From bd5fad424e7c9e9cb91d0338ca48f0a3144af8ed Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutras.com>
Date: Fri, 21 Jul 2023 11:44:50 +0300
Subject: [PATCH] dovecot: disable pam_faillock lockout mechanism

faillock has often been locking me out of my mailbox because it counts
failed authentication attempts against my user; turn this off and rely
on fail2ban to block instances of account password brute-forcing by IP.
---
 roles/dovecot/tasks/main.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
index dea394462..6c27a9073 100644
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -47,6 +47,15 @@
 - name: Start and enable dovecot
   service: name=dovecot enabled=yes state=started
 
+  # faillock's default behavior allows third-parties to lock a user out of
+  # their mailbox by doing 3 failed auth attempts; turn it off and rely on
+  # fail2ban instead
+- name: Disable pam_faillock lockout mechanism
+  lineinfile:
+    path: /etc/security/faillock.conf
+    regexp: deny =
+    line: deny = 0
+
 - name: Open firewall holes
   ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
   with_items:
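Review bot: `deny = 0` in /etc/security/faillock.conf is a host-wide setting, so the new task switches off the faillock lockout for every PAM service on the machine (sshd, sudo, login, …), not only Dovecot, while the task name and the comment above it describe a Dovecot-only change. If the intent is really Dovecot-only, the narrower fix is in Dovecot's own PAM stack (removing or adjusting the pam_faillock entries in /etc/pam.d/dovecot, whose contents are not visible here); if the host-wide effect is intended, state it next to the task, e.g. `# NOTE: host-wide — disables faillock for every PAM service, not only dovecot`. Relying on fail2ban also changes the protection from per-account to per-source-IP, so a slow or distributed brute force spread across many addresses is no longer rate-limited at all; it is worth confirming that a dovecot fail2ban jail is actually deployed by this repository and considering Dovecot's `auth_failure_delay` as a per-attempt backstop. It is also worth checking against the installed pam_faillock that a zero value is treated as "never lock" rather than "lock after zero failures", since the deny option's documentation only describes positive thresholds. Two smaller points: the unanchored `regexp: deny =` relies on matching the commented `# deny = 3` default line, which an anchored `regexp: '^#?\s*deny\s*='` would express explicitly, and the three comment lines belong at column 0 directly above `- name:` rather than indented under the previous task's `service:` line.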
-- 
GitLab