If dovecot is in play as auth backend then weakforced could be a viable option. 
Quite a powerful tool tailored to fight/detect brute force attacks: 
https://github.com/PowerDNS/weakforced

On 30 July 2021 15:12:40 UTC, post...@ptld.com wrote:
>> Unfortunately, the required data, i.e. client IP address and username
>> are distributed in different log files. The IP address is written to
>> postfix's log, while the username is in saslauthd's log in case of
>> failure, with the time stamp as the only link between both.
>> 
>> Is there some best current practice or recommended log config to analyze
>> persistent login attempts?
>
>
>This is kind of a dovecot thing more than a postfix thing. One option is...
>
>
>In dovecot core conf:
>   auth_verbose = yes
>   auth_verbose_passwords=sha1
>
>
>If using rsyslog for logging you can separate logins to their own log for easier scanning:
>   if $programname == "dovecot" and $msg startswith "auth-worker" then {
>     -/var/log/mail/dovecot_auth
>     stop
>   }
>
>
>Would give you logs with the user, IP and the hashed password tried to see if it's repeating same password (dumb client) vs brute force:
>
>Jul 30 11:05:11 mx dovecot[9737]: auth-worker(12362): conn unix:auth-worker (pid=12361,uid=97): auth-worker<1>: sql(t...@example.com,100.101.102.103,<DFbMi1jIU9BoiAwp>): Password mismatch (given password: <REDACTED>)

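The "same password repeated vs brute force" check described in the quoted message, as an added example that is not part of the thread or of Dovecot: it parses failure lines in the format quoted above and groups them per client IP. The names `classify` and `min_failures`, the verdict labels, and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Follows the failure line quoted in the thread; the optional "SHA1 of " label
# is an assumption about how some Dovecot versions word the hashed form.
FAIL_RE = re.compile(
    r"auth-worker<\d+>: \w+\((?P<user>[^,()]+),(?P<ip>[^,()]+)(?:,<[^>]*>)?\): "
    r"Password mismatch \((?:SHA1 of )?given password: (?P<pw>[^)]+)\)"
)

def _line(user, ip, digest):
    """Build one constructed log line in the thread's format."""
    return ("Jul 30 11:05:11 mx dovecot[9737]: auth-worker(12362): conn "
            "unix:auth-worker (pid=12361,uid=97): auth-worker<1>: "
            f"sql({user},{ip},<sess>): Password mismatch (given password: {digest})")

# Constructed sample data: documentation IP ranges, made-up digests.
SAMPLE = (
    [_line("alice@example.com", "192.0.2.10", "aaaa1111")] * 3
    + [_line("bob@example.com", "198.51.100.7", f"bbbb000{i}") for i in range(4)]
    + [_line("carol@example.com", "203.0.113.5", "cccc2222")]
)

def classify(lines, min_failures=3):
    """Return {ip: (verdict, failures, distinct_users, distinct_digests)}."""
    users, digests, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # not an auth-worker password mismatch
        ip = m["ip"]
        users[ip].add(m["user"])
        digests[ip].add(m["pw"])
        count[ip] += 1
    report = {}
    for ip, n in count.items():
        if n < min_failures:
            continue  # too few failures to say anything
        # One user, one digest: the same wrong password resent (dumb client).
        # Anything else: varying passwords or accounts, i.e. guessing.
        same = len(users[ip]) == 1 and len(digests[ip]) == 1
        report[ip] = ("stale-client" if same else "guessing",
                      n, len(users[ip]), len(digests[ip]))
    return report

if __name__ == "__main__":
    for ip, result in classify(SAMPLE).items():
        print(ip, *result)
```

Feed it the lines of the separated `dovecot_auth` log; a single IP failing against many users with one digest is also reported as guessing.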