On Mon, Mar 23, 2009 at 05:34:42PM -0400, Brandon Hilkert wrote:
>> if DKIM consumes all available CPU, find a faster DKIM engine. If DKIM
>> clobbers the disk capacity, consider placing the working area of the DKIM
>> process in tmpfs, because neither milters nor SMTP proxies queue mail, so
>> their need persistent storage.
>>
>> How are you doing DKIM signing and which resource is consumed, CPU,
>> disk, memory or network?
>
> I'm using dk-milter and dkim-milter and it's doing it through CPU I think.
Don't speculate. Measure. Is the CPU saturated or not?
> Showing atop during the processing, I see a percent or two of CPU during
> the transmission, and that's about it. The disk will show up to 20% busy,
> but nothing out of the ordinary. Am I missing something?
If so, perhaps the DKIM milter is writing the content to disk for signing,
and may be causing high disk latency. You have to tune the milter configuration
for high throughput. The RSA signature algorithm is expensive, but not that
expensive.
Using a single Xeon CPU:
$ openssl speed rsa1024
Doing 1024 bit private rsa's for 10s: 10230 1024 bit private RSA's in 10.00s
Doing 1024 bit public rsa's for 10s: 181020 1024 bit public RSA's in 10.00s
OpenSSL 0.9.8i 15 Sep 2008
built on: Wed Jan 7 16:41:43 EST 2009
options:bn(64,64) md2(int) rc4(8x,char) des(idx,cisc,16,int) aes(partial)
blowfish(ptr2)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int
-DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
sign verify sign/s verify/s
rsa 1024 bits 0.000978s 0.000055s 1023.0 18102.0
With < 100 msgs/sec RSA is not your bottleneck, and not much else in
the milter should be CPU-intensive. So it is disk I/O or poor concurrency.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[email protected]?body=unsubscribe%20postfix-users>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
