Hi all,

I'm migrating from one system to another. Both are Arch Linux, but copying the configurations and just modifying them for IP addresses and hostnames didn't work. Here's doveconf -n:

# 2.1.15: /etc/dovecot/dovecot.conf
doveconf: Warning: service auth { client_limit=256 } is lower than required under max. load (3072)
doveconf: Warning: service anvil { client_limit=256 } is lower than required under max. load (2051)
# OS: Linux 3.8.4-1-ARCH x86_64
base_dir = /var/run/dovecot/
default_client_limit = 256
default_process_limit = 1024
login_trusted_networks = 10.8.0.0/16 127.0.0.0/8
mail_location = maildir:~/Maildir
mail_max_userip_connections = 30
passdb {
  args = failure_show_msg=yes
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
ssl_cert = </big/www/ssl/www.cybernude.org_publickey.pem
ssl_key = </big/www/ssl/www.cybernude.org_privatekey.pem
userdb {
  driver = passwd
}

Obvious first question: I can't figure out how to make dovecot happy with the client and process limits. I'm not terribly worried about going overboard here, though I have a very small number of users; the migration is to a much more capable system. But I would like to stop looking at the warning. It doesn't seem to matter what I put where; it keeps complaining.

Second question: STARTTLS isn't working. What am I missing?

Sorry if this is something that should be obvious; I'm fighting a similar battle with postfix and I'm being pushed around the bend while I really need to be working on other things.

Thanks!
Hi David,

On Fri, 2013-04-05 at 13:05 -0700, David Benfell wrote:
> doveconf: Warning: service auth { client_limit=256 } is lower than
> required under max. load (3072)
> doveconf: Warning: service anvil { client_limit=256 } is lower than
> required under max. load (2051)

> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     mode = 0666
>   }
    client_limit = 3072
> }

service anvil {
  client_limit = 2051
}

(That's kinda interesting: my anvil values need to be higher than my auth values, yours is the opposite, but if that's what dovecot says...)

> Second question: STARTTLS isn't working. What am I missing? Sorry if
> this is something that should be obvious; I'm fighting a similar
> battle with postfix and I'm being pushed around the bend while I
> really need to be working on other things.

Are your certificate chains valid? Simply saying "isn't working" is almost a requirement for a *sigh*. Log output please, or a better description than "isn't working" ;)
Reindl Harald
2013-Apr-07 10:44 UTC
[Dovecot] MOSTLY SOLVED: Re: client limit and STARTTLS
On 07.04.2013 12:36, David Benfell wrote:
> On 04/07/2013 03:15 AM, Reindl Harald wrote:
>> On 06.04.2013 10:09, David Benfell wrote:
>>> So I changed it again:
>>>
>>> default_process_limit = 128
>>> default_client_limit = 512
>>>
>>> And now it seems to be fine. But I'm mystified because what you
>>> say is the case on your system, that is, that the process limit
>>> needs to be greater than the client limit, is what I would
>>> expect: wouldn't each client require at least one process?
>
>> no, 512x128 = 65536 connections; each process can serve
>> default_client_limit clients
>
> Thanks a million! I had no idea that was how it worked. I would think
> that 65536 would be enough. ;-)

http://wiki2.dovecot.org/LoginProcess

High-performance mode:

It works by using a number of long running login processes, each handling a number of connections. This loses much of the security benefits of the login process design, because in case of a security hole (in Dovecot or SSL library) the attacker is now able to see other users logging in and steal their passwords, read their mails, etc.

Default client_limit * process_limit = 1000*100 = 100k connections

vsz_limit should be increased to avoid out of memory errors, especially if you're using SSL/TLS.
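The capacity arithmetic from this reply (client_limit * process_limit per service) and the two doveconf warnings from the original post, worked through in code. This is an added example, not code from the thread or from Dovecot: it parses `doveconf -n` text into a nested dict, computes the effective limits of a service (a per-service setting overrides default_process_limit / default_client_limit; the built-in Dovecot defaults of 100 and 1000 are taken from the wiki excerpt quoted above), turns each "lower than required under max. load" warning into the setting that silences it, and flags login services that run in the high-performance mode the wiki excerpt warns about. The sample input is the poster's own doveconf -n output copied from the thread; the assumption that a login service defaults to service_count = 1 (high-security mode) follows the wiki page but is not something the thread states.

```python
import re

# Sample input: the doveconf -n output posted at the top of the thread, copied
# verbatim so the two Warning lines the poster asked about are present.
DOVECONF_OUTPUT = """\
# 2.1.15: /etc/dovecot/dovecot.conf
doveconf: Warning: service auth { client_limit=256 } is lower than required under max. load (3072)
doveconf: Warning: service anvil { client_limit=256 } is lower than required under max. load (2051)
# OS: Linux 3.8.4-1-ARCH x86_64
base_dir = /var/run/dovecot/
default_client_limit = 256
default_process_limit = 1024
login_trusted_networks = 10.8.0.0/16 127.0.0.0/8
mail_location = maildir:~/Maildir
mail_max_userip_connections = 30
passdb {
  args = failure_show_msg=yes
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
ssl_cert = </big/www/ssl/www.cybernude.org_publickey.pem
ssl_key = </big/www/ssl/www.cybernude.org_privatekey.pem
userdb {
  driver = passwd
}
"""

# Built-in Dovecot defaults, per the LoginProcess wiki excerpt (1000 * 100 = 100k).
BUILTIN_DEFAULT_PROCESS_LIMIT = 100
BUILTIN_DEFAULT_CLIENT_LIMIT = 1000

WARNING_RE = re.compile(
    r"Warning: service (\S+) \{ (\w+)=(\d+) \} is lower than required under max\. load \((\d+)\)"
)


def parse_doveconf(text):
    """Parse `doveconf -n` output into a nested dict.

    A block such as `service auth {` becomes a dict stored under the key
    'service auth'; `key = value` lines become string values. doveconf's
    Warning lines are returned separately as (service, setting, current, required).
    """
    root, stack, warnings = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = WARNING_RE.search(line)
        if m:
            warnings.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
            continue
        if not line or line.startswith("#"):
            continue
        current = stack[-1] if stack else root
        if line.endswith("{"):
            block = {}
            current[line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return root, warnings


def service_limits(conf, service):
    """Effective (process_limit, client_limit) for one service.

    A setting inside `service X { }` wins; otherwise default_process_limit /
    default_client_limit apply; otherwise the built-in defaults.
    """
    block = conf.get("service " + service, {})
    plimit = int(block.get("process_limit",
                           conf.get("default_process_limit", BUILTIN_DEFAULT_PROCESS_LIMIT)))
    climit = int(block.get("client_limit",
                           conf.get("default_client_limit", BUILTIN_DEFAULT_CLIENT_LIMIT)))
    return plimit, climit


def capacity(conf, service):
    """Max simultaneous connections: process_limit * client_limit (512 * 128 = 65536 in the thread)."""
    plimit, climit = service_limits(conf, service)
    return plimit * climit


def warning_fixes(conf, warnings):
    """For each doveconf warning, return (service, setting, value) that would silence it.

    Only warnings whose effective value is still below the required one are returned,
    so re-running this after editing the config reports what is still outstanding.
    """
    fixes = []
    for service, setting, _current, required in warnings:
        plimit, climit = service_limits(conf, service)
        effective = climit if setting == "client_limit" else plimit
        if effective < required:
            fixes.append((service, setting, required))
    return fixes


def login_mode(conf, login_service):
    """'high-performance' when a login service has service_count = 0 (one long-running
    process serving many clients, the mode the wiki excerpt warns about), else
    'high-security'. Assumption: a login service defaults to service_count = 1."""
    block = conf.get("service " + login_service, {})
    return "high-performance" if int(block.get("service_count", 1)) == 0 else "high-security"


if __name__ == "__main__":
    conf, warnings = parse_doveconf(DOVECONF_OUTPUT)
    for service in ("auth", "anvil", "imap-login"):
        print(service, service_limits(conf, service), "capacity", capacity(conf, service))
    for service, setting, value in warning_fixes(conf, warnings):
        print("add to service %s { %s = %d }" % (service, setting, value))
    print("imap-login mode:", login_mode(conf, "imap-login"))
```

Run against the poster's config the script reports exactly the two blocks the first reply suggested (auth client_limit 3072, anvil client_limit 2051); swapping in the poster's later defaults of 128 and 512 gives the 65536 connections per service that Harald computed.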