On Wed, 2010-07-21 at 14:57 +0300, Thanos Chatziathanassiou wrote:
Timo Sirainen wrote:
On 21.7.2010, at 12.29, Thanos Chatziathanassiou wrote:
Would it be possible to deny login if username==password with a (non?)polite/custom message to go change your password to something less obvious?
What passdb do you use?
passwd-file with md5-crypt though I could easily swap it for an SQL variant.
With SQL this should be pretty easy to do. If password matches username ('%w' = '%u') have it return 'y' as nologin and 'bad password' as reason.
I think I'll be fairly shielded from this kind of thing in the future, just brought it up because all of us here manage people's mails one way or another.
I think this is one of the tons of different possible password policies and isn't really Dovecot's job. It really should be enforced while setting the password, not while checking it.
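
The SQL approach suggested earlier in the thread, written out as an added example (not from the original messages and not Dovecot's shipped configuration). The `users` table and its `userid` and `password` columns are assumed names; `nologin` and `reason` are Dovecot passdb extra fields, and a NULL value from SQL leaves the field unset.

```sql
-- Statement to use as password_query in the Dovecot SQL passdb configuration.
-- Only the SELECT belongs in the setting; these comment lines are explanation.
--
-- Assumed schema (hypothetical): users(userid, password)
-- Dovecot variables expanded before the query is sent:
--   %u = full username as given at login
--   %n = user part of user@domain
--   %w = plaintext password submitted by the client
--
-- When the submitted password equals the username, nologin is returned
-- non-NULL, so the login is refused even though the password verifies,
-- and reason carries the failure message ('bad password', as in the thread).
-- The %n comparison is an addition here: it also catches "user@domain"
-- logging in with the password "user".
SELECT
  userid AS user,
  password,
  CASE WHEN '%w' = '%u' OR '%w' = '%n' THEN 'y' ELSE NULL END AS nologin,
  CASE WHEN '%w' = '%u' OR '%w' = '%n' THEN 'bad password' ELSE NULL END AS reason
FROM users
WHERE userid = '%u'
```

`%w` is only populated for plaintext mechanisms such as PLAIN and LOGIN, and because it is expanded into the query text, the submitted password can end up in SQL server query logs or auth debug output. Rejecting such passwords in the password-change path, as the last reply recommends, avoids both issues.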