21 Jun 2023, 1:46 a.m.
From: "André Rodier"
chain input {
    # Limit new imap connections ala fail2ban
    meta nfproto ipv4 tcp dport imaps ct state new,untracked \
        limit rate over 10/minute add @banned_imap_ipv4 { ip saddr }
I don't know all the subtleties of this rule, but there are some mail clients (MacOSX Mail comes to mind) that will bombard your IMAP server with new connections when it does a global search. It will open a new connection for each mailbox, then do a search. When your connection limit is reached, it will then close all the open connections and do another round.
This may be interpreted as a BFD attack, and you'll lock out a legitimate user.
Joseph Tam <jtam.home@gmail.com>
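
Added example (not part of the original message, and not nftables' own accounting): a simplified per-source token-bucket model of a "10 new connections per minute" limit, run over constructed traffic to show how the burst allowance decides whether a one-connection-per-mailbox search gets a legitimate client banned. The addresses, burst values, timings and the assumption that the limit is tracked per source address are all illustrative.

```python
from collections import defaultdict

def banned_sources(events, rate_per_min=10, burst=5):
    """Return {source: timestamp of the connection that tripped the limit}.

    events: (timestamp_seconds, source_ip) for NEW connections, sorted by time.
    Assumed model: each source has a bucket of up to `burst` tokens, refilled
    at `rate_per_min` tokens per minute; a new connection that finds less than
    one token is over the limit and the source is added to the ban set.
    """
    refill = rate_per_min / 60.0          # tokens per second
    tokens = defaultdict(lambda: float(burst))
    last_seen = {}
    banned = {}
    for ts, src in events:
        if src in banned:                 # already banned, nothing more to learn
            continue
        elapsed = ts - last_seen.get(src, ts)
        tokens[src] = min(burst, tokens[src] + elapsed * refill)
        last_seen[src] = ts
        if tokens[src] >= 1.0:
            tokens[src] -= 1.0            # connection is within the limit
        else:
            banned[src] = ts              # connection is over the limit
    return banned

def mail_search(src, start, mailboxes, gap=0.2):
    """Constructed traffic: one new IMAPS connection per mailbox searched."""
    return [(start + i * gap, src) for i in range(mailboxes)]

def steady_connector(src, start, attempts, gap=2.5):
    """Constructed traffic: a new connection every `gap` seconds."""
    return [(start + i * gap, src) for i in range(attempts)]

# Constructed sample: a user with 25 mailboxes runs one global search while
# another address opens a new connection every 2.5 seconds (24 per minute).
SAMPLE = sorted(mail_search("192.0.2.10", 0.0, 25)
                + steady_connector("198.51.100.7", 0.0, 60))

if __name__ == "__main__":
    for burst in (5, 30):
        print(f"burst={burst}: {banned_sources(SAMPLE, burst=burst)}")
```

In this model a burst of 5 bans the mail client on its sixth connection, one second into the search; a burst of 30 lets the search through and still bans the steady connector, only later.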