YESCRYPT_COST_FACTOR=11 not working
Hi,
dovecot does not work with ENCRYPT_METHOD YESCRYPT and YESCRYPT_COST_FACTOR=11. I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros.
When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and recreating the user password for my user and restarting the dovecot service I get:
# doveadm auth test matthias
Password:
passdb: matthias auth failed
extra fields:
user=matthias
When reverting the change to YESCRYPT_COST_FACTOR=5 it works again:
# doveadm auth test matthias
Password:
passdb: matthias auth succeeded
extra fields:
user=matthias
I have tested this back and forth. The culprit is definitely a high value for YESCRYPT_COST_FACTOR. A value of 7 is still good but a value of 9 or 11 fails.
Matthias
On Friday, 09.01.2026 at 10:30 +0100, Matthias Bodenbinder via dovecot wrote:
Hi,
dovecot does not work with ENCRYPT_METHOD YESCRYPT and YESCRYPT_COST_FACTOR=11. I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros.
When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and recreating the user password for my user and restarting the dovecot service I get:
# doveadm auth test matthias
Password:
passdb: matthias auth failed
extra fields:
user=matthias
When reverting the change to YESCRYPT_COST_FACTOR=5 it works again:
# doveadm auth test matthias
Password:
passdb: matthias auth succeeded
extra fields:
user=matthias
I have tested this back and forth. The culprit is definitely a high value for YESCRYPT_COST_FACTOR. A value of 7 is still good but a value of 9 or 11 fails.
Can it be that this problem has to do with
#define AUTH_FAILURE_DELAY_CHECK_MSECS 500
in auth-request-handler.c ?
Increasing the YESCRYPT_COST_FACTOR for the password hashing will certainly extend the time of the pam auth process.
Matthias
Hello,
with no reply yet on this topic I am wondering if this is the right place to address the topic.
With its behaviour dovecot prevents the hardening of password hashes. For security reasons it is recommended to increase YESCRYPT_COST_FACTOR above the default value of 5.
e.g. https://linux-audit.com/authentication/linux-password-security-hashing-round...
This is not possible when dovecot is running because dovecot can not authenticate users where the password was created with a high YESCRYPT_COST_FACTOR.
And this affects all major linux distros because they all use ENCRYPT_METHOD YESCRYPT these days. (e.g. debian, ubuntu, fedora, arch, kali linux)
Can someone please let me know if this mailing list is the right place to address this and/or recommend a better place to me?
Thank you, Matthias
On Sunday, 11.01.2026 at 10:11 +0100, Matthias Bodenbinder via dovecot wrote:
Can it be that this problem has to do with
#define AUTH_FAILURE_DELAY_CHECK_MSECS 500
in auth-request-handler.c ?
Increasing the YESCRYPT_COST_FACTOR for the password hashing will certainly extend the time of the pam auth process.
Matthias
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Dovecot is not a UI software so setting too high or heavy computational cost will not work. I would recommend you use application password for imap access instead or use webmail with oauth2.
It's not really a dovecot problem if you use pam settings that run too long.
Aku
On 15/01/2026 11:24 EET Matthias Bodenbinder via dovecot <dovecot@dovecot.org> wrote:
Hello,
with no reply yet on this topic I am wondering if this is the right place to address the topic.
With its behaviour dovecot prevents the hardening of password hashes. For security reasons it is recommended to increase YESCRYPT_COST_FACTOR above the default value of 5.
e.g. https://linux-audit.com/authentication/linux-password-security-hashing-rounds/#yescrypt
This is not possible when dovecot is running because dovecot can not authenticate users where the password was created with a high YESCRYPT_COST_FACTOR.
And this affects all major linux distros because they all use ENCRYPT_METHOD YESCRYPT these days. (e.g. debian, ubuntu, fedora, arch, kali linux)
Can someone please let me know if this mailing list is the right place to address this and/or recommend a better place to me?
Thank you,
Matthias
Ok. Understood. I have now implemented a dovecot specific password file and that works fine.
I believe that this is hard to maintain in a multi user environment. It imposes an extra user management task on the sys admin and/or the user.
From my point of view dovecot should support pam authentication even with the highest security settings out of the box. And that is YESCRYPT_COST_FACTOR=11.
Matthias
On Thursday, 15.01.2026 at 12:03 +0200, Aki Tuomi via dovecot wrote:
Dovecot is not a UI software so setting too high or heavy computational cost will not work. I would recommend you use application password for imap access instead or use webmail with oauth2.
It's not really a dovecot problem if you use pam settings that run too long.
Aku
Hi Matthias
I'm pretty sure that this value (AUTH_FAILURE_DELAY_CHECK_MSECS) is the delay that Dovecot waits after the failure before reporting it, so not really relevant since the failure has already happened when that comes into play.
Out of curiosity, when you do the test that fails, how long did it take before it failed?
Maybe there is a timeout configured in pam (e.g. LOGIN_TIMEOUT in login.defs) or elsewhere.
John
Hi John,
this is not a pam timeout issue. I have the passwords of my user and the root user created with YESCRYPT_COST_FACTOR=11 and it works fine. ssh, postfix, nfs, gdm, etc. Everything works except dovecot.
With this command you can check which YESCRYPT_COST_FACTOR has been used:
getent shadow | awk -F: '$2 ~ /^\$/' | column --table --separator :$
root     y  jFT  ...
matthias y  jFT  ...
guest    y  j9T  ...
jFT stands for YESCRYPT_COST_FACTOR=11
j9T stands for YESCRYPT_COST_FACTOR=5
(see also here: https://linux-audit.com/authentication/linux-password-security-hashing-round...)
When I test for user guest (with j9T) I get:
time doveadm auth test guest
Password:
passdb: guest auth succeeded
extra fields:
user=guest
doveadm auth test guest 0,00s user 0,00s system 0% cpu 2,195 total
When I test for user matthias (with jFT) I get:
time doveadm auth test matthias
Password:
passdb: matthias auth failed
extra fields:
user=matthias
doveadm auth test matthias 0,00s user 0,00s system 0% cpu 8,996 total
When I recreate the password for user matthias with YESCRYPT_COST_FACTOR=5 the issue is gone.
pamtester is also successful with YESCRYPT_COST_FACTOR=11
pamtester --verbose system-auth matthias authenticate
pamtester: invoking pam_start(system-auth, matthias, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
ssh login works fine too:
Jan 16 15:53:08 rakete sshd-session[49576]: Accepted password for matthias from 192.168.132.182 port 50692 ssh2
Jan 16 15:53:08 rakete sshd-session[49576]: pam_unix(sshd:session): session opened for user matthias(uid=1000) by matthias(uid=0)
I also tested dovecot with YESCRYPT_COST_FACTOR=7 and that worked. YESCRYPT_COST_FACTOR=9 didn't work.
Kind Regards Matthias
On Friday, 16.01.2026 at 14:16 +0100, John Fawcett via dovecot wrote:
Hi Matthias
I'm pretty sure that this value (AUTH_FAILURE_DELAY_CHECK_MSECS) is the delay that Dovecot waits after the failure before reporting it, so not really relevant since the failure has already happened when that comes into play.
Out of curiosity, when you do the test that fails, how long did it take before it failed?
Maybe there is a timeout configured in pam (e.g. LOGIN_TIMEOUT in login.defs) or elsewhere.
John
Hello John,
I have answered in more detail in another email.
After reading a lot more about this topic I believe it is not a timeout issue but more of a memory allocation issue.
E.g.: https://www.openwall.com/lists/yescrypt/2024/03/20/2
In the above thread it is claimed that: The value 11 results in 1 GiB memory usage
That is a lot. I will refrain from using that. I will go for a value of 7. That is good enough.
Kind Regards Matthias
Hi Matthias,
It would be nice if you could verify this assumption by raising the allowed memory usage (vsz_limit) for the auth process until YESCRYPT_COST_FACTOR=11 actually works.
Just curious though, not using yescrypt here
Kind regards, Tom
On 1/16/26 16:38, Matthias Bodenbinder via dovecot wrote:
Hello John,
I have answered in more detail in another email.
After reading a lot more about this topic I believe it is not a timeout issue but more of a memory allocation issue.
E.g.: https://www.openwall.com/lists/yescrypt/2024/03/20/2
In the above thread it is claimed that: The value 11 results in 1 GiB memory usage
That is a lot. I will refrain from using that. I will go for a value of 7. That is good enough.
Kind Regards Matthias
On Tuesday, 20.01.2026 at 21:26 +0100, Tom Hendrikx via dovecot wrote:
It would be nice if you could verify this assumption by raising the allowed memory usage (vsz_limit) for the auth process until YESCRYPT_COST_FACTOR=11 actually works.
I can do that. How do I have to set this?
Matthias
I figured out how to do the test.
I did set "service_vsz_limit = unlimited". With that YESCRYPT_COST_FACTOR=11 works fine.
A service_vsz_limit value of 1000M is not enough to make it work. A value of 1100M is ok.
Matthias
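The jFT/j9T check from the earlier post and the memory figures reported above, combined in one added example that is not part of any post in this thread: it decodes the yescrypt parameter field of a shadow entry, estimates the memory one hash computation needs as 128 * r * N bytes, and compares that with a service_vsz_limit value. The shadow lines are constructed, the mapping back to YESCRYPT_COST_FACTOR assumes libxcrypt's cost table, and the M suffix is assumed to mean MiB; the jBT (cost 7) entry goes beyond the two prefixes quoted in the thread.

```python
# Added example: estimate per-hash yescrypt memory from shadow entries and
# compare it with a Dovecot service_vsz_limit value.

# crypt(3) base-64 alphabet used by yescrypt's parameter field.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Assumption: size suffixes are binary multiples (M = MiB).
_UNITS = {"B": 1, "K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}

# Constructed sample in shadow(5) layout; salts and hashes are placeholders.
# The jBT entry (cost 7) is derived from the encoding, not quoted from the thread.
SAMPLE_SHADOW = [
    "root:$y$jFT$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::",
    "matthias:$y$jFT$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::",
    "guest:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::",
    "archive:!$y$jBT$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::",
    "legacy:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::",
    "daemon:*:20000:0:99999:7:::",
]


def _decode_small(ch, minimum):
    """Decode one parameter character (single-character values only).

    A value that fits in one character is stored as alphabet index + minimum
    for indices 0..47; longer multi-character encodings are rejected here.
    """
    idx = ITOA64.find(ch)
    if idx < 0 or idx > 47:
        raise ValueError(f"unsupported parameter character {ch!r}")
    return idx + minimum


def parse_yescrypt(hash_field):
    """Return (n_log2, r) for '$y$<params>$<salt>$<hash>', None for other schemes."""
    parts = hash_field.split("$")  # ['', 'y', params, salt, hash]
    if len(parts) < 4 or parts[0] != "" or parts[1] != "y":
        return None
    params = parts[2]
    if len(params) != 3:
        raise ValueError("only the three-character flavor/N/r form is handled")
    return _decode_small(params[1], 1), _decode_small(params[2], 1)


def cost_factor(n_log2, r):
    """Map (N, r) back to YESCRYPT_COST_FACTOR.

    Assumption: libxcrypt's table (r=8 for costs 1-2, r=32 for costs 3-11).
    It reproduces the thread's pairs j9T -> 5 and jFT -> 11.
    """
    if r == 32 and 10 <= n_log2 <= 18:
        return n_log2 - 7
    if r == 8 and 10 <= n_log2 <= 11:
        return n_log2 - 9
    return None


def parse_size(text):
    """Parse '1100M' style sizes into bytes; 'unlimited' becomes None."""
    text = text.strip()
    if text.lower() == "unlimited":
        return None
    unit = text[-1].upper()
    if unit in _UNITS:
        return int(text[:-1]) * _UNITS[unit]
    return int(text)


def audit(shadow_lines, vsz_limit):
    """Return (user, cost, MiB, fits) for every yescrypt account.

    'fits' only compares the hash's own memory with the limit; the auth
    process needs its baseline memory on top, so True is a lower bound.
    """
    limit = parse_size(vsz_limit)
    rows = []
    for line in shadow_lines:
        fields = line.strip().split(":")
        if len(fields) < 2:
            continue
        try:
            # A leading '!' marks a locked password; the hash still follows it.
            parsed = parse_yescrypt(fields[1].lstrip("!"))
        except ValueError:
            rows.append((fields[0], None, None, None))  # undecodable params
            continue
        if parsed is None:
            continue  # not yescrypt, or no password hash at all
        n_log2, r = parsed
        mem = 128 * r * (1 << n_log2)
        fits = limit is None or mem < limit
        rows.append((fields[0], cost_factor(n_log2, r), mem // 2**20, fits))
    return rows


if __name__ == "__main__":
    for limit in ("1000M", "1100M", "unlimited"):
        print(f"service_vsz_limit = {limit}")
        for user, cost, mib, fits in audit(SAMPLE_SHADOW, limit):
            print(f"  {user:<10} cost={cost} hash_mem={mib} MiB fits={fits}")
```

To run it against a live system, feed it the lines of getent shadow instead of SAMPLE_SHADOW.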
On Wednesday, 21.01.2026 at 11:46 +0100, Matthias Bodenbinder via dovecot wrote:
I figured out how to do the test.
I did set "service_vsz_limit = unlimited". With that YESCRYPT_COST_FACTOR=11 works fine.
A service_vsz_limit value of 1000M is not enough to make it work. A value of 1100M is ok.
Matthias
I will leave the mailing list now. I only joined for this one particular issue.
If you want me to test other settings or you have any other questions you need to send me a personal email.
Matthias
On Tuesday, 20.01.2026 at 21:26 +0100, Tom Hendrikx via dovecot wrote:
Hi Matthias,
It would be nice if you could verify this assumption by raising the allowed memory usage (vsz_limit) for the auth process until YESCRYPT_COST_FACTOR=11 actually works.
Just curious though, not using yescrypt here
Kind regards, Tom
On 1/16/26 16:38, Matthias Bodenbinder via dovecot wrote:
Hello John,
I have answered in more detail in another email.
After reading a lot more about this topic I believe it is not a timeout issue but more of a memory allocation issue.
E.g.: https://www.openwall.com/lists/yescrypt/2024/03/20/2
In the above thread it is claimed that: The value 11 results in 1 GiB memory usage
That is a lot. I will refrain from using that. I will go for a value of 7. That is good enough.
Kind Regards Matthias
On Friday, 16.01.2026 at 14:16 +0100, John Fawcett via dovecot wrote:
Hi Matthias
I'm pretty sure that this value (AUTH_FAILURE_DELAY_CHECK_MSECS) is the delay that Dovecot waits after the failure before reporting it, so not really relevant since the failure has already happened when that comes into play.
Out of curiosity, when you do the test that fails, how long did it take before it failed?
Maybe there is a timeout configured in pam (e.g. LOGIN_TIMEOUT in login.defs) or elsewhere.
John
On 11/01/2026 10:11, Matthias Bodenbinder via dovecot wrote:
On Friday, 09.01.2026 at 10:30 +0100, Matthias Bodenbinder via dovecot wrote:
Hi,
dovecot does not work with ENCRYPT_METHOD YESCRYPT and YESCRYPT_COST_FACTOR=11. I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros.
When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and recreating the user password for my user and restarting the dovecot service I get:
doveadm auth test matthias
Password: passdb: matthias auth failed extra fields: user=matthias
When reverting the change to YESCRYPT_COST_FACTOR=5 it works again:
doveadm auth test matthias
Password: passdb: matthias auth succeeded extra fields: user=matthias
I have tested this back and forth. The culprit is definitely a high value for YESCRYPT_COST_FACTOR. A value of 7 is still good but a value of 9 or 11 fails.
Can it be that this problem has to do with
#define AUTH_FAILURE_DELAY_CHECK_MSECS 500
in auth-request-handler.c ?
Increasing the YESCRYPT_COST_FACTOR for the password hashing will certainly extend the time of the pam auth process.
Matthias
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
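Added example (not part of any message in this thread): a small model of why cost factors 9 and 11 failed until service_vsz_limit was raised, while 7 worked. It assumes libxcrypt's mapping from the cost factor to yescrypt's N and r, memory of 128*N*r bytes per hash, Dovecot's default vsz_limit of 256M, and a constructed 32 MiB allowance for the rest of the auth process.

```python
# Added example: relate YESCRYPT_COST_FACTOR to the memory limit of the
# process that verifies the password.
# Assumptions (not from the thread): libxcrypt's cost-to-parameter mapping,
# memory = 128 * N * r bytes, and a constructed 32 MiB process overhead.

MIB = 1024 * 1024
OVERHEAD = 32 * MIB  # constructed allowance for the rest of the auth process


def yescrypt_params(cost):
    """Map YESCRYPT_COST_FACTOR (1..11) to yescrypt (N, r)."""
    if not 1 <= cost <= 11:
        raise ValueError("cost factor must be in 1..11")
    if cost < 3:
        return 1 << (cost + 9), 8
    return 1 << (cost + 7), 32


def yescrypt_mem_bytes(cost):
    """Approximate memory one hash computation needs."""
    n, r = yescrypt_params(cost)
    return 128 * n * r


def parse_size(value):
    """Parse a Dovecot-style size such as '256M', '1G' or 'unlimited'."""
    value = value.strip()
    if value.lower() == "unlimited":
        return None
    units = {"B": 1, "K": 1024, "M": MIB, "G": 1024 * MIB}
    suffix = value[-1].upper()
    if suffix in units:
        return int(value[:-1]) * units[suffix]
    return int(value)


def fits(cost, vsz_limit):
    """True if a hash at this cost fits under the given vsz_limit."""
    limit = parse_size(vsz_limit)
    return limit is None or yescrypt_mem_bytes(cost) + OVERHEAD <= limit


if __name__ == "__main__":
    limits = ("256M", "1000M", "1100M", "unlimited")
    for cost in (5, 7, 9, 11):
        mem = yescrypt_mem_bytes(cost) // MIB
        row = {lim: fits(cost, lim) for lim in limits}
        print(f"cost={cost:2d} needs ~{mem:4d} MiB  {row}")
```

Under these assumptions the model reproduces every result reported in the thread: 7 fits the assumed default, 9 and 11 do not, and 11 needs more than 1000M but fits in 1100M.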
participants (4)
- Aki Tuomi
- John Fawcett
- Matthias Bodenbinder
- Tom Hendrikx