ottoka opened a new pull request #746: URL: https://github.com/apache/james-project/pull/746
For standalone James installations, there should be some basic protection against people/bots abusing James as a password oracle for brute-force/dictionary attacks. This needs to be enforced in a central location, so it affects all of the various protocols supported by James.

This proposal adds an option verifyFailureDelay to usersrepository.xml, which delays the response if someone tries to authenticate with a non-existing user or wrong password. There is intentionally no distinction between these two cases, so it also covers username guessing attacks.

Introducing this feature should not affect existing James installations, so the default is 0 delay/disabled.

T-Shirt size S.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
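The mechanism the proposal describes, as an added illustration that is not the pull request's code and not part of James: a users repository whose verify() applies one fixed delay on every failed authentication, whether the user is unknown or the password is wrong, with the delay defaulting to 0 (disabled). The class name, the in-memory PBKDF2 store, the injectable sleep function and the dummy-hash step for unknown users are all assumptions of this example; the last one goes slightly beyond the description, because adding a delay after the failure does not by itself equalise the cost of the "user not found" and "wrong password" paths.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Tuple


class UsersRepository:
    """Toy users repository with a verifyFailureDelay-style option.

    Assumptions (example code, not James): credentials are kept in memory as
    PBKDF2-HMAC-SHA256 hashes, and the delay is applied inside verify() so
    every protocol front end that calls it gets the same behaviour.
    """

    PBKDF2_ROUNDS = 100_000
    # Hypothetical fixed salt used when the user does not exist, so the
    # password-hashing cost is paid on that path too; otherwise an unknown
    # user answers measurably faster than a wrong password.
    _DUMMY_SALT = b"\x00" * 16

    def __init__(self, verify_failure_delay: float = 0.0,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        # Default 0 mirrors the proposal: disabled unless configured.
        if verify_failure_delay < 0:
            raise ValueError("verifyFailureDelay must be >= 0")
        self.verify_failure_delay = verify_failure_delay
        self._sleep = sleep  # injectable so a test does not have to wait
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    @classmethod
    def _hash(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, cls.PBKDF2_ROUNDS)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def verify(self, username: str, password: str) -> bool:
        """Return True only for a known user with the right password."""
        record = self._users.get(username)
        if record is None:
            # Unknown user: hash anyway, then take the same failure path.
            self._hash(password, self._DUMMY_SALT)
            ok = False
        else:
            salt, expected = record
            ok = hmac.compare_digest(self._hash(password, salt), expected)
        if not ok and self.verify_failure_delay > 0:
            # One delay for both failure causes, so response time does not
            # tell a caller whether the username exists.
            self._sleep(self.verify_failure_delay)
        return ok


def timed_verify(repo: UsersRepository, username: str,
                 password: str) -> Tuple[bool, float]:
    """Run verify() and report the wall-clock time it took, in seconds."""
    start = time.perf_counter()
    ok = repo.verify(username, password)
    return ok, time.perf_counter() - start


if __name__ == "__main__":
    # Constructed demo: default (disabled) versus a 0.5 s failure delay.
    for delay in (0.0, 0.5):
        repo = UsersRepository(verify_failure_delay=delay)
        repo.add_user("alice", "correct horse battery staple")
        for user, pw in (("alice", "correct horse battery staple"),
                         ("alice", "wrong"),
                         ("nobody", "wrong")):
            ok, secs = timed_verify(repo, user, pw)
            print(f"delay={delay:.1f}s {user!r:10} ok={ok!s:5} took {secs:.3f}s")
```

Two practitioner caveats. A fixed delay slows down one connection, not an attacker who opens many in parallel, so it is the "basic protection" the description calls it and should sit alongside per-source rate limiting. And in a thread-per-connection server each sleeping failed login holds a thread, so a long delay turns the protection into a cheap way to exhaust the connection pool; keep it short (hundreds of milliseconds to a few seconds).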
