> # tweak for heavy load management ROL 2006 from coba-e (at mark) bluequartz.org
> echo 100000 > /proc/sys/kernel/threads-max
> sysctl -w net.ipv4.tcp_max_syn_backlog=2048
> ulimit -n 64000
> ----------------------------------------------------------------------------
>
> I have xinetd set to 600 see below:
> ----------------------------------------------------------------------------
> [root@marmailbq01 ~]# cat /etc/xinetd.conf
> #
> # Simple configuration file for xinetd
> #
> # Some defaults, and include /etc/xinetd.d/
>
> defaults
> {
>
> instances = 600
> log_type = SYSLOG authpriv
> log_on_success = HOST PID
> log_on_failure = HOST
> cps = 25 30
> }
>
> includedir /etc/xinetd.d
> ----------------------------------------------------------------------------
>
>
> There are 700 users total on the server. I would consider it heavy load but
> I have to say that this never happened under qpopper on the old Cobalts.
>
> I still get at random times the excessive dovecot auth issues. The only way
> to relieve the trouble is by following the steps Marcelo outlined and issue:
>
> service dovecot stop
> service xinetd stop
>
> I then run a "top" and watch the process go back down. There are anywhere
> from 180 to 600 dovecot-auth when the service stops allowing people to check
> mail and Squirrelmail then starts in with the IMAP timeouts (I followed
> squirrelmail doc for the set php.ini to 600 for timeout issues) to help but
> once the dovecot auth gets up there that does not matter.
>
> Once the services return to normal (see below)
>
> [root@marmailbq01 ~]# ps -aux | grep dovecot
> Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
> root 10617 0.1 0.0 3692 500 ? Ss 12:18 0:12 /usr/sbin/dovecot
> root 10621 0.0 0.3 5456 1640 ? S 12:18 0:08 dovecot-auth
> dovecot 18064 0.0 0.2 4932 1240 ? S 15:05 0:00 imap-login
> dovecot 18116 0.0 0.2 4680 1236 ? S 15:05 0:00 imap-login
> dovecot 18570 0.0 0.2 3932 1236 ? S 15:07 0:00 imap-login
> dovecot 18626 0.0 0.2 5032 1228 ? S 15:07 0:00 pop3-login
> dovecot 18628 0.0 0.2 3832 1228 ? S 15:07 0:00 pop3-login
> dovecot 18635 0.0 0.2 4584 1228 ? S 15:07 0:00 pop3-login
> dovecot 18636 0.0 0.2 5000 1228 ? S 15:07 0:00 pop3-login
> root 18638 0.0 0.1 5352 656 pts/0 R+ 15:07 0:00 grep dovecot
> [root@marmailbq01 ~]#
>
> Once the ps -aux output looks like above I issue:
>
> service dovecot restart
> service xinetd restart
>
>
> Marcelo has posted a script that he uses to control the dovecot process:
>
> ----------------------------------------------------------------------------
> Script to control the dovecot processes
> // The comments are in Spanish; if someone has some doubt, tell me.
> #!/bin/bash
>
> # Parameters (number of running dovecot processes, minimum number of dovecot
> # processes at which to start the service again)
> # comprovar.sh 25 4
>
> while (sleep 3)
> do
>     if test `ps -ef | grep dovecot | wc | tr -s ' ' | cut -d ' ' -f2` -gt $1
>     then
>         echo "Dovecot se esta ejecutando `ps -ef | grep dovecot | wc | tr -s ' ' | cut -d ' ' -f2` veces";
>         # b will tell us whether the service is started.
>
>         if test `service dovecot status | grep running | wc | tr -s ' ' | cut -d ' ' -f2` -eq 1
>         then
>             service dovecot stop
>             `php mail.php`
>             # we stop the service and set b = false
>         fi
>     fi
>     if test `ps -ef | grep dovecot | wc | tr -s ' ' | cut -d ' ' -f2` -lt $2
>     then
>         echo "Todo bien, servicio arrancado.";
>         if test `service dovecot status | grep stopped | wc | tr -s ' ' | cut -d ' ' -f2` -eq 1
>         then
>             service dovecot start
>             `php mailok.php`
>             # we start the service and set b = true
>         fi
>     fi
> done
>
> ----------------------------------------------------------------------------
>
> I am getting the comments translated as my Spanish is not that great but I
> did post the below questions about the script
>
> Marcelo -
>
> I see in the script that you are referencing php mailok.php and php
> mail.php. What are these and how do I get them? I have a default BQ load and
> have not done anything with my dovecot config. Do I need to make changes to
> dovecot config? If so then what?
>
> Also I would like to ask the group again if any ISP's out there or BQ admins
> with high user count how they are configured to prevent this auth process
> issue that causes dovecot to hang. I need to get this figured out. I am
> assuming that when this script runs it will prevent people from logging in
> but get the process back within levels again?
>
> ----------------------------------------------------------------------------
>
> I have also made the below changes to the dovecot.conf file to attempt to
> resolve this issue:
>
> # Should each login be processed in it's own process (yes), or should one
> # login process be allowed to process multiple connections (no)? Yes is more
> # secure, especially with SSL/TLS enabled. No is faster since there's no need
> # to create processes all the time.
>
> login_process_per_connection = yes
>
> # Maximum number of connections allowed in login state. When this limit is
> # reached, the oldest connections are dropped. If login_process_per_connection
> # is no, this is a per-process value, so the absolute maximum number of users
> # logging in actually login_processes_count * max_logging_users.
>
> login_max_logging_users = 256
>
> # Should all IMAP and POP3 processes be killed when Dovecot master process
> # shuts down. Setting this to "no" means that Dovecot can be upgraded without
> # forcing existing client connections to close (although that could also be
> # a problem if the upgrade is eg. because of a security fix). This however
> # means that after master process has died, the client processes can't write
> # to log files anymore.
>
> shutdown_clients = yes
>
> ----------------------------------------------------------------------------
>
> Where I am left is that I still have no solution. I am running the NuOnce
> Networks implementation of BlueQuartz with CentOS.
>
> [root@marmailbq01 ~]# rpm -q base-bluequartz-capstone
> base-bluequartz-capstone-5100R-1.20060918BQ74.centos4
>
>
> I have the below version of dovecot installed:
>
> [root@marmailbq01 ~]# rpm -q dovecot
> dovecot-1.0-0.beta8.2.BQ
>
>
> Please let me know if there are any other ideas for fixing this. I really
> like Blue Quartz but this dovecot issue is killing me and making for some
> very irate users. I really need a dovecot expert or someone to tell me what
> config changes I need to make to allow this to work properly. I am sure that
> there are other ISP out there that have similar issues???
>
> Christian
> ________________________________
>
> From: Rodrigo Ordonez Licona [mailto:rodrigo (at mark) xnet.com.mx]
> Sent: Tuesday, October 24, 2006 10:01 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:07710] Re: HELP - excessive dovecot-auth
>
> We made these changes since the qpopper problem and have 700 email accounts
> on a Centos bq fully yummed.
>
> We haven't seen the dovecot auth issue, however we had to restart dovecot
> once but that seems to be spam related (a whole other story, spamd with users
> over quota).
>
> We added this to /etc/rc.d/rc.local
>
> # tweak for heavy load management ROL 2006 from coba-e (at mark) bluequartz.org
> echo 100000 > /proc/sys/kernel/threads-max
> sysctl -w net.ipv4.tcp_max_syn_backlog=2048
> ulimit -n 64000
>
> Good Luck
>
> Rodrigo O
> Xnet
> ________________________________
>
> From: Michael Aronoff [mailto:ma (at mark) ciic.com]
> Sent: Tuesday, October 24, 2006 06:24 p.m.
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:07709] Re: HELP - excessive dovecot-auth
>
> I have been lurking on this issue for a while and I have a small comment.
> Has anyone with this problem looked at open file handles? When I had this
> issue with Qpopper on my Raq 550 changing the files-max on boot helped solve
> it. It appears that the Cent-OS uses a newer Kernel and even though the
> system wide number for max files is high, there is a per user limit of 1024
> set. There was some discussion of this in
> http://bluequartz.org/ml/archive/coba-e/4900/4914.html and Michael Stauber
> said he would let the list know if it helped but I could not find any later
> post with info about if it worked. Anyway you may want to revisit this
> aspect as well.
>
> If it works please update us back so others can do the same things.
>
> Thanks,
>
> M Aronoff out
>
> Rodrigo -
>
> Thanks for the suggestion I have implemented the change as suggested and
> still no change:
>
> added this to /etc/rc.d/rc.local
I am no expert.
I have a couple of servers with about 900 users each. I don't have a problem.
Maybe you can look in your maillog and see who is logging in once a minute
(like some people do) and ask them to change it to once every 6 or 7 minutes.
Maybe someone is trying to brute force your passwords?
The BFD on my servers sees and blocks that every day.
In that case the auth or maillog logs would show a lot of failed logins.
My /etc/pam.d/dovecot looks like:
auth required pam_stack.so service=system-auth
auth requisite pam_shells.so
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
From the GUI, I have SMTP, SMTPS, IMAP, IMAPS, POP, POPS enabled.
But not SMTP auth, and not Submission port
I have separate servers doing the DNS and I have noticed problems with
services when the DNS does not respond well. You might check that.
----
Ken Marcus
Precision Web Hosting, Inc.
http://www.precisionweb.net
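
The maillog review suggested in the reply above (who polls every minute, and which addresses produce many failed logins), as an added example that is not part of the original thread. The line layout matched by `LINE`, the thresholds and the sample lines are assumptions constructed for illustration; adapt the pattern to what your Dovecot version actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed line layout; Dovecot's wording differs between versions, so adapt
# this pattern to what your own maillog actually contains.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:pop3|imap)-login: "
    r"(?P<kind>Login|Aborted login): user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F:.]+)")

def sample_log():
    """Constructed sample lines (documentation addresses), not real traffic."""
    ok = "Oct 24 15:{:02d}:00 mail dovecot: pop3-login: Login: user=<{}>, method=PLAIN, rip=::ffff:{}"
    bad = "Oct 24 15:07:{:02d} mail dovecot: imap-login: Aborted login: user=<{}>, method=PLAIN, rip=::ffff:{}"
    lines = [ok.format(m, "alice", "192.0.2.10") for m in range(5)]            # polls every minute
    lines += [ok.format(m, "bob", "192.0.2.20") for m in (0, 7, 14)]           # polls every 7 minutes
    lines += [bad.format(s, "admin", "203.0.113.5") for s in range(0, 12, 2)]  # 6 failures
    lines.append(bad.format(30, "carol", "198.51.100.7"))                      # one mistyped password
    return lines

def parse(lines, year=2006):
    """Yield (timestamp, kind, user, remote_ip); syslog lines carry no year."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["kind"], m["user"], m["rip"]

def frequent_pollers(lines, max_interval=120, min_logins=3):
    """Users whose median gap between successful logins is <= max_interval seconds."""
    seen = defaultdict(list)
    for ts, kind, user, _ in parse(lines):
        if kind == "Login":
            seen[user].append(ts)
    result = {}
    for user, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= max(min_logins, 2) and median(gaps) <= max_interval:
            result[user] = median(gaps)
    return result

def failed_login_sources(lines, threshold=5):
    """Remote addresses with at least `threshold` aborted logins."""
    fails = defaultdict(int)
    for _, kind, _, rip in parse(lines):
        if kind == "Aborted login":
            fails[rip] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}

if __name__ == "__main__":
    print(frequent_pollers(sample_log()), failed_login_sources(sample_log()))
```

On a real server, pass the lines of the mail log instead of `sample_log()`, for example `frequent_pollers(open("/var/log/maillog"))`.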