If dovecot is in play as auth backend then weakforced could be a viable option. Quite a powerful tool tailored to fight/detect brute force attacks: https://github.com/PowerDNS/weakforced
On 30 July 2021 15:12:40 UTC, post...@ptld.com wrote:
>> Unfortunately, the required data, i.e. client IP address and username
>> are distributed in different log files. The IP address is written to
>> postfix's log, while the username is in saslauthd's log in case of
>> failure, with the time stamp as the only link between both.
>>
>> Is there some best current practice or recommended log config to
>> analyze persistent login attempts?
>
>
>This is kind of a dovecot thing more than a postfix thing. One option
>is...
>
>
>In dovecot core conf:
>   auth_verbose = yes
>   auth_verbose_passwords=sha1
>
>
>If using rsyslog for logging you can separate logins to their own log
>for easier scanning:
>   if $programname == "dovecot" and $msg startswith "auth-worker" then {
>       -/var/log/mail/dovecot_auth
>       stop
>   }
>
>
>Would give you logs with the user, IP and the hashed password tried to
>see if it's repeating same password (dumb client) vs brute force:
>
>Jul 30 11:05:11 mx dovecot[9737]: auth-worker(12362): conn unix:auth-worker (pid=12361,uid=97): auth-worker<1>: sql(t...@example.com,100.101.102.103,<DFbMi1jIU9BoiAwp>): Password mismatch (given password: <REDACTED>)
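
An added example, not part of the original thread: a small Python pass over the `dovecot_auth` log described above that groups "Password mismatch" lines by user and IP and separates a client resending one wrong password from many different passwords being tried. The threshold, the sample lines and the optional "SHA1 of" wording in the pattern are assumptions.

```python
import re
from collections import defaultdict

# Matches the passdb part of the line: sql(user,ip,<session>): Password mismatch (...)
# Assumption: some Dovecot versions write "SHA1 of given password"; the optional group tolerates it.
LINE_RE = re.compile(
    r"\w+\((?P<user>[^,()]+),(?P<ip>[^,()]+)(?:,<[^>]*>)?\): "
    r"Password mismatch \((?:\w+ of )?given password: (?P<pw>[^)]+)\)"
)

def classify(lines, threshold=3):
    """Group failures by (user, ip) and label each pair.

    threshold is an assumed cut-off; tune it to your own traffic.
    """
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen[(m["user"], m["ip"])].append(m["pw"])
    report = {}
    for key, hashes in seen.items():
        distinct = len(set(hashes))
        if distinct >= threshold:
            label = "brute-force"          # many different passwords tried
        elif len(hashes) >= threshold and distinct == 1:
            label = "repeating-password"   # same wrong password resent (stale client config)
        else:
            label = "low-volume"
        report[key] = (label, len(hashes), distinct)
    return report

# Constructed sample input: users, documentation-range IPs and hash values are made up.
PREFIX = ("Jul 30 11:05:11 mx dovecot[9737]: auth-worker(12362): conn unix:auth-worker "
          "(pid=12361,uid=97): auth-worker<1>: ")

def sample_line(user, ip, pw_hash):
    return f"{PREFIX}sql({user},{ip},<sess>): Password mismatch (given password: {pw_hash})"

SAMPLE = (
    [sample_line("alice@example.com", "192.0.2.10", "5baa61e4")] * 4
    + [sample_line("bob@example.com", "198.51.100.7", h)
       for h in ("a1b2c3d4", "0f9e8d7c", "deadbeef", "7c4a8d09")]
    + [sample_line("carol@example.com", "203.0.113.5", "cafe0001")]
    + ["Jul 30 11:05:12 mx dovecot[9737]: imap-login: Login: user=<dave@example.com>"]
)

if __name__ == "__main__":
    for (user, ip), (label, n, distinct) in sorted(classify(SAMPLE).items()):
        print(f"{label:20} {user:22} {ip:15} attempts={n} distinct_hashes={distinct}")
```

Pairs labelled `brute-force` are the ones worth feeding to a blocklist; `repeating-password` pairs usually point at a user whose device still holds an old password.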