On Wed, 2010-07-21 at 14:57 +0300, Thanos Chatziathanassiou wrote:
> Timo Sirainen wrote:
> > On 21.7.2010, at 12.29, Thanos Chatziathanassiou wrote:
> >
> >
> >> Would it be possible to deny login if username==password with a
> >> (non?)polite/custom message to go change your password to something less
> >> obvious ?
> >>
> >
> > What passdb do you use?
> >
> >
> passwd-file with md5-crypt though I could easily swap it for an SQL
> variant.
With SQL this should be pretty easy to do. If password matches username
('%w' = '%u') have it return 'y' as nologin and 'bad password' as
reason.
> I think I'll be fairly shielded from this kind of things in the
> future, just brought it up because all of us here manage people's mails
> one way or another.
I think this is one of the tons of different possible password policies
and isn't really Dovecot's job. It really should be enforced while
setting the password, not while checking it.
