[Dovecot] v2.0.beta1 released
Ed W
lists at wildgooses.com
Wed Dec 16 02:03:08 EET 2009
On 14/12/2009 03:12, Timo Sirainen wrote:
> Largest changes since alpha3:
>
> - if some IP address is failing authentications, all auth attempts from
> the IP are delayed increasingly. a successful auth drops the delay. max
> delay is 15 seconds. this is enforced by auth process, so it works
> across different connections/processes/protocols.
>
I have a bunch of users behind several NATs (wifi hotspots, dialup
gateways) and it would seem that if some muppet innocently sets up the
wrong username/password then all the other users get significantly
penalised? (I have even seen cases where people have a go at configuring
Outlook, it doesn't work and they just leave it misconfigured and
sending incorrect passwords forever afterwards...)
(This actually caught me out recently when a fairly large group of users
got dropped due to pretty much just this type of rule implemented via an
overeager Fail2ban rule... One user just kept trying to use the wrong
password (innocently) and locked out the whole group of users behind the
NAT... Durr, quick fix of the whitelisted IPs, but we don't always spot
the smaller gateways.)
Should it not only delay *incorrect* logins? i.e. each time you get it
wrong then you get a penalty (which increases). Getting it right would
log in instantly and slightly decrease the "got it wrong" penalty (or
perhaps it just ages out over time)?
Seems that this is a good compromise and doesn't penalise good users,
whilst only very slightly assisting attackers? (If they hacked a login
then delaying them a few seconds from using it isn't all that helpful
anyway...)
My 2p.. Although possibly I misunderstood the changelog...?
Ed W
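The two per-IP penalty policies being compared in this thread, as an added simulation that is not Dovecot code and not part of the original message. Policy "changelog" models the quoted release note (every attempt from a failing IP is delayed, the delay grows with consecutive failures up to the 15 second cap, a success resets it); policy "failures_only" models the alternative proposed in the reply (only a wrong password pays the delay, a correct login goes through immediately and reduces the stored penalty by one). The doubling schedule, the shared NAT address and the sequence of attempts are constructed assumptions; the changelog does not specify how the delay grows.

```python
"""Simulate two per-IP auth penalty policies against a shared NAT address.

Constructed example, not Dovecot's implementation. The only value taken
from the changelog is the 15 second cap; the growth schedule is assumed.
"""
from dataclasses import dataclass, field

MAX_DELAY = 15.0  # seconds; the cap named in the quoted changelog


@dataclass
class PenaltyTracker:
    # "changelog": every attempt from a failing IP is delayed, success resets.
    # "failures_only": only failed attempts are delayed, success decrements.
    policy: str
    failures: dict = field(default_factory=dict)  # ip -> consecutive failures

    def delay_for(self, ip: str) -> float:
        """Assumed schedule: 0 failures -> 0 s, then 1, 2, 4, 8 s ... capped."""
        n = self.failures.get(ip, 0)
        if n == 0:
            return 0.0
        return min(MAX_DELAY, float(2 ** (n - 1)))

    def attempt(self, ip: str, password_ok: bool) -> float:
        """Record one auth attempt and return the delay (seconds) it suffers."""
        n = self.failures.get(ip, 0)
        if self.policy == "changelog":
            # Delay is applied before the attempt, regardless of the outcome,
            # so a good user behind the same NAT pays for others' failures.
            delay = self.delay_for(ip)
            self.failures[ip] = 0 if password_ok else n + 1
        elif self.policy == "failures_only":
            if password_ok:
                # Correct password: answer at once, shave a bit off the penalty.
                delay = 0.0
                self.failures[ip] = max(0, n - 1)
            else:
                # Wrong password: bump the counter, then hold the reply.
                self.failures[ip] = n + 1
                delay = self.delay_for(ip)
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        return delay


def simulate_nat(policy: str) -> list:
    """One misconfigured client and one good user share a constructed NAT IP.

    Returns a list of (who, delay_seconds) in attempt order.
    """
    tracker = PenaltyTracker(policy)
    nat_ip = "198.51.100.7"  # constructed documentation address
    log = []
    # A client left with the wrong password keeps retrying.
    for _ in range(5):
        log.append(("misconfigured", tracker.attempt(nat_ip, False)))
    # A legitimate user behind the same NAT now logs in correctly.
    log.append(("good_user", tracker.attempt(nat_ip, True)))
    # The misconfigured client carries on; the good user logs in again.
    log.append(("misconfigured", tracker.attempt(nat_ip, False)))
    log.append(("good_user", tracker.attempt(nat_ip, True)))
    return log


def delays_for(log: list, who: str) -> list:
    """Extract the delays one party experienced from a simulation log."""
    return [delay for name, delay in log if name == who]


if __name__ == "__main__":
    for policy in ("changelog", "failures_only"):
        log = simulate_nat(policy)
        print(policy)
        print("  good user delays:      ", delays_for(log, "good_user"))
        print("  misconfigured delays:  ", delays_for(log, "misconfigured"))
```

Under the changelog policy the good user's first login waits the full 15 seconds because of a neighbour's failures, while the misconfigured client's total delay is reset by that success. Under the failures-only policy the good user never waits and the failing client keeps paying, which is the trade-off the reply argues for; the cost is that a correct guess is not itself slowed down, only the wrong ones leading up to it.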