From 87c124e1ae6beb5efcc2b92690ca5a590f6db78a Mon Sep 17 00:00:00 2001 From: missytake Date: Wed, 30 Oct 2024 15:31:25 +0100 Subject: [PATCH 1/2] dovecot: disable anvil authentication penalty fix #441 --- CHANGELOG.md | 3 +++ cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2 | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5154275f..aa10953c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,9 @@ - add guide to migrate chatmail to a new server ([#429](https://github.com/deltachat/chatmail/pull/429)) +- disable anvil authentication penalty + ([#414](https://github.com/deltachat/chatmail/pull/444) + - increase `request_queue_size` for UNIX sockets to 1000. ([#437](https://github.com/deltachat/chatmail/pull/437)) diff --git a/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2 b/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2 index f4b68f9e..d8965343 100644 --- a/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2 +++ b/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2 @@ -194,6 +194,15 @@ service imap-login { process_min_avail = 10 } +service anvil { + # We are disabling anvil penalty on failed login attempts + # because it can only detect brute forcing by IP address + # not by username. As the correct IP address is not handed + # to dovecot anyway, it is more of hindrance than of use. + # See for details. + unix_listener anvil-auth-penalty { mode = 0 } +} + ssl = required ssl_cert = Date: Wed, 30 Oct 2024 15:41:35 +0100 Subject: [PATCH 2/2] dovecot: fix syntax error --- cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2 b/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2 index d8965343..1390e4db 100644 --- a/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2 +++ b/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2 
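Review bot: With `unix_listener anvil-auth-penalty { mode = 0 }` in the new `service anvil` block, the escalating delay Dovecot applies to repeated failed logins from one address is switched off, and the added comment does not say what limits password guessing instead. The fixed `auth_failure_delay` still applies to each failed attempt, but it does not grow with repeated failures. I would add a line to the comment naming the remaining control, e.g. `# Failed logins are still slowed by auth_failure_delay; per-client rate limiting has to happen in front of dovecot.`, adjusted to whatever is actually deployed, which is not visible in this hunk. The `# See for details.` line also reads as if its link was lost, at least in this view.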
@@ -200,7 +200,9 @@ service anvil {
 # not by username. As the correct IP address is not handed
 # to dovecot anyway, it is more of hindrance than of use.
 # See for details.
- unix_listener anvil-auth-penalty { mode = 0 }
+ unix_listener anvil-auth-penalty {
+ mode = 0
+ }
 }

 ssl = required