Hello, we have the following problem: Nov 3 09:43:33 minerva dovecot: [ID 583609 local0.warning] master: Warning: service(anvil): client_limit reached, client connections are being dropped Nov 3 09:51:33 minerva dovecot: [ID 583609 local0.error] imap-login: Error: net_connect_unix(anvil) failed: Connection refused Nov 3 09:51:33 minerva dovecot: [ID 583609 local0.crit] imap-login: Fatal: Couldn't connect to anvil Nov 3 09:52:42 minerva dovecot: [ID 583609 local0.error] pop3-login: Error: net_connect_unix(anvil) failed: Connection refused Nov 3 09:52:42 minerva dovecot: [ID 583609 local0.crit] pop3-login: Fatal: Couldn't connect to anvil Nov 3 09:52:42 minerva dovecot: [ID 583609 local0.error] imap-login: Error: net_connect_unix(anvil) failed: Connection refused Nov 3 09:52:42 minerva dovecot: [ID 583609 local0.crit] imap-login: Fatal: Couldn't connect to anvil At that time I counted 2030 imap processes from 995 users and 1106 imap-login processes. What can I do to set an appropriate client_limit for anvil? The configuration is: # doveadm config -n # 2.0.5: /opt/local/etc/dovecot/dovecot.conf # OS: SunOS 5.10 sun4v auth_verbose = yes default_client_limit = 3000 default_process_limit = 300 disable_plaintext_auth = no listen = xxx.xxx.uni-giessen.de localhost mail_fsync = always mail_location = mbox:~/Mail:INBOX=/var/mail/%u mail_nfs_index = yes mail_nfs_storage = yes mail_plugins = quota mmap_disable = yes namespace { inbox = yes location = prefix = separator = / type = private } namespace { hidden = yes list = no location = prefix = Mail/ separator = / subscriptions = yes type = private } passdb { driver = pam } postmaster_address = postmaster at hrz.uni-giessen.de protocols = imap pop3 service auth { client_limit = 5720 } service imap { process_limit = 4096 } ssl_cert = </etc/ssl/server.crt ssl_key = </etc/ssl/server.key syslog_facility = local0 userdb { driver = passwd } verbose_proctitle = yes version_ignore = yes protocol imap { imap_client_workarounds = delay-newmail tb-extra-mailbox-sep mail_max_userip_connections = 20 mail_plugins = quota imap_quota } protocol pop3 { pop3_client_workarounds = outlook-no-nuls oe-ns-eoh pop3_uidl_format = %08Xv%08Xu } minerva{root}2509:/ # grep anvil /var/log/locallog minerva{root}2510:/ -- Hochschulrechenzentrum der | Mail: Juergen.Obermann at hrz.uni-giessen.de Justus-Liebig-Universitaet | WWW: http://www.uni-giessen.de/obermann Heinrich-Buff-Ring 44 | Tel: 0641-99-13054 (0641-99-13001) D-35392 Giessen, Germany | Fax: 0641-99-13009
On 3.11.2010, at 9.35, Juergen Obermann wrote:> Nov 3 09:43:33 minerva dovecot: [ID 583609 local0.warning] master: Warning: service(anvil): client_limit reached, client connections are being dropped > > At that time I counted 2030 imap processes from 995 users and 1106 imap-login processes. What can I do to set an appropriate client_limit for anvil?Well, it's easy to answer the question: service anvil { client_limit = 8000 # or something } But you would probably benefit from not having that many login processes: http://wiki2.dovecot.org/LoginProcess There are some other weird things going on here though:> default_client_limit = 3000 > default_process_limit = 300If the default process limit is 300 and you haven't overridden that (I didn't see service imap-login in your settings), how do you have 1106 imap-login processes? Also you didn't mention how many pop3-login processes there were. With anvil's client_limit being 3000, this error shouldn't have happened unless there were a total of about 3000 imap/pop3-login processes. So maybe there are some bugs related to this.. Also I should add a check to startup that it warns if anvil's client_limit is too low.
On Wed, 2010-11-03 at 09:26 -0400, Charles Marcus wrote:> On 2010-11-03 9:12 AM, J?rgen Obermann wrote: > > Quoting Timo Sirainen <tss at iki.fi>: > >> But you would probably benefit from not having that many login > >> processes: http://wiki2.dovecot.org/LoginProcess > > > I now switched the login processes from high security to high > > performance mode, because the problem appeared again. > > Just curious - how much less secure is the high performance mode?Copy&pasting (slightly just updated) from the wiki: High-performance mode It works by using a number of long running login processes, each handling a number of connections. This loses much of the security benefits of the login process design, because in case of a security hole (in Dovecot or SSL library) the attacker is now able to see other users logging in and steal their passwords, read their mails, etc.