dovecot - Jun 2022 - The meaning of "tarpit" as used in the auth policy docs?

I'm trying to understand what is meant by "tarpit" in the
ffollowing quote
of the Dovecot auth policy docs for the "before" check ...

First query is done *before* password and user databases are consulted.
This means that any userdb/passdb attributes are left empty.

The command used here is ?allow? and will appear on the URL as
command=allow.

status result values:

   -

   -1: Reject
   -

   0: Accept
   -

   (Any other positive value): *Tarpit for this number of seconds.*

What actually happens if a positive status value is returned here?

Does it mean that the client will not receive any response for the given
number of seconds, but that the given login attempt will still continue
after that delay? Or does it mean that the client will not receive a
response for the given number of seconds, and then the login will be
rejected after that delay?

What if the client has connected via pop3 and is sending multple
"user" and
"pass" combinations? If the "before" check returns, for
example, the
integer "5" as the status, does this mean there will be a 5-second
delay
between each login attempt that is being sent to this connection?

Ideally, I'd like the following to occur, but I don't know if it is
possible:

* Client connects via pop3 and intends to send a large batch of
"user"/"pass" commands via this connection.

* The first "user"/"pass" command is made to wait for many
seconds.

* Then, the connection is dropped, so that the subsequent
"user"/"pass"
commands do not even hit the dovecot server.

I'm thinking that this is *not* what is meant by "tarpit" in the
auth
policy docs, correct?

Thank you for any clarification.

-- 
 hippoman at gmail.com
 Take a hippopotamus to lunch today.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20220607/96d2759f/attachment.htm>

> On 08/06/2022 05:34 Hippo Man <hippoman at gmail.com> wrote:
> 
> 
> I'm trying to understand what is meant by "tarpit" in the
ffollowing quote of the Dovecot auth policy docs for the "before"
check ...
> First query is done before password and user databases are consulted. This
means that any userdb/passdb attributes are left empty.
> The command used here is ?allow? and will appear on the URL as
command=allow.
> status result values:
>   * -1: Reject
>   * 0: Accept
>   * (Any other positive value): Tarpit for this number of seconds.
> What actually happens if a positive status value is returned here?
> 
> Does it mean that the client will not receive any response for the given
number of seconds, but that the given login attempt will still continue after
that delay? Or does it mean that the client will not receive a response for the
given number of seconds, and then the login will be rejected after that delay?
> 
> What if the client has connected via pop3 and is sending multple
"user" and "pass" combinations? If the "before"
check returns, for example, the integer "5" as the status, does this
mean there will be a 5-second delay between each login attempt that is being
sent to this connection?
> 
> Ideally, I'd like the following to occur, but I don't know if it is
possible:
> 
> * Client connects via pop3 and intends to send a large batch of
"user"/"pass" commands via this connection.
> 
> * The first "user"/"pass" command is made to wait for
many seconds.
> 
> * Then, the connection is dropped, so that the subsequent
"user"/"pass" commands do not even hit the dovecot server.
> 
> I'm thinking that this is *not* what is meant by "tarpit" in
the auth policy docs, correct?
> 
> Thank you for any clarification.
> 
> -- 
> ?hippoman at gmail.com
> ?Take a hippopotamus to lunch today.
Hi!

When client connects, and sends authentication request dovecot performs a policy
lookup before any actual authentication. If this policy result has positive
value, tarpit occurs.

This means we simply add a timeout to auth process and leave it hanging, while
handling other requests, and then perform the actual authentication. The
authentication is not failed, however.

Aki