From 3ca0fa2b505921b4b8e720b5d5a454e382f240e9 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Mon, 2 Jun 2025 20:54:30 +0200
Subject: [PATCH] increase number of login connections

---
 CHANGELOG.md                                  |  3 +++
 cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2 | 11 +++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c4bc075..8e2f32b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 ## untagged
 
+- Increase dovecot imap-login limits
+  ([#577](https://github.com/chatmail/relay/pull/577))
+
 - Increase nginx connection limits
   ([#576](https://github.com/chatmail/relay/pull/576))
 
diff --git a/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2 b/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
index d6e9e878..e76b37bd 100644
--- a/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
+++ b/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
@@ -177,17 +177,20 @@ service auth-worker {
 }
 
 service imap-login {
-    # High-security mode.
-    # Each process serves a single connection and exits afterwards.
-    # This is the default, but we set it explicitly to be sure.
+    # We are not using "high-security-mode" because even if dovecot
+    # login would be compromised, there are only E2EE messages to be
+    # found or sent, and an attacker doesn't have the key used with this address. 
     # See <https://doc.dovecot.org/admin_manual/login_processes/#high-security-mode> for details.
-    service_count = 1
+    
+    # Performance Mode. Each process serves up to 100 connections and exits afterwards. 
+    service_count = 100
 
     # Inrease the number of simultaneous connections.
     #
     # As of Dovecot 2.3.19.1 the default is 100 processes.
     # Combined with `service_count = 1` it means only 100 connections
     # can be handled simultaneously.
+    # We allow up to 5000 * 100 = 500K connections 
     process_limit = 10000
 
     # Avoid startup latency for new connections.