[Dovecot] login processes from attacks staying for hours

Asheesh Laroia asheesh at asheesh.org
Mon Jul 28 04:38:58 EEST 2008


On Thu, 24 Jul 2008, Kai Schaetzl wrote:

> Other programs have their own built-in values/parameters for timeouts,
> which makes sense as one program's typical timeout needs may be quite
> different from another one. So, each program should at least have a few
> *configurable* parameters that control timeouts like how long an
> authentication can take or when a data transfer timeout occurs. The IDLE
> timeout in dovecot seems to be 30 minutes. I would expect it to close any
> non-authenticated connection *at least* after this time - if not earlier.

Indeed, as I recall, the IMAP protocol in general sets a 30 minute 
timeout across the board.

So killing any connection with no data for that long seems like a very 
sane idea.  Timo, what do you think?

-- Asheesh.

-- 
After the last of 16 mounting screws has been removed from an access
cover, it will be discovered that the wrong access cover has been removed.


More information about the dovecot mailing list