RE: mail_max_userip_connections per remote IP not working
Alessio,
> remote 1.2.3.4 {
> }
This isn't supported.
You can only set the same max connection for all userips.
protocol imap {
mail_max_userip_connections = 100
}
The conf above will act :
- 1.2.3.4's max connections will be set to 100 when using imap connection.
- 1.2.3.5's max connections will be set to 100 when using imap connection.
- and so on. Every connection to imap will have max connection limit, 100.
If you want to limit max connections only for a specific ip, you might want to
do that on your firewall.
-Original Message-
From: dovecot On Behalf Of Alessio Cecchi
Sent: Wednesday, April 14, 2021 5:39 AM
To: Dovecot Mailing List
Subject: mail_max_userip_connections per remote IP not working
Hi,
I'm tryng to set a specific mail_max_userip_connections for a remote IP
(webmail IMAP software), but it seems not working:
remote 1.2.3.4 {
protocol imap {
mail_max_userip_connections = 100
}
}
and also this isn't working
remote 1.2.3.4 {
mail_max_userip_connections = 100
}
I insert it at the end of 20-imap.conf file.
Is something wrong or is not supported?
I'm running dovecot 2.3.14.
Thanks
--
Alessio Cecchi
Postmaster @http://www.qboxmail.it
https://www.linkedin.com/in/alessice
mail_max_userip_connections per remote IP not working
Hi,
I'm tryng to set a specific mail_max_userip_connections for a remote IP
(webmail IMAP software), but it seems not working:
remote 1.2.3.4 {
protocol imap {
mail_max_userip_connections = 100
}
}
and also this isn't working
remote 1.2.3.4 {
mail_max_userip_connections = 100
}
I insert it at the end of 20-imap.conf file.
Is something wrong or is not supported?
I'm running dovecot 2.3.14.
Thanks
--
Alessio Cecchi
Postmaster @http://www.qboxmail.it
https://www.linkedin.com/in/alessice
per-user mail_max_userip_connections in userdb extra fields
Hi,
The documentation at https://wiki.dovecot.org/UserDatabase/ExtraFields
states that "It's possible to override settings from dovecot.conf", as
well as the following:
> If you want to override settings inside sections, you can separate
the > section name and key with '/'. For example:
>
> namespace default {
> inbox = yes
> separator = .
> location = maildir:~/Maildir
> }
>
> The separator setting can be overridden by returning
namespace/default/separator=. extra field.
As such, we would expect for it to be possible to override
mail_max_userip_connections under the "protocol imap" section, with a
passwdfile userdb looking something like this:
example:{CRYPT}x:1011:1011::/mail/example::userdb_protocol/imap/mail_max_userip_connections=100
The userdb returns the expected fields in the correct format (according
to the documentation):
# doveadm user -u example
userdb: example
user : example
uid : 1011
gid : 1011
home : /mail/example
protocol/imap/mail_max_userip_connections: 100
However, this new setting is not honoured. To test, I set
"mail_max_userip_connections=1" in 20-imap.conf, and noticed that my
second connection was closed with the following error:
dovecot[13573]: imap-login: Maximum number of connections from
user+IP exceeded (mail_max_userip_connections=1)
I also attempted the same setting, without the "protocol/imap" prefix.
Is this not possible? Are there restrictions to what settings may be
overridden in userdb? The documentation appears to suggest that there isn't.
Best regards,
Eirik Rye
Re: mail_max_userip_connections
> On 29 May 2019, at 4.40, hfh--- via dovecot wrote: > > mail_max_userip_connections > Can I set up an ip whitelist list, and the ip in this whitelist is > unrestricted? thanks!!! mail_max_userip_connections is not enforced for login_trusted_networks Sami
mail_max_userip_connections
mail_max_userip_connections Can I set up an ip whitelist list, and the ip in this whitelist is unrestricted? thanks!!! h...@cndns.com
Re: mail_max_userip_connections from userdb query
You can probably implement this better with weakforced. ---Aki TuomiDovecot oy Original message From: Arkadiusz Miśkiewicz <ar...@maven.pl> Date: 30/03/2018 11:21 (GMT+02:00) To: dovecot@dovecot.org Subject: mail_max_userip_connections from userdb query Hello. Is still true that mail_max_userip_connections cannot be overriden in userdb query? Want lower global and raise for some logins. https://www.dovecot.org/pipermail/dovecot/2017-July/108520.html -- Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
mail_max_userip_connections from userdb query
Hello. Is still true that mail_max_userip_connections cannot be overriden in userdb query? Want lower global and raise for some logins. https://www.dovecot.org/pipermail/dovecot/2017-July/108520.html -- Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
Re: Increasing mail_max_userip_connections and sys resources
On 15/1/2016 10:05 μμ, Joseph Tam wrote: ... Pragmatically, I set it high enough so that it meets the need of most clients, then deal with problems on a case by case basis ... Thank you very much Joseph for your quite useful advice and experience. Are you monitoring using "doveadm who"? 4. How can we set a different value to this directive for webmail connections (coming from 127.0.0.1, ::1)? I don't know if there is another method, but at the very least, you can start another dovecot instance with another config file that does specific things for 127.0.0.1. I tried using a remote block for webmail, but without success yet. You can see my other thread (asking on "remote" | "local" blocks). All the best, Nick
Re: Increasing mail_max_userip_connections and sys resources
In our low-traffic server we have always kept the default value for IMAP mail_max_userip_connections (10). The server has been working fine! (Thank you Timo for this!) However, recently we have been having: Maximum number of connections from user+IP exceeded errors both for IMAP and webmail users. Thus, we have now changed the value to 100. The questions: 1.Might this lead to overloading the server? 2. Could another dovecot setting prevent the above setting from being applied (e.g. due to connections exhaustion), i.e. should we also change other setting(s)? 3. What should we take into account when deciding the value for mail_max_userip_connections? It depends on how many users you have, the number of simultaneous clients they use, and the #connections each client opens. Potentially, you could exhaust connection limits -- they usually don't max out memory or CPU or disk since most of the connections are idle. (There is a new IDLE hibernate feature that might help to minimize memory use by idle imap worker processes.) I haven't found a value that gets rid of users running into connection limits. If I set it to n, the next day someone will choke on n+1. This is a snapshot connections (count : #connections) which shows the typical decay: 25 1 14 2 14 3 7 4 9 5 1 6 2 7 1 8 1 10 Occasionally, some user's connection demand will spike and exceed the limit because - they started yat another client - they started global operation like searching - they're using a network that support roaming IP (I've tracked some users across the city on their bus ride.) Pragmatically, I set it high enough so that it meets the need of most clients, then deal with problems on a case by case basis (e.g. get them to lower their mail client's idle connection setting, or asking them to reduce the number of active clients by logging out). It also prevents what this setting was designed for: connection starvation by busy/buggy clients. Usually, hitting the limit doesn't produce problems as mail clients are smart enough to close idle connections or reuse them. If you only got a dozen users, setting it to 100 is feasible. If you got 1000 users, probably not. 4. How can we set a different value to this directive for webmail connections (coming from 127.0.0.1, ::1)? I don't know if there is another method, but at the very least, you can start another dovecot instance with another config file that does specific things for 127.0.0.1. Joseph Tam <jtam.h...@gmail.com>
Re: Increasing mail_max_userip_connections and sys resources
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Fri, 15 Jan 2016, Nikolaos Milas wrote:
I tried adding "process_limit = 2048" to imap:
protocol imap {
imap_client_workarounds = "delay-newmail"
mail_plugins = quota imap_quota notify replication
process_limit = 2048
this setting belongs to the
service imap {
section. See the output of doveconf -a
- --
Steffen Kaiser
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
iQEVAwUBVpiy2Hz1H7kL/d9rAQK7BQgAv/kupyXWS6I+FOxKt1ougPYK0rdPRae9
FSVR1Lsp9dCQ0LBU2S6VHC3ZhJIaMm92N4UxjYjSXblj1irqGwuj/F2vgvcriTkG
R291zwT0MwwrSUu7ZTrqKeuvNFYY3cljwOZieTJi5Ozk8vKp7d8hIvHRjTQXeDah
7V0oHlqXAR/zLMc7bT4PZzTTaRxNAfGKTTzuh3jMuOjn0Ne91CQjNSgrUo6F1hMl
pz0ZNR3fns7ZGI//NXNgkdFqsP3LcH8bGYgBdpYNQZCgo+mYi+8ziB0a8ba6RMHU
CkwcpwZZuAoUaEA2XXLKgNcv5rjwgQAaEHwZATLLBwOVzlv8/LZ3Mw==
=NijQ
-END PGP SIGNATURE-
Re: Increasing mail_max_userip_connections and sys resources
On 15/1/2016 10:50 πμ, Steffen Kaiser wrote:
this setting belongs to the
service imap {
section.
Oh, this is it! It works now!
Thanks, Steffen.
All the best,
Nick
Increasing mail_max_userip_connections and sys resources
In our low-traffic server we have always kept the default value for IMAP
mail_max_userip_connections (10).
The server has been working fine! (Thank you Timo for this!)
However, recently we have been having:
Maximum number of connections from user+IP exceeded
errors both for IMAP and webmail users.
Thus, we have now changed the value to 100.
The questions:
1.Might this lead to overloading the server?
2. Could another dovecot setting prevent the above setting from being
applied (e.g. due to connections exhaustion), i.e. should we also change
other setting(s)?
3. What should we take into account when deciding the value for
mail_max_userip_connections?
4. How can we set a different value to this directive for webmail
connections (coming from 127.0.0.1, ::1)?
The config follows for your reference (I've only changed the real domain
name).
Thanks in advance for your help.
Nick
-
# doveconf -n
# 2.2.18: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8
# OS: Linux 2.6.18-407.el5 x86_64 CentOS release 5.11 (Final)
auth_mechanisms = plain login
auth_verbose = yes
disable_plaintext_auth = no
dsync_remote_cmd = ssh -l root vmail1.example.com doveadm dsync-server -u%u
mail_gid = 500
mail_location = maildir:~/Maildir/
mail_plugins = quota mail_log notify replication
mail_uid = 500
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate
passdb {
args = /etc/dovecot/dovecot-passdb-ldap.conf
driver = ldap
}
plugin {
mail_log_events = delete undelete expunge copy mailbox_delete
mailbox_rename
mail_log_fields = uid box msgid size
mail_replica = remote:vm...@vmail1.example.com
quota = maildir:User quota
quota_rule = *:storage=5G
quota_rule2 = Trash:storage=+3%%
quota_warning = storage=75%% quota-warning 75 %u
quota_warning2 = storage=90%% quota-warning 90 %u
}
protocols = imap pop3
service aggregator {
fifo_listener replication-notify-fifo {
user = vmail
}
unix_listener replication-notify {
user = vmail
}
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
group = vmail
mode = 0660
user = vmail
}
user = root
}
service imap-login {
service_count = 1
vsz_limit = 64 M
}
service imap {
executable = imap postlogin
}
service pop3-login {
service_count = 1
vsz_limit = 64 M
}
service pop3 {
executable = pop3 postlogin
}
service postlogin {
executable = script-login -d rawlog
}
service quota-warning {
executable = script /opt/mail1.sh
unix_listener quota-warning {
user = vmail
}
user = vmail
}
service replicator {
process_min_avail = 1
unix_listener replicator-doveadm {
mode = 0600
}
}
ssl_ca =
Re: Increasing mail_max_userip_connections and sys resources
On 14/1/2016 7:19 μμ, Nikolaos Milas wrote:
2. Could another dovecot setting prevent the above setting from being
applied (e.g. due to connections exhaustion), i.e. should we also
change other setting(s)?
An associated question:
I tried adding "process_limit = 2048" to imap:
protocol imap {
imap_client_workarounds = "delay-newmail"
mail_plugins = quota imap_quota notify replication
process_limit = 2048
mail_max_userip_connections = 100
}
but this leads to:
# doveconf -n
# 2.2.18: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8
doveconf: Fatal: Error in configuration file
/etc/dovecot/dovecot.conf line 30: Unknown setting: process_limit
doveconf: Error: managesieve-login: dump-capability process returned 89
doveconf: Fatal: Error in configuration file
/etc/dovecot/dovecot.conf line 30: Unknown setting: process_limit
However, here:
http://wiki.dovecot.org/Services#imap.2C_pop3.2C_managesieve I read:
imap, pop3, managesieve
process_limit defaults to 1024, which means that the number of
simultaneous IMAP (or POP3 or ManageSieve) connections is limited by
this setting. If you expect more connections, increase this value.
So, I was not expecting this error and can't see what's the problem.
Why "process_limit" is an unknown setting? What am I doing wrong?
Please clarify!
Thanks,
Nick
Re: [Dovecot] mail_max_userip_connections on a per user basis
On 20.6.2013, at 2.24, Antonio Leding t...@leding.net wrote:
Can the above setting be applied on a per user account basis?
I thought that maybe something like per account quotas might be a possible
method but not sure.
Nope. Although there's a mail_ prefix, the setting is actually handled by login
processes. You can have different values for different protocols (imap, pop3)
but not for different users. You could have them for different
source/destination IPs/networks though (local {}, remote {} blocks).
[Dovecot] mail_max_userip_connections on a per user basis
Hello, Can the above setting be applied on a per user account basis? I thought that maybe something like per account quotas might be a possible method but not sure. Thanks.
Re: [Dovecot] mail_max_userip_connections
On 12 March 2013 18:03, Axel Luttgens axelluttg...@swing.be wrote: Le 12 mars 2013 à 17:18, Simon Brereton simon.buongio...@gmail.com a écrit : [...] I suppose this implies it's the webmail client., So, to be sure: the webmail server is running on the same box as the one running Dovecot? Si. Yes. but even having that open on two different machines shouldn't open 10 connections. Should it? I tended to believe that usually, a webmail application tends to open/close connections sequentially, or to consecutively select relevant mailboxes within a single connection. But who knows... Which webmail app have you installed? I believe that as well, especially as I don't have tons of folders (some of my users do). I'm using Horde. When connecting to/making use of the webmail, you should at least see connect/disconnect entries written in Dovecot's log. Do they tend to overlap? With two machine and two phones, it's difficult to keep track of that - but I will try. To avoid that I was hoping there was a way to print out in table form which connections for which user were from where. And so now I have another reason to upgrade. I need to fix the mess I made with postfix first though. Simon
Re: [Dovecot] mail_max_userip_connections
On 03/13/13 05:37 AM, Simon Brereton wrote: On 12 March 2013 18:03, Axel Luttgens axelluttg...@swing.be wrote: Le 12 mars 2013 à 17:18, Simon Brereton simon.buongio...@gmail.com a écrit : [...] I suppose this implies it's the webmail client., So, to be sure: the webmail server is running on the same box as the one running Dovecot? Si. Yes. but even having that open on two different machines shouldn't open 10 connections. Should it? I tended to believe that usually, a webmail application tends to open/close connections sequentially, or to consecutively select relevant mailboxes within a single connection. But who knows... Which webmail app have you installed? I believe that as well, especially as I don't have tons of folders (some of my users do). I'm using Horde. Try imapproxy for Horde. It would keep a single connection to Dovecot open during a webmail session. http://www.horde.org/apps/imp/docs/PERFORMANCE Since Horde and Dovecot are on the same server, you can configure imapproxy on a different port, e.g. 1143. Horde - imapproxyd (port 1143) - Dovecot (port 143)
[Dovecot] mail_max_userip_connections
Hi Sometimes, I hit mail_max_userip_connections limit. As far as I know I'm the only person that does, but I would like to find out why before someone else hits the limit. Is there a command available that can list the connections per IP? I'd like to find out which client is causing this. Or do you have a better suggestion? Should I just raise the limit (it's still at the default 10, which I never changed). What are the implications of this. Thanks. Simon
Re: [Dovecot] mail_max_userip_connections
Le 12 mars 2013 à 14:43, Simon Brereton a écrit : Hi [...] Is there a command available that can list the connections per IP? Hello Simon, You could have a look at 'doveadm who' (http://wiki2.dovecot.org/Tools/Doveadm/Who). HTH, Axel
Re: [Dovecot] mail_max_userip_connections
On 12 Mar 2013 15:31, Axel Luttgens axelluttg...@swing.be wrote: Le 12 mars 2013 à 14:43, Simon Brereton a écrit : Hi [...] Is there a command available that can list the connections per IP? Hello Simon, You could have a look at 'doveadm who' ( http://wiki2.dovecot.org/Tools/Doveadm/Who). I really should get around to upgrading.. Simon
Re: [Dovecot] mail_max_userip_connections
Le 12 mars 2013 à 16:21, Simon Brereton a écrit : On 12 Mar 2013 15:31, Axel Luttgens wrote: [...] You could have a look at 'doveadm who' (http://wiki2.dovecot.org/Tools/Doveadm/Who). I really should get around to upgrading.. :-) Now, there are still the more generic ways, yet probably requiring a bit more guesswork; for example, assuming binary lsof is available on your system: sudo lsof -n -i :imap,pop3 On the other hand, I don't remember exactly what happens when that mail_max_userip_connections limit is hit; doesn't Dovecot log some hint that would allow you to track the culprit? Axel
Re: [Dovecot] mail_max_userip_connections
On 12 March 2013 16:59, Axel Luttgens axelluttg...@swing.be wrote: Le 12 mars 2013 à 16:21, Simon Brereton a écrit : On 12 Mar 2013 15:31, Axel Luttgens wrote: [...] You could have a look at 'doveadm who' (http://wiki2.dovecot.org/Tools/Doveadm/Who). I really should get around to upgrading.. :-) Now, there are still the more generic ways, yet probably requiring a bit more guesswork; for example, assuming binary lsof is available on your system: sudo lsof -n -i :imap,pop3 Handy. Thanks. Of course it only works in the instant I get the message (which isn't always apparent from the client). On the other hand, I don't remember exactly what happens when that mail_max_userip_connections limit is hit; doesn't Dovecot log some hint that would allow you to track the culprit? Well, not that I could see - that's why I asked on the list :) That's not to say it isn't there, but all I see in the log is: Mar 12 13:47:12 mail dovecot: imap-login: Maximum number of connections from user+IP exceeded (mail_max_userip_connections): user=si...@example.net, method=PLAIN, rip=127.0.0.1, secured I suppose this implies it's the webmail client., but even having that open on two different machines shouldn't open 10 connections. Should it? Simon
Re: [Dovecot] mail_max_userip_connections
Le 12 mars 2013 à 17:18, Simon Brereton simon.buongio...@gmail.com a écrit : [...] I suppose this implies it's the webmail client., So, to be sure: the webmail server is running on the same box as the one running Dovecot? but even having that open on two different machines shouldn't open 10 connections. Should it? I tended to believe that usually, a webmail application tends to open/close connections sequentially, or to consecutively select relevant mailboxes within a single connection. But who knows... Which webmail app have you installed? When connecting to/making use of the webmail, you should at least see connect/disconnect entries written in Dovecot's log. Do they tend to overlap? Axel
[Dovecot] dovecot: imap-login: Maximum number of connections from user+IP exceeded (mail_max_userip_connections)
Hi, has anyone seen this issue before as I have not. I'm a long time dovecot user and I don't see anything in the config that should cause this. The mail.log gets hit a lot of times with this same log message: dovecot: imap-login: Maximum number of connections from user+IP exceeded (mail_max_userip_connections) I have noted that it is more evident when I try to mass delete many messages. Any ideas of how to diagnose this issue? The dovecot -n follows: # 1.2.9: /etc/dovecot/dovecot.conf # OS: Linux 2.6.34.1-rscloud x86_64 Ubuntu 10.04.4 LTS log_timestamp: %Y-%m-%d %H:%M:%S login_dir: /var/run/dovecot/login login_executable: /usr/lib/dovecot/imap-login login_processes_count: 5 login_max_processes_count: 256 mail_privileged_group: mail mail_location: maildir:~/Maildir mail_debug: yes mbox_write_locks: fcntl dotlock auth default: realms: davidwbrown.name default_realm: dobbeltganger.com username_format: %n verbose: yes debug: yes debug_passwords: yes passdb: driver: shadow userdb: driver: passwd socket: type: listen client: path: /var/spool/postfix/private/auth mode: 432 user: postfix group: postfix
Re: [Dovecot] dovecot: imap-login: Maximum number of connections from user+IP exceeded (mail_max_userip_connections)
Il 04/03/2013 15:43, David Brown ha scritto:
Hi, has anyone seen this issue before as I have not.
I'm a long time dovecot user and I don't see anything in the config that
should cause this.
The mail.log gets hit a lot of times with this same log message:
dovecot: imap-login: Maximum number of connections from user+IP exceeded
(mail_max_userip_connections)
I have noted that it is more evident when I try to mass delete many
messages.
Any ideas of how to diagnose this issue?
Hi,
is not an issue but a configuration limit for prevent abuse.
You can increase these number with
protocol imap {
mail_max_userip_connections = 20
[...]
or you can see you current limit with dovecot -a
Ciao
--
Alessio Cecchi is:
@ ILS - http://www.linux.it/~alessice/
on LinkedIn - http://www.linkedin.com/in/alessice
Assistenza Sistemi GNU/Linux - http://www.cecchi.biz/
@ PLUG - ex-Presidente, adesso senatore a vita, http://www.prato.linux.it
[Dovecot] mail_max_userip_connections exceeded.
Hi I'm using Dovecot version 1:1.2.15-7 installed on Debian Squeeze via apt-get.. I have this error in the logs. /var/log/mail.log.1:2490:Jan 19 12:02:55 mail dovecot: imap-login: Maximum number of connections from user+IP exceeded (mail_max_userip_connections): user=u...@example.com, method=PLAIN, rip=127.0.0.1, secured I never changed this from the default 10. When I googled this error there was a thread on this list from May 2011 that indicated one would need one connection per user per subscribed folder. However, I know that user doesn't have 10 folders, let alone 10 subscribed folders! I can increase, it but it's not going to scale well. And there are people on this list with many 1000x users than I have - so how do they deal with that? 127.0.0.1 is obviously webmail (IMP5). So, how/why am I seeing this, and should I be concerned? Simon
Re: [Dovecot] mail_max_userip_connections exceeded.
On 01/20/2012 06:06 PM, Simon Brereton wrote: I have this error in the logs. /var/log/mail.log.1:2490:Jan 19 12:02:55 mail dovecot: imap-login: Maximum number of connections from user+IP exceeded (mail_max_userip_connections): user=u...@example.com, method=PLAIN, rip=127.0.0.1, secured I never changed this from the default 10. When I googled this error there was a thread on this list from May 2011 that indicated one would need one connection per user per subscribed folder. However, I know that user doesn't have 10 folders, let alone 10 subscribed folders! I can increase, it but it's not going to scale well. And there are people on this list with many 1000x users than I have - so how do they deal with that? 127.0.0.1 is obviously webmail (IMP5). So, how/why am I seeing this, and should I be concerned? Well, it really does look like IMP is using more than 10 connections at the same time. Or perhaps some of the existing connections are just hanging for some reason after IMP already discarded them, such as maybe a very long running SEARCH command was started and IMP then gave up. You could look at the process list (with verbose_proctitle=yes) and check if the user has other processes hanging at the time when this error is logged.
Re: [Dovecot] mail_max_userip_connections exceeded.
Simon Brereton simon.brere...@buongiorno.com writes:
/var/log/mail.log.1:2490:Jan 19 12:02:55 mail dovecot: imap-login:
Maximum number of connections from user+IP exceeded
(mail_max_userip_connections): user=u...@example.com, method=PLAIN,
rip=127.0.0.1, secured
I never changed this from the default 10. When I googled this error
there was a thread on this list from May 2011 that indicated one would
need one connection per user per subscribed folder. However, I know
that user doesn't have 10 folders, let alone 10 subscribed folders! I
can increase, it but it's not going to scale well. And there are
people on this list with many 1000x users than I have - so how do they
deal with that?
127.0.0.1 is obviously webmail (IMP5).
IMAP proxy or lack of proxy?
IMAP proxy could be a problem if the user had opened more than 10 (unique)
mailboxes. The proxy would keep this connection open until a timeout, and
after some time, could accumulate more connections than your limit.
The lack of proxy could solve your problem if for some reason your webmail
software is not closing the IMAP connection properly (I assume IMP does a
connect/authenticate/IMAP command/logout for every webmail operation).
Every connection (even to the same mailbox) would open up a new connection.
The proxy software will recognize the reconnnection and funnel it through
its cached connection.
You can lsof the user's IMAP processes (or troll through
/proc/{imap-process} or what you have) to figure out which mailboxes it
has opened. On my system, file descriptor 9 and 11 gives you the names
of the index files that indicate which mailboxes are being accessed.
Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] mail_max_userip_connections exceeded.
On 1/20/2012 4:48 PM, Joseph Tam wrote:
Simon Brereton simon.brere...@buongiorno.com writes:
/var/log/mail.log.1:2490:Jan 19 12:02:55 mail dovecot: imap-login:
Maximum number of connections from user+IP exceeded
(mail_max_userip_connections): user=u...@example.com, method=PLAIN,
rip=127.0.0.1, secured
I never changed this from the default 10. When I googled this error
there was a thread on this list from May 2011 that indicated one would
need one connection per user per subscribed folder. However, I know
that user doesn't have 10 folders, let alone 10 subscribed folders! I
can increase, it but it's not going to scale well. And there are
people on this list with many 1000x users than I have - so how do they
deal with that?
127.0.0.1 is obviously webmail (IMP5).
IMAP proxy or lack of proxy?
IMAP proxy could be a problem if the user had opened more than 10 (unique)
mailboxes. The proxy would keep this connection open until a timeout, and
after some time, could accumulate more connections than your limit.
The lack of proxy could solve your problem if for some reason your webmail
software is not closing the IMAP connection properly (I assume IMP does a
connect/authenticate/IMAP command/logout for every webmail operation).
Every connection (even to the same mailbox) would open up a new connection.
The proxy software will recognize the reconnnection and funnel it through
its cached connection.
You can lsof the user's IMAP processes (or troll through
/proc/{imap-process} or what you have) to figure out which mailboxes it
has opened. On my system, file descriptor 9 and 11 gives you the names
of the index files that indicate which mailboxes are being accessed.
Joseph Tam jtam.h...@gmail.com
I'm not sure that I saw the beginning of this thread but I got the same
error. I traced it to the fact that my destktop and my phone email
programs were both trying to access my imap from the same local network.
I changed it to 20 and I haven't seen any more problems. I don't know
if that would be a problem on a really heavily used server or not.
--
Knute Johnson
Re: [Dovecot] mail_max_userip_connections=10
Timo Sirainen tss at iki.fi writes:
On 19.9.2011, at 11.27, Tom Clark wrote:
Is there anyway of whitelisting an IP so that it can ignore
mail_max_userip_connections=10?
With v2.0 in theory:
remote 1.2.3.4 {
mail_max_userip_connections = 0
}
I don't know if it actually works.
Not sure I follow- in which conf file would it be appropriate to place this? Is
it possible to maintain separate values for the same config directive?
(I'm having a similar problem with iOS devices connecting to our server- they
seem to open multiple connections, easily going over 10 if they have many
subscribed directories).
Thanks,
-E-
Re: [Dovecot] mail_max_userip_connections=10
On 19.9.2011, at 11.27, Tom Clark wrote:
Is there anyway of whitelisting an IP so that it can ignore
mail_max_userip_connections=10?
With v2.0 in theory:
remote 1.2.3.4 {
mail_max_userip_connections = 0
}
I don't know if it actually works.
What should we set mail_max_userip_connections too realistically? 10 seems a
bit low?
It's 10 because I thought it would be enough :)
Re: [Dovecot] mail_max_userip_connections=10
Thanks Timo. I've been doing some investigation. Apart from K9 being
fundamentally broken 10 is fine!
I'll try the remote fix.
-Original Message-
From: Timo Sirainen [mailto:t...@iki.fi]
Sent: 22 September 2011 2:49 PM
To: Tom Clark
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] mail_max_userip_connections=10
On 19.9.2011, at 11.27, Tom Clark wrote:
Is there anyway of whitelisting an IP so that it can ignore
mail_max_userip_connections=10?
With v2.0 in theory:
remote 1.2.3.4 {
mail_max_userip_connections = 0
}
I don't know if it actually works.
What should we set mail_max_userip_connections too realistically? 10
seems a bit low?
It's 10 because I thought it would be enough :)
Re: [Dovecot] mail_max_userip_connections=10
If it is the same problem with K9 (although Timo doesn't think it is) we fixed it on the K9 machine by turning off PUSH mail folders. Tom -Original Message- From: dovecot-boun...@dovecot.org [mailto:dovecot-boun...@dovecot.org] On Behalf Of Timo Sirainen Sent: 19 September 2011 7:12 PM To: Asai Cc: Dovecot Mailing List Subject: Re: [Dovecot] mail_max_userip_connections=10 On 19.9.2011, at 20.43, Asai wrote: If you figure it out, please post the solution, because we're running into a similar issue right now with K9 mail where it's causing us to get this error:imap-login: Disconnected: Connection queue full That's a different problem. You need to increase number of login processes / connections. http://wiki2.dovecot.org/LoginProcess
Re: [Dovecot] mail_max_userip_connections=10
On 9/19/2011 7:36 AM, Tom Clark wrote: Hi Paul, It's coming from the same IP address through his ADSL. Hence he gets the problem with max_userip_connections. I think I tracked down the problem. He's been using K9 mail which seems to have a problem where it doesn't release a connection and has 1 connection per subscribed folder The reasoning behind the multiple socket communication design in the IMAP protocol is flawed, thus we end up with problems like yours, and others. It may have looked good on the white board but it doesn't seem to add benefit in production--only add problems. At least from an SA's perspective. Just about every other modern internet protocol gets by with a single socket, and many of those applications are more complex than IMAP. Multiple virtual channels are a good idea at the data link layer of WAN communications links, and work well there. They're a lousy idea at the application layer, however, as the IMAP protocol clearly demonstrates. Everything IMAP does over multiple sockets could have been accomplished over a single socket, with no noticeable decrease in performance, but with fewer SA headaches and fewer server resources consumed. I eagerly await a successor to the current version of IMAP, which will hopefully do away with this problematic, unnecessary, multiple socket nonsense. It may be a long wait, unfortunately... -- Stan
Re: [Dovecot] mail_max_userip_connections=10
Thanks for the insight, Tom. Yeah, it was a different problem, and we solved it. On 9/20/2011 1:15 AM, Tom Clark wrote: If it is the same problem with K9 (although Timo doesn't think it is) we fixed it on the K9 machine by turning off PUSH mail folders. Tom -Original Message- From: dovecot-boun...@dovecot.org [mailto:dovecot-boun...@dovecot.org] On Behalf Of Timo Sirainen Sent: 19 September 2011 7:12 PM To: Asai Cc: Dovecot Mailing List Subject: Re: [Dovecot] mail_max_userip_connections=10 On 19.9.2011, at 20.43, Asai wrote: If you figure it out, please post the solution, because we're running into a similar issue right now with K9 mail where it's causing us to get this error:imap-login: Disconnected: Connection queue full That's a different problem. You need to increase number of login processes / connections. http://wiki2.dovecot.org/LoginProcess
[Dovecot] mail_max_userip_connections=10
Hi, A couple of questions rather than a problem for once! We've got our Dovecot server running smoothly now apart from our MD. He's having problems with mail_max_userip_connections. He has 3 (Phone/Laptop/Tablet) items that all connect to the server at about the same time. Which means he's frequently running over the max_userip_connections. My questions are: Is there anyway of whitelisting an IP so that it can ignore mail_max_userip_connections=10? What should we set mail_max_userip_connections too realistically? 10 seems a bit low? Thanks Tom
Re: [Dovecot] mail_max_userip_connections=10
On 09/19/11 04:27, Tom Clark wrote: Hi, A couple of questions rather than a problem for once! We've got our Dovecot server running smoothly now apart from our MD. He's having problems with mail_max_userip_connections. He has 3 (Phone/Laptop/Tablet) items that all connect to the server at about the same time. Which means he's frequently running over the max_userip_connections. My questions are: Is there anyway of whitelisting an IP so that it can ignore mail_max_userip_connections=10? What should we set mail_max_userip_connections too realistically? 10 seems a bit low? Hi Tom, The setting mail_max_userip_connections is per IP. from 20-imap.conf (version 2.0.13, the version we are running) # Maximum number of IMAP connections allowed for a user from each IP address. # NOTE: The username is compared case-sensitively. #mail_max_userip_connections = 10 I am going to assume he has a different IP for each device, in this case that would allow up to 30 connections. You need to post your 'doveconf -n' output! Cheers, Paul
Re: [Dovecot] mail_max_userip_connections=10
Hi Paul, It's coming from the same IP address through his ADSL. Hence he gets the problem with max_userip_connections. I think I tracked down the problem. He's been using K9 mail which seems to have a problem where it doesn't release a connection and has 1 connection per subscribed folder Ta, Tom -Original Message- From: Paul Griffith [mailto:pa...@cse.yorku.ca] Sent: 19 September 2011 1:30 PM To: Tom Clark Cc: dovecot@dovecot.org Subject: Re: [Dovecot] mail_max_userip_connections=10 On 09/19/11 04:27, Tom Clark wrote: Hi, A couple of questions rather than a problem for once! We've got our Dovecot server running smoothly now apart from our MD. He's having problems with mail_max_userip_connections. He has 3 (Phone/Laptop/Tablet) items that all connect to the server at about the same time. Which means he's frequently running over the max_userip_connections. My questions are: Is there anyway of whitelisting an IP so that it can ignore mail_max_userip_connections=10? What should we set mail_max_userip_connections too realistically? 10 seems a bit low? Hi Tom, The setting mail_max_userip_connections is per IP. from 20-imap.conf (version 2.0.13, the version we are running) # Maximum number of IMAP connections allowed for a user from each IP address. # NOTE: The username is compared case-sensitively. #mail_max_userip_connections = 10 I am going to assume he has a different IP for each device, in this case that would allow up to 30 connections. You need to post your 'doveconf -n' output! Cheers, Paul
Re: [Dovecot] mail_max_userip_connections=10
On 9/19/2011 5:36 AM, Tom Clark wrote: Hi Paul, It's coming from the same IP address through his ADSL. Hence he gets the problem with max_userip_connections. I think I tracked down the problem. He's been using K9 mail which seems to have a problem where it doesn't release a connection and has 1 connection per subscribed folder Ta, Tom If you figure it out, please post the solution, because we're running into a similar issue right now with K9 mail where it's causing us to get this error:imap-login: Disconnected: Connection queue full
Re: [Dovecot] mail_max_userip_connections=10
On 19.9.2011, at 20.43, Asai wrote: If you figure it out, please post the solution, because we're running into a similar issue right now with K9 mail where it's causing us to get this error:imap-login: Disconnected: Connection queue full That's a different problem. You need to increase number of login processes / connections. http://wiki2.dovecot.org/LoginProcess
Re: [Dovecot] exceeded mail_max_userip_connections
On Sun, May 8, 2011 12:03 pm, Voytek Eymont wrote: SSL: Connection secure. IMAP Server: Maximum number of connections from user+IP exceeded (mail_max_userip_connections) so if I have Squirell logged in all the time, plus K-9 running, plus occasionally use IMAP client on my Palm, how many connections should I allow ? -- Voytek
Re: [Dovecot] exceeded mail_max_userip_connections
On 11:59 AM, Voytek Eymont wrote: On Sun, May 8, 2011 12:03 pm, Voytek Eymont wrote: SSL: Connection secure. IMAP Server: Maximum number of connections from user+IP exceeded (mail_max_userip_connections) so if I have Squirell logged in all the time, plus K-9 running, plus occasionally use IMAP client on my Palm, how many connections should I allow ? As many as one per client per subscribed folder, but ... Possibly Squirell is using a different IP (localhost, 127.0.0.1) and doesn't count. I suspect the issue is with K-9. I had similar issues with older versions of K-9. They went away at some point. I'm currently using K-9 3.604. If you are using an older version of K-9, particularly a 2.xxx version, I suggest you upgrade. -- Mark Sapiro m...@msapiro.netThe highway is for gamblers, San Francisco Bay Area, Californiabetter use your sense - B. Dylan
Re: [Dovecot] exceeded mail_max_userip_connections
On Mon, May 9, 2011 11:51 am, Mark Sapiro wrote: Voytek Eymont wrote: I thought it was 3.6x, I installed off market abt one week ago If you got it a week ago from the market, it's probably 3.604. thanks, 3.605 -- Voytek
[Dovecot] exceeded mail_max_userip_connections
Dumb Q I just got this in my Snapper client log I can't acces server log at this point dovecot 1.x I can access another account OK what it means, what I need do? (is this as I have K-9 client access same mail?) -- START MANUAL: 8/5/11 10:55 am RECEIVE: ACCOUNT: voytek SSL: Connection secure. IMAP Server: Maximum number of connections from user+IP exceeded (mail_max_userip_connections) Invalid login. Check username and password. DURATION: 3 END: 8/5/11 10:55 am Voytek Eymont ___ Sent from my iPalm/A with SnapperMail ™® www.snappermail.com
[Dovecot] Meaning of mail_max_userip_connections?
Hi, I set mail_max_userip_connections in our IMAP configuration to mail_max_userip_connections = 10 to allow users 10 parallel connections. It seems that this also limits the amount of parallel connections from one IP but different users?! Our users mostly accessing the IMAP server by a webmailer or proxies. Thus, all users (1) come from only 5 different IP. However, I got a lot of complaints about denied connections after setting mail_max_userip_connections = 10. Am I right with the meaning of this parameter? Thanks in advance Harry
Re: [Dovecot] Meaning of mail_max_userip_connections?
Harald Strack put forth on 9/27/2010 3:59 AM: Hi, I set mail_max_userip_connections in our IMAP configuration to mail_max_userip_connections = 10 to allow users 10 parallel connections. It seems that this also limits the amount of parallel connections from one IP but different users?! Our users mostly accessing the IMAP server by a webmailer or proxies. Thus, all users (1) come from only 5 different IP. However, I got a lot of complaints about denied connections after setting mail_max_userip_connections = 10. Am I right with the meaning of this parameter? More importantly, what were you attempting to accomplish by setting this? What problem were you expecting it to solve? Webmail servers typically don't hold an IMAP connection open for more than a few seconds so this setting does nothing in a webmail only environment. Proxies on the other hand, such as imapproxy, will hold concurrent connections open for quite a while. Enabling this setting with upstream imap proxies is a bad idea, as you've discovered. Again, what specific problem are you trying to solve? -- Stan
Re: [Dovecot] Meaning of mail_max_userip_connections?
Hi Stan, thank you very much for your help! On Mon, 2010-09-27 at 04:24 -0500, Stan Hoeppner wrote: Harald Strack put forth on 9/27/2010 3:59 AM: Hi, I set mail_max_userip_connections in our IMAP configuration to mail_max_userip_connections = 10 to allow users 10 parallel connections. It seems that this also limits the amount of parallel connections from one IP but different users?! Our users mostly accessing the IMAP server by a webmailer or proxies. Thus, all users (1) come from only 5 different IP. However, I got a lot of complaints about denied connections after setting mail_max_userip_connections = 10. Am I right with the meaning of this parameter? More importantly, what were you attempting to accomplish by setting this? What problem were you expecting it to solve? Webmail servers typically don't hold an IMAP connection open for more than a few seconds so this setting does nothing in a webmail only environment. We do have 1000s of parallel connections. Even a few seconds per connection needs more than 10 parallel connections. Proxies on the other hand, such as imapproxy, will hold concurrent connections open for quite a while. Enabling this setting with upstream imap proxies is a bad idea, as you've discovered. We do not use imapproxy. Our proxies behave more like NAT-gateways: the IMAP-Server get's a lot of connections from different users from the same IP. Again, what specific problem are you trying to solve? we have the problem that some users forked more than 100 processes (in one case we know the user was accessing the server with a custom script, some are caused by any buggy clients that do too many reconnects...). We want to limit the number of imap processes per user to 10, but not the number of processes per client IP (because of the proxies). Any idea? Thanks in advance Harry
Re: [Dovecot] Meaning of mail_max_userip_connections?
On Mon, 2010-09-27 at 12:17 +0200, Harald Strack wrote: Our users mostly accessing the IMAP server by a webmailer or proxies. Thus, all users (1) come from only 5 different IP. However, I got a lot of complaints about denied connections after setting mail_max_userip_connections = 10. We want to limit the number of imap processes per user to 10, but not the number of processes per client IP (because of the proxies). For that mail_max_userip_connections should have worked. If you get complaints then it's because some client opens more than 10 connections (or user has multiple clients open from same IP) or your webmail opens 10 connections simultaneously. You didn't say if the complains were from webmail users or from IMAP client users.. Assuming webmail, I guess the problem is that it just opens so many connections. With v2.0 you could specify different limits to a certain network range (i.e. disable it for webmail, keep it for rest). BTW. The default for mail_max_userip_connections is 10, so do you mean before you had it set to 0?
Re: [Dovecot] Meaning of mail_max_userip_connections?
Hi Timo, On Mon, 2010-09-27 at 13:50 +0100, Timo Sirainen wrote: On Mon, 2010-09-27 at 12:17 +0200, Harald Strack wrote: Our users mostly accessing the IMAP server by a webmailer or proxies. Thus, all users (1) come from only 5 different IP. However, I got a lot of complaints about denied connections after setting mail_max_userip_connections = 10. We want to limit the number of imap processes per user to 10, but not the number of processes per client IP (because of the proxies). For that mail_max_userip_connections should have worked. If you get complaints then it's because some client opens more than 10 connections (or user has multiple clients open from same IP) or your webmail opens 10 connections simultaneously. Accordingly, mail_max_userip_connections limits the number of connections from an IP. To deal with a scenario, when 400 Users behind a NAT-gateway come from the same IP (the gateway), we have to set mail_max_userip_connections = 400, right? You didn't say if the complains were from webmail users or from IMAP client users.. Assuming webmail, I guess the problem is that it just opens so many connections. Both. With v2.0 you could specify different limits to a certain network range (i.e. disable it for webmail, keep it for rest). Will there also be a limit per user? BTW. The default for mail_max_userip_connections is 10, so do you mean before you had it set to 0? Nearly. We had it set to 1000 and we set it to 1000 again now. best regards Harry
Re: [Dovecot] Meaning of mail_max_userip_connections?
On Mon, 2010-09-27 at 15:30 +0200, Harald Strack wrote: Accordingly, mail_max_userip_connections limits the number of connections from an IP. To deal with a scenario, when 400 Users behind a NAT-gateway come from the same IP (the gateway), we have to set mail_max_userip_connections = 400, right? No, wrong. It's a user+ip combination. Each different user behind the same IP can use up to 10 connections with mail_max_userip_connections=10. BTW. What Dovecot version? If this isn't working as expected, maybe dovecot -n output could show something useful..
Re: [Dovecot] Meaning of mail_max_userip_connections?
Hi Timo, On Mon, 2010-09-27 at 14:42 +0100, Timo Sirainen wrote: On Mon, 2010-09-27 at 15:30 +0200, Harald Strack wrote: Accordingly, mail_max_userip_connections limits the number of connections from an IP. To deal with a scenario, when 400 Users behind a NAT-gateway come from the same IP (the gateway), we have to set mail_max_userip_connections = 400, right? No, wrong. It's a user+ip combination. Each different user behind the same IP can use up to 10 connections with mail_max_userip_connections=10. Thanks a lot for your explanation! However, now I am at the beginning again. BTW. What Dovecot version? If this isn't working as expected, maybe dovecot -n output could show something /usr/local We do not use the most recent version... but was there a bug with this parameter? # 1.2.8: /usr/local/dovecot-1.2.8/etc/dovecot.conf # OS: SunOS 5.10 sun4u base_dir: /var/run/dovecot-1.2.8 log_path: /var/log/dovecot.log info_log_path: /var/log/dovecot.log log_timestamp: %Y-%m-%d %H:%M:%S listen: *:143 ssl_listen: *:993 ssl_cert_file: /usr/local/dovecot/etc/cert.pem ssl_key_file: /usr/local/dovecot/etc/key.pem verbose_ssl: yes login_dir: /var/run/dovecot-1.2.8/login login_executable: /usr/local/dovecot-1.2.8/libexec/dovecot/imap-login login_processes_count: 8 login_max_processes_count: 8192 max_mail_processes: 16084 mail_max_userip_connections: 1000 mail_privileged_group: mail mail_location: mbox:~/dovecot-home:LAYOUT=maildir++:INBOX=/var/mail/% u:INDEX=%h/dovecot-indexes mail_debug: yes mmap_disable: yes mbox_write_locks: fcntl dotlock mail_plugins: listescape imap_client_workarounds: netscape-eoh delay-newmail outlook-idle namespace: type: private separator: / inbox: yes list: yes subscriptions: yes auth default: debug: yes passdb: driver: pam userdb: driver: passwd best regards Harry
Re: [Dovecot] Meaning of mail_max_userip_connections?
On Mon, 2010-09-27 at 15:57 +0200, Harald Strack wrote: No, wrong. It's a user+ip combination. Each different user behind the same IP can use up to 10 connections with mail_max_userip_connections=10. Thanks a lot for your explanation! However, now I am at the beginning again. You could try doing some tests to see if you can trigger the problem. Or try to reduce the value from 1000 first to 100 and then maybe drop until people start complaning about and raise it a bit higher :) BTW. What Dovecot version? If this isn't working as expected, maybe dovecot -n output could show something /usr/local We do not use the most recent version... but was there a bug with this parameter? I was thinking if you were maybe using some really old version or maybe if you were using v2.0 and if there maybe had been some new bug. login_processes_count: 8 login_max_processes_count: 8192 Maybe you should set login_process_per_connection=no. http://wiki.dovecot.org/LoginProcess
Re: [Dovecot] mail_max_userip_connections
On Thu, 2009-12-10 at 11:24 -0800, Richard Stockton wrote: What is the appropriate setting for mail_max_userip_connections ? My POP3 connections seem to be mostly 1 at a time, Right, there's rarely need for more. but my IMAP connections are often 3 per user per IP. Is this appropriate? Thunderbird by default can use 5 connections I think. If I change the IMAP setting to mail_max_userip_connections=1 will it break things for the user? Probably. I am trying to improve this situation: ps auxwww | grep imap | wc 2373080 22400 What's the problem with that? Are you running out of memory? v2.0 adds initial support for handling multiple connections in one process. signature.asc Description: This is a digitally signed message part
[Dovecot] mail_max_userip_connections
What is the appropriate setting for mail_max_userip_connections ? My POP3 connections seem to be mostly 1 at a time, but my IMAP connections are often 3 per user per IP. Is this appropriate? If I change the IMAP setting to mail_max_userip_connections=1 will it break things for the user? I am trying to improve this situation: ps auxwww | grep imap | wc 2373080 22400 TIA, - Richard
[Dovecot] Missing mail_max_userip_connections setting
Hi, I'm having a problem with a webmail client trying to open multiple IMAP connections with dovecot, and hitting a cap. I see from the error logs from this program that it's hitting the mail_max_userip_connections cap, but I'm not seeing this value as defined in the dovecot.conf file. Would this automatically get set to a certain value by default if it's not present? Thanks, * * Tom Goerger - Email/Unix System Administrator * * * * University of Minnesota Email: t...@umn.edu * * Operations, Infrastructure and Architecture Phone: 4-5804 * * Internet ServicesOffice: 626J WBOB* * * *
Re: [Dovecot] Missing mail_max_userip_connections setting
On Fri, 2009-04-03 at 14:34 -0500, Thomas M Goerger wrote: Hi, I'm having a problem with a webmail client trying to open multiple IMAP connections with dovecot, and hitting a cap. I see from the error logs from this program that it's hitting the mail_max_userip_connections cap, but I'm not seeing this value as defined in the dovecot.conf file. You probably have your dovecot.conf based on v1.0's dovecot-example.conf. It's in v1.1's dovecot-example.conf. Would this automatically get set to a certain value by default if it's not present? Yes, 10. signature.asc Description: This is a digitally signed message part
