Marten Lehmann wrote:
Hello,
You could look at increasing the file limits, on Debian it's in /etc/security/limits.conf, increase the default 'nofile' from 1024 to say, 20000 or something.
no, that's the wrong way. This would help for now but it is just a workaround and sooner or later even these limits might be exceeded. So dovecot definitely needs max_connections_per_user or max_connections_per_ip option.
Here's an example of what we're seeing, haven't pinned it down to a specific client setting yet:
dovecot: Mar 27 13:14:26 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:28 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:30 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:32 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:35 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:36 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:38 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:39 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:41 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:42 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:45 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:46 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:48 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:49 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:51 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:53 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:55 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:56 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:58 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:14:59 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:15:01 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:15:03 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:15:05 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:15:06 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:15:08 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:15:10 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:15:12 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:15:14 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:15:17 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:15:18 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
dovecot: Mar 27 13:15:20 Info: imap-login: Login: user=<username1>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=10.1.0.102
When we get 1-2 of these going at a time, it kills the server, and we need to restart imap. If there was some kind of per-ip/login limit, I bet we wouldn't exceed the resources. In this case, we know this is an employee using an unsupported client from outside - but, we have no way to block the IP (need to keep in contact with the remote IP), and there doesn't seem to be an "only accept from these imap clients" option, either... It's totally unacceptable for me to tell my boss the mailserver died because someone used a bad mail program. :/
Maybe this would be really hard to implement in dovecot, but I just wanted to second the notion that it would be a good thing(tm).
Thanks,
-deano
Regards Marten
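
Added example (not from this thread and not dovecot code): a Python check that reads lines in the imap-login format quoted above and reports each user and remote IP pair whose logins reach a threshold inside a sliding time window. The 60-second window, the threshold of 10, the assumed year, and the sample users and addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the imap-login "Login:" lines in the format quoted in the post.
LOGIN_RE = re.compile(
    r"dovecot: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) Info: imap-login: Login: "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[^,\s]+), lip=\S+"
)

def parse_login(line, year=2000):
    """Return (timestamp, user, remote_ip) for a login line, else None."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    # The log carries no year; an assumed one is enough to compare times.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["rip"]

def login_bursts(lines, window=timedelta(seconds=60), threshold=10):
    """Map (user, remote_ip) to its peak login count in any window, if >= threshold."""
    recent = defaultdict(deque)   # timestamps still inside the window, per pair
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_login(line)
        if parsed is None:
            continue              # not a login line
        ts, user, rip = parsed
        q = recent[(user, rip)]
        q.append(ts)
        while ts - q[0] > window: # drop logins older than the window
            q.popleft()
        peak[(user, rip)] = max(peak[(user, rip)], len(q))
    return {pair: n for pair, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed sample: one client reconnecting every 2 s, one normal user."""
    start = datetime(2000, 3, 27, 13, 14, 26)
    fmt = ("dovecot: {:%b %d %H:%M:%S} Info: imap-login: Login: "
           "user=<{}>, method=PLAIN, rip={}, lip=10.1.0.102")
    lines = [fmt.format(start + timedelta(seconds=2 * i), "alice", "203.0.113.7") for i in range(31)]
    lines += [fmt.format(start + timedelta(minutes=5 * i), "bob", "198.51.100.4") for i in range(3)]
    return lines

if __name__ == "__main__":
    for (user, rip), count in login_bursts(sample_log()).items():
        print(f"{user} from {rip}: {count} logins within 60 s")
```

Lines for each user and IP pair must arrive in time order, as they do in a single log file.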