[Dovecot] Throttling Logins

Timo Sirainen tss at iki.fi
Wed Mar 21 20:22:59 EET 2007


On Mon, 2007-03-19 at 19:46 -0700, Sean Kamath wrote:
> 
> Earlier today I was hit with 612 login attempts in 7 minutes.  They  
> ramped up slowly, too. :-)
> 
> They quickly hit the file descriptor limit.  And then a login server  
> spawned and died so quickly that dovecot just died.
> 
> My question is, is there a way to throttle the number of login  
> connections?  I'm doing it in my firewall now, but it would be nice  
> to be able to say something like "max-login-attempts: X" before we  
> blacklist the IP (for some configurable time).

I think it's just simpler to configure your system to handle such
load. :) Give Dovecot enough file descriptors, or reduce the number of
allowed login processes / connections. See
http://wiki.dovecot.org/LoginProcess

Or are you using PAM? That could also be the problem since it forks new
processes, and authentication cache doesn't work very well with it
either.

http://dovecot.org/tools/imaptest.c is a nice tool to try stress testing
logins. Use it something like: imaptest user=dummy password=something
clients=100 - select=0

Some people want to limit number of connections coming to one user, so
this kind of blacklisting feature could be implemented at the same time.
Maybe for v2.0 or something..
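The behaviour asked for in the quoted question ("max-login-attempts: X" before blacklisting the IP for a configurable time) can be sketched as a per-IP sliding-window counter with a temporary ban. This is an added example, not part of the original message and not Dovecot code; the class, its parameter names and the 192.0.2.10 address are hypothetical.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-IP sliding-window limit with a temporary blacklist (hypothetical names)."""

    def __init__(self, max_attempts=10, window=60.0, ban_time=600.0):
        self.max_attempts = max_attempts  # the "X" in "max-login-attempts: X"
        self.window = window              # seconds over which attempts are counted
        self.ban_time = ban_time          # seconds an offending IP stays blacklisted
        self._attempts = defaultdict(deque)  # ip -> timestamps of recent attempts
        self._banned_until = {}              # ip -> time the blacklist entry expires

    def allow(self, ip, now):
        """Record a login attempt from ip at time now; return True to accept it."""
        expiry = self._banned_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False              # still blacklisted: refuse before any auth work
            del self._banned_until[ip]    # ban expired, start with a clean slate
        recent = self._attempts[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()              # drop attempts that fell out of the window
        if len(recent) >= self.max_attempts:
            self._banned_until[ip] = now + self.ban_time
            del self._attempts[ip]        # banned IPs keep no attempt history
            return False
        recent.append(now)
        return True


def simulate(attempts, seconds, throttle, ip="192.0.2.10"):
    """Spread `attempts` evenly over `seconds` from one constructed IP; count accepted."""
    step = seconds / attempts
    return sum(throttle.allow(ip, i * step) for i in range(attempts))


if __name__ == "__main__":
    # Constructed replay of the burst from the thread: 612 attempts in 7 minutes.
    accepted = simulate(612, 7 * 60, LoginThrottle(max_attempts=10, window=60, ban_time=600))
    print(f"accepted {accepted} of 612 attempts")
```

Refused attempts are rejected before any authentication work is done, so a burst like the one described costs one dictionary lookup per connection instead of a login process or PAM fork.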