[Dovecot] SASL abort causes 5s delay, triggered by UW libc-client
nordmark at mech.kth.se
Sat Mar 12 14:26:16 EET 2011
Since upgrading to Debian squeeze, the web mail system (Imp4/Horde3)
suffers delays every time a new IMAP connection is needed. Tracing the
authentication conversation, we find:
08:45:55.270609: 00000000 AUTHENTICATE GSSAPI
08:45:55.271782: 00000000 BAD Authentication aborted by client.
08:45:55.271815: 00000001 AUTHENTICATE PLAIN
and the PLAIN login succeeds.
Imp4 is using php5-imap which is using libc-client, and the delays make
the interface so slow as to be hardly usable.
For reasons best known to its authors, libc-client first initiates
GSSAPI authentication, then checks if there is a Kerberos ticket it can
use (there is none), then realizes its mistake and aborts SASL, and
tries PLAIN. At this point dovecot delays for 5000ms.
While not defending libc-client's odd behaviour of not checking for
tickets first, it has probably done so for a long time, and dovecot from
Debian lenny does not delay at this point.
I am lost as to how to get around this without changing the code. The
"nodelay" parameter can not be used with PAM passdb, according to the
I would be inclined to always call client_auth_failed with
nodelay=TRUE in the SASL_SERVER_REPLY_AUTH_ABORTED case.
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0 ext3
log_timestamp: %Y-%m-%d %H:%M:%S
listen: *, [::]
mbox_write_locks: fcntl dotlock
postmaster_address: postmaster at ano.mech.kth.se
mechanisms: plain gssapi
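
Added example, not part of the original post and not Dovecot or libc-client code: a small Python parser for traces in the timestamped format quoted above that finds an aborted SASL attempt followed by a second mechanism and measures how long the retry took to complete. The final sample line, the function names and the 1-second threshold are assumptions made for illustration; the trace is assumed not to cross midnight.

```python
import re
from datetime import datetime

# Constructed sample: the first three lines are the trace from the post; the
# last line (completion of the PLAIN attempt) is invented for illustration.
SAMPLE_TRACE = """\
08:45:55.270609: 00000000 AUTHENTICATE GSSAPI
08:45:55.271782: 00000000 BAD Authentication aborted by client.
08:45:55.271815: 00000001 AUTHENTICATE PLAIN
08:46:00.274101: 00000001 OK Logged in.
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{6}): (\S+) (\S+) ?(.*)$")

def parse_attempts(trace):
    """Return one record per AUTHENTICATE command, in order of appearance."""
    attempts = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a tagged trace line in the assumed format
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        tag, word, rest = m.group(2), m.group(3).upper(), m.group(4)
        if word == "AUTHENTICATE" and rest:
            attempts[tag] = {"mech": rest.split()[0].upper(), "start": ts,
                             "status": None, "text": "", "secs": None}
        elif word in ("OK", "NO", "BAD") and tag in attempts:
            a = attempts[tag]
            if a["status"] is None:  # first tagged completion wins
                a.update(status=word, text=rest,
                         secs=(ts - a["start"]).total_seconds())
    return list(attempts.values())

def abort_fallbacks(attempts, slow_after=1.0):
    """Find aborted SASL attempts followed by another mechanism.

    Returns (aborted_mech, retry_mech, retry_seconds, is_slow) tuples.
    """
    found = []
    for prev, nxt in zip(attempts, attempts[1:]):
        aborted = prev["status"] == "BAD" and "aborted" in prev["text"].lower()
        if aborted and nxt["secs"] is not None:
            found.append((prev["mech"], nxt["mech"], nxt["secs"],
                          nxt["secs"] > slow_after))
    return found

if __name__ == "__main__":
    for row in abort_fallbacks(parse_attempts(SAMPLE_TRACE)):
        print("%s aborted, %s completed after %.3fs, slow=%s" % row)
```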