[Dovecot] Feature request: usernames and passwords

Leonardo Rodrigues leolistas at solutti.com.br
Wed Jul 21 16:06:17 EEST 2010

On 21/07/2010 09:18, Timo Sirainen wrote:
> I think this is one of the tons of different possible password policies
> and isn't really Dovecot's job. It really should be enforced while
> setting the password, not while checking it.

     I completely agree that Dovecot is not the place for enforcing 
password policies, nor for checking them.

     But, still on the subject, maybe Dovecot could have some features 
to help sysadmins avoid/mitigate brute-force attacks. As told, 
some bots try username=password, but those fuckers (the bots) also 
try lots of common passwords: 123, 1234, the username followed by some 
numbers, and lots of others.

     Of course, if the provided password is not correct, Dovecot denies 
access as it should .... but in those situations, logs can get pretty 
filled with "login failed" messages, especially on servers with lots of 
accounts. And, in some cases, after lots of tries, the bot can find the 
correct username/password combination.

     I was thinking of something like ...

1) after N tries (let's say 10, for example) of wrong username/password 
combinations, Dovecot could start delaying the answers for wrong 
authentications coming from that specific IP address or IP/username, 
thus slowing down the brute-force attacks;
1.1) or even, after some M (let's say 20, for example) wrong 
username/password combinations, Dovecot could ban that IP address (or IP 
address/username combination, to avoid problems with big networks with NAT 
access) for XX seconds/minutes, also slowing down the brute-force attack;
1.2) this could probably be implemented using some in-memory internal 
backend, so it would be absolutely independent of the passdb schema and 
would require no modifications to the passdb schema.

     The original message talks about bot brute-force attacks, but we can 
be facing REAL brute-force attacks against a specific account .... and I 
think that some features to help mitigate those could indeed be 
interesting. And if those features exist, they could surely help with 
those brute-force attacks coming from dumb bots as well.

     It won't solve the username=password specific case, but could help 
with real or bot brute-force attacks.

     What do you think of that, Timo?
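The delay-then-ban scheme sketched in points 1 to 1.2, as an added example written for this page (it is not Dovecot code and not from the thread). The thresholds N=10, M=20 and XX=300 s, the 600 s forgetting window, the 30 s delay cap and the (ip, username) key are all assumptions; a real server would call check() before the passdb lookup and sleep for the returned delay.

```python
import time
from collections import defaultdict

# Constructed thresholds following the proposal: delay after N failures,
# ban after M failures for XX seconds; window and cap are assumptions too.
DELAY_AFTER = 10       # N
BAN_AFTER = 20         # M
BAN_SECONDS = 300      # XX
WINDOW_SECONDS = 600   # failures older than this are forgotten
MAX_DELAY = 30.0       # cap on the added delay

class AuthThrottle:
    """In-memory failed-login tracker keyed on (ip, username), so one abused
    account does not lock out every user behind the same NAT gateway."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable for testing
        self.failures = defaultdict(list)  # key -> failure timestamps
        self.banned_until = {}             # key -> monotonic deadline

    def _prune(self, key, now):
        self.failures[key] = [t for t in self.failures[key]
                              if now - t < WINDOW_SECONDS]

    def check(self, ip, username):
        """Call before consulting passdb: returns (allowed, delay_seconds)."""
        key, now = (ip, username), self.clock()
        until = self.banned_until.get(key)
        if until is not None:
            if now < until:
                return False, 0.0          # still banned: refuse outright
            del self.banned_until[key]     # ban expired: start fresh
            self.failures[key].clear()
        self._prune(key, now)
        n = len(self.failures[key])
        if n < DELAY_AFTER:
            return True, 0.0
        # From the Nth failure on, back off exponentially, capped at MAX_DELAY.
        return True, min(MAX_DELAY, 2.0 ** (n - DELAY_AFTER))

    def record_failure(self, ip, username):
        """Call after a wrong password; returns 'ok', 'delayed' or 'banned'."""
        key, now = (ip, username), self.clock()
        self._prune(key, now)
        self.failures[key].append(now)
        n = len(self.failures[key])
        if n >= BAN_AFTER:
            self.banned_until[key] = now + BAN_SECONDS
            return "banned"
        return "delayed" if n >= DELAY_AFTER else "ok"
```

Because the key includes the username, a bot hammering one mailbox from a NAT'd address slows down only that mailbox for that address, which is the trade-off point 1.1 raises.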
