[Dovecot] login processes from attacks staying for hours

[Asheesh Laroia]

On Thu, 24 Jul 2008, Kai Schaetzl wrote:

> Other programs have their own built-in values/parameters for timeouts,
> which makes sense as one program's typical timeout needs may be quite
> different from another one. So, each program should at least have a few
> *configurable* parameters that control timeouts like how long an
> authentication can take or when a data transfer timeout occurs. The IDLE
> timeout in dovecot seems to be 30 minutes. I would expect it to close any
> non-authenticated connection *at least* after this time - if not earlier.

Indeed, as I recall, the IMAP protocol in general sets a 30 minute 
timeout across the board.

So killing any connection with no data for that long seems like a very 
sane idea.  Timo, what do you think?

-- Asheesh.

-- 
After the last of 16 mounting screws has been removed from an access
cover, it will be discovered that the wrong access cover has been removed.