[Dovecot] SASL abort causes 5s delay, triggered by UW libc-client
Since upgrading to Debian squeeze, the web mail system (Imp4/Horde3) suffers delays every time a new IMAP connection is needed. Tracing the authentication conversation, we find:
08:45:55.270609: 00000000 AUTHENTICATE GSSAPI
08:45:55.271277: +
08:45:55.271761: *
08:45:55.271782: 00000000 BAD Authentication aborted by client.
08:45:55.271815: 00000001 AUTHENTICATE PLAIN
08:46:00.271008: +

and the PLAIN login succeeds.
Imp4 is using php5-imap, which is using libc-client, and the delays make the interface so slow as to be hardly usable.
For reasons best known to its authors, libc-client first initiates GSSAPI authentication, then checks if there is a Kerberos ticket it can use (there is none), then realizes its mistake and aborts SASL, and tries PLAIN. At this point dovecot delays for 5000ms.
While not defending libc-client's odd behaviour of not checking for tickets first, it has probably done so for a long time, and dovecot from Debian lenny does not delay at this point.
I am lost as to how to get around this without changing the code. The "nodelay" parameter can not be used with PAM passdb, according to the documentation.
I would be inclined to always call client_auth_failed with nodelay=TRUE in the SASL_SERVER_REPLY_AUTH_ABORTED case.
Arne Nordmark
Config:
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0 ext3
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap
listen: *, [::]
ssl_ca_file: /etc/ssl/certs/mechca_cert.pem
ssl_cert_file: /etc/ssl/certs/ano4/ano4_crt.pem
ssl_key_file: /etc/ssl/certs/ano4/ano4_key.pem
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:/var/mail/maildir/%u
mbox_write_locks: fcntl dotlock
lda:
  postmaster_address: postmaster@ano.mech.kth.se
  mail_plugins: sieve
auth default:
  mechanisms: plain gssapi
  failure_delay: 0
  debug: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: root
plugin:
  sieve: ~/.dovecot.sieve
  sieve_dir: ~/sieve
On Sat, 2011-03-12 at 13:26 +0100, Arne Nordmark wrote:
> For reasons best known to its authors, libc-client first initiates GSSAPI authentication, then checks if there is a Kerberos ticket it can use (there is none), then realizes its mistake and aborts SASL, and tries PLAIN. At this point dovecot delays for 5000ms.
Yeah, it's a bug. v2.0 doesn't have this problem.
> I am lost as to how to get around this without changing the code.
You can't.
> I would be inclined to always call client_auth_failed with nodelay=TRUE in the SASL_SERVER_REPLY_AUTH_ABORTED case.
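Added example (not part of the original thread, and not Dovecot or libc-client code): a Python script that reads a timestamped trace in the format posted in the first message and reports, for each AUTHENTICATE command, how long the server took to send its first reply and whether that command followed a client SASL abort. The function names, the 1-second threshold, and the rule that a bare "*" line is the client's cancel are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Trace lines as posted in the first message of this thread.
TRACE = """\
08:45:55.270609: 00000000 AUTHENTICATE GSSAPI
08:45:55.271277: +
08:45:55.271761: *
08:45:55.271782: 00000000 BAD Authentication aborted by client.
08:45:55.271815: 00000001 AUTHENTICATE PLAIN
08:46:00.271008: +
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{6}): (.*)$")
AUTH = re.compile(r"^(\S+) AUTHENTICATE (\S+)", re.IGNORECASE)

def parse(trace):
    """Yield (datetime, payload) per well-formed line; roll over at midnight."""
    day, prev = timedelta(0), None
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped trace line
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f") + day
        if prev is not None and ts < prev:  # clock wrapped past 23:59:59
            day += timedelta(days=1)
            ts += timedelta(days=1)
        prev = ts
        yield ts, m.group(2)

def auth_latencies(trace):
    """Return [(mechanism, seconds to first server reply, followed_abort)]."""
    out, pending, aborted = [], None, False
    for ts, payload in parse(trace):
        m = AUTH.match(payload)
        if m:  # new attempt: remember tag, mechanism, start time, abort flag
            pending = (m.group(1), m.group(2).upper(), ts, aborted)
            aborted = False
        elif payload == "*":
            aborted = True  # assumption: a bare "*" is the client's SASL cancel
        elif pending and payload.startswith(("+", pending[0] + " ")):
            out.append((pending[1], (ts - pending[2]).total_seconds(), pending[3]))
            pending = None  # only the first reply to each attempt is timed
    return out

def delayed_after_abort(trace, threshold=1.0):
    """Mechanisms whose first reply came >= threshold s after a client abort."""
    return [(m, s) for m, s, a in auth_latencies(trace) if a and s >= threshold]
```

On the posted trace, the GSSAPI attempt is answered in under a millisecond, while the PLAIN attempt that follows the abort waits just under five seconds for its continuation.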
participants (2)
- Arne Nordmark
- Timo Sirainen