iOS Mail app and rapid authenticate / disconnect on Dovecot proxy

7 Mar 2017


      Hi folks,
I have a handful of iOS 10.2.1 Mail app IMAP clients that intermittently
break into this unexplained authenticate-then-immediately-disconnect
behavior when connecting to a RHEL7 Dovecot (dovecot-2.2.10-7.el7)
proxy, providing proxied connections to a backend Panda/UW-IMAP server.
From talking to the users, the activity would appear to be spontaneous
(ie: not caused by user interaction with the device).
The behavior doesn't seem to have any observable implications for the
end user, other than momentarily hitting the Dovecot process_limit
(which, if not raised to a rather large number, disrupts new IMAP proxy
connections momentarily).
I reckon this is not an issue with Dovecot, but I'm curious to know if
other folks have observed this behavior when dealing with iOS Mail app
clients?
The log entries look like this:
iOS 10 device = 172.16.0.1
RHEL7 Dovecot proxy host = 192.168.0.1 ("proxyhost")
Panda/UW-IMAP target = panda.imap.tld
Mar  6 12:11:00 proxyhost dovecot: imap-login: proxy(jdoe): started
proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN,
rip=172.16.0.1, lip=192.168.0.1, TLS, session=<VvzqehVKhwBCol00>
Mar  6 12:11:00 proxyhost dovecot: imap-login: proxy(jdoe):
disconnecting 172.16.0.1 (Disconnected by client): user=<jdoe>,
method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS: Disconnected,
session=<VvzqehVKhwBCol00>
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): started
proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN,
rip=172.16.0.1, lip=192.168.0.1, TLS, session=<jaXxehVKiABCol00>
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe):
disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>,
method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS,
session=<jaXxehVKiABCol00>
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): started
proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN,
rip=172.16.0.1, lip=192.168.0.1, TLS, session=<RmX4ehVKiQBCol00>
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe):
disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>,
method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS,
session=<RmX4ehVKiQBCol00>
Mar  6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): started
proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN,
rip=172.16.0.1, lip=192.168.0.1, TLS, session=<inYBexVKigBCol00>
Mar  6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe):
disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>,
method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS,
session=<inYBexVKigBCol00>
Mar  6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): started
proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN,
rip=172.16.0.1, lip=192.168.0.1, TLS, session=<GwAJexVKiwBCol00>
Mar  6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe):
disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>,
method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS,
session=<GwAJexVKiwBCol00>
Mar  6 12:11:03 proxyhost dovecot: imap-login: proxy(jdoe): started
proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN,
rip=172.16.0.1, lip=192.168.0.1, TLS, session=<asUPexVKswBCol00>
Mar  6 12:11:03 proxyhost dovecot: imap-login: proxy(jdoe):
disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>,
method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS,
session=<asUPexVKswBCol00>
Mar  6 12:11:03 proxyhost dovecot: imap-login: proxy(jdoe): started
proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN,
rip=172.16.0.1, lip=192.168.0.1, TLS, session=<n9YYexVKjQBCol00>
Mar  6 12:11:04 proxyhost dovecot: imap-login: proxy(jdoe):
disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>,
method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS,
session=<n9YYexVKjQBCol00>
...and on and on, usually until the 'service imap-login' process_limit
is reached.  You could naturally apply some iptables rate-limiting to
avoid hitting process_limit, but it'd be nice to have the iOS client
simply behave properly instead.
dovecot -n:
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-514.6.2.el7.x86_64 x86_64 Red Hat Enterprise Linux
Server release 7.3 (Maipo)
auth_mechanisms = plain login
auth_verbose = yes
first_valid_uid = 1000
imap_capability = +I18NLEVEL=1
mbox_write_locks = fcntl
passdb {
args = nopassword=y
default_fields = proxy=y ssl=any-cert host=panda.imap.tld
driver = static
}
protocols = imap pop3
service imap-login {
process_limit = 400-ish at the moment
process_min_avail = 2
}
service pop3-login {
inet_listener pop3s {
port = 995
ssl = yes
}
}
ssl = required
ssl_ca = </etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ssl_cert = <proxyhost.crt
ssl_dh_parameters_length = 2048
ssl_key = <proxyhost.key
ssl_protocols = !SSLv3 !SSLv3
ssl_require_crl = no
userdb {
driver = static
}
Thanks for any insight out there.
Robert Giles

Robert Giles

dovecot -n:

tags

participants (1)