remote | local blocks in protocol settings - dovecot

remote | local blocks in protocol settings

Nikolaos Milas

15 Jan 2016 15 Jan '16

10:02 a.m.

Hello,

Where can I find detailed documentation on how "remote" & "local" blocks are used in protocol configuration to provide specific settings for particular IPs/Names?

I've been searching around (wiki2, Google) but I found very few things. I also checked in the conf.d directory of the installation and couldn't find anything.

One useful thread was here:

http://www.dovecot.org/list/dovecot/2010-June/050069.html

where we can read about the "filter" hierarchy:

protocol name {
   remote <ip|name> {
     local <ip|name> {

but I would really appreciate reading more complete documentation (and, hopefully, examples).

Thanks, Nick

Show replies by date

Nikolaos Milas

19 Jan 19 Jan

3:34 a.m.

On 15/1/2016 8:02 μμ, Nikolaos Milas wrote:

...

Where can I find detailed documentation on how "remote" & "local" blocks are used in protocol configuration to provide specific settings for particular IPs/Names?

I've been searching around (wiki2, Google) but I found very few things. I also checked in the conf.d directory of the installation and couldn't find anything.

One useful thread was here:

http://www.dovecot.org/list/dovecot/2010-June/050069.html

where we can read about the "filter" hierarchy:

protocol name { remote { local {

but I would really appreciate reading more complete documentation (and, hopefully, examples).

Thanks, Nick

Having received no reply, I tried using the above info by configuring:

protocol imap {
   imap_client_workarounds = "delay-newmail"
   mail_plugins = quota imap_quota notify replication
   mail_max_userip_connections = 30
   remote 127.0.0.1 {
     mail_max_userip_connections = 1000
   }
}

but it didn't work:

Fatal: Error in configuration file /etc/dovecot/dovecot.conf line
30: remote must not be under protocol

The idea is to allow more connections to webmail than to individual users. Am I thinking right?

Can you please help me in finding how to configure things properly?

By the way, the command "doveadm who" shows imap connections by users, but it does not seem to show webmail connections. Any advice on this?

Thanks in advance, Nick

Timo Sirainen

5:31 a.m.

On 19 Jan 2016, at 13:34, Nikolaos Milas nmilas@noa.gr wrote:

...

On 15/1/2016 8:02 μμ, Nikolaos Milas wrote:

Having received no reply, I tried using the above info by configuring:

protocol imap { imap_client_workarounds = "delay-newmail" mail_plugins = quota imap_quota notify replication mail_max_userip_connections = 30 remote 127.0.0.1 { mail_max_userip_connections = 1000 } }

but it didn't work:

Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 30: remote must not be under protocol

Change it the other way around:

remote 127.0.0.1 { protocol imap { ... } }

...

By the way, the command "doveadm who" shows imap connections by users, but it does not seem to show webmail connections. Any advice on this?

Webmail probably just quickly opens and closes the connections, so there aren't any connections that are visible for more than a fraction of a second.

Nikolaos Milas

6:04 a.m.

On 19/1/2016 3:31 μμ, Timo Sirainen wrote:

...

Change it the other way around:

remote 127.0.0.1 { protocol imap { ... } }

Thank you for your advice Timo (on "remote" blocks).

So, the "remote" block should not have any parent (i.e. should not be included in any other block)?

...

Webmail probably just quickly opens and closes the connections, so there aren't any connections that are visible for more than a fraction of a second.

On the real issue: I am trying to identify why (just recently) webmail users recently are increasingly facing the error: "ERROR : Connection dropped by imap-server".

The docs I've read on webmail (squirrelmail) affirm your indication that webmail IMAP connections should be closing quickly, so these should not be the cause of the errors.

A few days ago, when I increased the global value of "mail_max_userip_connections", I stopped seeing errors "Maximum number of connections from user+IP exceeded" in dovecot log. However, the above problem continues in webmail.

Using the command "doveadm who" I see relatively few connections, so I am wondering what may be the cause.

Any ideas will be appreciated!

Thanks, Nick

Christian Kivalo

6:32 a.m.

...

...
Webmail probably just quickly opens and closes the connections, so there aren't any connections that are visible for more than a fraction of a second.

On the real issue: I am trying to identify why (just recently) webmail users recently are increasingly facing the error: "ERROR : Connection dropped by imap-server".

The docs I've read on webmail (squirrelmail) affirm your indication that webmail IMAP connections should be closing quickly, so these should not be the cause of the errors.

A few days ago, when I increased the global value of "mail_max_userip_connections", I stopped seeing errors "Maximum number of connections from user+IP exceeded" in dovecot log. However, the above problem continues in webmail.

Don't know if that helps but you could try a local imapproxy like imapproxy from imappproxy.org this should speed up your webmail and reuse connections

...

Using the command "doveadm who" I see relatively few connections, so I am wondering what may be the cause.

Any ideas will be appreciated!

Thanks, Nick Christian

Timo Sirainen

8:34 a.m.

...

On 19 Jan 2016, at 16:04, Nikolaos Milas nmilas@noa.gr wrote:

On 19/1/2016 3:31 μμ, Timo Sirainen wrote:

...
Change it the other way around:

remote 127.0.0.1 { protocol imap { ... } }

Thank you for your advice Timo (on "remote" blocks).

So, the "remote" block should not have any parent (i.e. should not be included in any other block)?

I just updated the error messages to be a bit more understandable: https://github.com/dovecot/core/commit/0df899feada1f406122d7658894c77eeb1022...

The nesting must be in this order or it'll give an error:

local 127.0.0.1 { local_name foo { remote 127.0.0.1 { protocol imap { } } } }

...

...
Webmail probably just quickly opens and closes the connections, so there aren't any connections that are visible for more than a fraction of a second.

On the real issue: I am trying to identify why (just recently) webmail users recently are increasingly facing the error: "ERROR : Connection dropped by imap-server".

Is there anything in Dovecot's error logs? For example any warnings about reaching a process limit?
If you can't find anything, try to find the matching webmail connection's disconnection message from Dovecot logs and see what it says the reason for disconnection was.

...

A few days ago, when I increased the global value of "mail_max_userip_connections", I stopped seeing errors "Maximum number of connections from user+IP exceeded" in dovecot log. However, the above problem continues in webmail.

If that is reached, Dovecot logs it as the reason for the disconnection.

Nikolaos Milas

10:23 a.m.

On 19/1/2016 6:34 μμ, Timo Sirainen wrote:

...

The nesting must be in this order or it'll give an error:

local 127.0.0.1 { local_name foo { remote 127.0.0.1 { protocol imap { } } } }

Please allow me to ask for clarifications:

local <ip> --> Local Dovecot Server IP address local_name <name> --> Connecting client username remote <ip> --> Connecting client ip address

Please correct accordingly, if necessary. Thanks!

...

Is there anything in Dovecot's error logs? For example any warnings about reaching a process limit?

If you can't find anything, try to find the matching webmail connection's disconnection message from Dovecot logs and see what it says the reason for disconnection was.

I just found in Dovecot logs:

dovecot: master: Warning: service(imap-login): process_limit (100) reached, client connections are being dropped

This must be it! So, I guess I could add to my config, for example:

service imap-login {
    service_count = 1
    vsz_limit = 64 M
+   process_limit = 500
+   process_min_avail = 2
}

Sounds right? (Ref.: http://wiki.dovecot.org/LoginProcess)

By the way is there a way to show/monitor (e.g. using doveadm) the current number of login processes used?

Thanks for everything! Nick

Timo Sirainen

10:54 a.m.

...

On 19 Jan 2016, at 20:23, Nikolaos Milas nmilas@noa.gr wrote:

On 19/1/2016 6:34 μμ, Timo Sirainen wrote:

...
The nesting must be in this order or it'll give an error:

local 127.0.0.1 { local_name foo { remote 127.0.0.1 { protocol imap { } } } }

Please allow me to ask for clarifications:

local <ip> --> Local Dovecot Server IP address

Yes.

...

local_name <name> --> Connecting client username

No, this is used only when TLS SNI extension is used. It expands to the TLS SNI hostname. Typically this is only used to configure per-host TLS certificates.

...

remote <ip> --> Connecting client ip address

Yes.

...

Please correct accordingly, if necessary. Thanks!

...

Is there anything in Dovecot's error logs? For example any warnings about reaching a process limit?

If you can't find anything, try to find the matching webmail connection's disconnection message from Dovecot logs and see what it says the reason for disconnection was.

I just found in Dovecot logs:

dovecot: master: Warning: service(imap-login): process_limit (100) reached, client connections are being dropped

This must be it! So, I guess I could add to my config, for example:

service imap-login { service_count = 1 vsz_limit = 64 M

process_limit = 500

process_min_avail = 2 }

Sounds right? (Ref.: http://wiki.dovecot.org/LoginProcess)

Yes.

...

By the way is there a way to show/monitor (e.g. using doveadm) the current number of login processes used?

Not beyond the standard tools: ps aux | grep imap-login | wc -l

Nikolaos Milas

2 p.m.

On 19/1/2016 8:54 μμ, Timo Sirainen wrote:

...

No, this is used only when TLS SNI extension is used. It expands to the TLS SNI hostname. Typically this is only used to configure per-host TLS certificates.

So, when TLS SNI extension is not used, we can skip the entire block? Like:

local 127.0.0.1 {
   remote 127.0.0.1 {
     protocol imap {
       ...
     }
   }
}

Is this acceptable?

Thanks, Nick

3186

Age (days ago)

3190

Last active (days ago)

List overview

8 comments

3 participants

participants (3)

Christian Kivalo
Nikolaos Milas
Timo Sirainen

remote | local blocks in protocol settings

tags

participants (3)