spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [spf-discuss] SPF/postfix iowait > 90%

2006-10-25 08:26:07
from [Alex van den Bogaerdt] [Permanent Link] 
On Wed, Oct 25, 2006 at 10:05:53AM -0500, Adrian De los Santos wrote:


I have setup spf in postfix and found that it almost killed my server  
raising the iowait at more than 90% putting the server on its knees.


while in the iowait state, the process itself doesn't use cpu.
Is the problem perhaps that too many processes are allowed to
be run simultaneously and the available memory is short, resulting
in trashing ?

Normally a process would terminate fast, but when you're waiting
for a DNS answer it stays present.  A new connection could fire
up a new instance, use more memory, also wait for a DNS answer,
and so on.  Snowball effect.  Suddenly you need to use the swap.
This uses cpu time, time that could have been used to process the
incoming DNS reply.


I think that maybe the iowait is due to the delay that exists in the  
DNS replies to the SPF process, my server recives more than 100k  
mails on a daily basis, and i have a caching DNS on this same server.


The caching server will use resources as well.  You may be better off
by putting it on a separate box, connected by a fast network.

Then look at the mail process:
- don't do SPF lookups if you can reject a message for other reasons
  such as bad helo, non-existing receiver, etc.
- if an answer is not available from the cache, start greylisting
  and thus terminate the connection.  In parallel, do ask for the
  SPF record (which won't be used at that time).
  When the client is trying another time, your cache will have the
  spf record and you get an answer fast.
- determine a sane number of processes that can run in parallel.
  If this number is reached, for any reason including but not
  limited to DNS lookups, refuse to accept more connections.

Others, please correct my mistakes and/or refine my suggestions.
I know this is a difficult topic.

HTH
Alex

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [spf-discuss] SPF/postfix iowait > 90%, Scott Kitterman
Next by Date:  Re: [spf-discuss] SPF/postfix iowait > 90%, Adrian De los Santos
Previous by Thread:  [spf-discuss] SPF/postfix iowait > 90%, Adrian De los Santos
Next by Thread:  Re: [spf-discuss] SPF/postfix iowait > 90%, Adrian De los Santos
Indexes:  [Date] [Thread] [Top] [All Lists]