Ok. Understood. I have now implemented a dovecot specific password file and that works fine.

I believe that this is hard to maintain in a multi-user environment. It imposes an extra user management task on the sys admin and/or the user. From my point of view dovecot should support pam authentication even with the highest security settings out of the box. And that is YESCRYPT_COST_FACTOR=11.

Matthias

On Thursday, 15.01.2026 at 12:03 +0200, Aki Tuomi via dovecot wrote:
> Dovecot is not a UI software so setting too high or heavy computational
> cost will not work. I would recommend you use application password for
> imap access instead or use webmail with oauth2.
>
> It's not really a dovecot problem if you use pam settings that run too
> long.
>
> Aku
>
> > On 15/01/2026 11:24 EET Matthias Bodenbinder via dovecot
> > <[1][email protected]> wrote:
> >
> > Hello,
> >
> > with no reply yet on this topic I am wondering if this is the right
> > place to address the topic.
> >
> > With its behaviour dovecot prevents the hardening of password
> > hashes. For security reasons it is recommended to increase
> > YESCRYPT_COST_FACTOR above the default value of 5.
> >
> > e.g.
> >
> > [2]https://linux-audit.com/authentication/linux-password-security-hashing-rounds/#yescrypt
> >
> > This is not possible when dovecot is running because dovecot can not
> > authenticate users where the password was created with a high
> > YESCRYPT_COST_FACTOR.
> >
> > And this affects all major linux distros because they all use
> > ENCRYPT_METHOD YESCRYPT these days. (e.g. debian, ubuntu, fedora,
> > arch, kali linux)
> >
> > Can someone please let me know if this mailing list is the right place
> > to address this and/or recommend a better place to me?
> >
> > Thank you,
> > Matthias
> >
> > On Sunday, 11.01.2026 at 10:11 +0100, Matthias Bodenbinder via dovecot wrote:
> > > On Friday, 09.01.2026 at 10:30 +0100, Matthias Bodenbinder via dovecot wrote:
> > > > Hi,
> > > >
> > > > dovecot does not work with ENCRYPT_METHOD YESCRYPT and
> > > > YESCRYPT_COST_FACTOR=11.
> > > > I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros.
> > > >
> > > > When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and
> > > > recreating the user password for my user and restarting the
> > > > dovecot service I get:
> > > >
> > > > # doveadm auth test matthias
> > > > Password:
> > > > passdb: matthias auth failed
> > > > extra fields:
> > > >   user=matthias
> > > >
> > > > When reverting the change to YESCRYPT_COST_FACTOR=5 it works again:
> > > >
> > > > # doveadm auth test matthias
> > > > Password:
> > > > passdb: matthias auth succeeded
> > > > extra fields:
> > > >   user=matthias
> > > >
> > > > I have tested this back and forth. The culprit is definitely a high
> > > > value for YESCRYPT_COST_FACTOR. A value of 7 is still good but a
> > > > value of 9 or 11 fails.
> > >
> > > Can it be that this problem has to do with
> > >
> > > #define AUTH_FAILURE_DELAY_CHECK_MSECS 500
> > >
> > > in auth-request-handler.c ?
> > >
> > > Increasing the YESCRYPT_COST_FACTOR for the password hashing will
> > > certainly extend the time of the pam auth process.
> > >
> > > Matthias
> > >
> > > _______________________________________________
> > > dovecot mailing list -- [3][email protected]
> > > To unsubscribe send an email to [4][email protected]
> >
> > References
> >
> > Visible links
> > 1. mailto:[email protected]
> > 2. https://linux-audit.com/authentication/linux-password-security-hashing-rounds/#yescrypt
> > 3. mailto:[email protected]
> > 4. mailto:[email protected]
> > 5. mailto:[email protected]
> > 6. mailto:[email protected]
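For anyone weighing the cost factor discussed in this thread, here is an added Python example (not from the thread, the dovecot project or libxcrypt). It decodes the N and r parameters that are encoded in the prefix of a yescrypt `$y$` hash, reports the memory one verification needs, and optionally times a single crypt(3) call through libcrypt via ctypes. The mapping from YESCRYPT_COST_FACTOR to N = 2^(cost+7) with r = 32 is my reading of libxcrypt's gensalt code and is labelled as an assumption; the salt and password strings are constructed placeholders. The thread does not establish which dovecot timeout trips, so the example only shows the cost side.

```python
# Added example, not from the dovecot thread, the dovecot project or libxcrypt:
# decode the cost parameters of a yescrypt "$y$" setting and optionally time
# one hash, so an admin can see what raising YESCRYPT_COST_FACTOR costs a
# PAM-backed service before doing it.
import ctypes
import ctypes.util
import time

# crypt(3)-style alphabet used by yescrypt settings: "./0-9A-Za-z"
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
YESCRYPT_RW = 0x002           # memory-hard read-write mode
YESCRYPT_RW_FLAVOR_SHIFT = 2  # how mode flags are packed into the flavor symbol


def decode64_uint32(s, pos, minimum):
    """Variable-length integer decoding as in yescrypt-common.c.

    The first symbol picks a range (values below 48 fit in one symbol); each
    further symbol carries 6 more bits. Returns (value, next position).
    """
    start, end, chars, bits = 0, 47, 1, 0
    c = ITOA64.index(s[pos])
    pos += 1
    value = minimum
    while c > end:
        value += (end + 1 - start) << bits
        start = end + 1
        end = start + (62 - end) // 2
        chars += 1
        bits += 6
    value += (c - start) << bits
    while chars > 1:
        chars -= 1
        bits -= 6
        value += ITOA64.index(s[pos]) << bits
        pos += 1
    return value, pos


def decode_yescrypt_setting(setting):
    """Parse '$y$<params>$<salt>$...' into flags, N, r and memory need.

    Only the mandatory flavor/N/r fields are decoded; optional p/t/g extras,
    if present, are returned undecoded in 'extra_params'.
    """
    if not setting.startswith("$y$"):
        raise ValueError("not a yescrypt ($y$) setting")
    params = setting[3:].partition("$")[0]
    flavor, pos = decode64_uint32(params, 0, 0)
    n_log2, pos = decode64_uint32(params, pos, 1)
    r, pos = decode64_uint32(params, pos, 1)
    if flavor < YESCRYPT_RW:
        flags = flavor  # classic scrypt-compatible modes
    else:
        flags = YESCRYPT_RW | ((flavor - YESCRYPT_RW) << YESCRYPT_RW_FLAVOR_SHIFT)
    n = 1 << n_log2
    return {
        "flags": flags, "N_log2": n_log2, "N": n, "r": r,
        "memory_bytes": 128 * r * n,  # scrypt family: N blocks of 128*r bytes (p=1)
        "extra_params": params[pos:],
    }


def encode64_small(value, minimum):
    """Single-symbol encoding for value - minimum < 48 (enough for N_log2 and r)."""
    v = value - minimum
    if not 0 <= v < 48:
        raise ValueError("value needs the multi-symbol encoding, not handled here")
    return ITOA64[v]


def setting_for_cost_factor(cost, salt="c0nstructedSalt."):
    """Setting prefix a login.defs YESCRYPT_COST_FACTOR should produce.

    Assumption about libxcrypt's gensalt for cost 3..11: flavor 'j',
    N = 2^(cost + 7), r = 32. The default salt is a constructed placeholder.
    """
    if not 3 <= cost <= 11:
        raise ValueError("assumed mapping only covers cost factors 3..11")
    return "$y$j" + encode64_small(cost + 7, 1) + encode64_small(32, 1) + "$" + salt + "$"


def time_hash(setting, password="constructed-password"):
    """Seconds for one crypt(3) call under `setting`, or None when libcrypt is
    missing or rejects the setting (libxcrypt returns a "*0"/"*1" failure token)."""
    name = ctypes.util.find_library("crypt")
    if name is None:
        return None
    try:
        lib = ctypes.CDLL(name)
        lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        lib.crypt.restype = ctypes.c_char_p
    except (OSError, AttributeError):
        return None
    t0 = time.perf_counter()
    out = lib.crypt(password.encode(), setting.encode())
    elapsed = time.perf_counter() - t0
    return None if not out or out.startswith(b"*") else elapsed


if __name__ == "__main__":
    for cost in (5, 7, 9, 11):
        s = setting_for_cost_factor(cost)
        info = decode_yescrypt_setting(s)
        print(f"cost {cost:2d}: {s[:7]} N=2^{info['N_log2']} r={info['r']} "
              f"memory={info['memory_bytes'] // 2**20} MiB")
    # Only the default cost is timed so the demo never allocates 1 GiB.
    secs = time_hash(setting_for_cost_factor(5))
    print("one hash at cost 5:", f"{secs:.3f}s" if secs is not None
          else "n/a (no libcrypt with yescrypt support)")
```

Run it with `python3 yescrypt_cost.py`. Under the assumed mapping, every step of the cost factor doubles N and therefore the memory per verification (16 MiB at cost 5, 1 GiB at cost 11), which is why the wall-clock time of a PAM check grows far faster than the single-digit cost value suggests. To time the higher settings on a test host, pass `setting_for_cost_factor(9)` or `setting_for_cost_factor(11)` to `time_hash` yourself; the default run leaves them out deliberately.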
