remote | local blocks in protocol settings
Hello,
Where can I find detailed documentation on how "remote" & "local" blocks are used in protocol configuration to provide specific settings for particular IPs/Names?
I've been searching around (wiki2, Google) but I found very few things. I also checked in the conf.d directory of the installation and couldn't find anything.
One useful thread was here:
http://www.dovecot.org/list/dovecot/2010-June/050069.html
where we can read about the "filter" hierarchy:
protocol name {
remote <ip|name> {
local <ip|name> {
but I would really appreciate reading more complete documentation (and, hopefully, examples).
Thanks, Nick
On 15/1/2016 8:02 μμ, Nikolaos Milas wrote:
Where can I find detailed documentation on how "remote" & "local" blocks are used in protocol configuration to provide specific settings for particular IPs/Names?
I've been searching around (wiki2, Google) but I found very few things. I also checked in the conf.d directory of the installation and couldn't find anything.
One useful thread was here:
http://www.dovecot.org/list/dovecot/2010-June/050069.html
where we can read about the "filter" hierarchy:
protocol name {
remote <ip|name> {
local <ip|name> {
but I would really appreciate reading more complete documentation (and, hopefully, examples).
Thanks, Nick
Having received no reply, I tried using the above info by configuring:
protocol imap {
  imap_client_workarounds = "delay-newmail"
  mail_plugins = quota imap_quota notify replication
  mail_max_userip_connections = 30
  remote 127.0.0.1 {
    mail_max_userip_connections = 1000
  }
}
but it didn't work:
Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 30: remote must not be under protocol
- The idea is to allow more connections to webmail than to individual users. Am I thinking right?
Can you please help me in finding how to configure things properly?
By the way, the command "doveadm who" shows imap connections by users, but it does not seem to show webmail connections. Any advice on this?
Thanks in advance, Nick
On 19 Jan 2016, at 13:34, Nikolaos Milas <nmilas@noa.gr> wrote:
On 15/1/2016 8:02 μμ, Nikolaos Milas wrote:
Having received no reply, I tried using the above info by configuring:
protocol imap {
  imap_client_workarounds = "delay-newmail"
  mail_plugins = quota imap_quota notify replication
  mail_max_userip_connections = 30
  remote 127.0.0.1 {
    mail_max_userip_connections = 1000
  }
}
but it didn't work:
Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 30: remote must not be under protocol
Change it the other way around:
remote 127.0.0.1 {
  protocol imap {
    ...
  }
}
By the way, the command "doveadm who" shows imap connections by users, but it does not seem to show webmail connections. Any advice on this?
Webmail probably just quickly opens and closes the connections, so there aren't any connections that are visible for more than a fraction of a second.
On 19/1/2016 3:31 μμ, Timo Sirainen wrote:
Change it the other way around:
remote 127.0.0.1 {
  protocol imap {
    ...
  }
}
Thank you for your advice Timo (on "remote" blocks).
So, the "remote" block should not have any parent (i.e. should not be included in any other block)?
Webmail probably just quickly opens and closes the connections, so there aren't any connections that are visible for more than a fraction of a second.
On the real issue: I am trying to identify why (just recently) webmail users recently are increasingly facing the error: "ERROR : Connection dropped by imap-server".
The docs I've read on webmail (squirrelmail) affirm your indication that webmail IMAP connections should be closing quickly, so these should not be the cause of the errors.
A few days ago, when I increased the global value of "mail_max_userip_connections", I stopped seeing errors "Maximum number of connections from user+IP exceeded" in dovecot log. However, the above problem continues in webmail.
Using the command "doveadm who" I see relatively few connections, so I am wondering what may be the cause.
Any ideas will be appreciated!
Thanks, Nick
Webmail probably just quickly opens and closes the connections, so there aren't any connections that are visible for more than a fraction of a second.
On the real issue: I am trying to identify why (just recently) webmail users recently are increasingly facing the error: "ERROR : Connection dropped by imap-server".
The docs I've read on webmail (squirrelmail) affirm your indication that webmail IMAP connections should be closing quickly, so these should not be the cause of the errors.
A few days ago, when I increased the global value of "mail_max_userip_connections", I stopped seeing errors "Maximum number of connections from user+IP exceeded" in dovecot log. However, the above problem continues in webmail.
Don't know if that helps, but you could try a local imapproxy like imapproxy from imappproxy.org; this should speed up your webmail and reuse connections.
Using the command "doveadm who" I see relatively few connections, so I am wondering what may be the cause.
Any ideas will be appreciated!
Thanks, Nick
Christian
On 19 Jan 2016, at 16:04, Nikolaos Milas <nmilas@noa.gr> wrote:
On 19/1/2016 3:31 μμ, Timo Sirainen wrote:
Change it the other way around:
remote 127.0.0.1 {
  protocol imap {
    ...
  }
}
Thank you for your advice Timo (on "remote" blocks).
So, the "remote" block should not have any parent (i.e. should not be included in any other block)?
I just updated the error messages to be a bit more understandable: https://github.com/dovecot/core/commit/0df899feada1f406122d7658894c77eeb1022...
The nesting must be in this order or it'll give an error:
local 127.0.0.1 {
  local_name foo {
    remote 127.0.0.1 {
      protocol imap {
      }
    }
  }
}
Webmail probably just quickly opens and closes the connections, so there aren't any connections that are visible for more than a fraction of a second.
On the real issue: I am trying to identify why (just recently) webmail users recently are increasingly facing the error: "ERROR : Connection dropped by imap-server".
Is there anything in Dovecot's error logs? For example any warnings about reaching a process limit?
If you can't find anything, try to find the matching webmail connection's disconnection message from Dovecot logs and see what it says the reason for disconnection was.
A few days ago, when I increased the global value of "mail_max_userip_connections", I stopped seeing errors "Maximum number of connections from user+IP exceeded" in dovecot log. However, the above problem continues in webmail.
If that is reached, Dovecot logs it as the reason for the disconnection.
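The nesting order given in this thread can be checked before a reload. The following is an added example, not part of the original messages and not Dovecot's own parser: a small Python linter that reports a filter block opened inside a later-ranked one, using the wording of the error quoted earlier in the thread. It assumes every block opens with `{` at the end of a line and closes with a lone `}`; `check_filter_nesting`, `BROKEN` and `FIXED` are names made up for the example, and nesting of the same kind (for example `local` inside `local`) is not judged.

```python
# Filter order as given in the thread, outermost first.
ORDER = ["local", "local_name", "remote", "protocol"]
RANK = {key: i for i, key in enumerate(ORDER)}

def check_filter_nesting(text):
    """Return [(line_no, message)] for filter blocks nested in the wrong order."""
    problems = []
    stack = []  # one entry per open block: a filter keyword, or None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: no '#' inside values
        if line == "}":
            if stack:
                stack.pop()
        elif line.endswith("{"):
            key = line.split()[0]
            if key not in RANK:
                stack.append(None)  # service, namespace, ... are not filters
                continue
            # Any enclosing filter that ranks later makes this block illegal.
            outer = next((o for o in stack if o and RANK[o] > RANK[key]), None)
            if outer:
                problems.append((no, f"{key} must not be under {outer}"))
            stack.append(key)
    return problems

# Constructed samples: the configuration that failed in the thread, and the
# reordered form suggested in the reply (with the setting filled in).
BROKEN = """\
protocol imap {
  mail_max_userip_connections = 30
  remote 127.0.0.1 {
    mail_max_userip_connections = 1000
  }
}
"""
FIXED = """\
protocol imap {
  mail_max_userip_connections = 30
}
remote 127.0.0.1 {
  protocol imap {
    mail_max_userip_connections = 1000
  }
}
"""

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_filter_nesting(conf) or "ok")
```
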
On 19/1/2016 6:34 μμ, Timo Sirainen wrote:
The nesting must be in this order or it'll give an error:
local 127.0.0.1 {
  local_name foo {
    remote 127.0.0.1 {
      protocol imap {
      }
    }
  }
}
Please allow me to ask for clarifications:
local <ip> --> Local Dovecot Server IP address
local_name <name> --> Connecting client username
remote <ip> --> Connecting client ip address
Please correct accordingly, if necessary. Thanks!
Is there anything in Dovecot's error logs? For example any warnings about reaching a process limit?
If you can't find anything, try to find the matching webmail connection's disconnection message from Dovecot logs and see what it says the reason for disconnection was.
I just found in Dovecot logs:
dovecot: master: Warning: service(imap-login): process_limit (100) reached, client connections are being dropped
This must be it! So, I guess I could add to my config, for example:
service imap-login {
service_count = 1
vsz_limit = 64 M
+ process_limit = 500
+ process_min_avail = 2
}
Sounds right? (Ref.: http://wiki.dovecot.org/LoginProcess)
By the way is there a way to show/monitor (e.g. using doveadm) the current number of login processes used?
Thanks for everything! Nick
On 19 Jan 2016, at 20:23, Nikolaos Milas <nmilas@noa.gr> wrote:
On 19/1/2016 6:34 μμ, Timo Sirainen wrote:
The nesting must be in this order or it'll give an error:
local 127.0.0.1 {
  local_name foo {
    remote 127.0.0.1 {
      protocol imap {
      }
    }
  }
}
Please allow me to ask for clarifications:
local <ip> --> Local Dovecot Server IP address
Yes.
local_name <name> --> Connecting client username
No, this is used only when TLS SNI extension is used. It expands to the TLS SNI hostname. Typically this is only used to configure per-host TLS certificates.
remote <ip> --> Connecting client ip address
Yes.
Please correct accordingly, if necessary. Thanks!
Is there anything in Dovecot's error logs? For example any warnings about reaching a process limit?
If you can't find anything, try to find the matching webmail connection's disconnection message from Dovecot logs and see what it says the reason for disconnection was.
I just found in Dovecot logs:
dovecot: master: Warning: service(imap-login): process_limit (100) reached, client connections are being dropped
This must be it! So, I guess I could add to my config, for example:
service imap-login {
service_count = 1
vsz_limit = 64 M
+ process_limit = 500
+ process_min_avail = 2
}
Sounds right? (Ref.: http://wiki.dovecot.org/LoginProcess)
Yes.
By the way is there a way to show/monitor (e.g. using doveadm) the current number of login processes used?
Not beyond the standard tools: ps aux | grep imap-login | wc -l
On 19/1/2016 8:54 μμ, Timo Sirainen wrote:
No, this is used only when TLS SNI extension is used. It expands to the TLS SNI hostname. Typically this is only used to configure per-host TLS certificates.
So, when TLS SNI extension is not used, we can skip the entire block? Like:
local 127.0.0.1 {
  remote 127.0.0.1 {
    protocol imap {
      ...
    }
  }
}
Is this acceptable?
Thanks, Nick
participants (3)
- Christian Kivalo
- Nikolaos Milas
- Timo Sirainen