Arne Nordmark
2011-Mar-12 12:26 UTC
[Dovecot] SASL abort causes 5s delay, triggered by UW libc-client
Since upgrading to Debian squeeze, the web mail system (Imp4/Horde3) suffers delays every time a new IMAP connection is needed. Tracing the authentication conversation, we find:

08:45:55.270609: 00000000 AUTHENTICATE GSSAPI
08:45:55.271277: +
08:45:55.271761: *
08:45:55.271782: 00000000 BAD Authentication aborted by client.
08:45:55.271815: 00000001 AUTHENTICATE PLAIN
08:46:00.271008: +

and the PLAIN login succeeds. Imp4 is using php5-imap which is using libc-client, and the delays make the interface so slow as to be hardly usable.

For reasons best known to its authors, libc-client first initiates GSSAPI authentication, then checks if there is a Kerberos ticket it can use (there is none), then realizes its mistake and aborts SASL, and tries PLAIN. At this point dovecot delays for 5000ms.

While not defending libc-client's odd behaviour of not checking for tickets first, it has probably done so for a long time, and dovecot from Debian lenny does not delay at this point.

I am lost as to how to get around this without changing the code. The "nodelay" parameter can not be used with PAM passdb, according to the documentation.

I would be inclined to always call client_auth_failed with nodelay=TRUE in the SASL_SERVER_REPLY_AUTH_ABORTED case.
Arne Nordmark

Config:

# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0 ext3
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap
listen: *, [::]
ssl_ca_file: /etc/ssl/certs/mechca_cert.pem
ssl_cert_file: /etc/ssl/certs/ano4/ano4_crt.pem
ssl_key_file: /etc/ssl/certs/ano4/ano4_key.pem
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:/var/mail/maildir/%u
mbox_write_locks: fcntl dotlock
lda:
  postmaster_address: postmaster at ano.mech.kth.se
  mail_plugins: sieve
auth default:
  mechanisms: plain gssapi
  failure_delay: 0
  debug: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: root
plugin:
  sieve: ~/.dovecot.sieve
  sieve_dir: ~/sieve
Timo Sirainen
2011-Mar-12 14:07 UTC
[Dovecot] SASL abort causes 5s delay, triggered by UW libc-client
On Sat, 2011-03-12 at 13:26 +0100, Arne Nordmark wrote:
> For reasons best known to its authors, libc-client first initiates
> GSSAPI authentication, then checks if there is a Kerberos ticket it can
> use (there is none), then realizes its mistake and aborts SASL, and
> tries PLAIN. At this point dovecot delays for 5000ms.

Yeah, it's a bug. v2.0 doesn't have this problem.

> I am lost as to how to get around this without changing the code.

You can't.

> I would be inclined to always call client_auth_failed with
> nodelay=TRUE in the SASL_SERVER_REPLY_AUTH_ABORTED case.

Done: http://hg.dovecot.org/dovecot-1.2/rev/e7721f67688a
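
Added example, not part of the original thread and not Dovecot code: a small Python check that reads a timestamped IMAP trace in the format posted above and reports any AUTHENTICATE whose first server response is slow right after a client-aborted SASL exchange. The function names and the 1-second threshold are assumptions made for this example; the trace is copied from the first message.

```python
from datetime import datetime, timedelta

# Trace lines as posted in the thread: "HH:MM:SS.ffffff: <IMAP line>".
TRACE = """\
08:45:55.270609: 00000000 AUTHENTICATE GSSAPI
08:45:55.271277: +
08:45:55.271761: *
08:45:55.271782: 00000000 BAD Authentication aborted by client.
08:45:55.271815: 00000001 AUTHENTICATE PLAIN
08:46:00.271008: +
"""

def parse(trace):
    """Yield (timestamp, imap_line) pairs; direction is not in the trace."""
    for raw in trace.splitlines():
        if raw.strip():
            stamp, _, text = raw.partition(": ")
            yield datetime.strptime(stamp, "%H:%M:%S.%f"), text.strip()

def delays_after_abort(trace, threshold=timedelta(seconds=1)):
    """Return [(tag, mechanism, seconds)] for each AUTHENTICATE that follows a
    client-cancelled SASL exchange and waits >= threshold for the first reply."""
    findings = []
    aborted = False   # a lone "*" (client cancel, RFC 3501 6.2.2) was seen
    waiting = None    # (time, tag, mechanism, after_abort) awaiting first reply
    for ts, text in parse(trace):
        words = text.split()
        if waiting is not None:
            start, tag, mech, after_abort = waiting
            delay = ts - start
            if delay < timedelta(0):          # trace crossed midnight
                delay += timedelta(days=1)
            if after_abort and delay >= threshold:
                findings.append((tag, mech, round(delay.total_seconds(), 3)))
            waiting = None
        elif text == "*":
            aborted = True
        elif len(words) >= 3 and words[1].upper() == "AUTHENTICATE":
            waiting = (ts, words[0], words[2].upper(), aborted)
            aborted = False
    return findings

if __name__ == "__main__":
    for tag, mech, secs in delays_after_abort(TRACE):
        print(f"{tag} AUTHENTICATE {mech}: {secs}s wait after aborted SASL")
```

Run against a trace captured after applying the fix, the function should return an empty list for the same GSSAPI-then-PLAIN sequence.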