cyrus 2.5 imap idle/stuck connections (DOS like)
Willem Offermans
Willem at Offermans.Rompen.nl
Thu Mar 7 09:47:25 EST 2019
Dear Cyrus friends and Heiler Bensimon Bemerguy,
Don’t forget to report your solution.
It might certainly help other Cyrus users as well, though it is not directly related to Cyrus.
Wiel Offermans
Willem at Offermans.Rompen.nl
> On 7 Mar 2019, at 15:39, Heiler Bemerguy via Info-cyrus <info-cyrus at lists.andrew.cmu.edu> wrote:
>
> Yes I've read imapd.conf and cyrus.conf and found no options to limit connections per source IP or "idleness"..
>
> It means anyone can open a lot of connections to any port (143, 25, 110 etc) and render the server unusable??
>
> I'm using Debian, so I'll try to figure out how to do that with iptables.. Thanks!
>
>
>
> Best Regards,
>
> Heiler Bensimon Bemerguy - CINBESA
> Analista de Redes, Wi-Fi,
> Virtualização e Serviços Internet
> (55) 91 98151-4894
> Em 07/03/2019 11:25, Willem Offermans escreveu:
>> Dear Cyrus friends and Heiler Bensimon Bemerguy,
>>
>> You could use your firewall to achieve this.
>>
>> For ipfw:
>>
>> ${fwcmd} add pass tcp from any to ${ip_me} imap setup limit src-addr 10
>>
>> You have to lookup the right syntax for your firewall.
>>
>> Dit you check man imapd or man cyrus, maybe there is also an option for the daemon itself, but I would prefer the firewall.
>>
>>
>> Wiel Offermans
>> Willem at Offermans.Rompen.nl <mailto:Willem at Offermans.Rompen.nl>
>>
>>
>>
>>
>>> On 7 Mar 2019, at 14:53, Heiler Bemerguy via Info-cyrus <info-cyrus at lists.andrew.cmu.edu <mailto:info-cyrus at lists.andrew.cmu.edu>> wrote:
>>>
>>> Hail,
>>>
>>> I've noticed an user with ~200 open connections to cyrus imap port (143) and, because of him, no one else could login to the server.
>>>
>>> I've noticed even with a single "telnet ip 143", the connection is accepted and never ever dropped, even while still unauthenticated.
>>>
>>> How to stop that from happening?
>>>
>>> cyrus.conf:
>>> imap cmd="imapd -U 30" listen="imap" prefork=6 maxchild=200
>>>
>>>
>>> --
>>> Atenciosamente,
>>>
>>> Heiler Bensimon Bemerguy - CINBESA
>>> Analista de Redes, Wi-Fi,
>>> Virtualização e Serviços Internet
>>> (55) 91 98151-4894
>>>
>>> ----
>>> Cyrus Home Page: http://www.cyrusimap.org/ <http://www.cyrusimap.org/>
>>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ <http://lists.andrew.cmu.edu/pipermail/info-cyrus/>
>>> To Unsubscribe:
>>> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus <https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus>
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20190307/f7ac95b8/attachment.html>
More information about the Info-cyrus
mailing list