The Postfix system is designed to run within a finite memory budget.
To this end, there are configurable limits on the size of
in-memory objects such as text line fragments, on the number of
instances of such objects, and on the time an operation
may take. In addition, strategies are in place for dealing with
resource exhaustion. The idea is to keep running under conditions
of stress, without making the problem worse.
The first step towards a fixed memory resource budget is to limit
the size of each in-memory object. Once the size of in-memory
objects is limited, total memory consumption is limited by limiting
the number of object instances. Simple, no?
line_length_limit (default: 2048 bytes)
How long a line of text can be before it is broken up into
pieces. All Postfix perimeter programs (SMTP
server, SMTP client, local pickup and local
delivery) enforce this line length limit when reading data from
an untrusted source. Long lines are reconstructed upon delivery.
header_size_limit (default: 102400 bytes)
How much text may be carried in a multi-line message header.
Header text that does not fit in $header_size_limit bytes
overflows into the message body. This limit is enforced by the cleanup header rewriting code.
A separate parameter limits how many recipients Postfix will extract
from message headers before it gives up. This limits the damage that
a run-away program can do with "sendmail -t".
The following parameters restrict the use of file system storage:
message_size_limit (default: 10240000 bytes)
The maximal size of a Postfix queue file, including envelope
information (sender, recipient, etc.).
queue_minfree (default: no restriction)
How many bytes of free space are needed in the queue file
system. The SMTP server declines inbound
mail delivery requests when there is insufficient space (the mail
will be accepted once enough space becomes available). There is
no default limit; however, it seems like a good idea to require at
least several times $message_size_limit so that the mail
system won't get stuck on a single large message.
bounce_size_limit (default: 50000 bytes)
How much of an undelivered message is sent back to the sender.
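Added example, not part of the Postfix distribution: a small checker that reads main.cf syntax (or the output of "postconf -n") and applies the relationships this section describes between message_size_limit, header_size_limit, bounce_size_limit and queue_minfree, together with the space actually free in the queue file system. The 3x factor used to make "several times $message_size_limit" concrete, the DEFAULTS table, SAMPLE_MAIN_CF and the warning texts are this example's choices.

```python
# Added example, not part of Postfix (see lead-in).
import os

DEFAULTS = {                       # this example's table of the page's defaults
    "message_size_limit": "10240000",
    "header_size_limit": "102400",
    "bounce_size_limit": "50000",
    "queue_minfree": "0",          # 0: no restriction
}
MINFREE_FACTOR = 3                 # this example's reading of "several times"

# Constructed sample main.cf; not a real site's configuration.
SAMPLE_MAIN_CF = """\
# sizes may carry postconf-style k/m/g suffixes
message_size_limit = 20m
bounce_size_limit = 50000
queue_minfree = 30000000
header_size_limit = 102400
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
"""


def parse_main_cf(text):
    """Return {name: value} from main.cf text (also accepts "postconf -n" output)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[:1] in (" ", "\t") and current:      # continuation of the previous value
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def as_bytes(value):
    """Accept 10240000, 512k, 20m or 1g, as postconf does for size parameters."""
    value = str(value).strip().lower()
    for suffix, mult in (("k", 1024), ("m", 1024 ** 2), ("g", 1024 ** 3)):
        if value.endswith(suffix):
            return int(value[:-1]) * mult
    return int(value)


def check_size_limits(params, free_bytes=None):
    """Return warnings about the size and free-space limits in params.

    free_bytes, if given, is the space currently free in the queue file
    system; it lets the check say whether the SMTP server would refuse
    inbound mail right now.
    """
    cfg = {k: as_bytes(params.get(k, v)) for k, v in DEFAULTS.items()}
    msg, hdr, bnc, minfree = (cfg["message_size_limit"], cfg["header_size_limit"],
                              cfg["bounce_size_limit"], cfg["queue_minfree"])
    warnings = []
    if hdr >= msg:
        warnings.append("header_size_limit is not below message_size_limit; it cannot take effect "
                        "on any message that passes message_size_limit")
    if bnc > msg:
        warnings.append("bounce_size_limit exceeds message_size_limit; no bounce can be that large")
    if minfree == 0:
        warnings.append("queue_minfree is unset: inbound mail is accepted until the queue file system is full")
    elif minfree < MINFREE_FACTOR * msg:
        warnings.append("queue_minfree (%d) is below %dx message_size_limit (%d); one large message can wedge the queue"
                        % (minfree, MINFREE_FACTOR, MINFREE_FACTOR * msg))
    if free_bytes is not None and free_bytes < minfree:
        warnings.append("only %d bytes free, below queue_minfree: the SMTP server would refuse mail now" % free_bytes)
    return warnings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAIN_CF
    free = None
    if len(sys.argv) > 2:                             # optional queue directory, e.g. /var/spool/postfix
        st = os.statvfs(sys.argv[2])
        free = st.f_bavail * st.f_frsize
    for line in check_size_limits(parse_main_cf(text), free) or ["no problems found"]:
        print(line)
```

On a live system, save "postconf -n" output to a file and pass it as the first argument and the queue directory as the second; the free-space warning then reflects what the SMTP server would do at that moment, while the other warnings are static properties of the configuration.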
Once the sizes of memory objects have been limited, the next step
to implement Postfix's finite memory budget is to limit the number
of in-memory object instances.
qmgr_message_recipient_limit (default: 10000)
An upper bound on the number of queue
manager in-memory recipient address data structures. This
parameter also controls the number of instances of other in-memory
data structures. See, for example, the delivery rate control documentation.
qmgr_message_active_limit (default: 1000)
An upper limit on the number of messages in the active
queue. For an introduction to the Postfix queue organization see
the Postfix overview documentation.
duplicate_filter_limit (default: 1000)
How many recipient addresses the local
delivery agent and address cleanup
daemon remember when delivering a message. A recipient address is
ignored when it is found in the remembered list.
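An added example (not the Postfix been_here code behind duplicate_filter_limit): a duplicate filter that remembers at most a fixed number of addresses, used while expanding a constructed aliases table. Lower-casing addresses before comparison, continuing to deliver but no longer remembering once the table is full, the ALIASES table and the max_depth safety net in expand() are this example's decisions.

```python
# Added example, not the Postfix been_here code (see lead-in).
class BoundedDuplicateFilter:
    """Remembers at most `limit` addresses; never grows beyond that."""

    def __init__(self, limit=1000):
        self.limit = limit
        self.seen = set()
        self.dropped_from_memory = 0    # addresses delivered but not remembered

    @staticmethod
    def normalize(addr):
        return addr.strip().lower()     # this example's notion of "same address"

    def seen_before(self, addr):
        """True if addr is in the remembered list (caller skips delivery).

        Otherwise the address is recorded and False is returned.  Once the
        table is full, new addresses are still delivered but not recorded:
        a later duplicate may then slip through, but memory stays bounded.
        """
        key = self.normalize(addr)
        if key in self.seen:
            return True
        if len(self.seen) < self.limit:
            self.seen.add(key)
        else:
            self.dropped_from_memory += 1
        return False


def deliver_once(recipients, limit=1000):
    """Return the recipients that would actually be delivered to."""
    filt = BoundedDuplicateFilter(limit)
    return [r for r in recipients if not filt.seen_before(r)]


# Constructed aliases(5)-style table with a deliberate loop (all -> staff -> all).
ALIASES = {
    "all": ["staff", "bob"],
    "staff": ["alice", "all", "bob"],
}


def expand(addr, aliases, filt, depth=0, max_depth=100):
    """Expand addr through aliases, delivering to each final mailbox once.

    The duplicate filter breaks the loop and suppresses the second "bob";
    max_depth is a safety net for the case where the filter is full and
    has stopped remembering.
    """
    if depth > max_depth:
        raise RuntimeError("alias nesting too deep at " + addr)
    if filt.seen_before(addr):
        return []
    if addr not in aliases:
        return [addr]
    out = []
    for target in aliases[addr]:
        out.extend(expand(target, aliases, filt, depth + 1, max_depth))
    return out


if __name__ == "__main__":
    print(deliver_once(["a@example.com", "A@Example.com", "b@example.com"]))
    print(expand("all", ALIASES, BoundedDuplicateFilter()))
```

Calling expand("all", ALIASES, BoundedDuplicateFilter(limit=0)) shows the trade-off: with nothing remembered, the loop in ALIASES is caught only by the depth cap, which is why a bounded filter and a hard recursion limit belong together.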
External commands are given a finite time for completion. Such
commands are run by the local delivery
agent when it finds a "|command" destination in an alias database, :include: file or .forward file. The pipe mailer implements an alternative way
to pipe mail into external commands.
command_time_limit (default: 1000 seconds)
How long the local delivery agent
will wait before aborting an external command.
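As an added example (not the local(8) or pipe(8) implementation), here is one way to run a "|command" destination under a wall-clock budget: the command runs in its own process group so that it and any children can be killed together, a timeout is treated as a temporary failure, and exit status 75 (EX_TEMPFAIL from sysexits.h) is likewise deferred. The status names, the "/bin/sh -c" invocation, the constructed sample message, and the omission of the privilege drop that the real delivery agent performs are this example's choices.

```python
# Added example, not the local(8)/pipe(8) implementation (see lead-in).
import os
import signal
import subprocess

EX_TEMPFAIL = 75     # sysexits.h: temporary failure, the sender should retry later


def run_with_time_limit(command, message, command_time_limit=1000):
    """Run a "|command" destination with `message` on stdin under a wall-clock limit.

    Returns (status, detail) with status one of 'delivered', 'deferred' or
    'bounced'.  A timeout or EX_TEMPFAIL exit is 'deferred' (try again
    later); any other non-zero exit is 'bounced'.
    """
    proc = subprocess.Popen(
        ["/bin/sh", "-c", command],
        stdin=subprocess.PIPE, stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
        start_new_session=True,   # own process group, so children die with it (POSIX only)
    )
    try:
        _, err = proc.communicate(message, timeout=command_time_limit)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)   # the whole group, not only the shell
        proc.communicate()                    # reap it and drain the pipes
        return "deferred", "command time limit of %ss exceeded" % command_time_limit
    if proc.returncode == 0:
        return "delivered", ""
    detail = err.decode(errors="replace").strip() or "exit status %d" % proc.returncode
    if proc.returncode == EX_TEMPFAIL:
        return "deferred", detail
    return "bounced", detail


if __name__ == "__main__":
    # Constructed sample message, not real mail.
    sample = b"From: a@example.com\r\n\r\nconstructed sample message\r\n"
    for cmd, limit in (("cat >/dev/null", 5), ("exit 75", 5), ("sleep 30", 1)):
        print(cmd, "->", run_with_time_limit(cmd, sample, limit))
```

Killing the process group rather than the shell alone matters in practice: a "|command" that forks a helper which keeps the pipe open would otherwise outlive the timeout and keep the delivery agent waiting on the pipes.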
Internally, the Postfix programs cooperate in a very disciplined
manner and rarely need to fight for exclusive file access. However,
access conflicts may happen on the outside, for example, when mail
has to be delivered while a user is accessing her mailbox. Postfix
supports two types of file locks:
Internal locks, implemented with the fcntl() or
flock() system primitives.
External locks, implemented as files named file.lock.
Depending on the host system, Postfix uses one method or both.
The following configuration parameters control how Postfix deals
with file locks:
deliver_lock_attempts (default: 5)
The number of times to try locking a file before giving up.
deliver_lock_delay (default: 1 second)
How long to wait between attempts to lock a file.
stale_lock_time (default: 500)
How old an external lock file may be before it is forcibly
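Added example, not Postfix's own locking code: both lock kinds with deliver_lock_attempts/deliver_lock_delay retries, and an external file.lock that is removed once it is older than stale_lock_time seconds. The example uses flock() for the internal lock (Postfix may use fcntl() instead, depending on the system); treating a stale lock file as removable, the LockFailed exception, the retry() helper, and the demo() routine with the scratch mailbox it creates are this example's own conventions.

```python
# Added example, not Postfix's own locking code (see lead-in).
import errno
import fcntl
import os
import time


class LockFailed(Exception):
    pass


def retry(attempts, delay, try_once):
    """Call try_once() up to `attempts` times, sleeping `delay` seconds between tries."""
    for n in range(attempts):
        if try_once():
            return True
        if n + 1 < attempts:
            time.sleep(delay)
    return False


def internal_lock(fd, deliver_lock_attempts=5, deliver_lock_delay=1):
    """Exclusive flock() on fd, or LockFailed after the configured attempts."""
    def try_once():
        try:
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
            return True
        except OSError as e:
            if e.errno in (errno.EAGAIN, errno.EWOULDBLOCK):
                return False           # someone else holds it; try again later
            raise
    if not retry(deliver_lock_attempts, deliver_lock_delay, try_once):
        raise LockFailed("flock: still busy after %d attempts" % deliver_lock_attempts)


def external_lock(path, deliver_lock_attempts=5, deliver_lock_delay=1, stale_lock_time=500):
    """Create path + '.lock' with O_EXCL (atomic on a local file system).

    A lock file older than stale_lock_time seconds is assumed to belong to a
    process that died without cleaning up and is removed; the next attempt
    then competes for a fresh one.  Returns the lock file name.
    """
    lockfile = path + ".lock"

    def try_once():
        try:
            fd = os.open(lockfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            try:
                age = time.time() - os.stat(lockfile).st_mtime
            except FileNotFoundError:
                return False           # released between our two calls; retry
            if age > stale_lock_time:
                try:
                    os.unlink(lockfile)
                except FileNotFoundError:
                    pass
            return False
        os.write(fd, b"%d\n" % os.getpid())   # record the holder for debugging
        os.close(fd)
        return True

    if not retry(deliver_lock_attempts, deliver_lock_delay, try_once):
        raise LockFailed("%s: still present after %d attempts" % (lockfile, deliver_lock_attempts))
    return lockfile


def external_unlock(lockfile):
    os.unlink(lockfile)


def demo(directory=None):
    """Exercise both lock kinds on a scratch mailbox and report what happened."""
    import tempfile
    directory = directory or tempfile.mkdtemp(prefix="lockdemo-")
    mbox = os.path.join(directory, "mailbox")
    open(mbox, "ab").close()
    result = {}
    fd1 = os.open(mbox, os.O_RDWR)
    fd2 = os.open(mbox, os.O_RDWR)     # separate open file description: flock() sees a competitor
    internal_lock(fd1)
    try:
        internal_lock(fd2, deliver_lock_attempts=2, deliver_lock_delay=0.01)
        result["second_flock"] = "acquired"
    except LockFailed:
        result["second_flock"] = "busy"
    fcntl.flock(fd1, fcntl.LOCK_UN)
    internal_lock(fd2, deliver_lock_attempts=1)
    result["after_unlock"] = "acquired"
    os.close(fd1)
    os.close(fd2)
    stale = mbox + ".lock"             # left behind by a holder that died 1000 s ago
    open(stale, "w").close()
    past = time.time() - 1000
    os.utime(stale, (past, past))
    lockfile = external_lock(mbox, deliver_lock_attempts=3, deliver_lock_delay=0.01)
    result["stale_lock_replaced"] = int(open(lockfile).read()) == os.getpid()
    try:
        external_lock(mbox, deliver_lock_attempts=2, deliver_lock_delay=0.01)
        result["second_dotlock"] = "acquired"
    except LockFailed:
        result["second_dotlock"] = "busy"
    external_unlock(lockfile)
    return result


if __name__ == "__main__":
    print(demo())
```

The O_EXCL create is what makes the external lock safe against two delivery agents racing for the same mailbox: even if both decide the old file.lock is stale and both unlink it, only one create can succeed. The stale-lock age test uses the file's mtime, so a process that holds a dotlock for longer than stale_lock_time without touching it can lose it to a competitor, which is the reason the default is as generous as it is.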
Under conditions of severe stress, available system resources may
be insufficient to accommodate Postfix's needs. The world may also
seem to fall apart when a Postfix configuration file is broken, or
when a Postfix program is defective.
The general approach taken in the face of disaster is to terminate
with a fatal run-time error (or with a panic in case of software
problems), and to try again after some time (the master daemon will restart processes after
some delay). Each failed attempt is logged; hopefully, someone will
notice the problem and fix it.
Some recovery strategies were implemented very early during Postfix
development, and haven't been made configurable yet. What follows
is the beginning of a growing list of recovery control parameters:
fork_attempts (default: 5 times)
The number of times to attempt to create a new process before
fork_delay (default: 1 second)
The delay between attempts to create a new process.
transport_retry_time (default: 60 seconds)
The amount of time between queue manager attempts to contact
an apparently defunct Postfix delivery service.