
Date:  Mon, 16 Apr 2007 17:08:08 -0400
From:  "Paul Aviles" <paul.aviles (at mark) nickelnetworks.com>
Subject:  [coba-e:09586] Re: Dovecot/POP3 Flood
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <200704162108.l3GL8R2j027051 (at mark) srv1.nickelnetworks.com>
In-Reply-To:  <Pine.LNX.4.63.0704131504250.19241 (at mark) mail.nuonce.net>
X-Mail-Count: 09586

Brian, we were able to duplicate the problem easily by creating some
connections/loads.  We found something weird in the way Dovecot calls the
authentication. Not even with socat could we get the system to authenticate.

Afterwards, we made only the changes to dovecot.conf, and with 100 consecutive
connections per sec we did not exhibit the same issue.

Regards,

Paul Aviles
Nickel Networks
 

-----Original Message-----
From: Brian N. Smith [mailto:brian (at mark) nuonce.net] 
Sent: Friday, April 13, 2007 3:11 PM
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:09560] Re: Dovecot/POP3 Flood

> I think this is the issue that will never die.. I am seeing the same 
> behavior on servers with the latest releases also...

I MAY (may is a very weak word ... so, it could actually be may not) have a
solution.  I was reading over their wiki and made some changes to my config.
I have this problem about once a week and wrote scripts to stop everything,
run the dbrecover, and start everything.

In your /etc/dovecot.conf

Search for:
   #auth_cache_size = 0
Change to:
   auth_cache_size = 1024

Search for:
   passdb pam {

Then look below for:
   #args =
Change to:
   args = session=yes cache_key=%u%s dovecot

It is right before the '}', so make sure you get the correct one.

Save the file and restart Dovecot.

Now, this tells Dovecot to use caching, and to immediately close the PAM
connection after authentication.

I just implemented this on my server today.  It hasn't had time to die.  I
am hoping that this will help out a lot, but I really do not know.  I can
assure you it does hurt.  If anything, it will help out some, since it is
caching the login info.  This helps when you have that user who connects
once a minute.

I also made some changes to:
   /etc/pam.d/dovecot

I made it look identical to:
   /etc/pam.d/system-auth

   cd /etc/pam.d
   mv dovecot dovecot.backup
   cp system-auth dovecot

Once again, I do not know if that will help, but it is worth a try.

If you do NOT opt to do PAM, still make sure you restart Dovecot.

   service dovecot restart


There is still the damn issue with the time changing.  I have researched
that.  That is a new feature of Dovecot?!  I haven't figured out how to turn
it off yet.

Thanks,
Brian
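
An added example, not part of the original messages: a check that the two dovecot.conf edits described above are actually active, and that the uncommented "args" line sits inside the "passdb pam" block rather than a neighbouring one. The function name and the sample config are constructed for illustration; it assumes the brace-delimited Dovecot 1.0-style config layout quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Reports whether auth caching is enabled
# and whether an active "args" with cache_key= sits inside "passdb pam".
check_dovecot_auth_cache() {   # hypothetical helper name; $1 = config path
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }      # trim whitespace
        /^#/ || /^$/ { next }                           # commented-out = inactive
        /\{$/ {                                         # a block opens
            depth++
            if ($0 ~ /^passdb[ \t]+pam[ \t]*\{$/) pam = depth
            next
        }
        /^\}$/ { if (pam == depth) pam = 0; depth--; next }
        /^auth_cache_size[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); cache = v + 0; next
        }
        pam && depth == pam && /^args[ \t]*=/ {         # args directly in passdb pam
            args = $0; sub(/^[^=]*=[ \t]*/, "", args); next
        }
        END {
            ok = 1
            if (cache > 0) print "OK   auth_cache_size = " cache
            else { print "FAIL auth_cache_size is commented out or 0"; ok = 0 }
            if (args ~ /(^|[ \t])cache_key=/) print "OK   passdb pam args = " args
            else { print "FAIL no active cache_key= args inside passdb pam"; ok = 0 }
            exit (ok ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample: the cache is enabled, but the args edit landed in the
# wrong block, so the PAM passdb still runs without a cache key.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth_cache_size = 1024
auth default {
  passdb pam {
    #args = dovecot
  }
  passdb passwd-file {
    args = session=yes cache_key=%u%s dovecot
  }
}
EOF
check_dovecot_auth_cache "$sample" || echo "dovecot.conf still needs fixing"
rm -f "$sample"
```

Point the function at /etc/dovecot.conf after editing and before restarting Dovecot; a non-zero exit status means at least one of the two settings is not in effect.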

