I want to disable the time penalty for dovecot imap authentication. When receiving a valid user-password combo the server responds in .04 seconds. When I send in an invalid combination it will either respond in 1.544 or 2.044 seconds += .002

I am using dovecot to test a program that sends a login request to a server and processes the response. I want to be able to send a series of valid and invalid login attempts.

The issue is that with the 2 seconds delay for a bad login attempt, the tests are too slow to run in production.

I can see that the delay is defined in auth-penalty.h. Is there a way, in the config file, to set AUTH_PENALTY_INIT_SECS = 0, or any other way to remove the time delay for an invalid login?

I am running dovecot version 2.2.33.2
I am running without root permissions
I do not want to make changes outside of the dovecot config file, password file, or run folder.

--
Stephen

>>>>> "Stephen" == Stephen Blackwell <stephenmac98 at gmail.com> writes:

Stephen> I want to disable the time penalty for dovecot imap
Stephen> authentication. When receiving a valid user-password combo
Stephen> the server responds in .04 seconds. When I send in an invalid
Stephen> combination it will either respond in 1.544 or 2.044 seconds
Stephen> += .002

Stephen> I am using dovecot to test a program that sends a login
Stephen> request to a server and processes the response. I want to be
Stephen> able to send a series of valid and invalid login attempts.

Stephen> The issue is that with the 2 seconds delay for a bad login
Stephen> attempt, the tests are too slow to run in production

Why are you running tests on production? Hmm?

Stephen> I can see that the delay is defined in auth-penalty.h Is
Stephen> there a way, in the config file, to set
Stephen> AUTH_PENALTY_INIT_SECS = 0, or any other way to remove the
Stephen> time delay for an invalid login.

Take a look at this page:

https://wiki.dovecot.org/Authentication/Penalty

but maybe you can put your test IP into the list of trusted networks?

John

On 05 Jun 2020, at 11:27, Stephen Blackwell <stephenmac98 at gmail.com> wrote:
> I want to disable the time penalty for dovecot imap authentication. When receiving a valid user-password combo the server responds in .04 seconds. When I send in an invalid combination it will either respond in 1.544 or 2.044 seconds += .002

This is, of course, by design. Slowing down cracking software is a good thing.

> The issue is that with the 2 seconds delay for a bad login attempt, the tests are too slow to run in production

Yes, that is rather the point.

> I can see that the delay is defined in auth-penalty.h Is there a way, in the config file, to set AUTH_PENALTY_INIT_SECS = 0, or any other way to remove the time delay for an invalid login.

Change the value and compile a non-production version of dovecot and run your tests there. Be sure to never run this on real users' data.

> I do not want to make changes outside of the dovecot config file, password file, or run folder.

You can't always get what you want.

--
Beautiful dawn / Lights up the shore for me / There is nothing else in the world I'd rather see with you.