[horde] Blocked ActiveSync Devices
Michael J Rubinsky
mrubinsk at horde.org
Mon Jun 29 16:25:14 UTC 2015
Quoting Marc Cheptea <marc.cheptea at spamina.com>:
> On 6/26/2015 4:09 PM, Michael J Rubinsky wrote:
>>
>> Quoting Marc Cheptea <marc.cheptea at spamina.com>:
>>
>>> Hi everyone,
>>>
>>> I am trying to block an ActiveSync device in horde and I'm having
>>> some problems. The device is blocked successfully and cannot get
>>> updates. However it seems blocked devices keep re-connecting
>>> continuously. These requests use an extreme amount of resources on
>>> my test server (load average 4.66, on a 1 core VM). Most of which
>>> are used up by Apache while processing the device's requests.
>>>
>>> Looking in my apache access.log, I'm seeing that the device is
>>> sending 4 requests/second continuously until blocked. See excerpt
>>> below:
>>>
>>> /"OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1" 200 933 "-"
>>> "Apple-iPhone...."
>>> "POST
>>> /Microsoft-Server-ActiveSync?User=demo at user.com&DeviceId=AJHG56a6daS&DeviceType=iPhone&Cmd=Settings HTTP/1.1" 200 714 "-"
>>> "Apple-iPhone..."
>>> "POST
>>> /Microsoft-Server-ActiveSync?User=demo at user.com&DeviceId=AJHG56a6daS&DeviceType=iPhone&Cmd=Provision HTTP/1.1" 200 650 "-"
>>> "Apple-iPhone..."
>>> "POST
>>> /Microsoft-Server-ActiveSync?User=demo at user.com&DeviceId=AJHG56a6daS&DeviceType=iPhone&Cmd=Sync HTTP/1.1" 449 1002 "-"
>>> "Apple-iPhone..."/
>>>
>>> Is this the normal behaviour? Is there a way to tell the device it
>>> should try to attempt sync after 5min?
>>>
>>> My problem is that I have multiple devices I would like to block
>>> and this behavior will kill my web server.
>>
>> We send the appropriate status codes (well, at least we are
>> supposed to), that tell the client the reason for the rejection
>> (authentication error, blocked via permissions etc..). Please
>> attach the activesync log of a blocked client so I can verify this
>> is indeed happening correctly. If it is, there is not much we can
>> do to prevent the device from attempting to connect from within
>> Horde.
>>
>
> I enabled the logging and experimented for a couple of hours with
> the ActiveSync hooks and a couple of devices (iOS 7, iOS 8, Android
> 4.0.* and WP8). Out of these only iOS8 didn't send the continuous
> requests when blocked. iOS7 would send 4 requests/sec continuously,
> Android and WP8 less frequent (random) yet continuous requests.
>
> According to the logs the ActiveSync server returns the 129 code
> when a device is blocked. The client however it seems has the
> liberty to react in any way it wants to this code and most keep on
> trying to sync.

Exactly. Welcome to the horrid world of fragmented EAS clients.

From MS-ASCMD 2.2.4:

Status Code: 129
Element Name: DeviceIsBlockedForThisUser
Meaning: The user is configured to allow only some devices to sync.
This device is not the allowed device.
Versions: Supported by: 14.0, 14.1

> It seems there is not much that can be done on ActiveSync(Horde)
> server-side, these devices just do what they want. Additionally I
> noticed that the error messages shown by the devices when blocked
> are totally unintuitive - all of them show messages like "Connection
> to the server failed." instead of the more user friendly "The device
> was blocked.".
If the mood suits you, you could experiment with different status
codes to see if any of the others that might be sort-of-appropriate
produce a better response with your mix of clients. The status code is
set in Horde_ActiveSync::authenticate() and the status codes that are
available in this case are defined in Horde_ActiveSync_Status.
--
mike
The Horde Project
http://www.horde.org
https://www.facebook.com/hordeproject
https://www.twitter.com/hordeproject
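
Added example, not part of the original messages and not Horde code: a small log check that finds the devices producing the retry pattern described in this thread, by DeviceId, from an Apache access log. It assumes the combined log format; the thresholds, the function names and the sample lines (DEV-LOOP, DEV-OK, 192.0.2.10) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

EAS_PATH = "/Microsoft-Server-ActiveSync"
# Apache combined log format: ... [time] "METHOD url proto" status bytes ...
LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')


def noisy_devices(lines, min_rate=2.0, min_requests=8):
    """Map DeviceId -> (requests, http_449_count, requests_per_second) for
    devices whose average request rate is at least min_rate (assumed threshold)."""
    seen = defaultdict(list)  # DeviceId -> [(timestamp, status), ...]
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        device = parse_qs(url.query).get("DeviceId", [None])[0]
        if url.path != EAS_PATH or device is None:  # OPTIONS probe has no DeviceId
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[device].append((ts, int(m["status"])))
    flagged = {}
    for device, hits in seen.items():
        times = [t for t, _ in hits]
        # Log timestamps have 1 s resolution, so the window spans (last - first) + 1 s.
        window = (max(times) - min(times)).total_seconds() + 1
        rate = len(hits) / window
        if len(hits) >= min_requests and rate >= min_rate:
            flagged[device] = (len(hits), sum(s == 449 for _, s in hits), rate)
    return flagged


def sample_log():
    """Constructed sample: DEV-LOOP sends 4 requests/s for 5 s; DEV-OK one per minute."""
    fmt = ('192.0.2.10 - - [29/Jun/2015:16:{mm:02d}:{ss:02d} +0000] "POST ' + EAS_PATH +
           '?User=demo&DeviceId={dev}&DeviceType=iPhone&Cmd={cmd} HTTP/1.1" {st} 650 "-" "constructed"')
    lines = ['192.0.2.10 - - [29/Jun/2015:16:00:00 +0000] "OPTIONS ' + EAS_PATH + ' HTTP/1.1" 200 933 "-" "constructed"']
    for ss in range(5):
        for cmd, st in (("Settings", 200), ("Provision", 200), ("Sync", 449), ("Sync", 449)):
            lines.append(fmt.format(mm=0, ss=ss, dev="DEV-LOOP", cmd=cmd, st=st))
    lines += [fmt.format(mm=mm, ss=0, dev="DEV-OK", cmd="Sync", st=200) for mm in range(8)]
    return lines


if __name__ == "__main__":
    for dev, (n, blocked, rate) in noisy_devices(sample_log()).items():
        print(f"{dev}: {n} requests, {blocked} x HTTP 449, {rate:.1f} req/s")
```

Devices it lists are candidates for throttling in front of Horde (web server or firewall), since the thread concludes the retries cannot be stopped from within Horde.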