Timo Sirainen wrote:
> On Wed, 2010-07-21 at 14:57 +0300, Thanos Chatziathanassiou wrote:
>> Timo Sirainen wrote:
>>> On 21.7.2010, at 12.29, Thanos Chatziathanassiou wrote:
>>>> Would it be possible to deny login if username==password with a
>>>> (non?)polite/custom message to go change your password to something less
>>>> obvious?
>>> What passdb do you use?
>> passwd-file with md5-crypt though I could easily swap it for an SQL
>> variant.
> With SQL this should be pretty easy to do. If password matches username
> ('%w' = '%u') have it return 'y' as nologin and 'bad password' as
> reason.

Correct. Should be fairly easy to do - just need a compatible crypt()
function in SQL. Never thought of that.

>> I think I'll be fairly shielded from this kind of thing in the
>> future, just brought it up because all of us here manage people's mails
>> one way or another.
> I think this is one of the tons of different possible password policies
> and isn't really Dovecot's job. It really should be enforced while
> setting the password, not while checking it.

Indeed, though it seems that someone went out of their way to have their
password changed to this and I was worried that a similar loophole
exists that I'm not aware of.

Anyway thanks for the tip.
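
The nologin/reason tip from the thread, written out as the SELECT that would be used as the value of `password_query` in Dovecot's SQL passdb configuration. This is an added example, not code posted by either participant; the table name `users` and the columns `userid` and `password` are assumed, and the query relies on Dovecot treating a NULL column as an extra field that is not set.

```sql
-- Added example. Assumed schema: users(userid, password).
--
-- Dovecot substitutes (and escapes) these variables before running the query:
--   %u = full login name          %n = user part of user@domain
--   %w = plaintext password sent by the client
--
-- Caveats:
--  * %w is only available with plaintext mechanisms (PLAIN, LOGIN).
--  * The substituted password becomes part of the statement text, so it will
--    show up in any SQL statement log. Keep statement logging off for the
--    account Dovecot connects with.
--  * The stored hash is still returned and verified by Dovecot as usual;
--    nologin only takes effect after the password itself has matched.
SELECT
    userid AS user,
    password,                                   -- e.g. {MD5-CRYPT}$1$...
    CASE WHEN LOWER('%w') IN (LOWER('%u'), LOWER('%n'))
         THEN 'Y' END            AS nologin,    -- NULL (unset) otherwise
    CASE WHEN LOWER('%w') IN (LOWER('%u'), LOWER('%n'))
         THEN 'bad password' END AS reason      -- text from the thread
FROM users
WHERE userid = '%u'
```

Comparing against both `%u` and `%n` also catches a `user@domain` login whose password is just `user`.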