[Dovecot] Auth failure delays

Timo Sirainen tss at iki.fi
Fri Nov 6 21:57:21 EET 2009


Currently Dovecot works like this when authentication fails:

 - the delay is always at least auth_failure_delay seconds (default: 2s)
 - each failed attempt doubles the delay for that specific imap/pop3
connection (no such delays for e.g. smtp)
 - the delay's upper limit is 3 minutes

For v2.0 I was planning on making dovecot-auth process do these checks
and keeping the state in anvil process:

 - the delay is always at least auth_failure_delay seconds (default: 2s)
 - for each remote IP address the delay is doubled, regardless of how
the request comes (imap, pop3, smtp, etc).
 - the delay's upper limit is .. hardcoded to 15 secs? i kind of hate
the thought of making this configurable.
 - each successful authentication from the IP resets the IP's delay
 - the delay happens before authentication is even attempted, so even
successful auth attempts will have the delay (unless of course there
haven't been auth failures from that IP)

If the upper limit is 15 secs, that means max. 240 auth attempts per
hour per IP. The reason I was thinking 15 secs is because I have some
vague memories about Thunderbird dropping connection after 15 or maybe
30 seconds of idling.

If user has one successful login, it's of course possible to get around
the delay doubling by just doing failed attempt -> successful attempt ->
failed -> success -> etc. But probably no one is really going to try to
do that, and even if they did it's still not that bad. The second
successful login will still have that 2 second delay before it resets
the delay. So that's still max one auth/2 seconds or max. 1800 auth
attempts/hour.

Any thoughts?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20091106/a35e78d1/attachment.bin 


More information about the dovecot mailing list