Cliff Hayes writes:
> a) I read about auth_failure_delay even before I posted my question and I could not figure out the one-line explanation in the dovecot wiki: "Number of seconds to delay before replying to failed authentications." It's delaying a reply. Does that mean the hacker can keep asking as fast as he wants?
As Reindl states, authentication is a synchronous operation so the BFD attacker must wait for a reply before continuing.
An attacker can get around this by running a botnet against you or opening up many concurrent connections (I think the latter can be capped), but I've rarely seen this. A botnet attack will defeat IP based blocking anyway.
> Is it per user or per IP?
Irrelevant -- there is no tracking. It simply pauses the reply to bad auth attempts and tarpits the session.
auth_failure_delay does not block BFD attacks, but makes it infeasible for reasonable strength passwords. It's simpler to implement, robust, and fault tolerant (e.g. a user cannot accidentally lock themselves out requiring administrative intervention to restore immediate access, or repeated failures from a NAT'd network do not DoS everything within the NAT'd network).
Joseph Tam jtam.home@gmail.com
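As an added example (not from this thread and not Dovecot's own code), a small Python model that contrasts a stateless reply delay of the kind auth_failure_delay applies with a per-IP failure counter, on a constructed set of attempts where an attacker and a legitimate user share one NAT address, and works out the wall-clock cost of a synchronous guessing loop. Class and function names are hypothetical.

```python
# Added illustrative model, not Dovecot code: a stateless reply delay versus a
# per-IP lockout counter, fed a constructed stream of authentication attempts.
import math

# Constructed sample: an attacker and a legitimate user behind the same NAT IP.
NAT_IP = "203.0.113.5"
ATTEMPTS = [
    (NAT_IP, "bob", False),    # attacker, bad guess 1
    (NAT_IP, "bob", False),    # attacker, bad guess 2
    (NAT_IP, "bob", False),    # attacker, bad guess 3
    (NAT_IP, "alice", True),   # legitimate user, correct password
]

class ReplyDelay:
    """Stateless: every failed auth just holds the reply for `delay` seconds."""
    def __init__(self, delay):
        self.delay = delay
    def handle(self, ip, user, ok):
        # Returns (verdict, seconds the client is held before it sees the reply).
        return ("accept", 0.0) if ok else ("reject", self.delay)

class IpLockout:
    """Stateful: after `limit` failures from an IP, refuse everyone behind it."""
    def __init__(self, limit):
        self.limit = limit
        self.failures = {}
    def handle(self, ip, user, ok):
        if self.failures.get(ip, 0) >= self.limit:
            return ("locked", 0.0)     # even a correct password is refused
        if ok:
            return ("accept", 0.0)
        self.failures[ip] = self.failures.get(ip, 0) + 1
        return ("reject", 0.0)

def run(policy, attempts):
    """Feed attempts through a policy and return the list of verdicts."""
    return [policy.handle(ip, user, ok)[0] for ip, user, ok in attempts]

def hours_to_exhaust(space, delay, connections):
    """Wall-clock hours to try `space` passwords when auth is synchronous, each
    failure holds its connection for `delay` seconds, and the attacker runs
    `connections` sessions in parallel."""
    return math.ceil(space / connections) * delay / 3600

if __name__ == "__main__":
    print(run(ReplyDelay(2.0), ATTEMPTS))   # alice is still accepted
    print(run(IpLockout(3), ATTEMPTS))      # alice is locked out by bob's failures
    print(hours_to_exhaust(10**6, 2.0, 1))  # one connection, a million guesses
```

The delayed-reply policy keeps no state, so the legitimate user behind the NAT is unaffected, while the counter-based policy refuses her correct password; the last function shows how the per-connection wait scales the attacker's cost down only in proportion to the parallel sessions opened.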