[Dovecot] max connects per host?

Alex subscriber at viliar.net.ru
Tue Mar 18 19:34:14 EET 2008


Johannes Berg wrote:
> On Mon, 2008-03-17 at 17:45 +0200, Timo Sirainen wrote:
>
>   
>>> I know about
>>> mail_max_userip_connections in dovecot 1.1
>>>       
>> It should be pretty easy to patch this code to ignore the user and just
>> limit IPs. You could basically just remove "user" from struct
>> mail_process_group and fix the code to compile. Or even easier:
>>
>> static struct mail_process_group *
>> mail_process_group_lookup(enum process_type type, const char *user,
>> 			  const struct ip_addr *ip)
>> {
>> 	user = ""; // use the same empty user for everyone
>>
>> // ...
>>
>> static struct mail_process_group *
>> mail_process_group_create(enum process_type type, const char *user,
>> 			  const struct ip_addr *ip)
>> {
>> 	struct mail_process_group *group;
>>
>> 	user = ""; // use the same empty user for everyone
>>     
>
> Sounds like
>
>   
>> Probably in future versions.
>>     
>
> could be trivially implemented with a "mail_process_group_lookup_key"
> setting that defaults to %u :)
>
> johannes
>   
Thank you, Timo and Johannes, for the answers! I have used your 
recommendations, and this small patch is really enough:
--- src/master/mail-process.c.orig      2008-03-18 19:55:04.000000000 -0400
+++ src/master/mail-process.c   2008-03-18 19:55:35.000000000 -0400
@@ -75,7 +75,8 @@ mail_process_group_lookup(enum process_t
        struct mail_process_group lookup_group;
 
        lookup_group.process.type = type;
-       lookup_group.user = t_strdup_noconst(user);
+       /*lookup_group.user = t_strdup_noconst(user);*/
+       lookup_group.user = "";
        lookup_group.remote_ip = *ip;
 
        return hash_lookup(mail_process_groups, &lookup_group);
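Review bot: In mail_process_group_lookup() the new assignment lookup_group.user = ""; has no comment saying why the user is ignored, and the old line is left behind commented out. Delete the commented-out line and add a short comment that the empty user is deliberate so that groups are keyed by remote IP only. The removed line went through t_strdup_noconst(), which suggests the field is a non-const char *, so check that pointing it at a string literal does not produce a warning in this build. The user parameter is also unused after this change and should be marked as such or dropped.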
@@ -89,7 +90,8 @@ mail_process_group_create(enum process_t
 
        group = i_new(struct mail_process_group, 1);
        group->process.type = type;
-       group->user = i_strdup(user);
+       /*group->user = i_strdup(user);*/
+       group->user = "";
        group->remote_ip = *ip;
 
        i_array_init(&group->processes, 10);
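Review bot: In mail_process_group_create(), group->user previously owned heap memory from i_strdup(user) and now points at a string literal. The code that destroys a group is not part of this hunk, so check it: if it frees group->user, it will now be handed a literal. Keeping the allocation, as in group->user = i_strdup("");, leaves ownership unchanged and still gives every connection the same empty user. The commented-out original line should be removed here as well.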
--- src/login-common/sasl-server.c.orig 2008-03-19 09:36:56.000000000 -0400
+++ src/login-common/sasl-server.c      2008-03-19 09:37:21.000000000 -0400
@@ -51,7 +51,7 @@ master_callback(struct client *client, e
        case MASTER_LOGIN_STATUS_INTERNAL_ERROR:
                break;
        case MASTER_LOGIN_STATUS_MAX_CONNECTIONS:
-               data = "Maximum number of connections from user+IP 
exceeded";
+               data = "Maximum number of connections from ip exceeded";
                break;
        }
        call_client_callback(client, reply, data, NULL);
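Review bot: The removed line for MASTER_LOGIN_STATUS_MAX_CONNECTIONS is wrapped across two lines by the mail client, so this hunk will not apply as posted; resend it as an attachment or with wrapping disabled. In the new message, write "IP" in capitals to match the old "user+IP" wording. The text is also now hard-coded for the patched behaviour, which is fine for a local patch but would need to follow the setting if the per-IP limit ever becomes configurable.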

And it really works. But as a possible future option, I think it would 
be the wrong way, because this solution limits user _logins_, not 
connections. So, just for example, I could make very many connections to 
the server and exhaust the dovecot connection pool or, if I am missing 
something here, system resources like max_files, max_sockets and so on. 
IMHO, a more correct solution is to limit connections, and to check the 
limit _before_ the login procedure. I understand that this can happen in 
that case also. But why should we waste our resources checking 
login/pass, making redundant queries to mysql/pgsql/sqlite and so on? 
What do you think about that? Comments are very welcome.

Alex
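
The message above asks for the limit to be checked per connection, before login. The following is an added example, not part of the message and not Dovecot code: a minimal per-IP counter that is consulted right after accept(), so a connection over the limit is dropped before any passdb lookup. The names conn_accept_check, conn_closed, MAX_TRACKED and MAX_CONNS_PER_IP, the limit value and the sample address are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 64       /* table size, constructed for this example */
#define MAX_CONNS_PER_IP 3   /* hypothetical per-IP limit */

struct ip_slot {
    char ip[46];             /* textual IPv4/IPv6 address */
    unsigned int conns;      /* open connections, logged in or not */
};
static struct ip_slot slots[MAX_TRACKED];

/* Return the slot in use for ip; if none and create is set, claim a free one. */
static struct ip_slot *slot_get(const char *ip, int create)
{
    struct ip_slot *free_slot = NULL;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (slots[i].conns > 0 && strcmp(slots[i].ip, ip) == 0)
            return &slots[i];
        if (slots[i].conns == 0 && free_slot == NULL)
            free_slot = &slots[i];
    }
    if (create && free_slot != NULL)
        snprintf(free_slot->ip, sizeof(free_slot->ip), "%s", ip);
    return create ? free_slot : NULL;
}

/* Call right after accept(): 1 keeps the connection, 0 drops it before
   any login or passdb work is done. */
int conn_accept_check(const char *ip)
{
    struct ip_slot *s = slot_get(ip, 1);
    if (s == NULL || s->conns >= MAX_CONNS_PER_IP)
        return 0;            /* over the limit, or table full: fail closed */
    s->conns++;
    return 1;
}

/* Call when the socket closes, whether or not the client ever logged in. */
void conn_closed(const char *ip)
{
    struct ip_slot *s = slot_get(ip, 0);
    if (s != NULL)
        s->conns--;
}

int main(void)
{
    for (int i = 1; i <= 5; i++)   /* constructed sample: 5 connects, 1 IP */
        printf("connect %d: %s\n", i,
               conn_accept_check("198.51.100.7") ? "accepted" : "dropped");
    return 0;
}
```

Unlike the patch, which groups mail processes after a successful login, this counter is decremented on every close, so connections that never authenticate still count against the address.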
