Hippo Man
2022-Jun-15 15:40 UTC
[EXT] Re: The meaning of "tarpit" as used in the auth policy docs?
I'm sorry. Gmail didn't include the list in the "To" header when I responded, and I didn't notice. I fixed it now. -- hippoman at gmail.com Take a hippopotamus to lunch today. On Tue, Jun 14, 2022 at 2:40 AM Aki Tuomi <aki.tuomi at open-xchange.com> wrote:> Hi! > > Can you please keep responses on the list? =) > > Aki > > > On 14/06/2022 03:57 Hippo Man <hippoman at gmail.com> wrote: > > > > > > Thank you very much for explaining what "tarpit" means. > > > > So, if I return a huge numeric status value from the "before" check, > could I > > make the client wait for hours or even days or weeks before continuing > > with the authentication? > > > > -- > > hippoman at gmail.com > > Take a hippopotamus to lunch today. > > > > > > > > On Wed, Jun 8, 2022 at 12:50 AM Aki Tuomi <aki.tuomi at open-xchange.com> > wrote: > > > > > > > On 08/06/2022 05:34 Hippo Man <hippoman at gmail.com> wrote: > > > > > > > > > > > > I'm trying to understand what is meant by "tarpit" in the > ffollowing quote of the Dovecot auth policy docs for the "before" check ... > > > > First query is done before password and user databases are > consulted. This means that any userdb/passdb attributes are left empty. > > > > The command used here is ?allow? and will appear on the URL as > command=allow. > > > > status result values: > > > > * -1: Reject > > > > * 0: Accept > > > > * (Any other positive value): Tarpit for this number of seconds. > > > > What actually happens if a positive status value is returned here? > > > > > > > > Does it mean that the client will not receive any response for the > given number of seconds, but that the given login attempt will still > continue after that delay? Or does it mean that the client will not receive > a response for the given number of seconds, and then the login will be > rejected after that delay? > > > > > > > > What if the client has connected via pop3 and is sending multple > "user" and "pass" combinations? If the "before" check returns, for example, > the integer "5" as the status, does this mean there will be a 5-second > delay between each login attempt that is being sent to this connection? > > > > > > > > Ideally, I'd like the following to occur, but I don't know if it is > possible: > > > > > > > > * Client connects via pop3 and intends to send a large batch of > "user"/"pass" commands via this connection. > > > > > > > > * The first "user"/"pass" command is made to wait for many seconds. > > > > > > > > * Then, the connection is dropped, so that the subsequent > "user"/"pass" commands do not even hit the dovecot server. > > > > > > > > I'm thinking that this is *not* what is meant by "tarpit" in the > auth policy docs, correct? > > > > > > > > Thank you for any clarification. > > > > > > > > -- > > > > hippoman at gmail.com > > > > Take a hippopotamus to lunch today. > > > > > > Hi! > > > > > > When client connects, and sends authentication request dovecot > performs a policy lookup before any actual authentication. If this policy > result has positive value, tarpit occurs. > > > > > > This means we simply add a timeout to auth process and leave it > hanging, while handling other requests, and then perform the actual > authentication. The authentication is not failed, however. > > > > > > Aki > > > >-------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20220615/7d8c55f6/attachment.htm>