summaryrefslogtreecommitdiffstats
path: root/README_FILES/STRESS_README
blob: 8edc148e400be1a94e5ecd99c062a1cbfec25818 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
PPoossttffiixx SSttrreessss--DDeeppeennddeenntt CCoonnffiigguurraattiioonn

-------------------------------------------------------------------------------

OOvveerrvviieeww

This document describes the symptoms of Postfix SMTP server overload. It
presents permanent main.cf changes to avoid overload during normal operation,
and temporary main.cf changes to cope with an unexpected burst of mail. This
document makes specific suggestions for Postfix 2.5 and later which support
stress-adaptive behavior, and for earlier Postfix versions that don't.

Topics covered in this document:

  * Symptoms of Postfix SMTP server overload
  * Automatic stress-adaptive behavior
  * Service more SMTP clients at the same time
  * Spend less time per SMTP client
  * Disconnect suspicious SMTP clients
  * Temporary measures for older Postfix releases
  * Detecting support for stress-adaptive behavior
  * Forcing stress-adaptive behavior on or off
  * Other measures to off-load zombies
  * Credits

SSyymmppttoommss ooff PPoossttffiixx SSMMTTPP sseerrvveerr oovveerrllooaadd

Under normal conditions, the Postfix SMTP server responds immediately when an
SMTP client connects to it; the time to deliver mail is noticeable only with
large messages. Performance degrades dramatically when the number of SMTP
clients exceeds the number of Postfix SMTP server processes. When an SMTP
client connects while all Postfix SMTP server processes are busy, the client
must wait until a server process becomes available.

SMTP server overload may be caused by a surge of legitimate mail (example: a
DNS registrar opens a new zone for registrations), by mistake (mail explosion
caused by a forwarding loop) or by malice (worm outbreak, botnet, or other
illegitimate activity).

Symptoms of Postfix SMTP server overload are:

  * Remote SMTP clients experience a long delay before Postfix sends the "220
    hostname.example.com ESMTP Postfix" greeting.

      o NOTE: Broken DNS configurations can also cause lengthy delays before
        Postfix sends "220 hostname.example.com ...". These delays also exist
        when Postfix is NOT overloaded.

      o NOTE: To avoid "overload" delays for end-user mail clients, enable the
        "submission" service entry in master.cf (present since Postfix 2.1),
        and tell users to connect to this instead of the public SMTP service.

  * The Postfix SMTP server logs an increased number of "lost connection after
    CONNECT" events. This happens because remote SMTP clients disconnect before
    Postfix answers the connection.

      o NOTE: A portscan for open SMTP ports can also result in "lost
        connection ..." logfile messages.

  * Postfix 2.3 and later logs a warning that all server ports are busy:

    Oct  3 20:39:27 spike postfix/master[28905]: warning: service "smtp"
     (25) has reached its process limit "30": new clients may experience
     noticeable delays
    Oct  3 20:39:27 spike postfix/master[28905]: warning: to avoid this
     condition, increase the process count in master.cf or reduce the
     service time per client
    Oct  3 20:39:27 spike postfix/master[28905]: warning: see
      http://www.postfix.org/STRESS_README.html for examples of
      stress-adapting configuration settings

Legitimate mail that doesn't get through during an episode of Postfix SMTP
server overload is not necessarily lost. It should still arrive once the
situation returns to normal, as long as the overload condition is temporary.

AAuuttoommaattiicc ssttrreessss--aaddaappttiivvee bbeehhaavviioorr

Postfix version 2.5 introduces automatic stress-adaptive behavior. It works as
follows. When a "public" network service such as the SMTP server runs into an
"all server ports are busy" condition, the Postfix master(8) daemon logs a
warning, restarts the service (without interrupting existing network sessions),
and runs the service with "-o stress=yes" on the server process command line:

    80821  ??  S      0:00.24 smtpd -n smtp -t inet -u -c -o stress=yes

Normally, the Postfix master(8) daemon runs such a service with "-o stress=" on
the command line (i.e. with an empty parameter value):

    83326  ??  S      0:00.28 smtpd -n smtp -t inet -u -c -o stress=

You won't see "-o stress" command-line parameters with services that have local
clients only. These include services internal to Postfix such as the queue
manager, and services that listen on a loopback interface only, such as after-
filter SMTP services.

The "stress" parameter value is the key to making main.cf parameter settings
stress adaptive. The following settings are the default with Postfix 2.6 and
later.

    1 smtpd_timeout = ${stress?{10}:{300}}s
    2 smtpd_hard_error_limit = ${stress?{1}:{20}}
    3 smtpd_junk_command_limit = ${stress?{1}:{100}}
    4 # Parameters added after Postfix 2.6:
    5 smtpd_per_record_deadline = ${stress?{yes}:{no}}
    6 smtpd_starttls_timeout = ${stress?{10}:{300}}s
    7 address_verify_poll_count = ${stress?{1}:{3}}

Postfix versions before 3.0 use the older form ${stress?x}${stress:y} instead
of the newer form ${stress?{x}:{y}}.

The syntax of ${name?{value}:{value}}, ${name?value} and ${name:value} is
explained at the beginning of the postconf(5) manual page.

Translation:

  * Line 1: under conditions of stress, use an smtpd_timeout value of 10
    seconds instead of the default 300 seconds. Experience on the postfix-users
    list from a variety of sysadmins shows that reducing the "normal"
    smtpd_timeout to 60s is unlikely to affect legitimate clients. However, it
    is unlikely to become the Postfix default because it's not RFC compliant.
    Setting smtpd_timeout to 10s or even 5s under stress will still allow most
    legitimate clients to connect and send mail, but may delay mail from some
    clients. No mail should be lost, as long as this measure is used only
    temporarily.

  * Line 2: under conditions of stress, use an smtpd_hard_error_limit of 1
    instead of the default 20. This disconnects clients after a single error,
    giving other clients a chance to connect. However, this may cause
    significant delays with legitimate mail, such as a mailing list that
    contains a few no-longer-active user names that didn't bother to
    unsubscribe. No mail should be lost, as long as this measure is used only
    temporarily.

  * Line 3: under conditions of stress, use an smtpd_junk_command_limit of 1
    instead of the default 100. This prevents clients from keeping connections
    open by repeatedly sending HELO, EHLO, NOOP, RSET, VRFY or ETRN commands.

  * Line 5: under conditions of stress, change the behavior of smtpd_timeout
    and smtpd_starttls_timeout, from a time limit per read or write system
    call, to a time limit to send or receive a complete record (an SMTP command
    line, SMTP response line, SMTP message content line, or TLS protocol
    message).

  * Line 6: under conditions of stress, reduce the time limit for TLS protocol
    handshake messages to 10 seconds, from the default value of 300 seconds.
    See also the smtpd_timeout discussion above.

  * Line 7: under conditions of stress, do not wait up to 6 seconds for the
    completion of an address verification probe. If the result is not already
    in the address verification cache, reply immediately with
    $unverified_recipient_tempfail_action or
    $unverified_sender_tempfail_action. No mail should be lost, as long as this
    measure is used only temporarily.

NOTE: Please keep in mind that the stress-adaptive feature is a fairly
desperate measure to keep ssoommee legitimate mail flowing under overload
conditions. If a site is reaching the SMTP server process limit when there
isn't an attack or bot flood occurring, then either the process limit needs to
be raised or more hardware needs to be added.

SSeerrvviiccee mmoorree SSMMTTPP cclliieennttss aatt tthhee ssaammee ttiimmee

This section and the ones that follow discuss permanent measures against mail
server overload.

One measure to avoid the "all server processes busy" condition is to service
more SMTP clients simultaneously. For this you need to increase the number of
Postfix SMTP server processes. This will improve the responsiveness for remote
SMTP clients, as long as the server machine has enough hardware and software
resources to run the additional processes, and as long as the file system can
keep up with the additional load.

  * You increase the number of SMTP server processes either by increasing the
    default_process_limit in main.cf (line 3 below), or by increasing the SMTP
    server's "maxproc" field in master.cf (line 10 below). Either way, you need
    to issue a "postfix reload" command to make the change effective.

  * Process limits above 1000 require Postfix version 2.4 or later, and an
    operating system that supports kernel-based event filters (BSD kqueue(2),
    Linux epoll(4), or Solaris /dev/poll).

  * More processes use more memory. You can reduce the Postfix memory footprint
    by using cdb: lookup tables instead of Berkeley DB's hash: or btree:
    tables.

     1 /etc/postfix/main.cf:
     2     # Raise the global process limit, 100 since Postfix 2.0.
     3     default_process_limit = 200
     4
     5 /etc/postfix/master.cf:
     6     # =============================================================
     7     # service type  private unpriv  chroot  wakeup  maxproc command
     8     # =============================================================
     9     # Raise the SMTP service process limit only.
    10     smtp      inet  n       -       n       -       200     smtpd

  * NOTE: older versions of the SMTPD_POLICY_README document contain a mistake:
    they configure a fixed number of policy daemon processes. When you raise
    the SMTP server's "maxproc" field in master.cf, SMTP server processes will
    report problems when connecting to policy server processes, because there
    aren't enough of them. Examples of errors are "connection refused" or
    "operation timed out".

    To fix, edit master.cf and specify a zero "maxproc" field in all policy
    server entries; see line 6 in the example below. Issue a "postfix reload"
    command to make the change effective.

    1 /etc/postfix/master.cf:
    2     # =============================================================
    3     # service type  private unpriv  chroot  wakeup  maxproc command
    4     # =============================================================
    5     # Disable the policy service process limit.
    6     policy    unix  -       n       n       -       0       spawn
    7         user=nobody argv=/some/where/policy-server

SSppeenndd lleessss ttiimmee ppeerr SSMMTTPP cclliieenntt

When increasing the number of SMTP server processes is not practical, you can
improve Postfix server responsiveness by eliminating delays. When Postfix
spends less time per SMTP session, the same number of SMTP server processes can
service more clients in a given amount of time.

  * Eliminate non-functional RBL lookups (blocklists that are no longer in
    operation). These lookups can degrade performance. Postfix logs a warning
    when an RBL server does not respond.

  * Eliminate redundant RBL lookups (people often use multiple Spamhaus RBLs
    that include each other). To find out whether RBLs include other RBLs, look
    up the websites that document the RBL's policies.

  * Eliminate header_checks and body_checks, and keep just a few emergency
    patterns to block the latest worm explosion or backscatter mail. See
    BACKSCATTER_README for examples of the latter.

  * Group your header_checks and body_checks patterns to avoid unnecessary
    pattern matching operations:

     1  /etc/postfix/header_checks:
     2      if /^Subject:/
     3      /^Subject: virus found in mail from you/ reject
     4      /^Subject: ..other../ reject
     5      endif
     6
     7      if /^Received:/
     8      /^Received: from (postfix\.org) / reject forged client name in
    received header: $1
     9      /^Received: from ..other../ reject ....
    10      endif

DDiissccoonnnneecctt ssuussppiicciioouuss SSMMTTPP cclliieennttss

Under conditions of overload you can improve Postfix SMTP server responsiveness
by hanging up on suspicious clients, so that other clients get a chance to talk
to Postfix.

  * Use "521" SMTP reply codes (Postfix 2.6 and later) or "421" (Postfix 2.3-
    2.5) to hang up on clients that that match botnet-related RBLs (see next
    bullet) or that match selected non-RBL restrictions such as SMTP access
    maps. The Postfix SMTP server will reject mail and disconnect without
    waiting for the remote SMTP client to send a QUIT command.

  * To hang up connections from denylisted zombies, you can set specific
    Postfix SMTP server reject codes for specific RBLs, and for individual
    responses from specific RBLs. We'll use zen.spamhaus.org as an example; by
    the time you read this document, details may have changed. Right now, their
    documents say that a response of 127.0.0.10 or 127.0.0.11 indicates a
    dynamic client IP address, which means that the machine is probably running
    a bot of some kind. To give a 521 response instead of the default 554
    response, use something like:

     1  /etc/postfix/main.cf:
     2      smtpd_client_restrictions =
     3         permit_mynetworks
     4         reject_rbl_client zen.spamhaus.org=127.0.0.10
     5         reject_rbl_client zen.spamhaus.org=127.0.0.11
     6         reject_rbl_client zen.spamhaus.org
     7
     8      rbl_reply_maps = hash:/etc/postfix/rbl_reply_maps
     9
    10  /etc/postfix/rbl_reply_maps:
    11      # With Postfix 2.3-2.5 use "421" to hang up connections.
    12      zen.spamhaus.org=127.0.0.10 521 4.7.1 Service unavailable;
    13       $rbl_class [$rbl_what] blocked using
    14       $rbl_domain${rbl_reason?; $rbl_reason}
    15
    16      zen.spamhaus.org=127.0.0.11 521 4.7.1 Service unavailable;
    17       $rbl_class [$rbl_what] blocked using
    18       $rbl_domain${rbl_reason?; $rbl_reason}

    Although the above example shows three RBL lookups (lines 4-6), Postfix
    will only do a single DNS query, so it does not affect the performance.

  * With Postfix 2.3-2.5, use reply code 421 (521 will not cause Postfix to
    disconnect). The down-side of replying with 421 is that it works only for
    zombies and other malware. If the client is running a real MTA, then it may
    connect again several times until the mail expires in its queue. When this
    is a problem, stick with the default 554 reply, and use
    "smtpd_hard_error_limit = 1" as described below.

  * You can automatically turn on the above overload measure with Postfix 2.5
    and later, or with earlier releases that contain the stress-adaptive
    behavior source code patch from the mirrors listed at http://
    www.postfix.org/download.html. Simply replace line above 8 with:

     8      rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps}

More information about automatic stress-adaptive behavior is in section
"Automatic stress-adaptive behavior".

TTeemmppoorraarryy mmeeaassuurreess ffoorr oollddeerr PPoossttffiixx rreelleeaasseess

See the section "Automatic stress-adaptive behavior" if you are running Postfix
version 2.5 or later, or if you have applied the source code patch for stress-
adaptive behavior from the mirrors listed at http://www.postfix.org/
download.html.

The following measures can be applied temporarily during overload. They still
allow mmoosstt legitimate clients to connect and send mail, but may affect some
legitimate clients.

  * Reduce smtpd_timeout (default: 300s). Experience on the postfix-users list
    from a variety of sysadmins shows that reducing the "normal" smtpd_timeout
    to 60s is unlikely to affect legitimate clients. However, it is unlikely to
    become the Postfix default because it's not RFC compliant. Setting
    smtpd_timeout to 10s (line 2 below) or even 5s under stress will still
    allow mmoosstt legitimate clients to connect and send mail, but may delay mail
    from some clients. No mail should be lost, as long as this measure is used
    only temporarily.

  * Reduce smtpd_hard_error_limit (default: 20). Setting this to 1 under stress
    (line 3 below) helps by disconnecting clients after a single error, giving
    other clients a chance to connect. However, this may cause significant
    delays with legitimate mail, such as a mailing list that contains a few no-
    longer-active user names that didn't bother to unsubscribe. No mail should
    be lost, as long as this measure is used only temporarily.

  * Use an smtpd_junk_command_limit of 1 instead of the default 100. This
    prevents clients from keeping idle connections open by repeatedly sending
    NOOP or RSET commands.

    1  /etc/postfix/main.cf:
    2      smtpd_timeout = 10
    3      smtpd_hard_error_limit = 1
    4      smtpd_junk_command_limit = 1

With these measures, no mail should be lost, as long as these measures are used
only temporarily. The next section of this document introduces a way to
automate this process.

DDeetteeccttiinngg ssuuppppoorrtt ffoorr ssttrreessss--aaddaappttiivvee bbeehhaavviioorr

To find out if your Postfix installation supports stress-adaptive behavior, use
the "ps" command, and look for the smtpd processes. Postfix has stress-adaptive
support when you see "-o stress=" or "-o stress=yes" command-line options.
Remember that Postfix never enables stress-adaptive behavior on servers that
listen on local addresses only.

The following example is for FreeBSD or Linux. On Solaris, HP-UX and other
System-V flavors, use "ps -ef" instead of "ps ax".

    $ ps ax|grep smtpd
    83326  ??  S      0:00.28 smtpd -n smtp -t inet -u -c -o stress=
    84345  ??  Ss     0:00.11 /usr/bin/perl /usr/libexec/postfix/smtpd-
    policy.pl

You can't use postconf(1) to detect stress-adaptive support. The postconf(1)
command ignores the existence of the stress parameter in main.cf, because the
parameter has no effect there. Command-line "-o parameter" settings always take
precedence over main.cf parameter settings.

If you configure stress-adaptive behavior in main.cf when it isn't supported,
nothing bad will happen. The processes will run as if the stress parameter
always has an empty value.

FFoorrcciinngg ssttrreessss--aaddaappttiivvee bbeehhaavviioorr oonn oorr ooffff

You can manually force stress-adaptive behavior on, by adding a "-o stress=yes"
command-line option in master.cf. This can be useful for testing overrides on
the SMTP service. Issue "postfix reload" to make the change effective.

Note: setting the stress parameter in main.cf has no effect for services that
accept remote connections.

    1 /etc/postfix/master.cf:
    2     # =============================================================
    3     # service type  private unpriv  chroot  wakeup  maxproc command
    4     # =============================================================
    5     #
    6     smtp      inet  n       -       n       -       -       smtpd
    7         -o stress=yes
    8         -o . . .

To permanently force stress-adaptive behavior off with a specific service,
specify "-o stress=" on its master.cf command line. This may be desirable for
the "submission" service. Issue "postfix reload" to make the change effective.

Note: setting the stress parameter in main.cf has no effect for services that
accept remote connections.

    1 /etc/postfix/master.cf:
    2     # =============================================================
    3     # service type  private unpriv  chroot  wakeup  maxproc command
    4     # =============================================================
    5     #
    6     submission inet n       -       n       -       -       smtpd
    7         -o stress=
    8         -o . . .

OOtthheerr mmeeaassuurreess ttoo ooffff--llooaadd zzoommbbiieess

The postscreen(8) daemon, introduced with Postfix 2.8, provides additional
protection against mail server overload. One postscreen(8) process handles
multiple inbound SMTP connections, and decides which clients may talk to a
Postfix SMTP server process. By keeping spambots away, postscreen(8) leaves
more SMTP server processes available for legitimate clients, and delays the
onset of server overload conditions.

CCrreeddiittss

  * Thanks to the postfix-users mailing list members for sharing early
    experiences with the stress-adaptive feature.
  * The RBL example and several other paragraphs of text were adapted from
    postfix-users postings by Noel Jones.
  * Wietse implemented stress-adaptive behavior as the smallest possible patch
    while he should be working on other things.