Postfix tuning for high amount

email-serverpostfixtuning

I have do some benchmarks with postfix, where we send out 6 KB HTML Mails. We followed all tuning instructions published by Postfix and used Ramdisk for the queue.

We were not able to send above 50 Mails / sec out.

Does anyone have some input on how we can improve that number?

The Server is only used for outgoing Mails.

Only to mention: I'm not a spammer 🙂 We will use it for a dating site where we send a big amount of Mails out for Notifications, weekly reports, daily stats.

Best Answer

It sounds like you need greater concurrency.

First ensure that you aren't bound by disk activity. atop is a good interactive method for this. sar and other tools are available as well. Given the ramdisk, this shouldn't be the major issue.

If your queue is full of mail going to many different domains, that is a sign that you aren't running enough server processes. Bump the limit on how many smptd instances you spawn.

If your queue is full of mail to some of the big internet sites (tons of GMail, for example), you will need to tune your settings for single-host delivery. Postfix should ramp itself up if it has a lot of email to the same domain, though.

Investigate and let us know what you're seeing.

Explanation

In SMTP, there are two encryptions scheme: STARTTLS and SMTPS. The difference is (1) SMTPS require SSL encryption from the first byte and (2) STARTTLS require plain text mode first and optionally client and server do SSL negotiation after STARTTLS command.

Postfix SMTP Server (smtpd) support both protocols. The problem is SMTP client (before postfix 3.0) - the one who sending email to remote server - doesn't support SMTPS connection. It only support plain text mode or STARTTLS mode.

What happens here is: Postfix SMTP client use plain text mode to connect to Bluehost because postfix want to established STARTTLS. But the Bluehost expect the first byte was SSL negotiation not plain text. This mismatch make Bluehost server silently discard the data and disconnect postfix. Postfix doesn't know what's going here, so it throws the error in maillog

Sep 27 16:31:51 TD1000 postfix/smtp[9757]: 1B2C357117: to=<me@mycompany.com>, relay=boxNNN.bluehost.com[a.b.c.d]:465, delay=5241, delays=5076/0.03/165/0, dsn=4.4.2, status=deferred (lost connection with boxNNN.bluehost.com[a.b.c.d] while receiving the initial server greeting)

Solution

Postfix TLS documentation provide a workaround to use stunnel here. So the solution from MrPhilTX was correct for Postfix < 3.0.

In postfix 3.0, Wietse Venema decided to give additional SMTPS feature for postfix SMTP client. With this feature, the stunnel solution doesn't needed here. There two variations here:

a) Enable SMTPS to all outgoing SMTP connection

Usually, in this case postfix has SMTPS-only relayhost like OP's problem. So

# Client-side SMTPS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
relayhost = [mail.example.com]:465

b) Enable SMTPS to several host

For other case, you need custom transport and transport_maps to selective turn on SMTPS

# /etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport:
example.com  relay-smtps:example.com:465

#/etc/postfix/master.cf:
relay-smtps  unix  -       -       n       -       -       smtp
    # Client-side SMTPS requires "encrypt" or stronger.
    -o smtp_tls_security_level=encrypt
    -o smtp_tls_wrappermode=yes

postfix – How to Use Simple File for SASL Authentication in Postfix

Postfix currently supports only two SASL authentication methods. One of the is Dovecot, which you don't want. The other is Cyrus, which is about as close to what you want as it's possible to get without rewriting Postfix. It does involve running a separate authentication daemon (saslauthd), but the authentication file is easy to edit and update.

The basics for using Cyrus SASL can be found at the postfix documentation site, but here's a short description. Please look at the link if anything's confusing in any way!

Start by installing Cyrus SASL with the plugin sasldb. (How to do that is left as an exercise for the reader; presumably there's a package in whatever package system your brand of unix is using.) Since the communication between Postfix and SASL will take place via a unix domain socket, you may want to add postfix to the SASL group, and make sure that that group has read and execute permissions to the directory /var/run/saslauthd.

Configure SASL

Configure SASL to use sasldb by editing /etc/sasl2/smtpd.conf:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM

The sasldb plugin means that sasl will use a Berkeley DB file for usernames and passwords. You add users with the command saslpasswd2:

$ saslpasswd2 -c -u example.com username
Password:
Again (for verification):

Note that you specify a domain together with the username, and the user will need to use "username@example.com" rather than just "username" when authenticating.

You can verify what users have been entered by running sasldblistusers2.

Start saslauthd, and verify that the authentication works by doing

testsaslauthd -u username@example.com -p password

Configure Postfix

Once that is done, tell Postfix to use SASL and to tell Cyrus that it's SMTP that it's authenticating, by editing /etc/postfix/main.cf to contain

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd

Then, reload postfix, and you should be set.

Best Answer

Related Solutions

Postfix relay host connection fails: timed out while receiving initial server greeting

Explanation

Solution

postfix – How to Use Simple File for SASL Authentication in Postfix

Configure SASL

Configure Postfix

Related Topic