Re: [Dovecot] SSL/TLS handshake stays forever without timeout
On 15.1.2014, at 0.54, Andreas Schulze wrote:

> On 14.01.2014 20:38, Adrian Zaugg wrote:
>> This is not the test morrison has suggested. Doing his test with telnet
>> and thus not completing the SSL handshake, the connection stays open much
>> longer than 3 minutes. I closed the connection now manually after a
>> little more than 2 hours. This is on Dovecot 2.1.7.
> same here with dovecot-2.2.10

Fixed: http://hg.dovecot.org/dovecot-2.2/rev/41622541a7a3
Re: [Dovecot] SSL/TLS handshake stays forever without timeout
On 14.01.2014 20:38, Adrian Zaugg wrote:
> This is not the test morrison has suggested. Doing his test with telnet
> and thus not completing the SSL handshake, the connection stays open much
> longer than 3 minutes. I closed the connection now manually after a
> little more than 2 hours. This is on Dovecot 2.1.7.

same here with dovecot-2.2.10

$ date; telnet imaphost 143
Di 14. Jan 21:57:59 CET 2014
. starttls
. OK Begin TLS negotiation now.
...

now it's 23:53 and the TCP connection is still established.

in contrast: postfix-2.11

$ date; telnet mx 25; date
Di 14. Jan 23:42:45 CET 2014
...
starttls
220 2.0.0 Ready to start TLS
Connection closed by foreign host.
Di 14. Jan 23:48:10 CET 2014

looks like postfix handles the timeout smarter.

Andreas
Re: [Dovecot] SSL/TLS handshake stays forever without timeout
Hi Pascal

On 14.01.14 20:26, Pascal Volk wrote:
> On 01/14/2014 04:42 PM morrison wrote:
> Please define 'forever'
>
> I just did `time openssl s_client -connect mail.example.com:143
> -starttls imap` (and nothing else):

This is not the test morrison has suggested. Doing his test with telnet
and thus not completing the SSL handshake, the connection stays open much
longer than 3 minutes. I closed the connection now manually after a
little more than 2 hours. This is on Dovecot 2.1.7.

Regards, Adrian.
Re: [Dovecot] SSL/TLS handshake stays forever without timeout
On 14.01.2014 20:26, Pascal Volk wrote:
> Please define 'forever'
>
> I just did `time openssl s_client -connect mail.example.com:143
> -starttls imap` (and nothing else):
>
> CONNECTED(0003)
> depth=0 CN = mail.…
> …
> . OK Pre-login capabilities listed, post-login capabilities have more.
> * BYE Disconnected for inactivity.
> closed
>
> real    3m0.377s
> user    0m0.016s
> sys     0m0.000s
>
> As you can see, Dovecot closed the connection after three minutes

did you read the "This will make our mail server vulnerable to DOS attack"?

3 minutes is *way too long* in case of a DOS attack; if not a single byte of
data is received there is no reason not to close the connection at least
after 30 seconds
Re: [Dovecot] SSL/TLS handshake stays forever without timeout
On 01/14/2014 04:42 PM morrison wrote:
> Hi,
>
> I am a system admin and I am evaluating using dovecot as our email server. In
> my test, I found that if I telnetted to port 993 and did not do anything, or I
> telnetted to port 143, sent the starttls command and then did not do anything,
> the connection stayed forever without timeout. This will make our mail server
> vulnerable to a DoS attack. I dug into the dovecot Wiki and did not find any
> solution. It seems to me that dovecot does not handle the SSL/TLS handshake
> timeout. I am wondering if this is a known issue and will be fixed in the near
> future.
>
> Thanks,
>

Please define 'forever'

I just did `time openssl s_client -connect mail.example.com:143 -starttls imap` (and nothing else):

CONNECTED(0003)
depth=0 CN = mail.…
…
. OK Pre-login capabilities listed, post-login capabilities have more.
* BYE Disconnected for inactivity.
closed

real    3m0.377s
user    0m0.016s
sys     0m0.000s

As you can see, Dovecot closed the connection after three minutes.

Regards,
Pascal
--
The trapper recommends today: fabaceae.1401...@localdomain.org
[Dovecot] SSL/TLS handshake stays forever without timeout
Hi,

I am a system admin and I am evaluating using dovecot as our email server. In
my test, I found that if I telnetted to port 993 and did not do anything, or I
telnetted to port 143, sent the starttls command and then did not do anything,
the connection stayed forever without timeout. This will make our mail server
vulnerable to a DoS attack. I dug into the dovecot Wiki and did not find any
solution. It seems to me that dovecot does not handle the SSL/TLS handshake
timeout. I am wondering if this is a known issue and will be fixed in the near
future.

Thanks,
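The idle-after-STARTTLS probe that morrison's report and Andreas's telnet session describe, as an added example that is not part of the original posts and not Dovecot's own code: measure_idle_close connects, optionally issues STARTTLS, then sends nothing and reports how long the server keeps the socket open, which is the check to run against a server before and after a fix like the one linked above. The two local servers it is run against are constructed stand-ins, one that waits indefinitely for the ClientHello (the behaviour reported for 2.1.7 and 2.2.10) and one that closes the socket after a configurable handshake timeout; neither is Dovecot, and the banner text, 127.0.0.1 ports and 0.5 s timeout are assumptions.

```python
"""Probe whether an IMAP server drops a client that stalls after STARTTLS.

Added example, not Dovecot code. It reproduces the telnet test from the
thread: connect, optionally send STARTTLS, then send nothing and measure how
long the server keeps the socket open. The two local servers below are
constructed stand-ins for the behaviours discussed, not real Dovecot.
"""
import socket
import sys
import threading
import time

IMAP_GREETING = b"* OK IMAP server ready\r\n"        # constructed banner
STARTTLS_OK = b". OK Begin TLS negotiation now.\r\n"  # as quoted in the thread


def measure_idle_close(host, port, starttls=True, max_wait=5.0):
    """Connect, optionally issue STARTTLS, then stay silent.

    Returns the seconds until the server closed the connection, or None if
    the socket was still open after max_wait seconds (morrison's complaint).
    Bytes the server sends before closing (e.g. a BYE line) are ignored.
    """
    with socket.create_connection((host, port), timeout=max_wait) as sock:
        sock.recv(1024)  # server greeting
        if starttls:
            sock.sendall(b". starttls\r\n")
            sock.recv(1024)  # ". OK Begin TLS negotiation now."
        # From here on the server expects a TLS ClientHello that never comes.
        start = time.monotonic()
        deadline = start + max_wait
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None
            sock.settimeout(remaining)
            try:
                chunk = sock.recv(1024)
            except socket.timeout:
                return None
            if chunk == b"":  # EOF: the server gave up on us
                return time.monotonic() - start


def _serve_one(listener, handshake_timeout):
    """Constructed IMAP front end that handles exactly one connection.

    handshake_timeout=None waits forever for the first TLS record, the
    behaviour reported in the thread; a number closes the socket once that
    many seconds pass without any client data, the behaviour of a fix.
    """
    with listener:
        conn, _ = listener.accept()
    with conn:
        conn.sendall(IMAP_GREETING)
        conn.settimeout(handshake_timeout)  # None means block indefinitely
        try:
            line = conn.recv(1024)
            if line.strip().lower().endswith(b"starttls"):
                conn.sendall(STARTTLS_OK)
                conn.recv(1024)  # would be the ClientHello; it never arrives
        except socket.timeout:
            pass  # deadline passed with no data: fall through and close


def start_fake_server(handshake_timeout):
    """Bind a one-shot server on 127.0.0.1 and return its port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve_one, args=(listener, handshake_timeout),
                     daemon=True).start()
    return listener.getsockname()[1]


def compare_behaviours(handshake_timeout=0.5, max_wait=2.0):
    """Probe a never-times-out server and a fixed one; return both results.

    Returns (without_timeout, with_timeout): None for a socket still open
    after max_wait, otherwise the seconds until the server closed it.
    """
    port_without = start_fake_server(None)
    port_with = start_fake_server(handshake_timeout)
    return (measure_idle_close("127.0.0.1", port_without, max_wait=max_wait),
            measure_idle_close("127.0.0.1", port_with, max_wait=max_wait))


if __name__ == "__main__":
    if len(sys.argv) >= 3:  # probe a real host: probe.py imaphost 143 [seconds]
        wait = float(sys.argv[3]) if len(sys.argv) > 3 else 300.0
        result = measure_idle_close(sys.argv[1], int(sys.argv[2]), max_wait=wait)
        print("still open after %.0fs" % wait if result is None
              else "closed after %.1fs" % result)
    else:
        without, with_ = compare_behaviours()
        print("no handshake timeout:", "still open" if without is None
              else "closed after %.2fs" % without)
        print("0.5s handshake timeout:", "still open" if with_ is None
              else "closed after %.2fs" % with_)
```

With no arguments it compares the two constructed servers; with `imaphost 143 300` it runs the same measurement against a real server and waits up to 300 s, and a "still open" result after that wait is exactly the condition reported in the thread. Pass `starttls=False` to measure the port 993 variant (connect and send nothing at all).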