Dovecot 2.2.27 proxy - enforcing per client IP connection limits

Adi Pircalabu adi at ddns.com.au
Wed Mar 15 22:14:53 UTC 2017


Thanks,

I thought this might be the case. Is there any solution to enforce this 
on the proxy? If not, will a feature request be considered anytime soon? 
I see the proxies as the first line of defense against IMAP "abuse" and 
I think it's consistent having the same configurable option available on 
both backends and the proxies.

---
Adi Pircalabu

On 14-03-2017 20:17, Sami Ketola wrote:
> Hi,
> 
> mail_max_userip_connections is only enforced at the backend level. The
> setting has no effect on proxy. If you want to force the limit then
> you can only do it in the backend.
> 
> Sami
> 
>> On 9 Mar 2017, at 12.05, Adi Pircalabu <adi at ddns.com.au> wrote:
>> 
>> Quick follow-up: updated the proxies to 2.2.28, but I still couldn't 
>> find a way to limit the inbound IMAP connections per IP & username. I 
>> know "mail_max_userip_connections" limit works for the mail stores, 
>> but it doesn't seem to have any effect on the proxies. I'm using a mix 
>> of Dovecot & Courier-IMAP servers as backends.
>> Basically I need to find a way to enforce the maximum limit for the 
>> username<>remoteip so that, if I have:
>> ESTCONNS=`doveadm -f flow proxy list | grep "username=usern at domain.com.proto=imap" | wc -l`
>> $ESTCONNS is lower than or equal to the configured limit.
>> The proxies are configured as per 
>> https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy to 
>> forward the password to the remote server using MySQL. In 
>> dovecot-sql.conf.ext I have:
>> password_query = SELECT NULL AS password, 'Y' as nopassword, host, 
>> email as email, 'any-cert' as 'starttls', 'Y' AS proxy FROM mailbox 
>> WHERE email = '%u' AND disabled_smtpauth=0
>> 
>> At the moment the only way I can limit the number of established 
>> connections per source IP address on the Dovecot proxies is using 
>> iptables, which isn't what I want.
>> Where else can I look?
>> 
>> Adi Pircalabu, System Administrator
>> DDNS, a Total Internet Company
>> 159 Barkly Avenue, Burnley, Vic 3121, T +61 3 9815 6868
>> 
>> On 08/03/17 12:32, Adi Pircalabu wrote:
>>> Hi,
>>> Trying to keep abusive/buggy IMAP clients at bay on a number of 
>>> Dovecot proxy servers, I've reconfigured them to use 
>>> "mail_max_userip_connections = 50" in the "protocol imap" section, 
>>> followed by restarting Dovecot. Yet, I'm still seeing 160+ 
>>> established connections from a single IP address for the same email 
>>> account. Am I missing anything?
>>> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
>>> # Pigeonhole version 0.4.16 (fed8554)
>>> # OS: Linux 2.6.32-642.4.2.el6.x86_64 x86_64 CentOS release 6.8 
>>> (Final)
>>> auth_cache_negative_ttl = 5 mins
>>> auth_cache_size = 16 M
>>> auth_cache_ttl = 18 hours
>>> default_client_limit = 6120
>>> default_process_limit = 500
>>> managesieve_notify_capability = mailto
>>> managesieve_sieve_capability = fileinto reject envelope 
>>> encoded-character vacation subaddress comparator-i;ascii-numeric 
>>> relational regex imap4flags copy include variables body enotify 
>>> environment mailbox date index ihave duplicate mime foreverypart 
>>> extracttext imapflags notify
>>> mbox_write_locks = fcntl
>>> namespace inbox {
>>>   inbox = yes
>>>   location =
>>>   mailbox Drafts {
>>>     special_use = \Drafts
>>>   }
>>>   mailbox Junk {
>>>     special_use = \Junk
>>>   }
>>>   mailbox Sent {
>>>     special_use = \Sent
>>>   }
>>>   mailbox "Sent Messages" {
>>>     special_use = \Sent
>>>   }
>>>   mailbox Trash {
>>>     special_use = \Trash
>>>   }
>>>   prefix =
>>> }
>>> passdb {
>>>   args = /etc/dovecot/dovecot-sql.conf.ext
>>>   driver = sql
>>> }
>>> plugin {
>>>   sieve = file:~/sieve;active=~/.dovecot.sieve
>>>   sieve_extensions = +notify +imapflags
>>> }
>>> protocols = imap pop3 lmtp sieve
>>> service auth {
>>>   client_limit = 6120
>>> }
>>> service imap-login {
>>>   process_limit = 2048
>>>   process_min_avail = 20
>>>   service_count = 0
>>>   vsz_limit = 256 M
>>> }
>>> service imap {
>>>   process_limit = 2048
>>> }
>>> service managesieve-login {
>>>   inet_listener sieve {
>>>     port = 4190
>>>   }
>>>   service_count = 0
>>>   vsz_limit = 128 M
>>> }
>>> service managesieve {
>>>   process_limit = 1024
>>> }
>>> service pop3 {
>>>   process_limit = 1024
>>> }
>>> [...]
>>> protocol imap {
>>>   imap_capability = IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
>>>   mail_max_userip_connections = 50
>>> }
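Since, as Sami notes, the proxy does not enforce mail_max_userip_connections, the per-user/per-IP count that Adi sketches with doveadm can at least be turned into monitoring on the proxy itself, so that a single client opening 160+ sessions against one account is noticed even though it is not blocked there. The script below is an added example, not code from this thread or from the Dovecot project. It assumes that `doveadm -f flow proxy list` prints one session per line as `key=value` pairs with the field names `username=`, `proto=` and `src-ip=` (the column names of Dovecot 2.2's `doveadm proxy list`; check them against your own output before relying on the script), and it runs against constructed sample lines rather than a live proxy.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): count established
# proxy sessions per (username, src-ip) in `doveadm -f flow proxy list`
# output and report the pairs whose IMAP session count exceeds a limit.
# Field names username=, proto= and src-ip= are assumed from Dovecot 2.2's
# flow output; adjust them if your doveadm prints different columns.

# Constructed sample (not a real capture) standing in for
# `doveadm -f flow proxy list`. Hypothetical users, RFC 5737 addresses.
SAMPLE='username=alice@example.com proto=imap src-ip=192.0.2.10 dest-ip=10.0.0.5 port=143
username=alice@example.com proto=imap src-ip=192.0.2.10 dest-ip=10.0.0.5 port=143
username=alice@example.com proto=imap src-ip=192.0.2.10 dest-ip=10.0.0.5 port=143
username=alice@example.com proto=pop3 src-ip=192.0.2.10 dest-ip=10.0.0.5 port=110
username=bob@example.com proto=imap src-ip=198.51.100.7 dest-ip=10.0.0.6 port=143
username=alice@example.com proto=imap src-ip=203.0.113.9 dest-ip=10.0.0.5 port=143'

# count_imap_over_limit LIMIT
# Reads flow-format lines on stdin and prints "user src-ip count" for every
# (user, src-ip) pair with more than LIMIT IMAP sessions. Only imap sessions
# are counted, matching the protocol the setting in the thread applies to;
# output is sorted so repeated runs are comparable.
count_imap_over_limit() {
    awk -v limit="$1" '
        {
            user = ""; proto = ""; src = ""
            # Pick the fields we need out of the key=value pairs.
            for (i = 1; i <= NF; i++) {
                if (index($i, "username=") == 1) user = substr($i, 10)
                else if (index($i, "proto=") == 1) proto = substr($i, 7)
                else if (index($i, "src-ip=") == 1) src = substr($i, 8)
            }
            if (proto == "imap" && user != "" && src != "") n[user " " src]++
        }
        END {
            for (k in n) if (n[k] > limit) print k, n[k]
        }' | sort
}

# Stand-alone run over the sample with a limit of 2: alice from 192.0.2.10
# has three IMAP sessions and is reported; her POP3 session is ignored.
# On a real proxy, replace the printf with: doveadm -f flow proxy list
printf '%s\n' "$SAMPLE" | count_imap_over_limit 2
```

Run from cron on each proxy, the output can feed an alert or a log line keyed on username and source IP; it reports only, it does not drop sessions, so the enforcement still has to happen on the backends (or, as Adi mentions, in iptables) until the proxy grows the option.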

