[Dovecot] Maximum number of connections from user+IP exceeded

Tue Aug 20 00:10:57 EEST 2013

Am 19.08.2013 23:00, schrieb Stan Hoeppner:
> On 8/19/2013 7:03 AM, Reindl Harald wrote:
>>
>> Am 19.08.2013 14:00, schrieb LuKreme:
>>> All of a sudden I am getting these errors on one of my accounts:
>>>
>>> imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=10)
>>> It was working fine last night when I went to bed, and is posting these errors nearly constantly
>>
>> in case of IMAP 10 is *way* too low!
>>
>> keep in mind that
>>
>> * a IMAP client opens one connection *per folder*
> 
> What do you mean by "per folder"?  I've been limiting Tbird to 2 IMAP
> connections for many years and, unsurprisingly, it never opens more than
> two IMAP connections to Dovecot no matter how many folders I access,
> tabs I have open, or searches I perform, etc:
> 
> tcp 0 0 192.168.100.9:143 192.168.100.53:1663 ESTABLISHED 13189/imap
> tcp 0 0 192.168.100.9:143 192.168.100.53:1672 ESTABLISHED 13192/imap

and it will never check more than 2 folder relieable and in time for new mails

> And with the default TB limit of 5 it never opens more than 5

fine - and with Inbox, Sent, Trash, Junk and Drafts it will
so with 2 client from the smane NAT your 10 are done

> Which clients exhibit this "per folder" connection behavior?  
> That seems totally unnecessary.

may i suggest you read about how IMAP IDLE works?

http://forum.emclient.com/emclient/topics/imap_idle_should_open_a_connection_to_each_folder_but_it_does_not
http://kb.mozillazine.org/IMAP:_advanced_account_configuration

>> * if you have 5 folders and a user with 3 devices (workstation, phone, tablet) you are done
> 
> Again, not folder dependent but client configuration dependent.  If your
> client is RC it never opens more than one connection per user, and
> closes the connection after each operation.

Roundcube is not a regulary client because with stateless HTTP you
hardly can implement IMAP IDLE

>> * if you have a few imap-users behind the same NAT you are done
> 
> This isn't correct either.  It's user+IP

says who?
this makes no sense to limit anything relieable
hence, a bad guy has no user at all and opens a lot of connections for damage

> So you could have 30 connections from 3 users, 100 from 10 users, through 
> one NAT IP, with a setting of 10

even with your example of 5 default connections you have a problem with
the same user owning 3 devices - they most likely sometimes are behind
his home NAT and turned on

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20130819/e495f9e1/attachment.bin>