[Dovecot] How to solve "Maximum number of connections from user+IP exceeded" [Error countermeasure]
table of contents
Hello everyone.
I'm Naka, a member of the System Solutions Department, who tends to skip lunch in order to enjoy eating out in the evening.
When connecting to a mail server using an email client tool (Thunderbird), an error occurred and the connection was disconnected (= connection became unstable).
If you look at the server side logs, you may see " Maximum number of connections from user+IP exceeded " being output in the error log related to Dovecot.
This time, we will explain how to solve and take countermeasures for Maximum number of connections from user+IP exceeded
Error assumption environment
■Mail server: OS
AlmaLinux 9.x■Mail server: Middleware
postfix.x86_64 2:3.5.9-24.el9 @appstream
dovecot.x86_64 1:2.3.16-10.el9 @appstream■Connection method from client
IMAP■Email client tool
Thunderbird (Windows environment)
Expected error situation
The email client tool (Thunderbird) connected to the mail server (Postfix/Dovecot) is disconnected due to a connection error.
This situation has a direct impact on mail server users being disconnected, so we need to take immediate action.
■Errors on Thunderbard side confirmed by the author
Connection error
Connection timed out: no futher infomartion
How to check logs on the mail server side
$ less /var/log/maillog Oct 01 19:00:00 example-host dovecot[xxxx]: imap-login: Disconnected: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=10): user=<email address> , method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS, session=<xxxxx>
Cause of error
I divided the log contents and added an explanation to them.
Log text | Explanation |
Oct 01 19:00:00 example-host dovecot[xxxx]: | Date and time of occurrence, host name, error source (dovecot) |
imap-login: Disconnected: | Event Description: IMAP login disconnected. |
Maximum number of connections from user+IP exceeded | Error text translation: Maximum number of connections from user IP exceeded |
(mail_max_userip_connections=10): | (Current configuration parameters and their values related to the error) Maximum number of simultaneous connections allowed for the same user from the same IP address |
user=<email address>,method=PLAIN,rip=xxx.xxx.xxx.xxx,lip=xxx.xxx.xxx.xxx, TLS, session=<xxxxx> | User information (email address) and connection information (IP, etc.) targeted for disconnection |
Regarding this error, the log text on the server side (Dovecot) provides detailed information about the situation with parameters.
The log content is `` The login was disconnected because the maximum number of connections from user IP to the target email address was exceeded .''
This is followed
by the related parameter " (mail_max_userip_connections=10): This "Maximum number of simultaneous connections allowed for the same user from the same IP address" , and currently the maximum value is set to 10 It shows that
that the ``connection to the same user using the same IP'' exceeding this value (10) caused an error and the existing connection was disconnected.
Solution
In this case, for IMAP connection, edit 20-imap.conf, which is Dovecot's IMAP conf.
Correct or add the value of the parameter "mail_max_userip_connections" to a value that exceeds the expected number of connections.
After that, I resolved the issue in my case by reloading Dovecot's settings to reflect the updated parameters.
■1. Backup of 20-imap.conf
Make a dated backup before making any changes.
There is a possibility that you may end up saving the file with all the contents deleted, so be sure to save it just in case.
(If you only use it for work, you can also place it in /tmp)
$ sudo cp -p /etc/dovecot/conf.d/20-imap.conf /etc/dovecot/conf.d/20-imap.conf.`date +%Y%m%d` $ ls -l /etc /dovecot/conf.d/20-imap.conf* *Check output
TIps: CentOS-Base.repo.`date +%Y%m%d`
` (backticks) to treat the result of the command as a string.
In it, we use the data command that can display the date and time by specifying the format (year, month, day).
This is convenient because you can create a backup file with the "year, month, and day" at the end of the file name when the command was executed, without having to look at the calendar.
Side note: “Does the backup not load?” → “Doesn’t load?”
In Dovecot's default settings, the setting "!include conf.d/*.conf" is written in "/etc/dovecot/dovecot.conf".
$ less /etc/dovecot/dovecot.conf ~Near the end~ !include conf.d/*.conf
With this setting, the conf for each divided item under conf.d is loaded.
The target to be read is "*.conf" which matches the condition, so if it is a current backup that has a date at the end, it will not be read.
■2.Procedure for modifying parameters in dovecot.conf
In the author's environment, the default value (10) was written and applied with the comment out.
Therefore, set new values by modifying or adding.
This time, I added the setting "50" so that you can see the difference from the default value.
$ sudo vi /etc/dovecot/conf.d/20-imap.conf ~omitted~ protocol imap { ~omitted~ #mail_max_userip_connections = 10 mail_max_userip_connections = 50 *Additional note}
■3. Check the difference
Check the difference between the edited 20-imap.conf and the backup confirm that the additions and modifications are as intended .
$ diff /etc/dovecot/conf.d/20-imap.conf //etc/dovecot/conf.d/20-imap.conf.`date +%Y%m%d`
■4.Procedure for reflecting in Dovecot (reloading settings)
Run systemctl reload to take effect.
I use status before and after execution to check if there are any problems.
systemctl status dovecot systemctl reload dovecot systemctl status dovecot
■5. Connection confirmation
Please connect using the email client tool (Thunderbard).
If the connection is stable and no errors occur after a certain period of time, the problem is considered resolved.
■Complete
This completes the work to deal with Dovecot's "Maximum number of connections from user+IP exceeded".
When taking precautions in advance
Also, even if there is no error currently occurring, the ``number of simultaneous connections per user per IP'' is expected to be larger than the setting value.
It is a good idea to take measures to prevent errors by setting it to a larger value in advance
There is no need to separately adjust other parameters when taking precautionary measures, and there is no problem with the same settings as in the solution method.
If you are in an environment where one email address is used for system notifications, etc., the number of simultaneous connections will probably increase.
When building a server, it is better to change the value to a slightly larger value from the beginning.
lastly
The content is basic: ``Look at the logs, check the parameters, and take action,'' but writing the article made me realize how important it is.
I think the error itself is simple, but since it affects mail server users, it's easy to panic.
If you check and investigate information about the situation, you can respond quickly, so it's important to remain calm during abnormal times.
I hope this article provides some useful knowledge and information to those who read it.
Thank you for reading this far.
Reference information
Authentication | Dovecot official document
https://doc.dovecot.org/2.3/configuration_manual/authentication/