[Dovecot] Feature request: usernames and passwords

Pascal Volk user+dovecot at localhost.localdomain.org
Wed Jul 21 16:32:15 EEST 2010

On 07/21/2010 03:06 PM Leonardo Rodrigues wrote:
> I was thinking of something like ...
> 1) after N tries (let's say 10 for example) of wrong username/password
> combinations, dovecot could start delaying the answers for wrong
> authentications coming from that specific IP address or IP/username,
> thus slowing down the brute-force attacks;
> 1.1) or even, after some M (let's say 20 for example) wrong
> username/password combinations, dovecot could ban that IP address (or IP
> address/username combination, to avoid problems with big networks with NAT
> access) for XX seconds/minutes, also slowing down the brute-force attack
> tries
> 1.2) this could probably be implemented using some in-memory internal
> backend, so it would be absolutely independent of the passdb schema and
> would require no modifications to the passdb schema.

Install dovecot 2.0.rc3 and try to 'break in'. You will see how dovecot
slows down your 'attack'. When you test it with your botnet ( ;-) ), use
`doveadm penalty` to see current penalties.
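
The delay-then-ban scheme from the quoted proposal, sketched as an added example that is not part of either message and is not Dovecot's penalty implementation. The class name, the per-failure delay step, the delay cap and the 300-second ban are hypothetical choices; N=10 and M=20 are the example values from the proposal.

```python
import time

class AuthPenaltyTracker:
    """In-memory failed-login tracker keyed by (ip, username); the passdb is never touched."""

    def __init__(self, delay_after=10, ban_after=20, ban_seconds=300,
                 step=1.0, max_delay=15.0, clock=time.monotonic):
        self.delay_after = delay_after  # N in the proposal
        self.ban_after = ban_after      # M in the proposal
        self.ban_seconds = ban_seconds  # "XX seconds" (constructed value)
        self.step = step                # extra delay per failure from N on (assumed)
        self.max_delay = max_delay      # upper bound on the delay (assumed)
        self.clock = clock              # injectable so tests need not sleep
        self._state = {}                # (ip, username) -> [failures, banned_until]

    def check(self, ip, username):
        """Call before verifying credentials.
        Returns ('ok', 0.0), ('delay', seconds) or ('ban', seconds_left)."""
        key = (ip, username)
        entry = self._state.get(key)
        if entry is None:
            return ("ok", 0.0)
        failures, banned_until = entry
        now = self.clock()
        if banned_until > now:
            return ("ban", banned_until - now)
        if banned_until:                # ban has expired: start from a clean slate
            del self._state[key]
            return ("ok", 0.0)
        if failures >= self.delay_after:
            over = failures - self.delay_after + 1
            return ("delay", min(self.max_delay, over * self.step))
        return ("ok", 0.0)

    def record(self, ip, username, success):
        """Call after verifying credentials; the caller skips verification while banned."""
        key = (ip, username)
        if success:
            self._state.pop(key, None)  # a good login clears the penalty
            return
        entry = self._state.setdefault(key, [0, 0.0])
        entry[0] += 1
        if entry[0] >= self.ban_after:
            entry[1] = self.clock() + self.ban_seconds
```

Because the username half of the key is supplied by the client, a long-running service would also need to expire idle entries and cap the table size so the tracker itself cannot be used to exhaust memory.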

