Hi folks,

I have a handful of iOS 10.2.1 Mail app IMAP clients that intermittently break into this unexplained authenticate-then-immediately-disconnect behavior when connecting to a RHEL7 Dovecot (dovecot-2.2.10-7.el7) proxy, providing proxied connections to a backend Panda/UW-IMAP server. From talking to the users, the activity would appear to be spontaneous (i.e., not caused by user interaction with the device).

The behavior doesn't seem to have any observable implications for the end user, other than momentarily hitting the Dovecot process_limit (which, if not raised to a rather large number, disrupts new IMAP proxy connections momentarily).

I reckon this is not an issue with Dovecot, but I'm curious to know if other folks have observed this behavior when dealing with iOS Mail app clients?

The log entries look like this:

iOS 10 device = 172.16.0.1
RHEL7 Dovecot proxy host = 192.168.0.1 ("proxyhost")
Panda/UW-IMAP target = panda.imap.tld

Mar 6 12:11:00 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<VvzqehVKhwBCol00>
Mar 6 12:11:00 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by client): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS: Disconnected, session=<VvzqehVKhwBCol00>
Mar 6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<jaXxehVKiABCol00>
Mar 6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<jaXxehVKiABCol00>
Mar 6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<RmX4ehVKiQBCol00>
Mar 6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<RmX4ehVKiQBCol00>
Mar 6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<inYBexVKigBCol00>
Mar 6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<inYBexVKigBCol00>
Mar 6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<GwAJexVKiwBCol00>
Mar 6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<GwAJexVKiwBCol00>
Mar 6 12:11:03 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<asUPexVKswBCol00>
Mar 6 12:11:03 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<asUPexVKswBCol00>
Mar 6 12:11:03 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<n9YYexVKjQBCol00>
Mar 6 12:11:04 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<n9YYexVKjQBCol00>

...and on and on, usually until the 'service imap-login' process_limit is reached. You could naturally apply some iptables rate-limiting to avoid hitting process_limit, but it'd be nice to have the iOS client simply behave properly instead.

dovecot -n:
---
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-514.6.2.el7.x86_64 x86_64 Red Hat Enterprise Linux Server release 7.3 (Maipo)
auth_mechanisms = plain login
auth_verbose = yes
first_valid_uid = 1000
imap_capability = +I18NLEVEL=1
mbox_write_locks = fcntl
passdb {
  args = nopassword=y
  default_fields = proxy=y ssl=any-cert host=panda.imap.tld
  driver = static
}
protocols = imap pop3
service imap-login {
  process_limit = 400-ish at the moment
  process_min_avail = 2
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_ca = </etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ssl_cert = <proxyhost.crt
ssl_dh_parameters_length = 2048
ssl_key = <proxyhost.key
ssl_protocols = !SSLv3 !SSLv3
ssl_require_crl = no
userdb {
  driver = static
}
---

Thanks for any insight out there.

Robert Giles
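
An added example, not part of the original post: a Python check that pairs the "started proxying" and "disconnecting" entries by session ID and flags any user/IP pair producing a burst of very short proxy sessions, the pattern in the log excerpt above. The function names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ dovecot: imap-login: proxy\((?P<user>[^)]*)\): "
    r"(?P<ev>started proxying|disconnecting) .*?rip=(?P<rip>[^,]+),.*session=<(?P<sid>[^>]+)>")

def flapping_clients(lines, threshold=5, window=10, max_life=2):
    """Return {(user, rip): peak} where >= threshold sessions lasting <= max_life s start within window s."""
    started, short = {}, defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; 2000 is an arbitrary assumed year for parsing
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        if m["ev"] == "started proxying":
            started[m["sid"]] = ts
        elif m["sid"] in started:
            begin = started.pop(m["sid"])
            if (ts - begin).total_seconds() <= max_life:
                short[m["user"], m["rip"]].append(begin)
    flagged = {}
    for key, times in short.items():
        times.sort()
        lo = best = 0
        for hi, t in enumerate(times):  # sliding window over session start times
            while (t - times[lo]).total_seconds() > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

def sample_lines():
    """Constructed log lines in the post's format (not real data)."""
    def line(sec, user, ip, sid, event):
        return (f"Mar 6 12:11:{sec:02d} proxyhost dovecot: imap-login: proxy({user}): {event}: "
                f"user=<{user}>, method=PLAIN, rip={ip}, lip=192.168.0.1, TLS, session=<{sid}>")
    start, stop = "started proxying to panda.imap.tld:993", "disconnecting {} (Disconnected by server)"
    out = [line(0, "asmith", "172.16.0.2", "long1", start)]  # one normal, long-lived session
    for i in range(6):  # six sessions that open and close within a second
        out.append(line(i // 2, "jdoe", "172.16.0.1", f"flap{i}", start))
        out.append(line(i // 2 + i % 2, "jdoe", "172.16.0.1", f"flap{i}", stop.format("172.16.0.1")))
    out.append(line(45, "asmith", "172.16.0.2", "long1", stop.format("172.16.0.2")))
    return out

if __name__ == "__main__":
    print(flapping_clients(sample_lines()))
```
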

