<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>The number of imap-login processes keeps growing until we reach the
maximum number of processes.<br>
</p>
<p>This occurs when a particular user has a login error due to our
LDAP misconfiguration:</p>
<p>---<br>
<font face="monospace">Mar 4 14:59:33 hera dovecot[2226963]:
auth: Error:
plain(john.doe,XX.XX.XX.XX,&lt;13C0eBP2354lqXpO&gt;): user not
found from any userdbs                <br>
Mar 4 14:59:33 hera dovecot[2226963]: imap: Error: auth-master:
login: request [1001652225]: Login auth request failed:
Authenticated user not found from <br>
userdb, auth lookup id=1001652225 (auth connected 2 msecs ago,
request took 1 msecs, client-pid=2235348
client-id=1)<br>
Mar 4 14:59:33 hera dovecot[2226963]: imap-login: Internal
login failure (pid=2235348 id=1): user=&lt;ohn.doe&gt;,
method=PLAIN, rip=XX.XX.XX.XX,
lip=185.233.100.1, mpid=2235359, TLS, session=&lt;13C0eBP2354lqXpO&gt;<br>
---</font><br>
</p>
<p>The origin of this issue is when <span
style="font-family:monospace"><span
style="color:#000000;background-color:#ffffff;">passdb finds
the user and userdb does not.</span> The result is imap-login
processes with no timeout, which accumulate until we reach the
maximum number of processes.</span></p>
<ul>
<li>OS version</li>
</ul>
<p>Debian stable - Bullseye</p>
<ul>
<li>Dovecot version<br>
</li>
</ul>
<p><span style="font-family:monospace"><span
style="color:#000000;background-color:#ffffff;">dpkg -l |grep
dovecot
</span><br>
ii  dovecot-antispam                    2.0+20171229-1+b7
                    amd64        Dovecot plugins for training
spam filters
<br>
ii  dovecot-common                      1:2.1.7-7+deb7u1
                     all          Transitional package for
dovecot
<br>
ii  dovecot-core                        1:2.3.13+dfsg1-2+deb11u1
             amd64        secure POP3/IMAP server - core files
<br>
ii  dovecot-core-dbgsym                 1:2.3.13+dfsg1-2+deb11u1
             amd64        debug symbols for dovecot-core
<br>
ii  dovecot-imapd                       1:2.3.13+dfsg1-2+deb11u1
             amd64        secure POP3/IMAP server - IMAP daemon
<br>
ii  dovecot-imapd-dbgsym                1:2.3.13+dfsg1-2+deb11u1
             amd64        debug symbols for dovecot-imapd
<br>
ii  dovecot-ldap                        1:2.3.13+dfsg1-2+deb11u1
             amd64        secure POP3/IMAP server - LDAP support
<br>
ii  dovecot-managesieved                1:2.3.13+dfsg1-2+deb11u1
             amd64        secure POP3/IMAP server - ManageSieve
server
<br>
ii  dovecot-mysql                       1:2.3.13+dfsg1-2+deb11u1
             amd64        secure POP3/IMAP server - MySQL
support
<br>
ii  dovecot-pop3d                       1:2.3.13+dfsg1-2+deb11u1
             amd64        secure POP3/IMAP server - POP3 daemon
<br>
ii  dovecot-sieve                       1:2.3.13+dfsg1-2+deb11u1
             amd64        secure POP3/IMAP server - Sieve
filters support<br>
<br>
</span></p>
<ul>
<li><span style="font-family:monospace"><span
style="color:#000000;background-color:#ffffff;">doveconf -n<br>
</span></span></li>
</ul>
<p><span style="font-family:monospace">---<br>
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
<br>
# Pigeonhole version 0.5.13 (cdd19fe3)
<br>
doveconf: Warning: service auth { client_limit=1000 } is lower
than required under max. load (4096)
<br>
doveconf: Warning: service anvil { client_limit=1000 } is lower
than required under max. load (4099)
<br>
# OS: Linux 5.10.0-21-cloud-amd64 x86_64 Debian 11.6 ext4
<br>
# Hostname: XXX<br>
auth_mechanisms = plain login
<br>
default_process_limit = 1024
<br>
first_valid_gid = 8
<br>
first_valid_uid = 109
<br>
last_valid_gid = 8
<br>
last_valid_uid = 109
<br>
login_greeting = XXX listening.
<br>
mail_access_groups = mail
<br>
mail_gid = 8
<br>
mail_location = maildir:/srv/vmail/%d/%n
<br>
mail_privileged_group = mail
<br>
mail_uid = 109
<br>
managesieve_notify_capability = mailto
<br>
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy<br>
include variables body enotify environment mailbox date index
ihave duplicate mime foreverypart extracttext imapflags notify
imapsieve vnd.dovecot.imapsieve<br>
vnd.dovecot.filter
<br>
namespace inbox {
<br>
 inbox = yes
<br>
 location =  <br>
 mailbox Drafts {
<br>
   special_use = \Drafts
<br>
 }
<br>
 mailbox Junk {
<br>
   special_use = \Junk
<br>
 }
<br>
 mailbox Sent {
<br>
   special_use = \Sent
<br>
 }
<br>
 mailbox "Sent Messages" {
<br>
   special_use = \Sent
<br>
 }
<br>
 mailbox Trash {
<br>
   special_use = \Trash
<br>
 }
<br>
 prefix =  <br>
}
<br>
passdb {
<br>
 args = /etc/dovecot/dovecot-ldap.conf
<br>
 driver = ldap
<br>
}
<br>
passdb {
<br>
 args = /etc/dovecot/dovecot-ldap-girondix.conf
<br>
 driver = ldap
<br>
}
<br>
passdb {
<br>
 args = /etc/dovecot/dovecot-oauth2.conf.ext
<br>
 driver = oauth2
<br>
 mechanisms = xoauth2 oauthbearer
<br>
}
<br>
plugin {
<br>
 quota_rule = *:storage=100M
<br>
 quota_rule2 = Trash:storage=10%%
<br>
 recipient_delimiter = +
<br>
 sieve = /srv/vmail/%d/%n/dovecot.sieve
<br>
 sieve_default = /var/lib/dovecot/sieve/default.sieve
<br>
 sieve_dir = /srv/vmail/%d/%n/sieve
<br>
 sieve_extensions = +notify +imapflags +vnd.dovecot.filter
<br>
 sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
<br>
 sieve_global_extensions = +vnd.dovecot.pipe
<br>
 sieve_max_script_size = 1M
<br>
 sieve_pipe_bin_dir = /etc/dovecot/sieve
<br>
 sieve_pipe_socket_dir = sieve-pipe
<br>
 sieve_plugins = sieve_imapsieve sieve_extprograms
<br>
 sieve_redirect_envelope_from = orig_recipient
<br>
}
<br>
protocols = imap pop3 sieve
<br>
service auth {
<br>
 unix_listener /var/spool/postfix/private/auth {
<br>
   group = mail
<br>
   mode = 0600
<br>
   user = postfix
<br>
 }
<br>
 unix_listener auth-master {
<br>
   group = mail
<br>
   mode = 0660
<br>
   user = vmail
<br>
 }
<br>
 unix_listener auth-userdb {
<br>
   group = mail
<br>
   mode = 0600
<br>
   user = vmail
<br>
 }
<br>
}
<br>
service imap-login {
<br>
 inet_listener imap {
<br>
   port = 0
<br>
 }
<br>
}
<br>
service imap {
<br>
 vsz_limit = 1 G
<br>
}
<br>
service lmtp {
<br>
 executable = lmtp -L
<br>
 process_min_avail = 2
<br>
}
<br>
service pop3-login {
<br>
 inet_listener pop3 {
<br>
   port = 0
<br>
 }
<br>
}
<br>
ssl_cert = &lt;/srv/letsencrypt/pem/mail.aquilenet.fr.pem
<br>
ssl_client_ca_dir = /etc/ssl/certs
<br>
ssl_dh = # hidden, use -P to show it
<br>
ssl_key = # hidden, use -P to show it
<br>
userdb {
<br>
 args = /etc/dovecot/dovecot-ldap.conf
<br>
 driver = ldap
<br>
}
<br>
userdb {
<br>
 args = /etc/dovecot/dovecot-ldap-girondix.conf
<br>
 driver = ldap
<br>
}
<br>
protocol lmtp {
<br>
 auth_username_format = %n
<br>
 info_log_path = /var/log/dovecot-lmtp.log
<br>
 mail_plugins = " sieve"
<br>
}
<br>
protocol lda {
<br>
 mail_plugins = " mailbox_alias sieve"
<br>
}
<br>
protocol imap {
<br>
 imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
<br>
 imap_idle_notify_interval = 30 secs
<br>
 mail_max_userip_connections = 50
<br>
 mail_plugins = quota  mailbox_alias imap_quota
<br>
}
<br>
protocol pop3 {
<br>
 mail_plugins = quota mailbox_alias acl
<br>
 pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
<br>
}</span><br>
<span style="font-family:monospace"><span
style="font-family:monospace">---</span></span><span
style="font-family:monospace"></span></p>
</body>
</html>