LinuxQuestions.org


halfpower 10-22-2021 09:24 AM

How often does Thunderbird negotiate a login?
 
How often is the password sent to the mail server when Thunderbird is left open? Sorry if this is the wrong forum, but I am trying to figure out how much of a strain bcrypt/scrypt puts on a server that does more than just email.

HappyTux 10-22-2021 10:26 AM

Every time it is set to check the mail; that is the only way to do it on an account that requires the login name and password to check for mail.

Edit: that would be the checking function; the encrypted stuff would only be used for the actual decryption of mail fetched.

sundialsvcs 10-24-2021 07:27 PM

Each time you "check for mail," a mail client initiates a new session with the mail server – using the password – then checks and receives the mail, then ends the session. However, there is virtually no overhead and therefore no "strain." Encryption algorithms are written to be very efficient. (For instance, your entire interaction with this web site is passing through quite a robust one!)

boughtonp 10-25-2021 07:18 AM

Quote:

Originally Posted by sundialsvcs (Post 6295364)
Encryption algorithms are written to be very efficient.

Halfpower isn't asking about encryption!

Bcrypt and scrypt are key derivation functions - they are written to be deliberately slow, and replace the misuse of fast hashing algorithms in password authentication.


boughtonp 10-25-2021 07:27 AM

Quote:

Originally Posted by halfpower (Post 6294683)
I am trying to figure out how much of a strain bcrypt/scrypt puts on a server that does more than just email.

This suggests you don't have enough users for it to matter - otherwise why would you be running it all from a single server?

However, you can probably check server logs to see how frequently email login requests are made at peak times - once you know that, double the rate and run a script on your staging/test server to see what sort of load you might expect, and go from there.
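
One way to carry out the measurement suggested in the post above, as an added example that is not part of any post in this thread. It assumes Dovecot-style syslog lines (the thread never names the mail server) and uses scrypt with n=2**14, r=8, p=1 as a stand-in for whatever KDF and cost the server is actually configured with.

```python
import hashlib
import os
import re
import time
from collections import Counter

# Constructed sample in Dovecot's syslog style (assumption: adapt LOGIN_RE
# to the log format your own mail server writes).
SAMPLE_LOG = """\
Oct 25 09:00:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, TLS
Oct 25 09:00:04 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, TLS
Oct 25 09:00:31 mail dovecot: imap-login: Disconnected: Inactivity (no auth attempts): rip=192.0.2.99
Oct 25 09:00:58 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.12, TLS
Oct 25 09:10:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, TLS
"""
# Captures "Mon DD HH:MM" so logins can be bucketed per minute.
LOGIN_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ dovecot: \S+-login: Login: user=<")

def peak_logins_per_minute(log_text):
    """Return (minute, count) for the busiest minute of successful logins.
    Failed attempts also cost one hash each, so count them too if your
    server logs them."""
    per_minute = Counter()
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            per_minute[m.group(1)] += 1
    return per_minute.most_common(1)[0] if per_minute else (None, 0)

def seconds_per_hash(rounds=3, n=2**14, r=8, p=1):
    """Average wall-clock cost of one scrypt verification on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.scrypt(b"constructed test password", salt=salt, n=n, r=r, p=p, dklen=32)
    return (time.perf_counter() - start) / rounds

def core_utilisation(logins_per_minute, hash_seconds, headroom=2.0):
    """Fraction of one CPU core spent hashing at `headroom` times the peak rate."""
    return logins_per_minute * headroom / 60.0 * hash_seconds

if __name__ == "__main__":
    minute, peak = peak_logins_per_minute(SAMPLE_LOG)
    cost = seconds_per_hash()
    print(f"peak minute {minute}: {peak} logins; scrypt {cost * 1000:.1f} ms/hash")
    print(f"one core busy at 2x peak: {core_utilisation(peak, cost):.2%}")
```

Run it on the staging server against a real day's log to get the per-hash cost on that hardware rather than on a workstation.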


ntubski 10-25-2021 05:41 PM

If your server uses IMAP, then I guess it could be no renegotiations at all, depending on timeout configurations:

https://help.hcltechsw.com/domino/11...nlimits_t.html
Quote:

After a user opens a session with the IMAP service, the service waits for commands from the mail client. If no commands are received, the session is considered to be idle.
[...]Many IMAP clients poll for new mail every 10 minutes, so it's best to set the value to greater than 10 minutes, because the overhead of supporting an idle session is less than the overhead required to support clients logging in and opening mailboxes.

By default, servers drop idle sessions after 30 minutes.

halfpower 11-29-2021 10:35 AM

Thunderbird is set to check for new mail every ten minutes. However, when I leave Thunderbird open, new mail shows up almost as soon as it's received by the server. I'm guessing that a hefty bcrypt/argon2 hasher would be enough to lock up the web server for 1, maybe even 3, seconds. I don't want to pay for an extra CPU core solely for the purpose of hashing passwords; however, web server performance and security are more important. I think I will have to dig deeper into the email server log files.


All times are GMT -5.