On Tue, 2008-01-01 at 15:59 -0500, Dean Brooks wrote:
> Hi,
>
> Is there a way, or can a way be added, to add an "auth_failed_delay=10s"
> style option that would put in an artificial delay after a failed
> password attempt?
>
> As it stands now, Dovecot seems highly vulnerable to widescale
> brute-force password dictionary scans.
>
> Even if it's not configurable, can a delay be hardcoded to something
> like, say, 10 or 15 seconds?
Failed auth requests are put to a queue that's flushed every 2 seconds. So there is already a delay. I don't think it's a good idea to increase it up from 2 seconds, it just gets annoying when you type the wrong password accidentally. Although I suppose I could change the code so that it always waits 2 seconds instead of flushing all of them.
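A small model of the two delay policies the reply contrasts (a failed-auth queue flushed every 2 seconds, versus always waiting the full 2 seconds per request). This is an added illustration, not Dovecot's code or anything from the thread: it assumes flush ticks fall at whole multiples of the interval, and the arrival times are constructed sample values.

```python
from statistics import mean

FLUSH_INTERVAL = 2.0  # seconds, the interval quoted in the reply


def flush_answer_time(arrival, interval=FLUSH_INTERVAL):
    """Policy described in the reply: failed requests sit in a queue that is
    flushed every `interval` seconds, so each is answered at the next flush
    tick.  Assumption for this model: ticks fall at multiples of `interval`,
    so a request arriving just before a tick is answered almost at once."""
    return (int(arrival // interval) + 1) * interval


def fixed_answer_time(arrival, delay=FLUSH_INTERVAL):
    """Alternative the reply considers: answer every failed request exactly
    `delay` seconds after its own arrival, independent of the queue."""
    return arrival + delay


def delays(arrivals, policy):
    """Per-request delay (answer time minus arrival time) under a policy."""
    return [policy(t) - t for t in arrivals]


def answer_times(arrivals, policy):
    """Instant at which each request is answered under a policy."""
    return [policy(t) for t in arrivals]


def summarize(arrivals, policy):
    """Delay floor/ceiling/average plus how many distinct instants the
    answers go out at (1 means the whole batch is released together)."""
    d = delays(arrivals, policy)
    return {
        "min": round(min(d), 3),
        "max": round(max(d), 3),
        "mean": round(mean(d), 3),
        "distinct_answer_instants": len(set(answer_times(arrivals, policy))),
    }


if __name__ == "__main__":
    # Constructed sample: four failed logins arriving within one flush interval.
    arrivals = [0.2, 0.8, 1.5, 1.9]
    print("flush queue :", summarize(arrivals, flush_answer_time))
    print("fixed delay :", summarize(arrivals, fixed_answer_time))
```

With the flush policy the guaranteed floor is whatever remains until the next tick (here 0.1 s for the last arrival) and all four answers leave at the same instant; with the fixed policy every request waits the full 2 s and the answers are spread out. That is the difference behind "always waits 2 seconds instead of flushing all of them": the average delay is similar, but only the fixed variant gives every failed attempt the same minimum wait.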