-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication optimization in dovecot #6175
Comments
Is there are any issues with performance from anyone been reported? Adding cache just to optimize what doesn't have an issue, not always best choice, it can lead to negative results, especially with such stuff as auth that are critical. I would recommend to not overoptimize that not face issues. Also to remind: we use custom lua for auth. |
I ran tests on the nightly branch because I believe it could provide significant benefits. import smtplib
import imaplib
import ssl
from concurrent.futures import ThreadPoolExecutor
import time
# Configuration
SMTP_SERVER = ''
SMTP_PORT = 587
IMAP_SERVER = ''
IMAP_PORT = 993
USERNAME = ''
PASSWORD = ''
NUM_REQUESTS = 2000 # Total number of login attempts
NUM_THREADS = 70 # Number of concurrent threads
def smtp_login():
try:
context = ssl._create_unverified_context() # Disable SSL verification
with smtplib.SMTP(SMTP_SERVER, SMTP_PORT, timeout=10) as server:
server.ehlo()
server.starttls(context=context)
server.ehlo()
server.login(USERNAME, PASSWORD)
except Exception as e:
print(f"SMTP login failed: {e}")
def imap_login():
try:
with imaplib.IMAP4_SSL(IMAP_SERVER, IMAP_PORT) as imap_server:
imap_server.login(USERNAME, PASSWORD)
except Exception as e:
print(f"IMAP login failed: {e}")
def simulate_load():
start_time = time.time()
print("Starting to create load")
with ThreadPoolExecutor(max_workers=NUM_THREADS) as executor:
# Perform half SMTP and half IMAP logins simultaneously
futures = [executor.submit(smtp_login if i % 2 == 0 else imap_login) for i in range(NUM_REQUESTS)]
# Wait for all futures to complete
for future in futures:
future.result()
print(f"Completed {NUM_REQUESTS} login attempts in {time.time() - start_time:.2f} seconds")
if __name__ == '__main__':
simulate_load() Each login triggers an HTTP request to a PHP script, which can be observed in the PHP-FPM container logs.
The result:
without caching:
|
well with tests, it's looks more good :) |
That's what this issue is for: Evaluating the benefits. And I think especially big setups can profit a lot from this. I think also tools like ticketing systems, watching for new emails via IMAP, can benefit due to frequent email pulls.
That sounds great. I think extending cache size and TTL probably won't do much as part of a small-scale test with only very few/single user(s)? |
I would be happy to test this in a "big" setup if someone provides some kind of metrics I can graph? |
I'm not sure if this can be tracked? Potentially it's just visible for users/automation and its speed to login. Looking more through the dovecot documentation, there is also a docs page for login-processes optimization here. (We surely should stick with the "high-security mode"-approach) In the current setup, we do use: mailcow-dockerized/data/conf/dovecot/dovecot.conf Lines 126 to 153 in bd9f4ba
The docs state:
I do find the current value of But that aside: What the most interesting bit on the doc is...
We currently do not utilize What you think, @FreddleSpl0it? Would you mind repeating your tests on the same setup with above? (To have comparable results to your previous ones) |
Noteworthy, that the tool "only" opens 1000 IMAP connections (splits 2000 50/50 to IMAP and SMTP) which benefit from the changes) while SMTP does not. So with 2000 IMAP connections it might benefit even more. I'd also be curious if setting The final configuration I'd suggest:
|
Postfix uses sasl auth against Dovecot, so Postfix will also profit from that.
|
Well, i ran into some issues. i think we need to use https://doc.dovecot.org/2.3/configuration_manual/authentication/caching/#cache-keys so imap, sogo sso and app passwords will work at the same time. |
ok, setting
|
Oh, I see. Very well spotted, @FreddleSpl0it! That could explain weird login issues I occurred sometimes when testing recently. I'm now running:
But at this point, I'm not sure if setting |
Summary
It might be useful and beneficial to enable below
auth_cache_*
settings. These are suggested as part of the Performance tuning guide in dovecot's documentation.I think following might be beneficial:
https://doc.dovecot.org/2.3/settings/core/#core_setting-auth_cache_verify_password_with_worker
My comment: I'm not sure if the SQL-powered database login, as in mailcow, can/will take advantage. But I suppose it can't hurt and there are still some hashes calculated nonetheless.
https://doc.dovecot.org/2.3/settings/core/#core_setting-auth_cache_size
My comment: In mailcow the
auth_cache_size
is completely disabled. To maybe save some resources for fast and periodic logins as well as don't hit MySQL every time, we could enable the authentication cache. (Might be very beneficial for services periodically pulling for emails, such as GitLab, ticket systems, etc.)The chance of accounts being disabled and still being able to log-in for some time is - I think - worth the overall benefit. We could use 15 minutes as the default and change/mention the docs accordingly.
Motivation
Save resources, speed up authentication.
Additional context
No response
The text was updated successfully, but these errors were encountered: