dovecot - Mar 2017 - Dovecot 2.2.27 proxy - enforcing per client IP connection limits

Hi,

Trying to keep abusive/buggy IMAP clients at bay on a number of Dovecot 
proxy servers, I've reconfigured them to use 
"mail_max_userip_connections = 50" in the "protocol imap"
section,
followed by restarting Dovecot. Yet, I'm still seeing 160+ established 
connections from a single IP address for the same email account. Am I 
missing anything?

# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 2.6.32-642.4.2.el6.x86_64 x86_64 CentOS release 6.8 (Final)
auth_cache_negative_ttl = 5 mins
auth_cache_size = 16 M
auth_cache_ttl = 18 hours
default_client_limit = 6120
default_process_limit = 500
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart 
extracttext imapflags notify
mbox_write_locks = fcntl
namespace inbox {
   inbox = yes
   location    mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix }
passdb {
   args = /etc/dovecot/dovecot-sql.conf.ext
   driver = sql
}
plugin {
   sieve = file:~/sieve;active=~/.dovecot.sieve
   sieve_extensions = +notify +imapflags
}
protocols = imap pop3 lmtp sieve
service auth {
   client_limit = 6120
}
service imap-login {
   process_limit = 2048
   process_min_avail = 20
   service_count = 0
   vsz_limit = 256 M
}
service imap {
   process_limit = 2048
}
service managesieve-login {
   inet_listener sieve {
     port = 4190
   }
   service_count = 0
   vsz_limit = 128 M
}
service managesieve {
   process_limit = 1024
}
service pop3 {
   process_limit = 1024
}
[...]
protocol imap {
   imap_capability = IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
   mail_max_userip_connections = 50
}


-- 
Adi Pircalabu

Quick follow-up: updated the proxies to 2.2.28, but I still couldn't 
find a way to limit the inbound IMAP connections per IP & username. I 
know "mail_max_userip_connections" limit works for the mail stores,
but
it doesn't seem to have any effect on the proxies. I'm using a mix of 
Dovecot & Courier-IMAP servers as backends.
Basically I need to find a way to enforce the maximum limit for the 
username<>remoteip so that, if I have:
ESTCONNS=`doveadm -f flow proxy list | grep 
"username=usern at domain.com.proto=imap" | wc -l`
$ESTCONNS is lower or equal than the configured limit.
The proxies are configured as per 
https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy to forward 
the password to the remote server using MySQL. In dovecot-sql.conf.ext I 
have:
password_query = SELECT NULL AS password, 'Y' as nopassword, host, email
as email, 'any-cert' as 'starttls', 'Y' AS proxy FROM
mailbox WHERE
email = '%u' AND disabled_smtpauth=0

At the moment the only way I can limit the number of established 
connections per source IP address on the Dovecot proxies is using 
iptables, which isn't what I want.
Where else can I look?

Adi Pircalabu, System Administrator
DDNS, a Total Internet Company
159 Barkly Avenue, Burnley, Vic 3121, T +61 3 9815 6868

On 08/03/17 12:32, Adi Pircalabu wrote:
> Hi,
> 
> Trying to keep abusive/buggy IMAP clients at bay on a number of Dovecot 
> proxy servers, I've reconfigured them to use 
> "mail_max_userip_connections = 50" in the "protocol
imap" section,
> followed by restarting Dovecot. Yet, I'm still seeing 160+ established 
> connections from a single IP address for the same email account. Am I 
> missing anything?
> 
> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.16 (fed8554)
> # OS: Linux 2.6.32-642.4.2.el6.x86_64 x86_64 CentOS release 6.8 (Final)
> auth_cache_negative_ttl = 5 mins
> auth_cache_size = 16 M
> auth_cache_ttl = 18 hours
> default_client_limit = 6120
> default_process_limit = 500
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope 
> encoded-character vacation subaddress comparator-i;ascii-numeric 
> relational regex imap4flags copy include variables body enotify 
> environment mailbox date index ihave duplicate mime foreverypart 
> extracttext imapflags notify
> mbox_write_locks = fcntl
> namespace inbox {
>    inbox = yes
>    location >    mailbox Drafts {
>      special_use = \Drafts
>    }
>    mailbox Junk {
>      special_use = \Junk
>    }
>    mailbox Sent {
>      special_use = \Sent
>    }
>    mailbox "Sent Messages" {
>      special_use = \Sent
>    }
>    mailbox Trash {
>      special_use = \Trash
>    }
>    prefix > }
> passdb {
>    args = /etc/dovecot/dovecot-sql.conf.ext
>    driver = sql
> }
> plugin {
>    sieve = file:~/sieve;active=~/.dovecot.sieve
>    sieve_extensions = +notify +imapflags
> }
> protocols = imap pop3 lmtp sieve
> service auth {
>    client_limit = 6120
> }
> service imap-login {
>    process_limit = 2048
>    process_min_avail = 20
>    service_count = 0
>    vsz_limit = 256 M
> }
> service imap {
>    process_limit = 2048
> }
> service managesieve-login {
>    inet_listener sieve {
>      port = 4190
>    }
>    service_count = 0
>    vsz_limit = 128 M
> }
> service managesieve {
>    process_limit = 1024
> }
> service pop3 {
>    process_limit = 1024
> }
> [...]
> protocol imap {
>    imap_capability = IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
>    mail_max_userip_connections = 50
> }
> 
>

Hi,

mail_max_userip_connections is only enforced at the backend level. The setting
has no effect on proxy. If you want to force the limit then you can only do it
in the backend.

Sami
> On 9 Mar 2017, at 12.05, Adi Pircalabu <adi at ddns.com.au> wrote:
> 
> Quick follow-up: updated the proxies to 2.2.28, but I still couldn't
find a way to limit the inbound IMAP connections per IP & username. I know
"mail_max_userip_connections" limit works for the mail stores, but it
doesn't seem to have any effect on the proxies. I'm using a mix of
Dovecot & Courier-IMAP servers as backends.
> Basically I need to find a way to enforce the maximum limit for the
username<>remoteip so that, if I have:
> ESTCONNS=`doveadm -f flow proxy list | grep "username=usern at
domain.com.proto=imap" | wc -l`
> $ESTCONNS is lower or equal than the configured limit.
> The proxies are configured as per
https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy to forward the
password to the remote server using MySQL. In dovecot-sql.conf.ext I have:
> password_query = SELECT NULL AS password, 'Y' as nopassword, host,
email as email, 'any-cert' as 'starttls', 'Y' AS proxy
FROM mailbox WHERE email = '%u' AND disabled_smtpauth=0
> 
> At the moment the only way I can limit the number of established
connections per source IP address on the Dovecot proxies is using iptables,
which isn't what I want.
> Where else can I look?
> 
> Adi Pircalabu, System Administrator
> DDNS, a Total Internet Company
> 159 Barkly Avenue, Burnley, Vic 3121, T +61 3 9815 6868
> 
> On 08/03/17 12:32, Adi Pircalabu wrote:
>> Hi,
>> Trying to keep abusive/buggy IMAP clients at bay on a number of Dovecot
proxy servers, I've reconfigured them to use
"mail_max_userip_connections = 50" in the "protocol imap"
section, followed by restarting Dovecot. Yet, I'm still seeing 160+
established connections from a single IP address for the same email account. Am
I missing anything?
>> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.4.16 (fed8554)
>> # OS: Linux 2.6.32-642.4.2.el6.x86_64 x86_64 CentOS release 6.8 (Final)
>> auth_cache_negative_ttl = 5 mins
>> auth_cache_size = 16 M
>> auth_cache_ttl = 18 hours
>> default_client_limit = 6120
>> default_process_limit = 500
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric relational
regex imap4flags copy include variables body enotify environment mailbox date
index ihave duplicate mime foreverypart extracttext imapflags notify
>> mbox_write_locks = fcntl
>> namespace inbox {
>>   inbox = yes
>>   location >>   mailbox Drafts {
>>     special_use = \Drafts
>>   }
>>   mailbox Junk {
>>     special_use = \Junk
>>   }
>>   mailbox Sent {
>>     special_use = \Sent
>>   }
>>   mailbox "Sent Messages" {
>>     special_use = \Sent
>>   }
>>   mailbox Trash {
>>     special_use = \Trash
>>   }
>>   prefix >> }
>> passdb {
>>   args = /etc/dovecot/dovecot-sql.conf.ext
>>   driver = sql
>> }
>> plugin {
>>   sieve = file:~/sieve;active=~/.dovecot.sieve
>>   sieve_extensions = +notify +imapflags
>> }
>> protocols = imap pop3 lmtp sieve
>> service auth {
>>   client_limit = 6120
>> }
>> service imap-login {
>>   process_limit = 2048
>>   process_min_avail = 20
>>   service_count = 0
>>   vsz_limit = 256 M
>> }
>> service imap {
>>   process_limit = 2048
>> }
>> service managesieve-login {
>>   inet_listener sieve {
>>     port = 4190
>>   }
>>   service_count = 0
>>   vsz_limit = 128 M
>> }
>> service managesieve {
>>   process_limit = 1024
>> }
>> service pop3 {
>>   process_limit = 1024
>> }
>> [...]
>> protocol imap {
>>   imap_capability = IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
>>   mail_max_userip_connections = 50
>> }