[BlueOnyx:21104] Re: Dovecot - Nope, dfix!

Greg Kuhnert gkuhnert at compassnetworks.com.au
Thu Jun 8 16:54:42 -05 2017


Hi all.

Just out of interest, the root cause of the problem comes back to changed behaviour in dovecot. The newer dovecot is a little more “lightweight” in terms of its footprint. Let me explain.

dFix is not just a security tool. When it was first created, the primary function was to restart dovecot when it used to hang and crash… (kind of like a third party active monitor). I had a busy server at the time that was regularly getting attacked with dictionary attacks and all sorts of other stuff. I found that in some circumstances, the master fix process refused to spawn children. The dFix script was born. It counted the number of dovecot processes, and if it was outside some pre-configured limits, it would re-start dovecot. The other stuff - watching the log files for bad IP addresses and blocking them - came later. In case you ever wondered, dFix stands for “Dovecot Fix”.

So. What changed? The new dovecot is leaner than the old one. The default configured minimum number of processes that it looks for is 10 dovecot processes. If it finds less than this, it will assume dovecot is dead. I just had a look at a box, and the number of processes was around 8 or 9 processes. For anyone that wants to still use the old dFix, you can edit the config file to change the defaults in /etc/dfix.conf

# Dovecot Process limits
#
# When the number of Dovecot processes exceeds the MAX value, dfix will stop dovecot until the number of processes
# drops below the MIN value.
MIN=10
MAX=500

You can change the MIN value to say 7, and things should be back to normal.

BUT, let me say this. The newer version of dFix is radically different - and takes a very different approach. The original dFix ran as a cron job every 60 seconds, checked dovecot and log files, and took action.

In the new one, there is no more dovecot process monitoring. That is now handled very well by active monitor. dFix 2 uses an engine that is constantly monitoring log files - with a very rapid response to threats - providing instant mitigation to the threats it detects.

Regards,
Greg.


> On 8 Jun 2017, at 9:01 am, Michael Stauber <mstauber at blueonyx.it> wrote:
> 
> Hi Gregg,
> 
>> Still the same problem.
>> Redirecting to /bin/systemctl status  dovecot.service Redirecting to
>> /bin/systemctl status  dovecot.service
> 
> The issue is "Dfix". That's causing the problem. Uninstall that PKG.
> Only leave "Dfix2" aboard (which is fine), but the regular "Dfix" has to go.
> 
> -- 
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
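The process-count check Greg describes (count dovecot processes, restart if fewer than MIN, stop if more than MAX, reading the limits from a KEY=VALUE file shaped like /etc/dfix.conf), reconstructed as an added POSIX shell example. This is not dFix's own code: the process names in the sample snapshot, the matching pattern, and the function names are assumptions, and the "action" only prints the command it would run rather than touching the service.

```shell
#!/bin/sh
# Added illustration of the dFix 1 style check described in the thread.
# Defaults mirror the /etc/dfix.conf values quoted in the post.
MIN=10
MAX=500

# Constructed sample of a `ps -o comm` style listing (assumed names, not a
# capture from a real box): 9 dovecot-related processes, i.e. below MIN=10.
SAMPLE_PS='dovecot
dovecot/anvil
dovecot/log
dovecot/config
dovecot/auth
imap-login
imap-login
imap
pop3-login'

# Source MIN/MAX from a config file if it is readable; otherwise keep defaults.
# Only KEY=VALUE lines are expected, as in the quoted /etc/dfix.conf.
load_dfix_conf() {
    conf="${1:-/etc/dfix.conf}"
    if [ -r "$conf" ]; then
        # shellcheck disable=SC1090
        . "$conf"
    fi
}

# Count process-name lines on stdin that belong to dovecot or its workers.
# The pattern is an assumption about how the old script matched processes.
count_dovecot_procs() {
    n=$(grep -cE '^(dovecot|imap|pop3|lmtp)' || true)
    echo "${n:-0}"
}

# Turn a count into a decision: restart (too few), stop (too many), or ok.
decide_action() {
    count=$1; min=$2; max=$3
    if [ "$count" -lt "$min" ]; then
        echo restart
    elif [ "$count" -gt "$max" ]; then
        echo stop
    else
        echo ok
    fi
}

# Print the command the monitor would run; does not change the service.
describe_action() {
    case "$1" in
        restart) echo "would run: systemctl restart dovecot" ;;
        stop)    echo "would run: systemctl stop dovecot" ;;
        *)       echo "dovecot process count within limits, nothing to do" ;;
    esac
}

# Stand-alone demo over the constructed snapshot, with MIN=10 and then MIN=7.
count=$(printf '%s\n' "$SAMPLE_PS" | count_dovecot_procs)
echo "dovecot processes: $count (MIN=$MIN MAX=$MAX)"
describe_action "$(decide_action "$count" "$MIN" "$MAX")"
echo "with MIN=7:"
describe_action "$(decide_action "$count" 7 "$MAX")"
```

With the snapshot above the first run reports 9 processes and a restart, which is exactly the false positive the thread describes: a leaner dovecot never reaches the old default of 10, so the monitor keeps restarting a healthy service. Lowering MIN to 7 (or, as Michael suggests, removing dFix 1 and relying on Active Monitor) makes the check pass.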
