[Dovecot] How to limit max number of connections for ip address
Hi List:
Does anyone know if it is possible to configure Dovecot to limit the max number of connections per IP address?
I would like to prevent future fork-bombing attacks on the pop3 and imap login processes in my email server.
Our Dovecot version is 1.2.10.
Thanks,
Wilberth.
On 24.2.2012, at 0.33, Wilberth Perez wrote:
Does anyone know if it is possible to configure Dovecot to limit the max number of connections per IP address?
I would like to prevent future fork-bombing attacks on the pop3 and imap login processes in my email server.
Our Dovecot version is 1.2.10.
There is a mail_max_userip_connections setting which limits the IP+username combination. Typically that should be enough to prevent fork bombing, because users normally don't have more than one account.
Or do you mean when some IP keeps connecting even without actually logging in? http://wiki.dovecot.org/LoginProcess has some settings related to this, which should normally be quite helpful if the limits are right.
Hi Timo:
My question was because we constantly receive brute force attacks from some IP addresses which use the pop3 service to affect Dovecot's login process.
For example:
Error: Temporary failure in creating login processes, slowing down for now
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=A.B.C.D,
Info: Aborted login (auth failed, 1 attempts): user=<useradmin>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<admin123>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<administrator>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<adm>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
auth(default): Info: shadow(best,A.B.C.D): unknown user
dovecot: Error: pipe() failed: Too many open files
dovecot: Error: Temporary failure in creating login processes, slowing down for now
In the log above from the dovecot.log file, we observed a lot of connections from IP address A.B.C.D to our email server with IP address X.Y.Z.A using the pop3 login process.
Is it possible to prevent this type of attack with any Dovecot option (maybe limiting the max number of connections from one IP address, or maybe upgrading my Dovecot version)?
Thanks for your help and time.
Wilberth.
On 23/02/2012 05:21 p.m., Timo Sirainen wrote:
On 24.2.2012, at 0.33, Wilberth Perez wrote:
Does anyone know if it is possible to configure Dovecot to limit the max number of connections per IP address?
I would like to prevent future fork-bombing attacks on the pop3 and imap login processes in my email server.
Our Dovecot version is 1.2.10.
There is a mail_max_userip_connections setting which limits the IP+username combination. Typically that should be enough to prevent fork bombing, because users normally don't have more than one account.
Or do you mean when some IP keeps connecting even without actually logging in? http://wiki.dovecot.org/LoginProcess has some settings related to this, which should normally be quite helpful if the limits are right.
On 2012-02-24 10:07 AM, Wilberth Perez <wilberth.perez@uady.mx> wrote:
My question was because we constantly receive brute force attacks from some IP addresses which use the pop3 service to affect Dovecot's login process.
This is quickly becoming an FAQ...
If this is Linux, and these attacks are from the *same* IP address(es) (sounds like that is the case), then your best option is something like fail2ban. If, however, they are from bots that change IP address each time, fail2ban won't be effective...
--
Best regards,
Charles
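Added example, not from this thread and not Dovecot's or fail2ban's own code: a small Python pass over pop3-login/imap-login lines in the format Wilberth posted, aggregating failed attempts and distinct usernames per remote IP (rip=). This is the per-IP evidence a fail2ban-style filter keys on, and it also shows why a single-IP ban helps against the case shown (one source, many usernames) but not against rotating sources. The sample lines, the 192.0.2.10 address and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log in the thread's format. A.B.C.D and X.Y.Z.A are the
# thread's placeholder addresses; 192.0.2.10 is a made-up legitimate client.
SAMPLE_LOG = """\
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<useradmin>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<admin123>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<administrator>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<adm>, method=PLAIN, rip=A.B.C.D, lip=X.Y.Z.A
imap-login: Info: Aborted login (auth failed, 2 attempts): user=<wilberth>, method=PLAIN, rip=192.0.2.10, lip=X.Y.Z.A
imap-login: Info: Login: user=<wilberth>, method=PLAIN, rip=192.0.2.10, lip=X.Y.Z.A
"""

# Matches only "Aborted login (auth failed, N attempts)" lines; successful
# "Login:" lines and unrelated errors are ignored.
ABORTED_RE = re.compile(
    r"(?P<svc>pop3|imap)-login: Info: Aborted login \(auth failed, (?P<n>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[^,\s]+),"
)


def parse_failures(log_text):
    """Yield (service, attempts, user, rip) for each aborted-login line."""
    for line in log_text.splitlines():
        m = ABORTED_RE.search(line)
        if m:
            yield m["svc"], int(m["n"]), m["user"], m["rip"]


def summarize_by_ip(log_text):
    """Return {rip: {"attempts": total failed attempts, "users": set of usernames}}."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for _svc, n, user, rip in parse_failures(log_text):
        per_ip[rip]["attempts"] += n
        per_ip[rip]["users"].add(user)
    return dict(per_ip)


def offending_ips(log_text, max_attempts=5, max_users=3):
    """IPs that hit the attempt threshold or probed too many distinct usernames.

    A user mistyping one password trips neither limit; a scanner walking a
    username list trips the second one even with one attempt per name."""
    return sorted(
        rip for rip, s in summarize_by_ip(log_text).items()
        if s["attempts"] >= max_attempts or len(s["users"]) >= max_users
    )


if __name__ == "__main__":
    summary = summarize_by_ip(SAMPLE_LOG)
    for rip in offending_ips(SAMPLE_LOG):
        print(rip, summary[rip]["attempts"], "attempts,", sorted(summary[rip]["users"]))
```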
On 24.2.2012, at 17.07, Wilberth Perez wrote:
My question was because we constantly receive brute force attacks from some IP addresses which use the pop3 service to affect Dovecot's login process.
For example:
dovecot: Error: pipe() failed: Too many open files
dovecot: Error: Temporary failure in creating login processes, slowing down for now
This is your main problem. Increase ulimit -n so Dovecot won't stop creating login processes (or alternatively decrease the max number of login processes). Newer Dovecot versions warn at startup if the fd limit is too low.