Re: [Dovecot] How to limit max number of connections for ip address

24 Feb 2012


      Hi Timo:
My question was because constantly we received brute force attack from
some of ip address which uses pop3 service to affect dovecot's login
proccess.
For example:
Error: Temporary failure in creating login processes, slowing down for now
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<admin>,
method=PLAIN, rip=A.B.C.D, Info: Aborted login (auth failed, 1
attempts): user=<useradmin>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts):
user=<admin123>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts):
user=<administrator>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<adm>,
method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
auth(default): Info: shadow(best,A.B.C.D): unknown user
dovecot: Error: pipe() failed: Too many open files
dovecot: Error: Temporary failure in creating login processes, slowing
down for now
In the log above from dovecto.log file, we observed a lot of conections
from IP address A.B.C.D to our email server with ip address X.Y.Z.A
using pop3 login process.
Is possible prevent this type of attacks with any dovecot option (maybe
limit the number of max connections from one ip address or maybe
upgrading my dovecot version)?
Thanks for you help and time.
Wilberth.
El 23/02/2012 05:21 p.m., Timo Sirainen escribió:
...
On 24.2.2012, at 0.33, Wilberth Perez wrote:
...
Does any one , knows if is possible configure dovecot for limit max
number of connections for IP address?
I would  like to prevent future fork-bombing attacks for pop3 and imap
login process in my email server.
Our dovecot version is : 1.2.10
There is mail_max_userip_connections setting which limits IP+username combination. Typically that should be enough to prevent fork bombing, because users normally don't have more than one account.
Or you mean when some IP keeps connecting even without actually loggin in? http://wiki.dovecot.org/LoginProcess has some settings related to this, which should normally be quite helpful if the limits are right.