[Dovecot] Dovecot failed logins delay all logins

Dominic Malolepszy dmalolepszy at optusnet.com.au
Wed Oct 17 09:11:13 EEST 2012 

Hi all,

I have observed with my Dovecot setup that unique failed logins cause 
legitimate correct logins to be slowed. I am running two servers, each 
with two Dovecot instances, a Proxy with Director, and a backend 
Dovecot. I suspect that the backend instance is throttling
connections from the same IP, and because I am running a Proxy, the 
backend will only see either of the two server IPs. I confirmed this by 
directly connecting to the backend, to bypass the proxy and rule it. I 
initiated dozens of unique failed logins from one IP and separately 
attempted to login from the same IP, and experienced an extended delay 
during login. At the same time a login from a different IP suceeded 
imediately. I see nothing in the logs suggesting some sort of process 
limits were exceeded, however I do see the following proc title for the 
backend auth process:
"dovecot/auth [7 wait, 0 passdb, 0 userdb]"

I have increased the mail_max_userip_connections to a very large value 
however I believe that setting is a per username/ip limit. Is there any 
sort of setting in Dovecot that I can configure that stops this 
authentication throttling per IP? Below is the configuration of the 
backend Dovecot instance.


# 2.1.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.5.2.el6.x86_64 x86_64 Red Hat Enterprise Linux 
Server release 6.3 (Santiago)
auth_cache_negative_ttl = 3 secs
auth_cache_size = 100 M
auth_cache_ttl = 10 mins
auth_default_realm = example.com
auth_failure_delay = 5 secs
auth_mechanisms = plain login
auth_verbose_passwords = sha1
auth_worker_max_count = 25
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
first_valid_gid = 12
first_valid_uid = 8
last_valid_gid = 12
last_valid_uid = 8
login_greeting = Hello there.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_fsync = always
mail_gid = mail
mail_location = maildir:%h/Maildir
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = " stats"
mail_uid = mail
mmap_disable = yes
namespace {
   inbox = yes
   location = maildir:%h/Maildir
   prefix = INBOX.
   separator = .
}
passdb {
   args = /etc/dovecot/dovecot-ldap.conf
   driver = ldap
}
protocols = pop3 imap
service auth {
   unix_listener auth-userdb {
     group = mail
     mode = 0660
     user = mail
   }
}
service imap-login {
   inet_listener imap {
     address = 0.0.0.0
     port = 9143
   }
   process_min_avail = 5
   service_count = 0
   vsz_limit = 256 M
}
service imap {
   process_limit = 1000
   vsz_limit = 256 M
}
service pop3-login {
   inet_listener pop3 {
     address = 0.0.0.0
     port = 9110
   }
   process_min_avail = 5
   service_count = 0
   vsz_limit = 256 M
}
service pop3 {
   process_limit = 1000
   vsz_limit = 256 M
}
service stats {
   fifo_listener stats-mail {
     mode = 0600
     user = mail
   }
   inet_listener {
     address = 127.0.0.1
     port = 24242
   }
}
ssl = no
stats_memory_limit = 64 M
userdb {
   driver = prefetch
}
userdb {
   args = /etc/dovecot/dovecot-ldap.conf
   driver = ldap
}
verbose_proctitle = yes
protocol imap {
   imap_logout_format = bytes_read=%i bytes_send=%o
   mail_max_userip_connections = 1000
   mail_plugins = " stats "
}
protocol pop3 {
   mail_max_userip_connections = 1000
}


Dominic

More information about the dovecot mailing list