[Dovecot] SSL/TLS handshake stays forever without timeout
Reindl Harald
h.reindl at thelounge.net
Tue Jan 14 21:29:31 EET 2014
On 14.01.2014 20:26, Pascal Volk wrote:
> Please define 'forever'
>
> I just did `time openssl s_client -connect mail.example.com:143
> -starttls imap` (and nothing else):
>
> CONNECTED(00000003)
> depth=0 CN = mail.…
> …
> . OK Pre-login capabilities listed, post-login capabilities have more.
> * BYE Disconnected for inactivity.
> closed
>
> real 3m0.377s
> user 0m0.016s
> sys 0m0.000s
>
> As you can see, Dovecot closed the connection after three minutes
Did you read the "This will make our mail server vulnerable to DOS attack"?
3 minutes is *way too long* in case of a DOS attack.
If not a single byte of data is received, there is no reason not to close
the connection at least after 30 seconds.
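The policy argued for in the message above (a short limit while the client has sent nothing, a longer one once it has), as an added example that is not part of the original thread and is not Dovecot code. The handler, the greeting text and the shortened demo timings are constructed for illustration.

```python
import asyncio
import time

FIRST_BYTE_TIMEOUT = 30.0  # assumed: the 30 seconds proposed in the reply
IDLE_TIMEOUT = 180.0       # the three minutes observed in the quoted test

def make_handler(first_byte=FIRST_BYTE_TIMEOUT, idle=IDLE_TIMEOUT):
    async def handle(reader, writer):
        writer.write(b"* OK ready\r\n")   # constructed greeting
        limit = first_byte                # strict until the client sends anything
        try:
            while True:
                line = await asyncio.wait_for(reader.readline(), limit)
                if not line:              # client closed first
                    break
                limit = idle              # client has spoken: relax the limit
                writer.write(b"* OK noted\r\n")
        except asyncio.TimeoutError:
            writer.write(b"* BYE Disconnected for inactivity.\r\n")
        except ConnectionError:
            pass
        finally:
            writer.close()
    return handle

async def seconds_until_closed(port, say=None):
    """Connect, optionally send one line, then stay silent until EOF."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    start = time.monotonic()
    if say:
        writer.write(say)
    await reader.read()                   # returns when the server closes
    writer.close()
    return time.monotonic() - start

async def demo(first_byte, idle):
    server = await asyncio.start_server(make_handler(first_byte, idle), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        silent = await seconds_until_closed(port)
        talking = await seconds_until_closed(port, b"a1 NOOP\r\n")
    return silent, talking

def run_demo(first_byte=0.2, idle=1.0):
    """Shortened timings so the demonstration finishes in about a second."""
    return asyncio.run(demo(first_byte, idle))

if __name__ == "__main__":
    print("silent: %.2fs, after one command: %.2fs" % run_demo())
```

`seconds_until_closed` does on the local test server what the quoted `time openssl s_client` run did: it measures how long a silent connection is held open.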