dovecot: disable pam_faillock lockout mechanism

faillock has often been locking me out of my mailbox because it counts failed authentication attempts against my user; turn this off and rely on fail2ban to block instances of account password brute-forcing by IP.

dovecot: disable pam_faillock lockout mechanism
bd5fad42 · Evangelos Foutras · 8480a4d2 · bd5fad42
Verified Commit bd5fad42 authored 1 year ago by Evangelos Foutras
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -47,6 +47,15 @@
 - name: Start and enable dovecot
  service: name=dovecot enabled=yes state=started

+  # faillock's default behavior allows third-parties to lock a user out of
+  # their mailbox by doing 3 failed auth attempts; turn it off and rely on
+  # fail2ban instead
+- name: Disable pam_faillock lockout mechanism
+  lineinfile:
+    path: /etc/security/faillock.conf
+    regexp: deny =
+    line: deny = 0
+
 - name: Open firewall holes
  ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
  with_items: