I want to disable the time penalty for dovecot imap authentication. When receiving a valid user-password combo the server responds in .04 seconds. When I send in an invalid comination it will either respond in 1.544 or 2.044 seconds += .002
I am using dovecot to test a program that sends a login request to a server and processes the response. I want to be able to send a series of valid and invalid login attempts.
The issue is that with the 2 seconds delay for a bad login attempt, the tests are too slow to run in production
I can see that the delay is defined in auth-penalty.h Is there a way, in the config file, to set AUTH_PENALTY_INIT_SECS = 0, or any other way to remove the time delay for an invalid login.
I am running dovecot version 2.2.33.2 I am running without root permissions I do not want to make changes outside of the dovecot config file, password file, or run folder.
-- Stephen
"Stephen" == Stephen Blackwell stephenmac98@gmail.com writes:
Stephen> I want to disable the time penalty for dovecot imap Stephen> authentication. When receiving a valid user-password combo Stephen> the server responds in .04 seconds. When I send in an invalid Stephen> comination it will either respond in 1.544 or 2.044 seconds Stephen> += .002
Stephen> I am using dovecot to test a program that sends a login Stephen> request to a server and processes the response. I want to be Stephen> able to send a series of valid and invalid login attempts.
Stephen> The issue is that with the 2 seconds delay for a bad login Stephen> attempt, the tests are too slow to run in production
Why are you running tests on production? Hmm?
Stephen> I can see that the delay is defined in auth-penalty.h Is Stephen> there a way, in the config file, to set Stephen> AUTH_PENALTY_INIT_SECS = 0, or any other way to remove the Stephen> time delay for an invalid login.
Take a look at this page:
https://wiki.dovecot.org/Authentication/Penalty
but maybe you can put your test IP into the list of trusted networks?
John
On 05 Jun 2020, at 11:27, Stephen Blackwell stephenmac98@gmail.com wrote:
I want to disable the time penalty for dovecot imap authentication. When receiving a valid user-password combo the server responds in .04 seconds. When I send in an invalid comination it will either respond in 1.544 or 2.044 seconds += .002
This is, of course, by design. Slowing down cracking software is a good thing.
The issue is that with the 2 seconds delay for a bad login attempt, the tests are too slow to run in production
Yes, that is rather the point.
I can see that the delay is defined in auth-penalty.h Is there a way, in the config file, to set AUTH_PENALTY_INIT_SECS = 0, or any other way to remove the time delay for an invalid login.
Change the value and compile a non-production version of dovecot and run your tests there. Be sure to never run this on real users data.
I do not want to make changes outside of the dovecot config file, password file, or run folder.
You can't always get what you want.
-- Beautiful dawn / Lights up the shore for me / There is nothing else in the world I'd rather see with you.
participants (3)
-
@lbutlr
-
John Stoffel
-
Stephen Blackwell