Timo Sirainen wrote:
On Wed, 2010-07-21 at 14:57 +0300, Thanos Chatziathanassiou wrote:
Timo Sirainen wrote:
On 21.7.2010, at 12.29, Thanos Chatziathanassiou wrote:
Would it be possible to deny login if username==password with a (non?)polite/custom message to go change your password to something less obvious?
What passdb do you use?
passwd-file with md5-crypt though I could easily swap it for an SQL variant.
With SQL this should be pretty easy to do. If password matches username ('%w' = '%u') have it return 'y' as nologin and 'bad password' as reason.
Correct. Should be fairly easy to do - just need a compatible crypt() function in SQL. Never thought of that.
I think I'll be fairly shielded from this kind of thing in the future, just brought it up because all of us here manage people's mails one way or another.
I think this is one of the tons of different possible password policies and isn't really Dovecot's job. It really should be enforced while setting the password, not while checking it.
Indeed, though it seems that someone went out of their way to have their password changed to this and I was worried that a similar loophole exists that I'm not aware of. Anyway thanks for the tip.
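For accounts that already exist, this added example (not from the thread or from Dovecot) audits a passwd-file with md5-crypt hashes for entries whose password equals the username. Checking the local part of user@domain goes beyond the case discussed, and the sample users, salts and file contents are constructed.

```python
import hashlib
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: bytes, salt: bytes) -> str:
    """md5-crypt ($1$), the scheme behind the thread's passwd-file hashes."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    for off in range(0, len(password), 16):
        ctx.update(alt[:len(password) - off])  # at most 16 bytes per round
    n = len(password)
    while n:
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed stretching rounds
        c = hashlib.md5(password if i & 1 else final)
        c.update((salt if i % 3 else b"") + (password if i % 7 else b""))
        c.update(final if i & 1 else password)
        final = c.digest()
    out = ""
    for a, b, d in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[d]
        out += "".join(ITOA64[(v >> s) & 63] for s in (0, 6, 12, 18))
    out += ITOA64[final[11] & 63] + ITOA64[final[11] >> 6]
    return "$1$" + salt.decode() + "$" + out

def weak_accounts(passwd_text: str) -> list:
    """Return users whose md5-crypt hash matches their own username."""
    flagged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        user, stored = fields[0], fields[1].replace("{MD5-CRYPT}", "", 1)
        if not stored.startswith("$1$"):
            continue  # other schemes are not checked here
        salt = stored.split("$")[2].encode()
        guesses = (user, user.split("@")[0])  # local part: added generalization
        if any(md5_crypt(g.encode(), salt) == stored for g in guesses):
            flagged.append(user)
    return flagged

# Constructed sample file; carol's hash is for the password "password".
SAMPLE = "\n".join([
    "alice:" + md5_crypt(b"alice", b"Qx7pLm2a") + ":1000:1000::/home/alice",
    "bob@example.com:{MD5-CRYPT}" + md5_crypt(b"bob", b"s4ltS4lt"),
    "carol:$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.:1002:1002::/home/carol",
])
print(weak_accounts(SAMPLE))
```

Flagged accounts can then be forced through a password change, with the same comparison applied at the point where passwords are set.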