
Dovecot Performance Optimisation

Dominic -

PROBLEM

I want to optimise Dovecot specifically for my system and user base.

ENVIRONMENT

  • On-Premises Server: Version 7.7+

CAUSE
The default Dovecot configuration does not utilize my system to its full potential.

RESOLUTION

Note: Setting service_count = 0 can raise security concerns, as it allows long-running processes to handle multiple connections and authentications. This loses much of the security benefit of the login process design: in the case of a security hole (in Dovecot or the SSL library), the attacker is able to see other users logging in and steal their passwords, read their mail, etc. Please see here for further information.

Optimising Dovecot for your system requires you to first gather the following information. The number of users and the type of connections (SSL/TLS) you want to support will affect the starting point for these variables. This document uses the IMAP protocol as a reference, but the same settings apply to POP3 configurations. The following findings are based on a system with 100 users, but the same principles apply when tuning larger systems.

  • Number of CPU cores available. This will be the integer set for the process_min_avail variable.
    [root@7801 ~]# nproc
    1
  • Number of users
    MariaDB [atmail]> select count(Account) from Users;
    +----------------+
    | count(Account) |
    +----------------+
    |            100 |
    +----------------+
    1 row in set (0.00 sec)

This document has been generated from testing with dovecot 2.2.22.rc1 (default dovecot from atmail 7.7) and will optimize the following sections of your dovecot.conf:

  • General Configuration
  • Login Process
  • Sessions

Your configuration can be found at:

/usr/local/atmail/mailserver/etc/dovecot/dovecot.conf

If you are unsure what version of dovecot your system has:

[root@server dovecot]# /usr/local/atmail/mailserver/sbin/dovecot --version
2.2.22.rc1 (fe789d2)

If you are unsure what configuration dovecot is currently using:

[root@server ~]# /usr/local/atmail/mailserver/bin/doveconf | head -n 1
# 2.2.22.rc1 (fe789d2): /usr/local/atmail/mailserver/etc/dovecot/dovecot.conf

PRESUMPTIONS

  • 100 users
  • Multiple devices
  • atmail is the only service running
  • SSL/TLS connections
    service_count × process_limit = 250 SSL connections. This allows each user to connect on two devices and leaves the system 50 spare SSL/TLS logins.

General Configuration

The following additions can be placed in the general section of your dovecot.conf. For clarity and reference, I have appended ## to our performance-optimised variables.

# MAILDIR ops
maildir_very_dirty_syncs = yes ## Assume that only Dovecot accesses cur/ directory
maildir_copy_with_hardlinks = yes ## When copying a message, do it with hard links whenever possible
maildir_stat_dirs = no ## If set to "yes", Dovecot needs to stat() each directory entry, which degrades performance
mailbox_list_index=yes ## Replies to IMAP STATUS with single index

Login Process

The following can be placed in the service imap-login or service pop3-login section of your dovecot.conf. For clarity and reference, I have appended ## to the performance-optimised variables.

service imap-login {
service_count = 5 ## Number of client connections to handle until the process kills itself. 0 = unlimited
process_limit = 50 ## Process limit for the imap-login service. SSL/TLS processes remain persistent for the session.
process_min_avail = 1 ## Number of CPU cores
client_limit = 0 ## Maximum number of simultaneous client connections per process, 0 = default = 1000
vsz_limit = 64M ## increase ONLY if dovecot runs out of memory.

...truncated output...

  user = atmailimap

}
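
As an added example (not part of the original article or Atmail's tooling), the sketch below parses the service blocks of a dovecot.conf and applies the article's rule service_count × process_limit to a login service, reporting when login processes are shared between connections. The function names, the sample config and the fallback defaults are assumptions.

```python
import re

# Constructed sample: the article's values laid out in dovecot.conf syntax.
SAMPLE = """\
service imap-login {
  service_count = 5 ## connections handled before the process exits
  process_limit = 50
}
service auth {
  client_limit = 500
  unix_listener auth-client {
    mode = 0660
  }
}
"""

def parse_services(text):
    """Return {service: {setting: value}}; nested listener blocks are skipped."""
    services, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and ## annotations
        if line.endswith("{"):
            depth += 1
            m = re.match(r"service\s+(\S+)\s*\{$", line)
            if depth == 1 and m:
                name = m.group(1)
                services[name] = {}
        elif line == "}":
            depth -= 1
            name = name if depth else None
        elif depth == 1 and name and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            services[name][key] = value
    return services

def audit_login(settings, users, devices_per_user):
    """Return (capacity, findings) using the article's sizing rule."""
    # Fallbacks are assumed stock defaults for settings the config omits.
    count = int(settings.get("service_count", 1))
    limit = int(settings.get("process_limit", 100))
    findings = []
    if count == 0:
        findings.append("service_count=0: a login process serves unlimited connections")
    elif count > 1:
        findings.append(f"service_count={count}: a login process is reused for {count} connections")
    capacity = None if count == 0 else count * limit  # service_count x process_limit
    needed = users * devices_per_user
    if capacity is not None and capacity < needed:
        findings.append(f"capacity {capacity} is below {needed} expected logins")
    return capacity, findings
```

With the article's values (100 users, two devices each), `audit_login(parse_services(SAMPLE)["imap-login"], 100, 2)` returns a capacity of 250 and one finding noting that each login process is reused for 5 connections.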

Sessions

The following can be placed in the service imap or service pop3 section of your dovecot.conf. For clarity and reference, I have appended ## to the performance-optimised variables.

service imap {
service_count = 5 ## Number of client connections to handle until the process kills itself. 0 = unlimited
process_limit = 50 ## Proc limit for imap service.
client_limit = 0 ## Maximum number of simultaneous client connections per process, 0 = default = 1000
vsz_limit = 64M ## increase ONLY if dovecot runs out of memory.

Truncated POP3 configuration...

service auth {
    client_limit = 500 ## Advised by MAX.load in dovecot logs while issuing doveadm reload
    unix_listener auth-userdb {
    }   
    unix_listener auth-client {
      mode = 0660
      user = atmail
      group = atmail
    }   
}

service anvil {
    client_limit = 300 ## Advised by MAX.load in dovecot logs while issuing doveadm reload
}

The client_limit variables in service auth and service anvil are set as referenced by MAX.load in the dovecot logs. While testing your configuration, you can quickly have dovecot re-read its configuration by issuing the following command:

[root@7802 ~]# /usr/local/atmail/mailserver/bin/doveadm reload

Summary

This document recommends using the above settings, scaled by appropriate ratios, for your current system. These are only starting points and may require further tuning as your user base grows and the system demands it.
