I figured out how to do the test. I did set "service_vsz_limit = unlimited". With that YESCRYPT_COST_FACTOR=11 works fine.
A service_vsz_limit value of 1000M is not enough to make it work. A value of 1100M is ok. Matthias Am Dienstag, dem 20.01.2026 um 21:26 +0100 schrieb Tom Hendrikx via dovecot: > Hi Matthias, > > It would be nice if you could verify this assumption by raising the > allowed memory usage (vsz_limit) for the auth process until > YESCRYPT_COST_FACTOR=11 actually works. > > Just curious though, not using yescrypt here > > Kind regards, > Tom > > On 1/16/26 16:38, Matthias Bodenbinder via dovecot wrote: > > Hello John, > > > > I have answered in more detail in another email. > > > > After reading a lot more about this topic I believe it is not a timeout > > issue but more > > of > > a memory allocation issue. > > > > E.g.: > > https://www.openwall.com/lists/yescrypt/2024/03/20/2 > > > > In the above thread it is claimed that: The value 11 results in 1 GiB > > memory usage > > > > That is a lot. I will refrain from using that. I will go for a value of 7. > > That is > > good > > enough. > > > > Kind Regards > > Matthias > > > > > > > > Am Freitag, dem 16.01.2026 um 14:16 +0100 schrieb John Fawcett via dovecot: > > > Hi Matthias > > > > > > I'm pretty sure that this value (AUTH_FAILURE_DELAY_CHECK_MSECS) is the > > > delay that Dovecot waits after the failure before reporting it, so not > > > really relevant since the failure has already happened when that comes > > > into play. > > > > > > Out of curiosity, when you do the test that fails, how long did it take > > > before it failed? > > > > > > Maybe there is a timeout configured in pam (e.g. LOGIN_TIMEOUT in > > > login.defs) or elsewhere. > > > > > > John > > > > > > > > > On 11/01/2026 10:11, Matthias Bodenbinder via dovecot wrote: > > > > Am Freitag, dem 09.01.2026 um 10:30 +0100 schrieb Matthias Bodenbinder > > > > via > > > > dovecot: > > > > > Hi, > > > > > > > > > > dovecot does not work with ENCRYPT_METHOD YESCRYPT and > > > > > YESCRYPT_COST_FACTOR=11. > > > > > I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros. > > > > > > > > > > When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and > > > > > recreacting the > > > > > user > > > > > password for my user and restarting the dovecot service I get: > > > > > > > > > > # doveadm auth test matthias > > > > > Password: > > > > > passdb: matthias auth failed > > > > > extra fields: > > > > > user=matthias > > > > > > > > > > When reverting the change to YESCRYPT_COST_FACTOR=5 it works again: > > > > > > > > > > # doveadm auth test matthias > > > > > Password: > > > > > passdb: matthias auth succeeded > > > > > extra fields: > > > > > user=matthias > > > > > > > > > > > > > > > I have tested this back and forth. The culprit is definitely a high > > > > > value for > > > > > YESCRYPT_COST_FACTOR. A value of 7 is still good but a value of 9 or > > > > > 11 fails. > > > > > > > > Can it be that this problem has to do with > > > > > > > > #define AUTH_FAILURE_DELAY_CHECK_MSECS 500 > > > > > > > > in auth-request-handler.c ? > > > > > > > > Increasing the YESCRYPT_COST_FACTOR for the password hashing will > > > > certainly extend > > > > the > > > > time of the pam auth process. > > > > > > > > Matthias > > > > > > > > _______________________________________________ > > > > dovecot mailing list [email protected] > > > > To unsubscribe send an email [email protected] > > > Hi Matthias > > > > > > I'm pretty sure that this value (AUTH_FAILURE_DELAY_CHECK_MSECS) is > > > the > > > delay that Dovecot waits after the failure before reporting it, so not > > > really relevant since the failure has already happened when that comes > > > into play. > > > > > > Out of curiosity, when you do the test that fails, how long did it > > > take > > > before it failed? > > > > > > Maybe there is a timeout configured in pam (e.g. LOGIN_TIMEOUT in > > > login.defs) or elsewhere. > > > > > > John > > > > > > On 11/01/2026 10:11, Matthias Bodenbinder via dovecot wrote: > > > > > > Am Freitag, dem 09.01.2026 um 10:30 +0100 schrieb Matthias Bodenbinder > > > via > > > dovecot: > > > > > > Hi, > > > > > > dovecot does not work with ENCRYPT_METHOD YESCRYPT and > > > YESCRYPT_COST_FACTOR=11. > > > I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros. > > > > > > When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and > > > recreacting the > > > user > > > password for my user and restarting the dovecot service I get: > > > > > > # doveadm auth test matthias > > > Password: > > > passdb: matthias auth failed > > > extra fields: > > > user=matthias > > > > > > When reverting the change to YESCRYPT_COST_FACTOR=5 it works again: > > > > > > # doveadm auth test matthias > > > Password: > > > passdb: matthias auth succeeded > > > extra fields: > > > user=matthias > > > > > > > > > I have tested this back and forth. The culprit is definitely a high > > > value for > > > YESCRYPT_COST_FACTOR. A value of 7 is still good but a value of 9 or 11 > > > fails. > > > > > > > > > Can it be that this problem has to do with > > > > > > #define AUTH_FAILURE_DELAY_CHECK_MSECS 500 > > > > > > in auth-request-handler.c ? > > > > > > Increasing the YESCRYPT_COST_FACTOR for the password hashing will > > > certainly extend > > > the > > > time of the pam auth process. > > > > > > Matthias > > > > > > _______________________________________________ > > > dovecot mailing list -- [1][email protected] > > > To unsubscribe send an email to [2][email protected] > > > > > > References > > > > > > Visible links > > > 1. mailto:[email protected] > > > 2. mailto:[email protected] > > > _______________________________________________ > > > dovecot mailing list -- [email protected] > > > To unsubscribe send an email to [email protected] > > > > > > _______________________________________________ > > dovecot mailing list -- [email protected] > > To unsubscribe send an email to [email protected] > > _______________________________________________ > dovecot mailing list -- [email protected] > To unsubscribe send an email to [email protected] _______________________________________________ dovecot mailing list -- [email protected] To unsubscribe send an email to [email protected]
