Courier authentication slow

Roman Semko asked:

I have setup courier with imapd-ssl on ubuntu. Everything works fine: ssl certificates validate (on ubuntu/thunderbird and mac/mail) and login works, too.

The only problem is that it ALWAYS takes about half a minute for the handshake. If I do

openssl s_client -showcerts -connect myserver:993

I get “CONNECTED(00000003)” and then it hangs for half a minute

The time between the command and until I receive in mail.log:

myserver imapd-ssl: Connection, ip=[::ffff:89.136.227.107]

on the server logs is always between 29 and 32 seconds. Any idea what could cause that?
Postifx, HTTPS seem to respond lightning fast.

UPDATE:
I have tried to connect from an hotel and it seems to work fine. So my guess is that it’s an issue of firewalls on either my home router or the server’s firwall (ufw/iptables). I have read somewhere that when either of the systems has a firewall up, the courier seemed to take ages to login/authenticate. Some guy (http://de.comm.software.mailserver.narkive.com/GIvIajz6/courier-imap-sehr-langsam-mit-iptables) suggested that it happenens to courier when iptables are set. However, disabling them in my case didn’t do the trick..

My answer:


Courier imapd tries to do reverse DNS and ident lookups by default. Make sure you disable these, as one or the other (or both) is the most likely cause (and doing reverse DNS lookups at connection time leads to bad security).

For instance:

/usr/lib/courier-imap/libexec/couriertcpd ... -nodnslookup -noidentlookup ...

Check your system’s startup scripts to find out how it wants to add these options to the command.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.