[Dovecot] SSL/TLS handshake stays forever without timeout

Reindl Harald h.reindl at thelounge.net
Tue Jan 14 21:29:31 EET 2014



On 14.01.2014 20:26, Pascal Volk wrote:
> Please define 'forever'
> 
> I just did `time openssl s_client -connect mail.example.com:143
> -starttls imap` (and nothing else):
> 
> CONNECTED(00000003)
> depth=0 CN = mail.…
>> . OK Pre-login capabilities listed, post-login capabilities have more.
> * BYE Disconnected for inactivity.
> closed
> 
> real    3m0.377s
> user    0m0.016s
> sys     0m0.000s
> 
> As you can see, Dovecot closed the connection after three minutes

did you read the "This will make our mail server vulnerable to DOS attack"?
3 minutes is *way too long* in case of a DOS attack

if not a single byte of data is received there is no reason not to close
the connection at least after 30 seconds
