authorGuilhem Moulin <guilhem@fripost.org>2014-04-17 04:56:43 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:47 +0200
commite9e8ce2add2b7c020daa02228e506e7c02828c15 (patch)
tree88aee2a20e3c1961aa94769a4df4f236a21741bc /roles/MX/templates/etc/postfix/main.cf.j2
parent3d4b17515fc21dbb218873b23ff9272ca9474e8e (diff)
Decongestion potential bottlenecks on trivial_rewrite(8).
Which might be caused by slow LDAP lookups in transport_maps. Instead, we alias each address for which we want a custom transport to a dedicated "dummy" domain, and use a static (CDB) transport_maps to map said domains to their transport; the receiver can then use canonical(8) to restore the original envelope recipient. Since the alias resolution is performed by cleanup(8), which can run in parallel with other instances, this should relieve bottlenecks under heavy load. So far only the MX:es have been decongestioned. The list manager and the MDA should be treated as well.
Diffstat (limited to 'roles/MX/templates/etc/postfix/main.cf.j2')
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j226
1 files changed, 12 insertions, 14 deletions
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 6c2004a..8bed701 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -34,66 +34,64 @@ inet_protocols = all
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
message_size_limit = 67108864
recipient_delimiter = +
# Forward everything to our internal mailhub
{% if 'MTA-out' in group_names %}
relayhost = [127.0.0.1]:{{ MTA_out.port }}
{% else %}
relayhost = [{{ MTA_out.host }}]:{{ MTA_out.port }}
{% endif %}
relay_domains =
# Virtual transport
-{% if 'LDA' in group_names %}
-virtual_transport = smtpl:[127.0.0.1]:{{ LDA.port }}
-{% else %}
-virtual_transport = smtps:[{{ LDA.host }}]:{{ LDA.port }}
-{% endif %}
-
+# We use a dedicated "virtual" domain to decongestion potential
+# bottlenecks on trivial_rewrite(8) due to slow LDAP lookups in
+# tranport_maps.
+virtual_transport = error:5.1.1 Virtual transport unavailable
virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf
virtual_alias_maps = pcre:$config_directory/virtual/reserved_alias.pcre
+ # first we do the alias resolution...
ldap:$config_directory/virtual/alias.cf
- # stop the alias resolution (by making finding
- # an A -> A alias) before searching for
- # catch-alls and domain aliases
- $virtual_mailbox_maps
+ # ...and unless there is matching mailbox/list...
+ ldap:$config_directory/virtual/mailbox.cf
+ ldap:$config_directory/virtual/list.cf
+ # ...we resolve alias domains and catch alls
ldap:$config_directory/virtual/alias_domains.cf
ldap:$config_directory/virtual/catchall.cf
-virtual_mailbox_maps = ldap:$config_directory/virtual/mailbox.cf
- ldap:$config_directory/virtual/list.cf
-transport_maps = cdb:$config_directory/virtual/transport_reserved_alias
- ldap:$config_directory/virtual/transport_list.cf
+virtual_mailbox_maps =
+transport_maps = cdb:$config_directory/virtual/transport
# Don't rewrite remote headers
local_header_rewrite_clients =
# Pass the client information along to the content filter
smtp_send_xforward_command = yes
# Avoid splitting the envelope and scanning messages multiple times
smtp_destination_recipient_limit = 1000
+reserved-alias_recipient_limit = 1
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
# Tunnel everything through IPSec
smtp_tls_security_level = none
{% if 'MTA-out' in group_names %}
smtp_bind_address = 127.0.0.1
{% else %}
smtp_bind_address = 172.16.0.1
{% endif %}
# TLS
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha1