On Dec 17, 2008, at 5:47 PM, Jose Celestino wrote:

Words by Mike Abbott [Wed, Dec 17, 2008 at 09:35:16AM -0600]:
Here are a few more patches. Still keeping it easy for now. Again the
basis for these patches is dovecot-1.1.7.

[...]
Patch #8.  Back off after auth failures to deter abusers.  Stalls 5
seconds per failed attempt.

Can you make #8 configurable? We already have a sleep on auth failure on
the module that does the auth (checkpassword) with some extra checks
(for instance does not sleep on authentications coming from our webmail
servers because they already do that) so we may not want that enabled.

dovecot-auth already does internally a 0-2 second failure delay (flushes failures every 2 seconds). Hmm. Wonder if the increased waiting could be done by dovecot-auth instead. There you can already disable the internal wait by returning a "nodelay" field from checkpassword (maybe you do already?)
