Extension SSLit: Dovecot unable to start due to too many SNI ssl certificate config files

hschramm

Basic Pleskian
Username: hschramm

TITLE

Extension SSLit: Dovecot unable to start due to too many SNI ssl certificate config files

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

PLESK 18.0.36, Debian Linux Buster, SSLit 1.9.0 1242

PROBLEM DESCRIPTION

With 600+ domains on a server and the SSLit extension, it may happen that Dovecot can no longer be started if too many domain certificates are added to Dovecot.

STEPS TO REPRODUCE

Create 600+ Domains on a server
Enable SSLit
Secure all Domains especially for IMAP, POP3
Try to restart dovecot or enable pci_compliance for dovecot (which triggers a restart)

ACTUAL RESULT

plesk sbin pci_compliance_resolver --enable dovecot
Job for dovecot.service failed.
See "systemctl status dovecot.service" and "journalctl -xe" for details.
INFO: [Sat Jul 10 03:47:13 CEST 2021]: Service: dovecot, Action: reload
Trying to reload service dovecot... active
Jul 10 03:47:13 server1 systemd[1]: Started Dovecot IMAP/POP3 email server.
Jul 10 03:47:13 server1 systemd[1]: Reloading Dovecot IMAP/POP3 email server.
Jul 10 03:47:14 server1 dovecot[16034]: doveconf: Warning: service auth { client_limit=1000 } is lower than required under max. load (2248)
Jul 10 03:47:14 server1 dovecot[16034]: doveconf: Warning: service anvil { client_limit=1000 } is lower than required under max. load (2251)
Jul 10 03:47:14 server1 doveadm[16087]: Fatal: Dovecot is not running (read from /var/run/dovecot/master.pid)
Jul 10 03:47:14 server1 systemd[1]: dovecot.service: Control process exited, code=exited, status=75/TEMPFAIL
Jul 10 03:47:14 server1 systemd[1]: Reload failed for Dovecot IMAP/POP3 email server.

***** problem report *****
Warning: reload service dovecot failed

ERROR: Command '['/opt/psa/admin/sbin/pleskrc', 'dovecot', 'reload']' returned non-zero exit status 1
exit status 1


Jul 10 03:47:28 server1 dovecot[16143]: config: Fatal: pool_system_malloc(1608): Out of memory
Jul 10 03:47:28 server1 dovecot[16034]: master: Error: Error reading configuration: read(/var/run/dovecot/config) failed: EOF
Jul 10 03:47:28 server1 dovecot[16143]: config: Fatal: master: service(config): child 16277 returned error 83 (Out of memory (service config { vsz_limit=256 MB }, you may need to increase it) - set CORE_OUTOFMEM=1 environment to get core dump)

EXPECTED RESULT

It should not fail but set the vsz_limit to 1G

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
I have a similar issue:
config: Fatal: master: service(config): child 3478411 returned error 83 (Out of memory (service config { vsz_limit=256 MB }, you may need to increase it) - set CORE_OUTOFMEM=1 environme>
created
vim /etc/dovecot/conf.d/99-vsz.conf

service imap {
vsz_limit = 1 G
}


and restarted the dovecot service, but same result.
No webmail is working on the server side.
 
If I remember correctly, the vsz_limit must be higher than the largest temporary/cache dovecot file. Suggestion: Try to find the largest dovecot files by running
# find /var/qmail/mailnames/ -type f -name dovecot.index.cache -exec ls -al {} \; | sort -k 5 -n | tail -n1
then increase vsz_limit to a value greater than the largest one.
 
We are also having similar errors. The error about memory is gone, but now we are left with:

Jan 25 13:40:47 plesk34 postfix-local[57825]: 93BAD6620B: process '/usr/libexec/dovecot/dovecot-lda -d "$DELIVERED_TO" -a "${ORIGINAL_RECIPIENT:-DELIVERED_TO}"' stderr : doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/14-plesk-sni-mail.domain.tld.conf line 0: Couldn't open include file /etc/dovecot/conf.d/14-plesk-sni-mail.domain.tld.conf: Too many open files

Latest Plesk version
Centos 7

But once the config directory reaches more than 1024 configs, the problem starts. So somewhere there is a default setting of 1024 that needs to be overridden. Any suggestions?

Some background information:
For every domain we add a mail.domain.tld, request an SSL certificate, and bind it to the mail server, so customers can use mail.domain.tld with a valid certificate. We know that "domain.tld" works, but people naturally use mail., smtp. or imap. for mail services. As a result, when we reach 512 domains (because each domain creates 2 config files), Dovecot starts shouting out errors.

[root@plesk34 ~]# grep files /proc/$(pgrep -f 'dovecot -F')/limits
Max open files 65535 65535 files

systemctl show dovecot.service | grep -i limitno
LimitNOFILE=65535
 
Try the following
Code:
systemctl edit dovecot.service

[Service]
LimitNOFILE=infinity

Restart and try again.
 
Dear hschramm,

I have tried that but no luck
Jan 26 20:14:49 plesk34 postfix-local[12692]: 0A28C6629B: process '/usr/libexec/dovecot/dovecot-lda -d "$DELIVERED_TO" -a "${ORIGINAL_RECIPIENT:-DELIVERED_TO}"' stderr : doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/14-plesk-sni-domain.nl.conf line 0: Couldn't open include file /etc/dovecot/conf.d/14-plesk-sni-domain.nl.conf: Too many open files

When I keep adding domains, this results in the same error but with a different config file.
Maybe I also need to do something with postfix?
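
Added example, not part of any post in this thread: a shell triage of the two failures reported above. It reads the limited service out of the out-of-memory line and the reporting process out of the "Too many open files" line, since a process inherits its descriptor limit from whatever started it. The function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample lines are constructed.

# Service and current vsz_limit named in an "Out of memory" line.
oom_service() {
    printf '%s\n' "$1" | sed -n \
        's/.*Out of memory (service \([a-z_-]*\) { vsz_limit=\([0-9]* *[A-Za-z]*\) }.*/\1 \2/p'
}

# Syslog tag of the process that reported "Too many open files".
# Its descriptor limit is inherited from whatever started it, so a
# LimitNOFILE set on another unit does not reach it.
emfile_reporter() {
    printf '%s\n' "$1" |
        awk '/Too many open files/ { sub(/\[.*/, "", $5); print $5 }'
}

# Soft "Max open files" value from a saved copy of /proc/PID/limits.
soft_nofile() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# Number of *.conf includes in a conf.d directory against a descriptor limit.
conf_headroom() {   # $1 = directory, $2 = soft limit
    n=$(find "$1" -maxdepth 1 -type f -name '*.conf' | wc -l)
    n=$((n))
    if [ "$n" -ge "$2" ]; then echo "EXCEEDED $n/$2"; else echo "ok $n/$2"; fi
}

# Constructed sample lines, shortened from the messages quoted in the thread.
oom='Jul 10 03:47:28 server1 dovecot[16143]: config: Fatal: (Out of memory (service config { vsz_limit=256 MB }, you may need to increase it))'
emf='Jan 25 13:40:47 plesk34 postfix-local[57825]: 93BAD6620B: doveconf: Fatal: Too many open files'

echo "vsz_limit applies to: $(oom_service "$oom")"
echo "nofile limit hit in:  $(emfile_reporter "$emf")"
```

On a live host, pass `soft_nofile` the `/proc/PID/limits` file of the process named by `emfile_reporter` and feed its result to `conf_headroom` together with the conf.d path.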
 