a) I read about auth_failure_delay even before I posted my question and I could not figure out the one-line explanation in the dovecot wiki: "Number of seconds to delay before replying to failed authentications." It's delaying a reply. Does that mean the hacker can keep asking as fast as he wants? Is it per user or per IP?
b) I'm familiar with mail_max_userip_connections = x, but I'm not familiar with the time limit you mention.
On 10/21/2014 5:02 PM, Reindl Harald wrote:
On 21.10.2014 at 23:28, Cliff Hayes wrote:
Does dovecot have any dictionary attack defenses yet? In the past I have had to implement defense from outside dovecot, but since dovecot is at the front lines and therefore is the first to know I'm hoping by now there is something we can set. For example, a limit on access failures per minute/hour/day or some such. If not, why not?
no - but you can set "auth_failure_delay = 5" and limit new connections per IP to something around 40 per 5 minutes and 100 per 30 minutes which stops many of them or at least limits the amount of tries dramatically
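To put numbers on the per-IP connection limit suggested above, here is an added example (not from the thread or from Dovecot) that models the two windows, 40 per 5 minutes and 100 per 30 minutes, as a sliding-window limiter and counts how many connections one address gets through in a day. The thread does not say where the limit is enforced; the class name, the rule that only accepted connections count toward the limit, and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

# Limits quoted in the thread: about 40 new connections per 5 minutes
# and 100 per 30 minutes, per source IP. (window_seconds, max_connections)
WINDOWS = ((300, 40), (1800, 100))


class ConnectionLimiter:
    """Hypothetical sliding-window limiter; only accepted connections count."""

    def __init__(self, windows=WINDOWS):
        self.windows = windows
        self.longest = max(w for w, _ in windows)
        self.accepted = defaultdict(deque)  # ip -> timestamps of accepted connections

    def allow(self, ip, now):
        seen = self.accepted[ip]
        # Forget connections older than the longest window.
        while seen and seen[0] <= now - self.longest:
            seen.popleft()
        # Refuse if any window already holds its maximum for this IP.
        for window, limit in self.windows:
            if sum(1 for ts in seen if ts > now - window) >= limit:
                return False
        seen.append(now)
        return True


def accepted_attempts(limiter, ip, duration, interval=1):
    """Count connections accepted from one IP that retries every `interval` seconds."""
    return sum(limiter.allow(ip, t) for t in range(0, duration, interval))


if __name__ == "__main__":
    day = 24 * 3600
    # Constructed traffic: 192.0.2.10 (documentation range) reconnects once per second.
    print("attempted:", day)
    print("accepted :", accepted_attempts(ConnectionLimiter(), "192.0.2.10", day))
```

The limit is tracked per source address, so guessing spread across many addresses is not bounded by it and still needs a per-account or log-based control.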