[Dovecot] Feature request: usernames and passwords
dovecot.user at seibercom.net
Wed Jul 21 16:35:57 EEST 2010
On Wed, 21 Jul 2010 14:29:10 +0300
Thanos Chatziathanassiou <tchatzi at arx.net> articulated:
> A relatively recent development that spammers got wind of is users that
> have username==password, with/without the domain.
> I am tracking numerous 1-off attempts from bots to gain access to
> mailboxes this way.
> Situation isn't made any better if you're also using dovecot as SMTP
> AUTH provider for I am ashamed to admit I've relayed some spam that way.
> Would it be possible to deny login if username==password with a
> (non?)polite/custom message to go change your password to something less
> obvious?
Seriously, this reminds me of a saying by Ron White that I have always
thought à propos: "You can't fix stupid." There is no way you can
protect a user from their own stupidity. I don't care how many
safeguards you put in place. Remember, "Nothing is foolproof to a
sufficiently talented fool." Or, as I like to tell others, "Make it
idiot proof and someone will make a better idiot." There are reportedly
thousands of users who use "Password" for their actual password.
This is not a Dovecot problem. Adding additional checks in Dovecot will
only bloat the program and potentially cause other catastrophic
Dovecot.user at seibercom.net
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
"I kind of want to slay the dragon. Let's go to work."
Angel's final words.
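
An added example, not part of the original post and not Dovecot code: an offline audit of a Dovecot passwd-file for the username==password case raised in the quoted request, checking the login both with and without the domain. It assumes entries stored as {PLAIN} or {SSHA256} (base64 of the SHA-256 digest followed by the salt); the function names and the sample accounts are constructed for illustration.

```python
import base64
import hashlib
import hmac

def candidates(user):
    """Guesses from the quoted request: the login with and without the domain."""
    local = user.split("@", 1)[0]
    return {user, local, user.lower(), local.lower()}

def verify(stored, guess):
    """True/False for {PLAIN} and {SSHA256} entries, None for any other scheme."""
    if not stored.startswith("{") or "}" not in stored:
        return None
    scheme, data = stored[1:].split("}", 1)
    if scheme.upper() == "PLAIN":
        return hmac.compare_digest(data.encode(), guess.encode())
    if scheme.upper() == "SSHA256":
        raw = base64.b64decode(data)          # 32-byte digest followed by the salt
        digest, salt = raw[:32], raw[32:]
        calc = hashlib.sha256(guess.encode() + salt).digest()
        return hmac.compare_digest(calc, digest)
    return None

def audit(passwd_lines):
    """Return (accounts whose password is their username, accounts not checkable)."""
    flagged, skipped = [], []
    for line in passwd_lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":")[:2]
        results = [verify(stored, guess) for guess in candidates(user)]
        if None in results:
            skipped.append(user)      # scheme this sketch cannot check offline
        elif any(results):
            flagged.append(user)
    return flagged, skipped

def make_ssha256(password, salt):
    """Helper used only to build the constructed sample entries below."""
    blob = hashlib.sha256(password.encode() + salt).digest() + salt
    return "{SSHA256}" + base64.b64encode(blob).decode()

# Constructed sample passwd-file lines (user:password); not real accounts.
SAMPLE = [
    "alice@example.com:" + make_ssha256("alice", b"\x01\x02\x03\x04"),
    "bob@example.com:{PLAIN}bob@example.com",
    "Carol@example.com:" + make_ssha256("correct horse battery", b"\x05\x06\x07\x08"),
    "dave@example.com:{CRAM-MD5}" + "0" * 64,
]
```

Calling `audit(SAMPLE)` returns the flagged accounts and, separately, the accounts whose scheme could not be checked, so those can be reviewed by other means.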