NetBSD/gnu/dist/postfix/proto/TUNING_README.html

659 lines
24 KiB
HTML
Raw Normal View History

2004-04-27 08:12:43 +04:00
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Postfix Performance Tuning</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
<h1><img src="postfix-logo.jpg" width="203" height="98" alt="">
Postfix Performance Tuning</h1>
<hr>
<h2>Purpose of Postfix performance tuning </h2>
<p> The hints and tips in this document help you improve the
performance of Postfix systems that already work. If your Postfix
system is unable to receive or deliver mail, then you need to solve
those problems first, using the DEBUG_README document as guidance.
<p> For tuning external content filter performance, first read the
respective information in the FILTER_README and SMTPD_PROXY_README
documents. Then make sure to avoid latency in the content filter
code. As much as possible avoid performing queries against external
data sources with a high or highly variable delay. Your content
filter will run with a small concurrency to avoid CPU/memory
starvation, and if any latency creeps in, content filter throughput
will suffer. High volume environments should avoid RBL lookups,
complex database queries and so on. </p>
<p>Topics on mail receiving performance: </p>
<ul>
<li> <a href="#server_tips">General mail receiving performance tips</a>
<li> <a href="#speedup">Doing more work with your SMTP server processes</a>
<li> <a href="#slowdown">Slowing down SMTP clients that make many errors</a>
<li> <a href="#conn_limit">Measures against clients that make too many connections</a>
</ul>
<p>Topics on mail delivery performance: </p>
<ul>
<li> <a href="#mailing_tips">General mail delivery performance tips</a>
<li> <a href="#hammer">Tuning the frequency of deferred mail delivery attempts</a>
<li> <a href="#rope">Tuning the number of simultaneous deliveries</a>
<li> <a href="#rcpts">Tuning the number of recipients per delivery</a>
</ul>
<p>Other Postfix performance tuning topics: </p>
<ul>
<li> <a href="#proc_limit">Tuning the number of Postfix processes</a>
<li> <a href="#file_limit">Tuning the number of open files or
sockets</a>
</ul>
<p> The following tools can be used to measure mail system performance
under artificial loads. They are normally not installed with Postfix.
</p>
<ul>
<li> <a href="smtp-source.1.html">smtp-source, SMTP/LMTP message
generator</a>
<li> <a href="smtp-sink.1.html">smtp-sink, SMTP/LMTP message dump
</a>
<li> <a href="qmqp-source.1.html">qmqp-source, QMQP message generator
</a>
<li> <a href="qmqp-sink.1.html">qmqp-sink, QMQP message dump </a>
</ul>
<h2><a name="server_tips">General mail receiving performance
tips</a></h2>
<ul>
<li> <p> Read and understand the maildrop queue, incoming queue,
and active queue discussions in the QSHAPE_README document. </p>
<li> <p> Run a local name server to reduce slow-down due to DNS
lookups. If you run multiple Postfix systems, point each local name
server to a shared forwarding server to reduce the number of lookups
across the upstream network link. </p>
<li> <p> Eliminate unnecessary LDAP lookups, by specifying a domain
filter. This eliminates lookups for addresses in remote domains,
and eliminates lookups of partial addresses. See ldap_table(5) for
details. </p>
</ul>
<p> When Postfix responds slowly to SMTP clients: </p>
<ul>
<li> <p> <a href="DEBUG_README.html#logging">Look for obvious signs
of trouble</a> as described in the DEBUG_README document, and
eliminate those problems first. </p>
<li> <p> Turn off your header_checks and body_checks patterns and
see if the problem goes away. </p>
<li> <p> <a href="DEBUG_README.html#no_chroot">Turn off chroot
operation</a> as described in the DEBUG_README document and see
if the problem goes away. </p>
<li> <p> If Postfix logs the SMTP client as "unknown" then you have
a name service problem: the name server is bad, or the resolv.conf
file contains bad information, or some packet filter is blocking
the DNS requests or replies. </p>
<li> <p> If the number of smtpd(8) processes has reached the process
limit as specified in master.cf, new SMTP clients must wait until
a process becomes available. Increase the number of processes if
memory permits. See the instructions given under "<a
href="#proc_limit">Tuning the number of Postfix processes</a>".
</p>
</ul>
<h2><a name="speedup">Doing more work with your SMTP server
processes</a></h2>
<p> With Postfix versions 2.0 and earlier, the smtpd(8) server
pauses before reporting an error to an SMTP client. The idea is
called tar pitting. However, these delays also slow down Postfix.
When the smtpd(8) server replies slowly, sessions take more time,
so that more smtpd(8) server processes are needed to handle the
load. When your Postfix smtpd(8) server process limit is reached,
new clients must wait until a server process becomes available.
This means that all clients experience poor performance. </p>
<p> You can speed up the handling of smtpd(8) server error replies
by turning off the delay: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
# Not needed with Postfix 2.1
smtpd_error_sleep_time = 0
</pre>
</blockquote>
<p> With the above setting, Postfix 2.0 and earlier can serve more
SMTP clients with the same number SMTP server processes. The next
section describes how Postfix deals with clients that make a large
number of errors. </p>
<h2><a name="slowdown"> Slowing down SMTP clients that make many errors</a></h2>
<p> The Postfix smtpd(8) server maintains a per-session error count.
The error count is reset when a message is transferred successfully,
and is incremented when a client request is unrecognized or
unimplemented, when a client request violates <a
href="SMTPD_ACCESS_README.html">access restrictions</a>, or when
some other error happens. </p>
<p> As the per-session error count increases, the smtpd(8) server
changes behavior and begins to insert delays into the responses.
The idea is to slow down a run-away client in order to limit resource
usage. The behavior is Postfix version dependent. </p>
<p> IMPORTANT: These delays slow down Postfix, too. When too much
delay is configured, the number of simultaneous SMTP sessions will
increase until it reaches the smtpd(8) server process limit, and new
SMTP clients must wait until an smtpd(8) server process becomes available.
</p>
<p> Postfix version 2.1 and later:</p>
<ul>
<li> <p> When the error count reaches $smtpd_soft_error_limit
(default: 10), the Postfix smtpd(8) server delays all non-error and
error responses by $smtpd_error_sleep_time seconds (default: 1
second). </p>
<li><p>When the error count reaches $smtpd_hard_error_limit
(default: 20) the Postfix smtpd(8) server breaks the connection. </p>
</ul>
<p> Postfix version 2.0 and earlier:</p>
<ul>
<li> <p> When the error count is less than $smtpd_soft_error_limit
(default: 10) the Postfix smtpd(8) server delays all error replies by
$smtpd_error_sleep_time (1 second with Postfix 2.0, 5 seconds with
Postfix 1.1 and earlier). </p>
<li> <p> When the error count reaches $smtpd_soft_error_limit,
the Postfix smtpd(8) server delays all responses by "error count"
seconds or $smtpd_error_sleep_time, whichever is more. </p>
<li><p>When the error count reaches $smtpd_hard_error_limit
(default: 20) the Postfix smtpd(8) server breaks the connection. </p>
</ul>
<h2><a name="conn_limit">Measures against clients that make too many connections</a></h2>
2007-05-19 20:27:18 +04:00
<p> Note: these features use the Postfix anvil(8) service, introduced
with Postfix version 2.2. </p>
2004-04-27 08:12:43 +04:00
<p> The Postfix smtpd(8) server can limit the number of simultaneous
2007-05-19 20:27:18 +04:00
connections from the same SMTP client, as well as the connection
rate and the rate of certain SMTP commands from the same client.
2004-04-27 08:12:43 +04:00
These statistics are maintained by the anvil(8) server (translation:
if anvil(8) breaks, then connection limits stop working). </p>
2007-05-19 20:27:18 +04:00
<p> IMPORTANT: These limits must not be used to regulate legitimate
traffic: mail will suffer grotesque delays if you do so. The limits
are designed to protect the smtpd(8) server against abuse by
out-of-control clients. </p>
2004-04-27 08:12:43 +04:00
2007-05-19 20:27:18 +04:00
<blockquote>
2004-04-27 08:12:43 +04:00
2007-05-19 20:27:18 +04:00
<dl>
2004-04-27 08:12:43 +04:00
2007-05-19 20:27:18 +04:00
<dt> smtpd_client_connection_count_limit (default: 50) </dt> <dd>
The maximum number of connections than an SMTP client may make
simultaneously. </dd>
2005-08-19 01:00:20 +04:00
2007-05-19 20:27:18 +04:00
<dt> smtpd_client_connection_rate_limit (default: no limit) </dt>
<dd> The maximum number of connections that an SMTP client may make
in the time interval specified with anvil_rate_time_unit (default:
60s). </dd>
2005-08-19 01:00:20 +04:00
2007-05-19 20:27:18 +04:00
<dt> smtpd_client_message_rate_limit (default: no limit) </dt> <dd>
The maximum number of message delivery requests that an SMTP client
may make in the time interval specified with anvil_rate_time_unit
(default: 60s). </dd>
2004-04-27 08:12:43 +04:00
2007-05-19 20:27:18 +04:00
<dt> smtpd_client_recipient_rate_limit (default: no limit) </dt>
<dd> The maximum number of recipient addresses that an SMTP client
may specify in the time interval specified with anvil_rate_time_unit
(default: 60s). </dd>
2004-04-27 08:12:43 +04:00
2007-05-19 20:27:18 +04:00
<dt> smtpd_client_new_tls_session_rate_limit (default: no limit)
</dt> <dd> The maximum number of new TLS sessions (without using
the TLS session cache) that an SMTP client may negotiate in the
time interval specified with anvil_rate_time_unit (default: 60s).
</dd>
2004-04-27 08:12:43 +04:00
2007-05-19 20:27:18 +04:00
<dt> smtpd_client_event_limit_exceptions (default: $mynetworks)
</dt> <dd> SMTP clients that are excluded from connection and rate
limits specified above. </dd>
</dl>
</blockquote>
2004-04-27 08:12:43 +04:00
<h2><a name="mailing_tips">General mail delivery performance tips</a></h2>
<ul>
<li> <p> Read and understand the maildrop queue, incoming queue,
active queue and deferred queue discussions in the QSHAPE_README
document. </p>
<li> <p> In case of slow delivery, run the qshape tool as described
in the QSHAPE_README document. </p>
<li> <p> Submit multiple recipients per message instead of submitting
messages with only a few recipients. </p>
<li> <p> Submit mail via SMTP instead of /usr/sbin/sendmail. You
may have to adjust the smtpd_recipient_limit parameter setting.
</p>
<li> <p> Don't overwhelm the disk with mail submissions. Optimize
the mail submission rate by tuning the number of parallel submissions
and/or by tuning the Postfix in_flow_delay parameter setting. </p>
<li> <p> Run a local name server to reduce slow-down due to DNS
lookups. If you run multiple Postfix systems, point each local name
server to a shared forwarding server to reduce the number of lookups
across the upstream network link. </p>
<li> <p> Reduce the smtp_connect_timeout and smtp_helo_timeout
values so that Postfix does not waste lots of time connecting
2005-08-19 01:00:20 +04:00
to non-responding remote SMTP servers. </p>
2004-04-27 08:12:43 +04:00
<li> <p> Use a dedicated mail delivery transport for problematic
destinations, with reduced timeouts and with adjusted concurrency.
See "<a href="#rope">Tuning the number of simultaneous deliveries</a>"
below.
</p>
<li> <p> Use a fallback_relay host for mail that cannot be delivered
upon the first attempt. This "graveyard" machine can use shorter
retry times for difficult to reach destinations. See "<a
href="#hammer">Tuning the frequency of deferred mail delivery
attempts</a>" below. </p>
<li> <p> Speed up disk updates with a large (64MB) persistent write
cache. This allows disk updates to be sorted for optimal access
speed without compromising file system integrity when the system
crashes. </p>
<li> <p> Use a solid-state disk (a persistent RAM disk). This
is an expensive solution that should be used in combination
with short SMTP timeouts and a fallback_relay "graveyard"
machine that delivers mail for problem destinations. </p>
</ul>
<h2><a name="rope">Tuning the number of simultaneous deliveries</a></h2>
<p> Although Postfix can be configured to run 1000 SMTP client
processes at the same time, it is rarely desirable that it makes
1000 simultaneous connections to the same remote system. For this
reason, Postfix has safety mechanisms in place to avoid this
so-called "thundering herd" problem. </p>
<p> The Postfix queue manager implements the analog of the TCP slow
start flow control strategy: when delivering to a site, send a
small number of messages first, then increase the concurrency as
long as all goes well; reduce concurrency in the face of congestion.
</p>
<ul>
<li> <p> The initial_destination_concurrency parameter (default: 5)
controls how many messages are initially sent to the same destination
before adapting delivery concurrency. Of course, this setting is
effective only as long as it does not exceed the process limit and
the destination concurrency limit for the specific mail transport
channel. </p>
<li> <p> The default_destination_concurrency_limit parameter (default:
20) controls how many messages may be sent to the same destination
simultaneously. You can override this setting for specific message
delivery transports by taking the name of the master.cf entry
and appending "_destination_concurrency_limit". </p>
</ul>
<p> Examples of transport specific concurrency limits are: </p>
<ul>
<li> <p> The local_destination_concurrency_limit parameter (default:
2) controls how many messages are delivered simultaneously to the
same local recipient. The recommended limit is low because delivery
to the same mailbox must happen sequentially, so massive parallelism
is not useful. Another good reason to limit delivery concurrency
to the same recipient: if the recipient has an expensive shell
command in her .forward file, or if the recipient is a mailing list
manager, you don't want to run too many instances of those processes
2007-05-19 20:27:18 +04:00
at the same time. </p>
2004-04-27 08:12:43 +04:00
<li> <p> The default smtp_destination_concurrency_limit of 20 seems
enough to noticeably load a system without bringing it to its knees.
Be careful when changing this to a much larger number. </p>
</ul>
<p> The above default values of the concurrency limits work well
in a broad range of situations. Knee-jerk changes to these parameters
in the face of congestion can actually make problems worse.
Specifically, large destination concurrencies should never be the
default. They should be used only for transports that deliver mail
to a small number of high volume domains. </p>
<p> A common situation where high concurrency is called for is on
gateways relaying a high volume of mail from between the Internet
and an intranet mail environment. Approximately half the mail
(assuming equal volumes inbound and outbound) will be destined
for the internal mail hubs. Since the internal mail hubs will be
receiving all external mail exclusively from the gateway, it is
reasonable to configure the gateway to make greater demands on the
capacity of the internal SMTP servers. </p>
<p> The tuning of the inbound concurrency limits need not be trial
and error. A high volume capable mailhub should be able to easily
handle 50 or 100 (rather than the default 20) simultaneous connections,
especially if the gateway forwards to multiple MX hosts. When all
MX hosts are up and accepting connections in a timely fashion,
throughput will be high. If any MX host is down and completely
unresponsive, the average connection latency rises to at least 1/N
* $smtp_connection_timeout, if there are N MX hosts. This limits
throughput to at most the destination concurrency * N /
$smtp_connection_timeout. </p>
<p> For example, with a destination concurrency of 100 and 2 MX
hosts, each host will handle up to 50 simultaneous connections. If
one MX host is down and the default SMTP connection timeout is 30s,
the throughput limit is 100 * 2 / 30 ~= 6 messages per second. This
suggests that high volume destinations with good connectivity and
multiple MX hosts need a lower connection timeout, values as low
as 5s or even 1s can be used to prevent congestion when one or
more, but not all MX hosts are down. </p>
<p> If necessary, set a higher transport_destination_concurrency_limit
(in main.cf since this is a queue manager parameter) and a lower
smtp_connection_timeout (with a "-o" override in master.cf since
this parameter has no per-transport name) for the relay transport
and any transports dedicated for specific high volume destinations.
</p>
<h2><a name="rcpts">Tuning the number of recipients per delivery</a></h2>
<p> The default_destination_recipient_limit parameter (default:
50) controls how many recipients a Postfix delivery agent will send
with each copy of an email message. You can override this setting
for specific Postfix delivery agents. For example,
"uucp_destination_recipient_limit = 100" would limit the number of
recipients per UUCP delivery to 100. </p>
<p> If an email message exceeds the recipient limit for some
destination, the Postfix queue manager breaks up the list of
recipients into smaller lists. Postfix will attempt to send multiple
copies of the message in parallel. </p>
<p> IMPORTANT: Be careful when increasing the recipient limit per
message delivery; some smtpd(8) servers abort the connection when they
run out of memory or when a hard recipient limit is reached, so
that the message will never be delivered. </p>
<p> The smtpd_recipient_limit parameter (default: 1000) controls
how many recipients the Postfix smtpd(8) server will take per
delivery. The default limit is more than any reasonable SMTP client
would send. The limit exists to protect the local mail system
against a run-away client. </p>
<h2><a name="hammer">Tuning the frequency of deferred mail delivery attempts</a></h2>
<p> When a Postfix delivery agent (smtp(8), local(8), etc.) is
unable to deliver a message it may blame the message itself, or it
may blame the receiving party. </p>
<ul>
<li> <p> When the delivery agent blames the message, the queue
manager gives the queue file a time stamp into the future, so it
won't be looked at for a while. By default, the amount of time to
cool down is the amount of time that has passed since the message
arrived. This results in so-called exponential backoff behavior.
</p>
<li> <p> When the delivery agent blames the receiving party (for
example a local recipient user, or a remote host), the queue manager
not only advances the queue file time stamp, but also puts the
receiving party on a "dead" list so that it will be skipped for
some amount of time. </p>
</ul>
<p> This process is governed by a bunch of little parameters. </p>
<blockquote>
<dl>
2007-05-19 20:27:18 +04:00
<dt> queue_run_delay (default: 300 seconds; before Postfix 2.4:
1000s) </dt> <dd> How often
2004-04-27 08:12:43 +04:00
the queue manager scans the queue for deferred mail. </dd>
2007-05-19 20:27:18 +04:00
<dt> minimal_backoff_time (default: 300 seconds; before Postfix
2.4: 1000s) </dt> <dd> The
2004-04-27 08:12:43 +04:00
minimal amount of time a message won't be looked at, and the minimal
amount of time to stay away from a "dead" destination. </dd>
<dt> maximal_backoff_time (default: 4000 seconds) </dt> <dd> The
maximal amount of time a message won't be looked at after a delivery
failure. </dd>
<dt> maximal_queue_lifetime (default: 5 days) </dt> <dd> How long
a message stays in the queue before it is sent back as undeliverable.
Specify 0 for mail that should be returned immediately after the
first unsuccessful delivery attempt. </dd>
<dt> bounce_queue_lifetime (default: 5 days, available with Postfix
version 2.1 and later) </dt> <dd> How long a MAILER-DAEMON message
stays in the queue before it is considered undeliverable. Specify
0 for mail that should be tried only once. </dd>
<dt> qmgr_message_recipient_limit (default: 20000) </dt> <dd> The
size of many in-memory queue manager data structures. Among others,
this parameter limits the size of the short-term, in-memory list
of "dead" destinations. Destinations that don't fit the list are
not added. </dd>
</dl>
</blockquote>
<p> IMPORTANT: If you increase the frequency of deferred mail
delivery attempts, or if you flush the deferred mail queue frequently,
then you may find that Postfix mail delivery performance actually
becomes worse. The symptoms are as follows: </p>
<ul>
<li> <p> The active queue becomes saturated with mail that has
delivery problems. New mail enters the active queue only when
an old message is deferred. This is a slow process that usually
requires timing out one or more SMTP connections. </p>
<li> <p> All available Postfix delivery agents become occupied
trying to connect to unreachable sites etc. New mail has to wait
until a delivery agent becomes available. This is a slow process
that usually requires timing out one or more SMTP connections. </p>
</ul>
<p> When mail is being deferred frequently, fixing the problem is
always better than increasing the frequency of delivery attempts.
However, if you can control only the delivery attempt frequency,
consider using a dedicated fallback_relay "graveyard" machine for
2007-05-19 20:27:18 +04:00
bad destinations, so that these destinations do not ruin the
performance of normal
2004-04-27 08:12:43 +04:00
mail deliveries. </p>
<h2><a name="proc_limit">Tuning the number of Postfix processes</a></h2>
<p> The default_process_limit configuration parameter gives direct
control over how many daemon processes Postfix will run. As of
Postfix 2.0 the default limit is 100 smtp client processes, 100
smtp server processes, and so on. This may overwhelm systems with
little memory, as well as networks with low bandwidth. </p>
<p> You can change the global process limit by specifying a
non-default default_process_limit in the main.cf file. For example,
to run up to 10 smtp client processes, 10 smtp server processes,
and so on: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
default_process_limit = 10
</pre>
</blockquote>
<p> You need to execute "postfix reload" to make the change effective.
The limits are enforced by the Postfix master(8) daemon which does
not automatically read main.cf when it changes. </p>
<p> You can override the process limit for specific Postfix daemons
by editing the master.cf file. For example, if you do not wish to
receive 100 SMTP messages at the same time, but do not want to
change the process limits for local mail deliveries, you could
specify: </p>
<blockquote>
<pre>
/etc/postfix/master.cf:
# ====================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ====================================================================
. . .
smtp inet n - - - 10 smtpd
. . .
</pre>
</blockquote>
<h2><a name="file_limit">Tuning the number of open files or sockets</a></h2>
<p> When Postfix opens too many files or sockets, processes will
abort with fatal errors, and the system may log "file table full"
errors. </p>
<ul>
2007-05-19 20:27:18 +04:00
<li> <p> Depending on your Postfix and operating system versions
you may need to recompile Postfix if you need more than 1024 file
descriptors per process: </p>
<ul> <li> <p> No recompilation is needed for Postfix version 2.4
and later, when it was compiled for systems that support BSD kqueue(2)
(FreeBSD 4.1, NetBSD 2.0, OpenBSD 2.9), Solaris 8 /dev/poll, or
Linux 2.6 epoll(4). </p>
<li> <p> Otherwise, Postfix needs to be recompiled to override the
default FD_SETSIZE value. </p>
</ul>
2004-04-27 08:12:43 +04:00
<li> <p> Reduce the number of processes as described under "<a
href="#proc_limit">Tuning the number of Postfix processes</a>" above.
Fewer processes need fewer open files and sockets. </p>
<li> <p> Configure the kernel for more open files and sockets.
The details are extremely system dependent and change with the
operating system version. Be sure to verify the following information
with your system tuning guide: </p>
<ul>
<li> <p> Some FreeBSD kernel parameters can be specified in
2007-05-19 20:27:18 +04:00
/boot/loader.conf, and some can be specified in /etc/sysctl.conf
or changed with sysctl commands.
2004-04-27 08:12:43 +04:00
Which is which depends on the version.
</p>
<pre>
kern.ipc.maxsockets="5000"
kern.ipc.nmbclusters="65536"
kern.maxproc="2048"
kern.maxfiles="16384"
kern.maxfilesperproc="16384"
</pre>
<li> <p> Linux kernel parameters can be specified in /etc/sysctl.conf
2007-05-19 20:27:18 +04:00
or changed with sysctl commands: </p>
2004-04-27 08:12:43 +04:00
<pre>
fs.file-max=16384
kernel.threads-max=2048
</pre>
<li> <p> Solaris kernel parameters can be specified in /etc/system,
as described in the <a
2007-05-19 20:27:18 +04:00
href="http://www.science.uva.nl/pub/solaris/solaris2.html#q3.48">Solaris
2004-04-27 08:12:43 +04:00
FAQ</a> entry titled "How can I increase the number of file
descriptors per process?" </p>
<pre>
* set hard limit on file descriptors
set rlim_fd_max = 4096
* set soft limit on file descriptors
set rlim_fd_cur = 1024
</pre>
</ul>
</ul>
</body>
</html>