On Mon, Aug 12, 2024 at 07:34:28AM +0000, Slavko via mailop wrote:

> On 11 August 2024 at 23:46:43 UTC, Viktor Dukhovni via mailop 
> <mailop@mailop.org> wrote:
> 
> >I see some similar traffic (remote disconnects after ~8-30s) on my server:
> 
> Please, what would be reasonable TLS handshake timeout nowadays?

I think it can be rather different for SMTP and SUBMIT services.  For
SMTP, timeouts should be fairly generous, because the sending MTA can
plausibly be on some high delay or lossy link, and, despite all the
abuse, one (some of us, anyway) still wants to optimise for delivery of
mail, more than for deflecting every single spam message.

For SUBMIT, the traffic is presumably from your own users, who are
rarely very far away, and if temporarily on a bad link will try
again from a better location.  So the timeouts on ports 465 and 587
could be shorter.  Whatever your users are unlikely to exceed.

I'm tempted to propose 30s instead of 300s as still reasonable.

> I know, it depends, but anyway I consider 5 min (IMO the standard SMTP timeout)
> as too long. I lowered it on my MSA to 1 min a long time ago, without any
> problems for real clients. But I feel that even 1 min is still too long for
> TLS, especially when it is the first thing a client has to do after
> establishing TCP.

A couple of lost packets early in the connection can lead to long TCP
retransmission delays, so 5s is, I think, too short, and 30s, while
still generous, is not dramatically larger.  In any case, if your
submission service is not DoSed by too many live connections, it really
does not matter if a few stick around longer than absolutely necessary.

Postfix has a "stress" parameter, making it possible to lower timeouts
for a while, once a service crosses its process limit.  I am guessing
Exim might not, but you probably don't need this for the reported issue.

> When I look at GnuTLS, they "suggest" setting it to some constant with a
> very long name (GNUTLS_something), which is set to max_int ms, thus
> even longer....
> 
> I found that I cannot set the TLS handshake timeout in Exim, but anyway,
> knowing that value can be useful, as other software can allow setting it up.
> Can you please elaborate on it?

TL;DR Go with 30s, and not lower than 10s if you really feel the need to
run a tight ship.

-- 
    Viktor.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
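As an added illustration, not part of the thread and Postfix-only (Slavko reports that Exim does not expose this knob), here is how the advice above maps onto Postfix settings: a generous per-operation TLS handshake limit on port 25, 30s on the submission ports, and the stress-dependent fallback to 10s that Viktor mentions. The parameter names are real Postfix parameters and the `${stress?{x}:{y}}` syntax needs Postfix 3.0 or later; the specific values and the two submission service definitions are chosen for this example, not taken from the thread.

```ini
# --- main.cf (Postfix 3.0+), values chosen for this example ---
#
# Port 25: stay generous for remote MTAs on slow or lossy links, but drop to
# 10s per TLS read/write while master(8) reports "stress", i.e. the service
# has hit its process limit and new connections are queueing behind it.
smtpd_starttls_timeout = ${stress?{10}:{300}}s
smtpd_timeout          = ${stress?{10}:{300}}s

# Caveat: smtpd_starttls_timeout bounds each individual read or write during
# the TLS handshake, not the handshake as a whole, so a slow-but-alive peer
# can still hold a process for several times this value in total.

# --- master.cf: submission services get the shorter budget ---
# Only the -o overrides matter here; keep your existing auth/restriction options.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_starttls_timeout=${stress?{10}:{30}}s
  -o smtpd_timeout=${stress?{10}:{60}}s
smtps      inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_starttls_timeout=${stress?{10}:{30}}s
  -o smtpd_timeout=${stress?{10}:{60}}s
```

To confirm what each service will actually use, `postconf -n smtpd_starttls_timeout` shows the main.cf value and `postconf -P 'submission/inet/smtpd_starttls_timeout'` the per-service override; when master(8) switches a service into stress mode it logs a warning that the service has reached its process limit, which is the signal that the shorter values are in effect.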