Re: [Dovecot] SSL Certificate Authentication
What you really want is the AUTH EXTERNAL authentication mechanism. This would authenticate your users based on the used certificate. Unfortunately, this mechanism is not supported in dovecot as well as in most clients. Courier supports it since some months if you really need it.

There's no way in dovecot to use no password, but there's one to use any password: Your password database has to return the field nopassword, value 1. But you should consider that this means that your users can impersonate any other user on your mailserver as the SSL certificate here only controls access, but not identity.

-----Original Message-----
From: dovecot-bounces+siebert+lists=et.rub...@dovecot.org [mailto:dovecot-bounces+siebert+lists=et.rub...@dovecot.org] On Behalf Of Anthony Davies
Sent: Thursday, December 18, 2008 12:27 AM
To: dovecot@dovecot.org
Subject: [Dovecot] SSL Certificate Authentication

Hi Guys,

I am using the SSL Client Certificate authentication method for my Dovecot instance, however rather than just requiring the client certificate it also prompts me for my user password. My certificate was securely generated on a smart card and is passphrase protected so I would like to stop having to enter my certificate passphrase and my user password to collect my mail.

Whereabouts in the config file can I resolve this issue?

Cheers,
Tony Davies
Re: [Dovecot] Segfault on antispam plugin
On Wed, Dec 17, 2008 at 4:45 PM, Allan Cassaro allan.cass...@gmail.com wrote:
On Thu, Dec 11, 2008 at 7:49 AM, Allan Cassaro allan.cass...@gmail.com wrote:
On Thu, Dec 11, 2008 at 7:17 AM, Steffen Kaiser skdove...@smail.inf.fh-brs.de wrote:
On Thu, 11 Dec 2008, Allan Cassaro wrote:
On Thu, 11 Dec 2008, Allan Cassaro wrote:

I don't have SELinux, or any type of hardening... The ulimit (when logged with dovecot user) is unlimited...

Yes, but when Dovecot is spawned as service, the user dovecot does not log in (through PAM anyway to have pam_limits invoked), therefore I assume that limits.conf does not take effect.

Dovecot ran with a lot of processes here, something about 800~900 imap processes and 5~10 login-processes to 300~400 simultaneous users...

Hmm, I do remember something similar when the new students arrived and the number of simultaneous logins increased above some limit. I added the ulimit command to init.d.

After our conversation, I made some tests:

1) Adding this line to /etc/pam.d/common-session (Debian system)

    session required pam_limits.so

    # cat /etc/security/limits.conf
    dovecot hard nofile 2048
    dovecot soft nofile 2048

The limits.conf is respected now.

    # su -c 'ulimit -n' dovecot
    2048

(The value of limits.conf)

(no login)

    # /etc/init.d/dovecot restart
    Warning: fd limit 1024 is lower than what Dovecot can use under full load (more than 1456). Either grow the limit or change login_max_processes_count and max_mail_processes settings

(Problem persists)

2) Change the ulimit for root user (as you saw):

    # ulimit -n 2048
    # /etc/init.d/dovecot restart
    (no errors)
    # cat /etc/security/limits.conf
    dovecot hard nofile 2048
    dovecot soft nofile 2048
    root hard nofile 2048
    root soft nofile 2048

So, I think that dovecot uses the limit from the root user, not dovecot... Now I will wait 20 minutes and see what happens :D

Hooo.. another (ugly) thing: When imap crashes, the antispam plugin doesn't erase the /tmp/antispam-plugin-X dir (obviously).

So this is possibly to delay or avoid creation of temp dirs?

Hi Steffen, after some other tests, I don't have problems with file descriptors any more, but the plugin still makes the imap process die with a segfault... How can I help more to find this issue? Regards.

Now, I compiled with debug enabled and I can see (a lot of) this on syslog:

    Dec 18 10:30:13 curie imap: antispam: plugin initialising (1.1-notgit)
    Dec 18 10:30:13 curie imap: antispam: no trash folders
    Dec 18 10:30:13 curie imap: antispam: Bloqueados is spam folder
    Dec 18 10:30:13 curie imap: antispam: no unsure folders
    Dec 18 10:30:13 curie imap: antispam: mail backend spam address -a
    Dec 18 10:30:13 curie imap: antispam: mail backend not-spam address -d
    Dec 18 10:30:13 curie imap: antispam: mail backend sendmail /usr/libexec/dovecot/blockthis.py
    Dec 18 10:30:13 curie imap: antispam: mail backend sendmail arg -u
    Dec 18 10:30:13 curie imap: antispam: mail backend sendmail arg abuarque
    Dec 18 10:30:13 curie imap: antispam: mail backend tmpdir /tmp
    Dec 18 10:30:13 curie dovecot: child 29672 (imap) killed with signal 11

Regards.
Re: [Dovecot] [PATCH] drop root privileges on solaris, request for testing
Andrey Panin wrote:
On 349, 12 14, 2008 at 08:03:25AM +0200, Timo Sirainen wrote:
On Fri, 2008-11-21 at 15:30 +0300, Andrey Panin wrote:

Hello all, this patch allows master process to drop more root privileges under Solaris. My limited testing shows that code works, but I'm not sure that defined privilege set is permissive enough for dovecot. Unfortunately I have no root access to our Solaris servers to really test it. So if someone is ready to test this patch please do it :)

Since no-one's offered to test perhaps I'll just put this into v1.2 and see if anyone complains? :)

I have no objections for this plan :)

Sorry I missed this when first announced (wasn't paying attention I guess). I've applied the patch to Dovecot 1.1.7 (with minor change to configure.in) on Solaris 10 sparc 64-bit but Dovecot fails on startup

    dovecot: Dec 18 12:45:47 Info: Dovecot v1.1.7 starting up
    dovecot: Dec 18 12:45:47 Fatal: auth(default): initgroups(root, 0) failed: Not owner
    dovecot: Dec 18 12:45:47 Fatal: Auth process died too early - shutting down

The same config with vanilla Dovecot 1.1.7 works fine, so I'm guessing it dropped too many privileges.

We actually run our live Dovecot on a Solaris 8 box, but Solaris 8 doesn't support setppriv, I think.

Best Wishes,
Chris

--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wake...@reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
Re: [Dovecot] Segfault on antispam plugin
On Thu, 18 Dec 2008, Allan Cassaro wrote:

BTW: Without a trash folder configured, deleting a mail from the SPAM folder will cause a HAM learning.

    Dec 18 10:30:13 curie imap: antispam: mail backend sendmail /usr/libexec/dovecot/blockthis.py

Hmm, antispam uses exec() to execute the binary. I'm not sure whether or not the kernel supports shell scripts here. I suggest to use the interpreter python as binary and the script as argument.

    Dec 18 10:30:13 curie imap: antispam: mail backend tmpdir /tmp
    Dec 18 10:30:13 curie dovecot: child 29672 (imap) killed with signal 11

With that I cannot really help you. Usually I try to put some debug() statements in there to check, how far the process runs before it dies, in order to narrow down the point in the source. However, I'm not the developer of this plugin and I cannot help you debugging stack traces or core dumps.

Bye,

--
Steffen Kaiser
Re: [Dovecot] Segfault on antispam plugin
On Thu, Dec 18, 2008 at 11:00 AM, Steffen Kaiser skdove...@smail.inf.fh-brs.de wrote:
On Thu, 18 Dec 2008, Allan Cassaro wrote:

BTW: Without a trash folder configured, deleting a mail from the SPAM folder will cause a HAM learning.

Yes! This is exactly what I want! :D If the user puts some e-mail in the Blocked folder, the python script extracts the From and modifies the sieve of this user and inserts a fileinto Trash. If the user excludes it (or moves it to another folder) the script removes the fileinto rule. Works wonderfully! My users really like it! :D

    Dec 18 10:30:13 curie imap: antispam: mail backend sendmail /usr/libexec/dovecot/blockthis.py

Hmm, antispam uses exec() to execute the binary. I'm not sure whether or not the kernel supports shell scripts here. I suggest to use the interpreter python as binary and the script as argument.

Well, this error doesn't occur all the time. It is very intermittent. I don't believe that this is the problem... But I can test...

    Dec 18 10:30:13 curie imap: antispam: mail backend tmpdir /tmp
    Dec 18 10:30:13 curie dovecot: child 29672 (imap) killed with signal 11

With that I cannot really help you. Usually I try to put some debug() statements in there to check, how far the process runs before it dies, in order to narrow down the point in the source. However, I'm not the developer of this plugin and I cannot help you debugging stack traces or core dumps.

Humm... this is bad... :( But if I can help you to help me with anything...

Regards.
Re: [Dovecot] [PATCH] drop root privileges on solaris, request for testing
On 353, 12 18, 2008 at 12:50:11PM +, Chris Wakelin wrote:
Andrey Panin wrote:
On 349, 12 14, 2008 at 08:03:25AM +0200, Timo Sirainen wrote:
On Fri, 2008-11-21 at 15:30 +0300, Andrey Panin wrote:

Hello all, this patch allows master process to drop more root privileges under Solaris. My limited testing shows that code works, but I'm not sure that defined privilege set is permissive enough for dovecot. Unfortunately I have no root access to our Solaris servers to really test it. So if someone is ready to test this patch please do it :)

Since no-one's offered to test perhaps I'll just put this into v1.2 and see if anyone complains? :)

I have no objections for this plan :)

Sorry I missed this when first announced (wasn't paying attention I guess). I've applied the patch to Dovecot 1.1.7 (with minor change to configure.in) on Solaris 10 sparc 64-bit but Dovecot fails on startup

    dovecot: Dec 18 12:45:47 Info: Dovecot v1.1.7 starting up
    dovecot: Dec 18 12:45:47 Fatal: auth(default): initgroups(root, 0) failed: Not owner
    dovecot: Dec 18 12:45:47 Fatal: Auth process died too early - shutting down

The same config with vanilla Dovecot 1.1.7 works fine, so I'm guessing it dropped too many privileges.

Can you try running ppriv -D dovecot to determine which privilege is missing?

We actually run our live Dovecot on a Solaris 8 box, but Solaris 8 doesn't support setppriv, I think.
Re: [Dovecot] Dovecot imap processes pinning CPU
Steffen Weber wrote:

Just saw this thread on This fix seems to work for me:
http://lkml.indiana.edu/hypermail/linux/kernel/0812.1/00998.html

That fixed it for me as well. You can get the patch from gitweb at (formatting is a bit nicer for patching):
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=711a49a07f84f914aac26a52143f6e7526571143

It is not fixed in 2.6.27.9, but will be fixed in 2.6.27.10 according to Greg KH:
http://lkml.org/lkml/2008/12/14/162

Good, I guess we just picked the wrong time to update our mail server to the latest stable kernel.
Re: [Dovecot] SSL Certificate Authentication
On 353, 12 18, 2008 at 01:13:27PM +0100, Thomas Siebert wrote:

What you really want is the AUTH EXTERNAL authentication mechanism. This would authenticate your users based on the used certificate. Unfortunately, this mechanism is not supported in dovecot as well as in most clients. Courier supports it since some months if you really need it.

What widespread mail clients support EXTERNAL? BTW it's trivial to implement it in dovecot if there is a real demand.

There's no way in dovecot to use no password, but there's one to use any password: Your password database has to return the field nopassword, value 1. But you should consider that this means that your users can impersonate any other user on your mailserver as the SSL certificate here only controls access, but not identity.

That's not true. Look at ssl_username_from_cert and ssl_cert_username_field configuration parameters.

-----Original Message-----
From: dovecot-bounces+siebert+lists=et.rub...@dovecot.org [mailto:dovecot-bounces+siebert+lists=et.rub...@dovecot.org] On Behalf Of Anthony Davies
Sent: Thursday, December 18, 2008 12:27 AM
To: dovecot@dovecot.org
Subject: [Dovecot] SSL Certificate Authentication

Hi Guys,

I am using the SSL Client Certificate authentication method for my Dovecot instance, however rather than just requiring the client certificate it also prompts me for my user password. My certificate was securely generated on a smart card and is passphrase protected so I would like to stop having to enter my certificate passphrase and my user password to collect my mail.

Whereabouts in the config file can I resolve this issue?

Cheers,
Tony Davies
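The two setups contrasted in this thread, written out as a Dovecot 1.x dovecot.conf fragment. This is an added example, not configuration posted by anyone on the list; the CA file path is a placeholder, and the passdb is assumed to be whatever is already configured and returning nopassword=1 as described above.

```conf
# Added example, not from the thread. Dovecot 1.x syntax.
# Variants A and B are alternatives; use one of them, not both.

# --- Variant A: certificate controls access only ---------------------
# The client must present a certificate signed by the CA, but the login
# name is still whatever the client sends. With a passdb that returns
# nopassword=1, any certificate holder can log in as any other user.

# Placeholder path: CA certificate(s) followed by the matching CRL(s).
ssl_ca_file = /path/to/client-ca-and-crl.pem
ssl_verify_client_cert = yes

auth default {
  # Fail authentication unless a valid client certificate was presented.
  ssl_require_client_cert = yes
  # ssl_username_from_cert is left unset here, so the name is client-chosen.
  # (existing passdb/userdb blocks go here, passdb returning nopassword=1)
}

# --- Variant B: certificate also fixes identity ----------------------
# The login name is taken from the verified certificate, so the name the
# client sends no longer decides which mailbox is opened.

ssl_ca_file = /path/to/client-ca-and-crl.pem
ssl_verify_client_cert = yes
# Subject field used as the login name. The CA must only issue
# certificates whose value in this field matches the owner's account.
ssl_cert_username_field = commonName

auth default {
  ssl_require_client_cert = yes
  ssl_username_from_cert = yes
  # (existing passdb/userdb blocks go here, passdb returning nopassword=1)
}
```

With Variant B the trust decision moves to the CA: anyone able to obtain a certificate with another user's name in the chosen subject field gets that user's mailbox, so the CA file should contain only the CA that issues these user certificates.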
Re: [Dovecot] [PATCH] drop root privileges on solaris, request for testing
Andrey Panin wrote:

I've applied the patch to Dovecot 1.1.7 (with minor change to configure.in) on Solaris 10 sparc 64-bit but Dovecot fails on startup

    dovecot: Dec 18 12:45:47 Info: Dovecot v1.1.7 starting up
    dovecot: Dec 18 12:45:47 Fatal: auth(default): initgroups(root, 0) failed: Not owner
    dovecot: Dec 18 12:45:47 Fatal: Auth process died too early - shutting down

The same config with vanilla Dovecot 1.1.7 works fine, so I'm guessing it dropped too many privileges.

Can you try running ppriv -D dovecot to determine which privilege is missing ?

Difficult as the dovecot master process dies as soon as the dovecot-auth process ends. I ran a truss -f on it though and found:

    26409: setppriv(PRIV_SET, PRIV_PERMITTED, {0250004b0400}) = 0
    26409: setppriv(PRIV_SET, PRIV_EFFECTIVE, {0250004b0400}) = 0
    ...
    26411: setgroups(11, 0x0006C290) Err#1 EPERM [proc_setid]
    26411: write(2, 01 F i n i t g r o u p s.., 40) = 40
    26411: _exit(89)

From the setgroups manpage:

    ERRORS
    The getgroups() and setgroups() functions will fail if:
    ...
    EPERM The {PRIV_PROC_SETID} privilege is not asserted in the effective set of the calling process.

I tried omitting PRIV_PROC_SETID from the list in capabilities-solaris.c but that doesn't seem to make much difference except

    19468: setppriv(PRIV_SET, PRIV_PERMITTED, {0250004b}) = 0
    19468: setppriv(PRIV_SET, PRIV_EFFECTIVE, {0250004b}) = 0

I don't know much about process privileges, but could it be that the dovecot-auth subprocess isn't inheriting the privileges from the master process? I can send you the whole truss files if you like.

Best Wishes,
Chris

--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wake...@reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
Re: [Dovecot] [PATCH] drop root privileges on solaris, request for testing
Chris Wakelin wrote:
Andrey Panin wrote:

I've applied the patch to Dovecot 1.1.7 (with minor change to configure.in) on Solaris 10 sparc 64-bit but Dovecot fails on startup

    dovecot: Dec 18 12:45:47 Info: Dovecot v1.1.7 starting up
    dovecot: Dec 18 12:45:47 Fatal: auth(default): initgroups(root, 0) failed: Not owner
    dovecot: Dec 18 12:45:47 Fatal: Auth process died too early - shutting down

The same config with vanilla Dovecot 1.1.7 works fine, so I'm guessing it dropped too many privileges.

Can you try running ppriv -D dovecot to determine which privilege is missing ?

Aha! I found out why that didn't work; needs -e.

    # ppriv -D -e dovecot
    dovecot[19610]: missing privilege ALL (euid = 65534, syscall = 23) needed at setuid+0x98
    dovecot[19610]: missing privilege proc_setid (euid = 65534, syscall = 46) needed at setgid+0x9c
    imap[19610]: missing privilege ALL (euid = 65534, syscall = 23) needed at setuid+0x98

    # ppriv -D -s +proc_setid -e dovecot
    dovecot[19632]: missing privilege ALL (euid = 65534, syscall = 23) needed at setuid+0x98
    Fatal: We couldn't drop root group privileges (wanted=65534, gid=0, egid=0)
    Error: imap dump-capability process returned 89
    Fatal: Invalid configuration in dovecot.conf

I'm confused as to whether the list in capabilities-solaris.c is privileges to drop or privileges to set?

Best Wishes,
Chris

--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wake...@reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
Re: [Dovecot] nopassword extra field useless with LDAP passdb
Do you have a nopassword field in LDAP? If not, then it doesn't get set. Perhaps what you want is:

    pass_attrs = uid=user, =nopassword=1

Timo,

Thank you for your tip. The correct dovecot-ldap.conf line should look like:

    pass_attrs = uid=user, =password=, =nopassword=1

But even in this case we get:

    dovecot: auth(default): ldap(user1,127.0.0.1): pass search: base=ou=People,dc=example,dc=local scope=subtree filter=((objectClass=inetOrgPerson)(uid=user1)) fields=uid
    dovecot: auth(default): ldap(user1,127.0.0.1): result: uid(user)=user1
    dovecot: auth(default): ldap(user1,127.0.0.1): No password in reply
    dovecot: auth(default): client out: FAIL1 user=user1 temp

in our logs. I believe this is due to the way attribute templates/static fields are processed in db-ldap.c.

Thanks in advance!

P.S. By the way, could you please share your opinion about possible SASL EXTERNAL usage in this case? Do you think this is the appropriate use case?
Re: [Dovecot] OT: Looking for a robust IMAP client
On Mon, 15 Dec 2008 12:45:13 -0500 Stewart Dean sd...@bard.edu wrote:

Is there a simple robust IMAP client to replace Pine (which I *think* is no longer supported)? GUI or TTY session? I'm wondering if there is something we can tell users to use when Things Are Dire. GUI would be better since it removes one of the few remaining reasons for a logon server

GUIwise, I have been using Sylpheed for years, both personally and professionally, and I believe it to be the best GUI-type IMAP client around. It too does the header caching and other stuff mentioned but, compared with Thunderbird, it has:

. always performed better (i.e., faster)
. never crashed (AFAICR)

Bling-wise, it's a bit poor, but it gets the job done.

Mário Barbosa
Re: [Dovecot] OT: Looking for a robust IMAP client
On Thu, 18 Dec 2008 22:11:25 + Mário Barbosa mplbarb...@clix.pt wrote:
On Mon, 15 Dec 2008 12:45:13 -0500 Stewart Dean sd...@bard.edu wrote:

Is there a simple robust IMAP client to replace Pine (which I *think* is no longer supported)? GUI or TTY session? I'm wondering if there is something we can tell users to use when Things Are Dire. GUI would be better since it removes one of the few remaining reasons for a logon server

GUIwise, I have been using Sylpheed for years, both personally and professionally, and I believe it to be the best GUI-type IMAP client around. It too does the header caching and other stuff mentioned but, compared with Thunderbird, it has:

. always performed better (i.e., faster)
. never crashed (AFAICR)

Bling-wise, it's a bit poor, but it gets the job done.

Mário Barbosa

I would recommend Claws Mail instead, it is the successor of Sylpheed and is much better... :)

BTJ

--
---
Bjørn T Johansen b...@havleik.no
---
Someone wrote: I understand that if you play a Windows CD backwards you hear strange Satanic messages
To which someone replied: It's even worse than that; play it forwards and it installs Windows
---
Re: [Dovecot] nopassword extra field useless with LDAP passdb
Timo,

Seems that nopassword extra field (more exactly, auth_request->no_password condition) is completely ignored in passdb-ldap.c, due to (line 112 as of Dovecot 1.1.7):

===
if (auth_request->passdb_password == NULL) {
	auth_request_log_error(auth_request, "ldap",
			       "No password in reply");
} else if (ldap_next_entry(conn->ld, entry) != NULL) {
	auth_request_log_error(auth_request, "ldap",
		"pass_filter matched multiple objects, aborting");
} else if (auth_request->passdb_password == NULL &&
	   !auth_request->no_password) {
	auth_request_log_info(auth_request, "ldap",
		"Empty password returned without nopassword");
	passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
} else {
	/* passdb_password may change on the way,
	   so we'll need to strdup. */
	password = t_strdup(auth_request->passdb_password);
	passdb_result = PASSDB_RESULT_OK;
}
===

As we see, the first if block intercepts auth_request->passdb_password == NULL condition, ignoring auth_request->no_password and making line 127 (passdb_result = PASSDB_RESULT_OK) unreachable even if auth_request->no_password is set.

For my local installation I've just removed the first if block (see patch in attachment), and it seems to fix the problem.

--- src/auth/passdb-ldap.c 2008-10-26 18:00:45.0 +0300 +++ src/auth/passdb-ldap.c.nopassword 2008-12-19 01:57:18.0 +0300 @@ -109,10 +109,7 @@ password = NULL; ldap_query_save_result(conn, entry, auth_request); - if (auth_request-passdb_password == NULL) { - auth_request_log_error(auth_request, ldap, - No password in reply); - } else if (ldap_next_entry(conn-ld, entry) != NULL) { + if (ldap_next_entry(conn-ld, entry) != NULL) { auth_request_log_error(auth_request, ldap, pass_filter matched multiple objects, aborting); } else if (auth_request-passdb_password == NULL
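Review bot: Deleting the first branch outright also changes the case where LDAP returns no password and nopassword is not set: it no longer logs "No password in reply" as an error and instead falls through to the later passdb_password == NULL branch, which logs at info level and returns PASSDB_RESULT_PASSWORD_MISMATCH. If a missing password attribute should still be reported as an error, keep the branch and add the no_password test to its condition (auth_request->passdb_password == NULL && !auth_request->no_password) instead of removing it. With the branch gone, the final else now reaches t_strdup(auth_request->passdb_password) with a NULL pointer whenever no_password is set, so confirm that t_strdup and whatever consumes password accept NULL. The multiple-match check still runs before PASSDB_RESULT_OK can be set, which is the right order for a login that needs no password.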
Re: [Dovecot] More info from mail_log plugin
On Thu, 2008-12-18 at 19:49 +0100, Bardur Haskor wrote:

Thanks a lot :-) it works just like I had hoped for with IMAP. Unfortunately, the mail_log plugin won't start with Pop3 anymore. I get the following error in the log:

    Dec 18 18:24:49 bardur-desktop dovecot: POP3(bardur): dlopen(/usr/local/lib/dovecot/pop3/lib20_mail_log_plugin.so) failed: /usr/local/lib/dovecot/pop3/lib20_mail_log_plugin.so: undefined symbol: imap_write_flags
    Dec 18 18:24:49 bardur-desktop dovecot: Fatal: POP3(bardur): Couldn't load required plugins

This should fix it: http://hg.dovecot.org/dovecot-1.2/rev/5eb05134db86
[Dovecot] Move mail in Maildir without IMAP
I set-up some spam/ham learning folders where a crontab entry learns the mail and then moves it to a different Maildir folder. Unfortunately, since it has a different dovecot-keywords file, any imap flags get changed to unknown-0, unknown-1 etc.

I tried the following, but it didn't work

    mv ${src_ham}/cur/* $dest_ham/new/
    cp ${src_ham}/dovecot-keywords ${dest_ham}

Is there a simple way to do this correctly without going through IMAP?

And are there any more serious consequences of moving mail like this, with dovecot imap running on top.
Re: [Dovecot] Move mail in Maildir without IMAP
On Fri, 2008-12-19 at 01:11 +, RW wrote:

I set-up some spam/ham learning folders where a crontab entry learns the mail and then moves it to a different Maildir folder. Unfortunately, since it has a different dovecot-keywords file, any imap flags get changed to unknown-0, unknown-1 etc.

I tried the following, but it didn't work

    mv ${src_ham}/cur/* $dest_ham/new/
    cp ${src_ham}/dovecot-keywords ${dest_ham}

Is there a simple way to do this correctly without going through IMAP?

No. But you could do something like:

    export MAIL=maildir:/home/user/Maildir
    printf '1 select src\n2 copy 1:* dest\n3 store 1:* +flags.silent \\deleted\n4 close\n' | imap

And are there any more serious consequences of moving mail like this, with dovecot imap running on top.

No.
Re: [Dovecot] Apple patches 6-8
On Wed, 2008-12-17 at 09:35 -0600, Mike Abbott wrote:

Here are a few more patches. Still keeping it easy for now. Again the basis for these patches is dovecot-1.1.7.

Patch #6. Solve a cross-compilation endianness issue. Currently, Dovecot assumes that the endianness of the build system is the same as the endianness of the runtime system. This is not necessarily true. We ran into this while compiling for i386 on a ppc machine. The patch switches to using gcc's __BIG_ENDIAN__ macro; see the comment in the patch to configure.in. It also removes the related and unused MAIL_INDEX_COMPAT_FLAGS parameter. This patch may be applicable to other build environments with a little tweaking.

http://hg.dovecot.org/dovecot-1.1/rev/fdcb5fc6f2d9

Patch #7. Replace all occurrences of hash_create and hash_destroy with hash_table_create and hash_table_destroy respectively. The symbols hash_create and hash_destroy conflict with symbols defined in strhash.h and libc. This showed up when loading dovecot's quota plugin (one of our future patches will add a hash table to it; stay tuned). The wrong hash_create was called which caused a crash at the first hash_insert. Apparently this is only a problem in loaded dynamic libraries and not linked-in ones.

If you start renaming API functions, rename all of them for consistency. :) Probably will stay v1.2-only.

http://hg.dovecot.org/dovecot-1.2/rev/f9166a09423a

Patch #8. Back off after auth failures to deter abusers. Stalls 5 seconds per failed attempt.

http://hg.dovecot.org/dovecot-1.2/rev/1b744c38bcac
http://hg.dovecot.org/dovecot-1.2/rev/164569761647

Your code disabled idle timeout entirely while waiting for the auth failure reply. This doesn't seem such a good idea to me. Rather it sounds like an easy way to DoS the server. Just connect, send about 100 failing LOGIN commands and then do nothing for the next 7 hours (besides what's necessary to keep the TCP connection alive). Repeat with some thousands of clients.