On Fri, 18 May 2018, Sami Ketola wrote:
It would be a lot easier to find a reasonable process limit if we could boot these unauthenticated connections off in a more reasonable amount of time, like 5-10 seconds, but I'm not seeing a way to accomplish that?
https://github.com/PowerDNS/weakforced is just for situations like this.
It may be, but it's good to dial back the timeouts to something reasonable, even for legitimate hosts. Maybe it's stipulated by RFC, but 3 minutes is a lot of time to wait for a password. I did have a patch I applied to an old version of Dovecot to 30s, so I don't know if it will work without modification on the version the OP has (the second define looks like it has to be tweaked for 5-10s), or whether it has been superseded by some other config setting, but this was the patch

-------------------------------------------------------------------------------- diff -r -U0 a/src/lib-master/master-interface.h b/src/lib-master/master-interface.h --- a/src/lib-master/master-interface.h Mon Jun 2 04:50:10 2014 +++ b/src/lib-master/master-interface.h Sat Feb 14 18:41:39 2015 @@ -99,1 +99,1 @@ -#define MASTER_LOGIN_TIMEOUT_SECS (30) +#define MASTER_LOGIN_TIMEOUT_SECS (3*60) @@ -101,1 +101,1 @@ -#define MASTER_AUTH_SERVER_TIMEOUT_SECS (MASTER_LOGIN_TIMEOUT_SECS<<1) +#define MASTER_AUTH_SERVER_TIMEOUT_SECS (MASTER_LOGIN_TIMEOUT_SECS - 30)

Joseph Tam <jtam.home@gmail.com>
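
Review bot: In the first hunk (@@ -99), the direction looks inverted relative to the description: the `-` line has MASTER_LOGIN_TIMEOUT_SECS as (30) and the `+` line has (3*60), so applying the diff as posted sets the login timeout to three minutes rather than to 30 seconds. If the shorter timeout is the goal, regenerate the diff with the two trees swapped, and say in the description which Dovecot release it was cut against, since the file timestamps are from 2014 and 2015.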
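
Review bot: In the second hunk (@@ -101), the (MASTER_LOGIN_TIMEOUT_SECS - 30) form on the `+` line evaluates to zero when the login timeout is 30 and goes negative for the 5-10 second values discussed in the thread, while the (MASTER_LOGIN_TIMEOUT_SECS<<1) form on the `-` line stays positive for any positive login timeout. Whichever side ends up applied, derive the auth server timeout with an expression that cannot reach zero, and add a comment on the define stating the intended relationship between the two timeouts.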