[Dovecot] Meaning of mail_max_userip_connections?
Hi,
I set mail_max_userip_connections in our IMAP configuration to
mail_max_userip_connections = 10
to allow users 10 parallel connections. It seems that this also limits the amount of parallel connections from one IP but different users?!
Our users are mostly accessing the IMAP server by a webmailer or proxies. Thus, all users (>10000) come from only 5 different IPs. However, I got a lot of complaints about denied connections after setting mail_max_userip_connections = 10.
Am I right with the meaning of this parameter?
Thanks in advance
Harry
Harald Strack put forth on 9/27/2010 3:59 AM:
> Hi,
> I set mail_max_userip_connections in our IMAP configuration to
> mail_max_userip_connections = 10
> to allow users 10 parallel connections. It seems that this also limits the amount of parallel connections from one IP but different users?!
> Our users are mostly accessing the IMAP server by a webmailer or proxies. Thus, all users (>10000) come from only 5 different IPs. However, I got a lot of complaints about denied connections after setting mail_max_userip_connections = 10.
> Am I right with the meaning of this parameter?
More importantly, what were you attempting to accomplish by setting this? What problem were you expecting it to solve?
Webmail servers typically don't hold an IMAP connection open for more than a few seconds so this setting does nothing in a webmail only environment.
Proxies on the other hand, such as imapproxy, will hold concurrent connections open for quite a while. Enabling this setting with upstream imap proxies is a bad idea, as you've discovered.
Again, what specific problem are you trying to solve?
-- Stan
Hi Stan,
thank you very much for your help!
On Mon, 2010-09-27 at 04:24 -0500, Stan Hoeppner wrote:
> Harald Strack put forth on 9/27/2010 3:59 AM:
>> Hi,
>> I set mail_max_userip_connections in our IMAP configuration to
>> mail_max_userip_connections = 10
>> to allow users 10 parallel connections. It seems that this also limits the amount of parallel connections from one IP but different users?!
>> Our users are mostly accessing the IMAP server by a webmailer or proxies. Thus, all users (>10000) come from only 5 different IPs. However, I got a lot of complaints about denied connections after setting mail_max_userip_connections = 10.
>> Am I right with the meaning of this parameter?
> More importantly, what were you attempting to accomplish by setting this? What problem were you expecting it to solve?
> Webmail servers typically don't hold an IMAP connection open for more than a few seconds so this setting does nothing in a webmail only environment.
We do have 1000s of parallel connections. Even a few seconds per connection needs more than 10 parallel connections.
> Proxies on the other hand, such as imapproxy, will hold concurrent connections open for quite a while. Enabling this setting with upstream imap proxies is a bad idea, as you've discovered.
We do not use imapproxy. Our proxies behave more like NAT-gateways: the IMAP-Server gets a lot of connections from different users from the same IP.
> Again, what specific problem are you trying to solve?
we have the problem that some users forked more than 100 processes (in one case we know the user was accessing the server with a custom script, some are caused by any buggy clients that do too many reconnects...).
We want to limit the number of imap processes per user to 10, but not the number of processes per client IP (because of the proxies).
Any idea?
Thanks in advance
Harry
On Mon, 2010-09-27 at 12:17 +0200, Harald Strack wrote:
> Our users are mostly accessing the IMAP server by a webmailer or proxies. Thus, all users (>10000) come from only 5 different IPs. However, I got a lot of complaints about denied connections after setting mail_max_userip_connections = 10.
> We want to limit the number of imap processes per user to 10, but not the number of processes per client IP (because of the proxies).
For that mail_max_userip_connections should have worked. If you get complaints then it's because some client opens more than 10 connections (or user has multiple clients open from same IP) or your webmail opens 10 connections simultaneously.
You didn't say if the complaints were from webmail users or from IMAP client users.. Assuming webmail, I guess the problem is that it just opens so many connections. With v2.0 you could specify different limits to a certain network range (i.e. disable it for webmail, keep it for rest).
BTW. The default for mail_max_userip_connections is 10, so do you mean before you had it set to 0?
Hi Timo,
On Mon, 2010-09-27 at 13:50 +0100, Timo Sirainen wrote:
> On Mon, 2010-09-27 at 12:17 +0200, Harald Strack wrote:
>> Our users are mostly accessing the IMAP server by a webmailer or proxies. Thus, all users (>10000) come from only 5 different IPs. However, I got a lot of complaints about denied connections after setting mail_max_userip_connections = 10.
>> We want to limit the number of imap processes per user to 10, but not the number of processes per client IP (because of the proxies).
> For that mail_max_userip_connections should have worked. If you get complaints then it's because some client opens more than 10 connections (or user has multiple clients open from same IP) or your webmail opens 10 connections simultaneously.
Accordingly, mail_max_userip_connections limits the number of connections from an IP. To deal with a scenario, when 400 Users behind a NAT-gateway come from the same IP (the gateway), we have to set mail_max_userip_connections = 400, right?
> You didn't say if the complaints were from webmail users or from IMAP client users.. Assuming webmail, I guess the problem is that it just opens so many connections.
Both.
> With v2.0 you could specify different limits to a certain network range (i.e. disable it for webmail, keep it for rest).
Will there also be a limit per user?
> BTW. The default for mail_max_userip_connections is 10, so do you mean before you had it set to 0?
Nearly. We had it set to 1000 and we set it to 1000 again now.
best regards
Harry
On Mon, 2010-09-27 at 15:30 +0200, Harald Strack wrote:
> Accordingly, mail_max_userip_connections limits the number of connections from an IP. To deal with a scenario, when 400 Users behind a NAT-gateway come from the same IP (the gateway), we have to set mail_max_userip_connections = 400, right?
No, wrong. It's a user+ip combination. Each different user behind the same IP can use up to 10 connections with mail_max_userip_connections=10.
BTW. What Dovecot version? If this isn't working as expected, maybe dovecot -n output could show something useful..
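The keying described in the reply above, modelled as an added example (not part of the thread and not Dovecot's code): the limit counts concurrent connections per user+IP pair, compared here with the per-IP reading from the question. The event format, user names and 192.0.2.x addresses are constructed.

```python
from collections import Counter

def replay(events, limit, key):
    """Replay ("open", conn_id, user, ip) / ("close", conn_id) events.

    key(user, ip) picks what the concurrent-connection counter is keyed on.
    Returns (accepted_count, Counter of rejected opens per user).
    """
    live = {}            # conn_id -> counter key, admitted connections only
    in_use = Counter()   # counter key -> connections currently open
    accepted, rejected = 0, Counter()
    for ev in events:
        if ev[0] == "open":
            _, conn_id, user, ip = ev
            k = key(user, ip)
            if in_use[k] >= limit:
                rejected[user] += 1
                continue
            in_use[k] += 1
            live[conn_id] = k
            accepted += 1
        elif ev[1] in live:          # a close frees the slot it occupied
            in_use[live.pop(ev[1])] -= 1
    return accepted, rejected

def user_ip(user, ip):   # keying as described in the thread: user+IP
    return (user, ip)

def ip_only(user, ip):   # the misreading: one counter per client IP
    return ip

def gateway_load(gw="192.0.2.10"):
    """Constructed load: 400 users x 3 connections and one script x 100,
    all arriving from a single gateway address (documentation range)."""
    opens = [(f"user{u}", gw) for u in range(400) for _ in range(3)]
    opens += [("scripter", gw)] * 100
    return [("open", i, user, ip) for i, (user, ip) in enumerate(opens)]

def via_proxies(n_ips, per_ip, limit=10):
    """Connections one user gets when opening per_ip through each proxy IP."""
    ev = [("open", (i, j), "scripter", f"192.0.2.{i + 1}")
          for i in range(n_ips) for j in range(per_ip)]
    return replay(ev, limit, user_ip)[0]

if __name__ == "__main__":
    print(replay(gateway_load(), 10, user_ip))   # script capped, others fine
    print(replay(gateway_load(), 10, ip_only)[0])
    print(via_proxies(5, 100))                   # 5 proxy IPs x limit
```

Because the counter is keyed on the pair, one account reaching the server through five proxy addresses can still hold five times the configured limit, which matters when the goal is a strict per-user cap.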
Hi Timo,
On Mon, 2010-09-27 at 14:42 +0100, Timo Sirainen wrote:
> On Mon, 2010-09-27 at 15:30 +0200, Harald Strack wrote:
>> Accordingly, mail_max_userip_connections limits the number of connections from an IP. To deal with a scenario, when 400 Users behind a NAT-gateway come from the same IP (the gateway), we have to set mail_max_userip_connections = 400, right?
> No, wrong. It's a user+ip combination. Each different user behind the same IP can use up to 10 connections with mail_max_userip_connections=10.
Thanks a lot for your explanation! However, now I am at the beginning again.
> BTW. What Dovecot version? If this isn't working as expected, maybe dovecot -n output could show something /usr/local
We do not use the most recent version... but was there a bug with this parameter?
# 1.2.8: /usr/local/dovecot-1.2.8/etc/dovecot.conf
# OS: SunOS 5.10 sun4u
base_dir: /var/run/dovecot-1.2.8
log_path: /var/log/dovecot.log
info_log_path: /var/log/dovecot.log
log_timestamp: %Y-%m-%d %H:%M:%S
listen: *:143
ssl_listen: *:993
ssl_cert_file: /usr/local/dovecot/etc/cert.pem
ssl_key_file: /usr/local/dovecot/etc/key.pem
verbose_ssl: yes
login_dir: /var/run/dovecot-1.2.8/login
login_executable: /usr/local/dovecot-1.2.8/libexec/dovecot/imap-login
login_processes_count: 8
login_max_processes_count: 8192
max_mail_processes: 16084
mail_max_userip_connections: 1000
mail_privileged_group: mail
mail_location: mbox:~/dovecot-home:LAYOUT=maildir++:INBOX=/var/mail/%u:INDEX=%h/dovecot-indexes
mail_debug: yes
mmap_disable: yes
mbox_write_locks: fcntl dotlock
mail_plugins: listescape
imap_client_workarounds: netscape-eoh delay-newmail outlook-idle
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
auth default:
  debug: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
best regards
Harry
On Mon, 2010-09-27 at 15:57 +0200, Harald Strack wrote:
>> No, wrong. It's a user+ip combination. Each different user behind the same IP can use up to 10 connections with mail_max_userip_connections=10.
> Thanks a lot for your explanation! However, now I am at the beginning again.
You could try doing some tests to see if you can trigger the problem. Or try to reduce the value from 1000 first to 100 and then maybe drop until people start complaining about and raise it a bit higher :)
>> BTW. What Dovecot version? If this isn't working as expected, maybe dovecot -n output could show something /usr/local
> We do not use the most recent version... but was there a bug with this parameter?
I was thinking if you were maybe using some really old version or maybe if you were using v2.0 and if there maybe had been some new bug.
> login_processes_count: 8
> login_max_processes_count: 8192
Maybe you should set login_process_per_connection=no. http://wiki.dovecot.org/LoginProcess
participants (3)
- Harald Strack
- Stan Hoeppner
- Timo Sirainen