[Dovecot] Feature request: usernames and passwords
Thanos Chatziathanassiou
tchatzi at arx.net
Wed Jul 21 15:35:00 EEST 2010
Timo Sirainen wrote:
> On Wed, 2010-07-21 at 14:57 +0300, Thanos Chatziathanassiou wrote:
>
>> Timo Sirainen wrote:
>>
>>> On 21.7.2010, at 12.29, Thanos Chatziathanassiou wrote:
>>>
>>>> Would it be possible to deny login if username==password with a (non?)polite/custom message to go change your password to something less obvious ?
>>>>
>>> What passdb do you use?
>>>
>> passwd-file with md5-crypt though I could easily swap it for an SQL
>> variant.
>>
>
> With SQL this should be pretty easy to do. If password matches username
> ('%w' = '%u') have it return 'y' as nologin and 'bad password' as
> reason.
>
Correct. Should be fairly easy to do - just need a compatible crypt()
function in SQL. Never thought of that.
>
>> I think I'll be fairly shielded from this kind of things in the
>> future, just brought it up because all of us here manage people's mails
>> one way or another.
>>
>
> I think this is one of the tons of different possible password policies
> and isn't really Dovecot's job. It really should be enforced while
> setting the password, not while checking it.
>
Indeed, though it seems that someone went out of their way to have their
password changed to this and I was worried that a similar loop-hole
exists that I'm not aware of.
Anyway thanks for the tip.
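The SQL passdb approach Timo describes above, as an added example that is not part of the thread and not Dovecot's own code: a hypothetical `password_query` whose `CASE` expressions return `nologin` and `reason` when the submitted password equals the username, plus a small Python emulation of Dovecot's `%u`/`%w` expansion and passdb decision, run against an in-memory SQLite table of constructed users. The table and column names, the `sql_escape` stand-in for Dovecot's per-driver escaping, and the `{SHA256}` storage scheme are assumptions for the example. Note that `%w` is the plaintext password the client sent, so no `crypt()` in SQL is needed for the comparison; the flip side is that `%w` is only populated by plaintext mechanisms (PLAIN, LOGIN), so with CRAM-MD5 or DIGEST-MD5 the check never fires.

```python
"""Emulate a Dovecot SQL passdb that denies login when password == username.

Added example; table/column names and helpers are assumptions, not Dovecot code.
"""
import base64
import hashlib
import re
import sqlite3

# Hypothetical password_query in the style of dovecot-sql.conf.ext.
# Dovecot expands %u (username) and %w (plaintext password from the client,
# empty for non-plaintext mechanisms) and SQL-escapes them before running it.
# 'nologin' and 'reason' are passdb extra fields: a 'y' nologin denies the
# login even though the password is correct, and 'reason' is reported back.
PASSWORD_QUERY = (
    "SELECT password, "
    "CASE WHEN '%w' = '%u' THEN 'y' ELSE NULL END AS nologin, "
    "CASE WHEN '%w' = '%u' THEN 'bad password' ELSE NULL END AS reason "
    "FROM users WHERE username = '%u'"
)


def sql_escape(value):
    """Standard-SQL quoting of a string literal (doubles single quotes).

    Dovecot does the equivalent per database driver; this stands in for it
    so that a username such as o'brien cannot break out of the literal.
    """
    return value.replace("'", "''")


def expand_query(template, username, password):
    """Single-pass stand-in for Dovecot's %variable expansion of the query."""
    values = {"%u": username, "%w": password}
    return re.sub(r"%[uw]", lambda m: sql_escape(values[m.group(0)]), template)


def sha256_scheme(password):
    """Dovecot's {SHA256} password scheme: base64 of the raw SHA-256 digest."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return "{SHA256}" + base64.b64encode(digest).decode("ascii")


def make_db():
    """Constructed sample passdb: alice (and o'brien) chose username as password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    for user, pw in [("alice", "alice"), ("bob", "s3cret"), ("o'brien", "o'brien")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, sha256_scheme(pw)))
    return conn


def authenticate(conn, username, password):
    """Emulate the passdb decision: verify the hash, then honour nologin/reason.

    Returns (allowed, reason). Mirrors Dovecot's behaviour in that nologin only
    matters once the password itself has been verified.
    """
    row = conn.execute(expand_query(PASSWORD_QUERY, username, password)).fetchone()
    if row is None:
        return False, "unknown user"
    stored, nologin, reason = row
    if stored != sha256_scheme(password):
        return False, "auth failed"
    if nologin == "y":
        return False, reason
    return True, None


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "alice"), ("bob", "s3cret"), ("bob", "bob"),
                     ("o'brien", "o'brien")]:
        print(user, pw, authenticate(db, user, pw))
```

The query-side check is cheap, but it reports the problem only at login time and only for plaintext mechanisms; as Timo says, the policy is better enforced when the password is set. With a `passwd-file` passdb there is no query to attach such logic to, which is why the thread suggests switching to an SQL passdb.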