Dovecot 2.2.27 proxy - enforcing per client IP connection limits

[Sami Ketola]

Hi,

It would be quite hard to enforce a limit at the proxy level since the proxies do not share any information. Currently I do not know any way of enforcing a limit at the proxies already.

Sami

> On 16 Mar 2017, at 7.14, Adi Pircalabu <adi at ddns.com.au> wrote:
> 
> Thanks,
> 
> I thought this might be the case. Is there any solution to enforce this on the proxy? If not, will a feature request be considered anytime soon? I see the proxies as the first line of defense against IMAP "abuse" and I think it's consistent having the same configurable option available on both backends and the proxies.
> 
> ---
> Adi Pircalabu
> 
> On 14-03-2017 20:17, Sami Ketola wrote:
>> Hi,
>> mail_max_userip_connections is only enforced at the backend level. The
>> setting has no effect on proxy. If you want to force the limit then
>> you can only do it in the backend.
>> Sami
>>> On 9 Mar 2017, at 12.05, Adi Pircalabu <adi at ddns.com.au> wrote:
>>> Quick follow-up: updated the proxies to 2.2.28, but I still couldn't find a way to limit the inbound IMAP connections per IP & username. I know "mail_max_userip_connections" limit works for the mail stores, but it doesn't seem to have any effect on the proxies. I'm using a mix of Dovecot & Courier-IMAP servers as backends.
>>> Basically I need to find a way to enforce the maximum limit for the username<>remoteip so that, if I have:
>>> ESTCONNS=`doveadm -f flow proxy list | grep "username=usern at domain.com.proto=imap" | wc -l`
>>> $ESTCONNS is lower or equal than the configured limit.
>>> The proxies are configured as per https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy to forward the password to the remote server using MySQL. In dovecot-sql.conf.ext I have:
>>> password_query = SELECT NULL AS password, 'Y' as nopassword, host, email as email, 'any-cert' as 'starttls', 'Y' AS proxy FROM mailbox WHERE email = '%u' AND disabled_smtpauth=0
>>> At the moment the only way I can limit the number of established connections per source IP address on the Dovecot proxies is using iptables, which isn't what I want.
>>> Where else can I look?
>>> Adi Pircalabu, System Administrator
>>> DDNS, a Total Internet Company
>>> 159 Barkly Avenue, Burnley, Vic 3121, T +61 3 9815 6868
>>> On 08/03/17 12:32, Adi Pircalabu wrote:
>>>> Hi,
>>>> Trying to keep abusive/buggy IMAP clients at bay on a number of Dovecot proxy servers, I've reconfigured them to use "mail_max_userip_connections = 50" in the "protocol imap" section, followed by restarting Dovecot. Yet, I'm still seeing 160+ established connections from a single IP address for the same email account. Am I missing anything?
>>>> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
>>>> # Pigeonhole version 0.4.16 (fed8554)
>>>> # OS: Linux 2.6.32-642.4.2.el6.x86_64 x86_64 CentOS release 6.8 (Final)
>>>> auth_cache_negative_ttl = 5 mins
>>>> auth_cache_size = 16 M
>>>> auth_cache_ttl = 18 hours
>>>> default_client_limit = 6120
>>>> default_process_limit = 500
>>>> managesieve_notify_capability = mailto
>>>> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify
>>>> mbox_write_locks = fcntl
>>>> namespace inbox {
>>>>  inbox = yes
>>>>  location =
>>>>  mailbox Drafts {
>>>>    special_use = \Drafts
>>>>  }
>>>>  mailbox Junk {
>>>>    special_use = \Junk
>>>>  }
>>>>  mailbox Sent {
>>>>    special_use = \Sent
>>>>  }
>>>>  mailbox "Sent Messages" {
>>>>    special_use = \Sent
>>>>  }
>>>>  mailbox Trash {
>>>>    special_use = \Trash
>>>>  }
>>>>  prefix =
>>>> }
>>>> passdb {
>>>>  args = /etc/dovecot/dovecot-sql.conf.ext
>>>>  driver = sql
>>>> }
>>>> plugin {
>>>>  sieve = file:~/sieve;active=~/.dovecot.sieve
>>>>  sieve_extensions = +notify +imapflags
>>>> }
>>>> protocols = imap pop3 lmtp sieve
>>>> service auth {
>>>>  client_limit = 6120
>>>> }
>>>> service imap-login {
>>>>  process_limit = 2048
>>>>  process_min_avail = 20
>>>>  service_count = 0
>>>>  vsz_limit = 256 M
>>>> }
>>>> service imap {
>>>>  process_limit = 2048
>>>> }
>>>> service managesieve-login {
>>>>  inet_listener sieve {
>>>>    port = 4190
>>>>  }
>>>>  service_count = 0
>>>>  vsz_limit = 128 M
>>>> }
>>>> service managesieve {
>>>>  process_limit = 1024
>>>> }
>>>> service pop3 {
>>>>  process_limit = 1024
>>>> }
>>>> [...]
>>>> protocol imap {
>>>>  imap_capability = IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
>>>>  mail_max_userip_connections = 50
>>>> }