dovecot config for 1500 simultaneous connection
Joseph Tam
jtam.home at gmail.com
Tue Feb 14 23:12:15 UTC 2017
On Tue, 14 Feb 2017, KT Walrus wrote:
>> Another related security situation I've encountered is when a fraudster
>> has phished a user's password. A user/admin changes the password,
>> but forgets to invalidate dovecot's cached entry, allowing the fraudster
>> continuing access to the mail account until the TTL expires or user logs
>> in with new credentials. I've been burnt by this one.
>
> I'm no expert, but should the code that updates the password hash in the
> database also immediately try to log into dovecot for the user with a fake
> password?
>
> Authentication should fail but the cache would be updated?
I guess you could write a hook for that, but that's not a scalable
solution if your auth database is used by many different services that
do their own credential caching.
I do this manually, i.e. if I have to invalidate mail system cache, I log
in with wrong credentials.
> Or, doesn't Dovecot expire the cached entry on failed authentication?
Dovecot does have an auth_cache_negative_ttl setting.
I think the best proactive approach is to keep auth_cache_ttl modest
(a few minutes) rather than hours or days.
Joseph Tam <jtam.home at gmail.com>
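One defensive way to close the window discussed above, as an added example that is not part of this thread: a small POSIX shell hook that a password-reset process can call to drop the user's entry from Dovecot's authentication cache with the `doveadm auth cache flush` command, so the old credential stops working immediately instead of after the TTL or after a deliberate failed login. The `DOVEADM` override variable, the `valid_user`/`flush_user_cache` function names and the example username are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): flush Dovecot's auth cache for one
# user right after a password reset. Assumes Dovecot 2.x with doveadm on
# the PATH; DOVEADM exists only so the command can be substituted in tests.
DOVEADM="${DOVEADM:-doveadm}"

# Accept only a conservative username charset so a value taken from a web
# form cannot smuggle extra arguments or shell metacharacters into the call.
valid_user() {
    case "$1" in
        '' ) return 1 ;;
        *[!A-Za-z0-9._@-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# flush_user_cache USER: invalidate the cached credential entry for USER.
# Returns 0 on success, 1 on an invalid username, and doveadm's own exit
# status if the flush itself fails (e.g. auth socket not reachable).
flush_user_cache() {
    user="$1"
    if ! valid_user "$user"; then
        echo "refusing to flush cache for invalid username: '$user'" >&2
        return 1
    fi
    "$DOVEADM" auth cache flush "$user"
}

# Typical use from a password-reset hook (constructed example user):
# flush_user_cache "alice@example.com"
```

Pair this with a modest `auth_cache_ttl`, as suggested above, so that any path that forgets to call the hook still has a short exposure window.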