[horde] Blocked ActiveSync Devices

Marc Cheptea marc.cheptea at spamina.com
Mon Jun 29 15:14:22 UTC 2015 

On 6/26/2015 4:09 PM, Michael J Rubinsky wrote:
>
> Quoting Marc Cheptea <marc.cheptea at spamina.com>:
>
>> Hi everyone,
>>
>> I am trying to block an ActiveSync device in horde and I'm having 
>> some problems. The device is blocked successfully and cannot get 
>> updates. However it seems blocked devices keep re-connecting 
>> continuously. These requests use an extreme amount of resources on my 
>> test server (load average 4.66, on a 1 core VM). Most of which are 
>> used up by Apache while processing the device's requests.
>>
>> Looking in my apache access.log, I'm seeing that the device is 
>> sending 4 requests/second continuously until blocked. See excerpt below:
>>
>> /"OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1" 200 933 "-" 
>> "Apple-iPhone...."
>> "POST 
>> /Microsoft-Server-ActiveSync?User=demo at user.com&DeviceId=AJHG56a6daS&DeviceType=iPhone&Cmd=Settings 
>> HTTP/1.1" 200 714 "-" "Apple-iPhone..."
>> "POST 
>> /Microsoft-Server-ActiveSync?User=demo at user.com&DeviceId=AJHG56a6daS&DeviceType=iPhone&Cmd=Provision 
>> HTTP/1.1" 200 650 "-" "Apple-iPhone..."
>> "POST 
>> /Microsoft-Server-ActiveSync?User=demo at user.com&DeviceId=AJHG56a6daS&DeviceType=iPhone&Cmd=Sync 
>> HTTP/1.1" 449 1002 "-" "Apple-iPhone..."/
>>
>> Is this the normal behaviour? Is there a way to tell the device it 
>> should try to attempt sync after 5min?
>>
>> My problem is that I have multiple devices I would like to block and 
>> this behavior will kill my web server.
>
> We send the appropriate status codes (well, at least we are supposed 
> to), that tell the client the reason for the rejection (authentication 
> error, blocked via permissions etc..). Please attache the activesync 
> log of a blocked client so I can verify this is indeed happening 
> correctly. If it is, there is not much we can do to prevent the device 
> from attempting to connect from within Horde.
>

I enabled the logging and experimented for a couple of hours with the 
ActiveSync hooks and a couple of devices (iOS 7, iOS 8, Android 4.0.* 
and WP8). Out of these only iOS8 didn't send the continuous requests 
when blocked. iOS7 would send 4 requests/sec continuously, Android and 
WP8 less frequent (random) yet continuous requests.

According to the logs the ActiveSync server returns the 129 code when a 
device is blocked. The client however it seems has the liberty to react 
in any way it wants to this code and most keep on trying to sync.

I seems there is not much that can be done on ActiveSync(Horde) 
server-side, these devices just do what they want. Additionally I 
noticed that the error messages shown by the devices when blocked are 
totally unintuitive - all of them show messages like "Connection to the 
server failed." instead of the more user friendly "The device was 
blocked.".

Regards,
Mark

More information about the horde mailing list