Currently Dovecot works like this when authentication fails:
- the delay is always at least auth_failure_delay seconds (default: 2s)
- each failed attempt doubles the delay for that specific imap/pop3 connection (no such delays for e.g. smtp)
- the delay's upper limit is 3 minutes
For v2.0 I was planning on making dovecot-auth process do these checks and keeping the state in anvil process:
- the delay is always at least auth_failure_delay seconds (default: 2s)
- for each remote IP address the delay is doubled, regardless of how the request comes (imap, pop3, smtp, etc).
- the delay's upper limit is .. hardcoded to 15 secs? I kind of hate the thought of making this configurable.
- each successful authentication from the IP resets the IP's delay
- the delay happens before authentication is even attempted, so even successful auth attempts will have the delay (unless of course there haven't been auth failures from that IP)
If the upper limit is 15 secs, that means max. 240 auth attempts per hour per IP. The reason I was thinking 15 secs is because I have some vague memories about Thunderbird dropping connection after 15 or maybe 30 seconds of idling.
If a user has one successful login, it's of course possible to get around the delay doubling by just doing failed attempt -> successful attempt -> failed -> success -> etc. But probably no one is really going to try to do that, and even if they did it's still not that bad. The second successful login will still have that 2 second delay before it resets the delay. So that's still max one auth/2 seconds or max. 1800 auth attempts/hour.
Any thoughts?
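As an added illustration (not Dovecot's own code), here is a small Python model of the proposed per-IP scheme above: a minimum delay of auth_failure_delay, doubling per failure, a 15 second cap, reset on success, and the delay charged before the attempt. The class and function names and the sample IP are made up for the example; it also reproduces the 240/hour and 1800/hour figures from the post.

```python
from dataclasses import dataclass, field

AUTH_FAILURE_DELAY = 2.0   # auth_failure_delay default (seconds)
MAX_DELAY = 15.0           # the proposed hardcoded upper limit (seconds)


@dataclass
class FailureDelayTracker:
    """Per-remote-IP delay state, modelled on what the post proposes keeping in anvil.
    The delay is charged before authentication is attempted, whatever the protocol."""
    delays: dict = field(default_factory=dict)

    def delay_before_auth(self, ip: str) -> float:
        # Applies even to attempts that will succeed; 0 if the IP has no recent failures.
        return self.delays.get(ip, 0.0)

    def record_result(self, ip: str, success: bool) -> None:
        if success:
            self.delays.pop(ip, None)            # a successful auth resets the IP's delay
        else:
            doubled = self.delays.get(ip, 0.0) * 2
            # at least auth_failure_delay, doubling per failure, never above the cap
            self.delays[ip] = min(max(AUTH_FAILURE_DELAY, doubled), MAX_DELAY)


def delays_for_repeated_failures(n: int, ip: str = "198.51.100.7") -> list:
    """Delay charged before each of n consecutive failing attempts from one (constructed) IP."""
    tracker, seen = FailureDelayTracker(), []
    for _ in range(n):
        seen.append(tracker.delay_before_auth(ip))
        tracker.record_result(ip, success=False)
    return seen


def steady_state_failures_per_hour(pattern: list, ip: str = "198.51.100.7",
                                   warmup_cycles: int = 10) -> float:
    """Repeat `pattern` (True = success, False = failure) until the per-IP
    state stabilises, then return failed attempts per hour at that rate."""
    if False not in pattern:
        raise ValueError("pattern must contain at least one failure")
    tracker = FailureDelayTracker()
    for _ in range(warmup_cycles):
        for ok in pattern:
            tracker.record_result(ip, ok)
    cycle_delay = 0.0
    for ok in pattern:
        cycle_delay += tracker.delay_before_auth(ip)
        tracker.record_result(ip, ok)
    return pattern.count(False) * 3600 / cycle_delay


if __name__ == "__main__":
    print(delays_for_repeated_failures(6))                # [0.0, 2.0, 4.0, 8.0, 15.0, 15.0]
    print(steady_state_failures_per_hour([False]))        # 240.0
    print(steady_state_failures_per_hour([False, True]))  # 1800.0
```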