iOS Mail app and rapid authenticate / disconnect on Dovecot proxy

Robert Giles rgiles at arlut.utexas.edu
Tue Mar 7 17:22:45 UTC 2017


Hi folks,

I have a handful of iOS 10.2.1 Mail app IMAP clients that intermittently 
break into this unexplained authenticate-then-immediately-disconnect 
behavior when connecting to a RHEL7 Dovecot (dovecot-2.2.10-7.el7) 
proxy, providing proxied connections to a backend Panda/UW-IMAP server. 
From talking to the users, the activity would appear to be spontaneous
(i.e., not caused by user interaction with the device).

The behavior doesn't seem to have any observable implications for the 
end user, other than momentarily hitting the Dovecot process_limit 
(which, if not raised to a rather large number, disrupts new IMAP proxy 
connections momentarily).

I reckon this is not an issue with Dovecot, but I'm curious to know if 
other folks have observed this behavior when dealing with iOS Mail app 
clients?

The log entries look like this:

iOS 10 device = 172.16.0.1
RHEL7 Dovecot proxy host = 192.168.0.1 ("proxyhost")
Panda/UW-IMAP target = panda.imap.tld

Mar  6 12:11:00 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<VvzqehVKhwBCol00>
Mar  6 12:11:00 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by client): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS: Disconnected, session=<VvzqehVKhwBCol00>
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<jaXxehVKiABCol00>
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<jaXxehVKiABCol00>
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<RmX4ehVKiQBCol00>
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<RmX4ehVKiQBCol00>
Mar  6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<inYBexVKigBCol00>
Mar  6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<inYBexVKigBCol00>
Mar  6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<GwAJexVKiwBCol00>
Mar  6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<GwAJexVKiwBCol00>
Mar  6 12:11:03 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<asUPexVKswBCol00>
Mar  6 12:11:03 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<asUPexVKswBCol00>
Mar  6 12:11:03 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<n9YYexVKjQBCol00>
Mar  6 12:11:04 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<n9YYexVKjQBCol00>

...and on and on, usually until the 'service imap-login' process_limit 
is reached.  You could naturally apply some iptables rate-limiting to 
avoid hitting process_limit, but it'd be nice to have the iOS client 
simply behave properly instead.

dovecot -n:
---
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-514.6.2.el7.x86_64 x86_64 Red Hat Enterprise Linux Server release 7.3 (Maipo)
auth_mechanisms = plain login
auth_verbose = yes
first_valid_uid = 1000
imap_capability = +I18NLEVEL=1
mbox_write_locks = fcntl
passdb {
   args = nopassword=y
   default_fields = proxy=y ssl=any-cert host=panda.imap.tld
   driver = static
}
protocols = imap pop3
service imap-login {
   process_limit = 400-ish at the moment
   process_min_avail = 2
}
service pop3-login {
   inet_listener pop3s {
     port = 995
     ssl = yes
   }
}
ssl = required
ssl_ca = </etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ssl_cert = <proxyhost.crt
ssl_dh_parameters_length = 2048
ssl_key = <proxyhost.key
ssl_protocols = !SSLv3 !SSLv3
ssl_require_crl = no
userdb {
   driver = static
}
---

Thanks for any insight out there.

Robert Giles
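
An added example (not part of the original post and not Dovecot code): the authenticate-then-disconnect pattern in the log excerpt above can be detected by pairing "started proxying" and "disconnecting" entries on their session= id and counting short-lived sessions per user and rip. The thresholds, the year, the function names and the sample lines are assumptions constructed for illustration; input is expected as one log entry per line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ dovecot: imap-login: proxy\((?P<user>[^)]*)\): "
    r"(?P<ev>started proxying|disconnecting) .*?rip=(?P<rip>[^,]+), .*session=<(?P<sid>[^>]+)>")

def short_sessions(lines, year=2017, max_life=timedelta(seconds=1)):
    """Pair start/disconnect entries by session id; return (user, rip, start) for short-lived ones."""
    started, short = {}, []
    for m in filter(None, map(LINE_RE.match, lines)):  # non-matching lines are skipped
        # Syslog stamps carry no year; `year` is an assumption supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["ev"] == "started proxying":
            started[m["sid"]] = ts
            continue
        t0 = started.pop(m["sid"], None)  # disconnect without a seen start is ignored
        if t0 is not None and ts - t0 <= max_life:
            short.append((m["user"], m["rip"], t0))
    return short

def find_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Map (user, rip) -> peak count of short sessions in any window, if >= threshold."""
    by_client = defaultdict(list)
    for user, rip, t0 in short_sessions(lines):
        by_client[(user, rip)].append(t0)
    bursts = {}
    for key, times in by_client.items():
        times.sort()
        lo = best = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the window's left edge forward
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts

def _line(mm, ss, user, rip, sid, start):  # builds one constructed log entry
    ev = "started proxying to panda.imap.tld:993" if start else f"disconnecting {rip} (Disconnected by server)"
    return (f"Mar  6 12:{mm:02d}:{ss:02d} proxyhost dovecot: imap-login: proxy({user}): {ev}: "
            f"user=<{user}>, method=PLAIN, rip={rip}, lip=192.168.0.1, TLS, session=<{sid}>")

def sample_lines():  # constructed: six sub-second sessions from one client, one long session from another
    lines = [_line(11, i, "jdoe", "172.16.0.1", f"s{i}", st) for i in range(6) for st in (True, False)]
    return lines + [_line(11, 0, "asmith", "172.16.0.2", "long", True),
                    _line(40, 0, "asmith", "172.16.0.2", "long", False)]
```

Calling find_bursts(sample_lines()) flags only the jdoe/172.16.0.1 pair; the long-lived asmith session is not counted.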

