Dovecot/Postfix cannot allocate memory

I have a VPS with 8 GB of RAM running Ubuntu 16.04.02 with Plesk Onyx.

For some time now the system has been crashing frequently on dovecot and/or postfix.

Dovecot version: 2.3.4.1-ubuntu16.04.19031416, Postfix version: 3.1.0-3ubuntu0.3

I cannot find a solution to this problem.

The server is mainly used for e-mail (IMAP) and one small WordPress site with little traffic.

Sometimes restarting the dovecot or postfix service is enough, but sometimes I have to restart the whole server.

The errors have been present in mail.log since the crashes started.

> Jun 18 11:55:30 h2648771 dovecot: imap-login: Error: master(imap): net_connect_unix(imap) failed: Cannot allocate memory (client-pid=29864, client-id=1, rip=188.207.4.90, created 0 msecs ago, received 0/4 bytes)
> Jun 18 11:55:30 h2648771 dovecot: imap-login: Error: master(imap): net_connect_unix(imap) failed: Cannot allocate memory (client-pid=29866, client-id=1, rip=188.207.4.90, created 0 msecs ago, received 0/4 bytes)
> Jun 18 11:55:30 h2648771 dovecot: imap-login: Error: socketpair() failed: Cannot allocate memory: user=<[email protected]>, method=PLAIN, rip=188.207.4.90, lip=85.214.19.175, TLS, session=<H9L2HJaLeX28zwRa>
> Jun 18 11:55:30 h2648771 dovecot: imap-login: Error: net_connect_unix(anvil) failed: Cannot allocate memory
> Jun 18 11:55:30 h2648771 dovecot: master: Error: service(imap-login): command startup failed, throttling for 2 secs
> Jun 18 11:55:30 h2648771 dovecot: imap: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Cannot allocate memory
> Jun 18 11:55:30 h2648771 dovecot: imap: Error: net_connect_unix(/run/dovecot/auth-master) failed: Cannot allocate memory

/etc/dovecot/dovecot.conf:

## Dovecot configuration file

# PLEASE DON'T EDIT ANYTHING IN THIS FILE! ANY CHANGES WILL BE LOST ON UPGRADE.
# Instead add your custom configuration to /etc/dovecot/conf.d/
# See the end of this file for details on customization.

# See example configuration files in /usr/share/doc/dovecot/example-config/
# See stock configuration files in /usr/share/doc/plesk-dovecot/dist-config/


# Space separated list of wanted authentication mechanisms.
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login digest-md5 cram-md5 apop

# Valid UID range should include popuser.
first_valid_uid = 30

# List of allowed characters in username. "'&" is added here to the default list.
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890&.-_@'

# Plesk Maildirs layout.
mail_home = /var/qmail/mailnames/%Ld/%Ln
mail_location = maildir:/var/qmail/mailnames/%Ld/%Ln/Maildir

# Enable Maildir++ quota support.
mail_plugins = $mail_plugins quota

plugin {
  # Take quota limits from maildirsize file. If it doesn't exist, don't enforce.
  quota = maildir:User quota
  # LDA/LMTP allows saving the last mail to bring user from under quota to
  # over quota, if the quota doesn't grow too high. Default is to allow as
  # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
  # 0 doesn't allow going over quota (compatibility with Courier-IMAP behavior).
  quota_grace = 0
}


service auth {
  # Allow userdb lookups for popuser.
  unix_listener auth-userdb {
    mode = 0600
    user = popuser
    group = popuser
  }
}


# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/dovecot/private/ssl-cert-and-key.pem
ssl_key =  </etc/dovecot/private/ssl-cert-and-key.pem


# Protocols support.

protocols = imap pop3

protocol imap {
  mail_plugins = $mail_plugins imap_quota
}

protocol pop3 {
  # POP3 UIDL format similar to the one used by Courier-IMAP.
  pop3_uidl_format = UID%u-%v
}

# Applicable workarounds for various client bugs.
imap_client_workarounds = delay-newmail
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh


# Default private namespace setup compatible with Courier-IMAP.

namespace inbox {
  separator = .
  prefix = INBOX.
  inbox = yes
}


# Logging verbosity and debugging.

# Log unsuccessful authentication attempts and the reasons why they failed.
#auth_verbose = yes

# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
#auth_verbose_passwords = no

# Even more verbose logging for debugging purposes.
#auth_debug = yes

# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
#auth_debug_passwords = yes

# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
#mail_debug = yes

# Show protocol level SSL errors.
#verbose_ssl = yes


# Log format compatible with Plesk statistics collector.
mail_log_prefix = "service=%s, user=%u, ip=[%r]. "
pop3_logout_format = "rcvd=%i, sent=%o, top=%t/%p, retr=%r/%b, del=%d/%m, size=%s"
imap_logout_format = "rcvd=%i, sent=%o"

# Customizable part of configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
#
# Prefixes 10 through 20 and 90 through 95 (inclusive) are reserved for Plesk. 
# Please do not occupy them or edit files with these prefixes!
!include conf.d/*.conf

# vim:ts=2 sts=2 sw=2 et:

/etc/postfix/main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = h1234567.stratoserver.net
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.stratoserver.net, localhost, localhost.localdomain
mynetworks = 
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
message_size_limit = 1024000000
virtual_mailbox_limit = 0
recipient_canonical_maps = tcp:127.0.0.1:12346
recipient_canonical_classes = envelope_recipient,header_recipient
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = HIGH:!aNULL:!MD5
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
mynetworks_style = subnet
authorized_flush_users = 
authorized_mailq_users = 
inet_interfaces = all

Does anyone know how to solve this?

Output of cat /proc/user_beancounters:

Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
  2648771:  kmemsize                 78343618            423485440  9223372036854775807  9223372036854775807                    0
            lockedpages                     0                   16              2097152              2097152                    0
            privvmpages               1138097              1401250  9223372036854775807  9223372036854775807                    0
            shmpages                    86247                86261  9223372036854775807  9223372036854775807                    0
            dummy                           0                    0  9223372036854775807  9223372036854775807                    0
            numproc                       211                  330                  700                  700                    0
            physpages                 1052473              1520136              2097152              2097152                    0
            vmguarpages                     0                    0              2097152              2097152                    0
            oomguarpages               576172               606928              2097152              2097152                    0
            numtcpsock                     67                  214                  750                  750                    0
            numflock                      478                  489  9223372036854775807  9223372036854775807                    0
            numpty                          0                    0  9223372036854775807  9223372036854775807                    0
            numsiginfo                      0                   60  9223372036854775807  9223372036854775807                    0
            tcpsndbuf                 5779952              9023696  9223372036854775807  9223372036854775807                    0
            tcprcvbuf                 1097728              3635784  9223372036854775807  9223372036854775807                    0
            othersockbuf               871624              2229824  9223372036854775807  9223372036854775807                    0
            dgramrcvbuf                     0               296480  9223372036854775807  9223372036854775807                    0
            numothersock                  469                  916                  950                  950                    0
            dcachesize               41858232            380313547  9223372036854775807  9223372036854775807                    0
            numfile                      6049                 8635  9223372036854775807  9223372036854775807                    0
            dummy                           0                    0  9223372036854775807  9223372036854775807                    0
            dummy                           0                    0  9223372036854775807  9223372036854775807                    0
            dummy                           0                    0  9223372036854775807  9223372036854775807                    0
            numiptent                     363                  365  9223372036854775807  9223372036854775807                    0

Answer 1

My advice is to disable TLSv1 and strictly restrict your cipher list (inbound "smtp" and submission "smtpd").

If you really need TLSv1, you should still strictly restrict your cipher list; otherwise you may end up on the receiving end of automated hacking attempts against servers that support deprecated, potentially vulnerable ciphers and the like, which could have a considerable impact.

Why do this? It is quick to implement and in some cases it solves the problem; the other suggestions above are good as well.

PS: In my opinion, allowing 1 GB e-mails also affects memory utilisation; this value is probably worth adjusting downwards:

message_size_limit = 1024000000

Also (if running OpenVZ):

Further reading says to change numothersock to "9223372036854775807", the same as the other counters.

Source:

https://www.cloudmin.com/node/35052

I don't know whether numtcpsock needs the same change.
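The beancounters check answer 1 refers to, as an added example that is not part of the question or either answer: it parses the /proc/user_beancounters table from the question and flags counters that have already failed (failcnt > 0) or whose maxheld is within 10% of the barrier, which is how numothersock at 916/950 stands out. The sample rows are copied from the question; the 90% warning threshold is an assumption.

```python
# Added example: parse /proc/user_beancounters and flag OpenVZ counters that have
# failed or are close to their barrier. When one is exhausted, socket()/socketpair()
# in Dovecot and Postfix fail with ENOMEM ("Cannot allocate memory") despite free RAM.
from typing import Dict, List, Tuple

# Constructed sample: the rows from the question that matter, with the real
# file's columns (resource, held, maxheld, barrier, limit, failcnt).
SAMPLE_BEANCOUNTERS = """\
Version: 2.5
       uid  resource  held  maxheld  barrier  limit  failcnt
  2648771:  kmemsize  78343618  423485440  9223372036854775807  9223372036854775807  0
            numproc  211  330  700  700  0
            numtcpsock  67  214  750  750  0
            numothersock  469  916  950  950  0
            numfile  6049  8635  9223372036854775807  9223372036854775807  0
"""

UNLIMITED = 9223372036854775807  # OpenVZ uses LONG_MAX to mean "no limit"


def parse_beancounters(text: str) -> Dict[str, Tuple[int, ...]]:
    """Return {resource: (held, maxheld, barrier, limit, failcnt)}."""
    counters: Dict[str, Tuple[int, ...]] = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].endswith(":"):  # first data row starts with "uid:"
            fields = fields[1:]
        if len(fields) != 6 or not fields[1].isdigit():
            continue  # skips the "Version:" and column-header lines
        counters[fields[0]] = tuple(int(n) for n in fields[1:])
    return counters


def risky_counters(counters: Dict[str, Tuple[int, ...]],
                   warn_ratio: float = 0.9) -> List[Tuple[str, str]]:
    """(resource, reason) for counters that already failed or came close to the barrier."""
    findings = []
    for name, (held, maxheld, barrier, limit, failcnt) in counters.items():
        if failcnt > 0:
            findings.append((name, f"failcnt={failcnt}: allocations already refused"))
        elif barrier != UNLIMITED and maxheld >= warn_ratio * barrier:
            pct = 100 * maxheld // barrier
            findings.append((name, f"maxheld {maxheld} is {pct}% of barrier {barrier}"))
    return findings


if __name__ == "__main__":
    for resource, reason in risky_counters(parse_beancounters(SAMPLE_BEANCOUNTERS)):
        print(f"{resource}: {reason}")
```

On a live container, feed it the real file with parse_beancounters(open("/proc/user_beancounters").read()) and run it from cron so a rising failcnt is seen before the mail services start throttling.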

Answer 2

I have run into this before. The cause was the /tmp ramdisk being filled up by random/malicious uploads. Configure your web server to use a temporary upload directory on the hard disk. Also, monitor the used space in the ramdisk (if you have one). Limit the RAM used by PHP (if applicable).

These kinds of problems take a long time to solve. Good luck!
