On Mon, 2007-03-19 at 19:46 -0700, Sean Kamath wrote:
> 
> Earlier today I was hit with 612 login attempts in 7 minutes.  They  
> ramped up slowly, too. :-)
> 
> They quickly hit the file descriptor limit.  And then a login server  
> spawned and died so quickly that dovecot just died.
> 
> My question is, is there a way to throttle the number of login  
> connections?  I'm doing it in my firewall now, but it would be nice  
> to be able to say something like "max-login-attempts: X" before we  
> blacklist the IP (for some configurable time).

I think it's just simpler to configure your system to handle such
load. :) Give Dovecot enough file descriptors, or reduce the number of
allowed login processes / connections. See
http://wiki.dovecot.org/LoginProcess

Or are you using PAM? That could also be the problem since it forks new
processes, and authentication cache doesn't work very well with it
either.

http://dovecot.org/tools/imaptest.c is a nice tool to try stress testing
logins. Use it something like: imaptest user=dummy password=something
clients=100 - select=0

Some people want to limit number of connections coming to one user, so
this kind of blacklisting feature could be implemented at the same time.
Maybe for v2.0 or something..

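The throttle asked about in the quoted question (a maximum number of login attempts per IP, then a blacklist for a configurable time), as an added example that is not part of the original thread and is not Dovecot code. The class name, its parameters and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limit on login attempts per IP, with a timed ban.

    Hypothetical helper: max_attempts, window and ban_time are
    illustrative names, not Dovecot settings.
    """

    def __init__(self, max_attempts, window, ban_time):
        self.max_attempts = max_attempts
        self.window = window          # seconds over which attempts are counted
        self.ban_time = ban_time      # seconds an IP stays blacklisted
        self.attempts = defaultdict(deque)   # ip -> timestamps of recent attempts
        self.banned_until = {}               # ip -> time the ban expires

    def allow(self, ip, now):
        """Return True if a login attempt from ip at time now may proceed."""
        expiry = self.banned_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False          # still blacklisted; do not count or extend
            del self.banned_until[ip] # ban expired, start with a clean slate
        recent = self.attempts[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()          # forget attempts older than the window
        recent.append(now)
        if len(recent) > self.max_attempts:
            self.banned_until[ip] = now + self.ban_time
            del self.attempts[ip]     # bound memory: banned IPs keep no history
            return False
        return True


def replay(events, throttle):
    """Feed (timestamp, ip) events through the throttle; return refused count per IP."""
    refused = defaultdict(int)
    for ts, ip in events:
        if not throttle.allow(ip, ts):
            refused[ip] += 1
    return dict(refused)


# Constructed sample: one client (TEST-NET address) making 612 attempts in
# 7 minutes, as in the report above, plus a normal client logging in once a minute.
BURST = [(i * 420 / 612, "192.0.2.10") for i in range(612)]
NORMAL = [(i * 60.0, "198.51.100.7") for i in range(7)]
EVENTS = sorted(BURST + NORMAL)
```

With a limit of 10 attempts per 60 seconds and a 600 second ban, the burst source is cut off after its tenth attempt while the once-a-minute client is never refused.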