RE: Dovecot password policy

2016-08-05 Thread Michael Fox
> A lot of “bots” try very simple passwords say less than X characters; over and over and over again before they give up.
>
> I realize Dovecot mitigates this by slowing them down; but always nice to have another optional layer of defense to clip this kind of garbage closer to the door.

Re: Dovecot password policy

2016-08-05 Thread Joseph Tam
Robert Blayzor writes:

> Is there a way to configure Dovecot to perhaps filter/enforce which passwords are accepted before authenticating?
>
> Ie: Reject immediately (without a database lookup) if password is not X characters in length?

Yes, use the checkpassword hook.

Re: Dovecot password policy

2016-08-05 Thread Aki Tuomi
> On August 5, 2016 at 9:10 PM Robert Blayzor wrote:
>
> On Aug 5, 2016, at 12:12 PM, Aki Tuomi wrote:
> >
> > The response time will be same anyways.
> >
> > Anyways. It is better to enforce this kind of thing when users define the

Re: Dovecot password policy

2016-08-05 Thread Robert Blayzor
On Aug 5, 2016, at 12:12 PM, Aki Tuomi wrote:

> The response time will be same anyways.
>
> Anyways. It is better to enforce this kind of thing when users define the password than during login.

The idea would be to mitigate unnecessary database dips for password

Re: Dovecot password policy

2016-08-05 Thread Aki Tuomi
> On August 5, 2016 at 6:47 PM "Michael A. Peters" wrote:
>
> On 08/05/2016 08:41 AM, Robert Blayzor wrote:
> > Is there a way to configure Dovecot to perhaps filter/enforce which passwords are accepted before authenticating?
> >
> > Ie: Reject immediately

Re: Dovecot password policy

2016-08-05 Thread Michael A. Peters
On 08/05/2016 08:41 AM, Robert Blayzor wrote:

> Is there a way to configure Dovecot to perhaps filter/enforce which passwords are accepted before authenticating?
>
> Ie: Reject immediately (without a database lookup) if password is not X characters in length?

? Not sure what the benefit would