On Tue, 2008-01-01 at 16:47 -0500, Dean Brooks wrote:
> > Failed auth requests are put to a queue that's flushed every 2 seconds.
> > So there is already a delay. I don't think it's a good idea to increase
> > it up from 2 seconds, it just gets annoying when you type the wrong
> > password accidentally.
>
> I think the majority of Dovecot users would propose that 2 seconds is
> much too short, and that the annoyance of an occasional rare wrong
> password is of little concern given the high number of dictionary
> attacks occurring nowadays.
>
> This *really* needs to be configurable. For our site, I would probably
> set the delay to 15 seconds. Others might want it at the very low
> 2 seconds like you suggest.

I don't really like adding settings that just tweak a small detail, but I guess there's no good default value for this then. v1.1 now has an auth_failure_delay setting. For v1.0 you can change this line in src/auth/auth-request-handler.c:

    to_auth_failures = timeout_add(2000, auth_failure_timeout, NULL);
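The following is an added example, not part of the original thread and not Dovecot's source. It models only what the message describes (failed replies wait in a queue that a periodic timer flushes) and replays constructed failure timestamps against the two periods discussed, 2000 ms and 15000 ms. All struct and function names are hypothetical, and in this model each failure waits only until the next flush, so the period is an upper bound on the wait.

```c
#include <stdio.h>
#define MAX_PENDING 64
/* Assumed model of the thread's description: failed replies wait in a
   queue, and a timer firing every interval_ms releases all of them. */
struct failure_queue {
    long queued_at_ms[MAX_PENDING];
    int count;
};
struct delay_stats { long min_ms, max_ms; int released; };

/* Timer callback of the model: reply to every queued failure. */
static void flush_failures(struct failure_queue *q, long now_ms,
                           struct delay_stats *st)
{
    for (int i = 0; i < q->count; i++) {
        long waited = now_ms - q->queued_at_ms[i];
        if (st->released == 0 || waited < st->min_ms) st->min_ms = waited;
        if (st->released == 0 || waited > st->max_ms) st->max_ms = waited;
        st->released++;
    }
    q->count = 0;
}

/* Replay sorted failure timestamps against a timer with the given period. */
struct delay_stats simulate(const long *failed_at_ms, int n, long interval_ms)
{
    struct failure_queue q = { .count = 0 };
    struct delay_stats st = { 0, 0, 0 };
    int next = 0;
    for (long tick = interval_ms; st.released < n; tick += interval_ms) {
        while (next < n && failed_at_ms[next] < tick && q.count < MAX_PENDING)
            q.queued_at_ms[q.count++] = failed_at_ms[next++];
        flush_failures(&q, tick, &st);
    }
    return st;
}

/* Constructed sample: failed logins at these offsets (ms). */
static const long sample_failures[] = { 100, 1900, 2500, 7000 };

int main(void)
{
    long periods[] = { 2000, 15000 };   /* the two values discussed above */
    for (int p = 0; p < 2; p++) {
        struct delay_stats st = simulate(sample_failures, 4, periods[p]);
        printf("period %ld ms: wait %ld..%ld ms\n", periods[p], st.min_ms, st.max_ms);
    }
    return 0;
}
```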