У меня есть VPS с 8 ГБ памяти, работающий под Ubuntu 16.04.02 с Plesk Onyx.
С некоторых пор система регулярно даёт сбой в dovecot и/или postfix.
Версия Dovecot: 2.3.4.1-ubuntu16.04.19031416; версия Postfix: 3.1.0-3ubuntu0.3.
Я не могу найти, как решить эту проблему.
Этот сервер в основном используется для электронной почты (imap) и одного небольшого веб-сайта Wordpress с небольшим трафиком.
Иногда достаточно перезапустить службу dovecot или postfix, но иногда мне приходится перезапускать весь сервер.
Ошибка в mail.log с самого начала сбоя:
> Jun 18 11:55:30 h2648771 dovecot: imap-login: Error: master(imap): net_connect_unix(imap) failed: Cannot allocate memory (client-pid=29864, client-id=1, rip=188.207.4.90, created 0 msecs ago, received 0/4 bytes)
> Jun 18 11:55:30 h2648771 dovecot: imap-login: Error: master(imap): net_connect_unix(imap) failed: Cannot allocate memory (client-pid=29866, client-id=1, rip=188.207.4.90, created 0 msecs ago, received 0/4 bytes)
> Jun 18 11:55:30 h2648771 dovecot: imap-login: Error: socketpair() failed: Cannot allocate memory: user=<info@springstof.eu>, method=PLAIN, rip=188.207.4.90, lip=85.214.19.175, TLS, session=<H9L2HJaLeX28zwRa>
> Jun 18 11:55:30 h2648771 dovecot: imap-login: Error: net_connect_unix(anvil) failed: Cannot allocate memory
> Jun 18 11:55:30 h2648771 dovecot: master: Error: service(imap-login): command startup failed, throttling for 2 secs
> Jun 18 11:55:30 h2648771 dovecot: imap: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Cannot allocate memory
> Jun 18 11:55:30 h2648771 dovecot: imap: Error: net_connect_unix(/run/dovecot/auth-master) failed: Cannot allocate memory
/etc/dovecot/dovecot.conf:
## Dovecot configuration file
# PLEASE DON'T EDIT ANYTHING IN THIS FILE! ANY CHANGES WILL BE LOST ON UPGRADE.
# Instead add your custom configuration to /etc/dovecot/conf.d/
# See the end of this file for details on customization.
# See example configuration files in /usr/share/doc/dovecot/example-config/
# See stock configuration files in /usr/share/doc/plesk-dovecot/dist-config/
#
# NOTE(review): this is the Plesk-managed base file. Service definitions
# (process limits, listeners), passdb/userdb and the TLS protocol/cipher
# policy are not set here; they come from the conf.d/*.conf files included at
# the bottom, which are not part of this listing. The mail.log errors quoted
# above ("net_connect_unix(...) failed: Cannot allocate memory",
# "socketpair() failed") are raised while imap-login/imap processes are being
# spawned, so process and memory limits (the conf.d service blocks and, on
# OpenVZ, the container's numproc/physpages counters) are the first place to
# look rather than the settings below.
# Space separated list of wanted authentication mechanisms.
# NOTE: See also disable_plaintext_auth setting.
# NOTE(review): digest-md5, cram-md5 and apop are challenge/response schemes
# that only work when the passdb can hand Dovecot a plaintext-equivalent
# password; whether that holds depends on the passdb in conf.d -- verify
# before relying on them. plain and login send the password as-is, so keep
# disable_plaintext_auth at its default of yes (unless conf.d overrides it) so
# they are only offered on TLS-protected connections.
auth_mechanisms = plain login digest-md5 cram-md5 apop
# Valid UID range should include popuser.
# NOTE(review): 30 is the same uid as virtual_uid_maps = static:30 in the
# Postfix main.cf on this host, so both daemons write mailboxes as one user.
first_valid_uid = 30
# List of allowed characters in username. "'&" is added here to the default list.
# NOTE(review): the extra ' and & reach the passdb/userdb lookups unchanged;
# if a lookup is SQL-backed, rely on the driver's own escaping of the %u/%n
# variables rather than any hand-built query -- confirm in conf.d.
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890&.-_@'
# Plesk Maildirs layout.
# %Ld / %Ln are the lower-cased domain and local part, so the mailbox path
# does not depend on the letter case the client logged in with.
mail_home = /var/qmail/mailnames/%Ld/%Ln
mail_location = maildir:/var/qmail/mailnames/%Ld/%Ln/Maildir
# Enable Maildir++ quota support.
# $mail_plugins appends to whatever was set earlier, so ordering matters.
mail_plugins = $mail_plugins quota
plugin {
# Take quota limits from maildirsize file. If it doesn't exist, don't enforce.
quota = maildir:User quota
# LDA/LMTP allows saving the last mail to bring user from under quota to
# over quota, if the quota doesn't grow too high. Default is to allow as
# long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
# 0 doesn't allow going over quota (compatibility with Courier-IMAP behavior).
quota_grace = 0
}
service auth {
# Allow userdb lookups for popuser.
# mode 0600 owned by popuser: only processes running as popuser (and root)
# can open this socket and perform userdb lookups.
unix_listener auth-userdb {
mode = 0600
user = popuser
group = popuser
}
}
# PEM encoded X.509 SSL/TLS certificate and private key.
# NOTE(review): certificate and private key share one PEM file. Because it
# holds the key, keep it readable by root only; Dovecot opens both files
# while still running as root, so the login/mail processes do not need
# access. Verify the file's mode and owner on the host.
ssl_cert = </etc/dovecot/private/ssl-cert-and-key.pem
ssl_key = </etc/dovecot/private/ssl-cert-and-key.pem
# Protocols support.
protocols = imap pop3
protocol imap {
mail_plugins = $mail_plugins imap_quota
}
protocol pop3 {
# POP3 UIDL format similar to the one used by Courier-IMAP.
pop3_uidl_format = UID%u-%v
}
# Applicable workarounds for various client bugs.
imap_client_workarounds = delay-newmail
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
# Default private namespace setup compatible with Courier-IMAP.
namespace inbox {
separator = .
prefix = INBOX.
inbox = yes
}
# Logging verbosity and debugging.
# NOTE(review): every option in this group is deliberately commented out.
# auth_verbose_passwords and auth_debug_passwords write user credentials into
# mail.log; leave them disabled on a production host, and if one is switched
# on briefly while debugging the startup errors, revert it afterwards and
# treat the log written in between as sensitive.
# Log unsuccessful authentication attempts and the reasons why they failed.
#auth_verbose = yes
# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
#auth_verbose_passwords = no
# Even more verbose logging for debugging purposes.
#auth_debug = yes
# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
#auth_debug_passwords = yes
# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
#mail_debug = yes
# Show protocol level SSL errors.
#verbose_ssl = yes
# Log format compatible with Plesk statistics collector.
# mail_log_prefix puts the service, user and remote IP in front of every
# mail-process log line, which is what the statistics collector parses.
mail_log_prefix = "service=%s, user=%u, ip=[%r]. "
pop3_logout_format = "rcvd=%i, sent=%o, top=%t/%p, retr=%r/%b, del=%d/%m, size=%s"
imap_logout_format = "rcvd=%i, sent=%o"
# Customizable part of configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
#
# Prefixes 10 through 20 and 90 through 95 (inclusive) are reserved for Plesk.
# Please do not occupy them or edit files with these prefixes!
# NOTE(review): because the include comes last, a setting repeated in conf.d
# overrides the value given for it above.
!include conf.d/*.conf
# vim:ts=2 sts=2 sw=2 et:
/etc/postfix/main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
#
# NOTE(review): Plesk-managed main.cf. Two generations of TLS switches are
# mixed below: the legacy smtpd_use_tls / smtp_use_tls booleans and the
# smtpd_tls_security_level / smtp_tls_security_level parameters. When the
# *_tls_security_level parameters are set they take precedence, so the
# effective policy is opportunistic TLS ("may") on both the server and the
# client side, and smtp_use_tls = no has no effect.
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
# NOTE(review): certificate and private key share one PEM. The Postfix
# documentation for smtpd_tls_key_file asks for read access by root only and
# no access for anyone else; verify mode and owner on the host.
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
# Legacy switch; superseded by smtpd_tls_security_level below.
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
# Relay policy: only local networks and SASL-authenticated clients may relay
# to non-local destinations; everyone else gets a temporary (4xx) refusal.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = h1234567.stratoserver.net
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.stratoserver.net, localhost, localhost.localdomain
# NOTE(review): explicitly empty. Because mynetworks is set here,
# mynetworks_style = subnet (further down) is not consulted; if the effective
# list really is empty, permit_mynetworks matches no client and relaying
# depends entirely on SASL authentication. Confirm the effective value on the
# host before relying on either reading.
mynetworks =
# Used only for local(8) delivery to mydestination; virtual mailboxes go
# through virtual_transport below.
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
# Opportunistic TLS in both directions (these override the *_use_tls flags).
smtpd_tls_security_level = may
smtp_tls_security_level = may
# Legacy switch; has no effect while smtp_tls_security_level is set.
smtp_use_tls = no
# NOTE(review): 3600s is 12x the Postfix default of 300s for smtpd_timeout
# (the default for smtpd_proxy_timeout is 100s). An idle or deliberately slow
# client keeps an smtpd process and its memory alive for up to an hour, which
# works against a host that is already reporting "Cannot allocate memory";
# unless Plesk requires these values, the defaults are the safer choice.
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
# VRFY disabled: remote clients cannot use it to check which addresses exist.
disable_vrfy_command = yes
# The sender blacklist is evaluated before permit_sasl_authenticated, so a
# listed sender is refused even from an authenticated client (assuming the
# map's actions are REJECT).
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
# Only permits here; the list ends in Postfix's implicit permit, so relay
# control rests on smtpd_relay_restrictions / smtpd_recipient_restrictions.
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtp_send_xforward_command = yes
# XFORWARD attributes are trusted from loopback only (the Plesk filter chain).
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
# NOTE(review): SASL is enabled but smtpd_tls_auth_only is not set in this
# file, and its default is no, so AUTH PLAIN/LOGIN is also offered on a
# plaintext connection before STARTTLS. Setting smtpd_tls_auth_only = yes (in
# the Plesk-supported way) limits credentials to TLS-protected sessions.
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
# uid/gid 30/31 match first_valid_uid = 30 in dovecot.conf on this host.
virtual_uid_maps = static:30
virtual_gid_maps = static:31
# Plesk milter on loopback; Postfix ignores the empty element before the comma.
smtpd_milters = , inet:127.0.0.1:12768
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
# NOTE(review): roughly 1 GB per message (Postfix default: 10240000, about
# 10 MB). Each message up to this size is spooled and passed through the
# milter above; the answer below suggests lowering it, which also bounds the
# memory and disk a single submission can consume.
message_size_limit = 1024000000
virtual_mailbox_limit = 0
# Canonical rewriting is delegated to a Plesk helper listening on loopback.
recipient_canonical_maps = tcp:127.0.0.1:12346
recipient_canonical_classes = envelope_recipient,header_recipient
# Cipher grade "medium" resolves to the list below, which already excludes
# anonymous (aNULL) and MD5 suites.
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = HIGH:!aNULL:!MD5
# NOTE(review): TLSv1 and TLSv1.1 are still offered for both opportunistic
# and mandatory TLS. Both are deprecated (RFC 8996); the answer below
# recommends limiting this to TLSv1.2.
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
# Not consulted while mynetworks is set explicitly above.
mynetworks_style = subnet
# Explicitly empty: narrows "postqueue -f" / "mailq" from the default
# static:anyone. Confirm which accounts still need them before relying on it.
authorized_flush_users =
authorized_mailq_users =
inet_interfaces = all
Кто-нибудь знает, как решить эту проблему?
Вывод cat /proc/user_beancounters:
Version: 2.5
uid resource held maxheld barrier limit failcnt
2648771: kmemsize 78343618 423485440 9223372036854775807 9223372036854775807 0
lockedpages 0 16 2097152 2097152 0
privvmpages 1138097 1401250 9223372036854775807 9223372036854775807 0
shmpages 86247 86261 9223372036854775807 9223372036854775807 0
dummy 0 0 9223372036854775807 9223372036854775807 0
numproc 211 330 700 700 0
physpages 1052473 1520136 2097152 2097152 0
vmguarpages 0 0 2097152 2097152 0
oomguarpages 576172 606928 2097152 2097152 0
numtcpsock 67 214 750 750 0
numflock 478 489 9223372036854775807 9223372036854775807 0
numpty 0 0 9223372036854775807 9223372036854775807 0
numsiginfo 0 60 9223372036854775807 9223372036854775807 0
tcpsndbuf 5779952 9023696 9223372036854775807 9223372036854775807 0
tcprcvbuf 1097728 3635784 9223372036854775807 9223372036854775807 0
othersockbuf 871624 2229824 9223372036854775807 9223372036854775807 0
dgramrcvbuf 0 296480 9223372036854775807 9223372036854775807 0
numothersock 469 916 950 950 0
dcachesize 41858232 380313547 9223372036854775807 9223372036854775807 0
numfile 6049 8635 9223372036854775807 9223372036854775807 0
dummy 0 0 9223372036854775807 9223372036854775807 0
dummy 0 0 9223372036854775807 9223372036854775807 0
dummy 0 0 9223372036854775807 9223372036854775807 0
numiptent 363 365 9223372036854775807 9223372036854775807 0
Мой совет — отключить TLSv1 и сильно ограничить список шифров (как для входящего 'smtp', так и для исходящего 'smtpd').
Если вам абсолютно необходим TLSv1, список шифров всё равно следует сильно ограничить; иначе вы можете оказаться мишенью автоматических попыток взлома, нацеленных на серверы с устаревшими и потенциально уязвимыми шифрами, и это может оказать значительное влияние.
Почему это стоит сделать? Это быстро реализуется и в некоторых сценариях может исправить проблему; другие советы, приведённые выше, тоже хороши.
P.S. По моему мнению, разрешение сообщений размером 1 ГБ также может влиять на использование памяти; это значение, возможно, стоит уменьшить:
message_size_limit=1024000000
Также (если запущен OpenVZ):
В дополнительных материалах говорится об изменении numproc на "9223372036854775807", как и у других счётчиков.
Источник:
https://www.cloudmin.com/node/35052
Я не знаю, потребует ли нумеропоток такого же изменения.
Это уже случалось со мной раньше. Причиной было то, что /tmp
на RAM-диске был заполнен случайными/вредоносными загрузками. Настройте веб-сервер на использование временного каталога загрузки на жёстком диске. Также следите за занятым пространством на RAM-дисках, если они есть. По возможности ограничьте объём оперативной памяти, используемой PHP.
Подобные проблемы требуют много времени для решения. Удачи!