[Dovecot] Bug Report: Failure delay config is ignored

Kevin Goodsell kevingoodsell.lists at gmail.com
Wed May 4 20:39:39 EEST 2011


I have a set of automated tests for a system that can authenticate a
user by forwarding authentication details to a server. That is, in order
to authenticate a user, this system logs on to, e.g., an IMAP server
using the credentials supplied by the user to verify the correctness of
those credentials. I've been using dovecot as the authentication server
to test IMAP, IMAPs, POP3, and APOP. To run the tests (most of which are
authentication failures), I configure dovecot without authentication
failure delays, since obviously I don't want to wait several minutes for
the tests to finish.

Setting the configuration variable auth_failure_delay to 0 worked fine
in Dovecot 1.2, but since Debian updated to Dovecot 2.0 it no longer
works. The tests take a very long time to run.

I tried changing my passwd file to include nodelay=y, but this only
works in a very limited way. For the set of tests which use the correct
username, but an incorrect password, this successfully disables the
failure delay. However, for the set of tests which use incorrect
usernames (names not found in the user database or the password
database, and which therefore don't have the extra nodelay field), the
failure delay still occurs.

There seem to be at least two problems here. The first is that it isn't
clear what effect auth_failure_delay has. The comment in the sample
config file just says "Time to delay before replying to failed
authentications", which is certainly an incomplete description if not
totally inaccurate. This setting seems to be completely unmentioned in
the 2.0 wiki.

The second problem is that the nodelay extra field can only be applied
on a per-user basis. There doesn't seem to be any way to apply it to all
users, or to apply it to authentication attempts for non-existent users.

It seems to me that the failure delay that is actually used should
either be 1) the actual value of auth_failure_delay (ideally with some
random variance for extra security, but recognizing 0 as meaning
disabled) or 2) some multiple of auth_failure_delay, where the
multiplier increases with subsequent failures up to some max delay, with
0 still giving no delay.

Config information follows. Thanks.

-Kevin

$ dovecot -n
# 2.0.12: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-686 i686 Debian wheezy/sid
auth_debug = yes
auth_failure_delay = 0
auth_mechanisms = plain apop
auth_verbose = yes
listen = 127.0.0.1
log_path = /var/log/dovecot
mail_location = maildir:~/Maildir
passdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
}
protocols = " imap pop3"
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = passwd
}

$ cat /etc/dovecot/passwd
testuser:{PLAIN}testpassword::::::nodelay=y
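As an added illustration (not part of this report and not Dovecot's own code), the delay policy proposed above, written in Python: a small parser for the passwd-file line format used in the config (user:password:uid:gid:gecos:home:shell:extra_fields) and a delay function in which 0 means disabled for every attempt, known or unknown user alike, the delay grows as a multiple of auth_failure_delay with consecutive failures up to a cap, and the per-user nodelay=y extra field is still honoured. The function names, the linear multiplier and the 30 second cap are assumptions made for the example.

```python
import random


def parse_passwd_file(text):
    """Parse dovecot-style passwd-file lines into {user: {"password": ..., "extra": {...}}}.

    Format assumed: user:password:uid:gid:gecos:home:shell:extra_fields,
    where extra_fields is a space-separated list of key=value items.
    """
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 7)
        fields += [""] * (8 - len(fields))  # pad short lines to 8 fields
        extra = {}
        for item in fields[7].split():
            key, _, value = item.partition("=")
            extra[key] = value
        users[fields[0]] = {"password": fields[1], "extra": extra}
    return users


def failure_delay(base_delay, consecutive_failures, user_entry=None,
                  max_delay=30.0, jitter=0.0):
    """Seconds to wait before answering a failed authentication.

    base_delay <= 0 disables the delay for everyone, including attempts
    against usernames that do not exist (user_entry is None).
    Otherwise the delay is base_delay times the failure count, capped at
    max_delay, with optional random variance of up to `jitter` seconds.
    A per-user extra field nodelay=y still disables it for that user.
    """
    if base_delay <= 0:
        return 0.0
    if user_entry is not None and user_entry["extra"].get("nodelay") == "y":
        return 0.0
    delay = min(base_delay * max(1, consecutive_failures), max_delay)
    if jitter > 0:
        delay += random.uniform(0, jitter)
    return delay


# Constructed sample: the passwd file from the report plus one ordinary user.
SAMPLE_PASSWD = """\
testuser:{PLAIN}testpassword::::::nodelay=y
alice:{PLAIN}secret::::::
"""
```

With base_delay=2 a third consecutive failure for alice waits 6 seconds, a failure for testuser waits 0 because of nodelay=y, and an unknown user waits 0 only when auth_failure_delay itself is 0.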

