I have to admit that when I first saw this, it was also a bit confusing
as I was equating this with typical packet and session timeouts at the
network level.
What helped me better understand this was the phrase “one byte at a
time” and then reading up on things like Slow Loris that Viktor
included…
Just my .02…
- - -
On 15 Jul 2021, at 12:21, Viktor Dukhovni wrote:
On 15 Jul 2021, at 10:41 am, post...@ptld.com wrote:
"The time limit for sending a Postfix SMTP server response and for
receiving a remote SMTP client request."
The amount of time that smtpd(8) is willing to wait for a network write to write some data when writing a command-response, or for a network read to return some data when reading an SMTP command.
As elaborated under:
http://www.postfix.org/postconf.5.html#smtpd_per_record_deadline
Change the behavior of the smtpd_timeout and smtpd_starttls_timeout time limits, from a time limit per read or write system call, to a time limit to send or receive a complete record (an SMTP command line, SMTP response line, SMTP message content line, or TLS protocol message). This limits the impact from hostile peers that trickle data one byte at a time.
Thus the default timeout is per read or write, rather than the complete requested operation. With the deadline timer the timeout applies to the entire I/O operation, possibly spanning multiple reads or writes.
However, even then it is never the transmission of an entire message
body, rather it would be a logical data fragment, an SMTP command or
response, a body content line, a TLS protocol record, ... which
partly mitigates "Slowloris" attacks,
https://en.wikipedia.org/wiki/Slowloris_(computer_security)
meaningful progress must be made within the deadline timer, just
sending a few characters per 300s is not enough.
--
Viktor.
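The per-read-call versus per-record distinction Viktor describes, as an added simulation that is not Postfix code: a constructed peer trickles one byte of an SMTP command per interval on a fake clock, and the two reader strategies show why only the per-record deadline stops it. The 300 s limit and the one-byte-every-200 s pace are assumed values, not taken from any real configuration.

```python
"""Constructed simulation of smtpd_timeout vs. smtpd_per_record_deadline semantics."""
from collections import deque


class FakeClock:
    """Simulated wall clock so the example runs instantly and deterministically."""
    def __init__(self):
        self.now = 0.0


class TrickleSource:
    """Constructed peer that delivers one byte of `record` every `interval` seconds."""
    def __init__(self, record: bytes, interval: float, clock: FakeClock):
        self.pending = deque(record)
        self.interval = interval
        self.clock = clock

    def read_byte(self, timeout: float) -> bytes:
        """Simulate a blocking read() with a timeout; the next byte lands after `interval`."""
        if not self.pending:
            return b""                       # EOF
        if self.interval > timeout:
            raise TimeoutError("read() timed out")
        self.clock.now += self.interval      # block until the byte arrives
        return bytes([self.pending.popleft()])


def read_record_per_call(src: TrickleSource, timeout: float) -> bytes:
    """Default behaviour: the timeout is re-armed for every read() call."""
    record = b""
    while not record.endswith(b"\n"):
        chunk = src.read_byte(timeout)
        if not chunk:                        # EOF before end of line
            break
        record += chunk
    return record


def read_record_per_deadline(src: TrickleSource, deadline: float) -> bytes:
    """smtpd_per_record_deadline = yes: one deadline covers the whole record."""
    start, record = src.clock.now, b""
    while not record.endswith(b"\n"):
        remaining = deadline - (src.clock.now - start)
        if remaining <= 0:
            raise TimeoutError("record deadline exceeded")
        chunk = src.read_byte(remaining)
        if not chunk:
            break
        record += chunk
    return record


def simulate(reader, record: bytes, interval: float, limit: float):
    """Return ('ok' | 'timeout', elapsed simulated seconds) for one reader strategy."""
    clock = FakeClock()
    try:
        reader(TrickleSource(record, interval, clock), limit)
        return "ok", clock.now
    except TimeoutError:
        return "timeout", clock.now
```

With a 300 s limit, the per-call reader accepts a 19-byte EHLO line trickled at one byte per 200 s (3800 s of held connection), while the per-record reader gives up at the second byte.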