RE: Dovecot password policy

2016-08-05 Thread Michael Fox
> A lot of “bots” try very simple passwords say less than X
> characters; over and over and over again before they give up.
> 
> I realize Dovecot mitigates this by slowing them down; but always nice to
> have another optional layer of defense to clip this kind of garbage closer
> to the door.

Check out fail2ban.  It's very useful for that sort of repeated bot attack.

Michael


Re: Dovecot password policy

2016-08-05 Thread Joseph Tam

Robert Blayzor writes:

> Is there a way to configure Dovecot to perhaps filter/enforce which
> passwords are accepted before authenticating? I.e.: Reject immediately
> (without a database lookup) if password is not X characters in length?

Yes, use the checkpassword hook.

http://wiki.dovecot.org/AuthDatabase/CheckPassword

I think there is also some PAM module that you can stack into your
system that will enforce password policies.

Joseph Tam 


Re: Dovecot password policy

2016-08-05 Thread Aki Tuomi

> On August 5, 2016 at 9:10 PM Robert Blayzor wrote:
> 
> 
> On Aug 5, 2016, at 12:12 PM, Aki Tuomi wrote:
> > 
> > The response time will be the same anyways. 
> > 
> > Anyways. It is better to enforce this kind of thing when users define the 
> > password than during login.
> 
> 
> The idea would be to mitigate unnecessary database dips for passwords that 
> don’t clearly pass said password policy. Sure you can enforce what passwords 
> users use; but you can’t enforce what is being attempted to authenticate. A 
> lot of “bots” try very simple passwords, say less than X characters, over and 
> over and over again before they give up.
> 
> I realize Dovecot mitigates this by slowing them down; but always nice to 
> have another optional layer of defense to clip this kind of garbage closer to 
> the door.
> 
> At the very least have a reject empty password option.
> 
> --
> Robert
> inoc.net!rblayzor
> XMPP: rblayzor.AT.inoc.net
> PGP Key: 78BEDCE1 @ pgp.mit.edu

I would like to mention the new auth policy server support. It works with 
weakforced.

See http://wiki2.dovecot.org/Authentication/Policy

And 

https://github.com/PowerDNS/weakforced

Correct usage should help you more than your plan, I promise.

Aki


Re: Dovecot password policy

2016-08-05 Thread Robert Blayzor
On Aug 5, 2016, at 12:12 PM, Aki Tuomi wrote:
> 
> The response time will be the same anyways. 
> 
> Anyways. It is better to enforce this kind of thing when users define the 
> password than during login.


The idea would be to mitigate unnecessary database dips for passwords that don’t 
clearly pass said password policy. Sure you can enforce what passwords users 
use; but you can’t enforce what is being attempted to authenticate. A lot of 
“bots” try very simple passwords, say less than X characters, over and over and 
over again before they give up.

I realize Dovecot mitigates this by slowing them down; but always nice to have 
another optional layer of defense to clip this kind of garbage closer to the 
door.

At the very least have a reject empty password option.

--
Robert
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu

Re: Dovecot password policy

2016-08-05 Thread Aki Tuomi

> On August 5, 2016 at 6:47 PM "Michael A. Peters" wrote:
> 
> 
> On 08/05/2016 08:41 AM, Robert Blayzor wrote:
> > Is there a way to configure Dovecot to perhaps filter/enforce which 
> > passwords are accepted before authenticating?
> >
> > I.e.: Reject immediately (without a database lookup) if password is not X 
> > characters in length?
> >
> > ?
> >
> 
> Not sure what the benefit would be, other than helping automated bots 
> figure out your minimum password length based upon the response time.

The response time will be the same anyways. 

Anyways. It is better to enforce this kind of thing when users define the 
password than during login.

Aki


Re: Dovecot password policy

2016-08-05 Thread Michael A. Peters

On 08/05/2016 08:41 AM, Robert Blayzor wrote:

> Is there a way to configure Dovecot to perhaps filter/enforce which passwords 
> are accepted before authenticating?
>
> I.e.: Reject immediately (without a database lookup) if password is not X 
> characters in length?
>
> ?



Not sure what the benefit would be, other than helping automated bots 
figure out your minimum password length based upon the response time.