On Wed, Jul 23, 2008 at 10:02:48PM -0700, Quanah Gibson-Mount wrote:

> We found that if we are using startTLS with postfix, and heavily load
> postfix, that Postfix stops working, even though the LDAP server
> continues to accept connections from other clients just fine using
> startTLS. Here's an example snippet from the log:
>
> Jul 23 21:34:08 qa96 postfix/cleanup[94633]: error: dict_ldap_connect:
> Unable to set STARTTLS: -1: Can't contact LDAP server
Without "proxymap" a busy Postfix server will generate thousands of LDAP
connections. Strongly suggest that at least for tables used by smtpd(8),
cleanup(8), and smtp(8) you use proxymap(8):

    proxy_read_maps = ... proxy:ldap:/etc/postfix/client.cf
    canonical_maps = proxy:ldap:/etc/postfix/canonical.cf
    check_client_access proxy:ldap:/etc/postfix/client.cf
    ...

Tables used exclusively by trivial-rewrite (transport_maps,
virtual_mailbox_domains, virtual_alias_domains, ...) don't have to be
shared, but it is not always obvious which is which, so the simplest
solution is to use "proxy" for all LDAP lookups.

"Can't contact LDAP server" sounds like a resource issue, most likely
connection count overload.

> Jul 23 21:34:09 qa96 postfix/cleanup[94580]: error: dict_ldap_connect:
> Unable to set STARTTLS: -1: Can't contact LDAP server
> Jul 23 21:34:09 qa96 postfix/cleanup[94580]: warning: 05B038ADD49B:
> sender_canonical_maps map lookup problem for [EMAIL PROTECTED]
>
> As you can see, the problem is happening at 21:34:08, after which point I
> issued an ldapsearch using startTLS, which succeeds just fine. Postfix
> continues to be unable to create any new connections. Existing connections,
> however, continue to work:

Naturally under connection overload, some succeed and others fail.

-- 
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
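As an added example (not part of the original mail or of Postfix), the following audit script reads `postconf` output and flags the two misconfigurations the reply above warns about: LDAP tables referenced without the `proxy:` prefix, so that every smtpd/cleanup/smtp process opens its own LDAP connection, and proxied tables that are missing from proxy_read_maps. The sample configuration is constructed; feed it the full `postconf` output rather than `postconf -n`, since default values such as $local_recipient_maps are expanded from the same text.

```python
import re

# Constructed sample in `postconf` output form (not taken from the original mail).
SAMPLE_POSTCONF = """\
canonical_maps = ldap:/etc/postfix/canonical.cf
sender_canonical_maps = proxy:ldap:/etc/postfix/sender.cf
smtpd_client_restrictions = permit_mynetworks, check_client_access proxy:ldap:/etc/postfix/client.cf, reject
transport_maps = ldap:/etc/postfix/transport.cf
proxy_read_maps = $local_recipient_maps $canonical_maps proxy:ldap:/etc/postfix/client.cf
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
alias_maps = hash:/etc/aliases
"""
# Tables the mail names as used only by trivial-rewrite, where proxying is optional.
TRIVIAL_REWRITE = {"transport_maps", "virtual_mailbox_domains", "virtual_alias_domains"}
LDAP_TABLE = re.compile(r"(?:proxy:)?ldap:[^\s,]+")


def parse_postconf(text):
    """Turn `name = value` lines into a dict (later definitions win)."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf


def expand(value, conf, depth=0):
    """Expand $name / ${name} references (unknown names become '')."""
    if depth > 8:  # guard against self-referencing parameters
        return value
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(conf.get(m.group(1), ""), conf, depth + 1), value)


def audit(conf):
    """Return (parameter, table, problem) for every LDAP table that needs attention."""
    read_maps = expand(conf.get("proxy_read_maps", ""), conf)
    approved = {t.replace("proxy:", "", 1) for t in LDAP_TABLE.findall(read_maps)}
    findings = []
    for name, value in conf.items():
        if name in ("proxy_read_maps", "proxy_write_maps"):
            continue
        for table in LDAP_TABLE.findall(value):
            if not table.startswith("proxy:"):
                kind = "optional" if name in TRIVIAL_REWRITE else "direct"
                findings.append((name, table, kind + " LDAP lookup: each process opens its own connection"))
            elif table.replace("proxy:", "", 1) not in approved:
                findings.append((name, table, "proxied but not listed in proxy_read_maps"))
    return findings
```

Run `audit(parse_postconf(open_output_of_postconf))` and fix each "direct" finding by adding the `proxy:` prefix and listing the table in proxy_read_maps; "optional" findings are the trivial-rewrite tables the reply says may stay unshared.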