My users are having problems with their IMAP mailboxes. The IMAP processes are hanging and timing out. When they time out, the users might see an empty email box.

But the real problem appears to be the communication between slapd and famd.

Some background:

System:

  • Debian Lenny
  • courier-imap 4.4.0-2
  • fam 2.7.0-13.3
  • slapd 2.4.11-1

nsswitch.conf contains:

  passwd: files ldap
  group:  files ldap
  shadow: files ldap

courier's imap configuration file contains "IDLE" in the capabilities but removing it (and fiddling with IMAP_ENHANCEDIDLE) does nothing. From reading up, I would have thought that this would have stopped courier imap from using fam, but I guess not.

stracing the imap process (when it hangs) shows it hanging on communication with fam. So I restarted fam (which fixed the problem for a few hours) and continued troubleshooting to find the root of the problem.

Since the program was still hanging, I kept looking.

stracing famd showed it was hanging on communication with slapd. Kicking slapd solved the problem for a bit. slapd was responsive to other queries, but did become slower over time.

The strangest thing is these problems just started popping up. And the only packages that I've upgraded that I think might be relevant are the following:

  base-files 5lenny4
  libmysqlclient15off 5.0.51a-24+lenny2
  libssl0.9.8 0.9.8g-15+lenny3
  openssl 0.9.8g-15+lenny3
  tzdata 2009l-0lenny1
  udev 0.125-7+lenny3

It appears (without me confirming this yet) that the connection between famd and slapd is a long-lived one (via nscd).

Oops, writing this I just realized nscd is another piece I haven't tested. Guess I'll look into that.

EDIT: Just confirmed that kicking nscd solves the problem, too.

hexmode

1 Answer

Do not use system users for this purpose. Use "virtual" instead when all files are owned by one user and let courier directly access the ldap server.

The nss-ldap libraries are not that reliable.

One more thing: consider using dovecot instead of courier. It is like courier, just better.

cstamas
  • I am not hosting a large number of accounts this way. If I were, this might be an issue. I should have thought to try another IMAP server, though. Thanks. – hexmode Sep 11 '09 at 19:34
  • In the end, the most helpful thing you said was "The nss-ldap libraries are not that reliable." A quick scan of the Debian packages turned up nss-ldapd (http://arthurdejong.org/nss-pam-ldapd/) which is designed to be more reliable and less resource-heavy than the PADL libnss-ldap library. Probably the most important difference is that the nss-ldapd libraries have a daemon running that acts as a proxy for all the LDAP queries. This reduces the number of hits on the LDAP server dramatically and seems to have solved my problem for now. – hexmode Sep 12 '09 at 13:20
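An added example, not part of the original posts: a small probe that times account lookups through NSS, the path (`files ldap` via nscd to slapd) that stalled in the question, so a slowdown can be noticed before IMAP sessions start hanging. The account names, the 5-second timeout and the 1-second "slow" threshold are assumptions chosen for illustration.

```python
import subprocess
import sys
import time

# Child snippet: resolve one account through NSS (files, then ldap, per nsswitch.conf).
LOOKUP = "import pwd, sys; pwd.getpwnam(sys.argv[1])"


def probe(snippet, arg, timeout=5.0, slow_after=1.0):
    """Run `snippet` in a child interpreter and classify how long it took.

    A blocked getpwnam() sits inside libc and cannot be interrupted from
    Python, so the lookup runs in a separate process that can be killed.
    """
    start = time.monotonic()
    try:
        result = subprocess.run(
            [sys.executable, "-c", snippet, arg],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,  # child is killed when this expires
        )
    except subprocess.TimeoutExpired:
        return "hung", timeout
    elapsed = time.monotonic() - start
    if result.returncode != 0:
        # Typically KeyError: the name did not resolve in any NSS source.
        return "error", elapsed
    return ("slow" if elapsed > slow_after else "ok"), elapsed


def check_accounts(accounts, **limits):
    """Probe each account name; return {name: (status, seconds)}."""
    return {name: probe(LOOKUP, name, **limits) for name in accounts}


if __name__ == "__main__":
    # Constructed account names: one local, one assumed to live only in LDAP.
    for name, (status, secs) in check_accounts(["root", "ldapuser1"]).items():
        print(f"{name:12} {status:8} {secs:.2f}s")
```

Entries that nscd still holds in its cache are answered without touching slapd, so probe an LDAP-only account that is not looked up often, and compare its timing against a local account such as `root`.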