dovecot config for 1500 simultaneous connection

Joseph Tam jtam.home at gmail.com
Tue Feb 14 22:50:21 UTC 2017


Rajesh M wrote:

> I wish to improve the performance further by caching the logins.
> Currently the same is kept disabled because when users change passwords
> then they are not able to immediately login with the new password for
> some time.  How to solve this issue?

Dovecot shouldn't be doing that.  According to

 	https://wiki2.dovecot.org/Authentication/Caching

 	Data is used from the cache if it's not expired (auth_cache_ttl setting)
 		- If authentication fails this time, but it didn't fail
 		last time, it's assumed that the password has changed
 		and a database lookup is done.

As I read it, an authentication failure will cause an update of cache
credentials.  The problem I encountered is the converse -- a
user changes their password, but forgets to update their mail reader's
or web browser's stored password, which continues to work until the
TTL expires.

Another related security situation I've encountered is when a fraudster
has phished a user's password.  A user/admin changes the password,
but forgets to invalidate dovecot's cached entry, allowing the fraudster
continuing access to the mail account until the TTL expires or user logs
in with new credentials.  I've been burnt by this one.

Joseph Tam <jtam.home at gmail.com>
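
The following is an added example, not part of the original post and not Dovecot's code: a simplified Python model of the cache rule quoted from the wiki, showing the stale-password window described above and the effect of invalidating the cached entry when the password changes. The class, the dict standing in for the passdb, the user name and the passwords are all constructed for illustration.

```python
# Simplified model of the cache rule quoted above; not Dovecot's own code.
class AuthCache:
    def __init__(self, passdb, ttl):
        self.passdb = passdb   # dict user -> password, stand-in for the real passdb
        self.ttl = ttl         # plays the role of auth_cache_ttl, in seconds
        self.entries = {}      # user -> (password, stored_at, last_attempt_ok)

    def _refresh(self, user, password, now):
        # Database lookup: replace the cached entry with the current password.
        real = self.passdb.get(user)
        ok = real is not None and real == password
        self.entries[user] = (real, now, ok)
        return ok

    def login(self, user, password, now):
        entry = self.entries.get(user)
        if entry is None or now - entry[1] >= self.ttl:
            return self._refresh(user, password, now)    # miss or expired
        cached, stored_at, last_ok = entry
        if cached == password:
            self.entries[user] = (cached, stored_at, True)
            return True        # served from cache, passdb is never consulted
        if last_ok:
            # Failed now but not last time: assume a password change, re-check.
            return self._refresh(user, password, now)
        return False

    def flush(self, user):
        # Invalidate one user's cached entry, e.g. right after a password reset.
        self.entries.pop(user, None)


def demo(flush_on_change):
    passdb = {"alice": "old-secret"}                     # constructed sample data
    cache = AuthCache(passdb, ttl=3600)
    results = [cache.login("alice", "old-secret", now=0)]        # populates cache
    passdb["alice"] = "new-secret"                               # password changed
    if flush_on_change:
        cache.flush("alice")
    results.append(cache.login("alice", "old-secret", now=60))   # old password
    results.append(cache.login("alice", "new-secret", now=120))  # new password
    results.append(cache.login("alice", "old-secret", now=180))  # old password again
    return results
```

Without the flush, `demo(False)` accepts the old password at t=60 and rejects it only after the new password has been used; with the flush, `demo(True)` rejects it on the first attempt after the change.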

