Dovecot 2.2.27 proxy - enforcing per client IP connection limits
Adi Pircalabu
adi at ddns.com.au
Thu Mar 9 03:05:39 UTC 2017
Quick follow-up: updated the proxies to 2.2.28, but I still couldn't
find a way to limit the inbound IMAP connections per IP & username. I
know "mail_max_userip_connections" limit works for the mail stores, but
it doesn't seem to have any effect on the proxies. I'm using a mix of
Dovecot & Courier-IMAP servers as backends.
Basically I need to find a way to enforce the maximum limit for the
username<>remoteip so that, if I have:
ESTCONNS=$(doveadm -f flow proxy list | grep -c "username=usern@domain.com.proto=imap")
$ESTCONNS is lower than or equal to the configured limit.
The proxies are configured as per
https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy to forward
the password to the remote server using MySQL. In dovecot-sql.conf.ext I
have:
password_query = SELECT NULL AS password, 'Y' as nopassword, host, email as email, 'any-cert' as 'starttls', 'Y' AS proxy FROM mailbox WHERE email = '%u' AND disabled_smtpauth=0
At the moment the only way I can limit the number of established
connections per source IP address on the Dovecot proxies is using
iptables, which isn't what I want.
Where else can I look?
Adi Pircalabu, System Administrator
DDNS, a Total Internet Company
159 Barkly Avenue, Burnley, Vic 3121, T +61 3 9815 6868
On 08/03/17 12:32, Adi Pircalabu wrote:
> Hi,
>
> Trying to keep abusive/buggy IMAP clients at bay on a number of Dovecot
> proxy servers, I've reconfigured them to use
> "mail_max_userip_connections = 50" in the "protocol imap" section,
> followed by restarting Dovecot. Yet, I'm still seeing 160+ established
> connections from a single IP address for the same email account. Am I
> missing anything?
>
> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.16 (fed8554)
> # OS: Linux 2.6.32-642.4.2.el6.x86_64 x86_64 CentOS release 6.8 (Final)
> auth_cache_negative_ttl = 5 mins
> auth_cache_size = 16 M
> auth_cache_ttl = 18 hours
> default_client_limit = 6120
> default_process_limit = 500
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify
> mbox_write_locks = fcntl
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> plugin {
>   sieve = file:~/sieve;active=~/.dovecot.sieve
>   sieve_extensions = +notify +imapflags
> }
> protocols = imap pop3 lmtp sieve
> service auth {
>   client_limit = 6120
> }
> service imap-login {
>   process_limit = 2048
>   process_min_avail = 20
>   service_count = 0
>   vsz_limit = 256 M
> }
> service imap {
>   process_limit = 2048
> }
> service managesieve-login {
>   inet_listener sieve {
>     port = 4190
>   }
>   service_count = 0
>   vsz_limit = 128 M
> }
> service managesieve {
>   process_limit = 1024
> }
> service pop3 {
>   process_limit = 1024
> }
> [...]
> protocol imap {
>   imap_capability = IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
>   mail_max_userip_connections = 50
> }
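The grep-and-count check in the post above looks at one username at a time. The script below, an added example that is not part of the original post and not code shipped with Dovecot, reads the output of `doveadm -f flow proxy list` on stdin and reports every username<>source-IP pair whose established IMAP connections exceed a limit, which is the per-user-per-IP count that `mail_max_userip_connections` never sees on a proxy. It assumes the flow format prints one connection per line as whitespace-separated `key=value` pairs, and the field names `username`, `proto` and `src-ip` are assumptions taken from a 2.2-era proxy; compare them with the real output on your proxy before relying on the result. The embedded sample lines are constructed for the example.

```python
#!/usr/bin/env python3
"""Report Dovecot proxy connections that exceed a per-username, per-source-IP limit.

Added example (not from the original post or from Dovecot). Intended usage:

    doveadm -f flow proxy list | ./proxy_userip_limit.py 50

Exit status is 1 when at least one username/IP pair is over the limit, so the
script can be run from cron or a monitoring check.
"""
import sys
from collections import Counter

# Field names as they appear in `doveadm -f flow proxy list`. These are
# assumptions for this example; adjust them if your version prints different keys.
USER_FIELD = "username"
PROTO_FIELD = "proto"
SRC_FIELD = "src-ip"

# Constructed sample of flow-format output: three IMAP sessions for alice from
# 192.0.2.10, one more from a second address, one for bob, and one POP3 session
# that must not be counted towards the IMAP limit.
SAMPLE_FLOW_LINES = [
    "username=alice@example.com proto=imap src-ip=192.0.2.10 dest-ip=10.0.0.5 port=143",
    "username=alice@example.com proto=imap src-ip=192.0.2.10 dest-ip=10.0.0.5 port=143",
    "username=alice@example.com proto=imap src-ip=192.0.2.10 dest-ip=10.0.0.5 port=143",
    "username=alice@example.com proto=imap src-ip=198.51.100.7 dest-ip=10.0.0.5 port=143",
    "username=bob@example.com proto=imap src-ip=192.0.2.10 dest-ip=10.0.0.6 port=143",
    "username=alice@example.com proto=pop3 src-ip=192.0.2.10 dest-ip=10.0.0.5 port=110",
]


def parse_flow_line(line):
    """Turn one 'k=v k=v ...' line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def count_per_user_ip(lines, proto="imap"):
    """Count established proxy connections per (username, source IP) for one protocol."""
    counts = Counter()
    for line in lines:
        fields = parse_flow_line(line)
        if fields.get(PROTO_FIELD) != proto:
            continue  # other protocols, blank lines and malformed lines are skipped
        user = fields.get(USER_FIELD)
        src_ip = fields.get(SRC_FIELD)
        if user is None or src_ip is None:
            continue
        counts[(user, src_ip)] += 1
    return counts


def over_limit(counts, limit):
    """Return (username, src_ip, count) for every pair above the limit, busiest first."""
    offenders = [(user, ip, n) for (user, ip), n in counts.items() if n > limit]
    return sorted(offenders, key=lambda row: (-row[2], row[0], row[1]))


def main(argv):
    limit = int(argv[1]) if len(argv) > 1 else 50
    offenders = over_limit(count_per_user_ip(sys.stdin), limit)
    for user, ip, n in offenders:
        print(f"{n}\t{user}\t{ip}")
    return 1 if offenders else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script only observes; it does not close sessions. Pair it with whatever enforcement you choose (for example `doveadm proxy kick`, which in 2.2 disconnects a user's proxied sessions, or an iptables connlimit rule, which can only limit per source IP and not per user-and-IP) after confirming the field names against a live `doveadm -f flow proxy list` run.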