[Dovecot] Maximum number of connections from user+IP exceeded
All of a sudden I am getting these errors on one of my accounts:
imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=10)
It was working fine last night when I went to bed, and is posting these errors nearly constantly (about one every second) when I checked mail after waking up this morning.
The account is question is my main account and has a lot of mail, but it is not the account with the most mailboxes, that one is working fine.
I looked at the documentation on how to increase this setting, but <http://wiki.dovecot.org/MainConfig> is for 1.x and clicking the 'wiki2" link brings up a mostly blank page with no configuration info at all. It looks like in dovecot 1.x this would go in an protocol imap block, but I don't have one of those in my conf.
# doveconf -n
# 2.2.5: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE i386
auth_mechanisms = plain login
disable_plaintext_auth = no
first_valid_uid = 89
log_path = /var/log/dovecot
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox NotJunk {
auto = subscribe
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
driver = passwd
}
userdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
-- 'Never trust a ruler who puts his faith in tunnels and bunkers and escape routes. The chances are that his heart isn't in the job.'
Am 19.08.2013 14:00, schrieb LuKreme:
All of a sudden I am getting these errors on one of my accounts:
imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=10) It was working fine last night when I went to bed, and is posting these errors nearly constantly
in case of IMAP 10 is *way* too low!
keep in mind that
- a IMAP client opens one connection *per folder*
- if you have 5 folders and a user with 3 devices (workstation, phone, tablet) you are done
- if you have a few imap-users behind the same NAT you are done
Am 19.08.2013 14:03, schrieb Reindl Harald:
Am 19.08.2013 14:00, schrieb LuKreme:
All of a sudden I am getting these errors on one of my accounts:
imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=10) It was working fine last night when I went to bed, and is posting these errors nearly constantly
in case of IMAP 10 is *way* too low!
keep in mind that
- a IMAP client opens one connection *per folder*
- if you have 5 folders and a user with 3 devices (workstation, phone, tablet) you are done
- if you have a few imap-users behind the same NAT you are done
missed "I looked at the documentation on how to increase this setting" and "It looks like in dovecot 1.x this would go in an protocol imap block, but I don't have one of those in my conf"
it goes in no block, part of the main config
login_log_format_elements = user=<%u> %r %m %c login_log_format = %$: %s mail_max_userip_connections = 50 auth_mechanisms = CRAM-MD5 DIGEST-MD5 APOP LOGIN PLAIN disable_plaintext_auth = no shutdown_clients = no version_ignore = yes
On 8/19/2013 7:03 AM, Reindl Harald wrote:
Am 19.08.2013 14:00, schrieb LuKreme:
All of a sudden I am getting these errors on one of my accounts:
imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=10) It was working fine last night when I went to bed, and is posting these errors nearly constantly
in case of IMAP 10 is *way* too low!
keep in mind that
- a IMAP client opens one connection *per folder*
What do you mean by "per folder"? I've been limiting Tbird to 2 IMAP connections for many years and, unsurprisingly, it never opens more than two IMAP connections to Dovecot no matter how many folders I access, tabs I have open, or searches I perform, etc:
tcp 0 0 192.168.100.9:143 192.168.100.53:1663 ESTABLISHED 13189/imap tcp 0 0 192.168.100.9:143 192.168.100.53:1672 ESTABLISHED 13192/imap
And with the default TB limit of 5 it never opens more than 5. Which clients exhibit this "per folder" connection behavior? That seems totally unnecessary.
- if you have 5 folders and a user with 3 devices (workstation, phone, tablet) you are done
Again, not folder dependent but client configuration dependent. If your client is RC it never opens more than one connection per user, and closes the connection after each operation.
- if you have a few imap-users behind the same NAT you are done
This isn't correct either. It's user+IP. So you could have 30 connections from 3 users, 100 from 10 users, through one NAT IP, with a setting of 10.
-- Stan
Am 19.08.2013 23:00, schrieb Stan Hoeppner:
On 8/19/2013 7:03 AM, Reindl Harald wrote:
Am 19.08.2013 14:00, schrieb LuKreme:
All of a sudden I am getting these errors on one of my accounts:
imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=10) It was working fine last night when I went to bed, and is posting these errors nearly constantly
in case of IMAP 10 is *way* too low!
keep in mind that
- a IMAP client opens one connection *per folder*
What do you mean by "per folder"? I've been limiting Tbird to 2 IMAP connections for many years and, unsurprisingly, it never opens more than two IMAP connections to Dovecot no matter how many folders I access, tabs I have open, or searches I perform, etc:
tcp 0 0 192.168.100.9:143 192.168.100.53:1663 ESTABLISHED 13189/imap tcp 0 0 192.168.100.9:143 192.168.100.53:1672 ESTABLISHED 13192/imap
and it will never check more than 2 folder relieable and in time for new mails
And with the default TB limit of 5 it never opens more than 5
fine - and with Inbox, Sent, Trash, Junk and Drafts it will so with 2 client from the smane NAT your 10 are done
Which clients exhibit this "per folder" connection behavior?
That seems totally unnecessary.
may i suggest you read about how IMAP IDLE works?
http://forum.emclient.com/emclient/topics/imap_idle_should_open_a_connection... http://kb.mozillazine.org/IMAP:_advanced_account_configuration
- if you have 5 folders and a user with 3 devices (workstation, phone, tablet) you are done
Again, not folder dependent but client configuration dependent. If your client is RC it never opens more than one connection per user, and closes the connection after each operation.
Roundcube is not a regulary client because with stateless HTTP you hardly can implement IMAP IDLE
- if you have a few imap-users behind the same NAT you are done
This isn't correct either. It's user+IP
says who? this makes no sense to limit anything relieable hence, a bad guy has no user at all and opens a lot of connections for damage
So you could have 30 connections from 3 users, 100 from 10 users, through one NAT IP, with a setting of 10
even with your example of 5 default connections you have a problem with the same user owning 3 devices - they most likely sometimes are behind his home NAT and turned on
On 8/19/2013 4:10 PM, Reindl Harald wrote:
may i suggest you read about how IMAP IDLE works?
Oh, well sure, if you hang your hat on IDLE then your arguments here might make sense. But because of the brain dead one socket per folder architecture of IDLE few have adopted it en masse. Which is why my comments ignored the existence of IDLE. And which is also why the creators of the RFC stated clients must not count on the existence of IDLE and must poll, which seems really odd. Many have, and still ask, why even have IDLE then if we must still poll?
http://tools.ietf.org/html/rfc2177
"(While the spec actually does allow a server to push EXISTS responses aysynchronously, a client can't expect this behaviour and must poll.)"
Given the option of potentially dozens of open sockets between his server and any client simply to allow IDLE to work for all folders, or one or two connections and strictly client polling, I'd guess most admins will choose the latter.
-- Stan
Am 20.08.2013 01:45, schrieb Stan Hoeppner:
On 8/19/2013 4:10 PM, Reindl Harald wrote:
may i suggest you read about how IMAP IDLE works?
Oh, well sure, if you hang your hat on IDLE then your arguments here might make sense. But because of the brain dead one socket per folder architecture of IDLE few have adopted it en masse. Which is why my comments ignored the existence of IDLE. And which is also why the creators of the RFC stated clients must not count on the existence of IDLE and must poll, which seems really odd. Many have, and still ask, why even have IDLE then if we must still poll?
http://tools.ietf.org/html/rfc2177
"(While the spec actually does allow a server to push EXISTS responses aysynchronously, a client can't expect this behaviour and must poll.)"
Given the option of potentially dozens of open sockets between his server and any client simply to allow IDLE to work for all folders, or one or two connections and strictly client polling, I'd guess most admins will choose the latter
why we have IDLE is easy explained, i get around 500 mails per day well, i can't imagine my personal work-load woking without IDLE
30 folders sorted with Sieve
- several lists with own folders
- company (there folders, one for internal lists)
- customers
- vendors
- server-status (logwatch, mail-stats of 20 servers)
- error-notifies from watchdog (own cron-watchdogs, HP ILO, VMware vSphere, UPS...)
INBOX is a place where rarely a message comes in and with K9 on Android it's easy to select which folders should be considered for the common-inbox and which are pointless on a mobile (INBOX is none of them)
on a mailserver which can handle thousands of connections there is rarely a reason to disable IDLE and so a connection limit of 10 per IP is questionable
On 8/19/2013 6:55 PM, Reindl Harald wrote:
Am 20.08.2013 01:45, schrieb Stan Hoeppner:
On 8/19/2013 4:10 PM, Reindl Harald wrote:
may i suggest you read about how IMAP IDLE works?
Oh, well sure, if you hang your hat on IDLE then your arguments here might make sense. But because of the brain dead one socket per folder architecture of IDLE few have adopted it en masse. Which is why my comments ignored the existence of IDLE. And which is also why the creators of the RFC stated clients must not count on the existence of IDLE and must poll, which seems really odd. Many have, and still ask, why even have IDLE then if we must still poll?
http://tools.ietf.org/html/rfc2177
"(While the spec actually does allow a server to push EXISTS responses aysynchronously, a client can't expect this behaviour and must poll.)"
Given the option of potentially dozens of open sockets between his server and any client simply to allow IDLE to work for all folders, or one or two connections and strictly client polling, I'd guess most admins will choose the latter
why we have IDLE is easy explained, i get around 500 mails per day well, i can't imagine my personal work-load woking without IDLE
30 folders sorted with Sieve
- several lists with own folders
- company (there folders, one for internal lists)
- customers
- vendors
- server-status (logwatch, mail-stats of 20 servers)
- error-notifies from watchdog (own cron-watchdogs, HP ILO, VMware vSphere, UPS...)
INBOX is a place where rarely a message comes in and with K9 on Android it's easy to select which folders should be considered for the common-inbox and which are pointless on a mobile (INBOX is none of them)
IDLE is not required for this. Polling, which is the default on all MUAs, accomplishes the same over one socket, a few max, depending on what you're doing -concurrently- in the MUA.
on a mailserver which can handle thousands of connections there is rarely a reason to disable IDLE and so a connection limit of 10 per IP is questionable
The server resources aren't necessarily a problem as you can always go cluster. One potential problem though, and there are likely others, is that you're potentially increasing the SPI/NAT session tracking on the edge router by 3-6 fold by allowing 30 sessions vs 5 or 10. Add that on top of the other traffic types and, for many, this may require larger routers, a license upgrade, or both. If you're an org of any size and tunneling the IMAP sessions through VPN routers, an upgrade would likely be mandatory.
Thus for some orgs simply increasing allowed connections to support IDLE on arbitrary folder counts may come with a $20-100K price tag. If this was money in your pocket, would you spend it to simply replace poll with push, given that poll works fine, and given that push yields no -real- advantage over poll?
-- Stan
IDLE is not required for this. Polling, which is the default on all MUAs,
Not entirely sure I'd call it "the default", Thunderbird seems to setup for IDLE as default these days, and I suspect Apple Mail and any of the other popular ones do too.
The source code probably looks something like if (canIdle) then {do stuff} else {do polling}
On 8/20/2013 1:47 AM, Ben wrote:
IDLE is not required for this. Polling, which is the default on all MUAs,
Not entirely sure I'd call it "the default", Thunderbird seems to setup for IDLE as default these days, and I suspect Apple Mail and any of the other popular ones do too.
The source code probably looks something like if (canIdle) then {do stuff} else {do polling}
I haven't looked at a recent fresh install config of TB. If they have started enabling IDLE by default it's recently, and they'd have been required to increase the default 5 cached connections. Otherwise many folk would never see new mail notification on some of their server side sorted folders. And Joe and Susie Sixpack have no knowledge of the relationship between connection (socket) count and IDLE requirements, and I'd guess no MUA has documentation explaining this. I'm pretty sure Mozilla does not. I'm sure there are forum posts about it, but I doubt official documentation exists.
For IDLE to work seamlessly requires basically 3 things:
- MUA counts all IMAP folders and
- Always maintains $folder_count sockets
- IMAP servers must allow basically unlimited sockets
In a closed environment such as a corp/uni this can be achieved, and without unlimited sockets, if staff can enforce a limit on folder count. In an open environment such as an ISP or freemail provider, they'd have to allow unlimited sockets. Some may do so currently. I have no knowledge of what such providers are doing in this regard as I don't use them nor support anyone who does.
-- Stan
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 20 Aug 2013, Ben wrote:
IDLE is not required for this. Polling, which is the default on all MUAs,
Not entirely sure I'd call it "the default", Thunderbird seems to setup for IDLE as default these days, and I suspect Apple Mail and any of the other popular ones do too.
Thunderbird can IDLE since long time, but does polling, if the number of allowed connections is exceeded. So, IDLE or polling is transparent to the users, except if some new-message indicator is not as quick as usual.
IMHO, this behaviour is the "default", if one will named it as such, because it makes the most sense and an ordinary user is not able to choose correctly, most of the time.
If somebody has already prepared a paper, when the load of x IDLE connections exceeds the load of polling of x folders for an amount of y simultaneous users? :-)
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)
iQEVAwUBUhNfZl3r2wJMiz2NAQL3iwf/TYcuuQAjkwC1Puq9KiyrOoR19SzjFp32 4B0m4nNgNrfSK/lxDWwYwYmOCNuCp/NrRuoiJyn34G/LH2p9X6z4pnv4nFVE2SYV gcWPd6nAmYsi3EoaIv71rvWtFf2JhuNOuX96+14DBjZyCzneUyqAvqxK8V1a/huA b0JAzczwt75J+kEqKPOHNq4dUK514FCc7kpMUFsDUlbAlxIkY10o2Y4PK8rirbGG m6kuYN+nceF6rcoLta0afUh/lSDKLX3MDQsGbMHBN/R/RqI2DTuZszXYjn1KqK4Q FoigN61j5yzIL7Yua18m29S12Myy5jLKFvcESLeGK3Ubgv9TdC2ARA== =OK/d -----END PGP SIGNATURE-----
On 2013-08-19 23:00, Stan Hoeppner wrote:
- a IMAP client opens one connection *per folder*
What do you mean by "per folder"? I've been limiting Tbird to 2 IMAP connections for many years and, unsurprisingly, it never opens more than two IMAP connections to Dovecot no matter how many folders I access, tabs I have open, or searches I perform, etc:
tcp 0 0 192.168.100.9:143 192.168.100.53:1663 ESTABLISHED 13189/imap tcp 0 0 192.168.100.9:143 192.168.100.53:1672 ESTABLISHED 13192/imap
And with the default TB limit of 5 it never opens more than 5. Which clients exhibit this "per folder" connection behavior? That seems totally unnecessary.
Any client which supports the 'IDLE' command does this; it's a mechanism to avoid that a client has to poll the IMAP server for new mail. The client does an 'IDLE' call *per folder* which only returns when the server adds new mail to the folder. Hence, the IDLE call blocks the connection, which is why mail clients which use IDLE have to establish multiple IMAP connections, one per folder which is monitored using this feature.
-- Frerich Raabe - raabe@froglogic.com www.froglogic.com - Multi-Platform GUI Testing
participants (6)
-
Ben
-
Frerich Raabe
-
LuKreme
-
Reindl Harald
-
Stan Hoeppner
-
Steffen Kaiser