Hi, I am a system admin and I am evaluating using dovecot as our email server. In my test, I found that if I telneted to 993 port and did not do anything or I telneted to 143 port, sent starttls command and then did not do anything, the connection stayed forever without timeout. This will make our mail server vulnerable to DOS attack. I dig into dovecot Wiki and did not find any solution. This seems to me that dovecot does not handle SSL/TLS handshake timeout. I am wondering if this is a known issue and will be fixed in near future. Thanks,
Pascal Volk
2014-Jan-14 19:26 UTC
[Dovecot] SSL/TLS handshake stays forever without timeout
On 01/14/2014 04:42 PM morrison wrote:> Hi, > > I am a system admin and I am evaluating using dovecot as our email server. In my test, I found that if I telneted to 993 port and did not do anything or I telneted to 143 port, sent starttls command and then did not do anything, the connection stayed forever without timeout. This will make our mail server vulnerable to DOS attack. I dig into dovecot Wiki and did not find any solution. This seems to me that dovecot does not handle SSL/TLS handshake timeout. I am wondering if this is a known issue and will be fixed in near future. > > Thanks, >Please define 'forever' I just did `time openssl s_client -connect mail.example.com:143 -starttls imap` (and nothing else): CONNECTED(00000003) depth=0 CN = mail.? ? . OK Pre-login capabilities listed, post-login capabilities have more. * BYE Disconnected for inactivity. closed real 3m0.377s user 0m0.016s sys 0m0.000s As you can see, Dovecot closed the connection after three minutes. Regards, Pascal -- The trapper recommends today: fabaceae.1401420 at localdomain.org