
Date:  Thu, 8 May 2008 17:17:27 -0700
From:  "Ken Marcus - Precision Web Hosting, Inc." <kenmarcus (at mark)>
Subject:  [coba-e:12774] Re: dovecot udpate
To:  <coba-e (at mark)>
Message-Id:  <7d3d01c8b16a$127a6500$6601a8c0@OfficeKen>
X-Mail-Count: 12774

----- Original Message ----- 
From: "Ken Marcus - Precision Web Hosting, Inc." <kenmarcus (at mark)>
To: <coba-e (at mark)>
Sent: Thursday, May 08, 2008 5:14 PM
Subject: Re: [coba-e:12772] Re: dovecot udpate

>> Hisao SHIBUYA wrote:
>>> Hi Rusty and all,
>>>>>> First, let me say thank you for all you do.
>>>>>> Second, let me ask a question: is converting BQ from PAM to flat files
>>>>>> going backwards? It doesn't appear to be a step forward, but a step
>>>>>> backward.
>>>>>> Shudder the word, but has anyone looked at Zeffie's recommendation to
>>>>>> see if it had any value before moving backwards?
>>>>> Changing flat file from pwdb will be performance down.
>>>>> On some point, changing flat file means to be a step back.
>>>>> I read Zeffie's post as coba-e:12183 again.
>>>>> If it is true, and the pwdb isn't the cause of the issue with dovecot.
>>>>> That issue is cause of dovecot pwdb implementation, we don't need to
>>>> change back to flat file.
>>>> <...>
>>>>> Any comment?
>>>>> Regards,
>>>>> Hisao
>>>> I've been playing around with the "login_max_processes_count" option in
>>>> dovecot.conf, and while it seems to work great preventing issues when
>>>> there is a dictionary-attack against POP3, it obviously had no effect on
>>>> a recent FTP dictionary-attack... pwdb still flaked out, and you would
>>>> have to login with root (since root is in shadow vs pwdb) to manually
>>>> fix or wait for sometime after the attack has stopped (time enough for
>>>> db_recover to do its thing).
>>>> I see shadow vs pwdb as a step back also, but would be a step towards
>>>> stability and reliability.
>>> Yes, pwdb has hung up issue with dictionary attack.
>>> And one more reason, that is compatibility.
>>> I checked pam and pwdb package of CentOS5, it has pam 0.99.
>>> It doesn't have pwdb library.
>>> Does anyone know why pwdb library was removed?
>>> On performance point, we can use db file for nsswitch as same as
>>> current database.
>>> So, if somebody would like to use db file for pam, they can
>>> install nss_db and make on /var/db directory, it makes db file
>>> from flat file.
>>>> I know BQ made the change from vsftpd to proftpd, so does proftpd have a
>>>> similar config setting as dovecot that may reduce issues with pwdb
>>>> during dictionary attacks? But, is this a bad direction to head; tuning
>>>> the individual services instead of replacing the underlying
>>>> authentication mechanism?
>>> There is no specific reason to use proftpd, I just ported the original
>>> code to RH based linux, and original code supported proftpd.
>>> That is why I use proftpd.
>>> I understood somebody said that vsftpd configuration file is almost
>>> same as proftpd one.
>>> If it is true, it isn't difficult to migrate to vsftpd.
>>> It means, we don't release update package for proftpd.
>>> It is very good point for us.
>>> Anyway, I will fix the pwdb and dovecot issue in a couple of weeks.
>>> Thanks,
>>> Hisao
> From: "Greg Kuhnert"
>>I notice the new dovecot has been pushed. It might be helping on the pwdb 
>>related matters, but my mail performance has gone down the drain. For me 
>>to login to my own inbox is taking 30 seconds to change from one imap 
>>folder to another.....
>> Anyone else having problems after the update?
>> Regards,
>> Greg.
> On your question: I use pop3 so I don't know.
> But possibly increasing the login_max_processes_count in the
> dovecot.conf again would make a difference.
> On another subject, if the   dovecot --version    shows 10.12, then that 
> is the version that allows anyone to log in without a password.
> Does anyone know if this  method of going to 1.013 would cause problems?
> yum install
> rpm -Uvh
> (I did do it to one unused server it works with pop3, pop3s but  imap, and 
> imaps do not see the mbox as far as I can tell.)
> ----
> Ken Marcus
> Ecommerce Web Hosting by
> Precision Web Hosting, Inc.

Correction, IMAP does work after applying that update.

Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.