z-push zimbra backend - zimbra DoSFilter
To all users of the zimbra backend running zimbra 8 (or later I assume), please note that following troubleshooting of a user issue the root cause of erratic sync behaviour was narrowed down to ...
Zimbra 8 introduced a new DoSFilter - in their words ...
The denial-of-service filter or DoSFilter was added to the mailbox server in ZCS 8.0 to throttle clients sending a large number of requests over a very short period of time. The DoSFilter is applied to all requests for service, mailbox and admin. This feature was added with the completion of bug 66921.
DoS filtering is enabled by default once ZCS 8 is installed. It may be necessary to adjust the configuration to accommodate specific environmental needs. Disabling DoSFilter is not recommended.
As z-push is usually installed on a separate server from zimbra, it can get blocked by this filter particularly when first synching a device of turning it back on following an extended period of time not synching - basically any time z-push needs to send over many requests to the server in a short space of time. For example, a device requesting a sync on a mailbox that has received 50 new emails since the last sync would generate at a minimum a Search Request and 50 GetMsg Requests. A fast z-push server could fire off these requests very rapidly.
The zimbra wiki page DoSFilter - Zimbra :: Wiki explains how to add the IP address of the z-push server to the DoSFilter whitelist so it is always allowed to issue as many requests as needed.
If you are using versions 8.0.0, 8.0.1, or 8.0.2 please note that the configuration is a more manual process - please see the link at the bottom of the wiki page.