Dovecot 2.2.27 proxy - enforcing per client IP connection limits

Adi Pircalabu adi at ddns.com.au
Thu Mar 9 03:05:39 UTC 2017


Quick follow-up: updated the proxies to 2.2.28, but I still couldn't 
find a way to limit the inbound IMAP connections per IP & username. I 
know "mail_max_userip_connections" limit works for the mail stores, but 
it doesn't seem to have any effect on the proxies. I'm using a mix of 
Dovecot & Courier-IMAP servers as backends.
Basically I need to find a way to enforce the maximum limit for the 
username<>remoteip so that, if I have:
ESTCONNS=`doveadm -f flow proxy list | grep "username=usern at domain.com.proto=imap" | wc -l`
$ESTCONNS is lower than or equal to the configured limit.
The proxies are configured as per 
https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy to forward 
the password to the remote server using MySQL. In dovecot-sql.conf.ext I 
have:
password_query = SELECT NULL AS password, 'Y' as nopassword, host, email as email, 'any-cert' as 'starttls', 'Y' AS proxy FROM mailbox WHERE email = '%u' AND disabled_smtpauth=0

At the moment the only way I can limit the number of established 
connections per source IP address on the Dovecot proxies is using 
iptables, which isn't what I want.
Where else can I look?

Adi Pircalabu, System Administrator
DDNS, a Total Internet Company
159 Barkly Avenue, Burnley, Vic 3121, T +61 3 9815 6868

On 08/03/17 12:32, Adi Pircalabu wrote:
> Hi,
> 
> Trying to keep abusive/buggy IMAP clients at bay on a number of Dovecot 
> proxy servers, I've reconfigured them to use 
> "mail_max_userip_connections = 50" in the "protocol imap" section, 
> followed by restarting Dovecot. Yet, I'm still seeing 160+ established 
> connections from a single IP address for the same email account. Am I 
> missing anything?
> 
> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.16 (fed8554)
> # OS: Linux 2.6.32-642.4.2.el6.x86_64 x86_64 CentOS release 6.8 (Final)
> auth_cache_negative_ttl = 5 mins
> auth_cache_size = 16 M
> auth_cache_ttl = 18 hours
> default_client_limit = 6120
> default_process_limit = 500
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope 
> encoded-character vacation subaddress comparator-i;ascii-numeric 
> relational regex imap4flags copy include variables body enotify 
> environment mailbox date index ihave duplicate mime foreverypart 
> extracttext imapflags notify
> mbox_write_locks = fcntl
> namespace inbox {
>    inbox = yes
>    location =
>    mailbox Drafts {
>      special_use = \Drafts
>    }
>    mailbox Junk {
>      special_use = \Junk
>    }
>    mailbox Sent {
>      special_use = \Sent
>    }
>    mailbox "Sent Messages" {
>      special_use = \Sent
>    }
>    mailbox Trash {
>      special_use = \Trash
>    }
>    prefix =
> }
> passdb {
>    args = /etc/dovecot/dovecot-sql.conf.ext
>    driver = sql
> }
> plugin {
>    sieve = file:~/sieve;active=~/.dovecot.sieve
>    sieve_extensions = +notify +imapflags
> }
> protocols = imap pop3 lmtp sieve
> service auth {
>    client_limit = 6120
> }
> service imap-login {
>    process_limit = 2048
>    process_min_avail = 20
>    service_count = 0
>    vsz_limit = 256 M
> }
> service imap {
>    process_limit = 2048
> }
> service managesieve-login {
>    inet_listener sieve {
>      port = 4190
>    }
>    service_count = 0
>    vsz_limit = 128 M
> }
> service managesieve {
>    process_limit = 1024
> }
> service pop3 {
>    process_limit = 1024
> }
> [...]
> protocol imap {
>    imap_capability = IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
>    mail_max_userip_connections = 50
> }
> 
> 
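A monitoring check of the kind the follow-up sketches with grep and wc, as an added example that is not from this thread or from the Dovecot project: it parses `doveadm -f flow proxy list` output, counts established proxy connections per username and source IP for one protocol, and lists the pairs above a limit. The line layout and the field names (username, proto, src-ip) are assumptions modelled on the grep pattern in the message, and the sample output is constructed; check both against the output of your own proxies.

```python
import re
from collections import Counter

# Constructed sample of `doveadm -f flow proxy list` output. Assumed format:
# one connection per line, space-separated key=value pairs. The field names
# are an assumption; verify them against real doveadm output before relying
# on this check.
SAMPLE_OUTPUT = """\
username=alice@example.com proto=imap src-ip=198.51.100.7 dest-ip=10.0.0.5 dest-port=143
username=alice@example.com proto=imap src-ip=198.51.100.7 dest-ip=10.0.0.5 dest-port=143
username=alice@example.com proto=imap src-ip=198.51.100.7 dest-ip=10.0.0.5 dest-port=143
username=alice@example.com proto=pop3 src-ip=198.51.100.7 dest-ip=10.0.0.5 dest-port=110
username=bob@example.com proto=imap src-ip=203.0.113.9 dest-ip=10.0.0.6 dest-port=143
username=bob@example.com proto=imap src-ip=203.0.113.10 dest-ip=10.0.0.6 dest-port=143
"""

# key=value tokens; the key is everything up to the first '=' in the token
FIELD_RE = re.compile(r"(\S+?)=(\S*)")


def parse_flow(text):
    """Turn each non-empty flow-format line into a dict of its key=value fields."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            rows.append(dict(FIELD_RE.findall(line)))
    return rows


def count_userip(rows, proto="imap"):
    """Count proxied connections per (username, src-ip) for a single protocol."""
    counts = Counter()
    for row in rows:
        if row.get("proto") == proto:
            counts[(row.get("username"), row.get("src-ip"))] += 1
    return counts


def over_limit(rows, limit, proto="imap"):
    """Return (username, src-ip, count) tuples above the limit, busiest first."""
    hits = [(user, ip, n) for (user, ip), n in count_userip(rows, proto).items() if n > limit]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    # With the sample above and a limit of 2, only alice from 198.51.100.7 is reported.
    for user, ip, n in over_limit(parse_flow(SAMPLE_OUTPUT), limit=2):
        print(f"{user} from {ip}: {n} imap connections (limit 2)")
```

Run it periodically (cron, or a monitoring agent) with the real command's output piped in, and alert on the pairs it returns rather than acting on the backend limit, which, as the message notes, does not take effect on the proxies.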