[Dovecot] Feature request: usernames and passwords

Timo Sirainen tss at iki.fi
Wed Jul 21 15:18:27 EEST 2010


On Wed, 2010-07-21 at 14:57 +0300, Thanos Chatziathanassiou wrote:
> Timo Sirainen wrote:
> > On 21.7.2010, at 12.29, Thanos Chatziathanassiou wrote:
> >
> >   
> >> Would it be possible to deny login if username==password with a (non?)polite/custom message to go change your password to something less obvious?
> >>     
> >
> > What passdb do you use?
> >
> >   
> passwd-file with md5-crypt though I could easily swap it for an SQL 
> variant. 

With SQL this should be pretty easy to do. If password matches username
('%w' = '%u') have it return 'y' as nologin and 'bad password' as
reason. 

> I think I'll be fairly shielded from this kind of thing in the 
> future, just brought it up because all of us here manage people's mails 
> one way or another.

I think this is one of the tons of different possible password policies
and isn't really Dovecot's job. It really should be enforced while
setting the password, not while checking it.
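
Added example, not part of the original message and not Dovecot project code: one way to write the SQL passdb `password_query` described above, so that a login whose password equals the username gets `nologin` set and 'bad password' as the `reason`. The table `users` and its columns `username` and `password` are assumptions; `%u`, `%w`, `nologin` and `reason` are the names used in the message.

```sql
-- Added example: statement to use as the password_query of Dovecot's SQL passdb.
-- Assumed (hypothetical) schema: users(username, password), where password
-- holds the stored hash that Dovecot verifies as usual.
--
-- %u = the login username, %w = the plaintext password the client sent.
-- Dovecot substitutes both before the query reaches the database.
--
-- Each CASE has no ELSE branch, so it yields NULL when the password differs
-- from the username. With SQL, Dovecot treats a NULL extra field as not set,
-- so ordinary logins are unaffected. A non-NULL nologin refuses the login
-- even when the password hash matches, and reason carries the message.
SELECT
    password,
    CASE WHEN '%w' = '%u' THEN 'y' END            AS nologin,
    CASE WHEN '%w' = '%u' THEN 'bad password' END AS reason
FROM users
WHERE username = '%u'
```

`%w` is only populated when the client authenticates with a plaintext mechanism such as PLAIN or LOGIN, so the comparison has no effect for mechanisms that never send the password itself. Whether `'%w' = '%u'` is case-sensitive depends on the database's collation.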


