[Dovecot] SSL/TLS handshake stays forever without timeout
Hi,
I am a system admin and I am evaluating using dovecot as our email server. In my test, I found that if I telneted to 993 port and did not do anything or I telneted to 143 port, sent starttls command and then did not do anything, the connection stayed forever without timeout. This will make our mail server vulnerable to DOS attack. I dig into dovecot Wiki and did not find any solution. This seems to me that dovecot does not handle SSL/TLS handshake timeout. I am wondering if this is a known issue and will be fixed in near future.
Thanks,
On 01/14/2014 04:42 PM morrison wrote:
Hi,
I am a system admin and I am evaluating using dovecot as our email server. In my test, I found that if I telneted to 993 port and did not do anything or I telneted to 143 port, sent starttls command and then did not do anything, the connection stayed forever without timeout. This will make our mail server vulnerable to DOS attack. I dig into dovecot Wiki and did not find any solution. This seems to me that dovecot does not handle SSL/TLS handshake timeout. I am wondering if this is a known issue and will be fixed in near future.
Thanks,
Please define 'forever'
I just did time openssl s_client -connect mail.example.com:143 -starttls imap (and nothing else):
CONNECTED(00000003) depth=0 CN = mail.… … . OK Pre-login capabilities listed, post-login capabilities have more.
- BYE Disconnected for inactivity. closed
real 3m0.377s user 0m0.016s sys 0m0.000s
As you can see, Dovecot closed the connection after three minutes.
Regards, Pascal
The trapper recommends today: fabaceae.1401420@localdomain.org
Am 14.01.2014 20:26, schrieb Pascal Volk:
Please define 'forever'
I just did
time openssl s_client -connect mail.example.com:143 -starttls imap(and nothing else):CONNECTED(00000003) depth=0 CN = mail.… … . OK Pre-login capabilities listed, post-login capabilities have more.
- BYE Disconnected for inactivity. closed
real 3m0.377s user 0m0.016s sys 0m0.000s
As you can see, Dovecot closed the connection after three minutes
did you read the "This will make our mail server vulnerable to DOS attack" 3 minutes is *way too long* in case of a DOS attack
if no single byte data is received there is no reason not to close the connection at least after 30 seconds
Hi Pascal
Am 14.01.14 20:26 schrieb Pascal Volk:
On 01/14/2014 04:42 PM morrison wrote: Please define 'forever'
I just did
time openssl s_client -connect mail.example.com:143 -starttls imap(and nothing else):
This is not the test morrison has suggested. Doing his test with telnet and thus not complete the SSL handshake, the connection stays open much longer than 3 Minutes. I closed the connection now manually after a little more than 2 hours. This is on Dovecot 2.1.7.
Regards, Adrian.
Am 14.01.2014 20:38 schrieb Adrian Zaugg:
This is not the test morrison has suggested. Doing his test with telnet and thus not complete the SSL handshake, the connection stays open much longer than 3 Minutes. I closed the connection now manually after a little more than 2 hours. This is on Dovecot 2.1.7. same here with dovecot-2.2.10
$ date; telnet imaphost 143 Di 14. Jan 21:57:59 CET 2014 <IMAP dialog> . starttls . OK Begin TLS negotiation now.
... now it's 23:53 ant the tcp connection is still established.
in contrast: postfix-2.11 $ date; telnet mx 25; date Di 14. Jan 23:42:45 CET 2014 <SMTP dialog> ... starttls 220 2.0.0 Ready to start TLS Connection closed by foreign host. Di 14. Jan 23:48:10 CET 2014
looks like postfix handle the timeout smarter.
Andreas
On 15.1.2014, at 0.54, Andreas Schulze sca@andreasschulze.de wrote:
Am 14.01.2014 20:38 schrieb Adrian Zaugg:
This is not the test morrison has suggested. Doing his test with telnet and thus not complete the SSL handshake, the connection stays open much longer than 3 Minutes. I closed the connection now manually after a little more than 2 hours. This is on Dovecot 2.1.7. same here with dovecot-2.2.10
participants (6)
-
Adrian Zaugg
-
Andreas Schulze
-
morrison
-
Pascal Volk
-
Reindl Harald
-
Timo Sirainen