Joe Allesi -X (joallesi - Coyote Creek Consulting at Cisco)
2007-Nov-19 17:24 UTC
[Dovecot] Throttle New Connections?
All,

Is anyone using iptables (recent module), or any other alternatives, to throttle the number of new imap or pop connections per minute? We have some applications that like to login every second to pull mail using imap, so we'd like to protect the entire dovecot server from these applications. We've already made the change over to high-perf mode, but we still need some type of denial of service protection. Any real-world data would be appreciated. Thanks!
This may be off topic - but you could always use something like imapproxy in front of your dovecot IMAP daemon. We do this locally for our webmail clients which use IMAP for the access to the mail store. Imapproxy can be found here: http://imapproxy.org/

-----Original Message-----
From: dovecot-bounces+breu=cfu.net at dovecot.org [mailto:dovecot-bounces+breu=cfu.net at dovecot.org] On Behalf Of Joe Allesi -X (joallesi - Coyote Creek Consulting at Cisco)
Sent: Monday, November 19, 2007 11:25 AM
To: Dovecot Mailing List
Subject: [Dovecot] Throttle New Connections?

All,

Is anyone using iptables (recent module), or any other alternatives, to throttle the number of new imap or pop connections per minute? We have some applications that like to login every second to pull mail using imap, so we'd like to protect the entire dovecot server from these applications. We've already made the change over to high-perf mode, but we still need some type of denial of service protection. Any real-world data would be appreciated. Thanks!
On Nov 19, 2007, at 9:24 AM, Joe Allesi -X (joallesi - Coyote Creek Consulting at Cisco) wrote:

> All,
>
> Is anyone using iptables (recent module), or any other alternatives, to throttle the number of new imap or pop connections per minute? We have some applications that like to login every second to pull mail using imap, so we'd like to protect the entire dovecot server from these applications. We've already made the change over to high-perf mode, but we still need some type of denial of service protection. Any real-world data would be appreciated.

Yeah, I throttle initial connections per IP to something like 15 or 20. I started doing this after I got hit with a little more than 600 connections/second for a few minutes. I use OpenBSD with pf.

Sean
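The per-IP limit on new connections that the original post asks about, as an added example that is not from anyone in this thread: a POSIX shell function that emits iptables rules using the recent match to cap new IMAP/POP connections per source address per window, which is the Linux counterpart of the pf throttle Sean describes. The chain name MAIL_THROTTLE, the list name mailconn, the port set and the default of 20 per 60 seconds are my own choices, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (or applies) iptables rules that
# use the "recent" match to cap NEW IMAP/POP connections per source IP.
# Chain name MAIL_THROTTLE, list name mailconn, the port list and the
# defaults are assumptions chosen for this example.
mail_throttle_rules() {
    window="${1:-60}"     # look-back window in seconds
    max_new="${2:-20}"    # SYNs allowed per source IP inside the window
    ipt="${3:-iptables}"  # pass "echo iptables" to print rules instead
    ports="110,143,993,995"

    # Separate chain so the throttle can be listed or flushed on its own.
    # $ipt is deliberately unquoted so "echo iptables" splits into two words.
    $ipt -N MAIL_THROTTLE 2>/dev/null || $ipt -F MAIL_THROTTLE

    # Only TCP SYNs (new connections) to the mail ports are counted; an
    # application's already-established IMAP session is never touched.
    $ipt -A INPUT -p tcp -m multiport --dports "$ports" --syn -j MAIL_THROTTLE

    # Drop the SYN when this source already has max_new entries inside the
    # window. --update also refreshes the timestamp, so a client that keeps
    # retrying stays blocked until it has been quiet for a whole window;
    # use --rcheck instead if retries should not extend the block.
    $ipt -A MAIL_THROTTLE -m recent --name mailconn --update \
        --seconds "$window" --hitcount "$max_new" -j DROP

    # Otherwise record this SYN for the source and accept it.
    $ipt -A MAIL_THROTTLE -m recent --name mailconn --set -j ACCEPT
}

# Caveats: the kernel keeps at most ip_pkt_list_tot (default 20) timestamps
# per address, so --hitcount above 20 needs that xt_recent module parameter
# raised; every client behind one NAT shares a single counter; the live list
# can be inspected in /proc/net/xt_recent/mailconn. The pf counterpart Sean
# alludes to is a state option such as
#   keep state (max-src-conn-rate 15/60, overload <table> flush)

# Dry run: print the rules for review (20 new connections per minute).
mail_throttle_rules 60 20 "echo iptables"
```

Run with no third argument (as root) to install the rules; the dry run above prints the four iptables commands so they can be reviewed first.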