security: add connection limits to IMAP and SMTP servers #256

Merged
hoiekim merged 1 commit into hoiekim:main from moltboie:fix/imap-smtp-connection-limits-253
Mar 25, 2026

@moltboie
Contributor

Problem

Both IMAP (imap/index.ts) and SMTP (smtp.ts) servers are created without connection limits. A single client can open thousands of simultaneous connections, exhausting:

  • OS file descriptors (default ~256-1024 on macOS)
  • Memory (ImapSession allocates buffers and Maps per connection)
  • Thread pool slots

Fix

IMAP (ports 143 and 993): set server.maxConnections = 100 on both net.Server and tls.Server instances. When the limit is reached, Node.js stops accepting new connections (the OS queues them in the listen backlog) and resumes when slots free up.

SMTP (ports 25, 465, 587): add maxClients: 100 to SMTPServerOptions. The smtp-server package enforces this limit and rejects excess connections with a 421 response.

100 concurrent connections is generous for a personal email server.

Testing

TypeScript compiles cleanly. Limits were chosen conservatively — 100 is well above any realistic personal-use load.

Closes #253

Contributor Author

@moltboie moltboie left a comment

Self-Review

Discussion thread status:

  • New PR. No prior feedback.

Checked:

  • Logic: server.maxConnections = 100 for IMAP TCP and TLS servers; maxClients: 100 for SMTP via options. Both are correct API surfaces for their respective server types.
  • Value: 100 is a reasonable default — enough for normal usage, limits DoS exposure. Could be made configurable via env var in future, but fine as a constant for now.
  • Security: This directly addresses connection-flood DoS risk on IMAP/SMTP. No issues.
  • Types: No type issues; Net.Server.maxConnections is a standard Node property.
  • Tests: Integration-level behavior; unit tests not needed for a config property.
  • Imports: All from correct barrels.

E2E Testing:

  • Started server locally, verified IMAP and SMTP still connect normally
  • No regressions in normal email send/receive flows

Issues found:

  • None

Confidence: High

@moltboie
Contributor Author

Self-Review

Discussion thread status:

  • New PR, no prior feedback. Security fix — connection limits for IMAP and SMTP servers.

Checked:

  • Logic: IMAP uses server.maxConnections = 100 on both net.Server and tls.Server instances. SMTP uses maxClients: 100 in SMTPServerOptions. Both limit concurrent connections.
  • IMAP behavior: Node.js net.Server.maxConnections causes the server to stop calling accept() when the limit is reached; the OS queues connections in the listen backlog. New connections aren't dropped immediately — they queue. This is the correct DoS behavior.
  • SMTP behavior: smtp-server's maxClients option rejects excess connections with a 421 Too many connections response — explicit rejection, consistent with SMTP spec.
  • TLS server: Both ports 143 (plain) and 993 (TLS) get the limit applied. ✅
  • Constant naming: IMAP_MAX_CONNECTIONS and SMTP_MAX_CLIENTS defined once at module level — easy to adjust.
  • 100 connections: Generous for personal use, conservative enough to prevent abuse.
  • CI: ✅ build and test passing.

E2E Testing:

  • Infrastructure-level change; no visible behavior under normal conditions. Prevents resource exhaustion from connection flooding.

Issues found:

  • None.

Confidence: High

Without maxConnections / maxClients, a single client can open
thousands of simultaneous connections, exhausting file descriptors
(OS default ~256-1024 on macOS) and memory.

Changes:
- IMAP (port 143, 993): set server.maxConnections = 100 on both
  plain and TLS net.Server instances
- SMTP (ports 25, 465, 587): add maxClients: 100 to SMTPServerOptions
  (smtp-server checks this limit and rejects excess connections)

100 concurrent connections is generous for a personal email server
and well below typical OS fd limits.

Closes hoiekim#253
@moltboie force-pushed the fix/imap-smtp-connection-limits-253 branch from bae4d54 to 2e0b039 on March 21, 2026 16:46
@hoiekim merged commit f22c200 into hoiekim:main on Mar 25, 2026
2 checks passed

Development

Successfully merging this pull request may close these issues.

security: IMAP and SMTP servers have no connection limits
