Hi Matthias,

It would be nice if you could verify this assumption by raising the allowed memory usage (vsz_limit) for the auth process until YESCRYPT_COST_FACTOR=11 actually works.

Just curious though, not using yescrypt here.

Kind regards,
Tom

On 1/16/26 16:38, Matthias Bodenbinder via dovecot wrote:
Hello John,

I have answered in more detail in another email.

After reading a lot more about this topic I believe it is not a timeout issue but more of a memory allocation issue.

E.g.:
https://www.openwall.com/lists/yescrypt/2024/03/20/2

In the above thread it is claimed that: The value 11 results in 1 GiB memory usage

That is a lot. I will refrain from using that. I will go for a value of 7. That is good enough.

Kind Regards
Matthias



On Friday, 16.01.2026 at 14:16 +0100, John Fawcett via dovecot wrote:
Hi Matthias

I'm pretty sure that this value (AUTH_FAILURE_DELAY_CHECK_MSECS) is the
delay that Dovecot waits after the failure before reporting it, so not
really relevant since the failure has already happened when that comes
into play.

Out of curiosity, when you do the test that fails, how long did it take
before it failed?

Maybe there is a timeout configured in pam (e.g. LOGIN_TIMEOUT in
login.defs) or elsewhere.

John


On 11/01/2026 10:11, Matthias Bodenbinder via dovecot wrote:
On Friday, 09.01.2026 at 10:30 +0100, Matthias Bodenbinder via dovecot wrote:
Hi,

dovecot does not work with ENCRYPT_METHOD YESCRYPT and YESCRYPT_COST_FACTOR=11.
I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros.

When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and recreating the user password for my user and restarting the dovecot service I get:

# doveadm auth test matthias
Password:
passdb: matthias auth failed
extra fields:
    user=matthias

When reverting the change to YESCRYPT_COST_FACTOR=5 it works again:

# doveadm auth test matthias
Password:
passdb: matthias auth succeeded
extra fields:
    user=matthias

I have tested this back and forth. The culprit is definitely a high value for
YESCRYPT_COST_FACTOR. A value of 7 is still good but a value of 9 or 11 fails.

Can it be that this problem has to do with

#define AUTH_FAILURE_DELAY_CHECK_MSECS 500

in auth-request-handler.c ?

Increasing the YESCRYPT_COST_FACTOR for the password hashing will certainly extend the time of the pam auth process.

Matthias

_______________________________________________
dovecot mailing list [email protected]
To unsubscribe send an email [email protected]