changeset 7089:10d49a20b04e HEAD

Added auth_failure_delay setting.
author Timo Sirainen <tss@iki.fi>
date Wed, 02 Jan 2008 00:03:41 +0200
parents 958500009336
children c8878d66c4a1
files dovecot-example.conf src/auth/auth-request-handler.c src/auth/auth.h src/master/auth-process.c src/master/master-settings.c src/master/master-settings.h
diffstat 6 files changed, 20 insertions(+), 5 deletions(-) [+]
--- a/dovecot-example.conf	Tue Jan 01 23:53:29 2008 +0200
+++ b/dovecot-example.conf	Wed Jan 02 00:03:41 2008 +0200
@@ -777,6 +777,9 @@
 # Path for Samba's ntlm_auth helper binary.
 #auth_winbind_helper_path = /usr/bin/ntlm_auth
 
+# Number of seconds to delay before replying to failed authentications.
+#auth_failure_delay = 2
+
 auth default {
   # Space separated list of wanted authentication mechanisms:
   #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
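Review bot: The new comment above `#auth_failure_delay = 2` does not say what the delay is for or what a value of 0 does, and an administrator tuning it should know it is a password-guessing throttle. Judging from the `diff < auth_failure_delay` test in src/auth/auth-request-handler.c, 0 appears to release failed replies at the next flush check rather than holding them, which is worth confirming and stating. Suggested wording: `# Number of seconds to delay before replying to failed authentications. The delay slows down password guessing; 0 removes it.`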
--- a/src/auth/auth-request-handler.c	Tue Jan 01 23:53:29 2008 +0200
+++ b/src/auth/auth-request-handler.c	Wed Jan 02 00:03:41 2008 +0200
@@ -14,8 +14,8 @@
 
 #include <stdlib.h>
 
-#define AUTH_FAILURE_DELAY_SECS 2
-#define AUTH_FAILURE_DELAY_CHECK_MSECS (1000*AUTH_FAILURE_DELAY_SECS/2)
+#define DEFAULT_AUTH_FAILURE_DELAY 2
+#define AUTH_FAILURE_DELAY_CHECK_MSECS 500
 
 struct auth_request_handler {
 	int refcount;
@@ -34,6 +34,7 @@
 static ARRAY_DEFINE(auth_failures_arr, struct auth_request *);
 static struct aqueue *auth_failures;
 static struct timeout *to_auth_failures;
+static unsigned int auth_failure_delay;
 
 static void auth_failure_timeout(void *context);
 
@@ -508,7 +509,8 @@
 
 	count = aqueue_count(auth_failures);
 	if (count == 0) {
-		timeout_remove(&to_auth_failures);
+		if (to_auth_failures != NULL)
+			timeout_remove(&to_auth_failures);
 		return;
 	}
 
@@ -517,7 +519,7 @@
 		auth_request = auth_requests[aqueue_idx(auth_failures, 0)];
 
 		diff = ioloop_time - auth_request->last_access;
-		if (diff < AUTH_FAILURE_DELAY_SECS && !flush_all)
+		if (diff < auth_failure_delay && !flush_all)
 			break;
 
 		aqueue_delete_tail(auth_failures);
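Review bot: `diff < auth_failure_delay` now compares against an `unsigned int`, where the old code compared against the integer constant 2. The declaration of `diff` is outside this hunk; if it is a signed time_t no wider than unsigned int, a negative `diff` (ioloop_time behind last_access after a clock step) converts to a large unsigned value, the test is false, and the failed request is released without waiting. Keeping the comparison signed preserves the previous behaviour: `if (diff < (time_t)auth_failure_delay && !flush_all)`. The enclosing function starts and ends outside the hunk.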
@@ -536,6 +538,12 @@
 
 void auth_request_handler_init(void)
 {
+	const char *env;
+
+	env = getenv("FAILURE_DELAY");
+	auth_failure_delay = env != NULL ? atoi(env) :
+		DEFAULT_AUTH_FAILURE_DELAY;
+
 	i_array_init(&auth_failures_arr, 128);
 	auth_failures = aqueue_init(&auth_failures_arr.arr);
 }
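Review bot: `atoi(env)` in auth_request_handler_init() is assigned straight to the unsigned `auth_failure_delay`, so a non-numeric FAILURE_DELAY silently becomes 0 and removes the failure delay. A negative value wraps to a very large delay that holds failed replies until a flush_all. The master formats the variable with `%u` in src/master/auth-process.c, so this mainly matters when the auth process gets its environment some other way, but the delay is a brute-force control and should be parsed strictly. Parse with strtoul(), reject empty input, trailing characters and out-of-range values, and stop at startup (or log and fall back to DEFAULT_AUTH_FAILURE_DELAY) rather than run with a delay nobody chose.

```c
void auth_request_handler_init(void)
{
	const char *env;
	char *end;
	unsigned long val;

	auth_failure_delay = DEFAULT_AUTH_FAILURE_DELAY;
	env = getenv("FAILURE_DELAY");
	if (env != NULL) {
		/* strtoul() accepts leading whitespace and '-', so require a digit first */
		if (*env < '0' || *env > '9')
			i_fatal("Invalid FAILURE_DELAY: %s", env);
		val = strtoul(env, &end, 10);
		if (*end != '\0' || val > UINT_MAX)
			i_fatal("Invalid FAILURE_DELAY: %s", env);
		auth_failure_delay = (unsigned int)val;
	}

	/* … unchanged: auth_failures_arr and auth_failures setup … */
}
```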
--- a/src/auth/auth.h	Tue Jan 01 23:53:29 2008 +0200
+++ b/src/auth/auth.h	Wed Jan 02 00:03:41 2008 +0200
@@ -46,7 +46,7 @@
 	char username_translation[256];
 	char master_user_separator;
 	bool ssl_require_client_cert;
-        bool ssl_username_from_cert;
+	bool ssl_username_from_cert;
 
 	bool verbose, verbose_debug, verbose_debug_passwords;
 };
--- a/src/master/auth-process.c	Tue Jan 01 23:53:29 2008 +0200
+++ b/src/master/auth-process.c	Wed Jan 02 00:03:41 2008 +0200
@@ -495,6 +495,7 @@
 	}
 	env_put(t_strconcat("WINBIND_HELPER_PATH=",
 			    set->winbind_helper_path, NULL));
+	env_put(t_strdup_printf("FAILURE_DELAY=%u", set->failure_delay));
 
 	restrict_process_size(set->process_size, (unsigned int)-1);
 }
--- a/src/master/master-settings.c	Tue Jan 01 23:53:29 2008 +0200
+++ b/src/master/master-settings.c	Wed Jan 02 00:03:41 2008 +0200
@@ -83,6 +83,7 @@
 	DEF_STR(krb5_keytab),
 	DEF_STR(gssapi_hostname),
 	DEF_STR(winbind_helper_path),
+	DEF_INT(failure_delay),
 
 	DEF_BOOL(verbose),
 	DEF_BOOL(debug),
@@ -312,6 +313,7 @@
 	MEMBER(krb5_keytab) "",
 	MEMBER(gssapi_hostname) "",
 	MEMBER(winbind_helper_path) "/usr/bin/ntlm_auth",
+	MEMBER(failure_delay) 2,
 
 	MEMBER(verbose) FALSE,
 	MEMBER(debug) FALSE,
--- a/src/master/master-settings.h	Tue Jan 01 23:53:29 2008 +0200
+++ b/src/master/master-settings.h	Wed Jan 02 00:03:41 2008 +0200
@@ -205,6 +205,7 @@
 	const char *krb5_keytab;
 	const char *gssapi_hostname;
 	const char *winbind_helper_path;
+	unsigned int failure_delay;
 
 	bool verbose, debug, debug_passwords;
 	bool ssl_require_client_cert;