Johannes Berg wrote:
On Mon, 2008-03-17 at 17:45 +0200, Timo Sirainen wrote:
I know about
mail_max_userip_connections in dovecot 1.1
It should be pretty easy to patch this code to ignore the user and just
limit IPs. You could basically just remove "user" from struct
mail_process_group and fix the code to compile. Or even easier:
static struct mail_process_group *
mail_process_group_lookup(enum process_type type, const char *user,
const struct ip_addr *ip)
{
user = ""; // use the same empty user for everyone
// ...
static struct mail_process_group *
mail_process_group_create(enum process_type type, const char *user,
const struct ip_addr *ip)
{
struct mail_process_group *group;
user = ""; // use the same empty user for everyone
Sounds like
Probably in future versions.
could be trivially implemented with a "mail_process_group_lookup_key"
setting that defaults to %u :)
johannes
Thank you Timo and Johannes for answers! I have used your
recommendations and really enough this
small patch:
--- src/master/mail-process.c.orig 2008-03-18 19:55:04.000000000 -0400
+++ src/master/mail-process.c 2008-03-18 19:55:35.000000000 -0400
@@ -75,7 +75,8 @@ mail_process_group_lookup(enum process_t
struct mail_process_group lookup_group;
lookup_group.process.type = type;
- lookup_group.user = t_strdup_noconst(user);
+ /*lookup_group.user = t_strdup_noconst(user);*/
+ lookup_group.user = "";
lookup_group.remote_ip = *ip;
return hash_lookup(mail_process_groups, &lookup_group);
@@ -89,7 +90,8 @@ mail_process_group_create(enum process_t
group = i_new(struct mail_process_group, 1);
group->process.type = type;
- group->user = i_strdup(user);
+ /*group->user = i_strdup(user);*/
+ group->user = "";
group->remote_ip = *ip;
i_array_init(&group->processes, 10);
--- src/login-common/sasl-server.c.orig 2008-03-19 09:36:56.000000000 -0400
+++ src/login-common/sasl-server.c 2008-03-19 09:37:21.000000000 -0400
@@ -51,7 +51,7 @@ master_callback(struct client *client, e
case MASTER_LOGIN_STATUS_INTERNAL_ERROR:
break;
case MASTER_LOGIN_STATUS_MAX_CONNECTIONS:
- data = "Maximum number of connections from user+IP
exceeded";
+ data = "Maximum number of connections from ip exceeded";
break;
}
call_client_callback(client, reply, data, NULL);
And it is really work. But for probable future option, I think, it is
would be wrong way.
Because this solution limit user _logins_, not connections. So, just for
example, I could make very much connections to server and go to end up
dovecot connection pool or, if I miss something here, system resources
like max_files, max_sockets and so on. IMHO, more truly solution is
limit connections, and check it _before_ login procedure. I understand,
that can happen in this case also. But why we will waste our resources
to check login/pass, make redundant query to myssql/pgsql/sqlite and so
on? What are you think about that? Comments are very welcome.
Alex
