Dovecot refuses to log failed passwords

Hi all,
our mailserver is confronted with brute-force attacks. To analyse it, I tried to log the passwords in the /var/log/dovecot-info.log file. I edited /etc/dovecot/dovecot.conf and set

auth_debug = yes
auth_verbose = yes
auth_debug_passwords = yes
auth_verbose_passwords = plain

Then, I reloaded dovecot

doveadm reload

Also did

service dovecot restart
shutdown -r now

I checked/run to read the valid configuration, where all values are set as quoted above:

doveadm config

I also checked if other config files are included in dovecot.conf, but couldn’t find any.

What am I missing?

PS: I did manage to use this setting before, and it took me half a day and I had no clue why it suddenly had worked. After a reboot it didn’t work any more even though the config was still the same. Running Dovecot server version 2.1.7 on Debian Linux 7.11.

You are missing in dovecot.conf

mail_debug = yes

So full config should be:

mail_debug = yes
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
auth_verbose_passwords = yes

Restart Dovecot service. No need to restart Debian Linux:

service dovecot restart

If dovecot cannot restart, run the following to trace error messages:

dovecot -c /etc/dovecot/dovecot.conf

Hi Raj, thank you so much for helping me!
Unfortunately this didn’t do the trick, as

mail_debug = yes

was set already. I just didn’t know it played a role and so didn’t mention it.

I checked everything again, and settings seem totally correct.
Also tried

auth_verbose_passwords = sha1

(instead of “plain”) without any new result.
Still no entry for ‘given password’

Somehow seems like a bug, or maybe some other misconfiguration interfering.

Raj, you were absolutely right. I did some analysis and seems like dovecot won’t log the failed passwords only in the following two cases:

  • unknown user; the tried username doesn’t exist. For example, login with an alias or a completely invalid value.
  • this one I am only guessing: I tested with a wrong password, correct username from the same internal client from which I was also logged in correctly with my own email account at the same time. Seems like in such cases the failed passwords are not logged either.

As soon as hacker attempts continued with valid usernames or when I tested from an external server, wrong passwords were logged again. Such things can really drive you crazy sometimes.
Many thanks for your help again!

Please keep in mind that in newer versions of dovecot the correct options are:

auth_verbose_passwords=no|plain|sha1
####
# The following is from older versions of dovecot and not accepted any more
####
auth_verbose_passwords=yes

https://wiki2.dovecot.org/Logging

Have a nice day everyone!
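The settings listed in the answer above, and the change in accepted values for auth_verbose_passwords noted in the last post, can be checked mechanically against the output of `doveadm config`. The script below is an added example, not code from this thread or from the Dovecot project: it parses `key = value` lines, reports any of the required debug settings that are not `yes`, and flags the old `auth_verbose_passwords=yes` syntax. The sample configuration dumps embedded in it are constructed for the example.

```python
"""Check a Dovecot config dump for the settings needed to log attempted passwords.

Added example for this thread; it is not part of the original posts and is not
Dovecot's own tooling. Feed it the output of `doveadm config` (or the raw
dovecot.conf) and it reports what still has to change.
"""
import re
import sys
from typing import Dict, List

# Settings the accepted answer says must be enabled (value "yes").
REQUIRED_YES = ("mail_debug", "auth_verbose", "auth_debug", "auth_debug_passwords")

# Values accepted for auth_verbose_passwords in newer Dovecot versions,
# as quoted in the thread; "yes" is the old syntax and is no longer accepted.
VERBOSE_PW_VALUES = {"no", "plain", "sha1"}

# Matches "key = value" with optional spaces around "=".
SETTING_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)$")


def parse_config(text: str) -> Dict[str, str]:
    """Parse key/value lines; comments and blank lines are skipped, later keys win."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = SETTING_RE.match(stripped)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def check_password_logging(settings: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the config matches the thread's solution."""
    findings: List[str] = []
    for key in REQUIRED_YES:
        value = settings.get(key, "no").lower()
        if value != "yes":
            findings.append(f"{key} is '{value}', expected 'yes'")
    pw = settings.get("auth_verbose_passwords", "no").lower()
    if pw == "yes":
        findings.append("auth_verbose_passwords=yes is the old syntax; use plain or sha1")
    elif pw not in VERBOSE_PW_VALUES:
        findings.append(f"auth_verbose_passwords is '{pw}', expected no|plain|sha1")
    elif pw == "no":
        findings.append("auth_verbose_passwords=no: attempted passwords will not be logged")
    return findings


# Constructed sample dumps (not real `doveadm config` output from the poster's server).
SAMPLE_OK = """\
# 2.1.7: /etc/dovecot/dovecot.conf
mail_debug = yes
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
auth_verbose_passwords = sha1
"""

SAMPLE_OLD_SYNTAX = """\
mail_debug = yes
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
auth_verbose_passwords = yes
"""

SAMPLE_INCOMPLETE = """\
auth_debug = yes
auth_verbose_passwords = plain
"""


def main(argv: List[str]) -> int:
    """Read a config dump from a file (or stdin) and print the findings."""
    text = open(argv[1]).read() if len(argv) > 1 else sys.stdin.read()
    findings = check_password_logging(parse_config(text))
    for finding in findings:
        print(finding)
    print("ok: attempted passwords should be logged" if not findings else f"{len(findings)} issue(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `doveadm config | python3 check_pw_logging.py`. Choosing `sha1` rather than `plain` still lets you see whether repeated attempts reuse the same guess, without writing cleartext passwords into a log file that is itself worth protecting.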


Glad it sorted out. Thank you for posting the solution as well.
