[Dovecot] login processes from attacks staying for hours

Timo Sirainen tss at iki.fi
Thu Jul 31 13:13:46 EEST 2008


On Jul 28, 2008, at 4:38 AM, Asheesh Laroia wrote:

> On Thu, 24 Jul 2008, Kai Schaetzl wrote:
>
>> Other programs have their own built-in values/parameters for timeouts,
>> which makes sense as one program's typical timeout needs may be quite
>> different from another one. So, each program should at least have a few
>> *configurable* parameters that control timeouts like how long an
>> authentication can take or when a data transfer timeout occurs. The IDLE
>> timeout in dovecot seems to be 30 minutes. I would expect it to close any
>> non-authenticated connection *at least* after this time - if not earlier.

In v1.1 IDLE never disconnects on timeout, because several clients rely on this.

> Indeed, as I recall, the IMAP protocol in general sets a 30 minute
> timeout across the board.

Right.

> So killing any connection with no data for that long seems like a
> very sane idea.  Timo, what do you think?

Non-authenticated sessions have a shorter timeout, something like 2 or
3 minutes. Authenticated non-IDLEing sessions are disconnected after
30 minutes.
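The three-tier policy Timo describes (a short limit before authentication, 30 minutes for an authenticated session that is not in IDLE, and no limit at all once the client has entered IDLE) is easiest to see in code. The following is an added example, not Dovecot's own code: a toy asyncio listener in Python whose per-connection read timeout is chosen from the session state, plus the pure policy functions a reaper sweep would use. The 180 s pre-auth value, the command subset, the listen port and all names are assumptions for illustration.

```python
"""Per-state idle timeouts for an IMAP-style listener (added example, not Dovecot code).

Policy from the message above: unauthenticated sessions get a short timeout
(assumed here to be 180 s), authenticated non-IDLE sessions 30 minutes, and a
session in IDLE is never reaped. The toy protocol and names are hypothetical.
"""
import asyncio
from dataclasses import dataclass
from typing import List, Optional

PRE_AUTH_TIMEOUT = 180.0      # assumed; Timo says "something like 2 or 3 minutes"
AUTH_TIMEOUT = 30 * 60.0      # 30 minutes for authenticated, non-IDLE sessions


@dataclass
class Session:
    peer: str
    last_activity: float      # monotonic timestamp of the last client data
    authenticated: bool = False
    idling: bool = False


def idle_limit(session: Session) -> Optional[float]:
    """Seconds of silence after which the session is dropped; None means never."""
    if session.idling:
        return None           # v1.1 behaviour described above: IDLE never times out
    return AUTH_TIMEOUT if session.authenticated else PRE_AUTH_TIMEOUT


def should_disconnect(session: Session, now: float) -> bool:
    limit = idle_limit(session)
    return limit is not None and now - session.last_activity >= limit


def reap(sessions: List[Session], now: float) -> List[Session]:
    """Return the sessions a periodic reaper sweep must close at time `now`."""
    return [s for s in sessions if should_disconnect(s, now)]


async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """One connection: the read timeout is re-derived from state before every read."""
    loop = asyncio.get_running_loop()
    sess = Session(peer=str(writer.get_extra_info("peername")), last_activity=loop.time())
    idle_tag = b""
    writer.write(b"* OK toy server ready\r\n")
    try:
        while True:
            try:
                line = await asyncio.wait_for(reader.readline(), timeout=idle_limit(sess))
            except asyncio.TimeoutError:
                writer.write(b"* BYE idle timeout\r\n")   # pre-auth: 180 s, authed: 30 min
                break
            if not line:
                break                                     # client closed the socket
            sess.last_activity = loop.time()
            words = line.split()
            if words and words[0].upper() == b"DONE" and sess.idling:
                sess.idling = False                       # back to the 30 minute limit
                writer.write(idle_tag + b" OK IDLE terminated\r\n")
            elif len(words) >= 2 and words[1].upper() == b"LOGIN":
                sess.authenticated = True                 # no real credential check: toy only
                writer.write(words[0] + b" OK logged in\r\n")
            elif len(words) >= 2 and words[1].upper() == b"IDLE" and sess.authenticated:
                sess.idling, idle_tag = True, words[0]    # no timeout until DONE
                writer.write(b"+ idling\r\n")
            elif len(words) >= 2 and words[1].upper() == b"LOGOUT":
                writer.write(b"* BYE\r\n" + words[0] + b" OK\r\n")
                break
            else:
                writer.write((words[0] if words else b"*") + b" BAD unsupported\r\n")
            await writer.drain()
    finally:
        writer.close()


async def serve(host: str = "127.0.0.1", port: int = 1143) -> None:
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

The point of the per-read `wait_for(..., timeout=idle_limit(sess))` is that the limit is recomputed from the current state, so a connection that sits on the banner without ever sending LOGIN is cut after PRE_AUTH_TIMEOUT regardless of how long an authenticated or idling session is allowed to stay; the `reap` function is the same policy expressed for a process that keeps a table of sessions and sweeps it periodically.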


