Hi John, this is not a pam timeout issue. I have the passwords of my user and the root user created with YESCRYPT_COST_FACTOR=11 and it works fine. ssh, postfix, nfs, gdm, etc. Everything works except dovecot.
With this command you can check which YESCRYPT_COST_FACTOR has been used: #### # getent shadow | awk -F: '$2 ~ /^\$/' | column --table --separator :$ root y jFT ... matthias y jFT ... guest y j9T ... #### jFT stands for YESCRYPT_COST_FACTOR=11 j9T stands for YESCRYPT_COST_FACTOR=5 (see also here: https://linux-audit.com/authentication/linux-password-security-hashing-rounds/#yescrypt) When I test for user guest (with j9T) I get: #### # time doveadm auth test guest Password: passdb: guest auth succeeded extra fields: user=guest doveadm auth test guest 0,00s user 0,00s system 0% cpu 2,195 total #### When I test for user matthias (with jFT) I get: #### # time doveadm auth test matthias Password: passdb: matthias auth failed extra fields: user=matthias doveadm auth test matthias 0,00s user 0,00s system 0% cpu 8,996 total #### When I recreate the password for user matthias with YESCRYPT_COST_FACTOR=5 the issue is gone. pamtester is also successful with YESCRYPT_COST_FACTOR=11 #### # pamtester --verbose system-auth matthias authenticate pamtester: invoking pam_start(system-auth, matthias, ...) pamtester: performing operation - authenticate Password: pamtester: successfully authenticated #### ssh login works fine too: #### Jan 16 15:53:08 rakete sshd-session[49576]: Accepted password for matthias from 192.168.132.182 port 50692 ssh2 Jan 16 15:53:08 rakete sshd-session[49576]: pam_unix(sshd:session): session opened for user matthias(uid=1000) by matthias(uid=0) #### I also tested dovecot with YESCRYPT_COST_FACTOR=7 and that worked. YESCRYPT_COST_FACTOR=9 didnt work. Kind Regards Matthias Am Freitag, dem 16.01.2026 um 14:16 +0100 schrieb John Fawcett via dovecot: > Hi Matthias > > I'm pretty sure that this value (AUTH_FAILURE_DELAY_CHECK_MSECS) is the > delay that Dovecot waits after the failure before reporting it, so not > really relevant since the failure has already happened when that comes > into play. > > Out of curiosity, when you do the test that fails, how long did it take > before it failed? > > Maybe there is a timeout configured in pam (e.g. LOGIN_TIMEOUT in > login.defs) or elsewhere. > > John > > > On 11/01/2026 10:11, Matthias Bodenbinder via dovecot wrote: > > Am Freitag, dem 09.01.2026 um 10:30 +0100 schrieb Matthias Bodenbinder via > > dovecot: > > > Hi, > > > > > > dovecot does not work with ENCRYPT_METHOD YESCRYPT and > > > YESCRYPT_COST_FACTOR=11. > > > I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros. > > > > > > When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and > > > recreacting the user > > > password for my user and restarting the dovecot service I get: > > > > > > # doveadm auth test matthias > > > Password: > > > passdb: matthias auth failed > > > extra fields: > > > user=matthias > > > > > > When reverting the change to YESCRYPT_COST_FACTOR=5 it works again: > > > > > > # doveadm auth test matthias > > > Password: > > > passdb: matthias auth succeeded > > > extra fields: > > > user=matthias > > > > > > > > > I have tested this back and forth. The culprit is definitely a high value > > > for > > > YESCRYPT_COST_FACTOR. A value of 7 is still good but a value of 9 or 11 > > > fails. > > > > Can it be that this problem has to do with > > > > #define AUTH_FAILURE_DELAY_CHECK_MSECS 500 > > > > in auth-request-handler.c ? > > > > Increasing the YESCRYPT_COST_FACTOR for the password hashing will certainly > > extend the > > time of the pam auth process. > > > > Matthias > > > > _______________________________________________ > > dovecot mailing list [email protected] > > To unsubscribe send an email [email protected] > Hi Matthias > > I'm pretty sure that this value (AUTH_FAILURE_DELAY_CHECK_MSECS) is the > delay that Dovecot waits after the failure before reporting it, so not > really relevant since the failure has already happened when that comes > into play. > > Out of curiosity, when you do the test that fails, how long did it take > before it failed? > > Maybe there is a timeout configured in pam (e.g. LOGIN_TIMEOUT in > login.defs) or elsewhere. > > John > > On 11/01/2026 10:11, Matthias Bodenbinder via dovecot wrote: > > Am Freitag, dem 09.01.2026 um 10:30 +0100 schrieb Matthias Bodenbinder via > dovecot: > > Hi, > > dovecot does not work with ENCRYPT_METHOD YESCRYPT and > YESCRYPT_COST_FACTOR=11. > I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros. > > When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and recreacting > the user > password for my user and restarting the dovecot service I get: > > # doveadm auth test matthias > Password: > passdb: matthias auth failed > extra fields: > user=matthias > > When reverting the change to YESCRYPT_COST_FACTOR=5 it works again: > > # doveadm auth test matthias > Password: > passdb: matthias auth succeeded > extra fields: > user=matthias > > > I have tested this back and forth. The culprit is definitely a high value for > YESCRYPT_COST_FACTOR. A value of 7 is still good but a value of 9 or 11 > fails. > > > Can it be that this problem has to do with > > #define AUTH_FAILURE_DELAY_CHECK_MSECS 500 > > in auth-request-handler.c ? > > Increasing the YESCRYPT_COST_FACTOR for the password hashing will certainly > extend the > time of the pam auth process. > > Matthias > > _______________________________________________ > dovecot mailing list -- [1][email protected] > To unsubscribe send an email to [2][email protected] > > References > > Visible links > 1. mailto:[email protected] > 2. mailto:[email protected] > _______________________________________________ > dovecot mailing list -- [email protected] > To unsubscribe send an email to [email protected] _______________________________________________ dovecot mailing list -- [email protected] To unsubscribe send an email to [email protected]
