dovecot config for 1500 simultaneous connection

KT Walrus kevin at my.walr.us
Tue Feb 14 23:02:22 UTC 2017


> On Feb 14, 2017, at 5:50 PM, Joseph Tam <jtam.home at gmail.com> wrote:
> 
> Another related security situation I've encountered is when a fraudster
> has phished a user's password.  A user/admin changes the password,
> but forgets to invalidate dovecot's cached entry, allowing the fraudster
> continuing access to the mail account until the TTL expires or user logs
> in with new credentials.  I've been burnt by this one.

I’m no expert, but should the code that updates the password hash in the 
database also immediately try to log into dovecot for the user with a fake 
password?

Authentication should fail but the cache would be updated?

Or, doesn’t Dovecot expire the cached entry on failed authentication?
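One way to make the cache flush an inseparable part of the password change, as an added example that is not from this thread or from Dovecot itself: it assumes Dovecot 2.x with the `doveadm auth cache flush` command, and `UPDATE_CMD` is a hypothetical placeholder for the site's own command that writes the new hash.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): wrap a password change so that
# Dovecot's auth cache entry for the user is flushed right after the hash is updated.
# Assumes Dovecot 2.x with the doveadm CLI; DOVEADM may be overridden for testing.
DOVEADM="${DOVEADM:-doveadm}"

# Flush the cached passdb/userdb entry for one user. Returns doveadm's exit status.
flush_auth_cache() {
    user="$1"
    # Reject empty or unexpected usernames before they reach doveadm.
    case "$user" in
        ''|*[!A-Za-z0-9._@+-]*)
            echo "flush_auth_cache: refusing unexpected username '$user'" >&2
            return 2 ;;
    esac
    "$DOVEADM" auth cache flush "$user"
}

# change_password USER UPDATE_CMD...
# UPDATE_CMD is the site's own command that writes the new hash (hypothetical
# placeholder, e.g. a psql/mysql UPDATE). The flush only runs once the update
# succeeded, and a failed flush is reported as a failure of the whole rotation,
# so a stale cache entry cannot be silently left behind.
change_password() {
    user="$1"; shift
    "$@" || { echo "change_password: backend update failed for $user" >&2; return 1; }
    flush_auth_cache "$user" || {
        echo "change_password: hash updated but auth cache NOT flushed for $user" >&2
        return 1
    }
}
```

Note that a flush only removes the cached credentials; sessions already authenticated stay open until the IMAP/POP3 process ends, so `doveadm kick` is the separate step for those.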


More information about the dovecot mailing list