Re: YESCRYPT_COST_FACTOR=11 not working
On Wednesday, 21.01.2026 at 11:46 +0100, Matthias Bodenbinder via dovecot wrote:
> I figured out how to do the test.
>
> I did set "service_vsz_limit = unlimited". With that YESCRYPT_COST_FACTOR=11
> works fine.
>
> A service_vsz_limit value of 1000M is not enough to make it work.
> A value of 1100M is ok.
>
> Matthias

I will leave the mailing list now. I only joined for this one particular issue. If you want me to test other settings or you have any other questions you need to send me a personal email.

Matthias
Re: YESCRYPT_COST_FACTOR=11 not working
I figured out how to do the test.

I did set "service_vsz_limit = unlimited". With that YESCRYPT_COST_FACTOR=11 works fine.

A service_vsz_limit value of 1000M is not enough to make it work.
A value of 1100M is ok.

Matthias

On Tuesday, 20.01.2026 at 21:26 +0100, Tom Hendrikx via dovecot wrote:
> Hi Matthias,
>
> It would be nice if you could verify this assumption by raising the
> allowed memory usage (vsz_limit) for the auth process until
> YESCRYPT_COST_FACTOR=11 actually works.
>
> Just curious though, not using yescrypt here
>
> Kind regards,
> Tom
Re: YESCRYPT_COST_FACTOR=11 not working
On Tuesday, 20.01.2026 at 21:26 +0100, Tom Hendrikx via dovecot wrote:
> It would be nice if you could verify this assumption by raising the
> allowed memory usage (vsz_limit) for the auth process until
> YESCRYPT_COST_FACTOR=11 actually works.

I can do that. How do I have to set this?

Matthias
___
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Re: YESCRYPT_COST_FACTOR=11 not working
Hi Matthias,

It would be nice if you could verify this assumption by raising the allowed memory usage (vsz_limit) for the auth process until YESCRYPT_COST_FACTOR=11 actually works.

Just curious though, not using yescrypt here

Kind regards,
Tom

On 1/16/26 16:38, Matthias Bodenbinder via dovecot wrote:
> Hello John,
>
> I have answered in more detail in another email.
>
> After reading a lot more about this topic I believe it is not a timeout
> issue but more of a memory allocation issue.
>
> E.g.:
> https://www.openwall.com/lists/yescrypt/2024/03/20/2
>
> In the above thread it is claimed that: The value 11 results in 1 GiB
> memory usage
>
> That is a lot. I will refrain from using that. I will go for a value of 7.
> That is good enough.
>
> Kind Regards
> Matthias
Re: YESCRYPT_COST_FACTOR=11 not working
Hello John,

I have answered in more detail in another email.

After reading a lot more about this topic I believe it is not a timeout issue but more of a memory allocation issue.

E.g.:
https://www.openwall.com/lists/yescrypt/2024/03/20/2

In the above thread it is claimed that: The value 11 results in 1 GiB memory usage

That is a lot. I will refrain from using that. I will go for a value of 7. That is good enough.

Kind Regards
Matthias

On Friday, 16.01.2026 at 14:16 +0100, John Fawcett via dovecot wrote:
> Hi Matthias
>
> I'm pretty sure that this value (AUTH_FAILURE_DELAY_CHECK_MSECS) is the
> delay that Dovecot waits after the failure before reporting it, so not
> really relevant since the failure has already happened when that comes
> into play.
>
> Out of curiosity, when you do the test that fails, how long did it take
> before it failed?
>
> Maybe there is a timeout configured in pam (e.g. LOGIN_TIMEOUT in
> login.defs) or elsewhere.
>
> John
Re: YESCRYPT_COST_FACTOR=11 not working
Hi John,

this is not a pam timeout issue. I have the passwords of my user and the root user created with YESCRYPT_COST_FACTOR=11 and it works fine. ssh, postfix, nfs, gdm, etc. Everything works except dovecot.

With this command you can check which YESCRYPT_COST_FACTOR has been used:

# getent shadow | awk -F: '$2 ~ /^\$/' | column --table --separator :$
root      y  jFT  ...
matthias  y  jFT  ...
guest     y  j9T  ...

jFT stands for YESCRYPT_COST_FACTOR=11
j9T stands for YESCRYPT_COST_FACTOR=5
(see also here: https://linux-audit.com/authentication/linux-password-security-hashing-rounds/#yescrypt)

When I test for user guest (with j9T) I get:

# time doveadm auth test guest
Password:
passdb: guest auth succeeded
extra fields:
user=guest
doveadm auth test guest 0,00s user 0,00s system 0% cpu 2,195 total

When I test for user matthias (with jFT) I get:

# time doveadm auth test matthias
Password:
passdb: matthias auth failed
extra fields:
user=matthias
doveadm auth test matthias 0,00s user 0,00s system 0% cpu 8,996 total

When I recreate the password for user matthias with YESCRYPT_COST_FACTOR=5 the issue is gone.

pamtester is also successful with YESCRYPT_COST_FACTOR=11

# pamtester --verbose system-auth matthias authenticate
pamtester: invoking pam_start(system-auth, matthias, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated

ssh login works fine too:

Jan 16 15:53:08 rakete sshd-session[49576]: Accepted password for matthias from 192.168.132.182 port 50692 ssh2
Jan 16 15:53:08 rakete sshd-session[49576]: pam_unix(sshd:session): session opened for user matthias(uid=1000) by matthias(uid=0)

I also tested dovecot with YESCRYPT_COST_FACTOR=7 and that worked. YESCRYPT_COST_FACTOR=9 didn't work.

Kind Regards
Matthias

On Friday, 16.01.2026 at 14:16 +0100, John Fawcett via dovecot wrote:
> Hi Matthias
>
> I'm pretty sure that this value (AUTH_FAILURE_DELAY_CHECK_MSECS) is the
> delay that Dovecot waits after the failure before reporting it, so not
> really relevant since the failure has already happened when that comes
> into play.
>
> Out of curiosity, when you do the test that fails, how long did it take
> before it failed?
>
> Maybe there is a timeout configured in pam (e.g. LOGIN_TIMEOUT in
> login.defs) or elsewhere.
>
> John
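Added example, not part of the thread: a Python sketch that decodes the yescrypt parameter field shown in the message above (`j9T`, `jFT`) and compares the resulting memory requirement with a candidate vsz limit such as the 1000M and 1100M values reported elsewhere in this thread. The shadow lines are constructed; the cost-factor mapping and the reading of `M` as MiB are assumptions, and the auth process's own baseline memory is not modelled.

```python
"""Estimate yescrypt memory use per shadow entry and test it against a vsz limit."""

# crypt(3) base-64 alphabet used by yescrypt's parameter encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MIB = 1024 * 1024

# Constructed shadow(5)-style lines: salt and hash fields are placeholders.
SAMPLE_SHADOW = """\
root:$y$jFT$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::
matthias:$y$jFT$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::
guest:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::
daemon:!*:20000::::::
"""


def _small_uint(ch, minimum):
    """Decode a one-character yescrypt integer (alphabet index 0..47)."""
    idx = ITOA64.find(ch)
    if not 0 <= idx <= 47:
        # Index 48 and above starts a multi-character encoding, out of scope here.
        raise ValueError(f"unsupported parameter character {ch!r}")
    return idx + minimum


def parse_yescrypt_params(hash_field):
    """Return (N_log2, r) for a '$y$<params>$<salt>$<hash>' field, else None."""
    parts = hash_field.split("$")
    if len(parts) < 5 or parts[0] != "" or parts[1] != "y" or len(parts[2]) < 3:
        return None
    params = parts[2]  # e.g. "jFT": flavor, N_log2, r
    return _small_uint(params[1], 1), _small_uint(params[2], 1)


def memory_bytes(n_log2, r):
    """Size of yescrypt's main working area: 128 * r * N bytes."""
    return 128 * r * (1 << n_log2)


def cost_factor(n_log2, r):
    """Map (N_log2, r) back to YESCRYPT_COST_FACTOR.

    Assumption: the hash was generated with r=32, N=2^(cost+7) for
    cost >= 3 and r=8, N=2^(cost+9) below that.
    """
    if r == 32:
        return n_log2 - 7
    if r == 8:
        return n_log2 - 9
    return None


def audit(shadow_text, limit_mib):
    """Return one dict per yescrypt account; limit_mib is the candidate vsz limit.

    Assumptions: 'M' in the limit means MiB, and the process's baseline
    memory is ignored, so 'fits' is an optimistic lower bound.
    """
    rows = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        parsed = parse_yescrypt_params(fields[1])
        if parsed is None:
            continue  # locked account or a different hash scheme
        n_log2, r = parsed
        need = memory_bytes(n_log2, r)
        rows.append({
            "user": fields[0],
            "params": fields[1].split("$")[2],
            "cost_factor": cost_factor(n_log2, r),
            "need_mib": need // MIB,
            "fits": need <= limit_mib * MIB,
        })
    return rows


if __name__ == "__main__":
    for limit in (1000, 1100):
        print(f"candidate limit: {limit}M")
        for row in audit(SAMPLE_SHADOW, limit):
            print("  {user:<9} {params} cost={cost_factor} "
                  "needs={need_mib} MiB fits={fits}".format(**row))
```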
Re: YESCRYPT_COST_FACTOR=11 not working
Hi Matthias

I'm pretty sure that this value (AUTH_FAILURE_DELAY_CHECK_MSECS) is the delay that Dovecot waits after the failure before reporting it, so not really relevant since the failure has already happened when that comes into play.

Out of curiosity, when you do the test that fails, how long did it take before it failed?

Maybe there is a timeout configured in pam (e.g. LOGIN_TIMEOUT in login.defs) or elsewhere.

John

On 11/01/2026 10:11, Matthias Bodenbinder via dovecot wrote:
> Can it be that this problem has to do with
>
> #define AUTH_FAILURE_DELAY_CHECK_MSECS 500
>
> in auth-request-handler.c ?
>
> Increasing the YESCRYPT_COST_FACTOR for the password hashing will
> certainly extend the time of the pam auth process.
>
> Matthias
Re: YESCRYPT_COST_FACTOR=11 not working
Ok. Understood.

I have now implemented a dovecot specific password file and that works fine.

I believe that this is hard to maintain in a multi user environment. It imposes an extra user management task on the sys admin and/or the user. From my point of view dovecot should support pam authentication even with the highest security settings out of the box. And that is YESCRYPT_COST_FACTOR=11.

Matthias

On Thursday, 15.01.2026 at 12:03 +0200, Aki Tuomi via dovecot wrote:
> Dovecot is not a UI software so setting too high or heavy computational
> cost will not work. I would recommend you use application password for
> imap access instead or use webmail with oauth2.
>
> It's not really a dovecot problem if you use pam settings that run too
> long.
>
> Aku
Re: YESCRYPT_COST_FACTOR=11 not working
Hello,

with no reply yet on this topic I am wondering if this is the right place to address the topic.

With its behaviour dovecot prevents the hardening of password hashes. For security reasons it is recommended to increase YESCRYPT_COST_FACTOR above the default value of 5.

e.g. https://linux-audit.com/authentication/linux-password-security-hashing-rounds/#yescrypt

This is not possible when dovecot is running because dovecot can not authenticate users where the password was created with a high YESCRYPT_COST_FACTOR.

And this affects all major linux distros because they all use ENCRYPT_METHOD YESCRYPT these days. (e.g. debian, ubuntu, fedora, arch, kali linux)

Can someone please let me know if this mailing list is the right place to address this and/or recommend a better place to me?

Thank you,
Matthias

On Sunday, 11.01.2026 at 10:11 +0100, Matthias Bodenbinder via dovecot wrote:
> Can it be that this problem has to do with
>
> #define AUTH_FAILURE_DELAY_CHECK_MSECS 500
>
> in auth-request-handler.c ?
>
> Increasing the YESCRYPT_COST_FACTOR for the password hashing will certainly
> extend the time of the pam auth process.
>
> Matthias
Re: YESCRYPT_COST_FACTOR=11 not working
Dovecot is not a UI software so setting too high or heavy computational cost will not work. I would recommend you use application password for imap access instead or use webmail with oauth2.

It's not really a dovecot problem if you use pam settings that run too long.

Aku

On 15/01/2026 11:24 EET Matthias Bodenbinder via dovecot <[email protected]> wrote:
> Hello,
>
> with no reply yet on this topic I am wondering if this is the right
> place to address the topic.
>
> With its behaviour dovecot prevents the hardening of password hashes.
> For security reasons it is recommended to increase YESCRYPT_COST_FACTOR
> above the default value of 5.
>
> e.g. https://linux-audit.com/authentication/linux-password-security-hashing-rounds/#yescrypt
>
> This is not possible when dovecot is running because dovecot can not
> authenticate users where the password was created with a high
> YESCRYPT_COST_FACTOR.
>
> And this affects all major linux distros because they all use
> ENCRYPT_METHOD YESCRYPT these days. (e.g. debian, ubuntu, fedora, arch,
> kali linux)
>
> Can someone please let me know if this mailing list is the right place
> to address this and/or recommend a better place to me?
>
> Thank you,
> Matthias
Re: YESCRYPT_COST_FACTOR=11 not working
On Friday, 09.01.2026 at 10:30 +0100, Matthias Bodenbinder via dovecot wrote:
> Hi,
>
> dovecot does not work with ENCRYPT_METHOD YESCRYPT and
> YESCRYPT_COST_FACTOR=11.
> I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros.
>
> When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and recreating
> the user password for my user and restarting the dovecot service I get:
>
> # doveadm auth test matthias
> Password:
> passdb: matthias auth failed
> extra fields:
> user=matthias
>
> When reverting the change to YESCRYPT_COST_FACTOR=5 it works again:
>
> # doveadm auth test matthias
> Password:
> passdb: matthias auth succeeded
> extra fields:
> user=matthias
>
> I have tested this back and forth. The culprit is definitely a high value for
> YESCRYPT_COST_FACTOR. A value of 7 is still good but a value of 9 or 11 fails.

Can it be that this problem has to do with

#define AUTH_FAILURE_DELAY_CHECK_MSECS 500

in auth-request-handler.c ?

Increasing the YESCRYPT_COST_FACTOR for the password hashing will certainly extend the time of the pam auth process.

Matthias
