Hi Marc,
On 2024/05/02 15:31, Marc wrote:
Looking for some advice.
Hmmm, I am glad I took the time to arrange a proper ldap infrastructure. Whatever gets hammered stays local
Hahaha, yea well, galera served us well until now, and assuming no DDL changes on large tables we believe it will continue to do so. That aside, I do like ldap indeed, but unfortunately that's not a feasible option at this stage.
What I'm hoping is that dovecot has some way, in case of such "authentication backend" problem scenarios, to ignore protocol and politeness and simply disconnect the client, ie, just shut the connection without saying anything, this could even be with a small delay (I'd say 1 second or so, just to avoid tight auth retry loops, up to 4 or 5 seconds IMHO would be fine).
auth_failure_delay = 2 secs ?
That will still simply wait before *rejecting* the login, compared to *dropping the connection*.
We are thus looking for three different behaviours:
1. If backend confirms auth, ACK auth + proceed (grant access) to email.
2. If backend confirms "no such user" or "invalid creds", wait for auth_failure_delay and then *reject* the login.
3. If the backend fails (ie, can neither confirm nor deny), simply drop the connection.
I hope this is more clear.
Kind regards, Jaco