Date:  Wed, 18 Apr 2007 16:56:02 -0400
From:  "Darrell D. Mobley" <dmobley (at mark) uhostme.net>
Subject:  [coba-e:09617] Re: Back by popular demand -  Dovecot/POP3 Flood
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <000901c781fb$f9702840$ec5078c0$@net>
In-Reply-To:  <Pine.LNX.4.63.0704181457370.18787 (at mark) mail.nuonce.net>
References:  <200704181640.l3IGe6Rc004080 (at mark) srv1.nickelnetworks.com> <Pine.LNX.4.63.0704181457370.18787 (at mark) mail.nuonce.net>
X-Mail-Count: 09617

> When your system starting going nutz, did you do a "ps aux"?  did you see
> a lot of the dove_auth apps running?

That was the case when mine did it, but I haven't seen the behavior since
the latest update.

> -----Original Message-----
> From: Brian N. Smith [mailto:brian (at mark) nuonce.net]
> Sent: Wednesday, April 18, 2007 3:05 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:09615] Re: Back by popular demand - Dovecot/POP3 Flood
> 
> > By popular demand the issue is back......
> >
> > Apr 18 08:45:07 srv1 dovecot: pop3-login: Aborted login: rip=127.0.0.1,
> > lip=127.0.0.1, secured
> > Apr 18 08:45:13 srv1 dovecot: pop3-login: Aborted login: user=<test>,
> > method=PLAIN, rip=81.18.67.70, lip=10.5.36.4
> 
> What do you think about changing; auth_worker_max_count?  Maybe create a
> max of 10?  The auth module is what seems to explode.
> 
> My only other suggestion is to use iptables to control flooding.  I
> haven't found anything else that may suggest anything better.
> 
> When your system starting going nutz, did you do a "ps aux"?  did you see
> a lot of the dove_auth apps running?
> 
> Brian
> 
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.