[Dovecot] Connection queue full on my directors

Jan-Frode Myklebust janfrode at tanso.net
Tue Jan 11 21:43:41 EET 2011


On Tue, Jan 11, 2011 at 04:31:03PM +0200, Timo Sirainen wrote:
> 
> Well, switching to high performance mode would work better for proxies: http://wiki2.dovecot.org/LoginProcess
> 

That text does a good job at scaring me away from high perf mode. I 
wouldn't want any attackers stealing my users' passwords. Is it really 
necessary to run this way, when the server otherwise doesn't seem to be 
affected by the number of running processes?

BTW: I'm seeing a bit more failed logins than I think there should be...

	pop3-login: Disconnected (auth failed, 1 attempts): user=<user at somewhere.net>, method=PLAIN, rip=xx.xx.xx.xxx, lip=xx.xxx.xx.xxx
	imap-login: Aborted login (auth failed, 1 attempts): user=<otheruser at nothere.net>, method=PLAIN, rip=xx.xxx.xxx.xx, lip=xx.xxx.xx.xxx, TLS

Could these be explained by the fact that we earlier didn't offer STARTTLS,
because users might be talking to one of the CNAMEs that doesn't match the
certificate name, and with this new config we started offering STARTTLS?

I'm a bit reluctant to do it, but if we do get too many complaints about failed
logins, will it be possible to disable STARTTLS while keeping SSL active 
for the imaps/pops ports on the director?

Current config and stats:

#####################################################################
# 2.0.8: /usr/local/dovecot-2.0.8/etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-194.32.1.el5 x86_64 Red Hat Enterprise Linux Server release 5.5 (Tikanga) 
director_mail_servers = 192.168.42.7 192.168.42.8 192.168.42.9 192.168.42.10 192.168.42.11 192.168.42.28 192.168.42.29
director_servers = 192.168.42.15 192.168.42.17
disable_plaintext_auth = no
listen = *
passdb {
  args = proxy=y nopassword=y
  driver = static
}
service anvil {
  client_limit = 2051
}
service auth {
  client_limit = 4196
}
service director {
  fifo_listener login/proxy-notify {
    mode = 0666
  }
  inet_listener {
    port = 5515
  }
  unix_listener director-userdb {
    mode = 0600
  }
  unix_listener login/director {
    mode = 0666
  }
}
service imap-login {
  executable = imap-login director
  process_limit = 1024
}
service pop3-login {
  executable = pop3-login director
  process_limit = 1024
}
ssl_cert = </etc/pki/tls/certs/pop.example.net.crt
ssl_key = </etc/pki/tls/private/pop.example.net.key
#####################################################################

$ sudo /usr/local/dovecot/bin/doveadm director status
mail server ip                                                    vhosts users
192.168.42.7                                                          10   546
192.168.42.8                                                          10   531
192.168.42.9                                                          10   487
192.168.42.10                                                         10   520
192.168.42.11                                                         10   493
192.168.42.28                                                        100  5119
192.168.42.29                                                        100  4994


$ ps -ef|grep dovec|wc -l
684



   -jf
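An added triage script, not from this thread or the Dovecot project, that parses login-process lines in the format quoted in the post and tallies "auth failed" events by TLS vs plaintext, protocol, source IP and user, so one can check whether the extra failures coincide with the newly offered STARTTLS. The log lines, addresses and user names below are constructed.

```python
import re
from collections import Counter

# Pattern for the Dovecot login-process lines quoted in the post, e.g.
#   pop3-login: Disconnected (auth failed, 1 attempts): user=<u>, method=PLAIN, rip=..., lip=..., TLS
LOGIN_RE = re.compile(
    r"(?P<proto>imap|pop3)-login: (?P<event>Disconnected|Aborted login) "
    r"\(auth failed, (?P<attempts>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)(?P<tls>, TLS)?"
)

def parse_auth_failures(lines):
    """Return one dict per 'auth failed' line; successful logins and other lines are skipped."""
    out = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            d = m.groupdict()
            d["attempts"] = int(d["attempts"])
            d["tls"] = d["tls"] is not None   # trailing ", TLS" marks an encrypted session
            out.append(d)
    return out

def summarize(failures):
    """Counters that show whether failures track TLS/plaintext, protocol, a few source IPs or a few users."""
    return {
        "by_tls": Counter("TLS" if f["tls"] else "plaintext" for f in failures),
        "by_proto": Counter(f["proto"] for f in failures),
        "by_rip": Counter(f["rip"] for f in failures),
        "by_user": Counter(f["user"] for f in failures),
    }

# Constructed sample lines in the same format as the post (syslog prefix, addresses and users are made up).
SAMPLE_LOG = """\
Jan 11 21:40:01 dir1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<user@somewhere.net>, method=PLAIN, rip=10.0.0.1, lip=192.168.42.15
Jan 11 21:40:02 dir1 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<otheruser@nothere.net>, method=PLAIN, rip=10.0.0.2, lip=192.168.42.15, TLS
Jan 11 21:40:03 dir1 dovecot: imap-login: Login: user=<ok@somewhere.net>, method=PLAIN, rip=10.0.0.3, lip=192.168.42.15, TLS
Jan 11 21:40:04 dir1 dovecot: imap-login: Aborted login (auth failed, 3 attempts): user=<otheruser@nothere.net>, method=PLAIN, rip=10.0.0.2, lip=192.168.42.15, TLS
"""

if __name__ == "__main__":
    failures = parse_auth_failures(SAMPLE_LOG.splitlines())
    for key, counter in summarize(failures).items():
        print(key, dict(counter))
```

Feed it the director's real log (for example `grep -h -- '-login:' /var/log/maillog | python3 script.py`-style piping after swapping SAMPLE_LOG for stdin) and compare the plaintext and TLS counts before and after the config change.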

