Difference between revisions of "ZCS Service Protection"

 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
+
{{BC|Community Sandbox}}
 +
__FORCETOC__
 +
<div class="col-md-12 ibox-content">
 +
=Zimbra Collaboration Service Protection=
 +
{{KB|{{Unsupported}}|{{ZCS 8.0}}|{{ZCS 7.0}}|}}
 +
{{WIP}}
 +
== TODO ==
 +
* add notes for https://bugzilla.zimbra.com/show_bug.cgi?id=85526
  
 
== postfix ==
 
== postfix ==
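Review bot: the `<div class="col-md-12 ibox-content">` added near the top of this hunk has no matching `</div>` among the added lines visible in this diff; the only addition at the end of the page is the {{Article Footer|...}} line. Confirm that the footer template closes the div, or add the closing tag explicitly before the footer.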
Line 6: Line 13:
 
* http://postfix.eu.org/rate.html#destination
 
* http://postfix.eu.org/rate.html#destination
  
== IMAP/POP/HTTP ==
+
== IMAP/POP ==
  
 
The ZCS NGINX Proxy implementation provides the following :
 
The ZCS NGINX Proxy implementation provides the following :
  
* IP-based login rate limiting directives
+
=== IP-based login rate limiting directives ===
  
** zimbraReverseProxyIPLoginLimit
+
* zimbraReverseProxyIPLoginLimit
  
 
<pre>
 
<pre>
Line 35: Line 42:
 
</pre>
 
</pre>
  
** zimbraReverseProxyIPLoginLimitTime
+
* zimbraReverseProxyIPLoginLimitTime
  
 
<pre>
 
<pre>
Line 50: Line 57:
 
</pre>
 
</pre>
  
* Rate Limiting User Logins
+
=== Rate Limiting User Logins ===
  
** zimbraReverseProxyUserLoginLimit
+
* zimbraReverseProxyUserLoginLimit
  
 
<pre>
 
<pre>
Line 70: Line 77:
 
</pre>
 
</pre>
  
** zimbraReverseProxyUserLoginLimitTime
+
* zimbraReverseProxyUserLoginLimitTime
  
 
<pre>
 
<pre>
Line 81: Line 88:
 
</attr>
 
</attr>
 
</pre>
 
</pre>
 +
{{Article Footer|Zimbra Collaboration 8.0, 7.0|04/16/2014}}
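Review bot: the added {{Article Footer|Zimbra Collaboration 8.0, 7.0|04/16/2014}} line renders a "Verified Against" footer, while the same revision adds {{WIP}}, {{Unsupported}} and an open TODO for bug 85526 at the top of the page. Either hold the footer until the TODO notes are written, or remove the WIP marker, so the page does not give readers conflicting signals about its status.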

Latest revision as of 13:30, 13 July 2015

Zimbra Collaboration Service Protection

KB 3845. Last updated on 2015-07-13





TODO

postfix

Postfix Rate Limiting:

IMAP/POP

The ZCS NGINX Proxy implementation provides the following:

IP-based login rate limiting directives

  • zimbraReverseProxyIPLoginLimit
<attr id="622" name="zimbraReverseProxyIPLoginLimit" type="integer" min="0" cardinality="single" optionalIn="globalConfig" since="5.0.3">
  <globalConfigValue>0</globalConfigValue>
  <desc>Sets the upper limit on logins from a remote IP via POP or
    IMAP to this proxy server after which login is rejected with an
    appropriate protocol specific bye response. This counter is
    cumulative for all users that appear to the proxy to be logging in
    from the same IP address.  If multiple users appear to the proxy
    to be logging in from the same IP address (usual with NATing),
    then each of the different users login will contribute to
    increasing the hit counter for that IP address, and when the
    counter eventually exceeds the limit, then the connections
    from that IP address will be throttled.  Therefore, all users from
    the same IP will contribute to (and be affected by) this counter.
    Logins using all protocols (POP3/POP3S/IMAP/IMAPS) will affect
    this counter (the counter is aggregate for all protocols, *not*
    separate).  If this value is set to 0, then no limiting will take
    place for any IP.</desc>
</attr>
  • zimbraReverseProxyIPLoginLimitTime
<attr id="623" name="zimbraReverseProxyIPLoginLimitTime" type="integer" min="0" cardinality="single" optionalIn="globalConfig" since="5.0.3">
  <globalConfigValue>3600</globalConfigValue>
  <desc>Sets the time-to-live for the hit counter for IP based login
    throttling.  If time is set to 3600 and limit is set to 1000, then
    it means that NGINX should not allow more than 1000 users to log
    in via the proxy from the same IP, within the time interval of an
    hour.  The semantics for such a configuration would then be:
    allow maximum 1000 users per hour from any given IP address.
  </desc>
</attr>

Rate Limiting User Logins

  • zimbraReverseProxyUserLoginLimit
<attr id="624" name="zimbraReverseProxyUserLoginLimit" type="integer" min="0" cardinality="single" optionalIn="globalConfig" requiresRestart="nginxproxy" since="5.0.3">
  <globalConfigValue>0</globalConfigValue>
  <desc>Limit how many times a user can login via the proxy.  Setting
    limit to 100 and time to 3600 means: allow maximum 100 logins per
    hour for any user.  As with the ip counterparts, the user hit
    counter and timeout are cumulative for all protocols.  Also, for a
    given users login, both counters are checked in succession, with
    the IP counter being checked first.  A login may be rejected
    (throttled) because the IP is over-usage, or because the login
    name itself is over-usage. A value of 0 indicates that no
    throttling will take place for any user.
  </desc>
</attr>
  • zimbraReverseProxyUserLoginLimitTime
<attr id="625" name="zimbraReverseProxyUserLoginLimitTime" type="integer" min="0" cardinality="single" optionalIn="globalConfig" requiresRestart="nginxproxy" since="5.0.3">
  <globalConfigValue>3600</globalConfigValue>
  <desc>
    Sets the time-to-live for the hit counter for per user login
    throttling.
  </desc>
</attr>
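
The following is an added example, not Zimbra or NGINX code: a small Python model of the two hit counters described in the attribute text above, useful for checking what a chosen limit does to users who share one NAT address. The class and function names are hypothetical. It assumes a fixed window that starts at the first hit, that every login passing through the proxy increments a counter, and that the user counter is not touched when the IP check rejects.

```python
import time

class LoginThrottle:
    """Model of the IP and user hit counters (assumed semantics, see lead-in)."""

    def __init__(self, ip_limit=0, ip_ttl=3600, user_limit=0, user_ttl=3600):
        self.ip_limit, self.ip_ttl = ip_limit, ip_ttl
        self.user_limit, self.user_ttl = user_limit, user_ttl
        self.hits = {}  # (kind, key) -> [count, expiry time]

    def _over_limit(self, kind, key, limit, ttl, now):
        if limit == 0:  # a value of 0 disables this check entirely
            return False
        entry = self.hits.get((kind, key))
        if entry is None or now >= entry[1]:
            # Counter expired or never set: the TTL starts at the first hit (assumption).
            entry = self.hits[(kind, key)] = [0, now + ttl]
        entry[0] += 1
        return entry[0] > limit  # throttled once the counter exceeds the limit

    def login(self, ip, user, protocol, now=None):
        """Return 'ok', 'ip-throttled' or 'user-throttled'.

        protocol is ignored on purpose: the counters are aggregate across
        POP3/POP3S/IMAP/IMAPS.
        """
        now = time.time() if now is None else now
        if self._over_limit("ip", ip, self.ip_limit, self.ip_ttl, now):
            return "ip-throttled"  # IP counter is checked first
        if self._over_limit("user", user, self.user_limit, self.user_ttl, now):
            return "user-throttled"
        return "ok"


def simulate_nat(ip_limit, users, logins_each, ip="203.0.113.10"):
    """Constructed scenario: `users` mailboxes behind one NAT address,
    each logging in `logins_each` times inside a single window."""
    throttle = LoginThrottle(ip_limit=ip_limit, user_limit=100)
    results = {}
    for n in range(logins_each):
        for u in range(users):
            proto = "imap" if u % 2 else "pop3"
            outcome = throttle.login(ip, f"user{u}@example.com", proto, now=float(n))
            results[outcome] = results.get(outcome, 0) + 1
    return results
```

With the constructed input `simulate_nat(1000, 50, 30)`, 50 legitimate users polling 30 times in the hour use up a limit of 1000 and the remaining 500 logins are rejected, which is the NAT side effect the `zimbraReverseProxyIPLoginLimit` description warns about.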
Verified Against: Zimbra Collaboration 8.0, 7.0
Date Created: 04/16/2014
Article ID: https://wiki.zimbra.com/index.php?title=ZCS_Service_Protection
Date Modified: 2015-07-13


