I have dovecot 1.0.5 installed on an OpenBSD 4.1 box and an OS X
Server 10.4.10 box.
Sure you've all heard it before, because of the pipe error, no more
login processes can be launched, and I have to restart the server.
dovecot: Sep 13 05:50:00 Error: pipe() failed: Too many open files
I first thought this was the issue with kqueue, but I've since
recompiled making sure to use poll. This also happened with 1.0.3 and
1.0.2.
It also happens very specifically after a dictionary attack that
lasts usually about an hour, unless I can catch it earlier. (Around
18,000 login attempts)
ex:
dovecot: Sep 13 05:49:58 Info: pop3-login: Aborted login:
user=<aaron>, method=PLAIN, rip=62.161.41.32, lip=<local ip>
dovecot: Sep 13 05:49:58 Info: pop3-login: Aborted login: user=<adm>,
method=PLAIN, rip=62.161.41.32, lip=<local ip>
dovecot: Sep 13 05:49:58 Info: pop3-login: Aborted login:
user=<account>, method=PLAIN, rip=62.161.41.32, lip=<local ip>
But after the attack has subsided for a period of time, I still have
the number of file descriptors maxed out for the dovecot process.
I've increased the number available to have a higher roof, but that
doesn't fix the problem.
Wondering if anyone else has seen this issue, and also in a generic
problem. How are others dealing the the problem of being attacked in
this method? Is there a max number of login tries for a given ip
address within a period of time that I'm missing? :)
Thanks,
Patrick