[Dovecot] Feature request: usernames and passwords

Thanos Chatziathanassiou tchatzi at arx.net
Wed Jul 21 15:35:00 EEST 2010


Timo Sirainen wrote:
> On Wed, 2010-07-21 at 14:57 +0300, Thanos Chatziathanassiou wrote:
>   
>> Timo Sirainen wrote:
>>     
>>> On 21.7.2010, at 12.29, Thanos Chatziathanassiou wrote:
>>>
>>>> Would it be possible to deny login if username==password with a (non?)polite/custom message to go change your password to something less obvious ?
>>>>
>>> What passdb do you use?
>>>
>> passwd-file with md5-crypt though I could easily swap it for an SQL 
>> variant. 
>>     
>
> With SQL this should be pretty easy to do. If password matches username
> ('%w' = '%u') have it return 'y' as nologin and 'bad password' as
> reason. 
>   
Correct. Should be fairly easy to do - just need a compatible crypt() 
function in SQL. Never thought of that.
>   
>> I think I'll be fairly shielded from this kind of thing in the 
>> future, just brought it up because all of us here manage people's mails 
>> one way or another.
>>     
>
> I think this is one of the tons of different possible password policies
> and isn't really Dovecot's job. It really should be enforced while
> setting the password, not while checking it.
>   
Indeed, though it seems that someone went out of their way to have their 
password changed to this and I was worried that a similar loophole 
exists that I'm not aware of.
Anyway thanks for the tip.
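The SQL passdb trick Timo sketches above, written out as an added example (it is not code from the thread or from the Dovecot project). It assumes a table `users` with columns `userid` and `password`, the latter holding a scheme-prefixed hash such as `{MD5-CRYPT}...`; the statement goes into the `password_query` setting of the SQL passdb configuration. Dovecot substitutes `%u` (username) and `%w` (plaintext password) and escapes quotes in them before the query is sent, and a column returning NULL is treated as an absent extra field, so ordinary logins are unaffected:

```sql
-- Added example: Dovecot SQL passdb password_query that refuses logins
-- whose password is identical to the username.
-- Assumed schema: users(userid, password), password stored with a scheme
-- prefix (e.g. {MD5-CRYPT}$1$...). Dovecot still verifies the returned hash;
-- nologin='y' only applies once the password itself has matched.
SELECT
  password,
  -- 'y' makes Dovecot reject the login even though the hash matched;
  -- NULL (the implicit ELSE) means "no extra field" for normal users.
  CASE WHEN '%w' = '%u' THEN 'y' END AS nologin,
  -- reason is sent back to the client as the authentication failure text.
  CASE WHEN '%w' = '%u'
       THEN 'Your password equals your username; please change it.'
  END AS reason
FROM users
WHERE userid = '%u';
```

Two caveats apply. `%w` is only populated when the client authenticates with a plaintext mechanism such as PLAIN or LOGIN; with challenge-response mechanisms like CRAM-MD5 it is empty and the comparison never matches, so the check silently does nothing. The comparison also follows the database's collation: under a case-insensitive collation `Alice` and `alice` compare equal, which is usually what you want here, but verify it rather than assume it.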