Hi all,
Our mail server is confronted with brute-force attacks. To analyse them, I tried to log the passwords in the /var/log/dovecot-info.log file. I edited /etc/dovecot/dovecot.conf and set
I checked/run to read the valid configuration, where all values are set as quoted above:
doveadm config
I also checked if other config files are included in dovecot.conf, but couldn't find any.
What am I missing?
PS: I did manage to use this setting before, and it took me half a day and I had no clue why it suddenly had worked. After a reboot it didn't work any more even though the config was still the same. Running Dovecot server version 2.1.7 on Debian Linux 7.11.
Raj, you were absolutely right. I did some analysis and it seems like dovecot won't log the failed passwords only in the following two cases:
unknown user; the tried username doesn't exist. For example, login with an alias or a completely invalid value.
this one I am only guessing: I tested with a wrong password, correct username from the same internal client from which I was also logged in correctly with my own email account at the same time. Seems like in such cases the failed passwords are not logged either.
As soon as hacker attempts continued with valid usernames or when I tested from an external server, wrong passwords were logged again. Such things can really drive you crazy sometimes.
Many thanks for your help again!
Please keep in mind that in newer versions of dovecot the correct options are:
auth_verbose_passwords=no|plain|sha1
####
# The following is from older versions of dovecot and not accepted any more
####
auth_verbose_passwords=yes
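
Added example, not part of the thread: once failed attempts are logged with auth_verbose_passwords=sha1 (which keeps users' mistyped real passwords out of the log in cleartext), a short script can group them per source IP. The log layout and the sample lines are constructed assumptions modelled on Dovecot's auth log; unknown-user lines are counted even though they carry no password, matching the behaviour described above.

```python
import re
from collections import defaultdict

# Constructed sample lines; the layout is an assumption, so adjust LINE_RE
# to whatever your Dovecot version actually writes to its info log.
SAMPLE_LOG = """\
Mar 10 12:00:01 auth: Info: passwd-file(alice@example.org,203.0.113.5): Password mismatch (SHA1 of given password: 5baa61e4)
Mar 10 12:00:03 auth: Info: passwd-file(alice@example.org,203.0.113.5): Password mismatch (SHA1 of given password: 7c4a8d09)
Mar 10 12:00:05 auth: Info: passwd-file(alice@example.org,203.0.113.5): Password mismatch (SHA1 of given password: f7c3bc1d)
Mar 10 12:01:00 auth: Info: passwd-file(alice@example.org,198.51.100.7): Password mismatch (SHA1 of given password: 5baa61e4)
Mar 10 12:01:02 auth: Info: passwd-file(bob@example.org,198.51.100.7,<abc123>): Password mismatch (SHA1 of given password: 5baa61e4)
Mar 10 12:01:04 auth: Info: passwd-file(carol@example.org,198.51.100.7): Password mismatch (SHA1 of given password: 5baa61e4)
Mar 10 12:02:00 auth: Info: passwd-file(info,192.0.2.9): unknown user
Mar 10 12:03:00 imap-login: Info: Login: user=<alice@example.org>, rip=192.0.2.50
"""

LINE_RE = re.compile(
    r"auth: Info: \w[\w-]*\((?P<user>[^,)]*),(?P<ip>[^,)]+)(?:,[^)]*)?\): "
    r"(?P<reason>Password mismatch|unknown user)"
    r"(?: \(SHA1 of given password: (?P<sha1>[0-9a-f]+)\))?"
)

def summarise(log_text):
    """Group failed logins by source IP: attempts, users, password hashes."""
    stats = defaultdict(
        lambda: {"attempts": 0, "unknown": 0, "users": set(), "hashes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["reason"] == "unknown user":
            s["unknown"] += 1  # no password is logged for these lines
        if m["sha1"]:
            s["hashes"].add(m["sha1"])
    return dict(stats)

def classify(s, threshold=3):
    """Rough label for one source IP; threshold is an arbitrary example value."""
    if s["attempts"] < threshold:
        return "low"
    if len(s["users"]) >= threshold and len(s["hashes"]) == 1:
        return "spraying"  # same password tried against many accounts
    if len(s["users"]) == 1 and len(s["hashes"]) >= threshold:
        return "guessing"  # many passwords tried against one account
    return "mixed"
```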