make delay after failed login configurable

2011-01-11 Thread Felix Schumacher

Hi,

I would like to have the pause after a failed login configurable. There 
are a few sleep(3) in the codebase (2.2 - 2.4) which I would like to 
replace with a configurable timeout.


The reasoning for this is twofold.

 1. Our password-backend (eDirectory with pam_ldap) can be configured 
to pause and throttle login attempts, so there is no need for imapd to 
do it.
 2. We want to use cyrus imapd with cas in a single sign on 
environment. We are using horde with an imap-proxy as a frontend to our 
imap server. We have a bug in the login process, which will do about 
three failing logins with the imap server. Since the pause in imapd is 
not configurable, this leads to nine seconds delay, which is not really 
nice.


The attached patch (for imapd-2.2.12) makes the pause configurable 
while maintaining the three seconds delay as default. I only changed the 
sleep(3) calls in imapd.c and proxyd.c as we are not using pop3 and 
lmtp is not used directly through horde.


Should I create a bugzilla entry for this feature request?

Bye
 Felix

diff -ur cyrus-imapd-2.2.12-orig/imap/imapd.c cyrus-imapd-2.2.12/imap/imapd.c
--- cyrus-imapd-2.2.12-orig/imap/imapd.c2011-01-05 12:28:15.0 
+0100
+++ cyrus-imapd-2.2.12/imap/imapd.c 2011-01-06 09:44:58.0 +0100
@@ -1705,6 +1705,7 @@
 char *passwd;
 const char *reply = NULL;
 int plaintextloginpause;
+int failedloginpause;
 int r;
 
 if (imapd_userid) {
@@ -1776,7 +1777,10 @@
syslog(LOG_NOTICE, badlogin: %s plaintext %s %s,
   imapd_clienthost, canon_user, sasl_errdetail(imapd_saslconn));
 
-   sleep(3);
+   failedloginpause = config_getint(IMAPOPT_FAILEDLOGINPAUSE);
+if (failedloginpause != 0) {
+   sleep(failedloginpause);
+   }
 
if ((reply = sasl_errstring(r, NULL, NULL)) != NULL) {
prot_printf(imapd_out, %s NO Login failed: %s\r\n, tag, reply);
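
Review bot: The test failedloginpause != 0 in front of sleep(failedloginpause) lets a negative setting through. The variable is a signed int and sleep() takes an unsigned int, so a configured value such as -1 converts to a very large number of seconds and the process handling the failed login effectively never answers. Suggest testing failedloginpause > 0, or clamping the value when it is read. The added lines also mix space and tab indentation; match the tabs of the surrounding code.
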
@@ -1866,6 +1870,8 @@
 
 int r;
 
+int failedloginpause;
+
 r = saslserver(imapd_saslconn, authtype, resp, , + , ,
   imapd_in, imapd_out, sasl_result, NULL);
 
@@ -1894,7 +1900,11 @@
snmp_increment_args(AUTHENTICATION_NO, 1,
VARIABLE_AUTH, 0, /* hash_simple(authtype) */ 
VARIABLE_LISTEND);
-   sleep(3);
+
+   failedloginpause = config_getint(IMAPOPT_FAILEDLOGINPAUSE);
+if (failedloginpause != 0) {
+   sleep(failedloginpause);
+   }
 
if (errorstring) {
prot_printf(imapd_out, %s NO %s\r\n, tag, errorstring);
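
Review bot: The read-option-then-sleep sequence added after snmp_increment_args(...) duplicates the one in the plaintext login path of this file, and proxyd.c repeats it twice more. Suggest a small shared helper (hypothetical name: failed_login_pause()) that reads IMAPOPT_FAILEDLOGINPAUSE, validates it and sleeps, called from each failure path. That keeps the four sites from drifting apart and gives pop3d and lmtpd, which the cover message says are not touched here, a single call to adopt.
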
diff -ur cyrus-imapd-2.2.12-orig/imap/proxyd.c cyrus-imapd-2.2.12/imap/proxyd.c
--- cyrus-imapd-2.2.12-orig/imap/proxyd.c   2011-01-05 12:28:15.0 
+0100
+++ cyrus-imapd-2.2.12/imap/proxyd.c2011-01-06 09:45:13.0 +0100
@@ -2163,6 +2163,7 @@
 char *passwd;
 char *reply = 0;
 int plaintextloginpause;
+int failedloginpause;
 int r;
 
 if (proxyd_userid) {
@@ -2242,8 +2243,12 @@
   proxyd_clienthost, canon_user, reply);
}
/* Apply penalty only if not under layer */
-   if (proxyd_starttls_done == 0)
-   sleep(3);
+   if (proxyd_starttls_done == 0) {
+   failedloginpause = config_getint(IMAPOPT_FAILEDLOGINPAUSE);
+   if (failedloginpause != 0) {
+   sleep(failedloginpause);
+   }
+   }
if (errorstring) {
prot_printf(proxyd_out, %s NO Login failed: %s\r\n, 
tag, errorstring);
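
Review bot: In this path the pause stays inside if (proxyd_starttls_done == 0), so once TLS is active a failed plaintext login is never delayed, whatever failedloginpause is set to, while the matching path in imapd.c pauses unconditionally. The condition predates the patch, but with a documented option an administrator will expect the same effect in both daemons. Suggest either dropping the condition or stating the exception in the option's description in lib/imapoptions.
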
@@ -2308,6 +2313,7 @@
 char *ssfmsg=NULL;
 
 int r;
+int failedloginpause;
 
 r = saslserver(proxyd_saslconn, authtype, resp, , + , ,
   proxyd_in, proxyd_out, sasl_result, NULL);
@@ -2337,7 +2343,10 @@
snmp_increment_args(AUTHENTICATION_NO, 1,
VARIABLE_AUTH, 0, /* hash_simple(authtype) */ 
VARIABLE_LISTEND);
-   sleep(3);
+   failedloginpause = config_getint(IMAPOPT_FAILEDLOGINPAUSE);
+   if (failedloginpause != 0) {
+   sleep(failedloginpause);
+   }
 
if (errorstring) {
prot_printf(proxyd_out, %s NO %s\r\n, tag, errorstring);
diff -ur cyrus-imapd-2.2.12-orig/lib/imapoptions 
cyrus-imapd-2.2.12/lib/imapoptions
--- cyrus-imapd-2.2.12-orig/lib/imapoptions 2011-01-05 12:28:15.0 
+0100
+++ cyrus-imapd-2.2.12/lib/imapoptions  2011-01-06 09:44:00.0 +0100
@@ -202,6 +202,9 @@
as having already been delivered to the mailbox.  Records the mailbox
and message-id/resent-message-id of all successful deliveries. */
 
+{ failedloginpause, 3, INT }
+/* Number of seconds to pause after a failed login. */
+
 { foolstupidclients, 0, SWITCH }
 /* If enabled, only list the personal namespace when a LIST * is performed.
(it changes the request to a LIST INBOX* */
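
Review bot: The description added for failedloginpause does not say that 0 disables the pause, which is what the != 0 checks in imapd.c and proxyd.c implement, or that only those two daemons read the option in this patch. Suggest spelling out both, and noting that with 0 the server no longer slows repeated password guesses on a connection, so throttling then has to come from the authentication backend.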


Re: make delay after failed login configurable

2011-01-11 Thread Bron Gondwana
On Tue, Jan 11, 2011 at 09:23:45AM +0100, Felix Schumacher wrote:
> Hi,
>
> I would like to have the pause after a failed login configurable.
> There are a few sleep(3) in the codebase (2.2 - 2.4) which I would
> like to replace with a configurable timeout.

Excellent - that's a great idea.

> Should I create a bugzilla entry for this feature request?

Yes please.  I'll definitely be fixing up pop3d and lmtpd to match
as well, because half-implemented features are a real pain for the
next poor sucker who spends a while wondering why they only did some
of the daemons, and then doing the wrong thing because they're trying
to retain the existing broken behaviour!

Bron.

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/


Re: imapd and pop3d processes accumulate when clients disappear

2011-01-11 Thread Gary Mills
On Mon, Jan 10, 2011 at 11:39:31PM +0100, Sebastian Hagedorn wrote:
> That was fixed quite a while ago ... we had the same problem, so I
> worked with one of the developers to debug and fix it.

Thanks for the information.  So, a Cyrus or SASL upgrade some time
in the future should fix this problem.  I'm pleased that I won't need
to carry my local fix forward to a new version.

-- 
-Gary Mills--Unix Group--Computer and Network Services-



Re: imapd and pop3d processes accumulate when clients disappear

2011-01-11 Thread Sebastian Hagedorn
--On 11. Januar 2011 07:26:38 -0600 Gary Mills mi...@cc.umanitoba.ca wrote:

> On Mon, Jan 10, 2011 at 11:39:31PM +0100, Sebastian Hagedorn wrote:
>
>> That was fixed quite a while ago ... we had the same problem, so I
>> worked with one of the developers to debug and fix it.
>
> Thanks for the information.  So, a Cyrus or SASL upgrade some time
> in the future should fix this problem.  I'm pleased that I won't need
> to carry my local fix forward to a new version.


FWIW, I believe that the official fix works quite differently from yours. 
Yours enables TCP keepalives whereas the official one (introduced in 2.3.9, 
I believe) uses timeouts.
I have no idea if one is superior to the other or what the ramifications 
are. All that matters to me is that it seems to be working :)

--
.:.Sebastian Hagedorn - RZKR-R1 (Gebäude 52), Zimmer 18.:.
.:.Regionales Rechenzentrum (RRZK).:.
.:.Universität zu Köln / Cologne University - ✆ +49-221-478-5587.:.


Truncate a folder

2011-01-11 Thread Adam Tauno Williams
Is there an 'official' means to administratively truncate a folder?
That is - delete all the messages in a folder in one operation.  Versus
deleting and recreating the folder.




Re: Truncate a folder

2011-01-11 Thread Andrew Morgan
On Tue, 11 Jan 2011, Adam Tauno Williams wrote:

> Is there an 'official' means to administratively truncate a folder?
> That is - delete all the messages in a folder in one operation.  Versus
> deleting and recreating the folder.

ipurge maybe?

Andy



2.4.x release still has parameters which were removed

2011-01-11 Thread Simon Matter
Hi,

While doing some work on our RPMs - yes really :) - I wanted to remove the
md5/sha1 stuff from the package because it is mentioned in the changelog
as

- make_sha1 and make_md5 are removed (replaced by GUID and reconstruct
changes)

What I'm wondering is why those parameters have been left in imapoptions
and therefore are still to be found in the docs and manpages. Is there a
good reason why they are kept there or were they forgotten?

Thanks for any insight,
Simon

