Hello,
with no reply yet on this topic I am wondering if this is the right place to address the topic.
With its behaviour dovecot prevents the hardening of password hashes. For security reasons it is recommended to increase YESCRYPT_COST_FACTOR above the default value of 5.
e.g. https://linux-audit.com/authentication/linux-password-security-hashing-round...
This is not possible when dovecot is running because dovecot can not authenticate users where the password was created with a high YESCRYPT_COST_FACTOR.
And this affects all major linux distros because they all use ENCRYPT_METHOD YESCRYPT these days. (e.g. debian, ubuntu, fedora, arch, kali linux)
Can someone please let me know if this mailing list is the right place to address this and/or recommend a better place to me?
Thank you, Matthias
On Sunday, 11.01.2026 at 10:11 +0100, Matthias Bodenbinder via dovecot wrote:
On Friday, 09.01.2026 at 10:30 +0100, Matthias Bodenbinder via dovecot wrote:
Hi,
dovecot does not work with ENCRYPT_METHOD YESCRYPT and YESCRYPT_COST_FACTOR=11. I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros.
When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and recreating the user password for my user and restarting the dovecot service I get:
doveadm auth test matthias
Password: passdb: matthias auth failed extra fields: user=matthias
When reverting the change to YESCRYPT_COST_FACTOR=5 it works again:
doveadm auth test matthias
Password: passdb: matthias auth succeeded extra fields: user=matthias
I have tested this back and forth. The culprit is definitely a high value for YESCRYPT_COST_FACTOR. A value of 7 is still good but a value of 9 or 11 fails.
Can it be that this problem has to do with
#define AUTH_FAILURE_DELAY_CHECK_MSECS 500
in auth-request-handler.c ?
Increasing the YESCRYPT_COST_FACTOR for the password hashing will certainly extend the time of the pam auth process.
Matthias
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
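The messages above turn on how much slower each PAM check becomes as YESCRYPT_COST_FACTOR rises; as an added example that is not from this thread or from dovecot, the script below decodes the parameter field of a yescrypt `$y$` hash (the variable-length encoding from yescrypt-common.c) so an administrator can read off the N and r a stored hash was created with and the memory each verification touches. It assumes libxcrypt-style `$y$` settings; the salt and hash portions of the sample are constructed, while its `$y$j9T$` prefix is the one the default cost factor produces (N=4096, r=32, 16 MiB).

```python
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
YESCRYPT_RW = 2  # from yescrypt.h; flavors >= this value encode RW-mode flags


def _decode64_uint32(s, pos, minimum):
    """yescrypt's decode64_uint32(): returns (value, position after the digits)."""
    start, end, chars, bits = 0, 47, 1, 0
    c = ITOA64.index(s[pos])
    pos += 1
    val = minimum
    while c > end:  # the first digit also says how many more digits follow
        val += end + 1
        start = end + 1
        end = start + (62 - end) * 64 - 1
        chars += 1
        bits += 6
    val += (c - start) << bits
    for _ in range(chars - 1):  # remaining 6-bit digits, most significant first
        bits -= 6
        val += ITOA64.index(s[pos]) << bits
        pos += 1
    return val, pos


def parse_yescrypt_setting(setting):
    """Parse the parameter field of '$y$<params>$<salt>$<hash>' into a dict."""
    if not setting.startswith("$y$"):
        raise ValueError("not a yescrypt ($y$) setting")
    pos = 3
    flavor, pos = _decode64_uint32(setting, pos, 0)
    # flavor < RW: flags stored as-is; otherwise RW flags were packed as (flags-RW)>>2
    flags = flavor if flavor < YESCRYPT_RW else YESCRYPT_RW + ((flavor - YESCRYPT_RW) << 2)
    n_log2, pos = _decode64_uint32(setting, pos, 1)
    r, pos = _decode64_uint32(setting, pos, 1)
    params = {"flags": flags, "N_log2": n_log2, "N": 1 << n_log2, "r": r, "p": 1, "t": 0, "g": 0}
    if setting[pos] != "$":  # optional p/t/g fields, announced by a bitmask
        have, pos = _decode64_uint32(setting, pos, 1)
        if have & 1:
            params["p"], pos = _decode64_uint32(setting, pos, 2)
        if have & 2:
            params["t"], pos = _decode64_uint32(setting, pos, 1)
        if have & 4:
            params["g"], pos = _decode64_uint32(setting, pos, 1)
    if setting[pos] != "$":
        raise ValueError("malformed parameter field")
    # Memory the main V array touches per verification: 128 * r * N bytes.
    params["memory_bytes"] = 128 * r * (1 << n_log2)
    return params


# Constructed sample: default-cost $y$j9T$ prefix; salt and hash parts are fake.
SAMPLE_SETTING = "$y$j9T$ConstructedSalt$ConstructedHashValue"
```

Each increment of N_log2 doubles both the memory and, roughly, the time of one verification, which is the growth the 500 ms auth-delay question in the thread is about.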