A quick test confirms that HAproxy header IP information does properly
delay the authentication failures upon successive failed login attempts
from the same IP.
And furthermore if the webmail client is delayed on the IMAP level, this
could potentially be exploited for DoS and as such may not b
The wiki states that anvil's authentication penalties are skipped when
IP is in login_trusted_networks.
http://wiki.dovecot.org/Authentication/Penalty
Is there a way to enable the authentication penalties for specific
advertised remote IPs, when the connecting IP is in
"login_trusted_networks"