[Dovecot] Dovecot failed logins delay all logins
Dominic Malolepszy
dmalolepszy at optusnet.com.au
Wed Oct 17 09:44:10 EEST 2012
I think I found a solution to this thanks to a post by Timo here:
http://dovecot.org/list/dovecot/2011-December/062631.html
service anvil {
  unix_listener anvil-auth-penalty {
    mode = 0
  }
}
On 17/10/12 17:11, Dominic Malolepszy wrote:
> Hi all,
>
> I have observed with my Dovecot setup that unique failed logins cause
> legitimate correct logins to be slowed. I am running two servers, each
> with two Dovecot instances, a Proxy with Director, and a backend
> Dovecot. I suspect that the backend instance is throttling
> connections from the same IP, and because I am running a Proxy, the
> backend will only see either of the two server IPs. I confirmed this
> by directly connecting to the backend, to bypass the proxy and rule
> it out. I initiated dozens of unique failed logins from one IP and
> separately attempted to login from the same IP, and experienced an
> extended delay during login. At the same time a login from a different
> IP succeeded immediately. I see nothing in the logs suggesting some sort
> of process limits were exceeded, however I do see the following proc
> title for the backend auth process:
> "dovecot/auth [7 wait, 0 passdb, 0 userdb]"
>
> I have increased the mail_max_userip_connections to a very large value
> however I believe that setting is a per username/ip limit. Is there
> any sort of setting in Dovecot that I can configure that stops this
> authentication throttling per IP? Below is the configuration of the
> backend Dovecot instance.
>
>
> # 2.1.9: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-279.5.2.el6.x86_64 x86_64 Red Hat Enterprise Linux Server release 6.3 (Santiago)
> auth_cache_negative_ttl = 3 secs
> auth_cache_size = 100 M
> auth_cache_ttl = 10 mins
> auth_default_realm = example.com
> auth_failure_delay = 5 secs
> auth_mechanisms = plain login
> auth_verbose_passwords = sha1
> auth_worker_max_count = 25
> base_dir = /var/run/dovecot/
> disable_plaintext_auth = no
> first_valid_gid = 12
> first_valid_uid = 8
> last_valid_gid = 12
> last_valid_uid = 8
> login_greeting = Hello there.
> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
> mail_fsync = always
> mail_gid = mail
> mail_location = maildir:%h/Maildir
> mail_nfs_index = yes
> mail_nfs_storage = yes
> mail_plugins = " stats"
> mail_uid = mail
> mmap_disable = yes
> namespace {
>   inbox = yes
>   location = maildir:%h/Maildir
>   prefix = INBOX.
>   separator = .
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf
>   driver = ldap
> }
> protocols = pop3 imap
> service auth {
>   unix_listener auth-userdb {
>     group = mail
>     mode = 0660
>     user = mail
>   }
> }
> service imap-login {
>   inet_listener imap {
>     address = 0.0.0.0
>     port = 9143
>   }
>   process_min_avail = 5
>   service_count = 0
>   vsz_limit = 256 M
> }
> service imap {
>   process_limit = 1000
>   vsz_limit = 256 M
> }
> service pop3-login {
>   inet_listener pop3 {
>     address = 0.0.0.0
>     port = 9110
>   }
>   process_min_avail = 5
>   service_count = 0
>   vsz_limit = 256 M
> }
> service pop3 {
>   process_limit = 1000
>   vsz_limit = 256 M
> }
> service stats {
>   fifo_listener stats-mail {
>     mode = 0600
>     user = mail
>   }
>   inet_listener {
>     address = 127.0.0.1
>     port = 24242
>   }
> }
> ssl = no
> stats_memory_limit = 64 M
> userdb {
>   driver = prefetch
> }
> userdb {
>   args = /etc/dovecot/dovecot-ldap.conf
>   driver = ldap
> }
> verbose_proctitle = yes
> protocol imap {
>   imap_logout_format = bytes_read=%i bytes_send=%o
>   mail_max_userip_connections = 1000
>   mail_plugins = " stats "
> }
> protocol pop3 {
>   mail_max_userip_connections = 1000
> }
>
>
> Dominic
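An added model (not code from this thread or from Dovecot) of why a per-IP auth penalty on the backend slows every user behind a proxy: the backend only ever sees the proxy's address, so an attacker's failures and a legitimate user's correct login share one penalty entry, and disabling the penalty on the backend (or keying it on the real client address) removes the shared delay. The penalty schedule, the addresses and the function names are constructed assumptions for illustration, not Dovecot's actual anvil algorithm.

```python
from collections import defaultdict

# Constructed penalty schedule (assumption, not Dovecot's real numbers):
# each failure doubles the IP's penalty from INITIAL_PENALTY, capped at MAX_PENALTY.
INITIAL_PENALTY = 2
MAX_PENALTY = 15


class PenaltyTable:
    """Per-IP penalty table, a simplified stand-in for the anvil-auth-penalty service."""

    def __init__(self, enabled=True):
        self.enabled = enabled            # False models "unix_listener anvil-auth-penalty { mode = 0 }"
        self.penalty = defaultdict(int)   # seconds of delay currently owed per IP

    def delay_for(self, ip):
        return self.penalty[ip] if self.enabled else 0

    def record_failure(self, ip):
        if not self.enabled:
            return
        cur = self.penalty[ip]
        self.penalty[ip] = min(MAX_PENALTY, cur * 2 if cur else INITIAL_PENALTY)


def backend_login(table, seen_ip, ok):
    """Return the delay (seconds) the backend imposes before answering this login.
    seen_ip is the address the backend actually sees; with a proxy in front it is
    always the proxy, so every client shares one penalty entry."""
    delay = table.delay_for(seen_ip)
    if not ok:
        table.record_failure(seen_ip)
    return delay


def simulate(penalty_on_backend, proxied, attacker_failures=6):
    """Attacker (203.0.113.9) fails repeatedly, then a victim (198.51.100.7) logs in
    correctly; returns the delay the victim's correct login experiences."""
    table = PenaltyTable(enabled=penalty_on_backend)
    proxy_ip = "10.0.0.1"
    attacker_ip = proxy_ip if proxied else "203.0.113.9"
    victim_ip = proxy_ip if proxied else "198.51.100.7"
    for _ in range(attacker_failures):
        backend_login(table, attacker_ip, ok=False)
    return backend_login(table, victim_ip, ok=True)


if __name__ == "__main__":
    print("penalty on backend, via proxy   :", simulate(True, True))    # victim delayed
    print("penalty on backend, direct      :", simulate(True, False))   # victim unaffected
    print("penalty off on backend, via proxy:", simulate(False, True))  # victim unaffected
```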