[Dovecot] Issues with authentication failure delays
There are two rather clear issues with the state of authentication failure delays. First, the delay length isn't what was (presumably) intended. Second, there is a new way of doing failure delays in Dovecot 2 which was added *in addition to* the old method, rather than replacing it. As a result delays may not be the expected length and settings don't have the expected effect.
First, the length of the failure delays. Based on auth/auth-penalty.c and auth/auth-penalty.h, it seems rather clear that the delay time (for the newer type of failure delay) was intended to start at 2 seconds and double for each failure (see auth_penalty_to_secs), but be capped at 15 seconds. However, a simple test which tries to log in 5 times with a random password and times each attempt shows something different:
$ cat authtest.py
import imaplib
import time
import random

conn = imaplib.IMAP4('localhost')
for i in range(5):
    try:
        start = time.time()
        conn.login('testusers', str(random.random()))
    except Exception, e:
        print e
    print time.time() - start

$ python authtest.py
[AUTHENTICATIONFAILED] Authentication failed.
0.502058982849
[AUTHENTICATIONFAILED] Authentication failed.
4.50464391708
[AUTHENTICATIONFAILED] Authentication failed.
8.50679802895
[AUTHENTICATIONFAILED] Authentication failed.
15.5040819645
[AUTHENTICATIONFAILED] Authentication failed.
15.5039038658
(Note that these results are with auth_failure_delay set to 0, more on that in a bit.) Aside from the extra half second on each attempt (which I have no clue about), there is no delay on the first attempt. Subsequent delays seem to have the correct timing. I *think* this is because auth_penalty_lookup is called from auth_request_handler_auth_begin, that is, at the *beginning* of an authentication attempt, therefore not affecting the first failed attempt.
This may be too minor an issue to worry much about, but it certainly looks to me like it's not doing quite what was intended.
Moving on to the second issue. Revision fbff8ca77d2e added a new style of authentication failure delay, but left the existing failure delay mechanism in place. The old failure delay uses the auth_failure_delay setting, and could be disabled by using a value of 0 for that setting. Its remnants are in auth/auth-request-handler.c in the function auth_request_handler_flush_failures. It looks like much of the code in that file could be removed or simplified by eliminating this older failure delay system.
Better still, I would like to see the auth_failure_delay setting retained and used in the new system. The value of the setting could be used in place of AUTH_PENALTY_INIT_SECS, allowing similar configurability to what the old system offered.
-Kevin
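An added example (my own, not code from the post or from Dovecot): a small Python model of the penalty delay described above. It reproduces the measured sequence, shows why the first attempt is not delayed when the penalty is looked up at request begin, and tries the proposal of using auth_failure_delay as the initial delay. The exact doubling formula, the treatment of a zero penalty as "no delay", and all function and parameter names are assumptions.

```python
AUTH_PENALTY_MAX_SECS = 15   # cap mentioned in the post

# Measured delays from the post's authtest.py run, rounded to 2 decimals.
OBSERVED_FROM_POST = [0.50, 4.50, 8.51, 15.50, 15.50]


def auth_penalty_to_secs(penalty, init_secs=2):
    """Delay for a penalty count: start at init_secs, double per recorded
    failure, cap at AUTH_PENALTY_MAX_SECS. Assumed reconstruction of the
    doubling rule the post describes; init_secs stands in for
    AUTH_PENALTY_INIT_SECS (the post suggests using auth_failure_delay)."""
    return min(init_secs * 2 ** penalty, AUTH_PENALTY_MAX_SECS)


def simulate(attempts, init_secs=2, lookup_at_begin=True):
    """Delay applied to each of `attempts` consecutive failed logins from
    one client.

    lookup_at_begin=True models what the post observes: the penalty is read
    when the request begins (auth_request_handler_auth_begin), before the
    current failure is counted, and a client with no recorded failures
    waits nothing (assumption: zero penalty means no delay).
    lookup_at_begin=False models charging the delay after the failure is
    recorded, so even the first failure waits init_secs."""
    penalty = 0                      # failures recorded for this client
    delays = []
    for _ in range(attempts):
        if lookup_at_begin:
            delay = 0 if penalty == 0 else auth_penalty_to_secs(penalty, init_secs)
            penalty += 1             # this attempt fails as well
        else:
            penalty += 1
            delay = auth_penalty_to_secs(penalty - 1, init_secs)
        delays.append(delay)
    return delays


def unexplained_overhead(observed, modelled):
    """Per-attempt difference between measured and modelled delay, i.e. the
    part of the timing the penalty model does not account for."""
    return [round(o - m, 2) for o, m in zip(observed, modelled)]


if __name__ == "__main__":
    print("lookup at begin :", simulate(5))                         # [0, 4, 8, 15, 15]
    print("delay after fail:", simulate(5, lookup_at_begin=False))  # [2, 4, 8, 15, 15]
    print("init_secs=0     :", simulate(5, init_secs=0))            # [0, 0, 0, 0, 0]
    print("overhead        :", unexplained_overhead(OBSERVED_FROM_POST, simulate(5)))
```

The last line isolates the constant half second the post mentions: once the begin-time lookup is modelled, that offset is all that remains unexplained.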