Hi all,
I want to remove the authentication penalty for specific ip addresses (subnets if possible).
I am using Dovecot 2.3.2 (582970113) and figured that this information: https://wiki2.dovecot.org/Authentication/Penalty
If the IP is in login_trusted_networks (e.g. webmail), skip any authentication penalties
is not up to date. Instead this information is: https://wiki2.dovecot.org/Upgrading/2.3
--- START --- *Localhost Auth Penalty*
Dovecot no longer disables auth penalty waits for clients connecting from localhost (or login_trusted_networks in general). The previous idea was that it would likely be a webmail that would have its own delays, but there are no guarantees about this.
If the old behavior is still wanted, it's possible to do nowadays even more generically with e.g.:
passdb { driver = passwd-file args = username_format=%{rip} /etc/dovecot/passdb }
/etc/dovecot/passdb:
127.0.0.1:::::::nodelay=yes 192.168.10.124:::::::nodelay=yes --- STOP ---
Adding the passdb section and creating a passdb file with the respective ip addresses does not have any effect though. Login failures through the webmailer are still being delayed.
"dovecot -n" shows that the new passdb section is loaded:
--- START --- passdb { args = username_format=%{rip} /etc/dovecot/passdb driver = passwd-file } passdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } --- STOP ---
Changing orders does not make a difference.
The passdb file contains these entries: --- START --- 127.0.0.1:::::::nodelay=yes 10.25.1.20:::::::nodelay=yes --- STOP ---
The logfile shows the increased delay: --- START --- Jul 10 23:37:16 9fcdf83ee81e dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<xxx@yyy.zzz>, method=PLAIN, rip=10.25.1.20, lip=10.25.1.10, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bit s) Jul 10 23:37:25 9fcdf83ee81e dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xxx@yyy.zzz>, method=PLAIN, rip=10.25.1.20, lip=10.25.1.10, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bit s) --- STOP ---
What am I missing?