Protection against POP or IMAP Denial of Service (DOS)

Bron Gondwana brong at fastmail.fm
Wed May 21 07:19:41 EDT 2008


On Wed, 21 May 2008 07:13:10 +0200, "Christiaan den Besten" <chris at prolocation.net> said:
> Bron,
> 
> What does the authentication for nginx for you, since it can't query  
> for example a ldap directly ( at least, not the last time I checked )?  
> The epoll will scale, but wondering what is the most 'light' method to  
> do the actual authentication ..

Perl, it's the swiss cheese^H^H^H^H^H^Harmy knife of tools.

Specifically, we have this funky little thing that's increasingly
inaccurately named "saslperld".  It's just a forking Net::Server
derivative that listens to unix sockets.  It currently talks the
following protocols:

* lookup
* mux
* nginx
* perdimap
* perdpop
* vfs

Ok - so we don't use either of the perdition ones any more, they should
probably get removed in the cleanup I'm planning to do later this week
(while working on one time password, openid, other goodies).

"lookup" is a simple key value protocol allowing usernames to be resolved
to our internal userids.  It's used by log analysis tools.

"mux" is the saslauthd protocol.  Some sort of packed struct format from memory.

"nginx" is the nginx http authentication protocol.

"vfs" is also very badly named.  It's the protocol that I originally wrote for
handling our vfs interfaces (DAV & FTP) but has since expanded to be used by
our web interface and every other bit of code that wants to check user
authentication details, because the protocol is so easy to use from our
perl libraries.

The overhead of unix sockets really is very low, and being separate processes
means any epoll thingy (looking at DJabberd soon hopefully) can chat to it
asynchronously without having to do its own thread pool.

It also listens on a UDP port for broadcast cache expiry events and caches user
details to reduce database traffic for protocols with frequent short-lived logins.

Bron.
-- 
  Bron Gondwana
  brong at fastmail.fm
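The nginx http authentication exchange that saslperld speaks, as an added example that is not part of the original post or of FastMail's code: a small Python backend (rather than the Perl Net::Server daemon described above) answers the Auth-* request headers nginx's mail proxy sends with the Auth-Status / Auth-Server / Auth-Port reply headers, and uses Auth-Wait to stall repeated failures from one client IP, which is the DoS angle in the thread's subject. The user table, backend address, ports and thresholds are constructed sample values.

```python
"""Toy nginx mail-auth backend: nginx sends one HTTP request per login attempt."""
import hmac
import time
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample directory: user -> (password, backend host, port per protocol).
# A real daemon would consult LDAP/SQL here and cache the answer.
USERS = {"alice": ("correct horse", "10.0.0.5", {"imap": 143, "pop3": 110})}

FAIL_WINDOW = 300   # seconds a failed login keeps counting against a client IP
MAX_FAILURES = 5    # failures per window before we stop checking passwords at all
failures = defaultdict(list)  # client IP -> timestamps of recent failed logins

def _recent_failures(ip, now):
    failures[ip] = [t for t in failures[ip] if now - t < FAIL_WINDOW]
    return len(failures[ip])

def handle_auth(headers, now=None):
    """Map the Auth-* request headers nginx sends to the Auth-* reply headers."""
    now = time.time() if now is None else now
    req = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    ip = req.get("client-ip", "unknown")
    proto = req.get("auth-protocol", "")
    if req.get("auth-method") != "plain":   # apop/cram-md5 would need the stored secret
        return {"Auth-Status": "Unsupported authentication method"}
    strikes = _recent_failures(ip, now)
    if strikes >= MAX_FAILURES:
        # Refuse without touching the password store; Auth-Wait makes nginx hold the
        # client for that many seconds before delivering the error, slowing brute force.
        return {"Auth-Status": "Too many failed logins", "Auth-Wait": str(min(60, 3 * strikes))}
    entry = USERS.get(req.get("auth-user", ""))
    secret = entry[0] if entry else "no such user"   # compare anyway: uniform timing
    pw_ok = hmac.compare_digest(secret.encode(), req.get("auth-pass", "").encode())
    if entry is None or not pw_ok:
        failures[ip].append(now)
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    if proto not in entry[2]:
        return {"Auth-Status": "Unsupported protocol"}
    failures[ip].clear()   # a good login clears the IP's strike list
    return {"Auth-Status": "OK", "Auth-Server": entry[1], "Auth-Port": str(entry[2][proto])}

class AuthHandler(BaseHTTPRequestHandler):
    """nginx only reads the reply headers, so the body stays empty."""
    def do_GET(self):
        self.send_response(200)
        for name, value in handle_auth(dict(self.headers)).items():
            self.send_header(name, value)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

Point nginx's `auth_http` directive at this listener; the same handler could equally sit behind a unix socket as saslperld does.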
