Difference between revisions of "ZCS Service Protection"

m (Protected "ZCS Service Protection" ([edit=sysop] (indefinite) [move=sysop] (indefinite)))
(added TODO; removed double bullet)
Line 1: Line 1:
 +
== TODO ==
 +
* add notes for https://bugzilla.zimbra.com/show_bug.cgi?id=85526
 +
 
== postfix ==
 
== postfix ==
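Review bot: The new TODO bullet at the top of this hunk points at bug 85526 by bare URL only. Add a few words on what the notes should cover, so the item is actionable without opening Bugzilla.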
  
Line 10: Line 13:
 
=== IP-based login rate limiting directives ===
 
=== IP-based login rate limiting directives ===
  
** zimbraReverseProxyIPLoginLimit
+
* zimbraReverseProxyIPLoginLimit
  
 
<pre>
 
<pre>
Line 33: Line 36:
 
</pre>
 
</pre>
  
** zimbraReverseProxyIPLoginLimitTime
+
* zimbraReverseProxyIPLoginLimitTime
  
 
<pre>
 
<pre>
Line 50: Line 53:
 
=== Rate Limiting User Logins ===
 
=== Rate Limiting User Logins ===
  
** zimbraReverseProxyUserLoginLimit
+
* zimbraReverseProxyUserLoginLimit
  
 
<pre>
 
<pre>
Line 68: Line 71:
 
</pre>
 
</pre>
  
** zimbraReverseProxyUserLoginLimitTime
+
* zimbraReverseProxyUserLoginLimitTime
  
 
<pre>
 
<pre>

Revision as of 18:14, 30 May 2014

TODO

postfix

Postfix Rate Limiting:

IMAP/POP

The ZCS NGINX Proxy implementation provides the following:

IP-based login rate limiting directives

  • zimbraReverseProxyIPLoginLimit
<attr id="622" name="zimbraReverseProxyIPLoginLimit" type="integer" min="0" cardinality="single" optionalIn="globalConfig" since="5.0.3">
  <globalConfigValue>0</globalConfigValue>
  <desc>Sets the upper limit on logins from a remote IP via POP or
    IMAP to this proxy server after which login is rejected with an
    appropriate protocol specific bye response. This counter is
    cumulative for all users that appear to the proxy to be logging in
    from the same IP address.  If multiple users appear to the proxy
    to be logging in from the same IP address (usual with NATing),
    then each of the different users login will contribute to
    increasing the hit counter for that IP address, and when the
    counter eventually exceeds the limit, then the connections
    from that IP address will be throttled.  Therefore, all users from
    the same IP will contribute to (and be affected by) this counter.
    Logins using all protocols (POP3/POP3S/IMAP/IMAPS) will affect
    this counter (the counter is aggregate for all protocols, *not*
    separate).  If this value is set to 0, then no limiting will take
    place for any IP.</desc>
</attr>
  • zimbraReverseProxyIPLoginLimitTime
<attr id="623" name="zimbraReverseProxyIPLoginLimitTime" type="integer" min="0" cardinality="single" optionalIn="globalConfig" since="5.0.3">
  <globalConfigValue>3600</globalConfigValue>
  <desc>Sets the time-to-live for the hit counter for IP based login
    throttling.  If time is set to 3600 and limit is set to 1000, then
    it means that NGINX should not allow more than 1000 users to log
    in via the proxy from the same IP, within the time interval of an
    hour.  The semantics for such a configuration would then be:
    allow maximum 1000 users per hour from any given IP address.
  </desc>
</attr>

Rate Limiting User Logins

  • zimbraReverseProxyUserLoginLimit
<attr id="624" name="zimbraReverseProxyUserLoginLimit" type="integer" min="0" cardinality="single" optionalIn="globalConfig" requiresRestart="nginxproxy" since="5.0.3">
  <globalConfigValue>0</globalConfigValue>
  <desc>Limit how many times a user can login via the proxy.  Setting
    limit to 100 and time to 3600 means: allow maximum 100 logins per
    hour for any user.  As with the ip counterparts, the user hit
    counter and timeout are cumulative for all protocols.  Also, for a
    given users login, both counters are checked in succession, with
    the IP counter being checked first.  A login may be rejected
    (throttled) because the IP is over-usage, or because the login
    name itself is over-usage. A value of 0 indicates that no
    throttling will take place for any user.
  </desc>
</attr>
  • zimbraReverseProxyUserLoginLimitTime
<attr id="625" name="zimbraReverseProxyUserLoginLimitTime" type="integer" min="0" cardinality="single" optionalIn="globalConfig" requiresRestart="nginxproxy" since="5.0.3">
  <globalConfigValue>3600</globalConfigValue>
  <desc>
    Sets the time-to-live for the hit counter for per user login
    throttling.
  </desc>
</attr>
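The interaction of the four attributes above, as an added Python model (not Zimbra or NGINX code, and not part of the original page). It assumes a fixed window that starts at a counter's first hit, that every login attempt increments the counter, and that the user counter is not touched when the IP check rejects; the class name, scenarios and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class LoginThrottle:
    """Toy model of the proxy's two login counters (assumed semantics)."""
    ip_limit: int = 0      # zimbraReverseProxyIPLoginLimit (0 = no limiting)
    ip_ttl: int = 3600     # zimbraReverseProxyIPLoginLimitTime, seconds
    user_limit: int = 0    # zimbraReverseProxyUserLoginLimit (0 = no limiting)
    user_ttl: int = 3600   # zimbraReverseProxyUserLoginLimitTime, seconds
    _hits: dict = field(default_factory=dict)  # key -> (count, expiry)

    def _over(self, key, limit, ttl, now):
        if limit == 0:                     # 0 disables this check entirely
            return False
        count, expiry = self._hits.get(key, (0, now + ttl))
        if now >= expiry:                  # counter's time-to-live ran out
            count, expiry = 0, now + ttl   # assumption: window restarts here
        count += 1                         # assumption: every attempt counts
        self._hits[key] = (count, expiry)
        return count > limit               # throttle once limit is exceeded

    def login(self, ip, user, now):
        """Return 'ok', 'ip-throttled' or 'user-throttled' for one login."""
        # One aggregate counter per key: POP3/POP3S/IMAP/IMAPS all land here.
        if self._over(("ip", ip), self.ip_limit, self.ip_ttl, now):
            return "ip-throttled"          # IP counter is checked first
        if self._over(("user", user), self.user_limit, self.user_ttl, now):
            return "user-throttled"
        return "ok"

def nat_scenario():
    """Constructed input: three users behind one NAT address, IP limit 5."""
    t = LoginThrottle(ip_limit=5, user_limit=3)
    users = ["alice", "bob", "carol"]
    # Six logins within one minute, two per user, all from 203.0.113.10.
    first = [t.login("203.0.113.10", users[i % 3], now=i * 10) for i in range(6)]
    # Once the IP counter's TTL has passed, the same address is accepted again.
    later = t.login("203.0.113.10", "alice", now=3600)
    return first, later

def roaming_scenario():
    """Constructed input: one user from four addresses, user limit 3."""
    t = LoginThrottle(ip_limit=5, user_limit=3)
    return [t.login(f"198.51.100.{n}", "dave", now=n) for n in range(1, 5)]
```

In the NAT scenario no single user comes near the per-user limit, yet the shared address is throttled, which is the case to size zimbraReverseProxyIPLoginLimit for before enabling it.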