auth: Clarify how auth failure delay settings interact
sirainen committed Sep 13, 2024
1 parent c6a9731 commit 4c86881
Showing 3 changed files with 23 additions and 7 deletions.
10 changes: 8 additions & 2 deletions data/settings.js
Expand Up @@ -2945,11 +2945,17 @@ and appending an \`@domain\` element to the username in cleartext logins.`
values: setting_types.TIME,
seealso: [ 'auth_internal_failure_delay' ],
text: `
This is the delay before replying to failed authentication attempts.
This is the delay before replying to failed authentication attempts. Using
[[link,passdb_extra_field_nodelay]] bypasses this setting.
This setting defines the interval for which the authentication process
flushes all auth failures. Thus, this is the maximum interval a user may
encounter.`
encounter. However, there can be additional delays added by
[[link,auth_penalty]].
This setting doesn't affect internal failures. See
[[setting,auth_internal_failure_delay]].
`
},

auth_gssapi_hostname: {
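Review bot: The retained sentence "this is the maximum interval a user may encounter" now conflicts with the added "However, there can be additional delays added by [[link,auth_penalty]]" two lines later; since a penalty can push the total past this value, reword it to something like "this is the maximum delay this setting adds" so the two sentences agree. Also consider separating the three topics in the template literal (base delay and the nodelay bypass, the flush interval, the internal-failure exclusion) with blank lines so they render as distinct paragraphs rather than one run-on block.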
14 changes: 10 additions & 4 deletions docs/core/config/auth/passdb.md
Expand Up @@ -9,6 +9,9 @@ dovecotlinks:
passdb_extra_fields:
hash: extra-fields
text: passdb extra fields
passdb_extra_field_nodelay:
hash: nodelay
text: passdb nodelay extra field
passdb_user_extra_field:
hash: user-extra-field
text: passdb user extra field
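Review bot: The new `passdb_extra_field_nodelay` entry sets `hash: nodelay`, which must match the id generated for the `#### \`nodelay\`` heading further down in this file; the links added in settings.js and penalty.md resolve through this anchor, so verify that the rendered heading id really is `nodelay` (backticks in the heading text must not end up in the slug), because a mismatch would break both new links silently. Placement between `passdb_extra_fields` and `passdb_user_extra_field` is consistent with the existing ordering.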
Expand Down Expand Up @@ -508,11 +511,14 @@ The order of preference is: `proxy`, `host`, then `nologin`.

#### `nodelay`

Don't delay reply to client in case of an authentication failure.
Don't delay reply to client in case of an authentication failure. However, this
doesn't affect internal failure delays
([[setting,auth_internal_failure_delay]]).

If the authentication fails, Dovecot typically waits 0-2 seconds before
sending back the "authentication failed" reply. If this field is set, no
such delay is done.
If the authentication fails, Dovecot typically waits 0-2 seconds
([[setting,auth_failure_delay]]) before sending back the "authentication
failed" reply. If this field is set, no such delay is done. Additionally,
[[link,auth_penalty]] won't be increased.

Commonly used with [[link,authentication_proxies]] and [[link,auth_referral]],
but may also be used standalone.
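Review bot: "Additionally, [[link,auth_penalty]] won't be increased" is correct but incomplete on its own: the penalty.md change in this same commit states that the penalty is applied for the IP before passdb lookups, so a penalty already accumulated from earlier attempts still delays the reply even when `nodelay` is set. Suggest adding one sentence here, e.g. "An existing penalty for the IP is still applied, since it is checked before the passdb lookup.", so readers of this section do not conclude that `nodelay` removes every delay. Minor: "no such delay is done" reads better as "no such delay is added".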
6 changes: 5 additions & 1 deletion docs/core/config/auth/penalty.md
Expand Up @@ -8,7 +8,11 @@ dovecotlinks:
# Authentication Penalty

Dovecot anvil process tracks authentication penalties for different IPs
to slow down brute force login attempts.
to slow down brute force login attempts. The penalty is increased after failed
logins until a maximum value, unless [[link,passdb_extra_field_nodelay]] is
used. The penalty is applied for the IP before passdb lookups are done, so
the delay might exist even with `nodelay` if it is not used for all
authentication attempts for the IP.

## Algorithm

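Review bot: The added sentence "the delay might exist even with `nodelay` if it is not used for all authentication attempts for the IP" describes the mechanism only indirectly; state it explicitly: `nodelay` prevents the penalty from being increased, but a penalty already accumulated for the IP from earlier attempts is still applied, because the check happens before the passdb lookup. Grammar in the retained first line: "Dovecot anvil process" should be "The Dovecot anvil process" (or "Dovecot's anvil process").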