[Dovecot] Dovecot failed logins delay all logins
Hi all,
I have observed with my Dovecot setup that unique failed logins cause legitimate correct logins to be slowed. I am running two servers, each with two Dovecot instances, a Proxy with Director, and a backend Dovecot. I suspect that the backend instance is throttling connections from the same IP, and because I am running a Proxy, the backend will only see either of the two server IPs. I confirmed this by directly connecting to the backend, to bypass the proxy and rule it out. I initiated dozens of unique failed logins from one IP and separately attempted to login from the same IP, and experienced an extended delay during login. At the same time a login from a different IP succeeded immediately. I see nothing in the logs suggesting some sort of process limits were exceeded, however I do see the following proc title for the backend auth process: "dovecot/auth [7 wait, 0 passdb, 0 userdb]"
I have increased the mail_max_userip_connections to a very large value however I believe that setting is a per username/ip limit. Is there any sort of setting in Dovecot that I can configure that stops this authentication throttling per IP? Below is the configuration of the backend Dovecot instance.
# 2.1.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.5.2.el6.x86_64 x86_64 Red Hat Enterprise Linux Server release 6.3 (Santiago)
auth_cache_negative_ttl = 3 secs
auth_cache_size = 100 M
auth_cache_ttl = 10 mins
auth_default_realm = example.com
auth_failure_delay = 5 secs
auth_mechanisms = plain login
auth_verbose_passwords = sha1
auth_worker_max_count = 25
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
first_valid_gid = 12
first_valid_uid = 8
last_valid_gid = 12
last_valid_uid = 8
login_greeting = Hello there.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_fsync = always
mail_gid = mail
mail_location = maildir:%h/Maildir
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = " stats"
mail_uid = mail
mmap_disable = yes
namespace {
  inbox = yes
  location = maildir:%h/Maildir
  prefix = INBOX.
  separator = .
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocols = pop3 imap
service auth {
  unix_listener auth-userdb {
    group = mail
    mode = 0660
    user = mail
  }
}
service imap-login {
  inet_listener imap {
    address = 0.0.0.0
    port = 9143
  }
  process_min_avail = 5
  service_count = 0
  vsz_limit = 256 M
}
service imap {
  process_limit = 1000
  vsz_limit = 256 M
}
service pop3-login {
  inet_listener pop3 {
    address = 0.0.0.0
    port = 9110
  }
  process_min_avail = 5
  service_count = 0
  vsz_limit = 256 M
}
service pop3 {
  process_limit = 1000
  vsz_limit = 256 M
}
service stats {
  fifo_listener stats-mail {
    mode = 0600
    user = mail
  }
  inet_listener {
    address = 127.0.0.1
    port = 24242
  }
}
ssl = no
stats_memory_limit = 64 M
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
verbose_proctitle = yes
protocol imap {
  imap_logout_format = bytes_read=%i bytes_send=%o
  mail_max_userip_connections = 1000
  mail_plugins = " stats "
}
protocol pop3 {
  mail_max_userip_connections = 1000
}
Dominic
I think I found a solution to this thanks to a post by Timo here: http://dovecot.org/list/dovecot/2011-December/062631.html
service anvil {
  unix_listener anvil-auth-penalty {
    mode = 0
  }
}
On 17/10/12 17:11, Dominic Malolepszy wrote:
On 10/17/2012 1:44 AM, Dominic Malolepszy wrote:
You can also leave IP based penalties and set your other servers such as proxy and webmail as trusted.
Jack
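An added check, not code from this thread or from Dovecot itself: it parses backend login log lines in the login_log_format_elements layout shown above, sums failed attempts per rip, and flags when the failures pile up on the proxy addresses (assumed here to be 192.0.2.10 and 192.0.2.11), which is exactly the situation where anvil's per-IP penalty delays every client behind the proxy. The sample log lines are constructed.

```python
import re
from collections import Counter

# Hypothetical addresses of the two proxy/director servers in front of the backend.
PROXY_IPS = {"192.0.2.10", "192.0.2.11"}

# Matches a login process "auth failed" disconnect line and captures the attempt
# count and the rip= element from this thread's login_log_format_elements.
FAIL_RE = re.compile(
    r"(?:imap|pop3)-login: Disconnected \(auth failed, (\d+) attempts[^)]*\):"
    r".*?rip=(\d+\.\d+\.\d+\.\d+)"
)


def failures_per_ip(lines):
    """Sum failed login attempts per remote IP (rip) as the backend sees it."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(2)] += int(m.group(1))
    return counts


def proxy_penalty_risk(counts, proxy_ips, threshold=3):
    """Return proxy IPs whose accumulated failures would be penalised by anvil.

    anvil keys auth penalties on the remote IP, so failures relayed through an
    untrusted proxy are all charged to the proxy address and every client behind
    it inherits the delay. The threshold is an assumed alerting value, not anvil's.
    """
    return {ip: n for ip, n in counts.items() if ip in proxy_ips and n >= threshold}


# Constructed sample backend log lines (not real traffic).
SAMPLE_LOG = [
    "imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20",
    "imap-login: Disconnected (auth failed, 3 attempts): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20",
    "imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20, mpid=4242",
    "pop3-login: Disconnected (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.20",
    "imap-login: Disconnected (auth failed, 2 attempts): user=<erin>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.20",
]

if __name__ == "__main__":
    counts = failures_per_ip(SAMPLE_LOG)
    for ip, n in proxy_penalty_risk(counts, PROXY_IPS).items():
        print(f"proxy {ip} absorbed {n} failed attempts; clients behind it share the penalty")
```

In Dovecot 2.x the setting behind Jack's suggestion is login_trusted_networks on the backend: with the proxy addresses listed there, the login processes take the client IP forwarded by the proxy as rip, so penalties attach to the real client rather than to the proxy.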