Unbounded tokio::spawn per accepted connection → file-descriptor exhaustion under load. No read timeout → Slowloris holds connections open indefinitely.
Fixes
- SMTP: max 1000 connections per listener (Semaphore); per-read timeout 5 min (RFC 5321 §4.5.3.2)
- IMAP: max 500 connections per listener; per-read timeout 30 min (RFC 9051 §5.4), covering command loop and IDLE loop
Excess connections are dropped immediately (TCP RST) with a warn log.
Unbounded
tokio::spawnper accepted connection → file-descriptor exhaustion under load. No read timeout → Slowloris holds connections open indefinitely.Fixes
Excess connections are dropped immediately (TCP RST) with a
warnlog.