Any way to limit number of active IMAP/POP3 sessions from a single user / per user?
Hello,
Just wondering: is there any way in Dovecot to limit the number of active IMAP/POP3 connections for a single user, not touching any other users? Basically, the situation is a single user hammering servers with lots of POP3 connections from time to time, and limiting exactly one user could be good.
On 02.07.2017 10:53, Alexey Asemov (Alex/AT) wrote:
> Hello,
> Just wondering: is there any way in Dovecot to limit the number of active IMAP/POP3 connections for a single user, not touching any other users? Basically, the situation is a single user hammering servers with lots of POP3 connections from time to time, and limiting exactly one user could be good.
Easiest would be to use 2.2.29 or later and use a policy server for it. With an older version, I'm not sure if this is doable sensibly.
Aki
On 3 Jul 2017, at 9.24, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
> On 02.07.2017 10:53, Alexey Asemov (Alex/AT) wrote:
>> Hello,
>> Just wondering: is there any way in Dovecot to limit the number of active IMAP/POP3 connections for a single user, not touching any other users? Basically, the situation is a single user hammering servers with lots of POP3 connections from time to time, and limiting exactly one user could be good.
> Easiest would be to use 2.2.29 or later and use a policy server for it. With an older version, I'm not sure if this is doable sensibly.
I think returning mail_max_userip_connections from userdb works.
Hello Aki, Timo,
Thanks a lot for your answers. I'll test with setting mail_max_userip_connections from DB first and tell if it works. If it does not, I'll go with the policy server.
Again, thanks a lot.
On 03.07.2017 9:29, Timo Sirainen wrote:
> On 3 Jul 2017, at 9.24, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
>> On 02.07.2017 10:53, Alexey Asemov (Alex/AT) wrote:
>>> Hello,
>>> Just wondering: is there any way in Dovecot to limit the number of active IMAP/POP3 connections for a single user, not touching any other users? Basically, the situation is a single user hammering servers with lots of POP3 connections from time to time, and limiting exactly one user could be good.
>> Easiest would be to use 2.2.29 or later and use a policy server for it. With an older version, I'm not sure if this is doable sensibly.
> I think returning mail_max_userip_connections from userdb works.
I can confirm setting mail_max_userip_connections from the database in the userdb query *does not* work at all. The user can still open multiple connections above the limit; it seems to have no effect. I thoroughly checked the DB response and it contains the proper field name/value.
I am using dovecot 2.2.31.
Also, I have mail_max_userip_connections set globally in the dovecot configuration file and wonder if this can interfere, but at least some other settings do not and so I doubt it's the cause.
So for now I have to go with writing a policy server for that it seems :)
I assume it does not work because user/IP limit is probably checked before parsing DB parameters. Maybe dovecot code can be adjusted somehow so it allows setting mail_max_userip_connections from userdb before it's processed?
On 3 Jul 2017, at 19.34, Alexey Asemov (Alex/AT) <lists@alex-at.ru> wrote:
> I can confirm setting mail_max_userip_connections from the database in the userdb query *does not* work at all. The user can still open multiple connections above the limit; it seems to have no effect. I thoroughly checked the DB response and it contains the proper field name/value.
> I am using dovecot 2.2.31.
> Also, I have mail_max_userip_connections set globally in the dovecot configuration file and wonder if this can interfere, but at least some other settings do not and so I doubt it's the cause.
Oh, right, I remembered that this setting wasn't handled until imap process started, but it's handled by login process. But what you could do if the user has a static IP:
remote 1.2.3.4 {
  mail_max_userip_connections = 1
}
or even a static IP address space:
remote 1.2.3.0/24 {
  mail_max_userip_connections = 1
}
> So for now I have to go with writing a policy server for that it seems :)
> I assume it does not work because user/IP limit is probably checked before parsing DB parameters. Maybe dovecot code can be adjusted somehow so it allows setting mail_max_userip_connections from userdb before it's processed?
Since it's login process, it would have to be returned by passdb lookup. But that's a lot of trouble for such a special use case.
participants (3)
- Aki Tuomi
- Alexey Asemov (Alex/AT)
- Timo Sirainen
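
The policy-server route suggested in the thread, as an added example that is not part of the original messages or of Dovecot itself: a small HTTP policy server that caps successful logins per window for one named account and answers "accept" for everyone else. The account name, cap, window and port are constructed; the `login` and `success` request fields and the `?command=allow` / `?command=report` query are assumed to match Dovecot's default auth policy requests, and the cap is on login rate rather than concurrent sessions because this example never learns when a session ends.

```python
import json
import time
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

LIMITS = {"heavy.user@example.com": 3}  # constructed account -> max logins per window
WINDOW = 60                              # seconds (assumed value)
recent = defaultdict(deque)              # login -> times of successful logins


def decide(command, attrs, now=None):
    """Build the JSON reply for one policy request (status -1 rejects, 0 accepts)."""
    now = time.time() if now is None else now
    login = str(attrs.get("login", ""))
    limit = LIMITS.get(login)
    if limit is None:
        return {"status": 0, "msg": "no limit for this user"}
    seen = recent[login]
    while seen and now - seen[0] >= WINDOW:  # forget logins outside the window
        seen.popleft()
    if command == "report" and attrs.get("success") is True:
        seen.append(now)  # count only logins that actually succeeded
    elif command == "allow" and len(seen) >= limit:
        return {"status": -1, "msg": "per-user login limit reached"}
    return {"status": 0, "msg": "ok"}


class PolicyHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        command = parse_qs(urlparse(self.path).query).get("command", [""])[0]
        try:
            length = int(self.headers.get("Content-Length", 0))
            attrs = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            attrs = {}
        if not isinstance(attrs, dict):  # ignore bodies that are not JSON objects
            attrs = {}
        body = json.dumps(decide(command, attrs)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 4001), PolicyHandler).serve_forever()
```

Dovecot would be pointed at the listener with `auth_policy_server_url`; counting on `report` with `success` set, rather than on every `allow`, keeps failed guesses by a third party from locking the account out.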