On Wed, 21 Jul 2010, Leonardo Rodrigues wrote:
I completely agree that dovecot is not the place for enforcing
password policies nor checking them.
But, still on the subject, maybe dovecot could have some
features for helping sysadmins to avoid/mitigate brute-force
attacks. As told, some bots try username=password, but those
fuckers (the bots) also try lots of common passwords, 123, 1234,
the username followed by some numbers, and lots of others.
Of course, if the provided password is not correct, dovecot
denies access as it should .... but in those situations, logs can
get pretty filled with login failed messages, especially on servers
with lots of accounts. And, in some cases, after lots of tries, the
bot can find the correct username/password combination.
[snip]
I think none of this is dovecot's function. Let's keep the UNIX
philosophy: one tool does one function, and does that function well.
Dovecot is an excellent mail server. It should not be turned into a
monster Windows-like application that does dozens of
not-really-quite-related things.
What you want can be done with other tools.
-- Eduardo M KALINOWSKI eduardo@kalinowski.com.br