I figured out how to do the test.
I did set "service_vsz_limit = unlimited". With that YESCRYPT_COST_FACTOR=11 works fine.
A service_vsz_limit value of 1000M is not enough to make it work. A value of 1100M is ok.
Matthias
Am Dienstag, dem 20.01.2026 um 21:26 +0100 schrieb Tom Hendrikx via dovecot:
Hi Matthias,
It would be nice if you could verify this assumption by raising the allowed memory usage (vsz_limit) for the auth process until YESCRYPT_COST_FACTOR=11 actually works.
Just curious though, not using yescrypt here
Kind regards, Tom
On 1/16/26 16:38, Matthias Bodenbinder via dovecot wrote:
Hello John,
I have answered in more detail in another email.
After reading a lot more about this topic I believe it is not a timeout issue but more of a memory allocation issue.
E.g.: https://www.openwall.com/lists/yescrypt/2024/03/20/2
In the above thread it is claimed that: The value 11 results in 1 GiB memory usage
That is a lot. I will refrain from using that. I will go for a value of 7. That is good enough.
Kind Regards Matthias
Am Freitag, dem 16.01.2026 um 14:16 +0100 schrieb John Fawcett via dovecot:
Hi Matthias
I'm pretty sure that this value (AUTH_FAILURE_DELAY_CHECK_MSECS) is the delay that Dovecot waits after the failure before reporting it, so not really relevant since the failure has already happened when that comes into play.
Out of curiosity, when you do the test that fails, how long did it take before it failed?
Maybe there is a timeout configured in pam (e.g. LOGIN_TIMEOUT in login.defs) or elsewhere.
John
On 11/01/2026 10:11, Matthias Bodenbinder via dovecot wrote:
Am Freitag, dem 09.01.2026 um 10:30 +0100 schrieb Matthias Bodenbinder via dovecot:
Hi,
dovecot does not work with ENCRYPT_METHOD YESCRYPT and YESCRYPT_COST_FACTOR=11. I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros.
When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and recreacting the user password for my user and restarting the dovecot service I get:
doveadm auth test matthias
Password: passdb: matthias auth failed extra fields: user=matthias When reverting the change to YESCRYPT_COST_FACTOR=5 it works again:
doveadm auth test matthias
Password: passdb: matthias auth succeeded extra fields: user=matthias
I have tested this back and forth. The culprit is definitely a high value for YESCRYPT_COST_FACTOR. A value of 7 is still good but a value of 9 or 11 fails.
Can it be that this problem has to do with
#define AUTH_FAILURE_DELAY_CHECK_MSECS 500
in auth-request-handler.c ?
Increasing the YESCRYPT_COST_FACTOR for the password hashing will certainly extend the time of the pam auth process.
Matthias
dovecot mailing list --dovecot@dovecot.org To unsubscribe send an email todovecot-leave@dovecot.org Hi Matthias
I'm pretty sure that this value (AUTH_FAILURE_DELAY_CHECK_MSECS) is the delay that Dovecot waits after the failure before reporting it, so not really relevant since the failure has already happened when that comes into play.
Out of curiosity, when you do the test that fails, how long did it take before it failed?
Maybe there is a timeout configured in pam (e.g. LOGIN_TIMEOUT in login.defs) or elsewhere.
John
On 11/01/2026 10:11, Matthias Bodenbinder via dovecot wrote:
Am Freitag, dem 09.01.2026 um 10:30 +0100 schrieb Matthias Bodenbinder via dovecot:
Hi,
dovecot does not work with ENCRYPT_METHOD YESCRYPT and YESCRYPT_COST_FACTOR=11. I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros.
When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and recreacting the user password for my user and restarting the dovecot service I get:
# doveadm auth test matthias Password: passdb: matthias auth failed extra fields: user=matthias
When reverting the change to YESCRYPT_COST_FACTOR=5 it works again:
# doveadm auth test matthias Password: passdb: matthias auth succeeded extra fields: user=matthias
I have tested this back and forth. The culprit is definitely a high value for YESCRYPT_COST_FACTOR. A value of 7 is still good but a value of 9 or 11 fails.
Can it be that this problem has to do with
#define AUTH_FAILURE_DELAY_CHECK_MSECS 500
in auth-request-handler.c ?
Increasing the YESCRYPT_COST_FACTOR for the password hashing will certainly extend the time of the pam auth process.
Matthias
_______________________________________________ dovecot mailing list -- [1]dovecot@dovecot.org To unsubscribe send an email to [2]dovecot-leave@dovecot.org
References
Visible links 1. mailto:dovecot@dovecot.org 2. mailto:dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org