[Dovecot] ldap idle connection timeout in DoveCot 1.0.13?

Aliet Santiesteban Sifontes alietsantiesteban at gmail.com
Thu Apr 12 02:03:04 EEST 2012


I had this problem running Dovecot 2.x where the LDAP servers are located in
another firewall zone; we use a Juniper SSG550. The problem was that the
firewall was dropping the idle LDAP connections, so client authentication
failed in Dovecot for a while until it reconnected after a time.
Dovecot/OpenLDAP-Server never knows that the firewall has dropped the
connection, because by default the firewall doesn't send a TCP-Reset to the
client and the server. In Juniper/Netscreen you can do a workaround to speed
up the process by configuring the zone to send a reset back to the client
and the server. Check that you have this on the firewall:

set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always

Edit your zone and enable the "If TCP non SYN, send RESET back" checkbox.

This fixed the delay for us; it would be a nice feature on the Dovecot side...
Best regards



On 11 April 2012 at 11:36, Timo Sirainen <tss at iki.fi> wrote:

> On 11.4.2012, at 17.49, Zhou, Yan wrote:
>
> > We are using DoveCot 1.0.13, it connects to LDAP server for
> > authentication. It seems that DoveCot keeps the idle LDAP connection open.
>
> Yes.
>
> > Our firewall is terminating these connections after some time of idle
> > activity (2 hours), then, we run into authentication problem. If we restart
> > either LDAP or DoveCot, then it is fine.
> >
> > Can we set some kind of LDAP idle connection timeout in DoveCot?
> > /etc/dovecot-ldap.conf.  I do not see any configuration available for
> > 1.0.13.
>
> No. But if you upgrade to a newer Dovecot (v2.x probably) this is solved
> by automatic transparent reconnection.
>
>
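Added example, not from the list post or from Dovecot: the thread describes a firewall silently expiring idle LDAP flows (2 hours in the original question) without sending a TCP reset, so neither end notices until the next use fails. A client-side mitigation that is independent of the firewall or Dovecot version is TCP keepalive, which both keeps the flow active in the firewall's state table and makes the kernel report a dead peer so the application can reconnect. The code below configures keepalive on a Linux/macOS socket and works out whether a given setting beats the firewall timeout; the 600 s / 60 s / 5 probe values and the function names are this example's own choices.

```python
import socket

# Idle timeout of the firewall as reported in the thread (2 hours), in seconds.
FIREWALL_IDLE_TIMEOUT = 2 * 60 * 60


def enable_tcp_keepalive(sock, idle=600, interval=60, count=5):
    """Enable TCP keepalive probes on an existing stream socket.

    idle     -- seconds of silence before the first probe is sent
    interval -- seconds between unanswered probes
    count    -- unanswered probes before the kernel declares the peer dead
    Returns the values read back with getsockopt, so a caller can verify
    what the kernel actually accepted rather than trust the request.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}

    # The idle knob is spelled differently per platform; set whichever exists.
    if hasattr(socket, "TCP_KEEPIDLE"):            # Linux
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        applied["idle"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE)
    elif hasattr(socket, "TCP_KEEPALIVE"):         # macOS
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, idle)
        applied["idle"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        applied["interval"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
        applied["count"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)
    return applied


def keeps_firewall_state_alive(idle, firewall_timeout=FIREWALL_IDLE_TIMEOUT):
    """True if the first probe goes out before the firewall expires the flow.

    Probes are only useful against an idle-timeout if they are sent while the
    flow is still in the firewall's table, so `idle` must be strictly shorter.
    """
    return idle < firewall_timeout


def worst_case_detection_seconds(idle, interval, count):
    """Longest time a silently dropped connection can go unnoticed.

    After `idle` seconds of silence the kernel sends `count` probes `interval`
    seconds apart; if none is answered the next read/write fails with
    ETIMEDOUT, which is the signal a client needs in order to reconnect.
    """
    return idle + interval * count


def demo(idle=600, interval=60, count=5):
    """Apply the settings to a throwaway socket and report what took effect."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        applied = enable_tcp_keepalive(sock, idle, interval, count)
    finally:
        sock.close()
    applied["beats_firewall"] = keeps_firewall_state_alive(idle)
    applied["detect_within_s"] = worst_case_detection_seconds(idle, interval, count)
    return applied


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same arithmetic applies when reviewing someone else's settings: a keepalive idle of 7200 s against a 7200 s firewall timeout is a race the client loses, which `keeps_firewall_state_alive` flags as False.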

