The DoSFilter has two components: the connection throttling component and the block-an-ip-after-too-many-failed-logins component.
The second component can be turned off entirely:
Code:
zmprov ms `zmhostname` zimbraInvalidLoginFilterMaxFailedLogin 0
For the first component, you can "turn it off" by adding your Zimbra servers (required) and any other desired IP addresses in CIDR format to the zimbraHttpThrottleSafeIPs global attribute. I think you know what to do here if you wish...
But, you could also just increase zimbraHttpDosFilterMaxRequestsPerSec to a really big number. There is apparently no maximum for this attribute:
Code:
zmprov desc -a zimbraHttpDosFilterMaxRequestsPerSec
Regardless, for most single- and multi-server Zimbra servers, here's what I do:
Code:
zmprov mcf zimbraHttpDosFilterDelayMillis 20
zmprov mcf zimbraHttpDosFilterMaxRequestsPerSec 500
zmprov ms `zmhostname` zimbraInvalidLoginFilterMaxFailedLogin 0
zmprov mcf +zimbraHttpThrottleSafeIPs xx.xx.xx.xx/32
zmprov mcf +zimbraHttpThrottleSafeIPs yy.yy.yy.yy/16
Multiple Zimbra servers _should_ be added automatically to zimbraHttpThrottleSafeIPs, but I find that that doesn't always happen for some reason, so I just manually add all the Zimbra servers' IP addresses (and any other networks I don't want to be analyzed by DoSFilter connection throttling) to zimbraHttpThrottleSafeIPs.
For some really busy systems, where for example multiple delegated Admins are logged in to the Admin Console at the same time from the same IP, I find I need to increase zimbraHttpDosFilterMaxRequestsPerSec to as much as 1500. I think it's a good idea to have _some_ connection throttling always in place, but you have some flexibility as to how, and how high, you want to set the threshold. And you can always exempt any IP/network you wish from connection throttling entirely too.
Hope that helps,
Mark
P.S. As re the documentation, I agree it could be better. IMHO, the DoSFilter Wiki page tells you the rules of the game, but not how to play the game.
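A check for the gap described in the post above, where Zimbra servers are not always added to zimbraHttpThrottleSafeIPs automatically. This is an added example, not part of the original post or Zimbra's own tooling; it assumes the text output of `zmprov gcf zimbraHttpThrottleSafeIPs` is passed in, and the addresses, the `audit` helper and its `min_prefix` threshold are constructed for illustration.

```python
import ipaddress

# Constructed sample of `zmprov gcf zimbraHttpThrottleSafeIPs` output
# (documentation and private address ranges, not real servers).
SAMPLE_GCF = """\
zimbraHttpThrottleSafeIPs: 192.0.2.10/32
zimbraHttpThrottleSafeIPs: 198.51.100.0/24
zimbraHttpThrottleSafeIPs: 10.0.0.0/8
"""
# Constructed list of this deployment's Zimbra server addresses.
SAMPLE_SERVERS = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]


def parse_safe_ips(gcf_output):
    """Return the networks from 'zimbraHttpThrottleSafeIPs: <cidr>' lines."""
    nets = []
    for line in gcf_output.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == "zimbraHttpThrottleSafeIPs" and value.strip():
            # strict=False accepts entries with host bits set, e.g. 10.1.2.3/16
            nets.append(ipaddress.ip_network(value.strip(), strict=False))
    return nets


def audit(gcf_output, server_ips, min_prefix=24):
    """Report servers missing from the safe list and very wide exemptions.

    min_prefix is a hypothetical review threshold for IPv4 entries,
    not a Zimbra setting: anything wider than /min_prefix is flagged
    because every host in it bypasses connection throttling.
    """
    nets = parse_safe_ips(gcf_output)
    missing = [ip for ip in server_ips
               if not any(ipaddress.ip_address(ip) in n for n in nets)]
    broad = [str(n) for n in nets
             if n.version == 4 and n.prefixlen < min_prefix]
    return {"missing_servers": missing, "broad_exemptions": broad}


if __name__ == "__main__":
    result = audit(SAMPLE_GCF, SAMPLE_SERVERS)
    for ip in result["missing_servers"]:
        print(f"server {ip} is still subject to DoSFilter throttling")
    for net in result["broad_exemptions"]:
        print(f"exemption {net} is wider than /24, review it")
```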