[Dovecot] Throttle New Connections?
All,
Is anyone using iptables (recent module), or any other alternatives, to throttle the number of new imap or pop connections per minute? We have some applications that like to login every second to pull mail using imap, so we'd like to protect the entire dovecot server from these applications. We've already made the change over to high-perf mode, but we still need some type of denial of service protection. Any real-world data would be appreciated.
Thanks!
This may be off topic - but you could always use something like imapproxy in front of your dovecot IMAP daemon. We do this locally for our webmail clients which use IMAP for the access to the mail store.
Imapproxy can be found here: http://imapproxy.org/
-----Original Message-----
From: dovecot-bounces+breu=cfu.net@dovecot.org [mailto:dovecot-bounces+breu=cfu.net@dovecot.org] On Behalf Of Joe Allesi -X (joallesi - Coyote Creek Consulting at Cisco)
Sent: Monday, November 19, 2007 11:25 AM
To: Dovecot Mailing List
Subject: [Dovecot] Throttle New Connections?

> All,
> Is anyone using iptables (recent module), or any other alternatives, to throttle the number of new imap or pop connections per minute? We have some applications that like to login every second to pull mail using imap, so we'd like to protect the entire dovecot server from these applications. We've already made the change over to high-perf mode, but we still need some type of denial of service protection. Any real-world data would be appreciated.
> Thanks!
On Nov 19, 2007, at 9:24 AM, Joe Allesi -X (joallesi - Coyote Creek Consulting at Cisco) wrote:

> All,
> Is anyone using iptables (recent module), or any other alternatives, to throttle the number of new imap or pop connections per minute? We have some applications that like to login every second to pull mail using imap, so we'd like to protect the entire dovecot server from these applications. We've already made the change over to high-perf mode, but we still need some type of denial of service protection. Any real-world data would be appreciated.

Yeah, I throttle initial connections per IP to something like 15 or 20. I started doing this after I got hit with a little more than 600 connections/second for a few minutes.
I use OpenBSD with pf.
Sean
> Yeah, I throttle initial connections per IP to something like 15 or 20. I started doing this after I got hit with a little more than 600 connections/second for a few minutes.
Just a note to those who might not know - but Outlook (Express) and possibly other MUAs like to connect once per "account", so if you host multiple accounts for a single person, you'll have them connecting in once for each account whenever their client checks mail/starts up.
I host my own email and I have about 5 accounts (I've had more in the past) I check. The instant I set a throttle on connections per second I had tons of errors come up when I would check my mail since I couldn't successfully log in for all accounts.
What you'd possibly be more interested in if you're hosting mail for many people is some way to throttle based on account, though that would require peeking at the protocol data and such.
Eli.
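Joe asked specifically about the iptables "recent" match, and Eli's point above is the main sizing constraint for it: a client that checks several accounts opens one new connection per account, so the per-IP budget has to leave room for that. The script below is an added example, not something posted in this thread; the port, window and hit count are constructed defaults that you would tune (Sean's 15 to 20 per IP is the only real-world figure the thread gives). It prints the two rules by default and installs them only when asked, and it refuses a hit count the recent module cannot honour.

```shell
#!/bin/sh
# Added example (not from the thread): throttle new connections per source IP
# to a mail port with the iptables "recent" match.
# Constructed defaults: 143/tcp, a 60-second window, 20 new connections.
#
# Usage: imap_throttle_rules [port] [window_seconds] [hitcount] [--apply]
#   imap_throttle_rules 143 60 20          # print the two rules
#   imap_throttle_rules 143 60 20 --apply  # install them (needs root)

imap_throttle_rules() {
    port=${1:-143}      # TCP port to protect (143 IMAP, 110 POP3, 993, 995 ...)
    window=${2:-60}     # seconds of history the match looks back over
    hits=${3:-20}       # new connections allowed per source IP inside the window
    mode=${4:-print}    # "print" (default) or "--apply"

    # xt_recent keeps at most ip_pkt_list_tot timestamps per address (20 by
    # default), so a --hitcount above that can never match. Refuse it rather
    # than install a rule that silently throttles nothing.
    if [ "$hits" -gt 20 ]; then
        echo "hitcount $hits exceeds the xt_recent ip_pkt_list_tot default (20);" \
             "load the module with ip_pkt_list_tot=$hits or lower the count" >&2
        return 1
    fi

    name="mail_$port"
    # Rule 1: if this source already has >= $hits new connections recorded in
    # the last $window seconds, drop the SYN. --update (rather than --rcheck)
    # refreshes the entry on every blocked attempt, so a client that keeps
    # hammering stays throttled until it actually backs off.
    # Rule 2: otherwise record this new connection for the source IP; the
    # packet then continues down the chain to the normal accept rule.
    set -- \
      "iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --name $name --update --seconds $window --hitcount $hits -j DROP" \
      "iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --name $name --set"

    for rule in "$@"; do
        if [ "$mode" = "--apply" ]; then
            $rule || return 1
        else
            echo "$rule"
        fi
    done
}
```

Because the check rule precedes the record rule, exactly `hits` new connections per window get through and the next one is dropped. The addresses currently being tracked, with their timestamps, can be read from `/proc/net/xt_recent/mail_143` (older kernels expose the same list under `/proc/net/ipt_recent`), which is the quickest way to confirm that a multi-account client such as the one Eli describes is landing under the limit rather than being cut off on its fourth or fifth mailbox.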
On Nov 20, 2007, at 2:10 PM, Eli Sand wrote:

> I host my own email and I have about 5 accounts (I've had more in the past) I check. The instant I set a throttle on connections per second I had tons of errors come up when I would check my mail since I couldn't successfully log in for all accounts.
>
> What you'd possibly be more interested in if you're hosting mail for many people is some way to throttle based on account, though that would require peeking at the protocol data and such.

My throttling is based on IP, and it took some experimentation to dial it down to a useful number. Most of my users are on DSL or dialup lines, and not behind corporate firewalls with aggregation.
Sean
participants (4)
- Eli Sand
- Joe Allesi -X (joallesi - Coyote Creek Consulting at Cisco)
- Joseph W. Breu
- Sean Kamath