[Dovecot] Feature request: usernames and passwords
Eduardo M KALINOWSKI
eduardo at kalinowski.com.br
Wed Jul 21 16:30:26 EEST 2010
On Qua, 21 Jul 2010, Leonardo Rodrigues wrote:
> i completly agree that dovecot is not the place for enforcing
> password policies nor checking them.
>
> but, still on the subject, maybe dovecot could have some
> features for helping sysadmins to avoid/mitigate brute-force
> attacks. As told, some bots tries username=password, but those
> fuckers (the bots) also tries lots of common passwords, 123, 1234,
> the username followed by some numbers, and lots of others.
>
> of course, if the provided password is not correct, dovecot
> denies access as it should .... but in those situations, logs can
> get pretty filled with login failed messages, specially on servers
> with lots of accounts. And, in some cases, after lots of tries, the
> bot can found the correct username/password combination.
>
> [snip]
I think none of this is dovecot's function. Let's keep the UNIX
filosophy: one tool does one function, and does that function well.
Dovecot is an execellent mail server. It should not be turned into a
monster Windows-like application that does dozens of
not-really-quite-related things.
What you want can be done with other tools.
--
Eduardo M KALINOWSKI
eduardo at kalinowski.com.br
More information about the dovecot
mailing list