Login with wrong credentials slow due to delay on Dovecot
| Reported by: | drdol | Owned by: | |
| Severity: | normal | Keywords: | dovecot login delay |
Description (last modified by alec)
Introduced in Changeset 4122 (line 706), the code will loop over $auth_methods and will do count($auth_methods) login attempts.
The IMAP connection looks like:
    A0001 ID (name "Roundcube Webmail" version 0.5.1 php 5.2.6-3 os Linux command /)
    A0002 AUTHENTICATE PLAIN BASE64ENCODING
    A0003 LOGIN firstname.lastname@example.org password
    A0004 LOGOUT
If the IMAP server supports "AUTHENTICATE PLAIN", Roundcube tries to log in twice if the login credentials are incorrect: first using "AUTHENTICATE PLAIN", then "LOGIN" as a second attempt.
In older versions of Roundcube, only "LOGIN" was supported.
The double check of the credentials causes some problems if Dovecot is in use. Dovecot will delay logins with wrong credentials. This is mentioned here. As mentioned on the mailing list, every wrong login attempt will increase the delay.
This delay has a negative impact on the user. The user sometimes has to wait 15 - 20 seconds to determine that the user credentials are wrong, due to the delay of the second login attempt with "LOGIN". IMHO, after the first login fails, the script should skip further tries to avoid delays.
The delay even increases if too many wrong login attempts come from the same IP.
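The behaviour requested in the description (stop at the first rejected login instead of trying every entry in $auth_methods), sketched as an added PHP example; it is not Roundcube's code. The FakeImapServer class, the login() function, the account, the reply strings and the delay model are constructed for illustration; AUTHENTICATIONFAILED is the response code defined in RFC 5530.

```php
<?php
// Added example. FakeImapServer, login() and all reply strings are constructed;
// replies are shown without the IMAP command tag for brevity.

class FakeImapServer
{
    public $failures = 0;      // credential failures counted against this client
    public $delaySeconds = 0;  // penalty delay imposed so far (modelled, not slept)
    private $mechanisms;
    public function __construct(array $mechanisms) { $this->mechanisms = $mechanisms; }
    public function authenticate($method, $user, $pass)
    {
        if (!in_array($method, $this->mechanisms, true)) {
            return 'NO Unsupported authentication mechanism.';
        }
        if ($user === 'alice@example.org' && $pass === 'correct-horse') {
            return 'OK Logged in';
        }
        // Assumed penalty model: every further failure waits longer than the last.
        $this->failures++;
        $this->delaySeconds += 2 * $this->failures;
        return 'NO [AUTHENTICATIONFAILED] Authentication failed.';
    }
}

// Fall back to the next method only when the failure was not a credential
// rejection; a rejected password will be rejected under every other method too.
function login(FakeImapServer $server, array $authMethods, $user, $pass)
{
    foreach ($authMethods as $method) {
        $reply = $server->authenticate($method, $user, $pass);
        if (strpos($reply, 'OK') === 0) {
            return true;
        }
        if (strpos($reply, '[AUTHENTICATIONFAILED]') !== false) {
            return false;  // stop here: no second failed attempt, no second delay
        }
    }
    return false;
}

// Wrong password: one attempt and one penalty, although two methods are configured.
$server = new FakeImapServer(array('PLAIN', 'LOGIN'));
$ok = login($server, array('PLAIN', 'LOGIN'), 'alice@example.org', 'wrong');
printf("ok=%d failures=%d delay=%ds\n", $ok, $server->failures, $server->delaySeconds);
// PLAIN not offered by the server: the loop still falls back to LOGIN.
$server = new FakeImapServer(array('LOGIN'));
$ok = login($server, array('PLAIN', 'LOGIN'), 'alice@example.org', 'correct-horse');
printf("ok=%d failures=%d delay=%ds\n", $ok, $server->failures, $server->delaySeconds);
```

Stopping on a credential rejection also keeps one mistyped password from counting as two failed logins against the client's IP in the server's penalty tracking.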
Change History (6)
comment:5 Changed 4 months ago by mceccarellitnx
- Milestone 0.6-beta deleted
- Resolution fixed deleted
- Status changed from closed to reopened
- Version changed from 0.5.1 to 0.8.4