[EXT] Re: The meaning of "tarpit" as used in the auth policy docs?

Wed Jun 15 15:40:36 UTC 2022

I'm sorry. Gmail didn't include the list in the "To" header when I
responded, and
I didn't notice. I fixed it now.

-- 
 hippoman at gmail.com
 Take a hippopotamus to lunch today.

On Tue, Jun 14, 2022 at 2:40 AM Aki Tuomi <aki.tuomi at open-xchange.com>
wrote:

> Hi!
>
> Can you please keep responses on the list? =)
>
> Aki
>
> > On 14/06/2022 03:57 Hippo Man <hippoman at gmail.com> wrote:
> >
> >
> > Thank you very much for explaining what "tarpit" means.
> >
> > So, if I return a huge numeric status value from the "before" check,
> could I
> > make the client wait for hours or even days or weeks before continuing
> > with the authentication?
> >
> > --
> >  hippoman at gmail.com
> >  Take a hippopotamus to lunch today.
> >
> >
> >
> > On Wed, Jun 8, 2022 at 12:50 AM Aki Tuomi <aki.tuomi at open-xchange.com>
> wrote:
> > >
> > >  > On 08/06/2022 05:34 Hippo Man <hippoman at gmail.com> wrote:
> > >  >
> > >  >
> > >  > I'm trying to understand what is meant by "tarpit" in the
> ffollowing quote of the Dovecot auth policy docs for the "before" check ...
> > >  > First query is done before password and user databases are
> consulted. This means that any userdb/passdb attributes are left empty.
> > >  > The command used here is ‘allow’ and will appear on the URL as
> command=allow.
> > >  > status result values:
> > >  > * -1: Reject
> > >  > * 0: Accept
> > >  > * (Any other positive value): Tarpit for this number of seconds.
> > >  > What actually happens if a positive status value is returned here?
> > >  >
> > >  > Does it mean that the client will not receive any response for the
> given number of seconds, but that the given login attempt will still
> continue after that delay? Or does it mean that the client will not receive
> a response for the given number of seconds, and then the login will be
> rejected after that delay?
> > >  >
> > >  > What if the client has connected via pop3 and is sending multple
> "user" and "pass" combinations? If the "before" check returns, for example,
> the integer "5" as the status, does this mean there will be a 5-second
> delay between each login attempt that is being sent to this connection?
> > >  >
> > >  > Ideally, I'd like the following to occur, but I don't know if it is
> possible:
> > >  >
> > >  > * Client connects via pop3 and intends to send a large batch of
> "user"/"pass" commands via this connection.
> > >  >
> > >  > * The first "user"/"pass" command is made to wait for many seconds.
> > >  >
> > >  > * Then, the connection is dropped, so that the subsequent
> "user"/"pass" commands do not even hit the dovecot server.
> > >  >
> > >  > I'm thinking that this is *not* what is meant by "tarpit" in the
> auth policy docs, correct?
> > >  >
> > >  > Thank you for any clarification.
> > >  >
> > >  > --
> > >  > hippoman at gmail.com
> > >  > Take a hippopotamus to lunch today.
> > >
> > >  Hi!
> > >
> > >  When client connects, and sends authentication request dovecot
> performs a policy lookup before any actual authentication. If this policy
> result has positive value, tarpit occurs.
> > >
> > >  This means we simply add a timeout to auth process and leave it
> hanging, while handling other requests, and then perform the actual
> authentication. The authentication is not failed, however.
> > >
> > >  Aki
> > >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20220615/7d8c55f6/attachment.htm>