On Tue, 2008-01-01 at 16:47 -0500, Dean Brooks wrote:
> > Failed auth requests are put to a queue that's flushed every 2 seconds. So there is already a delay. I don't think it's a good idea to increase it up from 2 seconds, it just gets annoying when you type the wrong password accidentally.
>
> I think the majority of Dovecot users would propose that 2 seconds is much too short, and that the annoyance of an occasional rare wrong password is of little concern given the high number of dictionary attacks occurring nowadays.
>
> This *really* needs to be configurable. For our site, I would probably set the delay to 15 seconds. Others might want it at the very low 2 seconds like you suggest.

I don't really like adding settings that just tweak a small detail, but I guess there's no good default value to this then. v1.1 has now auth_failure_delay setting.
For v1.0 you can change src/auth/auth-request-handler.c line:

    to_auth_failures = timeout_add(2000, auth_failure_timeout, NULL);
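
An added illustration, not Dovecot code and not part of the original message: a small C model of the queue behaviour described above, assuming a repeating timer that releases every queued failure reply on each tick. The function names, the 50 ms round-trip time and the sample arrival times are constructed for the example; 2000 ms and 15000 ms are the two values discussed in the thread.

```c
#include <stdio.h>

/* Model (assumption): a repeating timer fires every interval_ms and releases
   every failure reply that was queued since the previous tick. */

/* Delay seen by a failed request that is queued at arrival_ms. */
static long reply_delay_ms(long arrival_ms, long interval_ms)
{
    long next_tick = (arrival_ms / interval_ms + 1) * interval_ms;
    return next_tick - arrival_ms;
}

/* Failure replies one connection can collect within window_ms when it sends
   its next attempt rtt_ms after each failure reply (sequential attempts). */
static int failures_in_window(long interval_ms, long rtt_ms, long window_ms)
{
    long now = 0;       /* first failed attempt is queued at t = 0 */
    int answered = 0;

    for (;;) {
        long reply_at = now + reply_delay_ms(now, interval_ms);
        if (reply_at > window_ms)
            break;
        answered++;
        now = reply_at + rtt_ms;    /* next attempt reaches the queue */
    }
    return answered;
}

int main(void)
{
    /* Constructed sample arrival times in ms, not taken from any log. */
    const long arrivals[] = { 100, 1900, 2000, 7400 };
    const long intervals[] = { 2000, 15000 };

    for (size_t i = 0; i < 2; i++) {
        printf("flush interval %ld ms\n", intervals[i]);
        for (size_t j = 0; j < 4; j++)
            printf("  queued at %5ld ms -> reply delayed %5ld ms\n",
                   arrivals[j], reply_delay_ms(arrivals[j], intervals[i]));
        printf("  failure replies per minute on one connection: %d\n",
               failures_in_window(intervals[i], 50, 60000));
    }
    return 0;
}
```

In this model a single mistyped password waits anywhere from just above 0 up to the full interval, while the interval itself caps how many failure replies one connection can receive per minute.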