Dovecot 2.2.27 proxy - enforcing per client IP connection limits
Hi,
Trying to keep abusive/buggy IMAP clients at bay on a number of Dovecot proxy servers, I've reconfigured them to use "mail_max_userip_connections = 50" in the "protocol imap" section, followed by restarting Dovecot. Yet, I'm still seeing 160+ established connections from a single IP address for the same email account. Am I missing anything?
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 2.6.32-642.4.2.el6.x86_64 x86_64 CentOS release 6.8 (Final)
auth_cache_negative_ttl = 5 mins
auth_cache_size = 16 M
auth_cache_ttl = 18 hours
default_client_limit = 6120
default_process_limit = 500
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_extensions = +notify +imapflags
}
protocols = imap pop3 lmtp sieve
service auth {
  client_limit = 6120
}
service imap-login {
  process_limit = 2048
  process_min_avail = 20
  service_count = 0
  vsz_limit = 256 M
}
service imap {
  process_limit = 2048
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  service_count = 0
  vsz_limit = 128 M
}
service managesieve {
  process_limit = 1024
}
service pop3 {
  process_limit = 1024
}
[...]
protocol imap {
  imap_capability = IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
  mail_max_userip_connections = 50
}
-- Adi Pircalabu
Quick follow-up: updated the proxies to 2.2.28, but I still couldn't
find a way to limit the inbound IMAP connections per IP & username. I
know "mail_max_userip_connections" limit works for the mail stores, but
it doesn't seem to have any effect on the proxies. I'm using a mix of
Dovecot & Courier-IMAP servers as backends.
Basically I need to find a way to enforce the maximum limit for the
username<>remoteip so that, if I have:
ESTCONNS=$(doveadm -f flow proxy list | grep "username=usern@domain.com.proto=imap" | wc -l)
$ESTCONNS is lower than or equal to the configured limit.
The proxies are configured as per
https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy to forward
the password to the remote server using MySQL. In dovecot-sql.conf.ext I
have:
password_query = SELECT NULL AS password, 'Y' as nopassword, host, email
as email, 'any-cert' as 'starttls', 'Y' AS proxy FROM mailbox WHERE
email = '%u' AND disabled_smtpauth=0
At the moment the only way I can limit the number of established connections per source IP address on the Dovecot proxies is using iptables, which isn't what I want. Where else can I look?
Adi Pircalabu, System Administrator DDNS, a Total Internet Company 159 Barkly Avenue, Burnley, Vic 3121, T +61 3 9815 6868
On 08/03/17 12:32, Adi Pircalabu wrote:
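The per-user, per-source-IP count described above, written out as a small script. This is an added example, not code from the thread or from Dovecot: it parses the "-f flow" output of "doveadm proxy list" with awk instead of grepping one hard-coded user, so one run reports every (username, src-ip) pair over the limit. The field names username, proto and src-ip are assumed to match the columns "doveadm proxy list" prints in Dovecot 2.2; the usernames and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot: reproduce the
# per-user-per-IP count on the proxy side by parsing the flow-formatted
# output of "doveadm proxy list". Field names (username, proto, src-ip)
# are assumed to match the columns Dovecot 2.2 prints.

# over_limit LIMIT
# Reads flow-formatted proxy list lines on stdin and prints
# "<count> <username> <src-ip>" for every (username, src-ip) pair with
# more than LIMIT established IMAP sessions, highest count first.
over_limit() {
    awk -v limit="${1:-50}" '
    {
        user = ""; proto = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            if (key == "username") user = val
            else if (key == "proto") proto = val
            else if (key == "src-ip") ip = val
        }
        # Only IMAP sessions count, matching the "protocol imap" section
        # in which the poster set mail_max_userip_connections.
        if (proto == "imap" && user != "" && ip != "")
            count[user " " ip]++
    }
    END {
        for (k in count)
            if (count[k] + 0 > limit + 0)
                print count[k], k
    }' | sort -rn
}

# Constructed sample of "doveadm -f flow proxy list" output (not a real
# capture): alice has three IMAP sessions from one address, one from
# another, plus a POP3 session that must not be counted.
sample_flow() {
    cat <<'EOF'
username=alice@example.com proto=imap src-ip=198.51.100.7 dest-ip=10.0.0.11 dest-port=143
username=alice@example.com proto=imap src-ip=198.51.100.7 dest-ip=10.0.0.11 dest-port=143
username=alice@example.com proto=imap src-ip=198.51.100.7 dest-ip=10.0.0.11 dest-port=143
username=alice@example.com proto=pop3 src-ip=198.51.100.7 dest-ip=10.0.0.11 dest-port=110
username=alice@example.com proto=imap src-ip=203.0.113.9 dest-ip=10.0.0.11 dest-port=143
username=bob@example.com proto=imap src-ip=198.51.100.7 dest-ip=10.0.0.12 dest-port=143
EOF
}

# Demo on the constructed sample with a limit of 2. On a real proxy run:
#   doveadm -f flow proxy list | over_limit 50
sample_flow | over_limit 2
```

Each proxy only lists the sessions it is carrying itself, so with several proxies and no source-IP stickiness in front of them this count is per proxy, not per user; that is the same caveat the thread raises about enforcing the limit at the proxy layer.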
Hi,
mail_max_userip_connections is only enforced at the backend level. The setting has no effect on proxy. If you want to force the limit then you can only do it in the backend.
Sami
On 9 Mar 2017, at 12.05, Adi Pircalabu adi@ddns.com.au wrote:
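What "only enforced at the backend level" looks like in configuration, as an added example that is not from the thread or from the Dovecot documentation. The proxy addresses in login_trusted_networks are assumed values.

```conf
# Added example, not from the thread. Proxy side: this section is accepted
# by doveconf but has no effect on proxied logins, as stated in the reply.
protocol imap {
  mail_max_userip_connections = 50
}

# Dovecot backend side, where the limit is enforced. login_trusted_networks
# must list the proxies (addresses assumed) so the backend counts against
# the original client IP the proxy forwards at login; without it every
# proxied session appears to come from the proxy's own address and the
# per-IP limit is shared by all clients behind that proxy.
login_trusted_networks = 192.0.2.10 192.0.2.11
protocol imap {
  mail_max_userip_connections = 50
}
```

This only covers the Dovecot backends mentioned in the thread; a Courier-IMAP backend has no equivalent of this per-user-per-IP setting, and its own per-IP limit would see the proxy's address rather than the client's.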
Thanks,
I thought this might be the case. Is there any solution to enforce this on the proxy? If not, will a feature request be considered anytime soon? I see the proxies as the first line of defense against IMAP "abuse" and I think it's consistent having the same configurable option available on both backends and the proxies.
Adi Pircalabu
On 14-03-2017 20:17, Sami Ketola wrote:
On 16 Mar 2017, at 0.14, Adi Pircalabu adi@ddns.com.au wrote:
I thought this might be the case. Is there any solution to enforce this on the proxy? If not, will a feature request be considered anytime soon? I see the proxies as the first line of defense against IMAP "abuse" and I think it's consistent having the same configurable option available on both backends and the proxies.
No plans to support enforcing at proxy level. One problem here is that there are no guarantees that the connections even end up in the same proxies, although I guess if your load balancer does IP stickiness that could work well enough.
On 16/03/17 11:03, Timo Sirainen wrote:
No plans to support enforcing at proxy level. One problem here is that there are no guarantees that the connections even end up in the same proxies, although I guess if your load balancer does IP stickiness that could work well enough.
With or without a load balancer in front of the proxies, it's still very manageable. Even without a load balancer, if you have say proxy_mail_max_userip_connections=n and m proxies, the maximum number of connections that can hit the backend at any time for a user is n*m. Would this help me to better manage the resources? Think it would. Is there a business case for the feature? For us it is, we're periodically getting hammered by iOS devices that try to open 300+ simultaneous IMAP connections for a single user from the same IP, while the average usually hovers below 50 for the busier mailboxes with many folders.
Thanks, Adi Pircalabu, System Administrator
Hi,
It would be quite hard to enforce a limit at the proxy level since the proxies do not share any information. I currently do not know of any way to enforce a limit at the proxies.
Sami
On 16 Mar 2017, at 7.14, Adi Pircalabu adi@ddns.com.au wrote:
participants (3)
- Adi Pircalabu
- Sami Ketola
- Timo Sirainen