[Dovecot] Problem with passwords surrounded by curly braces
Hello,

one of my users set his password to something surrounded by curly braces, and promptly all access to his mailbox was refused. After looking through the logs I found an entry Unknown password scheme , where is the user's password, but without the curly braces.

I then browsed through the documentation, where it was explained that it is possible to prefix the password with the password scheme in curly braces, like {PLAIN} where is the password itself. Manually altering the user's password in the database to {PLAIN} (where is the user's password WITH curly braces) fixed this problem for me at this time, but the next time a user chooses such a strange password I would have to edit the table again.

So in my opinion the {SCHEME}-prefix is not a useful thing. Why would anyone need it, anyway? Shouldn't all passwords have the same scheme which is set in the dovecot.conf file once? If the feature is indeed used: with a database lookup it should be replaced by an optional database field or, if that's not possible, it should be possible to disable this feature from the config file.

Frank
Re: [Dovecot] [debian] Etch Packages Available for v1.0.10
Hello,

Compiled only for i386 with source package available.

deb http://debian.delink.net/ etch-delink main
deb-src http://debian.delink.net/ etch-delink main

Cheers,

Has anyone already made Debian packages for one of the 1.1.x releases of Dovecot?

Frank
Re: [Dovecot] Delay on failed pw attempts
Is there a way, or can a way be added, to add an auth_failed_delay=10s style option that would put in an artificial delay after a failed password attempt? As it stands now, Dovecot seems highly vulnerable to widescale brute-force password dictionary scans. Even if it's not configurable, can a delay be hardcoded to something like, say, 10 or 15 seconds?

-- Dean Brooks [EMAIL PROTECTED]

I recently installed an application called Fail2Ban (http://www.fail2ban.org), which scans log files and filters out failed login attempts. If a configurable number of failed attempts from the same IP is found, the IP is blocked out via iptables or hosts.deny for some time (default 10 minutes). Works pretty well for SSH, though I'm still waiting for the first attempt on my IMAP or SMTP ports ;-)

So instead of letting a brute force attack continue at a slower pace, Fail2Ban locks out the attacking system for some time, while a legitimate user can mistype his password at least once or twice without penalty. If he continues to mistype his password, he probably deserves to wait ;-)

If anyone wants to try it, a working fail2ban-regex for dovecot 1.05 and mysql is:

failregex = Info: auth-worker\(default\): sql\(.*,<HOST>\): Password mismatch
            Info: auth-worker\(default\): sql\(.*,<HOST>\): unknown user

Frank
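The counting-and-ban behaviour described in the message above, as an added example that is not part of the original post and is not Fail2Ban's own code. It applies the two posted patterns to constructed log lines; the timestamp layout, the IPv4-only stand-in for fail2ban's `<HOST>` placeholder, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two failregex lines from the post; <HOST> is fail2ban's address placeholder.
FAILREGEX = [
    r"Info: auth-worker\(default\): sql\(.*,<HOST>\): Password mismatch",
    r"Info: auth-worker\(default\): sql\(.*,<HOST>\): unknown user",
]
# Simplified IPv4-only stand-in for fail2ban's own <HOST> expansion (assumption).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [re.compile(rx.replace("<HOST>", HOST_GROUP)) for rx in FAILREGEX]
MAXRETRY = 3                      # failures that trigger a ban (assumed value)
FINDTIME = timedelta(minutes=10)  # window in which failures count (assumed value)

# Constructed sample lines; the timestamp prefix is an assumed layout.
SAMPLE_LOG = """\
2008-01-10 12:00:01 dovecot: Info: auth-worker(default): sql(frank,192.0.2.10): Password mismatch
2008-01-10 12:00:05 dovecot: Info: auth-worker(default): sql(admin,198.51.100.7): unknown user
2008-01-10 12:00:06 dovecot: Info: auth-worker(default): sql(root,198.51.100.7): unknown user
2008-01-10 12:00:07 dovecot: Info: auth-worker(default): sql(frank,198.51.100.7): Password mismatch
2008-01-10 12:00:09 dovecot: Info: imap-login: Login: user=<frank>, rip=192.0.2.10
2008-01-10 12:25:00 dovecot: Info: auth-worker(default): sql(frank,192.0.2.10): Password mismatch
2008-01-10 12:50:00 dovecot: Info: auth-worker(default): sql(frank,192.0.2.10): Password mismatch
"""

def failed_host(line):
    """Return the client address if the line is a failed login, else None."""
    for pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            return match.group("host")
    return None

def hosts_to_ban(log_text):
    """Return hosts with MAXRETRY failures inside one FINDTIME window, in order."""
    recent = defaultdict(deque)   # host -> timestamps of recent failures
    banned = []
    for line in log_text.splitlines():
        host = failed_host(line)
        if host is None or host in banned:
            continue
        seen = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        window = recent[host]
        window.append(seen)
        while seen - window[0] > FINDTIME:   # drop failures older than the window
            window.popleft()
        if len(window) >= MAXRETRY:
            banned.append(host)
    return banned
```

In the sample, 198.51.100.7 is flagged after three failures within seconds, while 192.0.2.10 also fails three times but never more than once per window, which is the "mistype once or twice without penalty" case from the message.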
Re: [Dovecot] Sieve regex never matches
Hi Timo,

Both scripts compile fine, but their regex never match. Has anyone an idea why? I'm using Dovecot 1.0.0 on Debian Etch stable.

So I guess you also use Debian-compiled Sieve plugin? It's possible that it doesn't have regex support compiled in. I'm not sure if it gives any errors or if it just silently ignores it..

No, no errors, so regex support was compiled in. The regex just never matched/always returned false. I've installed version 1.0.5 from the Debian testing branch yesterday evening, and now it works, so the problem has already been fixed.

Frank