saslauthd memory leak > fix

Discussion in 'Server Operation' started by Djamu, May 19, 2011.

  1. Djamu

    Djamu New Member

    This is an old issue that still isn't resolved on debian & derivates ( others ? )
    maybe someone should include it in the howtos.

    issue:
    saslauthd's memory usage starts to climb handling invalid authentication requests, eventually eating all your server memory ( & swap ).
    this is in fact a very serious issue, as it facilitates (D)DOS attacks by someone sending lots of crap auth. requests until the OOM process killer kicks in.


    there's an easy workaround by changing /etc/default/saslauthd
    Code:
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
    
    to
    Code:
    OPTIONS="-n 0 -c -m /var/spool/postfix/var/run/saslauthd -r"
    
    adding "-n 0" effectively prevents the saslauthd daemon from using thread processes by using forks instead.
    ( on 1 of my servers it used up 8GB and 16GB swap.... which was freed up instantaneously upon changing the config and invoking /etc/init.d/saslauthd restart )

    if anybody has a better solution.. feel free to post



    my 5 cents
     
    Last edited: May 19, 2011
  2. falcon7700

    falcon7700 HowtoForge Supporter

    (bump) Still a problem on Debian Squeeze

    Recently ran into this problem on a "Prefect Server" built on Squeeze.

    So, thanks again for the solution ;-)
     
  3. Sir Henry

    Sir Henry Member

    Thank you, this is indeed still a problem with the current version on Debian Squeeze. Look at the yearly memory graph, it is very interesting. The server stalled when the committed memory exceeded the available physical RAM (8GB) plus swap (2GB). This leak went unnoticed (*blush*) for one year to crash at last.

    I found the culprit by adding another graph showing memory usage by process. Problem now solved with the no-thread option.
     

    Attached Files:

    Last edited: Sep 9, 2014
  4. webguyz

    webguyz HowtoForge Supporter

    Hmm. I don't have a /etc/default/saslauthd file, but I am using ISPConfig aand Postfix and I do see sasl auths going on in my mail.log so I mus be using it.

    Is there an alternate location it might be in?

    Thanks!
     
  5. till

    till Super Moderator

    If you use dovecot, then postfix is authenticating against dovecot and not saslauthd. saslauthd is used on courier setups.
     
  6. Sir Henry

    Sir Henry Member

    Depending on your distribution this could also be in /etc/saslauthd.conf.
     
: saslauthd

Share This Page