On Mon, 13 Jun 2011, Timo Sirainen wrote:
> With v2.0 it was already limiting. It increased each login failure delay to 15 seconds before the failure was reported. Although maybe something wasn't working correctly, because 50k hits is more than I think should have been possible. Assuming you have default_process_limit=100 (default), there should have been a maximum of 20k attempts (100 processes / 15 seconds * 60*50 seconds).
I've also seen the reported type of dictionary attacks. Login failure delay doesn't really help much for those... they just open numerous new connections and only try 1 username/password on each connection. On one server, that got me loads of messages like these in my logs:
Feb 13 00:40:46 poseidon kernel: TCP: drop open request from 64.73.242.138/1536
and
Feb 13 00:44:07 poseidon kernel: NET: 220 messages suppressed.
After being firewalled, it kept hammering on the pop3 port for 90 more seconds, after which it probably found another door to hammer.
Although I wouldn't really mind if dovecot can be set up to handle this "gracefully", I'd say this is a more generic problem that is better solved at network level than within dovecot. (So it can be used for other services as well.)
-- Maarten
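As an added illustration of the network-level approach Maarten describes (this is example code written for this page, not something posted in the thread or shipped with Dovecot), the script below reads kernel log lines of the two kinds quoted above, counts "drop open request" events per source address in a sliding window, and renders a plain per-source iptables DROP rule for any address that exceeds a threshold. The log lines are constructed for the example (documentation-range addresses, made-up timestamps); the window size, threshold and the choice to block on port 110 only are assumptions, not settings from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input in the shape of the kernel messages quoted in the thread
# (syslog timestamp, host, "kernel:" tag). Addresses and times are made up.
SAMPLE_LOG = """\
Feb 13 00:40:46 poseidon kernel: TCP: drop open request from 192.0.2.10/1536
Feb 13 00:40:47 poseidon kernel: TCP: drop open request from 192.0.2.10/1537
Feb 13 00:40:47 poseidon kernel: TCP: drop open request from 198.51.100.7/40001
Feb 13 00:40:48 poseidon kernel: TCP: drop open request from 192.0.2.10/1538
Feb 13 00:40:49 poseidon kernel: TCP: drop open request from 192.0.2.10/1539
Feb 13 00:44:07 poseidon kernel: NET: 220 messages suppressed.
Feb 13 00:44:08 poseidon kernel: TCP: drop open request from 192.0.2.10/1540
"""

DROP_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) kernel: "
    r"TCP: drop open request from ([\d.]+)/(\d+)$"
)
SUPPRESSED_RE = re.compile(r"kernel: NET: (\d+) messages suppressed\.$")


def parse_line(line):
    """Classify one log line: ('drop', timestamp, source_ip),
    ('suppressed', None, count) or None for anything else."""
    m = DROP_RE.match(line)
    if m:
        # Syslog timestamps carry no year; year 1900 is fine for relative windows.
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        return ("drop", ts, m.group(3))
    m = SUPPRESSED_RE.search(line)
    if m:
        return ("suppressed", None, int(m.group(1)))
    return None


def flag_sources(lines, window_seconds=60, threshold=3):
    """Sliding-window count of dropped open requests per source address.

    Returns ({ip: peak hits seen in any window}, suppressed_total).
    The suppressed total is reported separately because a 'NET: N messages
    suppressed' line does not say which sources the missing messages belonged
    to, so the per-source counts are a lower bound whenever it is non-zero."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)       # ip -> highest window count observed
    suppressed = 0
    for line in lines:
        ev = parse_line(line.rstrip("\n"))
        if ev is None:
            continue
        kind, ts, value = ev
        if kind == "suppressed":
            suppressed += value
            continue
        q = recent[value]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[value] = max(peak[value], len(q))
    flagged = {ip: n for ip, n in peak.items() if n >= threshold}
    return flagged, suppressed


def render_block_rule(ip, port=110):
    """Render (not execute) a per-source DROP rule for the POP3 port.
    Assumed policy for this example: block the single source on one port."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"


if __name__ == "__main__":
    flagged, suppressed = flag_sources(SAMPLE_LOG.splitlines())
    for ip, hits in flagged.items():
        print(f"{ip}: {hits} dropped open requests in one window")
        print("  " + render_block_rule(ip))
    if suppressed:
        print(f"note: {suppressed} kernel messages were suppressed; counts are a lower bound")
```

With the constructed input, 192.0.2.10 peaks at four hits inside one 60-second window and is flagged, while the single hit from 198.51.100.7 is not; the 220 suppressed messages are surfaced as a caveat rather than attributed to either address. A real deployment would feed the rule to the firewall through whatever mechanism it already uses and would tune the window and threshold to the server's normal connection rate.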