[Dovecot] high number of processes
Egbert Jan van den Bussche
egbert at vandenbussche.nl
Tue Jun 14 22:34:52 EEST 2011
Hi,
Sometimes a script kiddie tries to guess passwords on our mailserver
(Ubuntu 10.04.2 LTS, postfix, dovecot 1.2.9, scanners, the standard
stuff). That leads to a nagios message about the high number of
processes. The number goes above 500. Nagios threshold is set to 250,
which is more than enough for normal operation of this server. When are
these processes supposed to die again? They seem to stay at the high
count quite long.
Is there a way to limit the generation of extra login processes? Can I
tune the login_process... params a bit? I have them all on default.
dovecot -n below:
root@mail-dev:/etc/dovecot# dovecot -n
# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-32-server x86_64 Ubuntu 10.04.2 LTS
log_path: /var/log/dovecot/error.log
info_log_path: /var/log/dovecot/info.log
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap pop3 imaps pop3s
listen: *, [::]
ssl_cert_file: /disk/site/etc/ssl/hobby.nl/hobby.nl.crt
ssl_key_file: /disk/site/etc/ssl/hobby.nl/hobby.nl.key
ssl_cipher_list: ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
first_valid_uid: 200
mail_privileged_group: vmail
mail_location: maildir:~/Maildir
mmap_disable: yes
dotlock_use_excl: no
mail_nfs_storage: yes
mail_nfs_index: yes
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap-wrapper.sh
mail_executable(imap): /usr/lib/dovecot/imap-wrapper.sh
mail_executable(pop3): /usr/lib/dovecot/pop3-wrapper.sh
mail_plugins: convert autocreate
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
imap_client_workarounds(default): outlook-idle delay-newmail
imap_client_workarounds(imap): outlook-idle delay-newmail
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
lda:
  postmaster_address: postmaster
  deliver_log_format: msgid=%m: %$
  rejection_subject: Rejected: %s
  rejection_reason: Your message to <%t> was automatically rejected:%n%r
  auth_socket_path: /var/run/dovecot/auth-master
auth default:
  mechanisms: plain login
  realms: kader.hcc.nl hobby.nl
  default_realm: kader.hcc.nl
  cache_size: 1024
  cache_ttl: 10
  passdb:
    driver: pam
    args: failure_show_msg=yes cache_key=%u dovecot
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/dovecot-auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
plugin:
  convert_mail: mbox:/disk/mail/convert/%n
  autocreate: Trash
  autocreate2: Sent
  autocreate3: Drafts
  autocreate4: Spam
  autosubscribe: Trash
  autosubscribe2: Sent
  autosubscribe3: Drafts
  autosubscribe4: Spam
login_process defaults:
#login_user = dovecot
#login_process_size = 64
#login_process_per_connection = yes
#login_processes_count = 3
#login_max_processes_count = 128
#login_max_connections = 256
lsof -n output (part of long list):
dovecot-a 12941 root 17u unix 0xffff88012a457300 0t0 13606994 /var/run/dovecot/login/default
dovecot-a 12941 root 18u unix 0xffff8800272bd800 0t0 13565904 /var/run/dovecot/login/default
dovecot-a 12941 root 19u unix 0xffff8800a68a9800 0t0 13610586 /var/run/dovecot/login/default
TNX for any advice!
Egbert Jan HCC!Hobbynet, NL