Here are a few more patches. Still keeping it easy for now. Again
the basis for these patches is dovecot-1.1.7.

Patch #6. Solve a cross-compilation endianness issue. Currently,
Dovecot assumes that the endianness of the build system is the same as
the endianness of the runtime system. This is not necessarily true.
We ran into this while compiling for i386 on a ppc machine. The patch
switches to using gcc's __BIG_ENDIAN__ macro; see the comment in the
patch to configure.in. It also removes the related and unused
MAIL_INDEX_COMPAT_FLAGS parameter. This patch may be applicable to
other build environments with a little tweaking.

Patch #7. Replace all occurrences of "hash_create" and "hash_destroy"
with "hash_table_create" and "hash_table_destroy" respectively. The
symbols hash_create and hash_destroy conflict with symbols defined in
<strhash.h> and libc. This showed up when loading dovecot's quota
plugin (one of our future patches will add a hash table to it; stay
tuned). The wrong hash_create was called which caused a crash at the
first hash_insert. Apparently this is only a problem in loaded
dynamic libraries and not linked-in ones.

Patch #8. Back off after auth failures to deter abusers. Stalls 5
seconds per failed attempt.

PS -- Please forgive me if I make a mistake at some point while
splitting these patches out from our source tree. They're all mingled
together on my end and it's sometimes tricky to extract just the right
changes for each patch. If anything seems fishy just let me know and
I'll take another look. Thanks.

Words by Mike Abbott [Wed, Dec 17, 2008 at 09:35:16AM -0600]:
> Here are a few more patches. Still keeping it easy for now. Again the basis for these patches is dovecot-1.1.7.
> [...]
> Patch #8. Back off after auth failures to deter abusers. Stalls 5
> seconds per failed attempt.

Can you make #8 configurable? We already have a sleep on auth failure on the module that does the auth (checkpassword) with some extra checks (for instance does not sleep on authentications coming from our webmail servers because they already do that) so we may not want that enabled.
-- Jose Celestino | http://japc.uncovering.org/files/japc-pgpkey.asc
"One man’s theology is another man’s belly laugh." -- Robert A. Heinlein

On Dec 17, 2008, at 5:47 PM, Jose Celestino wrote:
> Words by Mike Abbott [Wed, Dec 17, 2008 at 09:35:16AM -0600]:
>> Here are a few more patches. Still keeping it easy for now. Again
>> the basis for these patches is dovecot-1.1.7.
>> [...]
>> Patch #8. Back off after auth failures to deter abusers. Stalls 5 seconds per failed attempt.
>
> Can you make #8 configurable? We already have a sleep on auth
> failure on the module that does the auth (checkpassword) with some extra checks (for instance does not sleep on authentications coming from our webmail servers because they already do that) so we may not want that enabled.

dovecot-auth already does internally a 0-2 second failure delay
(flushes failures every 2 seconds). Hmm. Wonder if the increased
waiting could be done by dovecot-auth instead. There you can already
disable the internal wait by returning a "nodelay" field from
checkpassword (maybe you do already?)

On Wed, Dec 17, 2008 at 09:35:16AM -0600, Mike Abbott wrote:
> Here are a few more patches. Still keeping it easy for now. Again the basis for these patches is dovecot-1.1.7.
> Patch #6. Solve a cross-compilation endianness issue. Currently, Dovecot assumes that the endianness of the build system is the same as the endianness of the runtime system. This is not necessarily true. We ran into this while compiling for i386 on a ppc machine. The patch switches to using gcc's __BIG_ENDIAN__ macro; see the comment in the patch to configure.in. It also removes the related and unused MAIL_INDEX_COMPAT_FLAGS parameter. This patch may be applicable to other build environments with a little tweaking.
diff -ur dovecot-1.1.7/src/lib/sha1.c dovecot-patch/src/lib/sha1.c --- dovecot-1.1.7/src/lib/sha1.c 2008-10-26 10:03:45.000000000 -0500 +++ dovecot-patch/src/lib/sha1.c 2008-12-16 20:35:37.000000000 -0600 @@ -80,7 +80,7 @@ size_t t, s; uint32_t tmp;
-#ifndef WORDS_BIGENDIAN +#if !WORDS_BIGENDIAN
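Review bot: the new `#if !WORDS_BIGENDIAN` test in sha1.c is only safe if WORDS_BIGENDIAN is defined to a numeric 0 or 1 in every file that reaches this line. If the macro is undefined in some translation unit, the preprocessor evaluates it as 0 and silently builds the little-endian path; if it is defined with no value, the directive no longer parses. In a hash implementation a wrong branch gives wrong digests instead of a build failure. Suggest placing a guard next to the definition, for example `#ifndef WORDS_BIGENDIAN` followed by an `#error`, and a short comment stating that the macro is now tested by value rather than by existence.
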
Is this change (and similar ones below) really necessary?

On Wed, 2008-12-17 at 09:35 -0600, Mike Abbott wrote:
> Here are a few more patches. Still keeping it easy for now. Again
> the basis for these patches is dovecot-1.1.7.
>
> Patch #6. Solve a cross-compilation endianness issue. Currently,
> Dovecot assumes that the endianness of the build system is the same as
> the endianness of the runtime system. This is not necessarily true.
> We ran into this while compiling for i386 on a ppc machine. The patch
> switches to using gcc's __BIG_ENDIAN__ macro; see the comment in the
> patch to configure.in. It also removes the related and unused
> MAIL_INDEX_COMPAT_FLAGS parameter. This patch may be applicable to
> other build environments with a little tweaking.

http://hg.dovecot.org/dovecot-1.1/rev/fdcb5fc6f2d9

> Patch #7. Replace all occurrences of "hash_create" and "hash_destroy"
> with "hash_table_create" and "hash_table_destroy" respectively. The
> symbols hash_create and hash_destroy conflict with symbols defined in
> <strhash.h> and libc. This showed up when loading dovecot's quota
> plugin (one of our future patches will add a hash table to it; stay
> tuned). The wrong hash_create was called which caused a crash at the
> first hash_insert. Apparently this is only a problem in loaded
> dynamic libraries and not linked-in ones.

If you start renaming API functions, rename all of them for consistency. :) Probably will stay v1.2-only.
http://hg.dovecot.org/dovecot-1.2/rev/f9166a09423a

> Patch #8. Back off after auth failures to deter abusers. Stalls 5
> seconds per failed attempt.

http://hg.dovecot.org/dovecot-1.2/rev/1b744c38bcac
http://hg.dovecot.org/dovecot-1.2/rev/164569761647

Your code disabled idle timeout entirely while waiting for the auth failure reply. This doesn't seem such a good idea to me. Rather it sounds like an easy way to DoS the server. Just connect, send about 100 failing LOGIN commands and then do nothing for the next 7 hours (besides what's necessary to keep the TCP connection alive). Repeat with some thousands of clients.

> If you start renaming API functions, rename all of them for
> consistency. :)

Agreed, but when changing code on a branch, minimizing code deltas
makes merging easier.

> Your code disabled idle timeout entirely

Yeah, probably not a good idea. If I had realized that I probably
would have just dropped the connection after N failed auth attempts,
and chosen N for when it matched the idle timeout. Your solution of
clamping the backoff to just under the idle timeout is fine too.

PS -- Today is busy so I'll try to submit the next patches Monday or
Tuesday.

Following up.

You checked in a slightly different version of patch 6 and released it
with 1.1.8. We will test your solution for this and adopt it if it
works.

We will update our code to honor both the idle timeout and the auth
failure delay, to avoid the DoS situation you described, since you
checked this into 1.2 not 1.1.

Thanks!
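
The clamping discussed in this thread, as an added example that is not part of any message or of Dovecot's code: the failure delay grows by 5 seconds per failed attempt but stays just under the idle timeout, and the idle timer keeps running while a failure reply is delayed. All names and the 60-second idle timeout are assumptions made for the example.

```c
#include <stdio.h>
/* Hypothetical names and constructed values; not Dovecot's code. */
#define AUTH_FAIL_STEP_SECS 5   /* from the thread: 5 s per failed attempt */
#define IDLE_TIMEOUT_SECS   60  /* assumed idle timeout for this example */
enum conn_action { CONN_WAIT, CONN_SEND_FAILURE, CONN_DISCONNECT_IDLE };

struct login_conn {
    unsigned int failed_attempts; /* failures so far, including the pending one */
    long last_input;              /* time of the client's last command */
    long fail_started;            /* when the pending failure began, -1 if none */
};

/* Linear backoff, clamped to just under the idle timeout. */
static unsigned int auth_backoff_secs(unsigned int failed_attempts)
{
    unsigned int max = IDLE_TIMEOUT_SECS - 1;
    if (failed_attempts > max / AUTH_FAIL_STEP_SECS)
        return max;             /* also avoids overflow in the multiply */
    return failed_attempts * AUTH_FAIL_STEP_SECS;
}

/* Idle timer runs from last_input; a delayed reply never suspends it. */
static enum conn_action conn_poll(const struct login_conn *c, long now)
{
    if (c->fail_started >= 0)
        return now - c->fail_started >= (long)auth_backoff_secs(c->failed_attempts)
            ? CONN_SEND_FAILURE : CONN_WAIT;
    return now - c->last_input >= IDLE_TIMEOUT_SECS
        ? CONN_DISCONNECT_IDLE : CONN_WAIT;
}

/* Nth failing login at t=0, then silence; returns when the server drops it. */
static long silent_client_lifetime(unsigned int failures)
{
    struct login_conn c = { failures, 0, 0 };
    for (long now = 0; ; now++) {
        enum conn_action a = conn_poll(&c, now);
        if (a == CONN_SEND_FAILURE)
            c.fail_started = -1;    /* reply sent, idle clock keeps running */
        else if (a == CONN_DISCONNECT_IDLE)
            return now;
    }
}

int main(void)
{
    printf("dropped at %lds\n", silent_client_lifetime(100));
    return 0;
}
```

However many failed attempts precede the silence, the connection is dropped at the idle timeout, which is the property the DoS scenario in the thread depends on being absent.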

participants (4)
- Andrey Panin
- Jose Celestino
- Mike Abbott
- Timo Sirainen