Disconnecting unauthenticated IMAP entities faster?
Sami Ketola
sami.ketola at dovecot.fi
Fri May 18 20:30:18 EEST 2018
> On 18 May 2018, at 20.19, David Hubbard <dhubbard at dino.hostasaurus.com> wrote:
>
> Hello, given the 2015 revision date, I was curious if anyone can confirm https://wiki2.dovecot.org/Timeouts is still accurate where the 'before login' IMAP timeout remains hard coded?
>
> We're having an issue where blocks of IPs from China and similar locations are crawling IP ranges trying common login credentials, and hanging the connections open in the process. We have clients who have large numbers of employees at single locations, so it isn't possible to reduce the mail_max_userip_connections (assuming it even applies to pre-auth sessions) to a low value. The end result is these connections chew up all the imap-login processes because they sit there until the three-minute timeout is hit, blocking legit users. The only workaround is to raise both the imap and imap-login processes to a massive amount to support all the pre-auth hung open connections.
>
> It would be a lot easier to find a reasonable process limit if we could boot these unauthenticated connections off in a more reasonable amount of time, like 5-10 seconds, but I'm not seeing a way to accomplish that?
>
https://github.com/PowerDNS/weakforced is just for situations like this.
Sami
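
An added example, not part of the original thread and not code from Dovecot or weakforced: one way to measure the problem described in the question is to tally, per remote IP, how many imap-login connections sat out the pre-auth timeout or failed authentication. The log layout, the sample lines, and the names `summarize`, `flag`, `min_idle_secs` and `threshold` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines. The layout is an assumption modelled on Dovecot's
# imap-login disconnect messages; adjust the regex to your own syslog output.
SAMPLE_LOG = """\
May 18 20:01:02 mx1 dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=203.0.113.7, lip=192.0.2.10, session=<a1>
May 18 20:01:03 mx1 dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=203.0.113.7, lip=192.0.2.10, session=<a2>
May 18 20:01:05 mx1 dovecot: imap-login: Disconnected (auth failed, 2 attempts in 9 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<a3>
May 18 20:01:09 mx1 dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=203.0.113.7, lip=192.0.2.10, session=<a4>
May 18 20:02:11 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, session=<b1>
May 18 20:02:40 mx1 dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=198.51.100.20, lip=192.0.2.10, session=<b2>
May 18 20:03:00 mx1 dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=203.0.113.99, lip=192.0.2.10, session=<c1>
"""

DISCONNECT = re.compile(
    r"imap-login: Disconnected.*?\((?P<reason>[^)]*)\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)
SECS = re.compile(r"in (\d+) secs")

def summarize(log_text, min_idle_secs=60):
    """Per remote IP: long pre-auth idles, failed logins, seconds held."""
    stats = defaultdict(lambda: {"idle": 0, "failed": 0, "held_secs": 0})
    for line in log_text.splitlines():
        m = DISCONNECT.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        reason, rip = m["reason"], m["rip"]
        secs = SECS.search(reason)
        held = int(secs.group(1)) if secs else 0
        stats[rip]["held_secs"] += held
        if reason.startswith("no auth attempts") and held >= min_idle_secs:
            stats[rip]["idle"] += 1  # connection parked until the timeout
        elif reason.startswith("auth failed"):
            stats[rip]["failed"] += 1
    return dict(stats)

def flag(log_text, threshold=3):
    """IPs whose idle plus failed pre-auth disconnects reach the threshold."""
    return sorted(
        ip for ip, s in summarize(log_text).items()
        if s["idle"] + s["failed"] >= threshold
    )

if __name__ == "__main__":
    print(flag(SAMPLE_LOG))
```
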