
QMail : Slow, added -Rt0 in xine, but another problem

Originally posted by Swakoo
yeah.. thanks

the ip is owned by our datacenter equinix. we just got 14 ips off them.

Have them setup rDNS for each IP as you assign them to a domain, if you are putting multiple domains on an IP, you can only have a single rDNS, so you would have to pick which domain it would be.

so i just have to get them to do a reverse dns on the ip... ok.. going to contact them..

meanwhile. i set the queuelifetime to 86400 (1 day)

Also.. u asked what is the content of mine /etc/resolv.conf

its as follows
nameserver 127.0.0.1
search localdomain

above the 'nameserver 127.0.0.1' you should have either 1 or 2 of your upstream provider's nameservers listed. The 'search localdomain' is optional, I don't use it. There are different reasons for whether you put the 127.0.0.1 entry last, or first. I put it last for performance related reasons. Unless you have your server setup as a caching nameserver (probably not), I would put the 127.0.0.1 last. Do not put too many upstream entries, I recommend only 1 or 2. Make sure they are RELIABLE, if they are down for any reason, then your server will experience lookup delays. For example, on my test server, the upstream provider (ISP) is SBC Global, so I have:

nameserver 206.13.29.12
nameserver 206.13.30.12
nameserver 127.0.0.1

 
yeah i have multiple domains on a single IP as we do load balancing...

all the domains' mail is tied to the plesk server

ooh I thought since its the DNS server, I just point it to itself.. both my DNS server the same.

I now monitoring a certain mail to see if it really clears in one mail. Took note of its mail id via qmHandle. Tomorrow morning will be checking. Does it clear at a specified time in the day, or exactly 24hr from the time the mail is in queue?

Your earlier suggestion of cron-ing a task to delete the failure notice and dump all output to /dev/null is the last resort.. as even though it will really keep the queue clean and tidy, i risk having valid users not being able to receive reject mails...

but contrary to what i found online, once the queue hits thousand range, my outgoing mail to other mail servers outside is severely delayed.. :confused:
 
Originally posted by Swakoo
both my DNS server the same.
What do you mean by this?

I now monitoring a certain mail to see if it really clears in one mail. Took note of its mail id via qmHandle. Tomorrow morning will be checking. Does it clear at a specified time in the day, or exactly 24hr from the time the mail is in queue?
I believe each message's time would be 24 hrs in the queue, then dumped.

Your earlier suggestion of cron-ing a task to delete the failure notice and dump all output to /dev/null is the last resort.. as even though it will really keep the queue clean and tidy, i risk having valid users not being able to receive reject mails...
Understood

but contrary to what i found online, once the queue hits thousand range, my outgoing mail to other mail servers outside is severely delayed.. :confused:

You never did say if you increased the concurrencyremote file value to 250 or not. Then restart qmail again.

And I know it's never convenient, but have you rebooted the server lately? Sometimes you have to...

 
I mean both my dns server points to just 127.0.0.1
So you reckon I should put my datacenter's DNS server in there too?

Oh did you mention to put "250" for concurrencyremote? Sorry I didn't catch that. I just added it via
echo "40" > /var/qmail/control/concurrencyremote
then restarted qmail /etc/ini.d/qmail restart

right? How do i see if it is attempting to move 250 emails per time? anyway to check for that?

Am monitoring the queue...


Hmm just check, the mail is still there, guess I will have to check in tonight and see how


Haven't restart yet, been running more than 3 months with no reset as it is our email server. Best time to restart it would be tomorrow when lesser people checks in.. nowadays.. email is everything to some people :)
 
Yes, I always put at least one of the upstream nameservers in the resolv.conf file.

I thought I had mentioned '250', but I guess I must have just said to increase it. I would still bump it up higher than 40.

After making changes to resolv.conf, you should restart the 'named' service.

Still a good idea to reboot the server.
nowadays.. email is everything to some people
Yes, then it's a matter of which is worse, them complaining it's down for a minute or so, or that it's not delivering emails for hours and days.... :D When I decide to reboot even during a busy time, if I get any calls, I just tell them 'Do you want things to work or not?' That usually shuts them up.
 
Haha guess I must have forgotten to mention : I am Mr Nice Guy in office :p
But one thing for sure, it doesn't pay to be nice. But I like it anyway hah!

Ok some updates.. after a weekend of monitoring...

concurrency is at '250'
queuetimelife is at '86400' or 1 day
In PLESK control, mail is set to allow only mails from 127.0.0.1/32 (though sorry to say.. i don really understand how does the last number work.. /0, /8, /32... pardon me for my dumb-wittedness :( )
-Rt0 is in place (that's how we came to so many pages! heh)

Ok, now the queue is sitting comfortably at 3088, yesterday morning was 1500.
But the good thing is all my out-going mail, despite the queue... are out-gone!

at least mail is moving.. now monitoring to see how much the queue will built up.. but the mails are definitely staying 1 day only.. been checking the same message id.. it changes.. and i receive an email saying the mail i sent earlier is invalid and been unsent for too long and is dumped out of queue..

now to see if can control the failure notices.. which mostly are spam... :S
what you reckon?

Also what other way can i look to finetune qmail?

For the resolv.conf

since my current one is
nameserver 127.0.0.1
search localdomain

I should just add it to
nameserver my.isp.dns.com
nameserver my.isp.dns.com
nameserver 127.0.0.1
search localdomain
??

Purely for performance (name lookup) purpose right?
 
Haha guess I must have forgotten to mention : I am Mr Nice Guy in office
But one thing for sure, it doesn't pay to be nice. But I like it anyway hah!

No it does not pay, I know that very well. I am super nice guy most of the time
until they want to do something that they will regret and blame me for later :)


Ok some updates.. after a weekend of monitoring...

concurrency is at '250'
queuetimelife is at '86400' or 1 day
In PLESK control, mail is set to allow only mails from 127.0.0.1/32 (though sorry to say..
i don really understand how does the last number work.. /0, /8, /32... pardon me for my
dumb-wittedness )
-Rt0 is in place (that's how we came to so many pages! heh)

IP subnetting is not an easy subject and too involved for a forum post.
There are probably thousands of sites out there with IP Protocol and subnet information.

Here is one, I have not gone through their site, but looks like it could be useful for you.
http://www.learntosubnet.com/


Ok, now the queue is sitting comfortably at 3088, yesterday morning was 1500.
But the good thing is all my out-going mail, despite the queue... are out-gone!

at least mail is moving.. now monitoring to see how much the queue will built up..
but the mails are definitely staying 1 day only.. been checking the same message id..
it changes.. and i receive an email saying the mail i sent earlier is invalid and
been unsent for too long and is dumped out of queue..

now to see if can control the failure notices.. which mostly are spam... :S
what you reckon?

'mostly' hmm. That is a problem, you could send them all to a blackhole
account (there is another thread on setting this up), or put qmHandle in a cronjob to run every
x hours. Both of these solutions are simple, but will affect 'ALL' failure notices, so
your clients would not even get a failure message when they mis-spell an email address. Other
than those, you would have to see if there are any Qmail addons or patches to do this. That would
require re-compiling Qmail, which if you have not done this, I do not recommend doing it on a
production server until you have done it successfully on a matching test server preferably a clone
of the production hard drive (exact same conditions).


Also what other way can i look to finetune qmail?

There are many other control files, search the Plesk forums (no matter
which version of Plesk, Qmail control files are the same and are not Plesk dependent).
See the qmail.org and qmailrocks.org sites or Google.


For the resolv.conf

since my current one is
nameserver 127.0.0.1
search localdomain

I should just add it to
nameserver my.isp.dns.com
nameserver my.isp.dns.com
nameserver 127.0.0.1
search localdomain
??

Purely for performance (name lookup) purpose right?
I would put the first 3 lines you posted, I don't put the 'search localdomain'
statement in any of my servers' resolv.conf files. The primary reason to use your ISP's
nameservers is that theirs are 'caching nameservers', unless you reconfigure your Plesk server,
it is not setup to do 'caching'. So by using the ISP's you offload requests from your server to their
especially since most of the lookups for external domains will not be found in the non-existent
bind cache on your localserver. Or something like that.... IN ANY CASE, it is not required and all my servers work great without it, so why mess with a good thing?

Code:
From the Linux MAN pages (#man resolv.conf):

     search   Search list for host-name lookup.  The search list is normally
              determined from the local domain name; by default, it contains
              only the local domain name.  This may be changed by listing the
              desired domain search path following the search keyword with
              spaces or tabs separating the names.  Most resolver queries will
              be attempted using each component of the search path in turn
              until a match is found.  Note that this process may be slow and
              will generate a lot of network traffic if the servers for the
              listed domains are not local, and that queries will time out if
              no server is available for one of the domains.

              The search list is currently limited to six domains with a total
              of 256 characters.
 
somemore updates.. queue hits 3000+.. but mail still outgoing.. and mails are staying in queue for only a day.

So i guess that solves that...

I understand the subnetting already.. basically its just to limit to 127.0.0.1 since /32 is referring to 32 '1's which is 255.255.255.255
right? :D

But the option for Allow/Disallow Networks.. while allowing localhost (127.0.0.1)
What use is there for allowing whatever other networks..? disallow is basically if i know some joker domain/ip definitely spam... but allow?

Yah I rather my client get the reject news.. to know that their intended mail recipient is a spoof. Since now outgoing is working well... hmm but it will be on my to-do list...
But what thread are you referring to for the other method(s), can you shed some direction for me to head there?

For the DNS Server part... u mean it works great without.. or with the settings? :p

"search localdomain" - no purpose then?
But curiously, all these while I put both my dns server (in fact, all the servers) resolv.conf as nameserver 127.0.0.1 only
Apart from search domains within my server/control, how did it get the addresses of the other (many) external domains like google etc...? hmm..

also.. is it better for me to put the domain name of mine isp dns servers.. or the ip?
I restart named after that right?
should i apply to all my web servers too, or just dns servers enough?

Now that the concurrencyremote and queuetimelife works.. remember you suggested a few more last page.. I'll go check it out first and check with you again


Well, at least the main "evil" have been exorcised... or has it.. another week of comfort using should tell the difference... but.. :) Many thanks James!

Hahaha I must be now known as Mr So Many Freaking Questions... hahaha
but it has been one heck of a ride just on this topic.. and i learn many new things! thanks!
 
Originally posted by Swakoo
somemore updates.. queue hits 3000+.. but mail still outgoing.. and mails are staying in queue for only a day.

You may not want to leave the queuelifetime set for only a day. There are situations where a valid domain's server is down for maintenance or whatever, and then those emails headed for that domain will never get there, and no failure message back to your user since it will be dropped from the queue... Just another piece of the puzzle to think about.

So i guess that solves that...

I understand the subnetting already.. basically its just to limit to 127.0.0.1 since /32 is referring to 32 '1's which is 255.255.255.255
right? :D

DA, I mean right.

But the option for Allow/Disallow Networks.. while allowing localhost (127.0.0.1)
What use is there for allowing whatever other networks..? disallow is basically if i know some joker domain/ip definitely spam... but allow?

Think of it as a whitelist of IPs. But you don't want to use it unless you really have a need.
The white list is used to specify the IP addresses from which mail will always be relayed without authorization, even if the mail relaying is disabled on the server.
Be VERY CAREFUL if you use the whitelist or you may become a relay for spammers!


Yah I rather my client get the reject news.. to know that their intended mail recipient is a spoof. Since now outgoing is working well... hmm but it will be on my to-do list...
But what thread are you referring to for the other method(s), can you shed some direction for me to head there?

Not sure which of my responses you refer to...

For the DNS Server part... u mean it works great without.. or with the settings? :p

"search localdomain" - no purpose then?

It has a purpose, but IMO it is not needed on hosting servers, and since none of my failure messages hang in the queue for that long, I am wondering if that may be contributing to that symptom. I am not curious enough to change any of my servers to find out.

But curiously, all these while I put both my dns server (in fact, all the servers) resolv.conf as nameserver 127.0.0.1 only
Apart from search domains within my server/control, how did it get the addresses of the other (many) external domains like google etc...? hmm..

Do you mean when you only had your 127.0.0.1 in the resolv.conf?

also.. is it better for me to put the domain name of mine isp dns servers.. or the ip?

nameserver ip.of.isp.nameserver

I restart named after that right?
Yes
should i apply to all my web servers too, or just dns servers enough?
Always restart named after any changes, just like restart Apache/httpd after any changes to httpd.include or vhost/vhost_ssl files. NOT your webservers, just your DNS Servers. Don't complicate matters...

Now that the concurrencyremote and queuetimelife works.. remember you suggested a few more last page.. I'll go check it out first and check with you again


Well, at least the main "evil" have been exorcised... or has it.. another week of comfort using should tell the difference... but.. :) Many thanks James!

Hahaha I must be now known as Mr So Many Freaking Questions... hahaha

Questions asked properly with enough detail are GOOD. Unasked questions or questions asked with little/no details are BAD.

but it has been one heck of a ride just on this topic.. and i learn many new things!
Yes, long thread, somehow I tend to pick the long ones. Just wait, there is much much much more to learn...

thanks!
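
The /0, /8, /32 question and the relay whitelist warning above, worked through as an added example that is not part of the original posts. The sample whitelist is constructed (only 127.0.0.1/32 comes from the thread), the function names are hypothetical, and IPv4 entries are assumed:

```python
import ipaddress

# RFC 1918 private ranges, checked explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample whitelist; only 127.0.0.1/32 comes from the thread.
SAMPLE_WHITELIST = ["127.0.0.1/32", "127.0.0.0/8", "10.0.0.0/8",
                    "203.0.113.0/24", "0.0.0.0/0"]


def describe(entry):
    """Expand one CIDR entry into netmask, address count and a risk label."""
    net = ipaddress.ip_network(entry, strict=False)
    if net.prefixlen == 0:
        risk = "open-relay"        # /0 matches every IPv4 address
    elif net.is_loopback:
        risk = "loopback-only"     # only processes on this host
    elif any(net.subnet_of(r) for r in RFC1918):
        risk = "private-range"     # every host on that internal network
    else:
        risk = "external-range"    # outside hosts relay without auth
    return {"entry": str(net), "netmask": str(net.netmask),
            "addresses": net.num_addresses, "risk": risk}


def may_relay(client_ip, whitelist):
    """True if client_ip falls inside any whitelisted network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in whitelist)


def risky_entries(whitelist):
    """Return the entries that let anything other than this host relay."""
    return [d for d in map(describe, whitelist)
            if d["risk"] != "loopback-only"]


if __name__ == "__main__":
    for d in map(describe, SAMPLE_WHITELIST):
        print(f'{d["entry"]:<18} {d["netmask"]:<16} '
              f'{d["addresses"]:>11}  {d["risk"]}')
```

The prefix length is the number of leading 1 bits in the netmask, so /32 pins the entry to one address while each bit removed doubles the number of clients that can relay without authenticating.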
 
You mention another thread that talks about setting a blackhole account??

What's the recommended number of days?
I have tested sending to one of the spam address (since its confirm invalid) I saw in the queue, on drop-out from the queue, I get an email from the server saying the mail has stay too long in the queue and it will be dropped. at least user still knows about it.. but your point is something worth pondering abt...


Ah I understand now... with regards to the Whitelist now. I think I fully comprehend it.. .. knowing it now.. 127.0.0.1/32 is very important! I wonder why plesk set it otherwise.
Btw, if I didn't have PLESK, where is the file that controls the white/black list for qmail?

so what does search localdomain really do?
I just commented it out, see if it affects anything.
Also, I actually set the 2 new nameservers using their domainname ns1.isp.com, ns2.isp.com
But you recommended using IP address instead (which I have changed already), why so? I thought name more definite... ip may change.. name usually won't?

Interestingly enough, with my 3 values of nameserver,
the first 2 entry (ISP's NS) IP addresses are in red.
the 3rd one (nameserver 127.0.0.1) is in purple. WHy the diff?

btw, I just implemented this change to one dns server, the other still the same.. see see first...


Yah I meant when I just had nameserver 127.0.0.1, how does it know where to find the external domains?
 
Stupid Firefox, had this all ready to go and it locked up, had to re-do it all over :mad:
Originally posted by Swakoo
You mention another thread that talks about setting a blackhole account??

Ah, I understand now. See this thread:
http://forums.sw-soft.com/showthread.php?threadid=24286&highlight=blackhole
(see my post on 29th July 2005 05:50 AM)


What's the recommended number of days?

7 days, but I have some servers set for 4 days. I figure it may take some people up to 4 days to get a crashed server operational and fully functional.

I have tested sending to one of the spam address (since its confirm invalid) I saw in the queue, on drop-out from the queue, I get an email from the server saying the mail has stay too long in the queue and it will be dropped. at least user still knows about it.. but your point is something worth pondering abt...

Ah I understand now... with regards to the Whitelist now. I think I fully comprehend it.. .. knowing it now.. 127.0.0.1/32 is very important! I wonder why plesk set it otherwise.
Btw, if I didn't have PLESK, where is the file that controls the white/black list for qmail?

so what does search localdomain really do?
I just commented it out, see if it affects anything.
Also, I actually set the 2 new nameservers using their domainname ns1.isp.com, ns2.isp.com
But you recommended using IP address instead (which I have changed already), why so? I thought name more definite... ip may change.. name usually won't?

Even the names may occasionally change, but it saves on having to do a lookup from the name to get the IP address everytime.

Interestingly enough, with my 3 values of nameserver,
the first 2 entry (ISP's NS) IP addresses are in red.
the 3rd one (nameserver 127.0.0.1) is in purple. WHy the diff?

What command are you doing to see the lines in color?

btw, I just implemented this change to one dns server, the other still the same.. see see first...

Always good to go slow and test/observe.

Yah I meant when I just had nameserver 127.0.0.1, how does it know where to find the external domains?
Too much for a post. Ever consider reading a Linux Primer or your OS docs to get foundation material? Ok, I'll be nice and give you some links:
Linux Resolver and DNS Lookups - how it works, primer, background material

http://howtos.linux.com/guides/nag2/x-087-2-resolv.shtml
http://www.linux.ie/articles/dns.php (good for newbies)
http://www.faqs.org/docs/linux_network/x-087-2-resolv.html
http://www.oreilly.com/catalog/linag2/book/ch06.html
http://howtos.linux.com/guides/nag2/x-087-2-resolv.library.shtml
http://linux.about.com/library/cmd/blcmdl5_resolver.htm
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-bind.html


 
7 Days!? Thats the original settings hmm...
if i maintain about 3000+ mails in my queue in one day.. gosh 7 days...
hmmm...


where's the file in qmail that controls the whitelist/blacklist like in PLESK? I'm sure there's a file that controls it?

I'm using vim over sshd. no idea why also... you think it maybe a problem?

yeah thats alot to digest... i'm picking it up as i go along.. perhaps thats why all my thoughts is pretty mess up heh :p
 
Originally posted by Swakoo
7 Days!? Thats the original settings hmm...
if i maintain about 3000+ mails in my queue in one day.. gosh 7 days...
hmmm...
It's up to you, and as I said I do have some set for 4 days. I figure server goes down Friday-Sat-Sun-Mon they should have it up by then, unless they are slouches and don't notice it until Monday, too bad for them... :)
where's the file in qmail that controls the whitelist/blacklist like in PLESK? I'm sure there's a file that controls it?
The blacklist is /var/qmail/control/badmailfrom and I can't remember about the whitelist, it's not a Qmail control file though. I'm pretty brain dead right now.

I'm using vim over sshd. no idea why also... you think it maybe a problem?
I just tried vim over ssh and local on a test server, did not get any colored lines.

yeah thats alot to digest... i'm picking it up as i go along.. perhaps thats why all my thoughts is pretty mess up heh
Stay on the path young grasshopper, it is the way to true enlightenment - Master Po (ok, now I know it's time to sleep) :D

Also, I had edited my last post with links to info on resolver and dns, didn't know if you saw that.
:p
 
yeah there's no one perfect scenario.. guess i will keep it to 1 day for now.. probably push it to 3 days later.. i going to change my 2nd dns server setting this Wednesday (add the 2 isp dns server) - slowly but surely :)
Then maybe once that ok, by end of week i set to 2 days

the blacklist is a qmail control but not the whitelist? interesting

Oh man, thats so jedi-sh hahaha
I will.. and yep I saw the links :)

Alot of information!


Hey you got icq/msn/ or some IM?
 
yo james... haha you have any IMs?
Googletalk also can hahaha


btw, i have set both settings to both dns server.. am working fine :)

Now to concentrate on the fine tuning of qmail... i was distracted by other task along the week.. whew
 
I do have IM accounts, but don't use them much anymore, don't have the time for it :)

All work and no play makes James a very unhappy boy...
 
Originally posted by jamesyeeoc
I do have IM accounts, but don't use them much anymore, don't have the time for it :)

All work and no play makes James a very unhappy boy...

hahaha james... so is playing IM a work or play to you?


Hey I got a phenomenon that I realise...

the amount of spam is increasing at an amazing speed... ever since we sort of settle the qmail -Rt0 problem

will setting the queuelifetime to 1 day be a potential problem...?

we are not using PLESK server side spam filter cos the option given on the control panel is too simplified.. our concerns are that legit mail get filtered too.. what do you think?

or is it possible to download SpamAssassin myself and install it into the mail server...?
 
IM would be more of 'play' than work, but then I began using it for work as well. That's why I don't use it too often anymore.

If you are not using the Plesk version of SA, are you running with no anti-spam? If so, that would explain why you have so much spam.

It is possible to download and install the 'regular' non-plesk SA, there are many posts dealing with that. Another option would be to purchase and use the 4PSA SpamGuardian, which also is a GUI based interface for SA, they also use RulesDuJour with SA and is pretty effective, but their GUI still has some limitations.

If you want full flexibility, then you will have to download/install the full SA package and then you can have full control of it.

If you are going to do this I would recommend you check out using ART's yum repository for the RPMs. His versions of software are Plesk friendly.

Another alternative is to setup a separate mail scanning server to service your hosted domains. Check out ART's Project Gamera mail scanner stuff, it does require a separate non-Plesk server box to run.
 
hi james,

just got back from a company retreat, am refreshed! hahaha


oh well... i will look into it.... one step at a time

by the way; do you know if it is normal for qmail in that.. when a user's mailbox hit quota, they are not able to download their mail via POP? cos thats the problem my users are facing right now

when they breached the quota, they have to go to webmail to remove the unwanted mails before the can download mails again
 
What we've found is that when your ISP provides you with two nameservers for your upstream DNS, they will provide you with one primary and one secondary nameserver. Now if you list these nameservers in the wrong order in your /etc/resolv.conf file you will actually query the secondary nameserver instead of the primary resulting in a big delay in the response time.

This will affect site response time, outbound email and ping results. Try reversing the order of the ISP nameservers listed in your resolv.conf file and then do a

# service network restart

Once that is done, if this was affecting your server you will notice a huge performance boost and email will start going out much faster.
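
The resolv.conf advice given through this thread (nameserver entries as IP addresses, one or two upstream resolvers, 127.0.0.1 last, `search` optional), as an added example that is not part of the original posts. The function names and finding codes are hypothetical, and the two sample files are the ones quoted in the thread:

```python
import ipaddress

# The poster's original file, as quoted in the thread.
ORIGINAL = "nameserver 127.0.0.1\nsearch localdomain\n"

# The layout posted as the recommended one in the thread.
RECOMMENDED = ("nameserver 206.13.29.12\n"
               "nameserver 206.13.30.12\n"
               "nameserver 127.0.0.1\n")


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) from resolv.conf text."""
    servers, search = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
        elif fields[0] == "search":
            search = fields[1:]              # the last search line wins
    return servers, search


def audit_resolv_conf(text):
    """Return finding codes for the points raised in the thread."""
    servers, search = parse_resolv_conf(text)
    findings, parsed = [], []
    for s in servers:
        try:
            parsed.append(ipaddress.ip_address(s))
        except ValueError:
            # The nameserver keyword takes an IP address, not a host name.
            findings.append("hostname-not-ip:" + s)
    upstream = [i for i, ip in enumerate(parsed) if not ip.is_loopback]
    loopback = [i for i, ip in enumerate(parsed) if ip.is_loopback]
    if not upstream:
        findings.append("no-upstream-nameserver")
    if upstream and loopback and loopback[0] < upstream[-1]:
        findings.append("loopback-before-upstream")
    if len(upstream) > 2:
        findings.append("more-than-two-upstreams")
    if len(servers) > 3:
        # The glibc resolver uses at most three nameserver entries (MAXNS).
        findings.append("entries-beyond-third-ignored")
    if search:
        findings.append("search-list-present")
    return findings


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("recommended", RECOMMENDED)):
        print(name, audit_resolv_conf(text) or "no findings")
```

A static check like this cannot tell which upstream resolver answers faster, so the ordering point in the last post still has to be tested with real lookups.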
 