deltachat / chatmail

chatmail service deployment scripts and docs
https://delta.chat/en/2023-12-13-chatmail
MIT License

"Connection queue full" error from dovecot #59

Closed link2xt closed 10 months ago

link2xt commented 10 months ago

I tried to set up deltachat-core-rust CI to use a chatmail instance.

Python CI crashed with error imaplib.IMAP4.abort: command: LOGIN => Connection queue full.

In Dovecot log on the server this looks like this:

Oct 29 14:44:57 nine dovecot[893]: imap-login: Disconnected: Connection queue full (disconnected while authenticating, waited 0 secs): user=<>, method=PLAIN, rip=13.105.117.37, lip=116.202.233.236, TLS, session=<DL+OINsIGr4NaXUl>

link2xt commented 10 months ago

According to doveconf output, default_process_limit = 100 and service imap-login { process_limit = 0 }, which means imap-login has the default limit of 100 processes. Similarly, default_client_limit = 1000 and service imap-login { client_limit = 0 }, which means an imap-login process can have at most 1000 connections. Overall we should be able to support 100000 connections, which is a lot and I am pretty sure CI should not be running into this limit.

Our mailcow instance currently used for CI has imap-login process limit set to 10000 and default_client_limit = 10400.

link2xt commented 10 months ago

https://doc.dovecot.org/admin_manual/login_processes/ explains something about login process design. Default is a "high-security mode" which means service imap-login { service_count = 1 }. This is what doveconf reports in our case. This means we can actually have only 100 connections and client limit does not matter as the process exits after a single connection.

I will try increasing the process_limit for now. Switching to high performance mode may sound interesting for benchmarking, but I don't think we should go for it as this may have actual security impact in case of OpenSSL vulnerabilities and logging is not that interesting for actual clients which maintain a connection for a long time, unlike CI.

Related thread on the Dovecot mailing list: https://www.mail-archive.com/dovecot@dovecot.org/msg34756.html

link2xt commented 10 months ago

Overall, I think we need:

service imap-login {
    service_count = 1 # High-security mode, default, see https://doc.dovecot.org/admin_manual/login_processes/#high-security-mode
    process_limit = 10000 # Number of connections in high-security mode
    process_min_avail = 10 # Avoid startup latency for new connections
}

hpk42 commented 10 months ago

Let's try this, and thanks for the analysis

link2xt commented 10 months ago

It already works with process_limit = 10000 manually added on nine.testrun.org, CI passes here: https://github.com/deltachat/deltachat-core-rust/pull/4837

So I made a PR #60 to add it to the deploy.
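
The capacity reasoning from the comments above, as an added example that is not part of the original thread or of the chatmail code: it reads doveconf-style settings and reports how many simultaneous imap-login connections the limits allow. The sample text, the function names and the treatment of any service_count other than 1 as high-performance mode are assumptions of this example.

```python
# Constructed sample in doveconf style; the numbers are the ones quoted in the thread.
SAMPLE_DOVECONF = """\
default_client_limit = 1000
default_process_limit = 100
service imap-login {
  client_limit = 0
  inet_listener imap {
    port = 143
  }
  process_limit = 0
  service_count = 1
}
"""


def parse_settings(text, service="imap-login"):
    """Collect integer settings at top level and directly inside `service <name> {}`."""
    top, svc, depth, in_service = {}, {}, 0, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.endswith("{"):
            if depth == 0:
                in_service = line.split()[:2] == ["service", service]
            depth += 1
        elif line == "}":
            depth -= 1
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value.isdigit():
                if depth == 0:
                    top[key] = int(value)
                elif depth == 1 and in_service:
                    svc[key] = int(value)
    return top, svc


def login_capacity(text, service="imap-login"):
    """Return (mode, max simultaneous login connections) using the thread's reasoning."""
    top, svc = parse_settings(text, service)
    # A limit of 0 inside the service block falls back to the default_* setting.
    process_limit = svc.get("process_limit", 0) or top["default_process_limit"]
    client_limit = svc.get("client_limit", 0) or top["default_client_limit"]
    if svc.get("service_count", 1) == 1:
        # High-security mode: one connection per process, client_limit does not matter.
        return "high-security", process_limit
    # Assumption: any other service_count is treated as high-performance mode.
    return "high-performance", process_limit * client_limit


if __name__ == "__main__":
    print(login_capacity(SAMPLE_DOVECONF))  # ('high-security', 100)
```

Feeding it the output of doveconf from a real server shows whether a limit change such as process_limit = 10000 actually raised the number of connections the login service accepts.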