Dovecot 2.2.27 proxy - enforcing per client IP connection limits

Adi Pircalabu adi at ddns.com.au
Mon Mar 20 22:08:44 UTC 2017 

On 21/03/17 07:03, Joseph Tam wrote:
> Sami Ketola writes:
> 
>>> Can anyone with Solr installed confirm/refute this:  does installing
>>> Solr keep iOS clients from roofing the connection count?
>>
>> I doubt it, but since IMAP SEARCH goes all the way down to the backends
>> mail_max_userip_connections can be used to limit the number of
>> connections.
> 
> Understood -- that's the current situation I'm in now.  Our iOS users
> would launch a search resulting in a connection burst, hit the connection
> cap, log out all IMAP sessions out, then start the cycle again.  This
> sometimes lasts for 10's of minutes.  I'm not sure what the users sees.
[...]
> Of course, the real fix is for iOS mail-app developers to stop assuming
> the IMAP server is owned exclusively by the user by configuring some
> reasonable connection throttles.

Thing is, one should never rely on the intentions or abilities of a 3rd 
party to fix their buggy code, especially when that 3rd party is Apple. 
Their IMAP implementation is shambolic at best and, by far and large, 
the clients using Apple mail clients are causing the most grief. Oh, did 
I mention that wonderful feature named iOS Profile which has so much 
potential if designed & implemented properly, but in A.D. 2017 it's 
still incomplete?
It's been more than obvious for years Apple can't be relied on for 
interoperability, the only way to improve the services offered to the 
clients is to look at the server side, whenever possible. And one of the 
options for limiting the IMAP client hammering is to enforce the limits 
on the proxies directly. Especially in an environment where the backend 
IMAP server isn't Dovecot and mail_max_userip_connections isn't an 
option. Even if the proxies don't exchange IMAP login information 
between them, being able to enforce the limit on the proxy can be a 
significant improvement to the current situation when the Courier-IMAP 
servers are open to IMAP abuse because they always see the proxy IP for 
the incoming connection.

Just my .02AUD

-- 
Adi Pircalabu

More information about the dovecot mailing list