ZCS Service Protection
Zimbra Collaboration Service Protection
- This article is a Work in Progress, and may be unfinished or missing sections.
TODO
- add notes for https://bugzilla.zimbra.com/show_bug.cgi?id=85526
postfix
Postfix Rate Limiting:
IMAP/POP
The ZCS NGINX Proxy implementation provides the following:
IP-based login rate limiting directives
- zimbraReverseProxyIPLoginLimit
<attr id="622" name="zimbraReverseProxyIPLoginLimit" type="integer" min="0" cardinality="single" optionalIn="globalConfig" since="5.0.3">
  <globalConfigValue>0</globalConfigValue>
  <desc>Sets the upper limit on logins from a remote IP via POP or IMAP to this proxy server after which login is rejected with an appropriate protocol specific bye response. This counter is cumulative for all users that appear to the proxy to be logging in from the same IP address. If multiple users appear to the proxy to be logging in from the same IP address (usual with NATing), then each of the different users login will contribute to increasing the hit counter for that IP address, and when the counter eventually exceeds the limit, then the connections from that IP address will be throttled. Therefore, all users from the same IP will contribute to (and be affected by) this counter. Logins using all protocols (POP3/POP3S/IMAP/IMAPS) will affect this counter (the counter is aggregate for all protocols, *not* separate). If this value is set to 0, then no limiting will take place for any IP.</desc>
</attr>
- zimbraReverseProxyIPLoginLimitTime
<attr id="623" name="zimbraReverseProxyIPLoginLimitTime" type="integer" min="0" cardinality="single" optionalIn="globalConfig" since="5.0.3">
  <globalConfigValue>3600</globalConfigValue>
  <desc>Sets the time-to-live for the hit counter for IP based login throttling. If time is set to 3600 and limit is set to 1000, then it means that NGINX should not allow more than 1000 users to log in via the proxy from the same IP, within the time interval of an hour. The semantics for such a configuration would then be: allow maximum 1000 users per hour from any given IP address.</desc>
</attr>
Rate Limiting User Logins
- zimbraReverseProxyUserLoginLimit
<attr id="624" name="zimbraReverseProxyUserLoginLimit" type="integer" min="0" cardinality="single" optionalIn="globalConfig" requiresRestart="nginxproxy" since="5.0.3">
  <globalConfigValue>0</globalConfigValue>
  <desc>Limit how many times a user can login via the proxy. Setting limit to 100 and time to 3600 means: allow maximum 100 logins per hour for any user. As with the ip counterparts, the user hit counter and timeout are cumulative for all protocols. Also, for a given users login, both counters are checked in succession, with the IP counter being checked first. A login may be rejected (throttled) because the IP is over-usage, or because the login name itself is over-usage. A value of 0 indicates that no throttling will take place for any user.</desc>
</attr>
- zimbraReverseProxyUserLoginLimitTime
<attr id="625" name="zimbraReverseProxyUserLoginLimitTime" type="integer" min="0" cardinality="single" optionalIn="globalConfig" requiresRestart="nginxproxy" since="5.0.3">
  <globalConfigValue>3600</globalConfigValue>
  <desc>Sets the time-to-live for the hit counter for per user login throttling.</desc>
</attr>
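The following is an added example, not Zimbra or NGINX code: a small Python model of how the four attributes above interact, showing users behind one NAT address sharing the IP counter and the IP counter being checked before the user counter. The class and function names are hypothetical, the addresses are constructed, and the model assumes a fixed window that starts at the first hit, that rejected attempts still increment the counter they hit, and that the user counter is not touched when the IP check rejects.

```python
import time

class LoginThrottle:
    """Toy model of the IP and user hit counters (assumed semantics, see lead-in)."""

    def __init__(self, ip_limit=0, ip_ttl=3600, user_limit=0, user_ttl=3600,
                 clock=time.monotonic):
        self.ip_limit, self.ip_ttl = ip_limit, ip_ttl        # ...IPLoginLimit / ...IPLoginLimitTime
        self.user_limit, self.user_ttl = user_limit, user_ttl  # ...UserLoginLimit / ...UserLoginLimitTime
        self.clock = clock
        self.hits = {}  # key -> (count, expiry); the protocol is deliberately not part of the key

    def _hit(self, key, limit, ttl):
        if limit == 0:                      # 0 means no limiting takes place
            return True
        now = self.clock()
        count, expiry = self.hits.get(key, (0, now + ttl))
        if now >= expiry:                   # counter's time-to-live ran out: start over
            count, expiry = 0, now + ttl
        count += 1                          # assumption: rejected attempts also count
        self.hits[key] = (count, expiry)
        return count <= limit               # throttle once the counter exceeds the limit

    def login(self, ip, user, protocol):
        # protocol (POP3/POP3S/IMAP/IMAPS) is ignored: counters are aggregate
        if not self._hit(("ip", ip), self.ip_limit, self.ip_ttl):
            return "rejected: ip"           # IP counter is checked first
        if not self._hit(("user", user), self.user_limit, self.user_ttl):
            return "rejected: user"
        return "ok"


def nat_demo():
    """Four users behind one constructed NAT address; limits of 3 per IP, 2 per user."""
    now = [0.0]
    t = LoginThrottle(ip_limit=3, user_limit=2, clock=lambda: now[0])
    nat = "203.0.113.10"                    # constructed documentation address
    out = [t.login(nat, u, p) for u, p in
           [("alice", "IMAP"), ("bob", "POP3"), ("carol", "IMAPS"), ("dave", "IMAP")]]
    out.append(t.login("198.51.100.7", "alice", "POP3S"))  # alice's 2nd login, other IP
    out.append(t.login("198.51.100.7", "alice", "IMAP"))   # 3rd login: over the user limit
    now[0] = 3600.0                         # one hour later both counters have expired
    out.append(t.login(nat, "dave", "IMAP"))
    return out
```

With these constructed limits, dave is rejected purely because three other users behind the same address logged in first, which is the NAT effect the zimbraReverseProxyIPLoginLimit description warns about when sizing the limit.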