<html>
<head>
<title> Postfix Configuration - Resource Controls</title>
</head>
<body>
<h1><a href="big-picture.html"><img src="small-picture.gif" width="115" height="45"></a> Postfix Configuration - Resource Controls</h1>
<hr>
<a href="index.html">Up one level</a> | <a href="basic.html">Basic
Configuration</a> | <a href="uce.html">UCE Controls</a> | <a
href="rate.html">Rate Controls</a> | Resource Controls | <a
href="rewrite.html">Address Manipulation</a>
<h2> Introduction</h2>
The Postfix system is designed to run within a finite memory budget.
To this end, there are configurable limits on the <i>size</i> of
in-memory objects such as text line fragments, on the <i>number of
instances</i> of such objects, and on the <i>time</i> an operation
may take. In addition, strategies are in place for dealing with
resource exhaustion. The idea is to keep running under conditions
of stress, without making the problem worse.
<p>
<ul>
<li> <a href="#size">Object size limits</a>
<p>
<li> <a href="#count">Object count limits</a>
<p>
<li> <a href="#time">Time limits</a>
<p>
<li> <a href="#lock">Acquiring exclusive file locks</a>
<p>
<li> <a href="#fan">Error recovery</a>
</ul>
<a name="size"><h2> Object size limits</h2> </a>
The first step towards a fixed memory resource budget is to limit
the size of each in-memory object. Once the size of in-memory
objects is limited, total memory consumption is limited by limiting
the number of object instances. Simple, no?
<p>
<dl>
<dt> <b>line_length_limit</b> (default: 2048 bytes)
<dd> How long a line of text can be before it is broken up into
pieces. All Postfix perimeter programs (<a href="smtpd.8.html">SMTP
server</a>, <a href="smtp.8.html">SMTP client</a>, <a
href="pickup.8.html">local pickup</a> and <a href="local.8.html">local
delivery</a>) enforce this line length limit when reading data from
an untrusted source. Long lines are reconstructed upon delivery.
<p>
<dt> <b>header_size_limit</b> (default: 102400 bytes)
<dd> How much text may be carried in a multi-line message header.
Header text that does not fit in <b>$header_size_limit</b> bytes
overflows into the message body. This limit is enforced by the <a
href="cleanup.8.html"> cleanup</a> header rewriting code.
</dl>
<p>
The following parameters restrict the use of file system storage:
<dl>
<dt> <b>message_size_limit</b> (default: 10240000 bytes)
<dd> The maximal size of a Postfix queue file for inbound mail,
including envelope information (sender, recipient, etc.).
<p>
<dt> <b>queue_minfree</b> (default: no restriction)
<dd> How many bytes of free space are needed in the queue file
system. The <a href="smtpd.8.html">SMTP server</a> declines inbound
mail delivery requests when there is insufficient space (the mail
will be accepted once enough space becomes available). There is
no default limit; however, it seems like a good idea to require at
least several times <b>$message_size_limit</b> so that the mail
system won't get stuck on a single large message.
<p>
<dt> <b>bounce_size_limit</b> (default: 50000 bytes)
<dd> How much of an undelivered message is sent back to the sender.
</dl>
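<p>
The <b>queue_minfree</b> advice above can be checked mechanically. The following Python audit is an added example, not part of Postfix or of the original page: it parses main.cf-style text, resolves <b>$name</b> references, and reports whether the free-space floor covers several maximal messages. The multiplier of 3, the function names, and the sample configuration are assumptions; the parser handles only a subset of main.cf syntax.

```python
import re

# Defaults as listed on this page; "0" stands in for "no restriction".
PAGE_DEFAULTS = {"message_size_limit": "10240000", "queue_minfree": "0"}

# Constructed sample: the free-space floor equals one maximal message.
SAMPLE_MAIN_CF = """\
# constructed sample, not from a real system
message_size_limit = 20480000
queue_minfree =
    $message_size_limit
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; '#' starts a comment line, and a line
    that begins with whitespace continues the previous parameter."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = value.strip()
    return params

def expand(name, params, depth=0):
    """Resolve $name and ${name} references, falling back to PAGE_DEFAULTS."""
    if depth > 10:
        raise ValueError("recursive reference in " + name)
    value = params.get(name, PAGE_DEFAULTS.get(name, ""))
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(m.group(1), params, depth + 1), value)

def audit_queue_minfree(text, factor=3):
    """Check queue_minfree >= factor * message_size_limit (factor is assumed)."""
    params = parse_main_cf(text)
    size = int(expand("message_size_limit", params))
    minfree = int(expand("queue_minfree", params))
    return {"message_size_limit": size, "queue_minfree": minfree,
            "needed": factor * size, "ok": minfree >= factor * size}

if __name__ == "__main__":
    print(audit_queue_minfree(SAMPLE_MAIN_CF))
```

With the sample input the audit fails: the floor is one message (20480000 bytes) where 61440000 would be needed, so a single large message in transit can push the queue file system below the floor.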
<a name="count"><h2> Object count limits</h2> </a>
Once the sizes of memory objects have been limited, the next step
to implement Postfix's finite memory budget is to limit the number
of in-memory object instances.
<dl>
<dt> <b>qmgr_message_recipient_limit</b> (default: 10000)
<dd> An upper bound on the number of <a href="qmgr.8.html">queue
manager</a> in-memory recipient address data structures. This
parameter also controls the number of instances of other in-memory
data structures. See, for example, the <a
href="rate.html#backoff">delivery rate control</a> documentation.
<p>
<dt> <b>qmgr_message_active_limit</b> (default: 1000)
<dd> An upper limit on the number of messages in the <b>active</b>
queue. For an introduction to the Postfix queue organization see
the <a href="queuing.html">Postfix overview</a> documentation.
<p>
<dt> <b>duplicate_filter_limit</b> (default: 1000)
<dd> How many recipient addresses the <a href="local.8.html">local
delivery</a> agent and <a href="cleanup.8.html">address cleanup</a>
daemon remember when delivering a message. A recipient address is
ignored when it is found in the remembered list.
</dl>
<a name="time"><h2> Time limits</h2> </a>
External commands are given a finite time for completion. Such
commands are run by the <a href="local.8.html">local</a> delivery
agent when it finds a "|<i>command</i>" destination in an <a
href="aliases.5.html">alias</a> database, <a
href="aliases.5.html">:include:</a> file or <a
href="aliases.5.html">.forward</a> file. The <a
href="pipe.8.html">pipe</a> mailer implements an alternative way
to pipe mail into external commands.
<dl>
<dt> <b>command_time_limit</b> (default: 1000 seconds)
<dd> How long the <a href="local.8.html">local</a> delivery agent
will wait before aborting an external command.
<p>
<dt> <i>service_name</i><b>_time_limit</b> (default:
<b>$command_time_limit</b>)
<dd> The time limit for delivery to external commands via the
<b>pipe</b> mailer. For <i>service_name</i>, substitute the service
name (the first field in the <b>master.cf</b> file).
</dl>
<a name="lock"><h2> Acquiring exclusive file locks</h2> </a>
Internally, the Postfix programs cooperate in a very disciplined
manner and rarely need to fight for exclusive file access. However,
access conflicts may happen on the outside, for example, when mail
has to be delivered while a user is accessing her mailbox. Postfix
supports two types of file locks:
<ul>
<li>Internal locks, implemented with the <b>fcntl()</b> or
<b>flock()</b> system primitives.
<p>
<li>External locks, implemented as files named <i>file</i><b>.lock</b>.
</ul>
Depending on the host system, Postfix uses one method or both.
The following configuration parameters control how Postfix deals
with file locks:
<dl>
<dt> <b>deliver_lock_attempts</b> (default: 5)
<dd> The number of times to try locking a file before giving up.
<p>
<dt> <b>deliver_lock_delay</b> (default: 1 second)
<dd> How long to wait between attempts to lock a file.
<p>
<dt> <b>stale_lock_time</b> (default: 500)
<dd> How old an external lock file may be before it is forcibly
removed.
</dl>
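<p>
How the three lock parameters interact for an external <i>file</i><b>.lock</b> lock is sketched below in Python. This is an added illustration, not Postfix source code: the function names are hypothetical, and <b>stale_lock_time</b> is treated as seconds, which is an assumption since the page lists no unit.

```python
import os
import time

def acquire_dotlock(path, attempts=5, delay=1.0, stale_time=500):
    """Create path + '.lock' exclusively.

    attempts   ~ deliver_lock_attempts
    delay      ~ deliver_lock_delay (seconds)
    stale_time ~ stale_lock_time (assumed to be seconds)
    Returns True on success, False once all attempts are used up.
    """
    lock = path + ".lock"
    for attempt in range(attempts):
        try:
            # O_EXCL makes creation fail if the lock file already exists.
            fd = os.open(lock, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            os.close(fd)
            return True
        except FileExistsError:
            pass
        try:
            age = time.time() - os.stat(lock).st_mtime
        except FileNotFoundError:
            continue  # holder released the lock in the meantime; retry now
        if age > stale_time:
            # Forcible removal is racy: two waiters can both judge the same
            # lock stale, and the second may delete the first one's new lock.
            try:
                os.unlink(lock)
            except FileNotFoundError:
                pass
            continue  # retry immediately; this consumed one attempt
        if attempt + 1 < attempts:
            time.sleep(delay)
    return False

def release_dotlock(path):
    """Remove the external lock created by acquire_dotlock()."""
    os.unlink(path + ".lock")
```

A small <b>stale_lock_time</b> widens the race noted in the comment, because a slow but live lock holder is more likely to be judged stale.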
<a name="fan"><h2> Error recovery</h2> </a>
Under conditions of severe stress, available system resources may
be insufficient to accommodate Postfix's needs. The world may also
seem to fall apart when a Postfix configuration file is broken, or
when a Postfix program is defective.
<p>
The general approach taken in the face of disaster is to terminate
with a fatal run-time error (or with a panic in case of software
problems), and to try again after some time (the <a
href="master.8.html">master</a> daemon will restart processes after
some delay). Each failed attempt is logged; hopefully, someone will
notice the problem and fix it.
<p>
Some recovery strategies were implemented very early during Postfix
development, and haven't been made configurable yet. What follows
is the beginning of a growing list of recovery control parameters:
<dl>
<dt> <b>fork_attempts</b> (default: 5 times)
<dd> The number of times to attempt to create a new process before
giving up.
<p>
<dt> <b>fork_delay</b> (default: 1 second)
<dd> The delay between attempts to create a new process.
<p>
<dt> <b>transport_retry_time</b> (default: 60 seconds)
<dd> The amount of time between queue manager attempts to contact
an apparently defunct Postfix delivery service.
</dl>
</body>
</html>