[Dovecot] Feature request: usernames and passwords

Jerry dovecot.user at seibercom.net
Wed Jul 21 16:35:57 EEST 2010

On Wed, 21 Jul 2010 14:29:10 +0300
Thanos Chatziathanassiou <tchatzi at arx.net> articulated:

> A relatively recent development that spammers got wind of is users that 
> have username==password, with/without the domain.
> I am tracking numerous 1-off attempts from bots to gain access to 
> mailboxes this way.
> Situation isn't made any better if you're also using dovecot as SMTP 
> AUTH provider for I am ashamed to admit I've relayed some spam that way.
> Would it be possible to deny login if username==password with a 
> (non?)polite/custom message to go change your password to something less 
> obvious ?

Seriously, this reminds me of a saying by Ron White that I have always
thought à propos: "You can't fix stupid." There is no way you can
protect a user from their own stupidity. I don't care how many
safeguards you put in place. Remember, "Nothing is foolproof to a
sufficiently talented fool." Or, as I like to tell others, "Make it
idiot proof and someone will make a better idiot." There are reportedly
thousands of users who use, "Password" for their actual password.

This is not a Dovecot problem. Adding additional checks in Dovecot will
only bloat the program and potentially cause other catastrophic

Jerry ✌
Dovecot.user at seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

"I kind of want to slay the dragon. Let's go to work."

	Angel's final words. 

More information about the dovecot mailing list