Hi all,

I want to remove the authentication penalty for specific IP addresses (subnets if possible).

I am using Dovecot 2.3.2 (582970113) and figured that this information:
https://wiki2.dovecot.org/Authentication/Penalty
> If the IP is in login_trusted_networks (e.g. webmail), skip any authentication penalties

is not up to date.
Instead this information is:
https://wiki2.dovecot.org/Upgrading/2.3

--- START ---
Localhost Auth Penalty

Dovecot no longer disables auth penalty waits for clients connecting from localhost (or login_trusted_networks in general). The previous idea was that it would likely be a webmail that would have its own delays, but there are no guarantees about this.

If the old behavior is still wanted, it's possible to do nowadays even more generically with e.g.:

passdb {
 driver = passwd-file
 args = username_format=%{rip} /etc/dovecot/passdb
}

/etc/dovecot/passdb:

127.0.0.1:::::::nodelay=yes
192.168.10.124:::::::nodelay=yes
--- STOP ---


Adding the passdb section and creating a passdb file with the respective IP addresses does not have any effect though.
Login failures through the webmailer are still being delayed.

"dovecot -n" shows that the new passdb section is loaded:

--- START ---
passdb {
  args = username_format=%{rip} /etc/dovecot/passdb
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
--- STOP ---

Changing the order does not make a difference.

The passdb file contains these entries:
--- START ---
127.0.0.1:::::::nodelay=yes
10.25.1.20:::::::nodelay=yes
--- STOP ---

The logfile shows the increased delay:
--- START ---
Jul 10 23:37:16 9fcdf83ee81e dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<xxx@yyy.zzz>, method=PLAIN, rip=10.25.1.20, lip=10.25.1.10, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 10 23:37:25 9fcdf83ee81e dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xxx@yyy.zzz>, method=PLAIN, rip=10.25.1.20, lip=10.25.1.10, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
--- STOP ---


What am I missing?
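
A way to check the symptom described in the post, as an added example that is not part of the original message or of Dovecot: it reads the `nodelay=yes` keys from a passwd-file and lists which of those addresses still show slow failed-login sessions in the `imap-login` log. The function names, the 2-second threshold and the third log line (from 10.25.1.99) are assumptions made for the example; the other sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Sample inputs: passdb entries and the first two log lines are taken from the post;
# the third log line is constructed.
PASSDB_TEXT = """\
127.0.0.1:::::::nodelay=yes
10.25.1.20:::::::nodelay=yes
"""
LOG_TEXT = """\
Jul 10 23:37:16 9fcdf83ee81e dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<xxx@yyy.zzz>, method=PLAIN, rip=10.25.1.20, lip=10.25.1.10, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 10 23:37:25 9fcdf83ee81e dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xxx@yyy.zzz>, method=PLAIN, rip=10.25.1.20, lip=10.25.1.10, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 10 23:38:02 9fcdf83ee81e dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<xxx@yyy.zzz>, method=PLAIN, rip=10.25.1.99, lip=10.25.1.10, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

FAILED = re.compile(
    r"Disconnected \(auth failed, (\d+) attempts in (\d+) secs\).*?\brip=([0-9.]+)")

def nodelay_keys(passdb_text):
    """Return passwd-file keys (IPv4 only here) whose extra fields set nodelay=yes."""
    keys = set()
    for line in passdb_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # passwd-file layout: user:password:uid:gid:gecos:home:shell:extra_fields
        fields = line.split(":", 7)
        if len(fields) == 8 and "nodelay=yes" in fields[7].split():
            keys.add(fields[0])
    return keys

def failed_auth_durations(log_text):
    """Map each remote IP to the durations (secs) of its failed-auth sessions."""
    durations = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            durations[m.group(3)].append(int(m.group(2)))
    return dict(durations)

def still_delayed(passdb_text, log_text, threshold_secs=2):
    """Listed IPs that still have a failed-auth session lasting >= threshold_secs.
    The logged duration covers the whole session, so it is only an upper bound
    on the penalty wait itself."""
    exempt = nodelay_keys(passdb_text)
    return {ip: secs for ip, secs in failed_auth_durations(log_text).items()
            if ip in exempt and max(secs) >= threshold_secs}

if __name__ == "__main__":
    print(still_delayed(PASSDB_TEXT, LOG_TEXT))
```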