Mystery blocked IP: clean firewall, saturated Dovecot limits, and false blocking symptoms

In NAT office environments, users often report “my IP is blocked,” while firewall rules are clean. The real bottleneck can be Dovecot per-IP session limits.

Diagnostic flow

csf -g 186.x.x.x
ss -ntp | grep '186.x.x.x'
doveadm who | grep '186.x.x.x'
dovecot -n | grep mail_max_userip_connections

Practical fix

mail_max_userip_connections = 60

remote 127.0.0.1 {
  mail_max_userip_connections = 150
}

Apply and validate:

dovecot -n
systemctl restart dovecot

Evidence and validation

grep -Ei 'too many|connection|auth|login' /var/log/maillog | tail -n 80

Final takeaway

If firewall is clean, inspect service-layer limits before applying random network changes. Per-IP Dovecot limits are a common root cause in NAT-heavy clients.

This post is licensed under CC BY-NC.