Thanos Chatziathanassiou wrote:
A relatively recent development that spammers got wind of is users that have username==password, with/without the domain. I am tracking numerous 1-off attempts from bots to gain access to mailboxes this way. The situation isn't made any better if you're also using dovecot as the SMTP AUTH provider, for I am ashamed to admit I've relayed some spam that way. Would it be possible to deny login if username==password, with a (non?)polite/custom message to go change your password to something less obvious?
Dovecot isn't the place for this...
Use cracklib (on linux - the equivalent for whatever OS you are using if not linux) with your passdb backend, and simply force users to use strong passwords, period.
In this day and age any sys admin who isn't doing this is just asking to be hacked.
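As an added illustration of the policy both posts are talking about (not code from Dovecot, cracklib, or either poster), the following Python check rejects a candidate password that equals the login name in any of the forms a bot tries: the full address, the local part, or the domain, compared case-insensitively. It goes slightly beyond the thread by also rejecting the reversed name and the name followed by up to four trailing digits or symbols, and by enforcing a minimum length. The function names, the `min_length` default and the decoration pattern are this example's own assumptions; the check is meant to run where passwords are set or changed, which is where the reply says enforcement belongs.

```python
"""Password-policy check: reject passwords that equal the username.

Constructed example; not code from the Dovecot project or the posters.
Intended for the password-change path (or a passdb-side policy hook),
so that a username==password account never gets created in the first
place instead of being caught at login time.
"""
import re
from dataclasses import dataclass

# Trailing "decoration" users bolt onto a name (alice1, alice!, alice2024).
# Assumption of this example: up to four trailing digits/symbols count as
# "the username" for policy purposes.
DECORATION = r"[0-9!@#$%^&*._-]{1,4}"


@dataclass
class PolicyResult:
    ok: bool
    reason: str  # message to show the user when the password is rejected


def username_forms(username: str) -> set[str]:
    """Login-name variants a password must not equal, lower-cased.

    For 'alice@example.com' this is {'alice@example.com', 'alice', 'example.com'};
    for a bare 'alice' it is just {'alice'}.
    """
    forms = {username}
    local, sep, domain = username.partition("@")
    if sep:
        forms.add(local)
        forms.add(domain)
    return {f.lower() for f in forms}


def check_password(username: str, password: str, min_length: int = 12) -> PolicyResult:
    """Return PolicyResult(ok=False, reason) if the password is unacceptable."""
    pw = password.lower()
    for form in username_forms(username):
        # Exact match, with or without the domain part (the case in the thread).
        if pw == form or pw == form[::-1]:
            return PolicyResult(False, "password must not be your username or a part of it")
        # Username plus trivial suffix, e.g. 'alice123!'.
        if re.fullmatch(re.escape(form) + DECORATION, pw):
            return PolicyResult(False, "password must not be your username with digits or symbols appended")
    if len(password) < min_length:
        return PolicyResult(False, f"password must be at least {min_length} characters")
    return PolicyResult(True, "ok")


if __name__ == "__main__":
    # Constructed sample inputs.
    for user, pw in [
        ("alice@example.com", "alice@example.com"),
        ("alice@example.com", "Alice"),
        ("alice@example.com", "alice123!"),
        ("alice@example.com", "correct horse battery staple"),
    ]:
        result = check_password(user, pw)
        print(f"{user!r} / {pw!r}: {'accepted' if result.ok else 'rejected: ' + result.reason}")
```

A check like this only helps for passwords being set from now on; for existing mailboxes the practical complement is the reply's advice of a strength library in the passdb path, plus the normal failed-auth monitoring on the IMAP/SMTP AUTH side.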