More of my users are accessing mail remotely, which probably explained
why I started seeing
Mar 18 05:50:34 dovecot: master: Warning: service(imap-login):
process_limit (2) reached, client connections are being dropped
I played around with increasing limits, but made the mistake of setting
service_count to a value other than 0 and 1.
service imap-login {
client_limit = 1024
service_count = 10240
process_min_avail = 2
process_limit = 8
}
Doubling and redoubling process_limit and increasing service_count didn't
prevent IMAP from eventually grinding to a halt because process_limit
was reached.
Mar 18 12:36:12 dovecot: master: Warning: service(imap-login):
process_limit (4) reached, client connections are being dropped
Mar 18 20:39:48 viol dovecot: master: Warning: service(imap-login):
process_limit (8) reached, client connections are being dropped
Observing the way imap-login processes spawn and retain file descriptors,
I finally understood the subtlety of [1], which explains that imap-login
will not exit despite reaching service_count if one SSL connection is
still open.
With many long-lived client connections, the asymptotic behaviour is that
the total #clients plateaus, but get spread out over many imap-login
processes, with many lingering on to hold a few SSL connections.
For service_count>1, process_limit should be set to a large fraction of
peak simultaneous clients (i.e. the same value used when service_count=1),
otherwise there is a high likelihood of running into process_limit and
game over.
Given this behaviour, there doesn't seem much sense in setting
service_count to anything but 0 (unlimited => performance mode) or 1
(security mode). Setting to other values supposedly limit memory leaks,
but if a single persistent SSL client can hold up an imap-login process
from exiting and releasing memory, it seems to negate this purpose.
Anyways, maybe [1] can mention this so others don't fall into the same
pit I did.
References
[1] https://doc.dovecot.org/admin_manual/login_processes/
Joseph Tam <jtam.home at gmail.com>