> On 08/06/2022 05:34 Hippo Man <hippo...@gmail.com> wrote: > > > I'm trying to understand what is meant by "tarpit" in the ffollowing quote of > the Dovecot auth policy docs for the "before" check ... > First query is done before password and user databases are consulted. This > means that any userdb/passdb attributes are left empty. > The command used here is ‘allow’ and will appear on the URL as command=allow. > status result values: > * -1: Reject > * 0: Accept > * (Any other positive value): Tarpit for this number of seconds. > What actually happens if a positive status value is returned here? > > Does it mean that the client will not receive any response for the given > number of seconds, but that the given login attempt will still continue after > that delay? Or does it mean that the client will not receive a response for > the given number of seconds, and then the login will be rejected after that > delay? > > What if the client has connected via pop3 and is sending multple "user" and > "pass" combinations? If the "before" check returns, for example, the integer > "5" as the status, does this mean there will be a 5-second delay between each > login attempt that is being sent to this connection? > > Ideally, I'd like the following to occur, but I don't know if it is possible: > > * Client connects via pop3 and intends to send a large batch of "user"/"pass" > commands via this connection. > > * The first "user"/"pass" command is made to wait for many seconds. > > * Then, the connection is dropped, so that the subsequent "user"/"pass" > commands do not even hit the dovecot server. > > I'm thinking that this is *not* what is meant by "tarpit" in the auth policy > docs, correct? > > Thank you for any clarification. > > -- > hippo...@gmail.com > Take a hippopotamus to lunch today.
Hi! When client connects, and sends authentication request dovecot performs a policy lookup before any actual authentication. If this policy result has positive value, tarpit occurs. This means we simply add a timeout to auth process and leave it hanging, while handling other requests, and then perform the actual authentication. The authentication is not failed, however. Aki
