Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Connect » IMAP connection from IP address rejected: too many simultaneous connections
  •  
cookiestore99

Messages: 20
Karma: 1
Send a private message to this user
We have are using Kerio in conjunction with JIRA to handle incoming mails to a specific inbox and user.

This mailhandler configuration has been working fine for the past 2 years, but has recently somehow completely crapped its self.

In the security log of our Kerio server we see error messages like:
IMAP connection from IP address x.x.x.x rejected: too many simultaneous connections (103 connections, limit 100)
Related to this on our JIRA server we see errors in the log like:
2017-02-02 13:45:00,112 Caesium-1-1 WARN anonymous jira @ [c.a.mail.incoming.mailfetcherservice] jira<_at_>[10100]: javax.mail.MessagingException: * BYE Too many connections from your IP address while connecting to host '<kerio host>' as user 'jira' via protocol 'imaps, caused by: com.sun.mail.iap.ConnectionException: * BYE Too many connections from your IP address


We have 13 mailhandlers configured, but somehow we have over 100 imap connections that are not being disconnected and prevent the mailhandler from working.
Also we can not log into the user account from the webmail interface.
We have tried to unlock all users from the admin interface and also disable and re enable the user account hoping this would clear all the open connections. It did not.

Any idea what could cause those zombie connections and how to get rid of them? Thanks in advance.


  •  
nbytes

Messages: 8
Karma: -2
Send a private message to this user

I think it has to do with Apple's pushmail service!


I do not know how to solve this?
  •  
sirmacalot

Messages: 3
Karma: 0
Send a private message to this user
Have you ever found a solution?
  •  
cookiestore99

Messages: 20
Karma: 1
Send a private message to this user
nope.

we talked to kerio support and all that they could tell us was to try an upgrade to a newer release and that we should think about changing our storage. The upgrade fixed the issue for a few weeks, but it came back.

Regarding storage, we are running kerio on a mounted nfs share, for easier backup etc. IO perf is not great, but it works fine, mostly. Kerio does not officially support this scenario and recommends use of a directly attached storage device like hdds or ssds with ext4.

At first we would not believe it, since this setup has been working ever since and we did not change anything... actively. What changed, was the size of our user base, increasingly that is. Hence why the load on the file system also increased slightly over time.

When checking the web admin ui for open imaps connections, we dont see any from the ip of our jira server. Still kerio blocks new connections, because the limit of 100 per ip has allegedly been exceeded. We dont see any connections in our central firewall or on the systems running kerio and jira, so the connections dont really exist. Only kerio thinks that they exist and then kills new imaps connection attempts. Let's call them ghost connections, sounds fancy.

So somehow in the internals of kerio there are cached imaps connection records that wont die and keep haunting us.

We have tried restarting the kerio, but the issue still persists. Since the last upgrade, which was a major release onto 9.x fixed the issue, it is likely related to caches that survive a simple reboot, but got wiped on a major release. Upgrades since then from 9.1 to 9.2 also did not clean the ghost connections, likely because they are a minor release.

We have also been seeing some general weirdness with our kerio instance lately:
- previews of mails not corresponding with the mail selected for preview, but the mail before
- getting a "server not responding" after changing settings in the web admin ui, like user permissions
- kerio hanging and not responding indefinitely after trying to restart the imaps service through the web admin ui.

What somehow alleviated the issue for now was stopping (not restarting) the imaps service through the web ui. Then kerio hangs, so we kill and restart it. Imaps service is back up after the forced restart and the ghost connections seem to be gone. Jira can connect and ro time investment is ok for now, since we have more serious topics to dedicate our work force to...

We also increased max connections per ip in the mailserver.cfg.xml from 100 to 200. More duct tape to keep the ghost connections away!!

  •  
sirmacalot

Messages: 3
Karma: 0
Send a private message to this user
Hello Cookiestore,

Thanks very much for the reply.
We will also try the things you mention in your reply.
We are making the first steps of moving to a cloud service as Kerio Connect always seems to be unstable and unreliable.
We have several other issues that are just to weird to mention...
Thanks again for your informational reply! Smile
  •  
freakinvibe

Messages: 1529
Karma: 60
Send a private message to this user
Have you tried to increase the number of connections to 500? You can also switch of the restriction completely.

This can be done under Services > Imap > Edit

While this is not the ultimate solution it might ease your pain.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
Till Heppner

Messages: 48
Karma: 1
Send a private message to this user
Under Services -> IMAP you can only increase the number of total IMAP-Connections. But you must increase the IMAP-Connections per IP.

- Stop Kerio Connect
- Go into mailserver.cfg and search for <table name="service-imap">
- Then change to 1000 Connections at <variable name="MaxConnections">1000</variable>
- And now the same for IMAP SSL: <table name="service-imaps">
- Save and Restart Kerio Connect

  •  
MacLab

Messages: 218
Karma: 15
Send a private message to this user
Till Heppner wrote on Fri, 08 September 2017 07:55
Under Services -> IMAP you can only increase the number of total IMAP-Connections. But you must increase the IMAP-Connections per IP.

- Stop Kerio Connect
- Go into mailserver.cfg and search for <table name="service-imap">
- Then change to 1000 Connections at <variable name="MaxConnections">1000</variable>
- And now the same for IMAP SSL: <table name="service-imaps">
- Save and Restart Kerio Connect



This is correct. Just verifying for what it is worth that you need to modify the config file to allow more connections per IP. This is not a setting you can change in the interface. You may not need 1000 but change to at least 400-500. 100 is much too low.

MacLab, Inc.
Kerio Certified Partner, Reseller, Hosting Provider, Kerio Connect Certified.
http://maclaboratory.com
Previous Topic: Antivirus Module: SSL certificate problem
Next Topic: Kerio Connect and Outlook Shared Folders
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Sat Sep 23 11:08:15 CEST 2017

Total time taken to generate the page: 0.00479 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.