Remove authentication penalty for webmailer

Andreas Meyer luckyfellow42 at gmail.com
Wed Jul 11 02:45:59 EEST 2018 

Hi all,

I want to remove the authentication penalty for specific ip addresses
(subnets if possible).

I am using Dovecot 2.3.2 (582970113) and figured that this information:
https://wiki2.dovecot.org/Authentication/Penalty
> If the IP is in login_trusted_networks (e.g. webmail), skip any
authentication penalties

is not up to date.
Instead this information is:
https://wiki2.dovecot.org/Upgrading/2.3

--- START ---
*Localhost Auth Penalty*

Dovecot no longer disables auth penalty waits for clients connecting from
localhost (or login_trusted_networks in general). The previous idea was
that it would likely be a webmail that would have its own delays, but there
are no guarantees about this.

If the old behavior is still wanted, it's possible to do nowadays even more
generically with e.g.:

passdb {
 driver = passwd-file
 args = username_format=%{rip} /etc/dovecot/passdb
}

/etc/dovecot/passdb:

127.0.0.1:::::::nodelay=yes
192.168.10.124:::::::nodelay=yes
--- STOP ---


Adding the passdb section and creating a passdb file with the respective ip
addresses does not have any effect though.
Login failures through the webmailer are still being delayed.

"dovecot -n" shows that the new passdb section is loaded:

--- START ---
passdb {
  args = username_format=%{rip} /etc/dovecot/passdb
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
--- STOP ---

Changing orders does not make a difference.

The passdb file contains these entries:
--- START ---
127.0.0.1:::::::nodelay=yes
10.25.1.20:::::::nodelay=yes
--- STOP ---

The logfile shows the increased delay:
--- START ---
Jul 10 23:37:16 9fcdf83ee81e dovecot: imap-login: Disconnected (auth
failed, 1 attempts in 2 secs): user=<xxx at yyy.zzz>, method=PLAIN,
rip=10.25.1.20, lip=10.25.1.10, TLS, TLSv1.2 with cipher
ECDHE-RSA-AES128-GCM-SHA256 (128/128 bit
s)
Jul 10 23:37:25 9fcdf83ee81e dovecot: imap-login: Disconnected (auth
failed, 1 attempts in 6 secs): user=<xxx at yyy.zzz>, method=PLAIN,
rip=10.25.1.20, lip=10.25.1.10, TLS, TLSv1.2 with cipher
ECDHE-RSA-AES128-GCM-SHA256 (128/128 bit
s)
--- STOP ---


What am I missing?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20180710/d6f0b5ee/attachment.html>

More information about the dovecot mailing list