Hi,

It would be quite hard to enforce a limit at the proxy level since the proxies do not share any information. Currently I do not know any way of enforcing a limit at the proxies already.

Sami

> On 16 Mar 2017, at 7.14, Adi Pircalabu <[email protected]> wrote:
>
> Thanks,
>
> I thought this might be the case. Is there any solution to enforce this on
> the proxy? If not, will a feature request be considered anytime soon? I see
> the proxies as the first line of defense against IMAP "abuse" and I think
> it's consistent having the same configurable option available on both
> backends and the proxies.
>
> ---
> Adi Pircalabu
>
> On 14-03-2017 20:17, Sami Ketola wrote:
>> Hi,
>> mail_max_userip_connections is only enforced at the backend level. The
>> setting has no effect on proxy. If you want to force the limit then
>> you can only do it in the backend.
>> Sami
>>> On 9 Mar 2017, at 12.05, Adi Pircalabu <[email protected]> wrote:
>>> Quick follow-up: updated the proxies to 2.2.28, but I still couldn't find a
>>> way to limit the inbound IMAP connections per IP & username. I know
>>> "mail_max_userip_connections" limit works for the mail stores, but it
>>> doesn't seem to have any effect on the proxies. I'm using a mix of Dovecot
>>> & Courier-IMAP servers as backends.
>>> Basically I need to find a way to enforce the maximum limit for the
>>> username<>remoteip so that, if I have:
>>> ESTCONNS=`doveadm -f flow proxy list | grep "[email protected]=imap" | wc -l`
>>> $ESTCONNS is lower than or equal to the configured limit.
>>> The proxies are configured as per
>>> https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy to forward the
>>> password to the remote server using MySQL. In dovecot-sql.conf.ext I have:
>>> password_query = SELECT NULL AS password, 'Y' as nopassword, host, email as email, 'any-cert' as 'starttls', 'Y' AS proxy FROM mailbox WHERE email = '%u' AND disabled_smtpauth=0
>>> At the moment the only way I can limit the number of established
>>> connections per source IP address on the Dovecot proxies is using iptables,
>>> which isn't what I want.
>>> Where else can I look?
>>> Adi Pircalabu, System Administrator
>>> DDNS, a Total Internet Company
>>> 159 Barkly Avenue, Burnley, Vic 3121, T +61 3 9815 6868
>>> On 08/03/17 12:32, Adi Pircalabu wrote:
>>>> Hi,
>>>> Trying to keep abusive/buggy IMAP clients at bay on a number of Dovecot
>>>> proxy servers, I've reconfigured them to use "mail_max_userip_connections
>>>> = 50" in the "protocol imap" section, followed by restarting Dovecot. Yet,
>>>> I'm still seeing 160+ established connections from a single IP address for
>>>> the same email account. Am I missing anything?
>>>> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
>>>> # Pigeonhole version 0.4.16 (fed8554)
>>>> # OS: Linux 2.6.32-642.4.2.el6.x86_64 x86_64 CentOS release 6.8 (Final)
>>>> auth_cache_negative_ttl = 5 mins
>>>> auth_cache_size = 16 M
>>>> auth_cache_ttl = 18 hours
>>>> default_client_limit = 6120
>>>> default_process_limit = 500
>>>> managesieve_notify_capability = mailto
>>>> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify
>>>> mbox_write_locks = fcntl
>>>> namespace inbox {
>>>>   inbox = yes
>>>>   location =
>>>>   mailbox Drafts {
>>>>     special_use = \Drafts
>>>>   }
>>>>   mailbox Junk {
>>>>     special_use = \Junk
>>>>   }
>>>>   mailbox Sent {
>>>>     special_use = \Sent
>>>>   }
>>>>   mailbox "Sent Messages" {
>>>>     special_use = \Sent
>>>>   }
>>>>   mailbox Trash {
>>>>     special_use = \Trash
>>>>   }
>>>>   prefix =
>>>> }
>>>> passdb {
>>>>   args = /etc/dovecot/dovecot-sql.conf.ext
>>>>   driver = sql
>>>> }
>>>> plugin {
>>>>   sieve = file:~/sieve;active=~/.dovecot.sieve
>>>>   sieve_extensions = +notify +imapflags
>>>> }
>>>> protocols = imap pop3 lmtp sieve
>>>> service auth {
>>>>   client_limit = 6120
>>>> }
>>>> service imap-login {
>>>>   process_limit = 2048
>>>>   process_min_avail = 20
>>>>   service_count = 0
>>>>   vsz_limit = 256 M
>>>> }
>>>> service imap {
>>>>   process_limit = 2048
>>>> }
>>>> service managesieve-login {
>>>>   inet_listener sieve {
>>>>     port = 4190
>>>>   }
>>>>   service_count = 0
>>>>   vsz_limit = 128 M
>>>> }
>>>> service managesieve {
>>>>   process_limit = 1024
>>>> }
>>>> service pop3 {
>>>>   process_limit = 1024
>>>> }
>>>> [...]
>>>> protocol imap {
>>>>   imap_capability = IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
>>>>   mail_max_userip_connections = 50
>>>> }
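
Added example (not part of the thread and not Dovecot project code): since the proxy does not enforce mail_max_userip_connections, the per-user/per-IP count that the ESTCONNS one-liner above computes for a single account can be computed for every account on one proxy and used for alerting. Assumptions: the input comes from `doveadm -f tab proxy list` and has a header row with columns named "username", "proto" and "src ip"; the sample rows are constructed.

```python
import csv
import io
import sys
from collections import Counter

# Constructed sample standing in for `doveadm -f tab proxy list` output.
# Assumption: tab-separated rows under a header naming these columns.
_HEADER = "username\tproto\tsrc ip\tdest ip\tport\n"
_ROWS = (
    ["alice@example.com\timap\t198.51.100.7\t10.0.0.11\t143"] * 2
    + ["Alice@example.com\timap\t198.51.100.7\t10.0.0.11\t143"]
    + ["alice@example.com\timap\t203.0.113.9\t10.0.0.11\t143"]
    + ["bob@example.com\tpop3\t198.51.100.7\t10.0.0.12\t110"] * 2
)
SAMPLE = _HEADER + "\n".join(_ROWS) + "\n"

REQUIRED = {"username", "proto", "src ip"}


def over_limit(tab_output, limit, protocol="imap"):
    """Return {(username, src_ip): sessions} for pairs with more than `limit`."""
    reader = csv.DictReader(io.StringIO(tab_output), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        # Fail loudly rather than report "no offenders" on an unknown format.
        raise ValueError(f"missing columns: {sorted(missing)}")
    counts = Counter()
    for row in reader:
        if row["proto"] != protocol or not row["src ip"]:
            continue  # other protocol, or a short/garbled row
        # Fold case so Alice@ and alice@ are counted as one account.
        counts[(row["username"].lower(), row["src ip"])] += 1
    return {pair: n for pair, n in counts.items() if n > limit}


if __name__ == "__main__":
    # Pipe real output in, or run with no pipe to see the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    limit = 50 if not sys.stdin.isatty() else 2
    for (user, ip), n in sorted(over_limit(data, limit).items()):
        print(f"{user} from {ip}: {n} proxied sessions (limit {limit})")
```

This only reports on the proxy it runs on; as stated above, the proxies do not share information, so counts from several proxies have to be summed by whatever collects them.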
