[Dovecot] Delay on failed pw attempts
Asheesh Laroia
asheesh at asheesh.org
Wed Jan 2 01:46:23 EET 2008
On Tue, 1 Jan 2008, Dean Brooks wrote:
> Hi,
>
> Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
> style option that would put in an artificial delay after a failed
> password attempt?
>
> As it stands now, Dovecot seems highly vulnerable to widescale
> brute-force password dictionary scans.
But not if you secure access to Dovecot using e.g. fail2ban. Why is
adding complexity to Dovecot better than using a dedicated tool?
-- Asheesh.
--
Kites rise highest against the wind -- not with it.
-- Winston Churchill
More information about the dovecot
mailing list