On Wed, Apr 25, 2001 at 03:36:28PM +0200, Karsten W. Rohrbach wrote:
> oh yes it is in control of at least the process it calls directly
> (qmail-popup) which terminates nonzero on auth error

Yeah, it exits nonzero at auth error and it exits nonzero in any other
case.
See my post (to qmail list) some days ago. qmail-popup ALWAYS exits with
   _exit(1);

> tcpserver lacks the feature of connection rate limiting which exactly
> would be the application in our case. i also thought about defining a
> scheme like openssh does (max simultaneous connections, "soft"
> threshold for sessions, percentage of connections to drop) combined with
> some advanced tarpitting per ip address (like "accept n connections per
> minute from each ip address and back off with delay d and increase that
> delay each connection attempt, and perhaps multiply it with the
> exitcode of the process called).
> does this make sense?

That's what I'd like to accomplish with the server/client framework
I wrote about. IMHO on a well administered system this is not error
prone - at least not more than having an LDAP or MySQL server for
authentication. The benefit however is that it can also be used in
clustered environments and you won't need code changes to djb software.

Putting all the load on tcpserver itself is IMHO a bad idea:
- it would need massive code changes in tcpserver
- it would slow down tcpserver itself
- depending on implementation tcpserver would need a lot more memory
- you'd have to have different versions of tcpserver (with/without rating)
- on new versions of tcpserver you'd have to port/make patches again
- lack of clustering support (POP-Toasters, SMTP-arrays)

If the client really could not connect to the server you can have a failsafe
method for this that either accepts like for "ok" or denies like for "fail".

DJB's strategy is always to have small, highly specialised programs for
special tasks. I like this idea, it's in the spirit of Unix and I think
one should stick to it.

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
Stress is when you wake up screaming and you realize you haven't fallen
asleep yet.
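
The per-IP scheme discussed in this message (n connections per minute, then a delay d that grows with each further attempt, plus the "ok"/"fail" failsafe when the rating server is unreachable), sketched as an added example that is not code from either poster or from tcpserver/qmail. The names RateServer and client_verdict, the doubling of the delay and the max_delay cap are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class RateServer:
    """Per-IP rating: n connections per window, then an escalating delay."""

    def __init__(self, n=5, window=60.0, d=1.0, max_delay=30.0):
        self.n, self.window, self.d, self.max_delay = n, window, d, max_delay
        self.attempts = defaultdict(deque)  # ip -> timestamps inside the window

    def check(self, ip, now=None):
        """Record one attempt; return seconds to tarpit it (0.0 = no delay)."""
        now = time.monotonic() if now is None else now
        q = self.attempts[ip]
        while q and now - q[0] >= self.window:  # expire old attempts
            q.popleft()
        q.append(now)
        excess = len(q) - self.n
        if excess <= 0:
            return 0.0
        # Assumption: delay d for the first excess attempt, doubling after
        # that, capped so one address cannot pin a slot indefinitely.
        return min(self.d * 2 ** (excess - 1), self.max_delay)


def client_verdict(query, ip, failsafe="ok"):
    """Decision made by the small client run before the real service.

    query is any callable that asks the rating server for a delay. If the
    server cannot be reached, the configured failsafe decides:
    "ok" accepts without delay, anything else denies.
    """
    try:
        delay = query(ip)
    except OSError:  # connection refused, timeout, ...
        return ("accept", 0.0) if failsafe == "ok" else ("deny", 0.0)
    return ("accept", delay)
```

In a real deployment the client would take the address from the environment tcpserver provides to the program it runs and sleep for the returned delay before starting the service.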
