Hi all,

I have observed with my Dovecot setup that unique failed logins cause legitimate, correct logins to be slowed. I am running two servers, each with two Dovecot instances: a Proxy with Director, and a backend Dovecot. I suspect that the backend instance is throttling connections from the same IP, and because I am running a Proxy, the backend will only ever see one of the two server IPs. I confirmed this by connecting directly to the backend, bypassing the proxy to rule it out. I initiated dozens of unique failed logins from one IP and separately attempted to log in from the same IP, and experienced an extended delay during login. At the same time, a login from a different IP succeeded immediately. I see nothing in the logs suggesting that some sort of process limit was exceeded; however, I do see the following process title for the backend auth process:
"dovecot/auth [7 wait, 0 passdb, 0 userdb]"

I have increased mail_max_userip_connections to a very large value; however, I believe that setting is a per-username/IP limit. Is there any setting in Dovecot that I can configure to stop this per-IP authentication throttling? Below is the configuration of the backend Dovecot instance.


# 2.1.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.5.2.el6.x86_64 x86_64 Red Hat Enterprise Linux Server release 6.3 (Santiago)
# Backend instance (doveconf -n dump). It sits behind the proxy/director, so
# the only client addresses it sees are the two proxy servers' IPs (see the
# message above); any per-IP logic on this host therefore applies to all
# proxied users at once.
auth_cache_negative_ttl = 3 secs
auth_cache_size = 100 M
auth_cache_ttl = 10 mins
auth_default_realm = example.com
# Delay added to each *failed* authentication reply. NOTE(review): this is a
# different mechanism from the slowdown of *successful* logins described
# above; nothing in this dump sets that per-IP behaviour — confirm against the
# Dovecot docs (presumably login_trusted_networks on the backend is how the
# proxies' forwarded client IP would be used instead of the proxy IP).
auth_failure_delay = 5 secs
auth_mechanisms = plain login
# NOTE(review): presumably logs a SHA1 of the attempted password on failed
# logins; treat the auth log as sensitive data.
auth_verbose_passwords = sha1
auth_worker_max_count = 25
base_dir = /var/run/dovecot/
# Plaintext PLAIN/LOGIN is accepted and ssl = no below, so credentials cross
# the wire unencrypted to this instance. NOTE(review): acceptable only if the
# 0.0.0.0 listeners below are reachable solely from the proxies — confirm
# that network-level filtering enforces this.
disable_plaintext_auth = no
# Only one uid/gid is valid for mailboxes; presumably the "mail" account used
# by mail_uid/mail_gid below — confirm.
first_valid_gid = 12
first_valid_uid = 8
last_valid_gid = 12
last_valid_uid = 8
login_greeting = Hello there.
# rip/lip are the remote/local IPs as seen by this backend, i.e. the proxy's
# address when traffic arrives via the proxy.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_fsync = always
mail_gid = mail
mail_location = maildir:%h/Maildir
# Mail storage and indexes live on NFS (mmap disabled accordingly).
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = " stats"
mail_uid = mail
mmap_disable = yes
namespace {
  inbox = yes
  location = maildir:%h/Maildir
  prefix = INBOX.
  separator = .
}
# Passwords are verified against LDAP; the LDAP settings are in a separate
# file not shown here.
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocols = pop3 imap
service auth {
  unix_listener auth-userdb {
    group = mail
    mode = 0660
    user = mail
  }
}
# Non-standard ports (9143 / 9110) bound on all interfaces; see the
# disable_plaintext_auth note above.
service imap-login {
  inet_listener imap {
    address = 0.0.0.0
    port = 9143
  }
  process_min_avail = 5
  service_count = 0
  vsz_limit = 256 M
}
service imap {
  process_limit = 1000
  vsz_limit = 256 M
}
service pop3-login {
  inet_listener pop3 {
    address = 0.0.0.0
    port = 9110
  }
  process_min_avail = 5
  service_count = 0
  vsz_limit = 256 M
}
service pop3 {
  process_limit = 1000
  vsz_limit = 256 M
}
# Stats listener is loopback-only.
service stats {
  fifo_listener stats-mail {
    mode = 0600
    user = mail
  }
  inet_listener {
    address = 127.0.0.1
    port = 24242
  }
}
ssl = no
stats_memory_limit = 64 M
# prefetch is consulted first (user attributes returned by the LDAP passdb
# lookup); the LDAP userdb is the fallback.
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
# Needed for the "[7 wait, 0 passdb, 0 userdb]" auth process title quoted above.
verbose_proctitle = yes
protocol imap {
  imap_logout_format = bytes_read=%i bytes_send=%o
  # Per username+IP connection cap; with proxied traffic every user shares
  # the proxy's IP, which is why this was raised.
  mail_max_userip_connections = 1000
  mail_plugins = " stats "
}
protocol pop3 {
  mail_max_userip_connections = 1000
}


Dominic
