(I think I am testing other readers' patience, so if you want to follow-up, you can Email me directly.)
> but how often do you have to type your username?
Not often, but I'm not talking the typical case. The larger the population you serve, the more circumstances you'll have to cover.
> Only on the initial config of your mailer. After that you are done.
Mail reader setups by users is often an error prone process, judging from the number of times I have to correct a setup. This is especially true for an educational institution that typically has a large turnover of accounts.
If a user gets it initially wrong, then fixes their mistake, they can't get it to work despite trying all sorts of config variations, not realizing it can't be resolved anymore. Result: trouble call.
If someone blows it setting on a multi-user workstation, other users with working setups can't log in. Result: trouble call.
If a student flubs their credentials, all the roommates behind their residential NAT gateway suffer. Result: trouble call.
If a user screws up using an external service that slurps their mail (e.g. Gmail, Yahoo, uniboxapp, etc.), or worse, someone malicious does it on purpose, all other users of this service will be DoS'd. Result: trouble call(s).
If a user acquires a DHCP address in a polluted network ..., well you get the idea.
Not to mention ex-users who forget to remove their mail accounts from their smartphones, leaving a trail of blacklist entries in their wake as they travel from coffee shops to other public WiFi hotspots.
> So this is why I decided to use two distinct jails with different policies. It seems to work reasonably well.
Until it doesn't. If it works for you, more power to you.
The cost/benefit of a hair-trigger blacklist policy is that it saves you a few log entries showing futile attempts at finding weak passwords (because you have strong passwords, don't you?) at the risk of dealing with any of the above situations.
Joseph Tam <jtam.home@gmail.com>
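The trade-off argued above, as an added illustration rather than anything posted in the thread: a fail2ban `jail.local` fragment with a hair-trigger policy beside a tolerant one for the same Dovecot log. The `dovecot` filter and `%(dovecot_log)s` path come with fail2ban; the jail names, the thresholds and the 203.0.113.0/24 campus NAT range are assumptions for this example.

```ini
# Added example, not from the thread. Two alternative policies for the
# same log; enable only one of them.

[DEFAULT]
# Never ban the shared residential/campus NAT gateways (assumed range),
# so one student's mistyped password cannot lock out every roommate.
ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24

# Hair-trigger policy: three failures in ten minutes bans for a day.
# A phone retrying a stale saved password once a minute trips this in
# three minutes, and every host behind the same address goes with it.
[dovecot]
enabled  = false
port     = pop3,pop3s,imap,imaps,submission,465,sieve
logpath  = %(dovecot_log)s
maxretry = 3
findtime = 10m
bantime  = 1d

# Tolerant policy: many failures over a long window, short ban.
# A stuck mail client is slowed down instead of locked out for a day;
# a real password-guessing run is still banned, just a little later,
# and the log entries it leaves are the price of avoiding trouble calls.
[dovecot-tolerant]
enabled  = true
filter   = dovecot
port     = pop3,pop3s,imap,imaps,submission,465,sieve
logpath  = %(dovecot_log)s
maxretry = 30
findtime = 1h
bantime  = 10m
```

After editing, `fail2ban-client reload` and `fail2ban-client status dovecot-tolerant` confirm which jail is live and how many addresses it currently holds.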