Postfix Configuration - Resource Controls


Note: this web page is no longer maintained. It exists only to avoid breaking links in web pages that describe earlier versions of the Postfix mail system.

Up one level | Basic Configuration | UCE Controls | Rate Controls | Resource Controls | Address Manipulation

Introduction

The Postfix system is designed to run within a finite memory budget. To this end, there are configurable limits on the size of in-memory objects such as text line fragments, on the number of instances of such objects, and on the time an operation may take. In addition, strategies are in place for dealing with resource exhaustion. The idea is to keep running under conditions of stress, without making the problem worse.

Object size limits

The first step towards a fixed memory resource budget is to limit the size of each in-memory object. Once the size of in-memory objects is limited, total memory consumption is limited by limiting the number of object instances. Simple, no?

line_length_limit (default: 2048 bytes)
How long a line of text can be before it is broken up into pieces. All Postfix perimeter programs (SMTP server, SMTP client, local pickup and local delivery) enforce this line length limit when reading data from an untrusted source. Long lines are reconstructed upon delivery.

header_size_limit (default: 102400 bytes)
How much text may be carried in a multi-line message header. Header text that does not fit in $header_size_limit bytes is discarded. This limit is enforced by the cleanup header rewriting code.

header_address_token_limit (default: 10240 tokens)
Limit on the amount of memory and CPU that Postfix will use for rewriting addresses in message headers. The limit is expressed as a number of tokens. Tokens text that do not fit are discarded. This limit is enforced by the cleanup header rewriting code.

extract_recipient_limit (default: 10240 recipients)
How many recipients Postfix will extract from message headers before it gives up. This limits the damage that a run-away program can do with "sendmail -t".

The following parameters restrict the use of file system storage:

message_size_limit (default: 10240000 bytes)
The maximal size of a Postfix queue file, including envelope information (sender, recipient, etc.).

queue_minfree (default: no restriction)
How many bytes of free space are needed in the queue file system. The SMTP server declines inbound mail delivery requests when there is insufficient space (the mail will be accepted once enough space becomes available). There is no default limit; however, it seems like a good idea to require at least several times $message_size_limit so that the mail system won't get stuck on a single large message.

bounce_size_limit (default: 50000 bytes)
How much of an undelivered message is sent back to the sender.

Object count limits

Once the sizes of memory objects have been limited, the next step to implement Postfix's finite memory budget is to limit the number of in-memory object instances.
qmgr_message_recipient_limit (default: 20000)
An upper bound on the number of queue manager in-memory recipient address data structures. This parameter also controls the number of instances of other in-memory data structures. See, for example, the delivery rate control documentation.

qmgr_message_active_limit (default: 20000)
An upper limit on the number of messages in the active queue. For an introduction to the Postfix queue organization see the Postfix overview documentation.

duplicate_filter_limit (default: 1000)
How many recipient addresses the local delivery agent and address cleanup daemon remember when delivering a message. A recipient address is ignored when it is found in the remembered list.

Time limits

External commands are given a finite time for completion. Such commands are run by the local delivery agent when it finds a "|command" destination in an alias database, :include: file or .forward file. The pipe mailer implements an alternative way to pipe mail into external commands.
command_time_limit (default: 1000 seconds)
How long the local delivery agent will wait before aborting an external command.

service_name_time_limit (default: $command_time_limit)
The time limit for delivery to external commands via the pipe mailer. For service_name, substitute the service name (the first field in the master.cf file).

Acquiring exclusive file locks

Internally, the Postfix programs cooperate in a very disciplined manner and rarely need to fight for exclusive file access. However, access conflicts may happen on the outside, for example, when mail has to be delivered while a user is accessing her mailbox. Postfix supports two types of file locks: Depending on the host system, Postfix uses one method or both. The following configuration parameters control how Postfix deals with file locks:
deliver_lock_attempts (default: 5)
The number of times to try locking a file before giving up.

deliver_lock_delay (default: 1 second)
How long to wait between attempts to lock a file.

stale_lock_time (default: 500)
How old an external lock file may be before it is forcibly removed.

Error recovery

Under conditions of severe stress, available system resources may be insufficient to accommodate Postfix's needs. The world may also seem to fall apart when a Postfix configuration file is broken, or when a Postfix program is defective.

The general approach taken in the face of disaster is to terminate with a fatal run-time error (or with a panic in case of software problems), and to try again after some time (the master daemon will restart processes after some delay). Each failed attempt is logged; hopefully, someone will notice the problem and fix it.

Some recovery strategies were implemented very early during Postfix development, and haven't been made configurable yet. What follows is the beginning of a growing list of recovery control parameters:

fork_attempts (default: 5 times)
The number of times to attempt to create a new process before giving up.

fork_delay (default: 1 second)
The delay between attempts to create a new process.

transport_retry_time (default: 60 seconds)
The amount of time between queue manager attempts to contact an apparently defunct Postfix delivery service.

Up one level | Basic Configuration | UCE Controls | Rate Controls | Resource Controls | Address Manipulation