Excessive DoS triggers on IMAP connections
Question asked by Ciaran Morgan - 5/19/2018 at 3:04 PM
First off, I have upgraded from v15 to v16 recently and have had very few issues - most tend to be where the v15 functions are now located in the v16 menus.
Wonder if anyone else is seeing this particular problem on IMAP connections
I have, for a number of years, based a number of my security settings on the excellent document from Bruce Barnes, especially the Denial of Service settings on the IMAP/SMTP connections. These have, by and large, been really successful and, for example, limit the number of connections from an IP address within a fixed timescale.
Since upgrading to v16, I have noticed a large number of (especially) IMAP DoS blocks occurring where they did not occur under v15 with exactly the same settings. What appears to be happening is that some users are clocking up 50 - 100+ connections in short timescales (e.g. ten minutes) and, on looking through the IMAP logs, I can see IMAP connections being made and, within seconds, the logs will record that the same user has logged in again, but there has been no IMAP command to log in or authenticate with it.
Sometimes these login records will simply appear in the middle of an ongoing IMAP retrieval session and little or no other traffic associated with that login is reported. The log does then record the session being disconnected, typically up to 30 minutes after the login.
I am trying to trace the user's setup to check exactly how they have their devices configured, but I do know that nothing on their end has changed since I upgraded to v16.
Any information as to why the number of IMAP logins appears to be massively increasing under v16, only for some users, or any other methods of trying to track down the cause, would be seriously welcome.

5 Replies

Scarab Replied
We experienced the same thing but we tracked it down to Apple clients that do not use IMAP IDLE properly.
Many email clients offer the ability to use the IDLE function of IMAP. What the IMAP IDLE function does is leave a connection open to the mail server so that when new email arrives it immediately alerts your mail client and pushes the new message to you.
This is a very good thing to have configured for your mailbox, in theory; however, in practice, the way Apple Mail handles this function of the IMAP protocol creates multiple IMAP connections, adding new connections at regular intervals and never closing them, instead of leaving just one connection open. Over time these can pile up, diminishing available resources on both your computer and the mail server. This can result in both Apple Mail and your device being sluggishly slow, or even being blocked from connecting to your mail server as a DoS (Denial of Service) attack.
You used to be able to disable IMAP IDLE client-side in Apple Mail (which resolved the issue entirely), however the ability to disable this function was recently removed in Mac OS 10.11 El Capitan. The only recourse at this point is to disable IMAP IDLE server-side in SmarterMail under SETTINGS > PROTOCOLS > IMAP by turning off the "Enable IDLE Command".
Ciaran Morgan Replied
Thanks for the info, Scarab. The user is indeed using Apple Mail and iPhones, all on IMAP, but unfortunately I already have the IDLE command disabled, yet this is still happening.

Appreciate the reply.
Robert G. Replied
I've noticed Apple (mac mail, iphone, ipad) clients appear to be the culprit. Companies that use outlook with android devices do not get these issues. Whitelisting their IP or increasing the brute force limit are the only options.

Note: I love apple and own both iPhone and Macbook Pro. Just thought I'd say this in case people think I'm biased.
Scarab Replied
Just had this come up again, but for a slightly different reason. Mac Mail will open a new IMAP connection and re-authenticate for every folder that it needs to sync. If a user has X# of folders > Threshold # in SmarterMail's IDS Denial of Service Rules, then they will get blocked. (By comparison, Gmail limits to 15 IMAP connections.) We experienced a user with 80+ folders triggering our Threshold of 60 every time Mac Mail attempted to sync folders. This is a 19-year-old known issue with Mac Mail IMAP dating back to the last century, so it is unlikely that Apple will fix it anytime in the foreseeable future. The best options we can provide, as increasing the Threshold beyond 60 is ridiculous at this point, are to *STRONGLY* suggest that the user use local folders in Mac Mail for organizing their emails, or that they significantly decrease the number of folders that they keep in their mail account to prevent them from violating the Threshold of IMAP connections.
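As an added example (not code from this thread, from SmarterTools, or from Bruce Barnes's document), the Python script below shows how the two patterns in this thread look in a log and how a per-IP connection rule counts them: a sliding-window count of connections per source IP compared against a threshold (the "connections from one IP within a fixed timescale" rule from the original question), and a check for the one-connection-per-folder behaviour described in the post above. The log line format, IP addresses, user names, folder names and the "block when the count exceeds the threshold" semantics are all assumptions; the log lines are constructed by the script, not real SmarterMail output.

```python
"""Sliding-window IMAP connection counter over constructed log lines.

Assumed log format (NOT SmarterMail's real format; adapt parse_line to yours):
    YYYY-MM-DD HH:MM:SS [<client-ip>][<session-id>] <event text>
Lines are expected in chronological order, as a log file would be.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<ip>[^\]]+)\]\[(?P<sid>\d+)\] (?P<event>.+)$"
)


def parse_line(line):
    """Return (timestamp, ip, session_id, event) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["ip"], m["sid"], m["event"]


def build_sample_log(ip, user, folders, per_folder_connection, start):
    """Construct sample log lines for one client (assumed format, constructed data).

    per_folder_connection=True mimics the behaviour described in the thread:
    a new connection and a new LOGIN for every folder the client syncs.
    False mimics a client that logs in once and SELECTs every folder on that
    single session. Folders are synced one second apart.
    """
    lines = []
    sid = 1000
    t = start

    def emit(session, event):
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} [{ip}][{session}] {event}")

    if not per_folder_connection:
        sid += 1
        emit(sid, "connected")
        emit(sid, f"LOGIN {user}")
    for i, folder in enumerate(folders):
        t = start + timedelta(seconds=i)
        if per_folder_connection:
            sid += 1
            emit(sid, "connected")
            emit(sid, f"LOGIN {user}")
        emit(sid, f'SELECT "{folder}"')
        emit(sid, "FETCH 1:* (FLAGS)")
    return lines


def peak_connections_per_ip(lines, window_seconds=600):
    """Highest number of 'connected' events from each IP inside any sliding
    window of window_seconds: the number a per-IP rate rule compares against
    its threshold (assumed semantics)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peaks = defaultdict(int)
    for rec in map(parse_line, lines):
        if rec is None or rec[3] != "connected":
            continue
        ts, ip = rec[0], rec[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop connections that fell out of the window
            q.popleft()
        peaks[ip] = max(peaks[ip], len(q))
    return dict(peaks)


def blocked_ips(lines, threshold, window_seconds=600):
    """IPs whose peak connection count exceeds the threshold (assumes the rule
    blocks on count > threshold, as the post above describes for folders)."""
    peaks = peak_connections_per_ip(lines, window_seconds)
    return sorted(ip for ip, n in peaks.items() if n > threshold)


def folders_per_session(lines):
    """Map (ip, session_id) -> set of folder names SELECTed on that session."""
    out = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec is not None and rec[3].startswith("SELECT "):
            out[(rec[1], rec[2])].add(rec[3][len("SELECT "):].strip('"'))
    return dict(out)


def one_folder_per_connection(lines):
    """True when more than one session SELECTed a folder and every such session
    touched exactly one folder: the per-folder reconnect pattern."""
    sessions = folders_per_session(lines)
    return len(sessions) > 1 and all(len(f) == 1 for f in sessions.values())


# Constructed sample data: 80 folders, the count mentioned in the thread.
START = datetime(2018, 5, 19, 14, 0, 0)
FOLDERS = [f"Projects/{i:02d}" for i in range(80)]
MAC_LOG = build_sample_log("203.0.113.10", "alice@example.com", FOLDERS, True, START)
GOOD_LOG = build_sample_log("198.51.100.7", "bob@example.com", FOLDERS, False, START)

if __name__ == "__main__":
    log = MAC_LOG + GOOD_LOG
    print(peak_connections_per_ip(log))  # {'203.0.113.10': 80, '198.51.100.7': 1}
    print(blocked_ips(log, threshold=60))  # ['203.0.113.10']
    print(one_folder_per_connection(MAC_LOG), one_folder_per_connection(GOOD_LOG))  # True False
```

Run as-is, the 80-folder client that reconnects per folder peaks at 80 connections inside a ten-minute window and is the only IP over a threshold of 60, while the client that reuses one session for all 80 folders peaks at 1. The same `one_folder_per_connection` check, pointed at a real log once `parse_line` is adapted to its format, separates this reconnect pattern from a genuine flood of logins from many clients behind one address.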
Matt Petty Replied
Employee Post
I don't understand why they do it like that. I'll look through the logs sometimes and notice that they connect, authenticate, then issue like 2-4 commands, stop, and do it again on another connection for a different folder. Many times it will do this concurrently, which can make reading and following what's happening in the logs when debugging Mac issues very difficult. Very unfortunate that it's been an issue that long and they haven't fixed it, typical Apple :/

Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
