Hi, like I have written in the subject line I want to limit the pop login per user and per minute. Currently I am having several customers which are fetching their email with popcon (MS Exchange). This has never been a problem. But... They all have got the same "technician" which take care of their systems. The problem is, that he misconfigured the servers of these customers. In detail: their servers are trying to fetch email every 2 - 5 seconds. For every email address. In the past I contacted the technician and told him about his mistake. He was not very helpful and simply told me that he is doing the same configuration since several years at all of his customer servers. Without problems. It is up to me to fix my problem myself. Well, I googled a lot but all I found is to limit for a specific IP or for a secific account. Both is not what I am looking for. Maybe someone can give me a hint? Thanks and kind regards Markus -- stairweb GmbH Firmensitz: Gutenbergstr. 8, 94036 Passau Telefon: +49 (0)851 / 20426650 Telefax: +49 (0)851 / 20426655 e-Mail: info at stairweb.de Internet: www.stairweb.de Registergericht: Amtsgericht Passau, HRB 6044 Gesch?ftsf?hrer: Markus Eckerl, Karl Prei?ler, Alexander Lengl
Am 22.03.2018 um 11:21 schrieb Markus Eckerl:> Hi, > > like I have written in the subject line I want to limit the pop login > per user and per minute. > > Currently I am having several customers which are fetching their email > with popcon (MS Exchange). > > This has never been a problem. But... They all have got the same > "technician" which take care of their systems. > > The problem is, that he misconfigured the servers of these customers. In > detail: their servers are trying to fetch email every 2 - 5 seconds. For > every email address. > > In the past I contacted the technician and told him about his mistake. > He was not very helpful and simply told me that he is doing the same > configuration since several years at all of his customer servers. > Without problems. It is up to me to fix my problem myself. > > Well, I googled a lot but all I found is to limit for a specific IP or > for a secific account. Both is not what I am looking for. > > Maybe someone can give me a hint? > > Thanks and kind regards > > Markus > > >I had about 5000 popcon users in the past , dovecot can handle this if you turn right parameters on. As far i remember there were also 2 different ways to configure popcon, users per time or all users in one session ( which was really bullshit ) , after all i wouldnt recommand trying limiting ,that might lead to further problems. Your customer has to understand his misconfiguration some graph of that time is here https://blog.sys4.de/xymon-dovecot-count-imap-pop3-logins-graph-central-rsyslog-server-ubuntu-lucid-en.html -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schlei?heimer Stra?e 26/MG,80333 M?nchen Sitz der Gesellschaft: M?nchen, Amtsgericht M?nchen: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
Am 22.03.2018 um 12:42 schrieb Robert Schetterer:> Am 22.03.2018 um 11:21 schrieb Markus Eckerl: >> Hi, >> >> like I have written in the subject line I want to limit the pop login >> per user and per minute. >> >> Currently I am having several customers which are fetching their email >> with popcon (MS Exchange). >> >> This has never been a problem. But... They all have got the same >> "technician" which take care of their systems. >> >> The problem is, that he misconfigured the servers of these customers. In >> detail: their servers are trying to fetch email every 2 - 5 seconds. For >> every email address. >> >> In the past I contacted the technician and told him about his mistake. >> He was not very helpful and simply told me that he is doing the same >> configuration since several years at all of his customer servers. >> Without problems. It is up to me to fix my problem myself. >> >> Well, I googled a lot but all I found is to limit for a specific IP or >> for a secific account. Both is not what I am looking for. >> >> Maybe someone can give me a hint? >> >> Thanks and kind regards >> >> Markus >> >> >> > > I had about 5000 popcon users in the past , dovecot can handle this > if you turn right parameters on. As far i remember there were also 2 > different ways to configure popcon, users per time or all users in one > session ( which was really bullshit ) , after all i wouldnt recommand > trying limiting ,that might lead to further problems. Your customer has > to understand his misconfiguration > > some graph of that time is here > > https://blog.sys4.de/xymon-dovecot-count-imap-pop3-logins-graph-central-rsyslog-server-ubuntu-lucid-en.html > > > >beside iptables recent, or fail2ban which may have unwanted side effects and only work by ip here was a post with a dovecot solution https://www.dovecot.org/list/dovecot/2017-July/108521.html never tested this Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Schlei?heimer Stra?e 26/MG, 80333 M?nchen Sitz der Gesellschaft: M?nchen, Amtsgericht M?nchen: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
On Thu, 22 Mar 2018, Markus Eckerl wrote:> The problem is, that he misconfigured the servers of these customers. In > detail: their servers are trying to fetch email every 2 - 5 seconds. For > every email address. > > In the past I contacted the technician and told him about his mistake. > He was not very helpful and simply told me that he is doing the same > configuration since several years at all of his customer servers. > Without problems. It is up to me to fix my problem myself.Seems to me you're bending over backwards to fix someone else's problem, and what you really need is an "attitude adjustment" tool for obnoxious clients who use your service like they're the only ones that matter. Apart from what others can suggest (I think dovecot allows delegation of usage to a separate policyd service), you can perhaps use firewall throttling e.g. https://making.pusher.com/per-ip-rate-limiting-with-iptables/ It can't do it per user, but perhaps it is better to set a global limit and let your downstream client better manage and conserve a limited resource. Joseph Tam <jtam.home at gmail.com>
On Thu, Mar 22, 2018 at 1:41 PM, Joseph Tam <jtam.home at gmail.com> wrote:> On Thu, 22 Mar 2018, Markus Eckerl wrote: > > The problem is, that he misconfigured the servers of these customers. In >> detail: their servers are trying to fetch email every 2 - 5 seconds. For >> every email address. >> >> In the past I contacted the technician and told him about his mistake. >> He was not very helpful and simply told me that he is doing the same >> configuration since several years at all of his customer servers. >> Without problems. It is up to me to fix my problem myself. >> > > Seems to me you're bending over backwards to fix someone else's problem, > and what you really need is an "attitude adjustment" tool for obnoxious > clients who use your service like they're the only ones that matter. > > Apart from what others can suggest (I think dovecot allows delegation > of usage to a separate policyd service), you can perhaps use firewall > throttling e.g. > > https://making.pusher.com/per-ip-rate-limiting-with-iptables/ > > It can't do it per user, but perhaps it is better to set a global limit > and let your downstream client better manage and conserve a limited > resource. > >Might be a good use of the new authpolicy stuff. You could run a local weakforced with 1 minute windows and break auth for certain IPs that do more than one login per minute. -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20180322/f2486a66/attachment.html>