[Dovecot] Feature request: usernames and passwords

Charles Marcus CMarcus at Media-Brokers.com
Wed Jul 21 15:39:07 EEST 2010

Thanos Chatziathanassiou wrote:
> A relatively recent development that spammers got wind of is users
> that have username==password, with/without the domain. I am tracking
> numerous 1-off attempts from bots to gain access to mailboxes this
> way. Situation isn't made any better if you're also using dovecot as
> SMTP AUTH provider, for I am ashamed to admit I've relayed some spam
> that way. Would it be possible to deny login if username==password
> with a (non?)polite/custom message to go change your password to
> something less obvious?

Dovecot isn't the place for this...

Use cracklib (on Linux - the equivalent for whatever OS you are using
if not Linux) with your passdb backend, and simply force users to use
strong passwords, period.

In this day and age any sys admin who isn't doing this is just asking to
be hacked.
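
The username==password check discussed in this thread, applied when a password is set rather than at login, as an added example that is not code from either poster, Dovecot or cracklib. The function names, the variant rules and the sample logins are assumptions made for illustration; dictionary and strength checks are left to cracklib or its equivalent.

```python
import re
from typing import Optional, Set

SEPARATORS = re.compile(r"[._+\-@]")
# Digits, punctuation and underscores at either end of a candidate password.
EDGE_NOISE = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def username_variants(login: str) -> Set[str]:
    """Strings derived from a login such as 'j.doe@example.com' (hypothetical rules)."""
    login = login.casefold()
    local, _, domain = login.partition("@")
    bases = {login, local}
    if domain:
        label = domain.split(".")[0]            # 'example'
        bases |= {domain, label, local + label}
    # Same strings with separators removed: 'j.doe' -> 'jdoe'
    bases |= {SEPARATORS.sub("", b) for b in bases}
    # Reversed forms: 'jdoe' -> 'eodj'
    bases |= {b[::-1] for b in bases}
    bases.discard("")
    return bases


def check_password(login: str, password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password is not username-derived."""
    variants = username_variants(login)
    candidate = password.casefold()
    if candidate in variants:
        return "password is the same as the username"
    # 'JDoe2010!' -> 'jdoe': username padded with digits or punctuation
    if EDGE_NOISE.sub("", candidate) in variants:
        return "password is the username plus digits or punctuation"
    return None


if __name__ == "__main__":
    # Constructed sample input, not taken from any real passdb.
    samples = [
        ("jdoe@example.com", "jdoe"),
        ("j.doe@example.com", "JDoe2010!"),
        ("jdoe@example.com", "violet-Harbor-91-kiln"),
    ]
    for login, pw in samples:
        print(login, "->", check_password(login, pw) or "accepted")
```
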

