Difference between revisions of "ZCS Service Protection"

Line 1: Line 1:
 +
 +
 
== postfix ==
 
== postfix ==
  
Line 6: Line 8:
 
== IMAP/POP/HTTP ==
 
== IMAP/POP/HTTP ==
  
The ZCS NGINX Proxy implementation provides the following zmlocalconfig options:
+
The ZCS NGINX Proxy implementation provides the following :
 +
 
 +
* IP-based login rate limiting directives
 +
 
 +
** zimbraReverseProxyIPLoginLimit
 +
 
 +
<pre>
 +
<attr id="622" name="zimbraReverseProxyIPLoginLimit" type="integer" min="0" cardinality="single" optionalIn="globalConfig" since="5.0.3">
 +
  <globalConfigValue>0</globalConfigValue>
 +
  <desc>Sets the upper limit on logins from a remote IP via POP or
 +
    IMAP to this proxy server after which login is rejected with an
 +
    appropriate protocol specific bye response. This counter is
 +
    cumulative for all users that appear to the proxy to be logging in
 +
    from the same IP address.  If multiple users appear to the proxy
 +
    to be logging in from the same IP address (usual with NATing),
 +
    then each of the different users login will contribute to
 +
    increasing the hit counter for that IP address, and when the
 +
    counter eventually exceeds the limit, then the connections
 +
    from that IP address will be throttled.  Therefore, all users from
 +
    the same IP will contribute to (and be affected by) this counter.
 +
    Logins using all protocols (POP3/POP3S/IMAP/IMAPS) will affect
 +
    this counter (the counter is aggregate for all protocols, *not*
 +
    separate).  If this value is set to 0, then no limiting will take
 +
    place for any IP.</desc>
 +
</attr>
 +
</pre>
 +
 
 +
** zimbraReverseProxyIPLoginLimitTime
 +
 
 +
<pre>
 +
<attr id="623" name="zimbraReverseProxyIPLoginLimitTime" type="integer" min="0" cardinality="single" optionalIn="globalConfig" since="5.0.3">
 +
  <globalConfigValue>3600</globalConfigValue>
 +
  <desc>Sets the time-to-live for the hit counter for IP based login
 +
    throttling.  If time is set to 3600 and limit is set to 1000, then
 +
    it means that NGINX should not allow more than 1000 users to log
 +
    in via the proxy from the same IP, within the time interval of an
 +
    hour.  The semantics for such a configuration would then be:
 +
    allow maximum 1000 users per hour from any given IP address.
 +
  </desc>
 +
</attr>
 +
</pre>
 +
 
 +
* Rate Limiting User Logins
 +
 
 +
** zimbraReverseProxyUserLoginLimit
 +
 
 +
<pre>
 +
<attr id="624" name="zimbraReverseProxyUserLoginLimit" type="integer" min="0" cardinality="single" optionalIn="globalConfig" requiresRestart="nginxproxy" since="5.0.3">
 +
  <globalConfigValue>0</globalConfigValue>
 +
  <desc>Limit how many times a user can login via the proxy.  Setting
 +
    limit to 100 and time to 3600 means: allow maximum 100 logins per
 +
    hour for any user.  As with the ip counterparts, the user hit
 +
    counter and timeout are cumulative for all protocols.  Also, for a
 +
    given users login, both counters are checked in succession, with
 +
    the IP counter being checked first.  A login may be rejected
 +
    (throttled) because the IP is over-usage, or because the login
 +
    name itself is over-usage. A value of 0 indicates that no
 +
    throttling will take place for any user.
 +
  </desc>
 +
</attr>
 +
</pre>
 +
 
 +
** zimbraReverseProxyUserLoginLimitTime
  
* mail_login_user_max
+
<pre>
* mail_login_user_ttl
+
<attr id="625" name="zimbraReverseProxyUserLoginLimitTime" type="integer" min="0" cardinality="single" optionalIn="globalConfig" requiresRestart="nginxproxy" since="5.0.3">
* mail_login_ip_max
+
  <globalConfigValue>3600</globalConfigValue>
* mail_login_ip_ttl
+
  <desc>
 +
    Sets the time-to-live for the hit counter for per user login
 +
    throttling.
 +
  </desc>
 +
</attr>
 +
</pre>
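Review bot: the rewritten intro line in this hunk now reads "provides the following :" with no noun after "following". The old wording named "zmlocalconfig options", but the attributes added here are declared optionalIn="globalConfig", so wording such as "the following global config attributes:" would match them. The removed mail_login_user_max, mail_login_user_ttl, mail_login_ip_max and mail_login_ip_ttl bullets are dropped without saying which new attribute each one corresponds to; a one-line mapping would help readers who know the old names. It is also worth stating in prose that ids 624 and 625 carry requiresRestart="nginxproxy" while 622 and 623 do not.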

Revision as of 14:51, 22 September 2010


postfix

Postfix Rate Limiting:

IMAP/POP/HTTP

The ZCS NGINX Proxy implementation provides the following:

  • IP-based login rate limiting directives
    • zimbraReverseProxyIPLoginLimit
<attr id="622" name="zimbraReverseProxyIPLoginLimit" type="integer" min="0" cardinality="single" optionalIn="globalConfig" since="5.0.3">
  <globalConfigValue>0</globalConfigValue>
  <desc>Sets the upper limit on logins from a remote IP via POP or
    IMAP to this proxy server after which login is rejected with an
    appropriate protocol specific bye response. This counter is
    cumulative for all users that appear to the proxy to be logging in
    from the same IP address.  If multiple users appear to the proxy
    to be logging in from the same IP address (usual with NATing),
    then each of the different users login will contribute to
    increasing the hit counter for that IP address, and when the
    counter eventually exceeds the limit, then the connections
    from that IP address will be throttled.  Therefore, all users from
    the same IP will contribute to (and be affected by) this counter.
    Logins using all protocols (POP3/POP3S/IMAP/IMAPS) will affect
    this counter (the counter is aggregate for all protocols, *not*
    separate).  If this value is set to 0, then no limiting will take
    place for any IP.</desc>
</attr>
    • zimbraReverseProxyIPLoginLimitTime
<attr id="623" name="zimbraReverseProxyIPLoginLimitTime" type="integer" min="0" cardinality="single" optionalIn="globalConfig" since="5.0.3">
  <globalConfigValue>3600</globalConfigValue>
  <desc>Sets the time-to-live for the hit counter for IP based login
    throttling.  If time is set to 3600 and limit is set to 1000, then
    it means that NGINX should not allow more than 1000 users to log
    in via the proxy from the same IP, within the time interval of an
    hour.  The semantics for such a configuration would then be:
    allow maximum 1000 users per hour from any given IP address.
  </desc>
</attr>
  • Rate Limiting User Logins
    • zimbraReverseProxyUserLoginLimit
<attr id="624" name="zimbraReverseProxyUserLoginLimit" type="integer" min="0" cardinality="single" optionalIn="globalConfig" requiresRestart="nginxproxy" since="5.0.3">
  <globalConfigValue>0</globalConfigValue>
  <desc>Limit how many times a user can login via the proxy.  Setting
    limit to 100 and time to 3600 means: allow maximum 100 logins per
    hour for any user.  As with the ip counterparts, the user hit
    counter and timeout are cumulative for all protocols.  Also, for a
    given users login, both counters are checked in succession, with
    the IP counter being checked first.  A login may be rejected
    (throttled) because the IP is over-usage, or because the login
    name itself is over-usage. A value of 0 indicates that no
    throttling will take place for any user.
  </desc>
</attr>
    • zimbraReverseProxyUserLoginLimitTime
<attr id="625" name="zimbraReverseProxyUserLoginLimitTime" type="integer" min="0" cardinality="single" optionalIn="globalConfig" requiresRestart="nginxproxy" since="5.0.3">
  <globalConfigValue>3600</globalConfigValue>
  <desc>
    Sets the time-to-live for the hit counter for per user login
    throttling.
  </desc>
</attr>
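The counter semantics in the four attribute descriptions above can be modelled in a few lines of Python to size the limits before applying them, in particular for sites where many users share one NAT address. This is an added example, not Zimbra or NGINX code. It assumes that every attempt increments its counter, that the time-to-live runs from the first hit, and that a login rejected on the IP counter does not touch the user counter; the class and function names are hypothetical and the addresses and accounts are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Toy model of the two hit counters: IP checked first, then user."""
    ip_limit: int = 0      # zimbraReverseProxyIPLoginLimit (0 = no limiting)
    ip_ttl: int = 3600     # zimbraReverseProxyIPLoginLimitTime, seconds
    user_limit: int = 0    # zimbraReverseProxyUserLoginLimit (0 = no limiting)
    user_ttl: int = 3600   # zimbraReverseProxyUserLoginLimitTime, seconds
    _hits: dict = field(default_factory=dict)  # key -> (count, expires_at)

    def _hit(self, key, limit, ttl, now):
        if limit == 0:
            return True                       # limiting disabled
        count, expires = self._hits.get(key, (0, now + ttl))
        if now >= expires:                    # counter TTL ran out: start over
            count, expires = 0, now + ttl
        count += 1
        self._hits[key] = (count, expires)
        return count <= limit                 # throttled once the limit is exceeded

    def login(self, ip, user, proto, now):
        # proto is not part of either key: counters are aggregate for
        # POP3/POP3S/IMAP/IMAPS, as the attribute descriptions state.
        if not self._hit(("ip", ip), self.ip_limit, self.ip_ttl, now):
            return "reject:ip"
        if not self._hit(("user", user), self.user_limit, self.user_ttl, now):
            return "reject:user"
        return "ok"


def nat_scenario():
    """Five constructed users behind one NAT address, IP limit 3 per hour."""
    t = LoginThrottle(ip_limit=3, ip_ttl=3600)
    nat = "203.0.113.10"  # constructed documentation address
    out = [t.login(nat, f"user{i}@example.com", "imap", now=i) for i in range(5)]
    # After the TTL expires the shared counter resets and logins pass again.
    out.append(t.login(nat, "user0@example.com", "pop3", now=3600))
    return out


def user_scenario():
    """One constructed account, three protocols and addresses, user limit 2."""
    t = LoginThrottle(user_limit=2, user_ttl=3600)
    tries = [("198.51.100.1", "imap"), ("198.51.100.2", "pop3"),
             ("198.51.100.3", "imaps")]
    return [t.login(ip, "alice@example.com", proto, now=n)
            for n, (ip, proto) in enumerate(tries)]
```

In the NAT scenario the fourth and fifth users are rejected although neither has logged in before, which is the side effect the zimbraReverseProxyIPLoginLimit description warns about.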