[Dovecot] Dovecot failed logins delay all logins

Wed Oct 17 09:44:10 EEST 2012

I think I found a solution to this thanks to a post by Timo here:
http://dovecot.org/list/dovecot/2011-December/062631.html

service anvil { unix_listener anvil-auth-penalty { mode = 0 } }

On 17/10/12 17:11, Dominic Malolepszy wrote:
> Hi all,
>
> I have observed with my Dovecot setup that unique failed logins cause 
> legitimate correct logins to be slowed. I am running two servers, each 
> with two Dovecot instances, a Proxy with Director, and a backend 
> Dovecot. I suspect that the backend instance is throttling
> connections from the same IP, and because I am running a Proxy, the 
> backend will only see either of the two server IPs. I confirmed this 
> by directly connecting to the backend, to bypass the proxy and rule 
> it. I initiated dozens of unique failed logins from one IP and 
> separately attempted to login from the same IP, and experienced an 
> extended delay during login. At the same time a login from a different 
> IP suceeded imediately. I see nothing in the logs suggesting some sort 
> of process limits were exceeded, however I do see the following proc 
> title for the backend auth process:
> "dovecot/auth [7 wait, 0 passdb, 0 userdb]"
>
> I have increased the mail_max_userip_connections to a very large value 
> however I believe that setting is a per username/ip limit. Is there 
> any sort of setting in Dovecot that I can configure that stops this 
> authentication throttling per IP? Below is the configuration of the 
> backend Dovecot instance.
>
>
> # 2.1.9: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-279.5.2.el6.x86_64 x86_64 Red Hat Enterprise Linux 
> Server release 6.3 (Santiago)
> auth_cache_negative_ttl = 3 secs
> auth_cache_size = 100 M
> auth_cache_ttl = 10 mins
> auth_default_realm = example.com
> auth_failure_delay = 5 secs
> auth_mechanisms = plain login
> auth_verbose_passwords = sha1
> auth_worker_max_count = 25
> base_dir = /var/run/dovecot/
> disable_plaintext_auth = no
> first_valid_gid = 12
> first_valid_uid = 8
> last_valid_gid = 12
> last_valid_uid = 8
> login_greeting = Hello there.
> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
> mail_fsync = always
> mail_gid = mail
> mail_location = maildir:%h/Maildir
> mail_nfs_index = yes
> mail_nfs_storage = yes
> mail_plugins = " stats"
> mail_uid = mail
> mmap_disable = yes
> namespace {
>   inbox = yes
>   location = maildir:%h/Maildir
>   prefix = INBOX.
>   separator = .
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf
>   driver = ldap
> }
> protocols = pop3 imap
> service auth {
>   unix_listener auth-userdb {
>     group = mail
>     mode = 0660
>     user = mail
>   }
> }
> service imap-login {
>   inet_listener imap {
>     address = 0.0.0.0
>     port = 9143
>   }
>   process_min_avail = 5
>   service_count = 0
>   vsz_limit = 256 M
> }
> service imap {
>   process_limit = 1000
>   vsz_limit = 256 M
> }
> service pop3-login {
>   inet_listener pop3 {
>     address = 0.0.0.0
>     port = 9110
>   }
>   process_min_avail = 5
>   service_count = 0
>   vsz_limit = 256 M
> }
> service pop3 {
>   process_limit = 1000
>   vsz_limit = 256 M
> }
> service stats {
>   fifo_listener stats-mail {
>     mode = 0600
>     user = mail
>   }
>   inet_listener {
>     address = 127.0.0.1
>     port = 24242
>   }
> }
> ssl = no
> stats_memory_limit = 64 M
> userdb {
>   driver = prefetch
> }
> userdb {
>   args = /etc/dovecot/dovecot-ldap.conf
>   driver = ldap
> }
> verbose_proctitle = yes
> protocol imap {
>   imap_logout_format = bytes_read=%i bytes_send=%o
>   mail_max_userip_connections = 1000
>   mail_plugins = " stats "
> }
> protocol pop3 {
>   mail_max_userip_connections = 1000
> }
>
>
> Dominic