On Dec 17, 2008, at 5:47 PM, Jose Celestino wrote:
> Words by Mike Abbott [Wed, Dec 17, 2008 at 09:35:16AM -0600]:
>> Here are a few more patches. Still keeping it easy for now. Again
>> the basis for these patches is dovecot-1.1.7.[...]
>> Patch #8. Back off after auth failures to deter abusers. Stalls 5 seconds per failed attempt.
>
> Can you make #8 configurable? We already have a sleep on auth
> failure on the module that does the auth (checkpassword) with some extra checks (for instance does not sleep on authentications coming from our webmail servers because they already do that) so we may not want that enabled.

dovecot-auth already does internally a 0-2 second failure delay
(flushes failures every 2 seconds). Hmm. Wonder if the increased
waiting could be done by dovecot-auth instead. There you can already
disable the internal wait by returning a "nodelay" field from
checkpassword (maybe you do already?)