[Dovecot] v2.0.beta1 released
Timo Sirainen
tss at iki.fi
Wed Dec 16 02:17:56 EET 2009
On Wed, 2009-12-16 at 00:03 +0000, Ed W wrote:
> On 14/12/2009 03:12, Timo Sirainen wrote:
> > Largest changes since alpha3:
> >
> > - if some IP address is failing authentications, all auth attempts from
> > the IP are delayed increasingly. a successful auth drops the delay. max
> > delay is 15 seconds. this is enforced by auth process, so it works
> > across different connections/processes/protocols.
> >
>
> I have a bunch of users behind several NATs (wifi hotspots, dialup
> gateways) and it would seem that if some muppet innocently sets up the
> wrong username/password then all the other users get significantly
> penalised? (I have even seen cases people have a go at configuring
> Outlook, it doesn't work and they just leave it misconfigured and
> sending incorrect passwords forever afterwards...)
This could be a problem, yes.. I probably have to make this configurable
in some way. Or perhaps I could add some more code so that if only the
same user+password combination (or a few of them) are the problem, it
doesn't penalize. This feels familiar, I think I almost started coding
that before. Or it's as if I already did, but I don't see the code..
When that's done, once in a while when an invalid user+pass combo
happens it delays the next user's login for a couple of seconds, but
then it would get cached for some time so if it tries again there would
be no delays.
Also in any case, even if I don't change it from how it works now, the
penalty goes away immediately after first successful login. So pretty
much the worst that can happen is that innocent users have to wait for
15 seconds before they can log in.
> Should it not only delay *incorrect* logins? ie each time you get it
> wrong then you get a penalty (which increases). Getting it right would
> login instantly and slightly decrease the "got it wrong" penalty (or
> perhaps it just time ages)?
That would also make the penalty pretty pointless. Attackers would just
login, wait for half a second, assume it was a failed login, disconnect
and connect again.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20091215/9beb6416/attachment.bin
More information about the dovecot
mailing list