On Wed, 2008-12-17 at 09:35 -0600, Mike Abbott wrote:
Here are a few more patches. Still keeping it easy for now. Again
the basis for these patches is dovecot-1.1.7.Patch #6. Solve a cross-compilation endianness issue. Currently,
Dovecot assumes that the endianness of the build system is the same as
the endianness of the runtime system. This is not necessarily true.
We ran into this while compiling for i386 on a ppc machine. The patch
switches to using gcc's __BIG_ENDIAN__ macro; see the comment in the
patch to configure.in. It also removes the related and unused
MAIL_INDEX_COMPAT_FLAGS parameter. This patch may be applicable to
other build environments with a little tweaking.
http://hg.dovecot.org/dovecot-1.1/rev/fdcb5fc6f2d9
Patch #7. Replace all occurrences of "hash_create" and "hash_destroy"
with "hash_table_create" and "hash_table_destroy" respectively. The
symbols hash_create and hash_destroy conflict with symbols defined in
and libc. This showed up when loading dovecot's quota
plugin (one of our future patches will add a hash table to it; stay
tuned). The wrong hash_create was called which caused a crash at the
first hash_insert. Apparently this is only a problem in loaded
dynamic libraries and not linked-in ones.
If you start renaming API functions, rename all of them for consistency. :) Probably will stay v1.2-only.
http://hg.dovecot.org/dovecot-1.2/rev/f9166a09423a
Patch #8. Back off after auth failures to deter abusers. Stalls 5
seconds per failed attempt.
http://hg.dovecot.org/dovecot-1.2/rev/1b744c38bcac http://hg.dovecot.org/dovecot-1.2/rev/164569761647
Your code disabled idle timeout entirely while waiting for the auth failure reply. This doesn't seem such a good idea to me. Rather it sounds like an easy way to DoS the server. Just connect, send about 100 failing LOGIN commands and then do nothing for the next 7 hours (besides what's necessary to keep the TCP connection alive). Repeat with some thousands of clients.