On Tue, Jan 11, 2011 at 04:31:03PM +0200, Timo Sirainen wrote:
Well, switching to high performance mode would work better for proxies: http://wiki2.dovecot.org/LoginProcess
That text does a good job at scaring me away from high perf mode.. I wouldn't want any attackers stealing my user's passwords. Is it really necessary to run this way, when the server otherwise doesn't seem to be affected by the number of running processes ?
BTW: I'm seeing a bit more failed logins than I think there should be..
pop3-login: Disconnected (auth failed, 1 attempts): user=<user@somewhere.net>, method=PLAIN, rip=xx.xx.xx.xxx, lip=xx.xxx.xx.xxx
imap-login: Aborted login (auth failed, 1 attempts): user=<otheruser@nothere.net>, method=PLAIN, rip=xx.xxx.xxx.xx, lip=xx.xxx.xx.xxx, TLSCould these be explained with the fact that we earlier didn't offer STARTTLS, because users might be talking with one of the CNAMEs that doesn't match the certificate name, and with this new config we started offering STARTTLS ?
I'm a bit reluctant to do it, but if we do get too many complaints about failed logins, will it be it possible to disable STARTTLS, while keeping SSL active for the imaps/pops ports on the director ?
Current config and stats:
##################################################################### # 2.0.8: /usr/local/dovecot-2.0.8/etc/dovecot/dovecot.conf # OS: Linux 2.6.18-194.32.1.el5 x86_64 Red Hat Enterprise Linux Server release 5.5 (Tikanga) director_mail_servers = 192.168.42.7 192.168.42.8 192.168.42.9 192.168.42.10 192.168.42.11 192.168.42.28 192.168.42.29 director_servers = 192.168.42.15 192.168.42.17 disable_plaintext_auth = no listen = * passdb { args = proxy=y nopassword=y driver = static } service anvil { client_limit = 2051 } service auth { client_limit = 4196 } service director { fifo_listener login/proxy-notify { mode = 0666 } inet_listener { port = 5515 } unix_listener director-userdb { mode = 0600 } unix_listener login/director { mode = 0666 } } service imap-login { executable = imap-login director process_limit = 1024 } service pop3-login { executable = pop3-login director process_limit = 1024 } ssl_cert =
$ sudo /usr/local/dovecot/bin/doveadm director status mail server ip vhosts users 192.168.42.7 10 546 192.168.42.8 10 531 192.168.42.9 10 487 192.168.42.10 10 520 192.168.42.11 10 493 192.168.42.28 100 5119 192.168.42.29 100 4994
$ ps -ef|grep dovec|wc -l 684
-jf