[Dovecot] login processes from attacks staying for hours
Asheesh Laroia
asheesh at asheesh.org
Mon Jul 28 04:38:58 EEST 2008
On Thu, 24 Jul 2008, Kai Schaetzl wrote:
> Other programs have their own built-in values/parameters for timeouts,
> which makes sense as one program's typical timeout needs may be quite
> different from another one. So, each program should at least have a few
> *configurable* parameters that control timeouts like how long an
> authentication can take or when a data transfer timeout occurs. The IDLE
> timeout in dovecot seems to be 30 minutes. I would expect it to close any
> non-authenticated connection *at least* after this time - if not earlier.
Indeed, as I recall, the IMAP protocol in general sets a 30 minute
timeout across the board.
So killing any connection with no data for that long seems like a very
sane idea. Timo, what do you think?
-- Asheesh.
--
After the last of 16 mounting screws has been removed from an access
cover, it will be discovered that the wrong access cover has been removed.
More information about the dovecot
mailing list