Hi,
I would like to have the pause after a failed login configurable. There
are a few "sleep(3)" calls in the codebase (2.2 - 2.4) which I would like to
replace with a configurable timeout.
The reasoning for this is twofold.
1. Our password-backend (eDirectory with pam_ldap) can be configured
to pause and throttle login attempts, so there is no need for imapd to
do it.
2. We want to use cyrus imapd with cas in a single sign on
environment. We are using horde with an imap-proxy as a frontend to our
imap server. We have a "bug" in the login process, which performs about
three failing logins against the imap server. Since the pause in imapd is
not configurable, this leads to a nine-second delay, which is not really
nice.
The attached patch (for imapd-2.2.12) makes the pause configurable
while keeping the three-second delay as the default. I only changed the
"sleep(3)" calls in imapd.c and proxyd.c as we are not using pop3 and
lmtp is not used directly through horde.
Should I create a bugzilla entry for this feature request?
Bye
Felix
diff -ur cyrus-imapd-2.2.12-orig/imap/imapd.c cyrus-imapd-2.2.12/imap/imapd.c
--- cyrus-imapd-2.2.12-orig/imap/imapd.c 2011-01-05 12:28:15.000000000 +0100
+++ cyrus-imapd-2.2.12/imap/imapd.c 2011-01-06 09:44:58.000000000 +0100
@@ -1705,6 +1705,7 @@
char *passwd;
const char *reply = NULL;
int plaintextloginpause;
+ int failedloginpause;
int r;
if (imapd_userid) {
@@ -1776,7 +1777,10 @@
syslog(LOG_NOTICE, "badlogin: %s plaintext %s %s",
imapd_clienthost, canon_user, sasl_errdetail(imapd_saslconn));
- sleep(3);
+ failedloginpause = config_getint(IMAPOPT_FAILEDLOGINPAUSE);
+ if (failedloginpause != 0) {
+ sleep(failedloginpause);
+ }
if ((reply = sasl_errstring(r, NULL, NULL)) != NULL) {
prot_printf(imapd_out, "%s NO Login failed: %s\r\n", tag, reply);
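Review bot: A negative failedloginpause value is passed straight to `sleep(failedloginpause)` at the new call, and because sleep() takes an unsigned int a negative int converts to a very large delay instead of disabling the pause; the guard should be `if (failedloginpause > 0) {` rather than `!= 0`. The same `!= 0` guard appears in the hunks at `@@ -1894,7 +1900,11 @@`, `@@ -2242,8 +2243,12 @@` and `@@ -2337,7 +2343,10 @@` and should change there too. As far as the page shows this pause is imapd's own per-attempt throttle on repeated failed logins, so setting it to 0 shifts rate limiting entirely onto the backend, which is worth a comment next to the config_getint() call, e.g. `/* 0 disables the brute-force pause; rely on the auth backend to throttle */`. The enclosing login function begins and ends outside the hunk.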
@@ -1866,6 +1870,8 @@
int r;
+ int failedloginpause;
+
r = saslserver(imapd_saslconn, authtype, resp, "", "+ ", "",
imapd_in, imapd_out, &sasl_result, NULL);
@@ -1894,7 +1900,11 @@
snmp_increment_args(AUTHENTICATION_NO, 1,
VARIABLE_AUTH, 0, /* hash_simple(authtype) */
VARIABLE_LISTEND);
- sleep(3);
+
+ failedloginpause = config_getint(IMAPOPT_FAILEDLOGINPAUSE);
+ if (failedloginpause != 0) {
+ sleep(failedloginpause);
+ }
if (errorstring) {
prot_printf(imapd_out, "%s NO %s\r\n", tag, errorstring);
diff -ur cyrus-imapd-2.2.12-orig/imap/proxyd.c cyrus-imapd-2.2.12/imap/proxyd.c
--- cyrus-imapd-2.2.12-orig/imap/proxyd.c 2011-01-05 12:28:15.000000000 +0100
+++ cyrus-imapd-2.2.12/imap/proxyd.c 2011-01-06 09:45:13.000000000 +0100
@@ -2163,6 +2163,7 @@
char *passwd;
char *reply = 0;
int plaintextloginpause;
+ int failedloginpause;
int r;
if (proxyd_userid) {
@@ -2242,8 +2243,12 @@
proxyd_clienthost, canon_user, reply);
}
/* Apply penalty only if not under layer */
- if (proxyd_starttls_done == 0)
- sleep(3);
+ if (proxyd_starttls_done == 0) {
+ failedloginpause = config_getint(IMAPOPT_FAILEDLOGINPAUSE);
+ if (failedloginpause != 0) {
+ sleep(failedloginpause);
+ }
+ }
if (errorstring) {
prot_printf(proxyd_out, "%s NO Login failed: %s\r\n",
tag, errorstring);
@@ -2308,6 +2313,7 @@
char *ssfmsg=NULL;
int r;
+ int failedloginpause;
r = saslserver(proxyd_saslconn, authtype, resp, "", "+ ", "",
proxyd_in, proxyd_out, &sasl_result, NULL);
@@ -2337,7 +2343,10 @@
snmp_increment_args(AUTHENTICATION_NO, 1,
VARIABLE_AUTH, 0, /* hash_simple(authtype) */
VARIABLE_LISTEND);
- sleep(3);
+ failedloginpause = config_getint(IMAPOPT_FAILEDLOGINPAUSE);
+ if (failedloginpause != 0) {
+ sleep(failedloginpause);
+ }
if (errorstring) {
prot_printf(proxyd_out, "%s NO %s\r\n", tag, errorstring);
diff -ur cyrus-imapd-2.2.12-orig/lib/imapoptions cyrus-imapd-2.2.12/lib/imapoptions
--- cyrus-imapd-2.2.12-orig/lib/imapoptions 2011-01-05 12:28:15.000000000 +0100
+++ cyrus-imapd-2.2.12/lib/imapoptions 2011-01-06 09:44:00.000000000 +0100
@@ -202,6 +202,9 @@
as having already been delivered to the mailbox. Records the mailbox
and message-id/resent-message-id of all successful deliveries. */
+{ "failedloginpause", 3, INT }
+/* Number of seconds to pause after a failed login. */
+
{ "foolstupidclients", 0, SWITCH }
/* If enabled, only list the personal namespace when a LIST "*" is performed.
(it changes the request to a LIST "INBOX*" */
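Review bot: The new option description `/* Number of seconds to pause after a failed login. */` should state what the boundary values mean and which daemons honour it, since the administrator reading imapoptions is the one deciding whether to turn this throttle off. According to the patch only imapd and proxyd read the option, while the other sleep(3) calls the description mentions (pop3, lmtp) keep their fixed pause, so I would extend it to `/* Number of seconds to pause after a failed login (honoured by imapd and proxyd; 0 disables the pause). */`. The default of 3 keeps the previous hard-coded behaviour, which is worth saying as well.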