Hello, with no reply yet on this topic I am wondering if this is the right place to address the topic.
With its behaviour dovecot prevents the hardening of password hashes. For security reasons it is recommended to increase YESCRYPT_COST_FACTOR above the default value of 5, e.g.
https://linux-audit.com/authentication/linux-password-security-hashing-rounds/#yescrypt

This is not possible when dovecot is running because dovecot cannot authenticate users where the password was created with a high YESCRYPT_COST_FACTOR. And this affects all major linux distros because they all use ENCRYPT_METHOD YESCRYPT these days (e.g. debian, ubuntu, fedora, arch, kali linux).

Can someone please let me know if this mailing list is the right place to address this and/or recommend a better place to me?

Thank you,
Matthias

On Sunday, 11.01.2026 at 10:11 +0100, Matthias Bodenbinder via dovecot wrote:
> On Friday, 09.01.2026 at 10:30 +0100, Matthias Bodenbinder via dovecot wrote:
> > Hi,
> >
> > dovecot does not work with ENCRYPT_METHOD YESCRYPT and
> > YESCRYPT_COST_FACTOR=11.
> > I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros.
> >
> > When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and recreating
> > the user password for my user and restarting the dovecot service I get:
> >
> > # doveadm auth test matthias
> > Password:
> > passdb: matthias auth failed
> > extra fields:
> >   user=matthias
> >
> > When reverting the change to YESCRYPT_COST_FACTOR=5 it works again:
> >
> > # doveadm auth test matthias
> > Password:
> > passdb: matthias auth succeeded
> > extra fields:
> >   user=matthias
> >
> >
> > I have tested this back and forth. The culprit is definitely a high value
> > for YESCRYPT_COST_FACTOR. A value of 7 is still good but a value of 9 or 11
> > fails.
>
> Can it be that this problem has to do with
>
> #define AUTH_FAILURE_DELAY_CHECK_MSECS 500
>
> in auth-request-handler.c ?
>
> Increasing the YESCRYPT_COST_FACTOR for the password hashing will certainly
> extend the time of the pam auth process.
>
> Matthias
>
> _______________________________________________
> dovecot mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
