[postfix-master.git] / postfix-master / resource.html
<html>

<head>

<title> Postfix Configuration - Resource Controls</title>

<META NAME="ROBOTS" CONTENT="NOINDEX,NOFOLLOW">
</head>

<body background="obsolete.gif">

<h1><a href="big-picture.html"><img src="small-picture.gif" width="115" height="45"></a> Postfix Configuration - Resource Controls</h1>

<hr>

<p> <strong> Note: this web page is no longer maintained. It exists
only to avoid breaking links in web pages that describe earlier
versions of the Postfix mail system. </strong> </p>

<a href="docs.html">Up one level</a> | <a href="basic.html">Basic
Configuration</a> | <a href="uce.html">UCE Controls</a> | <a
href="rate.html">Rate Controls</a> | Resource Controls | <a
href="rewrite.html">Address Manipulation</a>

<h2> Introduction</h2>

The Postfix system is designed to run within a finite memory budget.
To this end, there are configurable limits on the <i>size</i> of
in-memory objects such as text line fragments, on the <i>number of
instances</i> of such objects, and on the <i>time</i> an operation
may take. In addition, strategies are in place for dealing with
resource exhaustion. The idea is to keep running under conditions
of stress, without making the problem worse.

<p>

<ul>

<li> <a href="#size">Object size limits</a>

<p>

<li> <a href="#count">Object count limits</a>

<p>

<li> <a href="#time">Time limits</a>

<p>

<li> <a href="#lock">Acquiring exclusive file locks</a>

<p>

<li> <a href="#fan">Error recovery</a>

</ul>

<a name="size"><h2> Object size limits</h2> </a>

The first step towards a fixed memory resource budget is to limit
the size of each in-memory object. Once the size of in-memory
objects is limited, total memory consumption is limited by limiting
the number of object instances. Simple, no?

<p>

<dl>

<dt> <b>line_length_limit</b> (default: 2048 bytes)

<dd> How long a line of text can be before it is broken up into
pieces. All Postfix perimeter programs (<a href="smtpd.8.html">SMTP
server</a>, <a href="smtp.8.html">SMTP client</a>, <a
href="pickup.8.html">local pickup</a> and <a href="local.8.html">local
delivery</a>) enforce this line length limit when reading data from
an untrusted source. Long lines are reconstructed upon delivery.

<p>

<dt> <b>header_size_limit</b> (default: 102400 bytes)

<dd> How much text may be carried in a multi-line message header.
Header text that does not fit in <b>$header_size_limit</b> bytes
is discarded. This limit is enforced by the <a
href="cleanup.8.html"> cleanup</a> header rewriting code.

<p>

<dt> <b>header_address_token_limit</b> (default: 10240 tokens)

<dd> Limit on the amount of memory and CPU that Postfix will use for
rewriting addresses in message headers. The limit is expressed as
a number of tokens. Tokens that do not fit are discarded.
This limit is enforced by the <a href="cleanup.8.html"> cleanup</a>
header rewriting code.

<p>

<dt> <b>extract_recipient_limit</b> (default: 10240 recipients)

<dd> How many recipients Postfix will extract from message headers
before it gives up. This limits the damage that a run-away program
can do with "sendmail -t".

</dl>

The following parameters restrict the use of file system storage:

<dl>

<dt> <b>message_size_limit</b> (default: 10240000 bytes)

<dd> The maximal size of a Postfix queue file, including envelope
information (sender, recipient, etc.).

<dt> <b>queue_minfree</b> (default: no restriction)

<dd> How many bytes of free space are needed in the queue file
system. The <a href="smtpd.8.html">SMTP server</a> declines inbound
mail delivery requests when there is insufficient space (the mail
will be accepted once enough space becomes available). There is
no default limit; however, it seems like a good idea to require at
least several times <b>$message_size_limit</b> so that the mail
system won't get stuck on a single large message.

<dt> <b>bounce_size_limit</b> (default: 50000 bytes)

<dd> How much of an undelivered message is sent back to the sender.

</dl>
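
<p> The <b>queue_minfree</b> advice above can be checked mechanically.
The following is an added example, not part of the original Postfix
documentation or source: it parses main.cf-style text and compares
<b>queue_minfree</b> with <b>message_size_limit</b>. The sample
configuration is constructed, and the factor of 3 is an assumed
reading of "several times". </p>

```python
# Defaults as listed on this page; 0 stands for "no restriction".
PAGE_DEFAULTS = {"message_size_limit": 10240000, "queue_minfree": 0}

# Constructed sample in main.cf syntax (not taken from a real system).
SAMPLE_MAIN_CF = """\
# constructed example
message_size_limit = 20480000
queue_minfree =
    30000000
bounce_size_limit = 50000
"""

def parse_main_cf(text):
    """Return {name: value}. A line that starts with whitespace
    continues the previous logical line; '#' lines are comments."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def audit_queue_minfree(text, factor=3):
    """Report whether queue_minfree leaves room for `factor` messages of
    maximal size. `factor` is an assumption, not a Postfix setting."""
    cfg = dict(PAGE_DEFAULTS)
    for name, value in parse_main_cf(text).items():
        if name in cfg and value.isdigit():
            cfg[name] = int(value)
    needed = factor * cfg["message_size_limit"]
    if cfg["queue_minfree"] == 0:
        return f"queue_minfree unset: set it to at least {needed}"
    if cfg["queue_minfree"] < needed:
        return (f"queue_minfree {cfg['queue_minfree']} < "
                f"{factor} x message_size_limit ({needed})")
    return "ok"

if __name__ == "__main__":
    print(audit_queue_minfree(SAMPLE_MAIN_CF))
```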

<a name="count"><h2> Object count limits</h2> </a>

Once the sizes of memory objects have been limited, the next step
to implement Postfix's finite memory budget is to limit the number
of in-memory object instances.

<dl>

<dt> <b>qmgr_message_recipient_limit</b> (default: 20000)

<dd> An upper bound on the number of <a href="qmgr.8.html">queue
manager</a> in-memory recipient address data structures. This
parameter also controls the number of instances of other in-memory
data structures. See, for example, the <a
href="rate.html#backoff">delivery rate control</a> documentation.

<dt> <b>qmgr_message_active_limit</b> (default: 20000)

<dd> An upper limit on the number of messages in the <b>active</b>
queue. For an introduction to the Postfix queue organization see
the <a href="queuing.html">Postfix overview</a> documentation.

<dt> <b>duplicate_filter_limit</b> (default: 1000)

<dd> How many recipient addresses the <a href="local.8.html">local
delivery</a> agent and <a href="cleanup.8.html">address cleanup</a>
daemon remember when delivering a message. A recipient address is
ignored when it is found in the remembered list.

</dl>

<a name="time"><h2> Time limits</h2> </a>

External commands are given a finite time for completion. Such
commands are run by the <a href="local.8.html">local</a> delivery
agent when it finds a "|<i>command</i>" destination in an <a
href="aliases.5.html">alias</a> database, <a
href="aliases.5.html">:include:</a> file or <a
href="aliases.5.html">.forward</a> file. The <a
href="pipe.8.html">pipe</a> mailer implements an alternative way
to pipe mail into external commands.

<dl>

<dt> <b>command_time_limit</b> (default: 1000 seconds)

<dd> How long the <a href="local.8.html">local</a> delivery agent
will wait before aborting an external command.

<dt> <i>service_name</i><b>_time_limit</b> (default:
<b>$command_time_limit</b>)

<dd> The time limit for delivery to external commands via the
<b>pipe</b> mailer. For <i>service_name</i>, substitute the service
name (the first field in the <b>master.cf</b> file).

</dl>

<a name="lock"><h2> Acquiring exclusive file locks</h2> </a>

Internally, the Postfix programs cooperate in a very disciplined
manner and rarely need to fight for exclusive file access. However,
access conflicts may happen on the outside, for example, when mail
has to be delivered while a user is accessing her mailbox. Postfix
supports two types of file locks:

<ul>

<li>Internal locks, implemented with the <b>fcntl()</b> or
<b>flock()</b> system primitives.

<li>External locks, implemented as files named <i>file</i><b>.lock</b>.

</ul>

Depending on the host system, Postfix uses one method or both.
The following configuration parameters control how Postfix deals
with file locks:

<dl>

<dt> <b>deliver_lock_attempts</b> (default: 5)

<dd> The number of times to try locking a file before giving up.

<dt> <b>deliver_lock_delay</b> (default: 1 second)

<dd> How long to wait between attempts to lock a file.

<dt> <b>stale_lock_time</b> (default: 500)

<dd> How old an external lock file may be before it is forcibly
removed.

</dl>
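
<p> How the three lock parameters interact for an external
<i>file</i><b>.lock</b> lock, as an added illustration that is not
Postfix's own code: the function arguments <i>attempts</i>,
<i>delay</i> and <i>stale_after</i> are hypothetical names standing
in for <b>deliver_lock_attempts</b>, <b>deliver_lock_delay</b> and
<b>stale_lock_time</b>, and reading the stale limit as seconds is an
assumption. </p>

```python
import os
import time

def acquire_dotlock(path, attempts=5, delay=1.0, stale_after=500, sleep=time.sleep):
    """Try to create path + '.lock'; return the lock file name, or None.

    attempts, delay and stale_after stand in for deliver_lock_attempts,
    deliver_lock_delay and stale_lock_time (seconds assumed).
    """
    lock = path + ".lock"
    for attempt in range(1, attempts + 1):
        try:
            # O_EXCL makes creation atomic: exactly one process can win.
            fd = os.open(lock, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
        except FileExistsError:
            try:
                age = time.time() - os.stat(lock).st_mtime
            except FileNotFoundError:
                continue  # holder released it meanwhile; use the next attempt
            if age > stale_after:
                try:
                    os.unlink(lock)  # forcibly remove a stale lock
                except FileNotFoundError:
                    pass  # someone else removed it first
                continue
            if attempt < attempts:
                sleep(delay)  # wait before the next attempt
        else:
            os.write(fd, str(os.getpid()).encode())
            os.close(fd)
            return lock
    return None  # gave up after `attempts` tries

def release_dotlock(lock):
    """Drop a lock returned by acquire_dotlock()."""
    os.unlink(lock)

if __name__ == "__main__":
    import tempfile
    mailbox = os.path.join(tempfile.mkdtemp(), "mailbox")  # constructed path
    held = acquire_dotlock(mailbox)
    print("first:", held)
    print("second:", acquire_dotlock(mailbox, attempts=2, delay=0.1))
    release_dotlock(held)
```

Removing a stale lock is itself racy between competing processes, which is why the stale limit should comfortably exceed the longest legitimate hold time.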

<a name="fan"><h2> Error recovery</h2> </a>

Under conditions of severe stress, available system resources may
be insufficient to accommodate Postfix's needs. The world may also
seem to fall apart when a Postfix configuration file is broken, or
when a Postfix program is defective.

The general approach taken in the face of disaster is to terminate
with a fatal run-time error (or with a panic in case of software
problems), and to try again after some time (the <a
href="master.8.html">master</a> daemon will restart processes after
some delay). Each failed attempt is logged; hopefully, someone will
notice the problem and fix it.

Some recovery strategies were implemented very early during Postfix
development, and haven't been made configurable yet. What follows
is the beginning of a growing list of recovery control parameters:

<dl>

<dt> <b>fork_attempts</b> (default: 5 times)

<dd> The number of times to attempt to create a new process before
giving up.

<dt> <b>fork_delay</b> (default: 1 second)

<dd> The delay between attempts to create a new process.

<dt> <b>transport_retry_time</b> (default: 60 seconds)

<dd> The amount of time between queue manager attempts to contact
an apparently defunct Postfix delivery service.

</dl>

<hr>

</body>

</html>