussion above.
210
<li> <p> Line 7: under conditions of stress, do not wait up to 6
211
seconds for the completion of an address verification probe. If the
212
result is not already in the address verification cache, reply
213
immediately with $unverified_recipient_tempfail_action or
214
$unverified_sender_tempfail_action. No mail should be lost, as long
215
as this measure is used only temporarily. </p>
219
<p> The syntax of ${name?value} and ${name:value} is explained at
220
the beginning of the postconf(5) manual page. </p>
222
<p> NOTE: Please keep in mind that the stress-adaptive feature is
223
a fairly desperate measure to keep <b>some</b> legitimate mail
224
flowing under overload conditions. If a site is reaching the SMTP
225
server process limit when there isn't an attack or bot flood
226
occurring, then either the process limit needs to be raised or more
227
hardware needs to be added. </p>
121
229
<h2><a name="concurrency"> Service more SMTP clients at the same time </a> </h2>
231
<p> This section and the ones that follow discuss permanent measures
232
against mail server overload. </p>
123
234
<p> One measure to avoid the "all server processes busy" condition
124
235
is to service more SMTP clients simultaneously. For this you need
125
236
to increase the number of Postfix SMTP server processes. This will
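Review bot: The new introduction to the listing (new lines 155-157) says the settings that follow are "the default with Postfix 2.6 and later", but line 4 of the same listing labels smtpd_per_record_deadline, smtpd_starttls_timeout and address_verify_poll_count as "Parameters added after Postfix 2.6", so the sentence overstates what a 2.6 installation provides. Suggest wording such as "default with Postfix 2.6 and later, except where noted", or naming the release that introduced each of lines 5 to 7, so that an operator on 2.6 does not assume the per-record deadline and the shorter TLS handshake timeout are already active under stress.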
349
460
as these measures are used only temporarily. The next section of
350
461
this document introduces a way to automate this process. </p>
352
<h2><a name="adapt"> Automatic stress-adaptive behavior </a></h2>
354
<p> Postfix version 2.5 introduces automatic stress-adaptive behavior.
355
This is also available as a source code patch for Postfix versions
356
2.4 and 2.3 from the mirrors listed at
357
http://www.postfix.org/download.html. </p>
359
<p> It works as follows. When a "public" network service such as
360
the SMTP server runs into an "all server ports are busy" condition,
361
the Postfix master(8) daemon logs a warning, restarts the service
362
(without interrupting existing network sessions), and runs the
363
service with "-o stress=yes" on the server process command line:
368
80821 ?? S 0:00.24 smtpd -n smtp -t inet -u -c -o stress=yes
372
<p> Normally, the Postfix master(8) daemon runs such a service with
373
"-o stress=" on the command line (i.e. with an empty parameter
378
83326 ?? S 0:00.28 smtpd -n smtp -t inet -u -c -o stress=
382
<p> Services that have local access only never have "-o stress"
383
parameters on the command line. This includes services internal to
384
Postfix such as the queue manager, and services that listen on a
385
loopback interface only, such as after-filter SMTP services. </p>
387
<p> The "stress" parameter value is the key to making main.cf
388
parameter settings stress adaptive. The following settings are the
389
default with Postfix 2.6 and later. With earlier Postfix versions
390
that have stress-adaptive support, append the lines below to the
391
main.cf file and issue a "postfix reload" command: </p>
395
1 smtpd_timeout = ${stress?10}${stress:300}s
396
2 smtpd_hard_error_limit = ${stress?1}${stress:20}
397
3 smtpd_junk_command_limit = ${stress?1}${stress:100}
405
<li> <p> Line 1: under conditions of stress, use an smtpd_timeout
406
value of 10 seconds instead of the default 300 seconds. Experience
407
on the postfix-users list from a variety of sysadmins shows that
408
reducing the "normal" smtpd_timeout to 60s is unlikely to affect
409
legitimate clients. However, it is unlikely to become the Postfix
410
default because it's not RFC compliant. Setting smtpd_timeout to
411
10s (line 2 below) or even 5s under stress will still allow most
412
legitimate clients to connect and send mail, but may delay mail
413
from some clients. No mail should be lost, as long as this measure
414
is used only temporarily. </p>
416
<li> <p> Line 2: under conditions of stress, use an smtpd_hard_error_limit
417
of 1 instead of the default 20. This helps by disconnecting clients
418
after a single error, giving other clients a chance to connect.
419
However, this may cause significant delays with legitimate mail,
420
such as a mailing list that contains a few no-longer-active user
421
names that didn't bother to unsubscribe. No mail should be lost,
422
as long as this measure is used only temporarily. </p>
424
<li> <p> Line 3: under conditions of stress, use an
425
smtpd_junk_command_limit of 1 instead of the default 100. This
426
prevents clients from keeping idle connections open by repeatedly
427
sending NOOP or RSET commands. </p>
431
<p> The syntax of ${name?value} and ${name:value} is explained at
432
the beginning of the postconf(5) manual page. </p>
434
<p> NOTE: Please keep in mind that the stress-adaptive feature is
435
a fairly desperate measure to keep <b>some</b> legitimate mail
436
flowing under overload conditions. If a site is reaching the SMTP
437
server process limit when there isn't an attack or bot flood
438
occurring, then either the process limit needs to be raised or more
439
hardware needs to be added. </p>
441
463
<h2><a name="feature"> Detecting support for stress-adaptive behavior </a></h2>
443
465
<p> To find out if your Postfix installation supports stress-adaptive
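Review bot: With the section moved up, the unchanged sentence just above the removed block ("The next section of this document introduces a way to automate this process.", new lines 460-461) is now followed directly by "Detecting support for stress-adaptive behavior" (new line 463), so "the next section" no longer points at the automatic mechanism. Suggest referring to the section by name or linking to the "adapt" anchor instead. The removal also drops the instruction for earlier versions with stress-adaptive support to append the settings to main.cf and issue "postfix reload", and the added text has no replacement for it. Since the added text still says 2.5 introduces the feature while the defaults arrive with 2.6, a sentence for operators on 2.5 is worth keeping.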