[Dovecot] Feature request: usernames and passwords

Eduardo M KALINOWSKI eduardo at kalinowski.com.br
Wed Jul 21 16:30:26 EEST 2010

On Qua, 21 Jul 2010, Leonardo Rodrigues wrote:
>     i completly agree that dovecot is not the place for enforcing  
> password policies nor checking them.
>     but, still on the subject, maybe dovecot could have some  
> features for helping sysadmins to avoid/mitigate brute-force  
> attacks. As told, some bots tries username=password, but those  
> fuckers (the bots) also tries lots of common passwords, 123, 1234,  
> the username followed by some numbers, and lots of others.
>     of course, if the provided password is not correct, dovecot  
> denies access as it should .... but in those situations, logs can  
> get pretty filled with login failed messages, specially on servers  
> with lots of accounts. And, in some cases, after lots of tries, the  
> bot can found the correct username/password combination.
> [snip]

I think none of this is dovecot's function. Let's keep the UNIX  
filosophy: one tool does one function, and does that function well.  
Dovecot is an execellent mail server. It should not be turned into a  
monster Windows-like application that does dozens of  
not-really-quite-related things.

What you want can be done with other tools.

eduardo at kalinowski.com.br

More information about the dovecot mailing list